diff -Nru snort-2.8.5.2/aclocal.m4 snort-2.9.2/aclocal.m4 --- snort-2.8.5.2/aclocal.m4 2009-10-19 21:17:51.000000000 +0000 +++ snort-2.9.2/aclocal.m4 2011-12-07 19:23:11.000000000 +0000 @@ -1,7 +1,7 @@ -# generated automatically by aclocal 1.10 -*- Autoconf -*- +# generated automatically by aclocal 1.11.1 -*- Autoconf -*- # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, -# 2005, 2006 Free Software Foundation, Inc. +# 2005, 2006, 2007, 2008, 2009 Free Software Foundation, Inc. # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. 
@@ -11,108 +11,196 @@ # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. -m4_if(m4_PACKAGE_VERSION, [2.61],, -[m4_fatal([this file was generated for autoconf 2.61. -You have another version of autoconf. If you want to use that, -you should regenerate the build system entirely.], [63])]) +m4_ifndef([AC_AUTOCONF_VERSION], + [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl +m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.63],, +[m4_warning([this file was generated for autoconf 2.63. +You have another version of autoconf. It may work, but is not guaranteed to. +If you have problems, you may need to regenerate the build system entirely. +To do so, use the procedure documented by the package, typically `autoreconf'.])]) # libtool.m4 - Configure libtool for the host system. -*-Autoconf-*- +# +# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, +# 2006, 2007, 2008 Free Software Foundation, Inc. +# Written by Gordon Matzigkeit, 1996 +# +# This file is free software; the Free Software Foundation gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. + +m4_define([_LT_COPYING], [dnl +# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, +# 2006, 2007, 2008 Free Software Foundation, Inc. +# Written by Gordon Matzigkeit, 1996 +# +# This file is part of GNU Libtool. +# +# GNU Libtool is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# As a special exception to the GNU General Public License, +# if you distribute this file as part of a program or library that +# is built using GNU Libtool, you may include this file under the +# same distribution terms that you use for the rest of that program. 
+# +# GNU Libtool is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GNU Libtool; see the file COPYING. If not, a copy +# can be downloaded from http://www.gnu.org/licenses/gpl.html, or +# obtained by writing to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +]) -# serial 48 AC_PROG_LIBTOOL +# serial 56 LT_INIT -# AC_PROVIDE_IFELSE(MACRO-NAME, IF-PROVIDED, IF-NOT-PROVIDED) -# ----------------------------------------------------------- -# If this macro is not defined by Autoconf, define it here. -m4_ifdef([AC_PROVIDE_IFELSE], - [], - [m4_define([AC_PROVIDE_IFELSE], - [m4_ifdef([AC_PROVIDE_$1], - [$2], [$3])])]) +# LT_PREREQ(VERSION) +# ------------------ +# Complain and exit if this libtool version is less that VERSION. +m4_defun([LT_PREREQ], +[m4_if(m4_version_compare(m4_defn([LT_PACKAGE_VERSION]), [$1]), -1, + [m4_default([$3], + [m4_fatal([Libtool version $1 or higher is required], + 63)])], + [$2])]) -# AC_PROG_LIBTOOL -# --------------- -AC_DEFUN([AC_PROG_LIBTOOL], -[AC_REQUIRE([_AC_PROG_LIBTOOL])dnl -dnl If AC_PROG_CXX has already been expanded, run AC_LIBTOOL_CXX -dnl immediately, otherwise, hook it in at the end of AC_PROG_CXX. - AC_PROVIDE_IFELSE([AC_PROG_CXX], - [AC_LIBTOOL_CXX], - [define([AC_PROG_CXX], defn([AC_PROG_CXX])[AC_LIBTOOL_CXX - ])]) -dnl And a similar setup for Fortran 77 support - AC_PROVIDE_IFELSE([AC_PROG_F77], - [AC_LIBTOOL_F77], - [define([AC_PROG_F77], defn([AC_PROG_F77])[AC_LIBTOOL_F77 -])]) - -dnl Quote A][M_PROG_GCJ so that aclocal doesn't bring it in needlessly. -dnl If either AC_PROG_GCJ or A][M_PROG_GCJ have already been expanded, run -dnl AC_LIBTOOL_GCJ immediately, otherwise, hook it in at the end of both. 
- AC_PROVIDE_IFELSE([AC_PROG_GCJ], - [AC_LIBTOOL_GCJ], - [AC_PROVIDE_IFELSE([A][M_PROG_GCJ], - [AC_LIBTOOL_GCJ], - [AC_PROVIDE_IFELSE([LT_AC_PROG_GCJ], - [AC_LIBTOOL_GCJ], - [ifdef([AC_PROG_GCJ], - [define([AC_PROG_GCJ], defn([AC_PROG_GCJ])[AC_LIBTOOL_GCJ])]) - ifdef([A][M_PROG_GCJ], - [define([A][M_PROG_GCJ], defn([A][M_PROG_GCJ])[AC_LIBTOOL_GCJ])]) - ifdef([LT_AC_PROG_GCJ], - [define([LT_AC_PROG_GCJ], - defn([LT_AC_PROG_GCJ])[AC_LIBTOOL_GCJ])])])]) -])])# AC_PROG_LIBTOOL +# _LT_CHECK_BUILDDIR +# ------------------ +# Complain if the absolute build directory name contains unusual characters +m4_defun([_LT_CHECK_BUILDDIR], +[case `pwd` in + *\ * | *\ *) + AC_MSG_WARN([Libtool does not cope well with whitespace in `pwd`]) ;; +esac +]) -# _AC_PROG_LIBTOOL -# ---------------- -AC_DEFUN([_AC_PROG_LIBTOOL], -[AC_REQUIRE([AC_LIBTOOL_SETUP])dnl -AC_BEFORE([$0],[AC_LIBTOOL_CXX])dnl -AC_BEFORE([$0],[AC_LIBTOOL_F77])dnl -AC_BEFORE([$0],[AC_LIBTOOL_GCJ])dnl +# LT_INIT([OPTIONS]) +# ------------------ +AC_DEFUN([LT_INIT], +[AC_PREREQ([2.58])dnl We use AC_INCLUDES_DEFAULT +AC_BEFORE([$0], [LT_LANG])dnl +AC_BEFORE([$0], [LT_OUTPUT])dnl +AC_BEFORE([$0], [LTDL_INIT])dnl +m4_require([_LT_CHECK_BUILDDIR])dnl + +dnl Autoconf doesn't catch unexpanded LT_ macros by default: +m4_pattern_forbid([^_?LT_[A-Z_]+$])dnl +m4_pattern_allow([^(_LT_EOF|LT_DLGLOBAL|LT_DLLAZY_OR_NOW|LT_MULTI_MODULE)$])dnl +dnl aclocal doesn't pull ltoptions.m4, ltsugar.m4, or ltversion.m4 +dnl unless we require an AC_DEFUNed macro: +AC_REQUIRE([LTOPTIONS_VERSION])dnl +AC_REQUIRE([LTSUGAR_VERSION])dnl +AC_REQUIRE([LTVERSION_VERSION])dnl +AC_REQUIRE([LTOBSOLETE_VERSION])dnl +m4_require([_LT_PROG_LTMAIN])dnl + +dnl Parse OPTIONS +_LT_SET_OPTIONS([$0], [$1]) # This can be used to rebuild libtool when needed -LIBTOOL_DEPS="$ac_aux_dir/ltmain.sh" +LIBTOOL_DEPS="$ltmain" # Always use our own libtool. 
LIBTOOL='$(SHELL) $(top_builddir)/libtool' AC_SUBST(LIBTOOL)dnl -# Prevent multiple expansion -define([AC_PROG_LIBTOOL], []) -])# _AC_PROG_LIBTOOL +_LT_SETUP +# Only expand once: +m4_define([LT_INIT]) +])# LT_INIT + +# Old names: +AU_ALIAS([AC_PROG_LIBTOOL], [LT_INIT]) +AU_ALIAS([AM_PROG_LIBTOOL], [LT_INIT]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_PROG_LIBTOOL], []) +dnl AC_DEFUN([AM_PROG_LIBTOOL], []) -# AC_LIBTOOL_SETUP -# ---------------- -AC_DEFUN([AC_LIBTOOL_SETUP], -[AC_PREREQ(2.50)dnl -AC_REQUIRE([AC_ENABLE_SHARED])dnl -AC_REQUIRE([AC_ENABLE_STATIC])dnl -AC_REQUIRE([AC_ENABLE_FAST_INSTALL])dnl -AC_REQUIRE([AC_CANONICAL_HOST])dnl + +# _LT_CC_BASENAME(CC) +# ------------------- +# Calculate cc_basename. Skip known compiler wrappers and cross-prefix. +m4_defun([_LT_CC_BASENAME], +[for cc_temp in $1""; do + case $cc_temp in + compile | *[[\\/]]compile | ccache | *[[\\/]]ccache ) ;; + distcc | *[[\\/]]distcc | purify | *[[\\/]]purify ) ;; + \-*) ;; + *) break;; + esac +done +cc_basename=`$ECHO "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"` +]) + + +# _LT_FILEUTILS_DEFAULTS +# ---------------------- +# It is okay to use these file commands and assume they have been set +# sensibly after `m4_require([_LT_FILEUTILS_DEFAULTS])'. 
+m4_defun([_LT_FILEUTILS_DEFAULTS], +[: ${CP="cp -f"} +: ${MV="mv -f"} +: ${RM="rm -f"} +])# _LT_FILEUTILS_DEFAULTS + + +# _LT_SETUP +# --------- +m4_defun([_LT_SETUP], +[AC_REQUIRE([AC_CANONICAL_HOST])dnl AC_REQUIRE([AC_CANONICAL_BUILD])dnl +_LT_DECL([], [host_alias], [0], [The host system])dnl +_LT_DECL([], [host], [0])dnl +_LT_DECL([], [host_os], [0])dnl +dnl +_LT_DECL([], [build_alias], [0], [The build system])dnl +_LT_DECL([], [build], [0])dnl +_LT_DECL([], [build_os], [0])dnl +dnl AC_REQUIRE([AC_PROG_CC])dnl -AC_REQUIRE([AC_PROG_LD])dnl -AC_REQUIRE([AC_PROG_LD_RELOAD_FLAG])dnl -AC_REQUIRE([AC_PROG_NM])dnl - +AC_REQUIRE([LT_PATH_LD])dnl +AC_REQUIRE([LT_PATH_NM])dnl +dnl AC_REQUIRE([AC_PROG_LN_S])dnl -AC_REQUIRE([AC_DEPLIBS_CHECK_METHOD])dnl -# Autoconf 2.13's AC_OBJEXT and AC_EXEEXT macros only works for C compilers! -AC_REQUIRE([AC_OBJEXT])dnl -AC_REQUIRE([AC_EXEEXT])dnl +test -z "$LN_S" && LN_S="ln -s" +_LT_DECL([], [LN_S], [1], [Whether we need soft or hard links])dnl dnl +AC_REQUIRE([LT_CMD_MAX_LEN])dnl +_LT_DECL([objext], [ac_objext], [0], [Object file suffix (normally "o")])dnl +_LT_DECL([], [exeext], [0], [Executable file suffix (normally "")])dnl +dnl +m4_require([_LT_FILEUTILS_DEFAULTS])dnl +m4_require([_LT_CHECK_SHELL_FEATURES])dnl +m4_require([_LT_CMD_RELOAD])dnl +m4_require([_LT_CHECK_MAGIC_METHOD])dnl +m4_require([_LT_CMD_OLD_ARCHIVE])dnl +m4_require([_LT_CMD_GLOBAL_SYMBOLS])dnl + +_LT_CONFIG_LIBTOOL_INIT([ +# See if we are running on zsh, and set the options which allow our +# commands through without removal of \ escapes INIT. +if test -n "\${ZSH_VERSION+set}" ; then + setopt NO_GLOB_SUBST +fi +]) +if test -n "${ZSH_VERSION+set}" ; then + setopt NO_GLOB_SUBST +fi -AC_LIBTOOL_SYS_MAX_CMD_LEN -AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE -AC_LIBTOOL_OBJDIR +_LT_CHECK_OBJDIR -AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl -_LT_AC_PROG_ECHO_BACKSLASH +m4_require([_LT_TAG_COMPILER])dnl +_LT_PROG_ECHO_BACKSLASH case $host_os in aix3*) 
@@ -128,6291 +216,7915 @@ # Sed substitution that helps us do robust quoting. It backslashifies # metacharacters that are still active within double-quoted strings. -Xsed='sed -e 1s/^X//' -[sed_quote_subst='s/\([\\"\\`$\\\\]\)/\\\1/g'] +sed_quote_subst='s/\([["`$\\]]\)/\\\1/g' # Same as above, but do not quote variable references. -[double_quote_subst='s/\([\\"\\`\\\\]\)/\\\1/g'] +double_quote_subst='s/\([["`\\]]\)/\\\1/g' # Sed substitution to delay expansion of an escaped shell variable in a # double_quote_subst'ed string. delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g' +# Sed substitution to delay expansion of an escaped single quote. +delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g' + # Sed substitution to avoid accidental globbing in evaled expressions no_glob_subst='s/\*/\\\*/g' -# Constants: -rm="rm -f" - # Global variables: -default_ofile=libtool +ofile=libtool can_build_shared=yes # All known linkers require a `.a' archive for static linking (except MSVC, # which needs '.lib'). libext=a -ltmain="$ac_aux_dir/ltmain.sh" -ofile="$default_ofile" -with_gnu_ld="$lt_cv_prog_gnu_ld" -AC_CHECK_TOOL(AR, ar, false) -AC_CHECK_TOOL(RANLIB, ranlib, :) -AC_CHECK_TOOL(STRIP, strip, :) +with_gnu_ld="$lt_cv_prog_gnu_ld" old_CC="$CC" old_CFLAGS="$CFLAGS" # Set sane defaults for various variables -test -z "$AR" && AR=ar -test -z "$AR_FLAGS" && AR_FLAGS=cru -test -z "$AS" && AS=as test -z "$CC" && CC=cc test -z "$LTCC" && LTCC=$CC test -z "$LTCFLAGS" && LTCFLAGS=$CFLAGS -test -z "$DLLTOOL" && DLLTOOL=dlltool test -z "$LD" && LD=ld -test -z "$LN_S" && LN_S="ln -s" -test -z "$MAGIC_CMD" && MAGIC_CMD=file -test -z "$NM" && NM=nm -test -z "$SED" && SED=sed -test -z "$OBJDUMP" && OBJDUMP=objdump -test -z "$RANLIB" && RANLIB=: -test -z "$STRIP" && STRIP=: test -z "$ac_objext" && ac_objext=o -# Determine commands to create old-style static archives. 
-old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs' -old_postinstall_cmds='chmod 644 $oldlib' -old_postuninstall_cmds= - -if test -n "$RANLIB"; then - case $host_os in - openbsd*) - old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib" - ;; - *) - old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib" - ;; - esac - old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib" -fi - _LT_CC_BASENAME([$compiler]) # Only perform the check for file, if the check method requires it +test -z "$MAGIC_CMD" && MAGIC_CMD=file case $deplibs_check_method in file_magic*) if test "$file_magic_cmd" = '$MAGIC_CMD'; then - AC_PATH_MAGIC + _LT_PATH_MAGIC fi ;; esac -AC_PROVIDE_IFELSE([AC_LIBTOOL_DLOPEN], enable_dlopen=yes, enable_dlopen=no) -AC_PROVIDE_IFELSE([AC_LIBTOOL_WIN32_DLL], -enable_win32_dll=yes, enable_win32_dll=no) - -AC_ARG_ENABLE([libtool-lock], - [AC_HELP_STRING([--disable-libtool-lock], - [avoid locking (might break parallel builds)])]) -test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes +# Use C for the default configuration in the libtool script +LT_SUPPORTED_TAG([CC]) +_LT_LANG_C_CONFIG +_LT_LANG_DEFAULT_CONFIG +_LT_CONFIG_COMMANDS +])# _LT_SETUP -AC_ARG_WITH([pic], - [AC_HELP_STRING([--with-pic], - [try to use only PIC/non-PIC objects @<:@default=use both@:>@])], - [pic_mode="$withval"], - [pic_mode=default]) -test -z "$pic_mode" && pic_mode=default -# Use C for the default configuration in the libtool script -tagname= -AC_LIBTOOL_LANG_C_CONFIG -_LT_AC_TAGCONFIG -])# AC_LIBTOOL_SETUP +# _LT_PROG_LTMAIN +# --------------- +# Note that this code is called both from `configure', and `config.status' +# now that we use AC_CONFIG_COMMANDS to generate libtool. Notably, +# `config.status' has no value for ac_aux_dir unless we are using Automake, +# so we pass a copy along to make sure it has a sensible value anyway. 
+m4_defun([_LT_PROG_LTMAIN], +[m4_ifdef([AC_REQUIRE_AUX_FILE], [AC_REQUIRE_AUX_FILE([ltmain.sh])])dnl +_LT_CONFIG_LIBTOOL_INIT([ac_aux_dir='$ac_aux_dir']) +ltmain="$ac_aux_dir/ltmain.sh" +])# _LT_PROG_LTMAIN -# _LT_AC_SYS_COMPILER -# ------------------- -AC_DEFUN([_LT_AC_SYS_COMPILER], -[AC_REQUIRE([AC_PROG_CC])dnl -# If no C compiler was specified, use CC. -LTCC=${LTCC-"$CC"} +# So that we can recreate a full libtool script including additional +# tags, we accumulate the chunks of code to send to AC_CONFIG_COMMANDS +# in macros and then make a single call at the end using the `libtool' +# label. -# If no C compiler flags were specified, use CFLAGS. -LTCFLAGS=${LTCFLAGS-"$CFLAGS"} -# Allow CC to be a program name with arguments. -compiler=$CC -])# _LT_AC_SYS_COMPILER +# _LT_CONFIG_LIBTOOL_INIT([INIT-COMMANDS]) +# ---------------------------------------- +# Register INIT-COMMANDS to be passed to AC_CONFIG_COMMANDS later. +m4_define([_LT_CONFIG_LIBTOOL_INIT], +[m4_ifval([$1], + [m4_append([_LT_OUTPUT_LIBTOOL_INIT], + [$1 +])])]) +# Initialize. +m4_define([_LT_OUTPUT_LIBTOOL_INIT]) -# _LT_CC_BASENAME(CC) -# ------------------- -# Calculate cc_basename. Skip known compiler wrappers and cross-prefix. -AC_DEFUN([_LT_CC_BASENAME], -[for cc_temp in $1""; do - case $cc_temp in - compile | *[[\\/]]compile | ccache | *[[\\/]]ccache ) ;; - distcc | *[[\\/]]distcc | purify | *[[\\/]]purify ) ;; - \-*) ;; - *) break;; - esac -done -cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"` + +# _LT_CONFIG_LIBTOOL([COMMANDS]) +# ------------------------------ +# Register COMMANDS to be passed to AC_CONFIG_COMMANDS later. +m4_define([_LT_CONFIG_LIBTOOL], +[m4_ifval([$1], + [m4_append([_LT_OUTPUT_LIBTOOL_COMMANDS], + [$1 +])])]) + +# Initialize. 
+m4_define([_LT_OUTPUT_LIBTOOL_COMMANDS]) + + +# _LT_CONFIG_SAVE_COMMANDS([COMMANDS], [INIT_COMMANDS]) +# ----------------------------------------------------- +m4_defun([_LT_CONFIG_SAVE_COMMANDS], +[_LT_CONFIG_LIBTOOL([$1]) +_LT_CONFIG_LIBTOOL_INIT([$2]) ]) -# _LT_COMPILER_BOILERPLATE -# ------------------------ -# Check for compiler boilerplate output or warnings with -# the simple compiler test code. -AC_DEFUN([_LT_COMPILER_BOILERPLATE], -[ac_outfile=conftest.$ac_objext -printf "$lt_simple_compile_test_code" >conftest.$ac_ext -eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err -_lt_compiler_boilerplate=`cat conftest.err` -$rm conftest* -])# _LT_COMPILER_BOILERPLATE +# _LT_FORMAT_COMMENT([COMMENT]) +# ----------------------------- +# Add leading comment marks to the start of each line, and a trailing +# full-stop to the whole comment if one is not present already. +m4_define([_LT_FORMAT_COMMENT], +[m4_ifval([$1], [ +m4_bpatsubst([m4_bpatsubst([$1], [^ *], [# ])], + [['`$\]], [\\\&])]m4_bmatch([$1], [[!?.]$], [], [.]) +)]) -# _LT_LINKER_BOILERPLATE -# ---------------------- -# Check for linker boilerplate output or warnings with -# the simple link test code. -AC_DEFUN([_LT_LINKER_BOILERPLATE], -[ac_outfile=conftest.$ac_objext -printf "$lt_simple_link_test_code" >conftest.$ac_ext -eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err -_lt_linker_boilerplate=`cat conftest.err` -$rm conftest* -])# _LT_LINKER_BOILERPLATE -# _LT_AC_SYS_LIBPATH_AIX -# ---------------------- -# Links a minimal program and checks the executable -# for the system default hardcoded library path. In most cases, -# this is /usr/lib:/lib, but when the MPI compilers are used -# the location of the communication and MPI libs are included too. -# If we don't find anything, use the default library path according -# to the aix ld manual. 
-AC_DEFUN([_LT_AC_SYS_LIBPATH_AIX], -[AC_LINK_IFELSE(AC_LANG_PROGRAM,[ -aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } -}'` -# Check for a 64-bit object if we didn't find anything. -if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } -}'`; fi],[]) -if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi -])# _LT_AC_SYS_LIBPATH_AIX +# _LT_DECL([CONFIGNAME], VARNAME, VALUE, [DESCRIPTION], [IS-TAGGED?]) +# ------------------------------------------------------------------- +# CONFIGNAME is the name given to the value in the libtool script. +# VARNAME is the (base) name used in the configure script. +# VALUE may be 0, 1 or 2 for a computed quote escaped value based on +# VARNAME. Any other value will be used directly. +m4_define([_LT_DECL], +[lt_if_append_uniq([lt_decl_varnames], [$2], [, ], + [lt_dict_add_subkey([lt_decl_dict], [$2], [libtool_name], + [m4_ifval([$1], [$1], [$2])]) + lt_dict_add_subkey([lt_decl_dict], [$2], [value], [$3]) + m4_ifval([$4], + [lt_dict_add_subkey([lt_decl_dict], [$2], [description], [$4])]) + lt_dict_add_subkey([lt_decl_dict], [$2], + [tagged?], [m4_ifval([$5], [yes], [no])])]) +]) -# _LT_AC_SHELL_INIT(ARG) -# ---------------------- -AC_DEFUN([_LT_AC_SHELL_INIT], -[ifdef([AC_DIVERSION_NOTICE], - [AC_DIVERT_PUSH(AC_DIVERSION_NOTICE)], - [AC_DIVERT_PUSH(NOTICE)]) -$1 -AC_DIVERT_POP -])# _LT_AC_SHELL_INIT +# _LT_TAGDECL([CONFIGNAME], VARNAME, VALUE, [DESCRIPTION]) +# -------------------------------------------------------- +m4_define([_LT_TAGDECL], [_LT_DECL([$1], [$2], [$3], [$4], [yes])]) + + +# lt_decl_tag_varnames([SEPARATOR], [VARNAME1...]) +# ------------------------------------------------ +m4_define([lt_decl_tag_varnames], +[_lt_decl_filter([tagged?], [yes], $@)]) + + +# _lt_decl_filter(SUBKEY, VALUE, [SEPARATOR], [VARNAME1..]) +# 
--------------------------------------------------------- +m4_define([_lt_decl_filter], +[m4_case([$#], + [0], [m4_fatal([$0: too few arguments: $#])], + [1], [m4_fatal([$0: too few arguments: $#: $1])], + [2], [lt_dict_filter([lt_decl_dict], [$1], [$2], [], lt_decl_varnames)], + [3], [lt_dict_filter([lt_decl_dict], [$1], [$2], [$3], lt_decl_varnames)], + [lt_dict_filter([lt_decl_dict], $@)])[]dnl +]) -# _LT_AC_PROG_ECHO_BACKSLASH -# -------------------------- -# Add some code to the start of the generated configure script which -# will find an echo command which doesn't interpret backslashes. -AC_DEFUN([_LT_AC_PROG_ECHO_BACKSLASH], -[_LT_AC_SHELL_INIT([ -# Check that we are running under the correct shell. -SHELL=${CONFIG_SHELL-/bin/sh} -case X$ECHO in -X*--fallback-echo) - # Remove one level of quotation (which was required for Make). - ECHO=`echo "$ECHO" | sed 's,\\\\\[$]\\[$]0,'[$]0','` - ;; -esac +# lt_decl_quote_varnames([SEPARATOR], [VARNAME1...]) +# -------------------------------------------------- +m4_define([lt_decl_quote_varnames], +[_lt_decl_filter([value], [1], $@)]) + + +# lt_decl_dquote_varnames([SEPARATOR], [VARNAME1...]) +# --------------------------------------------------- +m4_define([lt_decl_dquote_varnames], +[_lt_decl_filter([value], [2], $@)]) + + +# lt_decl_varnames_tagged([SEPARATOR], [VARNAME1...]) +# --------------------------------------------------- +m4_define([lt_decl_varnames_tagged], +[m4_assert([$# <= 2])dnl +_$0(m4_quote(m4_default([$1], [[, ]])), + m4_ifval([$2], [[$2]], [m4_dquote(lt_decl_tag_varnames)]), + m4_split(m4_normalize(m4_quote(_LT_TAGS)), [ ]))]) +m4_define([_lt_decl_varnames_tagged], +[m4_ifval([$3], [lt_combine([$1], [$2], [_], $3)])]) + + +# lt_decl_all_varnames([SEPARATOR], [VARNAME1...]) +# ------------------------------------------------ +m4_define([lt_decl_all_varnames], +[_$0(m4_quote(m4_default([$1], [[, ]])), + m4_if([$2], [], + m4_quote(lt_decl_varnames), + m4_quote(m4_shift($@))))[]dnl +]) 
+m4_define([_lt_decl_all_varnames], +[lt_join($@, lt_decl_varnames_tagged([$1], + lt_decl_tag_varnames([[, ]], m4_shift($@))))dnl +]) -echo=${ECHO-echo} -if test "X[$]1" = X--no-reexec; then - # Discard the --no-reexec flag, and continue. - shift -elif test "X[$]1" = X--fallback-echo; then - # Avoid inline document here, it may be left over - : -elif test "X`($echo '\t') 2>/dev/null`" = 'X\t' ; then - # Yippee, $echo works! - : -else - # Restart under the correct shell. - exec $SHELL "[$]0" --no-reexec ${1+"[$]@"} -fi -if test "X[$]1" = X--fallback-echo; then - # used as fallback echo - shift - cat </dev/null 2>&1 && unset CDPATH -if test -z "$ECHO"; then -if test "X${echo_test_string+set}" != Xset; then -# find a string as large as possible, as long as the shell can cope with it - for cmd in 'sed 50q "[$]0"' 'sed 20q "[$]0"' 'sed 10q "[$]0"' 'sed 2q "[$]0"' 'echo test'; do - # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ... - if (echo_test_string=`eval $cmd`) 2>/dev/null && - echo_test_string=`eval $cmd` && - (test "X$echo_test_string" = "X$echo_test_string") 2>/dev/null - then - break - fi - done -fi +# _LT_CONFIG_STATUS_DECLARATIONS +# ------------------------------ +# We delimit libtool config variables with single quotes, so when +# we write them to config.status, we have to be sure to quote all +# embedded single quotes properly. In configure, this macro expands +# each variable declared with _LT_DECL (and _LT_TAGDECL) into: +# +# ='`$ECHO "X$" | $Xsed -e "$delay_single_quote_subst"`' +m4_defun([_LT_CONFIG_STATUS_DECLARATIONS], +[m4_foreach([_lt_var], m4_quote(lt_decl_all_varnames), + [m4_n([_LT_CONFIG_STATUS_DECLARE(_lt_var)])])]) -if test "X`($echo '\t') 2>/dev/null`" = 'X\t' && - echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - : -else - # The Solaris, AIX, and Digital Unix default echo programs unquote - # backslashes. 
This makes it impossible to quote backslashes using - # echo "$something" | sed 's/\\/\\\\/g' - # - # So, first we look for a working echo in the user's PATH. - lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR - for dir in $PATH /usr/ucb; do - IFS="$lt_save_ifs" - if (test -f $dir/echo || test -f $dir/echo$ac_exeext) && - test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' && - echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - echo="$dir/echo" - break - fi - done - IFS="$lt_save_ifs" +# _LT_LIBTOOL_TAGS +# ---------------- +# Output comment and list of tags supported by the script +m4_defun([_LT_LIBTOOL_TAGS], +[_LT_FORMAT_COMMENT([The names of the tagged configurations supported by this script])dnl +available_tags="_LT_TAGS"dnl +]) - if test "X$echo" = Xecho; then - # We didn't find a better echo, so look for alternatives. - if test "X`(print -r '\t') 2>/dev/null`" = 'X\t' && - echo_testing_string=`(print -r "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - # This shell has a builtin print -r that does the trick. - echo='print -r' - elif (test -f /bin/ksh || test -f /bin/ksh$ac_exeext) && - test "X$CONFIG_SHELL" != X/bin/ksh; then - # If we have ksh, try running configure again with it. - ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh} - export ORIGINAL_CONFIG_SHELL - CONFIG_SHELL=/bin/ksh - export CONFIG_SHELL - exec $CONFIG_SHELL "[$]0" --no-reexec ${1+"[$]@"} - else - # Try using printf. 
- echo='printf %s\n' - if test "X`($echo '\t') 2>/dev/null`" = 'X\t' && - echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - # Cool, printf works - : - elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` && - test "X$echo_testing_string" = 'X\t' && - echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL - export CONFIG_SHELL - SHELL="$CONFIG_SHELL" - export SHELL - echo="$CONFIG_SHELL [$]0 --fallback-echo" - elif echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` && - test "X$echo_testing_string" = 'X\t' && - echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - echo="$CONFIG_SHELL [$]0 --fallback-echo" - else - # maybe with a smaller string... - prev=: - for cmd in 'echo test' 'sed 2q "[$]0"' 'sed 10q "[$]0"' 'sed 20q "[$]0"' 'sed 50q "[$]0"'; do - if (test "X$echo_test_string" = "X`eval $cmd`") 2>/dev/null - then - break - fi - prev="$cmd" - done +# _LT_LIBTOOL_DECLARE(VARNAME, [TAG]) +# ----------------------------------- +# Extract the dictionary values for VARNAME (optionally with TAG) and +# expand to a commented shell variable setting: +# +# # Some comment about what VAR is for. 
+# visible_name=$lt_internal_name +m4_define([_LT_LIBTOOL_DECLARE], +[_LT_FORMAT_COMMENT(m4_quote(lt_dict_fetch([lt_decl_dict], [$1], + [description])))[]dnl +m4_pushdef([_libtool_name], + m4_quote(lt_dict_fetch([lt_decl_dict], [$1], [libtool_name])))[]dnl +m4_case(m4_quote(lt_dict_fetch([lt_decl_dict], [$1], [value])), + [0], [_libtool_name=[$]$1], + [1], [_libtool_name=$lt_[]$1], + [2], [_libtool_name=$lt_[]$1], + [_libtool_name=lt_dict_fetch([lt_decl_dict], [$1], [value])])[]dnl +m4_ifval([$2], [_$2])[]m4_popdef([_libtool_name])[]dnl +]) - if test "$prev" != 'sed 50q "[$]0"'; then - echo_test_string=`eval $prev` - export echo_test_string - exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "[$]0" ${1+"[$]@"} - else - # Oops. We lost completely, so just stick with echo. - echo=echo - fi - fi - fi - fi -fi -fi -# Copy echo and quote the copy suitably for passing to libtool from -# the Makefile, instead of quoting the original, which is used later. -ECHO=$echo -if test "X$ECHO" = "X$CONFIG_SHELL [$]0 --fallback-echo"; then - ECHO="$CONFIG_SHELL \\\$\[$]0 --fallback-echo" -fi +# _LT_LIBTOOL_CONFIG_VARS +# ----------------------- +# Produce commented declarations of non-tagged libtool config variables +# suitable for insertion in the LIBTOOL CONFIG section of the `libtool' +# script. Tagged libtool config variables (even for the LIBTOOL CONFIG +# section) are produced by _LT_LIBTOOL_TAG_VARS. 
+m4_defun([_LT_LIBTOOL_CONFIG_VARS], +[m4_foreach([_lt_var], + m4_quote(_lt_decl_filter([tagged?], [no], [], lt_decl_varnames)), + [m4_n([_LT_LIBTOOL_DECLARE(_lt_var)])])]) -AC_SUBST(ECHO) -])])# _LT_AC_PROG_ECHO_BACKSLASH +# _LT_LIBTOOL_TAG_VARS(TAG) +# ------------------------- +m4_define([_LT_LIBTOOL_TAG_VARS], +[m4_foreach([_lt_var], m4_quote(lt_decl_tag_varnames), + [m4_n([_LT_LIBTOOL_DECLARE(_lt_var, [$1])])])]) -# _LT_AC_LOCK -# ----------- -AC_DEFUN([_LT_AC_LOCK], -[AC_ARG_ENABLE([libtool-lock], - [AC_HELP_STRING([--disable-libtool-lock], - [avoid locking (might break parallel builds)])]) -test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes -# Some flags need to be propagated to the compiler or linker for good -# libtool support. -case $host in -ia64-*-hpux*) - # Find out which ABI we are using. - echo 'int i;' > conftest.$ac_ext - if AC_TRY_EVAL(ac_compile); then - case `/usr/bin/file conftest.$ac_objext` in - *ELF-32*) - HPUX_IA64_MODE="32" - ;; - *ELF-64*) - HPUX_IA64_MODE="64" - ;; - esac - fi - rm -rf conftest* - ;; -*-*-irix6*) - # Find out which ABI we are using. - echo '[#]line __oline__ "configure"' > conftest.$ac_ext - if AC_TRY_EVAL(ac_compile); then - if test "$lt_cv_prog_gnu_ld" = yes; then - case `/usr/bin/file conftest.$ac_objext` in - *32-bit*) - LD="${LD-ld} -melf32bsmip" - ;; - *N32*) - LD="${LD-ld} -melf32bmipn32" +# _LT_TAGVAR(VARNAME, [TAGNAME]) +# ------------------------------ +m4_define([_LT_TAGVAR], [m4_ifval([$2], [$1_$2], [$1])]) + + +# _LT_CONFIG_COMMANDS +# ------------------- +# Send accumulated output to $CONFIG_STATUS. Thanks to the lists of +# variables for single and double quote escaping we saved from calls +# to _LT_DECL, we can put quote escaped variables declarations +# into `config.status', and then the shell code to quote escape them in +# for loops in `config.status'. Finally, any additional code accumulated +# from calls to _LT_CONFIG_LIBTOOL_INIT is expanded. 
+m4_defun([_LT_CONFIG_COMMANDS], +[AC_PROVIDE_IFELSE([LT_OUTPUT], + dnl If the libtool generation code has been placed in $CONFIG_LT, + dnl instead of duplicating it all over again into config.status, + dnl then we will have config.status run $CONFIG_LT later, so it + dnl needs to know what name is stored there: + [AC_CONFIG_COMMANDS([libtool], + [$SHELL $CONFIG_LT || AS_EXIT(1)], [CONFIG_LT='$CONFIG_LT'])], + dnl If the libtool generation code is destined for config.status, + dnl expand the accumulated commands and init code now: + [AC_CONFIG_COMMANDS([libtool], + [_LT_OUTPUT_LIBTOOL_COMMANDS], [_LT_OUTPUT_LIBTOOL_COMMANDS_INIT])]) +])#_LT_CONFIG_COMMANDS + + +# Initialize. +m4_define([_LT_OUTPUT_LIBTOOL_COMMANDS_INIT], +[ + +# The HP-UX ksh and POSIX shell print the target directory to stdout +# if CDPATH is set. +(unset CDPATH) >/dev/null 2>&1 && unset CDPATH + +sed_quote_subst='$sed_quote_subst' +double_quote_subst='$double_quote_subst' +delay_variable_subst='$delay_variable_subst' +_LT_CONFIG_STATUS_DECLARATIONS +LTCC='$LTCC' +LTCFLAGS='$LTCFLAGS' +compiler='$compiler_DEFAULT' + +# Quote evaled strings. +for var in lt_decl_all_varnames([[ \ +]], lt_decl_quote_varnames); do + case \`eval \\\\\$ECHO "X\\\\\$\$var"\` in + *[[\\\\\\\`\\"\\\$]]*) + eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"X\\\$\$var\\" | \\\$Xsed -e \\"\\\$sed_quote_subst\\"\\\`\\\\\\"" ;; - *64-bit*) - LD="${LD-ld} -melf64bmip" + *) + eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\"" ;; esac - else - case `/usr/bin/file conftest.$ac_objext` in - *32-bit*) - LD="${LD-ld} -32" - ;; - *N32*) - LD="${LD-ld} -n32" +done + +# Double-quote double-evaled strings. 
+for var in lt_decl_all_varnames([[ \ +]], lt_decl_dquote_varnames); do + case \`eval \\\\\$ECHO "X\\\\\$\$var"\` in + *[[\\\\\\\`\\"\\\$]]*) + eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"X\\\$\$var\\" | \\\$Xsed -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\"" ;; - *64-bit*) - LD="${LD-ld} -64" + *) + eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\"" ;; esac - fi - fi - rm -rf conftest* - ;; - -x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*|s390*-*linux*|sparc*-*linux*) - # Find out which ABI we are using. - echo 'int i;' > conftest.$ac_ext - if AC_TRY_EVAL(ac_compile); then - case `/usr/bin/file conftest.o` in - *32-bit*) - case $host in - x86_64-*linux*) - LD="${LD-ld} -m elf_i386" - ;; - ppc64-*linux*|powerpc64-*linux*) - LD="${LD-ld} -m elf32ppclinux" - ;; - s390x-*linux*) - LD="${LD-ld} -m elf_s390" - ;; - sparc64-*linux*) - LD="${LD-ld} -m elf32_sparc" - ;; - esac - ;; - *64-bit*) - case $host in - x86_64-*linux*) - LD="${LD-ld} -m elf_x86_64" - ;; - ppc*-*linux*|powerpc*-*linux*) - LD="${LD-ld} -m elf64ppc" - ;; - s390*-*linux*) - LD="${LD-ld} -m elf64_s390" - ;; - sparc*-*linux*) - LD="${LD-ld} -m elf64_sparc" - ;; - esac - ;; - esac - fi - rm -rf conftest* - ;; - -*-*-sco3.2v5*) - # On SCO OpenServer 5, we need -belf to get full-featured binaries. - SAVE_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -belf" - AC_CACHE_CHECK([whether the C compiler needs -belf], lt_cv_cc_needs_belf, - [AC_LANG_PUSH(C) - AC_TRY_LINK([],[],[lt_cv_cc_needs_belf=yes],[lt_cv_cc_needs_belf=no]) - AC_LANG_POP]) - if test x"$lt_cv_cc_needs_belf" != x"yes"; then - # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf - CFLAGS="$SAVE_CFLAGS" - fi - ;; -sparc*-*solaris*) - # Find out which ABI we are using. 
- echo 'int i;' > conftest.$ac_ext - if AC_TRY_EVAL(ac_compile); then - case `/usr/bin/file conftest.o` in - *64-bit*) - case $lt_cv_prog_gnu_ld in - yes*) LD="${LD-ld} -m elf64_sparc" ;; - *) LD="${LD-ld} -64" ;; - esac - ;; - esac - fi - rm -rf conftest* - ;; +done -AC_PROVIDE_IFELSE([AC_LIBTOOL_WIN32_DLL], -[*-*-cygwin* | *-*-mingw* | *-*-pw32*) - AC_CHECK_TOOL(DLLTOOL, dlltool, false) - AC_CHECK_TOOL(AS, as, false) - AC_CHECK_TOOL(OBJDUMP, objdump, false) +# Fix-up fallback echo if it was mangled by the above quoting rules. +case \$lt_ECHO in +*'\\\[$]0 --fallback-echo"')dnl " + lt_ECHO=\`\$ECHO "X\$lt_ECHO" | \$Xsed -e 's/\\\\\\\\\\\\\\\[$]0 --fallback-echo"\[$]/\[$]0 --fallback-echo"/'\` ;; - ]) esac -need_locks="$enable_libtool_lock" +_LT_OUTPUT_LIBTOOL_INIT +]) -])# _LT_AC_LOCK +# LT_OUTPUT +# --------- +# This macro allows early generation of the libtool script (before +# AC_OUTPUT is called), incase it is used in configure for compilation +# tests. +AC_DEFUN([LT_OUTPUT], +[: ${CONFIG_LT=./config.lt} +AC_MSG_NOTICE([creating $CONFIG_LT]) +cat >"$CONFIG_LT" <<_LTEOF +#! $SHELL +# Generated by $as_me. +# Run this file to recreate a libtool stub with the current configuration. + +lt_cl_silent=false +SHELL=\${CONFIG_SHELL-$SHELL} +_LTEOF + +cat >>"$CONFIG_LT" <<\_LTEOF +AS_SHELL_SANITIZE +_AS_PREPARE -# AC_LIBTOOL_COMPILER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS, -# [OUTPUT-FILE], [ACTION-SUCCESS], [ACTION-FAILURE]) -# ---------------------------------------------------------------- -# Check whether the given compiler option works -AC_DEFUN([AC_LIBTOOL_COMPILER_OPTION], -[AC_REQUIRE([LT_AC_PROG_SED]) -AC_CACHE_CHECK([$1], [$2], - [$2=no - ifelse([$4], , [ac_outfile=conftest.$ac_objext], [ac_outfile=$4]) - printf "$lt_simple_compile_test_code" > conftest.$ac_ext - lt_compiler_flag="$3" - # Insert the option either (1) after the last *FLAGS variable, or - # (2) before a word containing "conftest.", or (3) at the end. 
- # Note that $ac_compile itself does not contain backslashes and begins - # with a dollar sign (not a hyphen), so the echo should work correctly. - # The option is referenced via a variable to avoid confusing sed. - lt_compile=`echo "$ac_compile" | $SED \ - -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ - -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \ - -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD) - (eval "$lt_compile" 2>conftest.err) - ac_status=$? - cat conftest.err >&AS_MESSAGE_LOG_FD - echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD - if (exit $ac_status) && test -s "$ac_outfile"; then - # The compiler can only warn and ignore the option if not recognized - # So say no if there are warnings other than the usual output. - $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp - $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 - if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then - $2=yes - fi - fi - $rm conftest* -]) +exec AS_MESSAGE_FD>&1 +exec AS_MESSAGE_LOG_FD>>config.log +{ + echo + AS_BOX([Running $as_me.]) +} >&AS_MESSAGE_LOG_FD + +lt_cl_help="\ +\`$as_me' creates a local libtool stub from the current configuration, +for use in further configure time tests before the real libtool is +generated. + +Usage: $[0] [[OPTIONS]] + + -h, --help print this help, then exit + -V, --version print version number, then exit + -q, --quiet do not print progress messages + -d, --debug don't remove temporary files + +Report bugs to ." + +lt_cl_version="\ +m4_ifset([AC_PACKAGE_NAME], [AC_PACKAGE_NAME ])config.lt[]dnl +m4_ifset([AC_PACKAGE_VERSION], [ AC_PACKAGE_VERSION]) +configured by $[0], generated by m4_PACKAGE_STRING. + +Copyright (C) 2008 Free Software Foundation, Inc. +This config.lt script is free software; the Free Software Foundation +gives unlimited permision to copy, distribute and modify it." 
-if test x"[$]$2" = xyes; then - ifelse([$5], , :, [$5]) -else - ifelse([$6], , :, [$6]) -fi -])# AC_LIBTOOL_COMPILER_OPTION +while test $[#] != 0 +do + case $[1] in + --version | --v* | -V ) + echo "$lt_cl_version"; exit 0 ;; + --help | --h* | -h ) + echo "$lt_cl_help"; exit 0 ;; + --debug | --d* | -d ) + debug=: ;; + --quiet | --q* | --silent | --s* | -q ) + lt_cl_silent=: ;; + -*) AC_MSG_ERROR([unrecognized option: $[1] +Try \`$[0] --help' for more information.]) ;; -# AC_LIBTOOL_LINKER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS, -# [ACTION-SUCCESS], [ACTION-FAILURE]) -# ------------------------------------------------------------ -# Check whether the given compiler option works -AC_DEFUN([AC_LIBTOOL_LINKER_OPTION], -[AC_CACHE_CHECK([$1], [$2], - [$2=no - save_LDFLAGS="$LDFLAGS" - LDFLAGS="$LDFLAGS $3" - printf "$lt_simple_link_test_code" > conftest.$ac_ext - if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then - # The linker can only warn and ignore the option if not recognized - # So say no if there are warnings - if test -s conftest.err; then - # Append any errors to the config.log. 
- cat conftest.err 1>&AS_MESSAGE_LOG_FD - $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp - $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 - if diff conftest.exp conftest.er2 >/dev/null; then - $2=yes - fi - else - $2=yes - fi - fi - $rm conftest* - LDFLAGS="$save_LDFLAGS" -]) + *) AC_MSG_ERROR([unrecognized argument: $[1] +Try \`$[0] --help' for more information.]) ;; + esac + shift +done -if test x"[$]$2" = xyes; then - ifelse([$4], , :, [$4]) -else - ifelse([$5], , :, [$5]) +if $lt_cl_silent; then + exec AS_MESSAGE_FD>/dev/null fi -])# AC_LIBTOOL_LINKER_OPTION +_LTEOF +cat >>"$CONFIG_LT" <<_LTEOF +_LT_OUTPUT_LIBTOOL_COMMANDS_INIT +_LTEOF + +cat >>"$CONFIG_LT" <<\_LTEOF +AC_MSG_NOTICE([creating $ofile]) +_LT_OUTPUT_LIBTOOL_COMMANDS +AS_EXIT(0) +_LTEOF +chmod +x "$CONFIG_LT" + +# configure is writing to config.log, but config.lt does its own redirection, +# appending to config.log, which fails on DOS, as config.log is still kept +# open by configure. Here we exec the FD to /dev/null, effectively closing +# config.log, so it can be properly (re)opened and appended to by config.lt. +if test "$no_create" != yes; then + lt_cl_success=: + test "$silent" = yes && + lt_config_lt_args="$lt_config_lt_args --quiet" + exec AS_MESSAGE_LOG_FD>/dev/null + $SHELL "$CONFIG_LT" $lt_config_lt_args || lt_cl_success=false + exec AS_MESSAGE_LOG_FD>>config.log + $lt_cl_success || AS_EXIT(1) +fi +])# LT_OUTPUT -# AC_LIBTOOL_SYS_MAX_CMD_LEN -# -------------------------- -AC_DEFUN([AC_LIBTOOL_SYS_MAX_CMD_LEN], -[# find the maximum length of command line arguments -AC_MSG_CHECKING([the maximum length of command line arguments]) -AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl - i=0 - teststring="ABCD" - case $build_os in - msdosdjgpp*) - # On DJGPP, this test can blow up pretty badly due to problems in libc - # (any single argument exceeding 2000 bytes causes a buffer overrun - # during glob expansion). 
Even if it were fixed, the result of this - # check would be larger than it should be. - lt_cv_sys_max_cmd_len=12288; # 12K is about right - ;; +# _LT_CONFIG(TAG) +# --------------- +# If TAG is the built-in tag, create an initial libtool script with a +# default configuration from the untagged config vars. Otherwise add code +# to config.status for appending the configuration named by TAG from the +# matching tagged config vars. +m4_defun([_LT_CONFIG], +[m4_require([_LT_FILEUTILS_DEFAULTS])dnl +_LT_CONFIG_SAVE_COMMANDS([ + m4_define([_LT_TAG], m4_if([$1], [], [C], [$1]))dnl + m4_if(_LT_TAG, [C], [ + # See if we are running on zsh, and set the options which allow our + # commands through without removal of \ escapes. + if test -n "${ZSH_VERSION+set}" ; then + setopt NO_GLOB_SUBST + fi - gnu*) - # Under GNU Hurd, this test is not required because there is - # no limit to the length of command line arguments. - # Libtool will interpret -1 as no limit whatsoever - lt_cv_sys_max_cmd_len=-1; - ;; + cfgfile="${ofile}T" + trap "$RM \"$cfgfile\"; exit 1" 1 2 15 + $RM "$cfgfile" - cygwin* | mingw*) - # On Win9x/ME, this test blows up -- it succeeds, but takes - # about 5 minutes as the teststring grows exponentially. - # Worse, since 9x/ME are not pre-emptively multitasking, - # you end up with a "frozen" computer, even though with patience - # the test eventually succeeds (with a max line length of 256k). - # Instead, let's just punt: use the minimum linelength reported by - # all of the supported platforms: 8192 (on NT/2K/XP). - lt_cv_sys_max_cmd_len=8192; - ;; + cat <<_LT_EOF >> "$cfgfile" +#! $SHELL - amigaos*) - # On AmigaOS with pdksh, this test takes hours, literally. - # So we just punt and use a minimum line length of 8192. - lt_cv_sys_max_cmd_len=8192; - ;; +# `$ECHO "$ofile" | sed 's%^.*/%%'` - Provide generalized library-building support services. 
+# Generated automatically by $as_me ($PACKAGE$TIMESTAMP) $VERSION +# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`: +# NOTE: Changes made to this file will be lost: look at ltmain.sh. +# +_LT_COPYING +_LT_LIBTOOL_TAGS - netbsd* | freebsd* | openbsd* | darwin* | dragonfly*) - # This has been around since 386BSD, at least. Likely further. - if test -x /sbin/sysctl; then - lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax` - elif test -x /usr/sbin/sysctl; then - lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax` - else - lt_cv_sys_max_cmd_len=65536 # usable default for all BSDs - fi - # And add a safety zone - lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` - lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` - ;; +# ### BEGIN LIBTOOL CONFIG +_LT_LIBTOOL_CONFIG_VARS +_LT_LIBTOOL_TAG_VARS +# ### END LIBTOOL CONFIG - interix*) - # We know the value 262144 and hardcode it with a safety zone (like BSD) - lt_cv_sys_max_cmd_len=196608 - ;; +_LT_EOF - osf*) - # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure - # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not - # nice to cause kernel panics so lets avoid the loop below. - # First set a reasonable default. - lt_cv_sys_max_cmd_len=16384 - # - if test -x /sbin/sysconfig; then - case `/sbin/sysconfig -q proc exec_disable_arg_limit` in - *1*) lt_cv_sys_max_cmd_len=-1 ;; - esac - fi - ;; - sco3.2v5*) - lt_cv_sys_max_cmd_len=102400 - ;; - sysv5* | sco5v6* | sysv4.2uw2*) - kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null` - if test -n "$kargmax"; then - lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[[ ]]//'` - else - lt_cv_sys_max_cmd_len=32768 - fi - ;; - *) - # If test is not a shell built-in, we'll probably end up computing a - # maximum length that is only half of the actual maximum length, but - # we can't tell. 
- SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}} - while (test "X"`$SHELL [$]0 --fallback-echo "X$teststring" 2>/dev/null` \ - = "XX$teststring") >/dev/null 2>&1 && - new_result=`expr "X$teststring" : ".*" 2>&1` && - lt_cv_sys_max_cmd_len=$new_result && - test $i != 17 # 1/2 MB should be enough - do - i=`expr $i + 1` - teststring=$teststring$teststring - done - teststring= - # Add a significant safety factor because C++ compilers can tack on massive - # amounts of additional arguments before passing them to the linker. - # It appears as though 1/2 is a usable value. - lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2` + case $host_os in + aix3*) + cat <<\_LT_EOF >> "$cfgfile" +# AIX sometimes has problems with the GCC collect2 program. For some +# reason, if we set the COLLECT_NAMES environment variable, the problems +# vanish in a puff of smoke. +if test "X${COLLECT_NAMES+set}" != Xset; then + COLLECT_NAMES= + export COLLECT_NAMES +fi +_LT_EOF ;; esac -]) -if test -n $lt_cv_sys_max_cmd_len ; then - AC_MSG_RESULT($lt_cv_sys_max_cmd_len) -else - AC_MSG_RESULT(none) -fi -])# AC_LIBTOOL_SYS_MAX_CMD_LEN + + _LT_PROG_LTMAIN + + # We use sed instead of cat because bash on DJGPP gets confused if + # if finds mixed CR/LF and LF-only lines. Since sed operates in + # text mode, it properly converts lines to CR/LF. This bash problem + # is reportedly fixed, but why not run on old versions too? + sed '/^# Generated shell functions inserted here/q' "$ltmain" >> "$cfgfile" \ + || (rm -f "$cfgfile"; exit 1) + + _LT_PROG_XSI_SHELLFNS + + sed -n '/^# Generated shell functions inserted here/,$p' "$ltmain" >> "$cfgfile" \ + || (rm -f "$cfgfile"; exit 1) + + mv -f "$cfgfile" "$ofile" || + (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile") + chmod +x "$ofile" +], +[cat <<_LT_EOF >> "$ofile" + +dnl Unfortunately we have to use $1 here, since _LT_TAG is not expanded +dnl in a comment (ie after a #). 
+# ### BEGIN LIBTOOL TAG CONFIG: $1 +_LT_LIBTOOL_TAG_VARS(_LT_TAG) +# ### END LIBTOOL TAG CONFIG: $1 +_LT_EOF +])dnl /m4_if +], +[m4_if([$1], [], [ + PACKAGE='$PACKAGE' + VERSION='$VERSION' + TIMESTAMP='$TIMESTAMP' + RM='$RM' + ofile='$ofile'], []) +])dnl /_LT_CONFIG_SAVE_COMMANDS +])# _LT_CONFIG -# _LT_AC_CHECK_DLFCN +# LT_SUPPORTED_TAG(TAG) +# --------------------- +# Trace this macro to discover what tags are supported by the libtool +# --tag option, using: +# autoconf --trace 'LT_SUPPORTED_TAG:$1' +AC_DEFUN([LT_SUPPORTED_TAG], []) + + +# C support is built-in for now +m4_define([_LT_LANG_C_enabled], []) +m4_define([_LT_TAGS], []) + + +# LT_LANG(LANG) +# ------------- +# Enable libtool support for the given language if not already enabled. +AC_DEFUN([LT_LANG], +[AC_BEFORE([$0], [LT_OUTPUT])dnl +m4_case([$1], + [C], [_LT_LANG(C)], + [C++], [_LT_LANG(CXX)], + [Java], [_LT_LANG(GCJ)], + [Fortran 77], [_LT_LANG(F77)], + [Fortran], [_LT_LANG(FC)], + [Windows Resource], [_LT_LANG(RC)], + [m4_ifdef([_LT_LANG_]$1[_CONFIG], + [_LT_LANG($1)], + [m4_fatal([$0: unsupported language: "$1"])])])dnl +])# LT_LANG + + +# _LT_LANG(LANGNAME) # ------------------ -AC_DEFUN([_LT_AC_CHECK_DLFCN], -[AC_CHECK_HEADERS(dlfcn.h)dnl -])# _LT_AC_CHECK_DLFCN +m4_defun([_LT_LANG], +[m4_ifdef([_LT_LANG_]$1[_enabled], [], + [LT_SUPPORTED_TAG([$1])dnl + m4_append([_LT_TAGS], [$1 ])dnl + m4_define([_LT_LANG_]$1[_enabled], [])dnl + _LT_LANG_$1_CONFIG($1)])dnl +])# _LT_LANG -# _LT_AC_TRY_DLOPEN_SELF (ACTION-IF-TRUE, ACTION-IF-TRUE-W-USCORE, -# ACTION-IF-FALSE, ACTION-IF-CROSS-COMPILING) -# --------------------------------------------------------------------- -AC_DEFUN([_LT_AC_TRY_DLOPEN_SELF], -[AC_REQUIRE([_LT_AC_CHECK_DLFCN])dnl -if test "$cross_compiling" = yes; then : - [$4] -else - lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 - lt_status=$lt_dlunknown - cat > conftest.$ac_ext < -#endif -#include +# _LT_TAG_COMPILER +# ---------------- +m4_defun([_LT_TAG_COMPILER], 
+[AC_REQUIRE([AC_PROG_CC])dnl -#ifdef RTLD_GLOBAL -# define LT_DLGLOBAL RTLD_GLOBAL -#else -# ifdef DL_GLOBAL -# define LT_DLGLOBAL DL_GLOBAL -# else -# define LT_DLGLOBAL 0 -# endif -#endif +_LT_DECL([LTCC], [CC], [1], [A C compiler])dnl +_LT_DECL([LTCFLAGS], [CFLAGS], [1], [LTCC compiler flags])dnl +_LT_TAGDECL([CC], [compiler], [1], [A language specific compiler])dnl +_LT_TAGDECL([with_gcc], [GCC], [0], [Is the compiler the GNU compiler?])dnl -/* We may have to define LT_DLLAZY_OR_NOW in the command line if we - find out it does not work in some platform. */ -#ifndef LT_DLLAZY_OR_NOW -# ifdef RTLD_LAZY -# define LT_DLLAZY_OR_NOW RTLD_LAZY -# else -# ifdef DL_LAZY -# define LT_DLLAZY_OR_NOW DL_LAZY -# else -# ifdef RTLD_NOW -# define LT_DLLAZY_OR_NOW RTLD_NOW -# else -# ifdef DL_NOW -# define LT_DLLAZY_OR_NOW DL_NOW -# else -# define LT_DLLAZY_OR_NOW 0 -# endif -# endif -# endif -# endif -#endif +# If no C compiler was specified, use CC. +LTCC=${LTCC-"$CC"} -#ifdef __cplusplus -extern "C" void exit (int); -#endif +# If no C compiler flags were specified, use CFLAGS. +LTCFLAGS=${LTCFLAGS-"$CFLAGS"} -void fnord() { int i=42;} -int main () -{ - void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW); - int status = $lt_dlunknown; +# Allow CC to be a program name with arguments. +compiler=$CC +])# _LT_TAG_COMPILER - if (self) - { - if (dlsym (self,"fnord")) status = $lt_dlno_uscore; - else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore; - /* dlclose (self); */ - } - else - puts (dlerror ()); - exit (status); -}] -EOF - if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext} 2>/dev/null; then - (./conftest; exit; ) >&AS_MESSAGE_LOG_FD 2>/dev/null - lt_status=$? 
- case x$lt_status in - x$lt_dlno_uscore) $1 ;; - x$lt_dlneed_uscore) $2 ;; - x$lt_dlunknown|x*) $3 ;; - esac - else : - # compilation failed - $3 - fi -fi -rm -fr conftest* -])# _LT_AC_TRY_DLOPEN_SELF +# _LT_COMPILER_BOILERPLATE +# ------------------------ +# Check for compiler boilerplate output or warnings with +# the simple compiler test code. +m4_defun([_LT_COMPILER_BOILERPLATE], +[m4_require([_LT_DECL_SED])dnl +ac_outfile=conftest.$ac_objext +echo "$lt_simple_compile_test_code" >conftest.$ac_ext +eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err +_lt_compiler_boilerplate=`cat conftest.err` +$RM conftest* +])# _LT_COMPILER_BOILERPLATE -# AC_LIBTOOL_DLOPEN_SELF +# _LT_LINKER_BOILERPLATE # ---------------------- -AC_DEFUN([AC_LIBTOOL_DLOPEN_SELF], -[AC_REQUIRE([_LT_AC_CHECK_DLFCN])dnl -if test "x$enable_dlopen" != xyes; then - enable_dlopen=unknown - enable_dlopen_self=unknown - enable_dlopen_self_static=unknown -else - lt_cv_dlopen=no - lt_cv_dlopen_libs= +# Check for linker boilerplate output or warnings with +# the simple link test code. 
+m4_defun([_LT_LINKER_BOILERPLATE], +[m4_require([_LT_DECL_SED])dnl +ac_outfile=conftest.$ac_objext +echo "$lt_simple_link_test_code" >conftest.$ac_ext +eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err +_lt_linker_boilerplate=`cat conftest.err` +$RM -r conftest* +])# _LT_LINKER_BOILERPLATE +# _LT_REQUIRED_DARWIN_CHECKS +# ------------------------- +m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[ case $host_os in - beos*) - lt_cv_dlopen="load_add_on" - lt_cv_dlopen_libs= - lt_cv_dlopen_self=yes - ;; - - mingw* | pw32*) - lt_cv_dlopen="LoadLibrary" - lt_cv_dlopen_libs= - ;; - - cygwin*) - lt_cv_dlopen="dlopen" - lt_cv_dlopen_libs= - ;; - - darwin*) - # if libdl is installed we need to link against it - AC_CHECK_LIB([dl], [dlopen], - [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"],[ - lt_cv_dlopen="dyld" - lt_cv_dlopen_libs= - lt_cv_dlopen_self=yes + rhapsody* | darwin*) + AC_CHECK_TOOL([DSYMUTIL], [dsymutil], [:]) + AC_CHECK_TOOL([NMEDIT], [nmedit], [:]) + AC_CHECK_TOOL([LIPO], [lipo], [:]) + AC_CHECK_TOOL([OTOOL], [otool], [:]) + AC_CHECK_TOOL([OTOOL64], [otool64], [:]) + _LT_DECL([], [DSYMUTIL], [1], + [Tool to manipulate archived DWARF debug symbol files on Mac OS X]) + _LT_DECL([], [NMEDIT], [1], + [Tool to change global to local symbols on Mac OS X]) + _LT_DECL([], [LIPO], [1], + [Tool to manipulate fat objects and archives on Mac OS X]) + _LT_DECL([], [OTOOL], [1], + [ldd/readelf like tool for Mach-O binaries on Mac OS X]) + _LT_DECL([], [OTOOL64], [1], + [ldd/readelf like tool for 64 bit Mach-O binaries on Mac OS X 10.4]) + + AC_CACHE_CHECK([for -single_module linker flag],[lt_cv_apple_cc_single_mod], + [lt_cv_apple_cc_single_mod=no + if test -z "${LT_MULTI_MODULE}"; then + # By default we will add the -single_module flag. You can override + # by either setting the environment variable LT_MULTI_MODULE + # non-empty at configure time, or by adding -multi_module to the + # link flags. 
+ rm -rf libconftest.dylib* + echo "int foo(void){return 1;}" > conftest.c + echo "$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \ +-dynamiclib -Wl,-single_module conftest.c" >&AS_MESSAGE_LOG_FD + $LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \ + -dynamiclib -Wl,-single_module conftest.c 2>conftest.err + _lt_result=$? + if test -f libconftest.dylib && test ! -s conftest.err && test $_lt_result = 0; then + lt_cv_apple_cc_single_mod=yes + else + cat conftest.err >&AS_MESSAGE_LOG_FD + fi + rm -rf libconftest.dylib* + rm -f conftest.* + fi]) + AC_CACHE_CHECK([for -exported_symbols_list linker flag], + [lt_cv_ld_exported_symbols_list], + [lt_cv_ld_exported_symbols_list=no + save_LDFLAGS=$LDFLAGS + echo "_main" > conftest.sym + LDFLAGS="$LDFLAGS -Wl,-exported_symbols_list,conftest.sym" + AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])], + [lt_cv_ld_exported_symbols_list=yes], + [lt_cv_ld_exported_symbols_list=no]) + LDFLAGS="$save_LDFLAGS" ]) - ;; - - *) - AC_CHECK_FUNC([shl_load], - [lt_cv_dlopen="shl_load"], - [AC_CHECK_LIB([dld], [shl_load], - [lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-dld"], - [AC_CHECK_FUNC([dlopen], - [lt_cv_dlopen="dlopen"], - [AC_CHECK_LIB([dl], [dlopen], - [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"], - [AC_CHECK_LIB([svld], [dlopen], - [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"], - [AC_CHECK_LIB([dld], [dld_link], - [lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-dld"]) - ]) - ]) - ]) - ]) - ]) + case $host_os in + rhapsody* | darwin1.[[012]]) + _lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;; + darwin1.*) + _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;; + darwin*) # darwin 5.x on + # if running on 10.5 or later, the deployment target defaults + # to the OS version, if on x86, and 10.4, the deployment + # target defaults to 10.4. Don't you love it? 
+ case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in + 10.0,*86*-darwin8*|10.0,*-darwin[[91]]*) + _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;; + 10.[[012]]*) + _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;; + 10.*) + _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;; + esac + ;; + esac + if test "$lt_cv_apple_cc_single_mod" = "yes"; then + _lt_dar_single_mod='$single_module' + fi + if test "$lt_cv_ld_exported_symbols_list" = "yes"; then + _lt_dar_export_syms=' ${wl}-exported_symbols_list,$output_objdir/${libname}-symbols.expsym' + else + _lt_dar_export_syms='~$NMEDIT -s $output_objdir/${libname}-symbols.expsym ${lib}' + fi + if test "$DSYMUTIL" != ":"; then + _lt_dsymutil='~$DSYMUTIL $lib || :' + else + _lt_dsymutil= + fi ;; esac +]) - if test "x$lt_cv_dlopen" != xno; then - enable_dlopen=yes + +# _LT_DARWIN_LINKER_FEATURES +# -------------------------- +# Checks for linker and compiler features on darwin +m4_defun([_LT_DARWIN_LINKER_FEATURES], +[ + m4_require([_LT_REQUIRED_DARWIN_CHECKS]) + _LT_TAGVAR(archive_cmds_need_lc, $1)=no + _LT_TAGVAR(hardcode_direct, $1)=no + _LT_TAGVAR(hardcode_automatic, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported + _LT_TAGVAR(whole_archive_flag_spec, $1)='' + _LT_TAGVAR(link_all_deplibs, $1)=yes + _LT_TAGVAR(allow_undefined_flag, $1)="$_lt_dar_allow_undefined" + case $cc_basename in + ifort*) _lt_dar_can_shared=yes ;; + *) _lt_dar_can_shared=$GCC ;; + esac + if test "$_lt_dar_can_shared" = "yes"; then + output_verbose_link_cmd=echo + _LT_TAGVAR(archive_cmds, $1)="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}" + _LT_TAGVAR(module_cmds, $1)="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}" + _LT_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > 
\$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}" + _LT_TAGVAR(module_expsym_cmds, $1)="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}" + m4_if([$1], [CXX], +[ if test "$lt_cv_apple_cc_single_mod" != "yes"; then + _LT_TAGVAR(archive_cmds, $1)="\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dsymutil}" + _LT_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dar_export_syms}${_lt_dsymutil}" + fi +],[]) else - enable_dlopen=no + _LT_TAGVAR(ld_shlibs, $1)=no fi +]) - case $lt_cv_dlopen in - dlopen) - save_CPPFLAGS="$CPPFLAGS" - test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H" - - save_LDFLAGS="$LDFLAGS" - wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\" +# _LT_SYS_MODULE_PATH_AIX +# ----------------------- +# Links a minimal program and checks the executable +# for the system default hardcoded library path. In most cases, +# this is /usr/lib:/lib, but when the MPI compilers are used +# the location of the communication and MPI libs are included too. +# If we don't find anything, use the default library path according +# to the aix ld manual. 
+m4_defun([_LT_SYS_MODULE_PATH_AIX], +[m4_require([_LT_DECL_SED])dnl +AC_LINK_IFELSE(AC_LANG_PROGRAM,[ +lt_aix_libpath_sed=' + /Import File Strings/,/^$/ { + /^0/ { + s/^0 *\(.*\)$/\1/ + p + } + }' +aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` +# Check for a 64-bit object if we didn't find anything. +if test -z "$aix_libpath"; then + aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` +fi],[]) +if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi +])# _LT_SYS_MODULE_PATH_AIX - save_LIBS="$LIBS" - LIBS="$lt_cv_dlopen_libs $LIBS" - AC_CACHE_CHECK([whether a program can dlopen itself], - lt_cv_dlopen_self, [dnl - _LT_AC_TRY_DLOPEN_SELF( - lt_cv_dlopen_self=yes, lt_cv_dlopen_self=yes, - lt_cv_dlopen_self=no, lt_cv_dlopen_self=cross) - ]) +# _LT_SHELL_INIT(ARG) +# ------------------- +m4_define([_LT_SHELL_INIT], +[ifdef([AC_DIVERSION_NOTICE], + [AC_DIVERT_PUSH(AC_DIVERSION_NOTICE)], + [AC_DIVERT_PUSH(NOTICE)]) +$1 +AC_DIVERT_POP +])# _LT_SHELL_INIT - if test "x$lt_cv_dlopen_self" = xyes; then - wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\" - AC_CACHE_CHECK([whether a statically linked program can dlopen itself], - lt_cv_dlopen_self_static, [dnl - _LT_AC_TRY_DLOPEN_SELF( - lt_cv_dlopen_self_static=yes, lt_cv_dlopen_self_static=yes, - lt_cv_dlopen_self_static=no, lt_cv_dlopen_self_static=cross) - ]) - fi - CPPFLAGS="$save_CPPFLAGS" - LDFLAGS="$save_LDFLAGS" - LIBS="$save_LIBS" - ;; - esac +# _LT_PROG_ECHO_BACKSLASH +# ----------------------- +# Add some code to the start of the generated configure script which +# will find an echo command which doesn't interpret backslashes. +m4_defun([_LT_PROG_ECHO_BACKSLASH], +[_LT_SHELL_INIT([ +# Check that we are running under the correct shell. 
+SHELL=${CONFIG_SHELL-/bin/sh} - case $lt_cv_dlopen_self in - yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;; - *) enable_dlopen_self=unknown ;; - esac +case X$lt_ECHO in +X*--fallback-echo) + # Remove one level of quotation (which was required for Make). + ECHO=`echo "$lt_ECHO" | sed 's,\\\\\[$]\\[$]0,'[$]0','` + ;; +esac - case $lt_cv_dlopen_self_static in - yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;; - *) enable_dlopen_self_static=unknown ;; - esac +ECHO=${lt_ECHO-echo} +if test "X[$]1" = X--no-reexec; then + # Discard the --no-reexec flag, and continue. + shift +elif test "X[$]1" = X--fallback-echo; then + # Avoid inline document here, it may be left over + : +elif test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' ; then + # Yippee, $ECHO works! + : +else + # Restart under the correct shell. + exec $SHELL "[$]0" --no-reexec ${1+"[$]@"} fi -])# AC_LIBTOOL_DLOPEN_SELF +if test "X[$]1" = X--fallback-echo; then + # used as fallback echo + shift + cat <<_LT_EOF +[$]* +_LT_EOF + exit 0 +fi -# AC_LIBTOOL_PROG_CC_C_O([TAGNAME]) -# --------------------------------- -# Check to see if options -c and -o are simultaneously supported by compiler -AC_DEFUN([AC_LIBTOOL_PROG_CC_C_O], -[AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl -AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext], - [_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)], - [_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=no - $rm -r conftest 2>/dev/null - mkdir conftest - cd conftest - mkdir out - printf "$lt_simple_compile_test_code" > conftest.$ac_ext - - lt_compiler_flag="-o out/conftest2.$ac_objext" - # Insert the option either (1) after the last *FLAGS variable, or - # (2) before a word containing "conftest.", or (3) at the end. - # Note that $ac_compile itself does not contain backslashes and begins - # with a dollar sign (not a hyphen), so the echo should work correctly. 
- lt_compile=`echo "$ac_compile" | $SED \ - -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ - -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \ - -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD) - (eval "$lt_compile" 2>out/conftest.err) - ac_status=$? - cat out/conftest.err >&AS_MESSAGE_LOG_FD - echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD - if (exit $ac_status) && test -s out/conftest2.$ac_objext - then - # The compiler can only warn and ignore the option if not recognized - # So say no if there are warnings - $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp - $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2 - if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then - _LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes - fi - fi - chmod u+w . 2>&AS_MESSAGE_LOG_FD - $rm conftest* - # SGI C++ compiler will create directory out/ii_files/ for - # template instantiation - test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files - $rm out/* && rmdir out - cd .. - rmdir conftest - $rm conftest* -]) -])# AC_LIBTOOL_PROG_CC_C_O +# The HP-UX ksh and POSIX shell print the target directory to stdout +# if CDPATH is set. +(unset CDPATH) >/dev/null 2>&1 && unset CDPATH +if test -z "$lt_ECHO"; then + if test "X${echo_test_string+set}" != Xset; then + # find a string as large as possible, as long as the shell can cope with it + for cmd in 'sed 50q "[$]0"' 'sed 20q "[$]0"' 'sed 10q "[$]0"' 'sed 2q "[$]0"' 'echo test'; do + # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ... 
+ if { echo_test_string=`eval $cmd`; } 2>/dev/null && + { test "X$echo_test_string" = "X$echo_test_string"; } 2>/dev/null + then + break + fi + done + fi -# AC_LIBTOOL_SYS_HARD_LINK_LOCKS([TAGNAME]) -# ----------------------------------------- -# Check to see if we can do hard links to lock some files if needed -AC_DEFUN([AC_LIBTOOL_SYS_HARD_LINK_LOCKS], -[AC_REQUIRE([_LT_AC_LOCK])dnl + if test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' && + echo_testing_string=`{ $ECHO "$echo_test_string"; } 2>/dev/null` && + test "X$echo_testing_string" = "X$echo_test_string"; then + : + else + # The Solaris, AIX, and Digital Unix default echo programs unquote + # backslashes. This makes it impossible to quote backslashes using + # echo "$something" | sed 's/\\/\\\\/g' + # + # So, first we look for a working echo in the user's PATH. -hard_links="nottested" -if test "$_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)" = no && test "$need_locks" != no; then - # do not overwrite the value of need_locks provided by the user - AC_MSG_CHECKING([if we can lock with hard links]) - hard_links=yes - $rm conftest* - ln conftest.a conftest.b 2>/dev/null && hard_links=no - touch conftest.a - ln conftest.a conftest.b 2>&5 || hard_links=no - ln conftest.a conftest.b 2>/dev/null && hard_links=no - AC_MSG_RESULT([$hard_links]) - if test "$hard_links" = no; then - AC_MSG_WARN([`$CC' does not support `-c -o', so `make -j' may be unsafe]) - need_locks=warn - fi -else - need_locks=no -fi -])# AC_LIBTOOL_SYS_HARD_LINK_LOCKS - - -# AC_LIBTOOL_OBJDIR -# ----------------- -AC_DEFUN([AC_LIBTOOL_OBJDIR], -[AC_CACHE_CHECK([for objdir], [lt_cv_objdir], -[rm -f .libs 2>/dev/null -mkdir .libs 2>/dev/null -if test -d .libs; then - lt_cv_objdir=.libs -else - # MS-DOS does not allow filenames that begin with a dot. 
- lt_cv_objdir=_libs -fi -rmdir .libs 2>/dev/null]) -objdir=$lt_cv_objdir -])# AC_LIBTOOL_OBJDIR + lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR + for dir in $PATH /usr/ucb; do + IFS="$lt_save_ifs" + if (test -f $dir/echo || test -f $dir/echo$ac_exeext) && + test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' && + echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` && + test "X$echo_testing_string" = "X$echo_test_string"; then + ECHO="$dir/echo" + break + fi + done + IFS="$lt_save_ifs" + if test "X$ECHO" = Xecho; then + # We didn't find a better echo, so look for alternatives. + if test "X`{ print -r '\t'; } 2>/dev/null`" = 'X\t' && + echo_testing_string=`{ print -r "$echo_test_string"; } 2>/dev/null` && + test "X$echo_testing_string" = "X$echo_test_string"; then + # This shell has a builtin print -r that does the trick. + ECHO='print -r' + elif { test -f /bin/ksh || test -f /bin/ksh$ac_exeext; } && + test "X$CONFIG_SHELL" != X/bin/ksh; then + # If we have ksh, try running configure again with it. + ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh} + export ORIGINAL_CONFIG_SHELL + CONFIG_SHELL=/bin/ksh + export CONFIG_SHELL + exec $CONFIG_SHELL "[$]0" --no-reexec ${1+"[$]@"} + else + # Try using printf. 
+ ECHO='printf %s\n' + if test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' && + echo_testing_string=`{ $ECHO "$echo_test_string"; } 2>/dev/null` && + test "X$echo_testing_string" = "X$echo_test_string"; then + # Cool, printf works + : + elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` && + test "X$echo_testing_string" = 'X\t' && + echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` && + test "X$echo_testing_string" = "X$echo_test_string"; then + CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL + export CONFIG_SHELL + SHELL="$CONFIG_SHELL" + export SHELL + ECHO="$CONFIG_SHELL [$]0 --fallback-echo" + elif echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` && + test "X$echo_testing_string" = 'X\t' && + echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` && + test "X$echo_testing_string" = "X$echo_test_string"; then + ECHO="$CONFIG_SHELL [$]0 --fallback-echo" + else + # maybe with a smaller string... + prev=: -# AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH([TAGNAME]) -# ---------------------------------------------- -# Check hardcoding attributes. -AC_DEFUN([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH], -[AC_MSG_CHECKING([how to hardcode library paths into programs]) -_LT_AC_TAGVAR(hardcode_action, $1)= -if test -n "$_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)" || \ - test -n "$_LT_AC_TAGVAR(runpath_var, $1)" || \ - test "X$_LT_AC_TAGVAR(hardcode_automatic, $1)" = "Xyes" ; then + for cmd in 'echo test' 'sed 2q "[$]0"' 'sed 10q "[$]0"' 'sed 20q "[$]0"' 'sed 50q "[$]0"'; do + if { test "X$echo_test_string" = "X`eval $cmd`"; } 2>/dev/null + then + break + fi + prev="$cmd" + done - # We can hardcode non-existant directories. 
- if test "$_LT_AC_TAGVAR(hardcode_direct, $1)" != no && - # If the only mechanism to avoid hardcoding is shlibpath_var, we - # have to relink, otherwise we might link with an installed library - # when we should be linking with a yet-to-be-installed one - ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)" != no && - test "$_LT_AC_TAGVAR(hardcode_minus_L, $1)" != no; then - # Linking always hardcodes the temporary library directory. - _LT_AC_TAGVAR(hardcode_action, $1)=relink - else - # We can link without hardcoding, and we can hardcode nonexisting dirs. - _LT_AC_TAGVAR(hardcode_action, $1)=immediate + if test "$prev" != 'sed 50q "[$]0"'; then + echo_test_string=`eval $prev` + export echo_test_string + exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "[$]0" ${1+"[$]@"} + else + # Oops. We lost completely, so just stick with echo. + ECHO=echo + fi + fi + fi + fi fi -else - # We cannot hardcode anything, or else we can only hardcode existing - # directories. - _LT_AC_TAGVAR(hardcode_action, $1)=unsupported fi -AC_MSG_RESULT([$_LT_AC_TAGVAR(hardcode_action, $1)]) -if test "$_LT_AC_TAGVAR(hardcode_action, $1)" = relink; then - # Fast installation is not supported - enable_fast_install=no -elif test "$shlibpath_overrides_runpath" = yes || - test "$enable_shared" = no; then - # Fast installation is not necessary - enable_fast_install=needless +# Copy echo and quote the copy suitably for passing to libtool from +# the Makefile, instead of quoting the original, which is used later. 
+lt_ECHO=$ECHO +if test "X$lt_ECHO" = "X$CONFIG_SHELL [$]0 --fallback-echo"; then + lt_ECHO="$CONFIG_SHELL \\\$\[$]0 --fallback-echo" fi -])# AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH +AC_SUBST(lt_ECHO) +]) +_LT_DECL([], [SHELL], [1], [Shell to use when invoking shell scripts]) +_LT_DECL([], [ECHO], [1], + [An echo program that does not interpret backslashes]) +])# _LT_PROG_ECHO_BACKSLASH -# AC_LIBTOOL_SYS_LIB_STRIP -# ------------------------ -AC_DEFUN([AC_LIBTOOL_SYS_LIB_STRIP], -[striplib= -old_striplib= -AC_MSG_CHECKING([whether stripping libraries is possible]) -if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then - test -z "$old_striplib" && old_striplib="$STRIP --strip-debug" - test -z "$striplib" && striplib="$STRIP --strip-unneeded" - AC_MSG_RESULT([yes]) -else -# FIXME - insert some real tests, host_os isn't really good enough - case $host_os in - darwin*) - if test -n "$STRIP" ; then - striplib="$STRIP -x" - AC_MSG_RESULT([yes]) - else - AC_MSG_RESULT([no]) -fi - ;; - *) - AC_MSG_RESULT([no]) - ;; - esac -fi -])# AC_LIBTOOL_SYS_LIB_STRIP +# _LT_ENABLE_LOCK +# --------------- +m4_defun([_LT_ENABLE_LOCK], +[AC_ARG_ENABLE([libtool-lock], + [AS_HELP_STRING([--disable-libtool-lock], + [avoid locking (might break parallel builds)])]) +test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes -# AC_LIBTOOL_SYS_DYNAMIC_LINKER -# ----------------------------- -# PORTME Fill in your ld.so characteristics -AC_DEFUN([AC_LIBTOOL_SYS_DYNAMIC_LINKER], -[AC_MSG_CHECKING([dynamic linker characteristics]) -library_names_spec= -libname_spec='lib$name' -soname_spec= -shrext_cmds=".so" -postinstall_cmds= -postuninstall_cmds= -finish_cmds= -finish_eval= -shlibpath_var= -shlibpath_overrides_runpath=unknown -version_type=none -dynamic_linker="$host_os ld.so" -sys_lib_dlsearch_path_spec="/lib /usr/lib" -if test "$GCC" = yes; then - sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"` - if echo 
"$sys_lib_search_path_spec" | grep ';' >/dev/null ; then - # if the path contains ";" then we assume it to be the separator - # otherwise default to the standard path separator (i.e. ":") - it is - # assumed that no part of a normal pathname contains ";" but that should - # okay in the real world where ";" in dirpaths is itself problematic. - sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'` - else - sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` +# Some flags need to be propagated to the compiler or linker for good +# libtool support. +case $host in +ia64-*-hpux*) + # Find out which ABI we are using. + echo 'int i;' > conftest.$ac_ext + if AC_TRY_EVAL(ac_compile); then + case `/usr/bin/file conftest.$ac_objext` in + *ELF-32*) + HPUX_IA64_MODE="32" + ;; + *ELF-64*) + HPUX_IA64_MODE="64" + ;; + esac fi -else - sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib" -fi -need_lib_prefix=unknown -hardcode_into_libs=no - -# when you set need_version to no, make sure it does not cause -set_version -# flags to be left without arguments -need_version=unknown - -case $host_os in -aix3*) - version_type=linux - library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a' - shlibpath_var=LIBPATH - - # AIX 3 has no versioning support, so we append a major version to the name. - soname_spec='${libname}${release}${shared_ext}$major' + rm -rf conftest* ;; - -aix4* | aix5*) - version_type=linux - need_lib_prefix=no - need_version=no - hardcode_into_libs=yes - if test "$host_cpu" = ia64; then - # AIX 5 supports IA64 - library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}' - shlibpath_var=LD_LIBRARY_PATH - else - # With GCC up to 2.95.x, collect2 would create an import file - # for dependence libraries. The import file would start with - # the line `#! .'. 
This would cause the generated library to - # depend on `.', always an invalid library. This was fixed in - # development snapshots of GCC prior to 3.0. - case $host_os in - aix4 | aix4.[[01]] | aix4.[[01]].*) - if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)' - echo ' yes ' - echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then - : - else - can_build_shared=no - fi - ;; - esac - # AIX (on Power*) has no versioning support, so currently we can not hardcode correct - # soname into executable. Probably we can add versioning support to - # collect2, so additional links can be useful in future. - if test "$aix_use_runtimelinking" = yes; then - # If using run time linking (on AIX 4.2 or later) use lib.so - # instead of lib.a to let people know that these are not - # typical AIX shared libraries. - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' +*-*-irix6*) + # Find out which ABI we are using. + echo '[#]line __oline__ "configure"' > conftest.$ac_ext + if AC_TRY_EVAL(ac_compile); then + if test "$lt_cv_prog_gnu_ld" = yes; then + case `/usr/bin/file conftest.$ac_objext` in + *32-bit*) + LD="${LD-ld} -melf32bsmip" + ;; + *N32*) + LD="${LD-ld} -melf32bmipn32" + ;; + *64-bit*) + LD="${LD-ld} -melf64bmip" + ;; + esac else - # We preserve .a as extension for shared libraries through AIX4.2 - # and later when we are not doing run time linking. - library_names_spec='${libname}${release}.a $libname.a' - soname_spec='${libname}${release}${shared_ext}$major' + case `/usr/bin/file conftest.$ac_objext` in + *32-bit*) + LD="${LD-ld} -32" + ;; + *N32*) + LD="${LD-ld} -n32" + ;; + *64-bit*) + LD="${LD-ld} -64" + ;; + esac fi - shlibpath_var=LIBPATH fi + rm -rf conftest* ;; -amigaos*) - library_names_spec='$libname.ixlibrary $libname.a' - # Create ${libname}_ixlibrary.a entries in /sys/libs. 
- finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([[^/]]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done' +x86_64-*kfreebsd*-gnu|x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*| \ +s390*-*linux*|s390*-*tpf*|sparc*-*linux*) + # Find out which ABI we are using. + echo 'int i;' > conftest.$ac_ext + if AC_TRY_EVAL(ac_compile); then + case `/usr/bin/file conftest.o` in + *32-bit*) + case $host in + x86_64-*kfreebsd*-gnu) + LD="${LD-ld} -m elf_i386_fbsd" + ;; + x86_64-*linux*) + LD="${LD-ld} -m elf_i386" + ;; + ppc64-*linux*|powerpc64-*linux*) + LD="${LD-ld} -m elf32ppclinux" + ;; + s390x-*linux*) + LD="${LD-ld} -m elf_s390" + ;; + sparc64-*linux*) + LD="${LD-ld} -m elf32_sparc" + ;; + esac + ;; + *64-bit*) + case $host in + x86_64-*kfreebsd*-gnu) + LD="${LD-ld} -m elf_x86_64_fbsd" + ;; + x86_64-*linux*) + LD="${LD-ld} -m elf_x86_64" + ;; + ppc*-*linux*|powerpc*-*linux*) + LD="${LD-ld} -m elf64ppc" + ;; + s390*-*linux*|s390*-*tpf*) + LD="${LD-ld} -m elf64_s390" + ;; + sparc*-*linux*) + LD="${LD-ld} -m elf64_sparc" + ;; + esac + ;; + esac + fi + rm -rf conftest* ;; -beos*) - library_names_spec='${libname}${shared_ext}' - dynamic_linker="$host_os ld.so" - shlibpath_var=LIBRARY_PATH +*-*-sco3.2v5*) + # On SCO OpenServer 5, we need -belf to get full-featured binaries. 
+ SAVE_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -belf" + AC_CACHE_CHECK([whether the C compiler needs -belf], lt_cv_cc_needs_belf, + [AC_LANG_PUSH(C) + AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],[[]])],[lt_cv_cc_needs_belf=yes],[lt_cv_cc_needs_belf=no]) + AC_LANG_POP]) + if test x"$lt_cv_cc_needs_belf" != x"yes"; then + # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf + CFLAGS="$SAVE_CFLAGS" + fi ;; - -bsdi[[45]]*) - version_type=linux - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir' - shlibpath_var=LD_LIBRARY_PATH - sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib" - sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib" - # the default ld.so.conf also contains /usr/contrib/lib and - # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow - # libtool to hard-code these into programs +sparc*-*solaris*) + # Find out which ABI we are using. + echo 'int i;' > conftest.$ac_ext + if AC_TRY_EVAL(ac_compile); then + case `/usr/bin/file conftest.o` in + *64-bit*) + case $lt_cv_prog_gnu_ld in + yes*) LD="${LD-ld} -m elf64_sparc" ;; + *) + if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then + LD="${LD-ld} -64" + fi + ;; + esac + ;; + esac + fi + rm -rf conftest* ;; +esac -cygwin* | mingw* | pw32*) - version_type=windows - shrext_cmds=".dll" - need_version=no - need_lib_prefix=no +need_locks="$enable_libtool_lock" +])# _LT_ENABLE_LOCK - case $GCC,$host_os in - yes,cygwin* | yes,mingw* | yes,pw32*) - library_names_spec='$libname.dll.a' - # DLL is installed to $(libdir)/../bin by postinstall_cmds - postinstall_cmds='base_file=`basename \${file}`~ - dlpath=`$SHELL 2>&1 -c '\''. 
$dir/'\''\${base_file}'\''i;echo \$dlname'\''`~ - dldir=$destdir/`dirname \$dlpath`~ - test -d \$dldir || mkdir -p \$dldir~ - $install_prog $dir/$dlname \$dldir/$dlname~ - chmod a+x \$dldir/$dlname' - postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~ - dlpath=$dir/\$dldll~ - $rm \$dlpath' - shlibpath_overrides_runpath=yes - case $host_os in - cygwin*) - # Cygwin DLLs use 'cyg' prefix rather than 'lib' - soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}' - sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib" - ;; - mingw*) - # MinGW DLLs use traditional 'lib' prefix - soname_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}' - sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"` - if echo "$sys_lib_search_path_spec" | [grep ';[c-zC-Z]:/' >/dev/null]; then - # It is most probably a Windows format PATH printed by - # mingw gcc, but we are running on Cygwin. Gcc prints its search - # path with ; separators, and with drive letters. We can handle the - # drive letters (cygwin fileutils understands them), so leave them, - # especially as we might pass files found there to a mingw objdump, - # which wouldn't understand a cygwinified path. Ahh. 
- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'` - else - sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` - fi - ;; - pw32*) - # pw32 DLLs use 'pw' prefix rather than 'lib' - library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}' - ;; - esac - ;; +# _LT_CMD_OLD_ARCHIVE +# ------------------- +m4_defun([_LT_CMD_OLD_ARCHIVE], +[AC_CHECK_TOOL(AR, ar, false) +test -z "$AR" && AR=ar +test -z "$AR_FLAGS" && AR_FLAGS=cru +_LT_DECL([], [AR], [1], [The archiver]) +_LT_DECL([], [AR_FLAGS], [1]) + +AC_CHECK_TOOL(STRIP, strip, :) +test -z "$STRIP" && STRIP=: +_LT_DECL([], [STRIP], [1], [A symbol stripping program]) + +AC_CHECK_TOOL(RANLIB, ranlib, :) +test -z "$RANLIB" && RANLIB=: +_LT_DECL([], [RANLIB], [1], + [Commands used to install an old-style archive]) + +# Determine commands to create old-style static archives. +old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs' +old_postinstall_cmds='chmod 644 $oldlib' +old_postuninstall_cmds= +if test -n "$RANLIB"; then + case $host_os in + openbsd*) + old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib" + ;; *) - library_names_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext} $libname.lib' + old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib" ;; esac - dynamic_linker='Win32 ld.exe' - # FIXME: first we should search . 
and the directory the executable is in - shlibpath_var=PATH - ;; + old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib" +fi +_LT_DECL([], [old_postinstall_cmds], [2]) +_LT_DECL([], [old_postuninstall_cmds], [2]) +_LT_TAGDECL([], [old_archive_cmds], [2], + [Commands used to build an old-style archive]) +])# _LT_CMD_OLD_ARCHIVE -darwin* | rhapsody*) - dynamic_linker="$host_os dyld" - version_type=darwin - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext' - soname_spec='${libname}${release}${major}$shared_ext' - shlibpath_overrides_runpath=yes - shlibpath_var=DYLD_LIBRARY_PATH - shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`' - # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same. - if test "$GCC" = yes; then - sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"` - else - sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib' - fi - sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib' - ;; -dgux*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - ;; +# _LT_COMPILER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS, +# [OUTPUT-FILE], [ACTION-SUCCESS], [ACTION-FAILURE]) +# ---------------------------------------------------------------- +# Check whether the given compiler option works +AC_DEFUN([_LT_COMPILER_OPTION], +[m4_require([_LT_FILEUTILS_DEFAULTS])dnl +m4_require([_LT_DECL_SED])dnl +AC_CACHE_CHECK([$1], [$2], + [$2=no + m4_if([$4], , [ac_outfile=conftest.$ac_objext], [ac_outfile=$4]) + echo 
"$lt_simple_compile_test_code" > conftest.$ac_ext + lt_compiler_flag="$3" + # Insert the option either (1) after the last *FLAGS variable, or + # (2) before a word containing "conftest.", or (3) at the end. + # Note that $ac_compile itself does not contain backslashes and begins + # with a dollar sign (not a hyphen), so the echo should work correctly. + # The option is referenced via a variable to avoid confusing sed. + lt_compile=`echo "$ac_compile" | $SED \ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` + (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD) + (eval "$lt_compile" 2>conftest.err) + ac_status=$? + cat conftest.err >&AS_MESSAGE_LOG_FD + echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD + if (exit $ac_status) && test -s "$ac_outfile"; then + # The compiler can only warn and ignore the option if not recognized + # So say no if there are warnings other than the usual output. + $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp + $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 + if test ! 
-s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then + $2=yes + fi + fi + $RM conftest* +]) -freebsd1*) - dynamic_linker=no - ;; +if test x"[$]$2" = xyes; then + m4_if([$5], , :, [$5]) +else + m4_if([$6], , :, [$6]) +fi +])# _LT_COMPILER_OPTION -kfreebsd*-gnu) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - dynamic_linker='GNU ld.so' - ;; +# Old name: +AU_ALIAS([AC_LIBTOOL_COMPILER_OPTION], [_LT_COMPILER_OPTION]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LIBTOOL_COMPILER_OPTION], []) + + +# _LT_LINKER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS, +# [ACTION-SUCCESS], [ACTION-FAILURE]) +# ---------------------------------------------------- +# Check whether the given linker option works +AC_DEFUN([_LT_LINKER_OPTION], +[m4_require([_LT_FILEUTILS_DEFAULTS])dnl +m4_require([_LT_DECL_SED])dnl +AC_CACHE_CHECK([$1], [$2], + [$2=no + save_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS $3" + echo "$lt_simple_link_test_code" > conftest.$ac_ext + if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then + # The linker can only warn and ignore the option if not recognized + # So say no if there are warnings + if test -s conftest.err; then + # Append any errors to the config.log. + cat conftest.err 1>&AS_MESSAGE_LOG_FD + $ECHO "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp + $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 + if diff conftest.exp conftest.er2 >/dev/null; then + $2=yes + fi + else + $2=yes + fi + fi + $RM -r conftest* + LDFLAGS="$save_LDFLAGS" +]) -freebsd* | dragonfly*) - # DragonFly does not have aout. When/if they implement a new - # versioning mechanism, adjust this. 
- if test -x /usr/bin/objformat; then - objformat=`/usr/bin/objformat` - else - case $host_os in - freebsd[[123]]*) objformat=aout ;; - *) objformat=elf ;; - esac - fi - version_type=freebsd-$objformat - case $version_type in - freebsd-elf*) - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}' - need_version=no - need_lib_prefix=no - ;; - freebsd-*) - library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix' - need_version=yes - ;; - esac - shlibpath_var=LD_LIBRARY_PATH - case $host_os in - freebsd2*) - shlibpath_overrides_runpath=yes +if test x"[$]$2" = xyes; then + m4_if([$4], , :, [$4]) +else + m4_if([$5], , :, [$5]) +fi +])# _LT_LINKER_OPTION + +# Old name: +AU_ALIAS([AC_LIBTOOL_LINKER_OPTION], [_LT_LINKER_OPTION]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LIBTOOL_LINKER_OPTION], []) + + +# LT_CMD_MAX_LEN +#--------------- +AC_DEFUN([LT_CMD_MAX_LEN], +[AC_REQUIRE([AC_CANONICAL_HOST])dnl +# find the maximum length of command line arguments +AC_MSG_CHECKING([the maximum length of command line arguments]) +AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl + i=0 + teststring="ABCD" + + case $build_os in + msdosdjgpp*) + # On DJGPP, this test can blow up pretty badly due to problems in libc + # (any single argument exceeding 2000 bytes causes a buffer overrun + # during glob expansion). Even if it were fixed, the result of this + # check would be larger than it should be. + lt_cv_sys_max_cmd_len=12288; # 12K is about right ;; - freebsd3.[[01]]* | freebsdelf3.[[01]]*) - shlibpath_overrides_runpath=yes - hardcode_into_libs=yes + + gnu*) + # Under GNU Hurd, this test is not required because there is + # no limit to the length of command line arguments. 
+ # Libtool will interpret -1 as no limit whatsoever + lt_cv_sys_max_cmd_len=-1; ;; - freebsd3.[[2-9]]* | freebsdelf3.[[2-9]]* | \ - freebsd4.[[0-5]] | freebsdelf4.[[0-5]] | freebsd4.1.1 | freebsdelf4.1.1) - shlibpath_overrides_runpath=no - hardcode_into_libs=yes + + cygwin* | mingw* | cegcc*) + # On Win9x/ME, this test blows up -- it succeeds, but takes + # about 5 minutes as the teststring grows exponentially. + # Worse, since 9x/ME are not pre-emptively multitasking, + # you end up with a "frozen" computer, even though with patience + # the test eventually succeeds (with a max line length of 256k). + # Instead, let's just punt: use the minimum linelength reported by + # all of the supported platforms: 8192 (on NT/2K/XP). + lt_cv_sys_max_cmd_len=8192; ;; - freebsd*) # from 4.6 on - shlibpath_overrides_runpath=yes - hardcode_into_libs=yes + + amigaos*) + # On AmigaOS with pdksh, this test takes hours, literally. + # So we just punt and use a minimum line length of 8192. + lt_cv_sys_max_cmd_len=8192; ;; - esac - ;; -gnu*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - hardcode_into_libs=yes - ;; + netbsd* | freebsd* | openbsd* | darwin* | dragonfly*) + # This has been around since 386BSD, at least. Likely further. 
+ if test -x /sbin/sysctl; then + lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax` + elif test -x /usr/sbin/sysctl; then + lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax` + else + lt_cv_sys_max_cmd_len=65536 # usable default for all BSDs + fi + # And add a safety zone + lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` + lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` + ;; -hpux9* | hpux10* | hpux11*) - # Give a soname corresponding to the major version so that dld.sl refuses to - # link against other versions. - version_type=sunos - need_lib_prefix=no - need_version=no - case $host_cpu in - ia64*) - shrext_cmds='.so' - hardcode_into_libs=yes - dynamic_linker="$host_os dld.so" - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - if test "X$HPUX_IA64_MODE" = X32; then - sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib" - else - sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64" + interix*) + # We know the value 262144 and hardcode it with a safety zone (like BSD) + lt_cv_sys_max_cmd_len=196608 + ;; + + osf*) + # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure + # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not + # nice to cause kernel panics so lets avoid the loop below. + # First set a reasonable default. 
+ lt_cv_sys_max_cmd_len=16384 + # + if test -x /sbin/sysconfig; then + case `/sbin/sysconfig -q proc exec_disable_arg_limit` in + *1*) lt_cv_sys_max_cmd_len=-1 ;; + esac fi - sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec ;; - hppa*64*) - shrext_cmds='.sl' - hardcode_into_libs=yes - dynamic_linker="$host_os dld.sl" - shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH - shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64" - sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec - ;; - *) - shrext_cmds='.sl' - dynamic_linker="$host_os dld.sl" - shlibpath_var=SHLIB_PATH - shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' + sco3.2v5*) + lt_cv_sys_max_cmd_len=102400 ;; - esac - # HP-UX runs *really* slowly unless shared libraries are mode 555. 
- postinstall_cmds='chmod 555 $lib' - ;; - -interix3*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - ;; - -irix5* | irix6* | nonstopux*) - case $host_os in - nonstopux*) version_type=nonstopux ;; - *) - if test "$lt_cv_prog_gnu_ld" = yes; then - version_type=linux - else - version_type=irix - fi ;; - esac - need_lib_prefix=no - need_version=no - soname_spec='${libname}${release}${shared_ext}$major' - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}' - case $host_os in - irix5* | nonstopux*) - libsuff= shlibsuff= + sysv5* | sco5v6* | sysv4.2uw2*) + kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null` + if test -n "$kargmax"; then + lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[[ ]]//'` + else + lt_cv_sys_max_cmd_len=32768 + fi ;; *) - case $LD in # libtool.m4 will add one of these switches to LD - *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ") - libsuff= shlibsuff= libmagic=32-bit;; - *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ") - libsuff=32 shlibsuff=N32 libmagic=N32;; - *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ") - libsuff=64 shlibsuff=64 libmagic=64-bit;; - *) libsuff= shlibsuff= libmagic=never-match;; - esac + lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null` + if test -n "$lt_cv_sys_max_cmd_len"; then + lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` + lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` + else + # Make teststring a little bigger before we do anything with it. + # a 1K string should be a reasonable start. 
+ for i in 1 2 3 4 5 6 7 8 ; do + teststring=$teststring$teststring + done + SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}} + # If test is not a shell built-in, we'll probably end up computing a + # maximum length that is only half of the actual maximum length, but + # we can't tell. + while { test "X"`$SHELL [$]0 --fallback-echo "X$teststring$teststring" 2>/dev/null` \ + = "XX$teststring$teststring"; } >/dev/null 2>&1 && + test $i != 17 # 1/2 MB should be enough + do + i=`expr $i + 1` + teststring=$teststring$teststring + done + # Only check the string length outside the loop. + lt_cv_sys_max_cmd_len=`expr "X$teststring" : ".*" 2>&1` + teststring= + # Add a significant safety factor because C++ compilers can tack on + # massive amounts of additional arguments before passing them to the + # linker. It appears as though 1/2 is a usable value. + lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2` + fi ;; esac - shlibpath_var=LD_LIBRARY${shlibsuff}_PATH - shlibpath_overrides_runpath=no - sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}" - sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}" - hardcode_into_libs=yes - ;; +]) +if test -n $lt_cv_sys_max_cmd_len ; then + AC_MSG_RESULT($lt_cv_sys_max_cmd_len) +else + AC_MSG_RESULT(none) +fi +max_cmd_len=$lt_cv_sys_max_cmd_len +_LT_DECL([], [max_cmd_len], [0], + [What is the maximum length of a command?]) +])# LT_CMD_MAX_LEN -# No shared lib support for Linux oldld, aout, or coff. -linux*oldld* | linux*aout* | linux*coff*) - dynamic_linker=no - ;; +# Old name: +AU_ALIAS([AC_LIBTOOL_SYS_MAX_CMD_LEN], [LT_CMD_MAX_LEN]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LIBTOOL_SYS_MAX_CMD_LEN], []) -# This must be Linux ELF. 
-linux*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - # This implies no fast_install, which is unacceptable. - # Some rework will be needed to allow for fast_install - # before this can be enabled. - hardcode_into_libs=yes - # find out which ABI we are using - libsuff= - case "$host_cpu" in - x86_64*|s390x*|powerpc64*) - echo '[#]line __oline__ "configure"' > conftest.$ac_ext - if AC_TRY_EVAL(ac_compile); then - case `/usr/bin/file conftest.$ac_objext` in - *64-bit*) - libsuff=64 - sys_lib_search_path_spec="/lib${libsuff} /usr/lib${libsuff} /usr/local/lib${libsuff}" - ;; - esac - fi - rm -rf conftest* - ;; - esac +# _LT_HEADER_DLFCN +# ---------------- +m4_defun([_LT_HEADER_DLFCN], +[AC_CHECK_HEADERS([dlfcn.h], [], [], [AC_INCLUDES_DEFAULT])dnl +])# _LT_HEADER_DLFCN - # Append ld.so.conf contents to the search path - if test -f /etc/ld.so.conf; then - lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/^[ ]*//;s/#.*//;/^[^\/]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` - sys_lib_dlsearch_path_spec="/lib${libsuff} /usr/lib${libsuff} $lt_ld_extra" - fi - # We used to test for /lib/ld.so.1 and disable shared libraries on - # powerpc, because MkLinux only supported shared libraries with the - # GNU dynamic linker. Since this was broken with cross compilers, - # most powerpc-linux boxes support dynamic linking these days and - # people can always --disable-shared, the test was removed, and we - # assume the GNU/Linux dynamic linker is in use. 
- dynamic_linker='GNU/Linux ld.so' - ;; +# _LT_TRY_DLOPEN_SELF (ACTION-IF-TRUE, ACTION-IF-TRUE-W-USCORE, +# ACTION-IF-FALSE, ACTION-IF-CROSS-COMPILING) +# ---------------------------------------------------------------- +m4_defun([_LT_TRY_DLOPEN_SELF], +[m4_require([_LT_HEADER_DLFCN])dnl +if test "$cross_compiling" = yes; then : + [$4] +else + lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 + lt_status=$lt_dlunknown + cat > conftest.$ac_ext <<_LT_EOF +[#line __oline__ "configure" +#include "confdefs.h" -knetbsd*-gnu) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - dynamic_linker='GNU ld.so' - ;; +#if HAVE_DLFCN_H +#include +#endif -netbsd*) - version_type=sunos - need_lib_prefix=no - need_version=no - if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' - finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' - dynamic_linker='NetBSD (a.out) ld.so' - else - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - dynamic_linker='NetBSD ld.elf_so' - fi - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - hardcode_into_libs=yes - ;; +#include -newsos6) - version_type=linux - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - ;; +#ifdef RTLD_GLOBAL +# define LT_DLGLOBAL RTLD_GLOBAL +#else +# ifdef DL_GLOBAL +# define LT_DLGLOBAL DL_GLOBAL +# else +# define LT_DLGLOBAL 0 +# endif +#endif 
-nto-qnx*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - ;; +/* We may have to define LT_DLLAZY_OR_NOW in the command line if we + find out it does not work in some platform. */ +#ifndef LT_DLLAZY_OR_NOW +# ifdef RTLD_LAZY +# define LT_DLLAZY_OR_NOW RTLD_LAZY +# else +# ifdef DL_LAZY +# define LT_DLLAZY_OR_NOW DL_LAZY +# else +# ifdef RTLD_NOW +# define LT_DLLAZY_OR_NOW RTLD_NOW +# else +# ifdef DL_NOW +# define LT_DLLAZY_OR_NOW DL_NOW +# else +# define LT_DLLAZY_OR_NOW 0 +# endif +# endif +# endif +# endif +#endif -openbsd*) - version_type=sunos - sys_lib_dlsearch_path_spec="/usr/lib" - need_lib_prefix=no - # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs. - case $host_os in - openbsd3.3 | openbsd3.3.*) need_version=yes ;; - *) need_version=no ;; - esac - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' - finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' - shlibpath_var=LD_LIBRARY_PATH - if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then - case $host_os in - openbsd2.[[89]] | openbsd2.[[89]].*) - shlibpath_overrides_runpath=no - ;; - *) - shlibpath_overrides_runpath=yes - ;; - esac +void fnord() { int i=42;} +int main () +{ + void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW); + int status = $lt_dlunknown; + + if (self) + { + if (dlsym (self,"fnord")) status = $lt_dlno_uscore; + else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore; + /* dlclose (self); */ + } else - shlibpath_overrides_runpath=yes - fi - ;; + puts (dlerror ()); -os2*) - libname_spec='$name' - shrext_cmds=".dll" - need_lib_prefix=no - library_names_spec='$libname${shared_ext} $libname.a' - 
dynamic_linker='OS/2 ld.exe' - shlibpath_var=LIBPATH - ;; - -osf3* | osf4* | osf5*) - version_type=osf - need_lib_prefix=no - need_version=no - soname_spec='${libname}${release}${shared_ext}$major' - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - shlibpath_var=LD_LIBRARY_PATH - sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib" - sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec" - ;; - -solaris*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - hardcode_into_libs=yes - # ldd complains unless libraries are executable - postinstall_cmds='chmod +x $lib' - ;; - -sunos4*) - version_type=sunos - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' - finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - if test "$with_gnu_ld" = yes; then - need_lib_prefix=no - fi - need_version=yes - ;; - -sysv4 | sysv4.3*) - version_type=linux - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - case $host_vendor in - sni) - shlibpath_overrides_runpath=no - need_lib_prefix=no - export_dynamic_flag_spec='${wl}-Blargedynsym' - runpath_var=LD_RUN_PATH - ;; - siemens) - need_lib_prefix=no - ;; - motorola) - need_lib_prefix=no - need_version=no - shlibpath_overrides_runpath=no - sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib' - ;; - esac - ;; - -sysv4*MP*) - if test -d /usr/nec ;then - version_type=linux - 
library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}' - soname_spec='$libname${shared_ext}.$major' - shlibpath_var=LD_LIBRARY_PATH - fi - ;; - -sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*) - version_type=freebsd-elf - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - hardcode_into_libs=yes - if test "$with_gnu_ld" = yes; then - sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' - shlibpath_overrides_runpath=no - else - sys_lib_search_path_spec='/usr/ccs/lib /usr/lib' - shlibpath_overrides_runpath=yes - case $host_os in - sco3.2v5*) - sys_lib_search_path_spec="$sys_lib_search_path_spec /lib" - ;; + return status; +}] +_LT_EOF + if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext} 2>/dev/null; then + (./conftest; exit; ) >&AS_MESSAGE_LOG_FD 2>/dev/null + lt_status=$? 
+ case x$lt_status in + x$lt_dlno_uscore) $1 ;; + x$lt_dlneed_uscore) $2 ;; + x$lt_dlunknown|x*) $3 ;; esac + else : + # compilation failed + $3 fi - sys_lib_dlsearch_path_spec='/usr/lib' - ;; - -uts4*) - version_type=linux - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - ;; - -*) - dynamic_linker=no - ;; -esac -AC_MSG_RESULT([$dynamic_linker]) -test "$dynamic_linker" = no && can_build_shared=no - -variables_saved_for_relink="PATH $shlibpath_var $runpath_var" -if test "$GCC" = yes; then - variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH" fi -])# AC_LIBTOOL_SYS_DYNAMIC_LINKER - +rm -fr conftest* +])# _LT_TRY_DLOPEN_SELF -# _LT_AC_TAGCONFIG -# ---------------- -AC_DEFUN([_LT_AC_TAGCONFIG], -[AC_ARG_WITH([tags], - [AC_HELP_STRING([--with-tags@<:@=TAGS@:>@], - [include additional configurations @<:@automatic@:>@])], - [tagnames="$withval"]) - -if test -f "$ltmain" && test -n "$tagnames"; then - if test ! -f "${ofile}"; then - AC_MSG_WARN([output file `$ofile' does not exist]) - fi - if test -z "$LTCC"; then - eval "`$SHELL ${ofile} --config | grep '^LTCC='`" - if test -z "$LTCC"; then - AC_MSG_WARN([output file `$ofile' does not look like a libtool script]) - else - AC_MSG_WARN([using `LTCC=$LTCC', extracted from `$ofile']) - fi - fi - if test -z "$LTCFLAGS"; then - eval "`$SHELL ${ofile} --config | grep '^LTCFLAGS='`" - fi +# LT_SYS_DLOPEN_SELF +# ------------------ +AC_DEFUN([LT_SYS_DLOPEN_SELF], +[m4_require([_LT_HEADER_DLFCN])dnl +if test "x$enable_dlopen" != xyes; then + enable_dlopen=unknown + enable_dlopen_self=unknown + enable_dlopen_self_static=unknown +else + lt_cv_dlopen=no + lt_cv_dlopen_libs= - # Extract list of available tagged configurations in $ofile. - # Note that this assumes the entire list is on one line. 
- available_tags=`grep "^available_tags=" "${ofile}" | $SED -e 's/available_tags=\(.*$\)/\1/' -e 's/\"//g'` + case $host_os in + beos*) + lt_cv_dlopen="load_add_on" + lt_cv_dlopen_libs= + lt_cv_dlopen_self=yes + ;; - lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," - for tagname in $tagnames; do - IFS="$lt_save_ifs" - # Check whether tagname contains only valid characters - case `$echo "X$tagname" | $Xsed -e 's:[[-_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890,/]]::g'` in - "") ;; - *) AC_MSG_ERROR([invalid tag name: $tagname]) - ;; - esac + mingw* | pw32* | cegcc*) + lt_cv_dlopen="LoadLibrary" + lt_cv_dlopen_libs= + ;; - if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "${ofile}" > /dev/null - then - AC_MSG_ERROR([tag name \"$tagname\" already exists]) - fi + cygwin*) + lt_cv_dlopen="dlopen" + lt_cv_dlopen_libs= + ;; - # Update the list of available tags. - if test -n "$tagname"; then - echo appending configuration tag \"$tagname\" to $ofile - - case $tagname in - CXX) - if test -n "$CXX" && ( test "X$CXX" != "Xno" && - ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) || - (test "X$CXX" != "Xg++"))) ; then - AC_LIBTOOL_LANG_CXX_CONFIG - else - tagname="" - fi - ;; + darwin*) + # if libdl is installed we need to link against it + AC_CHECK_LIB([dl], [dlopen], + [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"],[ + lt_cv_dlopen="dyld" + lt_cv_dlopen_libs= + lt_cv_dlopen_self=yes + ]) + ;; - F77) - if test -n "$F77" && test "X$F77" != "Xno"; then - AC_LIBTOOL_LANG_F77_CONFIG - else - tagname="" - fi - ;; + *) + AC_CHECK_FUNC([shl_load], + [lt_cv_dlopen="shl_load"], + [AC_CHECK_LIB([dld], [shl_load], + [lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld"], + [AC_CHECK_FUNC([dlopen], + [lt_cv_dlopen="dlopen"], + [AC_CHECK_LIB([dl], [dlopen], + [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"], + [AC_CHECK_LIB([svld], [dlopen], + [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"], + [AC_CHECK_LIB([dld], [dld_link], + [lt_cv_dlopen="dld_link" 
lt_cv_dlopen_libs="-ldld"]) + ]) + ]) + ]) + ]) + ]) + ;; + esac - GCJ) - if test -n "$GCJ" && test "X$GCJ" != "Xno"; then - AC_LIBTOOL_LANG_GCJ_CONFIG - else - tagname="" - fi - ;; + if test "x$lt_cv_dlopen" != xno; then + enable_dlopen=yes + else + enable_dlopen=no + fi - RC) - AC_LIBTOOL_LANG_RC_CONFIG - ;; + case $lt_cv_dlopen in + dlopen) + save_CPPFLAGS="$CPPFLAGS" + test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H" - *) - AC_MSG_ERROR([Unsupported tag name: $tagname]) - ;; - esac + save_LDFLAGS="$LDFLAGS" + wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\" - # Append the new tag name to the list of available tags. - if test -n "$tagname" ; then - available_tags="$available_tags $tagname" - fi - fi - done - IFS="$lt_save_ifs" + save_LIBS="$LIBS" + LIBS="$lt_cv_dlopen_libs $LIBS" - # Now substitute the updated list of available tags. - if eval "sed -e 's/^available_tags=.*\$/available_tags=\"$available_tags\"/' \"$ofile\" > \"${ofile}T\""; then - mv "${ofile}T" "$ofile" - chmod +x "$ofile" - else - rm -f "${ofile}T" - AC_MSG_ERROR([unable to update list of available tagged configurations.]) - fi -fi -])# _LT_AC_TAGCONFIG + AC_CACHE_CHECK([whether a program can dlopen itself], + lt_cv_dlopen_self, [dnl + _LT_TRY_DLOPEN_SELF( + lt_cv_dlopen_self=yes, lt_cv_dlopen_self=yes, + lt_cv_dlopen_self=no, lt_cv_dlopen_self=cross) + ]) + if test "x$lt_cv_dlopen_self" = xyes; then + wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\" + AC_CACHE_CHECK([whether a statically linked program can dlopen itself], + lt_cv_dlopen_self_static, [dnl + _LT_TRY_DLOPEN_SELF( + lt_cv_dlopen_self_static=yes, lt_cv_dlopen_self_static=yes, + lt_cv_dlopen_self_static=no, lt_cv_dlopen_self_static=cross) + ]) + fi -# AC_LIBTOOL_DLOPEN -# ----------------- -# enable checks for dlopen support -AC_DEFUN([AC_LIBTOOL_DLOPEN], - [AC_BEFORE([$0],[AC_LIBTOOL_SETUP]) -])# AC_LIBTOOL_DLOPEN + CPPFLAGS="$save_CPPFLAGS" + 
LDFLAGS="$save_LDFLAGS" + LIBS="$save_LIBS" + ;; + esac + case $lt_cv_dlopen_self in + yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;; + *) enable_dlopen_self=unknown ;; + esac -# AC_LIBTOOL_WIN32_DLL -# -------------------- -# declare package support for building win32 DLLs -AC_DEFUN([AC_LIBTOOL_WIN32_DLL], -[AC_BEFORE([$0], [AC_LIBTOOL_SETUP]) -])# AC_LIBTOOL_WIN32_DLL + case $lt_cv_dlopen_self_static in + yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;; + *) enable_dlopen_self_static=unknown ;; + esac +fi +_LT_DECL([dlopen_support], [enable_dlopen], [0], + [Whether dlopen is supported]) +_LT_DECL([dlopen_self], [enable_dlopen_self], [0], + [Whether dlopen of programs is supported]) +_LT_DECL([dlopen_self_static], [enable_dlopen_self_static], [0], + [Whether dlopen of statically linked programs is supported]) +])# LT_SYS_DLOPEN_SELF + +# Old name: +AU_ALIAS([AC_LIBTOOL_DLOPEN_SELF], [LT_SYS_DLOPEN_SELF]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LIBTOOL_DLOPEN_SELF], []) -# AC_ENABLE_SHARED([DEFAULT]) +# _LT_COMPILER_C_O([TAGNAME]) # --------------------------- -# implement the --enable-shared flag -# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'. -AC_DEFUN([AC_ENABLE_SHARED], -[define([AC_ENABLE_SHARED_DEFAULT], ifelse($1, no, no, yes))dnl -AC_ARG_ENABLE([shared], - [AC_HELP_STRING([--enable-shared@<:@=PKGS@:>@], - [build shared libraries @<:@default=]AC_ENABLE_SHARED_DEFAULT[@:>@])], - [p=${PACKAGE-default} - case $enableval in - yes) enable_shared=yes ;; - no) enable_shared=no ;; - *) - enable_shared=no - # Look at the argument we got. We use all the common list separators. 
- lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," - for pkg in $enableval; do - IFS="$lt_save_ifs" - if test "X$pkg" = "X$p"; then - enable_shared=yes - fi - done - IFS="$lt_save_ifs" - ;; - esac], - [enable_shared=]AC_ENABLE_SHARED_DEFAULT) -])# AC_ENABLE_SHARED - - -# AC_DISABLE_SHARED -# ----------------- -# set the default shared flag to --disable-shared -AC_DEFUN([AC_DISABLE_SHARED], -[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl -AC_ENABLE_SHARED(no) -])# AC_DISABLE_SHARED - - -# AC_ENABLE_STATIC([DEFAULT]) -# --------------------------- -# implement the --enable-static flag -# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'. -AC_DEFUN([AC_ENABLE_STATIC], -[define([AC_ENABLE_STATIC_DEFAULT], ifelse($1, no, no, yes))dnl -AC_ARG_ENABLE([static], - [AC_HELP_STRING([--enable-static@<:@=PKGS@:>@], - [build static libraries @<:@default=]AC_ENABLE_STATIC_DEFAULT[@:>@])], - [p=${PACKAGE-default} - case $enableval in - yes) enable_static=yes ;; - no) enable_static=no ;; - *) - enable_static=no - # Look at the argument we got. We use all the common list separators. - lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," - for pkg in $enableval; do - IFS="$lt_save_ifs" - if test "X$pkg" = "X$p"; then - enable_static=yes - fi - done - IFS="$lt_save_ifs" - ;; - esac], - [enable_static=]AC_ENABLE_STATIC_DEFAULT) -])# AC_ENABLE_STATIC - - -# AC_DISABLE_STATIC -# ----------------- -# set the default static flag to --disable-static -AC_DEFUN([AC_DISABLE_STATIC], -[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl -AC_ENABLE_STATIC(no) -])# AC_DISABLE_STATIC - - -# AC_ENABLE_FAST_INSTALL([DEFAULT]) -# --------------------------------- -# implement the --enable-fast-install flag -# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'. 
-AC_DEFUN([AC_ENABLE_FAST_INSTALL], -[define([AC_ENABLE_FAST_INSTALL_DEFAULT], ifelse($1, no, no, yes))dnl -AC_ARG_ENABLE([fast-install], - [AC_HELP_STRING([--enable-fast-install@<:@=PKGS@:>@], - [optimize for fast installation @<:@default=]AC_ENABLE_FAST_INSTALL_DEFAULT[@:>@])], - [p=${PACKAGE-default} - case $enableval in - yes) enable_fast_install=yes ;; - no) enable_fast_install=no ;; - *) - enable_fast_install=no - # Look at the argument we got. We use all the common list separators. - lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," - for pkg in $enableval; do - IFS="$lt_save_ifs" - if test "X$pkg" = "X$p"; then - enable_fast_install=yes - fi - done - IFS="$lt_save_ifs" - ;; - esac], - [enable_fast_install=]AC_ENABLE_FAST_INSTALL_DEFAULT) -])# AC_ENABLE_FAST_INSTALL - - -# AC_DISABLE_FAST_INSTALL -# ----------------------- -# set the default to --disable-fast-install -AC_DEFUN([AC_DISABLE_FAST_INSTALL], -[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl -AC_ENABLE_FAST_INSTALL(no) -])# AC_DISABLE_FAST_INSTALL - - -# AC_LIBTOOL_PICMODE([MODE]) -# -------------------------- -# implement the --with-pic flag -# MODE is either `yes' or `no'. If omitted, it defaults to `both'. -AC_DEFUN([AC_LIBTOOL_PICMODE], -[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl -pic_mode=ifelse($#,1,$1,default) -])# AC_LIBTOOL_PICMODE +# Check to see if options -c and -o are simultaneously supported by compiler. +# This macro does not hard code the compiler like AC_PROG_CC_C_O. 
+m4_defun([_LT_COMPILER_C_O], +[m4_require([_LT_DECL_SED])dnl +m4_require([_LT_FILEUTILS_DEFAULTS])dnl +m4_require([_LT_TAG_COMPILER])dnl +AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext], + [_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)], + [_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=no + $RM -r conftest 2>/dev/null + mkdir conftest + cd conftest + mkdir out + echo "$lt_simple_compile_test_code" > conftest.$ac_ext + lt_compiler_flag="-o out/conftest2.$ac_objext" + # Insert the option either (1) after the last *FLAGS variable, or + # (2) before a word containing "conftest.", or (3) at the end. + # Note that $ac_compile itself does not contain backslashes and begins + # with a dollar sign (not a hyphen), so the echo should work correctly. + lt_compile=`echo "$ac_compile" | $SED \ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` + (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD) + (eval "$lt_compile" 2>out/conftest.err) + ac_status=$? + cat out/conftest.err >&AS_MESSAGE_LOG_FD + echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD + if (exit $ac_status) && test -s out/conftest2.$ac_objext + then + # The compiler can only warn and ignore the option if not recognized + # So say no if there are warnings + $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp + $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2 + if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then + _LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes + fi + fi + chmod u+w . 2>&AS_MESSAGE_LOG_FD + $RM conftest* + # SGI C++ compiler will create directory out/ii_files/ for + # template instantiation + test -d out/ii_files && $RM out/ii_files/* && rmdir out/ii_files + $RM out/* && rmdir out + cd .. 
+ $RM -r conftest + $RM conftest* +]) +_LT_TAGDECL([compiler_c_o], [lt_cv_prog_compiler_c_o], [1], + [Does compiler simultaneously support -c and -o options?]) +])# _LT_COMPILER_C_O -# AC_PROG_EGREP -# ------------- -# This is predefined starting with Autoconf 2.54, so this conditional -# definition can be removed once we require Autoconf 2.54 or later. -m4_ifndef([AC_PROG_EGREP], [AC_DEFUN([AC_PROG_EGREP], -[AC_CACHE_CHECK([for egrep], [ac_cv_prog_egrep], - [if echo a | (grep -E '(a|b)') >/dev/null 2>&1 - then ac_cv_prog_egrep='grep -E' - else ac_cv_prog_egrep='egrep' - fi]) - EGREP=$ac_cv_prog_egrep - AC_SUBST([EGREP]) -])]) +# _LT_COMPILER_FILE_LOCKS([TAGNAME]) +# ---------------------------------- +# Check to see if we can do hard links to lock some files if needed +m4_defun([_LT_COMPILER_FILE_LOCKS], +[m4_require([_LT_ENABLE_LOCK])dnl +m4_require([_LT_FILEUTILS_DEFAULTS])dnl +_LT_COMPILER_C_O([$1]) -# AC_PATH_TOOL_PREFIX -# ------------------- -# find a file program which can recognise shared library -AC_DEFUN([AC_PATH_TOOL_PREFIX], -[AC_REQUIRE([AC_PROG_EGREP])dnl -AC_MSG_CHECKING([for $1]) -AC_CACHE_VAL(lt_cv_path_MAGIC_CMD, -[case $MAGIC_CMD in -[[\\/*] | ?:[\\/]*]) - lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path. - ;; -*) - lt_save_MAGIC_CMD="$MAGIC_CMD" - lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR -dnl $ac_dummy forces splitting on constant user-supplied paths. -dnl POSIX.2 word splitting is done only on the output of word expansions, -dnl not every word. This closes a longstanding sh security hole. - ac_dummy="ifelse([$2], , $PATH, [$2])" - for ac_dir in $ac_dummy; do - IFS="$lt_save_ifs" - test -z "$ac_dir" && ac_dir=. 
- if test -f $ac_dir/$1; then - lt_cv_path_MAGIC_CMD="$ac_dir/$1" - if test -n "$file_magic_test_file"; then - case $deplibs_check_method in - "file_magic "*) - file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"` - MAGIC_CMD="$lt_cv_path_MAGIC_CMD" - if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null | - $EGREP "$file_magic_regex" > /dev/null; then - : - else - cat <&2 +hard_links="nottested" +if test "$_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)" = no && test "$need_locks" != no; then + # do not overwrite the value of need_locks provided by the user + AC_MSG_CHECKING([if we can lock with hard links]) + hard_links=yes + $RM conftest* + ln conftest.a conftest.b 2>/dev/null && hard_links=no + touch conftest.a + ln conftest.a conftest.b 2>&5 || hard_links=no + ln conftest.a conftest.b 2>/dev/null && hard_links=no + AC_MSG_RESULT([$hard_links]) + if test "$hard_links" = no; then + AC_MSG_WARN([`$CC' does not support `-c -o', so `make -j' may be unsafe]) + need_locks=warn + fi +else + need_locks=no +fi +_LT_DECL([], [need_locks], [1], [Must we lock files when doing compilation?]) +])# _LT_COMPILER_FILE_LOCKS -*** Warning: the command libtool uses to detect shared libraries, -*** $file_magic_cmd, produces output that libtool cannot recognize. -*** The result is that libtool may fail to recognize shared libraries -*** as such. This will affect the creation of libtool libraries that -*** depend on shared libraries, but programs linked with such libtool -*** libraries will work regardless of this problem. 
Nevertheless, you -*** may want to report the problem to your system manager and/or to -*** bug-libtool@gnu.org -EOF - fi ;; - esac - fi - break - fi - done - IFS="$lt_save_ifs" - MAGIC_CMD="$lt_save_MAGIC_CMD" - ;; -esac]) -MAGIC_CMD="$lt_cv_path_MAGIC_CMD" -if test -n "$MAGIC_CMD"; then - AC_MSG_RESULT($MAGIC_CMD) +# _LT_CHECK_OBJDIR +# ---------------- +m4_defun([_LT_CHECK_OBJDIR], +[AC_CACHE_CHECK([for objdir], [lt_cv_objdir], +[rm -f .libs 2>/dev/null +mkdir .libs 2>/dev/null +if test -d .libs; then + lt_cv_objdir=.libs else - AC_MSG_RESULT(no) + # MS-DOS does not allow filenames that begin with a dot. + lt_cv_objdir=_libs fi -])# AC_PATH_TOOL_PREFIX +rmdir .libs 2>/dev/null]) +objdir=$lt_cv_objdir +_LT_DECL([], [objdir], [0], + [The name of the directory that contains temporary libtool files])dnl +m4_pattern_allow([LT_OBJDIR])dnl +AC_DEFINE_UNQUOTED(LT_OBJDIR, "$lt_cv_objdir/", + [Define to the sub-directory in which libtool stores uninstalled libraries.]) +])# _LT_CHECK_OBJDIR -# AC_PATH_MAGIC -# ------------- -# find a file program which can recognise a shared library -AC_DEFUN([AC_PATH_MAGIC], -[AC_PATH_TOOL_PREFIX(${ac_tool_prefix}file, /usr/bin$PATH_SEPARATOR$PATH) -if test -z "$lt_cv_path_MAGIC_CMD"; then - if test -n "$ac_tool_prefix"; then - AC_PATH_TOOL_PREFIX(file, /usr/bin$PATH_SEPARATOR$PATH) +# _LT_LINKER_HARDCODE_LIBPATH([TAGNAME]) +# -------------------------------------- +# Check hardcoding attributes. +m4_defun([_LT_LINKER_HARDCODE_LIBPATH], +[AC_MSG_CHECKING([how to hardcode library paths into programs]) +_LT_TAGVAR(hardcode_action, $1)= +if test -n "$_LT_TAGVAR(hardcode_libdir_flag_spec, $1)" || + test -n "$_LT_TAGVAR(runpath_var, $1)" || + test "X$_LT_TAGVAR(hardcode_automatic, $1)" = "Xyes" ; then + + # We can hardcode non-existent directories. 
+ if test "$_LT_TAGVAR(hardcode_direct, $1)" != no && + # If the only mechanism to avoid hardcoding is shlibpath_var, we + # have to relink, otherwise we might link with an installed library + # when we should be linking with a yet-to-be-installed one + ## test "$_LT_TAGVAR(hardcode_shlibpath_var, $1)" != no && + test "$_LT_TAGVAR(hardcode_minus_L, $1)" != no; then + # Linking always hardcodes the temporary library directory. + _LT_TAGVAR(hardcode_action, $1)=relink else - MAGIC_CMD=: + # We can link without hardcoding, and we can hardcode nonexisting dirs. + _LT_TAGVAR(hardcode_action, $1)=immediate fi +else + # We cannot hardcode anything, or else we can only hardcode existing + # directories. + _LT_TAGVAR(hardcode_action, $1)=unsupported fi -])# AC_PATH_MAGIC +AC_MSG_RESULT([$_LT_TAGVAR(hardcode_action, $1)]) +if test "$_LT_TAGVAR(hardcode_action, $1)" = relink || + test "$_LT_TAGVAR(inherit_rpath, $1)" = yes; then + # Fast installation is not supported + enable_fast_install=no +elif test "$shlibpath_overrides_runpath" = yes || + test "$enable_shared" = no; then + # Fast installation is not necessary + enable_fast_install=needless +fi +_LT_TAGDECL([], [hardcode_action], [0], + [How to hardcode a shared library path into an executable]) +])# _LT_LINKER_HARDCODE_LIBPATH -# AC_PROG_LD -# ---------- -# find the pathname to the GNU or non-GNU linker -AC_DEFUN([AC_PROG_LD], -[AC_ARG_WITH([gnu-ld], - [AC_HELP_STRING([--with-gnu-ld], - [assume the C compiler uses GNU ld @<:@default=no@:>@])], - [test "$withval" = no || with_gnu_ld=yes], - [with_gnu_ld=no]) -AC_REQUIRE([LT_AC_PROG_SED])dnl -AC_REQUIRE([AC_PROG_CC])dnl -AC_REQUIRE([AC_CANONICAL_HOST])dnl -AC_REQUIRE([AC_CANONICAL_BUILD])dnl -ac_prog=ld -if test "$GCC" = yes; then - # Check if gcc -print-prog-name=ld gives a path. 
- AC_MSG_CHECKING([for ld used by $CC]) - case $host in - *-*-mingw*) - # gcc leaves a trailing carriage return which upsets mingw - ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;; - *) - ac_prog=`($CC -print-prog-name=ld) 2>&5` ;; - esac - case $ac_prog in - # Accept absolute paths. - [[\\/]]* | ?:[[\\/]]*) - re_direlt='/[[^/]][[^/]]*/\.\./' - # Canonicalize the pathname of ld - ac_prog=`echo $ac_prog| $SED 's%\\\\%/%g'` - while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do - ac_prog=`echo $ac_prog| $SED "s%$re_direlt%/%"` - done - test -z "$LD" && LD="$ac_prog" - ;; - "") - # If it fails, then pretend we aren't using GCC. - ac_prog=ld + +# _LT_CMD_STRIPLIB +# ---------------- +m4_defun([_LT_CMD_STRIPLIB], +[m4_require([_LT_DECL_EGREP]) +striplib= +old_striplib= +AC_MSG_CHECKING([whether stripping libraries is possible]) +if test -n "$STRIP" && $STRIP -V 2>&1 | $GREP "GNU strip" >/dev/null; then + test -z "$old_striplib" && old_striplib="$STRIP --strip-debug" + test -z "$striplib" && striplib="$STRIP --strip-unneeded" + AC_MSG_RESULT([yes]) +else +# FIXME - insert some real tests, host_os isn't really good enough + case $host_os in + darwin*) + if test -n "$STRIP" ; then + striplib="$STRIP -x" + old_striplib="$STRIP -S" + AC_MSG_RESULT([yes]) + else + AC_MSG_RESULT([no]) + fi ;; *) - # If it is relative, then search for the first ld in PATH. - with_gnu_ld=unknown + AC_MSG_RESULT([no]) ;; esac -elif test "$with_gnu_ld" = yes; then - AC_MSG_CHECKING([for GNU ld]) -else - AC_MSG_CHECKING([for non-GNU ld]) fi -AC_CACHE_VAL(lt_cv_path_LD, -[if test -z "$LD"; then - lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR - for ac_dir in $PATH; do - IFS="$lt_save_ifs" - test -z "$ac_dir" && ac_dir=. - if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then - lt_cv_path_LD="$ac_dir/$ac_prog" - # Check to see if the program is GNU ld. I'd rather use --version, - # but apparently some variants of GNU ld only accept -v. 
- # Break only if it was the GNU/non-GNU ld that we prefer. - case `"$lt_cv_path_LD" -v 2>&1 &1 /dev/null ; then + # if the path contains ";" then we assume it to be the separator + # otherwise default to the standard path separator (i.e. ":") - it is + # assumed that no part of a normal pathname contains ";" but that should + # okay in the real world where ";" in dirpaths is itself problematic. + lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED -e 's/;/ /g'` + else + lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` + fi + # Ok, now we have the path, separated by spaces, we can step through it + # and add multilib dir if necessary. + lt_tmp_lt_search_path_spec= + lt_multi_os_dir=`$CC $CPPFLAGS $CFLAGS $LDFLAGS -print-multi-os-directory 2>/dev/null` + for lt_sys_path in $lt_search_path_spec; do + if test -d "$lt_sys_path/$lt_multi_os_dir"; then + lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path/$lt_multi_os_dir" else - reload_cmds='$LD$reload_flag -o $output$reload_objs' + test -d "$lt_sys_path" && \ + lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path" fi - ;; -esac -])# AC_PROG_LD_RELOAD_FLAG - + done + lt_search_path_spec=`$ECHO $lt_tmp_lt_search_path_spec | awk ' +BEGIN {RS=" "; FS="/|\n";} { + lt_foo=""; + lt_count=0; + for (lt_i = NF; lt_i > 0; lt_i--) { + if ($lt_i != "" && $lt_i != ".") { + if ($lt_i == "..") { + lt_count++; + } else { + if (lt_count == 0) { + lt_foo="/" $lt_i lt_foo; + } else { + lt_count--; + } + } + } + } + if (lt_foo != "") { lt_freq[[lt_foo]]++; } + if (lt_freq[[lt_foo]] == 1) { print lt_foo; } +}'` + sys_lib_search_path_spec=`$ECHO $lt_search_path_spec` +else + sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib" +fi]) +library_names_spec= +libname_spec='lib$name' +soname_spec= +shrext_cmds=".so" +postinstall_cmds= +postuninstall_cmds= +finish_cmds= +finish_eval= +shlibpath_var= +shlibpath_overrides_runpath=unknown +version_type=none 
+dynamic_linker="$host_os ld.so" +sys_lib_dlsearch_path_spec="/lib /usr/lib" +need_lib_prefix=unknown +hardcode_into_libs=no -# AC_DEPLIBS_CHECK_METHOD -# ----------------------- -# how to check for library dependencies -# -- PORTME fill in with the dynamic library characteristics -AC_DEFUN([AC_DEPLIBS_CHECK_METHOD], -[AC_CACHE_CHECK([how to recognise dependent libraries], -lt_cv_deplibs_check_method, -[lt_cv_file_magic_cmd='$MAGIC_CMD' -lt_cv_file_magic_test_file= -lt_cv_deplibs_check_method='unknown' -# Need to set the preceding variable on all platforms that support -# interlibrary dependencies. -# 'none' -- dependencies not supported. -# `unknown' -- same as none, but documents that we really don't know. -# 'pass_all' -- all dependencies passed with no checks. -# 'test_compile' -- check by making test program. -# 'file_magic [[regex]]' -- check by looking for files in library path -# which responds to the $file_magic_cmd with a given extended regex. -# If you have `file' or equivalent on your system and you're not sure -# whether `pass_all' will *always* work, you probably want this one. +# when you set need_version to no, make sure it does not cause -set_version +# flags to be left without arguments +need_version=unknown case $host_os in -aix4* | aix5*) - lt_cv_deplibs_check_method=pass_all - ;; - -beos*) - lt_cv_deplibs_check_method=pass_all - ;; - -bsdi[[45]]*) - lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib)' - lt_cv_file_magic_cmd='/usr/bin/file -L' - lt_cv_file_magic_test_file=/shlib/libc.so - ;; - -cygwin*) - # func_win32_libid is a shell function defined in ltmain.sh - lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL' - lt_cv_file_magic_cmd='func_win32_libid' - ;; - -mingw* | pw32*) - # Base MSYS/MinGW do not provide the 'file' command needed by - # func_win32_libid shell function, so use a weaker test based on 'objdump'. 
- lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?' - lt_cv_file_magic_cmd='$OBJDUMP -f' - ;; +aix3*) + version_type=linux + library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a' + shlibpath_var=LIBPATH -darwin* | rhapsody*) - lt_cv_deplibs_check_method=pass_all + # AIX 3 has no versioning support, so we append a major version to the name. + soname_spec='${libname}${release}${shared_ext}$major' ;; -freebsd* | kfreebsd*-gnu | dragonfly*) - if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then - case $host_cpu in - i*86 ) - # Not sure whether the presence of OpenBSD here was a mistake. - # Let's accept both of them until this is cleared up. - lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD|DragonFly)/i[[3-9]]86 (compact )?demand paged shared library' - lt_cv_file_magic_cmd=/usr/bin/file - lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*` +aix[[4-9]]*) + version_type=linux + need_lib_prefix=no + need_version=no + hardcode_into_libs=yes + if test "$host_cpu" = ia64; then + # AIX 5 supports IA64 + library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}' + shlibpath_var=LD_LIBRARY_PATH + else + # With GCC up to 2.95.x, collect2 would create an import file + # for dependence libraries. The import file would start with + # the line `#! .'. This would cause the generated library to + # depend on `.', always an invalid library. This was fixed in + # development snapshots of GCC prior to 3.0. + case $host_os in + aix4 | aix4.[[01]] | aix4.[[01]].*) + if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)' + echo ' yes ' + echo '#endif'; } | ${CC} -E - | $GREP yes > /dev/null; then + : + else + can_build_shared=no + fi ;; esac - else - lt_cv_deplibs_check_method=pass_all + # AIX (on Power*) has no versioning support, so currently we can not hardcode correct + # soname into executable. 
Probably we can add versioning support to + # collect2, so additional links can be useful in future. + if test "$aix_use_runtimelinking" = yes; then + # If using run time linking (on AIX 4.2 or later) use lib.so + # instead of lib.a to let people know that these are not + # typical AIX shared libraries. + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + else + # We preserve .a as extension for shared libraries through AIX4.2 + # and later when we are not doing run time linking. + library_names_spec='${libname}${release}.a $libname.a' + soname_spec='${libname}${release}${shared_ext}$major' + fi + shlibpath_var=LIBPATH fi ;; -gnu*) - lt_cv_deplibs_check_method=pass_all - ;; - -hpux10.20* | hpux11*) - lt_cv_file_magic_cmd=/usr/bin/file +amigaos*) case $host_cpu in - ia64*) - lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|ELF-[[0-9]][[0-9]]) shared object file - IA64' - lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so - ;; - hppa*64*) - [lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]'] - lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl + powerpc) + # Since July 2007 AmigaOS4 officially supports .so libraries. + # When compiling the executable, add -use-dynld -Lsobjs: to the compileline. + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' ;; - *) - lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|PA-RISC[[0-9]].[[0-9]]) shared library' - lt_cv_file_magic_test_file=/usr/lib/libc.sl + m68k) + library_names_spec='$libname.ixlibrary $libname.a' + # Create ${libname}_ixlibrary.a entries in /sys/libs. 
+ finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$ECHO "X$lib" | $Xsed -e '\''s%^.*/\([[^/]]*\)\.ixlibrary$%\1%'\''`; test $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done' ;; esac ;; -interix3*) - # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here - lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|\.a)$' - ;; - -irix5* | irix6* | nonstopux*) - case $LD in - *-32|*"-32 ") libmagic=32-bit;; - *-n32|*"-n32 ") libmagic=N32;; - *-64|*"-64 ") libmagic=64-bit;; - *) libmagic=never-match;; - esac - lt_cv_deplibs_check_method=pass_all - ;; - -# This must be Linux ELF. -linux*) - lt_cv_deplibs_check_method=pass_all +beos*) + library_names_spec='${libname}${shared_ext}' + dynamic_linker="$host_os ld.so" + shlibpath_var=LIBRARY_PATH ;; -netbsd*) - if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then - lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$' - else - lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|_pic\.a)$' - fi +bsdi[[45]]*) + version_type=linux + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir' + shlibpath_var=LD_LIBRARY_PATH + sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib" + sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib" + # the default ld.so.conf also contains /usr/contrib/lib and + # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow + # libtool to hard-code these into programs ;; -newos6*) - lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (executable|dynamic lib)' - lt_cv_file_magic_cmd=/usr/bin/file - 
lt_cv_file_magic_test_file=/usr/lib/libnls.so - ;; +cygwin* | mingw* | pw32* | cegcc*) + version_type=windows + shrext_cmds=".dll" + need_version=no + need_lib_prefix=no -nto-qnx*) - lt_cv_deplibs_check_method=unknown + case $GCC,$host_os in + yes,cygwin* | yes,mingw* | yes,pw32* | yes,cegcc*) + library_names_spec='$libname.dll.a' + # DLL is installed to $(libdir)/../bin by postinstall_cmds + postinstall_cmds='base_file=`basename \${file}`~ + dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i; echo \$dlname'\''`~ + dldir=$destdir/`dirname \$dlpath`~ + test -d \$dldir || mkdir -p \$dldir~ + $install_prog $dir/$dlname \$dldir/$dlname~ + chmod a+x \$dldir/$dlname~ + if test -n '\''$stripme'\'' && test -n '\''$striplib'\''; then + eval '\''$striplib \$dldir/$dlname'\'' || exit \$?; + fi' + postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~ + dlpath=$dir/\$dldll~ + $RM \$dlpath' + shlibpath_overrides_runpath=yes + + case $host_os in + cygwin*) + # Cygwin DLLs use 'cyg' prefix rather than 'lib' + soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}' + sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib" + ;; + mingw* | cegcc*) + # MinGW DLLs use traditional 'lib' prefix + soname_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}' + sys_lib_search_path_spec=`$CC -print-search-dirs | $GREP "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"` + if $ECHO "$sys_lib_search_path_spec" | [$GREP ';[c-zC-Z]:/' >/dev/null]; then + # It is most probably a Windows format PATH printed by + # mingw gcc, but we are running on Cygwin. Gcc prints its search + # path with ; separators, and with drive letters. We can handle the + # drive letters (cygwin fileutils understands them), so leave them, + # especially as we might pass files found there to a mingw objdump, + # which wouldn't understand a cygwinified path. Ahh. 
+ sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'` + else + sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` + fi + ;; + pw32*) + # pw32 DLLs use 'pw' prefix rather than 'lib' + library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}' + ;; + esac + ;; + + *) + library_names_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext} $libname.lib' + ;; + esac + dynamic_linker='Win32 ld.exe' + # FIXME: first we should search . and the directory the executable is in + shlibpath_var=PATH ;; -openbsd*) - if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then - lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|\.so|_pic\.a)$' - else - lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$' - fi +darwin* | rhapsody*) + dynamic_linker="$host_os dyld" + version_type=darwin + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${major}$shared_ext ${libname}$shared_ext' + soname_spec='${libname}${release}${major}$shared_ext' + shlibpath_overrides_runpath=yes + shlibpath_var=DYLD_LIBRARY_PATH + shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`' +m4_if([$1], [],[ + sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/local/lib"]) + sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib' ;; -osf3* | osf4* | osf5*) - lt_cv_deplibs_check_method=pass_all +dgux*) + version_type=linux + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext' + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH ;; -solaris*) - lt_cv_deplibs_check_method=pass_all +freebsd1*) + dynamic_linker=no ;; -sysv4 | sysv4.3*) - case 
$host_vendor in - motorola) - lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib) M[[0-9]][[0-9]]* Version [[0-9]]' - lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*` - ;; - ncr) - lt_cv_deplibs_check_method=pass_all - ;; - sequent) - lt_cv_file_magic_cmd='/bin/file' - lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB (shared object|dynamic lib )' +freebsd* | dragonfly*) + # DragonFly does not have aout. When/if they implement a new + # versioning mechanism, adjust this. + if test -x /usr/bin/objformat; then + objformat=`/usr/bin/objformat` + else + case $host_os in + freebsd[[123]]*) objformat=aout ;; + *) objformat=elf ;; + esac + fi + version_type=freebsd-$objformat + case $version_type in + freebsd-elf*) + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}' + need_version=no + need_lib_prefix=no + ;; + freebsd-*) + library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix' + need_version=yes + ;; + esac + shlibpath_var=LD_LIBRARY_PATH + case $host_os in + freebsd2*) + shlibpath_overrides_runpath=yes ;; - sni) - lt_cv_file_magic_cmd='/bin/file' - lt_cv_deplibs_check_method="file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB dynamic lib" - lt_cv_file_magic_test_file=/lib/libc.so + freebsd3.[[01]]* | freebsdelf3.[[01]]*) + shlibpath_overrides_runpath=yes + hardcode_into_libs=yes ;; - siemens) - lt_cv_deplibs_check_method=pass_all + freebsd3.[[2-9]]* | freebsdelf3.[[2-9]]* | \ + freebsd4.[[0-5]] | freebsdelf4.[[0-5]] | freebsd4.1.1 | freebsdelf4.1.1) + shlibpath_overrides_runpath=no + hardcode_into_libs=yes ;; - pc) - lt_cv_deplibs_check_method=pass_all + *) # from 4.6 on, and DragonFly + shlibpath_overrides_runpath=yes + hardcode_into_libs=yes ;; esac ;; -sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*) - lt_cv_deplibs_check_method=pass_all +gnu*) + version_type=linux + 
need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + hardcode_into_libs=yes ;; -esac -]) -file_magic_cmd=$lt_cv_file_magic_cmd -deplibs_check_method=$lt_cv_deplibs_check_method -test -z "$deplibs_check_method" && deplibs_check_method=unknown -])# AC_DEPLIBS_CHECK_METHOD - - -# AC_PROG_NM -# ---------- -# find the pathname to a BSD-compatible name lister -AC_DEFUN([AC_PROG_NM], -[AC_CACHE_CHECK([for BSD-compatible nm], lt_cv_path_NM, -[if test -n "$NM"; then - # Let the user override the test. - lt_cv_path_NM="$NM" -else - lt_nm_to_check="${ac_tool_prefix}nm" - if test -n "$ac_tool_prefix" && test "$build" = "$host"; then - lt_nm_to_check="$lt_nm_to_check nm" - fi - for lt_tmp_nm in $lt_nm_to_check; do - lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR - for ac_dir in $PATH /usr/ccs/bin/elf /usr/ccs/bin /usr/ucb /bin; do - IFS="$lt_save_ifs" - test -z "$ac_dir" && ac_dir=. - tmp_nm="$ac_dir/$lt_tmp_nm" - if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext" ; then - # Check to see if the nm accepts a BSD-compat flag. 
- # Adding the `sed 1q' prevents false positives on HP-UX, which says: - # nm: unknown option "B" ignored - # Tru64's nm complains that /dev/null is an invalid object file - case `"$tmp_nm" -B /dev/null 2>&1 | sed '1q'` in - */dev/null* | *'Invalid file or object type'*) - lt_cv_path_NM="$tmp_nm -B" - break - ;; - *) - case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in - */dev/null*) - lt_cv_path_NM="$tmp_nm -p" - break - ;; - *) - lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but - continue # so that we can try to find one that supports BSD flags - ;; - esac - ;; - esac - fi - done - IFS="$lt_save_ifs" - done - test -z "$lt_cv_path_NM" && lt_cv_path_NM=nm -fi]) -NM="$lt_cv_path_NM" -])# AC_PROG_NM - -# AC_CHECK_LIBM -# ------------- -# check for math library -AC_DEFUN([AC_CHECK_LIBM], -[AC_REQUIRE([AC_CANONICAL_HOST])dnl -LIBM= -case $host in -*-*-beos* | *-*-cygwin* | *-*-pw32* | *-*-darwin*) - # These system don't have libm, or don't need it - ;; -*-ncr-sysv4.3*) - AC_CHECK_LIB(mw, _mwvalidcheckl, LIBM="-lmw") - AC_CHECK_LIB(m, cos, LIBM="$LIBM -lm") - ;; -*) - AC_CHECK_LIB(m, cos, LIBM="-lm") +hpux9* | hpux10* | hpux11*) + # Give a soname corresponding to the major version so that dld.sl refuses to + # link against other versions. + version_type=sunos + need_lib_prefix=no + need_version=no + case $host_cpu in + ia64*) + shrext_cmds='.so' + hardcode_into_libs=yes + dynamic_linker="$host_os dld.so" + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. 
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + if test "X$HPUX_IA64_MODE" = X32; then + sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib" + else + sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64" + fi + sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec + ;; + hppa*64*) + shrext_cmds='.sl' + hardcode_into_libs=yes + dynamic_linker="$host_os dld.sl" + shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64" + sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec + ;; + *) + shrext_cmds='.sl' + dynamic_linker="$host_os dld.sl" + shlibpath_var=SHLIB_PATH + shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + ;; + esac + # HP-UX runs *really* slowly unless shared libraries are mode 555. + postinstall_cmds='chmod 555 $lib' ;; -esac -])# AC_CHECK_LIBM - - -# AC_LIBLTDL_CONVENIENCE([DIRECTORY]) -# ----------------------------------- -# sets LIBLTDL to the link flags for the libltdl convenience library and -# LTDLINCL to the include flags for the libltdl header and adds -# --enable-ltdl-convenience to the configure arguments. Note that -# AC_CONFIG_SUBDIRS is not called here. If DIRECTORY is not provided, -# it is assumed to be `libltdl'. LIBLTDL will be prefixed with -# '${top_builddir}/' and LTDLINCL will be prefixed with '${top_srcdir}/' -# (note the single quotes!). 
If your package is not flat and you're not -# using automake, define top_builddir and top_srcdir appropriately in -# the Makefiles. -AC_DEFUN([AC_LIBLTDL_CONVENIENCE], -[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl - case $enable_ltdl_convenience in - no) AC_MSG_ERROR([this package needs a convenience libltdl]) ;; - "") enable_ltdl_convenience=yes - ac_configure_args="$ac_configure_args --enable-ltdl-convenience" ;; - esac - LIBLTDL='${top_builddir}/'ifelse($#,1,[$1],['libltdl'])/libltdlc.la - LTDLINCL='-I${top_srcdir}/'ifelse($#,1,[$1],['libltdl']) - # For backwards non-gettext consistent compatibility... - INCLTDL="$LTDLINCL" -])# AC_LIBLTDL_CONVENIENCE +interix[[3-9]]*) + version_type=linux + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + ;; -# AC_LIBLTDL_INSTALLABLE([DIRECTORY]) -# ----------------------------------- -# sets LIBLTDL to the link flags for the libltdl installable library and -# LTDLINCL to the include flags for the libltdl header and adds -# --enable-ltdl-install to the configure arguments. Note that -# AC_CONFIG_SUBDIRS is not called here. If DIRECTORY is not provided, -# and an installed libltdl is not found, it is assumed to be `libltdl'. -# LIBLTDL will be prefixed with '${top_builddir}/'# and LTDLINCL with -# '${top_srcdir}/' (note the single quotes!). If your package is not -# flat and you're not using automake, define top_builddir and top_srcdir -# appropriately in the Makefiles. -# In the future, this macro may have to be called after AC_PROG_LIBTOOL. 
-AC_DEFUN([AC_LIBLTDL_INSTALLABLE], -[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl - AC_CHECK_LIB(ltdl, lt_dlinit, - [test x"$enable_ltdl_install" != xyes && enable_ltdl_install=no], - [if test x"$enable_ltdl_install" = xno; then - AC_MSG_WARN([libltdl not installed, but installation disabled]) - else - enable_ltdl_install=yes - fi - ]) - if test x"$enable_ltdl_install" = x"yes"; then - ac_configure_args="$ac_configure_args --enable-ltdl-install" - LIBLTDL='${top_builddir}/'ifelse($#,1,[$1],['libltdl'])/libltdl.la - LTDLINCL='-I${top_srcdir}/'ifelse($#,1,[$1],['libltdl']) - else - ac_configure_args="$ac_configure_args --enable-ltdl-install=no" - LIBLTDL="-lltdl" - LTDLINCL= - fi - # For backwards non-gettext consistent compatibility... - INCLTDL="$LTDLINCL" -])# AC_LIBLTDL_INSTALLABLE - - -# AC_LIBTOOL_CXX -# -------------- -# enable support for C++ libraries -AC_DEFUN([AC_LIBTOOL_CXX], -[AC_REQUIRE([_LT_AC_LANG_CXX]) -])# AC_LIBTOOL_CXX - - -# _LT_AC_LANG_CXX -# --------------- -AC_DEFUN([_LT_AC_LANG_CXX], -[AC_REQUIRE([AC_PROG_CXX]) -AC_REQUIRE([_LT_AC_PROG_CXXCPP]) -_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}CXX]) -])# _LT_AC_LANG_CXX - -# _LT_AC_PROG_CXXCPP -# ------------------ -AC_DEFUN([_LT_AC_PROG_CXXCPP], -[ -AC_REQUIRE([AC_PROG_CXX]) -if test -n "$CXX" && ( test "X$CXX" != "Xno" && - ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) || - (test "X$CXX" != "Xg++"))) ; then - AC_PROG_CXXCPP -fi -])# _LT_AC_PROG_CXXCPP - -# AC_LIBTOOL_F77 -# -------------- -# enable support for Fortran 77 libraries -AC_DEFUN([AC_LIBTOOL_F77], -[AC_REQUIRE([_LT_AC_LANG_F77]) -])# AC_LIBTOOL_F77 - - -# _LT_AC_LANG_F77 -# --------------- -AC_DEFUN([_LT_AC_LANG_F77], -[AC_REQUIRE([AC_PROG_F77]) -_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}F77]) -])# _LT_AC_LANG_F77 +irix5* | irix6* | nonstopux*) + case $host_os in + nonstopux*) version_type=nonstopux ;; + *) + if test "$lt_cv_prog_gnu_ld" = yes; then + version_type=linux + else + version_type=irix + fi ;; + esac + 
need_lib_prefix=no + need_version=no + soname_spec='${libname}${release}${shared_ext}$major' + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}' + case $host_os in + irix5* | nonstopux*) + libsuff= shlibsuff= + ;; + *) + case $LD in # libtool.m4 will add one of these switches to LD + *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ") + libsuff= shlibsuff= libmagic=32-bit;; + *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ") + libsuff=32 shlibsuff=N32 libmagic=N32;; + *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ") + libsuff=64 shlibsuff=64 libmagic=64-bit;; + *) libsuff= shlibsuff= libmagic=never-match;; + esac + ;; + esac + shlibpath_var=LD_LIBRARY${shlibsuff}_PATH + shlibpath_overrides_runpath=no + sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}" + sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}" + hardcode_into_libs=yes + ;; +# No shared lib support for Linux oldld, aout, or coff. +linux*oldld* | linux*aout* | linux*coff*) + dynamic_linker=no + ;; -# AC_LIBTOOL_GCJ -# -------------- -# enable support for GCJ libraries -AC_DEFUN([AC_LIBTOOL_GCJ], -[AC_REQUIRE([_LT_AC_LANG_GCJ]) -])# AC_LIBTOOL_GCJ +# This must be Linux ELF. 
+linux* | k*bsd*-gnu) + version_type=linux + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + # Some binutils ld are patched to set DT_RUNPATH + save_LDFLAGS=$LDFLAGS + save_libdir=$libdir + eval "libdir=/foo; wl=\"$_LT_TAGVAR(lt_prog_compiler_wl, $1)\"; \ + LDFLAGS=\"\$LDFLAGS $_LT_TAGVAR(hardcode_libdir_flag_spec, $1)\"" + AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])], + [AS_IF([ ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null], + [shlibpath_overrides_runpath=yes])]) + LDFLAGS=$save_LDFLAGS + libdir=$save_libdir + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. + hardcode_into_libs=yes -# _LT_AC_LANG_GCJ -# --------------- -AC_DEFUN([_LT_AC_LANG_GCJ], -[AC_PROVIDE_IFELSE([AC_PROG_GCJ],[], - [AC_PROVIDE_IFELSE([A][M_PROG_GCJ],[], - [AC_PROVIDE_IFELSE([LT_AC_PROG_GCJ],[], - [ifdef([AC_PROG_GCJ],[AC_REQUIRE([AC_PROG_GCJ])], - [ifdef([A][M_PROG_GCJ],[AC_REQUIRE([A][M_PROG_GCJ])], - [AC_REQUIRE([A][C_PROG_GCJ_OR_A][M_PROG_GCJ])])])])])]) -_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}GCJ]) -])# _LT_AC_LANG_GCJ + # Add ABI-specific directories to the system library path. 
+ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" + # Append ld.so.conf contents to the search path + if test -f /etc/ld.so.conf; then + lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` + sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra" + fi -# AC_LIBTOOL_RC -# ------------- -# enable support for Windows resource files -AC_DEFUN([AC_LIBTOOL_RC], -[AC_REQUIRE([LT_AC_PROG_RC]) -_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}RC]) -])# AC_LIBTOOL_RC + # We used to test for /lib/ld.so.1 and disable shared libraries on + # powerpc, because MkLinux only supported shared libraries with the + # GNU dynamic linker. Since this was broken with cross compilers, + # most powerpc-linux boxes support dynamic linking these days and + # people can always --disable-shared, the test was removed, and we + # assume the GNU/Linux dynamic linker is in use. + dynamic_linker='GNU/Linux ld.so' + ;; +netbsd*) + version_type=sunos + need_lib_prefix=no + need_version=no + if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' + finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' + dynamic_linker='NetBSD (a.out) ld.so' + else + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + dynamic_linker='NetBSD ld.elf_so' + fi + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes + hardcode_into_libs=yes + ;; -# AC_LIBTOOL_LANG_C_CONFIG -# ------------------------ -# Ensure that the configuration vars for the C compiler are -# suitably defined. 
Those variables are subsequently used by -# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'. -AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG], [_LT_AC_LANG_C_CONFIG]) -AC_DEFUN([_LT_AC_LANG_C_CONFIG], -[lt_save_CC="$CC" -AC_LANG_PUSH(C) +newsos6) + version_type=linux + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes + ;; -# Source file extension for C test sources. -ac_ext=c +*nto* | *qnx*) + version_type=qnx + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + dynamic_linker='ldqnx.so' + ;; -# Object file extension for compiled C test sources. -objext=o -_LT_AC_TAGVAR(objext, $1)=$objext +openbsd*) + version_type=sunos + sys_lib_dlsearch_path_spec="/usr/lib" + need_lib_prefix=no + # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs. 
+ case $host_os in + openbsd3.3 | openbsd3.3.*) need_version=yes ;; + *) need_version=no ;; + esac + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' + finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' + shlibpath_var=LD_LIBRARY_PATH + if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then + case $host_os in + openbsd2.[[89]] | openbsd2.[[89]].*) + shlibpath_overrides_runpath=no + ;; + *) + shlibpath_overrides_runpath=yes + ;; + esac + else + shlibpath_overrides_runpath=yes + fi + ;; -# Code to be used in simple compile tests -lt_simple_compile_test_code="int some_variable = 0;\n" +os2*) + libname_spec='$name' + shrext_cmds=".dll" + need_lib_prefix=no + library_names_spec='$libname${shared_ext} $libname.a' + dynamic_linker='OS/2 ld.exe' + shlibpath_var=LIBPATH + ;; -# Code to be used in simple link tests -lt_simple_link_test_code='int main(){return(0);}\n' +osf3* | osf4* | osf5*) + version_type=osf + need_lib_prefix=no + need_version=no + soname_spec='${libname}${release}${shared_ext}$major' + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + shlibpath_var=LD_LIBRARY_PATH + sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib" + sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec" + ;; -_LT_AC_SYS_COMPILER +rdos*) + dynamic_linker=no + ;; -# save warnings/boilerplate of simple test code -_LT_COMPILER_BOILERPLATE -_LT_LINKER_BOILERPLATE +solaris*) + version_type=linux + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes + hardcode_into_libs=yes + # ldd complains unless libraries are executable 
+ postinstall_cmds='chmod +x $lib' + ;; -AC_LIBTOOL_PROG_COMPILER_NO_RTTI($1) -AC_LIBTOOL_PROG_COMPILER_PIC($1) -AC_LIBTOOL_PROG_CC_C_O($1) -AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1) -AC_LIBTOOL_PROG_LD_SHLIBS($1) -AC_LIBTOOL_SYS_DYNAMIC_LINKER($1) -AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1) -AC_LIBTOOL_SYS_LIB_STRIP -AC_LIBTOOL_DLOPEN_SELF - -# Report which library types will actually be built -AC_MSG_CHECKING([if libtool supports shared libraries]) -AC_MSG_RESULT([$can_build_shared]) +sunos4*) + version_type=sunos + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' + finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes + if test "$with_gnu_ld" = yes; then + need_lib_prefix=no + fi + need_version=yes + ;; -AC_MSG_CHECKING([whether to build shared libraries]) -test "$can_build_shared" = "no" && enable_shared=no +sysv4 | sysv4.3*) + version_type=linux + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + case $host_vendor in + sni) + shlibpath_overrides_runpath=no + need_lib_prefix=no + runpath_var=LD_RUN_PATH + ;; + siemens) + need_lib_prefix=no + ;; + motorola) + need_lib_prefix=no + need_version=no + shlibpath_overrides_runpath=no + sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib' + ;; + esac + ;; -# On AIX, shared libraries and static libraries use the same namespace, and -# are all built from PIC. 
-case $host_os in -aix3*) - test "$enable_shared" = yes && enable_static=no - if test -n "$RANLIB"; then - archive_cmds="$archive_cmds~\$RANLIB \$lib" - postinstall_cmds='$RANLIB $lib' +sysv4*MP*) + if test -d /usr/nec ;then + version_type=linux + library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}' + soname_spec='$libname${shared_ext}.$major' + shlibpath_var=LD_LIBRARY_PATH fi ;; -aix4* | aix5*) - if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then - test "$enable_shared" = yes && enable_static=no +sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*) + version_type=freebsd-elf + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes + hardcode_into_libs=yes + if test "$with_gnu_ld" = yes; then + sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' + else + sys_lib_search_path_spec='/usr/ccs/lib /usr/lib' + case $host_os in + sco3.2v5*) + sys_lib_search_path_spec="$sys_lib_search_path_spec /lib" + ;; + esac fi - ;; -esac -AC_MSG_RESULT([$enable_shared]) - -AC_MSG_CHECKING([whether to build static libraries]) -# Make sure either enable_shared or enable_static is yes. -test "$enable_shared" = yes || enable_static=yes -AC_MSG_RESULT([$enable_static]) - -AC_LIBTOOL_CONFIG($1) - -AC_LANG_POP -CC="$lt_save_CC" -])# AC_LIBTOOL_LANG_C_CONFIG - + sys_lib_dlsearch_path_spec='/usr/lib' + ;; -# AC_LIBTOOL_LANG_CXX_CONFIG -# -------------------------- -# Ensure that the configuration vars for the C compiler are -# suitably defined. Those variables are subsequently used by -# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'. 
-AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG], [_LT_AC_LANG_CXX_CONFIG(CXX)]) -AC_DEFUN([_LT_AC_LANG_CXX_CONFIG], -[AC_LANG_PUSH(C++) -AC_REQUIRE([AC_PROG_CXX]) -AC_REQUIRE([_LT_AC_PROG_CXXCPP]) - -_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no -_LT_AC_TAGVAR(allow_undefined_flag, $1)= -_LT_AC_TAGVAR(always_export_symbols, $1)=no -_LT_AC_TAGVAR(archive_expsym_cmds, $1)= -_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)= -_LT_AC_TAGVAR(hardcode_direct, $1)=no -_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)= -_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)= -_LT_AC_TAGVAR(hardcode_libdir_separator, $1)= -_LT_AC_TAGVAR(hardcode_minus_L, $1)=no -_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported -_LT_AC_TAGVAR(hardcode_automatic, $1)=no -_LT_AC_TAGVAR(module_cmds, $1)= -_LT_AC_TAGVAR(module_expsym_cmds, $1)= -_LT_AC_TAGVAR(link_all_deplibs, $1)=unknown -_LT_AC_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds -_LT_AC_TAGVAR(no_undefined_flag, $1)= -_LT_AC_TAGVAR(whole_archive_flag_spec, $1)= -_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no +tpf*) + # TPF is a cross-target only. Preferred cross-host = GNU/Linux. + version_type=linux + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + ;; -# Dependencies to place before and after the object being linked: -_LT_AC_TAGVAR(predep_objects, $1)= -_LT_AC_TAGVAR(postdep_objects, $1)= -_LT_AC_TAGVAR(predeps, $1)= -_LT_AC_TAGVAR(postdeps, $1)= -_LT_AC_TAGVAR(compiler_lib_search_path, $1)= +uts4*) + version_type=linux + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + ;; -# Source file extension for C++ test sources. 
-ac_ext=cpp +*) + dynamic_linker=no + ;; +esac +AC_MSG_RESULT([$dynamic_linker]) +test "$dynamic_linker" = no && can_build_shared=no -# Object file extension for compiled C++ test sources. -objext=o -_LT_AC_TAGVAR(objext, $1)=$objext +variables_saved_for_relink="PATH $shlibpath_var $runpath_var" +if test "$GCC" = yes; then + variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH" +fi -# Code to be used in simple compile tests -lt_simple_compile_test_code="int some_variable = 0;\n" +if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then + sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec" +fi +if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then + sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec" +fi -# Code to be used in simple link tests -lt_simple_link_test_code='int main(int, char *[[]]) { return(0); }\n' +_LT_DECL([], [variables_saved_for_relink], [1], + [Variables whose values should be saved in libtool wrapper scripts and + restored at link time]) +_LT_DECL([], [need_lib_prefix], [0], + [Do we need the "lib" prefix for modules?]) +_LT_DECL([], [need_version], [0], [Do we need a version for libraries?]) +_LT_DECL([], [version_type], [0], [Library versioning type]) +_LT_DECL([], [runpath_var], [0], [Shared library runtime path variable]) +_LT_DECL([], [shlibpath_var], [0],[Shared library path variable]) +_LT_DECL([], [shlibpath_overrides_runpath], [0], + [Is shlibpath searched before the hard-coded library search path?]) +_LT_DECL([], [libname_spec], [1], [Format of library name prefix]) +_LT_DECL([], [library_names_spec], [1], + [[List of archive names. First name is the real one, the rest are links. 
+ The last name is the one that the linker finds with -lNAME]]) +_LT_DECL([], [soname_spec], [1], + [[The coded name of the library, if different from the real name]]) +_LT_DECL([], [postinstall_cmds], [2], + [Command to use after installation of a shared archive]) +_LT_DECL([], [postuninstall_cmds], [2], + [Command to use after uninstallation of a shared archive]) +_LT_DECL([], [finish_cmds], [2], + [Commands used to finish a libtool library installation in a directory]) +_LT_DECL([], [finish_eval], [1], + [[As "finish_cmds", except a single script fragment to be evaled but + not shown]]) +_LT_DECL([], [hardcode_into_libs], [0], + [Whether we should hardcode library paths into libraries]) +_LT_DECL([], [sys_lib_search_path_spec], [2], + [Compile-time system search path for libraries]) +_LT_DECL([], [sys_lib_dlsearch_path_spec], [2], + [Run-time system search path for libraries]) +])# _LT_SYS_DYNAMIC_LINKER -# ltmain only uses $CC for tagged configurations so make sure $CC is set. -_LT_AC_SYS_COMPILER -# save warnings/boilerplate of simple test code -_LT_COMPILER_BOILERPLATE -_LT_LINKER_BOILERPLATE +# _LT_PATH_TOOL_PREFIX(TOOL) +# -------------------------- +# find a file program which can recognize shared library +AC_DEFUN([_LT_PATH_TOOL_PREFIX], +[m4_require([_LT_DECL_EGREP])dnl +AC_MSG_CHECKING([for $1]) +AC_CACHE_VAL(lt_cv_path_MAGIC_CMD, +[case $MAGIC_CMD in +[[\\/*] | ?:[\\/]*]) + lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path. + ;; +*) + lt_save_MAGIC_CMD="$MAGIC_CMD" + lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR +dnl $ac_dummy forces splitting on constant user-supplied paths. +dnl POSIX.2 word splitting is done only on the output of word expansions, +dnl not every word. This closes a longstanding sh security hole. + ac_dummy="m4_if([$2], , $PATH, [$2])" + for ac_dir in $ac_dummy; do + IFS="$lt_save_ifs" + test -z "$ac_dir" && ac_dir=. 
+ if test -f $ac_dir/$1; then + lt_cv_path_MAGIC_CMD="$ac_dir/$1" + if test -n "$file_magic_test_file"; then + case $deplibs_check_method in + "file_magic "*) + file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"` + MAGIC_CMD="$lt_cv_path_MAGIC_CMD" + if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null | + $EGREP "$file_magic_regex" > /dev/null; then + : + else + cat <<_LT_EOF 1>&2 -# Allow CC to be a program name with arguments. -lt_save_CC=$CC -lt_save_LD=$LD -lt_save_GCC=$GCC -GCC=$GXX -lt_save_with_gnu_ld=$with_gnu_ld -lt_save_path_LD=$lt_cv_path_LD -if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then - lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx -else - $as_unset lt_cv_prog_gnu_ld -fi -if test -n "${lt_cv_path_LDCXX+set}"; then - lt_cv_path_LD=$lt_cv_path_LDCXX -else - $as_unset lt_cv_path_LD -fi -test -z "${LDCXX+set}" || LD=$LDCXX -CC=${CXX-"c++"} -compiler=$CC -_LT_AC_TAGVAR(compiler, $1)=$CC -_LT_CC_BASENAME([$compiler]) +*** Warning: the command libtool uses to detect shared libraries, +*** $file_magic_cmd, produces output that libtool cannot recognize. +*** The result is that libtool may fail to recognize shared libraries +*** as such. This will affect the creation of libtool libraries that +*** depend on shared libraries, but programs linked with such libtool +*** libraries will work regardless of this problem. 
Nevertheless, you +*** may want to report the problem to your system manager and/or to +*** bug-libtool@gnu.org -# We don't want -fno-exception wen compiling C++ code, so set the -# no_builtin_flag separately -if test "$GXX" = yes; then - _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin' +_LT_EOF + fi ;; + esac + fi + break + fi + done + IFS="$lt_save_ifs" + MAGIC_CMD="$lt_save_MAGIC_CMD" + ;; +esac]) +MAGIC_CMD="$lt_cv_path_MAGIC_CMD" +if test -n "$MAGIC_CMD"; then + AC_MSG_RESULT($MAGIC_CMD) else - _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)= + AC_MSG_RESULT(no) fi +_LT_DECL([], [MAGIC_CMD], [0], + [Used to examine libraries when file_magic_cmd begins with "file"])dnl +])# _LT_PATH_TOOL_PREFIX -if test "$GXX" = yes; then - # Set up default GNU C++ configuration +# Old name: +AU_ALIAS([AC_PATH_TOOL_PREFIX], [_LT_PATH_TOOL_PREFIX]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_PATH_TOOL_PREFIX], []) - AC_PROG_LD - # Check if GNU C++ uses GNU ld as the underlying linker, since the - # archiving commands below assume that GNU ld is being used. - if test "$with_gnu_ld" = yes; then - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir' - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' - - # If archive_cmds runs LD, not CC, wlarc should be empty - # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to - # investigate it a little bit more. (MM) - wlarc='${wl}' - - # ancient GNU ld didn't support --whole-archive et. al. 
- if eval "`$CC -print-prog-name=ld` --help 2>&1" | \ - grep 'no-whole-archive' > /dev/null; then - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' - else - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)= - fi +# _LT_PATH_MAGIC +# -------------- +# find a file program which can recognize a shared library +m4_defun([_LT_PATH_MAGIC], +[_LT_PATH_TOOL_PREFIX(${ac_tool_prefix}file, /usr/bin$PATH_SEPARATOR$PATH) +if test -z "$lt_cv_path_MAGIC_CMD"; then + if test -n "$ac_tool_prefix"; then + _LT_PATH_TOOL_PREFIX(file, /usr/bin$PATH_SEPARATOR$PATH) else - with_gnu_ld=no - wlarc= - - # A generic and very simple default shared library creation - # command for GNU C++ for the case where it uses the native - # linker, instead of GNU ld. If possible, this setting should - # overridden to take advantage of the native linker features on - # the platform it is being used on. - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib' + MAGIC_CMD=: fi - - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"' - -else - GXX=no - with_gnu_ld=no - wlarc= fi +])# _LT_PATH_MAGIC -# PORTME: fill in a description of your system's C++ link characteristics -AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries]) -_LT_AC_TAGVAR(ld_shlibs, $1)=yes -case $host_os in - aix3*) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - aix4* | aix5*) - if test "$host_cpu" = ia64; then - # On IA64, the linker does run time linking by default, so we don't - # have to do anything special. 
- aix_use_runtimelinking=no - exp_sym_flag='-Bexport' - no_entry_flag="" - else - aix_use_runtimelinking=no - - # Test if we are trying to use run time linking or normal - # AIX style linking. If -brtl is somewhere in LDFLAGS, we - # need to do runtime linking. - case $host_os in aix4.[[23]]|aix4.[[23]].*|aix5*) - for ld_flag in $LDFLAGS; do - case $ld_flag in - *-brtl*) - aix_use_runtimelinking=yes - break - ;; - esac - done - ;; - esac - exp_sym_flag='-bexport' - no_entry_flag='-bnoentry' - fi +# LT_PATH_LD +# ---------- +# find the pathname to the GNU or non-GNU linker +AC_DEFUN([LT_PATH_LD], +[AC_REQUIRE([AC_PROG_CC])dnl +AC_REQUIRE([AC_CANONICAL_HOST])dnl +AC_REQUIRE([AC_CANONICAL_BUILD])dnl +m4_require([_LT_DECL_SED])dnl +m4_require([_LT_DECL_EGREP])dnl - # When large executables or shared objects are built, AIX ld can - # have problems creating the table of contents. If linking a library - # or program results in "error TOC overflow" add -mminimal-toc to - # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not - # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS. 
- - _LT_AC_TAGVAR(archive_cmds, $1)='' - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':' - _LT_AC_TAGVAR(link_all_deplibs, $1)=yes +AC_ARG_WITH([gnu-ld], + [AS_HELP_STRING([--with-gnu-ld], + [assume the C compiler uses GNU ld @<:@default=no@:>@])], + [test "$withval" = no || with_gnu_ld=yes], + [with_gnu_ld=no])dnl - if test "$GXX" = yes; then - case $host_os in aix4.[[012]]|aix4.[[012]].*) - # We only want to do this on AIX 4.2 and lower, the check - # below for broken collect2 doesn't work under 4.3+ - collect2name=`${CC} -print-prog-name=collect2` - if test -f "$collect2name" && \ - strings "$collect2name" | grep resolve_lib_name >/dev/null - then - # We have reworked collect2 - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - else - # We have old collect2 - _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported - # It fails to find uninstalled libraries when the uninstalled - # path is not listed in the libpath. Setting hardcode_minus_L - # to unsupported forces relinking - _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)= - fi +ac_prog=ld +if test "$GCC" = yes; then + # Check if gcc -print-prog-name=ld gives a path. + AC_MSG_CHECKING([for ld used by $CC]) + case $host in + *-*-mingw*) + # gcc leaves a trailing carriage return which upsets mingw + ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;; + *) + ac_prog=`($CC -print-prog-name=ld) 2>&5` ;; + esac + case $ac_prog in + # Accept absolute paths. + [[\\/]]* | ?:[[\\/]]*) + re_direlt='/[[^/]][[^/]]*/\.\./' + # Canonicalize the pathname of ld + ac_prog=`$ECHO "$ac_prog"| $SED 's%\\\\%/%g'` + while $ECHO "$ac_prog" | $GREP "$re_direlt" > /dev/null 2>&1; do + ac_prog=`$ECHO $ac_prog| $SED "s%$re_direlt%/%"` + done + test -z "$LD" && LD="$ac_prog" + ;; + "") + # If it fails, then pretend we aren't using GCC. 
+ ac_prog=ld + ;; + *) + # If it is relative, then search for the first ld in PATH. + with_gnu_ld=unknown + ;; + esac +elif test "$with_gnu_ld" = yes; then + AC_MSG_CHECKING([for GNU ld]) +else + AC_MSG_CHECKING([for non-GNU ld]) +fi +AC_CACHE_VAL(lt_cv_path_LD, +[if test -z "$LD"; then + lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR + for ac_dir in $PATH; do + IFS="$lt_save_ifs" + test -z "$ac_dir" && ac_dir=. + if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then + lt_cv_path_LD="$ac_dir/$ac_prog" + # Check to see if the program is GNU ld. I'd rather use --version, + # but apparently some variants of GNU ld only accept -v. + # Break only if it was the GNU/non-GNU ld that we prefer. + case `"$lt_cv_path_LD" -v 2>&1 &1 &1 | grep ': supported targets:.* elf' > /dev/null; then - _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported - # Joseph Beckenbach says some releases of gcc - # support --undefined. This deserves some investigation. FIXME - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + +# _LT_CMD_RELOAD +# -------------- +# find reload flag for linker +# -- PORTME Some linkers may need a different reload flag. 
+m4_defun([_LT_CMD_RELOAD], +[AC_CACHE_CHECK([for $LD option to reload object files], + lt_cv_ld_reload_flag, + [lt_cv_ld_reload_flag='-r']) +reload_flag=$lt_cv_ld_reload_flag +case $reload_flag in +"" | " "*) ;; +*) reload_flag=" $reload_flag" ;; +esac +reload_cmds='$LD$reload_flag -o $output$reload_objs' +case $host_os in + darwin*) + if test "$GCC" = yes; then + reload_cmds='$LTCC $LTCFLAGS -nostdlib ${wl}-r -o $output$reload_objs' else - _LT_AC_TAGVAR(ld_shlibs, $1)=no + reload_cmds='$LD$reload_flag -o $output$reload_objs' fi ;; +esac +_LT_DECL([], [reload_flag], [1], [How to create reloadable object files])dnl +_LT_DECL([], [reload_cmds], [2])dnl +])# _LT_CMD_RELOAD - chorus*) - case $cc_basename in - *) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - esac - ;; - cygwin* | mingw* | pw32*) - # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless, - # as there is no search path for DLLs. - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' - _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported - _LT_AC_TAGVAR(always_export_symbols, $1)=no - _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes - - if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' - # If the export-symbols file already is a .def file (1st line - # is EXPORTS), use it as is; otherwise, prepend... 
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then - cp $export_symbols $output_objdir/$soname.def; - else - echo EXPORTS > $output_objdir/$soname.def; - cat $export_symbols >> $output_objdir/$soname.def; - fi~ - $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' - else - _LT_AC_TAGVAR(ld_shlibs, $1)=no - fi +# _LT_CHECK_MAGIC_METHOD +# ---------------------- +# how to check for library dependencies +# -- PORTME fill in with the dynamic library characteristics +m4_defun([_LT_CHECK_MAGIC_METHOD], +[m4_require([_LT_DECL_EGREP]) +m4_require([_LT_DECL_OBJDUMP]) +AC_CACHE_CHECK([how to recognize dependent libraries], +lt_cv_deplibs_check_method, +[lt_cv_file_magic_cmd='$MAGIC_CMD' +lt_cv_file_magic_test_file= +lt_cv_deplibs_check_method='unknown' +# Need to set the preceding variable on all platforms that support +# interlibrary dependencies. +# 'none' -- dependencies not supported. +# `unknown' -- same as none, but documents that we really don't know. +# 'pass_all' -- all dependencies passed with no checks. +# 'test_compile' -- check by making test program. +# 'file_magic [[regex]]' -- check by looking for files in library path +# which responds to the $file_magic_cmd with a given extended regex. +# If you have `file' or equivalent on your system and you're not sure +# whether `pass_all' will *always* work, you probably want this one. 
+ +case $host_os in +aix[[4-9]]*) + lt_cv_deplibs_check_method=pass_all ;; - darwin* | rhapsody*) - case $host_os in - rhapsody* | darwin1.[[012]]) - _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}suppress' - ;; - *) # Darwin 1.3 on - if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then - _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' - else - case ${MACOSX_DEPLOYMENT_TARGET} in - 10.[[012]]) - _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' - ;; - 10.*) - _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}dynamic_lookup' - ;; - esac - fi - ;; - esac - _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no - _LT_AC_TAGVAR(hardcode_direct, $1)=no - _LT_AC_TAGVAR(hardcode_automatic, $1)=yes - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='' - _LT_AC_TAGVAR(link_all_deplibs, $1)=yes - - if test "$GXX" = yes ; then - lt_int_apple_cc_single_mod=no - output_verbose_link_cmd='echo' - if $CC -dumpspecs 2>&1 | $EGREP 'single_module' >/dev/null ; then - lt_int_apple_cc_single_mod=yes - fi - if test "X$lt_int_apple_cc_single_mod" = Xyes ; then - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring' - else - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -r -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring' - fi - _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags' - # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds - if test "X$lt_int_apple_cc_single_mod" = Xyes ; then - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > 
$output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - else - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - fi - _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - else - case $cc_basename in - xlc*) - output_verbose_link_cmd='echo' - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring' - _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags' - # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs 
$deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - ;; - *) - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - esac - fi - ;; - dgux*) - case $cc_basename in - ec++*) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - ghcx*) - # Green Hills C++ Compiler - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - *) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - esac - ;; - freebsd[[12]]*) - # C++ shared libraries reported to be fairly broken before switch to ELF - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - freebsd-elf*) - _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no - ;; - freebsd* | kfreebsd*-gnu | dragonfly*) - # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF - # conventions - _LT_AC_TAGVAR(ld_shlibs, $1)=yes - ;; - gnu*) - ;; - hpux9*) - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH, - # but as the default - # location of the library. - - case $cc_basename in - CC*) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - aCC*) - _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - # - # There doesn't appear to be a way to prevent this compiler from - # explicitly linking system object files so we need to strip them - # from the output so that they don't get included in the library - # dependencies. 
- output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "[[-]]L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list' - ;; - *) - if test "$GXX" = yes; then - _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -shared -nostdlib -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' - else - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - fi - ;; - esac - ;; - hpux10*|hpux11*) - if test $with_gnu_ld = no; then - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: +beos*) + lt_cv_deplibs_check_method=pass_all + ;; - case $host_cpu in - hppa*64*|ia64*) - _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir' - ;; - *) - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' - ;; - esac - fi - case $host_cpu in - hppa*64*|ia64*) - _LT_AC_TAGVAR(hardcode_direct, $1)=no - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - ;; - *) - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH, - # but as the default - # location of the library. 
- ;; - esac +bsdi[[45]]*) + lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib)' + lt_cv_file_magic_cmd='/usr/bin/file -L' + lt_cv_file_magic_test_file=/shlib/libc.so + ;; - case $cc_basename in - CC*) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - aCC*) - case $host_cpu in - hppa*64*) - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' - ;; - ia64*) - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' - ;; - *) - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' - ;; - esac - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - # - # There doesn't appear to be a way to prevent this compiler from - # explicitly linking system object files so we need to strip them - # from the output so that they don't get included in the library - # dependencies. 
- output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list' - ;; - *) - if test "$GXX" = yes; then - if test $with_gnu_ld = no; then - case $host_cpu in - hppa*64*) - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' - ;; - ia64*) - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' - ;; - *) - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' - ;; - esac - fi - else - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - fi - ;; - esac - ;; - interix3*) - _LT_AC_TAGVAR(hardcode_direct, $1)=no - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' - # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc. - # Instead, shared libraries are loaded at an image base (0x10000000 by - # default) and relocated if they conflict, which is a slow very memory - # consuming and fragmenting process. To avoid this, we pick a random, - # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link - # time. Moving up from 0x10000000 also allows more sbrk(2) space. 
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' - ;; - irix5* | irix6*) - case $cc_basename in - CC*) - # SGI C++ - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - - # Archives containing C++ object files must be created using - # "CC -ar", where "CC" is the IRIX C++ compiler. This is - # necessary to make sure instantiated templates are included - # in the archive. - _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -ar -WR,-u -o $oldlib $oldobjs' - ;; - *) - if test "$GXX" = yes; then - if test "$with_gnu_ld" = no; then - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' - else - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` -o $lib' - fi - fi - _LT_AC_TAGVAR(link_all_deplibs, $1)=yes - ;; - esac - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - ;; - linux*) - case $cc_basename in - KCC*) - # Kuck and Associates, Inc. 
(KAI) C++ Compiler - - # KCC will only create a shared library if the output file - # ends with ".so" (or ".sl" for HP-UX), so rename the library - # to its proper name (with version) after linking. - _LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib ${wl}-retain-symbols-file,$export_symbols; mv \$templib $lib' - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - # - # There doesn't appear to be a way to prevent this compiler from - # explicitly linking system object files so we need to strip them - # from the output so that they don't get included in the library - # dependencies. - output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | grep "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list' - - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath,$libdir' - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' - - # Archives containing C++ object files must be created using - # "CC -Bstatic", where "CC" is the KAI C++ compiler. 
- _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs' - ;; - icpc*) - # Intel C++ - with_gnu_ld=yes - # version 8.0 and above of icpc choke on multiply defined symbols - # if we add $predep_objects and $postdep_objects, however 7.1 and - # earlier do not add the objects themselves. - case `$CC -V 2>&1` in - *"Version 7."*) - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - ;; - *) # Version 8.0 or newer - tmp_idyn= - case $host_cpu in - ia64*) tmp_idyn=' -i_dynamic';; - esac - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - ;; - esac - _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive' - ;; - pgCC*) - # Portland Group C++ compiler - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib' - - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir' - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' - 
_LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive' - ;; - cxx*) - # Compaq C++ - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib ${wl}-retain-symbols-file $wl$export_symbols' +cygwin*) + # func_win32_libid is a shell function defined in ltmain.sh + lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL' + lt_cv_file_magic_cmd='func_win32_libid' + ;; - runpath_var=LD_RUN_PATH - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: +mingw* | pw32*) + # Base MSYS/MinGW do not provide the 'file' command needed by + # func_win32_libid shell function, so use a weaker test based on 'objdump', + # unless we find 'file', for example because we are cross-compiling. + if ( file / ) >/dev/null 2>&1; then + lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL' + lt_cv_file_magic_cmd='func_win32_libid' + else + lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?' + lt_cv_file_magic_cmd='$OBJDUMP -f' + fi + ;; - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - # - # There doesn't appear to be a way to prevent this compiler from - # explicitly linking system object files so we need to strip them - # from the output so that they don't get included in the library - # dependencies. 
- output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list' - ;; - esac - ;; - lynxos*) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - m88k*) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - mvs*) - case $cc_basename in - cxx*) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - *) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - esac - ;; - netbsd*) - if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags' - wlarc= - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - fi - # Workaround some broken pre-1.5 toolchains - output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"' - ;; - openbsd2*) - # C++ shared libraries are fairly broken - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - openbsd*) - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' - if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib' - 
_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' - fi - output_verbose_link_cmd='echo' - ;; - osf3*) - case $cc_basename in - KCC*) - # Kuck and Associates, Inc. (KAI) C++ Compiler - - # KCC will only create a shared library if the output file - # ends with ".so" (or ".sl" for HP-UX), so rename the library - # to its proper name (with version) after linking. - _LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib' - - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - - # Archives containing C++ object files must be created using - # "CC -Bstatic", where "CC" is the KAI C++ compiler. - _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs' - - ;; - RCC*) - # Rational C++ 2.4.1 - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - cxx*) - _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*' - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && echo ${wl}-set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. 
- # - # There doesn't appear to be a way to prevent this compiler from - # explicitly linking system object files so we need to strip them - # from the output so that they don't get included in the library - # dependencies. - output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list' - ;; - *) - if test "$GXX" = yes && test "$with_gnu_ld" = no; then - _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*' - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' - - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"' +cegcc) + # use the weaker test based on 'objdump'. See mingw*. + lt_cv_deplibs_check_method='file_magic file format pe-arm-.*little(.*architecture: arm)?' + lt_cv_file_magic_cmd='$OBJDUMP -f' + ;; - else - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - fi - ;; - esac - ;; - osf4* | osf5*) - case $cc_basename in - KCC*) - # Kuck and Associates, Inc. (KAI) C++ Compiler - - # KCC will only create a shared library if the output file - # ends with ".so" (or ".sl" for HP-UX), so rename the library - # to its proper name (with version) after linking. 
- _LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib' - - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - - # Archives containing C++ object files must be created using - # the KAI C++ compiler. - _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -o $oldlib $oldobjs' - ;; - RCC*) - # Rational C++ 2.4.1 - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - cxx*) - _LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*' - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~ - echo "-hidden">> $lib.exp~ - $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname -Wl,-input -Wl,$lib.exp `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~ - $rm $lib.exp' - - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - # - # There doesn't appear to be a way to prevent this compiler from - # explicitly linking system object files so we need to strip them - # from the output so that they don't get included in the library - # dependencies. 
- output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list' - ;; - *) - if test "$GXX" = yes && test "$with_gnu_ld" = no; then - _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*' - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' - - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"' +darwin* | rhapsody*) + lt_cv_deplibs_check_method=pass_all + ;; - else - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - fi - ;; - esac - ;; - psos*) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - sunos4*) - case $cc_basename in - CC*) - # Sun C++ 4.x - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - lcc*) - # Lucid - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - *) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; +freebsd* | dragonfly*) + if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then + case $host_cpu in + i*86 ) + # Not sure whether the presence of OpenBSD here was a mistake. + # Let's accept both of them until this is cleared up. 
+ lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD|DragonFly)/i[[3-9]]86 (compact )?demand paged shared library' + lt_cv_file_magic_cmd=/usr/bin/file + lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*` + ;; esac - ;; - solaris*) - case $cc_basename in - CC*) - # Sun C++ 4.2, 5.x and Centerline C++ - _LT_AC_TAGVAR(archive_cmds_need_lc,$1)=yes - _LT_AC_TAGVAR(no_undefined_flag, $1)=' -zdefs' - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~ - $CC -G${allow_undefined_flag} ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp' - - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - case $host_os in - solaris2.[[0-5]] | solaris2.[[0-5]].*) ;; - *) - # The C++ compiler is used as linker so we must use $wl - # flag to pass the commands to the underlying system - # linker. We must also pass each convience library through - # to the system linker between allextract/defaultextract. - # The C++ compiler will combine linker options so we - # cannot just pass the convience library names through - # without $wl. - # Supported since Solaris 2.6 (maybe 2.5.1?) - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract' - ;; - esac - _LT_AC_TAGVAR(link_all_deplibs, $1)=yes - - output_verbose_link_cmd='echo' - - # Archives containing C++ object files must be created using - # "CC -xar", where "CC" is the Sun C++ compiler. This is - # necessary to make sure instantiated templates are included - # in the archive. 
- _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs' - ;; - gcx*) - # Green Hills C++ Compiler - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib' - - # The C++ compiler must be used to create the archive. - _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC $LDFLAGS -archive -o $oldlib $oldobjs' - ;; - *) - # GNU C++ compiler with Solaris linker - if test "$GXX" = yes && test "$with_gnu_ld" = no; then - _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-z ${wl}defs' - if $CC --version | grep -v '^2\.7' > /dev/null; then - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~ - $CC -shared -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp' - - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - output_verbose_link_cmd="$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\"" - else - # g++ 2.7 appears to require `-G' NOT `-shared' on this - # platform. 
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~ - $CC -G -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp' + else + lt_cv_deplibs_check_method=pass_all + fi + ;; - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - output_verbose_link_cmd="$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\"" - fi +gnu*) + lt_cv_deplibs_check_method=pass_all + ;; - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $wl$libdir' - fi - ;; - esac - ;; - sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*) - _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text' - _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - runpath_var='LD_RUN_PATH' - - case $cc_basename in - CC*) - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' - ;; - *) - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' - ;; - esac - ;; - sysv5* | sco3.2v5* | sco5v6*) - # Note: We can NOT use -z defs as we might desire, because we do not - # link with -lc, and that would cause any symbols used from libc to - # always be unresolved, which means just about no library would - # ever link correctly. 
If we're not using GNU ld we use -z text - # though, which does catch some bad symbols but isn't as heavy-handed - # as -z defs. - # For security reasons, it is highly recommended that you always - # use absolute paths for naming shared libraries, and exclude the - # DT_RUNPATH tag from executables and libraries. But doing so - # requires that you compile everything twice, which is a pain. - # So that behaviour is only enabled if SCOABSPATH is set to a - # non-empty value in the environment. Most likely only useful for - # creating official distributions of packages. - # This is a hack until libtool officially supports absolute path - # names for shared libraries. - _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text' - _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs' - _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':' - _LT_AC_TAGVAR(link_all_deplibs, $1)=yes - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport' - runpath_var='LD_RUN_PATH' - - case $cc_basename in - CC*) - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags' - ;; - *) - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags' - ;; - esac - ;; - tandem*) - case $cc_basename in - NCC*) - # NonStop-UX NCC 3.20 - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - *) - # 
FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - esac +hpux10.20* | hpux11*) + lt_cv_file_magic_cmd=/usr/bin/file + case $host_cpu in + ia64*) + lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|ELF-[[0-9]][[0-9]]) shared object file - IA64' + lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so ;; - vxworks*) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no + hppa*64*) + [lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]'] + lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl ;; *) - # FIXME: insert proper C++ library support - _LT_AC_TAGVAR(ld_shlibs, $1)=no + lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|PA-RISC[[0-9]].[[0-9]]) shared library' + lt_cv_file_magic_test_file=/usr/lib/libc.sl ;; -esac -AC_MSG_RESULT([$_LT_AC_TAGVAR(ld_shlibs, $1)]) -test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no + esac + ;; -_LT_AC_TAGVAR(GCC, $1)="$GXX" -_LT_AC_TAGVAR(LD, $1)="$LD" +interix[[3-9]]*) + # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here + lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|\.a)$' + ;; -AC_LIBTOOL_POSTDEP_PREDEP($1) -AC_LIBTOOL_PROG_COMPILER_PIC($1) -AC_LIBTOOL_PROG_CC_C_O($1) -AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1) -AC_LIBTOOL_PROG_LD_SHLIBS($1) -AC_LIBTOOL_SYS_DYNAMIC_LINKER($1) -AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1) +irix5* | irix6* | nonstopux*) + case $LD in + *-32|*"-32 ") libmagic=32-bit;; + *-n32|*"-n32 ") libmagic=N32;; + *-64|*"-64 ") libmagic=64-bit;; + *) libmagic=never-match;; + esac + lt_cv_deplibs_check_method=pass_all + ;; -AC_LIBTOOL_CONFIG($1) +# This must be Linux ELF. 
+linux* | k*bsd*-gnu) + lt_cv_deplibs_check_method=pass_all + ;; -AC_LANG_POP -CC=$lt_save_CC -LDCXX=$LD -LD=$lt_save_LD -GCC=$lt_save_GCC -with_gnu_ldcxx=$with_gnu_ld -with_gnu_ld=$lt_save_with_gnu_ld -lt_cv_path_LDCXX=$lt_cv_path_LD -lt_cv_path_LD=$lt_save_path_LD -lt_cv_prog_gnu_ldcxx=$lt_cv_prog_gnu_ld -lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld -])# AC_LIBTOOL_LANG_CXX_CONFIG +netbsd*) + if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then + lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$' + else + lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|_pic\.a)$' + fi + ;; -# AC_LIBTOOL_POSTDEP_PREDEP([TAGNAME]) -# ------------------------------------ -# Figure out "hidden" library dependencies from verbose -# compiler output when linking a shared library. -# Parse the compiler output and extract the necessary -# objects, libraries and library flags. -AC_DEFUN([AC_LIBTOOL_POSTDEP_PREDEP],[ -dnl we can't use the lt_simple_compile_test_code here, -dnl because it contains code intended for an executable, -dnl not a library. It's possible we should let each -dnl tag define a new lt_????_link_test_code variable, -dnl but it's only used here... -ifelse([$1],[],[cat > conftest.$ac_ext < conftest.$ac_ext < conftest.$ac_ext < conftest.$ac_ext <&1 | sed '1q'` in + */dev/null* | *'Invalid file or object type'*) + lt_cv_path_NM="$tmp_nm -B" + break + ;; + *) + case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in + */dev/null*) + lt_cv_path_NM="$tmp_nm -p" + break + ;; + *) + lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but + continue # so that we can try to find one that supports BSD flags + ;; + esac + ;; + esac + fi + done + IFS="$lt_save_ifs" + done + : ${lt_cv_path_NM=no} +fi]) +if test "$lt_cv_path_NM" != "no"; then + NM="$lt_cv_path_NM" +else + # Didn't find any BSD compatible name lister, look for dumpbin. 
+ AC_CHECK_TOOLS(DUMPBIN, ["dumpbin -symbols" "link -dump -symbols"], :) + AC_SUBST([DUMPBIN]) + if test "$DUMPBIN" != ":"; then + NM="$DUMPBIN" + fi fi +test -z "$NM" && NM=nm +AC_SUBST([NM]) +_LT_DECL([], [NM], [1], [A BSD- or MS-compatible name lister])dnl -$rm -f confest.$objext +AC_CACHE_CHECK([the name lister ($NM) interface], [lt_cv_nm_interface], + [lt_cv_nm_interface="BSD nm" + echo "int some_variable = 0;" > conftest.$ac_ext + (eval echo "\"\$as_me:__oline__: $ac_compile\"" >&AS_MESSAGE_LOG_FD) + (eval "$ac_compile" 2>conftest.err) + cat conftest.err >&AS_MESSAGE_LOG_FD + (eval echo "\"\$as_me:__oline__: $NM \\\"conftest.$ac_objext\\\"\"" >&AS_MESSAGE_LOG_FD) + (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) + cat conftest.err >&AS_MESSAGE_LOG_FD + (eval echo "\"\$as_me:__oline__: output\"" >&AS_MESSAGE_LOG_FD) + cat conftest.out >&AS_MESSAGE_LOG_FD + if $GREP 'External.*some_variable' conftest.out > /dev/null; then + lt_cv_nm_interface="MS dumpbin" + fi + rm -f conftest*]) +])# LT_PATH_NM + +# Old names: +AU_ALIAS([AM_PROG_NM], [LT_PATH_NM]) +AU_ALIAS([AC_PROG_NM], [LT_PATH_NM]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AM_PROG_NM], []) +dnl AC_DEFUN([AC_PROG_NM], []) -# PORTME: override above test on systems where it is broken -ifelse([$1],[CXX], -[case $host_os in -interix3*) - # Interix 3.5 installs completely hosed .la files for C++, so rather than - # hack all around it, let's just trust "g++" to DTRT. - _LT_AC_TAGVAR(predep_objects,$1)= - _LT_AC_TAGVAR(postdep_objects,$1)= - _LT_AC_TAGVAR(postdeps,$1)= - ;; -solaris*) - case $cc_basename in - CC*) - # Adding this requires a known-good setup of shared libraries for - # Sun compiler versions before 5.6, else PIC objects from an old - # archive will be linked into the output, leading to subtle bugs. 
- _LT_AC_TAGVAR(postdeps,$1)='-lCstd -lCrun' - ;; - esac +# LT_LIB_M +# -------- +# check for math library +AC_DEFUN([LT_LIB_M], +[AC_REQUIRE([AC_CANONICAL_HOST])dnl +LIBM= +case $host in +*-*-beos* | *-*-cygwin* | *-*-pw32* | *-*-darwin*) + # These system don't have libm, or don't need it + ;; +*-ncr-sysv4.3*) + AC_CHECK_LIB(mw, _mwvalidcheckl, LIBM="-lmw") + AC_CHECK_LIB(m, cos, LIBM="$LIBM -lm") + ;; +*) + AC_CHECK_LIB(m, cos, LIBM="-lm") ;; esac -]) - -case " $_LT_AC_TAGVAR(postdeps, $1) " in -*" -lc "*) _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no ;; -esac -])# AC_LIBTOOL_POSTDEP_PREDEP +AC_SUBST([LIBM]) +])# LT_LIB_M -# AC_LIBTOOL_LANG_F77_CONFIG -# -------------------------- -# Ensure that the configuration vars for the C compiler are -# suitably defined. Those variables are subsequently used by -# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'. -AC_DEFUN([AC_LIBTOOL_LANG_F77_CONFIG], [_LT_AC_LANG_F77_CONFIG(F77)]) -AC_DEFUN([_LT_AC_LANG_F77_CONFIG], -[AC_REQUIRE([AC_PROG_F77]) -AC_LANG_PUSH(Fortran 77) +# Old name: +AU_ALIAS([AC_CHECK_LIBM], [LT_LIB_M]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_CHECK_LIBM], []) -_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no -_LT_AC_TAGVAR(allow_undefined_flag, $1)= -_LT_AC_TAGVAR(always_export_symbols, $1)=no -_LT_AC_TAGVAR(archive_expsym_cmds, $1)= -_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)= -_LT_AC_TAGVAR(hardcode_direct, $1)=no -_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)= -_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)= -_LT_AC_TAGVAR(hardcode_libdir_separator, $1)= -_LT_AC_TAGVAR(hardcode_minus_L, $1)=no -_LT_AC_TAGVAR(hardcode_automatic, $1)=no -_LT_AC_TAGVAR(module_cmds, $1)= -_LT_AC_TAGVAR(module_expsym_cmds, $1)= -_LT_AC_TAGVAR(link_all_deplibs, $1)=unknown -_LT_AC_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds -_LT_AC_TAGVAR(no_undefined_flag, $1)= -_LT_AC_TAGVAR(whole_archive_flag_spec, $1)= -_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no -# Source file extension for 
f77 test sources. -ac_ext=f +# _LT_COMPILER_NO_RTTI([TAGNAME]) +# ------------------------------- +m4_defun([_LT_COMPILER_NO_RTTI], +[m4_require([_LT_TAG_COMPILER])dnl -# Object file extension for compiled f77 test sources. -objext=o -_LT_AC_TAGVAR(objext, $1)=$objext +_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)= -# Code to be used in simple compile tests -lt_simple_compile_test_code=" subroutine t\n return\n end\n" +if test "$GCC" = yes; then + _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin' -# Code to be used in simple link tests -lt_simple_link_test_code=" program t\n end\n" + _LT_COMPILER_OPTION([if $compiler supports -fno-rtti -fno-exceptions], + lt_cv_prog_compiler_rtti_exceptions, + [-fno-rtti -fno-exceptions], [], + [_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)="$_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) -fno-rtti -fno-exceptions"]) +fi +_LT_TAGDECL([no_builtin_flag], [lt_prog_compiler_no_builtin_flag], [1], + [Compiler flag to turn off builtin functions]) +])# _LT_COMPILER_NO_RTTI -# ltmain only uses $CC for tagged configurations so make sure $CC is set. -_LT_AC_SYS_COMPILER -# save warnings/boilerplate of simple test code -_LT_COMPILER_BOILERPLATE -_LT_LINKER_BOILERPLATE +# _LT_CMD_GLOBAL_SYMBOLS +# ---------------------- +m4_defun([_LT_CMD_GLOBAL_SYMBOLS], +[AC_REQUIRE([AC_CANONICAL_HOST])dnl +AC_REQUIRE([AC_PROG_CC])dnl +AC_REQUIRE([LT_PATH_NM])dnl +AC_REQUIRE([LT_PATH_LD])dnl +m4_require([_LT_DECL_SED])dnl +m4_require([_LT_DECL_EGREP])dnl +m4_require([_LT_TAG_COMPILER])dnl -# Allow CC to be a program name with arguments. -lt_save_CC="$CC" -CC=${F77-"f77"} -compiler=$CC -_LT_AC_TAGVAR(compiler, $1)=$CC -_LT_CC_BASENAME([$compiler]) +# Check for command to grab the raw symbol name followed by C symbol from nm. +AC_MSG_CHECKING([command to parse $NM output from $compiler object]) +AC_CACHE_VAL([lt_cv_sys_global_symbol_pipe], +[ +# These are sane defaults that work on at least a few old systems. +# [They come from Ultrix. 
What could be older than Ultrix?!! ;)] -AC_MSG_CHECKING([if libtool supports shared libraries]) -AC_MSG_RESULT([$can_build_shared]) +# Character class describing NM global symbol codes. +symcode='[[BCDEGRST]]' -AC_MSG_CHECKING([whether to build shared libraries]) -test "$can_build_shared" = "no" && enable_shared=no +# Regexp to match symbols that can be accessed directly from C. +sympat='\([[_A-Za-z]][[_A-Za-z0-9]]*\)' -# On AIX, shared libraries and static libraries use the same namespace, and -# are all built from PIC. +# Define system-specific variables. case $host_os in -aix3*) - test "$enable_shared" = yes && enable_static=no - if test -n "$RANLIB"; then - archive_cmds="$archive_cmds~\$RANLIB \$lib" - postinstall_cmds='$RANLIB $lib' - fi +aix*) + symcode='[[BCDT]]' ;; -aix4* | aix5*) - if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then - test "$enable_shared" = yes && enable_static=no +cygwin* | mingw* | pw32* | cegcc*) + symcode='[[ABCDGISTW]]' + ;; +hpux*) + if test "$host_cpu" = ia64; then + symcode='[[ABCDEGRST]]' fi ;; +irix* | nonstopux*) + symcode='[[BCDEGRST]]' + ;; +osf*) + symcode='[[BCDEGQRST]]' + ;; +solaris*) + symcode='[[BDRT]]' + ;; +sco3.2v5*) + symcode='[[DT]]' + ;; +sysv4.2uw2*) + symcode='[[DT]]' + ;; +sysv5* | sco5v6* | unixware* | OpenUNIX*) + symcode='[[ABDT]]' + ;; +sysv4) + symcode='[[DFNSTU]]' + ;; esac -AC_MSG_RESULT([$enable_shared]) - -AC_MSG_CHECKING([whether to build static libraries]) -# Make sure either enable_shared or enable_static is yes. 
-test "$enable_shared" = yes || enable_static=yes -AC_MSG_RESULT([$enable_static]) - -_LT_AC_TAGVAR(GCC, $1)="$G77" -_LT_AC_TAGVAR(LD, $1)="$LD" - -AC_LIBTOOL_PROG_COMPILER_PIC($1) -AC_LIBTOOL_PROG_CC_C_O($1) -AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1) -AC_LIBTOOL_PROG_LD_SHLIBS($1) -AC_LIBTOOL_SYS_DYNAMIC_LINKER($1) -AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1) - -AC_LIBTOOL_CONFIG($1) - -AC_LANG_POP -CC="$lt_save_CC" -])# AC_LIBTOOL_LANG_F77_CONFIG - - -# AC_LIBTOOL_LANG_GCJ_CONFIG -# -------------------------- -# Ensure that the configuration vars for the C compiler are -# suitably defined. Those variables are subsequently used by -# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'. -AC_DEFUN([AC_LIBTOOL_LANG_GCJ_CONFIG], [_LT_AC_LANG_GCJ_CONFIG(GCJ)]) -AC_DEFUN([_LT_AC_LANG_GCJ_CONFIG], -[AC_LANG_SAVE - -# Source file extension for Java test sources. -ac_ext=java -# Object file extension for compiled Java test sources. -objext=o -_LT_AC_TAGVAR(objext, $1)=$objext +# If we're using GNU nm, then use its standard symbol codes. +case `$NM -V 2>&1` in +*GNU* | *'with BFD'*) + symcode='[[ABCDGIRSTW]]' ;; +esac -# Code to be used in simple compile tests -lt_simple_compile_test_code="class foo {}\n" +# Transform an extracted symbol line into a proper C declaration. +# Some systems (esp. on ia64) link data and code symbols differently, +# so use this general approach. 
+lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'" -# Code to be used in simple link tests -lt_simple_link_test_code='public class conftest { public static void main(String[[]] argv) {}; }\n' +# Transform an extracted symbol line into symbol name and symbol address +lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/ {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/ {\"\2\", (void *) \&\2},/p'" +lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n -e 's/^: \([[^ ]]*\) $/ {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \(lib[[^ ]]*\)$/ {\"\2\", (void *) \&\2},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/ {\"lib\2\", (void *) \&\2},/p'" -# ltmain only uses $CC for tagged configurations so make sure $CC is set. -_LT_AC_SYS_COMPILER +# Handle CRLF in mingw tool chain +opt_cr= +case $build_os in +mingw*) + opt_cr=`$ECHO 'x\{0,1\}' | tr x '\015'` # option cr in regexp + ;; +esac -# save warnings/boilerplate of simple test code -_LT_COMPILER_BOILERPLATE -_LT_LINKER_BOILERPLATE +# Try without a prefix underscore, then with it. +for ac_symprfx in "" "_"; do -# Allow CC to be a program name with arguments. -lt_save_CC="$CC" -CC=${GCJ-"gcj"} -compiler=$CC -_LT_AC_TAGVAR(compiler, $1)=$CC -_LT_CC_BASENAME([$compiler]) + # Transform symcode, sympat, and symprfx into a raw symbol and a C symbol. + symxfrm="\\1 $ac_symprfx\\2 \\2" -# GCJ did not exist at the time GCC didn't implicitly link libc in. -_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no + # Write the raw and C identifiers. + if test "$lt_cv_nm_interface" = "MS dumpbin"; then + # Fake it for dumpbin and say T for any non-static function + # and D for any global variable. + # Also find C++ and __fastcall symbols from MSVC++, + # which start with @ or ?. 
+ lt_cv_sys_global_symbol_pipe="$AWK ['"\ +" {last_section=section; section=\$ 3};"\ +" /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\ +" \$ 0!~/External *\|/{next};"\ +" / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\ +" {if(hide[section]) next};"\ +" {f=0}; \$ 0~/\(\).*\|/{f=1}; {printf f ? \"T \" : \"D \"};"\ +" {split(\$ 0, a, /\||\r/); split(a[2], s)};"\ +" s[1]~/^[@?]/{print s[1], s[1]; next};"\ +" s[1]~prfx {split(s[1],t,\"@\"); print t[1], substr(t[1],length(prfx))}"\ +" ' prfx=^$ac_symprfx]" + else + lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[ ]]\($symcode$symcode*\)[[ ]][[ ]]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'" + fi -_LT_AC_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds + # Check to see that the pipe works correctly. + pipe_works=no -AC_LIBTOOL_PROG_COMPILER_NO_RTTI($1) -AC_LIBTOOL_PROG_COMPILER_PIC($1) -AC_LIBTOOL_PROG_CC_C_O($1) -AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1) -AC_LIBTOOL_PROG_LD_SHLIBS($1) -AC_LIBTOOL_SYS_DYNAMIC_LINKER($1) -AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1) + rm -f conftest* + cat > conftest.$ac_ext <<_LT_EOF +#ifdef __cplusplus +extern "C" { +#endif +char nm_test_var; +void nm_test_func(void); +void nm_test_func(void){} +#ifdef __cplusplus +} +#endif +int main(){nm_test_var='a';nm_test_func();return(0);} +_LT_EOF -AC_LIBTOOL_CONFIG($1) + if AC_TRY_EVAL(ac_compile); then + # Now try to grab the symbols. + nlist=conftest.nm + if AC_TRY_EVAL(NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) && test -s "$nlist"; then + # Try sorting and uniquifying the output. + if sort "$nlist" | uniq > "$nlist"T; then + mv -f "$nlist"T "$nlist" + else + rm -f "$nlist"T + fi -AC_LANG_RESTORE -CC="$lt_save_CC" -])# AC_LIBTOOL_LANG_GCJ_CONFIG + # Make sure that we snagged all the symbols we need. 
+ if $GREP ' nm_test_var$' "$nlist" >/dev/null; then + if $GREP ' nm_test_func$' "$nlist" >/dev/null; then + cat <<_LT_EOF > conftest.$ac_ext +#ifdef __cplusplus +extern "C" { +#endif +_LT_EOF + # Now generate the symbol file. + eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | $GREP -v main >> conftest.$ac_ext' -# AC_LIBTOOL_LANG_RC_CONFIG -# ------------------------- -# Ensure that the configuration vars for the Windows resource compiler are -# suitably defined. Those variables are subsequently used by -# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'. -AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG], [_LT_AC_LANG_RC_CONFIG(RC)]) -AC_DEFUN([_LT_AC_LANG_RC_CONFIG], -[AC_LANG_SAVE + cat <<_LT_EOF >> conftest.$ac_ext -# Source file extension for RC test sources. -ac_ext=rc +/* The mapping between symbol names and symbols. */ +const struct { + const char *name; + void *address; +} +lt__PROGRAM__LTX_preloaded_symbols[[]] = +{ + { "@PROGRAM@", (void *) 0 }, +_LT_EOF + $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/ {\"\2\", (void *) \&\2},/" < "$nlist" | $GREP -v main >> conftest.$ac_ext + cat <<\_LT_EOF >> conftest.$ac_ext + {0, (void *) 0} +}; -# Object file extension for compiled RC test sources. -objext=o -_LT_AC_TAGVAR(objext, $1)=$objext +/* This works around a problem in FreeBSD linker */ +#ifdef FREEBSD_WORKAROUND +static const void *lt_preloaded_setup() { + return lt__PROGRAM__LTX_preloaded_symbols; +} +#endif -# Code to be used in simple compile tests -lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }\n' +#ifdef __cplusplus +} +#endif +_LT_EOF + # Now try linking the two files. 
+ mv conftest.$ac_objext conftstm.$ac_objext + lt_save_LIBS="$LIBS" + lt_save_CFLAGS="$CFLAGS" + LIBS="conftstm.$ac_objext" + CFLAGS="$CFLAGS$_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)" + if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext}; then + pipe_works=yes + fi + LIBS="$lt_save_LIBS" + CFLAGS="$lt_save_CFLAGS" + else + echo "cannot find nm_test_func in $nlist" >&AS_MESSAGE_LOG_FD + fi + else + echo "cannot find nm_test_var in $nlist" >&AS_MESSAGE_LOG_FD + fi + else + echo "cannot run $lt_cv_sys_global_symbol_pipe" >&AS_MESSAGE_LOG_FD + fi + else + echo "$progname: failed program was:" >&AS_MESSAGE_LOG_FD + cat conftest.$ac_ext >&5 + fi + rm -rf conftest* conftst* -# Code to be used in simple link tests -lt_simple_link_test_code="$lt_simple_compile_test_code" + # Do not use the global_symbol_pipe unless it works. + if test "$pipe_works" = yes; then + break + else + lt_cv_sys_global_symbol_pipe= + fi +done +]) +if test -z "$lt_cv_sys_global_symbol_pipe"; then + lt_cv_sys_global_symbol_to_cdecl= +fi +if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then + AC_MSG_RESULT(failed) +else + AC_MSG_RESULT(ok) +fi -# ltmain only uses $CC for tagged configurations so make sure $CC is set. 
-_LT_AC_SYS_COMPILER +_LT_DECL([global_symbol_pipe], [lt_cv_sys_global_symbol_pipe], [1], + [Take the output of nm and produce a listing of raw symbols and C names]) +_LT_DECL([global_symbol_to_cdecl], [lt_cv_sys_global_symbol_to_cdecl], [1], + [Transform the output of nm in a proper C declaration]) +_LT_DECL([global_symbol_to_c_name_address], + [lt_cv_sys_global_symbol_to_c_name_address], [1], + [Transform the output of nm in a C name address pair]) +_LT_DECL([global_symbol_to_c_name_address_lib_prefix], + [lt_cv_sys_global_symbol_to_c_name_address_lib_prefix], [1], + [Transform the output of nm in a C name address pair when lib prefix is needed]) +]) # _LT_CMD_GLOBAL_SYMBOLS -# save warnings/boilerplate of simple test code -_LT_COMPILER_BOILERPLATE -_LT_LINKER_BOILERPLATE -# Allow CC to be a program name with arguments. -lt_save_CC="$CC" -CC=${RC-"windres"} -compiler=$CC -_LT_AC_TAGVAR(compiler, $1)=$CC -_LT_CC_BASENAME([$compiler]) -_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes +# _LT_COMPILER_PIC([TAGNAME]) +# --------------------------- +m4_defun([_LT_COMPILER_PIC], +[m4_require([_LT_TAG_COMPILER])dnl +_LT_TAGVAR(lt_prog_compiler_wl, $1)= +_LT_TAGVAR(lt_prog_compiler_pic, $1)= +_LT_TAGVAR(lt_prog_compiler_static, $1)= -AC_LIBTOOL_CONFIG($1) +AC_MSG_CHECKING([for $compiler option to produce PIC]) +m4_if([$1], [CXX], [ + # C++ specific cases for pic, static, wl, etc. + if test "$GXX" = yes; then + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' -AC_LANG_RESTORE -CC="$lt_save_CC" -])# AC_LIBTOOL_LANG_RC_CONFIG + case $host_os in + aix*) + # All AIX code is PIC. 
+ if test "$host_cpu" = ia64; then + # AIX 5 now supports IA64 processor + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + fi + ;; + amigaos*) + case $host_cpu in + powerpc) + # see comment about AmigaOS4 .so support + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + ;; + m68k) + # FIXME: we need at least 68020 code to build shared libraries, but + # adding the `-m68020' flag to GCC prevents building anything better, + # like `-m68040'. + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4' + ;; + esac + ;; -# AC_LIBTOOL_CONFIG([TAGNAME]) -# ---------------------------- -# If TAGNAME is not passed, then create an initial libtool script -# with a default configuration from the untagged config vars. Otherwise -# add code to config.status for appending the configuration named by -# TAGNAME from the matching tagged config vars. -AC_DEFUN([AC_LIBTOOL_CONFIG], -[# The else clause should only fire when bootstrapping the -# libtool distribution, otherwise you forgot to ship ltmain.sh -# with your package, and you will get complaints that there are -# no rules to generate ltmain.sh. -if test -f "$ltmain"; then - # See if we are running on zsh, and set the options which allow our commands through - # without removal of \ escapes. - if test -n "${ZSH_VERSION+set}" ; then - setopt NO_GLOB_SUBST - fi - # Now quote all the things that may contain metacharacters while being - # careful not to overquote the AC_SUBSTed values. We take copies of the - # variables and quote the copies for generation of the libtool script. 
- for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \ - SED SHELL STRIP \ - libname_spec library_names_spec soname_spec extract_expsyms_cmds \ - old_striplib striplib file_magic_cmd finish_cmds finish_eval \ - deplibs_check_method reload_flag reload_cmds need_locks \ - lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \ - lt_cv_sys_global_symbol_to_c_name_address \ - sys_lib_search_path_spec sys_lib_dlsearch_path_spec \ - old_postinstall_cmds old_postuninstall_cmds \ - _LT_AC_TAGVAR(compiler, $1) \ - _LT_AC_TAGVAR(CC, $1) \ - _LT_AC_TAGVAR(LD, $1) \ - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1) \ - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1) \ - _LT_AC_TAGVAR(lt_prog_compiler_static, $1) \ - _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) \ - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1) \ - _LT_AC_TAGVAR(thread_safe_flag_spec, $1) \ - _LT_AC_TAGVAR(whole_archive_flag_spec, $1) \ - _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1) \ - _LT_AC_TAGVAR(old_archive_cmds, $1) \ - _LT_AC_TAGVAR(old_archive_from_new_cmds, $1) \ - _LT_AC_TAGVAR(predep_objects, $1) \ - _LT_AC_TAGVAR(postdep_objects, $1) \ - _LT_AC_TAGVAR(predeps, $1) \ - _LT_AC_TAGVAR(postdeps, $1) \ - _LT_AC_TAGVAR(compiler_lib_search_path, $1) \ - _LT_AC_TAGVAR(archive_cmds, $1) \ - _LT_AC_TAGVAR(archive_expsym_cmds, $1) \ - _LT_AC_TAGVAR(postinstall_cmds, $1) \ - _LT_AC_TAGVAR(postuninstall_cmds, $1) \ - _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1) \ - _LT_AC_TAGVAR(allow_undefined_flag, $1) \ - _LT_AC_TAGVAR(no_undefined_flag, $1) \ - _LT_AC_TAGVAR(export_symbols_cmds, $1) \ - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) \ - _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1) \ - _LT_AC_TAGVAR(hardcode_libdir_separator, $1) \ - _LT_AC_TAGVAR(hardcode_automatic, $1) \ - _LT_AC_TAGVAR(module_cmds, $1) \ - _LT_AC_TAGVAR(module_expsym_cmds, $1) \ - _LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1) \ - _LT_AC_TAGVAR(exclude_expsyms, $1) \ - _LT_AC_TAGVAR(include_expsyms, $1); 
do - - case $var in - _LT_AC_TAGVAR(old_archive_cmds, $1) | \ - _LT_AC_TAGVAR(old_archive_from_new_cmds, $1) | \ - _LT_AC_TAGVAR(archive_cmds, $1) | \ - _LT_AC_TAGVAR(archive_expsym_cmds, $1) | \ - _LT_AC_TAGVAR(module_cmds, $1) | \ - _LT_AC_TAGVAR(module_expsym_cmds, $1) | \ - _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1) | \ - _LT_AC_TAGVAR(export_symbols_cmds, $1) | \ - extract_expsyms_cmds | reload_cmds | finish_cmds | \ - postinstall_cmds | postuninstall_cmds | \ - old_postinstall_cmds | old_postuninstall_cmds | \ - sys_lib_search_path_spec | sys_lib_dlsearch_path_spec) - # Double-quote double-evaled strings. - eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\"" + beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) + # PIC is the default for these OSes. + ;; + mingw* | cygwin* | os2* | pw32* | cegcc*) + # This hack is so that the source file can tell whether it is being + # built for inclusion in a dll (and should export symbols for example). + # Although the cygwin gcc ignores -fPIC, still need this for old-style + # (--disable-auto-import) libraries + m4_if([$1], [GCJ], [], + [_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT']) + ;; + darwin* | rhapsody*) + # PIC is the default on this platform + # Common symbols not allowed in MH_DYLIB files + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common' + ;; + *djgpp*) + # DJGPP does not support shared libraries at all + _LT_TAGVAR(lt_prog_compiler_pic, $1)= + ;; + interix[[3-9]]*) + # Interix 3.x gcc -fpic/-fPIC options generate broken code. + # Instead, we relocate shared libraries at runtime. + ;; + sysv4*MP*) + if test -d /usr/nec; then + _LT_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic + fi + ;; + hpux*) + # PIC is the default for 64-bit PA HP-UX, but not for 32-bit + # PA HP-UX. On IA64 HP-UX, PIC is the default but the pic flag + # sets the default TLS model and affects inlining. 
+ case $host_cpu in + hppa*64*) + ;; + *) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + ;; + esac + ;; + *qnx* | *nto*) + # QNX uses GNU C++, but need to define -shared option too, otherwise + # it will coredump. + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared' ;; *) - eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\"" + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' ;; esac - done - - case $lt_echo in - *'\[$]0 --fallback-echo"') - lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\[$]0 --fallback-echo"[$]/[$]0 --fallback-echo"/'` - ;; - esac - -ifelse([$1], [], - [cfgfile="${ofile}T" - trap "$rm \"$cfgfile\"; exit 1" 1 2 15 - $rm -f "$cfgfile" - AC_MSG_NOTICE([creating $ofile])], - [cfgfile="$ofile"]) - - cat <<__EOF__ >> "$cfgfile" -ifelse([$1], [], -[#! $SHELL - -# `$echo "$cfgfile" | sed 's%^.*/%%'` - Provide generalized library-building support services. -# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP) -# NOTE: Changes made to this file will be lost: look at ltmain.sh. -# -# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001 -# Free Software Foundation, Inc. -# -# This file is part of GNU Libtool: -# Originally by Gordon Matzigkeit , 1996 -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
-# -# As a special exception to the GNU General Public License, if you -# distribute this file as part of a program that contains a -# configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that program. - -# A sed program that does not truncate output. -SED=$lt_SED - -# Sed that helps us avoid accidentally triggering echo(1) options like -n. -Xsed="$SED -e 1s/^X//" - -# The HP-UX ksh and POSIX shell print the target directory to stdout -# if CDPATH is set. -(unset CDPATH) >/dev/null 2>&1 && unset CDPATH - -# The names of the tagged configurations supported by this script. -available_tags= - -# ### BEGIN LIBTOOL CONFIG], -[# ### BEGIN LIBTOOL TAG CONFIG: $tagname]) - -# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`: - -# Shell to use when invoking shell scripts. -SHELL=$lt_SHELL - -# Whether or not to build shared libraries. -build_libtool_libs=$enable_shared - -# Whether or not to build static libraries. -build_old_libs=$enable_static - -# Whether or not to add -lc for building shared libraries. -build_libtool_need_lc=$_LT_AC_TAGVAR(archive_cmds_need_lc, $1) - -# Whether or not to disallow shared libs when runtime libs are static -allow_libtool_libs_with_static_runtimes=$_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1) + else + case $host_os in + aix[[4-9]]*) + # All AIX code is PIC. 
+ if test "$host_cpu" = ia64; then + # AIX 5 now supports IA64 processor + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + else + _LT_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp' + fi + ;; + chorus*) + case $cc_basename in + cxch68*) + # Green Hills C++ Compiler + # _LT_TAGVAR(lt_prog_compiler_static, $1)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a" + ;; + esac + ;; + dgux*) + case $cc_basename in + ec++*) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + ;; + ghcx*) + # Green Hills C++ Compiler + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic' + ;; + *) + ;; + esac + ;; + freebsd* | dragonfly*) + # FreeBSD uses GNU C++ + ;; + hpux9* | hpux10* | hpux11*) + case $cc_basename in + CC*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive' + if test "$host_cpu" != ia64; then + _LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z' + fi + ;; + aCC*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive' + case $host_cpu in + hppa*64*|ia64*) + # +Z the default + ;; + *) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z' + ;; + esac + ;; + *) + ;; + esac + ;; + interix*) + # This is c89, which is MS Visual C++ (no shared libs) + # Anyone wants to do a port? + ;; + irix5* | irix6* | nonstopux*) + case $cc_basename in + CC*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' + # CC pic flag -KPIC is the default. + ;; + *) + ;; + esac + ;; + linux* | k*bsd*-gnu) + case $cc_basename in + KCC*) + # KAI C++ Compiler + _LT_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + ;; + ecpc* ) + # old Intel C++ for x86_64 which still supported -KPIC. 
+ _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + ;; + icpc* ) + # Intel C++, used to be incompatible with GCC. + # ICC 10 doesn't accept -KPIC any more. + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + ;; + pgCC* | pgcpp*) + # Portland Group C++ compiler + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + cxx*) + # Compaq C++ + # Make sure the PIC flag is empty. It appears that all Alpha + # Linux and Compaq Tru64 Unix objects are PIC. + _LT_TAGVAR(lt_prog_compiler_pic, $1)= + _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' + ;; + xlc* | xlC*) + # IBM XL 8.0 on PPC + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-qpic' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-qstaticlink' + ;; + *) + case `$CC -V 2>&1 | sed 5q` in + *Sun\ C*) + # Sun C++ 5.9 + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ' + ;; + esac + ;; + esac + ;; + lynxos*) + ;; + m88k*) + ;; + mvs*) + case $cc_basename in + cxx*) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-W c,exportall' + ;; + *) + ;; + esac + ;; + netbsd*) + ;; + *qnx* | *nto*) + # QNX uses GNU C++, but need to define -shared option too, otherwise + # it will coredump. + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared' + ;; + osf3* | osf4* | osf5*) + case $cc_basename in + KCC*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,' + ;; + RCC*) + # Rational C++ 2.4.1 + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic' + ;; + cxx*) + # Digital/Compaq C++ + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + # Make sure the PIC flag is empty. It appears that all Alpha + # Linux and Compaq Tru64 Unix objects are PIC. 
+ _LT_TAGVAR(lt_prog_compiler_pic, $1)= + _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' + ;; + *) + ;; + esac + ;; + psos*) + ;; + solaris*) + case $cc_basename in + CC*) + # Sun C++ 4.2, 5.x and Centerline C++ + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ' + ;; + gcx*) + # Green Hills C++ Compiler + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC' + ;; + *) + ;; + esac + ;; + sunos4*) + case $cc_basename in + CC*) + # Sun C++ 4.x + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + lcc*) + # Lucid + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic' + ;; + *) + ;; + esac + ;; + sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*) + case $cc_basename in + CC*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + esac + ;; + tandem*) + case $cc_basename in + NCC*) + # NonStop-UX NCC 3.20 + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + ;; + *) + ;; + esac + ;; + vxworks*) + ;; + *) + _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no + ;; + esac + fi +], +[ + if test "$GCC" = yes; then + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' -# Whether or not to optimize for fast installation. -fast_install=$enable_fast_install + case $host_os in + aix*) + # All AIX code is PIC. + if test "$host_cpu" = ia64; then + # AIX 5 now supports IA64 processor + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + fi + ;; -# The host system. 
-host_alias=$host_alias -host=$host -host_os=$host_os + amigaos*) + case $host_cpu in + powerpc) + # see comment about AmigaOS4 .so support + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + ;; + m68k) + # FIXME: we need at least 68020 code to build shared libraries, but + # adding the `-m68020' flag to GCC prevents building anything better, + # like `-m68040'. + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4' + ;; + esac + ;; -# The build system. -build_alias=$build_alias -build=$build -build_os=$build_os + beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) + # PIC is the default for these OSes. + ;; -# An echo program that does not interpret backslashes. -echo=$lt_echo + mingw* | cygwin* | pw32* | os2* | cegcc*) + # This hack is so that the source file can tell whether it is being + # built for inclusion in a dll (and should export symbols for example). + # Although the cygwin gcc ignores -fPIC, still need this for old-style + # (--disable-auto-import) libraries + m4_if([$1], [GCJ], [], + [_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT']) + ;; -# The archiver. -AR=$lt_AR -AR_FLAGS=$lt_AR_FLAGS + darwin* | rhapsody*) + # PIC is the default on this platform + # Common symbols not allowed in MH_DYLIB files + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common' + ;; -# A C compiler. -LTCC=$lt_LTCC + hpux*) + # PIC is the default for 64-bit PA HP-UX, but not for 32-bit + # PA HP-UX. On IA64 HP-UX, PIC is the default but the pic flag + # sets the default TLS model and affects inlining. + case $host_cpu in + hppa*64*) + # +Z the default + ;; + *) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + ;; + esac + ;; -# LTCC compiler flags. -LTCFLAGS=$lt_LTCFLAGS + interix[[3-9]]*) + # Interix 3.x gcc -fpic/-fPIC options generate broken code. + # Instead, we relocate shared libraries at runtime. + ;; -# A language-specific compiler. 
-CC=$lt_[]_LT_AC_TAGVAR(compiler, $1) + msdosdjgpp*) + # Just because we use GCC doesn't mean we suddenly get shared libraries + # on systems that don't support them. + _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no + enable_shared=no + ;; -# Is the compiler the GNU C compiler? -with_gcc=$_LT_AC_TAGVAR(GCC, $1) + *nto* | *qnx*) + # QNX uses GNU C++, but need to define -shared option too, otherwise + # it will coredump. + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared' + ;; -# An ERE matcher. -EGREP=$lt_EGREP + sysv4*MP*) + if test -d /usr/nec; then + _LT_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic + fi + ;; -# The linker used to build libraries. -LD=$lt_[]_LT_AC_TAGVAR(LD, $1) + *) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + ;; + esac + else + # PORTME Check for flag to pass linker flags through the system compiler. + case $host_os in + aix*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + if test "$host_cpu" = ia64; then + # AIX 5 now supports IA64 processor + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + else + _LT_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp' + fi + ;; -# Whether we need hard or soft links. -LN_S=$lt_LN_S + mingw* | cygwin* | pw32* | os2* | cegcc*) + # This hack is so that the source file can tell whether it is being + # built for inclusion in a dll (and should export symbols for example). + m4_if([$1], [GCJ], [], + [_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT']) + ;; -# A BSD-compatible nm program. -NM=$lt_NM + hpux9* | hpux10* | hpux11*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but + # not for PA HP-UX. + case $host_cpu in + hppa*64*|ia64*) + # +Z the default + ;; + *) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z' + ;; + esac + # Is there a better lt_prog_compiler_static that works with the bundled CC? 
+ _LT_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive' + ;; -# A symbol stripping program -STRIP=$lt_STRIP + irix5* | irix6* | nonstopux*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + # PIC (with -KPIC) is the default. + _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' + ;; -# Used to examine libraries when file_magic_cmd begins "file" -MAGIC_CMD=$MAGIC_CMD + linux* | k*bsd*-gnu) + case $cc_basename in + # old Intel for x86_64 which still supported -KPIC. + ecc*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + ;; + # icc used to be incompatible with GCC. + # ICC 10 doesn't accept -KPIC any more. + icc* | ifort*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + ;; + # Lahey Fortran 8.1. + lf95*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='--shared' + _LT_TAGVAR(lt_prog_compiler_static, $1)='--static' + ;; + pgcc* | pgf77* | pgf90* | pgf95*) + # Portland Group compilers (*not* the Pentium gcc compiler, + # which looks to be a dead project) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + ccc*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + # All Alpha code is PIC. 
+ _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' + ;; + xl*) + # IBM XL C 8.0/Fortran 10.1 on PPC + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-qpic' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-qstaticlink' + ;; + *) + case `$CC -V 2>&1 | sed 5q` in + *Sun\ C*) + # Sun C 5.9 + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + ;; + *Sun\ F*) + # Sun Fortran 8.3 passes all unrecognized flags to the linker + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + _LT_TAGVAR(lt_prog_compiler_wl, $1)='' + ;; + esac + ;; + esac + ;; -# Used on cygwin: DLL creation program. -DLLTOOL="$DLLTOOL" + newsos6) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; -# Used on cygwin: object dumper. -OBJDUMP="$OBJDUMP" + *nto* | *qnx*) + # QNX uses GNU C++, but need to define -shared option too, otherwise + # it will coredump. + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared' + ;; -# Used on cygwin: assembler. -AS="$AS" - -# The name of the directory that contains temporary libtool files. -objdir=$objdir - -# How to create reloadable object files. -reload_flag=$lt_reload_flag -reload_cmds=$lt_reload_cmds + osf3* | osf4* | osf5*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + # All OSF/1 code is PIC. + _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' + ;; -# How to pass a linker flag through the compiler. -wl=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_wl, $1) + rdos*) + _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' + ;; -# Object file suffix (normally "o"). 
-objext="$ac_objext" + solaris*) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + case $cc_basename in + f77* | f90* | f95*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ';; + *) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,';; + esac + ;; -# Old archive suffix (normally "a"). -libext="$libext" + sunos4*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; -# Shared library suffix (normally ".so"). -shrext_cmds='$shrext_cmds' + sysv4 | sysv4.2uw2* | sysv4.3*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; -# Executable file suffix (normally ""). -exeext="$exeext" + sysv4*MP*) + if test -d /usr/nec ;then + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-Kconform_pic' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + fi + ;; -# Additional compiler flags for building library objects. -pic_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_pic, $1) -pic_mode=$pic_mode + sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; -# What is the maximum length of a command? -max_cmd_len=$lt_cv_sys_max_cmd_len + unicos*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no + ;; -# Does compiler simultaneously support -c and -o options? -compiler_c_o=$lt_[]_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1) + uts4*) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; -# Must we lock files when doing compilation? 
-need_locks=$lt_need_locks + *) + _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no + ;; + esac + fi +]) +case $host_os in + # For platforms which do not support PIC, -DPIC is meaningless: + *djgpp*) + _LT_TAGVAR(lt_prog_compiler_pic, $1)= + ;; + *) + _LT_TAGVAR(lt_prog_compiler_pic, $1)="$_LT_TAGVAR(lt_prog_compiler_pic, $1)@&t@m4_if([$1],[],[ -DPIC],[m4_if([$1],[CXX],[ -DPIC],[])])" + ;; +esac +AC_MSG_RESULT([$_LT_TAGVAR(lt_prog_compiler_pic, $1)]) +_LT_TAGDECL([wl], [lt_prog_compiler_wl], [1], + [How to pass a linker flag through the compiler]) -# Do we need the lib prefix for modules? -need_lib_prefix=$need_lib_prefix +# +# Check to make sure the PIC flag actually works. +# +if test -n "$_LT_TAGVAR(lt_prog_compiler_pic, $1)"; then + _LT_COMPILER_OPTION([if $compiler PIC flag $_LT_TAGVAR(lt_prog_compiler_pic, $1) works], + [_LT_TAGVAR(lt_cv_prog_compiler_pic_works, $1)], + [$_LT_TAGVAR(lt_prog_compiler_pic, $1)@&t@m4_if([$1],[],[ -DPIC],[m4_if([$1],[CXX],[ -DPIC],[])])], [], + [case $_LT_TAGVAR(lt_prog_compiler_pic, $1) in + "" | " "*) ;; + *) _LT_TAGVAR(lt_prog_compiler_pic, $1)=" $_LT_TAGVAR(lt_prog_compiler_pic, $1)" ;; + esac], + [_LT_TAGVAR(lt_prog_compiler_pic, $1)= + _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no]) +fi +_LT_TAGDECL([pic_flag], [lt_prog_compiler_pic], [1], + [Additional compiler flags for building library objects]) -# Do we need a version for libraries? -need_version=$need_version +# +# Check to make sure the static flag actually works. +# +wl=$_LT_TAGVAR(lt_prog_compiler_wl, $1) eval lt_tmp_static_flag=\"$_LT_TAGVAR(lt_prog_compiler_static, $1)\" +_LT_LINKER_OPTION([if $compiler static flag $lt_tmp_static_flag works], + _LT_TAGVAR(lt_cv_prog_compiler_static_works, $1), + $lt_tmp_static_flag, + [], + [_LT_TAGVAR(lt_prog_compiler_static, $1)=]) +_LT_TAGDECL([link_static_flag], [lt_prog_compiler_static], [1], + [Compiler flag to prevent dynamic linking]) +])# _LT_COMPILER_PIC -# Whether dlopen is supported. 
-dlopen_support=$enable_dlopen -# Whether dlopen of programs is supported. -dlopen_self=$enable_dlopen_self +# _LT_LINKER_SHLIBS([TAGNAME]) +# ---------------------------- +# See if the linker supports building shared libraries. +m4_defun([_LT_LINKER_SHLIBS], +[AC_REQUIRE([LT_PATH_LD])dnl +AC_REQUIRE([LT_PATH_NM])dnl +m4_require([_LT_FILEUTILS_DEFAULTS])dnl +m4_require([_LT_DECL_EGREP])dnl +m4_require([_LT_DECL_SED])dnl +m4_require([_LT_CMD_GLOBAL_SYMBOLS])dnl +m4_require([_LT_TAG_COMPILER])dnl +AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries]) +m4_if([$1], [CXX], [ + _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' + case $host_os in + aix[[4-9]]*) + # If we're using GNU nm, then we don't want the "-C" option. + # -C means demangle to AIX nm, but means don't demangle with GNU nm + if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then + _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols' + else + _LT_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols' + fi + ;; + pw32*) + _LT_TAGVAR(export_symbols_cmds, $1)="$ltdll_cmds" + ;; + cygwin* | mingw* | cegcc*) + _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;/^.*[[ ]]__nm__/s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols' + ;; + *) + _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' + ;; + esac + _LT_TAGVAR(exclude_expsyms, 
$1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*'] +], [ + runpath_var= + _LT_TAGVAR(allow_undefined_flag, $1)= + _LT_TAGVAR(always_export_symbols, $1)=no + _LT_TAGVAR(archive_cmds, $1)= + _LT_TAGVAR(archive_expsym_cmds, $1)= + _LT_TAGVAR(compiler_needs_object, $1)=no + _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no + _LT_TAGVAR(export_dynamic_flag_spec, $1)= + _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' + _LT_TAGVAR(hardcode_automatic, $1)=no + _LT_TAGVAR(hardcode_direct, $1)=no + _LT_TAGVAR(hardcode_direct_absolute, $1)=no + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)= + _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)= + _LT_TAGVAR(hardcode_libdir_separator, $1)= + _LT_TAGVAR(hardcode_minus_L, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported + _LT_TAGVAR(inherit_rpath, $1)=no + _LT_TAGVAR(link_all_deplibs, $1)=unknown + _LT_TAGVAR(module_cmds, $1)= + _LT_TAGVAR(module_expsym_cmds, $1)= + _LT_TAGVAR(old_archive_from_new_cmds, $1)= + _LT_TAGVAR(old_archive_from_expsyms_cmds, $1)= + _LT_TAGVAR(thread_safe_flag_spec, $1)= + _LT_TAGVAR(whole_archive_flag_spec, $1)= + # include_expsyms should be a list of space-separated symbols to be *always* + # included in the symbol list + _LT_TAGVAR(include_expsyms, $1)= + # exclude_expsyms can be an extended regexp of symbols to exclude + # it will be wrapped by ` (' and `)$', so one must not match beginning or + # end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc', + # as well as any symbol that contains `d'. + _LT_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*'] + # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out + # platforms (ab)use it in PIC code, but their linkers get confused if + # the symbol is explicitly referenced. Since portable code cannot + # rely on this symbol name, it's probably fine to never include it in + # preloaded symbol tables. 
+ # Exclude shared library initialization/finalization symbols. +dnl Note also adjust exclude_expsyms for C++ above. + extract_expsyms_cmds= -# Whether dlopen of statically linked programs is supported. -dlopen_self_static=$enable_dlopen_self_static + case $host_os in + cygwin* | mingw* | pw32* | cegcc*) + # FIXME: the MSVC++ port hasn't been tested in a loooong time + # When not using gcc, we currently assume that we are using + # Microsoft Visual C++. + if test "$GCC" != yes; then + with_gnu_ld=no + fi + ;; + interix*) + # we just hope/assume this is gcc and not c89 (= MSVC++) + with_gnu_ld=yes + ;; + openbsd*) + with_gnu_ld=no + ;; + esac -# Compiler flag to prevent dynamic linking. -link_static_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_static, $1) + _LT_TAGVAR(ld_shlibs, $1)=yes + if test "$with_gnu_ld" = yes; then + # If archive_cmds runs LD, not CC, wlarc should be empty + wlarc='${wl}' -# Compiler flag to turn off builtin functions. -no_builtin_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) + # Set some defaults for GNU ld with shared library support. These + # are reset later if shared libraries are not supported. Putting them + # here allows them to be overridden if necessary. + runpath_var=LD_RUN_PATH + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' + # ancient GNU ld didn't support --whole-archive et. al. + if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then + _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' + else + _LT_TAGVAR(whole_archive_flag_spec, $1)= + fi + supports_anon_versioning=no + case `$LD -v 2>&1` in + *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11 + *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ... + *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ... 
+ *\ 2.11.*) ;; # other 2.11 versions + *) supports_anon_versioning=yes ;; + esac -# Compiler flag to allow reflexive dlopens. -export_dynamic_flag_spec=$lt_[]_LT_AC_TAGVAR(export_dynamic_flag_spec, $1) + # See if GNU ld supports shared libraries. + case $host_os in + aix[[3-9]]*) + # On AIX/PPC, the GNU linker is very broken + if test "$host_cpu" != ia64; then + _LT_TAGVAR(ld_shlibs, $1)=no + cat <<_LT_EOF 1>&2 -# Compiler flag to generate shared objects directly from archives. -whole_archive_flag_spec=$lt_[]_LT_AC_TAGVAR(whole_archive_flag_spec, $1) +*** Warning: the GNU linker, at least up to release 2.9.1, is reported +*** to be unable to reliably create shared libraries on AIX. +*** Therefore, libtool is disabling shared libraries support. If you +*** really care for shared libraries, you may want to modify your PATH +*** so that a non-GNU linker is found, and then restart. -# Compiler flag to generate thread-safe objects. -thread_safe_flag_spec=$lt_[]_LT_AC_TAGVAR(thread_safe_flag_spec, $1) +_LT_EOF + fi + ;; -# Library versioning type. -version_type=$version_type + amigaos*) + case $host_cpu in + powerpc) + # see comment about AmigaOS4 .so support + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='' + ;; + m68k) + _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(hardcode_minus_L, $1)=yes + ;; + esac + ;; -# Format of library name prefix. 
-libname_spec=$lt_libname_spec + beos*) + if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + # Joseph Beckenbach says some releases of gcc + # support --undefined. This deserves some investigation. FIXME + _LT_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; -# List of archive names. First name is the real one, the rest are links. -# The last name is the one that the linker finds with -lNAME. -library_names_spec=$lt_library_names_spec + cygwin* | mingw* | pw32* | cegcc*) + # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless, + # as there is no search path for DLLs. + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + _LT_TAGVAR(always_export_symbols, $1)=no + _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes + _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/'\'' | $SED -e '\''/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols' -# The coded name of the library, if different from the real name. -soname_spec=$lt_soname_spec + if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' + # If the export-symbols file already is a .def file (1st line + # is EXPORTS), use it as is; otherwise, prepend... 
+ _LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then + cp $export_symbols $output_objdir/$soname.def; + else + echo EXPORTS > $output_objdir/$soname.def; + cat $export_symbols >> $output_objdir/$soname.def; + fi~ + $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; -# Commands used to build and install an old-style archive. -RANLIB=$lt_RANLIB -old_archive_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_cmds, $1) -old_postinstall_cmds=$lt_old_postinstall_cmds -old_postuninstall_cmds=$lt_old_postuninstall_cmds + interix[[3-9]]*) + _LT_TAGVAR(hardcode_direct, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' + # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc. + # Instead, shared libraries are loaded at an image base (0x10000000 by + # default) and relocated if they conflict, which is a slow very memory + # consuming and fragmenting process. To avoid this, we pick a random, + # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link + # time. Moving up from 0x10000000 also allows more sbrk(2) space. + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' + ;; -# Create an old-style archive from a shared archive. 
-old_archive_from_new_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_from_new_cmds, $1) + gnu* | linux* | tpf* | k*bsd*-gnu) + tmp_diet=no + if test "$host_os" = linux-dietlibc; then + case $cc_basename in + diet\ *) tmp_diet=yes;; # linux-dietlibc with static linking (!diet-dyn) + esac + fi + if $LD --help 2>&1 | $EGREP ': supported targets:.* elf' > /dev/null \ + && test "$tmp_diet" = no + then + tmp_addflag= + tmp_sharedflag='-shared' + case $cc_basename,$host_cpu in + pgcc*) # Portland Group C compiler + _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive' + tmp_addflag=' $pic_flag' + ;; + pgf77* | pgf90* | pgf95*) # Portland Group f77 and f90 compilers + _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive' + tmp_addflag=' $pic_flag -Mnomain' ;; + ecc*,ia64* | icc*,ia64*) # Intel C compiler on ia64 + tmp_addflag=' -i_dynamic' ;; + efc*,ia64* | ifort*,ia64*) # Intel Fortran compiler on ia64 + tmp_addflag=' -i_dynamic -nofor_main' ;; + ifc* | ifort*) # Intel Fortran compiler + tmp_addflag=' -nofor_main' ;; + lf95*) # Lahey Fortran 8.1 + _LT_TAGVAR(whole_archive_flag_spec, $1)= + tmp_sharedflag='--shared' ;; + xl[[cC]]*) # IBM XL C 8.0 on PPC (deal with xlf below) + tmp_sharedflag='-qmkshrobj' + tmp_addflag= ;; + esac + case `$CC -V 2>&1 | sed 5q` in + *Sun\ C*) # Sun C 5.9 + _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive' + _LT_TAGVAR(compiler_needs_object, $1)=yes + tmp_sharedflag='-G' ;; + *Sun\ F*) # Sun Fortran 8.3 + tmp_sharedflag='-G' ;; + esac + 
_LT_TAGVAR(archive_cmds, $1)='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' -# Create a temporary old-style archive to link instead of a shared archive. -old_archive_from_expsyms_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1) + if test "x$supports_anon_versioning" = xyes; then + _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~ + cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ + echo "local: *; };" >> $output_objdir/$libname.ver~ + $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib' + fi -# Commands used to build and install a shared archive. -archive_cmds=$lt_[]_LT_AC_TAGVAR(archive_cmds, $1) -archive_expsym_cmds=$lt_[]_LT_AC_TAGVAR(archive_expsym_cmds, $1) -postinstall_cmds=$lt_postinstall_cmds -postuninstall_cmds=$lt_postuninstall_cmds + case $cc_basename in + xlf*) + # IBM XL Fortran 10.1 on PPC cannot create shared libs itself + _LT_TAGVAR(whole_archive_flag_spec, $1)='--whole-archive$convenience --no-whole-archive' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)= + _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='-rpath $libdir' + _LT_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $compiler_flags -soname $soname -o $lib' + if test "x$supports_anon_versioning" = xyes; then + _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~ + cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ + echo "local: *; };" >> $output_objdir/$libname.ver~ + $LD -shared $libobjs $deplibs $compiler_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib' + fi + ;; + esac + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; -# Commands used to build a loadable module (assumed same as above if empty) -module_cmds=$lt_[]_LT_AC_TAGVAR(module_cmds, $1) 
-module_expsym_cmds=$lt_[]_LT_AC_TAGVAR(module_expsym_cmds, $1) + netbsd*) + if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' + wlarc= + else + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + fi + ;; -# Commands to strip libraries. -old_striplib=$lt_old_striplib -striplib=$lt_striplib + solaris*) + if $LD -v 2>&1 | $GREP 'BFD 2\.8' > /dev/null; then + _LT_TAGVAR(ld_shlibs, $1)=no + cat <<_LT_EOF 1>&2 -# Dependencies to place before the objects being linked to create a -# shared library. -predep_objects=$lt_[]_LT_AC_TAGVAR(predep_objects, $1) +*** Warning: The releases 2.8.* of the GNU linker cannot reliably +*** create shared libraries on Solaris systems. Therefore, libtool +*** is disabling shared libraries support. We urge you to upgrade GNU +*** binutils to release 2.9.1 or newer. Another option is to modify +*** your PATH or compiler configuration so that the native linker is +*** used, and then restart. -# Dependencies to place after the objects being linked to create a -# shared library. -postdep_objects=$lt_[]_LT_AC_TAGVAR(postdep_objects, $1) +_LT_EOF + elif $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; -# Dependencies to place before the objects being linked to create a -# shared library. 
-predeps=$lt_[]_LT_AC_TAGVAR(predeps, $1) + sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*) + case `$LD -v 2>&1` in + *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.1[[0-5]].*) + _LT_TAGVAR(ld_shlibs, $1)=no + cat <<_LT_EOF 1>&2 -# Dependencies to place after the objects being linked to create a -# shared library. -postdeps=$lt_[]_LT_AC_TAGVAR(postdeps, $1) +*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not +*** reliably create shared libraries on SCO systems. Therefore, libtool +*** is disabling shared libraries support. We urge you to upgrade GNU +*** binutils to release 2.16.91.0.3 or newer. Another option is to modify +*** your PATH or compiler configuration so that the native linker is +*** used, and then restart. -# The library search path used internally by the compiler when linking -# a shared library. -compiler_lib_search_path=$lt_[]_LT_AC_TAGVAR(compiler_lib_search_path, $1) +_LT_EOF + ;; + *) + # For security reasons, it is highly recommended that you always + # use absolute paths for naming shared libraries, and exclude the + # DT_RUNPATH tag from executables and libraries. But doing so + # requires that you compile everything twice, which is a pain. + if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + esac + ;; -# Method to check whether dependent libraries are shared objects. 
-deplibs_check_method=$lt_deplibs_check_method + sunos4*) + _LT_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags' + wlarc= + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; -# Command to use when deplibs_check_method == file_magic. -file_magic_cmd=$lt_file_magic_cmd + *) + if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + esac -# Flag that allows shared libraries with undefined symbols to be built. -allow_undefined_flag=$lt_[]_LT_AC_TAGVAR(allow_undefined_flag, $1) + if test "$_LT_TAGVAR(ld_shlibs, $1)" = no; then + runpath_var= + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)= + _LT_TAGVAR(export_dynamic_flag_spec, $1)= + _LT_TAGVAR(whole_archive_flag_spec, $1)= + fi + else + # PORTME fill in a description of your system's linker (not GNU ld) + case $host_os in + aix3*) + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + _LT_TAGVAR(always_export_symbols, $1)=yes + _LT_TAGVAR(archive_expsym_cmds, $1)='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname' + # Note: this linker hardcodes the directories in LIBPATH if there + # are no directories specified by -L. + _LT_TAGVAR(hardcode_minus_L, $1)=yes + if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then + # Neither direct hardcoding nor static linking is supported with a + # broken collect2. + _LT_TAGVAR(hardcode_direct, $1)=unsupported + fi + ;; -# Flag that forces no undefined symbols. 
-no_undefined_flag=$lt_[]_LT_AC_TAGVAR(no_undefined_flag, $1) + aix[[4-9]]*) + if test "$host_cpu" = ia64; then + # On IA64, the linker does run time linking by default, so we don't + # have to do anything special. + aix_use_runtimelinking=no + exp_sym_flag='-Bexport' + no_entry_flag="" + else + # If we're using GNU nm, then we don't want the "-C" option. + # -C means demangle to AIX nm, but means don't demangle with GNU nm + if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then + _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols' + else + _LT_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols' + fi + aix_use_runtimelinking=no -# Commands used to finish a libtool library installation in a directory. -finish_cmds=$lt_finish_cmds + # Test if we are trying to use run time linking or normal + # AIX style linking. If -brtl is somewhere in LDFLAGS, we + # need to do runtime linking. + case $host_os in aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*) + for ld_flag in $LDFLAGS; do + if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then + aix_use_runtimelinking=yes + break + fi + done + ;; + esac -# Same as above, but a single script fragment to be evaled but not shown. -finish_eval=$lt_finish_eval - -# Take the output of nm and produce a listing of raw symbols and C names. 
-global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe - -# Transform the output of nm in a proper C declaration -global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl + exp_sym_flag='-bexport' + no_entry_flag='-bnoentry' + fi -# Transform the output of nm in a C name address pair -global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address + # When large executables or shared objects are built, AIX ld can + # have problems creating the table of contents. If linking a library + # or program results in "error TOC overflow" add -mminimal-toc to + # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not + # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS. -# This is the shared library runtime path variable. -runpath_var=$runpath_var + _LT_TAGVAR(archive_cmds, $1)='' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_direct_absolute, $1)=yes + _LT_TAGVAR(hardcode_libdir_separator, $1)=':' + _LT_TAGVAR(link_all_deplibs, $1)=yes + _LT_TAGVAR(file_list_spec, $1)='${wl}-f,' -# This is the shared library path variable. -shlibpath_var=$shlibpath_var + if test "$GCC" = yes; then + case $host_os in aix4.[[012]]|aix4.[[012]].*) + # We only want to do this on AIX 4.2 and lower, the check + # below for broken collect2 doesn't work under 4.3+ + collect2name=`${CC} -print-prog-name=collect2` + if test -f "$collect2name" && + strings "$collect2name" | $GREP resolve_lib_name >/dev/null + then + # We have reworked collect2 + : + else + # We have old collect2 + _LT_TAGVAR(hardcode_direct, $1)=unsupported + # It fails to find uninstalled libraries when the uninstalled + # path is not listed in the libpath. 
Setting hardcode_minus_L + # to unsupported forces relinking + _LT_TAGVAR(hardcode_minus_L, $1)=yes + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)= + fi + ;; + esac + shared_flag='-shared' + if test "$aix_use_runtimelinking" = yes; then + shared_flag="$shared_flag "'${wl}-G' + fi + else + # not using gcc + if test "$host_cpu" = ia64; then + # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release + # chokes on -Wl,-G. The following line is correct: + shared_flag='-G' + else + if test "$aix_use_runtimelinking" = yes; then + shared_flag='${wl}-G' + else + shared_flag='${wl}-bM:SRE' + fi + fi + fi -# Is shlibpath searched before the hard-coded library search path? -shlibpath_overrides_runpath=$shlibpath_overrides_runpath + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-bexpall' + # It seems that -bexpall does not export symbols beginning with + # underscore (_), so it is better to generate a list of symbols to export. + _LT_TAGVAR(always_export_symbols, $1)=yes + if test "$aix_use_runtimelinking" = yes; then + # Warning - without using the other runtime loading flags (-brtl), + # -berok will link without error, but may produce a broken library. + _LT_TAGVAR(allow_undefined_flag, $1)='-berok' + # Determine the default libpath from the value encoded in an + # empty executable. 
+ _LT_SYS_MODULE_PATH_AIX + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath" + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then $ECHO "X${wl}${allow_undefined_flag}" | $Xsed; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag" + else + if test "$host_cpu" = ia64; then + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib' + _LT_TAGVAR(allow_undefined_flag, $1)="-z nodefs" + _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols" + else + # Determine the default libpath from the value encoded in an + # empty executable. + _LT_SYS_MODULE_PATH_AIX + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath" + # Warning - without using the other run time loading flags, + # -berok will link without error, but may produce a broken library. + _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok' + _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok' + # Exported symbols can be pulled into shared objects from archives + _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience' + _LT_TAGVAR(archive_cmds_need_lc, $1)=yes + # This is similar to how AIX traditionally builds its shared libraries. + _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname' + fi + fi + ;; -# How to hardcode a shared library path into an executable. 
-hardcode_action=$_LT_AC_TAGVAR(hardcode_action, $1) + amigaos*) + case $host_cpu in + powerpc) + # see comment about AmigaOS4 .so support + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='' + ;; + m68k) + _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(hardcode_minus_L, $1)=yes + ;; + esac + ;; -# Whether we should hardcode library paths into libraries. -hardcode_into_libs=$hardcode_into_libs + bsdi[[45]]*) + _LT_TAGVAR(export_dynamic_flag_spec, $1)=-rdynamic + ;; -# Flag to hardcode \$libdir into a binary during linking. -# This must work even if \$libdir does not exist. -hardcode_libdir_flag_spec=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) + cygwin* | mingw* | pw32* | cegcc*) + # When not using gcc, we currently assume that we are using + # Microsoft Visual C++. + # hardcode_libdir_flag_spec is actually meaningless, as there is + # no search path for DLLs. + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' ' + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + # Tell ltmain to make .lib files, not .a files. + libext=lib + # Tell ltmain to make .dll files, not .so files. + shrext_cmds=".dll" + # FIXME: Setting linknames here is a bad hack. + _LT_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `$ECHO "X$deplibs" | $Xsed -e '\''s/ -lc$//'\''` -link -dll~linknames=' + # The linker will automatically build a .lib file if we build a DLL. 
+ _LT_TAGVAR(old_archive_from_new_cmds, $1)='true' + # FIXME: Should let the user specify the lib program. + _LT_TAGVAR(old_archive_cmds, $1)='lib -OUT:$oldlib$oldobjs$old_deplibs' + _LT_TAGVAR(fix_srcfile_path, $1)='`cygpath -w "$srcfile"`' + _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes + ;; -# If ld is used when linking, flag to hardcode \$libdir into -# a binary during linking. This must work even if \$libdir does -# not exist. -hardcode_libdir_flag_spec_ld=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1) + darwin* | rhapsody*) + _LT_DARWIN_LINKER_FEATURES($1) + ;; -# Whether we need a single -rpath flag with a separated argument. -hardcode_libdir_separator=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_separator, $1) + dgux*) + _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; -# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the -# resulting binary. -hardcode_direct=$_LT_AC_TAGVAR(hardcode_direct, $1) + freebsd1*) + _LT_TAGVAR(ld_shlibs, $1)=no + ;; -# Set to yes if using the -LDIR flag during linking hardcodes DIR into the -# resulting binary. -hardcode_minus_L=$_LT_AC_TAGVAR(hardcode_minus_L, $1) + # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor + # support. Future versions do this automatically, but an explicit c++rt0.o + # does not break anything, and helps significantly (at the cost of a little + # extra space). + freebsd2.2*) + _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; -# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into -# the resulting binary. 
-hardcode_shlibpath_var=$_LT_AC_TAGVAR(hardcode_shlibpath_var, $1) + # Unfortunately, older versions of FreeBSD 2 do not have this feature. + freebsd2*) + _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_minus_L, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; -# Set to yes if building a shared library automatically hardcodes DIR into the library -# and all subsequent libraries and executables linked against it. -hardcode_automatic=$_LT_AC_TAGVAR(hardcode_automatic, $1) + # FreeBSD 3 and greater uses gcc -shared to do shared libraries. + freebsd* | dragonfly*) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; -# Variables whose values should be saved in libtool wrapper scripts and -# restored at relink time. -variables_saved_for_relink="$variables_saved_for_relink" + hpux9*) + if test "$GCC" = yes; then + _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' + else + _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' + fi + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + _LT_TAGVAR(hardcode_direct, $1)=yes -# Whether libtool must link a program against all its dependency libraries. -link_all_deplibs=$_LT_AC_TAGVAR(link_all_deplibs, $1) + # hardcode_minus_L: Not really in the search PATH, + # but as the default location of the library. 
+ _LT_TAGVAR(hardcode_minus_L, $1)=yes + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' + ;; -# Compile-time system search path for libraries -sys_lib_search_path_spec=$lt_sys_lib_search_path_spec + hpux10*) + if test "$GCC" = yes -a "$with_gnu_ld" = no; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' + else + _LT_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags' + fi + if test "$with_gnu_ld" = no; then + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' + _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_direct_absolute, $1)=yes + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' + # hardcode_minus_L: Not really in the search PATH, + # but as the default location of the library. + _LT_TAGVAR(hardcode_minus_L, $1)=yes + fi + ;; -# Run-time system search path for libraries -sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec + hpux11*) + if test "$GCC" = yes -a "$with_gnu_ld" = no; then + case $host_cpu in + hppa*64*) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' + ;; + ia64*) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags' + ;; + *) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' + ;; + esac + else + case $host_cpu in + hppa*64*) + _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' + ;; + ia64*) + _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags' + ;; + *) + _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname 
${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' + ;; + esac + fi + if test "$with_gnu_ld" = no; then + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: -# Fix the shell variable \$srcfile for the compiler. -fix_srcfile_path="$_LT_AC_TAGVAR(fix_srcfile_path, $1)" + case $host_cpu in + hppa*64*|ia64*) + _LT_TAGVAR(hardcode_direct, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + *) + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_direct_absolute, $1)=yes + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' -# Set to yes if exported symbols are required. -always_export_symbols=$_LT_AC_TAGVAR(always_export_symbols, $1) + # hardcode_minus_L: Not really in the search PATH, + # but as the default location of the library. + _LT_TAGVAR(hardcode_minus_L, $1)=yes + ;; + esac + fi + ;; -# The commands to list exported symbols. -export_symbols_cmds=$lt_[]_LT_AC_TAGVAR(export_symbols_cmds, $1) + irix5* | irix6* | nonstopux*) + if test "$GCC" = yes; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' + # Try to use the -exported_symbol ld option, if it does not + # work, assume that -exports_file does not work either and + # implicitly export all symbols. 
+ save_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null" + AC_LINK_IFELSE(int foo(void) {}, + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib' + ) + LDFLAGS="$save_LDFLAGS" + else + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -exports_file $export_symbols -o $lib' + fi + _LT_TAGVAR(archive_cmds_need_lc, $1)='no' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + _LT_TAGVAR(inherit_rpath, $1)=yes + _LT_TAGVAR(link_all_deplibs, $1)=yes + ;; -# The commands to extract the exported symbol list from a shared archive. -extract_expsyms_cmds=$lt_extract_expsyms_cmds + netbsd*) + if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out + else + _LT_TAGVAR(archive_cmds, $1)='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF + fi + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; -# Symbols that should not be listed in the preloaded symbols. 
-exclude_expsyms=$lt_[]_LT_AC_TAGVAR(exclude_expsyms, $1) + newsos6) + _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; -# Symbols that must always be exported. -include_expsyms=$lt_[]_LT_AC_TAGVAR(include_expsyms, $1) + *nto* | *qnx*) + ;; -ifelse([$1],[], -[# ### END LIBTOOL CONFIG], -[# ### END LIBTOOL TAG CONFIG: $tagname]) + openbsd*) + if test -f /usr/libexec/ld.so; then + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + _LT_TAGVAR(hardcode_direct_absolute, $1)=yes + if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' + else + case $host_os in + openbsd[[01]].* | openbsd2.[[0-7]] | openbsd2.[[0-7]].*) + _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' + ;; + *) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' + ;; + esac + fi + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; -__EOF__ + os2*) + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(hardcode_minus_L, $1)=yes + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + _LT_TAGVAR(archive_cmds, $1)='$ECHO "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$ECHO "DESCRIPTION \"$libname\"" >> 
$output_objdir/$libname.def~$ECHO DATA >> $output_objdir/$libname.def~$ECHO " SINGLE NONSHARED" >> $output_objdir/$libname.def~$ECHO EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def' + _LT_TAGVAR(old_archive_from_new_cmds, $1)='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def' + ;; -ifelse([$1],[], [ - case $host_os in - aix3*) - cat <<\EOF >> "$cfgfile" + osf3*) + if test "$GCC" = yes; then + _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' + else + _LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib' + fi + _LT_TAGVAR(archive_cmds_need_lc, $1)='no' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + ;; -# AIX sometimes has problems with the GCC collect2 program. For some -# reason, if we set the COLLECT_NAMES environment variable, the problems -# vanish in a puff of smoke. 
-if test "X${COLLECT_NAMES+set}" != Xset; then - COLLECT_NAMES= - export COLLECT_NAMES -fi -EOF - ;; - esac + osf4* | osf5*) # as osf3* with the addition of -msym flag + if test "$GCC" = yes; then + _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' + else + _LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; printf "%s\\n" "-hidden">> $lib.exp~ + $CC -shared${allow_undefined_flag} ${wl}-input ${wl}$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib~$RM $lib.exp' - # We use sed instead of cat because bash on DJGPP gets confused if - # if finds mixed CR/LF and LF-only lines. Since sed operates in - # text mode, it properly converts lines to CR/LF. This bash problem - # is reportedly fixed, but why not run on old versions too? 
- sed '$q' "$ltmain" >> "$cfgfile" || (rm -f "$cfgfile"; exit 1) + # Both c and cxx compiler support -rpath directly + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir' + fi + _LT_TAGVAR(archive_cmds_need_lc, $1)='no' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + ;; - mv -f "$cfgfile" "$ofile" || \ - (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile") - chmod +x "$ofile" -]) -else - # If there is no Makefile yet, we rely on a make rule to execute - # `config.status --recheck' to rerun these tests and create the - # libtool script then. - ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'` - if test -f "$ltmain_in"; then - test -f Makefile && make "$ltmain" - fi -fi -])# AC_LIBTOOL_CONFIG + solaris*) + _LT_TAGVAR(no_undefined_flag, $1)=' -z defs' + if test "$GCC" = yes; then + wlarc='${wl}' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-z ${wl}text ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ + $CC -shared ${wl}-z ${wl}text ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp' + else + case `$CC -V 2>&1` in + *"Compilers 5.0"*) + wlarc='' + _LT_TAGVAR(archive_cmds, $1)='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ + $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$RM $lib.exp' + ;; + *) + wlarc='${wl}' + _LT_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ + $CC 
-G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp' + ;; + esac + fi + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + case $host_os in + solaris2.[[0-5]] | solaris2.[[0-5]].*) ;; + *) + # The compiler driver will combine and reorder linker options, + # but understands `-z linker_flag'. GCC discards it without `$wl', + # but is careful enough not to reorder. + # Supported since Solaris 2.6 (maybe 2.5.1?) + if test "$GCC" = yes; then + _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract' + else + _LT_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract' + fi + ;; + esac + _LT_TAGVAR(link_all_deplibs, $1)=yes + ;; + sunos4*) + if test "x$host_vendor" = xsequent; then + # Use $CC to link under sequent, because it throws in some extra .o + # files that make .init and .fini sections work. + _LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags' + else + _LT_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags' + fi + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_minus_L, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; -# AC_LIBTOOL_PROG_COMPILER_NO_RTTI([TAGNAME]) -# ------------------------------------------- -AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_NO_RTTI], -[AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl + sysv4) + case $host_vendor in + sni) + _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(hardcode_direct, $1)=yes # is this really true??? + ;; + siemens) + ## LD is ld it makes a PLAMLIB + ## CC just makes a GrossModule. 
+ _LT_TAGVAR(archive_cmds, $1)='$LD -G -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(reload_cmds, $1)='$CC -r -o $output$reload_objs' + _LT_TAGVAR(hardcode_direct, $1)=no + ;; + motorola) + _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(hardcode_direct, $1)=no #Motorola manual says yes, but my tests say they lie + ;; + esac + runpath_var='LD_RUN_PATH' + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; -_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)= + sysv4.3*) + _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + _LT_TAGVAR(export_dynamic_flag_spec, $1)='-Bexport' + ;; -if test "$GCC" = yes; then - _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin' + sysv4*MP*) + if test -d /usr/nec; then + _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + runpath_var=LD_RUN_PATH + hardcode_runpath_var=yes + _LT_TAGVAR(ld_shlibs, $1)=yes + fi + ;; - AC_LIBTOOL_COMPILER_OPTION([if $compiler supports -fno-rtti -fno-exceptions], - lt_cv_prog_compiler_rtti_exceptions, - [-fno-rtti -fno-exceptions], [], - [_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)="$_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) -fno-rtti -fno-exceptions"]) -fi -])# AC_LIBTOOL_PROG_COMPILER_NO_RTTI + sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*) + _LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text' + _LT_TAGVAR(archive_cmds_need_lc, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + runpath_var='LD_RUN_PATH' + if test "$GCC" = yes; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + else + _LT_TAGVAR(archive_cmds, 
$1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + fi + ;; -# AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE -# --------------------------------- -AC_DEFUN([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE], -[AC_REQUIRE([AC_CANONICAL_HOST]) -AC_REQUIRE([AC_PROG_NM]) -AC_REQUIRE([AC_OBJEXT]) -# Check for command to grab the raw symbol name followed by C symbol from nm. -AC_MSG_CHECKING([command to parse $NM output from $compiler object]) -AC_CACHE_VAL([lt_cv_sys_global_symbol_pipe], -[ -# These are sane defaults that work on at least a few old systems. -# [They come from Ultrix. What could be older than Ultrix?!! ;)] - -# Character class describing NM global symbol codes. -symcode='[[BCDEGRST]]' + sysv5* | sco3.2v5* | sco5v6*) + # Note: We can NOT use -z defs as we might desire, because we do not + # link with -lc, and that would cause any symbols used from libc to + # always be unresolved, which means just about no library would + # ever link correctly. If we're not using GNU ld we use -z text + # though, which does catch some bad symbols but isn't as heavy-handed + # as -z defs. + _LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text' + _LT_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs' + _LT_TAGVAR(archive_cmds_need_lc, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R,$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=':' + _LT_TAGVAR(link_all_deplibs, $1)=yes + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport' + runpath_var='LD_RUN_PATH' -# Regexp to match symbols that can be accessed directly from C. 
-sympat='\([[_A-Za-z]][[_A-Za-z0-9]]*\)' + if test "$GCC" = yes; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + else + _LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + fi + ;; -# Transform an extracted symbol line into a proper C declaration -lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^. .* \(.*\)$/extern int \1;/p'" + uts4*) + _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; -# Transform an extracted symbol line into symbol name and symbol address -lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode \([[^ ]]*\) \([[^ ]]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'" + *) + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + esac -# Define system-specific variables. 
-case $host_os in -aix*) - symcode='[[BCDT]]' - ;; -cygwin* | mingw* | pw32*) - symcode='[[ABCDGISTW]]' - ;; -hpux*) # Its linker distinguishes data from code symbols - if test "$host_cpu" = ia64; then - symcode='[[ABCDEGRST]]' + if test x$host_vendor = xsni; then + case $host in + sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*) + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Blargedynsym' + ;; + esac + fi fi - lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'" - lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'" - ;; -linux*) - if test "$host_cpu" = ia64; then - symcode='[[ABCDGIRSTW]]' - lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'" - lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'" +]) +AC_MSG_RESULT([$_LT_TAGVAR(ld_shlibs, $1)]) +test "$_LT_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no + +_LT_TAGVAR(with_gnu_ld, $1)=$with_gnu_ld + +_LT_DECL([], [libext], [0], [Old archive suffix (normally "a")])dnl +_LT_DECL([], [shrext_cmds], [1], [Shared library suffix (normally ".so")])dnl +_LT_DECL([], [extract_expsyms_cmds], [2], + [The commands to extract the exported symbol list from a shared archive]) + +# +# Do we need to explicitly link libc? +# +case "x$_LT_TAGVAR(archive_cmds_need_lc, $1)" in +x|xyes) + # Assume -lc should be added + _LT_TAGVAR(archive_cmds_need_lc, $1)=yes + + if test "$enable_shared" = yes && test "$GCC" = yes; then + case $_LT_TAGVAR(archive_cmds, $1) in + *'~'*) + # FIXME: we may have to deal with multi-command sequences. 
+ ;; + '$CC '*) + # Test whether the compiler implicitly links with -lc since on some + # systems, -lgcc has to come before -lc. If gcc already passes -lc + # to ld, don't add -lc before -lgcc. + AC_MSG_CHECKING([whether -lc should be explicitly linked in]) + $RM conftest* + echo "$lt_simple_compile_test_code" > conftest.$ac_ext + + if AC_TRY_EVAL(ac_compile) 2>conftest.err; then + soname=conftest + lib=conftest + libobjs=conftest.$ac_objext + deplibs= + wl=$_LT_TAGVAR(lt_prog_compiler_wl, $1) + pic_flag=$_LT_TAGVAR(lt_prog_compiler_pic, $1) + compiler_flags=-v + linker_flags=-v + verstring= + output_objdir=. + libname=conftest + lt_save_allow_undefined_flag=$_LT_TAGVAR(allow_undefined_flag, $1) + _LT_TAGVAR(allow_undefined_flag, $1)= + if AC_TRY_EVAL(_LT_TAGVAR(archive_cmds, $1) 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1) + then + _LT_TAGVAR(archive_cmds_need_lc, $1)=no + else + _LT_TAGVAR(archive_cmds_need_lc, $1)=yes + fi + _LT_TAGVAR(allow_undefined_flag, $1)=$lt_save_allow_undefined_flag + else + cat conftest.err 1>&5 + fi + $RM conftest* + AC_MSG_RESULT([$_LT_TAGVAR(archive_cmds_need_lc, $1)]) + ;; + esac fi ;; -irix* | nonstopux*) - symcode='[[BCDEGRST]]' - ;; -osf*) - symcode='[[BCDEGQRST]]' - ;; -solaris*) - symcode='[[BDRT]]' - ;; -sco3.2v5*) - symcode='[[DT]]' - ;; -sysv4.2uw2*) - symcode='[[DT]]' - ;; -sysv5* | sco5v6* | unixware* | OpenUNIX*) - symcode='[[ABDT]]' - ;; -sysv4) - symcode='[[DFNSTU]]' - ;; esac -# Handle CRLF in mingw tool chain -opt_cr= -case $build_os in -mingw*) - opt_cr=`echo 'x\{0,1\}' | tr x '\015'` # option cr in regexp - ;; -esac +_LT_TAGDECL([build_libtool_need_lc], [archive_cmds_need_lc], [0], + [Whether or not to add -lc for building shared libraries]) +_LT_TAGDECL([allow_libtool_libs_with_static_runtimes], + [enable_shared_with_static_runtimes], [0], + [Whether or not to disallow shared libs when runtime libs are static]) +_LT_TAGDECL([], [export_dynamic_flag_spec], [1], + [Compiler flag to allow reflexive dlopens]) 
+_LT_TAGDECL([], [whole_archive_flag_spec], [1], + [Compiler flag to generate shared objects directly from archives]) +_LT_TAGDECL([], [compiler_needs_object], [1], + [Whether the compiler copes with passing no objects directly]) +_LT_TAGDECL([], [old_archive_from_new_cmds], [2], + [Create an old-style archive from a shared archive]) +_LT_TAGDECL([], [old_archive_from_expsyms_cmds], [2], + [Create a temporary old-style archive to link instead of a shared archive]) +_LT_TAGDECL([], [archive_cmds], [2], [Commands used to build a shared archive]) +_LT_TAGDECL([], [archive_expsym_cmds], [2]) +_LT_TAGDECL([], [module_cmds], [2], + [Commands used to build a loadable module if different from building + a shared archive.]) +_LT_TAGDECL([], [module_expsym_cmds], [2]) +_LT_TAGDECL([], [with_gnu_ld], [1], + [Whether we are building with GNU ld or not]) +_LT_TAGDECL([], [allow_undefined_flag], [1], + [Flag that allows shared libraries with undefined symbols to be built]) +_LT_TAGDECL([], [no_undefined_flag], [1], + [Flag that enforces no undefined symbols]) +_LT_TAGDECL([], [hardcode_libdir_flag_spec], [1], + [Flag to hardcode $libdir into a binary during linking. + This must work even if $libdir does not exist]) +_LT_TAGDECL([], [hardcode_libdir_flag_spec_ld], [1], + [[If ld is used when linking, flag to hardcode $libdir into a binary + during linking. 
This must work even if $libdir does not exist]]) +_LT_TAGDECL([], [hardcode_libdir_separator], [1], + [Whether we need a single "-rpath" flag with a separated argument]) +_LT_TAGDECL([], [hardcode_direct], [0], + [Set to "yes" if using DIR/libNAME${shared_ext} during linking hardcodes + DIR into the resulting binary]) +_LT_TAGDECL([], [hardcode_direct_absolute], [0], + [Set to "yes" if using DIR/libNAME${shared_ext} during linking hardcodes + DIR into the resulting binary and the resulting library dependency is + "absolute", i.e impossible to change by setting ${shlibpath_var} if the + library is relocated]) +_LT_TAGDECL([], [hardcode_minus_L], [0], + [Set to "yes" if using the -LDIR flag during linking hardcodes DIR + into the resulting binary]) +_LT_TAGDECL([], [hardcode_shlibpath_var], [0], + [Set to "yes" if using SHLIBPATH_VAR=DIR during linking hardcodes DIR + into the resulting binary]) +_LT_TAGDECL([], [hardcode_automatic], [0], + [Set to "yes" if building a shared library automatically hardcodes DIR + into the library and all subsequent libraries and executables linked + against it]) +_LT_TAGDECL([], [inherit_rpath], [0], + [Set to yes if linker adds runtime paths of dependent libraries + to runtime path list]) +_LT_TAGDECL([], [link_all_deplibs], [0], + [Whether libtool must link a program against all its dependency libraries]) +_LT_TAGDECL([], [fix_srcfile_path], [1], + [Fix the shell variable $srcfile for the compiler]) +_LT_TAGDECL([], [always_export_symbols], [0], + [Set to "yes" if exported symbols are required]) +_LT_TAGDECL([], [export_symbols_cmds], [2], + [The commands to list exported symbols]) +_LT_TAGDECL([], [exclude_expsyms], [1], + [Symbols that should not be listed in the preloaded symbols]) +_LT_TAGDECL([], [include_expsyms], [1], + [Symbols that must always be exported]) +_LT_TAGDECL([], [prelink_cmds], [2], + [Commands necessary for linking programs (against libraries) with templates]) +_LT_TAGDECL([], [file_list_spec], [1], + [Specify 
filename containing input files]) +dnl FIXME: Not yet implemented +dnl _LT_TAGDECL([], [thread_safe_flag_spec], [1], +dnl [Compiler flag to generate thread safe objects]) +])# _LT_LINKER_SHLIBS -# If we're using GNU nm, then use its standard symbol codes. -case `$NM -V 2>&1` in -*GNU* | *'with BFD'*) - symcode='[[ABCDGIRSTW]]' ;; -esac -# Try without a prefix undercore, then with it. -for ac_symprfx in "" "_"; do +# _LT_LANG_C_CONFIG([TAG]) +# ------------------------ +# Ensure that the configuration variables for a C compiler are suitably +# defined. These variables are subsequently used by _LT_CONFIG to write +# the compiler configuration to `libtool'. +m4_defun([_LT_LANG_C_CONFIG], +[m4_require([_LT_DECL_EGREP])dnl +lt_save_CC="$CC" +AC_LANG_PUSH(C) - # Transform symcode, sympat, and symprfx into a raw symbol and a C symbol. - symxfrm="\\1 $ac_symprfx\\2 \\2" +# Source file extension for C test sources. +ac_ext=c - # Write the raw and C identifiers. - lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[ ]]\($symcode$symcode*\)[[ ]][[ ]]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'" +# Object file extension for compiled C test sources. +objext=o +_LT_TAGVAR(objext, $1)=$objext - # Check to see that the pipe works correctly. - pipe_works=no +# Code to be used in simple compile tests +lt_simple_compile_test_code="int some_variable = 0;" - rm -f conftest* - cat > conftest.$ac_ext < $nlist) && test -s "$nlist"; then - # Try sorting and uniquifying the output. - if sort "$nlist" | uniq > "$nlist"T; then - mv -f "$nlist"T "$nlist" - else - rm -f "$nlist"T - fi +_LT_TAG_COMPILER +# Save the default compiler, since it gets overwritten when the other +# tags are being tested, and _LT_TAGVAR(compiler, []) is a NOP. +compiler_DEFAULT=$CC - # Make sure that we snagged all the symbols we need. 
- if grep ' nm_test_var$' "$nlist" >/dev/null; then - if grep ' nm_test_func$' "$nlist" >/dev/null; then - cat < conftest.$ac_ext -#ifdef __cplusplus -extern "C" { -#endif +# save warnings/boilerplate of simple test code +_LT_COMPILER_BOILERPLATE +_LT_LINKER_BOILERPLATE -EOF - # Now generate the symbol file. - eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | grep -v main >> conftest.$ac_ext' +if test -n "$compiler"; then + _LT_COMPILER_NO_RTTI($1) + _LT_COMPILER_PIC($1) + _LT_COMPILER_C_O($1) + _LT_COMPILER_FILE_LOCKS($1) + _LT_LINKER_SHLIBS($1) + _LT_SYS_DYNAMIC_LINKER($1) + _LT_LINKER_HARDCODE_LIBPATH($1) + LT_SYS_DLOPEN_SELF + _LT_CMD_STRIPLIB + + # Report which library types will actually be built + AC_MSG_CHECKING([if libtool supports shared libraries]) + AC_MSG_RESULT([$can_build_shared]) - cat <> conftest.$ac_ext -#if defined (__STDC__) && __STDC__ -# define lt_ptr_t void * -#else -# define lt_ptr_t char * -# define const -#endif + AC_MSG_CHECKING([whether to build shared libraries]) + test "$can_build_shared" = "no" && enable_shared=no -/* The mapping between symbol names and symbols. */ -const struct { - const char *name; - lt_ptr_t address; -} -lt_preloaded_symbols[[]] = -{ -EOF - $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/ {\"\2\", (lt_ptr_t) \&\2},/" < "$nlist" | grep -v main >> conftest.$ac_ext - cat <<\EOF >> conftest.$ac_ext - {0, (lt_ptr_t) 0} -}; + # On AIX, shared libraries and static libraries use the same namespace, and + # are all built from PIC. + case $host_os in + aix3*) + test "$enable_shared" = yes && enable_static=no + if test -n "$RANLIB"; then + archive_cmds="$archive_cmds~\$RANLIB \$lib" + postinstall_cmds='$RANLIB $lib' + fi + ;; -#ifdef __cplusplus -} -#endif -EOF - # Now try linking the two files. 
- mv conftest.$ac_objext conftstm.$ac_objext - lt_save_LIBS="$LIBS" - lt_save_CFLAGS="$CFLAGS" - LIBS="conftstm.$ac_objext" - CFLAGS="$CFLAGS$_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)" - if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext}; then - pipe_works=yes - fi - LIBS="$lt_save_LIBS" - CFLAGS="$lt_save_CFLAGS" - else - echo "cannot find nm_test_func in $nlist" >&AS_MESSAGE_LOG_FD - fi - else - echo "cannot find nm_test_var in $nlist" >&AS_MESSAGE_LOG_FD - fi - else - echo "cannot run $lt_cv_sys_global_symbol_pipe" >&AS_MESSAGE_LOG_FD + aix[[4-9]]*) + if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then + test "$enable_shared" = yes && enable_static=no fi - else - echo "$progname: failed program was:" >&AS_MESSAGE_LOG_FD - cat conftest.$ac_ext >&5 - fi - rm -f conftest* conftst* + ;; + esac + AC_MSG_RESULT([$enable_shared]) - # Do not use the global_symbol_pipe unless it works. - if test "$pipe_works" = yes; then - break - else - lt_cv_sys_global_symbol_pipe= - fi -done -]) -if test -z "$lt_cv_sys_global_symbol_pipe"; then - lt_cv_sys_global_symbol_to_cdecl= + AC_MSG_CHECKING([whether to build static libraries]) + # Make sure either enable_shared or enable_static is yes. + test "$enable_shared" = yes || enable_static=yes + AC_MSG_RESULT([$enable_static]) + + _LT_CONFIG($1) fi -if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then - AC_MSG_RESULT(failed) +AC_LANG_POP +CC="$lt_save_CC" +])# _LT_LANG_C_CONFIG + + +# _LT_PROG_CXX +# ------------ +# Since AC_PROG_CXX is broken, in that it returns g++ if there is no c++ +# compiler, we have our own version here. 
+m4_defun([_LT_PROG_CXX], +[ +pushdef([AC_MSG_ERROR], [_lt_caught_CXX_error=yes]) +AC_PROG_CXX +if test -n "$CXX" && ( test "X$CXX" != "Xno" && + ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) || + (test "X$CXX" != "Xg++"))) ; then + AC_PROG_CXXCPP else - AC_MSG_RESULT(ok) + _lt_caught_CXX_error=yes fi -]) # AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE +popdef([AC_MSG_ERROR]) +])# _LT_PROG_CXX +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([_LT_PROG_CXX], []) -# AC_LIBTOOL_PROG_COMPILER_PIC([TAGNAME]) -# --------------------------------------- -AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_PIC], -[_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)= -_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)= -_LT_AC_TAGVAR(lt_prog_compiler_static, $1)= -AC_MSG_CHECKING([for $compiler option to produce PIC]) - ifelse([$1],[CXX],[ - # C++ specific cases for pic, static, wl, etc. - if test "$GXX" = yes; then - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static' +# _LT_LANG_CXX_CONFIG([TAG]) +# -------------------------- +# Ensure that the configuration variables for a C++ compiler are suitably +# defined. These variables are subsequently used by _LT_CONFIG to write +# the compiler configuration to `libtool'. 
+m4_defun([_LT_LANG_CXX_CONFIG], +[AC_REQUIRE([_LT_PROG_CXX])dnl +m4_require([_LT_FILEUTILS_DEFAULTS])dnl +m4_require([_LT_DECL_EGREP])dnl + +AC_LANG_PUSH(C++) +_LT_TAGVAR(archive_cmds_need_lc, $1)=no +_LT_TAGVAR(allow_undefined_flag, $1)= +_LT_TAGVAR(always_export_symbols, $1)=no +_LT_TAGVAR(archive_expsym_cmds, $1)= +_LT_TAGVAR(compiler_needs_object, $1)=no +_LT_TAGVAR(export_dynamic_flag_spec, $1)= +_LT_TAGVAR(hardcode_direct, $1)=no +_LT_TAGVAR(hardcode_direct_absolute, $1)=no +_LT_TAGVAR(hardcode_libdir_flag_spec, $1)= +_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)= +_LT_TAGVAR(hardcode_libdir_separator, $1)= +_LT_TAGVAR(hardcode_minus_L, $1)=no +_LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported +_LT_TAGVAR(hardcode_automatic, $1)=no +_LT_TAGVAR(inherit_rpath, $1)=no +_LT_TAGVAR(module_cmds, $1)= +_LT_TAGVAR(module_expsym_cmds, $1)= +_LT_TAGVAR(link_all_deplibs, $1)=unknown +_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds +_LT_TAGVAR(no_undefined_flag, $1)= +_LT_TAGVAR(whole_archive_flag_spec, $1)= +_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no - case $host_os in - aix*) - # All AIX code is PIC. - if test "$host_cpu" = ia64; then - # AIX 5 now supports IA64 processor - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' +# Source file extension for C++ test sources. +ac_ext=cpp + +# Object file extension for compiled C++ test sources. +objext=o +_LT_TAGVAR(objext, $1)=$objext + +# No sense in running all these tests if we already determined that +# the CXX compiler isn't working. Some variables (like enable_shared) +# are currently assumed to apply to all compilers on this platform, +# and will be corrupted by setting them based on a non-working compiler. 
+if test "$_lt_caught_CXX_error" != yes; then + # Code to be used in simple compile tests + lt_simple_compile_test_code="int some_variable = 0;" + + # Code to be used in simple link tests + lt_simple_link_test_code='int main(int, char *[[]]) { return(0); }' + + # ltmain only uses $CC for tagged configurations so make sure $CC is set. + _LT_TAG_COMPILER + + # save warnings/boilerplate of simple test code + _LT_COMPILER_BOILERPLATE + _LT_LINKER_BOILERPLATE + + # Allow CC to be a program name with arguments. + lt_save_CC=$CC + lt_save_LD=$LD + lt_save_GCC=$GCC + GCC=$GXX + lt_save_with_gnu_ld=$with_gnu_ld + lt_save_path_LD=$lt_cv_path_LD + if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then + lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx + else + $as_unset lt_cv_prog_gnu_ld + fi + if test -n "${lt_cv_path_LDCXX+set}"; then + lt_cv_path_LD=$lt_cv_path_LDCXX + else + $as_unset lt_cv_path_LD + fi + test -z "${LDCXX+set}" || LD=$LDCXX + CC=${CXX-"c++"} + compiler=$CC + _LT_TAGVAR(compiler, $1)=$CC + _LT_CC_BASENAME([$compiler]) + + if test -n "$compiler"; then + # We don't want -fno-exception when compiling C++ code, so set the + # no_builtin_flag separately + if test "$GXX" = yes; then + _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin' + else + _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)= + fi + + if test "$GXX" = yes; then + # Set up default GNU C++ configuration + + LT_PATH_LD + + # Check if GNU C++ uses GNU ld as the underlying linker, since the + # archiving commands below assume that GNU ld is being used. 
+ if test "$with_gnu_ld" = yes; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' + + # If archive_cmds runs LD, not CC, wlarc should be empty + # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to + # investigate it a little bit more. (MM) + wlarc='${wl}' + + # ancient GNU ld didn't support --whole-archive et. al. + if eval "`$CC -print-prog-name=ld` --help 2>&1" | + $GREP 'no-whole-archive' > /dev/null; then + _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' + else + _LT_TAGVAR(whole_archive_flag_spec, $1)= + fi + else + with_gnu_ld=no + wlarc= + + # A generic and very simple default shared library creation + # command for GNU C++ for the case where it uses the native + # linker, instead of GNU ld. If possible, this setting should + # overridden to take advantage of the native linker features on + # the platform it is being used on. + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib' fi - ;; - amigaos*) - # FIXME: we need at least 68020 code to build shared libraries, but - # adding the `-m68020' flag to GCC prevents building anything better, - # like `-m68040'. - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4' - ;; - beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) - # PIC is the default for these OSes. 
- ;; - mingw* | os2* | pw32*) - # This hack is so that the source file can tell whether it is being - # built for inclusion in a dll (and should export symbols for example). - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT' - ;; - darwin* | rhapsody*) - # PIC is the default on this platform - # Common symbols not allowed in MH_DYLIB files - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common' - ;; - *djgpp*) - # DJGPP does not support shared libraries at all - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)= - ;; - interix3*) - # Interix 3.x gcc -fpic/-fPIC options generate broken code. - # Instead, we relocate shared libraries at runtime. - ;; - sysv4*MP*) - if test -d /usr/nec; then - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic - fi - ;; - hpux*) - # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but - # not for PA HP-UX. - case $host_cpu in - hppa*64*|ia64*) - ;; - *) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' - ;; - esac - ;; - *) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' - ;; - esac - else + + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. + output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"' + + else + GXX=no + with_gnu_ld=no + wlarc= + fi + + # PORTME: fill in a description of your system's C++ link characteristics + AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries]) + _LT_TAGVAR(ld_shlibs, $1)=yes case $host_os in - aix4* | aix5*) - # All AIX code is PIC. - if test "$host_cpu" = ia64; then - # AIX 5 now supports IA64 processor - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + aix3*) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + aix[[4-9]]*) + if test "$host_cpu" = ia64; then + # On IA64, the linker does run time linking by default, so we don't + # have to do anything special. 
+ aix_use_runtimelinking=no + exp_sym_flag='-Bexport' + no_entry_flag="" + else + aix_use_runtimelinking=no + + # Test if we are trying to use run time linking or normal + # AIX style linking. If -brtl is somewhere in LDFLAGS, we + # need to do runtime linking. + case $host_os in aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*) + for ld_flag in $LDFLAGS; do + case $ld_flag in + *-brtl*) + aix_use_runtimelinking=yes + break + ;; + esac + done + ;; + esac + + exp_sym_flag='-bexport' + no_entry_flag='-bnoentry' + fi + + # When large executables or shared objects are built, AIX ld can + # have problems creating the table of contents. If linking a library + # or program results in "error TOC overflow" add -mminimal-toc to + # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not + # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS. + + _LT_TAGVAR(archive_cmds, $1)='' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_direct_absolute, $1)=yes + _LT_TAGVAR(hardcode_libdir_separator, $1)=':' + _LT_TAGVAR(link_all_deplibs, $1)=yes + _LT_TAGVAR(file_list_spec, $1)='${wl}-f,' + + if test "$GXX" = yes; then + case $host_os in aix4.[[012]]|aix4.[[012]].*) + # We only want to do this on AIX 4.2 and lower, the check + # below for broken collect2 doesn't work under 4.3+ + collect2name=`${CC} -print-prog-name=collect2` + if test -f "$collect2name" && + strings "$collect2name" | $GREP resolve_lib_name >/dev/null + then + # We have reworked collect2 + : + else + # We have old collect2 + _LT_TAGVAR(hardcode_direct, $1)=unsupported + # It fails to find uninstalled libraries when the uninstalled + # path is not listed in the libpath. 
Setting hardcode_minus_L + # to unsupported forces relinking + _LT_TAGVAR(hardcode_minus_L, $1)=yes + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)= + fi + esac + shared_flag='-shared' + if test "$aix_use_runtimelinking" = yes; then + shared_flag="$shared_flag "'${wl}-G' + fi + else + # not using gcc + if test "$host_cpu" = ia64; then + # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release + # chokes on -Wl,-G. The following line is correct: + shared_flag='-G' + else + if test "$aix_use_runtimelinking" = yes; then + shared_flag='${wl}-G' + else + shared_flag='${wl}-bM:SRE' + fi + fi + fi + + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-bexpall' + # It seems that -bexpall does not export symbols beginning with + # underscore (_), so it is better to generate a list of symbols to + # export. + _LT_TAGVAR(always_export_symbols, $1)=yes + if test "$aix_use_runtimelinking" = yes; then + # Warning - without using the other runtime loading flags (-brtl), + # -berok will link without error, but may produce a broken library. + _LT_TAGVAR(allow_undefined_flag, $1)='-berok' + # Determine the default libpath from the value encoded in an empty + # executable. 
+ _LT_SYS_MODULE_PATH_AIX + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath" + + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then $ECHO "X${wl}${allow_undefined_flag}" | $Xsed; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag" + else + if test "$host_cpu" = ia64; then + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib' + _LT_TAGVAR(allow_undefined_flag, $1)="-z nodefs" + _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols" + else + # Determine the default libpath from the value encoded in an + # empty executable. + _LT_SYS_MODULE_PATH_AIX + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath" + # Warning - without using the other run time loading flags, + # -berok will link without error, but may produce a broken library. + _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok' + _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok' + # Exported symbols can be pulled into shared objects from archives + _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience' + _LT_TAGVAR(archive_cmds_need_lc, $1)=yes + # This is similar to how AIX traditionally builds its shared + # libraries. + _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname' + fi + fi + ;; + + beos*) + if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + # Joseph Beckenbach says some releases of gcc + # support --undefined. This deserves some investigation. 
FIXME + _LT_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' else - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp' + _LT_TAGVAR(ld_shlibs, $1)=no fi ;; + chorus*) - case $cc_basename in - cxch68*) - # Green Hills C++ Compiler - # _LT_AC_TAGVAR(lt_prog_compiler_static, $1)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a" + case $cc_basename in + *) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no ;; - esac + esac + ;; + + cygwin* | mingw* | pw32* | cegcc*) + # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless, + # as there is no search path for DLLs. + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + _LT_TAGVAR(always_export_symbols, $1)=no + _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes + + if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' + # If the export-symbols file already is a .def file (1st line + # is EXPORTS), use it as is; otherwise, prepend... 
+ _LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then + cp $export_symbols $output_objdir/$soname.def; + else + echo EXPORTS > $output_objdir/$soname.def; + cat $export_symbols >> $output_objdir/$soname.def; + fi~ + $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + darwin* | rhapsody*) + _LT_DARWIN_LINKER_FEATURES($1) ;; - darwin*) - # PIC is the default on this platform - # Common symbols not allowed in MH_DYLIB files - case $cc_basename in - xlc*) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-qnocommon' - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - ;; - esac - ;; + dgux*) - case $cc_basename in - ec++*) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + case $cc_basename in + ec++*) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no ;; - ghcx*) + ghcx*) # Green Hills C++ Compiler - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic' + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no ;; - *) + *) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no ;; - esac - ;; - freebsd* | kfreebsd*-gnu | dragonfly*) - # FreeBSD uses GNU C++ - ;; - hpux9* | hpux10* | hpux11*) - case $cc_basename in - CC*) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive' - if test "$host_cpu" != ia64; then - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z' - fi + esac + ;; + + freebsd[[12]]*) + # C++ shared libraries reported to be fairly broken before + # switch to ELF + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + + freebsd-elf*) + _LT_TAGVAR(archive_cmds_need_lc, $1)=no + ;; + + freebsd* | dragonfly*) + # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF + # conventions + _LT_TAGVAR(ld_shlibs, $1)=yes + ;; + + gnu*) 
+ ;; + + hpux9*) + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH, + # but as the default + # location of the library. + + case $cc_basename in + CC*) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + aCC*) + _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. + # + # There doesn't appear to be a way to prevent this compiler from + # explicitly linking system object files so we need to strip them + # from the output so that they don't get included in the library + # dependencies. 
+ output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed' + ;; + *) + if test "$GXX" = yes; then + _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared -nostdlib -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' + else + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + esac + ;; + + hpux10*|hpux11*) + if test $with_gnu_ld = no; then + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + + case $host_cpu in + hppa*64*|ia64*) + ;; + *) + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' + ;; + esac + fi + case $host_cpu in + hppa*64*|ia64*) + _LT_TAGVAR(hardcode_direct, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + *) + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_direct_absolute, $1)=yes + _LT_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH, + # but as the default + # location of the library. 
+ ;; + esac + + case $cc_basename in + CC*) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no ;; - aCC*) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive' + aCC*) case $host_cpu in - hppa*64*|ia64*) - # +Z the default - ;; - *) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z' - ;; + hppa*64*) + _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' + ;; + ia64*) + _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' + ;; + *) + _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' + ;; esac + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. + # + # There doesn't appear to be a way to prevent this compiler from + # explicitly linking system object files so we need to strip them + # from the output so that they don't get included in the library + # dependencies. 
+ output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed' ;; - *) + *) + if test "$GXX" = yes; then + if test $with_gnu_ld = no; then + case $host_cpu in + hppa*64*) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' + ;; + ia64*) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' + ;; + *) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' + ;; + esac + fi + else + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + fi ;; - esac - ;; - interix*) - # This is c89, which is MS Visual C++ (no shared libs) - # Anyone wants to do a port? - ;; - irix5* | irix6* | nonstopux*) - case $cc_basename in - CC*) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' - # CC pic flag -KPIC is the default. + esac + ;; + + interix[[3-9]]*) + _LT_TAGVAR(hardcode_direct, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' + # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc. + # Instead, shared libraries are loaded at an image base (0x10000000 by + # default) and relocated if they conflict, which is a slow very memory + # consuming and fragmenting process. To avoid this, we pick a random, + # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link + # time. Moving up from 0x10000000 also allows more sbrk(2) space. 
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' + ;; + irix5* | irix6*) + case $cc_basename in + CC*) + # SGI C++ + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib' + + # Archives containing C++ object files must be created using + # "CC -ar", where "CC" is the IRIX C++ compiler. This is + # necessary to make sure instantiated templates are included + # in the archive. 
+ _LT_TAGVAR(old_archive_cmds, $1)='$CC -ar -WR,-u -o $oldlib $oldobjs' ;; - *) + *) + if test "$GXX" = yes; then + if test "$with_gnu_ld" = no; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' + else + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` -o $lib' + fi + fi + _LT_TAGVAR(link_all_deplibs, $1)=yes ;; - esac - ;; - linux*) - case $cc_basename in - KCC*) - # KAI C++ Compiler - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,' - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + esac + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + _LT_TAGVAR(inherit_rpath, $1)=yes + ;; + + linux* | k*bsd*-gnu) + case $cc_basename in + KCC*) + # Kuck and Associates, Inc. (KAI) C++ Compiler + + # KCC will only create a shared library if the output file + # ends with ".so" (or ".sl" for HP-UX), so rename the library + # to its proper name (with version) after linking. 
+ _LT_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib ${wl}-retain-symbols-file,$export_symbols; mv \$templib $lib' + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. + # + # There doesn't appear to be a way to prevent this compiler from + # explicitly linking system object files so we need to strip them + # from the output so that they don't get included in the library + # dependencies. + output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | $GREP "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed' + + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' + + # Archives containing C++ object files must be created using + # "CC -Bstatic", where "CC" is the KAI C++ compiler. + _LT_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs' ;; - icpc* | ecpc*) + icpc* | ecpc* ) # Intel C++ - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static' - ;; - pgCC*) - # Portland Group C++ compiler. 
- _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fpic' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + with_gnu_ld=yes + # version 8.0 and above of icpc choke on multiply defined symbols + # if we add $predep_objects and $postdep_objects, however 7.1 and + # earlier do not add the objects themselves. + case `$CC -V 2>&1` in + *"Version 7."*) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + ;; + *) # Version 8.0 or newer + tmp_idyn= + case $host_cpu in + ia64*) tmp_idyn=' -i_dynamic';; + esac + _LT_TAGVAR(archive_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + ;; + esac + _LT_TAGVAR(archive_cmds_need_lc, $1)=no + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' + _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive' ;; + pgCC* | pgcpp*) + # Portland Group C++ compiler + case `$CC -V` in + *pgCC\ [[1-5]]* | *pgcpp\ [[1-5]]*) + _LT_TAGVAR(prelink_cmds, $1)='tpldir=Template.dir~ + rm -rf $tpldir~ + $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~ + compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"' + _LT_TAGVAR(old_archive_cmds, $1)='tpldir=Template.dir~ + rm -rf $tpldir~ + $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~ + $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~ 
+ $RANLIB $oldlib' + _LT_TAGVAR(archive_cmds, $1)='tpldir=Template.dir~ + rm -rf $tpldir~ + $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~ + $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='tpldir=Template.dir~ + rm -rf $tpldir~ + $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~ + $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib' + ;; + *) # Version 6 will use weak symbols + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib' + ;; + esac + + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' + _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive' + ;; cxx*) # Compaq C++ - # Make sure the PIC flag is empty. It appears that all Alpha - # Linux and Compaq Tru64 Unix objects are PIC. 
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)= - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib ${wl}-retain-symbols-file $wl$export_symbols' + + runpath_var=LD_RUN_PATH + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. + # + # There doesn't appear to be a way to prevent this compiler from + # explicitly linking system object files so we need to strip them + # from the output so that they don't get included in the library + # dependencies. + output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld"`; templist=`$ECHO "X$templist" | $Xsed -e "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed' + ;; + xl*) + # IBM XL 8.0 on PPC, with GNU ld + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' + _LT_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + if test "x$supports_anon_versioning" = xyes; then + _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~ + cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ + echo "local: *; };" >> $output_objdir/$libname.ver~ + $CC -qmkshrobj $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib' + fi ;; 
*) + case `$CC -V 2>&1 | sed 5q` in + *Sun\ C*) + # Sun C++ 5.9 + _LT_TAGVAR(no_undefined_flag, $1)=' -zdefs' + _LT_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file ${wl}$export_symbols' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' + _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive' + _LT_TAGVAR(compiler_needs_object, $1)=yes + + # Not sure whether something based on + # $CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 + # would be better. + output_verbose_link_cmd='echo' + + # Archives containing C++ object files must be created using + # "CC -xar", where "CC" is the Sun C++ compiler. This is + # necessary to make sure instantiated templates are included + # in the archive. 
+ _LT_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs' + ;; + esac ;; esac ;; + lynxos*) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no ;; + m88k*) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no ;; + mvs*) - case $cc_basename in - cxx*) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-W c,exportall' + case $cc_basename in + cxx*) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no ;; *) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no ;; esac ;; + netbsd*) + if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags' + wlarc= + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + fi + # Workaround some broken pre-1.5 toolchains + output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"' + ;; + + *nto* | *qnx*) + _LT_TAGVAR(ld_shlibs, $1)=yes + ;; + + openbsd2*) + # C++ shared libraries are fairly broken + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + + openbsd*) + if test -f /usr/libexec/ld.so; then + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + _LT_TAGVAR(hardcode_direct_absolute, $1)=yes + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' + if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' + 
_LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' + fi + output_verbose_link_cmd=echo + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi ;; + osf3* | osf4* | osf5*) - case $cc_basename in - KCC*) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,' + case $cc_basename in + KCC*) + # Kuck and Associates, Inc. (KAI) C++ Compiler + + # KCC will only create a shared library if the output file + # ends with ".so" (or ".sl" for HP-UX), so rename the library + # to its proper name (with version) after linking. + _LT_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo "$lib" | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib' + + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + + # Archives containing C++ object files must be created using + # the KAI C++ compiler. + case $host in + osf3*) _LT_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs' ;; + *) _LT_TAGVAR(old_archive_cmds, $1)='$CC -o $oldlib $oldobjs' ;; + esac ;; - RCC*) + RCC*) # Rational C++ 2.4.1 - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic' + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no ;; - cxx*) - # Digital/Compaq C++ - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - # Make sure the PIC flag is empty. It appears that all Alpha - # Linux and Compaq Tru64 Unix objects are PIC. 
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)= - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' + cxx*) + case $host in + osf3*) + _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && $ECHO "X${wl}-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' + ;; + *) + _LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~ + echo "-hidden">> $lib.exp~ + $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname ${wl}-input ${wl}$lib.exp `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib~ + $RM $lib.exp' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir' + ;; + esac + + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. + # + # There doesn't appear to be a way to prevent this compiler from + # explicitly linking system object files so we need to strip them + # from the output so that they don't get included in the library + # dependencies. 
+ output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld" | $GREP -v "ld:"`; templist=`$ECHO "X$templist" | $Xsed -e "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed' ;; *) + if test "$GXX" = yes && test "$with_gnu_ld" = no; then + _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*' + case $host in + osf3*) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' + ;; + *) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' + ;; + esac + + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. 
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"' + + else + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + fi ;; - esac - ;; + esac + ;; + psos*) - ;; + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + + sunos4*) + case $cc_basename in + CC*) + # Sun C++ 4.x + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + lcc*) + # Lucid + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + *) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + esac + ;; + solaris*) - case $cc_basename in - CC*) + case $cc_basename in + CC*) # Sun C++ 4.2, 5.x and Centerline C++ - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ' + _LT_TAGVAR(archive_cmds_need_lc,$1)=yes + _LT_TAGVAR(no_undefined_flag, $1)=' -zdefs' + _LT_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ + $CC -G${allow_undefined_flag} ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp' + + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + case $host_os in + solaris2.[[0-5]] | solaris2.[[0-5]].*) ;; + *) + # The compiler driver will combine and reorder linker options, + # but understands `-z linker_flag'. + # Supported since Solaris 2.6 (maybe 2.5.1?) 
+ _LT_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract' + ;; + esac + _LT_TAGVAR(link_all_deplibs, $1)=yes + + output_verbose_link_cmd='echo' + + # Archives containing C++ object files must be created using + # "CC -xar", where "CC" is the Sun C++ compiler. This is + # necessary to make sure instantiated templates are included + # in the archive. + _LT_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs' ;; - gcx*) + gcx*) # Green Hills C++ Compiler - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-PIC' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib' + + # The C++ compiler must be used to create the archive. + _LT_TAGVAR(old_archive_cmds, $1)='$CC $LDFLAGS -archive -o $oldlib $oldobjs' ;; - *) + *) + # GNU C++ compiler with Solaris linker + if test "$GXX" = yes && test "$with_gnu_ld" = no; then + _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-z ${wl}defs' + if $CC --version | $GREP -v '^2\.7' > /dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ + $CC -shared -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp' + + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. + output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"' + else + # g++ 2.7 appears to require `-G' NOT `-shared' on this + # platform. 
+ _LT_TAGVAR(archive_cmds, $1)='$CC -G -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ + $CC -G -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp' + + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. + output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"' + fi + + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $wl$libdir' + case $host_os in + solaris2.[[0-5]] | solaris2.[[0-5]].*) ;; + *) + _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract' + ;; + esac + fi ;; - esac - ;; - sunos4*) + esac + ;; + + sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*) + _LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text' + _LT_TAGVAR(archive_cmds_need_lc, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + runpath_var='LD_RUN_PATH' + + case $cc_basename in + CC*) + _LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + ;; + *) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + ;; + esac + ;; + + sysv5* | sco3.2v5* | sco5v6*) + # Note: We can NOT use -z defs as we might desire, because we do not + # link with -lc, and that would cause any symbols used from libc to + # always be unresolved, which means 
just about no library would + # ever link correctly. If we're not using GNU ld we use -z text + # though, which does catch some bad symbols but isn't as heavy-handed + # as -z defs. + _LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text' + _LT_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs' + _LT_TAGVAR(archive_cmds_need_lc, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R,$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=':' + _LT_TAGVAR(link_all_deplibs, $1)=yes + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport' + runpath_var='LD_RUN_PATH' + case $cc_basename in - CC*) - # Sun C++ 4.x - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' - ;; - lcc*) - # Lucid - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic' + CC*) + _LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' ;; *) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' ;; esac - ;; + ;; + tandem*) - case $cc_basename in - NCC*) + case $cc_basename in + NCC*) # NonStop-UX NCC 3.20 - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no ;; - *) + *) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no ;; - esac - ;; - sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*) - case $cc_basename in - CC*) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' - ;; - esac - ;; + esac + ;; + vxworks*) - ;; + # FIXME: insert proper C++ library support + 
_LT_TAGVAR(ld_shlibs, $1)=no + ;; + *) - _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no - ;; + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; esac - fi -], + + AC_MSG_RESULT([$_LT_TAGVAR(ld_shlibs, $1)]) + test "$_LT_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no + + _LT_TAGVAR(GCC, $1)="$GXX" + _LT_TAGVAR(LD, $1)="$LD" + + ## CAVEAT EMPTOR: + ## There is no encapsulation within the following macros, do not change + ## the running order or otherwise move them around unless you know exactly + ## what you are doing... + _LT_SYS_HIDDEN_LIBDEPS($1) + _LT_COMPILER_PIC($1) + _LT_COMPILER_C_O($1) + _LT_COMPILER_FILE_LOCKS($1) + _LT_LINKER_SHLIBS($1) + _LT_SYS_DYNAMIC_LINKER($1) + _LT_LINKER_HARDCODE_LIBPATH($1) + + _LT_CONFIG($1) + fi # test -n "$compiler" + + CC=$lt_save_CC + LDCXX=$LD + LD=$lt_save_LD + GCC=$lt_save_GCC + with_gnu_ld=$lt_save_with_gnu_ld + lt_cv_path_LDCXX=$lt_cv_path_LD + lt_cv_path_LD=$lt_save_path_LD + lt_cv_prog_gnu_ldcxx=$lt_cv_prog_gnu_ld + lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld +fi # test "$_lt_caught_CXX_error" != yes + +AC_LANG_POP +])# _LT_LANG_CXX_CONFIG + + +# _LT_SYS_HIDDEN_LIBDEPS([TAGNAME]) +# --------------------------------- +# Figure out "hidden" library dependencies from verbose +# compiler output when linking a shared library. +# Parse the compiler output and extract the necessary +# objects, libraries and library flags. +m4_defun([_LT_SYS_HIDDEN_LIBDEPS], +[m4_require([_LT_FILEUTILS_DEFAULTS])dnl +# Dependencies to place before and after the object being linked: +_LT_TAGVAR(predep_objects, $1)= +_LT_TAGVAR(postdep_objects, $1)= +_LT_TAGVAR(predeps, $1)= +_LT_TAGVAR(postdeps, $1)= +_LT_TAGVAR(compiler_lib_search_path, $1)= + +dnl we can't use the lt_simple_compile_test_code here, +dnl because it contains code intended for an executable, +dnl not a library. It's possible we should let each +dnl tag define a new lt_????_link_test_code variable, +dnl but it's only used here... 
+m4_if([$1], [], [cat > conftest.$ac_ext <<_LT_EOF +int a; +void foo (void) { a = 0; } +_LT_EOF +], [$1], [CXX], [cat > conftest.$ac_ext <<_LT_EOF +class Foo +{ +public: + Foo (void) { a = 0; } +private: + int a; +}; +_LT_EOF +], [$1], [F77], [cat > conftest.$ac_ext <<_LT_EOF + subroutine foo + implicit none + integer*4 a + a=0 + return + end +_LT_EOF +], [$1], [FC], [cat > conftest.$ac_ext <<_LT_EOF + subroutine foo + implicit none + integer a + a=0 + return + end +_LT_EOF +], [$1], [GCJ], [cat > conftest.$ac_ext <<_LT_EOF +public class foo { + private int a; + public void bar (void) { + a = 0; + } +}; +_LT_EOF +]) +dnl Parse the compiler output and extract the necessary +dnl objects, libraries and library flags. +if AC_TRY_EVAL(ac_compile); then + # Parse the compiler output and extract the necessary + # objects, libraries and library flags. + + # Sentinel used to keep track of whether or not we are before + # the conftest object file. + pre_test_object_deps_done=no + + for p in `eval "$output_verbose_link_cmd"`; do + case $p in + + -L* | -R* | -l*) + # Some compilers place space between "-{L,R}" and the path. + # Remove the space. + if test $p = "-L" || + test $p = "-R"; then + prev=$p + continue + else + prev= + fi + + if test "$pre_test_object_deps_done" = no; then + case $p in + -L* | -R*) + # Internal compiler library paths should come after those + # provided the user. The postdeps already come after the + # user supplied libs so there is no need to process them. + if test -z "$_LT_TAGVAR(compiler_lib_search_path, $1)"; then + _LT_TAGVAR(compiler_lib_search_path, $1)="${prev}${p}" + else + _LT_TAGVAR(compiler_lib_search_path, $1)="${_LT_TAGVAR(compiler_lib_search_path, $1)} ${prev}${p}" + fi + ;; + # The "-l" case would never come before the object being + # linked, so don't bother handling this case. 
+ esac + else + if test -z "$_LT_TAGVAR(postdeps, $1)"; then + _LT_TAGVAR(postdeps, $1)="${prev}${p}" + else + _LT_TAGVAR(postdeps, $1)="${_LT_TAGVAR(postdeps, $1)} ${prev}${p}" + fi + fi + ;; + + *.$objext) + # This assumes that the test object file only shows up + # once in the compiler output. + if test "$p" = "conftest.$objext"; then + pre_test_object_deps_done=yes + continue + fi + + if test "$pre_test_object_deps_done" = no; then + if test -z "$_LT_TAGVAR(predep_objects, $1)"; then + _LT_TAGVAR(predep_objects, $1)="$p" + else + _LT_TAGVAR(predep_objects, $1)="$_LT_TAGVAR(predep_objects, $1) $p" + fi + else + if test -z "$_LT_TAGVAR(postdep_objects, $1)"; then + _LT_TAGVAR(postdep_objects, $1)="$p" + else + _LT_TAGVAR(postdep_objects, $1)="$_LT_TAGVAR(postdep_objects, $1) $p" + fi + fi + ;; + + *) ;; # Ignore the rest. + + esac + done + + # Clean up. + rm -f a.out a.exe +else + echo "libtool.m4: error: problem compiling $1 test program" +fi + +$RM -f confest.$objext + +# PORTME: override above test on systems where it is broken +m4_if([$1], [CXX], +[case $host_os in +interix[[3-9]]*) + # Interix 3.5 installs completely hosed .la files for C++, so rather than + # hack all around it, let's just trust "g++" to DTRT. + _LT_TAGVAR(predep_objects,$1)= + _LT_TAGVAR(postdep_objects,$1)= + _LT_TAGVAR(postdeps,$1)= + ;; + +linux*) + case `$CC -V 2>&1 | sed 5q` in + *Sun\ C*) + # Sun C++ 5.9 + + # The more standards-conforming stlport4 library is + # incompatible with the Cstd library. Avoid specifying + # it if it's in CXXFLAGS. Ignore libCrun as + # -library=stlport4 depends on it. + case " $CXX $CXXFLAGS " in + *" -library=stlport4 "*) + solaris_use_stlport4=yes + ;; + esac + + if test "$solaris_use_stlport4" != yes; then + _LT_TAGVAR(postdeps,$1)='-library=Cstd -library=Crun' + fi + ;; + esac + ;; + +solaris*) + case $cc_basename in + CC*) + # The more standards-conforming stlport4 library is + # incompatible with the Cstd library. 
Avoid specifying + # it if it's in CXXFLAGS. Ignore libCrun as + # -library=stlport4 depends on it. + case " $CXX $CXXFLAGS " in + *" -library=stlport4 "*) + solaris_use_stlport4=yes + ;; + esac + + # Adding this requires a known-good setup of shared libraries for + # Sun compiler versions before 5.6, else PIC objects from an old + # archive will be linked into the output, leading to subtle bugs. + if test "$solaris_use_stlport4" != yes; then + _LT_TAGVAR(postdeps,$1)='-library=Cstd -library=Crun' + fi + ;; + esac + ;; +esac +]) + +case " $_LT_TAGVAR(postdeps, $1) " in +*" -lc "*) _LT_TAGVAR(archive_cmds_need_lc, $1)=no ;; +esac + _LT_TAGVAR(compiler_lib_search_dirs, $1)= +if test -n "${_LT_TAGVAR(compiler_lib_search_path, $1)}"; then + _LT_TAGVAR(compiler_lib_search_dirs, $1)=`echo " ${_LT_TAGVAR(compiler_lib_search_path, $1)}" | ${SED} -e 's! -L! !g' -e 's!^ !!'` +fi +_LT_TAGDECL([], [compiler_lib_search_dirs], [1], + [The directories searched by this compiler when creating a shared library]) +_LT_TAGDECL([], [predep_objects], [1], + [Dependencies to place before and after the objects being linked to + create a shared library]) +_LT_TAGDECL([], [postdep_objects], [1]) +_LT_TAGDECL([], [predeps], [1]) +_LT_TAGDECL([], [postdeps], [1]) +_LT_TAGDECL([], [compiler_lib_search_path], [1], + [The library search path used internally by the compiler when linking + a shared library]) +])# _LT_SYS_HIDDEN_LIBDEPS + + +# _LT_PROG_F77 +# ------------ +# Since AC_PROG_F77 is broken, in that it returns the empty string +# if there is no fortran compiler, we have our own version here. 
+m4_defun([_LT_PROG_F77], [ - if test "$GCC" = yes; then - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static' +pushdef([AC_MSG_ERROR], [_lt_disable_F77=yes]) +AC_PROG_F77 +if test -z "$F77" || test "X$F77" = "Xno"; then + _lt_disable_F77=yes +fi +popdef([AC_MSG_ERROR]) +])# _LT_PROG_F77 + +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([_LT_PROG_F77], []) + + +# _LT_LANG_F77_CONFIG([TAG]) +# -------------------------- +# Ensure that the configuration variables for a Fortran 77 compiler are +# suitably defined. These variables are subsequently used by _LT_CONFIG +# to write the compiler configuration to `libtool'. +m4_defun([_LT_LANG_F77_CONFIG], +[AC_REQUIRE([_LT_PROG_F77])dnl +AC_LANG_PUSH(Fortran 77) + +_LT_TAGVAR(archive_cmds_need_lc, $1)=no +_LT_TAGVAR(allow_undefined_flag, $1)= +_LT_TAGVAR(always_export_symbols, $1)=no +_LT_TAGVAR(archive_expsym_cmds, $1)= +_LT_TAGVAR(export_dynamic_flag_spec, $1)= +_LT_TAGVAR(hardcode_direct, $1)=no +_LT_TAGVAR(hardcode_direct_absolute, $1)=no +_LT_TAGVAR(hardcode_libdir_flag_spec, $1)= +_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)= +_LT_TAGVAR(hardcode_libdir_separator, $1)= +_LT_TAGVAR(hardcode_minus_L, $1)=no +_LT_TAGVAR(hardcode_automatic, $1)=no +_LT_TAGVAR(inherit_rpath, $1)=no +_LT_TAGVAR(module_cmds, $1)= +_LT_TAGVAR(module_expsym_cmds, $1)= +_LT_TAGVAR(link_all_deplibs, $1)=unknown +_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds +_LT_TAGVAR(no_undefined_flag, $1)= +_LT_TAGVAR(whole_archive_flag_spec, $1)= +_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no + +# Source file extension for f77 test sources. +ac_ext=f + +# Object file extension for compiled f77 test sources. +objext=o +_LT_TAGVAR(objext, $1)=$objext + +# No sense in running all these tests if we already determined that +# the F77 compiler isn't working. 
Some variables (like enable_shared) +# are currently assumed to apply to all compilers on this platform, +# and will be corrupted by setting them based on a non-working compiler. +if test "$_lt_disable_F77" != yes; then + # Code to be used in simple compile tests + lt_simple_compile_test_code="\ + subroutine t + return + end +" + + # Code to be used in simple link tests + lt_simple_link_test_code="\ + program t + end +" + + # ltmain only uses $CC for tagged configurations so make sure $CC is set. + _LT_TAG_COMPILER + + # save warnings/boilerplate of simple test code + _LT_COMPILER_BOILERPLATE + _LT_LINKER_BOILERPLATE + + # Allow CC to be a program name with arguments. + lt_save_CC="$CC" + lt_save_GCC=$GCC + CC=${F77-"f77"} + compiler=$CC + _LT_TAGVAR(compiler, $1)=$CC + _LT_CC_BASENAME([$compiler]) + GCC=$G77 + if test -n "$compiler"; then + AC_MSG_CHECKING([if libtool supports shared libraries]) + AC_MSG_RESULT([$can_build_shared]) + + AC_MSG_CHECKING([whether to build shared libraries]) + test "$can_build_shared" = "no" && enable_shared=no + + # On AIX, shared libraries and static libraries use the same namespace, and + # are all built from PIC. + case $host_os in + aix3*) + test "$enable_shared" = yes && enable_static=no + if test -n "$RANLIB"; then + archive_cmds="$archive_cmds~\$RANLIB \$lib" + postinstall_cmds='$RANLIB $lib' + fi + ;; + aix[[4-9]]*) + if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then + test "$enable_shared" = yes && enable_static=no + fi + ;; + esac + AC_MSG_RESULT([$enable_shared]) + + AC_MSG_CHECKING([whether to build static libraries]) + # Make sure either enable_shared or enable_static is yes. 
+ test "$enable_shared" = yes || enable_static=yes + AC_MSG_RESULT([$enable_static]) + + _LT_TAGVAR(GCC, $1)="$G77" + _LT_TAGVAR(LD, $1)="$LD" + + ## CAVEAT EMPTOR: + ## There is no encapsulation within the following macros, do not change + ## the running order or otherwise move them around unless you know exactly + ## what you are doing... + _LT_COMPILER_PIC($1) + _LT_COMPILER_C_O($1) + _LT_COMPILER_FILE_LOCKS($1) + _LT_LINKER_SHLIBS($1) + _LT_SYS_DYNAMIC_LINKER($1) + _LT_LINKER_HARDCODE_LIBPATH($1) + + _LT_CONFIG($1) + fi # test -n "$compiler" + + GCC=$lt_save_GCC + CC="$lt_save_CC" +fi # test "$_lt_disable_F77" != yes + +AC_LANG_POP +])# _LT_LANG_F77_CONFIG + + +# _LT_PROG_FC +# ----------- +# Since AC_PROG_FC is broken, in that it returns the empty string +# if there is no fortran compiler, we have our own version here. +m4_defun([_LT_PROG_FC], +[ +pushdef([AC_MSG_ERROR], [_lt_disable_FC=yes]) +AC_PROG_FC +if test -z "$FC" || test "X$FC" = "Xno"; then + _lt_disable_FC=yes +fi +popdef([AC_MSG_ERROR]) +])# _LT_PROG_FC + +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([_LT_PROG_FC], []) + + +# _LT_LANG_FC_CONFIG([TAG]) +# ------------------------- +# Ensure that the configuration variables for a Fortran compiler are +# suitably defined. These variables are subsequently used by _LT_CONFIG +# to write the compiler configuration to `libtool'. 
+m4_defun([_LT_LANG_FC_CONFIG], +[AC_REQUIRE([_LT_PROG_FC])dnl +AC_LANG_PUSH(Fortran) + +_LT_TAGVAR(archive_cmds_need_lc, $1)=no +_LT_TAGVAR(allow_undefined_flag, $1)= +_LT_TAGVAR(always_export_symbols, $1)=no +_LT_TAGVAR(archive_expsym_cmds, $1)= +_LT_TAGVAR(export_dynamic_flag_spec, $1)= +_LT_TAGVAR(hardcode_direct, $1)=no +_LT_TAGVAR(hardcode_direct_absolute, $1)=no +_LT_TAGVAR(hardcode_libdir_flag_spec, $1)= +_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)= +_LT_TAGVAR(hardcode_libdir_separator, $1)= +_LT_TAGVAR(hardcode_minus_L, $1)=no +_LT_TAGVAR(hardcode_automatic, $1)=no +_LT_TAGVAR(inherit_rpath, $1)=no +_LT_TAGVAR(module_cmds, $1)= +_LT_TAGVAR(module_expsym_cmds, $1)= +_LT_TAGVAR(link_all_deplibs, $1)=unknown +_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds +_LT_TAGVAR(no_undefined_flag, $1)= +_LT_TAGVAR(whole_archive_flag_spec, $1)= +_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no + +# Source file extension for fc test sources. +ac_ext=${ac_fc_srcext-f} + +# Object file extension for compiled fc test sources. +objext=o +_LT_TAGVAR(objext, $1)=$objext + +# No sense in running all these tests if we already determined that +# the FC compiler isn't working. Some variables (like enable_shared) +# are currently assumed to apply to all compilers on this platform, +# and will be corrupted by setting them based on a non-working compiler. +if test "$_lt_disable_FC" != yes; then + # Code to be used in simple compile tests + lt_simple_compile_test_code="\ + subroutine t + return + end +" + + # Code to be used in simple link tests + lt_simple_link_test_code="\ + program t + end +" + + # ltmain only uses $CC for tagged configurations so make sure $CC is set. + _LT_TAG_COMPILER + + # save warnings/boilerplate of simple test code + _LT_COMPILER_BOILERPLATE + _LT_LINKER_BOILERPLATE + + # Allow CC to be a program name with arguments. 
+ lt_save_CC="$CC" + lt_save_GCC=$GCC + CC=${FC-"f95"} + compiler=$CC + GCC=$ac_cv_fc_compiler_gnu + + _LT_TAGVAR(compiler, $1)=$CC + _LT_CC_BASENAME([$compiler]) + + if test -n "$compiler"; then + AC_MSG_CHECKING([if libtool supports shared libraries]) + AC_MSG_RESULT([$can_build_shared]) + + AC_MSG_CHECKING([whether to build shared libraries]) + test "$can_build_shared" = "no" && enable_shared=no + + # On AIX, shared libraries and static libraries use the same namespace, and + # are all built from PIC. + case $host_os in + aix3*) + test "$enable_shared" = yes && enable_static=no + if test -n "$RANLIB"; then + archive_cmds="$archive_cmds~\$RANLIB \$lib" + postinstall_cmds='$RANLIB $lib' + fi + ;; + aix[[4-9]]*) + if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then + test "$enable_shared" = yes && enable_static=no + fi + ;; + esac + AC_MSG_RESULT([$enable_shared]) + + AC_MSG_CHECKING([whether to build static libraries]) + # Make sure either enable_shared or enable_static is yes. + test "$enable_shared" = yes || enable_static=yes + AC_MSG_RESULT([$enable_static]) + + _LT_TAGVAR(GCC, $1)="$ac_cv_fc_compiler_gnu" + _LT_TAGVAR(LD, $1)="$LD" + + ## CAVEAT EMPTOR: + ## There is no encapsulation within the following macros, do not change + ## the running order or otherwise move them around unless you know exactly + ## what you are doing... + _LT_SYS_HIDDEN_LIBDEPS($1) + _LT_COMPILER_PIC($1) + _LT_COMPILER_C_O($1) + _LT_COMPILER_FILE_LOCKS($1) + _LT_LINKER_SHLIBS($1) + _LT_SYS_DYNAMIC_LINKER($1) + _LT_LINKER_HARDCODE_LIBPATH($1) + + _LT_CONFIG($1) + fi # test -n "$compiler" + + GCC=$lt_save_GCC + CC="$lt_save_CC" +fi # test "$_lt_disable_FC" != yes + +AC_LANG_POP +])# _LT_LANG_FC_CONFIG + + +# _LT_LANG_GCJ_CONFIG([TAG]) +# -------------------------- +# Ensure that the configuration variables for the GNU Java Compiler compiler +# are suitably defined. 
These variables are subsequently used by _LT_CONFIG +# to write the compiler configuration to `libtool'. +m4_defun([_LT_LANG_GCJ_CONFIG], +[AC_REQUIRE([LT_PROG_GCJ])dnl +AC_LANG_SAVE + +# Source file extension for Java test sources. +ac_ext=java + +# Object file extension for compiled Java test sources. +objext=o +_LT_TAGVAR(objext, $1)=$objext + +# Code to be used in simple compile tests +lt_simple_compile_test_code="class foo {}" + +# Code to be used in simple link tests +lt_simple_link_test_code='public class conftest { public static void main(String[[]] argv) {}; }' + +# ltmain only uses $CC for tagged configurations so make sure $CC is set. +_LT_TAG_COMPILER + +# save warnings/boilerplate of simple test code +_LT_COMPILER_BOILERPLATE +_LT_LINKER_BOILERPLATE + +# Allow CC to be a program name with arguments. +lt_save_CC="$CC" +lt_save_GCC=$GCC +GCC=yes +CC=${GCJ-"gcj"} +compiler=$CC +_LT_TAGVAR(compiler, $1)=$CC +_LT_TAGVAR(LD, $1)="$LD" +_LT_CC_BASENAME([$compiler]) - case $host_os in - aix*) - # All AIX code is PIC. - if test "$host_cpu" = ia64; then - # AIX 5 now supports IA64 processor - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' - fi - ;; +# GCJ did not exist at the time GCC didn't implicitly link libc in. +_LT_TAGVAR(archive_cmds_need_lc, $1)=no - amigaos*) - # FIXME: we need at least 68020 code to build shared libraries, but - # adding the `-m68020' flag to GCC prevents building anything better, - # like `-m68040'. - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4' - ;; +_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds - beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) - # PIC is the default for these OSes. 
- ;; +if test -n "$compiler"; then + _LT_COMPILER_NO_RTTI($1) + _LT_COMPILER_PIC($1) + _LT_COMPILER_C_O($1) + _LT_COMPILER_FILE_LOCKS($1) + _LT_LINKER_SHLIBS($1) + _LT_LINKER_HARDCODE_LIBPATH($1) - mingw* | pw32* | os2*) - # This hack is so that the source file can tell whether it is being - # built for inclusion in a dll (and should export symbols for example). - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT' - ;; + _LT_CONFIG($1) +fi - darwin* | rhapsody*) - # PIC is the default on this platform - # Common symbols not allowed in MH_DYLIB files - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common' - ;; +AC_LANG_RESTORE - interix3*) - # Interix 3.x gcc -fpic/-fPIC options generate broken code. - # Instead, we relocate shared libraries at runtime. - ;; +GCC=$lt_save_GCC +CC="$lt_save_CC" +])# _LT_LANG_GCJ_CONFIG - msdosdjgpp*) - # Just because we use GCC doesn't mean we suddenly get shared libraries - # on systems that don't support them. - _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no - enable_shared=no - ;; - sysv4*MP*) - if test -d /usr/nec; then - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic - fi - ;; +# _LT_LANG_RC_CONFIG([TAG]) +# ------------------------- +# Ensure that the configuration variables for the Windows resource compiler +# are suitably defined. These variables are subsequently used by _LT_CONFIG +# to write the compiler configuration to `libtool'. +m4_defun([_LT_LANG_RC_CONFIG], +[AC_REQUIRE([LT_PROG_RC])dnl +AC_LANG_SAVE - hpux*) - # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but - # not for PA HP-UX. - case $host_cpu in - hppa*64*|ia64*) - # +Z the default - ;; - *) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' - ;; - esac - ;; +# Source file extension for RC test sources. +ac_ext=rc - *) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' - ;; - esac - else - # PORTME Check for flag to pass linker flags through the system compiler. 
- case $host_os in - aix*) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - if test "$host_cpu" = ia64; then - # AIX 5 now supports IA64 processor - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' - else - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp' +# Object file extension for compiled RC test sources. +objext=o +_LT_TAGVAR(objext, $1)=$objext + +# Code to be used in simple compile tests +lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }' + +# Code to be used in simple link tests +lt_simple_link_test_code="$lt_simple_compile_test_code" + +# ltmain only uses $CC for tagged configurations so make sure $CC is set. +_LT_TAG_COMPILER + +# save warnings/boilerplate of simple test code +_LT_COMPILER_BOILERPLATE +_LT_LINKER_BOILERPLATE + +# Allow CC to be a program name with arguments. +lt_save_CC="$CC" +lt_save_GCC=$GCC +GCC= +CC=${RC-"windres"} +compiler=$CC +_LT_TAGVAR(compiler, $1)=$CC +_LT_CC_BASENAME([$compiler]) +_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes + +if test -n "$compiler"; then + : + _LT_CONFIG($1) +fi + +GCC=$lt_save_GCC +AC_LANG_RESTORE +CC="$lt_save_CC" +])# _LT_LANG_RC_CONFIG + + +# LT_PROG_GCJ +# ----------- +AC_DEFUN([LT_PROG_GCJ], +[m4_ifdef([AC_PROG_GCJ], [AC_PROG_GCJ], + [m4_ifdef([A][M_PROG_GCJ], [A][M_PROG_GCJ], + [AC_CHECK_TOOL(GCJ, gcj,) + test "x${GCJFLAGS+set}" = xset || GCJFLAGS="-g -O2" + AC_SUBST(GCJFLAGS)])])[]dnl +]) + +# Old name: +AU_ALIAS([LT_AC_PROG_GCJ], [LT_PROG_GCJ]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([LT_AC_PROG_GCJ], []) + + +# LT_PROG_RC +# ---------- +AC_DEFUN([LT_PROG_RC], +[AC_CHECK_TOOL(RC, windres,) +]) + +# Old name: +AU_ALIAS([LT_AC_PROG_RC], [LT_PROG_RC]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([LT_AC_PROG_RC], []) + + +# _LT_DECL_EGREP +# -------------- +# If we don't have a new enough Autoconf to choose the best grep +# available, choose the one first in the user's PATH. 
+m4_defun([_LT_DECL_EGREP], +[AC_REQUIRE([AC_PROG_EGREP])dnl +AC_REQUIRE([AC_PROG_FGREP])dnl +test -z "$GREP" && GREP=grep +_LT_DECL([], [GREP], [1], [A grep program that handles long lines]) +_LT_DECL([], [EGREP], [1], [An ERE matcher]) +_LT_DECL([], [FGREP], [1], [A literal string matcher]) +dnl Non-bleeding-edge autoconf doesn't subst GREP, so do it here too +AC_SUBST([GREP]) +]) + + +# _LT_DECL_OBJDUMP +# -------------- +# If we don't have a new enough Autoconf to choose the best objdump +# available, choose the one first in the user's PATH. +m4_defun([_LT_DECL_OBJDUMP], +[AC_CHECK_TOOL(OBJDUMP, objdump, false) +test -z "$OBJDUMP" && OBJDUMP=objdump +_LT_DECL([], [OBJDUMP], [1], [An object symbol dumper]) +AC_SUBST([OBJDUMP]) +]) + + +# _LT_DECL_SED +# ------------ +# Check for a fully-functional sed program, that truncates +# as few characters as possible. Prefer GNU sed if found. +m4_defun([_LT_DECL_SED], +[AC_PROG_SED +test -z "$SED" && SED=sed +Xsed="$SED -e 1s/^X//" +_LT_DECL([], [SED], [1], [A sed program that does not truncate output]) +_LT_DECL([], [Xsed], ["\$SED -e 1s/^X//"], + [Sed that helps us avoid accidentally triggering echo(1) options like -n]) +])# _LT_DECL_SED + +m4_ifndef([AC_PROG_SED], [ +# NOTE: This macro has been submitted for inclusion into # +# GNU Autoconf as AC_PROG_SED. When it is available in # +# a released version of Autoconf we should remove this # +# macro and use it instead. # + +m4_defun([AC_PROG_SED], +[AC_MSG_CHECKING([for a sed that does not truncate output]) +AC_CACHE_VAL(lt_cv_path_SED, +[# Loop through the user's path and test for sed and gsed. +# Then use that list of sed's as ones to test for truncation. +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for lt_ac_prog in sed gsed; do + for ac_exec_ext in '' $ac_executable_extensions; do + if $as_executable_p "$as_dir/$lt_ac_prog$ac_exec_ext"; then + lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext" fi - ;; - darwin*) - # PIC is the default on this platform - # Common symbols not allowed in MH_DYLIB files - case $cc_basename in - xlc*) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-qnocommon' - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - ;; - esac - ;; + done + done +done +IFS=$as_save_IFS +lt_ac_max=0 +lt_ac_count=0 +# Add /usr/xpg4/bin/sed as it is typically found on Solaris +# along with /bin/sed that truncates output. +for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do + test ! -f $lt_ac_sed && continue + cat /dev/null > conftest.in + lt_ac_count=0 + echo $ECHO_N "0123456789$ECHO_C" >conftest.in + # Check for GNU sed and select it if it is found. + if "$lt_ac_sed" --version 2>&1 < /dev/null | grep 'GNU' > /dev/null; then + lt_cv_path_SED=$lt_ac_sed + break + fi + while true; do + cat conftest.in conftest.in >conftest.tmp + mv conftest.tmp conftest.in + cp conftest.in conftest.nl + echo >>conftest.nl + $lt_ac_sed -e 's/a$//' < conftest.nl >conftest.out || break + cmp -s conftest.out conftest.nl || break + # 10000 chars as input seems more than enough + test $lt_ac_count -gt 10 && break + lt_ac_count=`expr $lt_ac_count + 1` + if test $lt_ac_count -gt $lt_ac_max; then + lt_ac_max=$lt_ac_count + lt_cv_path_SED=$lt_ac_sed + fi + done +done +]) +SED=$lt_cv_path_SED +AC_SUBST([SED]) +AC_MSG_RESULT([$SED]) +])#AC_PROG_SED +])#m4_ifndef - mingw* | pw32* | os2*) - # This hack is so that the source file can tell whether it is being - # built for inclusion in a dll (and should export symbols for example). 
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT' - ;; +# Old name: +AU_ALIAS([LT_AC_PROG_SED], [AC_PROG_SED]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([LT_AC_PROG_SED], []) - hpux9* | hpux10* | hpux11*) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but - # not for PA HP-UX. - case $host_cpu in - hppa*64*|ia64*) - # +Z the default - ;; - *) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z' - ;; - esac - # Is there a better lt_prog_compiler_static that works with the bundled CC? - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive' - ;; - irix5* | irix6* | nonstopux*) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - # PIC (with -KPIC) is the default. - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' - ;; +# _LT_CHECK_SHELL_FEATURES +# ------------------------ +# Find out whether the shell is Bourne or XSI compatible, +# or has some other useful features. +m4_defun([_LT_CHECK_SHELL_FEATURES], +[AC_MSG_CHECKING([whether the shell understands some XSI constructs]) +# Try some XSI features +xsi_shell=no +( _lt_dummy="a/b/c" + test "${_lt_dummy##*/},${_lt_dummy%/*},"${_lt_dummy%"$_lt_dummy"}, \ + = c,a/b,, \ + && eval 'test $(( 1 + 1 )) -eq 2 \ + && test "${#_lt_dummy}" -eq 5' ) >/dev/null 2>&1 \ + && xsi_shell=yes +AC_MSG_RESULT([$xsi_shell]) +_LT_CONFIG_LIBTOOL_INIT([xsi_shell='$xsi_shell']) + +AC_MSG_CHECKING([whether the shell understands "+="]) +lt_shell_append=no +( foo=bar; set foo baz; eval "$[1]+=\$[2]" && test "$foo" = barbaz ) \ + >/dev/null 2>&1 \ + && lt_shell_append=yes +AC_MSG_RESULT([$lt_shell_append]) +_LT_CONFIG_LIBTOOL_INIT([lt_shell_append='$lt_shell_append']) - newsos6) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' - ;; +if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then + lt_unset=unset +else + lt_unset=false +fi +_LT_DECL([], [lt_unset], [0], [whether the shell understands 
"unset"])dnl - linux*) - case $cc_basename in - icc* | ecc*) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static' - ;; - pgcc* | pgf77* | pgf90* | pgf95*) - # Portland Group compilers (*not* the Pentium gcc compiler, - # which looks to be a dead project) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fpic' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' - ;; - ccc*) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - # All Alpha code is PIC. - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' - ;; - esac - ;; +# test EBCDIC or ASCII +case `echo X|tr X '\101'` in + A) # ASCII based system + # \n is not interpreted correctly by Solaris 8 /usr/ucb/tr + lt_SP2NL='tr \040 \012' + lt_NL2SP='tr \015\012 \040\040' + ;; + *) # EBCDIC based system + lt_SP2NL='tr \100 \n' + lt_NL2SP='tr \r\n \100\100' + ;; +esac +_LT_DECL([SP2NL], [lt_SP2NL], [1], [turn spaces into newlines])dnl +_LT_DECL([NL2SP], [lt_NL2SP], [1], [turn newlines into spaces])dnl +])# _LT_CHECK_SHELL_FEATURES - osf3* | osf4* | osf5*) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - # All OSF/1 code is PIC. - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' - ;; - solaris*) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' - case $cc_basename in - f77* | f90* | f95*) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ';; - *) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,';; - esac - ;; +# _LT_PROG_XSI_SHELLFNS +# --------------------- +# Bourne and XSI compatible variants of some useful shell functions. +m4_defun([_LT_PROG_XSI_SHELLFNS], +[case $xsi_shell in + yes) + cat << \_LT_EOF >> "$cfgfile" + +# func_dirname file append nondir_replacement +# Compute the dirname of FILE. If nonempty, add APPEND to the result, +# otherwise set result to NONDIR_REPLACEMENT. 
+func_dirname () +{ + case ${1} in + */*) func_dirname_result="${1%/*}${2}" ;; + * ) func_dirname_result="${3}" ;; + esac +} + +# func_basename file +func_basename () +{ + func_basename_result="${1##*/}" +} + +# func_dirname_and_basename file append nondir_replacement +# perform func_basename and func_dirname in a single function +# call: +# dirname: Compute the dirname of FILE. If nonempty, +# add APPEND to the result, otherwise set result +# to NONDIR_REPLACEMENT. +# value returned in "$func_dirname_result" +# basename: Compute filename of FILE. +# value retuned in "$func_basename_result" +# Implementation must be kept synchronized with func_dirname +# and func_basename. For efficiency, we do not delegate to +# those functions but instead duplicate the functionality here. +func_dirname_and_basename () +{ + case ${1} in + */*) func_dirname_result="${1%/*}${2}" ;; + * ) func_dirname_result="${3}" ;; + esac + func_basename_result="${1##*/}" +} + +# func_stripname prefix suffix name +# strip PREFIX and SUFFIX off of NAME. +# PREFIX and SUFFIX must not contain globbing or regex special +# characters, hashes, percent signs, but SUFFIX may contain a leading +# dot (in which case that matches only a dot). +func_stripname () +{ + # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are + # positional parameters, so assign one to ordinary parameter first. + func_stripname_result=${3} + func_stripname_result=${func_stripname_result#"${1}"} + func_stripname_result=${func_stripname_result%"${2}"} +} + +# func_opt_split +func_opt_split () +{ + func_opt_split_opt=${1%%=*} + func_opt_split_arg=${1#*=} +} + +# func_lo2o object +func_lo2o () +{ + case ${1} in + *.lo) func_lo2o_result=${1%.lo}.${objext} ;; + *) func_lo2o_result=${1} ;; + esac +} + +# func_xform libobj-or-source +func_xform () +{ + func_xform_result=${1%.*}.lo +} + +# func_arith arithmetic-term... +func_arith () +{ + func_arith_result=$(( $[*] )) +} + +# func_len string +# STRING may not start with a hyphen. 
+func_len () +{ + func_len_result=${#1} +} + +_LT_EOF + ;; + *) # Bourne compatible functions. + cat << \_LT_EOF >> "$cfgfile" + +# func_dirname file append nondir_replacement +# Compute the dirname of FILE. If nonempty, add APPEND to the result, +# otherwise set result to NONDIR_REPLACEMENT. +func_dirname () +{ + # Extract subdirectory from the argument. + func_dirname_result=`$ECHO "X${1}" | $Xsed -e "$dirname"` + if test "X$func_dirname_result" = "X${1}"; then + func_dirname_result="${3}" + else + func_dirname_result="$func_dirname_result${2}" + fi +} + +# func_basename file +func_basename () +{ + func_basename_result=`$ECHO "X${1}" | $Xsed -e "$basename"` +} - sunos4*) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ' - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-PIC' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' - ;; +dnl func_dirname_and_basename +dnl A portable version of this function is already defined in general.m4sh +dnl so there is no need for it here. + +# func_stripname prefix suffix name +# strip PREFIX and SUFFIX off of NAME. +# PREFIX and SUFFIX must not contain globbing or regex special +# characters, hashes, percent signs, but SUFFIX may contain a leading +# dot (in which case that matches only a dot). 
+# func_strip_suffix prefix name +func_stripname () +{ + case ${2} in + .*) func_stripname_result=`$ECHO "X${3}" \ + | $Xsed -e "s%^${1}%%" -e "s%\\\\${2}\$%%"`;; + *) func_stripname_result=`$ECHO "X${3}" \ + | $Xsed -e "s%^${1}%%" -e "s%${2}\$%%"`;; + esac +} - sysv4 | sysv4.2uw2* | sysv4.3*) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' - ;; +# sed scripts: +my_sed_long_opt='1s/^\(-[[^=]]*\)=.*/\1/;q' +my_sed_long_arg='1s/^-[[^=]]*=//' - sysv4*MP*) - if test -d /usr/nec ;then - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-Kconform_pic' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' - fi - ;; +# func_opt_split +func_opt_split () +{ + func_opt_split_opt=`$ECHO "X${1}" | $Xsed -e "$my_sed_long_opt"` + func_opt_split_arg=`$ECHO "X${1}" | $Xsed -e "$my_sed_long_arg"` +} - sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' - ;; +# func_lo2o object +func_lo2o () +{ + func_lo2o_result=`$ECHO "X${1}" | $Xsed -e "$lo2o"` +} - unicos*) - _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no - ;; +# func_xform libobj-or-source +func_xform () +{ + func_xform_result=`$ECHO "X${1}" | $Xsed -e 's/\.[[^.]]*$/.lo/'` +} - uts4*) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic' - _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' - ;; +# func_arith arithmetic-term... +func_arith () +{ + func_arith_result=`expr "$[@]"` +} - *) - _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no - ;; - esac - fi -]) -AC_MSG_RESULT([$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)]) +# func_len string +# STRING may not start with a hyphen. +func_len () +{ + func_len_result=`expr "$[1]" : ".*" 2>/dev/null || echo $max_cmd_len` +} -# -# Check to make sure the PIC flag actually works. 
-# -if test -n "$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)"; then - AC_LIBTOOL_COMPILER_OPTION([if $compiler PIC flag $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1) works], - _LT_AC_TAGVAR(lt_prog_compiler_pic_works, $1), - [$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)ifelse([$1],[],[ -DPIC],[ifelse([$1],[CXX],[ -DPIC],[])])], [], - [case $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1) in - "" | " "*) ;; - *) _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=" $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)" ;; - esac], - [_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)= - _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no]) -fi -case $host_os in - # For platforms which do not support PIC, -DPIC is meaningless: - *djgpp*) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)= +_LT_EOF +esac + +case $lt_shell_append in + yes) + cat << \_LT_EOF >> "$cfgfile" + +# func_append var value +# Append VALUE to the end of shell variable VAR. +func_append () +{ + eval "$[1]+=\$[2]" +} +_LT_EOF ;; *) - _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)="$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)ifelse([$1],[],[ -DPIC],[ifelse([$1],[CXX],[ -DPIC],[])])" + cat << \_LT_EOF >> "$cfgfile" + +# func_append var value +# Append VALUE to the end of shell variable VAR. +func_append () +{ + eval "$[1]=\$$[1]\$[2]" +} + +_LT_EOF ;; -esac + esac +]) +# Helper functions for option handling. -*- Autoconf -*- # -# Check to make sure the static flag actually works. +# Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc. +# Written by Gary V. 
Vaughan, 2004 # -wl=$_LT_AC_TAGVAR(lt_prog_compiler_wl, $1) eval lt_tmp_static_flag=\"$_LT_AC_TAGVAR(lt_prog_compiler_static, $1)\" -AC_LIBTOOL_LINKER_OPTION([if $compiler static flag $lt_tmp_static_flag works], - _LT_AC_TAGVAR(lt_prog_compiler_static_works, $1), - $lt_tmp_static_flag, - [], - [_LT_AC_TAGVAR(lt_prog_compiler_static, $1)=]) +# This file is free software; the Free Software Foundation gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. + +# serial 6 ltoptions.m4 + +# This is to help aclocal find these macros, as it can't see m4_define. +AC_DEFUN([LTOPTIONS_VERSION], [m4_if([1])]) + + +# _LT_MANGLE_OPTION(MACRO-NAME, OPTION-NAME) +# ------------------------------------------ +m4_define([_LT_MANGLE_OPTION], +[[_LT_OPTION_]m4_bpatsubst($1__$2, [[^a-zA-Z0-9_]], [_])]) + + +# _LT_SET_OPTION(MACRO-NAME, OPTION-NAME) +# --------------------------------------- +# Set option OPTION-NAME for macro MACRO-NAME, and if there is a +# matching handler defined, dispatch to it. Other OPTION-NAMEs are +# saved as a flag. +m4_define([_LT_SET_OPTION], +[m4_define(_LT_MANGLE_OPTION([$1], [$2]))dnl +m4_ifdef(_LT_MANGLE_DEFUN([$1], [$2]), + _LT_MANGLE_DEFUN([$1], [$2]), + [m4_warning([Unknown $1 option `$2'])])[]dnl ]) -# AC_LIBTOOL_PROG_LD_SHLIBS([TAGNAME]) -# ------------------------------------ -# See if the linker supports building shared libraries. -AC_DEFUN([AC_LIBTOOL_PROG_LD_SHLIBS], -[AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries]) -ifelse([$1],[CXX],[ - _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' - case $host_os in - aix4* | aix5*) - # If we're using GNU nm, then we don't want the "-C" option. 
- # -C means demangle to AIX nm, but means don't demangle with GNU nm - if $NM -V 2>&1 | grep 'GNU' > /dev/null; then - _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols' - else - _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols' - fi - ;; - pw32*) - _LT_AC_TAGVAR(export_symbols_cmds, $1)="$ltdll_cmds" - ;; - cygwin* | mingw*) - _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]] /s/.* \([[^ ]]*\)/\1 DATA/;/^.* __nm__/s/^.* __nm__\([[^ ]]*\) [[^ ]]*/\1 DATA/;/^I /d;/^[[AITW]] /s/.* //'\'' | sort | uniq > $export_symbols' - ;; - *) - _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' - ;; - esac -],[ - runpath_var= - _LT_AC_TAGVAR(allow_undefined_flag, $1)= - _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no - _LT_AC_TAGVAR(archive_cmds, $1)= - _LT_AC_TAGVAR(archive_expsym_cmds, $1)= - _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)= - _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1)= - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)= - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)= - _LT_AC_TAGVAR(thread_safe_flag_spec, $1)= - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)= - _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)= - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)= - _LT_AC_TAGVAR(hardcode_direct, $1)=no - _LT_AC_TAGVAR(hardcode_minus_L, $1)=no - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported - _LT_AC_TAGVAR(link_all_deplibs, $1)=unknown - _LT_AC_TAGVAR(hardcode_automatic, $1)=no - _LT_AC_TAGVAR(module_cmds, $1)= - _LT_AC_TAGVAR(module_expsym_cmds, $1)= - 
_LT_AC_TAGVAR(always_export_symbols, $1)=no - _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' - # include_expsyms should be a list of space-separated symbols to be *always* - # included in the symbol list - _LT_AC_TAGVAR(include_expsyms, $1)= - # exclude_expsyms can be an extended regexp of symbols to exclude - # it will be wrapped by ` (' and `)$', so one must not match beginning or - # end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc', - # as well as any symbol that contains `d'. - _LT_AC_TAGVAR(exclude_expsyms, $1)="_GLOBAL_OFFSET_TABLE_" - # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out - # platforms (ab)use it in PIC code, but their linkers get confused if - # the symbol is explicitly referenced. Since portable code cannot - # rely on this symbol name, it's probably fine to never include it in - # preloaded symbol tables. - extract_expsyms_cmds= - # Just being paranoid about ensuring that cc_basename is set. - _LT_CC_BASENAME([$compiler]) - case $host_os in - cygwin* | mingw* | pw32*) - # FIXME: the MSVC++ port hasn't been tested in a loooong time - # When not using gcc, we currently assume that we are using - # Microsoft Visual C++. - if test "$GCC" != yes; then - with_gnu_ld=no - fi - ;; - interix*) - # we just hope/assume this is gcc and not c89 (= MSVC++) - with_gnu_ld=yes - ;; - openbsd*) - with_gnu_ld=no - ;; - esac +# _LT_IF_OPTION(MACRO-NAME, OPTION-NAME, IF-SET, [IF-NOT-SET]) +# ------------------------------------------------------------ +# Execute IF-SET if OPTION is set, IF-NOT-SET otherwise. +m4_define([_LT_IF_OPTION], +[m4_ifdef(_LT_MANGLE_OPTION([$1], [$2]), [$3], [$4])]) - _LT_AC_TAGVAR(ld_shlibs, $1)=yes - if test "$with_gnu_ld" = yes; then - # If archive_cmds runs LD, not CC, wlarc should be empty - wlarc='${wl}' - # Set some defaults for GNU ld with shared library support. 
These - # are reset later if shared libraries are not supported. Putting them - # here allows them to be overridden if necessary. - runpath_var=LD_RUN_PATH - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir' - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' - # ancient GNU ld didn't support --whole-archive et. al. - if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' - else - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)= - fi - supports_anon_versioning=no - case `$LD -v 2>/dev/null` in - *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11 - *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ... - *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ... - *\ 2.11.*) ;; # other 2.11 versions - *) supports_anon_versioning=yes ;; - esac +# _LT_UNLESS_OPTIONS(MACRO-NAME, OPTION-LIST, IF-NOT-SET) +# ------------------------------------------------------- +# Execute IF-NOT-SET unless all options in OPTION-LIST for MACRO-NAME +# are set. +m4_define([_LT_UNLESS_OPTIONS], +[m4_foreach([_LT_Option], m4_split(m4_normalize([$2])), + [m4_ifdef(_LT_MANGLE_OPTION([$1], _LT_Option), + [m4_define([$0_found])])])[]dnl +m4_ifdef([$0_found], [m4_undefine([$0_found])], [$3 +])[]dnl +]) - # See if GNU ld supports shared libraries. - case $host_os in - aix3* | aix4* | aix5*) - # On AIX/PPC, the GNU linker is very broken - if test "$host_cpu" != ia64; then - _LT_AC_TAGVAR(ld_shlibs, $1)=no - cat <&2 -*** Warning: the GNU linker, at least up to release 2.9.1, is reported -*** to be unable to reliably create shared libraries on AIX. -*** Therefore, libtool is disabling shared libraries support. If you -*** really care for shared libraries, you may want to modify your PATH -*** so that a non-GNU linker is found, and then restart. 
+# _LT_SET_OPTIONS(MACRO-NAME, OPTION-LIST) +# ---------------------------------------- +# OPTION-LIST is a space-separated list of Libtool options associated +# with MACRO-NAME. If any OPTION has a matching handler declared with +# LT_OPTION_DEFINE, dispatch to that macro; otherwise complain about +# the unknown option and exit. +m4_defun([_LT_SET_OPTIONS], +[# Set options +m4_foreach([_LT_Option], m4_split(m4_normalize([$2])), + [_LT_SET_OPTION([$1], _LT_Option)]) + +m4_if([$1],[LT_INIT],[ + dnl + dnl Simply set some default values (i.e off) if boolean options were not + dnl specified: + _LT_UNLESS_OPTIONS([LT_INIT], [dlopen], [enable_dlopen=no + ]) + _LT_UNLESS_OPTIONS([LT_INIT], [win32-dll], [enable_win32_dll=no + ]) + dnl + dnl If no reference was made to various pairs of opposing options, then + dnl we run the default mode handler for the pair. For example, if neither + dnl `shared' nor `disable-shared' was passed, we enable building of shared + dnl archives by default: + _LT_UNLESS_OPTIONS([LT_INIT], [shared disable-shared], [_LT_ENABLE_SHARED]) + _LT_UNLESS_OPTIONS([LT_INIT], [static disable-static], [_LT_ENABLE_STATIC]) + _LT_UNLESS_OPTIONS([LT_INIT], [pic-only no-pic], [_LT_WITH_PIC]) + _LT_UNLESS_OPTIONS([LT_INIT], [fast-install disable-fast-install], + [_LT_ENABLE_FAST_INSTALL]) + ]) +])# _LT_SET_OPTIONS -EOF - fi - ;; - amigaos*) - _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' - _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes - - # Samuel A. 
Falvo II reports - # that the semantics of dynamic libraries on AmigaOS, at least up - # to version 4, is to share data among multiple programs linked - # with the same dynamic library. Since this doesn't match the - # behavior of shared libraries on other platforms, we can't use - # them. - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - beos*) - if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported - # Joseph Beckenbach says some releases of gcc - # support --undefined. This deserves some investigation. FIXME - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - else - _LT_AC_TAGVAR(ld_shlibs, $1)=no - fi - ;; +# _LT_MANGLE_DEFUN(MACRO-NAME, OPTION-NAME) +# ----------------------------------------- +m4_define([_LT_MANGLE_DEFUN], +[[_LT_OPTION_DEFUN_]m4_bpatsubst(m4_toupper([$1__$2]), [[^A-Z0-9_]], [_])]) - cygwin* | mingw* | pw32*) - # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless, - # as there is no search path for DLLs. - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' - _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported - _LT_AC_TAGVAR(always_export_symbols, $1)=no - _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes - _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]] /s/.* \([[^ ]]*\)/\1 DATA/'\'' | $SED -e '\''/^[[AITW]] /s/.* //'\'' | sort | uniq > $export_symbols' - if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' - # If the export-symbols file already is a .def file (1st line - # is EXPORTS), use it as is; otherwise, prepend... 
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then - cp $export_symbols $output_objdir/$soname.def; - else - echo EXPORTS > $output_objdir/$soname.def; - cat $export_symbols >> $output_objdir/$soname.def; - fi~ - $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' - else - _LT_AC_TAGVAR(ld_shlibs, $1)=no - fi - ;; +# LT_OPTION_DEFINE(MACRO-NAME, OPTION-NAME, CODE) +# ----------------------------------------------- +m4_define([LT_OPTION_DEFINE], +[m4_define(_LT_MANGLE_DEFUN([$1], [$2]), [$3])[]dnl +])# LT_OPTION_DEFINE - interix3*) - _LT_AC_TAGVAR(hardcode_direct, $1)=no - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' - # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc. - # Instead, shared libraries are loaded at an image base (0x10000000 by - # default) and relocated if they conflict, which is a slow very memory - # consuming and fragmenting process. To avoid this, we pick a random, - # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link - # time. Moving up from 0x10000000 also allows more sbrk(2) space. 
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' - ;; - linux*) - if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - tmp_addflag= - case $cc_basename,$host_cpu in - pgcc*) # Portland Group C compiler - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive' - tmp_addflag=' $pic_flag' - ;; - pgf77* | pgf90* | pgf95*) # Portland Group f77 and f90 compilers - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive' - tmp_addflag=' $pic_flag -Mnomain' ;; - ecc*,ia64* | icc*,ia64*) # Intel C compiler on ia64 - tmp_addflag=' -i_dynamic' ;; - efc*,ia64* | ifort*,ia64*) # Intel Fortran compiler on ia64 - tmp_addflag=' -i_dynamic -nofor_main' ;; - ifc* | ifort*) # Intel Fortran compiler - tmp_addflag=' -nofor_main' ;; - esac - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' +# dlopen +# ------ +LT_OPTION_DEFINE([LT_INIT], [dlopen], [enable_dlopen=yes +]) - if test $supports_anon_versioning = yes; then - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $output_objdir/$libname.ver~ - cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ - $echo "local: *; };" >> 
$output_objdir/$libname.ver~ - $CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib' - fi - else - _LT_AC_TAGVAR(ld_shlibs, $1)=no - fi - ;; +AU_DEFUN([AC_LIBTOOL_DLOPEN], +[_LT_SET_OPTION([LT_INIT], [dlopen]) +AC_DIAGNOSE([obsolete], +[$0: Remove this warning and the call to _LT_SET_OPTION when you +put the `dlopen' option into LT_INIT's first parameter.]) +]) - netbsd*) - if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' - wlarc= - else - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - fi - ;; +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LIBTOOL_DLOPEN], []) - solaris*) - if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then - _LT_AC_TAGVAR(ld_shlibs, $1)=no - cat <&2 -*** Warning: The releases 2.8.* of the GNU linker cannot reliably -*** create shared libraries on Solaris systems. Therefore, libtool -*** is disabling shared libraries support. We urge you to upgrade GNU -*** binutils to release 2.9.1 or newer. Another option is to modify -*** your PATH or compiler configuration so that the native linker is -*** used, and then restart. +# win32-dll +# --------- +# Declare package support for building win32 dll's. 
+LT_OPTION_DEFINE([LT_INIT], [win32-dll], +[enable_win32_dll=yes -EOF - elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - else - _LT_AC_TAGVAR(ld_shlibs, $1)=no - fi - ;; +case $host in +*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-cegcc*) + AC_CHECK_TOOL(AS, as, false) + AC_CHECK_TOOL(DLLTOOL, dlltool, false) + AC_CHECK_TOOL(OBJDUMP, objdump, false) + ;; +esac - sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*) - case `$LD -v 2>&1` in - *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.1[[0-5]].*) - _LT_AC_TAGVAR(ld_shlibs, $1)=no - cat <<_LT_EOF 1>&2 +test -z "$AS" && AS=as +_LT_DECL([], [AS], [0], [Assembler program])dnl -*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not -*** reliably create shared libraries on SCO systems. Therefore, libtool -*** is disabling shared libraries support. We urge you to upgrade GNU -*** binutils to release 2.16.91.0.3 or newer. Another option is to modify -*** your PATH or compiler configuration so that the native linker is -*** used, and then restart. 
+test -z "$DLLTOOL" && DLLTOOL=dlltool +_LT_DECL([], [DLLTOOL], [0], [DLL creation program])dnl -_LT_EOF - ;; - *) - if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`' - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname,-retain-symbols-file,$export_symbols -o $lib' - else - _LT_AC_TAGVAR(ld_shlibs, $1)=no - fi - ;; - esac - ;; +test -z "$OBJDUMP" && OBJDUMP=objdump +_LT_DECL([], [OBJDUMP], [0], [Object dumper program])dnl +])# win32-dll - sunos4*) - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags' - wlarc= - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no +AU_DEFUN([AC_LIBTOOL_WIN32_DLL], +[AC_REQUIRE([AC_CANONICAL_HOST])dnl +_LT_SET_OPTION([LT_INIT], [win32-dll]) +AC_DIAGNOSE([obsolete], +[$0: Remove this warning and the call to _LT_SET_OPTION when you +put the `win32-dll' option into LT_INIT's first parameter.]) +]) + +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LIBTOOL_WIN32_DLL], []) + + +# _LT_ENABLE_SHARED([DEFAULT]) +# ---------------------------- +# implement the --enable-shared flag, and supports the `shared' and +# `disable-shared' LT_INIT options. +# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'. 
+m4_define([_LT_ENABLE_SHARED], +[m4_define([_LT_ENABLE_SHARED_DEFAULT], [m4_if($1, no, no, yes)])dnl +AC_ARG_ENABLE([shared], + [AS_HELP_STRING([--enable-shared@<:@=PKGS@:>@], + [build shared libraries @<:@default=]_LT_ENABLE_SHARED_DEFAULT[@:>@])], + [p=${PACKAGE-default} + case $enableval in + yes) enable_shared=yes ;; + no) enable_shared=no ;; + *) + enable_shared=no + # Look at the argument we got. We use all the common list separators. + lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," + for pkg in $enableval; do + IFS="$lt_save_ifs" + if test "X$pkg" = "X$p"; then + enable_shared=yes + fi + done + IFS="$lt_save_ifs" ;; + esac], + [enable_shared=]_LT_ENABLE_SHARED_DEFAULT) - *) - if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - else - _LT_AC_TAGVAR(ld_shlibs, $1)=no - fi - ;; - esac + _LT_DECL([build_libtool_libs], [enable_shared], [0], + [Whether or not to build shared libraries]) +])# _LT_ENABLE_SHARED - if test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no; then - runpath_var= - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)= - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)= - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)= - fi - else - # PORTME fill in a description of your system's linker (not GNU ld) - case $host_os in - aix3*) - _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported - _LT_AC_TAGVAR(always_export_symbols, $1)=yes - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname' - # Note: this linker hardcodes the directories in LIBPATH if there - # are no directories specified by -L. 
- _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes - if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then - # Neither direct hardcoding nor static linking is supported with a - # broken collect2. - _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported - fi - ;; +LT_OPTION_DEFINE([LT_INIT], [shared], [_LT_ENABLE_SHARED([yes])]) +LT_OPTION_DEFINE([LT_INIT], [disable-shared], [_LT_ENABLE_SHARED([no])]) - aix4* | aix5*) - if test "$host_cpu" = ia64; then - # On IA64, the linker does run time linking by default, so we don't - # have to do anything special. - aix_use_runtimelinking=no - exp_sym_flag='-Bexport' - no_entry_flag="" - else - # If we're using GNU nm, then we don't want the "-C" option. - # -C means demangle to AIX nm, but means don't demangle with GNU nm - if $NM -V 2>&1 | grep 'GNU' > /dev/null; then - _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols' - else - _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols' - fi - aix_use_runtimelinking=no +# Old names: +AC_DEFUN([AC_ENABLE_SHARED], +[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[shared]) +]) - # Test if we are trying to use run time linking or normal - # AIX style linking. If -brtl is somewhere in LDFLAGS, we - # need to do runtime linking. 
- case $host_os in aix4.[[23]]|aix4.[[23]].*|aix5*) - for ld_flag in $LDFLAGS; do - if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then - aix_use_runtimelinking=yes - break - fi - done - ;; - esac +AC_DEFUN([AC_DISABLE_SHARED], +[_LT_SET_OPTION([LT_INIT], [disable-shared]) +]) - exp_sym_flag='-bexport' - no_entry_flag='-bnoentry' - fi +AU_DEFUN([AM_ENABLE_SHARED], [AC_ENABLE_SHARED($@)]) +AU_DEFUN([AM_DISABLE_SHARED], [AC_DISABLE_SHARED($@)]) - # When large executables or shared objects are built, AIX ld can - # have problems creating the table of contents. If linking a library - # or program results in "error TOC overflow" add -mminimal-toc to - # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not - # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS. +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AM_ENABLE_SHARED], []) +dnl AC_DEFUN([AM_DISABLE_SHARED], []) - _LT_AC_TAGVAR(archive_cmds, $1)='' - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':' - _LT_AC_TAGVAR(link_all_deplibs, $1)=yes - if test "$GCC" = yes; then - case $host_os in aix4.[[012]]|aix4.[[012]].*) - # We only want to do this on AIX 4.2 and lower, the check - # below for broken collect2 doesn't work under 4.3+ - collect2name=`${CC} -print-prog-name=collect2` - if test -f "$collect2name" && \ - strings "$collect2name" | grep resolve_lib_name >/dev/null - then - # We have reworked collect2 - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - else - # We have old collect2 - _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported - # It fails to find uninstalled libraries when the uninstalled - # path is not listed in the libpath. 
Setting hardcode_minus_L - # to unsupported forces relinking - _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)= - fi - ;; - esac - shared_flag='-shared' - if test "$aix_use_runtimelinking" = yes; then - shared_flag="$shared_flag "'${wl}-G' - fi - else - # not using gcc - if test "$host_cpu" = ia64; then - # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release - # chokes on -Wl,-G. The following line is correct: - shared_flag='-G' - else - if test "$aix_use_runtimelinking" = yes; then - shared_flag='${wl}-G' - else - shared_flag='${wl}-bM:SRE' - fi - fi - fi - # It seems that -bexpall does not export symbols beginning with - # underscore (_), so it is better to generate a list of symbols to export. - _LT_AC_TAGVAR(always_export_symbols, $1)=yes - if test "$aix_use_runtimelinking" = yes; then - # Warning - without using the other runtime loading flags (-brtl), - # -berok will link without error, but may produce a broken library. - _LT_AC_TAGVAR(allow_undefined_flag, $1)='-berok' - # Determine the default libpath from the value encoded in an empty executable. 
- _LT_AC_SYS_LIBPATH_AIX - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath" - _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag" - else - if test "$host_cpu" = ia64; then - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib' - _LT_AC_TAGVAR(allow_undefined_flag, $1)="-z nodefs" - _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols" - else - # Determine the default libpath from the value encoded in an empty executable. - _LT_AC_SYS_LIBPATH_AIX - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath" - # Warning - without using the other run time loading flags, - # -berok will link without error, but may produce a broken library. - _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok' - _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok' - # Exported symbols can be pulled into shared objects from archives - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='$convenience' - _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes - # This is similar to how AIX traditionally builds its shared libraries. - _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname' +# _LT_ENABLE_STATIC([DEFAULT]) +# ---------------------------- +# implement the --enable-static flag, and support the `static' and +# `disable-static' LT_INIT options. +# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'. 
+m4_define([_LT_ENABLE_STATIC], +[m4_define([_LT_ENABLE_STATIC_DEFAULT], [m4_if($1, no, no, yes)])dnl +AC_ARG_ENABLE([static], + [AS_HELP_STRING([--enable-static@<:@=PKGS@:>@], + [build static libraries @<:@default=]_LT_ENABLE_STATIC_DEFAULT[@:>@])], + [p=${PACKAGE-default} + case $enableval in + yes) enable_static=yes ;; + no) enable_static=no ;; + *) + enable_static=no + # Look at the argument we got. We use all the common list separators. + lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," + for pkg in $enableval; do + IFS="$lt_save_ifs" + if test "X$pkg" = "X$p"; then + enable_static=yes fi - fi + done + IFS="$lt_save_ifs" ;; + esac], + [enable_static=]_LT_ENABLE_STATIC_DEFAULT) - amigaos*) - _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' - _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes - # see comment about different semantics on the GNU ld section - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; + _LT_DECL([build_old_libs], [enable_static], [0], + [Whether or not to build static libraries]) +])# _LT_ENABLE_STATIC - bsdi[[45]]*) - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=-rdynamic - ;; +LT_OPTION_DEFINE([LT_INIT], [static], [_LT_ENABLE_STATIC([yes])]) +LT_OPTION_DEFINE([LT_INIT], [disable-static], [_LT_ENABLE_STATIC([no])]) - cygwin* | mingw* | pw32*) - # When not using gcc, we currently assume that we are using - # Microsoft Visual C++. - # hardcode_libdir_flag_spec is actually meaningless, as there is - # no search path for DLLs. 
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=' ' - _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported - # Tell ltmain to make .lib files, not .a files. - libext=lib - # Tell ltmain to make .dll files, not .so files. - shrext_cmds=".dll" - # FIXME: Setting linknames here is a bad hack. - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames=' - # The linker will automatically build a .lib file if we build a DLL. - _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)='true' - # FIXME: Should let the user specify the lib program. - _LT_AC_TAGVAR(old_archive_cmds, $1)='lib /OUT:$oldlib$oldobjs$old_deplibs' - _LT_AC_TAGVAR(fix_srcfile_path, $1)='`cygpath -w "$srcfile"`' - _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes - ;; +# Old names: +AC_DEFUN([AC_ENABLE_STATIC], +[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[static]) +]) - darwin* | rhapsody*) - case $host_os in - rhapsody* | darwin1.[[012]]) - _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}suppress' - ;; - *) # Darwin 1.3 on - if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then - _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' - else - case ${MACOSX_DEPLOYMENT_TARGET} in - 10.[[012]]) - _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' - ;; - 10.*) - _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}dynamic_lookup' - ;; - esac - fi - ;; - esac - _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no - _LT_AC_TAGVAR(hardcode_direct, $1)=no - _LT_AC_TAGVAR(hardcode_automatic, $1)=yes - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='' - _LT_AC_TAGVAR(link_all_deplibs, $1)=yes - if test "$GCC" = yes ; then - output_verbose_link_cmd='echo' - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name 
$rpath/$soname $verstring' - _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags' - # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - else - case $cc_basename in - xlc*) - output_verbose_link_cmd='echo' - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring' - _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags' - # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - ;; - *) - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - 
esac - fi - ;; +AC_DEFUN([AC_DISABLE_STATIC], +[_LT_SET_OPTION([LT_INIT], [disable-static]) +]) - dgux*) - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - ;; +AU_DEFUN([AM_ENABLE_STATIC], [AC_ENABLE_STATIC($@)]) +AU_DEFUN([AM_DISABLE_STATIC], [AC_DISABLE_STATIC($@)]) - freebsd1*) - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AM_ENABLE_STATIC], []) +dnl AC_DEFUN([AM_DISABLE_STATIC], []) - # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor - # support. Future versions do this automatically, but an explicit c++rt0.o - # does not break anything, and helps significantly (at the cost of a little - # extra space). - freebsd2.2*) - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - ;; - # Unfortunately, older versions of FreeBSD 2 do not have this feature. - freebsd2*) - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - ;; - # FreeBSD 3 and greater uses gcc -shared to do shared libraries. - freebsd* | kfreebsd*-gnu | dragonfly*) - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -o $lib $libobjs $deplibs $compiler_flags' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no +# _LT_ENABLE_FAST_INSTALL([DEFAULT]) +# ---------------------------------- +# implement the --enable-fast-install flag, and support the `fast-install' +# and `disable-fast-install' LT_INIT options. 
+# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'. +m4_define([_LT_ENABLE_FAST_INSTALL], +[m4_define([_LT_ENABLE_FAST_INSTALL_DEFAULT], [m4_if($1, no, no, yes)])dnl +AC_ARG_ENABLE([fast-install], + [AS_HELP_STRING([--enable-fast-install@<:@=PKGS@:>@], + [optimize for fast installation @<:@default=]_LT_ENABLE_FAST_INSTALL_DEFAULT[@:>@])], + [p=${PACKAGE-default} + case $enableval in + yes) enable_fast_install=yes ;; + no) enable_fast_install=no ;; + *) + enable_fast_install=no + # Look at the argument we got. We use all the common list separators. + lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," + for pkg in $enableval; do + IFS="$lt_save_ifs" + if test "X$pkg" = "X$p"; then + enable_fast_install=yes + fi + done + IFS="$lt_save_ifs" ;; + esac], + [enable_fast_install=]_LT_ENABLE_FAST_INSTALL_DEFAULT) - hpux9*) - if test "$GCC" = yes; then - _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' - else - _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' - fi - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - _LT_AC_TAGVAR(hardcode_direct, $1)=yes +_LT_DECL([fast_install], [enable_fast_install], [0], + [Whether or not to optimize for fast installation])dnl +])# _LT_ENABLE_FAST_INSTALL + +LT_OPTION_DEFINE([LT_INIT], [fast-install], [_LT_ENABLE_FAST_INSTALL([yes])]) +LT_OPTION_DEFINE([LT_INIT], [disable-fast-install], [_LT_ENABLE_FAST_INSTALL([no])]) + +# Old names: +AU_DEFUN([AC_ENABLE_FAST_INSTALL], +[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[fast-install]) +AC_DIAGNOSE([obsolete], +[$0: Remove this warning and the call to 
_LT_SET_OPTION when you put +the `fast-install' option into LT_INIT's first parameter.]) +]) - # hardcode_minus_L: Not really in the search PATH, - # but as the default location of the library. - _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' - ;; +AU_DEFUN([AC_DISABLE_FAST_INSTALL], +[_LT_SET_OPTION([LT_INIT], [disable-fast-install]) +AC_DIAGNOSE([obsolete], +[$0: Remove this warning and the call to _LT_SET_OPTION when you put +the `disable-fast-install' option into LT_INIT's first parameter.]) +]) - hpux10*) - if test "$GCC" = yes -a "$with_gnu_ld" = no; then - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' - else - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags' - fi - if test "$with_gnu_ld" = no; then - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_ENABLE_FAST_INSTALL], []) +dnl AC_DEFUN([AM_DISABLE_FAST_INSTALL], []) - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' - # hardcode_minus_L: Not really in the search PATH, - # but as the default location of the library. - _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes - fi - ;; +# _LT_WITH_PIC([MODE]) +# -------------------- +# implement the --with-pic flag, and support the `pic-only' and `no-pic' +# LT_INIT options. +# MODE is either `yes' or `no'. If omitted, it defaults to `both'. 
+m4_define([_LT_WITH_PIC], +[AC_ARG_WITH([pic], + [AS_HELP_STRING([--with-pic], + [try to use only PIC/non-PIC objects @<:@default=use both@:>@])], + [pic_mode="$withval"], + [pic_mode=default]) - hpux11*) - if test "$GCC" = yes -a "$with_gnu_ld" = no; then - case $host_cpu in - hppa*64*) - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' - ;; - ia64*) - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags' - ;; - *) - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' - ;; - esac - else - case $host_cpu in - hppa*64*) - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' - ;; - ia64*) - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags' - ;; - *) - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' - ;; - esac - fi - if test "$with_gnu_ld" = no; then - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: +test -z "$pic_mode" && pic_mode=m4_default([$1], [default]) - case $host_cpu in - hppa*64*|ia64*) - _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir' - _LT_AC_TAGVAR(hardcode_direct, $1)=no - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - ;; - *) - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' +_LT_DECL([], [pic_mode], [0], [What type of objects to build])dnl +])# _LT_WITH_PIC - # hardcode_minus_L: Not really in the search PATH, - # but as the default location of the library. 
- _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes - ;; - esac - fi - ;; +LT_OPTION_DEFINE([LT_INIT], [pic-only], [_LT_WITH_PIC([yes])]) +LT_OPTION_DEFINE([LT_INIT], [no-pic], [_LT_WITH_PIC([no])]) - irix5* | irix6* | nonstopux*) - if test "$GCC" = yes; then - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' - else - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='-rpath $libdir' - fi - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - _LT_AC_TAGVAR(link_all_deplibs, $1)=yes - ;; +# Old name: +AU_DEFUN([AC_LIBTOOL_PICMODE], +[_LT_SET_OPTION([LT_INIT], [pic-only]) +AC_DIAGNOSE([obsolete], +[$0: Remove this warning and the call to _LT_SET_OPTION when you +put the `pic-only' option into LT_INIT's first parameter.]) +]) - netbsd*) - if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out - else - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF - fi - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - ;; +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LIBTOOL_PICMODE], []) - newsos6) - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - 
_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - ;; - openbsd*) - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' - else - case $host_os in - openbsd[[01]].* | openbsd2.[[0-7]] | openbsd2.[[0-7]].*) - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' - ;; - *) - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' - ;; - esac - fi - ;; +m4_define([_LTDL_MODE], []) +LT_OPTION_DEFINE([LTDL_INIT], [nonrecursive], + [m4_define([_LTDL_MODE], [nonrecursive])]) +LT_OPTION_DEFINE([LTDL_INIT], [recursive], + [m4_define([_LTDL_MODE], [recursive])]) +LT_OPTION_DEFINE([LTDL_INIT], [subproject], + [m4_define([_LTDL_MODE], [subproject])]) - os2*) - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' - _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes - _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported - _LT_AC_TAGVAR(archive_cmds, $1)='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def' - 
_LT_AC_TAGVAR(old_archive_From_new_cmds, $1)='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def' - ;; +m4_define([_LTDL_TYPE], []) +LT_OPTION_DEFINE([LTDL_INIT], [installable], + [m4_define([_LTDL_TYPE], [installable])]) +LT_OPTION_DEFINE([LTDL_INIT], [convenience], + [m4_define([_LTDL_TYPE], [convenience])]) - osf3*) - if test "$GCC" = yes; then - _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*' - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' - else - _LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*' - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - fi - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - ;; +# ltsugar.m4 -- libtool m4 base layer. -*-Autoconf-*- +# +# Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc. +# Written by Gary V. Vaughan, 2004 +# +# This file is free software; the Free Software Foundation gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. + +# serial 6 ltsugar.m4 + +# This is to help aclocal find these macros, as it can't see m4_define. +AC_DEFUN([LTSUGAR_VERSION], [m4_if([0.1])]) + + +# lt_join(SEP, ARG1, [ARG2...]) +# ----------------------------- +# Produce ARG1SEPARG2...SEPARGn, omitting [] arguments and their +# associated separator. +# Needed until we can rely on m4_join from Autoconf 2.62, since all earlier +# versions in m4sugar had bugs. 
+m4_define([lt_join], +[m4_if([$#], [1], [], + [$#], [2], [[$2]], + [m4_if([$2], [], [], [[$2]_])$0([$1], m4_shift(m4_shift($@)))])]) +m4_define([_lt_join], +[m4_if([$#$2], [2], [], + [m4_if([$2], [], [], [[$1$2]])$0([$1], m4_shift(m4_shift($@)))])]) - osf4* | osf5*) # as osf3* with the addition of -msym flag - if test "$GCC" = yes; then - _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*' - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' - else - _LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*' - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~ - $LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~$rm $lib.exp' - # Both c and cxx compiler support -rpath directly - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir' - fi - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: - ;; +# lt_car(LIST) +# lt_cdr(LIST) +# ------------ +# Manipulate m4 lists. +# These macros are necessary as long as will still need to support +# Autoconf-2.59 which quotes differently. 
+m4_define([lt_car], [[$1]]) +m4_define([lt_cdr], +[m4_if([$#], 0, [m4_fatal([$0: cannot be called without arguments])], + [$#], 1, [], + [m4_dquote(m4_shift($@))])]) +m4_define([lt_unquote], $1) + + +# lt_append(MACRO-NAME, STRING, [SEPARATOR]) +# ------------------------------------------ +# Redefine MACRO-NAME to hold its former content plus `SEPARATOR'`STRING'. +# Note that neither SEPARATOR nor STRING are expanded; they are appended +# to MACRO-NAME as is (leaving the expansion for when MACRO-NAME is invoked). +# No SEPARATOR is output if MACRO-NAME was previously undefined (different +# than defined and empty). +# +# This macro is needed until we can rely on Autoconf 2.62, since earlier +# versions of m4sugar mistakenly expanded SEPARATOR but not STRING. +m4_define([lt_append], +[m4_define([$1], + m4_ifdef([$1], [m4_defn([$1])[$3]])[$2])]) - solaris*) - _LT_AC_TAGVAR(no_undefined_flag, $1)=' -z text' - if test "$GCC" = yes; then - wlarc='${wl}' - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~ - $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp' - else - wlarc='' - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~ - $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp' - fi - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - case $host_os in - solaris2.[[0-5]] | solaris2.[[0-5]].*) ;; - *) - # The compiler driver will combine linker options so we - # 
cannot just pass the convience library names through - # without $wl, iff we do not link with $LD. - # Luckily, gcc supports the same syntax we need for Sun Studio. - # Supported since Solaris 2.6 (maybe 2.5.1?) - case $wlarc in - '') - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract' ;; - *) - _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract' ;; - esac ;; - esac - _LT_AC_TAGVAR(link_all_deplibs, $1)=yes - ;; - sunos4*) - if test "x$host_vendor" = xsequent; then - # Use $CC to link under sequent, because it throws in some extra .o - # files that make .init and .fini sections work. - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags' - else - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags' - fi - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' - _LT_AC_TAGVAR(hardcode_direct, $1)=yes - _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - ;; - sysv4) - case $host_vendor in - sni) - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - _LT_AC_TAGVAR(hardcode_direct, $1)=yes # is this really true??? - ;; - siemens) - ## LD is ld it makes a PLAMLIB - ## CC just makes a GrossModule. 
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -o $lib $libobjs $deplibs $linker_flags' - _LT_AC_TAGVAR(reload_cmds, $1)='$CC -r -o $output$reload_objs' - _LT_AC_TAGVAR(hardcode_direct, $1)=no - ;; - motorola) - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - _LT_AC_TAGVAR(hardcode_direct, $1)=no #Motorola manual says yes, but my tests say they lie - ;; - esac - runpath_var='LD_RUN_PATH' - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - ;; +# lt_combine(SEP, PREFIX-LIST, INFIX, SUFFIX1, [SUFFIX2...]) +# ---------------------------------------------------------- +# Produce a SEP delimited list of all paired combinations of elements of +# PREFIX-LIST with SUFFIX1 through SUFFIXn. Each element of the list +# has the form PREFIXmINFIXSUFFIXn. +# Needed until we can rely on m4_combine added in Autoconf 2.62. +m4_define([lt_combine], +[m4_if(m4_eval([$# > 3]), [1], + [m4_pushdef([_Lt_sep], [m4_define([_Lt_sep], m4_defn([lt_car]))])]]dnl +[[m4_foreach([_Lt_prefix], [$2], + [m4_foreach([_Lt_suffix], + ]m4_dquote(m4_dquote(m4_shift(m4_shift(m4_shift($@)))))[, + [_Lt_sep([$1])[]m4_defn([_Lt_prefix])[$3]m4_defn([_Lt_suffix])])])])]) + + +# lt_if_append_uniq(MACRO-NAME, VARNAME, [SEPARATOR], [UNIQ], [NOT-UNIQ]) +# ----------------------------------------------------------------------- +# Iff MACRO-NAME does not yet contain VARNAME, then append it (delimited +# by SEPARATOR if supplied) and expand UNIQ, else NOT-UNIQ. 
+m4_define([lt_if_append_uniq], +[m4_ifdef([$1], + [m4_if(m4_index([$3]m4_defn([$1])[$3], [$3$2$3]), [-1], + [lt_append([$1], [$2], [$3])$4], + [$5])], + [lt_append([$1], [$2], [$3])$4])]) - sysv4.3*) - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='-Bexport' - ;; - sysv4*MP*) - if test -d /usr/nec; then - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - runpath_var=LD_RUN_PATH - hardcode_runpath_var=yes - _LT_AC_TAGVAR(ld_shlibs, $1)=yes - fi - ;; +# lt_dict_add(DICT, KEY, VALUE) +# ----------------------------- +m4_define([lt_dict_add], +[m4_define([$1($2)], [$3])]) - sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7*) - _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text' - _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - runpath_var='LD_RUN_PATH' - if test "$GCC" = yes; then - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' - else - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' - fi - ;; +# lt_dict_add_subkey(DICT, KEY, SUBKEY, VALUE) +# -------------------------------------------- +m4_define([lt_dict_add_subkey], +[m4_define([$1($2:$3)], [$4])]) - sysv5* | sco3.2v5* | sco5v6*) - # Note: We can NOT use -z defs as we might desire, because we do not - # link with -lc, and that would cause any symbols used from libc to - # always be unresolved, which means just about no library would - # ever 
link correctly. If we're not using GNU ld we use -z text - # though, which does catch some bad symbols but isn't as heavy-handed - # as -z defs. - _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text' - _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs' - _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`' - _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':' - _LT_AC_TAGVAR(link_all_deplibs, $1)=yes - _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport' - runpath_var='LD_RUN_PATH' - if test "$GCC" = yes; then - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags' - else - _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags' - _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags' - fi - ;; +# lt_dict_fetch(DICT, KEY, [SUBKEY]) +# ---------------------------------- +m4_define([lt_dict_fetch], +[m4_ifval([$3], + m4_ifdef([$1($2:$3)], [m4_defn([$1($2:$3)])]), + m4_ifdef([$1($2)], [m4_defn([$1($2)])]))]) + + +# lt_if_dict_fetch(DICT, KEY, [SUBKEY], VALUE, IF-TRUE, [IF-FALSE]) +# ----------------------------------------------------------------- +m4_define([lt_if_dict_fetch], +[m4_if(lt_dict_fetch([$1], [$2], [$3]), [$4], + [$5], + [$6])]) + + +# lt_dict_filter(DICT, [SUBKEY], VALUE, [SEPARATOR], KEY, [...]) +# -------------------------------------------------------------- +m4_define([lt_dict_filter], +[m4_if([$5], [], [], + [lt_join(m4_quote(m4_default([$4], [[, ]])), + 
lt_unquote(m4_split(m4_normalize(m4_foreach(_Lt_key, lt_car([m4_shiftn(4, $@)]), + [lt_if_dict_fetch([$1], _Lt_key, [$2], [$3], [_Lt_key ])])))))])[]dnl +]) - uts4*) - _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' - _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no - ;; +# ltversion.m4 -- version numbers -*- Autoconf -*- +# +# Copyright (C) 2004 Free Software Foundation, Inc. +# Written by Scott James Remnant, 2004 +# +# This file is free software; the Free Software Foundation gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. - *) - _LT_AC_TAGVAR(ld_shlibs, $1)=no - ;; - esac - fi +# Generated from ltversion.in. + +# serial 3017 ltversion.m4 +# This file is part of GNU Libtool + +m4_define([LT_PACKAGE_VERSION], [2.2.6b]) +m4_define([LT_PACKAGE_REVISION], [1.3017]) + +AC_DEFUN([LTVERSION_VERSION], +[macro_version='2.2.6b' +macro_revision='1.3017' +_LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?]) +_LT_DECL(, macro_revision, 0) ]) -AC_MSG_RESULT([$_LT_AC_TAGVAR(ld_shlibs, $1)]) -test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no +# lt~obsolete.m4 -- aclocal satisfying obsolete definitions. -*-Autoconf-*- # -# Do we need to explicitly link libc? +# Copyright (C) 2004, 2005, 2007 Free Software Foundation, Inc. +# Written by Scott James Remnant, 2004. # -case "x$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)" in -x|xyes) - # Assume -lc should be added - _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes +# This file is free software; the Free Software Foundation gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. + +# serial 4 lt~obsolete.m4 + +# These exist entirely to fool aclocal when bootstrapping libtool. 
+# +# In the past libtool.m4 has provided macros via AC_DEFUN (or AU_DEFUN) +# which have later been changed to m4_define as they aren't part of the +# exported API, or moved to Autoconf or Automake where they belong. +# +# The trouble is, aclocal is a bit thick. It'll see the old AC_DEFUN +# in /usr/share/aclocal/libtool.m4 and remember it, then when it sees us +# using a macro with the same name in our local m4/libtool.m4 it'll +# pull the old libtool.m4 in (it doesn't see our shiny new m4_define +# and doesn't know about Autoconf macros at all.) +# +# So we provide this file, which has a silly filename so it's always +# included after everything else. This provides aclocal with the +# AC_DEFUNs it wants, but when m4 processes it, it doesn't do anything +# because those macros already exist, or will be overwritten later. +# We use AC_DEFUN over AU_DEFUN for compatibility with aclocal-1.6. +# +# Anytime we withdraw an AC_DEFUN or AU_DEFUN, remember to add it here. +# Yes, that means every name once taken will need to remain here until +# we give up compatibility with versions before 1.7, at which point +# we need to keep only those names which we still refer to. + +# This is to help aclocal find these macros, as it can't see m4_define. 
+AC_DEFUN([LTOBSOLETE_VERSION], [m4_if([1])]) + +m4_ifndef([AC_LIBTOOL_LINKER_OPTION], [AC_DEFUN([AC_LIBTOOL_LINKER_OPTION])]) +m4_ifndef([AC_PROG_EGREP], [AC_DEFUN([AC_PROG_EGREP])]) +m4_ifndef([_LT_AC_PROG_ECHO_BACKSLASH], [AC_DEFUN([_LT_AC_PROG_ECHO_BACKSLASH])]) +m4_ifndef([_LT_AC_SHELL_INIT], [AC_DEFUN([_LT_AC_SHELL_INIT])]) +m4_ifndef([_LT_AC_SYS_LIBPATH_AIX], [AC_DEFUN([_LT_AC_SYS_LIBPATH_AIX])]) +m4_ifndef([_LT_PROG_LTMAIN], [AC_DEFUN([_LT_PROG_LTMAIN])]) +m4_ifndef([_LT_AC_TAGVAR], [AC_DEFUN([_LT_AC_TAGVAR])]) +m4_ifndef([AC_LTDL_ENABLE_INSTALL], [AC_DEFUN([AC_LTDL_ENABLE_INSTALL])]) +m4_ifndef([AC_LTDL_PREOPEN], [AC_DEFUN([AC_LTDL_PREOPEN])]) +m4_ifndef([_LT_AC_SYS_COMPILER], [AC_DEFUN([_LT_AC_SYS_COMPILER])]) +m4_ifndef([_LT_AC_LOCK], [AC_DEFUN([_LT_AC_LOCK])]) +m4_ifndef([AC_LIBTOOL_SYS_OLD_ARCHIVE], [AC_DEFUN([AC_LIBTOOL_SYS_OLD_ARCHIVE])]) +m4_ifndef([_LT_AC_TRY_DLOPEN_SELF], [AC_DEFUN([_LT_AC_TRY_DLOPEN_SELF])]) +m4_ifndef([AC_LIBTOOL_PROG_CC_C_O], [AC_DEFUN([AC_LIBTOOL_PROG_CC_C_O])]) +m4_ifndef([AC_LIBTOOL_SYS_HARD_LINK_LOCKS], [AC_DEFUN([AC_LIBTOOL_SYS_HARD_LINK_LOCKS])]) +m4_ifndef([AC_LIBTOOL_OBJDIR], [AC_DEFUN([AC_LIBTOOL_OBJDIR])]) +m4_ifndef([AC_LTDL_OBJDIR], [AC_DEFUN([AC_LTDL_OBJDIR])]) +m4_ifndef([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH], [AC_DEFUN([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH])]) +m4_ifndef([AC_LIBTOOL_SYS_LIB_STRIP], [AC_DEFUN([AC_LIBTOOL_SYS_LIB_STRIP])]) +m4_ifndef([AC_PATH_MAGIC], [AC_DEFUN([AC_PATH_MAGIC])]) +m4_ifndef([AC_PROG_LD_GNU], [AC_DEFUN([AC_PROG_LD_GNU])]) +m4_ifndef([AC_PROG_LD_RELOAD_FLAG], [AC_DEFUN([AC_PROG_LD_RELOAD_FLAG])]) +m4_ifndef([AC_DEPLIBS_CHECK_METHOD], [AC_DEFUN([AC_DEPLIBS_CHECK_METHOD])]) +m4_ifndef([AC_LIBTOOL_PROG_COMPILER_NO_RTTI], [AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_NO_RTTI])]) +m4_ifndef([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE], [AC_DEFUN([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE])]) +m4_ifndef([AC_LIBTOOL_PROG_COMPILER_PIC], [AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_PIC])]) +m4_ifndef([AC_LIBTOOL_PROG_LD_SHLIBS], 
[AC_DEFUN([AC_LIBTOOL_PROG_LD_SHLIBS])]) +m4_ifndef([AC_LIBTOOL_POSTDEP_PREDEP], [AC_DEFUN([AC_LIBTOOL_POSTDEP_PREDEP])]) +m4_ifndef([LT_AC_PROG_EGREP], [AC_DEFUN([LT_AC_PROG_EGREP])]) +m4_ifndef([LT_AC_PROG_SED], [AC_DEFUN([LT_AC_PROG_SED])]) +m4_ifndef([_LT_CC_BASENAME], [AC_DEFUN([_LT_CC_BASENAME])]) +m4_ifndef([_LT_COMPILER_BOILERPLATE], [AC_DEFUN([_LT_COMPILER_BOILERPLATE])]) +m4_ifndef([_LT_LINKER_BOILERPLATE], [AC_DEFUN([_LT_LINKER_BOILERPLATE])]) +m4_ifndef([_AC_PROG_LIBTOOL], [AC_DEFUN([_AC_PROG_LIBTOOL])]) +m4_ifndef([AC_LIBTOOL_SETUP], [AC_DEFUN([AC_LIBTOOL_SETUP])]) +m4_ifndef([_LT_AC_CHECK_DLFCN], [AC_DEFUN([_LT_AC_CHECK_DLFCN])]) +m4_ifndef([AC_LIBTOOL_SYS_DYNAMIC_LINKER], [AC_DEFUN([AC_LIBTOOL_SYS_DYNAMIC_LINKER])]) +m4_ifndef([_LT_AC_TAGCONFIG], [AC_DEFUN([_LT_AC_TAGCONFIG])]) +m4_ifndef([AC_DISABLE_FAST_INSTALL], [AC_DEFUN([AC_DISABLE_FAST_INSTALL])]) +m4_ifndef([_LT_AC_LANG_CXX], [AC_DEFUN([_LT_AC_LANG_CXX])]) +m4_ifndef([_LT_AC_LANG_F77], [AC_DEFUN([_LT_AC_LANG_F77])]) +m4_ifndef([_LT_AC_LANG_GCJ], [AC_DEFUN([_LT_AC_LANG_GCJ])]) +m4_ifndef([AC_LIBTOOL_RC], [AC_DEFUN([AC_LIBTOOL_RC])]) +m4_ifndef([AC_LIBTOOL_LANG_C_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG])]) +m4_ifndef([_LT_AC_LANG_C_CONFIG], [AC_DEFUN([_LT_AC_LANG_C_CONFIG])]) +m4_ifndef([AC_LIBTOOL_LANG_CXX_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG])]) +m4_ifndef([_LT_AC_LANG_CXX_CONFIG], [AC_DEFUN([_LT_AC_LANG_CXX_CONFIG])]) +m4_ifndef([AC_LIBTOOL_LANG_F77_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_F77_CONFIG])]) +m4_ifndef([_LT_AC_LANG_F77_CONFIG], [AC_DEFUN([_LT_AC_LANG_F77_CONFIG])]) +m4_ifndef([AC_LIBTOOL_LANG_GCJ_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_GCJ_CONFIG])]) +m4_ifndef([_LT_AC_LANG_GCJ_CONFIG], [AC_DEFUN([_LT_AC_LANG_GCJ_CONFIG])]) +m4_ifndef([AC_LIBTOOL_LANG_RC_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG])]) +m4_ifndef([_LT_AC_LANG_RC_CONFIG], [AC_DEFUN([_LT_AC_LANG_RC_CONFIG])]) +m4_ifndef([AC_LIBTOOL_CONFIG], [AC_DEFUN([AC_LIBTOOL_CONFIG])]) +m4_ifndef([_LT_AC_FILE_LTDLL_C], 
[AC_DEFUN([_LT_AC_FILE_LTDLL_C])]) + +# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- +# +# Copyright © 2004 Scott James Remnant . +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. - if test "$enable_shared" = yes && test "$GCC" = yes; then - case $_LT_AC_TAGVAR(archive_cmds, $1) in - *'~'*) - # FIXME: we may have to deal with multi-command sequences. - ;; - '$CC '*) - # Test whether the compiler implicitly links with -lc since on some - # systems, -lgcc has to come before -lc. If gcc already passes -lc - # to ld, don't add -lc before -lgcc. 
- AC_MSG_CHECKING([whether -lc should be explicitly linked in]) - $rm conftest* - printf "$lt_simple_compile_test_code" > conftest.$ac_ext +# PKG_PROG_PKG_CONFIG([MIN-VERSION]) +# ---------------------------------- +AC_DEFUN([PKG_PROG_PKG_CONFIG], +[m4_pattern_forbid([^_?PKG_[A-Z_]+$]) +m4_pattern_allow([^PKG_CONFIG(_PATH)?$]) +AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])dnl +if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then + AC_PATH_TOOL([PKG_CONFIG], [pkg-config]) +fi +if test -n "$PKG_CONFIG"; then + _pkg_min_version=m4_default([$1], [0.9.0]) + AC_MSG_CHECKING([pkg-config is at least version $_pkg_min_version]) + if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then + AC_MSG_RESULT([yes]) + else + AC_MSG_RESULT([no]) + PKG_CONFIG="" + fi + +fi[]dnl +])# PKG_PROG_PKG_CONFIG + +# PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) +# +# Check to see whether a particular set of modules exists. Similar +# to PKG_CHECK_MODULES(), but does not set variables or print errors. +# +# +# Similar to PKG_CHECK_MODULES, make sure that the first instance of +# this or PKG_CHECK_MODULES is called, or make sure to call +# PKG_CHECK_EXISTS manually +# -------------------------------------------------------------- +AC_DEFUN([PKG_CHECK_EXISTS], +[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl +if test -n "$PKG_CONFIG" && \ + AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then + m4_ifval([$2], [$2], [:]) +m4_ifvaln([$3], [else + $3])dnl +fi]) - if AC_TRY_EVAL(ac_compile) 2>conftest.err; then - soname=conftest - lib=conftest - libobjs=conftest.$ac_objext - deplibs= - wl=$_LT_AC_TAGVAR(lt_prog_compiler_wl, $1) - pic_flag=$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1) - compiler_flags=-v - linker_flags=-v - verstring= - output_objdir=. 
- libname=conftest - lt_save_allow_undefined_flag=$_LT_AC_TAGVAR(allow_undefined_flag, $1) - _LT_AC_TAGVAR(allow_undefined_flag, $1)= - if AC_TRY_EVAL(_LT_AC_TAGVAR(archive_cmds, $1) 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) - then - _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no - else - _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes - fi - _LT_AC_TAGVAR(allow_undefined_flag, $1)=$lt_save_allow_undefined_flag - else - cat conftest.err 1>&5 - fi - $rm conftest* - AC_MSG_RESULT([$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)]) - ;; - esac - fi - ;; -esac -])# AC_LIBTOOL_PROG_LD_SHLIBS +# _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES]) +# --------------------------------------------- +m4_define([_PKG_CONFIG], +[if test -n "$$1"; then + pkg_cv_[]$1="$$1" + elif test -n "$PKG_CONFIG"; then + PKG_CHECK_EXISTS([$3], + [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`], + [pkg_failed=yes]) + else + pkg_failed=untried +fi[]dnl +])# _PKG_CONFIG -# _LT_AC_FILE_LTDLL_C -# ------------------- -# Be careful that the start marker always follows a newline. 
-AC_DEFUN([_LT_AC_FILE_LTDLL_C], [ -# /* ltdll.c starts here */ -# #define WIN32_LEAN_AND_MEAN -# #include -# #undef WIN32_LEAN_AND_MEAN -# #include -# -# #ifndef __CYGWIN__ -# # ifdef __CYGWIN32__ -# # define __CYGWIN__ __CYGWIN32__ -# # endif -# #endif -# -# #ifdef __cplusplus -# extern "C" { -# #endif -# BOOL APIENTRY DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved); -# #ifdef __cplusplus -# } -# #endif -# -# #ifdef __CYGWIN__ -# #include -# DECLARE_CYGWIN_DLL( DllMain ); -# #endif -# HINSTANCE __hDllInstance_base; -# -# BOOL APIENTRY -# DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved) -# { -# __hDllInstance_base = hInst; -# return TRUE; -# } -# /* ltdll.c ends here */ -])# _LT_AC_FILE_LTDLL_C +# _PKG_SHORT_ERRORS_SUPPORTED +# ----------------------------- +AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED], +[AC_REQUIRE([PKG_PROG_PKG_CONFIG]) +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi[]dnl +])# _PKG_SHORT_ERRORS_SUPPORTED -# _LT_AC_TAGVAR(VARNAME, [TAGNAME]) -# --------------------------------- -AC_DEFUN([_LT_AC_TAGVAR], [ifelse([$2], [], [$1], [$1_$2])]) +# PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND], +# [ACTION-IF-NOT-FOUND]) +# +# +# Note that if there is a possibility the first call to +# PKG_CHECK_MODULES might not happen, you should be sure to include an +# explicit call to PKG_PROG_PKG_CONFIG in your configure.ac +# +# +# -------------------------------------------------------------- +AC_DEFUN([PKG_CHECK_MODULES], +[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl +AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl +AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl +pkg_failed=no +AC_MSG_CHECKING([for $1]) -# old names -AC_DEFUN([AM_PROG_LIBTOOL], [AC_PROG_LIBTOOL]) -AC_DEFUN([AM_ENABLE_SHARED], [AC_ENABLE_SHARED($@)]) -AC_DEFUN([AM_ENABLE_STATIC], [AC_ENABLE_STATIC($@)]) -AC_DEFUN([AM_DISABLE_SHARED], 
[AC_DISABLE_SHARED($@)]) -AC_DEFUN([AM_DISABLE_STATIC], [AC_DISABLE_STATIC($@)]) -AC_DEFUN([AM_PROG_LD], [AC_PROG_LD]) -AC_DEFUN([AM_PROG_NM], [AC_PROG_NM]) +_PKG_CONFIG([$1][_CFLAGS], [cflags], [$2]) +_PKG_CONFIG([$1][_LIBS], [libs], [$2]) -# This is just to silence aclocal about the macro not being used -ifelse([AC_DISABLE_FAST_INSTALL]) +m4_define([_PKG_TEXT], [Alternatively, you may set the environment variables $1[]_CFLAGS +and $1[]_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details.]) + +if test $pkg_failed = yes; then + _PKG_SHORT_ERRORS_SUPPORTED + if test $_pkg_short_errors_supported = yes; then + $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "$2" 2>&1` + else + $1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors "$2" 2>&1` + fi + # Put the nasty error message in config.log where it belongs + echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD -AC_DEFUN([LT_AC_PROG_GCJ], -[AC_CHECK_TOOL(GCJ, gcj, no) - test "x${GCJFLAGS+set}" = xset || GCJFLAGS="-g -O2" - AC_SUBST(GCJFLAGS) -]) + ifelse([$4], , [AC_MSG_ERROR(dnl +[Package requirements ($2) were not met: -AC_DEFUN([LT_AC_PROG_RC], -[AC_CHECK_TOOL(RC, windres, no) -]) +$$1_PKG_ERRORS -# NOTE: This macro has been submitted for inclusion into # -# GNU Autoconf as AC_PROG_SED. When it is available in # -# a released version of Autoconf we should remove this # -# macro and use it instead. # -# LT_AC_PROG_SED -# -------------- -# Check for a fully-functional sed program, that truncates -# as few characters as possible. Prefer GNU sed if found. -AC_DEFUN([LT_AC_PROG_SED], -[AC_MSG_CHECKING([for a sed that does not truncate output]) -AC_CACHE_VAL(lt_cv_path_SED, -[# Loop through the user's path and test for sed and gsed. -# Then use that list of sed's as ones to test for truncation. -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. 
- for lt_ac_prog in sed gsed; do - for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$lt_ac_prog$ac_exec_ext"; then - lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext" - fi - done - done -done -IFS=$as_save_IFS -lt_ac_max=0 -lt_ac_count=0 -# Add /usr/xpg4/bin/sed as it is typically found on Solaris -# along with /bin/sed that truncates output. -for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do - test ! -f $lt_ac_sed && continue - cat /dev/null > conftest.in - lt_ac_count=0 - echo $ECHO_N "0123456789$ECHO_C" >conftest.in - # Check for GNU sed and select it if it is found. - if "$lt_ac_sed" --version 2>&1 < /dev/null | grep 'GNU' > /dev/null; then - lt_cv_path_SED=$lt_ac_sed - break - fi - while true; do - cat conftest.in conftest.in >conftest.tmp - mv conftest.tmp conftest.in - cp conftest.in conftest.nl - echo >>conftest.nl - $lt_ac_sed -e 's/a$//' < conftest.nl >conftest.out || break - cmp -s conftest.out conftest.nl || break - # 10000 chars as input seems more than enough - test $lt_ac_count -gt 10 && break - lt_ac_count=`expr $lt_ac_count + 1` - if test $lt_ac_count -gt $lt_ac_max; then - lt_ac_max=$lt_ac_count - lt_cv_path_SED=$lt_ac_sed - fi - done -done -]) -SED=$lt_cv_path_SED -AC_SUBST([SED]) -AC_MSG_RESULT([$SED]) -]) +Consider adjusting the PKG_CONFIG_PATH environment variable if you +installed software in a non-standard prefix. + +_PKG_TEXT +])], + [AC_MSG_RESULT([no]) + $4]) +elif test $pkg_failed = untried; then + ifelse([$4], , [AC_MSG_FAILURE(dnl +[The pkg-config script could not be found or is too old. Make sure it +is in your PATH or set the PKG_CONFIG environment variable to the full +path to pkg-config. + +_PKG_TEXT -# Copyright (C) 2002, 2003, 2005, 2006 Free Software Foundation, Inc. 
+To get pkg-config, see .])], + [$4]) +else + $1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS + $1[]_LIBS=$pkg_cv_[]$1[]_LIBS + AC_MSG_RESULT([yes]) + ifelse([$3], , :, [$3]) +fi[]dnl +])# PKG_CHECK_MODULES + +# Copyright (C) 2002, 2003, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -6424,10 +8136,10 @@ # generated from the m4 files accompanying Automake X.Y. # (This private macro should not be called outside this file.) AC_DEFUN([AM_AUTOMAKE_VERSION], -[am__api_version='1.10' +[am__api_version='1.11' dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to dnl require some minimum version. Point them to the right macro. -m4_if([$1], [1.10], [], +m4_if([$1], [1.11.1], [], [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl ]) @@ -6441,10 +8153,12 @@ # AM_SET_CURRENT_AUTOMAKE_VERSION # ------------------------------- # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. -# This function is AC_REQUIREd by AC_INIT_AUTOMAKE. +# This function is AC_REQUIREd by AM_INIT_AUTOMAKE. AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], -[AM_AUTOMAKE_VERSION([1.10])dnl -_AM_AUTOCONF_VERSION(m4_PACKAGE_VERSION)]) +[AM_AUTOMAKE_VERSION([1.11.1])dnl +m4_ifndef([AC_AUTOCONF_VERSION], + [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl +_AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) # AM_AUX_DIR_EXPAND -*- Autoconf -*- @@ -6501,14 +8215,14 @@ # AM_CONDITIONAL -*- Autoconf -*- -# Copyright (C) 1997, 2000, 2001, 2003, 2004, 2005, 2006 +# Copyright (C) 1997, 2000, 2001, 2003, 2004, 2005, 2006, 2008 # Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 8 +# serial 9 # AM_CONDITIONAL(NAME, SHELL-CONDITION) # ------------------------------------- 
@@ -6521,6 +8235,7 @@ AC_SUBST([$1_FALSE])dnl _AM_SUBST_NOTMAKE([$1_TRUE])dnl _AM_SUBST_NOTMAKE([$1_FALSE])dnl +m4_define([_AM_COND_VALUE_$1], [$2])dnl if $2; then $1_TRUE= $1_FALSE='#' @@ -6534,14 +8249,14 @@ Usually this means the macro was only invoked conditionally.]]) fi])]) -# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006 +# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2009 # Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 9 +# serial 10 # There are a few dirty hacks below to avoid letting `AC_PROG_CC' be # written in clear, in which case automake, when reading aclocal.m4, @@ -6598,6 +8313,16 @@ if test "$am_compiler_list" = ""; then am_compiler_list=`sed -n ['s/^#*\([a-zA-Z0-9]*\))$/\1/p'] < ./depcomp` fi + am__universal=false + m4_case([$1], [CC], + [case " $depcc " in #( + *\ -arch\ *\ -arch\ *) am__universal=true ;; + esac], + [CXX], + [case " $depcc " in #( + *\ -arch\ *\ -arch\ *) am__universal=true ;; + esac]) + for depmode in $am_compiler_list; do # Setup a source with many dependencies, because some compilers # like to wrap large dependency lists on column 80 (with \), and @@ -6615,7 +8340,17 @@ done echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf + # We check with `-c' and `-o' for the sake of the "dashmstdout" + # mode. It turns out that the SunPro C++ compiler does not properly + # handle `-M -o', and we need to detect this. Also, some Intel + # versions had trouble with output in subdirs + am__obj=sub/conftest.${OBJEXT-o} + am__minus_obj="-o $am__obj" case $depmode in + gcc) + # This depmode causes a compiler race in universal mode. + test "$am__universal" = false || continue + ;; nosideeffect) # after this tag, mechanisms are not by side-effect, so they'll # only be used when explicitly requested 
@@ -6625,19 +8360,23 @@ break fi ;; + msvisualcpp | msvcmsys) + # This compiler won't grok `-c -o', but also, the minuso test has + # not run yet. These depmodes are late enough in the game, and + # so weak that their functioning should not be impacted. + am__obj=conftest.${OBJEXT-o} + am__minus_obj= + ;; none) break ;; esac - # We check with `-c' and `-o' for the sake of the "dashmstdout" - # mode. It turns out that the SunPro C++ compiler does not properly - # handle `-M -o', and we need to detect this. if depmode=$depmode \ - source=sub/conftest.c object=sub/conftest.${OBJEXT-o} \ + source=sub/conftest.c object=$am__obj \ depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \ - $SHELL ./depcomp $depcc -c -o sub/conftest.${OBJEXT-o} sub/conftest.c \ + $SHELL ./depcomp $depcc -c $am__minus_obj sub/conftest.c \ >/dev/null 2>conftest.err && grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 && grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 && - grep sub/conftest.${OBJEXT-o} sub/conftest.Po > /dev/null 2>&1 && + grep $am__obj sub/conftest.Po > /dev/null 2>&1 && ${MAKE-make} -s -f confmf > /dev/null 2>&1; then # icc doesn't choke on unknown options, it will just issue warnings # or remarks (even with -Werror). So we grep stderr for any message 
@@ -6694,57 +8433,68 @@ # Generate code to set up dependency tracking. -*- Autoconf -*- -# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005 +# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2008 # Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -#serial 3 +#serial 5 # _AM_OUTPUT_DEPENDENCY_COMMANDS # ------------------------------ AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS], -[for mf in $CONFIG_FILES; do - # Strip MF so we end up with the name of the file. - mf=`echo "$mf" | sed -e 's/:.*$//'` - # Check whether this is an Automake generated Makefile or not. - # We used to match only the files named `Makefile.in', but - # some people rename them; so instead we look at the file content. - # Grep'ing the first line is not enough: some people post-process - # each Makefile.in and add a new line on top of each file to say so. - # Grep'ing the whole file is not good either: AIX grep has a line - # limit of 2048, but all sed's we know have understand at least 4000. - if sed 10q "$mf" | grep '^#.*generated by automake' > /dev/null 2>&1; then - dirpart=`AS_DIRNAME("$mf")` - else - continue - fi - # Extract the definition of DEPDIR, am__include, and am__quote - # from the Makefile without running `make'. - DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"` - test -z "$DEPDIR" && continue - am__include=`sed -n 's/^am__include = //p' < "$mf"` - test -z "am__include" && continue - am__quote=`sed -n 's/^am__quote = //p' < "$mf"` - # When using ansi2knr, U may be empty or an underscore; expand it - U=`sed -n 's/^U = //p' < "$mf"` - # Find all dependency output files, they are included files with - # $(DEPDIR) in their names. We invoke sed twice because it is the - # simplest approach to changing $(DEPDIR) to its actual value in the - # expansion. 
- for file in `sed -n " - s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \ - sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do - # Make sure the directory exists. - test -f "$dirpart/$file" && continue - fdir=`AS_DIRNAME(["$file"])` - AS_MKDIR_P([$dirpart/$fdir]) - # echo "creating $dirpart/$file" - echo '# dummy' > "$dirpart/$file" +[{ + # Autoconf 2.62 quotes --file arguments for eval, but not when files + # are listed without --file. Let's play safe and only enable the eval + # if we detect the quoting. + case $CONFIG_FILES in + *\'*) eval set x "$CONFIG_FILES" ;; + *) set x $CONFIG_FILES ;; + esac + shift + for mf + do + # Strip MF so we end up with the name of the file. + mf=`echo "$mf" | sed -e 's/:.*$//'` + # Check whether this is an Automake generated Makefile or not. + # We used to match only the files named `Makefile.in', but + # some people rename them; so instead we look at the file content. + # Grep'ing the first line is not enough: some people post-process + # each Makefile.in and add a new line on top of each file to say so. + # Grep'ing the whole file is not good either: AIX grep has a line + # limit of 2048, but all sed's we know have understand at least 4000. + if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then + dirpart=`AS_DIRNAME("$mf")` + else + continue + fi + # Extract the definition of DEPDIR, am__include, and am__quote + # from the Makefile without running `make'. + DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"` + test -z "$DEPDIR" && continue + am__include=`sed -n 's/^am__include = //p' < "$mf"` + test -z "am__include" && continue + am__quote=`sed -n 's/^am__quote = //p' < "$mf"` + # When using ansi2knr, U may be empty or an underscore; expand it + U=`sed -n 's/^U = //p' < "$mf"` + # Find all dependency output files, they are included files with + # $(DEPDIR) in their names. 
We invoke sed twice because it is the + # simplest approach to changing $(DEPDIR) to its actual value in the + # expansion. + for file in `sed -n " + s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \ + sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do + # Make sure the directory exists. + test -f "$dirpart/$file" && continue + fdir=`AS_DIRNAME(["$file"])` + AS_MKDIR_P([$dirpart/$fdir]) + # echo "creating $dirpart/$file" + echo '# dummy' > "$dirpart/$file" + done done -done +} ])# _AM_OUTPUT_DEPENDENCY_COMMANDS @@ -6776,13 +8526,13 @@ # Do all the work for Automake. -*- Autoconf -*- # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, -# 2005, 2006 Free Software Foundation, Inc. +# 2005, 2006, 2008, 2009 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 12 +# serial 16 # This macro actually does too much. Some checks are only needed if # your package does certain things. But this isn't really a big deal. @@ -6799,7 +8549,7 @@ # arguments mandatory, and then we can depend on a new Autoconf # release and drop the old call support. AC_DEFUN([AM_INIT_AUTOMAKE], -[AC_PREREQ([2.60])dnl +[AC_PREREQ([2.62])dnl dnl Autoconf wants to disallow AM_ names. We explicitly allow dnl the ones we care about. m4_pattern_allow([^AM_[A-Z]+FLAGS$])dnl @@ -6850,8 +8600,8 @@ AM_MISSING_PROG(AUTOMAKE, automake-${am__api_version}) AM_MISSING_PROG(AUTOHEADER, autoheader) AM_MISSING_PROG(MAKEINFO, makeinfo) -AM_PROG_INSTALL_SH -AM_PROG_INSTALL_STRIP +AC_REQUIRE([AM_PROG_INSTALL_SH])dnl +AC_REQUIRE([AM_PROG_INSTALL_STRIP])dnl AC_REQUIRE([AM_PROG_MKDIR_P])dnl # We need awk for the "check" target. The system "awk" is bad on # some platforms. 
@@ -6859,24 +8609,37 @@ AC_REQUIRE([AC_PROG_MAKE_SET])dnl AC_REQUIRE([AM_SET_LEADING_DOT])dnl _AM_IF_OPTION([tar-ustar], [_AM_PROG_TAR([ustar])], - [_AM_IF_OPTION([tar-pax], [_AM_PROG_TAR([pax])], - [_AM_PROG_TAR([v7])])]) + [_AM_IF_OPTION([tar-pax], [_AM_PROG_TAR([pax])], + [_AM_PROG_TAR([v7])])]) _AM_IF_OPTION([no-dependencies],, [AC_PROVIDE_IFELSE([AC_PROG_CC], - [_AM_DEPENDENCIES(CC)], - [define([AC_PROG_CC], - defn([AC_PROG_CC])[_AM_DEPENDENCIES(CC)])])dnl + [_AM_DEPENDENCIES(CC)], + [define([AC_PROG_CC], + defn([AC_PROG_CC])[_AM_DEPENDENCIES(CC)])])dnl AC_PROVIDE_IFELSE([AC_PROG_CXX], - [_AM_DEPENDENCIES(CXX)], - [define([AC_PROG_CXX], - defn([AC_PROG_CXX])[_AM_DEPENDENCIES(CXX)])])dnl + [_AM_DEPENDENCIES(CXX)], + [define([AC_PROG_CXX], + defn([AC_PROG_CXX])[_AM_DEPENDENCIES(CXX)])])dnl AC_PROVIDE_IFELSE([AC_PROG_OBJC], - [_AM_DEPENDENCIES(OBJC)], - [define([AC_PROG_OBJC], - defn([AC_PROG_OBJC])[_AM_DEPENDENCIES(OBJC)])])dnl + [_AM_DEPENDENCIES(OBJC)], + [define([AC_PROG_OBJC], + defn([AC_PROG_OBJC])[_AM_DEPENDENCIES(OBJC)])])dnl ]) +_AM_IF_OPTION([silent-rules], [AC_REQUIRE([AM_SILENT_RULES])])dnl +dnl The `parallel-tests' driver may need to know about EXEEXT, so add the +dnl `am__EXEEXT' conditional if _AM_COMPILER_EXEEXT was seen. This macro +dnl is hooked onto _AC_COMPILER_EXEEXT early, see below. +AC_CONFIG_COMMANDS_PRE(dnl +[m4_provide_if([_AM_COMPILER_EXEEXT], + [AM_CONDITIONAL([am__EXEEXT], [test -n "$EXEEXT"])])])dnl ]) +dnl Hook into `_AC_COMPILER_EXEEXT' early to learn its expansion. Do not +dnl add the conditional right here, as _AC_COMPILER_EXEEXT may be further +dnl mangled by Autoconf and run in a shell conditional statement. +m4_define([_AC_COMPILER_EXEEXT], +m4_defn([_AC_COMPILER_EXEEXT])[m4_provide([_AM_COMPILER_EXEEXT])]) + # When config.status generates a header, we must update the stamp-h file. # This file resides in the same directory as the config header 
@@ -6887,18 +8650,19 @@ # our stamp files there. AC_DEFUN([_AC_AM_CONFIG_HEADER_HOOK], [# Compute $1's index in $config_headers. +_am_arg=$1 _am_stamp_count=1 for _am_header in $config_headers :; do case $_am_header in - $1 | $1:* ) + $_am_arg | $_am_arg:* ) break ;; * ) _am_stamp_count=`expr $_am_stamp_count + 1` ;; esac done -echo "timestamp for $1" >`AS_DIRNAME([$1])`/stamp-h[]$_am_stamp_count]) +echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count]) -# Copyright (C) 2001, 2003, 2005 Free Software Foundation, Inc. +# Copyright (C) 2001, 2003, 2005, 2008 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -6909,7 +8673,14 @@ # Define $install_sh. AC_DEFUN([AM_PROG_INSTALL_SH], [AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl -install_sh=${install_sh-"\$(SHELL) $am_aux_dir/install-sh"} +if test x"${install_sh}" != xset; then + case $am_aux_dir in + *\ * | *\ *) + install_sh="\${SHELL} '$am_aux_dir/install-sh'" ;; + *) + install_sh="\${SHELL} $am_aux_dir/install-sh" + esac +fi AC_SUBST(install_sh)]) # Copyright (C) 2003, 2005 Free Software Foundation, Inc. 
@@ -6936,27 +8707,38 @@ # Add --enable-maintainer-mode option to configure. -*- Autoconf -*- # From Jim Meyering -# Copyright (C) 1996, 1998, 2000, 2001, 2002, 2003, 2004, 2005 +# Copyright (C) 1996, 1998, 2000, 2001, 2002, 2003, 2004, 2005, 2008 # Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 4 +# serial 5 +# AM_MAINTAINER_MODE([DEFAULT-MODE]) +# ---------------------------------- +# Control maintainer-specific portions of Makefiles. +# Default is to disable them, unless `enable' is passed literally. +# For symmetry, `disable' may be passed as well. Anyway, the user +# can override the default with the --enable/--disable switch. AC_DEFUN([AM_MAINTAINER_MODE], -[AC_MSG_CHECKING([whether to enable maintainer-specific portions of Makefiles]) - dnl maintainer-mode is disabled by default - AC_ARG_ENABLE(maintainer-mode, -[ --enable-maintainer-mode enable make rules and dependencies not useful +[m4_case(m4_default([$1], [disable]), + [enable], [m4_define([am_maintainer_other], [disable])], + [disable], [m4_define([am_maintainer_other], [enable])], + [m4_define([am_maintainer_other], [enable]) + m4_warn([syntax], [unexpected argument to AM@&t@_MAINTAINER_MODE: $1])]) +AC_MSG_CHECKING([whether to am_maintainer_other maintainer-specific portions of Makefiles]) + dnl maintainer-mode's default is 'disable' unless 'enable' is passed + AC_ARG_ENABLE([maintainer-mode], +[ --][am_maintainer_other][-maintainer-mode am_maintainer_other make rules and dependencies not useful (and sometimes confusing) to the casual installer], - USE_MAINTAINER_MODE=$enableval, - USE_MAINTAINER_MODE=no) + [USE_MAINTAINER_MODE=$enableval], + [USE_MAINTAINER_MODE=]m4_if(am_maintainer_other, [enable], [no], [yes])) AC_MSG_RESULT([$USE_MAINTAINER_MODE]) - AM_CONDITIONAL(MAINTAINER_MODE, [test $USE_MAINTAINER_MODE = yes]) + 
AM_CONDITIONAL([MAINTAINER_MODE], [test $USE_MAINTAINER_MODE = yes]) MAINT=$MAINTAINER_MODE_TRUE - AC_SUBST(MAINT)dnl + AC_SUBST([MAINT])dnl ] ) @@ -6964,13 +8746,13 @@ # Check to see how 'make' treats includes. -*- Autoconf -*- -# Copyright (C) 2001, 2002, 2003, 2005 Free Software Foundation, Inc. +# Copyright (C) 2001, 2002, 2003, 2005, 2009 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 3 +# serial 4 # AM_MAKE_INCLUDE() # ----------------- @@ -6979,7 +8761,7 @@ [am_make=${MAKE-make} cat > confinc << 'END' am__doit: - @echo done + @echo this is the am__doit target .PHONY: am__doit END # If we don't find an include directive, just comment out the code. 
@@ -6989,24 +8771,24 @@ _am_result=none # First try GNU make style include. echo "include confinc" > confmf -# We grep out `Entering directory' and `Leaving directory' -# messages which can occur if `w' ends up in MAKEFLAGS. -# In particular we don't look at `^make:' because GNU make might -# be invoked under some other name (usually "gmake"), in which -# case it prints its new name instead of `make'. -if test "`$am_make -s -f confmf 2> /dev/null | grep -v 'ing directory'`" = "done"; then - am__include=include - am__quote= - _am_result=GNU -fi +# Ignore all kinds of additional output from `make'. +case `$am_make -s -f confmf 2> /dev/null` in #( +*the\ am__doit\ target*) + am__include=include + am__quote= + _am_result=GNU + ;; +esac # Now try BSD make style include. if test "$am__include" = "#"; then echo '.include "confinc"' > confmf - if test "`$am_make -s -f confmf 2> /dev/null`" = "done"; then - am__include=.include - am__quote="\"" - _am_result=BSD - fi + case `$am_make -s -f confmf 2> /dev/null` in #( + *the\ am__doit\ target*) + am__include=.include + am__quote="\"" + _am_result=BSD + ;; + esac fi AC_SUBST([am__include]) AC_SUBST([am__quote]) @@ -7016,14 +8798,14 @@ # Fake the existence of programs that GNU maintainers use. -*- Autoconf -*- -# Copyright (C) 1997, 1999, 2000, 2001, 2003, 2004, 2005 +# Copyright (C) 1997, 1999, 2000, 2001, 2003, 2004, 2005, 2008 # Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 5 +# serial 6 # AM_MISSING_PROG(NAME, PROGRAM) # ------------------------------ 
@@ -7040,7 +8822,14 @@ AC_DEFUN([AM_MISSING_HAS_RUN], [AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl AC_REQUIRE_AUX_FILE([missing])dnl -test x"${MISSING+set}" = xset || MISSING="\${SHELL} $am_aux_dir/missing" +if test x"${MISSING+set}" != xset; then + case $am_aux_dir in + *\ * | *\ *) + MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;; + *) + MISSING="\${SHELL} $am_aux_dir/missing" ;; + esac +fi # Use eval to expand $SHELL if eval "$MISSING --run true"; then am_missing_run="$MISSING --run " @@ -7078,13 +8867,13 @@ # Helper functions for option handling. -*- Autoconf -*- -# Copyright (C) 2001, 2002, 2003, 2005 Free Software Foundation, Inc. +# Copyright (C) 2001, 2002, 2003, 2005, 2008 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 3 +# serial 4 # _AM_MANGLE_OPTION(NAME) # ----------------------- @@ -7101,7 +8890,7 @@ # ---------------------------------- # OPTIONS is a space-separated list of Automake options. AC_DEFUN([_AM_SET_OPTIONS], -[AC_FOREACH([_AM_Option], [$1], [_AM_SET_OPTION(_AM_Option)])]) +[m4_foreach_w([_AM_Option], [$1], [_AM_SET_OPTION(_AM_Option)])]) # _AM_IF_OPTION(OPTION, IF-SET, [IF-NOT-SET]) # ------------------------------------------- @@ -7111,14 +8900,14 @@ # Check to make sure that the build environment is sane. -*- Autoconf -*- -# Copyright (C) 1996, 1997, 2000, 2001, 2003, 2005 +# Copyright (C) 1996, 1997, 2000, 2001, 2003, 2005, 2008 # Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 4 +# serial 5 # AM_SANITY_CHECK # --------------- 
@@ -7127,16 +8916,29 @@ # Just in case sleep 1 echo timestamp > conftest.file +# Reject unsafe characters in $srcdir or the absolute working directory +# name. Accept space and tab only in the latter. +am_lf=' +' +case `pwd` in + *[[\\\"\#\$\&\'\`$am_lf]]*) + AC_MSG_ERROR([unsafe absolute working directory name]);; +esac +case $srcdir in + *[[\\\"\#\$\&\'\`$am_lf\ \ ]]*) + AC_MSG_ERROR([unsafe srcdir value: `$srcdir']);; +esac + # Do `set' in a subshell so we don't clobber the current shell's # arguments. Must try -L first in case configure is actually a # symlink; some systems play weird games with the mod time of symlinks # (eg FreeBSD returns the mod time of the symlink's containing # directory). if ( - set X `ls -Lt $srcdir/configure conftest.file 2> /dev/null` + set X `ls -Lt "$srcdir/configure" conftest.file 2> /dev/null` if test "$[*]" = "X"; then # -L didn't work. - set X `ls -t $srcdir/configure conftest.file` + set X `ls -t "$srcdir/configure" conftest.file` fi rm -f conftest.file if test "$[*]" != "X $srcdir/configure conftest.file" \ 
@@ -7189,18 +8991,25 @@ INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s" AC_SUBST([INSTALL_STRIP_PROGRAM])]) -# Copyright (C) 2006 Free Software Foundation, Inc. +# Copyright (C) 2006, 2008 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. +# serial 2 + # _AM_SUBST_NOTMAKE(VARIABLE) # --------------------------- -# Prevent Automake from outputing VARIABLE = @VARIABLE@ in Makefile.in. +# Prevent Automake from outputting VARIABLE = @VARIABLE@ in Makefile.in. # This macro is traced by Automake. AC_DEFUN([_AM_SUBST_NOTMAKE]) +# AM_SUBST_NOTMAKE(VARIABLE) +# --------------------------- +# Public sister of _AM_SUBST_NOTMAKE. +AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)]) + # Check how to create a tarball. -*- Autoconf -*- # Copyright (C) 2004, 2005 Free Software Foundation, Inc. diff -Nru snort-2.8.5.2/ChangeLog snort-2.9.2/ChangeLog --- snort-2.8.5.2/ChangeLog 2009-12-15 23:27:50.000000000 +0000 +++ snort-2.9.2/ChangeLog 2011-12-08 16:49:14.000000000 +0000 
@@ -1,3 +1,2608 @@
+2011-12-14 Ryan Jordan
+Snort 2.9.2
+ * src/build.h: updating build number to 78
+
+ * snort.8:
+ Fixed spelling errors. Thanks to Neline van Ginkel for the report.
+
+ * src/: snort.c, preprocessors/spp_perfmonitor.c:
+ Perfmonitor "now" files are created after Snort drops privileges.
+
+ * src/output-plugins/spo_unified2.c:
+ Only log IPv6 extra data when the packet is IPv6.
+
+ * src/preprocessors/HttpInspect/: server/hi_server.c, client/hi_client.c:
+ Fixed unfolding of HTTP Headers across packet boundaries.
+ Thanks to Jim Hranicky for reporting this issue on the RC build.
+
+ * src/preprocessors/spp_httpinspect.c:
+ HTTP Inspect should check for hi_swap_config in HttpInspectInit()
+ only when snort is compiled with --enable-reload.
+ Fixed build errors on Win32.
+
+ * src/preprocessors/Stream5/snort_stream5_tcp.c:
+ When pruning a session, don't attempt to flush if the grinder
+ failed to decode a TCP header.
+ Thanks to Jim Hranicky for reporting this issue on the RC build.
+
+2011-11-23 Ryan Jordan
+Snort 2.9.2 RC
+ * src/build.h: updating build number to 75
+
+ * src/preprocessors/spp_httpinspect.c:
+ Fixed an issue with HTTP Inspect server conf reload
+ (when the HTTP Inspect is turned on from off between a reload)
+
+ * src/preprocessors/spp_stream5.c:
+ Fixed a memory leak caused by initializing the expected channel
+ more than once.
+
+ * src/dynamic-preprocessors/dcerpc2/spp_dce2.c:
+ Fixed a segfault during dcerpc2 startup when stream5 is not enabled.
+
+ * src/preprocessors/spp_normalize.c:
+ Added support to turn normalization off or on during a Snort reload.
+
+ * src/dynamic-preprocessors/modbus/spp_modbus.c:
+ Moved the check for truncated PDUs past the port check, to avoid
+ false positives.
+
+ * src/sfutil/bitop_funcs.h:
+ Fixed an error in the allocation of flowbit groups, where bytes
+ were interpreted as bits.
+
+ * src/detection-plugins/sp_flowbits.c:
+ Fixed a flowbits issue where the "isset" operation failed when
+ there was only a single flowbit in a group.
+ Fixed the error message logged when the same flowbit is added
+ to two groups.
+
+ * src/ipv6_port.h:
+ * src/: dynamic-preprocessors/gtp/gtp_parser.c,
+ dynamic-preprocessors/gtp/gtp_roptions.c,
+ dynamic-preprocessors/ftptelnet/pp_ftp.c,
+ dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
+ dynamic-preprocessors/reputation/reputation_config.c,
+ sfutil/segment_mem.c, encode.c:
+ Compiler warning cleanup.
+
+ * doc/: README.reload, snort_manual.pdf, snort_manual.tex:
+ Updated the reload documentation to mention the caveat that exists
+ with reload and fail-open in OpenBSD when Snort is run on primary
+ network interface.
+
+ * src/dynamic-preprocessors/dnp3/: dnp3_reassembly.c,
+ dnp3_reassembly.h, dnp3_roptions.c, spp_dnp3.c:
+ Added support for multiple DNP3 PDUs in a single DNP3 payload.
+ Fixed an issue where the DNP3 preprocessor only identified the
+ minimum reserved address, instead of all reserved addresses.
+
+ * src/dynamic-preprocessors/dnp3/spp_dnp3.h:
+ Updated an incorrect minimum DNP3 memcap to match the documented
+ minimum of 4144 bytes.
+
+ * src/output-plugins/spo_unified2.c:
+ Snort will fatal error when the user configures the same filename
+ for options "alert_unified2" and "log_unified2".
+
+ * src/sfutil/: sfrt.c, sfrt.h, sfrt_dir.c, sfrt_dir.h:
+ Added the ability to delete entries in the sfrt table.
+
+ * src/preprocessors/snort_httpinspect.c,
+ src/preprocessors/spp_frag3.c, src/preprocessors/spp_normalize.c,
+ src/preprocessors/spp_stream5.c,
+ src/preprocessors/Stream5/snort_stream5_tcp.c,
+ src/preprocessors/Stream5/stream5_common.c,
+ src/dynamic-preprocessors/reputation/reputation_config.c,
+ etc/gen-msg.map, src/detection-plugins/sp_flowbits.c,
+ src/detection-plugins/sp_replace.c,
+ src/output-plugins/spo_alert_sf_socket.c, src/decode.c,
+ src/detect.c, src/generators.h, src/sfdaq.c, src/snort.c,
+ src/tag.c, src/util.c, src/dynamic-plugins/sf_dynamic_plugins.c,
+ src/sfutil/acsmx2.c, configure.in,
+ src/dynamic-preprocessors/dnp3/spp_dnp3.c,
+ src/target-based/sftarget_protocol_reference.c:
+ * src/dynamic-preprocessors/dnp3/dnp3_roptions.c:
+ Made the format of warning messages consistent.
+
+ * src/dynamic-preprocessors/: dnp3/spp_dnp3.c, modbus/spp_modbus.c:
+ Providing an empty port list now causes a fatal error.
+
+ * src/dynamic-preprocessors/dnp3/spp_dnp3.h:
+ Fixed reserved address check on big-endian machines.
+
+ * src/preprocessors/Stream5/snort_stream5_tcp.c:
+ Changed identification of TCP retransmits by comparing payloads
+ instead of TCP checksums.
+
+ * src/decode.h, src/dynamic-plugins/sf_engine/sf_snort_packet.h,
+ src/dynamic-preprocessors/imap/snort_imap.c,
+ src/dynamic-preprocessors/pop/snort_pop.c,
+ src/dynamic-preprocessors/smtp/smtp_util.c,
+ src/dynamic-preprocessors/smtp/snort_smtp.c,
+ src/output-plugins/spo_unified2.c,
+ src/preprocessors/snort_httpinspect.c,
+ src/preprocessors/snort_httpinspect.h,
+ src/preprocessors/spp_httpinspect.c,
+ src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h,
+ src/preprocessors/HttpInspect/include/hi_ui_config.h,
+ src/sfutil/Unified2_common.h, tools/u2spewfoo/u2spewfoo.c:
+ Enable logging of normalized JavaScript to unified2 when built
+ without --enable-sourcefire.
+ - Changed extra data logging to log packet-specific data
+ (gzip/normalized) after each packet.
+ - Updated u2spewfoo to read the normalized JavaScript
+ extra data.
+
+ * src/dynamic-preprocessors/dnp3/dnp3_reassembly.c:
+ Fixed a bug where "dnp3_data" rules would not work if the content
+ was broken up by CRCs or split across multiple DNP3 segments.
+ As a result, DNP3 rules that inspect the DNP3 headers now require
+ "rawbytes" to work correctly, as the DNP3 reassembly buffer is
+ inspected by default.
+
+ * etc/gen-msg.map, preproc_rules/preprocessor.rules,
+ src/dynamic-preprocessors/dnp3/spp_dnp3.h:
+ Removed DNP3 rule 145:5, and decremented the SIDs of rules 145:6
+ and 145:7. The old 145:5 was never able to be triggered.
+ Updated references for rules 119:15 and 137:1.
+
+ * rpm/snort.spec:
+ Updated the RPM spec file to use wildcards for linking and installing
+ preprocessors. Thanks to Tim Brigham for the suggestion.
+
+ * src/detection_util.h:
+ Increased the URI buffer size from 4096 to 8192 to normalize and
+ detect longer URIs.
+
+ * src/preprocessors/: spp_frag3.c, spp_stream5.c,
+ Stream5/snort_stream5_tcp.c, Stream5/snort_stream5_udp.c:
+ Change the printing function of tracker/session sizes
+ (TcpSession/UdpSession/StreamLWSession/FragTarcker) from fprintf
+ to LogMessage.
+ Fix handling of "first" and "vista" policies in stream5 that,
+ under certain circumstances with overlaps and gaps, could cause
+ the stream5 segmentation list to get out of order.
+
+ * doc/snort_manual.pdf, doc/snort_manual.tex,
+ src/detection-plugins/sp_dsize_check.c:
+ Enable the "dsize" rule option with rebuilt packets, if it is the
+ start of a PDU. Thanks to Dave Bertouille for reporting this problem.
+
+ * src/dynamic-preprocessors/modbus/modbus_decode.c:
+ Added length checking for Modbus "Read File Record" and
+ "Write File Record" requests.
+
+ * src/output-plugins/spo_unified2.c, src/sfutil/Unified2_common.h,
+ tools/u2spewfoo/u2spewfoo.c:
+ Added new Unified2 event structs with extra application ID data.
+ Updated u2spewfoo to read these fields.
+
+ * src/detection-plugins/: sp_asn1_detect.c, sp_byte_check.c,
+ sp_byte_jump.c, sp_isdataat.c:
+ Allow rule evaluation to continue if the doe_ptr reaches the end
+ of a buffer, but a negative offset brings it back in-bounds.
+ Thanks again to Dave Bertouille for the suggestion.
+
+ * src/target-based/sf_attribute_table.y:
+ Allow empty attribute_value in attribute table.
+
+ * configure.in,
+ src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
+ Added Protocol-Aware Flushing support for FTP.
+
+ * snort.8:
+ Updated the man page to include more signals that have been used.
+ Made some format changes, thanks to Markus Lude.
+
+ * doc/Makefile.am:
+ Fixed an error while running "make distcleancheck".
+
+ * doc/snort_manual.pdf, doc/snort_manual.tex,
+ src/win32/WIN32-Includes/config.h, configure.in, src/snort.c,
+ src/snort.h, src/util.c, src/control/sfcontrol.c,
+ src/target-based/sftarget_reader.c:
+ Redefined default signals, and added support for signal
+ customization.
+
+
+2011-10-28 Ryan Jordan
+Snort 2.9.2 Beta
+ * src/build.h: updating build number to 64
+
+ * src/preprocessors/: snort_httpinspect.c,
+ HttpInspect/include/hi_ui_config.h,
+ HttpInspect/server/hi_server.c,
+ HttpInspect/server/hi_server_norm.c,
+ HttpInspect/user_interface/hi_ui_config.c:
+ * src/sfutil/: util_jsnorm.c, util_jsnorm.h:
+ Updated the HTTP preprocessor to normalize HTTP responses that include
+ javascript escaped data in their bodies. This expands Snort's coverage
+ in detecting HTTP client-side attacks.
+ See the Snort Manual and README.http_inspect for configuration details.
+
+ * doc/README.modbus:
+ * src/dynamic-preprocessors/modbus/: Makefile.am, modbus_decode.c,
+ modbus_decode.h, modbus_paf.c, modbus_paf.h, modbus_roptions.c,
+ modbus_roptions.h, sf_modbus.dsp, spp_modbus.c, spp_modbus.h:
+ Added the Modbus preprocessor, which decodes the Modbus protocol and
+ provides new rule options for some protocol fields.
+ See the Snort Manual and README.modbus for more details.
+
+ * doc/README.dnp3:
+ * src/dynamic-preprocessors/dnp3/: Makefile.am, dnp3_map.c, dnp3_map.h,
+ dnp3_paf.c, dnp3_paf.h, dnp3_reassembly.c, dnp3_reassembly.h,
+ dnp3_roptions.c, dnp3_roptions.h, sf_dnp3.dsp, spp_dnp3.c, spp_dnp3.h:
+ Added the DNP3 preprocessor, which decodes the DNP3 protocol
+ and provides new rule options for some protocol fields.
+ The preprocessor also performs reassembly of segmented DNP3 traffic.
+ See the Snort Manual and README.dnp3 for more details.
+
+ * doc/README.gtp:
+ * src/decode.c:
+ * src/dynamic-preprocessors/gtp/: Makefile.am, gtp_config.c,
+ gtp_config.h, gtp_debug.h, gtp_parser.c, gtp_parser.h, gtp_roptions.c,
+ gtp_roptions.h, sf_gtp.dsp, spp_gtp.c, spp_gtp.h
+ Added a packet decoder and preprocessor for the GTP protocol.
+ These support detecting attacks over GTP (GPRS Tunneling Protocol).
+ See the Snort Manual and README.gtp for more details.
+
+ * doc/faq.pdf, doc/faq.tex, src/Makefile.am, src/debug.c,
+ src/smalloc.h, src/snort_debug.h,
+ src/dynamic-plugins/sf_dynamic_common.h,
+ src/dynamic-preprocessors/dcerpc2/dce2_paf.c,
+ src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
+ src/dynamic-preprocessors/gtp/gtp_debug.h,
+ src/dynamic-preprocessors/sip/sip_debug.h,
+ src/parser/IpAddrSet.c,
+ src/preprocessors/HttpInspect/utils/hi_paf.c,
+ src/preprocessors/Stream5/stream5_paf.c:
+ Expanded the debug bits from 32 to 64 bits.
+
+ * src/preprocessors/: spp_stream5.c, Stream5/snort_stream5_icmp.c,
+ Stream5/snort_stream5_icmp.h, Stream5/snort_stream5_ip.c,
+ Stream5/snort_stream5_ip.h, Stream5/snort_stream5_udp.c,
+ Stream5/snort_stream5_udp.h:
+ Cleaned up application data for non-TCP sessions after
+ a block or timeout.
+
+ * src/preprocessors/spp_sfportscan.c:
+ Negative memcap numbers are no longer allowed.
+
+ * src/preprocessors/HttpInspect/server/hi_server.c:
+ HTTP responses with incorrect status messages are now inspected.
+
+ * src/preprocessors/Stream5/stream5_paf.c:
+ Fixed PAF callback registration during Snort reload.
+
+ * src/parser.c:
+ Fixed crash when setting HOME_NET to an empty variable.
+ Thanks to Elof for reporting this issue.
+
+ * src/preprocessors/spp_normalize.c:
+ Don't register the packet callback if Snort is not inline.
+ Fixed a crash in the normalizer during Snort reload.
+
+ * src/: sfdaq.c, sfdaq.h, snort.c, snort.h, util.c:
+ Fixed a possible segfault upon fatal error during Snort reload.
+
+ * src/win32/WIN32-Prj/snort_installer.nsi:
+ Updated Windows project files for new preprocessors.
+
+ * doc/: snort_manual.pdf, snort_manual.tex:
+ Updated the Snort manual for new features.
+ Updated the names of contributors to match those found on snort.org.
+ Updated the 'config cs_dir' path to be relative to pid-path.
+
+ Described the FlowIP CSV file format. Thanks to Eoin Miller for
+ pointing out the lack of documentation.
+
+ * src/preprocessors/: perf-base.c, perf-base.h, perf.c, perf.h,
+ spp_frag3.c, spp_frag3.h, Stream5/snort_stream5_tcp.c:
+ Added frag3 and stream5 memory usage to perfmon output.
+
+ * src/control/sfcontrol.c:
+ Added counters to bypass the work queue mutex when nothing
+ is queued.
+ Cleaned up compiler warnings.
+
+ * src/preprocessors/HttpInspect/client/hi_client.c:
+ When the same IP is parsed multiple times for XFF/True-client-IP
+ , the duplicate entries are freed from memory.
+
+ * src/preprocessors/: stream_expect.c, spp_stream5.c, stream_api.h,
+ stream_expect.h, Stream5/snort_stream5_session.c,
+ Stream5/snort_stream5_session.h, Stream5/stream5_common.h:
+ Changed instances of "char" to "uint8_t" when dealing with
+ protocol numbers, preventing a potential issue when Snort
+ supports protocols > 128. Thanks to Joshua Kinard for
+ providing a patch for this issue.
+
+ * src/detection-plugins/sp_react.c:
+ Added a content-length header to the react responses.
+
+ * src/: decode.h, dynamic-plugins/sf_engine/sf_snort_packet.h,
+ dynamic-preprocessors/imap/snort_imap.c,
+ dynamic-preprocessors/pop/snort_pop.c,
+ dynamic-preprocessors/smtp/smtp_config.h,
+ dynamic-preprocessors/smtp/smtp_util.c,
+ dynamic-preprocessors/smtp/smtp_util.h,
+ dynamic-preprocessors/smtp/snort_smtp.c,
+ dynamic-preprocessors/smtp/snort_smtp.h,
+ dynamic-preprocessors/smtp/spp_smtp.c,
+ output-plugins/spo_unified2.c, preprocessors/snort_httpinspect.c,
+ preprocessors/snort_httpinspect.h,
+ preprocessors/spp_httpinspect.c, preprocessors/spp_stream5.c,
+ preprocessors/stream_api.h,
+ preprocessors/HttpInspect/include/hi_ui_config.h,
+ preprocessors/Stream5/snort_stream5_tcp.c,
+ preprocessors/Stream5/snort_stream5_tcp.h,
+ preprocessors/Stream5/stream5_common.h:
+ Reduced the memory usage per TCP session for extra data event
+ logging.
+
+ * src/dynamic-preprocessors/sip/spp_sip.c:
+ Changed a description in the SIP exit stats.
+
+ * configure.in, src/snort.c, src/util.c,
+ src/target-based/sftarget_reader.c:
+ Where possible, sigaction() is used instead of signal() to
+ establish signal handlers.
+
+ * src/util.c:
+ Fixed an error in the calculation of dropped packets.
+ Thanks to Will Metcalf for identifying the issue.
+
+ * src/preprocessors/: perf-flow.c, perf-flow.h:
+ Fixed a bug where packets longer than 4500 bytes were not logged
+ in the perfmon flow stats.
+
+ * src/: active.c, decode.c, decode.h, encode.c, parser.c,
+ sf_protocols.h, snort.c:
+ Fix PPPoE support and active responses to ICMP.
+ Thanks to Eric Lauzon for identifying an issue with PPPoE traffic.
+
+ * etc/gen-msg.map, preproc_rules/preprocessor.rules,
+ src/generators.h,
+ src/preprocessors/HttpInspect/client/hi_client.c,
+ src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
+ src/preprocessors/HttpInspect/include/hi_client.h,
+ src/preprocessors/HttpInspect/include/hi_eo_events.h:
+ Added new preprocessor alerts:
+ 1) Both true-client-ip and XFF headers exist in single packet
+ 2) Multiple client-ips with different values in the same session
+
+ * etc/gen-msg.map:
+ Fixed an error with incorrect SID numbers for some SMTP preprocessor
+ rules. Thanks to Eric Olsen for identifying the issue.
+
+ * src/: decode.h, detect.c, encode.c, encode.h, plugbase.c,
+ plugbase.h, snort.c, snort.h,
+ detection-plugins/detection_options.c,
+ dynamic-plugins/sf_dynamic_plugins.c,
+ dynamic-plugins/sf_dynamic_preprocessor.h,
+ dynamic-plugins/sf_engine/sf_snort_packet.h,
+ dynamic-preprocessors/dcerpc2/snort_dce2.c,
+ dynamic-preprocessors/sdf/spp_sdf.c,
+ output-plugins/spo_alert_fast.c, preprocessors/spp_frag3.c,
+ preprocessors/spp_rpc_decode.c, preprocessors/spp_sfportscan.c,
+ preprocessors/stream_api.h,
+ preprocessors/Stream5/snort_stream5_tcp.c,
+ preprocessors/Stream5/stream5_common.c:
+ Refactored packet flags. Added new packet flags for raw in-order
+ stream segment discrimination.
+
+ * src/preprocessors/snort_httpinspect.c:
+ Fixed an issue where gzip logging code misinterpreted the data
+ being passed to it.
+
+ Increased max_method_len to 256.
+ Thanks to rmkml for identifying the issue.
+
+ * src/: preprocessors/spp_rpc_decode.c,
+ dynamic-preprocessors/dcerpc2/dce2_roptions.c,
+ dynamic-preprocessors/dcerpc2/dce2_smb.c:
+ Fixed compiler warnings.
+
+ * src/sfutil/bnfa_search.c:
+ Fixed code defined by #ifdef ALLOW_NFA_FULL to compile and run.
+ Thanks to Brian Hwang for reporting the issue.
+
+ * src/: dynamic-plugins/sf_dynamic_plugins.c,
+ dynamic-plugins/sf_dynamic_preprocessor.h,
+ dynamic-plugins/sp_dynamic.h,
+ dynamic-preprocessors/reputation/reputation_config.c,
+ dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c,
+ dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h:
+ The paths to whitelist & blacklist files are now relative to
+ the location of snort.conf.
+
+ * src/preprocessors/Stream5/snort_stream5_session.c:
+ Don't prune blocked sessions if pruning for memcap.
+
+ * src/preprocessors/spp_stream5.c:
+ Fixed session data lookup for meta data messages.
+
+ * etc/: sf_rule_options, sf_rule_validation.conf:
+ Updated rule validation files with new rule options.
+
+ * configure.in, doc/INSTALL, doc/README.ARUBA, doc/README.database,
+ doc/README.ipv6, doc/snort_manual.tex,
+ src/output-plugins/spo_alert_arubaaction.c,
+ src/output-plugins/spo_alert_prelude.c,
+ src/output-plugins/spo_database.c:
+ Added deprecation warnings for database, alert_aruba_action,
+ and alert_prelude output plugins. These output plugins are
+ considered deprecated with this release and will be removed
+ in Snort 2.9.3.
+
+ * src/: plugbase.c, plugbase.h, preprocids.h, profiler.c, sfdaq.c,
+ sfdaq.h, snort.c, snort.h, dynamic-plugins/sf_dynamic_plugins.c,
+ dynamic-plugins/sf_dynamic_preprocessor.h,
+ preprocessors/spp_stream5.c, preprocessors/stream_api.h,
+ preprocessors/Stream5/snort_stream5_icmp.c,
+ preprocessors/Stream5/snort_stream5_ip.c,
+ preprocessors/Stream5/snort_stream5_session.c,
+ preprocessors/Stream5/snort_stream5_session.h:
+ Added API and DAQ functions to get flow start and end events
+ directly from the DAQ when no stream data is available.
+
+ * src/sfdaq.c:
+ Prevent underflow when calculating outstanding packets.
+ Thanks to Hussein Bahaidarah for reporting this issue.
+
+ Don't unload daq modules if --disable-dlclose was a configure
+ option.
+
+ * src/: active.c, dynamic-plugins/sf_dynamic_plugins.c,
+ dynamic-plugins/sf_dynamic_preprocessor.h:
+ Snort dynamic API changes to inject response packets.
+
+2011-10-20 Ryan Jordan
+Snort 2.9.1.2
+ * configure.in,
+ rpm/snort.spec,
+ src/build.h,
+ src/win32/WIN32-Includes/config.h,
+ src/win32/WIN32-Prj/snort_installer.nsi:
+ Incremented version numbers to Snort 2.9.1.2, Build 84.
+
+ * src/preprocessors/snort_httpinspect.c,
+ src/sfutil/util_utf.c:
+ Fixed an issue where Snort would sometimes stop processing traffic
+ in a persistent HTTP 1.1 connection with a UTF-32 encoded response
+ followed by a UTF-16 encoded response.
+
+2011-10-05 Ryan Jordan
+Snort 2.9.1.1
+ * src/decode.c:
+ Fixed decode.c to allow building with --enable-debug.
+
+ * src/: dynamic-plugins/sf_engine/sf_decompression.c,
+ dynamic-plugins/sf_engine/sf_decompression.h,
+ preprocessors/snort_httpinspect.h,
+ preprocessors/HttpInspect/server/hi_server.c:
+ Fixed http_inspect decompression and decompression API to decompress
+ both raw and zlib deflated data.
+ Support locating utf charset when spaces are present.
+
+ * src/: preprocessors/HttpInspect/server/hi_server_norm.c,
+ sfutil/util_utf.h:
+ Added "Byte Order Mark" support for unicode in http_inspect.
+
+ * src/detection-plugins/sp_urilen_check.c:
+ Fixed potential false positives when using urilen detection option.
+
+ * src/preprocessors/Stream5/stream5_paf.c:
+ Fixed flushing beyond "paf_max".
+ Verify paf configuration before enabling.
+
+ * src/preprocessors/Stream5/snort_stream5_tcp.c:
+ Free application and protocol state when a session is blocked.
+ Ensure that seglist_next is NULL after being freed.
+
+ * src/dynamic-preprocessors/smtp/smtp_util.c:
+ Fixed an issue with SMTP logging while running in inline mode.
+
+ * src/dynamic-preprocessors/reputation/Makefile.am,
+ src/dynamic-preprocessors/reputation/reputation_config.c,
+ src/dynamic-preprocessors/reputation/reputation_config.h,
+ src/dynamic-preprocessors/reputation/spp_reputation.c,
+ src/dynamic-preprocessors/reputation/spp_reputation.h,
+ src/Makefile.am, src/idle_processing.c, src/idle_processing.h,
+ src/idle_processing_funcs.h, src/plugbase.c, src/plugbase.h,
+ src/snort.c, src/snort.h, src/util.c, src/util.h,
+ src/dynamic-examples/Makefile.am,
+ src/dynamic-preprocessors/reputation/shmem/shmem_config.c,
+ src/dynamic-preprocessors/reputation/shmem/shmem_config.h,
+ src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h,
+ src/dynamic-preprocessors/reputation/shmem/shmem_lib.c,
+ src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c,
+ src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.h,
+ src/control/Makefile.am, src/control/sfcontrol.c,
+ src/control/sfcontrol.h, src/control/sfcontrol_funcs.h,
+ src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.c,
+ src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.h,
+ src/dynamic-preprocessors/reputation/shmem/shmem_common.h,
+ src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c,
+ src/dynamic-preprocessors/reputation/shmem/shmem_lib.h,
+ src/sfutil/Makefile.am, src/sfutil/segment_mem.c,
+ src/sfutil/segment_mem.h, src/sfutil/sfrt_flat.c,
+ src/sfutil/sfrt_flat.h, src/sfutil/sfrt_flat_dir.c,
+ src/sfutil/sfrt_flat_dir.h,
+ src/dynamic-preprocessors/Makefile.am, tools/control/Makefile.am,
+ tools/control/README.snort_control, tools/control/sfcontrol.c,
+ src/dynamic-plugins/sf_dynamic_plugins.c,
+ src/dynamic-plugins/sf_dynamic_preprocessor.h, configure.in,
+ tools/Makefile.am:
+ - Added support for shared memory between Snort processes.
+ This is used in the IP Reputation preprocessor to share a single copy
+ of IP whitelists & blacklists.
+ - Added a control channel, so that commands may be issued to
+ a running Snort process by way of a Unix socket.
+
+ * src/preprocessors/HttpInspect/utils/hi_paf.c:
+ Ensure HTTP 1.1 responses without length indicators (e.g. 304)
+ are flushed at the end of the headers.
+ Preprocessor rule 120:8 is fired at end of headers if content-length
+ and transfer-encoding: chunked are not present, but not for response
+ codes 1XX, 204, 304.
+
+ * doc/README.reputation, doc/snort_manual.pdf,
+ doc/snort_manual.tex:
+ Updated Snort documentation, added documentation for Shared Memory
+ and the Control Socket.
+
+ * src/: dynamic-preprocessors/reputation/sf_reputation.dsp,
+ dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp,
+ win32/WIN32-Includes/stdint.h, win32/WIN32-Prj/snort.dsp,
+ win32/WIN32-Prj/snort.dsw:
+ Updated Win32 build files.
+
+
+2011-08-23 Ryan Jordan
+Snort 2.9.1
+ * src/build.h:
+ Updated build number to 71.
+
+ * etc/gen-msg.map, preproc_rules/decoder.rules, src/decode.c,
+ src/decode.h, src/generators.h, src/snort.c,
+ src/dynamic-plugins/sf_engine/sf_snort_packet.h:
+ Fixed an issue with decoding large numbers of IPv6 extension headers.
+ Added rule 116:456 to safeguard against too many IPv6 extension headers.
+ Thanks to Martin Schütte for reporting the issue.
+
+ * src/detection-plugins/sp_urilen_check.c,
+ src/detection-plugins/sp_urilen_check.h:
+ Fixed the urilen rule option to look at reassembled packets.
+ Added an extra parameter to specify whether to check raw or normalized
+ uri buffer. Will check raw uri buffer by default.
+
+ * src/: dynamic-preprocessors/dcerpc2/sf_dce2.dsp,
+ dynamic-preprocessors/dns/sf_dns.dsp,
+ dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp,
+ dynamic-preprocessors/imap/sf_imap.dsp,
+ dynamic-preprocessors/isakmp/sf_isakmp.dsp,
+ dynamic-preprocessors/pop/sf_pop.dsp,
+ dynamic-preprocessors/reputation/sf_reputation.dsp,
+ dynamic-preprocessors/sdf/sf_sdf.dsp,
+ dynamic-preprocessors/sip/sf_sip.dsp,
+ dynamic-preprocessors/smtp/sf_smtp.dsp,
+ dynamic-preprocessors/ssh/sf_ssh.dsp,
+ dynamic-preprocessors/ssl/sf_ssl.dsp,
+ win32/WIN32-Prj/sf_engine.dsp:
+ Fixed a bug where the sensitive_data preprocessor gave an error while
+ loading sensitive data rules.
+
+ * doc/README.http_inspect, etc/gen-msg.map,
+ preproc_rules/preprocessor.rules, src/generators.h,
+ src/preprocessors/snort_httpinspect.c,
+ src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
+ src/preprocessors/HttpInspect/include/hi_eo_events.h,
+ src/preprocessors/HttpInspect/utils/hi_paf.c:
+ Added two HTTP Inspect preprocessor rules:
+ 119:28 - post w/o content-length or transfer-encoding: chunked
+ 120:8 - message with invalid content-length or chunk size
+
+ * src/preprocessors/spp_httpinspect.c:
+ Fixed a bug where Snort wouldn't reload, giving the error that
+ "Changing decompress_depth requries a restart".
+
+ * etc/gen-msg.map:
+ Commented out four rules from gen-msg.map, 133:44 through 133:47,
+ because they were not yet implemented.
+
+ * preproc_rules/preprocessor.rules:
+ Added a CVE reference for Rule 119:19.
+ Added a reference to SMTP preprocessor rule 124:4.
+ Added a preprocessor rule, 125:9, for an FTPTelnet preprocessor
+ alert that was missing the corresponding rule.
+
+ * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
+ PAF tweak for single-segment full PDUs matching only-stream
+
+ * src/snort.c:
+ Fixed a bug where Snort wouldn't reload on SIGHUP with OpenBSD.
+ Set default paf_max to 16K.
+
+ * doc/: README.reputation, snort_manual.pdf, snort_manual.tex:
+ Added a use case in the IP Reputation preprocessor documentation.
+
+ * src/: dynamic-preprocessors/reputation/reputation_config.c,
+ dynamic-preprocessors/reputation/sf_reputation.dsp,
+ win32/WIN32-Prj/snort.dsw, win32/WIN32-Prj/snort_installer.nsi:
+ Fixed the IP Reputation preprocessor so that it would build on Windows.
+
+ * src/preprocessors/HttpInspect: client/hi_client.c, include/hi_client.h,
+ server/hi-server.c, utils/hi_paf.c:
+ Support up to full 32-bit content-lengths
+
+ * src/preprocessors/Stream5/stream5_paf.c:
+ Fixed compilation with the options "--disable-target-based --enable-paf".
+
+ * src/preprocessors/Stream5/snort_stream5_tcp.c:
+ Fixed an error in IDS mode when segments overlap and the sequence
+ number wraps.
+
+ * tools/u2spewfoo/Makefile.am:
+ Added the u2spewfoo Windows project file to the Snort source tarball.
+
+2011-07-19 Ryan Jordan
+Snort 2.9.1 RC
+ * doc/README.sip, doc/snort_manual.pdf, doc/snort_manual.tex,
+ preproc_rules/preprocessor.rules,
+ src/dynamic-preprocessors/sip/sip_parser.c,
+ src/dynamic-preprocessors/sip/spp_sip.h, etc/gen-msg.map:
+ Added three new SIP preprocessor alerts.
+
+ * src/preprocessors/Stream5/: snort_stream5_tcp.c, stream5_paf.c,
+ stream5_paf.h:
+ Allow multiple preprocs to scan for PDUs on the same port.
+ This fixes a problem with DCE autodetect using the same
+ ports as HTTP.
+
+ * src/build.h:
+ Updated build number to 63.
+
+ * src/: fpcreate.c, log.c, detection-plugins/sp_byte_extract.c,
+ detection-plugins/sp_tcp_win_check.c,
+ dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
+ dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
+ preprocessors/spp_normalize.c:
+ Fixed some compiler warnings.
+
+ * src/: detection-plugins/detection_options.c,
+ detection-plugins/sp_flowbits.h,
+ dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
+ dynamic-plugins/sf_engine/examples/Makefile.am,
+ dynamic-plugins/sf_engine/examples/flowbits_test.c,
+ dynamic-plugins/sf_engine/examples/rules.c,
+ dynamic-plugins/sf_engine/examples/web-client_test.c:
+ Only set/clear/toggle/unset a flowbit when all of the rule
+ matches, including the IPs and Ports. Thanks to Eoin Miller
+ for reporting the issue.
+
+ * src/dynamic-preprocessors/: Makefile.am, dcerpc2/Makefile.am,
+ dns/Makefile.am, ftptelnet/Makefile.am, imap/Makefile.am,
+ pop/Makefile.am, reputation/Makefile.am, rzb_saac/Makefile.am,
+ sdf/Makefile.am, sip/Makefile.am, smtp/Makefile.am,
+ ssh/Makefile.am, ssl/Makefile.am:
+ Fixed dynamic preprocesor Makefiles so that they can be built
+ in parallel.
+
+ * doc/README.http_inspect, doc/snort_manual.pdf,
+ doc/snort_manual.tex, etc/gen-msg.map,
+ preproc_rules/preprocessor.rules, src/generators.h,
+ src/preprocessors/snort_httpinspect.c,
+ src/preprocessors/snort_httpinspect.h,
+ src/preprocessors/HttpInspect/client/hi_client.c,
+ src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
+ src/preprocessors/HttpInspect/include/hi_eo_events.h,
+ src/preprocessors/HttpInspect/include/hi_ui_config.h,
+ src/preprocessors/HttpInspect/include/hi_util.h,
+ src/preprocessors/HttpInspect/user_interface/hi_ui_config.c,
+ src/sfutil/util_unfold.c:
+ Added a new HTTP Inspect preprocessor rule, GID 119 SID 26.
+ This rule checks for 200+ whitespaces in a folded header line
+ from an HTTP request. A new config option was added to configure
+ the allowable amount whitespace.
+
+ Added a new configuration option to http_inspect server configuration:
+ "small_chunk_length { }", with
+ preprocessor rules for both client and server. Consecutive chunk lengths
+ less than or equal to will cause an event to be generated.
+
+ See README.http_inspect for more information.
+
+ * src/: dynamic-preprocessors/dcerpc2/sf_dce2.dsp,
+ dynamic-preprocessors/dns/sf_dns.dsp,
+ dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp,
+ dynamic-preprocessors/imap/sf_imap.dsp,
+ dynamic-preprocessors/isakmp/sf_isakmp.dsp,
+ dynamic-preprocessors/sdf/sf_sdf.dsp,
+ dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp,
+ dynamic-preprocessors/sip/sf_sip.dsp,
+ dynamic-preprocessors/smtp/sf_smtp.dsp,
+ dynamic-preprocessors/ssh/sf_ssh.dsp,
+ dynamic-preprocessors/ssl/sf_ssl.dsp,
+ win32/WIN32-Prj/sf_engine.dsp,
+ win32/WIN32-Prj/sf_engine_initialize.dsp,
+ win32/WIN32-Prj/sf_testdetect.dsp, win32/WIN32-Prj/snort.dsp:
+ Fixed the Win32 build to (1) not use .pch, and (2) correct sed
+ patterns on ipv6_port.h.
+
+ * src/output-plugins/spo_alert_sf_socket.c:
+ Fixed a problem where Snort's generic IP address structure was
+ being sent by the socket output plugin.
+ The output plugin now only generates events for IPv4 packets,
+ and is guaranteed to use uint32_t IPv4 addresses for interoperability.
+
+ * src/sfutil/: sfrt.c, sfrt.h:
+ Optimized some memory usage.
+
+ * configure.in:
+ Add check for pkg-config and provide instructions to get it if
+ pkg-config is not installed.
+
+ * src/preprocessors/Stream5/: snort_stream5_tcp.c,
+ stream5_common.h:
+ Show single segment PAF packets and only short-circuit at
+ correct sequence.
+ When aborting PAF, flush at paf_max.
+ Tweaked retransmission check to use actual sequence numbers
+ instead of the adjusted sequence numbers.
+ Changed the pseudo-random flush point after each flush.
+
+ * src/snort.c:
+ Fixed a compilation error when active response is disabled.
+
+ * src/snort.h:
+ Fixed a bug where Snort wouldn't daemonize on OpenBSD if the
+ process was running as root. Thanks to Olaf Schreck for reporting
+ this issue.
+
+ * src/preprocessors/: perf-base.c, perf-base.h, perf-event.c,
+ perf-event.h, perf-flow.c, perf-flow.h, perf.c, perf.h,
+ spp_perfmonitor.c:
+ Split out Perfmon submodule Init and Reset, so that everything is
+ initialized when the Perfmonitor preprocessor is initialized.
+ Previously, some data was initialized on the first packet.
+
+ * src/detection-plugins/sp_tcp_flag_check.c:
+ Fixed a couple spots where the "1" and "2"
+ flags weren't renamed to "C" and "E". Thanks to Joshua Kinard for
+ reporting the issue and supplying a patch.
+
+ * doc/README.sip, doc/snort_manual.pdf, doc/snort_manual.tex,
+ src/dynamic-preprocessors/sip/sip_parser.c,
+ src/dynamic-preprocessors/sip/spp_sip.h,
+ preproc_rules/preprocessor.rules, etc/gen-msg.map:
+ Added a new SIP preprocessor alert for missing content type headers.
+ Fixed an issue where the SIP preprocessor checked for Stream5 even if
+ the SIP preprocessor was disabled.
+
+ * etc/unicode.map:
+ Updated unicode.map to match the unicode standard on Windows 7 SP1.
+
+ * etc/snort.conf:
+ Sync'ed to VRT's latest snort.conf.
+
+ * src/: decode.c, detect.c:
+ Tweaked the preprocessing loop to bypass app preprocs if no
+ app data.
+
+ * src/sfutil/sf_ip.c, src/sfutil/sf_ip.h, src/sfutil/sfrt_dir.c,
+ src/dynamic-preprocessors/reputation/Makefile.am,
+ src/dynamic-preprocessors/reputation/reputation_config.h,
+ src/dynamic-preprocessors/reputation/reputation_utils.c,
+ src/dynamic-preprocessors/reputation/sf_reputation.dsp,
+ src/dynamic-preprocessors/reputation/spp_reputation.c,
+ src/dynamic-preprocessors/reputation/spp_reputation.h,
+ src/dynamic-preprocessors/reputation/reputation_config.c,
+ src/dynamic-preprocessors/reputation/reputation_debug.h,
+ src/dynamic-preprocessors/reputation/reputation_utils.h,
+ doc/README.reputation, doc/Makefile.am, doc/snort_manual.pdf,
+ doc/snort_manual.tex, preproc_rules/preprocessor.rules,
+ src/dynamic-preprocessors/Makefile.am, configure.in,
+ src/preprocids.h, etc/gen-msg.map:
+ Added the IP Reputation preprocessor. This preprocessor provides
+ the ability to whitelist and blacklist packets based on IP addresses.
+ See README.reputation for more information.
+
+ * src/: sf_types.h, dynamic-plugins/sf_dynamic_plugins.c,
+ dynamic-preprocessors/dcerpc2/Makefile.am,
+ dynamic-preprocessors/dcerpc2/dce2_config.c,
+ dynamic-preprocessors/dcerpc2/dce2_debug.h,
+ dynamic-preprocessors/dcerpc2/dce2_paf.c,
+ dynamic-preprocessors/dcerpc2/dce2_paf.h,
+ dynamic-preprocessors/dcerpc2/sf_dce2.dsp,
+ dynamic-preprocessors/dcerpc2/snort_dce2.c:
+ Added protocol-aware flushing support for the dcerpc2 preprocessor.
+
+ * src/dynamic-plugins/sf_convert_dynamic.c:
+ Added the ability to convert shared object rules that use the
+ preprocessor rule option.
+
+ * src/preprocessors/: snort_httpinspect.c, spp_httpinspect.c,
+ HttpInspect/include/hi_paf.h, HttpInspect/utils/hi_paf.c,
+ Stream5/snort_stream5_tcp.c:
+ Don't enable paf unless stream ports configured
+ for the given direction; add "(PAF)" to http inspect ports output
+ to indicate when enabled; and only register port for given
+ direction if corresponding flow depth is set.
+
+ Support full 32-bit content-lengths and chunk sizes, and flush/abort
+ when exceeded.
+
+ * doc/README.SMTP, doc/snort_manual.tex,
+ src/dynamic-preprocessors/smtp/smtp_config.h,
+ src/dynamic-preprocessors/smtp/smtp_util.c,
+ src/dynamic-preprocessors/smtp/snort_smtp.c,
+ src/dynamic-preprocessors/smtp/snort_smtp.h,
+ src/dynamic-preprocessors/smtp/spp_smtp.c:
+ Fixed performance issue: allocate the buffers used
+ for filename, mailfrom and rcptto logging using mempool
+ ('memcap' used to allocate the mempool).
+ Added a fatal error when b64_decode_depth is used with
+ enable_mime_decoding.
+
+ * src/dynamic-plugins/sf_engine/examples: all rule files:
+ Fixed compiler warnings.
+
+2011-06-13 Ryan Jordan
+Snort 2.9.1 Beta
+ * configure.in:
+ Updates to configure.in.
+ - Fix zlib checks to use correctly named variable for checking zlib
+ header and library existence.
+ - Enable IPv6 by default in builds. Can use --disable-ipv6 to turn it off.
+ using --enable-zlib, configure should fail. snort -V should show
+ IPv6 by default and VRT config should load without modification.
+ - Added a new option, "--enable-large-pcap", which allows Snort to read
+ pcap files that are larger than 2 GB.
+ - Changed the default ./configure options to match the requirements
+ for the bundled snort.conf
+ * doc/: INSTALL, README.imap, README.pop,
+ README.SMTP, README.stream5, README.sip, README.tag,
+ README.http_inspect, README.counts, README.normalize,
+ snort_manual.pdf, snort_manual.tex:
+ Updated documentation for Snort 2.9.1:
+ - Added documentation for new SIP, POP and IMAP preprocessors
+ - Updated README.stream5 with documentation for
+ Protocol Aware Flushing (PAF)
+ - Updated README.http_inspect with memcap information,
+ clarified "http_cookie" information, and documentation for
+ "log_uri" and "log_hostname".
+ - Fixed a typo in README.counts
+ - Updated "byte_extract" section to reflect syntax changes
+ - Improved the explanation of "max_queued_events"
+ - Added documentation for the ESP decoder, which is now configurable
+ - Improved the explanation of "rawbytes"
+ - Fixed an incorrect example in README.tag.
+ * etc/snort.conf:
+ Synced snort.conf with VRT's latest version.
+
+ Added configurations for new preprocessors.
+ * preproc_rules/: decoder.rules, preprocessor.rules
+ Added new preprocessor rules for SIP, SMTP, POP, and IMAP.
+
+ Added decoder rules 116:453, 116:454, and 116:455. These rules
+ were formerly covered by VRT rules.
+ * src/build.h: Updated build number to 46
+ * src/decode.c:
+ TCP and UDP decoder rules that require a fully-decoded packet will
+ only fire if the checksum is correct and the port number is not ignored.
+
+ ESP decoding is now configurable, and off by default.
+
+ The "config enable_decode_oversized_alerts" option now applies to
+ packets where the UDP header claims there is more data than actually exists.
+ The Teredo decoder now only processes packets in the Teredo prefix
+ (2001:0000::/32) or the link-local prefix (fe80::/16).
+ * src/detection-plugins/sp_cvs.c:
+ Fixed a false positive in the CVS detection plugin.
+ * doc/snort_manual.tex, src/detection-plugins/sp_byte_extract.c:
+ Made some changes to the byte_extract syntax:
+ - Writing "string" without a number type defaults to decimal.
+ - The "string" and "hex/dec/oct" options are now independent of each
+ other, like in byte_test and byte_jump.
+ You can write "string,dec", "hex,string", "string,relative,oct", etc.
+ - Specifying one of "hex", "dec", and "oct" without using "string"
+ results in an error.
+ - byte_extract options can no longer be delimited by spaces.
+ This does not affect "align " or "multiplier ".
+ * src/: parser.c, util.c, util.h,
+ detection-plugins/sp_base64_decode.c,
+ dynamic-plugins/sf_dynamic_plugins.c,
+ dynamic-plugins/sf_dynamic_preprocessor.h,
+ dynamic-plugins/sp_dynamic.c,
+ dynamic-preprocessors/smtp/smtp_util.c,
+ preprocessors/HttpInspect/client/hi_client.c,
+ preprocessors/HttpInspect/server/hi_server.c,
+ sfutil/sf_base64decode.c, sfutil/sf_base64decode.h:
+ Changes include the following:
+ - Attempt dechunkind only when transfer-encoding: chunked is present.
+ - Override the content length with transfer encoding
+ - SnortStrcasestr uses slen now.
+ - unfolding : trim spaces when required.
+ * src/: pcap_pkthdr32.h, preprocessors/spp_frag3.c,
+ preprocessors/Stream5/snort_stream5_tcp.c,
+ preprocessors/Stream5/stream5_common.h, sfutil/sf_ipvar.c,
+ sfutil/sf_ipvar.h, sfutil/sf_vartable.c:
+ Update Frag3/Stream5 to print bound addresses, better descriptsions of detect
+ anomalies and port lists.
+ - Updated Frag3/Stream5 to print bound addresses for IPv6 enabled builds
+ - Updated Frag3 to print meaningful detect anomalies configuration
+ - Updated Stream5 to print that there are more ports than those printed.
+ * src/dynamic-plugins/sf_engine/: Makefile.am, sf_decompression.c,
+ sf_decompression.h, sf_snort_detection_engine.c,
+ sf_snort_plugin_api.h:
+ Added a Decompression API that wraps Zlib for use with dynamic
+ plugins. See sf_decompression.h for more details.
+ * src/: fpcreate.c, fpdetect.c, treenodes.h:
+ Update pattern matcher and sort functions to
+ correctly sort by priority as well as implement sorting by
+ content_length (which was never done with 2.8.2 addition of rule
+ option tree).
+
+ Added a warning when max-pattern-len is defined twice.
+
+ Packets will no longer be tagged or logged if they are filtered or passed.
+ * src/preprocessors/Stream5:
+ Ensured that reassembly doesn't require packet dropping in IPS mode.
+ The message "additional ports configured but not printed" is only printed
+ when that is actually the case.
+ * src/snort.c:
+ fix output of filename / shutdown alerts sequence when iterating over multiple
+ pcaps with --pcap-show --pcap-reset and console alerts (eg -A cmg or
+ -A console:test).
+
+ Fixed an issue with reloading Snort while the default output options
+ were used.
+
+ When reading several pcap files with --pcap-dir, Snort will move on
+ to the next file if one fails to load.
+ * src/output-plugins/spo_alert_full.c:
+ Update alert_full to print rule references, regardless of whether
+ there is TCP/UDP/etc.
+ * src/output-plugins/spo_log_tcpdump.c:
+ convert DLT_IPV{4,6} to DLT_RAW for compatibility with libpcap 1.0.0
+ fix 'mixed decls and code' compiler warning
+ * src/: decode.h, detect.c, detection_util.c, detection_util.h,
+ fpcreate.c, fpdetect.c, log.c, log_text.c, parser.h, plugbase.c,
+ rule_option_types.h, detection-plugins/Makefile.am,
+ detection-plugins/detection_options.c,
+ detection-plugins/sp_base64_data.c,
+ detection-plugins/sp_byte_check.c,
+ detection-plugins/sp_byte_extract.c,
+ detection-plugins/sp_byte_jump.c,
+ detection-plugins/sp_file_data.c,
+ detection-plugins/sp_ftpbounce.c,
+ detection-plugins/sp_isdataat.c,
+ detection-plugins/sp_pattern_match.c,
+ detection-plugins/sp_pcre.c, detection-plugins/sp_pkt_data.c,
+ detection-plugins/sp_pkt_data.h,
+ dynamic-plugins/sf_convert_dynamic.c,
+ dynamic-plugins/sf_dynamic_common.h,
+ dynamic-plugins/sf_dynamic_define.h,
+ dynamic-plugins/sf_dynamic_engine.h,
+ dynamic-plugins/sf_dynamic_plugins.c,
+ dynamic-plugins/sf_dynamic_preprocessor.h,
+ dynamic-plugins/sp_dynamic.c, dynamic-plugins/sp_dynamic.h,
+ dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
+ dynamic-plugins/sf_engine/sf_snort_packet.h,
+ dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
+ dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
+ dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
+ dynamic-plugins/sf_engine/examples/detection_lib_meta.h,
+ dynamic-preprocessors/ftptelnet/pp_ftp.c,
+ dynamic-preprocessors/ftptelnet/pp_telnet.c,
+ dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
+ dynamic-preprocessors/smtp/smtp_util.c,
+ dynamic-preprocessors/smtp/snort_smtp.c,
+ dynamic-preprocessors/smtp/snort_smtp.h,
+ preprocessors/snort_httpinspect.c,
+ preprocessors/snort_httpinspect.h,
+ preprocessors/spp_rpc_decode.c,
+ preprocessors/HttpInspect/server/hi_server.c,
+ preprocessors/HttpInspect/server/hi_server_norm.c,
+ preprocessors/Stream5/snort_stream5_tcp.c:
+ The "file_data" and "base64_data" rule options now set the buffer
+ for any rule options that follow them. This applies to both relative
+ and non-relative rule options.
+
+ The detection code now uses 3 separate buffers:
+ - "Alt Detect": set by file_data, base64_data, etc.
+ - "Alt Decode": set by preprocessor normalization, e.g. HTTP Inspect
+ - Raw packet data
+
+ The AltDetect buffer can also be set by custom .so rules.
+ * src/parser.c, src/parser.h, src/snort.h, src/output-plugins/spo_unified2.c,
+ src/sfutil/Unified2_common.h:
+ IPv6 source and destination addresses are now logged in Unified2
+ as extra data events. This is configured with "config log_ipv6_extra_data".
+ * src/dynamic-preprocessors/sip/Makefile.am,
+ src/dynamic-preprocessors/sip/sf_sip.dsp,
+ src/dynamic-preprocessors/sip/sip_config.c,
+ src/dynamic-preprocessors/sip/sip_config.h,
+ src/dynamic-preprocessors/sip/sip_debug.h,
+ src/dynamic-preprocessors/sip/sip_dialog.c,
+ src/dynamic-preprocessors/sip/sip_dialog.h,
+ src/dynamic-preprocessors/sip/sip_parser.c,
+ src/dynamic-preprocessors/sip/sip_parser.h,
+ src/dynamic-preprocessors/sip/sip_roptions.c,
+ src/dynamic-preprocessors/sip/spp_sip.c,
+ src/dynamic-preprocessors/sip/spp_sip.h,
+ src/dynamic-preprocessors/sip/sip_roptions.h,
+ src/dynamic-preprocessors/sip/sip_utils.c,
+ src/dynamic-preprocessors/sip/sip_utils.h, doc/README.sip,
+ etc/gen-msg.map, src/dynamic-preprocessors/sip/test/Makefile.am,
+ src/dynamic-preprocessors/sip/test/sip_test.c, configure.in,
+ src/dynamic-preprocessors/Makefile.am:
+ Added a new preprocessor for SIP traffic.
+ See README.sip and the Snort Manual for more information.
+ * src/: dynamic-preprocessors/dcerpc2/dce2_utils.c,
+ dynamic-preprocessors/dcerpc2/spp_dce2.c,
+ preprocessors/spp_frag3.c:
+ Make Frag3 OpenBSD Vuln alert only happen if the frag policy is
+ 'linux' (which includes OpenBSD). The 'bsd' policy is NOT used
+ for OpenBSD, which is the only OS on which the vulnerability was
+ present.
+
+ This reduces false positives to only occur when frag3 policy is
+ linux and its an actual linux system, rather than the alert
+ occuring regardless of frag policy.
+ * src/: detection-plugins/Makefile.am,
+ detection-plugins/sp_byte_extract.c,
+ detection-plugins/sp_byte_extract.h,
+ dynamic-plugins/sf_convert_dynamic.c,
+ dynamic-plugins/sf_engine/Makefile.am,
+ dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
+ dynamic-plugins/sf_engine/sf_snort_detection_engine.h,
+ dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
+ dynamic-plugins/sf_engine/sf_snort_plugin_api.h,
+ dynamic-plugins/sf_engine/sf_snort_plugin_byte.c,
+ dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
+ dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c,
+ dynamic-plugins/sf_engine/sf_snort_plugin_loop.c,
+ dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
+ Added support for ByteExtract variables to the .so rule versions of
+ Content, ByteTest, ByteJump, and isdataat.
+ * src/: encode.c, preprocessors/spp_normalize.c,
+ preprocessors/Stream5/snort_stream5_tcp.c,
+ preprocessors/Stream5/stream5_common.c:
+ Fixed the TTL on encoded response packets.
+ * src/: fpcreate.c, fpdetect.c,
+ detection-plugins/sp_pattern_match.c,
+ detection-plugins/sp_pattern_match.h,
+ dynamic-plugins/sf_dynamic_define.h,
+ dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
+ dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
+ Update to not inspect HTTP method buffer with Snort's fast pattern engine.
+ Rules with only HTTP method content end up as non-content rules.
+ This eliminates a short cycle of searches with fast pattern on every
+ initial HTTP request.
+ * src/dynamic-preprocessors/pop/: all files
+ Added a new preprocessor for POP traffic.
+ See README.pop for more information.
+ * src/dynamic-preprocessors/imap/: all files
+ Added a new preprocessor for IMAP traffic.
+ See README.imap for more information.
+ * src/sfutil/: sf_email_attach_decode.c, sf_email_attach_decode.h:
+ Base64 decoding was moved to its own section in sfutil, for use
+ by the new email preprocessors.
+
+ Added support for uuencoded email attachments.
+ * src/dynamic-preprocessors/sdf/spp_sdf.c: + The Sensitive Data preprocessor now inspects the "file_data" buffer, used + for HTTP response bodies & decoded email attachments. + * src/: snort.c, preprocessors/spp_stream5.c, + preprocessors/stream_api.h: + Update Snort to return a DAQ verdict of whitelist (meaning don't + send Snort any more packets) for sessions that are being ignored + in both directions or ports that are configured to ignore. For + DAQ modules and hardware that supports it, this should result in + a performance gain because Snort no longer has to decode packets + that are part of that connection. + * src/util.c: + Added an error message when opening a pid file fails. + * src/preprocessors/HttpInspect/: client/hi_client.c, + server/hi_server.c: + The Set-Cookie: and Cookie: headers wont be included in the cookie buffers. + * configure.in, src/active.c, src/active.h, src/decode.h, + src/encode.c, src/encode.h, src/log_text.c, src/log_text.h, + src/parser.c, src/parser.h, src/sf_types.h, src/sfdaq.c, + src/sfdaq.h, src/snort.h, src/snort_debug.h, + src/detection-plugins/sp_react.c, + src/detection-plugins/sp_respond3.c, + src/dynamic-plugins/sf_dynamic_define.h, + src/dynamic-plugins/sf_engine/sf_snort_packet.h, + src/preprocessors/snort_httpinspect.c, + src/preprocessors/spp_httpinspect.c, + src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h, + src/preprocessors/HttpInspect/Makefile.am, + src/preprocessors/HttpInspect/include/Makefile.am, + src/preprocessors/HttpInspect/include/hi_paf.h, + src/preprocessors/HttpInspect/mode_inspection/hi_mi.c, + src/preprocessors/HttpInspect/server/hi_server.c, + src/preprocessors/HttpInspect/utils/Makefile.am, + src/preprocessors/HttpInspect/utils/hi_paf.c, + src/preprocessors/Stream5/Makefile.am, + src/preprocessors/Stream5/snort_stream5_icmp.c, + src/preprocessors/Stream5/snort_stream5_session.c, + src/preprocessors/Stream5/snort_stream5_tcp.c, + src/preprocessors/Stream5/snort_stream5_tcp.h, + 
src/preprocessors/Stream5/snort_stream5_udp.c,
+ src/preprocessors/Stream5/stream5_common.c,
+ src/preprocessors/Stream5/stream5_common.h,
+ src/preprocessors/Stream5/stream5_paf.c,
+ src/preprocessors/Stream5/stream5_paf.h, src/sfutil/sf_textlog.h:
+ Added support in Stream5 for Protocol Aware Flushing (PAF).
+ PAF allows Snort to statefully scan a stream and reassemble a complete
+ PDU regardless of segmentation.
+
+ Added PAF support to HTTP Inspect, allowing the preprocessor to determine
+ when HTTP sessions are flushed by Stream5.
+
+ See README.stream5 for more details.
+ * src/preprocessors/: stream_ignore.h, stream_ignore.c,
+ Stream5/snort_stream5_udp.c:
+ added support for ignoring UDP channels. Light weight session
+ will be created to track UDP channel, even ports are not
+ monitored.
+ * src/win32/: most files
+ Updated Snort and its libraries to build/link against MFC.
+
+2011-03-23 Steven Sturges
+ * src/build.h:
+ Increment Snort build number to 134
+ * src/: decode.h, encode.c:
+ * src/dynamic-plugins/sf_engine/: sf_snort_packet.h:
+ * src/preprocessors/: spp_sfportscan.c, spp_frag3.c:
+ * src/output-plugins/: spo_alert_fast.c:
+ * src/preprocessors/Stream5/: stream5_common.c:
+ Updated portscan to set protocol correctly in raw packet for
+ IPv6 and changed the encoder to recognize portscan packets as pseudo
+ packets so that the checksum isn't calculated
+ * src/: sfdaq.c, util.c:
+ Improve handling of DAQ failure codes when Snort is shutting down.
+ * src/preprocessors/spp_perfmonitor.c:
+ Update perfmonitor to create now files prior to dropping privs
+
+2011-03-16 Ryan Jordan
+Snort 2.9.0.5
+ * src/build.h:
+ Increment Snort build number to 132
+ * src/snort.c:
+ * src/preprocessors/: normalize.c, perf-base.c, perf-base.h,
+ Stream5/snort_stream5_tcp.c:
+ TCP timestamp options are only NOPed by the Normalization preprocessor
+ if Stream5 has seen a full 3-way handshake, and timestamps weren't
+ negotiated.
+
+ The IPS mode reassembly policy has been refactored to do stream
+ normalization within the first policy.
+
+ Packets injected by the normalization preprocessor are now counted
+ in the packet statistics.
+ * doc/snort_manual.tex:
+ * src/: parser.c, parser.h:
+ * src/preprocessors/: spp_frag3.c, Stream5/snort_stream5_session.c:
+ Added a "config vlan_agnostic" setting that globally disables Stream's
+ use of vlan tag in session tracking.
+ * src/: snort.c, preprocessors/normalize.c,
+ preprocessors/spp_normalize.c, preprocessors/spp_normalize.h,
+ preprocessors/perf-base.c, preprocessors/perf-base.h:
+ * doc/: README.normalize, snort_manual.pdf, snort_manual.tex:
+ Fixed the normalization preprocessor to call its post-initialization
+ config functions during a policy reload.
+
+ Packets can no longer be trimmed below the minimum ethernet frame
+ length. Trimming is now configurable with the "normalize_ip4: trim;"
+ option. TOS clearing is now configurable with "normalize_ip4: tos;".
+
+ The "normalize_ip4: trim" option is automatically disabled if the
+ DAQ can't inject packets. If the DAQ tries and fails to inject
+ a given packet, the wire packet is not blocked.
+
+ Updated documentation regarding these changes.
+ * src/detection-plugins/sp_cvs.c:
+ Fixed a false positive in the CVS detection plugin. It was incorrectly
+ parsing CVS entries that had a '+' in between the 3rd and 4th slashes.
+ * src/preprocessors/HttpInspect/: client/hi_client.c,
+ server/hi_server.c:
+ Changed a pointer comparison to a size check for code readability.
+ Belated thanks to Dwane Atkins and Parker Crook for reporting a
+ related issue that was fixed in Snort 2.9.0.4 build 111.
+
+ Moved the zlib initialization such that gzipped responses are still
+ inspected if the zipped data starts after the first Stream-reassembled
+ packet is inspected.
+ * src/decode.c:
+ Fixed an issue with decoding too many IP layers in a single packet.
The
+ Teredo proto bit was not unset after hitting the limit on IP layers.
+ Thanks to Dwane Atkins for reporting this issue.
+
+ IPv6 fragmented packets are no longer inspected unless they have an
+ offset of zero and the next layer is UDP. This behavior is consistent
+ with IPv4 decoding.
+ Thanks to Martin Schütte for reporting an issue where fragged ICMPv6
+ packets were being inspected.
+
+ The decoder no longer attempts to decode Teredo packets inside of
+ IPv4 fragments, instead waiting for the reassembled packet.
+ * src/encode.c:
+ Fixed a problem where encoded packets had their lengths calculated
+ incorrectly. This caused the active response feature to generate
+ incorrect RST packets if the original packet had a VLAN tag.
+ * preproc_rules/preprocessor.rules:
+ Updated references to rule 125:1:1
+ * src/preprocessors/spp_perfmonitor.c:
+ Perfmonitor files are now created after Snort changes uid/gid.
+ * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
+ Fixed the size formatting of an error message argument when
+ compiling with --enable-rzb-saac.
+ Thanks to Cleber S. Brandão for reporting this issue.
+ * etc/snort.conf:
+ Updated the default snort.conf with max compress and decompress
+ depths to enable unlimited decompression of gzipped HTTP responses.
+ * snort.8:
+ Fixed the man page's URL regarding the location of Snort rules.
+ Thanks to Michael Scheidell for reporting an out-of-date man page section.
+ * doc/README.http_inspect, doc/snort_manual.tex,
+ src/preprocessors/snort_httpinspect.c:
+ HTTP Inspect's "unlimited_decompress" option now requires that
+ "compress_depth" and "decompress_depth" are set to their max values.
+ * src/: fpcreate.c, dynamic-plugins/sf_dynamic_define.h,
+ dynamic-plugins/sf_dynamic_engine.h,
+ preprocessors/Stream5/snort_stream5_tcp.c:
+ Fixed an error that prevented compiling with --disable-dynamicplugin.
+ Thanks to Jason Wallace for reporting this issue.
+ * src/dynamic-preprocessors/ftptelnet/: snort_ftptelnet.c,
+ snort_ftptelnet.h, spp_ftptelnet.c:
+ Changed the names of ProcessGlobalConf() and PrintGlobalConf() inside
+ the ftp_telnet preprocessor to avoid a naming conflict with similar
+ functions in HTTP Inspect.
+ Thanks to Bruce Corwin for reporting this issue.
+ * src/preprocessors/: perf.c, perf-base.c, perf-base.h, perf-flow.c,
+ perf-flow.h:
+ Fixed comparisons between signed and unsigned int, which lead to
+ a faulty length check.
+ Thanks to Cihan Ayyildiz and Jason Wallace for helping us debug this
+ issue.
+
+2011-02-28 Ryan Jordan
+Snort 2.9.0.4
+ * src/build.h:
+ Increment Snort build number to 111.
+ * src/preprocessors/HttpInspect/client/hi_client.c:
+ src/preprocessors/HttpInspect/server/hi_server.c:
+ Fixed a bug in the way partial HTTP headers are handled.
+
+2011-02-10 Ryan Jordan
+Snort 2.9.0.4
+ * src/build.h: Increment Snort build number to 110
+ * snort.8, src/snort.c:
+ Updated Snort man page to match the output of "snort --help".
+ Removed "-o" from the list of valid options, since it was removed
+ a while ago.
+ The verdict from defragged packets are no longer cleared, so that
+ they can be applied to the raw packet.
+ Thanks to Markus Lude for submitting a patch that fixed errors in the
+ man page.
+ * src/fpcreate.c:
+ Deletec the call to fpDeletePortGroup() prior to calling FatalError().
+ * src/parser.c:
+ Fixed portvar parsing code to correctly dislpay names of undefined
+ portvars.
+ * src/preprocessors/Stream5/snort_stream5_tcp.c:
+ Fixed a FIN sequence number handling issue, where RST after FIN caused a
+ false positive on Stream5 preprocessor rule 129:15.
+ Thanks to Jason Wallace for pointing out the issue.
+ * doc/: INSTALL, README.frag3, README.http_inspect, README.stream5,
+ snort_manual.tex, snort_manual.pdf:
+ Added documentation for the option "small-segments".
+ Updated team members.
+ Clarified some undocumented "flow" options.
+ Minor edits to punctuation on "ssl_version" examples.
+ Re-worded uricontent's description.
+ Added missing semicolons to rule option examples.
+ Updated "enable_cookie" documentation.
+ Added documentation for "iis_encode" in http_encode keywords.
+ Improved the description of the "disable" keyword.
+ Added "--enable-sourcefire" description.
+ Thanks to Joshua Kinard for sending in several patches to the manual.
+ * doc/: Makefile.am, README.rzb_saac:
+ Added SaaC readme.
+ * configure.in, doc/Makefile.am, doc/README.rzb_saac, src/snort.c,
+ src/util.c, src/util.h,
+ src/dynamic-plugins/sf_engine/examples/Makefile.am,
+ src/dynamic-preprocessors/Makefile.am,
+ src/dynamic-preprocessors/dns/spp_dns.c,
+ src/dynamic-preprocessors/rzb_saac/Makefile.am,
+ src/dynamic-preprocessors/rzb_saac/rzb_debug.c,
+ src/dynamic-preprocessors/rzb_saac/rzb_debug.h,
+ src/dynamic-preprocessors/rzb_saac/rzb_http-client.c,
+ src/dynamic-preprocessors/rzb_saac/rzb_http-client.h,
+ src/dynamic-preprocessors/rzb_saac/rzb_http-collector.h,
+ src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.c,
+ src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.h,
+ src/dynamic-preprocessors/rzb_saac/rzb_http-server.c,
+ src/dynamic-preprocessors/rzb_saac/rzb_http-server.h,
+ src/dynamic-preprocessors/rzb_saac/rzb_http.h,
+ src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.c,
+ src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.h,
+ src/dynamic-preprocessors/rzb_saac/sf_preproc_info.h,
+ src/dynamic-preprocessors/rzb_saac/spp_rzb-saac.c:
+ Added Razorback SaaC to the dynamic-preprocessors.
+ Use --enable-rzb-saac to build it. Moved the initgroups call to a
+ separate function and call it from the main thread.
+ * src/detection-plugins/sp_clientserver.c:
+ Fixed an erroneous error check so that "no_frag" and "no_stream" can be
+ used in the same "flow" rule option.
+ * src/detection-plugins/sp_pattern_match.c:
+ Rules that use a "depth" value lower than the length of their content
+ now cause an error. Depth should be >= the content length.
+ * src/detection-plugins/sp_tcp_flag_check.c:
+ Changed the reserved bits flags "1, 2" to "C, E". The old values can still
+ be used for backwards compatability.
+ * preproc_rules/preprocessor.rules:
+ Added references to FTP and SMTP preprocessor rules.
+ * src/dynamic-plugins/sf_engine/examples/: detection_lib_meta.h:
+ Removed extraneous ifdef
+ * src/: preprocessors/spp_frag3.c, preprocessors/spp_sfportscan.c,
+ dynamic-preprocessors/dcerpc2/dce2_config.c:
+ Added startup log message to show that the preprocessors are
+ inactive when added to snort.conf as "disabled".
+ Updated frag3 startup log to indicate the memcap frmo which prealloc
+ fragments were generated.
+ * src/preprocessors/: spp_frag3.c, Stream5/snort_stream5_session.c:
+ Updated the Frag3KeyCmp and Stream5KeyCmp functions to handle 32bit
+ sparc platforms where 64bit pointer comparisons can cause bus
+ errors. Thanks to Stephan for reporting this issue.
+ * src/: preprocessors/portscan.c, win32/WIN32-Includes/config.h:
+ Portscan preprocessor's hash table is now allocated based on
+ the memcap, instead of being the same size.
+ * src/dynamic-preprocessors/dcerpc2/: dce2_co.c, dce2_utils.c, dce2_smb.c:
+ Fixed a bug that caused dcerpc2 to reassemble some segments incorrectly.
+ If extra bytes at the end of a request corrupt the next request, they
+ will be discarded.
+ * src/dynamic-preprocessors/ssl/spp_ssl.c:
+ Updated the SSL preproc to count the packets it processes,
+ instead of counting all packets to enter the intiial function.
+ * doc/: faq.tex, faq.pdf:
+ Updated FAQ based on snort.org reorganization.
+ * doc/: README.http_inspect, snort_manual.pdf, snort_manual.tex:
+ Updated cookie documentation.
+ Cookie buffer includes "Cookie" header name for HTTP requests and
+ "Set-Cookie" for HTTP responses.
When enable_cookie is disabled,
+ cookie buffer points to the HTTP header
+ * src/preprocessors/snort_httpinspect.c:
+ Fixed the error message during parsing of HTTP inspect
+ server config. Make it a warning.
+ * src/: detection_util.h, preprocessors/snort_httpinspect.c,
+ preprocessors/spp_httpinspect.c,
+ preprocessors/HttpInspect/client/hi_client.c,
+ preprocessors/HttpInspect/include/hi_client.h,
+ preprocessors/HttpInspect/include/hi_norm.h,
+ preprocessors/HttpInspect/include/hi_ui_config.h,
+ preprocessors/HttpInspect/normalization/hi_norm.c,
+ preprocessors/HttpInspect/server/hi_server.c:
+ Fixed a false positive due to a large chunk length followed
+ by a small packet.
+ Moved the lookup table such that they are initialized only once.
+ When de-chunking returns error, the data is now inspected as a
+ normal body.
+ Moved the Initialize function out of hi_ui_config.h.
+ CRLFs are no longer placed in the status message buffer.
+ * many files:
+ Updated all Sourcefire copyright notices to the year 2011.
+
+2010-12-20 Ryan Jordan
+Snort 2.9.0.3
+ * src/build.h:
+ Increment Snort build number to 98
+ * doc/: snort_manual.tex, snort_manual.pdf:
+ Fixed Snort manual descriptions of some rule options.
+ Changed whitespace in several areas to be more consistent.
+ Max mime mem example changed from 1000 to 4000.
+ Updated manual for distance / within / offset / depth combos.
+ Thanks to Joshua Kinard for submitting several fixes.
+ * doc/INSTALL:
+ Update doc/INSTALL with instructions for building on OpenBSD.
+ * src/dynamic-preprocessors/smtp/smtp_config.c:
+ Print alert_unknown_commands in SMTP config of snort output.
+ Print the SMTP MIME config details with snort output.
+ * src/: decode.c, decode.h, snort.c:
+ discriminate between ip4 and ip6 raw packets
+ Thanks to Gerald Maziarski for reporting this issue.
+ * src/detection-plugins/: detection_options.c, sp_byte_jump.c,
+ sp_pattern_match.c:
+ restore doe flags along with doe pointer.
+ * preproc_rules/preprocessor.rules:
+ Updated preprocessor.rules references to match VRT.
+ * src/dynamic-preprocessors/smtp/spp_smtp.c:
+ When the SMTP preprocessor is started in a
+ "disabled" state, it no longer requires Stream5.
+ * src/decode.c:
+ Truncated ESP traffic is now handled correctly.
+ Thanks to rmkml for bringing the issue to our attention.
+ * src/: decode.c, fpdetect.c:
+ Fixed a problem with handling UDP/IPv6 over Teredo where the inner UDP
+ header was malformed.
+ * preproc_rules/preprocessor.rules:
+ Added a reference to preprocessor.rules.
+ * src/dynamic-preprocessors/smtp/spp_smtp.c:
+ When the SMTP preprocessor is started in a
+ "disabled" state, it no longer requires Stream5.
+ * src/detection-plugins/: detection_options.c, sp_pattern_match.c:
+ Update content to check for HTTP_RESP_BODY in packet flag
+ if option is relative and not using rawbytes.
+ * etc/snort.conf:
+ Update with snort.conf from VRT
+ * src/dynamic-plugins/sf_engine/examples/detection_lib_meta.h:
+ Bumped minor version number in example detection lib.
+ * src/preprocessors/spp_frag3.c:
+ Fix memory leak when there are two zero offset
+ fragments with different IP options. Previous code was blindly
+ copying new IP options over top of existing ones.
+ * src/dynamic-plugins/sf_engine/: sf_snort_detection_engine.c,
+ sf_snort_plugin_api.h:
+ Fixed overlaps in various flags in the Shared Object rule API.
+ Shared Object rules from previous 2.9.0 versions need to be recompiled.
+ * src/detection-plugins/sp_pattern_match.c:
+ Moved non-zero initializations in the PatternMatchData struct
+ to the NewNode() function. This fixes the use of depth, offset,
+ distance, and within on uricontent options.
+ Reject invalid combinations of distance/within and offset/depth
+ including repeated keywords.
+ Thanks to Dave Bertouille and Daniel Clemens for pointing out issues here.
+ * src/: snort.c, util.c, util.h:
+ write correct pid to file for glibc2.2 / linux threads
+ * src/preprocessors/: snort_httpinspect.c,
+ HttpInspect/mode_inspection/hi_mi.c:
+ Fixed an instance where HTTP session data was not checked.
+DAQ 0.5
+ * daq/os-daq-modules/Makefile.am:
+ The IPFW DAQ now builds on OpenBSD.
+ Thanks to Ross Lawrie, Randall Rioux, and many others for reporting this.
+
+2010-11-15 Ryan Jordan
+Snort 2.9.0.2
+ * preproc_rules/preprocessor.rules:
+ Added a reference to an 0day ProFTP bug in a FTP
+ preprocessor rule.
+ * src/build.h:
+ Increment Snort build number to 92
+ * src/preprocessors/Stream5/snort_stream5_tcp.c:
+ Count only acked segs for flushing post-ack. Thanks to Eoin Miller
+ for helping track this issue and provide test scenarios.
+ * src/detection_util.h:
+ * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
+ * src/preprocessors/Stream5/snort_stream5_tcp.c:
+ fix file_data:mime in So rules. content matches following
+ file_data:mime should not enter fast pattern matcher. Reset file_data_ptr once
+ stream flush is done and stream reassembled packet is processed.
+ * src/dynamic-preprocessors/ssl/spp_ssl.c:
+ Fix return value for SSL rule options
+ * src/: plugbase.h, preprocessors/snort_httpinspect.c:
+ Set the dce preproc bit in HTTP only when server flow depth is -1
+ * src/dynamic-preprocessors/dcerpc2/: dce2_co.c, dce2_smb.c,
+ dce2_utils.c, dce2_utils.h, includes/smb.h:
+ use offset or remaining fields and overwrite
+ as appropriate instead of always appending data
+ * src/preprocessors/HttpInspect/server/hi_server.c:
+ * src/preprocessors/HttpInspect/client/hi_client.c:
+ Fixed a couple of memory leaks.
+ * src/preprocessors/HttpInspect/mode_inspection/hi_mi.c:
+ Fixed an error in the handling of HTTP Session Data.
+ * doc/: README.http_inspect,snort_manual.pdf, snort_manual.tex:
+ Update to the snort manual. remove the stream5
+ alerts. reference the gen-msg.map.
+ * preprocessors/Stream5/snort_stream5_tcp.c:
+ urgent pointer handling corrected for one
+ byte of urgent data at the start of a segment. The general case
+ of an N-byte urgent payload prefix would be handled here by
+ removing the == 1 limit in urg_offset == 1 but that restrictio
+ is not safe until we flush urgent data. As is, urgent data is
+ never flushed in reassembled packets and can only be detected i
+ raw packets.
+ pointer handling.
+ * src/: decode.h, detection_util.h, plugbase.h,
+ preprocessors/snort_httpinspect.c,
+ preprocessors/snort_httpinspect.h,
+ preprocessors/HttpInspect/server/hi_server.c,
+ Apply server flow depth on a session basis
+ rather than per packet basis. This change improves the
+ performance by disabling detect on packet when the packet is
+ beyond the specified flow depth. server_flow_depth now takes
+ values from -1 to 65535
+ * src/parser.c:
+ Correct setting of dup_opt_func and cleanup existing opt_func list before
+ hand to address parse-time leak.
+
+2010-11-01 Ryan Jordan
+Snort 2.9.0.1
+ * doc/: snort_manual.pdf, snort_manual.tex:
+ Added "flush_factor".
+ Fixed incorrect line wrap (thx Shawn Thompson).
+ values for within and depth updated
+ * src/build.h:
+ Increment Snort build number to 82.
+ * src/preprocessors/HttpInspect/: client/hi_client.c,
+ server/hi_server.c:
+ HTTP header buffers (raw/normalized) now include the missing \n (of \r\n\r\n).
+ * src/target-based/sf_attribute_table.y:
+ Set YYMAXDEPTH to something that covers large number of services for a single host.
+ * src/parser.c, src/preprocessors/spp_stream5.c,
+ doc/snort_manual.pdf, doc/snort_manual.tex:
+ Fix use of config flowbits_size and update default to 1024.
+ * src/detection-plugins/sp_pcre.c:
+ Correct calculation of offset to its original now that libpcre is fixed.
+ * src/: detection-plugins/sp_pcre.c, win32/WIN32-Includes/pcre.h,
+ win32/WIN32-Includes/pcreposix.h, win32/WIN32-Libraries/pcre.lib:
+ Update Win32 libpcre to newer version and use --enable-newline-is-cr instead of
+ --enable-newline-is-any. Also added comments to sp_pcre.c in terms of how Snort is
+ interpreting the ovector from pcre_exec.
+ * etc/gen-msg.map:
+ Added rules 120:4 and 120:5 to gen-msg.map.
+ * src/preprocessors/Stream5/snort_stream5_tcp.c:
+ Fix issue when handling overlap limit enforcement. Thanks to rmkml
+ and Miguel Alvarez for pointing out the issue.
+ * src/preprocessors/Stream5/snort_stream5_tcp.c:
+ fix flush after initial when acks are withheld
+ conditional on NORMALIZER
+ process stream after window slam unless normalizing
+ fully separate pre-ack flush from post-ack flush to ensure switching on policy for listener direction;
+ allow window limit greater than 16-bit; tweak flush point tracing.
+ added preprocessor rule 129:19, window slam
+ * src/preprocessors/Stream5/: snort_stream5_tcp.c,
+ stream5_common.h:
+ add stream5_tcp: flush_factor <#>
+ * doc/snort_manual.tex, src/detection-plugins/sp_ttl_check.c:
+ Allow >= and <= with ttl keyword. Also fix the parsing for ttl. Update manual
+ * src/util.c:
+ Make parent_wait variable volatile so it doesn't get optimized out.
+ * src/decode.c:
+ In CheckIPv4_MinTTL(), use the ttl passed as an argument instead of the packet's IP header.
+ * preproc_rules/preprocessor.rules:
+ adds preprocessor rule 129:19
+ * etc/gen-msg.map, preproc_rules/decoder.rules, src/decode.c,
+ src/generators.h:
+ Ported .so rule for ICMP DOS to decoder.
+ * etc/gen-msg.map, src/generators.h,
+ * src/: active.c, encode.c, detection-plugins/sp_react.c:
+ set ack number appropriately
+ * src/preprocessors/snort_httpinspect.c:
+ file data ptr should be set to the decode buffer when the http response body is normalized.
+ * src/preprocessors/HttpInspect/: client/hi_client.c,
+ server/hi_server.c:
+ inspect stream inserted packets to check if they have a valid HTTP response.
+ When there is a single segment HTTP response inspect the body.
+ Dont wait for the reassembled packet ( due to flush point issues)
+ * src/: detection_util.h, fpdetect.c,
+ detection-plugins/sp_byte_check.c,
+ detection-plugins/sp_byte_extract.c,
+ detection-plugins/sp_byte_jump.c,
+ detection-plugins/sp_ftpbounce.c,
+ detection-plugins/sp_isdataat.c,
+ detection-plugins/sp_pattern_match.c,
+ detection-plugins/sp_pcre.c, preprocessors/snort_httpinspect.c,
+ preprocessors/HttpInspect/server/hi_server.c:
+ When extended_response_inspection is not enabled check for "HTTP".
+ If present, apply flow depth otherwise do not disable detect and dont apply flow depth.
+ * doc/: README.http_inspect, snort_manual.pdf, snort_manual.tex:
+ Update Manual and README.http_inspect
+ * src/signature.c:
+ remove commented out printfs
+ * src/preprocessors/HttpInspect/server/hi_server.c:
+ inspect stream reassembled packets only when stream reassembly is turned on.
+ * tools/u2boat/Makefile.am:
+ Update Makefile to include docdir
+ * src/encode.c:
+ don't calculate checksum for pseudo-packets
+ * src/: decode.c, decode.h, detect.c, detection_util.c,
+ detection_util.h, fpdetect.c, log.c, log_text.c, mstring.c,
+ detection-plugins/detection_options.c,
+ detection-plugins/sp_asn1.c, detection-plugins/sp_base64_data.c,
+ detection-plugins/sp_base64_decode.c,
+ detection-plugins/sp_byte_check.c,
+ detection-plugins/sp_byte_extract.c,
+ detection-plugins/sp_byte_jump.c,
+ detection-plugins/sp_file_data.c,
+ detection-plugins/sp_ftpbounce.c,
+ detection-plugins/sp_isdataat.c,
+ detection-plugins/sp_pattern_match.c,
+ detection-plugins/sp_pcre.c, detection-plugins/sp_urilen_check.c,
+ dynamic-plugins/sf_dynamic_common.h,
+ dynamic-plugins/sf_dynamic_engine.h,
+ dynamic-plugins/sf_dynamic_plugins.c,
+ dynamic-plugins/sf_dynamic_preprocessor.h,
+ dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
+ dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
+ dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
+ dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
+ dynamic-preprocessors/ftptelnet/pp_ftp.c,
+ dynamic-preprocessors/ftptelnet/pp_telnet.c,
+ dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
+ dynamic-preprocessors/smtp/smtp_util.c,
+ dynamic-preprocessors/smtp/snort_smtp.c,
+ output-plugins/spo_unified2.c, preprocessors/snort_httpinspect.c,
+ preprocessors/spp_httpinspect.c, preprocessors/spp_rpc_decode.c,
+ preprocessors/HttpInspect/client/hi_client.c,
+ preprocessors/HttpInspect/normalization/hi_norm.c,
+ preprocessors/HttpInspect/server/hi_server.c,
+ preprocessors/HttpInspect/server/hi_server_norm.c,
+ preprocessors/Stream5/snort_stream5_tcp.c:
+ add buffer length attribute to alt decode buffer and don't set alt decode flag for alt_dsize changes
+ which are indicated by that value being non-zero.
+ * src/preprocessors/Stream5/snort_stream5_tcp.c:
+ purge listener for pre-ack
+ Flip the direction to match that the configurations in stream5_tcp.
+ * src/: decode.h, preprocessors/spp_httpinspect.c,
+ preprocessors/HttpInspect/normalization/hi_norm.c:
+ add new keyword to http_encode to detect ascii encoding
+ * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
+ Propigate noalert back to detection option tree.
+ * src/: parser.c, signature.c, signature.h:
+ Allow multiple .so rules to reference a single soid metadata.
+ * doc/: README.active, README.daq, snort_manual.pdf,
+ snort_manual.tex:
+ clarify use of multiple --daq and config daq.
+ * src/parser.c:
+ error on multiple --daq args
+
+2010-10-04 Ryan Jordan
+Snort 2.9.0
+ * doc/Makefile.am:
+ * doc/README.FLEXRESP:
+ * doc/README.FLEXRESP2:
+ * doc/README.http_inspect:
+ * doc/README.INLINE:
+ * doc/README.ipv6:
+ * doc/README.stream5:
+ * doc/README.wireless:
+ * doc/snort_manual.tex:
+ Removed obsolete README files. Updated README.ipv6.
+ Documented other changes made below.
+
+ * etc/gen-msg.map:
+ * preproc_rules/preprocessor.rules:
+ * src/generators.h:
+ Added new preprocessor rules for HTTP Inspect and Frag3.
+ Removed an old preprocessor rule for the already-removed dcerpc
+ preprocessor.
+
+ * rpm/snort.spec:
+ * src/build.h:
+ Updated version numbers.
+
+ * src/dynamic-plugins/sp_dynamic.c:
+ * src/fpcreate.c:
+ Shared Object rules which use HTTP Content as their Fast Pattern
+ should now work correctly.
+
+ * src/decode.c:
+ * src/decode.h:
+ * src/detection-plugins/detection_options.c:
+ * src/dynamic-plugins/sf_dynamic_engine.h:
+ * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
+ * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
+ * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
+ * src/dynamic-plugins/sp_preprocopt.c:
+ * src/dynamic-preprocessors/dcerpc2/dce2_roptions.c:
+ * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
+ * src/dynamic-preprocessors/sdf/sdf_detection_option.c:
+ * src/dynamic-preprocessors/sdf/sdf_pattern_match.c:
+ * src/dynamic-preprocessors/sdf/spp_sdf.c:
+ * src/dynamic-preprocessors/ssl/spp_ssl.c:
+ * src/parser.c:
+ * src/ppm.c:
+ * src/ppm.h:
+ * src/profiler.c:
+ * src/target-based/sf_attribute_table_parser.l:
+ Miscellaneous code cleanup.
+ Other preprocessor rules had to be modified as part of the new Stream5
+ rule option listed below.
+
+ * src/preprocessors/HttpInspect/client/hi_client.c:
+ * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
+ * src/preprocessors/HttpInspect/include/hi_eo_events.h:
+ * src/preprocessors/HttpInspect/include/hi_norm.h:
+ * src/preprocessors/HttpInspect/include/hi_server_norm.h:
+ * src/preprocessors/HttpInspect/include/hi_ui_config.h:
+ * src/preprocessors/HttpInspect/normalization/hi_norm.c:
+ * src/preprocessors/HttpInspect/server/hi_server.c:
+ * src/preprocessors/HttpInspect/server/hi_server_norm.c:
+ * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
+ * src/preprocessors/snort_httpinspect.c:
+ * src/preprocessors/snort_httpinspect.h:
+ * src/preprocessors/spp_httpinspect.c:
+ * src/sfutil/util_utf.c:
+ * src/sfutil/util_utf.h:
+ * src/sfutil/Makefile.am:
+ * snort_head/snort/src/win32/WIN32-Prj/snort.dsp:
+ HTTP Inspect now handles "chunked" Transfer-Encoding for any Content-Encoding,
+ not just for gzipped responses.
+ HTTP Inspect now decompresses responses with "Content-Encoding: deflate".
+ HTTP Inspect now normalizes server responses that use UTF-16 or UTF-32
+ charsets.
+
+ * src/preprocessors/portscan.c:
+ * src/preprocessors/spp_sfportscan.c:
+ * src/preprocessors/Stream5/snort_stream5_tcp.c:
+ Fixed an issue with some Stream5 sessions not being cleared until shutdown.
+ Fixed a bug that caused false positives on Stream5 rule 129:4.
+ Fixed a bug where Stream5 reassembled on all ports when sfportscan was in
+ snort.conf, but in a "disabled" state.
+ Added a preprocessor rule option, enabled by Stream5. The syntax is
+ "reassembly: , [,noalert]". It enables/disables
+ Stream reassembly for the session that matches the rule.
+
+2010-09-03 Ryan Jordan
+Snort 2.9.0 RC
+ * Fixed clean shutdown after reload.
+ * Fixed tagging to log tagged packets regardless of filtering.
+ * Fixed mempool initialization of free list count bug reported by
+ zhangz@risinginfo.com.
+ * Snort resized packets are now dropped and injected as required by DAQs.
+ * Fixed Snort I/O Totals reporting injected packets with IPFW when NO
+ packets are injected externally.
+ * Tweaked Snort's dynamic preprocessor example.
+ * More informative dynamic preprocessor loading error messages.
+ * Added preprocessor alerts added to alert when Snort sees a client hello
+ after a server hello or when Snort sees a server hello without a client
+ hello when trustservers is disabled.
+ * Documentation Updates: Updates to HTTP inspect README and Snort Manual.
+ * Added parser error to fragoffset: Error when !, < and > operators are
+ used with each other.
+ * Updated README for daq with updated information on firewalls with FreeBSD
+ and OpenBSD
+ * Added more complete error checking to "byte_extract" rule option parsing.
+ * The Sensitive Data preprocessor no longer searches HTTP headers for PII, as
+ this introduced unnecessary false positives. In addition, the
+ "us_social_nodashes" rule is now off by default to avoid false positives.
+ * Added a new decoder alert for IPv6 extension headers that don't follow the
+ RFC's recommended order.
+ * Fixed a bug in the validation of IPv6 option lengths.
+ * Fixed a bug in the normalization of HTTP responses with both gzipped
+ Content-Encoding and chunked Transfer-Encoding.
+ * Teredo packets with another layer of UDP on top will now display the correct
+ port numbers in console output.
+ * Reduced false positives on decoder alerts when "config deep_teredo_inspection"
+ is enabled.
+ * Fixed a problem with evaulating UDP rules on Teredo traffic, where the result
+ of rule evaluation on the outer UDP
+ * Changed the default search methond in snort.conf from "ac-bnfa" to "ac-split".
+
+2010-06-23 Steven Sturges
+ * doc/README.active:
+ * doc/README.http_inspect:
+ * doc/README.ssl:
+ * doc/snort_manual.tex:
+ Updated descripgions of rule options.
+ * etc/gen-msg.map:
+ Update messages for IPv6 decoder events.
+ * src/win32/Makefile.am:
+ * src/win32/WIN32-Includes/libnet/Devioctl.h:
+ * src/win32/WIN32-Includes/libnet/gnuc.h:
+ * src/win32/WIN32-Includes/libnet/ifaddrlist.h:
+ * src/win32/WIN32-Includes/libnet/IPExport.h:
+ * src/win32/WIN32-Includes/libnet/IPHlpApi.h:
+ * src/win32/WIN32-Includes/libnet/IPTypes.h:
+ * src/win32/WIN32-Includes/libnet/libnet-asn1.h:
+ * src/win32/WIN32-Includes/libnet/libnet-functions.h:
+ * src/win32/WIN32-Includes/libnet/libnet.h:
+ * src/win32/WIN32-Includes/libnet/libnet-headers.h:
+ * src/win32/WIN32-Includes/libnet/libnet-macros.h:
+ * src/win32/WIN32-Includes/libnet/LibnetNT.h:
+ * src/win32/WIN32-Includes/libnet/libnet-ospf.h:
+ * src/win32/WIN32-Includes/libnet/libnet-structures.h:
+ * src/win32/WIN32-Includes/libnet/Ntddpack.h:
+ * src/win32/WIN32-Includes/libnet/packet_types.h:
+ * src/win32/WIN32-Includes/libnet/NTDDNDIS.H:
+ * src/win32/WIN32-Includes/libnet/PACKET32.H:
+ * src/win32/WIN32-Includes/mysql/config-netware.h:
+ * src/win32/WIN32-Includes/mysql/config-os2.h:
+ *
src/win32/WIN32-Includes/mysql/config-win.h:
+ * src/win32/WIN32-Includes/mysql/libmysqld.def:
+ * src/win32/WIN32-Includes/mysql/libmysql.def:
+ * src/win32/WIN32-Includes/mysql/m_ctype.h:
+ * src/win32/WIN32-Includes/mysql/m_string.h:
+ * src/win32/WIN32-Includes/mysql/my_dbug.h:
+ * src/win32/WIN32-Includes/mysql/my_getopt.h:
+ * src/win32/WIN32-Includes/mysql/my_global.h
+ * src/win32/WIN32-Includes/mysql/my_pthread.h:
+ * src/win32/WIN32-Includes/mysql/mysqld_error.h:
+ * src/win32/WIN32-Includes/mysql/mysql_embed.h:
+ * src/win32/WIN32-Includes/mysql/my_sys.h:
+ * src/win32/WIN32-Includes/mysql/raid.h:
+ * src/win32/WIN32-Libraries/libnet/LibnetNT.lib:
+ * src/inline.c:
+ * src/inline.h:
+ * src/detection-plugins/sp_respond.c:
+ * src/detection-plugins/sp_respond2.c:
+ Remove dead files.
+ * src/active.c:
+ * src/preprocessors/normalize.c:
+ * src/preprocessors/spp_normalize.c:
+ DAQ capability updates
+ * src/decode.c:
+ * src/decode.h:
+ * src/generators.h:
+ IPv6 decoding updates
+ * src/decode.c:
+ * src/log.c:
+ * src/log.h:
+ * src/log_text.c:
+ * src/log_text.h:
+ Improvement of packet output when obfuscating IP addresses.
+ * src/detection-plugins/sp_byte_jump.c:
+ Updates to multiplier parameter handling.
+ * src/detection-plugins/sp_react.c:
+ Added HTTP header to response payload.
+ * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
+ Update to handling string format detection.
+ * src/dynamic-preprocessors/libs/ssl.c:
+ * src/dynamic-preprocessors/libs/ssl.h:
+ * src/dynamic-preprocessors/ssl/spp_ssl.c:
+ Updates to handling of SSL rule options when handshake says SSLv2
+ but certificate is SSLv3 and interaction with Stream reassembled
+ packets.
+ * src/dynamic-preprocessors/sdf/spp_sdf.c:
+ Display configuration information at startup.
+ * src/fpdetect.c:
+ Improved handling of gzip decoded buffer for fast pattern searches.
+ * src/parser.c:
+ Updates to parsing of IP variables with negated IP ranges.
+ * src/preprocessors/HttpInspect/client/hi_client.c:
+ * src/preprocessors/HttpInspect/server/hi_server.c:
+ Chunk encoding processing updates.
+ * src/preprocessors/HttpInspect/client/hi_client.c:
+ * src/preprocessors/HttpInspect/include/hi_ui_config.h:
+ * src/preprocessors/HttpInspect/include/Makefile.am:
+ * src/preprocessors/HttpInspect/include/hi_cmd_lookup.h:
+ * src/preprocessors/HttpInspect/Makefile.am:
+ * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
+ * src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
+ * src/preprocessors/HttpInspect/utils/Makefile.am:
+ * src/preprocessors/HttpInspect/utils/hi_cmd_lookup.c:
+ * src/preprocessors/snort_httpinspect.c:
+ * src/preprocessors/snort_httpinspect.h:
+ * src/preprocessors/spp_httpinspect.c:
+ Use lookup for HTTP method validation.
+ * src/preprocessors/Stream5/snort_stream5_tcp.c:
+ Updated state tracking for FIN_WAIT_2 and LAST_ACK
+ * src/sfdaq.c:
+ * src/sfdaq.h:
+ * src/snort.c:
+ * src/util.c:
+ Handle -g/-u limited with DAQ modules that require root privs.
+
+2010-06-16 Ryan Jordan
+Snort 2.9.0 Beta
+ * Snort uses the DAQ library for packet acquisition and injection.
+ ./configure --enable-inline and --enable-ipfw are deleted. Just run ./snort
+ -Q to activate inline mode for DAQs that support it. See the README.daq there
+ for more.
+ * A normalizer preprocessor has been added to help minimize evasion vectors.
+ Use ./configure --enable-normalizer to build and config normalize_* to
+ enable. See README.normalize for more.
+ * Flexresp and flexresp2 have been replaced with a new flexresp3 module that
+ supports the rule keywords from each. ./configure --enable-flexresp
+ --enable-flexresp2 are deprecated.
+ * The react rule option has been rewritten to correct a number of issues. You
+ can also customize the injected content with config react. Use ./configure
+ --enable-react to build.
+ * config min_ttl is now policy specific. You can also set a normalization
+ value with config new_ttl.
+ * Snort has a new active response capability. Build it with ./configure
+ --enable-active-response. This mode enables automatically sending TCP resets
+ and ICMP unreachables. See README.active for more.
+ * Passive mode Snort can now inject packets for drop, sdrop, and reject rules.
+ In addition, block and sblock rules have been added as synonyms for drop and
+ sdrop to help avoid confusion between dropped packets and blocked packets.
+ Configure with config response.
+ * Snort shutdown output now includes new counts so you can see if any events
+ are not being reported due to event queue and pattern matching
+ configurations. Also, ./configure --enable-timestats has been eliminated but
+ the shutdown output of packet rates has been made standard.
+ * BPFs can be written for IPv6.
+ * ./snort -T has bee expanded to validate more than just the conf. For
+ example, you can now validate BPFs.
+ * Snort no longer depends on libnet and uses libdnet instead.
+ * Added the "byte_extract" detection option. This saves bytes from the packet
+ into variables for use by other options.
+ * Added support for byte_extract variables in the following rule options
+ * content (offset, depth, distance, within)
+ * byte_test (offset, comparison value)
+ * byte_jump (offset)
+ * isdataat (offset)
+ * Added decoder support for Teredo tunneling (IPv6 over UDP over IPv4).
+ * Added decoder support for Encapsulated Security Payload (ESP) with NULL encryption.
+ * Added 18 decoder rules for different types of malformed IPv6 headers.
+ * Moved 24 content-less rules into the packet decoder.
+ * The Sensitive Data preprocessor now prints its configuration on startup.
+ * Fixed the Snort RPM so that it installs the Sensitive Data preprocessor.
+ * Updated the description of the "-h" option in the Snort help output.
+ * Added a tools directory, with "u2boat" and "u2spewfoo". These programs can be
+ used to turn Unified2 files into pcaps and console output, respectively.
+ * Replaced Unified with Unified2 in snort.conf.
+ * Moved the rules/ directory into its own separate tarball.
+ * Snort will print encapsulated layers in text output.
+ * Initial iteration of DCE/RPC preprocessor removed.
+ * SO rule updates. Updated storeRuleData() and getRuleData() API
+ functions. Added dynamic allocation functions allocRuleData() and
+ freeRuleData() mainly for data stored on a stream session and to
+ utilize a new configuration option to put a memcap on the amount of
+ data SO rules allocate.
+ * Fixed possible non-runtime memory leak in SO rule preprocessor rule
+ options.
+ * Added negation support to SSL preprocessor rule options ssl_state and
+ ssl_version
+ * Added support for Intel's Soft CPM for use as a fast pattern matcher.
+ * Fixed issue when specifying a --pcap-dir where Snort would fatal
+ error if there was a broken symbolic link under the directory.
+ * Fixed an issue where copying an SO rule stub to modify the rule
+ action, IPs and/or ports didn't work as expected.
+ * Set state in SSL preprocessor even if record is truncated.
+ * Fixed inconsistency with flowbits behaviour if stream session timed
+ out. stream5 now resets flowbits on a timeout.
+ * Snort will now fatal error if adaptive profiles is enabled in any
+ policy other than the default policy.
+ * Fixed false positives caused by using the fast_pattern option with
+ the "only" argument on an http content in a rule.
+ * Fix OpenBSD compile with --enable-prelude.
+ * Fixed issue in SO rules converted to text rules that were not
+ setting mutliplier correctly.
+ * Fixed inconsistencies in behaviour with user defined rule types.
+ * Snort will now throw validation error for ipvar definition with
+ negated ip list that is more general that other ip list in
+ definition.
+ * Added support for IP variable substitution.
+ * Created new decoder event for ICMP PATH MTU denial of service
+ attempt.
+ * Fixed SSL preprocessor to potentially update state before
+ reassmebled packet is decoded.
+ * Added a new argument "mime" to the detection option "file_data".
+ This argument will set the doe_ptr to the start of the base64 decoded
+ MIME attachment. New config options "enable_mime_decoding", "max_mime_depth"
+ and "max_mime_mem" are added to SMTP configuration to support this feature.
+ * Added the "base64_decode" and "base64_data" detection option.
+ The "base64_decode" decodes the base64 encoded data. The "base64_data"
+ points the doe_ptr to the start of the base64 decoded buffer.
+ * Added a new mode "inline-test". This mode simulates the inline mode of snort,
+ allowing evaluation of inline behavior without affecting traffic. The command
+ line option --enable-inline-test and snort config option policy_mode:inline_test
+ added to support this feature. The drop rules will be loaded and will be
+ triggered as a Wdrop (Would Drop) alert.
+ * Added the support to extract the original client IP from the X-Forwarded-For
+ or True-Client-IP headers. This client IP will now be logged to the unified2
+ output when HTTP Inspect is configured with enable_xff.
+ * Added support to u2spewfoo to read the Orginal Client IP, Wdrop Alerts, Gzip decompressed Data.
+ * Added support to print the Gzip decompressed data with cmg output.
+
+2010-04-16 Ryan Jordan
+ * doc/README.dcerpc:
+ * doc/README.dcerpc2:
+ * doc/README.flowbits:
+ * doc/README.frag3:
+ * doc/README.http_inspect:
+ * doc/README.PerfProfiling:
+ * doc/README.sensitive_data:
+ * doc/README.sfportscan:
+ * doc/README.stream5:
+ * doc/snort_manual.tex:
+ Updated Snort documentation
+
+ * etc/classification.config:
+ * etc/gen-msg.map:
+ * etc/snort.conf:
+ Replaced snort.conf with the version we ship in the rules tarball.
+ Fixed a duplicate entry in gen-msg.map.
+
+ * src/decode.c:
+ * src/decode.h:
+ Added alert for IPv6/UDP packets with zero checksum.
+
+ * src/detection-plugins/detection_options.c:
+ * src/detection-plugins/sp_byte_check.c:
+ * src/detection-plugins/sp_byte_jump.c:
+ * src/detection-plugins/sp_isdataat.c:
+ For byte_test, byte_jump, and isdataat, only do an in bounds check of
+ the doe_ptr if the rule option is relative and will be using the doe_ptr.
+ * src/detection-plugins/sp_pattern_match.c:
+ Fixed a valgrind error.
+ * src/detection-plugins/sp_react.c:
+ Removed instances of the word "porn" from Snort.
+
+ * src/dynamic-plugins/sf_convert_dynamic.c:
+ * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
+ * src/dynamic-plugins/sp_dynamic.c:
+ Changed the parsing of dynamic detection plugins to register dynamic
+ rules per policy.
+
+ * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
+ * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
+ * src/preprocessors/spp_stream5.c:
+ * src/preprocessors/stream_api.h:
+ * src/preprocessors/stream_ignore.h:
+ * src/target-based/sftarget_protocol_reference.c:
+ The FTP preprocessor now marks data channels with the "ftp-data"
+ service identifier. Adaptive profiling must be turned on for this.
+
+ * src/dynamic-preprocessors/sdf/sdf_credit_card.c:
+ * src/dynamic-preprocessors/sdf/sdf_detection_option.c:
+ * src/dynamic-preprocessors/sdf/sdf_pattern_match.c:
+ * src/dynamic-preprocessors/sdf/sdf_pattern_match.h:
+ * src/dynamic-preprocessors/sdf/sdf_us_ssn.c:
+ * src/dynamic-preprocessors/sdf/spp_sdf.c:
+ * src/dynamic-preprocessors/sdf/spp_sdf.h:
+ * src/generators.h:
+ Moved the sensitive data preprocessor's preproc rule to GID 139.
+ Fixed the ability to reload Snort with sensitive_data turned on.
+ Fixed bugs in the parsing of "sd_pattern" rules that overlapped.
+ U.S. Social Security numbers are now required to have non-digits on
+ either side in order to cause a match.
+
+ * src/mempool.c:
+ * src/preprocessors/HttpInspect/client/hi_client.c:
+ * src/preprocessors/HttpInspect/include/hi_include.h:
+ * src/preprocessors/HttpInspect/include/hi_mi.h:
+ * src/preprocessors/HttpInspect/include/hi_server.h:
+ * src/preprocessors/HttpInspect/include/hi_ui_config.h:
+ * src/preprocessors/HttpInspect/include/hi_util.h:
+ * src/preprocessors/HttpInspect/mode_inspection/hi_mi.c:
+ * src/preprocessors/HttpInspect/normalization/hi_norm.c:
+ * src/preprocessors/HttpInspect/server/hi_server.c:
+ * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
+ * src/preprocessors/snort_httpinspect.c:
+ * src/preprocessors/snort_httpinspect.h:
+ Added a "max_gzip_mem" option to http_inspect. Use this to set
+ the maximum amount of memory used for gzip decompression.
+ The "+" sign is now normalized to a space.
+ Added a "disable" option to http_inspect so that a memcap can
+ be set without enabling http_inspect across all VLANs.
+
+ * src/preprocessors/sfprocpidstats.c:
+ * src/preprocessors/sfprocpidstats.h:
+ * src/preprocessors/spp_perfmonitor.c:
+ Fixed a memory leak.
+
+ * src/preprocessors/Stream5/snort_stream5_session.c:
+ * src/preprocessors/Stream5/snort_stream5_tcp.c:
+ * src/preprocessors/Stream5/snort_stream5_udp.c:
+ Fixed an issue that could cause Snort to take minutes to reload.
+
+ * src/snort.c:
+ Unblocked signals that Snort does not handle itself.
+
+ * src/win32/Makefile.am:
+ * src/win32/WIN32-Includes/config.h:
+ * src/win32/WIN32-Includes/mysql/config-netware.h:
+ * src/win32/WIN32-Includes/mysql/config-os2.h:
+ * src/win32/WIN32-Includes/mysql/config-win.h:
+ * src/win32/WIN32-Includes/mysql/errmsg.h:
+ * src/win32/WIN32-Includes/mysql/libmysqld.def:
+ * src/win32/WIN32-Includes/mysql/libmysql.def:
+ * src/win32/WIN32-Includes/mysql/m_ctype.h:
+ * src/win32/WIN32-Includes/mysql/m_string.h:
+ * src/win32/WIN32-Includes/mysql/my_alloc.h:
+ * src/win32/WIN32-Includes/mysql/my_dbug.h:
+ * src/win32/WIN32-Includes/mysql/my_getopt.h:
+ * src/win32/WIN32-Includes/mysql/my_global.h:
+ * src/win32/WIN32-Includes/mysql/my_list.h:
+ * src/win32/WIN32-Includes/mysql/my_pthread.h:
+ * src/win32/WIN32-Includes/mysql/mysql_com.h:
+ * src/win32/WIN32-Includes/mysql/mysqld_error.h:
+ * src/win32/WIN32-Includes/mysql/mysql_embed.h:
+ * src/win32/WIN32-Includes/mysql/mysql.h:
+ * src/win32/WIN32-Includes/mysql/mysql_time.h:
+ * src/win32/WIN32-Includes/mysql/mysql_version.h:
+ * src/win32/WIN32-Includes/mysql/my_sys.h:
+ * src/win32/WIN32-Includes/mysql/raid.h:
+ * src/win32/WIN32-Includes/mysql/typelib.h:
+ * src/win32/WIN32-Prj/snort.dsw:
+ * src/win32/WIN32-Prj/snort_installer.nsi:
+ Updated the MySQL client library in the Windows build.
+ Fixed a conflict between MSSQL headers and the newer Windows Platform SDK.
+
+
+2010-01-27 Ryan Jordan
+ * doc/Makefile.am:
+ Added README.sensitive_data
+ * doc/README.dcerpc2:
+ Removed "events" from default configuration.
+ * doc/README.http_inspect:
+ Added support for extended ascii codes in HTTP request URI using a new configurable option "extended_ascii_uri"
+ Changed the pattern match to search only the HTTP response body when extended response inspection is enabled. Also copy only the decompressed data into the decode buffer.
+ * doc/README.INLINE:
+ Content replacement now allows replacement strings of varying sizes.
+ * doc/README.multipleconfigs:
+ Limit number of individual networks per line to 512.
+ * doc/README.stream5:
+ Removed "min_ttl" option, added the latest stream alerts.
+ * doc/snort_manual.tex:
+ Fixed typos, updated the Snort manual to match the README updates.
+ Eliminated the kick-ass and the lotion.
+ Updated with new PCRE options.
+ * etc/classification.config:
+ Cleaned up classification.config. Thanks to Guise McAllaster for reporting this issue.
+ * etc/gen-msg.map:
+ Added sig ID for http_inspect's chunk size mismatch.
+ * etc/snort.conf:
+ Fixed typos. Default "dynamicengine" entry is now specified by directory.
+ * src/build.h:
+ Updated build number.
+ * src/checksum.h:
+ checksum calculation for icmpv6 added . also fixed a warning in hi_client.c
+ * src/configure.in:
+ Updated makefile/configure script to optionally build dynamic examples.
+ Thanks to Markus Lude for raising the issue.
+
+ Fixed linker option on Solaris 10 to use nanosleep.
+ Thanks to Randal T. Rioux for reporting this issue.
+ * src/decode.c:
+ checksum calculation for icmpv6 added . also fixed a warning in hi_client.c
+ * src/decode.h:
+ Change the pattern match to search only the HTTP response body when extended response inspection is enabled. Also copy only the decompressed data into the decode buffer.
+ * src/detect.c:
+ Formatting changes.
+ * src/detection-plugins/sp_asn1.c:
+ * src/detection-plugins/sp_byte_check.c:
+ * src/detection-plugins/sp_ip_proto.c:
+ Replaced strol and strtoul with inline functions that reset errno first.
+ * src/detection-plugins/sp_pattern_match.c:
+ Check if file_data is within the packet boundaries and set the search depth accordingly.
+ * src/detection-plugins/sp_pcre.c:
+ Pcre new options fix. Raw options and status options werent matching as expected.
+ * src/detection-plugins/sp_replace.c:
+ checksum calculation for icmpv6 added . also fixed a warning in hi_client.c
+ * src/dynamic-examples/Makefile.am:
+ * src/Makefile.am:
+ Update makefile/configure script to optionally build dynamic examples.
+ * src/dynamic-plugins/sf_dynamic_plugins.c:
+ Replaced strol and strtoul with inline functions that reset errno first.
+ * src/dynamic-plugins/sf_dynamic_preprocessor.h:
+ * src/event_queue.c:
+ * src/event_queue.h:
+ * src/preprocessors/spp_frag3.c:
+ * src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
+ * src/sfutil/sfeventq.h:
+ * src/snort.c:
+ * src/snort.h:
+ Fixed a bug where Snort would log a packet other than the one triggering the alert.
+ * src/dynamic-preprocessors/dcerpc2/dce2_debug.c:
+ * src/dynamic-preprocessors/dcerpc2/dce2_roptions.c:
+ * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
+ * src/dynamic-preprocessors/libs/sfparser.c:
+ * src/output-plugins/spo_unified2.c:
+ * src/parser.c:
+ * src/preprocessors/spp_perfmonitor.c:
+ * src/preprocessors/Stream5/snort_stream5_tcp.c:
+ Replaced strol and strtoul with inline functions that reset errno first.
+ * src/dynamic-preprocessors/dcerpc2/sf_preproc_info.h:
+ * src/dynamic-preprocessors/dns/sf_preproc_info.h:
+ * src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h:
+ * src/dynamic-preprocessors/smtp/sf_preproc_info.h:
+ * src/dynamic-preprocessors/ssh/sf_preproc_info.h:
+ * src/dynamic-preprocessors/ssl/sf_preproc_info.h:
+ Updated build version number.
+ * src/dynamic-preprocessors/sdf/.cvsignore:
+ Added .cvsignore file
+ * src/dynamic-preprocessors/sdf/sdf_credit_card.c:
+ * src/dynamic-preprocessors/sdf/sdf_credit_card.h:
+ Added license text.
+ Added check for the Issuer Number in credit card numbers.
+ * src/dynamic-preprocessors/sdf/sdf_detection_option.c:
+ * src/dynamic-preprocessors/sdf/sdf_detection_option.h:
+ * src/dynamic-preprocessors/sdf/sdf_pattern_match.c:
+ * src/dynamic-preprocessors/sdf/sdf_pattern_match.h:
+ Added license text.
+ Fixed error when using the same sensitive data rule in multiple policies.
+ Sensitive data rules must use the preprocessor's generator ID.
+ * src/dynamic-preprocessors/sdf/sdf_us_ssn.c:
+ * src/dynamic-preprocessors/sdf/sdf_us_ssn.h:
+ Added license text.
+ * src/dynamic-preprocessors/sdf/spp_sdf.c:
+ * src/dynamic-preprocessors/sdf/spp_sdf.h:
+ Fixed double-free when the preprocessor was enabled in multiple policies.
+ Added the ability to search HTTP Uri buffers for sensitive data.
+ Fixed the pcap header for pseudo-packets generated by the preprocessor.
+ * src/fpcreate.c:
+ OpenBSD update
+ * src/generators.h:
+ Added alert for HTTP chunk size mismatch.
+ * src/obfuscation.c:
+ Made a debug message optionally compilable.
+ * src/output-plugins/spo_log_tcpdump.c:
+ Fix use of -L option to work correctly.
+ Thanks to Allan Adkins for reporting this issue.
+ * src/preprocessors/HttpInspect/client/hi_client.c:
+ * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
+ * src/preprocessors/HttpInspect/include/hi_eo_events.h:
+ * src/preprocessors/HttpInspect/include/hi_ui_config.h:
+ * src/preprocessors/HttpInspect/include/hi_include.h:
+ * src/preprocessors/HttpInspect/include/hi_util.h:
+ * src/preprocessors/HttpInspect/server/hi_server.c:
+ Added http response stats.
+ Added support for extended ascii codes in HTTP request URI
+ using a new configurable option "extended_ascii_uri"
+ Added an alert for incorrect chunk size fields.
+ * src/preprocessors/perf.c:
+ Fixed null deref when "rotate stats" signal was caught w/out perfmon enabled.
+ * src/preprocessors/snort_httpinspect.c:
+ Fixed a case where the HTTP Inspect preprocessor would disable the Sensitive Data preprocessor.
+ * src/preprocessors/spp_httpinspect.c:
+ Decompressed bytes read will now be based on the total out of zstream.
+ * src/target-based/sftarget_reader.c:
+ attribute table printing - converting to host order before printing the ip address
+ * src/util.c:
+ * src/util.h:
+ adding zlib version information for snort -V
+ * src/win32/Makefile.am:
+ Add zlib 1.2.3 to Win32 build.
+ * src/win32/WIN32-Includes/config.h:
+ * src/win32/WIN32-Includes/zlib/zconf.h:
+ * src/win32/WIN32-Includes/zlib/zlib.h:
+ * src/win32/WIN32-Prj/snort.dsp:
+ Add zlib 1.2.3 to Win32 build.
+ * src/win32/WIN32-Prj/snort_installer.nsi:
+ Added Sensitive Data preproc to Windows installer script.
+
+2009-12-21 Ryan Jordan
+ * doc/README.dcerpc:
+ Added deprecation notice.
+ * doc/README.dcerpc2:
+ Added note about fast pattern contents.
+ * doc/README.filters:
+ Slight change to indicate that filters were introduced in 2.8.5,
+ which is no longer the current version.
+ * doc/README.flowbits:
+ Added documentation for flowbit groups.
+ * doc/README.http_inspect:
+ Added documentation for new HTTP rule options.
+ * doc/snort_manual.tex:
+ Updated for HTTP rule options and other cleanup.
+ * doc/TODO:
+ Removed obfuscation code from the TODO.
+ * etc/gen-msg.map:
+ Added new Stream5 alert for the "TCP 4-way handshake"
+ * etc/snort.conf:
+ Fixed typos. Added examples for Unified2 output and Sensitive Data
+ preprocessor config.
+ * rpm/snort.spec:
+ Updated version number.
+ * src/bounds.h:
+ Formatting change. Added "SafeMemCheck" function. Modified "SafeMemcpy"
+ and "SafeMemset" to use it.
+ * src/build.h:
+ Updated build number.
+ * src/debug.c:
+ Moved definition for snort_conf.
+ * src/decode.h:
+ Made changes for HTTP response gzip support.
+ * src/detect.c:
+ Updated to use new Obfuscation API.
+ * src/sfutil/mpse.c:
+ * src/sfutil/mpse.h:
+ * src/fpcreate.c:
+ * src/fpcreate.h:
+ * src/sfutil/acsmx2.c:
+ * src/sfutil/acsmx2.h:
+ Added support for ac "split" pattern matcher to use less memory with
+ improved performance over ac-bnfa. Thanks to Charlie Lasswell for
+ the ideas!
+ * src/detect.h:
+ * src/event_wrapper.c:
+ * src/event_wrapper.h:
+ * src/inline.c:
+ * src/profiler.c:
+ * src/rate_filter.h:
+ * src/rules.h:
+ * src/tag.c:
+ * src/tag.h:
+ * src/treenodes.h:
+ OTNs and RTNs were moved to their own header file.
+ * src/detection-plugins/detection_options.c:
+ * src/detection-plugins/Makefile.am:
+ * src/detection-plugins/sp_file_data.c:
+ * src/detection-plugins/sp_file_data.h:
+ New detection option "file_data" was added.
+ * src/detection-plugins/detection_options.h:
+ * src/rule_option_types.h:
+ Moved option_type_t to its own header file.
+ * src/detection-plugins/sp_flowbits.c:
+ * src/detection-plugins/sp_flowbits.h:
+ allowing flowbits group name only with set and toggle operations
+ check if the content rules have http modifiers.
+ * src/detection-plugins/sp_replace.c:
+ need to check from the relative depth for bounds
+ adjust the bounds while replacing to prevent buffer overflow.
+ allow replace with different size strings. enhancement to replace.
+ * src/detection-plugins/sp_isdataat.c:
+ negated isdataat support.
+ * src/detection-plugins/sp_pattern_match.c:
+ * src/detection-plugins/sp_pattern_match.h:
+ Update pattern match parsing to error on invalid rules.
+ * src/detection-plugins/sp_asn1.c:
+ * src/detection-plugins/sp_byte_check.c:
+ * src/detection-plugins/sp_byte_jump.c:
+ * src/detection-plugins/sp_clientserver.c:
+ * src/detection-plugins/sp_cvs.c:
+ * src/detection-plugins/sp_dsize_check.c:
+ * src/detection-plugins/sp_ftpbounce.c:
+ * src/detection-plugins/sp_icmp_code_check.c:
+ * src/detection-plugins/sp_icmp_id_check.c:
+ * src/detection-plugins/sp_icmp_seq_check.c:
+ * src/detection-plugins/sp_icmp_type_check.c:
+ * src/detection-plugins/sp_ip_fragbits.c:
+ * src/detection-plugins/sp_ip_id_check.c:
+ * src/detection-plugins/sp_ipoption_check.c:
+ * src/detection-plugins/sp_ip_proto.c:
+ * src/detection-plugins/sp_ip_proto.h:
+ * src/detection-plugins/sp_ip_same_check.c:
+ * src/detection-plugins/sp_ip_tos_check.c:
+ * src/detection-plugins/sp_pcre.c:
+ * src/detection-plugins/sp_pcre.h:
+ * src/detection-plugins/sp_react.c:
+ * src/detection-plugins/sp_respond2.c:
+ * src/detection-plugins/sp_respond.c:
+ * src/detection-plugins/sp_rpc_check.c:
+ * src/detection-plugins/sp_session.c:
+ * src/detection-plugins/sp_tcp_ack_check.c:
+ * src/detection-plugins/sp_tcp_flag_check.c:
+ * src/detection-plugins/sp_tcp_seq_check.c:
+ * src/detection-plugins/sp_tcp_win_check.c:
+ * src/detection-plugins/sp_ttl_check.c:
+ * src/detection-plugins/sp_urilen_check.c:
+ * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
+ * src/dynamic-preprocessors/ssl/spp_ssl.c:
+ Updated calls to RegisterRuleOption() to match new definiton.
+ * src/dynamic-plugins/sf_convert_dynamic.c:
+ Updated conversion of Content and PCRE rule options to match HTTP changes.
+ * src/dynamic-plugins/sf_dynamic_common.h:
+ Updated HTTP flags.
+ * src/dynamic-plugins/sf_dynamic_engine.h:
+ * src/dynamic-plugins/sp_preprocopt.c:
+ * src/dynamic-plugins/sp_preprocopt.h:
+ Added definition of OTN Handler. A detection option or preprocessor can
+ register one of these to get the OTN of any rule using its rule option.
+ * src/dynamic-plugins/sf_dynamic_plugins.c:
+ * src/dynamic-plugins/sf_dynamic_preprocessor.h:
+ * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
+ Added several items to DynamicPreprocessorData, to allow dynamic
+ preprocessors to call more Snort functions.
+ * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
+ * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
+ * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
+ * src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
+ * src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
+ * src/dynamic-plugins/sp_dynamic.c:
+ * src/dynamic-plugins/sp_dynamic.h:
+ Check for HTTP modifiers to Content and PCRE options in shared object
+ rules.
+ * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
+ Added missing Packet member to SFSnortPacket.
+ * src/dynamic-preprocessors/dcerpc/dcerpc.c:
+ * src/dynamic-preprocessors/dcerpc/dcerpc.h:
+ Moved DCERPC_FragType definition.
+ * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
+ * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
+ * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
+ * src/dynamic-preprocessors/dcerpc2/dce2_co.c:
+ * src/dynamic-preprocessors/dcerpc2/dce2_config.c:
+ * src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
+ * src/preprocessors/portscan.h:
+ * src/preprocessors/spp_frag3.c:
+ * src/preprocessors/spp_sfportscan.c:
+ Added "disabled" option to frag3_global, stream5_global, portscan,
+ dcerpc, and dcerpc2 preprocessor configurations so that memcaps can be
+ specified in the default configuration w/o enabling that preprocessor.
+ This allows specification of the preprocessors only in the desired
+ configuration.
+ * src/dynamic-preprocessors/dcerpc/Makefile.am:
+ * src/dynamic-preprocessors/dcerpc2/Makefile.am:
+ * src/dynamic-preprocessors/dns/Makefile.am:
+ * src/dynamic-preprocessors/dns/sf_dns.dsp:
+ * src/dynamic-preprocessors/ftptelnet/Makefile.am:
+ * src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp:
+ * src/dynamic-preprocessors/smtp/Makefile.am:
+ * src/dynamic-preprocessors/ssh/Makefile.am:
+ * src/dynamic-preprocessors/ssl/Makefile.am:
+ * src/dynamic-preprocessors/smtp/sf_smtp.dsp:
+ * src/dynamic-preprocessors/ssh/sf_ssh.dsp:
+ * src/dynamic-preprocessors/ssl/sf_ssl.dsp:
+ Fix make dist to include all required files.
+ * src/dynamic-preprocessors/dcerpc2/dce2_event.c:
+ * src/dynamic-preprocessors/dcerpc2/dce2_list.h:
+ * src/dynamic-preprocessors/dcerpc2/dce2_utils.c:
+ * src/dynamic-preprocessors/dcerpc2/dce2_utils.h:
+ * src/dynamic-preprocessors/dcerpc2/includes/dcerpc.h:
+ Changed use of some integers to enumerated types.
+ * src/dynamic-preprocessors/dcerpc2/dce2_roptions.c:
+ Added dce_iface options to the fast pattern matcher.
+ * src/dynamic-preprocessors/dcerpc2/snort_dce2.h:
+ * src/dynamic-preprocessors/dcerpc2/dce2_config.h:
+ * src/dynamic-preprocessors/smtp/snort_smtp.c:
+ Added sensitive data to the list of preprocs that get re-enabled after
+ disabling detection.
+ * src/dynamic-preprocessors/dcerpc2/spp_dce2.c:
+ Removed config file/line from error message since not set at this point.
+ Also removed redundant "dcerpc2 configuration" text.
+ * src/dynamic-preprocessors/Makefile.am:
+ * src/dynamic-preprocessors/treenodes.sed:
+ Included more header files for use in dynamic preprocessors.
+ * src/dynamic-preprocessors/sdf/Makefile.am:
+ * src/dynamic-preprocessors/sdf/sdf_credit_card.c:
+ * src/dynamic-preprocessors/sdf/sdf_credit_card.h:
+ * src/dynamic-preprocessors/sdf/sdf_detection_option.c:
+ * src/dynamic-preprocessors/sdf/sdf_detection_option.h:
+ * src/dynamic-preprocessors/sdf/sdf_pattern_match.c:
+ * src/dynamic-preprocessors/sdf/sdf_pattern_match.h:
+ * src/dynamic-preprocessors/sdf/sdf_us_ssn.c:
+ * src/dynamic-preprocessors/sdf/sdf_us_ssn.h:
+ * src/dynamic-preprocessors/sdf/sf_preproc_info.h:
+ * src/dynamic-preprocessors/sdf/sf_sdf.dsp:
+ * src/dynamic-preprocessors/sdf/spp_sdf.c:
+ * src/dynamic-preprocessors/sdf/spp_sdf.h:
+ * src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp:
+ * src/preprocids.h:
+ * doc/README.sensitive_data:
+ * doc/snort_manual.tex:
+ Added Sensitive Data preprocessor. It performs detection of Personally
+ Identifiable Information, such as credit card numbers and U.S. Social
+ Security numbers.
+ * src/dynamic-preprocessors/ssh/spp_ssh.c:
+ Formatting change.
+ * src/fpcreate.c:
+ * src/fpcreate.h:
+ * src/fpdetect.c:
+ Content rules with the new HTTP modifiers can use the fast pattern
+ matcher.
+ * src/generators.h:
+ Added SIDs for new preprocessor alerts.
+ * src/Makefile.am:
+ Added new files to Makefile.
+ * src/obfuscation.c:
+ * src/obfuscation.h:
+ * src/util.c:
+ * src/util.h:
+ Fixed output obfuscation, and added an Obfuscation API for use in
+ preprocessors & output plugins.
+ * src/log.c:
+ * src/log.h:
+ * src/log_text.c:
+ * src/log_text.h:
+ * src/output-plugins/spo_alert_fast.c:
+ * src/output-plugins/spo_alert_full.c:
+ * src/output-plugins/spo_alert_prelude.c:
+ * src/output-plugins/spo_alert_sf_socket.c:
+ * src/output-plugins/spo_alert_syslog.c:
+ * src/output-plugins/spo_alert_test.c:
+ * src/output-plugins/spo_alert_unixsock.c:
+ * src/output-plugins/spo_csv.c:
+ * src/output-plugins/spo_database.c:
+ * src/output-plugins/spo_log_ascii.c:
+ * src/output-plugins/spo_log_null.c:
+ * src/output-plugins/spo_log_tcpdump.c:
+ * src/output-plugins/spo_unified2.c:
+ * src/output-plugins/spo_unified.c:
+ Modified several output plugins to print obfuscated data using the new
+ Obfuscation API.
+ * src/parser.c:
+ * src/parser.h:
+ Added support for OTN handlers. Added support for using new http
+ content options with the fast pattern matcher.
+ * src/pcrm.c:
+ * src/pcrm.h:
+ Formatting changes.
+ * src/plugbase.c:
+ * src/plugbase.h:
+ Added OTN handler argument to the RegisterRuleOption() function.
+ Initialized the "file_data" rule option.
+ * src/ppm.c:
+ * src/ppm.h:
+ Remove non-portlists code.
+ * src/preprocessors/HttpInspect/client/hi_client.c:
+ * src/preprocessors/HttpInspect/client/hi_client_norm.c:
+ * src/preprocessors/HttpInspect/include/hi_client.h:
+ * src/preprocessors/HttpInspect/include/hi_eo_events.h:
+ * src/preprocessors/HttpInspect/include/hi_mi.h:
+ * src/preprocessors/HttpInspect/include/hi_norm.h:
+ * src/preprocessors/HttpInspect/include/hi_server.h:
+ * src/preprocessors/HttpInspect/include/hi_server_norm.h:
+ * src/preprocessors/HttpInspect/include/hi_ui_config.h:
+ * src/preprocessors/HttpInspect/include/hi_util.h:
+ * src/preprocessors/HttpInspect/include/Makefile.am:
+ * src/preprocessors/HttpInspect/Makefile.am:
+ * src/preprocessors/HttpInspect/mode_inspection/hi_mi.c:
+ * src/preprocessors/HttpInspect/normalization/hi_norm.c:
+ * src/preprocessors/HttpInspect/server/hi_server.c:
+ * src/preprocessors/HttpInspect/server/hi_server_norm.c:
+ * src/preprocessors/HttpInspect/server/Makefile.am:
+ * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
+ * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
+ * src/preprocessors/snort_httpinspect.c:
+ * src/preprocessors/snort_httpinspect.h:
+ * src/preprocessors/spp_httpinspect.c:
+ New feature for HTTP Inspect to split requests into 5 components -
+ Method, URI, Header (non-cookie), Cookies, Body.
+ Added HTTP server specific configurations to normalize HTTP header
+ and/or cookie buffers. Provided content and PCRE modifiers to allow
+ searches within one or more of those individual buffers. Added content
+ modifier to allow rule writer to specify content to be used for fast
+ pattern matcher. Updated dynamic rule API to allow searches within
+ the new buffers.
+ * src/preprocessors/perf.c:
+ * src/preprocessors/spp_perfmonitor.c:
+ * src/preprocessors/perf-flow.c:
+ * src/preprocessors/perf-flow.h:
+ * src/preprocessors/perf.h:
+ * src/preprocessors/Stream5/snort_stream5_udp.c:
+ Add Flow-IP stats to the Performance Monitor preprocessor.
+ Write out a commented line to the now file the first time perfmon
+ Reduce performance overhead when FlowIP stats aren't enabled.
+ * src/preprocessors/sfprocpidstats.c:
+ Changed GetCpuName() to catch errno when sscanf() sets it.
+ * src/preprocessors/spp_rpc_decode.c:
+ Fixed warnings when compiled in Win32.
+ * src/preprocessors/spp_stream5.c:
+ * src/preprocessors/Stream5/snort_stream5_session.h:
+ * src/preprocessors/Stream5/snort_stream5_tcp.c:
+ * src/preprocessors/Stream5/snort_stream5_tcp.h:
+ * src/preprocessors/Stream5/stream5_common.c:
+ * src/preprocessors/Stream5/stream5_common.h:
+ * src/preprocessors/stream_api.h:
+ Added detection of "4-way TCP Handshake" when require_3whs is enabled.
+ Added "disabled" option so that memcaps can be configured in the default
+ policy w/out enabling the preprocessor. Added support for output
+ obfuscation.
+ * src/prototypes.h:
+ * src/sys_include.h:
+ Removed more obsolete/unused files.
+ * src/sfthreshold.c:
+ * src/sfutil/acsmx2.c:
+ * src/sfutil/acsmx2.h:
+ * src/sfutil/bnfa_search.c:
+ * src/sfutil/ipobj.c:
+ * src/sfutil/ipobj.h:
+ * src/sfutil/Makefile.am:
+ * src/sfutil/mpse.c:
+ * src/sfutil/mpse.h:
+ * src/sfutil/sf_ip.c:
+ * src/sfutil/sf_ip.h:
+ * src/sfutil/sf_iph.c:
+ * src/sfutil/sf_ipvar.c:
+ * src/sfutil/sfksearch.c:
+ * src/sfutil/sfPolicyUserData.c:
+ * src/sfutil/sfPolicyUserData.h:
+ * src/sfutil/sfportobject.c:
+ * src/sfutil/sfxhash.c:
+ * src/sfutil/sfrf.c:
+ * src/sfutil/sfrt_trie.h:
+ * src/sfutil/sf_vartable.c:
+ Cleaned up warnings, especially when compiled with ICC.
+ * src/sfutil/util_net.c:
+ * src/sfutil/util_net.h:
+ Fix ip obfuscation to not modify packet data and only obfuscate for
+ text outputs.
+ * src/signature.c:
+ * src/signature.h:
+ * src/snort.c:
+ * src/snort.h:
+ Remove non-portlists code.
+ * src/target-based/sf_attribute_table_parser.l:
+ * src/target-based/sftarget_reader.c:
+ Use bison built in YYACCEPT and YYABORT so stack is cleaned up and freed.
+ * src/win32/WIN32-Code/syslog.c: + * src/win32/WIN32-Code/win32_service.c: + * src/win32/WIN32-Includes/config.h: + * src/win32/WIN32-Prj/snort.dsp: + * src/win32/WIN32-Prj/snort.dsw: + * src/win32/WIN32-Prj/snort_installer.nsi: + Win32 project files updated to reflect Makefile changes. + 2009-12-15 Ryan Jordan * doc/snort_manual.tex: Clarified the documentation for output plugins alert_fast, alert_full, diff -Nru snort-2.8.5.2/config.guess snort-2.9.2/config.guess --- snort-2.8.5.2/config.guess 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/config.guess 2011-12-07 19:23:17.000000000 +0000 @@ -1,10 +1,10 @@ #! /bin/sh # Attempt to guess a canonical system name. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, -# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 +# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 # Free Software Foundation, Inc. -timestamp='2009-04-27' +timestamp='2009-11-20' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -27,16 +27,16 @@ # the same distribution terms that you use for the rest of that program. -# Originally written by Per Bothner . -# Please send patches to . Submit a context -# diff and a properly formatted ChangeLog entry. +# Originally written by Per Bothner. Please send patches (context +# diff format) to and include a ChangeLog +# entry. # # This script attempts to guess a canonical system name similar to # config.sub. If it succeeds, it prints the system name on stdout, and # exits with 0. Otherwise, it exits with 1. # -# The plan is that this can be called by configure scripts if you -# don't specify an explicit build system type. +# You can get the latest version of this script from: +# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD me=`echo "$0" | sed -e 's,.*/,,'` 
@@ -170,7 +170,7 @@
 arm*|i386|m68k|ns32k|sh3*|sparc|vax)
 eval $set_cc_for_build
 if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
- | grep __ELF__ >/dev/null
+ | grep -q __ELF__
 then
 # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout).
 # Return netbsd for either. FIX?
@@ -333,6 +333,9 @@
 sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
 echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
 exit ;;
+ i86pc:AuroraUX:5.*:* | i86xen:AuroraUX:5.*:*)
+ echo i386-pc-auroraux${UNAME_RELEASE}
+ exit ;;
 i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*)
 eval $set_cc_for_build
 SUN_ARCH="i386"
@@ -656,7 +659,7 @@
 # => hppa64-hp-hpux11.23
 if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) |
- grep __LP64__ >/dev/null
+ grep -q __LP64__
 then
 HP_ARCH="hppa2.0w"
 else
@@ -807,12 +810,12 @@
 i*:PW*:*)
 echo ${UNAME_MACHINE}-pc-pw32
 exit ;;
- *:Interix*:[3456]*)
+ *:Interix*:*)
 case ${UNAME_MACHINE} in
 x86)
 echo i586-pc-interix${UNAME_RELEASE}
 exit ;;
- EM64T | authenticamd | genuineintel)
+ authenticamd | genuineintel | EM64T)
 echo x86_64-unknown-interix${UNAME_RELEASE}
 exit ;;
 IA64)
@@ -822,6 +825,9 @@
 [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
 echo i${UNAME_MACHINE}-pc-mks
 exit ;;
+ 8664:Windows_NT:*)
+ echo x86_64-pc-mks
+ exit ;;
 i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
 # How do we know it's Interix rather than the generic POSIX subsystem?
 # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
@@ -851,6 +857,20 @@
 i*86:Minix:*:*)
 echo ${UNAME_MACHINE}-pc-minix
 exit ;;
+ alpha:Linux:*:*)
+ case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
+ EV5) UNAME_MACHINE=alphaev5 ;;
+ EV56) UNAME_MACHINE=alphaev56 ;;
+ PCA56) UNAME_MACHINE=alphapca56 ;;
+ PCA57) UNAME_MACHINE=alphapca56 ;;
+ EV6) UNAME_MACHINE=alphaev6 ;;
+ EV67) UNAME_MACHINE=alphaev67 ;;
+ EV68*) UNAME_MACHINE=alphaev68 ;;
+ esac
+ objdump --private-headers /bin/sh | grep -q ld.so.1
+ if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
+ echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
+ exit ;;
 arm*:Linux:*:*)
 eval $set_cc_for_build
 if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \
@@ -873,6 +893,17 @@
 frv:Linux:*:*)
 echo frv-unknown-linux-gnu
 exit ;;
+ i*86:Linux:*:*)
+ LIBC=gnu
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+ #ifdef __dietlibc__
+ LIBC=dietlibc
+ #endif
+EOF
+ eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'`
+ echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
+ exit ;;
 ia64:Linux:*:*)
 echo ${UNAME_MACHINE}-unknown-linux-gnu
 exit ;;
@@ -882,78 +913,34 @@
 m68*:Linux:*:*)
 echo ${UNAME_MACHINE}-unknown-linux-gnu
 exit ;;
- mips:Linux:*:*)
- eval $set_cc_for_build
- sed 's/^ //' << EOF >$dummy.c
- #undef CPU
- #undef mips
- #undef mipsel
- #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
- CPU=mipsel
- #else
- #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
- CPU=mips
- #else
- CPU=
- #endif
- #endif
-EOF
- eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n '
- /^CPU/{
- s: ::g
- p
- }'`"
- test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
- ;;
- mips64:Linux:*:*)
+ mips:Linux:*:* | mips64:Linux:*:*)
 eval $set_cc_for_build
 sed 's/^ //' << EOF >$dummy.c
 #undef CPU
- #undef mips64
- #undef mips64el
+ #undef ${UNAME_MACHINE}
+ #undef ${UNAME_MACHINE}el
 #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
- CPU=mips64el
+ CPU=${UNAME_MACHINE}el
 #else
 #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
- CPU=mips64
+ CPU=${UNAME_MACHINE}
 #else
 CPU=
 #endif
 #endif
 EOF
- eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n '
- /^CPU/{
- s: ::g
- p
- }'`"
+ eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'`
 test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
 ;;
 or32:Linux:*:*)
 echo or32-unknown-linux-gnu
 exit ;;
- ppc:Linux:*:*)
- echo powerpc-unknown-linux-gnu
- exit ;;
- ppc64:Linux:*:*)
- echo powerpc64-unknown-linux-gnu
- exit ;;
- alpha:Linux:*:*)
- case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
- EV5) UNAME_MACHINE=alphaev5 ;;
- EV56) UNAME_MACHINE=alphaev56 ;;
- PCA56) UNAME_MACHINE=alphapca56 ;;
- PCA57) UNAME_MACHINE=alphapca56 ;;
- EV6) UNAME_MACHINE=alphaev6 ;;
- EV67) UNAME_MACHINE=alphaev67 ;;
- EV68*) UNAME_MACHINE=alphaev68 ;;
- esac
- objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null
- if test "$?"
= 0 ; then LIBC="libc1" ; else LIBC="" ; fi
- echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
- exit ;;
 padre:Linux:*:*)
 echo sparc-unknown-linux-gnu
 exit ;;
+ parisc64:Linux:*:* | hppa64:Linux:*:*)
+ echo hppa64-unknown-linux-gnu
+ exit ;;
 parisc:Linux:*:* | hppa:Linux:*:*)
 # Look for CPU level
 case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
@@ -962,8 +949,11 @@
 *) echo hppa-unknown-linux-gnu ;;
 esac
 exit ;;
- parisc64:Linux:*:* | hppa64:Linux:*:*)
- echo hppa64-unknown-linux-gnu
+ ppc64:Linux:*:*)
+ echo powerpc64-unknown-linux-gnu
+ exit ;;
+ ppc:Linux:*:*)
+ echo powerpc-unknown-linux-gnu
 exit ;;
 s390:Linux:*:* | s390x:Linux:*:*)
 echo ${UNAME_MACHINE}-ibm-linux
@@ -986,66 +976,6 @@
 xtensa*:Linux:*:*)
 echo ${UNAME_MACHINE}-unknown-linux-gnu
 exit ;;
- i*86:Linux:*:*)
- # The BFD linker knows what the default object file format is, so
- # first see if it will tell us. cd to the root directory to prevent
- # problems with other programs or directories called `ld' in the path.
- # Set LC_ALL=C to ensure ld outputs messages in English.
- ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \
- | sed -ne '/supported targets:/!d
- s/[ ][ ]*/ /g
- s/.*supported targets: *//
- s/ .*//
- p'`
- case "$ld_supported_targets" in
- elf32-i386)
- TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu"
- ;;
- a.out-i386-linux)
- echo "${UNAME_MACHINE}-pc-linux-gnuaout"
- exit ;;
- "")
- # Either a pre-BFD a.out linker (linux-gnuoldld) or
- # one that does not give us useful --help.
- echo "${UNAME_MACHINE}-pc-linux-gnuoldld"
- exit ;;
- esac
- # Determine whether the default compiler is a.out or elf
- eval $set_cc_for_build
- sed 's/^ //' << EOF >$dummy.c
- #include
- #ifdef __ELF__
- # ifdef __GLIBC__
- # if __GLIBC__ >= 2
- LIBC=gnu
- # else
- LIBC=gnulibc1
- # endif
- # else
- LIBC=gnulibc1
- # endif
- #else
- #if defined(__INTEL_COMPILER) || defined(__PGI) || defined(__SUNPRO_C) || defined(__SUNPRO_CC)
- LIBC=gnu
- #else
- LIBC=gnuaout
- #endif
- #endif
- #ifdef __dietlibc__
- LIBC=dietlibc
- #endif
-EOF
- eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n '
- /^LIBC/{
- s: ::g
- p
- }'`"
- test x"${LIBC}" != x && {
- echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
- exit
- }
- test x"${TENTATIVE}" != x && { echo "${TENTATIVE}"; exit; }
- ;;
 i*86:DYNIX/ptx:4*:*)
 # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
 # earlier versions are messed up and put the nodename in both
@@ -1074,7 +1004,7 @@
 i*86:syllable:*:*)
 echo ${UNAME_MACHINE}-pc-syllable
 exit ;;
- i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*)
+ i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.[02]*:*)
 echo i386-unknown-lynxos${UNAME_RELEASE}
 exit ;;
 i*86:*DOS:*:*)
@@ -1182,7 +1112,7 @@
 rs6000:LynxOS:2.*:*)
 echo rs6000-unknown-lynxos${UNAME_RELEASE}
 exit ;;
- PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*)
+ PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.[02]*:*)
 echo powerpc-unknown-lynxos${UNAME_RELEASE}
 exit ;;
 SM[BE]S:UNIX_SV:*:*)
@@ -1275,6 +1205,16 @@
 *:Darwin:*:*)
 UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
 case $UNAME_PROCESSOR in
+ i386)
+ eval $set_cc_for_build
+ if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
+ if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
+ (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
+ grep IS_64BIT_ARCH >/dev/null
+ then
+ UNAME_PROCESSOR="x86_64"
+ fi
+ fi ;;
 unknown) UNAME_PROCESSOR=powerpc ;;
 esac
 echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
diff -Nru snort-2.8.5.2/config.h.in snort-2.9.2/config.h.in
--- snort-2.8.5.2/config.h.in 2009-10-19 21:17:54.000000000 +0000
+++ snort-2.9.2/config.h.in 2011-12-07 19:23:14.000000000 +0000
@@ -1,5 +1,8 @@
 /* config.h.in. Generated from configure.in by autoheader. */
+/* Define if building universal (internal helper macro) */
+#undef AC_APPLE_UNIVERSAL_BUILD
+
 /* Define if AIX */
 #undef AIX
@@ -9,18 +12,37 @@ /* Define if BSDi */ #undef BSDI +/* Don't close opened shared objects for valgrind leak testing of dynamic + libraries */ +#undef DISABLE_DLCLOSE_FOR_VALGRIND_TESTING + /* Define if errlist is predefined */ #undef ERRLIST_PREDEFINED /* Define if FreeBSD */ #undef FREEBSD +/* Define to 1 if the system has the type `boolean'. */ +#undef HAVE_BOOLEAN + +/* Define to 1 if you have the `daq_acquire_with_meta' function. */ +#undef HAVE_DAQ_ACQUIRE_WITH_META + +/* Define to 1 if you have the `daq_hup_apply' function. */ +#undef HAVE_DAQ_HUP_APPLY + /* Define to 1 if you have the header file. */ #undef HAVE_DLFCN_H /* Define to 1 if you have the header file. */ #undef HAVE_DNET_H +/* Define to 1 if you have the header file. */ +#undef HAVE_DUMBNET_H + +/* Define to 1 if you have the `inet_ntop' function. */ +#undef HAVE_INET_NTOP + /* Define to 1 if the system has the type `int16_t'. */ #undef HAVE_INT16_T @@ -36,27 +58,15 @@ /* Define to 1 if you have the header file. */ #undef HAVE_INTTYPES_H -/* Define to 1 if you have the `c' library (-lc). */ -#undef HAVE_LIBC - -/* Define to 1 if you have the `dl' library (-ldl). */ -#undef HAVE_LIBDL - /* Define to 1 if you have the `dnet' library (-ldnet). */ #undef HAVE_LIBDNET -/* Define to 1 if you have the `ipq' library (-lipq). */ -#undef HAVE_LIBIPQ +/* Define to 1 if you have the `dumbnet' library (-ldumbnet). */ +#undef HAVE_LIBDUMBNET /* Define to 1 if you have the `m' library (-lm). */ #undef HAVE_LIBM -/* Define to 1 if you have the `net' library (-lnet). */ -#undef HAVE_LIBNET - -/* Define to 1 if you have the header file. */ -#undef HAVE_LIBNET_H - /* Define to 1 if you have the `nsl' library (-lnsl). */ #undef HAVE_LIBNSL 
@@ -75,9 +85,15 @@ /* Define whether Prelude support is enabled */ #undef HAVE_LIBPRELUDE +/* Define to 1 if you have the `rt' library (-lrt). */ +#undef HAVE_LIBRT + /* Define to 1 if you have the `socket' library (-lsocket). */ #undef HAVE_LIBSOCKET +/* Define to 1 if you have the `uuid' library (-luuid). */ +#undef HAVE_LIBUUID + /* Define to 1 if you have the `z' library (-lz). */ #undef HAVE_LIBZ @@ -90,18 +106,33 @@ /* Define to 1 if you have the header file. */ #undef HAVE_MEMORY_H +/* Define to 1 if you have the `memrchr' function. */ +#undef HAVE_MEMRCHR + /* Define to 1 if you have the header file. */ #undef HAVE_PATHS_H +/* Can cleanup lex buffer stack created by pcap bpf filter */ +#undef HAVE_PCAP_LEX_DESTROY + +/* Can output the library version. */ +#undef HAVE_PCAP_LIB_VERSION + /* Define to 1 if you have the header file. */ #undef HAVE_PCRE_H /* Define to 1 if you have the header file. */ #undef HAVE_PFRING_H -/* Define to 1 if you have the `snprintf' function. */ +/* Define to 1 if you have the `sigaction' function. */ +#undef HAVE_SIGACTION + +/* snprintf function is available */ #undef HAVE_SNPRINTF +/* Define to 1 if stdbool.h conforms to C99. */ +#undef HAVE_STDBOOL_H + /* Define to 1 if you have the header file. */ #undef HAVE_STDINT_H @@ -150,6 +181,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_UNISTD_H +/* Define to 1 if you have the header file. */ +#undef HAVE_UUID_UUID_H + /* Define to 1 if the system has the type `u_int16_t'. */ #undef HAVE_U_INT16_T @@ -177,6 +211,15 @@ /* Define to 1 if you have the `wprintf' function. */ #undef HAVE_WPRINTF +/* Define whether yylex_destroy is supported in flex version */ +#undef HAVE_YYLEX_DESTROY + +/* Define to 1 if you have the header file. */ +#undef HAVE_ZLIB_H + +/* Define to 1 if the system has the type `_Bool'. */ +#undef HAVE__BOOL + /* Define if the compiler understands __FUNCTION__. */ #undef HAVE___FUNCTION__ 
@@ -192,14 +235,12 @@ /* Define if Irix 6 */ #undef IRIX -/* For libpcap versions that accumulate stats */ -#undef LIBPCAP_ACCUMULATES - /* Define if Linux */ #undef LINUX -/* For Linux libpcap versions 0.9.0 to 0.9.4 */ -#undef LINUX_LIBPCAP_DOUBLES_STATS +/* Define to the sub-directory in which libtool stores uninstalled libraries. + */ +#undef LT_OBJDIR /* Define if MacOS */ #undef MACOS @@ -234,8 +275,17 @@ /* Define to the version of this package. */ #undef PACKAGE_VERSION -/* Define if pcap timeout is ignored */ -#undef PCAP_TIMEOUT_IGNORED +/* Set by user */ +#undef SIGNAL_SNORT_DUMP_STATS + +/* Set by user */ +#undef SIGNAL_SNORT_READ_ATTR_TBL + +/* Set by user */ +#undef SIGNAL_SNORT_RELOAD + +/* Set by user */ +#undef SIGNAL_SNORT_ROTATE_STATS /* The size of `char', as computed by sizeof. */ #undef SIZEOF_CHAR @@ -284,3 +334,9 @@ /* Define __FUNCTION__ as required. */ #undef __FUNCTION__ + +/* Define to `__inline__' or `__inline' if that's what the C compiler + calls it, or to nothing if 'inline' is not supported under any name. */ +#ifndef __cplusplus +#undef inline +#endif diff -Nru snort-2.8.5.2/config.sub snort-2.9.2/config.sub --- snort-2.8.5.2/config.sub 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/config.sub 2011-12-07 19:23:17.000000000 +0000 @@ -1,10 +1,10 @@ #! /bin/sh # Configuration validation subroutine script. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, -# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 +# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 # Free Software Foundation, Inc. -timestamp='2009-04-17' +timestamp='2009-11-20' # This file is (in principle) common to ALL GNU software. # The presence of a machine in this file suggests that SOME GNU software 
@@ -32,13 +32,16 @@
 # Please send patches to . Submit a context
-# diff and a properly formatted ChangeLog entry.
+# diff and a properly formatted GNU ChangeLog entry.
 #
 # Configuration subroutine to validate and canonicalize a configuration type.
 # Supply the specified configuration type as an argument.
 # If it is invalid, we print an error message on stderr and exit with code 1.
 # Otherwise, we print the canonical config type on stdout and succeed.
+# You can get the latest version of this script from:
+# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD
+
 # This file is supposed to be the same for all GNU packages
 # and recognize all the CPU types, system types and aliases
 # that are meaningful with *any* GNU software.
@@ -149,10 +152,13 @@
 -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
 -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
 -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
- -apple | -axis | -knuth | -cray)
+ -apple | -axis | -knuth | -cray | -microblaze)
 os=
 basic_machine=$1
 ;;
+ -bluegene*)
+ os=-cnk
+ ;;
 -sim | -cisco | -oki | -wec | -winbond)
 os=
 basic_machine=$1
@@ -281,6 +287,7 @@
 | pdp10 | pdp11 | pj | pjl \
 | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
 | pyramid \
+ | rx \
 | score \
 | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
 | sh64 | sh64le \
@@ -288,13 +295,14 @@
 | sparcv8 | sparcv9 | sparcv9b | sparcv9v \
 | spu | strongarm \
 | tahoe | thumb | tic4x | tic80 | tron \
+ | ubicom32 \
 | v850 | v850e \
 | we32k \
 | x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \
 | z8k | z80)
 basic_machine=$basic_machine-unknown
 ;;
- m6811 | m68hc11 | m6812 | m68hc12)
+ m6811 | m68hc11 | m6812 | m68hc12 | picochip)
 # Motorola 68HC11/12.
 basic_machine=$basic_machine-unknown
 os=-none
@@ -337,7 +345,7 @@
 | lm32-* \
 | m32c-* | m32r-* | m32rle-* \
 | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
- | m88110-* | m88k-* | maxq-* | mcore-* | metag-* \
+ | m88110-* | m88k-* | maxq-* | mcore-* | metag-* | microblaze-* \
 | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
 | mips16-* \
 | mips64-* | mips64el-* \
@@ -365,7 +373,7 @@
 | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
 | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
 | pyramid-* \
- | romp-* | rs6000-* \
+ | romp-* | rs6000-* | rx-* \
 | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
 | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
 | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \
@@ -374,6 +382,7 @@
 | tahoe-* | thumb-* \
 | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* | tile-* \
 | tron-* \
+ | ubicom32-* \
 | v850-* | v850e-* | vax-* \
 | we32k-* \
 | x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \
@@ -467,6 +476,10 @@
 basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'`
 os=-linux
 ;;
+ bluegene*)
+ basic_machine=powerpc-ibm
+ os=-cnk
+ ;;
 c90)
 basic_machine=c90-cray
 os=-unicos
@@ -719,6 +732,9 @@
 basic_machine=ns32k-utek
 os=-sysv
 ;;
+ microblaze)
+ basic_machine=microblaze-xilinx
+ ;;
 mingw32)
 basic_machine=i386-pc
 os=-mingw32
@@ -1240,6 +1256,9 @@
 # First match some system type aliases
 # that might get confused with valid system types.
 # -solaris* is a basic system type, with this one exception.
+ -auroraux)
+ os=-auroraux
+ ;;
 -solaris1 | -solaris1.*)
 os=`echo $os | sed -e 's|solaris1|sunos4|'`
 ;;
@@ -1260,9 +1279,9 @@
 # Each alternative MUST END IN A *, to match a version number.
 # -sysv* is not here because it comes later, after sysvr4.
 -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
- | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\
- | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \
- | -kopensolaris* \
+ | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\
+ | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \
+ | -sym* | -kopensolaris* \
 | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
 | -aos* | -aros* \
 | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
@@ -1283,7 +1302,7 @@
 | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
 | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
 | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
- | -skyos* | -haiku* | -rdos* | -toppers* | -drops*)
+ | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es*)
 # Remember, each alternative MUST END IN *, to match a version number.
 ;;
 -qnx*)
@@ -1613,7 +1632,7 @@
 -sunos*)
 vendor=sun
 ;;
- -aix*)
+ -cnk*|-aix*)
 vendor=ibm
 ;;
 -beos*)
diff -Nru snort-2.8.5.2/configure snort-2.9.2/configure
--- snort-2.8.5.2/configure 2009-10-19 21:18:06.000000000 +0000
+++ snort-2.9.2/configure 2011-12-07 19:23:25.000000000 +0000
@@ -1,9 +1,9 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61.
+# Generated by GNU Autoconf 2.63.
 #
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
-# 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
+# 2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
 # This configure script is free software; the Free Software Foundation
 # gives unlimited permission to copy, distribute and modify it.
 ## --------------------- ##
@@ -15,7 +15,7 @@ if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then emulate sh NULLCMD=: - # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which + # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST @@ -37,17 +37,45 @@ as_cr_digits='0123456789' as_cr_alnum=$as_cr_Letters$as_cr_digits +as_nl=' +' +export as_nl +# Printing a long string crashes Solaris 7 /usr/bin/printf. +as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo +if (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='printf %s\n' + as_echo_n='printf %s' +else + if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then + as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' + as_echo_n='/usr/ucb/echo -n' + else + as_echo_body='eval expr "X$1" : "X\\(.*\\)"' + as_echo_n_body='eval + arg=$1; + case $arg in + *"$as_nl"*) + expr "X$arg" : "X\\(.*\\)$as_nl"; + arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; + esac; + expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" + ' + export as_echo_n_body + as_echo_n='sh -c $as_echo_n_body as_echo' + fi + export as_echo_body + as_echo='sh -c $as_echo_body as_echo' +fi + # The user is always right. if test "${PATH_SEPARATOR+set}" != set; then - echo "#! /bin/sh" >conf$$.sh - echo "exit 0" >>conf$$.sh - chmod +x conf$$.sh - if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then - PATH_SEPARATOR=';' - else - PATH_SEPARATOR=: - fi - rm -f conf$$.sh + PATH_SEPARATOR=: + (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { + (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || + PATH_SEPARATOR=';' + } fi # Support unset when possible. 
@@ -63,8 +91,6 @@ # there to prevent editors from complaining about space-tab. # (If _AS_PATH_WALK were called with IFS unset, it would disable word # splitting by setting IFS to empty value.) -as_nl=' -' IFS=" "" $as_nl" # Find who we are. Look in the path if we contain no directory separator. @@ -87,7 +113,7 @@ as_myself=$0 fi if test ! -f "$as_myself"; then - echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 + $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 { (exit 1); exit 1; } fi @@ -100,17 +126,10 @@ PS4='+ ' # NLS nuisances. -for as_var in \ - LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \ - LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \ - LC_TELEPHONE LC_TIME -do - if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then - eval $as_var=C; export $as_var - else - ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var - fi -done +LC_ALL=C +export LC_ALL +LANGUAGE=C +export LANGUAGE # Required to use basename. if expr a : '\(a\)' >/dev/null 2>&1 && @@ -132,7 +151,7 @@ $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ X"$0" : 'X\(//\)$' \| \ X"$0" : 'X\(/\)' \| . 2>/dev/null || -echo X/"$0" | +$as_echo X/"$0" | sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/ q @@ -158,7 +177,7 @@ as_have_required=no fi - if test $as_have_required = yes && (eval ": + if test $as_have_required = yes && (eval ": (as_func_return () { (exit \$1) } @@ -240,7 +259,7 @@ if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then emulate sh NULLCMD=: - # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which + # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST 
@@ -261,7 +280,7 @@ if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then emulate sh NULLCMD=: - # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which + # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST @@ -341,10 +360,10 @@ if test "x$CONFIG_SHELL" != x; then for as_var in BASH_ENV ENV - do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var - done - export CONFIG_SHELL - exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"} + do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var + done + export CONFIG_SHELL + exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"} fi @@ -413,9 +432,10 @@ test \$exitcode = 0") || { echo No shell found that supports shell functions. - echo Please tell autoconf@gnu.org about your system, - echo including any error possibly output before this - echo message + echo Please tell bug-autoconf@gnu.org about your system, + echo including any error possibly output before this message. + echo This can help us improve future autoconf versions. + echo Configuration will now proceed without shell functions. } @@ -451,7 +471,7 @@ s/-\n.*// ' >$as_me.lineno && chmod +x "$as_me.lineno" || - { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2 + { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2 { (exit 1); exit 1; }; } # Don't try to exec as it changes $[0], causing all sort of problems @@ -479,7 +499,6 @@ *) ECHO_N='-n';; esac - if expr a : '\(a\)' >/dev/null 2>&1 && test "X`expr 00001 : '.*\(...\)'`" = X001; then as_expr=expr 
@@ -492,19 +511,22 @@ rm -f conf$$.dir/conf$$.file else rm -f conf$$.dir - mkdir conf$$.dir + mkdir conf$$.dir 2>/dev/null fi -echo >conf$$.file -if ln -s conf$$.file conf$$ 2>/dev/null; then - as_ln_s='ln -s' - # ... but there are two gotchas: - # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. - # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. - # In both cases, we have to default to `cp -p'. - ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || +if (echo >conf$$.file) 2>/dev/null; then + if ln -s conf$$.file conf$$ 2>/dev/null; then + as_ln_s='ln -s' + # ... but there are two gotchas: + # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. + # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. + # In both cases, we have to default to `cp -p'. + ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || + as_ln_s='cp -p' + elif ln conf$$.file conf$$ 2>/dev/null; then + as_ln_s=ln + else as_ln_s='cp -p' -elif ln conf$$.file conf$$ 2>/dev/null; then - as_ln_s=ln + fi else as_ln_s='cp -p' fi @@ -529,10 +551,10 @@ as_test_x=' eval sh -c '\'' if test -d "$1"; then - test -d "$1/."; + test -d "$1/."; else case $1 in - -*)set "./$1";; + -*)set "./$1";; esac; case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in ???[sx]*):;;*)false;;esac;fi 
@@ -553,22 +575,22 @@ # Check that we are running under the correct shell. SHELL=${CONFIG_SHELL-/bin/sh} -case X$ECHO in +case X$lt_ECHO in X*--fallback-echo) # Remove one level of quotation (which was required for Make). - ECHO=`echo "$ECHO" | sed 's,\\\\\$\\$0,'$0','` + ECHO=`echo "$lt_ECHO" | sed 's,\\\\\$\\$0,'$0','` ;; esac -echo=${ECHO-echo} +ECHO=${lt_ECHO-echo} if test "X$1" = X--no-reexec; then # Discard the --no-reexec flag, and continue. shift elif test "X$1" = X--fallback-echo; then # Avoid inline document here, it may be left over : -elif test "X`($echo '\t') 2>/dev/null`" = 'X\t' ; then - # Yippee, $echo works! +elif test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' ; then + # Yippee, $ECHO works! : else # Restart under the correct shell. 
@@ -578,9 +600,9 @@ if test "X$1" = X--fallback-echo; then # used as fallback echo shift - cat </dev/null 2>&1 && unset CDPATH -if test -z "$ECHO"; then -if test "X${echo_test_string+set}" != Xset; then -# find a string as large as possible, as long as the shell can cope with it - for cmd in 'sed 50q "$0"' 'sed 20q "$0"' 'sed 10q "$0"' 'sed 2q "$0"' 'echo test'; do - # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ... - if (echo_test_string=`eval $cmd`) 2>/dev/null && - echo_test_string=`eval $cmd` && - (test "X$echo_test_string" = "X$echo_test_string") 2>/dev/null - then - break - fi - done -fi +if test -z "$lt_ECHO"; then + if test "X${echo_test_string+set}" != Xset; then + # find a string as large as possible, as long as the shell can cope with it + for cmd in 'sed 50q "$0"' 'sed 20q "$0"' 'sed 10q "$0"' 'sed 2q "$0"' 'echo test'; do + # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ... + if { echo_test_string=`eval $cmd`; } 2>/dev/null && + { test "X$echo_test_string" = "X$echo_test_string"; } 2>/dev/null + then + break + fi + done + fi -if test "X`($echo '\t') 2>/dev/null`" = 'X\t' && - echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - : -else - # The Solaris, AIX, and Digital Unix default echo programs unquote - # backslashes. This makes it impossible to quote backslashes using - # echo "$something" | sed 's/\\/\\\\/g' - # - # So, first we look for a working echo in the user's PATH. + if test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' && + echo_testing_string=`{ $ECHO "$echo_test_string"; } 2>/dev/null` && + test "X$echo_testing_string" = "X$echo_test_string"; then + : + else + # The Solaris, AIX, and Digital Unix default echo programs unquote + # backslashes. This makes it impossible to quote backslashes using + # echo "$something" | sed 's/\\/\\\\/g' + # + # So, first we look for a working echo in the user's PATH. 
- lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR - for dir in $PATH /usr/ucb; do + lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR + for dir in $PATH /usr/ucb; do + IFS="$lt_save_ifs" + if (test -f $dir/echo || test -f $dir/echo$ac_exeext) && + test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' && + echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` && + test "X$echo_testing_string" = "X$echo_test_string"; then + ECHO="$dir/echo" + break + fi + done IFS="$lt_save_ifs" - if (test -f $dir/echo || test -f $dir/echo$ac_exeext) && - test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' && - echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - echo="$dir/echo" - break - fi - done - IFS="$lt_save_ifs" - if test "X$echo" = Xecho; then - # We didn't find a better echo, so look for alternatives. - if test "X`(print -r '\t') 2>/dev/null`" = 'X\t' && - echo_testing_string=`(print -r "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - # This shell has a builtin print -r that does the trick. - echo='print -r' - elif (test -f /bin/ksh || test -f /bin/ksh$ac_exeext) && - test "X$CONFIG_SHELL" != X/bin/ksh; then - # If we have ksh, try running configure again with it. - ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh} - export ORIGINAL_CONFIG_SHELL - CONFIG_SHELL=/bin/ksh - export CONFIG_SHELL - exec $CONFIG_SHELL "$0" --no-reexec ${1+"$@"} - else - # Try using printf. 
- echo='printf %s\n' - if test "X`($echo '\t') 2>/dev/null`" = 'X\t' && - echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - # Cool, printf works - : - elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` && - test "X$echo_testing_string" = 'X\t' && - echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL - export CONFIG_SHELL - SHELL="$CONFIG_SHELL" - export SHELL - echo="$CONFIG_SHELL $0 --fallback-echo" - elif echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` && - test "X$echo_testing_string" = 'X\t' && - echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - echo="$CONFIG_SHELL $0 --fallback-echo" + if test "X$ECHO" = Xecho; then + # We didn't find a better echo, so look for alternatives. + if test "X`{ print -r '\t'; } 2>/dev/null`" = 'X\t' && + echo_testing_string=`{ print -r "$echo_test_string"; } 2>/dev/null` && + test "X$echo_testing_string" = "X$echo_test_string"; then + # This shell has a builtin print -r that does the trick. + ECHO='print -r' + elif { test -f /bin/ksh || test -f /bin/ksh$ac_exeext; } && + test "X$CONFIG_SHELL" != X/bin/ksh; then + # If we have ksh, try running configure again with it. + ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh} + export ORIGINAL_CONFIG_SHELL + CONFIG_SHELL=/bin/ksh + export CONFIG_SHELL + exec $CONFIG_SHELL "$0" --no-reexec ${1+"$@"} else - # maybe with a smaller string... - prev=: + # Try using printf. 
+ ECHO='printf %s\n' + if test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' && + echo_testing_string=`{ $ECHO "$echo_test_string"; } 2>/dev/null` && + test "X$echo_testing_string" = "X$echo_test_string"; then + # Cool, printf works + : + elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` && + test "X$echo_testing_string" = 'X\t' && + echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` && + test "X$echo_testing_string" = "X$echo_test_string"; then + CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL + export CONFIG_SHELL + SHELL="$CONFIG_SHELL" + export SHELL + ECHO="$CONFIG_SHELL $0 --fallback-echo" + elif echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` && + test "X$echo_testing_string" = 'X\t' && + echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` && + test "X$echo_testing_string" = "X$echo_test_string"; then + ECHO="$CONFIG_SHELL $0 --fallback-echo" + else + # maybe with a smaller string... + prev=: - for cmd in 'echo test' 'sed 2q "$0"' 'sed 10q "$0"' 'sed 20q "$0"' 'sed 50q "$0"'; do - if (test "X$echo_test_string" = "X`eval $cmd`") 2>/dev/null - then - break - fi - prev="$cmd" - done + for cmd in 'echo test' 'sed 2q "$0"' 'sed 10q "$0"' 'sed 20q "$0"' 'sed 50q "$0"'; do + if { test "X$echo_test_string" = "X`eval $cmd`"; } 2>/dev/null + then + break + fi + prev="$cmd" + done - if test "$prev" != 'sed 50q "$0"'; then - echo_test_string=`eval $prev` - export echo_test_string - exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "$0" ${1+"$@"} - else - # Oops. We lost completely, so just stick with echo. - echo=echo - fi + if test "$prev" != 'sed 50q "$0"'; then + echo_test_string=`eval $prev` + export echo_test_string + exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "$0" ${1+"$@"} + else + # Oops. We lost completely, so just stick with echo. 
+ ECHO=echo + fi + fi fi fi fi fi -fi # Copy echo and quote the copy suitably for passing to libtool from # the Makefile, instead of quoting the original, which is used later. -ECHO=$echo -if test "X$ECHO" = "X$CONFIG_SHELL $0 --fallback-echo"; then - ECHO="$CONFIG_SHELL \\\$\$0 --fallback-echo" +lt_ECHO=$ECHO +if test "X$lt_ECHO" = "X$CONFIG_SHELL $0 --fallback-echo"; then + lt_ECHO="$CONFIG_SHELL \\\$\$0 --fallback-echo" fi -tagnames=${tagnames+${tagnames},}CXX - -tagnames=${tagnames+${tagnames},}F77 - exec 7<&0 &1 # Name of the host. 
@@ -767,151 +784,263 @@ # include #endif" -ac_subst_vars='SHELL -PATH_SEPARATOR -PACKAGE_NAME -PACKAGE_TARNAME -PACKAGE_VERSION -PACKAGE_STRING -PACKAGE_BUGREPORT -exec_prefix -prefix -program_transform_name -bindir -sbindir -libexecdir -datarootdir -datadir -sysconfdir -sharedstatedir -localstatedir -includedir -oldincludedir -docdir -infodir -htmldir -dvidir -pdfdir -psdir -libdir -localedir -mandir -DEFS -ECHO_C -ECHO_N -ECHO_T -LIBS +ac_subst_vars='am__EXEEXT_FALSE +am__EXEEXT_TRUE +LTLIBOBJS +LIBOBJS +ICONFIGFLAGS +CCONFIGFLAGS +CONFIGFLAGS +INCLUDES +WANT_SF_SAAC_FALSE +WANT_SF_SAAC_TRUE +RAZORBACK_LIBS +RAZORBACK_CFLAGS +PKG_CONFIG +HAVE_SHARED_REP_FALSE +HAVE_SHARED_REP_TRUE +HAVE_INTEL_SOFT_CPM_FALSE +HAVE_INTEL_SOFT_CPM_TRUE +BUILD_RESPOND3_FALSE +BUILD_RESPOND3_TRUE +BUILD_REACT_FALSE +BUILD_REACT_TRUE +LIBPRELUDE_CONFIG_PREFIX +LIBPRELUDE_PREFIX +LIBPRELUDE_LIBS +LIBPRELUDE_LDFLAGS +LIBPRELUDE_PTHREAD_CFLAGS +LIBPRELUDE_CFLAGS +LIBPRELUDE_CONFIG +BUILD_PRELUDE_FALSE +BUILD_PRELUDE_TRUE +BUILD_PROCPIDSTATS_FALSE +BUILD_PROCPIDSTATS_TRUE +HAVE_TARGET_BASED_FALSE +HAVE_TARGET_BASED_TRUE +HAVE_ZLIB_FALSE +HAVE_ZLIB_TRUE +HAVE_SUP_IP6_FALSE +HAVE_SUP_IP6_TRUE +BUILD_DYNAMIC_EXAMPLES_FALSE +BUILD_DYNAMIC_EXAMPLES_TRUE +BUILD_CONTROL_SOCKET_FALSE +BUILD_CONTROL_SOCKET_TRUE +SO_WITH_STATIC_LIB_FALSE +SO_WITH_STATIC_LIB_TRUE +HAVE_DYNAMIC_PLUGINS_FALSE +HAVE_DYNAMIC_PLUGINS_TRUE +SIGNAL_SNORT_READ_ATTR_TBL +SIGNAL_SNORT_ROTATE_STATS +SIGNAL_SNORT_DUMP_STATS +SIGNAL_SNORT_RELOAD +BUILD_SNPRINTF_FALSE +BUILD_SNPRINTF_TRUE +LEX +YACC +XCCFLAGS +extra_incl +CPP +OTOOL64 +OTOOL +LIPO +NMEDIT +DSYMUTIL +lt_ECHO +RANLIB +AR +OBJDUMP +LN_S +NM +ac_ct_DUMPBIN +DUMPBIN +LD +FGREP +EGREP +GREP +SED +host_os +host_vendor +host_cpu +host +build_os +build_vendor +build_cpu +build +LIBTOOL +am__fastdepCC_FALSE +am__fastdepCC_TRUE +CCDEPMODE +AMDEPBACKSLASH +AMDEP_FALSE +AMDEP_TRUE +am__quote +am__include +DEPDIR +OBJEXT +EXEEXT +ac_ct_CC +CPPFLAGS +LDFLAGS +CFLAGS +CC +MAINT 
+MAINTAINER_MODE_FALSE +MAINTAINER_MODE_TRUE +am__untar +am__tar +AMTAR +am__leading_dot +SET_MAKE +AWK +mkdir_p +MKDIR_P +INSTALL_STRIP_PROGRAM +STRIP +install_sh +MAKEINFO +AUTOHEADER +AUTOMAKE +AUTOCONF +ACLOCAL +VERSION +PACKAGE +CYGPATH_W +am__isrc +INSTALL_DATA +INSTALL_SCRIPT +INSTALL_PROGRAM +target_alias +host_alias build_alias +LIBS +ECHO_T +ECHO_N +ECHO_C +DEFS +mandir +localedir +libdir +psdir +pdfdir +dvidir +htmldir +infodir +docdir +oldincludedir +includedir +localstatedir +sharedstatedir +sysconfdir +datadir +datarootdir +libexecdir +sbindir +bindir +program_transform_name +prefix +exec_prefix +PACKAGE_BUGREPORT +PACKAGE_STRING +PACKAGE_VERSION +PACKAGE_TARNAME +PACKAGE_NAME +PATH_SEPARATOR +SHELL' +ac_subst_files='' +ac_user_opts=' +enable_option_checking +enable_maintainer_mode +enable_dependency_tracking +enable_shared +enable_static +with_pic +enable_fast_install +with_gnu_ld +enable_libtool_lock +enable_64bit_gcc +with_libpcap_includes +with_libpcap_libraries +with_libpfring_includes +with_libpfring_libraries +with_libpcre_includes +with_libpcre_libraries +enable_dynamicplugin +enable_so_with_static_lib +enable_control_socket +with_dnet_includes +with_dnet_libraries +with_daq_includes +with_daq_libraries +enable_static_daq +enable_build_dynamic_examples +enable_dlclose +enable_ipv6 +enable_zlib +enable_gre +enable_mpls +enable_targetbased +enable_decoder_preprocessor_rules +enable_ppm +enable_perfprofiling +enable_linux_smp_stats +enable_inline_init_failopen +enable_prelude +with_libprelude_prefix +enable_pthread +enable_debug_msgs +enable_debug +enable_gdb +enable_profile +enable_ppm_test +enable_sourcefire +enable_corefiles +enable_active_response +enable_normalizer +enable_reload +enable_reload_error_restart +with_mysql +with_mysql_includes +with_mysql_libraries +with_odbc +with_postgresql +with_pgsql_includes +with_oracle +enable_paf +enable_react +enable_flexresp3 +enable_aruba +enable_intel_soft_cpm +with_intel_soft_cpm_includes 
+with_intel_soft_cpm_libraries +enable_shared_rep +enable_rzb_saac +with_librzb_api +enable_large_pcap +' + ac_precious_vars='build_alias host_alias target_alias -INSTALL_PROGRAM -INSTALL_SCRIPT -INSTALL_DATA -am__isrc -CYGPATH_W -PACKAGE -VERSION -ACLOCAL -AUTOCONF -AUTOMAKE -AUTOHEADER -MAKEINFO -install_sh -STRIP -INSTALL_STRIP_PROGRAM -mkdir_p -AWK -SET_MAKE -am__leading_dot -AMTAR -am__tar -am__untar -MAINTAINER_MODE_TRUE -MAINTAINER_MODE_FALSE -MAINT CC CFLAGS LDFLAGS -CPPFLAGS -ac_ct_CC -EXEEXT -OBJEXT -DEPDIR -am__include -am__quote -AMDEP_TRUE -AMDEP_FALSE -AMDEPBACKSLASH -CCDEPMODE -am__fastdepCC_TRUE -am__fastdepCC_FALSE -build -build_cpu -build_vendor -build_os -host -host_cpu -host_vendor -host_os -SED -GREP -EGREP -LN_S -ECHO -AR -RANLIB -CPP -CXX -CXXFLAGS -ac_ct_CXX -CXXDEPMODE -am__fastdepCXX_TRUE -am__fastdepCXX_FALSE -CXXCPP -F77 -FFLAGS -ac_ct_F77 -LIBTOOL -extra_incl -YACC -LEX -HAVE_DYNAMIC_PLUGINS_TRUE -HAVE_DYNAMIC_PLUGINS_FALSE -HAVE_SUP_IP6_TRUE -HAVE_SUP_IP6_FALSE -HAVE_TARGET_BASED_TRUE -HAVE_TARGET_BASED_FALSE -LIBPRELUDE_CONFIG -LIBPRELUDE_CFLAGS -LIBPRELUDE_PTHREAD_CFLAGS -LIBPRELUDE_LDFLAGS -LIBPRELUDE_LIBS -LIBPRELUDE_PREFIX -LIBPRELUDE_CONFIG_PREFIX -INCLUDES -LIBOBJS -LTLIBOBJS' -ac_subst_files='' - ac_precious_vars='build_alias -host_alias -target_alias -CC -CFLAGS -LDFLAGS -LIBS +LIBS CPPFLAGS CPP -CXX -CXXFLAGS -CCC -CXXCPP -F77 -FFLAGS' +SIGNAL_SNORT_RELOAD +SIGNAL_SNORT_DUMP_STATS +SIGNAL_SNORT_ROTATE_STATS +SIGNAL_SNORT_READ_ATTR_TBL +PKG_CONFIG +RAZORBACK_CFLAGS +RAZORBACK_LIBS' # Initialize some variables set by options. ac_init_help= ac_init_version=false +ac_unrecognized_opts= +ac_unrecognized_sep= # The variables have the same names as the options, with # dashes changed to underlines. cache_file=/dev/null 
@@ -1010,13 +1139,21 @@ datarootdir=$ac_optarg ;; -disable-* | --disable-*) - ac_feature=`expr "x$ac_option" : 'x-*disable-\(.*\)'` + ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'` # Reject names that are not valid shell variable names. - expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null && - { echo "$as_me: error: invalid feature name: $ac_feature" >&2 + expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && + { $as_echo "$as_me: error: invalid feature name: $ac_useropt" >&2 { (exit 1); exit 1; }; } - ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'` - eval enable_$ac_feature=no ;; + ac_useropt_orig=$ac_useropt + ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` + case $ac_user_opts in + *" +"enable_$ac_useropt" +"*) ;; + *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig" + ac_unrecognized_sep=', ';; + esac + eval enable_$ac_useropt=no ;; -docdir | --docdir | --docdi | --doc | --do) ac_prev=docdir ;; 
@@ -1029,13 +1166,21 @@ dvidir=$ac_optarg ;; -enable-* | --enable-*) - ac_feature=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` + ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` # Reject names that are not valid shell variable names. - expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null && - { echo "$as_me: error: invalid feature name: $ac_feature" >&2 + expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && + { $as_echo "$as_me: error: invalid feature name: $ac_useropt" >&2 { (exit 1); exit 1; }; } - ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'` - eval enable_$ac_feature=\$ac_optarg ;; + ac_useropt_orig=$ac_useropt + ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` + case $ac_user_opts in + *" +"enable_$ac_useropt" +"*) ;; + *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig" + ac_unrecognized_sep=', ';; + esac + eval enable_$ac_useropt=\$ac_optarg ;; -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ 
@@ -1226,22 +1371,38 @@ ac_init_version=: ;; -with-* | --with-*) - ac_package=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` + ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` # Reject names that are not valid shell variable names. - expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null && - { echo "$as_me: error: invalid package name: $ac_package" >&2 + expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && + { $as_echo "$as_me: error: invalid package name: $ac_useropt" >&2 { (exit 1); exit 1; }; } - ac_package=`echo $ac_package | sed 's/[-.]/_/g'` - eval with_$ac_package=\$ac_optarg ;; + ac_useropt_orig=$ac_useropt + ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` + case $ac_user_opts in + *" +"with_$ac_useropt" +"*) ;; + *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig" + ac_unrecognized_sep=', ';; + esac + eval with_$ac_useropt=\$ac_optarg ;; -without-* | --without-*) - ac_package=`expr "x$ac_option" : 'x-*without-\(.*\)'` + ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'` # Reject names that are not valid shell variable names. - expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null && - { echo "$as_me: error: invalid package name: $ac_package" >&2 + expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && + { $as_echo "$as_me: error: invalid package name: $ac_useropt" >&2 { (exit 1); exit 1; }; } - ac_package=`echo $ac_package | sed 's/[-.]/_/g'` - eval with_$ac_package=no ;; + ac_useropt_orig=$ac_useropt + ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` + case $ac_user_opts in + *" +"with_$ac_useropt" +"*) ;; + *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig" + ac_unrecognized_sep=', ';; + esac + eval with_$ac_useropt=no ;; --x) # Obsolete; use --with-x. 
@@ -1261,7 +1422,7 @@ | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) x_libraries=$ac_optarg ;; - -*) { echo "$as_me: error: unrecognized option: $ac_option + -*) { $as_echo "$as_me: error: unrecognized option: $ac_option Try \`$0 --help' for more information." >&2 { (exit 1); exit 1; }; } ;; @@ -1270,16 +1431,16 @@ ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` # Reject names that are not valid shell variable names. expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null && - { echo "$as_me: error: invalid variable name: $ac_envvar" >&2 + { $as_echo "$as_me: error: invalid variable name: $ac_envvar" >&2 { (exit 1); exit 1; }; } eval $ac_envvar=\$ac_optarg export $ac_envvar ;; *) # FIXME: should be removed in autoconf 3.0. - echo "$as_me: WARNING: you should use --build, --host, --target" >&2 + $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2 expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null && - echo "$as_me: WARNING: invalid host type: $ac_option" >&2 + $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2 : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option} ;; 
@@ -1288,22 +1449,38 @@ if test -n "$ac_prev"; then ac_option=--`echo $ac_prev | sed 's/_/-/g'` - { echo "$as_me: error: missing argument to $ac_option" >&2 + { $as_echo "$as_me: error: missing argument to $ac_option" >&2 { (exit 1); exit 1; }; } fi -# Be sure to have absolute directory names. +if test -n "$ac_unrecognized_opts"; then + case $enable_option_checking in + no) ;; + fatal) { $as_echo "$as_me: error: unrecognized options: $ac_unrecognized_opts" >&2 + { (exit 1); exit 1; }; } ;; + *) $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;; + esac +fi + +# Check all directory arguments for consistency. for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ libdir localedir mandir do eval ac_val=\$$ac_var + # Remove trailing slashes. + case $ac_val in + */ ) + ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'` + eval $ac_var=\$ac_val;; + esac + # Be sure to have absolute directory names. case $ac_val in [\\/$]* | ?:[\\/]* ) continue;; NONE | '' ) case $ac_var in *prefix ) continue;; esac;; esac - { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2 + { $as_echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2 { (exit 1); exit 1; }; } done @@ -1318,7 +1495,7 @@ if test "x$host_alias" != x; then if test "x$build_alias" = x; then cross_compiling=maybe - echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host. + $as_echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host. If a cross compiler is detected then cross compile mode will be used." >&2 elif test "x$build_alias" != "x$host_alias"; then cross_compiling=yes 
@@ -1334,10 +1511,10 @@ ac_pwd=`pwd` && test -n "$ac_pwd" && ac_ls_di=`ls -di .` && ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` || - { echo "$as_me: error: Working directory cannot be determined" >&2 + { $as_echo "$as_me: error: working directory cannot be determined" >&2 { (exit 1); exit 1; }; } test "X$ac_ls_di" = "X$ac_pwd_ls_di" || - { echo "$as_me: error: pwd does not report name of working directory" >&2 + { $as_echo "$as_me: error: pwd does not report name of working directory" >&2 { (exit 1); exit 1; }; } @@ -1345,12 +1522,12 @@ if test -z "$srcdir"; then ac_srcdir_defaulted=yes # Try the directory containing this script, then the parent directory. - ac_confdir=`$as_dirname -- "$0" || -$as_expr X"$0" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$0" : 'X\(//\)[^/]' \| \ - X"$0" : 'X\(//\)$' \| \ - X"$0" : 'X\(/\)' \| . 2>/dev/null || -echo X"$0" | + ac_confdir=`$as_dirname -- "$as_myself" || +$as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$as_myself" : 'X\(//\)[^/]' \| \ + X"$as_myself" : 'X\(//\)$' \| \ + X"$as_myself" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$as_myself" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q @@ -1377,12 +1554,12 @@ fi if test ! -r "$srcdir/$ac_unique_file"; then test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .." - { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2 + { $as_echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2 { (exit 1); exit 1; }; } fi ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work" ac_abs_confdir=`( - cd "$srcdir" && test -r "./$ac_unique_file" || { echo "$as_me: error: $ac_msg" >&2 + cd "$srcdir" && test -r "./$ac_unique_file" || { $as_echo "$as_me: error: $ac_msg" >&2 { (exit 1); exit 1; }; } pwd)` # When building in place, set srcdir=. 
@@ -1431,9 +1608,9 @@ Installation directories: --prefix=PREFIX install architecture-independent files in PREFIX - [$ac_default_prefix] + [$ac_default_prefix] --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX - [PREFIX] + [PREFIX] By default, \`make install' will install all the files in \`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify 
@@ -1443,25 +1620,25 @@ For better control, use the options below. Fine tuning of the installation directories: - --bindir=DIR user executables [EPREFIX/bin] - --sbindir=DIR system admin executables [EPREFIX/sbin] - --libexecdir=DIR program executables [EPREFIX/libexec] - --sysconfdir=DIR read-only single-machine data [PREFIX/etc] - --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] - --localstatedir=DIR modifiable single-machine data [PREFIX/var] - --libdir=DIR object code libraries [EPREFIX/lib] - --includedir=DIR C header files [PREFIX/include] - --oldincludedir=DIR C header files for non-gcc [/usr/include] - --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] - --datadir=DIR read-only architecture-independent data [DATAROOTDIR] - --infodir=DIR info documentation [DATAROOTDIR/info] - --localedir=DIR locale-dependent data [DATAROOTDIR/locale] - --mandir=DIR man documentation [DATAROOTDIR/man] - --docdir=DIR documentation root [DATAROOTDIR/doc/PACKAGE] - --htmldir=DIR html documentation [DOCDIR] - --dvidir=DIR dvi documentation [DOCDIR] - --pdfdir=DIR pdf documentation [DOCDIR] - --psdir=DIR ps documentation [DOCDIR] + --bindir=DIR user executables [EPREFIX/bin] + --sbindir=DIR system admin executables [EPREFIX/sbin] + --libexecdir=DIR program executables [EPREFIX/libexec] + --sysconfdir=DIR read-only single-machine data [PREFIX/etc] + --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] + --localstatedir=DIR modifiable single-machine data [PREFIX/var] + --libdir=DIR object code libraries [EPREFIX/lib] + --includedir=DIR C header files [PREFIX/include] + --oldincludedir=DIR C header files for non-gcc [/usr/include] + --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] + --datadir=DIR read-only architecture-independent data [DATAROOTDIR] + --infodir=DIR info documentation [DATAROOTDIR/info] + --localedir=DIR locale-dependent data [DATAROOTDIR/locale] + --mandir=DIR man documentation 
[DATAROOTDIR/man] + --docdir=DIR documentation root [DATAROOTDIR/doc/PACKAGE] + --htmldir=DIR html documentation [DOCDIR] + --dvidir=DIR dvi documentation [DOCDIR] + --pdfdir=DIR pdf documentation [DOCDIR] + --psdir=DIR ps documentation [DOCDIR] _ACEOF cat <<\_ACEOF @@ -1482,6 +1659,7 @@ cat <<\_ACEOF Optional Features: + --disable-option-checking ignore unrecognized --enable/--with options --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --enable-maintainer-mode enable make rules and dependencies not useful 
@@ -1494,53 +1672,61 @@ optimize for fast installation [default=yes] --disable-libtool-lock avoid locking (might break parallel builds) --enable-64bit-gcc Try to compile 64bit (only tested on Sparc Solaris 9 and 10). - --enable-dynamicplugin Enable Ability to dynamically load preprocessors, detection engine, and rules lib (on by default, use --disable to not use dynamic libraries) - --enable-ipv6 Enable IPv6 support - --enable-gre Enable GRE and IP in IP encapsulation support - --enable-mpls Enable MPLS support - --enable-targetbased Enable Target-Based Support in Stream, Frag, and Rules (adds pthread support implicitly) - --enable-decoder-preprocessor-rules Enable rule actions for decoder and preprocessor events - --enable-ppm Enable packet/rule performance monitor - --enable-timestats Enable TimeStats functionality - --enable-perfprofiling Enable preprocessor and rule performance profiling + --disable-dynamicplugin Enable Ability to dynamically load preprocessors, detection engine, and rules lib (on by default, use --disable to not use dynamic libraries) + --enable-so-with-static-lib Enable linking of dynamically loaded preprocessors with a static preprocessor library + --enable-control-socket Enable the control socket + --disable-static-daq Link static DAQ modules. + --enable-build-dynamic-examples Enable building of example dynamically loaded preprocessor and rule (off by default) + --disable-dlclose Only use if you are developing dynamic preprocessors or shared object rules. Disable (--disable-dlclose) for testing valgrind leaks in dynamic libraries so a usable backtrace is reported. Enabled by default. 
+ --disable-ipv6 Disable IPv6 support + --disable-zlib Enable Http Response Decompression + --disable-gre Enable GRE and IP in IP encapsulation support + --disable-mpls Enable MPLS support + --disable-targetbased Enable Target-Based Support in Stream, Frag, and Rules (adds pthread support implicitly) + --disable-decoder-preprocessor-rules Enable rule actions for decoder and preprocessor events + --disable-ppm Enable packet/rule performance monitor + --disable-perfprofiling Enable preprocessor and rule performance profiling --enable-linux-smp-stats Enable statistics reporting through proc - --enable-inline Use the libipq interface for inline snort - --enable-ipfw Enable ipfw Divert mode for use with inline --enable-inline-init-failopen Enable Fail Open during initialization for Inline Mode (adds pthread support implicitly) --enable-prelude Enable Prelude Hybrid IDS support - --enable-pthread Enable pthread support + --disable-pthread Disable pthread support + --enable-debug-msgs Enable debug printing options (bugreports and developers only) --enable-debug Enable debugging options (bugreports and developers only) + --enable-gdb Enable gdb debugging information --enable-profile Enable profiling options (developers only) - --enable-ppm-test Enable packet/rule performance monitor - --enable-sourcefire Enable Sourcefire specific build options + --disable-ppm-test Enable packet/rule performance monitor + --enable-sourcefire Enable Sourcefire specific build options, encompasing --enable-perfprofiling,--enable-decoder-preprocessor-rules, --enable-ppm --disable-corefiles Prevent Snort from generating core files - --enable-reload Enable reloading a configuration without restarting - --enable-reload-error-restart Enable restarting on reload error + --disable-active-response Enable reject injection + --disable-normalizer Enable packet/stream normalizations + --disable-reload Enable reloading a configuration without restarting + --disable-reload-error-restart Enable restarting 
on reload error + --disable-paf disable protocol aware flushing + --disable-react Intercept and terminate offending HTTP accesses + --disable-flexresp3 Flexible Responses (v3) on hostile connection attempts --enable-aruba Enable Aruba output plugin - --enable-react Intercept and terminate offending HTTP accesses - --enable-flexresp Flexible Responses (v1) on hostile connection attempts - --enable-flexresp2 Flexible Responses (v2) on hostile connection attempts + --enable-intel-soft-cpm Enable Intel Soft CPM support + --enable-shared-rep Enable use of Shared Memory for Reputation (Linux only) + --enable-rzb-saac Enable Razorback SaaC support + --enable-large-pcap Enable support for pcaps larger than 2 GB Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) - --with-gnu-ld assume the C compiler uses GNU ld [default=no] --with-pic try to use only PIC/non-PIC objects [default=use both] - --with-tags[=TAGS] include additional configurations [automatic] + --with-gnu-ld assume the C compiler uses GNU ld [default=no] --with-libpcap-includes=DIR libpcap include directory --with-libpcap-libraries=DIR libpcap library directory --with-libpfring-includes=DIR libpfring include directory --with-libpfring-libraries=DIR libpfring library directory --with-libpcre-includes=DIR libpcre include directory --with-libpcre-libraries=DIR libpcre library directory - --with-libipq-includes=DIR libipq include directory - --with-libipq-libraries=DIR libipq library directory - --with-libprelude-prefix=PFX Prefix where libprelude is installed (optional) - --with-libnet-includes=DIR libnet include directory - --with-libnet-libraries=DIR libnet library directory --with-dnet-includes=DIR libdnet include directory --with-dnet-libraries=DIR libdnet library directory + --with-daq-includes=DIR DAQ include directory + --with-daq-libraries=DIR DAQ library directory + --with-libprelude-prefix=PFX Prefix where libprelude is installed 
(optional) --with-mysql=DIR Support for MySQL --with-mysql-includes=DIR MySQL include directory --with-mysql-libraries=DIR MySQL library directory @@ -1548,6 +1734,9 @@ --with-postgresql=DIR Support for PostgreSQL --with-pgsql-includes=DIR PostgreSQL include directory --with-oracle=DIR Support for Oracle + --with-intel-soft-cpm-includes=DIR Intel Soft CPM include directory + --with-intel-soft-cpm-libraries=DIR Intel Soft CPM library directory + --with-librzb-api=DIR librazorback_api directory Some influential environment variables: CC C compiler command @@ -1558,11 +1747,19 @@ CPPFLAGS C/C++/Objective C preprocessor flags, e.g. -I if you have headers in a nonstandard directory CPP C preprocessor - CXX C++ compiler command - CXXFLAGS C++ compiler flags - CXXCPP C++ preprocessor - F77 Fortran 77 compiler command - FFLAGS Fortran 77 compiler flags + SIGNAL_SNORT_RELOAD + set the SIGNAL_SNORT_RELOAD value + SIGNAL_SNORT_DUMP_STATS + set the SIGNAL_SNORT_DUMP_STATS value + SIGNAL_SNORT_ROTATE_STATS + set the SIGNAL_SNORT_ROTATE_STATS value + SIGNAL_SNORT_READ_ATTR_TBL + set the SIGNAL_SNORT_READ_ATTR_TBL value + PKG_CONFIG path to pkg-config utility + RAZORBACK_CFLAGS + C compiler flags for RAZORBACK, overriding pkg-config + RAZORBACK_LIBS + linker flags for RAZORBACK, overriding pkg-config Use these variables to override the choices made by `configure' or to help it to find libraries and programs with nonstandard names/locations. 
@@ -1574,15 +1771,17 @@ if test "$ac_init_help" = "recursive"; then # If there are subdirs, report their specific --help. for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue - test -d "$ac_dir" || continue + test -d "$ac_dir" || + { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } || + continue ac_builddir=. case "$ac_dir" in .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; *) - ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'` + ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` # A ".." for each directory in $ac_dir_suffix. - ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'` + ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` case $ac_top_builddir_sub in "") ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; @@ -1618,7 +1817,7 @@ echo && $SHELL "$ac_srcdir/configure" --help=recursive else - echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 + $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 fi || ac_status=$? cd "$ac_pwd" || { ac_status=$?; break; } done @@ -1628,10 +1827,10 @@ if $ac_init_version; then cat <<\_ACEOF configure -generated by GNU Autoconf 2.61 +generated by GNU Autoconf 2.63 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, -2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. This configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. _ACEOF @@ -1642,7 +1841,7 @@ running configure, to aid debugging if configure makes a mistake. It was created by $as_me, which was -generated by GNU Autoconf 2.61. Invocation command line was +generated by GNU Autoconf 2.63. Invocation command line was $ $0 $@ 
@@ -1678,7 +1877,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - echo "PATH: $as_dir" + $as_echo "PATH: $as_dir" done IFS=$as_save_IFS @@ -1713,7 +1912,7 @@ | -silent | --silent | --silen | --sile | --sil) continue ;; *\'*) - ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; + ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; esac case $ac_pass in 1) ac_configure_args0="$ac_configure_args0 '$ac_arg'" ;; @@ -1765,11 +1964,12 @@ case $ac_val in #( *${as_nl}*) case $ac_var in #( - *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5 -echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;; + *_cv_*) { $as_echo "$as_me:$LINENO: WARNING: cache variable $ac_var contains a newline" >&5 +$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; esac case $ac_var in #( _ | IFS | as_nl) ;; #( + BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( *) $as_unset $ac_var ;; esac ;; esac @@ -1799,9 +1999,9 @@ do eval ac_val=\$$ac_var case $ac_val in - *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; + *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; esac - echo "$ac_var='\''$ac_val'\''" + $as_echo "$ac_var='\''$ac_val'\''" done | sort echo @@ -1816,9 +2016,9 @@ do eval ac_val=\$$ac_var case $ac_val in - *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; + *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; esac - echo "$ac_var='\''$ac_val'\''" + $as_echo "$ac_var='\''$ac_val'\''" done | sort echo fi @@ -1834,8 +2034,8 @@ echo fi test "$ac_signal" != 0 && - echo "$as_me: caught signal $ac_signal" - echo "$as_me: exit $exit_status" + $as_echo "$as_me: caught signal $ac_signal" + $as_echo "$as_me: exit $exit_status" } >&5 rm -f core *.core core.conftest.* && rm -f -r conftest* confdefs* conf$$* $ac_clean_files && 
@@ -1877,21 +2077,24 @@ # Let the site file select an alternate cache file if it wants to. -# Prefer explicitly selected file to automatically selected ones. +# Prefer an explicitly selected file to automatically selected ones. +ac_site_file1=NONE +ac_site_file2=NONE if test -n "$CONFIG_SITE"; then - set x "$CONFIG_SITE" + ac_site_file1=$CONFIG_SITE elif test "x$prefix" != xNONE; then - set x "$prefix/share/config.site" "$prefix/etc/config.site" + ac_site_file1=$prefix/share/config.site + ac_site_file2=$prefix/etc/config.site else - set x "$ac_default_prefix/share/config.site" \ - "$ac_default_prefix/etc/config.site" + ac_site_file1=$ac_default_prefix/share/config.site + ac_site_file2=$ac_default_prefix/etc/config.site fi -shift -for ac_site_file +for ac_site_file in "$ac_site_file1" "$ac_site_file2" do + test "x$ac_site_file" = xNONE && continue if test -r "$ac_site_file"; then - { echo "$as_me:$LINENO: loading site script $ac_site_file" >&5 -echo "$as_me: loading site script $ac_site_file" >&6;} + { $as_echo "$as_me:$LINENO: loading site script $ac_site_file" >&5 +$as_echo "$as_me: loading site script $ac_site_file" >&6;} sed 's/^/| /' "$ac_site_file" >&5 . "$ac_site_file" fi @@ -1901,16 +2104,16 @@ # Some versions of bash will fail to source /dev/null (special # files actually), so we avoid doing that. if test -f "$cache_file"; then - { echo "$as_me:$LINENO: loading cache $cache_file" >&5 -echo "$as_me: loading cache $cache_file" >&6;} + { $as_echo "$as_me:$LINENO: loading cache $cache_file" >&5 +$as_echo "$as_me: loading cache $cache_file" >&6;} case $cache_file in [\\/]* | ?:[\\/]* ) . "$cache_file";; *) . "./$cache_file";; esac fi else - { echo "$as_me:$LINENO: creating cache $cache_file" >&5 -echo "$as_me: creating cache $cache_file" >&6;} + { $as_echo "$as_me:$LINENO: creating cache $cache_file" >&5 +$as_echo "$as_me: creating cache $cache_file" >&6;} >$cache_file fi 
@@ -1924,29 +2127,38 @@ eval ac_new_val=\$ac_env_${ac_var}_value case $ac_old_set,$ac_new_set in set,) - { echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 -echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} + { $as_echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 +$as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} ac_cache_corrupted=: ;; ,set) - { echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5 -echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} + { $as_echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5 +$as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} ac_cache_corrupted=: ;; ,);; *) if test "x$ac_old_val" != "x$ac_new_val"; then - { echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5 -echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} - { echo "$as_me:$LINENO: former value: $ac_old_val" >&5 -echo "$as_me: former value: $ac_old_val" >&2;} - { echo "$as_me:$LINENO: current value: $ac_new_val" >&5 -echo "$as_me: current value: $ac_new_val" >&2;} - ac_cache_corrupted=: + # differences in whitespace do not lead to failure. 
+ ac_old_val_w=`echo x $ac_old_val` + ac_new_val_w=`echo x $ac_new_val` + if test "$ac_old_val_w" != "$ac_new_val_w"; then + { $as_echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5 +$as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} + ac_cache_corrupted=: + else + { $as_echo "$as_me:$LINENO: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5 +$as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;} + eval $ac_var=\$ac_old_val + fi + { $as_echo "$as_me:$LINENO: former value: \`$ac_old_val'" >&5 +$as_echo "$as_me: former value: \`$ac_old_val'" >&2;} + { $as_echo "$as_me:$LINENO: current value: \`$ac_new_val'" >&5 +$as_echo "$as_me: current value: \`$ac_new_val'" >&2;} fi;; esac # Pass precious variables to config.status. if test "$ac_new_set" = set; then case $ac_new_val in - *\'*) ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; + *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; *) ac_arg=$ac_var=$ac_new_val ;; esac case " $ac_configure_args " in 
@@ -1956,10 +2168,12 @@ fi done if $ac_cache_corrupted; then - { echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5 -echo "$as_me: error: changes in the environment can compromise the build" >&2;} - { { echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5 -echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;} + { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} + { $as_echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5 +$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;} + { { $as_echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5 +$as_echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;} { (exit 1); exit 1; }; } fi @@ -1988,11 +2202,12 @@ +#LT_PREREQ([2.2.6]) ac_config_headers="$ac_config_headers config.h" # When changing the snort version, please also update the VERSION # definition in "src/win32/WIN32-Includes/config.h" -am__api_version='1.10' +am__api_version='1.11' ac_aux_dir= for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do @@ -2011,8 +2226,8 @@ fi done if test -z "$ac_aux_dir"; then - { { echo "$as_me:$LINENO: error: cannot find install-sh or install.sh in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" >&5 -echo "$as_me: error: cannot find install-sh or install.sh in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" >&2;} + { { $as_echo "$as_me:$LINENO: error: cannot find install-sh or install.sh in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" >&5 +$as_echo "$as_me: error: cannot find install-sh or install.sh in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" >&2;} { (exit 1); exit 1; }; } fi 
@@ -2038,11 +2253,12 @@ # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" # OS/2's system install, which has a completely different semantic # ./install, which can be erroneously created by make from ./install.sh. -{ echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5 -echo $ECHO_N "checking for a BSD-compatible install... $ECHO_C" >&6; } +# Reject install programs that cannot install multiple files. +{ $as_echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5 +$as_echo_n "checking for a BSD-compatible install... " >&6; } if test -z "$INSTALL"; then if test "${ac_cv_path_install+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH @@ -2071,17 +2287,29 @@ # program-specific install script used by HP pwplus--don't use. : else - ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c" - break 3 + rm -rf conftest.one conftest.two conftest.dir + echo one > conftest.one + echo two > conftest.two + mkdir conftest.dir + if "$as_dir/$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir" && + test -s conftest.one && test -s conftest.two && + test -s conftest.dir/conftest.one && + test -s conftest.dir/conftest.two + then + ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c" + break 3 + fi fi fi done done ;; esac + done IFS=$as_save_IFS +rm -rf conftest.one conftest.two conftest.dir fi if test "${ac_cv_path_install+set}" = set; then @@ -2094,8 +2322,8 @@ INSTALL=$ac_install_sh fi fi -{ echo "$as_me:$LINENO: result: $INSTALL" >&5 -echo "${ECHO_T}$INSTALL" >&6; } +{ $as_echo "$as_me:$LINENO: result: $INSTALL" >&5 +$as_echo "$INSTALL" >&6; } # Use test -z because SunOS4 sh mishandles braces in ${var-val}. # It thinks the first close brace ends the variable substitution. 
@@ -2105,21 +2333,38 @@ test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' -{ echo "$as_me:$LINENO: checking whether build environment is sane" >&5 -echo $ECHO_N "checking whether build environment is sane... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking whether build environment is sane" >&5 +$as_echo_n "checking whether build environment is sane... " >&6; } # Just in case sleep 1 echo timestamp > conftest.file +# Reject unsafe characters in $srcdir or the absolute working directory +# name. Accept space and tab only in the latter. +am_lf=' +' +case `pwd` in + *[\\\"\#\$\&\'\`$am_lf]*) + { { $as_echo "$as_me:$LINENO: error: unsafe absolute working directory name" >&5 +$as_echo "$as_me: error: unsafe absolute working directory name" >&2;} + { (exit 1); exit 1; }; };; +esac +case $srcdir in + *[\\\"\#\$\&\'\`$am_lf\ \ ]*) + { { $as_echo "$as_me:$LINENO: error: unsafe srcdir value: \`$srcdir'" >&5 +$as_echo "$as_me: error: unsafe srcdir value: \`$srcdir'" >&2;} + { (exit 1); exit 1; }; };; +esac + # Do `set' in a subshell so we don't clobber the current shell's # arguments. Must try -L first in case configure is actually a # symlink; some systems play weird games with the mod time of symlinks # (eg FreeBSD returns the mod time of the symlink's containing # directory). if ( - set X `ls -Lt $srcdir/configure conftest.file 2> /dev/null` + set X `ls -Lt "$srcdir/configure" conftest.file 2> /dev/null` if test "$*" = "X"; then # -L didn't work. - set X `ls -t $srcdir/configure conftest.file` + set X `ls -t "$srcdir/configure" conftest.file` fi rm -f conftest.file if test "$*" != "X $srcdir/configure conftest.file" \ 
@@ -2129,9 +2374,9 @@ # if, for instance, CONFIG_SHELL is bash and it inherits a # broken ls alias from the environment. This has actually # happened. Such a system could not be considered "sane". - { { echo "$as_me:$LINENO: error: ls -t appears to fail. Make sure there is not a broken + { { $as_echo "$as_me:$LINENO: error: ls -t appears to fail. Make sure there is not a broken alias in your environment" >&5 -echo "$as_me: error: ls -t appears to fail. Make sure there is not a broken +$as_echo "$as_me: error: ls -t appears to fail. Make sure there is not a broken alias in your environment" >&2;} { (exit 1); exit 1; }; } fi 
@@ -2142,45 +2387,158 @@ # Ok. : else - { { echo "$as_me:$LINENO: error: newly created file is older than distributed files! + { { $as_echo "$as_me:$LINENO: error: newly created file is older than distributed files! Check your system clock" >&5 -echo "$as_me: error: newly created file is older than distributed files! +$as_echo "$as_me: error: newly created file is older than distributed files! Check your system clock" >&2;} { (exit 1); exit 1; }; } fi -{ echo "$as_me:$LINENO: result: yes" >&5 -echo "${ECHO_T}yes" >&6; } +{ $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } test "$program_prefix" != NONE && program_transform_name="s&^&$program_prefix&;$program_transform_name" # Use a double $ so make ignores it. test "$program_suffix" != NONE && program_transform_name="s&\$&$program_suffix&;$program_transform_name" -# Double any \ or $. echo might interpret backslashes. +# Double any \ or $. # By default was `s,x,x', remove it if useless. -cat <<\_ACEOF >conftest.sed -s/[\\$]/&&/g;s/;s,x,x,$// -_ACEOF -program_transform_name=`echo $program_transform_name | sed -f conftest.sed` -rm -f conftest.sed +ac_script='s/[\\$]/&&/g;s/;s,x,x,$//' +program_transform_name=`$as_echo "$program_transform_name" | sed "$ac_script"` # expand $ac_aux_dir to an absolute path am_aux_dir=`cd $ac_aux_dir && pwd` -test x"${MISSING+set}" = xset || MISSING="\${SHELL} $am_aux_dir/missing" +if test x"${MISSING+set}" != xset; then + case $am_aux_dir in + *\ * | *\ *) + MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;; + *) + MISSING="\${SHELL} $am_aux_dir/missing" ;; + esac +fi # Use eval to expand $SHELL if eval "$MISSING --run true"; then am_missing_run="$MISSING --run " else am_missing_run= - { echo "$as_me:$LINENO: WARNING: \`missing' script is too old or missing" >&5 -echo "$as_me: WARNING: \`missing' script is too old or missing" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: \`missing' script is too old or missing" >&5 +$as_echo "$as_me: WARNING: \`missing' script is too old or 
missing" >&2;} +fi + +if test x"${install_sh}" != xset; then + case $am_aux_dir in + *\ * | *\ *) + install_sh="\${SHELL} '$am_aux_dir/install-sh'" ;; + *) + install_sh="\${SHELL} $am_aux_dir/install-sh" + esac +fi + +# Installed binaries are usually stripped using `strip' when the user +# run `make install-strip'. However `strip' might not be the right +# tool to use in cross-compilation environments, therefore Automake +# will honor the `STRIP' environment variable to overrule this program. +if test "$cross_compiling" != no; then + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args. +set dummy ${ac_tool_prefix}strip; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_STRIP+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$STRIP"; then + ac_cv_prog_STRIP="$STRIP" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_STRIP="${ac_tool_prefix}strip" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + +fi +fi +STRIP=$ac_cv_prog_STRIP +if test -n "$STRIP"; then + { $as_echo "$as_me:$LINENO: result: $STRIP" >&5 +$as_echo "$STRIP" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_prog_STRIP"; then + ac_ct_STRIP=$STRIP + # Extract the first word of "strip", so it can be a program name with args. +set dummy strip; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... 
" >&6; } +if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_STRIP"; then + ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_ac_ct_STRIP="strip" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + +fi +fi +ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP +if test -n "$ac_ct_STRIP"; then + { $as_echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5 +$as_echo "$ac_ct_STRIP" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_ct_STRIP" = x; then + STRIP=":" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + STRIP=$ac_ct_STRIP + fi +else + STRIP="$ac_cv_prog_STRIP" +fi + fi +INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s" -{ echo "$as_me:$LINENO: checking for a thread-safe mkdir -p" >&5 -echo $ECHO_N "checking for a thread-safe mkdir -p... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking for a thread-safe mkdir -p" >&5 +$as_echo_n "checking for a thread-safe mkdir -p... " >&6; } if test -z "$MKDIR_P"; then if test "${ac_cv_path_mkdir+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/opt/sfw/bin 
@@ -2215,8 +2573,8 @@ MKDIR_P="$ac_install_sh -d" fi fi -{ echo "$as_me:$LINENO: result: $MKDIR_P" >&5 -echo "${ECHO_T}$MKDIR_P" >&6; } +{ $as_echo "$as_me:$LINENO: result: $MKDIR_P" >&5 +$as_echo "$MKDIR_P" >&6; } mkdir_p="$MKDIR_P" case $mkdir_p in @@ -2228,10 +2586,10 @@ do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } if test "${ac_cv_prog_AWK+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else if test -n "$AWK"; then ac_cv_prog_AWK="$AWK" # Let the user override the test. @@ -2244,7 +2602,7 @@ for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_AWK="$ac_prog" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done 
@@ -2255,22 +2613,23 @@ fi AWK=$ac_cv_prog_AWK if test -n "$AWK"; then - { echo "$as_me:$LINENO: result: $AWK" >&5 -echo "${ECHO_T}$AWK" >&6; } + { $as_echo "$as_me:$LINENO: result: $AWK" >&5 +$as_echo "$AWK" >&6; } else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi test -n "$AWK" && break done -{ echo "$as_me:$LINENO: checking whether ${MAKE-make} sets \$(MAKE)" >&5 -echo $ECHO_N "checking whether ${MAKE-make} sets \$(MAKE)... $ECHO_C" >&6; } -set x ${MAKE-make}; ac_make=`echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'` +{ $as_echo "$as_me:$LINENO: checking whether ${MAKE-make} sets \$(MAKE)" >&5 +$as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; } +set x ${MAKE-make} +ac_make=`$as_echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'` if { as_var=ac_cv_prog_make_${ac_make}_set; eval "test \"\${$as_var+set}\" = set"; }; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else cat >conftest.make <<\_ACEOF SHELL = /bin/sh @@ -2287,12 +2646,12 @@ rm -f conftest.make fi if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then - { echo "$as_me:$LINENO: result: yes" >&5 -echo "${ECHO_T}yes" >&6; } + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } SET_MAKE= else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } SET_MAKE="MAKE=${MAKE-make}" fi 
@@ -2311,8 +2670,8 @@ am__isrc=' -I$(srcdir)' # test to see if srcdir already configured if test -f $srcdir/config.status; then - { { echo "$as_me:$LINENO: error: source directory already configured; run \"make distclean\" there first" >&5 -echo "$as_me: error: source directory already configured; run \"make distclean\" there first" >&2;} + { { $as_echo "$as_me:$LINENO: error: source directory already configured; run \"make distclean\" there first" >&5 +$as_echo "$as_me: error: source directory already configured; run \"make distclean\" there first" >&2;} { (exit 1); exit 1; }; } fi fi @@ -2329,7 +2688,7 @@ # Define the identity of the package. PACKAGE=snort - VERSION=2.8.5.2 + VERSION=2.9.2 cat >>confdefs.h <<_ACEOF 
@@ -2357,112 +2716,6 @@ MAKEINFO=${MAKEINFO-"${am_missing_run}makeinfo"} -install_sh=${install_sh-"\$(SHELL) $am_aux_dir/install-sh"} - -# Installed binaries are usually stripped using `strip' when the user -# run `make install-strip'. However `strip' might not be the right -# tool to use in cross-compilation environments, therefore Automake -# will honor the `STRIP' environment variable to overrule this program. -if test "$cross_compiling" != no; then - if test -n "$ac_tool_prefix"; then - # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args. -set dummy ${ac_tool_prefix}strip; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } -if test "${ac_cv_prog_STRIP+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$STRIP"; then - ac_cv_prog_STRIP="$STRIP" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_STRIP="${ac_tool_prefix}strip" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done -IFS=$as_save_IFS - -fi -fi -STRIP=$ac_cv_prog_STRIP -if test -n "$STRIP"; then - { echo "$as_me:$LINENO: result: $STRIP" >&5 -echo "${ECHO_T}$STRIP" >&6; } -else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } -fi - - -fi -if test -z "$ac_cv_prog_STRIP"; then - ac_ct_STRIP=$STRIP - # Extract the first word of "strip", so it can be a program name with args. -set dummy strip; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... 
$ECHO_C" >&6; } -if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$ac_ct_STRIP"; then - ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_ac_ct_STRIP="strip" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done -IFS=$as_save_IFS - -fi -fi -ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP -if test -n "$ac_ct_STRIP"; then - { echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5 -echo "${ECHO_T}$ac_ct_STRIP" >&6; } -else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } -fi - - if test "x$ac_ct_STRIP" = x; then - STRIP=":" - else - case $cross_compiling:$ac_tool_warned in -yes:) -{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools -whose name does not start with the host triplet. If you think this -configuration is useful to you, please write to autoconf@gnu.org." >&5 -echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools -whose name does not start with the host triplet. If you think this -configuration is useful to you, please write to autoconf@gnu.org." >&2;} -ac_tool_warned=yes ;; -esac - STRIP=$ac_ct_STRIP - fi -else - STRIP="$ac_cv_prog_STRIP" -fi - -fi -INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s" - # We need awk for the "check" target. The system "awk" is bad on # some platforms. # Always define AMTAR for backward compatibility. 
@@ -2488,8 +2741,9 @@ fi # Disable annoying practice of recursively re-running the autotools -{ echo "$as_me:$LINENO: checking whether to enable maintainer-specific portions of Makefiles" >&5 -echo $ECHO_N "checking whether to enable maintainer-specific portions of Makefiles... $ECHO_C" >&6; } + +{ $as_echo "$as_me:$LINENO: checking whether to enable maintainer-specific portions of Makefiles" >&5 +$as_echo_n "checking whether to enable maintainer-specific portions of Makefiles... " >&6; } # Check whether --enable-maintainer-mode was given. if test "${enable_maintainer_mode+set}" = set; then enableval=$enable_maintainer_mode; USE_MAINTAINER_MODE=$enableval @@ -2497,8 +2751,8 @@ USE_MAINTAINER_MODE=no fi - { echo "$as_me:$LINENO: result: $USE_MAINTAINER_MODE" >&5 -echo "${ECHO_T}$USE_MAINTAINER_MODE" >&6; } + { $as_echo "$as_me:$LINENO: result: $USE_MAINTAINER_MODE" >&5 +$as_echo "$USE_MAINTAINER_MODE" >&6; } if test $USE_MAINTAINER_MODE = yes; then MAINTAINER_MODE_TRUE= MAINTAINER_MODE_FALSE='#' 
@@ -2518,40 +2772,40 @@ am_make=${MAKE-make} cat > confinc << 'END' am__doit: - @echo done + @echo this is the am__doit target .PHONY: am__doit END # If we don't find an include directive, just comment out the code. -{ echo "$as_me:$LINENO: checking for style of include used by $am_make" >&5 -echo $ECHO_N "checking for style of include used by $am_make... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking for style of include used by $am_make" >&5 +$as_echo_n "checking for style of include used by $am_make... " >&6; } am__include="#" am__quote= _am_result=none # First try GNU make style include. echo "include confinc" > confmf -# We grep out `Entering directory' and `Leaving directory' -# messages which can occur if `w' ends up in MAKEFLAGS. -# In particular we don't look at `^make:' because GNU make might -# be invoked under some other name (usually "gmake"), in which -# case it prints its new name instead of `make'. -if test "`$am_make -s -f confmf 2> /dev/null | grep -v 'ing directory'`" = "done"; then - am__include=include - am__quote= - _am_result=GNU -fi +# Ignore all kinds of additional output from `make'. +case `$am_make -s -f confmf 2> /dev/null` in #( +*the\ am__doit\ target*) + am__include=include + am__quote= + _am_result=GNU + ;; +esac # Now try BSD make style include. if test "$am__include" = "#"; then echo '.include "confinc"' > confmf - if test "`$am_make -s -f confmf 2> /dev/null`" = "done"; then - am__include=.include - am__quote="\"" - _am_result=BSD - fi + case `$am_make -s -f confmf 2> /dev/null` in #( + *the\ am__doit\ target*) + am__include=.include + am__quote="\"" + _am_result=BSD + ;; + esac fi -{ echo "$as_me:$LINENO: result: $_am_result" >&5 -echo "${ECHO_T}$_am_result" >&6; } +{ $as_echo "$as_me:$LINENO: result: $_am_result" >&5 +$as_echo "$_am_result" >&6; } rm -f confinc confmf # Check whether --enable-dependency-tracking was given. 
@@ -2580,10 +2834,10 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. set dummy ${ac_tool_prefix}gcc; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } if test "${ac_cv_prog_CC+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. @@ -2596,7 +2850,7 @@ for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="${ac_tool_prefix}gcc" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done @@ -2607,11 +2861,11 @@ fi CC=$ac_cv_prog_CC if test -n "$CC"; then - { echo "$as_me:$LINENO: result: $CC" >&5 -echo "${ECHO_T}$CC" >&6; } + { $as_echo "$as_me:$LINENO: result: $CC" >&5 +$as_echo "$CC" >&6; } else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi @@ -2620,10 +2874,10 @@ ac_ct_CC=$CC # Extract the first word of "gcc", so it can be a program name with args. set dummy gcc; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } if test "${ac_cv_prog_ac_ct_CC+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. 
@@ -2636,7 +2890,7 @@ for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_CC="gcc" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done @@ -2647,11 +2901,11 @@ fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then - { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 -echo "${ECHO_T}$ac_ct_CC" >&6; } + { $as_echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 +$as_echo "$ac_ct_CC" >&6; } else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi if test "x$ac_ct_CC" = x; then @@ -2659,12 +2913,8 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools -whose name does not start with the host triplet. If you think this -configuration is useful to you, please write to autoconf@gnu.org." >&5 -echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools -whose name does not start with the host triplet. If you think this -configuration is useful to you, please write to autoconf@gnu.org." >&2;} +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC 
@@ -2677,10 +2927,10 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. set dummy ${ac_tool_prefix}cc; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } if test "${ac_cv_prog_CC+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. @@ -2693,7 +2943,7 @@ for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="${ac_tool_prefix}cc" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done @@ -2704,11 +2954,11 @@ fi CC=$ac_cv_prog_CC if test -n "$CC"; then - { echo "$as_me:$LINENO: result: $CC" >&5 -echo "${ECHO_T}$CC" >&6; } + { $as_echo "$as_me:$LINENO: result: $CC" >&5 +$as_echo "$CC" >&6; } else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi @@ -2717,10 +2967,10 @@ if test -z "$CC"; then # Extract the first word of "cc", so it can be a program name with args. set dummy cc; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } if test "${ac_cv_prog_CC+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. 
@@ -2738,7 +2988,7 @@ continue fi ac_cv_prog_CC="cc" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done @@ -2761,11 +3011,11 @@ fi CC=$ac_cv_prog_CC if test -n "$CC"; then - { echo "$as_me:$LINENO: result: $CC" >&5 -echo "${ECHO_T}$CC" >&6; } + { $as_echo "$as_me:$LINENO: result: $CC" >&5 +$as_echo "$CC" >&6; } else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi @@ -2776,10 +3026,10 @@ do # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. set dummy $ac_tool_prefix$ac_prog; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } if test "${ac_cv_prog_CC+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. @@ -2792,7 +3042,7 @@ for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="$ac_tool_prefix$ac_prog" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done @@ -2803,11 +3053,11 @@ fi CC=$ac_cv_prog_CC if test -n "$CC"; then - { echo "$as_me:$LINENO: result: $CC" >&5 -echo "${ECHO_T}$CC" >&6; } + { $as_echo "$as_me:$LINENO: result: $CC" >&5 +$as_echo "$CC" >&6; } else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi 
@@ -2820,10 +3070,10 @@ do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } if test "${ac_cv_prog_ac_ct_CC+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. @@ -2836,7 +3086,7 @@ for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_CC="$ac_prog" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done @@ -2847,11 +3097,11 @@ fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then - { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 -echo "${ECHO_T}$ac_ct_CC" >&6; } + { $as_echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 +$as_echo "$ac_ct_CC" >&6; } else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi 
@@ -2863,12 +3113,8 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools -whose name does not start with the host triplet. If you think this -configuration is useful to you, please write to autoconf@gnu.org." >&5 -echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools -whose name does not start with the host triplet. If you think this -configuration is useful to you, please write to autoconf@gnu.org." >&2;} +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC 
@@ -2878,44 +3124,50 @@ fi -test -z "$CC" && { { echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH +test -z "$CC" && { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH See \`config.log' for more details." >&5 -echo "$as_me: error: no acceptable C compiler found in \$PATH +$as_echo "$as_me: error: no acceptable C compiler found in \$PATH See \`config.log' for more details." >&2;} - { (exit 1); exit 1; }; } + { (exit 1); exit 1; }; }; } # Provide some information about the compiler. -echo "$as_me:$LINENO: checking for C compiler version" >&5 -ac_compiler=`set X $ac_compile; echo $2` +$as_echo "$as_me:$LINENO: checking for C compiler version" >&5 +set X $ac_compile +ac_compiler=$2 { (ac_try="$ac_compiler --version >&5" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compiler --version >&5") 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } { (ac_try="$ac_compiler -v >&5" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compiler -v >&5") 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 (exit $ac_status); } { (ac_try="$ac_compiler -V >&5" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compiler -V >&5") 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } cat >conftest.$ac_ext <<_ACEOF 
@@ -2934,27 +3186,22 @@ } _ACEOF ac_clean_files_save=$ac_clean_files -ac_clean_files="$ac_clean_files a.out a.exe b.out" +ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out" # Try to create an executable without -o first, disregard a.out. # It will help us diagnose broken compilers, and finding out an intuition # of exeext. -{ echo "$as_me:$LINENO: checking for C compiler default output file name" >&5 -echo $ECHO_N "checking for C compiler default output file name... $ECHO_C" >&6; } -ac_link_default=`echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` -# -# List of possible output files, starting from the most likely. -# The algorithm is not robust to junk in `.', hence go to wildcards (a.*) -# only as a last resort. b.out is created by i960 compilers. -ac_files='a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out' -# -# The IRIX 6 linker writes into existing files which may not be -# executable, retaining their permissions. Remove them first so a -# subsequent execution test works. +{ $as_echo "$as_me:$LINENO: checking for C compiler default output file name" >&5 +$as_echo_n "checking for C compiler default output file name... " >&6; } +ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` + +# The possible output files: +ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*" + ac_rmfiles= for ac_file in $ac_files do case $ac_file in - *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;; + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; * ) ac_rmfiles="$ac_rmfiles $ac_file";; esac done 
@@ -2965,10 +3212,11 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_link_default") 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; then # Autoconf-2.13 could set the ac_cv_exeext variable to `no'. # So ignore a value of `no', otherwise this would lead to `EXEEXT = no' @@ -2979,7 +3227,7 @@ do test -f "$ac_file" || continue case $ac_file in - *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; [ab].out ) # We found the default executable, but exeext='' is most 
@@ -3006,25 +3254,27 @@ ac_file='' fi -{ echo "$as_me:$LINENO: result: $ac_file" >&5 -echo "${ECHO_T}$ac_file" >&6; } +{ $as_echo "$as_me:$LINENO: result: $ac_file" >&5 +$as_echo "$ac_file" >&6; } if test -z "$ac_file"; then - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -{ { echo "$as_me:$LINENO: error: C compiler cannot create executables +{ { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: C compiler cannot create executables See \`config.log' for more details." >&5 -echo "$as_me: error: C compiler cannot create executables +$as_echo "$as_me: error: C compiler cannot create executables See \`config.log' for more details." >&2;} - { (exit 77); exit 77; }; } + { (exit 77); exit 77; }; }; } fi ac_exeext=$ac_cv_exeext # Check that the compiler produces executables we can run. If not, either # the compiler is broken, or we cross compile. -{ echo "$as_me:$LINENO: checking whether the C compiler works" >&5 -echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking whether the C compiler works" >&5 +$as_echo_n "checking whether the C compiler works... " >&6; } # FIXME: These cross compiler hacks should be removed for Autoconf 3.0 # If not cross compiling, check that we can run a simple program. if test "$cross_compiling" != yes; then 
@@ -3033,49 +3283,53 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_try") 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; }; then cross_compiling=no else if test "$cross_compiling" = maybe; then cross_compiling=yes else - { { echo "$as_me:$LINENO: error: cannot run C compiled programs. + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot run C compiled programs. If you meant to cross compile, use \`--host'. See \`config.log' for more details." >&5 -echo "$as_me: error: cannot run C compiled programs. +$as_echo "$as_me: error: cannot run C compiled programs. If you meant to cross compile, use \`--host'. See \`config.log' for more details." >&2;} - { (exit 1); exit 1; }; } + { (exit 1); exit 1; }; }; } fi fi fi -{ echo "$as_me:$LINENO: result: yes" >&5 -echo "${ECHO_T}yes" >&6; } +{ $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } -rm -f a.out a.exe conftest$ac_cv_exeext b.out +rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out ac_clean_files=$ac_clean_files_save # Check that the compiler produces executables we can run. If not, either # the compiler is broken, or we cross compile. -{ echo "$as_me:$LINENO: checking whether we are cross compiling" >&5 -echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6; } -{ echo "$as_me:$LINENO: result: $cross_compiling" >&5 -echo "${ECHO_T}$cross_compiling" >&6; } +{ $as_echo "$as_me:$LINENO: checking whether we are cross compiling" >&5 +$as_echo_n "checking whether we are cross compiling... 
" >&6; } +{ $as_echo "$as_me:$LINENO: result: $cross_compiling" >&5 +$as_echo "$cross_compiling" >&6; } -{ echo "$as_me:$LINENO: checking for suffix of executables" >&5 -echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking for suffix of executables" >&5 +$as_echo_n "checking for suffix of executables... " >&6; } if { (ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_link") 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; then # If both `conftest.exe' and `conftest' are `present' (well, observable) # catch `conftest.exe'. For instance with Cygwin, `ls conftest' will 
@@ -3084,31 +3338,33 @@ for ac_file in conftest.exe conftest conftest.*; do test -f "$ac_file" || continue case $ac_file in - *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;; + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` break;; * ) break;; esac done else - { { echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link See \`config.log' for more details." >&5 -echo "$as_me: error: cannot compute suffix of executables: cannot compile and link +$as_echo "$as_me: error: cannot compute suffix of executables: cannot compile and link See \`config.log' for more details." >&2;} - { (exit 1); exit 1; }; } + { (exit 1); exit 1; }; }; } fi rm -f conftest$ac_cv_exeext -{ echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5 -echo "${ECHO_T}$ac_cv_exeext" >&6; } +{ $as_echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5 +$as_echo "$ac_cv_exeext" >&6; } rm -f conftest.$ac_ext EXEEXT=$ac_cv_exeext ac_exeext=$EXEEXT -{ echo "$as_me:$LINENO: checking for suffix of object files" >&5 -echo $ECHO_N "checking for suffix of object files... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking for suffix of object files" >&5 +$as_echo_n "checking for suffix of object files... " >&6; } if test "${ac_cv_objext+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ 
@@ -3131,40 +3387,43 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; then for ac_file in conftest.o conftest.obj conftest.*; do test -f "$ac_file" || continue; case $ac_file in - *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf ) ;; + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;; *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` break;; esac done else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -{ { echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile +{ { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile See \`config.log' for more details." >&5 -echo "$as_me: error: cannot compute suffix of object files: cannot compile +$as_echo "$as_me: error: cannot compute suffix of object files: cannot compile See \`config.log' for more details." >&2;} - { (exit 1); exit 1; }; } + { (exit 1); exit 1; }; }; } fi rm -f conftest.$ac_cv_objext conftest.$ac_ext fi -{ echo "$as_me:$LINENO: result: $ac_cv_objext" >&5 -echo "${ECHO_T}$ac_cv_objext" >&6; } +{ $as_echo "$as_me:$LINENO: result: $ac_cv_objext" >&5 +$as_echo "$ac_cv_objext" >&6; } OBJEXT=$ac_cv_objext ac_objext=$OBJEXT -{ echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5 -echo $ECHO_N "checking whether we are using the GNU C compiler... 
$ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5 +$as_echo_n "checking whether we are using the GNU C compiler... " >&6; } if test "${ac_cv_c_compiler_gnu+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ @@ -3190,20 +3449,21 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then ac_compiler_gnu=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_compiler_gnu=no @@ -3213,15 +3473,19 @@ ac_cv_c_compiler_gnu=$ac_compiler_gnu fi -{ echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5 -echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6; } -GCC=`test $ac_compiler_gnu = yes && echo yes` +{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5 +$as_echo "$ac_cv_c_compiler_gnu" >&6; } +if test $ac_compiler_gnu = yes; then + GCC=yes +else + GCC= +fi ac_test_CFLAGS=${CFLAGS+set} ac_save_CFLAGS=$CFLAGS -{ echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5 -echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5 +$as_echo_n "checking whether $CC accepts -g... " >&6; } if test "${ac_cv_prog_cc_g+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else ac_save_c_werror_flag=$ac_c_werror_flag ac_c_werror_flag=yes 
@@ -3248,20 +3512,21 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then ac_cv_prog_cc_g=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 CFLAGS="" @@ -3286,20 +3551,21 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then : else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_c_werror_flag=$ac_save_c_werror_flag 
@@ -3325,20 +3591,21 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then ac_cv_prog_cc_g=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 @@ -3353,8 +3620,8 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_c_werror_flag=$ac_save_c_werror_flag fi -{ echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5 -echo "${ECHO_T}$ac_cv_prog_cc_g" >&6; } +{ $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5 +$as_echo "$ac_cv_prog_cc_g" >&6; } if test "$ac_test_CFLAGS" = set; then CFLAGS=$ac_save_CFLAGS elif test $ac_cv_prog_cc_g = yes; then @@ -3370,10 +3637,10 @@ CFLAGS= fi fi -{ echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5 -echo $ECHO_N "checking for $CC option to accept ISO C89... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5 +$as_echo_n "checking for $CC option to accept ISO C89... " >&6; } if test "${ac_cv_prog_cc_c89+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else ac_cv_prog_cc_c89=no ac_save_CC=$CC 
@@ -3444,20 +3711,21 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then ac_cv_prog_cc_c89=$ac_arg else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 @@ -3473,15 +3741,15 @@ # AC_CACHE_VAL case "x$ac_cv_prog_cc_c89" in x) - { echo "$as_me:$LINENO: result: none needed" >&5 -echo "${ECHO_T}none needed" >&6; } ;; + { $as_echo "$as_me:$LINENO: result: none needed" >&5 +$as_echo "none needed" >&6; } ;; xno) - { echo "$as_me:$LINENO: result: unsupported" >&5 -echo "${ECHO_T}unsupported" >&6; } ;; + { $as_echo "$as_me:$LINENO: result: unsupported" >&5 +$as_echo "unsupported" >&6; } ;; *) CC="$CC $ac_cv_prog_cc_c89" - { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5 -echo "${ECHO_T}$ac_cv_prog_cc_c89" >&6; } ;; + { $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5 +$as_echo "$ac_cv_prog_cc_c89" >&6; } ;; esac @@ -3493,10 +3761,10 @@ depcc="$CC" am_compiler_list= -{ echo "$as_me:$LINENO: checking dependency style of $depcc" >&5 -echo $ECHO_N "checking dependency style of $depcc... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking dependency style of $depcc" >&5 +$as_echo_n "checking dependency style of $depcc... " >&6; } if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then # We make a subdir and do the tests there. Otherwise we can end up 
@@ -3521,6 +3789,11 @@ if test "$am_compiler_list" = ""; then am_compiler_list=`sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < ./depcomp` fi + am__universal=false + case " $depcc " in #( + *\ -arch\ *\ -arch\ *) am__universal=true ;; + esac + for depmode in $am_compiler_list; do # Setup a source with many dependencies, because some compilers # like to wrap large dependency lists on column 80 (with \), and @@ -3538,7 +3811,17 @@ done echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf + # We check with `-c' and `-o' for the sake of the "dashmstdout" + # mode. It turns out that the SunPro C++ compiler does not properly + # handle `-M -o', and we need to detect this. Also, some Intel + # versions had trouble with output in subdirs + am__obj=sub/conftest.${OBJEXT-o} + am__minus_obj="-o $am__obj" case $depmode in + gcc) + # This depmode causes a compiler race in universal mode. + test "$am__universal" = false || continue + ;; nosideeffect) # after this tag, mechanisms are not by side-effect, so they'll # only be used when explicitly requested 
@@ -3548,19 +3831,23 @@ break fi ;; + msvisualcpp | msvcmsys) + # This compiler won't grok `-c -o', but also, the minuso test has + # not run yet. These depmodes are late enough in the game, and + # so weak that their functioning should not be impacted. + am__obj=conftest.${OBJEXT-o} + am__minus_obj= + ;; none) break ;; esac - # We check with `-c' and `-o' for the sake of the "dashmstdout" - # mode. It turns out that the SunPro C++ compiler does not properly - # handle `-M -o', and we need to detect this. if depmode=$depmode \ - source=sub/conftest.c object=sub/conftest.${OBJEXT-o} \ + source=sub/conftest.c object=$am__obj \ depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \ - $SHELL ./depcomp $depcc -c -o sub/conftest.${OBJEXT-o} sub/conftest.c \ + $SHELL ./depcomp $depcc -c $am__minus_obj sub/conftest.c \ >/dev/null 2>conftest.err && grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 && grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 && - grep sub/conftest.${OBJEXT-o} sub/conftest.Po > /dev/null 2>&1 && + grep $am__obj sub/conftest.Po > /dev/null 2>&1 && ${MAKE-make} -s -f confmf > /dev/null 2>&1; then # icc doesn't choke on unknown options, it will just issue warnings # or remarks (even with -Werror). So we grep stderr for any message @@ -3584,8 +3871,8 @@ fi fi -{ echo "$as_me:$LINENO: result: $am_cv_CC_dependencies_compiler_type" >&5 -echo "${ECHO_T}$am_cv_CC_dependencies_compiler_type" >&6; } +{ $as_echo "$as_me:$LINENO: result: $am_cv_CC_dependencies_compiler_type" >&5 +$as_echo "$am_cv_CC_dependencies_compiler_type" >&6; } CCDEPMODE=depmode=$am_cv_CC_dependencies_compiler_type if 
@@ -3601,10 +3888,10 @@ case $ac_cv_prog_cc_stdc in no) ac_cv_prog_cc_c99=no; ac_cv_prog_cc_c89=no ;; - *) { echo "$as_me:$LINENO: checking for $CC option to accept ISO C99" >&5 -echo $ECHO_N "checking for $CC option to accept ISO C99... $ECHO_C" >&6; } + *) { $as_echo "$as_me:$LINENO: checking for $CC option to accept ISO C99" >&5 +$as_echo_n "checking for $CC option to accept ISO C99... " >&6; } if test "${ac_cv_prog_cc_c99+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else ac_cv_prog_cc_c99=no ac_save_CC=$CC @@ -3751,7 +4038,7 @@ return 0; } _ACEOF -for ac_arg in '' -std=gnu99 -c99 -qlanglvl=extc99 +for ac_arg in '' -std=gnu99 -std=c99 -c99 -AC99 -xc99=all -qlanglvl=extc99 do CC="$ac_save_CC $ac_arg" rm -f conftest.$ac_objext @@ -3760,20 +4047,21 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then ac_cv_prog_cc_c99=$ac_arg else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 
@@ -3789,23 +4077,23 @@ # AC_CACHE_VAL case "x$ac_cv_prog_cc_c99" in x) - { echo "$as_me:$LINENO: result: none needed" >&5 -echo "${ECHO_T}none needed" >&6; } ;; + { $as_echo "$as_me:$LINENO: result: none needed" >&5 +$as_echo "none needed" >&6; } ;; xno) - { echo "$as_me:$LINENO: result: unsupported" >&5 -echo "${ECHO_T}unsupported" >&6; } ;; + { $as_echo "$as_me:$LINENO: result: unsupported" >&5 +$as_echo "unsupported" >&6; } ;; *) CC="$CC $ac_cv_prog_cc_c99" - { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c99" >&5 -echo "${ECHO_T}$ac_cv_prog_cc_c99" >&6; } ;; + { $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c99" >&5 +$as_echo "$ac_cv_prog_cc_c99" >&6; } ;; esac if test "x$ac_cv_prog_cc_c99" != xno; then ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c99 else - { echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5 -echo $ECHO_N "checking for $CC option to accept ISO C89... $ECHO_C" >&6; } + { $as_echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5 +$as_echo_n "checking for $CC option to accept ISO C89... " >&6; } if test "${ac_cv_prog_cc_c89+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else ac_cv_prog_cc_c89=no ac_save_CC=$CC @@ -3876,20 +4164,21 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then ac_cv_prog_cc_c89=$ac_arg else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 
@@ -3905,15 +4194,15 @@ # AC_CACHE_VAL case "x$ac_cv_prog_cc_c89" in x) - { echo "$as_me:$LINENO: result: none needed" >&5 -echo "${ECHO_T}none needed" >&6; } ;; + { $as_echo "$as_me:$LINENO: result: none needed" >&5 +$as_echo "none needed" >&6; } ;; xno) - { echo "$as_me:$LINENO: result: unsupported" >&5 -echo "${ECHO_T}unsupported" >&6; } ;; + { $as_echo "$as_me:$LINENO: result: unsupported" >&5 +$as_echo "unsupported" >&6; } ;; *) CC="$CC $ac_cv_prog_cc_c89" - { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5 -echo "${ECHO_T}$ac_cv_prog_cc_c89" >&6; } ;; + { $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5 +$as_echo "$ac_cv_prog_cc_c89" >&6; } ;; esac if test "x$ac_cv_prog_cc_c89" != xno; then ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c89 @@ -3926,19 +4215,19 @@ ;; esac - { echo "$as_me:$LINENO: checking for $CC option to accept ISO Standard C" >&5 -echo $ECHO_N "checking for $CC option to accept ISO Standard C... $ECHO_C" >&6; } + { $as_echo "$as_me:$LINENO: checking for $CC option to accept ISO Standard C" >&5 +$as_echo_n "checking for $CC option to accept ISO Standard C... " >&6; } if test "${ac_cv_prog_cc_stdc+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 fi case $ac_cv_prog_cc_stdc in - no) { echo "$as_me:$LINENO: result: unsupported" >&5 -echo "${ECHO_T}unsupported" >&6; } ;; - '') { echo "$as_me:$LINENO: result: none needed" >&5 -echo "${ECHO_T}none needed" >&6; } ;; - *) { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_stdc" >&5 -echo "${ECHO_T}$ac_cv_prog_cc_stdc" >&6; } ;; + no) { $as_echo "$as_me:$LINENO: result: unsupported" >&5 +$as_echo "unsupported" >&6; } ;; + '') { $as_echo "$as_me:$LINENO: result: none needed" >&5 +$as_echo "none needed" >&6; } ;; + *) { $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_stdc" >&5 +$as_echo "$ac_cv_prog_cc_stdc" >&6; } ;; esac 
@@ -3950,10 +4239,10 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. set dummy ${ac_tool_prefix}gcc; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } if test "${ac_cv_prog_CC+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. @@ -3966,7 +4255,7 @@ for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="${ac_tool_prefix}gcc" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done @@ -3977,11 +4266,11 @@ fi CC=$ac_cv_prog_CC if test -n "$CC"; then - { echo "$as_me:$LINENO: result: $CC" >&5 -echo "${ECHO_T}$CC" >&6; } + { $as_echo "$as_me:$LINENO: result: $CC" >&5 +$as_echo "$CC" >&6; } else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi @@ -3990,10 +4279,10 @@ ac_ct_CC=$CC # Extract the first word of "gcc", so it can be a program name with args. set dummy gcc; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } if test "${ac_cv_prog_ac_ct_CC+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. 
@@ -4006,7 +4295,7 @@ for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_CC="gcc" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done @@ -4017,11 +4306,11 @@ fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then - { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 -echo "${ECHO_T}$ac_ct_CC" >&6; } + { $as_echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 +$as_echo "$ac_ct_CC" >&6; } else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi if test "x$ac_ct_CC" = x; then @@ -4029,12 +4318,8 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools -whose name does not start with the host triplet. If you think this -configuration is useful to you, please write to autoconf@gnu.org." >&5 -echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools -whose name does not start with the host triplet. If you think this -configuration is useful to you, please write to autoconf@gnu.org." >&2;} +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC 
@@ -4047,10 +4332,10 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. set dummy ${ac_tool_prefix}cc; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } if test "${ac_cv_prog_CC+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. @@ -4063,7 +4348,7 @@ for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="${ac_tool_prefix}cc" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done @@ -4074,11 +4359,11 @@ fi CC=$ac_cv_prog_CC if test -n "$CC"; then - { echo "$as_me:$LINENO: result: $CC" >&5 -echo "${ECHO_T}$CC" >&6; } + { $as_echo "$as_me:$LINENO: result: $CC" >&5 +$as_echo "$CC" >&6; } else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi @@ -4087,10 +4372,10 @@ if test -z "$CC"; then # Extract the first word of "cc", so it can be a program name with args. set dummy cc; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } if test "${ac_cv_prog_CC+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. 
@@ -4108,7 +4393,7 @@ continue fi ac_cv_prog_CC="cc" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done @@ -4131,11 +4416,11 @@ fi CC=$ac_cv_prog_CC if test -n "$CC"; then - { echo "$as_me:$LINENO: result: $CC" >&5 -echo "${ECHO_T}$CC" >&6; } + { $as_echo "$as_me:$LINENO: result: $CC" >&5 +$as_echo "$CC" >&6; } else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi @@ -4146,10 +4431,10 @@ do # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. set dummy $ac_tool_prefix$ac_prog; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } if test "${ac_cv_prog_CC+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. @@ -4162,7 +4447,7 @@ for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="$ac_tool_prefix$ac_prog" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done @@ -4173,11 +4458,11 @@ fi CC=$ac_cv_prog_CC if test -n "$CC"; then - { echo "$as_me:$LINENO: result: $CC" >&5 -echo "${ECHO_T}$CC" >&6; } + { $as_echo "$as_me:$LINENO: result: $CC" >&5 +$as_echo "$CC" >&6; } else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi 
@@ -4190,10 +4475,10 @@ do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } if test "${ac_cv_prog_ac_ct_CC+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. @@ -4206,7 +4491,7 @@ for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_CC="$ac_prog" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done @@ -4217,11 +4502,11 @@ fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then - { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 -echo "${ECHO_T}$ac_ct_CC" >&6; } + { $as_echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 +$as_echo "$ac_ct_CC" >&6; } else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi 
@@ -4233,12 +4518,8 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools -whose name does not start with the host triplet. If you think this -configuration is useful to you, please write to autoconf@gnu.org." >&5 -echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools -whose name does not start with the host triplet. If you think this -configuration is useful to you, please write to autoconf@gnu.org." >&2;} +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC 
@@ -4248,50 +4529,56 @@ fi -test -z "$CC" && { { echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH +test -z "$CC" && { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH See \`config.log' for more details." >&5 -echo "$as_me: error: no acceptable C compiler found in \$PATH +$as_echo "$as_me: error: no acceptable C compiler found in \$PATH See \`config.log' for more details." >&2;} - { (exit 1); exit 1; }; } + { (exit 1); exit 1; }; }; } # Provide some information about the compiler. -echo "$as_me:$LINENO: checking for C compiler version" >&5 -ac_compiler=`set X $ac_compile; echo $2` +$as_echo "$as_me:$LINENO: checking for C compiler version" >&5 +set X $ac_compile +ac_compiler=$2 { (ac_try="$ac_compiler --version >&5" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compiler --version >&5") 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } { (ac_try="$ac_compiler -v >&5" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compiler -v >&5") 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 (exit $ac_status); } { (ac_try="$ac_compiler -V >&5" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compiler -V >&5") 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } -{ echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5 -echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5 +$as_echo_n "checking whether we are using the GNU C compiler... " >&6; } if test "${ac_cv_c_compiler_gnu+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ @@ -4317,20 +4604,21 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then ac_compiler_gnu=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_compiler_gnu=no 
@@ -4340,15 +4628,19 @@ ac_cv_c_compiler_gnu=$ac_compiler_gnu fi -{ echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5 -echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6; } -GCC=`test $ac_compiler_gnu = yes && echo yes` +{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5 +$as_echo "$ac_cv_c_compiler_gnu" >&6; } +if test $ac_compiler_gnu = yes; then + GCC=yes +else + GCC= +fi ac_test_CFLAGS=${CFLAGS+set} ac_save_CFLAGS=$CFLAGS -{ echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5 -echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5 +$as_echo_n "checking whether $CC accepts -g... " >&6; } if test "${ac_cv_prog_cc_g+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else ac_save_c_werror_flag=$ac_c_werror_flag ac_c_werror_flag=yes @@ -4375,20 +4667,21 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then ac_cv_prog_cc_g=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 CFLAGS="" 
@@ -4413,20 +4706,21 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then : else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_c_werror_flag=$ac_save_c_werror_flag @@ -4452,20 +4746,21 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then ac_cv_prog_cc_g=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 @@ -4480,8 +4775,8 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_c_werror_flag=$ac_save_c_werror_flag fi -{ echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5 -echo "${ECHO_T}$ac_cv_prog_cc_g" >&6; } +{ $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5 +$as_echo "$ac_cv_prog_cc_g" >&6; } if test "$ac_test_CFLAGS" = set; then CFLAGS=$ac_save_CFLAGS elif test $ac_cv_prog_cc_g = yes; then 
@@ -4497,10 +4792,10 @@ CFLAGS= fi fi -{ echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5 -echo $ECHO_N "checking for $CC option to accept ISO C89... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5 +$as_echo_n "checking for $CC option to accept ISO C89... " >&6; } if test "${ac_cv_prog_cc_c89+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else ac_cv_prog_cc_c89=no ac_save_CC=$CC @@ -4571,20 +4866,21 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then ac_cv_prog_cc_c89=$ac_arg else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 @@ -4600,15 +4896,15 @@ # AC_CACHE_VAL case "x$ac_cv_prog_cc_c89" in x) - { echo "$as_me:$LINENO: result: none needed" >&5 -echo "${ECHO_T}none needed" >&6; } ;; + { $as_echo "$as_me:$LINENO: result: none needed" >&5 +$as_echo "none needed" >&6; } ;; xno) - { echo "$as_me:$LINENO: result: unsupported" >&5 -echo "${ECHO_T}unsupported" >&6; } ;; + { $as_echo "$as_me:$LINENO: result: unsupported" >&5 +$as_echo "unsupported" >&6; } ;; *) CC="$CC $ac_cv_prog_cc_c89" - { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5 -echo "${ECHO_T}$ac_cv_prog_cc_c89" >&6; } ;; + { $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5 +$as_echo "$ac_cv_prog_cc_c89" >&6; } ;; esac 
@@ -4620,10 +4916,10 @@ depcc="$CC" am_compiler_list= -{ echo "$as_me:$LINENO: checking dependency style of $depcc" >&5 -echo $ECHO_N "checking dependency style of $depcc... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking dependency style of $depcc" >&5 +$as_echo_n "checking dependency style of $depcc... " >&6; } if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then # We make a subdir and do the tests there. Otherwise we can end up @@ -4648,6 +4944,11 @@ if test "$am_compiler_list" = ""; then am_compiler_list=`sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < ./depcomp` fi + am__universal=false + case " $depcc " in #( + *\ -arch\ *\ -arch\ *) am__universal=true ;; + esac + for depmode in $am_compiler_list; do # Setup a source with many dependencies, because some compilers # like to wrap large dependency lists on column 80 (with \), and @@ -4665,7 +4966,17 @@ done echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf + # We check with `-c' and `-o' for the sake of the "dashmstdout" + # mode. It turns out that the SunPro C++ compiler does not properly + # handle `-M -o', and we need to detect this. Also, some Intel + # versions had trouble with output in subdirs + am__obj=sub/conftest.${OBJEXT-o} + am__minus_obj="-o $am__obj" case $depmode in + gcc) + # This depmode causes a compiler race in universal mode. + test "$am__universal" = false || continue + ;; nosideeffect) # after this tag, mechanisms are not by side-effect, so they'll # only be used when explicitly requested 
@@ -4675,19 +4986,23 @@ break fi ;; + msvisualcpp | msvcmsys) + # This compiler won't grok `-c -o', but also, the minuso test has + # not run yet. These depmodes are late enough in the game, and + # so weak that their functioning should not be impacted. + am__obj=conftest.${OBJEXT-o} + am__minus_obj= + ;; none) break ;; esac - # We check with `-c' and `-o' for the sake of the "dashmstdout" - # mode. It turns out that the SunPro C++ compiler does not properly - # handle `-M -o', and we need to detect this. if depmode=$depmode \ - source=sub/conftest.c object=sub/conftest.${OBJEXT-o} \ + source=sub/conftest.c object=$am__obj \ depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \ - $SHELL ./depcomp $depcc -c -o sub/conftest.${OBJEXT-o} sub/conftest.c \ + $SHELL ./depcomp $depcc -c $am__minus_obj sub/conftest.c \ >/dev/null 2>conftest.err && grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 && grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 && - grep sub/conftest.${OBJEXT-o} sub/conftest.Po > /dev/null 2>&1 && + grep $am__obj sub/conftest.Po > /dev/null 2>&1 && ${MAKE-make} -s -f confmf > /dev/null 2>&1; then # icc doesn't choke on unknown options, it will just issue warnings # or remarks (even with -Werror). So we grep stderr for any message @@ -4711,8 +5026,8 @@ fi fi -{ echo "$as_me:$LINENO: result: $am_cv_CC_dependencies_compiler_type" >&5 -echo "${ECHO_T}$am_cv_CC_dependencies_compiler_type" >&6; } +{ $as_echo "$as_me:$LINENO: result: $am_cv_CC_dependencies_compiler_type" >&5 +$as_echo "$am_cv_CC_dependencies_compiler_type" >&6; } CCDEPMODE=depmode=$am_cv_CC_dependencies_compiler_type if 
@@ -4726,108 +5041,61 @@ fi -# Check whether --enable-shared was given. -if test "${enable_shared+set}" = set; then - enableval=$enable_shared; p=${PACKAGE-default} - case $enableval in - yes) enable_shared=yes ;; - no) enable_shared=no ;; - *) - enable_shared=no - # Look at the argument we got. We use all the common list separators. - lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," - for pkg in $enableval; do - IFS="$lt_save_ifs" - if test "X$pkg" = "X$p"; then - enable_shared=yes - fi - done - IFS="$lt_save_ifs" - ;; - esac -else - enable_shared=yes -fi +case `pwd` in + *\ * | *\ *) + { $as_echo "$as_me:$LINENO: WARNING: Libtool does not cope well with whitespace in \`pwd\`" >&5 +$as_echo "$as_me: WARNING: Libtool does not cope well with whitespace in \`pwd\`" >&2;} ;; +esac + + + +macro_version='2.2.6b' +macro_revision='1.3017' + + + + + -# Check whether --enable-static was given. -if test "${enable_static+set}" = set; then - enableval=$enable_static; p=${PACKAGE-default} - case $enableval in - yes) enable_static=yes ;; - no) enable_static=no ;; - *) - enable_static=no - # Look at the argument we got. We use all the common list separators. - lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," - for pkg in $enableval; do - IFS="$lt_save_ifs" - if test "X$pkg" = "X$p"; then - enable_static=yes - fi - done - IFS="$lt_save_ifs" - ;; - esac -else - enable_static=yes -fi -# Check whether --enable-fast-install was given. -if test "${enable_fast_install+set}" = set; then - enableval=$enable_fast_install; p=${PACKAGE-default} - case $enableval in - yes) enable_fast_install=yes ;; - no) enable_fast_install=no ;; - *) - enable_fast_install=no - # Look at the argument we got. We use all the common list separators. 
- lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," - for pkg in $enableval; do - IFS="$lt_save_ifs" - if test "X$pkg" = "X$p"; then - enable_fast_install=yes - fi - done - IFS="$lt_save_ifs" - ;; - esac -else - enable_fast_install=yes -fi + + +ltmain="$ac_aux_dir/ltmain.sh" + # Make sure we can run config.sub. $SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 || - { { echo "$as_me:$LINENO: error: cannot run $SHELL $ac_aux_dir/config.sub" >&5 -echo "$as_me: error: cannot run $SHELL $ac_aux_dir/config.sub" >&2;} + { { $as_echo "$as_me:$LINENO: error: cannot run $SHELL $ac_aux_dir/config.sub" >&5 +$as_echo "$as_me: error: cannot run $SHELL $ac_aux_dir/config.sub" >&2;} { (exit 1); exit 1; }; } -{ echo "$as_me:$LINENO: checking build system type" >&5 -echo $ECHO_N "checking build system type... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking build system type" >&5 +$as_echo_n "checking build system type... " >&6; } if test "${ac_cv_build+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else ac_build_alias=$build_alias test "x$ac_build_alias" = x && ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"` test "x$ac_build_alias" = x && - { { echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5 -echo "$as_me: error: cannot guess build type; you must specify one" >&2;} + { { $as_echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5 +$as_echo "$as_me: error: cannot guess build type; you must specify one" >&2;} { (exit 1); exit 1; }; } ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` || - { { echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&5 -echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&2;} + { { $as_echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&5 +$as_echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&2;} { (exit 1); exit 1; }; } fi -{ 
echo "$as_me:$LINENO: result: $ac_cv_build" >&5 -echo "${ECHO_T}$ac_cv_build" >&6; } +{ $as_echo "$as_me:$LINENO: result: $ac_cv_build" >&5 +$as_echo "$ac_cv_build" >&6; } case $ac_cv_build in *-*-*) ;; -*) { { echo "$as_me:$LINENO: error: invalid value of canonical build" >&5 -echo "$as_me: error: invalid value of canonical build" >&2;} +*) { { $as_echo "$as_me:$LINENO: error: invalid value of canonical build" >&5 +$as_echo "$as_me: error: invalid value of canonical build" >&2;} { (exit 1); exit 1; }; };; esac build=$ac_cv_build @@ -4844,27 +5112,27 @@ case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac -{ echo "$as_me:$LINENO: checking host system type" >&5 -echo $ECHO_N "checking host system type... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking host system type" >&5 +$as_echo_n "checking host system type... " >&6; } if test "${ac_cv_host+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else if test "x$host_alias" = x; then ac_cv_host=$ac_cv_build else ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` || - { { echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&5 -echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&2;} + { { $as_echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&5 +$as_echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&2;} { (exit 1); exit 1; }; } fi fi -{ echo "$as_me:$LINENO: result: $ac_cv_host" >&5 -echo "${ECHO_T}$ac_cv_host" >&6; } +{ $as_echo "$as_me:$LINENO: result: $ac_cv_host" >&5 +$as_echo "$ac_cv_host" >&6; } case $ac_cv_host in *-*-*) ;; -*) { { echo "$as_me:$LINENO: error: invalid value of canonical host" >&5 -echo "$as_me: error: invalid value of canonical host" >&2;} +*) { { $as_echo "$as_me:$LINENO: error: invalid value of canonical host" >&5 +$as_echo "$as_me: error: invalid value of canonical host" >&2;} { (exit 1); exit 1; }; };; esac host=$ac_cv_host 
@@ -4881,101 +5149,121 @@ case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac -{ echo "$as_me:$LINENO: checking for a sed that does not truncate output" >&5 -echo $ECHO_N "checking for a sed that does not truncate output... $ECHO_C" >&6; } -if test "${lt_cv_path_SED+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - # Loop through the user's path and test for sed and gsed. -# Then use that list of sed's as ones to test for truncation. -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +{ $as_echo "$as_me:$LINENO: checking for a sed that does not truncate output" >&5 +$as_echo_n "checking for a sed that does not truncate output... " >&6; } +if test "${ac_cv_path_SED+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_script=s/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/ + for ac_i in 1 2 3 4 5 6 7; do + ac_script="$ac_script$as_nl$ac_script" + done + echo "$ac_script" 2>/dev/null | sed 99q >conftest.sed + $as_unset ac_script || ac_script= + if test -z "$SED"; then + ac_path_SED_found=false + # Loop through the user's path and test for each of PROGNAME-LIST + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for lt_ac_prog in sed gsed; do + for ac_prog in sed gsed; do for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$lt_ac_prog$ac_exec_ext"; then - lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext" - fi + ac_path_SED="$as_dir/$ac_prog$ac_exec_ext" + { test -f "$ac_path_SED" && $as_test_x "$ac_path_SED"; } || continue +# Check for GNU ac_path_SED and select it if it is found. 
+ # Check for GNU $ac_path_SED +case `"$ac_path_SED" --version 2>&1` in +*GNU*) + ac_cv_path_SED="$ac_path_SED" ac_path_SED_found=:;; +*) + ac_count=0 + $as_echo_n 0123456789 >"conftest.in" + while : + do + cat "conftest.in" "conftest.in" >"conftest.tmp" + mv "conftest.tmp" "conftest.in" + cp "conftest.in" "conftest.nl" + $as_echo '' >> "conftest.nl" + "$ac_path_SED" -f conftest.sed < "conftest.nl" >"conftest.out" 2>/dev/null || break + diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break + ac_count=`expr $ac_count + 1` + if test $ac_count -gt ${ac_path_SED_max-0}; then + # Best one so far, save it but keep looking for a better one + ac_cv_path_SED="$ac_path_SED" + ac_path_SED_max=$ac_count + fi + # 10*(2^10) chars as input seems more than enough + test $ac_count -gt 10 && break + done + rm -f conftest.in conftest.tmp conftest.nl conftest.out;; +esac + + $ac_path_SED_found && break 3 done done done IFS=$as_save_IFS -lt_ac_max=0 -lt_ac_count=0 -# Add /usr/xpg4/bin/sed as it is typically found on Solaris -# along with /bin/sed that truncates output. -for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do - test ! -f $lt_ac_sed && continue - cat /dev/null > conftest.in - lt_ac_count=0 - echo $ECHO_N "0123456789$ECHO_C" >conftest.in - # Check for GNU sed and select it if it is found. 
- if "$lt_ac_sed" --version 2>&1 < /dev/null | grep 'GNU' > /dev/null; then - lt_cv_path_SED=$lt_ac_sed - break + if test -z "$ac_cv_path_SED"; then + { { $as_echo "$as_me:$LINENO: error: no acceptable sed could be found in \$PATH" >&5 +$as_echo "$as_me: error: no acceptable sed could be found in \$PATH" >&2;} + { (exit 1); exit 1; }; } fi - while true; do - cat conftest.in conftest.in >conftest.tmp - mv conftest.tmp conftest.in - cp conftest.in conftest.nl - echo >>conftest.nl - $lt_ac_sed -e 's/a$//' < conftest.nl >conftest.out || break - cmp -s conftest.out conftest.nl || break - # 10000 chars as input seems more than enough - test $lt_ac_count -gt 10 && break - lt_ac_count=`expr $lt_ac_count + 1` - if test $lt_ac_count -gt $lt_ac_max; then - lt_ac_max=$lt_ac_count - lt_cv_path_SED=$lt_ac_sed - fi - done -done +else + ac_cv_path_SED=$SED +fi fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_SED" >&5 +$as_echo "$ac_cv_path_SED" >&6; } + SED="$ac_cv_path_SED" + rm -f conftest.sed -SED=$lt_cv_path_SED +test -z "$SED" && SED=sed +Xsed="$SED -e 1s/^X//" -{ echo "$as_me:$LINENO: result: $SED" >&5 -echo "${ECHO_T}$SED" >&6; } -{ echo "$as_me:$LINENO: checking for grep that handles long lines and -e" >&5 -echo $ECHO_N "checking for grep that handles long lines and -e... $ECHO_C" >&6; } -if test "${ac_cv_path_GREP+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - # Extract the first word of "grep ggrep" to use in msg output -if test -z "$GREP"; then -set dummy grep ggrep; ac_prog_name=$2 + + + + + + + + + +{ $as_echo "$as_me:$LINENO: checking for grep that handles long lines and -e" >&5 +$as_echo_n "checking for grep that handles long lines and -e... 
" >&6; } if test "${ac_cv_path_GREP+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else + if test -z "$GREP"; then ac_path_GREP_found=false -# Loop through the user's path and test for each of PROGNAME-LIST -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR + # Loop through the user's path and test for each of PROGNAME-LIST + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_prog in grep ggrep; do - for ac_exec_ext in '' $ac_executable_extensions; do - ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" - { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue - # Check for GNU ac_path_GREP and select it if it is found. + for ac_exec_ext in '' $ac_executable_extensions; do + ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" + { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue +# Check for GNU ac_path_GREP and select it if it is found. # Check for GNU $ac_path_GREP case `"$ac_path_GREP" --version 2>&1` in *GNU*) ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;; *) ac_count=0 - echo $ECHO_N "0123456789$ECHO_C" >"conftest.in" + $as_echo_n 0123456789 >"conftest.in" while : do cat "conftest.in" "conftest.in" >"conftest.tmp" mv "conftest.tmp" "conftest.in" cp "conftest.in" "conftest.nl" - echo 'GREP' >> "conftest.nl" + $as_echo 'GREP' >> "conftest.nl" "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break ac_count=`expr $ac_count + 1` 
@@ -4990,74 +5278,60 @@ rm -f conftest.in conftest.tmp conftest.nl conftest.out;; esac - - $ac_path_GREP_found && break 3 + $ac_path_GREP_found && break 3 + done done done - -done IFS=$as_save_IFS - - -fi - -GREP="$ac_cv_path_GREP" -if test -z "$GREP"; then - { { echo "$as_me:$LINENO: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5 -echo "$as_me: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;} + if test -z "$ac_cv_path_GREP"; then + { { $as_echo "$as_me:$LINENO: error: no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5 +$as_echo "$as_me: error: no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;} { (exit 1); exit 1; }; } -fi - + fi else ac_cv_path_GREP=$GREP fi - fi -{ echo "$as_me:$LINENO: result: $ac_cv_path_GREP" >&5 -echo "${ECHO_T}$ac_cv_path_GREP" >&6; } +{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_GREP" >&5 +$as_echo "$ac_cv_path_GREP" >&6; } GREP="$ac_cv_path_GREP" -{ echo "$as_me:$LINENO: checking for egrep" >&5 -echo $ECHO_N "checking for egrep... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking for egrep" >&5 +$as_echo_n "checking for egrep... 
" >&6; } if test "${ac_cv_path_EGREP+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else if echo a | $GREP -E '(a|b)' >/dev/null 2>&1 then ac_cv_path_EGREP="$GREP -E" else - # Extract the first word of "egrep" to use in msg output -if test -z "$EGREP"; then -set dummy egrep; ac_prog_name=$2 -if test "${ac_cv_path_EGREP+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else + if test -z "$EGREP"; then ac_path_EGREP_found=false -# Loop through the user's path and test for each of PROGNAME-LIST -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR + # Loop through the user's path and test for each of PROGNAME-LIST + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_prog in egrep; do - for ac_exec_ext in '' $ac_executable_extensions; do - ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" - { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue - # Check for GNU ac_path_EGREP and select it if it is found. + for ac_exec_ext in '' $ac_executable_extensions; do + ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" + { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue +# Check for GNU ac_path_EGREP and select it if it is found. # Check for GNU $ac_path_EGREP case `"$ac_path_EGREP" --version 2>&1` in *GNU*) ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;; *) ac_count=0 - echo $ECHO_N "0123456789$ECHO_C" >"conftest.in" + $as_echo_n 0123456789 >"conftest.in" while : do cat "conftest.in" "conftest.in" >"conftest.tmp" mv "conftest.tmp" "conftest.in" cp "conftest.in" "conftest.nl" - echo 'EGREP' >> "conftest.nl" + $as_echo 'EGREP' >> "conftest.nl" "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break ac_count=`expr $ac_count + 1` 
@@ -5072,34 +5346,113 @@ rm -f conftest.in conftest.tmp conftest.nl conftest.out;; esac - - $ac_path_EGREP_found && break 3 + $ac_path_EGREP_found && break 3 + done done done - -done IFS=$as_save_IFS - - + if test -z "$ac_cv_path_EGREP"; then + { { $as_echo "$as_me:$LINENO: error: no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5 +$as_echo "$as_me: error: no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;} + { (exit 1); exit 1; }; } + fi +else + ac_cv_path_EGREP=$EGREP fi -EGREP="$ac_cv_path_EGREP" -if test -z "$EGREP"; then - { { echo "$as_me:$LINENO: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5 -echo "$as_me: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;} - { (exit 1); exit 1; }; } + fi fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_EGREP" >&5 +$as_echo "$ac_cv_path_EGREP" >&6; } + EGREP="$ac_cv_path_EGREP" + +{ $as_echo "$as_me:$LINENO: checking for fgrep" >&5 +$as_echo_n "checking for fgrep... " >&6; } +if test "${ac_cv_path_FGREP+set}" = set; then + $as_echo_n "(cached) " >&6 else - ac_cv_path_EGREP=$EGREP -fi + if echo 'ab*c' | $GREP -F 'ab*c' >/dev/null 2>&1 + then ac_cv_path_FGREP="$GREP -F" + else + if test -z "$FGREP"; then + ac_path_FGREP_found=false + # Loop through the user's path and test for each of PROGNAME-LIST + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_prog in fgrep; do + for ac_exec_ext in '' $ac_executable_extensions; do + ac_path_FGREP="$as_dir/$ac_prog$ac_exec_ext" + { test -f "$ac_path_FGREP" && $as_test_x "$ac_path_FGREP"; } || continue +# Check for GNU ac_path_FGREP and select it if it is found. 
+ # Check for GNU $ac_path_FGREP +case `"$ac_path_FGREP" --version 2>&1` in +*GNU*) + ac_cv_path_FGREP="$ac_path_FGREP" ac_path_FGREP_found=:;; +*) + ac_count=0 + $as_echo_n 0123456789 >"conftest.in" + while : + do + cat "conftest.in" "conftest.in" >"conftest.tmp" + mv "conftest.tmp" "conftest.in" + cp "conftest.in" "conftest.nl" + $as_echo 'FGREP' >> "conftest.nl" + "$ac_path_FGREP" FGREP < "conftest.nl" >"conftest.out" 2>/dev/null || break + diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break + ac_count=`expr $ac_count + 1` + if test $ac_count -gt ${ac_path_FGREP_max-0}; then + # Best one so far, save it but keep looking for a better one + ac_cv_path_FGREP="$ac_path_FGREP" + ac_path_FGREP_max=$ac_count + fi + # 10*(2^10) chars as input seems more than enough + test $ac_count -gt 10 && break + done + rm -f conftest.in conftest.tmp conftest.nl conftest.out;; +esac + $ac_path_FGREP_found && break 3 + done + done +done +IFS=$as_save_IFS + if test -z "$ac_cv_path_FGREP"; then + { { $as_echo "$as_me:$LINENO: error: no acceptable fgrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5 +$as_echo "$as_me: error: no acceptable fgrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;} + { (exit 1); exit 1; }; } + fi +else + ac_cv_path_FGREP=$FGREP +fi fi fi -{ echo "$as_me:$LINENO: result: $ac_cv_path_EGREP" >&5 -echo "${ECHO_T}$ac_cv_path_EGREP" >&6; } - EGREP="$ac_cv_path_EGREP" +{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_FGREP" >&5 +$as_echo "$ac_cv_path_FGREP" >&6; } + FGREP="$ac_cv_path_FGREP" + + +test -z "$GREP" && GREP=grep + + + + + + + + + + + + + + + + 
@@ -5113,8 +5466,8 @@ ac_prog=ld if test "$GCC" = yes; then # Check if gcc -print-prog-name=ld gives a path. - { echo "$as_me:$LINENO: checking for ld used by $CC" >&5 -echo $ECHO_N "checking for ld used by $CC... $ECHO_C" >&6; } + { $as_echo "$as_me:$LINENO: checking for ld used by $CC" >&5 +$as_echo_n "checking for ld used by $CC... " >&6; } case $host in *-*-mingw*) # gcc leaves a trailing carriage return which upsets mingw @@ -5127,9 +5480,9 @@ [\\/]* | ?:[\\/]*) re_direlt='/[^/][^/]*/\.\./' # Canonicalize the pathname of ld - ac_prog=`echo $ac_prog| $SED 's%\\\\%/%g'` - while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do - ac_prog=`echo $ac_prog| $SED "s%$re_direlt%/%"` + ac_prog=`$ECHO "$ac_prog"| $SED 's%\\\\%/%g'` + while $ECHO "$ac_prog" | $GREP "$re_direlt" > /dev/null 2>&1; do + ac_prog=`$ECHO $ac_prog| $SED "s%$re_direlt%/%"` done test -z "$LD" && LD="$ac_prog" ;; @@ -5143,14 +5496,14 @@ ;; esac elif test "$with_gnu_ld" = yes; then - { echo "$as_me:$LINENO: checking for GNU ld" >&5 -echo $ECHO_N "checking for GNU ld... $ECHO_C" >&6; } + { $as_echo "$as_me:$LINENO: checking for GNU ld" >&5 +$as_echo_n "checking for GNU ld... " >&6; } else - { echo "$as_me:$LINENO: checking for non-GNU ld" >&5 -echo $ECHO_N "checking for non-GNU ld... $ECHO_C" >&6; } + { $as_echo "$as_me:$LINENO: checking for non-GNU ld" >&5 +$as_echo_n "checking for non-GNU ld... " >&6; } fi if test "${lt_cv_path_LD+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else if test -z "$LD"; then lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR 
@@ -5180,19 +5533,19 @@ LD="$lt_cv_path_LD" if test -n "$LD"; then - { echo "$as_me:$LINENO: result: $LD" >&5 -echo "${ECHO_T}$LD" >&6; } + { $as_echo "$as_me:$LINENO: result: $LD" >&5 +$as_echo "$LD" >&6; } else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi -test -z "$LD" && { { echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5 -echo "$as_me: error: no acceptable ld found in \$PATH" >&2;} +test -z "$LD" && { { $as_echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5 +$as_echo "$as_me: error: no acceptable ld found in \$PATH" >&2;} { (exit 1); exit 1; }; } -{ echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5 -echo $ECHO_N "checking if the linker ($LD) is GNU ld... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5 +$as_echo_n "checking if the linker ($LD) is GNU ld... " >&6; } if test "${lt_cv_prog_gnu_ld+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else # I'd rather use --version here, but apparently some GNU lds only accept -v. case `$LD -v 2>&1 &5 -echo "${ECHO_T}$lt_cv_prog_gnu_ld" >&6; } +{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_gnu_ld" >&5 +$as_echo "$lt_cv_prog_gnu_ld" >&6; } with_gnu_ld=$lt_cv_prog_gnu_ld -{ echo "$as_me:$LINENO: checking for $LD option to reload object files" >&5 -echo $ECHO_N "checking for $LD option to reload object files... 
$ECHO_C" >&6; } -if test "${lt_cv_ld_reload_flag+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - lt_cv_ld_reload_flag='-r' -fi -{ echo "$as_me:$LINENO: result: $lt_cv_ld_reload_flag" >&5 -echo "${ECHO_T}$lt_cv_ld_reload_flag" >&6; } -reload_flag=$lt_cv_ld_reload_flag -case $reload_flag in -"" | " "*) ;; -*) reload_flag=" $reload_flag" ;; -esac -reload_cmds='$LD$reload_flag -o $output$reload_objs' -case $host_os in - darwin*) - if test "$GCC" = yes; then - reload_cmds='$LTCC $LTCFLAGS -nostdlib ${wl}-r -o $output$reload_objs' - else - reload_cmds='$LD$reload_flag -o $output$reload_objs' - fi - ;; -esac -{ echo "$as_me:$LINENO: checking for BSD-compatible nm" >&5 -echo $ECHO_N "checking for BSD-compatible nm... $ECHO_C" >&6; } + + + + + + +{ $as_echo "$as_me:$LINENO: checking for BSD- or MS-compatible name lister (nm)" >&5 +$as_echo_n "checking for BSD- or MS-compatible name lister (nm)... " >&6; } if test "${lt_cv_path_NM+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else if test -n "$NM"; then # Let the user override the test. 
@@ -5280,835 +5615,693 @@ done IFS="$lt_save_ifs" done - test -z "$lt_cv_path_NM" && lt_cv_path_NM=nm + : ${lt_cv_path_NM=no} fi fi -{ echo "$as_me:$LINENO: result: $lt_cv_path_NM" >&5 -echo "${ECHO_T}$lt_cv_path_NM" >&6; } -NM="$lt_cv_path_NM" - -{ echo "$as_me:$LINENO: checking whether ln -s works" >&5 -echo $ECHO_N "checking whether ln -s works... $ECHO_C" >&6; } -LN_S=$as_ln_s -if test "$LN_S" = "ln -s"; then - { echo "$as_me:$LINENO: result: yes" >&5 -echo "${ECHO_T}yes" >&6; } +{ $as_echo "$as_me:$LINENO: result: $lt_cv_path_NM" >&5 +$as_echo "$lt_cv_path_NM" >&6; } +if test "$lt_cv_path_NM" != "no"; then + NM="$lt_cv_path_NM" else - { echo "$as_me:$LINENO: result: no, using $LN_S" >&5 -echo "${ECHO_T}no, using $LN_S" >&6; } -fi - -{ echo "$as_me:$LINENO: checking how to recognise dependent libraries" >&5 -echo $ECHO_N "checking how to recognise dependent libraries... $ECHO_C" >&6; } -if test "${lt_cv_deplibs_check_method+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + # Didn't find any BSD compatible name lister, look for dumpbin. + if test -n "$ac_tool_prefix"; then + for ac_prog in "dumpbin -symbols" "link -dump -symbols" + do + # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. +set dummy $ac_tool_prefix$ac_prog; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_DUMPBIN+set}" = set; then + $as_echo_n "(cached) " >&6 else - lt_cv_file_magic_cmd='$MAGIC_CMD' -lt_cv_file_magic_test_file= -lt_cv_deplibs_check_method='unknown' -# Need to set the preceding variable on all platforms that support -# interlibrary dependencies. -# 'none' -- dependencies not supported. -# `unknown' -- same as none, but documents that we really don't know. -# 'pass_all' -- all dependencies passed with no checks. -# 'test_compile' -- check by making test program. 
-# 'file_magic [[regex]]' -- check by looking for files in library path -# which responds to the $file_magic_cmd with a given extended regex. -# If you have `file' or equivalent on your system and you're not sure -# whether `pass_all' will *always* work, you probably want this one. + if test -n "$DUMPBIN"; then + ac_cv_prog_DUMPBIN="$DUMPBIN" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_DUMPBIN="$ac_tool_prefix$ac_prog" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS -case $host_os in -aix4* | aix5*) - lt_cv_deplibs_check_method=pass_all - ;; +fi +fi +DUMPBIN=$ac_cv_prog_DUMPBIN +if test -n "$DUMPBIN"; then + { $as_echo "$as_me:$LINENO: result: $DUMPBIN" >&5 +$as_echo "$DUMPBIN" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi -beos*) - lt_cv_deplibs_check_method=pass_all - ;; -bsdi[45]*) - lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib)' - lt_cv_file_magic_cmd='/usr/bin/file -L' - lt_cv_file_magic_test_file=/shlib/libc.so - ;; + test -n "$DUMPBIN" && break + done +fi +if test -z "$DUMPBIN"; then + ac_ct_DUMPBIN=$DUMPBIN + for ac_prog in "dumpbin -symbols" "link -dump -symbols" +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_ac_ct_DUMPBIN+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_DUMPBIN"; then + ac_cv_prog_ac_ct_DUMPBIN="$ac_ct_DUMPBIN" # Let the user override the test. 
+else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_ac_ct_DUMPBIN="$ac_prog" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS -cygwin*) - # func_win32_libid is a shell function defined in ltmain.sh - lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL' - lt_cv_file_magic_cmd='func_win32_libid' - ;; +fi +fi +ac_ct_DUMPBIN=$ac_cv_prog_ac_ct_DUMPBIN +if test -n "$ac_ct_DUMPBIN"; then + { $as_echo "$as_me:$LINENO: result: $ac_ct_DUMPBIN" >&5 +$as_echo "$ac_ct_DUMPBIN" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi -mingw* | pw32*) - # Base MSYS/MinGW do not provide the 'file' command needed by - # func_win32_libid shell function, so use a weaker test based on 'objdump'. - lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?' - lt_cv_file_magic_cmd='$OBJDUMP -f' - ;; -darwin* | rhapsody*) - lt_cv_deplibs_check_method=pass_all - ;; + test -n "$ac_ct_DUMPBIN" && break +done -freebsd* | kfreebsd*-gnu | dragonfly*) - if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then - case $host_cpu in - i*86 ) - # Not sure whether the presence of OpenBSD here was a mistake. - # Let's accept both of them until this is cleared up. 
- lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD|DragonFly)/i[3-9]86 (compact )?demand paged shared library' - lt_cv_file_magic_cmd=/usr/bin/file - lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*` - ;; - esac + if test "x$ac_ct_DUMPBIN" = x; then + DUMPBIN=":" else - lt_cv_deplibs_check_method=pass_all + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + DUMPBIN=$ac_ct_DUMPBIN fi - ;; - -gnu*) - lt_cv_deplibs_check_method=pass_all - ;; +fi -hpux10.20* | hpux11*) - lt_cv_file_magic_cmd=/usr/bin/file - case $host_cpu in - ia64*) - lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - IA64' - lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so - ;; - hppa*64*) - lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]' - lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl - ;; - *) - lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|PA-RISC[0-9].[0-9]) shared library' - lt_cv_file_magic_test_file=/usr/lib/libc.sl - ;; - esac - ;; -interix3*) - # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here - lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so|\.a)$' - ;; + if test "$DUMPBIN" != ":"; then + NM="$DUMPBIN" + fi +fi +test -z "$NM" && NM=nm -irix5* | irix6* | nonstopux*) - case $LD in - *-32|*"-32 ") libmagic=32-bit;; - *-n32|*"-n32 ") libmagic=N32;; - *-64|*"-64 ") libmagic=64-bit;; - *) libmagic=never-match;; - esac - lt_cv_deplibs_check_method=pass_all - ;; -# This must be Linux ELF. 
-linux*) - lt_cv_deplibs_check_method=pass_all - ;; -netbsd*) - if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then - lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$' - else - lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so|_pic\.a)$' - fi - ;; -newos6*) - lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (executable|dynamic lib)' - lt_cv_file_magic_cmd=/usr/bin/file - lt_cv_file_magic_test_file=/usr/lib/libnls.so - ;; -nto-qnx*) - lt_cv_deplibs_check_method=unknown - ;; -openbsd*) - if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then - lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|\.so|_pic\.a)$' - else - lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$' +{ $as_echo "$as_me:$LINENO: checking the name lister ($NM) interface" >&5 +$as_echo_n "checking the name lister ($NM) interface... " >&6; } +if test "${lt_cv_nm_interface+set}" = set; then + $as_echo_n "(cached) " >&6 +else + lt_cv_nm_interface="BSD nm" + echo "int some_variable = 0;" > conftest.$ac_ext + (eval echo "\"\$as_me:5746: $ac_compile\"" >&5) + (eval "$ac_compile" 2>conftest.err) + cat conftest.err >&5 + (eval echo "\"\$as_me:5749: $NM \\\"conftest.$ac_objext\\\"\"" >&5) + (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) + cat conftest.err >&5 + (eval echo "\"\$as_me:5752: output\"" >&5) + cat conftest.out >&5 + if $GREP 'External.*some_variable' conftest.out > /dev/null; then + lt_cv_nm_interface="MS dumpbin" fi - ;; + rm -f conftest* +fi +{ $as_echo "$as_me:$LINENO: result: $lt_cv_nm_interface" >&5 +$as_echo "$lt_cv_nm_interface" >&6; } -osf3* | osf4* | osf5*) - lt_cv_deplibs_check_method=pass_all - ;; +{ $as_echo "$as_me:$LINENO: checking whether ln -s works" >&5 +$as_echo_n "checking whether ln -s works... 
" >&6; } +LN_S=$as_ln_s +if test "$LN_S" = "ln -s"; then + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no, using $LN_S" >&5 +$as_echo "no, using $LN_S" >&6; } +fi -solaris*) - lt_cv_deplibs_check_method=pass_all - ;; +# find the maximum length of command line arguments +{ $as_echo "$as_me:$LINENO: checking the maximum length of command line arguments" >&5 +$as_echo_n "checking the maximum length of command line arguments... " >&6; } +if test "${lt_cv_sys_max_cmd_len+set}" = set; then + $as_echo_n "(cached) " >&6 +else + i=0 + teststring="ABCD" -sysv4 | sysv4.3*) - case $host_vendor in - motorola) - lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib) M[0-9][0-9]* Version [0-9]' - lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*` - ;; - ncr) - lt_cv_deplibs_check_method=pass_all - ;; - sequent) - lt_cv_file_magic_cmd='/bin/file' - lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB (shared object|dynamic lib )' - ;; - sni) - lt_cv_file_magic_cmd='/bin/file' - lt_cv_deplibs_check_method="file_magic ELF [0-9][0-9]*-bit [LM]SB dynamic lib" - lt_cv_file_magic_test_file=/lib/libc.so - ;; - siemens) - lt_cv_deplibs_check_method=pass_all - ;; - pc) - lt_cv_deplibs_check_method=pass_all + case $build_os in + msdosdjgpp*) + # On DJGPP, this test can blow up pretty badly due to problems in libc + # (any single argument exceeding 2000 bytes causes a buffer overrun + # during glob expansion). Even if it were fixed, the result of this + # check would be larger than it should be. 
+ lt_cv_sys_max_cmd_len=12288; # 12K is about right ;; - esac - ;; -sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*) - lt_cv_deplibs_check_method=pass_all - ;; -esac - -fi -{ echo "$as_me:$LINENO: result: $lt_cv_deplibs_check_method" >&5 -echo "${ECHO_T}$lt_cv_deplibs_check_method" >&6; } -file_magic_cmd=$lt_cv_file_magic_cmd -deplibs_check_method=$lt_cv_deplibs_check_method -test -z "$deplibs_check_method" && deplibs_check_method=unknown + gnu*) + # Under GNU Hurd, this test is not required because there is + # no limit to the length of command line arguments. + # Libtool will interpret -1 as no limit whatsoever + lt_cv_sys_max_cmd_len=-1; + ;; + cygwin* | mingw* | cegcc*) + # On Win9x/ME, this test blows up -- it succeeds, but takes + # about 5 minutes as the teststring grows exponentially. + # Worse, since 9x/ME are not pre-emptively multitasking, + # you end up with a "frozen" computer, even though with patience + # the test eventually succeeds (with a max line length of 256k). + # Instead, let's just punt: use the minimum linelength reported by + # all of the supported platforms: 8192 (on NT/2K/XP). + lt_cv_sys_max_cmd_len=8192; + ;; + amigaos*) + # On AmigaOS with pdksh, this test takes hours, literally. + # So we just punt and use a minimum line length of 8192. + lt_cv_sys_max_cmd_len=8192; + ;; + netbsd* | freebsd* | openbsd* | darwin* | dragonfly*) + # This has been around since 386BSD, at least. Likely further. + if test -x /sbin/sysctl; then + lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax` + elif test -x /usr/sbin/sysctl; then + lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax` + else + lt_cv_sys_max_cmd_len=65536 # usable default for all BSDs + fi + # And add a safety zone + lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` + lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` + ;; -# If no C compiler was specified, use CC. 
-LTCC=${LTCC-"$CC"} + interix*) + # We know the value 262144 and hardcode it with a safety zone (like BSD) + lt_cv_sys_max_cmd_len=196608 + ;; -# If no C compiler flags were specified, use CFLAGS. -LTCFLAGS=${LTCFLAGS-"$CFLAGS"} + osf*) + # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure + # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not + # nice to cause kernel panics so lets avoid the loop below. + # First set a reasonable default. + lt_cv_sys_max_cmd_len=16384 + # + if test -x /sbin/sysconfig; then + case `/sbin/sysconfig -q proc exec_disable_arg_limit` in + *1*) lt_cv_sys_max_cmd_len=-1 ;; + esac + fi + ;; + sco3.2v5*) + lt_cv_sys_max_cmd_len=102400 + ;; + sysv5* | sco5v6* | sysv4.2uw2*) + kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null` + if test -n "$kargmax"; then + lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[ ]//'` + else + lt_cv_sys_max_cmd_len=32768 + fi + ;; + *) + lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null` + if test -n "$lt_cv_sys_max_cmd_len"; then + lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` + lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` + else + # Make teststring a little bigger before we do anything with it. + # a 1K string should be a reasonable start. + for i in 1 2 3 4 5 6 7 8 ; do + teststring=$teststring$teststring + done + SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}} + # If test is not a shell built-in, we'll probably end up computing a + # maximum length that is only half of the actual maximum length, but + # we can't tell. + while { test "X"`$SHELL $0 --fallback-echo "X$teststring$teststring" 2>/dev/null` \ + = "XX$teststring$teststring"; } >/dev/null 2>&1 && + test $i != 17 # 1/2 MB should be enough + do + i=`expr $i + 1` + teststring=$teststring$teststring + done + # Only check the string length outside the loop. 
+ lt_cv_sys_max_cmd_len=`expr "X$teststring" : ".*" 2>&1` + teststring= + # Add a significant safety factor because C++ compilers can tack on + # massive amounts of additional arguments before passing them to the + # linker. It appears as though 1/2 is a usable value. + lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2` + fi + ;; + esac -# Allow CC to be a program name with arguments. -compiler=$CC +fi + +if test -n $lt_cv_sys_max_cmd_len ; then + { $as_echo "$as_me:$LINENO: result: $lt_cv_sys_max_cmd_len" >&5 +$as_echo "$lt_cv_sys_max_cmd_len" >&6; } +else + { $as_echo "$as_me:$LINENO: result: none" >&5 +$as_echo "none" >&6; } +fi +max_cmd_len=$lt_cv_sys_max_cmd_len -# Check whether --enable-libtool-lock was given. -if test "${enable_libtool_lock+set}" = set; then - enableval=$enable_libtool_lock; + + + + +: ${CP="cp -f"} +: ${MV="mv -f"} +: ${RM="rm -f"} + +{ $as_echo "$as_me:$LINENO: checking whether the shell understands some XSI constructs" >&5 +$as_echo_n "checking whether the shell understands some XSI constructs... " >&6; } +# Try some XSI features +xsi_shell=no +( _lt_dummy="a/b/c" + test "${_lt_dummy##*/},${_lt_dummy%/*},"${_lt_dummy%"$_lt_dummy"}, \ + = c,a/b,, \ + && eval 'test $(( 1 + 1 )) -eq 2 \ + && test "${#_lt_dummy}" -eq 5' ) >/dev/null 2>&1 \ + && xsi_shell=yes +{ $as_echo "$as_me:$LINENO: result: $xsi_shell" >&5 +$as_echo "$xsi_shell" >&6; } + + +{ $as_echo "$as_me:$LINENO: checking whether the shell understands \"+=\"" >&5 +$as_echo_n "checking whether the shell understands \"+=\"... 
" >&6; } +lt_shell_append=no +( foo=bar; set foo baz; eval "$1+=\$2" && test "$foo" = barbaz ) \ + >/dev/null 2>&1 \ + && lt_shell_append=yes +{ $as_echo "$as_me:$LINENO: result: $lt_shell_append" >&5 +$as_echo "$lt_shell_append" >&6; } + + +if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then + lt_unset=unset +else + lt_unset=false fi -test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes -# Some flags need to be propagated to the compiler or linker for good -# libtool support. -case $host in -ia64-*-hpux*) - # Find out which ABI we are using. - echo 'int i;' > conftest.$ac_ext - if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; then - case `/usr/bin/file conftest.$ac_objext` in - *ELF-32*) - HPUX_IA64_MODE="32" - ;; - *ELF-64*) - HPUX_IA64_MODE="64" - ;; - esac - fi - rm -rf conftest* + + + +# test EBCDIC or ASCII +case `echo X|tr X '\101'` in + A) # ASCII based system + # \n is not interpreted correctly by Solaris 8 /usr/ucb/tr + lt_SP2NL='tr \040 \012' + lt_NL2SP='tr \015\012 \040\040' ;; -*-*-irix6*) - # Find out which ABI we are using. - echo '#line 5527 "configure"' > conftest.$ac_ext - if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 - (exit $ac_status); }; then - if test "$lt_cv_prog_gnu_ld" = yes; then - case `/usr/bin/file conftest.$ac_objext` in - *32-bit*) - LD="${LD-ld} -melf32bsmip" - ;; - *N32*) - LD="${LD-ld} -melf32bmipn32" - ;; - *64-bit*) - LD="${LD-ld} -melf64bmip" - ;; - esac - else - case `/usr/bin/file conftest.$ac_objext` in - *32-bit*) - LD="${LD-ld} -32" - ;; - *N32*) - LD="${LD-ld} -n32" - ;; - *64-bit*) - LD="${LD-ld} -64" - ;; - esac - fi - fi - rm -rf conftest* + *) # EBCDIC based system + lt_SP2NL='tr \100 \n' + lt_NL2SP='tr \r\n \100\100' ;; +esac -x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*|s390*-*linux*|sparc*-*linux*) - # Find out which ABI we are using. - echo 'int i;' > conftest.$ac_ext - if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; then - case `/usr/bin/file conftest.o` in - *32-bit*) - case $host in - x86_64-*linux*) - LD="${LD-ld} -m elf_i386" - ;; - ppc64-*linux*|powerpc64-*linux*) - LD="${LD-ld} -m elf32ppclinux" - ;; - s390x-*linux*) - LD="${LD-ld} -m elf_s390" - ;; - sparc64-*linux*) - LD="${LD-ld} -m elf32_sparc" - ;; - esac - ;; - *64-bit*) - case $host in - x86_64-*linux*) - LD="${LD-ld} -m elf_x86_64" - ;; - ppc*-*linux*|powerpc*-*linux*) - LD="${LD-ld} -m elf64ppc" - ;; - s390*-*linux*) - LD="${LD-ld} -m elf64_s390" - ;; - sparc*-*linux*) - LD="${LD-ld} -m elf64_sparc" - ;; - esac - ;; - esac - fi - rm -rf conftest* - ;; -*-*-sco3.2v5*) - # On SCO OpenServer 5, we need -belf to get full-featured binaries. - SAVE_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -belf" - { echo "$as_me:$LINENO: checking whether the C compiler needs -belf" >&5 -echo $ECHO_N "checking whether the C compiler needs -belf... 
$ECHO_C" >&6; } -if test "${lt_cv_cc_needs_belf+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -int -main () -{ - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; + + + + +{ $as_echo "$as_me:$LINENO: checking for $LD option to reload object files" >&5 +$as_echo_n "checking for $LD option to reload object files... " >&6; } +if test "${lt_cv_ld_reload_flag+set}" = set; then + $as_echo_n "(cached) " >&6 +else + lt_cv_ld_reload_flag='-r' +fi +{ $as_echo "$as_me:$LINENO: result: $lt_cv_ld_reload_flag" >&5 +$as_echo "$lt_cv_ld_reload_flag" >&6; } +reload_flag=$lt_cv_ld_reload_flag +case $reload_flag in +"" | " "*) ;; +*) reload_flag=" $reload_flag" ;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! 
-s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - lt_cv_cc_needs_belf=yes +reload_cmds='$LD$reload_flag -o $output$reload_objs' +case $host_os in + darwin*) + if test "$GCC" = yes; then + reload_cmds='$LTCC $LTCFLAGS -nostdlib ${wl}-r -o $output$reload_objs' + else + reload_cmds='$LD$reload_flag -o $output$reload_objs' + fi + ;; +esac + + + + + + + + + +if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}objdump", so it can be a program name with args. +set dummy ${ac_tool_prefix}objdump; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_OBJDUMP+set}" = set; then + $as_echo_n "(cached) " >&6 else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 + if test -n "$OBJDUMP"; then + ac_cv_prog_OBJDUMP="$OBJDUMP" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_OBJDUMP="${ac_tool_prefix}objdump" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS - lt_cv_cc_needs_belf=no +fi +fi +OBJDUMP=$ac_cv_prog_OBJDUMP +if test -n "$OBJDUMP"; then + { $as_echo "$as_me:$LINENO: result: $OBJDUMP" >&5 +$as_echo "$OBJDUMP" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext - ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu fi -{ echo "$as_me:$LINENO: result: $lt_cv_cc_needs_belf" >&5 -echo "${ECHO_T}$lt_cv_cc_needs_belf" >&6; } - if test x"$lt_cv_cc_needs_belf" != x"yes"; then - # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf - CFLAGS="$SAVE_CFLAGS" - fi - ;; -sparc*-*solaris*) - # Find out which ABI we are using. - echo 'int i;' > conftest.$ac_ext - if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; then - case `/usr/bin/file conftest.o` in - *64-bit*) - case $lt_cv_prog_gnu_ld in - yes*) LD="${LD-ld} -m elf64_sparc" ;; - *) LD="${LD-ld} -64" ;; - esac - ;; - esac +if test -z "$ac_cv_prog_OBJDUMP"; then + ac_ct_OBJDUMP=$OBJDUMP + # Extract the first word of "objdump", so it can be a program name with args. +set dummy objdump; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... 
" >&6; } +if test "${ac_cv_prog_ac_ct_OBJDUMP+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_OBJDUMP"; then + ac_cv_prog_ac_ct_OBJDUMP="$ac_ct_OBJDUMP" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_ac_ct_OBJDUMP="objdump" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 fi - rm -rf conftest* - ;; +done +done +IFS=$as_save_IFS +fi +fi +ac_ct_OBJDUMP=$ac_cv_prog_ac_ct_OBJDUMP +if test -n "$ac_ct_OBJDUMP"; then + { $as_echo "$as_me:$LINENO: result: $ac_ct_OBJDUMP" >&5 +$as_echo "$ac_ct_OBJDUMP" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi + if test "x$ac_ct_OBJDUMP" = x; then + OBJDUMP="false" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; esac + OBJDUMP=$ac_ct_OBJDUMP + fi +else + OBJDUMP="$ac_cv_prog_OBJDUMP" +fi -need_locks="$enable_libtool_lock" +test -z "$OBJDUMP" && OBJDUMP=objdump -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu -{ echo "$as_me:$LINENO: checking how to run the C preprocessor" >&5 -echo $ECHO_N "checking how to run the C preprocessor... $ECHO_C" >&6; } -# On Suns, sometimes $CPP names a directory. 
-if test -n "$CPP" && test -d "$CPP"; then - CPP= -fi -if test -z "$CPP"; then - if test "${ac_cv_prog_CPP+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - # Double quotes because CPP needs to be expanded - for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp" - do - ac_preproc_ok=false -for ac_c_preproc_warn_flag in '' yes -do - # Use a header file that comes with gcc, so configuring glibc - # with a fresh cross-compiler works. - # Prefer to if __STDC__ is defined, since - # exists even on freestanding compilers. - # On the NeXT, cc -E runs the code through the compiler's parser, - # not just through cpp. "Syntax error" is here to catch this case. - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -#ifdef __STDC__ -# include -#else -# include -#endif - Syntax error -_ACEOF -if { (ac_try="$ac_cpp conftest.$ac_ext" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null && { - test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || - test ! -s conftest.err - }; then - : -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - # Broken: fails on valid input. -continue -fi -rm -f conftest.err conftest.$ac_ext - # OK, works on sane cases. Now check whether nonexistent headers - # can be detected and how. - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. 
*/ -#include -_ACEOF -if { (ac_try="$ac_cpp conftest.$ac_ext" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null && { - test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || - test ! -s conftest.err - }; then - # Broken: success on invalid input. -continue -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - # Passes both tests. -ac_preproc_ok=: -break -fi -rm -f conftest.err conftest.$ac_ext -done -# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. -rm -f conftest.err conftest.$ac_ext -if $ac_preproc_ok; then - break -fi - done - ac_cv_prog_CPP=$CPP -fi - CPP=$ac_cv_prog_CPP -else - ac_cv_prog_CPP=$CPP -fi -{ echo "$as_me:$LINENO: result: $CPP" >&5 -echo "${ECHO_T}$CPP" >&6; } -ac_preproc_ok=false -for ac_c_preproc_warn_flag in '' yes -do - # Use a header file that comes with gcc, so configuring glibc - # with a fresh cross-compiler works. - # Prefer to if __STDC__ is defined, since - # exists even on freestanding compilers. - # On the NeXT, cc -E runs the code through the compiler's parser, - # not just through cpp. "Syntax error" is here to catch this case. - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -#ifdef __STDC__ -# include -#else -# include -#endif - Syntax error -_ACEOF -if { (ac_try="$ac_cpp conftest.$ac_ext" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 - ac_status=$? 
- grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null && { - test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || - test ! -s conftest.err - }; then - : +{ $as_echo "$as_me:$LINENO: checking how to recognize dependent libraries" >&5 +$as_echo_n "checking how to recognize dependent libraries... " >&6; } +if test "${lt_cv_deplibs_check_method+set}" = set; then + $as_echo_n "(cached) " >&6 else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 + lt_cv_file_magic_cmd='$MAGIC_CMD' +lt_cv_file_magic_test_file= +lt_cv_deplibs_check_method='unknown' +# Need to set the preceding variable on all platforms that support +# interlibrary dependencies. +# 'none' -- dependencies not supported. +# `unknown' -- same as none, but documents that we really don't know. +# 'pass_all' -- all dependencies passed with no checks. +# 'test_compile' -- check by making test program. +# 'file_magic [[regex]]' -- check by looking for files in library path +# which responds to the $file_magic_cmd with a given extended regex. +# If you have `file' or equivalent on your system and you're not sure +# whether `pass_all' will *always* work, you probably want this one. - # Broken: fails on valid input. -continue -fi +case $host_os in +aix[4-9]*) + lt_cv_deplibs_check_method=pass_all + ;; -rm -f conftest.err conftest.$ac_ext +beos*) + lt_cv_deplibs_check_method=pass_all + ;; - # OK, works on sane cases. Now check whether nonexistent headers - # can be detected and how. - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. 
*/ -#include -_ACEOF -if { (ac_try="$ac_cpp conftest.$ac_ext" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null && { - test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || - test ! -s conftest.err - }; then - # Broken: success on invalid input. -continue -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 +bsdi[45]*) + lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib)' + lt_cv_file_magic_cmd='/usr/bin/file -L' + lt_cv_file_magic_test_file=/shlib/libc.so + ;; - # Passes both tests. -ac_preproc_ok=: -break -fi +cygwin*) + # func_win32_libid is a shell function defined in ltmain.sh + lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL' + lt_cv_file_magic_cmd='func_win32_libid' + ;; -rm -f conftest.err conftest.$ac_ext +mingw* | pw32*) + # Base MSYS/MinGW do not provide the 'file' command needed by + # func_win32_libid shell function, so use a weaker test based on 'objdump', + # unless we find 'file', for example because we are cross-compiling. + if ( file / ) >/dev/null 2>&1; then + lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL' + lt_cv_file_magic_cmd='func_win32_libid' + else + lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?' + lt_cv_file_magic_cmd='$OBJDUMP -f' + fi + ;; -done -# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. -rm -f conftest.err conftest.$ac_ext -if $ac_preproc_ok; then - : -else - { { echo "$as_me:$LINENO: error: C preprocessor \"$CPP\" fails sanity check -See \`config.log' for more details." 
>&5 -echo "$as_me: error: C preprocessor \"$CPP\" fails sanity check -See \`config.log' for more details." >&2;} - { (exit 1); exit 1; }; } -fi +cegcc) + # use the weaker test based on 'objdump'. See mingw*. + lt_cv_deplibs_check_method='file_magic file format pe-arm-.*little(.*architecture: arm)?' + lt_cv_file_magic_cmd='$OBJDUMP -f' + ;; -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu +darwin* | rhapsody*) + lt_cv_deplibs_check_method=pass_all + ;; +freebsd* | dragonfly*) + if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then + case $host_cpu in + i*86 ) + # Not sure whether the presence of OpenBSD here was a mistake. + # Let's accept both of them until this is cleared up. + lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD|DragonFly)/i[3-9]86 (compact )?demand paged shared library' + lt_cv_file_magic_cmd=/usr/bin/file + lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*` + ;; + esac + else + lt_cv_deplibs_check_method=pass_all + fi + ;; -{ echo "$as_me:$LINENO: checking for ANSI C header files" >&5 -echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6; } -if test "${ac_cv_header_stdc+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. 
*/ -#include -#include -#include -#include +gnu*) + lt_cv_deplibs_check_method=pass_all + ;; -int -main () -{ +hpux10.20* | hpux11*) + lt_cv_file_magic_cmd=/usr/bin/file + case $host_cpu in + ia64*) + lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - IA64' + lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so + ;; + hppa*64*) + lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]' + lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl + ;; + *) + lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|PA-RISC[0-9].[0-9]) shared library' + lt_cv_file_magic_test_file=/usr/lib/libc.sl + ;; + esac + ;; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_cv_header_stdc=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 +interix[3-9]*) + # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here + lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so|\.a)$' + ;; - ac_cv_header_stdc=no -fi +irix5* | irix6* | nonstopux*) + case $LD in + *-32|*"-32 ") libmagic=32-bit;; + *-n32|*"-n32 ") libmagic=N32;; + *-64|*"-64 ") libmagic=64-bit;; + *) libmagic=never-match;; + esac + lt_cv_deplibs_check_method=pass_all + ;; -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +# This must be Linux ELF. 
+linux* | k*bsd*-gnu) + lt_cv_deplibs_check_method=pass_all + ;; -if test $ac_cv_header_stdc = yes; then - # SunOS 4.x string.h does not declare mem*, contrary to ANSI. - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -#include +netbsd*) + if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then + lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$' + else + lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so|_pic\.a)$' + fi + ;; -_ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - $EGREP "memchr" >/dev/null 2>&1; then - : -else - ac_cv_header_stdc=no -fi -rm -f conftest* +newos6*) + lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (executable|dynamic lib)' + lt_cv_file_magic_cmd=/usr/bin/file + lt_cv_file_magic_test_file=/usr/lib/libnls.so + ;; -fi +*nto* | *qnx*) + lt_cv_deplibs_check_method=pass_all + ;; -if test $ac_cv_header_stdc = yes; then - # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -#include +openbsd*) + if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then + lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|\.so|_pic\.a)$' + else + lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$' + fi + ;; -_ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - $EGREP "free" >/dev/null 2>&1; then - : -else - ac_cv_header_stdc=no -fi -rm -f conftest* +osf3* | osf4* | osf5*) + lt_cv_deplibs_check_method=pass_all + ;; -fi +rdos*) + lt_cv_deplibs_check_method=pass_all + ;; -if test $ac_cv_header_stdc = yes; then - # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi. 
- if test "$cross_compiling" = yes; then - : -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -#include -#include -#if ((' ' & 0x0FF) == 0x020) -# define ISLOWER(c) ('a' <= (c) && (c) <= 'z') -# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c)) -#else -# define ISLOWER(c) \ - (('a' <= (c) && (c) <= 'i') \ - || ('j' <= (c) && (c) <= 'r') \ - || ('s' <= (c) && (c) <= 'z')) -# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c)) -#endif +solaris*) + lt_cv_deplibs_check_method=pass_all + ;; -#define XOR(e, f) (((e) && !(f)) || (!(e) && (f))) -int -main () -{ - int i; - for (i = 0; i < 256; i++) - if (XOR (islower (i), ISLOWER (i)) - || toupper (i) != TOUPPER (i)) - return 2; - return 0; -} -_ACEOF -rm -f conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_try") 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - : -else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 +sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*) + lt_cv_deplibs_check_method=pass_all + ;; -( exit $ac_status ) -ac_cv_header_stdc=no -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext -fi +sysv4 | sysv4.3*) + case $host_vendor in + motorola) + lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib) M[0-9][0-9]* Version [0-9]' + lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*` + ;; + ncr) + lt_cv_deplibs_check_method=pass_all + ;; + sequent) + lt_cv_file_magic_cmd='/bin/file' + lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB (shared object|dynamic lib )' + ;; + sni) + lt_cv_file_magic_cmd='/bin/file' + lt_cv_deplibs_check_method="file_magic ELF [0-9][0-9]*-bit [LM]SB dynamic lib" + lt_cv_file_magic_test_file=/lib/libc.so + ;; + siemens) + lt_cv_deplibs_check_method=pass_all + ;; + pc) + lt_cv_deplibs_check_method=pass_all + ;; + esac + ;; +tpf*) + lt_cv_deplibs_check_method=pass_all + ;; +esac fi -fi -{ echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5 -echo "${ECHO_T}$ac_cv_header_stdc" >&6; } -if test $ac_cv_header_stdc = yes; then +{ $as_echo "$as_me:$LINENO: result: $lt_cv_deplibs_check_method" >&5 +$as_echo "$lt_cv_deplibs_check_method" >&6; } +file_magic_cmd=$lt_cv_file_magic_cmd +deplibs_check_method=$lt_cv_deplibs_check_method +test -z "$deplibs_check_method" && deplibs_check_method=unknown -cat >>confdefs.h <<\_ACEOF -#define STDC_HEADERS 1 -_ACEOF -fi -# On IRIX 5.3, sys/types and inttypes.h are conflicting. 
@@ -6118,226 +6311,121 @@ -for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \ - inttypes.h stdint.h unistd.h -do -as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -{ echo "$as_me:$LINENO: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } -if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}ar", so it can be a program name with args. +set dummy ${ac_tool_prefix}ar; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_AR+set}" = set; then + $as_echo_n "(cached) " >&6 else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -$ac_includes_default - -#include <$ac_header> -_ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - eval "$as_ac_Header=yes" + if test -n "$AR"; then + ac_cv_prog_AR="$AR" # Let the user override the test. else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_AR="${ac_tool_prefix}ar" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS - eval "$as_ac_Header=no" fi - -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi -ac_res=`eval echo '${'$as_ac_Header'}'` - { echo "$as_me:$LINENO: result: $ac_res" >&5 -echo "${ECHO_T}$ac_res" >&6; } -if test `eval echo '${'$as_ac_Header'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 -_ACEOF - +AR=$ac_cv_prog_AR +if test -n "$AR"; then + { $as_echo "$as_me:$LINENO: result: $AR" >&5 +$as_echo "$AR" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi -done - - -for ac_header in dlfcn.h -do -as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then - { echo "$as_me:$LINENO: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } -if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then - echo $ECHO_N "(cached) $ECHO_C" >&6 fi -ac_res=`eval echo '${'$as_ac_Header'}'` - { echo "$as_me:$LINENO: result: $ac_res" >&5 -echo "${ECHO_T}$ac_res" >&6; } +if test -z "$ac_cv_prog_AR"; then + ac_ct_AR=$AR + # Extract the first word of "ar", so it can be a program name with args. +set dummy ar; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_ac_ct_AR+set}" = set; then + $as_echo_n "(cached) " >&6 else - # Is the header compilable? -{ echo "$as_me:$LINENO: checking $ac_header usability" >&5 -echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; } -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. 
*/ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -$ac_includes_default -#include <$ac_header> -_ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_header_compiler=yes + if test -n "$ac_ct_AR"; then + ac_cv_prog_ac_ct_AR="$ac_ct_AR" # Let the user override the test. else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_ac_ct_AR="ar" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS - ac_header_compiler=no +fi +fi +ac_ct_AR=$ac_cv_prog_ac_ct_AR +if test -n "$ac_ct_AR"; then + { $as_echo "$as_me:$LINENO: result: $ac_ct_AR" >&5 +$as_echo "$ac_ct_AR" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 -echo "${ECHO_T}$ac_header_compiler" >&6; } - -# Is the header present? -{ echo "$as_me:$LINENO: checking $ac_header presence" >&5 -echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; } -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. 
*/ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -#include <$ac_header> -_ACEOF -if { (ac_try="$ac_cpp conftest.$ac_ext" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; + if test "x$ac_ct_AR" = x; then + AR="false" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null && { - test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || - test ! -s conftest.err - }; then - ac_header_preproc=yes + AR=$ac_ct_AR + fi else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_header_preproc=no + AR="$ac_cv_prog_AR" fi -rm -f conftest.err conftest.$ac_ext -{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 -echo "${ECHO_T}$ac_header_preproc" >&6; } +test -z "$AR" && AR=ar +test -z "$AR_FLAGS" && AR_FLAGS=cru -# So? What about this header? -case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in - yes:no: ) - { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 -echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" 
>&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} - ac_header_preproc=yes - ;; - no:yes:* ) - { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 -echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 -echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 -echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 -echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 -echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} - ;; -esac -{ echo "$as_me:$LINENO: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... 
$ECHO_C" >&6; } -if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - eval "$as_ac_Header=\$ac_header_preproc" -fi -ac_res=`eval echo '${'$as_ac_Header'}'` - { echo "$as_me:$LINENO: result: $ac_res" >&5 -echo "${ECHO_T}$ac_res" >&6; } -fi -if test `eval echo '${'$as_ac_Header'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 -_ACEOF -fi -done -ac_ext=cpp -ac_cpp='$CXXCPP $CPPFLAGS' -ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_cxx_compiler_gnu -if test -z "$CXX"; then - if test -n "$CCC"; then - CXX=$CCC - else - if test -n "$ac_tool_prefix"; then - for ac_prog in g++ c++ gpp aCC CC cxx cc++ cl.exe FCC KCC RCC xlC_r xlC - do - # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. -set dummy $ac_tool_prefix$ac_prog; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } -if test "${ac_cv_prog_CXX+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + + + + + +if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args. +set dummy ${ac_tool_prefix}strip; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_STRIP+set}" = set; then + $as_echo_n "(cached) " >&6 else - if test -n "$CXX"; then - ac_cv_prog_CXX="$CXX" # Let the user override the test. + if test -n "$STRIP"; then + ac_cv_prog_STRIP="$STRIP" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH 
@@ -6346,8 +6434,8 @@ test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_CXX="$ac_tool_prefix$ac_prog" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + ac_cv_prog_STRIP="${ac_tool_prefix}strip" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done @@ -6356,32 +6444,28 @@ fi fi -CXX=$ac_cv_prog_CXX -if test -n "$CXX"; then - { echo "$as_me:$LINENO: result: $CXX" >&5 -echo "${ECHO_T}$CXX" >&6; } +STRIP=$ac_cv_prog_STRIP +if test -n "$STRIP"; then + { $as_echo "$as_me:$LINENO: result: $STRIP" >&5 +$as_echo "$STRIP" >&6; } else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi - test -n "$CXX" && break - done fi -if test -z "$CXX"; then - ac_ct_CXX=$CXX - for ac_prog in g++ c++ gpp aCC CC cxx cc++ cl.exe FCC KCC RCC xlC_r xlC -do - # Extract the first word of "$ac_prog", so it can be a program name with args. -set dummy $ac_prog; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } -if test "${ac_cv_prog_ac_ct_CXX+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +if test -z "$ac_cv_prog_STRIP"; then + ac_ct_STRIP=$STRIP + # Extract the first word of "strip", so it can be a program name with args. +set dummy strip; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then + $as_echo_n "(cached) " >&6 else - if test -n "$ac_ct_CXX"; then - ac_cv_prog_ac_ct_CXX="$ac_ct_CXX" # Let the user override the test. + if test -n "$ac_ct_STRIP"; then + ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH 
@@ -6390,8 +6474,8 @@ test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_ac_ct_CXX="$ac_prog" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + ac_cv_prog_ac_ct_STRIP="strip" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done 
@@ -6400,1018 +6484,201 @@ fi fi -ac_ct_CXX=$ac_cv_prog_ac_ct_CXX -if test -n "$ac_ct_CXX"; then - { echo "$as_me:$LINENO: result: $ac_ct_CXX" >&5 -echo "${ECHO_T}$ac_ct_CXX" >&6; } +ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP +if test -n "$ac_ct_STRIP"; then + { $as_echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5 +$as_echo "$ac_ct_STRIP" >&6; } else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi - - test -n "$ac_ct_CXX" && break -done - - if test "x$ac_ct_CXX" = x; then - CXX="g++" + if test "x$ac_ct_STRIP" = x; then + STRIP=":" else case $cross_compiling:$ac_tool_warned in yes:) -{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools -whose name does not start with the host triplet. If you think this -configuration is useful to you, please write to autoconf@gnu.org." >&5 -echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools -whose name does not start with the host triplet. If you think this -configuration is useful to you, please write to autoconf@gnu.org." >&2;} +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac - CXX=$ac_ct_CXX + STRIP=$ac_ct_STRIP fi +else + STRIP="$ac_cv_prog_STRIP" fi - fi -fi -# Provide some information about the compiler. -echo "$as_me:$LINENO: checking for C++ compiler version" >&5 -ac_compiler=`set X $ac_compile; echo $2` -{ (ac_try="$ac_compiler --version >&5" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compiler --version >&5") 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 - (exit $ac_status); } -{ (ac_try="$ac_compiler -v >&5" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compiler -v >&5") 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } -{ (ac_try="$ac_compiler -V >&5" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compiler -V >&5") 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } +test -z "$STRIP" && STRIP=: -{ echo "$as_me:$LINENO: checking whether we are using the GNU C++ compiler" >&5 -echo $ECHO_N "checking whether we are using the GNU C++ compiler... $ECHO_C" >&6; } -if test "${ac_cv_cxx_compiler_gnu+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -int -main () -{ -#ifndef __GNUC__ - choke me -#endif - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_cxx_werror_flag" || - test ! 
-s conftest.err - } && test -s conftest.$ac_objext; then - ac_compiler_gnu=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - ac_compiler_gnu=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -ac_cv_cxx_compiler_gnu=$ac_compiler_gnu - -fi -{ echo "$as_me:$LINENO: result: $ac_cv_cxx_compiler_gnu" >&5 -echo "${ECHO_T}$ac_cv_cxx_compiler_gnu" >&6; } -GXX=`test $ac_compiler_gnu = yes && echo yes` -ac_test_CXXFLAGS=${CXXFLAGS+set} -ac_save_CXXFLAGS=$CXXFLAGS -{ echo "$as_me:$LINENO: checking whether $CXX accepts -g" >&5 -echo $ECHO_N "checking whether $CXX accepts -g... $ECHO_C" >&6; } -if test "${ac_cv_prog_cxx_g+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_save_cxx_werror_flag=$ac_cxx_werror_flag - ac_cxx_werror_flag=yes - ac_cv_prog_cxx_g=no - CXXFLAGS="-g" - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ - -int -main () -{ - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_cxx_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_cv_prog_cxx_g=yes +if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args. +set dummy ${ac_tool_prefix}ranlib; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... 
" >&6; } +if test "${ac_cv_prog_RANLIB+set}" = set; then + $as_echo_n "(cached) " >&6 else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - CXXFLAGS="" - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ - -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_cxx_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - : + if test -n "$RANLIB"; then + ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test. else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_cxx_werror_flag=$ac_save_cxx_werror_flag - CXXFLAGS="-g" - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ - -int -main () -{ +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_cxx_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_cv_prog_cxx_g=yes +fi +fi +RANLIB=$ac_cv_prog_RANLIB +if test -n "$RANLIB"; then + { $as_echo "$as_me:$LINENO: result: $RANLIB" >&5 +$as_echo "$RANLIB" >&6; } else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi fi +if test -z "$ac_cv_prog_RANLIB"; then + ac_ct_RANLIB=$RANLIB + # Extract the first word of "ranlib", so it can be a program name with args. +set dummy ranlib; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_RANLIB"; then + ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_ac_ct_RANLIB="ranlib" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi - -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi - -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - ac_cxx_werror_flag=$ac_save_cxx_werror_flag +ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB +if test -n "$ac_ct_RANLIB"; then + { $as_echo "$as_me:$LINENO: result: $ac_ct_RANLIB" >&5 +$as_echo "$ac_ct_RANLIB" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi -{ echo "$as_me:$LINENO: result: $ac_cv_prog_cxx_g" >&5 -echo "${ECHO_T}$ac_cv_prog_cxx_g" >&6; } -if test "$ac_test_CXXFLAGS" = set; then - CXXFLAGS=$ac_save_CXXFLAGS -elif test $ac_cv_prog_cxx_g = yes; then - if test "$GXX" = yes; then - CXXFLAGS="-g -O2" + + if test "x$ac_ct_RANLIB" = x; then + RANLIB=":" else - CXXFLAGS="-g" + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + RANLIB=$ac_ct_RANLIB fi else - if test "$GXX" = yes; then - CXXFLAGS="-O2" - else - CXXFLAGS= - fi + RANLIB="$ac_cv_prog_RANLIB" fi -ac_ext=cpp -ac_cpp='$CXXCPP $CPPFLAGS' -ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_cxx_compiler_gnu -depcc="$CXX" am_compiler_list= +test -z "$RANLIB" && RANLIB=: -{ echo "$as_me:$LINENO: checking dependency style of $depcc" >&5 -echo $ECHO_N "checking dependency style of $depcc... 
$ECHO_C" >&6; } -if test "${am_cv_CXX_dependencies_compiler_type+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then - # We make a subdir and do the tests there. Otherwise we can end up - # making bogus files that we don't know about and never remove. For - # instance it was reported that on HP-UX the gcc test will end up - # making a dummy file named `D' -- because `-MD' means `put the output - # in D'. - mkdir conftest.dir - # Copy depcomp to subdir because otherwise we won't find it if we're - # using a relative directory. - cp "$am_depcomp" conftest.dir - cd conftest.dir - # We will build objects and dependencies in a subdirectory because - # it helps to detect inapplicable dependency modes. For instance - # both Tru64's cc and ICC support -MD to output dependencies as a - # side effect of compilation, but ICC will put the dependencies in - # the current directory while Tru64 will put them in the object - # directory. - mkdir sub - am_cv_CXX_dependencies_compiler_type=none - if test "$am_compiler_list" = ""; then - am_compiler_list=`sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < ./depcomp` - fi - for depmode in $am_compiler_list; do - # Setup a source with many dependencies, because some compilers - # like to wrap large dependency lists on column 80 (with \), and - # we should not choose a depcomp mode which is confused by this. - # - # We need to recreate these files for each test, as the compiler may - # overwrite some of them when testing with obscure command lines. - # This happens at least with the AIX C compiler. - : > sub/conftest.c - for i in 1 2 3 4 5 6; do - echo '#include "conftst'$i'.h"' >> sub/conftest.c - # Using `: > sub/conftst$i.h' creates only sub/conftst1.h with - # Solaris 8's {/usr,}/bin/sh. 
- touch sub/conftst$i.h - done - echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf - case $depmode in - nosideeffect) - # after this tag, mechanisms are not by side-effect, so they'll - # only be used when explicitly requested - if test "x$enable_dependency_tracking" = xyes; then - continue - else - break - fi - ;; - none) break ;; - esac - # We check with `-c' and `-o' for the sake of the "dashmstdout" - # mode. It turns out that the SunPro C++ compiler does not properly - # handle `-M -o', and we need to detect this. - if depmode=$depmode \ - source=sub/conftest.c object=sub/conftest.${OBJEXT-o} \ - depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \ - $SHELL ./depcomp $depcc -c -o sub/conftest.${OBJEXT-o} sub/conftest.c \ - >/dev/null 2>conftest.err && - grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 && - grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 && - grep sub/conftest.${OBJEXT-o} sub/conftest.Po > /dev/null 2>&1 && - ${MAKE-make} -s -f confmf > /dev/null 2>&1; then - # icc doesn't choke on unknown options, it will just issue warnings - # or remarks (even with -Werror). So we grep stderr for any message - # that says an option was ignored or not supported. - # When given -MP, icc 7.0 and 7.1 complain thusly: - # icc: Command line warning: ignoring option '-M'; no argument required - # The diagnosis changed in icc 8.0: - # icc: Command line remark: option '-MP' not supported - if (grep 'ignoring option' conftest.err || - grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else - am_cv_CXX_dependencies_compiler_type=$depmode - break - fi - fi - done - cd .. 
- rm -rf conftest.dir -else - am_cv_CXX_dependencies_compiler_type=none -fi -fi -{ echo "$as_me:$LINENO: result: $am_cv_CXX_dependencies_compiler_type" >&5 -echo "${ECHO_T}$am_cv_CXX_dependencies_compiler_type" >&6; } -CXXDEPMODE=depmode=$am_cv_CXX_dependencies_compiler_type - if - test "x$enable_dependency_tracking" != xno \ - && test "$am_cv_CXX_dependencies_compiler_type" = gcc3; then - am__fastdepCXX_TRUE= - am__fastdepCXX_FALSE='#' -else - am__fastdepCXX_TRUE='#' - am__fastdepCXX_FALSE= +# Determine commands to create old-style static archives. +old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs' +old_postinstall_cmds='chmod 644 $oldlib' +old_postuninstall_cmds= + +if test -n "$RANLIB"; then + case $host_os in + openbsd*) + old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib" + ;; + *) + old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib" + ;; + esac + old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib" fi -if test -n "$CXX" && ( test "X$CXX" != "Xno" && - ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) || - (test "X$CXX" != "Xg++"))) ; then - ac_ext=cpp -ac_cpp='$CXXCPP $CPPFLAGS' -ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_cxx_compiler_gnu -{ echo "$as_me:$LINENO: checking how to run the C++ preprocessor" >&5 -echo $ECHO_N "checking how to run the C++ preprocessor... $ECHO_C" >&6; } -if test -z "$CXXCPP"; then - if test "${ac_cv_prog_CXXCPP+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - # Double quotes because CXXCPP needs to be expanded - for CXXCPP in "$CXX -E" "/lib/cpp" - do - ac_preproc_ok=false -for ac_cxx_preproc_warn_flag in '' yes -do - # Use a header file that comes with gcc, so configuring glibc - # with a fresh cross-compiler works. - # Prefer to if __STDC__ is defined, since - # exists even on freestanding compilers. 
- # On the NeXT, cc -E runs the code through the compiler's parser, - # not just through cpp. "Syntax error" is here to catch this case. - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -#ifdef __STDC__ -# include -#else -# include -#endif - Syntax error -_ACEOF -if { (ac_try="$ac_cpp conftest.$ac_ext" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null && { - test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" || - test ! -s conftest.err - }; then - : -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - # Broken: fails on valid input. -continue -fi -rm -f conftest.err conftest.$ac_ext - # OK, works on sane cases. Now check whether nonexistent headers - # can be detected and how. - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -#include -_ACEOF -if { (ac_try="$ac_cpp conftest.$ac_ext" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null && { - test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" || - test ! -s conftest.err - }; then - # Broken: success on invalid input. 
-continue -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - # Passes both tests. -ac_preproc_ok=: -break -fi -rm -f conftest.err conftest.$ac_ext -done -# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. -rm -f conftest.err conftest.$ac_ext -if $ac_preproc_ok; then - break -fi - done - ac_cv_prog_CXXCPP=$CXXCPP -fi - CXXCPP=$ac_cv_prog_CXXCPP -else - ac_cv_prog_CXXCPP=$CXXCPP -fi -{ echo "$as_me:$LINENO: result: $CXXCPP" >&5 -echo "${ECHO_T}$CXXCPP" >&6; } -ac_preproc_ok=false -for ac_cxx_preproc_warn_flag in '' yes -do - # Use a header file that comes with gcc, so configuring glibc - # with a fresh cross-compiler works. - # Prefer to if __STDC__ is defined, since - # exists even on freestanding compilers. - # On the NeXT, cc -E runs the code through the compiler's parser, - # not just through cpp. "Syntax error" is here to catch this case. - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -#ifdef __STDC__ -# include -#else -# include -#endif - Syntax error -_ACEOF -if { (ac_try="$ac_cpp conftest.$ac_ext" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null && { - test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" || - test ! -s conftest.err - }; then - : -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - # Broken: fails on valid input. -continue -fi -rm -f conftest.err conftest.$ac_ext - # OK, works on sane cases. Now check whether nonexistent headers - # can be detected and how. - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. 
*/ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -#include -_ACEOF -if { (ac_try="$ac_cpp conftest.$ac_ext" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null && { - test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" || - test ! -s conftest.err - }; then - # Broken: success on invalid input. -continue -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - # Passes both tests. -ac_preproc_ok=: -break -fi -rm -f conftest.err conftest.$ac_ext -done -# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. -rm -f conftest.err conftest.$ac_ext -if $ac_preproc_ok; then - : -else - { { echo "$as_me:$LINENO: error: C++ preprocessor \"$CXXCPP\" fails sanity check -See \`config.log' for more details." >&5 -echo "$as_me: error: C++ preprocessor \"$CXXCPP\" fails sanity check -See \`config.log' for more details." >&2;} - { (exit 1); exit 1; }; } -fi -ac_ext=cpp -ac_cpp='$CXXCPP $CPPFLAGS' -ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_cxx_compiler_gnu -fi -ac_ext=f -ac_compile='$F77 -c $FFLAGS conftest.$ac_ext >&5' -ac_link='$F77 -o conftest$ac_exeext $FFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_f77_compiler_gnu -if test -n "$ac_tool_prefix"; then - for ac_prog in g77 xlf f77 frt pgf77 cf77 fort77 fl32 af77 xlf90 f90 pgf90 pghpf epcf90 gfortran g95 xlf95 f95 fort ifort ifc efc pgf95 lf95 ftn - do - # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. 
-set dummy $ac_tool_prefix$ac_prog; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } -if test "${ac_cv_prog_F77+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$F77"; then - ac_cv_prog_F77="$F77" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_F77="$ac_tool_prefix$ac_prog" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done -IFS=$as_save_IFS -fi -fi -F77=$ac_cv_prog_F77 -if test -n "$F77"; then - { echo "$as_me:$LINENO: result: $F77" >&5 -echo "${ECHO_T}$F77" >&6; } -else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } -fi - test -n "$F77" && break - done -fi -if test -z "$F77"; then - ac_ct_F77=$F77 - for ac_prog in g77 xlf f77 frt pgf77 cf77 fort77 fl32 af77 xlf90 f90 pgf90 pghpf epcf90 gfortran g95 xlf95 f95 fort ifort ifc efc pgf95 lf95 ftn -do - # Extract the first word of "$ac_prog", so it can be a program name with args. -set dummy $ac_prog; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } -if test "${ac_cv_prog_ac_ct_F77+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$ac_ct_F77"; then - ac_cv_prog_ac_ct_F77="$ac_ct_F77" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. 
- for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_ac_ct_F77="$ac_prog" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done -IFS=$as_save_IFS -fi -fi -ac_ct_F77=$ac_cv_prog_ac_ct_F77 -if test -n "$ac_ct_F77"; then - { echo "$as_me:$LINENO: result: $ac_ct_F77" >&5 -echo "${ECHO_T}$ac_ct_F77" >&6; } -else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } -fi - test -n "$ac_ct_F77" && break -done - if test "x$ac_ct_F77" = x; then - F77="" - else - case $cross_compiling:$ac_tool_warned in -yes:) -{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools -whose name does not start with the host triplet. If you think this -configuration is useful to you, please write to autoconf@gnu.org." >&5 -echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools -whose name does not start with the host triplet. If you think this -configuration is useful to you, please write to autoconf@gnu.org." >&2;} -ac_tool_warned=yes ;; -esac - F77=$ac_ct_F77 - fi -fi -# Provide some information about the compiler. -echo "$as_me:$LINENO: checking for Fortran 77 compiler version" >&5 -ac_compiler=`set X $ac_compile; echo $2` -{ (ac_try="$ac_compiler --version >&5" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compiler --version >&5") 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } -{ (ac_try="$ac_compiler -v >&5" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compiler -v >&5") 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 - (exit $ac_status); } -{ (ac_try="$ac_compiler -V >&5" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compiler -V >&5") 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } -rm -f a.out -# If we don't use `.F' as extension, the preprocessor is not run on the -# input file. (Note that this only needs to work for GNU compilers.) -ac_save_ext=$ac_ext -ac_ext=F -{ echo "$as_me:$LINENO: checking whether we are using the GNU Fortran 77 compiler" >&5 -echo $ECHO_N "checking whether we are using the GNU Fortran 77 compiler... $ECHO_C" >&6; } -if test "${ac_cv_f77_compiler_gnu+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF - program main -#ifndef __GNUC__ - choke me -#endif - end -_ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_f77_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_compiler_gnu=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_compiler_gnu=no -fi - -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -ac_cv_f77_compiler_gnu=$ac_compiler_gnu - -fi -{ echo "$as_me:$LINENO: result: $ac_cv_f77_compiler_gnu" >&5 -echo "${ECHO_T}$ac_cv_f77_compiler_gnu" >&6; } -ac_ext=$ac_save_ext -ac_test_FFLAGS=${FFLAGS+set} -ac_save_FFLAGS=$FFLAGS -FFLAGS= -{ echo "$as_me:$LINENO: checking whether $F77 accepts -g" >&5 -echo $ECHO_N "checking whether $F77 accepts -g... 
$ECHO_C" >&6; } -if test "${ac_cv_prog_f77_g+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - FFLAGS=-g -cat >conftest.$ac_ext <<_ACEOF - program main - - end -_ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_f77_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_cv_prog_f77_g=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_cv_prog_f77_g=no -fi - -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - -fi -{ echo "$as_me:$LINENO: result: $ac_cv_prog_f77_g" >&5 -echo "${ECHO_T}$ac_cv_prog_f77_g" >&6; } -if test "$ac_test_FFLAGS" = set; then - FFLAGS=$ac_save_FFLAGS -elif test $ac_cv_prog_f77_g = yes; then - if test "x$ac_cv_f77_compiler_gnu" = xyes; then - FFLAGS="-g -O2" - else - FFLAGS="-g" - fi -else - if test "x$ac_cv_f77_compiler_gnu" = xyes; then - FFLAGS="-O2" - else - FFLAGS= - fi -fi - -G77=`test $ac_compiler_gnu = yes && echo yes` -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu - - - -# Autoconf 2.13's AC_OBJEXT and AC_EXEEXT macros only works for C compilers! - -# find the maximum length of command line arguments -{ echo "$as_me:$LINENO: checking the maximum length of command line arguments" >&5 -echo $ECHO_N "checking the maximum length of command line arguments... 
$ECHO_C" >&6; } -if test "${lt_cv_sys_max_cmd_len+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - i=0 - teststring="ABCD" - - case $build_os in - msdosdjgpp*) - # On DJGPP, this test can blow up pretty badly due to problems in libc - # (any single argument exceeding 2000 bytes causes a buffer overrun - # during glob expansion). Even if it were fixed, the result of this - # check would be larger than it should be. - lt_cv_sys_max_cmd_len=12288; # 12K is about right - ;; - - gnu*) - # Under GNU Hurd, this test is not required because there is - # no limit to the length of command line arguments. - # Libtool will interpret -1 as no limit whatsoever - lt_cv_sys_max_cmd_len=-1; - ;; - - cygwin* | mingw*) - # On Win9x/ME, this test blows up -- it succeeds, but takes - # about 5 minutes as the teststring grows exponentially. - # Worse, since 9x/ME are not pre-emptively multitasking, - # you end up with a "frozen" computer, even though with patience - # the test eventually succeeds (with a max line length of 256k). - # Instead, let's just punt: use the minimum linelength reported by - # all of the supported platforms: 8192 (on NT/2K/XP). - lt_cv_sys_max_cmd_len=8192; - ;; - - amigaos*) - # On AmigaOS with pdksh, this test takes hours, literally. - # So we just punt and use a minimum line length of 8192. - lt_cv_sys_max_cmd_len=8192; - ;; - - netbsd* | freebsd* | openbsd* | darwin* | dragonfly*) - # This has been around since 386BSD, at least. Likely further. 
- if test -x /sbin/sysctl; then - lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax` - elif test -x /usr/sbin/sysctl; then - lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax` - else - lt_cv_sys_max_cmd_len=65536 # usable default for all BSDs - fi - # And add a safety zone - lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` - lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` - ;; - - interix*) - # We know the value 262144 and hardcode it with a safety zone (like BSD) - lt_cv_sys_max_cmd_len=196608 - ;; - - osf*) - # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure - # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not - # nice to cause kernel panics so lets avoid the loop below. - # First set a reasonable default. - lt_cv_sys_max_cmd_len=16384 - # - if test -x /sbin/sysconfig; then - case `/sbin/sysconfig -q proc exec_disable_arg_limit` in - *1*) lt_cv_sys_max_cmd_len=-1 ;; - esac - fi - ;; - sco3.2v5*) - lt_cv_sys_max_cmd_len=102400 - ;; - sysv5* | sco5v6* | sysv4.2uw2*) - kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null` - if test -n "$kargmax"; then - lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[ ]//'` - else - lt_cv_sys_max_cmd_len=32768 - fi - ;; - *) - # If test is not a shell built-in, we'll probably end up computing a - # maximum length that is only half of the actual maximum length, but - # we can't tell. - SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}} - while (test "X"`$SHELL $0 --fallback-echo "X$teststring" 2>/dev/null` \ - = "XX$teststring") >/dev/null 2>&1 && - new_result=`expr "X$teststring" : ".*" 2>&1` && - lt_cv_sys_max_cmd_len=$new_result && - test $i != 17 # 1/2 MB should be enough - do - i=`expr $i + 1` - teststring=$teststring$teststring - done - teststring= - # Add a significant safety factor because C++ compilers can tack on massive - # amounts of additional arguments before passing them to the linker. - # It appears as though 1/2 is a usable value. 
- lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2` - ;; - esac - -fi -if test -n $lt_cv_sys_max_cmd_len ; then - { echo "$as_me:$LINENO: result: $lt_cv_sys_max_cmd_len" >&5 -echo "${ECHO_T}$lt_cv_sys_max_cmd_len" >&6; } -else - { echo "$as_me:$LINENO: result: none" >&5 -echo "${ECHO_T}none" >&6; } -fi +# If no C compiler was specified, use CC. +LTCC=${LTCC-"$CC"} +# If no C compiler flags were specified, use CFLAGS. +LTCFLAGS=${LTCFLAGS-"$CFLAGS"} +# Allow CC to be a program name with arguments. +compiler=$CC # Check for command to grab the raw symbol name followed by C symbol from nm. -{ echo "$as_me:$LINENO: checking command to parse $NM output from $compiler object" >&5 -echo $ECHO_N "checking command to parse $NM output from $compiler object... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking command to parse $NM output from $compiler object" >&5 +$as_echo_n "checking command to parse $NM output from $compiler object... " >&6; } if test "${lt_cv_sys_global_symbol_pipe+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else # These are sane defaults that work on at least a few old systems. 
@@ -7423,33 +6690,18 @@ # Regexp to match symbols that can be accessed directly from C. sympat='\([_A-Za-z][_A-Za-z0-9]*\)' -# Transform an extracted symbol line into a proper C declaration -lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^. .* \(.*\)$/extern int \1;/p'" - -# Transform an extracted symbol line into symbol name and symbol address -lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode \([^ ]*\) \([^ ]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'" - # Define system-specific variables. case $host_os in aix*) symcode='[BCDT]' ;; -cygwin* | mingw* | pw32*) +cygwin* | mingw* | pw32* | cegcc*) symcode='[ABCDGISTW]' ;; -hpux*) # Its linker distinguishes data from code symbols +hpux*) if test "$host_cpu" = ia64; then symcode='[ABCDEGRST]' fi - lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'" - lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'" - ;; -linux*) - if test "$host_cpu" = ia64; then - symcode='[ABCDGIRSTW]' - lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'" - lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'" - fi ;; irix* | nonstopux*) symcode='[BCDEGRST]' 
@@ -7474,56 +6726,84 @@ ;; esac +# If we're using GNU nm, then use its standard symbol codes. +case `$NM -V 2>&1` in +*GNU* | *'with BFD'*) + symcode='[ABCDGIRSTW]' ;; +esac + +# Transform an extracted symbol line into a proper C declaration. +# Some systems (esp. on ia64) link data and code symbols differently, +# so use this general approach. +lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'" + +# Transform an extracted symbol line into symbol name and symbol address +lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/ {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/ {\"\2\", (void *) \&\2},/p'" +lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n -e 's/^: \([^ ]*\) $/ {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([^ ]*\) \(lib[^ ]*\)$/ {\"\2\", (void *) \&\2},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/ {\"lib\2\", (void *) \&\2},/p'" + # Handle CRLF in mingw tool chain opt_cr= case $build_os in mingw*) - opt_cr=`echo 'x\{0,1\}' | tr x '\015'` # option cr in regexp + opt_cr=`$ECHO 'x\{0,1\}' | tr x '\015'` # option cr in regexp ;; esac -# If we're using GNU nm, then use its standard symbol codes. -case `$NM -V 2>&1` in -*GNU* | *'with BFD'*) - symcode='[ABCDGIRSTW]' ;; -esac - -# Try without a prefix undercore, then with it. +# Try without a prefix underscore, then with it. for ac_symprfx in "" "_"; do # Transform symcode, sympat, and symprfx into a raw symbol and a C symbol. symxfrm="\\1 $ac_symprfx\\2 \\2" # Write the raw and C identifiers. - lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[ ]\($symcode$symcode*\)[ ][ ]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'" + if test "$lt_cv_nm_interface" = "MS dumpbin"; then + # Fake it for dumpbin and say T for any non-static function + # and D for any global variable. + # Also find C++ and __fastcall symbols from MSVC++, + # which start with @ or ?. 
+ lt_cv_sys_global_symbol_pipe="$AWK '"\ +" {last_section=section; section=\$ 3};"\ +" /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\ +" \$ 0!~/External *\|/{next};"\ +" / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\ +" {if(hide[section]) next};"\ +" {f=0}; \$ 0~/\(\).*\|/{f=1}; {printf f ? \"T \" : \"D \"};"\ +" {split(\$ 0, a, /\||\r/); split(a[2], s)};"\ +" s[1]~/^[@?]/{print s[1], s[1]; next};"\ +" s[1]~prfx {split(s[1],t,\"@\"); print t[1], substr(t[1],length(prfx))}"\ +" ' prfx=^$ac_symprfx" + else + lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[ ]\($symcode$symcode*\)[ ][ ]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'" + fi # Check to see that the pipe works correctly. pipe_works=no rm -f conftest* - cat > conftest.$ac_ext < conftest.$ac_ext <<_LT_EOF #ifdef __cplusplus extern "C" { #endif char nm_test_var; -void nm_test_func(){} +void nm_test_func(void); +void nm_test_func(void){} #ifdef __cplusplus } #endif int main(){nm_test_var='a';nm_test_func();return(0);} -EOF +_LT_EOF if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; then # Now try to grab the symbols. nlist=conftest.nm if { (eval echo "$as_me:$LINENO: \"$NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist\"") >&5 (eval $NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && test -s "$nlist"; then # Try sorting and uniquifying the output. if sort "$nlist" | uniq > "$nlist"T; then 
@@ -7533,42 +6813,44 @@ fi # Make sure that we snagged all the symbols we need. - if grep ' nm_test_var$' "$nlist" >/dev/null; then - if grep ' nm_test_func$' "$nlist" >/dev/null; then - cat < conftest.$ac_ext + if $GREP ' nm_test_var$' "$nlist" >/dev/null; then + if $GREP ' nm_test_func$' "$nlist" >/dev/null; then + cat <<_LT_EOF > conftest.$ac_ext #ifdef __cplusplus extern "C" { #endif -EOF +_LT_EOF # Now generate the symbol file. - eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | grep -v main >> conftest.$ac_ext' + eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | $GREP -v main >> conftest.$ac_ext' - cat <> conftest.$ac_ext -#if defined (__STDC__) && __STDC__ -# define lt_ptr_t void * -#else -# define lt_ptr_t char * -# define const -#endif + cat <<_LT_EOF >> conftest.$ac_ext -/* The mapping between symbol names and symbols. */ +/* The mapping between symbol names and symbols. */ const struct { const char *name; - lt_ptr_t address; + void *address; } -lt_preloaded_symbols[] = +lt__PROGRAM__LTX_preloaded_symbols[] = { -EOF - $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/ {\"\2\", (lt_ptr_t) \&\2},/" < "$nlist" | grep -v main >> conftest.$ac_ext - cat <<\EOF >> conftest.$ac_ext - {0, (lt_ptr_t) 0} + { "@PROGRAM@", (void *) 0 }, +_LT_EOF + $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/ {\"\2\", (void *) \&\2},/" < "$nlist" | $GREP -v main >> conftest.$ac_ext + cat <<\_LT_EOF >> conftest.$ac_ext + {0, (void *) 0} }; +/* This works around a problem in FreeBSD linker */ +#ifdef FREEBSD_WORKAROUND +static const void *lt_preloaded_setup() { + return lt__PROGRAM__LTX_preloaded_symbols; +} +#endif + #ifdef __cplusplus } #endif -EOF +_LT_EOF # Now try linking the two files. mv conftest.$ac_objext conftstm.$ac_objext lt_save_LIBS="$LIBS" 
@@ -7578,7 +6860,7 @@ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && test -s conftest${ac_exeext}; then pipe_works=yes fi @@ -7597,7 +6879,7 @@ echo "$progname: failed program was:" >&5 cat conftest.$ac_ext >&5 fi - rm -f conftest* conftst* + rm -rf conftest* conftst* # Do not use the global_symbol_pipe unless it works. if test "$pipe_works" = yes; then 
@@ -7613,127 +6895,310 @@ lt_cv_sys_global_symbol_to_cdecl= fi if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then - { echo "$as_me:$LINENO: result: failed" >&5 -echo "${ECHO_T}failed" >&6; } + { $as_echo "$as_me:$LINENO: result: failed" >&5 +$as_echo "failed" >&6; } else - { echo "$as_me:$LINENO: result: ok" >&5 -echo "${ECHO_T}ok" >&6; } + { $as_echo "$as_me:$LINENO: result: ok" >&5 +$as_echo "ok" >&6; } fi -{ echo "$as_me:$LINENO: checking for objdir" >&5 -echo $ECHO_N "checking for objdir... $ECHO_C" >&6; } -if test "${lt_cv_objdir+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - rm -f .libs 2>/dev/null -mkdir .libs 2>/dev/null -if test -d .libs; then - lt_cv_objdir=.libs -else - # MS-DOS does not allow filenames that begin with a dot. - lt_cv_objdir=_libs -fi -rmdir .libs 2>/dev/null -fi -{ echo "$as_me:$LINENO: result: $lt_cv_objdir" >&5 -echo "${ECHO_T}$lt_cv_objdir" >&6; } -objdir=$lt_cv_objdir -case $host_os in -aix3*) - # AIX sometimes has problems with the GCC collect2 program. For some - # reason, if we set the COLLECT_NAMES environment variable, the problems - # vanish in a puff of smoke. - if test "X${COLLECT_NAMES+set}" != Xset; then - COLLECT_NAMES= - export COLLECT_NAMES - fi - ;; -esac -# Sed substitution that helps us do robust quoting. It backslashifies -# metacharacters that are still active within double-quoted strings. -Xsed='sed -e 1s/^X//' -sed_quote_subst='s/\([\\"\\`$\\\\]\)/\\\1/g' -# Same as above, but do not quote variable references. -double_quote_subst='s/\([\\"\\`\\\\]\)/\\\1/g' -# Sed substitution to delay expansion of an escaped shell variable in a -# double_quote_subst'ed string. 
-delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g' -# Sed substitution to avoid accidental globbing in evaled expressions -no_glob_subst='s/\*/\\\*/g' -# Constants: -rm="rm -f" -# Global variables: -default_ofile=libtool -can_build_shared=yes -# All known linkers require a `.a' archive for static linking (except MSVC, -# which needs '.lib'). -libext=a -ltmain="$ac_aux_dir/ltmain.sh" -ofile="$default_ofile" -with_gnu_ld="$lt_cv_prog_gnu_ld" -if test -n "$ac_tool_prefix"; then - # Extract the first word of "${ac_tool_prefix}ar", so it can be a program name with args. -set dummy ${ac_tool_prefix}ar; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } -if test "${ac_cv_prog_AR+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$AR"; then - ac_cv_prog_AR="$AR" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_AR="${ac_tool_prefix}ar" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done -IFS=$as_save_IFS -fi -fi -AR=$ac_cv_prog_AR -if test -n "$AR"; then - { echo "$as_me:$LINENO: result: $AR" >&5 -echo "${ECHO_T}$AR" >&6; } + + + + + + + + +# Check whether --enable-libtool-lock was given. +if test "${enable_libtool_lock+set}" = set; then + enableval=$enable_libtool_lock; +fi + +test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes + +# Some flags need to be propagated to the compiler or linker for good +# libtool support. +case $host in +ia64-*-hpux*) + # Find out which ABI we are using. + echo 'int i;' > conftest.$ac_ext + if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; then + case `/usr/bin/file conftest.$ac_objext` in + *ELF-32*) + HPUX_IA64_MODE="32" + ;; + *ELF-64*) + HPUX_IA64_MODE="64" + ;; + esac + fi + rm -rf conftest* + ;; +*-*-irix6*) + # Find out which ABI we are using. + echo '#line 6958 "configure"' > conftest.$ac_ext + if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; then + if test "$lt_cv_prog_gnu_ld" = yes; then + case `/usr/bin/file conftest.$ac_objext` in + *32-bit*) + LD="${LD-ld} -melf32bsmip" + ;; + *N32*) + LD="${LD-ld} -melf32bmipn32" + ;; + *64-bit*) + LD="${LD-ld} -melf64bmip" + ;; + esac + else + case `/usr/bin/file conftest.$ac_objext` in + *32-bit*) + LD="${LD-ld} -32" + ;; + *N32*) + LD="${LD-ld} -n32" + ;; + *64-bit*) + LD="${LD-ld} -64" + ;; + esac + fi + fi + rm -rf conftest* + ;; + +x86_64-*kfreebsd*-gnu|x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*| \ +s390*-*linux*|s390*-*tpf*|sparc*-*linux*) + # Find out which ABI we are using. + echo 'int i;' > conftest.$ac_ext + if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; then + case `/usr/bin/file conftest.o` in + *32-bit*) + case $host in + x86_64-*kfreebsd*-gnu) + LD="${LD-ld} -m elf_i386_fbsd" + ;; + x86_64-*linux*) + LD="${LD-ld} -m elf_i386" + ;; + ppc64-*linux*|powerpc64-*linux*) + LD="${LD-ld} -m elf32ppclinux" + ;; + s390x-*linux*) + LD="${LD-ld} -m elf_s390" + ;; + sparc64-*linux*) + LD="${LD-ld} -m elf32_sparc" + ;; + esac + ;; + *64-bit*) + case $host in + x86_64-*kfreebsd*-gnu) + LD="${LD-ld} -m elf_x86_64_fbsd" + ;; + x86_64-*linux*) + LD="${LD-ld} -m elf_x86_64" + ;; + ppc*-*linux*|powerpc*-*linux*) + LD="${LD-ld} -m elf64ppc" + ;; + s390*-*linux*|s390*-*tpf*) + LD="${LD-ld} -m elf64_s390" + ;; + sparc*-*linux*) + LD="${LD-ld} -m elf64_sparc" + ;; + esac + ;; + esac + fi + rm -rf conftest* + ;; + +*-*-sco3.2v5*) + # On SCO OpenServer 5, we need -belf to get full-featured binaries. + SAVE_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -belf" + { $as_echo "$as_me:$LINENO: checking whether the C compiler needs -belf" >&5 +$as_echo_n "checking whether the C compiler needs -belf... " >&6; } +if test "${lt_cv_cc_needs_belf+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? 
+ grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + lt_cv_cc_needs_belf=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + lt_cv_cc_needs_belf=no +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext + ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + +fi +{ $as_echo "$as_me:$LINENO: result: $lt_cv_cc_needs_belf" >&5 +$as_echo "$lt_cv_cc_needs_belf" >&6; } + if test x"$lt_cv_cc_needs_belf" != x"yes"; then + # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf + CFLAGS="$SAVE_CFLAGS" + fi + ;; +sparc*-*solaris*) + # Find out which ABI we are using. + echo 'int i;' > conftest.$ac_ext + if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; then + case `/usr/bin/file conftest.o` in + *64-bit*) + case $lt_cv_prog_gnu_ld in + yes*) LD="${LD-ld} -m elf64_sparc" ;; + *) + if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then + LD="${LD-ld} -64" + fi + ;; + esac + ;; + esac + fi + rm -rf conftest* + ;; +esac + +need_locks="$enable_libtool_lock" + + + case $host_os in + rhapsody* | darwin*) + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}dsymutil", so it can be a program name with args. 
+set dummy ${ac_tool_prefix}dsymutil; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_DSYMUTIL+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$DSYMUTIL"; then + ac_cv_prog_DSYMUTIL="$DSYMUTIL" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_DSYMUTIL="${ac_tool_prefix}dsymutil" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + +fi +fi +DSYMUTIL=$ac_cv_prog_DSYMUTIL +if test -n "$DSYMUTIL"; then + { $as_echo "$as_me:$LINENO: result: $DSYMUTIL" >&5 +$as_echo "$DSYMUTIL" >&6; } else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi fi -if test -z "$ac_cv_prog_AR"; then - ac_ct_AR=$AR - # Extract the first word of "ar", so it can be a program name with args. -set dummy ar; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } -if test "${ac_cv_prog_ac_ct_AR+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +if test -z "$ac_cv_prog_DSYMUTIL"; then + ac_ct_DSYMUTIL=$DSYMUTIL + # Extract the first word of "dsymutil", so it can be a program name with args. +set dummy dsymutil; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_ac_ct_DSYMUTIL+set}" = set; then + $as_echo_n "(cached) " >&6 else - if test -n "$ac_ct_AR"; then - ac_cv_prog_ac_ct_AR="$ac_ct_AR" # Let the user override the test. 
+ if test -n "$ac_ct_DSYMUTIL"; then + ac_cv_prog_ac_ct_DSYMUTIL="$ac_ct_DSYMUTIL" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH @@ -7742,8 +7207,8 @@ test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_ac_ct_AR="ar" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + ac_cv_prog_ac_ct_DSYMUTIL="dsymutil" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done 
@@ -7752,44 +7217,40 @@ fi fi -ac_ct_AR=$ac_cv_prog_ac_ct_AR -if test -n "$ac_ct_AR"; then - { echo "$as_me:$LINENO: result: $ac_ct_AR" >&5 -echo "${ECHO_T}$ac_ct_AR" >&6; } +ac_ct_DSYMUTIL=$ac_cv_prog_ac_ct_DSYMUTIL +if test -n "$ac_ct_DSYMUTIL"; then + { $as_echo "$as_me:$LINENO: result: $ac_ct_DSYMUTIL" >&5 +$as_echo "$ac_ct_DSYMUTIL" >&6; } else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi - if test "x$ac_ct_AR" = x; then - AR="false" + if test "x$ac_ct_DSYMUTIL" = x; then + DSYMUTIL=":" else case $cross_compiling:$ac_tool_warned in yes:) -{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools -whose name does not start with the host triplet. If you think this -configuration is useful to you, please write to autoconf@gnu.org." >&5 -echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools -whose name does not start with the host triplet. If you think this -configuration is useful to you, please write to autoconf@gnu.org." >&2;} +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac - AR=$ac_ct_AR + DSYMUTIL=$ac_ct_DSYMUTIL fi else - AR="$ac_cv_prog_AR" + DSYMUTIL="$ac_cv_prog_DSYMUTIL" fi -if test -n "$ac_tool_prefix"; then - # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args. -set dummy ${ac_tool_prefix}ranlib; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } -if test "${ac_cv_prog_RANLIB+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}nmedit", so it can be a program name with args. 
+set dummy ${ac_tool_prefix}nmedit; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_NMEDIT+set}" = set; then + $as_echo_n "(cached) " >&6 else - if test -n "$RANLIB"; then - ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test. + if test -n "$NMEDIT"; then + ac_cv_prog_NMEDIT="$NMEDIT" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH @@ -7798,8 +7259,8 @@ test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + ac_cv_prog_NMEDIT="${ac_tool_prefix}nmedit" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done 
@@ -7808,28 +7269,28 @@ fi fi -RANLIB=$ac_cv_prog_RANLIB -if test -n "$RANLIB"; then - { echo "$as_me:$LINENO: result: $RANLIB" >&5 -echo "${ECHO_T}$RANLIB" >&6; } +NMEDIT=$ac_cv_prog_NMEDIT +if test -n "$NMEDIT"; then + { $as_echo "$as_me:$LINENO: result: $NMEDIT" >&5 +$as_echo "$NMEDIT" >&6; } else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi fi -if test -z "$ac_cv_prog_RANLIB"; then - ac_ct_RANLIB=$RANLIB - # Extract the first word of "ranlib", so it can be a program name with args. -set dummy ranlib; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } -if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +if test -z "$ac_cv_prog_NMEDIT"; then + ac_ct_NMEDIT=$NMEDIT + # Extract the first word of "nmedit", so it can be a program name with args. +set dummy nmedit; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_ac_ct_NMEDIT+set}" = set; then + $as_echo_n "(cached) " >&6 else - if test -n "$ac_ct_RANLIB"; then - ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test. + if test -n "$ac_ct_NMEDIT"; then + ac_cv_prog_ac_ct_NMEDIT="$ac_ct_NMEDIT" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH @@ -7838,8 +7299,8 @@ test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_ac_ct_RANLIB="ranlib" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + ac_cv_prog_ac_ct_NMEDIT="nmedit" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done 
@@ -7848,44 +7309,40 @@ fi fi -ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB -if test -n "$ac_ct_RANLIB"; then - { echo "$as_me:$LINENO: result: $ac_ct_RANLIB" >&5 -echo "${ECHO_T}$ac_ct_RANLIB" >&6; } +ac_ct_NMEDIT=$ac_cv_prog_ac_ct_NMEDIT +if test -n "$ac_ct_NMEDIT"; then + { $as_echo "$as_me:$LINENO: result: $ac_ct_NMEDIT" >&5 +$as_echo "$ac_ct_NMEDIT" >&6; } else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi - if test "x$ac_ct_RANLIB" = x; then - RANLIB=":" + if test "x$ac_ct_NMEDIT" = x; then + NMEDIT=":" else case $cross_compiling:$ac_tool_warned in yes:) -{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools -whose name does not start with the host triplet. If you think this -configuration is useful to you, please write to autoconf@gnu.org." >&5 -echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools -whose name does not start with the host triplet. If you think this -configuration is useful to you, please write to autoconf@gnu.org." >&2;} +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac - RANLIB=$ac_ct_RANLIB + NMEDIT=$ac_ct_NMEDIT fi else - RANLIB="$ac_cv_prog_RANLIB" + NMEDIT="$ac_cv_prog_NMEDIT" fi -if test -n "$ac_tool_prefix"; then - # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args. -set dummy ${ac_tool_prefix}strip; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } -if test "${ac_cv_prog_STRIP+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}lipo", so it can be a program name with args. 
+set dummy ${ac_tool_prefix}lipo; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_LIPO+set}" = set; then + $as_echo_n "(cached) " >&6 else - if test -n "$STRIP"; then - ac_cv_prog_STRIP="$STRIP" # Let the user override the test. + if test -n "$LIPO"; then + ac_cv_prog_LIPO="$LIPO" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH @@ -7894,8 +7351,8 @@ test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_STRIP="${ac_tool_prefix}strip" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + ac_cv_prog_LIPO="${ac_tool_prefix}lipo" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done 
@@ -7904,28 +7361,28 @@ fi fi -STRIP=$ac_cv_prog_STRIP -if test -n "$STRIP"; then - { echo "$as_me:$LINENO: result: $STRIP" >&5 -echo "${ECHO_T}$STRIP" >&6; } +LIPO=$ac_cv_prog_LIPO +if test -n "$LIPO"; then + { $as_echo "$as_me:$LINENO: result: $LIPO" >&5 +$as_echo "$LIPO" >&6; } else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi fi -if test -z "$ac_cv_prog_STRIP"; then - ac_ct_STRIP=$STRIP - # Extract the first word of "strip", so it can be a program name with args. -set dummy strip; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } -if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +if test -z "$ac_cv_prog_LIPO"; then + ac_ct_LIPO=$LIPO + # Extract the first word of "lipo", so it can be a program name with args. +set dummy lipo; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_ac_ct_LIPO+set}" = set; then + $as_echo_n "(cached) " >&6 else - if test -n "$ac_ct_STRIP"; then - ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test. + if test -n "$ac_ct_LIPO"; then + ac_cv_prog_ac_ct_LIPO="$ac_ct_LIPO" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH @@ -7934,8 +7391,8 @@ test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_ac_ct_STRIP="strip" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + ac_cv_prog_ac_ct_LIPO="lipo" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done 
@@ -7944,4246 +7401,2756 @@ fi fi -ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP -if test -n "$ac_ct_STRIP"; then - { echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5 -echo "${ECHO_T}$ac_ct_STRIP" >&6; } +ac_ct_LIPO=$ac_cv_prog_ac_ct_LIPO +if test -n "$ac_ct_LIPO"; then + { $as_echo "$as_me:$LINENO: result: $ac_ct_LIPO" >&5 +$as_echo "$ac_ct_LIPO" >&6; } else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi - if test "x$ac_ct_STRIP" = x; then - STRIP=":" + if test "x$ac_ct_LIPO" = x; then + LIPO=":" else case $cross_compiling:$ac_tool_warned in yes:) -{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools -whose name does not start with the host triplet. If you think this -configuration is useful to you, please write to autoconf@gnu.org." >&5 -echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools -whose name does not start with the host triplet. If you think this -configuration is useful to you, please write to autoconf@gnu.org." >&2;} +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac - STRIP=$ac_ct_STRIP + LIPO=$ac_ct_LIPO fi else - STRIP="$ac_cv_prog_STRIP" + LIPO="$ac_cv_prog_LIPO" fi + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}otool", so it can be a program name with args. +set dummy ${ac_tool_prefix}otool; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_OTOOL+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$OTOOL"; then + ac_cv_prog_OTOOL="$OTOOL" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_OTOOL="${ac_tool_prefix}otool" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS -old_CC="$CC" -old_CFLAGS="$CFLAGS" - -# Set sane defaults for various variables -test -z "$AR" && AR=ar -test -z "$AR_FLAGS" && AR_FLAGS=cru -test -z "$AS" && AS=as -test -z "$CC" && CC=cc -test -z "$LTCC" && LTCC=$CC -test -z "$LTCFLAGS" && LTCFLAGS=$CFLAGS -test -z "$DLLTOOL" && DLLTOOL=dlltool -test -z "$LD" && LD=ld -test -z "$LN_S" && LN_S="ln -s" -test -z "$MAGIC_CMD" && MAGIC_CMD=file -test -z "$NM" && NM=nm -test -z "$SED" && SED=sed -test -z "$OBJDUMP" && OBJDUMP=objdump -test -z "$RANLIB" && RANLIB=: -test -z "$STRIP" && STRIP=: -test -z "$ac_objext" && ac_objext=o - -# Determine commands to create old-style static archives. -old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs' -old_postinstall_cmds='chmod 644 $oldlib' -old_postuninstall_cmds= - -if test -n "$RANLIB"; then - case $host_os in - openbsd*) - old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib" - ;; - *) - old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib" - ;; - esac - old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib" fi - -for cc_temp in $compiler""; do - case $cc_temp in - compile | *[\\/]compile | ccache | *[\\/]ccache ) ;; - distcc | *[\\/]distcc | purify | *[\\/]purify ) ;; - \-*) ;; - *) break;; - esac -done -cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"` +fi +OTOOL=$ac_cv_prog_OTOOL +if test -n "$OTOOL"; then + { $as_echo "$as_me:$LINENO: result: $OTOOL" >&5 +$as_echo "$OTOOL" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi -# Only perform the check for file, if the check method requires it -case $deplibs_check_method in -file_magic*) - if test "$file_magic_cmd" = 
'$MAGIC_CMD'; then - { echo "$as_me:$LINENO: checking for ${ac_tool_prefix}file" >&5 -echo $ECHO_N "checking for ${ac_tool_prefix}file... $ECHO_C" >&6; } -if test "${lt_cv_path_MAGIC_CMD+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +fi +if test -z "$ac_cv_prog_OTOOL"; then + ac_ct_OTOOL=$OTOOL + # Extract the first word of "otool", so it can be a program name with args. +set dummy otool; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_ac_ct_OTOOL+set}" = set; then + $as_echo_n "(cached) " >&6 else - case $MAGIC_CMD in -[\\/*] | ?:[\\/]*) - lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path. - ;; -*) - lt_save_MAGIC_CMD="$MAGIC_CMD" - lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR - ac_dummy="/usr/bin$PATH_SEPARATOR$PATH" - for ac_dir in $ac_dummy; do - IFS="$lt_save_ifs" - test -z "$ac_dir" && ac_dir=. - if test -f $ac_dir/${ac_tool_prefix}file; then - lt_cv_path_MAGIC_CMD="$ac_dir/${ac_tool_prefix}file" - if test -n "$file_magic_test_file"; then - case $deplibs_check_method in - "file_magic "*) - file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"` - MAGIC_CMD="$lt_cv_path_MAGIC_CMD" - if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null | - $EGREP "$file_magic_regex" > /dev/null; then - : - else - cat <&2 + if test -n "$ac_ct_OTOOL"; then + ac_cv_prog_ac_ct_OTOOL="$ac_ct_OTOOL" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_ac_ct_OTOOL="otool" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS -*** Warning: the command libtool uses to detect shared libraries, -*** $file_magic_cmd, produces output that libtool cannot recognize. -*** The result is that libtool may fail to recognize shared libraries -*** as such. This will affect the creation of libtool libraries that -*** depend on shared libraries, but programs linked with such libtool -*** libraries will work regardless of this problem. Nevertheless, you -*** may want to report the problem to your system manager and/or to -*** bug-libtool@gnu.org +fi +fi +ac_ct_OTOOL=$ac_cv_prog_ac_ct_OTOOL +if test -n "$ac_ct_OTOOL"; then + { $as_echo "$as_me:$LINENO: result: $ac_ct_OTOOL" >&5 +$as_echo "$ac_ct_OTOOL" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi -EOF - fi ;; - esac - fi - break - fi - done - IFS="$lt_save_ifs" - MAGIC_CMD="$lt_save_MAGIC_CMD" - ;; + if test "x$ac_ct_OTOOL" = x; then + OTOOL=":" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; esac + OTOOL=$ac_ct_OTOOL + fi +else + OTOOL="$ac_cv_prog_OTOOL" fi -MAGIC_CMD="$lt_cv_path_MAGIC_CMD" -if test -n "$MAGIC_CMD"; then - { echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5 -echo "${ECHO_T}$MAGIC_CMD" >&6; } + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}otool64", so it can be a program name with args. +set dummy ${ac_tool_prefix}otool64; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... 
" >&6; } +if test "${ac_cv_prog_OTOOL64+set}" = set; then + $as_echo_n "(cached) " >&6 else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } -fi + if test -n "$OTOOL64"; then + ac_cv_prog_OTOOL64="$OTOOL64" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_OTOOL64="${ac_tool_prefix}otool64" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS -if test -z "$lt_cv_path_MAGIC_CMD"; then - if test -n "$ac_tool_prefix"; then - { echo "$as_me:$LINENO: checking for file" >&5 -echo $ECHO_N "checking for file... $ECHO_C" >&6; } -if test "${lt_cv_path_MAGIC_CMD+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +fi +fi +OTOOL64=$ac_cv_prog_OTOOL64 +if test -n "$OTOOL64"; then + { $as_echo "$as_me:$LINENO: result: $OTOOL64" >&5 +$as_echo "$OTOOL64" >&6; } else - case $MAGIC_CMD in -[\\/*] | ?:[\\/]*) - lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path. - ;; -*) - lt_save_MAGIC_CMD="$MAGIC_CMD" - lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR - ac_dummy="/usr/bin$PATH_SEPARATOR$PATH" - for ac_dir in $ac_dummy; do - IFS="$lt_save_ifs" - test -z "$ac_dir" && ac_dir=. 
- if test -f $ac_dir/file; then - lt_cv_path_MAGIC_CMD="$ac_dir/file" - if test -n "$file_magic_test_file"; then - case $deplibs_check_method in - "file_magic "*) - file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"` - MAGIC_CMD="$lt_cv_path_MAGIC_CMD" - if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null | - $EGREP "$file_magic_regex" > /dev/null; then - : - else - cat <&2 + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi -*** Warning: the command libtool uses to detect shared libraries, -*** $file_magic_cmd, produces output that libtool cannot recognize. -*** The result is that libtool may fail to recognize shared libraries -*** as such. This will affect the creation of libtool libraries that -*** depend on shared libraries, but programs linked with such libtool -*** libraries will work regardless of this problem. Nevertheless, you -*** may want to report the problem to your system manager and/or to -*** bug-libtool@gnu.org -EOF - fi ;; - esac - fi - break - fi - done - IFS="$lt_save_ifs" - MAGIC_CMD="$lt_save_MAGIC_CMD" - ;; -esac fi +if test -z "$ac_cv_prog_OTOOL64"; then + ac_ct_OTOOL64=$OTOOL64 + # Extract the first word of "otool64", so it can be a program name with args. +set dummy otool64; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_ac_ct_OTOOL64+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_OTOOL64"; then + ac_cv_prog_ac_ct_OTOOL64="$ac_ct_OTOOL64" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_ac_ct_OTOOL64="otool64" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS -MAGIC_CMD="$lt_cv_path_MAGIC_CMD" -if test -n "$MAGIC_CMD"; then - { echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5 -echo "${ECHO_T}$MAGIC_CMD" >&6; } +fi +fi +ac_ct_OTOOL64=$ac_cv_prog_ac_ct_OTOOL64 +if test -n "$ac_ct_OTOOL64"; then + { $as_echo "$as_me:$LINENO: result: $ac_ct_OTOOL64" >&5 +$as_echo "$ac_ct_OTOOL64" >&6; } else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi + if test "x$ac_ct_OTOOL64" = x; then + OTOOL64=":" else - MAGIC_CMD=: + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + OTOOL64=$ac_ct_OTOOL64 fi +else + OTOOL64="$ac_cv_prog_OTOOL64" fi - fi - ;; -esac -enable_dlopen=no -enable_win32_dll=no -# Check whether --enable-libtool-lock was given. -if test "${enable_libtool_lock+set}" = set; then - enableval=$enable_libtool_lock; -fi -test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes -# Check whether --with-pic was given. -if test "${with_pic+set}" = set; then - withval=$with_pic; pic_mode="$withval" -else - pic_mode=default -fi -test -z "$pic_mode" && pic_mode=default -# Use C for the default configuration in the libtool script -tagname= -lt_save_CC="$CC" -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu -# Source file extension for C test sources. 
-ac_ext=c -# Object file extension for compiled C test sources. -objext=o -objext=$objext -# Code to be used in simple compile tests -lt_simple_compile_test_code="int some_variable = 0;\n" -# Code to be used in simple link tests -lt_simple_link_test_code='int main(){return(0);}\n' -# If no C compiler was specified, use CC. -LTCC=${LTCC-"$CC"} -# If no C compiler flags were specified, use CFLAGS. -LTCFLAGS=${LTCFLAGS-"$CFLAGS"} -# Allow CC to be a program name with arguments. -compiler=$CC -# save warnings/boilerplate of simple test code -ac_outfile=conftest.$ac_objext -printf "$lt_simple_compile_test_code" >conftest.$ac_ext -eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err -_lt_compiler_boilerplate=`cat conftest.err` -$rm conftest* -ac_outfile=conftest.$ac_objext -printf "$lt_simple_link_test_code" >conftest.$ac_ext -eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err -_lt_linker_boilerplate=`cat conftest.err` -$rm conftest* -lt_prog_compiler_no_builtin_flag= -if test "$GCC" = yes; then - lt_prog_compiler_no_builtin_flag=' -fno-builtin' -{ echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5 -echo $ECHO_N "checking if $compiler supports -fno-rtti -fno-exceptions... $ECHO_C" >&6; } -if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - lt_cv_prog_compiler_rtti_exceptions=no - ac_outfile=conftest.$ac_objext - printf "$lt_simple_compile_test_code" > conftest.$ac_ext - lt_compiler_flag="-fno-rtti -fno-exceptions" - # Insert the option either (1) after the last *FLAGS variable, or - # (2) before a word containing "conftest.", or (3) at the end. - # Note that $ac_compile itself does not contain backslashes and begins - # with a dollar sign (not a hyphen), so the echo should work correctly. - # The option is referenced via a variable to avoid confusing sed. 
- lt_compile=`echo "$ac_compile" | $SED \ - -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ - -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ - -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8253: $lt_compile\"" >&5) - (eval "$lt_compile" 2>conftest.err) - ac_status=$? - cat conftest.err >&5 - echo "$as_me:8257: \$? = $ac_status" >&5 - if (exit $ac_status) && test -s "$ac_outfile"; then - # The compiler can only warn and ignore the option if not recognized - # So say no if there are warnings other than the usual output. - $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp - $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 - if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then - lt_cv_prog_compiler_rtti_exceptions=yes - fi - fi - $rm conftest* -fi -{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5 -echo "${ECHO_T}$lt_cv_prog_compiler_rtti_exceptions" >&6; } - -if test x"$lt_cv_prog_compiler_rtti_exceptions" = xyes; then - lt_prog_compiler_no_builtin_flag="$lt_prog_compiler_no_builtin_flag -fno-rtti -fno-exceptions" + { $as_echo "$as_me:$LINENO: checking for -single_module linker flag" >&5 +$as_echo_n "checking for -single_module linker flag... " >&6; } +if test "${lt_cv_apple_cc_single_mod+set}" = set; then + $as_echo_n "(cached) " >&6 else - : + lt_cv_apple_cc_single_mod=no + if test -z "${LT_MULTI_MODULE}"; then + # By default we will add the -single_module flag. You can override + # by either setting the environment variable LT_MULTI_MODULE + # non-empty at configure time, or by adding -multi_module to the + # link flags. + rm -rf libconftest.dylib* + echo "int foo(void){return 1;}" > conftest.c + echo "$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \ +-dynamiclib -Wl,-single_module conftest.c" >&5 + $LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \ + -dynamiclib -Wl,-single_module conftest.c 2>conftest.err + _lt_result=$? + if test -f libconftest.dylib && test ! 
-s conftest.err && test $_lt_result = 0; then + lt_cv_apple_cc_single_mod=yes + else + cat conftest.err >&5 + fi + rm -rf libconftest.dylib* + rm -f conftest.* + fi fi +{ $as_echo "$as_me:$LINENO: result: $lt_cv_apple_cc_single_mod" >&5 +$as_echo "$lt_cv_apple_cc_single_mod" >&6; } + { $as_echo "$as_me:$LINENO: checking for -exported_symbols_list linker flag" >&5 +$as_echo_n "checking for -exported_symbols_list linker flag... " >&6; } +if test "${lt_cv_ld_exported_symbols_list+set}" = set; then + $as_echo_n "(cached) " >&6 +else + lt_cv_ld_exported_symbols_list=no + save_LDFLAGS=$LDFLAGS + echo "_main" > conftest.sym + LDFLAGS="$LDFLAGS -Wl,-exported_symbols_list,conftest.sym" + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ -fi +int +main () +{ -lt_prog_compiler_wl= -lt_prog_compiler_pic= -lt_prog_compiler_static= + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + lt_cv_ld_exported_symbols_list=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5 -echo $ECHO_N "checking for $compiler option to produce PIC... 
$ECHO_C" >&6; } + lt_cv_ld_exported_symbols_list=no +fi - if test "$GCC" = yes; then - lt_prog_compiler_wl='-Wl,' - lt_prog_compiler_static='-static' +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS="$save_LDFLAGS" +fi +{ $as_echo "$as_me:$LINENO: result: $lt_cv_ld_exported_symbols_list" >&5 +$as_echo "$lt_cv_ld_exported_symbols_list" >&6; } case $host_os in - aix*) - # All AIX code is PIC. - if test "$host_cpu" = ia64; then - # AIX 5 now supports IA64 processor - lt_prog_compiler_static='-Bstatic' - fi - ;; - - amigaos*) - # FIXME: we need at least 68020 code to build shared libraries, but - # adding the `-m68020' flag to GCC prevents building anything better, - # like `-m68040'. - lt_prog_compiler_pic='-m68020 -resident32 -malways-restore-a4' - ;; - - beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) - # PIC is the default for these OSes. - ;; + rhapsody* | darwin1.[012]) + _lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;; + darwin1.*) + _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;; + darwin*) # darwin 5.x on + # if running on 10.5 or later, the deployment target defaults + # to the OS version, if on x86, and 10.4, the deployment + # target defaults to 10.4. Don't you love it? 
+ case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in + 10.0,*86*-darwin8*|10.0,*-darwin[91]*) + _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;; + 10.[012]*) + _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;; + 10.*) + _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;; + esac + ;; + esac + if test "$lt_cv_apple_cc_single_mod" = "yes"; then + _lt_dar_single_mod='$single_module' + fi + if test "$lt_cv_ld_exported_symbols_list" = "yes"; then + _lt_dar_export_syms=' ${wl}-exported_symbols_list,$output_objdir/${libname}-symbols.expsym' + else + _lt_dar_export_syms='~$NMEDIT -s $output_objdir/${libname}-symbols.expsym ${lib}' + fi + if test "$DSYMUTIL" != ":"; then + _lt_dsymutil='~$DSYMUTIL $lib || :' + else + _lt_dsymutil= + fi + ;; + esac - mingw* | pw32* | os2*) - # This hack is so that the source file can tell whether it is being - # built for inclusion in a dll (and should export symbols for example). - lt_prog_compiler_pic='-DDLL_EXPORT' - ;; +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu +{ $as_echo "$as_me:$LINENO: checking how to run the C preprocessor" >&5 +$as_echo_n "checking how to run the C preprocessor... " >&6; } +# On Suns, sometimes $CPP names a directory. +if test -n "$CPP" && test -d "$CPP"; then + CPP= +fi +if test -z "$CPP"; then + if test "${ac_cv_prog_CPP+set}" = set; then + $as_echo_n "(cached) " >&6 +else + # Double quotes because CPP needs to be expanded + for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp" + do + ac_preproc_ok=false +for ac_c_preproc_warn_flag in '' yes +do + # Use a header file that comes with gcc, so configuring glibc + # with a fresh cross-compiler works. + # Prefer to if __STDC__ is defined, since + # exists even on freestanding compilers. 
+ # On the NeXT, cc -E runs the code through the compiler's parser, + # not just through cpp. "Syntax error" is here to catch this case. + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#ifdef __STDC__ +# include +#else +# include +#endif + Syntax error +_ACEOF +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then + : +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 - darwin* | rhapsody*) - # PIC is the default on this platform - # Common symbols not allowed in MH_DYLIB files - lt_prog_compiler_pic='-fno-common' - ;; + # Broken: fails on valid input. +continue +fi - interix3*) - # Interix 3.x gcc -fpic/-fPIC options generate broken code. - # Instead, we relocate shared libraries at runtime. - ;; +rm -f conftest.err conftest.$ac_ext - msdosdjgpp*) - # Just because we use GCC doesn't mean we suddenly get shared libraries - # on systems that don't support them. - lt_prog_compiler_can_build_shared=no - enable_shared=no - ;; + # OK, works on sane cases. Now check whether nonexistent headers + # can be detected and how. + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +#include +_ACEOF +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then + # Broken: success on invalid input. +continue +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 - sysv4*MP*) - if test -d /usr/nec; then - lt_prog_compiler_pic=-Kconform_pic - fi - ;; + # Passes both tests. +ac_preproc_ok=: +break +fi - hpux*) - # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but - # not for PA HP-UX. - case $host_cpu in - hppa*64*|ia64*) - # +Z the default - ;; - *) - lt_prog_compiler_pic='-fPIC' - ;; - esac - ;; +rm -f conftest.err conftest.$ac_ext - *) - lt_prog_compiler_pic='-fPIC' - ;; - esac - else - # PORTME Check for flag to pass linker flags through the system compiler. - case $host_os in - aix*) - lt_prog_compiler_wl='-Wl,' - if test "$host_cpu" = ia64; then - # AIX 5 now supports IA64 processor - lt_prog_compiler_static='-Bstatic' - else - lt_prog_compiler_static='-bnso -bI:/lib/syscalls.exp' - fi - ;; - darwin*) - # PIC is the default on this platform - # Common symbols not allowed in MH_DYLIB files - case $cc_basename in - xlc*) - lt_prog_compiler_pic='-qnocommon' - lt_prog_compiler_wl='-Wl,' - ;; - esac - ;; +done +# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. +rm -f conftest.err conftest.$ac_ext +if $ac_preproc_ok; then + break +fi - mingw* | pw32* | os2*) - # This hack is so that the source file can tell whether it is being - # built for inclusion in a dll (and should export symbols for example). 
- lt_prog_compiler_pic='-DDLL_EXPORT' - ;; - - hpux9* | hpux10* | hpux11*) - lt_prog_compiler_wl='-Wl,' - # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but - # not for PA HP-UX. - case $host_cpu in - hppa*64*|ia64*) - # +Z the default - ;; - *) - lt_prog_compiler_pic='+Z' - ;; - esac - # Is there a better lt_prog_compiler_static that works with the bundled CC? - lt_prog_compiler_static='${wl}-a ${wl}archive' - ;; - - irix5* | irix6* | nonstopux*) - lt_prog_compiler_wl='-Wl,' - # PIC (with -KPIC) is the default. - lt_prog_compiler_static='-non_shared' - ;; - - newsos6) - lt_prog_compiler_pic='-KPIC' - lt_prog_compiler_static='-Bstatic' - ;; - - linux*) - case $cc_basename in - icc* | ecc*) - lt_prog_compiler_wl='-Wl,' - lt_prog_compiler_pic='-KPIC' - lt_prog_compiler_static='-static' - ;; - pgcc* | pgf77* | pgf90* | pgf95*) - # Portland Group compilers (*not* the Pentium gcc compiler, - # which looks to be a dead project) - lt_prog_compiler_wl='-Wl,' - lt_prog_compiler_pic='-fpic' - lt_prog_compiler_static='-Bstatic' - ;; - ccc*) - lt_prog_compiler_wl='-Wl,' - # All Alpha code is PIC. - lt_prog_compiler_static='-non_shared' - ;; - esac - ;; - - osf3* | osf4* | osf5*) - lt_prog_compiler_wl='-Wl,' - # All OSF/1 code is PIC. 
- lt_prog_compiler_static='-non_shared' - ;; - - solaris*) - lt_prog_compiler_pic='-KPIC' - lt_prog_compiler_static='-Bstatic' - case $cc_basename in - f77* | f90* | f95*) - lt_prog_compiler_wl='-Qoption ld ';; - *) - lt_prog_compiler_wl='-Wl,';; - esac - ;; - - sunos4*) - lt_prog_compiler_wl='-Qoption ld ' - lt_prog_compiler_pic='-PIC' - lt_prog_compiler_static='-Bstatic' - ;; - - sysv4 | sysv4.2uw2* | sysv4.3*) - lt_prog_compiler_wl='-Wl,' - lt_prog_compiler_pic='-KPIC' - lt_prog_compiler_static='-Bstatic' - ;; - - sysv4*MP*) - if test -d /usr/nec ;then - lt_prog_compiler_pic='-Kconform_pic' - lt_prog_compiler_static='-Bstatic' - fi - ;; - - sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*) - lt_prog_compiler_wl='-Wl,' - lt_prog_compiler_pic='-KPIC' - lt_prog_compiler_static='-Bstatic' - ;; - - unicos*) - lt_prog_compiler_wl='-Wl,' - lt_prog_compiler_can_build_shared=no - ;; - - uts4*) - lt_prog_compiler_pic='-pic' - lt_prog_compiler_static='-Bstatic' - ;; - - *) - lt_prog_compiler_can_build_shared=no - ;; - esac - fi - -{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic" >&5 -echo "${ECHO_T}$lt_prog_compiler_pic" >&6; } - -# -# Check to make sure the PIC flag actually works. -# -if test -n "$lt_prog_compiler_pic"; then - -{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5 -echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic works... $ECHO_C" >&6; } -if test "${lt_prog_compiler_pic_works+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - lt_prog_compiler_pic_works=no - ac_outfile=conftest.$ac_objext - printf "$lt_simple_compile_test_code" > conftest.$ac_ext - lt_compiler_flag="$lt_prog_compiler_pic -DPIC" - # Insert the option either (1) after the last *FLAGS variable, or - # (2) before a word containing "conftest.", or (3) at the end. - # Note that $ac_compile itself does not contain backslashes and begins - # with a dollar sign (not a hyphen), so the echo should work correctly. 
- # The option is referenced via a variable to avoid confusing sed. - lt_compile=`echo "$ac_compile" | $SED \ - -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ - -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ - -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8521: $lt_compile\"" >&5) - (eval "$lt_compile" 2>conftest.err) - ac_status=$? - cat conftest.err >&5 - echo "$as_me:8525: \$? = $ac_status" >&5 - if (exit $ac_status) && test -s "$ac_outfile"; then - # The compiler can only warn and ignore the option if not recognized - # So say no if there are warnings other than the usual output. - $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp - $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 - if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then - lt_prog_compiler_pic_works=yes - fi - fi - $rm conftest* + done + ac_cv_prog_CPP=$CPP fi -{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_works" >&5 -echo "${ECHO_T}$lt_prog_compiler_pic_works" >&6; } - -if test x"$lt_prog_compiler_pic_works" = xyes; then - case $lt_prog_compiler_pic in - "" | " "*) ;; - *) lt_prog_compiler_pic=" $lt_prog_compiler_pic" ;; - esac + CPP=$ac_cv_prog_CPP else - lt_prog_compiler_pic= - lt_prog_compiler_can_build_shared=no + ac_cv_prog_CPP=$CPP fi +{ $as_echo "$as_me:$LINENO: result: $CPP" >&5 +$as_echo "$CPP" >&6; } +ac_preproc_ok=false +for ac_c_preproc_warn_flag in '' yes +do + # Use a header file that comes with gcc, so configuring glibc + # with a fresh cross-compiler works. + # Prefer to if __STDC__ is defined, since + # exists even on freestanding compilers. + # On the NeXT, cc -E runs the code through the compiler's parser, + # not just through cpp. "Syntax error" is here to catch this case. + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +#ifdef __STDC__ +# include +#else +# include +#endif + Syntax error +_ACEOF +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then + : +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + # Broken: fails on valid input. +continue fi -case $host_os in - # For platforms which do not support PIC, -DPIC is meaningless: - *djgpp*) - lt_prog_compiler_pic= - ;; - *) - lt_prog_compiler_pic="$lt_prog_compiler_pic -DPIC" - ;; -esac -# -# Check to make sure the static flag actually works. -# -wl=$lt_prog_compiler_wl eval lt_tmp_static_flag=\"$lt_prog_compiler_static\" -{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5 -echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; } -if test "${lt_prog_compiler_static_works+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +rm -f conftest.err conftest.$ac_ext + + # OK, works on sane cases. Now check whether nonexistent headers + # can be detected and how. + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include +_ACEOF +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? 
+ grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then + # Broken: success on invalid input. +continue else - lt_prog_compiler_static_works=no - save_LDFLAGS="$LDFLAGS" - LDFLAGS="$LDFLAGS $lt_tmp_static_flag" - printf "$lt_simple_link_test_code" > conftest.$ac_ext - if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then - # The linker can only warn and ignore the option if not recognized - # So say no if there are warnings - if test -s conftest.err; then - # Append any errors to the config.log. - cat conftest.err 1>&5 - $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp - $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 - if diff conftest.exp conftest.er2 >/dev/null; then - lt_prog_compiler_static_works=yes - fi - else - lt_prog_compiler_static_works=yes - fi - fi - $rm conftest* - LDFLAGS="$save_LDFLAGS" + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + # Passes both tests. +ac_preproc_ok=: +break fi -{ echo "$as_me:$LINENO: result: $lt_prog_compiler_static_works" >&5 -echo "${ECHO_T}$lt_prog_compiler_static_works" >&6; } -if test x"$lt_prog_compiler_static_works" = xyes; then - : +rm -f conftest.err conftest.$ac_ext + +done +# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. +rm -f conftest.err conftest.$ac_ext +if $ac_preproc_ok; then + : else - lt_prog_compiler_static= + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: C preprocessor \"$CPP\" fails sanity check +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: C preprocessor \"$CPP\" fails sanity check +See \`config.log' for more details." 
>&2;} + { (exit 1); exit 1; }; }; } fi +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu -{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5 -echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; } -if test "${lt_cv_prog_compiler_c_o+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + +{ $as_echo "$as_me:$LINENO: checking for ANSI C header files" >&5 +$as_echo_n "checking for ANSI C header files... " >&6; } +if test "${ac_cv_header_stdc+set}" = set; then + $as_echo_n "(cached) " >&6 else - lt_cv_prog_compiler_c_o=no - $rm -r conftest 2>/dev/null - mkdir conftest - cd conftest - mkdir out - printf "$lt_simple_compile_test_code" > conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include +#include +#include +#include - lt_compiler_flag="-o out/conftest2.$ac_objext" - # Insert the option either (1) after the last *FLAGS variable, or - # (2) before a word containing "conftest.", or (3) at the end. - # Note that $ac_compile itself does not contain backslashes and begins - # with a dollar sign (not a hyphen), so the echo should work correctly. - lt_compile=`echo "$ac_compile" | $SED \ - -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ - -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ - -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8625: $lt_compile\"" >&5) - (eval "$lt_compile" 2>out/conftest.err) - ac_status=$? - cat out/conftest.err >&5 - echo "$as_me:8629: \$? 
= $ac_status" >&5 - if (exit $ac_status) && test -s out/conftest2.$ac_objext - then - # The compiler can only warn and ignore the option if not recognized - # So say no if there are warnings - $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp - $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2 - if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then - lt_cv_prog_compiler_c_o=yes - fi - fi - chmod u+w . 2>&5 - $rm conftest* - # SGI C++ compiler will create directory out/ii_files/ for - # template instantiation - test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files - $rm out/* && rmdir out - cd .. - rmdir conftest - $rm conftest* +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_cv_header_stdc=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_cv_header_stdc=no fi -{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o" >&5 -echo "${ECHO_T}$lt_cv_prog_compiler_c_o" >&6; } +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -hard_links="nottested" -if test "$lt_cv_prog_compiler_c_o" = no && test "$need_locks" != no; then - # do not overwrite the value of need_locks provided by the user - { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5 -echo $ECHO_N "checking if we can lock with hard links... 
$ECHO_C" >&6; } - hard_links=yes - $rm conftest* - ln conftest.a conftest.b 2>/dev/null && hard_links=no - touch conftest.a - ln conftest.a conftest.b 2>&5 || hard_links=no - ln conftest.a conftest.b 2>/dev/null && hard_links=no - { echo "$as_me:$LINENO: result: $hard_links" >&5 -echo "${ECHO_T}$hard_links" >&6; } - if test "$hard_links" = no; then - { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5 -echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;} - need_locks=warn - fi +if test $ac_cv_header_stdc = yes; then + # SunOS 4.x string.h does not declare mem*, contrary to ANSI. + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "memchr" >/dev/null 2>&1; then + : else - need_locks=no + ac_cv_header_stdc=no fi +rm -f conftest* -{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5 -echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... 
$ECHO_C" >&6; } - - runpath_var= - allow_undefined_flag= - enable_shared_with_static_runtimes=no - archive_cmds= - archive_expsym_cmds= - old_archive_From_new_cmds= - old_archive_from_expsyms_cmds= - export_dynamic_flag_spec= - whole_archive_flag_spec= - thread_safe_flag_spec= - hardcode_libdir_flag_spec= - hardcode_libdir_flag_spec_ld= - hardcode_libdir_separator= - hardcode_direct=no - hardcode_minus_L=no - hardcode_shlibpath_var=unsupported - link_all_deplibs=unknown - hardcode_automatic=no - module_cmds= - module_expsym_cmds= - always_export_symbols=no - export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' - # include_expsyms should be a list of space-separated symbols to be *always* - # included in the symbol list - include_expsyms= - # exclude_expsyms can be an extended regexp of symbols to exclude - # it will be wrapped by ` (' and `)$', so one must not match beginning or - # end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc', - # as well as any symbol that contains `d'. - exclude_expsyms="_GLOBAL_OFFSET_TABLE_" - # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out - # platforms (ab)use it in PIC code, but their linkers get confused if - # the symbol is explicitly referenced. Since portable code cannot - # rely on this symbol name, it's probably fine to never include it in - # preloaded symbol tables. - extract_expsyms_cmds= - # Just being paranoid about ensuring that cc_basename is set. 
- for cc_temp in $compiler""; do - case $cc_temp in - compile | *[\\/]compile | ccache | *[\\/]ccache ) ;; - distcc | *[\\/]distcc | purify | *[\\/]purify ) ;; - \-*) ;; - *) break;; - esac -done -cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"` +fi - case $host_os in - cygwin* | mingw* | pw32*) - # FIXME: the MSVC++ port hasn't been tested in a loooong time - # When not using gcc, we currently assume that we are using - # Microsoft Visual C++. - if test "$GCC" != yes; then - with_gnu_ld=no - fi - ;; - interix*) - # we just hope/assume this is gcc and not c89 (= MSVC++) - with_gnu_ld=yes - ;; - openbsd*) - with_gnu_ld=no - ;; - esac +if test $ac_cv_header_stdc = yes; then + # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include - ld_shlibs=yes - if test "$with_gnu_ld" = yes; then - # If archive_cmds runs LD, not CC, wlarc should be empty - wlarc='${wl}' +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "free" >/dev/null 2>&1; then + : +else + ac_cv_header_stdc=no +fi +rm -f conftest* - # Set some defaults for GNU ld with shared library support. These - # are reset later if shared libraries are not supported. Putting them - # here allows them to be overridden if necessary. - runpath_var=LD_RUN_PATH - hardcode_libdir_flag_spec='${wl}--rpath ${wl}$libdir' - export_dynamic_flag_spec='${wl}--export-dynamic' - # ancient GNU ld didn't support --whole-archive et. al. - if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then - whole_archive_flag_spec="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' - else - whole_archive_flag_spec= - fi - supports_anon_versioning=no - case `$LD -v 2>/dev/null` in - *\ [01].* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11 - *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ... 
- *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ... - *\ 2.11.*) ;; # other 2.11 versions - *) supports_anon_versioning=yes ;; - esac +fi - # See if GNU ld supports shared libraries. - case $host_os in - aix3* | aix4* | aix5*) - # On AIX/PPC, the GNU linker is very broken - if test "$host_cpu" != ia64; then - ld_shlibs=no - cat <&2 +if test $ac_cv_header_stdc = yes; then + # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi. + if test "$cross_compiling" = yes; then + : +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include +#include +#if ((' ' & 0x0FF) == 0x020) +# define ISLOWER(c) ('a' <= (c) && (c) <= 'z') +# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c)) +#else +# define ISLOWER(c) \ + (('a' <= (c) && (c) <= 'i') \ + || ('j' <= (c) && (c) <= 'r') \ + || ('s' <= (c) && (c) <= 'z')) +# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c)) +#endif -*** Warning: the GNU linker, at least up to release 2.9.1, is reported -*** to be unable to reliably create shared libraries on AIX. -*** Therefore, libtool is disabling shared libraries support. If you -*** really care for shared libraries, you may want to modify your PATH -*** so that a non-GNU linker is found, and then restart. +#define XOR(e, f) (((e) && !(f)) || (!(e) && (f))) +int +main () +{ + int i; + for (i = 0; i < 256; i++) + if (XOR (islower (i), ISLOWER (i)) + || toupper (i) != TOUPPER (i)) + return 2; + return 0; +} +_ACEOF +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + : +else + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -EOF - fi - ;; - - amigaos*) - archive_cmds='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' - hardcode_libdir_flag_spec='-L$libdir' - hardcode_minus_L=yes - - # Samuel A. Falvo II reports - # that the semantics of dynamic libraries on AmigaOS, at least up - # to version 4, is to share data among multiple programs linked - # with the same dynamic library. Since this doesn't match the - # behavior of shared libraries on other platforms, we can't use - # them. - ld_shlibs=no - ;; - - beos*) - if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - allow_undefined_flag=unsupported - # Joseph Beckenbach says some releases of gcc - # support --undefined. This deserves some investigation. FIXME - archive_cmds='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - else - ld_shlibs=no - fi - ;; - - cygwin* | mingw* | pw32*) - # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, ) is actually meaningless, - # as there is no search path for DLLs. 
- hardcode_libdir_flag_spec='-L$libdir' - allow_undefined_flag=unsupported - always_export_symbols=no - enable_shared_with_static_runtimes=yes - export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols' - - if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then - archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' - # If the export-symbols file already is a .def file (1st line - # is EXPORTS), use it as is; otherwise, prepend... - archive_expsym_cmds='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then - cp $export_symbols $output_objdir/$soname.def; - else - echo EXPORTS > $output_objdir/$soname.def; - cat $export_symbols >> $output_objdir/$soname.def; - fi~ - $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' - else - ld_shlibs=no - fi - ;; - - interix3*) - hardcode_direct=no - hardcode_shlibpath_var=no - hardcode_libdir_flag_spec='${wl}-rpath,$libdir' - export_dynamic_flag_spec='${wl}-E' - # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc. - # Instead, shared libraries are loaded at an image base (0x10000000 by - # default) and relocated if they conflict, which is a slow very memory - # consuming and fragmenting process. To avoid this, we pick a random, - # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link - # time. Moving up from 0x10000000 also allows more sbrk(2) space. 
- archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' - archive_expsym_cmds='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' - ;; - - linux*) - if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - tmp_addflag= - case $cc_basename,$host_cpu in - pgcc*) # Portland Group C compiler - whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive' - tmp_addflag=' $pic_flag' - ;; - pgf77* | pgf90* | pgf95*) # Portland Group f77 and f90 compilers - whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive' - tmp_addflag=' $pic_flag -Mnomain' ;; - ecc*,ia64* | icc*,ia64*) # Intel C compiler on ia64 - tmp_addflag=' -i_dynamic' ;; - efc*,ia64* | ifort*,ia64*) # Intel Fortran compiler on ia64 - tmp_addflag=' -i_dynamic -nofor_main' ;; - ifc* | ifort*) # Intel Fortran compiler - tmp_addflag=' -nofor_main' ;; - esac - archive_cmds='$CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - - if test $supports_anon_versioning = yes; then - archive_expsym_cmds='$echo "{ global:" > $output_objdir/$libname.ver~ - cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ - $echo "local: *; };" >> $output_objdir/$libname.ver~ - $CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib' - fi - else - 
ld_shlibs=no - fi - ;; - - netbsd*) - if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then - archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' - wlarc= - else - archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - fi - ;; - - solaris*) - if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then - ld_shlibs=no - cat <&2 - -*** Warning: The releases 2.8.* of the GNU linker cannot reliably -*** create shared libraries on Solaris systems. Therefore, libtool -*** is disabling shared libraries support. We urge you to upgrade GNU -*** binutils to release 2.9.1 or newer. Another option is to modify -*** your PATH or compiler configuration so that the native linker is -*** used, and then restart. +( exit $ac_status ) +ac_cv_header_stdc=no +fi +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +fi -EOF - elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - else - ld_shlibs=no - fi - ;; - sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*) - case `$LD -v 2>&1` in - *\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*) - ld_shlibs=no - cat <<_LT_EOF 1>&2 +fi +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5 +$as_echo "$ac_cv_header_stdc" >&6; } +if test $ac_cv_header_stdc = yes; then -*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not -*** reliably create shared libraries on SCO systems. Therefore, libtool -*** is disabling shared libraries support. 
We urge you to upgrade GNU -*** binutils to release 2.16.91.0.3 or newer. Another option is to modify -*** your PATH or compiler configuration so that the native linker is -*** used, and then restart. +cat >>confdefs.h <<\_ACEOF +#define STDC_HEADERS 1 +_ACEOF -_LT_EOF - ;; - *) - if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - hardcode_libdir_flag_spec='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`' - archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib' - archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname,-retain-symbols-file,$export_symbols -o $lib' - else - ld_shlibs=no - fi - ;; - esac - ;; +fi - sunos4*) - archive_cmds='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags' - wlarc= - hardcode_direct=yes - hardcode_shlibpath_var=no - ;; +# On IRIX 5.3, sys/types and inttypes.h are conflicting. - *) - if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - else - ld_shlibs=no - fi - ;; - esac - if test "$ld_shlibs" = no; then - runpath_var= - hardcode_libdir_flag_spec= - export_dynamic_flag_spec= - whole_archive_flag_spec= - fi - else - # PORTME fill in a description of your system's linker (not GNU ld) - case $host_os in - aix3*) - allow_undefined_flag=unsupported - always_export_symbols=yes - archive_expsym_cmds='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname' - # Note: this linker hardcodes the directories in LIBPATH if there - # are no directories specified by -L. 
- hardcode_minus_L=yes - if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then - # Neither direct hardcoding nor static linking is supported with a - # broken collect2. - hardcode_direct=unsupported - fi - ;; - aix4* | aix5*) - if test "$host_cpu" = ia64; then - # On IA64, the linker does run time linking by default, so we don't - # have to do anything special. - aix_use_runtimelinking=no - exp_sym_flag='-Bexport' - no_entry_flag="" - else - # If we're using GNU nm, then we don't want the "-C" option. - # -C means demangle to AIX nm, but means don't demangle with GNU nm - if $NM -V 2>&1 | grep 'GNU' > /dev/null; then - export_symbols_cmds='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols' - else - export_symbols_cmds='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols' - fi - aix_use_runtimelinking=no - # Test if we are trying to use run time linking or normal - # AIX style linking. If -brtl is somewhere in LDFLAGS, we - # need to do runtime linking. - case $host_os in aix4.[23]|aix4.[23].*|aix5*) - for ld_flag in $LDFLAGS; do - if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then - aix_use_runtimelinking=yes - break - fi - done - ;; - esac - exp_sym_flag='-bexport' - no_entry_flag='-bnoentry' - fi - # When large executables or shared objects are built, AIX ld can - # have problems creating the table of contents. If linking a library - # or program results in "error TOC overflow" add -mminimal-toc to - # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not - # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS. 
- archive_cmds='' - hardcode_direct=yes - hardcode_libdir_separator=':' - link_all_deplibs=yes - if test "$GCC" = yes; then - case $host_os in aix4.[012]|aix4.[012].*) - # We only want to do this on AIX 4.2 and lower, the check - # below for broken collect2 doesn't work under 4.3+ - collect2name=`${CC} -print-prog-name=collect2` - if test -f "$collect2name" && \ - strings "$collect2name" | grep resolve_lib_name >/dev/null - then - # We have reworked collect2 - hardcode_direct=yes - else - # We have old collect2 - hardcode_direct=unsupported - # It fails to find uninstalled libraries when the uninstalled - # path is not listed in the libpath. Setting hardcode_minus_L - # to unsupported forces relinking - hardcode_minus_L=yes - hardcode_libdir_flag_spec='-L$libdir' - hardcode_libdir_separator= - fi - ;; - esac - shared_flag='-shared' - if test "$aix_use_runtimelinking" = yes; then - shared_flag="$shared_flag "'${wl}-G' - fi - else - # not using gcc - if test "$host_cpu" = ia64; then - # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release - # chokes on -Wl,-G. The following line is correct: - shared_flag='-G' - else - if test "$aix_use_runtimelinking" = yes; then - shared_flag='${wl}-G' - else - shared_flag='${wl}-bM:SRE' - fi - fi - fi - # It seems that -bexpall does not export symbols beginning with - # underscore (_), so it is better to generate a list of symbols to export. - always_export_symbols=yes - if test "$aix_use_runtimelinking" = yes; then - # Warning - without using the other runtime loading flags (-brtl), - # -berok will link without error, but may produce a broken library. - allow_undefined_flag='-berok' - # Determine the default libpath from the value encoded in an empty executable. 
- cat >conftest.$ac_ext <<_ACEOF +for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \ + inttypes.h stdint.h unistd.h +do +as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ +$ac_includes_default -int -main () -{ - - ; - return 0; -} +#include <$ac_header> _ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - -aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } -}'` -# Check for a 64-bit object if we didn't find anything. 
-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } -}'`; fi + } && test -s conftest.$ac_objext; then + eval "$as_ac_Header=yes" else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 + eval "$as_ac_Header=no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +as_val=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi +fi - hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath" - archive_expsym_cmds="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag" - else - if test "$host_cpu" = ia64; then - hardcode_libdir_flag_spec='${wl}-R $libdir:/usr/lib:/lib' - allow_undefined_flag="-z nodefs" - archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols" - else - # Determine the default libpath from the value encoded in an empty executable. - cat >conftest.$ac_ext <<_ACEOF +done + + + +for ac_header in dlfcn.h +do +as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... 
" >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ +$ac_includes_default -int -main () -{ - - ; - return 0; -} +#include <$ac_header> _ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - -aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } -}'` -# Check for a 64-bit object if we didn't find anything. 
-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } -}'`; fi + } && test -s conftest.$ac_objext; then + eval "$as_ac_Header=yes" else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 + eval "$as_ac_Header=no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +as_val=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi +fi - hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath" - # Warning - without using the other run time loading flags, - # -berok will link without error, but may produce a broken library. - no_undefined_flag=' ${wl}-bernotok' - allow_undefined_flag=' ${wl}-berok' - # Exported symbols can be pulled into shared objects from archives - whole_archive_flag_spec='$convenience' - archive_cmds_need_lc=yes - # This is similar to how AIX traditionally builds its shared libraries. 
- archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname' - fi - fi - ;; +done - amigaos*) - archive_cmds='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' - hardcode_libdir_flag_spec='-L$libdir' - hardcode_minus_L=yes - # see comment about different semantics on the GNU ld section - ld_shlibs=no - ;; - bsdi[45]*) - export_dynamic_flag_spec=-rdynamic - ;; - cygwin* | mingw* | pw32*) - # When not using gcc, we currently assume that we are using - # Microsoft Visual C++. - # hardcode_libdir_flag_spec is actually meaningless, as there is - # no search path for DLLs. - hardcode_libdir_flag_spec=' ' - allow_undefined_flag=unsupported - # Tell ltmain to make .lib files, not .a files. - libext=lib - # Tell ltmain to make .dll files, not .so files. - shrext_cmds=".dll" - # FIXME: Setting linknames here is a bad hack. - archive_cmds='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames=' - # The linker will automatically build a .lib file if we build a DLL. - old_archive_From_new_cmds='true' - # FIXME: Should let the user specify the lib program. 
- old_archive_cmds='lib /OUT:$oldlib$oldobjs$old_deplibs' - fix_srcfile_path='`cygpath -w "$srcfile"`' - enable_shared_with_static_runtimes=yes - ;; +# Set options - darwin* | rhapsody*) - case $host_os in - rhapsody* | darwin1.[012]) - allow_undefined_flag='${wl}-undefined ${wl}suppress' - ;; - *) # Darwin 1.3 on - if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then - allow_undefined_flag='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' - else - case ${MACOSX_DEPLOYMENT_TARGET} in - 10.[012]) - allow_undefined_flag='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' - ;; - 10.*) - allow_undefined_flag='${wl}-undefined ${wl}dynamic_lookup' - ;; - esac - fi - ;; - esac - archive_cmds_need_lc=no - hardcode_direct=no - hardcode_automatic=yes - hardcode_shlibpath_var=unsupported - whole_archive_flag_spec='' - link_all_deplibs=yes - if test "$GCC" = yes ; then - output_verbose_link_cmd='echo' - archive_cmds='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring' - module_cmds='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags' - # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds - archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - module_expsym_cmds='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - else - case $cc_basename in - xlc*) - output_verbose_link_cmd='echo' - archive_cmds='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name 
${wl}`echo $rpath/$soname` $verstring' - module_cmds='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags' - # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds - archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - module_expsym_cmds='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - ;; - *) - ld_shlibs=no - ;; - esac - fi - ;; - dgux*) - archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_libdir_flag_spec='-L$libdir' - hardcode_shlibpath_var=no - ;; - freebsd1*) - ld_shlibs=no - ;; + enable_dlopen=no - # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor - # support. Future versions do this automatically, but an explicit c++rt0.o - # does not break anything, and helps significantly (at the cost of a little - # extra space). - freebsd2.2*) - archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o' - hardcode_libdir_flag_spec='-R$libdir' - hardcode_direct=yes - hardcode_shlibpath_var=no - ;; - # Unfortunately, older versions of FreeBSD 2 do not have this feature. - freebsd2*) - archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' - hardcode_direct=yes - hardcode_minus_L=yes - hardcode_shlibpath_var=no - ;; + enable_win32_dll=no - # FreeBSD 3 and greater uses gcc -shared to do shared libraries. 
- freebsd* | kfreebsd*-gnu | dragonfly*) - archive_cmds='$CC -shared -o $lib $libobjs $deplibs $compiler_flags' - hardcode_libdir_flag_spec='-R$libdir' - hardcode_direct=yes - hardcode_shlibpath_var=no + + # Check whether --enable-shared was given. +if test "${enable_shared+set}" = set; then + enableval=$enable_shared; p=${PACKAGE-default} + case $enableval in + yes) enable_shared=yes ;; + no) enable_shared=no ;; + *) + enable_shared=no + # Look at the argument we got. We use all the common list separators. + lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," + for pkg in $enableval; do + IFS="$lt_save_ifs" + if test "X$pkg" = "X$p"; then + enable_shared=yes + fi + done + IFS="$lt_save_ifs" ;; + esac +else + enable_shared=yes +fi - hpux9*) - if test "$GCC" = yes; then - archive_cmds='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' - else - archive_cmds='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' - fi - hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir' - hardcode_libdir_separator=: - hardcode_direct=yes - # hardcode_minus_L: Not really in the search PATH, - # but as the default location of the library. 
- hardcode_minus_L=yes - export_dynamic_flag_spec='${wl}-E' - ;; - hpux10*) - if test "$GCC" = yes -a "$with_gnu_ld" = no; then - archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' - else - archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags' - fi - if test "$with_gnu_ld" = no; then - hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir' - hardcode_libdir_separator=: - hardcode_direct=yes - export_dynamic_flag_spec='${wl}-E' - # hardcode_minus_L: Not really in the search PATH, - # but as the default location of the library. - hardcode_minus_L=yes - fi - ;; - hpux11*) - if test "$GCC" = yes -a "$with_gnu_ld" = no; then - case $host_cpu in - hppa*64*) - archive_cmds='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' - ;; - ia64*) - archive_cmds='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags' - ;; - *) - archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' - ;; - esac - else - case $host_cpu in - hppa*64*) - archive_cmds='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' - ;; - ia64*) - archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags' - ;; - *) - archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' - ;; - esac - fi - if test "$with_gnu_ld" = no; then - hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir' - hardcode_libdir_separator=: - case $host_cpu in - hppa*64*|ia64*) - hardcode_libdir_flag_spec_ld='+b $libdir' - hardcode_direct=no - hardcode_shlibpath_var=no - ;; - *) - hardcode_direct=yes - export_dynamic_flag_spec='${wl}-E' - # hardcode_minus_L: Not really in the search PATH, - # but as the default location of the library. 
- hardcode_minus_L=yes - ;; - esac - fi - ;; - irix5* | irix6* | nonstopux*) - if test "$GCC" = yes; then - archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' - else - archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - hardcode_libdir_flag_spec_ld='-rpath $libdir' - fi - hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' - hardcode_libdir_separator=: - link_all_deplibs=yes + # Check whether --enable-static was given. +if test "${enable_static+set}" = set; then + enableval=$enable_static; p=${PACKAGE-default} + case $enableval in + yes) enable_static=yes ;; + no) enable_static=no ;; + *) + enable_static=no + # Look at the argument we got. We use all the common list separators. + lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," + for pkg in $enableval; do + IFS="$lt_save_ifs" + if test "X$pkg" = "X$p"; then + enable_static=yes + fi + done + IFS="$lt_save_ifs" ;; + esac +else + enable_static=yes +fi - netbsd*) - if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then - archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out - else - archive_cmds='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF - fi - hardcode_libdir_flag_spec='-R$libdir' - hardcode_direct=yes - hardcode_shlibpath_var=no - ;; - newsos6) - archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_direct=yes - hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' - hardcode_libdir_separator=: - hardcode_shlibpath_var=no - ;; - openbsd*) - hardcode_direct=yes - hardcode_shlibpath_var=no - if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then - archive_cmds='$CC -shared $pic_flag -o $lib 
$libobjs $deplibs $compiler_flags' - archive_expsym_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols' - hardcode_libdir_flag_spec='${wl}-rpath,$libdir' - export_dynamic_flag_spec='${wl}-E' - else - case $host_os in - openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*) - archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' - hardcode_libdir_flag_spec='-R$libdir' - ;; - *) - archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' - hardcode_libdir_flag_spec='${wl}-rpath,$libdir' - ;; - esac - fi - ;; - os2*) - hardcode_libdir_flag_spec='-L$libdir' - hardcode_minus_L=yes - allow_undefined_flag=unsupported - archive_cmds='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def' - old_archive_From_new_cmds='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def' - ;; - osf3*) - if test "$GCC" = yes; then - allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*' - archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' - else - allow_undefined_flag=' -expect_unresolved \*' - archive_cmds='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - fi - hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' - hardcode_libdir_separator=: - ;; - osf4* | osf5*) # as osf3* with the addition of -msym flag 
- if test "$GCC" = yes; then - allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*' - archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' - hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' - else - allow_undefined_flag=' -expect_unresolved \*' - archive_cmds='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - archive_expsym_cmds='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~ - $LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~$rm $lib.exp' - # Both c and cxx compiler support -rpath directly - hardcode_libdir_flag_spec='-rpath $libdir' - fi - hardcode_libdir_separator=: - ;; - solaris*) - no_undefined_flag=' -z text' - if test "$GCC" = yes; then - wlarc='${wl}' - archive_cmds='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' - archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~ - $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp' - else - wlarc='' - archive_cmds='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags' - archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~ - $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp' - fi - 
hardcode_libdir_flag_spec='-R$libdir' - hardcode_shlibpath_var=no - case $host_os in - solaris2.[0-5] | solaris2.[0-5].*) ;; - *) - # The compiler driver will combine linker options so we - # cannot just pass the convience library names through - # without $wl, iff we do not link with $LD. - # Luckily, gcc supports the same syntax we need for Sun Studio. - # Supported since Solaris 2.6 (maybe 2.5.1?) - case $wlarc in - '') - whole_archive_flag_spec='-z allextract$convenience -z defaultextract' ;; - *) - whole_archive_flag_spec='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract' ;; - esac ;; - esac - link_all_deplibs=yes - ;; - sunos4*) - if test "x$host_vendor" = xsequent; then - # Use $CC to link under sequent, because it throws in some extra .o - # files that make .init and .fini sections work. - archive_cmds='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags' - else - archive_cmds='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags' - fi - hardcode_libdir_flag_spec='-L$libdir' - hardcode_direct=yes - hardcode_minus_L=yes - hardcode_shlibpath_var=no - ;; - sysv4) - case $host_vendor in - sni) - archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_direct=yes # is this really true??? - ;; - siemens) - ## LD is ld it makes a PLAMLIB - ## CC just makes a GrossModule. - archive_cmds='$LD -G -o $lib $libobjs $deplibs $linker_flags' - reload_cmds='$CC -r -o $output$reload_objs' - hardcode_direct=no - ;; - motorola) - archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_direct=no #Motorola manual says yes, but my tests say they lie - ;; - esac - runpath_var='LD_RUN_PATH' - hardcode_shlibpath_var=no - ;; +# Check whether --with-pic was given. 
+if test "${with_pic+set}" = set; then + withval=$with_pic; pic_mode="$withval" +else + pic_mode=default +fi - sysv4.3*) - archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_shlibpath_var=no - export_dynamic_flag_spec='-Bexport' - ;; - sysv4*MP*) - if test -d /usr/nec; then - archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_shlibpath_var=no - runpath_var=LD_RUN_PATH - hardcode_runpath_var=yes - ld_shlibs=yes - fi - ;; +test -z "$pic_mode" && pic_mode=default + - sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7*) - no_undefined_flag='${wl}-z,text' - archive_cmds_need_lc=no - hardcode_shlibpath_var=no - runpath_var='LD_RUN_PATH' - if test "$GCC" = yes; then - archive_cmds='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' - archive_expsym_cmds='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' - else - archive_cmds='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' - archive_expsym_cmds='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' - fi - ;; - sysv5* | sco3.2v5* | sco5v6*) - # Note: We can NOT use -z defs as we might desire, because we do not - # link with -lc, and that would cause any symbols used from libc to - # always be unresolved, which means just about no library would - # ever link correctly. If we're not using GNU ld we use -z text - # though, which does catch some bad symbols but isn't as heavy-handed - # as -z defs. 
- no_undefined_flag='${wl}-z,text' - allow_undefined_flag='${wl}-z,nodefs' - archive_cmds_need_lc=no - hardcode_shlibpath_var=no - hardcode_libdir_flag_spec='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`' - hardcode_libdir_separator=':' - link_all_deplibs=yes - export_dynamic_flag_spec='${wl}-Bexport' - runpath_var='LD_RUN_PATH' - if test "$GCC" = yes; then - archive_cmds='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags' - archive_expsym_cmds='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags' - else - archive_cmds='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags' - archive_expsym_cmds='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags' - fi - ;; - uts4*) - archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_libdir_flag_spec='-L$libdir' - hardcode_shlibpath_var=no - ;; + # Check whether --enable-fast-install was given. +if test "${enable_fast_install+set}" = set; then + enableval=$enable_fast_install; p=${PACKAGE-default} + case $enableval in + yes) enable_fast_install=yes ;; + no) enable_fast_install=no ;; *) - ld_shlibs=no + enable_fast_install=no + # Look at the argument we got. We use all the common list separators. + lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," + for pkg in $enableval; do + IFS="$lt_save_ifs" + if test "X$pkg" = "X$p"; then + enable_fast_install=yes + fi + done + IFS="$lt_save_ifs" ;; esac - fi +else + enable_fast_install=yes +fi -{ echo "$as_me:$LINENO: result: $ld_shlibs" >&5 -echo "${ECHO_T}$ld_shlibs" >&6; } -test "$ld_shlibs" = no && can_build_shared=no -# -# Do we need to explicitly link libc? 
-# -case "x$archive_cmds_need_lc" in -x|xyes) - # Assume -lc should be added - archive_cmds_need_lc=yes - if test "$enable_shared" = yes && test "$GCC" = yes; then - case $archive_cmds in - *'~'*) - # FIXME: we may have to deal with multi-command sequences. - ;; - '$CC '*) - # Test whether the compiler implicitly links with -lc since on some - # systems, -lgcc has to come before -lc. If gcc already passes -lc - # to ld, don't add -lc before -lgcc. - { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5 -echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; } - $rm conftest* - printf "$lt_simple_compile_test_code" > conftest.$ac_ext - if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } 2>conftest.err; then - soname=conftest - lib=conftest - libobjs=conftest.$ac_objext - deplibs= - wl=$lt_prog_compiler_wl - pic_flag=$lt_prog_compiler_pic - compiler_flags=-v - linker_flags=-v - verstring= - output_objdir=. - libname=conftest - lt_save_allow_undefined_flag=$allow_undefined_flag - allow_undefined_flag= - if { (eval echo "$as_me:$LINENO: \"$archive_cmds 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5 - (eval $archive_cmds 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } - then - archive_cmds_need_lc=no - else - archive_cmds_need_lc=yes - fi - allow_undefined_flag=$lt_save_allow_undefined_flag - else - cat conftest.err 1>&5 - fi - $rm conftest* - { echo "$as_me:$LINENO: result: $archive_cmds_need_lc" >&5 -echo "${ECHO_T}$archive_cmds_need_lc" >&6; } - ;; - esac - fi - ;; -esac -{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5 -echo $ECHO_N "checking dynamic linker characteristics... 
$ECHO_C" >&6; } -library_names_spec= -libname_spec='lib$name' -soname_spec= -shrext_cmds=".so" -postinstall_cmds= -postuninstall_cmds= -finish_cmds= -finish_eval= -shlibpath_var= -shlibpath_overrides_runpath=unknown -version_type=none -dynamic_linker="$host_os ld.so" -sys_lib_dlsearch_path_spec="/lib /usr/lib" -if test "$GCC" = yes; then - sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"` - if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then - # if the path contains ";" then we assume it to be the separator - # otherwise default to the standard path separator (i.e. ":") - it is - # assumed that no part of a normal pathname contains ";" but that should - # okay in the real world where ";" in dirpaths is itself problematic. - sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'` - else - sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` - fi -else - sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib" -fi -need_lib_prefix=unknown -hardcode_into_libs=no -# when you set need_version to no, make sure it does not cause -set_version -# flags to be left without arguments -need_version=unknown -case $host_os in -aix3*) - version_type=linux - library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a' - shlibpath_var=LIBPATH - # AIX 3 has no versioning support, so we append a major version to the name. - soname_spec='${libname}${release}${shared_ext}$major' - ;; -aix4* | aix5*) - version_type=linux - need_lib_prefix=no - need_version=no - hardcode_into_libs=yes - if test "$host_cpu" = ia64; then - # AIX 5 supports IA64 - library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}' - shlibpath_var=LD_LIBRARY_PATH - else - # With GCC up to 2.95.x, collect2 would create an import file - # for dependence libraries. 
The import file would start with - # the line `#! .'. This would cause the generated library to - # depend on `.', always an invalid library. This was fixed in - # development snapshots of GCC prior to 3.0. - case $host_os in - aix4 | aix4.[01] | aix4.[01].*) - if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)' - echo ' yes ' - echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then - : - else - can_build_shared=no - fi - ;; - esac - # AIX (on Power*) has no versioning support, so currently we can not hardcode correct - # soname into executable. Probably we can add versioning support to - # collect2, so additional links can be useful in future. - if test "$aix_use_runtimelinking" = yes; then - # If using run time linking (on AIX 4.2 or later) use lib.so - # instead of lib.a to let people know that these are not - # typical AIX shared libraries. - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - else - # We preserve .a as extension for shared libraries through AIX4.2 - # and later when we are not doing run time linking. - library_names_spec='${libname}${release}.a $libname.a' - soname_spec='${libname}${release}${shared_ext}$major' - fi - shlibpath_var=LIBPATH - fi - ;; -amigaos*) - library_names_spec='$libname.ixlibrary $libname.a' - # Create ${libname}_ixlibrary.a entries in /sys/libs. 
- finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done' - ;; -beos*) - library_names_spec='${libname}${shared_ext}' - dynamic_linker="$host_os ld.so" - shlibpath_var=LIBRARY_PATH - ;; +# This can be used to rebuild libtool when needed +LIBTOOL_DEPS="$ltmain" -bsdi[45]*) - version_type=linux - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir' - shlibpath_var=LD_LIBRARY_PATH - sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib" - sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib" - # the default ld.so.conf also contains /usr/contrib/lib and - # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow - # libtool to hard-code these into programs - ;; +# Always use our own libtool. +LIBTOOL='$(SHELL) $(top_builddir)/libtool' -cygwin* | mingw* | pw32*) - version_type=windows - shrext_cmds=".dll" - need_version=no - need_lib_prefix=no - case $GCC,$host_os in - yes,cygwin* | yes,mingw* | yes,pw32*) - library_names_spec='$libname.dll.a' - # DLL is installed to $(libdir)/../bin by postinstall_cmds - postinstall_cmds='base_file=`basename \${file}`~ - dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~ - dldir=$destdir/`dirname \$dlpath`~ - test -d \$dldir || mkdir -p \$dldir~ - $install_prog $dir/$dlname \$dldir/$dlname~ - chmod a+x \$dldir/$dlname' - postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. 
$file; echo \$dlname'\''`~ - dlpath=$dir/\$dldll~ - $rm \$dlpath' - shlibpath_overrides_runpath=yes - case $host_os in - cygwin*) - # Cygwin DLLs use 'cyg' prefix rather than 'lib' - soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}' - sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib" - ;; - mingw*) - # MinGW DLLs use traditional 'lib' prefix - soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}' - sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"` - if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then - # It is most probably a Windows format PATH printed by - # mingw gcc, but we are running on Cygwin. Gcc prints its search - # path with ; separators, and with drive letters. We can handle the - # drive letters (cygwin fileutils understands them), so leave them, - # especially as we might pass files found there to a mingw objdump, - # which wouldn't understand a cygwinified path. Ahh. - sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'` - else - sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` - fi - ;; - pw32*) - # pw32 DLLs use 'pw' prefix rather than 'lib' - library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}' - ;; - esac - ;; - *) - library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib' - ;; - esac - dynamic_linker='Win32 ld.exe' - # FIXME: first we should search . 
and the directory the executable is in - shlibpath_var=PATH - ;; -darwin* | rhapsody*) - dynamic_linker="$host_os dyld" - version_type=darwin - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext' - soname_spec='${libname}${release}${major}$shared_ext' - shlibpath_overrides_runpath=yes - shlibpath_var=DYLD_LIBRARY_PATH - shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`' - # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same. - if test "$GCC" = yes; then - sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"` - else - sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib' - fi - sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib' - ;; -dgux*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - ;; -freebsd1*) - dynamic_linker=no - ;; -kfreebsd*-gnu) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - dynamic_linker='GNU ld.so' - ;; -freebsd* | dragonfly*) - # DragonFly does not have aout. When/if they implement a new - # versioning mechanism, adjust this. 
- if test -x /usr/bin/objformat; then - objformat=`/usr/bin/objformat` - else - case $host_os in - freebsd[123]*) objformat=aout ;; - *) objformat=elf ;; - esac - fi - version_type=freebsd-$objformat - case $version_type in - freebsd-elf*) - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}' - need_version=no - need_lib_prefix=no - ;; - freebsd-*) - library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix' - need_version=yes - ;; - esac - shlibpath_var=LD_LIBRARY_PATH - case $host_os in - freebsd2*) - shlibpath_overrides_runpath=yes - ;; - freebsd3.[01]* | freebsdelf3.[01]*) - shlibpath_overrides_runpath=yes - hardcode_into_libs=yes - ;; - freebsd3.[2-9]* | freebsdelf3.[2-9]* | \ - freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1) - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - ;; - freebsd*) # from 4.6 on - shlibpath_overrides_runpath=yes - hardcode_into_libs=yes - ;; - esac - ;; -gnu*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - hardcode_into_libs=yes - ;; -hpux9* | hpux10* | hpux11*) - # Give a soname corresponding to the major version so that dld.sl refuses to - # link against other versions. - version_type=sunos - need_lib_prefix=no - need_version=no - case $host_cpu in - ia64*) - shrext_cmds='.so' - hardcode_into_libs=yes - dynamic_linker="$host_os dld.so" - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. 
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - if test "X$HPUX_IA64_MODE" = X32; then - sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib" - else - sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64" - fi - sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec - ;; - hppa*64*) - shrext_cmds='.sl' - hardcode_into_libs=yes - dynamic_linker="$host_os dld.sl" - shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH - shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64" - sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec - ;; - *) - shrext_cmds='.sl' - dynamic_linker="$host_os dld.sl" - shlibpath_var=SHLIB_PATH - shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - ;; - esac - # HP-UX runs *really* slowly unless shared libraries are mode 555. 
- postinstall_cmds='chmod 555 $lib' - ;; -interix3*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - ;; -irix5* | irix6* | nonstopux*) - case $host_os in - nonstopux*) version_type=nonstopux ;; - *) - if test "$lt_cv_prog_gnu_ld" = yes; then - version_type=linux - else - version_type=irix - fi ;; - esac - need_lib_prefix=no - need_version=no - soname_spec='${libname}${release}${shared_ext}$major' - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}' - case $host_os in - irix5* | nonstopux*) - libsuff= shlibsuff= - ;; - *) - case $LD in # libtool.m4 will add one of these switches to LD - *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ") - libsuff= shlibsuff= libmagic=32-bit;; - *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ") - libsuff=32 shlibsuff=N32 libmagic=N32;; - *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ") - libsuff=64 shlibsuff=64 libmagic=64-bit;; - *) libsuff= shlibsuff= libmagic=never-match;; - esac - ;; - esac - shlibpath_var=LD_LIBRARY${shlibsuff}_PATH - shlibpath_overrides_runpath=no - sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}" - sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}" - hardcode_into_libs=yes - ;; -# No shared lib support for Linux oldld, aout, or coff. -linux*oldld* | linux*aout* | linux*coff*) - dynamic_linker=no - ;; -# This must be Linux ELF. 
-linux*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - # This implies no fast_install, which is unacceptable. - # Some rework will be needed to allow for fast_install - # before this can be enabled. - hardcode_into_libs=yes - # find out which ABI we are using - libsuff= - case "$host_cpu" in - x86_64*|s390x*|powerpc64*) - echo '#line 10090 "configure"' > conftest.$ac_ext - if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; then - case `/usr/bin/file conftest.$ac_objext` in - *64-bit*) - libsuff=64 - sys_lib_search_path_spec="/lib${libsuff} /usr/lib${libsuff} /usr/local/lib${libsuff}" - ;; - esac - fi - rm -rf conftest* - ;; - esac - # Append ld.so.conf contents to the search path - if test -f /etc/ld.so.conf; then - lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/^ *//;s/#.*//;/^[^\/]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` - sys_lib_dlsearch_path_spec="/lib${libsuff} /usr/lib${libsuff} $lt_ld_extra" - fi - # We used to test for /lib/ld.so.1 and disable shared libraries on - # powerpc, because MkLinux only supported shared libraries with the - # GNU dynamic linker. Since this was broken with cross compilers, - # most powerpc-linux boxes support dynamic linking these days and - # people can always --disable-shared, the test was removed, and we - # assume the GNU/Linux dynamic linker is in use. 
- dynamic_linker='GNU/Linux ld.so' - ;; -knetbsd*-gnu) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - dynamic_linker='GNU ld.so' - ;; -netbsd*) - version_type=sunos - need_lib_prefix=no - need_version=no - if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' - finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' - dynamic_linker='NetBSD (a.out) ld.so' - else - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - dynamic_linker='NetBSD ld.elf_so' - fi - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - hardcode_into_libs=yes - ;; -newsos6) - version_type=linux - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - ;; -nto-qnx*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - ;; -openbsd*) - version_type=sunos - sys_lib_dlsearch_path_spec="/usr/lib" - need_lib_prefix=no - # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs. 
- case $host_os in - openbsd3.3 | openbsd3.3.*) need_version=yes ;; - *) need_version=no ;; - esac - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' - finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' - shlibpath_var=LD_LIBRARY_PATH - if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then - case $host_os in - openbsd2.[89] | openbsd2.[89].*) - shlibpath_overrides_runpath=no - ;; - *) - shlibpath_overrides_runpath=yes - ;; - esac - else - shlibpath_overrides_runpath=yes - fi - ;; -os2*) - libname_spec='$name' - shrext_cmds=".dll" - need_lib_prefix=no - library_names_spec='$libname${shared_ext} $libname.a' - dynamic_linker='OS/2 ld.exe' - shlibpath_var=LIBPATH - ;; -osf3* | osf4* | osf5*) - version_type=osf - need_lib_prefix=no - need_version=no - soname_spec='${libname}${release}${shared_ext}$major' - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - shlibpath_var=LD_LIBRARY_PATH - sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib" - sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec" - ;; +test -z "$LN_S" && LN_S="ln -s" -solaris*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - hardcode_into_libs=yes - # ldd complains unless libraries are executable - postinstall_cmds='chmod +x $lib' - ;; -sunos4*) - version_type=sunos - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' - finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - if test 
"$with_gnu_ld" = yes; then - need_lib_prefix=no - fi - need_version=yes - ;; -sysv4 | sysv4.3*) - version_type=linux - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - case $host_vendor in - sni) - shlibpath_overrides_runpath=no - need_lib_prefix=no - export_dynamic_flag_spec='${wl}-Blargedynsym' - runpath_var=LD_RUN_PATH - ;; - siemens) - need_lib_prefix=no - ;; - motorola) - need_lib_prefix=no - need_version=no - shlibpath_overrides_runpath=no - sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib' - ;; - esac - ;; -sysv4*MP*) - if test -d /usr/nec ;then - version_type=linux - library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}' - soname_spec='$libname${shared_ext}.$major' - shlibpath_var=LD_LIBRARY_PATH - fi - ;; -sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*) - version_type=freebsd-elf - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - hardcode_into_libs=yes - if test "$with_gnu_ld" = yes; then - sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' - shlibpath_overrides_runpath=no - else - sys_lib_search_path_spec='/usr/ccs/lib /usr/lib' - shlibpath_overrides_runpath=yes - case $host_os in - sco3.2v5*) - sys_lib_search_path_spec="$sys_lib_search_path_spec /lib" - ;; - esac - fi - sys_lib_dlsearch_path_spec='/usr/lib' - ;; -uts4*) - version_type=linux - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - ;; -*) - dynamic_linker=no - ;; 
-esac -{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5 -echo "${ECHO_T}$dynamic_linker" >&6; } -test "$dynamic_linker" = no && can_build_shared=no -variables_saved_for_relink="PATH $shlibpath_var $runpath_var" -if test "$GCC" = yes; then - variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH" -fi -{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5 -echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; } -hardcode_action= -if test -n "$hardcode_libdir_flag_spec" || \ - test -n "$runpath_var" || \ - test "X$hardcode_automatic" = "Xyes" ; then - # We can hardcode non-existant directories. - if test "$hardcode_direct" != no && - # If the only mechanism to avoid hardcoding is shlibpath_var, we - # have to relink, otherwise we might link with an installed library - # when we should be linking with a yet-to-be-installed one - ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, )" != no && - test "$hardcode_minus_L" != no; then - # Linking always hardcodes the temporary library directory. - hardcode_action=relink - else - # We can link without hardcoding, and we can hardcode nonexisting dirs. - hardcode_action=immediate - fi -else - # We cannot hardcode anything, or else we can only hardcode existing - # directories. - hardcode_action=unsupported -fi -{ echo "$as_me:$LINENO: result: $hardcode_action" >&5 -echo "${ECHO_T}$hardcode_action" >&6; } -if test "$hardcode_action" = relink; then - # Fast installation is not supported - enable_fast_install=no -elif test "$shlibpath_overrides_runpath" = yes || - test "$enable_shared" = no; then - # Fast installation is not necessary - enable_fast_install=needless + + + +if test -n "${ZSH_VERSION+set}" ; then + setopt NO_GLOB_SUBST fi -striplib= -old_striplib= -{ echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5 -echo $ECHO_N "checking whether stripping libraries is possible... 
$ECHO_C" >&6; } -if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then - test -z "$old_striplib" && old_striplib="$STRIP --strip-debug" - test -z "$striplib" && striplib="$STRIP --strip-unneeded" - { echo "$as_me:$LINENO: result: yes" >&5 -echo "${ECHO_T}yes" >&6; } +{ $as_echo "$as_me:$LINENO: checking for objdir" >&5 +$as_echo_n "checking for objdir... " >&6; } +if test "${lt_cv_objdir+set}" = set; then + $as_echo_n "(cached) " >&6 else -# FIXME - insert some real tests, host_os isn't really good enough - case $host_os in - darwin*) - if test -n "$STRIP" ; then - striplib="$STRIP -x" - { echo "$as_me:$LINENO: result: yes" >&5 -echo "${ECHO_T}yes" >&6; } - else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + rm -f .libs 2>/dev/null +mkdir .libs 2>/dev/null +if test -d .libs; then + lt_cv_objdir=.libs +else + # MS-DOS does not allow filenames that begin with a dot. + lt_cv_objdir=_libs fi - ;; - *) - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } - ;; - esac +rmdir .libs 2>/dev/null fi +{ $as_echo "$as_me:$LINENO: result: $lt_cv_objdir" >&5 +$as_echo "$lt_cv_objdir" >&6; } +objdir=$lt_cv_objdir -if test "x$enable_dlopen" != xyes; then - enable_dlopen=unknown - enable_dlopen_self=unknown - enable_dlopen_self_static=unknown -else - lt_cv_dlopen=no - lt_cv_dlopen_libs= - case $host_os in - beos*) - lt_cv_dlopen="load_add_on" - lt_cv_dlopen_libs= - lt_cv_dlopen_self=yes - ;; - mingw* | pw32*) - lt_cv_dlopen="LoadLibrary" - lt_cv_dlopen_libs= - ;; - cygwin*) - lt_cv_dlopen="dlopen" - lt_cv_dlopen_libs= - ;; - darwin*) - # if libdl is installed we need to link against it - { echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5 -echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6; } -if test "${ac_cv_lib_dl_dlopen+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ldl $LIBS" -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. 
*/ +cat >>confdefs.h <<_ACEOF +#define LT_OBJDIR "$lt_cv_objdir/" _ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char dlopen (); -int -main () -{ -return dlopen (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_lib_dl_dlopen=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_lib_dl_dlopen=no -fi -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5 -echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6; } -if test $ac_cv_lib_dl_dlopen = yes; then - lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl" -else - lt_cv_dlopen="dyld" - lt_cv_dlopen_libs= - lt_cv_dlopen_self=yes -fi - ;; - *) - { echo "$as_me:$LINENO: checking for shl_load" >&5 -echo $ECHO_N "checking for shl_load... $ECHO_C" >&6; } -if test "${ac_cv_func_shl_load+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. 
*/ -/* Define shl_load to an innocuous variant, in case declares shl_load. - For example, HP-UX 11i declares gettimeofday. */ -#define shl_load innocuous_shl_load -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char shl_load (); below. - Prefer to if __STDC__ is defined, since - exists even on freestanding compilers. */ -#ifdef __STDC__ -# include -#else -# include -#endif -#undef shl_load -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char shl_load (); -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined __stub_shl_load || defined __stub___shl_load -choke me -#endif -int -main () -{ -return shl_load (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! 
-s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_func_shl_load=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_func_shl_load=no -fi -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -fi -{ echo "$as_me:$LINENO: result: $ac_cv_func_shl_load" >&5 -echo "${ECHO_T}$ac_cv_func_shl_load" >&6; } -if test $ac_cv_func_shl_load = yes; then - lt_cv_dlopen="shl_load" -else - { echo "$as_me:$LINENO: checking for shl_load in -ldld" >&5 -echo $ECHO_N "checking for shl_load in -ldld... $ECHO_C" >&6; } -if test "${ac_cv_lib_dld_shl_load+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ldld $LIBS" -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char shl_load (); -int -main () -{ -return shl_load (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; + + +case $host_os in +aix3*) + # AIX sometimes has problems with the GCC collect2 program. For some + # reason, if we set the COLLECT_NAMES environment variable, the problems + # vanish in a puff of smoke. + if test "X${COLLECT_NAMES+set}" != Xset; then + COLLECT_NAMES= + export COLLECT_NAMES + fi + ;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_lib_dld_shl_load=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_lib_dld_shl_load=no -fi +# Sed substitution that helps us do robust quoting. It backslashifies +# metacharacters that are still active within double-quoted strings. +sed_quote_subst='s/\(["`$\\]\)/\\\1/g' -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ echo "$as_me:$LINENO: result: $ac_cv_lib_dld_shl_load" >&5 -echo "${ECHO_T}$ac_cv_lib_dld_shl_load" >&6; } -if test $ac_cv_lib_dld_shl_load = yes; then - lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-dld" -else - { echo "$as_me:$LINENO: checking for dlopen" >&5 -echo $ECHO_N "checking for dlopen... $ECHO_C" >&6; } -if test "${ac_cv_func_dlopen+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -/* Define dlopen to an innocuous variant, in case declares dlopen. - For example, HP-UX 11i declares gettimeofday. */ -#define dlopen innocuous_dlopen +# Same as above, but do not quote variable references. +double_quote_subst='s/\(["`\\]\)/\\\1/g' -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char dlopen (); below. - Prefer to if __STDC__ is defined, since - exists even on freestanding compilers. */ +# Sed substitution to delay expansion of an escaped shell variable in a +# double_quote_subst'ed string. +delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g' -#ifdef __STDC__ -# include -#else -# include -#endif +# Sed substitution to delay expansion of an escaped single quote. 
+delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g' -#undef dlopen +# Sed substitution to avoid accidental globbing in evaled expressions +no_glob_subst='s/\*/\\\*/g' -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char dlopen (); -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined __stub_dlopen || defined __stub___dlopen -choke me -#endif +# Global variables: +ofile=libtool +can_build_shared=yes -int -main () -{ -return dlopen (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_func_dlopen=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 +# All known linkers require a `.a' archive for static linking (except MSVC, +# which needs '.lib'). 
+libext=a - ac_cv_func_dlopen=no -fi +with_gnu_ld="$lt_cv_prog_gnu_ld" -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -fi -{ echo "$as_me:$LINENO: result: $ac_cv_func_dlopen" >&5 -echo "${ECHO_T}$ac_cv_func_dlopen" >&6; } -if test $ac_cv_func_dlopen = yes; then - lt_cv_dlopen="dlopen" -else - { echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5 -echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6; } -if test "${ac_cv_lib_dl_dlopen+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ldl $LIBS" -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ +old_CC="$CC" +old_CFLAGS="$CFLAGS" -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char dlopen (); -int -main () -{ -return dlopen (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! 
-s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_lib_dl_dlopen=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 +# Set sane defaults for various variables +test -z "$CC" && CC=cc +test -z "$LTCC" && LTCC=$CC +test -z "$LTCFLAGS" && LTCFLAGS=$CFLAGS +test -z "$LD" && LD=ld +test -z "$ac_objext" && ac_objext=o - ac_cv_lib_dl_dlopen=no -fi +for cc_temp in $compiler""; do + case $cc_temp in + compile | *[\\/]compile | ccache | *[\\/]ccache ) ;; + distcc | *[\\/]distcc | purify | *[\\/]purify ) ;; + \-*) ;; + *) break;; + esac +done +cc_basename=`$ECHO "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"` -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5 -echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6; } -if test $ac_cv_lib_dl_dlopen = yes; then - lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl" -else - { echo "$as_me:$LINENO: checking for dlopen in -lsvld" >&5 -echo $ECHO_N "checking for dlopen in -lsvld... $ECHO_C" >&6; } -if test "${ac_cv_lib_svld_dlopen+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lsvld $LIBS" -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. 
*/ -#ifdef __cplusplus -extern "C" -#endif -char dlopen (); -int -main () -{ -return dlopen (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_lib_svld_dlopen=yes +# Only perform the check for file, if the check method requires it +test -z "$MAGIC_CMD" && MAGIC_CMD=file +case $deplibs_check_method in +file_magic*) + if test "$file_magic_cmd" = '$MAGIC_CMD'; then + { $as_echo "$as_me:$LINENO: checking for ${ac_tool_prefix}file" >&5 +$as_echo_n "checking for ${ac_tool_prefix}file... " >&6; } +if test "${lt_cv_path_MAGIC_CMD+set}" = set; then + $as_echo_n "(cached) " >&6 else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 + case $MAGIC_CMD in +[\\/*] | ?:[\\/]*) + lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path. + ;; +*) + lt_save_MAGIC_CMD="$MAGIC_CMD" + lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR + ac_dummy="/usr/bin$PATH_SEPARATOR$PATH" + for ac_dir in $ac_dummy; do + IFS="$lt_save_ifs" + test -z "$ac_dir" && ac_dir=. 
+ if test -f $ac_dir/${ac_tool_prefix}file; then + lt_cv_path_MAGIC_CMD="$ac_dir/${ac_tool_prefix}file" + if test -n "$file_magic_test_file"; then + case $deplibs_check_method in + "file_magic "*) + file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"` + MAGIC_CMD="$lt_cv_path_MAGIC_CMD" + if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null | + $EGREP "$file_magic_regex" > /dev/null; then + : + else + cat <<_LT_EOF 1>&2 - ac_cv_lib_svld_dlopen=no -fi +*** Warning: the command libtool uses to detect shared libraries, +*** $file_magic_cmd, produces output that libtool cannot recognize. +*** The result is that libtool may fail to recognize shared libraries +*** as such. This will affect the creation of libtool libraries that +*** depend on shared libraries, but programs linked with such libtool +*** libraries will work regardless of this problem. Nevertheless, you +*** may want to report the problem to your system manager and/or to +*** bug-libtool@gnu.org -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS +_LT_EOF + fi ;; + esac + fi + break + fi + done + IFS="$lt_save_ifs" + MAGIC_CMD="$lt_save_MAGIC_CMD" + ;; +esac fi -{ echo "$as_me:$LINENO: result: $ac_cv_lib_svld_dlopen" >&5 -echo "${ECHO_T}$ac_cv_lib_svld_dlopen" >&6; } -if test $ac_cv_lib_svld_dlopen = yes; then - lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld" -else - { echo "$as_me:$LINENO: checking for dld_link in -ldld" >&5 -echo $ECHO_N "checking for dld_link in -ldld... $ECHO_C" >&6; } -if test "${ac_cv_lib_dld_dld_link+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ldld $LIBS" -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -/* Override any GCC internal prototype to avoid an error. 
- Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char dld_link (); -int -main () -{ -return dld_link (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_lib_dld_dld_link=yes +MAGIC_CMD="$lt_cv_path_MAGIC_CMD" +if test -n "$MAGIC_CMD"; then + { $as_echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5 +$as_echo "$MAGIC_CMD" >&6; } else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_cv_lib_dld_dld_link=no + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ echo "$as_me:$LINENO: result: $ac_cv_lib_dld_dld_link" >&5 -echo "${ECHO_T}$ac_cv_lib_dld_dld_link" >&6; } -if test $ac_cv_lib_dld_dld_link = yes; then - lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-dld" -fi -fi -fi - - -fi +if test -z "$lt_cv_path_MAGIC_CMD"; then + if test -n "$ac_tool_prefix"; then + { $as_echo "$as_me:$LINENO: checking for file" >&5 +$as_echo_n "checking for file... " >&6; } +if test "${lt_cv_path_MAGIC_CMD+set}" = set; then + $as_echo_n "(cached) " >&6 +else + case $MAGIC_CMD in +[\\/*] | ?:[\\/]*) + lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path. 
+ ;; +*) + lt_save_MAGIC_CMD="$MAGIC_CMD" + lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR + ac_dummy="/usr/bin$PATH_SEPARATOR$PATH" + for ac_dir in $ac_dummy; do + IFS="$lt_save_ifs" + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/file; then + lt_cv_path_MAGIC_CMD="$ac_dir/file" + if test -n "$file_magic_test_file"; then + case $deplibs_check_method in + "file_magic "*) + file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"` + MAGIC_CMD="$lt_cv_path_MAGIC_CMD" + if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null | + $EGREP "$file_magic_regex" > /dev/null; then + : + else + cat <<_LT_EOF 1>&2 +*** Warning: the command libtool uses to detect shared libraries, +*** $file_magic_cmd, produces output that libtool cannot recognize. +*** The result is that libtool may fail to recognize shared libraries +*** as such. This will affect the creation of libtool libraries that +*** depend on shared libraries, but programs linked with such libtool +*** libraries will work regardless of this problem. 
Nevertheless, you +*** may want to report the problem to your system manager and/or to +*** bug-libtool@gnu.org +_LT_EOF + fi ;; + esac + fi + break + fi + done + IFS="$lt_save_ifs" + MAGIC_CMD="$lt_save_MAGIC_CMD" + ;; +esac fi - +MAGIC_CMD="$lt_cv_path_MAGIC_CMD" +if test -n "$MAGIC_CMD"; then + { $as_echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5 +$as_echo "$MAGIC_CMD" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi - ;; - esac - if test "x$lt_cv_dlopen" != xno; then - enable_dlopen=yes else - enable_dlopen=no + MAGIC_CMD=: fi +fi - case $lt_cv_dlopen in - dlopen) - save_CPPFLAGS="$CPPFLAGS" - test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H" + fi + ;; +esac - save_LDFLAGS="$LDFLAGS" - wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\" +# Use C for the default configuration in the libtool script - save_LIBS="$LIBS" - LIBS="$lt_cv_dlopen_libs $LIBS" +lt_save_CC="$CC" +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu - { echo "$as_me:$LINENO: checking whether a program can dlopen itself" >&5 -echo $ECHO_N "checking whether a program can dlopen itself... $ECHO_C" >&6; } -if test "${lt_cv_dlopen_self+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test "$cross_compiling" = yes; then : - lt_cv_dlopen_self=cross -else - lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 - lt_status=$lt_dlunknown - cat > conftest.$ac_ext < -#endif +# Source file extension for C test sources. +ac_ext=c -#include +# Object file extension for compiled C test sources. 
+objext=o +objext=$objext -#ifdef RTLD_GLOBAL -# define LT_DLGLOBAL RTLD_GLOBAL -#else -# ifdef DL_GLOBAL -# define LT_DLGLOBAL DL_GLOBAL -# else -# define LT_DLGLOBAL 0 -# endif -#endif +# Code to be used in simple compile tests +lt_simple_compile_test_code="int some_variable = 0;" -/* We may have to define LT_DLLAZY_OR_NOW in the command line if we - find out it does not work in some platform. */ -#ifndef LT_DLLAZY_OR_NOW -# ifdef RTLD_LAZY -# define LT_DLLAZY_OR_NOW RTLD_LAZY -# else -# ifdef DL_LAZY -# define LT_DLLAZY_OR_NOW DL_LAZY -# else -# ifdef RTLD_NOW -# define LT_DLLAZY_OR_NOW RTLD_NOW -# else -# ifdef DL_NOW -# define LT_DLLAZY_OR_NOW DL_NOW -# else -# define LT_DLLAZY_OR_NOW 0 -# endif -# endif -# endif -# endif -#endif +# Code to be used in simple link tests +lt_simple_link_test_code='int main(){return(0);}' -#ifdef __cplusplus -extern "C" void exit (int); -#endif -void fnord() { int i=42;} -int main () -{ - void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW); - int status = $lt_dlunknown; - if (self) - { - if (dlsym (self,"fnord")) status = $lt_dlno_uscore; - else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore; - /* dlclose (self); */ - } - else - puts (dlerror ()); - exit (status); -} -EOF - if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then - (./conftest; exit; ) >&5 2>/dev/null - lt_status=$? 
- case x$lt_status in - x$lt_dlno_uscore) lt_cv_dlopen_self=yes ;; - x$lt_dlneed_uscore) lt_cv_dlopen_self=yes ;; - x$lt_dlunknown|x*) lt_cv_dlopen_self=no ;; - esac - else : - # compilation failed - lt_cv_dlopen_self=no - fi -fi -rm -fr conftest* -fi -{ echo "$as_me:$LINENO: result: $lt_cv_dlopen_self" >&5 -echo "${ECHO_T}$lt_cv_dlopen_self" >&6; } - if test "x$lt_cv_dlopen_self" = xyes; then - wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\" - { echo "$as_me:$LINENO: checking whether a statically linked program can dlopen itself" >&5 -echo $ECHO_N "checking whether a statically linked program can dlopen itself... $ECHO_C" >&6; } -if test "${lt_cv_dlopen_self_static+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test "$cross_compiling" = yes; then : - lt_cv_dlopen_self_static=cross -else - lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 - lt_status=$lt_dlunknown - cat > conftest.$ac_ext < -#endif +# If no C compiler flags were specified, use CFLAGS. +LTCFLAGS=${LTCFLAGS-"$CFLAGS"} -#include +# Allow CC to be a program name with arguments. +compiler=$CC -#ifdef RTLD_GLOBAL -# define LT_DLGLOBAL RTLD_GLOBAL -#else -# ifdef DL_GLOBAL -# define LT_DLGLOBAL DL_GLOBAL -# else -# define LT_DLGLOBAL 0 -# endif -#endif +# Save the default compiler, since it gets overwritten when the other +# tags are being tested, and _LT_TAGVAR(compiler, []) is a NOP. +compiler_DEFAULT=$CC -/* We may have to define LT_DLLAZY_OR_NOW in the command line if we - find out it does not work in some platform. 
*/ -#ifndef LT_DLLAZY_OR_NOW -# ifdef RTLD_LAZY -# define LT_DLLAZY_OR_NOW RTLD_LAZY -# else -# ifdef DL_LAZY -# define LT_DLLAZY_OR_NOW DL_LAZY -# else -# ifdef RTLD_NOW -# define LT_DLLAZY_OR_NOW RTLD_NOW -# else -# ifdef DL_NOW -# define LT_DLLAZY_OR_NOW DL_NOW -# else -# define LT_DLLAZY_OR_NOW 0 -# endif -# endif -# endif -# endif -#endif +# save warnings/boilerplate of simple test code +ac_outfile=conftest.$ac_objext +echo "$lt_simple_compile_test_code" >conftest.$ac_ext +eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err +_lt_compiler_boilerplate=`cat conftest.err` +$RM conftest* -#ifdef __cplusplus -extern "C" void exit (int); -#endif +ac_outfile=conftest.$ac_objext +echo "$lt_simple_link_test_code" >conftest.$ac_ext +eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err +_lt_linker_boilerplate=`cat conftest.err` +$RM -r conftest* -void fnord() { int i=42;} -int main () -{ - void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW); - int status = $lt_dlunknown; - if (self) - { - if (dlsym (self,"fnord")) status = $lt_dlno_uscore; - else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore; - /* dlclose (self); */ - } - else - puts (dlerror ()); +if test -n "$compiler"; then - exit (status); -} -EOF - if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then - (./conftest; exit; ) >&5 2>/dev/null - lt_status=$? 
- case x$lt_status in - x$lt_dlno_uscore) lt_cv_dlopen_self_static=yes ;; - x$lt_dlneed_uscore) lt_cv_dlopen_self_static=yes ;; - x$lt_dlunknown|x*) lt_cv_dlopen_self_static=no ;; - esac - else : - # compilation failed - lt_cv_dlopen_self_static=no - fi -fi -rm -fr conftest* +lt_prog_compiler_no_builtin_flag= +if test "$GCC" = yes; then + lt_prog_compiler_no_builtin_flag=' -fno-builtin' -fi -{ echo "$as_me:$LINENO: result: $lt_cv_dlopen_self_static" >&5 -echo "${ECHO_T}$lt_cv_dlopen_self_static" >&6; } - fi - - CPPFLAGS="$save_CPPFLAGS" - LDFLAGS="$save_LDFLAGS" - LIBS="$save_LIBS" - ;; - esac + { $as_echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5 +$as_echo_n "checking if $compiler supports -fno-rtti -fno-exceptions... " >&6; } +if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then + $as_echo_n "(cached) " >&6 +else + lt_cv_prog_compiler_rtti_exceptions=no + ac_outfile=conftest.$ac_objext + echo "$lt_simple_compile_test_code" > conftest.$ac_ext + lt_compiler_flag="-fno-rtti -fno-exceptions" + # Insert the option either (1) after the last *FLAGS variable, or + # (2) before a word containing "conftest.", or (3) at the end. + # Note that $ac_compile itself does not contain backslashes and begins + # with a dollar sign (not a hyphen), so the echo should work correctly. + # The option is referenced via a variable to avoid confusing sed. + lt_compile=`echo "$ac_compile" | $SED \ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` + (eval echo "\"\$as_me:8811: $lt_compile\"" >&5) + (eval "$lt_compile" 2>conftest.err) + ac_status=$? + cat conftest.err >&5 + echo "$as_me:8815: \$? = $ac_status" >&5 + if (exit $ac_status) && test -s "$ac_outfile"; then + # The compiler can only warn and ignore the option if not recognized + # So say no if there are warnings other than the usual output. 
+ $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp + $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 + if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then + lt_cv_prog_compiler_rtti_exceptions=yes + fi + fi + $RM conftest* - case $lt_cv_dlopen_self in - yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;; - *) enable_dlopen_self=unknown ;; - esac +fi +{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5 +$as_echo "$lt_cv_prog_compiler_rtti_exceptions" >&6; } - case $lt_cv_dlopen_self_static in - yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;; - *) enable_dlopen_self_static=unknown ;; - esac +if test x"$lt_cv_prog_compiler_rtti_exceptions" = xyes; then + lt_prog_compiler_no_builtin_flag="$lt_prog_compiler_no_builtin_flag -fno-rtti -fno-exceptions" +else + : fi +fi -# Report which library types will actually be built -{ echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5 -echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6; } -{ echo "$as_me:$LINENO: result: $can_build_shared" >&5 -echo "${ECHO_T}$can_build_shared" >&6; } - -{ echo "$as_me:$LINENO: checking whether to build shared libraries" >&5 -echo $ECHO_N "checking whether to build shared libraries... $ECHO_C" >&6; } -test "$can_build_shared" = "no" && enable_shared=no -# On AIX, shared libraries and static libraries use the same namespace, and -# are all built from PIC. 
-case $host_os in -aix3*) - test "$enable_shared" = yes && enable_static=no - if test -n "$RANLIB"; then - archive_cmds="$archive_cmds~\$RANLIB \$lib" - postinstall_cmds='$RANLIB $lib' - fi - ;; -aix4* | aix5*) - if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then - test "$enable_shared" = yes && enable_static=no - fi - ;; -esac -{ echo "$as_me:$LINENO: result: $enable_shared" >&5 -echo "${ECHO_T}$enable_shared" >&6; } -{ echo "$as_me:$LINENO: checking whether to build static libraries" >&5 -echo $ECHO_N "checking whether to build static libraries... $ECHO_C" >&6; } -# Make sure either enable_shared or enable_static is yes. -test "$enable_shared" = yes || enable_static=yes -{ echo "$as_me:$LINENO: result: $enable_static" >&5 -echo "${ECHO_T}$enable_static" >&6; } - -# The else clause should only fire when bootstrapping the -# libtool distribution, otherwise you forgot to ship ltmain.sh -# with your package, and you will get complaints that there are -# no rules to generate ltmain.sh. -if test -f "$ltmain"; then - # See if we are running on zsh, and set the options which allow our commands through - # without removal of \ escapes. - if test -n "${ZSH_VERSION+set}" ; then - setopt NO_GLOB_SUBST - fi - # Now quote all the things that may contain metacharacters while being - # careful not to overquote the AC_SUBSTed values. We take copies of the - # variables and quote the copies for generation of the libtool script. 
- for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \ - SED SHELL STRIP \ - libname_spec library_names_spec soname_spec extract_expsyms_cmds \ - old_striplib striplib file_magic_cmd finish_cmds finish_eval \ - deplibs_check_method reload_flag reload_cmds need_locks \ - lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \ - lt_cv_sys_global_symbol_to_c_name_address \ - sys_lib_search_path_spec sys_lib_dlsearch_path_spec \ - old_postinstall_cmds old_postuninstall_cmds \ - compiler \ - CC \ - LD \ - lt_prog_compiler_wl \ - lt_prog_compiler_pic \ - lt_prog_compiler_static \ - lt_prog_compiler_no_builtin_flag \ - export_dynamic_flag_spec \ - thread_safe_flag_spec \ - whole_archive_flag_spec \ - enable_shared_with_static_runtimes \ - old_archive_cmds \ - old_archive_from_new_cmds \ - predep_objects \ - postdep_objects \ - predeps \ - postdeps \ - compiler_lib_search_path \ - archive_cmds \ - archive_expsym_cmds \ - postinstall_cmds \ - postuninstall_cmds \ - old_archive_from_expsyms_cmds \ - allow_undefined_flag \ - no_undefined_flag \ - export_symbols_cmds \ - hardcode_libdir_flag_spec \ - hardcode_libdir_flag_spec_ld \ - hardcode_libdir_separator \ - hardcode_automatic \ - module_cmds \ - module_expsym_cmds \ - lt_cv_prog_compiler_c_o \ - exclude_expsyms \ - include_expsyms; do - - case $var in - old_archive_cmds | \ - old_archive_from_new_cmds | \ - archive_cmds | \ - archive_expsym_cmds | \ - module_cmds | \ - module_expsym_cmds | \ - old_archive_from_expsyms_cmds | \ - export_symbols_cmds | \ - extract_expsyms_cmds | reload_cmds | finish_cmds | \ - postinstall_cmds | postuninstall_cmds | \ - old_postinstall_cmds | old_postuninstall_cmds | \ - sys_lib_search_path_spec | sys_lib_dlsearch_path_spec) - # Double-quote double-evaled strings. 
- eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\"" - ;; - *) - eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\"" - ;; - esac - done - case $lt_echo in - *'\$0 --fallback-echo"') - lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'` - ;; - esac -cfgfile="${ofile}T" - trap "$rm \"$cfgfile\"; exit 1" 1 2 15 - $rm -f "$cfgfile" - { echo "$as_me:$LINENO: creating $ofile" >&5 -echo "$as_me: creating $ofile" >&6;} + lt_prog_compiler_wl= +lt_prog_compiler_pic= +lt_prog_compiler_static= - cat <<__EOF__ >> "$cfgfile" -#! $SHELL +{ $as_echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5 +$as_echo_n "checking for $compiler option to produce PIC... " >&6; } -# `$echo "$cfgfile" | sed 's%^.*/%%'` - Provide generalized library-building support services. -# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP) -# NOTE: Changes made to this file will be lost: look at ltmain.sh. -# -# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001 -# Free Software Foundation, Inc. -# -# This file is part of GNU Libtool: -# Originally by Gordon Matzigkeit , 1996 -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
-# -# As a special exception to the GNU General Public License, if you -# distribute this file as part of a program that contains a -# configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that program. + if test "$GCC" = yes; then + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_static='-static' -# A sed program that does not truncate output. -SED=$lt_SED + case $host_os in + aix*) + # All AIX code is PIC. + if test "$host_cpu" = ia64; then + # AIX 5 now supports IA64 processor + lt_prog_compiler_static='-Bstatic' + fi + ;; -# Sed that helps us avoid accidentally triggering echo(1) options like -n. -Xsed="$SED -e 1s/^X//" + amigaos*) + case $host_cpu in + powerpc) + # see comment about AmigaOS4 .so support + lt_prog_compiler_pic='-fPIC' + ;; + m68k) + # FIXME: we need at least 68020 code to build shared libraries, but + # adding the `-m68020' flag to GCC prevents building anything better, + # like `-m68040'. + lt_prog_compiler_pic='-m68020 -resident32 -malways-restore-a4' + ;; + esac + ;; -# The HP-UX ksh and POSIX shell print the target directory to stdout -# if CDPATH is set. -(unset CDPATH) >/dev/null 2>&1 && unset CDPATH + beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) + # PIC is the default for these OSes. + ;; -# The names of the tagged configurations supported by this script. -available_tags= + mingw* | cygwin* | pw32* | os2* | cegcc*) + # This hack is so that the source file can tell whether it is being + # built for inclusion in a dll (and should export symbols for example). 
+ # Although the cygwin gcc ignores -fPIC, still need this for old-style + # (--disable-auto-import) libraries + lt_prog_compiler_pic='-DDLL_EXPORT' + ;; -# ### BEGIN LIBTOOL CONFIG + darwin* | rhapsody*) + # PIC is the default on this platform + # Common symbols not allowed in MH_DYLIB files + lt_prog_compiler_pic='-fno-common' + ;; -# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`: + hpux*) + # PIC is the default for 64-bit PA HP-UX, but not for 32-bit + # PA HP-UX. On IA64 HP-UX, PIC is the default but the pic flag + # sets the default TLS model and affects inlining. + case $host_cpu in + hppa*64*) + # +Z the default + ;; + *) + lt_prog_compiler_pic='-fPIC' + ;; + esac + ;; -# Shell to use when invoking shell scripts. -SHELL=$lt_SHELL + interix[3-9]*) + # Interix 3.x gcc -fpic/-fPIC options generate broken code. + # Instead, we relocate shared libraries at runtime. + ;; -# Whether or not to build shared libraries. -build_libtool_libs=$enable_shared + msdosdjgpp*) + # Just because we use GCC doesn't mean we suddenly get shared libraries + # on systems that don't support them. + lt_prog_compiler_can_build_shared=no + enable_shared=no + ;; -# Whether or not to build static libraries. -build_old_libs=$enable_static + *nto* | *qnx*) + # QNX uses GNU C++, but need to define -shared option too, otherwise + # it will coredump. + lt_prog_compiler_pic='-fPIC -shared' + ;; -# Whether or not to add -lc for building shared libraries. -build_libtool_need_lc=$archive_cmds_need_lc + sysv4*MP*) + if test -d /usr/nec; then + lt_prog_compiler_pic=-Kconform_pic + fi + ;; -# Whether or not to disallow shared libs when runtime libs are static -allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes + *) + lt_prog_compiler_pic='-fPIC' + ;; + esac + else + # PORTME Check for flag to pass linker flags through the system compiler. 
+ case $host_os in + aix*) + lt_prog_compiler_wl='-Wl,' + if test "$host_cpu" = ia64; then + # AIX 5 now supports IA64 processor + lt_prog_compiler_static='-Bstatic' + else + lt_prog_compiler_static='-bnso -bI:/lib/syscalls.exp' + fi + ;; -# Whether or not to optimize for fast installation. -fast_install=$enable_fast_install + mingw* | cygwin* | pw32* | os2* | cegcc*) + # This hack is so that the source file can tell whether it is being + # built for inclusion in a dll (and should export symbols for example). + lt_prog_compiler_pic='-DDLL_EXPORT' + ;; -# The host system. -host_alias=$host_alias -host=$host -host_os=$host_os + hpux9* | hpux10* | hpux11*) + lt_prog_compiler_wl='-Wl,' + # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but + # not for PA HP-UX. + case $host_cpu in + hppa*64*|ia64*) + # +Z the default + ;; + *) + lt_prog_compiler_pic='+Z' + ;; + esac + # Is there a better lt_prog_compiler_static that works with the bundled CC? + lt_prog_compiler_static='${wl}-a ${wl}archive' + ;; -# The build system. -build_alias=$build_alias -build=$build -build_os=$build_os + irix5* | irix6* | nonstopux*) + lt_prog_compiler_wl='-Wl,' + # PIC (with -KPIC) is the default. + lt_prog_compiler_static='-non_shared' + ;; -# An echo program that does not interpret backslashes. -echo=$lt_echo + linux* | k*bsd*-gnu) + case $cc_basename in + # old Intel for x86_64 which still supported -KPIC. + ecc*) + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='-KPIC' + lt_prog_compiler_static='-static' + ;; + # icc used to be incompatible with GCC. + # ICC 10 doesn't accept -KPIC any more. + icc* | ifort*) + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='-fPIC' + lt_prog_compiler_static='-static' + ;; + # Lahey Fortran 8.1. 
+ lf95*) + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='--shared' + lt_prog_compiler_static='--static' + ;; + pgcc* | pgf77* | pgf90* | pgf95*) + # Portland Group compilers (*not* the Pentium gcc compiler, + # which looks to be a dead project) + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='-fpic' + lt_prog_compiler_static='-Bstatic' + ;; + ccc*) + lt_prog_compiler_wl='-Wl,' + # All Alpha code is PIC. + lt_prog_compiler_static='-non_shared' + ;; + xl*) + # IBM XL C 8.0/Fortran 10.1 on PPC + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='-qpic' + lt_prog_compiler_static='-qstaticlink' + ;; + *) + case `$CC -V 2>&1 | sed 5q` in + *Sun\ C*) + # Sun C 5.9 + lt_prog_compiler_pic='-KPIC' + lt_prog_compiler_static='-Bstatic' + lt_prog_compiler_wl='-Wl,' + ;; + *Sun\ F*) + # Sun Fortran 8.3 passes all unrecognized flags to the linker + lt_prog_compiler_pic='-KPIC' + lt_prog_compiler_static='-Bstatic' + lt_prog_compiler_wl='' + ;; + esac + ;; + esac + ;; -# The archiver. -AR=$lt_AR -AR_FLAGS=$lt_AR_FLAGS + newsos6) + lt_prog_compiler_pic='-KPIC' + lt_prog_compiler_static='-Bstatic' + ;; -# A C compiler. -LTCC=$lt_LTCC + *nto* | *qnx*) + # QNX uses GNU C++, but need to define -shared option too, otherwise + # it will coredump. + lt_prog_compiler_pic='-fPIC -shared' + ;; -# LTCC compiler flags. -LTCFLAGS=$lt_LTCFLAGS + osf3* | osf4* | osf5*) + lt_prog_compiler_wl='-Wl,' + # All OSF/1 code is PIC. + lt_prog_compiler_static='-non_shared' + ;; -# A language-specific compiler. -CC=$lt_compiler + rdos*) + lt_prog_compiler_static='-non_shared' + ;; -# Is the compiler the GNU C compiler? -with_gcc=$GCC + solaris*) + lt_prog_compiler_pic='-KPIC' + lt_prog_compiler_static='-Bstatic' + case $cc_basename in + f77* | f90* | f95*) + lt_prog_compiler_wl='-Qoption ld ';; + *) + lt_prog_compiler_wl='-Wl,';; + esac + ;; -# An ERE matcher. -EGREP=$lt_EGREP - -# The linker used to build libraries. -LD=$lt_LD - -# Whether we need hard or soft links. 
-LN_S=$lt_LN_S - -# A BSD-compatible nm program. -NM=$lt_NM - -# A symbol stripping program -STRIP=$lt_STRIP - -# Used to examine libraries when file_magic_cmd begins "file" -MAGIC_CMD=$MAGIC_CMD - -# Used on cygwin: DLL creation program. -DLLTOOL="$DLLTOOL" + sunos4*) + lt_prog_compiler_wl='-Qoption ld ' + lt_prog_compiler_pic='-PIC' + lt_prog_compiler_static='-Bstatic' + ;; -# Used on cygwin: object dumper. -OBJDUMP="$OBJDUMP" + sysv4 | sysv4.2uw2* | sysv4.3*) + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='-KPIC' + lt_prog_compiler_static='-Bstatic' + ;; -# Used on cygwin: assembler. -AS="$AS" + sysv4*MP*) + if test -d /usr/nec ;then + lt_prog_compiler_pic='-Kconform_pic' + lt_prog_compiler_static='-Bstatic' + fi + ;; -# The name of the directory that contains temporary libtool files. -objdir=$objdir + sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*) + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='-KPIC' + lt_prog_compiler_static='-Bstatic' + ;; -# How to create reloadable object files. -reload_flag=$lt_reload_flag -reload_cmds=$lt_reload_cmds + unicos*) + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_can_build_shared=no + ;; -# How to pass a linker flag through the compiler. -wl=$lt_lt_prog_compiler_wl + uts4*) + lt_prog_compiler_pic='-pic' + lt_prog_compiler_static='-Bstatic' + ;; -# Object file suffix (normally "o"). -objext="$ac_objext" + *) + lt_prog_compiler_can_build_shared=no + ;; + esac + fi -# Old archive suffix (normally "a"). -libext="$libext" +case $host_os in + # For platforms which do not support PIC, -DPIC is meaningless: + *djgpp*) + lt_prog_compiler_pic= + ;; + *) + lt_prog_compiler_pic="$lt_prog_compiler_pic -DPIC" + ;; +esac +{ $as_echo "$as_me:$LINENO: result: $lt_prog_compiler_pic" >&5 +$as_echo "$lt_prog_compiler_pic" >&6; } -# Shared library suffix (normally ".so"). -shrext_cmds='$shrext_cmds' -# Executable file suffix (normally ""). -exeext="$exeext" -# Additional compiler flags for building library objects. 
-pic_flag=$lt_lt_prog_compiler_pic -pic_mode=$pic_mode -# What is the maximum length of a command? -max_cmd_len=$lt_cv_sys_max_cmd_len -# Does compiler simultaneously support -c and -o options? -compiler_c_o=$lt_lt_cv_prog_compiler_c_o -# Must we lock files when doing compilation? -need_locks=$lt_need_locks +# +# Check to make sure the PIC flag actually works. +# +if test -n "$lt_prog_compiler_pic"; then + { $as_echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5 +$as_echo_n "checking if $compiler PIC flag $lt_prog_compiler_pic works... " >&6; } +if test "${lt_cv_prog_compiler_pic_works+set}" = set; then + $as_echo_n "(cached) " >&6 +else + lt_cv_prog_compiler_pic_works=no + ac_outfile=conftest.$ac_objext + echo "$lt_simple_compile_test_code" > conftest.$ac_ext + lt_compiler_flag="$lt_prog_compiler_pic -DPIC" + # Insert the option either (1) after the last *FLAGS variable, or + # (2) before a word containing "conftest.", or (3) at the end. + # Note that $ac_compile itself does not contain backslashes and begins + # with a dollar sign (not a hyphen), so the echo should work correctly. + # The option is referenced via a variable to avoid confusing sed. + lt_compile=`echo "$ac_compile" | $SED \ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` + (eval echo "\"\$as_me:9150: $lt_compile\"" >&5) + (eval "$lt_compile" 2>conftest.err) + ac_status=$? + cat conftest.err >&5 + echo "$as_me:9154: \$? = $ac_status" >&5 + if (exit $ac_status) && test -s "$ac_outfile"; then + # The compiler can only warn and ignore the option if not recognized + # So say no if there are warnings other than the usual output. + $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp + $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 + if test ! 
-s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then + lt_cv_prog_compiler_pic_works=yes + fi + fi + $RM conftest* -# Do we need the lib prefix for modules? -need_lib_prefix=$need_lib_prefix +fi +{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works" >&5 +$as_echo "$lt_cv_prog_compiler_pic_works" >&6; } -# Do we need a version for libraries? -need_version=$need_version +if test x"$lt_cv_prog_compiler_pic_works" = xyes; then + case $lt_prog_compiler_pic in + "" | " "*) ;; + *) lt_prog_compiler_pic=" $lt_prog_compiler_pic" ;; + esac +else + lt_prog_compiler_pic= + lt_prog_compiler_can_build_shared=no +fi -# Whether dlopen is supported. -dlopen_support=$enable_dlopen +fi -# Whether dlopen of programs is supported. -dlopen_self=$enable_dlopen_self -# Whether dlopen of statically linked programs is supported. -dlopen_self_static=$enable_dlopen_self_static -# Compiler flag to prevent dynamic linking. -link_static_flag=$lt_lt_prog_compiler_static -# Compiler flag to turn off builtin functions. -no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag -# Compiler flag to allow reflexive dlopens. -export_dynamic_flag_spec=$lt_export_dynamic_flag_spec -# Compiler flag to generate shared objects directly from archives. -whole_archive_flag_spec=$lt_whole_archive_flag_spec +# +# Check to make sure the static flag actually works. +# +wl=$lt_prog_compiler_wl eval lt_tmp_static_flag=\"$lt_prog_compiler_static\" +{ $as_echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5 +$as_echo_n "checking if $compiler static flag $lt_tmp_static_flag works... 
" >&6; } +if test "${lt_cv_prog_compiler_static_works+set}" = set; then + $as_echo_n "(cached) " >&6 +else + lt_cv_prog_compiler_static_works=no + save_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS $lt_tmp_static_flag" + echo "$lt_simple_link_test_code" > conftest.$ac_ext + if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then + # The linker can only warn and ignore the option if not recognized + # So say no if there are warnings + if test -s conftest.err; then + # Append any errors to the config.log. + cat conftest.err 1>&5 + $ECHO "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp + $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 + if diff conftest.exp conftest.er2 >/dev/null; then + lt_cv_prog_compiler_static_works=yes + fi + else + lt_cv_prog_compiler_static_works=yes + fi + fi + $RM -r conftest* + LDFLAGS="$save_LDFLAGS" -# Compiler flag to generate thread-safe objects. -thread_safe_flag_spec=$lt_thread_safe_flag_spec +fi +{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works" >&5 +$as_echo "$lt_cv_prog_compiler_static_works" >&6; } -# Library versioning type. -version_type=$version_type +if test x"$lt_cv_prog_compiler_static_works" = xyes; then + : +else + lt_prog_compiler_static= +fi -# Format of library name prefix. -libname_spec=$lt_libname_spec -# List of archive names. First name is the real one, the rest are links. -# The last name is the one that the linker finds with -lNAME. -library_names_spec=$lt_library_names_spec -# The coded name of the library, if different from the real name. -soname_spec=$lt_soname_spec -# Commands used to build and install an old-style archive. -RANLIB=$lt_RANLIB -old_archive_cmds=$lt_old_archive_cmds -old_postinstall_cmds=$lt_old_postinstall_cmds -old_postuninstall_cmds=$lt_old_postuninstall_cmds -# Create an old-style archive from a shared archive. -old_archive_from_new_cmds=$lt_old_archive_from_new_cmds -# Create a temporary old-style archive to link instead of a shared archive. 
-old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds -# Commands used to build and install a shared archive. -archive_cmds=$lt_archive_cmds -archive_expsym_cmds=$lt_archive_expsym_cmds -postinstall_cmds=$lt_postinstall_cmds -postuninstall_cmds=$lt_postuninstall_cmds + { $as_echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5 +$as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; } +if test "${lt_cv_prog_compiler_c_o+set}" = set; then + $as_echo_n "(cached) " >&6 +else + lt_cv_prog_compiler_c_o=no + $RM -r conftest 2>/dev/null + mkdir conftest + cd conftest + mkdir out + echo "$lt_simple_compile_test_code" > conftest.$ac_ext -# Commands used to build a loadable module (assumed same as above if empty) -module_cmds=$lt_module_cmds -module_expsym_cmds=$lt_module_expsym_cmds + lt_compiler_flag="-o out/conftest2.$ac_objext" + # Insert the option either (1) after the last *FLAGS variable, or + # (2) before a word containing "conftest.", or (3) at the end. + # Note that $ac_compile itself does not contain backslashes and begins + # with a dollar sign (not a hyphen), so the echo should work correctly. + lt_compile=`echo "$ac_compile" | $SED \ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` + (eval echo "\"\$as_me:9255: $lt_compile\"" >&5) + (eval "$lt_compile" 2>out/conftest.err) + ac_status=$? + cat out/conftest.err >&5 + echo "$as_me:9259: \$? = $ac_status" >&5 + if (exit $ac_status) && test -s out/conftest2.$ac_objext + then + # The compiler can only warn and ignore the option if not recognized + # So say no if there are warnings + $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp + $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2 + if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then + lt_cv_prog_compiler_c_o=yes + fi + fi + chmod u+w . 
2>&5 + $RM conftest* + # SGI C++ compiler will create directory out/ii_files/ for + # template instantiation + test -d out/ii_files && $RM out/ii_files/* && rmdir out/ii_files + $RM out/* && rmdir out + cd .. + $RM -r conftest + $RM conftest* -# Commands to strip libraries. -old_striplib=$lt_old_striplib -striplib=$lt_striplib +fi +{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o" >&5 +$as_echo "$lt_cv_prog_compiler_c_o" >&6; } -# Dependencies to place before the objects being linked to create a -# shared library. -predep_objects=$lt_predep_objects - -# Dependencies to place after the objects being linked to create a -# shared library. -postdep_objects=$lt_postdep_objects - -# Dependencies to place before the objects being linked to create a -# shared library. -predeps=$lt_predeps - -# Dependencies to place after the objects being linked to create a -# shared library. -postdeps=$lt_postdeps - -# The library search path used internally by the compiler when linking -# a shared library. -compiler_lib_search_path=$lt_compiler_lib_search_path -# Method to check whether dependent libraries are shared objects. -deplibs_check_method=$lt_deplibs_check_method -# Command to use when deplibs_check_method == file_magic. -file_magic_cmd=$lt_file_magic_cmd -# Flag that allows shared libraries with undefined symbols to be built. -allow_undefined_flag=$lt_allow_undefined_flag -# Flag that forces no undefined symbols. -no_undefined_flag=$lt_no_undefined_flag -# Commands used to finish a libtool library installation in a directory. -finish_cmds=$lt_finish_cmds + { $as_echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5 +$as_echo_n "checking if $compiler supports -c -o file.$ac_objext... 
" >&6; } +if test "${lt_cv_prog_compiler_c_o+set}" = set; then + $as_echo_n "(cached) " >&6 +else + lt_cv_prog_compiler_c_o=no + $RM -r conftest 2>/dev/null + mkdir conftest + cd conftest + mkdir out + echo "$lt_simple_compile_test_code" > conftest.$ac_ext -# Same as above, but a single script fragment to be evaled but not shown. -finish_eval=$lt_finish_eval + lt_compiler_flag="-o out/conftest2.$ac_objext" + # Insert the option either (1) after the last *FLAGS variable, or + # (2) before a word containing "conftest.", or (3) at the end. + # Note that $ac_compile itself does not contain backslashes and begins + # with a dollar sign (not a hyphen), so the echo should work correctly. + lt_compile=`echo "$ac_compile" | $SED \ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` + (eval echo "\"\$as_me:9310: $lt_compile\"" >&5) + (eval "$lt_compile" 2>out/conftest.err) + ac_status=$? + cat out/conftest.err >&5 + echo "$as_me:9314: \$? = $ac_status" >&5 + if (exit $ac_status) && test -s out/conftest2.$ac_objext + then + # The compiler can only warn and ignore the option if not recognized + # So say no if there are warnings + $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp + $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2 + if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then + lt_cv_prog_compiler_c_o=yes + fi + fi + chmod u+w . 2>&5 + $RM conftest* + # SGI C++ compiler will create directory out/ii_files/ for + # template instantiation + test -d out/ii_files && $RM out/ii_files/* && rmdir out/ii_files + $RM out/* && rmdir out + cd .. + $RM -r conftest + $RM conftest* -# Take the output of nm and produce a listing of raw symbols and C names. 
-global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe +fi +{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o" >&5 +$as_echo "$lt_cv_prog_compiler_c_o" >&6; } -# Transform the output of nm in a proper C declaration -global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl -# Transform the output of nm in a C name address pair -global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address -# This is the shared library runtime path variable. -runpath_var=$runpath_var -# This is the shared library path variable. -shlibpath_var=$shlibpath_var +hard_links="nottested" +if test "$lt_cv_prog_compiler_c_o" = no && test "$need_locks" != no; then + # do not overwrite the value of need_locks provided by the user + { $as_echo "$as_me:$LINENO: checking if we can lock with hard links" >&5 +$as_echo_n "checking if we can lock with hard links... " >&6; } + hard_links=yes + $RM conftest* + ln conftest.a conftest.b 2>/dev/null && hard_links=no + touch conftest.a + ln conftest.a conftest.b 2>&5 || hard_links=no + ln conftest.a conftest.b 2>/dev/null && hard_links=no + { $as_echo "$as_me:$LINENO: result: $hard_links" >&5 +$as_echo "$hard_links" >&6; } + if test "$hard_links" = no; then + { $as_echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5 +$as_echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;} + need_locks=warn + fi +else + need_locks=no +fi -# Is shlibpath searched before the hard-coded library search path? -shlibpath_overrides_runpath=$shlibpath_overrides_runpath -# How to hardcode a shared library path into an executable. -hardcode_action=$hardcode_action -# Whether we should hardcode library paths into libraries. -hardcode_into_libs=$hardcode_into_libs -# Flag to hardcode \$libdir into a binary during linking. -# This must work even if \$libdir does not exist. 
-hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec -# If ld is used when linking, flag to hardcode \$libdir into -# a binary during linking. This must work even if \$libdir does -# not exist. -hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld -# Whether we need a single -rpath flag with a separated argument. -hardcode_libdir_separator=$lt_hardcode_libdir_separator + { $as_echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5 +$as_echo_n "checking whether the $compiler linker ($LD) supports shared libraries... " >&6; } -# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the -# resulting binary. -hardcode_direct=$hardcode_direct + runpath_var= + allow_undefined_flag= + always_export_symbols=no + archive_cmds= + archive_expsym_cmds= + compiler_needs_object=no + enable_shared_with_static_runtimes=no + export_dynamic_flag_spec= + export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' + hardcode_automatic=no + hardcode_direct=no + hardcode_direct_absolute=no + hardcode_libdir_flag_spec= + hardcode_libdir_flag_spec_ld= + hardcode_libdir_separator= + hardcode_minus_L=no + hardcode_shlibpath_var=unsupported + inherit_rpath=no + link_all_deplibs=unknown + module_cmds= + module_expsym_cmds= + old_archive_from_new_cmds= + old_archive_from_expsyms_cmds= + thread_safe_flag_spec= + whole_archive_flag_spec= + # include_expsyms should be a list of space-separated symbols to be *always* + # included in the symbol list + include_expsyms= + # exclude_expsyms can be an extended regexp of symbols to exclude + # it will be wrapped by ` (' and `)$', so one must not match beginning or + # end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc', + # as well as any symbol that contains `d'. 
+ exclude_expsyms='_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*' + # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out + # platforms (ab)use it in PIC code, but their linkers get confused if + # the symbol is explicitly referenced. Since portable code cannot + # rely on this symbol name, it's probably fine to never include it in + # preloaded symbol tables. + # Exclude shared library initialization/finalization symbols. + extract_expsyms_cmds= -# Set to yes if using the -LDIR flag during linking hardcodes DIR into the -# resulting binary. -hardcode_minus_L=$hardcode_minus_L + case $host_os in + cygwin* | mingw* | pw32* | cegcc*) + # FIXME: the MSVC++ port hasn't been tested in a loooong time + # When not using gcc, we currently assume that we are using + # Microsoft Visual C++. + if test "$GCC" != yes; then + with_gnu_ld=no + fi + ;; + interix*) + # we just hope/assume this is gcc and not c89 (= MSVC++) + with_gnu_ld=yes + ;; + openbsd*) + with_gnu_ld=no + ;; + esac -# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into -# the resulting binary. -hardcode_shlibpath_var=$hardcode_shlibpath_var + ld_shlibs=yes + if test "$with_gnu_ld" = yes; then + # If archive_cmds runs LD, not CC, wlarc should be empty + wlarc='${wl}' -# Set to yes if building a shared library automatically hardcodes DIR into the library -# and all subsequent libraries and executables linked against it. -hardcode_automatic=$hardcode_automatic + # Set some defaults for GNU ld with shared library support. These + # are reset later if shared libraries are not supported. Putting them + # here allows them to be overridden if necessary. + runpath_var=LD_RUN_PATH + hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' + export_dynamic_flag_spec='${wl}--export-dynamic' + # ancient GNU ld didn't support --whole-archive et. al. 
+ if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then + whole_archive_flag_spec="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' + else + whole_archive_flag_spec= + fi + supports_anon_versioning=no + case `$LD -v 2>&1` in + *\ [01].* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11 + *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ... + *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ... + *\ 2.11.*) ;; # other 2.11 versions + *) supports_anon_versioning=yes ;; + esac -# Variables whose values should be saved in libtool wrapper scripts and -# restored at relink time. -variables_saved_for_relink="$variables_saved_for_relink" + # See if GNU ld supports shared libraries. + case $host_os in + aix[3-9]*) + # On AIX/PPC, the GNU linker is very broken + if test "$host_cpu" != ia64; then + ld_shlibs=no + cat <<_LT_EOF 1>&2 -# Whether libtool must link a program against all its dependency libraries. -link_all_deplibs=$link_all_deplibs +*** Warning: the GNU linker, at least up to release 2.9.1, is reported +*** to be unable to reliably create shared libraries on AIX. +*** Therefore, libtool is disabling shared libraries support. If you +*** really care for shared libraries, you may want to modify your PATH +*** so that a non-GNU linker is found, and then restart. 
-# Compile-time system search path for libraries -sys_lib_search_path_spec=$lt_sys_lib_search_path_spec +_LT_EOF + fi + ;; -# Run-time system search path for libraries -sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec + amigaos*) + case $host_cpu in + powerpc) + # see comment about AmigaOS4 .so support + archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + archive_expsym_cmds='' + ;; + m68k) + archive_cmds='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' + hardcode_libdir_flag_spec='-L$libdir' + hardcode_minus_L=yes + ;; + esac + ;; -# Fix the shell variable \$srcfile for the compiler. -fix_srcfile_path="$fix_srcfile_path" + beos*) + if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + allow_undefined_flag=unsupported + # Joseph Beckenbach says some releases of gcc + # support --undefined. This deserves some investigation. FIXME + archive_cmds='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + else + ld_shlibs=no + fi + ;; -# Set to yes if exported symbols are required. -always_export_symbols=$always_export_symbols + cygwin* | mingw* | pw32* | cegcc*) + # _LT_TAGVAR(hardcode_libdir_flag_spec, ) is actually meaningless, + # as there is no search path for DLLs. 
+ hardcode_libdir_flag_spec='-L$libdir' + allow_undefined_flag=unsupported + always_export_symbols=no + enable_shared_with_static_runtimes=yes + export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols' -# The commands to list exported symbols. -export_symbols_cmds=$lt_export_symbols_cmds + if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then + archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' + # If the export-symbols file already is a .def file (1st line + # is EXPORTS), use it as is; otherwise, prepend... + archive_expsym_cmds='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then + cp $export_symbols $output_objdir/$soname.def; + else + echo EXPORTS > $output_objdir/$soname.def; + cat $export_symbols >> $output_objdir/$soname.def; + fi~ + $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' + else + ld_shlibs=no + fi + ;; -# The commands to extract the exported symbol list from a shared archive. -extract_expsyms_cmds=$lt_extract_expsyms_cmds + interix[3-9]*) + hardcode_direct=no + hardcode_shlibpath_var=no + hardcode_libdir_flag_spec='${wl}-rpath,$libdir' + export_dynamic_flag_spec='${wl}-E' + # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc. + # Instead, shared libraries are loaded at an image base (0x10000000 by + # default) and relocated if they conflict, which is a slow very memory + # consuming and fragmenting process. To avoid this, we pick a random, + # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link + # time. Moving up from 0x10000000 also allows more sbrk(2) space. 
+ archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' + archive_expsym_cmds='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' + ;; -# Symbols that should not be listed in the preloaded symbols. -exclude_expsyms=$lt_exclude_expsyms + gnu* | linux* | tpf* | k*bsd*-gnu) + tmp_diet=no + if test "$host_os" = linux-dietlibc; then + case $cc_basename in + diet\ *) tmp_diet=yes;; # linux-dietlibc with static linking (!diet-dyn) + esac + fi + if $LD --help 2>&1 | $EGREP ': supported targets:.* elf' > /dev/null \ + && test "$tmp_diet" = no + then + tmp_addflag= + tmp_sharedflag='-shared' + case $cc_basename,$host_cpu in + pgcc*) # Portland Group C compiler + whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive' + tmp_addflag=' $pic_flag' + ;; + pgf77* | pgf90* | pgf95*) # Portland Group f77 and f90 compilers + whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive' + tmp_addflag=' $pic_flag -Mnomain' ;; + ecc*,ia64* | icc*,ia64*) # Intel C compiler on ia64 + tmp_addflag=' -i_dynamic' ;; + efc*,ia64* | ifort*,ia64*) # Intel Fortran compiler on ia64 + tmp_addflag=' -i_dynamic -nofor_main' ;; + ifc* | ifort*) # Intel Fortran compiler + tmp_addflag=' -nofor_main' ;; + lf95*) # Lahey Fortran 8.1 + whole_archive_flag_spec= + tmp_sharedflag='--shared' ;; + xl[cC]*) # IBM XL C 8.0 on PPC (deal with xlf below) + tmp_sharedflag='-qmkshrobj' + tmp_addflag= ;; + esac 
+ case `$CC -V 2>&1 | sed 5q` in + *Sun\ C*) # Sun C 5.9 + whole_archive_flag_spec='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive' + compiler_needs_object=yes + tmp_sharedflag='-G' ;; + *Sun\ F*) # Sun Fortran 8.3 + tmp_sharedflag='-G' ;; + esac + archive_cmds='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' -# Symbols that must always be exported. -include_expsyms=$lt_include_expsyms + if test "x$supports_anon_versioning" = xyes; then + archive_expsym_cmds='echo "{ global:" > $output_objdir/$libname.ver~ + cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ + echo "local: *; };" >> $output_objdir/$libname.ver~ + $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib' + fi -# ### END LIBTOOL CONFIG + case $cc_basename in + xlf*) + # IBM XL Fortran 10.1 on PPC cannot create shared libs itself + whole_archive_flag_spec='--whole-archive$convenience --no-whole-archive' + hardcode_libdir_flag_spec= + hardcode_libdir_flag_spec_ld='-rpath $libdir' + archive_cmds='$LD -shared $libobjs $deplibs $compiler_flags -soname $soname -o $lib' + if test "x$supports_anon_versioning" = xyes; then + archive_expsym_cmds='echo "{ global:" > $output_objdir/$libname.ver~ + cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ + echo "local: *; };" >> $output_objdir/$libname.ver~ + $LD -shared $libobjs $deplibs $compiler_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib' + fi + ;; + esac + else + ld_shlibs=no + fi + ;; -__EOF__ + netbsd*) + if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then + archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' + wlarc= + else + archive_cmds='$CC -shared 
$libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + fi + ;; + solaris*) + if $LD -v 2>&1 | $GREP 'BFD 2\.8' > /dev/null; then + ld_shlibs=no + cat <<_LT_EOF 1>&2 - case $host_os in - aix3*) - cat <<\EOF >> "$cfgfile" +*** Warning: The releases 2.8.* of the GNU linker cannot reliably +*** create shared libraries on Solaris systems. Therefore, libtool +*** is disabling shared libraries support. We urge you to upgrade GNU +*** binutils to release 2.9.1 or newer. Another option is to modify +*** your PATH or compiler configuration so that the native linker is +*** used, and then restart. -# AIX sometimes has problems with the GCC collect2 program. For some -# reason, if we set the COLLECT_NAMES environment variable, the problems -# vanish in a puff of smoke. -if test "X${COLLECT_NAMES+set}" != Xset; then - COLLECT_NAMES= - export COLLECT_NAMES -fi -EOF - ;; - esac +_LT_EOF + elif $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + else + ld_shlibs=no + fi + ;; - # We use sed instead of cat because bash on DJGPP gets confused if - # if finds mixed CR/LF and LF-only lines. Since sed operates in - # text mode, it properly converts lines to CR/LF. This bash problem - # is reportedly fixed, but why not run on old versions too? 
- sed '$q' "$ltmain" >> "$cfgfile" || (rm -f "$cfgfile"; exit 1) + sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*) + case `$LD -v 2>&1` in + *\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*) + ld_shlibs=no + cat <<_LT_EOF 1>&2 - mv -f "$cfgfile" "$ofile" || \ - (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile") - chmod +x "$ofile" +*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not +*** reliably create shared libraries on SCO systems. Therefore, libtool +*** is disabling shared libraries support. We urge you to upgrade GNU +*** binutils to release 2.16.91.0.3 or newer. Another option is to modify +*** your PATH or compiler configuration so that the native linker is +*** used, and then restart. -else - # If there is no Makefile yet, we rely on a make rule to execute - # `config.status --recheck' to rerun these tests and create the - # libtool script then. - ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'` - if test -f "$ltmain_in"; then - test -f Makefile && make "$ltmain" - fi -fi - - -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu - -CC="$lt_save_CC" - - -# Check whether --with-tags was given. -if test "${with_tags+set}" = set; then - withval=$with_tags; tagnames="$withval" -fi - - -if test -f "$ltmain" && test -n "$tagnames"; then - if test ! 
-f "${ofile}"; then - { echo "$as_me:$LINENO: WARNING: output file \`$ofile' does not exist" >&5 -echo "$as_me: WARNING: output file \`$ofile' does not exist" >&2;} - fi - - if test -z "$LTCC"; then - eval "`$SHELL ${ofile} --config | grep '^LTCC='`" - if test -z "$LTCC"; then - { echo "$as_me:$LINENO: WARNING: output file \`$ofile' does not look like a libtool script" >&5 -echo "$as_me: WARNING: output file \`$ofile' does not look like a libtool script" >&2;} - else - { echo "$as_me:$LINENO: WARNING: using \`LTCC=$LTCC', extracted from \`$ofile'" >&5 -echo "$as_me: WARNING: using \`LTCC=$LTCC', extracted from \`$ofile'" >&2;} - fi - fi - if test -z "$LTCFLAGS"; then - eval "`$SHELL ${ofile} --config | grep '^LTCFLAGS='`" - fi +_LT_EOF + ;; + *) + # For security reasons, it is highly recommended that you always + # use absolute paths for naming shared libraries, and exclude the + # DT_RUNPATH tag from executables and libraries. But doing so + # requires that you compile everything twice, which is a pain. + if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' + archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + else + ld_shlibs=no + fi + ;; + esac + ;; - # Extract list of available tagged configurations in $ofile. - # Note that this assumes the entire list is on one line. 
- available_tags=`grep "^available_tags=" "${ofile}" | $SED -e 's/available_tags=\(.*$\)/\1/' -e 's/\"//g'` + sunos4*) + archive_cmds='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags' + wlarc= + hardcode_direct=yes + hardcode_shlibpath_var=no + ;; - lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," - for tagname in $tagnames; do - IFS="$lt_save_ifs" - # Check whether tagname contains only valid characters - case `$echo "X$tagname" | $Xsed -e 's:[-_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890,/]::g'` in - "") ;; - *) { { echo "$as_me:$LINENO: error: invalid tag name: $tagname" >&5 -echo "$as_me: error: invalid tag name: $tagname" >&2;} - { (exit 1); exit 1; }; } - ;; + *) + if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + else + ld_shlibs=no + fi + ;; esac - if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "${ofile}" > /dev/null - then - { { echo "$as_me:$LINENO: error: tag name \"$tagname\" already exists" >&5 -echo "$as_me: error: tag name \"$tagname\" already exists" >&2;} - { (exit 1); exit 1; }; } + if test "$ld_shlibs" = no; then + runpath_var= + hardcode_libdir_flag_spec= + export_dynamic_flag_spec= + whole_archive_flag_spec= fi + else + # PORTME fill in a description of your system's linker (not GNU ld) + case $host_os in + aix3*) + allow_undefined_flag=unsupported + always_export_symbols=yes + archive_expsym_cmds='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname' + # Note: this linker hardcodes the directories in LIBPATH if there + # are no directories specified by -L. 
+ hardcode_minus_L=yes + if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then + # Neither direct hardcoding nor static linking is supported with a + # broken collect2. + hardcode_direct=unsupported + fi + ;; - # Update the list of available tags. - if test -n "$tagname"; then - echo appending configuration tag \"$tagname\" to $ofile - - case $tagname in - CXX) - if test -n "$CXX" && ( test "X$CXX" != "Xno" && - ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) || - (test "X$CXX" != "Xg++"))) ; then - ac_ext=cpp -ac_cpp='$CXXCPP $CPPFLAGS' -ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_cxx_compiler_gnu - + aix[4-9]*) + if test "$host_cpu" = ia64; then + # On IA64, the linker does run time linking by default, so we don't + # have to do anything special. + aix_use_runtimelinking=no + exp_sym_flag='-Bexport' + no_entry_flag="" + else + # If we're using GNU nm, then we don't want the "-C" option. + # -C means demangle to AIX nm, but means don't demangle with GNU nm + if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then + export_symbols_cmds='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && (substr(\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols' + else + export_symbols_cmds='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && (substr(\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols' + fi + aix_use_runtimelinking=no + # Test if we are trying to use run time linking or normal + # AIX style linking. If -brtl is somewhere in LDFLAGS, we + # need to do runtime linking. 
+ case $host_os in aix4.[23]|aix4.[23].*|aix[5-9]*) + for ld_flag in $LDFLAGS; do + if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then + aix_use_runtimelinking=yes + break + fi + done + ;; + esac + exp_sym_flag='-bexport' + no_entry_flag='-bnoentry' + fi -archive_cmds_need_lc_CXX=no -allow_undefined_flag_CXX= -always_export_symbols_CXX=no -archive_expsym_cmds_CXX= -export_dynamic_flag_spec_CXX= -hardcode_direct_CXX=no -hardcode_libdir_flag_spec_CXX= -hardcode_libdir_flag_spec_ld_CXX= -hardcode_libdir_separator_CXX= -hardcode_minus_L_CXX=no -hardcode_shlibpath_var_CXX=unsupported -hardcode_automatic_CXX=no -module_cmds_CXX= -module_expsym_cmds_CXX= -link_all_deplibs_CXX=unknown -old_archive_cmds_CXX=$old_archive_cmds -no_undefined_flag_CXX= -whole_archive_flag_spec_CXX= -enable_shared_with_static_runtimes_CXX=no - -# Dependencies to place before and after the object being linked: -predep_objects_CXX= -postdep_objects_CXX= -predeps_CXX= -postdeps_CXX= -compiler_lib_search_path_CXX= + # When large executables or shared objects are built, AIX ld can + # have problems creating the table of contents. If linking a library + # or program results in "error TOC overflow" add -mminimal-toc to + # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not + # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS. -# Source file extension for C++ test sources. -ac_ext=cpp + archive_cmds='' + hardcode_direct=yes + hardcode_direct_absolute=yes + hardcode_libdir_separator=':' + link_all_deplibs=yes + file_list_spec='${wl}-f,' -# Object file extension for compiled C++ test sources. 
-objext=o -objext_CXX=$objext + if test "$GCC" = yes; then + case $host_os in aix4.[012]|aix4.[012].*) + # We only want to do this on AIX 4.2 and lower, the check + # below for broken collect2 doesn't work under 4.3+ + collect2name=`${CC} -print-prog-name=collect2` + if test -f "$collect2name" && + strings "$collect2name" | $GREP resolve_lib_name >/dev/null + then + # We have reworked collect2 + : + else + # We have old collect2 + hardcode_direct=unsupported + # It fails to find uninstalled libraries when the uninstalled + # path is not listed in the libpath. Setting hardcode_minus_L + # to unsupported forces relinking + hardcode_minus_L=yes + hardcode_libdir_flag_spec='-L$libdir' + hardcode_libdir_separator= + fi + ;; + esac + shared_flag='-shared' + if test "$aix_use_runtimelinking" = yes; then + shared_flag="$shared_flag "'${wl}-G' + fi + else + # not using gcc + if test "$host_cpu" = ia64; then + # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release + # chokes on -Wl,-G. The following line is correct: + shared_flag='-G' + else + if test "$aix_use_runtimelinking" = yes; then + shared_flag='${wl}-G' + else + shared_flag='${wl}-bM:SRE' + fi + fi + fi -# Code to be used in simple compile tests -lt_simple_compile_test_code="int some_variable = 0;\n" + export_dynamic_flag_spec='${wl}-bexpall' + # It seems that -bexpall does not export symbols beginning with + # underscore (_), so it is better to generate a list of symbols to export. + always_export_symbols=yes + if test "$aix_use_runtimelinking" = yes; then + # Warning - without using the other runtime loading flags (-brtl), + # -berok will link without error, but may produce a broken library. + allow_undefined_flag='-berok' + # Determine the default libpath from the value encoded in an + # empty executable. + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ -# Code to be used in simple link tests -lt_simple_link_test_code='int main(int, char *[]) { return(0); }\n' +int +main () +{ -# ltmain only uses $CC for tagged configurations so make sure $CC is set. + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then -# If no C compiler was specified, use CC. -LTCC=${LTCC-"$CC"} +lt_aix_libpath_sed=' + /Import File Strings/,/^$/ { + /^0/ { + s/^0 *\(.*\)$/\1/ + p + } + }' +aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` +# Check for a 64-bit object if we didn't find anything. +if test -z "$aix_libpath"; then + aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` +fi +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -# If no C compiler flags were specified, use CFLAGS. -LTCFLAGS=${LTCFLAGS-"$CFLAGS"} -# Allow CC to be a program name with arguments. 
-compiler=$CC +fi +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi -# save warnings/boilerplate of simple test code -ac_outfile=conftest.$ac_objext -printf "$lt_simple_compile_test_code" >conftest.$ac_ext -eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err -_lt_compiler_boilerplate=`cat conftest.err` -$rm conftest* + hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath" + archive_expsym_cmds='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then $ECHO "X${wl}${allow_undefined_flag}" | $Xsed; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag" + else + if test "$host_cpu" = ia64; then + hardcode_libdir_flag_spec='${wl}-R $libdir:/usr/lib:/lib' + allow_undefined_flag="-z nodefs" + archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols" + else + # Determine the default libpath from the value encoded in an + # empty executable. + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ -ac_outfile=conftest.$ac_objext -printf "$lt_simple_link_test_code" >conftest.$ac_ext -eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err -_lt_linker_boilerplate=`cat conftest.err` -$rm conftest* +int +main () +{ + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? 
+ grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then -# Allow CC to be a program name with arguments. -lt_save_CC=$CC -lt_save_LD=$LD -lt_save_GCC=$GCC -GCC=$GXX -lt_save_with_gnu_ld=$with_gnu_ld -lt_save_path_LD=$lt_cv_path_LD -if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then - lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx -else - $as_unset lt_cv_prog_gnu_ld +lt_aix_libpath_sed=' + /Import File Strings/,/^$/ { + /^0/ { + s/^0 *\(.*\)$/\1/ + p + } + }' +aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` +# Check for a 64-bit object if we didn't find anything. +if test -z "$aix_libpath"; then + aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` fi -if test -n "${lt_cv_path_LDCXX+set}"; then - lt_cv_path_LD=$lt_cv_path_LDCXX else - $as_unset lt_cv_path_LD -fi -test -z "${LDCXX+set}" || LD=$LDCXX -CC=${CXX-"c++"} -compiler=$CC -compiler_CXX=$CC -for cc_temp in $compiler""; do - case $cc_temp in - compile | *[\\/]compile | ccache | *[\\/]ccache ) ;; - distcc | *[\\/]distcc | purify | *[\\/]purify ) ;; - \-*) ;; - *) break;; - esac -done -cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"` + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -# We don't want -fno-exception wen compiling C++ code, so set the -# no_builtin_flag separately -if test "$GXX" = yes; then - lt_prog_compiler_no_builtin_flag_CXX=' -fno-builtin' -else - lt_prog_compiler_no_builtin_flag_CXX= fi -if test "$GXX" = yes; then - # Set up default GNU C++ configuration - - -# Check whether --with-gnu-ld was given. 
-if test "${with_gnu_ld+set}" = set; then - withval=$with_gnu_ld; test "$withval" = no || with_gnu_ld=yes -else - with_gnu_ld=no -fi +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi -ac_prog=ld -if test "$GCC" = yes; then - # Check if gcc -print-prog-name=ld gives a path. - { echo "$as_me:$LINENO: checking for ld used by $CC" >&5 -echo $ECHO_N "checking for ld used by $CC... $ECHO_C" >&6; } - case $host in - *-*-mingw*) - # gcc leaves a trailing carriage return which upsets mingw - ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;; - *) - ac_prog=`($CC -print-prog-name=ld) 2>&5` ;; - esac - case $ac_prog in - # Accept absolute paths. - [\\/]* | ?:[\\/]*) - re_direlt='/[^/][^/]*/\.\./' - # Canonicalize the pathname of ld - ac_prog=`echo $ac_prog| $SED 's%\\\\%/%g'` - while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do - ac_prog=`echo $ac_prog| $SED "s%$re_direlt%/%"` - done - test -z "$LD" && LD="$ac_prog" + hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath" + # Warning - without using the other run time loading flags, + # -berok will link without error, but may produce a broken library. + no_undefined_flag=' ${wl}-bernotok' + allow_undefined_flag=' ${wl}-berok' + # Exported symbols can be pulled into shared objects from archives + whole_archive_flag_spec='$convenience' + archive_cmds_need_lc=yes + # This is similar to how AIX traditionally builds its shared libraries. + archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname' + fi + fi ;; - "") - # If it fails, then pretend we aren't using GCC. - ac_prog=ld - ;; - *) - # If it is relative, then search for the first ld in PATH. 
- with_gnu_ld=unknown - ;; - esac -elif test "$with_gnu_ld" = yes; then - { echo "$as_me:$LINENO: checking for GNU ld" >&5 -echo $ECHO_N "checking for GNU ld... $ECHO_C" >&6; } -else - { echo "$as_me:$LINENO: checking for non-GNU ld" >&5 -echo $ECHO_N "checking for non-GNU ld... $ECHO_C" >&6; } -fi -if test "${lt_cv_path_LD+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -z "$LD"; then - lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR - for ac_dir in $PATH; do - IFS="$lt_save_ifs" - test -z "$ac_dir" && ac_dir=. - if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then - lt_cv_path_LD="$ac_dir/$ac_prog" - # Check to see if the program is GNU ld. I'd rather use --version, - # but apparently some variants of GNU ld only accept -v. - # Break only if it was the GNU/non-GNU ld that we prefer. - case `"$lt_cv_path_LD" -v 2>&1 &5 -echo "${ECHO_T}$LD" >&6; } -else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } -fi -test -z "$LD" && { { echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5 -echo "$as_me: error: no acceptable ld found in \$PATH" >&2;} - { (exit 1); exit 1; }; } -{ echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5 -echo $ECHO_N "checking if the linker ($LD) is GNU ld... $ECHO_C" >&6; } -if test "${lt_cv_prog_gnu_ld+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - # I'd rather use --version here, but apparently some GNU lds only accept -v. 
-case `$LD -v 2>&1 &5 -echo "${ECHO_T}$lt_cv_prog_gnu_ld" >&6; } -with_gnu_ld=$lt_cv_prog_gnu_ld + amigaos*) + case $host_cpu in + powerpc) + # see comment about AmigaOS4 .so support + archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + archive_expsym_cmds='' + ;; + m68k) + archive_cmds='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' + hardcode_libdir_flag_spec='-L$libdir' + hardcode_minus_L=yes + ;; + esac + ;; + bsdi[45]*) + export_dynamic_flag_spec=-rdynamic + ;; + cygwin* | mingw* | pw32* | cegcc*) + # When not using gcc, we currently assume that we are using + # Microsoft Visual C++. + # hardcode_libdir_flag_spec is actually meaningless, as there is + # no search path for DLLs. + hardcode_libdir_flag_spec=' ' + allow_undefined_flag=unsupported + # Tell ltmain to make .lib files, not .a files. + libext=lib + # Tell ltmain to make .dll files, not .so files. + shrext_cmds=".dll" + # FIXME: Setting linknames here is a bad hack. + archive_cmds='$CC -o $lib $libobjs $compiler_flags `$ECHO "X$deplibs" | $Xsed -e '\''s/ -lc$//'\''` -link -dll~linknames=' + # The linker will automatically build a .lib file if we build a DLL. + old_archive_from_new_cmds='true' + # FIXME: Should let the user specify the lib program. + old_archive_cmds='lib -OUT:$oldlib$oldobjs$old_deplibs' + fix_srcfile_path='`cygpath -w "$srcfile"`' + enable_shared_with_static_runtimes=yes + ;; - # Check if GNU C++ uses GNU ld as the underlying linker, since the - # archiving commands below assume that GNU ld is being used. 
- if test "$with_gnu_ld" = yes; then - archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib' - archive_expsym_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + darwin* | rhapsody*) - hardcode_libdir_flag_spec_CXX='${wl}--rpath ${wl}$libdir' - export_dynamic_flag_spec_CXX='${wl}--export-dynamic' - # If archive_cmds runs LD, not CC, wlarc should be empty - # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to - # investigate it a little bit more. (MM) - wlarc='${wl}' + archive_cmds_need_lc=no + hardcode_direct=no + hardcode_automatic=yes + hardcode_shlibpath_var=unsupported + whole_archive_flag_spec='' + link_all_deplibs=yes + allow_undefined_flag="$_lt_dar_allow_undefined" + case $cc_basename in + ifort*) _lt_dar_can_shared=yes ;; + *) _lt_dar_can_shared=$GCC ;; + esac + if test "$_lt_dar_can_shared" = "yes"; then + output_verbose_link_cmd=echo + archive_cmds="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}" + module_cmds="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}" + archive_expsym_cmds="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}" + module_expsym_cmds="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}" - # ancient GNU ld didn't support --whole-archive et. al. 
- if eval "`$CC -print-prog-name=ld` --help 2>&1" | \ - grep 'no-whole-archive' > /dev/null; then - whole_archive_flag_spec_CXX="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' - else - whole_archive_flag_spec_CXX= - fi else - with_gnu_ld=no - wlarc= - - # A generic and very simple default shared library creation - # command for GNU C++ for the case where it uses the native - # linker, instead of GNU ld. If possible, this setting should - # overridden to take advantage of the native linker features on - # the platform it is being used on. - archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib' + ld_shlibs=no fi - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"' + ;; -else - GXX=no - with_gnu_ld=no - wlarc= -fi + dgux*) + archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + hardcode_libdir_flag_spec='-L$libdir' + hardcode_shlibpath_var=no + ;; -# PORTME: fill in a description of your system's C++ link characteristics -{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5 -echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; } -ld_shlibs_CXX=yes -case $host_os in - aix3*) - # FIXME: insert proper C++ library support - ld_shlibs_CXX=no - ;; - aix4* | aix5*) - if test "$host_cpu" = ia64; then - # On IA64, the linker does run time linking by default, so we don't - # have to do anything special. - aix_use_runtimelinking=no - exp_sym_flag='-Bexport' - no_entry_flag="" - else - aix_use_runtimelinking=no + freebsd1*) + ld_shlibs=no + ;; - # Test if we are trying to use run time linking or normal - # AIX style linking. If -brtl is somewhere in LDFLAGS, we - # need to do runtime linking. 
- case $host_os in aix4.[23]|aix4.[23].*|aix5*) - for ld_flag in $LDFLAGS; do - case $ld_flag in - *-brtl*) - aix_use_runtimelinking=yes - break - ;; - esac - done - ;; - esac + # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor + # support. Future versions do this automatically, but an explicit c++rt0.o + # does not break anything, and helps significantly (at the cost of a little + # extra space). + freebsd2.2*) + archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o' + hardcode_libdir_flag_spec='-R$libdir' + hardcode_direct=yes + hardcode_shlibpath_var=no + ;; - exp_sym_flag='-bexport' - no_entry_flag='-bnoentry' - fi + # Unfortunately, older versions of FreeBSD 2 do not have this feature. + freebsd2*) + archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' + hardcode_direct=yes + hardcode_minus_L=yes + hardcode_shlibpath_var=no + ;; - # When large executables or shared objects are built, AIX ld can - # have problems creating the table of contents. If linking a library - # or program results in "error TOC overflow" add -mminimal-toc to - # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not - # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS. - - archive_cmds_CXX='' - hardcode_direct_CXX=yes - hardcode_libdir_separator_CXX=':' - link_all_deplibs_CXX=yes - - if test "$GXX" = yes; then - case $host_os in aix4.[012]|aix4.[012].*) - # We only want to do this on AIX 4.2 and lower, the check - # below for broken collect2 doesn't work under 4.3+ - collect2name=`${CC} -print-prog-name=collect2` - if test -f "$collect2name" && \ - strings "$collect2name" | grep resolve_lib_name >/dev/null - then - # We have reworked collect2 - hardcode_direct_CXX=yes - else - # We have old collect2 - hardcode_direct_CXX=unsupported - # It fails to find uninstalled libraries when the uninstalled - # path is not listed in the libpath. 
Setting hardcode_minus_L - # to unsupported forces relinking - hardcode_minus_L_CXX=yes - hardcode_libdir_flag_spec_CXX='-L$libdir' - hardcode_libdir_separator_CXX= - fi - ;; - esac - shared_flag='-shared' - if test "$aix_use_runtimelinking" = yes; then - shared_flag="$shared_flag "'${wl}-G' - fi - else - # not using gcc - if test "$host_cpu" = ia64; then - # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release - # chokes on -Wl,-G. The following line is correct: - shared_flag='-G' + # FreeBSD 3 and greater uses gcc -shared to do shared libraries. + freebsd* | dragonfly*) + archive_cmds='$CC -shared -o $lib $libobjs $deplibs $compiler_flags' + hardcode_libdir_flag_spec='-R$libdir' + hardcode_direct=yes + hardcode_shlibpath_var=no + ;; + + hpux9*) + if test "$GCC" = yes; then + archive_cmds='$RM $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' else - if test "$aix_use_runtimelinking" = yes; then - shared_flag='${wl}-G' - else - shared_flag='${wl}-bM:SRE' - fi + archive_cmds='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' fi - fi - - # It seems that -bexpall does not export symbols beginning with - # underscore (_), so it is better to generate a list of symbols to export. - always_export_symbols_CXX=yes - if test "$aix_use_runtimelinking" = yes; then - # Warning - without using the other runtime loading flags (-brtl), - # -berok will link without error, but may produce a broken library. - allow_undefined_flag_CXX='-berok' - # Determine the default libpath from the value encoded in an empty executable. - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. 
*/ - -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_cxx_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - -aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } -}'` -# Check for a 64-bit object if we didn't find anything. -if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } -}'`; fi -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - -fi - -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi + hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir' + hardcode_libdir_separator=: + hardcode_direct=yes - hardcode_libdir_flag_spec_CXX='${wl}-blibpath:$libdir:'"$aix_libpath" + # hardcode_minus_L: Not really in the search PATH, + # but as the default location of the library. 
+ hardcode_minus_L=yes + export_dynamic_flag_spec='${wl}-E' + ;; - archive_expsym_cmds_CXX="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag" - else - if test "$host_cpu" = ia64; then - hardcode_libdir_flag_spec_CXX='${wl}-R $libdir:/usr/lib:/lib' - allow_undefined_flag_CXX="-z nodefs" - archive_expsym_cmds_CXX="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols" + hpux10*) + if test "$GCC" = yes -a "$with_gnu_ld" = no; then + archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' else - # Determine the default libpath from the value encoded in an empty executable. - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ - -int -main () -{ + archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags' + fi + if test "$with_gnu_ld" = no; then + hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir' + hardcode_libdir_flag_spec_ld='+b $libdir' + hardcode_libdir_separator=: + hardcode_direct=yes + hardcode_direct_absolute=yes + export_dynamic_flag_spec='${wl}-E' + # hardcode_minus_L: Not really in the search PATH, + # but as the default location of the library. 
+ hardcode_minus_L=yes + fi + ;; - ; - return 0; -} + hpux11*) + if test "$GCC" = yes -a "$with_gnu_ld" = no; then + case $host_cpu in + hppa*64*) + archive_cmds='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' + ;; + ia64*) + archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags' + ;; + *) + archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' + ;; + esac + else + case $host_cpu in + hppa*64*) + archive_cmds='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' + ;; + ia64*) + archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags' + ;; + *) + archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' + ;; + esac + fi + if test "$with_gnu_ld" = no; then + hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir' + hardcode_libdir_separator=: + + case $host_cpu in + hppa*64*|ia64*) + hardcode_direct=no + hardcode_shlibpath_var=no + ;; + *) + hardcode_direct=yes + hardcode_direct_absolute=yes + export_dynamic_flag_spec='${wl}-E' + + # hardcode_minus_L: Not really in the search PATH, + # but as the default location of the library. + hardcode_minus_L=yes + ;; + esac + fi + ;; + + irix5* | irix6* | nonstopux*) + if test "$GCC" = yes; then + archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' + # Try to use the -exported_symbol ld option, if it does not + # work, assume that -exports_file does not work either and + # implicitly export all symbols. 
+ save_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null" + cat >conftest.$ac_ext <<_ACEOF +int foo(void) {} _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext if { (ac_try="$ac_link" 
@@ -12191,1516 +10158,631 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { - test -z "$ac_cxx_werror_flag" || + test -z "$ac_c_werror_flag" || test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib' -aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } -}'` -# Check for a 64-bit object if we didn't find anything. 
-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } -}'`; fi else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 fi +rm -rf conftest.dSYM rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ conftest$ac_exeext conftest.$ac_ext -if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi + LDFLAGS="$save_LDFLAGS" + else + archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib' + archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -exports_file $export_symbols -o $lib' + fi + archive_cmds_need_lc='no' + hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' + hardcode_libdir_separator=: + inherit_rpath=yes + link_all_deplibs=yes + ;; - hardcode_libdir_flag_spec_CXX='${wl}-blibpath:$libdir:'"$aix_libpath" - # Warning - without using the other run time loading flags, - # -berok will link without error, but may produce a broken library. - no_undefined_flag_CXX=' ${wl}-bernotok' - allow_undefined_flag_CXX=' ${wl}-berok' - # Exported symbols can be pulled into shared objects from archives - whole_archive_flag_spec_CXX='$convenience' - archive_cmds_need_lc_CXX=yes - # This is similar to how AIX traditionally builds its shared libraries. 
- archive_expsym_cmds_CXX="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname' + netbsd*) + if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then + archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out + else + archive_cmds='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF fi - fi - ;; + hardcode_libdir_flag_spec='-R$libdir' + hardcode_direct=yes + hardcode_shlibpath_var=no + ;; - beos*) - if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - allow_undefined_flag_CXX=unsupported - # Joseph Beckenbach says some releases of gcc - # support --undefined. This deserves some investigation. FIXME - archive_cmds_CXX='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - else - ld_shlibs_CXX=no - fi - ;; + newsos6) + archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + hardcode_direct=yes + hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' + hardcode_libdir_separator=: + hardcode_shlibpath_var=no + ;; - chorus*) - case $cc_basename in - *) - # FIXME: insert proper C++ library support - ld_shlibs_CXX=no - ;; - esac - ;; + *nto* | *qnx*) + ;; - cygwin* | mingw* | pw32*) - # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, CXX) is actually meaningless, - # as there is no search path for DLLs. 
- hardcode_libdir_flag_spec_CXX='-L$libdir' - allow_undefined_flag_CXX=unsupported - always_export_symbols_CXX=no - enable_shared_with_static_runtimes_CXX=yes - - if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then - archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' - # If the export-symbols file already is a .def file (1st line - # is EXPORTS), use it as is; otherwise, prepend... - archive_expsym_cmds_CXX='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then - cp $export_symbols $output_objdir/$soname.def; - else - echo EXPORTS > $output_objdir/$soname.def; - cat $export_symbols >> $output_objdir/$soname.def; - fi~ - $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' - else - ld_shlibs_CXX=no - fi - ;; - darwin* | rhapsody*) - case $host_os in - rhapsody* | darwin1.[012]) - allow_undefined_flag_CXX='${wl}-undefined ${wl}suppress' - ;; - *) # Darwin 1.3 on - if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then - allow_undefined_flag_CXX='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' - else - case ${MACOSX_DEPLOYMENT_TARGET} in - 10.[012]) - allow_undefined_flag_CXX='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' - ;; - 10.*) - allow_undefined_flag_CXX='${wl}-undefined ${wl}dynamic_lookup' - ;; - esac - fi - ;; - esac - archive_cmds_need_lc_CXX=no - hardcode_direct_CXX=no - hardcode_automatic_CXX=yes - hardcode_shlibpath_var_CXX=unsupported - whole_archive_flag_spec_CXX='' - link_all_deplibs_CXX=yes - - if test "$GXX" = yes ; then - lt_int_apple_cc_single_mod=no - output_verbose_link_cmd='echo' - if $CC -dumpspecs 2>&1 | $EGREP 'single_module' >/dev/null ; then - lt_int_apple_cc_single_mod=yes - fi - if test "X$lt_int_apple_cc_single_mod" = Xyes ; then 
- archive_cmds_CXX='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring' - else - archive_cmds_CXX='$CC -r -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring' - fi - module_cmds_CXX='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags' - # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds - if test "X$lt_int_apple_cc_single_mod" = Xyes ; then - archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - else - archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - fi - module_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' + openbsd*) + if test -f /usr/libexec/ld.so; then + hardcode_direct=yes + hardcode_shlibpath_var=no + hardcode_direct_absolute=yes + if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then + archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' + archive_expsym_cmds='$CC 
-shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols' + hardcode_libdir_flag_spec='${wl}-rpath,$libdir' + export_dynamic_flag_spec='${wl}-E' + else + case $host_os in + openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*) + archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' + hardcode_libdir_flag_spec='-R$libdir' + ;; + *) + archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' + hardcode_libdir_flag_spec='${wl}-rpath,$libdir' + ;; + esac + fi else - case $cc_basename in - xlc*) - output_verbose_link_cmd='echo' - archive_cmds_CXX='$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring' - module_cmds_CXX='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags' - # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds - archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - module_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - ;; - *) - ld_shlibs_CXX=no - ;; - esac + ld_shlibs=no fi - ;; + ;; - dgux*) - case $cc_basename in - ec++*) - # FIXME: insert proper C++ library support - ld_shlibs_CXX=no - ;; - ghcx*) - # Green Hills C++ Compiler - # FIXME: insert proper C++ library support - ld_shlibs_CXX=no - ;; - *) - # FIXME: insert proper C++ library support - ld_shlibs_CXX=no - ;; - esac - ;; - freebsd[12]*) - # C++ 
shared libraries reported to be fairly broken before switch to ELF - ld_shlibs_CXX=no - ;; - freebsd-elf*) - archive_cmds_need_lc_CXX=no - ;; - freebsd* | kfreebsd*-gnu | dragonfly*) - # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF - # conventions - ld_shlibs_CXX=yes - ;; - gnu*) - ;; - hpux9*) - hardcode_libdir_flag_spec_CXX='${wl}+b ${wl}$libdir' - hardcode_libdir_separator_CXX=: - export_dynamic_flag_spec_CXX='${wl}-E' - hardcode_direct_CXX=yes - hardcode_minus_L_CXX=yes # Not in the search PATH, - # but as the default - # location of the library. - - case $cc_basename in - CC*) - # FIXME: insert proper C++ library support - ld_shlibs_CXX=no - ;; - aCC*) - archive_cmds_CXX='$rm $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - # - # There doesn't appear to be a way to prevent this compiler from - # explicitly linking system object files so we need to strip them - # from the output so that they don't get included in the library - # dependencies. 
- output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "[-]L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list' + os2*) + hardcode_libdir_flag_spec='-L$libdir' + hardcode_minus_L=yes + allow_undefined_flag=unsupported + archive_cmds='$ECHO "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$ECHO DATA >> $output_objdir/$libname.def~$ECHO " SINGLE NONSHARED" >> $output_objdir/$libname.def~$ECHO EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def' + old_archive_from_new_cmds='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def' ;; - *) - if test "$GXX" = yes; then - archive_cmds_CXX='$rm $output_objdir/$soname~$CC -shared -nostdlib -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' + + osf3*) + if test "$GCC" = yes; then + allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*' + archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' else - # FIXME: insert proper C++ library support - ld_shlibs_CXX=no + allow_undefined_flag=' -expect_unresolved \*' + archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib' fi + archive_cmds_need_lc='no' + hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' + hardcode_libdir_separator=: ;; - esac - ;; - 
hpux10*|hpux11*) - if test $with_gnu_ld = no; then - hardcode_libdir_flag_spec_CXX='${wl}+b ${wl}$libdir' - hardcode_libdir_separator_CXX=: - case $host_cpu in - hppa*64*|ia64*) - hardcode_libdir_flag_spec_ld_CXX='+b $libdir' - ;; - *) - export_dynamic_flag_spec_CXX='${wl}-E' - ;; - esac - fi - case $host_cpu in - hppa*64*|ia64*) - hardcode_direct_CXX=no - hardcode_shlibpath_var_CXX=no - ;; - *) - hardcode_direct_CXX=yes - hardcode_minus_L_CXX=yes # Not in the search PATH, - # but as the default - # location of the library. + osf4* | osf5*) # as osf3* with the addition of -msym flag + if test "$GCC" = yes; then + allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*' + archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' + hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' + else + allow_undefined_flag=' -expect_unresolved \*' + archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib' + archive_expsym_cmds='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; printf "%s\\n" "-hidden">> $lib.exp~ + $CC -shared${allow_undefined_flag} ${wl}-input ${wl}$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib~$RM $lib.exp' + + # Both c and cxx compiler support -rpath directly + hardcode_libdir_flag_spec='-rpath $libdir' + fi + archive_cmds_need_lc='no' + hardcode_libdir_separator=: ;; - esac - case $cc_basename in - CC*) - # FIXME: insert proper C++ library support - ld_shlibs_CXX=no - ;; - aCC*) - case $host_cpu in - hppa*64*) - 
archive_cmds_CXX='$CC -b ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' - ;; - ia64*) - archive_cmds_CXX='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' + solaris*) + no_undefined_flag=' -z defs' + if test "$GCC" = yes; then + wlarc='${wl}' + archive_cmds='$CC -shared ${wl}-z ${wl}text ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' + archive_expsym_cmds='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ + $CC -shared ${wl}-z ${wl}text ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp' + else + case `$CC -V 2>&1` in + *"Compilers 5.0"*) + wlarc='' + archive_cmds='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags' + archive_expsym_cmds='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ + $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$RM $lib.exp' ;; *) - archive_cmds_CXX='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' + wlarc='${wl}' + archive_cmds='$CC -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $compiler_flags' + archive_expsym_cmds='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ + $CC -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp' ;; esac - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. 
- # - # There doesn't appear to be a way to prevent this compiler from - # explicitly linking system object files so we need to strip them - # from the output so that they don't get included in the library - # dependencies. - output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list' - ;; + fi + hardcode_libdir_flag_spec='-R$libdir' + hardcode_shlibpath_var=no + case $host_os in + solaris2.[0-5] | solaris2.[0-5].*) ;; *) - if test "$GXX" = yes; then - if test $with_gnu_ld = no; then - case $host_cpu in - hppa*64*) - archive_cmds_CXX='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' - ;; - ia64*) - archive_cmds_CXX='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' - ;; - *) - archive_cmds_CXX='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' - ;; - esac - fi + # The compiler driver will combine and reorder linker options, + # but understands `-z linker_flag'. GCC discards it without `$wl', + # but is careful enough not to reorder. + # Supported since Solaris 2.6 (maybe 2.5.1?) + if test "$GCC" = yes; then + whole_archive_flag_spec='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract' else - # FIXME: insert proper C++ library support - ld_shlibs_CXX=no - fi - ;; - esac - ;; - interix3*) - hardcode_direct_CXX=no - hardcode_shlibpath_var_CXX=no - hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir' - export_dynamic_flag_spec_CXX='${wl}-E' - # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc. 
- # Instead, shared libraries are loaded at an image base (0x10000000 by - # default) and relocated if they conflict, which is a slow very memory - # consuming and fragmenting process. To avoid this, we pick a random, - # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link - # time. Moving up from 0x10000000 also allows more sbrk(2) space. - archive_cmds_CXX='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' - archive_expsym_cmds_CXX='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' - ;; - irix5* | irix6*) - case $cc_basename in - CC*) - # SGI C++ - archive_cmds_CXX='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - - # Archives containing C++ object files must be created using - # "CC -ar", where "CC" is the IRIX C++ compiler. This is - # necessary to make sure instantiated templates are included - # in the archive. 
- old_archive_cmds_CXX='$CC -ar -WR,-u -o $oldlib $oldobjs' - ;; - *) - if test "$GXX" = yes; then - if test "$with_gnu_ld" = no; then - archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' - else - archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` -o $lib' - fi + whole_archive_flag_spec='-z allextract$convenience -z defaultextract' fi - link_all_deplibs_CXX=yes - ;; - esac - hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir' - hardcode_libdir_separator_CXX=: - ;; - linux*) - case $cc_basename in - KCC*) - # Kuck and Associates, Inc. (KAI) C++ Compiler - - # KCC will only create a shared library if the output file - # ends with ".so" (or ".sl" for HP-UX), so rename the library - # to its proper name (with version) after linking. - archive_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib' - archive_expsym_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib ${wl}-retain-symbols-file,$export_symbols; mv \$templib $lib' - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. 
- # - # There doesn't appear to be a way to prevent this compiler from - # explicitly linking system object files so we need to strip them - # from the output so that they don't get included in the library - # dependencies. - output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | grep "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list' - - hardcode_libdir_flag_spec_CXX='${wl}--rpath,$libdir' - export_dynamic_flag_spec_CXX='${wl}--export-dynamic' - - # Archives containing C++ object files must be created using - # "CC -Bstatic", where "CC" is the KAI C++ compiler. - old_archive_cmds_CXX='$CC -Bstatic -o $oldlib $oldobjs' - ;; - icpc*) - # Intel C++ - with_gnu_ld=yes - # version 8.0 and above of icpc choke on multiply defined symbols - # if we add $predep_objects and $postdep_objects, however 7.1 and - # earlier do not add the objects themselves. 
- case `$CC -V 2>&1` in - *"Version 7."*) - archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib' - archive_expsym_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - ;; - *) # Version 8.0 or newer - tmp_idyn= - case $host_cpu in - ia64*) tmp_idyn=' -i_dynamic';; - esac - archive_cmds_CXX='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - archive_expsym_cmds_CXX='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - ;; - esac - archive_cmds_need_lc_CXX=no - hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir' - export_dynamic_flag_spec_CXX='${wl}--export-dynamic' - whole_archive_flag_spec_CXX='${wl}--whole-archive$convenience ${wl}--no-whole-archive' ;; - pgCC*) - # Portland Group C++ compiler - archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib' - archive_expsym_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib' - - hardcode_libdir_flag_spec_CXX='${wl}--rpath ${wl}$libdir' - export_dynamic_flag_spec_CXX='${wl}--export-dynamic' - whole_archive_flag_spec_CXX='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive' - ;; - cxx*) - # Compaq C++ - archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib' - archive_expsym_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib 
${wl}-retain-symbols-file $wl$export_symbols' + esac + link_all_deplibs=yes + ;; - runpath_var=LD_RUN_PATH - hardcode_libdir_flag_spec_CXX='-rpath $libdir' - hardcode_libdir_separator_CXX=: + sunos4*) + if test "x$host_vendor" = xsequent; then + # Use $CC to link under sequent, because it throws in some extra .o + # files that make .init and .fini sections work. + archive_cmds='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags' + else + archive_cmds='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags' + fi + hardcode_libdir_flag_spec='-L$libdir' + hardcode_direct=yes + hardcode_minus_L=yes + hardcode_shlibpath_var=no + ;; - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - # - # There doesn't appear to be a way to prevent this compiler from - # explicitly linking system object files so we need to strip them - # from the output so that they don't get included in the library - # dependencies. - output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list' - ;; - esac - ;; - lynxos*) - # FIXME: insert proper C++ library support - ld_shlibs_CXX=no - ;; - m88k*) - # FIXME: insert proper C++ library support - ld_shlibs_CXX=no - ;; - mvs*) - case $cc_basename in - cxx*) - # FIXME: insert proper C++ library support - ld_shlibs_CXX=no + sysv4) + case $host_vendor in + sni) + archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + hardcode_direct=yes # is this really true??? ;; - *) - # FIXME: insert proper C++ library support - ld_shlibs_CXX=no + siemens) + ## LD is ld it makes a PLAMLIB + ## CC just makes a GrossModule. 
+ archive_cmds='$LD -G -o $lib $libobjs $deplibs $linker_flags' + reload_cmds='$CC -r -o $output$reload_objs' + hardcode_direct=no + ;; + motorola) + archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + hardcode_direct=no #Motorola manual says yes, but my tests say they lie ;; - esac - ;; - netbsd*) - if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then - archive_cmds_CXX='$LD -Bshareable -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags' - wlarc= - hardcode_libdir_flag_spec_CXX='-R$libdir' - hardcode_direct_CXX=yes - hardcode_shlibpath_var_CXX=no - fi - # Workaround some broken pre-1.5 toolchains - output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"' - ;; - openbsd2*) - # C++ shared libraries are fairly broken - ld_shlibs_CXX=no - ;; - openbsd*) - hardcode_direct_CXX=yes - hardcode_shlibpath_var_CXX=no - archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib' - hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir' - if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then - archive_expsym_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib' - export_dynamic_flag_spec_CXX='${wl}-E' - whole_archive_flag_spec_CXX="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' - fi - output_verbose_link_cmd='echo' - ;; - osf3*) - case $cc_basename in - KCC*) - # Kuck and Associates, Inc. (KAI) C++ Compiler - - # KCC will only create a shared library if the output file - # ends with ".so" (or ".sl" for HP-UX), so rename the library - # to its proper name (with version) after linking. 
- archive_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib' - - hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir' - hardcode_libdir_separator_CXX=: - - # Archives containing C++ object files must be created using - # "CC -Bstatic", where "CC" is the KAI C++ compiler. - old_archive_cmds_CXX='$CC -Bstatic -o $oldlib $oldobjs' + esac + runpath_var='LD_RUN_PATH' + hardcode_shlibpath_var=no + ;; - ;; - RCC*) - # Rational C++ 2.4.1 - # FIXME: insert proper C++ library support - ld_shlibs_CXX=no - ;; - cxx*) - allow_undefined_flag_CXX=' ${wl}-expect_unresolved ${wl}\*' - archive_cmds_CXX='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && echo ${wl}-set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - - hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir' - hardcode_libdir_separator_CXX=: - - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - # - # There doesn't appear to be a way to prevent this compiler from - # explicitly linking system object files so we need to strip them - # from the output so that they don't get included in the library - # dependencies. 
- output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list' - ;; - *) - if test "$GXX" = yes && test "$with_gnu_ld" = no; then - allow_undefined_flag_CXX=' ${wl}-expect_unresolved ${wl}\*' - archive_cmds_CXX='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' - - hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir' - hardcode_libdir_separator_CXX=: - - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"' + sysv4.3*) + archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + hardcode_shlibpath_var=no + export_dynamic_flag_spec='-Bexport' + ;; - else - # FIXME: insert proper C++ library support - ld_shlibs_CXX=no - fi - ;; - esac - ;; - osf4* | osf5*) - case $cc_basename in - KCC*) - # Kuck and Associates, Inc. (KAI) C++ Compiler - - # KCC will only create a shared library if the output file - # ends with ".so" (or ".sl" for HP-UX), so rename the library - # to its proper name (with version) after linking. 
- archive_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib' - - hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir' - hardcode_libdir_separator_CXX=: - - # Archives containing C++ object files must be created using - # the KAI C++ compiler. - old_archive_cmds_CXX='$CC -o $oldlib $oldobjs' - ;; - RCC*) - # Rational C++ 2.4.1 - # FIXME: insert proper C++ library support - ld_shlibs_CXX=no - ;; - cxx*) - allow_undefined_flag_CXX=' -expect_unresolved \*' - archive_cmds_CXX='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - archive_expsym_cmds_CXX='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~ - echo "-hidden">> $lib.exp~ - $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname -Wl,-input -Wl,$lib.exp `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~ - $rm $lib.exp' - - hardcode_libdir_flag_spec_CXX='-rpath $libdir' - hardcode_libdir_separator_CXX=: - - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - # - # There doesn't appear to be a way to prevent this compiler from - # explicitly linking system object files so we need to strip them - # from the output so that they don't get included in the library - # dependencies. 
- output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list' - ;; - *) - if test "$GXX" = yes && test "$with_gnu_ld" = no; then - allow_undefined_flag_CXX=' ${wl}-expect_unresolved ${wl}\*' - archive_cmds_CXX='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' - - hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir' - hardcode_libdir_separator_CXX=: - - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"' + sysv4*MP*) + if test -d /usr/nec; then + archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + hardcode_shlibpath_var=no + runpath_var=LD_RUN_PATH + hardcode_runpath_var=yes + ld_shlibs=yes + fi + ;; - else - # FIXME: insert proper C++ library support - ld_shlibs_CXX=no - fi - ;; - esac - ;; - psos*) - # FIXME: insert proper C++ library support - ld_shlibs_CXX=no - ;; - sunos4*) - case $cc_basename in - CC*) - # Sun C++ 4.x - # FIXME: insert proper C++ library support - ld_shlibs_CXX=no - ;; - lcc*) - # Lucid - # FIXME: insert proper C++ library support - ld_shlibs_CXX=no - ;; - *) - # FIXME: insert proper C++ library support - ld_shlibs_CXX=no - ;; - esac - ;; - solaris*) - case $cc_basename in - CC*) - # Sun C++ 4.2, 5.x and Centerline C++ - archive_cmds_need_lc_CXX=yes - no_undefined_flag_CXX=' -zdefs' - archive_cmds_CXX='$CC -G${allow_undefined_flag} -h$soname -o $lib 
$predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' - archive_expsym_cmds_CXX='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~ - $CC -G${allow_undefined_flag} ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp' - - hardcode_libdir_flag_spec_CXX='-R$libdir' - hardcode_shlibpath_var_CXX=no - case $host_os in - solaris2.[0-5] | solaris2.[0-5].*) ;; - *) - # The C++ compiler is used as linker so we must use $wl - # flag to pass the commands to the underlying system - # linker. We must also pass each convience library through - # to the system linker between allextract/defaultextract. - # The C++ compiler will combine linker options so we - # cannot just pass the convience library names through - # without $wl. - # Supported since Solaris 2.6 (maybe 2.5.1?) - whole_archive_flag_spec_CXX='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract' - ;; - esac - link_all_deplibs_CXX=yes + sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*) + no_undefined_flag='${wl}-z,text' + archive_cmds_need_lc=no + hardcode_shlibpath_var=no + runpath_var='LD_RUN_PATH' - output_verbose_link_cmd='echo' + if test "$GCC" = yes; then + archive_cmds='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + archive_expsym_cmds='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + else + archive_cmds='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + archive_expsym_cmds='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + fi + ;; - # Archives containing C++ object files must be created using - # "CC -xar", where "CC" is the Sun C++ compiler. 
This is - # necessary to make sure instantiated templates are included - # in the archive. - old_archive_cmds_CXX='$CC -xar -o $oldlib $oldobjs' - ;; - gcx*) - # Green Hills C++ Compiler - archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib' + sysv5* | sco3.2v5* | sco5v6*) + # Note: We can NOT use -z defs as we might desire, because we do not + # link with -lc, and that would cause any symbols used from libc to + # always be unresolved, which means just about no library would + # ever link correctly. If we're not using GNU ld we use -z text + # though, which does catch some bad symbols but isn't as heavy-handed + # as -z defs. + no_undefined_flag='${wl}-z,text' + allow_undefined_flag='${wl}-z,nodefs' + archive_cmds_need_lc=no + hardcode_shlibpath_var=no + hardcode_libdir_flag_spec='${wl}-R,$libdir' + hardcode_libdir_separator=':' + link_all_deplibs=yes + export_dynamic_flag_spec='${wl}-Bexport' + runpath_var='LD_RUN_PATH' - # The C++ compiler must be used to create the archive. - old_archive_cmds_CXX='$CC $LDFLAGS -archive -o $oldlib $oldobjs' - ;; - *) - # GNU C++ compiler with Solaris linker - if test "$GXX" = yes && test "$with_gnu_ld" = no; then - no_undefined_flag_CXX=' ${wl}-z ${wl}defs' - if $CC --version | grep -v '^2\.7' > /dev/null; then - archive_cmds_CXX='$CC -shared -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib' - archive_expsym_cmds_CXX='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~ - $CC -shared -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp' - - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. 
- output_verbose_link_cmd="$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\"" - else - # g++ 2.7 appears to require `-G' NOT `-shared' on this - # platform. - archive_cmds_CXX='$CC -G -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib' - archive_expsym_cmds_CXX='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~ - $CC -G -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp' - - # Commands to make compiler produce verbose output that lists - # what "hidden" libraries, object files and flags are used when - # linking a shared library. - output_verbose_link_cmd="$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\"" - fi + if test "$GCC" = yes; then + archive_cmds='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + archive_expsym_cmds='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + else + archive_cmds='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + archive_expsym_cmds='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + fi + ;; - hardcode_libdir_flag_spec_CXX='${wl}-R $wl$libdir' - fi - ;; - esac - ;; - sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*) - no_undefined_flag_CXX='${wl}-z,text' - archive_cmds_need_lc_CXX=no - hardcode_shlibpath_var_CXX=no - runpath_var='LD_RUN_PATH' - - case $cc_basename in - CC*) - archive_cmds_CXX='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' - archive_expsym_cmds_CXX='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' - ;; - *) - archive_cmds_CXX='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' - archive_expsym_cmds_CXX='$CC -shared ${wl}-Bexport:$export_symbols 
${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' - ;; - esac - ;; - sysv5* | sco3.2v5* | sco5v6*) - # Note: We can NOT use -z defs as we might desire, because we do not - # link with -lc, and that would cause any symbols used from libc to - # always be unresolved, which means just about no library would - # ever link correctly. If we're not using GNU ld we use -z text - # though, which does catch some bad symbols but isn't as heavy-handed - # as -z defs. - # For security reasons, it is highly recommended that you always - # use absolute paths for naming shared libraries, and exclude the - # DT_RUNPATH tag from executables and libraries. But doing so - # requires that you compile everything twice, which is a pain. - # So that behaviour is only enabled if SCOABSPATH is set to a - # non-empty value in the environment. Most likely only useful for - # creating official distributions of packages. - # This is a hack until libtool officially supports absolute path - # names for shared libraries. 
- no_undefined_flag_CXX='${wl}-z,text' - allow_undefined_flag_CXX='${wl}-z,nodefs' - archive_cmds_need_lc_CXX=no - hardcode_shlibpath_var_CXX=no - hardcode_libdir_flag_spec_CXX='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`' - hardcode_libdir_separator_CXX=':' - link_all_deplibs_CXX=yes - export_dynamic_flag_spec_CXX='${wl}-Bexport' - runpath_var='LD_RUN_PATH' - - case $cc_basename in - CC*) - archive_cmds_CXX='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags' - archive_expsym_cmds_CXX='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags' - ;; - *) - archive_cmds_CXX='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags' - archive_expsym_cmds_CXX='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags' - ;; - esac - ;; - tandem*) - case $cc_basename in - NCC*) - # NonStop-UX NCC 3.20 - # FIXME: insert proper C++ library support - ld_shlibs_CXX=no - ;; - *) - # FIXME: insert proper C++ library support - ld_shlibs_CXX=no - ;; - esac - ;; - vxworks*) - # FIXME: insert proper C++ library support - ld_shlibs_CXX=no - ;; - *) - # FIXME: insert proper C++ library support - ld_shlibs_CXX=no - ;; -esac -{ echo "$as_me:$LINENO: result: $ld_shlibs_CXX" >&5 -echo "${ECHO_T}$ld_shlibs_CXX" >&6; } -test "$ld_shlibs_CXX" = no && can_build_shared=no + uts4*) + archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + hardcode_libdir_flag_spec='-L$libdir' + hardcode_shlibpath_var=no + ;; -GCC_CXX="$GXX" -LD_CXX="$LD" + *) + ld_shlibs=no + ;; + esac + if test x$host_vendor = xsni; then + case $host in + sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*) + export_dynamic_flag_spec='${wl}-Blargedynsym' + ;; + esac + fi + fi -cat > conftest.$ac_ext <&5 +$as_echo "$ld_shlibs" >&6; } +test "$ld_shlibs" = no && 
can_build_shared=no -if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; then - # Parse the compiler output and extract the necessary - # objects, libraries and library flags. +with_gnu_ld=$with_gnu_ld - # Sentinel used to keep track of whether or not we are before - # the conftest object file. - pre_test_object_deps_done=no - - # The `*' in the case matches for architectures that use `case' in - # $output_verbose_cmd can trigger glob expansion during the loop - # eval without this substitution. - output_verbose_link_cmd=`$echo "X$output_verbose_link_cmd" | $Xsed -e "$no_glob_subst"` - - for p in `eval $output_verbose_link_cmd`; do - case $p in - - -L* | -R* | -l*) - # Some compilers place space between "-{L,R}" and the path. - # Remove the space. - if test $p = "-L" \ - || test $p = "-R"; then - prev=$p - continue - else - prev= - fi - if test "$pre_test_object_deps_done" = no; then - case $p in - -L* | -R*) - # Internal compiler library paths should come after those - # provided the user. The postdeps already come after the - # user supplied libs so there is no need to process them. - if test -z "$compiler_lib_search_path_CXX"; then - compiler_lib_search_path_CXX="${prev}${p}" - else - compiler_lib_search_path_CXX="${compiler_lib_search_path_CXX} ${prev}${p}" - fi - ;; - # The "-l" case would never come before the object being - # linked, so don't bother handling this case. - esac - else - if test -z "$postdeps_CXX"; then - postdeps_CXX="${prev}${p}" - else - postdeps_CXX="${postdeps_CXX} ${prev}${p}" - fi - fi - ;; - *.$objext) - # This assumes that the test object file only shows up - # once in the compiler output. 
- if test "$p" = "conftest.$objext"; then - pre_test_object_deps_done=yes - continue - fi - if test "$pre_test_object_deps_done" = no; then - if test -z "$predep_objects_CXX"; then - predep_objects_CXX="$p" - else - predep_objects_CXX="$predep_objects_CXX $p" - fi - else - if test -z "$postdep_objects_CXX"; then - postdep_objects_CXX="$p" - else - postdep_objects_CXX="$postdep_objects_CXX $p" - fi - fi - ;; - *) ;; # Ignore the rest. - esac - done - # Clean up. - rm -f a.out a.exe -else - echo "libtool.m4: error: problem compiling CXX test program" -fi -$rm -f confest.$objext -# PORTME: override above test on systems where it is broken -case $host_os in -interix3*) - # Interix 3.5 installs completely hosed .la files for C++, so rather than - # hack all around it, let's just trust "g++" to DTRT. - predep_objects_CXX= - postdep_objects_CXX= - postdeps_CXX= - ;; -solaris*) - case $cc_basename in - CC*) - # Adding this requires a known-good setup of shared libraries for - # Sun compiler versions before 5.6, else PIC objects from an old - # archive will be linked into the output, leading to subtle bugs. - postdeps_CXX='-lCstd -lCrun' - ;; - esac - ;; -esac -case " $postdeps_CXX " in -*" -lc "*) archive_cmds_need_lc_CXX=no ;; -esac -lt_prog_compiler_wl_CXX= -lt_prog_compiler_pic_CXX= -lt_prog_compiler_static_CXX= -{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5 -echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; } - # C++ specific cases for pic, static, wl, etc. - if test "$GXX" = yes; then - lt_prog_compiler_wl_CXX='-Wl,' - lt_prog_compiler_static_CXX='-static' +# +# Do we need to explicitly link libc? +# +case "x$archive_cmds_need_lc" in +x|xyes) + # Assume -lc should be added + archive_cmds_need_lc=yes - case $host_os in - aix*) - # All AIX code is PIC. 
- if test "$host_cpu" = ia64; then - # AIX 5 now supports IA64 processor - lt_prog_compiler_static_CXX='-Bstatic' - fi - ;; - amigaos*) - # FIXME: we need at least 68020 code to build shared libraries, but - # adding the `-m68020' flag to GCC prevents building anything better, - # like `-m68040'. - lt_prog_compiler_pic_CXX='-m68020 -resident32 -malways-restore-a4' - ;; - beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) - # PIC is the default for these OSes. - ;; - mingw* | os2* | pw32*) - # This hack is so that the source file can tell whether it is being - # built for inclusion in a dll (and should export symbols for example). - lt_prog_compiler_pic_CXX='-DDLL_EXPORT' - ;; - darwin* | rhapsody*) - # PIC is the default on this platform - # Common symbols not allowed in MH_DYLIB files - lt_prog_compiler_pic_CXX='-fno-common' - ;; - *djgpp*) - # DJGPP does not support shared libraries at all - lt_prog_compiler_pic_CXX= - ;; - interix3*) - # Interix 3.x gcc -fpic/-fPIC options generate broken code. - # Instead, we relocate shared libraries at runtime. + if test "$enable_shared" = yes && test "$GCC" = yes; then + case $archive_cmds in + *'~'*) + # FIXME: we may have to deal with multi-command sequences. ;; - sysv4*MP*) - if test -d /usr/nec; then - lt_prog_compiler_pic_CXX=-Kconform_pic + '$CC '*) + # Test whether the compiler implicitly links with -lc since on some + # systems, -lgcc has to come before -lc. If gcc already passes -lc + # to ld, don't add -lc before -lgcc. + { $as_echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5 +$as_echo_n "checking whether -lc should be explicitly linked in... " >&6; } + $RM conftest* + echo "$lt_simple_compile_test_code" > conftest.$ac_ext + + if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } 2>conftest.err; then + soname=conftest + lib=conftest + libobjs=conftest.$ac_objext + deplibs= + wl=$lt_prog_compiler_wl + pic_flag=$lt_prog_compiler_pic + compiler_flags=-v + linker_flags=-v + verstring= + output_objdir=. + libname=conftest + lt_save_allow_undefined_flag=$allow_undefined_flag + allow_undefined_flag= + if { (eval echo "$as_me:$LINENO: \"$archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1\"") >&5 + (eval $archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1) 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } + then + archive_cmds_need_lc=no + else + archive_cmds_need_lc=yes + fi + allow_undefined_flag=$lt_save_allow_undefined_flag + else + cat conftest.err 1>&5 fi - ;; - hpux*) - # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but - # not for PA HP-UX. - case $host_cpu in - hppa*64*|ia64*) - ;; - *) - lt_prog_compiler_pic_CXX='-fPIC' - ;; - esac - ;; - *) - lt_prog_compiler_pic_CXX='-fPIC' + $RM conftest* + { $as_echo "$as_me:$LINENO: result: $archive_cmds_need_lc" >&5 +$as_echo "$archive_cmds_need_lc" >&6; } ;; esac - else - case $host_os in - aix4* | aix5*) - # All AIX code is PIC. 
- if test "$host_cpu" = ia64; then - # AIX 5 now supports IA64 processor - lt_prog_compiler_static_CXX='-Bstatic' - else - lt_prog_compiler_static_CXX='-bnso -bI:/lib/syscalls.exp' - fi - ;; - chorus*) - case $cc_basename in - cxch68*) - # Green Hills C++ Compiler - # _LT_AC_TAGVAR(lt_prog_compiler_static, CXX)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a" - ;; - esac - ;; - darwin*) - # PIC is the default on this platform - # Common symbols not allowed in MH_DYLIB files - case $cc_basename in - xlc*) - lt_prog_compiler_pic_CXX='-qnocommon' - lt_prog_compiler_wl_CXX='-Wl,' - ;; - esac - ;; - dgux*) - case $cc_basename in - ec++*) - lt_prog_compiler_pic_CXX='-KPIC' - ;; - ghcx*) - # Green Hills C++ Compiler - lt_prog_compiler_pic_CXX='-pic' - ;; - *) - ;; - esac - ;; - freebsd* | kfreebsd*-gnu | dragonfly*) - # FreeBSD uses GNU C++ - ;; - hpux9* | hpux10* | hpux11*) - case $cc_basename in - CC*) - lt_prog_compiler_wl_CXX='-Wl,' - lt_prog_compiler_static_CXX='${wl}-a ${wl}archive' - if test "$host_cpu" != ia64; then - lt_prog_compiler_pic_CXX='+Z' - fi - ;; - aCC*) - lt_prog_compiler_wl_CXX='-Wl,' - lt_prog_compiler_static_CXX='${wl}-a ${wl}archive' - case $host_cpu in - hppa*64*|ia64*) - # +Z the default - ;; - *) - lt_prog_compiler_pic_CXX='+Z' - ;; - esac - ;; - *) - ;; - esac - ;; - interix*) - # This is c89, which is MS Visual C++ (no shared libs) - # Anyone wants to do a port? - ;; - irix5* | irix6* | nonstopux*) - case $cc_basename in - CC*) - lt_prog_compiler_wl_CXX='-Wl,' - lt_prog_compiler_static_CXX='-non_shared' - # CC pic flag -KPIC is the default. 
- ;; - *) - ;; - esac - ;; - linux*) - case $cc_basename in - KCC*) - # KAI C++ Compiler - lt_prog_compiler_wl_CXX='--backend -Wl,' - lt_prog_compiler_pic_CXX='-fPIC' - ;; - icpc* | ecpc*) - # Intel C++ - lt_prog_compiler_wl_CXX='-Wl,' - lt_prog_compiler_pic_CXX='-KPIC' - lt_prog_compiler_static_CXX='-static' - ;; - pgCC*) - # Portland Group C++ compiler. - lt_prog_compiler_wl_CXX='-Wl,' - lt_prog_compiler_pic_CXX='-fpic' - lt_prog_compiler_static_CXX='-Bstatic' - ;; - cxx*) - # Compaq C++ - # Make sure the PIC flag is empty. It appears that all Alpha - # Linux and Compaq Tru64 Unix objects are PIC. - lt_prog_compiler_pic_CXX= - lt_prog_compiler_static_CXX='-non_shared' - ;; - *) - ;; - esac - ;; - lynxos*) - ;; - m88k*) - ;; - mvs*) - case $cc_basename in - cxx*) - lt_prog_compiler_pic_CXX='-W c,exportall' - ;; - *) - ;; - esac - ;; - netbsd*) - ;; - osf3* | osf4* | osf5*) - case $cc_basename in - KCC*) - lt_prog_compiler_wl_CXX='--backend -Wl,' - ;; - RCC*) - # Rational C++ 2.4.1 - lt_prog_compiler_pic_CXX='-pic' - ;; - cxx*) - # Digital/Compaq C++ - lt_prog_compiler_wl_CXX='-Wl,' - # Make sure the PIC flag is empty. It appears that all Alpha - # Linux and Compaq Tru64 Unix objects are PIC. 
- lt_prog_compiler_pic_CXX= - lt_prog_compiler_static_CXX='-non_shared' - ;; - *) - ;; - esac - ;; - psos*) - ;; - solaris*) - case $cc_basename in - CC*) - # Sun C++ 4.2, 5.x and Centerline C++ - lt_prog_compiler_pic_CXX='-KPIC' - lt_prog_compiler_static_CXX='-Bstatic' - lt_prog_compiler_wl_CXX='-Qoption ld ' - ;; - gcx*) - # Green Hills C++ Compiler - lt_prog_compiler_pic_CXX='-PIC' - ;; - *) - ;; - esac - ;; - sunos4*) - case $cc_basename in - CC*) - # Sun C++ 4.x - lt_prog_compiler_pic_CXX='-pic' - lt_prog_compiler_static_CXX='-Bstatic' - ;; - lcc*) - # Lucid - lt_prog_compiler_pic_CXX='-pic' - ;; - *) - ;; - esac - ;; - tandem*) - case $cc_basename in - NCC*) - # NonStop-UX NCC 3.20 - lt_prog_compiler_pic_CXX='-KPIC' - ;; - *) - ;; - esac - ;; - sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*) - case $cc_basename in - CC*) - lt_prog_compiler_wl_CXX='-Wl,' - lt_prog_compiler_pic_CXX='-KPIC' - lt_prog_compiler_static_CXX='-Bstatic' - ;; - esac - ;; - vxworks*) - ;; - *) - lt_prog_compiler_can_build_shared_CXX=no - ;; - esac fi + ;; +esac -{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_CXX" >&5 -echo "${ECHO_T}$lt_prog_compiler_pic_CXX" >&6; } -# -# Check to make sure the PIC flag actually works. -# -if test -n "$lt_prog_compiler_pic_CXX"; then -{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_CXX works" >&5 -echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_CXX works... $ECHO_C" >&6; } -if test "${lt_prog_compiler_pic_works_CXX+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - lt_prog_compiler_pic_works_CXX=no - ac_outfile=conftest.$ac_objext - printf "$lt_simple_compile_test_code" > conftest.$ac_ext - lt_compiler_flag="$lt_prog_compiler_pic_CXX -DPIC" - # Insert the option either (1) after the last *FLAGS variable, or - # (2) before a word containing "conftest.", or (3) at the end. 
- # Note that $ac_compile itself does not contain backslashes and begins - # with a dollar sign (not a hyphen), so the echo should work correctly. - # The option is referenced via a variable to avoid confusing sed. - lt_compile=`echo "$ac_compile" | $SED \ - -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ - -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ - -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:13390: $lt_compile\"" >&5) - (eval "$lt_compile" 2>conftest.err) - ac_status=$? - cat conftest.err >&5 - echo "$as_me:13394: \$? = $ac_status" >&5 - if (exit $ac_status) && test -s "$ac_outfile"; then - # The compiler can only warn and ignore the option if not recognized - # So say no if there are warnings other than the usual output. - $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp - $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 - if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then - lt_prog_compiler_pic_works_CXX=yes - fi - fi - $rm conftest* -fi -{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_works_CXX" >&5 -echo "${ECHO_T}$lt_prog_compiler_pic_works_CXX" >&6; } -if test x"$lt_prog_compiler_pic_works_CXX" = xyes; then - case $lt_prog_compiler_pic_CXX in - "" | " "*) ;; - *) lt_prog_compiler_pic_CXX=" $lt_prog_compiler_pic_CXX" ;; - esac -else - lt_prog_compiler_pic_CXX= - lt_prog_compiler_can_build_shared_CXX=no -fi -fi -case $host_os in - # For platforms which do not support PIC, -DPIC is meaningless: - *djgpp*) - lt_prog_compiler_pic_CXX= - ;; - *) - lt_prog_compiler_pic_CXX="$lt_prog_compiler_pic_CXX -DPIC" - ;; -esac -# -# Check to make sure the static flag actually works. -# -wl=$lt_prog_compiler_wl_CXX eval lt_tmp_static_flag=\"$lt_prog_compiler_static_CXX\" -{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5 -echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... 
$ECHO_C" >&6; } -if test "${lt_prog_compiler_static_works_CXX+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - lt_prog_compiler_static_works_CXX=no - save_LDFLAGS="$LDFLAGS" - LDFLAGS="$LDFLAGS $lt_tmp_static_flag" - printf "$lt_simple_link_test_code" > conftest.$ac_ext - if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then - # The linker can only warn and ignore the option if not recognized - # So say no if there are warnings - if test -s conftest.err; then - # Append any errors to the config.log. - cat conftest.err 1>&5 - $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp - $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 - if diff conftest.exp conftest.er2 >/dev/null; then - lt_prog_compiler_static_works_CXX=yes - fi - else - lt_prog_compiler_static_works_CXX=yes - fi - fi - $rm conftest* - LDFLAGS="$save_LDFLAGS" -fi -{ echo "$as_me:$LINENO: result: $lt_prog_compiler_static_works_CXX" >&5 -echo "${ECHO_T}$lt_prog_compiler_static_works_CXX" >&6; } -if test x"$lt_prog_compiler_static_works_CXX" = xyes; then - : -else - lt_prog_compiler_static_CXX= -fi -{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5 -echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; } -if test "${lt_cv_prog_compiler_c_o_CXX+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - lt_cv_prog_compiler_c_o_CXX=no - $rm -r conftest 2>/dev/null - mkdir conftest - cd conftest - mkdir out - printf "$lt_simple_compile_test_code" > conftest.$ac_ext - lt_compiler_flag="-o out/conftest2.$ac_objext" - # Insert the option either (1) after the last *FLAGS variable, or - # (2) before a word containing "conftest.", or (3) at the end. - # Note that $ac_compile itself does not contain backslashes and begins - # with a dollar sign (not a hyphen), so the echo should work correctly. 
- lt_compile=`echo "$ac_compile" | $SED \ - -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ - -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ - -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:13494: $lt_compile\"" >&5) - (eval "$lt_compile" 2>out/conftest.err) - ac_status=$? - cat out/conftest.err >&5 - echo "$as_me:13498: \$? = $ac_status" >&5 - if (exit $ac_status) && test -s out/conftest2.$ac_objext - then - # The compiler can only warn and ignore the option if not recognized - # So say no if there are warnings - $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp - $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2 - if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then - lt_cv_prog_compiler_c_o_CXX=yes - fi - fi - chmod u+w . 2>&5 - $rm conftest* - # SGI C++ compiler will create directory out/ii_files/ for - # template instantiation - test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files - $rm out/* && rmdir out - cd .. - rmdir conftest - $rm conftest* -fi -{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_CXX" >&5 -echo "${ECHO_T}$lt_cv_prog_compiler_c_o_CXX" >&6; } -hard_links="nottested" -if test "$lt_cv_prog_compiler_c_o_CXX" = no && test "$need_locks" != no; then - # do not overwrite the value of need_locks provided by the user - { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5 -echo $ECHO_N "checking if we can lock with hard links... 
$ECHO_C" >&6; } - hard_links=yes - $rm conftest* - ln conftest.a conftest.b 2>/dev/null && hard_links=no - touch conftest.a - ln conftest.a conftest.b 2>&5 || hard_links=no - ln conftest.a conftest.b 2>/dev/null && hard_links=no - { echo "$as_me:$LINENO: result: $hard_links" >&5 -echo "${ECHO_T}$hard_links" >&6; } - if test "$hard_links" = no; then - { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5 -echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;} - need_locks=warn - fi -else - need_locks=no -fi -{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5 -echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; } - export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' - case $host_os in - aix4* | aix5*) - # If we're using GNU nm, then we don't want the "-C" option. 
- # -C means demangle to AIX nm, but means don't demangle with GNU nm - if $NM -V 2>&1 | grep 'GNU' > /dev/null; then - export_symbols_cmds_CXX='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols' - else - export_symbols_cmds_CXX='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols' - fi - ;; - pw32*) - export_symbols_cmds_CXX="$ltdll_cmds" - ;; - cygwin* | mingw*) - export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS] /s/.* \([^ ]*\)/\1 DATA/;/^.* __nm__/s/^.* __nm__\([^ ]*\) [^ ]*/\1 DATA/;/^I /d;/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols' - ;; - *) - export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' - ;; - esac -{ echo "$as_me:$LINENO: result: $ld_shlibs_CXX" >&5 -echo "${ECHO_T}$ld_shlibs_CXX" >&6; } -test "$ld_shlibs_CXX" = no && can_build_shared=no -# -# Do we need to explicitly link libc? -# -case "x$archive_cmds_need_lc_CXX" in -x|xyes) - # Assume -lc should be added - archive_cmds_need_lc_CXX=yes - if test "$enable_shared" = yes && test "$GCC" = yes; then - case $archive_cmds_CXX in - *'~'*) - # FIXME: we may have to deal with multi-command sequences. - ;; - '$CC '*) - # Test whether the compiler implicitly links with -lc since on some - # systems, -lgcc has to come before -lc. If gcc already passes -lc - # to ld, don't add -lc before -lgcc. - { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5 -echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; } - $rm conftest* - printf "$lt_simple_compile_test_code" > conftest.$ac_ext - if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? 
- echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } 2>conftest.err; then - soname=conftest - lib=conftest - libobjs=conftest.$ac_objext - deplibs= - wl=$lt_prog_compiler_wl_CXX - pic_flag=$lt_prog_compiler_pic_CXX - compiler_flags=-v - linker_flags=-v - verstring= - output_objdir=. - libname=conftest - lt_save_allow_undefined_flag=$allow_undefined_flag_CXX - allow_undefined_flag_CXX= - if { (eval echo "$as_me:$LINENO: \"$archive_cmds_CXX 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5 - (eval $archive_cmds_CXX 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } - then - archive_cmds_need_lc_CXX=no - else - archive_cmds_need_lc_CXX=yes - fi - allow_undefined_flag_CXX=$lt_save_allow_undefined_flag - else - cat conftest.err 1>&5 - fi - $rm conftest* - { echo "$as_me:$LINENO: result: $archive_cmds_need_lc_CXX" >&5 -echo "${ECHO_T}$archive_cmds_need_lc_CXX" >&6; } - ;; - esac - fi - ;; -esac -{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5 -echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; } -library_names_spec= -libname_spec='lib$name' -soname_spec= -shrext_cmds=".so" -postinstall_cmds= -postuninstall_cmds= -finish_cmds= -finish_eval= -shlibpath_var= -shlibpath_overrides_runpath=unknown -version_type=none -dynamic_linker="$host_os ld.so" -sys_lib_dlsearch_path_spec="/lib /usr/lib" -if test "$GCC" = yes; then - sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"` - if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then - # if the path contains ";" then we assume it to be the separator - # otherwise default to the standard path separator (i.e. ":") - it is - # assumed that no part of a normal pathname contains ";" but that should - # okay in the real world where ";" in dirpaths is itself problematic. 
- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'` - else - sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` - fi -else - sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib" -fi -need_lib_prefix=unknown -hardcode_into_libs=no -# when you set need_version to no, make sure it does not cause -set_version -# flags to be left without arguments -need_version=unknown -case $host_os in -aix3*) - version_type=linux - library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a' - shlibpath_var=LIBPATH - # AIX 3 has no versioning support, so we append a major version to the name. - soname_spec='${libname}${release}${shared_ext}$major' - ;; -aix4* | aix5*) - version_type=linux - need_lib_prefix=no - need_version=no - hardcode_into_libs=yes - if test "$host_cpu" = ia64; then - # AIX 5 supports IA64 - library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}' - shlibpath_var=LD_LIBRARY_PATH - else - # With GCC up to 2.95.x, collect2 would create an import file - # for dependence libraries. The import file would start with - # the line `#! .'. This would cause the generated library to - # depend on `.', always an invalid library. This was fixed in - # development snapshots of GCC prior to 3.0. - case $host_os in - aix4 | aix4.[01] | aix4.[01].*) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + { $as_echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5 +$as_echo_n "checking dynamic linker characteristics... 
" >&6; } + +if test "$GCC" = yes; then + case $host_os in + darwin*) lt_awk_arg="/^libraries:/,/LR/" ;; + *) lt_awk_arg="/^libraries:/" ;; + esac + lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e "s,=/,/,g"` + if $ECHO "$lt_search_path_spec" | $GREP ';' >/dev/null ; then + # if the path contains ";" then we assume it to be the separator + # otherwise default to the standard path separator (i.e. ":") - it is + # assumed that no part of a normal pathname contains ";" but that should + # okay in the real world where ";" in dirpaths is itself problematic. + lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED -e 's/;/ /g'` + else + lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` + fi + # Ok, now we have the path, separated by spaces, we can step through it + # and add multilib dir if necessary. + lt_tmp_lt_search_path_spec= + lt_multi_os_dir=`$CC $CPPFLAGS $CFLAGS $LDFLAGS -print-multi-os-directory 2>/dev/null` + for lt_sys_path in $lt_search_path_spec; do + if test -d "$lt_sys_path/$lt_multi_os_dir"; then + lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path/$lt_multi_os_dir" + else + test -d "$lt_sys_path" && \ + lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path" + fi + done + lt_search_path_spec=`$ECHO $lt_tmp_lt_search_path_spec | awk ' +BEGIN {RS=" "; FS="/|\n";} { + lt_foo=""; + lt_count=0; + for (lt_i = NF; lt_i > 0; lt_i--) { + if ($lt_i != "" && $lt_i != ".") { + if ($lt_i == "..") { + lt_count++; + } else { + if (lt_count == 0) { + lt_foo="/" $lt_i lt_foo; + } else { + lt_count--; + } + } + } + } + if (lt_foo != "") { lt_freq[lt_foo]++; } + if (lt_freq[lt_foo] == 1) { print lt_foo; } +}'` + sys_lib_search_path_spec=`$ECHO $lt_search_path_spec` +else + sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib" +fi +library_names_spec= +libname_spec='lib$name' +soname_spec= +shrext_cmds=".so" +postinstall_cmds= +postuninstall_cmds= 
+finish_cmds= +finish_eval= +shlibpath_var= +shlibpath_overrides_runpath=unknown +version_type=none +dynamic_linker="$host_os ld.so" +sys_lib_dlsearch_path_spec="/lib /usr/lib" +need_lib_prefix=unknown +hardcode_into_libs=no + +# when you set need_version to no, make sure it does not cause -set_version +# flags to be left without arguments +need_version=unknown + +case $host_os in +aix3*) + version_type=linux + library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a' + shlibpath_var=LIBPATH + + # AIX 3 has no versioning support, so we append a major version to the name. + soname_spec='${libname}${release}${shared_ext}$major' + ;; + +aix[4-9]*) + version_type=linux + need_lib_prefix=no + need_version=no + hardcode_into_libs=yes + if test "$host_cpu" = ia64; then + # AIX 5 supports IA64 + library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}' + shlibpath_var=LD_LIBRARY_PATH + else + # With GCC up to 2.95.x, collect2 would create an import file + # for dependence libraries. The import file would start with + # the line `#! .'. This would cause the generated library to + # depend on `.', always an invalid library. This was fixed in + # development snapshots of GCC prior to 3.0. + case $host_os in + aix4 | aix4.[01] | aix4.[01].*) if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)' echo ' yes ' - echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then + echo '#endif'; } | ${CC} -E - | $GREP yes > /dev/null; then : else can_build_shared=no 
@@ -13726,9 +10808,18 @@ ;; amigaos*) - library_names_spec='$libname.ixlibrary $libname.a' - # Create ${libname}_ixlibrary.a entries in /sys/libs. - finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done' + case $host_cpu in + powerpc) + # Since July 2007 AmigaOS4 officially supports .so libraries. + # When compiling the executable, add -use-dynld -Lsobjs: to the compileline. + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + ;; + m68k) + library_names_spec='$libname.ixlibrary $libname.a' + # Create ${libname}_ixlibrary.a entries in /sys/libs. + finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$ECHO "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done' + ;; + esac ;; beos*) 
@@ -13751,25 +10842,28 @@ # libtool to hard-code these into programs ;; -cygwin* | mingw* | pw32*) +cygwin* | mingw* | pw32* | cegcc*) version_type=windows shrext_cmds=".dll" need_version=no need_lib_prefix=no case $GCC,$host_os in - yes,cygwin* | yes,mingw* | yes,pw32*) + yes,cygwin* | yes,mingw* | yes,pw32* | yes,cegcc*) library_names_spec='$libname.dll.a' # DLL is installed to $(libdir)/../bin by postinstall_cmds postinstall_cmds='base_file=`basename \${file}`~ - dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~ + dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i; echo \$dlname'\''`~ dldir=$destdir/`dirname \$dlpath`~ test -d \$dldir || mkdir -p \$dldir~ $install_prog $dir/$dlname \$dldir/$dlname~ - chmod a+x \$dldir/$dlname' + chmod a+x \$dldir/$dlname~ + if test -n '\''$stripme'\'' && test -n '\''$striplib'\''; then + eval '\''$striplib \$dldir/$dlname'\'' || exit \$?; + fi' postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~ dlpath=$dir/\$dldll~ - $rm \$dlpath' + $RM \$dlpath' shlibpath_overrides_runpath=yes case $host_os in 
@@ -13778,20 +10872,20 @@ soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}' sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib" ;; - mingw*) + mingw* | cegcc*) # MinGW DLLs use traditional 'lib' prefix soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}' - sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"` - if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then + sys_lib_search_path_spec=`$CC -print-search-dirs | $GREP "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"` + if $ECHO "$sys_lib_search_path_spec" | $GREP ';[c-zC-Z]:/' >/dev/null; then # It is most probably a Windows format PATH printed by # mingw gcc, but we are running on Cygwin. Gcc prints its search # path with ; separators, and with drive letters. We can handle the # drive letters (cygwin fileutils understands them), so leave them, # especially as we might pass files found there to a mingw objdump, # which wouldn't understand a cygwinified path. Ahh. - sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'` + sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'` else - sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` + sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` fi ;; pw32*) 
@@ -13815,17 +10909,13 @@ version_type=darwin need_lib_prefix=no need_version=no - library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext' + library_names_spec='${libname}${release}${major}$shared_ext ${libname}$shared_ext' soname_spec='${libname}${release}${major}$shared_ext' shlibpath_overrides_runpath=yes shlibpath_var=DYLD_LIBRARY_PATH shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`' - # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same. - if test "$GCC" = yes; then - sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"` - else - sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib' - fi + + sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/local/lib" sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib' ;; @@ -13842,18 +10932,6 @@ dynamic_linker=no ;; -kfreebsd*-gnu) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - dynamic_linker='GNU ld.so' - ;; - freebsd* | dragonfly*) # DragonFly does not have aout. When/if they implement a new # versioning mechanism, adjust this. @@ -13891,7 +10969,7 @@ shlibpath_overrides_runpath=no hardcode_into_libs=yes ;; - freebsd*) # from 4.6 on + *) # from 4.6 on, and DragonFly shlibpath_overrides_runpath=yes hardcode_into_libs=yes ;; 
@@ -13930,18 +11008,18 @@ fi sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec ;; - hppa*64*) - shrext_cmds='.sl' - hardcode_into_libs=yes - dynamic_linker="$host_os dld.sl" - shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH - shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64" - sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec - ;; - *) + hppa*64*) + shrext_cmds='.sl' + hardcode_into_libs=yes + dynamic_linker="$host_os dld.sl" + shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64" + sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec + ;; + *) shrext_cmds='.sl' dynamic_linker="$host_os dld.sl" shlibpath_var=SHLIB_PATH @@ -13954,7 +11032,7 @@ postinstall_cmds='chmod 555 $lib' ;; -interix3*) +interix[3-9]*) version_type=linux need_lib_prefix=no need_version=no @@ -14009,7 +11087,7 @@ ;; # This must be Linux ELF. -linux*) +linux* | k*bsd*-gnu) version_type=linux need_lib_prefix=no need_version=no 
@@ -14018,40 +11096,80 @@ finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=no - # This implies no fast_install, which is unacceptable. - # Some rework will be needed to allow for fast_install - # before this can be enabled. - hardcode_into_libs=yes - - # find out which ABI we are using - libsuff= - case "$host_cpu" in - x86_64*|s390x*|powerpc64*) - echo '#line 14030 "configure"' > conftest.$ac_ext - if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; then - case `/usr/bin/file conftest.$ac_objext` in - *64-bit*) - libsuff=64 - sys_lib_search_path_spec="/lib${libsuff} /usr/lib${libsuff} /usr/local/lib${libsuff}" - ;; - esac - fi - rm -rf conftest* - ;; - esac + # Some binutils ld are patched to set DT_RUNPATH + save_LDFLAGS=$LDFLAGS + save_libdir=$libdir + eval "libdir=/foo; wl=\"$lt_prog_compiler_wl\"; \ + LDFLAGS=\"\$LDFLAGS $hardcode_libdir_flag_spec\"" + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ - # Append ld.so.conf contents to the search path - if test -f /etc/ld.so.conf; then - lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/^ *//;s/#.*//;/^[^\/]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` - sys_lib_dlsearch_path_spec="/lib${libsuff} /usr/lib${libsuff} $lt_ld_extra" - fi +int +main () +{ - # We used to test for /lib/ld.so.1 and disable shared libraries on - # powerpc, because MkLinux only supported shared libraries with the + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + if ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null; then + shlibpath_overrides_runpath=yes +fi + +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS=$save_LDFLAGS + libdir=$save_libdir + + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. + hardcode_into_libs=yes + + # Add ABI-specific directories to the system library path. 
+ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" + + # Append ld.so.conf contents to the search path + if test -f /etc/ld.so.conf; then + lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` + sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra" + fi + + # We used to test for /lib/ld.so.1 and disable shared libraries on + # powerpc, because MkLinux only supported shared libraries with the # GNU dynamic linker. Since this was broken with cross compilers, # most powerpc-linux boxes support dynamic linking these days and # people can always --disable-shared, the test was removed, and we @@ -14059,23 +11177,11 @@ dynamic_linker='GNU/Linux ld.so' ;; -knetbsd*-gnu) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - dynamic_linker='GNU ld.so' - ;; - netbsd*) version_type=sunos need_lib_prefix=no need_version=no - if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then + if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' dynamic_linker='NetBSD (a.out) ld.so' 
@@ -14096,14 +11202,16 @@ shlibpath_overrides_runpath=yes ;; -nto-qnx*) - version_type=linux +*nto* | *qnx*) + version_type=qnx need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + dynamic_linker='ldqnx.so' ;; openbsd*) @@ -14112,13 +11220,13 @@ need_lib_prefix=no # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs. case $host_os in - openbsd3.3 | openbsd3.3.*) need_version=yes ;; - *) need_version=no ;; + openbsd3.3 | openbsd3.3.*) need_version=yes ;; + *) need_version=no ;; esac library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' shlibpath_var=LD_LIBRARY_PATH - if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then + if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then case $host_os in openbsd2.[89] | openbsd2.[89].*) shlibpath_overrides_runpath=no @@ -14152,6 +11260,10 @@ sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec" ;; +rdos*) + dynamic_linker=no + ;; + solaris*) version_type=linux need_lib_prefix=no @@ -14186,7 +11298,6 @@ sni) shlibpath_overrides_runpath=no need_lib_prefix=no - export_dynamic_flag_spec='${wl}-Blargedynsym' runpath_var=LD_RUN_PATH ;; siemens) 
@@ -14217,13 +11328,12 @@ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes hardcode_into_libs=yes if test "$with_gnu_ld" = yes; then sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' - shlibpath_overrides_runpath=no else sys_lib_search_path_spec='/usr/ccs/lib /usr/lib' - shlibpath_overrides_runpath=yes case $host_os in sco3.2v5*) sys_lib_search_path_spec="$sys_lib_search_path_spec /lib" @@ -14233,6 +11343,17 @@ sys_lib_dlsearch_path_spec='/usr/lib' ;; +tpf*) + # TPF is a cross-target only. Preferred cross-host = GNU/Linux. + version_type=linux + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + ;; + uts4*) version_type=linux library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' @@ -14244,8 +11365,8 @@ dynamic_linker=no ;; esac -{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5 -echo "${ECHO_T}$dynamic_linker" >&6; } +{ $as_echo "$as_me:$LINENO: result: $dynamic_linker" >&5 +$as_echo "$dynamic_linker" >&6; } test "$dynamic_linker" = no && can_build_shared=no variables_saved_for_relink="PATH $shlibpath_var $runpath_var" 
@@ -14253,1444 +11374,655 @@ variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH" fi -{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5 -echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; } -hardcode_action_CXX= -if test -n "$hardcode_libdir_flag_spec_CXX" || \ - test -n "$runpath_var_CXX" || \ - test "X$hardcode_automatic_CXX" = "Xyes" ; then - - # We can hardcode non-existant directories. - if test "$hardcode_direct_CXX" != no && - # If the only mechanism to avoid hardcoding is shlibpath_var, we - # have to relink, otherwise we might link with an installed library - # when we should be linking with a yet-to-be-installed one - ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, CXX)" != no && - test "$hardcode_minus_L_CXX" != no; then - # Linking always hardcodes the temporary library directory. - hardcode_action_CXX=relink - else - # We can link without hardcoding, and we can hardcode nonexisting dirs. - hardcode_action_CXX=immediate - fi -else - # We cannot hardcode anything, or else we can only hardcode existing - # directories. 
- hardcode_action_CXX=unsupported +if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then + sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec" fi -{ echo "$as_me:$LINENO: result: $hardcode_action_CXX" >&5 -echo "${ECHO_T}$hardcode_action_CXX" >&6; } - -if test "$hardcode_action_CXX" = relink; then - # Fast installation is not supported - enable_fast_install=no -elif test "$shlibpath_overrides_runpath" = yes || - test "$enable_shared" = no; then - # Fast installation is not necessary - enable_fast_install=needless +if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then + sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec" fi -# The else clause should only fire when bootstrapping the -# libtool distribution, otherwise you forgot to ship ltmain.sh -# with your package, and you will get complaints that there are -# no rules to generate ltmain.sh. -if test -f "$ltmain"; then - # See if we are running on zsh, and set the options which allow our commands through - # without removal of \ escapes. - if test -n "${ZSH_VERSION+set}" ; then - setopt NO_GLOB_SUBST - fi - # Now quote all the things that may contain metacharacters while being - # careful not to overquote the AC_SUBSTed values. We take copies of the - # variables and quote the copies for generation of the libtool script. 
- for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \ - SED SHELL STRIP \ - libname_spec library_names_spec soname_spec extract_expsyms_cmds \ - old_striplib striplib file_magic_cmd finish_cmds finish_eval \ - deplibs_check_method reload_flag reload_cmds need_locks \ - lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \ - lt_cv_sys_global_symbol_to_c_name_address \ - sys_lib_search_path_spec sys_lib_dlsearch_path_spec \ - old_postinstall_cmds old_postuninstall_cmds \ - compiler_CXX \ - CC_CXX \ - LD_CXX \ - lt_prog_compiler_wl_CXX \ - lt_prog_compiler_pic_CXX \ - lt_prog_compiler_static_CXX \ - lt_prog_compiler_no_builtin_flag_CXX \ - export_dynamic_flag_spec_CXX \ - thread_safe_flag_spec_CXX \ - whole_archive_flag_spec_CXX \ - enable_shared_with_static_runtimes_CXX \ - old_archive_cmds_CXX \ - old_archive_from_new_cmds_CXX \ - predep_objects_CXX \ - postdep_objects_CXX \ - predeps_CXX \ - postdeps_CXX \ - compiler_lib_search_path_CXX \ - archive_cmds_CXX \ - archive_expsym_cmds_CXX \ - postinstall_cmds_CXX \ - postuninstall_cmds_CXX \ - old_archive_from_expsyms_cmds_CXX \ - allow_undefined_flag_CXX \ - no_undefined_flag_CXX \ - export_symbols_cmds_CXX \ - hardcode_libdir_flag_spec_CXX \ - hardcode_libdir_flag_spec_ld_CXX \ - hardcode_libdir_separator_CXX \ - hardcode_automatic_CXX \ - module_cmds_CXX \ - module_expsym_cmds_CXX \ - lt_cv_prog_compiler_c_o_CXX \ - exclude_expsyms_CXX \ - include_expsyms_CXX; do - - case $var in - old_archive_cmds_CXX | \ - old_archive_from_new_cmds_CXX | \ - archive_cmds_CXX | \ - archive_expsym_cmds_CXX | \ - module_cmds_CXX | \ - module_expsym_cmds_CXX | \ - old_archive_from_expsyms_cmds_CXX | \ - export_symbols_cmds_CXX | \ - extract_expsyms_cmds | reload_cmds | finish_cmds | \ - postinstall_cmds | postuninstall_cmds | \ - old_postinstall_cmds | old_postuninstall_cmds | \ - sys_lib_search_path_spec | sys_lib_dlsearch_path_spec) - # Double-quote double-evaled strings. 
- eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\"" - ;; - *) - eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\"" - ;; - esac - done - - case $lt_echo in - *'\$0 --fallback-echo"') - lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'` - ;; - esac - -cfgfile="$ofile" - - cat <<__EOF__ >> "$cfgfile" -# ### BEGIN LIBTOOL TAG CONFIG: $tagname -# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`: -# Shell to use when invoking shell scripts. -SHELL=$lt_SHELL -# Whether or not to build shared libraries. -build_libtool_libs=$enable_shared -# Whether or not to build static libraries. -build_old_libs=$enable_static -# Whether or not to add -lc for building shared libraries. -build_libtool_need_lc=$archive_cmds_need_lc_CXX -# Whether or not to disallow shared libs when runtime libs are static -allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_CXX -# Whether or not to optimize for fast installation. -fast_install=$enable_fast_install -# The host system. -host_alias=$host_alias -host=$host -host_os=$host_os -# The build system. -build_alias=$build_alias -build=$build -build_os=$build_os -# An echo program that does not interpret backslashes. -echo=$lt_echo -# The archiver. -AR=$lt_AR -AR_FLAGS=$lt_AR_FLAGS -# A C compiler. -LTCC=$lt_LTCC -# LTCC compiler flags. -LTCFLAGS=$lt_LTCFLAGS -# A language-specific compiler. -CC=$lt_compiler_CXX -# Is the compiler the GNU C compiler? -with_gcc=$GCC_CXX -# An ERE matcher. -EGREP=$lt_EGREP -# The linker used to build libraries. -LD=$lt_LD_CXX -# Whether we need hard or soft links. -LN_S=$lt_LN_S -# A BSD-compatible nm program. -NM=$lt_NM -# A symbol stripping program -STRIP=$lt_STRIP -# Used to examine libraries when file_magic_cmd begins "file" -MAGIC_CMD=$MAGIC_CMD -# Used on cygwin: DLL creation program. 
-DLLTOOL="$DLLTOOL" -# Used on cygwin: object dumper. -OBJDUMP="$OBJDUMP" -# Used on cygwin: assembler. -AS="$AS" -# The name of the directory that contains temporary libtool files. -objdir=$objdir -# How to create reloadable object files. -reload_flag=$lt_reload_flag -reload_cmds=$lt_reload_cmds -# How to pass a linker flag through the compiler. -wl=$lt_lt_prog_compiler_wl_CXX -# Object file suffix (normally "o"). -objext="$ac_objext" -# Old archive suffix (normally "a"). -libext="$libext" -# Shared library suffix (normally ".so"). -shrext_cmds='$shrext_cmds' -# Executable file suffix (normally ""). -exeext="$exeext" -# Additional compiler flags for building library objects. -pic_flag=$lt_lt_prog_compiler_pic_CXX -pic_mode=$pic_mode -# What is the maximum length of a command? -max_cmd_len=$lt_cv_sys_max_cmd_len -# Does compiler simultaneously support -c and -o options? -compiler_c_o=$lt_lt_cv_prog_compiler_c_o_CXX -# Must we lock files when doing compilation? -need_locks=$lt_need_locks -# Do we need the lib prefix for modules? -need_lib_prefix=$need_lib_prefix -# Do we need a version for libraries? -need_version=$need_version -# Whether dlopen is supported. -dlopen_support=$enable_dlopen -# Whether dlopen of programs is supported. -dlopen_self=$enable_dlopen_self -# Whether dlopen of statically linked programs is supported. -dlopen_self_static=$enable_dlopen_self_static -# Compiler flag to prevent dynamic linking. -link_static_flag=$lt_lt_prog_compiler_static_CXX -# Compiler flag to turn off builtin functions. -no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_CXX -# Compiler flag to allow reflexive dlopens. -export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_CXX -# Compiler flag to generate shared objects directly from archives. -whole_archive_flag_spec=$lt_whole_archive_flag_spec_CXX -# Compiler flag to generate thread-safe objects. -thread_safe_flag_spec=$lt_thread_safe_flag_spec_CXX -# Library versioning type. 
-version_type=$version_type -# Format of library name prefix. -libname_spec=$lt_libname_spec -# List of archive names. First name is the real one, the rest are links. -# The last name is the one that the linker finds with -lNAME. -library_names_spec=$lt_library_names_spec -# The coded name of the library, if different from the real name. -soname_spec=$lt_soname_spec -# Commands used to build and install an old-style archive. -RANLIB=$lt_RANLIB -old_archive_cmds=$lt_old_archive_cmds_CXX -old_postinstall_cmds=$lt_old_postinstall_cmds -old_postuninstall_cmds=$lt_old_postuninstall_cmds -# Create an old-style archive from a shared archive. -old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_CXX -# Create a temporary old-style archive to link instead of a shared archive. -old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_CXX -# Commands used to build and install a shared archive. -archive_cmds=$lt_archive_cmds_CXX -archive_expsym_cmds=$lt_archive_expsym_cmds_CXX -postinstall_cmds=$lt_postinstall_cmds -postuninstall_cmds=$lt_postuninstall_cmds -# Commands used to build a loadable module (assumed same as above if empty) -module_cmds=$lt_module_cmds_CXX -module_expsym_cmds=$lt_module_expsym_cmds_CXX -# Commands to strip libraries. -old_striplib=$lt_old_striplib -striplib=$lt_striplib -# Dependencies to place before the objects being linked to create a -# shared library. -predep_objects=$lt_predep_objects_CXX - -# Dependencies to place after the objects being linked to create a -# shared library. -postdep_objects=$lt_postdep_objects_CXX - -# Dependencies to place before the objects being linked to create a -# shared library. -predeps=$lt_predeps_CXX - -# Dependencies to place after the objects being linked to create a -# shared library. -postdeps=$lt_postdeps_CXX - -# The library search path used internally by the compiler when linking -# a shared library. 
-compiler_lib_search_path=$lt_compiler_lib_search_path_CXX -# Method to check whether dependent libraries are shared objects. -deplibs_check_method=$lt_deplibs_check_method -# Command to use when deplibs_check_method == file_magic. -file_magic_cmd=$lt_file_magic_cmd -# Flag that allows shared libraries with undefined symbols to be built. -allow_undefined_flag=$lt_allow_undefined_flag_CXX -# Flag that forces no undefined symbols. -no_undefined_flag=$lt_no_undefined_flag_CXX -# Commands used to finish a libtool library installation in a directory. -finish_cmds=$lt_finish_cmds -# Same as above, but a single script fragment to be evaled but not shown. -finish_eval=$lt_finish_eval -# Take the output of nm and produce a listing of raw symbols and C names. -global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe -# Transform the output of nm in a proper C declaration -global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl -# Transform the output of nm in a C name address pair -global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address -# This is the shared library runtime path variable. -runpath_var=$runpath_var -# This is the shared library path variable. -shlibpath_var=$shlibpath_var -# Is shlibpath searched before the hard-coded library search path? -shlibpath_overrides_runpath=$shlibpath_overrides_runpath -# How to hardcode a shared library path into an executable. -hardcode_action=$hardcode_action_CXX -# Whether we should hardcode library paths into libraries. -hardcode_into_libs=$hardcode_into_libs -# Flag to hardcode \$libdir into a binary during linking. -# This must work even if \$libdir does not exist. -hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_CXX -# If ld is used when linking, flag to hardcode \$libdir into -# a binary during linking. This must work even if \$libdir does -# not exist. -hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_CXX - -# Whether we need a single -rpath flag with a separated argument. 
-hardcode_libdir_separator=$lt_hardcode_libdir_separator_CXX - -# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the -# resulting binary. -hardcode_direct=$hardcode_direct_CXX - -# Set to yes if using the -LDIR flag during linking hardcodes DIR into the -# resulting binary. -hardcode_minus_L=$hardcode_minus_L_CXX - -# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into -# the resulting binary. -hardcode_shlibpath_var=$hardcode_shlibpath_var_CXX - -# Set to yes if building a shared library automatically hardcodes DIR into the library -# and all subsequent libraries and executables linked against it. -hardcode_automatic=$hardcode_automatic_CXX -# Variables whose values should be saved in libtool wrapper scripts and -# restored at relink time. -variables_saved_for_relink="$variables_saved_for_relink" -# Whether libtool must link a program against all its dependency libraries. -link_all_deplibs=$link_all_deplibs_CXX -# Compile-time system search path for libraries -sys_lib_search_path_spec=$lt_sys_lib_search_path_spec -# Run-time system search path for libraries -sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec -# Fix the shell variable \$srcfile for the compiler. -fix_srcfile_path="$fix_srcfile_path_CXX" -# Set to yes if exported symbols are required. -always_export_symbols=$always_export_symbols_CXX -# The commands to list exported symbols. -export_symbols_cmds=$lt_export_symbols_cmds_CXX -# The commands to extract the exported symbol list from a shared archive. -extract_expsyms_cmds=$lt_extract_expsyms_cmds -# Symbols that should not be listed in the preloaded symbols. -exclude_expsyms=$lt_exclude_expsyms_CXX -# Symbols that must always be exported. -include_expsyms=$lt_include_expsyms_CXX -# ### END LIBTOOL TAG CONFIG: $tagname -__EOF__ + { $as_echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5 +$as_echo_n "checking how to hardcode library paths into programs... 
" >&6; } +hardcode_action= +if test -n "$hardcode_libdir_flag_spec" || + test -n "$runpath_var" || + test "X$hardcode_automatic" = "Xyes" ; then -else - # If there is no Makefile yet, we rely on a make rule to execute - # `config.status --recheck' to rerun these tests and create the - # libtool script then. - ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'` - if test -f "$ltmain_in"; then - test -f Makefile && make "$ltmain" + # We can hardcode non-existent directories. + if test "$hardcode_direct" != no && + # If the only mechanism to avoid hardcoding is shlibpath_var, we + # have to relink, otherwise we might link with an installed library + # when we should be linking with a yet-to-be-installed one + ## test "$_LT_TAGVAR(hardcode_shlibpath_var, )" != no && + test "$hardcode_minus_L" != no; then + # Linking always hardcodes the temporary library directory. + hardcode_action=relink + else + # We can link without hardcoding, and we can hardcode nonexisting dirs. + hardcode_action=immediate fi +else + # We cannot hardcode anything, or else we can only hardcode existing + # directories. 
+ hardcode_action=unsupported fi +{ $as_echo "$as_me:$LINENO: result: $hardcode_action" >&5 +$as_echo "$hardcode_action" >&6; } +if test "$hardcode_action" = relink || + test "$inherit_rpath" = yes; then + # Fast installation is not supported + enable_fast_install=no +elif test "$shlibpath_overrides_runpath" = yes || + test "$enable_shared" = no; then + # Fast installation is not necessary + enable_fast_install=needless +fi -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu - -CC=$lt_save_CC -LDCXX=$LD -LD=$lt_save_LD -GCC=$lt_save_GCC -with_gnu_ldcxx=$with_gnu_ld -with_gnu_ld=$lt_save_with_gnu_ld -lt_cv_path_LDCXX=$lt_cv_path_LD -lt_cv_path_LD=$lt_save_path_LD -lt_cv_prog_gnu_ldcxx=$lt_cv_prog_gnu_ld -lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld - else - tagname="" - fi - ;; - F77) - if test -n "$F77" && test "X$F77" != "Xno"; then -ac_ext=f -ac_compile='$F77 -c $FFLAGS conftest.$ac_ext >&5' -ac_link='$F77 -o conftest$ac_exeext $FFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_f77_compiler_gnu - - -archive_cmds_need_lc_F77=no -allow_undefined_flag_F77= -always_export_symbols_F77=no -archive_expsym_cmds_F77= -export_dynamic_flag_spec_F77= -hardcode_direct_F77=no -hardcode_libdir_flag_spec_F77= -hardcode_libdir_flag_spec_ld_F77= -hardcode_libdir_separator_F77= -hardcode_minus_L_F77=no -hardcode_automatic_F77=no -module_cmds_F77= -module_expsym_cmds_F77= -link_all_deplibs_F77=unknown -old_archive_cmds_F77=$old_archive_cmds -no_undefined_flag_F77= -whole_archive_flag_spec_F77= -enable_shared_with_static_runtimes_F77=no -# Source file extension for f77 test sources. -ac_ext=f -# Object file extension for compiled f77 test sources. 
-objext=o -objext_F77=$objext + if test "x$enable_dlopen" != xyes; then + enable_dlopen=unknown + enable_dlopen_self=unknown + enable_dlopen_self_static=unknown +else + lt_cv_dlopen=no + lt_cv_dlopen_libs= -# Code to be used in simple compile tests -lt_simple_compile_test_code=" subroutine t\n return\n end\n" + case $host_os in + beos*) + lt_cv_dlopen="load_add_on" + lt_cv_dlopen_libs= + lt_cv_dlopen_self=yes + ;; -# Code to be used in simple link tests -lt_simple_link_test_code=" program t\n end\n" + mingw* | pw32* | cegcc*) + lt_cv_dlopen="LoadLibrary" + lt_cv_dlopen_libs= + ;; -# ltmain only uses $CC for tagged configurations so make sure $CC is set. + cygwin*) + lt_cv_dlopen="dlopen" + lt_cv_dlopen_libs= + ;; -# If no C compiler was specified, use CC. -LTCC=${LTCC-"$CC"} + darwin*) + # if libdl is installed we need to link against it + { $as_echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5 +$as_echo_n "checking for dlopen in -ldl... " >&6; } +if test "${ac_cv_lib_dl_dlopen+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ldl $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ -# If no C compiler flags were specified, use CFLAGS. -LTCFLAGS=${LTCFLAGS-"$CFLAGS"} +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char dlopen (); +int +main () +{ +return dlopen (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? 
+ grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_dl_dlopen=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -# Allow CC to be a program name with arguments. -compiler=$CC + ac_cv_lib_dl_dlopen=no +fi +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5 +$as_echo "$ac_cv_lib_dl_dlopen" >&6; } +if test "x$ac_cv_lib_dl_dlopen" = x""yes; then + lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl" +else -# save warnings/boilerplate of simple test code -ac_outfile=conftest.$ac_objext -printf "$lt_simple_compile_test_code" >conftest.$ac_ext -eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err -_lt_compiler_boilerplate=`cat conftest.err` -$rm conftest* + lt_cv_dlopen="dyld" + lt_cv_dlopen_libs= + lt_cv_dlopen_self=yes -ac_outfile=conftest.$ac_objext -printf "$lt_simple_link_test_code" >conftest.$ac_ext -eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err -_lt_linker_boilerplate=`cat conftest.err` -$rm conftest* +fi + ;; -# Allow CC to be a program name with arguments. -lt_save_CC="$CC" -CC=${F77-"f77"} -compiler=$CC -compiler_F77=$CC -for cc_temp in $compiler""; do - case $cc_temp in - compile | *[\\/]compile | ccache | *[\\/]ccache ) ;; - distcc | *[\\/]distcc | purify | *[\\/]purify ) ;; - \-*) ;; - *) break;; - esac -done -cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"` + *) + { $as_echo "$as_me:$LINENO: checking for shl_load" >&5 +$as_echo_n "checking for shl_load... 
" >&6; } +if test "${ac_cv_func_shl_load+set}" = set; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Define shl_load to an innocuous variant, in case declares shl_load. + For example, HP-UX 11i declares gettimeofday. */ +#define shl_load innocuous_shl_load +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char shl_load (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ -{ echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5 -echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6; } -{ echo "$as_me:$LINENO: result: $can_build_shared" >&5 -echo "${ECHO_T}$can_build_shared" >&6; } +#ifdef __STDC__ +# include +#else +# include +#endif -{ echo "$as_me:$LINENO: checking whether to build shared libraries" >&5 -echo $ECHO_N "checking whether to build shared libraries... $ECHO_C" >&6; } -test "$can_build_shared" = "no" && enable_shared=no +#undef shl_load -# On AIX, shared libraries and static libraries use the same namespace, and -# are all built from PIC. -case $host_os in -aix3*) - test "$enable_shared" = yes && enable_static=no - if test -n "$RANLIB"; then - archive_cmds="$archive_cmds~\$RANLIB \$lib" - postinstall_cmds='$RANLIB $lib' - fi - ;; -aix4* | aix5*) - if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then - test "$enable_shared" = yes && enable_static=no - fi - ;; +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char shl_load (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. 
Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined __stub_shl_load || defined __stub___shl_load +choke me +#endif + +int +main () +{ +return shl_load (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; esac -{ echo "$as_me:$LINENO: result: $enable_shared" >&5 -echo "${ECHO_T}$enable_shared" >&6; } +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_func_shl_load=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -{ echo "$as_me:$LINENO: checking whether to build static libraries" >&5 -echo $ECHO_N "checking whether to build static libraries... $ECHO_C" >&6; } -# Make sure either enable_shared or enable_static is yes. -test "$enable_shared" = yes || enable_static=yes -{ echo "$as_me:$LINENO: result: $enable_static" >&5 -echo "${ECHO_T}$enable_static" >&6; } - -GCC_F77="$G77" -LD_F77="$LD" - -lt_prog_compiler_wl_F77= -lt_prog_compiler_pic_F77= -lt_prog_compiler_static_F77= + ac_cv_func_shl_load=no +fi -{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5 -echo $ECHO_N "checking for $compiler option to produce PIC... 
$ECHO_C" >&6; } +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_shl_load" >&5 +$as_echo "$ac_cv_func_shl_load" >&6; } +if test "x$ac_cv_func_shl_load" = x""yes; then + lt_cv_dlopen="shl_load" +else + { $as_echo "$as_me:$LINENO: checking for shl_load in -ldld" >&5 +$as_echo_n "checking for shl_load in -ldld... " >&6; } +if test "${ac_cv_lib_dld_shl_load+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ldld $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ - if test "$GCC" = yes; then - lt_prog_compiler_wl_F77='-Wl,' - lt_prog_compiler_static_F77='-static' +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char shl_load (); +int +main () +{ +return shl_load (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_dld_shl_load=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 - case $host_os in - aix*) - # All AIX code is PIC. 
- if test "$host_cpu" = ia64; then - # AIX 5 now supports IA64 processor - lt_prog_compiler_static_F77='-Bstatic' - fi - ;; + ac_cv_lib_dld_shl_load=no +fi - amigaos*) - # FIXME: we need at least 68020 code to build shared libraries, but - # adding the `-m68020' flag to GCC prevents building anything better, - # like `-m68040'. - lt_prog_compiler_pic_F77='-m68020 -resident32 -malways-restore-a4' - ;; +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dld_shl_load" >&5 +$as_echo "$ac_cv_lib_dld_shl_load" >&6; } +if test "x$ac_cv_lib_dld_shl_load" = x""yes; then + lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld" +else + { $as_echo "$as_me:$LINENO: checking for dlopen" >&5 +$as_echo_n "checking for dlopen... " >&6; } +if test "${ac_cv_func_dlopen+set}" = set; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Define dlopen to an innocuous variant, in case declares dlopen. + For example, HP-UX 11i declares gettimeofday. */ +#define dlopen innocuous_dlopen - beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) - # PIC is the default for these OSes. - ;; +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char dlopen (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ - mingw* | pw32* | os2*) - # This hack is so that the source file can tell whether it is being - # built for inclusion in a dll (and should export symbols for example). 
- lt_prog_compiler_pic_F77='-DDLL_EXPORT' - ;; +#ifdef __STDC__ +# include +#else +# include +#endif - darwin* | rhapsody*) - # PIC is the default on this platform - # Common symbols not allowed in MH_DYLIB files - lt_prog_compiler_pic_F77='-fno-common' - ;; +#undef dlopen - interix3*) - # Interix 3.x gcc -fpic/-fPIC options generate broken code. - # Instead, we relocate shared libraries at runtime. - ;; - - msdosdjgpp*) - # Just because we use GCC doesn't mean we suddenly get shared libraries - # on systems that don't support them. - lt_prog_compiler_can_build_shared_F77=no - enable_shared=no - ;; - - sysv4*MP*) - if test -d /usr/nec; then - lt_prog_compiler_pic_F77=-Kconform_pic - fi - ;; - - hpux*) - # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but - # not for PA HP-UX. - case $host_cpu in - hppa*64*|ia64*) - # +Z the default - ;; - *) - lt_prog_compiler_pic_F77='-fPIC' - ;; - esac - ;; - - *) - lt_prog_compiler_pic_F77='-fPIC' - ;; - esac - else - # PORTME Check for flag to pass linker flags through the system compiler. - case $host_os in - aix*) - lt_prog_compiler_wl_F77='-Wl,' - if test "$host_cpu" = ia64; then - # AIX 5 now supports IA64 processor - lt_prog_compiler_static_F77='-Bstatic' - else - lt_prog_compiler_static_F77='-bnso -bI:/lib/syscalls.exp' - fi - ;; - darwin*) - # PIC is the default on this platform - # Common symbols not allowed in MH_DYLIB files - case $cc_basename in - xlc*) - lt_prog_compiler_pic_F77='-qnocommon' - lt_prog_compiler_wl_F77='-Wl,' - ;; - esac - ;; - - mingw* | pw32* | os2*) - # This hack is so that the source file can tell whether it is being - # built for inclusion in a dll (and should export symbols for example). - lt_prog_compiler_pic_F77='-DDLL_EXPORT' - ;; - - hpux9* | hpux10* | hpux11*) - lt_prog_compiler_wl_F77='-Wl,' - # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but - # not for PA HP-UX. 
- case $host_cpu in - hppa*64*|ia64*) - # +Z the default - ;; - *) - lt_prog_compiler_pic_F77='+Z' - ;; - esac - # Is there a better lt_prog_compiler_static that works with the bundled CC? - lt_prog_compiler_static_F77='${wl}-a ${wl}archive' - ;; - - irix5* | irix6* | nonstopux*) - lt_prog_compiler_wl_F77='-Wl,' - # PIC (with -KPIC) is the default. - lt_prog_compiler_static_F77='-non_shared' - ;; - - newsos6) - lt_prog_compiler_pic_F77='-KPIC' - lt_prog_compiler_static_F77='-Bstatic' - ;; - - linux*) - case $cc_basename in - icc* | ecc*) - lt_prog_compiler_wl_F77='-Wl,' - lt_prog_compiler_pic_F77='-KPIC' - lt_prog_compiler_static_F77='-static' - ;; - pgcc* | pgf77* | pgf90* | pgf95*) - # Portland Group compilers (*not* the Pentium gcc compiler, - # which looks to be a dead project) - lt_prog_compiler_wl_F77='-Wl,' - lt_prog_compiler_pic_F77='-fpic' - lt_prog_compiler_static_F77='-Bstatic' - ;; - ccc*) - lt_prog_compiler_wl_F77='-Wl,' - # All Alpha code is PIC. - lt_prog_compiler_static_F77='-non_shared' - ;; - esac - ;; - - osf3* | osf4* | osf5*) - lt_prog_compiler_wl_F77='-Wl,' - # All OSF/1 code is PIC. 
- lt_prog_compiler_static_F77='-non_shared' - ;; - - solaris*) - lt_prog_compiler_pic_F77='-KPIC' - lt_prog_compiler_static_F77='-Bstatic' - case $cc_basename in - f77* | f90* | f95*) - lt_prog_compiler_wl_F77='-Qoption ld ';; - *) - lt_prog_compiler_wl_F77='-Wl,';; - esac - ;; - - sunos4*) - lt_prog_compiler_wl_F77='-Qoption ld ' - lt_prog_compiler_pic_F77='-PIC' - lt_prog_compiler_static_F77='-Bstatic' - ;; - - sysv4 | sysv4.2uw2* | sysv4.3*) - lt_prog_compiler_wl_F77='-Wl,' - lt_prog_compiler_pic_F77='-KPIC' - lt_prog_compiler_static_F77='-Bstatic' - ;; - - sysv4*MP*) - if test -d /usr/nec ;then - lt_prog_compiler_pic_F77='-Kconform_pic' - lt_prog_compiler_static_F77='-Bstatic' - fi - ;; - - sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*) - lt_prog_compiler_wl_F77='-Wl,' - lt_prog_compiler_pic_F77='-KPIC' - lt_prog_compiler_static_F77='-Bstatic' - ;; - - unicos*) - lt_prog_compiler_wl_F77='-Wl,' - lt_prog_compiler_can_build_shared_F77=no - ;; - - uts4*) - lt_prog_compiler_pic_F77='-pic' - lt_prog_compiler_static_F77='-Bstatic' - ;; - - *) - lt_prog_compiler_can_build_shared_F77=no - ;; - esac - fi - -{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_F77" >&5 -echo "${ECHO_T}$lt_prog_compiler_pic_F77" >&6; } - -# -# Check to make sure the PIC flag actually works. -# -if test -n "$lt_prog_compiler_pic_F77"; then +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char dlopen (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. 
*/ +#if defined __stub_dlopen || defined __stub___dlopen +choke me +#endif -{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_F77 works" >&5 -echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_F77 works... $ECHO_C" >&6; } -if test "${lt_prog_compiler_pic_works_F77+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - lt_prog_compiler_pic_works_F77=no - ac_outfile=conftest.$ac_objext - printf "$lt_simple_compile_test_code" > conftest.$ac_ext - lt_compiler_flag="$lt_prog_compiler_pic_F77" - # Insert the option either (1) after the last *FLAGS variable, or - # (2) before a word containing "conftest.", or (3) at the end. - # Note that $ac_compile itself does not contain backslashes and begins - # with a dollar sign (not a hyphen), so the echo should work correctly. - # The option is referenced via a variable to avoid confusing sed. - lt_compile=`echo "$ac_compile" | $SED \ - -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ - -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ - -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:15085: $lt_compile\"" >&5) - (eval "$lt_compile" 2>conftest.err) - ac_status=$? - cat conftest.err >&5 - echo "$as_me:15089: \$? = $ac_status" >&5 - if (exit $ac_status) && test -s "$ac_outfile"; then - # The compiler can only warn and ignore the option if not recognized - # So say no if there are warnings other than the usual output. - $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp - $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 - if test ! 
-s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then - lt_prog_compiler_pic_works_F77=yes - fi - fi - $rm conftest* +int +main () +{ +return dlopen (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_func_dlopen=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_cv_func_dlopen=no fi -{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_works_F77" >&5 -echo "${ECHO_T}$lt_prog_compiler_pic_works_F77" >&6; } -if test x"$lt_prog_compiler_pic_works_F77" = xyes; then - case $lt_prog_compiler_pic_F77 in - "" | " "*) ;; - *) lt_prog_compiler_pic_F77=" $lt_prog_compiler_pic_F77" ;; - esac -else - lt_prog_compiler_pic_F77= - lt_prog_compiler_can_build_shared_F77=no +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_dlopen" >&5 +$as_echo "$ac_cv_func_dlopen" >&6; } +if test "x$ac_cv_func_dlopen" = x""yes; then + lt_cv_dlopen="dlopen" +else + { $as_echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5 +$as_echo_n "checking for dlopen in -ldl... " >&6; } +if test "${ac_cv_lib_dl_dlopen+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ldl $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. 
*/ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ -fi -case $host_os in - # For platforms which do not support PIC, -DPIC is meaningless: - *djgpp*) - lt_prog_compiler_pic_F77= - ;; - *) - lt_prog_compiler_pic_F77="$lt_prog_compiler_pic_F77" - ;; +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char dlopen (); +int +main () +{ +return dlopen (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; esac - -# -# Check to make sure the static flag actually works. -# -wl=$lt_prog_compiler_wl_F77 eval lt_tmp_static_flag=\"$lt_prog_compiler_static_F77\" -{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5 -echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; } -if test "${lt_prog_compiler_static_works_F77+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_dl_dlopen=yes else - lt_prog_compiler_static_works_F77=no - save_LDFLAGS="$LDFLAGS" - LDFLAGS="$LDFLAGS $lt_tmp_static_flag" - printf "$lt_simple_link_test_code" > conftest.$ac_ext - if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then - # The linker can only warn and ignore the option if not recognized - # So say no if there are warnings - if test -s conftest.err; then - # Append any errors to the config.log. - cat conftest.err 1>&5 - $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp - $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 - if diff conftest.exp conftest.er2 >/dev/null; then - lt_prog_compiler_static_works_F77=yes - fi - else - lt_prog_compiler_static_works_F77=yes - fi - fi - $rm conftest* - LDFLAGS="$save_LDFLAGS" + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_cv_lib_dl_dlopen=no fi -{ echo "$as_me:$LINENO: result: $lt_prog_compiler_static_works_F77" >&5 -echo "${ECHO_T}$lt_prog_compiler_static_works_F77" >&6; } -if test x"$lt_prog_compiler_static_works_F77" = xyes; then - : -else - lt_prog_compiler_static_F77= +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS fi - - -{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5 -echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... 
$ECHO_C" >&6; } -if test "${lt_cv_prog_compiler_c_o_F77+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5 +$as_echo "$ac_cv_lib_dl_dlopen" >&6; } +if test "x$ac_cv_lib_dl_dlopen" = x""yes; then + lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl" else - lt_cv_prog_compiler_c_o_F77=no - $rm -r conftest 2>/dev/null - mkdir conftest - cd conftest - mkdir out - printf "$lt_simple_compile_test_code" > conftest.$ac_ext + { $as_echo "$as_me:$LINENO: checking for dlopen in -lsvld" >&5 +$as_echo_n "checking for dlopen in -lsvld... " >&6; } +if test "${ac_cv_lib_svld_dlopen+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lsvld $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ - lt_compiler_flag="-o out/conftest2.$ac_objext" - # Insert the option either (1) after the last *FLAGS variable, or - # (2) before a word containing "conftest.", or (3) at the end. - # Note that $ac_compile itself does not contain backslashes and begins - # with a dollar sign (not a hyphen), so the echo should work correctly. - lt_compile=`echo "$ac_compile" | $SED \ - -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ - -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ - -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:15189: $lt_compile\"" >&5) - (eval "$lt_compile" 2>out/conftest.err) - ac_status=$? - cat out/conftest.err >&5 - echo "$as_me:15193: \$? = $ac_status" >&5 - if (exit $ac_status) && test -s out/conftest2.$ac_objext - then - # The compiler can only warn and ignore the option if not recognized - # So say no if there are warnings - $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp - $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2 - if test ! 
-s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then - lt_cv_prog_compiler_c_o_F77=yes - fi - fi - chmod u+w . 2>&5 - $rm conftest* - # SGI C++ compiler will create directory out/ii_files/ for - # template instantiation - test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files - $rm out/* && rmdir out - cd .. - rmdir conftest - $rm conftest* +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char dlopen (); +int +main () +{ +return dlopen (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_svld_dlopen=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_cv_lib_svld_dlopen=no fi -{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_F77" >&5 -echo "${ECHO_T}$lt_cv_prog_compiler_c_o_F77" >&6; } - -hard_links="nottested" -if test "$lt_cv_prog_compiler_c_o_F77" = no && test "$need_locks" != no; then - # do not overwrite the value of need_locks provided by the user - { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5 -echo $ECHO_N "checking if we can lock with hard links... 
$ECHO_C" >&6; } - hard_links=yes - $rm conftest* - ln conftest.a conftest.b 2>/dev/null && hard_links=no - touch conftest.a - ln conftest.a conftest.b 2>&5 || hard_links=no - ln conftest.a conftest.b 2>/dev/null && hard_links=no - { echo "$as_me:$LINENO: result: $hard_links" >&5 -echo "${ECHO_T}$hard_links" >&6; } - if test "$hard_links" = no; then - { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5 -echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;} - need_locks=warn - fi -else - need_locks=no +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_svld_dlopen" >&5 +$as_echo "$ac_cv_lib_svld_dlopen" >&6; } +if test "x$ac_cv_lib_svld_dlopen" = x""yes; then + lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld" +else + { $as_echo "$as_me:$LINENO: checking for dld_link in -ldld" >&5 +$as_echo_n "checking for dld_link in -ldld... " >&6; } +if test "${ac_cv_lib_dld_dld_link+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ldld $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ -{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5 -echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... 
$ECHO_C" >&6; } - - runpath_var= - allow_undefined_flag_F77= - enable_shared_with_static_runtimes_F77=no - archive_cmds_F77= - archive_expsym_cmds_F77= - old_archive_From_new_cmds_F77= - old_archive_from_expsyms_cmds_F77= - export_dynamic_flag_spec_F77= - whole_archive_flag_spec_F77= - thread_safe_flag_spec_F77= - hardcode_libdir_flag_spec_F77= - hardcode_libdir_flag_spec_ld_F77= - hardcode_libdir_separator_F77= - hardcode_direct_F77=no - hardcode_minus_L_F77=no - hardcode_shlibpath_var_F77=unsupported - link_all_deplibs_F77=unknown - hardcode_automatic_F77=no - module_cmds_F77= - module_expsym_cmds_F77= - always_export_symbols_F77=no - export_symbols_cmds_F77='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' - # include_expsyms should be a list of space-separated symbols to be *always* - # included in the symbol list - include_expsyms_F77= - # exclude_expsyms can be an extended regexp of symbols to exclude - # it will be wrapped by ` (' and `)$', so one must not match beginning or - # end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc', - # as well as any symbol that contains `d'. - exclude_expsyms_F77="_GLOBAL_OFFSET_TABLE_" - # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out - # platforms (ab)use it in PIC code, but their linkers get confused if - # the symbol is explicitly referenced. Since portable code cannot - # rely on this symbol name, it's probably fine to never include it in - # preloaded symbol tables. - extract_expsyms_cmds= - # Just being paranoid about ensuring that cc_basename is set. 
- for cc_temp in $compiler""; do - case $cc_temp in - compile | *[\\/]compile | ccache | *[\\/]ccache ) ;; - distcc | *[\\/]distcc | purify | *[\\/]purify ) ;; - \-*) ;; - *) break;; - esac -done -cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"` - - case $host_os in - cygwin* | mingw* | pw32*) - # FIXME: the MSVC++ port hasn't been tested in a loooong time - # When not using gcc, we currently assume that we are using - # Microsoft Visual C++. - if test "$GCC" != yes; then - with_gnu_ld=no - fi - ;; - interix*) - # we just hope/assume this is gcc and not c89 (= MSVC++) - with_gnu_ld=yes - ;; - openbsd*) - with_gnu_ld=no - ;; - esac - - ld_shlibs_F77=yes - if test "$with_gnu_ld" = yes; then - # If archive_cmds runs LD, not CC, wlarc should be empty - wlarc='${wl}' - - # Set some defaults for GNU ld with shared library support. These - # are reset later if shared libraries are not supported. Putting them - # here allows them to be overridden if necessary. - runpath_var=LD_RUN_PATH - hardcode_libdir_flag_spec_F77='${wl}--rpath ${wl}$libdir' - export_dynamic_flag_spec_F77='${wl}--export-dynamic' - # ancient GNU ld didn't support --whole-archive et. al. - if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then - whole_archive_flag_spec_F77="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' - else - whole_archive_flag_spec_F77= - fi - supports_anon_versioning=no - case `$LD -v 2>/dev/null` in - *\ [01].* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11 - *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ... - *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ... - *\ 2.11.*) ;; # other 2.11 versions - *) supports_anon_versioning=yes ;; - esac - - # See if GNU ld supports shared libraries. 
- case $host_os in - aix3* | aix4* | aix5*) - # On AIX/PPC, the GNU linker is very broken - if test "$host_cpu" != ia64; then - ld_shlibs_F77=no - cat <&2 - -*** Warning: the GNU linker, at least up to release 2.9.1, is reported -*** to be unable to reliably create shared libraries on AIX. -*** Therefore, libtool is disabling shared libraries support. If you -*** really care for shared libraries, you may want to modify your PATH -*** so that a non-GNU linker is found, and then restart. - -EOF - fi - ;; - - amigaos*) - archive_cmds_F77='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' - hardcode_libdir_flag_spec_F77='-L$libdir' - hardcode_minus_L_F77=yes - - # Samuel A. Falvo II reports - # that the semantics of dynamic libraries on AmigaOS, at least up - # to version 4, is to share data among multiple programs linked - # with the same dynamic library. Since this doesn't match the - # behavior of shared libraries on other platforms, we can't use - # them. - ld_shlibs_F77=no - ;; - - beos*) - if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - allow_undefined_flag_F77=unsupported - # Joseph Beckenbach says some releases of gcc - # support --undefined. This deserves some investigation. FIXME - archive_cmds_F77='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - else - ld_shlibs_F77=no - fi - ;; - - cygwin* | mingw* | pw32*) - # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, F77) is actually meaningless, - # as there is no search path for DLLs. 
- hardcode_libdir_flag_spec_F77='-L$libdir' - allow_undefined_flag_F77=unsupported - always_export_symbols_F77=no - enable_shared_with_static_runtimes_F77=yes - export_symbols_cmds_F77='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols' - - if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then - archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' - # If the export-symbols file already is a .def file (1st line - # is EXPORTS), use it as is; otherwise, prepend... - archive_expsym_cmds_F77='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then - cp $export_symbols $output_objdir/$soname.def; - else - echo EXPORTS > $output_objdir/$soname.def; - cat $export_symbols >> $output_objdir/$soname.def; - fi~ - $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' - else - ld_shlibs_F77=no - fi - ;; - - interix3*) - hardcode_direct_F77=no - hardcode_shlibpath_var_F77=no - hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir' - export_dynamic_flag_spec_F77='${wl}-E' - # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc. - # Instead, shared libraries are loaded at an image base (0x10000000 by - # default) and relocated if they conflict, which is a slow very memory - # consuming and fragmenting process. To avoid this, we pick a random, - # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link - # time. Moving up from 0x10000000 also allows more sbrk(2) space. 
- archive_cmds_F77='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' - archive_expsym_cmds_F77='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' - ;; - - linux*) - if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - tmp_addflag= - case $cc_basename,$host_cpu in - pgcc*) # Portland Group C compiler - whole_archive_flag_spec_F77='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive' - tmp_addflag=' $pic_flag' - ;; - pgf77* | pgf90* | pgf95*) # Portland Group f77 and f90 compilers - whole_archive_flag_spec_F77='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive' - tmp_addflag=' $pic_flag -Mnomain' ;; - ecc*,ia64* | icc*,ia64*) # Intel C compiler on ia64 - tmp_addflag=' -i_dynamic' ;; - efc*,ia64* | ifort*,ia64*) # Intel Fortran compiler on ia64 - tmp_addflag=' -i_dynamic -nofor_main' ;; - ifc* | ifort*) # Intel Fortran compiler - tmp_addflag=' -nofor_main' ;; - esac - archive_cmds_F77='$CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - - if test $supports_anon_versioning = yes; then - archive_expsym_cmds_F77='$echo "{ global:" > $output_objdir/$libname.ver~ - cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ - $echo "local: *; };" >> $output_objdir/$libname.ver~ - $CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib' 
- fi - else - ld_shlibs_F77=no - fi - ;; - - netbsd*) - if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then - archive_cmds_F77='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' - wlarc= - else - archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - fi - ;; - - solaris*) - if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then - ld_shlibs_F77=no - cat <&2 - -*** Warning: The releases 2.8.* of the GNU linker cannot reliably -*** create shared libraries on Solaris systems. Therefore, libtool -*** is disabling shared libraries support. We urge you to upgrade GNU -*** binutils to release 2.9.1 or newer. Another option is to modify -*** your PATH or compiler configuration so that the native linker is -*** used, and then restart. - -EOF - elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - else - ld_shlibs_F77=no - fi - ;; - - sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*) - case `$LD -v 2>&1` in - *\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*) - ld_shlibs_F77=no - cat <<_LT_EOF 1>&2 - -*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not -*** reliably create shared libraries on SCO systems. Therefore, libtool -*** is disabling shared libraries support. We urge you to upgrade GNU -*** binutils to release 2.16.91.0.3 or newer. Another option is to modify -*** your PATH or compiler configuration so that the native linker is -*** used, and then restart. 
- -_LT_EOF - ;; - *) - if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - hardcode_libdir_flag_spec_F77='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`' - archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib' - archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname,-retain-symbols-file,$export_symbols -o $lib' - else - ld_shlibs_F77=no - fi - ;; - esac - ;; - - sunos4*) - archive_cmds_F77='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags' - wlarc= - hardcode_direct_F77=yes - hardcode_shlibpath_var_F77=no - ;; - - *) - if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - else - ld_shlibs_F77=no - fi - ;; - esac - - if test "$ld_shlibs_F77" = no; then - runpath_var= - hardcode_libdir_flag_spec_F77= - export_dynamic_flag_spec_F77= - whole_archive_flag_spec_F77= - fi - else - # PORTME fill in a description of your system's linker (not GNU ld) - case $host_os in - aix3*) - allow_undefined_flag_F77=unsupported - always_export_symbols_F77=yes - archive_expsym_cmds_F77='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname' - # Note: this linker hardcodes the directories in LIBPATH if there - # are no directories specified by -L. - hardcode_minus_L_F77=yes - if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then - # Neither direct hardcoding nor static linking is supported with a - # broken collect2. 
- hardcode_direct_F77=unsupported - fi - ;; - - aix4* | aix5*) - if test "$host_cpu" = ia64; then - # On IA64, the linker does run time linking by default, so we don't - # have to do anything special. - aix_use_runtimelinking=no - exp_sym_flag='-Bexport' - no_entry_flag="" - else - # If we're using GNU nm, then we don't want the "-C" option. - # -C means demangle to AIX nm, but means don't demangle with GNU nm - if $NM -V 2>&1 | grep 'GNU' > /dev/null; then - export_symbols_cmds_F77='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols' - else - export_symbols_cmds_F77='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols' - fi - aix_use_runtimelinking=no - - # Test if we are trying to use run time linking or normal - # AIX style linking. If -brtl is somewhere in LDFLAGS, we - # need to do runtime linking. - case $host_os in aix4.[23]|aix4.[23].*|aix5*) - for ld_flag in $LDFLAGS; do - if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then - aix_use_runtimelinking=yes - break - fi - done - ;; - esac - - exp_sym_flag='-bexport' - no_entry_flag='-bnoentry' - fi - - # When large executables or shared objects are built, AIX ld can - # have problems creating the table of contents. If linking a library - # or program results in "error TOC overflow" add -mminimal-toc to - # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not - # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS. 
- - archive_cmds_F77='' - hardcode_direct_F77=yes - hardcode_libdir_separator_F77=':' - link_all_deplibs_F77=yes - - if test "$GCC" = yes; then - case $host_os in aix4.[012]|aix4.[012].*) - # We only want to do this on AIX 4.2 and lower, the check - # below for broken collect2 doesn't work under 4.3+ - collect2name=`${CC} -print-prog-name=collect2` - if test -f "$collect2name" && \ - strings "$collect2name" | grep resolve_lib_name >/dev/null - then - # We have reworked collect2 - hardcode_direct_F77=yes - else - # We have old collect2 - hardcode_direct_F77=unsupported - # It fails to find uninstalled libraries when the uninstalled - # path is not listed in the libpath. Setting hardcode_minus_L - # to unsupported forces relinking - hardcode_minus_L_F77=yes - hardcode_libdir_flag_spec_F77='-L$libdir' - hardcode_libdir_separator_F77= - fi - ;; - esac - shared_flag='-shared' - if test "$aix_use_runtimelinking" = yes; then - shared_flag="$shared_flag "'${wl}-G' - fi - else - # not using gcc - if test "$host_cpu" = ia64; then - # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release - # chokes on -Wl,-G. The following line is correct: - shared_flag='-G' - else - if test "$aix_use_runtimelinking" = yes; then - shared_flag='${wl}-G' - else - shared_flag='${wl}-bM:SRE' - fi - fi - fi - - # It seems that -bexpall does not export symbols beginning with - # underscore (_), so it is better to generate a list of symbols to export. - always_export_symbols_F77=yes - if test "$aix_use_runtimelinking" = yes; then - # Warning - without using the other runtime loading flags (-brtl), - # -berok will link without error, but may produce a broken library. - allow_undefined_flag_F77='-berok' - # Determine the default libpath from the value encoded in an empty executable. 
- cat >conftest.$ac_ext <<_ACEOF - program main - - end -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_f77_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - -aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } -}'` -# Check for a 64-bit object if we didn't find anything. -if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } -}'`; fi -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - -fi - -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi - - hardcode_libdir_flag_spec_F77='${wl}-blibpath:$libdir:'"$aix_libpath" - archive_expsym_cmds_F77="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag" - else - if test "$host_cpu" = ia64; then - hardcode_libdir_flag_spec_F77='${wl}-R $libdir:/usr/lib:/lib' - allow_undefined_flag_F77="-z nodefs" - archive_expsym_cmds_F77="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols" - else - # Determine the default libpath from 
the value encoded in an empty executable. - cat >conftest.$ac_ext <<_ACEOF - program main - - end +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char dld_link (); +int +main () +{ +return dld_link (); + ; + return 0; +} _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext if { (ac_try="$ac_link" 
@@ -15698,4886 +12030,3278 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { - test -z "$ac_f77_werror_flag" || + test -z "$ac_c_werror_flag" || test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - -aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } -}'` -# Check for a 64-bit object if we didn't find anything. -if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } -}'`; fi -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - -fi - -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi - - hardcode_libdir_flag_spec_F77='${wl}-blibpath:$libdir:'"$aix_libpath" - # Warning - without using the other run time loading flags, - # -berok will link without error, but may produce a broken library. - no_undefined_flag_F77=' ${wl}-bernotok' - allow_undefined_flag_F77=' ${wl}-berok' - # Exported symbols can be pulled into shared objects from archives - whole_archive_flag_spec_F77='$convenience' - archive_cmds_need_lc_F77=yes - # This is similar to how AIX traditionally builds its shared libraries. 
- archive_expsym_cmds_F77="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname' - fi - fi - ;; - - amigaos*) - archive_cmds_F77='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' - hardcode_libdir_flag_spec_F77='-L$libdir' - hardcode_minus_L_F77=yes - # see comment about different semantics on the GNU ld section - ld_shlibs_F77=no - ;; - - bsdi[45]*) - export_dynamic_flag_spec_F77=-rdynamic - ;; - - cygwin* | mingw* | pw32*) - # When not using gcc, we currently assume that we are using - # Microsoft Visual C++. - # hardcode_libdir_flag_spec is actually meaningless, as there is - # no search path for DLLs. - hardcode_libdir_flag_spec_F77=' ' - allow_undefined_flag_F77=unsupported - # Tell ltmain to make .lib files, not .a files. - libext=lib - # Tell ltmain to make .dll files, not .so files. - shrext_cmds=".dll" - # FIXME: Setting linknames here is a bad hack. - archive_cmds_F77='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames=' - # The linker will automatically build a .lib file if we build a DLL. - old_archive_From_new_cmds_F77='true' - # FIXME: Should let the user specify the lib program. 
- old_archive_cmds_F77='lib /OUT:$oldlib$oldobjs$old_deplibs' - fix_srcfile_path_F77='`cygpath -w "$srcfile"`' - enable_shared_with_static_runtimes_F77=yes - ;; - - darwin* | rhapsody*) - case $host_os in - rhapsody* | darwin1.[012]) - allow_undefined_flag_F77='${wl}-undefined ${wl}suppress' - ;; - *) # Darwin 1.3 on - if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then - allow_undefined_flag_F77='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' - else - case ${MACOSX_DEPLOYMENT_TARGET} in - 10.[012]) - allow_undefined_flag_F77='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' - ;; - 10.*) - allow_undefined_flag_F77='${wl}-undefined ${wl}dynamic_lookup' - ;; - esac - fi - ;; - esac - archive_cmds_need_lc_F77=no - hardcode_direct_F77=no - hardcode_automatic_F77=yes - hardcode_shlibpath_var_F77=unsupported - whole_archive_flag_spec_F77='' - link_all_deplibs_F77=yes - if test "$GCC" = yes ; then - output_verbose_link_cmd='echo' - archive_cmds_F77='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring' - module_cmds_F77='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags' - # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds - archive_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - module_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - else - case $cc_basename in - xlc*) - output_verbose_link_cmd='echo' - archive_cmds_F77='$CC -qmkshrobj $allow_undefined_flag -o 
$lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring' - module_cmds_F77='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags' - # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds - archive_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - module_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - ;; - *) - ld_shlibs_F77=no - ;; - esac - fi - ;; - - dgux*) - archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_libdir_flag_spec_F77='-L$libdir' - hardcode_shlibpath_var_F77=no - ;; - - freebsd1*) - ld_shlibs_F77=no - ;; - - # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor - # support. Future versions do this automatically, but an explicit c++rt0.o - # does not break anything, and helps significantly (at the cost of a little - # extra space). - freebsd2.2*) - archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o' - hardcode_libdir_flag_spec_F77='-R$libdir' - hardcode_direct_F77=yes - hardcode_shlibpath_var_F77=no - ;; - - # Unfortunately, older versions of FreeBSD 2 do not have this feature. - freebsd2*) - archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' - hardcode_direct_F77=yes - hardcode_minus_L_F77=yes - hardcode_shlibpath_var_F77=no - ;; - - # FreeBSD 3 and greater uses gcc -shared to do shared libraries. 
- freebsd* | kfreebsd*-gnu | dragonfly*) - archive_cmds_F77='$CC -shared -o $lib $libobjs $deplibs $compiler_flags' - hardcode_libdir_flag_spec_F77='-R$libdir' - hardcode_direct_F77=yes - hardcode_shlibpath_var_F77=no - ;; - - hpux9*) - if test "$GCC" = yes; then - archive_cmds_F77='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' - else - archive_cmds_F77='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' - fi - hardcode_libdir_flag_spec_F77='${wl}+b ${wl}$libdir' - hardcode_libdir_separator_F77=: - hardcode_direct_F77=yes - - # hardcode_minus_L: Not really in the search PATH, - # but as the default location of the library. - hardcode_minus_L_F77=yes - export_dynamic_flag_spec_F77='${wl}-E' - ;; - - hpux10*) - if test "$GCC" = yes -a "$with_gnu_ld" = no; then - archive_cmds_F77='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' - else - archive_cmds_F77='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags' - fi - if test "$with_gnu_ld" = no; then - hardcode_libdir_flag_spec_F77='${wl}+b ${wl}$libdir' - hardcode_libdir_separator_F77=: - - hardcode_direct_F77=yes - export_dynamic_flag_spec_F77='${wl}-E' - - # hardcode_minus_L: Not really in the search PATH, - # but as the default location of the library. 
- hardcode_minus_L_F77=yes - fi - ;; - - hpux11*) - if test "$GCC" = yes -a "$with_gnu_ld" = no; then - case $host_cpu in - hppa*64*) - archive_cmds_F77='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' - ;; - ia64*) - archive_cmds_F77='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags' - ;; - *) - archive_cmds_F77='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' - ;; - esac - else - case $host_cpu in - hppa*64*) - archive_cmds_F77='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' - ;; - ia64*) - archive_cmds_F77='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags' - ;; - *) - archive_cmds_F77='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' - ;; - esac - fi - if test "$with_gnu_ld" = no; then - hardcode_libdir_flag_spec_F77='${wl}+b ${wl}$libdir' - hardcode_libdir_separator_F77=: - - case $host_cpu in - hppa*64*|ia64*) - hardcode_libdir_flag_spec_ld_F77='+b $libdir' - hardcode_direct_F77=no - hardcode_shlibpath_var_F77=no - ;; - *) - hardcode_direct_F77=yes - export_dynamic_flag_spec_F77='${wl}-E' - - # hardcode_minus_L: Not really in the search PATH, - # but as the default location of the library. 
- hardcode_minus_L_F77=yes - ;; - esac - fi - ;; - - irix5* | irix6* | nonstopux*) - if test "$GCC" = yes; then - archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' - else - archive_cmds_F77='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - hardcode_libdir_flag_spec_ld_F77='-rpath $libdir' - fi - hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir' - hardcode_libdir_separator_F77=: - link_all_deplibs_F77=yes - ;; - - netbsd*) - if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then - archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out - else - archive_cmds_F77='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF - fi - hardcode_libdir_flag_spec_F77='-R$libdir' - hardcode_direct_F77=yes - hardcode_shlibpath_var_F77=no - ;; - - newsos6) - archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_direct_F77=yes - hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir' - hardcode_libdir_separator_F77=: - hardcode_shlibpath_var_F77=no - ;; - - openbsd*) - hardcode_direct_F77=yes - hardcode_shlibpath_var_F77=no - if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then - archive_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' - archive_expsym_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols' - hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir' - export_dynamic_flag_spec_F77='${wl}-E' - else - case $host_os in - openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*) - archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' - 
hardcode_libdir_flag_spec_F77='-R$libdir' - ;; - *) - archive_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' - hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir' - ;; - esac - fi - ;; - - os2*) - hardcode_libdir_flag_spec_F77='-L$libdir' - hardcode_minus_L_F77=yes - allow_undefined_flag_F77=unsupported - archive_cmds_F77='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def' - old_archive_From_new_cmds_F77='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def' - ;; - - osf3*) - if test "$GCC" = yes; then - allow_undefined_flag_F77=' ${wl}-expect_unresolved ${wl}\*' - archive_cmds_F77='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' - else - allow_undefined_flag_F77=' -expect_unresolved \*' - archive_cmds_F77='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - fi - hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir' - hardcode_libdir_separator_F77=: - ;; - - osf4* | osf5*) # as osf3* with the addition of -msym flag - if test "$GCC" = yes; then - allow_undefined_flag_F77=' ${wl}-expect_unresolved ${wl}\*' - archive_cmds_F77='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o 
$lib' - hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir' - else - allow_undefined_flag_F77=' -expect_unresolved \*' - archive_cmds_F77='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - archive_expsym_cmds_F77='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~ - $LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~$rm $lib.exp' - - # Both c and cxx compiler support -rpath directly - hardcode_libdir_flag_spec_F77='-rpath $libdir' - fi - hardcode_libdir_separator_F77=: - ;; - - solaris*) - no_undefined_flag_F77=' -z text' - if test "$GCC" = yes; then - wlarc='${wl}' - archive_cmds_F77='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' - archive_expsym_cmds_F77='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~ - $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp' - else - wlarc='' - archive_cmds_F77='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags' - archive_expsym_cmds_F77='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~ - $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp' - fi - hardcode_libdir_flag_spec_F77='-R$libdir' - hardcode_shlibpath_var_F77=no - case $host_os in - solaris2.[0-5] | solaris2.[0-5].*) ;; - *) - # The compiler driver will combine linker options so we - # cannot just pass the convience library names through - # without $wl, iff we do not link with $LD. 
- # Luckily, gcc supports the same syntax we need for Sun Studio. - # Supported since Solaris 2.6 (maybe 2.5.1?) - case $wlarc in - '') - whole_archive_flag_spec_F77='-z allextract$convenience -z defaultextract' ;; - *) - whole_archive_flag_spec_F77='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract' ;; - esac ;; - esac - link_all_deplibs_F77=yes - ;; - - sunos4*) - if test "x$host_vendor" = xsequent; then - # Use $CC to link under sequent, because it throws in some extra .o - # files that make .init and .fini sections work. - archive_cmds_F77='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags' - else - archive_cmds_F77='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags' - fi - hardcode_libdir_flag_spec_F77='-L$libdir' - hardcode_direct_F77=yes - hardcode_minus_L_F77=yes - hardcode_shlibpath_var_F77=no - ;; - - sysv4) - case $host_vendor in - sni) - archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_direct_F77=yes # is this really true??? - ;; - siemens) - ## LD is ld it makes a PLAMLIB - ## CC just makes a GrossModule. 
- archive_cmds_F77='$LD -G -o $lib $libobjs $deplibs $linker_flags' - reload_cmds_F77='$CC -r -o $output$reload_objs' - hardcode_direct_F77=no - ;; - motorola) - archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_direct_F77=no #Motorola manual says yes, but my tests say they lie - ;; - esac - runpath_var='LD_RUN_PATH' - hardcode_shlibpath_var_F77=no - ;; - - sysv4.3*) - archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_shlibpath_var_F77=no - export_dynamic_flag_spec_F77='-Bexport' - ;; - - sysv4*MP*) - if test -d /usr/nec; then - archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_shlibpath_var_F77=no - runpath_var=LD_RUN_PATH - hardcode_runpath_var=yes - ld_shlibs_F77=yes - fi - ;; - - sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7*) - no_undefined_flag_F77='${wl}-z,text' - archive_cmds_need_lc_F77=no - hardcode_shlibpath_var_F77=no - runpath_var='LD_RUN_PATH' - - if test "$GCC" = yes; then - archive_cmds_F77='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' - archive_expsym_cmds_F77='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' - else - archive_cmds_F77='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' - archive_expsym_cmds_F77='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' - fi - ;; - - sysv5* | sco3.2v5* | sco5v6*) - # Note: We can NOT use -z defs as we might desire, because we do not - # link with -lc, and that would cause any symbols used from libc to - # always be unresolved, which means just about no library would - # ever link correctly. If we're not using GNU ld we use -z text - # though, which does catch some bad symbols but isn't as heavy-handed - # as -z defs. 
- no_undefined_flag_F77='${wl}-z,text' - allow_undefined_flag_F77='${wl}-z,nodefs' - archive_cmds_need_lc_F77=no - hardcode_shlibpath_var_F77=no - hardcode_libdir_flag_spec_F77='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`' - hardcode_libdir_separator_F77=':' - link_all_deplibs_F77=yes - export_dynamic_flag_spec_F77='${wl}-Bexport' - runpath_var='LD_RUN_PATH' - - if test "$GCC" = yes; then - archive_cmds_F77='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags' - archive_expsym_cmds_F77='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags' - else - archive_cmds_F77='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags' - archive_expsym_cmds_F77='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags' - fi - ;; - - uts4*) - archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_libdir_flag_spec_F77='-L$libdir' - hardcode_shlibpath_var_F77=no - ;; - - *) - ld_shlibs_F77=no - ;; - esac - fi - -{ echo "$as_me:$LINENO: result: $ld_shlibs_F77" >&5 -echo "${ECHO_T}$ld_shlibs_F77" >&6; } -test "$ld_shlibs_F77" = no && can_build_shared=no - -# -# Do we need to explicitly link libc? -# -case "x$archive_cmds_need_lc_F77" in -x|xyes) - # Assume -lc should be added - archive_cmds_need_lc_F77=yes - - if test "$enable_shared" = yes && test "$GCC" = yes; then - case $archive_cmds_F77 in - *'~'*) - # FIXME: we may have to deal with multi-command sequences. - ;; - '$CC '*) - # Test whether the compiler implicitly links with -lc since on some - # systems, -lgcc has to come before -lc. If gcc already passes -lc - # to ld, don't add -lc before -lgcc. - { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5 -echo $ECHO_N "checking whether -lc should be explicitly linked in... 
$ECHO_C" >&6; } - $rm conftest* - printf "$lt_simple_compile_test_code" > conftest.$ac_ext - - if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } 2>conftest.err; then - soname=conftest - lib=conftest - libobjs=conftest.$ac_objext - deplibs= - wl=$lt_prog_compiler_wl_F77 - pic_flag=$lt_prog_compiler_pic_F77 - compiler_flags=-v - linker_flags=-v - verstring= - output_objdir=. - libname=conftest - lt_save_allow_undefined_flag=$allow_undefined_flag_F77 - allow_undefined_flag_F77= - if { (eval echo "$as_me:$LINENO: \"$archive_cmds_F77 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5 - (eval $archive_cmds_F77 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } - then - archive_cmds_need_lc_F77=no - else - archive_cmds_need_lc_F77=yes - fi - allow_undefined_flag_F77=$lt_save_allow_undefined_flag - else - cat conftest.err 1>&5 - fi - $rm conftest* - { echo "$as_me:$LINENO: result: $archive_cmds_need_lc_F77" >&5 -echo "${ECHO_T}$archive_cmds_need_lc_F77" >&6; } - ;; - esac - fi - ;; -esac - -{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5 -echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; } -library_names_spec= -libname_spec='lib$name' -soname_spec= -shrext_cmds=".so" -postinstall_cmds= -postuninstall_cmds= -finish_cmds= -finish_eval= -shlibpath_var= -shlibpath_overrides_runpath=unknown -version_type=none -dynamic_linker="$host_os ld.so" -sys_lib_dlsearch_path_spec="/lib /usr/lib" -if test "$GCC" = yes; then - sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"` - if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then - # if the path contains ";" then we assume it to be the separator - # otherwise default to the standard path separator (i.e. 
":") - it is - # assumed that no part of a normal pathname contains ";" but that should - # okay in the real world where ";" in dirpaths is itself problematic. - sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'` - else - sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` - fi -else - sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib" -fi -need_lib_prefix=unknown -hardcode_into_libs=no - -# when you set need_version to no, make sure it does not cause -set_version -# flags to be left without arguments -need_version=unknown - -case $host_os in -aix3*) - version_type=linux - library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a' - shlibpath_var=LIBPATH - - # AIX 3 has no versioning support, so we append a major version to the name. - soname_spec='${libname}${release}${shared_ext}$major' - ;; - -aix4* | aix5*) - version_type=linux - need_lib_prefix=no - need_version=no - hardcode_into_libs=yes - if test "$host_cpu" = ia64; then - # AIX 5 supports IA64 - library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}' - shlibpath_var=LD_LIBRARY_PATH - else - # With GCC up to 2.95.x, collect2 would create an import file - # for dependence libraries. The import file would start with - # the line `#! .'. This would cause the generated library to - # depend on `.', always an invalid library. This was fixed in - # development snapshots of GCC prior to 3.0. - case $host_os in - aix4 | aix4.[01] | aix4.[01].*) - if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)' - echo ' yes ' - echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then - : - else - can_build_shared=no - fi - ;; - esac - # AIX (on Power*) has no versioning support, so currently we can not hardcode correct - # soname into executable. Probably we can add versioning support to - # collect2, so additional links can be useful in future. 
- if test "$aix_use_runtimelinking" = yes; then - # If using run time linking (on AIX 4.2 or later) use lib.so - # instead of lib.a to let people know that these are not - # typical AIX shared libraries. - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - else - # We preserve .a as extension for shared libraries through AIX4.2 - # and later when we are not doing run time linking. - library_names_spec='${libname}${release}.a $libname.a' - soname_spec='${libname}${release}${shared_ext}$major' - fi - shlibpath_var=LIBPATH - fi - ;; - -amigaos*) - library_names_spec='$libname.ixlibrary $libname.a' - # Create ${libname}_ixlibrary.a entries in /sys/libs. - finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done' - ;; - -beos*) - library_names_spec='${libname}${shared_ext}' - dynamic_linker="$host_os ld.so" - shlibpath_var=LIBRARY_PATH - ;; - -bsdi[45]*) - version_type=linux - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir' - shlibpath_var=LD_LIBRARY_PATH - sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib" - sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib" - # the default ld.so.conf also contains /usr/contrib/lib and - # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow - # libtool to hard-code these into programs - ;; - -cygwin* | mingw* | pw32*) - version_type=windows - shrext_cmds=".dll" - need_version=no - need_lib_prefix=no - - case $GCC,$host_os in - yes,cygwin* | 
yes,mingw* | yes,pw32*) - library_names_spec='$libname.dll.a' - # DLL is installed to $(libdir)/../bin by postinstall_cmds - postinstall_cmds='base_file=`basename \${file}`~ - dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~ - dldir=$destdir/`dirname \$dlpath`~ - test -d \$dldir || mkdir -p \$dldir~ - $install_prog $dir/$dlname \$dldir/$dlname~ - chmod a+x \$dldir/$dlname' - postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~ - dlpath=$dir/\$dldll~ - $rm \$dlpath' - shlibpath_overrides_runpath=yes - - case $host_os in - cygwin*) - # Cygwin DLLs use 'cyg' prefix rather than 'lib' - soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}' - sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib" - ;; - mingw*) - # MinGW DLLs use traditional 'lib' prefix - soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}' - sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"` - if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then - # It is most probably a Windows format PATH printed by - # mingw gcc, but we are running on Cygwin. Gcc prints its search - # path with ; separators, and with drive letters. We can handle the - # drive letters (cygwin fileutils understands them), so leave them, - # especially as we might pass files found there to a mingw objdump, - # which wouldn't understand a cygwinified path. Ahh. 
- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'` - else - sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` - fi - ;; - pw32*) - # pw32 DLLs use 'pw' prefix rather than 'lib' - library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}' - ;; - esac - ;; - - *) - library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib' - ;; - esac - dynamic_linker='Win32 ld.exe' - # FIXME: first we should search . and the directory the executable is in - shlibpath_var=PATH - ;; - -darwin* | rhapsody*) - dynamic_linker="$host_os dyld" - version_type=darwin - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext' - soname_spec='${libname}${release}${major}$shared_ext' - shlibpath_overrides_runpath=yes - shlibpath_var=DYLD_LIBRARY_PATH - shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`' - # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same. 
- if test "$GCC" = yes; then - sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"` - else - sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib' - fi - sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib' - ;; - -dgux*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - ;; - -freebsd1*) - dynamic_linker=no - ;; - -kfreebsd*-gnu) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - dynamic_linker='GNU ld.so' - ;; - -freebsd* | dragonfly*) - # DragonFly does not have aout. When/if they implement a new - # versioning mechanism, adjust this. 
- if test -x /usr/bin/objformat; then - objformat=`/usr/bin/objformat` - else - case $host_os in - freebsd[123]*) objformat=aout ;; - *) objformat=elf ;; - esac - fi - version_type=freebsd-$objformat - case $version_type in - freebsd-elf*) - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}' - need_version=no - need_lib_prefix=no - ;; - freebsd-*) - library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix' - need_version=yes - ;; - esac - shlibpath_var=LD_LIBRARY_PATH - case $host_os in - freebsd2*) - shlibpath_overrides_runpath=yes - ;; - freebsd3.[01]* | freebsdelf3.[01]*) - shlibpath_overrides_runpath=yes - hardcode_into_libs=yes - ;; - freebsd3.[2-9]* | freebsdelf3.[2-9]* | \ - freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1) - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - ;; - freebsd*) # from 4.6 on - shlibpath_overrides_runpath=yes - hardcode_into_libs=yes - ;; - esac - ;; - -gnu*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - hardcode_into_libs=yes - ;; - -hpux9* | hpux10* | hpux11*) - # Give a soname corresponding to the major version so that dld.sl refuses to - # link against other versions. - version_type=sunos - need_lib_prefix=no - need_version=no - case $host_cpu in - ia64*) - shrext_cmds='.so' - hardcode_into_libs=yes - dynamic_linker="$host_os dld.so" - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. 
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - if test "X$HPUX_IA64_MODE" = X32; then - sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib" - else - sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64" - fi - sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec - ;; - hppa*64*) - shrext_cmds='.sl' - hardcode_into_libs=yes - dynamic_linker="$host_os dld.sl" - shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH - shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64" - sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec - ;; - *) - shrext_cmds='.sl' - dynamic_linker="$host_os dld.sl" - shlibpath_var=SHLIB_PATH - shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - ;; - esac - # HP-UX runs *really* slowly unless shared libraries are mode 555. 
- postinstall_cmds='chmod 555 $lib' - ;; - -interix3*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - ;; - -irix5* | irix6* | nonstopux*) - case $host_os in - nonstopux*) version_type=nonstopux ;; - *) - if test "$lt_cv_prog_gnu_ld" = yes; then - version_type=linux - else - version_type=irix - fi ;; - esac - need_lib_prefix=no - need_version=no - soname_spec='${libname}${release}${shared_ext}$major' - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}' - case $host_os in - irix5* | nonstopux*) - libsuff= shlibsuff= - ;; - *) - case $LD in # libtool.m4 will add one of these switches to LD - *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ") - libsuff= shlibsuff= libmagic=32-bit;; - *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ") - libsuff=32 shlibsuff=N32 libmagic=N32;; - *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ") - libsuff=64 shlibsuff=64 libmagic=64-bit;; - *) libsuff= shlibsuff= libmagic=never-match;; - esac - ;; - esac - shlibpath_var=LD_LIBRARY${shlibsuff}_PATH - shlibpath_overrides_runpath=no - sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}" - sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}" - hardcode_into_libs=yes - ;; - -# No shared lib support for Linux oldld, aout, or coff. -linux*oldld* | linux*aout* | linux*coff*) - dynamic_linker=no - ;; - -# This must be Linux ELF. 
-linux*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - # This implies no fast_install, which is unacceptable. - # Some rework will be needed to allow for fast_install - # before this can be enabled. - hardcode_into_libs=yes - - # find out which ABI we are using - libsuff= - case "$host_cpu" in - x86_64*|s390x*|powerpc64*) - echo '#line 16634 "configure"' > conftest.$ac_ext - if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; then - case `/usr/bin/file conftest.$ac_objext` in - *64-bit*) - libsuff=64 - sys_lib_search_path_spec="/lib${libsuff} /usr/lib${libsuff} /usr/local/lib${libsuff}" - ;; - esac - fi - rm -rf conftest* - ;; - esac - - # Append ld.so.conf contents to the search path - if test -f /etc/ld.so.conf; then - lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/^ *//;s/#.*//;/^[^\/]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` - sys_lib_dlsearch_path_spec="/lib${libsuff} /usr/lib${libsuff} $lt_ld_extra" - fi - - # We used to test for /lib/ld.so.1 and disable shared libraries on - # powerpc, because MkLinux only supported shared libraries with the - # GNU dynamic linker. Since this was broken with cross compilers, - # most powerpc-linux boxes support dynamic linking these days and - # people can always --disable-shared, the test was removed, and we - # assume the GNU/Linux dynamic linker is in use. 
- dynamic_linker='GNU/Linux ld.so' - ;; - -knetbsd*-gnu) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - dynamic_linker='GNU ld.so' - ;; - -netbsd*) - version_type=sunos - need_lib_prefix=no - need_version=no - if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' - finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' - dynamic_linker='NetBSD (a.out) ld.so' - else - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - dynamic_linker='NetBSD ld.elf_so' - fi - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - hardcode_into_libs=yes - ;; - -newsos6) - version_type=linux - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - ;; - -nto-qnx*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - ;; - -openbsd*) - version_type=sunos - sys_lib_dlsearch_path_spec="/usr/lib" - need_lib_prefix=no - # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs. 
- case $host_os in - openbsd3.3 | openbsd3.3.*) need_version=yes ;; - *) need_version=no ;; - esac - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' - finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' - shlibpath_var=LD_LIBRARY_PATH - if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then - case $host_os in - openbsd2.[89] | openbsd2.[89].*) - shlibpath_overrides_runpath=no - ;; - *) - shlibpath_overrides_runpath=yes - ;; - esac - else - shlibpath_overrides_runpath=yes - fi - ;; - -os2*) - libname_spec='$name' - shrext_cmds=".dll" - need_lib_prefix=no - library_names_spec='$libname${shared_ext} $libname.a' - dynamic_linker='OS/2 ld.exe' - shlibpath_var=LIBPATH - ;; - -osf3* | osf4* | osf5*) - version_type=osf - need_lib_prefix=no - need_version=no - soname_spec='${libname}${release}${shared_ext}$major' - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - shlibpath_var=LD_LIBRARY_PATH - sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib" - sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec" - ;; - -solaris*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - hardcode_into_libs=yes - # ldd complains unless libraries are executable - postinstall_cmds='chmod +x $lib' - ;; - -sunos4*) - version_type=sunos - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' - finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - if test "$with_gnu_ld" = yes; then - 
need_lib_prefix=no - fi - need_version=yes - ;; - -sysv4 | sysv4.3*) - version_type=linux - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - case $host_vendor in - sni) - shlibpath_overrides_runpath=no - need_lib_prefix=no - export_dynamic_flag_spec='${wl}-Blargedynsym' - runpath_var=LD_RUN_PATH - ;; - siemens) - need_lib_prefix=no - ;; - motorola) - need_lib_prefix=no - need_version=no - shlibpath_overrides_runpath=no - sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib' - ;; - esac - ;; - -sysv4*MP*) - if test -d /usr/nec ;then - version_type=linux - library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}' - soname_spec='$libname${shared_ext}.$major' - shlibpath_var=LD_LIBRARY_PATH - fi - ;; - -sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*) - version_type=freebsd-elf - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - hardcode_into_libs=yes - if test "$with_gnu_ld" = yes; then - sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' - shlibpath_overrides_runpath=no - else - sys_lib_search_path_spec='/usr/ccs/lib /usr/lib' - shlibpath_overrides_runpath=yes - case $host_os in - sco3.2v5*) - sys_lib_search_path_spec="$sys_lib_search_path_spec /lib" - ;; - esac - fi - sys_lib_dlsearch_path_spec='/usr/lib' - ;; - -uts4*) - version_type=linux - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - ;; - -*) - dynamic_linker=no - ;; -esac -{ echo 
"$as_me:$LINENO: result: $dynamic_linker" >&5 -echo "${ECHO_T}$dynamic_linker" >&6; } -test "$dynamic_linker" = no && can_build_shared=no - -variables_saved_for_relink="PATH $shlibpath_var $runpath_var" -if test "$GCC" = yes; then - variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH" -fi - -{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5 -echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; } -hardcode_action_F77= -if test -n "$hardcode_libdir_flag_spec_F77" || \ - test -n "$runpath_var_F77" || \ - test "X$hardcode_automatic_F77" = "Xyes" ; then - - # We can hardcode non-existant directories. - if test "$hardcode_direct_F77" != no && - # If the only mechanism to avoid hardcoding is shlibpath_var, we - # have to relink, otherwise we might link with an installed library - # when we should be linking with a yet-to-be-installed one - ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, F77)" != no && - test "$hardcode_minus_L_F77" != no; then - # Linking always hardcodes the temporary library directory. - hardcode_action_F77=relink - else - # We can link without hardcoding, and we can hardcode nonexisting dirs. - hardcode_action_F77=immediate - fi -else - # We cannot hardcode anything, or else we can only hardcode existing - # directories. 
- hardcode_action_F77=unsupported -fi -{ echo "$as_me:$LINENO: result: $hardcode_action_F77" >&5 -echo "${ECHO_T}$hardcode_action_F77" >&6; } - -if test "$hardcode_action_F77" = relink; then - # Fast installation is not supported - enable_fast_install=no -elif test "$shlibpath_overrides_runpath" = yes || - test "$enable_shared" = no; then - # Fast installation is not necessary - enable_fast_install=needless -fi - - -# The else clause should only fire when bootstrapping the -# libtool distribution, otherwise you forgot to ship ltmain.sh -# with your package, and you will get complaints that there are -# no rules to generate ltmain.sh. -if test -f "$ltmain"; then - # See if we are running on zsh, and set the options which allow our commands through - # without removal of \ escapes. - if test -n "${ZSH_VERSION+set}" ; then - setopt NO_GLOB_SUBST - fi - # Now quote all the things that may contain metacharacters while being - # careful not to overquote the AC_SUBSTed values. We take copies of the - # variables and quote the copies for generation of the libtool script. 
- for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \ - SED SHELL STRIP \ - libname_spec library_names_spec soname_spec extract_expsyms_cmds \ - old_striplib striplib file_magic_cmd finish_cmds finish_eval \ - deplibs_check_method reload_flag reload_cmds need_locks \ - lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \ - lt_cv_sys_global_symbol_to_c_name_address \ - sys_lib_search_path_spec sys_lib_dlsearch_path_spec \ - old_postinstall_cmds old_postuninstall_cmds \ - compiler_F77 \ - CC_F77 \ - LD_F77 \ - lt_prog_compiler_wl_F77 \ - lt_prog_compiler_pic_F77 \ - lt_prog_compiler_static_F77 \ - lt_prog_compiler_no_builtin_flag_F77 \ - export_dynamic_flag_spec_F77 \ - thread_safe_flag_spec_F77 \ - whole_archive_flag_spec_F77 \ - enable_shared_with_static_runtimes_F77 \ - old_archive_cmds_F77 \ - old_archive_from_new_cmds_F77 \ - predep_objects_F77 \ - postdep_objects_F77 \ - predeps_F77 \ - postdeps_F77 \ - compiler_lib_search_path_F77 \ - archive_cmds_F77 \ - archive_expsym_cmds_F77 \ - postinstall_cmds_F77 \ - postuninstall_cmds_F77 \ - old_archive_from_expsyms_cmds_F77 \ - allow_undefined_flag_F77 \ - no_undefined_flag_F77 \ - export_symbols_cmds_F77 \ - hardcode_libdir_flag_spec_F77 \ - hardcode_libdir_flag_spec_ld_F77 \ - hardcode_libdir_separator_F77 \ - hardcode_automatic_F77 \ - module_cmds_F77 \ - module_expsym_cmds_F77 \ - lt_cv_prog_compiler_c_o_F77 \ - exclude_expsyms_F77 \ - include_expsyms_F77; do - - case $var in - old_archive_cmds_F77 | \ - old_archive_from_new_cmds_F77 | \ - archive_cmds_F77 | \ - archive_expsym_cmds_F77 | \ - module_cmds_F77 | \ - module_expsym_cmds_F77 | \ - old_archive_from_expsyms_cmds_F77 | \ - export_symbols_cmds_F77 | \ - extract_expsyms_cmds | reload_cmds | finish_cmds | \ - postinstall_cmds | postuninstall_cmds | \ - old_postinstall_cmds | old_postuninstall_cmds | \ - sys_lib_search_path_spec | sys_lib_dlsearch_path_spec) - # Double-quote double-evaled strings. 
- eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\"" - ;; - *) - eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\"" - ;; - esac - done - - case $lt_echo in - *'\$0 --fallback-echo"') - lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'` - ;; - esac - -cfgfile="$ofile" - - cat <<__EOF__ >> "$cfgfile" -# ### BEGIN LIBTOOL TAG CONFIG: $tagname - -# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`: - -# Shell to use when invoking shell scripts. -SHELL=$lt_SHELL - -# Whether or not to build shared libraries. -build_libtool_libs=$enable_shared - -# Whether or not to build static libraries. -build_old_libs=$enable_static - -# Whether or not to add -lc for building shared libraries. -build_libtool_need_lc=$archive_cmds_need_lc_F77 - -# Whether or not to disallow shared libs when runtime libs are static -allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_F77 - -# Whether or not to optimize for fast installation. -fast_install=$enable_fast_install - -# The host system. -host_alias=$host_alias -host=$host -host_os=$host_os - -# The build system. -build_alias=$build_alias -build=$build -build_os=$build_os - -# An echo program that does not interpret backslashes. -echo=$lt_echo - -# The archiver. -AR=$lt_AR -AR_FLAGS=$lt_AR_FLAGS - -# A C compiler. -LTCC=$lt_LTCC - -# LTCC compiler flags. -LTCFLAGS=$lt_LTCFLAGS - -# A language-specific compiler. -CC=$lt_compiler_F77 - -# Is the compiler the GNU C compiler? -with_gcc=$GCC_F77 - -# An ERE matcher. -EGREP=$lt_EGREP - -# The linker used to build libraries. -LD=$lt_LD_F77 - -# Whether we need hard or soft links. -LN_S=$lt_LN_S - -# A BSD-compatible nm program. 
-NM=$lt_NM - -# A symbol stripping program -STRIP=$lt_STRIP - -# Used to examine libraries when file_magic_cmd begins "file" -MAGIC_CMD=$MAGIC_CMD - -# Used on cygwin: DLL creation program. -DLLTOOL="$DLLTOOL" - -# Used on cygwin: object dumper. -OBJDUMP="$OBJDUMP" - -# Used on cygwin: assembler. -AS="$AS" - -# The name of the directory that contains temporary libtool files. -objdir=$objdir - -# How to create reloadable object files. -reload_flag=$lt_reload_flag -reload_cmds=$lt_reload_cmds - -# How to pass a linker flag through the compiler. -wl=$lt_lt_prog_compiler_wl_F77 - -# Object file suffix (normally "o"). -objext="$ac_objext" - -# Old archive suffix (normally "a"). -libext="$libext" - -# Shared library suffix (normally ".so"). -shrext_cmds='$shrext_cmds' - -# Executable file suffix (normally ""). -exeext="$exeext" - -# Additional compiler flags for building library objects. -pic_flag=$lt_lt_prog_compiler_pic_F77 -pic_mode=$pic_mode - -# What is the maximum length of a command? -max_cmd_len=$lt_cv_sys_max_cmd_len - -# Does compiler simultaneously support -c and -o options? -compiler_c_o=$lt_lt_cv_prog_compiler_c_o_F77 - -# Must we lock files when doing compilation? -need_locks=$lt_need_locks - -# Do we need the lib prefix for modules? -need_lib_prefix=$need_lib_prefix - -# Do we need a version for libraries? -need_version=$need_version - -# Whether dlopen is supported. -dlopen_support=$enable_dlopen - -# Whether dlopen of programs is supported. -dlopen_self=$enable_dlopen_self - -# Whether dlopen of statically linked programs is supported. -dlopen_self_static=$enable_dlopen_self_static - -# Compiler flag to prevent dynamic linking. -link_static_flag=$lt_lt_prog_compiler_static_F77 - -# Compiler flag to turn off builtin functions. -no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_F77 - -# Compiler flag to allow reflexive dlopens. 
-export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_F77 - -# Compiler flag to generate shared objects directly from archives. -whole_archive_flag_spec=$lt_whole_archive_flag_spec_F77 - -# Compiler flag to generate thread-safe objects. -thread_safe_flag_spec=$lt_thread_safe_flag_spec_F77 - -# Library versioning type. -version_type=$version_type - -# Format of library name prefix. -libname_spec=$lt_libname_spec - -# List of archive names. First name is the real one, the rest are links. -# The last name is the one that the linker finds with -lNAME. -library_names_spec=$lt_library_names_spec - -# The coded name of the library, if different from the real name. -soname_spec=$lt_soname_spec - -# Commands used to build and install an old-style archive. -RANLIB=$lt_RANLIB -old_archive_cmds=$lt_old_archive_cmds_F77 -old_postinstall_cmds=$lt_old_postinstall_cmds -old_postuninstall_cmds=$lt_old_postuninstall_cmds - -# Create an old-style archive from a shared archive. -old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_F77 - -# Create a temporary old-style archive to link instead of a shared archive. -old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_F77 - -# Commands used to build and install a shared archive. -archive_cmds=$lt_archive_cmds_F77 -archive_expsym_cmds=$lt_archive_expsym_cmds_F77 -postinstall_cmds=$lt_postinstall_cmds -postuninstall_cmds=$lt_postuninstall_cmds - -# Commands used to build a loadable module (assumed same as above if empty) -module_cmds=$lt_module_cmds_F77 -module_expsym_cmds=$lt_module_expsym_cmds_F77 - -# Commands to strip libraries. -old_striplib=$lt_old_striplib -striplib=$lt_striplib - -# Dependencies to place before the objects being linked to create a -# shared library. -predep_objects=$lt_predep_objects_F77 - -# Dependencies to place after the objects being linked to create a -# shared library. 
-postdep_objects=$lt_postdep_objects_F77 - -# Dependencies to place before the objects being linked to create a -# shared library. -predeps=$lt_predeps_F77 - -# Dependencies to place after the objects being linked to create a -# shared library. -postdeps=$lt_postdeps_F77 - -# The library search path used internally by the compiler when linking -# a shared library. -compiler_lib_search_path=$lt_compiler_lib_search_path_F77 - -# Method to check whether dependent libraries are shared objects. -deplibs_check_method=$lt_deplibs_check_method - -# Command to use when deplibs_check_method == file_magic. -file_magic_cmd=$lt_file_magic_cmd - -# Flag that allows shared libraries with undefined symbols to be built. -allow_undefined_flag=$lt_allow_undefined_flag_F77 - -# Flag that forces no undefined symbols. -no_undefined_flag=$lt_no_undefined_flag_F77 - -# Commands used to finish a libtool library installation in a directory. -finish_cmds=$lt_finish_cmds - -# Same as above, but a single script fragment to be evaled but not shown. -finish_eval=$lt_finish_eval - -# Take the output of nm and produce a listing of raw symbols and C names. -global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe - -# Transform the output of nm in a proper C declaration -global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl - -# Transform the output of nm in a C name address pair -global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address - -# This is the shared library runtime path variable. -runpath_var=$runpath_var - -# This is the shared library path variable. -shlibpath_var=$shlibpath_var - -# Is shlibpath searched before the hard-coded library search path? -shlibpath_overrides_runpath=$shlibpath_overrides_runpath - -# How to hardcode a shared library path into an executable. -hardcode_action=$hardcode_action_F77 - -# Whether we should hardcode library paths into libraries. -hardcode_into_libs=$hardcode_into_libs - -# Flag to hardcode \$libdir into a binary during linking. 
-# This must work even if \$libdir does not exist. -hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_F77 - -# If ld is used when linking, flag to hardcode \$libdir into -# a binary during linking. This must work even if \$libdir does -# not exist. -hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_F77 - -# Whether we need a single -rpath flag with a separated argument. -hardcode_libdir_separator=$lt_hardcode_libdir_separator_F77 - -# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the -# resulting binary. -hardcode_direct=$hardcode_direct_F77 - -# Set to yes if using the -LDIR flag during linking hardcodes DIR into the -# resulting binary. -hardcode_minus_L=$hardcode_minus_L_F77 - -# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into -# the resulting binary. -hardcode_shlibpath_var=$hardcode_shlibpath_var_F77 - -# Set to yes if building a shared library automatically hardcodes DIR into the library -# and all subsequent libraries and executables linked against it. -hardcode_automatic=$hardcode_automatic_F77 - -# Variables whose values should be saved in libtool wrapper scripts and -# restored at relink time. -variables_saved_for_relink="$variables_saved_for_relink" - -# Whether libtool must link a program against all its dependency libraries. -link_all_deplibs=$link_all_deplibs_F77 - -# Compile-time system search path for libraries -sys_lib_search_path_spec=$lt_sys_lib_search_path_spec - -# Run-time system search path for libraries -sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec - -# Fix the shell variable \$srcfile for the compiler. -fix_srcfile_path="$fix_srcfile_path_F77" - -# Set to yes if exported symbols are required. -always_export_symbols=$always_export_symbols_F77 - -# The commands to list exported symbols. -export_symbols_cmds=$lt_export_symbols_cmds_F77 - -# The commands to extract the exported symbol list from a shared archive. 
-extract_expsyms_cmds=$lt_extract_expsyms_cmds - -# Symbols that should not be listed in the preloaded symbols. -exclude_expsyms=$lt_exclude_expsyms_F77 - -# Symbols that must always be exported. -include_expsyms=$lt_include_expsyms_F77 - -# ### END LIBTOOL TAG CONFIG: $tagname - -__EOF__ - - -else - # If there is no Makefile yet, we rely on a make rule to execute - # `config.status --recheck' to rerun these tests and create the - # libtool script then. - ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'` - if test -f "$ltmain_in"; then - test -f Makefile && make "$ltmain" - fi -fi - - -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu - -CC="$lt_save_CC" - - else - tagname="" - fi - ;; - - GCJ) - if test -n "$GCJ" && test "X$GCJ" != "Xno"; then - - -# Source file extension for Java test sources. -ac_ext=java - -# Object file extension for compiled Java test sources. -objext=o -objext_GCJ=$objext - -# Code to be used in simple compile tests -lt_simple_compile_test_code="class foo {}\n" - -# Code to be used in simple link tests -lt_simple_link_test_code='public class conftest { public static void main(String[] argv) {}; }\n' - -# ltmain only uses $CC for tagged configurations so make sure $CC is set. - -# If no C compiler was specified, use CC. -LTCC=${LTCC-"$CC"} - -# If no C compiler flags were specified, use CFLAGS. -LTCFLAGS=${LTCFLAGS-"$CFLAGS"} - -# Allow CC to be a program name with arguments. 
-compiler=$CC - - -# save warnings/boilerplate of simple test code -ac_outfile=conftest.$ac_objext -printf "$lt_simple_compile_test_code" >conftest.$ac_ext -eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err -_lt_compiler_boilerplate=`cat conftest.err` -$rm conftest* - -ac_outfile=conftest.$ac_objext -printf "$lt_simple_link_test_code" >conftest.$ac_ext -eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err -_lt_linker_boilerplate=`cat conftest.err` -$rm conftest* - - -# Allow CC to be a program name with arguments. -lt_save_CC="$CC" -CC=${GCJ-"gcj"} -compiler=$CC -compiler_GCJ=$CC -for cc_temp in $compiler""; do - case $cc_temp in - compile | *[\\/]compile | ccache | *[\\/]ccache ) ;; - distcc | *[\\/]distcc | purify | *[\\/]purify ) ;; - \-*) ;; - *) break;; - esac -done -cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"` - - -# GCJ did not exist at the time GCC didn't implicitly link libc in. -archive_cmds_need_lc_GCJ=no - -old_archive_cmds_GCJ=$old_archive_cmds - - -lt_prog_compiler_no_builtin_flag_GCJ= - -if test "$GCC" = yes; then - lt_prog_compiler_no_builtin_flag_GCJ=' -fno-builtin' - - -{ echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5 -echo $ECHO_N "checking if $compiler supports -fno-rtti -fno-exceptions... $ECHO_C" >&6; } -if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - lt_cv_prog_compiler_rtti_exceptions=no - ac_outfile=conftest.$ac_objext - printf "$lt_simple_compile_test_code" > conftest.$ac_ext - lt_compiler_flag="-fno-rtti -fno-exceptions" - # Insert the option either (1) after the last *FLAGS variable, or - # (2) before a word containing "conftest.", or (3) at the end. - # Note that $ac_compile itself does not contain backslashes and begins - # with a dollar sign (not a hyphen), so the echo should work correctly. - # The option is referenced via a variable to avoid confusing sed. 
- lt_compile=`echo "$ac_compile" | $SED \ - -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ - -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ - -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:17408: $lt_compile\"" >&5) - (eval "$lt_compile" 2>conftest.err) - ac_status=$? - cat conftest.err >&5 - echo "$as_me:17412: \$? = $ac_status" >&5 - if (exit $ac_status) && test -s "$ac_outfile"; then - # The compiler can only warn and ignore the option if not recognized - # So say no if there are warnings other than the usual output. - $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp - $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 - if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then - lt_cv_prog_compiler_rtti_exceptions=yes - fi - fi - $rm conftest* - -fi -{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5 -echo "${ECHO_T}$lt_cv_prog_compiler_rtti_exceptions" >&6; } - -if test x"$lt_cv_prog_compiler_rtti_exceptions" = xyes; then - lt_prog_compiler_no_builtin_flag_GCJ="$lt_prog_compiler_no_builtin_flag_GCJ -fno-rtti -fno-exceptions" -else - : -fi - -fi - -lt_prog_compiler_wl_GCJ= -lt_prog_compiler_pic_GCJ= -lt_prog_compiler_static_GCJ= - -{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5 -echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; } - - if test "$GCC" = yes; then - lt_prog_compiler_wl_GCJ='-Wl,' - lt_prog_compiler_static_GCJ='-static' - - case $host_os in - aix*) - # All AIX code is PIC. - if test "$host_cpu" = ia64; then - # AIX 5 now supports IA64 processor - lt_prog_compiler_static_GCJ='-Bstatic' - fi - ;; - - amigaos*) - # FIXME: we need at least 68020 code to build shared libraries, but - # adding the `-m68020' flag to GCC prevents building anything better, - # like `-m68040'. 
- lt_prog_compiler_pic_GCJ='-m68020 -resident32 -malways-restore-a4' - ;; - - beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) - # PIC is the default for these OSes. - ;; - - mingw* | pw32* | os2*) - # This hack is so that the source file can tell whether it is being - # built for inclusion in a dll (and should export symbols for example). - lt_prog_compiler_pic_GCJ='-DDLL_EXPORT' - ;; - - darwin* | rhapsody*) - # PIC is the default on this platform - # Common symbols not allowed in MH_DYLIB files - lt_prog_compiler_pic_GCJ='-fno-common' - ;; - - interix3*) - # Interix 3.x gcc -fpic/-fPIC options generate broken code. - # Instead, we relocate shared libraries at runtime. - ;; - - msdosdjgpp*) - # Just because we use GCC doesn't mean we suddenly get shared libraries - # on systems that don't support them. - lt_prog_compiler_can_build_shared_GCJ=no - enable_shared=no - ;; - - sysv4*MP*) - if test -d /usr/nec; then - lt_prog_compiler_pic_GCJ=-Kconform_pic - fi - ;; - - hpux*) - # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but - # not for PA HP-UX. - case $host_cpu in - hppa*64*|ia64*) - # +Z the default - ;; - *) - lt_prog_compiler_pic_GCJ='-fPIC' - ;; - esac - ;; - - *) - lt_prog_compiler_pic_GCJ='-fPIC' - ;; - esac - else - # PORTME Check for flag to pass linker flags through the system compiler. - case $host_os in - aix*) - lt_prog_compiler_wl_GCJ='-Wl,' - if test "$host_cpu" = ia64; then - # AIX 5 now supports IA64 processor - lt_prog_compiler_static_GCJ='-Bstatic' - else - lt_prog_compiler_static_GCJ='-bnso -bI:/lib/syscalls.exp' - fi - ;; - darwin*) - # PIC is the default on this platform - # Common symbols not allowed in MH_DYLIB files - case $cc_basename in - xlc*) - lt_prog_compiler_pic_GCJ='-qnocommon' - lt_prog_compiler_wl_GCJ='-Wl,' - ;; - esac - ;; - - mingw* | pw32* | os2*) - # This hack is so that the source file can tell whether it is being - # built for inclusion in a dll (and should export symbols for example). 
- lt_prog_compiler_pic_GCJ='-DDLL_EXPORT' - ;; - - hpux9* | hpux10* | hpux11*) - lt_prog_compiler_wl_GCJ='-Wl,' - # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but - # not for PA HP-UX. - case $host_cpu in - hppa*64*|ia64*) - # +Z the default - ;; - *) - lt_prog_compiler_pic_GCJ='+Z' - ;; - esac - # Is there a better lt_prog_compiler_static that works with the bundled CC? - lt_prog_compiler_static_GCJ='${wl}-a ${wl}archive' - ;; - - irix5* | irix6* | nonstopux*) - lt_prog_compiler_wl_GCJ='-Wl,' - # PIC (with -KPIC) is the default. - lt_prog_compiler_static_GCJ='-non_shared' - ;; - - newsos6) - lt_prog_compiler_pic_GCJ='-KPIC' - lt_prog_compiler_static_GCJ='-Bstatic' - ;; - - linux*) - case $cc_basename in - icc* | ecc*) - lt_prog_compiler_wl_GCJ='-Wl,' - lt_prog_compiler_pic_GCJ='-KPIC' - lt_prog_compiler_static_GCJ='-static' - ;; - pgcc* | pgf77* | pgf90* | pgf95*) - # Portland Group compilers (*not* the Pentium gcc compiler, - # which looks to be a dead project) - lt_prog_compiler_wl_GCJ='-Wl,' - lt_prog_compiler_pic_GCJ='-fpic' - lt_prog_compiler_static_GCJ='-Bstatic' - ;; - ccc*) - lt_prog_compiler_wl_GCJ='-Wl,' - # All Alpha code is PIC. - lt_prog_compiler_static_GCJ='-non_shared' - ;; - esac - ;; - - osf3* | osf4* | osf5*) - lt_prog_compiler_wl_GCJ='-Wl,' - # All OSF/1 code is PIC. 
- lt_prog_compiler_static_GCJ='-non_shared' - ;; - - solaris*) - lt_prog_compiler_pic_GCJ='-KPIC' - lt_prog_compiler_static_GCJ='-Bstatic' - case $cc_basename in - f77* | f90* | f95*) - lt_prog_compiler_wl_GCJ='-Qoption ld ';; - *) - lt_prog_compiler_wl_GCJ='-Wl,';; - esac - ;; - - sunos4*) - lt_prog_compiler_wl_GCJ='-Qoption ld ' - lt_prog_compiler_pic_GCJ='-PIC' - lt_prog_compiler_static_GCJ='-Bstatic' - ;; - - sysv4 | sysv4.2uw2* | sysv4.3*) - lt_prog_compiler_wl_GCJ='-Wl,' - lt_prog_compiler_pic_GCJ='-KPIC' - lt_prog_compiler_static_GCJ='-Bstatic' - ;; - - sysv4*MP*) - if test -d /usr/nec ;then - lt_prog_compiler_pic_GCJ='-Kconform_pic' - lt_prog_compiler_static_GCJ='-Bstatic' - fi - ;; - - sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*) - lt_prog_compiler_wl_GCJ='-Wl,' - lt_prog_compiler_pic_GCJ='-KPIC' - lt_prog_compiler_static_GCJ='-Bstatic' - ;; - - unicos*) - lt_prog_compiler_wl_GCJ='-Wl,' - lt_prog_compiler_can_build_shared_GCJ=no - ;; - - uts4*) - lt_prog_compiler_pic_GCJ='-pic' - lt_prog_compiler_static_GCJ='-Bstatic' - ;; - - *) - lt_prog_compiler_can_build_shared_GCJ=no - ;; - esac - fi - -{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_GCJ" >&5 -echo "${ECHO_T}$lt_prog_compiler_pic_GCJ" >&6; } - -# -# Check to make sure the PIC flag actually works. -# -if test -n "$lt_prog_compiler_pic_GCJ"; then - -{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_GCJ works" >&5 -echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_GCJ works... $ECHO_C" >&6; } -if test "${lt_prog_compiler_pic_works_GCJ+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - lt_prog_compiler_pic_works_GCJ=no - ac_outfile=conftest.$ac_objext - printf "$lt_simple_compile_test_code" > conftest.$ac_ext - lt_compiler_flag="$lt_prog_compiler_pic_GCJ" - # Insert the option either (1) after the last *FLAGS variable, or - # (2) before a word containing "conftest.", or (3) at the end. 
- # Note that $ac_compile itself does not contain backslashes and begins - # with a dollar sign (not a hyphen), so the echo should work correctly. - # The option is referenced via a variable to avoid confusing sed. - lt_compile=`echo "$ac_compile" | $SED \ - -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ - -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ - -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:17676: $lt_compile\"" >&5) - (eval "$lt_compile" 2>conftest.err) - ac_status=$? - cat conftest.err >&5 - echo "$as_me:17680: \$? = $ac_status" >&5 - if (exit $ac_status) && test -s "$ac_outfile"; then - # The compiler can only warn and ignore the option if not recognized - # So say no if there are warnings other than the usual output. - $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp - $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 - if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then - lt_prog_compiler_pic_works_GCJ=yes - fi - fi - $rm conftest* + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_dld_dld_link=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_cv_lib_dld_dld_link=no fi -{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_works_GCJ" >&5 -echo "${ECHO_T}$lt_prog_compiler_pic_works_GCJ" >&6; } -if test x"$lt_prog_compiler_pic_works_GCJ" = xyes; then - case $lt_prog_compiler_pic_GCJ in - "" | " "*) ;; - *) lt_prog_compiler_pic_GCJ=" $lt_prog_compiler_pic_GCJ" ;; - esac -else - lt_prog_compiler_pic_GCJ= - lt_prog_compiler_can_build_shared_GCJ=no +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dld_dld_link" >&5 +$as_echo "$ac_cv_lib_dld_dld_link" >&6; } +if test "x$ac_cv_lib_dld_dld_link" = x""yes; then + 
lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld" fi + fi -case $host_os in - # For platforms which do not support PIC, -DPIC is meaningless: - *djgpp*) - lt_prog_compiler_pic_GCJ= - ;; - *) - lt_prog_compiler_pic_GCJ="$lt_prog_compiler_pic_GCJ" - ;; -esac -# -# Check to make sure the static flag actually works. -# -wl=$lt_prog_compiler_wl_GCJ eval lt_tmp_static_flag=\"$lt_prog_compiler_static_GCJ\" -{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5 -echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; } -if test "${lt_prog_compiler_static_works_GCJ+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - lt_prog_compiler_static_works_GCJ=no - save_LDFLAGS="$LDFLAGS" - LDFLAGS="$LDFLAGS $lt_tmp_static_flag" - printf "$lt_simple_link_test_code" > conftest.$ac_ext - if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then - # The linker can only warn and ignore the option if not recognized - # So say no if there are warnings - if test -s conftest.err; then - # Append any errors to the config.log. - cat conftest.err 1>&5 - $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp - $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 - if diff conftest.exp conftest.er2 >/dev/null; then - lt_prog_compiler_static_works_GCJ=yes - fi - else - lt_prog_compiler_static_works_GCJ=yes - fi - fi - $rm conftest* - LDFLAGS="$save_LDFLAGS" fi -{ echo "$as_me:$LINENO: result: $lt_prog_compiler_static_works_GCJ" >&5 -echo "${ECHO_T}$lt_prog_compiler_static_works_GCJ" >&6; } -if test x"$lt_prog_compiler_static_works_GCJ" = xyes; then - : -else - lt_prog_compiler_static_GCJ= + fi -{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5 -echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... 
$ECHO_C" >&6; } -if test "${lt_cv_prog_compiler_c_o_GCJ+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - lt_cv_prog_compiler_c_o_GCJ=no - $rm -r conftest 2>/dev/null - mkdir conftest - cd conftest - mkdir out - printf "$lt_simple_compile_test_code" > conftest.$ac_ext +fi - lt_compiler_flag="-o out/conftest2.$ac_objext" - # Insert the option either (1) after the last *FLAGS variable, or - # (2) before a word containing "conftest.", or (3) at the end. - # Note that $ac_compile itself does not contain backslashes and begins - # with a dollar sign (not a hyphen), so the echo should work correctly. - lt_compile=`echo "$ac_compile" | $SED \ - -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ - -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ - -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:17780: $lt_compile\"" >&5) - (eval "$lt_compile" 2>out/conftest.err) - ac_status=$? - cat out/conftest.err >&5 - echo "$as_me:17784: \$? = $ac_status" >&5 - if (exit $ac_status) && test -s out/conftest2.$ac_objext - then - # The compiler can only warn and ignore the option if not recognized - # So say no if there are warnings - $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp - $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2 - if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then - lt_cv_prog_compiler_c_o_GCJ=yes - fi - fi - chmod u+w . 2>&5 - $rm conftest* - # SGI C++ compiler will create directory out/ii_files/ for - # template instantiation - test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files - $rm out/* && rmdir out - cd .. 
- rmdir conftest - $rm conftest* fi -{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_GCJ" >&5 -echo "${ECHO_T}$lt_cv_prog_compiler_c_o_GCJ" >&6; } + ;; + esac -hard_links="nottested" -if test "$lt_cv_prog_compiler_c_o_GCJ" = no && test "$need_locks" != no; then - # do not overwrite the value of need_locks provided by the user - { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5 -echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; } - hard_links=yes - $rm conftest* - ln conftest.a conftest.b 2>/dev/null && hard_links=no - touch conftest.a - ln conftest.a conftest.b 2>&5 || hard_links=no - ln conftest.a conftest.b 2>/dev/null && hard_links=no - { echo "$as_me:$LINENO: result: $hard_links" >&5 -echo "${ECHO_T}$hard_links" >&6; } - if test "$hard_links" = no; then - { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5 -echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;} - need_locks=warn + if test "x$lt_cv_dlopen" != xno; then + enable_dlopen=yes + else + enable_dlopen=no fi + + case $lt_cv_dlopen in + dlopen) + save_CPPFLAGS="$CPPFLAGS" + test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H" + + save_LDFLAGS="$LDFLAGS" + wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\" + + save_LIBS="$LIBS" + LIBS="$lt_cv_dlopen_libs $LIBS" + + { $as_echo "$as_me:$LINENO: checking whether a program can dlopen itself" >&5 +$as_echo_n "checking whether a program can dlopen itself... 
" >&6; } +if test "${lt_cv_dlopen_self+set}" = set; then + $as_echo_n "(cached) " >&6 else - need_locks=no -fi + if test "$cross_compiling" = yes; then : + lt_cv_dlopen_self=cross +else + lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 + lt_status=$lt_dlunknown + cat > conftest.$ac_ext <<_LT_EOF +#line 12113 "configure" +#include "confdefs.h" -{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5 -echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; } +#if HAVE_DLFCN_H +#include +#endif - runpath_var= - allow_undefined_flag_GCJ= - enable_shared_with_static_runtimes_GCJ=no - archive_cmds_GCJ= - archive_expsym_cmds_GCJ= - old_archive_From_new_cmds_GCJ= - old_archive_from_expsyms_cmds_GCJ= - export_dynamic_flag_spec_GCJ= - whole_archive_flag_spec_GCJ= - thread_safe_flag_spec_GCJ= - hardcode_libdir_flag_spec_GCJ= - hardcode_libdir_flag_spec_ld_GCJ= - hardcode_libdir_separator_GCJ= - hardcode_direct_GCJ=no - hardcode_minus_L_GCJ=no - hardcode_shlibpath_var_GCJ=unsupported - link_all_deplibs_GCJ=unknown - hardcode_automatic_GCJ=no - module_cmds_GCJ= - module_expsym_cmds_GCJ= - always_export_symbols_GCJ=no - export_symbols_cmds_GCJ='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' - # include_expsyms should be a list of space-separated symbols to be *always* - # included in the symbol list - include_expsyms_GCJ= - # exclude_expsyms can be an extended regexp of symbols to exclude - # it will be wrapped by ` (' and `)$', so one must not match beginning or - # end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc', - # as well as any symbol that contains `d'. - exclude_expsyms_GCJ="_GLOBAL_OFFSET_TABLE_" - # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out - # platforms (ab)use it in PIC code, but their linkers get confused if - # the symbol is explicitly referenced. 
Since portable code cannot - # rely on this symbol name, it's probably fine to never include it in - # preloaded symbol tables. - extract_expsyms_cmds= - # Just being paranoid about ensuring that cc_basename is set. - for cc_temp in $compiler""; do - case $cc_temp in - compile | *[\\/]compile | ccache | *[\\/]ccache ) ;; - distcc | *[\\/]distcc | purify | *[\\/]purify ) ;; - \-*) ;; - *) break;; - esac -done -cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"` +#include - case $host_os in - cygwin* | mingw* | pw32*) - # FIXME: the MSVC++ port hasn't been tested in a loooong time - # When not using gcc, we currently assume that we are using - # Microsoft Visual C++. - if test "$GCC" != yes; then - with_gnu_ld=no - fi - ;; - interix*) - # we just hope/assume this is gcc and not c89 (= MSVC++) - with_gnu_ld=yes - ;; - openbsd*) - with_gnu_ld=no - ;; - esac +#ifdef RTLD_GLOBAL +# define LT_DLGLOBAL RTLD_GLOBAL +#else +# ifdef DL_GLOBAL +# define LT_DLGLOBAL DL_GLOBAL +# else +# define LT_DLGLOBAL 0 +# endif +#endif - ld_shlibs_GCJ=yes - if test "$with_gnu_ld" = yes; then - # If archive_cmds runs LD, not CC, wlarc should be empty - wlarc='${wl}' +/* We may have to define LT_DLLAZY_OR_NOW in the command line if we + find out it does not work in some platform. */ +#ifndef LT_DLLAZY_OR_NOW +# ifdef RTLD_LAZY +# define LT_DLLAZY_OR_NOW RTLD_LAZY +# else +# ifdef DL_LAZY +# define LT_DLLAZY_OR_NOW DL_LAZY +# else +# ifdef RTLD_NOW +# define LT_DLLAZY_OR_NOW RTLD_NOW +# else +# ifdef DL_NOW +# define LT_DLLAZY_OR_NOW DL_NOW +# else +# define LT_DLLAZY_OR_NOW 0 +# endif +# endif +# endif +# endif +#endif - # Set some defaults for GNU ld with shared library support. These - # are reset later if shared libraries are not supported. Putting them - # here allows them to be overridden if necessary. 
- runpath_var=LD_RUN_PATH - hardcode_libdir_flag_spec_GCJ='${wl}--rpath ${wl}$libdir' - export_dynamic_flag_spec_GCJ='${wl}--export-dynamic' - # ancient GNU ld didn't support --whole-archive et. al. - if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then - whole_archive_flag_spec_GCJ="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' - else - whole_archive_flag_spec_GCJ= - fi - supports_anon_versioning=no - case `$LD -v 2>/dev/null` in - *\ [01].* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11 - *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ... - *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ... - *\ 2.11.*) ;; # other 2.11 versions - *) supports_anon_versioning=yes ;; - esac +void fnord() { int i=42;} +int main () +{ + void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW); + int status = $lt_dlunknown; - # See if GNU ld supports shared libraries. - case $host_os in - aix3* | aix4* | aix5*) - # On AIX/PPC, the GNU linker is very broken - if test "$host_cpu" != ia64; then - ld_shlibs_GCJ=no - cat <&2 + if (self) + { + if (dlsym (self,"fnord")) status = $lt_dlno_uscore; + else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore; + /* dlclose (self); */ + } + else + puts (dlerror ()); -*** Warning: the GNU linker, at least up to release 2.9.1, is reported -*** to be unable to reliably create shared libraries on AIX. -*** Therefore, libtool is disabling shared libraries support. If you -*** really care for shared libraries, you may want to modify your PATH -*** so that a non-GNU linker is found, and then restart. + return status; +} +_LT_EOF + if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then + (./conftest; exit; ) >&5 2>/dev/null + lt_status=$? 
+ case x$lt_status in + x$lt_dlno_uscore) lt_cv_dlopen_self=yes ;; + x$lt_dlneed_uscore) lt_cv_dlopen_self=yes ;; + x$lt_dlunknown|x*) lt_cv_dlopen_self=no ;; + esac + else : + # compilation failed + lt_cv_dlopen_self=no + fi +fi +rm -fr conftest* -EOF - fi - ;; - amigaos*) - archive_cmds_GCJ='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' - hardcode_libdir_flag_spec_GCJ='-L$libdir' - hardcode_minus_L_GCJ=yes - - # Samuel A. Falvo II reports - # that the semantics of dynamic libraries on AmigaOS, at least up - # to version 4, is to share data among multiple programs linked - # with the same dynamic library. Since this doesn't match the - # behavior of shared libraries on other platforms, we can't use - # them. - ld_shlibs_GCJ=no - ;; +fi +{ $as_echo "$as_me:$LINENO: result: $lt_cv_dlopen_self" >&5 +$as_echo "$lt_cv_dlopen_self" >&6; } - beos*) - if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - allow_undefined_flag_GCJ=unsupported - # Joseph Beckenbach says some releases of gcc - # support --undefined. This deserves some investigation. FIXME - archive_cmds_GCJ='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - else - ld_shlibs_GCJ=no - fi - ;; + if test "x$lt_cv_dlopen_self" = xyes; then + wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\" + { $as_echo "$as_me:$LINENO: checking whether a statically linked program can dlopen itself" >&5 +$as_echo_n "checking whether a statically linked program can dlopen itself... 
" >&6; } +if test "${lt_cv_dlopen_self_static+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test "$cross_compiling" = yes; then : + lt_cv_dlopen_self_static=cross +else + lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 + lt_status=$lt_dlunknown + cat > conftest.$ac_ext <<_LT_EOF +#line 12209 "configure" +#include "confdefs.h" + +#if HAVE_DLFCN_H +#include +#endif - cygwin* | mingw* | pw32*) - # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, GCJ) is actually meaningless, - # as there is no search path for DLLs. - hardcode_libdir_flag_spec_GCJ='-L$libdir' - allow_undefined_flag_GCJ=unsupported - always_export_symbols_GCJ=no - enable_shared_with_static_runtimes_GCJ=yes - export_symbols_cmds_GCJ='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols' +#include - if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then - archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' - # If the export-symbols file already is a .def file (1st line - # is EXPORTS), use it as is; otherwise, prepend... 
- archive_expsym_cmds_GCJ='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then - cp $export_symbols $output_objdir/$soname.def; - else - echo EXPORTS > $output_objdir/$soname.def; - cat $export_symbols >> $output_objdir/$soname.def; - fi~ - $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' - else - ld_shlibs_GCJ=no - fi - ;; +#ifdef RTLD_GLOBAL +# define LT_DLGLOBAL RTLD_GLOBAL +#else +# ifdef DL_GLOBAL +# define LT_DLGLOBAL DL_GLOBAL +# else +# define LT_DLGLOBAL 0 +# endif +#endif - interix3*) - hardcode_direct_GCJ=no - hardcode_shlibpath_var_GCJ=no - hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir' - export_dynamic_flag_spec_GCJ='${wl}-E' - # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc. - # Instead, shared libraries are loaded at an image base (0x10000000 by - # default) and relocated if they conflict, which is a slow very memory - # consuming and fragmenting process. To avoid this, we pick a random, - # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link - # time. Moving up from 0x10000000 also allows more sbrk(2) space. - archive_cmds_GCJ='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' - archive_expsym_cmds_GCJ='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' - ;; +/* We may have to define LT_DLLAZY_OR_NOW in the command line if we + find out it does not work in some platform. 
*/ +#ifndef LT_DLLAZY_OR_NOW +# ifdef RTLD_LAZY +# define LT_DLLAZY_OR_NOW RTLD_LAZY +# else +# ifdef DL_LAZY +# define LT_DLLAZY_OR_NOW DL_LAZY +# else +# ifdef RTLD_NOW +# define LT_DLLAZY_OR_NOW RTLD_NOW +# else +# ifdef DL_NOW +# define LT_DLLAZY_OR_NOW DL_NOW +# else +# define LT_DLLAZY_OR_NOW 0 +# endif +# endif +# endif +# endif +#endif - linux*) - if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - tmp_addflag= - case $cc_basename,$host_cpu in - pgcc*) # Portland Group C compiler - whole_archive_flag_spec_GCJ='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive' - tmp_addflag=' $pic_flag' - ;; - pgf77* | pgf90* | pgf95*) # Portland Group f77 and f90 compilers - whole_archive_flag_spec_GCJ='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive' - tmp_addflag=' $pic_flag -Mnomain' ;; - ecc*,ia64* | icc*,ia64*) # Intel C compiler on ia64 - tmp_addflag=' -i_dynamic' ;; - efc*,ia64* | ifort*,ia64*) # Intel Fortran compiler on ia64 - tmp_addflag=' -i_dynamic -nofor_main' ;; - ifc* | ifort*) # Intel Fortran compiler - tmp_addflag=' -nofor_main' ;; - esac - archive_cmds_GCJ='$CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' +void fnord() { int i=42;} +int main () +{ + void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW); + int status = $lt_dlunknown; - if test $supports_anon_versioning = yes; then - archive_expsym_cmds_GCJ='$echo "{ global:" > $output_objdir/$libname.ver~ - cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ - $echo "local: *; };" >> $output_objdir/$libname.ver~ - $CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib' - 
fi - else - ld_shlibs_GCJ=no - fi - ;; + if (self) + { + if (dlsym (self,"fnord")) status = $lt_dlno_uscore; + else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore; + /* dlclose (self); */ + } + else + puts (dlerror ()); - netbsd*) - if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then - archive_cmds_GCJ='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' - wlarc= - else - archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - fi - ;; + return status; +} +_LT_EOF + if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then + (./conftest; exit; ) >&5 2>/dev/null + lt_status=$? + case x$lt_status in + x$lt_dlno_uscore) lt_cv_dlopen_self_static=yes ;; + x$lt_dlneed_uscore) lt_cv_dlopen_self_static=yes ;; + x$lt_dlunknown|x*) lt_cv_dlopen_self_static=no ;; + esac + else : + # compilation failed + lt_cv_dlopen_self_static=no + fi +fi +rm -fr conftest* - solaris*) - if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then - ld_shlibs_GCJ=no - cat <&2 -*** Warning: The releases 2.8.* of the GNU linker cannot reliably -*** create shared libraries on Solaris systems. Therefore, libtool -*** is disabling shared libraries support. We urge you to upgrade GNU -*** binutils to release 2.9.1 or newer. Another option is to modify -*** your PATH or compiler configuration so that the native linker is -*** used, and then restart. 
+fi +{ $as_echo "$as_me:$LINENO: result: $lt_cv_dlopen_self_static" >&5 +$as_echo "$lt_cv_dlopen_self_static" >&6; } + fi -EOF - elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - else - ld_shlibs_GCJ=no - fi - ;; + CPPFLAGS="$save_CPPFLAGS" + LDFLAGS="$save_LDFLAGS" + LIBS="$save_LIBS" + ;; + esac - sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*) - case `$LD -v 2>&1` in - *\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*) - ld_shlibs_GCJ=no - cat <<_LT_EOF 1>&2 + case $lt_cv_dlopen_self in + yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;; + *) enable_dlopen_self=unknown ;; + esac -*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not -*** reliably create shared libraries on SCO systems. Therefore, libtool -*** is disabling shared libraries support. We urge you to upgrade GNU -*** binutils to release 2.16.91.0.3 or newer. Another option is to modify -*** your PATH or compiler configuration so that the native linker is -*** used, and then restart. 
+ case $lt_cv_dlopen_self_static in + yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;; + *) enable_dlopen_self_static=unknown ;; + esac +fi -_LT_EOF - ;; - *) - if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - hardcode_libdir_flag_spec_GCJ='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`' - archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib' - archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname,-retain-symbols-file,$export_symbols -o $lib' - else - ld_shlibs_GCJ=no - fi - ;; - esac - ;; - sunos4*) - archive_cmds_GCJ='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags' - wlarc= - hardcode_direct_GCJ=yes - hardcode_shlibpath_var_GCJ=no - ;; - *) - if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - else - ld_shlibs_GCJ=no - fi - ;; - esac - if test "$ld_shlibs_GCJ" = no; then - runpath_var= - hardcode_libdir_flag_spec_GCJ= - export_dynamic_flag_spec_GCJ= - whole_archive_flag_spec_GCJ= - fi - else - # PORTME fill in a description of your system's linker (not GNU ld) - case $host_os in - aix3*) - allow_undefined_flag_GCJ=unsupported - always_export_symbols_GCJ=yes - archive_expsym_cmds_GCJ='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname' - # Note: this linker hardcodes the directories in LIBPATH if there - # are no directories specified by -L. 
- hardcode_minus_L_GCJ=yes - if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then - # Neither direct hardcoding nor static linking is supported with a - # broken collect2. - hardcode_direct_GCJ=unsupported - fi - ;; - aix4* | aix5*) - if test "$host_cpu" = ia64; then - # On IA64, the linker does run time linking by default, so we don't - # have to do anything special. - aix_use_runtimelinking=no - exp_sym_flag='-Bexport' - no_entry_flag="" - else - # If we're using GNU nm, then we don't want the "-C" option. - # -C means demangle to AIX nm, but means don't demangle with GNU nm - if $NM -V 2>&1 | grep 'GNU' > /dev/null; then - export_symbols_cmds_GCJ='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols' - else - export_symbols_cmds_GCJ='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols' - fi - aix_use_runtimelinking=no - # Test if we are trying to use run time linking or normal - # AIX style linking. If -brtl is somewhere in LDFLAGS, we - # need to do runtime linking. - case $host_os in aix4.[23]|aix4.[23].*|aix5*) - for ld_flag in $LDFLAGS; do - if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then - aix_use_runtimelinking=yes - break - fi - done - ;; - esac - exp_sym_flag='-bexport' - no_entry_flag='-bnoentry' - fi - # When large executables or shared objects are built, AIX ld can - # have problems creating the table of contents. If linking a library - # or program results in "error TOC overflow" add -mminimal-toc to - # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not - # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS. 
- archive_cmds_GCJ='' - hardcode_direct_GCJ=yes - hardcode_libdir_separator_GCJ=':' - link_all_deplibs_GCJ=yes - if test "$GCC" = yes; then - case $host_os in aix4.[012]|aix4.[012].*) - # We only want to do this on AIX 4.2 and lower, the check - # below for broken collect2 doesn't work under 4.3+ - collect2name=`${CC} -print-prog-name=collect2` - if test -f "$collect2name" && \ - strings "$collect2name" | grep resolve_lib_name >/dev/null - then - # We have reworked collect2 - hardcode_direct_GCJ=yes - else - # We have old collect2 - hardcode_direct_GCJ=unsupported - # It fails to find uninstalled libraries when the uninstalled - # path is not listed in the libpath. Setting hardcode_minus_L - # to unsupported forces relinking - hardcode_minus_L_GCJ=yes - hardcode_libdir_flag_spec_GCJ='-L$libdir' - hardcode_libdir_separator_GCJ= - fi - ;; - esac - shared_flag='-shared' - if test "$aix_use_runtimelinking" = yes; then - shared_flag="$shared_flag "'${wl}-G' - fi - else - # not using gcc - if test "$host_cpu" = ia64; then - # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release - # chokes on -Wl,-G. The following line is correct: - shared_flag='-G' - else - if test "$aix_use_runtimelinking" = yes; then - shared_flag='${wl}-G' - else - shared_flag='${wl}-bM:SRE' - fi - fi - fi - # It seems that -bexpall does not export symbols beginning with - # underscore (_), so it is better to generate a list of symbols to export. - always_export_symbols_GCJ=yes - if test "$aix_use_runtimelinking" = yes; then - # Warning - without using the other runtime loading flags (-brtl), - # -berok will link without error, but may produce a broken library. - allow_undefined_flag_GCJ='-berok' - # Determine the default libpath from the value encoded in an empty executable. - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. 
*/ -int -main () -{ - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then -aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } -}'` -# Check for a 64-bit object if we didn't find anything. -if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } -}'`; fi -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 + +striplib= +old_striplib= +{ $as_echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5 +$as_echo_n "checking whether stripping libraries is possible... 
" >&6; } +if test -n "$STRIP" && $STRIP -V 2>&1 | $GREP "GNU strip" >/dev/null; then + test -z "$old_striplib" && old_striplib="$STRIP --strip-debug" + test -z "$striplib" && striplib="$STRIP --strip-unneeded" + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } +else +# FIXME - insert some real tests, host_os isn't really good enough + case $host_os in + darwin*) + if test -n "$STRIP" ; then + striplib="$STRIP -x" + old_striplib="$STRIP -S" + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } + else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } + fi + ;; + *) + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } + ;; + esac fi -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi - hardcode_libdir_flag_spec_GCJ='${wl}-blibpath:$libdir:'"$aix_libpath" - archive_expsym_cmds_GCJ="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag" - else - if test "$host_cpu" = ia64; then - hardcode_libdir_flag_spec_GCJ='${wl}-R $libdir:/usr/lib:/lib' - allow_undefined_flag_GCJ="-z nodefs" - archive_expsym_cmds_GCJ="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols" - else - # Determine the default libpath from the value encoded in an empty executable. - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. 
*/ -int -main () -{ - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then -aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } -}'` -# Check for a 64-bit object if we didn't find anything. -if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } -}'`; fi -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 -fi -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi - hardcode_libdir_flag_spec_GCJ='${wl}-blibpath:$libdir:'"$aix_libpath" - # Warning - without using the other run time loading flags, - # -berok will link without error, but may produce a broken library. - no_undefined_flag_GCJ=' ${wl}-bernotok' - allow_undefined_flag_GCJ=' ${wl}-berok' - # Exported symbols can be pulled into shared objects from archives - whole_archive_flag_spec_GCJ='$convenience' - archive_cmds_need_lc_GCJ=yes - # This is similar to how AIX traditionally builds its shared libraries. 
- archive_expsym_cmds_GCJ="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname' - fi - fi - ;; - amigaos*) - archive_cmds_GCJ='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' - hardcode_libdir_flag_spec_GCJ='-L$libdir' - hardcode_minus_L_GCJ=yes - # see comment about different semantics on the GNU ld section - ld_shlibs_GCJ=no - ;; - bsdi[45]*) - export_dynamic_flag_spec_GCJ=-rdynamic - ;; - cygwin* | mingw* | pw32*) - # When not using gcc, we currently assume that we are using - # Microsoft Visual C++. - # hardcode_libdir_flag_spec is actually meaningless, as there is - # no search path for DLLs. - hardcode_libdir_flag_spec_GCJ=' ' - allow_undefined_flag_GCJ=unsupported - # Tell ltmain to make .lib files, not .a files. - libext=lib - # Tell ltmain to make .dll files, not .so files. - shrext_cmds=".dll" - # FIXME: Setting linknames here is a bad hack. - archive_cmds_GCJ='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames=' - # The linker will automatically build a .lib file if we build a DLL. - old_archive_From_new_cmds_GCJ='true' - # FIXME: Should let the user specify the lib program. 
- old_archive_cmds_GCJ='lib /OUT:$oldlib$oldobjs$old_deplibs' - fix_srcfile_path_GCJ='`cygpath -w "$srcfile"`' - enable_shared_with_static_runtimes_GCJ=yes - ;; + # Report which library types will actually be built + { $as_echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5 +$as_echo_n "checking if libtool supports shared libraries... " >&6; } + { $as_echo "$as_me:$LINENO: result: $can_build_shared" >&5 +$as_echo "$can_build_shared" >&6; } - darwin* | rhapsody*) - case $host_os in - rhapsody* | darwin1.[012]) - allow_undefined_flag_GCJ='${wl}-undefined ${wl}suppress' - ;; - *) # Darwin 1.3 on - if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then - allow_undefined_flag_GCJ='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' - else - case ${MACOSX_DEPLOYMENT_TARGET} in - 10.[012]) - allow_undefined_flag_GCJ='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' - ;; - 10.*) - allow_undefined_flag_GCJ='${wl}-undefined ${wl}dynamic_lookup' - ;; - esac - fi - ;; - esac - archive_cmds_need_lc_GCJ=no - hardcode_direct_GCJ=no - hardcode_automatic_GCJ=yes - hardcode_shlibpath_var_GCJ=unsupported - whole_archive_flag_spec_GCJ='' - link_all_deplibs_GCJ=yes - if test "$GCC" = yes ; then - output_verbose_link_cmd='echo' - archive_cmds_GCJ='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring' - module_cmds_GCJ='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags' - # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds - archive_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - module_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > 
$output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - else - case $cc_basename in - xlc*) - output_verbose_link_cmd='echo' - archive_cmds_GCJ='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring' - module_cmds_GCJ='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags' - # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds - archive_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - module_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - ;; - *) - ld_shlibs_GCJ=no - ;; - esac - fi - ;; + { $as_echo "$as_me:$LINENO: checking whether to build shared libraries" >&5 +$as_echo_n "checking whether to build shared libraries... " >&6; } + test "$can_build_shared" = "no" && enable_shared=no - dgux*) - archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_libdir_flag_spec_GCJ='-L$libdir' - hardcode_shlibpath_var_GCJ=no - ;; + # On AIX, shared libraries and static libraries use the same namespace, and + # are all built from PIC. 
+ case $host_os in + aix3*) + test "$enable_shared" = yes && enable_static=no + if test -n "$RANLIB"; then + archive_cmds="$archive_cmds~\$RANLIB \$lib" + postinstall_cmds='$RANLIB $lib' + fi + ;; - freebsd1*) - ld_shlibs_GCJ=no - ;; + aix[4-9]*) + if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then + test "$enable_shared" = yes && enable_static=no + fi + ;; + esac + { $as_echo "$as_me:$LINENO: result: $enable_shared" >&5 +$as_echo "$enable_shared" >&6; } - # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor - # support. Future versions do this automatically, but an explicit c++rt0.o - # does not break anything, and helps significantly (at the cost of a little - # extra space). - freebsd2.2*) - archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o' - hardcode_libdir_flag_spec_GCJ='-R$libdir' - hardcode_direct_GCJ=yes - hardcode_shlibpath_var_GCJ=no - ;; + { $as_echo "$as_me:$LINENO: checking whether to build static libraries" >&5 +$as_echo_n "checking whether to build static libraries... " >&6; } + # Make sure either enable_shared or enable_static is yes. + test "$enable_shared" = yes || enable_static=yes + { $as_echo "$as_me:$LINENO: result: $enable_static" >&5 +$as_echo "$enable_static" >&6; } - # Unfortunately, older versions of FreeBSD 2 do not have this feature. - freebsd2*) - archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' - hardcode_direct_GCJ=yes - hardcode_minus_L_GCJ=yes - hardcode_shlibpath_var_GCJ=no - ;; - # FreeBSD 3 and greater uses gcc -shared to do shared libraries. 
- freebsd* | kfreebsd*-gnu | dragonfly*) - archive_cmds_GCJ='$CC -shared -o $lib $libobjs $deplibs $compiler_flags' - hardcode_libdir_flag_spec_GCJ='-R$libdir' - hardcode_direct_GCJ=yes - hardcode_shlibpath_var_GCJ=no - ;; - hpux9*) - if test "$GCC" = yes; then - archive_cmds_GCJ='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' - else - archive_cmds_GCJ='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' - fi - hardcode_libdir_flag_spec_GCJ='${wl}+b ${wl}$libdir' - hardcode_libdir_separator_GCJ=: - hardcode_direct_GCJ=yes - # hardcode_minus_L: Not really in the search PATH, - # but as the default location of the library. - hardcode_minus_L_GCJ=yes - export_dynamic_flag_spec_GCJ='${wl}-E' - ;; +fi +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu - hpux10*) - if test "$GCC" = yes -a "$with_gnu_ld" = no; then - archive_cmds_GCJ='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' - else - archive_cmds_GCJ='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags' - fi - if test "$with_gnu_ld" = no; then - hardcode_libdir_flag_spec_GCJ='${wl}+b ${wl}$libdir' - hardcode_libdir_separator_GCJ=: +CC="$lt_save_CC" - hardcode_direct_GCJ=yes - export_dynamic_flag_spec_GCJ='${wl}-E' - # hardcode_minus_L: Not really in the search PATH, - # but as the default location of the library. 
- hardcode_minus_L_GCJ=yes - fi - ;; - hpux11*) - if test "$GCC" = yes -a "$with_gnu_ld" = no; then - case $host_cpu in - hppa*64*) - archive_cmds_GCJ='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' - ;; - ia64*) - archive_cmds_GCJ='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags' - ;; - *) - archive_cmds_GCJ='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' - ;; - esac - else - case $host_cpu in - hppa*64*) - archive_cmds_GCJ='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' - ;; - ia64*) - archive_cmds_GCJ='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags' - ;; - *) - archive_cmds_GCJ='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' - ;; - esac - fi - if test "$with_gnu_ld" = no; then - hardcode_libdir_flag_spec_GCJ='${wl}+b ${wl}$libdir' - hardcode_libdir_separator_GCJ=: - case $host_cpu in - hppa*64*|ia64*) - hardcode_libdir_flag_spec_ld_GCJ='+b $libdir' - hardcode_direct_GCJ=no - hardcode_shlibpath_var_GCJ=no - ;; - *) - hardcode_direct_GCJ=yes - export_dynamic_flag_spec_GCJ='${wl}-E' - # hardcode_minus_L: Not really in the search PATH, - # but as the default location of the library. 
- hardcode_minus_L_GCJ=yes - ;; - esac - fi - ;; - irix5* | irix6* | nonstopux*) - if test "$GCC" = yes; then - archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' - else - archive_cmds_GCJ='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - hardcode_libdir_flag_spec_ld_GCJ='-rpath $libdir' - fi - hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir' - hardcode_libdir_separator_GCJ=: - link_all_deplibs_GCJ=yes - ;; - netbsd*) - if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then - archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out - else - archive_cmds_GCJ='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF - fi - hardcode_libdir_flag_spec_GCJ='-R$libdir' - hardcode_direct_GCJ=yes - hardcode_shlibpath_var_GCJ=no - ;; - newsos6) - archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_direct_GCJ=yes - hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir' - hardcode_libdir_separator_GCJ=: - hardcode_shlibpath_var_GCJ=no - ;; - openbsd*) - hardcode_direct_GCJ=yes - hardcode_shlibpath_var_GCJ=no - if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then - archive_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' - archive_expsym_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols' - hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir' - export_dynamic_flag_spec_GCJ='${wl}-E' - else - case $host_os in - openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*) - archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' - 
hardcode_libdir_flag_spec_GCJ='-R$libdir' - ;; - *) - archive_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' - hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir' - ;; - esac - fi - ;; - os2*) - hardcode_libdir_flag_spec_GCJ='-L$libdir' - hardcode_minus_L_GCJ=yes - allow_undefined_flag_GCJ=unsupported - archive_cmds_GCJ='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def' - old_archive_From_new_cmds_GCJ='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def' - ;; - osf3*) - if test "$GCC" = yes; then - allow_undefined_flag_GCJ=' ${wl}-expect_unresolved ${wl}\*' - archive_cmds_GCJ='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' - else - allow_undefined_flag_GCJ=' -expect_unresolved \*' - archive_cmds_GCJ='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - fi - hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir' - hardcode_libdir_separator_GCJ=: - ;; - osf4* | osf5*) # as osf3* with the addition of -msym flag - if test "$GCC" = yes; then - allow_undefined_flag_GCJ=' ${wl}-expect_unresolved ${wl}\*' - archive_cmds_GCJ='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' - 
hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir' - else - allow_undefined_flag_GCJ=' -expect_unresolved \*' - archive_cmds_GCJ='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - archive_expsym_cmds_GCJ='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~ - $LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~$rm $lib.exp' - # Both c and cxx compiler support -rpath directly - hardcode_libdir_flag_spec_GCJ='-rpath $libdir' - fi - hardcode_libdir_separator_GCJ=: - ;; + ac_config_commands="$ac_config_commands libtool" - solaris*) - no_undefined_flag_GCJ=' -z text' - if test "$GCC" = yes; then - wlarc='${wl}' - archive_cmds_GCJ='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' - archive_expsym_cmds_GCJ='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~ - $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp' - else - wlarc='' - archive_cmds_GCJ='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags' - archive_expsym_cmds_GCJ='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~ - $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp' - fi - hardcode_libdir_flag_spec_GCJ='-R$libdir' - hardcode_shlibpath_var_GCJ=no - case $host_os in - solaris2.[0-5] | solaris2.[0-5].*) ;; - *) - # The compiler driver will combine linker options so we - # cannot just pass the convience library names through - # 
without $wl, iff we do not link with $LD. - # Luckily, gcc supports the same syntax we need for Sun Studio. - # Supported since Solaris 2.6 (maybe 2.5.1?) - case $wlarc in - '') - whole_archive_flag_spec_GCJ='-z allextract$convenience -z defaultextract' ;; - *) - whole_archive_flag_spec_GCJ='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract' ;; - esac ;; - esac - link_all_deplibs_GCJ=yes - ;; - sunos4*) - if test "x$host_vendor" = xsequent; then - # Use $CC to link under sequent, because it throws in some extra .o - # files that make .init and .fini sections work. - archive_cmds_GCJ='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags' - else - archive_cmds_GCJ='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags' - fi - hardcode_libdir_flag_spec_GCJ='-L$libdir' - hardcode_direct_GCJ=yes - hardcode_minus_L_GCJ=yes - hardcode_shlibpath_var_GCJ=no - ;; - sysv4) - case $host_vendor in - sni) - archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_direct_GCJ=yes # is this really true??? - ;; - siemens) - ## LD is ld it makes a PLAMLIB - ## CC just makes a GrossModule. 
- archive_cmds_GCJ='$LD -G -o $lib $libobjs $deplibs $linker_flags' - reload_cmds_GCJ='$CC -r -o $output$reload_objs' - hardcode_direct_GCJ=no - ;; - motorola) - archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_direct_GCJ=no #Motorola manual says yes, but my tests say they lie - ;; - esac - runpath_var='LD_RUN_PATH' - hardcode_shlibpath_var_GCJ=no - ;; - sysv4.3*) - archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_shlibpath_var_GCJ=no - export_dynamic_flag_spec_GCJ='-Bexport' - ;; +# Only expand once: - sysv4*MP*) - if test -d /usr/nec; then - archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_shlibpath_var_GCJ=no - runpath_var=LD_RUN_PATH - hardcode_runpath_var=yes - ld_shlibs_GCJ=yes - fi - ;; - sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7*) - no_undefined_flag_GCJ='${wl}-z,text' - archive_cmds_need_lc_GCJ=no - hardcode_shlibpath_var_GCJ=no - runpath_var='LD_RUN_PATH' +if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args. +set dummy ${ac_tool_prefix}ranlib; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_RANLIB+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$RANLIB"; then + ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS - if test "$GCC" = yes; then - archive_cmds_GCJ='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' - archive_expsym_cmds_GCJ='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' - else - archive_cmds_GCJ='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' - archive_expsym_cmds_GCJ='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' - fi - ;; +fi +fi +RANLIB=$ac_cv_prog_RANLIB +if test -n "$RANLIB"; then + { $as_echo "$as_me:$LINENO: result: $RANLIB" >&5 +$as_echo "$RANLIB" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi - sysv5* | sco3.2v5* | sco5v6*) - # Note: We can NOT use -z defs as we might desire, because we do not - # link with -lc, and that would cause any symbols used from libc to - # always be unresolved, which means just about no library would - # ever link correctly. If we're not using GNU ld we use -z text - # though, which does catch some bad symbols but isn't as heavy-handed - # as -z defs. 
- no_undefined_flag_GCJ='${wl}-z,text' - allow_undefined_flag_GCJ='${wl}-z,nodefs' - archive_cmds_need_lc_GCJ=no - hardcode_shlibpath_var_GCJ=no - hardcode_libdir_flag_spec_GCJ='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`' - hardcode_libdir_separator_GCJ=':' - link_all_deplibs_GCJ=yes - export_dynamic_flag_spec_GCJ='${wl}-Bexport' - runpath_var='LD_RUN_PATH' - if test "$GCC" = yes; then - archive_cmds_GCJ='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags' - archive_expsym_cmds_GCJ='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags' - else - archive_cmds_GCJ='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags' - archive_expsym_cmds_GCJ='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags' - fi - ;; +fi +if test -z "$ac_cv_prog_RANLIB"; then + ac_ct_RANLIB=$RANLIB + # Extract the first word of "ranlib", so it can be a program name with args. +set dummy ranlib; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_RANLIB"; then + ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_ac_ct_RANLIB="ranlib" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS - uts4*) - archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_libdir_flag_spec_GCJ='-L$libdir' - hardcode_shlibpath_var_GCJ=no - ;; +fi +fi +ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB +if test -n "$ac_ct_RANLIB"; then + { $as_echo "$as_me:$LINENO: result: $ac_ct_RANLIB" >&5 +$as_echo "$ac_ct_RANLIB" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi - *) - ld_shlibs_GCJ=no - ;; - esac + if test "x$ac_ct_RANLIB" = x; then + RANLIB=":" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + RANLIB=$ac_ct_RANLIB fi +else + RANLIB="$ac_cv_prog_RANLIB" +fi -{ echo "$as_me:$LINENO: result: $ld_shlibs_GCJ" >&5 -echo "${ECHO_T}$ld_shlibs_GCJ" >&6; } -test "$ld_shlibs_GCJ" = no && can_build_shared=no - -# -# Do we need to explicitly link libc? -# -case "x$archive_cmds_need_lc_GCJ" in -x|xyes) - # Assume -lc should be added - archive_cmds_need_lc_GCJ=yes - if test "$enable_shared" = yes && test "$GCC" = yes; then - case $archive_cmds_GCJ in - *'~'*) - # FIXME: we may have to deal with multi-command sequences. - ;; - '$CC '*) - # Test whether the compiler implicitly links with -lc since on some - # systems, -lgcc has to come before -lc. If gcc already passes -lc - # to ld, don't add -lc before -lgcc. - { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5 -echo $ECHO_N "checking whether -lc should be explicitly linked in... 
$ECHO_C" >&6; } - $rm conftest* - printf "$lt_simple_compile_test_code" > conftest.$ac_ext + { $as_echo "$as_me:$LINENO: checking whether byte ordering is bigendian" >&5 +$as_echo_n "checking whether byte ordering is bigendian... " >&6; } +if test "${ac_cv_c_bigendian+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_cv_c_bigendian=unknown + # See if we're dealing with a universal compiler. + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#ifndef __APPLE_CC__ + not a universal capable compiler + #endif + typedef int dummy; - if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } 2>conftest.err; then - soname=conftest - lib=conftest - libobjs=conftest.$ac_objext - deplibs= - wl=$lt_prog_compiler_wl_GCJ - pic_flag=$lt_prog_compiler_pic_GCJ - compiler_flags=-v - linker_flags=-v - verstring= - output_objdir=. - libname=conftest - lt_save_allow_undefined_flag=$allow_undefined_flag_GCJ - allow_undefined_flag_GCJ= - if { (eval echo "$as_me:$LINENO: \"$archive_cmds_GCJ 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5 - (eval $archive_cmds_GCJ 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 - (exit $ac_status); } - then - archive_cmds_need_lc_GCJ=no - else - archive_cmds_need_lc_GCJ=yes - fi - allow_undefined_flag_GCJ=$lt_save_allow_undefined_flag - else - cat conftest.err 1>&5 - fi - $rm conftest* - { echo "$as_me:$LINENO: result: $archive_cmds_need_lc_GCJ" >&5 -echo "${ECHO_T}$archive_cmds_need_lc_GCJ" >&6; } - ;; - esac - fi - ;; +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then -{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5 -echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; } -library_names_spec= -libname_spec='lib$name' -soname_spec= -shrext_cmds=".so" -postinstall_cmds= -postuninstall_cmds= -finish_cmds= -finish_eval= -shlibpath_var= -shlibpath_overrides_runpath=unknown -version_type=none -dynamic_linker="$host_os ld.so" -sys_lib_dlsearch_path_spec="/lib /usr/lib" -if test "$GCC" = yes; then - sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"` - if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then - # if the path contains ";" then we assume it to be the separator - # otherwise default to the standard path separator (i.e. ":") - it is - # assumed that no part of a normal pathname contains ";" but that should - # okay in the real world where ";" in dirpaths is itself problematic. 
- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'` - else - sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` - fi + # Check for potential -arch flags. It is not universal unless + # there are some -arch flags. Note that *ppc* also matches + # ppc64. This check is also rather less than ideal. + case "${CC} ${CFLAGS} ${CPPFLAGS} ${LDFLAGS}" in #( + *-arch*ppc*|*-arch*i386*|*-arch*x86_64*) ac_cv_c_bigendian=universal;; + esac else - sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib" -fi -need_lib_prefix=unknown -hardcode_into_libs=no + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -# when you set need_version to no, make sure it does not cause -set_version -# flags to be left without arguments -need_version=unknown -case $host_os in -aix3*) - version_type=linux - library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a' - shlibpath_var=LIBPATH +fi - # AIX 3 has no versioning support, so we append a major version to the name. - soname_spec='${libname}${release}${shared_ext}$major' - ;; +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + if test $ac_cv_c_bigendian = unknown; then + # See if sys/param.h defines the BYTE_ORDER macro. + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include + #include -aix4* | aix5*) - version_type=linux - need_lib_prefix=no - need_version=no - hardcode_into_libs=yes - if test "$host_cpu" = ia64; then - # AIX 5 supports IA64 - library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}' - shlibpath_var=LD_LIBRARY_PATH - else - # With GCC up to 2.95.x, collect2 would create an import file - # for dependence libraries. The import file would start with - # the line `#! .'. 
This would cause the generated library to - # depend on `.', always an invalid library. This was fixed in - # development snapshots of GCC prior to 3.0. - case $host_os in - aix4 | aix4.[01] | aix4.[01].*) - if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)' - echo ' yes ' - echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then - : - else - can_build_shared=no - fi - ;; - esac - # AIX (on Power*) has no versioning support, so currently we can not hardcode correct - # soname into executable. Probably we can add versioning support to - # collect2, so additional links can be useful in future. - if test "$aix_use_runtimelinking" = yes; then - # If using run time linking (on AIX 4.2 or later) use lib.so - # instead of lib.a to let people know that these are not - # typical AIX shared libraries. - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - else - # We preserve .a as extension for shared libraries through AIX4.2 - # and later when we are not doing run time linking. - library_names_spec='${libname}${release}.a $libname.a' - soname_spec='${libname}${release}${shared_ext}$major' - fi - shlibpath_var=LIBPATH - fi - ;; +int +main () +{ +#if ! (defined BYTE_ORDER && defined BIG_ENDIAN \ + && defined LITTLE_ENDIAN && BYTE_ORDER && BIG_ENDIAN \ + && LITTLE_ENDIAN) + bogus endian macros + #endif -amigaos*) - library_names_spec='$libname.ixlibrary $libname.a' - # Create ${libname}_ixlibrary.a entries in /sys/libs. 
- finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done' - ;; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + # It does; now see whether it defined to BIG_ENDIAN or not. + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +#include + #include -beos*) - library_names_spec='${libname}${shared_ext}' - dynamic_linker="$host_os ld.so" - shlibpath_var=LIBRARY_PATH - ;; +int +main () +{ +#if BYTE_ORDER != BIG_ENDIAN + not big endian + #endif -bsdi[45]*) - version_type=linux - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir' - shlibpath_var=LD_LIBRARY_PATH - sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib" - sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib" - # the default ld.so.conf also contains /usr/contrib/lib and - # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow - # libtool to hard-code these into programs - ;; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_cv_c_bigendian=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -cygwin* | mingw* | pw32*) - version_type=windows - shrext_cmds=".dll" - need_version=no - need_lib_prefix=no + ac_cv_c_bigendian=no +fi - case $GCC,$host_os in - yes,cygwin* | yes,mingw* | yes,pw32*) - library_names_spec='$libname.dll.a' - # DLL is installed to $(libdir)/../bin by postinstall_cmds - postinstall_cmds='base_file=`basename \${file}`~ - dlpath=`$SHELL 2>&1 -c '\''. 
$dir/'\''\${base_file}'\''i;echo \$dlname'\''`~ - dldir=$destdir/`dirname \$dlpath`~ - test -d \$dldir || mkdir -p \$dldir~ - $install_prog $dir/$dlname \$dldir/$dlname~ - chmod a+x \$dldir/$dlname' - postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~ - dlpath=$dir/\$dldll~ - $rm \$dlpath' - shlibpath_overrides_runpath=yes +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 - case $host_os in - cygwin*) - # Cygwin DLLs use 'cyg' prefix rather than 'lib' - soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}' - sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib" - ;; - mingw*) - # MinGW DLLs use traditional 'lib' prefix - soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}' - sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"` - if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then - # It is most probably a Windows format PATH printed by - # mingw gcc, but we are running on Cygwin. Gcc prints its search - # path with ; separators, and with drive letters. We can handle the - # drive letters (cygwin fileutils understands them), so leave them, - # especially as we might pass files found there to a mingw objdump, - # which wouldn't understand a cygwinified path. Ahh. 
- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'` - else - sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` - fi - ;; - pw32*) - # pw32 DLLs use 'pw' prefix rather than 'lib' - library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}' - ;; - esac - ;; - *) - library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib' - ;; - esac - dynamic_linker='Win32 ld.exe' - # FIXME: first we should search . and the directory the executable is in - shlibpath_var=PATH - ;; +fi -darwin* | rhapsody*) - dynamic_linker="$host_os dyld" - version_type=darwin - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext' - soname_spec='${libname}${release}${major}$shared_ext' - shlibpath_overrides_runpath=yes - shlibpath_var=DYLD_LIBRARY_PATH - shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`' - # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same. - if test "$GCC" = yes; then - sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"` - else - sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib' - fi - sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib' - ;; +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + fi + if test $ac_cv_c_bigendian = unknown; then + # See if defines _LITTLE_ENDIAN or _BIG_ENDIAN (e.g., Solaris). + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +#include -dgux*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - ;; +int +main () +{ +#if ! (defined _LITTLE_ENDIAN || defined _BIG_ENDIAN) + bogus endian macros + #endif -freebsd1*) - dynamic_linker=no - ;; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + # It does; now see whether it defined to _BIG_ENDIAN or not. + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include -kfreebsd*-gnu) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - dynamic_linker='GNU ld.so' - ;; +int +main () +{ +#ifndef _BIG_ENDIAN + not big endian + #endif -freebsd* | dragonfly*) - # DragonFly does not have aout. When/if they implement a new - # versioning mechanism, adjust this. 
- if test -x /usr/bin/objformat; then - objformat=`/usr/bin/objformat` - else - case $host_os in - freebsd[123]*) objformat=aout ;; - *) objformat=elf ;; - esac - fi - version_type=freebsd-$objformat - case $version_type in - freebsd-elf*) - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}' - need_version=no - need_lib_prefix=no - ;; - freebsd-*) - library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix' - need_version=yes - ;; - esac - shlibpath_var=LD_LIBRARY_PATH - case $host_os in - freebsd2*) - shlibpath_overrides_runpath=yes - ;; - freebsd3.[01]* | freebsdelf3.[01]*) - shlibpath_overrides_runpath=yes - hardcode_into_libs=yes - ;; - freebsd3.[2-9]* | freebsdelf3.[2-9]* | \ - freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1) - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - ;; - freebsd*) # from 4.6 on - shlibpath_overrides_runpath=yes - hardcode_into_libs=yes - ;; - esac - ;; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + ac_cv_c_bigendian=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -gnu*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - hardcode_into_libs=yes - ;; + ac_cv_c_bigendian=no +fi -hpux9* | hpux10* | hpux11*) - # Give a soname corresponding to the major version so that dld.sl refuses to - # link against other versions. - version_type=sunos - need_lib_prefix=no - need_version=no - case $host_cpu in - ia64*) - shrext_cmds='.so' - hardcode_into_libs=yes - dynamic_linker="$host_os dld.so" - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - if test "X$HPUX_IA64_MODE" = X32; then - sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib" - else - sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64" +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi - sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec - ;; - hppa*64*) - shrext_cmds='.sl' - hardcode_into_libs=yes - dynamic_linker="$host_os dld.sl" - shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH - shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. 
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64" - sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec - ;; - *) - shrext_cmds='.sl' - dynamic_linker="$host_os dld.sl" - shlibpath_var=SHLIB_PATH - shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - ;; - esac - # HP-UX runs *really* slowly unless shared libraries are mode 555. - postinstall_cmds='chmod 555 $lib' - ;; + if test $ac_cv_c_bigendian = unknown; then + # Compile a test program. + if test "$cross_compiling" = yes; then + # Try to guess by grepping values from an object file. + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +short int ascii_mm[] = + { 0x4249, 0x4765, 0x6E44, 0x6961, 0x6E53, 0x7953, 0 }; + short int ascii_ii[] = + { 0x694C, 0x5454, 0x656C, 0x6E45, 0x6944, 0x6E61, 0 }; + int use_ascii (int i) { + return ascii_mm[i] + ascii_ii[i]; + } + short int ebcdic_ii[] = + { 0x89D3, 0xE3E3, 0x8593, 0x95C5, 0x89C4, 0x9581, 0 }; + short int ebcdic_mm[] = + { 0xC2C9, 0xC785, 0x95C4, 0x8981, 0x95E2, 0xA8E2, 0 }; + int use_ebcdic (int i) { + return ebcdic_mm[i] + ebcdic_ii[i]; + } + extern int foo; -interix3*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - ;; +int +main () +{ +return use_ascii (foo) == use_ebcdic (foo); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + if grep BIGenDianSyS conftest.$ac_objext >/dev/null; then + ac_cv_c_bigendian=yes + fi + if grep LiTTleEnDian conftest.$ac_objext >/dev/null ; then + if test "$ac_cv_c_bigendian" = unknown; then + ac_cv_c_bigendian=no + else + # finding both strings is unlikely to happen, but who knows? 
+ ac_cv_c_bigendian=unknown + fi + fi +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -irix5* | irix6* | nonstopux*) - case $host_os in - nonstopux*) version_type=nonstopux ;; - *) - if test "$lt_cv_prog_gnu_ld" = yes; then - version_type=linux - else - version_type=irix - fi ;; - esac - need_lib_prefix=no - need_version=no - soname_spec='${libname}${release}${shared_ext}$major' - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}' - case $host_os in - irix5* | nonstopux*) - libsuff= shlibsuff= - ;; - *) - case $LD in # libtool.m4 will add one of these switches to LD - *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ") - libsuff= shlibsuff= libmagic=32-bit;; - *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ") - libsuff=32 shlibsuff=N32 libmagic=N32;; - *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ") - libsuff=64 shlibsuff=64 libmagic=64-bit;; - *) libsuff= shlibsuff= libmagic=never-match;; - esac - ;; - esac - shlibpath_var=LD_LIBRARY${shlibsuff}_PATH - shlibpath_overrides_runpath=no - sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}" - sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}" - hardcode_into_libs=yes - ;; -# No shared lib support for Linux oldld, aout, or coff. -linux*oldld* | linux*aout* | linux*coff*) - dynamic_linker=no - ;; +fi -# This must be Linux ELF. -linux*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - # This implies no fast_install, which is unacceptable. - # Some rework will be needed to allow for fast_install - # before this can be enabled. 
- hardcode_into_libs=yes +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ - # find out which ABI we are using - libsuff= - case "$host_cpu" in - x86_64*|s390x*|powerpc64*) - echo '#line 19245 "configure"' > conftest.$ac_ext - if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 + /* Are we little or big endian? From Harbison&Steele. */ + union + { + long int l; + char c[sizeof (long int)]; + } u; + u.l = 1; + return u.c[sizeof (long int) - 1] == 1; + + ; + return 0; +} +_ACEOF +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; then - case `/usr/bin/file conftest.$ac_objext` in - *64-bit*) - libsuff=64 - sys_lib_search_path_spec="/lib${libsuff} /usr/lib${libsuff} /usr/local/lib${libsuff}" - ;; - esac - fi - rm -rf conftest* - ;; - esac + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_c_bigendian=no +else + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 - # Append ld.so.conf contents to the search path - if test -f /etc/ld.so.conf; then - lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/^ *//;s/#.*//;/^[^\/]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` - sys_lib_dlsearch_path_spec="/lib${libsuff} /usr/lib${libsuff} $lt_ld_extra" - fi +( exit $ac_status ) +ac_cv_c_bigendian=yes +fi +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +fi - # We used to test for /lib/ld.so.1 and disable shared libraries on - # powerpc, because MkLinux only supported shared libraries with the - # GNU dynamic linker. Since this was broken with cross compilers, - # most powerpc-linux boxes support dynamic linking these days and - # people can always --disable-shared, the test was removed, and we - # assume the GNU/Linux dynamic linker is in use. 
- dynamic_linker='GNU/Linux ld.so' - ;; -knetbsd*-gnu) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - dynamic_linker='GNU ld.so' - ;; + fi +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_bigendian" >&5 +$as_echo "$ac_cv_c_bigendian" >&6; } + case $ac_cv_c_bigendian in #( + yes) + cat >>confdefs.h <<\_ACEOF +#define WORDS_BIGENDIAN 1 +_ACEOF +;; #( + no) + ;; #( + universal) -netbsd*) - version_type=sunos - need_lib_prefix=no - need_version=no - if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' - finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' - dynamic_linker='NetBSD (a.out) ld.so' - else - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - dynamic_linker='NetBSD ld.elf_so' - fi - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - hardcode_into_libs=yes - ;; +cat >>confdefs.h <<\_ACEOF +#define AC_APPLE_UNIVERSAL_BUILD 1 +_ACEOF -newsos6) - version_type=linux - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - ;; + ;; #( + *) + { { $as_echo "$as_me:$LINENO: error: unknown endianness + presetting ac_cv_c_bigendian=no (or yes) will help" >&5 +$as_echo "$as_me: error: unknown endianness + presetting ac_cv_c_bigendian=no (or yes) will help" >&2;} + { (exit 1); exit 1; }; } ;; + esac + +{ $as_echo "$as_me:$LINENO: checking for inline" >&5 +$as_echo_n "checking for inline... 
" >&6; } +if test "${ac_cv_c_inline+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_cv_c_inline=no +for ac_kw in inline __inline__ __inline; do + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#ifndef __cplusplus +typedef int foo_t; +static $ac_kw foo_t static_foo () {return 0; } +$ac_kw foo_t foo () {return 0; } +#endif + +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_cv_c_inline=$ac_kw +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -nto-qnx*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - ;; -openbsd*) - version_type=sunos - sys_lib_dlsearch_path_spec="/usr/lib" - need_lib_prefix=no - # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs. 
- case $host_os in - openbsd3.3 | openbsd3.3.*) need_version=yes ;; - *) need_version=no ;; - esac - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' - finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' - shlibpath_var=LD_LIBRARY_PATH - if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then - case $host_os in - openbsd2.[89] | openbsd2.[89].*) - shlibpath_overrides_runpath=no - ;; - *) - shlibpath_overrides_runpath=yes - ;; - esac - else - shlibpath_overrides_runpath=yes - fi - ;; +fi -os2*) - libname_spec='$name' - shrext_cmds=".dll" - need_lib_prefix=no - library_names_spec='$libname${shared_ext} $libname.a' - dynamic_linker='OS/2 ld.exe' - shlibpath_var=LIBPATH - ;; +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + test "$ac_cv_c_inline" != no && break +done -osf3* | osf4* | osf5*) - version_type=osf - need_lib_prefix=no - need_version=no - soname_spec='${libname}${release}${shared_ext}$major' - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - shlibpath_var=LD_LIBRARY_PATH - sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib" - sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec" - ;; +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_inline" >&5 +$as_echo "$ac_cv_c_inline" >&6; } -solaris*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - hardcode_into_libs=yes - # ldd complains unless libraries are executable - postinstall_cmds='chmod +x $lib' - ;; -sunos4*) - version_type=sunos - library_names_spec='${libname}${release}${shared_ext}$versuffix 
${libname}${shared_ext}$versuffix' - finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - if test "$with_gnu_ld" = yes; then - need_lib_prefix=no - fi - need_version=yes - ;; +case $ac_cv_c_inline in + inline | yes) ;; + *) + case $ac_cv_c_inline in + no) ac_val=;; + *) ac_val=$ac_cv_c_inline;; + esac + cat >>confdefs.h <<_ACEOF +#ifndef __cplusplus +#define inline $ac_val +#endif +_ACEOF + ;; +esac -sysv4 | sysv4.3*) - version_type=linux - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - case $host_vendor in - sni) - shlibpath_overrides_runpath=no - need_lib_prefix=no - export_dynamic_flag_spec='${wl}-Blargedynsym' - runpath_var=LD_RUN_PATH - ;; - siemens) - need_lib_prefix=no - ;; - motorola) - need_lib_prefix=no - need_version=no - shlibpath_overrides_runpath=no - sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib' - ;; - esac - ;; -sysv4*MP*) - if test -d /usr/nec ;then - version_type=linux - library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}' - soname_spec='$libname${shared_ext}.$major' - shlibpath_var=LD_LIBRARY_PATH - fi - ;; +#AC_CANONICAL_HOST +linux="no" +sunos4="no" +so_with_static_lib="yes" -sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*) - version_type=freebsd-elf - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - hardcode_into_libs=yes - if test "$with_gnu_ld" = yes; then - sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' - shlibpath_overrides_runpath=no - else - sys_lib_search_path_spec='/usr/ccs/lib /usr/lib' - 
shlibpath_overrides_runpath=yes - case $host_os in - sco3.2v5*) - sys_lib_search_path_spec="$sys_lib_search_path_spec /lib" - ;; - esac - fi - sys_lib_dlsearch_path_spec='/usr/lib' - ;; +case "$host" in + *-openbsd2.6|*-openbsd2.5|*-openbsd2.4|*-openbsd2.3*) -uts4*) - version_type=linux - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - ;; +cat >>confdefs.h <<\_ACEOF +#define OPENBSD 1 +_ACEOF -*) - dynamic_linker=no - ;; -esac -{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5 -echo "${ECHO_T}$dynamic_linker" >&6; } -test "$dynamic_linker" = no && can_build_shared=no -variables_saved_for_relink="PATH $shlibpath_var $runpath_var" -if test "$GCC" = yes; then - variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH" -fi +cat >>confdefs.h <<\_ACEOF +#define BROKEN_SIOCGIFMTU 1 +_ACEOF -{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5 -echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; } -hardcode_action_GCJ= -if test -n "$hardcode_libdir_flag_spec_GCJ" || \ - test -n "$runpath_var_GCJ" || \ - test "X$hardcode_automatic_GCJ" = "Xyes" ; then + so_with_static_lib="no" - # We can hardcode non-existant directories. - if test "$hardcode_direct_GCJ" != no && - # If the only mechanism to avoid hardcoding is shlibpath_var, we - # have to relink, otherwise we might link with an installed library - # when we should be linking with a yet-to-be-installed one - ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, GCJ)" != no && - test "$hardcode_minus_L_GCJ" != no; then - # Linking always hardcodes the temporary library directory. - hardcode_action_GCJ=relink - else - # We can link without hardcoding, and we can hardcode nonexisting dirs. 
- hardcode_action_GCJ=immediate - fi -else - # We cannot hardcode anything, or else we can only hardcode existing - # directories. - hardcode_action_GCJ=unsupported -fi -{ echo "$as_me:$LINENO: result: $hardcode_action_GCJ" >&5 -echo "${ECHO_T}$hardcode_action_GCJ" >&6; } + ;; + *-openbsd*) -if test "$hardcode_action_GCJ" = relink; then - # Fast installation is not supported - enable_fast_install=no -elif test "$shlibpath_overrides_runpath" = yes || - test "$enable_shared" = no; then - # Fast installation is not necessary - enable_fast_install=needless -fi +cat >>confdefs.h <<\_ACEOF +#define OPENBSD 1 +_ACEOF + so_with_static_lib="no" -# The else clause should only fire when bootstrapping the -# libtool distribution, otherwise you forgot to ship ltmain.sh -# with your package, and you will get complaints that there are -# no rules to generate ltmain.sh. -if test -f "$ltmain"; then - # See if we are running on zsh, and set the options which allow our commands through - # without removal of \ escapes. - if test -n "${ZSH_VERSION+set}" ; then - setopt NO_GLOB_SUBST - fi - # Now quote all the things that may contain metacharacters while being - # careful not to overquote the AC_SUBSTed values. We take copies of the - # variables and quote the copies for generation of the libtool script. 
- for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \ - SED SHELL STRIP \ - libname_spec library_names_spec soname_spec extract_expsyms_cmds \ - old_striplib striplib file_magic_cmd finish_cmds finish_eval \ - deplibs_check_method reload_flag reload_cmds need_locks \ - lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \ - lt_cv_sys_global_symbol_to_c_name_address \ - sys_lib_search_path_spec sys_lib_dlsearch_path_spec \ - old_postinstall_cmds old_postuninstall_cmds \ - compiler_GCJ \ - CC_GCJ \ - LD_GCJ \ - lt_prog_compiler_wl_GCJ \ - lt_prog_compiler_pic_GCJ \ - lt_prog_compiler_static_GCJ \ - lt_prog_compiler_no_builtin_flag_GCJ \ - export_dynamic_flag_spec_GCJ \ - thread_safe_flag_spec_GCJ \ - whole_archive_flag_spec_GCJ \ - enable_shared_with_static_runtimes_GCJ \ - old_archive_cmds_GCJ \ - old_archive_from_new_cmds_GCJ \ - predep_objects_GCJ \ - postdep_objects_GCJ \ - predeps_GCJ \ - postdeps_GCJ \ - compiler_lib_search_path_GCJ \ - archive_cmds_GCJ \ - archive_expsym_cmds_GCJ \ - postinstall_cmds_GCJ \ - postuninstall_cmds_GCJ \ - old_archive_from_expsyms_cmds_GCJ \ - allow_undefined_flag_GCJ \ - no_undefined_flag_GCJ \ - export_symbols_cmds_GCJ \ - hardcode_libdir_flag_spec_GCJ \ - hardcode_libdir_flag_spec_ld_GCJ \ - hardcode_libdir_separator_GCJ \ - hardcode_automatic_GCJ \ - module_cmds_GCJ \ - module_expsym_cmds_GCJ \ - lt_cv_prog_compiler_c_o_GCJ \ - exclude_expsyms_GCJ \ - include_expsyms_GCJ; do - - case $var in - old_archive_cmds_GCJ | \ - old_archive_from_new_cmds_GCJ | \ - archive_cmds_GCJ | \ - archive_expsym_cmds_GCJ | \ - module_cmds_GCJ | \ - module_expsym_cmds_GCJ | \ - old_archive_from_expsyms_cmds_GCJ | \ - export_symbols_cmds_GCJ | \ - extract_expsyms_cmds | reload_cmds | finish_cmds | \ - postinstall_cmds | postuninstall_cmds | \ - old_postinstall_cmds | old_postuninstall_cmds | \ - sys_lib_search_path_spec | sys_lib_dlsearch_path_spec) - # Double-quote double-evaled strings. 
- eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\"" - ;; - *) - eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\"" - ;; - esac - done + ;; + *-sgi-irix5*) + +cat >>confdefs.h <<\_ACEOF +#define IRIX 1 +_ACEOF - case $lt_echo in - *'\$0 --fallback-echo"') - lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'` + no_libsocket="yes" + no_libnsl="yes" + if test -z "$GCC"; then + sgi_cc="yes" + fi + LDFLAGS="${LDFLAGS} -L/usr/local/lib" + extra_incl="-I/usr/local/include" ;; - esac + *-sgi-irix6*) -cfgfile="$ofile" +cat >>confdefs.h <<\_ACEOF +#define IRIX 1 +_ACEOF - cat <<__EOF__ >> "$cfgfile" -# ### BEGIN LIBTOOL TAG CONFIG: $tagname + no_libsocket="yes" + no_libnsl="yes" + if test -z "$GCC"; then + sgi_cc="yes" + fi + LDFLAGS="${LDFLAGS} -L/usr/local/lib" + extra_incl="-I/usr/local/include" + ;; + *-solaris*) -# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`: +cat >>confdefs.h <<\_ACEOF +#define SOLARIS 1 +_ACEOF -# Shell to use when invoking shell scripts. -SHELL=$lt_SHELL + CONFIGFLAGS="${CONFIGFLAGS} -DBSD_COMP -D_REENTRANT" + rt_nanosleep="yes" + ;; + *-sunos*) -# Whether or not to build shared libraries. -build_libtool_libs=$enable_shared +cat >>confdefs.h <<\_ACEOF +#define SUNOS 1 +_ACEOF -# Whether or not to build static libraries. -build_old_libs=$enable_static + sunos4="yes" + ;; + *-linux*) + linux="yes" -# Whether or not to add -lc for building shared libraries. -build_libtool_need_lc=$archive_cmds_need_lc_GCJ +cat >>confdefs.h <<\_ACEOF +#define LINUX 1 +_ACEOF -# Whether or not to disallow shared libs when runtime libs are static -allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_GCJ -# Whether or not to optimize for fast installation. 
-fast_install=$enable_fast_install + extra_incl="-I/usr/include/pcap" + ;; + *-hpux10*|*-hpux11*) -# The host system. -host_alias=$host_alias -host=$host -host_os=$host_os +cat >>confdefs.h <<\_ACEOF +#define HPUX 1 +_ACEOF -# The build system. -build_alias=$build_alias -build=$build -build_os=$build_os -# An echo program that does not interpret backslashes. -echo=$lt_echo +cat >>confdefs.h <<\_ACEOF +#define WORDS_BIGENDIAN 1 +_ACEOF -# The archiver. -AR=$lt_AR -AR_FLAGS=$lt_AR_FLAGS -# A C compiler. -LTCC=$lt_LTCC + extra_incl="-I/usr/local/include" + ;; + *-freebsd*) + +cat >>confdefs.h <<\_ACEOF +#define FREEBSD 1 +_ACEOF + + ;; + *-bsdi*) -# LTCC compiler flags. -LTCFLAGS=$lt_LTCFLAGS +cat >>confdefs.h <<\_ACEOF +#define BSDI 1 +_ACEOF -# A language-specific compiler. -CC=$lt_compiler_GCJ + ;; + *-aix*) -# Is the compiler the GNU C compiler? -with_gcc=$GCC_GCJ +cat >>confdefs.h <<\_ACEOF +#define AIX 1 +_ACEOF -# An ERE matcher. -EGREP=$lt_EGREP + ;; + *-osf4*) -# The linker used to build libraries. -LD=$lt_LD_GCJ +cat >>confdefs.h <<\_ACEOF +#define OSF1 1 +_ACEOF -# Whether we need hard or soft links. -LN_S=$lt_LN_S + CONFIGFLAGS="${CONFIGFLAGS} -DOSF1" + ;; + *-osf5.1*) -# A BSD-compatible nm program. -NM=$lt_NM +cat >>confdefs.h <<\_ACEOF +#define OSF1 1 +_ACEOF -# A symbol stripping program -STRIP=$lt_STRIP + CONFIGFLAGS="${CONFIGFLAGS} -DOSF1" + ;; + *-tru64*) -# Used to examine libraries when file_magic_cmd begins "file" -MAGIC_CMD=$MAGIC_CMD +cat >>confdefs.h <<\_ACEOF +#define OSF1 1 +_ACEOF -# Used on cygwin: DLL creation program. -DLLTOOL="$DLLTOOL" + CONFIGFLAGS="${CONFIGFLAGS} -DOSF1" + ;; +# it is actually -apple-darwin1.2 or -apple-rhapsody5.x but lets stick with this for the moment + *-apple*) -# Used on cygwin: object dumper. -OBJDUMP="$OBJDUMP" +cat >>confdefs.h <<\_ACEOF +#define MACOS 1 +_ACEOF -# Used on cygwin: assembler. -AS="$AS" -# The name of the directory that contains temporary libtool files. 
-objdir=$objdir +cat >>confdefs.h <<\_ACEOF +#define BROKEN_SIOCGIFMTU 1 +_ACEOF -# How to create reloadable object files. -reload_flag=$lt_reload_flag -reload_cmds=$lt_reload_cmds + LDFLAGS="${LDFLAGS} -L/sw/lib" + extra_incl="-I/sw/include" +esac -# How to pass a linker flag through the compiler. -wl=$lt_lt_prog_compiler_wl_GCJ +{ $as_echo "$as_me:$LINENO: checking for stdbool.h that conforms to C99" >&5 +$as_echo_n "checking for stdbool.h that conforms to C99... " >&6; } +if test "${ac_cv_header_stdbool_h+set}" = set; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ -# Object file suffix (normally "o"). -objext="$ac_objext" +#include +#ifndef bool + "error: bool is not defined" +#endif +#ifndef false + "error: false is not defined" +#endif +#if false + "error: false is not 0" +#endif +#ifndef true + "error: true is not defined" +#endif +#if true != 1 + "error: true is not 1" +#endif +#ifndef __bool_true_false_are_defined + "error: __bool_true_false_are_defined is not defined" +#endif -# Old archive suffix (normally "a"). -libext="$libext" + struct s { _Bool s: 1; _Bool t; } s; -# Shared library suffix (normally ".so"). -shrext_cmds='$shrext_cmds' + char a[true == 1 ? 1 : -1]; + char b[false == 0 ? 1 : -1]; + char c[__bool_true_false_are_defined == 1 ? 1 : -1]; + char d[(bool) 0.5 == true ? 1 : -1]; + bool e = &s; + char f[(_Bool) 0.0 == false ? 1 : -1]; + char g[true]; + char h[sizeof (_Bool)]; + char i[sizeof s.t]; + enum { j = false, k = true, l = false * true, m = true * 256 }; + /* The following fails for + HP aC++/ANSI C B3910B A.05.55 [Dec 04 2003]. */ + _Bool n[m]; + char o[sizeof n == m * sizeof n[0] ? 1 : -1]; + char p[-1 - (_Bool) 0 < 0 && -1 - (bool) 0 < 0 ? 
1 : -1]; +# if defined __xlc__ || defined __GNUC__ + /* Catch a bug in IBM AIX xlc compiler version 6.0.0.0 + reported by James Lemley on 2005-10-05; see + http://lists.gnu.org/archive/html/bug-coreutils/2005-10/msg00086.html + This test is not quite right, since xlc is allowed to + reject this program, as the initializer for xlcbug is + not one of the forms that C requires support for. + However, doing the test right would require a runtime + test, and that would make cross-compilation harder. + Let us hope that IBM fixes the xlc bug, and also adds + support for this kind of constant expression. In the + meantime, this test will reject xlc, which is OK, since + our stdbool.h substitute should suffice. We also test + this with GCC, where it should work, to detect more + quickly whether someone messes up the test in the + future. */ + char digs[] = "0123456789"; + int xlcbug = 1 / (&(digs + 5)[-2 + (bool) 1] == &digs[4] ? 1 : -1); +# endif + /* Catch a bug in an HP-UX C compiler. See + http://gcc.gnu.org/ml/gcc-patches/2003-12/msg02303.html + http://lists.gnu.org/archive/html/bug-coreutils/2005-11/msg00161.html + */ + _Bool q = true; + _Bool *pq = &q; -# Executable file suffix (normally ""). -exeext="$exeext" +int +main () +{ -# Additional compiler flags for building library objects. -pic_flag=$lt_lt_prog_compiler_pic_GCJ -pic_mode=$pic_mode + *pq |= q; + *pq |= ! q; + /* Refer to every declared value, to avoid compiler optimizations. */ + return (!a + !b + !c + !d + !e + !f + !g + !h + !i + !!j + !k + !!l + + !m + !n + !o + !p + !q + !pq); -# What is the maximum length of a command? -max_cmd_len=$lt_cv_sys_max_cmd_len + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? 
+ grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_cv_header_stdbool_h=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -# Does compiler simultaneously support -c and -o options? -compiler_c_o=$lt_lt_cv_prog_compiler_c_o_GCJ + ac_cv_header_stdbool_h=no +fi -# Must we lock files when doing compilation? -need_locks=$lt_need_locks +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_stdbool_h" >&5 +$as_echo "$ac_cv_header_stdbool_h" >&6; } +{ $as_echo "$as_me:$LINENO: checking for _Bool" >&5 +$as_echo_n "checking for _Bool... " >&6; } +if test "${ac_cv_type__Bool+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_cv_type__Bool=no +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof (_Bool)) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +$ac_includes_default +int +main () +{ +if (sizeof ((_Bool))) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + : +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -# Do we need the lib prefix for modules? -need_lib_prefix=$need_lib_prefix + ac_cv_type__Bool=yes +fi -# Do we need a version for libraries? -need_version=$need_version +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -# Whether dlopen is supported. -dlopen_support=$enable_dlopen -# Whether dlopen of programs is supported. -dlopen_self=$enable_dlopen_self +fi -# Whether dlopen of statically linked programs is supported. -dlopen_self_static=$enable_dlopen_self_static +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type__Bool" >&5 +$as_echo "$ac_cv_type__Bool" >&6; } +if test "x$ac_cv_type__Bool" = x""yes; then -# Compiler flag to prevent dynamic linking. -link_static_flag=$lt_lt_prog_compiler_static_GCJ +cat >>confdefs.h <<_ACEOF +#define HAVE__BOOL 1 +_ACEOF -# Compiler flag to turn off builtin functions. -no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_GCJ -# Compiler flag to allow reflexive dlopens. -export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_GCJ +fi -# Compiler flag to generate shared objects directly from archives. 
-whole_archive_flag_spec=$lt_whole_archive_flag_spec_GCJ +if test $ac_cv_header_stdbool_h = yes; then -# Compiler flag to generate thread-safe objects. -thread_safe_flag_spec=$lt_thread_safe_flag_spec_GCJ +cat >>confdefs.h <<\_ACEOF +#define HAVE_STDBOOL_H 1 +_ACEOF -# Library versioning type. -version_type=$version_type +fi -# Format of library name prefix. -libname_spec=$lt_libname_spec -# List of archive names. First name is the real one, the rest are links. -# The last name is the one that the linker finds with -lNAME. -library_names_spec=$lt_library_names_spec +# ICC stuff +ICC=no +if eval "echo $CC | grep icc > /dev/null" ; then + if eval "$CC -help | grep libcxa > /dev/null" ; then + CFLAGS="$CFLAGS -static-libcxa" + LDFLAGS="$LDFLAGS -static-libcxa" + XCCFLAGS="-XCClinker -static-libcxa" + else + CFLAGS="$CFLAGS -static-intel" + LDFLAGS="$LDFLAGS -static-intel" + XCCFLAGS="-XCClinker -static-intel" + fi + #CFLAGS=`echo $CFLAGS | sed 's/-O2/-O3/'` + CFLAGS="$CFLAGS -O3 -ip -w1" + ICC=yes + GCC= +fi -# The coded name of the library, if different from the real name. -soname_spec=$lt_soname_spec -# Commands used to build and install an old-style archive. -RANLIB=$lt_RANLIB -old_archive_cmds=$lt_old_archive_cmds_GCJ -old_postinstall_cmds=$lt_old_postinstall_cmds -old_postuninstall_cmds=$lt_old_postuninstall_cmds +# This is really meant for Solaris Sparc v9 where it has 32bit and 64bit +# capability but builds 32bit by default +# Check whether --enable-64bit-gcc was given. +if test "${enable_64bit_gcc+set}" = set; then + enableval=$enable_64bit_gcc; enable_64bit_gcc="$enableval" +else + enable_64bit_gcc="no" +fi -# Create an old-style archive from a shared archive. -old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_GCJ +if test "x$enable_64bit_gcc" = "xyes"; then + CFLAGS="$CFLAGS -m64" +fi -# Create a temporary old-style archive to link instead of a shared archive. 
-old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_GCJ +# AC_PROG_YACC defaults to "yacc" when not found +# this check defaults to "none" +for ac_prog in bison yacc +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_YACC+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$YACC"; then + ac_cv_prog_YACC="$YACC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_YACC="$ac_prog" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS -# Commands used to build and install a shared archive. -archive_cmds=$lt_archive_cmds_GCJ -archive_expsym_cmds=$lt_archive_expsym_cmds_GCJ -postinstall_cmds=$lt_postinstall_cmds -postuninstall_cmds=$lt_postuninstall_cmds +fi +fi +YACC=$ac_cv_prog_YACC +if test -n "$YACC"; then + { $as_echo "$as_me:$LINENO: result: $YACC" >&5 +$as_echo "$YACC" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi -# Commands used to build a loadable module (assumed same as above if empty) -module_cmds=$lt_module_cmds_GCJ -module_expsym_cmds=$lt_module_expsym_cmds_GCJ -# Commands to strip libraries. -old_striplib=$lt_old_striplib -striplib=$lt_striplib + test -n "$YACC" && break +done +test -n "$YACC" || YACC="none" -# Dependencies to place before the objects being linked to create a -# shared library. -predep_objects=$lt_predep_objects_GCJ - -# Dependencies to place after the objects being linked to create a -# shared library. 
-postdep_objects=$lt_postdep_objects_GCJ - -# Dependencies to place before the objects being linked to create a -# shared library. -predeps=$lt_predeps_GCJ - -# Dependencies to place after the objects being linked to create a -# shared library. -postdeps=$lt_postdeps_GCJ - -# The library search path used internally by the compiler when linking -# a shared library. -compiler_lib_search_path=$lt_compiler_lib_search_path_GCJ +# AC_PROG_YACC includes the -y arg if bison is found +if test "x$YACC" = "xbison"; then + YACC="$YACC -y" +fi -# Method to check whether dependent libraries are shared objects. -deplibs_check_method=$lt_deplibs_check_method +# AC_PROG_LEX defaults to ":" when not found +# this check defaults to "none" +# We're using flex specific options so we don't support lex +for ac_prog in flex +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_LEX+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$LEX"; then + ac_cv_prog_LEX="$LEX" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_LEX="$ac_prog" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS -# Command to use when deplibs_check_method == file_magic. -file_magic_cmd=$lt_file_magic_cmd +fi +fi +LEX=$ac_cv_prog_LEX +if test -n "$LEX"; then + { $as_echo "$as_me:$LINENO: result: $LEX" >&5 +$as_echo "$LEX" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi -# Flag that allows shared libraries with undefined symbols to be built. 
-allow_undefined_flag=$lt_allow_undefined_flag_GCJ -# Flag that forces no undefined symbols. -no_undefined_flag=$lt_no_undefined_flag_GCJ + test -n "$LEX" && break +done +test -n "$LEX" || LEX="none" -# Commands used to finish a libtool library installation in a directory. -finish_cmds=$lt_finish_cmds -# Same as above, but a single script fragment to be evaled but not shown. -finish_eval=$lt_finish_eval +# -# Take the output of nm and produce a listing of raw symbols and C names. -global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe -# Transform the output of nm in a proper C declaration -global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl -# Transform the output of nm in a C name address pair -global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address -# This is the shared library runtime path variable. -runpath_var=$runpath_var -# This is the shared library path variable. -shlibpath_var=$shlibpath_var -# Is shlibpath searched before the hard-coded library search path? -shlibpath_overrides_runpath=$shlibpath_overrides_runpath -# How to hardcode a shared library path into an executable. -hardcode_action=$hardcode_action_GCJ -# Whether we should hardcode library paths into libraries. -hardcode_into_libs=$hardcode_into_libs -# Flag to hardcode \$libdir into a binary during linking. -# This must work even if \$libdir does not exist. -hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_GCJ -# If ld is used when linking, flag to hardcode \$libdir into -# a binary during linking. This must work even if \$libdir does -# not exist. -hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_GCJ - -# Whether we need a single -rpath flag with a separated argument. -hardcode_libdir_separator=$lt_hardcode_libdir_separator_GCJ - -# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the -# resulting binary. 
-hardcode_direct=$hardcode_direct_GCJ - -# Set to yes if using the -LDIR flag during linking hardcodes DIR into the -# resulting binary. -hardcode_minus_L=$hardcode_minus_L_GCJ - -# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into -# the resulting binary. -hardcode_shlibpath_var=$hardcode_shlibpath_var_GCJ - -# Set to yes if building a shared library automatically hardcodes DIR into the library -# and all subsequent libraries and executables linked against it. -hardcode_automatic=$hardcode_automatic_GCJ +for ac_header in \ + inttypes.h \ + math.h \ + paths.h \ + stdlib.h \ + string.h \ + strings.h \ + unistd.h \ + wchar.h \ + sys/sockio.h \ -# Variables whose values should be saved in libtool wrapper scripts and -# restored at relink time. -variables_saved_for_relink="$variables_saved_for_relink" +do +as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +else + # Is the header compilable? +{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5 +$as_echo_n "checking $ac_header usability... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +#include <$ac_header> +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? 
+ grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_header_compiler=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -# Whether libtool must link a program against all its dependency libraries. -link_all_deplibs=$link_all_deplibs_GCJ + ac_header_compiler=no +fi -# Compile-time system search path for libraries -sys_lib_search_path_spec=$lt_sys_lib_search_path_spec +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +$as_echo "$ac_header_compiler" >&6; } -# Run-time system search path for libraries -sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec +# Is the header present? +{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5 +$as_echo_n "checking $ac_header presence... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include <$ac_header> +_ACEOF +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then + ac_header_preproc=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -# Fix the shell variable \$srcfile for the compiler. 
-fix_srcfile_path="$fix_srcfile_path_GCJ" + ac_header_preproc=no +fi -# Set to yes if exported symbols are required. -always_export_symbols=$always_export_symbols_GCJ +rm -f conftest.err conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +$as_echo "$ac_header_preproc" >&6; } -# The commands to list exported symbols. -export_symbols_cmds=$lt_export_symbols_cmds_GCJ +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in + yes:no: ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 +$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} + ac_header_preproc=yes + ;; + no:yes:* ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 +$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 +$as_echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" 
>&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 +$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 +$as_echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 +$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} -# The commands to extract the exported symbol list from a shared archive. -extract_expsyms_cmds=$lt_extract_expsyms_cmds + ;; +esac +{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + eval "$as_ac_Header=\$ac_header_preproc" +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } -# Symbols that should not be listed in the preloaded symbols. -exclude_expsyms=$lt_exclude_expsyms_GCJ +fi +as_val=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF -# Symbols that must always be exported. -include_expsyms=$lt_include_expsyms_GCJ +fi -# ### END LIBTOOL TAG CONFIG: $tagname +done -__EOF__ +if test "x$ac_cv_header_wchar_h" = "xyes"; then + CONFIGFLAGS="${CONFIGFLAGS} -DSF_WCHAR" +fi +{ $as_echo "$as_me:$LINENO: checking for floor in -lm" >&5 +$as_echo_n "checking for floor in -lm... 
" >&6; } +if test "${ac_cv_lib_m_floor+set}" = set; then + $as_echo_n "(cached) " >&6 else - # If there is no Makefile yet, we rely on a make rule to execute - # `config.status --recheck' to rerun these tests and create the - # libtool script then. - ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'` - if test -f "$ltmain_in"; then - test -f Makefile && make "$ltmain" - fi -fi + ac_check_lib_save_LIBS=$LIBS +LIBS="-lm $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char floor (); +int +main () +{ +return floor (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_m_floor=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu + ac_cv_lib_m_floor=no +fi -CC="$lt_save_CC" +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_m_floor" >&5 +$as_echo "$ac_cv_lib_m_floor" >&6; } +if test "x$ac_cv_lib_m_floor" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBM 1 +_ACEOF - else - tagname="" - fi - ;; + LIBS="-lm $LIBS" - RC) +fi -# Source file extension for RC test sources. -ac_ext=rc +{ $as_echo "$as_me:$LINENO: checking for ceil in -lm" >&5 +$as_echo_n "checking for ceil in -lm... " >&6; } +if test "${ac_cv_lib_m_ceil+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lm $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ -# Object file extension for compiled RC test sources. -objext=o -objext_RC=$objext +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char ceil (); +int +main () +{ +return ceil (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_m_ceil=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -# Code to be used in simple compile tests -lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }\n' + ac_cv_lib_m_ceil=no +fi -# Code to be used in simple link tests -lt_simple_link_test_code="$lt_simple_compile_test_code" +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_m_ceil" >&5 +$as_echo "$ac_cv_lib_m_ceil" >&6; } +if test "x$ac_cv_lib_m_ceil" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBM 1 +_ACEOF -# ltmain only uses $CC for tagged configurations so make sure $CC is set. + LIBS="-lm $LIBS" -# If no C compiler was specified, use CC. -LTCC=${LTCC-"$CC"} +fi -# If no C compiler flags were specified, use CFLAGS. -LTCFLAGS=${LTCFLAGS-"$CFLAGS"} -# Allow CC to be a program name with arguments. 
-compiler=$CC +for ac_header in uuid/uuid.h +do +as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +else + # Is the header compilable? +{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5 +$as_echo_n "checking $ac_header usability... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +#include <$ac_header> +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + ac_header_compiler=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -# save warnings/boilerplate of simple test code -ac_outfile=conftest.$ac_objext -printf "$lt_simple_compile_test_code" >conftest.$ac_ext -eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err -_lt_compiler_boilerplate=`cat conftest.err` -$rm conftest* + ac_header_compiler=no +fi -ac_outfile=conftest.$ac_objext -printf "$lt_simple_link_test_code" >conftest.$ac_ext -eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err -_lt_linker_boilerplate=`cat conftest.err` -$rm conftest* +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +$as_echo "$ac_header_compiler" >&6; } +# Is the header present? +{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5 +$as_echo_n "checking $ac_header presence... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include <$ac_header> +_ACEOF +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then + ac_header_preproc=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -# Allow CC to be a program name with arguments. 
-lt_save_CC="$CC" -CC=${RC-"windres"} -compiler=$CC -compiler_RC=$CC -for cc_temp in $compiler""; do - case $cc_temp in - compile | *[\\/]compile | ccache | *[\\/]ccache ) ;; - distcc | *[\\/]distcc | purify | *[\\/]purify ) ;; - \-*) ;; - *) break;; - esac -done -cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"` + ac_header_preproc=no +fi -lt_cv_prog_compiler_c_o_RC=yes +rm -f conftest.err conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +$as_echo "$ac_header_preproc" >&6; } -# The else clause should only fire when bootstrapping the -# libtool distribution, otherwise you forgot to ship ltmain.sh -# with your package, and you will get complaints that there are -# no rules to generate ltmain.sh. -if test -f "$ltmain"; then - # See if we are running on zsh, and set the options which allow our commands through - # without removal of \ escapes. - if test -n "${ZSH_VERSION+set}" ; then - setopt NO_GLOB_SUBST - fi - # Now quote all the things that may contain metacharacters while being - # careful not to overquote the AC_SUBSTed values. We take copies of the - # variables and quote the copies for generation of the libtool script. 
- for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \ - SED SHELL STRIP \ - libname_spec library_names_spec soname_spec extract_expsyms_cmds \ - old_striplib striplib file_magic_cmd finish_cmds finish_eval \ - deplibs_check_method reload_flag reload_cmds need_locks \ - lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \ - lt_cv_sys_global_symbol_to_c_name_address \ - sys_lib_search_path_spec sys_lib_dlsearch_path_spec \ - old_postinstall_cmds old_postuninstall_cmds \ - compiler_RC \ - CC_RC \ - LD_RC \ - lt_prog_compiler_wl_RC \ - lt_prog_compiler_pic_RC \ - lt_prog_compiler_static_RC \ - lt_prog_compiler_no_builtin_flag_RC \ - export_dynamic_flag_spec_RC \ - thread_safe_flag_spec_RC \ - whole_archive_flag_spec_RC \ - enable_shared_with_static_runtimes_RC \ - old_archive_cmds_RC \ - old_archive_from_new_cmds_RC \ - predep_objects_RC \ - postdep_objects_RC \ - predeps_RC \ - postdeps_RC \ - compiler_lib_search_path_RC \ - archive_cmds_RC \ - archive_expsym_cmds_RC \ - postinstall_cmds_RC \ - postuninstall_cmds_RC \ - old_archive_from_expsyms_cmds_RC \ - allow_undefined_flag_RC \ - no_undefined_flag_RC \ - export_symbols_cmds_RC \ - hardcode_libdir_flag_spec_RC \ - hardcode_libdir_flag_spec_ld_RC \ - hardcode_libdir_separator_RC \ - hardcode_automatic_RC \ - module_cmds_RC \ - module_expsym_cmds_RC \ - lt_cv_prog_compiler_c_o_RC \ - exclude_expsyms_RC \ - include_expsyms_RC; do - - case $var in - old_archive_cmds_RC | \ - old_archive_from_new_cmds_RC | \ - archive_cmds_RC | \ - archive_expsym_cmds_RC | \ - module_cmds_RC | \ - module_expsym_cmds_RC | \ - old_archive_from_expsyms_cmds_RC | \ - export_symbols_cmds_RC | \ - extract_expsyms_cmds | reload_cmds | finish_cmds | \ - postinstall_cmds | postuninstall_cmds | \ - old_postinstall_cmds | old_postuninstall_cmds | \ - sys_lib_search_path_spec | sys_lib_dlsearch_path_spec) - # Double-quote double-evaled strings. 
- eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\"" - ;; - *) - eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\"" - ;; - esac - done +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in + yes:no: ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 +$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} + ac_header_preproc=yes + ;; + no:yes:* ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 +$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 +$as_echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" 
>&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 +$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 +$as_echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 +$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} - case $lt_echo in - *'\$0 --fallback-echo"') - lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'` ;; - esac +esac +{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + eval "$as_ac_Header=\$ac_header_preproc" +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + +fi +as_val=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF -cfgfile="$ofile" +{ $as_echo "$as_me:$LINENO: checking for uuid_parse in -luuid" >&5 +$as_echo_n "checking for uuid_parse in -luuid... " >&6; } +if test "${ac_cv_lib_uuid_uuid_parse+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-luuid $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ - cat <<__EOF__ >> "$cfgfile" -# ### BEGIN LIBTOOL TAG CONFIG: $tagname +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char uuid_parse (); +int +main () +{ +return uuid_parse (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_uuid_uuid_parse=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`: + ac_cv_lib_uuid_uuid_parse=no +fi -# Shell to use when invoking shell scripts. -SHELL=$lt_SHELL +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_uuid_uuid_parse" >&5 +$as_echo "$ac_cv_lib_uuid_uuid_parse" >&6; } +if test "x$ac_cv_lib_uuid_uuid_parse" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBUUID 1 +_ACEOF -# Whether or not to build shared libraries. -build_libtool_libs=$enable_shared + LIBS="-luuid $LIBS" -# Whether or not to build static libraries. -build_old_libs=$enable_static +fi -# Whether or not to add -lc for building shared libraries. 
-build_libtool_need_lc=$archive_cmds_need_lc_RC +fi -# Whether or not to disallow shared libs when runtime libs are static -allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_RC +done -# Whether or not to optimize for fast installation. -fast_install=$enable_fast_install -# The host system. -host_alias=$host_alias -host=$host -host_os=$host_os +if test "x$rt_nanosleep" = "xyes"; then -# The build system. -build_alias=$build_alias -build=$build -build_os=$build_os +{ $as_echo "$as_me:$LINENO: checking for nanosleep in -lrt" >&5 +$as_echo_n "checking for nanosleep in -lrt... " >&6; } +if test "${ac_cv_lib_rt_nanosleep+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lrt $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ -# An echo program that does not interpret backslashes. -echo=$lt_echo +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char nanosleep (); +int +main () +{ +return nanosleep (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_rt_nanosleep=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -# The archiver. -AR=$lt_AR -AR_FLAGS=$lt_AR_FLAGS + ac_cv_lib_rt_nanosleep=no +fi -# A C compiler. -LTCC=$lt_LTCC +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_rt_nanosleep" >&5 +$as_echo "$ac_cv_lib_rt_nanosleep" >&6; } +if test "x$ac_cv_lib_rt_nanosleep" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBRT 1 +_ACEOF -# LTCC compiler flags. -LTCFLAGS=$lt_LTCFLAGS + LIBS="-lrt $LIBS" -# A language-specific compiler. -CC=$lt_compiler_RC +fi -# Is the compiler the GNU C compiler? -with_gcc=$GCC_RC +fi -# An ERE matcher. -EGREP=$lt_EGREP +if test -z "$no_libnsl"; then -# The linker used to build libraries. -LD=$lt_LD_RC +{ $as_echo "$as_me:$LINENO: checking for inet_ntoa in -lnsl" >&5 +$as_echo_n "checking for inet_ntoa in -lnsl... " >&6; } +if test "${ac_cv_lib_nsl_inet_ntoa+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnsl $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ -# Whether we need hard or soft links. -LN_S=$lt_LN_S +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char inet_ntoa (); +int +main () +{ +return inet_ntoa (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_nsl_inet_ntoa=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -# A BSD-compatible nm program. -NM=$lt_NM + ac_cv_lib_nsl_inet_ntoa=no +fi -# A symbol stripping program -STRIP=$lt_STRIP +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_nsl_inet_ntoa" >&5 +$as_echo "$ac_cv_lib_nsl_inet_ntoa" >&6; } +if test "x$ac_cv_lib_nsl_inet_ntoa" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBNSL 1 +_ACEOF -# Used to examine libraries when file_magic_cmd begins "file" -MAGIC_CMD=$MAGIC_CMD + LIBS="-lnsl $LIBS" -# Used on cygwin: DLL creation program. -DLLTOOL="$DLLTOOL" +fi -# Used on cygwin: object dumper. -OBJDUMP="$OBJDUMP" +fi -# Used on cygwin: assembler. -AS="$AS" +if test -z "$no_libsocket"; then -# The name of the directory that contains temporary libtool files. -objdir=$objdir +{ $as_echo "$as_me:$LINENO: checking for socket in -lsocket" >&5 +$as_echo_n "checking for socket in -lsocket... 
" >&6; } +if test "${ac_cv_lib_socket_socket+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lsocket $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ -# How to create reloadable object files. -reload_flag=$lt_reload_flag -reload_cmds=$lt_reload_cmds +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char socket (); +int +main () +{ +return socket (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_socket_socket=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -# How to pass a linker flag through the compiler. -wl=$lt_lt_prog_compiler_wl_RC + ac_cv_lib_socket_socket=no +fi -# Object file suffix (normally "o"). 
-objext="$ac_objext" +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_socket_socket" >&5 +$as_echo "$ac_cv_lib_socket_socket" >&6; } +if test "x$ac_cv_lib_socket_socket" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBSOCKET 1 +_ACEOF -# Old archive suffix (normally "a"). -libext="$libext" + LIBS="-lsocket $LIBS" -# Shared library suffix (normally ".so"). -shrext_cmds='$shrext_cmds' +fi -# Executable file suffix (normally ""). -exeext="$exeext" +fi -# Additional compiler flags for building library objects. -pic_flag=$lt_lt_prog_compiler_pic_RC -pic_mode=$pic_mode +# SunOS4 has several things `broken' +if test "$sunos4" != "no"; then -# What is the maximum length of a command? -max_cmd_len=$lt_cv_sys_max_cmd_len +for ac_func in vsnprintf +do +as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5 +$as_echo_n "checking for $ac_func... " >&6; } +if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Define $ac_func to an innocuous variant, in case declares $ac_func. + For example, HP-UX 11i declares gettimeofday. */ +#define $ac_func innocuous_$ac_func -# Does compiler simultaneously support -c and -o options? -compiler_c_o=$lt_lt_cv_prog_compiler_c_o_RC +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ -# Must we lock files when doing compilation? -need_locks=$lt_need_locks +#ifdef __STDC__ +# include +#else +# include +#endif -# Do we need the lib prefix for modules? 
-need_lib_prefix=$need_lib_prefix +#undef $ac_func -# Do we need a version for libraries? -need_version=$need_version +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char $ac_func (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined __stub_$ac_func || defined __stub___$ac_func +choke me +#endif -# Whether dlopen is supported. -dlopen_support=$enable_dlopen +int +main () +{ +return $ac_func (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + eval "$as_ac_var=yes" +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -# Whether dlopen of programs is supported. -dlopen_self=$enable_dlopen_self + eval "$as_ac_var=no" +fi -# Whether dlopen of statically linked programs is supported. 
-dlopen_self_static=$enable_dlopen_self_static +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +fi +ac_res=`eval 'as_val=${'$as_ac_var'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +as_val=`eval 'as_val=${'$as_ac_var'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF -# Compiler flag to prevent dynamic linking. -link_static_flag=$lt_lt_prog_compiler_static_RC +else + LIBS="$LIBS -ldb" +fi +done -# Compiler flag to turn off builtin functions. -no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_RC -# Compiler flag to allow reflexive dlopens. -export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_RC +for ac_func in strtoul +do +as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5 +$as_echo_n "checking for $ac_func... " >&6; } +if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Define $ac_func to an innocuous variant, in case declares $ac_func. + For example, HP-UX 11i declares gettimeofday. */ +#define $ac_func innocuous_$ac_func -# Compiler flag to generate shared objects directly from archives. -whole_archive_flag_spec=$lt_whole_archive_flag_spec_RC +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ -# Compiler flag to generate thread-safe objects. -thread_safe_flag_spec=$lt_thread_safe_flag_spec_RC +#ifdef __STDC__ +# include +#else +# include +#endif -# Library versioning type. 
-version_type=$version_type +#undef $ac_func -# Format of library name prefix. -libname_spec=$lt_libname_spec +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char $ac_func (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined __stub_$ac_func || defined __stub___$ac_func +choke me +#endif -# List of archive names. First name is the real one, the rest are links. -# The last name is the one that the linker finds with -lNAME. -library_names_spec=$lt_library_names_spec +int +main () +{ +return $ac_func (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + eval "$as_ac_var=yes" +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -# The coded name of the library, if different from the real name. -soname_spec=$lt_soname_spec + eval "$as_ac_var=no" +fi -# Commands used to build and install an old-style archive. 
-RANLIB=$lt_RANLIB -old_archive_cmds=$lt_old_archive_cmds_RC -old_postinstall_cmds=$lt_old_postinstall_cmds -old_postuninstall_cmds=$lt_old_postuninstall_cmds +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +fi +ac_res=`eval 'as_val=${'$as_ac_var'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +as_val=`eval 'as_val=${'$as_ac_var'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF -# Create an old-style archive from a shared archive. -old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_RC +else + LIBS="$LIBS -l44bsd" +fi +done -# Create a temporary old-style archive to link instead of a shared archive. -old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_RC +fi -# Commands used to build and install a shared archive. -archive_cmds=$lt_archive_cmds_RC -archive_expsym_cmds=$lt_archive_expsym_cmds_RC -postinstall_cmds=$lt_postinstall_cmds -postuninstall_cmds=$lt_postuninstall_cmds +# some funky macro to be backwards compatible with earlier autoconfs +# in current they have AC_CHECK_DECLS -# Commands used to build a loadable module (assumed same as above if empty) -module_cmds=$lt_module_cmds_RC -module_expsym_cmds=$lt_module_expsym_cmds_RC -# Commands to strip libraries. -old_striplib=$lt_old_striplib -striplib=$lt_striplib -# Dependencies to place before the objects being linked to create a -# shared library. -predep_objects=$lt_predep_objects_RC - -# Dependencies to place after the objects being linked to create a -# shared library. -postdep_objects=$lt_postdep_objects_RC - -# Dependencies to place before the objects being linked to create a -# shared library. -predeps=$lt_predeps_RC - -# Dependencies to place after the objects being linked to create a -# shared library. 
-postdeps=$lt_postdeps_RC - -# The library search path used internally by the compiler when linking -# a shared library. -compiler_lib_search_path=$lt_compiler_lib_search_path_RC -# Method to check whether dependent libraries are shared objects. -deplibs_check_method=$lt_deplibs_check_method +# some stuff for declarations which were missed on sunos4 platform too. +# +# add `#undef NEED_DECL_FUNCTIONAME to acconfig.h` because autoheader +# fails to work properly with custom macroses. +# you will see also #undef for each SN_CHECK_DECLS macros invocation +# because autoheader doesn't execute shell script commands. +# it is possible to make loops using m4 but the code would look even +# more confusing.. +for sn_decl in printf fprintf syslog puts fputs fputc fopen \ + fclose fwrite fflush getopt bzero bcopy memset strtol \ + strcasecmp strncasecmp strerror perror socket sendto \ + vsnprintf snprintf strtoul +do +sn_def_decl=`echo $sn_decl | tr a-z A-Z` -# Command to use when deplibs_check_method == file_magic. -file_magic_cmd=$lt_file_magic_cmd +{ $as_echo "$as_me:$LINENO: checking whether $sn_decl must be declared" >&5 +$as_echo_n "checking whether $sn_decl must be declared... " >&6; } +if { as_var=sn_cv_decl_needed_$sn_decl; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ -# Flag that allows shared libraries with undefined symbols to be built. -allow_undefined_flag=$lt_allow_undefined_flag_RC +#include +#ifdef HAVE_STRING_H +#include +#endif +#ifdef HAVE_STRINGS_H +#include +#endif +#ifdef HAVE_STDLIB_H +#include +#endif +#ifdef HAVE_UNISTD_H +#include +#endif +#include +#include +#include -# Flag that forces no undefined symbols. 
-no_undefined_flag=$lt_no_undefined_flag_RC +int +main () +{ +char *(*pfn); pfn = (char *(*)) $sn_decl; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + eval "sn_cv_decl_needed_$sn_decl=no" +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -# Commands used to finish a libtool library installation in a directory. -finish_cmds=$lt_finish_cmds + eval "sn_cv_decl_needed_$sn_decl=yes" +fi -# Same as above, but a single script fragment to be evaled but not shown. -finish_eval=$lt_finish_eval +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi -# Take the output of nm and produce a listing of raw symbols and C names. -global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe -# Transform the output of nm in a proper C declaration -global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl +if eval "test \"`echo '$sn_cv_decl_needed_'$sn_decl`\" != no"; then + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } -# Transform the output of nm in a C name address pair -global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address -# This is the shared library runtime path variable. -runpath_var=$runpath_var +cat >>confdefs.h <<_ACEOF +#define NEED_DECL_$sn_def_decl 1 +_ACEOF -# This is the shared library path variable. -shlibpath_var=$shlibpath_var -# Is shlibpath searched before the hard-coded library search path? 
-shlibpath_overrides_runpath=$shlibpath_overrides_runpath +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } -# How to hardcode a shared library path into an executable. -hardcode_action=$hardcode_action_RC +fi +done -# Whether we should hardcode library paths into libraries. -hardcode_into_libs=$hardcode_into_libs -# Flag to hardcode \$libdir into a binary during linking. -# This must work even if \$libdir does not exist. -hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_RC -# If ld is used when linking, flag to hardcode \$libdir into -# a binary during linking. This must work even if \$libdir does -# not exist. -hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_RC - -# Whether we need a single -rpath flag with a separated argument. -hardcode_libdir_separator=$lt_hardcode_libdir_separator_RC - -# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the -# resulting binary. -hardcode_direct=$hardcode_direct_RC - -# Set to yes if using the -LDIR flag during linking hardcodes DIR into the -# resulting binary. -hardcode_minus_L=$hardcode_minus_L_RC - -# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into -# the resulting binary. -hardcode_shlibpath_var=$hardcode_shlibpath_var_RC - -# Set to yes if building a shared library automatically hardcodes DIR into the library -# and all subsequent libraries and executables linked against it. -hardcode_automatic=$hardcode_automatic_RC -# Variables whose values should be saved in libtool wrapper scripts and -# restored at relink time. -variables_saved_for_relink="$variables_saved_for_relink" -# Whether libtool must link a program against all its dependency libraries. 
-link_all_deplibs=$link_all_deplibs_RC -# Compile-time system search path for libraries -sys_lib_search_path_spec=$lt_sys_lib_search_path_spec -# Run-time system search path for libraries -sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec -# Fix the shell variable \$srcfile for the compiler. -fix_srcfile_path="$fix_srcfile_path_RC" -# Set to yes if exported symbols are required. -always_export_symbols=$always_export_symbols_RC -# The commands to list exported symbols. -export_symbols_cmds=$lt_export_symbols_cmds_RC +for ac_func in sigaction strlcpy strlcat strerror vswprintf wprintf memrchr inet_ntop +do +as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5 +$as_echo_n "checking for $ac_func... " >&6; } +if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Define $ac_func to an innocuous variant, in case declares $ac_func. + For example, HP-UX 11i declares gettimeofday. */ +#define $ac_func innocuous_$ac_func -# The commands to extract the exported symbol list from a shared archive. -extract_expsyms_cmds=$lt_extract_expsyms_cmds +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ -# Symbols that should not be listed in the preloaded symbols. -exclude_expsyms=$lt_exclude_expsyms_RC +#ifdef __STDC__ +# include +#else +# include +#endif -# Symbols that must always be exported. -include_expsyms=$lt_include_expsyms_RC +#undef $ac_func -# ### END LIBTOOL TAG CONFIG: $tagname +/* Override any GCC internal prototype to avoid an error. 
+ Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char $ac_func (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined __stub_$ac_func || defined __stub___$ac_func +choke me +#endif -__EOF__ +int +main () +{ +return $ac_func (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + eval "$as_ac_var=yes" +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + eval "$as_ac_var=no" +fi -else - # If there is no Makefile yet, we rely on a make rule to execute - # `config.status --recheck' to rerun these tests and create the - # libtool script then. 
- ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'` - if test -f "$ltmain_in"; then - test -f Makefile && make "$ltmain" - fi +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext fi +ac_res=`eval 'as_val=${'$as_ac_var'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +as_val=`eval 'as_val=${'$as_ac_var'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF +fi +done -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu -CC="$lt_save_CC" +{ $as_echo "$as_me:$LINENO: checking for snprintf" >&5 +$as_echo_n "checking for snprintf... " >&6; } +if test "${ac_cv_func_snprintf+set}" = set; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Define snprintf to an innocuous variant, in case declares snprintf. + For example, HP-UX 11i declares gettimeofday. */ +#define snprintf innocuous_snprintf - ;; +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char snprintf (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ - *) - { { echo "$as_me:$LINENO: error: Unsupported tag name: $tagname" >&5 -echo "$as_me: error: Unsupported tag name: $tagname" >&2;} - { (exit 1); exit 1; }; } - ;; - esac +#ifdef __STDC__ +# include +#else +# include +#endif - # Append the new tag name to the list of available tags. 
- if test -n "$tagname" ; then - available_tags="$available_tags $tagname" - fi - fi - done - IFS="$lt_save_ifs" +#undef snprintf - # Now substitute the updated list of available tags. - if eval "sed -e 's/^available_tags=.*\$/available_tags=\"$available_tags\"/' \"$ofile\" > \"${ofile}T\""; then - mv "${ofile}T" "$ofile" - chmod +x "$ofile" - else - rm -f "${ofile}T" - { { echo "$as_me:$LINENO: error: unable to update list of available tagged configurations." >&5 -echo "$as_me: error: unable to update list of available tagged configurations." >&2;} - { (exit 1); exit 1; }; } - fi -fi +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char snprintf (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined __stub_snprintf || defined __stub___snprintf +choke me +#endif +int +main () +{ +return snprintf (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_func_snprintf=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_cv_func_snprintf=no +fi -# This can be used to rebuild libtool when needed -LIBTOOL_DEPS="$ac_aux_dir/ltmain.sh" +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_snprintf" >&5 +$as_echo "$ac_cv_func_snprintf" >&6; } +if test "x$ac_cv_func_snprintf" = x""yes; then + have_snprintf="yes" +else + have_snprintf="no" +fi -# Always use our own libtool. -LIBTOOL='$(SHELL) $(top_builddir)/libtool' + if test "x$have_snprintf" != "xyes"; then + BUILD_SNPRINTF_TRUE= + BUILD_SNPRINTF_FALSE='#' +else + BUILD_SNPRINTF_TRUE='#' + BUILD_SNPRINTF_FALSE= +fi -# Prevent multiple expansion +if test "x$have_snprintf" = "xyes"; then +cat >>confdefs.h <<\_ACEOF +#define HAVE_SNPRINTF /**/ +_ACEOF +fi +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:$LINENO: checking size of char" >&5 +$as_echo_n "checking size of char... " >&6; } +if test "${ac_cv_sizeof_char+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test "$cross_compiling" = yes; then + # Depending upon the size, compute the lo and hi bounds. +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (char))) >= 0)]; +test_array [0] = 0 + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_lo=0 ac_mid=0 + while :; do + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (char))) <= $ac_mid)]; +test_array [0] = 0 + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=$ac_mid; break +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_lo=`expr $ac_mid + 1` + if test $ac_lo -le $ac_mid; then + ac_lo= ac_hi= + break + fi + ac_mid=`expr 2 '*' $ac_mid + 1` +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (char))) < 0)]; +test_array [0] = 0 + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=-1 ac_mid=-1 + while :; do + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (char))) >= $ac_mid)]; +test_array [0] = 0 + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? 
+ grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_lo=$ac_mid; break +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_hi=`expr '(' $ac_mid ')' - 1` + if test $ac_mid -le $ac_hi; then + ac_lo= ac_hi= + break + fi + ac_mid=`expr 2 '*' $ac_mid` +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_lo= ac_hi= +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +# Binary search between lo and hi bounds. +while test "x$ac_lo" != "x$ac_hi"; do + ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo` + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (char))) <= $ac_mid)]; +test_array [0] = 0 + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=$ac_mid +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_lo=`expr '(' $ac_mid ')' + 1` +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +done +case $ac_lo in +?*) ac_cv_sizeof_char=$ac_lo;; +'') if test "$ac_cv_type_char" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (char) +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute sizeof (char) +See \`config.log' for more details." >&2;} + { (exit 77); exit 77; }; }; } + else + ac_cv_sizeof_char=0 + fi ;; +esac +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +static long int longval () { return (long int) (sizeof (char)); } +static unsigned long int ulongval () { return (long int) (sizeof (char)); } +#include +#include +int +main () +{ + FILE *f = fopen ("conftest.val", "w"); + if (! f) + return 1; + if (((long int) (sizeof (char))) < 0) + { + long int i = longval (); + if (i != ((long int) (sizeof (char)))) + return 1; + fprintf (f, "%ld", i); + } + else + { + unsigned long int i = ulongval (); + if (i != ((long int) (sizeof (char)))) + return 1; + fprintf (f, "%lu", i); + } + /* Do not output a trailing newline, as this causes \r\n confusion + on some platforms. */ + return ferror (f) || fclose (f) != 0; -if test -n "$ac_tool_prefix"; then - # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args. -set dummy ${ac_tool_prefix}ranlib; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... 
$ECHO_C" >&6; } -if test "${ac_cv_prog_RANLIB+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$RANLIB"; then - ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test. + ; + return 0; +} +_ACEOF +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_sizeof_char=`cat conftest.val` else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done -IFS=$as_save_IFS + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 +( exit $ac_status ) +if test "$ac_cv_type_char" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (char) +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute sizeof (char) +See \`config.log' for more details." 
>&2;} + { (exit 77); exit 77; }; }; } + else + ac_cv_sizeof_char=0 + fi fi +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi -RANLIB=$ac_cv_prog_RANLIB -if test -n "$RANLIB"; then - { echo "$as_me:$LINENO: result: $RANLIB" >&5 -echo "${ECHO_T}$RANLIB" >&6; } -else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } +rm -f conftest.val fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_sizeof_char" >&5 +$as_echo "$ac_cv_sizeof_char" >&6; } -fi -if test -z "$ac_cv_prog_RANLIB"; then - ac_ct_RANLIB=$RANLIB - # Extract the first word of "ranlib", so it can be a program name with args. -set dummy ranlib; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } -if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$ac_ct_RANLIB"; then - ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_ac_ct_RANLIB="ranlib" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done -IFS=$as_save_IFS -fi -fi -ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB -if test -n "$ac_ct_RANLIB"; then - { echo "$as_me:$LINENO: result: $ac_ct_RANLIB" >&5 -echo "${ECHO_T}$ac_ct_RANLIB" >&6; } +cat >>confdefs.h <<_ACEOF +#define SIZEOF_CHAR $ac_cv_sizeof_char +_ACEOF + + +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. 
+{ $as_echo "$as_me:$LINENO: checking size of short" >&5 +$as_echo_n "checking size of short... " >&6; } +if test "${ac_cv_sizeof_short+set}" = set; then + $as_echo_n "(cached) " >&6 else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } -fi + if test "$cross_compiling" = yes; then + # Depending upon the size, compute the lo and hi bounds. +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (short))) >= 0)]; +test_array [0] = 0 - if test "x$ac_ct_RANLIB" = x; then - RANLIB=":" - else - case $cross_compiling:$ac_tool_warned in -yes:) -{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools -whose name does not start with the host triplet. If you think this -configuration is useful to you, please write to autoconf@gnu.org." >&5 -echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools -whose name does not start with the host triplet. If you think this -configuration is useful to you, please write to autoconf@gnu.org." >&2;} -ac_tool_warned=yes ;; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; esac - RANLIB=$ac_ct_RANLIB - fi +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_lo=0 ac_mid=0 + while :; do + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. 
*/ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (short))) <= $ac_mid)]; +test_array [0] = 0 + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=$ac_mid; break else - RANLIB="$ac_cv_prog_RANLIB" + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_lo=`expr $ac_mid + 1` + if test $ac_lo -le $ac_mid; then + ac_lo= ac_hi= + break + fi + ac_mid=`expr 2 '*' $ac_mid + 1` fi -{ echo "$as_me:$LINENO: checking whether byte ordering is bigendian" >&5 -echo $ECHO_N "checking whether byte ordering is bigendian... $ECHO_C" >&6; } -if test "${ac_cv_c_bigendian+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done else - # See if sys/param.h defines the BYTE_ORDER macro. -cat >conftest.$ac_ext <<_ACEOF + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -#include -#include - +$ac_includes_default int main () { -#if ! 
(defined BYTE_ORDER && defined BIG_ENDIAN && defined LITTLE_ENDIAN \ - && BYTE_ORDER && BIG_ENDIAN && LITTLE_ENDIAN) - bogus endian macros -#endif +static int test_array [1 - 2 * !(((long int) (sizeof (short))) < 0)]; +test_array [0] = 0 ; return 0; @@ -20589,33 +15313,32 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - # It does; now see whether it defined to BIG_ENDIAN or not. -cat >conftest.$ac_ext <<_ACEOF + ac_hi=-1 ac_mid=-1 + while :; do + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -#include -#include - +$ac_includes_default int main () { -#if BYTE_ORDER != BIG_ENDIAN - not big endian -#endif +static int test_array [1 - 2 * !(((long int) (sizeof (short))) >= $ac_mid)]; +test_array [0] = 0 ; return 0; 
@@ -20627,50 +15350,60 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_cv_c_bigendian=yes + ac_lo=$ac_mid; break else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_c_bigendian=no + ac_hi=`expr '(' $ac_mid ')' - 1` + if test $ac_mid -le $ac_hi; then + ac_lo= ac_hi= + break + fi + ac_mid=`expr 2 '*' $ac_mid` fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - # It does not; compile a test program. -if test "$cross_compiling" = yes; then - # try to guess the endianness by grepping values into an object file - ac_cv_c_bigendian=unknown + ac_lo= ac_hi= +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +# Binary search between lo and hi bounds. +while test "x$ac_lo" != "x$ac_hi"; do + ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo` cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. 
*/ -short int ascii_mm[] = { 0x4249, 0x4765, 0x6E44, 0x6961, 0x6E53, 0x7953, 0 }; -short int ascii_ii[] = { 0x694C, 0x5454, 0x656C, 0x6E45, 0x6944, 0x6E61, 0 }; -void _ascii () { char *s = (char *) ascii_mm; s = (char *) ascii_ii; } -short int ebcdic_ii[] = { 0x89D3, 0xE3E3, 0x8593, 0x95C5, 0x89C4, 0x9581, 0 }; -short int ebcdic_mm[] = { 0xC2C9, 0xC785, 0x95C4, 0x8981, 0x95E2, 0xA8E2, 0 }; -void _ebcdic () { char *s = (char *) ebcdic_mm; s = (char *) ebcdic_ii; } +$ac_includes_default int main () { - _ascii (); _ebcdic (); +static int test_array [1 - 2 * !(((long int) (sizeof (short))) <= $ac_mid)]; +test_array [0] = 0 + ; return 0; } 
@@ -20681,36 +15414,42 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - if grep BIGenDianSyS conftest.$ac_objext >/dev/null ; then - ac_cv_c_bigendian=yes -fi -if grep LiTTleEnDian conftest.$ac_objext >/dev/null ; then - if test "$ac_cv_c_bigendian" = unknown; then - ac_cv_c_bigendian=no - else - # finding both strings is unlikely to happen, but who knows? - ac_cv_c_bigendian=unknown - fi -fi + ac_hi=$ac_mid else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - + ac_lo=`expr '(' $ac_mid ')' + 1` fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +done +case $ac_lo in +?*) ac_cv_sizeof_short=$ac_lo;; +'') if test "$ac_cv_type_short" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (short) +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute sizeof (short) +See \`config.log' for more details." >&2;} + { (exit 77); exit 77; }; }; } + else + ac_cv_sizeof_short=0 + fi ;; +esac else cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ 
@@ -20719,18 +15458,34 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default +static long int longval () { return (long int) (sizeof (short)); } +static unsigned long int ulongval () { return (long int) (sizeof (short)); } +#include +#include int main () { - /* Are we little or big endian? From Harbison&Steele. */ - union - { - long int l; - char c[sizeof (long int)]; - } u; - u.l = 1; - return u.c[sizeof (long int) - 1] == 1; + FILE *f = fopen ("conftest.val", "w"); + if (! f) + return 1; + if (((long int) (sizeof (short))) < 0) + { + long int i = longval (); + if (i != ((long int) (sizeof (short)))) + return 1; + fprintf (f, "%ld", i); + } + else + { + unsigned long int i = ulongval (); + if (i != ((long int) (sizeof (short)))) + return 1; + fprintf (f, "%lu", i); + } + /* Do not output a trailing newline, as this causes \r\n confusion + on some platforms. */ + return ferror (f) || fclose (f) != 0; ; return 0; 
@@ -20742,354 +15497,426 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_link") 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' { (case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_try") 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - ac_cv_c_bigendian=no + ac_cv_sizeof_short=`cat conftest.val` else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ( exit $ac_status ) -ac_cv_c_bigendian=yes +if test "$ac_cv_type_short" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (short) +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute sizeof (short) +See \`config.log' for more details." 
>&2;} + { (exit 77); exit 77; }; }; } + else + ac_cv_sizeof_short=0 + fi fi +rm -rf conftest.dSYM rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi - - -fi - -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +rm -f conftest.val fi -{ echo "$as_me:$LINENO: result: $ac_cv_c_bigendian" >&5 -echo "${ECHO_T}$ac_cv_c_bigendian" >&6; } -case $ac_cv_c_bigendian in - yes) - -cat >>confdefs.h <<\_ACEOF -#define WORDS_BIGENDIAN 1 -_ACEOF - ;; - no) - ;; - *) - { { echo "$as_me:$LINENO: error: unknown endianness -presetting ac_cv_c_bigendian=no (or yes) will help" >&5 -echo "$as_me: error: unknown endianness -presetting ac_cv_c_bigendian=no (or yes) will help" >&2;} - { (exit 1); exit 1; }; } ;; -esac - - -#AC_CANONICAL_HOST -linux="no" -sunos4="no" - -case "$host" in - *-openbsd2.6|*-openbsd2.5|*-openbsd2.4|*-openbsd2.3*) - -cat >>confdefs.h <<\_ACEOF -#define OPENBSD 1 -_ACEOF - - -cat >>confdefs.h <<\_ACEOF -#define BROKEN_SIOCGIFMTU 1 -_ACEOF - - - ;; - *-openbsd*) - -cat >>confdefs.h <<\_ACEOF -#define OPENBSD 1 -_ACEOF - - - ;; - *-sgi-irix5*) - -cat >>confdefs.h <<\_ACEOF -#define IRIX 1 -_ACEOF - - no_libsocket="yes" - no_libnsl="yes" - if test -z "$GCC"; then - sgi_cc="yes" - fi - LDFLAGS="${LDFLAGS} -L/usr/local/lib" - extra_incl="-I/usr/local/include" - ;; - *-sgi-irix6*) - -cat >>confdefs.h <<\_ACEOF -#define IRIX 1 -_ACEOF - - no_libsocket="yes" - no_libnsl="yes" - if test -z "$GCC"; then - sgi_cc="yes" - fi - LDFLAGS="${LDFLAGS} -L/usr/local/lib" - extra_incl="-I/usr/local/include" - ;; - *-solaris*) - -cat >>confdefs.h <<\_ACEOF -#define SOLARIS 1 -_ACEOF - - CPPFLAGS="${CPPFLAGS} -DBSD_COMP -D_REENTRANT" - ;; - *-sunos*) - -cat >>confdefs.h <<\_ACEOF -#define SUNOS 1 -_ACEOF - - sunos4="yes" - ;; - *-linux*) - linux="yes" - -cat >>confdefs.h <<\_ACEOF -#define LINUX 1 -_ACEOF - - # libpcap doesn't even LOOK at the timeout you give it under Linux +{ $as_echo "$as_me:$LINENO: result: 
$ac_cv_sizeof_short" >&5 +$as_echo "$ac_cv_sizeof_short" >&6; } -cat >>confdefs.h <<\_ACEOF -#define PCAP_TIMEOUT_IGNORED 1 -_ACEOF - extra_incl="-I/usr/include/pcap" - ;; - *-hpux10*|*-hpux11*) - -cat >>confdefs.h <<\_ACEOF -#define HPUX 1 +cat >>confdefs.h <<_ACEOF +#define SIZEOF_SHORT $ac_cv_sizeof_short _ACEOF -cat >>confdefs.h <<\_ACEOF -#define WORDS_BIGENDIAN 1 +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:$LINENO: checking size of int" >&5 +$as_echo_n "checking size of int... " >&6; } +if test "${ac_cv_sizeof_int+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test "$cross_compiling" = yes; then + # Depending upon the size, compute the lo and hi bounds. +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ _ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (int))) >= 0)]; +test_array [0] = 0 - - extra_incl="-I/usr/local/include" - ;; - - *-freebsd*) - -cat >>confdefs.h <<\_ACEOF -#define FREEBSD 1 + ; + return 0; +} _ACEOF - - - ;; - *-bsdi*) - -cat >>confdefs.h <<\_ACEOF -#define BSDI 1 +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + ac_lo=0 ac_mid=0 + while :; do + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ _ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (int))) <= $ac_mid)]; +test_array [0] = 0 - ;; - *-aix*) - -cat >>confdefs.h <<\_ACEOF -#define AIX 1 + ; + return 0; +} _ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=$ac_mid; break +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 - ;; - *-osf4*) - -cat >>confdefs.h <<\_ACEOF -#define OSF1 1 -_ACEOF + ac_lo=`expr $ac_mid + 1` + if test $ac_lo -le $ac_mid; then + ac_lo= ac_hi= + break + fi + ac_mid=`expr 2 '*' $ac_mid + 1` +fi - ;; - *-osf5.1*) +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -cat >>confdefs.h <<\_ACEOF -#define OSF1 1 + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ _ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (int))) < 0)]; +test_array [0] = 0 - ;; - *-tru64*) - -cat >>confdefs.h <<\_ACEOF -#define OSF1 1 + ; + return 0; +} _ACEOF - - ;; -# it is actually -apple-darwin1.2 or -apple-rhapsody5.x but lets stick with this for the moment - *-apple*) - -cat >>confdefs.h <<\_ACEOF -#define MACOS 1 +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=-1 ac_mid=-1 + while :; do + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ _ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (int))) >= $ac_mid)]; +test_array [0] = 0 - -cat >>confdefs.h <<\_ACEOF -#define BROKEN_SIOCGIFMTU 1 + ; + return 0; +} _ACEOF - - LDFLAGS="${LDFLAGS} -L/sw/lib" - extra_incl="-I/sw/include" +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; esac - -# This is really meant for Solaris Sparc v9 where it has 32bit and 64bit -# capability but builds 32bit by default -# Check whether --enable-64bit-gcc was given. -if test "${enable_64bit_gcc+set}" = set; then - enableval=$enable_64bit_gcc; enable_64bit_gcc="$enableval" +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? 
+ grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_lo=$ac_mid; break else - enable_64bit_gcc="no" -fi + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -if test "x$enable_64bit_gcc" = "xyes"; then - CFLAGS="$CFLAGS -m64" + ac_hi=`expr '(' $ac_mid ')' - 1` + if test $ac_mid -le $ac_hi; then + ac_lo= ac_hi= + break + fi + ac_mid=`expr 2 '*' $ac_mid` fi -# AC_PROG_YACC defaults to "yacc" when not found -# this check defaults to "none" -for ac_prog in bison yacc -do - # Extract the first word of "$ac_prog", so it can be a program name with args. -set dummy $ac_prog; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } -if test "${ac_cv_prog_YACC+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$YACC"; then - ac_cv_prog_YACC="$YACC" # Let the user override the test. +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. 
- for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_YACC="$ac_prog" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done -IFS=$as_save_IFS + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_lo= ac_hi= fi -fi -YACC=$ac_cv_prog_YACC -if test -n "$YACC"; then - { echo "$as_me:$LINENO: result: $YACC" >&5 -echo "${ECHO_T}$YACC" >&6; } -else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +# Binary search between lo and hi bounds. +while test "x$ac_lo" != "x$ac_hi"; do + ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo` + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (int))) <= $ac_mid)]; +test_array [0] = 0 - test -n "$YACC" && break -done -test -n "$YACC" || YACC="none" + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=$ac_mid +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -# AC_PROG_YACC includes the -y arg if bison is found -if test "x$YACC" = "xbison"; then - YACC="$YACC -y" + ac_lo=`expr '(' $ac_mid ')' + 1` fi -# AC_PROG_LEX defaults to ":" when not found -# this check defaults to "none" -# We're using flex specific options so we don't support lex -for ac_prog in flex -do - # Extract the first word of "$ac_prog", so it can be a program name with args. -set dummy $ac_prog; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } -if test "${ac_cv_prog_LEX+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$LEX"; then - ac_cv_prog_LEX="$LEX" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_LEX="$ac_prog" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext done -IFS=$as_save_IFS +case $ac_lo in +?*) ac_cv_sizeof_int=$ac_lo;; +'') if test "$ac_cv_type_int" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (int) +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute sizeof (int) +See \`config.log' for more details." >&2;} + { (exit 77); exit 77; }; }; } + else + ac_cv_sizeof_int=0 + fi ;; +esac +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +$ac_includes_default +static long int longval () { return (long int) (sizeof (int)); } +static unsigned long int ulongval () { return (long int) (sizeof (int)); } +#include +#include +int +main () +{ + + FILE *f = fopen ("conftest.val", "w"); + if (! f) + return 1; + if (((long int) (sizeof (int))) < 0) + { + long int i = longval (); + if (i != ((long int) (sizeof (int)))) + return 1; + fprintf (f, "%ld", i); + } + else + { + unsigned long int i = ulongval (); + if (i != ((long int) (sizeof (int)))) + return 1; + fprintf (f, "%lu", i); + } + /* Do not output a trailing newline, as this causes \r\n confusion + on some platforms. */ + return ferror (f) || fclose (f) != 0; + + ; + return 0; +} +_ACEOF +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_sizeof_int=`cat conftest.val` +else + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 +( exit $ac_status ) +if test "$ac_cv_type_int" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (int) +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute sizeof (int) +See \`config.log' for more details." 
>&2;} + { (exit 77); exit 77; }; }; } + else + ac_cv_sizeof_int=0 + fi fi +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi -LEX=$ac_cv_prog_LEX -if test -n "$LEX"; then - { echo "$as_me:$LINENO: result: $LEX" >&5 -echo "${ECHO_T}$LEX" >&6; } -else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } +rm -f conftest.val fi - - - test -n "$LEX" && break -done -test -n "$LEX" || LEX="none" - - -# - - - - - +{ $as_echo "$as_me:$LINENO: result: $ac_cv_sizeof_int" >&5 +$as_echo "$ac_cv_sizeof_int" >&6; } +cat >>confdefs.h <<_ACEOF +#define SIZEOF_INT $ac_cv_sizeof_int +_ACEOF -for ac_header in strings.h string.h stdlib.h unistd.h sys/sockio.h paths.h inttypes.h wchar.h math.h -do -as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then - { echo "$as_me:$LINENO: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } -if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -fi -ac_res=`eval echo '${'$as_ac_Header'}'` - { echo "$as_me:$LINENO: result: $ac_res" >&5 -echo "${ECHO_T}$ac_res" >&6; } +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:$LINENO: checking size of long int" >&5 +$as_echo_n "checking size of long int... " >&6; } +if test "${ac_cv_sizeof_long_int+set}" = set; then + $as_echo_n "(cached) " >&6 else - # Is the header compilable? -{ echo "$as_me:$LINENO: checking $ac_header usability" >&5 -echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; } + if test "$cross_compiling" = yes; then + # Depending upon the size, compute the lo and hi bounds. cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. 
*/ _ACEOF @@ -21097,7 +15924,15 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default -#include <$ac_header> +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (long int))) >= 0)]; +test_array [0] = 0 + + ; + return 0; +} _ACEOF rm -f conftest.$ac_objext if { (ac_try="$ac_compile" 
@@ -21105,655 +15940,483 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_header_compiler=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_header_compiler=no -fi - -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 -echo "${ECHO_T}$ac_header_compiler" >&6; } - -# Is the header present? -{ echo "$as_me:$LINENO: checking $ac_header presence" >&5 -echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; } -cat >conftest.$ac_ext <<_ACEOF + ac_lo=0 ac_mid=0 + while :; do + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -#include <$ac_header> +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (long int))) <= $ac_mid)]; +test_array [0] = 0 + + ; + return 0; +} _ACEOF -if { (ac_try="$ac_cpp conftest.$ac_ext" +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 - (exit $ac_status); } >/dev/null && { - test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || test ! -s conftest.err - }; then - ac_header_preproc=yes + } && test -s conftest.$ac_objext; then + ac_hi=$ac_mid; break else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_header_preproc=no + ac_lo=`expr $ac_mid + 1` + if test $ac_lo -le $ac_mid; then + ac_lo= ac_hi= + break + fi + ac_mid=`expr 2 '*' $ac_mid + 1` fi -rm -f conftest.err conftest.$ac_ext -{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 -echo "${ECHO_T}$ac_header_preproc" >&6; } - -# So? What about this header? -case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in - yes:no: ) - { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 -echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} - ac_header_preproc=yes - ;; - no:yes:* ) - { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 -echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 -echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" 
>&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 -echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 -echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 -echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} - - ;; -esac -{ echo "$as_me:$LINENO: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } -if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done else - eval "$as_ac_Header=\$ac_header_preproc" -fi -ac_res=`eval echo '${'$as_ac_Header'}'` - { echo "$as_me:$LINENO: result: $ac_res" >&5 -echo "${ECHO_T}$ac_res" >&6; } + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -fi -if test `eval echo '${'$as_ac_Header'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ _ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (long int))) < 0)]; +test_array [0] = 0 -fi - -done - - -{ echo "$as_me:$LINENO: checking for floor in -lm" >&5 -echo $ECHO_N "checking for floor in -lm... 
$ECHO_C" >&6; } -if test "${ac_cv_lib_m_floor+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lm $LIBS" -cat >conftest.$ac_ext <<_ACEOF + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=-1 ac_mid=-1 + while :; do + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char floor (); +$ac_includes_default int main () { -return floor (); +static int test_array [1 - 2 * !(((long int) (sizeof (long int))) >= $ac_mid)]; +test_array [0] = 0 + ; return 0; } _ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_lib_m_floor=yes + } && test -s conftest.$ac_objext; then + ac_lo=$ac_mid; break else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_lib_m_floor=no -fi - -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS + ac_hi=`expr '(' $ac_mid ')' - 1` + if test $ac_mid -le $ac_hi; then + ac_lo= ac_hi= + break + fi + ac_mid=`expr 2 '*' $ac_mid` fi -{ echo "$as_me:$LINENO: result: $ac_cv_lib_m_floor" >&5 -echo "${ECHO_T}$ac_cv_lib_m_floor" >&6; } -if test $ac_cv_lib_m_floor = yes; then - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBM 1 -_ACEOF - LIBS="-lm $LIBS" +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_lo= ac_hi= fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi -{ echo "$as_me:$LINENO: checking for ceil in -lm" >&5 -echo $ECHO_N "checking for ceil in -lm... $ECHO_C" >&6; } -if test "${ac_cv_lib_m_ceil+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lm $LIBS" -cat >conftest.$ac_ext <<_ACEOF +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +# Binary search between lo and hi bounds. +while test "x$ac_lo" != "x$ac_hi"; do + ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo` + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. 
*/ -#ifdef __cplusplus -extern "C" -#endif -char ceil (); +$ac_includes_default int main () { -return ceil (); +static int test_array [1 - 2 * !(((long int) (sizeof (long int))) <= $ac_mid)]; +test_array [0] = 0 + ; return 0; } _ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_lib_m_ceil=yes + } && test -s conftest.$ac_objext; then + ac_hi=$ac_mid else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_lib_m_ceil=no -fi - -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ echo "$as_me:$LINENO: result: $ac_cv_lib_m_ceil" >&5 -echo "${ECHO_T}$ac_cv_lib_m_ceil" >&6; } -if test $ac_cv_lib_m_ceil = yes; then - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBM 1 -_ACEOF - - LIBS="-lm $LIBS" - -fi - - -if test -z "$no_libnsl"; then + ac_lo=`expr '(' $ac_mid ')' + 1` +fi -{ echo "$as_me:$LINENO: checking for inet_ntoa in -lnsl" >&5 -echo $ECHO_N "checking for inet_ntoa in -lnsl... 
$ECHO_C" >&6; } -if test "${ac_cv_lib_nsl_inet_ntoa+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +done +case $ac_lo in +?*) ac_cv_sizeof_long_int=$ac_lo;; +'') if test "$ac_cv_type_long_int" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (long int) +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute sizeof (long int) +See \`config.log' for more details." >&2;} + { (exit 77); exit 77; }; }; } + else + ac_cv_sizeof_long_int=0 + fi ;; +esac else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lnsl $LIBS" -cat >conftest.$ac_ext <<_ACEOF + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char inet_ntoa (); +$ac_includes_default +static long int longval () { return (long int) (sizeof (long int)); } +static unsigned long int ulongval () { return (long int) (sizeof (long int)); } +#include +#include int main () { -return inet_ntoa (); + + FILE *f = fopen ("conftest.val", "w"); + if (! f) + return 1; + if (((long int) (sizeof (long int))) < 0) + { + long int i = longval (); + if (i != ((long int) (sizeof (long int)))) + return 1; + fprintf (f, "%ld", i); + } + else + { + unsigned long int i = ulongval (); + if (i != ((long int) (sizeof (long int)))) + return 1; + fprintf (f, "%lu", i); + } + /* Do not output a trailing newline, as this causes \r\n confusion + on some platforms. 
*/ + return ferror (f) || fclose (f) != 0; + ; return 0; } _ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext +rm -f conftest$ac_exeext if { (ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_lib_nsl_inet_ntoa=yes + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_sizeof_long_int=`cat conftest.val` else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_lib_nsl_inet_ntoa=no +( exit $ac_status ) +if test "$ac_cv_type_long_int" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (long int) +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute sizeof (long int) +See \`config.log' for more details." 
>&2;} + { (exit 77); exit 77; }; }; } + else + ac_cv_sizeof_long_int=0 + fi fi - -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi -{ echo "$as_me:$LINENO: result: $ac_cv_lib_nsl_inet_ntoa" >&5 -echo "${ECHO_T}$ac_cv_lib_nsl_inet_ntoa" >&6; } -if test $ac_cv_lib_nsl_inet_ntoa = yes; then - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBNSL 1 -_ACEOF +rm -f conftest.val +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_sizeof_long_int" >&5 +$as_echo "$ac_cv_sizeof_long_int" >&6; } - LIBS="-lnsl $LIBS" -fi -fi +cat >>confdefs.h <<_ACEOF +#define SIZEOF_LONG_INT $ac_cv_sizeof_long_int +_ACEOF -if test -z "$no_libsocket"; then -{ echo "$as_me:$LINENO: checking for socket in -lsocket" >&5 -echo $ECHO_N "checking for socket in -lsocket... $ECHO_C" >&6; } -if test "${ac_cv_lib_socket_socket+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:$LINENO: checking size of long long int" >&5 +$as_echo_n "checking size of long long int... " >&6; } +if test "${ac_cv_sizeof_long_long_int+set}" = set; then + $as_echo_n "(cached) " >&6 else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lsocket $LIBS" + if test "$cross_compiling" = yes; then + # Depending upon the size, compute the lo and hi bounds. cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. 
*/ -#ifdef __cplusplus -extern "C" -#endif -char socket (); +$ac_includes_default int main () { -return socket (); +static int test_array [1 - 2 * !(((long int) (sizeof (long long int))) >= 0)]; +test_array [0] = 0 + ; return 0; } _ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_lib_socket_socket=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_cv_lib_socket_socket=no -fi - -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ echo "$as_me:$LINENO: result: $ac_cv_lib_socket_socket" >&5 -echo "${ECHO_T}$ac_cv_lib_socket_socket" >&6; } -if test $ac_cv_lib_socket_socket = yes; then - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBSOCKET 1 -_ACEOF - - LIBS="-lsocket $LIBS" - -fi - -fi - -# SunOS4 has several things `broken' -if test "$sunos4" != "no"; then - -for ac_func in vsnprintf -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -{ echo "$as_me:$LINENO: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... 
$ECHO_C" >&6; } -if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF + } && test -s conftest.$ac_objext; then + ac_lo=0 ac_mid=0 + while :; do + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -/* Define $ac_func to an innocuous variant, in case declares $ac_func. - For example, HP-UX 11i declares gettimeofday. */ -#define $ac_func innocuous_$ac_func - -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. - Prefer to if __STDC__ is defined, since - exists even on freestanding compilers. */ - -#ifdef __STDC__ -# include -#else -# include -#endif - -#undef $ac_func - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char $ac_func (); -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined __stub_$ac_func || defined __stub___$ac_func -choke me -#endif - +$ac_includes_default int main () { -return $ac_func (); +static int test_array [1 - 2 * !(((long int) (sizeof (long long int))) <= $ac_mid)]; +test_array [0] = 0 + ; return 0; } _ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? 
grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - eval "$as_ac_var=yes" + } && test -s conftest.$ac_objext; then + ac_hi=$ac_mid; break else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - eval "$as_ac_var=no" -fi - -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -fi -ac_res=`eval echo '${'$as_ac_var'}'` - { echo "$as_me:$LINENO: result: $ac_res" >&5 -echo "${ECHO_T}$ac_res" >&6; } -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -else - LIBS="$LIBS -ldb" + ac_lo=`expr $ac_mid + 1` + if test $ac_lo -le $ac_mid; then + ac_lo= ac_hi= + break + fi + ac_mid=`expr 2 '*' $ac_mid + 1` fi -done - -for ac_func in strtoul -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -{ echo "$as_me:$LINENO: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; } -if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -/* Define $ac_func to an innocuous variant, in case declares $ac_func. - For example, HP-UX 11i declares gettimeofday. */ -#define $ac_func innocuous_$ac_func - -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. - Prefer to if __STDC__ is defined, since - exists even on freestanding compilers. 
*/ - -#ifdef __STDC__ -# include -#else -# include -#endif - -#undef $ac_func - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char $ac_func (); -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined __stub_$ac_func || defined __stub___$ac_func -choke me -#endif + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default int main () { -return $ac_func (); +static int test_array [1 - 2 * !(((long int) (sizeof (long long int))) < 0)]; +test_array [0] = 0 + ; return 0; } _ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! 
-s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - eval "$as_ac_var=no" -fi - -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -fi -ac_res=`eval echo '${'$as_ac_var'}'` - { echo "$as_me:$LINENO: result: $ac_res" >&5 -echo "${ECHO_T}$ac_res" >&6; } -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -else - LIBS="$LIBS -l44bsd" -fi -done - -fi - -# some funky macro to be backwards compatible with earlier autoconfs -# in current they have AC_CHECK_DECLS - - - - -# some stuff for declarations which were missed on sunos4 platform too. -# -# add `#undef NEED_DECL_FUNCTIONAME to acconfig.h` because autoheader -# fails to work properly with custom macroses. -# you will see also #undef for each SN_CHECK_DECLS macros invocation -# because autoheader doesn't execute shell script commands. -# it is possible to make loops using m4 but the code would look even -# more confusing.. -for sn_decl in printf fprintf syslog puts fputs fputc fopen \ - fclose fwrite fflush getopt bzero bcopy memset strtol \ - strcasecmp strncasecmp strerror perror socket sendto \ - vsnprintf snprintf strtoul -do -sn_def_decl=`echo $sn_decl | tr a-z A-Z` - -{ echo "$as_me:$LINENO: checking whether $sn_decl must be declared" >&5 -echo $ECHO_N "checking whether $sn_decl must be declared... $ECHO_C" >&6; } -if { as_var=sn_cv_decl_needed_$sn_decl; eval "test \"\${$as_var+set}\" = set"; }; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF + } && test -s conftest.$ac_objext; then + ac_hi=-1 ac_mid=-1 + while :; do + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. 
*/ - -#include -#ifdef HAVE_STRING_H -#include -#endif -#ifdef HAVE_STRINGS_H -#include -#endif -#ifdef HAVE_STDLIB_H -#include -#endif -#ifdef HAVE_UNISTD_H -#include -#endif -#include -#include -#include - +$ac_includes_default int main () { -char *(*pfn); pfn = (char *(*)) $sn_decl; +static int test_array [1 - 2 * !(((long int) (sizeof (long long int))) >= $ac_mid)]; +test_array [0] = 0 + ; return 0; } 
@@ -21764,151 +16427,106 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - eval "sn_cv_decl_needed_$sn_decl=no" + ac_lo=$ac_mid; break else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - eval "sn_cv_decl_needed_$sn_decl=yes" + ac_hi=`expr '(' $ac_mid ')' - 1` + if test $ac_mid -le $ac_hi; then + ac_lo= ac_hi= + break + fi + ac_mid=`expr 2 '*' $ac_mid` fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi - - -if eval "test \"`echo '$sn_cv_decl_needed_'$sn_decl`\" != no"; then - { echo "$as_me:$LINENO: result: yes" >&5 -echo "${ECHO_T}yes" >&6; } - - -cat >>confdefs.h <<_ACEOF -#define NEED_DECL_$sn_def_decl 1 -_ACEOF - - + done else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_lo= ac_hi= fi -done - - - - - - +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi -for ac_func in snprintf strlcpy strlcat strerror vswprintf wprintf -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -{ echo "$as_me:$LINENO: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; } -if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +# Binary search between lo and hi bounds. 
+while test "x$ac_lo" != "x$ac_hi"; do + ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo` cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -/* Define $ac_func to an innocuous variant, in case declares $ac_func. - For example, HP-UX 11i declares gettimeofday. */ -#define $ac_func innocuous_$ac_func - -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. - Prefer to if __STDC__ is defined, since - exists even on freestanding compilers. */ - -#ifdef __STDC__ -# include -#else -# include -#endif - -#undef $ac_func - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char $ac_func (); -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined __stub_$ac_func || defined __stub___$ac_func -choke me -#endif - +$ac_includes_default int main () { -return $ac_func (); +static int test_array [1 - 2 * !(((long int) (sizeof (long long int))) <= $ac_mid)]; +test_array [0] = 0 + ; return 0; } _ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - eval "$as_ac_var=yes" + } && test -s conftest.$ac_objext; then + ac_hi=$ac_mid else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - eval "$as_ac_var=no" -fi - -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext + ac_lo=`expr '(' $ac_mid ')' + 1` fi -ac_res=`eval echo '${'$as_ac_var'}'` - { echo "$as_me:$LINENO: result: $ac_res" >&5 -echo "${ECHO_T}$ac_res" >&6; } -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF -fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext done - - -{ echo "$as_me:$LINENO: checking for char" >&5 -echo $ECHO_N "checking for char... $ECHO_C" >&6; } -if test "${ac_cv_type_char+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +case $ac_lo in +?*) ac_cv_sizeof_long_long_int=$ac_lo;; +'') if test "$ac_cv_type_long_long_int" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (long long int) +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute sizeof (long long int) +See \`config.log' for more details." >&2;} + { (exit 77); exit 77; }; }; } + else + ac_cv_sizeof_long_long_int=0 + fi ;; +esac else cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ 
@@ -21917,56 +16535,103 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default -typedef char ac__type_new_; +static long int longval () { return (long int) (sizeof (long long int)); } +static unsigned long int ulongval () { return (long int) (sizeof (long long int)); } +#include +#include int main () { -if ((ac__type_new_ *) 0) - return 0; -if (sizeof (ac__type_new_)) - return 0; + + FILE *f = fopen ("conftest.val", "w"); + if (! f) + return 1; + if (((long int) (sizeof (long long int))) < 0) + { + long int i = longval (); + if (i != ((long int) (sizeof (long long int)))) + return 1; + fprintf (f, "%ld", i); + } + else + { + unsigned long int i = ulongval (); + if (i != ((long int) (sizeof (long long int)))) + return 1; + fprintf (f, "%lu", i); + } + /* Do not output a trailing newline, as this causes \r\n confusion + on some platforms. */ + return ferror (f) || fclose (f) != 0; + ; return 0; } _ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_cv_type_char=yes + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_sizeof_long_long_int=`cat conftest.val` else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_type_char=no +( exit $ac_status ) +if test "$ac_cv_type_long_long_int" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (long long int) +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute sizeof (long long int) +See \`config.log' for more details." >&2;} + { (exit 77); exit 77; }; }; } + else + ac_cv_sizeof_long_long_int=0 + fi fi - -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi -{ echo "$as_me:$LINENO: result: $ac_cv_type_char" >&5 -echo "${ECHO_T}$ac_cv_type_char" >&6; } +rm -f conftest.val +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_sizeof_long_long_int" >&5 +$as_echo "$ac_cv_sizeof_long_long_int" >&6; } + + + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_LONG_LONG_INT $ac_cv_sizeof_long_long_int +_ACEOF + # The cast to long int works around a bug in the HP C Compiler # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. -{ echo "$as_me:$LINENO: checking size of char" >&5 -echo $ECHO_N "checking size of char... $ECHO_C" >&6; } -if test "${ac_cv_sizeof_char+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +{ $as_echo "$as_me:$LINENO: checking size of unsigned int" >&5 +$as_echo_n "checking size of unsigned int... 
" >&6; } +if test "${ac_cv_sizeof_unsigned_int+set}" = set; then + $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then # Depending upon the size, compute the lo and hi bounds. @@ -21977,11 +16642,10 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef char ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) >= 0)]; +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned int))) >= 0)]; test_array [0] = 0 ; @@ -21994,13 +16658,14 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err @@ -22014,11 +16679,10 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef char ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) <= $ac_mid)]; +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned int))) <= $ac_mid)]; test_array [0] = 0 ; 
@@ -22031,20 +16695,21 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then ac_hi=$ac_mid; break else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_lo=`expr $ac_mid + 1` @@ -22058,7 +16723,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext done else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 cat >conftest.$ac_ext <<_ACEOF @@ -22068,11 +16733,10 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef char ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) < 0)]; +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned int))) < 0)]; test_array [0] = 0 ; @@ -22085,13 +16749,14 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err 
@@ -22105,11 +16770,10 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef char ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) >= $ac_mid)]; +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned int))) >= $ac_mid)]; test_array [0] = 0 ; @@ -22122,20 +16786,21 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then ac_lo=$ac_mid; break else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_hi=`expr '(' $ac_mid ')' - 1` @@ -22149,7 +16814,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext done else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_lo= ac_hi= @@ -22169,11 +16834,10 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef char ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) <= $ac_mid)]; +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned int))) <= $ac_mid)]; test_array [0] = 0 ; 
@@ -22186,20 +16850,21 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then ac_hi=$ac_mid else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_lo=`expr '(' $ac_mid ')' + 1` @@ -22208,15 +16873,17 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext done case $ac_lo in -?*) ac_cv_sizeof_char=$ac_lo;; -'') if test "$ac_cv_type_char" = yes; then - { { echo "$as_me:$LINENO: error: cannot compute sizeof (char) +?*) ac_cv_sizeof_unsigned_int=$ac_lo;; +'') if test "$ac_cv_type_unsigned_int" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (unsigned int) See \`config.log' for more details." >&5 -echo "$as_me: error: cannot compute sizeof (char) +$as_echo "$as_me: error: cannot compute sizeof (unsigned int) See \`config.log' for more details." >&2;} - { (exit 77); exit 77; }; } + { (exit 77); exit 77; }; }; } else - ac_cv_sizeof_char=0 + ac_cv_sizeof_unsigned_int=0 fi ;; esac else 
@@ -22227,9 +16894,8 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef char ac__type_sizeof_; -static long int longval () { return (long int) (sizeof (ac__type_sizeof_)); } -static unsigned long int ulongval () { return (long int) (sizeof (ac__type_sizeof_)); } +static long int longval () { return (long int) (sizeof (unsigned int)); } +static unsigned long int ulongval () { return (long int) (sizeof (unsigned int)); } #include #include int @@ -22239,20 +16905,22 @@ FILE *f = fopen ("conftest.val", "w"); if (! f) return 1; - if (((long int) (sizeof (ac__type_sizeof_))) < 0) + if (((long int) (sizeof (unsigned int))) < 0) { long int i = longval (); - if (i != ((long int) (sizeof (ac__type_sizeof_)))) + if (i != ((long int) (sizeof (unsigned int)))) return 1; - fprintf (f, "%ld\n", i); + fprintf (f, "%ld", i); } else { unsigned long int i = ulongval (); - if (i != ((long int) (sizeof (ac__type_sizeof_)))) + if (i != ((long int) (sizeof (unsigned int)))) return 1; - fprintf (f, "%lu\n", i); + fprintf (f, "%lu", i); } + /* Do not output a trailing newline, as this causes \r\n confusion + on some platforms. */ return ferror (f) || fclose (f) != 0; ; 
@@ -22265,113 +16933,64 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_link") 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' { (case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_try") 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - ac_cv_sizeof_char=`cat conftest.val` + ac_cv_sizeof_unsigned_int=`cat conftest.val` else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ( exit $ac_status ) -if test "$ac_cv_type_char" = yes; then - { { echo "$as_me:$LINENO: error: cannot compute sizeof (char) +if test "$ac_cv_type_unsigned_int" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (unsigned int) See \`config.log' for more details." >&5 -echo "$as_me: error: cannot compute sizeof (char) +$as_echo "$as_me: error: cannot compute sizeof (unsigned int) See \`config.log' for more details." 
>&2;} - { (exit 77); exit 77; }; } + { (exit 77); exit 77; }; }; } else - ac_cv_sizeof_char=0 + ac_cv_sizeof_unsigned_int=0 fi fi +rm -rf conftest.dSYM rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi rm -f conftest.val fi -{ echo "$as_me:$LINENO: result: $ac_cv_sizeof_char" >&5 -echo "${ECHO_T}$ac_cv_sizeof_char" >&6; } +{ $as_echo "$as_me:$LINENO: result: $ac_cv_sizeof_unsigned_int" >&5 +$as_echo "$ac_cv_sizeof_unsigned_int" >&6; } cat >>confdefs.h <<_ACEOF -#define SIZEOF_CHAR $ac_cv_sizeof_char -_ACEOF - - -{ echo "$as_me:$LINENO: checking for short" >&5 -echo $ECHO_N "checking for short... $ECHO_C" >&6; } -if test "${ac_cv_type_short+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -$ac_includes_default -typedef short ac__type_new_; -int -main () -{ -if ((ac__type_new_ *) 0) - return 0; -if (sizeof (ac__type_new_)) - return 0; - ; - return 0; -} +#define SIZEOF_UNSIGNED_INT $ac_cv_sizeof_unsigned_int _ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! 
-s conftest.err - } && test -s conftest.$ac_objext; then - ac_cv_type_short=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_cv_type_short=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ echo "$as_me:$LINENO: result: $ac_cv_type_short" >&5 -echo "${ECHO_T}$ac_cv_type_short" >&6; } # The cast to long int works around a bug in the HP C Compiler # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. -{ echo "$as_me:$LINENO: checking size of short" >&5 -echo $ECHO_N "checking size of short... $ECHO_C" >&6; } -if test "${ac_cv_sizeof_short+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +{ $as_echo "$as_me:$LINENO: checking size of unsigned long int" >&5 +$as_echo_n "checking size of unsigned long int... " >&6; } +if test "${ac_cv_sizeof_unsigned_long_int+set}" = set; then + $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then # Depending upon the size, compute the lo and hi bounds. @@ -22382,11 +17001,10 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef short ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) >= 0)]; +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned long int))) >= 0)]; test_array [0] = 0 ; @@ -22399,13 +17017,14 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err 
@@ -22419,11 +17038,10 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef short ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) <= $ac_mid)]; +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned long int))) <= $ac_mid)]; test_array [0] = 0 ; @@ -22436,20 +17054,21 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then ac_hi=$ac_mid; break else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_lo=`expr $ac_mid + 1` @@ -22463,7 +17082,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext done else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 cat >conftest.$ac_ext <<_ACEOF @@ -22473,11 +17092,10 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef short ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) < 0)]; +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned long int))) < 0)]; test_array [0] = 0 ; 
@@ -22490,13 +17108,14 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err @@ -22510,11 +17129,10 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef short ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) >= $ac_mid)]; +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned long int))) >= $ac_mid)]; test_array [0] = 0 ; @@ -22527,20 +17145,21 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then ac_lo=$ac_mid; break else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_hi=`expr '(' $ac_mid ')' - 1` @@ -22554,7 +17173,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext done else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_lo= ac_hi= 
@@ -22574,11 +17193,10 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef short ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) <= $ac_mid)]; +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned long int))) <= $ac_mid)]; test_array [0] = 0 ; @@ -22591,20 +17209,21 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then ac_hi=$ac_mid else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_lo=`expr '(' $ac_mid ')' + 1` @@ -22613,15 +17232,17 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext done case $ac_lo in -?*) ac_cv_sizeof_short=$ac_lo;; -'') if test "$ac_cv_type_short" = yes; then - { { echo "$as_me:$LINENO: error: cannot compute sizeof (short) +?*) ac_cv_sizeof_unsigned_long_int=$ac_lo;; +'') if test "$ac_cv_type_unsigned_long_int" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (unsigned long int) See \`config.log' for more details." >&5 -echo "$as_me: error: cannot compute sizeof (short) +$as_echo "$as_me: error: cannot compute sizeof (unsigned long int) See \`config.log' for more details." >&2;} - { (exit 77); exit 77; }; } + { (exit 77); exit 77; }; }; } else - ac_cv_sizeof_short=0 + ac_cv_sizeof_unsigned_long_int=0 fi ;; esac else 
@@ -22632,9 +17253,8 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef short ac__type_sizeof_; -static long int longval () { return (long int) (sizeof (ac__type_sizeof_)); } -static unsigned long int ulongval () { return (long int) (sizeof (ac__type_sizeof_)); } +static long int longval () { return (long int) (sizeof (unsigned long int)); } +static unsigned long int ulongval () { return (long int) (sizeof (unsigned long int)); } #include #include int @@ -22644,20 +17264,22 @@ FILE *f = fopen ("conftest.val", "w"); if (! f) return 1; - if (((long int) (sizeof (ac__type_sizeof_))) < 0) + if (((long int) (sizeof (unsigned long int))) < 0) { long int i = longval (); - if (i != ((long int) (sizeof (ac__type_sizeof_)))) + if (i != ((long int) (sizeof (unsigned long int)))) return 1; - fprintf (f, "%ld\n", i); + fprintf (f, "%ld", i); } else { unsigned long int i = ulongval (); - if (i != ((long int) (sizeof (ac__type_sizeof_)))) + if (i != ((long int) (sizeof (unsigned long int)))) return 1; - fprintf (f, "%lu\n", i); + fprintf (f, "%lu", i); } + /* Do not output a trailing newline, as this causes \r\n confusion + on some platforms. */ return ferror (f) || fclose (f) != 0; ; 
@@ -22670,113 +17292,64 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_link") 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' { (case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_try") 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - ac_cv_sizeof_short=`cat conftest.val` + ac_cv_sizeof_unsigned_long_int=`cat conftest.val` else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ( exit $ac_status ) -if test "$ac_cv_type_short" = yes; then - { { echo "$as_me:$LINENO: error: cannot compute sizeof (short) +if test "$ac_cv_type_unsigned_long_int" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (unsigned long int) See \`config.log' for more details." >&5 -echo "$as_me: error: cannot compute sizeof (short) +$as_echo "$as_me: error: cannot compute sizeof (unsigned long int) See \`config.log' for more details." 
>&2;} - { (exit 77); exit 77; }; } + { (exit 77); exit 77; }; }; } else - ac_cv_sizeof_short=0 + ac_cv_sizeof_unsigned_long_int=0 fi fi +rm -rf conftest.dSYM rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi rm -f conftest.val fi -{ echo "$as_me:$LINENO: result: $ac_cv_sizeof_short" >&5 -echo "${ECHO_T}$ac_cv_sizeof_short" >&6; } +{ $as_echo "$as_me:$LINENO: result: $ac_cv_sizeof_unsigned_long_int" >&5 +$as_echo "$ac_cv_sizeof_unsigned_long_int" >&6; } cat >>confdefs.h <<_ACEOF -#define SIZEOF_SHORT $ac_cv_sizeof_short -_ACEOF - - -{ echo "$as_me:$LINENO: checking for int" >&5 -echo $ECHO_N "checking for int... $ECHO_C" >&6; } -if test "${ac_cv_type_int+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -$ac_includes_default -typedef int ac__type_new_; -int -main () -{ -if ((ac__type_new_ *) 0) - return 0; -if (sizeof (ac__type_new_)) - return 0; - ; - return 0; -} +#define SIZEOF_UNSIGNED_LONG_INT $ac_cv_sizeof_unsigned_long_int _ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! 
-s conftest.err - } && test -s conftest.$ac_objext; then - ac_cv_type_int=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_cv_type_int=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ echo "$as_me:$LINENO: result: $ac_cv_type_int" >&5 -echo "${ECHO_T}$ac_cv_type_int" >&6; } # The cast to long int works around a bug in the HP C Compiler # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. -{ echo "$as_me:$LINENO: checking size of int" >&5 -echo $ECHO_N "checking size of int... $ECHO_C" >&6; } -if test "${ac_cv_sizeof_int+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +{ $as_echo "$as_me:$LINENO: checking size of unsigned long long int" >&5 +$as_echo_n "checking size of unsigned long long int... " >&6; } +if test "${ac_cv_sizeof_unsigned_long_long_int+set}" = set; then + $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then # Depending upon the size, compute the lo and hi bounds. @@ -22787,11 +17360,10 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef int ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) >= 0)]; +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned long long int))) >= 0)]; test_array [0] = 0 ; @@ -22804,13 +17376,14 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err 
@@ -22824,11 +17397,10 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef int ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) <= $ac_mid)]; +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned long long int))) <= $ac_mid)]; test_array [0] = 0 ; @@ -22841,20 +17413,21 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then ac_hi=$ac_mid; break else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_lo=`expr $ac_mid + 1` @@ -22868,7 +17441,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext done else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 cat >conftest.$ac_ext <<_ACEOF @@ -22878,11 +17451,10 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef int ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) < 0)]; +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned long long int))) < 0)]; test_array [0] = 0 ; 
@@ -22895,13 +17467,14 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err @@ -22915,11 +17488,10 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef int ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) >= $ac_mid)]; +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned long long int))) >= $ac_mid)]; test_array [0] = 0 ; @@ -22932,20 +17504,21 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then ac_lo=$ac_mid; break else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_hi=`expr '(' $ac_mid ')' - 1` @@ -22959,7 +17532,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext done else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_lo= ac_hi= 
@@ -22979,11 +17552,10 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef int ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) <= $ac_mid)]; +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned long long int))) <= $ac_mid)]; test_array [0] = 0 ; @@ -22996,20 +17568,21 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then ac_hi=$ac_mid else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_lo=`expr '(' $ac_mid ')' + 1` 
@@ -23018,15 +17591,17 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext done case $ac_lo in -?*) ac_cv_sizeof_int=$ac_lo;; -'') if test "$ac_cv_type_int" = yes; then - { { echo "$as_me:$LINENO: error: cannot compute sizeof (int) +?*) ac_cv_sizeof_unsigned_long_long_int=$ac_lo;; +'') if test "$ac_cv_type_unsigned_long_long_int" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (unsigned long long int) See \`config.log' for more details." >&5 -echo "$as_me: error: cannot compute sizeof (int) +$as_echo "$as_me: error: cannot compute sizeof (unsigned long long int) See \`config.log' for more details." >&2;} - { (exit 77); exit 77; }; } + { (exit 77); exit 77; }; }; } else - ac_cv_sizeof_int=0 + ac_cv_sizeof_unsigned_long_long_int=0 fi ;; esac else @@ -23037,9 +17612,8 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef int ac__type_sizeof_; -static long int longval () { return (long int) (sizeof (ac__type_sizeof_)); } -static unsigned long int ulongval () { return (long int) (sizeof (ac__type_sizeof_)); } +static long int longval () { return (long int) (sizeof (unsigned long long int)); } +static unsigned long int ulongval () { return (long int) (sizeof (unsigned long long int)); } #include #include int 
@@ -23049,20 +17623,22 @@ FILE *f = fopen ("conftest.val", "w"); if (! f) return 1; - if (((long int) (sizeof (ac__type_sizeof_))) < 0) + if (((long int) (sizeof (unsigned long long int))) < 0) { long int i = longval (); - if (i != ((long int) (sizeof (ac__type_sizeof_)))) + if (i != ((long int) (sizeof (unsigned long long int)))) return 1; - fprintf (f, "%ld\n", i); + fprintf (f, "%ld", i); } else { unsigned long int i = ulongval (); - if (i != ((long int) (sizeof (ac__type_sizeof_)))) + if (i != ((long int) (sizeof (unsigned long long int)))) return 1; - fprintf (f, "%lu\n", i); + fprintf (f, "%lu", i); } + /* Do not output a trailing newline, as this causes \r\n confusion + on some platforms. */ return ferror (f) || fclose (f) != 0; ; 
@@ -23075,116 +17651,64 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_link") 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' { (case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_try") 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - ac_cv_sizeof_int=`cat conftest.val` + ac_cv_sizeof_unsigned_long_long_int=`cat conftest.val` else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ( exit $ac_status ) -if test "$ac_cv_type_int" = yes; then - { { echo "$as_me:$LINENO: error: cannot compute sizeof (int) +if test "$ac_cv_type_unsigned_long_long_int" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (unsigned long long int) See \`config.log' for more details." >&5 -echo "$as_me: error: cannot compute sizeof (int) +$as_echo "$as_me: error: cannot compute sizeof (unsigned long long int) See \`config.log' for more details." 
>&2;} - { (exit 77); exit 77; }; } + { (exit 77); exit 77; }; }; } else - ac_cv_sizeof_int=0 + ac_cv_sizeof_unsigned_long_long_int=0 fi fi +rm -rf conftest.dSYM rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi rm -f conftest.val fi -{ echo "$as_me:$LINENO: result: $ac_cv_sizeof_int" >&5 -echo "${ECHO_T}$ac_cv_sizeof_int" >&6; } +{ $as_echo "$as_me:$LINENO: result: $ac_cv_sizeof_unsigned_long_long_int" >&5 +$as_echo "$ac_cv_sizeof_unsigned_long_long_int" >&6; } cat >>confdefs.h <<_ACEOF -#define SIZEOF_INT $ac_cv_sizeof_int -_ACEOF - - -{ echo "$as_me:$LINENO: checking for long int" >&5 -echo $ECHO_N "checking for long int... $ECHO_C" >&6; } -if test "${ac_cv_type_long_int+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -$ac_includes_default -typedef long int ac__type_new_; -int -main () -{ -if ((ac__type_new_ *) 0) - return 0; -if (sizeof (ac__type_new_)) - return 0; - ; - return 0; -} +#define SIZEOF_UNSIGNED_LONG_LONG_INT $ac_cv_sizeof_unsigned_long_long_int _ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! 
-s conftest.err - } && test -s conftest.$ac_objext; then - ac_cv_type_long_int=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_type_long_int=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ echo "$as_me:$LINENO: result: $ac_cv_type_long_int" >&5 -echo "${ECHO_T}$ac_cv_type_long_int" >&6; } -# The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ echo "$as_me:$LINENO: checking size of long int" >&5 -echo $ECHO_N "checking size of long int... $ECHO_C" >&6; } -if test "${ac_cv_sizeof_long_int+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +# Check for int types +{ $as_echo "$as_me:$LINENO: checking for u_int8_t" >&5 +$as_echo_n "checking for u_int8_t... " >&6; } +if test "${ac_cv_type_u_int8_t+set}" = set; then + $as_echo_n "(cached) " >&6 else - if test "$cross_compiling" = yes; then - # Depending upon the size, compute the lo and hi bounds. + ac_cv_type_u_int8_t=no cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF @@ -23192,13 +17716,11 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef long int ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) >= 0)]; -test_array [0] = 0 - +if (sizeof (u_int8_t)) + return 0; ; return 0; } 
@@ -23209,33 +17731,30 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_lo=0 ac_mid=0 - while :; do - cat >conftest.$ac_ext <<_ACEOF + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef long int ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) <= $ac_mid)]; -test_array [0] = 0 - +if (sizeof ((u_int8_t))) + return 0; ; return 0; } 
@@ -23246,50 +17765,64 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_hi=$ac_mid; break + : else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_lo=`expr $ac_mid + 1` - if test $ac_lo -le $ac_mid; then - ac_lo= ac_hi= - break - fi - ac_mid=`expr 2 '*' $ac_mid + 1` + ac_cv_type_u_int8_t=yes fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - done else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - cat >conftest.$ac_ext <<_ACEOF + +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_u_int8_t" >&5 +$as_echo "$ac_cv_type_u_int8_t" >&6; } +if test "x$ac_cv_type_u_int8_t" = x""yes; then + +cat >>confdefs.h <<_ACEOF +#define HAVE_U_INT8_T 1 +_ACEOF + + +fi +{ $as_echo "$as_me:$LINENO: checking for u_int16_t" >&5 +$as_echo_n "checking for u_int16_t... " >&6; } +if test "${ac_cv_type_u_int16_t+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_cv_type_u_int16_t=no +cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef long int ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) < 0)]; -test_array [0] = 0 - +if (sizeof (u_int16_t)) + return 0; ; return 0; } 
@@ -23300,33 +17833,30 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_hi=-1 ac_mid=-1 - while :; do - cat >conftest.$ac_ext <<_ACEOF + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef long int ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) >= $ac_mid)]; -test_array [0] = 0 - +if (sizeof ((u_int16_t))) + return 0; ; return 0; } 
@@ -23337,60 +17867,64 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_lo=$ac_mid; break + : else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_hi=`expr '(' $ac_mid ')' - 1` - if test $ac_mid -le $ac_hi; then - ac_lo= ac_hi= - break - fi - ac_mid=`expr 2 '*' $ac_mid` + ac_cv_type_u_int16_t=yes fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - done else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_lo= ac_hi= + fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_u_int16_t" >&5 +$as_echo "$ac_cv_type_u_int16_t" >&6; } +if test "x$ac_cv_type_u_int16_t" = x""yes; then -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -# Binary search between lo and hi bounds. -while test "x$ac_lo" != "x$ac_hi"; do - ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo` - cat >conftest.$ac_ext <<_ACEOF +cat >>confdefs.h <<_ACEOF +#define HAVE_U_INT16_T 1 +_ACEOF + + +fi +{ $as_echo "$as_me:$LINENO: checking for u_int32_t" >&5 +$as_echo_n "checking for u_int32_t... " >&6; } +if test "${ac_cv_type_u_int32_t+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_cv_type_u_int32_t=no +cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. 
*/ $ac_includes_default - typedef long int ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) <= $ac_mid)]; -test_array [0] = 0 - +if (sizeof (u_int32_t)) + return 0; ; return 0; } @@ -23401,40 +17935,18 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_hi=$ac_mid -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_lo=`expr '(' $ac_mid ')' + 1` -fi - -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -done -case $ac_lo in -?*) ac_cv_sizeof_long_int=$ac_lo;; -'') if test "$ac_cv_type_long_int" = yes; then - { { echo "$as_me:$LINENO: error: cannot compute sizeof (long int) -See \`config.log' for more details." >&5 -echo "$as_me: error: cannot compute sizeof (long int) -See \`config.log' for more details." >&2;} - { (exit 77); exit 77; }; } - else - ac_cv_sizeof_long_int=0 - fi ;; -esac -else cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF 
@@ -23442,109 +17954,113 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef long int ac__type_sizeof_; -static long int longval () { return (long int) (sizeof (ac__type_sizeof_)); } -static unsigned long int ulongval () { return (long int) (sizeof (ac__type_sizeof_)); } -#include -#include int main () { - - FILE *f = fopen ("conftest.val", "w"); - if (! f) - return 1; - if (((long int) (sizeof (ac__type_sizeof_))) < 0) - { - long int i = longval (); - if (i != ((long int) (sizeof (ac__type_sizeof_)))) - return 1; - fprintf (f, "%ld\n", i); - } - else - { - unsigned long int i = ulongval (); - if (i != ((long int) (sizeof (ac__type_sizeof_)))) - return 1; - fprintf (f, "%lu\n", i); - } - return ferror (f) || fclose (f) != 0; - +if (sizeof ((u_int32_t))) + return 0; ; return 0; } _ACEOF -rm -f conftest$ac_exeext -if { (ac_try="$ac_link" +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_try") 2>&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_sizeof_long_int=`cat conftest.val` + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + : else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -( exit $ac_status ) -if test "$ac_cv_type_long_int" = yes; then - { { echo "$as_me:$LINENO: error: cannot compute sizeof (long int) -See \`config.log' for more details." >&5 -echo "$as_me: error: cannot compute sizeof (long int) -See \`config.log' for more details." >&2;} - { (exit 77); exit 77; }; } - else - ac_cv_sizeof_long_int=0 - fi -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext -fi -rm -f conftest.val + ac_cv_type_u_int32_t=yes fi -{ echo "$as_me:$LINENO: result: $ac_cv_sizeof_long_int" >&5 -echo "${ECHO_T}$ac_cv_sizeof_long_int" >&6; } +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_u_int32_t" >&5 +$as_echo "$ac_cv_type_u_int32_t" >&6; } +if test "x$ac_cv_type_u_int32_t" = x""yes; then cat >>confdefs.h <<_ACEOF -#define SIZEOF_LONG_INT $ac_cv_sizeof_long_int +#define HAVE_U_INT32_T 1 _ACEOF -{ echo "$as_me:$LINENO: checking for long long int" >&5 -echo $ECHO_N "checking for long long int... $ECHO_C" >&6; } -if test "${ac_cv_type_long_long_int+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +fi +{ $as_echo "$as_me:$LINENO: checking for u_int64_t" >&5 +$as_echo_n "checking for u_int64_t... " >&6; } +if test "${ac_cv_type_u_int64_t+set}" = set; then + $as_echo_n "(cached) " >&6 else - cat >conftest.$ac_ext <<_ACEOF + ac_cv_type_u_int64_t=no +cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. 
*/ $ac_includes_default -typedef long long int ac__type_new_; int main () { -if ((ac__type_new_ *) 0) - return 0; -if (sizeof (ac__type_new_)) +if (sizeof (u_int64_t)) + return 0; + ; return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof ((u_int64_t))) + return 0; ; return 0; } 
@@ -23555,41 +18071,52 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_cv_type_long_long_int=yes + : +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_type_u_int64_t=yes +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_type_long_long_int=no + fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi -{ echo "$as_me:$LINENO: result: $ac_cv_type_long_long_int" >&5 -echo "${ECHO_T}$ac_cv_type_long_long_int" >&6; } +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_u_int64_t" >&5 +$as_echo "$ac_cv_type_u_int64_t" >&6; } +if test "x$ac_cv_type_u_int64_t" = x""yes; then -# The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ echo "$as_me:$LINENO: checking size of long long int" >&5 -echo $ECHO_N "checking size of long long int... $ECHO_C" >&6; } -if test "${ac_cv_sizeof_long_long_int+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +cat >>confdefs.h <<_ACEOF +#define HAVE_U_INT64_T 1 +_ACEOF + + +fi +{ $as_echo "$as_me:$LINENO: checking for uint8_t" >&5 +$as_echo_n "checking for uint8_t... 
" >&6; } +if test "${ac_cv_type_uint8_t+set}" = set; then + $as_echo_n "(cached) " >&6 else - if test "$cross_compiling" = yes; then - # Depending upon the size, compute the lo and hi bounds. + ac_cv_type_uint8_t=no cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF @@ -23597,13 +18124,11 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef long long int ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) >= 0)]; -test_array [0] = 0 - +if (sizeof (uint8_t)) + return 0; ; return 0; } @@ -23614,33 +18139,30 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_lo=0 ac_mid=0 - while :; do - cat >conftest.$ac_ext <<_ACEOF + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef long long int ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) <= $ac_mid)]; -test_array [0] = 0 - +if (sizeof ((uint8_t))) + return 0; ; return 0; } 
@@ -23651,50 +18173,64 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_hi=$ac_mid; break + : else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_lo=`expr $ac_mid + 1` - if test $ac_lo -le $ac_mid; then - ac_lo= ac_hi= - break - fi - ac_mid=`expr 2 '*' $ac_mid + 1` + ac_cv_type_uint8_t=yes fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - done else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - cat >conftest.$ac_ext <<_ACEOF + +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_uint8_t" >&5 +$as_echo "$ac_cv_type_uint8_t" >&6; } +if test "x$ac_cv_type_uint8_t" = x""yes; then + +cat >>confdefs.h <<_ACEOF +#define HAVE_UINT8_T 1 +_ACEOF + + +fi +{ $as_echo "$as_me:$LINENO: checking for uint16_t" >&5 +$as_echo_n "checking for uint16_t... " >&6; } +if test "${ac_cv_type_uint16_t+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_cv_type_uint16_t=no +cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef long long int ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) < 0)]; -test_array [0] = 0 - +if (sizeof (uint16_t)) + return 0; ; return 0; } 
@@ -23705,33 +18241,30 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_hi=-1 ac_mid=-1 - while :; do - cat >conftest.$ac_ext <<_ACEOF + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef long long int ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) >= $ac_mid)]; -test_array [0] = 0 - +if (sizeof ((uint16_t))) + return 0; ; return 0; } 
@@ -23742,60 +18275,64 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_lo=$ac_mid; break + : else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_hi=`expr '(' $ac_mid ')' - 1` - if test $ac_mid -le $ac_hi; then - ac_lo= ac_hi= - break - fi - ac_mid=`expr 2 '*' $ac_mid` + ac_cv_type_uint16_t=yes fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - done else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_lo= ac_hi= + fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_uint16_t" >&5 +$as_echo "$ac_cv_type_uint16_t" >&6; } +if test "x$ac_cv_type_uint16_t" = x""yes; then -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -# Binary search between lo and hi bounds. -while test "x$ac_lo" != "x$ac_hi"; do - ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo` - cat >conftest.$ac_ext <<_ACEOF +cat >>confdefs.h <<_ACEOF +#define HAVE_UINT16_T 1 +_ACEOF + + +fi +{ $as_echo "$as_me:$LINENO: checking for uint32_t" >&5 +$as_echo_n "checking for uint32_t... " >&6; } +if test "${ac_cv_type_uint32_t+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_cv_type_uint32_t=no +cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. 
*/ $ac_includes_default - typedef long long int ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) <= $ac_mid)]; -test_array [0] = 0 - +if (sizeof (uint32_t)) + return 0; ; return 0; } @@ -23806,40 +18343,18 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_hi=$ac_mid -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_lo=`expr '(' $ac_mid ')' + 1` -fi - -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -done -case $ac_lo in -?*) ac_cv_sizeof_long_long_int=$ac_lo;; -'') if test "$ac_cv_type_long_long_int" = yes; then - { { echo "$as_me:$LINENO: error: cannot compute sizeof (long long int) -See \`config.log' for more details." >&5 -echo "$as_me: error: cannot compute sizeof (long long int) -See \`config.log' for more details." >&2;} - { (exit 77); exit 77; }; } - else - ac_cv_sizeof_long_long_int=0 - fi ;; -esac -else cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF 
@@ -23847,109 +18362,113 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef long long int ac__type_sizeof_; -static long int longval () { return (long int) (sizeof (ac__type_sizeof_)); } -static unsigned long int ulongval () { return (long int) (sizeof (ac__type_sizeof_)); } -#include -#include int main () { - - FILE *f = fopen ("conftest.val", "w"); - if (! f) - return 1; - if (((long int) (sizeof (ac__type_sizeof_))) < 0) - { - long int i = longval (); - if (i != ((long int) (sizeof (ac__type_sizeof_)))) - return 1; - fprintf (f, "%ld\n", i); - } - else - { - unsigned long int i = ulongval (); - if (i != ((long int) (sizeof (ac__type_sizeof_)))) - return 1; - fprintf (f, "%lu\n", i); - } - return ferror (f) || fclose (f) != 0; - +if (sizeof ((uint32_t))) + return 0; ; return 0; } _ACEOF -rm -f conftest$ac_exeext -if { (ac_try="$ac_link" +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_try") 2>&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_sizeof_long_long_int=`cat conftest.val` -else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - -( exit $ac_status ) -if test "$ac_cv_type_long_long_int" = yes; then - { { echo "$as_me:$LINENO: error: cannot compute sizeof (long long int) -See \`config.log' for more details." 
>&5 -echo "$as_me: error: cannot compute sizeof (long long int) -See \`config.log' for more details." >&2;} - { (exit 77); exit 77; }; } - else - ac_cv_sizeof_long_long_int=0 - fi -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext -fi -rm -f conftest.val + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + : +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_type_uint32_t=yes fi -{ echo "$as_me:$LINENO: result: $ac_cv_sizeof_long_long_int" >&5 -echo "${ECHO_T}$ac_cv_sizeof_long_long_int" >&6; } + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_uint32_t" >&5 +$as_echo "$ac_cv_type_uint32_t" >&6; } +if test "x$ac_cv_type_uint32_t" = x""yes; then cat >>confdefs.h <<_ACEOF -#define SIZEOF_LONG_LONG_INT $ac_cv_sizeof_long_long_int +#define HAVE_UINT32_T 1 _ACEOF -{ echo "$as_me:$LINENO: checking for unsigned int" >&5 -echo $ECHO_N "checking for unsigned int... $ECHO_C" >&6; } -if test "${ac_cv_type_unsigned_int+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +fi +{ $as_echo "$as_me:$LINENO: checking for uint64_t" >&5 +$as_echo_n "checking for uint64_t... " >&6; } +if test "${ac_cv_type_uint64_t+set}" = set; then + $as_echo_n "(cached) " >&6 else - cat >conftest.$ac_ext <<_ACEOF + ac_cv_type_uint64_t=no +cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. 
*/ $ac_includes_default -typedef unsigned int ac__type_new_; int main () { -if ((ac__type_new_ *) 0) - return 0; -if (sizeof (ac__type_new_)) +if (sizeof (uint64_t)) + return 0; + ; return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof ((uint64_t))) + return 0; ; return 0; } 
@@ -23960,41 +18479,53 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_cv_type_unsigned_int=yes + : else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_type_unsigned_int=no + ac_cv_type_uint64_t=yes fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + fi -{ echo "$as_me:$LINENO: result: $ac_cv_type_unsigned_int" >&5 -echo "${ECHO_T}$ac_cv_type_unsigned_int" >&6; } -# The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ echo "$as_me:$LINENO: checking size of unsigned int" >&5 -echo $ECHO_N "checking size of unsigned int... $ECHO_C" >&6; } -if test "${ac_cv_sizeof_unsigned_int+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_uint64_t" >&5 +$as_echo "$ac_cv_type_uint64_t" >&6; } +if test "x$ac_cv_type_uint64_t" = x""yes; then + +cat >>confdefs.h <<_ACEOF +#define HAVE_UINT64_T 1 +_ACEOF + + +fi + +{ $as_echo "$as_me:$LINENO: checking for int8_t" >&5 +$as_echo_n "checking for int8_t... 
" >&6; } +if test "${ac_cv_type_int8_t+set}" = set; then + $as_echo_n "(cached) " >&6 else - if test "$cross_compiling" = yes; then - # Depending upon the size, compute the lo and hi bounds. + ac_cv_type_int8_t=no cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF @@ -24002,13 +18533,11 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef unsigned int ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) >= 0)]; -test_array [0] = 0 - +if (sizeof (int8_t)) + return 0; ; return 0; } @@ -24019,33 +18548,30 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_lo=0 ac_mid=0 - while :; do - cat >conftest.$ac_ext <<_ACEOF + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef unsigned int ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) <= $ac_mid)]; -test_array [0] = 0 - +if (sizeof ((int8_t))) + return 0; ; return 0; } 
@@ -24056,50 +18582,64 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_hi=$ac_mid; break + : else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_lo=`expr $ac_mid + 1` - if test $ac_lo -le $ac_mid; then - ac_lo= ac_hi= - break - fi - ac_mid=`expr 2 '*' $ac_mid + 1` + ac_cv_type_int8_t=yes fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - done else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - cat >conftest.$ac_ext <<_ACEOF + +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_int8_t" >&5 +$as_echo "$ac_cv_type_int8_t" >&6; } +if test "x$ac_cv_type_int8_t" = x""yes; then + +cat >>confdefs.h <<_ACEOF +#define HAVE_INT8_T 1 +_ACEOF + + +fi +{ $as_echo "$as_me:$LINENO: checking for int16_t" >&5 +$as_echo_n "checking for int16_t... " >&6; } +if test "${ac_cv_type_int16_t+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_cv_type_int16_t=no +cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef unsigned int ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) < 0)]; -test_array [0] = 0 - +if (sizeof (int16_t)) + return 0; ; return 0; } 
@@ -24110,33 +18650,30 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_hi=-1 ac_mid=-1 - while :; do - cat >conftest.$ac_ext <<_ACEOF + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef unsigned int ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) >= $ac_mid)]; -test_array [0] = 0 - +if (sizeof ((int16_t))) + return 0; ; return 0; } 
@@ -24147,60 +18684,64 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_lo=$ac_mid; break + : else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_hi=`expr '(' $ac_mid ')' - 1` - if test $ac_mid -le $ac_hi; then - ac_lo= ac_hi= - break - fi - ac_mid=`expr 2 '*' $ac_mid` + ac_cv_type_int16_t=yes fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - done else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_lo= ac_hi= + fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_int16_t" >&5 +$as_echo "$ac_cv_type_int16_t" >&6; } +if test "x$ac_cv_type_int16_t" = x""yes; then -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -# Binary search between lo and hi bounds. -while test "x$ac_lo" != "x$ac_hi"; do - ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo` - cat >conftest.$ac_ext <<_ACEOF +cat >>confdefs.h <<_ACEOF +#define HAVE_INT16_T 1 +_ACEOF + + +fi +{ $as_echo "$as_me:$LINENO: checking for int32_t" >&5 +$as_echo_n "checking for int32_t... " >&6; } +if test "${ac_cv_type_int32_t+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_cv_type_int32_t=no +cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. 
*/ $ac_includes_default - typedef unsigned int ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) <= $ac_mid)]; -test_array [0] = 0 - +if (sizeof (int32_t)) + return 0; ; return 0; } @@ -24211,40 +18752,18 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_hi=$ac_mid -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_lo=`expr '(' $ac_mid ')' + 1` -fi - -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -done -case $ac_lo in -?*) ac_cv_sizeof_unsigned_int=$ac_lo;; -'') if test "$ac_cv_type_unsigned_int" = yes; then - { { echo "$as_me:$LINENO: error: cannot compute sizeof (unsigned int) -See \`config.log' for more details." >&5 -echo "$as_me: error: cannot compute sizeof (unsigned int) -See \`config.log' for more details." >&2;} - { (exit 77); exit 77; }; } - else - ac_cv_sizeof_unsigned_int=0 - fi ;; -esac -else cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF 
@@ -24252,109 +18771,113 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef unsigned int ac__type_sizeof_; -static long int longval () { return (long int) (sizeof (ac__type_sizeof_)); } -static unsigned long int ulongval () { return (long int) (sizeof (ac__type_sizeof_)); } -#include -#include int main () { - - FILE *f = fopen ("conftest.val", "w"); - if (! f) - return 1; - if (((long int) (sizeof (ac__type_sizeof_))) < 0) - { - long int i = longval (); - if (i != ((long int) (sizeof (ac__type_sizeof_)))) - return 1; - fprintf (f, "%ld\n", i); - } - else - { - unsigned long int i = ulongval (); - if (i != ((long int) (sizeof (ac__type_sizeof_)))) - return 1; - fprintf (f, "%lu\n", i); - } - return ferror (f) || fclose (f) != 0; - +if (sizeof ((int32_t))) + return 0; ; return 0; } _ACEOF -rm -f conftest$ac_exeext -if { (ac_try="$ac_link" +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_try") 2>&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_sizeof_unsigned_int=`cat conftest.val` + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + : else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -( exit $ac_status ) -if test "$ac_cv_type_unsigned_int" = yes; then - { { echo "$as_me:$LINENO: error: cannot compute sizeof (unsigned int) -See \`config.log' for more details." >&5 -echo "$as_me: error: cannot compute sizeof (unsigned int) -See \`config.log' for more details." >&2;} - { (exit 77); exit 77; }; } - else - ac_cv_sizeof_unsigned_int=0 - fi -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext -fi -rm -f conftest.val + ac_cv_type_int32_t=yes fi -{ echo "$as_me:$LINENO: result: $ac_cv_sizeof_unsigned_int" >&5 -echo "${ECHO_T}$ac_cv_sizeof_unsigned_int" >&6; } + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_int32_t" >&5 +$as_echo "$ac_cv_type_int32_t" >&6; } +if test "x$ac_cv_type_int32_t" = x""yes; then cat >>confdefs.h <<_ACEOF -#define SIZEOF_UNSIGNED_INT $ac_cv_sizeof_unsigned_int +#define HAVE_INT32_T 1 _ACEOF -{ echo "$as_me:$LINENO: checking for unsigned long int" >&5 -echo $ECHO_N "checking for unsigned long int... $ECHO_C" >&6; } -if test "${ac_cv_type_unsigned_long_int+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +fi +{ $as_echo "$as_me:$LINENO: checking for int64_t" >&5 +$as_echo_n "checking for int64_t... " >&6; } +if test "${ac_cv_type_int64_t+set}" = set; then + $as_echo_n "(cached) " >&6 else - cat >conftest.$ac_ext <<_ACEOF + ac_cv_type_int64_t=no +cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. 
*/ $ac_includes_default -typedef unsigned long int ac__type_new_; int main () { -if ((ac__type_new_ *) 0) - return 0; -if (sizeof (ac__type_new_)) +if (sizeof (int64_t)) + return 0; + ; return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof ((int64_t))) + return 0; ; return 0; } 
@@ -24365,41 +18888,54 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_cv_type_unsigned_long_int=yes + : +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_type_int64_t=yes +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_type_unsigned_long_int=no + fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi -{ echo "$as_me:$LINENO: result: $ac_cv_type_unsigned_long_int" >&5 -echo "${ECHO_T}$ac_cv_type_unsigned_long_int" >&6; } +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_int64_t" >&5 +$as_echo "$ac_cv_type_int64_t" >&6; } +if test "x$ac_cv_type_int64_t" = x""yes; then -# The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ echo "$as_me:$LINENO: checking size of unsigned long int" >&5 -echo $ECHO_N "checking size of unsigned long int... $ECHO_C" >&6; } -if test "${ac_cv_sizeof_unsigned_long_int+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +cat >>confdefs.h <<_ACEOF +#define HAVE_INT64_T 1 +_ACEOF + + +fi + + +{ $as_echo "$as_me:$LINENO: checking for boolean" >&5 +$as_echo_n "checking for boolean... 
" >&6; } +if test "${ac_cv_type_boolean+set}" = set; then + $as_echo_n "(cached) " >&6 else - if test "$cross_compiling" = yes; then - # Depending upon the size, compute the lo and hi bounds. + ac_cv_type_boolean=no cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF @@ -24407,13 +18943,11 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef unsigned long int ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) >= 0)]; -test_array [0] = 0 - +if (sizeof (boolean)) + return 0; ; return 0; } @@ -24424,33 +18958,30 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_lo=0 ac_mid=0 - while :; do - cat >conftest.$ac_ext <<_ACEOF + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef unsigned long int ac__type_sizeof_; int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) <= $ac_mid)]; -test_array [0] = 0 - +if (sizeof ((boolean))) + return 0; ; return 0; } 
@@ -24461,87 +18992,142 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_hi=$ac_mid; break + : else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_lo=`expr $ac_mid + 1` - if test $ac_lo -le $ac_mid; then - ac_lo= ac_hi= - break - fi - ac_mid=`expr 2 '*' $ac_mid + 1` + ac_cv_type_boolean=yes fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - done else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - cat >conftest.$ac_ext <<_ACEOF + +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_boolean" >&5 +$as_echo "$ac_cv_type_boolean" >&6; } +if test "x$ac_cv_type_boolean" = x""yes; then + +cat >>confdefs.h <<_ACEOF +#define HAVE_BOOLEAN 1 +_ACEOF + + +fi + + +# In case INADDR_NONE is not defined (like on Solaris) +have_inaddr_none="no" +{ $as_echo "$as_me:$LINENO: checking for INADDR_NONE" >&5 +$as_echo_n "checking for INADDR_NONE... " >&6; } +if test "$cross_compiling" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot run test program while cross compiling +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot run test program while cross compiling +See \`config.log' for more details." 
>&2;} + { (exit 1); exit 1; }; }; } +else + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -$ac_includes_default - typedef unsigned long int ac__type_sizeof_; + +#include +#include +#include + int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) < 0)]; -test_array [0] = 0 + + if (inet_addr("10,5,2") == INADDR_NONE); + return 0; ; return 0; } _ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_hi=-1 ac_mid=-1 - while :; do - cat >conftest.$ac_ext <<_ACEOF + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + have_inaddr_none="yes" +else + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) +have_inaddr_none="no" +fi +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +fi + + +{ $as_echo "$as_me:$LINENO: result: $have_inaddr_none" >&5 +$as_echo "$have_inaddr_none" >&6; } +if test "x$have_inaddr_none" = "xno"; then + +cat >>confdefs.h <<\_ACEOF +#define INADDR_NONE -1 +_ACEOF + +fi + +cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -$ac_includes_default - typedef unsigned long int ac__type_sizeof_; + +#include + int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) >= $ac_mid)]; -test_array [0] = 0 - +const char *foo; foo = sys_errlist[0]; ; return 0; } 
@@ -24552,60 +19138,47 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_lo=$ac_mid; break -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - ac_hi=`expr '(' $ac_mid ')' - 1` - if test $ac_mid -le $ac_hi; then - ac_lo= ac_hi= - break - fi - ac_mid=`expr 2 '*' $ac_mid` -fi +cat >>confdefs.h <<\_ACEOF +#define ERRLIST_PREDEFINED 1 +_ACEOF -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - done else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_lo= ac_hi= -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -# Binary search between lo and hi bounds. -while test "x$ac_lo" != "x$ac_hi"; do - ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo` - cat >conftest.$ac_ext <<_ACEOF + +{ $as_echo "$as_me:$LINENO: checking for __FUNCTION__" >&5 +$as_echo_n "checking for __FUNCTION__... " >&6; } +cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -$ac_includes_default - typedef unsigned long int ac__type_sizeof_; + +#include + int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) <= $ac_mid)]; -test_array [0] = 0 - +printf ("%s", __FUNCTION__); ; return 0; } 
@@ -24616,195 +19189,262 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_hi=$ac_mid + sn_cv_have___FUNCTION__=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_lo=`expr '(' $ac_mid ')' + 1` + sn_cv__have___FUNCTION__=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -done -case $ac_lo in -?*) ac_cv_sizeof_unsigned_long_int=$ac_lo;; -'') if test "$ac_cv_type_unsigned_long_int" = yes; then - { { echo "$as_me:$LINENO: error: cannot compute sizeof (unsigned long int) -See \`config.log' for more details." >&5 -echo "$as_me: error: cannot compute sizeof (unsigned long int) -See \`config.log' for more details." >&2;} - { (exit 77); exit 77; }; } - else - ac_cv_sizeof_unsigned_long_int=0 - fi ;; -esac +if test "x$sn_cv_have___FUNCTION__" = "xyes"; then + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } + +cat >>confdefs.h <<\_ACEOF +#define HAVE___FUNCTION__ 1 +_ACEOF + else - cat >conftest.$ac_ext <<_ACEOF + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } + { $as_echo "$as_me:$LINENO: checking for __func__" >&5 +$as_echo_n "checking for __func__... " >&6; } + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. 
*/ -$ac_includes_default - typedef unsigned long int ac__type_sizeof_; -static long int longval () { return (long int) (sizeof (ac__type_sizeof_)); } -static unsigned long int ulongval () { return (long int) (sizeof (ac__type_sizeof_)); } + #include -#include + int main () { - - FILE *f = fopen ("conftest.val", "w"); - if (! f) - return 1; - if (((long int) (sizeof (ac__type_sizeof_))) < 0) - { - long int i = longval (); - if (i != ((long int) (sizeof (ac__type_sizeof_)))) - return 1; - fprintf (f, "%ld\n", i); - } - else - { - unsigned long int i = ulongval (); - if (i != ((long int) (sizeof (ac__type_sizeof_)))) - return 1; - fprintf (f, "%lu\n", i); - } - return ferror (f) || fclose (f) != 0; - +printf ("%s", __func__); ; return 0; } _ACEOF -rm -f conftest$ac_exeext -if { (ac_try="$ac_link" +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_try") 2>&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_sizeof_unsigned_long_int=`cat conftest.val` + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + sn_cv_have___func__=yes else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -( exit $ac_status ) -if test "$ac_cv_type_unsigned_long_int" = yes; then - { { echo "$as_me:$LINENO: error: cannot compute sizeof (unsigned long int) -See \`config.log' for more details." >&5 -echo "$as_me: error: cannot compute sizeof (unsigned long int) -See \`config.log' for more details." >&2;} - { (exit 77); exit 77; }; } - else - ac_cv_sizeof_unsigned_long_int=0 - fi + sn_cv__have___func__=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + if test "x$sn_cv_have___func__" = "xyes"; then + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } + +cat >>confdefs.h <<\_ACEOF +#define HAVE___func__ 1 +_ACEOF + + +cat >>confdefs.h <<\_ACEOF +#define __FUNCTION__ __func__ +_ACEOF + + else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } + cat >>confdefs.h <<\_ACEOF +#define __FUNCTION__ "mystery function" +_ACEOF + + fi +fi + + +# Check whether --with-libpcap_includes was given. +if test "${with_libpcap_includes+set}" = set; then + withval=$with_libpcap_includes; with_libpcap_includes="$withval" +else + with_libpcap_includes="no" +fi + + + +# Check whether --with-libpcap_libraries was given. 
+if test "${with_libpcap_libraries+set}" = set; then + withval=$with_libpcap_libraries; with_libpcap_libraries="$withval" +else + with_libpcap_libraries="no" +fi + + + +if test "x$with_libpcap_includes" != "xno"; then + CPPFLAGS="${CPPFLAGS} -I${with_libpcap_includes}" fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext + +if test "x$with_libpcap_libraries" != "xno"; then + LDFLAGS="${LDFLAGS} -L${with_libpcap_libraries}" fi -rm -f conftest.val + +# --with-libpfring-* options + +# Check whether --with-libpfring_includes was given. +if test "${with_libpfring_includes+set}" = set; then + withval=$with_libpfring_includes; with_libpfring_includes="$withval" +else + with_libpfring_includes="no" fi -{ echo "$as_me:$LINENO: result: $ac_cv_sizeof_unsigned_long_int" >&5 -echo "${ECHO_T}$ac_cv_sizeof_unsigned_long_int" >&6; } -cat >>confdefs.h <<_ACEOF -#define SIZEOF_UNSIGNED_LONG_INT $ac_cv_sizeof_unsigned_long_int -_ACEOF +# Check whether --with-libpfring_libraries was given. +if test "${with_libpfring_libraries+set}" = set; then + withval=$with_libpfring_libraries; with_libpfring_libraries="$withval" +else + with_libpfring_libraries="no" +fi + + +if test "x$with_libpfring_includes" != "xno"; then + CPPFLAGS="${CPPFLAGS} -I${with_libpfring_includes}" +fi + +if test "x$with_libpfring_libraries" != "xno"; then + LDFLAGS="${LDFLAGS} -L${with_libpfring_libraries}" +fi +LPCAP="" -{ echo "$as_me:$LINENO: checking for unsigned long long int" >&5 -echo $ECHO_N "checking for unsigned long long int... $ECHO_C" >&6; } -if test "${ac_cv_type_unsigned_long_long_int+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +{ $as_echo "$as_me:$LINENO: checking for pcap_datalink in -lpcap" >&5 +$as_echo_n "checking for pcap_datalink in -lpcap... 
" >&6; } +if test "${ac_cv_lib_pcap_pcap_datalink+set}" = set; then + $as_echo_n "(cached) " >&6 else - cat >conftest.$ac_ext <<_ACEOF + ac_check_lib_save_LIBS=$LIBS +LIBS="-lpcap $LIBS" +cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -$ac_includes_default -typedef unsigned long long int ac__type_new_; + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char pcap_datalink (); int main () { -if ((ac__type_new_ *) 0) - return 0; -if (sizeof (ac__type_new_)) - return 0; +return pcap_datalink (); ; return 0; } _ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! 
-s conftest.err - } && test -s conftest.$ac_objext; then - ac_cv_type_unsigned_long_long_int=yes + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_pcap_pcap_datalink=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_type_unsigned_long_long_int=no + ac_cv_lib_pcap_pcap_datalink=no fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS fi -{ echo "$as_me:$LINENO: result: $ac_cv_type_unsigned_long_long_int" >&5 -echo "${ECHO_T}$ac_cv_type_unsigned_long_long_int" >&6; } +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_pcap_pcap_datalink" >&5 +$as_echo "$ac_cv_lib_pcap_pcap_datalink" >&6; } +if test "x$ac_cv_lib_pcap_pcap_datalink" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBPCAP 1 +_ACEOF + + LIBS="-lpcap $LIBS" -# The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ echo "$as_me:$LINENO: checking size of unsigned long long int" >&5 -echo $ECHO_N "checking size of unsigned long long int... $ECHO_C" >&6; } -if test "${ac_cv_sizeof_unsigned_long_long_int+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 else - if test "$cross_compiling" = yes; then - # Depending upon the size, compute the lo and hi bounds. + LPCAP="no" +fi + + +# If the normal AC_CHECK_LIB for pcap fails then check to see if we are +# using a pfring-enabled pcap. 
+if test "x$LPCAP" = "xno"; then + PFRING_H="" + +for ac_header in pfring.h +do +as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +else + # Is the header compilable? +{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5 +$as_echo_n "checking $ac_header usability... " >&6; } cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF @@ -24812,16 +19452,7 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default - typedef unsigned long long int ac__type_sizeof_; -int -main () -{ -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) >= 0)]; -test_array [0] = 0 - - ; - return 0; -} +#include <$ac_header> _ACEOF rm -f conftest.$ac_objext if { (ac_try="$ac_compile" 
@@ -24829,231 +19460,310 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_lo=0 ac_mid=0 - while :; do - cat >conftest.$ac_ext <<_ACEOF + ac_header_compiler=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_compiler=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +$as_echo "$ac_header_compiler" >&6; } + +# Is the header present? +{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5 +$as_echo_n "checking $ac_header presence... " >&6; } +cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -$ac_includes_default - typedef unsigned long long int ac__type_sizeof_; -int -main () -{ -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) <= $ac_mid)]; -test_array [0] = 0 - - ; - return 0; -} +#include <$ac_header> _ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" +if { (ac_try="$ac_cpp conftest.$ac_ext" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 ac_status=$? 
grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_hi=$ac_mid; break + }; then + ac_header_preproc=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_lo=`expr $ac_mid + 1` - if test $ac_lo -le $ac_mid; then - ac_lo= ac_hi= - break - fi - ac_mid=`expr 2 '*' $ac_mid + 1` + ac_header_preproc=no fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - done +rm -f conftest.err conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +$as_echo "$ac_header_preproc" >&6; } + +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in + yes:no: ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 +$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} + ac_header_preproc=yes + ;; + no:yes:* ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 +$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 +$as_echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" 
>&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 +$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 +$as_echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 +$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} + + ;; +esac +{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 + eval "$as_ac_Header=\$ac_header_preproc" +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ +fi +as_val=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. 
*/ -$ac_includes_default - typedef unsigned long long int ac__type_sizeof_; -int -main () -{ -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) < 0)]; -test_array [0] = 0 - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_hi=-1 ac_mid=-1 - while :; do - cat >conftest.$ac_ext <<_ACEOF +else + PFRING_H="no" +fi + +done + + +# It is important to have the AC_CHECK_LIB for the pfring library BEFORE +# the one for pfring-enabled pcap. When the Makefile is created, all the +# libraries used during linking are added to the LIBS variable in the +# Makefile in the opposite order that their AC_CHECK_LIB macros appear +# in configure.in. Durring linking, the pfring library (-lpfring) MUST come +# _after_ the libpcap library (-lpcap) or linking will fail. + PFRING_L="" + +{ $as_echo "$as_me:$LINENO: checking for pfring_open in -lpfring" >&5 +$as_echo_n "checking for pfring_open in -lpfring... " >&6; } +if test "${ac_cv_lib_pfring_pfring_open+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lpfring $LIBS" +cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -$ac_includes_default - typedef unsigned long long int ac__type_sizeof_; + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char pfring_open (); int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) >= $ac_mid)]; -test_array [0] = 0 - +return pfring_open (); ; return 0; } _ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_lo=$ac_mid; break -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_hi=`expr '(' $ac_mid ')' - 1` - if test $ac_mid -le $ac_hi; then - ac_lo= ac_hi= - break - fi - ac_mid=`expr 2 '*' $ac_mid` -fi - -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - done + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_pfring_pfring_open=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_lo= ac_hi= + ac_cv_lib_pfring_pfring_open=no fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_pfring_pfring_open" >&5 +$as_echo "$ac_cv_lib_pfring_pfring_open" >&6; } +if test "x$ac_cv_lib_pfring_pfring_open" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBPFRING 1 +_ACEOF -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -# Binary search between lo and hi bounds. -while test "x$ac_lo" != "x$ac_hi"; do - ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo` - cat >conftest.$ac_ext <<_ACEOF + LIBS="-lpfring $LIBS" + +else + PFRING_L="no" +fi + + + LPFRING_PCAP="" + +{ $as_echo "$as_me:$LINENO: checking for pfring_open in -lpcap" >&5 +$as_echo_n "checking for pfring_open in -lpcap... " >&6; } +if test "${ac_cv_lib_pcap_pfring_open+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lpcap -lpfring $LIBS" +cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -$ac_includes_default - typedef unsigned long long int ac__type_sizeof_; + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char pfring_open (); int main () { -static int test_array [1 - 2 * !(((long int) (sizeof (ac__type_sizeof_))) <= $ac_mid)]; -test_array [0] = 0 - +return pfring_open (); ; return 0; } _ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_hi=$ac_mid + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_pcap_pfring_open=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_lo=`expr '(' $ac_mid ')' + 1` + ac_cv_lib_pcap_pfring_open=no fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -done -case $ac_lo in -?*) ac_cv_sizeof_unsigned_long_long_int=$ac_lo;; -'') if test "$ac_cv_type_unsigned_long_long_int" = yes; then - { { echo "$as_me:$LINENO: error: cannot compute sizeof (unsigned long long int) +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_pcap_pfring_open" >&5 +$as_echo "$ac_cv_lib_pcap_pfring_open" >&6; } +if test "x$ac_cv_lib_pcap_pfring_open" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define 
HAVE_LIBPCAP 1 +_ACEOF + + LIBS="-lpcap $LIBS" + +else + LPFRING_PCAP="no" +fi + +fi + +# If both the AC_CHECK_LIB for normal pcap and pfring-enabled pcap fail then exit. +if test "x$LPCAP" = "xno"; then + if test "x$LPFRING_PCAP" = "xno"; then + echo + echo " ERROR! Libpcap library/headers (libpcap.a (or .so)/pcap.h)" + echo " not found, go get it from http://www.tcpdump.org" + echo " or use the --with-libpcap-* options, if you have it installed" + echo " in unusual place. Also check if your libpcap depends on another" + echo " shared library that may be installed in an unusual place" + exit 1 + fi +fi + +{ $as_echo "$as_me:$LINENO: checking for pcap_lex_destroy" >&5 +$as_echo_n "checking for pcap_lex_destroy... " >&6; } +if test "$cross_compiling" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot run test program while cross compiling See \`config.log' for more details." >&5 -echo "$as_me: error: cannot compute sizeof (unsigned long long int) +$as_echo "$as_me: error: cannot run test program while cross compiling See \`config.log' for more details." >&2;} - { (exit 77); exit 77; }; } - else - ac_cv_sizeof_unsigned_long_long_int=0 - fi ;; -esac + { (exit 1); exit 1; }; }; } else cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ 
@@ -25061,34 +19771,14 @@ cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -$ac_includes_default - typedef unsigned long long int ac__type_sizeof_; -static long int longval () { return (long int) (sizeof (ac__type_sizeof_)); } -static unsigned long int ulongval () { return (long int) (sizeof (ac__type_sizeof_)); } -#include -#include + +#include + int main () { - FILE *f = fopen ("conftest.val", "w"); - if (! f) - return 1; - if (((long int) (sizeof (ac__type_sizeof_))) < 0) - { - long int i = longval (); - if (i != ((long int) (sizeof (ac__type_sizeof_)))) - return 1; - fprintf (f, "%ld\n", i); - } - else - { - unsigned long int i = ulongval (); - if (i != ((long int) (sizeof (ac__type_sizeof_)))) - return 1; - fprintf (f, "%lu\n", i); - } - return ferror (f) || fclose (f) != 0; + pcap_lex_destroy(); ; return 0; 
@@ -25100,259 +19790,170 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_link") 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' { (case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_try") 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - ac_cv_sizeof_unsigned_long_long_int=`cat conftest.val` + have_pcap_lex_destroy="yes" else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ( exit $ac_status ) -if test "$ac_cv_type_unsigned_long_long_int" = yes; then - { { echo "$as_me:$LINENO: error: cannot compute sizeof (unsigned long long int) -See \`config.log' for more details." >&5 -echo "$as_me: error: cannot compute sizeof (unsigned long long int) -See \`config.log' for more details." 
>&2;} - { (exit 77); exit 77; }; } - else - ac_cv_sizeof_unsigned_long_long_int=0 - fi +have_pcap_lex_destroy="no" fi +rm -rf conftest.dSYM rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi -rm -f conftest.val -fi -{ echo "$as_me:$LINENO: result: $ac_cv_sizeof_unsigned_long_long_int" >&5 -echo "${ECHO_T}$ac_cv_sizeof_unsigned_long_long_int" >&6; } +{ $as_echo "$as_me:$LINENO: result: $have_pcap_lex_destroy" >&5 +$as_echo "$have_pcap_lex_destroy" >&6; } +if test "x$have_pcap_lex_destroy" = "xyes"; then -cat >>confdefs.h <<_ACEOF -#define SIZEOF_UNSIGNED_LONG_LONG_INT $ac_cv_sizeof_unsigned_long_long_int +cat >>confdefs.h <<\_ACEOF +#define HAVE_PCAP_LEX_DESTROY 1 _ACEOF +fi - -# Check for int types -{ echo "$as_me:$LINENO: checking for u_int8_t" >&5 -echo $ECHO_N "checking for u_int8_t... $ECHO_C" >&6; } -if test "${ac_cv_type_u_int8_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF +{ $as_echo "$as_me:$LINENO: checking for pcap_lib_version" >&5 +$as_echo_n "checking for pcap_lib_version... " >&6; } +cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -$ac_includes_default -typedef u_int8_t ac__type_new_; +#include int main () { -if ((ac__type_new_ *) 0) - return 0; -if (sizeof (ac__type_new_)) - return 0; +pcap_lib_version(); + ; return 0; } _ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 ac_status=$? 
grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_cv_type_u_int8_t=yes + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + have_pcap_lib_version="yes" else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_type_u_int8_t=no -fi + have_pcap_lib_version="no" -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi -{ echo "$as_me:$LINENO: result: $ac_cv_type_u_int8_t" >&5 -echo "${ECHO_T}$ac_cv_type_u_int8_t" >&6; } -if test $ac_cv_type_u_int8_t = yes; then -cat >>confdefs.h <<_ACEOF -#define HAVE_U_INT8_T 1 -_ACEOF +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $have_pcap_lib_version" >&5 +$as_echo "$have_pcap_lib_version" >&6; } +if test "x$have_pcap_lib_version" = "xyes"; then -fi -{ echo "$as_me:$LINENO: checking for u_int16_t" >&5 -echo $ECHO_N "checking for u_int16_t... $ECHO_C" >&6; } -if test "${ac_cv_type_u_int16_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. 
*/ -$ac_includes_default -typedef u_int16_t ac__type_new_; -int -main () -{ -if ((ac__type_new_ *) 0) - return 0; -if (sizeof (ac__type_new_)) - return 0; - ; - return 0; -} +cat >>confdefs.h <<\_ACEOF +#define HAVE_PCAP_LIB_VERSION 1 _ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_cv_type_u_int16_t=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_type_u_int16_t=no fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ echo "$as_me:$LINENO: result: $ac_cv_type_u_int16_t" >&5 -echo "${ECHO_T}$ac_cv_type_u_int16_t" >&6; } -if test $ac_cv_type_u_int16_t = yes; then -cat >>confdefs.h <<_ACEOF -#define HAVE_U_INT16_T 1 -_ACEOF -fi -{ echo "$as_me:$LINENO: checking for u_int32_t" >&5 -echo $ECHO_N "checking for u_int32_t... $ECHO_C" >&6; } -if test "${ac_cv_type_u_int32_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -$ac_includes_default -typedef u_int32_t ac__type_new_; -int -main () -{ -if ((ac__type_new_ *) 0) - return 0; -if (sizeof (ac__type_new_)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? 
- grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_cv_type_u_int32_t=yes +# Check whether --with-libpcre_includes was given. +if test "${with_libpcre_includes+set}" = set; then + withval=$with_libpcre_includes; with_libpcre_includes="$withval" else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 + with_libpcre_includes="no" +fi - ac_cv_type_u_int32_t=no + + +# Check whether --with-libpcre_libraries was given. +if test "${with_libpcre_libraries+set}" = set; then + withval=$with_libpcre_libraries; with_libpcre_libraries="$withval" +else + with_libpcre_libraries="no" fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +if test "x$with_libpcre_includes" != "xno"; then + CPPFLAGS="${CPPFLAGS} -I${with_libpcre_includes}" + ICONFIGFLAGS="${ICONFIGFLAGS} -I${with_libpcre_includes}" +else + CPPFLAGS="${CPPFLAGS} `pcre-config --cflags`" fi -{ echo "$as_me:$LINENO: result: $ac_cv_type_u_int32_t" >&5 -echo "${ECHO_T}$ac_cv_type_u_int32_t" >&6; } -if test $ac_cv_type_u_int32_t = yes; then -cat >>confdefs.h <<_ACEOF -#define HAVE_U_INT32_T 1 -_ACEOF +if test "x$with_libpcre_libraries" != "xno"; then + LDFLAGS="${LDFLAGS} -L${with_libpcre_libraries}" +else + LDFLAGS="${LDFLAGS} `pcre-config --libs`" +fi +# PCRE configuration (required) +# Verify that we have the headers +PCRE_H="" +for ac_header in pcre.h +do +as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... 
" >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 fi -{ echo "$as_me:$LINENO: checking for u_int64_t" >&5 -echo $ECHO_N "checking for u_int64_t... $ECHO_C" >&6; } -if test "${ac_cv_type_u_int64_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } else - cat >conftest.$ac_ext <<_ACEOF + # Is the header compilable? +{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5 +$as_echo_n "checking $ac_header usability... " >&6; } +cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default -typedef u_int64_t ac__type_new_; -int -main () -{ -if ((ac__type_new_ *) 0) - return 0; -if (sizeof (ac__type_new_)) - return 0; - ; - return 0; -} +#include <$ac_header> _ACEOF rm -f conftest.$ac_objext if { (ac_try="$ac_compile" 
@@ -25360,366 +19961,443 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_cv_type_u_int64_t=yes + ac_header_compiler=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_type_u_int64_t=no + ac_header_compiler=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ echo "$as_me:$LINENO: result: $ac_cv_type_u_int64_t" >&5 -echo "${ECHO_T}$ac_cv_type_u_int64_t" >&6; } -if test $ac_cv_type_u_int64_t = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_U_INT64_T 1 -_ACEOF +{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +$as_echo "$ac_header_compiler" >&6; } - -fi -{ echo "$as_me:$LINENO: checking for uint8_t" >&5 -echo $ECHO_N "checking for uint8_t... $ECHO_C" >&6; } -if test "${ac_cv_type_uint8_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF +# Is the header present? +{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5 +$as_echo_n "checking $ac_header presence... " >&6; } +cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. 
*/ -$ac_includes_default -typedef uint8_t ac__type_new_; -int -main () -{ -if ((ac__type_new_ *) 0) - return 0; -if (sizeof (ac__type_new_)) - return 0; - ; - return 0; -} +#include <$ac_header> _ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" +if { (ac_try="$ac_cpp conftest.$ac_ext" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_cv_type_uint8_t=yes + }; then + ac_header_preproc=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_type_uint8_t=no + ac_header_preproc=no fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +rm -f conftest.err conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +$as_echo "$ac_header_preproc" >&6; } + +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in + yes:no: ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 +$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" 
>&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} + ac_header_preproc=yes + ;; + no:yes:* ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 +$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 +$as_echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 +$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 +$as_echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 +$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} + + ;; +esac +{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... 
" >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + eval "$as_ac_Header=\$ac_header_preproc" fi -{ echo "$as_me:$LINENO: result: $ac_cv_type_uint8_t" >&5 -echo "${ECHO_T}$ac_cv_type_uint8_t" >&6; } -if test $ac_cv_type_uint8_t = yes; then +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } -cat >>confdefs.h <<_ACEOF -#define HAVE_UINT8_T 1 +fi +as_val=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF +else + PCRE_H="no" +fi + +done +if test "x$PCRE_H" = "xno"; then + echo + echo " ERROR! Libpcre header not found." + echo " Get it from http://www.pcre.org" + exit 1 fi -{ echo "$as_me:$LINENO: checking for uint16_t" >&5 -echo $ECHO_N "checking for uint16_t... $ECHO_C" >&6; } -if test "${ac_cv_type_uint16_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + +# Verify that we have the library +PCRE_L="" +pcre_version_six="" + +{ $as_echo "$as_me:$LINENO: checking for pcre_compile in -lpcre" >&5 +$as_echo_n "checking for pcre_compile in -lpcre... " >&6; } +if test "${ac_cv_lib_pcre_pcre_compile+set}" = set; then + $as_echo_n "(cached) " >&6 else - cat >conftest.$ac_ext <<_ACEOF + ac_check_lib_save_LIBS=$LIBS +LIBS="-lpcre $LIBS" +cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -$ac_includes_default -typedef uint16_t ac__type_new_; + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char pcre_compile (); int main () { -if ((ac__type_new_ *) 0) - return 0; -if (sizeof (ac__type_new_)) - return 0; +return pcre_compile (); ; return 0; } _ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_cv_type_uint16_t=yes + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_pcre_pcre_compile=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_type_uint16_t=no + ac_cv_lib_pcre_pcre_compile=no fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS fi -{ echo "$as_me:$LINENO: result: $ac_cv_type_uint16_t" >&5 -echo "${ECHO_T}$ac_cv_type_uint16_t" >&6; } -if test $ac_cv_type_uint16_t = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_UINT16_T 1 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_pcre_pcre_compile" >&5 +$as_echo "$ac_cv_lib_pcre_pcre_compile" >&6; } +if test "x$ac_cv_lib_pcre_pcre_compile" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBPCRE 1 _ACEOF + LIBS="-lpcre $LIBS" +else + 
PCRE_L="no" fi -{ echo "$as_me:$LINENO: checking for uint32_t" >&5 -echo $ECHO_N "checking for uint32_t... $ECHO_C" >&6; } -if test "${ac_cv_type_uint32_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + +if test "x$PCRE_L" = "xno"; then + echo + echo " ERROR! Libpcre library not found." + echo " Get it from http://www.pcre.org" + echo + exit 1 else - cat >conftest.$ac_ext <<_ACEOF + { $as_echo "$as_me:$LINENO: checking for libpcre version 6.0 or greater" >&5 +$as_echo_n "checking for libpcre version 6.0 or greater... " >&6; } + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -$ac_includes_default -typedef uint32_t ac__type_new_; +#include int main () { -if ((ac__type_new_ *) 0) - return 0; -if (sizeof (ac__type_new_)) - return 0; + + #if (PCRE_MAJOR < 6) + #error "Version failure" + #else + int a, b = 0, c = 0, d = 0; + pcre *tmp = NULL; + a = pcre_copy_named_substring(tmp, "", &b, c, "", "", d); + #endif + ; return 0; } _ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! 
-s conftest.err - } && test -s conftest.$ac_objext; then - ac_cv_type_uint32_t=yes + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + pcre_version_six="yes" else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_type_uint32_t=no + pcre_version_six="no" fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +fi + +if test "x$pcre_version_six" != "xyes"; then + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } + echo + echo " ERROR! Libpcre library version >= 6.0 not found." + echo " Get it from http://www.pcre.org" + echo + exit 1 +else + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } fi -{ echo "$as_me:$LINENO: result: $ac_cv_type_uint32_t" >&5 -echo "${ECHO_T}$ac_cv_type_uint32_t" >&6; } -if test $ac_cv_type_uint32_t = yes; then + + + +if test "x$SIGNAL_SNORT_RELOAD" != "x" ; then cat >>confdefs.h <<_ACEOF -#define HAVE_UINT32_T 1 +#define SIGNAL_SNORT_RELOAD $SIGNAL_SNORT_RELOAD _ACEOF +fi + + +if test "x$SIGNAL_SNORT_DUMP_STATS" != "x" ; then + +cat >>confdefs.h <<_ACEOF +#define SIGNAL_SNORT_DUMP_STATS $SIGNAL_SNORT_DUMP_STATS +_ACEOF fi -{ echo "$as_me:$LINENO: checking for uint64_t" >&5 -echo $ECHO_N "checking for uint64_t... $ECHO_C" >&6; } -if test "${ac_cv_type_uint64_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ + + +if test "x$SIGNAL_SNORT_ROTATE_STATS" != "x" ; then + +cat >>confdefs.h <<_ACEOF +#define SIGNAL_SNORT_ROTATE_STATS $SIGNAL_SNORT_ROTATE_STATS _ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. 
*/ -$ac_includes_default -typedef uint64_t ac__type_new_; -int -main () -{ -if ((ac__type_new_ *) 0) - return 0; -if (sizeof (ac__type_new_)) - return 0; - ; - return 0; -} + +fi + + +if test "x$SIGNAL_SNORT_READ_ATTR_TBL" != "x" ; then + +cat >>confdefs.h <<_ACEOF +#define SIGNAL_SNORT_READ_ATTR_TBL $SIGNAL_SNORT_READ_ATTR_TBL _ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_cv_type_uint64_t=yes + +fi + +# Check whether --enable-dynamicplugin was given. +if test "${enable_dynamicplugin+set}" = set; then + enableval=$enable_dynamicplugin; enable_dynamicplugin="$enableval" +else + enable_dynamicplugin="yes" +fi + + if test "x$enable_dynamicplugin" = "xyes"; then + HAVE_DYNAMIC_PLUGINS_TRUE= + HAVE_DYNAMIC_PLUGINS_FALSE='#' +else + HAVE_DYNAMIC_PLUGINS_TRUE='#' + HAVE_DYNAMIC_PLUGINS_FALSE= +fi + + +if test "x$enable_dynamicplugin" = "xyes"; then + CPPFLAGS="$CPPFLAGS -DDYNAMIC_PLUGIN" +fi + +# Check whether --enable-so_with_static_lib was given. +if test "${enable_so_with_static_lib+set}" = set; then + enableval=$enable_so_with_static_lib; enable_so_with_static_lib="$enableval" +else + enable_so_with_static_lib=$so_with_static_lib +fi + + if test "x$enable_so_with_static_lib" = "xyes"; then + SO_WITH_STATIC_LIB_TRUE= + SO_WITH_STATIC_LIB_FALSE='#' +else + SO_WITH_STATIC_LIB_TRUE='#' + SO_WITH_STATIC_LIB_FALSE= +fi + + +# Check whether --enable-control_socket was given. 
+if test "${enable_control_socket+set}" = set; then + enableval=$enable_control_socket; enable_control_socket="$enableval" +else + enable_control_socket="no" +fi + +if test "x$linux" != "xyes"; then + if test "x$enable_control_socket" = "xyes"; then + { $as_echo "$as_me:$LINENO: WARNING: The control socket is only supported on Linux systems." >&5 +$as_echo "$as_me: WARNING: The control socket is only supported on Linux systems." >&2;} + enable_control_socket="no" + fi +fi + if test "x$enable_control_socket" = "xyes"; then + BUILD_CONTROL_SOCKET_TRUE= + BUILD_CONTROL_SOCKET_FALSE='#' else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 + BUILD_CONTROL_SOCKET_TRUE='#' + BUILD_CONTROL_SOCKET_FALSE= +fi - ac_cv_type_uint64_t=no +if test "x$enable_control_socket" = "xyes"; then + CONFIGFLAGS="$CONFIGFLAGS -DCONTROL_SOCKET" fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +# check for dnet first since some DAQs need it + +# Check whether --with-dnet_includes was given. +if test "${with_dnet_includes+set}" = set; then + withval=$with_dnet_includes; with_dnet_includes="$withval" +else + with_dnet_includes="no" fi -{ echo "$as_me:$LINENO: result: $ac_cv_type_uint64_t" >&5 -echo "${ECHO_T}$ac_cv_type_uint64_t" >&6; } -if test $ac_cv_type_uint64_t = yes; then -cat >>confdefs.h <<_ACEOF -#define HAVE_UINT64_T 1 -_ACEOF +# Check whether --with-dnet_libraries was given. +if test "${with_dnet_libraries+set}" = set; then + withval=$with_dnet_libraries; with_dnet_libraries="$withval" +else + with_dnet_libraries="no" fi -{ echo "$as_me:$LINENO: checking for int8_t" >&5 -echo $ECHO_N "checking for int8_t... $ECHO_C" >&6; } -if test "${ac_cv_type_int8_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. 
*/ -$ac_includes_default -typedef int8_t ac__type_new_; -int -main () -{ -if ((ac__type_new_ *) 0) - return 0; -if (sizeof (ac__type_new_)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_cv_type_int8_t=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_type_int8_t=no +if test "x$with_dnet_includes" != "xno"; then + CPPFLAGS="${CPPFLAGS} -I${with_dnet_includes}" +else + CPPFLAGS="${CPPFLAGS} `dnet-config --cflags 2>/dev/null`" fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +if test "x$with_dnet_libraries" != "xno"; then + LDFLAGS="${LDFLAGS} -L${with_dnet_libraries}" +else + LDFLAGS="${LDFLAGS} `dnet-config --libs 2>/dev/null`" fi -{ echo "$as_me:$LINENO: result: $ac_cv_type_int8_t" >&5 -echo "${ECHO_T}$ac_cv_type_int8_t" >&6; } -if test $ac_cv_type_int8_t = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_INT8_T 1 -_ACEOF +for ac_header in dnet.h +do +as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 fi -{ echo "$as_me:$LINENO: checking for int16_t" >&5 -echo $ECHO_N "checking for int16_t... 
$ECHO_C" >&6; } -if test "${ac_cv_type_int16_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } else - cat >conftest.$ac_ext <<_ACEOF + # Is the header compilable? +{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5 +$as_echo_n "checking $ac_header usability... " >&6; } +cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default -typedef int16_t ac__type_new_; -int -main () -{ -if ((ac__type_new_ *) 0) - return 0; -if (sizeof (ac__type_new_)) - return 0; - ; - return 0; -} +#include <$ac_header> _ACEOF rm -f conftest.$ac_objext if { (ac_try="$ac_compile" 
@@ -25727,121 +20405,147 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_cv_type_int16_t=yes + ac_header_compiler=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_type_int16_t=no + ac_header_compiler=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ echo "$as_me:$LINENO: result: $ac_cv_type_int16_t" >&5 -echo "${ECHO_T}$ac_cv_type_int16_t" >&6; } -if test $ac_cv_type_int16_t = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_INT16_T 1 -_ACEOF +{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +$as_echo "$ac_header_compiler" >&6; } - -fi -{ echo "$as_me:$LINENO: checking for int32_t" >&5 -echo $ECHO_N "checking for int32_t... $ECHO_C" >&6; } -if test "${ac_cv_type_int32_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF +# Is the header present? +{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5 +$as_echo_n "checking $ac_header presence... " >&6; } +cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. 
*/ -$ac_includes_default -typedef int32_t ac__type_new_; -int -main () -{ -if ((ac__type_new_ *) 0) - return 0; -if (sizeof (ac__type_new_)) - return 0; - ; - return 0; -} +#include <$ac_header> _ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" +if { (ac_try="$ac_cpp conftest.$ac_ext" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_cv_type_int32_t=yes + }; then + ac_header_preproc=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_type_int32_t=no + ac_header_preproc=no fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +rm -f conftest.err conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +$as_echo "$ac_header_preproc" >&6; } + +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in + yes:no: ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 +$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" 
>&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} + ac_header_preproc=yes + ;; + no:yes:* ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 +$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 +$as_echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 +$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 +$as_echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 +$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} + + ;; +esac +{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... 
" >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + eval "$as_ac_Header=\$ac_header_preproc" fi -{ echo "$as_me:$LINENO: result: $ac_cv_type_int32_t" >&5 -echo "${ECHO_T}$ac_cv_type_int32_t" >&6; } -if test $ac_cv_type_int32_t = yes; then +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } -cat >>confdefs.h <<_ACEOF -#define HAVE_INT32_T 1 +fi +as_val=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF +else + DNET_H="no" +fi + +done + +for ac_header in dumbnet.h +do +as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 fi -{ echo "$as_me:$LINENO: checking for int64_t" >&5 -echo $ECHO_N "checking for int64_t... $ECHO_C" >&6; } -if test "${ac_cv_type_int64_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } else - cat >conftest.$ac_ext <<_ACEOF + # Is the header compilable? +{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5 +$as_echo_n "checking $ac_header usability... " >&6; } +cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. 
*/ $ac_includes_default -typedef int64_t ac__type_new_; -int -main () -{ -if ((ac__type_new_ *) 0) - return 0; -if (sizeof (ac__type_new_)) - return 0; - ; - return 0; -} +#include <$ac_header> _ACEOF rm -f conftest.$ac_objext if { (ac_try="$ac_compile" 
@@ -25849,165 +20553,138 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then - ac_cv_type_int64_t=yes + ac_header_compiler=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_type_int64_t=no + ac_header_compiler=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ echo "$as_me:$LINENO: result: $ac_cv_type_int64_t" >&5 -echo "${ECHO_T}$ac_cv_type_int64_t" >&6; } -if test $ac_cv_type_int64_t = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_INT64_T 1 -_ACEOF - - -fi +{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +$as_echo "$ac_header_compiler" >&6; } - -# In case INADDR_NONE is not defined (like on Solaris) -have_inaddr_none="no" -{ echo "$as_me:$LINENO: checking for INADDR_NONE" >&5 -echo $ECHO_N "checking for INADDR_NONE... $ECHO_C" >&6; } -if test "$cross_compiling" = yes; then - { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling -See \`config.log' for more details." >&5 -echo "$as_me: error: cannot run test program while cross compiling -See \`config.log' for more details." >&2;} - { (exit 1); exit 1; }; } -else - cat >conftest.$ac_ext <<_ACEOF +# Is the header present? +{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5 +$as_echo_n "checking $ac_header presence... " >&6; } +cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. 
*/ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ - -#include -#include -#include - -int -main () -{ - - if (inet_addr("10,5,2") == INADDR_NONE); - return 0; - - ; - return 0; -} +#include <$ac_header> _ACEOF -rm -f conftest$ac_exeext -if { (ac_try="$ac_link" +if { (ac_try="$ac_cpp conftest.$ac_ext" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_try") 2>&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - have_inaddr_none="yes" + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then + ac_header_preproc=yes else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -( exit $ac_status ) -have_inaddr_none="no" -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext -fi - - -{ echo "$as_me:$LINENO: result: $have_inaddr_none" >&5 -echo "${ECHO_T}$have_inaddr_none" >&6; } -if test "x$have_inaddr_none" = "xno"; then - -cat >>confdefs.h <<\_ACEOF -#define INADDR_NONE -1 -_ACEOF - + ac_header_preproc=no fi -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. 
*/ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ - -#include +rm -f conftest.err conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +$as_echo "$ac_header_preproc" >&6; } -int -main () -{ -const char *foo; foo = sys_errlist[0]; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in + yes:no: ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 +$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} + ac_header_preproc=yes + ;; + no:yes:* ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 +$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 +$as_echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" 
>&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 +$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 +$as_echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 +$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} + + ;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then +{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + eval "$as_ac_Header=\$ac_header_preproc" +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } -cat >>confdefs.h <<\_ACEOF -#define ERRLIST_PREDEFINED 1 +fi +as_val=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 + DUMBNET_H="no" +fi + +done +if test "x$DNET_H" = "xno" -a "x$DUMBNET_H" = "xno"; then + echo + echo " ERROR! 
dnet header not found, go get it from" + echo " http://code.google.com/p/libdnet/ or use the --with-dnet-*" + echo " options, if you have it installed in an unusual place" + exit fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -{ echo "$as_me:$LINENO: checking for __FUNCTION__" >&5 -echo $ECHO_N "checking for __FUNCTION__... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking for eth_set in -ldnet" >&5 +$as_echo_n "checking for eth_set in -ldnet... " >&6; } +if test "${ac_cv_lib_dnet_eth_set+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ldnet $LIBS" cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF 
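Review bot: The fatal branch for a missing dnet header (`echo " ERROR! dnet header not found, go get it from"` … `exit`) ends in a bare `exit`, which returns the status of the last command run, the preceding `echo`, so configure reports success (status 0) to a calling build or packaging script even though the prerequisite is absent; it should be `exit 1`, as the daq checks later in this file already do with their `exit 1 # instead of raw exits!` comment. The dnet library check in the next hunk (`echo " ERROR! dnet library not found, go get it from"` followed by `exit`) has the same defect. This script is autoconf output, so the correction belongs in the corresponding configure.in (the `AC_MSG_ERROR` macro named in the later `FIXTHIS` comment would supply both the message and the non-zero status) and the script regenerated. Separately, `dnet-config --cflags 2>/dev/null` and `dnet-config --libs 2>/dev/null` are substituted into CPPFLAGS/LDFLAGS without checking that the tool exists, so an absent dnet-config silently contributes empty flags; whether that is the intended fallback cannot be seen from this hunk.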
@@ -26015,184 +20692,199 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -#include - +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char eth_set (); int main () { -printf ("%s", __FUNCTION__); +return eth_set (); ; return 0; } _ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! 
-s conftest.err - } && test -s conftest.$ac_objext; then - sn_cv_have___FUNCTION__=yes + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_dnet_eth_set=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - sn_cv__have___FUNCTION__=no + ac_cv_lib_dnet_eth_set=no fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -if test "x$sn_cv_have___FUNCTION__" = "xyes"; then - { echo "$as_me:$LINENO: result: yes" >&5 -echo "${ECHO_T}yes" >&6; } - -cat >>confdefs.h <<\_ACEOF -#define HAVE___FUNCTION__ 1 +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dnet_eth_set" >&5 +$as_echo "$ac_cv_lib_dnet_eth_set" >&6; } +if test "x$ac_cv_lib_dnet_eth_set" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBDNET 1 _ACEOF + LIBS="-ldnet $LIBS" + else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } - { echo "$as_me:$LINENO: checking for __func__" >&5 -echo $ECHO_N "checking for __func__... $ECHO_C" >&6; } - cat >conftest.$ac_ext <<_ACEOF + DNET="no" +fi + + +{ $as_echo "$as_me:$LINENO: checking for eth_set in -ldumbnet" >&5 +$as_echo_n "checking for eth_set in -ldumbnet... " >&6; } +if test "${ac_cv_lib_dumbnet_eth_set+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ldumbnet $LIBS" +cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -#include - +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char eth_set (); int main () { -printf ("%s", __func__); +return eth_set (); ; return 0; } _ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err - } && test -s conftest.$ac_objext; then - sn_cv_have___func__=yes + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_dumbnet_eth_set=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - sn_cv__have___func__=no + ac_cv_lib_dumbnet_eth_set=no fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - if test "x$sn_cv_have___func__" = "xyes"; then - { echo "$as_me:$LINENO: result: yes" >&5 -echo "${ECHO_T}yes" >&6; } - -cat >>confdefs.h <<\_ACEOF -#define HAVE___func__ 1 -_ACEOF - - -cat >>confdefs.h <<\_ACEOF -#define __FUNCTION__ __func__ -_ACEOF - - else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } - cat >>confdefs.h <<\_ACEOF -#define __FUNCTION__ "mystery function" -_ACEOF - - fi +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dumbnet_eth_set" >&5 +$as_echo "$ac_cv_lib_dumbnet_eth_set" >&6; 
} +if test "x$ac_cv_lib_dumbnet_eth_set" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBDUMBNET 1 +_ACEOF + LIBS="-ldumbnet $LIBS" -# Check whether --with-libpcap_includes was given. -if test "${with_libpcap_includes+set}" = set; then - withval=$with_libpcap_includes; with_libpcap_includes="$withval" else - with_libpcap_includes="no" + DUMBNET="no" fi - -# Check whether --with-libpcap_libraries was given. -if test "${with_libpcap_libraries+set}" = set; then - withval=$with_libpcap_libraries; with_libpcap_libraries="$withval" -else - with_libpcap_libraries="no" +if test "x$DNET" = "xno" -a "x$DUMBNET" = "xno"; then + echo + echo " ERROR! dnet library not found, go get it from" + echo " http://code.google.com/p/libdnet/ or use the --with-dnet-*" + echo " options, if you have it installed in an unusual place" + exit fi - -if test "x$with_libpcap_includes" != "xno"; then - CPPFLAGS="${CPPFLAGS} -I${with_libpcap_includes}" +# Check whether --with-daq_includes was given. +if test "${with_daq_includes+set}" = set; then + withval=$with_daq_includes; with_daq_includes="$withval" +else + with_daq_includes="no" fi -if test "x$with_libpcap_libraries" != "xno"; then - LDFLAGS="${LDFLAGS} -L${with_libpcap_libraries}" -fi -# --with-libpfring-* options -# Check whether --with-libpfring_includes was given. -if test "${with_libpfring_includes+set}" = set; then - withval=$with_libpfring_includes; with_libpfring_includes="$withval" +# Check whether --with-daq_libraries was given. +if test "${with_daq_libraries+set}" = set; then + withval=$with_daq_libraries; with_daq_libraries="$withval" else - with_libpfring_includes="no" + with_daq_libraries="no" fi - -# Check whether --with-libpfring_libraries was given. 
-if test "${with_libpfring_libraries+set}" = set; then - withval=$with_libpfring_libraries; with_libpfring_libraries="$withval" -else - with_libpfring_libraries="no" +if test "x$with_daq_includes" != "xno"; then + CPPFLAGS="${CPPFLAGS} -I${with_daq_includes}" + ICONFIGFLAGS="${ICONFIGFLAGS} -I${with_daq_includes}" fi - -if test "x$with_libpfring_includes" != "xno"; then - CPPFLAGS="${CPPFLAGS} -I${with_libpfring_includes}" +if test "x$with_daq_libraries" != "xno"; then + LDFLAGS="${LDFLAGS} -L${with_daq_libraries}" fi -if test "x$with_libpfring_libraries" != "xno"; then - LDFLAGS="${LDFLAGS} -L${with_libpfring_libraries}" +# Check whether --enable-static_daq was given. +if test "${enable_static_daq+set}" = set; then + enableval=$enable_static_daq; enable_static_daq="$enableval" +else + enable_static_daq="yes" fi -LPCAP="" -{ echo "$as_me:$LINENO: checking for pcap_datalink in -lpcap" >&5 -echo $ECHO_N "checking for pcap_datalink in -lpcap... $ECHO_C" >&6; } -if test "${ac_cv_lib_pcap_pcap_datalink+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +if test "x$enable_static_daq" = "xyes" \ + -o "x$enable_dynamicplugin" = "xyes" ; \ +then + { $as_echo "$as_me:$LINENO: checking for dlsym in -ldl" >&5 +$as_echo_n "checking for dlsym in -ldl... " >&6; } +if test "${ac_cv_lib_dl_dlsym+set}" = set; then + $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS -LIBS="-lpcap $LIBS" +LIBS="-ldl $LIBS" cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF @@ -26206,11 +20898,11 @@ #ifdef __cplusplus extern "C" #endif -char pcap_datalink (); +char dlsym (); int main () { -return pcap_datalink (); +return dlsym (); ; return 0; } 
@@ -26221,206 +20913,218 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_lib_pcap_pcap_datalink=yes + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_dl_dlsym=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_lib_pcap_pcap_datalink=no + ac_cv_lib_dl_dlsym=no fi +rm -rf conftest.dSYM rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -{ echo "$as_me:$LINENO: result: $ac_cv_lib_pcap_pcap_datalink" >&5 -echo "${ECHO_T}$ac_cv_lib_pcap_pcap_datalink" >&6; } -if test $ac_cv_lib_pcap_pcap_datalink = yes; then - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBPCAP 1 -_ACEOF - - LIBS="-lpcap $LIBS" - +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlsym" >&5 +$as_echo "$ac_cv_lib_dl_dlsym" >&6; } +if test "x$ac_cv_lib_dl_dlsym" = x""yes; then + DLLIB="yes" else - LPCAP="no" + DLLIB="no" fi -# If the normal AC_CHECK_LIB for pcap fails then check to see if we are -# using a pfring-enabled pcap. 
-if test "x$LPCAP" = "xno"; then - PFRING_H="" - -for ac_header in pfring.h -do -as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then - { echo "$as_me:$LINENO: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } -if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -fi -ac_res=`eval echo '${'$as_ac_Header'}'` - { echo "$as_me:$LINENO: result: $ac_res" >&5 -echo "${ECHO_T}$ac_res" >&6; } + if test "$DLLIB" != "no"; then + LIBS="${LIBS} -ldl" + else + { $as_echo "$as_me:$LINENO: checking for dlsym in -lc" >&5 +$as_echo_n "checking for dlsym in -lc... " >&6; } +if test "${ac_cv_lib_c_dlsym+set}" = set; then + $as_echo_n "(cached) " >&6 else - # Is the header compilable? -{ echo "$as_me:$LINENO: checking $ac_header usability" >&5 -echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; } + ac_check_lib_save_LIBS=$LIBS +LIBS="-lc $LIBS" cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -$ac_includes_default -#include <$ac_header> + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char dlsym (); +int +main () +{ +return dlsym (); + ; + return 0; +} _ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 ac_status=$? 
grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_header_compiler=yes + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_c_dlsym=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_header_compiler=no + ac_cv_lib_c_dlsym=no fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 -echo "${ECHO_T}$ac_header_compiler" >&6; } +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_c_dlsym" >&5 +$as_echo "$ac_cv_lib_c_dlsym" >&6; } +if test "x$ac_cv_lib_c_dlsym" = x""yes; then + DLLIB="yes" +else + DLLIB="no" +fi -# Is the header present? -{ echo "$as_me:$LINENO: checking $ac_header presence" >&5 -echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; } + if test "$DLLIB" = "no"; then + echo + echo " ERROR! programmatic interface to dynamic link loader" + echo " not found. Cannot build Snort." + echo + exit 1 + fi + fi +fi + +if test "x$enable_static_daq" = "xyes"; then + LDAQ="" + LIBS="${LIBS} `daq-modules-config --static --libs`" + { $as_echo "$as_me:$LINENO: checking for daq_load_modules in -ldaq_static" >&5 +$as_echo_n "checking for daq_load_modules in -ldaq_static... " >&6; } +if test "${ac_cv_lib_daq_static_daq_load_modules+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ldaq_static $LIBS" cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. 
*/ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -#include <$ac_header> + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char daq_load_modules (); +int +main () +{ +return daq_load_modules (); + ; + return 0; +} _ACEOF -if { (ac_try="$ac_cpp conftest.$ac_ext" +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null && { - test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext }; then - ac_header_preproc=yes + ac_cv_lib_daq_static_daq_load_modules=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_header_preproc=no -fi - -rm -f conftest.err conftest.$ac_ext -{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 -echo "${ECHO_T}$ac_header_preproc" >&6; } - -# So? What about this header? -case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in - yes:no: ) - { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" 
>&5 -echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} - ac_header_preproc=yes - ;; - no:yes:* ) - { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 -echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 -echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 -echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 -echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 -echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} - - ;; -esac -{ echo "$as_me:$LINENO: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... 
$ECHO_C" >&6; } -if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - eval "$as_ac_Header=\$ac_header_preproc" + ac_cv_lib_daq_static_daq_load_modules=no fi -ac_res=`eval echo '${'$as_ac_Header'}'` - { echo "$as_me:$LINENO: result: $ac_res" >&5 -echo "${ECHO_T}$ac_res" >&6; } +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS fi -if test `eval echo '${'$as_ac_Header'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 -_ACEOF - +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_daq_static_daq_load_modules" >&5 +$as_echo "$ac_cv_lib_daq_static_daq_load_modules" >&6; } +if test "x$ac_cv_lib_daq_static_daq_load_modules" = x""yes; then + LIBS="-ldaq_static ${LIBS}" else - PFRING_H="no" + LDAQ="no" fi -done - - -# It is important to have the AC_CHECK_LIB for the pfring library BEFORE -# the one for pfring-enabled pcap. When the Makefile is created, all the -# libraries used during linking are added to the LIBS variable in the -# Makefile in the opposite orded that their AC_CHECK_LIB macros appear -# in configure.in. Durring linking, the pfring library (-lpfring) MUST come -# _after_ the libpcap library (-lpcap) or linking will fail. - PFRING_L="" -{ echo "$as_me:$LINENO: checking for pfring_open in -lpfring" >&5 -echo $ECHO_N "checking for pfring_open in -lpfring... $ECHO_C" >&6; } -if test "${ac_cv_lib_pfring_pfring_open+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + if test "x$LDAQ" = "xno"; then + echo + echo " ERROR! daq_static library not found, go get it from" + echo " http://www.snort.org/." + #AC_MSG_ERROR("Fatal!") # FIXTHIS switch over to this macro + exit 1 # instead of raw exits! + fi +else + LDAQ="" + { $as_echo "$as_me:$LINENO: checking for daq_load_modules in -ldaq" >&5 +$as_echo_n "checking for daq_load_modules in -ldaq... 
" >&6; } +if test "${ac_cv_lib_daq_daq_load_modules+set}" = set; then + $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS -LIBS="-lpfring $LIBS" +LIBS="-ldaq $LIBS" cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF @@ -26434,11 +21138,11 @@ #ifdef __cplusplus extern "C" #endif -char pfring_open (); +char daq_load_modules (); int main () { -return pfring_open (); +return daq_load_modules (); ; return 0; } 
@@ -26449,59 +21153,84 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_lib_pfring_pfring_open=yes + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_daq_daq_load_modules=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_lib_pfring_pfring_open=no + ac_cv_lib_daq_daq_load_modules=no fi +rm -rf conftest.dSYM rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -{ echo "$as_me:$LINENO: result: $ac_cv_lib_pfring_pfring_open" >&5 -echo "${ECHO_T}$ac_cv_lib_pfring_pfring_open" >&6; } -if test $ac_cv_lib_pfring_pfring_open = yes; then - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBPFRING 1 -_ACEOF +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_daq_daq_load_modules" >&5 +$as_echo "$ac_cv_lib_daq_daq_load_modules" >&6; } +if test "x$ac_cv_lib_daq_daq_load_modules" = x""yes; then + LIBS="${LIBS} -ldaq" +else + LDAQ="no" +fi - LIBS="-lpfring $LIBS" -else - PFRING_L="no" + if test "x$LDAQ" = "xno"; then + echo + echo " ERROR! daq library not found, go get it from" + echo " http://www.snort.org/." + #AC_MSG_ERROR("Fatal!") + exit 1 + fi fi - LPFRING_PCAP="" -{ echo "$as_me:$LINENO: checking for pfring_open in -lpcap" >&5 -echo $ECHO_N "checking for pfring_open in -lpcap... 
$ECHO_C" >&6; } -if test "${ac_cv_lib_pcap_pfring_open+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +for ac_func in daq_hup_apply daq_acquire_with_meta +do +as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5 +$as_echo_n "checking for $ac_func... " >&6; } +if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lpcap -lpfring $LIBS" -cat >conftest.$ac_ext <<_ACEOF + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ +/* Define $ac_func to an innocuous variant, in case declares $ac_func. + For example, HP-UX 11i declares gettimeofday. */ +#define $ac_func innocuous_$ac_func + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef $ac_func /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC @@ -26509,11 +21238,18 @@ #ifdef __cplusplus extern "C" #endif -char pfring_open (); +char $ac_func (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined __stub_$ac_func || defined __stub___$ac_func +choke me +#endif + int main () { -return pfring_open (); +return $ac_func (); ; return 0; } 
@@ -26524,73 +21260,83 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_lib_pcap_pfring_open=yes + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + eval "$as_ac_var=yes" else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_lib_pcap_pfring_open=no + eval "$as_ac_var=no" fi +rm -rf conftest.dSYM rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS fi -{ echo "$as_me:$LINENO: result: $ac_cv_lib_pcap_pfring_open" >&5 -echo "${ECHO_T}$ac_cv_lib_pcap_pfring_open" >&6; } -if test $ac_cv_lib_pcap_pfring_open = yes; then +ac_res=`eval 'as_val=${'$as_ac_var'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +as_val=`eval 'as_val=${'$as_ac_var'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then cat >>confdefs.h <<_ACEOF -#define HAVE_LIBPCAP 1 +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF - LIBS="-lpcap $LIBS" - -else - LPFRING_PCAP="no" fi +done -fi -# If both the AC_CHECK_LIB for normal pcap and pfring-enabled pcap fail then exit. -if test "x$LPCAP" = "xno"; then - if test "x$LPFRING_PCAP" = "xno"; then - echo - echo " ERROR! 
Libpcap library/headers (libpcap.a (or .so)/pcap.h)" - echo " not found, go get it from http://www.tcpdump.org" - echo " or use the --with-libpcap-* options, if you have it installed" - echo " in unusual place. Also check if your libpcap depends on another" - echo " shared library that may be installed in an unusual place" - exit 1 - fi +# any sparc platform has to have this one defined. +{ $as_echo "$as_me:$LINENO: checking for sparc" >&5 +$as_echo_n "checking for sparc... " >&6; } +if eval "echo $host_cpu|grep -i sparc >/dev/null"; then + +cat >>confdefs.h <<\_ACEOF +#define WORDS_MUSTALIGN 1 +_ACEOF + + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } + + # gcc, sparc and optimization not so good + if test -n "$GCC"; then + NO_OPTIMIZE="yes" + fi +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi -# This is to determine which pcap library version is being used. The reason being -# that versions < 0.9 do not accumulate packet statistics whereas >= 0.9 do accumulate. -# This is Linux only. The check is done after pcre because the code below uses pcre. -# It seems Phil Wood's pcap does not accumulate - 0.9x -pcap_version_check="yes" -if test "x$linux" = "xyes"; then - if test "x$pcap_version_check" = "xyes"; then - { echo "$as_me:$LINENO: checking for libpcap version >= 0.9" >&5 -echo $ECHO_N "checking for libpcap version >= 0.9... $ECHO_C" >&6; } - if test "$cross_compiling" = yes; then - { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling +# check for sparc %time register +if eval "echo $host_cpu|grep -i sparc >/dev/null"; then + OLD_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -mcpu=v9 " + { $as_echo "$as_me:$LINENO: checking for sparc %time register" >&5 +$as_echo_n "checking for sparc %time register... 
" >&6; } + if test "$cross_compiling" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot run test program while cross compiling See \`config.log' for more details." >&5 -echo "$as_me: error: cannot run test program while cross compiling +$as_echo "$as_me: error: cannot run test program while cross compiling See \`config.log' for more details." >&2;} - { (exit 1); exit 1; }; } + { (exit 1); exit 1; }; }; } else cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ @@ -26599,19 +21345,12 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ - #include - #include - extern char pcap_version[]; - int main () { - if (strcmp(pcap_version, "0.9x") == 0) - return 1; - - if (strcmp(pcap_version, "0.9.0") < 0) - return 1; + int val; + __asm__ __volatile__("rd %%tick, %0" : "=r"(val)); ; return 0; 
@@ -26623,191 +21362,218 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_link") 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' { (case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_try") 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - libpcap_version_09="yes" + sparcv9="yes" else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ( exit $ac_status ) -libpcap_version_09="no" +sparcv9="no" fi +rm -rf conftest.dSYM rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi - { echo "$as_me:$LINENO: result: $libpcap_version_09" >&5 -echo "${ECHO_T}$libpcap_version_09" >&6; } - if test "x$libpcap_version_09" = "xyes"; then + { $as_echo "$as_me:$LINENO: result: $sparcv9" >&5 +$as_echo "$sparcv9" >&6; } + if test "x$sparcv9" = "xyes"; then cat >>confdefs.h <<\_ACEOF -#define LIBPCAP_ACCUMULATES 1 +#define SPARCV9 1 _ACEOF - fi else - libpcap_version_09="no" + CFLAGS="$OLD_CFLAGS" + fi +fi -cat >>confdefs.h <<\_ACEOF -#define LIBPCAP_ACCUMULATES 1 -_ACEOF +# modified from gnulib/m4/visibility.m4 - fi - # there is a bug in the Linux code in 0.9.0 - 0.9.4 where the pcap - # stats are doubled. 
- if test "x$libpcap_version_09" = "xyes"; then - { echo "$as_me:$LINENO: checking for libpcap version 0.9.0 - 0.9.4" >&5 -echo $ECHO_N "checking for libpcap version 0.9.0 - 0.9.4... $ECHO_C" >&6; } - if test "$cross_compiling" = yes; then - { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling -See \`config.log' for more details." >&5 -echo "$as_me: error: cannot run test program while cross compiling -See \`config.log' for more details." >&2;} - { (exit 1); exit 1; }; } + + { $as_echo "$as_me:$LINENO: checking for visibility support" >&5 +$as_echo_n "checking for visibility support... " >&6; } + if test "${gl_cv_cc_visibility+set}" = set; then + $as_echo_n "(cached) " >&6 else - cat >conftest.$ac_ext <<_ACEOF + + gl_save_CFLAGS="$CFLAGS" + # Add -Werror flag since some compilers, e.g. icc 7.1, don't support it, + # but only warn about it instead of compilation failing + CFLAGS="$CFLAGS -Werror -fvisibility=hidden" + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ - #include - #include - extern char pcap_version[]; - + extern __attribute__((__visibility__("hidden"))) int hiddenvar; + extern __attribute__((__visibility__("default"))) int exportedvar; + extern __attribute__((__visibility__("hidden"))) int hiddenfunc (void); + extern __attribute__((__visibility__("default"))) int exportedfunc (void); int main () { - if (strcmp(pcap_version, "0.9.5") < 0) - return 1; - ; return 0; } _ACEOF -rm -f conftest$ac_exeext -if { (ac_try="$ac_link" +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_try") 2>&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - libpcap_version_09_bug="no" + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + gl_cv_cc_visibility="yes" else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -( exit $ac_status ) -libpcap_version_09_bug="yes" -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext + gl_cv_cc_visibility="no" fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - { echo "$as_me:$LINENO: result: $libpcap_version_09_bug" >&5 -echo "${ECHO_T}$libpcap_version_09_bug" >&6; } - else - libpcap_version_09_bug="no" - fi +fi - if test "x$libpcap_version_09_bug" = "xyes"; then + { $as_echo "$as_me:$LINENO: result: $gl_cv_cc_visibility" >&5 +$as_echo "$gl_cv_cc_visibility" >&6; } + CFLAGS="$gl_save_CFLAGS" + if test "x$gl_cv_cc_visibility" = "xyes"; then + CCONFIGFLAGS="${CCONFIGFLAGS} -DSF_VISIBILITY -fvisibility=hidden" cat >>confdefs.h <<\_ACEOF -#define LINUX_LIBPCAP_DOUBLES_STATS 1 +#define HAVE_VISIBILITY 1 _ACEOF fi -else -cat >>confdefs.h <<\_ACEOF -#define LIBPCAP_ACCUMULATES 1 -_ACEOF +# Check whether --enable-build-dynamic-examples was given. 
+if test "${enable_build_dynamic_examples+set}" = set; then + enableval=$enable_build_dynamic_examples; build_dynamic_examples="$enableval" +else + build_dynamic_examples="no" fi + if test "x$build_dynamic_examples" = "xyes"; then + BUILD_DYNAMIC_EXAMPLES_TRUE= + BUILD_DYNAMIC_EXAMPLES_FALSE='#' +else + BUILD_DYNAMIC_EXAMPLES_TRUE='#' + BUILD_DYNAMIC_EXAMPLES_FALSE= +fi +if test "x$build_dynamic_examples" = "xyes"; then + if test "x$enable_dynamicplugin" = "xno"; then + echo " ERROR! attempting to build dynamic examples without" + echo " enabling dynamic plugins." + echo + exit 1 + fi +fi - -# Check whether --with-libpcre_includes was given. -if test "${with_libpcre_includes+set}" = set; then - withval=$with_libpcre_includes; with_libpcre_includes="$withval" +# Check whether --enable-dlclose was given. +if test "${enable_dlclose+set}" = set; then + enableval=$enable_dlclose; enable_dlclose="$enableval" else - with_libpcre_includes="no" + enable_dlclose="yes" fi +if test "x$enable_dlclose" = "xno"; then +cat >>confdefs.h <<\_ACEOF +#define DISABLE_DLCLOSE_FOR_VALGRIND_TESTING 1 +_ACEOF -# Check whether --with-libpcre_libraries was given. -if test "${with_libpcre_libraries+set}" = set; then - withval=$with_libpcre_libraries; with_libpcre_libraries="$withval" +fi + +# Check whether --enable-ipv6 was given. +if test "${enable_ipv6+set}" = set; then + enableval=$enable_ipv6; enable_ipv6="$enableval" else - with_libpcre_libraries="no" + enable_ipv6="yes" +fi + +if test "x$enable_ipv6" = "xyes"; then + CONFIGFLAGS="$CONFIGFLAGS -DSUP_IP6" +fi + if test "x$enable_ipv6" = "xyes"; then + HAVE_SUP_IP6_TRUE= + HAVE_SUP_IP6_FALSE='#' +else + HAVE_SUP_IP6_TRUE='#' + HAVE_SUP_IP6_FALSE= fi -if test "x$with_libpcre_includes" != "xno"; then - CPPFLAGS="${CPPFLAGS} -I${with_libpcre_includes}" +# Check whether --enable-zlib was given. 
+if test "${enable_zlib+set}" = set; then + enableval=$enable_zlib; enable_zlib="$enableval" else - CPPFLAGS="${CPPFLAGS} `pcre-config --cflags`" + enable_zlib="yes" fi -if test "x$with_libpcre_libraries" != "xno"; then - LDFLAGS="${LDFLAGS} -L${with_libpcre_libraries}" + if test "x$enable_zlib" = "xyes"; then + HAVE_ZLIB_TRUE= + HAVE_ZLIB_FALSE='#' else - LDFLAGS="${LDFLAGS} `pcre-config --libs`" + HAVE_ZLIB_TRUE='#' + HAVE_ZLIB_FALSE= fi -# PCRE configuration (required) -# Verify that we have the headers -PCRE_H="" +if test "x$enable_zlib" = "xyes"; then + Z_LIB="" -for ac_header in pcre.h +for ac_header in zlib.h do -as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` +as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then - { echo "$as_me:$LINENO: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } + { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 fi -ac_res=`eval echo '${'$as_ac_Header'}'` - { echo "$as_me:$LINENO: result: $ac_res" >&5 -echo "${ECHO_T}$ac_res" >&6; } +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } else # Is the header compilable? -{ echo "$as_me:$LINENO: checking $ac_header usability" >&5 -echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5 +$as_echo_n "checking $ac_header usability... " >&6; } cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF 
@@ -26823,32 +21589,33 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then ac_header_compiler=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_header_compiler=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 -echo "${ECHO_T}$ac_header_compiler" >&6; } +{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +$as_echo "$ac_header_compiler" >&6; } # Is the header present? -{ echo "$as_me:$LINENO: checking $ac_header presence" >&5 -echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5 +$as_echo_n "checking $ac_header presence... " >&6; } cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF 
@@ -26862,95 +21629,97 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } >/dev/null && { test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || test ! -s conftest.err }; then ac_header_preproc=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_header_preproc=no fi rm -f conftest.err conftest.$ac_ext -{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 -echo "${ECHO_T}$ac_header_preproc" >&6; } +{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +$as_echo "$ac_header_preproc" >&6; } # So? What about this header? case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in yes:no: ) - { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 -echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 +$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" 
>&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} ac_header_preproc=yes ;; no:yes:* ) - { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 -echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 -echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 -echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 -echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 -echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 +$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 +$as_echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" 
>&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 +$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 +$as_echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 +$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} ;; esac -{ echo "$as_me:$LINENO: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } +{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + $as_echo_n "(cached) " >&6 else eval "$as_ac_Header=\$ac_header_preproc" fi -ac_res=`eval echo '${'$as_ac_Header'}'` - { echo "$as_me:$LINENO: result: $ac_res" >&5 -echo "${ECHO_T}$ac_res" >&6; } +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } fi -if test `eval echo '${'$as_ac_Header'}'` = yes; then +as_val=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF else - PCRE_H="no" + Z_LIB="no" fi done -if test "x$PCRE_H" = "xno"; then - echo - echo " ERROR! Libpcre header not found." - echo " Get it from http://www.pcre.org" - exit 1 -fi + if test "x$Z_LIB" = "xno"; then + echo + echo " ERROR! 
zlib header not found, go get it from" + echo " http://www.zlib.net" + exit + fi -# Verify that we have the library -PCRE_L="" -pcre_version_six="" + Z_LIB="" -{ echo "$as_me:$LINENO: checking for pcre_compile in -lpcre" >&5 -echo $ECHO_N "checking for pcre_compile in -lpcre... $ECHO_C" >&6; } -if test "${ac_cv_lib_pcre_pcre_compile+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +{ $as_echo "$as_me:$LINENO: checking for inflate in -lz" >&5 +$as_echo_n "checking for inflate in -lz... " >&6; } +if test "${ac_cv_lib_z_inflate+set}" = set; then + $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS -LIBS="-lpcre $LIBS" +LIBS="-lz $LIBS" cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF @@ -26964,11 +21733,11 @@ #ifdef __cplusplus extern "C" #endif -char pcre_compile (); +char inflate (); int main () { -return pcre_compile (); +return inflate (); ; return 0; } 
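Review bot: The zlib-header failure branch ends with a bare `exit`, so configure terminates with the status of the preceding `echo` (0) and a `./configure && make` or packaging pipeline treats the missing header as a successful configure; every other fatal path visible here (daq, flex, bison, dynamic examples) uses `exit 1`. Change the line to `exit 1`, and because this file is autoconf output the real fix belongs in the matching `AC_CHECK_HEADERS` failure branch of configure.in — preferably `AC_MSG_ERROR`, which prints the message and sets a non-zero status — followed by regeneration. The same bare `exit` recurs in the `-lz` library-not-found branch of the following hunk, which runs past the end of this view.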
@@ -26979,412 +21748,422 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_lib_pcre_pcre_compile=yes + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_z_inflate=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_lib_pcre_pcre_compile=no + ac_cv_lib_z_inflate=no fi +rm -rf conftest.dSYM rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -{ echo "$as_me:$LINENO: result: $ac_cv_lib_pcre_pcre_compile" >&5 -echo "${ECHO_T}$ac_cv_lib_pcre_pcre_compile" >&6; } -if test $ac_cv_lib_pcre_pcre_compile = yes; then +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_z_inflate" >&5 +$as_echo "$ac_cv_lib_z_inflate" >&6; } +if test "x$ac_cv_lib_z_inflate" = x""yes; then cat >>confdefs.h <<_ACEOF -#define HAVE_LIBPCRE 1 +#define HAVE_LIBZ 1 _ACEOF - LIBS="-lpcre $LIBS" + LIBS="-lz $LIBS" else - PCRE_L="no" + Z_LIB="no" fi -if test "x$PCRE_L" = "xno"; then - echo - echo " ERROR! Libpcre library not found." - echo " Get it from http://www.pcre.org" - echo - exit 1 -else - { echo "$as_me:$LINENO: checking for libpcre version 6.0 or greater" >&5 -echo $ECHO_N "checking for libpcre version 6.0 or greater... $ECHO_C" >&6; } - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. 
*/ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -#include -int -main () -{ - - #if (PCRE_MAJOR < 6) - #error "Version failure" - #else - int a, b = 0, c = 0, d = 0; - pcre *tmp = NULL; - a = pcre_copy_named_substring(tmp, "", &b, c, "", "", d); - #endif + if test "x$Z_LIB" = "xno"; then + echo + echo " ERROR! zlib library not found, go get it from" + echo " http://www.zlib.net" + exit + fi + CPPFLAGS="$CPPFLAGS -DZLIB" + LIBS="$LIBS -lz" +fi - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - pcre_version_six="yes" +# Check whether --enable-gre was given. +if test "${enable_gre+set}" = set; then + enableval=$enable_gre; enable_gre="$enableval" else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - pcre_version_six="no" + enable_gre="yes" fi -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext +if test "x$enable_gre" = "xyes"; then + CPPFLAGS="$CPPFLAGS -DGRE" fi -if test "x$pcre_version_six" != "xyes"; then - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } - echo - echo " ERROR! Libpcre library version >= 6.0 not found." - echo " Get it from http://www.pcre.org" - echo - exit 1 +# Check whether --enable-mpls was given. 
+if test "${enable_mpls+set}" = set; then + enableval=$enable_mpls; enable_mpls="$enableval" else - { echo "$as_me:$LINENO: result: yes" >&5 -echo "${ECHO_T}yes" >&6; } + enable_mpls="yes" fi +if test "x$enable_mpls" = "xyes"; then + CPPFLAGS="$CPPFLAGS -DMPLS" +fi -# any sparc platform has to have this one defined. -{ echo "$as_me:$LINENO: checking for sparc" >&5 -echo $ECHO_N "checking for sparc... $ECHO_C" >&6; } -if eval "echo $host_cpu|grep -i sparc >/dev/null"; then +# Check whether --enable-targetbased was given. +if test "${enable_targetbased+set}" = set; then + enableval=$enable_targetbased; enable_targetbased="$enableval" +else + enable_targetbased="yes" +fi -cat >>confdefs.h <<\_ACEOF -#define WORDS_MUSTALIGN 1 -_ACEOF - { echo "$as_me:$LINENO: result: yes" >&5 -echo "${ECHO_T}yes" >&6; } + if test "x$enable_targetbased" = "xyes"; then + HAVE_TARGET_BASED_TRUE= + HAVE_TARGET_BASED_FALSE='#' +else + HAVE_TARGET_BASED_TRUE='#' + HAVE_TARGET_BASED_FALSE= +fi - # gcc, sparc and optimization not so good - if test -n "$GCC"; then - NO_OPTIMIZE="yes" +if test "x$enable_targetbased" = "xyes"; then + CONFIGFLAGS="$CONFIGFLAGS -DTARGET_BASED" + LIBS="$LIBS -lpthread" + if test "$LEX" = "none"; then + echo + echo " ERROR! flex not found." + echo " Get it from http://flex.sourceforge.net/" + echo " (You may also try lex instead.)" + echo + exit 1 + fi + if test "$YACC" = "none"; then + echo + echo " ERROR! bison not found." + echo " Get it from http://www.gnu.org/software/bison/" + echo " (You may also try byacc or yacc instead.)" + echo + exit 1 fi -else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } fi -# check for sparc %time register -if eval "echo $host_cpu|grep -i sparc >/dev/null"; then - OLD_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -mcpu=v9 " - { echo "$as_me:$LINENO: checking for sparc %time register" >&5 -echo $ECHO_N "checking for sparc %time register... 
$ECHO_C" >&6; } - if test "$cross_compiling" = yes; then - { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling -See \`config.log' for more details." >&5 -echo "$as_me: error: cannot run test program while cross compiling -See \`config.log' for more details." >&2;} - { (exit 1); exit 1; }; } +# Check whether --enable-decoder-preprocessor-rules was given. +if test "${enable_decoder_preprocessor_rules+set}" = set; then + enableval=$enable_decoder_preprocessor_rules; enable_decoder_preprocessor_rules="$enableval" else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ - -int -main () -{ + enable_decoder_preprocessor_rules="yes" +fi - int val; - __asm__ __volatile__("rd %%tick, %0" : "=r"(val)); +if test "x$enable_decoder_preprocessor_rules" = "xyes"; then + CPPFLAGS="$CPPFLAGS -DPREPROCESSOR_AND_DECODER_RULE_EVENTS" +fi - ; - return 0; -} -_ACEOF -rm -f conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_try") 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - sparcv9="yes" +# Check whether --enable-ppm was given. 
+if test "${enable_ppm+set}" = set; then + enableval=$enable_ppm; enable_ppm="$enableval" else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - -( exit $ac_status ) -sparcv9="no" + enable_ppm="yes" fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext -fi - - - { echo "$as_me:$LINENO: result: $sparcv9" >&5 -echo "${ECHO_T}$sparcv9" >&6; } - if test "x$sparcv9" = "xyes"; then - -cat >>confdefs.h <<\_ACEOF -#define SPARCV9 1 -_ACEOF - else - CFLAGS="$OLD_CFLAGS" - fi +if test "x$enable_ppm" = "xyes"; then + CPPFLAGS="$CPPFLAGS -DPPM_MGR" fi -# modified from gnulib/m4/visibility.m4 - - - - { echo "$as_me:$LINENO: checking for visibility support" >&5 -echo $ECHO_N "checking for visibility support... $ECHO_C" >&6; } - if test "${gl_cv_cc_visibility+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +# Check whether --enable-perfprofiling was given. +if test "${enable_perfprofiling+set}" = set; then + enableval=$enable_perfprofiling; enable_perfprofiling="$enableval" else + enable_perfprofiling="yes" +fi - gl_save_CFLAGS="$CFLAGS" - # Add -Werror flag since some compilers, e.g. icc 7.1, don't support it, - # but only warn about it instead of compilation failing - CFLAGS="$CFLAGS -Werror -fvisibility=hidden" - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. 
*/ - - extern __attribute__((__visibility__("hidden"))) int hiddenvar; - extern __attribute__((__visibility__("default"))) int exportedvar; - extern __attribute__((__visibility__("hidden"))) int hiddenfunc (void); - extern __attribute__((__visibility__("default"))) int exportedfunc (void); -int -main () -{ +if test "x$enable_perfprofiling" = "xyes"; then + CONFIGFLAGS="$CONFIGFLAGS -DPERF_PROFILING" +fi - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - gl_cv_cc_visibility="yes" +# Check whether --enable-linux-smp-stats was given. +if test "${enable_linux_smp_stats+set}" = set; then + enableval=$enable_linux_smp_stats; enable_linux_smp_stats="$enableval" +else + enable_linux_smp_stats="no" +fi + + if test "x$enable_linux_smp_stats" = "xyes"; then + BUILD_PROCPIDSTATS_TRUE= + BUILD_PROCPIDSTATS_FALSE='#' else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 + BUILD_PROCPIDSTATS_TRUE='#' + BUILD_PROCPIDSTATS_FALSE= +fi - gl_cv_cc_visibility="no" +if test "x$enable_linux_smp_stats" = "xyes"; then + CPPFLAGS="$CPPFLAGS -DLINUX_SMP" fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +# Check whether --enable-inline-init-failopen was given. 
+if test "${enable_inline_init_failopen+set}" = set; then + enableval=$enable_inline_init_failopen; enable_inline_init_failopen="$enableval" +else + enable_inline_init_failopen="no" +fi +if test "x$enable_inline_init_failopen" = "xyes"; then + CPPFLAGS="$CPPFLAGS -DINLINE_FAILOPEN" + LIBS="$LIBS -lpthread" fi - { echo "$as_me:$LINENO: result: $gl_cv_cc_visibility" >&5 -echo "${ECHO_T}$gl_cv_cc_visibility" >&6; } - if test "x$gl_cv_cc_visibility" = "xyes"; then - CFLAGS="$gl_save_CFLAGS -fvisibility=hidden" +# Check whether --enable-prelude was given. +if test "${enable_prelude+set}" = set; then + enableval=$enable_prelude; enable_prelude="$enableval" +else + enable_prelude="no" +fi -cat >>confdefs.h <<\_ACEOF -#define HAVE_VISIBILITY 1 -_ACEOF - else - CFLAGS="$gl_save_CFLAGS" - fi + if test "x$enable_prelude" = "xyes"; then + BUILD_PRELUDE_TRUE= + BUILD_PRELUDE_FALSE='#' +else + BUILD_PRELUDE_TRUE='#' + BUILD_PRELUDE_FALSE= +fi +if test "x$enable_prelude" = "xyes"; then -# Check whether --enable-dynamicplugin was given. -if test "${enable_dynamicplugin+set}" = set; then - enableval=$enable_dynamicplugin; enable_dynamicplugin="$enableval" +# Check whether --with-libprelude-prefix was given. +if test "${with_libprelude_prefix+set}" = set; then + withval=$with_libprelude_prefix; libprelude_config_prefix="$withval" else - enable_dynamicplugin="yes" + libprelude_config_prefix="" fi - if test "x$enable_dynamicplugin" = "xyes"; then - HAVE_DYNAMIC_PLUGINS_TRUE= - HAVE_DYNAMIC_PLUGINS_FALSE='#' + + if test x$libprelude_config_prefix != x ; then + if test x${LIBPRELUDE_CONFIG+set} != xset ; then + LIBPRELUDE_CONFIG=$libprelude_config_prefix/bin/libprelude-config + fi + fi + + # Extract the first word of "libprelude-config", so it can be a program name with args. +set dummy libprelude-config; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... 
" >&6; } +if test "${ac_cv_path_LIBPRELUDE_CONFIG+set}" = set; then + $as_echo_n "(cached) " >&6 else - HAVE_DYNAMIC_PLUGINS_TRUE='#' - HAVE_DYNAMIC_PLUGINS_FALSE= + case $LIBPRELUDE_CONFIG in + [\\/]* | ?:[\\/]*) + ac_cv_path_LIBPRELUDE_CONFIG="$LIBPRELUDE_CONFIG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_LIBPRELUDE_CONFIG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + + test -z "$ac_cv_path_LIBPRELUDE_CONFIG" && ac_cv_path_LIBPRELUDE_CONFIG="no" + ;; +esac +fi +LIBPRELUDE_CONFIG=$ac_cv_path_LIBPRELUDE_CONFIG +if test -n "$LIBPRELUDE_CONFIG"; then + { $as_echo "$as_me:$LINENO: result: $LIBPRELUDE_CONFIG" >&5 +$as_echo "$LIBPRELUDE_CONFIG" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi -if test "x$enable_dynamicplugin" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DDYNAMIC_PLUGIN" -{ echo "$as_me:$LINENO: checking for dlsym in -ldl" >&5 -echo $ECHO_N "checking for dlsym in -ldl... $ECHO_C" >&6; } -if test "${ac_cv_lib_dl_dlsym+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 + min_libprelude_version=0.9.6 + { $as_echo "$as_me:$LINENO: checking for libprelude - version >= $min_libprelude_version" >&5 +$as_echo_n "checking for libprelude - version >= $min_libprelude_version... 
" >&6; } + no_libprelude="" + if test "$LIBPRELUDE_CONFIG" = "no" ; then + no_libprelude=yes + else + LIBPRELUDE_CFLAGS=`$LIBPRELUDE_CONFIG $libprelude_config_args --cflags` + LIBPRELUDE_PTHREAD_CFLAGS=`$LIBPRELUDE_CONFIG $libprelude_config_args --pthread-cflags` + LIBPRELUDE_LDFLAGS=`$LIBPRELUDE_CONFIG $libprelude_config_args --ldflags` + LIBPRELUDE_LIBS=`$LIBPRELUDE_CONFIG $libprelude_config_args --libs` + LIBPRELUDE_PREFIX=`$LIBPRELUDE_CONFIG $libprelude_config_args --prefix` + LIBPRELUDE_CONFIG_PREFIX=`$LIBPRELUDE_CONFIG $libprelude_config_args --config-prefix` + libprelude_config_version=`$LIBPRELUDE_CONFIG $libprelude_config_args --version` + + + ac_save_CFLAGS="$CFLAGS" + ac_save_LDFLAGS="$LDFLAGS" + ac_save_LIBS="$LIBS" + CFLAGS="$CFLAGS $LIBPRELUDE_CFLAGS" + LDFLAGS="$LDFLAGS $LIBPRELUDE_LDFLAGS" + LIBS="$LIBS $LIBPRELUDE_LIBS" + rm -f conf.libpreludetest + if test "$cross_compiling" = yes; then + echo $ac_n "cross compiling; assumed OK... $ac_c" else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ldl $LIBS" -cat >conftest.$ac_ext <<_ACEOF + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char dlsym (); +#include +#include +#include +#include + int main () { -return dlsym (); - ; - return 0; + system ("touch conf.libpreludetest"); + + if( strcmp( prelude_check_version(NULL), "$libprelude_config_version" ) ) + { + printf("\n*** 'libprelude-config --version' returned %s, but LIBPRELUDE (%s)\n", + "$libprelude_config_version", prelude_check_version(NULL) ); + printf("*** was found! If libprelude-config was correct, then it is best\n"); + printf("*** to remove the old version of LIBPRELUDE. 
You may also be able to fix the error\n"); + printf("*** by modifying your LD_LIBRARY_PATH enviroment variable, or by editing\n"); + printf("*** /etc/ld.so.conf. Make sure you have run ldconfig if that is\n"); + printf("*** required on your system.\n"); + printf("*** If libprelude-config was wrong, set the environment variable LIBPRELUDE_CONFIG\n"); + printf("*** to point to the correct copy of libprelude-config, and remove the file config.cache\n"); + printf("*** before re-running configure\n"); + } + else if ( strcmp(prelude_check_version(NULL), LIBPRELUDE_VERSION ) ) + { + printf("\n*** LIBPRELUDE header file (version %s) does not match\n", LIBPRELUDE_VERSION); + printf("*** library (version %s)\n", prelude_check_version(NULL) ); + } + else + { + if ( prelude_check_version( "$min_libprelude_version" ) ) + { + return 0; + } + else + { + printf("no\n*** An old version of LIBPRELUDE (%s) was found.\n", + prelude_check_version(NULL) ); + printf("*** You need a version of LIBPRELUDE newer than %s. The latest version of\n", + "$min_libprelude_version" ); + printf("*** LIBPRELUDE is always available from http://www.prelude-ids.org/download/releases.\n"); + printf("*** \n"); + printf("*** If you have already installed a sufficiently new version, this error\n"); + printf("*** probably means that the wrong copy of the libprelude-config shell script is\n"); + printf("*** being found. The easiest way to fix this is to remove the old version\n"); + printf("*** of LIBPRELUDE, but you can also set the LIBPRELUDE_CONFIG environment to point to the\n"); + printf("*** correct copy of libprelude-config. 
(In this case, you will have to\n"); + printf("*** modify your LD_LIBRARY_PATH enviroment variable, or edit /etc/ld.so.conf\n"); + printf("*** so that the correct libraries are found at run-time))\n"); + } + } + return 1; } + _ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext +rm -f conftest$ac_exeext if { (ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_lib_dl_dlsym=yes + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + : else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_lib_dl_dlsym=no +( exit $ac_status ) +no_libprelude=yes fi - -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi -{ echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlsym" >&5 -echo "${ECHO_T}$ac_cv_lib_dl_dlsym" >&6; } -if test $ac_cv_lib_dl_dlsym = yes; then - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBDL 1 -_ACEOF - - LIBS="-ldl $LIBS" -else - DLLIB="no" -fi - if test "$DLLIB" != "no"; then - LIBS="$LIBS -ldl" - else + CFLAGS="$ac_save_CFLAGS" + LIBS="$ac_save_LIBS" + LDFLAGS="$ac_save_LDFLAGS" + fi -{ echo "$as_me:$LINENO: checking for dlsym in -lc" >&5 -echo $ECHO_N "checking for dlsym in -lc... $ECHO_C" >&6; } -if test "${ac_cv_lib_c_dlsym+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lc $LIBS" -cat >conftest.$ac_ext <<_ACEOF + if test "x$no_libprelude" = x ; then + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } + use_prelude="yes" + else + if test -f conf.libpreludetest ; then + : + else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } + fi + if test "$LIBPRELUDE_CONFIG" = "no" ; then + echo "*** The libprelude-config script installed by LIBPRELUDE could not be found" + echo "*** If LIBPRELUDE was installed in PREFIX, make sure PREFIX/bin is in" + echo "*** your path, or set the LIBPRELUDE_CONFIG environment variable to the" + echo "*** full path to libprelude-config." + else + if test -f conf.libpreludetest ; then + : + else + echo "*** Could not run libprelude test program, checking why..." 
+ CFLAGS="$CFLAGS $LIBPRELUDE_CFLAGS" + LDFLAGS="$LDFLAGS $LIBPRELUDE_LDFLAGS" + LIBS="$LIBS $LIBPRELUDE_LIBS" + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char dlsym (); +#include +#include +#include +#include + int main () { -return dlsym (); + return !!prelude_check_version(NULL); ; return 0; } 
@@ -27395,375 +22174,414 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_lib_c_dlsym=yes + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + echo "*** The test program compiled, but did not run. This usually means" + echo "*** that the run-time linker is not finding LIBPRELUDE or finding the wrong" + echo "*** version of LIBPRELUDE. If it is not finding LIBPRELUDE, you'll need to set your" + echo "*** LD_LIBRARY_PATH environment variable, or edit /etc/ld.so.conf to point" + echo "*** to the installed location Also, make sure you have run ldconfig if that" + echo "*** is required on your system" + echo "***" + echo "*** If you have an old version installed, it is best to remove it, although" + echo "*** you may also be able to get things to work by modifying LD_LIBRARY_PATH" + echo "***" else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_lib_c_dlsym=no + echo "*** The test program failed to compile or link. See the file config.log for the" + echo "*** exact error that occured. This usually means LIBPRELUDE was incorrectly installed" + echo "*** or that you have moved LIBPRELUDE since it was installed. 
In the latter case, you" + echo "*** may want to edit the libprelude-config script: $LIBPRELUDE_CONFIG" fi +rm -rf conftest.dSYM rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ echo "$as_me:$LINENO: result: $ac_cv_lib_c_dlsym" >&5 -echo "${ECHO_T}$ac_cv_lib_c_dlsym" >&6; } -if test $ac_cv_lib_c_dlsym = yes; then - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBC 1 -_ACEOF + CFLAGS="$ac_save_CFLAGS" + LDFLAGS="$ac_save_LDFLAGS" + LIBS="$ac_save_LIBS" + fi + fi + LIBPRELUDE_CFLAGS="" + LIBPRELUDE_LDFLAGS="" + LIBPRELUDE_LIBS="" + use_prelude="no" + fi + rm -f conf.libpreludetest - LIBS="-lc $LIBS" -else - DLCLIB="no" -fi - if test "$DLCLIB" = "no"; then - echo - echo " ERROR! programmatic interface to dynamic link loader" - echo " not found. Cannot use dynamic plugin libraries." - echo - exit 1 - fi + + + + + if test "$use_prelude" = "yes"; then + LDFLAGS="${LDFLAGS} ${LIBPRELUDE_LDFLAGS}" + LIBS="$LIBS ${LIBPRELUDE_LIBS}" + CFLAGS="$CFLAGS ${LIBPRELUDE_PTHREAD_CFLAGS}" + +cat >>confdefs.h <<\_ACEOF +#define HAVE_LIBPRELUDE 1 +_ACEOF + fi fi -# Check whether --enable-ipv6 was given. -if test "${enable_ipv6+set}" = set; then - enableval=$enable_ipv6; enable_ipv6="$enableval" +# Check whether --enable-pthread was given. +if test "${enable_pthread+set}" = set; then + enableval=$enable_pthread; enable_pthread="$enableval" else - enable_ipv6="no" + enable_pthread="yes" fi -if test "x$enable_ipv6" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DSUP_IP6" -fi - if test "x$enable_ipv6" = "xyes"; then - HAVE_SUP_IP6_TRUE= - HAVE_SUP_IP6_FALSE='#' -else - HAVE_SUP_IP6_TRUE='#' - HAVE_SUP_IP6_FALSE= -fi +if test "x$enable_pthread" = "xyes"; then + LIBS="$LIBS -lpthread" +fi -# Check whether --enable-gre was given. -if test "${enable_gre+set}" = set; then - enableval=$enable_gre; enable_gre="$enableval" +# Check whether --enable-debug-msgs was given. 
+if test "${enable_debug_msgs+set}" = set; then + enableval=$enable_debug_msgs; enable_debug_msgs="$enableval" else - enable_gre="no" + enable_debug_msgs="no" fi -if test "x$enable_gre" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DGRE" +if test "x$enable_debug_msgs" = "xyes"; then + CPPFLAGS="$CPPFLAGS -DDEBUG_MSGS" fi -# Check whether --enable-mpls was given. -if test "${enable_mpls+set}" = set; then - enableval=$enable_mpls; enable_mpls="$enableval" +# Check whether --enable-debug was given. +if test "${enable_debug+set}" = set; then + enableval=$enable_debug; enable_debug="$enableval" else - enable_mpls="no" + enable_debug="no" fi -if test "x$enable_mpls" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DMPLS" + +if test "x$enable_debug" = "xyes"; then + NO_OPTIMIZE="yes" + + # in case user override doesn't include -g + if echo $CFLAGS | grep -qve -g ; then + CFLAGS="$CFLAGS -g" + fi + + CPPFLAGS="$CPPFLAGS -DDEBUG" fi -# Check whether --enable-targetbased was given. -if test "${enable_targetbased+set}" = set; then - enableval=$enable_targetbased; enable_targetbased="$enableval" +# Check whether --enable-gdb was given. +if test "${enable_gdb+set}" = set; then + enableval=$enable_gdb; enable_gdb="$enableval" else - enable_targetbased="no" + enable_gdb="no" fi - if test "x$enable_targetbased" = "xyes"; then - HAVE_TARGET_BASED_TRUE= - HAVE_TARGET_BASED_FALSE='#' +if test "x$enable_gdb" = "xyes"; then + CFLAGS="$CFLAGS -g -ggdb" +fi + +# Check whether --enable-profile was given. +if test "${enable_profile+set}" = set; then + enableval=$enable_profile; enable_profile="$enableval" else - HAVE_TARGET_BASED_TRUE='#' - HAVE_TARGET_BASED_FALSE= + enable_profile="no" fi -if test "x$enable_targetbased" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DTARGET_BASED" - LIBS="$LIBS -lpthread" - if test "$LEX" = "none"; then - echo - echo " ERROR! flex not found." 
- echo " Get it from http://flex.sourceforge.net/" - echo " (You may also try lex instead.)" - echo - exit 1 - fi - if test "$YACC" = "none"; then - echo - echo " ERROR! bison not found." - echo " Get it from http://www.gnu.org/software/bison/" - echo " (You may also try byacc or yacc instead.)" - echo - exit 1 + +if test "x$enable_profile" = "xyes"; then + if test -n "$GCC"; then + CPPFLAGS="$CPPFLAGS -DPROFILE" + CFLAGS="$CFLAGS -pg" + else + CPPFLAGS="$CPPFLAGS -DPROFILE" fi fi -# Check whether --enable-decoder-preprocessor-rules was given. -if test "${enable_decoder_preprocessor_rules+set}" = set; then - enableval=$enable_decoder_preprocessor_rules; enable_decoder_preprocessor_rules="$enableval" +# Check whether --enable-ppm-test was given. +if test "${enable_ppm_test+set}" = set; then + enableval=$enable_ppm_test; enable_ppm_test="$enableval" else - enable_decoder_preprocessor_rules="no" + enable_ppm_test="no" fi -if test "x$enable_decoder_preprocessor_rules" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DPREPROCESSOR_AND_DECODER_RULE_EVENTS" + +if test "x$enable_ppm_test" = "xyes"; then + CPPFLAGS="$CPPFLAGS -DPPM_TEST" fi -# Check whether --enable-ppm was given. -if test "${enable_ppm+set}" = set; then - enableval=$enable_ppm; enable_ppm="$enableval" +# Check whether --enable-sourcefire was given. +if test "${enable_sourcefire+set}" = set; then + enableval=$enable_sourcefire; enable_sourcefire="$enableval" else - enable_ppm="no" + enable_sourcefire="no" fi -if test "x$enable_ppm" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DPPM_MGR" + +if test "x$enable_sourcefire" = "xyes"; then + CPPFLAGS="$CPPFLAGS -DSOURCEFIRE -DPREPROCESSOR_AND_DECODER_RULE_EVENTS -DPPM_MGR" + CONFIGFLAGS="$CONFIGFLAGS -DPERF_PROFILING" fi -# Check whether --enable-timestats was given. -if test "${enable_timestats+set}" = set; then - enableval=$enable_timestats; enable_timestats="$enableval" +# Check whether --enable-corefiles was given. 
+if test "${enable_corefiles+set}" = set; then + enableval=$enable_corefiles; enable_corefiles="$enableval" else - enable_timestats="no" + enable_corefiles="yes" fi -if test "x$enable_timestats" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DTIMESTATS" + +if test "x$enable_corefiles" = "xno"; then + CPPFLAGS="$CPPFLAGS -DNOCOREFILE" fi -# Check whether --enable-perfprofiling was given. -if test "${enable_perfprofiling+set}" = set; then - enableval=$enable_perfprofiling; enable_perfprofiling="$enableval" +# Check whether --enable-active-response was given. +if test "${enable_active_response+set}" = set; then + enableval=$enable_active_response; enable_active_response="$enableval" else - enable_perfprofiling="no" + enable_active_response="yes" fi -if test "x$enable_perfprofiling" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DPERF_PROFILING" -fi -# Check whether --enable-linux-smp-stats was given. -if test "${enable_linux_smp_stats+set}" = set; then - enableval=$enable_linux_smp_stats; enable_linux_smp_stats="$enableval" +# Check whether --enable-normalizer was given. +if test "${enable_normalizer+set}" = set; then + enableval=$enable_normalizer; enable_normalizer="$enableval" else - enable_linux_smp_stats="no" + enable_normalizer="yes" fi -if test "x$enable_linux_smp_stats" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DLINUX_SMP" -fi -# Check whether --enable-inline was given. -if test "${enable_inline+set}" = set; then - enableval=$enable_inline; enable_inline="$enableval" +# Check whether --enable-reload was given. +if test "${enable_reload+set}" = set; then + enableval=$enable_reload; enable_reload="$enableval" else - enable_inline="no" + enable_reload="yes" fi -# Check whether --enable-ipfw was given. -if test "${enable_ipfw+set}" = set; then - enableval=$enable_ipfw; enable_ipfw="$enableval" +# Check whether --enable-reload-error-restart was given. 
+if test "${enable_reload_error_restart+set}" = set; then + enableval=$enable_reload_error_restart; enable_reload_error_restart="$enableval" else - enable_ipfw="no" + enable_reload_error_restart="yes" fi -if test "$enable_inline" != "no"; then - if test "$enable_inline" = "yes"; then - CPPFLAGS="$CPPFLAGS -DGIDS" - if test "$enable_ipfw" = "yes"; then - CPPFLAGS="$CPPFLAGS -DIPFW" - else +if test "x$enable_reload" = "xyes"; then + if test "x$enable_reload_error_restart" = "xyes"; then + CONFIGFLAGS="$CONFIGFLAGS -DSNORT_RELOAD" + else + CONFIGFLAGS="$CONFIGFLAGS -DSNORT_RELOAD -DRELOAD_ERROR_FATAL" + fi -# Check whether --with-libipq_includes was given. -if test "${with_libipq_includes+set}" = set; then - withval=$with_libipq_includes; with_libipq_includes="$withval" -else - with_libipq_includes="no" + LIBS="$LIBS -lpthread" fi +configuring_database="no" + -# Check whether --with-libipq_libraries was given. -if test "${with_libipq_libraries+set}" = set; then - withval=$with_libipq_libraries; with_libipq_libraries="$withval" +# Check whether --with-mysql was given. +if test "${with_mysql+set}" = set; then + withval=$with_mysql; with_mysql="$withval" else - with_libipq_libraries="no" + with_mysql="no" fi - if test "$with_libipq_includes" != "no"; then - CPPFLAGS="${CPPFLAGS} -I${with_libipq_includes}" - fi - if test "${ac_cv_header_libipq_h+set}" = set; then - { echo "$as_me:$LINENO: checking for libipq.h" >&5 -echo $ECHO_N "checking for libipq.h... $ECHO_C" >&6; } -if test "${ac_cv_header_libipq_h+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -fi -{ echo "$as_me:$LINENO: result: $ac_cv_header_libipq_h" >&5 -echo "${ECHO_T}$ac_cv_header_libipq_h" >&6; } -else - # Is the header compilable? -{ echo "$as_me:$LINENO: checking libipq.h usability" >&5 -echo $ECHO_N "checking libipq.h usability... $ECHO_C" >&6; } -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. 
*/ -$ac_includes_default -#include -_ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_header_compiler=yes + +# Check whether --with-mysql_includes was given. +if test "${with_mysql_includes+set}" = set; then + withval=$with_mysql_includes; with_mysql_includes="$withval"; with_mysql="yes" else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 + with_mysql_includes="no" +fi - ac_header_compiler=no + + +# Check whether --with-mysql_libraries was given. +if test "${with_mysql_libraries+set}" = set; then + withval=$with_mysql_libraries; with_mysql_libraries="$withval"; with_mysql="yes" +else + with_mysql_libraries="no" fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 -echo "${ECHO_T}$ac_header_compiler" >&6; } -# Is the header present? -{ echo "$as_me:$LINENO: checking libipq.h presence" >&5 -echo $ECHO_N "checking libipq.h presence... $ECHO_C" >&6; } -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -#include -_ACEOF -if { (ac_try="$ac_cpp conftest.$ac_ext" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 - (exit $ac_status); } >/dev/null && { - test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || - test ! -s conftest.err - }; then - ac_header_preproc=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 +default_directory="/usr /usr/local" +if test "x$with_mysql" != "xno"; then + configuring_database="yes" + if test "x$with_mysql" = "xyes"; then + if test "x$with_mysql_includes" != "xno"; then + mysql_inc_directory="$with_mysql_includes"; + else + mysql_inc_directory="$default_directory"; + fi + if test "x$with_mysql_libraries" != "xno"; then + mysql_lib_directory="$with_mysql_libraries"; + else + mysql_lib_directory="$default_directory"; + fi + mysql_fail="yes" + elif test -d "$withval"; then + { $as_echo "$as_me:$LINENO: WARNING: Providing a directory for the --with-mysql option" >&5 +$as_echo "$as_me: WARNING: Providing a directory for the --with-mysql option" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: will be deprecated in the future in favour of" >&5 +$as_echo "$as_me: WARNING: will be deprecated in the future in favour of" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: --with-mysql-libraries and --with-mysql-includes" >&5 +$as_echo "$as_me: WARNING: --with-mysql-libraries and --with-mysql-includes" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: options to address issues with non-standard" >&5 +$as_echo "$as_me: WARNING: options to address issues with non-standard" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: installations and 64bit platforms." >&5 +$as_echo "$as_me: WARNING: installations and 64bit platforms." >&2;} + mysql_inc_directory="$withval" + mysql_lib_directory="$withval" + mysql_fail="yes" + elif test "x$with_mysql" = "x"; then + mysql_inc_directory="$default_directory" + mysql_lib_directory="$default_directory" + mysql_fail="yes" + fi + + { $as_echo "$as_me:$LINENO: checking for mysql" >&5 +$as_echo_n "checking for mysql... 
" >&6; } - ac_header_preproc=no -fi + for i in $mysql_inc_directory; do + if test -r "$i/mysql.h"; then + MYSQL_INC_DIR="$i" + elif test -r "$i/include/mysql.h"; then + MYSQL_INC_DIR="$i/include" + elif test -r "$i/include/mysql/mysql.h"; then + MYSQL_INC_DIR="$i/include/mysql" + elif test -r "$i/mysql/mysql.h"; then + MYSQL_INC_DIR="$i/mysql" + elif test -r "$i/mysql/include/mysql.h"; then + MYSQL_INC_DIR="$i/mysql/include" + fi + done -rm -f conftest.err conftest.$ac_ext -{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 -echo "${ECHO_T}$ac_header_preproc" >&6; } + for i in $mysql_lib_directory; do + if test -z "$MYSQL_LIB_DIR"; then + str="$i/libmysqlclient.*" + for j in `echo $str`; do + if test -r $j; then + MYSQL_LIB_DIR=$i + break 2 + fi + done + fi + if test -z "$MYSQL_LIB_DIR"; then + str="$i/lib/libmysqlclient.*" + for j in `echo $str`; do + if test -r "$j"; then + MYSQL_LIB_DIR="$i/lib" + break 2 + fi + done + fi + if test -z "$MYSQL_LIB_DIR"; then + str="$i/mysql/libmysqlclient.*" + for j in `echo $str`; do + if test -r "$j"; then + MYSQL_LIB_DIR="$i/mysql" + break 2 + fi + done + fi + if test -z "$MYSQL_LIB_DIR"; then + str="$i/mysql/lib/libmysqlclient.*" + for j in `echo $str`; do + if test -r "$j"; then + MYSQL_LIB_DIR="$i/mysql/lib" + break 2 + fi + done + fi + if test -z "$MYSQL_LIB_DIR"; then + str="$i/lib/mysql/libmysqlclient.*" + for j in `echo $str`; do + if test -r "$j"; then + MYSQL_LIB_DIR="$i/lib/mysql" + break 2 + fi + done + fi + done -# So? What about this header? -case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in - yes:no: ) - { echo "$as_me:$LINENO: WARNING: libipq.h: accepted by the compiler, rejected by the preprocessor!" >&5 -echo "$as_me: WARNING: libipq.h: accepted by the compiler, rejected by the preprocessor!" 
>&2;} - { echo "$as_me:$LINENO: WARNING: libipq.h: proceeding with the compiler's result" >&5 -echo "$as_me: WARNING: libipq.h: proceeding with the compiler's result" >&2;} - ac_header_preproc=yes - ;; - no:yes:* ) - { echo "$as_me:$LINENO: WARNING: libipq.h: present but cannot be compiled" >&5 -echo "$as_me: WARNING: libipq.h: present but cannot be compiled" >&2;} - { echo "$as_me:$LINENO: WARNING: libipq.h: check for missing prerequisite headers?" >&5 -echo "$as_me: WARNING: libipq.h: check for missing prerequisite headers?" >&2;} - { echo "$as_me:$LINENO: WARNING: libipq.h: see the Autoconf documentation" >&5 -echo "$as_me: WARNING: libipq.h: see the Autoconf documentation" >&2;} - { echo "$as_me:$LINENO: WARNING: libipq.h: section \"Present But Cannot Be Compiled\"" >&5 -echo "$as_me: WARNING: libipq.h: section \"Present But Cannot Be Compiled\"" >&2;} - { echo "$as_me:$LINENO: WARNING: libipq.h: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: libipq.h: proceeding with the preprocessor's result" >&2;} - { echo "$as_me:$LINENO: WARNING: libipq.h: in the future, the compiler will take precedence" >&5 -echo "$as_me: WARNING: libipq.h: in the future, the compiler will take precedence" >&2;} + if test -z "$MYSQL_INC_DIR"; then + if test "x$mysql_fail" != "xno"; then + tmp="" + for i in $mysql_inc_directory; do + tmp="$tmp $i $i/include $i/include/mysql $i/mysql $i/mysql/include" + done - ;; -esac -{ echo "$as_me:$LINENO: checking for libipq.h" >&5 -echo $ECHO_N "checking for libipq.h... 
$ECHO_C" >&6; } -if test "${ac_cv_header_libipq_h+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_cv_header_libipq_h=$ac_header_preproc -fi -{ echo "$as_me:$LINENO: result: $ac_cv_header_libipq_h" >&5 -echo "${ECHO_T}$ac_cv_header_libipq_h" >&6; } + echo + echo + echo "**********************************************" + echo " ERROR: unable to find" "mysql headers (mysql.h)" + echo " checked in the following places" + for i in `echo $tmp`; do + echo " $i" + done + echo "**********************************************" + echo + exit 1 -fi -if test $ac_cv_header_libipq_h = yes; then - : -else - { { echo "$as_me:$LINENO: error: libipq.h not found ..." >&5 -echo "$as_me: error: libipq.h not found ..." >&2;} - { (exit 1); exit 1; }; } -fi + else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } + fi + else + if test -z "$MYSQL_LIB_DIR"; then + if test "x$mysql_fail" != "xno"; then + tmp="" + for i in $mysql_lib_directory; do + tmp="$tmp $i $i/lib $i/mysql $i/mysql/lib $i/lib/mysql" + done - if test "$with_libipq_libraries" != "no"; then - LDFLAGS="${LDFLAGS} -L${with_libipq_libraries}" - fi + echo + echo + echo "**********************************************" + echo " ERROR: unable to find" "mysqlclient library (libmysqlclient.*)" + echo " checked in the following places" + for i in `echo $tmp`; do + echo " $i" + done + echo "**********************************************" + echo + exit 1 - LIPQ="" + else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } + fi + else + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } + LDFLAGS="${LDFLAGS} -L${MYSQL_LIB_DIR}" + CPPFLAGS="${CPPFLAGS} -I${MYSQL_INC_DIR} -DENABLE_MYSQL" -{ echo "$as_me:$LINENO: checking for ipq_set_mode in -lipq" >&5 -echo $ECHO_N "checking for ipq_set_mode in -lipq... 
$ECHO_C" >&6; } -if test "${ac_cv_lib_ipq_ipq_set_mode+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +{ $as_echo "$as_me:$LINENO: checking for compress in -lz" >&5 +$as_echo_n "checking for compress in -lz... " >&6; } +if test "${ac_cv_lib_z_compress+set}" = set; then + $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS -LIBS="-lipq $LIBS" +LIBS="-lz $LIBS" cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF @@ -27777,11 +22595,11 @@ #ifdef __cplusplus extern "C" #endif -char ipq_set_mode (); +char compress (); int main () { -return ipq_set_mode (); +return compress (); ; return 0; } 
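Review bot: The MySQL include-directory loop (`for i in $mysql_inc_directory; do ... done`) never stops at its first hit, so with the default `/usr /usr/local` MYSQL_INC_DIR ends up as the last directory holding a mysql.h, while the library loop below stops at the first libmysqlclient it finds via `break 2`; a host with two MySQL installs can therefore be built against headers from one prefix and the client library from another. Adding `test -n "$MYSQL_INC_DIR" && break` as the last statement of the include loop body makes both searches prefer the same first prefix. The first library probe also reads `if test -r $j; then` unquoted while the four probes after it quote `"$j"`; it should be `if test -r "$j"; then` for consistency, since `$j` already comes from an unquoted glob expansion. The enclosing `if test "x$with_mysql" != "xno"` block continues past the end of the hunk.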
@@ -27792,200 +22610,212 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_lib_ipq_ipq_set_mode=yes + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_z_compress=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_lib_ipq_ipq_set_mode=no + ac_cv_lib_z_compress=no fi +rm -rf conftest.dSYM rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -{ echo "$as_me:$LINENO: result: $ac_cv_lib_ipq_ipq_set_mode" >&5 -echo "${ECHO_T}$ac_cv_lib_ipq_ipq_set_mode" >&6; } -if test $ac_cv_lib_ipq_ipq_set_mode = yes; then +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_z_compress" >&5 +$as_echo "$ac_cv_lib_z_compress" >&6; } +if test "x$ac_cv_lib_z_compress" = x""yes; then cat >>confdefs.h <<_ACEOF -#define HAVE_LIBIPQ 1 +#define HAVE_LIBZ 1 _ACEOF - LIBS="-lipq $LIBS" + LIBS="-lz $LIBS" -else - LIPQ="no" fi + LIBS="-lmysqlclient ${LIBS}" + fi + fi - if test "$LIPQ" = "no"; then - echo - echo " ERROR! 
Libipq library/headers not found, go get it from" - echo " www.netfilter.org or use the --with-libipq-* options, " - echo " if you have it installed in unusual place" - echo - exit 1 - fi - fi + { $as_echo "$as_me:$LINENO: checking for mysql default client reconnect" >&5 +$as_echo_n "checking for mysql default client reconnect... " >&6; } - LIBNET_INC_DIR="" - if test -n "$with_libnet_includes" -a "$with_libnet_includes" != "no"; then - libnet_dir="${with_libnet_includes}" - else - libnet_dir="/usr/include /usr/local/include /sw/include" - fi - { echo "$as_me:$LINENO: checking \"for libnet.h version 1.0.x\"" >&5 -echo $ECHO_N "checking \"for libnet.h version 1.0.x\"... $ECHO_C" >&6; } - for i in $libnet_dir; do - if test -r "$i/libnet.h"; then - LIBNET_INC_DIR="$i" - fi - done + if test "$cross_compiling" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot run test program while cross compiling +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot run test program while cross compiling +See \`config.log' for more details." >&2;} + { (exit 1); exit 1; }; }; } +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ - if test "$LIBNET_INC_DIR" != ""; then - if eval "grep LIBNET_VERSION $LIBNET_INC_DIR/libnet.h | grep -v 1.0 >/dev/null"; then + #include - echo - echo - echo "**********************************************" - echo " ERROR: unable to find" "libnet 1.0.x (libnet.h)" - echo " checked in the following places" - for i in `echo $LIBNET_INC_DIR`; do - echo " $i" - done - echo "**********************************************" - echo - exit 1 +int +main () +{ - fi - CFLAGS="${CFLAGS} `libnet-config --defines` `libnet-config --cflags`" - LIBS="${LIBS} `libnet-config --libs`" - CPPFLAGS="${CPPFLAGS} -I${LIBNET_INC_DIR}" - { echo "$as_me:$LINENO: result: $i" >&5 -echo "${ECHO_T}$i" >&6; } - else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } - { { echo "$as_me:$LINENO: error: \"libnet 1.0.x could not be found. please download and install the library from http://www.packetfactory.net/libnet/\"" >&5 -echo "$as_me: error: \"libnet 1.0.x could not be found. please download and install the library from http://www.packetfactory.net/libnet/\"" >&2;} - { (exit 1); exit 1; }; } - fi - fi -fi + if (mysql_get_client_version() < 50003) + return 1; -# Check whether --enable-inline-init-failopen was given. -if test "${enable_inline_init_failopen+set}" = set; then - enableval=$enable_inline_init_failopen; enable_inline_init_failopen="$enableval" + ; + return 0; +} +_ACEOF +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + mysql_default_reconnect="no" else - enable_inline_init_failopen="no" -fi + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -if test "x$enable_inline_init_failopen" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DINLINE_FAILOPEN" - LIBS="$LIBS -lpthread" +( exit $ac_status ) +mysql_default_reconnect="yes" +fi +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi -# Check whether --enable-prelude was given. -if test "${enable_prelude+set}" = set; then - enableval=$enable_prelude; enable_prelude="$enableval" + + + { $as_echo "$as_me:$LINENO: result: $mysql_default_reconnect" >&5 +$as_echo "$mysql_default_reconnect" >&6; } + + if test "x$mysql_default_reconnect" = "xno"; then + { $as_echo "$as_me:$LINENO: checking for mysql reconnect option" >&5 +$as_echo_n "checking for mysql reconnect option... " >&6; } + + if test "$cross_compiling" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot run test program while cross compiling +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot run test program while cross compiling +See \`config.log' for more details." >&2;} + { (exit 1); exit 1; }; }; } else - enable_prelude="no" -fi + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ + + #include + +int +main () +{ -if test "x$enable_prelude" = "xyes"; then + if (mysql_get_client_version() < 50013) + return 1; -# Check whether --with-libprelude-prefix was given. -if test "${with_libprelude_prefix+set}" = set; then - withval=$with_libprelude_prefix; libprelude_config_prefix="$withval" + ; + return 0; +} +_ACEOF +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + mysql_has_reconnect="yes" else - libprelude_config_prefix="" + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) +mysql_has_reconnect="no" +fi +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi - if test x$libprelude_config_prefix != x ; then - if test x${LIBPRELUDE_CONFIG+set} != xset ; then - LIBPRELUDE_CONFIG=$libprelude_config_prefix/bin/libprelude-config - fi - fi - # Extract the first word of "libprelude-config", so it can be a program name with args. -set dummy libprelude-config; ac_word=$2 -{ echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... 
$ECHO_C" >&6; } -if test "${ac_cv_path_LIBPRELUDE_CONFIG+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - case $LIBPRELUDE_CONFIG in - [\\/]* | ?:[\\/]*) - ac_cv_path_LIBPRELUDE_CONFIG="$LIBPRELUDE_CONFIG" # Let the user override the test with a path. - ;; - *) - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_path_LIBPRELUDE_CONFIG="$as_dir/$ac_word$ac_exec_ext" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done -IFS=$as_save_IFS + { $as_echo "$as_me:$LINENO: result: $mysql_has_reconnect" >&5 +$as_echo "$mysql_has_reconnect" >&6; } - test -z "$ac_cv_path_LIBPRELUDE_CONFIG" && ac_cv_path_LIBPRELUDE_CONFIG="no" - ;; -esac -fi -LIBPRELUDE_CONFIG=$ac_cv_path_LIBPRELUDE_CONFIG -if test -n "$LIBPRELUDE_CONFIG"; then - { echo "$as_me:$LINENO: result: $LIBPRELUDE_CONFIG" >&5 -echo "${ECHO_T}$LIBPRELUDE_CONFIG" >&6; } -else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } -fi + if test "x$mysql_has_reconnect" = "xyes"; then +cat >>confdefs.h <<\_ACEOF +#define MYSQL_HAS_OPT_RECONNECT 1 +_ACEOF - min_libprelude_version=0.9.6 - { echo "$as_me:$LINENO: checking for libprelude - version >= $min_libprelude_version" >&5 -echo $ECHO_N "checking for libprelude - version >= $min_libprelude_version... 
$ECHO_C" >&6; } - no_libprelude="" - if test "$LIBPRELUDE_CONFIG" = "no" ; then - no_libprelude=yes - else - LIBPRELUDE_CFLAGS=`$LIBPRELUDE_CONFIG $libprelude_config_args --cflags` - LIBPRELUDE_PTHREAD_CFLAGS=`$LIBPRELUDE_CONFIG $libprelude_config_args --pthread-cflags` - LIBPRELUDE_LDFLAGS=`$LIBPRELUDE_CONFIG $libprelude_config_args --ldflags` - LIBPRELUDE_LIBS=`$LIBPRELUDE_CONFIG $libprelude_config_args --libs` - LIBPRELUDE_PREFIX=`$LIBPRELUDE_CONFIG $libprelude_config_args --prefix` - LIBPRELUDE_CONFIG_PREFIX=`$LIBPRELUDE_CONFIG $libprelude_config_args --config-prefix` - libprelude_config_version=`$LIBPRELUDE_CONFIG $libprelude_config_args --version` + { $as_echo "$as_me:$LINENO: checking for mysql setting of reconnect option before connect bug" >&5 +$as_echo_n "checking for mysql setting of reconnect option before connect bug... " >&6; } - ac_save_CFLAGS="$CFLAGS" - ac_save_LDFLAGS="$LDFLAGS" - ac_save_LIBS="$LIBS" - CFLAGS="$CFLAGS $LIBPRELUDE_CFLAGS" - LDFLAGS="$LDFLAGS $LIBPRELUDE_LDFLAGS" - LIBS="$LIBS $LIBPRELUDE_LIBS" - rm -f conf.libpreludetest - if test "$cross_compiling" = yes; then - echo $ac_n "cross compiling; assumed OK... $ac_c" + if test "$cross_compiling" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot run test program while cross compiling +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot run test program while cross compiling +See \`config.log' for more details." >&2;} + { (exit 1); exit 1; }; }; } else cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ 
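Review bot: The new run-time probes in this hunk (`mysql_default_reconnect` and `mysql_has_reconnect`) record the "old client" answer on any failure of the test binary, because the failure branch does `( exit $ac_status )` followed by `mysql_default_reconnect="yes"` / `mysql_has_reconnect="no"` without distinguishing a non-zero exit from a link or load failure of `conftest` (for instance libmysqlclient not being on the run-time linker path, which the hunk's `-L${MYSQL_LIB_DIR}` does not cover). A broken probe therefore silently configures the DB output as if the client auto-reconnects instead of reporting the probe failed. The probes also hard-error when cross compiling, whereas the libprelude check this hunk removes used "cross compiling; assumed OK". Since configure is generated, the change belongs in configure.in: a compile-time test such as `#if MYSQL_VERSION_ID < 50003` / `#error too old` via AC_COMPILE_IFELSE would give a definite answer that also works when cross compiling, assuming MYSQL_VERSION_ID from the mysql headers is an acceptable version source here.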
@@ -27994,60 +22824,18 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -#include -#include -#include -#include + #include int main () { - system ("touch conf.libpreludetest"); - if( strcmp( prelude_check_version(NULL), "$libprelude_config_version" ) ) - { - printf("\n*** 'libprelude-config --version' returned %s, but LIBPRELUDE (%s)\n", - "$libprelude_config_version", prelude_check_version(NULL) ); - printf("*** was found! If libprelude-config was correct, then it is best\n"); - printf("*** to remove the old version of LIBPRELUDE. You may also be able to fix the error\n"); - printf("*** by modifying your LD_LIBRARY_PATH enviroment variable, or by editing\n"); - printf("*** /etc/ld.so.conf. Make sure you have run ldconfig if that is\n"); - printf("*** required on your system.\n"); - printf("*** If libprelude-config was wrong, set the environment variable LIBPRELUDE_CONFIG\n"); - printf("*** to point to the correct copy of libprelude-config, and remove the file config.cache\n"); - printf("*** before re-running configure\n"); - } - else if ( strcmp(prelude_check_version(NULL), LIBPRELUDE_VERSION ) ) - { - printf("\n*** LIBPRELUDE header file (version %s) does not match\n", LIBPRELUDE_VERSION); - printf("*** library (version %s)\n", prelude_check_version(NULL) ); - } - else - { - if ( prelude_check_version( "$min_libprelude_version" ) ) - { - return 0; - } - else - { - printf("no\n*** An old version of LIBPRELUDE (%s) was found.\n", - prelude_check_version(NULL) ); - printf("*** You need a version of LIBPRELUDE newer than %s. The latest version of\n", - "$min_libprelude_version" ); - printf("*** LIBPRELUDE is always available from http://www.prelude-ids.org/download/releases.\n"); - printf("*** \n"); - printf("*** If you have already installed a sufficiently new version, this error\n"); - printf("*** probably means that the wrong copy of the libprelude-config shell script is\n"); - printf("*** being found. 
The easiest way to fix this is to remove the old version\n"); - printf("*** of LIBPRELUDE, but you can also set the LIBPRELUDE_CONFIG environment to point to the\n"); - printf("*** correct copy of libprelude-config. (In this case, you will have to\n"); - printf("*** modify your LD_LIBRARY_PATH enviroment variable, or edit /etc/ld.so.conf\n"); - printf("*** so that the correct libraries are found at run-time))\n"); - } - } - return 1; -} + if (mysql_get_client_version() < 50019) + return 1; + ; + return 0; +} _ACEOF rm -f conftest$ac_exeext if { (ac_try="$ac_link" 
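Review bot: The version threshold in the new test body, `if (mysql_get_client_version() < 50019) return 1;`, is an unexplained magic number, as are 50003 and 50013 in the sibling probes; only the surrounding "checking for mysql setting of reconnect option before connect bug" message hints at what it means. In configure.in, a comment on the test program such as `/* presumably clients older than 5.0.19 ignore MYSQL_OPT_RECONNECT when it is set before mysql_real_connect(); confirm against the MySQL bug tracker */` would let the next maintainer verify the cut-off. The `#include` line of the test program shows no header name on this page, so the actual include could not be checked here.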
@@ -28055,78 +22843,305 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_link") 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' { (case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_try") 2>&5 ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - : + mysql_has_reconnect_bug="no" else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -( exit $ac_status ) -no_libprelude=yes +( exit $ac_status ) +mysql_has_reconnect_bug="yes" +fi +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +fi + + + + { $as_echo "$as_me:$LINENO: result: $mysql_has_reconnect_bug" >&5 +$as_echo "$mysql_has_reconnect_bug" >&6; } + + if test "x$mysql_has_reconnect_bug" = "xyes"; then + +cat >>confdefs.h <<\_ACEOF +#define MYSQL_HAS_OPT_RECONNECT_BUG 1 +_ACEOF + + fi + fi + fi +fi + + +# Check whether --with-odbc was given. 
+if test "${with_odbc+set}" = set; then + withval=$with_odbc; with_odbc="$withval" +else + with_odbc="no" +fi + + +if test "x$with_odbc" != "xno"; then + configuring_database="yes" + if test "x$with_odbc" = "xyes"; then + odbc_directory="$default_directory" + odbc_fail="yes" + elif test -d $withval; then + odbc_directory="$withval $default_directory"; + odbc_fail="yes" + elif test "x$with_odbc" = "x"; then + odbc_directory="$default_directory" + odbc_fail="no" + fi + + { $as_echo "$as_me:$LINENO: checking \"for odbc\"" >&5 +$as_echo_n "checking \"for odbc\"... " >&6; } + + for i in $odbc_directory; do + if test -r "$i/include/sql.h"; then + if test -r "$i/include/sqlext.h"; then + if test -r "$i/include/sqltypes.h"; then + ODBC_DIR="$i" + ODBC_INC_DIR="$i/include" + fi fi fi + done + + if test -z "$ODBC_DIR"; then + if test "x$odbc_fail" != "xno"; then + tmp="" + for i in $odbc_directory; do + tmp="$tmp $i/include" + done + + echo + echo + echo "**********************************************" + echo " ERROR: unable to find" "odbc headers (sql.h sqlext.h sqltypes.h)" + echo " checked in the following places" + for i in `echo $tmp`; do + echo " $i" + done + echo "**********************************************" + echo + exit 1 + + else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } + fi + else + + str="$ODBC_DIR/lib/libodbc.*" + for j in `echo $str`; do + if test -r "$j"; then + ODBC_LIB_DIR="$ODBC_DIR/lib" + ODBC_LIB="odbc" + fi + done + + + if test -z "$ODBC_LIB_DIR"; then + if test "x$odbc_fail" != "xno"; then + + echo + echo + echo "**********************************************" + echo " ERROR: unable to find" "odbc library (libodbc)" + echo " checked in the following places" + for i in `echo "$ODBC_DIR/lib"`; do + echo " $i" + done + echo "**********************************************" + echo + exit 1 + + else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } + fi + else + { $as_echo "$as_me:$LINENO: result: yes" >&5 
+$as_echo "yes" >&6; } + LDFLAGS="${LDFLAGS} -L${ODBC_LIB_DIR}" + CPPFLAGS="${CPPFLAGS} -I${ODBC_INC_DIR} -DENABLE_ODBC" + LIBS="${LIBS} -l$ODBC_LIB" + fi + fi +fi + + +# Check whether --with-postgresql was given. +if test "${with_postgresql+set}" = set; then + withval=$with_postgresql; with_postgresql="$withval" +else + with_postgresql="no" fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext + + + +# Check whether --with-pgsql_includes was given. +if test "${with_pgsql_includes+set}" = set; then + withval=$with_pgsql_includes; with_pgsql_includes="$withval" +else + with_pgsql_includes="no" fi - CFLAGS="$ac_save_CFLAGS" - LIBS="$ac_save_LIBS" - LDFLAGS="$ac_save_LDFLAGS" +if test "x$with_postgresql" != "xno"; then + configuring_database="yes" + if test "x$with_postgresql" = "xyes"; then + postgresql_directory="$default_directory /usr/local/pgsql /usr/pgsql /usr/local" + postgresql_fail="yes" + elif test -d $withval; then + postgresql_directory="$withval $default_directory /usr/local/pgsql /usr/pgsql" + postgresql_fail="yes" + elif test "$with_postgresql" = ""; then + postgresql_directory="$default_directory /usr/local/pgsql /usr/pgsql" + postgresql_fail="no" fi - if test "x$no_libprelude" = x ; then - { echo "$as_me:$LINENO: result: yes" >&5 -echo "${ECHO_T}yes" >&6; } - use_prelude="yes" + { $as_echo "$as_me:$LINENO: checking for postgresql" >&5 +$as_echo_n "checking for postgresql... 
" >&6; } + + if test "x$with_pgsql_includes" != "xno"; then + for i in $with_pgsql_includes $postgresql_directory; do + if test -r "$i/libpq-fe.h"; then + POSTGRESQL_INC_DIR="$i" + elif test -r "$i/include/pgsql/libpq-fe.h"; then + POSTGRESQL_INC_DIR="$i/include/pgsql" + elif test -r "$i/include/libpq-fe.h"; then + POSTGRESQL_INC_DIR="$i/include" + elif test -r "$i/include/postgresql/libpq-fe.h"; then + POSTGRESQL_INC_DIR="$i/include/postgresql" + fi + done + fi + + if test -z "$POSTGRESQL_INC_DIR"; then + for i in $postgresql_directory; do + if test -r "$i/include/pgsql/libpq-fe.h"; then + POSTGRESQL_DIR="$i" + POSTGRESQL_INC_DIR="$i/include/pgsql" + elif test -r "$i/include/libpq-fe.h"; then + POSTGRESQL_DIR="$i" + POSTGRESQL_INC_DIR="$i/include" + elif test -r "$i/include/postgresql/libpq-fe.h"; then + POSTGRESQL_DIR="$i" + POSTGRESQL_INC_DIR="$i/include/postgresql" + fi + done + fi + + if test -z "$POSTGRESQL_INC_DIR"; then + if test "x$postgresql_fail" != "xno"; then + tmp="" + if test "x$with_pgsql_includes" != "xno"; then + tmp="$tmp $with_pgsql_includes" + fi + for i in $postgresql_directory; do + tmp="$tmp $i/include $i/include/pgsql" + done + + echo + echo + echo "**********************************************" + echo " ERROR: unable to find" "postgresql header file (libpq-fe.h)" + echo " checked in the following places" + for i in `echo $tmp`; do + echo " $i" + done + echo "**********************************************" + echo + exit 1 + + else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } + fi + fi + + if test -z "$POSTGRESQL_DIR"; then + for dir in $postgresql_directory; do + for i in "lib" "lib/pgsql"; do + str="$dir/$i/libpq.*" + for j in `echo $str`; do + if test -r $j; then + POSTGRESQL_LIB_DIR="$dir/$i" + break 2 + fi + done + done + done else - if test -f conf.libpreludetest ; then - : + POSTGRESQL_LIB_DIR="$POSTGRESQL_DIR/lib" + fi + + if test -z "$POSTGRESQL_LIB_DIR"; then + if test "$postgresql_fail" != "no"; then + + 
echo + echo + echo "**********************************************" + echo " ERROR: unable to find" "postgresql library libpq" + echo " checked in the following places" + for i in `echo "$POSTGRESQL_DIR/lib $POSTGRESQL_DIR/lib/pgsql"`; do + echo " $i" + done + echo "**********************************************" + echo + exit 1 + else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; }; fi - if test "$LIBPRELUDE_CONFIG" = "no" ; then - echo "*** The libprelude-config script installed by LIBPRELUDE could not be found" - echo "*** If LIBPRELUDE was installed in PREFIX, make sure PREFIX/bin is in" - echo "*** your path, or set the LIBPRELUDE_CONFIG environment variable to the" - echo "*** full path to libprelude-config." - else - if test -f conf.libpreludetest ; then - : - else - echo "*** Could not run libprelude test program, checking why..." - CFLAGS="$CFLAGS $LIBPRELUDE_CFLAGS" - LDFLAGS="$LDFLAGS $LIBPRELUDE_LDFLAGS" - LIBS="$LIBS $LIBPRELUDE_LIBS" - cat >conftest.$ac_ext <<_ACEOF + else + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } + LDFLAGS="${LDFLAGS} -L${POSTGRESQL_LIB_DIR}" + CPPFLAGS="${CPPFLAGS} -I${POSTGRESQL_INC_DIR} -DENABLE_POSTGRESQL" + +{ $as_echo "$as_me:$LINENO: checking for PQexec in -lpq" >&5 +$as_echo_n "checking for PQexec in -lpq... " >&6; } +if test "${ac_cv_lib_pq_PQexec+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lpq $LIBS" +cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -#include -#include -#include -#include - +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char PQexec (); int main () { - return !!prelude_check_version(NULL); +return PQexec (); ; return 0; } 
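Review bot: In the PostgreSQL section of this hunk `-lpq` is added to LIBS twice: the AC_CHECK_LIB success branch already does `LIBS="-lpq $LIBS"`, and the following `if test "x$PQLIB" != "xno"; then LIBS="${LIBS} -lpq"` appends it again, so the second assignment should be dropped (and `PQLIB` is only ever assigned on failure, so the test relies on it being unset beforehand, which is not visible here). Separately, when `--with-postgresql=` is given with an empty value, `postgresql_fail="no"` makes the missing-header path print "no" and continue rather than exit, and the library search that follows is not nested under the header result; if libpq is then found, the "yes" branch runs `CPPFLAGS="${CPPFLAGS} -I${POSTGRESQL_INC_DIR} -DENABLE_POSTGRESQL"` with an empty include dir, so `-I` consumes `-DENABLE_POSTGRESQL` and the backend is linked but never enabled. Guarding the library search and the "yes" branch with `if test -n "$POSTGRESQL_INC_DIR"; then … fi` closes that gap; the edit belongs in configure.in since this file is generated.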
@@ -28137,3311 +23152,3286 @@ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - echo "*** The test program compiled, but did not run. This usually means" - echo "*** that the run-time linker is not finding LIBPRELUDE or finding the wrong" - echo "*** version of LIBPRELUDE. If it is not finding LIBPRELUDE, you'll need to set your" - echo "*** LD_LIBRARY_PATH environment variable, or edit /etc/ld.so.conf to point" - echo "*** to the installed location Also, make sure you have run ldconfig if that" - echo "*** is required on your system" - echo "***" - echo "*** If you have an old version installed, it is best to remove it, although" - echo "*** you may also be able to get things to work by modifying LD_LIBRARY_PATH" - echo "***" + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_pq_PQexec=yes else - echo "$as_me: failed program was:" >&5 + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - echo "*** The test program failed to compile or link. See the file config.log for the" - echo "*** exact error that occured. This usually means LIBPRELUDE was incorrectly installed" - echo "*** or that you have moved LIBPRELUDE since it was installed. 
In the latter case, you" - echo "*** may want to edit the libprelude-config script: $LIBPRELUDE_CONFIG" -fi + ac_cv_lib_pq_PQexec=no +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_pq_PQexec" >&5 +$as_echo "$ac_cv_lib_pq_PQexec" >&6; } +if test "x$ac_cv_lib_pq_PQexec" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBPQ 1 +_ACEOF + + LIBS="-lpq $LIBS" + +else + PQLIB="no" +fi + + if test "x$PQLIB" != "xno"; then + LIBS="${LIBS} -lpq" + else + echo + echo " ERROR! libpq (postgresql) not found!" + echo + exit 1 + fi + fi +fi + + +# Check whether --with-oracle was given. +if test "${with_oracle+set}" = set; then + withval=$with_oracle; with_oracle="$withval" +else + with_oracle="no" +fi + + +if test "x$with_oracle" != "xno"; then + configuring_database="yes" + if test "x$with_oracle" = "xyes"; then + oracle_directory="$default_directory ${ORACLE_HOME}" + oracle_fail="yes" + elif test -d $withval; then + oracle_directory="$withval $default_directory ${ORACLE_HOME}" + oracle_fail="yes" + elif test "x$with_oracle" = "x"; then + oracle_directory="$default_directory ${ORACLE_HOME}" + oracle_fail="no" + fi + + { $as_echo "$as_me:$LINENO: checking for oracle" >&5 +$as_echo_n "checking for oracle... 
" >&6; } + + for i in $oracle_directory; do + if test -r "$i/rdbms/demo/oci.h"; then + ORACLE_DIR="$i" + fi + done + + if test -z "$ORACLE_DIR"; then + if test "x$oracle_fail" != "xno"; then + tmp="" + for i in $oracle_directory; do + tmp="$tmp $i/rdbms/demo" + done + + echo + echo + echo "**********************************************" + echo " ERROR: unable to find" "OCI header file (oci.h)" + echo " checked in the following places" + for i in `echo $tmp`; do + echo " $i" + done + echo "**********************************************" + echo + exit 1 + + else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } + fi + else + for i in "rdbms/demo" "rdbms/public" "network/public"; do + ORACLE_CPP_FLAGS="$ORACLE_CPP_FLAGS -I$ORACLE_DIR/$i" + done + ORACLE_LIB_DIR="$ORACLE_DIR/lib" + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } + + LDFLAGS="${LDFLAGS} -L${ORACLE_LIB_DIR}" + CPPFLAGS="${CPPFLAGS} ${ORACLE_CPP_FLAGS} -DENABLE_ORACLE" -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext - CFLAGS="$ac_save_CFLAGS" - LDFLAGS="$ac_save_LDFLAGS" - LIBS="$ac_save_LIBS" - fi - fi - LIBPRELUDE_CFLAGS="" - LIBPRELUDE_LDFLAGS="" - LIBPRELUDE_LIBS="" - use_prelude="no" + ORACLE_LIBS="-lclntsh" + if test -r "$ORACLE_LIB_DIR/libwtc9.so"; then + ORACLE_LIBS="${ORACLE_LIBS} -lwtc9" + elif test -r "$ORACLE_LIB_DIR/libwtc8.so"; then + ORACLE_LIBS="${ORACLE_LIBS} -lwtc8" + fi + LIBS="${LIBS} ${ORACLE_LIBS}" fi - rm -f conf.libpreludetest +fi + +# Check whether --enable-paf was given. +if test "${enable_paf+set}" = set; then + enableval=$enable_paf; enable_paf="$enableval" +else + enable_paf="yes" +fi +if test "x$enable_paf" = "xyes"; then + CPPFLAGS="${CPPFLAGS} -DENABLE_PAF" +fi +# Check whether --enable-react was given. +if test "${enable_react+set}" = set; then + enableval=$enable_react; enable_react="$enableval" +else + enable_react="yes" +fi +# Check whether --enable-flexresp3 was given. 
+if test "${enable_flexresp3+set}" = set; then + enableval=$enable_flexresp3; enable_flexresp3="$enableval" +else + enable_flexresp3="yes" +fi - if test "$use_prelude" = "yes"; then - LDFLAGS="${LDFLAGS} ${LIBPRELUDE_LDFLAGS}" - LIBS="$LIBS ${LIBPRELUDE_LIBS}" - CFLAGS="$CFLAGS ${LIBPRELUDE_PTHREAD_CFLAGS}" +# Check whether --enable-aruba was given. +if test "${enable_aruba+set}" = set; then + enableval=$enable_aruba; enable_aruba="$enableval" +else + enable_aruba="no" +fi -cat >>confdefs.h <<\_ACEOF -#define HAVE_LIBPRELUDE 1 -_ACEOF +if test "x$enable_aruba" = "xyes"; then + CPPFLAGS="$CPPFLAGS -DARUBA" +fi +# test for invalid configurations here after all AC_ARG_ENABLEs +if test "x$enable_flexresp3" = "xyes"; then + # flexresp3 options are a union of flexresp (deleted) and flexresp2 + # options so we assume flexresp3 if multiple are enabled. + if test "x$enable_flexresp2" = "xyes"; then + echo "WARNING: multiple flexresp versions enabled; using flexresp3." + enable_flexresp2="no" fi fi -# Check whether --enable-pthread was given. -if test "${enable_pthread+set}" = set; then - enableval=$enable_pthread; enable_pthread="$enableval" + if test "x$enable_react" = "xyes"; then + BUILD_REACT_TRUE= + BUILD_REACT_FALSE='#' else - enable_pthread="no" + BUILD_REACT_TRUE='#' + BUILD_REACT_FALSE= fi -if test "x$enable_pthread" = "xyes"; then - LIBS="$LIBS -lpthread" +if test "x$enable_react" = "xyes"; then + CPPFLAGS="${CPPFLAGS} -DENABLE_REACT" fi -# Check whether --enable-debug was given. 
-if test "${enable_debug+set}" = set; then - enableval=$enable_debug; enable_debug="$enableval" + if test "x$enable_flexresp3" = "xyes"; then + BUILD_RESPOND3_TRUE= + BUILD_RESPOND3_FALSE='#' else - enable_debug="no" + BUILD_RESPOND3_TRUE='#' + BUILD_RESPOND3_FALSE= fi -if test "x$enable_debug" = "xyes"; then - NO_OPTIMIZE="yes" - CPPFLAGS="$CPPFLAGS -DDEBUG" +if test "x$enable_flexresp3" = "xyes"; then + CPPFLAGS="${CPPFLAGS} -DENABLE_RESPOND -DENABLE_RESPONSE3" +fi - # in case user override doesn't include -g - if echo $CFLAGS | grep -qve -g ; then - CFLAGS="$CFLAGS -g" - fi +if test "x$enable_normalizer" = "xyes" \ + -o "x$enable_sourcefire" = "xyes" ; \ +then + CONFIGFLAGS="${CONFIGFLAGS} -DNORMALIZER" fi -# Check whether --enable-profile was given. -if test "${enable_profile+set}" = set; then - enableval=$enable_profile; enable_profile="$enableval" +if test "x$enable_active_response" = "xyes" \ + -o "x$enable_flexresp3" = "xyes" \ + -o "x$enable_react" = "xyes" \ + -o "x$enable_sourcefire" = "xyes" ; \ +then + CONFIGFLAGS="${CONFIGFLAGS} -DACTIVE_RESPONSE" +fi + +# Check whether --enable-intel_soft_cpm was given. +if test "${enable_intel_soft_cpm+set}" = set; then + enableval=$enable_intel_soft_cpm; enable_intel_soft_cpm="$enableval" else - enable_profile="no" + enable_intel_soft_cpm="no" fi -if test "x$enable_profile" = "xyes"; then - if test -n "$GCC"; then - CPPFLAGS="$CPPFLAGS -DPROFILE" - CFLAGS="$CFLAGS -pg" - else - CPPFLAGS="$CPPFLAGS -DPROFILE" - fi + + +# Check whether --with-intel_soft_cpm_includes was given. +if test "${with_intel_soft_cpm_includes+set}" = set; then + withval=$with_intel_soft_cpm_includes; with_intel_soft_cpm_includes="$withval" +else + with_intel_soft_cpm_includes="no" fi -# Check whether --enable-ppm-test was given. -if test "${enable_ppm_test+set}" = set; then - enableval=$enable_ppm_test; enable_ppm_test="$enableval" + + +# Check whether --with-intel_soft_cpm_libraries was given. 
+if test "${with_intel_soft_cpm_libraries+set}" = set; then + withval=$with_intel_soft_cpm_libraries; with_intel_soft_cpm_libraries="$withval" else - enable_ppm_test="no" + with_intel_soft_cpm_libraries="no" fi -if test "x$enable_ppm_test" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DPPM_TEST" + +if test "x$with_intel_soft_cpm_includes" != "xno"; then + enable_intel_soft_cpm="yes" + CPPFLAGS="${CPPFLAGS} -I${with_intel_soft_cpm_includes}" fi -# Check whether --enable-sourcefire was given. -if test "${enable_sourcefire+set}" = set; then - enableval=$enable_sourcefire; enable_sourcefire="$enableval" +if test "x$with_intel_soft_cpm_libraries" != "xno"; then + enable_intel_soft_cpm="yes" + LDFLAGS="${LDFLAGS} -L${with_intel_soft_cpm_libraries}" + LIBS="${LIBS} -lpm" +fi + + if test "x$enable_intel_soft_cpm" = "xyes"; then + HAVE_INTEL_SOFT_CPM_TRUE= + HAVE_INTEL_SOFT_CPM_FALSE='#' else - enable_sourcefire="no" + HAVE_INTEL_SOFT_CPM_TRUE='#' + HAVE_INTEL_SOFT_CPM_FALSE= fi -if test "x$enable_sourcefire" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DSOURCEFIRE -DPERF_PROFILING -DPREPROCESSOR_AND_DECODER_RULE_EVENTS -DPPM_MGR" +if test "x$enable_intel_soft_cpm" = "xyes"; then + CPPFLAGS="${CPPFLAGS} -DINTEL_SOFT_CPM" fi -# Check whether --enable-corefiles was given. -if test "${enable_corefiles+set}" = set; then - enableval=$enable_corefiles; enable_corefiles="$enableval" +# Check whether --enable-shared_rep was given. +if test "${enable_shared_rep+set}" = set; then + enableval=$enable_shared_rep; enable_shared_rep="$enableval" else - enable_corefiles="yes" + enable_shared_rep="no" fi -if test "x$enable_corefiles" = "xno"; then - CPPFLAGS="$CPPFLAGS -DNOCOREFILE" + +if test "x$enable_shared_rep" = "xyes"; then + if test "x$linux" = "xyes"; then + CPPFLAGS="${CPPFLAGS} -DSHARED_REP" + LIBS="$LIBS -lrt" + else + echo "WARNING: shared reputation is only available on linux." + enable_shared_rep="no" + fi fi -# Check whether --enable-reload was given. 
-if test "${enable_reload+set}" = set; then - enableval=$enable_reload; enable_reload="$enableval" + if test "x$enable_shared_rep" = "xyes"; then + HAVE_SHARED_REP_TRUE= + HAVE_SHARED_REP_FALSE='#' else - enable_reload="no" + HAVE_SHARED_REP_TRUE='#' + HAVE_SHARED_REP_FALSE= fi -# Check whether --enable-reload-error-restart was given. -if test "${enable_reload_error_restart+set}" = set; then - enableval=$enable_reload_error_restart; enable_reload_error_restart="$enableval" +# Check whether --enable-rzb-saac was given. +if test "${enable_rzb_saac+set}" = set; then + enableval=$enable_rzb_saac; enable_rzb_saac="$enableval" else - enable_reload_error_restart="yes" + enable_rzb_saac="no" fi -if test "x$enable_reload" = "xyes"; then - if test "x$enable_reload_error_restart" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DSNORT_RELOAD" - else - CPPFLAGS="$CPPFLAGS -DSNORT_RELOAD -DRELOAD_ERROR_FATAL" - fi - LIBS="$LIBS -lpthread" +# Check whether --with-librzb_api was given. +if test "${with_librzb_api+set}" = set; then + withval=$with_librzb_api; with_librzb_api="$withval" +else + with_librzb_api="no" +fi + + +if test "x$with_librzb_api" = "xno"; then + export PKG_CONFIG_PATH=$prefix/lib/pkgconfig:$PKG_CONFIG_PATH +else + export PKG_CONFIG_PATH=$with_librzb_api/lib/pkgconfig:$PKG_CONFIG_PATH +fi + +if test "x$enable_rzb_saac" = "xyes"; then + # Extract the first word of "pkg-config", so it can be a program name with args. +set dummy pkg-config; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_PKG_CONFIG+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$PKG_CONFIG"; then + ac_cv_prog_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_PKG_CONFIG="yes" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + +fi +fi +PKG_CONFIG=$ac_cv_prog_PKG_CONFIG +if test -n "$PKG_CONFIG"; then + { $as_echo "$as_me:$LINENO: result: $PKG_CONFIG" >&5 +$as_echo "$PKG_CONFIG" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi -# Check whether --with-libnet_includes was given. -if test "${with_libnet_includes+set}" = set; then - withval=$with_libnet_includes; with_libnet_includes="$withval" + if test "x$PKG_CONFIG" != "xyes"; then + echo + echo + echo " ERROR! pkg-config not found, go get it from" + echo " http://freedesktop.org" + exit + fi + + + +if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args. +set dummy ${ac_tool_prefix}pkg-config; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_path_PKG_CONFIG+set}" = set; then + $as_echo_n "(cached) " >&6 +else + case $PKG_CONFIG in + [\\/]* | ?:[\\/]*) + ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + + ;; +esac +fi +PKG_CONFIG=$ac_cv_path_PKG_CONFIG +if test -n "$PKG_CONFIG"; then + { $as_echo "$as_me:$LINENO: result: $PKG_CONFIG" >&5 +$as_echo "$PKG_CONFIG" >&6; } else - with_libnet_includes="no" + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi +fi +if test -z "$ac_cv_path_PKG_CONFIG"; then + ac_pt_PKG_CONFIG=$PKG_CONFIG + # Extract the first word of "pkg-config", so it can be a program name with args. +set dummy pkg-config; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_path_ac_pt_PKG_CONFIG+set}" = set; then + $as_echo_n "(cached) " >&6 +else + case $ac_pt_PKG_CONFIG in + [\\/]* | ?:[\\/]*) + ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + + ;; +esac +fi +ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG +if test -n "$ac_pt_PKG_CONFIG"; then + { $as_echo "$as_me:$LINENO: result: $ac_pt_PKG_CONFIG" >&5 +$as_echo "$ac_pt_PKG_CONFIG" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi -# Check whether --with-libnet_libraries was given. 
-if test "${with_libnet_libraries+set}" = set; then - withval=$with_libnet_libraries; with_libnet_libraries="$withval" + if test "x$ac_pt_PKG_CONFIG" = x; then + PKG_CONFIG="" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + PKG_CONFIG=$ac_pt_PKG_CONFIG + fi else - with_libnet_libraries="no" + PKG_CONFIG="$ac_cv_path_PKG_CONFIG" fi +fi +if test -n "$PKG_CONFIG"; then + _pkg_min_version=0.9.0 + { $as_echo "$as_me:$LINENO: checking pkg-config is at least version $_pkg_min_version" >&5 +$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; } + if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } + else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } + PKG_CONFIG="" + fi -if test "x$with_libnet_includes" != "xno"; then - CPPFLAGS="${CPPFLAGS} -I${with_libnet_includes}" fi -if test "x$with_libnet_libraries" != "xno"; then - LDFLAGS="${LDFLAGS} -L${with_libnet_libraries}" +pkg_failed=no +{ $as_echo "$as_me:$LINENO: checking for RAZORBACK" >&5 +$as_echo_n "checking for RAZORBACK... " >&6; } + +if test -n "$RAZORBACK_CFLAGS"; then + pkg_cv_RAZORBACK_CFLAGS="$RAZORBACK_CFLAGS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { ($as_echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"razorback >= 0.1.3\"") >&5 + ($PKG_CONFIG --exists --print-errors "razorback >= 0.1.3") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; then + pkg_cv_RAZORBACK_CFLAGS=`$PKG_CONFIG --cflags "razorback >= 0.1.3" 2>/dev/null` +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi +if test -n "$RAZORBACK_LIBS"; then + pkg_cv_RAZORBACK_LIBS="$RAZORBACK_LIBS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { ($as_echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"razorback >= 0.1.3\"") >&5 + ($PKG_CONFIG --exists --print-errors "razorback >= 0.1.3") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; then + pkg_cv_RAZORBACK_LIBS=`$PKG_CONFIG --libs "razorback >= 0.1.3" 2>/dev/null` +else + pkg_failed=yes +fi + else + pkg_failed=untried fi -# Check whether --with-dnet_includes was given. -if test "${with_dnet_includes+set}" = set; then - withval=$with_dnet_includes; with_dnet_includes="$withval" + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes else - with_dnet_includes="no" + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + RAZORBACK_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "razorback >= 0.1.3" 2>&1` + else + RAZORBACK_PKG_ERRORS=`$PKG_CONFIG --print-errors "razorback >= 0.1.3" 2>&1` + fi + # Put the nasty error message in config.log where it belongs + echo "$RAZORBACK_PKG_ERRORS" >&5 + + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } + LRZB=no +elif test $pkg_failed = untried; then + LRZB=no +else + RAZORBACK_CFLAGS=$pkg_cv_RAZORBACK_CFLAGS + RAZORBACK_LIBS=$pkg_cv_RAZORBACK_LIBS + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } + : +fi + if test "x$LRZB" = "xno"; then + echo + echo " ERROR! 
razorback_api library not found, go get it from" + echo " http://sourceforge.net/projects/razorbacktm/" + exit + fi fi + if test x$enable_rzb_saac = xyes; then + WANT_SF_SAAC_TRUE= + WANT_SF_SAAC_FALSE='#' +else + WANT_SF_SAAC_TRUE='#' + WANT_SF_SAAC_FALSE= +fi -# Check whether --with-dnet_libraries was given. -if test "${with_dnet_libraries+set}" = set; then - withval=$with_dnet_libraries; with_dnet_libraries="$withval" +# Check whether --enable-large-pcap was given. +if test "${enable_large_pcap+set}" = set; then + enableval=$enable_large_pcap; enable_large_pcap="$enableval" else - with_dnet_libraries="no" + enable_large_pcap="no" fi -if test "x$with_dnet_includes" != "xno"; then - CPPFLAGS="${CPPFLAGS} -I${with_dnet_includes}" +if test "x$enable_large_pcap" = "xyes"; then + CPPFLAGS="${CPPFLAGS} -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64" fi -if test "x$with_dnet_libraries" != "xno"; then - LDFLAGS="${LDFLAGS} -L${with_dnet_libraries}" +# let's make some fixes.. + +CFLAGS="${CFLAGS} ${CCONFIGFLAGS}" +CFLAGS=`echo $CFLAGS | sed -e 's/-I\/usr\/include //g'` +CPPFLAGS="${CPPFLAGS} ${CONFIGFLAGS}" +CPPFLAGS=`echo $CPPFLAGS | sed -e 's/-I\/usr\/include //g'` + +if test "x$GCC" = "xyes" ; then + echo `$CC -v 2>&1` | grep "version 4" > /dev/null + if test $? = 0 ; then + CFLAGS="$CFLAGS -fno-strict-aliasing" + fi fi +if test "x$linux" = "xyes"; then + { $as_echo "$as_me:$LINENO: checking for linuxthreads" >&5 +$as_echo_n "checking for linuxthreads... " >&6; } + tstr=`getconf GNU_LIBPTHREAD_VERSION 2>&1` + if test $? = 0; then # GNU_LIBPTHREAD_VERSION is a valid system variable + echo $tstr | grep -i linuxthreads > /dev/null 2>&1 + if test $? = 0; then -# Check whether --with-mysql was given. 
-if test "${with_mysql+set}" = set; then - withval=$with_mysql; with_mysql="$withval" -else - with_mysql="no" -fi +cat >>confdefs.h <<\_ACEOF +#define HAVE_LINUXTHREADS 1 +_ACEOF + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } + else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } + fi + else + # Use libc.so to see if linuxthreads is being used + $( ldd `which --skip-alias ls` | grep libc.so | awk '{print $3}' ) | grep -i linuxthreads > /dev/null 2>&1 + if test $? = 0; then +cat >>confdefs.h <<\_ACEOF +#define HAVE_LINUXTHREADS 1 +_ACEOF -# Check whether --with-mysql_includes was given. -if test "${with_mysql_includes+set}" = set; then - withval=$with_mysql_includes; with_mysql_includes="$withval"; with_mysql="yes" -else - with_mysql_includes="no" + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } + else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } + fi + fi fi +if test "$LEX" != "none"; then + { $as_echo "$as_me:$LINENO: checking for yylex_destroy support" >&5 +$as_echo_n "checking for yylex_destroy support... " >&6; } + + version=`$LEX --version | awk '{print $3}'` + if test -z $version; then + version=`$LEX --version | awk '{print $2}'` + fi + + have_yylex_destroy="no" + if test $version; then + major=`echo $version | awk -F. '{ print $1 }'` + minor=`echo $version | awk -F. '{ print $2 }'` + subminor=`echo $version | awk -F. '{ print $3 }'` + + if test $major -a $minor -a $subminor; then + if test $major -gt 2; then + have_yylex_destroy="yes" + else + if test $major -eq 2; then + if test $minor -gt 5; then + have_yylex_destroy="yes" + else + if test $minor -eq 5; then + if test $subminor -ge 9; then + have_yylex_destroy="yes" + fi + fi + fi + fi + fi + fi + fi + if test "x$have_yylex_destroy" = "xyes"; then + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } -# Check whether --with-mysql_libraries was given. 
-if test "${with_mysql_libraries+set}" = set; then - withval=$with_mysql_libraries; with_mysql_libraries="$withval"; with_mysql="yes" -else - with_mysql_libraries="no" -fi - +cat >>confdefs.h <<\_ACEOF +#define HAVE_YYLEX_DESTROY 1 +_ACEOF -default_directory="/usr /usr/local" -if test "x$with_mysql" != "xno"; then - if test "x$with_mysql" = "xyes"; then - if test "x$with_mysql_includes" != "xno"; then - mysql_inc_directory="$with_mysql_includes"; else - mysql_inc_directory="$default_directory"; + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } fi - if test "x$with_mysql_libraries" != "xno"; then - mysql_lib_directory="$with_mysql_libraries"; - else - mysql_lib_directory="$default_directory"; +fi + +# Set to no optimization regardless of what user or autostuff set +if test "x$NO_OPTIMIZE" = "xyes"; then + CFLAGS=`echo $CFLAGS | sed -e "s/-O./-O0/"` + + # in case user override doesn't include -O + if echo $CFLAGS | grep -qve -O0 ; then + CFLAGS="$CFLAGS -O0" fi - mysql_fail="yes" - elif test -d "$withval"; then - { echo "$as_me:$LINENO: WARNING: Providing a directory for the --with-mysql option" >&5 -echo "$as_me: WARNING: Providing a directory for the --with-mysql option" >&2;} - { echo "$as_me:$LINENO: WARNING: will be deprecated in the future in favour of" >&5 -echo "$as_me: WARNING: will be deprecated in the future in favour of" >&2;} - { echo "$as_me:$LINENO: WARNING: --with-mysql-libraries and --with-mysql-includes" >&5 -echo "$as_me: WARNING: --with-mysql-libraries and --with-mysql-includes" >&2;} - { echo "$as_me:$LINENO: WARNING: options to address issues with non-standard" >&5 -echo "$as_me: WARNING: options to address issues with non-standard" >&2;} - { echo "$as_me:$LINENO: WARNING: installations and 64bit platforms." >&5 -echo "$as_me: WARNING: installations and 64bit platforms." 
>&2;} - mysql_inc_directory="$withval" - mysql_lib_directory="$withval" - mysql_fail="yes" - elif test "x$with_mysql" = "x"; then - mysql_inc_directory="$default_directory" - mysql_lib_directory="$default_directory" - mysql_fail="yes" - fi +fi - { echo "$as_me:$LINENO: checking for mysql" >&5 -echo $ECHO_N "checking for mysql... $ECHO_C" >&6; } +if test "x$ADD_WERROR" = "xyes"; then + CFLAGS="$CFLAGS -Werror" +fi - for i in $mysql_inc_directory; do - if test -r "$i/mysql.h"; then - MYSQL_INC_DIR="$i" - elif test -r "$i/include/mysql.h"; then - MYSQL_INC_DIR="$i/include" - elif test -r "$i/include/mysql/mysql.h"; then - MYSQL_INC_DIR="$i/include/mysql" - elif test -r "$i/mysql/mysql.h"; then - MYSQL_INC_DIR="$i/mysql" - elif test -r "$i/mysql/include/mysql.h"; then - MYSQL_INC_DIR="$i/mysql/include" - fi - done +if test -n "$GCC"; then + CFLAGS="$CFLAGS -Wall" +fi - for i in $mysql_lib_directory; do - if test -z "$MYSQL_LIB_DIR"; then - str="$i/libmysqlclient.*" - for j in `echo $str`; do - if test -r $j; then - MYSQL_LIB_DIR=$i - break 2 - fi - done - fi - if test -z "$MYSQL_LIB_DIR"; then - str="$i/lib/libmysqlclient.*" - for j in `echo $str`; do - if test -r "$j"; then - MYSQL_LIB_DIR="$i/lib" - break 2 - fi - done - fi - if test -z "$MYSQL_LIB_DIR"; then - str="$i/mysql/libmysqlclient.*" - for j in `echo $str`; do - if test -r "$j"; then - MYSQL_LIB_DIR="$i/mysql" - break 2 - fi - done - fi - if test -z "$MYSQL_LIB_DIR"; then - str="$i/mysql/lib/libmysqlclient.*" - for j in `echo $str`; do - if test -r "$j"; then - MYSQL_LIB_DIR="$i/mysql/lib" - break 2 - fi - done - fi - if test -z "$MYSQL_LIB_DIR"; then - str="$i/lib/mysql/libmysqlclient.*" - for j in `echo $str`; do - if test -r "$j"; then - MYSQL_LIB_DIR="$i/lib/mysql" - break 2 - fi - done - fi - done +echo $CFLAGS > cflags.out +echo $CPPFLAGS > cppflags.out - if test -z "$MYSQL_INC_DIR"; then - if test "x$mysql_fail" != "xno"; then - tmp="" - for i in $mysql_inc_directory; do - tmp="$tmp $i $i/include 
$i/include/mysql $i/mysql $i/mysql/include" - done +INCLUDES='-I$(top_srcdir) -I$(top_srcdir)/src -I$(top_srcdir)/src/sfutil $(extra_incl) -I$(top_srcdir)/src/output-plugins -I$(top_srcdir)/src/detection-plugins -I$(top_srcdir)/src/dynamic-plugins -I$(top_srcdir)/src/preprocessors -I$(top_srcdir)/src/preprocessors/portscan -I$(top_srcdir)/src/preprocessors/HttpInspect/include -I$(top_srcdir)/src/preprocessors/Stream5 -I$(top_srcdir)/src/target-based -I$(top_srcdir)/src/control' - echo - echo - echo "**********************************************" - echo " ERROR: unable to find" "mysql headers (mysql.h)" - echo " checked in the following places" - for i in `echo $tmp`; do - echo " $i" - done - echo "**********************************************" - echo - exit 1 - else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } - fi - else - if test -z "$MYSQL_LIB_DIR"; then - if test "x$mysql_fail" != "xno"; then - tmp="" - for i in $mysql_lib_directory; do - tmp="$tmp $i $i/lib $i/mysql $i/mysql/lib $i/lib/mysql" - done - echo - echo - echo "**********************************************" - echo " ERROR: unable to find" "mysqlclient library (libmysqlclient.*)" - echo " checked in the following places" - for i in `echo $tmp`; do - echo " $i" - done - echo "**********************************************" - echo - exit 1 - else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } - fi - else - { echo "$as_me:$LINENO: result: yes" >&5 -echo "${ECHO_T}yes" >&6; } - LDFLAGS="${LDFLAGS} -L${MYSQL_LIB_DIR}" - CPPFLAGS="${CPPFLAGS} -I${MYSQL_INC_DIR} -DENABLE_MYSQL" -{ echo "$as_me:$LINENO: checking for compress in -lz" >&5 -echo $ECHO_N "checking for compress in -lz... $ECHO_C" >&6; } -if test "${ac_cv_lib_z_compress+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +# Find a good install program. We prefer a C program (faster), +# so one script is as good as another. 
But avoid the broken or +# incompatible versions: +# SysV /etc/install, /usr/sbin/install +# SunOS /usr/etc/install +# IRIX /sbin/install +# AIX /bin/install +# AmigaOS /C/install, which installs bootblocks on floppy discs +# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag +# AFS /usr/afsws/bin/install, which mishandles nonexistent args +# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" +# OS/2's system install, which has a completely different semantic +# ./install, which can be erroneously created by make from ./install.sh. +# Reject install programs that cannot install multiple files. +{ $as_echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5 +$as_echo_n "checking for a BSD-compatible install... " >&6; } +if test -z "$INSTALL"; then +if test "${ac_cv_path_install+set}" = set; then + $as_echo_n "(cached) " >&6 else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lz $LIBS" -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char compress (); -int -main () -{ -return compress (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + # Account for people who put trailing slashes in PATH elements. +case $as_dir/ in + ./ | .// | /cC/* | \ + /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \ + ?:\\/os2\\/install\\/* | ?:\\/OS2\\/INSTALL\\/* | \ + /usr/ucb/* ) ;; + *) + # OSF1 and SCO ODT 3.0 have their own names for install. 
+ # Don't use installbsd from OSF since it installs stuff as root + # by default. + for ac_prog in ginstall scoinst install; do + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then + if test $ac_prog = install && + grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then + # AIX install. It has an incompatible calling convention. + : + elif test $ac_prog = install && + grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then + # program-specific install script used by HP pwplus--don't use. + : + else + rm -rf conftest.one conftest.two conftest.dir + echo one > conftest.one + echo two > conftest.two + mkdir conftest.dir + if "$as_dir/$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir" && + test -s conftest.one && test -s conftest.two && + test -s conftest.dir/conftest.one && + test -s conftest.dir/conftest.two + then + ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c" + break 3 + fi + fi + fi + done + done + ;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! 
-s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_lib_z_compress=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_cv_lib_z_compress=no -fi -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ echo "$as_me:$LINENO: result: $ac_cv_lib_z_compress" >&5 -echo "${ECHO_T}$ac_cv_lib_z_compress" >&6; } -if test $ac_cv_lib_z_compress = yes; then - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBZ 1 -_ACEOF +done +IFS=$as_save_IFS - LIBS="-lz $LIBS" +rm -rf conftest.one conftest.two conftest.dir fi - - LIBS="-lmysqlclient ${LIBS}" - fi + if test "${ac_cv_path_install+set}" = set; then + INSTALL=$ac_cv_path_install + else + # As a last resort, use the slow shell script. Don't cache a + # value for INSTALL within a source directory, because that will + # break other packages using the cache if that directory is + # removed, or if the value is a relative name. + INSTALL=$ac_install_sh fi +fi +{ $as_echo "$as_me:$LINENO: result: $INSTALL" >&5 +$as_echo "$INSTALL" >&6; } - { echo "$as_me:$LINENO: checking for mysql default client reconnect" >&5 -echo $ECHO_N "checking for mysql default client reconnect... $ECHO_C" >&6; } +# Use test -z because SunOS4 sh mishandles braces in ${var-val}. +# It thinks the first close brace ends the variable substitution. +test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}' - if test "$cross_compiling" = yes; then - { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling -See \`config.log' for more details." >&5 -echo "$as_me: error: cannot run test program while cross compiling -See \`config.log' for more details." >&2;} - { (exit 1); exit 1; }; } -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. 
*/ +test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}' - #include +test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' -int -main () -{ +ac_config_files="$ac_config_files snort.pc Makefile src/Makefile src/sfutil/Makefile src/control/Makefile src/detection-plugins/Makefile src/dynamic-examples/Makefile src/dynamic-examples/dynamic-preprocessor/Makefile src/dynamic-examples/dynamic-rule/Makefile src/dynamic-plugins/Makefile src/dynamic-plugins/sf_engine/Makefile src/dynamic-plugins/sf_engine/examples/Makefile src/dynamic-plugins/sf_preproc_example/Makefile src/dynamic-preprocessors/Makefile src/dynamic-preprocessors/libs/Makefile src/dynamic-preprocessors/libs/snort_preproc.pc src/dynamic-preprocessors/ftptelnet/Makefile src/dynamic-preprocessors/smtp/Makefile src/dynamic-preprocessors/ssh/Makefile src/dynamic-preprocessors/sip/Makefile src/dynamic-preprocessors/reputation/Makefile src/dynamic-preprocessors/gtp/Makefile src/dynamic-preprocessors/dcerpc2/Makefile src/dynamic-preprocessors/pop/Makefile src/dynamic-preprocessors/imap/Makefile src/dynamic-preprocessors/sdf/Makefile src/dynamic-preprocessors/dns/Makefile src/dynamic-preprocessors/ssl/Makefile src/dynamic-preprocessors/modbus/Makefile src/dynamic-preprocessors/dnp3/Makefile src/dynamic-preprocessors/rzb_saac/Makefile src/output-plugins/Makefile src/preprocessors/Makefile src/preprocessors/HttpInspect/Makefile src/preprocessors/HttpInspect/include/Makefile src/preprocessors/HttpInspect/utils/Makefile src/preprocessors/HttpInspect/anomaly_detection/Makefile src/preprocessors/HttpInspect/client/Makefile src/preprocessors/HttpInspect/event_output/Makefile src/preprocessors/HttpInspect/mode_inspection/Makefile src/preprocessors/HttpInspect/normalization/Makefile src/preprocessors/HttpInspect/server/Makefile src/preprocessors/HttpInspect/session_inspection/Makefile src/preprocessors/HttpInspect/user_interface/Makefile src/preprocessors/Stream5/Makefile src/parser/Makefile src/target-based/Makefile 
doc/Makefile contrib/Makefile rpm/Makefile preproc_rules/Makefile m4/Makefile etc/Makefile schemas/Makefile templates/Makefile tools/Makefile tools/control/Makefile tools/u2boat/Makefile tools/u2spewfoo/Makefile src/win32/Makefile" - if (mysql_get_client_version() < 50003) - return 1; +cat >confcache <<\_ACEOF +# This file is a shell script that caches the results of configure +# tests run on this system so they can be shared between configure +# scripts and configure runs, see configure's option --config-cache. +# It is not useful on other systems. If it contains results you don't +# want to keep, you may remove or edit it. +# +# config.status only pays attention to the cache file if you give it +# the --recheck option to rerun configure. +# +# `ac_cv_env_foo' variables (set or unset) will be overridden when +# loading this file, other *unset* `ac_cv_foo' will be assigned the +# following values. - ; - return 0; -} _ACEOF -rm -f conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_try") 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - mysql_default_reconnect="no" -else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - -( exit $ac_status ) -mysql_default_reconnect="yes" -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext -fi - +# The following way of writing the cache mishandles newlines in values, +# but we know of no workaround that is simple, portable, and efficient. +# So, we kill variables containing newlines. +# Ultrix sh set writes to stderr and can't be redirected directly, +# and sets the high bit in the cache file unless we assign to the vars. +( + for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do + eval ac_val=\$$ac_var + case $ac_val in #( + *${as_nl}*) + case $ac_var in #( + *_cv_*) { $as_echo "$as_me:$LINENO: WARNING: cache variable $ac_var contains a newline" >&5 +$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; + esac + case $ac_var in #( + _ | IFS | as_nl) ;; #( + BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( + *) $as_unset $ac_var ;; + esac ;; + esac + done - { echo "$as_me:$LINENO: result: $mysql_default_reconnect" >&5 -echo "${ECHO_T}$mysql_default_reconnect" >&6; } + (set) 2>&1 | + case $as_nl`(ac_space=' '; set) 2>&1` in #( + *${as_nl}ac_space=\ *) + # `set' does not quote correctly, so add quotes (double-quote + # substitution turns \\\\ into \\, and sed turns \\ into \). + sed -n \ + "s/'/'\\\\''/g; + s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" + ;; #( + *) + # `set' quotes correctly as required by POSIX, so do not add quotes. 
+ sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" + ;; + esac | + sort +) | + sed ' + /^ac_cv_env_/b end + t clear + :clear + s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/ + t end + s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/ + :end' >>confcache +if diff "$cache_file" confcache >/dev/null 2>&1; then :; else + if test -w "$cache_file"; then + test "x$cache_file" != "x/dev/null" && + { $as_echo "$as_me:$LINENO: updating cache $cache_file" >&5 +$as_echo "$as_me: updating cache $cache_file" >&6;} + cat confcache >$cache_file + else + { $as_echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5 +$as_echo "$as_me: not updating unwritable cache $cache_file" >&6;} + fi +fi +rm -f confcache - if test "x$mysql_default_reconnect" = "xno"; then - { echo "$as_me:$LINENO: checking for mysql reconnect option" >&5 -echo $ECHO_N "checking for mysql reconnect option... $ECHO_C" >&6; } +test "x$prefix" = xNONE && prefix=$ac_default_prefix +# Let make expand exec_prefix. +test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' - if test "$cross_compiling" = yes; then - { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling -See \`config.log' for more details." >&5 -echo "$as_me: error: cannot run test program while cross compiling -See \`config.log' for more details." >&2;} - { (exit 1); exit 1; }; } -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ +DEFS=-DHAVE_CONFIG_H - #include +ac_libobjs= +ac_ltlibobjs= +for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue + # 1. Remove the extension, and $U if already installed. + ac_script='s/\$U\././;s/\.o$//;s/\.obj$//' + ac_i=`$as_echo "$ac_i" | sed "$ac_script"` + # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR + # will be set to the directory where LIBOBJS objects are built. 
+ ac_libobjs="$ac_libobjs \${LIBOBJDIR}$ac_i\$U.$ac_objext" + ac_ltlibobjs="$ac_ltlibobjs \${LIBOBJDIR}$ac_i"'$U.lo' +done +LIBOBJS=$ac_libobjs -int -main () -{ +LTLIBOBJS=$ac_ltlibobjs - if (mysql_get_client_version() < 50013) - return 1; - ; - return 0; -} -_ACEOF -rm -f conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_try") 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - mysql_has_reconnect="yes" + if test -n "$EXEEXT"; then + am__EXEEXT_TRUE= + am__EXEEXT_FALSE='#' else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 + am__EXEEXT_TRUE='#' + am__EXEEXT_FALSE= +fi -( exit $ac_status ) -mysql_has_reconnect="no" +if test -z "${MAINTAINER_MODE_TRUE}" && test -z "${MAINTAINER_MODE_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"MAINTAINER_MODE\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"MAINTAINER_MODE\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${AMDEP_TRUE}" && test -z "${AMDEP_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"AMDEP\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"AMDEP\" was never defined. +Usually this means the macro was only invoked conditionally." 
>&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"am__fastdepCC\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"am__fastdepCC\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"am__fastdepCC\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"am__fastdepCC\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi + +if test -z "${BUILD_SNPRINTF_TRUE}" && test -z "${BUILD_SNPRINTF_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"BUILD_SNPRINTF\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"BUILD_SNPRINTF\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${HAVE_DYNAMIC_PLUGINS_TRUE}" && test -z "${HAVE_DYNAMIC_PLUGINS_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"HAVE_DYNAMIC_PLUGINS\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"HAVE_DYNAMIC_PLUGINS\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${SO_WITH_STATIC_LIB_TRUE}" && test -z "${SO_WITH_STATIC_LIB_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"SO_WITH_STATIC_LIB\" was never defined. +Usually this means the macro was only invoked conditionally." 
>&5 +$as_echo "$as_me: error: conditional \"SO_WITH_STATIC_LIB\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${BUILD_CONTROL_SOCKET_TRUE}" && test -z "${BUILD_CONTROL_SOCKET_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"BUILD_CONTROL_SOCKET\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"BUILD_CONTROL_SOCKET\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${BUILD_DYNAMIC_EXAMPLES_TRUE}" && test -z "${BUILD_DYNAMIC_EXAMPLES_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"BUILD_DYNAMIC_EXAMPLES\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"BUILD_DYNAMIC_EXAMPLES\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +if test -z "${HAVE_SUP_IP6_TRUE}" && test -z "${HAVE_SUP_IP6_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"HAVE_SUP_IP6\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"HAVE_SUP_IP6\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${HAVE_ZLIB_TRUE}" && test -z "${HAVE_ZLIB_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"HAVE_ZLIB\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"HAVE_ZLIB\" was never defined. +Usually this means the macro was only invoked conditionally." 
>&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${HAVE_TARGET_BASED_TRUE}" && test -z "${HAVE_TARGET_BASED_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"HAVE_TARGET_BASED\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"HAVE_TARGET_BASED\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${BUILD_PROCPIDSTATS_TRUE}" && test -z "${BUILD_PROCPIDSTATS_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"BUILD_PROCPIDSTATS\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"BUILD_PROCPIDSTATS\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${BUILD_PRELUDE_TRUE}" && test -z "${BUILD_PRELUDE_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"BUILD_PRELUDE\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"BUILD_PRELUDE\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${BUILD_REACT_TRUE}" && test -z "${BUILD_REACT_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"BUILD_REACT\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"BUILD_REACT\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${BUILD_RESPOND3_TRUE}" && test -z "${BUILD_RESPOND3_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"BUILD_RESPOND3\" was never defined. +Usually this means the macro was only invoked conditionally." 
>&5 +$as_echo "$as_me: error: conditional \"BUILD_RESPOND3\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${HAVE_INTEL_SOFT_CPM_TRUE}" && test -z "${HAVE_INTEL_SOFT_CPM_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"HAVE_INTEL_SOFT_CPM\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"HAVE_INTEL_SOFT_CPM\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${HAVE_SHARED_REP_TRUE}" && test -z "${HAVE_SHARED_REP_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"HAVE_SHARED_REP\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"HAVE_SHARED_REP\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${WANT_SF_SAAC_TRUE}" && test -z "${WANT_SF_SAAC_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"WANT_SF_SAAC\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"WANT_SF_SAAC\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } fi +: ${CONFIG_STATUS=./config.status} +ac_write_fail=0 +ac_clean_files_save=$ac_clean_files +ac_clean_files="$ac_clean_files $CONFIG_STATUS" +{ $as_echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5 +$as_echo "$as_me: creating $CONFIG_STATUS" >&6;} +cat >$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +#! $SHELL +# Generated by $as_me. +# Run this file to recreate the current configuration. +# Compiler output produced by configure, useful for debugging +# configure, is in config.log if it exists. 
- - { echo "$as_me:$LINENO: result: $mysql_has_reconnect" >&5 -echo "${ECHO_T}$mysql_has_reconnect" >&6; } - - if test "x$mysql_has_reconnect" = "xyes"; then - -cat >>confdefs.h <<\_ACEOF -#define MYSQL_HAS_OPT_RECONNECT 1 +debug=false +ac_cs_recheck=false +ac_cs_silent=false +SHELL=\${CONFIG_SHELL-$SHELL} _ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +## --------------------- ## +## M4sh Initialization. ## +## --------------------- ## - { echo "$as_me:$LINENO: checking for mysql setting of reconnect option before connect bug" >&5 -echo $ECHO_N "checking for mysql setting of reconnect option before connect bug... $ECHO_C" >&6; } - - if test "$cross_compiling" = yes; then - { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling -See \`config.log' for more details." >&5 -echo "$as_me: error: cannot run test program while cross compiling -See \`config.log' for more details." >&2;} - { (exit 1); exit 1; }; } +# Be more Bourne compatible +DUALCASE=1; export DUALCASE # for MKS sh +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then + emulate sh + NULLCMD=: + # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which + # is contrary to our usage. Disable this feature. + alias -g '${1+"$@"}'='"$@"' + setopt NO_GLOB_SUBST else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ - - #include - -int -main () -{ - - if (mysql_get_client_version() < 50019) - return 1; - - ; - return 0; -} -_ACEOF -rm -f conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; + case `(set -o) 2>/dev/null` in + *posix*) set -o posix ;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_try") 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - mysql_has_reconnect_bug="no" -else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 -( exit $ac_status ) -mysql_has_reconnect_bug="yes" -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi - { echo "$as_me:$LINENO: result: $mysql_has_reconnect_bug" >&5 -echo "${ECHO_T}$mysql_has_reconnect_bug" >&6; } - if test "x$mysql_has_reconnect_bug" = "xyes"; then - -cat >>confdefs.h <<\_ACEOF -#define MYSQL_HAS_OPT_RECONNECT_BUG 1 -_ACEOF +# PATH needs CR +# Avoid depending upon Character Ranges. +as_cr_letters='abcdefghijklmnopqrstuvwxyz' +as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' +as_cr_Letters=$as_cr_letters$as_cr_LETTERS +as_cr_digits='0123456789' +as_cr_alnum=$as_cr_Letters$as_cr_digits - fi - fi +as_nl=' +' +export as_nl +# Printing a long string crashes Solaris 7 /usr/bin/printf. 
+as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo +if (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='printf %s\n' + as_echo_n='printf %s' +else + if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then + as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' + as_echo_n='/usr/ucb/echo -n' + else + as_echo_body='eval expr "X$1" : "X\\(.*\\)"' + as_echo_n_body='eval + arg=$1; + case $arg in + *"$as_nl"*) + expr "X$arg" : "X\\(.*\\)$as_nl"; + arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; + esac; + expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" + ' + export as_echo_n_body + as_echo_n='sh -c $as_echo_n_body as_echo' fi + export as_echo_body + as_echo='sh -c $as_echo_body as_echo' fi +# The user is always right. +if test "${PATH_SEPARATOR+set}" != set; then + PATH_SEPARATOR=: + (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { + (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || + PATH_SEPARATOR=';' + } +fi -# Check whether --with-odbc was given. -if test "${with_odbc+set}" = set; then - withval=$with_odbc; with_odbc="$withval" +# Support unset when possible. +if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then + as_unset=unset else - with_odbc="no" + as_unset=false fi -if test "x$with_odbc" != "xno"; then - if test "x$with_odbc" = "xyes"; then - odbc_directory="$default_directory" - odbc_fail="yes" - elif test -d $withval; then - odbc_directory="$withval $default_directory"; - odbc_fail="yes" - elif test "x$with_odbc" = "x"; then - odbc_directory="$default_directory" - odbc_fail="no" - fi - - { echo "$as_me:$LINENO: checking \"for odbc\"" >&5 -echo $ECHO_N "checking \"for odbc\"... 
$ECHO_C" >&6; } - - for i in $odbc_directory; do - if test -r "$i/include/sql.h"; then - if test -r "$i/include/sqlext.h"; then - if test -r "$i/include/sqltypes.h"; then - ODBC_DIR="$i" - ODBC_INC_DIR="$i/include" - fi fi fi - done - - if test -z "$ODBC_DIR"; then - if test "x$odbc_fail" != "xno"; then - tmp="" - for i in $odbc_directory; do - tmp="$tmp $i/include" - done - - echo - echo - echo "**********************************************" - echo " ERROR: unable to find" "odbc headers (sql.h sqlext.h sqltypes.h)" - echo " checked in the following places" - for i in `echo $tmp`; do - echo " $i" - done - echo "**********************************************" - echo - exit 1 - - else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } - fi - else - - str="$ODBC_DIR/lib/libodbc.*" - for j in `echo $str`; do - if test -r "$j"; then - ODBC_LIB_DIR="$ODBC_DIR/lib" - ODBC_LIB="odbc" - fi - done - - - if test -z "$ODBC_LIB_DIR"; then - if test "x$odbc_fail" != "xno"; then +# IFS +# We need space, tab and new line, in precisely that order. Quoting is +# there to prevent editors from complaining about space-tab. +# (If _AS_PATH_WALK were called with IFS unset, it would disable word +# splitting by setting IFS to empty value.) +IFS=" "" $as_nl" - echo - echo - echo "**********************************************" - echo " ERROR: unable to find" "odbc library (libodbc)" - echo " checked in the following places" - for i in `echo "$ODBC_DIR/lib"`; do - echo " $i" - done - echo "**********************************************" - echo - exit 1 +# Find who we are. Look in the path if we contain no directory separator. +case $0 in + *[\\/]* ) as_myself=$0 ;; + *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break +done +IFS=$as_save_IFS - else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } - fi - else - { echo "$as_me:$LINENO: result: yes" >&5 -echo "${ECHO_T}yes" >&6; } - LDFLAGS="${LDFLAGS} -L${ODBC_LIB_DIR}" - CPPFLAGS="${CPPFLAGS} -I${ODBC_INC_DIR} -DENABLE_ODBC" - LIBS="${LIBS} -l$ODBC_LIB" - fi - fi + ;; +esac +# We did not find ourselves, most probably we were run as `sh COMMAND' +# in which case we are not to be found in the path. +if test "x$as_myself" = x; then + as_myself=$0 +fi +if test ! -f "$as_myself"; then + $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 + { (exit 1); exit 1; } fi +# Work around bugs in pre-3.0 UWIN ksh. +for as_var in ENV MAIL MAILPATH +do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var +done +PS1='$ ' +PS2='> ' +PS4='+ ' + +# NLS nuisances. +LC_ALL=C +export LC_ALL +LANGUAGE=C +export LANGUAGE -# Check whether --with-postgresql was given. -if test "${with_postgresql+set}" = set; then - withval=$with_postgresql; with_postgresql="$withval" +# Required to use basename. +if expr a : '\(a\)' >/dev/null 2>&1 && + test "X`expr 00001 : '.*\(...\)'`" = X001; then + as_expr=expr else - with_postgresql="no" + as_expr=false fi - - -# Check whether --with-pgsql_includes was given. 
-if test "${with_pgsql_includes+set}" = set; then - withval=$with_pgsql_includes; with_pgsql_includes="$withval" +if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then + as_basename=basename else - with_pgsql_includes="no" + as_basename=false fi -if test "x$with_postgresql" != "xno"; then - if test "x$with_postgresql" = "xyes"; then - postgresql_directory="$default_directory /usr/local/pgsql /usr/pgsql /usr/local" - postgresql_fail="yes" - elif test -d $withval; then - postgresql_directory="$withval $default_directory /usr/local/pgsql /usr/pgsql" - postgresql_fail="yes" - elif test "$with_postgresql" = ""; then - postgresql_directory="$default_directory /usr/local/pgsql /usr/pgsql" - postgresql_fail="no" - fi - - { echo "$as_me:$LINENO: checking for postgresql" >&5 -echo $ECHO_N "checking for postgresql... $ECHO_C" >&6; } - - if test "x$with_pgsql_includes" != "xno"; then - for i in $with_pgsql_includes $postgresql_directory; do - if test -r "$i/libpq-fe.h"; then - POSTGRESQL_INC_DIR="$i" - elif test -r "$i/include/pgsql/libpq-fe.h"; then - POSTGRESQL_INC_DIR="$i/include/pgsql" - elif test -r "$i/include/libpq-fe.h"; then - POSTGRESQL_INC_DIR="$i/include" - elif test -r "$i/include/postgresql/libpq-fe.h"; then - POSTGRESQL_INC_DIR="$i/include/postgresql" - fi - done - fi - - if test -z "$POSTGRESQL_INC_DIR"; then - for i in $postgresql_directory; do - if test -r "$i/include/pgsql/libpq-fe.h"; then - POSTGRESQL_DIR="$i" - POSTGRESQL_INC_DIR="$i/include/pgsql" - elif test -r "$i/include/libpq-fe.h"; then - POSTGRESQL_DIR="$i" - POSTGRESQL_INC_DIR="$i/include" - elif test -r "$i/include/postgresql/libpq-fe.h"; then - POSTGRESQL_DIR="$i" - POSTGRESQL_INC_DIR="$i/include/postgresql" - fi - done - fi +# Name of the executable. +as_me=`$as_basename -- "$0" || +$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ + X"$0" : 'X\(//\)$' \| \ + X"$0" : 'X\(/\)' \| . 
2>/dev/null || +$as_echo X/"$0" | + sed '/^.*\/\([^/][^/]*\)\/*$/{ + s//\1/ + q + } + /^X\/\(\/\/\)$/{ + s//\1/ + q + } + /^X\/\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` - if test -z "$POSTGRESQL_INC_DIR"; then - if test "x$postgresql_fail" != "xno"; then - tmp="" - if test "x$with_pgsql_includes" != "xno"; then - tmp="$tmp $with_pgsql_includes" - fi - for i in $postgresql_directory; do - tmp="$tmp $i/include $i/include/pgsql" - done +# CDPATH. +$as_unset CDPATH - echo - echo - echo "**********************************************" - echo " ERROR: unable to find" "postgresql header file (libpq-fe.h)" - echo " checked in the following places" - for i in `echo $tmp`; do - echo " $i" - done - echo "**********************************************" - echo - exit 1 - else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } - fi - fi - if test -z "$POSTGRESQL_DIR"; then - for dir in $postgresql_directory; do - for i in "lib" "lib/pgsql"; do - str="$dir/$i/libpq.*" - for j in `echo $str`; do - if test -r $j; then - POSTGRESQL_LIB_DIR="$dir/$i" - break 2 - fi - done - done - done - else - POSTGRESQL_LIB_DIR="$POSTGRESQL_DIR/lib" - fi + as_lineno_1=$LINENO + as_lineno_2=$LINENO + test "x$as_lineno_1" != "x$as_lineno_2" && + test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || { - if test -z "$POSTGRESQL_LIB_DIR"; then - if test "$postgresql_fail" != "no"; then + # Create $as_me.lineno as a copy of $as_myself, but with $LINENO + # uniformly replaced by the line number. The first 'sed' inserts a + # line-number line after each line using $LINENO; the second 'sed' + # does the real work. The second script uses 'N' to pair each + # line-number line with the line containing $LINENO, and appends + # trailing '-' during substitution so that $LINENO is not a special + # case at line end. + # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the + # scripts with optimization help from Paolo Bonzini. Blame Lee + # E. McMahon (1931-1989) for sed's syntax. 
:-) + sed -n ' + p + /[$]LINENO/= + ' <$as_myself | + sed ' + s/[$]LINENO.*/&-/ + t lineno + b + :lineno + N + :loop + s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ + t loop + s/-\n.*// + ' >$as_me.lineno && + chmod +x "$as_me.lineno" || + { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2 + { (exit 1); exit 1; }; } - echo - echo - echo "**********************************************" - echo " ERROR: unable to find" "postgresql library libpq" - echo " checked in the following places" - for i in `echo "$POSTGRESQL_DIR/lib $POSTGRESQL_DIR/lib/pgsql"`; do - echo " $i" - done - echo "**********************************************" - echo - exit 1 + # Don't try to exec as it changes $[0], causing all sort of problems + # (the dirname of $[0] is not the place where we might find the + # original and so on. Autoconf is especially sensitive to this). + . "./$as_me.lineno" + # Exit status is that of the last command. + exit +} - else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; }; - fi - else - { echo "$as_me:$LINENO: result: yes" >&5 -echo "${ECHO_T}yes" >&6; } - LDFLAGS="${LDFLAGS} -L${POSTGRESQL_LIB_DIR}" - CPPFLAGS="${CPPFLAGS} -I${POSTGRESQL_INC_DIR} -DENABLE_POSTGRESQL" -{ echo "$as_me:$LINENO: checking for PQexec in -lpq" >&5 -echo $ECHO_N "checking for PQexec in -lpq... $ECHO_C" >&6; } -if test "${ac_cv_lib_pq_PQexec+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 +if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then + as_dirname=dirname else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lpq $LIBS" -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ + as_dirname=false +fi -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. 
*/ -#ifdef __cplusplus -extern "C" -#endif -char PQexec (); -int -main () -{ -return PQexec (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; +ECHO_C= ECHO_N= ECHO_T= +case `echo -n x` in +-n*) + case `echo 'x\c'` in + *c*) ECHO_T=' ';; # ECHO_T is single tab character. + *) ECHO_C='\c';; + esac;; +*) + ECHO_N='-n';; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_lib_pq_PQexec=yes +if expr a : '\(a\)' >/dev/null 2>&1 && + test "X`expr 00001 : '.*\(...\)'`" = X001; then + as_expr=expr else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_cv_lib_pq_PQexec=no -fi - -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS + as_expr=false fi -{ echo "$as_me:$LINENO: result: $ac_cv_lib_pq_PQexec" >&5 -echo "${ECHO_T}$ac_cv_lib_pq_PQexec" >&6; } -if test $ac_cv_lib_pq_PQexec = yes; then - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBPQ 1 -_ACEOF - - LIBS="-lpq $LIBS" +rm -f conf$$ conf$$.exe conf$$.file +if test -d conf$$.dir; then + rm -f conf$$.dir/conf$$.file else - PQLIB="no" + rm -f conf$$.dir + mkdir conf$$.dir 2>/dev/null fi - - if test "x$PQLIB" != "xno"; then - LIBS="${LIBS} -lpq" - else - echo - echo " ERROR! libpq (postgresql) not found!" - echo - exit 1 - fi +if (echo >conf$$.file) 2>/dev/null; then + if ln -s conf$$.file conf$$ 2>/dev/null; then + as_ln_s='ln -s' + # ... 
but there are two gotchas: + # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. + # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. + # In both cases, we have to default to `cp -p'. + ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || + as_ln_s='cp -p' + elif ln conf$$.file conf$$ 2>/dev/null; then + as_ln_s=ln + else + as_ln_s='cp -p' fi +else + as_ln_s='cp -p' fi +rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file +rmdir conf$$.dir 2>/dev/null - -# Check whether --with-oracle was given. -if test "${with_oracle+set}" = set; then - withval=$with_oracle; with_oracle="$withval" +if mkdir -p . 2>/dev/null; then + as_mkdir_p=: else - with_oracle="no" + test -d ./-p && rmdir ./-p + as_mkdir_p=false fi - -if test "x$with_oracle" != "xno"; then - if test "x$with_oracle" = "xyes"; then - oracle_directory="$default_directory ${ORACLE_HOME}" - oracle_fail="yes" - elif test -d $withval; then - oracle_directory="$withval $default_directory ${ORACLE_HOME}" - oracle_fail="yes" - elif test "x$with_oracle" = "x"; then - oracle_directory="$default_directory ${ORACLE_HOME}" - oracle_fail="no" +if test -x / >/dev/null 2>&1; then + as_test_x='test -x' +else + if ls -dL / >/dev/null 2>&1; then + as_ls_L_option=L + else + as_ls_L_option= fi + as_test_x=' + eval sh -c '\'' + if test -d "$1"; then + test -d "$1/."; + else + case $1 in + -*)set "./$1";; + esac; + case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in + ???[sx]*):;;*)false;;esac;fi + '\'' sh + ' +fi +as_executable_p=$as_test_x - { echo "$as_me:$LINENO: checking for oracle" >&5 -echo $ECHO_N "checking for oracle... $ECHO_C" >&6; } +# Sed expression to map a string onto a valid CPP name. +as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" - for i in $oracle_directory; do - if test -r "$i/rdbms/demo/oci.h"; then - ORACLE_DIR="$i" - fi - done +# Sed expression to map a string onto a valid variable name. 
+as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" - if test -z "$ORACLE_DIR"; then - if test "x$oracle_fail" != "xno"; then - tmp="" - for i in $oracle_directory; do - tmp="$tmp $i/rdbms/demo" - done - echo - echo - echo "**********************************************" - echo " ERROR: unable to find" "OCI header file (oci.h)" - echo " checked in the following places" - for i in `echo $tmp`; do - echo " $i" - done - echo "**********************************************" - echo - exit 1 +exec 6>&1 - else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } - fi - else - for i in "rdbms/demo" "rdbms/public" "network/public"; do - ORACLE_CPP_FLAGS="$ORACLE_CPP_FLAGS -I$ORACLE_DIR/$i" - done - ORACLE_LIB_DIR="$ORACLE_DIR/lib" - { echo "$as_me:$LINENO: result: yes" >&5 -echo "${ECHO_T}yes" >&6; } +# Save the log message, to keep $[0] and so on meaningful, and to +# report actual input values of CONFIG_FILES etc. instead of their +# values after options handling. +ac_log=" +This file was extended by $as_me, which was +generated by GNU Autoconf 2.63. Invocation command line was - LDFLAGS="${LDFLAGS} -L${ORACLE_LIB_DIR}" - CPPFLAGS="${CPPFLAGS} ${ORACLE_CPP_FLAGS} -DENABLE_ORACLE" + CONFIG_FILES = $CONFIG_FILES + CONFIG_HEADERS = $CONFIG_HEADERS + CONFIG_LINKS = $CONFIG_LINKS + CONFIG_COMMANDS = $CONFIG_COMMANDS + $ $0 $@ - ORACLE_LIBS="-lclntsh" - if test -r "$ORACLE_LIB_DIR/libwtc9.so"; then - ORACLE_LIBS="${ORACLE_LIBS} -lwtc9" - elif test -r "$ORACLE_LIB_DIR/libwtc8.so"; then - ORACLE_LIBS="${ORACLE_LIBS} -lwtc8" - fi - LIBS="${LIBS} ${ORACLE_LIBS}" - fi -fi +on `(hostname || uname -n) 2>/dev/null | sed 1q` +" -# Check whether --enable-aruba was given. 
-if test "${enable_aruba+set}" = set; then - enableval=$enable_aruba; enable_aruba="$enableval" -else - enable_aruba="no" -fi +_ACEOF -if test "x$enable_aruba" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DARUBA" -fi +case $ac_config_files in *" +"*) set x $ac_config_files; shift; ac_config_files=$*;; +esac -# Check whether --enable-react was given. -if test "${enable_react+set}" = set; then - enableval=$enable_react; enable_react="$enableval" -else - enable_react="no" -fi +case $ac_config_headers in *" +"*) set x $ac_config_headers; shift; ac_config_headers=$*;; +esac -if test "x$enable_react" = "xyes"; then - CPPFLAGS="${CPPFLAGS} -DENABLE_REACT" -fi -# Check whether --enable-flexresp was given. -if test "${enable_flexresp+set}" = set; then - enableval=$enable_flexresp; enable_flexresp="$enableval" -else - enable_flexresp="no" -fi +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +# Files that config.status was made for. +config_files="$ac_config_files" +config_headers="$ac_config_headers" +config_commands="$ac_config_commands" -if test "x$enable_flexresp" = "xyes"; then - CPPFLAGS="${CPPFLAGS} -DENABLE_RESPOND -DENABLE_RESPONSE" -fi +_ACEOF -# Check whether --enable-flexresp2 was given. -if test "${enable_flexresp2+set}" = set; then - enableval=$enable_flexresp2; enable_flexresp2="$enableval" -else - enable_flexresp2="no" -fi +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +ac_cs_usage="\ +\`$as_me' instantiates files from templates according to the +current configuration. -if test "x$enable_flexresp2" = "xyes"; then - CPPFLAGS="${CPPFLAGS} -DENABLE_RESPOND -DENABLE_RESPONSE2 `dnet-config --cflags`" - # this will probably add a redundant path and lib (eg, -ldnet is added - # to LIBS by AC_CHECK_LIB() below) but w/o this AC_CHECK_LIB() will - # fail if dnet isn't in a standard place. of course, if dnet isn't - # installed at all, dnet-config will fail, but we won't know that - # until we get around to calling AC_CHECK_LIB(). same story with - # libnet and pcre. 
- LDFLAGS="${LDFLAGS} `dnet-config --libs`" -fi +Usage: $0 [OPTION]... [FILE]... -# test for invalid configurations here after all AC_ARG_ENABLEs + -h, --help print this help, then exit + -V, --version print version number and configuration settings, then exit + -q, --quiet, --silent + do not print progress messages + -d, --debug don't remove temporary files + --recheck update $as_me by reconfiguring in the same conditions + --file=FILE[:TEMPLATE] + instantiate the configuration file FILE + --header=FILE[:TEMPLATE] + instantiate the configuration header FILE -if test "x$enable_flexresp" = "xyes" -a "x$enable_flexresp2" = "xyes"; then - echo - echo " ERROR! --enable-flexresp cannot be used with --enable-flexresp2" - exit -fi +Configuration files: +$config_files -if test "x$enable_flexresp" = "xyes" -o "x$enable_react" = "xyes"; then - if test `libnet-config --cflags | wc -c` = "1"; then - CPPFLAGS="${CPPFLAGS} -I/usr/local/include -I/sw/include" - LIBNET_CONFIG_BROKEN_CFLAGS="yes" - else - CPPFLAGS="${CPPFLAGS} `libnet-config --cflags`" - fi - CPPFLAGS="${CPPFLAGS} `libnet-config --defines`" - LDFLAGS="${LDFLAGS} `libnet-config --libs`" +Configuration headers: +$config_headers - if test `libnet-config --libs | wc -c` = "1"; then - { echo "$as_me:$LINENO: WARNING: libnet-config --libs is broken on your system. If you" >&5 -echo "$as_me: WARNING: libnet-config --libs is broken on your system. If you" >&2;} - { echo "$as_me:$LINENO: WARNING: are using a precompiled package please notify the" >&5 -echo "$as_me: WARNING: are using a precompiled package please notify the" >&2;} - { echo "$as_me:$LINENO: WARNING: maintainer." >&5 -echo "$as_me: WARNING: maintainer." >&2;} - LDFLAGS="${LDFLAGS} -L/usr/local/lib -L/sw/lib" - LIBS="${LIBS} -lnet" - fi +Configuration commands: +$config_commands - LNET="" +Report bugs to ." 
-for ac_header in libnet.h -do -as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then - { echo "$as_me:$LINENO: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } -if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -fi -ac_res=`eval echo '${'$as_ac_Header'}'` - { echo "$as_me:$LINENO: result: $ac_res" >&5 -echo "${ECHO_T}$ac_res" >&6; } -else - # Is the header compilable? -{ echo "$as_me:$LINENO: checking $ac_header usability" >&5 -echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; } -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -$ac_includes_default -#include <$ac_header> _ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_header_compiler=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_header_compiler=no -fi +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +ac_cs_version="\\ +config.status +configured by $0, generated by GNU Autoconf 2.63, + with options \\"`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\" -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 -echo "${ECHO_T}$ac_header_compiler" >&6; } +Copyright (C) 2008 Free Software Foundation, Inc. 
+This config.status script is free software; the Free Software Foundation +gives unlimited permission to copy, distribute and modify it." -# Is the header present? -{ echo "$as_me:$LINENO: checking $ac_header presence" >&5 -echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; } -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -#include <$ac_header> +ac_pwd='$ac_pwd' +srcdir='$srcdir' +INSTALL='$INSTALL' +MKDIR_P='$MKDIR_P' +AWK='$AWK' +test -n "\$AWK" || AWK=awk _ACEOF -if { (ac_try="$ac_cpp conftest.$ac_ext" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null && { - test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || - test ! -s conftest.err - }; then - ac_header_preproc=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - ac_header_preproc=no -fi +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +# The default lists apply if the user does not specify any file. +ac_need_defaults=: +while test $# != 0 +do + case $1 in + --*=*) + ac_option=`expr "X$1" : 'X\([^=]*\)='` + ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'` + ac_shift=: + ;; + *) + ac_option=$1 + ac_optarg=$2 + ac_shift=shift + ;; + esac + + case $ac_option in + # Handling of the options. 
+ -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) + ac_cs_recheck=: ;; + --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) + $as_echo "$ac_cs_version"; exit ;; + --debug | --debu | --deb | --de | --d | -d ) + debug=: ;; + --file | --fil | --fi | --f ) + $ac_shift + case $ac_optarg in + *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; + esac + CONFIG_FILES="$CONFIG_FILES '$ac_optarg'" + ac_need_defaults=false;; + --header | --heade | --head | --hea ) + $ac_shift + case $ac_optarg in + *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; + esac + CONFIG_HEADERS="$CONFIG_HEADERS '$ac_optarg'" + ac_need_defaults=false;; + --he | --h) + # Conflict between --help and --header + { $as_echo "$as_me: error: ambiguous option: $1 +Try \`$0 --help' for more information." >&2 + { (exit 1); exit 1; }; };; + --help | --hel | -h ) + $as_echo "$ac_cs_usage"; exit ;; + -q | -quiet | --quiet | --quie | --qui | --qu | --q \ + | -silent | --silent | --silen | --sile | --sil | --si | --s) + ac_cs_silent=: ;; + + # This is an error. + -*) { $as_echo "$as_me: error: unrecognized option: $1 +Try \`$0 --help' for more information." >&2 + { (exit 1); exit 1; }; } ;; -rm -f conftest.err conftest.$ac_ext -{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 -echo "${ECHO_T}$ac_header_preproc" >&6; } + *) ac_config_targets="$ac_config_targets $1" + ac_need_defaults=false ;; -# So? What about this header? -case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in - yes:no: ) - { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 -echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" 
>&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} - ac_header_preproc=yes - ;; - no:yes:* ) - { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 -echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 -echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 -echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 -echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 -echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} + esac + shift +done - ;; -esac -{ echo "$as_me:$LINENO: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... 
$ECHO_C" >&6; } -if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - eval "$as_ac_Header=\$ac_header_preproc" -fi -ac_res=`eval echo '${'$as_ac_Header'}'` - { echo "$as_me:$LINENO: result: $ac_res" >&5 -echo "${ECHO_T}$ac_res" >&6; } +ac_configure_extra_args= +if $ac_cs_silent; then + exec 6>/dev/null + ac_configure_extra_args="$ac_configure_extra_args --silent" fi -if test `eval echo '${'$as_ac_Header'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 -_ACEOF -else - LNET="no" +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +if \$ac_cs_recheck; then + set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion + shift + \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 + CONFIG_SHELL='$SHELL' + export CONFIG_SHELL + exec "\$@" fi -done - - if test "x$LNET" = "xno"; then - echo - echo " ERROR! Libnet header not found, go get it from" - echo " http://www.packetfactory.net/projects/libnet/" - echo " or use the --with-libnet-* options, if you have it installed" - echo " in unusual place" - exit 1 - fi - - { echo "$as_me:$LINENO: checking for libnet version 1.0.2a" >&5 -echo $ECHO_N "checking for libnet version 1.0.2a... $ECHO_C" >&6; } - if test "x${LIBNET_CONFIG_BROKEN_CFLAGS}" = "xyes"; then - if test -n "$with_libnet_includes" -a "x$with_libnet_includes" != "xno"; then - libnet_dir="${with_libnet_includes}" - else - libnet_dir="/usr/include /usr/local/include /sw/include" - fi - else - libnet_dir=`libnet-config --cflags | cut -dI -f2` - fi - - LIBNET_INC_DIR="" - for i in $libnet_dir; do - if test -r "$i/libnet.h"; then - LIBNET_INC_DIR="$i" - fi - done - - if test "x$LIBNET_INC_DIR" != "x"; then - if eval "grep LIBNET_VERSION $LIBNET_INC_DIR/libnet.h | grep -v 1.0.2a >/dev/null"; then - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } - echo - echo " ERROR! 
Snort with --enable-flexresp will *only* work with" - echo " libnet version 1.0.2a, go get it from" - echo " http://www.packetfactory.net/projects/libnet/" - - echo - echo - echo "**********************************************" - echo " ERROR: unable to find" "libnet 1.0.2a (libnet.h)" - echo " checked in the following places" - for i in `echo $LIBNET_INC_DIR`; do - echo " $i" - done - echo "**********************************************" - echo - exit 1 +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +exec 5>>config.log +{ + echo + sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX +## Running $as_me. ## +_ASBOX + $as_echo "$ac_log" +} >&5 - fi - { echo "$as_me:$LINENO: result: yes" >&5 -echo "${ECHO_T}yes" >&6; } - else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +# +# INIT-COMMANDS +# +AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir" - echo - echo - echo "**********************************************" - echo " ERROR: unable to find" "libnet 1.0.2a (libnet.h)" - echo " checked in the following places" - for i in `echo $libnet_dir`; do - echo " $i" - done - echo "**********************************************" - echo - exit 1 - fi +# The HP-UX ksh and POSIX shell print the target directory to stdout +# if CDPATH is set. 
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH - LNET="" +sed_quote_subst='$sed_quote_subst' +double_quote_subst='$double_quote_subst' +delay_variable_subst='$delay_variable_subst' +macro_version='`$ECHO "X$macro_version" | $Xsed -e "$delay_single_quote_subst"`' +macro_revision='`$ECHO "X$macro_revision" | $Xsed -e "$delay_single_quote_subst"`' +enable_shared='`$ECHO "X$enable_shared" | $Xsed -e "$delay_single_quote_subst"`' +enable_static='`$ECHO "X$enable_static" | $Xsed -e "$delay_single_quote_subst"`' +pic_mode='`$ECHO "X$pic_mode" | $Xsed -e "$delay_single_quote_subst"`' +enable_fast_install='`$ECHO "X$enable_fast_install" | $Xsed -e "$delay_single_quote_subst"`' +host_alias='`$ECHO "X$host_alias" | $Xsed -e "$delay_single_quote_subst"`' +host='`$ECHO "X$host" | $Xsed -e "$delay_single_quote_subst"`' +host_os='`$ECHO "X$host_os" | $Xsed -e "$delay_single_quote_subst"`' +build_alias='`$ECHO "X$build_alias" | $Xsed -e "$delay_single_quote_subst"`' +build='`$ECHO "X$build" | $Xsed -e "$delay_single_quote_subst"`' +build_os='`$ECHO "X$build_os" | $Xsed -e "$delay_single_quote_subst"`' +SED='`$ECHO "X$SED" | $Xsed -e "$delay_single_quote_subst"`' +Xsed='`$ECHO "X$Xsed" | $Xsed -e "$delay_single_quote_subst"`' +GREP='`$ECHO "X$GREP" | $Xsed -e "$delay_single_quote_subst"`' +EGREP='`$ECHO "X$EGREP" | $Xsed -e "$delay_single_quote_subst"`' +FGREP='`$ECHO "X$FGREP" | $Xsed -e "$delay_single_quote_subst"`' +LD='`$ECHO "X$LD" | $Xsed -e "$delay_single_quote_subst"`' +NM='`$ECHO "X$NM" | $Xsed -e "$delay_single_quote_subst"`' +LN_S='`$ECHO "X$LN_S" | $Xsed -e "$delay_single_quote_subst"`' +max_cmd_len='`$ECHO "X$max_cmd_len" | $Xsed -e "$delay_single_quote_subst"`' +ac_objext='`$ECHO "X$ac_objext" | $Xsed -e "$delay_single_quote_subst"`' +exeext='`$ECHO "X$exeext" | $Xsed -e "$delay_single_quote_subst"`' +lt_unset='`$ECHO "X$lt_unset" | $Xsed -e "$delay_single_quote_subst"`' +lt_SP2NL='`$ECHO "X$lt_SP2NL" | $Xsed -e "$delay_single_quote_subst"`' +lt_NL2SP='`$ECHO 
"X$lt_NL2SP" | $Xsed -e "$delay_single_quote_subst"`' +reload_flag='`$ECHO "X$reload_flag" | $Xsed -e "$delay_single_quote_subst"`' +reload_cmds='`$ECHO "X$reload_cmds" | $Xsed -e "$delay_single_quote_subst"`' +OBJDUMP='`$ECHO "X$OBJDUMP" | $Xsed -e "$delay_single_quote_subst"`' +deplibs_check_method='`$ECHO "X$deplibs_check_method" | $Xsed -e "$delay_single_quote_subst"`' +file_magic_cmd='`$ECHO "X$file_magic_cmd" | $Xsed -e "$delay_single_quote_subst"`' +AR='`$ECHO "X$AR" | $Xsed -e "$delay_single_quote_subst"`' +AR_FLAGS='`$ECHO "X$AR_FLAGS" | $Xsed -e "$delay_single_quote_subst"`' +STRIP='`$ECHO "X$STRIP" | $Xsed -e "$delay_single_quote_subst"`' +RANLIB='`$ECHO "X$RANLIB" | $Xsed -e "$delay_single_quote_subst"`' +old_postinstall_cmds='`$ECHO "X$old_postinstall_cmds" | $Xsed -e "$delay_single_quote_subst"`' +old_postuninstall_cmds='`$ECHO "X$old_postuninstall_cmds" | $Xsed -e "$delay_single_quote_subst"`' +old_archive_cmds='`$ECHO "X$old_archive_cmds" | $Xsed -e "$delay_single_quote_subst"`' +CC='`$ECHO "X$CC" | $Xsed -e "$delay_single_quote_subst"`' +CFLAGS='`$ECHO "X$CFLAGS" | $Xsed -e "$delay_single_quote_subst"`' +compiler='`$ECHO "X$compiler" | $Xsed -e "$delay_single_quote_subst"`' +GCC='`$ECHO "X$GCC" | $Xsed -e "$delay_single_quote_subst"`' +lt_cv_sys_global_symbol_pipe='`$ECHO "X$lt_cv_sys_global_symbol_pipe" | $Xsed -e "$delay_single_quote_subst"`' +lt_cv_sys_global_symbol_to_cdecl='`$ECHO "X$lt_cv_sys_global_symbol_to_cdecl" | $Xsed -e "$delay_single_quote_subst"`' +lt_cv_sys_global_symbol_to_c_name_address='`$ECHO "X$lt_cv_sys_global_symbol_to_c_name_address" | $Xsed -e "$delay_single_quote_subst"`' +lt_cv_sys_global_symbol_to_c_name_address_lib_prefix='`$ECHO "X$lt_cv_sys_global_symbol_to_c_name_address_lib_prefix" | $Xsed -e "$delay_single_quote_subst"`' +objdir='`$ECHO "X$objdir" | $Xsed -e "$delay_single_quote_subst"`' +SHELL='`$ECHO "X$SHELL" | $Xsed -e "$delay_single_quote_subst"`' +ECHO='`$ECHO "X$ECHO" | $Xsed -e "$delay_single_quote_subst"`' 
+MAGIC_CMD='`$ECHO "X$MAGIC_CMD" | $Xsed -e "$delay_single_quote_subst"`' +lt_prog_compiler_no_builtin_flag='`$ECHO "X$lt_prog_compiler_no_builtin_flag" | $Xsed -e "$delay_single_quote_subst"`' +lt_prog_compiler_wl='`$ECHO "X$lt_prog_compiler_wl" | $Xsed -e "$delay_single_quote_subst"`' +lt_prog_compiler_pic='`$ECHO "X$lt_prog_compiler_pic" | $Xsed -e "$delay_single_quote_subst"`' +lt_prog_compiler_static='`$ECHO "X$lt_prog_compiler_static" | $Xsed -e "$delay_single_quote_subst"`' +lt_cv_prog_compiler_c_o='`$ECHO "X$lt_cv_prog_compiler_c_o" | $Xsed -e "$delay_single_quote_subst"`' +need_locks='`$ECHO "X$need_locks" | $Xsed -e "$delay_single_quote_subst"`' +DSYMUTIL='`$ECHO "X$DSYMUTIL" | $Xsed -e "$delay_single_quote_subst"`' +NMEDIT='`$ECHO "X$NMEDIT" | $Xsed -e "$delay_single_quote_subst"`' +LIPO='`$ECHO "X$LIPO" | $Xsed -e "$delay_single_quote_subst"`' +OTOOL='`$ECHO "X$OTOOL" | $Xsed -e "$delay_single_quote_subst"`' +OTOOL64='`$ECHO "X$OTOOL64" | $Xsed -e "$delay_single_quote_subst"`' +libext='`$ECHO "X$libext" | $Xsed -e "$delay_single_quote_subst"`' +shrext_cmds='`$ECHO "X$shrext_cmds" | $Xsed -e "$delay_single_quote_subst"`' +extract_expsyms_cmds='`$ECHO "X$extract_expsyms_cmds" | $Xsed -e "$delay_single_quote_subst"`' +archive_cmds_need_lc='`$ECHO "X$archive_cmds_need_lc" | $Xsed -e "$delay_single_quote_subst"`' +enable_shared_with_static_runtimes='`$ECHO "X$enable_shared_with_static_runtimes" | $Xsed -e "$delay_single_quote_subst"`' +export_dynamic_flag_spec='`$ECHO "X$export_dynamic_flag_spec" | $Xsed -e "$delay_single_quote_subst"`' +whole_archive_flag_spec='`$ECHO "X$whole_archive_flag_spec" | $Xsed -e "$delay_single_quote_subst"`' +compiler_needs_object='`$ECHO "X$compiler_needs_object" | $Xsed -e "$delay_single_quote_subst"`' +old_archive_from_new_cmds='`$ECHO "X$old_archive_from_new_cmds" | $Xsed -e "$delay_single_quote_subst"`' +old_archive_from_expsyms_cmds='`$ECHO "X$old_archive_from_expsyms_cmds" | $Xsed -e "$delay_single_quote_subst"`' 
+archive_cmds='`$ECHO "X$archive_cmds" | $Xsed -e "$delay_single_quote_subst"`' +archive_expsym_cmds='`$ECHO "X$archive_expsym_cmds" | $Xsed -e "$delay_single_quote_subst"`' +module_cmds='`$ECHO "X$module_cmds" | $Xsed -e "$delay_single_quote_subst"`' +module_expsym_cmds='`$ECHO "X$module_expsym_cmds" | $Xsed -e "$delay_single_quote_subst"`' +with_gnu_ld='`$ECHO "X$with_gnu_ld" | $Xsed -e "$delay_single_quote_subst"`' +allow_undefined_flag='`$ECHO "X$allow_undefined_flag" | $Xsed -e "$delay_single_quote_subst"`' +no_undefined_flag='`$ECHO "X$no_undefined_flag" | $Xsed -e "$delay_single_quote_subst"`' +hardcode_libdir_flag_spec='`$ECHO "X$hardcode_libdir_flag_spec" | $Xsed -e "$delay_single_quote_subst"`' +hardcode_libdir_flag_spec_ld='`$ECHO "X$hardcode_libdir_flag_spec_ld" | $Xsed -e "$delay_single_quote_subst"`' +hardcode_libdir_separator='`$ECHO "X$hardcode_libdir_separator" | $Xsed -e "$delay_single_quote_subst"`' +hardcode_direct='`$ECHO "X$hardcode_direct" | $Xsed -e "$delay_single_quote_subst"`' +hardcode_direct_absolute='`$ECHO "X$hardcode_direct_absolute" | $Xsed -e "$delay_single_quote_subst"`' +hardcode_minus_L='`$ECHO "X$hardcode_minus_L" | $Xsed -e "$delay_single_quote_subst"`' +hardcode_shlibpath_var='`$ECHO "X$hardcode_shlibpath_var" | $Xsed -e "$delay_single_quote_subst"`' +hardcode_automatic='`$ECHO "X$hardcode_automatic" | $Xsed -e "$delay_single_quote_subst"`' +inherit_rpath='`$ECHO "X$inherit_rpath" | $Xsed -e "$delay_single_quote_subst"`' +link_all_deplibs='`$ECHO "X$link_all_deplibs" | $Xsed -e "$delay_single_quote_subst"`' +fix_srcfile_path='`$ECHO "X$fix_srcfile_path" | $Xsed -e "$delay_single_quote_subst"`' +always_export_symbols='`$ECHO "X$always_export_symbols" | $Xsed -e "$delay_single_quote_subst"`' +export_symbols_cmds='`$ECHO "X$export_symbols_cmds" | $Xsed -e "$delay_single_quote_subst"`' +exclude_expsyms='`$ECHO "X$exclude_expsyms" | $Xsed -e "$delay_single_quote_subst"`' +include_expsyms='`$ECHO "X$include_expsyms" | $Xsed -e 
"$delay_single_quote_subst"`' +prelink_cmds='`$ECHO "X$prelink_cmds" | $Xsed -e "$delay_single_quote_subst"`' +file_list_spec='`$ECHO "X$file_list_spec" | $Xsed -e "$delay_single_quote_subst"`' +variables_saved_for_relink='`$ECHO "X$variables_saved_for_relink" | $Xsed -e "$delay_single_quote_subst"`' +need_lib_prefix='`$ECHO "X$need_lib_prefix" | $Xsed -e "$delay_single_quote_subst"`' +need_version='`$ECHO "X$need_version" | $Xsed -e "$delay_single_quote_subst"`' +version_type='`$ECHO "X$version_type" | $Xsed -e "$delay_single_quote_subst"`' +runpath_var='`$ECHO "X$runpath_var" | $Xsed -e "$delay_single_quote_subst"`' +shlibpath_var='`$ECHO "X$shlibpath_var" | $Xsed -e "$delay_single_quote_subst"`' +shlibpath_overrides_runpath='`$ECHO "X$shlibpath_overrides_runpath" | $Xsed -e "$delay_single_quote_subst"`' +libname_spec='`$ECHO "X$libname_spec" | $Xsed -e "$delay_single_quote_subst"`' +library_names_spec='`$ECHO "X$library_names_spec" | $Xsed -e "$delay_single_quote_subst"`' +soname_spec='`$ECHO "X$soname_spec" | $Xsed -e "$delay_single_quote_subst"`' +postinstall_cmds='`$ECHO "X$postinstall_cmds" | $Xsed -e "$delay_single_quote_subst"`' +postuninstall_cmds='`$ECHO "X$postuninstall_cmds" | $Xsed -e "$delay_single_quote_subst"`' +finish_cmds='`$ECHO "X$finish_cmds" | $Xsed -e "$delay_single_quote_subst"`' +finish_eval='`$ECHO "X$finish_eval" | $Xsed -e "$delay_single_quote_subst"`' +hardcode_into_libs='`$ECHO "X$hardcode_into_libs" | $Xsed -e "$delay_single_quote_subst"`' +sys_lib_search_path_spec='`$ECHO "X$sys_lib_search_path_spec" | $Xsed -e "$delay_single_quote_subst"`' +sys_lib_dlsearch_path_spec='`$ECHO "X$sys_lib_dlsearch_path_spec" | $Xsed -e "$delay_single_quote_subst"`' +hardcode_action='`$ECHO "X$hardcode_action" | $Xsed -e "$delay_single_quote_subst"`' +enable_dlopen='`$ECHO "X$enable_dlopen" | $Xsed -e "$delay_single_quote_subst"`' +enable_dlopen_self='`$ECHO "X$enable_dlopen_self" | $Xsed -e "$delay_single_quote_subst"`' 
+enable_dlopen_self_static='`$ECHO "X$enable_dlopen_self_static" | $Xsed -e "$delay_single_quote_subst"`' +old_striplib='`$ECHO "X$old_striplib" | $Xsed -e "$delay_single_quote_subst"`' +striplib='`$ECHO "X$striplib" | $Xsed -e "$delay_single_quote_subst"`' + +LTCC='$LTCC' +LTCFLAGS='$LTCFLAGS' +compiler='$compiler_DEFAULT' + +# Quote evaled strings. +for var in SED \ +GREP \ +EGREP \ +FGREP \ +LD \ +NM \ +LN_S \ +lt_SP2NL \ +lt_NL2SP \ +reload_flag \ +OBJDUMP \ +deplibs_check_method \ +file_magic_cmd \ +AR \ +AR_FLAGS \ +STRIP \ +RANLIB \ +CC \ +CFLAGS \ +compiler \ +lt_cv_sys_global_symbol_pipe \ +lt_cv_sys_global_symbol_to_cdecl \ +lt_cv_sys_global_symbol_to_c_name_address \ +lt_cv_sys_global_symbol_to_c_name_address_lib_prefix \ +SHELL \ +ECHO \ +lt_prog_compiler_no_builtin_flag \ +lt_prog_compiler_wl \ +lt_prog_compiler_pic \ +lt_prog_compiler_static \ +lt_cv_prog_compiler_c_o \ +need_locks \ +DSYMUTIL \ +NMEDIT \ +LIPO \ +OTOOL \ +OTOOL64 \ +shrext_cmds \ +export_dynamic_flag_spec \ +whole_archive_flag_spec \ +compiler_needs_object \ +with_gnu_ld \ +allow_undefined_flag \ +no_undefined_flag \ +hardcode_libdir_flag_spec \ +hardcode_libdir_flag_spec_ld \ +hardcode_libdir_separator \ +fix_srcfile_path \ +exclude_expsyms \ +include_expsyms \ +file_list_spec \ +variables_saved_for_relink \ +libname_spec \ +library_names_spec \ +soname_spec \ +finish_eval \ +old_striplib \ +striplib; do + case \`eval \\\\\$ECHO "X\\\\\$\$var"\` in + *[\\\\\\\`\\"\\\$]*) + eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"X\\\$\$var\\" | \\\$Xsed -e \\"\\\$sed_quote_subst\\"\\\`\\\\\\"" + ;; + *) + eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\"" + ;; + esac +done -{ echo "$as_me:$LINENO: checking for libnet_build_ip in -lnet" >&5 -echo $ECHO_N "checking for libnet_build_ip in -lnet... $ECHO_C" >&6; } -if test "${ac_cv_lib_net_libnet_build_ip+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lnet $LIBS" -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. 
*/ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ +# Double-quote double-evaled strings. +for var in reload_cmds \ +old_postinstall_cmds \ +old_postuninstall_cmds \ +old_archive_cmds \ +extract_expsyms_cmds \ +old_archive_from_new_cmds \ +old_archive_from_expsyms_cmds \ +archive_cmds \ +archive_expsym_cmds \ +module_cmds \ +module_expsym_cmds \ +export_symbols_cmds \ +prelink_cmds \ +postinstall_cmds \ +postuninstall_cmds \ +finish_cmds \ +sys_lib_search_path_spec \ +sys_lib_dlsearch_path_spec; do + case \`eval \\\\\$ECHO "X\\\\\$\$var"\` in + *[\\\\\\\`\\"\\\$]*) + eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"X\\\$\$var\\" | \\\$Xsed -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\"" + ;; + *) + eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\"" + ;; + esac +done -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char libnet_build_ip (); -int -main () -{ -return libnet_build_ip (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; +# Fix-up fallback echo if it was mangled by the above quoting rules. +case \$lt_ECHO in +*'\\\$0 --fallback-echo"') lt_ECHO=\`\$ECHO "X\$lt_ECHO" | \$Xsed -e 's/\\\\\\\\\\\\\\\$0 --fallback-echo"\$/\$0 --fallback-echo"/'\` + ;; esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! 
-s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_lib_net_libnet_build_ip=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_lib_net_libnet_build_ip=no -fi +ac_aux_dir='$ac_aux_dir' +xsi_shell='$xsi_shell' +lt_shell_append='$lt_shell_append' -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS +# See if we are running on zsh, and set the options which allow our +# commands through without removal of \ escapes INIT. +if test -n "\${ZSH_VERSION+set}" ; then + setopt NO_GLOB_SUBST fi -{ echo "$as_me:$LINENO: result: $ac_cv_lib_net_libnet_build_ip" >&5 -echo "${ECHO_T}$ac_cv_lib_net_libnet_build_ip" >&6; } -if test $ac_cv_lib_net_libnet_build_ip = yes; then - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBNET 1 -_ACEOF - LIBS="-lnet $LIBS" -else - LNET="no" -fi + PACKAGE='$PACKAGE' + VERSION='$VERSION' + TIMESTAMP='$TIMESTAMP' + RM='$RM' + ofile='$ofile' - if test "x$LNET" = "xno"; then - echo - echo " ERROR! Libnet library not found, go get it from" - echo " http://www.packetfactory.net/projects/libnet/" - echo " or use the --with-libnet-* options, if you have it installed" - echo " in unusual place" - exit 1 - fi -fi -if test "x$enable_flexresp2" = "xyes" ; then - DNET="" -for ac_header in dnet.h -do -as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then - { echo "$as_me:$LINENO: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } -if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -fi -ac_res=`eval echo '${'$as_ac_Header'}'` - { echo "$as_me:$LINENO: result: $ac_res" >&5 -echo "${ECHO_T}$ac_res" >&6; } -else - # Is the header compilable? 
-{ echo "$as_me:$LINENO: checking $ac_header usability" >&5 -echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; } -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -$ac_includes_default -#include <$ac_header> -_ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_header_compiler=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - ac_header_compiler=no -fi +_ACEOF -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 -echo "${ECHO_T}$ac_header_compiler" >&6; } +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 -# Is the header present? -{ echo "$as_me:$LINENO: checking $ac_header presence" >&5 -echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; } -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -#include <$ac_header> -_ACEOF -if { (ac_try="$ac_cpp conftest.$ac_ext" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 - (exit $ac_status); } >/dev/null && { - test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || - test ! -s conftest.err - }; then - ac_header_preproc=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 +# Handling of arguments. +for ac_config_target in $ac_config_targets +do + case $ac_config_target in + "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;; + "depfiles") CONFIG_COMMANDS="$CONFIG_COMMANDS depfiles" ;; + "libtool") CONFIG_COMMANDS="$CONFIG_COMMANDS libtool" ;; + "snort.pc") CONFIG_FILES="$CONFIG_FILES snort.pc" ;; + "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; + "src/Makefile") CONFIG_FILES="$CONFIG_FILES src/Makefile" ;; + "src/sfutil/Makefile") CONFIG_FILES="$CONFIG_FILES src/sfutil/Makefile" ;; + "src/control/Makefile") CONFIG_FILES="$CONFIG_FILES src/control/Makefile" ;; + "src/detection-plugins/Makefile") CONFIG_FILES="$CONFIG_FILES src/detection-plugins/Makefile" ;; + "src/dynamic-examples/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-examples/Makefile" ;; + "src/dynamic-examples/dynamic-preprocessor/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-examples/dynamic-preprocessor/Makefile" ;; + "src/dynamic-examples/dynamic-rule/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-examples/dynamic-rule/Makefile" ;; + "src/dynamic-plugins/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-plugins/Makefile" ;; + "src/dynamic-plugins/sf_engine/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-plugins/sf_engine/Makefile" ;; + "src/dynamic-plugins/sf_engine/examples/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-plugins/sf_engine/examples/Makefile" ;; + "src/dynamic-plugins/sf_preproc_example/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-plugins/sf_preproc_example/Makefile" ;; + "src/dynamic-preprocessors/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/Makefile" ;; + "src/dynamic-preprocessors/libs/Makefile") CONFIG_FILES="$CONFIG_FILES 
src/dynamic-preprocessors/libs/Makefile" ;; + "src/dynamic-preprocessors/libs/snort_preproc.pc") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/libs/snort_preproc.pc" ;; + "src/dynamic-preprocessors/ftptelnet/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/ftptelnet/Makefile" ;; + "src/dynamic-preprocessors/smtp/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/smtp/Makefile" ;; + "src/dynamic-preprocessors/ssh/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/ssh/Makefile" ;; + "src/dynamic-preprocessors/sip/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/sip/Makefile" ;; + "src/dynamic-preprocessors/reputation/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/reputation/Makefile" ;; + "src/dynamic-preprocessors/gtp/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/gtp/Makefile" ;; + "src/dynamic-preprocessors/dcerpc2/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/dcerpc2/Makefile" ;; + "src/dynamic-preprocessors/pop/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/pop/Makefile" ;; + "src/dynamic-preprocessors/imap/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/imap/Makefile" ;; + "src/dynamic-preprocessors/sdf/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/sdf/Makefile" ;; + "src/dynamic-preprocessors/dns/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/dns/Makefile" ;; + "src/dynamic-preprocessors/ssl/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/ssl/Makefile" ;; + "src/dynamic-preprocessors/modbus/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/modbus/Makefile" ;; + "src/dynamic-preprocessors/dnp3/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/dnp3/Makefile" ;; + "src/dynamic-preprocessors/rzb_saac/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/rzb_saac/Makefile" ;; + "src/output-plugins/Makefile") 
CONFIG_FILES="$CONFIG_FILES src/output-plugins/Makefile" ;; + "src/preprocessors/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/Makefile" ;; + "src/preprocessors/HttpInspect/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/HttpInspect/Makefile" ;; + "src/preprocessors/HttpInspect/include/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/HttpInspect/include/Makefile" ;; + "src/preprocessors/HttpInspect/utils/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/HttpInspect/utils/Makefile" ;; + "src/preprocessors/HttpInspect/anomaly_detection/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/HttpInspect/anomaly_detection/Makefile" ;; + "src/preprocessors/HttpInspect/client/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/HttpInspect/client/Makefile" ;; + "src/preprocessors/HttpInspect/event_output/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/HttpInspect/event_output/Makefile" ;; + "src/preprocessors/HttpInspect/mode_inspection/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/HttpInspect/mode_inspection/Makefile" ;; + "src/preprocessors/HttpInspect/normalization/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/HttpInspect/normalization/Makefile" ;; + "src/preprocessors/HttpInspect/server/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/HttpInspect/server/Makefile" ;; + "src/preprocessors/HttpInspect/session_inspection/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/HttpInspect/session_inspection/Makefile" ;; + "src/preprocessors/HttpInspect/user_interface/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/HttpInspect/user_interface/Makefile" ;; + "src/preprocessors/Stream5/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/Stream5/Makefile" ;; + "src/parser/Makefile") CONFIG_FILES="$CONFIG_FILES src/parser/Makefile" ;; + "src/target-based/Makefile") CONFIG_FILES="$CONFIG_FILES src/target-based/Makefile" ;; + "doc/Makefile") CONFIG_FILES="$CONFIG_FILES doc/Makefile" ;; + 
"contrib/Makefile") CONFIG_FILES="$CONFIG_FILES contrib/Makefile" ;; + "rpm/Makefile") CONFIG_FILES="$CONFIG_FILES rpm/Makefile" ;; + "preproc_rules/Makefile") CONFIG_FILES="$CONFIG_FILES preproc_rules/Makefile" ;; + "m4/Makefile") CONFIG_FILES="$CONFIG_FILES m4/Makefile" ;; + "etc/Makefile") CONFIG_FILES="$CONFIG_FILES etc/Makefile" ;; + "schemas/Makefile") CONFIG_FILES="$CONFIG_FILES schemas/Makefile" ;; + "templates/Makefile") CONFIG_FILES="$CONFIG_FILES templates/Makefile" ;; + "tools/Makefile") CONFIG_FILES="$CONFIG_FILES tools/Makefile" ;; + "tools/control/Makefile") CONFIG_FILES="$CONFIG_FILES tools/control/Makefile" ;; + "tools/u2boat/Makefile") CONFIG_FILES="$CONFIG_FILES tools/u2boat/Makefile" ;; + "tools/u2spewfoo/Makefile") CONFIG_FILES="$CONFIG_FILES tools/u2spewfoo/Makefile" ;; + "src/win32/Makefile") CONFIG_FILES="$CONFIG_FILES src/win32/Makefile" ;; - ac_header_preproc=no + *) { { $as_echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5 +$as_echo "$as_me: error: invalid argument: $ac_config_target" >&2;} + { (exit 1); exit 1; }; };; + esac +done + + +# If the user did not use the arguments to specify the items to instantiate, +# then the envvar interface is used. Set only those that are not. +# We use the long form for the default assignment because of an extremely +# bizarre bug on SunOS 4.1.3. +if $ac_need_defaults; then + test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files + test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers + test "${CONFIG_COMMANDS+set}" = set || CONFIG_COMMANDS=$config_commands fi -rm -f conftest.err conftest.$ac_ext -{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 -echo "${ECHO_T}$ac_header_preproc" >&6; } +# Have a temporary directory for convenience. Make it in the build tree +# simply because there is no reason against having it here, and in addition, +# creating and moving files from /tmp can sometimes cause problems. +# Hook for its removal unless debugging. 
+# Note that there is a small window in which the directory will not be cleaned: +# after its creation but before its name has been assigned to `$tmp'. +$debug || +{ + tmp= + trap 'exit_status=$? + { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status +' 0 + trap '{ (exit 1); exit 1; }' 1 2 13 15 +} +# Create a (secure) tmp directory for tmp files. -# So? What about this header? -case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in - yes:no: ) - { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 -echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} - ac_header_preproc=yes - ;; - no:yes:* ) - { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 -echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 -echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" 
>&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 -echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 -echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 -echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} +{ + tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` && + test -n "$tmp" && test -d "$tmp" +} || +{ + tmp=./conf$$-$RANDOM + (umask 077 && mkdir "$tmp") +} || +{ + $as_echo "$as_me: cannot create a temporary directory in ." >&2 + { (exit 1); exit 1; } +} - ;; -esac -{ echo "$as_me:$LINENO: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } -if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - eval "$as_ac_Header=\$ac_header_preproc" -fi -ac_res=`eval echo '${'$as_ac_Header'}'` - { echo "$as_me:$LINENO: result: $ac_res" >&5 -echo "${ECHO_T}$ac_res" >&6; } +# Set up the scripts for CONFIG_FILES section. +# No need to generate them if there are no CONFIG_FILES. +# This happens for instance with `./config.status config.h'. 
+if test -n "$CONFIG_FILES"; then -fi -if test `eval echo '${'$as_ac_Header'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 -_ACEOF +ac_cr=' ' +ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' /dev/null` +if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then + ac_cs_awk_cr='\\r' else - DNET="no" + ac_cs_awk_cr=$ac_cr fi -done +echo 'BEGIN {' >"$tmp/subs1.awk" && +_ACEOF - if test "x$DNET" = "xno"; then - echo - echo " ERROR! Libdnet header not found, go get it from" - echo " http://libdnet.sourceforge.net or use the --with-dnet-*" - echo " options, if you have it installed in an unusual place" - exit - fi - DNET="" +{ + echo "cat >conf$$subs.awk <<_ACEOF" && + echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' && + echo "_ACEOF" +} >conf$$subs.sh || + { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 +$as_echo "$as_me: error: could not make $CONFIG_STATUS" >&2;} + { (exit 1); exit 1; }; } +ac_delim_num=`echo "$ac_subst_vars" | grep -c '$'` +ac_delim='%!_!# ' +for ac_last_try in false false false false false :; do + . ./conf$$subs.sh || + { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 +$as_echo "$as_me: error: could not make $CONFIG_STATUS" >&2;} + { (exit 1); exit 1; }; } -{ echo "$as_me:$LINENO: checking for eth_set in -ldnet" >&5 -echo $ECHO_N "checking for eth_set in -ldnet... $ECHO_C" >&6; } -if test "${ac_cv_lib_dnet_eth_set+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ldnet $LIBS" -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ + ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X` + if test $ac_delim_n = $ac_delim_num; then + break + elif $ac_last_try; then + { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 +$as_echo "$as_me: error: could not make $CONFIG_STATUS" >&2;} + { (exit 1); exit 1; }; } + else + ac_delim="$ac_delim!$ac_delim _$ac_delim!! 
" + fi +done +rm -f conf$$subs.sh + +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +cat >>"\$tmp/subs1.awk" <<\\_ACAWK && _ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ +sed -n ' +h +s/^/S["/; s/!.*/"]=/ +p +g +s/^[^!]*!// +:repl +t repl +s/'"$ac_delim"'$// +t delim +:nl +h +s/\(.\{148\}\).*/\1/ +t more1 +s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/ +p +n +b repl +:more1 +s/["\\]/\\&/g; s/^/"/; s/$/"\\/ +p +g +s/.\{148\}// +t nl +:delim +h +s/\(.\{148\}\).*/\1/ +t more2 +s/["\\]/\\&/g; s/^/"/; s/$/"/ +p +b +:more2 +s/["\\]/\\&/g; s/^/"/; s/$/"\\/ +p +g +s/.\{148\}// +t delim +' >$CONFIG_STATUS || ac_write_fail=1 +rm -f conf$$subs.awk +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +_ACAWK +cat >>"\$tmp/subs1.awk" <<_ACAWK && + for (key in S) S_is_set[key] = 1 + FS = "" -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. 
*/ -#ifdef __cplusplus -extern "C" -#endif -char eth_set (); -int -main () -{ -return eth_set (); - ; - return 0; } +{ + line = $ 0 + nfields = split(line, field, "@") + substed = 0 + len = length(field[1]) + for (i = 2; i < nfields; i++) { + key = field[i] + keylen = length(key) + if (S_is_set[key]) { + value = S[key] + line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3) + len += length(value) + length(field[++i]) + substed = 1 + } else + len += 1 + keylen + } + + print line +} + +_ACAWK +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then + sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g" +else + cat +fi < "$tmp/subs1.awk" > "$tmp/subs.awk" \ + || { { $as_echo "$as_me:$LINENO: error: could not setup config files machinery" >&5 +$as_echo "$as_me: error: could not setup config files machinery" >&2;} + { (exit 1); exit 1; }; } _ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_lib_dnet_eth_set=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - ac_cv_lib_dnet_eth_set=no +# VPATH may cause trouble with some makes, so we remove $(srcdir), +# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and +# trailing colons and then remove the whole line if VPATH becomes empty +# (actually we leave an empty line to preserve line numbers). 
+if test "x$srcdir" = x.; then + ac_vpsub='/^[ ]*VPATH[ ]*=/{ +s/:*\$(srcdir):*/:/ +s/:*\${srcdir}:*/:/ +s/:*@srcdir@:*/:/ +s/^\([^=]*=[ ]*\):*/\1/ +s/:*$// +s/^[^=]*=[ ]*$// +}' fi -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ echo "$as_me:$LINENO: result: $ac_cv_lib_dnet_eth_set" >&5 -echo "${ECHO_T}$ac_cv_lib_dnet_eth_set" >&6; } -if test $ac_cv_lib_dnet_eth_set = yes; then - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBDNET 1 +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +fi # test -n "$CONFIG_FILES" + +# Set up the scripts for CONFIG_HEADERS section. +# No need to generate them if there are no CONFIG_HEADERS. +# This happens for instance with `./config.status Makefile'. +if test -n "$CONFIG_HEADERS"; then +cat >"$tmp/defines.awk" <<\_ACAWK || +BEGIN { _ACEOF - LIBS="-ldnet $LIBS" +# Transform confdefs.h into an awk script `defines.awk', embedded as +# here-document in config.status, that substitutes the proper values into +# config.h.in to produce config.h. -else - DNET="no" -fi +# Create a delimiter string that does not exist in confdefs.h, to ease +# handling of long lines. +ac_delim='%!_!# ' +for ac_last_try in false false :; do + ac_t=`sed -n "/$ac_delim/p" confdefs.h` + if test -z "$ac_t"; then + break + elif $ac_last_try; then + { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_HEADERS" >&5 +$as_echo "$as_me: error: could not make $CONFIG_HEADERS" >&2;} + { (exit 1); exit 1; }; } + else + ac_delim="$ac_delim!$ac_delim _$ac_delim!! " + fi +done - if test "x$DNET" = "xno"; then - echo - echo " ERROR! Libdnet library not found, go get it from" - echo " http://libdnet.sourceforge.net or use the --with-dnet-*" - echo " options, if you have it installed in an unusual place" - exit +# For the awk script, D is an array of macro values keyed by name, +# likewise P contains macro parameters if any. Preserve backslash +# newline sequences. 
+ +ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]* +sed -n ' +s/.\{148\}/&'"$ac_delim"'/g +t rset +:rset +s/^[ ]*#[ ]*define[ ][ ]*/ / +t def +d +:def +s/\\$// +t bsnl +s/["\\]/\\&/g +s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ +D["\1"]=" \3"/p +s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2"/p +d +:bsnl +s/["\\]/\\&/g +s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ +D["\1"]=" \3\\\\\\n"\\/p +t cont +s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2\\\\\\n"\\/p +t cont +d +:cont +n +s/.\{148\}/&'"$ac_delim"'/g +t clear +:clear +s/\\$// +t bsnlc +s/["\\]/\\&/g; s/^/"/; s/$/"/p +d +:bsnlc +s/["\\]/\\&/g; s/^/"/; s/$/\\\\\\n"\\/p +b cont +' >$CONFIG_STATUS || ac_write_fail=1 + +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 + for (key in D) D_is_set[key] = 1 + FS = "" +} +/^[\t ]*#[\t ]*(define|undef)[\t ]+$ac_word_re([\t (]|\$)/ { + line = \$ 0 + split(line, arg, " ") + if (arg[1] == "#") { + defundef = arg[2] + mac1 = arg[3] + } else { + defundef = substr(arg[1], 2) + mac1 = arg[2] + } + split(mac1, mac2, "(") #) + macro = mac2[1] + prefix = substr(line, 1, index(line, defundef) - 1) + if (D_is_set[macro]) { + # Preserve the white space surrounding the "#". + print prefix "define", macro P[macro] D[macro] + next + } else { + # Replace #undef with comments. This is necessary, for example, + # in the case of _POSIX_SOURCE, which is predefined and required + # on some systems where configure will not decide to define it. 
+ if (defundef == "undef") { + print "/*", prefix defundef, macro, "*/" + next + } + } +} +{ print } +_ACAWK +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 + { { $as_echo "$as_me:$LINENO: error: could not setup config headers machinery" >&5 +$as_echo "$as_me: error: could not setup config headers machinery" >&2;} + { (exit 1); exit 1; }; } +fi # test -n "$CONFIG_HEADERS" + + +eval set X " :F $CONFIG_FILES :H $CONFIG_HEADERS :C $CONFIG_COMMANDS" +shift +for ac_tag +do + case $ac_tag in + :[FHLC]) ac_mode=$ac_tag; continue;; + esac + case $ac_mode$ac_tag in + :[FHL]*:*);; + :L* | :C*:*) { { $as_echo "$as_me:$LINENO: error: invalid tag $ac_tag" >&5 +$as_echo "$as_me: error: invalid tag $ac_tag" >&2;} + { (exit 1); exit 1; }; };; + :[FH]-) ac_tag=-:-;; + :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; + esac + ac_save_IFS=$IFS + IFS=: + set x $ac_tag + IFS=$ac_save_IFS + shift + ac_file=$1 + shift + + case $ac_mode in + :L) ac_source=$1;; + :[FH]) + ac_file_inputs= + for ac_f + do + case $ac_f in + -) ac_f="$tmp/stdin";; + *) # Look for the file first in the build tree, then in the source tree + # (if the path is not absolute). The absolute path cannot be DOS-style, + # because $ac_f cannot contain `:'. + test -f "$ac_f" || + case $ac_f in + [\\/$]*) false;; + *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; + esac || + { { $as_echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5 +$as_echo "$as_me: error: cannot find input file: $ac_f" >&2;} + { (exit 1); exit 1; }; };; + esac + case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac + ac_file_inputs="$ac_file_inputs '$ac_f'" + done + + # Let's still pretend it is `configure' which instantiates (i.e., don't + # use $as_me), people would be surprised to read: + # /* config.h. Generated by config.status. */ + configure_input='Generated from '` + $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g' + `' by configure.' + if test x"$ac_file" != x-; then + configure_input="$ac_file. 
$configure_input" + { $as_echo "$as_me:$LINENO: creating $ac_file" >&5 +$as_echo "$as_me: creating $ac_file" >&6;} fi -fi + # Neutralize special characters interpreted by sed in replacement strings. + case $configure_input in #( + *\&* | *\|* | *\\* ) + ac_sed_conf_input=`$as_echo "$configure_input" | + sed 's/[\\\\&|]/\\\\&/g'`;; #( + *) ac_sed_conf_input=$configure_input;; + esac + + case $ac_tag in + *:-:* | *:-) cat >"$tmp/stdin" \ + || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5 +$as_echo "$as_me: error: could not create $ac_file" >&2;} + { (exit 1); exit 1; }; } ;; + esac + ;; + esac + + ac_dir=`$as_dirname -- "$ac_file" || +$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$ac_file" : 'X\(//\)[^/]' \| \ + X"$ac_file" : 'X\(//\)$' \| \ + X"$ac_file" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$ac_file" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + { as_dir="$ac_dir" + case $as_dir in #( + -*) as_dir=./$as_dir;; + esac + test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || { + as_dirs= + while :; do + case $as_dir in #( + *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( + *) as_qdir=$as_dir;; + esac + as_dirs="'$as_qdir' $as_dirs" + as_dir=`$as_dirname -- "$as_dir" || +$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$as_dir" : 'X\(//\)[^/]' \| \ + X"$as_dir" : 'X\(//\)$' \| \ + X"$as_dir" : 'X\(/\)' \| . 
2>/dev/null || +$as_echo X"$as_dir" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + test -d "$as_dir" && break + done + test -z "$as_dirs" || eval "mkdir $as_dirs" + } || test -d "$as_dir" || { { $as_echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5 +$as_echo "$as_me: error: cannot create directory $as_dir" >&2;} + { (exit 1); exit 1; }; }; } + ac_builddir=. -# let's make some fixes.. +case "$ac_dir" in +.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; +*) + ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` + # A ".." for each directory in $ac_dir_suffix. + ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` + case $ac_top_builddir_sub in + "") ac_top_builddir_sub=. ac_top_build_prefix= ;; + *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; + esac ;; +esac +ac_abs_top_builddir=$ac_pwd +ac_abs_builddir=$ac_pwd$ac_dir_suffix +# for backward compatibility: +ac_top_builddir=$ac_top_build_prefix -CFLAGS=`echo $CFLAGS | sed -e 's/-I\/usr\/include //g'` -CPPFLAGS=`echo $CPPFLAGS | sed -e 's/-I\/usr\/include //g'` +case $srcdir in + .) # We are building in place. + ac_srcdir=. + ac_top_srcdir=$ac_top_builddir_sub + ac_abs_top_srcdir=$ac_pwd ;; + [\\/]* | ?:[\\/]* ) # Absolute name. + ac_srcdir=$srcdir$ac_dir_suffix; + ac_top_srcdir=$srcdir + ac_abs_top_srcdir=$srcdir ;; + *) # Relative name. + ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix + ac_top_srcdir=$ac_top_build_prefix$srcdir + ac_abs_top_srcdir=$ac_pwd/$srcdir ;; +esac +ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix -if test "x$GCC" = "xyes" ; then - echo `$CC -v 2>&1` | grep "version 4" > /dev/null - if test $? = 0 ; then - CFLAGS="$CFLAGS -fno-strict-aliasing" - fi -fi -if test "x$linux" = "xyes"; then - { echo "$as_me:$LINENO: checking for linuxthreads" >&5 -echo $ECHO_N "checking for linuxthreads... 
$ECHO_C" >&6; } - tstr=`getconf GNU_LIBPTHREAD_VERSION 2>&1` - if test $? = 0; then # GNU_LIBPTHREAD_VERSION is a valid system variable - echo $tstr | grep -i linuxthreads > /dev/null 2>&1 - if test $? = 0; then + case $ac_mode in + :F) + # + # CONFIG_FILE + # -cat >>confdefs.h <<\_ACEOF -#define HAVE_LINUXTHREADS 1 + case $INSTALL in + [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;; + *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;; + esac + ac_MKDIR_P=$MKDIR_P + case $MKDIR_P in + [\\/$]* | ?:[\\/]* ) ;; + */*) ac_MKDIR_P=$ac_top_build_prefix$MKDIR_P ;; + esac _ACEOF - { echo "$as_me:$LINENO: result: yes" >&5 -echo "${ECHO_T}yes" >&6; } - else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } - fi - else - # Use libc.so to see if linuxthreads is being used - $( ldd `which --skip-alias ls` | grep libc.so | awk '{print $3}' ) | grep -i linuxthreads > /dev/null 2>&1 - if test $? = 0; then +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +# If the template does not know about datarootdir, expand it. +# FIXME: This hack should be removed a few years after 2.60. 
+ac_datarootdir_hack=; ac_datarootdir_seen= -cat >>confdefs.h <<\_ACEOF -#define HAVE_LINUXTHREADS 1 +ac_sed_dataroot=' +/datarootdir/ { + p + q +} +/@datadir@/p +/@docdir@/p +/@infodir@/p +/@localedir@/p +/@mandir@/p +' +case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in +*datarootdir*) ac_datarootdir_seen=yes;; +*@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) + { $as_echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 +$as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 + ac_datarootdir_hack=' + s&@datadir@&$datadir&g + s&@docdir@&$docdir&g + s&@infodir@&$infodir&g + s&@localedir@&$localedir&g + s&@mandir@&$mandir&g + s&\\\${datarootdir}&$datarootdir&g' ;; +esac _ACEOF - { echo "$as_me:$LINENO: result: yes" >&5 -echo "${ECHO_T}yes" >&6; } - else - { echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6; } - fi - fi -fi +# Neutralize VPATH when `$srcdir' = `.'. +# Shell code in configure.ac might set extrasub. +# FIXME: do we really want to maintain this feature? 
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +ac_sed_extra="$ac_vpsub +$extrasub +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +:t +/@[a-zA-Z_][a-zA-Z_0-9]*@/!b +s|@configure_input@|$ac_sed_conf_input|;t t +s&@top_builddir@&$ac_top_builddir_sub&;t t +s&@top_build_prefix@&$ac_top_build_prefix&;t t +s&@srcdir@&$ac_srcdir&;t t +s&@abs_srcdir@&$ac_abs_srcdir&;t t +s&@top_srcdir@&$ac_top_srcdir&;t t +s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t +s&@builddir@&$ac_builddir&;t t +s&@abs_builddir@&$ac_abs_builddir&;t t +s&@abs_top_builddir@&$ac_abs_top_builddir&;t t +s&@INSTALL@&$ac_INSTALL&;t t +s&@MKDIR_P@&$ac_MKDIR_P&;t t +$ac_datarootdir_hack +" +eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$tmp/subs.awk" >$tmp/out \ + || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5 +$as_echo "$as_me: error: could not create $ac_file" >&2;} + { (exit 1); exit 1; }; } -# Set to no optimization regardless of what user or autostuff set -if test "x$NO_OPTIMIZE" = "xyes"; then - CFLAGS=`echo $CFLAGS | sed -e "s/-O./-O0/"` +test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && + { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } && + { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } && + { $as_echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir' +which seems to be undefined. Please make sure it is defined." >&5 +$as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' +which seems to be undefined. Please make sure it is defined." 
>&2;} - # in case user override doesn't include -O - if echo $CFLAGS | grep -qve -O0 ; then - CFLAGS="$CFLAGS -O0" + rm -f "$tmp/stdin" + case $ac_file in + -) cat "$tmp/out" && rm -f "$tmp/out";; + *) rm -f "$ac_file" && mv "$tmp/out" "$ac_file";; + esac \ + || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5 +$as_echo "$as_me: error: could not create $ac_file" >&2;} + { (exit 1); exit 1; }; } + ;; + :H) + # + # CONFIG_HEADER + # + if test x"$ac_file" != x-; then + { + $as_echo "/* $configure_input */" \ + && eval '$AWK -f "$tmp/defines.awk"' "$ac_file_inputs" + } >"$tmp/config.h" \ + || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5 +$as_echo "$as_me: error: could not create $ac_file" >&2;} + { (exit 1); exit 1; }; } + if diff "$ac_file" "$tmp/config.h" >/dev/null 2>&1; then + { $as_echo "$as_me:$LINENO: $ac_file is unchanged" >&5 +$as_echo "$as_me: $ac_file is unchanged" >&6;} + else + rm -f "$ac_file" + mv "$tmp/config.h" "$ac_file" \ + || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5 +$as_echo "$as_me: error: could not create $ac_file" >&2;} + { (exit 1); exit 1; }; } fi -fi - -if test "x$ADD_WERROR" = "xyes"; then - CFLAGS="$CFLAGS -Werror" -fi - -if test -n "$GCC"; then - CFLAGS="$CFLAGS -Wall" -fi - -echo $CFLAGS > cflags.out -echo $CPPFLAGS > cppflags.out - -INCLUDES='-I$(top_srcdir) -I$(top_srcdir)/src -I$(top_srcdir)/src/sfutil $(extra_incl) -I$(top_srcdir)/src/output-plugins -I$(top_srcdir)/src/detection-plugins -I$(top_srcdir)/src/dynamic-plugins -I$(top_srcdir)/src/preprocessors -I$(top_srcdir)/src/preprocessors/portscan -I$(top_srcdir)/src/preprocessors/HttpInspect/include -I$(top_srcdir)/src/preprocessors/Stream5 -I$(top_srcdir)/src/target-based' - - - -# Find a good install program. We prefer a C program (faster), -# so one script is as good as another. 
But avoid the broken or -# incompatible versions: -# SysV /etc/install, /usr/sbin/install -# SunOS /usr/etc/install -# IRIX /sbin/install -# AIX /bin/install -# AmigaOS /C/install, which installs bootblocks on floppy discs -# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag -# AFS /usr/afsws/bin/install, which mishandles nonexistent args -# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" -# OS/2's system install, which has a completely different semantic -# ./install, which can be erroneously created by make from ./install.sh. -{ echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5 -echo $ECHO_N "checking for a BSD-compatible install... $ECHO_C" >&6; } -if test -z "$INSTALL"; then -if test "${ac_cv_path_install+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - # Account for people who put trailing slashes in PATH elements. -case $as_dir/ in - ./ | .// | /cC/* | \ - /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \ - ?:\\/os2\\/install\\/* | ?:\\/OS2\\/INSTALL\\/* | \ - /usr/ucb/* ) ;; - *) - # OSF1 and SCO ODT 3.0 have their own names for install. - # Don't use installbsd from OSF since it installs stuff as root - # by default. - for ac_prog in ginstall scoinst install; do - for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then - if test $ac_prog = install && - grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then - # AIX install. It has an incompatible calling convention. - : - elif test $ac_prog = install && - grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then - # program-specific install script used by HP pwplus--don't use. 
- : - else - ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c" - break 3 - fi - fi - done - done - ;; -esac + else + $as_echo "/* $configure_input */" \ + && eval '$AWK -f "$tmp/defines.awk"' "$ac_file_inputs" \ + || { { $as_echo "$as_me:$LINENO: error: could not create -" >&5 +$as_echo "$as_me: error: could not create -" >&2;} + { (exit 1); exit 1; }; } + fi +# Compute "$ac_file"'s index in $config_headers. +_am_arg="$ac_file" +_am_stamp_count=1 +for _am_header in $config_headers :; do + case $_am_header in + $_am_arg | $_am_arg:* ) + break ;; + * ) + _am_stamp_count=`expr $_am_stamp_count + 1` ;; + esac done -IFS=$as_save_IFS +echo "timestamp for $_am_arg" >`$as_dirname -- "$_am_arg" || +$as_expr X"$_am_arg" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$_am_arg" : 'X\(//\)[^/]' \| \ + X"$_am_arg" : 'X\(//\)$' \| \ + X"$_am_arg" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$_am_arg" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'`/stamp-h$_am_stamp_count + ;; + :C) { $as_echo "$as_me:$LINENO: executing $ac_file commands" >&5 +$as_echo "$as_me: executing $ac_file commands" >&6;} + ;; + esac -fi - if test "${ac_cv_path_install+set}" = set; then - INSTALL=$ac_cv_path_install - else - # As a last resort, use the slow shell script. Don't cache a - # value for INSTALL within a source directory, because that will - # break other packages using the cache if that directory is - # removed, or if the value is a relative name. - INSTALL=$ac_install_sh - fi -fi -{ echo "$as_me:$LINENO: result: $INSTALL" >&5 -echo "${ECHO_T}$INSTALL" >&6; } -# Use test -z because SunOS4 sh mishandles braces in ${var-val}. -# It thinks the first close brace ends the variable substitution. 
-test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}' + case $ac_file$ac_mode in + "depfiles":C) test x"$AMDEP_TRUE" != x"" || { + # Autoconf 2.62 quotes --file arguments for eval, but not when files + # are listed without --file. Let's play safe and only enable the eval + # if we detect the quoting. + case $CONFIG_FILES in + *\'*) eval set x "$CONFIG_FILES" ;; + *) set x $CONFIG_FILES ;; + esac + shift + for mf + do + # Strip MF so we end up with the name of the file. + mf=`echo "$mf" | sed -e 's/:.*$//'` + # Check whether this is an Automake generated Makefile or not. + # We used to match only the files named `Makefile.in', but + # some people rename them; so instead we look at the file content. + # Grep'ing the first line is not enough: some people post-process + # each Makefile.in and add a new line on top of each file to say so. + # Grep'ing the whole file is not good either: AIX grep has a line + # limit of 2048, but all sed's we know have understand at least 4000. + if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then + dirpart=`$as_dirname -- "$mf" || +$as_expr X"$mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$mf" : 'X\(//\)[^/]' \| \ + X"$mf" : 'X\(//\)$' \| \ + X"$mf" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$mf" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + else + continue + fi + # Extract the definition of DEPDIR, am__include, and am__quote + # from the Makefile without running `make'. 
+ DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"` + test -z "$DEPDIR" && continue + am__include=`sed -n 's/^am__include = //p' < "$mf"` + test -z "am__include" && continue + am__quote=`sed -n 's/^am__quote = //p' < "$mf"` + # When using ansi2knr, U may be empty or an underscore; expand it + U=`sed -n 's/^U = //p' < "$mf"` + # Find all dependency output files, they are included files with + # $(DEPDIR) in their names. We invoke sed twice because it is the + # simplest approach to changing $(DEPDIR) to its actual value in the + # expansion. + for file in `sed -n " + s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \ + sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do + # Make sure the directory exists. + test -f "$dirpart/$file" && continue + fdir=`$as_dirname -- "$file" || +$as_expr X"$file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$file" : 'X\(//\)[^/]' \| \ + X"$file" : 'X\(//\)$' \| \ + X"$file" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$file" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + { as_dir=$dirpart/$fdir + case $as_dir in #( + -*) as_dir=./$as_dir;; + esac + test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || { + as_dirs= + while :; do + case $as_dir in #( + *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( + *) as_qdir=$as_dir;; + esac + as_dirs="'$as_qdir' $as_dirs" + as_dir=`$as_dirname -- "$as_dir" || +$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$as_dir" : 'X\(//\)[^/]' \| \ + X"$as_dir" : 'X\(//\)$' \| \ + X"$as_dir" : 'X\(/\)' \| . 
2>/dev/null || +$as_echo X"$as_dir" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + test -d "$as_dir" && break + done + test -z "$as_dirs" || eval "mkdir $as_dirs" + } || test -d "$as_dir" || { { $as_echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5 +$as_echo "$as_me: error: cannot create directory $as_dir" >&2;} + { (exit 1); exit 1; }; }; } + # echo "creating $dirpart/$file" + echo '# dummy' > "$dirpart/$file" + done + done +} + ;; + "libtool":C) -test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}' + # See if we are running on zsh, and set the options which allow our + # commands through without removal of \ escapes. + if test -n "${ZSH_VERSION+set}" ; then + setopt NO_GLOB_SUBST + fi -test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' + cfgfile="${ofile}T" + trap "$RM \"$cfgfile\"; exit 1" 1 2 15 + $RM "$cfgfile" -ac_config_files="$ac_config_files snort.pc Makefile src/Makefile src/sfutil/Makefile src/detection-plugins/Makefile src/dynamic-examples/Makefile src/dynamic-examples/dynamic-preprocessor/Makefile src/dynamic-examples/dynamic-rule/Makefile src/dynamic-plugins/Makefile src/dynamic-plugins/sf_engine/Makefile src/dynamic-plugins/sf_engine/examples/Makefile src/dynamic-plugins/sf_preproc_example/Makefile src/dynamic-preprocessors/Makefile src/dynamic-preprocessors/libs/Makefile src/dynamic-preprocessors/ftptelnet/Makefile src/dynamic-preprocessors/smtp/Makefile src/dynamic-preprocessors/ssh/Makefile src/dynamic-preprocessors/dcerpc/Makefile src/dynamic-preprocessors/dcerpc2/Makefile src/dynamic-preprocessors/dns/Makefile src/dynamic-preprocessors/ssl/Makefile src/output-plugins/Makefile src/preprocessors/Makefile src/preprocessors/HttpInspect/Makefile src/preprocessors/HttpInspect/include/Makefile src/preprocessors/HttpInspect/utils/Makefile 
src/preprocessors/HttpInspect/anomaly_detection/Makefile src/preprocessors/HttpInspect/client/Makefile src/preprocessors/HttpInspect/event_output/Makefile src/preprocessors/HttpInspect/mode_inspection/Makefile src/preprocessors/HttpInspect/normalization/Makefile src/preprocessors/HttpInspect/server/Makefile src/preprocessors/HttpInspect/session_inspection/Makefile src/preprocessors/HttpInspect/user_interface/Makefile src/preprocessors/Stream5/Makefile src/parser/Makefile src/target-based/Makefile doc/Makefile contrib/Makefile schemas/Makefile rpm/Makefile preproc_rules/Makefile m4/Makefile etc/Makefile templates/Makefile src/win32/Makefile" + cat <<_LT_EOF >> "$cfgfile" +#! $SHELL -cat >confcache <<\_ACEOF -# This file is a shell script that caches the results of configure -# tests run on this system so they can be shared between configure -# scripts and configure runs, see configure's option --config-cache. -# It is not useful on other systems. If it contains results you don't -# want to keep, you may remove or edit it. +# `$ECHO "$ofile" | sed 's%^.*/%%'` - Provide generalized library-building support services. +# Generated automatically by $as_me ($PACKAGE$TIMESTAMP) $VERSION +# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`: +# NOTE: Changes made to this file will be lost: look at ltmain.sh. # -# config.status only pays attention to the cache file if you give it -# the --recheck option to rerun configure. +# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, +# 2006, 2007, 2008 Free Software Foundation, Inc. +# Written by Gordon Matzigkeit, 1996 # -# `ac_cv_env_foo' variables (set or unset) will be overridden when -# loading this file, other *unset* `ac_cv_foo' will be assigned the -# following values. - -_ACEOF - -# The following way of writing the cache mishandles newlines in values, -# but we know of no workaround that is simple, portable, and efficient. -# So, we kill variables containing newlines. 
-# Ultrix sh set writes to stderr and can't be redirected directly, -# and sets the high bit in the cache file unless we assign to the vars. -( - for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do - eval ac_val=\$$ac_var - case $ac_val in #( - *${as_nl}*) - case $ac_var in #( - *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5 -echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;; - esac - case $ac_var in #( - _ | IFS | as_nl) ;; #( - *) $as_unset $ac_var ;; - esac ;; - esac - done - - (set) 2>&1 | - case $as_nl`(ac_space=' '; set) 2>&1` in #( - *${as_nl}ac_space=\ *) - # `set' does not quote correctly, so add quotes (double-quote - # substitution turns \\\\ into \\, and sed turns \\ into \). - sed -n \ - "s/'/'\\\\''/g; - s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" - ;; #( - *) - # `set' quotes correctly as required by POSIX, so do not add quotes. - sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" - ;; - esac | - sort -) | - sed ' - /^ac_cv_env_/b end - t clear - :clear - s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/ - t end - s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/ - :end' >>confcache -if diff "$cache_file" confcache >/dev/null 2>&1; then :; else - if test -w "$cache_file"; then - test "x$cache_file" != "x/dev/null" && - { echo "$as_me:$LINENO: updating cache $cache_file" >&5 -echo "$as_me: updating cache $cache_file" >&6;} - cat confcache >$cache_file - else - { echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5 -echo "$as_me: not updating unwritable cache $cache_file" >&6;} - fi -fi -rm -f confcache +# This file is part of GNU Libtool. +# +# GNU Libtool is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. 
+# +# As a special exception to the GNU General Public License, +# if you distribute this file as part of a program or library that +# is built using GNU Libtool, you may include this file under the +# same distribution terms that you use for the rest of that program. +# +# GNU Libtool is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GNU Libtool; see the file COPYING. If not, a copy +# can be downloaded from http://www.gnu.org/licenses/gpl.html, or +# obtained by writing to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -test "x$prefix" = xNONE && prefix=$ac_default_prefix -# Let make expand exec_prefix. -test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' -DEFS=-DHAVE_CONFIG_H +# The names of the tagged configurations supported by this script. +available_tags="" -ac_libobjs= -ac_ltlibobjs= -for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue - # 1. Remove the extension, and $U if already installed. - ac_script='s/\$U\././;s/\.o$//;s/\.obj$//' - ac_i=`echo "$ac_i" | sed "$ac_script"` - # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR - # will be set to the directory where LIBOBJS objects are built. - ac_libobjs="$ac_libobjs \${LIBOBJDIR}$ac_i\$U.$ac_objext" - ac_ltlibobjs="$ac_ltlibobjs \${LIBOBJDIR}$ac_i"'$U.lo' -done -LIBOBJS=$ac_libobjs +# ### BEGIN LIBTOOL CONFIG -LTLIBOBJS=$ac_ltlibobjs +# Which release of libtool.m4 was used? +macro_version=$macro_version +macro_revision=$macro_revision +# Whether or not to build shared libraries. 
+build_libtool_libs=$enable_shared -if test -z "${MAINTAINER_MODE_TRUE}" && test -z "${MAINTAINER_MODE_FALSE}"; then - { { echo "$as_me:$LINENO: error: conditional \"MAINTAINER_MODE\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"MAINTAINER_MODE\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${AMDEP_TRUE}" && test -z "${AMDEP_FALSE}"; then - { { echo "$as_me:$LINENO: error: conditional \"AMDEP\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"AMDEP\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then - { { echo "$as_me:$LINENO: error: conditional \"am__fastdepCC\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"am__fastdepCC\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then - { { echo "$as_me:$LINENO: error: conditional \"am__fastdepCC\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"am__fastdepCC\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${am__fastdepCXX_TRUE}" && test -z "${am__fastdepCXX_FALSE}"; then - { { echo "$as_me:$LINENO: error: conditional \"am__fastdepCXX\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"am__fastdepCXX\" was never defined. -Usually this means the macro was only invoked conditionally." 
>&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${HAVE_DYNAMIC_PLUGINS_TRUE}" && test -z "${HAVE_DYNAMIC_PLUGINS_FALSE}"; then - { { echo "$as_me:$LINENO: error: conditional \"HAVE_DYNAMIC_PLUGINS\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"HAVE_DYNAMIC_PLUGINS\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${HAVE_SUP_IP6_TRUE}" && test -z "${HAVE_SUP_IP6_FALSE}"; then - { { echo "$as_me:$LINENO: error: conditional \"HAVE_SUP_IP6\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"HAVE_SUP_IP6\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${HAVE_TARGET_BASED_TRUE}" && test -z "${HAVE_TARGET_BASED_FALSE}"; then - { { echo "$as_me:$LINENO: error: conditional \"HAVE_TARGET_BASED\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"HAVE_TARGET_BASED\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi +# Whether or not to build static libraries. +build_old_libs=$enable_static -: ${CONFIG_STATUS=./config.status} -ac_clean_files_save=$ac_clean_files -ac_clean_files="$ac_clean_files $CONFIG_STATUS" -{ echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5 -echo "$as_me: creating $CONFIG_STATUS" >&6;} -cat >$CONFIG_STATUS <<_ACEOF -#! $SHELL -# Generated by $as_me. -# Run this file to recreate the current configuration. -# Compiler output produced by configure, useful for debugging -# configure, is in config.log if it exists. +# What type of objects to build. 
+pic_mode=$pic_mode -debug=false -ac_cs_recheck=false -ac_cs_silent=false -SHELL=\${CONFIG_SHELL-$SHELL} -_ACEOF +# Whether or not to optimize for fast installation. +fast_install=$enable_fast_install -cat >>$CONFIG_STATUS <<\_ACEOF -## --------------------- ## -## M4sh Initialization. ## -## --------------------- ## +# The host system. +host_alias=$host_alias +host=$host +host_os=$host_os -# Be more Bourne compatible -DUALCASE=1; export DUALCASE # for MKS sh -if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then - emulate sh - NULLCMD=: - # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which - # is contrary to our usage. Disable this feature. - alias -g '${1+"$@"}'='"$@"' - setopt NO_GLOB_SUBST -else - case `(set -o) 2>/dev/null` in - *posix*) set -o posix ;; -esac +# The build system. +build_alias=$build_alias +build=$build +build_os=$build_os -fi +# A sed program that does not truncate output. +SED=$lt_SED +# Sed that helps us avoid accidentally triggering echo(1) options like -n. +Xsed="\$SED -e 1s/^X//" +# A grep program that handles long lines. +GREP=$lt_GREP +# An ERE matcher. +EGREP=$lt_EGREP -# PATH needs CR -# Avoid depending upon Character Ranges. -as_cr_letters='abcdefghijklmnopqrstuvwxyz' -as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' -as_cr_Letters=$as_cr_letters$as_cr_LETTERS -as_cr_digits='0123456789' -as_cr_alnum=$as_cr_Letters$as_cr_digits +# A literal string matcher. +FGREP=$lt_FGREP -# The user is always right. -if test "${PATH_SEPARATOR+set}" != set; then - echo "#! /bin/sh" >conf$$.sh - echo "exit 0" >>conf$$.sh - chmod +x conf$$.sh - if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then - PATH_SEPARATOR=';' - else - PATH_SEPARATOR=: - fi - rm -f conf$$.sh -fi +# A BSD- or MS-compatible name lister. +NM=$lt_NM -# Support unset when possible. -if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then - as_unset=unset -else - as_unset=false -fi +# Whether we need soft or hard links. 
+LN_S=$lt_LN_S +# What is the maximum length of a command? +max_cmd_len=$max_cmd_len -# IFS -# We need space, tab and new line, in precisely that order. Quoting is -# there to prevent editors from complaining about space-tab. -# (If _AS_PATH_WALK were called with IFS unset, it would disable word -# splitting by setting IFS to empty value.) -as_nl=' -' -IFS=" "" $as_nl" +# Object file suffix (normally "o"). +objext=$ac_objext -# Find who we are. Look in the path if we contain no directory separator. -case $0 in - *[\\/]* ) as_myself=$0 ;; - *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break -done -IFS=$as_save_IFS +# Executable file suffix (normally ""). +exeext=$exeext - ;; -esac -# We did not find ourselves, most probably we were run as `sh COMMAND' -# in which case we are not to be found in the path. -if test "x$as_myself" = x; then - as_myself=$0 -fi -if test ! -f "$as_myself"; then - echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 - { (exit 1); exit 1; } -fi +# whether the shell understands "unset". +lt_unset=$lt_unset -# Work around bugs in pre-3.0 UWIN ksh. -for as_var in ENV MAIL MAILPATH -do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var -done -PS1='$ ' -PS2='> ' -PS4='+ ' +# turn spaces into newlines. +SP2NL=$lt_lt_SP2NL -# NLS nuisances. -for as_var in \ - LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \ - LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \ - LC_TELEPHONE LC_TIME -do - if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then - eval $as_var=C; export $as_var - else - ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var - fi -done +# turn newlines into spaces. +NL2SP=$lt_lt_NL2SP -# Required to use basename. 
-if expr a : '\(a\)' >/dev/null 2>&1 && - test "X`expr 00001 : '.*\(...\)'`" = X001; then - as_expr=expr -else - as_expr=false -fi +# How to create reloadable object files. +reload_flag=$lt_reload_flag +reload_cmds=$lt_reload_cmds -if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then - as_basename=basename -else - as_basename=false -fi +# An object symbol dumper. +OBJDUMP=$lt_OBJDUMP +# Method to check whether dependent libraries are shared objects. +deplibs_check_method=$lt_deplibs_check_method -# Name of the executable. -as_me=`$as_basename -- "$0" || -$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ - X"$0" : 'X\(//\)$' \| \ - X"$0" : 'X\(/\)' \| . 2>/dev/null || -echo X/"$0" | - sed '/^.*\/\([^/][^/]*\)\/*$/{ - s//\1/ - q - } - /^X\/\(\/\/\)$/{ - s//\1/ - q - } - /^X\/\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q'` +# Command to use when deplibs_check_method == "file_magic". +file_magic_cmd=$lt_file_magic_cmd -# CDPATH. -$as_unset CDPATH +# The archiver. +AR=$lt_AR +AR_FLAGS=$lt_AR_FLAGS +# A symbol stripping program. +STRIP=$lt_STRIP +# Commands used to install an old-style archive. +RANLIB=$lt_RANLIB +old_postinstall_cmds=$lt_old_postinstall_cmds +old_postuninstall_cmds=$lt_old_postuninstall_cmds - as_lineno_1=$LINENO - as_lineno_2=$LINENO - test "x$as_lineno_1" != "x$as_lineno_2" && - test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || { +# A C compiler. +LTCC=$lt_CC - # Create $as_me.lineno as a copy of $as_myself, but with $LINENO - # uniformly replaced by the line number. The first 'sed' inserts a - # line-number line after each line using $LINENO; the second 'sed' - # does the real work. The second script uses 'N' to pair each - # line-number line with the line containing $LINENO, and appends - # trailing '-' during substitution so that $LINENO is not a special - # case at line end. - # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the - # scripts with optimization help from Paolo Bonzini. Blame Lee - # E. 
McMahon (1931-1989) for sed's syntax. :-) - sed -n ' - p - /[$]LINENO/= - ' <$as_myself | - sed ' - s/[$]LINENO.*/&-/ - t lineno - b - :lineno - N - :loop - s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ - t loop - s/-\n.*// - ' >$as_me.lineno && - chmod +x "$as_me.lineno" || - { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2 - { (exit 1); exit 1; }; } +# LTCC compiler flags. +LTCFLAGS=$lt_CFLAGS - # Don't try to exec as it changes $[0], causing all sort of problems - # (the dirname of $[0] is not the place where we might find the - # original and so on. Autoconf is especially sensitive to this). - . "./$as_me.lineno" - # Exit status is that of the last command. - exit -} +# Take the output of nm and produce a listing of raw symbols and C names. +global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe +# Transform the output of nm in a proper C declaration. +global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl -if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then - as_dirname=dirname -else - as_dirname=false -fi +# Transform the output of nm in a C name address pair. +global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address -ECHO_C= ECHO_N= ECHO_T= -case `echo -n x` in --n*) - case `echo 'x\c'` in - *c*) ECHO_T=' ';; # ECHO_T is single tab character. - *) ECHO_C='\c';; - esac;; -*) - ECHO_N='-n';; -esac +# Transform the output of nm in a C name address pair when lib prefix is needed. +global_symbol_to_c_name_address_lib_prefix=$lt_lt_cv_sys_global_symbol_to_c_name_address_lib_prefix -if expr a : '\(a\)' >/dev/null 2>&1 && - test "X`expr 00001 : '.*\(...\)'`" = X001; then - as_expr=expr -else - as_expr=false -fi +# The name of the directory that contains temporary libtool files. 
+objdir=$objdir -rm -f conf$$ conf$$.exe conf$$.file -if test -d conf$$.dir; then - rm -f conf$$.dir/conf$$.file -else - rm -f conf$$.dir - mkdir conf$$.dir -fi -echo >conf$$.file -if ln -s conf$$.file conf$$ 2>/dev/null; then - as_ln_s='ln -s' - # ... but there are two gotchas: - # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. - # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. - # In both cases, we have to default to `cp -p'. - ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || - as_ln_s='cp -p' -elif ln conf$$.file conf$$ 2>/dev/null; then - as_ln_s=ln -else - as_ln_s='cp -p' -fi -rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file -rmdir conf$$.dir 2>/dev/null +# Shell to use when invoking shell scripts. +SHELL=$lt_SHELL -if mkdir -p . 2>/dev/null; then - as_mkdir_p=: -else - test -d ./-p && rmdir ./-p - as_mkdir_p=false -fi +# An echo program that does not interpret backslashes. +ECHO=$lt_ECHO -if test -x / >/dev/null 2>&1; then - as_test_x='test -x' -else - if ls -dL / >/dev/null 2>&1; then - as_ls_L_option=L - else - as_ls_L_option= - fi - as_test_x=' - eval sh -c '\'' - if test -d "$1"; then - test -d "$1/."; - else - case $1 in - -*)set "./$1";; - esac; - case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in - ???[sx]*):;;*)false;;esac;fi - '\'' sh - ' -fi -as_executable_p=$as_test_x +# Used to examine libraries when file_magic_cmd begins with "file". +MAGIC_CMD=$MAGIC_CMD + +# Must we lock files when doing compilation? +need_locks=$lt_need_locks -# Sed expression to map a string onto a valid CPP name. -as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" +# Tool to manipulate archived DWARF debug symbol files on Mac OS X. +DSYMUTIL=$lt_DSYMUTIL -# Sed expression to map a string onto a valid variable name. -as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" +# Tool to change global to local symbols on Mac OS X. 
+NMEDIT=$lt_NMEDIT +# Tool to manipulate fat objects and archives on Mac OS X. +LIPO=$lt_LIPO -exec 6>&1 +# ldd/readelf like tool for Mach-O binaries on Mac OS X. +OTOOL=$lt_OTOOL -# Save the log message, to keep $[0] and so on meaningful, and to -# report actual input values of CONFIG_FILES etc. instead of their -# values after options handling. -ac_log=" -This file was extended by $as_me, which was -generated by GNU Autoconf 2.61. Invocation command line was +# ldd/readelf like tool for 64 bit Mach-O binaries on Mac OS X 10.4. +OTOOL64=$lt_OTOOL64 - CONFIG_FILES = $CONFIG_FILES - CONFIG_HEADERS = $CONFIG_HEADERS - CONFIG_LINKS = $CONFIG_LINKS - CONFIG_COMMANDS = $CONFIG_COMMANDS - $ $0 $@ +# Old archive suffix (normally "a"). +libext=$libext -on `(hostname || uname -n) 2>/dev/null | sed 1q` -" +# Shared library suffix (normally ".so"). +shrext_cmds=$lt_shrext_cmds -_ACEOF +# The commands to extract the exported symbol list from a shared archive. +extract_expsyms_cmds=$lt_extract_expsyms_cmds -cat >>$CONFIG_STATUS <<_ACEOF -# Files that config.status was made for. -config_files="$ac_config_files" -config_headers="$ac_config_headers" -config_commands="$ac_config_commands" +# Variables whose values should be saved in libtool wrapper scripts and +# restored at link time. +variables_saved_for_relink=$lt_variables_saved_for_relink -_ACEOF +# Do we need the "lib" prefix for modules? +need_lib_prefix=$need_lib_prefix -cat >>$CONFIG_STATUS <<\_ACEOF -ac_cs_usage="\ -\`$as_me' instantiates files from templates according to the -current configuration. +# Do we need a version for libraries? +need_version=$need_version -Usage: $0 [OPTIONS] [FILE]... +# Library versioning type. 
+version_type=$version_type - -h, --help print this help, then exit - -V, --version print version number and configuration settings, then exit - -q, --quiet do not print progress messages - -d, --debug don't remove temporary files - --recheck update $as_me by reconfiguring in the same conditions - --file=FILE[:TEMPLATE] - instantiate the configuration file FILE - --header=FILE[:TEMPLATE] - instantiate the configuration header FILE +# Shared library runtime path variable. +runpath_var=$runpath_var -Configuration files: -$config_files +# Shared library path variable. +shlibpath_var=$shlibpath_var -Configuration headers: -$config_headers +# Is shlibpath searched before the hard-coded library search path? +shlibpath_overrides_runpath=$shlibpath_overrides_runpath -Configuration commands: -$config_commands +# Format of library name prefix. +libname_spec=$lt_libname_spec -Report bugs to ." +# List of archive names. First name is the real one, the rest are links. +# The last name is the one that the linker finds with -lNAME +library_names_spec=$lt_library_names_spec -_ACEOF -cat >>$CONFIG_STATUS <<_ACEOF -ac_cs_version="\\ -config.status -configured by $0, generated by GNU Autoconf 2.61, - with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\" +# The coded name of the library, if different from the real name. +soname_spec=$lt_soname_spec -Copyright (C) 2006 Free Software Foundation, Inc. -This config.status script is free software; the Free Software Foundation -gives unlimited permission to copy, distribute and modify it." +# Command to use after installation of a shared archive. +postinstall_cmds=$lt_postinstall_cmds -ac_pwd='$ac_pwd' -srcdir='$srcdir' -INSTALL='$INSTALL' -MKDIR_P='$MKDIR_P' -_ACEOF +# Command to use after uninstallation of a shared archive. +postuninstall_cmds=$lt_postuninstall_cmds -cat >>$CONFIG_STATUS <<\_ACEOF -# If no file are specified by the user, then we need to provide default -# value. 
By we need to know if files were specified by the user. -ac_need_defaults=: -while test $# != 0 -do - case $1 in - --*=*) - ac_option=`expr "X$1" : 'X\([^=]*\)='` - ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'` - ac_shift=: - ;; - *) - ac_option=$1 - ac_optarg=$2 - ac_shift=shift - ;; - esac +# Commands used to finish a libtool library installation in a directory. +finish_cmds=$lt_finish_cmds - case $ac_option in - # Handling of the options. - -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) - ac_cs_recheck=: ;; - --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) - echo "$ac_cs_version"; exit ;; - --debug | --debu | --deb | --de | --d | -d ) - debug=: ;; - --file | --fil | --fi | --f ) - $ac_shift - CONFIG_FILES="$CONFIG_FILES $ac_optarg" - ac_need_defaults=false;; - --header | --heade | --head | --hea ) - $ac_shift - CONFIG_HEADERS="$CONFIG_HEADERS $ac_optarg" - ac_need_defaults=false;; - --he | --h) - # Conflict between --help and --header - { echo "$as_me: error: ambiguous option: $1 -Try \`$0 --help' for more information." >&2 - { (exit 1); exit 1; }; };; - --help | --hel | -h ) - echo "$ac_cs_usage"; exit ;; - -q | -quiet | --quiet | --quie | --qui | --qu | --q \ - | -silent | --silent | --silen | --sile | --sil | --si | --s) - ac_cs_silent=: ;; +# As "finish_cmds", except a single script fragment to be evaled but +# not shown. +finish_eval=$lt_finish_eval - # This is an error. - -*) { echo "$as_me: error: unrecognized option: $1 -Try \`$0 --help' for more information." >&2 - { (exit 1); exit 1; }; } ;; +# Whether we should hardcode library paths into libraries. +hardcode_into_libs=$hardcode_into_libs - *) ac_config_targets="$ac_config_targets $1" - ac_need_defaults=false ;; +# Compile-time system search path for libraries. +sys_lib_search_path_spec=$lt_sys_lib_search_path_spec - esac - shift -done +# Run-time system search path for libraries. 
+sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec -ac_configure_extra_args= +# Whether dlopen is supported. +dlopen_support=$enable_dlopen -if $ac_cs_silent; then - exec 6>/dev/null - ac_configure_extra_args="$ac_configure_extra_args --silent" -fi +# Whether dlopen of programs is supported. +dlopen_self=$enable_dlopen_self -_ACEOF -cat >>$CONFIG_STATUS <<_ACEOF -if \$ac_cs_recheck; then - echo "running CONFIG_SHELL=$SHELL $SHELL $0 "$ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6 - CONFIG_SHELL=$SHELL - export CONFIG_SHELL - exec $SHELL "$0"$ac_configure_args \$ac_configure_extra_args --no-create --no-recursion -fi +# Whether dlopen of statically linked programs is supported. +dlopen_self_static=$enable_dlopen_self_static -_ACEOF -cat >>$CONFIG_STATUS <<\_ACEOF -exec 5>>config.log -{ - echo - sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX -## Running $as_me. ## -_ASBOX - echo "$ac_log" -} >&5 +# Commands to strip libraries. +old_striplib=$lt_old_striplib +striplib=$lt_striplib -_ACEOF -cat >>$CONFIG_STATUS <<_ACEOF -# -# INIT-COMMANDS -# -AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir" -_ACEOF +# The linker used to build libraries. +LD=$lt_LD -cat >>$CONFIG_STATUS <<\_ACEOF +# Commands used to build an old-style archive. +old_archive_cmds=$lt_old_archive_cmds -# Handling of arguments. 
-for ac_config_target in $ac_config_targets -do - case $ac_config_target in - "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;; - "depfiles") CONFIG_COMMANDS="$CONFIG_COMMANDS depfiles" ;; - "snort.pc") CONFIG_FILES="$CONFIG_FILES snort.pc" ;; - "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; - "src/Makefile") CONFIG_FILES="$CONFIG_FILES src/Makefile" ;; - "src/sfutil/Makefile") CONFIG_FILES="$CONFIG_FILES src/sfutil/Makefile" ;; - "src/detection-plugins/Makefile") CONFIG_FILES="$CONFIG_FILES src/detection-plugins/Makefile" ;; - "src/dynamic-examples/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-examples/Makefile" ;; - "src/dynamic-examples/dynamic-preprocessor/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-examples/dynamic-preprocessor/Makefile" ;; - "src/dynamic-examples/dynamic-rule/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-examples/dynamic-rule/Makefile" ;; - "src/dynamic-plugins/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-plugins/Makefile" ;; - "src/dynamic-plugins/sf_engine/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-plugins/sf_engine/Makefile" ;; - "src/dynamic-plugins/sf_engine/examples/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-plugins/sf_engine/examples/Makefile" ;; - "src/dynamic-plugins/sf_preproc_example/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-plugins/sf_preproc_example/Makefile" ;; - "src/dynamic-preprocessors/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/Makefile" ;; - "src/dynamic-preprocessors/libs/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/libs/Makefile" ;; - "src/dynamic-preprocessors/ftptelnet/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/ftptelnet/Makefile" ;; - "src/dynamic-preprocessors/smtp/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/smtp/Makefile" ;; - "src/dynamic-preprocessors/ssh/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/ssh/Makefile" ;; - 
"src/dynamic-preprocessors/dcerpc/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/dcerpc/Makefile" ;; - "src/dynamic-preprocessors/dcerpc2/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/dcerpc2/Makefile" ;; - "src/dynamic-preprocessors/dns/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/dns/Makefile" ;; - "src/dynamic-preprocessors/ssl/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/ssl/Makefile" ;; - "src/output-plugins/Makefile") CONFIG_FILES="$CONFIG_FILES src/output-plugins/Makefile" ;; - "src/preprocessors/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/Makefile" ;; - "src/preprocessors/HttpInspect/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/HttpInspect/Makefile" ;; - "src/preprocessors/HttpInspect/include/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/HttpInspect/include/Makefile" ;; - "src/preprocessors/HttpInspect/utils/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/HttpInspect/utils/Makefile" ;; - "src/preprocessors/HttpInspect/anomaly_detection/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/HttpInspect/anomaly_detection/Makefile" ;; - "src/preprocessors/HttpInspect/client/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/HttpInspect/client/Makefile" ;; - "src/preprocessors/HttpInspect/event_output/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/HttpInspect/event_output/Makefile" ;; - "src/preprocessors/HttpInspect/mode_inspection/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/HttpInspect/mode_inspection/Makefile" ;; - "src/preprocessors/HttpInspect/normalization/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/HttpInspect/normalization/Makefile" ;; - "src/preprocessors/HttpInspect/server/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/HttpInspect/server/Makefile" ;; - "src/preprocessors/HttpInspect/session_inspection/Makefile") CONFIG_FILES="$CONFIG_FILES 
src/preprocessors/HttpInspect/session_inspection/Makefile" ;; - "src/preprocessors/HttpInspect/user_interface/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/HttpInspect/user_interface/Makefile" ;; - "src/preprocessors/Stream5/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/Stream5/Makefile" ;; - "src/parser/Makefile") CONFIG_FILES="$CONFIG_FILES src/parser/Makefile" ;; - "src/target-based/Makefile") CONFIG_FILES="$CONFIG_FILES src/target-based/Makefile" ;; - "doc/Makefile") CONFIG_FILES="$CONFIG_FILES doc/Makefile" ;; - "contrib/Makefile") CONFIG_FILES="$CONFIG_FILES contrib/Makefile" ;; - "schemas/Makefile") CONFIG_FILES="$CONFIG_FILES schemas/Makefile" ;; - "rpm/Makefile") CONFIG_FILES="$CONFIG_FILES rpm/Makefile" ;; - "preproc_rules/Makefile") CONFIG_FILES="$CONFIG_FILES preproc_rules/Makefile" ;; - "m4/Makefile") CONFIG_FILES="$CONFIG_FILES m4/Makefile" ;; - "etc/Makefile") CONFIG_FILES="$CONFIG_FILES etc/Makefile" ;; - "templates/Makefile") CONFIG_FILES="$CONFIG_FILES templates/Makefile" ;; - "src/win32/Makefile") CONFIG_FILES="$CONFIG_FILES src/win32/Makefile" ;; +# A language specific compiler. +CC=$lt_compiler - *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5 -echo "$as_me: error: invalid argument: $ac_config_target" >&2;} - { (exit 1); exit 1; }; };; - esac -done +# Is the compiler the GNU compiler? +with_gcc=$GCC +# Compiler flag to turn off builtin functions. +no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag -# If the user did not use the arguments to specify the items to instantiate, -# then the envvar interface is used. Set only those that are not. -# We use the long form for the default assignment because of an extremely -# bizarre bug on SunOS 4.1.3. 
-if $ac_need_defaults; then - test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files - test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers - test "${CONFIG_COMMANDS+set}" = set || CONFIG_COMMANDS=$config_commands -fi +# How to pass a linker flag through the compiler. +wl=$lt_lt_prog_compiler_wl -# Have a temporary directory for convenience. Make it in the build tree -# simply because there is no reason against having it here, and in addition, -# creating and moving files from /tmp can sometimes cause problems. -# Hook for its removal unless debugging. -# Note that there is a small window in which the directory will not be cleaned: -# after its creation but before its name has been assigned to `$tmp'. -$debug || -{ - tmp= - trap 'exit_status=$? - { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status -' 0 - trap '{ (exit 1); exit 1; }' 1 2 13 15 -} -# Create a (secure) tmp directory for tmp files. +# Additional compiler flags for building library objects. +pic_flag=$lt_lt_prog_compiler_pic + +# Compiler flag to prevent dynamic linking. +link_static_flag=$lt_lt_prog_compiler_static + +# Does compiler simultaneously support -c and -o options? +compiler_c_o=$lt_lt_cv_prog_compiler_c_o + +# Whether or not to add -lc for building shared libraries. +build_libtool_need_lc=$archive_cmds_need_lc + +# Whether or not to disallow shared libs when runtime libs are static. +allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes + +# Compiler flag to allow reflexive dlopens. +export_dynamic_flag_spec=$lt_export_dynamic_flag_spec -{ - tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` && - test -n "$tmp" && test -d "$tmp" -} || -{ - tmp=./conf$$-$RANDOM - (umask 077 && mkdir "$tmp") -} || -{ - echo "$me: cannot create a temporary directory in ." >&2 - { (exit 1); exit 1; } -} +# Compiler flag to generate shared objects directly from archives. 
+whole_archive_flag_spec=$lt_whole_archive_flag_spec -# -# Set up the sed scripts for CONFIG_FILES section. -# +# Whether the compiler copes with passing no objects directly. +compiler_needs_object=$lt_compiler_needs_object -# No need to generate the scripts if there are no CONFIG_FILES. -# This happens for instance when ./config.status config.h -if test -n "$CONFIG_FILES"; then +# Create an old-style archive from a shared archive. +old_archive_from_new_cmds=$lt_old_archive_from_new_cmds -_ACEOF +# Create a temporary old-style archive to link instead of a shared archive. +old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds +# Commands used to build a shared archive. +archive_cmds=$lt_archive_cmds +archive_expsym_cmds=$lt_archive_expsym_cmds +# Commands used to build a loadable module if different from building +# a shared archive. +module_cmds=$lt_module_cmds +module_expsym_cmds=$lt_module_expsym_cmds -ac_delim='%!_!# ' -for ac_last_try in false false false false false :; do - cat >conf$$subs.sed <<_ACEOF -SHELL!$SHELL$ac_delim -PATH_SEPARATOR!$PATH_SEPARATOR$ac_delim -PACKAGE_NAME!$PACKAGE_NAME$ac_delim -PACKAGE_TARNAME!$PACKAGE_TARNAME$ac_delim -PACKAGE_VERSION!$PACKAGE_VERSION$ac_delim -PACKAGE_STRING!$PACKAGE_STRING$ac_delim -PACKAGE_BUGREPORT!$PACKAGE_BUGREPORT$ac_delim -exec_prefix!$exec_prefix$ac_delim -prefix!$prefix$ac_delim -program_transform_name!$program_transform_name$ac_delim -bindir!$bindir$ac_delim -sbindir!$sbindir$ac_delim -libexecdir!$libexecdir$ac_delim -datarootdir!$datarootdir$ac_delim -datadir!$datadir$ac_delim -sysconfdir!$sysconfdir$ac_delim -sharedstatedir!$sharedstatedir$ac_delim -localstatedir!$localstatedir$ac_delim -includedir!$includedir$ac_delim -oldincludedir!$oldincludedir$ac_delim -docdir!$docdir$ac_delim -infodir!$infodir$ac_delim -htmldir!$htmldir$ac_delim -dvidir!$dvidir$ac_delim -pdfdir!$pdfdir$ac_delim -psdir!$psdir$ac_delim -libdir!$libdir$ac_delim -localedir!$localedir$ac_delim -mandir!$mandir$ac_delim 
-DEFS!$DEFS$ac_delim -ECHO_C!$ECHO_C$ac_delim -ECHO_N!$ECHO_N$ac_delim -ECHO_T!$ECHO_T$ac_delim -LIBS!$LIBS$ac_delim -build_alias!$build_alias$ac_delim -host_alias!$host_alias$ac_delim -target_alias!$target_alias$ac_delim -INSTALL_PROGRAM!$INSTALL_PROGRAM$ac_delim -INSTALL_SCRIPT!$INSTALL_SCRIPT$ac_delim -INSTALL_DATA!$INSTALL_DATA$ac_delim -am__isrc!$am__isrc$ac_delim -CYGPATH_W!$CYGPATH_W$ac_delim -PACKAGE!$PACKAGE$ac_delim -VERSION!$VERSION$ac_delim -ACLOCAL!$ACLOCAL$ac_delim -AUTOCONF!$AUTOCONF$ac_delim -AUTOMAKE!$AUTOMAKE$ac_delim -AUTOHEADER!$AUTOHEADER$ac_delim -MAKEINFO!$MAKEINFO$ac_delim -install_sh!$install_sh$ac_delim -STRIP!$STRIP$ac_delim -INSTALL_STRIP_PROGRAM!$INSTALL_STRIP_PROGRAM$ac_delim -mkdir_p!$mkdir_p$ac_delim -AWK!$AWK$ac_delim -SET_MAKE!$SET_MAKE$ac_delim -am__leading_dot!$am__leading_dot$ac_delim -AMTAR!$AMTAR$ac_delim -am__tar!$am__tar$ac_delim -am__untar!$am__untar$ac_delim -MAINTAINER_MODE_TRUE!$MAINTAINER_MODE_TRUE$ac_delim -MAINTAINER_MODE_FALSE!$MAINTAINER_MODE_FALSE$ac_delim -MAINT!$MAINT$ac_delim -CC!$CC$ac_delim -CFLAGS!$CFLAGS$ac_delim -LDFLAGS!$LDFLAGS$ac_delim -CPPFLAGS!$CPPFLAGS$ac_delim -ac_ct_CC!$ac_ct_CC$ac_delim -EXEEXT!$EXEEXT$ac_delim -OBJEXT!$OBJEXT$ac_delim -DEPDIR!$DEPDIR$ac_delim -am__include!$am__include$ac_delim -am__quote!$am__quote$ac_delim -AMDEP_TRUE!$AMDEP_TRUE$ac_delim -AMDEP_FALSE!$AMDEP_FALSE$ac_delim -AMDEPBACKSLASH!$AMDEPBACKSLASH$ac_delim -CCDEPMODE!$CCDEPMODE$ac_delim -am__fastdepCC_TRUE!$am__fastdepCC_TRUE$ac_delim -am__fastdepCC_FALSE!$am__fastdepCC_FALSE$ac_delim -build!$build$ac_delim -build_cpu!$build_cpu$ac_delim -build_vendor!$build_vendor$ac_delim -build_os!$build_os$ac_delim -host!$host$ac_delim -host_cpu!$host_cpu$ac_delim -host_vendor!$host_vendor$ac_delim -host_os!$host_os$ac_delim -SED!$SED$ac_delim -GREP!$GREP$ac_delim -EGREP!$EGREP$ac_delim -LN_S!$LN_S$ac_delim -ECHO!$ECHO$ac_delim -AR!$AR$ac_delim -RANLIB!$RANLIB$ac_delim -CPP!$CPP$ac_delim -CXX!$CXX$ac_delim -CXXFLAGS!$CXXFLAGS$ac_delim 
-ac_ct_CXX!$ac_ct_CXX$ac_delim -_ACEOF +# Whether we are building with GNU ld or not. +with_gnu_ld=$lt_with_gnu_ld - if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then - break - elif $ac_last_try; then - { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 -echo "$as_me: error: could not make $CONFIG_STATUS" >&2;} - { (exit 1); exit 1; }; } - else - ac_delim="$ac_delim!$ac_delim _$ac_delim!! " - fi -done +# Flag that allows shared libraries with undefined symbols to be built. +allow_undefined_flag=$lt_allow_undefined_flag -ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed` -if test -n "$ac_eof"; then - ac_eof=`echo "$ac_eof" | sort -nru | sed 1q` - ac_eof=`expr $ac_eof + 1` -fi +# Flag that enforces no undefined symbols. +no_undefined_flag=$lt_no_undefined_flag -cat >>$CONFIG_STATUS <<_ACEOF -cat >"\$tmp/subs-1.sed" <<\CEOF$ac_eof -/@[a-zA-Z_][a-zA-Z_0-9]*@/!b -_ACEOF -sed ' -s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g -s/^/s,@/; s/!/@,|#_!!_#|/ -:n -t n -s/'"$ac_delim"'$/,g/; t -s/$/\\/; p -N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n -' >>$CONFIG_STATUS >$CONFIG_STATUS <<_ACEOF -CEOF$ac_eof -_ACEOF +# Flag to hardcode \$libdir into a binary during linking. +# This must work even if \$libdir does not exist +hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec +# If ld is used when linking, flag to hardcode \$libdir into a binary +# during linking. This must work even if \$libdir does not exist. 
+hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld -ac_delim='%!_!# ' -for ac_last_try in false false false false false :; do - cat >conf$$subs.sed <<_ACEOF -CXXDEPMODE!$CXXDEPMODE$ac_delim -am__fastdepCXX_TRUE!$am__fastdepCXX_TRUE$ac_delim -am__fastdepCXX_FALSE!$am__fastdepCXX_FALSE$ac_delim -CXXCPP!$CXXCPP$ac_delim -F77!$F77$ac_delim -FFLAGS!$FFLAGS$ac_delim -ac_ct_F77!$ac_ct_F77$ac_delim -LIBTOOL!$LIBTOOL$ac_delim -extra_incl!$extra_incl$ac_delim -YACC!$YACC$ac_delim -LEX!$LEX$ac_delim -HAVE_DYNAMIC_PLUGINS_TRUE!$HAVE_DYNAMIC_PLUGINS_TRUE$ac_delim -HAVE_DYNAMIC_PLUGINS_FALSE!$HAVE_DYNAMIC_PLUGINS_FALSE$ac_delim -HAVE_SUP_IP6_TRUE!$HAVE_SUP_IP6_TRUE$ac_delim -HAVE_SUP_IP6_FALSE!$HAVE_SUP_IP6_FALSE$ac_delim -HAVE_TARGET_BASED_TRUE!$HAVE_TARGET_BASED_TRUE$ac_delim -HAVE_TARGET_BASED_FALSE!$HAVE_TARGET_BASED_FALSE$ac_delim -LIBPRELUDE_CONFIG!$LIBPRELUDE_CONFIG$ac_delim -LIBPRELUDE_CFLAGS!$LIBPRELUDE_CFLAGS$ac_delim -LIBPRELUDE_PTHREAD_CFLAGS!$LIBPRELUDE_PTHREAD_CFLAGS$ac_delim -LIBPRELUDE_LDFLAGS!$LIBPRELUDE_LDFLAGS$ac_delim -LIBPRELUDE_LIBS!$LIBPRELUDE_LIBS$ac_delim -LIBPRELUDE_PREFIX!$LIBPRELUDE_PREFIX$ac_delim -LIBPRELUDE_CONFIG_PREFIX!$LIBPRELUDE_CONFIG_PREFIX$ac_delim -INCLUDES!$INCLUDES$ac_delim -LIBOBJS!$LIBOBJS$ac_delim -LTLIBOBJS!$LTLIBOBJS$ac_delim -_ACEOF +# Whether we need a single "-rpath" flag with a separated argument. +hardcode_libdir_separator=$lt_hardcode_libdir_separator - if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 27; then - break - elif $ac_last_try; then - { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 -echo "$as_me: error: could not make $CONFIG_STATUS" >&2;} - { (exit 1); exit 1; }; } - else - ac_delim="$ac_delim!$ac_delim _$ac_delim!! " - fi -done +# Set to "yes" if using DIR/libNAME\${shared_ext} during linking hardcodes +# DIR into the resulting binary. 
+hardcode_direct=$hardcode_direct -ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed` -if test -n "$ac_eof"; then - ac_eof=`echo "$ac_eof" | sort -nru | sed 1q` - ac_eof=`expr $ac_eof + 1` -fi - -cat >>$CONFIG_STATUS <<_ACEOF -cat >"\$tmp/subs-2.sed" <<\CEOF$ac_eof -/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end -_ACEOF -sed ' -s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g -s/^/s,@/; s/!/@,|#_!!_#|/ -:n -t n -s/'"$ac_delim"'$/,g/; t -s/$/\\/; p -N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n -' >>$CONFIG_STATUS >$CONFIG_STATUS <<_ACEOF -:end -s/|#_!!_#|//g -CEOF$ac_eof -_ACEOF +# Set to "yes" if using DIR/libNAME\${shared_ext} during linking hardcodes +# DIR into the resulting binary and the resulting library dependency is +# "absolute",i.e impossible to change by setting \${shlibpath_var} if the +# library is relocated. +hardcode_direct_absolute=$hardcode_direct_absolute +# Set to "yes" if using the -LDIR flag during linking hardcodes DIR +# into the resulting binary. +hardcode_minus_L=$hardcode_minus_L -# VPATH may cause trouble with some makes, so we remove $(srcdir), -# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and -# trailing colons and then remove the whole line if VPATH becomes empty -# (actually we leave an empty line to preserve line numbers). -if test "x$srcdir" = x.; then - ac_vpsub='/^[ ]*VPATH[ ]*=/{ -s/:*\$(srcdir):*/:/ -s/:*\${srcdir}:*/:/ -s/:*@srcdir@:*/:/ -s/^\([^=]*=[ ]*\):*/\1/ -s/:*$// -s/^[^=]*=[ ]*$// -}' -fi +# Set to "yes" if using SHLIBPATH_VAR=DIR during linking hardcodes DIR +# into the resulting binary. +hardcode_shlibpath_var=$hardcode_shlibpath_var -cat >>$CONFIG_STATUS <<\_ACEOF -fi # test -n "$CONFIG_FILES" +# Set to "yes" if building a shared library automatically hardcodes DIR +# into the library and all subsequent libraries and executables linked +# against it. +hardcode_automatic=$hardcode_automatic +# Set to yes if linker adds runtime paths of dependent libraries +# to runtime path list. 
+inherit_rpath=$inherit_rpath -for ac_tag in :F $CONFIG_FILES :H $CONFIG_HEADERS :C $CONFIG_COMMANDS -do - case $ac_tag in - :[FHLC]) ac_mode=$ac_tag; continue;; - esac - case $ac_mode$ac_tag in - :[FHL]*:*);; - :L* | :C*:*) { { echo "$as_me:$LINENO: error: Invalid tag $ac_tag." >&5 -echo "$as_me: error: Invalid tag $ac_tag." >&2;} - { (exit 1); exit 1; }; };; - :[FH]-) ac_tag=-:-;; - :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; - esac - ac_save_IFS=$IFS - IFS=: - set x $ac_tag - IFS=$ac_save_IFS - shift - ac_file=$1 - shift +# Whether libtool must link a program against all its dependency libraries. +link_all_deplibs=$link_all_deplibs - case $ac_mode in - :L) ac_source=$1;; - :[FH]) - ac_file_inputs= - for ac_f - do - case $ac_f in - -) ac_f="$tmp/stdin";; - *) # Look for the file first in the build tree, then in the source tree - # (if the path is not absolute). The absolute path cannot be DOS-style, - # because $ac_f cannot contain `:'. - test -f "$ac_f" || - case $ac_f in - [\\/$]*) false;; - *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; - esac || - { { echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5 -echo "$as_me: error: cannot find input file: $ac_f" >&2;} - { (exit 1); exit 1; }; };; - esac - ac_file_inputs="$ac_file_inputs $ac_f" - done +# Fix the shell variable \$srcfile for the compiler. +fix_srcfile_path=$lt_fix_srcfile_path - # Let's still pretend it is `configure' which instantiates (i.e., don't - # use $as_me), people would be surprised to read: - # /* config.h. Generated by config.status. */ - configure_input="Generated from "`IFS=: - echo $* | sed 's|^[^:]*/||;s|:[^:]*/|, |g'`" by configure." - if test x"$ac_file" != x-; then - configure_input="$ac_file. $configure_input" - { echo "$as_me:$LINENO: creating $ac_file" >&5 -echo "$as_me: creating $ac_file" >&6;} - fi +# Set to "yes" if exported symbols are required. 
+always_export_symbols=$always_export_symbols - case $ac_tag in - *:-:* | *:-) cat >"$tmp/stdin";; - esac - ;; - esac +# The commands to list exported symbols. +export_symbols_cmds=$lt_export_symbols_cmds - ac_dir=`$as_dirname -- "$ac_file" || -$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$ac_file" : 'X\(//\)[^/]' \| \ - X"$ac_file" : 'X\(//\)$' \| \ - X"$ac_file" : 'X\(/\)' \| . 2>/dev/null || -echo X"$ac_file" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ - s//\1/ - q - } - /^X\(\/\/\)[^/].*/{ - s//\1/ - q - } - /^X\(\/\/\)$/{ - s//\1/ - q - } - /^X\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q'` - { as_dir="$ac_dir" - case $as_dir in #( - -*) as_dir=./$as_dir;; - esac - test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || { - as_dirs= - while :; do - case $as_dir in #( - *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #( - *) as_qdir=$as_dir;; - esac - as_dirs="'$as_qdir' $as_dirs" - as_dir=`$as_dirname -- "$as_dir" || -$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$as_dir" : 'X\(//\)[^/]' \| \ - X"$as_dir" : 'X\(//\)$' \| \ - X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || -echo X"$as_dir" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ - s//\1/ - q - } - /^X\(\/\/\)[^/].*/{ - s//\1/ - q - } - /^X\(\/\/\)$/{ - s//\1/ - q - } - /^X\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q'` - test -d "$as_dir" && break - done - test -z "$as_dirs" || eval "mkdir $as_dirs" - } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5 -echo "$as_me: error: cannot create directory $as_dir" >&2;} - { (exit 1); exit 1; }; }; } - ac_builddir=. +# Symbols that should not be listed in the preloaded symbols. +exclude_expsyms=$lt_exclude_expsyms -case "$ac_dir" in -.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; -*) - ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'` - # A ".." for each directory in $ac_dir_suffix. 
- ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'` - case $ac_top_builddir_sub in - "") ac_top_builddir_sub=. ac_top_build_prefix= ;; - *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; - esac ;; -esac -ac_abs_top_builddir=$ac_pwd -ac_abs_builddir=$ac_pwd$ac_dir_suffix -# for backward compatibility: -ac_top_builddir=$ac_top_build_prefix +# Symbols that must always be exported. +include_expsyms=$lt_include_expsyms -case $srcdir in - .) # We are building in place. - ac_srcdir=. - ac_top_srcdir=$ac_top_builddir_sub - ac_abs_top_srcdir=$ac_pwd ;; - [\\/]* | ?:[\\/]* ) # Absolute name. - ac_srcdir=$srcdir$ac_dir_suffix; - ac_top_srcdir=$srcdir - ac_abs_top_srcdir=$srcdir ;; - *) # Relative name. - ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix - ac_top_srcdir=$ac_top_build_prefix$srcdir - ac_abs_top_srcdir=$ac_pwd/$srcdir ;; -esac -ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix +# Commands necessary for linking programs (against libraries) with templates. +prelink_cmds=$lt_prelink_cmds +# Specify filename containing input files. +file_list_spec=$lt_file_list_spec - case $ac_mode in - :F) - # - # CONFIG_FILE - # +# How to hardcode a shared library path into an executable. +hardcode_action=$hardcode_action - case $INSTALL in - [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;; - *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;; +# ### END LIBTOOL CONFIG + +_LT_EOF + + case $host_os in + aix3*) + cat <<\_LT_EOF >> "$cfgfile" +# AIX sometimes has problems with the GCC collect2 program. For some +# reason, if we set the COLLECT_NAMES environment variable, the problems +# vanish in a puff of smoke. 
+if test "X${COLLECT_NAMES+set}" != Xset; then + COLLECT_NAMES= + export COLLECT_NAMES +fi +_LT_EOF + ;; esac - ac_MKDIR_P=$MKDIR_P - case $MKDIR_P in - [\\/$]* | ?:[\\/]* ) ;; - */*) ac_MKDIR_P=$ac_top_build_prefix$MKDIR_P ;; + + +ltmain="$ac_aux_dir/ltmain.sh" + + + # We use sed instead of cat because bash on DJGPP gets confused if + # if finds mixed CR/LF and LF-only lines. Since sed operates in + # text mode, it properly converts lines to CR/LF. This bash problem + # is reportedly fixed, but why not run on old versions too? + sed '/^# Generated shell functions inserted here/q' "$ltmain" >> "$cfgfile" \ + || (rm -f "$cfgfile"; exit 1) + + case $xsi_shell in + yes) + cat << \_LT_EOF >> "$cfgfile" + +# func_dirname file append nondir_replacement +# Compute the dirname of FILE. If nonempty, add APPEND to the result, +# otherwise set result to NONDIR_REPLACEMENT. +func_dirname () +{ + case ${1} in + */*) func_dirname_result="${1%/*}${2}" ;; + * ) func_dirname_result="${3}" ;; esac -_ACEOF +} -cat >>$CONFIG_STATUS <<\_ACEOF -# If the template does not know about datarootdir, expand it. -# FIXME: This hack should be removed a few years after 2.60. -ac_datarootdir_hack=; ac_datarootdir_seen= +# func_basename file +func_basename () +{ + func_basename_result="${1##*/}" +} -case `sed -n '/datarootdir/ { - p - q +# func_dirname_and_basename file append nondir_replacement +# perform func_basename and func_dirname in a single function +# call: +# dirname: Compute the dirname of FILE. If nonempty, +# add APPEND to the result, otherwise set result +# to NONDIR_REPLACEMENT. +# value returned in "$func_dirname_result" +# basename: Compute filename of FILE. +# value retuned in "$func_basename_result" +# Implementation must be kept synchronized with func_dirname +# and func_basename. For efficiency, we do not delegate to +# those functions but instead duplicate the functionality here. 
+func_dirname_and_basename () +{ + case ${1} in + */*) func_dirname_result="${1%/*}${2}" ;; + * ) func_dirname_result="${3}" ;; + esac + func_basename_result="${1##*/}" } -/@datadir@/p -/@docdir@/p -/@infodir@/p -/@localedir@/p -/@mandir@/p -' $ac_file_inputs` in -*datarootdir*) ac_datarootdir_seen=yes;; -*@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) - { echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 -echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} -_ACEOF -cat >>$CONFIG_STATUS <<_ACEOF - ac_datarootdir_hack=' - s&@datadir@&$datadir&g - s&@docdir@&$docdir&g - s&@infodir@&$infodir&g - s&@localedir@&$localedir&g - s&@mandir@&$mandir&g - s&\\\${datarootdir}&$datarootdir&g' ;; -esac -_ACEOF -# Neutralize VPATH when `$srcdir' = `.'. -# Shell code in configure.ac might set extrasub. -# FIXME: do we really want to maintain this feature? -cat >>$CONFIG_STATUS <<_ACEOF - sed "$ac_vpsub -$extrasub -_ACEOF -cat >>$CONFIG_STATUS <<\_ACEOF -:t -/@[a-zA-Z_][a-zA-Z_0-9]*@/!b -s&@configure_input@&$configure_input&;t t -s&@top_builddir@&$ac_top_builddir_sub&;t t -s&@srcdir@&$ac_srcdir&;t t -s&@abs_srcdir@&$ac_abs_srcdir&;t t -s&@top_srcdir@&$ac_top_srcdir&;t t -s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t -s&@builddir@&$ac_builddir&;t t -s&@abs_builddir@&$ac_abs_builddir&;t t -s&@abs_top_builddir@&$ac_abs_top_builddir&;t t -s&@INSTALL@&$ac_INSTALL&;t t -s&@MKDIR_P@&$ac_MKDIR_P&;t t -$ac_datarootdir_hack -" $ac_file_inputs | sed -f "$tmp/subs-1.sed" | sed -f "$tmp/subs-2.sed" >$tmp/out +# func_stripname prefix suffix name +# strip PREFIX and SUFFIX off of NAME. +# PREFIX and SUFFIX must not contain globbing or regex special +# characters, hashes, percent signs, but SUFFIX may contain a leading +# dot (in which case that matches only a dot). 
+func_stripname () +{ + # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are + # positional parameters, so assign one to ordinary parameter first. + func_stripname_result=${3} + func_stripname_result=${func_stripname_result#"${1}"} + func_stripname_result=${func_stripname_result%"${2}"} +} -test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && - { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } && - { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } && - { echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir' -which seems to be undefined. Please make sure it is defined." >&5 -echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' -which seems to be undefined. Please make sure it is defined." >&2;} +# func_opt_split +func_opt_split () +{ + func_opt_split_opt=${1%%=*} + func_opt_split_arg=${1#*=} +} - rm -f "$tmp/stdin" - case $ac_file in - -) cat "$tmp/out"; rm -f "$tmp/out";; - *) rm -f "$ac_file"; mv "$tmp/out" $ac_file;; +# func_lo2o object +func_lo2o () +{ + case ${1} in + *.lo) func_lo2o_result=${1%.lo}.${objext} ;; + *) func_lo2o_result=${1} ;; esac - ;; - :H) - # - # CONFIG_HEADER - # -_ACEOF +} -# Transform confdefs.h into a sed script `conftest.defines', that -# substitutes the proper values into config.h.in to produce config.h. -rm -f conftest.defines conftest.tail -# First, append a space to every undef/define line, to ease matching. -echo 's/$/ /' >conftest.defines -# Then, protect against being on the right side of a sed subst, or in -# an unquoted here document, in config.status. If some macros were -# called several times there might be several #defines for the same -# symbol, which is useless. But do not sort them, since the last -# AC_DEFINE must be honored. 
-ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]* -# These sed commands are passed to sed as "A NAME B PARAMS C VALUE D", where -# NAME is the cpp macro being defined, VALUE is the value it is being given. -# PARAMS is the parameter list in the macro definition--in most cases, it's -# just an empty string. -ac_dA='s,^\\([ #]*\\)[^ ]*\\([ ]*' -ac_dB='\\)[ (].*,\\1define\\2' -ac_dC=' ' -ac_dD=' ,' +# func_xform libobj-or-source +func_xform () +{ + func_xform_result=${1%.*}.lo +} -uniq confdefs.h | - sed -n ' - t rset - :rset - s/^[ ]*#[ ]*define[ ][ ]*// - t ok - d - :ok - s/[\\&,]/\\&/g - s/^\('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/ '"$ac_dA"'\1'"$ac_dB"'\2'"${ac_dC}"'\3'"$ac_dD"'/p - s/^\('"$ac_word_re"'\)[ ]*\(.*\)/'"$ac_dA"'\1'"$ac_dB$ac_dC"'\2'"$ac_dD"'/p - ' >>conftest.defines - -# Remove the space that was appended to ease matching. -# Then replace #undef with comments. This is necessary, for -# example, in the case of _POSIX_SOURCE, which is predefined and required -# on some systems where configure will not decide to define it. -# (The regexp can be short, since the line contains either #define or #undef.) -echo 's/ $// -s,^[ #]*u.*,/* & */,' >>conftest.defines - -# Break up conftest.defines: -ac_max_sed_lines=50 - -# First sed command is: sed -f defines.sed $ac_file_inputs >"$tmp/out1" -# Second one is: sed -f defines.sed "$tmp/out1" >"$tmp/out2" -# Third one will be: sed -f defines.sed "$tmp/out2" >"$tmp/out1" -# et cetera. 
-ac_in='$ac_file_inputs' -ac_out='"$tmp/out1"' -ac_nxt='"$tmp/out2"' - -while : -do - # Write a here document: - cat >>$CONFIG_STATUS <<_ACEOF - # First, check the format of the line: - cat >"\$tmp/defines.sed" <<\\CEOF -/^[ ]*#[ ]*undef[ ][ ]*$ac_word_re[ ]*\$/b def -/^[ ]*#[ ]*define[ ][ ]*$ac_word_re[( ]/b def -b -:def -_ACEOF - sed ${ac_max_sed_lines}q conftest.defines >>$CONFIG_STATUS - echo 'CEOF - sed -f "$tmp/defines.sed"' "$ac_in >$ac_out" >>$CONFIG_STATUS - ac_in=$ac_out; ac_out=$ac_nxt; ac_nxt=$ac_in - sed 1,${ac_max_sed_lines}d conftest.defines >conftest.tail - grep . conftest.tail >/dev/null || break - rm -f conftest.defines - mv conftest.tail conftest.defines -done -rm -f conftest.defines conftest.tail +# func_arith arithmetic-term... +func_arith () +{ + func_arith_result=$(( $* )) +} -echo "ac_result=$ac_in" >>$CONFIG_STATUS -cat >>$CONFIG_STATUS <<\_ACEOF - if test x"$ac_file" != x-; then - echo "/* $configure_input */" >"$tmp/config.h" - cat "$ac_result" >>"$tmp/config.h" - if diff $ac_file "$tmp/config.h" >/dev/null 2>&1; then - { echo "$as_me:$LINENO: $ac_file is unchanged" >&5 -echo "$as_me: $ac_file is unchanged" >&6;} - else - rm -f $ac_file - mv "$tmp/config.h" $ac_file - fi +# func_len string +# STRING may not start with a hyphen. +func_len () +{ + func_len_result=${#1} +} + +_LT_EOF + ;; + *) # Bourne compatible functions. + cat << \_LT_EOF >> "$cfgfile" + +# func_dirname file append nondir_replacement +# Compute the dirname of FILE. If nonempty, add APPEND to the result, +# otherwise set result to NONDIR_REPLACEMENT. +func_dirname () +{ + # Extract subdirectory from the argument. + func_dirname_result=`$ECHO "X${1}" | $Xsed -e "$dirname"` + if test "X$func_dirname_result" = "X${1}"; then + func_dirname_result="${3}" else - echo "/* $configure_input */" - cat "$ac_result" + func_dirname_result="$func_dirname_result${2}" fi - rm -f "$tmp/out12" -# Compute $ac_file's index in $config_headers. 
-_am_stamp_count=1 -for _am_header in $config_headers :; do - case $_am_header in - $ac_file | $ac_file:* ) - break ;; - * ) - _am_stamp_count=`expr $_am_stamp_count + 1` ;; - esac -done -echo "timestamp for $ac_file" >`$as_dirname -- $ac_file || -$as_expr X$ac_file : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X$ac_file : 'X\(//\)[^/]' \| \ - X$ac_file : 'X\(//\)$' \| \ - X$ac_file : 'X\(/\)' \| . 2>/dev/null || -echo X$ac_file | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ - s//\1/ - q - } - /^X\(\/\/\)[^/].*/{ - s//\1/ - q - } - /^X\(\/\/\)$/{ - s//\1/ - q - } - /^X\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q'`/stamp-h$_am_stamp_count - ;; +} - :C) { echo "$as_me:$LINENO: executing $ac_file commands" >&5 -echo "$as_me: executing $ac_file commands" >&6;} - ;; +# func_basename file +func_basename () +{ + func_basename_result=`$ECHO "X${1}" | $Xsed -e "$basename"` +} + + +# func_stripname prefix suffix name +# strip PREFIX and SUFFIX off of NAME. +# PREFIX and SUFFIX must not contain globbing or regex special +# characters, hashes, percent signs, but SUFFIX may contain a leading +# dot (in which case that matches only a dot). +# func_strip_suffix prefix name +func_stripname () +{ + case ${2} in + .*) func_stripname_result=`$ECHO "X${3}" \ + | $Xsed -e "s%^${1}%%" -e "s%\\\\${2}\$%%"`;; + *) func_stripname_result=`$ECHO "X${3}" \ + | $Xsed -e "s%^${1}%%" -e "s%${2}\$%%"`;; esac +} +# sed scripts: +my_sed_long_opt='1s/^\(-[^=]*\)=.*/\1/;q' +my_sed_long_arg='1s/^-[^=]*=//' - case $ac_file$ac_mode in - "depfiles":C) test x"$AMDEP_TRUE" != x"" || for mf in $CONFIG_FILES; do - # Strip MF so we end up with the name of the file. - mf=`echo "$mf" | sed -e 's/:.*$//'` - # Check whether this is an Automake generated Makefile or not. - # We used to match only the files named `Makefile.in', but - # some people rename them; so instead we look at the file content. 
- # Grep'ing the first line is not enough: some people post-process - # each Makefile.in and add a new line on top of each file to say so. - # Grep'ing the whole file is not good either: AIX grep has a line - # limit of 2048, but all sed's we know have understand at least 4000. - if sed 10q "$mf" | grep '^#.*generated by automake' > /dev/null 2>&1; then - dirpart=`$as_dirname -- "$mf" || -$as_expr X"$mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$mf" : 'X\(//\)[^/]' \| \ - X"$mf" : 'X\(//\)$' \| \ - X"$mf" : 'X\(/\)' \| . 2>/dev/null || -echo X"$mf" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ - s//\1/ - q - } - /^X\(\/\/\)[^/].*/{ - s//\1/ - q - } - /^X\(\/\/\)$/{ - s//\1/ - q - } - /^X\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q'` - else - continue - fi - # Extract the definition of DEPDIR, am__include, and am__quote - # from the Makefile without running `make'. - DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"` - test -z "$DEPDIR" && continue - am__include=`sed -n 's/^am__include = //p' < "$mf"` - test -z "am__include" && continue - am__quote=`sed -n 's/^am__quote = //p' < "$mf"` - # When using ansi2knr, U may be empty or an underscore; expand it - U=`sed -n 's/^U = //p' < "$mf"` - # Find all dependency output files, they are included files with - # $(DEPDIR) in their names. We invoke sed twice because it is the - # simplest approach to changing $(DEPDIR) to its actual value in the - # expansion. - for file in `sed -n " - s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \ - sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do - # Make sure the directory exists. - test -f "$dirpart/$file" && continue - fdir=`$as_dirname -- "$file" || -$as_expr X"$file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$file" : 'X\(//\)[^/]' \| \ - X"$file" : 'X\(//\)$' \| \ - X"$file" : 'X\(/\)' \| . 
2>/dev/null || -echo X"$file" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ - s//\1/ - q - } - /^X\(\/\/\)[^/].*/{ - s//\1/ - q - } - /^X\(\/\/\)$/{ - s//\1/ - q - } - /^X\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q'` - { as_dir=$dirpart/$fdir - case $as_dir in #( - -*) as_dir=./$as_dir;; +# func_opt_split +func_opt_split () +{ + func_opt_split_opt=`$ECHO "X${1}" | $Xsed -e "$my_sed_long_opt"` + func_opt_split_arg=`$ECHO "X${1}" | $Xsed -e "$my_sed_long_arg"` +} + +# func_lo2o object +func_lo2o () +{ + func_lo2o_result=`$ECHO "X${1}" | $Xsed -e "$lo2o"` +} + +# func_xform libobj-or-source +func_xform () +{ + func_xform_result=`$ECHO "X${1}" | $Xsed -e 's/\.[^.]*$/.lo/'` +} + +# func_arith arithmetic-term... +func_arith () +{ + func_arith_result=`expr "$@"` +} + +# func_len string +# STRING may not start with a hyphen. +func_len () +{ + func_len_result=`expr "$1" : ".*" 2>/dev/null || echo $max_cmd_len` +} + +_LT_EOF +esac + +case $lt_shell_append in + yes) + cat << \_LT_EOF >> "$cfgfile" + +# func_append var value +# Append VALUE to the end of shell variable VAR. +func_append () +{ + eval "$1+=\$2" +} +_LT_EOF + ;; + *) + cat << \_LT_EOF >> "$cfgfile" + +# func_append var value +# Append VALUE to the end of shell variable VAR. +func_append () +{ + eval "$1=\$$1\$2" +} + +_LT_EOF + ;; esac - test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || { - as_dirs= - while :; do - case $as_dir in #( - *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #( - *) as_qdir=$as_dir;; - esac - as_dirs="'$as_qdir' $as_dirs" - as_dir=`$as_dirname -- "$as_dir" || -$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$as_dir" : 'X\(//\)[^/]' \| \ - X"$as_dir" : 'X\(//\)$' \| \ - X"$as_dir" : 'X\(/\)' \| . 
2>/dev/null || -echo X"$as_dir" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ - s//\1/ - q - } - /^X\(\/\/\)[^/].*/{ - s//\1/ - q - } - /^X\(\/\/\)$/{ - s//\1/ - q - } - /^X\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q'` - test -d "$as_dir" && break - done - test -z "$as_dirs" || eval "mkdir $as_dirs" - } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5 -echo "$as_me: error: cannot create directory $as_dir" >&2;} - { (exit 1); exit 1; }; }; } - # echo "creating $dirpart/$file" - echo '# dummy' > "$dirpart/$file" - done -done + + + sed -n '/^# Generated shell functions inserted here/,$p' "$ltmain" >> "$cfgfile" \ + || (rm -f "$cfgfile"; exit 1) + + mv -f "$cfgfile" "$ofile" || + (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile") + chmod +x "$ofile" + ;; esac @@ -31453,6 +26443,11 @@ chmod +x $CONFIG_STATUS ac_clean_files=$ac_clean_files_save +test $ac_write_fail = 0 || + { { $as_echo "$as_me:$LINENO: error: write failure creating $CONFIG_STATUS" >&5 +$as_echo "$as_me: error: write failure creating $CONFIG_STATUS" >&2;} + { (exit 1); exit 1; }; } + # configure is writing to config.log, and then calls config.status. # config.status does its own redirection, appending to config.log. @@ -31474,6 +26469,10 @@ # would make configure fail if this is the last instruction. $ac_cs_success || { (exit 1); exit 1; } fi +if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then + { $as_echo "$as_me:$LINENO: WARNING: unrecognized options: $ac_unrecognized_opts" >&5 +$as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} +fi if test "x$mysql_has_reconnect" = "xno"; then 
@@ -31498,3 +26497,25 @@ EOF fi + +if test "x$configuring_database" = "xyes"; then + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" + echo "!! WARNING: Database output plugins are deprecated as of Snort 2.9.2 and will be" + echo "!! removed in Snort 2.9.3. The recommended approach to logging is to" + echo "!! use unified2 with barnyard2 or similar." + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" +fi + +if test "x$enable_aruba" = "xyes"; then + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" + echo "!! WARNING: Arubu output plugin is deprecated as of Snort 2.9.2 and will be" + echo "!! removed in Snort 2.9.3." + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" +fi + +if test "x$enable_prelude" = "xyes"; then + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" + echo "!! WARNING: Prelude output plugin is deprecated as of Snort 2.9.2 and will be" + echo "!! removed in Snort 2.9.3." + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" +fi diff -Nru snort-2.8.5.2/configure.in snort-2.9.2/configure.in --- snort-2.8.5.2/configure.in 2009-12-15 23:27:50.000000000 +0000 +++ snort-2.9.2/configure.in 2011-12-07 18:33:49.000000000 +0000 @@ -1,11 +1,12 @@ -# $Id$ +# $Id$ AC_INIT AC_CONFIG_SRCDIR([src/snort.c]) AC_PREREQ(2.50) +#LT_PREREQ([2.2.6]) AM_CONFIG_HEADER(config.h) # When changing the snort version, please also update the VERSION # definition in "src/win32/WIN32-Includes/config.h" -AM_INIT_AUTOMAKE(snort,2.8.5.2) +AM_INIT_AUTOMAKE(snort,2.9.2) NO_OPTIMIZE="no" ADD_WERROR="no" 
@@ -25,19 +26,23 @@ AC_PROG_LIBTOOL AC_PROG_RANLIB AC_C_BIGENDIAN +AC_C_INLINE #AC_CANONICAL_HOST linux="no" sunos4="no" +so_with_static_lib="yes" case "$host" in *-openbsd2.6|*-openbsd2.5|*-openbsd2.4|*-openbsd2.3*) AC_DEFINE([OPENBSD],[1],[Define if OpenBSD]) AC_DEFINE([BROKEN_SIOCGIFMTU],[1],[Define if BROKEN_SIOCGIFMTU]) + so_with_static_lib="no" ;; *-openbsd*) AC_DEFINE([OPENBSD],[1],[Define if OpenBSD < 2.3]) + so_with_static_lib="no" ;; *-sgi-irix5*) @@ -62,7 +67,8 @@ ;; *-solaris*) AC_DEFINE([SOLARIS],[1],[Define if Solaris]) - CPPFLAGS="${CPPFLAGS} -DBSD_COMP -D_REENTRANT" + CONFIGFLAGS="${CONFIGFLAGS} -DBSD_COMP -D_REENTRANT" + rt_nanosleep="yes" ;; *-sunos*) AC_DEFINE([SUNOS],[1],[Define if SunOS]) @@ -71,8 +77,6 @@ *-linux*) linux="yes" AC_DEFINE([LINUX],[1],[Define if Linux]) - # libpcap doesn't even LOOK at the timeout you give it under Linux - AC_DEFINE([PCAP_TIMEOUT_IGNORED],[1],[Define if pcap timeout is ignored]) AC_SUBST(extra_incl) extra_incl="-I/usr/include/pcap" ;; @@ -82,10 +86,8 @@ AC_SUBST(extra_incl) extra_incl="-I/usr/local/include" ;; - *-freebsd*) AC_DEFINE([FREEBSD],[1],[Define if FreeBSD]) - ;; *-bsdi*) AC_DEFINE([BSDI],[1],[Define if BSDi]) @@ -95,14 +97,17 @@ ;; *-osf4*) AC_DEFINE([OSF1],[1],[Define if OSF-4]) + CONFIGFLAGS="${CONFIGFLAGS} -DOSF1" ;; *-osf5.1*) AC_DEFINE([OSF1],[1],[Define if OSF-5.1]) + CONFIGFLAGS="${CONFIGFLAGS} -DOSF1" ;; *-tru64*) AC_DEFINE([OSF1],[1],[Define if Tru64]) + CONFIGFLAGS="${CONFIGFLAGS} -DOSF1" ;; -# it is actually -apple-darwin1.2 or -apple-rhapsody5.x but lets stick with this for the moment +# it is actually -apple-darwin1.2 or -apple-rhapsody5.x but lets stick with this for the moment *-apple*) AC_DEFINE([MACOS],[1],[Define if MacOS]) AC_DEFINE([BROKEN_SIOCGIFMTU],[1],[Define if broken SIOCGIFMTU]) 
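Review bot: In the `*-solaris*` branch `-DBSD_COMP -D_REENTRANT` moves from CPPFLAGS into the new CONFIGFLAGS variable, so those feature macros no longer reach configure's own compile and link probes, which use CPPFLAGS; whether that matters depends on where CONFIGFLAGS is consumed, which is not visible in this diff. If any later AC_CHECK_* probe on Solaris depends on those macros, keep them in CPPFLAGS too, `CPPFLAGS="${CPPFLAGS} -DBSD_COMP -D_REENTRANT"`, alongside the CONFIGFLAGS line. The OSF1 branches in the following hunk append their `-DOSF1` only to CONFIGFLAGS as well, so the same question applies there.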
@@ -110,6 +115,27 @@ extra_incl="-I/sw/include" esac +AC_HEADER_STDBOOL + +# ICC stuff +ICC=no +if eval "echo $CC | grep icc > /dev/null" ; then + if eval "$CC -help | grep libcxa > /dev/null" ; then + CFLAGS="$CFLAGS -static-libcxa" + LDFLAGS="$LDFLAGS -static-libcxa" + XCCFLAGS="-XCClinker -static-libcxa" + else + CFLAGS="$CFLAGS -static-intel" + LDFLAGS="$LDFLAGS -static-intel" + XCCFLAGS="-XCClinker -static-intel" + fi + #CFLAGS=`echo $CFLAGS | sed 's/-O2/-O3/'` + CFLAGS="$CFLAGS -O3 -ip -w1" + ICC=yes + GCC= +fi +AC_SUBST(XCCFLAGS) + # This is really meant for Solaris Sparc v9 where it has 32bit and 64bit # capability but builds 32bit by default AC_ARG_ENABLE(64bit-gcc, @@ -135,10 +161,30 @@ # dnl checking headers -AC_CHECK_HEADERS([strings.h string.h stdlib.h unistd.h sys/sockio.h paths.h inttypes.h wchar.h math.h]) +AC_CHECK_HEADERS([ \ + inttypes.h \ + math.h \ + paths.h \ + stdlib.h \ + string.h \ + strings.h \ + unistd.h \ + wchar.h \ + sys/sockio.h \ +]) + +if test "x$ac_cv_header_wchar_h" = "xyes"; then + CONFIGFLAGS="${CONFIGFLAGS} -DSF_WCHAR" +fi AC_CHECK_LIB([m],[floor]) AC_CHECK_LIB([m],[ceil]) +AC_CHECK_HEADERS(uuid/uuid.h, [AC_CHECK_LIB(uuid,uuid_parse)]) + +if test "x$rt_nanosleep" = "xyes"; then +AC_CHECK_LIB([rt],[nanosleep]) +fi + dnl make sure we've got all our libraries if test -z "$no_libnsl"; then AC_CHECK_LIB(nsl, inet_ntoa) @@ -179,7 +225,7 @@ #include ]], [[char *(*pfn); pfn = (char *(*)) $1;]])],[eval "sn_cv_decl_needed_$1=no"],[eval "sn_cv_decl_needed_$1=yes"]) ]) -if eval "test \"`echo '$sn_cv_decl_needed_'$1`\" != no"; then +if eval "test \"`echo '$sn_cv_decl_needed_'$1`\" != no"; then AC_MSG_RESULT(yes) ifelse([$2], , :, [$2]) else 
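Review bot: The ICC detection `if eval "echo $CC | grep icc > /dev/null"` matches any compiler string that merely contains the substring `icc` (a path component is enough), and once matched it unconditionally appends `-O3 -ip -w1` to the user's CFLAGS and clears `GCC=`, so a false match silently changes the build. Matching on the command name rather than a substring narrows this, e.g. `case "$CC" in icc|*/icc|icc\ *|*/icc\ *) ICC=yes ;; esac` (hedged: the exact ICC invocations the project expects are not visible here). The `eval` wrapper also re-expands whatever `$CC` holds as shell text; a plain `echo "$CC" | grep icc > /dev/null` is enough for the test as written.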
@@ -207,13 +253,19 @@ # you will see also #undef for each SN_CHECK_DECLS macros invocation # because autoheader doesn't execute shell script commands. # it is possible to make loops using m4 but the code would look even -# more confusing.. +# more confusing.. SN_CHECK_DECLS(printf fprintf syslog puts fputs fputc fopen \ fclose fwrite fflush getopt bzero bcopy memset strtol \ strcasecmp strncasecmp strerror perror socket sendto \ vsnprintf snprintf strtoul) -AC_CHECK_FUNCS([snprintf strlcpy strlcat strerror vswprintf wprintf]) +AC_CHECK_FUNCS([sigaction strlcpy strlcat strerror vswprintf wprintf memrchr inet_ntop]) + +AC_CHECK_FUNC([snprintf],[have_snprintf="yes"],[have_snprintf="no"]) +AM_CONDITIONAL(BUILD_SNPRINTF, test "x$have_snprintf" != "xyes") +if test "x$have_snprintf" = "xyes"; then + AC_DEFINE([HAVE_SNPRINTF], [], [snprintf function is available]) +fi AC_CHECK_SIZEOF([char]) AC_CHECK_SIZEOF([short]) @@ -228,6 +280,8 @@ AC_CHECK_TYPES([u_int8_t,u_int16_t,u_int32_t,u_int64_t,uint8_t,uint16_t,uint32_t,uint64_t]) AC_CHECK_TYPES([int8_t,int16_t,int32_t,int64_t]) +AC_CHECK_TYPES([boolean]) + # In case INADDR_NONE is not defined (like on Solaris) have_inaddr_none="no" AC_MSG_CHECKING([for INADDR_NONE]) @@ -290,7 +344,7 @@ fi if test "x$with_libpcap_libraries" != "xno"; then - LDFLAGS="${LDFLAGS} -L${with_libpcap_libraries}" + LDFLAGS="${LDFLAGS} -L${with_libpcap_libraries}" fi # --with-libpfring-* options 
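Review bot: `AC_DEFINE([HAVE_SNPRINTF], [], [snprintf function is available])` defines the macro with an empty value, whereas the removed `AC_CHECK_FUNCS([snprintf ...])` defined it to 1, so any `#if HAVE_SNPRINTF` in the sources now fails to preprocess while `#ifdef HAVE_SNPRINTF` keeps working. Use `AC_DEFINE([HAVE_SNPRINTF], [1], [Define to 1 if you have the snprintf function])` to keep the previous contract for both forms. The `AC_CHECK_FUNC` plus `AM_CONDITIONAL(BUILD_SNPRINTF, ...)` split is fine as it stands.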
@@ -320,11 +374,11 @@ AC_CHECK_HEADERS(pfring.h,, PFRING_H="no") # It is important to have the AC_CHECK_LIB for the pfring library BEFORE -# the one for pfring-enabled pcap. When the Makefile is created, all the -# libraries used during linking are added to the LIBS variable in the -# Makefile in the opposite orded that their AC_CHECK_LIB macros appear -# in configure.in. Durring linking, the pfring library (-lpfring) MUST come -# _after_ the libpcap library (-lpcap) or linking will fail. +# the one for pfring-enabled pcap. When the Makefile is created, all the +# libraries used during linking are added to the LIBS variable in the +# Makefile in the opposite order that their AC_CHECK_LIB macros appear +# in configure.in. Durring linking, the pfring library (-lpfring) MUST come +# _after_ the libpcap library (-lpcap) or linking will fail. PFRING_L="" AC_CHECK_LIB(pfring, pfring_open,, PFRING_L="no") 
@@ -345,66 +399,36 @@ fi fi -# This is to determine which pcap library version is being used. The reason being -# that versions < 0.9 do not accumulate packet statistics whereas >= 0.9 do accumulate. -# This is Linux only. The check is done after pcre because the code below uses pcre. -# It seems Phil Wood's pcap does not accumulate - 0.9x -pcap_version_check="yes" -if test "x$linux" = "xyes"; then - if test "x$pcap_version_check" = "xyes"; then - AC_MSG_CHECKING([for libpcap version >= 0.9]) - AC_RUN_IFELSE( - [AC_LANG_PROGRAM( - [[ - #include - #include - extern char pcap_version[]; - ]], - [[ - if (strcmp(pcap_version, "0.9x") == 0) - return 1; - - if (strcmp(pcap_version, "0.9.0") < 0) - return 1; - ]])], - [libpcap_version_09="yes"], - [libpcap_version_09="no"]) - AC_MSG_RESULT($libpcap_version_09) - if test "x$libpcap_version_09" = "xyes"; then - AC_DEFINE([LIBPCAP_ACCUMULATES],[1],[For libpcap versions that accumulate stats]) - fi - else - libpcap_version_09="no" - AC_DEFINE([LIBPCAP_ACCUMULATES],[1],[For libpcap versions that accumulate stats]) - fi - - # there is a bug in the Linux code in 0.9.0 - 0.9.4 where the pcap - # stats are doubled. 
- if test "x$libpcap_version_09" = "xyes"; then - AC_MSG_CHECKING(for libpcap version 0.9.0 - 0.9.4) - AC_RUN_IFELSE( - [AC_LANG_PROGRAM( - [[ - #include - #include - extern char pcap_version[]; - ]], - [[ - if (strcmp(pcap_version, "0.9.5") < 0) - return 1; - ]])], - [libpcap_version_09_bug="no"], - [libpcap_version_09_bug="yes"]) - AC_MSG_RESULT($libpcap_version_09_bug) - else - libpcap_version_09_bug="no" - fi +AC_MSG_CHECKING([for pcap_lex_destroy]) +AC_RUN_IFELSE( +[AC_LANG_PROGRAM( +[[ +#include +]], +[[ + pcap_lex_destroy(); +]])], +[have_pcap_lex_destroy="yes"], +[have_pcap_lex_destroy="no"]) +AC_MSG_RESULT($have_pcap_lex_destroy) +if test "x$have_pcap_lex_destroy" = "xyes"; then + AC_DEFINE([HAVE_PCAP_LEX_DESTROY],[1],[Can cleanup lex buffer stack created by pcap bpf filter]) +fi - if test "x$libpcap_version_09_bug" = "xyes"; then - AC_DEFINE([LINUX_LIBPCAP_DOUBLES_STATS],[1],[For Linux libpcap versions 0.9.0 to 0.9.4]) - fi -else - AC_DEFINE([LIBPCAP_ACCUMULATES],[1],[For libpcap versions that accumulate stats]) +AC_MSG_CHECKING([for pcap_lib_version]) +AC_LINK_IFELSE( + [AC_LANG_PROGRAM( + [[#include ]], + [[pcap_lib_version();]] + )], + [have_pcap_lib_version="yes"], + [have_pcap_lib_version="no"] +) +AC_MSG_RESULT($have_pcap_lib_version) + +if test "x$have_pcap_lib_version" = "xyes"; then + AC_DEFINE([HAVE_PCAP_LIB_VERSION],[1], + [Can output the library version.]) fi AC_DEFUN([FAIL_MESSAGE],[ @@ -431,6 +455,7 @@ if test "x$with_libpcre_includes" != "xno"; then CPPFLAGS="${CPPFLAGS} -I${with_libpcre_includes}" + ICONFIGFLAGS="${ICONFIGFLAGS} -I${with_libpcre_includes}" else CPPFLAGS="${CPPFLAGS} `pcre-config --cflags`" fi @@ -457,7 +482,7 @@ pcre_version_six="" AC_CHECK_LIB(pcre, pcre_compile, ,PCRE_L="no") if test "x$PCRE_L" = "xno"; then - echo + echo echo " ERROR! Libpcre library not found." echo " Get it from http://www.pcre.org" echo 
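Review bot: The new `pcap_lex_destroy` probe uses `AC_RUN_IFELSE` without a fourth (cross-compiling) action, so configure aborts when cross-compiling instead of deciding the feature; the probe only needs to know whether the symbol links, so `AC_LINK_IFELSE` is sufficient, exactly as the `pcap_lib_version` probe just below already does. Changing `AC_RUN_IFELSE(` to `AC_LINK_IFELSE(` settles the result at link time on every host and also avoids executing a test binary during configure. The `#include` lines of both probes appear here without a header name, which looks like a rendering artefact of this page rather than the patch itself.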
@@ -477,7 +502,7 @@ if test "x$pcre_version_six" != "xyes"; then AC_MSG_RESULT(no) - echo + echo echo " ERROR! Libpcre library version >= 6.0 not found." echo " Get it from http://www.pcre.org" echo 
@@ -487,6 +512,166 @@ fi +AC_ARG_VAR(SIGNAL_SNORT_RELOAD, set the SIGNAL_SNORT_RELOAD value) +if test "x$SIGNAL_SNORT_RELOAD" != "x" ; then + AC_DEFINE_UNQUOTED([SIGNAL_SNORT_RELOAD], [$SIGNAL_SNORT_RELOAD], [Set by user]) +fi + +AC_ARG_VAR(SIGNAL_SNORT_DUMP_STATS, set the SIGNAL_SNORT_DUMP_STATS value) +if test "x$SIGNAL_SNORT_DUMP_STATS" != "x" ; then + AC_DEFINE_UNQUOTED([SIGNAL_SNORT_DUMP_STATS], [$SIGNAL_SNORT_DUMP_STATS], [Set by user]) +fi + +AC_ARG_VAR(SIGNAL_SNORT_ROTATE_STATS, set the SIGNAL_SNORT_ROTATE_STATS value) +if test "x$SIGNAL_SNORT_ROTATE_STATS" != "x" ; then + AC_DEFINE_UNQUOTED([SIGNAL_SNORT_ROTATE_STATS], [$SIGNAL_SNORT_ROTATE_STATS], [Set by user]) +fi + +AC_ARG_VAR(SIGNAL_SNORT_READ_ATTR_TBL, set the SIGNAL_SNORT_READ_ATTR_TBL value) +if test "x$SIGNAL_SNORT_READ_ATTR_TBL" != "x" ; then + AC_DEFINE_UNQUOTED([SIGNAL_SNORT_READ_ATTR_TBL], [$SIGNAL_SNORT_READ_ATTR_TBL], [Set by user]) +fi + +AC_ARG_ENABLE(dynamicplugin, +[ --disable-dynamicplugin Enable Ability to dynamically load preprocessors, detection engine, and rules lib (on by default, use --disable to not use dynamic libraries)], + enable_dynamicplugin="$enableval", enable_dynamicplugin="yes") +AM_CONDITIONAL(HAVE_DYNAMIC_PLUGINS, test "x$enable_dynamicplugin" = "xyes") + +if test "x$enable_dynamicplugin" = "xyes"; then + CPPFLAGS="$CPPFLAGS -DDYNAMIC_PLUGIN" +fi + +AC_ARG_ENABLE(so_with_static_lib, +[ --enable-so-with-static-lib Enable linking of dynamically loaded preprocessors with a static preprocessor library], + enable_so_with_static_lib="$enableval", enable_so_with_static_lib=$so_with_static_lib) +AM_CONDITIONAL(SO_WITH_STATIC_LIB, test "x$enable_so_with_static_lib" = "xyes") + +AC_ARG_ENABLE(control_socket, +[ --enable-control-socket Enable the control socket], + enable_control_socket="$enableval", enable_control_socket="no") +if test "x$linux" != "xyes"; then + if test "x$enable_control_socket" = "xyes"; then + AC_MSG_WARN([[The control socket is only supported on Linux 
systems.]]) + enable_control_socket="no" + fi +fi +AM_CONDITIONAL(BUILD_CONTROL_SOCKET, test "x$enable_control_socket" = "xyes") +if test "x$enable_control_socket" = "xyes"; then + CONFIGFLAGS="$CONFIGFLAGS -DCONTROL_SOCKET" +fi + +# check for dnet first since some DAQs need it +AC_ARG_WITH(dnet_includes, + [ --with-dnet-includes=DIR libdnet include directory], + [with_dnet_includes="$withval"],[with_dnet_includes="no"]) + +AC_ARG_WITH(dnet_libraries, + [ --with-dnet-libraries=DIR libdnet library directory], + [with_dnet_libraries="$withval"],[with_dnet_libraries="no"]) + +if test "x$with_dnet_includes" != "xno"; then + CPPFLAGS="${CPPFLAGS} -I${with_dnet_includes}" +else + CPPFLAGS="${CPPFLAGS} `dnet-config --cflags 2>/dev/null`" +fi + +if test "x$with_dnet_libraries" != "xno"; then + LDFLAGS="${LDFLAGS} -L${with_dnet_libraries}" +else + LDFLAGS="${LDFLAGS} `dnet-config --libs 2>/dev/null`" +fi + +AC_CHECK_HEADERS(dnet.h,,DNET_H="no") +AC_CHECK_HEADERS(dumbnet.h,,DUMBNET_H="no") + +if test "x$DNET_H" = "xno" -a "x$DUMBNET_H" = "xno"; then + echo + echo " ERROR! dnet header not found, go get it from" + echo " http://code.google.com/p/libdnet/ or use the --with-dnet-*" + echo " options, if you have it installed in an unusual place" + exit +fi + +AC_CHECK_LIB(dnet, eth_set,,[DNET="no"]) +AC_CHECK_LIB(dumbnet, eth_set,,[DUMBNET="no"]) + +if test "x$DNET" = "xno" -a "x$DUMBNET" = "xno"; then + echo + echo " ERROR! 
dnet library not found, go get it from" + echo " http://code.google.com/p/libdnet/ or use the --with-dnet-*" + echo " options, if you have it installed in an unusual place" + exit +fi + +AC_ARG_WITH(daq_includes, + [ --with-daq-includes=DIR DAQ include directory], + [with_daq_includes="$withval"],[with_daq_includes="no"]) + +AC_ARG_WITH(daq_libraries, + [ --with-daq-libraries=DIR DAQ library directory], + [with_daq_libraries="$withval"],[with_daq_libraries="no"]) + +if test "x$with_daq_includes" != "xno"; then + CPPFLAGS="${CPPFLAGS} -I${with_daq_includes}" + ICONFIGFLAGS="${ICONFIGFLAGS} -I${with_daq_includes}" +fi + +if test "x$with_daq_libraries" != "xno"; then + LDFLAGS="${LDFLAGS} -L${with_daq_libraries}" +fi + +AC_ARG_ENABLE(static_daq, +[ --disable-static-daq Link static DAQ modules.], + enable_static_daq="$enableval", enable_static_daq="yes") + +if test "x$enable_static_daq" = "xyes" \ + -o "x$enable_dynamicplugin" = "xyes" ; \ +then + AC_CHECK_LIB(dl, dlsym, DLLIB="yes", DLLIB="no") + + if test "$DLLIB" != "no"; then + LIBS="${LIBS} -ldl" + else + AC_CHECK_LIB(c, dlsym, DLLIB="yes", DLLIB="no") + if test "$DLLIB" = "no"; then + echo + echo " ERROR! programmatic interface to dynamic link loader" + echo " not found. Cannot build Snort." + echo + exit 1 + fi + fi +fi + +if test "x$enable_static_daq" = "xyes"; then + LDAQ="" + LIBS="${LIBS} `daq-modules-config --static --libs`" + AC_CHECK_LIB([daq_static], [daq_load_modules], + [LIBS="-ldaq_static ${LIBS}"], [LDAQ="no"], [ ]) + + if test "x$LDAQ" = "xno"; then + echo + echo " ERROR! daq_static library not found, go get it from" + echo " http://www.snort.org/." + #AC_MSG_ERROR("Fatal!") # FIXTHIS switch over to this macro + exit 1 # instead of raw exits! + fi +else + LDAQ="" + AC_CHECK_LIB([daq], [daq_load_modules], + [LIBS="${LIBS} -ldaq"], [LDAQ="no"], [ ]) + + if test "x$LDAQ" = "xno"; then + echo + echo " ERROR! daq library not found, go get it from" + echo " http://www.snort.org/." 
+ #AC_MSG_ERROR("Fatal!") + exit 1 + fi +fi + +AC_CHECK_FUNCS([daq_hup_apply] [daq_acquire_with_meta]) + # any sparc platform has to have this one defined. AC_MSG_CHECKING(for sparc) if eval "echo $host_cpu|grep -i sparc >/dev/null"; then 
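Review bot: Both dnet failure paths end in a bare `exit` after a run of `echo` statements, which exits with the status of the last command — `echo`, i.e. 0 — so a missing dnet header or library prints "ERROR!" yet configure reports success and a scripted build only fails later in make. The DAQ branches just below use `exit 1` and already carry the `# FIXTHIS switch over to this macro` comment; the macro form, `AC_MSG_ERROR([dnet header not found, get it from http://code.google.com/p/libdnet/ or use the --with-dnet-* options])`, fixes the exit status and records the message in config.log. The zlib checks in the hunk at @@ -543,66 +728,90 @@ have the same bare `exit` after "zlib header not found" and "zlib library not found". The four `SIGNAL_SNORT_*` values are also copied verbatim through `AC_DEFINE_UNQUOTED` into config.h, so a malformed value only surfaces as a later compile error; a short `case` check, or at least a help string stating the expected form (presumably an integer or signal macro), would make that failure explicit at configure time.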
@@ -543,66 +728,90 @@ [gl_cv_cc_visibility="no"]) ]) AC_MSG_RESULT([$gl_cv_cc_visibility]) + CFLAGS="$gl_save_CFLAGS" if test "x$gl_cv_cc_visibility" = "xyes"; then - CFLAGS="$gl_save_CFLAGS -fvisibility=hidden" + CCONFIGFLAGS="${CCONFIGFLAGS} -DSF_VISIBILITY -fvisibility=hidden" AC_DEFINE([HAVE_VISIBILITY],[1], [Define if the compiler supports visibility declarations.]) - else - CFLAGS="$gl_save_CFLAGS" fi ]) CC_VISIBILITY() -AC_ARG_ENABLE(dynamicplugin, -[ --enable-dynamicplugin Enable Ability to dynamically load preprocessors, detection engine, and rules lib (on by default, use --disable to not use dynamic libraries)], - enable_dynamicplugin="$enableval", enable_dynamicplugin="yes") -AM_CONDITIONAL(HAVE_DYNAMIC_PLUGINS, test "x$enable_dynamicplugin" = "xyes") -if test "x$enable_dynamicplugin" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DDYNAMIC_PLUGIN" - AC_CHECK_LIB(dl, dlsym,, DLLIB="no") - if test "$DLLIB" != "no"; then - LIBS="$LIBS -ldl" - else - AC_CHECK_LIB(c, dlsym,, DLCLIB="no") - if test "$DLCLIB" = "no"; then - echo - echo " ERROR! programmatic interface to dynamic link loader" - echo " not found. Cannot use dynamic plugin libraries." - echo - exit 1 - fi +AC_ARG_ENABLE(build-dynamic-examples, +[ --enable-build-dynamic-examples Enable building of example dynamically loaded preprocessor and rule (off by default)], + build_dynamic_examples="$enableval", build_dynamic_examples="no") +AM_CONDITIONAL(BUILD_DYNAMIC_EXAMPLES, test "x$build_dynamic_examples" = "xyes") +if test "x$build_dynamic_examples" = "xyes"; then + if test "x$enable_dynamicplugin" = "xno"; then + echo " ERROR! attempting to build dynamic examples without" + echo " enabling dynamic plugins." + echo + exit 1 fi fi +AC_ARG_ENABLE(dlclose, +[ --disable-dlclose Only use if you are developing dynamic preprocessors or shared object rules. Disable (--disable-dlclose) for testing valgrind leaks in dynamic libraries so a usable backtrace is reported. 
Enabled by default.], + enable_dlclose="$enableval", enable_dlclose="yes") +if test "x$enable_dlclose" = "xno"; then + AC_DEFINE([DISABLE_DLCLOSE_FOR_VALGRIND_TESTING],[1],[Don't close opened shared objects for valgrind leak testing of dynamic libraries]) +fi + AC_ARG_ENABLE(ipv6, -[ --enable-ipv6 Enable IPv6 support], - enable_ipv6="$enableval", enable_ipv6="no") +[ --disable-ipv6 Disable IPv6 support], + enable_ipv6="$enableval", enable_ipv6="yes") if test "x$enable_ipv6" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DSUP_IP6" + CONFIGFLAGS="$CONFIGFLAGS -DSUP_IP6" fi AM_CONDITIONAL(HAVE_SUP_IP6, test "x$enable_ipv6" = "xyes") +AC_ARG_ENABLE(zlib, +[ --disable-zlib Enable Http Response Decompression], + enable_zlib="$enableval", enable_zlib="yes") +AM_CONDITIONAL(HAVE_ZLIB, test "x$enable_zlib" = "xyes") +if test "x$enable_zlib" = "xyes"; then + Z_LIB="" + AC_CHECK_HEADERS(zlib.h,, Z_LIB="no") + if test "x$Z_LIB" = "xno"; then + echo + echo " ERROR! zlib header not found, go get it from" + echo " http://www.zlib.net" + exit + fi + + Z_LIB="" + AC_CHECK_LIB(z, inflate,, Z_LIB="no") + if test "x$Z_LIB" = "xno"; then + echo + echo " ERROR! 
zlib library not found, go get it from" + echo " http://www.zlib.net" + exit + fi + CPPFLAGS="$CPPFLAGS -DZLIB" + LIBS="$LIBS -lz" +fi + AC_ARG_ENABLE(gre, -[ --enable-gre Enable GRE and IP in IP encapsulation support], - enable_gre="$enableval", enable_gre="no") +[ --disable-gre Enable GRE and IP in IP encapsulation support], + enable_gre="$enableval", enable_gre="yes") if test "x$enable_gre" = "xyes"; then CPPFLAGS="$CPPFLAGS -DGRE" fi AC_ARG_ENABLE(mpls, -[ --enable-mpls Enable MPLS support], - enable_mpls="$enableval", enable_mpls="no") +[ --disable-mpls Enable MPLS support], + enable_mpls="$enableval", enable_mpls="yes") if test "x$enable_mpls" = "xyes"; then CPPFLAGS="$CPPFLAGS -DMPLS" fi AC_ARG_ENABLE(targetbased, -[ --enable-targetbased Enable Target-Based Support in Stream, Frag, and Rules (adds pthread support implicitly)], - enable_targetbased="$enableval", enable_targetbased="no") +[ --disable-targetbased Enable Target-Based Support in Stream, Frag, and Rules (adds pthread support implicitly)], + enable_targetbased="$enableval", enable_targetbased="yes") AM_CONDITIONAL(HAVE_TARGET_BASED, test "x$enable_targetbased" = "xyes") if test "x$enable_targetbased" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DTARGET_BASED" + CONFIGFLAGS="$CONFIGFLAGS -DTARGET_BASED" LIBS="$LIBS -lpthread" if test "$LEX" = "none"; then echo 
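Review bot: The help strings for the options whose default flips to "yes" in this hunk still describe the enable action — `--disable-zlib Enable Http Response Decompression`, `--disable-gre Enable GRE and IP in IP encapsulation support`, `--disable-mpls Enable MPLS support`, `--disable-targetbased Enable Target-Based Support ...` — so `./configure --help` tells the user that `--disable-X` enables X. `--disable-ipv6 Disable IPv6 support` in the same hunk shows the intended form, e.g. `[ --disable-zlib Disable HTTP response decompression]`. The same mismatch is in `--disable-dynamicplugin` in the previous hunk and in the `--disable-decoder-preprocessor-rules`, `--disable-ppm`, `--disable-perfprofiling`, `--disable-active-response`, `--disable-normalizer`, `--disable-reload`, `--disable-reload-error-restart`, `--disable-react` and `--disable-flexresp3` options in later hunks.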
@@ -623,110 +832,34 @@ fi AC_ARG_ENABLE(decoder-preprocessor-rules, -[ --enable-decoder-preprocessor-rules Enable rule actions for decoder and preprocessor events], - enable_decoder_preprocessor_rules="$enableval", enable_decoder_preprocessor_rules="no") +[ --disable-decoder-preprocessor-rules Enable rule actions for decoder and preprocessor events], + enable_decoder_preprocessor_rules="$enableval", enable_decoder_preprocessor_rules="yes") if test "x$enable_decoder_preprocessor_rules" = "xyes"; then CPPFLAGS="$CPPFLAGS -DPREPROCESSOR_AND_DECODER_RULE_EVENTS" fi AC_ARG_ENABLE(ppm, -[ --enable-ppm Enable packet/rule performance monitor], - enable_ppm="$enableval", enable_ppm="no") +[ --disable-ppm Enable packet/rule performance monitor], + enable_ppm="$enableval", enable_ppm="yes") if test "x$enable_ppm" = "xyes"; then CPPFLAGS="$CPPFLAGS -DPPM_MGR" fi -AC_ARG_ENABLE(timestats, -[ --enable-timestats Enable TimeStats functionality], - enable_timestats="$enableval", enable_timestats="no") -if test "x$enable_timestats" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DTIMESTATS" -fi - AC_ARG_ENABLE(perfprofiling, -[ --enable-perfprofiling Enable preprocessor and rule performance profiling], - enable_perfprofiling="$enableval", enable_perfprofiling="no") +[ --disable-perfprofiling Enable preprocessor and rule performance profiling], + enable_perfprofiling="$enableval", enable_perfprofiling="yes") if test "x$enable_perfprofiling" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DPERF_PROFILING" + CONFIGFLAGS="$CONFIGFLAGS -DPERF_PROFILING" fi AC_ARG_ENABLE(linux-smp-stats, [ --enable-linux-smp-stats Enable statistics reporting through proc], enable_linux_smp_stats="$enableval", enable_linux_smp_stats="no") +AM_CONDITIONAL(BUILD_PROCPIDSTATS, test "x$enable_linux_smp_stats" = "xyes") if test "x$enable_linux_smp_stats" = "xyes"; then CPPFLAGS="$CPPFLAGS -DLINUX_SMP" fi -AC_ARG_ENABLE(inline, -[ --enable-inline Use the libipq interface for inline snort], - enable_inline="$enableval", 
enable_inline="no") - -AC_ARG_ENABLE(ipfw, -[ --enable-ipfw Enable ipfw Divert mode for use with inline], - enable_ipfw="$enableval", enable_ipfw="no") - -if test "$enable_inline" != "no"; then - if test "$enable_inline" = "yes"; then - CPPFLAGS="$CPPFLAGS -DGIDS" - if test "$enable_ipfw" = "yes"; then - CPPFLAGS="$CPPFLAGS -DIPFW" - else - AC_ARG_WITH(libipq_includes, - [ --with-libipq-includes=DIR libipq include directory], - [with_libipq_includes="$withval"],[with_libipq_includes="no"]) - AC_ARG_WITH(libipq_libraries, - [ --with-libipq-libraries=DIR libipq library directory], - [with_libipq_libraries="$withval"],[with_libipq_libraries="no"]) - if test "$with_libipq_includes" != "no"; then - CPPFLAGS="${CPPFLAGS} -I${with_libipq_includes}" - fi - - AC_CHECK_HEADER(libipq.h,,[AC_MSG_ERROR([libipq.h not found ...])]) - if test "$with_libipq_libraries" != "no"; then - LDFLAGS="${LDFLAGS} -L${with_libipq_libraries}" - fi - - LIPQ="" - AC_CHECK_LIB(ipq, ipq_set_mode,, LIPQ="no") - - if test "$LIPQ" = "no"; then - echo - echo " ERROR! 
Libipq library/headers not found, go get it from" - echo " www.netfilter.org or use the --with-libipq-* options, " - echo " if you have it installed in unusual place" - echo - exit 1 - fi - fi - - LIBNET_INC_DIR="" - if test -n "$with_libnet_includes" -a "$with_libnet_includes" != "no"; then - libnet_dir="${with_libnet_includes}" - else - libnet_dir="/usr/include /usr/local/include /sw/include" - fi - AC_MSG_CHECKING("for libnet.h version 1.0.x") - for i in $libnet_dir; do - if test -r "$i/libnet.h"; then - LIBNET_INC_DIR="$i" - fi - done - - if test "$LIBNET_INC_DIR" != ""; then - if eval "grep LIBNET_VERSION $LIBNET_INC_DIR/libnet.h | grep -v 1.0 >/dev/null"; then - FAIL_MESSAGE("libnet 1.0.x (libnet.h)", $LIBNET_INC_DIR) - fi - CFLAGS="${CFLAGS} `libnet-config --defines` `libnet-config --cflags`" - LIBS="${LIBS} `libnet-config --libs`" - CPPFLAGS="${CPPFLAGS} -I${LIBNET_INC_DIR}" - AC_MSG_RESULT($i) - else - AC_MSG_RESULT(no) - AC_MSG_ERROR("libnet 1.0.x could not be found. please download and install the library from http://www.packetfactory.net/libnet/") - fi - fi -fi - AC_ARG_ENABLE(inline-init-failopen, [ --enable-inline-init-failopen Enable Fail Open during initialization for Inline Mode (adds pthread support implicitly)], enable_inline_init_failopen="$enableval", enable_inline_init_failopen="no") @@ -738,6 +871,8 @@ AC_ARG_ENABLE(prelude, [ --enable-prelude Enable Prelude Hybrid IDS support], enable_prelude="$enableval", enable_prelude="no") + +AM_CONDITIONAL(BUILD_PRELUDE, test "x$enable_prelude" = "xyes") if test "x$enable_prelude" = "xyes"; then AM_PATH_LIBPRELUDE(0.9.6, use_prelude="yes", use_prelude="no") if test "$use_prelude" = "yes"; then 
@@ -748,29 +883,48 @@ fi fi -AC_ARG_ENABLE(pthread, -[ --enable-pthread Enable pthread support], - enable_pthread="$enableval", enable_pthread="no") +AC_ARG_ENABLE(pthread, +[ --disable-pthread Disable pthread support], + enable_pthread="$enableval", enable_pthread="yes") + if test "x$enable_pthread" = "xyes"; then LIBS="$LIBS -lpthread" fi +AC_ARG_ENABLE(debug-msgs, +[ --enable-debug-msgs Enable debug printing options (bugreports and developers only)], + enable_debug_msgs="$enableval", enable_debug_msgs="no") +if test "x$enable_debug_msgs" = "xyes"; then + CPPFLAGS="$CPPFLAGS -DDEBUG_MSGS" +fi + AC_ARG_ENABLE(debug, [ --enable-debug Enable debugging options (bugreports and developers only)], enable_debug="$enableval", enable_debug="no") + if test "x$enable_debug" = "xyes"; then NO_OPTIMIZE="yes" - CPPFLAGS="$CPPFLAGS -DDEBUG" # in case user override doesn't include -g if echo $CFLAGS | grep -qve -g ; then CFLAGS="$CFLAGS -g" fi + + CPPFLAGS="$CPPFLAGS -DDEBUG" +fi + +AC_ARG_ENABLE(gdb, +[ --enable-gdb Enable gdb debugging information], + enable_gdb="$enableval", enable_gdb="no") + +if test "x$enable_gdb" = "xyes"; then + CFLAGS="$CFLAGS -g -ggdb" fi AC_ARG_ENABLE(profile, [ --enable-profile Enable profiling options (developers only)], enable_profile="$enableval", enable_profile="no") + if test "x$enable_profile" = "xyes"; then if test -n "$GCC"; then CPPFLAGS="$CPPFLAGS -DPROFILE" 
@@ -781,77 +935,59 @@ fi AC_ARG_ENABLE(ppm-test, -[ --enable-ppm-test Enable packet/rule performance monitor], +[ --disable-ppm-test Enable packet/rule performance monitor], enable_ppm_test="$enableval", enable_ppm_test="no") + if test "x$enable_ppm_test" = "xyes"; then CPPFLAGS="$CPPFLAGS -DPPM_TEST" fi AC_ARG_ENABLE(sourcefire, -[ --enable-sourcefire Enable Sourcefire specific build options], +[ --enable-sourcefire Enable Sourcefire specific build options, encompasing --enable-perfprofiling,--enable-decoder-preprocessor-rules, --enable-ppm], enable_sourcefire="$enableval", enable_sourcefire="no") + if test "x$enable_sourcefire" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DSOURCEFIRE -DPERF_PROFILING -DPREPROCESSOR_AND_DECODER_RULE_EVENTS -DPPM_MGR" + CPPFLAGS="$CPPFLAGS -DSOURCEFIRE -DPREPROCESSOR_AND_DECODER_RULE_EVENTS -DPPM_MGR" + CONFIGFLAGS="$CONFIGFLAGS -DPERF_PROFILING" fi AC_ARG_ENABLE(corefiles, [ --disable-corefiles Prevent Snort from generating core files], enable_corefiles="$enableval", enable_corefiles="yes") + if test "x$enable_corefiles" = "xno"; then CPPFLAGS="$CPPFLAGS -DNOCOREFILE" fi +AC_ARG_ENABLE(active-response, +[ --disable-active-response Enable reject injection], + enable_active_response="$enableval", enable_active_response="yes") + +AC_ARG_ENABLE(normalizer, +[ --disable-normalizer Enable packet/stream normalizations], + enable_normalizer="$enableval", enable_normalizer="yes") + AC_ARG_ENABLE(reload, -[ --enable-reload Enable reloading a configuration without restarting], - enable_reload="$enableval", enable_reload="no") +[ --disable-reload Enable reloading a configuration without restarting], + enable_reload="$enableval", enable_reload="yes") AC_ARG_ENABLE(reload-error-restart, -[ --enable-reload-error-restart Enable restarting on reload error], +[ --disable-reload-error-restart Enable restarting on reload error], enable_reload_error_restart="$enableval", enable_reload_error_restart="yes") if test "x$enable_reload" = "xyes"; then if test 
"x$enable_reload_error_restart" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DSNORT_RELOAD" + CONFIGFLAGS="$CONFIGFLAGS -DSNORT_RELOAD" else - CPPFLAGS="$CPPFLAGS -DSNORT_RELOAD -DRELOAD_ERROR_FATAL" + CONFIGFLAGS="$CONFIGFLAGS -DSNORT_RELOAD -DRELOAD_ERROR_FATAL" fi LIBS="$LIBS -lpthread" fi -AC_ARG_WITH(libnet_includes, - [ --with-libnet-includes=DIR libnet include directory], - [with_libnet_includes="$withval"],[with_libnet_includes="no"]) - -AC_ARG_WITH(libnet_libraries, - [ --with-libnet-libraries=DIR libnet library directory], - [with_libnet_libraries="$withval"],[with_libnet_libraries="no"]) - -if test "x$with_libnet_includes" != "xno"; then - CPPFLAGS="${CPPFLAGS} -I${with_libnet_includes}" -fi - -if test "x$with_libnet_libraries" != "xno"; then - LDFLAGS="${LDFLAGS} -L${with_libnet_libraries}" -fi - -AC_ARG_WITH(dnet_includes, - [ --with-dnet-includes=DIR libdnet include directory], - [with_dnet_includes="$withval"],[with_dnet_includes="no"]) - -AC_ARG_WITH(dnet_libraries, - [ --with-dnet-libraries=DIR libdnet library directory], - [with_dnet_libraries="$withval"],[with_dnet_libraries="no"]) +configuring_database="no" -if test "x$with_dnet_includes" != "xno"; then - CPPFLAGS="${CPPFLAGS} -I${with_dnet_includes}" -fi - -if test "x$with_dnet_libraries" != "xno"; then - LDFLAGS="${LDFLAGS} -L${with_dnet_libraries}" -fi - -AC_ARG_WITH(mysql, +AC_ARG_WITH(mysql, [ --with-mysql=DIR Support for MySQL], [ with_mysql="$withval"], [ with_mysql="no" ]) @@ -866,6 +1002,7 @@ default_directory="/usr /usr/local" if test "x$with_mysql" != "xno"; then + configuring_database="yes" if test "x$with_mysql" = "xyes"; then if test "x$with_mysql_includes" != "xno"; then mysql_inc_directory="$with_mysql_includes"; @@ -935,7 +1072,7 @@ MYSQL_LIB_DIR="$i/mysql" break 2 fi - done + done fi if test -z "$MYSQL_LIB_DIR"; then str="$i/mysql/lib/libmysqlclient.*" 
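Review bot: `ppm-test` has its help relabelled to `--disable-ppm-test` but the default stays `enable_ppm_test="no"`, so the option remains off unless `--enable-ppm-test` is passed and the help text now contradicts the behaviour; either restore `[ --enable-ppm-test Enable packet/rule performance monitor]` or change the default to `"yes"` as the other flipped options in this hunk do. `encompasing` in the `--enable-sourcefire` help string should read `encompassing`. The hunk starts on the previous line of this page.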
@@ -1047,12 +1184,13 @@ fi fi -AC_ARG_WITH(odbc, +AC_ARG_WITH(odbc, [ --with-odbc=DIR Support for ODBC], [ with_odbc="$withval" ], [ with_odbc="no" ]) if test "x$with_odbc" != "xno"; then + configuring_database="yes" if test "x$with_odbc" = "xyes"; then odbc_directory="$default_directory" odbc_fail="yes" @@ -1089,7 +1227,7 @@ str="$ODBC_DIR/lib/libodbc.*" for j in `echo $str`; do - if test -r "$j"; then + if test -r "$j"; then ODBC_LIB_DIR="$ODBC_DIR/lib" ODBC_LIB="odbc" fi @@ -1098,7 +1236,7 @@ dnl if test -z "$ODBC_LIB_DIR"; then dnl str="$ODBC_DIR/lib/libiodbc.*" dnl for j in `echo $str`; do -dnl if test -r $j; then +dnl if test -r $j; then dnl ODBC_LIB_DIR="$ODBC_DIR/lib" dnl ODBC_LIB="iodbc" dnl fi @@ -1120,7 +1258,7 @@ fi fi -AC_ARG_WITH(postgresql, +AC_ARG_WITH(postgresql, [ --with-postgresql=DIR Support for PostgreSQL], [ with_postgresql="$withval" ], [ with_postgresql="no" ]) @@ -1131,6 +1269,7 @@ [with_pgsql_includes="no" ]) if test "x$with_postgresql" != "xno"; then + configuring_database="yes" if test "x$with_postgresql" = "xyes"; then postgresql_directory="$default_directory /usr/local/pgsql /usr/pgsql /usr/local" postgresql_fail="yes" @@ -1227,12 +1366,13 @@ fi fi -AC_ARG_WITH(oracle, +AC_ARG_WITH(oracle, [ --with-oracle=DIR Support for Oracle], [ with_oracle="$withval" ], [ with_oracle="no" ]) if test "x$with_oracle" != "xno"; then + configuring_database="yes" if test "x$with_oracle" = "xyes"; then oracle_directory="$default_directory ${ORACLE_HOME}" oracle_fail="yes" 
@@ -1282,6 +1422,22 @@ fi fi +AC_ARG_ENABLE(paf, +[ --disable-paf disable protocol aware flushing], + enable_paf="$enableval", enable_paf="yes") + +if test "x$enable_paf" = "xyes"; then + CPPFLAGS="${CPPFLAGS} -DENABLE_PAF" +fi + +AC_ARG_ENABLE(react, +[ --disable-react Intercept and terminate offending HTTP accesses], + enable_react="$enableval", enable_react="yes") + +AC_ARG_ENABLE(flexresp3, +[ --disable-flexresp3 Flexible Responses (v3) on hostile connection attempts], + enable_flexresp3="$enableval", enable_flexresp3="yes") + AC_ARG_ENABLE(aruba, [ --enable-aruba Enable Aruba output plugin], enable_aruba="$enableval", enable_aruba="no") 
@@ -1289,146 +1445,137 @@ CPPFLAGS="$CPPFLAGS -DARUBA" fi -AC_ARG_ENABLE(react, -[ --enable-react Intercept and terminate offending HTTP accesses], - enable_react="$enableval", enable_react="no") +# test for invalid configurations here after all AC_ARG_ENABLEs +if test "x$enable_flexresp3" = "xyes"; then + # flexresp3 options are a union of flexresp (deleted) and flexresp2 + # options so we assume flexresp3 if multiple are enabled. + if test "x$enable_flexresp2" = "xyes"; then + echo "WARNING: multiple flexresp versions enabled; using flexresp3." + enable_flexresp2="no" + fi +fi + +AM_CONDITIONAL(BUILD_REACT, test "x$enable_react" = "xyes") if test "x$enable_react" = "xyes"; then CPPFLAGS="${CPPFLAGS} -DENABLE_REACT" fi -AC_ARG_ENABLE(flexresp, -[ --enable-flexresp Flexible Responses (v1) on hostile connection attempts], - enable_flexresp="$enableval", enable_flexresp="no") -if test "x$enable_flexresp" = "xyes"; then - CPPFLAGS="${CPPFLAGS} -DENABLE_RESPOND -DENABLE_RESPONSE" -fi - -AC_ARG_ENABLE(flexresp2, -[ --enable-flexresp2 Flexible Responses (v2) on hostile connection attempts], - enable_flexresp2="$enableval", enable_flexresp2="no") -if test "x$enable_flexresp2" = "xyes"; then - CPPFLAGS="${CPPFLAGS} -DENABLE_RESPOND -DENABLE_RESPONSE2 `dnet-config --cflags`" - # this will probably add a redundant path and lib (eg, -ldnet is added - # to LIBS by AC_CHECK_LIB() below) but w/o this AC_CHECK_LIB() will - # fail if dnet isn't in a standard place. of course, if dnet isn't - # installed at all, dnet-config will fail, but we won't know that - # until we get around to calling AC_CHECK_LIB(). same story with - # libnet and pcre. 
- LDFLAGS="${LDFLAGS} `dnet-config --libs`" +AM_CONDITIONAL(BUILD_RESPOND3, test "x$enable_flexresp3" = "xyes") +if test "x$enable_flexresp3" = "xyes"; then + CPPFLAGS="${CPPFLAGS} -DENABLE_RESPOND -DENABLE_RESPONSE3" fi -# test for invalid configurations here after all AC_ARG_ENABLEs +if test "x$enable_normalizer" = "xyes" \ + -o "x$enable_sourcefire" = "xyes" ; \ +then + CONFIGFLAGS="${CONFIGFLAGS} -DNORMALIZER" +fi -if test "x$enable_flexresp" = "xyes" -a "x$enable_flexresp2" = "xyes"; then - echo - echo " ERROR! --enable-flexresp cannot be used with --enable-flexresp2" - exit +if test "x$enable_active_response" = "xyes" \ + -o "x$enable_flexresp3" = "xyes" \ + -o "x$enable_react" = "xyes" \ + -o "x$enable_sourcefire" = "xyes" ; \ +then + CONFIGFLAGS="${CONFIGFLAGS} -DACTIVE_RESPONSE" fi -if test "x$enable_flexresp" = "xyes" -o "x$enable_react" = "xyes"; then - if test `libnet-config --cflags | wc -c` = "1"; then - CPPFLAGS="${CPPFLAGS} -I/usr/local/include -I/sw/include" - LIBNET_CONFIG_BROKEN_CFLAGS="yes" - else - CPPFLAGS="${CPPFLAGS} `libnet-config --cflags`" - fi - CPPFLAGS="${CPPFLAGS} `libnet-config --defines`" - LDFLAGS="${LDFLAGS} `libnet-config --libs`" +AC_ARG_ENABLE(intel_soft_cpm, +[ --enable-intel-soft-cpm Enable Intel Soft CPM support], + enable_intel_soft_cpm="$enableval", enable_intel_soft_cpm="no") - if test `libnet-config --libs | wc -c` = "1"; then - AC_MSG_WARN(libnet-config --libs is broken on your system. If you) - AC_MSG_WARN(are using a precompiled package please notify the) - AC_MSG_WARN(maintainer.) - LDFLAGS="${LDFLAGS} -L/usr/local/lib -L/sw/lib" - LIBS="${LIBS} -lnet" - fi - - LNET="" - AC_CHECK_HEADERS(libnet.h,, LNET="no") - if test "x$LNET" = "xno"; then - echo - echo " ERROR! 
Libnet header not found, go get it from" - echo " http://www.packetfactory.net/projects/libnet/" - echo " or use the --with-libnet-* options, if you have it installed" - echo " in unusual place" - exit 1 - fi +AC_ARG_WITH(intel_soft_cpm_includes, + [ --with-intel-soft-cpm-includes=DIR Intel Soft CPM include directory], + [with_intel_soft_cpm_includes="$withval"],[with_intel_soft_cpm_includes="no"]) - AC_MSG_CHECKING(for libnet version 1.0.2a) - if test "x${LIBNET_CONFIG_BROKEN_CFLAGS}" = "xyes"; then - if test -n "$with_libnet_includes" -a "x$with_libnet_includes" != "xno"; then - libnet_dir="${with_libnet_includes}" - else - libnet_dir="/usr/include /usr/local/include /sw/include" - fi - else - libnet_dir=`libnet-config --cflags | cut -dI -f2` - fi +AC_ARG_WITH(intel_soft_cpm_libraries, + [ --with-intel-soft-cpm-libraries=DIR Intel Soft CPM library directory], + [with_intel_soft_cpm_libraries="$withval"],[with_intel_soft_cpm_libraries="no"]) - LIBNET_INC_DIR="" - for i in $libnet_dir; do - if test -r "$i/libnet.h"; then - LIBNET_INC_DIR="$i" - fi - done +if test "x$with_intel_soft_cpm_includes" != "xno"; then + enable_intel_soft_cpm="yes" + CPPFLAGS="${CPPFLAGS} -I${with_intel_soft_cpm_includes}" +fi - if test "x$LIBNET_INC_DIR" != "x"; then - if eval "grep LIBNET_VERSION $LIBNET_INC_DIR/libnet.h | grep -v 1.0.2a >/dev/null"; then - AC_MSG_RESULT(no) - echo - echo " ERROR! 
Snort with --enable-flexresp will *only* work with" - echo " libnet version 1.0.2a, go get it from" - echo " http://www.packetfactory.net/projects/libnet/" - FAIL_MESSAGE("libnet 1.0.2a (libnet.h)", $LIBNET_INC_DIR) - fi - AC_MSG_RESULT(yes) +if test "x$with_intel_soft_cpm_libraries" != "xno"; then + enable_intel_soft_cpm="yes" + LDFLAGS="${LDFLAGS} -L${with_intel_soft_cpm_libraries}" + LIBS="${LIBS} -lpm" +fi + +AM_CONDITIONAL(HAVE_INTEL_SOFT_CPM, test "x$enable_intel_soft_cpm" = "xyes") +if test "x$enable_intel_soft_cpm" = "xyes"; then + CPPFLAGS="${CPPFLAGS} -DINTEL_SOFT_CPM" +fi + +AC_ARG_ENABLE(shared_rep, + [ --enable-shared-rep Enable use of Shared Memory for Reputation (Linux only)], + enable_shared_rep="$enableval", enable_shared_rep="no") + +if test "x$enable_shared_rep" = "xyes"; then + if test "x$linux" = "xyes"; then + CPPFLAGS="${CPPFLAGS} -DSHARED_REP" + LIBS="$LIBS -lrt" else - AC_MSG_RESULT(no) - FAIL_MESSAGE("libnet 1.0.2a (libnet.h)", $libnet_dir) + echo "WARNING: shared reputation is only available on linux." + enable_shared_rep="no" fi +fi - LNET="" - AC_CHECK_LIB(net, libnet_build_ip,, LNET="no") - if test "x$LNET" = "xno"; then - echo - echo " ERROR! 
Libnet library not found, go get it from" - echo " http://www.packetfactory.net/projects/libnet/" - echo " or use the --with-libnet-* options, if you have it installed" - echo " in unusual place" - exit 1 - fi +AM_CONDITIONAL(HAVE_SHARED_REP, test "x$enable_shared_rep" = "xyes") + +AC_ARG_ENABLE(rzb-saac, +[ --enable-rzb-saac Enable Razorback SaaC support], + enable_rzb_saac="$enableval", enable_rzb_saac="no") + +AC_ARG_WITH(librzb_api, + [ --with-librzb-api=DIR librazorback_api directory], + [with_librzb_api="$withval"],[with_librzb_api="no"]) + +if test "x$with_librzb_api" = "xno"; then + export PKG_CONFIG_PATH=$prefix/lib/pkgconfig:$PKG_CONFIG_PATH +else + export PKG_CONFIG_PATH=$with_librzb_api/lib/pkgconfig:$PKG_CONFIG_PATH fi -if test "x$enable_flexresp2" = "xyes" ; then - DNET="" - AC_CHECK_HEADERS(dnet.h,, DNET="no") - if test "x$DNET" = "xno"; then +if test "x$enable_rzb_saac" = "xyes"; then + AC_CHECK_PROG(PKG_CONFIG,pkg-config,yes) + if test "x$PKG_CONFIG" != "xyes"; then + echo echo - echo " ERROR! Libdnet header not found, go get it from" - echo " http://libdnet.sourceforge.net or use the --with-dnet-*" - echo " options, if you have it installed in an unusual place" + echo " ERROR! pkg-config not found, go get it from" + echo " http://freedesktop.org" exit fi - DNET="" - AC_CHECK_LIB(dnet, eth_set,, DNET="no") - if test "x$DNET" = "xno"; then + PKG_CHECK_MODULES([RAZORBACK], [razorback >= 0.1.3], [], [LRZB=no]) + if test "x$LRZB" = "xno"; then echo - echo " ERROR! Libdnet library not found, go get it from" - echo " http://libdnet.sourceforge.net or use the --with-dnet-*" - echo " options, if you have it installed in an unusual place" + echo " ERROR! 
razorback_api library not found, go get it from" + echo " http://sourceforge.net/projects/razorbacktm/" exit fi fi +AM_CONDITIONAL([WANT_SF_SAAC], [test x$enable_rzb_saac = xyes]) + +AC_ARG_ENABLE(large-pcap, +[ --enable-large-pcap Enable support for pcaps larger than 2 GB], + enable_large_pcap="$enableval", enable_large_pcap="no") + +if test "x$enable_large_pcap" = "xyes"; then + CPPFLAGS="${CPPFLAGS} -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64" +fi + # let's make some fixes.. +CFLAGS="${CFLAGS} ${CCONFIGFLAGS}" CFLAGS=`echo $CFLAGS | sed -e 's/-I\/usr\/include //g'` +CPPFLAGS="${CPPFLAGS} ${CONFIGFLAGS}" CPPFLAGS=`echo $CPPFLAGS | sed -e 's/-I\/usr\/include //g'` if test "x$GCC" = "xyes" ; then echo `$CC -v 2>&1` | grep "version 4" > /dev/null - if test $? = 0 ; then + if test $? = 0 ; then CFLAGS="$CFLAGS -fno-strict-aliasing" fi fi @@ -1456,6 +1603,47 @@ fi fi +if test "$LEX" != "none"; then + AC_MSG_CHECKING(for yylex_destroy support) + + version=`$LEX --version | awk '{print $3}'` + if test -z $version; then + version=`$LEX --version | awk '{print $2}'` + fi + + have_yylex_destroy="no" + if test $version; then + major=`echo $version | awk -F. '{ print $1 }'` + minor=`echo $version | awk -F. '{ print $2 }'` + subminor=`echo $version | awk -F. '{ print $3 }'` + + if test $major -a $minor -a $subminor; then + if test $major -gt 2; then + have_yylex_destroy="yes" + else + if test $major -eq 2; then + if test $minor -gt 5; then + have_yylex_destroy="yes" + else + if test $minor -eq 5; then + if test $subminor -ge 9; then + have_yylex_destroy="yes" + fi + fi + fi + fi + fi + fi + fi + + if test "x$have_yylex_destroy" = "xyes"; then + AC_MSG_RESULT(yes) + AC_DEFINE([HAVE_YYLEX_DESTROY],[1],[Define whether yylex_destroy is supported in flex version]) + else + AC_MSG_RESULT(no) + fi +fi + # Set to no optimization regardless of what user or autostuff set if test "x$NO_OPTIMIZE" = "xyes"; then CFLAGS=`echo $CFLAGS | sed -e "s/-O./-O0/"` 
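Review bot: Both new failure branches in the rzb_saac block (`ERROR! pkg-config not found` and `ERROR! razorback_api library not found`) end in a bare `exit`, which returns the status of the preceding `echo` (0), so a missing dependency makes configure report success to the calling build script; the removed libdnet branches had the same flaw and the new code keeps it. Use `exit 1`, or the autoconf idiom `AC_MSG_ERROR([razorback_api library not found; see http://sourceforge.net/projects/razorbacktm/])`, which exits non-zero and records the failure in config.log. Separately, `export PKG_CONFIG_PATH=$prefix/lib/pkgconfig:$PKG_CONFIG_PATH` runs even when `--enable-rzb-saac` is not given, and if I recall autoconf correctly `$prefix` still holds the literal `NONE` at this point unless `--prefix` was passed, so the exported path is likely `NONE/lib/pkgconfig`; moving the export inside the `enable_rzb_saac` test and substituting `$ac_default_prefix` when `test "x$prefix" = xNONE` would address both. The new `if test "x$enable_flexresp2" = "xyes"` check references an option whose `AC_ARG_ENABLE(flexresp2, ...)` this hunk deletes; unless it is re-declared elsewhere in configure.in (not visible here) that branch and its warning are dead.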
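Review bot: In the new yylex_destroy probe, `if test -z $version; then` and `if test $version; then` leave `$version` unquoted, so they rely on `test` with zero or one argument behaving as intended rather than on an explicit emptiness check; write `if test -z "$version"; then` and `if test -n "$version"; then` so the intent is clear and the script does not depend on what `$LEX --version` happens to print. `$LEX --version` is also spawned twice when the third awk field is empty; capturing the output once into a variable and running both `awk` passes over it is simpler. The five nested `if` levels comparing `$major`, `$minor` and `$subminor` would read more easily as a single comparison of a normalised number, e.g. `ver=$(($major * 10000 + $minor * 100 + $subminor)); if test $ver -ge 20509; then have_yylex_destroy="yes"; fi`, guarded by the existing `test $major -a $minor -a $subminor` so non-numeric fields never reach the arithmetic.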
@@ -1477,9 +1665,12 @@ echo $CFLAGS > cflags.out echo $CPPFLAGS > cppflags.out -INCLUDES='-I$(top_srcdir) -I$(top_srcdir)/src -I$(top_srcdir)/src/sfutil $(extra_incl) -I$(top_srcdir)/src/output-plugins -I$(top_srcdir)/src/detection-plugins -I$(top_srcdir)/src/dynamic-plugins -I$(top_srcdir)/src/preprocessors -I$(top_srcdir)/src/preprocessors/portscan -I$(top_srcdir)/src/preprocessors/HttpInspect/include -I$(top_srcdir)/src/preprocessors/Stream5 -I$(top_srcdir)/src/target-based' +INCLUDES='-I$(top_srcdir) -I$(top_srcdir)/src -I$(top_srcdir)/src/sfutil $(extra_incl) -I$(top_srcdir)/src/output-plugins -I$(top_srcdir)/src/detection-plugins -I$(top_srcdir)/src/dynamic-plugins -I$(top_srcdir)/src/preprocessors -I$(top_srcdir)/src/preprocessors/portscan -I$(top_srcdir)/src/preprocessors/HttpInspect/include -I$(top_srcdir)/src/preprocessors/Stream5 -I$(top_srcdir)/src/target-based -I$(top_srcdir)/src/control' AC_SUBST(INCLUDES) +AC_SUBST(CONFIGFLAGS) +AC_SUBST(CCONFIGFLAGS) +AC_SUBST(ICONFIGFLAGS) AC_PROG_INSTALL AC_CONFIG_FILES([ \ @@ -1487,6 +1678,7 @@ Makefile \ src/Makefile \ src/sfutil/Makefile \ +src/control/Makefile \ src/detection-plugins/Makefile \ src/dynamic-examples/Makefile \ src/dynamic-examples/dynamic-preprocessor/Makefile \ 
@@ -1497,13 +1689,22 @@ src/dynamic-plugins/sf_preproc_example/Makefile \ src/dynamic-preprocessors/Makefile \ src/dynamic-preprocessors/libs/Makefile \ +src/dynamic-preprocessors/libs/snort_preproc.pc \ src/dynamic-preprocessors/ftptelnet/Makefile \ src/dynamic-preprocessors/smtp/Makefile \ src/dynamic-preprocessors/ssh/Makefile \ -src/dynamic-preprocessors/dcerpc/Makefile \ +src/dynamic-preprocessors/sip/Makefile \ +src/dynamic-preprocessors/reputation/Makefile \ +src/dynamic-preprocessors/gtp/Makefile \ src/dynamic-preprocessors/dcerpc2/Makefile \ +src/dynamic-preprocessors/pop/Makefile \ +src/dynamic-preprocessors/imap/Makefile \ +src/dynamic-preprocessors/sdf/Makefile \ src/dynamic-preprocessors/dns/Makefile \ src/dynamic-preprocessors/ssl/Makefile \ +src/dynamic-preprocessors/modbus/Makefile \ +src/dynamic-preprocessors/dnp3/Makefile \ +src/dynamic-preprocessors/rzb_saac/Makefile \ src/output-plugins/Makefile \ src/preprocessors/Makefile \ src/preprocessors/HttpInspect/Makefile \ @@ -1522,12 +1723,16 @@ src/target-based/Makefile \ doc/Makefile \ contrib/Makefile \ -schemas/Makefile \ rpm/Makefile \ preproc_rules/Makefile \ m4/Makefile \ etc/Makefile \ +schemas/Makefile \ templates/Makefile \ +tools/Makefile \ +tools/control/Makefile \ +tools/u2boat/Makefile \ +tools/u2spewfoo/Makefile \ src/win32/Makefile]) AC_OUTPUT 
@@ -1553,3 +1758,25 @@ EOF fi + +if test "x$configuring_database" = "xyes"; then + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" + echo "!! WARNING: Database output plugins are deprecated as of Snort 2.9.2 and will be" + echo "!! removed in Snort 2.9.3. The recommended approach to logging is to" + echo "!! use unified2 with barnyard2 or similar." + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" +fi + +if test "x$enable_aruba" = "xyes"; then + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" + echo "!! WARNING: Arubu output plugin is deprecated as of Snort 2.9.2 and will be" + echo "!! removed in Snort 2.9.3." + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" +fi + +if test "x$enable_prelude" = "xyes"; then + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" + echo "!! WARNING: Prelude output plugin is deprecated as of Snort 2.9.2 and will be" + echo "!! removed in Snort 2.9.3." + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" +fi diff -Nru snort-2.8.5.2/contrib/Makefile.in snort-2.9.2/contrib/Makefile.in --- snort-2.8.5.2/contrib/Makefile.in 2009-10-19 21:17:58.000000000 +0000 +++ snort-2.9.2/contrib/Makefile.in 2011-12-07 19:23:17.000000000 +0000 @@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. 
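Review bot: The new Aruba deprecation banner misspells the plugin name in a user-facing message: `echo "!! WARNING: Arubu output plugin is deprecated as of Snort 2.9.2 and will be"` should read `Aruba`, matching the `--enable-aruba` option it refers to. The three banners repeat the same 80-character `!!!` border six times; a single `deprecation_border="!!!...!!!"` variable, or a small shell function that takes the message lines, would keep them consistent and make the next deprecation a one-line addition. The `enable_prelude` variable tested here is set outside this hunk.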
@@ -15,8 +16,9 @@ @SET_MAKE@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c @@ -41,6 +43,7 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = depcomp = am__depfiles_maybe = SOURCES = @@ -55,31 +58,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ @@ -92,12 +95,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -105,20 +114,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -150,6 +166,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -162,6 +179,7 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies 
@@ -175,14 +193,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign contrib/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign contrib/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign contrib/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign contrib/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -200,6 +218,7 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): mostlyclean-libtool: -rm -f *.lo @@ -229,13 +248,17 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done 
@@ -263,6 +286,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -281,6 +305,8 @@ html: html-am +html-am: + info: info-am info-am: @@ -289,18 +315,28 @@ install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am @@ -334,6 +370,7 @@ maintainer-clean-generic mostlyclean mostlyclean-generic \ mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/debian/changelog snort-2.9.2/debian/changelog --- snort-2.8.5.2/debian/changelog 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/changelog 2012-02-14 10:47:26.000000000 +0000 
@@ -1,3 +1,102 @@ +snort (2.9.2-3ubuntu1) precise; urgency=low + + * Merge from Debian testing. (LP: #931454) Remaining changes: + - debian/rules: use mysql_config to find libraries to fix FTBFS with + multiarch libmysqlclient. + * Dropped "Fixed typo in snort.8": patched upstream. + + -- Jean-Louis Dupond Tue, 14 Feb 2012 12:47:26 +0200 + +snort (2.9.2-3) unstable; urgency=low + + * Restore code from the 2.8.5.2-5 package onwards which was lost when + the version of experimental was moved to the archive. + - Now /var/lib/snort is created through package configuration, as + it should have been + - Remove md5sum files when purging (Closes: #657038) + * debian/rules: + - Enable IPv6 support which was optional in version 2.8 for the Snort + binary package. This is not enabled for the database binary packages + (snort-pgsql and snort-mysql) as the database schemas do not support + IPv6. (Closes: #633064) (LP: #703707) + - Include the quilt makefile and add dependencies in -stamp and + clean targets + * debian/snort.init.d: + - Do not abort if the package is not configured to use a database but + the db-pending-config semaphore is found. Remove it instead and + continue. This can happen if a database-related package was installed, + removed and then 'snort' is installed afterwards. + (LP: #316878, #639755, #722488, #754230, #798608, #876615, #816634, #891904, #918250) + * debian/snort-{mysql,pgsql}.postrm: + - Remove the db-pending-config semaphore file when removing the package. + This prevents errors with the snort.init.d logic if a database package + is left unconfigured and then replaced with the snort (non-database) + package. 
+ * debian/README-database.Debian: Indicate that database support will be + deprecated in 2.9 and document that IPv6 is not supported either + * debian/control: + - Add Build-Depends on quilt + - Add VCS entries + - Put the complete maintainer's name in UTF-8 + - Change Uploaders, add Andrew Pollock and remove Pascal Hakim + - Update Standards Version + + -- Javier Fernández-Sanguino Peña Wed, 25 Jan 2012 22:24:30 +0100 + +snort (2.9.2-2) unstable; urgency=low + + * debian/control: Add net-tools to Depends: of snort, snort-mysql and + snort-pgsql since 'ifconfig' is required for the configuration script + to work. (Closes: #656445) + * debian/snort{,-mysql,-psql}.postinst: Create the checksum directory if it + does not exist right at the beginning since it might not be created. + (Closes: #656445) + + -- Javier Fernandez-Sanguino Pen~a Thu, 19 Jan 2012 20:34:02 +0100 + +snort (2.9.2-1) unstable; urgency=low + + [ Andrew Pollock ] + * New upstream release, upload to unstable + - Fixes CVE-2009-3641: DoS while printing specially-crafted IPv6 packet + using the -v option (Closes: 553584) + - The package no longer build-depends on iptables-dev and the negated list + of architectures is no longer used (Closes: 634660) + - debian/patches/config: Patch the configuration file to remove include + files not currently available (Closes: #619446) + - This version is fully supported rule-wise (LP: #872582) + * Switch to dpkg-source 3.0 (quilt) format + * Port across all changes from Snort 2.8.5.2-5 and later in unstable + * debian/snort.postinst: create the directory that the checksum for + snort.debian.conf will be created in if it doesn't already exist + * debian/rules: tell dh_makeshlibs to not call ldconfig in the + preinst/postinst of snort-common-libraries + * debian/rules: don't install README.WIN32 into snort-doc + + [ Javier Fernandez-Sanguino Peña ] + * debian/rules: + - Set enable-zlib when configuring all packages to force it to be + enabled as this is required by 
the http_inspect preprocessor which + is enabled by default (Closes: #631854) + - Included (commented) the patch provided by Clint Byrum and included in + Ubuntu to prevent snort from FTFS with libmysqlclient-dev which will be + multiarch in the future. The patch uses mysql_config to find libraries + to fix FTBFS with multiarch libmysqlclient. Not enabled since the + version of libmysqlclient in unstable currently does not support the + --variable=pkglibdir option + * debian/snort{,-inline}.config: Use LC_ALL=C when calling ifconfig to make + the postinst work when ifconfig's output is internationalised (Closes: 577033) + * debian/control: Fix link in the rules package, point to + http://www.snort.org/snort-rules/ (Closes: 646547) + * debian/my/snort-stat: Modify so that alerts with Priority but without classification + are analysed when parsing syslog information. Also set the class to 'Undefined' + instead of leaving it empty. (Closes: 590061) + * po-debconf translation updates: + - Danish, provided by Joe Dalton (Closes: 638678) + - Dutch, provided by Jeroen Schot (Closes: 654239) + + -- Javier Fernandez-Sanguino Pen~a Fri, 13 Jan 2012 21:54:25 +0100 + snort (2.8.5.2-9.1ubuntu2) precise; urgency=low * Fixed typo in snort.8 (LP: #889721) @@ -28,7 +127,7 @@ snort (2.8.5.2-9) unstable; urgency=low * debian/rules: Change gs-common Build-Depends-Indep to ghostscript fo fix - FTBFS, thanks to Andreas Metzler for the solution. (Closes: 618197) + FTBFS, thanks to Andreas Metzler for the solution. (Closes: 618197) -- Javier Fernandez-Sanguino Pen~a Sun, 10 Apr 2011 10:57:55 +0200 
@@ -59,7 +158,7 @@ the situation in which a local admin has introduced changes in the /etc/snort/snort.debian.conf configuration file manually. Keep the local changes and leave the file untouched on upgrades. (Closes: #608590) - * debian/snort-{mysql,-pgsql}.postinst: + * debian/snort-{mysql,-pgsql}.postinst: - Introduce code to be able to manage the situation in which a local admin has introduced changes in /etc/snort/database.conf and has not used dpkg-reconfigure. Keep the local changes and do not touch the 
@@ -93,26 +192,35 @@ * Lintian fixes: * debian/control: Upgrade standards version, no changes required * debian/snort.init.d: add $remote_fs to Required-Start and Required-Stop - * debian/snort.templates: Move the config_error template over to + * debian/snort.templates: Move the config_error template over to debian/snort-common.templates as it is used there * debian/snort-{mysql,pgsql}.templates: remove the config_error template there as it is not used * debian/control: Upgrade the Build-Depends on debhelper * src/parser.c: Typo fix argu*e*ment -> argument * src/preprocessors/spp_perfmonitor.c, - src/dynamic-preprocessors/dns/spp_dns.c: + src/dynamic-preprocessors/dns/spp_dns.c: Typo fix: sep*e*rated --> separated - * rules/web-misc.rules: Limit the depth when searching for an HTTP version + * rules/web-misc.rules: Limit the depth when searching for an HTTP version to prevent false positives from apt-get User-Agent string (LP: #258155) * debian/snort.init.d: Separate warning message from main messages. * debian/TODO: review contents and update -- Javier Fernandez-Sanguino Pen~a Sun, 26 Dec 2010 13:20:25 +0100 +snort (2.9.0.1-2) experimental; urgency=low + + * [ The Merry Xmas for experimental users Release ! ] + * Forward port the changes introduced in the unstable package + to experimental tool to make for smoother upgrades to the + upstream release. + + -- Javier Fernandez-Sanguino Pen~a Fri, 24 Dec 2010 19:52:48 +0100 + snort (2.8.5.2-4) unstable; urgency=high * [ The Merry Xmas and Merry RC bug fixing Release! ] - * debian/snort-common.preinst: + * debian/snort-common.preinst: - Fix how the files are generated and use Perl instead of bash's echo as the latter will interpret content in the configuration file and will botch it 
@@ -121,10 +229,10 @@ - Only generate content in database.conf if the default configuration file contains the DBSTART line from previous versions. - Be cautious, if an empty configuration file is generated then - abort. + abort. (Closes: 607951) * debian/snort.preinst: Do not output information from usermod as this is - not needed + not needed * Disable an error in rules/comunity-smtp.rules that prevents snort from loading due to the use of !any (Closes: 607751) * debian/snort-{pgsql,mysql}.postinst: Fix syntax error in postinst scripts @@ -132,7 +240,6 @@ -- Javier Fernandez-Sanguino Pen~a Fri, 24 Dec 2010 19:39:51 +0100 - snort (2.8.5.2-3) unstable; urgency=low * Move the database configuration code for the -mysql and -pgsql packages @@ -155,6 +262,24 @@ -- Javier Fernandez-Sanguino Pen~a Mon, 20 Dec 2010 15:25:49 +0100 +snort (2.9.0.1-1) experimental; urgency=low + + * New upstream release. + * Change configure.in to use 'dumbnet' instead of 'dnet' since the library + is renamed in Debian + * debian/control: + - Make it Build-Depend on libdumbnet-dev since this release now requires + it (it was previously optional) + - Remove iptables-dev (no longer required) (Closes: 634660) + * debian/rules: + - Do not use --enable-smbalerts (no longer available) when configuring + * Remove the following documentation from the installation as it is no longer + available: doc/README.FLEXRESP, doc/README.FLEXRESP2 + + * Upload to experimental until I get wider testing. + + -- Javier Fernandez-Sanguino Pen~a Thu, 11 Nov 2010 00:32:49 +0100 + snort (2.8.5.2-2) unstable; urgency=low * Remove the reverse_order debconf option since Snort no longer supports the 
@@ -271,7 +396,7 @@ (Closes: 510704) * Move the code that detects if interfaces are down over to snort-pgsql and snort-mysql. This way, if the interface defined is not available it will - prompt again, raising the debconf priority (Closes: #502084) + prompt again, raising the debconf priority (Closes: #502084) * Change all the config_parameters debconf input from 'medium' to 'error' * Change all the needs_db_config debconf questions from 'medium' to 'high' since users that do not see this note will end up with a non-functioning diff -Nru snort-2.8.5.2/debian/control snort-2.9.2/debian/control --- snort-2.8.5.2/debian/control 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/control 2012-02-14 10:47:23.000000000 +0000 
@@ -2,18 +2,48 @@ Section: net Priority: optional Maintainer: Ubuntu Developers -XSBC-Original-Maintainer: Javier Fernandez-Sanguino Pen~a -Uploaders: Pascal Hakim -Build-Depends: libnet1-dev, libpcap0.8-dev, libpcre3-dev, debhelper (>= 5.0.0), libmysqlclient15-dev | libmysqlclient-dev, libpq-dev, po-debconf (>= 0.5.0), libprelude-dev, iptables-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], libgnutls-dev -Build-Depends-Indep: texlive, texlive-latex-base, ghostscript -Standards-Version: 3.9.1 +XSBC-Original-Maintainer: Javier Fernández-Sanguino Peña +Uploaders: Andrew Pollock +Build-Depends: + libnet1-dev, + libpcap0.8-dev, + libpcre3-dev, + debhelper (>= 5.0.0), + libmysqlclient15-dev | libmysqlclient-dev, + libpq-dev, + po-debconf (>= 0.5.0), + libprelude-dev, + libgnutls-dev, + libdumbnet-dev, + libdaq-dev, + flex, + bison, + quilt +Build-Depends-Indep: + texlive, + texlive-latex-base, + ghostscript +Standards-Version: 3.9.2 Homepage: http://www.snort.org/ +Vcs-Git: git://git.debian.org/git/pkg-snort/pkg-snort.git +Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-snort/pkg-snort.git Package: snort Architecture: any Pre-Depends: adduser (>= 3.11) -Depends: snort-common-libraries (>=${binary:Version}), snort-rules-default (>= ${source:Version}), debconf (>= 0.2.80) | debconf-2.0, rsyslog | system-log-daemon, ${shlibs:Depends}, snort-common (>= ${source:Version}), logrotate, ${misc:Depends} -Conflicts: snort-mysql, snort-pgsql +Depends: + snort-common-libraries (>=${binary:Version}), + snort-rules-default (>= ${source:Version}), + snort-common (>= ${source:Version}), + debconf (>= 0.2.80) | debconf-2.0, + rsyslog | system-log-daemon, + logrotate, + net-tools, + ${shlibs:Depends}, + ${misc:Depends} +Conflicts: + snort-mysql, + snort-pgsql Replaces: snort-common (<< 2.0.2-3) Recommends: iproute Suggests: snort-doc 
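Review bot: The new `Vcs-Git: git://git.debian.org/git/pkg-snort/pkg-snort.git` and `Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-snort/pkg-snort.git` fields point at unauthenticated transports; `git://` provides no server authentication or transport integrity, so anyone following these fields to rebuild or audit the package has no protection against a tampered mirror or on-path modification. If the forge exposes the repository over HTTPS (I cannot confirm that from here), prefer `https://` URLs for both fields.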
@@ -33,7 +63,12 @@ Package: snort-common Architecture: all Pre-Depends: adduser (>= 3.11) -Depends: perl-modules, debconf (>= 0.2.80) | debconf-2.0, ${shlibs:Depends}, lsb-base, ${misc:Depends} +Depends: + perl-modules, + debconf (>= 0.2.80) | debconf-2.0, + lsb-base, + ${shlibs:Depends}, + ${misc:Depends} Conflicts: snort (<< ${binary:Version}) Replaces: snort (<< 1.8.4beta1-1) Suggests: snort-doc @@ -70,10 +105,21 @@ Architecture: any Priority: extra Pre-Depends: adduser (>= 3.11) -Depends: snort-common-libraries (>=${binary:Version}), snort-rules-default (>= ${source:Version}), debconf (>= 0.2.80) | debconf-2.0, rsyslog | system-log-daemon, ${shlibs:Depends}, snort-common (>= ${source:Version}), logrotate, ${misc:Depends} +Depends: + snort-common-libraries (>=${binary:Version}), + snort-rules-default (>= ${source:Version}), + snort-common (>= ${source:Version}), + debconf (>= 0.2.80) | debconf-2.0, + rsyslog | system-log-daemon, + logrotate, + net-tools, + ${shlibs:Depends}, + ${misc:Depends} Recommends: iproute Suggests: snort-doc -Conflicts: snort, snort-pgsql +Conflicts: + snort, + snort-pgsql Homepage: http://www.snort.org/ Description: flexible Network Intrusion Detection System [MySQL] Distribution of Snort with support for logging to a MySQL database. 
@@ -91,10 +137,22 @@ Provides: snort Architecture: any Priority: optional -Depends: snort-common-libraries (>=${binary:Version}), snort-rules-default (>= ${source:Version}), debconf (>= 0.2.80) | debconf-2.0, adduser (>= 3.11), rsyslog | system-log-daemon, ${shlibs:Depends}, snort-common (>= ${source:Version}), logrotate, ${misc:Depends} +Depends: + snort-common-libraries (>=${binary:Version}), + snort-rules-default (>= ${source:Version}), + snort-common (>= ${source:Version}), + debconf (>= 0.2.80) | debconf-2.0, + adduser (>= 3.11), + rsyslog | system-log-daemon, + logrotate, + net-tools, + ${shlibs:Depends}, + ${misc:Depends} Recommends: iproute Suggests: snort-doc -Conflicts: snort, snort-mysql +Conflicts: + snort, + snort-mysql Description: flexible Network Intrusion Detection System [PostgreSQL] Distribution of Snort with support for logging to a PostgreSQL dbase. . @@ -110,10 +168,14 @@ Package: snort-rules-default Provides: snort-rules Architecture: all -Depends: debconf (>= 0.2.80) | debconf-2.0, adduser (>= 3.11), ${shlibs:Depends}, ${misc:Depends} +Depends: + debconf (>= 0.2.80) | debconf-2.0, + adduser (>= 3.11), + ${shlibs:Depends}, + ${misc:Depends} Suggests: snort (>= 2.2.0) | snort-pgsql (>= 2.2.0) | snort-mysql (>= 2.2.0) Recommends: oinkmaster -Homepage: http://www.snort.org/rules/ +Homepage: http://www.snort.org/snort-rules/ Description: flexible Network Intrusion Detection System ruleset Snort default ruleset which provides a common set of accepted and test network intrusion detection rules developed by the Snort community. diff -Nru snort-2.8.5.2/debian/my/snort-stat snort-2.9.2/debian/my/snort-stat --- snort-2.8.5.2/debian/my/snort-stat 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/my/snort-stat 2012-01-25 20:12:11.000000000 +0000 
@@ -72,7 +72,7 @@ $line=<>; } if ( $line =~ m/^\[Priority\:\s(\d+)\]/ox) { - $alert->{PRIORITY} = $1; + $alert->{CLASS} = "Undefined"; $alert->{PRIORITY} = $1; $line=<>; } if ( $line =~ m/^(\d+)\/(\d+)(?:\/\d+)?\-(\d+)\:(\d+)\:(\d+)\.(\d+)\s @@ -83,6 +83,8 @@ $alert->{MIN} = $4; $alert->{SEC} = $5; $alert->{SADDR} = $7; $alert->{SPORT} = $8; $alert->{DADDR} = $9; $alert->{DPORT} = $10; $alert->{HOST} = "localhost"; + $alert->{CLASS} = "Undefined" if ! defined ($alert->{CLASS}); + $alert->{PRIORITY} = 0 if ! defined ($alert->{PRIORITY}); process_data($alert); $lastwassnort = 1; next; } } else { @@ -125,7 +127,10 @@ (?:\[Priority\:\s(\d+)\])//x ) { $alert->{CLASS} = $1; $alert->{PRIORITY} = $2; } - $alert->{TYPE} = "sys"; $alert->{PLUGIN} = "none"; + if ( $alert->{SIG} =~ s/^\[Priority\:\s(\d+)\]//x ) { + $alert->{CLASS} = "Undefined"; $alert->{PRIORITY} = $1; + } + $alert->{TYPE} = "sys"; $alert->{PLUGIN} = "none"; process_data($alert); $lastwassnort = 1; next; } } else { diff -Nru snort-2.8.5.2/debian/patches/config snort-2.9.2/debian/patches/config --- snort-2.8.5.2/debian/patches/config 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/debian/patches/config 2012-01-25 18:02:42.000000000 +0000 
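Review bot: The syslog path in the `@@ -125,7 +127,10 @@` hunk still reaches `process_data($alert)` with `CLASS` and `PRIORITY` undefined when the line matches neither the multi-line classification pattern above it nor the new bare `[Priority: N]` substitution, while the `@@ -83,6 +83,8 @@` hunk now defaults both before its own `process_data` call. Unless `process_data` tolerates undef (not visible here), the same two guards belong after the new `if` block: `$alert->{CLASS} = "Undefined" if ! defined ($alert->{CLASS}); $alert->{PRIORITY} = 0 if ! defined ($alert->{PRIORITY});`. The literal `"Undefined"` now appears in three places across these hunks; a single `my $UNDEF_CLASS = "Undefined";` near the top of the script would keep them in step. The enclosing read loop starts and ends outside these hunks.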
@@ -0,0 +1,162 @@ +Description: Debianize the upstream Snort configuration file + Make the paths FHS compliant + Add in additional rules shipped with the Debian package +Author: Javier Fernandez-Sanguino Pen~a +Origin: vendor +Last-Update: 2011-11-28 + +--- snort-2.9.2.orig/etc/snort.conf ++++ snort-2.9.2/etc/snort.conf +@@ -46,6 +46,7 @@ ipvar HOME_NET any + + # Set up the external network addresses. Leave as "any" in most situations + ipvar EXTERNAL_NET any ++#ipvar EXTERNAL_NET !$HOME_NET + + # List of DNS servers on your network + ipvar DNS_SERVERS $HOME_NET +@@ -95,9 +96,9 @@ ipvar AIM_SERVERS [64.12.24.0/23,64.12.2 + # Path to your rules files (this can be a relative path) + # Note for Windows users: You are advised to make this an absolute path, + # such as: c:\snort\rules +-var RULE_PATH ../rules +-var SO_RULE_PATH ../so_rules +-var PREPROC_RULE_PATH ../preproc_rules ++var RULE_PATH /etc/snort/rules ++var SO_RULE_PATH /etc/snort/so_rules ++var PREPROC_RULE_PATH /etc/snort/preproc_rules + + ################################################### + # Step #2: Configure the decoder. 
For more information, see README.decode +@@ -217,13 +218,13 @@ config event_queue: max_queue 8 log 3 or + ################################################### + + # path to dynamic preprocessor libraries +-dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/ ++dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/ + + # path to base preprocessor engine +-dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so ++dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so + + # path to dynamic rules libraries +-dynamicdetection directory /usr/local/lib/snort_dynamicrules ++# dynamicdetection directory /usr/lib/snort_dynamicrules + + ################################################### + # Step #5: Configure preprocessors +@@ -477,11 +478,19 @@ preprocessor pop: \ + # output alert_syslog: LOG_AUTH LOG_ALERT + + # pcap +-# output log_tcpdump: tcpdump.log ++output log_tcpdump: tcpdump.log + + # database + # output database: alert, , user= password= test dbname= host= + # output database: log, , user= password= test dbname= host= ++# ++# On Debian Systems, the database configuration is kept in a separate file: ++# /etc/snort/database.conf. ++# This file can be empty, if you are not using any database information ++# If you are using databases, please edit that file instead of this one, to ++# ensure smoother upgrades to future versions of this package. 
++include database.conf ++# + + # prelude + # output alert_prelude +@@ -504,47 +513,63 @@ include $RULE_PATH/local.rules + include $RULE_PATH/attack-responses.rules + include $RULE_PATH/backdoor.rules + include $RULE_PATH/bad-traffic.rules +-include $RULE_PATH/blacklist.rules +-include $RULE_PATH/botnet-cnc.rules ++# include $RULE_PATH/blacklist.rules ++# include $RULE_PATH/botnet-cnc.rules + include $RULE_PATH/chat.rules +-include $RULE_PATH/content-replace.rules ++# include $RULE_PATH/content-replace.rules + include $RULE_PATH/ddos.rules + include $RULE_PATH/dns.rules + include $RULE_PATH/dos.rules ++include $RULE_PATH/community-dos.rules + include $RULE_PATH/exploit.rules ++include $RULE_PATH/community-exploit.rules + include $RULE_PATH/finger.rules + include $RULE_PATH/ftp.rules ++include $RULE_PATH/community-ftp.rules + include $RULE_PATH/icmp.rules + include $RULE_PATH/icmp-info.rules + include $RULE_PATH/imap.rules ++include $RULE_PATH/community-imap.rules + include $RULE_PATH/info.rules + include $RULE_PATH/misc.rules + include $RULE_PATH/multimedia.rules + include $RULE_PATH/mysql.rules + include $RULE_PATH/netbios.rules + include $RULE_PATH/nntp.rules ++include $RULE_PATH/community-nntp.rules + include $RULE_PATH/oracle.rules ++include $RULE_PATH/community-oracle.rules + include $RULE_PATH/other-ids.rules + include $RULE_PATH/p2p.rules +-include $RULE_PATH/phishing-spam.rules ++# include $RULE_PATH/phishing-spam.rules + include $RULE_PATH/policy.rules ++# include $RULE_PATH/community-policy.rules ++# include $RULE_PATH/community-inappropriate.rules ++# include $RULE_PATH/community-game.rules ++# include $RULE_PATH/community-misc.rules + include $RULE_PATH/pop2.rules + include $RULE_PATH/pop3.rules + include $RULE_PATH/rpc.rules + include $RULE_PATH/rservices.rules +-include $RULE_PATH/scada.rules ++# include $RULE_PATH/scada.rules + include $RULE_PATH/scan.rules ++# Note: this rule is extremely chatty, enable with care + include $RULE_PATH/shellcode.rules 
+ include $RULE_PATH/smtp.rules ++include $RULE_PATH/community-smtp.rules + include $RULE_PATH/snmp.rules +-include $RULE_PATH/specific-threats.rules +-include $RULE_PATH/spyware-put.rules ++# include $RULE_PATH/specific-threats.rules ++# include $RULE_PATH/spyware-put.rules + include $RULE_PATH/sql.rules + include $RULE_PATH/telnet.rules + include $RULE_PATH/tftp.rules + include $RULE_PATH/virus.rules +-include $RULE_PATH/voip.rules +-include $RULE_PATH/web-activex.rules ++include $RULE_PATH/community-virus.rules ++include $RULE_PATH/community-bot.rules ++# include $RULE_PATH/voip.rules ++include $RULE_PATH/community-sip.rules ++# Specific web server rules: ++# include $RULE_PATH/web-activex.rules + include $RULE_PATH/web-attacks.rules + include $RULE_PATH/web-cgi.rules + include $RULE_PATH/web-client.rules +@@ -553,6 +578,20 @@ include $RULE_PATH/web-frontpage.rules + include $RULE_PATH/web-iis.rules + include $RULE_PATH/web-misc.rules + include $RULE_PATH/web-php.rules ++include $RULE_PATH/web-attacks.rules ++include $RULE_PATH/community-sql-injection.rules ++include $RULE_PATH/community-web-client.rules ++include $RULE_PATH/community-web-dos.rules ++include $RULE_PATH/community-web-iis.rules ++include $RULE_PATH/community-web-misc.rules ++include $RULE_PATH/community-web-php.rules ++include $RULE_PATH/web-attacks.rules ++include $RULE_PATH/community-sql-injection.rules ++include $RULE_PATH/community-web-client.rules ++include $RULE_PATH/community-web-dos.rules ++include $RULE_PATH/community-web-iis.rules ++include $RULE_PATH/community-web-misc.rules ++include $RULE_PATH/community-web-php.rules + include $RULE_PATH/x11.rules + + ################################################### diff -Nru snort-2.8.5.2/debian/patches/documentation snort-2.9.2/debian/patches/documentation --- snort-2.8.5.2/debian/patches/documentation 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/debian/patches/documentation 2012-01-25 18:02:42.000000000 +0000 
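Review bot: The `@@ -553,6 +578,20 @@` block adds the run `web-attacks.rules`, `community-sql-injection.rules` … `community-web-php.rules` twice verbatim, and `web-attacks.rules` is already loaded by the context line `include $RULE_PATH/web-attacks.rules` in the preceding block, so each of those files is included two or three times. Snort requires a unique sid/gid pair per rule (stated in the RELEASE.NOTES.2.6 text this commit also adds), so the duplicate `include` lines are likely to be rejected or flagged at startup; keep one copy of the seven-line run and drop the second `include $RULE_PATH/web-attacks.rules`. Separately, `output log_tcpdump: tcpdump.log` changes from commented to active, so the packaged default writes full packet captures of every alert into the log directory, a disk-growth and data-sensitivity change that deserves a line in the patch `Description` or should stay commented as upstream ships it. The new comment `# Note: this rule is extremely chatty, enable with care` is placed above `include $RULE_PATH/shellcode.rules`, which is left enabled, so the note and the setting disagree.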
@@ -0,0 +1,435 @@ +Description: Additional documentation +Last-Update: 2011-11-28 + +--- /dev/null ++++ snort-2.9.2/doc/RELEASE.NOTES.2.3 +@@ -0,0 +1,133 @@ ++2005-04-22 - Snort 2.3.3 Released ++ ++* Fixed sfPortscan Open Ports not getting suppressed. ++ ++* Added new mini-preprocessor to catch the X-Link2State vulnerability. ++ See Snort manual for details. ++ ++2005-03-10 - Snort 2.3.2 Released ++ ++* Removed end-of-line parser fix in favor of completely reworking ++ this at the next parser overhaul. ++ ++2005-03-09 - Snort 2.3.1 Released ++ ++* Fixed issue where the number of flowbits were too small. Thanks Marc ++ Norton for the fix. ++ ++* Fixed parsing of comments at end of line in config file. In ++ snort.conf, anything that follows a # on a line is considered a ++ comment. Thanks Steve Sturges for the fix. ++ ++* Fixed alignment issue causing sfPortscan to crash on Solaris/HPUX. ++ Thanks Andy Mullican for the fix. Thanks Senthil Prabu.S and ++ Jonathan Miner for working with us on this. ++ ++2005-01-25 - Snort 2.3.0 Final Released ++ ++* Fixed issue with sfPortscan reporting incorrect IP datagram length. ++ Thanks Jon Hart for the test case and finding the bug, and Marc Norton ++ for resolving the issue. ++ ++* Threshold/Suppression now prints properly when logging to syslog. ++ Thanks Sekure for pointing out the problem. Thanks Steve Sturges for ++ working on the fix. ++ ++* Threshold memcap argument now correctly handles non-integer input. ++ Thanks nnposter for the patch. ++ ++* Fixed issue reported by Allan Jensen, where on MacOS X, ppp links were ++ not decoded properly. Thanks Dan Roelker for the fix. ++ ++* Snort manual and FAQ are updated for 2.3. Thanks Jen Harvey for your ++ work on putting it all together. ++ ++2004-12-15 - Snort 2.3.0 RC2 Released ++ ++* Small performance improvement to arpspoof and also fixed a problem ++ where the list of configured IP/MAC entries would contain only one ++ entry and leaked memory (Jeff Nathan). 
++ ++* Fixed a problem affecting MacOS X where linking may fail with ++ non-standard libraries when global symbols are encountered multiple ++ times (Jeff Nathan). ++ ++* Ignore RST|ACK midstream pickup case so we don't get an evasive TCP ++ alerts. Thanks for the report, Sekure. Thanks Dan Roelker for the fix. ++ ++* Moved CheckLogDir() to after parsing snort.conf (for IDS mode) so the ++ logdir config will work if the default or command-line logdir does not ++ exist on the system. Thanks Dan Roelker. ++ ++* Fixed bug when setting the doe_ptr on a successful pcre match. ++ It is now set relative to base_ptr. Thanks Steve Sturges for the ++ fix. ++ ++* Added from_beginning and multiplier options for byte_jump. ++ from_beginning skips bytes from the beginning of the content, ++ instead of from the location immediately following the number ++ of bytes to skip. multiplier takes a numeric argument, and ++ skips x times that number of bytes. Thanks again to Steve Sturges. ++ ++* In "fast" output, now log only actual packet contents when UDP ++ data length is greater than actual data length. Thanks Brian ++ Caswell for spotting this, and Andrew Mullican for working on the fix. ++ ++* Please check the ChangeLog for further details. ++ ++2004-11-18 - Snort 2.3.0 RC1 Released ++ ++* Added IPS functionality from Snort-Inline. A big thanks to the ++ Snort-Inline guys (Jed Haile, Rob McMillen, William Metcalf, and Victor ++ Julien). Also, Thanks Dan Roelker for doing the integrating of ++ Snort-Inline into the official Snort project. ++ ++* Added new portscan detector. The design and implementation was headed ++ up by Dan Roelker, and included Marc Norton and Jeremy Hewlett. ++ ++* Numerous changes for better 64bit Snort support from Jeremy Hewlett and ++ Marc Norton. Additionally, an --enable-64bit-gcc option was added to ++ configure. However, there are still some memory alignment issues to ++ work out before 64bit mode is fully functional, patches are welcomed. 
++ Thanks Chris Baker for doing 64bit testing. ++ ++* Added not_established keyword to the flow detection option. This allows ++ snort to do dynamic firewall rulesets. Experimental for now. ++ ++* Added an enforce_state keyword to stream4 so we won't pick up midstream ++ sessions. This works well for asynchronous links and also for ++ just monitoring legitimate traffic. ++ ++* Relocated ./contrib files to http://www.snort.org/dl/contrib as many ++ are not maintained by Sourcefire and are out of date. The rpm and ++ schema files have been relocated in their respective 'rpm' and 'schemas' ++ directories under the snort parent directory. ++ ++* perfmonitor config line can now be configured with "accumulate" or ++ "reset." Thanks Marc Norton for the feature, and Barry Basselgia for ++ pointing out the issue. Thanks Scott Dexter and Andreas Ostling for ++ doing some initial testing. ++ ++* Fixed 64-bit bug in sfmemcap.c found and tested by Ryan Matteson ++ and Clay McClure. Thanks guys. ++ ++* Fixed reference times to match log time for first packet, for an event ++ generated by a reassembled packet. Incremented event ID to give ++ unique ID for each packet. Also made unified logging compatible with ++ Windows. Thanks Andrew Mullican for the fix. ++ ++* Fixed linux perfmonitoring stats for the 2.6 kernel. Thanks to ++ everyone that reported this bug. Thanks Dan Roelker for the fix. ++ ++* Get thresholding/suppression to work for alerts that do not ++ contain an ip header (primarily decode alerts). Thanks ++ Brian Caswell. ++ ++* Fix conditions where snort would log double web alerts that ++ contained only content options (no uricontents). Thanks to kawa for ++ finding and reporting this bug. ++ ++* Fix suppression/thresholding bug for non-rule alerts. Thanks to ++ Alex Butcher for reporting it to us. ++ ++* Many other bug fixes, please check the ChangeLog for details. 
+--- /dev/null ++++ snort-2.9.2/doc/RELEASE.NOTES.2.6 +@@ -0,0 +1,114 @@ ++2007-05-09 - Snort 2.6.1.5 Released ++[*] New Additions ++ * Updated HttpInspect to normalize parameters that are part of the ++ client request body in the same way it normalizes HTTP URIs. ++ Added a modifier keyword to be used in conjunction with a content ++ option in the rules to search only the normalized HTTP client request ++ body. Also added stats for HttpInspect to track number of various ++ types of normalizations and HTTP methods. ++ ++[*] Improvements ++ * Fix header files to avoid conflicts with system files on BSD for ++ IPv6 data structures. ++ ++ * Fix possible memory leak in Stream4 when HttpInspect is being ++ used. ++ ++2007-03-26 - Snort 2.6.1.4 Released ++[*] New Additions ++ * Added detection for BSD IPv6 fragmentation overflow (CVE-2007-1365). ++ New options configure the behavior of the detection and new decoder ++ alerts for truncated IPv6 headers and a Fragmentation alert for the ++ specific overflow attack. ++ ++[*] Security Improvements ++ * Updated code to use safer functions that perform bounds checking ++ when doing string or memory copies and snprintf buffer writes. ++ Ensure null termination on string buffers and perform initialization ++ on memory allocations. ++ ++2007-02-18 - Snort 2.6.1.3 Released ++[*] Improvements ++ * Updated DCE/RPC dynamic protocol normalizer to perform additional ++ boundary checking when reassembling SMB fragments. This addresses ++ a potential remotely exploitable stack-based buffer overflow. ++ ++ * Updated Frag3 to protect against potential for fragments without ++ ethernet header being passed from iptables to Snort inline. ++ ++2006-12-07 - Snort 2.6.1.2 Released ++[*] Improvements ++ * Fixed problem with snort using high CPU and potentially reprocessing ++ the same TCP reassembled packets with a sequence number wrap and ++ packets missing from the queue (out of order, dropped, or async ++ network). 
++ ++ * Updated DCE/RPC dynamic protocol normalizer to protect against ++ integer underflow conditions. ++ ++ * Updated unified output plugin to work correctly on certain 64bit ++ platforms where timeval structure is a different size. A patch ++ to barnyard that is associated with this fix can be found at: ++ http://secure.lv/~nikns/stuff/barnyard_64bit.diff. ++ ++2006-11-22 - Snort 2.6.1.1 Released ++[*] Improvements ++ * Fixed problem with snort using high CPU and potentially reprocessing ++ the same TCP reassembled packets at session end or TCP ACK of only ++ part of a packet. ++ ++2006-11-16 - Snort 2.6.1 Released ++[*] New Additions ++ * Support for UDP "session" tracking to Stream4. Enable via ++ --enable-stream4udp option to configure script. This allows ++ the use of flow option with UDP rules. Includes tracking ++ of stats for UDP sessions. A session is created for rules that ++ use the flow or flowbits keywords. Also provided the ability to ++ ignore UDP any any -> any any rules as a performance improvement. ++ ++ * Stream5 (for Beta testing) as replacement for Stream4 ++ and Flow preprocessors. See README.stream for details. ++ ++ * Allow blocking of entire session in inline mode via stream API. ++ All subsequent packets on that session are blocked. ++ ++ * Dynamic DCE/RPC protocol normalizer and defragmentation ++ module. See README.dcerpc for details. ++ ++ * SSH (for Beta testing) protocol analyzer. See README.ssh for ++ details. ++ ++ * Support for GRE encapsulated protocol (experimental). Enable via ++ --enable-gre option to configure script. ++ ++ * Aruba networks output plugin (experimental). See README.ARUBA for ++ details. Enable via --enable-aruba option to configure script. ++ ++ * Smaller memory footprint pattern mattcher using Aho-Corasick, ++ using NFA. Use 'config detection: search-method ac-bnfa' to ++ enable. This will become the default pattern matcher in future ++ releases. Wu-Manhber has been deprecated (mwm). 
++ ++[*] Improvements ++ ++ * Added parameter to dynamicengine to allow specification of ++ directory instead of implicit file. This will load all engine shared ++ libraries within the specified directory. Can also use ++ --dynamic-engine-lib-dir command-line option. Fix handling of ++ loading multiple instances of the same dynamic library (engine, ++ detection, or preprocessor). ++ ++ * Updates to HTTP inspect to handle different versions of IIS with ++ the related iis profiles. See README.httpinspect for details. ++ ++ * Cleaned up inline initialization to better handle test mode. ++ ++ * Updates to interface dependent variable definitions. ++ ++ * Added stats for packets not yet processed -- those that are still in ++ the buffer used by pcap. ++ ++ * Fixed issue with fewer alerts being generated when snort is compiled ++ with gcc 4.x by using no-strict-aliasing flag. ++ ++ * Require each rule to have a unique sid/gid pair. +--- snort-2.9.2.orig/doc/README.database ++++ snort-2.9.2/doc/README.database +@@ -332,6 +332,9 @@ IV. Changelog + + V. Changelog of Database schema + ++2007-03-15 -- v107 ++ + ALL: Updated to include signature.sig_gid to log the generator ID ++ + 2002-09-03 -- v106 + + ALL: added sensor.last_cid to store the last used cid for a + given sid +--- /dev/null ++++ snort-2.9.2/doc/RELEASE.NOTES.2.7 +@@ -0,0 +1,23 @@ ++2007-07-09 - Snort 2.7.0 ++ ++[*] New Additions ++ * Stream5 is now the default stream processor and replaces both flow ++ and Stream4. Refer to the Snort manual and README.stream5 for ++ details on how to configure it for OS target-specific TCP ++ processing. ++ ++[*] Improvements ++ * Fixed header files to avoid conflicts with system files on BSD for ++ IPv6 data structures. ++ ++ * Reduced memory footprint for smtp preprocessor. ++ ++ * Ensured Snort frees memory from preprocessors before exit. Only ++ outstanding memory in use is related to pattern matcher and ++ rules. 
++ ++[*] Security Improvements ++ * Further updates that use safer functions that perform bounds checking ++ when doing string or memory copies and snprintf buffer writes. ++ Ensure null termination on string buffers and perform initialization ++ on memory allocations. +--- /dev/null ++++ snort-2.9.2/doc/RELEASE.NOTES.2.4 +@@ -0,0 +1,138 @@ ++2006-06-05 - Snort 2.4.5 Released ++ * Fixed potential evasion in URI content buffers ++ * Fixed potential evasion in Stream4 ++ ++2006-03-08 - Snort 2.4.4 Released ++[*] Improvements ++ * Fixed ip options handling in Frag3. ++ * Fixed bug in Wu-Manbher implementation regarding multiple ++ recurring patterns. ++ * Fixed a config file parsing bug which required DNS resolution ++ in certain circumstances. ++ * Updated perfmonitor to properly handle wraps on 64 bit platforms. ++ * Fixed crash in portscan related to bogus data in sfxhash. ++ * Fixed memory leak in Frag3. ++ * Allow use of 0 as a value to -G. ++ ++2005-10-17 - Snort 2.4.3 Released ++[*] Improvements ++ * Fixed possible buffer overflow in back orifice preprocessor. ++ * Added snort.conf options to bo preprocessor for finer control of ++ alerting and dropping of bo traffic. ++ * Added alert to detect the bo buffer overflow attack against snort. ++ ++2005-09-28 - Snort 2.4.2 Released ++[*] Improvements ++ * Fixed crash bug with -T and default logging setup first reported by ++ Zultan. ++ * Corrected Win32 directory setup for new WinPCAP. ++ ++2005-09-16 - Snort 2.4.1 Released ++[*] New additions ++ * Added a -K command line option to manually select the logging mode using ++ a single switch. The -b and -N switches will be deprecated in version ++ 2.7. Pcap logging is now the default for Snort at startup, use "-K ascii" ++ to revert to old behavior. ++ ++[*] Improvements ++ * Win32 version now supports winpcap 3.1 and MySQL client 4.13. ++ * Added event on zero-length RPC fragments. ++ * Fixed TCP SACK processing for text based outputs that could result in a ++ DoS. 
++ * General improvements to frag3 including Teardrop detection fix. ++ * Fixed a bug in the PPPoE decoder. ++ * Added patch for time stats from Bill Parker. Enable with configure ++ --enable-timestats. ++ * Fixed IDS mode bailing at startup if logdir is specified in snort.conf ++ and /var/log/snort doesn't exist. ++ * Added decoder for IPEnc for OpenBSD. Thanks Jason Ish for the patch ++ (long time ago) and Chris Kuethe for reraising the issue. ++ * Allow snort to use usernames (-u) and groupnames (-g) that include ++ numbers. Thanks to Shaick for the patch. ++ * Fixed broken -T option. ++ * Change ip_proto to ip for portscan configuration. Thanks David Bianco ++ for pointing this out. ++ * Fix for prelude initialization. Thanks Yoann Vandoorselaere for the ++ update. ++ * For content matches, when subsequent rule options fail, start searching ++ again in correct location. ++ * Updated Win32 to handle pflog patch. ++ * Added support for new OpenBSD pflog format. Older pflog format, ++ OpenBSD 3.3 and earlier is still supported. Thanks Breno Leitao ++ and Christian Reis for the patch. ++ * Added statistics counter for ETH_LOOPBACK packets. Thanks rmkml ++ for the patch. ++ ++2005-07-22 - Snort 2.4.0 Released ++ ++[*] Distribution Change ++ * Rules are no longer distributed as part of the Snort releases, they are ++ available as a separate download from snort.org. This was done for ++ three reasons: ++ 1) To better manage the new rules licensing. ++ 2) To reduce the size of the engine download. ++ 3) To move the thousands of documentation files for the rules into ++ the rules tarballs. If you've ever checked Snort out of CVS you'll ++ know why this is a Good Thing. ++ ++[*] New additions ++ * Added new IP defragmentation preprocessor, Frag3. The frag3 preprocessor ++ is a target-based IP defragmentation module, and is intended as a ++ replacement for the frag2 module. Check out the README.frag3 for full ++ info on this new preprocessor. 
++ ++ * Libprelude support has been added (enable with --enable-prelude). ++ Thanks Yoann Vandoorselaere! ++ ++ * An "ftpbounce" rule detection plugin was added for easier detection of ++ FTP bounce attacks. ++ ++ * Added a new Snort config option, "ignore_ports," to ignore packets ++ based on port number. This is similar to bpf filters, but done within ++ snort.conf. ++ ++[*] Improvements ++ * Snort startup messages printed in syslog now contain a PID before each ++ entry. Thanks Sekure for initially bringing this up. ++ ++ * Stream4: Performance improvements. ++ ++ * Stream4: Added 'max_session_limit' option which limits number of ++ concurrent sessions tracked. Added favor_old/favor_new options that ++ affect order in which packets are put together for reassembly. ++ ++ * Stream4: New configuration options to manage flushpoints for improved ++ anti-evasion. The flush_behavior option selects flushpoint management ++ mode. New flush_base, flush_range, and flush_seed manage randomized ++ flushing. Check out the snort.conf file for full config data on the ++ new flush options. ++ ++ * Added two more alerts for BackOrifice client and server packets. This ++ allows specific alerts to be suppressed. ++ ++ * PerfMon preprocessor updated to include more detailed stats for rebuilt ++ packets (applayer, wire, fragmented & TCP). Also added 'atexitonly' ++ option that dumps stats at exit of snort, and command line -Z flag to ++ specify the file to which stats are logged. ++ ++ * Added new Http Inspect config item, "tab_uri_delimiter," which if ++ specified, lets a tab character (0x09) act as the delimiter for a URI. ++ ++ * Added a '-G' command line flag to snort that specifies the Snort ++ instance log identifier. It takes a single argument that can be either ++ hex (prefaced with 0x) or decimal. The unified log files will include ++ the instance ID when the -G flag is used. 
++ ++ * "Same SRC/DST" (sid 527) and "Loopback Traffic" (sid 528) are now ++ handled in the IP decoder. Those sids are now considered obsolete. ++ ++ * Http_Inspect "flow_depth" option now accepts a -1 value which tells ++ Snort to ignore all server-side traffic. ++ ++ * RPMs have been updated to be more portable, and also now include a ++ "--with inline" option for those wanting to build Inline RPMs. Thanks ++ Daniel Wittenberg and JP Vossen for your help! ++ ++ * Many, many bug fixes have also gone into this release, please see the ++ ChangeLog for details. ++ diff -Nru snort-2.8.5.2/debian/patches/fix_ftbfs_in_faq.tex snort-2.9.2/debian/patches/fix_ftbfs_in_faq.tex --- snort-2.8.5.2/debian/patches/fix_ftbfs_in_faq.tex 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/debian/patches/fix_ftbfs_in_faq.tex 2012-01-25 18:02:42.000000000 +0000 @@ -0,0 +1,33 @@ +Description: Fix FTBFS caused by html.sty being unavailable +Author: Javier Fernandez-Sanguino Pen~a + +Origin: vendor +Bug-Debian: http://bugs.debian.org/365872 +Last-Update: 2011-12-28 + + +--- snort-2.9.2.orig/doc/faq.tex ++++ snort-2.9.2/doc/faq.tex +@@ -2,7 +2,7 @@ + + %latex2html -info 0 -local_icons -show_section_numbers -link 2 -split +1 faq.tex + \documentclass{article} +-\usepackage{html} ++\usepackage{hyperref} + \usepackage{graphicx} + \usepackage{fancyhdr} + \usepackage{makeidx} +@@ -98,11 +98,11 @@ book. (route++) + + \newpage + +-\begin{latexonly} ++%\begin{latexonly} + \tableofcontents + + \newpage +-\end{latexonly} ++%\end{latexonly} + + \section{Background} + diff -Nru snort-2.8.5.2/debian/patches/fix_ftbfs_in_manual.tex snort-2.9.2/debian/patches/fix_ftbfs_in_manual.tex --- snort-2.8.5.2/debian/patches/fix_ftbfs_in_manual.tex 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/debian/patches/fix_ftbfs_in_manual.tex 2012-01-25 18:02:42.000000000 +0000 
@@ -0,0 +1,48 @@ +Description: Fix FTBFS in manual.tex caused by missing html.sty +Author: Michael Bienia +Origin: vendor +Bug-Debian: http://bugs.debian.org/436244 +Last-Update: 2011-11-28 + +--- snort-2.9.2.orig/doc/snort_manual.tex ++++ snort-2.9.2/doc/snort_manual.tex +@@ -16,7 +16,7 @@ + %\IfFileExists{url.sty}{\usepackage{url}} + % {\newcommand{\url}{\texttt}} + +-\usepackage{html} ++\usepackage{hyperref} + + % \makeatletter + +@@ -71,18 +71,18 @@ + } + %\end{latexonly} + +-\begin{htmlonly} +-\newenvironment{note}{ +- \begin{rawhtml} +-

+- Note:   +- \end{rawhtml} +-}{ +- \begin{rawhtml} +-

+- \end{rawhtml} +-} +-\end{htmlonly} ++%\begin{htmlonly} ++%\newenvironment{note}{ ++% \begin{rawhtml} ++%

++% Note:   ++% \end{rawhtml} ++%}{ ++% \begin{rawhtml} ++%

++% \end{rawhtml} ++%} ++%\end{htmlonly} + + \usepackage{babel} + diff -Nru snort-2.8.5.2/debian/patches/fix_upstream_typos snort-2.9.2/debian/patches/fix_upstream_typos --- snort-2.8.5.2/debian/patches/fix_upstream_typos 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/debian/patches/fix_upstream_typos 2012-01-25 18:02:42.000000000 +0000 @@ -0,0 +1,22 @@ +--- a/src/dynamic-preprocessors/dns/spp_dns.c ++++ b/src/dynamic-preprocessors/dns/spp_dns.c +@@ -279,7 +279,7 @@ + if (( !cur_tokenp ) || ( strcmp(cur_tokenp, "{" ))) + { + DynamicPreprocessorFatalMessage("%s(%d) Bad value specified for %s. Must start " +- "with '{' and be space seperated.\n", ++ "with '{' and be space separated.\n", + *(_dpd.config_file), *(_dpd.config_line), + DNS_PORTS_KEYWORD); + //free(argcpyp); +--- a/src/parser.c ++++ b/src/parser.c +@@ -4828,7 +4828,7 @@ + + if(filespec == NULL) + { +- FatalError("no arguement in this file option, remove extra ':' at the end of the alert option\n"); ++ FatalError("no argument in this file option, remove extra ':' at the end of the alert option\n"); + } + + /* look for ".." in the string and complain and exit if it is found */ diff -Nru snort-2.8.5.2/debian/patches/rules snort-2.9.2/debian/patches/rules --- snort-2.8.5.2/debian/patches/rules 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/debian/patches/rules 2012-01-25 18:02:42.000000000 +0000 
@@ -0,0 +1,12610 @@ +Description: Additional community rules +Origin: other +Last-Update: 2011-11-28 + +--- /dev/null ++++ b/rules/community-web-dos.rules +@@ -0,0 +1,5 @@ ++# Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# These rules are licensed under the GNU General Public License. ++# Please see the file LICENSE in this directory for more details. ++# $Id: community-web-dos.rules,v 1.8 2005/03/08 14:41:42 bmc Exp $ ++ +--- /dev/null ++++ b/rules/pop2.rules +@@ -0,0 +1,26 @@ ++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved ++# ++# This file may contain proprietary rules that were created, tested and ++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as ++# rules that were created by Sourcefire and other third parties and ++# distributed under the GNU General Public License (the "GPL Rules"). The ++# VRT Certified Rules contained in this file are the property of ++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# The GPL Rules created by Sourcefire, Inc. are the property of ++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights ++# Reserved. All other GPL Rules are owned and copyrighted by their ++# respective owners (please see www.snort.org/contributors for a list of ++# owners and their respective copyrights). In order to determine what ++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT ++# Certified Rules License Agreement. 
++# ++# ++# $Id: pop2.rules,v 1.11.2.2.2.1 2005/05/16 22:17:52 mwatchinski Exp $ ++#-------------- ++# POP2 RULES ++#-------------- ++ ++alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD overflow attempt"; flow:established,to_server; content:"FOLD"; nocase; isdataat:256,relative; pcre:"/^FOLD\s[^\n]{256}/smi"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:1934; rev:10;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD arbitrary file attempt"; flow:established,to_server; content:"FOLD"; nocase; pcre:"/^FOLD\s+\//smi"; classtype:misc-attack; sid:1935; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux overflow"; flow:established,to_server; content:"|EB|,[|89 D9 80 C1 06|9|D9 7C 07 80 01|"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:284; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux overflow"; flow:established,to_server; content:"|FF FF FF|/BIN/SH|00|"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:285; rev:8;) +--- /dev/null ++++ b/rules/backdoor.rules +@@ -0,0 +1,119 @@ ++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved ++# ++# This file may contain proprietary rules that were created, tested and ++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as ++# rules that were created by Sourcefire and other third parties and ++# distributed under the GNU General Public License (the "GPL Rules"). The ++# VRT Certified Rules contained in this file are the property of ++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# The GPL Rules created by Sourcefire, Inc. are the property of ++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights ++# Reserved. 
All other GPL Rules are owned and copyrighted by their ++# respective owners (please see www.snort.org/contributors for a list of ++# owners and their respective copyrights). In order to determine what ++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT ++# Certified Rules License Agreement. ++# ++# ++# $Id: backdoor.rules,v 1.44.2.6.2.3 2005/05/31 17:13:02 mwatchinski Exp $ ++#--------------- ++# BACKDOOR RULES ++#--------------- ++# ++ ++alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flow:to_server,established; content:"|0D 0A|[RPL]002|0D 0A|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; classtype:misc-activity; sid:103; rev:7;) ++alert tcp $HOME_NET 16959 -> $EXTERNAL_NET any (msg:"BACKDOOR subseven DEFCON8 2.1 access"; flow:from_server,established; content:"PWD"; classtype:trojan-activity; sid:107; rev:6;) ++ ++ ++alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flow:from_server,established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:109; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; classtype:misc-activity; sid:110; rev:4;) ++ ++alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"BACKDOOR NetBus Pro 2.0 connection established"; flow:from_server,established; flowbits:isset,backdoor.netbus_2.connect; content:"BN|10 00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; classtype:misc-activity; sid:115; rev:9;) ++ ++# 3150, 4120 ++alert udp $EXTERNAL_NET any -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1980; rev:4;) ++alert udp $HOME_NET 2140 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; 
reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:195; rev:7;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt [3150]"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1981; rev:3;) ++alert udp $HOME_NET 3150 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response [3150]"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1982; rev:3;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 4120 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt [4120]"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1983; rev:3;) ++alert udp $HOME_NET 4120 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response [4120]"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1984; rev:3;) ++ ++ ++alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (msg:"BACKDOOR Doly 2.0 access"; flow:established,from_server; content:"Wtzup Use"; depth:32; reference:arachnids,312; classtype:misc-activity; sid:119; rev:5;) ++alert tcp $HOME_NET 1015 -> $EXTERNAL_NET any (msg:"BACKDOOR Doly 1.5 server response"; flow:from_server,established; content:"Connected."; classtype:trojan-activity; sid:1985; rev:2;) ++ ++ ++alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 2589 (msg:"BACKDOOR - Dagger_1.4.0_client_connect"; flow:to_server,established; content:"|0B 00 00 00 07 00 00 00|Connect"; depth:16; reference:arachnids,483; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; classtype:misc-activity; sid:104; rev:7;) ++alert tcp $HOME_NET 2589 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR - Dagger_1.4.0"; flow:from_server,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|"; depth:16; reference:arachnids,484; 
reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; classtype:misc-activity; sid:105; rev:7;) ++alert tcp $EXTERNAL_NET 80 -> $HOME_NET 1054 (msg:"BACKDOOR ACKcmdC trojan scan"; flow:stateless; ack:101058054; flags:A,12; seq:101058054; reference:arachnids,445; classtype:misc-activity; sid:106; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 (msg:"BACKDOOR QAZ Worm Client Login access"; flow:to_server,established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:108; rev:6;) ++ ++ ++alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR Infector.1.x"; flow:established,from_server; content:"WHATISIT"; reference:arachnids,315; classtype:misc-activity; sid:117; rev:6;) ++alert tcp $HOME_NET 666 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR SatansBackdoor.2.0.Beta"; flow:established,from_server; content:"Remote|3A| You are connected to me."; reference:arachnids,316; classtype:misc-activity; sid:118; rev:5;) ++alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1000:1300 (msg:"BACKDOOR Infector 1.6 Server to Client"; flow:established,from_server; content:"WHATISIT"; reference:cve,1999-0660; reference:nessus,11157; classtype:misc-activity; sid:120; rev:8;) ++alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 (msg:"BACKDOOR Infector 1.6 Client to Server Connection Request"; flow:to_server,established; content:"FC "; reference:cve,1999-0660; reference:nessus,11157; classtype:misc-activity; sid:121; rev:8;) ++ ++alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"BACKDOOR HackAttack 1.20 Connect"; flow:established,from_server; content:"host"; classtype:misc-activity; sid:141; rev:5;) ++ ++alert tcp $EXTERNAL_NET !80 -> $HOME_NET 21554 (msg:"BACKDOOR GirlFriendaccess"; flow:to_server,established; content:"Girl"; reference:arachnids,98; classtype:misc-activity; sid:145; rev:5;) ++alert tcp $HOME_NET 30100 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere access"; flow:established,from_server; content:"NetSphere"; reference:arachnids,76; 
classtype:misc-activity; sid:146; rev:5;) ++alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"BACKDOOR GateCrasher"; flow:established,from_server; content:"GateCrasher"; reference:arachnids,99; classtype:misc-activity; sid:147; rev:5;) ++alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Connection"; flow:established,from_server; content:"c|3A 5C|"; classtype:misc-activity; sid:152; rev:6;) ++alert tcp $HOME_NET 23476 -> $EXTERNAL_NET any (msg:"BACKDOOR DonaldDick 1.53 Traffic"; flow:from_server,established; content:"pINg"; reference:mcafee,98575; classtype:misc-activity; sid:153; rev:6;) ++alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere 1.31.337 access"; flow:from_server,established; content:"NetSphere"; reference:arachnids,76; classtype:misc-activity; sid:155; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flow:to_server,established; content:"FTPON"; classtype:misc-activity; sid:157; rev:5;) ++alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Server FTP Open Reply"; flow:from_server,established; content:"FTP Port open"; classtype:misc-activity; sid:158; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 5032 (msg:"BACKDOOR NetMetro File List"; flow:to_server,established; content:"--"; reference:arachnids,79; classtype:misc-activity; sid:159; rev:6;) ++# alert tcp $EXTERNAL_NET 5031 -> $HOME_NET !53:80 (msg:"BACKDOOR NetMetro Incoming Traffic"; flow:stateless; flags:A+; reference:arachnids,79; classtype:misc-activity; sid:160; rev:6;) ++alert udp $EXTERNAL_NET 3344 -> $HOME_NET 3345 (msg:"BACKDOOR Matrix 2.0 Client connect"; content:"activate"; reference:arachnids,83; classtype:misc-activity; sid:161; rev:4;) ++alert udp $EXTERNAL_NET 3345 -> $HOME_NET 3344 (msg:"BACKDOOR Matrix 2.0 Server access"; content:"logged in"; reference:arachnids,83; classtype:misc-activity; sid:162; rev:4;) ++alert tcp 
$HOME_NET 5714 -> $EXTERNAL_NET any (msg:"BACKDOOR WinCrash 1.0 Server Active"; flow:stateless; flags:SA,12; content:"|B4 B4|"; reference:arachnids,36; classtype:misc-activity; sid:163; rev:9;) ++alert icmp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR SIGNATURE - Q ICMP"; dsize:>1; itype:0; reference:arachnids,202; classtype:misc-activity; sid:183; rev:4;) ++alert tcp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR Q access"; flow:stateless; dsize:>1; flags:A+; reference:arachnids,203; classtype:misc-activity; sid:184; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"BACKDOOR CDK"; flow:to_server,established; content:"ypi0ca"; depth:15; nocase; reference:arachnids,263; classtype:misc-activity; sid:185; rev:5;) ++ ++ ++alert tcp $HOME_NET 555 -> $EXTERNAL_NET any (msg:"BACKDOOR PhaseZero Server Active on Network"; flow:established,from_server; content:"phAse"; classtype:misc-activity; sid:208; rev:5;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR w00w00 attempt"; flow:to_server,established; content:"w00w00"; reference:arachnids,510; classtype:attempted-admin; sid:209; rev:4;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR attempt"; flow:to_server,established; content:"backdoor"; nocase; classtype:attempted-admin; sid:210; rev:3;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC r00t attempt"; flow:to_server,established; content:"r00t"; classtype:attempted-admin; sid:211; rev:3;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC rewt attempt"; flow:to_server,established; content:"rewt"; classtype:attempted-admin; sid:212; rev:3;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"wh00t!"; classtype:attempted-admin; sid:213; rev:4;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt lrkr0x"; flow:to_server,established; content:"lrkr0x"; 
classtype:attempted-admin; sid:214; rev:4;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"d13hh["; nocase; classtype:attempted-admin; sid:215; rev:4;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit satori attempt"; flow:to_server,established; content:"satori"; reference:arachnids,516; classtype:attempted-admin; sid:216; rev:6;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC sm4ck attempt"; flow:to_server,established; content:"hax0r"; classtype:attempted-admin; sid:217; rev:3;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Solaris 2.5 attempt"; flow:to_server,established; content:"friday"; classtype:attempted-user; sid:218; rev:4;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR HidePak backdoor attempt"; flow:to_server,established; content:"StoogR"; classtype:misc-activity; sid:219; rev:6;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR HideSource backdoor attempt"; flow:to_server,established; content:"wank"; classtype:misc-activity; sid:220; rev:6;) ++alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"BACKDOOR hack-a-tack attempt"; flow:stateless; flags:A+; content:"A"; depth:1; reference:arachnids,314; classtype:attempted-recon; sid:614; rev:8;) ++alert ip any any -> 216.80.99.202 any (msg:"BACKDOOR fragroute trojan connection attempt"; reference:bugtraq,4898; classtype:trojan-activity; sid:1791; rev:2;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 35555 (msg:"BACKDOOR win-trin00 connection attempt"; content:"png []..Ks l44"; depth:14; reference:cve,2000-0138; reference:nessus,10307; classtype:attempted-admin; sid:1853; rev:6;) ++ ++ ++# NOTES: this string should be within the first 3 bytes of the connection ++alert tcp $EXTERNAL_NET any -> $HOME_NET 33270 (msg:"BACKDOOR trinity connection attempt"; flow:to_server,established; content:"!@|23|"; 
depth:3; reference:cve,2000-0138; reference:nessus,10501; classtype:attempted-admin; sid:1843; rev:6;) ++alert tcp any any -> 212.146.0.34 1963 (msg:"BACKDOOR TCPDUMP/PCAP trojan traffic"; flow:stateless; reference:url,hlug.fscker.com; classtype:trojan-activity; sid:1929; rev:5;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR SubSeven 2.1 Gold server connection response"; flow:from_server,established; content:"connected. time/date|3A| "; depth:22; content:"version|3A| GOLD 2.1"; distance:1; reference:mcafee,10566; reference:nessus,10409; classtype:misc-activity; sid:2100; rev:6;) ++ ++alert tcp $EXTERNAL_NET any -> $HOME_NET 34012 (msg:"BACKDOOR Remote PC Access connection attempt"; flow:to_server,established; content:"|28 00 01 00 04 00 00 00 00 00 00 00|"; depth:12; reference:nessus,11673; classtype:trojan-activity; sid:2124; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR typot trojan traffic"; flow:stateless; flags:S,12; window:55808; reference:mcafee,100406; classtype:trojan-activity; sid:2182; rev:8;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR FsSniffer connection attempt"; flow:to_server,established; content:"RemoteNC Control Password|3A|"; reference:nessus,11854; classtype:trojan-activity; sid:2271; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3199 (msg:"BACKDOOR DoomJuice file upload attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html; classtype:trojan-activity; sid:2375; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BACKDOOR sensepost.exe command shell attempt"; flow:to_server,established; uricontent:"/sensepost.exe"; nocase; reference:nessus,11003; classtype:web-application-activity; sid:989; rev:11;) ++alert tcp $HOME_NET 2000 -> $EXTERNAL_NET any (msg:"BACKDOOR Insane Network 4.0 connection established"; flow:from_server,established; content:"Insane 
Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; classtype:misc-activity; sid:3015; rev:3;) ++alert tcp $HOME_NET 63536 -> $EXTERNAL_NET any (msg:"BACKDOOR Insane Network 4.0 connection established port 63536"; flow:from_server,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; classtype:misc-activity; sid:3016; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"BACKDOOR RUX the Tick get system directory attempt"; flow:to_server,established; content:"SYSDIR"; depth:6; classtype:misc-activity; sid:3011; rev:1;) ++alert tcp $HOME_NET 23432 -> $EXTERNAL_NET any (msg:"BACKDOOR Asylum 0.1 connection established"; flow:from_server,established; flowbits:isset,backdoor.asylum.connect; content:"GNT"; depth:3; classtype:misc-activity; sid:3014; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"BACKDOOR RUX the Tick get windows directory attempt"; flow:to_server,established; content:"WINDIR"; depth:6; classtype:misc-activity; sid:3010; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 23432 (msg:"BACKDOOR Asylum 0.1 connection request"; flow:to_server,established; content:"RQS"; depth:3; flowbits:set,backdoor.asylum.connect; flowbits:noalert; classtype:misc-activity; sid:3013; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 20034 (msg:"BACKDOOR NetBus Pro 2.0 connection request"; flow:to_server,established; content:"BN |00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; flowbits:set,backdoor.netbus_2.connect; flowbits:noalert; classtype:misc-activity; sid:3009; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"BACKDOOR RUX the Tick upload/execute arbitrary file attempt"; flow:to_server,established; content:"ABCJZDATEIV"; depth:11; classtype:misc-activity; sid:3012; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 1020 (msg:"BACKDOOR Vampire 1.2 connection request"; flow:to_server,established; content:"Hello..."; depth:8; 
flowbits:set,backdoor.vampire_12.connect; flowbits:noalert; classtype:misc-activity; sid:3063; rev:2;) ++alert tcp $HOME_NET 1020 -> $EXTERNAL_NET any (msg:"BACKDOOR Vampire 1.2 connection confirmation"; flow:from_server,established; flowbits:isset,backdoor.vampire_12.connect; content:"Vampire v1.2 Server On-Line....."; depth:32; classtype:misc-activity; sid:3064; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 5880 (msg:"BACKDOOR Y3KRAT 1.5 Connect Client Response"; flow:to_server,established; content:"getclient"; depth:9; flowbits:isset,backdoor.y3krat_15.connect; flowbits:set,backdoor.y3krat_15.client.response; flowbits:noalert; classtype:misc-activity; sid:3082; rev:1;) ++alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"BACKDOOR Y3KRAT 1.5 Connect"; flow:from_server,established; content:"connected"; depth:9; flowbits:set,backdoor.y3krat_15.connect; flowbits:noalert; classtype:misc-activity; sid:3081; rev:1;) ++alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"BACKDOOR Y3KRAT 1.5 Connection confirmation"; flow:from_server, established; content:"client"; depth:6; flowbits:isset, backdoor.y3krat_15.client.response; classtype:misc-activity; sid:3083; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice 2000 Inbound Traffic"; flow:to_server,established; content:"1j|D0 D9|"; classtype:trojan-activity; sid:3155; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3198 (msg:"BACKDOOR mydoom.a backdoor upload/execute attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; classtype:trojan-activity; sid:3272; rev:2;) +--- /dev/null ++++ b/rules/telnet.rules +@@ -0,0 +1,42 @@ ++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved ++# ++# This file may contain proprietary rules that were created, tested and ++# certified by Sourcefire, Inc. 
(the "VRT Certified Rules") as well as ++# rules that were created by Sourcefire and other third parties and ++# distributed under the GNU General Public License (the "GPL Rules"). The ++# VRT Certified Rules contained in this file are the property of ++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# The GPL Rules created by Sourcefire, Inc. are the property of ++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights ++# Reserved. All other GPL Rules are owned and copyrighted by their ++# respective owners (please see www.snort.org/contributors for a list of ++# owners and their respective copyrights). In order to determine what ++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT ++# Certified Rules License Agreement. ++# ++# ++# $Id: telnet.rules,v 1.35.2.4.2.5 2005/06/29 15:35:04 mwatchinski Exp $ ++#------------- ++# TELNET RULES ++#------------- ++# ++# These signatures are based on various telnet exploits and unpassword ++# protected accounts. 
++# ++ ++ ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET Solaris memory mismanagement exploit attempt"; flow:to_server,established; content:"|A0 23 A0 10 AE 23 80 10 EE 23 BF EC 82 05 E0 D6 90|%|E0|"; classtype:shellcode-detect; sid:1430; rev:7;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET SGI telnetd format bug"; flow:to_server,established; content:"_RLD"; content:"bin/sh"; reference:arachnids,304; reference:bugtraq,1572; reference:cve,2000-0733; classtype:attempted-admin; sid:711; rev:8;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET ld_library_path"; flow:to_server,established; content:"ld_library_path"; reference:arachnids,367; reference:bugtraq,459; reference:cve,1999-0073; classtype:attempted-admin; sid:712; rev:8;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET livingston DOS"; flow:to_server,established; content:"|FF F3 FF F3 FF F3 FF F3 FF F3|"; rawbytes; reference:arachnids,370; reference:bugtraq,2225; reference:cve,1999-0218; classtype:attempted-dos; sid:713; rev:10;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET resolv_host_conf"; flow:to_server,established; content:"resolv_host_conf"; reference:arachnids,369; reference:bugtraq,2181; reference:cve,2001-0170; classtype:attempted-admin; sid:714; rev:7;) ++alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET Attempted SU from wrong group"; flow:from_server,established; content:"to su root"; nocase; classtype:attempted-admin; sid:715; rev:6;) ++alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET not on console"; flow:from_server,established; content:"not on system console"; nocase; reference:arachnids,365; classtype:bad-unknown; sid:717; rev:6;) ++alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET root login"; flow:from_server,established; content:"login|3A| root"; classtype:suspicious-login; sid:719; rev:7;) ++alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET bsd 
telnet exploit response"; flow:from_server,established; content:"|0D 0A|[Yes]|0D 0A FF FE 08 FF FD|&"; rawbytes; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:attempted-admin; sid:1252; rev:15;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET bsd exploit client finishing"; flow:to_client,established; dsize:>200; content:"|FF F6 FF F6 FF FB 08 FF F6|"; depth:50; offset:200; rawbytes; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:successful-admin; sid:1253; rev:13;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET 4Dgifts SGI account attempt"; flow:to_server,established; content:"4Dgifts"; reference:cve,1999-0501; reference:nessus,11243; classtype:suspicious-login; sid:709; rev:9;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET EZsetup account attempt"; flow:to_server,established; content:"OutOfBox"; reference:cve,1999-0501; reference:nessus,11244; classtype:suspicious-login; sid:710; rev:9;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET APC SmartSlot default admin account attempt"; flow:to_server,established; content:"TENmanUFactOryPOWER"; reference:bugtraq,9681; reference:cve,2004-0311; reference:nessus,12066; classtype:suspicious-login; sid:2406; rev:4;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET login buffer non-evasive overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|"; rawbytes; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/RBi"; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:3274; rev:3;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET login buffer overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|TTYPROMPT|01|"; rawbytes; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:3147; 
rev:3;) +--- /dev/null ++++ b/rules/experimental.rules +@@ -0,0 +1,27 @@ ++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved ++# ++# This file may contain proprietary rules that were created, tested and ++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as ++# rules that were created by Sourcefire and other third parties and ++# distributed under the GNU General Public License (the "GPL Rules"). The ++# VRT Certified Rules contained in this file are the property of ++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# The GPL Rules created by Sourcefire, Inc. are the property of ++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights ++# Reserved. All other GPL Rules are owned and copyrighted by their ++# respective owners (please see www.snort.org/contributors for a list of ++# owners and their respective copyrights). In order to determine what ++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT ++# Certified Rules License Agreement. ++# ++# ++# $Id: experimental.rules,v 1.78.2.1.2.1 2005/05/16 22:17:51 mwatchinski Exp $ ++# --------------- ++# EXPERIMENTAL RULES ++# --------------- ++# These signatures are experimental, new and may trigger way too often. ++# ++# Be forwarned, this is our testing ground. We put new signatures here for ++# testing before incorporating them into the default signature set. This is ++# for bleeding edge stuff only. ++# +--- /dev/null ++++ b/rules/web-php.rules +@@ -0,0 +1,162 @@ ++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved ++# ++# This file may contain proprietary rules that were created, tested and ++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as ++# rules that were created by Sourcefire and other third parties and ++# distributed under the GNU General Public License (the "GPL Rules"). The ++# VRT Certified Rules contained in this file are the property of ++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. 
All Rights Reserved. ++# The GPL Rules created by Sourcefire, Inc. are the property of ++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights ++# Reserved. All other GPL Rules are owned and copyrighted by their ++# respective owners (please see www.snort.org/contributors for a list of ++# owners and their respective copyrights). In order to determine what ++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT ++# Certified Rules License Agreement. ++# ++# ++# $Id: web-php.rules,v 1.21.2.2.2.2 2005/07/22 19:19:54 mwatchinski Exp $ ++#-------------- ++# WEB-PHP RULES ++#-------------- ++ ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP bb_smilies.php access"; flow:to_server,established; uricontent:"/bb_smilies.php"; nocase; reference:url,www.securiteam.com/securitynews/Serious_security_hole_in_PHP-Nuke__bb_smilies_.html; classtype:web-application-activity; sid:1774; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition memchr overflow"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"name=|22 CC CC CC CC CC|"; reference:bugtraq,4183; reference:cve,2002-0081; reference:nessus,10867; classtype:web-application-attack; sid:1423; rev:14;) ++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"form-data|3B|"; reference:bugtraq,4183; reference:cve,2002-0081; reference:nessus,10867; classtype:web-application-attack; sid:1425; rev:13;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP squirrel mail spell-check arbitrary command attempt"; flow:to_server,established; uricontent:"/squirrelspell/modules/check_me.mod.php"; nocase; content:"SQSPELL_APP["; nocase; reference:bugtraq,3952; classtype:web-application-attack; sid:1736; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP squirrel mail theme arbitrary command attempt"; flow:to_server,established; uricontent:"/left_main.php"; nocase; content:"cmdd="; reference:bugtraq,4385; reference:cve,2002-0516; classtype:web-application-attack; sid:1737; rev:6;) ++ ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools administrator authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; nocase; content:"user_dnstools_administrator=true"; nocase; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:1739; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:1740; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools access"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-activity; sid:1741; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Blahz-DNS dostuff.php modify user attempt"; flow:to_server,established; uricontent:"/dostuff.php?action=modify_user"; nocase; reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-attack; sid:1742; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Blahz-DNS dostuff.php access"; flow:to_server,established; uricontent:"/dostuff.php"; nocase; reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-activity; sid:1743; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Messagerie supp_membre.php access"; flow:to_server,established; uricontent:"/supp_membre.php"; nocase; reference:bugtraq,4635; 
classtype:web-application-activity; sid:1745; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP php.exe access"; flow:to_server,established; uricontent:"/php.exe"; nocase; reference:url,www.securitytracker.com/alerts/2002/Jan/1003104.html; classtype:web-application-activity; sid:1773; rev:3;)
++
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP directory.php arbitrary command attempt"; flow:to_server,established; uricontent:"/directory.php"; content:"dir="; content:"|3B|"; reference:bugtraq,4278; reference:cve,2002-0434; classtype:misc-attack; sid:1815; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP directory.php access"; flow:to_server,established; uricontent:"/directory.php"; reference:bugtraq,4278; reference:cve,2002-0434; classtype:misc-attack; sid:1816; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Wiki cross site scripting attempt"; flow:established,to_server; uricontent:"/modules.php?"; uricontent:"name=Wiki"; nocase; uricontent:" $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpbb quick-reply.php arbitrary command attempt"; flow:established,to_server; uricontent:"/quick-reply.php"; content:"phpbb_root_path="; distance:1; reference:bugtraq,6173; classtype:web-application-attack; sid:1967; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpbb quick-reply.php access"; flow:established,to_server; uricontent:"/quick-reply.php"; reference:bugtraq,6173; classtype:web-application-activity; sid:1968; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP read_body.php access attempt"; flow:established,to_server; uricontent:"/read_body.php"; reference:bugtraq,6302; reference:cve,2002-1341; classtype:web-application-activity; sid:1997; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP calendar.php access"; flow:established,to_server;
uricontent:"/calendar.php"; reference:bugtraq,5820; reference:bugtraq,9353; reference:nessus,11179; classtype:web-application-activity; sid:1998; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP edit_image.php access"; flow:established,to_server; uricontent:"/edit_image.php"; reference:bugtraq,3288; reference:cve,2001-1020; reference:nessus,11104; classtype:web-application-activity; sid:1999; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP readmsg.php access"; flow:established,to_server; uricontent:"/readmsg.php"; reference:cve,2001-1408; reference:nessus,11073; classtype:web-application-activity; sid:2000; rev:3;)
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP remote include path"; flow:established,to_server; uricontent:".php"; content:"path="; pcre:"/path=(http|https|ftp)/i"; classtype:web-application-attack; sid:2002; rev:5;)
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum admin access"; flow:to_server,established; uricontent:"/admin.php3"; nocase; reference:arachnids,205; reference:bugtraq,2271; classtype:attempted-recon; sid:1134; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP piranha passwd.php3 access"; flow:to_server,established; uricontent:"/passwd.php3"; reference:arachnids,272; reference:bugtraq,1149; reference:cve,2000-0322; classtype:attempted-recon; sid:1161; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum read access"; flow:to_server,established; uricontent:"/read.php3"; nocase; reference:arachnids,208; classtype:attempted-recon; sid:1178; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum violation access"; flow:to_server,established; uricontent:"/violation.php3"; nocase; reference:arachnids,209; reference:bugtraq,2272; classtype:attempted-recon; sid:1179; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
$HTTP_PORTS (msg:"WEB-PHP Phorum code access"; flow:to_server,established; uricontent:"/code.php3"; nocase; reference:arachnids,207; classtype:attempted-recon; sid:1197; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php file upload attempt"; flow:to_server,established; uricontent:"/admin.php"; nocase; content:"file_name="; reference:bugtraq,3361; reference:cve,2001-1032; classtype:attempted-admin; sid:1300; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php access"; flow:to_server,established; uricontent:"/admin.php"; nocase; reference:bugtraq,3361; reference:bugtraq,7532; reference:bugtraq,9270; reference:cve,2001-1032; classtype:attempted-recon; sid:1301; rev:11;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP smssend.php access"; flow:to_server,established; uricontent:"/smssend.php"; reference:bugtraq,3982; reference:cve,2002-0220; classtype:web-application-activity; sid:1407; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Nuke remote file include attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"file="; pcre:"/file=(http|https|ftp)/i"; reference:bugtraq,3889; reference:cve,2002-0206; classtype:web-application-attack; sid:1399; rev:11;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum /support/common.php attempt"; flow:to_server,established; uricontent:"/support/common.php"; content:"ForumLang=../"; reference:bugtraq,1997; classtype:web-application-attack; sid:1490; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum /support/common.php access"; flow:to_server,established; uricontent:"/support/common.php"; reference:bugtraq,1997; reference:bugtraq,9361; classtype:web-application-attack; sid:1491; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum authentication access";
flow:to_server,established; content:"PHP_AUTH_USER=boogieman"; nocase; reference:arachnids,206; reference:bugtraq,2274; classtype:attempted-recon; sid:1137; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP strings overflow"; flow:to_server,established; content:"|BA|I|FE FF FF F7 D2 B9 BF FF FF FF F7 D1|"; reference:arachnids,431; reference:bugtraq,802; classtype:web-application-attack; sid:1085; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP strings overflow"; flow:to_server,established; uricontent:"?STRENGUR"; reference:arachnids,430; reference:bugtraq,1786; reference:cve,2000-0967; classtype:web-application-attack; sid:1086; rev:12;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPLIB remote command attempt"; flow:to_server,established; content:"_PHPLIB[libdir]"; reference:bugtraq,3079; reference:cve,2001-1370; classtype:attempted-user; sid:1254; rev:8;)
++alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-PHP PHPLIB remote command attempt"; flow:to_server,established; uricontent:"/db_mysql.inc"; reference:bugtraq,3079; reference:cve,2001-1370; classtype:attempted-user; sid:1255; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo uploadimage.php upload php file attempt"; flow:to_server,established; uricontent:"/uploadimage.php"; content:"userfile_name="; content:".php"; distance:1; reference:bugtraq,6572; classtype:web-application-attack; sid:2074; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo upload.php upload php file attempt"; flow:to_server,established; uricontent:"/upload.php"; content:"userfile_name="; content:".php"; distance:1; reference:bugtraq,6572; classtype:web-application-attack; sid:2075; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo uploadimage.php access"; flow:to_server,established; uricontent:"/uploadimage.php";
reference:bugtraq,6572; classtype:web-application-activity; sid:2076; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo upload.php access"; flow:to_server,established; uricontent:"/upload.php"; reference:bugtraq,6572; classtype:web-application-activity; sid:2077; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpBB privmsg.php access"; flow:to_server,established; uricontent:"/privmsg.php"; reference:bugtraq,6634; classtype:web-application-activity; sid:2078; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP p-news.php access"; flow:to_server,established; uricontent:"/p-news.php"; reference:nessus,11669; classtype:web-application-activity; sid:2140; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP shoutbox.php directory traversal attempt"; flow:to_server,established; uricontent:"/shoutbox.php"; content:"conf="; content:"../"; distance:0; reference:nessus,11668; classtype:web-application-attack; sid:2141; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP shoutbox.php access"; flow:to_server,established; uricontent:"/shoutbox.php"; reference:nessus,11668; classtype:web-application-activity; sid:2142; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt"; flow:to_server,established; uricontent:"/gm-2-b2.php"; content:"b2inc="; pcre:"/b2inc=(http|https|ftp)/i"; reference:nessus,11667; classtype:web-application-attack; sid:2143; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP b2 cafelog gm-2-b2.php access"; flow:to_server,established; uricontent:"/gm-2-b2.php"; reference:nessus,11667; classtype:web-application-activity; sid:2144; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TextPortal admin.php default password admin attempt"; flow:to_server,established;
uricontent:"/admin.php"; content:"op=admin_enter"; content:"password=admin"; reference:bugtraq,7673; reference:nessus,11660; classtype:web-application-activity; sid:2145; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TextPortal admin.php default password 12345 attempt"; flow:to_server,established; uricontent:"/admin.php"; content:"op=admin_enter"; content:"password=12345"; reference:bugtraq,7673; reference:nessus,11660; classtype:web-application-activity; sid:2146; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BLNews objects.inc.php4 remote file include attempt"; flow:to_server,established; uricontent:"/objects.inc.php4"; content:"Server[path]="; pcre:"/Server\x5bpath\x5d=(http|https|ftp)/"; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-attack; sid:2147; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BLNews objects.inc.php4 access"; flow:to_server,established; uricontent:"/objects.inc.php4"; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-activity; sid:2148; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Turba status.php access"; flow:to_server,established; uricontent:"/turba/status.php"; reference:nessus,11646; classtype:web-application-activity; sid:2149; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttCMS header.php remote file include attempt"; flow:to_server,established; uricontent:"/admin/templates/header.php"; content:"admin_root="; pcre:"/admin_root=(http|https|ftp)/"; reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:nessus,11636; classtype:web-application-attack; sid:2150; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttCMS header.php access"; flow:to_server,established; uricontent:"/admin/templates/header.php";
reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:nessus,11636; classtype:web-application-activity; sid:2151; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP test.php access"; flow:to_server,established; uricontent:"/test.php"; reference:nessus,11617; classtype:web-application-activity; sid:2152; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP autohtml.php directory traversal attempt"; flow:to_server,established; uricontent:"/autohtml.php"; content:"name="; content:"../../"; distance:0; reference:nessus,11630; classtype:web-application-attack; sid:2153; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP autohtml.php access"; flow:to_server,established; uricontent:"/autohtml.php"; reference:nessus,11630; classtype:web-application-activity; sid:2154; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttforum remote file include attempt"; flow:to_server,established; uricontent:"forum/index.php"; content:"template="; pcre:"/template=(http|https|ftp)/i"; reference:bugtraq,7542; reference:bugtraq,7543; reference:nessus,11615; classtype:web-application-attack; sid:2155; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP pmachine remote file include attempt"; flow:to_server,established; uricontent:"lib.inc.php"; content:"pm_path="; pcre:"/pm_path=(http|https|ftp)/"; reference:bugtraq,7919; reference:nessus,11739; classtype:web-application-attack; sid:2226; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP forum_details.php access"; flow:to_server,established; uricontent:"forum_details.php"; reference:bugtraq,7933; reference:nessus,11760; classtype:web-application-attack; sid:2227; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpMyAdmin db_details_importdocsql.php access"; flow:to_server,established;
uricontent:"db_details_importdocsql.php"; reference:bugtraq,7962; reference:bugtraq,7965; reference:nessus,11761; classtype:web-application-attack; sid:2228; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP viewtopic.php access"; flow:to_server,established; uricontent:"viewtopic.php"; reference:bugtraq,7979; reference:cve,2003-0486; reference:nessus,11767; classtype:web-application-attack; sid:2229; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP UpdateClasses.php access"; flow:to_server,established; uricontent:"/UpdateClasses.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2279; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Title.php access"; flow:to_server,established; uricontent:"/Title.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2280; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Setup.php access"; flow:to_server,established; uricontent:"/Setup.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2281; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP GlobalFunctions.php access"; flow:to_server,established; uricontent:"/GlobalFunctions.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2282; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DatabaseFunctions.php access"; flow:to_server,established; uricontent:"/DatabaseFunctions.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2283; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP rolis guestbook remote file include attempt"; flow:to_server,established; uricontent:"/insert.inc.php"; nocase; content:"path="; reference:bugtraq,9057; classtype:web-application-attack; sid:2284; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP rolis guestbook access"; flow:to_server,established; uricontent:"/insert.inc.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2285; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP friends.php access"; flow:to_server,established; uricontent:"/friends.php"; nocase; reference:bugtraq,9088; classtype:web-application-activity; sid:2286; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_comment.php access"; flow:to_server,established; uricontent:"/admin_comment.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2287; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_edit.php access"; flow:to_server,established; uricontent:"/admin_edit.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2288; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_embed.php access"; flow:to_server,established; uricontent:"/admin_embed.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2289; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_help.php access"; flow:to_server,established; uricontent:"/admin_help.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2290; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_license.php access"; flow:to_server,established; uricontent:"/admin_license.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2291; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_logout.php access"; flow:to_server,established; uricontent:"/admin_logout.php";
nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2292; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_password.php access"; flow:to_server,established; uricontent:"/admin_password.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2293; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_preview.php access"; flow:to_server,established; uricontent:"/admin_preview.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2294; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_settings.php access"; flow:to_server,established; uricontent:"/admin_settings.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2295; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_stats.php access"; flow:to_server,established; uricontent:"/admin_stats.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2296; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_templates_misc.php access"; flow:to_server,established; uricontent:"/admin_templates_misc.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2297; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_templates.php access"; flow:to_server,established; uricontent:"/admin_templates.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2298; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_tpl_misc_new.php access"; flow:to_server,established;
uricontent:"/admin_tpl_misc_new.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2299; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_tpl_new.php access"; flow:to_server,established; uricontent:"/admin_tpl_new.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2300; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll booth.php access"; flow:to_server,established; uricontent:"/booth.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2301; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll poll_ssi.php access"; flow:to_server,established; uricontent:"/poll_ssi.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2302; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll popup.php access"; flow:to_server,established; uricontent:"/popup.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2303; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP files.inc.php access"; flow:to_server,established; uricontent:"/files.inc.php"; nocase; reference:bugtraq,8910; classtype:web-application-activity; sid:2304; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP chatbox.php access"; flow:to_server,established; uricontent:"/chatbox.php"; nocase; reference:bugtraq,8930; classtype:web-application-activity; sid:2305; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP gallery remote file include attempt"; flow:to_server,established; uricontent:"/setup/"; content:"GALLERY_BASEDIR="; pcre:"/GALLERY_BASEDIR=(http|https|ftp)/i"; reference:bugtraq,8814;
reference:nessus,11876; classtype:web-application-attack; sid:2306; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PayPal Storefront remote file include attempt"; flow:to_server,established; content:"do=ext"; content:"page="; pcre:"/page=(http|https|ftp)/i"; reference:bugtraq,8791; reference:nessus,11873; classtype:web-application-attack; sid:2307; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP authentication_index.php access"; flow:to_server,established; uricontent:"/authentication_index.php"; nocase; reference:cve,2004-0032; reference:nessus,11982; classtype:web-application-activity; sid:2328; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP MatrikzGB privilege escalation attempt"; flow:to_server,established; content:"new_rights=admin"; nocase; reference:bugtraq,8430; classtype:web-application-activity; sid:2331; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DCP-Portal remote file include attempt"; flow:to_server,established; uricontent:"/library/editor/editor.php"; nocase; content:"root="; reference:bugtraq,6525; classtype:web-application-attack; sid:2341; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DCP-Portal remote file include attempt"; flow:to_server,established; uricontent:"/library/lib.php"; nocase; content:"root="; reference:bugtraq,6525; classtype:web-application-attack; sid:2342; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView search.php access"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"action=soundex"; nocase; uricontent:"firstname="; nocase; reference:bugtraq,9369; reference:cve,2004-0032; classtype:web-application-activity; sid:2345; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myPHPNuke chatheader.php access"; flow:to_server,established; uricontent:"/chatheader.php";
nocase; reference:bugtraq,6544; classtype:web-application-activity; sid:2346; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myPHPNuke partner.php access"; flow:to_server,established; uricontent:"/partner.php"; nocase; reference:bugtraq,6544; classtype:web-application-activity; sid:2347; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IdeaBox cord.php file include"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"ideaDir"; nocase; content:"cord.php"; nocase; reference:bugtraq,7488; classtype:web-application-activity; sid:2353; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IdeaBox notification.php file include"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"gorumDir"; nocase; content:"notification.php"; nocase; reference:bugtraq,7488; classtype:web-application-activity; sid:2354; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Invision Board emailer.php file include"; flow:to_server,established; uricontent:"/ad_member.php"; nocase; content:"emailer.php"; nocase; reference:bugtraq,7204; classtype:web-application-activity; sid:2355; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WebChat db_mysql.php file include"; flow:to_server,established; uricontent:"/defines.php"; nocase; content:"WEBCHATPATH"; nocase; content:"db_mysql.php"; nocase; reference:bugtraq,7000; classtype:web-application-attack; sid:2356; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WebChat english.php file include"; flow:to_server,established; uricontent:"/defines.php"; nocase; content:"WEBCHATPATH"; nocase; content:"english.php"; nocase; reference:bugtraq,7000; classtype:web-application-attack; sid:2357; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Typo3 translations.php file include"; flow:to_server,established;
uricontent:"/translations.php"; nocase; content:"ONLY"; nocase; reference:bugtraq,6984; classtype:web-application-attack; sid:2358; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Invision Board ipchat.php file include"; flow:to_server,established; uricontent:"/ipchat.php"; nocase; content:"root_path"; nocase; content:"conf_global.php"; nocase; reference:bugtraq,6976; classtype:web-application-attack; sid:2359; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myphpPagetool pt_config.inc file include"; flow:to_server,established; uricontent:"/doc/admin"; nocase; content:"ptinclude"; nocase; content:"pt_config.inc"; nocase; reference:bugtraq,6744; classtype:web-application-attack; sid:2360; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP news.php file include"; flow:to_server,established; uricontent:"/news.php"; nocase; content:"template"; nocase; reference:bugtraq,6674; classtype:web-application-attack; sid:2361; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP YaBB SE packages.php file include"; flow:to_server,established; uricontent:"/packages.php"; nocase; content:"packer.php"; nocase; reference:bugtraq,6663; classtype:web-application-attack; sid:2362; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Cyboards default_header.php access"; flow:to_server,established; uricontent:"/default_header.php"; nocase; reference:bugtraq,6597; classtype:web-application-activity; sid:2363; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Cyboards options_form.php access"; flow:to_server,established; uricontent:"/options_form.php"; nocase; reference:bugtraq,6597; classtype:web-application-activity; sid:2364; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP newsPHP Language file include attempt"; flow:to_server,established; uricontent:"/nphpd.php"; nocase;
content:"LangFile"; nocase; reference:bugtraq,8488; classtype:web-application-activity; sid:2365; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/authentication_index.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2366; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/functions.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2367; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/config_gedcom.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2368; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Photopost PHP Pro showphoto.php access"; flow:to_server,established; uricontent:"/showphoto.php"; nocase; reference:bugtraq,9557; classtype:web-application-activity; sid:2372; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP /_admin access"; flow:to_server,established; uricontent:"/_admin/"; nocase; reference:bugtraq,9537; reference:nessus,12032; classtype:web-application-activity; sid:2393; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WAnewsletter newsletter.php file include attempt"; flow:to_server,established; uricontent:"newsletter.php"; nocase; content:"waroot"; nocase; content:"start.php"; nocase; reference:bugtraq,6965; classtype:web-application-attack; sid:2398; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WAnewsletter db_type.php access"; flow:to_server,established; uricontent:"/sql/db_type.php"; nocase; reference:bugtraq,6964; classtype:web-application-activity; sid:2399; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phptest.php access"; flow:to_server,established; uricontent:"/phptest.php"; nocase; reference:bugtraq,9737; classtype:web-application-activity; sid:2405; rev:1;)
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IGeneric Free Shopping Cart page.php access"; flow:to_server,established; uricontent:"/page.php"; nocase; reference:bugtraq,9773; classtype:web-application-activity; sid:2410; rev:2;)
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP modules.php access"; flow:to_server,established; uricontent:"/modules.php"; nocase; reference:bugtraq,9879; classtype:web-application-activity; sid:2565; rev:1;)
++
++
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPBB viewforum.php access"; flow:to_server,established; uricontent:"/viewforum.php"; nocase; reference:bugtraq,9865; reference:bugtraq,9866; reference:nessus,12093; classtype:web-application-activity; sid:2566; rev:4;)
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Opt-X header.php remote file include attempt"; flow:to_server,established; uricontent:"/header.php"; nocase; content:"systempath="; pcre:"/systempath=(http|https|ftp)/i"; reference:bugtraq,9732; classtype:web-application-attack; sid:2575; rev:1;)
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TUTOS path disclosure attempt"; flow:to_server,established; uricontent:"/note_overview.php"; content:"id="; reference:bugtraq,10129; reference:url,www.securiteam.com/unixfocus/5FP0J15CKE.html; classtype:web-application-activity; sid:2588; rev:1;)
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
(msg:"WEB-PHP PHPNuke Forum viewtopic SQL insertion attempt"; flow:to_server,established; uricontent:"/modules.php"; nocase; content:"name=Forums"; content:"file=viewtopic"; pcre:"/forum=.*'/"; reference:bugtraq,7193; classtype:web-application-attack; sid:2654; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV base directory manipulation"; flow:to_server,established; uricontent:"_conf.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; classtype:web-application-attack; sid:2926; rev:1;)
+--- /dev/null
++++ b/rules/web-coldfusion.rules
+@@ -0,0 +1,58 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
++# ++# ++# $Id: web-coldfusion.rules,v 1.27.2.2.2.1 2005/05/16 22:17:52 mwatchinski Exp $ ++#--------------------- ++# WEB-COLDFUSION RULES ++#--------------------- ++# ++ ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfcache.map access"; flow:to_server,established; uricontent:"/cfcache.map"; nocase; reference:bugtraq,917; reference:cve,2000-0057; classtype:attempted-recon; sid:903; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exampleapp application.cfm"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/email/application.cfm"; nocase; reference:bugtraq,1021; reference:cve,2000-0189; classtype:attempted-recon; sid:904; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION application.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/publish/admin/application.cfm"; nocase; reference:bugtraq,1021; reference:cve,2000-0189; classtype:attempted-recon; sid:905; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getfile.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/email/getfile.cfm"; nocase; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-recon; sid:906; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION addcontent.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/publish/admin/addcontent.cfm"; nocase; classtype:attempted-recon; sid:907; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION administrator access"; flow:to_server,established; uricontent:"/cfide/administrator/index.cfm"; nocase; reference:bugtraq,1314; reference:cve,2000-0538; classtype:attempted-recon; sid:908; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 
29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:909; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION fileexists.cfm access"; flow:to_server,established; uricontent:"/cfdocs/snippets/fileexists.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:910; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exprcalc access"; flow:to_server,established; uricontent:"/cfdocs/expeval/exprcalc.cfm"; nocase; reference:bugtraq,115; reference:bugtraq,550; reference:cve,1999-0455; classtype:attempted-recon; sid:911; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION parks access"; flow:to_server,established; uricontent:"/cfdocs/examples/parks/detail.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:912; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfappman access"; flow:to_server,established; uricontent:"/cfappman/index.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:913; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION beaninfo access"; flow:to_server,established; uricontent:"/cfdocs/examples/cvbeans/beaninfo.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:914; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION evaluate.cfm access"; flow:to_server,established; uricontent:"/cfdocs/snippets/evaluate.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:915; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getodbcdsn access"; flow:to_server,established; content:"CFUSION_GETODBCDSN|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:916; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION db connections flush attempt"; 
flow:to_server,established; content:"CFUSION_DBCONNECTIONS_FLUSH|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:917; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION expeval access"; flow:to_server,established; uricontent:"/cfdocs/expeval/"; nocase; reference:bugtraq,550; reference:cve,1999-0477; classtype:attempted-user; sid:918; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource passwordattempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:919; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:920; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION admin encrypt attempt"; flow:to_server,established; content:"CFUSION_ENCRYPT|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:921; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION displayfile access"; flow:to_server,established; uricontent:"/cfdocs/expeval/displayopenedfile.cfm"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:922; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:923; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION admin decrypt attempt"; flow:to_server,established; content:"CFUSION_DECRYPT|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:924; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-COLDFUSION mainframeset access"; flow:to_server,established; uricontent:"/cfdocs/examples/mainframeset.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:925; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION set odbc ini attempt"; flow:to_server,established; content:"CFUSION_SETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:926; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION settings refresh attempt"; flow:to_server,established; content:"CFUSION_SETTINGS_REFRESH|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:927; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exampleapp access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/"; nocase; classtype:attempted-recon; sid:928; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION CFUSION_VERIFYMAIL access"; flow:to_server,established; content:"CFUSION_VERIFYMAIL|28 29|"; nocase; reference:bugtraq,550; classtype:attempted-user; sid:929; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION snippets attempt"; flow:to_server,established; uricontent:"/cfdocs/snippets/"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:930; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfmlsyntaxcheck.cfm access"; flow:to_server,established; uricontent:"/cfdocs/cfmlsyntaxcheck.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:931; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION application.cfm access"; flow:to_server,established; uricontent:"/application.cfm"; nocase; reference:arachnids,268; reference:bugtraq,550; reference:cve,2000-0189; classtype:attempted-recon; sid:932; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"WEB-COLDFUSION onrequestend.cfm access"; flow:to_server,established; uricontent:"/onrequestend.cfm"; nocase; reference:arachnids,269; reference:bugtraq,550; reference:cve,2000-0189; classtype:attempted-recon; sid:933; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION startstop DOS access"; flow:to_server,established; uricontent:"/cfide/administrator/startstop.html"; nocase; reference:bugtraq,247; classtype:web-application-attack; sid:935; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION gettempdirectory.cfm access "; flow:to_server,established; uricontent:"/cfdocs/snippets/gettempdirectory.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:936; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION sendmail.cfm access"; flow:to_server,established; uricontent:"/sendmail.cfm"; nocase; classtype:attempted-recon; sid:1659; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION ?Mode=debug attempt"; flow:to_server,established; uricontent:"Mode=debug"; nocase; reference:nessus,10797; classtype:web-application-activity; sid:1540; rev:7;)
+--- /dev/null
++++ b/rules/community-web-iis.rules
+@@ -0,0 +1,10 @@
++# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# These rules are licensed under the GNU General Public License.
++# Please see the file LICENSE in this directory for more details. 
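Review bot: The `CF_*`/`CFUSION_*` function-name rules in this hunk (sids 909, 916, 917, 919–921, 923, 924, 926, 927, 929) match the raw payload with a bare `content:` and no `uricontent:`, so a percent-encoded request such as `CFUSION_GETODBCDSN%28%29` in the query string never presents the literal `|28 29|` bytes and slips past them, while the path-based rules beside them get http_inspect's URI normalization for free. Where the goal is to catch these names in GET requests, add the normalized-URI check alongside the raw one — for sid 916 `uricontent:"CFUSION_GETODBCDSN|28 29|"; nocase;` — and keep the bare `content:` only where POST bodies must be covered; this presumes the sensor runs http_inspect with URI normalization, which the rules file cannot guarantee. Separately, sid 936's message has a trailing space, `msg:"WEB-COLDFUSION gettempdirectory.cfm access "`, which makes exact alert-name matching in downstream tooling brittle; drop the space and bump `rev`. sid 1540's `uricontent:"Mode=debug"` is not bounded to a parameter name, so any URI containing that substring fires; acceptable for `web-application-activity`, but worth a one-line comment so nobody tightens it without knowing.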
++# $Id: community-web-iis.rules,v 1.2 2005/10/20 13:49:44 akirk Exp $
++
++#Rules submitted by rmkml
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt localhost"; flow:to_server,established; content:"localhost"; nocase; pcre:"/http\x3A\/\/localhost\/.*\.asp/i"; reference:cve,2005-2678; classtype:web-application-activity; sid:100000138; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt loopback IP"; flow:to_server,established; content:"127.0.0.1"; pcre:"/http\x3A\/\/127\.0\.0\.1\/.*\.asp/i"; reference:cve,2005-2678; classtype:web-application-activity; sid:100000139; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS RSA WebAgent Redirect Overflow attempt"; flow:to_server,established; uricontent:"/WebID/IISWebAgentIF.dll"; nocase; pcre:"/\x3fRedirect\x3f[^\s]{100,}/smi"; classtype:web-application-activity; sid:100000173; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS RSA WebAgent access"; flow:to_server,established; uricontent:"/WebID/IISWebAgentIF.dll"; nocase; reference:cve,2005-1118; reference:bugtraq,13168; classtype:web-application-activity; sid:100000174; rev:1;)
+--- /dev/null
++++ b/rules/community-mail-client.rules
+@@ -0,0 +1,4 @@
++# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# These rules are licensed under the GNU General Public License.
++# Please see the file LICENSE in this directory for more details.
++# $Id: community-mail-client.rules,v 1.6 2005/03/08 14:41:42 bmc Exp $
+--- /dev/null
++++ b/rules/deleted.rules
+@@ -0,0 +1,451 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. 
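Review bot: sid 100000173, the RSA WebAgent Redirect overflow rule, ships with no `reference:` at all and with `classtype:web-application-activity`, even though its sibling sid 100000174 for the same `/WebID/IISWebAgentIF.dll` target cites `cve,2005-1118` and `bugtraq,13168`; an overflow attempt should carry the same references and be classed as an attack so it outranks the plain access rule: `reference:cve,2005-1118; reference:bugtraq,13168; classtype:web-application-attack;`. The `[^\s]{100,}` length in its pcre reads as a tuning guess — if the advisory behind those references states the overflowing length, a comment above the rule giving that number would keep the threshold from being changed blindly. In sids 100000138 and 100000139 the `content:"localhost"` / `content:"127.0.0.1"` pre-filters run against the whole raw payload, so any request whose body or headers contain those strings is handed to the unanchored `.*` pcre; that is a cost rather than a miss, but if the match is meant for the request line only, restricting it to the URI buffer would narrow it on sensors whose http_inspect configuration supports that.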
(the "VRT Certified Rules") as well as ++# rules that were created by Sourcefire and other third parties and ++# distributed under the GNU General Public License (the "GPL Rules"). The ++# VRT Certified Rules contained in this file are the property of ++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# The GPL Rules created by Sourcefire, Inc. are the property of ++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights ++# Reserved. All other GPL Rules are owned and copyrighted by their ++# respective owners (please see www.snort.org/contributors for a list of ++# owners and their respective copyrights). In order to determine what ++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT ++# Certified Rules License Agreement. ++# ++# ++# $Id: deleted.rules,v 1.37.2.1.2.1 2005/05/16 22:17:51 mwatchinski Exp $ ++#------------- ++# DELETED RULES ++#------------- ++# These signatures have been deleted for various reasons, but we are keeping ++# them here for historical purposes. 
++ ++# Duplicate to 332 ++alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER probe 0 attempt"; flow:to_server,established; content:"0"; reference:arachnids,378; classtype:attempted-recon; sid:325; rev:4;) ++ ++# Duplicate of 512 ++alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"MISC Invalid PCAnywhere Login"; flow:from_server,established; content:"Invalid login"; depth:13; offset:5; classtype:unsuccessful-user; sid:511; rev:5;) ++ ++# Duplicate of 514 ++alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg:"MISC ramen worm incoming"; flow:established; content:"GET "; depth:8; nocase; reference:arachnids,460; classtype:bad-unknown; sid:506; rev:4;) ++ ++# Duplicate of 557 ++alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INFO Outbound GNUTella client request"; flow:established; content:"GNUTELLA OK"; depth:40; classtype:misc-activity; sid:558; rev:5;) ++ ++# Duplicate of 559 ++alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"P2P Inbound GNUTella client request"; flags:A+; flow:established; content:"GNUTELLA CONNECT"; depth:40; classtype:misc-activity; sid:559; rev:6;) ++ ++# Duplicate of 844 ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC O'Reilly args.bat access"; flow:to_server,established; uricontent:"/cgi-dos/args.bat"; nocase; classtype:attempted-recon; sid:1121; rev:5;) ++ ++# Yeah, so the one site that was vulnerable to edit.pl aint no more. 
++# http://packetstorm.widexs.nl/new-exploits/freestats-cgi.txt ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI edit.pl access"; flow:to_server,established; uricontent:"/edit.pl"; nocase; reference:bugtraq,2713; classtype:attempted-recon; sid:855; rev:6;) ++ ++# duplicate of 987 ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXPERIMENTAL WEB-IIS .htr request"; flow:to_server,established; uricontent:".htr"; nocase; reference:bugtraq,4474; reference:cve,2002-0071; reference:nessus,10932; classtype:web-application-activity; sid:1619; rev:8;) ++ ++# webmasters suck, so this happens ever so often. Its really not that bad, ++# so lets disable it. ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC prefix-get //"; flow:to_server,established; uricontent:"get //"; nocase; classtype:attempted-recon; sid:1114; rev:6;) ++ ++# dup of 1660 ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXPERIMENTAL WEB-IIS .NET trace.axd access"; flow:to_server,established; uricontent:"/traace.axd"; nocase; classtype:web-application-attack; sid:1749; rev:4;) ++ ++# dup ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC iPlanet ../../ DOS attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/../../../../../../../../../../../"; reference:bugtraq,2282; reference:cve,2001-0252; classtype:web-application-attack; sid:1049; rev:11;) ++ ++ ++# Falses WAAAYYY too often. 
++alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES directory listing"; flow:from_server,established; content:"Directory of"; nocase; classtype:unknown; sid:496; rev:8;) ++ ++# Replaced with 1801,1802,1803,1804 ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS header field buffer overflow attempt"; flow:to_server,established; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; classtype:web-application-attack; sid:1768; rev:7;) ++ ++# duplicate of sid:1673 ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE execute_system attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:protocol-command-decode; sid:1698; rev:4;) ++ ++# Port based only sigs suck, this is why stream4 has flow logs ++alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11 outbound client connection detected"; flow:established; reference:arachnids,126; classtype:misc-activity; sid:1227; rev:5;) ++ ++# basically duplicate of 330 ++alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop redirection"; dsize:11; flow:to_server,established; content:"@localhost|0A|"; reference:arachnids,11; classtype:attempted-recon; sid:329; rev:8;) ++ ++# duplicate of 1478 ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI swc attempt"; flow:to_server,established; uricontent:"/swc"; nocase; classtype:attempted-recon; sid:1477; rev:5;) ++ ++# duplicate of 1248 ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad overflow attempt"; dsize:>258; flow:to_server,established; uricontent:"/fp30reg.dll"; nocase; reference:arachnids,555; reference:bugtraq,2906; reference:cve,2001-0341; reference:url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx; classtype:web-application-attack; sid:1246; rev:14;) ++ ++# duplicate of 1249 ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad 
overflow attempt"; dsize:>259; flow:to_server,established; uricontent:"/fp4areg.dll"; nocase; reference:bugtraq,2906; reference:cve,2001-0341; classtype:web-application-attack; sid:1247; rev:11;) ++ ++# duplicate of 1755 ++alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT partial body overflow attempt"; dsize:>1092; flow:to_server,established; content:" x PARTIAL 1 BODY["; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:1780; rev:9;) ++ ++# duplicate of 1538 ++alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP Cassandra Overflow"; dsize:>512; flow:to_server,established; content:"AUTHINFO USER"; depth:16; nocase; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-user; sid:291; rev:12;) ++ ++# This rule looks for the exploit for w3-msql, but very badly ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3-msql solaris x86 access"; flow:to_server,established; uricontent:"/bin/shA-cA/usr/openwin"; nocase; reference:arachnids,211; reference:cve,1999-0276; classtype:attempted-recon; sid:874; rev:7;) ++ ++ ++alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 bsd overfow"; content:"echo netrjs stre"; reference:bugtraq,324; reference:cve,1999-0914; classtype:attempted-admin; sid:318; rev:6;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 linux overflow"; content:"A90|C0 A8 01 01|/bin/sh|00|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:319; rev:5;) ++ ++ ++# duplicate of 109 ++alert tcp $HOME_NET 12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flags:A+; flow:established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:114; rev:5;) ++ ++# duplicate of 110 ++alert tcp $EXTERNAL_NET any -> $HOME_NET 12346 (msg:"BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; 
classtype:misc-activity; sid:111; rev:5;) ++ ++ ++# we have a backorifice preprocessor ++alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"BACKDOOR BackOrifice access"; flags:A+; flow:established; content:"server|3A| BO/"; reference:arachnids,400; classtype:misc-activity; sid:112; rev:6;) ++ ++# we have a backorifice preprocessor ++alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice access"; content:"|CE|c|D1 D2 16 E7 13 CF|9|A5 A5 86|"; reference:arachnids,399; classtype:misc-activity; sid:116; rev:5;) ++ ++ ++ ++alert udp $EXTERNAL_NET 2140 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; reference:arachnids,106; classtype:misc-activity; sid:164; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server ON"; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; classtype:misc-activity; sid:165; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Picture Client Request"; content:"22"; reference:arachnids,106; classtype:misc-activity; sid:166; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request"; content:"32"; reference:arachnids,106; classtype:misc-activity; sid:167; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request"; content:"33"; reference:arachnids,106; classtype:misc-activity; sid:168; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request"; content:"34"; reference:arachnids,106; classtype:misc-activity; sid:169; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request"; content:"110"; reference:arachnids,106; classtype:misc-activity; sid:170; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Freeze 
Mouse Client Request"; content:"35"; reference:arachnids,106; classtype:misc-activity; sid:171; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request"; content:"70"; reference:arachnids,106; classtype:misc-activity; sid:172; rev:6;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request"; content:"71"; reference:arachnids,106; classtype:misc-activity; sid:173; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"31"; reference:arachnids,106; classtype:misc-activity; sid:174; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Resolution Change Client Request"; content:"125"; reference:arachnids,106; classtype:misc-activity; sid:175; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"04"; reference:arachnids,106; classtype:misc-activity; sid:176; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server OFF"; content:"KeyLogger Shut Down"; reference:arachnids,106; classtype:misc-activity; sid:177; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Server Port Client Request"; content:"21"; reference:arachnids,106; classtype:misc-activity; sid:179; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Process List Client request"; content:"64"; reference:arachnids,106; classtype:misc-activity; sid:180; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Close Port Scan Client Request"; content:"121"; reference:arachnids,106; classtype:misc-activity; sid:181; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Registry Add Client Request"; 
content:"89"; reference:arachnids,106; classtype:misc-activity; sid:182; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 System Info Client Request"; content:"13"; reference:arachnids,106; classtype:misc-activity; sid:122; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Status Client Request"; content:"09"; reference:arachnids,106; classtype:misc-activity; sid:124; rev:5;) ++alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info From Server"; content:"Retreaving"; reference:arachnids,106; classtype:misc-activity; sid:125; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info Client Request"; content:"12"; reference:arachnids,106; classtype:misc-activity; sid:126; rev:5;) ++alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Status From Server"; content:"Host"; reference:arachnids,106; classtype:misc-activity; sid:127; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Status Client Request"; content:"10"; reference:arachnids,106; classtype:misc-activity; sid:128; rev:5;) ++alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Drive Info From Server"; content:"C - "; reference:arachnids,106; classtype:misc-activity; sid:129; rev:5;) ++alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 System Info From Server"; content:"Comp Name"; reference:arachnids,106; classtype:misc-activity; sid:130; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Drive Info Client Request"; content:"130"; reference:arachnids,106; classtype:misc-activity; sid:131; rev:5;) ++alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server"; content:"FTP Server changed to"; reference:arachnids,106; classtype:misc-activity; 
sid:132; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Cached Passwords Client Request"; content:"16"; reference:arachnids,106; classtype:misc-activity; sid:133; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 RAS Passwords Client Request"; content:"17"; reference:arachnids,106; classtype:misc-activity; sid:134; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Change Client Request"; content:"91"; reference:arachnids,106; classtype:misc-activity; sid:135; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Remove Client Request"; content:"92"; reference:arachnids,106; classtype:misc-activity; sid:136; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Rehash Client Request"; content:"911"; reference:arachnids,106; classtype:misc-activity; sid:137; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Server Rehash Client Request"; content:"shutd0wnM0therF***eR"; reference:arachnids,106; classtype:misc-activity; sid:138; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request"; content:"88"; reference:arachnids,106; classtype:misc-activity; sid:140; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request"; content:"40"; reference:arachnids,106; classtype:misc-activity; sid:142; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request"; content:"20"; reference:arachnids,106; classtype:misc-activity; sid:143; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; content:"|00 23|"; reference:arachnids,106; classtype:misc-activity; sid:149; rev:5;) ++alert 
udp $EXTERNAL_NET 3150 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; content:"|00 23|"; reference:arachnids,106; classtype:misc-activity; sid:150; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; reference:arachnids,106; classtype:misc-activity; sid:151; rev:5;) ++alert udp $HOME_NET 3150 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Wrong Password"; content:"Wrong Password"; reference:arachnids,106; classtype:misc-activity; sid:154; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Visible Window List Client Request"; content:"37"; reference:arachnids,106; classtype:misc-activity; sid:156; rev:5;) ++alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg:"BACKDOOR DeepThroat access"; content:"--Ahhhhhhhhhh"; reference:arachnids,405; classtype:misc-activity; sid:113; rev:6;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Monitor on/off Client Request"; content:"07"; reference:arachnids,106; classtype:misc-activity; sid:186; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Delete File Client Request"; content:"41"; reference:arachnids,106; classtype:misc-activity; sid:187; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Kill Window Client Request"; content:"38"; reference:arachnids,106; classtype:misc-activity; sid:188; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Disable Window Client Request"; content:"23"; reference:arachnids,106; classtype:misc-activity; sid:189; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable Window Client Request"; content:"24"; reference:arachnids,106; classtype:misc-activity; sid:190; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Window Title 
Client Request"; content:"60"; reference:arachnids,106; classtype:misc-activity; sid:191; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide Window Client Request"; content:"26"; reference:arachnids,106; classtype:misc-activity; sid:192; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Window Client Request"; content:"25"; reference:arachnids,106; classtype:misc-activity; sid:193; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Send Text to Window Client Request"; content:"63"; reference:arachnids,106; classtype:misc-activity; sid:194; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request"; content:"30"; reference:arachnids,106; classtype:misc-activity; sid:196; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Create Directory Client Request"; content:"39"; reference:arachnids,106; classtype:misc-activity; sid:197; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 All Window List Client Request"; content:"370"; reference:arachnids,106; classtype:misc-activity; sid:198; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Play Sound Client Request"; content:"36"; reference:arachnids,106; classtype:misc-activity; sid:199; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Normal Client Request"; content:"14"; reference:arachnids,106; classtype:misc-activity; sid:200; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request"; content:"15"; reference:arachnids,106; classtype:misc-activity; sid:201; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Get NET File Client Request"; content:"100"; reference:arachnids,106; 
classtype:misc-activity; sid:202; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"117"; reference:arachnids,106; classtype:misc-activity; sid:203; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"118"; reference:arachnids,106; classtype:misc-activity; sid:204; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 HUP Modem Client Request"; content:"199"; reference:arachnids,106; classtype:misc-activity; sid:205; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Open Client Request"; content:"02"; reference:arachnids,106; classtype:misc-activity; sid:206; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Close Client Request"; content:"03"; reference:arachnids,106; classtype:misc-activity; sid:207; rev:5;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named iquery attempt"; content:"|09 80 00 00 00 01 00 00 00 00|"; depth:16; offset:2; reference:arachnids,277; reference:bugtraq,134; reference:cve,1999-0009; reference:url,www.rfc-editor.org/rfc/rfc1035.txt; classtype:attempted-recon; sid:252; rev:7;) ++alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Keylogger Active on Network"; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; classtype:misc-activity; sid:148; rev:5;) ++ ++# The following ftp rules look for specific exploits, which are not needed now ++# that initial protocol decoding is available. 
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT format string"; flow:to_server,established; content:"SITE EXEC %020d|7C|%.f%.f|7C 0A|"; depth:32; nocase; reference:arachnids,453; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:338; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT OpenBSD x86 ftpd"; flow:to_server,established; content:" |90|1|C0 99|RR|B0 17 CD 80|h|CC|sh"; reference:arachnids,446; reference:bugtraq,2124; reference:cve,2001-0053; classtype:attempted-user; sid:339; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"PWD|0A|/i"; classtype:attempted-admin; sid:340; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"XXXXX/"; classtype:attempted-admin; sid:341; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8"; flow:to_server,established; content:"|90 1B C0 0F 82 10| |17 91 D0| |08|"; reference:arachnids,451; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:342; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD"; flow:to_server,established; content:"1|C0|PPP|B0|~|CD 80|1|DB|1|C0|"; depth:32; reference:arachnids,228; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:343; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux"; flow:to_server,established; content:"1|C0|1|DB|1|C9 B0|F|CD 80|1|C0|1|DB|"; reference:arachnids,287; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:344; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic"; flow:to_server,established; 
content:"SITE "; nocase; content:" EXEC "; nocase; content:" %p"; nocase; reference:arachnids,285; reference:bugtraq,1387; reference:cve,2000-0573; reference:nessus,10452; classtype:attempted-admin; sid:345; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check"; flow:to_server,established; content:"f%.f%.f%.f%.f%."; depth:32; reference:arachnids,286; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-recon; sid:346; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0"; flow:to_server,established; content:"..11venglin@"; reference:arachnids,440; reference:bugtraq,1387; classtype:attempted-user; sid:348; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT MKD overflow"; flow:to_server,established; content:"MKD AAAAAA"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:349; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"1|C0|1|DB B0 17 CD 80|1|C0 B0 17 CD 80|"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:350; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"1|DB 89 D8 B0 17 CD 80 EB|,"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:351; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|83 EC 04|^|83 C6|p|83 C6 28 D5 E0 C0|"; reference:bugtraq, 113; reference:cve, CVE-1999-0368; classtype:attempted-admin; sid:352; rev:6;)
++
++# duplicate of 475
++alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:misc-activity; sid:455; rev:7;)
++
++
++# not needed 
thanks to 1964 and 1965
++alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv solaris overflow"; dsize:>999; flow:to_server,established; content:"|C0 22|?|FC A2 02| |09 C0|,|7F FF E2 22|?|F4|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:570; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv Solaris overflow"; dsize:>999; flow:to_server,established; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:571; rev:8;)
++
++# dup of 589
++alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1296; rev:4;)
++# dup of 1275
++alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; flow:to_server,established; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1297; rev:8;)
++
++# dup of 1280
++alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing"; flow:to_server,established; rpc:100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:596; rev:6;)
++
++# dup of 1281
++alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing"; flow:to_server,established; rpc:100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:597; rev:6;)
++
++alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!6; ip_proto:!89; classtype:non-standard-protocol; sid:1620; rev:5;)
++
++# this has been replaced with sid 1905 and 1906
++alert tcp $EXTERNAL_NET any -> $HOME_NET 634:1400 (msg:"RPC AMD Overflow"; flow:to_server,established; 
content:"|80 00 04|,L|15|u[|00 00 00 00 00 00 00 02|"; depth:32; reference:arachnids,217; reference:cve,1999-0704; classtype:attempted-admin; sid:573; rev:8;)
++
++# these have been replaced by 1915, 1916, 1914, and 1913
++alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; flow:to_server,established; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:600; rev:7;)
++alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:1282; rev:5;)
++
++# duplicate of 1088
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webstore directory traversal"; flow:to_server,established; uricontent:"/web_store.cgi?page=../.."; reference:bugtraq,1774; reference:cve,2000-1005; classtype:web-application-attack; sid:1094; rev:10;)
++
++
++# these are obsolete
++alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT overflow"; flow:to_server,established; content:"|E8 C0 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:293; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|89 D8|@|CD 80 E8 C8 FF FF FF|/"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:295; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|4^|8D 1E 89|^|0B|1|D2 89|V|07|"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:296; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|5^|80|F|01|0|80|F|02|0|80|F|03|0"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:297; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|8^|89 F3 
89 D8 80|F|01| |80|F|02|"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:298; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|X^1|DB 83 C3 08 83 C3 02 88|^&"; reference:bugtraq,130; reference:cve, CVE-1999-0005; classtype:attempted-admin; sid:299; rev:6;)
++
++# what is this rule? we have no idea...
++alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN ssh-research-scanner"; flow:to_server,established; content:"|00 00 00|`|00 00 00 00 00 00 00 00 01 00 00 00|"; classtype:attempted-recon; sid:617; rev:4;)
++
++# These have been replaced by better rules (1915,1916,1913,1914)
++alert udp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; reference:arachnids,9; classtype:attempted-recon; sid:592; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; reference:arachnids,9; classtype:attempted-recon; sid:1278; rev:5;)
++
++alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned nobody"; flow:from_server,established; content:"uid="; content:"|28|nobody|29|"; classtype:bad-unknown; sid:1883; rev:5;)
++alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned web"; flow:from_server,established; content:"uid="; content:"|28|web|29|"; classtype:bad-unknown; sid:1884; rev:5;)
++alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned http"; flow:from_server,established; content:"uid="; content:"|28|http|29|"; classtype:bad-unknown; sid:1885; rev:5;)
++alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned apache"; flow:from_server,established; content:"uid="; content:"|28|apache|29|"; classtype:bad-unknown; 
sid:1886; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00|"; depth:2; offset:45; reference:bugtraq,5556; reference:cve,2002-0724; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; reference:nessus,11110; sid:2102; rev:9;)
++
++# specific example for sid:1549
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT x86 windows CSMMail overflow"; flow:to_server,established; content:"|EB|S|EB| [|FC|3|C9 B1 82 8B F3 80|+"; reference:bugtraq,895; reference:cve,2000-0042; classtype:attempted-admin; sid:656; rev:8;)
++
++# this is properly caught by sid:527
++alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Land attack"; flags:S; id:3868; seq:3868; flow:stateless; reference:bugtraq,2666; reference:cve,1999-0016; classtype:attempted-dos; sid:269; rev:9;)
++
++# duplicate of 1546
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco Web DOS attempt"; flow:to_server,established; content:" /%%"; depth:16; reference:arachnids,275; classtype:attempted-dos; sid:1138; rev:7;)
++
++# these are obsoleted by cleaning up 663
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.4.1 exploit"; flow:to_server,established; content:"rcpt to|3A| |7C| sed '1,/^|24|/d'|7C|"; nocase; reference:arachnids,120; classtype:attempted-user; sid:666; rev:7;)
++
++# dup of 588
++alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request TCP"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,3382; 
reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1298; rev:15;)
++# dup of 1274
++alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request UDP"; content:"|00 00 00 00|"; depth:4; offset:4; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1299; rev:14;)
++
++# these virus rules suck.
++alert tcp any 110 -> any any (msg:"Virus - SnowWhite Trojan Incoming"; flow:established; content:"Suddlently"; classtype:misc-activity; sid:720; rev:6;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NAVIDAD Worm"; flow:established; content:"NAVIDAD.EXE"; nocase; classtype:misc-activity; sid:722; rev:6;)
++alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"myromeo.exe"; nocase; classtype:misc-activity; sid:723; rev:6;)
++alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"myjuliet.chm"; nocase; classtype:misc-activity; sid:724; rev:6;)
++alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"ble bla"; nocase; classtype:misc-activity; sid:725; rev:6;)
++alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"I Love You"; classtype:misc-activity; sid:726; rev:6;)
++alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"Sorry... 
Hey you !"; classtype:misc-activity; sid:727; rev:6;)
++alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"my picture from shake-beer"; classtype:misc-activity; sid:728; rev:6;)
++alert tcp any 110 -> any any (msg:"Virus - Possible QAZ Worm"; flow:established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:731; rev:7;)
++alert tcp any any -> any 25 (msg:"Virus - Possible QAZ Worm Calling Home"; flow:established; content:"nongmin_cn"; reference:MCAFEE,98775; classtype:misc-activity; sid:733; rev:6;)
++alert tcp any 110 -> any any (msg:"Virus - Possible Matrix worm"; flow:established; content:"Software provide by [MATRiX]"; nocase; classtype:misc-activity; sid:734; rev:6;)
++alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"Matrix has you..."; classtype:misc-activity; sid:735; rev:6;)
++alert tcp any any -> any 25 (msg:"Virus - Successful eurocalculator execution"; flags:PA; flow:established; content:"funguscrack@hotmail.com"; nocase; classtype:misc-activity; sid:736; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible eurocalculator.exe file"; flow:established; content:"filename="; content:"eurocalculator.exe"; nocase; classtype:misc-activity; sid:737; rev:6;)
++alert tcp any any -> any 110 (msg:"Virus - Possible Pikachu Pokemon Virus"; flags:PA; flow:established; content:"Pikachu Pokemon"; reference:MCAFEE,98696; classtype:misc-activity; sid:738; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible Triplesix Worm"; flow:established; content:"filename=|22|666TEST.VBS|22|"; nocase; reference:MCAFEE,10389; classtype:misc-activity; sid:739; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible Tune.vbs"; flow:established; content:"filename=|22|tune.vbs|22|"; nocase; reference:MCAFEE,10497; classtype:misc-activity; sid:740; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"Market 
share tipoff"; reference:MCAFEE,10109; classtype:misc-activity; sid:741; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"name =|22|WWIII!"; reference:MCAFEE,10109; classtype:misc-activity; sid:742; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"New Developments"; reference:MCAFEE,10109; classtype:misc-activity; sid:743; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"Good Times"; reference:MCAFEE,10109; classtype:misc-activity; sid:744; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible Papa Worm"; flow:established; content:"filename=|22|XPASS.XLS|22|"; nocase; reference:MCAFEE,10145; classtype:misc-activity; sid:745; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible Freelink Worm"; flow:established; content:"LINKS.VBS"; reference:MCAFEE,10225; classtype:misc-activity; sid:746; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible Simbiosis Worm"; flow:established; content:"filename=|22|SETUP.EXE|22|"; nocase; classtype:misc-activity; sid:747; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible BADASS Worm"; flow:established; content:"name =|22|BADASS.EXE|22|"; reference:MCAFEE,10388; classtype:misc-activity; sid:748; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible ExploreZip.B Worm"; flow:established; content:"name =|22|File_zippati.exe|22|"; reference:MCAFEE,10471; classtype:misc-activity; sid:749; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible wscript.KakWorm"; flow:established; content:"filename=|22|KAK.HTA|22|"; nocase; reference:MCAFEE,10509; classtype:misc-activity; sid:751; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus Possible Suppl Worm"; flow:established; content:"filename=|22|Suppl.doc|22|"; nocase; reference:MCAFEE,10361; classtype:misc-activity; sid:752; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible 
NewApt.Worm - theobbq.exe"; flow:established; content:"filename=|22|THEOBBQ.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:753; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; flow:established; content:"filename=|22|MONEY.DOC|22|"; nocase; reference:MCAFEE,10502; classtype:misc-activity; sid:754; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible IROK Worm"; flow:established; content:"filename=|22|irok.exe|22|"; nocase; reference:MCAFEE,98552; classtype:misc-activity; sid:755; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible Fix2001 Worm"; flow:established; content:"filename=|22|Fix2001.exe|22|"; nocase; reference:MCAFEE,10355; classtype:misc-activity; sid:756; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible Y2K Zelu Trojan"; flow:established; content:"filename=|22|Y2K.EXE|22|"; nocase; reference:MCAFEE,10505; classtype:misc-activity; sid:757; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible The_Fly Trojan"; flow:established; content:"filename=|22|THE_FLY.CHM|22|"; nocase; reference:MCAFEE,10478; classtype:misc-activity; sid:758; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; flow:established; content:"filename=|22|DINHEIRO.DOC|22|"; nocase; reference:MCAFEE,10502; classtype:misc-activity; sid:759; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible Passion Worm"; flow:established; content:"filename=|22|ICQ_GREETINGS.EXE|22|"; nocase; reference:MCAFEE,10467; classtype:misc-activity; sid:760; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler3.exe"; flow:established; content:"filename=|22|COOLER3.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:761; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - party.exe"; flow:established; content:"filename=|22|PARTY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:762; 
rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - hog.exe"; flow:established; content:"filename=|22|HOG.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:763; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal1.exe"; flow:established; content:"filename=|22|GOAL1.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:764; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - pirate.exe"; flow:established; content:"filename=|22|PIRATE.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:765; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - video.exe"; flow:established; content:"filename=|22|VIDEO.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:766; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - baby.exe"; flow:established; content:"filename=|22|BABY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:767; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler1.exe"; flow:established; content:"filename=|22|COOLER1.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:768; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - boss.exe"; flow:established; content:"filename=|22|BOSS.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:769; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - g-zilla.exe"; flow:established; content:"filename=|22|G-ZILLA.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:770; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible ToadieE-mail Trojan"; flow:established; content:"filename=|22|Toadie.exe|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:771; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible PrettyPark Trojan"; flow:established; 
content:"|5C|CoolProgs|5C|"; depth:750; offset:300; reference:MCAFEE,10175; classtype:misc-activity; sid:772; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible Happy99 Virus"; flow:established; content:"X-Spanska|3A|Yes"; reference:MCAFEE,10144; classtype:misc-activity; sid:773; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible CheckThis Trojan"; flow:established; content:"name =|22|links.vbs|22|"; classtype:misc-activity; sid:774; rev:5;)
++alert tcp any 110 -> any any (msg:"Virus - Possible Bubbleboy Worm"; flow:established; content:"BubbleBoy is back!"; reference:MCAFEE,10418; classtype:misc-activity; sid:775; rev:6;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - copier.exe"; flow:established; content:"filename=|22|COPIER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:776; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible MyPics Worm"; flow:established; content:"name =|22|pics4you.exe|22|"; reference:MCAFEE,10467; classtype:misc-activity; sid:777; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible Babylonia - X-MAS.exe"; flow:established; content:"name =|22|X-MAS.EXE|22|"; reference:MCAFEE,10461; classtype:misc-activity; sid:778; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - gadget.exe"; flow:established; content:"filename=|22|GADGET.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:779; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - irnglant.exe"; flow:established; content:"filename=|22|IRNGLANT.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:780; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - casper.exe"; flow:established; content:"filename=|22|CASPER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:781; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - fborfw.exe"; flow:established; 
content:"filename=|22|FBORFW.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:782; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - saddam.exe"; flow:established; content:"filename=|22|SADDAM.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:783; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - bboy.exe"; flow:established; content:"filename=|22|BBOY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:784; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - monica.exe"; flow:established; content:"filename=|22|MONICA.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:785; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal.exe"; flow:established; content:"filename=|22|GOAL.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:786; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - panther.exe"; flow:established; content:"filename=|22|PANTHER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:787; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - chestburst.exe"; flow:established; content:"filename=|22|CHESTBURST.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:788; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible Common Sense Worm"; flow:established; content:"name =|22|THE_FLY.CHM|22|"; classtype:misc-activity; sid:790; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cupid2.exe"; flow:established; content:"filename=|22|CUPID2.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:791; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; flow:established; content:"filename=|22|RESUME1.DOC|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:792; rev:7;)
++alert tcp any 110 -> any 
any (msg:"Virus - Possible Resume Worm"; flow:established; content:"filename=|22|Explorer.doc|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:794; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible Worm - txt.vbs file"; flow:established; content:"filename="; content:".txt.vbs"; nocase; classtype:misc-activity; sid:795; rev:6;)
++alert tcp any 110 -> any any (msg:"Virus - Possible Worm - xls.vbs file"; flow:established; content:"filename="; content:".xls.vbs"; nocase; classtype:misc-activity; sid:796; rev:6;)
++alert tcp any 110 -> any any (msg:"Virus - Possible Worm - jpg.vbs file"; flow:established; content:"filename="; content:".jpg.vbs"; nocase; classtype:misc-activity; sid:797; rev:6;)
++alert tcp any 110 -> any any (msg:"Virus - Possible Worm - gif.vbs file"; flow:established; content:"filename="; content:".gif.vbs"; nocase; classtype:misc-activity; sid:798; rev:6;)
++alert tcp any 110 -> any any (msg:"Virus - Possible Timofonica Worm"; flow:established; content:"filename=|22|TIMOFONICA.TXT.vbs|22|"; nocase; reference:MCAFEE,98674; classtype:misc-activity; sid:799; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; flow:established; content:"filename=|22|NORMAL.DOT|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:800; rev:7;)
++alert tcp any 110 -> any any (msg:"Virus - Possible Worm - doc.vbs file"; flow:established; content:"filename="; content:".doc.vbs"; nocase; classtype:misc-activity; sid:801; rev:6;)
++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - farter.exe"; flow:established; content:"filename=|22|FARTER.EXE|22|"; nocase; reference:MCAFEE,1054; classtype:misc-activity; sid:789; rev:7;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"VIRUS Klez Incoming"; dsize:>120; flow:to_server,established; content:"MIME"; content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1800; rev:4;)
++# pcre makes this not needed
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 
25 (msg:"SMTP XEXCH50 overflow with evasion attempt"; flow:to_server,established; content:"XEXCH50"; nocase; content:"-0"; distance:1; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx; classtype:attempted-admin; sid:2254; rev:3;)
++
++# historical reference... this used to be here...
++alert tcp any 110 -> any any (msg:"Virus - Possbile Zipped Files Trojan"; flow:established; content:"name =|22|Zipped_Files.EXE|22|"; reference:MCAFEE,10450; classtype:misc-activity; sid:802; rev:7;)
++
++# taken care of by http_inspect now
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS multiple decode attempt"; flow:to_server,established; uricontent:"%5c"; uricontent:".."; reference:bugtraq,2708; reference:cve,2001-0333; classtype:web-application-attack; reference:nessus,10671; sid:970; rev:11;)
++
++# better rule for 1054 caused these rules to not be needed
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".js%2570"; nocase; classtype:attempted-recon; sid:1236; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".j%2573p"; nocase; classtype:attempted-recon; sid:1237; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".%256Asp"; nocase; classtype:attempted-recon; sid:1238; rev:6;)
++
++# these rules are dumb. 
sid:857 looks for the access, and thats all we can do
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey attempt full path"; flow:to_server,established; uricontent:"/faxsurvey?/"; nocase; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-attack; sid:1647; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey arbitrary file read attempt"; flow:to_server,established; uricontent:"/faxsurvey?cat%20"; nocase; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-attack; sid:1609; rev:7;)
++
++# dup of 2061
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat directory traversal attempt"; flow:to_server,established; uricontent:"|00|.jsp"; reference:bugtraq,2518; classtype:web-application-attack; sid:1055; rev:9;)
++
++
++
++# squash all of the virus rules into one rule. go PCRE!
++alert tcp any any -> any 139 (msg:"Virus - Possible QAZ Worm Infection"; flow:established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:732; rev:8;)
++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .shs file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".shs|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:730; rev:7;)
++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .exe file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".exe|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2160; rev:4;)
++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .doc file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".doc|22|"; within:30; nocase; 
classtype:suspicious-filename-detect; sid:2161; rev:4;)
++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .vbs file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".vbs|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:793; rev:7;)
++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .hta file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".hta|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2162; rev:4;)
++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .chm file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".chm|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2163; rev:4;)
++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .reg file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".reg|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2164; rev:4;)
++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .ini file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".ini|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2165; rev:4;)
++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .bat file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".bat|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2166; rev:4;)
++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .diz file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".diz|22|"; 
within:30; nocase; classtype:suspicious-filename-detect; sid:2167; rev:4;) ++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .cpp file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".cpp|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2168; rev:4;) ++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .dll file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".dll|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2169; rev:4;) ++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .vxd file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".vxd|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2170; rev:4;) ++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .sys file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".sys|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2171; rev:4;) ++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .com file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".com|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2172; rev:4;) ++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .scr file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".scr|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:729; rev:7;) ++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .hsq file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; 
content:".hsq|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2173; rev:4;) ++ ++# uh, yeah this happens quite a bit. ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ?open access"; flow:to_server,established; uricontent:"?open"; nocase; classtype:web-application-activity; sid:1561; rev:5;) ++ ++# dup of 1485 ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mkilog.exe access"; flow:to_server,established; uricontent:"/mkilog.exe"; nocase; classtype:web-application-activity; sid:1665; rev:6;) ++ ++# dup of 2339 ++alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP NULL command attempt"; content:"|00 00|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2336; rev:3;) ++ ++# these happen. more research = more better rules ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2503; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2506; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"MISC LDAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; 
classtype:attempted-dos; reference:nessus,12204; sid:2499; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2498; rev:8;) ++ ++ ++#nmap is no longer as dumb as it once was... ++alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP"; ack:0; flags:A,12; flow:stateless; reference:arachnids,28; classtype:attempted-recon; sid:628; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap fingerprint attempt"; flags:SFPU; flow:stateless; reference:arachnids,05; classtype:attempted-recon; sid:629; rev:6;) ++ ++# dup of 553 ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:" ftp|0D 0A|"; nocase; classtype:misc-activity; sid:1449; rev:7;) ++ ++# dup of 2417, which is a better rule anyways ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP format string attempt"; flow:to_server,established; content:"%p"; nocase; classtype:attempted-admin; reference:nessus,10452; reference:bugtraq,1387; reference:bugtraq,2240; reference:bugtraq,726; reference:cve,2000-0573; reference:cve,1999-0997; sid:1530; rev:12;) ++ ++# ans1 goodness takes care of this one for us ++alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; 
reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; classtype:attempted-dos; reference:nessus,12065; sid:2385; rev:11;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; classtype:attempted-dos; reference:nessus,12065; sid:2384; rev:10;) ++ ++ ++# because this rule sucks ++alert tcp $HOME_NET 7161 -> $EXTERNAL_NET any (msg:"MISC Cisco Catalyst Remote Access"; flags:SA,12; flow:stateless; reference:arachnids,129; reference:bugtraq,705; reference:cve,1999-0430; classtype:bad-unknown; sid:513; rev:11;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy Port 8080 attempt"; flags:S,12; flow:stateless; classtype:attempted-recon; sid:620; rev:10;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN SOCKS Proxy attempt"; flags:S,12; flow:stateless; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:615; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S,12; flow:stateless; classtype:attempted-recon; sid:618; rev:9;) ++ ++ ++# http inspect does a better job than these rules do ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c0%af../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; reference:nessus,10537; sid:981; rev:11;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; 
content:"/..%c1%1c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; reference:nessus,10537; sid:982; rev:11;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%9c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; reference:nessus,10537; sid:983; rev:11;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%255c.."; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; reference:nessus,10537; sid:1945; rev:6;) ++ ++# dup of 1672 ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~ attempt"; flow:to_server,established; content:"CWD "; content:" ~|0D 0A|"; reference:bugtraq,2601; reference:cve,2001-0421; classtype:denial-of-service; sid:1728; rev:7;) ++ ++# dup of 1229 ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD .... 
attempt"; flow:to_server,established; content:"CWD "; content:" ...."; reference:bugtraq,4884; classtype:denial-of-service; sid:1779; rev:3;) ++ ++# dup of 1757 ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC b2 access"; flow:to_server,established; uricontent:"/b2/b2-include/"; content:"b2inc"; content:"http|3A|//"; classtype:web-application-attack; reference:bugtraq,4673; reference:cve,2002-0734; sid:1758; rev:6;) ++ ++# dup of 653 ++alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0x90 NOOP unicode"; content:"|90 00 90 00 90 00 90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2314; rev:2;) ++ ++# converted to a dup by 1437 moving to regex ++alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media Video download"; flow:from_server,established; content:"Content-type|3A| video/x-ms-asf"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1438; rev:7;) ++ ++# handled by 1212 ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC order.log access"; flow:to_server,established; uricontent:"/admin_files/order.log"; nocase; classtype:attempted-recon; sid:1176; rev:6;) ++ +--- /dev/null ++++ b/rules/ddos.rules +@@ -0,0 +1,66 @@ ++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved ++# ++# This file may contain proprietary rules that were created, tested and ++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as ++# rules that were created by Sourcefire and other third parties and ++# distributed under the GNU General Public License (the "GPL Rules"). The ++# VRT Certified Rules contained in this file are the property of ++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# The GPL Rules created by Sourcefire, Inc. are the property of ++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights ++# Reserved. 
All other GPL Rules are owned and copyrighted by their ++# respective owners (please see www.snort.org/contributors for a list of ++# owners and their respective copyrights). In order to determine what ++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT ++# Certified Rules License Agreement. ++# ++# ++# $Id: ddos.rules,v 1.23.2.3.2.1 2005/05/16 22:17:51 mwatchinski Exp $ ++#----------- ++# DDOS RULES ++#----------- ++ ++alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN Probe"; icmp_id:678; itype:8; content:"1234"; reference:arachnids,443; classtype:attempted-recon; sid:221; rev:4;) ++alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS tfn2k icmp possible communication"; icmp_id:0; itype:0; content:"AAAAAAAAAA"; reference:arachnids,425; classtype:attempted-dos; sid:222; rev:2;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master PONG message detected"; content:"PONG"; reference:arachnids,187; classtype:attempted-recon; sid:223; rev:3;) ++alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN client command BE"; icmp_id:456; icmp_seq:0; itype:0; reference:arachnids,184; classtype:attempted-dos; sid:228; rev:3;) ++ ++ ++alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any (msg:"DDOS shaft client login to handler"; flow:from_server,established; content:"login|3A|"; reference:arachnids,254; reference:url,security.royans.net/info/posts/bugtraq_ddos3.shtml; classtype:attempted-dos; sid:230; rev:5;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 18753 (msg:"DDOS shaft handler to agent"; content:"alive tijgu"; reference:arachnids,255; classtype:attempted-dos; sid:239; rev:2;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 20433 (msg:"DDOS shaft agent to handler"; content:"alive"; reference:arachnids,256; classtype:attempted-dos; sid:240; rev:2;) ++# alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"DDOS shaft synflood"; flow:stateless; flags:S,12; seq:674711609; reference:arachnids,253; reference:cve,2000-0138; 
classtype:attempted-dos; sid:241; rev:10;) ++ ++ ++ ++ ++alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master message detected"; content:"l44"; reference:arachnids,186; classtype:attempted-dos; sid:231; rev:3;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master *HELLO* message detected"; content:"*HELLO*"; reference:arachnids,185; reference:url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm; classtype:attempted-dos; sid:232; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; reference:arachnids,197; classtype:attempted-dos; sid:233; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default password"; flow:established,to_server; content:"gOrave"; classtype:attempted-dos; sid:234; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default mdie password"; flow:established,to_server; content:"killme"; classtype:bad-unknown; sid:235; rev:2;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"DDOS Trin00 Master to Daemon default password attempt"; content:"l44adsl"; reference:arachnids,197; classtype:attempted-dos; sid:237; rev:2;) ++alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS TFN server response"; icmp_id:123; icmp_seq:0; itype:0; content:"shell bound to port"; reference:arachnids,182; classtype:attempted-dos; sid:238; rev:6;) ++ ++ ++ ++alert udp $EXTERNAL_NET any -> $HOME_NET 6838 (msg:"DDOS mstream agent to handler"; content:"newserver"; classtype:attempted-dos; sid:243; rev:2;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler to agent"; content:"stream/"; reference:cve,2000-0138; classtype:attempted-dos; sid:244; rev:3;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler ping to agent"; content:"ping"; reference:cve,2000-0138; 
classtype:attempted-dos; sid:245; rev:3;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream agent pong to handler"; content:"pong"; classtype:attempted-dos; sid:246; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"DDOS mstream client to handler"; flow:to_server,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:247; rev:4;) ++alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; flow:to_client,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:248; rev:4;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 15104 (msg:"DDOS mstream client to handler"; flow:stateless; flags:S,12; reference:arachnids,111; reference:cve,2000-0138; classtype:attempted-dos; sid:249; rev:8;) ++alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; flow:from_server,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:250; rev:4;) ++alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS - TFN client command LE"; icmp_id:51201; icmp_seq:0; itype:0; reference:arachnids,183; classtype:attempted-dos; sid:251; rev:3;) ++ ++ ++alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server spoof"; icmp_id:666; itype:0; reference:arachnids,193; classtype:attempted-dos; sid:224; rev:3;) ++alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht gag server response"; icmp_id:669; itype:0; content:"sicken"; reference:arachnids,195; classtype:attempted-dos; sid:225; rev:6;) ++alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server response"; icmp_id:667; itype:0; content:"ficken"; reference:arachnids,191; classtype:attempted-dos; sid:226; rev:6;) ++alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client spoofworks"; icmp_id:1000; itype:0; content:"spoofworks"; reference:arachnids,192; classtype:attempted-dos; sid:227; rev:6;) ++alert icmp $EXTERNAL_NET any -> 
$HOME_NET any (msg:"DDOS Stacheldraht client check gag"; icmp_id:668; itype:0; content:"gesundheit!"; reference:arachnids,194; classtype:attempted-dos; sid:236; rev:6;) ++alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client check skillz"; icmp_id:666; itype:0; content:"skillz"; reference:arachnids,190; classtype:attempted-dos; sid:229; rev:5;) ++alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent niggahbitch"; icmp_id:9015; itype:0; content:"niggahbitch"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1854; rev:7;) ++alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht agent->handler skillz"; icmp_id:6666; itype:0; content:"skillz"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1855; rev:7;) ++alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent ficken"; icmp_id:6667; itype:0; content:"ficken"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1856; rev:7;) +--- /dev/null ++++ b/rules/community-misc.rules +@@ -0,0 +1,48 @@ ++# Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# These rules are licensed under the GNU General Public License. ++# Please see the file LICENSE in this directory for more details. 
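Review bot: sid:249 (`DDOS mstream client to handler`) in the ddos.rules hunk fires on `flow:stateless; flags:S,12` alone with no `content` option, so every bare SYN to TCP/15104 — a routine port scan or a spoofed-source SYN flood included — raises one alert per packet. The rule cannot distinguish the tool's handshake from any other SYN, so it should at least be rate-limited the way the chat.rules hunk in this same commit does, e.g. `threshold:type limit, track by_src, count 1, seconds 60;`, and a comment above it should say it is a header-only indicator. The same consideration applies to the commented-out shaft synflood rule (sid:241) if it is ever re-enabled.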
++# $Id: community-misc.rules,v 1.25 2007/03/05 15:22:49 akirk Exp $ ++ ++alert udp $EXTERNAL_NET any -> $HOME_NET 5093 (msg:"COMMUNITY MISC Sentinel License Manager overflow attempt"; dsize:>1000; reference:cve,CAN-2005-0353; reference:bugtraq,12742; classtype:attempted-user; sid:100000125; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 2380 (msg:"COMMUNITY MISC GoodTech Telnet Server Buffer Overflow Attempt"; flow:to_server,established; pcre:"/[^\r\n]{1000,}/i"; reference:cve,2005-0768; reference:url,unsecure.altervista.org/security/goodtechtelnet.htm; classtype:attempted-dos; sid:100000126; rev:1;) ++#Rule submitted by rmkml ++alert tcp any any -> any !139 (msg:"COMMUNITY MISC BAD-SSL tcp detect"; flow:stateless; content:"|00 0E|"; depth:4; offset:0; classtype:misc-activity; sid:100000137; rev:1;) ++#Rules submitted by Thierry Chich ++alert tcp any any -> any any (msg:"COMMUNITY MISC streaming RTSP - realplayer"; flow:established; content:"PLAY rtsp|3A 2F 2F|"; depth: 12; classtype:policy-violation; reference:url,www.rtsp.org; sid:100000189; rev:2;) ++alert tcp any any -> any any (msg:"COMMUNITY MISC streaming Windows Mediaplayer"; flow:established; content:"|01 00 00 00 ce fa 0b b0|"; depth: 8; content:"MMS"; distance:4; within:4; classtype:policy-violation; reference:url,www.microsoft.com; sid:100000190; rev:2;) ++#alert udp $EXTERNAL_NET 1023: -> $HOME_NET 123 (msg:"COMMUNITY MISC Ntp fingerprint detect"; dsize:48; content:"|BE 78 2F 1D 19 BA 00 00|"; reference:url,www.arhont.com/ViewPage7422.html?siteNodeId=3&languageId=1&contentId=-1; classtype:attempted-dos; sid:100000198; rev:1;) ++#Rule submitted by rmkml ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8008 (msg:"COMMUNITY MISC Novell eDirectory iMonitor access"; flow:to_server,established; uricontent:"/nds/"; nocase; reference:bugtraq,14548; reference:cve,2005-2551; reference:nessus,19248; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=18703; classtype:web-application-attack; sid:100000199; 
rev:1;) ++#Rule submitted jointly by Romain Chartier, Sylvain Sarmejeanne, and Pierre Lalet ++alert udp any any -> any 53 (msg:"COMMUNITY MISC Tunneling IP over DNS with NSTX"; byte_test: 1,>,32,12; content: "|00 10 00 01|"; offset: 12; rawbytes; threshold: type threshold, track by_src, count 50, seconds 60; reference:url,nstx.dereference.de/nstx/; reference:url,slashdot.org/articles/00/09/10/2230242.shtml; classtype:policy-violation; sid:100000208; rev:1;) ++#Rules submitted by Crusoe Researches Team ++alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"COMMUNITY MISC TFTP32 Get Format string attempt"; content:"|00 01 25 2E|"; depth:4; reference:url,www.securityfocus.com/archive/1/422405/30/0/threaded; reference:url,www.critical.lt/?vulnerabilities/200; classtype:attempted-admin; sid:100000222; rev:1;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"COMMUNITY MISC SNMP trap Format String detected"; content:"%s"; reference:bugtraq,16267; reference:cve,2006-0250; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=22493; classtype:attempted-recon; sid:100000227; rev:1;) ++#Rule submitted by Nigel Houghton ++alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"COMMUNITY MISC Lotus Domino LDAP attack"; flow:established; content:"|30 0c 02 01 01 60 07 02 00 03 04 00 80 00|"; reference:bugtraq,16523; reference:cve,2006-0580; reference:url,lists.immunitysec.com/pipermail/dailydave/2006-February/002896.html; classtype:misc-attack; sid:100000229; rev:2;) ++ ++#Jabber/Google Talk traffic from the client submitted by Steven Alexander ++alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Jabber/Google Talk Outgoing Traffic"; flow:to_server,established; content:" $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Jabber/Google Talk Outgoing Auth"; flow:to_server,established; content:" $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Google Talk Logon"; flow:to_server,established; content:" $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Jabber/Google Talk Outoing Message"; 
flow:to_server,established; content:" $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Jabber/Google Talk Log Out"; flow:to_server,established; content:" $HOME_NET any (msg:"COMMUNITY MISC Jabber/Google Talk Logon Success"; flow:to_client,established; content:" $HOME_NET any (msg:"COMMUNITY MISC Jabber/Google Talk Incoming Message"; flow:to_client,established; content:" $HOME_NET 1364 (msg:"COMMUNITY MISC Connect Direct Server - Session Terminated Invalid Credentials"; flow:stateless; content:"SVTM056I"; nocase; classtype:bad-unknown; sid:100000281; rev:2;) ++ ++# TOR Rules by Dan Ramaswami ++alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY MISC DLR-TOR Directory server response"; flow:established,to_client; content:"|54 4f 52|"; offset:109; depth:3; content:"|06 03 55 04 03|"; distance:4; within:5; content:"|20 3C 69 64 65 6E 74 69 74 79 3E|"; distance:2; within:30; reference:url,tor.eff.org; classtype:policy-violation; sid:100000874; rev:2;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY MISC DLR-TOR Client Traffic"; flow:established,to_server;content:"|54 4f 52|"; content:"|06 03 55 04 03 14|"; distance:4; within:6; content:"|63 6c 69 65 6e 74 20 3C 69 64 65 6E 74 69 74 79 3E|"; distance:1; within:17; classtype:policy-violation; reference:url,tor.eff.org; sid:100000875; rev:1;) ++ ++# Additional GoogleTalk Rules by Will Young ++alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY MISC Google Talk Version Check"; flow: established,to_server; uricontent:"/googletalk/google-talk-versioncheck.txt?"; nocase; classtype: policy-violation; sid:100000876; rev:1;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Google Talk Startup"; flow: established,to_server; content:"google.com"; nocase; content:"jabber|3A|client"; nocase; classtype:policy-violation; threshold: type limit, track by_src, count 1, seconds 300; sid:100000877; rev:1;) ++ ++alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"COMMUNITY MISC Q.931 
Invalid Call Reference Length Buffer Overflow"; flow:established; content:"|08|"; depth:1; byte_test:1,>,4,1; classtype:attempted-dos; reference:url,www.ethereal.com/news/item_20050504_01.html; reference:url,www.elook.org/internet/126.html; sid:100000892; rev:1;) ++ ++# Rule submitted by dprotich@sagonet.com ++alert udp $EXTERNAL_NET any <> $HOME_NET 1025:1026 (msg:"COMMUNITY MISC Microsoft Messenger phishing attempt - corrupted registry"; content:"FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!"; classtype:misc-activity; reference:url,www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx; sid:100000927; rev:1;) +--- /dev/null ++++ b/rules/chat.rules +@@ -0,0 +1,63 @@ ++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved ++# ++# This file may contain proprietary rules that were created, tested and ++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as ++# rules that were created by Sourcefire and other third parties and ++# distributed under the GNU General Public License (the "GPL Rules"). The ++# VRT Certified Rules contained in this file are the property of ++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# The GPL Rules created by Sourcefire, Inc. are the property of ++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights ++# Reserved. All other GPL Rules are owned and copyrighted by their ++# respective owners (please see www.snort.org/contributors for a list of ++# owners and their respective copyrights). In order to determine what ++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT ++# Certified Rules License Agreement. 
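Review bot: sid:100000126 (`GoodTech Telnet Server Buffer Overflow Attempt`) carries a `pcre` but no `content` option, so there is no fast-pattern string and `/[^\r\n]{1000,}/i` is evaluated against every established packet to TCP/2380, a per-packet regex cost that traffic to that port can drive at will. Putting a cheap prefilter ahead of it, e.g. `dsize:>1000;` as sid:100000125 on the line above already does, keeps the regex off the common path; the `i` flag on a pure character-class pattern does nothing and can go. Separately, sid:100000125 writes `reference:cve,CAN-2005-0353` while every other `cve` reference in this file uses the bare `YYYY-NNNN` form; since the `cve` reference system prepends a fixed URL base, the prefixed form produces a different link than its siblings and should be normalised to `reference:cve,2005-0353` for consistency.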
++# ++# ++# $Id: chat.rules,v 1.25.2.2.2.4 2005/07/22 19:19:54 mwatchinski Exp $ ++#------------- ++# CHAT RULES ++#------------- ++# These signatures look for people using various types of chat programs (for ++# example: AIM, ICQ, and IRC) which may be against corporate policy ++ ++alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT ICQ access"; flow:to_server,established; content:"User-Agent|3A|ICQ"; classtype:policy-violation; sid:541; rev:9;) ++alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"CHAT ICQ forced user addition"; flow:established,to_client; content:"Content-Type|3A| application/x-icq"; nocase; content:"[ICQ User]"; reference:bugtraq,3226; reference:cve,2001-1305; classtype:policy-violation; sid:1832; rev:7;) ++ ++alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; classtype:policy-violation; sid:540; rev:11;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN outbound file transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; nocase; content:"INVITE"; distance:0; nocase; classtype:policy-violation; sid:1986; rev:6;) ++alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"CHAT MSN outbound file transfer accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 200 OK"; distance:0; nocase; classtype:policy-violation; sid:1988; rev:5;) ++alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"CHAT MSN outbound file transfer rejected"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 603 Decline"; distance:0; nocase; classtype:policy-violation; sid:1989; rev:6;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN user search"; flow:to_server,established; content:"CAL "; 
depth:4; nocase; classtype:policy-violation; sid:1990; rev:1;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; threshold:type limit, track by_src, count 1, seconds 60; classtype:policy-violation; sid:1991; rev:2;) ++ ++alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC nick change"; flow:to_server,established; content:"NICK "; offset:0; nocase; classtype:policy-violation; sid:542; rev:11;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC DCC file transfer request"; flow:to_server,established; content:"PRIVMSG "; offset:0; nocase; content:" |3A|.DCC SEND"; nocase; classtype:policy-violation; sid:1639; rev:6;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC DCC chat request"; flow:to_server,established; content:"PRIVMSG "; offset:0; nocase; content:" |3A|.DCC CHAT chat"; nocase; classtype:policy-violation; sid:1640; rev:6;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC channel join"; flow:to_server,established; content:"JOIN |3A| |23|"; offset:0; nocase; classtype:policy-violation; sid:1729; rev:5;) ++alert tcp $HOME_NET any <> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC message"; flow:established; content:"PRIVMSG "; nocase; classtype:policy-violation; sid:1463; rev:6;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC dns request"; flow:to_server,established; content:"USERHOST "; offset:0; nocase; classtype:policy-violation; sid:1789; rev:3;) ++alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"CHAT IRC dns response"; flow:to_client,established; content:"|3A|"; offset:0; content:" 302 "; content:"=+"; classtype:policy-violation; sid:1790; rev:4;) ++ ++alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 17 00 06|"; within:8; distance:4; classtype:policy-violation; 
sid:1631; rev:8;) ++alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM send message"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 04 00 06|"; depth:4; offset:6; classtype:policy-violation; sid:1632; rev:6;) ++alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"CHAT AIM receive message"; flow:to_client; content:"*|02|"; depth:2; content:"|00 04 00 07|"; depth:4; offset:6; classtype:policy-violation; sid:1633; rev:6;) ++ ++ ++ ++alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM successful logon"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 01|"; depth:2; offset:10; classtype:policy-violation; sid:2450; rev:3;) ++alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM voicechat"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00|J"; depth:2; offset:10; classtype:policy-violation; sid:2451; rev:3;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 12|"; depth:2; offset:10; classtype:policy-violation; sid:2452; rev:4;) ++ ++alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM conference invitation"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 18|"; depth:2; offset:10; classtype:policy-violation; sid:2453; rev:3;) ++alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM conference logon success"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 19|"; depth:2; offset:10; classtype:policy-violation; sid:2454; rev:3;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM conference message"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 1D|"; depth:2; offset:10; classtype:policy-violation; sid:2455; rev:3;) ++ ++alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo Messenger File Transfer Receive Request"; flow:established; 
content:"YMSG"; depth:4; content:"|00|M"; depth:2; offset:10; classtype:policy-violation; sid:2456; rev:4;) ++alert tcp any any <> any 5101 (msg:"CHAT Yahoo IM message"; flow:established; content:"YMSG"; depth:4; nocase; classtype:policy-violation; sid:2457; rev:2;) ++ ++alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM successful chat join"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 98|"; depth:2; offset:10; classtype:policy-violation; sid:2458; rev:3;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM conference offer invitation"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00|P"; depth:2; offset:10; classtype:policy-violation; sid:2459; rev:4;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"CHAT Yahoo IM conference request"; flow:to_server,established; content:" $HOME_NET any (msg:"CHAT Yahoo IM conference watch"; flow:from_server,established; content:"|0D 00 05 00|"; depth:4; classtype:policy-violation; sid:2461; rev:4;) +--- /dev/null ++++ b/rules/community-web-attacks.rules +@@ -0,0 +1,10 @@ ++# Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# These rules are licensed under the GNU General Public License. ++# Please see the file LICENSE in this directory for more details. 
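Review bot: sid:1633 (`CHAT AIM receive message`) uses `flow:to_client;` without `established`, unlike sid:1631 and sid:1632 beside it and every other flow-qualified rule in the chat.rules hunk, so it is evaluated on packets outside any tracked session and a single unsolicited or spoofed-source packet from a `$AIM_SERVERS` address carrying the short `*|02|` / `|00 04 00 07|` marker will trigger it. Change it to `flow:to_client,established;` to match its siblings. Also worth a comment: sid:2457 (`CHAT Yahoo IM message`) is the only rule in the file written as `any any <> any 5101` rather than bounded by `$HOME_NET`/`$EXTERNAL_NET`, which makes it fire on traffic in either direction between any two hosts; if that is intentional, say so above the rule.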
++# $Id: community-web-attacks.rules,v 1.6 2005/12/13 14:24:48 akirk Exp $
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS Hydra Activity Detected"; flow:to_server,established; content:"User-Agent|3A|"; nocase; content:"Hydra"; nocase; distance:0; pcre:"/^User-Agent\s*\x3A\s*Mozilla\x2f4\.0 (Hydra)/smi"; nocase; reference:url,www.thc.org/releases.php; classtype:misc-attack; sid:100000168; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS Amap fingerprint attempt"; flow:to_server,established; content:"|80 80 01 03 01 00 57 00 00 00 20 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00 66 00 00 07 00 00 05 00 00 04 05 00 80 03 00 80 01 00 80 08 00 80 00 00 65 00 00 64 00 00 63 00 00 62 00 00 61 00 00 60 00 00 15 00 00 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 00 00 06 00 00 03 04 00 80 02 00 80 63 b9 b9 19 c0 2b ae 90 74 4c 73 eb 8b cf d8 55 ea d0 69 82 1b ef 23 c3 39 9b 8e b2 49 3c 5a 79|"; depth:130; classtype:web-application-activity; reference:url,www.thc.org/releases.php; sid:100000169; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Host Parameter"; flow:to_server,established; content:"Host"; nocase; pcre:"/^Host[^\r\n]{100,}/smi"; reference:bugtraq,15081; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19926; classtype:attempted-admin; sid:100000170; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Accept Parameter"; flow:to_server,established; content:"Accept"; nocase; pcre:"/^Accept[^\r\n]{200,}/smi"; reference:bugtraq,15081; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19926; classtype:attempted-admin; sid:100000171; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS SAP WAS syscmd access"; flow:to_server,established;
uricontent:"/sap/bc/BSp/sap/menu/frameset.htm"; nocase; uricontent:"sap-syscmd"; nocase; reference:url,www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf; classtype:web-application-activity; sid:100000183; rev:1;)
+--- /dev/null
++++ b/rules/web-frontpage.rules
+@@ -0,0 +1,58 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
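Review bot: In sid:100000168 the trailing `nocase;` placed after the `pcre` is misplaced: `nocase` is a content modifier, so it either re-applies to the preceding `content:"Hydra"` (already nocase) or is rejected by the rule parser, and the pcre already carries the `i` flag, so it should simply be dropped. The two GFI MailSecurity rules (sid:100000170/171) fire on any request to any `$HTTP_SERVERS` host whose Host or Accept header exceeds 100/200 bytes, which legitimate clients produce routinely, and nothing in either rule scopes them to the GFI management interface the references describe; expect noise unless the target is narrowed or a management-specific URI is added. The Amap rule (sid:100000169) is a single fixed 130-byte blob (it looks like an SSLv2-format client hello), so any variation in the probe evades it; a comment saying which Amap version/probe it was taken from would help whoever has to re-validate it.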
++#
++#
++# $Id: web-frontpage.rules,v 1.32.2.2.2.2 2005/06/29 15:35:05 mwatchinski Exp $
++#--------------------
++# WEB-FRONTPAGE RULES
++#--------------------
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad fp30reg.dll access"; flow:to_server,established; uricontent:"/fp30reg.dll"; nocase; reference:arachnids,555; reference:bugtraq,2906; reference:cve,2001-0341; reference:url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx; classtype:web-application-activity; sid:1248; rev:13;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE frontpage rad fp4areg.dll access"; flow:to_server,established; uricontent:"/fp4areg.dll"; nocase; reference:bugtraq,2906; reference:cve,2001-0341; classtype:web-application-activity; sid:1249; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE _vti_rpc access"; flow:to_server,established; uricontent:"/_vti_rpc"; nocase; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; classtype:web-application-activity; sid:937; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE posting"; flow:to_server,established; content:"POST"; uricontent:"/author.dll"; nocase; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; reference:url,www.microsoft.com/technet/security/bulletin/MS00-100.mspx; classtype:web-application-activity; sid:939; rev:11;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE shtml.dll access"; flow:to_server,established; uricontent:"/_vti_bin/shtml.dll"; nocase; reference:arachnids,292; reference:bugtraq,1174; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0413; reference:cve,2000-0746; reference:nessus,11395; reference:url,www.microsoft.com/technet/security/bulletin/ms00-060.mspx; classtype:web-application-activity; sid:940; rev:15;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-FRONTPAGE contents.htm access"; flow:to_server,established; uricontent:"/admcgi/contents.htm"; nocase; classtype:web-application-activity; sid:941; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE orders.htm access"; flow:to_server,established; uricontent:"/_private/orders.htm"; nocase; classtype:web-application-activity; sid:942; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpsrvadm.exe access"; flow:to_server,established; uricontent:"/fpsrvadm.exe"; nocase; classtype:web-application-activity; sid:943; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpremadm.exe access"; flow:to_server,established; uricontent:"/fpremadm.exe"; nocase; classtype:web-application-activity; sid:944; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpadmin.htm access"; flow:to_server,established; uricontent:"/admisapi/fpadmin.htm"; nocase; classtype:web-application-activity; sid:945; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpadmcgi.exe access"; flow:to_server,established; uricontent:"/scripts/Fpadmcgi.exe"; nocase; classtype:web-application-activity; sid:946; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE orders.txt access"; flow:to_server,established; uricontent:"/_private/orders.txt"; nocase; classtype:web-application-activity; sid:947; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE form_results access"; flow:to_server,established; uricontent:"/_private/form_results.txt"; nocase; reference:cve,1999-1052; classtype:web-application-activity; sid:948; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE registrations.htm access"; flow:to_server,established; uricontent:"/_private/registrations.htm"; nocase; classtype:web-application-activity; sid:949; rev:6;)
++alert
tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE cfgwiz.exe access"; flow:to_server,established; uricontent:"/cfgwiz.exe"; nocase; classtype:web-application-activity; sid:950; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE authors.pwd access"; flow:to_server,established; uricontent:"/authors.pwd"; nocase; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:951; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE author.exe access"; flow:to_server,established; uricontent:"/_vti_bin/_vti_aut/author.exe"; nocase; classtype:web-application-activity; sid:952; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE administrators.pwd access"; flow:to_server,established; uricontent:"/administrators.pwd"; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:953; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE form_results.htm access"; flow:to_server,established; uricontent:"/_private/form_results.htm"; nocase; reference:cve,1999-1052; classtype:web-application-activity; sid:954; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE access.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/access.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:955; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE register.txt access"; flow:to_server,established; uricontent:"/_private/register.txt"; nocase; classtype:web-application-activity; sid:956; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE registrations.txt access"; flow:to_server,established; uricontent:"/_private/registrations.txt"; nocase; classtype:web-application-activity; sid:957; rev:6;)
++alert tcp
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/service.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:958; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.pwd"; flow:to_server,established; uricontent:"/service.pwd"; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:959; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.stp access"; flow:to_server,established; uricontent:"/_vti_pvt/service.stp"; nocase; classtype:web-application-activity; sid:960; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE services.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/services.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:961; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE shtml.exe access"; flow:to_server,established; uricontent:"/_vti_bin/shtml.exe"; nocase; reference:bugtraq,1174; reference:bugtraq,1608; reference:bugtraq,5804; reference:cve,2000-0413; reference:cve,2000-0709; reference:cve,2002-0692; reference:nessus,10405; reference:nessus,11311; classtype:web-application-activity; sid:962; rev:13;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE svcacl.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/svcacl.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:963; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE users.pwd access"; flow:to_server,established; uricontent:"/users.pwd"; nocase; classtype:web-application-activity; sid:964; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE writeto.cnf access";
flow:to_server,established; uricontent:"/_vti_pvt/writeto.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:965; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE .... request"; flow:to_server,established; uricontent:"..../"; nocase; reference:arachnids,248; reference:bugtraq,989; reference:cve,1999-0386; reference:cve,2000-0153; reference:nessus,10142; classtype:web-application-attack; sid:966; rev:11;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE dvwssr.dll access"; flow:to_server,established; uricontent:"/dvwssr.dll"; nocase; reference:arachnids,271; reference:bugtraq,1108; reference:bugtraq,1109; reference:cve,2000-0260; reference:url,www.microsoft.com/technet/security/bulletin/ms00-025.mspx; classtype:web-application-activity; sid:967; rev:11;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE register.htm access"; flow:to_server,established; uricontent:"/_private/register.htm"; nocase; classtype:web-application-activity; sid:968; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE /_vti_bin/ access"; flow:to_server,established; uricontent:"/_vti_bin/"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1288; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE _vti_inf.html access"; flow:to_server,established; uricontent:"/_vti_inf.html"; nocase; reference:nessus,11455; classtype:web-application-activity; sid:990; rev:9;)
++
+--- /dev/null
++++ b/rules/community-exploit.rules
+@@ -0,0 +1,11 @@
++# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# These rules are licensed under the GNU General Public License.
++# Please see the file LICENSE in this directory for more details.
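Review bot: sid:939 (`WEB-FRONTPAGE posting`) uses a bare `content:"POST"` with no `depth`, so it matches the string anywhere in the payload rather than checking the request method; `content:"POST"; depth:4;` pins it to the start of the request (on a Snort 2.9 sensor the `http_method` modifier is the cleaner form, but that relies on the HTTP preprocessor being enabled, which this file cannot assume). Separately, sid:1288's `uricontent:"/_vti_bin/"` is a prefix of the URIs matched by sid:940, 952 and 962, so each of those requests raises two alerts; a `threshold` on sid:1288 or a narrower pattern would remove the duplication. The credential-file rules (sid:951, 953, 959, 964 on `*.pwd`) are classed `web-application-activity` like the harmless `.htm` probes, which makes them easy to tune out together; if the ruleset's classtype scheme allows, a reconnaissance-oriented classtype would separate them.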
++# $Id: community-exploit.rules,v 1.17 2006/08/18 19:38:06 akirk Exp $
++
++alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Flowbit"; flow:to_server,established; pcre:"/.{1050,}/U"; flowbits:set,community_uri.size.1050; flowbits:noalert; reference:cve,2004-0629; reference: bugtraq,10947; classtype:attempted-user; sid: 100000100; rev:2;)
++#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Exploit"; flow:to_client,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s*application\x2f(pdf|vnd\x2efdf|vnd\x2eadobe\x2exfdf|vnd\x2eadobe\x2exdp+xml|vnd\x2e\ adobe\x2exfd+xml)/smi"; flowbits:isset,community_uri.size.1050; reference:cve,2004-0629; reference:bugtraq,10947; classtype:attempted-user; sid:100000101; rev:2;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 5093 (msg:"COMMUNITY EXPLOIT Sentinel LM exploit"; dsize:2048; reference:bugtraq,12742; reference:cve,2005-0353; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=14605; reference:nessus,17326; classtype:attempted-dos; sid:100000165; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"COMMUNITY EXPLOIT HPUX LPD overflow attempt"; flow:to_server,established; content:"|24 7B 49 46 53 7D|"; reference:cve,2005-3277; reference:bugtraq,15136; classtype:attempted-dos; sid:100000176; rev:1;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"COMMUNITY EXPLOIT SIP UDP spoof attempt"; content:"|3B|branch|3D 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0A|"; nocase; reference:bugtraq,14174; reference:cve,2005-2182; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17838; classtype:attempted-dos; sid:100000180; rev:1;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 65535 (msg:"COMMUNITY EXPLOIT LANDesk Management Suite Alerting Service buffer overflow"; dsize:>268; reference: bugtraq,23483; reference: cve,2007-1674; classtype: attempted-admin; sid:100000928;
rev:1;)
+--- /dev/null
++++ b/rules/community-smtp.rules
+@@ -0,0 +1,14 @@
++# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# These rules are licensed under the GNU General Public License.
++# Please see the file LICENSE in this directory for more details.
++# $Id: community-smtp.rules,v 1.9 2006/07/14 13:36:01 akirk Exp $
++
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP Hydra Activity Detected"; flow:to_server,established; content:"hydra"; nocase; pcre:"/^(EH|HE)LO\s+hydra\x0D\x0A/smi"; reference:url,www.thc.org/releases.php; classtype:misc-attack; sid:100000167; rev:1;)
++#Rule submitted by rmkml
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP Gnu Mailman utf8 attachement access"; flow:to_server,established; content:"Content-Disposition|3A 20|attachement"; nocase; content:"filename|2A 3D|utf|2D|8"; nocase; content:"Content-Transfer-Encoding|3A 20|base64"; nocase; reference:bugtraq,15408; reference:cve,2005-3573; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20819; classtype:attempted-dos; sid:100000191; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP MIME-Type ms-tnef access"; flow:to_server,established; content:"Content-Type|3A|"; nocase; content:"application/ms-tnef"; nocase; reference:bugtraq,16197; reference:cve,2006-0002; reference:url,www.microsoft.com/technet/security/bulletin/MS06-003.mspx; classtype:attempted-admin; sid:100000219; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP Mozilla filename overflow attempt"; flow:to_server,established; content:"filename|3D 22|"; nocase; pcre:"/^\s*filename\=\"[^\n]{100,}\.(exe|lnk)/smi"; reference:bugtraq,16271; classtype:attempted-admin; sid:100000224; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP Incoming WAB attachment"; flow:to_server, established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename=\s*.*\x2ewab/smi"; reference:cve,2006-0014;
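Review bot: The pcre in the commented-out sid:100000101 can never match two of the MIME types it names: `+` is a quantifier, so `xdp+xml` matches `xdpxml` or `xdppxml` but not the literal `xdp+xml`, and the `\ ` before `adobe` in the last alternative (whether an escaped space or a line-continuation artifact) inserts a literal space into `vnd.adobe.xfd+xml`; the literals need `\x2b`, i.e. `vnd\x2eadobe\x2exdp\x2bxml|vnd\x2eadobe\x2exfd\x2bxml`. The rule ships disabled, but anyone who uncomments it gets a silent miss on exactly the XDP/XFD cases, so it is worth fixing before it is copied. The Sentinel LM rule (sid:100000165) fires only on `dsize:2048`, so a 2047- or 2049-byte datagram is not reported; if the trigger condition is "larger than the receive buffer", the `dsize:>N` form used by the LANDesk rule in the same hunk is the more robust test.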
reference:url,www.microsoft.com/technet/security/bulletin/MS06-016.mspx; classtype:suspicious-filename-detect; sid:100000279; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"COMMUNITY SMTP McAfee WebShield SMTP bounce message format string attempt"; flow:to_server,established; content:"RCPT"; nocase; pcre:"/^RCPT\s+TO\x3a\s+[^\r\n]*\x25/smi"; reference:bugtraq,16742; reference:cve,2006-0559; classtype:attempted-admin; sid:100000301; rev:1;)
++# Enable only if SMTP_SERVERS is not any
++# alert tcp !$SMTP_SERVERS any -> any 25 (msg:"COMMUNITY SMTP Mytob MAIL FROM Attempt"; flow:established,to_server; content:"MAIL FROM|3A|"; nocase; pcre:"/MAIL\s+FROM\s*\x3A\s*\x3C?(spm|fcnz|www|secur|abuse)@/i"; reference:url,www.symantec.com/avcenter/venc/data/w32.mytob@mm.html; classtype:misc-attack; sid:100000689; rev:1;)
+--- /dev/null
++++ b/rules/VRT-License.txt
+@@ -0,0 +1,326 @@
++ SOURCEFIRE, INC.
++ VRT CERTIFIED RULES LICENSE AGREEMENT
++ VERSION 1.1
++
++THE VRT CERTIFIED RULES ARE LICENSED TO YOU BY SOURCEFIRE, INC.
++("SOURCEFIRE") UNDER THE TERMS OF THIS VRT CERTIFIED RULES LICENSE
++AGREEMENT (THE "AGREEMENT"). BY CLICKING THE "ACCEPT" BUTTON BELOW, OR
++BY INSTALLING OR USING THE VRT CERTIFIED RULES, YOU ARE CONSENTING TO BE
++BOUND BY THIS AGREEMENT. IF YOU DO NOT AGREE TO THE TERMS AND
++CONDITIONS OF THIS AGREEMENT, DO NOT CLICK THE "ACCEPT" BUTTON, AND DO
++NOT INSTALL OR USE ANY PART OF THE VRT CERTIFIED RULES.
++
++1. Definitions.
++
++ 1.1. "Commercial Purpose" means the use, reproduction or distribution of
++ (i) the VRT Certified Rules or any Modification, or any portion of the
++ foregoing, or (ii) a Compilation that includes, in whole or in part, the
++ VRT Certified Rules or any Modification that in either case is intended
++ to result in a direct or indirect pecuniary gain or any other
++ consideration or economic benefit to any person or entity involved in
++ such use, reproduction or distribution.
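Review bot: sid:100000301's pcre `/^RCPT\s+TO\x3a\s+[^\r\n]*\x25/smi` demands at least one whitespace character after `TO:`, but the canonical SMTP form is `RCPT TO:<path>` with no space, so a format-string attempt written in the usual syntax is missed; `\s*` is the intended quantifier. The Mailman rule (sid:100000191) matches `Content-Disposition: attachement` — with that spelling a standard `attachment` header never triggers it; if the misspelling is deliberate (taken from a specific proof-of-concept) it deserves a comment saying so, otherwise it is a typo. The same hunk also targets `$HOME_NET 25` in sid:100000301 while every other rule uses `$SMTP_SERVERS 25`, which the closing comment about `SMTP_SERVERS` suggests is the intended variable; aligning it keeps the file consistent.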
Examples of a Commercial
++ Purpose, include without limitation, (v) integrating the VRT Certified
++ Rules with other software or hardware for sale, (w) licensing the VRT
++ Certified Rules for a fee, (x) using the VRT Certified Rules to provide
++ a service to a third party, (y) selling the VRT Certified Rules, or (z)
++ distributing the VRT Certified Rules for use with other products or
++ other services.
++
++ 1.2. "Compilation" means a work which combines the VRT Certified Rules
++ or any Modification or portions thereof with any services, programs,
++ code or other products not governed by the terms of this Agreement.
++
++ 1.3. "Improvements" shall mean a Modification to a VRT Certified Rule
++ (or to a modified VRT Certified Rule) that corrects a bug, defect, or
++ error in such rule without affecting the overall functionality of such
++ VRT Certified Rule (or Modification thereof).
++
++ 1.4. "Modifications" means any alteration, addition to or deletion from
++ the substance or structure of the VRT Certified Rules or any
++ Modifications of such, including, without limitation,
++
++ (a) any addition to or deletion from the contents of a file
++ containing a VRT Certified Rule or a Modification;
++ (b) any derivative of the VRT Certified Rule or of any Modification;
++ or
++ (c) any new file that contains any part of the VRT Certified Rule or
++ Modifications.
++
++ 1.5. "Permitted Use" shall have the meaning given such term in Section 2.1.
++
++ 1.6. "Restricted Activities" shall have the meaning given such term in
++ Section 2.1.
++
++ 1.7. "Snort(r) Registered User" shall mean an individual who has
++ registered or subscribed on www.snort.org to use the VRT Certified Rules.
++
++ 1.8. "VRT Certified Rules" means those Snort(r) rules (in text form,
++ source code form, object code form and all documentation related
++ thereto) that have been created, developed, tested and officially
++ approved by Sourcefire.
These rules are designated with SIDs of 3465 -
++ 1,000,000, except as otherwise noted in the license file.
++
++ 1.9. "You" (or "your") means an individual exercising rights under this
++ Agreement. For legal entities, "you'' includes any entity which
++ controls, is controlled by, or is under common control with you or any
++ such entity you are acting on behalf of. For purposes of this
++ definition, "control'' means (a) the power, direct or indirect, to cause
++ the direction or management of such entity, whether by contract or
++ otherwise, or (b) ownership of more than forty percent (40%) of the
++ outstanding shares or beneficial ownership of such entity.
++
++2. Sourcefire License Grant.
++
++ 2.1. Grant of License; Permitted Use. Subject to the terms and
++ conditions of this Agreement, Sourcefire hereby grants you a world-wide,
++ non-exclusive license to do any of the following with respect to the VRT
++ Certified Rules:
++
++ (a) use and deploy the VRT Certified Rules on management consoles and
++ sensors that you manage (over which you have administrative control);
++
++ (b) use and deploy the VRT Certified Rules on behalf of your employer
++ on its internal management consoles and sensors (e.g., where a valid
++ employer-employee relationship exists between you and a legal entity);
++
++ (c) modify the VRT Certified Rules and use those Modifications
++ consistent with paragraphs (a) and (b) above;
++
++ (d) distribute those VRT Certified Rules and any Modifications
++ generally available to Snort(r) Registered Users on a limited basis
++ to other Snort(r) Registered Users;
++
++ (e) distribute any Improvement generally available to Snort(r)
++ Registered Users on mailing lists commonly used by the Snort(r) user
++ community as a whole;
++
++ (f) reproduce the VRT Certified Rules as strictly necessary in
++ exercising your rights under this Section 2.1; and
++
++ (g) Make the VRT Certified Rules (or any Modification) available to
++ your or your
employer's consultants, agents and subcontractors for
++ the limited purpose of exercising your rights under this Section 2.1
++ provided that such use is in compliance with this Agreement.
++
++ Paragraphs (a) though (g) of this Section 2.1 are collectively referred
++ to as the "Permitted Uses". All rights not granted under this Agreement
++ are reserved by Sourcefire.
++
++ 2.2. Limitations on License; Restricted Activities. You recognize and
++ agree that the VRT Certified Rules are the property of Sourcefire,
++ contain valuable assets and proprietary information and property of
++ Sourcefire, and are provided to you under the terms and conditions of
++ this Agreement. Notwithstanding anything to the contrary in this
++ Agreement, You agree that you shall NOT do any of the following without
++ Sourcefire's prior written consent:
++
++ (a) use, deploy, perform, modify, license, display, reproduce or
++ distribute the VRT Certified Rules or Modifications (even if merged
++ with other materials as a Compilation) other than as allowed under a
++ Permitted Use;
++
++ (b) sell, license, transfer, rent, loan, use, modify, reproduce or
++ disclose the VRT Certified Rules or any Modifications (in whole or in
++ part and whether done independently or as part of a Compilation) for
++ a Commercial Purpose;
++
++ (c) post or make generally available any VRT Certified Rule (in whole
++ or in part or any Modifications thereto) to individuals or a group of
++ individuals who have not agreed to the terms and conditions of this
++ Agreement, provided, however, that nothing in this Section 2.2(c)
++ shall preclude the Permitted Use in Section 2.1(e);
++
++ (d) share any user authentication information and/or password
++ provided to you by Sourcefire with any third party to allow such
++ party access your snort.org account or to otherwise access the VRT
++ Certified Rules;
++
++ (e) alter or remove any copyright notice or proprietary legend
++ contained in or on the VRT Certified
Rules.
++
++ Paragraphs (a) though (e) of this Section 2.2 are collectively referred
++ to as the "Restricted Activities").
++
++ 2.3. Reproduction Obligations. You agree that any embodiment of the VRT
++ Certified Rules permitted under this Agreement will contain the notices
++ set forth in Exhibit A. In addition, to the extent you make any copies
++ of or distribute the VRT Certified Rules or any Modifications under this
++ Agreement, you agree to ensure that any and all such copies shall contain:
++
++ (a) a copy of an appropriate copyright notice and all other
++ applicable proprietary legends;
++
++ (b) a disclaimer of any warranty consistent with this Agreement; and
++
++ (c) any and all notices referencing this Agreement and absence of warranties.
++
++3. Modifications; Derivative Works. In the event you create a
++Modification, the use, reproduction and distribution of such
++Modifications shall be governed by the terms and conditions of this
++Agreement. Additionally, you hereby grant Sourcefire and any other
++licensee of the VRT Certified Rules an irrevocable, perpetual, fully
++paid-up, world-wide, royalty-free, non-exclusive license to use,
++reproduce, modify, display, perform and distribute such Modifications
++(and the source code thereto), provided, however, that you and any
++recipient of such Modifications must include:
++
++ (a) the original copyright notice and all other applicable
++ proprietary legends;
++
++ (b) the original warranty disclaimer;
++
++ (c) the original notices referencing this Agreement and absence of
++ warranties; and
++
++ (d) a prominent notice stating that you changed the VRT Certified
++ Rule (or any Modification thereto) and the date of any change.
++
++4. Distribution Obligations.
++
++ 4.1. General.
The source code version of the VRT Certified Rules (or
++ any Modification thereof) may be distributed only under the terms of
++ this Agreement, and you must include a copy of this Agreement with every
++ copy of the VRT Certified Rules you distribute.
++
++ 4.2. Required Notices. You must duplicate the notice in Exhibit A in
++ each file of the source code. If it is not possible to put such notice
++ in a particular source code file due to its structure, then you must
++ include such notice in a location (such as a relevant directory) where a
++ user would be likely to look for such a notice. If you created one or
++ more Modification(s) you may add your name as a contributor to the
++ notice described in Exhibit A. You must also duplicate this Agreement in
++ any documentation for the source code where you describe recipients'
++ rights or ownership rights relating to the VRT Certified Rules. To the
++ extent you offer additional warranty, support, indemnity or liability
++ obligations, you may do so only on your own behalf, and not on behalf of
++ Sourcefire. You must make it absolutely clear that any such warranty,
++ support, indemnity or liability obligation is offered by you alone, and
++ you hereby agree to indemnify and hold Sourcefire harmless for any
++ liability incurred by Sourcefire as a result of any warranty, support,
++ indemnity or liability terms you offer.
++
++5. Inability to Comply Due to Statute or Regulation. If it is
++impossible for you to comply with any of the terms of this Agreement
++with respect to some or all of the VRT Certified Rules due to statute,
++judicial order, or regulation then you must: (a) comply with the terms
++of this Agreement to the maximum extent possible; and (b) describe the
++limitations and the code they affect. Such description must be included
++with all distributions of the source code.
Except to the extent
++prohibited by statute or regulation, such description must be
++sufficiently detailed for a recipient of ordinary skill to be able to
++understand it.
++
++6. Application of this Agreement. This Agreement also applies to code
++to which Sourcefire has attached the notice in Exhibit A and to related
++Modifications created under Section 3.
++
++7. Versions of the Agreement.
++
++ 7.1. New Versions. Sourcefire may publish revised and/or new versions
++ of the Agreement from time to time. Each version will be given a
++ distinguishing version number.
++
++ 7.2. Effect of New Versions. Once a VRT Certified Rule has been
++ published under a particular version of the Agreement, you may always
++ continue to use it under the terms of that version. You may also choose
++ to use such VRT Certified Rule under the terms of any subsequent version
++ of the Agreement published by Sourcefire. No one other than Sourcefire
++ has the right to modify the terms applicable to a VRT Certified Rule.
++
++8. DISCLAIMER OF WARRANTY. THE VRT CERTIFIED RULES AND MODIFICATIONS IS
++ARE PROVIDED UNDER THIS AGREEMENT ON AN "AS IS" BASIS, WITHOUT WARRANTY
++OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION,
++WARRANTIES THAT THE VRT CERTIFIED RULES OR THE MODIFICATIONS ARE FREE OF
++DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR NON-INFRINGING.
++THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE VRT CERTIFIED
++RULES AND MODIFICATIONS IS WITH YOU. SHOULD THE VRT CERTIFIED RULES OR
++MODIFICATIONS PROVE DEFECTIVE IN ANY RESPECT, YOU (NOT SOURCEFIRE)
++ASSUME THE COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS
++DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS AGREEMENT.
++NO USE OF ANY VRT CERTIFIED RULE OR ANY MODIFICATION IS AUTHORIZED
++HEREUNDER EXCEPT UNDER THIS DISCLAIMER.
++
++9. Termination.
This Agreement and the rights granted hereunder will
++terminate automatically if you fail to comply with any or all of the
++terms herein and fail to cure such breach within 30 days of becoming
++aware of the breach. All sublicenses to the VRT Certified Rules, which
++are properly granted, shall survive any termination of this Agreement.
++Provisions which, by their nature, must remain in effect beyond the
++termination of this Agreement shall survive.
++
++10. LIMITATION OF LIABILITY. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL
++THEORY, WHETHER TORT (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE,
++SHALL YOU OR SOURCEFIRE BE LIABLE TO ANY PERSON FOR ANY INDIRECT,
++SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER
++INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK
++STOPPAGE, SECURITY BREACHES OR FAILURES, COMPUTER FAILURE OR
++MALFUNCTION, OR ANY AND ALL OTHER DAMAGES OR LOSSES, EVEN IF SUCH PARTY
++SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. THIS
++LIMITATION OF LIABILITY SHALL NOT APPLY TO THE EXTENT APPLICABLE LAW
++PROHIBITS SUCH LIMITATIONS. SOME JURISDICTIONS DO NOT ALLOW THE
++EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS
++EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU.
++
++11. Audit Rights. You will, from time to time and as requested by
++Sourcefire, provide assurances to Sourcefire that you are using the VRT
++Certified Rules consistent with a Permitted Use, and you grant
++Sourcefire access, at reasonable times and in a reasonable manner, to
++the VRT Certified Rules in your possession or control, and to your
++books, records and facilities to permit Sourcefire to verify appropriate
++use of the VRT Certified Rules and compliance with this Agreement.
++Sourcefire's non-exercise of this right, or its failure to discover or
++object to any inappropriate use or other breach of this Agreement by
++you, shall not constitute its consent thereto or waiver of Sourcefire's
++rights hereunder or under law. In the event your use of the VRT
++Certified Rules is not in compliance with a Permitted Use, or if you
++otherwise violate the terms of this Agreement, Sourcefire may, since
++remedies at law may be inadequate, in addition to its other remedies:
++(a) demand return of the VRT Certified Rules; (b) forbid and enjoin your
++further use of the VRT Certified Rules; (c) assess you the cost of
++Sourcefire's inspection and enforcement efforts (including attorney
++fees); and/or (d) assess you a use fee appropriate to your actual use of
++the VRT Certified Rules.
++
++12. United States Government Users. If the VRT Certified Rules or
++Modifications are being acquired by or on behalf of the U.S. Government
++or by a U.S. Government prime contractor or subcontractor (at any tier),
++then the Government's rights in the VRT Certified Rules and
++Modifications shall be subject to Sourcefire's standard commercial terms
++and only as set forth in this Agreement; and only with "Limited Rights"
++and "Restricted Rights" as defined the federal regulations if the
++commercial terms are deemed not to apply..
++
++13. Miscellaneous. This Agreement represents the complete agreement
++concerning subject matter hereof. If any provision of this Agreement is
++held to be unenforceable, such provision shall be reformed only to the
++extent necessary to make it enforceable. This Agreement shall be
++governed by Maryland law provisions (except to the extent applicable
++law, if any, provides otherwise), excluding its conflict-of-law
++provisions.
Any litigation relating to this Agreement shall be subject
++to the jurisdiction of the state and Federal Courts serving Greenbelt,
++Maryland, with the losing party responsible for costs, including without
++limitation, court costs and reasonable attorneys' fees and expenses.
++You hereby submit to jurisdiction and venue in such courts. The
++application of the United Nations Convention on Contracts for the
++International Sale of Goods is expressly excluded. Any law or regulation
++which provides that the language of a contract shall be construed
++against the drafter shall not apply to this Agreement. Headings and
++section references are used for reference only and shall not be used
++define, limit or describe such section.
++
++EXHIBIT A - VRT Certified Rules License Agreement
++The contents of this file are subject to the VRT Certified Rules License
++Agreement 1.1 (the "Agreement"). You may not use this file except in
++compliance with the Agreement. You may obtain a copy of the Agreement
++at www.snort.org.
++Software distributed under the Agreement is distributed on an "AS IS"
++basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the
++Agreement for the specific language governing rights and limitations
++under the Agreement.
++The developer of the VRT Certified Rules is Sourcefire, Inc., a Delaware
++corporation.
++Contributor:
++2005(c) Sourcefire, Inc. All Rights Reserved. Snort(r), Sourcefire(tm),
++the Snort(r) logo and the Sourcefire logo are trademarks of Sourcefire.
++
++Note: A printer friendly version of this Agreement is available in PDF format.
+--- /dev/null
++++ b/rules/community-inappropriate.rules
+@@ -0,0 +1,8 @@
++# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# These rules are licensed under the GNU General Public License.
++# Please see the file LICENSE in this directory for more details.
++# $Id: community-inappropriate.rules,v 1.8 2005/04/01 17:16:23 akirk Exp $
++
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY INAPPROPRIATE lolita sex"; content:"lolita"; nocase; content:"sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:100000105; rev:1;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY INAPPROPRIATE preteen sex"; content:"teen"; nocase; pcre:"/pre-?teen/i"; flow:to_client,established; classtype:kickass-porn; sid:100000123; rev:1;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY INAPPROPRIATE girls gone wild"; content:"girls"; nocase; content:"gone"; nocase; content:"wild"; nocase; flow:to_client,established; classtype:kickass-porn; sid:100000124; rev:1;)
+--- /dev/null
++++ b/rules/misc.rules
+@@ -0,0 +1,119 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
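Review bot: The three rules added to community-inappropriate.rules match short plain-word contents (`lolita`, `sex`, `teen`, `girls`, `gone`, `wild`) against the raw server-to-client stream with no buffer modifier, so they are likely evaluated on nearly every HTTP response and will not see bodies that http_inspect has decompressed (2.9.x exposes those through `file_data`). They are content-policy rules rather than intrusion detections, which the header does not say. It would be worth stating that in the header comment and leaving them commented out in the packaged default configuration, e.g. `# Content-policy rules, high false-positive rate; disabled by default`.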
++#
++#
++# $Id: misc.rules,v 1.53.2.7.2.4 2005/07/22 19:19:54 mwatchinski Exp $
++#-----------
++# MISC RULES
++#-----------
++
++alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssr"; ipopts:lsrr; reference:arachnids,418; reference:bugtraq,646; reference:cve,1999-0909; reference:url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx; classtype:bad-unknown; sid:500; rev:5;)
++alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssre"; ipopts:lsrre; reference:arachnids,420; reference:bugtraq,646; reference:cve,1999-0909; reference:url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx; classtype:bad-unknown; sid:501; rev:5;)
++alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route ssrr"; ipopts:ssrr ; reference:arachnids,422; classtype:bad-unknown; sid:502; rev:2;)
++alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"MISC Source Port 20 to <1024"; flow:stateless; flags:S,12; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:7;)
++alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; flow:stateless; flags:S,12; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 1417 (msg:"MISC Insecure TIMBUKTU Password"; flow:to_server,established; content:"|05 00|>"; depth:16; reference:arachnids,229; classtype:bad-unknown; sid:505; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"MISC PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:507; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 70 (msg:"MISC gopher proxy"; flow:to_server,established; content:"ftp|3A|"; nocase; content:"@/"; reference:arachnids,409; classtype:bad-unknown; sid:508; rev:7;)
++alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"MISC PCAnywhere Failed Login"; flow:from_server,established; content:"Invalid login"; depth:16; reference:arachnids,240;
classtype:unsuccessful-user; sid:512; rev:4;)
++alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"MISC ramen worm"; flow:to_server,established; content:"GET "; depth:8; nocase; reference:arachnids,461; classtype:bad-unknown; sid:514; rev:5;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"MISC SNMP NT UserList"; content:"+|06 10|@|14 D1 02 19|"; reference:nessus,10546; classtype:attempted-recon; sid:516; rev:5;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"MISC xdmcp query"; content:"|00 01 00 03 00 01 00|"; reference:arachnids,476; classtype:attempted-recon; sid:517; rev:1;)
++
++# once we get response, check for content:"|00 01 00|"; offset:0; depth:3;
++alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"MISC xdmcp info query"; content:"|00 01 00 02 00 01 00|"; reference:nessus,10891; classtype:attempted-recon; sid:1867; rev:1;)
++# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large UDP Packet"; dsize:>4000; reference:arachnids,247; classtype:bad-unknown; sid:521; rev:2;)
++# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Tiny Fragments"; dsize:< 25; fragbits:M; classtype:bad-unknown; sid:522; rev:3;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:1384; rev:8;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP Location overflow"; content:"Location|3A|"; nocase; pcre:"/^Location\:[^\n]{128}/smi"; reference:bugtraq,3723; reference:cve,2001-0876; classtype:misc-attack; sid:1388; rev:12;)
++alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"MISC AIM AddGame attempt"; flow:to_client,established; content:"aim|3A|AddGame?"; nocase; reference:bugtraq,3769; reference:cve,2002-0005; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:1393; rev:12;)
++alert tcp
$AIM_SERVERS any -> $HOME_NET any (msg:"MISC AIM AddExternalApp attempt"; flow:to_client,established; content:"aim|3A|AddExternalApp?"; nocase; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:1752; rev:4;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"MISC AFS access"; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|"; reference:nessus,10441; classtype:misc-activity; sid:1504; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 (msg:"MISC Xtramail Username overflow attempt"; flow:to_server,established; dsize:>500; content:"Username|3A|"; nocase; isdataat:100,relative; pcre:"/^Username\:[^\n]{100}/smi"; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10323; classtype:attempted-admin; sid:1636; rev:10;)
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"MISC OpenSSL Worm traffic"; flow:to_server,established; content:"TERM=xterm"; nocase; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:web-application-attack; sid:1887; rev:3;)
++alert udp $EXTERNAL_NET 2002 -> $HTTP_SERVERS 2002 (msg:"MISC slapper worm admin traffic"; content:"|00 00|E|00 00|E|00 00|@|00|"; depth:10; reference:url,isc.incidents.org/analysis.html?id=167; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:trojan-activity; sid:1889; rev:5;)
++
++
++# once we get response, check for content:"|03|"; offset:0; depth:1;
++alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal server request RDP"; flow:to_server,established; content:"|03 00 00 0B 06 E0 00 00 00 00 00|"; depth:11; reference:bugtraq,3099; reference:cve,2001-0540; reference:url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx; classtype:protocol-command-decode; sid:1447; rev:12;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal server request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|E0 00 00 00 00 00|"; depth:6; offset:5;
reference:bugtraq,3099; reference:cve,2001-0540; reference:url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx; classtype:protocol-command-decode; sid:1448; rev:12;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal Server no encryption session initiation attempt"; flow:to_server,established; content:"|03 00 01|"; depth:3; content:"|00|"; depth:1; offset:288; reference:url,www.microsoft.com/technet/security/bulletin/MS01-052.mspx; classtype:attempted-dos; sid:2418; rev:4;)
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 2533 (msg:"MISC Alcatel PABX 4400 connection attempt"; flow:established,to_server; content:"|00 01|C"; depth:3; reference:nessus,11019; classtype:misc-activity; sid:1819; rev:5;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp hardware address length overflow"; content:"|01|"; depth:1; byte_test:1,>,6,2; reference:cve,1999-0798; classtype:misc-activity; sid:1939; rev:4;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp invalid hardware type"; content:"|01|"; depth:1; byte_test:1,>,7,1; reference:cve,1999-0798; classtype:misc-activity; sid:1940; rev:3;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp hostname format string attempt"; content:"|01|"; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; within:8; distance:1; content:"%"; within:8; distance:1; reference:bugtraq,4701; reference:cve,2002-0702; reference:nessus,11312; classtype:misc-attack; sid:2039; rev:6;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 27155 (msg:"MISC GlobalSunTech Access Point Information Disclosure attempt"; content:"gstsearch"; reference:bugtraq,6100; classtype:misc-activity; sid:1966; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"MISC xfs overflow attempt"; flow:to_server,established; dsize:>512; content:"B|00 02|"; depth:3; reference:bugtraq,6241; reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity; sid:1987; rev:7;)
++
++alert udp
$HOME_NET 49 -> $EXTERNAL_NET any (msg:"MISC xtacacs failed login response"; content:"|80 02|"; depth:2; content:"|02|"; distance:4; classtype:misc-activity; sid:2041; rev:2;)
++alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"MISC isakmp login failed"; content:"|10 05|"; depth:2; offset:17; content:"|00 00 00 01 01 00 00 18|"; within:8; distance:13; classtype:misc-activity; sid:2043; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd module list access"; flow:to_server,established; content:"|23|list"; depth:5; classtype:misc-activity; sid:2047; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd overflow attempt"; flow:to_server; byte_test:2,>,4000,0; content:"|00 00|"; depth:2; offset:2; reference:bugtraq,9153; reference:cve,2003-0962; reference:nessus,11943; classtype:misc-activity; sid:2048; rev:6;)
++
++
++# This rule needs some work since you don't have to pass BEGIN and END
++# anywhere near each other.
++#
++#! alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 ( \
++#! msg:"MISC CVS username overflow attempt"; flow:to_server,established; \
++#! content:"BEGIN AUTH REQUEST|0A|"; content:!"|0A|END AUTH REQUEST|0A|"; \
++#! within:255; classtype:misc-attack;)
++
++
++# normally Idon't like using 3a for :, but in this case...
I'd like to remove the false positives stemming from someone using anoncvs to checkout snort rules :)
++alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid user authentication response"; flow:from_server,established; content:"E Fatal error, aborting."; content:"|3A| no such user"; classtype:misc-attack; sid:2008; rev:4;)
++alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid repository response"; flow:from_server,established; content:"error "; content:"|3A| no such repository"; content:"I HATE YOU"; classtype:misc-attack; sid:2009; rev:2;)
++alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS double free exploit attempt response"; flow:from_server,established; content:"free|28 29 3A| warning|3A| chunk is already free"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2010; rev:4;)
++alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid directory response"; flow:from_server,established; content:"E protocol error|3A| invalid directory syntax in"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2011; rev:4;)
++alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS missing cvsroot response"; flow:from_server,established; content:"E protocol error|3A| Root request missing"; classtype:misc-attack; sid:2012; rev:2;)
++alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid module response"; flow:from_server,established; content:"cvs server|3A| cannot find module"; content:"error"; distance:1; classtype:misc-attack; sid:2013; rev:2;)
++alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS non-relative path error response"; flow:from_server,established; content:"E cvs server|3A| warning|3A| cannot make directory CVS in /"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2317; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"MISC CVS non-relative path access attempt"; flow:to_server,established;
content:"Argument"; pcre:"m?^Argument\s+/?smi"; pcre:"/^Directory/smiR"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2318; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"MISC CVS Max-dotdot integer overflow attempt"; flow:to_server,established; content:"Max-dotdot"; nocase; pcre:"/^Max-dotdot[\s\r\n]*\d{3,}/msi"; reference:bugtraq,10499; reference:cve,2004-0417; classtype:misc-attack; sid:2583; rev:2;)
++
++
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"MISC Microsoft PPTP Start Control Request buffer overflow attempt"; flow:to_server,established,no_stream; dsize:>156; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; reference:bugtraq,5807; reference:cve,2002-1214; reference:url,www.microsoft.com/technet/security/bulletin/MS02-063.mspx; classtype:attempted-admin; sid:2126; rev:8;)
++
++# this rule is specificly not looking for flow, since tcpdump handles lengths wrong
++alert tcp any any <> any 179 (msg:"MISC BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,<,19,0,relative; reference:bugtraq,6213; reference:cve,2002-1350; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2158; rev:8;)
++alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"MISC BGP invalid type 0"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; content:"|00|"; within:1; distance:2; reference:bugtraq,6213; reference:cve,2002-1350; classtype:bad-unknown; sid:2159; rev:11;)
++
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9;
reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2500; rev:5;)
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2516; rev:12;)
++
++
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2532; rev:6;)
++alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"POP3 SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2533; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2534; rev:6;)
++
++
++alert tcp
$EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin remote file upload attempt"; flow:to_server,established; content:"/plugins/hpjwja/script/devices_update_printer_fw_upload.hts"; nocase; content:"Content-Type|3A|"; nocase; content:"Multipart"; distance:0; nocase; reference:bugtraq,9978; classtype:web-application-activity; sid:2547; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin setinfo access"; flow:to_server,established; content:"/plugins/hpjdwm/script/test/setinfo.hts"; nocase; reference:bugtraq,9972; classtype:web-application-activity; sid:2548; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin file write attempt"; flow:to_server,established; content:"/plugins/framework/script/tree.xms"; nocase; content:"WriteToFile"; nocase; reference:bugtraq,9973; classtype:web-application-activity; sid:2549; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin ExecuteFile admin access"; flow:to_server,established; content:"/plugins/framework/script/content.hts"; nocase; content:"ExecuteFile"; nocase; reference:bugtraq,10224; classtype:attempted-admin; sid:2655; rev:1;)
++
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsync backup-dir directory traversal attempt"; flow:to_server,established; content:"--backup-dir"; pcre:"/--backup-dir\s+\x2e\x2e\x2f/"; reference:bugtraq,10247; reference:cve,2004-0426; reference:nessus,12230; classtype:string-detect; sid:2561; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (msg:"MISC distccd command execution attempt"; flow:to_server,established; content:"DIST00000001"; depth:12; nocase; reference:url,distcc.samba.org/security.html; classtype:misc-activity; sid:3061; rev:2;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 7787 (msg:"MISC Unreal Tournament secure overflow attempt"; content:"|5C|secure|5C|"; nocase; pcre:"/\x5csecure\x5c[^\x00]{50}/smi"; reference:bugtraq,10570; reference:cve,2004-0608;
classtype:misc-attack; sid:3080; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"MISC Arkeia client backup system info probe"; flow:established,to_server; content:"ARKADMIN_GET_"; nocase; pcre:"/^(CLIENT|MACHINE)_INFO/Ri"; reference:bugtraq,12594; classtype:attempted-recon; sid:3453; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"MISC Arkeia client backup generic info probe"; flow:established,to_server; content:"ARKFS|00|root|00|root"; nocase; reference:bugtraq,12594; classtype:attempted-recon; sid:3454; rev:1;)
+--- /dev/null
++++ b/rules/exploit.rules
+@@ -0,0 +1,121 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
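Review bot: In the misc.rules hunk, sid:2500, sid:2516 and sid:2532 gate on flowbits that nothing in this file sets — `sslv2.client_hello.request`, `tlsv1.client_hello.request`, `sslv2.server_hello.request` and `tlsv1.server_hello.request` — while only the two `sslv3.*` bits are set here (sid:2532 and sid:2533). Unless the rule file that sets the sslv2/tlsv1 bits is added by the same patch, every `isnotset` on them is trivially true, the three rules degrade to their bare content/byte_test matches, and Snort will presumably warn at load time that those keys are checked but never set. Either add the setter rules alongside or record the dependency in the file header, e.g. `# NOTE: sid:2500/2516/2532 rely on sslv2.*/tlsv1.* flowbits set in <SETTER-RULES-FILE>`.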
++#
++#
++# $Id: exploit.rules,v 1.63.2.7.2.7 2005/07/22 19:19:54 mwatchinski Exp $
++#--------------
++# EXPLOIT RULES
++#--------------
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:6;)
++# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow filler"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1325; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1327; rev:7;)
++alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT Netscape 4.7 client overflow"; flow:to_client,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; reference:arachnids,215; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:attempted-user; sid:283; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 (msg:"EXPLOIT nlps x86 Solaris overflow"; flow:to_server,established; content:"|EB 23|^3|C0 88|F|FA 89|F|F5 89|6"; reference:bugtraq,2319; classtype:attempted-admin; sid:300; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPRng overflow"; flow:to_server,established; content:"C|07 89|[|08 8D|K|08
89|C|0C B0 0B CD 80|1|C0 FE C0 CD 80 E8 94 FF FF FF|/bin/sh|0A|"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:301; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:302; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"EXPLOIT SCO calserver overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|"; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:304; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"EXPLOIT delegate proxy overflow"; flow:to_server,established; dsize:>1000; content:"whois|3A|//"; nocase; reference:arachnids,267; reference:bugtraq,808; reference:cve,2000-0165; classtype:attempted-admin; sid:305; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"EXPLOIT VQServer admin"; flow:to_server,established; content:"GET / HTTP/1.1"; nocase; reference:bugtraq,1610; reference:cve,2000-0766; reference:url,www.vqsoft.com/vq/server/docs/other/control.html; classtype:attempted-admin; sid:306; rev:9;)
++alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"EXPLOIT NextFTP client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user; sid:308; rev:8;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT sniffit overflow"; flow:stateless; dsize:>512; flags:A+; content:"from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; reference:arachnids,273; reference:bugtraq,1158; reference:cve,2000-0343; classtype:attempted-admin; sid:309; rev:10;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT x86 windows MailMax overflow"; flow:to_server,established; content:"|EB|E|EB| [|FC|3|C9 B1 82 8B F3 80|+"; reference:bugtraq,2312;
reference:cve,1999-0404; classtype:attempted-admin; sid:310; rev:8;)
++alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXPLOIT Netscape 4.7 unsucessful overflow"; flow:to_server,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; reference:arachnids,214; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:unsuccessful-user; sid:311; rev:11;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT ntpdx overflow attempt"; dsize:>128; reference:arachnids,492; reference:bugtraq,2540; reference:cve,2001-0414; classtype:attempted-admin; sid:312; rev:6;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 518 (msg:"EXPLOIT ntalkd x86 Linux overflow"; content:"|01 03 00 00 00 00 00 01 00 02 02 E8|"; reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:4;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:315; rev:6;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"|EB|V^VVV1|D2 88|V|0B 88|V|1E|"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:316; rev:6;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"|EB|@^1|C0|@|89|F|04 89 C3|@|89 06|"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:317; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 2224 (msg:"EXPLOIT MDBMS overflow"; flow:to_server,established; content:"|01|1|DB CD 80 E8|[|FF FF FF|"; reference:bugtraq,1252; reference:cve,2000-0446; classtype:attempted-admin; sid:1240; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"EXPLOIT AIX pdnsd overflow"; flow:to_server,established; dsize:>1000; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; reference:bugtraq,3237;
reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:1261; rev:11;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"EXPLOIT rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; reference:bugtraq,3474; reference:cve,2001-0838; classtype:misc-attack; sid:1323; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"EXPLOIT CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; reference:bugtraq,3517; reference:cve,2001-0803; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:1398; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"EXPLOIT cachefsd buffer overflow attempt"; flow:to_server,established; dsize:>720; content:"|00 01 87 86 00 00 00 01 00 00 00 05|"; reference:bugtraq,4631; reference:cve,2002-0084; reference:nessus,10951; classtype:misc-attack; sid:1751; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1894; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1895; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235;
reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1896; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1897; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1898; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1899; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT gobbles SSH exploit attempt"; flow:to_server,established; content:"GOBBLES"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:misc-attack; sid:1812; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPD dvips remote command execution attempt"; flow:to_server,established; content:"psfile=|22|`"; reference:bugtraq,3241; reference:cve,2001-1002; reference:nessus,11023; classtype:system-call-detect; sid:1821; rev:7;) ++ ++alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"EXPLOIT SSH server banner overflow"; flow:established,from_server; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s[^\n]{200}/ism"; reference:bugtraq,5287; reference:cve,2002-1059; classtype:misc-attack; sid:1838; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 (msg:"EXPLOIT 
CHAT IRC topic overflow"; flow:to_client,established; content:"|EB|K[S2|E4 83 C3 0B|K|88 23 B8|Pw"; reference:bugtraq,573; reference:cve,1999-0672; classtype:attempted-user; sid:307; rev:9;) ++alert tcp any any -> any 6666:7000 (msg:"EXPLOIT CHAT IRC Ettercap parse overflow attempt"; flow:to_server,established; content:"PRIVMSG"; nocase; content:"nickserv"; nocase; content:"IDENTIFY"; nocase; isdataat:100,relative; pcre:"/^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi"; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"EXPLOIT x86 Linux samba overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|"; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:292; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"EXPLOIT ebola PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s[^\n]{49}/smi"; reference:bugtraq,9156; classtype:attempted-admin; sid:2319; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"EXPLOIT ebola USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]{49}/smi"; reference:bugtraq,9156; classtype:attempted-admin; sid:2320; rev:1;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP first payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2376; rev:3;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP second payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2377; rev:3;) ++alert udp 
$EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP third payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2378; rev:3;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP forth payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2379; rev:3;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2380; rev:3;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP delete hash with empty hash attempt"; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2413; rev:9;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2414; rev:9;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:28; 
byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2415; rev:9;) ++alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_test:2,>,128,18,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2443; rev:4;) ++alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_jump:2,18,relative,little; byte_test:2,>,128,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2444; rev:4;) ++alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt"; content:"|05 00|"; depth:2; byte_test:2,>,128,0,relative,little; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_jump:2,18,relative,little; byte_jump:2,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2445; rev:4;) ++alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; content:"n|00|"; within:2; distance:5; content:"|05 00|"; 
content:"|DE 03|"; within:2; distance:5; byte_test:2,>,512,-11,relative,little; reference:cve,2004-0362; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2446; rev:6;) ++ ++alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2462; rev:7;) ++alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2463; rev:7;) ++alert ip any any -> any any (msg:"EXPLOIT EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2464; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT esignal STREAMQUOTE buffer overflow attempt"; flow:to_server,established; content:""; nocase; isdataat:1024,relative; content:!""; within:1054; nocase; reference:bugtraq,9978; classtype:attempted-admin; sid:2489; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT esignal SNAPQUOTE buffer overflow attempt"; flow:to_server,established; content:""; nocase; isdataat:1024,relative; content:!""; within:1052; nocase; reference:bugtraq,9978; classtype:attempted-admin; sid:2490; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"EXPLOIT AFP FPLoginExt username buffer overflow attempt"; flow:to_server,established; content:"|00 02|"; depth:2; content:"?"; within:1; distance:14; content:"cleartxt passwrd"; nocase; byte_jump:2,1,relative; byte_jump:2,1,relative; isdataat:2,relative; reference:bugtraq,10271; reference:cve,2004-0430; reference:url,www.atstake.com/research/advisories/2004/a050304-1.txt; 
classtype:attempted-admin; sid:2545; rev:4;) ++alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT winamp XM module name overflow"; flow:established,from_server; content:"Extended module|3A|"; nocase; isdataat:20,relative; content:!"|1A|"; within:21; reference:url,www.nextgenss.com/advisories/winampheap.txt; classtype:attempted-user; sid:2550; rev:2;) ++ ++alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache GET overflow attempt"; flow:to_server,established; content:"GET"; pcre:"/^GET[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2551; rev:4;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache HEAD overflow attempt"; flow:to_server,established; content:"HEAD"; pcre:"/^HEAD[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2552; rev:4;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache PUT overflow attempt"; flow:to_server,established; content:"PUT"; pcre:"/^PUT[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2553; rev:4;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache POST overflow attempt"; flow:to_server,established; content:"POST"; pcre:"/^POST[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2554; rev:4;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache TRACE overflow attempt"; flow:to_server,established; content:"TRACE"; pcre:"/^TRACE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2555; rev:4;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache DELETE overflow attempt"; flow:to_server,established; 
content:"DELETE"; pcre:"/^DELETE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2556; rev:4;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache LOCK overflow attempt"; flow:to_server,established; content:"LOCK"; pcre:"/^LOCK[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2557; rev:4;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache MKCOL overflow attempt"; flow:to_server,established; content:"MKCOL"; pcre:"/^MKCOL[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2558; rev:4;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache COPY overflow attempt"; flow:to_server,established; content:"COPY"; pcre:"/^COPY[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2559; rev:4;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache MOVE overflow attempt"; flow:to_server,established; content:"MOVE"; pcre:"/^MOVE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2560; rev:4;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow UDP"; content:"j"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2578; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow TCP"; flow:to_server,established; content:"j"; depth:1; offset:4; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; 
sid:2579; rev:2;) ++alert tcp $EXTERNAL_NET 6666:6669 -> $HOME_NET any (msg:"EXPLOIT eMule buffer overflow attempt"; flow:to_client,established; content:"PRIVMSG"; nocase; pcre:"/^PRIVMSG\s+[^\s]+\s+\x3a\s*\x01SENDLINK\x7c[^\x7c]{69}/smi"; reference:bugtraq,10039; reference:nessus,12233; classtype:attempted-user; sid:2584; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; reference:bugtraq,11763; reference:cve,2004-1080; reference:url,www.immunitysec.com/downloads/instantanea.pdf; reference:url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx; classtype:misc-attack; sid:3017; rev:6;) ++alert udp $EXTERNAL_NET 7808 -> $HOME_NET any (msg:"EXPLOIT Volition Freespace 2 buffer overflow attempt"; content:"|00 E1|..|B4 00 00 00|"; depth:8; isdataat:160,relative; reference:bugtraq,9785; classtype:misc-attack; sid:3006; rev:2;) ++alert tcp $EXTERNAL_NET 8080 -> $HOME_NET any (msg:"EXPLOIT AIM goaway message buffer overflow attempt"; flow:established,from_server; content:"goaway?message="; nocase; isdataat:500,relative; pcre:"/goaway\?message=[^\s]{500}/smi"; reference:bugtraq,10889; reference:cve,2004-0636; classtype:misc-attack; sid:3085; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 6101 (msg:"EXPLOIT Veritas backup overflow attempt"; flow:established,to_server; content:"|02 00|"; depth:2; content:"|00|"; depth:1; offset:3; isdataat:60; content:!"|00|"; depth:66; offset:6; reference:bugtraq,11974; reference:cve,2004-1172; classtype:misc-attack; sid:3084; rev:3;) ++alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"EXPLOIT MSN Messenger png overflow"; flow:to_client,established; content:"application/x-msnmsgrp2p"; nocase; content:"|89|PNG|0D 0A 1A 0A|"; distance:0; content:"IHDR"; within:4; 
distance:4; content:"|03|"; within:1; distance:9; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; reference:bugtraq,10872; reference:cve,2004-0957; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3130; rev:3;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS name query overflow attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:3200; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"EXPLOIT Arkeia backup client type 84 overflow attempt"; flow:established,to_server; content:"|00|T"; depth:2; byte_test:2,>,255,6; isdataat:263; content:!"|00|"; depth:255; offset:8; reference:bugtraq,12594; classtype:attempted-user; sid:3458; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 5001 (msg:"EXPLOIT Bontago Game Server Nickname Buffer Overflow"; flow:to_server,established; content:"|FF 01 00 00 00 00 01|"; isdataat:512,relative; reference:bugtraq,12603; reference:url,aluigi.altervista.org/adv/bontagobof-adv.txt; classtype:attempted-user; sid:3455; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:3199; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"EXPLOIT Arkeia backup client type 77 overflow attempt"; flow:established,to_server; content:"|00|M"; depth:2; byte_test:2,>,23,6; isdataat:31; content:!"|00|"; depth:23; offset:8; reference:bugtraq,12594; classtype:attempted-user; sid:3457; rev:2;) ++# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP slot info msg client 
domain overflow"; flow:to_server,established; content:"|98|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; reference:bugtraq,12563; classtype:attempted-admin; sid:3475; rev:2;) ++# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9c client domain overflow"; content:"|9C|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3485; rev:3;) ++# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9c client name overflow"; flow:to_server,established; content:"|9C|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3479; rev:2;) ++# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve discovery service overflow"; dsize:>966; reference:bugtraq,12491; reference:can,2005-0260; classtype:attempted-admin; sid:3472; rev:2;) ++# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9c client name overflow"; content:"|9C|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3484; rev:2;) ++# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9b client domain overflow"; flow:to_server,established; content:"|9B|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; reference:bugtraq,12563; classtype:attempted-admin; sid:3476; rev:2;) ++# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP slot info msg client domain overflow"; content:"|98|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3481; rev:3;) ++# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9b client domain overflow"; content:"|9B|"; depth:1; 
isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3483; rev:3;) ++# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9b client name overflow"; flow:to_server,established; content:"|9B|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3477; rev:2;) ++# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP slot info msg client name overflow"; content:"|98|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3480; rev:2;) ++# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP slot info msg client name overflow"; flow:to_server,established; content:"|98|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3474; rev:2;) ++# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9b client name overflow"; content:"|9B|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3482; rev:2;) ++# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9c client domain overflow"; flow:to_server,established; content:"|9C|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; reference:bugtraq,12563; classtype:attempted-admin; sid:3478; rev:2;) ++# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP msg 0x99 client domain overflow"; content:"|99|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3531; rev:2;) ++# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP msg 0x99 client name overflow"; content:"|99|"; depth:1; isdataat:17; 
content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3530; rev:2;)
+--- /dev/null
++++ b/rules/sid
+@@ -0,0 +1 @@
++3827
+--- /dev/null
++++ b/rules/dos.rules
+@@ -0,0 +1,45 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
++#
++#
++# $Id: dos.rules,v 1.39.2.4.2.3 2005/06/29 15:35:04 mwatchinski Exp $
++#----------
++# DOS RULES
++#----------
++
++alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:268; rev:4;)
++alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack"; fragbits:M; id:242; reference:bugtraq,124; reference:cve,1999-0015; reference:nessus,10279; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:attempted-dos; sid:270; rev:6;)
++# alert udp any 19 <> any 7 (msg:"DOS UDP echo+chargen bomb"; reference:cve,1999-0103; reference:cve,1999-0635; classtype:attempted-dos; sid:271; rev:5;)
++alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; reference:url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx; classtype:attempted-dos; sid:272; rev:10;)
++alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; classtype:attempted-dos; sid:273; rev:8;)
++alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS ath"; itype:8; content:"+++ath"; nocase; reference:arachnids,264; reference:cve,1999-1228; classtype:attempted-dos; sid:274; rev:5;)
++# alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"DOS NAPTHA"; flow:stateless; flags:S; id:413; seq:6060842; reference:bugtraq,2022; reference:cve,2000-1039; reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html; reference:url,www.cert.org/advisories/CA-2000-21.html; reference:url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx; classtype:attempted-dos; sid:275; rev:12;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Audio Server"; flow:to_server,established; content:"|FF F4 FF FD 06|"; reference:arachnids,411; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:276; 
rev:5;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; nocase; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:277; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"DOS Real Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; nocase; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:278; rev:5;)
++# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"DOS Bay/Nortel Nautica Marlin"; dsize:0; reference:bugtraq,1009; reference:cve,2000-0221; classtype:attempted-dos; sid:279; rev:4;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"DOS Ascend Route"; content:"NAMENAME"; depth:50; offset:25; reference:arachnids,262; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:281; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"DOS arkiea backup"; flow:to_server,established; dsize:>1445; reference:arachnids,261; reference:bugtraq,662; reference:cve,1999-0788; classtype:attempted-dos; sid:282; rev:8;)
++# alert tcp $EXTERNAL_NET any -> $HOME_NET 135:139 (msg:"DOS Winnuke attack"; flow:stateless; flags:U+; reference:bugtraq,2010; reference:cve,1999-0153; classtype:attempted-dos; sid:1257; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flow:to_server,established; dsize:>1023; reference:bugtraq,4006; reference:cve,2002-0224; reference:nessus,10939; classtype:attempted-dos; sid:1408; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 6004 (msg:"DOS iParty DOS attempt"; flow:to_server,established; content:"|FF FF FF FF FF FF|"; offset:0; reference:bugtraq,6844; reference:cve,1999-1566; classtype:misc-attack; sid:1605; rev:6;)
++# alert tcp $EXTERNAL_NET any -> $HOME_NET 6789:6790 (msg:"DOS DB2 dos attempt"; flow:to_server,established; dsize:1; reference:bugtraq,3010; reference:cve,2001-1143; 
reference:nessus,10871; classtype:denial-of-service; sid:1641; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"DOS Cisco attempt"; flow:to_server,established; dsize:1; content:"|13|"; classtype:web-application-attack; sid:1545; rev:8;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"DOS ISAKMP invalid identification payload attempt"; content:"|05|"; depth:1; offset:16; byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2486; rev:5;)
++alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"DOS BGP spoofed connection reset attempt"; flow:established; flags:RSF*; threshold:type both,track by_dst,count 10,seconds 10; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2523; rev:7;)
++
++alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"DOS squid WCCP I_SEE_YOU message overflow attempt"; content:"|00 00 00 08|"; depth:4; byte_test:4,>,32,16; reference:bugtraq,12275; reference:cve,2005-0095; classtype:attempted-user; sid:3089; rev:2;)
++# alert tcp $EXTERNAL_NET !721:731 -> $HOME_NET 515 (msg:"DOS WIN32 TCP print service denial of service attempt"; flow:to_server,established; dsize:>600; reference:bugtraq,1082; reference:cve,2000-0232; reference:url,www.microsoft.com/technet/security/bulletin/MS00-021.mspx; classtype:attempted-dos; sid:3442; rev:3;)
+--- /dev/null
++++ b/rules/LICENSE
+@@ -0,0 +1,340 @@
++ GNU GENERAL PUBLIC LICENSE
++ Version 2, June 1991
++
++ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
++ 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
++ Everyone is permitted to copy and distribute verbatim copies
++ of this license document, but changing it is not allowed.
++
++ Preamble
++
++ The licenses for most software are designed to take away your
++freedom to share and change it. 
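Review bot: rules/dos.rules is added as a new file but is a 2005 snapshot (its `$Id:` line is dated 2005/06/29, and the one-line `rules/sid` file added beside it holds `3827`, presumably the highest sid in the set) with nothing in the header saying so, so a site that enables it in a 2.9.2 build runs a six-year-old DoS rule set with no hint that a current rule set has to be fetched separately; I would add, after the `$Id:` line, `# Snapshot of the GPL community rules as of 2005-06-29; not maintained in this package - pull a current rule set before relying on this file.` The six rules shipped commented out (sids 271, 275, 279, 1257, 1641 and 3442) also give no reason for being off, so a packager could silently re-enable them; a one-line `# disabled by default: review before enabling` above each, or one sentence in the header, would settle that. The header further reserves the possibility of proprietary "VRT Certified Rules" governed by a "VRT Certified Rules License Agreement" that is not shipped, while the same patch adds `rules/LICENSE` as GPLv2, so the packager should confirm every rule in this file is a GPL Rule and drop or amend that paragraph. Finally, sid 1545 (`DOS Cisco attempt`) is the only rule here with no `reference:`, its `classtype:web-application-attack` disagrees with both its `DOS` msg and the `attempted-dos` classtype its neighbours use, and matching a lone `|13|` byte to port 80 is loose enough that it should at least carry a reference saying what it is meant to catch.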
By contrast, the GNU General Public ++License is intended to guarantee your freedom to share and change free ++software--to make sure the software is free for all its users. This ++General Public License applies to most of the Free Software ++Foundation's software and to any other program whose authors commit to ++using it. (Some other Free Software Foundation software is covered by ++the GNU Library General Public License instead.) You can apply it to ++your programs, too. ++ ++ When we speak of free software, we are referring to freedom, not ++price. Our General Public Licenses are designed to make sure that you ++have the freedom to distribute copies of free software (and charge for ++this service if you wish), that you receive source code or can get it ++if you want it, that you can change the software or use pieces of it ++in new free programs; and that you know you can do these things. ++ ++ To protect your rights, we need to make restrictions that forbid ++anyone to deny you these rights or to ask you to surrender the rights. ++These restrictions translate to certain responsibilities for you if you ++distribute copies of the software, or if you modify it. ++ ++ For example, if you distribute copies of such a program, whether ++gratis or for a fee, you must give the recipients all the rights that ++you have. You must make sure that they, too, receive or can get the ++source code. And you must show them these terms so they know their ++rights. ++ ++ We protect your rights with two steps: (1) copyright the software, and ++(2) offer you this license which gives you legal permission to copy, ++distribute and/or modify the software. ++ ++ Also, for each author's protection and ours, we want to make certain ++that everyone understands that there is no warranty for this free ++software. 
If the software is modified by someone else and passed on, we ++want its recipients to know that what they have is not the original, so ++that any problems introduced by others will not reflect on the original ++authors' reputations. ++ ++ Finally, any free program is threatened constantly by software ++patents. We wish to avoid the danger that redistributors of a free ++program will individually obtain patent licenses, in effect making the ++program proprietary. To prevent this, we have made it clear that any ++patent must be licensed for everyone's free use or not licensed at all. ++ ++ The precise terms and conditions for copying, distribution and ++modification follow. ++ ++ GNU GENERAL PUBLIC LICENSE ++ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION ++ ++ 0. This License applies to any program or other work which contains ++a notice placed by the copyright holder saying it may be distributed ++under the terms of this General Public License. The "Program", below, ++refers to any such program or work, and a "work based on the Program" ++means either the Program or any derivative work under copyright law: ++that is to say, a work containing the Program or a portion of it, ++either verbatim or with modifications and/or translated into another ++language. (Hereinafter, translation is included without limitation in ++the term "modification".) Each licensee is addressed as "you". ++ ++Activities other than copying, distribution and modification are not ++covered by this License; they are outside its scope. The act of ++running the Program is not restricted, and the output from the Program ++is covered only if its contents constitute a work based on the ++Program (independent of having been made by running the Program). ++Whether that is true depends on what the Program does. ++ ++ 1. 
You may copy and distribute verbatim copies of the Program's
++source code as you receive it, in any medium, provided that you
++conspicuously and appropriately publish on each copy an appropriate
++copyright notice and disclaimer of warranty; keep intact all the
++notices that refer to this License and to the absence of any warranty;
++and give any other recipients of the Program a copy of this License
++along with the Program.
++
++You may charge a fee for the physical act of transferring a copy, and
++you may at your option offer warranty protection in exchange for a fee.
++
++ 2. You may modify your copy or copies of the Program or any portion
++of it, thus forming a work based on the Program, and copy and
++distribute such modifications or work under the terms of Section 1
++above, provided that you also meet all of these conditions:
++
++ a) You must cause the modified files to carry prominent notices
++ stating that you changed the files and the date of any change.
++
++ b) You must cause any work that you distribute or publish, that in
++ whole or in part contains or is derived from the Program or any
++ part thereof, to be licensed as a whole at no charge to all third
++ parties under the terms of this License.
++
++ c) If the modified program normally reads commands interactively
++ when run, you must cause it, when started running for such
++ interactive use in the most ordinary way, to print or display an
++ announcement including an appropriate copyright notice and a
++ notice that there is no warranty (or else, saying that you provide
++ a warranty) and that users may redistribute the program under
++ these conditions, and telling the user how to view a copy of this
++ License. (Exception: if the Program itself is interactive but
++ does not normally print such an announcement, your work based on
++ the Program is not required to print an announcement.)
++
++These requirements apply to the modified work as a whole.
If
++identifiable sections of that work are not derived from the Program,
++and can be reasonably considered independent and separate works in
++themselves, then this License, and its terms, do not apply to those
++sections when you distribute them as separate works. But when you
++distribute the same sections as part of a whole which is a work based
++on the Program, the distribution of the whole must be on the terms of
++this License, whose permissions for other licensees extend to the
++entire whole, and thus to each and every part regardless of who wrote it.
++
++Thus, it is not the intent of this section to claim rights or contest
++your rights to work written entirely by you; rather, the intent is to
++exercise the right to control the distribution of derivative or
++collective works based on the Program.
++
++In addition, mere aggregation of another work not based on the Program
++with the Program (or with a work based on the Program) on a volume of
++a storage or distribution medium does not bring the other work under
++the scope of this License.
++
++ 3.
You may copy and distribute the Program (or a work based on it,
++under Section 2) in object code or executable form under the terms of
++Sections 1 and 2 above provided that you also do one of the following:
++
++ a) Accompany it with the complete corresponding machine-readable
++ source code, which must be distributed under the terms of Sections
++ 1 and 2 above on a medium customarily used for software interchange; or,
++
++ b) Accompany it with a written offer, valid for at least three
++ years, to give any third party, for a charge no more than your
++ cost of physically performing source distribution, a complete
++ machine-readable copy of the corresponding source code, to be
++ distributed under the terms of Sections 1 and 2 above on a medium
++ customarily used for software interchange; or,
++
++ c) Accompany it with the information you received as to the offer
++ to distribute corresponding source code. (This alternative is
++ allowed only for noncommercial distribution and only if you
++ received the program in object code or executable form with such
++ an offer, in accord with Subsection b above.)
++
++The source code for a work means the preferred form of the work for
++making modifications to it. For an executable work, complete source
++code means all the source code for all modules it contains, plus any
++associated interface definition files, plus the scripts used to
++control compilation and installation of the executable. However, as a
++special exception, the source code distributed need not include
++anything that is normally distributed (in either source or binary
++form) with the major components (compiler, kernel, and so on) of the
++operating system on which the executable runs, unless that component
++itself accompanies the executable.
++
++If distribution of executable or object code is made by offering
++access to copy from a designated place, then offering equivalent
++access to copy the source code from the same place counts as
++distribution of the source code, even though third parties are not
++compelled to copy the source along with the object code.
++
++ 4. You may not copy, modify, sublicense, or distribute the Program
++except as expressly provided under this License. Any attempt
++otherwise to copy, modify, sublicense or distribute the Program is
++void, and will automatically terminate your rights under this License.
++However, parties who have received copies, or rights, from you under
++this License will not have their licenses terminated so long as such
++parties remain in full compliance.
++
++ 5. You are not required to accept this License, since you have not
++signed it. However, nothing else grants you permission to modify or
++distribute the Program or its derivative works. These actions are
++prohibited by law if you do not accept this License. Therefore, by
++modifying or distributing the Program (or any work based on the
++Program), you indicate your acceptance of this License to do so, and
++all its terms and conditions for copying, distributing or modifying
++the Program or works based on it.
++
++ 6. Each time you redistribute the Program (or any work based on the
++Program), the recipient automatically receives a license from the
++original licensor to copy, distribute or modify the Program subject to
++these terms and conditions. You may not impose any further
++restrictions on the recipients' exercise of the rights granted herein.
++You are not responsible for enforcing compliance by third parties to
++this License.
++
++ 7.
If, as a consequence of a court judgment or allegation of patent
++infringement or for any other reason (not limited to patent issues),
++conditions are imposed on you (whether by court order, agreement or
++otherwise) that contradict the conditions of this License, they do not
++excuse you from the conditions of this License. If you cannot
++distribute so as to satisfy simultaneously your obligations under this
++License and any other pertinent obligations, then as a consequence you
++may not distribute the Program at all. For example, if a patent
++license would not permit royalty-free redistribution of the Program by
++all those who receive copies directly or indirectly through you, then
++the only way you could satisfy both it and this License would be to
++refrain entirely from distribution of the Program.
++
++If any portion of this section is held invalid or unenforceable under
++any particular circumstance, the balance of the section is intended to
++apply and the section as a whole is intended to apply in other
++circumstances.
++
++It is not the purpose of this section to induce you to infringe any
++patents or other property right claims or to contest validity of any
++such claims; this section has the sole purpose of protecting the
++integrity of the free software distribution system, which is
++implemented by public license practices. Many people have made
++generous contributions to the wide range of software distributed
++through that system in reliance on consistent application of that
++system; it is up to the author/donor to decide if he or she is willing
++to distribute software through any other system and a licensee cannot
++impose that choice.
++
++This section is intended to make thoroughly clear what is believed to
++be a consequence of the rest of this License.
++
++ 8.
If the distribution and/or use of the Program is restricted in
++certain countries either by patents or by copyrighted interfaces, the
++original copyright holder who places the Program under this License
++may add an explicit geographical distribution limitation excluding
++those countries, so that distribution is permitted only in or among
++countries not thus excluded. In such case, this License incorporates
++the limitation as if written in the body of this License.
++
++ 9. The Free Software Foundation may publish revised and/or new versions
++of the General Public License from time to time. Such new versions will
++be similar in spirit to the present version, but may differ in detail to
++address new problems or concerns.
++
++Each version is given a distinguishing version number. If the Program
++specifies a version number of this License which applies to it and "any
++later version", you have the option of following the terms and conditions
++either of that version or of any later version published by the Free
++Software Foundation. If the Program does not specify a version number of
++this License, you may choose any version ever published by the Free Software
++Foundation.
++
++ 10. If you wish to incorporate parts of the Program into other free
++programs whose distribution conditions are different, write to the author
++to ask for permission. For software which is copyrighted by the Free
++Software Foundation, write to the Free Software Foundation; we sometimes
++make exceptions for this. Our decision will be guided by the two goals
++of preserving the free status of all derivatives of our free software and
++of promoting the sharing and reuse of software generally.
++
++ NO WARRANTY
++
++ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
++FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
EXCEPT WHEN
++OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
++PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
++OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
++MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
++TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
++PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
++REPAIR OR CORRECTION.
++
++ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
++WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
++REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
++INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
++OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
++TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
++YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
++PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
++POSSIBILITY OF SUCH DAMAGES.
++
++ END OF TERMS AND CONDITIONS
++
++ How to Apply These Terms to Your New Programs
++
++ If you develop a new program, and you want it to be of the greatest
++possible use to the public, the best way to achieve this is to make it
++free software which everyone can redistribute and change under these terms.
++
++ To do so, attach the following notices to the program. It is safest
++to attach them to the start of each source file to most effectively
++convey the exclusion of warranty; and each file should have at least
++the "copyright" line and a pointer to where the full notice is found.
++
++
++ Copyright (C) 19yy
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 2 of the License, or
++ (at your option) any later version.
++
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++
++ You should have received a copy of the GNU General Public License
++ along with this program; if not, write to the Free Software
++ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
++
++
++Also add information on how to contact you by electronic and paper mail.
++
++If the program is interactive, make it output a short notice like this
++when it starts in an interactive mode:
++
++ Gnomovision version 69, Copyright (C) 19yy name of author
++ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
++ This is free software, and you are welcome to redistribute it
++ under certain conditions; type `show c' for details.
++
++The hypothetical commands `show w' and `show c' should show the appropriate
++parts of the General Public License. Of course, the commands you use may
++be called something other than `show w' and `show c'; they could even be
++mouse-clicks or menu items--whatever suits your program.
++
++You should also get your employer (if you work as a programmer) or your
++school, if any, to sign a "copyright disclaimer" for the program, if
++necessary. Here is a sample; alter the names:
++
++ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
++ `Gnomovision' (which makes passes at compilers) written by James Hacker.
++
++ , 1 April 1989
++ Ty Coon, President of Vice
++
++This General Public License does not permit incorporating your program into
++proprietary programs. If your program is a subroutine library, you may
++consider it more useful to permit linking proprietary applications with the
++library. If this is what you want to do, use the GNU Library General
++Public License instead of this License.
+--- /dev/null
++++ b/rules/smtp.rules
+@@ -0,0 +1,94 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
++#
++#
++# $Id: smtp.rules,v 1.44.2.4.2.6 2005/07/22 19:19:54 mwatchinski Exp $
++#-----------
++# SMTP RULES
++#-----------
++
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3A|"; nocase; isdataat:300,relative; pcre:"/^RCPT TO\x3a\s[^\n]{300}/ism"; reference:bugtraq,2283; reference:bugtraq,9696; reference:cve,2001-0260; classtype:attempted-admin; sid:654; rev:14;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP chameleon overflow"; flow:to_server,established; content:"HELP"; nocase; isdataat:500,relative; pcre:"/^HELP\s[^\n]{500}/ism"; reference:arachnids,266; reference:bugtraq,2387; reference:cve,1999-0261; classtype:attempted-admin; sid:657; rev:12;)
++alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; reference:arachnids,140; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:655; rev:8;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP exchange mime DOS"; flow:to_server,established; content:"charset = |22 22|"; nocase; reference:bugtraq,1869; reference:cve,2000-1006; reference:nessus,10558; reference:url,www.microsoft.com/technet/security/bulletin/MS00-082.mspx; classtype:attempted-dos; sid:658; rev:11;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn decode"; flow:to_server,established; content:"expn"; nocase; content:"decode"; nocase; pcre:"/^expn\s+decode/smi"; reference:arachnids,32; reference:cve,1999-0096; reference:nessus,10248; classtype:attempted-recon; sid:659; rev:9;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn root"; flow:to_server,established; content:"expn"; nocase; content:"root"; nocase; pcre:"/^expn\s+root/smi"; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; classtype:attempted-recon; sid:660; rev:10;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn 
*@"; flow:to_server,established; content:"expn"; nocase; content:"*@"; pcre:"/^expn\s+\*@/smi"; reference:cve,1999-1200; classtype:misc-attack; sid:1450; rev:5;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP majordomo ifs"; flow:to_server,established; content:"eply-to|3A| a~.`/bin/"; reference:arachnids,143; reference:bugtraq,2310; reference:cve,1999-0207; classtype:attempted-admin; sid:661; rev:9;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.5.5 exploit"; flow:to_server,established; content:"mail from|3A| |22 7C|"; nocase; reference:arachnids,119; reference:cve,1999-0203; reference:nessus,10258; classtype:attempted-admin; sid:662; rev:8;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to command attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; pcre:"/^rcpt\s+to\:\s*[|\x3b]/smi"; reference:arachnids,172; reference:bugtraq,1; reference:cve,1999-0095; classtype:attempted-admin; sid:663; rev:14;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO decode attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; content:"decode"; distance:0; nocase; pcre:"/^rcpt to\:\s*decode/smi"; reference:arachnids,121; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-admin; sid:664; rev:15;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.6.5 exploit"; flow:to_server,established; content:"MAIL FROM|3A| |7C|/usr/ucb/tail"; nocase; reference:arachnids,122; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-user; sid:665; rev:8;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|0D 0A|Mprog, P=/bin/"; reference:arachnids,123; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:667; rev:8;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.10 exploit"; flow:to_server,established; 
content:"Croot|09 09 09 09 09 09 09|Mprog,P=/bin"; reference:arachnids,124; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:668; rev:8;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|Croot|0A|Mprog"; reference:arachnids,142; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:669; rev:8;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|C|3A|daemon|0A|R"; reference:arachnids,139; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:670; rev:7;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9c exploit"; flow:to_server,established; content:"|0A|Croot|0D 0A|Mprog"; reference:arachnids,141; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:671; rev:8;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy decode"; flow:to_server,established; content:"vrfy"; nocase; content:"decode"; distance:1; nocase; pcre:"/^vrfy\s+decode/smi"; reference:arachnids,373; reference:bugtraq,10248; reference:cve,1999-0096; classtype:attempted-recon; sid:672; rev:9;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; classtype:attempted-recon; sid:1446; rev:6;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0A|quit|0A|"; reference:arachnids,372; classtype:protocol-command-decode; sid:631; rev:6;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn cybercop attempt"; flow:to_server,established; content:"expn cybercop"; reference:arachnids,371; classtype:protocol-command-decode; sid:632; rev:5;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 
(msg:"SMTP HELO overflow attempt"; flow:to_server,established; content:"HELO"; nocase; isdataat:500,relative; pcre:"/^HELO\s[^\n]{500}/smi"; reference:bugtraq,7726; reference:bugtraq,895; reference:cve,2000-0042; reference:nessus,10324; reference:nessus,11674; classtype:attempted-admin; sid:1549; rev:17;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ETRN overflow attempt"; flow:to_server,established; content:"ETRN"; nocase; isdataat:500,relative; pcre:"/^ETRN\s[^\n]{500}/smi"; reference:bugtraq,1297; reference:bugtraq,7515; reference:cve,2000-0490; reference:nessus,10438; classtype:attempted-admin; sid:1550; rev:15;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From comment overflow attempt"; flow:to_server,established; content:"From|3A|"; nocase; content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; content:"|28|"; distance:1; content:"|29|"; distance:1; reference:bugtraq,6991; reference:cve,2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; sid:2087; rev:8;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Transfer-Encoding overflow attempt"; flow:to_server,established; content:"Content-Transfer-Encoding|3A|"; nocase; isdataat:100,relative; content:!"|0A|"; within:100; reference:cve,2003-0161; reference:url,www.cert.org/advisories/CA-2003-12.html; classtype:attempted-admin; sid:2183; rev:6;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow attempt"; flow:to_server,established; content:"XEXCH50"; nocase; pcre:"/^XEXCH50\s+-\d/smi"; reference:bugtraq,8838; reference:cve,2003-0714; reference:nessus,11889; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx; classtype:attempted-admin; sid:2253; rev:7;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase; pcre:"/^EXPN[^\n]{255,}/smi"; reference:bugtraq,6991; reference:bugtraq,7230; 
reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2259; rev:5;) ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP VRFY overflow attempt"; flow:to_server,established; content:"VRFY"; nocase; pcre:"/^VRFY[^\n]{255,}/smi"; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2260; rev:5;) ++ ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SEND FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; nocase; pcre:"/^SEND FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? 
$SMTP_SERVERS 25 (msg:"SMTP SEND FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; nocase; pcre:"/^SEND FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2262; rev:4;) ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SAML FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; nocase; pcre:"/^SAML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? 
$SMTP_SERVERS 25 (msg:"SMTP SAML FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; nocase; pcre:"/^SAML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2264; rev:4;) ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SOML FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; nocase; pcre:"/^SOML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? 
$SMTP_SERVERS 25 (msg:"SMTP SOML FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; nocase; pcre:"/^SOML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2266; rev:4;) ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|"; nocase; pcre:"/^MAIL FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? 
$SMTP_SERVERS 25 (msg:"SMTP MAIL FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|"; nocase; pcre:"/^MAIL FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:attempted-admin; sid:2268; rev:4;) ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO sendmail prescan too many addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; pcre:"/^RCPT TO\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? $SMTP_SERVERS 25 (msg:"SMTP RCPT TO sendmail prescan too long addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; pcre:"/^RCPT TO\x3a\s*[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:attempted-admin; sid:2270; rev:5;) ++alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP AUTH LOGON brute force attempt"; flow:from_server,established; content:"Authentication unsuccessful"; offset:54; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2275; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP WinZip MIME content-type buffer overflow"; flow:to_server, established; content:"Content-Type|3A|"; nocase; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; pcre:"/(name|id|number|total|boundary)=\s*[^\r\n\x3b\s\x2c]{300}/smi"; reference:bugtraq,9758; reference:cve,2004-0333; reference:nessus,12621; 
classtype:attempted-user; sid:2487; rev:7;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP WinZip MIME content-disposition buffer overflow"; flow:to_server, established; content:"Content-Type|3A|"; nocase; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; content:"Content-Disposition|3A|"; nocase; pcre:"/name=\s*[^\r\n\x3b\s\x2c]{300}/smi"; reference:bugtraq,9758; reference:cve,2004-0333; reference:nessus,12621; classtype:attempted-user; sid:2488; rev:7;)
++
++
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2504; rev:9;)
++
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP Client_Hello overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2519; rev:9;)
++
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2538; rev:5;)
++alert tcp 
$SMTP_SERVERS 465 -> $EXTERNAL_NET any (msg:"SMTP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2539; rev:5;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2540; rev:5;)
++
++
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP STARTTLS attempt"; flow:to_server,established; content:"STARTTLS|0D 0A|"; within:10; flowbits:set,starttls.attempt; flowbits:noalert; classtype:protocol-command-decode; sid:2527; rev:3;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isset,starttls.attempt; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2541; rev:7;)
++
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isset,starttls.attempt; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; 
byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2528; rev:13;) ++ ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2542; rev:6;) ++alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP TLS SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2543; rev:6;) ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2544; rev:6;) ++ ++ ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM overflow attempt"; flow:to_server,established; content:"MAIL FROM"; nocase; isdataat:260; content:!"|0A|"; within:256; reference:bugtraq,10290; reference:bugtraq,7506; reference:cve,2004-0399; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2590; rev:4;) ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From command overflow attempt"; flow:to_server,established; content:"From"; 
nocase; pcre:"/^From\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2591; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ReplyTo command overflow attempt"; flow:to_server,established; content:"ReplyTo"; nocase; pcre:"/^ReplyTo\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2592; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Sender command overflow attempt"; flow:to_server,established; content:"Sender"; nocase; pcre:"/^Sender\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2593; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP To command overflow attempt"; flow:to_server,established; content:"To"; nocase; pcre:"/^To\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2594; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP CC command overflow attempt"; flow:to_server,established; content:"CC"; nocase; pcre:"/^CC\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2595; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP BCC command overflow attempt"; flow:to_server,established; content:"BCC"; nocase; pcre:"/^BCC\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2596; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Encoding overflow attempt"; flow:to_server,established; content:"Content-Encoding|3A|"; nocase; pcre:"/Content-Encoding\x3A[^\r\n]{300,}/i"; reference:bugtraq,7419; reference:cve,2003-0113; 
reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; classtype:attempted-admin; sid:3462; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Type overflow attempt"; flow:to_server,established; content:"Content-Type|3A|"; nocase; pcre:"/Content-Type\x3A[^\r\n]{300,}/i"; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; classtype:attempted-admin; sid:3461; rev:2;) +--- /dev/null ++++ b/rules/community-deleted.rules +@@ -0,0 +1,7 @@ ++# Copyright 2006 Sourcefire, Inc. All Rights Reserved. # These rules are licensed under the GNU General Public License. ++# Please see the file LICENSE in this directory for more details. ++# $Id: community-deleted.rules,v 1.3 2006/12/05 20:32:48 akirk Exp $ ++ ++#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY DELETED PhpWebGallery XSS attempt"; content:"GET"; nocase; depth:3; uricontent:"comments.php"; nocase; uricontent:"keyword="; nocase; classtype:web-application-attack; sid:100000819; rev:2;) ++#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY DELETED PhpWebGallery XSS attempt"; content:"GET"; nocase; depth:3; uricontent:"comments"; nocase; uricontent:"|2E|php"; nocase; uricontent:"|3F|keyword"; nocase; reference:bugtraq,18798; classtype:web-application-attack; sid:100000848; rev:2;) ++#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY DELETED phpNuke admin_ug_auth.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_ug_auth.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000381; rev:3;) +--- /dev/null ++++ b/rules/info.rules +@@ -0,0 +1,32 @@ ++# Copyright 2001-2005 Sourcefire, Inc. 
All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
++#
++#
++# $Id: info.rules,v 1.27.2.3.2.2 2005/05/31 17:13:02 mwatchinski Exp $
++#-----------
++# INFO RULES
++#-----------
++
++alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"INFO TELNET login incorrect"; flow:from_server,established; content:"Login incorrect"; reference:arachnids,127; classtype:bad-unknown; sid:718; rev:9;)
++alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"INFO TELNET access"; flow:from_server,established; content:"|FF FD|"; rawbytes; content:"|FF FD|"; distance:0; rawbytes; content:"|FF FD|"; distance:0; rawbytes; reference:arachnids,08; reference:cve,1999-0619; reference:nessus,10280; classtype:not-suspicious; sid:716; rev:13;)
++alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INFO Connection Closed MSG from Port 80"; flow:from_server,established; content:"Connection closed by foreign host"; nocase; classtype:unknown; sid:488; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP no password"; flow:from_client,established; content:"PASS"; nocase; pcre:"/^PASS\s*\n/smi"; reference:arachnids,322; 
classtype:unknown; sid:489; rev:7;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INFO battle-mail traffic"; flow:to_server,established; content:"BattleMail"; classtype:policy-violation; sid:490; rev:7;)
++alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"INFO FTP Bad login"; flow:from_server,established; content:"530 "; pcre:"/^530\s+(Login|User)/smi"; classtype:bad-unknown; sid:491; rev:8;)
++alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"INFO TELNET login failed"; flow:from_server,established; content:"Login failed"; nocase; classtype:bad-unknown; sid:492; rev:9;)
++alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"INFO TELNET Bad Login"; flow:from_server,established; content:"Login incorrect"; nocase; classtype:bad-unknown; sid:1251; rev:6;)
++alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO psyBNC access"; flow:from_server,established; content:"Welcome!psyBNC@lam3rz.de"; classtype:bad-unknown; sid:493; rev:5;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INFO web bug 0x0 gif attempt"; flow:from_server,established; content:"Content-type|3A| image/gif"; nocase; content:"GIF"; distance:0; nocase; content:"|01 00 01 00|"; within:4; distance:3; content:","; distance:0; content:"|01 00 01 00|"; within:4; distance:4; classtype:misc-activity; sid:2925; rev:3;)
+--- /dev/null
++++ b/rules/web-iis.rules
+@@ -0,0 +1,167 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. 
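Review bot: sid:718 and sid:1251 match the same bytes — `Login incorrect` from port 23 toward $EXTERNAL_NET with `flow:from_server,established` — so on the usual deployment where $TELNET_SERVERS is a subset of $HOME_NET every failed telnet login raises two alerts, and 1251 is the strict superset because it is `nocase` and keyed on $HOME_NET. Doubled alerts skew any threshold or brute-force count built on these sids; I would keep one, either disabling 718 (`#alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"INFO TELNET login incorrect"; ...`) or adding `nocase;` to 718 and dropping 1251. Separately, sid:716 is `classtype:not-suspicious` yet still an `alert` on every telnet option negotiation (three `|FF FD|` rawbytes matches), which is pure noise unless someone actually wants a telnet-session log; a `# disabled by default: fires on every telnet handshake` comment above it, or commenting it out, would make that intent explicit.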
Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
++#
++#
++# $Id: web-iis.rules,v 1.78.2.5.2.6 2005/07/22 19:19:54 mwatchinski Exp $
++#--------------
++# WEB-IIS RULES
++#--------------
++
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS MDAC Content-Type overflow attempt"; flow:to_server,established; uricontent:"/msadcs.dll"; nocase; content:"Content-Type|3A|"; nocase; isdataat:50,relative; content:!"|0A|"; within:50; pcre:"/^POST\s/smi"; reference:bugtraq,6214; reference:cve,2002-1142; reference:url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337; reference:url,www.microsoft.com/technet/security/bulletin/MS02-065.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS98-004.mspx; classtype:web-application-attack; sid:1970; rev:11;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS repost.asp access"; flow:to_server,established; uricontent:"/scripts/repost.asp"; nocase; reference:nessus,10372; classtype:web-application-activity; sid:1076; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .htr chunked Transfer-Encoding"; flow:to_server,established; uricontent:".htr"; nocase; content:"Transfer-Encoding|3A|"; nocase; content:"chunked"; distance:0; nocase; reference:bugtraq,4855; reference:bugtraq,5003; reference:cve,2002-0364; classtype:web-application-attack; sid:1806; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .asp chunked Transfer-Encoding"; flow:to_server,established; uricontent:".asp"; nocase; content:"Transfer-Encoding|3A|"; nocase; content:"chunked"; distance:0; nocase; reference:bugtraq,4474; 
reference:bugtraq,4485; reference:cve,2002-0071; reference:cve,2002-0079; reference:nessus,10932; classtype:web-application-attack; sid:1618; rev:16;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /StoreCSVS/InstantOrder.asmx request"; flow:to_server,established; uricontent:"/StoreCSVS/InstantOrder.asmx"; nocase; classtype:web-application-activity; sid:1626; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS users.xml access"; flow:to_server,established; uricontent:"/users.xml"; nocase; classtype:web-application-activity; sid:1750; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS as_web.exe access"; flow:to_server,established; uricontent:"/as_web.exe"; nocase; reference:bugtraq,4670; classtype:web-application-activity; sid:1753; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS as_web4.exe access"; flow:to_server,established; uricontent:"/as_web4.exe"; nocase; reference:bugtraq,4670; classtype:web-application-activity; sid:1754; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS NewsPro administration authentication attempt"; flow:to_server,established; content:"logged,true"; reference:bugtraq,4672; classtype:web-application-activity; sid:1756; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS pbserver access"; flow:to_server,established; uricontent:"/pbserver/pbserver.dll"; nocase; reference:cve,2000-1089; reference:url,www.microsoft.com/technet/security/bulletin/ms00-094.mspx; classtype:web-application-activity; sid:1772; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS trace.axd access"; flow:to_server,established; uricontent:"/trace.axd"; nocase; reference:nessus,10993; classtype:web-application-activity; sid:1660; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /isapi/tstisapi.dll access"; flow:to_server,established; 
uricontent:"/isapi/tstisapi.dll"; nocase; reference:bugtraq,2381; reference:cve,2001-0302; classtype:web-application-activity; sid:1484; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS mkilog.exe access"; flow:to_server,established; uricontent:"/mkilog.exe"; nocase; reference:nessus,10359; reference:url,www.osvdb.org/274; classtype:web-application-activity; sid:1485; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ctss.idc access"; flow:to_server,established; uricontent:"/ctss.idc"; nocase; reference:nessus,10359; classtype:web-application-activity; sid:1486; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /iisadmpwd/aexp2.htr access"; flow:to_server,established; uricontent:"/iisadmpwd/aexp2.htr"; reference:bugtraq,2110; reference:bugtraq,4236; reference:cve,1999-0407; reference:cve,2002-0421; reference:nessus,10371; classtype:web-application-activity; sid:1487; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WebDAV file lock attempt"; flow:to_server,established; content:"LOCK "; depth:5; reference:bugtraq,2736; classtype:web-application-activity; sid:969; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .printer access"; flow:to_server,established; uricontent:".printer"; nocase; reference:arachnids,533; reference:bugtraq,2674; reference:cve,2001-0241; reference:nessus,10661; reference:url,www.microsoft.com/technet/security/bulletin/MS01-023.mspx; classtype:web-application-activity; sid:971; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida attempt"; flow:to_server,established; uricontent:".ida?"; nocase; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-attack; sid:1243; rev:11;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida access"; flow:to_server,established; 
uricontent:".ida"; nocase; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1242; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .idq attempt"; flow:to_server,established; uricontent:".idq?"; nocase; reference:arachnids,553; reference:bugtraq,1065; reference:bugtraq,968; reference:cve,2000-0071; reference:cve,2000-0126; reference:nessus,10115; classtype:web-application-attack; sid:1244; rev:14;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .idq access"; flow:to_server,established; uricontent:".idq"; nocase; reference:arachnids,553; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1245; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS %2E-asp access"; flow:to_server,established; content:"%2easp"; nocase; reference:bugtraq,1814; reference:cve,1999-0253; classtype:web-application-activity; sid:972; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS *.idc attempt"; flow:to_server,established; uricontent:"/*.idc"; nocase; reference:bugtraq,1448; reference:cve,1999-0874; reference:cve,2000-0661; classtype:web-application-attack; sid:973; rev:10;)
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Directory transversal attempt"; flow:to_server,established; content:"..|5C|.."; reference:bugtraq,2218; reference:cve,1999-0229; classtype:web-application-attack; sid:974; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Alternate Data streams ASP file access attempt"; flow:to_server,established; uricontent:".asp|3A 3A 24|DATA"; nocase; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q188806; classtype:web-application-attack; sid:975; rev:12;)
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"WEB-IIS .bat? access"; flow:to_server,established; uricontent:".bat?"; nocase; reference:bugtraq,2023; reference:cve,1999-0233; reference:url,support.microsoft.com/support/kb/articles/Q148/1/88.asp; reference:url,support.microsoft.com/support/kb/articles/Q155/0/56.asp; classtype:web-application-activity; sid:976; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cnf access"; flow:to_server,established; uricontent:".cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:977; rev:11;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ASP contents view"; flow:to_server,established; content:"%20"; content:"&CiRestriction=none"; nocase; content:"&CiHiliteType=Full"; nocase; reference:bugtraq,1084; reference:cve,2000-0302; reference:nessus,10356; reference:url,www.microsoft.com/technet/security/bulletin/MS00-006.mspx; classtype:web-application-attack; sid:978; rev:12;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ASP contents view"; flow:to_server,established; uricontent:".htw?CiWebHitsFile"; reference:bugtraq,1861; reference:cve,2000-0942; reference:url,www.microsoft.com/technet/security/bulletin/MS00-006.mspx; classtype:web-application-attack; sid:979; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CGImail.exe access"; flow:to_server,established; uricontent:"/scripts/CGImail.exe"; nocase; reference:bugtraq,1623; reference:cve,2000-0726; classtype:web-application-activity; sid:980; rev:7;)
++
++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS JET VBA access"; flow:to_server,established; uricontent:"/scripts/samples/ctguestb.idc"; nocase; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-activity; sid:984; rev:10;)
++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS JET VBA access"; 
flow:to_server,established; uricontent:"/scripts/samples/details.idc"; nocase; reference:bugtraq,286; reference:cve,1999-0874; classtype:web-application-activity; sid:985; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MSProxy access"; flow:to_server,established; uricontent:"/scripts/proxy/w3proxy.dll"; nocase; reference:url,support.microsoft.com/?kbid=331066; classtype:web-application-activity; sid:986; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS +.htr code fragment attempt"; flow:to_server,established; uricontent:"+.htr"; nocase; reference:bugtraq,1488; reference:cve,2000-0630; reference:nessus,10680; reference:url,www.microsoft.com/technet/security/bulletin/MS00-044.mspx; classtype:web-application-attack; sid:1725; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .htr access"; flow:to_server,established; uricontent:".htr"; nocase; reference:bugtraq,1488; reference:cve,2000-0630; reference:nessus,10680; classtype:web-application-activity; sid:987; rev:14;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SAM Attempt"; flow:to_server,established; content:"sam._"; nocase; reference:url,www.ciac.org/ciac/bulletins/h-45.shtml; classtype:web-application-attack; sid:988; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS achg.htr access"; flow:to_server,established; uricontent:"/iisadmpwd/achg.htr"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:991; rev:8;)
++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS adctest.asp access"; flow:to_server,established; uricontent:"/msadc/samples/adctest.asp"; nocase; classtype:web-application-activity; sid:992; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /scripts/iisadmin/default.htm access"; flow:to_server,established; uricontent:"/scripts/iisadmin/default.htm"; 
nocase; classtype:web-application-attack; sid:994; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ism.dll access"; flow:to_server,established; uricontent:"/scripts/iisadmin/ism.dll?http/dir"; nocase; reference:bugtraq,189; reference:cve,1999-1538; reference:cve,2000-0630; classtype:web-application-attack; sid:995; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS anot.htr access"; flow:to_server,established; uricontent:"/iisadmpwd/anot"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:996; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS asp-dot attempt"; flow:to_server,established; uricontent:".asp."; nocase; reference:bugtraq,1814; reference:nessus,10363; classtype:web-application-attack; sid:997; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS asp-srch attempt"; flow:to_server,established; uricontent:"|23|filename=*.asp"; nocase; classtype:web-application-attack; sid:998; rev:7;)
++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS bdir access"; flow:to_server,established; uricontent:"/scripts/iisadmin/bdir.htr"; nocase; reference:bugtraq,2280; classtype:web-application-activity; sid:999; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS bdir.htr access"; flow:to_server,established; uricontent:"/bdir.htr"; nocase; reference:bugtraq,2280; reference:nessus,10577; classtype:web-application-activity; sid:1000; rev:11;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd32.exe access"; flow:to_server,established; content:"cmd32.exe"; nocase; classtype:web-application-attack; sid:1661; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; uricontent:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:7;)
++alert tcp $EXTERNAL_NET 
any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd? access"; flow:to_server,established; content:".cmd?&"; nocase; classtype:web-application-attack; sid:1003; rev:7;)
++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS codebrowser Exair access"; flow:to_server,established; uricontent:"/iissamples/exair/howitworks/codebrws.asp"; nocase; reference:cve,1999-0499; reference:cve,1999-0815; classtype:web-application-activity; sid:1004; rev:8;)
++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS codebrowser SDK access"; flow:to_server,established; uricontent:"/iissamples/sdk/asp/docs/codebrws.asp"; nocase; reference:bugtraq,167; reference:cve,1999-0736; classtype:web-application-activity; sid:1005; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cross-site scripting attempt"; flow:to_server,established; uricontent:"/Form_JScript.asp"; nocase; reference:bugtraq,119; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; reference:url,www.microsoft.com/technet/security/bulletin/MS00-028.mspx; classtype:web-application-attack; sid:1007; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cross-site scripting attempt"; flow:to_server,established; uricontent:"/Form_VBScript.asp"; nocase; reference:bugtraq,119; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; classtype:web-application-attack; sid:1380; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS del attempt"; flow:to_server,established; content:"&del+/s+c|3A 5C|*.*"; nocase; classtype:web-application-attack; sid:1008; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS directory listing"; flow:to_server,established; uricontent:"/ServerVariables_Jscript.asp"; nocase; reference:nessus,10573; 
classtype:web-application-attack; sid:1009; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS encoding access"; flow:to_server,established; content:"%1u"; reference:arachnids,200; reference:bugtraq,886; reference:cve,2000-0024; reference:url,http//www.microsoft.com/technet/security/bulletin/MS99-061.mspx; classtype:web-application-activity; sid:1010; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS exec-src access"; flow:to_server,established; content:"|23|filename=*.exe"; nocase; classtype:web-application-activity; sid:1011; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS fpcount attempt"; flow:to_server,established; uricontent:"/fpcount.exe"; content:"Digits="; nocase; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-attack; sid:1012; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS fpcount access"; flow:to_server,established; uricontent:"/fpcount.exe"; nocase; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-activity; sid:1013; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS getdrvs.exe access"; flow:to_server,established; uricontent:"/scripts/tools/getdrvs.exe"; nocase; classtype:web-application-activity; sid:1015; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS global.asa access"; flow:to_server,established; uricontent:"/global.asa"; nocase; reference:cve,2000-0778; reference:nessus,10491; reference:nessus,10991; classtype:web-application-activity; sid:1016; rev:12;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS idc-srch attempt"; flow:to_server,established; content:"|23|filename=*.idc"; nocase; reference:cve,1999-0874; classtype:web-application-attack; sid:1017; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS iisadmpwd attempt"; flow:to_server,established; 
uricontent:"/iisadmpwd/aexp"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-attack; sid:1018; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"IIS Malformed Hit-Highlighting Argument File Access Attempt"; flow:to_server,established; uricontent:"CiWebHitsFile="; nocase; pcre:"/CiWebHitsFile=\/?([^\r\n\x3b\&]*\.\.\/)?/i"; uricontent:"CiRestriction=none"; nocase; uricontent:"ciHiliteType=Full"; nocase; reference:bugtraq,950; reference:cve,2000-0097; reference:url,www.microsoft.com/technet/security/bulletin/ms00-006.mspx; reference:url,www.securityfocus.com/archive/1/43762; classtype:web-application-attack; sid:1019; rev:15;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS isc$data attempt"; flow:to_server,established; uricontent:".idc|3A 3A 24|data"; nocase; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-attack; sid:1020; rev:12;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ism.dll attempt"; flow:to_server,established; uricontent:" .htr"; nocase; reference:bugtraq,1193; reference:cve,2000-0457; reference:nessus,10680; reference:url,www.microsoft.com/technet/security/bulletin/MS00-031.mspx; classtype:web-application-attack; sid:1021; rev:14;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS jet vba access"; flow:to_server,established; uricontent:"/advworks/equipment/catalog_type.asp"; nocase; reference:bugtraq,286; reference:cve,1999-0874; classtype:web-application-activity; sid:1022; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS msadcs.dll access"; flow:to_server,established; uricontent:"/msadcs.dll"; nocase; reference:bugtraq,529; reference:cve,1999-1011; reference:nessus,10357; classtype:web-application-activity; sid:1023; rev:11;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS newdsn.exe access"; 
flow:to_server,established; uricontent:"/scripts/tools/newdsn.exe"; nocase; reference:bugtraq,1818; reference:cve,1999-0191; reference:nessus,10360; classtype:web-application-activity; sid:1024; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl access"; flow:to_server,established; uricontent:"/scripts/perl"; nocase; classtype:web-application-activity; sid:1025; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl-browse newline attempt"; flow:to_server,established; uricontent:"|0A|.pl"; nocase; reference:bugtraq,6833; classtype:web-application-attack; sid:1026; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl-browse space attempt"; flow:to_server,established; uricontent:" .pl"; nocase; reference:bugtraq,6833; classtype:web-application-attack; sid:1027; rev:8;)
++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS query.asp access"; flow:to_server,established; uricontent:"/issamples/query.asp"; nocase; reference:bugtraq,193; reference:cve,1999-0449; classtype:web-application-activity; sid:1028; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS scripts-browse access"; flow:to_server,established; uricontent:"/scripts/ "; nocase; reference:nessus,11032; classtype:web-application-attack; sid:1029; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS search97.vts access"; flow:to_server,established; uricontent:"/search97.vts"; reference:bugtraq,162; classtype:web-application-activity; sid:1030; rev:7;)
++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /SiteServer/Publishing/viewcode.asp access"; flow:to_server,established; uricontent:"/SiteServer/Publishing/viewcode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1031; rev:8;)
++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; 
flow:to_server,established; uricontent:"/Sites/Knowledge/Membership/Inspired/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1032; rev:7;)
++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1033; rev:7;)
++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1034; rev:7;)
++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Samples/Knowledge/Push/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1035; rev:7;)
++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Samples/Knowledge/Search/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1036; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode.asp access"; flow:to_server,established; uricontent:"/showcode.asp"; nocase; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,10007; reference:url,www.microsoft.com/technet/security/bulletin/MS99-013.mspx; classtype:web-application-activity; sid:1037; rev:11;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS site server config access"; flow:to_server,established; uricontent:"/adsamples/config/site.csc"; nocase; reference:bugtraq,256; reference:cve,1999-1520; classtype:web-application-activity; sid:1038; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS srch.htm 
access"; flow:to_server,established; uricontent:"/samples/isapi/srch.htm"; nocase; classtype:web-application-activity; sid:1039; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS srchadm access"; flow:to_server,established; uricontent:"/srchadm"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1040; rev:12;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS uploadn.asp access"; flow:to_server,established; uricontent:"/scripts/uploadn.asp"; nocase; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1041; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; content:"Translate|3A| F"; nocase; reference:arachnids,305; reference:bugtraq,1578; reference:cve,2000-0778; classtype:web-application-activity; sid:1042; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS viewcode.asp access"; flow:to_server,established; uricontent:"/viewcode.asp"; nocase; reference:cve,1999-0737; reference:nessus,10576; classtype:web-application-activity; sid:1043; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS webhits access"; flow:to_server,established; uricontent:".htw"; reference:arachnids,237; reference:bugtraq,950; reference:cve,2000-0097; classtype:web-application-activity; sid:1044; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS doctodep.btr access"; flow:to_server,established; uricontent:"doctodep.btr"; classtype:web-application-activity; sid:1726; rev:4;)
++# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-IIS Unauthorized IP Access Attempt"; flow:to_server,established; content:"403"; content:"Forbidden|3A|"; classtype:web-application-attack; sid:1045; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS site/iisamples access"; 
flow:to_server,established; uricontent:"/site/iisamples"; nocase; reference:nessus,10370; classtype:web-application-activity; sid:1046; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS outlook web dos"; flow:to_server,established; uricontent:"/exchange/LogonFrm.asp?"; nocase; content:"mailbox="; nocase; content:"%%%"; reference:bugtraq,3223; classtype:web-application-attack; sid:1283; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /scripts/samples/ access"; flow:to_server,established; uricontent:"/scripts/samples/"; nocase; reference:nessus,10370; classtype:web-application-attack; sid:1400; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /msadc/samples/ access"; flow:to_server,established; uricontent:"/msadc/samples/"; nocase; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,1007; classtype:web-application-attack; sid:1401; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS iissamples access"; flow:to_server,established; uricontent:"/iissamples/"; nocase; reference:nessus,11032; classtype:web-application-attack; sid:1402; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS iisadmin access"; flow:to_server,established; uricontent:"/iisadmin"; nocase; reference:bugtraq,189; reference:cve,1999-1538; reference:nessus,11032; classtype:web-application-attack; sid:993; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS msdac access"; flow:to_server,established; uricontent:"/msdac/"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1285; rev:8;)
++alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS _mem_bin access"; flow:to_server,established; uricontent:"/_mem_bin/"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1286; rev:8;) ++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS scripts access"; flow:to_server,established; uricontent:"/scripts/"; nocase; classtype:web-application-activity; sid:1287; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS htimage.exe access"; flow:to_server,established; uricontent:"/htimage.exe"; nocase; reference:bugtraq,1117; reference:bugtraq,964; reference:cve,2000-0122; reference:cve,2000-0256; reference:nessus,10376; classtype:web-application-activity; sid:1595; rev:10;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MS Site Server default login attempt"; flow:to_server,established; uricontent:"/SiteServer/Admin/knowledge/persmbr/"; nocase; pcre:"/^Authorization|3A|\s*Basic\s+TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE=/smi"; reference:nessus,11018; classtype:web-application-attack; sid:1817; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MS Site Server admin attempt"; flow:to_server,established; uricontent:"/Site Server/Admin/knowledge/persmbr/"; nocase; reference:nessus,11018; classtype:web-application-attack; sid:1818; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS postinfo.asp access"; flow:to_server,established; uricontent:"/scripts/postinfo.asp"; nocase; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1075; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /exchange/root.asp attempt"; flow:to_server,established; uricontent:"/exchange/root.asp?acs=anon"; nocase; reference:bugtraq,3301; reference:cve,2001-0660; reference:nessus,10755; reference:nessus,10781; reference:url,www.microsoft.com/technet/security/bulletin/MS01-047.mspx; 
classtype:web-application-attack; sid:1567; rev:12;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /exchange/root.asp access"; flow:to_server,established; uricontent:"/exchange/root.asp"; nocase; reference:bugtraq,3301; reference:cve,2001-0660; reference:nessus,10755; reference:nessus,10781; classtype:web-application-activity; sid:1568; rev:11;) ++ ++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .asa HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".asa"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:web-application-attack; sid:1802; rev:8;) ++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cer HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".cer"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:web-application-attack; sid:1803; rev:9;) ++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cdx HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".cdx"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:web-application-attack; sid:1804; rev:9;) ++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .asp HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".asp"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; 
reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:web-application-attack; sid:1801; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|"; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; distance:1; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2090; rev:10;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH / HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|"; within:255; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2091; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Battleaxe Forum login.asp access"; flow:to_server,established; uricontent:"myaccount/login.asp"; nocase; reference:bugtraq,7416; reference:cve,2003-0215; classtype:web-application-activity; sid:2117; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS nsiislog.dll access"; flow:to_server,established; uricontent:"/nsiislog.dll"; nocase; reference:bugtraq,8035; reference:cve,2003-0227; reference:cve,2003-0349; reference:nessus,11664; reference:url,www.microsoft.com/technet/security/bulletin/ms03-018.mspx; classtype:web-application-activity; sid:2129; rev:11;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS IISProtect siteadmin.asp access"; flow:to_server,established; uricontent:"/iisprotect/admin/SiteAdmin.asp"; nocase; reference:bugtraq,7675; reference:cve,2003-0377; reference:nessus,11662; 
classtype:web-application-activity; sid:2130; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS IISProtect globaladmin.asp access"; flow:to_server,established; uricontent:"/iisprotect/admin/GlobalAdmin.asp"; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2157; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS IISProtect access"; flow:to_server,established; uricontent:"/iisprotect/admin/"; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2131; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Synchrologic Email Accelerator userid list access attempt"; flow:to_server,established; uricontent:"/en/admin/aggregate.asp"; nocase; reference:nessus,11657; classtype:web-application-activity; sid:2132; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MS BizTalk server access"; flow:to_server,established; uricontent:"/biztalkhttpreceive.dll"; nocase; reference:bugtraq,7469; reference:bugtraq,7470; reference:cve,2003-0117; reference:cve,2003-0118; reference:nessus,11638; reference:url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx; classtype:web-application-activity; sid:2133; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS register.asp access"; flow:to_server,established; uricontent:"/register.asp"; nocase; reference:nessus,11621; classtype:web-application-activity; sid:2134; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS UploadScript11.asp access"; flow:to_server,established; uricontent:"/UploadScript11.asp"; nocase; reference:cve,2001-0938; classtype:web-application-activity; sid:2247; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS DirectoryListing.asp access"; flow:to_server,established; uricontent:"/DirectoryListing.asp"; nocase; reference:cve,2001-0938; classtype:web-application-activity; 
sid:2248; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /pcadmin/login.asp access"; flow:to_server,established; uricontent:"/pcadmin/login.asp"; nocase; reference:bugtraq,8103; reference:nessus,11785; classtype:web-application-activity; sid:2249; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS foxweb.exe access"; flow:to_server,established; uricontent:"/foxweb.exe"; nocase; reference:nessus,11939; classtype:web-application-activity; sid:2321; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS foxweb.dll access"; flow:to_server,established; uricontent:"/foxweb.dll"; nocase; reference:nessus,11939; classtype:web-application-activity; sid:2322; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS VP-ASP shopsearch.asp access"; flow:to_server,established; uricontent:"/shopsearch.asp"; nocase; reference:bugtraq,9133; reference:bugtraq,9134; reference:nessus,11942; classtype:web-application-activity; sid:2324; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS VP-ASP ShopDisplayProducts.asp access"; flow:to_server,established; uricontent:"/ShopDisplayProducts.asp"; nocase; reference:bugtraq,9133; reference:bugtraq,9134; reference:nessus,11942; classtype:web-application-activity; sid:2325; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS sgdynamo.exe access"; flow:to_server,established; uricontent:"/sgdynamo.exe"; nocase; reference:bugtraq,4720; reference:cve,2002-0375; reference:nessus,11955; classtype:web-application-activity; sid:2326; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS NTLM ASN.1 vulnerability scan attempt"; flow:to_server,established; content:"Authorization|3A| Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; 
reference:nessus,12055; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:attempted-dos; sid:2386; rev:9;) ++ ++ ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SmarterTools SmarterMail frmGetAttachment.aspx access"; flow:to_server,established; uricontent:"/frmGetAttachment.aspx"; nocase; reference:bugtraq,9805; classtype:web-application-activity; sid:2571; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt"; flow:to_server,established; uricontent:"/login.aspx"; nocase; content:"txtusername="; isdataat:980,relative; content:!"|0A|"; within:980; nocase; reference:bugtraq,9805; classtype:web-application-attack; sid:2572; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SmarterTools SmarterMail frmCompose.asp access"; flow:to_server,established; uricontent:"/frmCompose.aspx"; reference:bugtraq,9805; classtype:web-application-activity; sid:2573; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ping.asp access"; flow:to_server,established; uricontent:"/ping.asp"; nocase; reference:nessus,10968; classtype:web-application-activity; sid:2667; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS w3who.dll buffer overflow attempt"; flow:to_server,established; uricontent:"/w3who.dll?"; nocase; pcre:"/w3who.dll\x3F[^\r\n]{519}/i"; reference:bugtraq,11820; reference:cve,2004-1134; classtype:attempted-admin; sid:3087; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cmd executable file parsing attack"; flow:established,to_server; uricontent:".cmd|22|"; nocase; pcre:"/.cmd\x22.*\x26.*/smi"; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:3193; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .bat executable file parsing 
attack"; flow:established,to_server; uricontent:".bat|22|"; nocase; pcre:"/.bat\x22.*\x26.*/smi"; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:3194; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS httpodbc.dll access - nimda"; flow:to_server,established; uricontent:"/httpodbc.dll"; nocase; reference:bugtraq,2708; reference:cve,2001-0333; classtype:web-application-activity; sid:3201; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS SQLXML content type overflow"; flow:to_server,established; pcre:"/\.x[sm]l/Ui"; uricontent:"contenttype="; pcre:"/contenttype=[^\r\n\x3b\x38]{100}/smiU"; reference:bugtraq,5004; reference:cve,2002-0186; reference:url,www.microsoft.com/technet/security/bulletin/MS02-030.mspx; reference:url,www.westpoint.ltd.uk/advisories/wp-02-0007.txt; classtype:attempted-admin; sid:3150; rev:4;)
+--- /dev/null
++++ b/rules/web-client.rules
+@@ -0,0 +1,54 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
++#
++#
++# $Id: web-client.rules,v 1.20.2.8.2.7 2005/07/22 19:19:54 mwatchinski Exp $
++#---------------
++# WEB-CLIENT RULES
++#---------------
++#
++# These signatures look for two things:
++# * bad things coming from our users
++# * attacks against our web users
++
++alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Outlook EML access"; flow:from_client,established; uricontent:".eml"; reference:nessus,10767; classtype:attempted-user; sid:1233; rev:11;)
++alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft emf metafile access"; flow:from_client,established; uricontent:".emf"; reference:bugtraq,10120; reference:bugtraq,9707; reference:cve,2003-0906; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-user; sid:2435; rev:5;)
++alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft wmf metafile access"; flow:from_client,established; uricontent:".wmf"; reference:bugtraq,10120; reference:bugtraq,9707; reference:cve,2003-0906; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-user; sid:2436; rev:5;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT XMLHttpRequest attempt"; flow:to_client,established; content:"new XMLHttpRequest|28|"; content:"file|3A|//"; nocase; reference:bugtraq,4628; reference:cve,2002-0354; classtype:web-application-attack; sid:1735; rev:7;)
++alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT readme.eml download attempt"; flow:from_client,established; uricontent:"/readme.eml"; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1284; rev:10;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT readme.eml autoload attempt"; flow:to_client,established; content:"window.open|28 22|readme.eml|22|"; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1290;
rev:10;) ++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Javascript document.domain attempt"; flow:to_client,established; content:"document.domain|28|"; nocase; reference:bugtraq,5346; reference:cve,2002-0815; classtype:attempted-user; sid:1840; rev:7;) ++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Javascript URL host spoofing attempt"; flow:to_client,established; content:"javascript|3A|//"; nocase; reference:bugtraq,5293; classtype:attempted-user; sid:1841; rev:5;) ++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer arbitrary javascript command attempt"; flow:to_client,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s*application\x2fsmi.*? $HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist file URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"file|3A|//"; nocase; pcre:"/^file\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2438; rev:5;) ++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist http URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"http|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2439; rev:5;) ++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"rtsp|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2440; rev:5;) ++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Norton antivirus sysmspam.dll load attempt"; flow:to_client,established; content:"clsid|3A|"; nocase; content:"0534CF61-83C5-4765-B19B-45F7A4E135D0"; nocase; 
reference:bugtraq,9916; reference:cve,2004-0363; classtype:attempted-admin; sid:2485; rev:5;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT local resource redirection attempt"; flow:to_client,established; content:"Location|3A|"; nocase; pcre:"/^Location\x3a\s*URL\s*\x3a/smi"; reference:cve,2004-0549; reference:url,www.kb.cert.org/vuls/id/713878; classtype:attempted-user; sid:2577; rev:3;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Content-Disposition CLSID command attempt"; flow:to_client,established; content:"Content-Disposition|3A|"; nocase; pcre:"/^Content-Disposition\x3a[^\r\n]*\{[\da-fA-F]{8}(-[\da-fA-F]{4}){3}-[\da-fA-F]{12}\}/smi"; reference:bugtraq,9510; reference:cve,2004-0420; reference:url,www.microsoft.com/technet/security/bulletin/ms04-024.mspx; classtype:attempted-user; sid:2589; rev:3;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT libpng tRNS overflow attempt"; flow:to_client,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:4; distance:4; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; reference:bugtraq,10872; reference:cve,2004-0597; classtype:attempted-user; sid:2673; rev:4;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT bitmap BitmapOffset integer overflow attempt"; flow:to_client,established; content:"image/bmp"; nocase; pcre:"/^Content-type\x3a\s*image\x2fbmp/smi"; pcre:"/^BM/sm"; byte_test:4,>,2147480000,8,relative,little; reference:bugtraq,9663; reference:cve,2004-0566; classtype:attempted-user; sid:2671; rev:4;)
++# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser heap overflow attempt"; flow:from_server,established; content:"image/"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fp?jpe?g.*\xFF\xD8.{2}.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/smi"; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-admin; sid:2705; rev:4;)
++# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG transfer"; flow:from_server,established; content:"image/"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fp?jpe?g/smi"; flowbits:set,http.jpeg; flowbits:noalert; classtype:protocol-command-decode; sid:2706; rev:2;)
++# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser multipacket heap overflow"; flow:from_server,established; flowbits:isset,http.jpeg; content:"|FF|"; pcre:"/\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/"; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-admin; sid:2707; rev:2;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft ANI file parsing overflow"; flow:established,from_server; content:"RIFF"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative,little; reference:cve,2004-1049; classtype:attempted-user; sid:3079; rev:3;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT winamp .cda file name overflow attempt"; flow:from_server,established; content:".cda"; nocase; pcre:"/(\x5c[^\x5c]{16,}|\x2f[^\x2f]{16,})\.cda$/smi"; reference:bugtraq,11730; classtype:attempted-user; sid:3088; rev:1;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT PNG large image width download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32768,0,relative; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3132; rev:3;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT PNG large colour depth download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:1,>,16,8,relative; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3134; rev:3;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT PNG large image height download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32768,4,relative; reference:bugtraq,11481; reference:bugtraq,11523; reference:cve,2004-0599; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3133; rev:4;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT object type overflow attempt"; flow:from_server,established; content:"]*type\s*=[\x22\x27]\x2f{32}/smi"; reference:cve,2003-0344; reference:url,www.microsoft.com/technet/security/bulletin/MS03-020.mspx; classtype:attempted-user; sid:3149; rev:3;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt"; flow:from_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename=[^\x3b\x3a\r\n]*(\x2e\x2e|\x25\x32\x65)/smi"; reference:bugtraq,7517; reference:cve,2003-0228; reference:url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx; classtype:attempted-user; sid:3192; rev:2;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT winhelp clsid attempt"; flow:from_server,established; content:"adb880a6-d8ff-11cf-9377-00aa003b7a11"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*adb880a6-d8ff-11cf-9377-00aa003b7a11/si"; reference:bugtraq,4857; reference:cve,2002-0823; reference:url,www.ngssoftware.com/advisories/ms-winhlp.txt; classtype:attempted-user; sid:3148; rev:4;)
+--- /dev/null
++++ b/rules/unicode.map
+@@ -0,0 +1,104 @@
++# Windows Version:
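Review bot: sid:2440 ("RealPlayer playlist rtsp URL overflow attempt") pairs `content:"rtsp|3A|//"` with `pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"`, so the regex looks for an overlong http:// line even though the rule is meant to catch an overlong rtsp:// URL; it reads like a copy of sid:2439 whose pcre was not updated, and as written the rule misses its intended traffic and only fires when both schemes happen to be present in the same stream. The pcre should follow the pattern sid:2438 and sid:2439 use for file:// and http://, i.e. `pcre:"/^rtsp\x3a\x2f\x2f[^\n]{400}/smi"`. Separately, as rendered here the RealPlayer arbitrary javascript rule and sid:3149/sid:3148 appear to have lost the angle-bracketed part of their `content`/`pcre` strings (e.g. `content:"]*type\s*=[\x22\x27]\x2f{32}/smi"`); that is most likely an artefact of how this page was extracted rather than of the patch, but it is worth confirming against the committed file, since a truncated `content` string silently changes what the rule matches.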
5.00.2195 ++# OEM codepage: 437 ++# ACP codepage: 1252 ++ ++# INSTALLED CODEPAGES ++10000 (MAC - Roman) ++ ++ ++10079 (MAC - Icelandic) ++ ++ ++1250 (ANSI - Central Europe) ++00a1:21 00a2:63 00a3:4c 00a5:59 00aa:61 00b2:32 00b3:33 00b9:31 00ba:6f 00bc:31 00bd:31 00be:33 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 
2134:6f 2191:5e 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++1251 (ANSI - Cyrillic) ++00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 
012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221a:76 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2552:2d 2558:4c 2559:4c 255a:4c 255b:2d 255c:2d 255d:2d 2564:54 2565:54 2566:54 256a:2b 256b:2b 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b 
ff5c:7c ff5d:7d ff5e:7e ++ ++1252 (ANSI - Latin I) ++0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c8:27 02cb:60 02cd:5f 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 0398:54 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2017:3d 2032:27 2035:60 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 207f:6e 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2212:2d 2215:2f 
2216:5c 2217:2a 221a:76 221e:38 2223:7c 2229:6e 2236:3a 223c:7e 2261:3d 2264:3d 2265:3d 2303:5e 2320:28 2321:29 2329:3c 232a:3e 2500:2d 250c:2b 2510:2b 2514:2b 2518:2b 251c:2b 252c:2d 2534:2d 253c:2b 2550:2d 2552:2b 2553:2b 2554:2b 2555:2b 2556:2b 2557:2b 2558:2b 2559:2b 255a:2b 255b:2b 255c:2b 255d:2b 2564:2d 2565:2d 2566:2d 2567:2d 2568:2d 2569:2d 256a:2b 256b:2b 256c:2b 2584:5f 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++1253 (ANSI - Greek) ++00b4:2f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 
012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 037e:3b 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++1254 (ANSI - Turkish) 
++00dd:59 00fd:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c7:5e 02c8:27 02cb:60 02cd:5f 02d8:5e 02d9:27 0300:60 0302:5e 0331:5f 0332:5f 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2081:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2193:76 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 
2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:3d 301d:22 301e:22 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++1255 (ANSI - Hebrew) ++0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++1256 (ANSI - Arabic) ++00c0:41 00c2:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00ce:49 00cf:49 00d4:4f 00d9:55 00db:55 00dc:55 0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 
ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++1257 (ANSI - Baltic) ++ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++1258 (ANSI/OEM - Viet Nam) ++ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 
ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++#INVALID CODEPAGE: 1361 ++20127 (US-ASCII) ++00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 
01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++20261 (T.61) ++f8dd:5c f8de:5e f8df:60 f8e0:7b f8fc:7d f8fd:7e f8fe:7f ++ ++20866 (Russian - KOI8) ++00a7:15 00ab:3c 00ad:2d 00ae:52 00b1:2b 00b6:14 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 
0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e ++ ++28591 (ISO 8859-1 Latin I) ++0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 
0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++28592 (ISO 8859-2 Central Europe) ++00a1:21 00a2:63 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b2:32 00b3:33 00b7:2e 00b9:31 00ba:6f 00bb:3e 00c0:41 00c3:41 00c5:41 
00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a 
ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++#INVALID CODEPAGE: 28595 ++#INVALID CODEPAGE: 28597 ++28605 (ISO 8859-15 Latin 9) ++00a6:7c 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0138:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014a:4e 014b:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:54 0169:74 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 
ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++37 (IBM EBCDIC - U.S./Canada) ++0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f ++ ++437 (OEM - United States) ++00a4:0f 00a7:15 00a8:22 00a9:63 00ad:2d 00ae:72 00af:5f 00b3:33 00b4:27 00b6:14 00b8:2c 00b9:31 00be:5f 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:78 00d8:4f 00d9:55 00da:55 00db:55 00dd:59 00de:5f 00e3:61 
00f0:64 00f5:6f 00f8:6f 00fd:79 00fe:5f 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02ca:27 02cb:60 02cd:5f 02dc:7e 0300:60 0301:27 0302:5e 0303:7e 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:60 2019:27 201a:2c 201c:22 201d:22 201e:2c 2020:2b 2022:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:09 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 
211c:52 211d:52 2122:54 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2212:2d 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 3000:20 3007:09 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++500 (IBM EBCDIC - International) ++0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 
00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 ++ ++850 (OEM - Multilingual Latin I) ++0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01a9:53 01ab:74 01ae:54 01af:55 01b0:75 01b6:5a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:27 02cd:5f 02dc:7e 0300:27 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 
201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:39 207f:6e 2080:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2126:4f 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2211:53 2212:2d 2215:2f 2216:2f 2217:2a 2219:07 221a:56 221e:38 221f:1c 2229:6e 2236:3a 223c:7e 2248:7e 2261:3d 2264:3d 2265:3d 2302:7f 2303:5e 2320:28 2321:29 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2713:56 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++860 (OEM - Portuguese) ++00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00be:33 00c4:41 00c5:41 00c6:41 00cb:45 00ce:49 00cf:49 00d0:44 00d6:4f 00d7:58 00d8:4f 00db:55 00dd:59 00de:54 00e4:61 00e5:61 00e6:61 00eb:65 00ee:69 00ef:69 00f0:64 00f6:6f 00f8:6f 00fb:75 00fd:79 00fe:74 
00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:5c 0161:7c 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:5f 2011:5f 2013:5f 2014:5f 2017:5f 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 
211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 ++ ++861 (OEM - Icelandic) ++00a2:63 00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00aa:61 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00ba:6f 00be:33 00c0:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00db:55 00e3:61 00ec:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f9:75 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 
01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 ++ ++863 (OEM - Canadian French) ++00a1:21 00a5:59 00a9:63 00aa:61 00ad:16 00ae:72 00b9:33 00ba:6f 00c1:41 00c3:41 00c4:41 00c5:41 00c6:41 00cc:49 00cd:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d5:4f 00d6:4f 00d7:58 00d8:4f 00da:55 00dd:59 00de:54 00e1:61 00e3:61 00e4:61 00e5:61 00e6:61 00ec:69 00ed:69 00f0:64 00f1:6e 00f2:6f 00f5:6f 00f6:6f 00f8:6f 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 
0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:22 02ba:27 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 0304:16 0305:16 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 
263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 ++ ++865 (OEM - Nordic) ++00a2:63 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00bb:3e 00be:33 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00da:55 00db:55 00dd:59 00de:54 00e3:61 00f0:64 00f5:6f 00fd:79 00fe:74 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 
2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 226b:3c 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 300b:3e 301a:5b 301b:5d 30fb:07 ++ ++874 (ANSI/OEM - Thai) ++00a7:15 00b6:14 203c:13 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d 
ff5e:7e ++ ++932 (ANSI/OEM - Japanese Shift-JIS) ++00a1:21 00a5:5c 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:64 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 ++ ++936 (ANSI/OEM - Simplified Chinese GBK) ++00a6:7c 00aa:61 00ad:2d 00b2:32 00b3:33 00b9:31 00ba:6f 00d0:44 00dd:59 00de:54 00e2:61 00f0:65 00fd:79 00fe:74 ++ ++949 (ANSI/OEM - Korean) ++00a6:7c 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 20a9:5c ++ ++950 (ANSI/OEM - Traditional Chinese Big5) ++00a1:21 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:65 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 ++ ++65000 (UTF-7) ++ ++ ++65001 (UTF-8) ++ ++ +--- /dev/null ++++ b/rules/community-web-misc.rules +@@ -0,0 
+1,215 @@
++# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# These rules are licensed under the GNU General Public License.
++# Please see the file LICENSE in this directory for more details.
++# $Id: community-web-misc.rules,v 1.45 2007/04/20 13:28:50 akirk Exp $
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Test Script Access"; flow:to_server,established; uricontent:"/test"; nocase; pcre:"/test\.(pl|php|cgi|asp|jsp)/Ui"; classtype:web-application-activity; sid:100000121; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "COMMUNITY WEB-MISC mod_jrun overflow attempt"; flow:to_server,established; content:"|3A|"; pcre:"/^.*\x3a[^\n]{1000}/sm"; reference:bugtraq,11245; reference:cve,2004-0646; classtype:web-application-attack; sid:100000122; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Cisco IOS HTTP Router Management Service Infinite Loop DoS"; flow:to_server,established; uricontent:"?/ "; reference:bugtraq,10014; reference:url,www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml; classtype:successful-dos; sid:100000129; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS"; flow:to_server,established; uricontent:"/Filelist.html"; nocase; reference:bugtraq,12778; classtype:attempted-dos; sid:100000130; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS - Floppy Access"; flow:to_server,established; uricontent:"/A|3A|"; nocase; pcre:"/A\x3A[^\r\n]?\.[^\r\n]?[\r\n]/Ui"; reference:bugtraq,12778; classtype:attempted-dos; sid:100000131; rev:1;)
++# Following rule submitted by Alexandru Ionica , and revised by Jason Haar
++alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY WEB-MISC Proxy Server Access"; flow:established,from_server; content:"Proxy-Connection"; nocase; content:"Via"; nocase; 
content:"HTTP"; nocase; content: !"ERR_ACCESS_DENIED"; nocase; classtype:misc-activity; sid:100000132; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-DoS Xeneo Server Question Mark GET Request"; flow:to_server,established; pcre:"/GET \/\?{250,}/i"; reference:bugtraq,7398; reference:url,www.northernsolutions.com/support/index.php?view=support&cmd=releasenotes&productid=1; classtype:attempted-dos; sid:100000133; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"COMMUNITY WEB-MISC MaxDB Web Tool Remote Stack Overflow"; flow:to_server,established; content:"GET"; nocase; depth:3; content:"/%"; distance:0; pcre:"/^GET\s+\/\%[^\r\n]{215,}/smi"; reference:cve,2005-0684; reference:url,www.idefense.com/application/poi/display?id=234&type=vulnerabilities; classtype:attempted-admin; sid:100000140; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jsp directory traversal attempt"; flow:to_server,established; content:".jsp"; pcre:"/.jsp\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000141; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jpg directory traversal attempt"; flow:to_server,established; content:".jpg"; pcre:"/.jpg\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000142; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .gif directory traversal attempt"; flow:to_server,established; content:".gif"; pcre:"/.gif\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000143; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .wav directory traversal attempt"; flow:to_server,established; 
content:".wav"; pcre:"/.wav\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252;classtype:attempted-recon; sid:100000144; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .css directory traversal attempt"; flow:to_server,established; content:".css"; pcre:"/.css\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000145; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .htm directory traversal attempt"; flow:to_server,established; content:".htm"; pcre:"/.htm\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000146; rev:1;)
++#Rules submitted by rmkml
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8000 (msg:"COMMUNITY WEB-MISC Barracuda img.pl attempt"; flow:to_server,established; uricontent:"/cgi-bin/img.pl?f=.."; reference:bugtraq,14712; reference:bugtraq,14710; reference:cve,2005-2848; classtype:web-application-attack; sid:100000148; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:"COMMUNITY WEB-MISC Jboss % attempt"; flow:to_server,established; content:"GET %"; reference:bugtraq,13985; reference:cve,2005-2006; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17403; classtype:attempted-recon; sid:100000149; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC HTTP Transfer-Content Request Smuggling attempt"; flow:to_server,established; content:"Transfer-Encoding|3A|"; content:"chunked"; content:"Content-Length|3A|"; nocase; reference:bugtraq,13873; reference:bugtraq,14106; reference:cve,2005-2088; reference:cve,2005-2089; reference:cve,2005-2090; reference:cve,2005-2091; reference:cve,2005-2092; reference:cve,2005-2093; reference:cve,2005-2094; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17738; reference:nessus,18337; 
classtype:attempted-admin; sid:100000150; rev:1;)
++alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Linksys apply.cgi overflow attempt"; flow:to_server,established; uricontent:"/apply.cgi"; content:"Content-Length|3A|"; pcre:"/Content-Length\x3A\s*[^\r\n]{1000,}/smi"; reference:bugtraq,14822; reference:cve,2005-2799; reference:nessus,20096; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19389; classtype:web-application-attack; sid:100000177; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Hasbani-WindWeb GET DoS attempt"; flow:to_server,established; uricontent:"..\:..\:..\:.."; reference:bugtraq,15225; reference:nessus,20097; classtype:attempted-dos; sid:100000178; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 898 (msg:"COMMUNITY WEB-MISC SMC TRACE access"; flow:to_server,established; content:"TRACE"; depth:5; reference:url,www.kb.cert.org/vuls/id/867593; classtype:attempted-recon; sid:100000179; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"COMMUNITY WEB-MISC JBoss JMXInvokerServlet access"; flow:to_server,established; uricontent:"/invoker/JMXInvokerServlet"; reference:url,online.securityfocus.com/archive/1/415707; classtype:misc-activity; sid:100000184; rev:1;)
++alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"COMMUNITY WEB-MISC apache directory list attempt"; flow:to_client,established; content:"HTTP/1.1 200 OK"; depth:15; content:"Index of /"; nocase; within:200; reference:bugtraq,3009; reference:cve,2001-0731; classtype:web-application-activity; sid:100000185; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 41080 (msg:"COMMUNITY WEB-MISC Symantec Brightmail Antispam default login attempt"; flow:to_server,established; uricontent:"/brightmail/viewLogin.do"; nocase; uricontent:"user|3D|admin"; nocase; uricontent:"pass|3D|symantec"; nocase; reference:nessus,19598; 
reference:url,securityresponse.symantec.com/avcenter/security/Content/2005.05.31a.html; classtype:web-application-attack; sid:100000200; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC FtpLocate flsearch.pl possible command execution attempt"; flow:to_server,established; uricontent:"/flsearch.pl"; nocase; uricontent:"cmd|3D|exec_flsearch"; nocase; reference:bugtraq,14367; reference:cve,2005-2420; reference:nessus,19300; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=18305; classtype:web-application-attack; sid:100000209; rev:2;)
++#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC generic cmd pipe after = attempt"; flow:to_server,established; uricontent:"|3D 7C|"; nocase; classtype:web-application-attack; sid:100000210; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Trend Micro ServerProtect isaNVWRequest.dll access"; flow:to_server,established; content:"POST"; nocase; depth:4; uricontent:"/ControlManager/cgi-bin/VA/isaNVWRequest.dll"; nocase; reference:cve,2005-1929; reference:url,www.idefense.com/application/poi/display?id=353&type=vulnerabilities; classtype:web-application-attack; sid:100000216; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC man2web cmd exec attempt"; flow:to_server,established; uricontent:"/man2web"; nocase; uricontent:"|2D|P"; reference:cve,2005-2812; reference:bugtraq,14747; reference:nessus,19591; classtype:web-application-attack; sid:100000217; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ASPSurvey Login_Validate.asp Password param access"; flow:to_server,established; uricontent:"/Login_Validate.asp"; nocase; uricontent:"Password|3D|"; nocase; reference:cve,2006-0192; classtype:web-application-activity; sid:100000225; rev:1;)
++
++#Rule to detect use of Google's translation feature to bypass content monitor submitted by David 
Bianco
++alert tcp any any -> any $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Proxy Bypass Via Google Translation Same To And From Language"; flow:established, to_server; uricontent:"/translate?"; pcre:"/translate\?.*langpair=([a-zA-Z]+)(%7C|\|)\1\&/Ui"; classtype: policy-violation; reference:url,www.boingboing.net/2006/02/22/argonne_national_lab.html; sid:100000237; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DeviceSelection.asp sRedirectUrl parameter access"; flow:to_server,established; uricontent:"DeviceSelection.asp"; nocase; uricontent:"sRedirectUrl="; nocase; pcre:"/sRedirectUrl=(https?|ftp)/Ui"; reference:bugtraq,17964; classtype:web-application-attack; sid:100000302; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DeviceSelection.asp sCancelURL parameter access"; flow:to_server,established; uricontent:"DeviceSelection.asp"; nocase; uricontent:"sCancelURL="; nocase; pcre:"/sCancelURL=(https?|ftp)/Ui"; reference:bugtraq,17964; classtype:web-application-attack; sid:100000303; rev:1;)
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 21700 (msg:"COMMUNITY WEB-MISC 3Com Network Supervisor directory traversal"; flow:to_server,established; content:"GET"; nocase; pcre:"/GET[^\r\n]*?\x2e\x2e(\x2f|\x5c)[^\r\n]*?HTTP[^\r\n]*?\r\n/msi"; reference:bugtraq,14715; reference:cve,2005-2020; classtype:web-application-attack; sid:100000313; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MediaWiki parser script insertion attempt"; flow:to_server,established; content:"POST"; nocase; content:"|7B 7B 7B|"; pcre:"/\x7B\x7B\x7B[^\r\n]*\x3C[^\r\n]*\x7C[^\r\n]*\x3E[^\r\n]*\x7D\x7D\x7D/"; reference:cve,2006-2611; classtype:attempted-user; sid:100000314; rev:1;)
++
++#Rules for detecting HTTP PUT requests, successful or not, submitted by David Bianco; enable only after reading the rule documentation for these two SIDs
++#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"COMMUNITY WEB-MISC HTTP PUT Request"; flow:to_server,established; content:"PUT "; depth:4; flowbits:set,http.put; flowbits:noalert; classtype:misc-activity; reference:url,infosecpotpourri.blogspot.com/2006/06/http-put-defacement-attempts.html; sid:100000315; rev:1;)
++#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"COMMUNITY WEB-MISC HTTP PUT Request Successful"; flow:from_server,established; flowbits:isset,http.put; content:"HTTP/"; nocase; depth:5; content:"200"; within:7; classtype:web-application-attack; reference:url,infosecpotpourri.blogspot.com/2006/06/http-put-defacement-attempts.html; sid:100000316; rev:1;)
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBazar classified_right.php remote file include"; flow:to_server,established; uricontent:"/classified_right.php"; nocase; uricontent:"language_dir="; nocase; pcre:"/language_dir=(https?|ftp)/Ui"; reference:bugtraq,18052; classtype:web-application-attack; sid:100000317; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBazar admin.php unauthorized administrative access"; flow:to_server,established; uricontent:"/admin/admin.php"; nocase; uricontent:"action=edit_member&value=1"; nocase; reference:bugtraq,18053; reference:cve,2006-2527; classtype:web-application-attack; sid:100000318; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ActualScripts direct.php remote file include"; flow:to_server,established; uricontent:"/direct.php"; nocase; uricontent:"rf="; nocase; pcre:"/rf=(https?|ftp)/Ui"; reference:bugtraq,17597; classtype:web-application-attack; sid:100000319; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews functions.php remote file include"; flow:to_server,established; uricontent:"/functions.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; 
reference:bugtraq,18027; classtype:web-application-attack; sid:100000320; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews help.php remote file include"; flow:to_server,established; uricontent:"/help.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000321; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews mail.php remote file include"; flow:to_server,established; uricontent:"/mail.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000322; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews news.php remote file include"; flow:to_server,established; uricontent:"/news.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000323; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews template.php remote file include"; flow:to_server,established; uricontent:"/template.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000324; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_cats.php remote file include"; flow:to_server,established; uricontent:"/Admin/admin_cats.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000325; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_edit.php remote file include"; flow:to_server,established; 
uricontent:"/Admin/admin_edit.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000326; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_import.php remote file include"; flow:to_server,established; uricontent:"/Admin/admin_import.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000327; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_templates.php remote file include"; flow:to_server,established; uricontent:"/Admin/admin_templates.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000328; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Invision Power Board class_post.php remote file include"; flow:to_server,established; uricontent:"/classes/post/class_post.php"; nocase; uricontent:"post_icon="; nocase; pcre:"/post_icon=(https?|ftp)/Ui"; reference:bugtraq,18040; classtype:web-application-attack; sid:100000329; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Invision Power Board moderate.php remote file include"; flow:to_server,established; uricontent:"/action_public/moderate.php"; nocase; uricontent:"df="; nocase; pcre:"/df=(https?|ftp)/Ui"; reference:bugtraq,18040; classtype:web-application-attack; sid:100000330; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ZixForum settings.asp access"; flow:to_server,established; uricontent:"/settings.asp"; nocase; uricontent:"layid="; nocase; reference:bugtraq,18043; classtype:web-application-attack; sid:100000331; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"COMMUNITY WEB-MISC Artmedic Newsletter log.php access"; flow:to_server,established; uricontent:"/log.php"; nocase; uricontent:"email="; nocase; reference:bugtraq,18047; classtype:web-application-attack; sid:100000332; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Artmedic Newsletter log.php access"; flow:to_server,established; uricontent:"/log.php"; nocase; uricontent:"logfile="; nocase; reference:bugtraq,18047; classtype:web-application-attack; sid:100000333; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CaLogic Calendars reconfig.php remote file include"; flow:to_server,established; uricontent:"/reconfig.php"; nocase; uricontent:"CLPath="; nocase; pcre:"/CLPath=(https?|ftp)/Ui"; reference:bugtraq,18076; classtype:web-application-attack; sid:100000334; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CaLogic Calendars srxclr.php remote file include"; flow:to_server,established; uricontent:"/srxclr.php"; nocase; uricontent:"CLPath="; nocase; pcre:"/CLPath=(https?|ftp)/Ui"; reference:bugtraq,18076; classtype:web-application-attack; sid:100000335; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpMyDirectory footer.php remote file include"; flow:to_server,established; uricontent:"/footer.php"; nocase; uricontent:"ROOT_PATH="; nocase; pcre:"/ROOT_PATH=(https?|ftp)/Ui"; reference:cve,2006-2521; classtype:web-application-attack; sid:100000336; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpMyDirectory defaults_setup.php remote file include"; flow:to_server,established; uricontent:"/defaults_setup.php"; nocase; uricontent:"ROOT_PATH="; nocase; pcre:"/ROOT_PATH=(https?|ftp)/Ui"; reference:cve,2006-2521; classtype:web-application-attack; sid:100000337; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"COMMUNITY WEB-MISC phpMyDirectory header.php remote file include"; flow:to_server,established; uricontent:"/header.php"; nocase; uricontent:"ROOT_PATH="; nocase; pcre:"/ROOT_PATH=(https?|ftp)/Ui"; reference:cve,2006-2521; classtype:web-application-attack; sid:100000338; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC V-Webmail core.php remote file include"; flow:to_server,established; uricontent:"/includes/mailaccess/pop3/core.php"; nocase; uricontent:"CONFIG[pear_dir]="; nocase; pcre:"/CONFIG[pear_dir]=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20297/; classtype:web-application-attack; sid:100000339; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC V-Webmail pop3.php remote file include"; flow:to_server,established; uricontent:"/includes/mailaccess/pop3.php"; nocase; uricontent:"CONFIG[pear_dir]="; nocase; pcre:"/CONFIG[pear_dir]=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20297/; classtype:web-application-attack; sid:100000340; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DoceboLMS help.php remote file include"; flow:to_server,established; uricontent:"/modules/credits/help.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18110; classtype:web-application-attack; sid:100000341; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DoceboLMS business.php remote file include"; flow:to_server,established; uricontent:"/modules/credits/business.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18110; classtype:web-application-attack; sid:100000342; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DoceboLMS credits.php remote file include"; flow:to_server,established; uricontent:"/modules/credits/credits.php"; nocase; uricontent:"lang="; nocase;
pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18110; classtype:web-application-attack; sid:100000343; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC SocketMail index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"site_path="; nocase; pcre:"/site_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20273/; classtype:web-application-attack; sid:100000344; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC SocketMail inc-common.php remote file include"; flow:to_server,established; uricontent:"/inc-common.php"; nocase; uricontent:"site_path="; nocase; pcre:"/site_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20273/; classtype:web-application-attack; sid:100000345; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Plume CMS prepend.php remote file include"; flow:to_server,established; uricontent:"/manager/frontinc/prepend.php"; nocase; uricontent:"_PX_config[manager_path]="; nocase; pcre:"/_PX_config[manager_path]=(https?|ftp)/Ui"; reference:bugtraq,16662; classtype:web-application-attack; sid:100000346; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ezupload Pro form.php remote file include"; flow:to_server,established; uricontent:"/form.php"; nocase; uricontent:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; reference:bugtraq,18135; classtype:web-application-attack; sid:100000347; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ezupload Pro customize.php remote file include"; flow:to_server,established; uricontent:"/customize.php"; nocase; uricontent:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; reference:bugtraq,18135; classtype:web-application-attack; sid:100000348; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ezupload Pro
initialize.php remote file include"; flow:to_server,established; uricontent:"/initialize.php"; nocase; uricontent:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; reference:bugtraq,18135; classtype:web-application-attack; sid:100000349; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC UBBThreads ubbt.inc.php remote file include"; flow:to_server,established; uricontent:"/ubbt.inc.php"; nocase; uricontent:"GLOBALS[thispath]="; nocase; pcre:"/GLOBALS[thispath]=(https?|ftp)/Ui"; reference:url,www.nukedx.com/?viewdoc=40; classtype:web-application-attack; sid:100000350; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC UBBThreads config[cookieprefix] remote file include"; flow:to_server,established; uricontent:"/includepollresults.php?config[cookieprefix]"; nocase; uricontent:"w3t_language="; nocase; pcre:"/w3t_language=(https?|ftp)/Ui"; reference:url,www.nukedx.com/?viewdoc=40; classtype:web-application-attack; sid:100000351; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Blend Portal blend_common.php remote file include"; flow:to_server,established; uricontent:"/blend_data/blend_common.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18153; reference:url,www.nukedx.com/?viewdoc=41; classtype:web-application-attack; sid:100000352; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC tinyBB footers.php remote file include"; flow:to_server,established; uricontent:"/footers.php"; nocase; uricontent:"tinybb_footers="; nocase; pcre:"/tinybb_footers=(https?|ftp)/Ui"; reference:bugtraq,18147; classtype:web-application-attack; sid:100000353; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBB-Amod lang_activity.php remote file include"; flow:to_server,established; uricontent:"/lang_activity.php"; nocase;
uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18155; classtype:web-application-attack; sid:100000354; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC eSyndiCat cron.php remote file include"; flow:to_server,established; uricontent:"/admin/cron.php"; nocase; uricontent:"path_to_config="; nocase; pcre:"/path_to_config=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20218/; classtype:web-application-attack; sid:100000355; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BASE base_qry_common.php remote file include"; flow:to_server,established; uricontent:"/base_qry_common.php"; nocase; uricontent:"BASE_path="; nocase; pcre:"/BASE_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000356; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BASE base_stat_common.php remote file include"; flow:to_server,established; uricontent:"/base_stat_common.php"; nocase; uricontent:"BASE_path="; nocase; pcre:"/BASE_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000357; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BASE base_include.inc.php remote file include"; flow:to_server,established; uricontent:"/base_include.inc.php"; nocase; uricontent:"BASE_path="; nocase; pcre:"/BASE_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000358; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS drucken.php remote file include"; flow:to_server,established; uricontent:"/drucken.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack;
sid:100000359; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS drucken2.php remote file include"; flow:to_server,established; uricontent:"/drucken2.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000360; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS email_an_benutzer.php remote file include"; flow:to_server,established; uricontent:"/email_an_benutzer.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000361; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS rechnung.php remote file include"; flow:to_server,established; uricontent:"/rechnung.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000362; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS search.php remote file include"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000363; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS admin.php remote file include"; flow:to_server,established; uricontent:"/admin.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000364; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke index.php remote file include"; flow:to_server,established;
uricontent:"/modules/Forums/admin/index.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000365; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_ug_auth.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_ug_auth.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000366; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_board.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_board.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000367; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_disallow.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_disallow.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000368; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_forumauth.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_forumauth.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000369; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_groups.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_groups.php"; nocase;
uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000370; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_ranks.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_ranks.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000371; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_styles.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_styles.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000372; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_user_ban.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_user_ban.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000373; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_words.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_words.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000374; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_avatar.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_avatar.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui";
reference:bugtraq,18186; classtype:web-application-attack; sid:100000375; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_db_utilities.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_db_utilities.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000376; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_forum_prune.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_forum_prune.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000377; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_forums.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_forums.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000378; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_mass_email.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_mass_email.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000379; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_smilies.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_smilies.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186;
classtype:web-application-attack; sid:100000380; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_users.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_users.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000382; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC OsTicket open_form.php remote file include"; flow:to_server,established; uricontent:"/open_form.php"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=(https?|ftp)/Ui"; reference:bugtraq,18190; classtype:web-application-attack; sid:100000383; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ottoman index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"default_path="; nocase; pcre:"/default_path=(https?|ftp)/Ui"; reference:bugtraq,18208; classtype:web-application-attack; sid:100000384; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ottoman error.php remote file include"; flow:to_server,established; uricontent:"/error.php"; nocase; uricontent:"default_path="; nocase; pcre:"/default_path=(https?|ftp)/Ui"; reference:bugtraq,18208; classtype:web-application-attack; sid:100000385; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ottoman main_class.php remote file include"; flow:to_server,established; uricontent:"/classes/main_class.php"; nocase; uricontent:"default_path="; nocase; pcre:"/default_path=(https?|ftp)/Ui"; reference:bugtraq,18208; classtype:web-application-attack; sid:100000386; rev:2;)
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia index.php remote file include"; flow:to_server,established;
uricontent:"/orid/index.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000387; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia topman.php remote file include"; flow:to_server,established; uricontent:"/orid/topman.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000388; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia approb.php remote file include"; flow:to_server,established; uricontent:"/orid/approb.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000389; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia vacadmb.php remote file include"; flow:to_server,established; uricontent:"/orid/vacadmb.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000390; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia vacadma.php remote file include"; flow:to_server,established; uricontent:"/orid/vacadma.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000391; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia vacadm.php remote file include"; flow:to_server,established; uricontent:"/orid/vacadm.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000392; rev:2;)
++alert tcp $EXTERNAL_NET
any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia start.php remote file include"; flow:to_server,established; uricontent:"/orid/start.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000393; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia search.php remote file include"; flow:to_server,established; uricontent:"/orid/search.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000394; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia posts.php remote file include"; flow:to_server,established; uricontent:"/orid/posts.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000395; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia options.php remote file include"; flow:to_server,established; uricontent:"/orid/options.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000396; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia login.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/login.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000397; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia frchart.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/frchart.php"; nocase; uricontent:"babInstallPath="; nocase;
pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000398; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia flbchart.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/flbchart.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000399; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia fileman.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/fileman.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000400; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia faq.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/faq.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000401; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia event.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/event.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000402; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia directory.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/directory.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000403; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY
WEB-MISC Ovidentia articles.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/articles.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000404; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia artedit.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/artedit.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000405; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia approb.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/approb.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000406; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia calday.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/calday.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000407; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC AssoCIateD cache_mngt.php remote file include"; flow:to_server,established; uricontent:"/cache_mngt.php"; nocase; uricontent:"root_path="; nocase; pcre:"/root_path=(https?|ftp)/Ui"; reference:bugtraq,18220; classtype:web-application-attack; sid:100000408; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC AssoCIateD gallery_functions.php remote file include"; flow:to_server,established; uricontent:"/gallery_functions.php"; nocase; uricontent:"root_path="; nocase; pcre:"/root_path=(https?|ftp)/Ui";
reference:bugtraq,18220; classtype:web-application-attack; sid:100000409; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/image_resize/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000410; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/simple_user/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000411; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/stats/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000412; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/import_export/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000413; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO community.inc.php remote file include"; flow:to_server,established; uricontent:"/include/pages/community.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack;
sid:100000414; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Bytehoard server.php remote file include"; flow:to_server,established; uricontent:"/includes/webdav/server.php"; nocase; uricontent:"bhconfig[bhfilepath]="; nocase; pcre:"/bhconfig[bhfilepath]=(https?|ftp)/Ui"; reference:bugtraq,18234; classtype:web-application-attack; sid:100000415; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MyBloggie admin.php remote file include"; flow:to_server,established; uricontent:"/admin.php"; nocase; uricontent:"mybloggie_root_path="; nocase; pcre:"/mybloggie_root_path=(https?|ftp)/Ui"; reference:bugtraq,18241; classtype:web-application-attack; sid:100000416; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MyBloggie scode.php remote file include"; flow:to_server,established; uricontent:"/scode.php"; nocase; uricontent:"mybloggie_root_path="; nocase; pcre:"/mybloggie_root_path=(https?|ftp)/Ui"; reference:bugtraq,18241; classtype:web-application-attack; sid:100000417; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ashwebstudio Ashnews ashheadlines.php remote file include"; flow:to_server,established; uricontent:"/ashheadlines.php"; nocase; uricontent:"pathtoashnews="; nocase; pcre:"/pathtoashnews=(https?|ftp)/Ui"; reference:bugtraq,18248; classtype:web-application-attack; sid:100000418; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ashwebstudio Ashnews ashnews.php remote file include"; flow:to_server,established; uricontent:"/ashnews.php"; nocase; uricontent:"pathtoashnews="; nocase; pcre:"/pathtoashnews=(https?|ftp)/Ui"; reference:bugtraq,18248; classtype:web-application-attack; sid:100000419; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Informium common-menu.php remote file include";
flow:to_server,established; uricontent:"/admin/common-menu.php"; nocase; uricontent:"CONF[local_path]="; nocase; pcre:"/CONF[local_path]=(https?|ftp)/Ui"; reference:bugtraq,18249; classtype:web-application-attack; sid:100000420; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Igloo wiki.php remote file include"; flow:to_server,established; uricontent:"/wiki.php"; nocase; uricontent:"c_node[class_path]="; nocase; pcre:"/c_node[class_path]=(https?|ftp)/Ui"; reference:bugtraq,18250; classtype:web-application-attack; sid:100000421; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBB template.php remote file include"; flow:to_server,established; uricontent:"/template.php"; nocase; uricontent:"page="; nocase; pcre:"/page=(https?|ftp)/Ui"; reference:bugtraq,18255; classtype:web-application-attack; sid:100000422; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotWidget CMS index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"file_path="; nocase; pcre:"/file_path=(https?|ftp)/Ui"; reference:bugtraq,18258; classtype:web-application-attack; sid:100000423; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotWidget CMS feedback.php remote file include"; flow:to_server,established; uricontent:"/feedback.php"; nocase; uricontent:"file_path="; nocase; pcre:"/file_path=(https?|ftp)/Ui"; reference:bugtraq,18258; classtype:web-application-attack; sid:100000424; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotWidget CMS printfriendly.php remote file include"; flow:to_server,established; uricontent:"/printfriendly.php"; nocase; uricontent:"file_path="; nocase; pcre:"/file_path=(https?|ftp)/Ui"; reference:bugtraq,18258; classtype:web-application-attack; sid:100000425; rev:2;)
++alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotClear prepend.php remote file include"; flow:to_server,established; uricontent:"/prepend.php"; nocase; uricontent:"blog_dc_path="; nocase; pcre:"/blog_dc_path=(https?|ftp)/Ui"; reference:bugtraq,18259; classtype:web-application-attack; sid:100000426; rev:2;)
++
++# JBoss Rules from Jon Hart
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC JBoss jmx-console html adaptor access"; flow:to_server,established; uricontent:"/jmx-console/HtmlAdaptor"; reference:url,jboss.org/wiki/Wiki.jsp?page=JMXConsole; classtype:misc-activity; sid:100000427; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:"COMMUNITY WEB-MISC JBoss RMI class download service directory listing attempt"; flow:to_server,established; content:"GET %. HTTP/1."; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2; classtype:web-application-attack; sid:100000428; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC JBoss web-console access"; flow:to_server,established; uricontent:"/web-console"; reference:url,www.jboss.org/wiki/Wiki.jsp?page=WebConsole; classtype:misc-activity; sid:100000429; rev:1;)
++
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_Faq.class.php remote file include"; flow:to_server,established; uricontent:"/applications/faq/Bs_Faq.class.php"; nocase; uricontent:"APP[path][applications]="; nocase; pcre:"/APP\[path\]\[applications\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000430; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes fileBrowserInner.php remote file include"; flow:to_server,established; uricontent:"/applications/filebrowser/fileBrowserInner.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261;
classtype:web-application-attack; sid:100000431; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes file.php remote file include"; flow:to_server,established; uricontent:"/applications/filemanager/file.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000432; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes viewer.php remote file include"; flow:to_server,established; uricontent:"/applications/filemanager/viewer.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000433; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_ImageArchive.class.php remote file include"; flow:to_server,established; uricontent:"/applications/imagearchive/Bs_ImageArchive.class.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000434; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_Ml_User.class.php remote file include"; flow:to_server,established; uricontent:"/applications/mailinglist/Bs_Ml_User.class.php"; nocase; uricontent:"GLOBALS[APP][path][core]="; nocase; pcre:"/GLOBALS\[APP\]\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000435; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_Wse_Profile.class.php remote file include"; flow:to_server,established; uricontent:"/applications/websearchengine/Bs_Wse_Profile.class.php"; nocase; uricontent:"APP[path][plugins]="; nocase; pcre:"/APP\[path\]\[plugins\]=(https?|ftp)/Ui"; 
reference:bugtraq,18261; classtype:web-application-attack; sid:100000436; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CS-Cart class.cs_phpmailer.php remote file include"; flow:to_server,established; uricontent:"/class.cs_phpmailer.php"; nocase; uricontent:"classes_dir="; nocase; pcre:"/classes_dir=(https?|ftp)/Ui"; reference:bugtraq,18263; classtype:web-application-attack; sid:100000437; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Claroline mambo.inc.php remote file include"; flow:to_server,established; uricontent:"/auth/extauth/drivers/mambo.inc.php"; nocase; uricontent:"includepath="; nocase; pcre:"/includepath=(https?|ftp)/Ui"; reference:bugtraq,18265; classtype:web-application-attack; sid:100000438; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Claroline postnuke.inc.php remote file include"; flow:to_server,established; uricontent:"/auth/extauth/drivers/postnuke.inc.php"; nocase; uricontent:"includepath="; nocase; pcre:"/includepath=(https?|ftp)/Ui"; reference:bugtraq,18265; classtype:web-application-attack; sid:100000439; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CyBoards common.php remote file include"; flow:to_server,established; uricontent:"/include/common.php"; nocase; uricontent:"script_path="; nocase; pcre:"/script_path=(https?|ftp)/Ui"; reference:bugtraq,18272; classtype:web-application-attack; sid:100000440; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Wikiwig wk_lang.php remote file include"; flow:to_server,established; uricontent:"/wk_lang.php"; nocase; uricontent:"WK[wkpath]="; nocase; pcre:"/WK\[wkpath\]=(https?|ftp)/Ui"; reference:bugtraq,18291; classtype:web-application-attack; sid:100000441; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MiraksGalerie pcltar.lib.php 
remote file include"; flow:to_server,established; uricontent:"/pcltar.lib.php"; nocase; uricontent:"g_pcltar_lib_dir="; nocase; pcre:"/g_pcltar_lib_dir=(https?|ftp)/Ui"; reference:bugtraq,18313; classtype:web-application-attack; sid:100000442; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MiraksGalerie galimage.lib.php remote file include"; flow:to_server,established; uricontent:"/galimage.lib.php"; nocase; uricontent:"listconfigfile[0]="; nocase; pcre:"/listconfigfile\[0\]=(https?|ftp)/Ui"; reference:bugtraq,18313; classtype:web-application-attack; sid:100000443; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MiraksGalerie galsecurity.lib.php remote file include"; flow:to_server,established; uricontent:"/galsecurity.lib.php"; nocase; uricontent:"listconfigfile[0]="; nocase; pcre:"/listconfigfile\[0\]=(https?|ftp)/Ui"; reference:bugtraq,18313; classtype:web-application-attack; sid:100000444; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC OfficeFlow default.asp xss attempt"; flow:to_server,established; uricontent:"/default.asp"; nocase; uricontent:"sqlType="; nocase; pcre:"/sqlType(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18367; classtype:web-application-attack; sid:100000448; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC OfficeFlow files.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"/files.asp"; nocase; uricontent:"Project="; nocase; pcre:"/Project(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18367; classtype:web-application-attack; sid:100000449; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VanillaSoft Helpdesk default.asp xss attempt"; flow:to_server,established; uricontent:"/default.asp"; nocase; uricontent:"username="; nocase; pcre:"/username(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18368; 
classtype:web-application-attack; sid:100000450; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice album.asp xss attempt"; flow:to_server,established; uricontent:"/album.asp"; nocase; uricontent:"cat="; nocase; pcre:"/cat(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000451; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice album.asp xss attempt"; flow:to_server,established; uricontent:"/album.asp"; nocase; uricontent:"albumid="; nocase; pcre:"/albumid(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000452; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice edtalbum.asp xss attempt"; flow:to_server,established; uricontent:"/edtalbum.asp"; nocase; uricontent:"apage="; nocase; pcre:"/apage(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000453; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice edtalbum.asp xss attempt"; flow:to_server,established; uricontent:"/edtalbum.asp"; nocase; uricontent:"New Category="; nocase; pcre:"/New Category(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000454; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Axent Forum viewposts.cfm xss attempt"; flow:to_server,established; uricontent:"/viewposts.cfm"; nocase; uricontent:"startrow="; nocase; pcre:"/startrow(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18473; classtype:web-application-attack; sid:100000455; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC SSPwiz index.cfm xss attempt"; flow:to_server,established; uricontent:"/index.cfm"; nocase; uricontent:"message="; nocase; 
pcre:"/message(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18482; classtype:web-application-attack; sid:100000456; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ASP Stats pages.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"/pages.asp"; nocase; uricontent:"order="; nocase; pcre:"/order(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18512; classtype:web-application-attack; sid:100000457; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DPVision Tradingeye Shop details.cfm xss attempt"; flow:to_server,established; uricontent:"/details.cfm"; nocase; uricontent:"image="; nocase; pcre:"/image(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18526; classtype:web-application-attack; sid:100000458; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC WeBBoA yeni_host.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"host/yeni_host.asp"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18564; classtype:web-application-attack; sid:100000459; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC AZureus index.tmpl xss attempt"; flow:to_server,established; uricontent:"/index.tmpl"; nocase; uricontent:"search="; nocase; pcre:"/search(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18596; classtype:web-application-attack; sid:100000460; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Open WebMail openwebmail-read.pl xss attempt"; flow:to_server,established; uricontent:"/openwebmail-read.pl"; nocase; uricontent:"To="; nocase; pcre:"/To(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18598; classtype:web-application-attack; sid:100000461; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Open WebMail openwebmail-read.pl xss attempt"; 
flow:to_server,established; uricontent:"/openwebmail-read.pl"; nocase; uricontent:"From="; nocase; pcre:"/From(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18598; classtype:web-application-attack; sid:100000462; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO gbrowse.php SQL injection attempt"; flow:to_server,established; uricontent:"/gbrowse.php"; nocase; uricontent:"cat_id="; nocase; pcre:"/cat_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000694; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO rating.php SQL injection attempt"; flow:to_server,established; uricontent:"/rating.php"; nocase; uricontent:"card_id="; nocase; pcre:"/card_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000695; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO create.php SQL injection attempt"; flow:to_server,established; uricontent:"/create.php"; nocase; uricontent:"card_id="; nocase; pcre:"/card_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000696; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO search.php SQL injection attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"event_id="; nocase; pcre:"/event_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000697; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BXCP index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"where="; nocase; pcre:"/where(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18765; classtype:web-application-attack; sid:100000698; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC 
Vincent Leclercq News diver.php xss attempt"; flow:to_server,established; uricontent:"/divers.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18775; classtype:web-application-attack; sid:100000699; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Vincent Leclercq News diver.php xss attempt"; flow:to_server,established; uricontent:"/divers.php"; nocase; uricontent:"disable="; nocase; pcre:"/disable(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18775; classtype:web-application-attack; sid:100000700; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC WordPress index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"paged="; nocase; pcre:"/paged(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18779; classtype:web-application-attack; sid:100000701; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Webvizyon SayfalaAltList.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"/SayfalaAltList.asp"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18899; classtype:web-application-attack; sid:100000702; rev:1;) ++ ++# Rules submitted by rmkml ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 10000 (msg:"COMMUNITY WEB-MISC Webmin null char attempt"; flow:to_server,established; uricontent:"miniserv.pl"; nocase; uricontent:"|00|"; reference:bugtraq,19820; reference:nessus,22300; classtype:web-application-attack; sid:100000890; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 20000 (msg:"COMMUNITY WEB-MISC Usermin null char attempt"; flow:to_server,established; uricontent:"miniserv.pl"; nocase; uricontent:"|00|"; reference:bugtraq,19820; reference:nessus,22300; classtype:web-application-attack; sid:100000891; rev:1;) ++ ++# Rule submitted by Avinash Shenoi (Cenzic Inc. 
CIA Research Team) ++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog blog-category-description xss attempt"; flow:to_server; content:"blog-category-description"; nocase; pcre:"/blog-category-description(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000895; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog blog-entry-title xss attempt"; flow:to_server; content:"blog-entry-title"; nocase; pcre:"/blog-entry-title(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000896; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog rss-enclosure-url xss attempt"; flow:to_server; content:"rss-enclosure-url"; nocase; pcre:"/rss-enclosure-url(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000897; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog technorati-tags xss attempt"; flow:to_server; content:"technorati-tags"; nocase; pcre:"/technorati-tags(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000898; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog blog-category-name xss attempt"; flow:to_server; content:"blog-category-name"; nocase; pcre:"/blog-category-name(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000899; rev:1;) +--- /dev/null ++++ b/rules/sid-msg.map +@@ -0,0 +1,3544 @@ ++103 || BACKDOOR subseven 22 || arachnids,485 || url,www.hackfix.org/subseven/ ++104 || BACKDOOR - Dagger_1.4.0_client_connect || arachnids,483 || 
url,www.tlsecurity.net/backdoor/Dagger.1.4.html ++105 || BACKDOOR - Dagger_1.4.0 || arachnids,484 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html ++106 || BACKDOOR ACKcmdC trojan scan || arachnids,445 ++107 || BACKDOOR subseven DEFCON8 2.1 access ++108 || BACKDOOR QAZ Worm Client Login access || MCAFEE,98775 ++109 || BACKDOOR netbus active || arachnids,401 ++110 || BACKDOOR netbus getinfo || arachnids,403 ++111 || BACKDOOR netbus getinfo || arachnids,403 ++112 || BACKDOOR BackOrifice access || arachnids,400 ++113 || BACKDOOR DeepThroat access || arachnids,405 ++114 || BACKDOOR netbus active || arachnids,401 ++115 || BACKDOOR NetBus Pro 2.0 connection established ++116 || BACKDOOR BackOrifice access || arachnids,399 ++117 || BACKDOOR Infector.1.x || arachnids,315 ++118 || BACKDOOR SatansBackdoor.2.0.Beta || arachnids,316 ++119 || BACKDOOR Doly 2.0 access || arachnids,312 ++120 || BACKDOOR Infector 1.6 Server to Client || cve,1999-0660 || nessus,11157 ++121 || BACKDOOR Infector 1.6 Client to Server Connection Request || cve,1999-0660 || nessus,11157 ++122 || BACKDOOR DeepThroat 3.1 System Info Client Request || arachnids,106 ++124 || BACKDOOR DeepThroat 3.1 FTP Status Client Request || arachnids,106 ++125 || BACKDOOR DeepThroat 3.1 E-Mail Info From Server || arachnids,106 ++126 || BACKDOOR DeepThroat 3.1 E-Mail Info Client Request || arachnids,106 ++127 || BACKDOOR DeepThroat 3.1 Server Status From Server || arachnids,106 ++128 || BACKDOOR DeepThroat 3.1 Server Status Client Request || arachnids,106 ++129 || BACKDOOR DeepThroat 3.1 Drive Info From Server || arachnids,106 ++130 || BACKDOOR DeepThroat 3.1 System Info From Server || arachnids,106 ++131 || BACKDOOR DeepThroat 3.1 Drive Info Client Request || arachnids,106 ++132 || BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server || arachnids,106 ++133 || BACKDOOR DeepThroat 3.1 Cached Passwords Client Request || arachnids,106 ++134 || BACKDOOR DeepThroat 3.1 RAS Passwords Client Request || arachnids,106 
++135 || BACKDOOR DeepThroat 3.1 Server Password Change Client Request || arachnids,106 ++136 || BACKDOOR DeepThroat 3.1 Server Password Remove Client Request || arachnids,106 ++137 || BACKDOOR DeepThroat 3.1 Rehash Client Request || arachnids,106 ++138 || BACKDOOR DeepThroat 3.1 Server Rehash Client Request || arachnids,106 ++140 || BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request || arachnids,106 ++141 || BACKDOOR HackAttack 1.20 Connect ++142 || BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request || arachnids,106 ++143 || BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request || arachnids,106 ++144 || FTP ADMw0rm ftp login attempt || arachnids,01 ++145 || BACKDOOR GirlFriendaccess || arachnids,98 ++146 || BACKDOOR NetSphere access || arachnids,76 ++147 || BACKDOOR GateCrasher || arachnids,99 ++148 || BACKDOOR DeepThroat 3.1 Keylogger Active on Network || arachnids,106 ++149 || BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network || arachnids,106 ++150 || BACKDOOR DeepThroat 3.1 Server Active on Network || arachnids,106 ++151 || BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network || arachnids,106 ++152 || BACKDOOR BackConstruction 2.1 Connection ++153 || BACKDOOR DonaldDick 1.53 Traffic || mcafee,98575 ++154 || BACKDOOR DeepThroat 3.1 Wrong Password || arachnids,106 ++155 || BACKDOOR NetSphere 1.31.337 access || arachnids,76 ++156 || BACKDOOR DeepThroat 3.1 Visible Window List Client Request || arachnids,106 ++157 || BACKDOOR BackConstruction 2.1 Client FTP Open Request ++158 || BACKDOOR BackConstruction 2.1 Server FTP Open Reply ++159 || BACKDOOR NetMetro File List || arachnids,79 ++160 || BACKDOOR NetMetro Incoming Traffic || arachnids,79 ++161 || BACKDOOR Matrix 2.0 Client connect || arachnids,83 ++162 || BACKDOOR Matrix 2.0 Server access || arachnids,83 ++163 || BACKDOOR WinCrash 1.0 Server Active || arachnids,36 ++164 || BACKDOOR DeepThroat 3.1 Server Active on Network || arachnids,106 ++165 || BACKDOOR DeepThroat 3.1 Keylogger 
on Server ON || arachnids,106 ++166 || BACKDOOR DeepThroat 3.1 Show Picture Client Request || arachnids,106 ++167 || BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request || arachnids,106 ++168 || BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request || arachnids,106 ++169 || BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request || arachnids,106 ++170 || BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request || arachnids,106 ++171 || BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request || arachnids,106 ++172 || BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request || arachnids,106 ++173 || BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request || arachnids,106 ++174 || BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request || arachnids,106 ++175 || BACKDOOR DeepThroat 3.1 Resolution Change Client Request || arachnids,106 ++176 || BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request || arachnids,106 ++177 || BACKDOOR DeepThroat 3.1 Keylogger on Server OFF || arachnids,106 ++179 || BACKDOOR DeepThroat 3.1 FTP Server Port Client Request || arachnids,106 ++180 || BACKDOOR DeepThroat 3.1 Process List Client request || arachnids,106 ++181 || BACKDOOR DeepThroat 3.1 Close Port Scan Client Request || arachnids,106 ++182 || BACKDOOR DeepThroat 3.1 Registry Add Client Request || arachnids,106 ++183 || BACKDOOR SIGNATURE - Q ICMP || arachnids,202 ++184 || BACKDOOR Q access || arachnids,203 ++185 || BACKDOOR CDK || arachnids,263 ++186 || BACKDOOR DeepThroat 3.1 Monitor on/off Client Request || arachnids,106 ++187 || BACKDOOR DeepThroat 3.1 Delete File Client Request || arachnids,106 ++188 || BACKDOOR DeepThroat 3.1 Kill Window Client Request || arachnids,106 ++189 || BACKDOOR DeepThroat 3.1 Disable Window Client Request || arachnids,106 ++190 || BACKDOOR DeepThroat 3.1 Enable Window Client Request || arachnids,106 ++191 || BACKDOOR DeepThroat 3.1 Change Window Title Client Request || arachnids,106 ++192 || BACKDOOR DeepThroat 3.1 
Hide Window Client Request || arachnids,106 ++193 || BACKDOOR DeepThroat 3.1 Show Window Client Request || arachnids,106 ++194 || BACKDOOR DeepThroat 3.1 Send Text to Window Client Request || arachnids,106 ++195 || BACKDOOR DeepThroat 3.1 Server Response || arachnids,106 || mcafee,98574 || nessus,10053 ++196 || BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request || arachnids,106 ++197 || BACKDOOR DeepThroat 3.1 Create Directory Client Request || arachnids,106 ++198 || BACKDOOR DeepThroat 3.1 All Window List Client Request || arachnids,106 ++199 || BACKDOOR DeepThroat 3.1 Play Sound Client Request || arachnids,106 ++200 || BACKDOOR DeepThroat 3.1 Run Program Normal Client Request || arachnids,106 ++201 || BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request || arachnids,106 ++202 || BACKDOOR DeepThroat 3.1 Get NET File Client Request || arachnids,106 ++203 || BACKDOOR DeepThroat 3.1 Find File Client Request || arachnids,106 ++204 || BACKDOOR DeepThroat 3.1 Find File Client Request || arachnids,106 ++205 || BACKDOOR DeepThroat 3.1 HUP Modem Client Request || arachnids,106 ++206 || BACKDOOR DeepThroat 3.1 CD ROM Open Client Request || arachnids,106 ++207 || BACKDOOR DeepThroat 3.1 CD ROM Close Client Request || arachnids,106 ++208 || BACKDOOR PhaseZero Server Active on Network ++209 || BACKDOOR w00w00 attempt || arachnids,510 ++210 || BACKDOOR attempt ++211 || BACKDOOR MISC r00t attempt ++212 || BACKDOOR MISC rewt attempt ++213 || BACKDOOR MISC Linux rootkit attempt ++214 || BACKDOOR MISC Linux rootkit attempt lrkr0x ++215 || BACKDOOR MISC Linux rootkit attempt ++216 || BACKDOOR MISC Linux rootkit satori attempt || arachnids,516 ++217 || BACKDOOR MISC sm4ck attempt ++218 || BACKDOOR MISC Solaris 2.5 attempt ++219 || BACKDOOR HidePak backdoor attempt ++220 || BACKDOOR HideSource backdoor attempt ++221 || DDOS TFN Probe || arachnids,443 ++222 || DDOS tfn2k icmp possible communication || arachnids,425 ++223 || DDOS Trin00 Daemon to Master PONG message detected 
|| arachnids,187 ++224 || DDOS Stacheldraht server spoof || arachnids,193 ++225 || DDOS Stacheldraht gag server response || arachnids,195 ++226 || DDOS Stacheldraht server response || arachnids,191 ++227 || DDOS Stacheldraht client spoofworks || arachnids,192 ++228 || DDOS TFN client command BE || arachnids,184 ++229 || DDOS Stacheldraht client check skillz || arachnids,190 ++230 || DDOS shaft client login to handler || arachnids,254 || url,security.royans.net/info/posts/bugtraq_ddos3.shtml ++231 || DDOS Trin00 Daemon to Master message detected || arachnids,186 ++232 || DDOS Trin00 Daemon to Master *HELLO* message detected || arachnids,185 || url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm ++233 || DDOS Trin00 Attacker to Master default startup password || arachnids,197 ++234 || DDOS Trin00 Attacker to Master default password ++235 || DDOS Trin00 Attacker to Master default mdie password ++236 || DDOS Stacheldraht client check gag || arachnids,194 ++237 || DDOS Trin00 Master to Daemon default password attempt || arachnids,197 ++238 || DDOS TFN server response || arachnids,182 ++239 || DDOS shaft handler to agent || arachnids,255 ++240 || DDOS shaft agent to handler || arachnids,256 ++241 || DDOS shaft synflood || arachnids,253 || cve,2000-0138 ++243 || DDOS mstream agent to handler ++244 || DDOS mstream handler to agent || cve,2000-0138 ++245 || DDOS mstream handler ping to agent || cve,2000-0138 ++246 || DDOS mstream agent pong to handler ++247 || DDOS mstream client to handler || cve,2000-0138 ++248 || DDOS mstream handler to client || cve,2000-0138 ++249 || DDOS mstream client to handler || arachnids,111 || cve,2000-0138 ++250 || DDOS mstream handler to client || cve,2000-0138 ++251 || DDOS - TFN client command LE || arachnids,183 ++252 || DNS named iquery attempt || arachnids,277 || bugtraq,134 || cve,1999-0009 || url,www.rfc-editor.org/rfc/rfc1035.txt ++253 || DNS SPOOF query response PTR with TTL of 1 min. 
and no authority ++254 || DNS SPOOF query response with TTL of 1 min. and no authority ++255 || DNS zone transfer TCP || arachnids,212 || cve,1999-0532 || nessus,10595 ++256 || DNS named authors attempt || arachnids,480 || nessus,10728 ++257 || DNS named version attempt || arachnids,278 || nessus,10028 ++258 || DNS EXPLOIT named 8.2->8.2.1 || bugtraq,788 || cve,1999-0833 ++259 || DNS EXPLOIT named overflow ADM || bugtraq,788 || cve,1999-0833 ++260 || DNS EXPLOIT named overflow ADMROCKS || bugtraq,788 || cve,1999-0833 || url,www.cert.org/advisories/CA-1999-14.html ++261 || DNS EXPLOIT named overflow attempt || url,www.cert.org/advisories/CA-1998-05.html ++262 || DNS EXPLOIT x86 Linux overflow attempt ++264 || DNS EXPLOIT x86 Linux overflow attempt ++265 || DNS EXPLOIT x86 Linux overflow attempt ADMv2 ++266 || DNS EXPLOIT x86 FreeBSD overflow attempt ++267 || DNS EXPLOIT sparc overflow attempt ++268 || DOS Jolt attack || cve,1999-0345 ++269 || DOS Land attack || bugtraq,2666 || cve,1999-0016 ++270 || DOS Teardrop attack || bugtraq,124 || cve,1999-0015 || nessus,10279 || url,www.cert.org/advisories/CA-1997-28.html ++271 || DOS UDP echo+chargen bomb || cve,1999-0103 || cve,1999-0635 ++272 || DOS IGMP dos attack || bugtraq,514 || cve,1999-0918 || url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx ++273 || DOS IGMP dos attack || bugtraq,514 || cve,1999-0918 ++274 || DOS ath || arachnids,264 || cve,1999-1228 ++275 || DOS NAPTHA || bugtraq,2022 || cve,2000-1039 || url,razor.bindview.com/publish/advisories/adv_NAPTHA.html || url,www.cert.org/advisories/CA-2000-21.html || url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx ++276 || DOS Real Audio Server || arachnids,411 || bugtraq,1288 || cve,2000-0474 ++277 || DOS Real Server template.html || bugtraq,1288 || cve,2000-0474 ++278 || DOS Real Server template.html || bugtraq,1288 || cve,2000-0474 ++279 || DOS Bay/Nortel Nautica Marlin || bugtraq,1009 || cve,2000-0221 ++281 || DOS Ascend Route || 
arachnids,262 || bugtraq,714 || cve,1999-0060 ++282 || DOS arkiea backup || arachnids,261 || bugtraq,662 || cve,1999-0788 ++283 || EXPLOIT Netscape 4.7 client overflow || arachnids,215 || bugtraq,822 || cve,1999-1189 || cve,2000-1187 ++284 || POP2 x86 Linux overflow || bugtraq,283 || cve,1999-0920 || nessus,10130 ++285 || POP2 x86 Linux overflow || bugtraq,283 || cve,1999-0920 || nessus,10130 ++286 || POP3 EXPLOIT x86 BSD overflow || bugtraq,133 || cve,1999-0006 || nessus,10196 ++287 || POP3 EXPLOIT x86 BSD overflow ++288 || POP3 EXPLOIT x86 Linux overflow ++289 || POP3 EXPLOIT x86 SCO overflow || bugtraq,156 || cve,1999-0006 ++290 || POP3 EXPLOIT qpopper overflow || bugtraq,830 || cve,1999-0822 || nessus,10184 ++291 || NNTP Cassandra Overflow || arachnids,274 || bugtraq,1156 || cve,2000-0341 ++292 || EXPLOIT x86 Linux samba overflow || bugtraq,1816 || bugtraq,536 || cve,1999-0182 || cve,1999-0811 ++293 || IMAP EXPLOIT overflow ++295 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005 ++296 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005 ++297 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005 ++298 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005 ++299 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005 ++300 || EXPLOIT nlps x86 Solaris overflow || bugtraq,2319 ++301 || EXPLOIT LPRng overflow || bugtraq,1712 || cve,2000-0917 ++302 || EXPLOIT Redhat 7.0 lprd overflow || bugtraq,1712 || cve,2000-0917 ++303 || DNS EXPLOIT named tsig overflow attempt || arachnids,482 || bugtraq,2302 || cve,2001-0010 ++304 || EXPLOIT SCO calserver overflow || bugtraq,2353 || cve,2000-0306 ++305 || EXPLOIT delegate proxy overflow || arachnids,267 || bugtraq,808 || cve,2000-0165 ++306 || EXPLOIT VQServer admin || bugtraq,1610 || cve,2000-0766 || url,www.vqsoft.com/vq/server/docs/other/control.html ++307 || EXPLOIT CHAT IRC topic overflow || bugtraq,573 || cve,1999-0672 ++308 || EXPLOIT NextFTP client 
overflow || bugtraq,572 || cve,1999-0671 ++309 || EXPLOIT sniffit overflow || arachnids,273 || bugtraq,1158 || cve,2000-0343 ++310 || EXPLOIT x86 windows MailMax overflow || bugtraq,2312 || cve,1999-0404 ++311 || EXPLOIT Netscape 4.7 unsucessful overflow || arachnids,214 || bugtraq,822 || cve,1999-1189 || cve,2000-1187 ++312 || EXPLOIT ntpdx overflow attempt || arachnids,492 || bugtraq,2540 || cve,2001-0414 ++313 || EXPLOIT ntalkd x86 Linux overflow || bugtraq,210 ++314 || DNS EXPLOIT named tsig overflow attempt || bugtraq,2303 || cve,2001-0010 ++315 || EXPLOIT x86 Linux mountd overflow || bugtraq,121 || cve,1999-0002 ++316 || EXPLOIT x86 Linux mountd overflow || bugtraq,121 || cve,1999-0002 ++317 || EXPLOIT x86 Linux mountd overflow || bugtraq,121 || cve,1999-0002 ++318 || EXPLOIT bootp x86 bsd overfow || bugtraq,324 || cve,1999-0914 ++319 || EXPLOIT bootp x86 linux overflow || cve,1999-0389 || cve,1999-0798 || cve,1999-0799 ++320 || FINGER cmd_rootsh backdoor attempt || nessus,10070 || url,www.sans.org/y2k/TFN_toolkit.htm || url,www.sans.org/y2k/fingerd.htm ++321 || FINGER account enumeration attempt || nessus,10788 ++322 || FINGER search query || arachnids,375 || cve,1999-0259 ++323 || FINGER root query || arachnids,376 ++324 || FINGER null request || arachnids,377 ++325 || FINGER probe 0 attempt || arachnids,378 ++326 || FINGER remote command execution attempt || arachnids,379 || bugtraq,974 || cve,1999-0150 ++327 || FINGER remote command pipe execution attempt || arachnids,380 || bugtraq,2220 || cve,1999-0152 ++328 || FINGER bomb attempt || arachnids,381 || cve,1999-0106 ++329 || FINGER cybercop redirection || arachnids,11 ++330 || FINGER redirection attempt || arachnids,251 || cve,1999-0105 || nessus,10073 ++331 || FINGER cybercop query || arachnids,132 || cve,1999-0612 ++332 || FINGER 0 query || arachnids,131 || arachnids,378 || cve,1999-0197 || nessus,10069 ++333 || FINGER . 
query || arachnids,130 || cve,1999-0198 || nessus,10072 ++334 || FTP .forward || arachnids,319 ++335 || FTP .rhosts || arachnids,328 ++336 || FTP CWD ~root attempt || arachnids,318 || cve,1999-0082 ++337 || FTP CEL overflow attempt || arachnids,257 || bugtraq,679 || cve,1999-0789 || nessus,10009 ++338 || FTP EXPLOIT format string || arachnids,453 || bugtraq,1387 || cve,2000-0573 ++339 || FTP EXPLOIT OpenBSD x86 ftpd || arachnids,446 || bugtraq,2124 || cve,2001-0053 ++340 || FTP EXPLOIT overflow ++341 || FTP EXPLOIT overflow ++342 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8 || arachnids,451 || bugtraq,1387 || cve,2000-0573 ++343 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD || arachnids,228 || bugtraq,1387 || cve,2000-0573 ++344 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux || arachnids,287 || bugtraq,1387 || cve,2000-0573 ++345 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic || arachnids,285 || bugtraq,1387 || cve,2000-0573 || nessus,10452 ++346 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check || arachnids,286 || bugtraq,1387 || cve,2000-0573 ++348 || FTP EXPLOIT wu-ftpd 2.6.0 || arachnids,440 || bugtraq,1387 ++349 || FTP EXPLOIT MKD overflow || bugtraq,113 || bugtraq,2242 || cve,1999-0368 ++350 || FTP EXPLOIT x86 linux overflow || bugtraq,113 || bugtraq,2242 || cve,1999-0368 ++351 || FTP EXPLOIT x86 linux overflow || bugtraq,113 || bugtraq,2242 || cve,1999-0368 ++352 || FTP EXPLOIT x86 linux overflow || bugtraq,113 || cve,1999-0368 ++353 || FTP adm scan || arachnids,332 ++354 || FTP iss scan || arachnids,331 ++355 || FTP pass wh00t || arachnids,324 ++356 || FTP passwd retrieval attempt || arachnids,213 ++357 || FTP piss scan ++358 || FTP saint scan || arachnids,330 ++359 || FTP satan scan || arachnids,329 ++360 || FTP serv-u directory transversal || bugtraq,2052 || cve,2001-0054 ++361 || FTP SITE EXEC attempt || arachnids,317 || bugtraq,2241 || cve,1999-0080 
|| cve,1999-0955 ++362 || FTP tar parameters || arachnids,134 || bugtraq,2240 || cve,1999-0202 || cve,1999-0997 ++363 || ICMP IRDP router advertisement || arachnids,173 || bugtraq,578 || cve,1999-0875 ++364 || ICMP IRDP router selection || arachnids,174 || bugtraq,578 || cve,1999-0875 ++365 || ICMP PING undefined code ++366 || ICMP PING *NIX ++368 || ICMP PING BSDtype || arachnids,152 ++369 || ICMP PING BayRS Router || arachnids,438 || arachnids,444 ++370 || ICMP PING BeOS4.x || arachnids,151 ++371 || ICMP PING Cisco Type.x || arachnids,153 ++372 || ICMP PING Delphi-Piette Windows || arachnids,155 ++373 || ICMP PING Flowpoint2200 or Network Management Software || arachnids,156 ++374 || ICMP PING IP NetMonitor Macintosh || arachnids,157 ++375 || ICMP PING LINUX/*BSD || arachnids,447 ++376 || ICMP PING Microsoft Windows || arachnids,159 ++377 || ICMP PING Network Toolbox 3 Windows || arachnids,161 ++378 || ICMP PING Ping-O-MeterWindows || arachnids,164 ++379 || ICMP PING Pinger Windows || arachnids,163 ++380 || ICMP PING Seer Windows || arachnids,166 ++381 || ICMP PING Sun Solaris || arachnids,448 ++382 || ICMP PING Windows || arachnids,169 ++384 || ICMP PING ++385 || ICMP traceroute || arachnids,118 ++386 || ICMP Address Mask Reply ++387 || ICMP Address Mask Reply undefined code ++388 || ICMP Address Mask Request ++389 || ICMP Address Mask Request undefined code ++390 || ICMP Alternate Host Address ++391 || ICMP Alternate Host Address undefined code ++392 || ICMP Datagram Conversion Error ++393 || ICMP Datagram Conversion Error undefined code ++394 || ICMP Destination Unreachable Destination Host Unknown ++395 || ICMP Destination Unreachable Destination Network Unknown ++396 || ICMP Destination Unreachable Fragmentation Needed and DF bit was set ++397 || ICMP Destination Unreachable Host Precedence Violation ++398 || ICMP Destination Unreachable Host Unreachable for Type of Service ++399 || ICMP Destination Unreachable Host Unreachable ++400 || ICMP Destination 
Unreachable Network Unreachable for Type of Service ++401 || ICMP Destination Unreachable Network Unreachable ++402 || ICMP Destination Unreachable Port Unreachable ++403 || ICMP Destination Unreachable Precedence Cutoff in effect ++404 || ICMP Destination Unreachable Protocol Unreachable ++405 || ICMP Destination Unreachable Source Host Isolated ++406 || ICMP Destination Unreachable Source Route Failed ++407 || ICMP Destination Unreachable cndefined code ++408 || ICMP Echo Reply ++409 || ICMP Echo Reply undefined code ++410 || ICMP Fragment Reassembly Time Exceeded ++411 || ICMP IPV6 I-Am-Here ++412 || ICMP IPV6 I-Am-Here undefined code ++413 || ICMP IPV6 Where-Are-You ++414 || ICMP IPV6 Where-Are-You undefined code ++415 || ICMP Information Reply ++416 || ICMP Information Reply undefined code ++417 || ICMP Information Request ++418 || ICMP Information Request undefined code ++419 || ICMP Mobile Host Redirect ++420 || ICMP Mobile Host Redirect undefined code ++421 || ICMP Mobile Registration Reply ++422 || ICMP Mobile Registration Reply undefined code ++423 || ICMP Mobile Registration Request ++424 || ICMP Mobile Registration Request undefined code ++425 || ICMP Parameter Problem Bad Length ++426 || ICMP Parameter Problem Missing a Required Option ++427 || ICMP Parameter Problem Unspecified Error ++428 || ICMP Parameter Problem undefined Code ++429 || ICMP Photuris Reserved ++430 || ICMP Photuris Unknown Security Parameters Index ++431 || ICMP Photuris Valid Security Parameters, But Authentication Failed ++432 || ICMP Photuris Valid Security Parameters, But Decryption Failed ++433 || ICMP Photuris undefined code! 
++436 || ICMP Redirect for TOS and Host ++437 || ICMP Redirect for TOS and Network ++438 || ICMP Redirect undefined code ++439 || ICMP Reserved for Security Type 19 ++440 || ICMP Reserved for Security Type 19 undefined code ++441 || ICMP Router Advertisement || arachnids,173 ++443 || ICMP Router Selection || arachnids,174 ++445 || ICMP SKIP ++446 || ICMP SKIP undefined code ++448 || ICMP Source Quench undefined code ++449 || ICMP Time-To-Live Exceeded in Transit ++450 || ICMP Time-To-Live Exceeded in Transit undefined code ++451 || ICMP Timestamp Reply ++452 || ICMP Timestamp Reply undefined code ++453 || ICMP Timestamp Request ++454 || ICMP Timestamp Request undefined code ++455 || ICMP Traceroute ipopts || arachnids,238 ++456 || ICMP Traceroute ++457 || ICMP Traceroute undefined code ++458 || ICMP unassigned type 1 ++459 || ICMP unassigned type 1 undefined code ++460 || ICMP unassigned type 2 ++461 || ICMP unassigned type 2 undefined code ++462 || ICMP unassigned type 7 ++463 || ICMP unassigned type 7 undefined code ++465 || ICMP ISS Pinger || arachnids,158 ++466 || ICMP L3retriever Ping || arachnids,311 ++467 || ICMP Nemesis v1.1 Echo || arachnids,449 ++469 || ICMP PING NMAP || arachnids,162 ++471 || ICMP icmpenum v1.1.1 || arachnids,450 ++472 || ICMP redirect host || arachnids,135 || cve,1999-0265 ++473 || ICMP redirect net || arachnids,199 || cve,1999-0265 ++474 || ICMP superscan echo ++475 || ICMP traceroute ipopts || arachnids,238 ++476 || ICMP webtrends scanner || arachnids,307 ++477 || ICMP Source Quench ++478 || ICMP Broadscan Smurf Scanner ++480 || ICMP PING speedera ++481 || ICMP TJPingPro1.1Build 2 Windows || arachnids,167 ++482 || ICMP PING WhatsupGold Windows || arachnids,168 ++483 || ICMP PING CyberKit 2.2 Windows || arachnids,154 ++484 || ICMP PING Sniffer Pro/NetXRay network scan ++485 || ICMP Destination Unreachable Communication Administratively Prohibited ++486 || ICMP Destination Unreachable Communication with Destination Host is 
Administratively Prohibited ++487 || ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited ++488 || INFO Connection Closed MSG from Port 80 ++489 || INFO FTP no password || arachnids,322 ++490 || INFO battle-mail traffic ++491 || INFO FTP Bad login ++492 || INFO TELNET login failed ++493 || INFO psyBNC access ++494 || ATTACK-RESPONSES command completed || bugtraq,1806 ++495 || ATTACK-RESPONSES command error ++496 || ATTACK RESPONSES directory listing ++497 || ATTACK-RESPONSES file copied ok || bugtraq,1806 || cve,2000-0884 ++498 || ATTACK-RESPONSES id check returned root ++499 || ICMP Large ICMP Packet || arachnids,246 ++500 || MISC source route lssr || arachnids,418 || bugtraq,646 || cve,1999-0909 || url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx ++501 || MISC source route lssre || arachnids,420 || bugtraq,646 || cve,1999-0909 || url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx ++502 || MISC source route ssrr || arachnids,422 ++503 || MISC Source Port 20 to <1024 || arachnids,06 ++504 || MISC source port 53 to <1024 || arachnids,07 ++505 || MISC Insecure TIMBUKTU Password || arachnids,229 ++506 || MISC ramen worm incoming || arachnids,460 ++507 || MISC PCAnywhere Attempted Administrator Login ++508 || MISC gopher proxy || arachnids,409 ++509 || WEB-MISC PCCS mysql database admin tool access || arachnids,300 || bugtraq,1557 || cve,2000-0707 || nessus,10783 ++510 || POLICY HP JetDirect LCD modification attempt || arachnids,302 || bugtraq,2245 ++511 || MISC Invalid PCAnywhere Login ++512 || MISC PCAnywhere Failed Login || arachnids,240 ++513 || MISC Cisco Catalyst Remote Access || arachnids,129 || bugtraq,705 || cve,1999-0430 ++514 || MISC ramen worm || arachnids,461 ++516 || MISC SNMP NT UserList || nessus,10546 ++517 || MISC xdmcp query || arachnids,476 ++518 || TFTP Put || arachnids,148 || cve,1999-0183 ++519 || TFTP parent directory || arachnids,137 || cve,1999-0183 || cve,2002-1209 ++520 || 
TFTP root directory || arachnids,138 || cve,1999-0183 ++521 || MISC Large UDP Packet || arachnids,247 ++522 || MISC Tiny Fragments ++523 || BAD-TRAFFIC ip reserved bit set ++524 || BAD-TRAFFIC tcp port 0 traffic ++525 || BAD-TRAFFIC udp port 0 traffic || bugtraq,576 || cve,1999-0675 || nessus,10074 ++526 || BAD-TRAFFIC data in TCP SYN packet || url,www.cert.org/incident_notes/IN-99-07.html ++527 || BAD-TRAFFIC same SRC/DST || bugtraq,2666 || cve,1999-0016 || url,www.cert.org/advisories/CA-1997-28.html ++528 || BAD-TRAFFIC loopback traffic || url,rr.sans.org/firewall/egress.php ++529 || NETBIOS DOS RFPoison || arachnids,454 ++530 || NETBIOS NT NULL session || arachnids,204 || bugtraq,1163 || cve,2000-0347 ++532 || NETBIOS SMB ADMIN$ share access ++533 || NETBIOS SMB C$ share access ++534 || NETBIOS SMB CD.. || arachnids,338 ++535 || NETBIOS SMB CD... || arachnids,337 ++536 || NETBIOS SMB D$ share access ++537 || NETBIOS SMB IPC$ share access ++538 || NETBIOS SMB IPC$ unicode share access ++539 || NETBIOS Samba clientaccess || arachnids,341 ++540 || CHAT MSN message ++541 || CHAT ICQ access ++542 || CHAT IRC nick change ++543 || POLICY FTP 'STOR 1MB' possible warez site ++544 || POLICY FTP 'RETR 1MB' possible warez site ++545 || POLICY FTP 'CWD / ' possible warez site ++546 || POLICY FTP 'CWD ' possible warez site ++547 || POLICY FTP 'MKD ' possible warez site ++548 || POLICY FTP 'MKD .' 
possible warez site ++549 || P2P napster login ++550 || P2P napster new user login ++551 || P2P napster download attempt ++552 || P2P napster upload request ++553 || POLICY FTP anonymous login attempt ++554 || POLICY FTP 'MKD / ' possible warez site ++555 || POLICY WinGate telnet server response || arachnids,366 || cve,1999-0657 ++556 || P2P Outbound GNUTella client request ++557 || P2P GNUTella client request ++558 || INFO Outbound GNUTella client request ++559 || P2P Inbound GNUTella client request ++560 || POLICY VNC server response ++561 || P2P Napster Client Data ++562 || P2P Napster Client Data ++563 || P2P Napster Client Data ++564 || P2P Napster Client Data ++565 || P2P Napster Server Login ++566 || POLICY PCAnywhere server response || arachnids,239 ++567 || POLICY SMTP relaying denied || arachnids,249 || url,mail-abuse.org/tsi/ar-fix.html ++568 || POLICY HP JetDirect LCD modification attempt || arachnids,302 || bugtraq,2245 ++569 || RPC snmpXdmi overflow attempt TCP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html ++570 || RPC EXPLOIT ttdbserv solaris overflow || arachnids,242 || bugtraq,122 || cve,1999-0003 || url,www.cert.org/advisories/CA-2001-27.html ++571 || RPC EXPLOIT ttdbserv Solaris overflow || arachnids,242 || bugtraq,122 || cve,1999-0003 || url,www.cert.org/advisories/CA-2001-27.html ++572 || RPC DOS ttdbserv Solaris || arachnids,241 || bugtraq,122 || cve,1999-0003 ++573 || RPC AMD Overflow || arachnids,217 || cve,1999-0704 ++574 || RPC mountd TCP export request || arachnids,26 ++575 || RPC portmap admind request UDP || arachnids,18 ++576 || RPC portmap amountd request UDP || arachnids,19 ++577 || RPC portmap bootparam request UDP || arachnids,16 || cve,1999-0647 ++578 || RPC portmap cmsd request UDP || arachnids,17 ++579 || RPC portmap mountd request UDP || arachnids,13 ++580 || RPC portmap nisd request UDP || arachnids,21 ++581 || RPC portmap pcnfsd request UDP || arachnids,22 ++582 || RPC portmap rexd request 
UDP || arachnids,23 ++583 || RPC portmap rstatd request UDP || arachnids,10 ++584 || RPC portmap rusers request UDP || arachnids,133 || cve,1999-0626 ++585 || RPC portmap sadmind request UDP || arachnids,20 ++586 || RPC portmap selection_svc request UDP || arachnids,25 ++587 || RPC portmap status request UDP || arachnids,15 ++588 || RPC portmap ttdbserv request UDP || arachnids,24 || bugtraq,122 || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html ++589 || RPC portmap yppasswd request UDP || arachnids,14 ++590 || RPC portmap ypserv request UDP || arachnids,12 || bugtraq,5914 || bugtraq,6016 || cve,2000-1042 || cve,2000-1043 || cve,2002-1232 ++591 || RPC portmap ypupdated request TCP || arachnids,125 ++592 || RPC rstatd query || arachnids,9 ++593 || RPC portmap snmpXdmi request TCP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html ++595 || RPC portmap espd request TCP || bugtraq,2714 || cve,2001-0331 ++596 || RPC portmap listing || arachnids,429 ++597 || RPC portmap listing || arachnids,429 ++598 || RPC portmap listing TCP 111 || arachnids,428 ++599 || RPC portmap listing TCP 32771 || arachnids,429 ++600 || RPC EXPLOIT statdx || arachnids,442 ++601 || RSERVICES rlogin LinuxNIS ++602 || RSERVICES rlogin bin || arachnids,384 ++603 || RSERVICES rlogin echo++ || arachnids,385 ++604 || RSERVICES rsh froot || arachnids,387 ++605 || RSERVICES rlogin login failure || arachnids,393 ++606 || RSERVICES rlogin root || arachnids,389 ++607 || RSERVICES rsh bin || arachnids,390 ++608 || RSERVICES rsh echo + + || arachnids,388 ++609 || RSERVICES rsh froot || arachnids,387 ++610 || RSERVICES rsh root || arachnids,391 ++611 || RSERVICES rlogin login failure || arachnids,392 ++612 || RPC rusers query UDP || cve,1999-0626 ++613 || SCAN myscan || arachnids,439 ++614 || BACKDOOR hack-a-tack attempt || arachnids,314 ++615 || SCAN SOCKS Proxy attempt || 
url,help.undernet.org/proxyscan/ ++616 || SCAN ident version request || arachnids,303 ++617 || SCAN ssh-research-scanner ++618 || SCAN Squid Proxy attempt ++619 || SCAN cybercop os probe || arachnids,146 ++620 || SCAN Proxy Port 8080 attempt ++621 || SCAN FIN || arachnids,27 ++622 || SCAN ipEye SYN scan || arachnids,236 ++623 || SCAN NULL || arachnids,4 ++624 || SCAN SYN FIN || arachnids,198 ++625 || SCAN XMAS || arachnids,144 ++626 || SCAN cybercop os PA12 attempt || arachnids,149 ++627 || SCAN cybercop os SFU12 probe || arachnids,150 ++628 || SCAN nmap TCP || arachnids,28 ++629 || SCAN nmap fingerprint attempt || arachnids,05 ++630 || SCAN synscan portscan || arachnids,441 ++631 || SMTP ehlo cybercop attempt || arachnids,372 ++632 || SMTP expn cybercop attempt || arachnids,371 ++634 || SCAN Amanda client version request ++635 || SCAN XTACACS logout || arachnids,408 ++636 || SCAN cybercop udp bomb || arachnids,363 ++637 || SCAN Webtrends Scanner UDP Probe || arachnids,308 ++638 || SHELLCODE SGI NOOP || arachnids,356 ++639 || SHELLCODE SGI NOOP || arachnids,357 ++640 || SHELLCODE AIX NOOP ++641 || SHELLCODE Digital UNIX NOOP || arachnids,352 ++642 || SHELLCODE HP-UX NOOP || arachnids,358 ++643 || SHELLCODE HP-UX NOOP || arachnids,359 ++644 || SHELLCODE sparc NOOP || arachnids,345 ++645 || SHELLCODE sparc NOOP || arachnids,353 ++646 || SHELLCODE sparc NOOP || arachnids,355 ++647 || SHELLCODE sparc setuid 0 || arachnids,282 ++648 || SHELLCODE x86 NOOP || arachnids,181 ++649 || SHELLCODE x86 setgid 0 || arachnids,284 ++650 || SHELLCODE x86 setuid 0 || arachnids,436 ++651 || SHELLCODE x86 stealth NOOP || arachnids,291 ++652 || SHELLCODE Linux shellcode || arachnids,343 ++653 || SHELLCODE x86 0x90 unicode NOOP ++654 || SMTP RCPT TO overflow || bugtraq,2283 || bugtraq,9696 || cve,2001-0260 ++655 || SMTP sendmail 8.6.9 exploit || arachnids,140 || bugtraq,2311 || cve,1999-0204 ++656 || SMTP EXPLOIT x86 windows CSMMail overflow || bugtraq,895 || cve,2000-0042 ++657 || SMTP 
chameleon overflow || arachnids,266 || bugtraq,2387 || cve,1999-0261 ++658 || SMTP exchange mime DOS || bugtraq,1869 || cve,2000-1006 || nessus,10558 || url,www.microsoft.com/technet/security/bulletin/MS00-082.mspx ++659 || SMTP expn decode || arachnids,32 || cve,1999-0096 || nessus,10248 ++660 || SMTP expn root || arachnids,31 || cve,1999-0531 || nessus,10249 ++661 || SMTP majordomo ifs || arachnids,143 || bugtraq,2310 || cve,1999-0207 ++662 || SMTP sendmail 5.5.5 exploit || arachnids,119 || cve,1999-0203 || nessus,10258 ++663 || SMTP rcpt to command attempt || arachnids,172 || bugtraq,1 || cve,1999-0095 ++664 || SMTP RCPT TO decode attempt || arachnids,121 || bugtraq,2308 || cve,1999-0203 ++665 || SMTP sendmail 5.6.5 exploit || arachnids,122 || bugtraq,2308 || cve,1999-0203 ++666 || SMTP sendmail 8.4.1 exploit || arachnids,120 ++667 || SMTP sendmail 8.6.10 exploit || arachnids,123 || bugtraq,2311 || cve,1999-0204 ++668 || SMTP sendmail 8.6.10 exploit || arachnids,124 || bugtraq,2311 || cve,1999-0204 ++669 || SMTP sendmail 8.6.9 exploit || arachnids,142 || bugtraq,2311 || cve,1999-0204 ++670 || SMTP sendmail 8.6.9 exploit || arachnids,139 || bugtraq,2311 || cve,1999-0204 ++671 || SMTP sendmail 8.6.9c exploit || arachnids,141 || bugtraq,2311 || cve,1999-0204 ++672 || SMTP vrfy decode || arachnids,373 || bugtraq,10248 || cve,1999-0096 ++673 || MS-SQL sp_start_job - program execution ++674 || MS-SQL xp_displayparamstmt possible buffer overflow || bugtraq,2030 || cve,2000-1081 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++675 || MS-SQL xp_setsqlsecurity possible buffer overflow || bugtraq,2043 || cve,2000-1088 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++676 || MS-SQL/SMB sp_start_job - program execution ++677 || MS-SQL/SMB sp_password password change ++678 || MS-SQL/SMB sp_delete_alert log file deletion ++679 || MS-SQL/SMB sp_adduser database user creation ++680 || MS-SQL/SMB sa login failed || bugtraq,4797 || cve,2000-1209 
++681 || MS-SQL/SMB xp_cmdshell program execution ++682 || MS-SQL xp_enumresultset possible buffer overflow || bugtraq,2031 || cve,2000-1082 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++683 || MS-SQL sp_password - password change ++684 || MS-SQL sp_delete_alert log file deletion ++685 || MS-SQL sp_adduser - database user creation ++686 || MS-SQL xp_reg* - registry access || bugtraq,5205 || cve,2002-0642 || nessus,10642 || url,www.microsoft.com/technet/security/bulletin/MS02-034 ++687 || MS-SQL xp_cmdshell - program execution ++688 || MS-SQL sa login failed || bugtraq,4797 || cve,2000-1209 || nessus,10673 ++689 || MS-SQL/SMB xp_reg* registry access || bugtraq,5205 || cve,2002-0642 || nessus,10642 || url,www.microsoft.com/technet/security/bulletin/MS02-034 ++690 || MS-SQL/SMB xp_printstatements possible buffer overflow || bugtraq,2041 || cve,2000-1086 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++691 || MS-SQL shellcode attempt ++692 || MS-SQL/SMB shellcode attempt ++693 || MS-SQL shellcode attempt ++694 || MS-SQL/SMB shellcode attempt ++695 || MS-SQL/SMB xp_sprintf possible buffer overflow || bugtraq,1204 || url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx ++696 || MS-SQL/SMB xp_showcolv possible buffer overflow || bugtraq,2038 || cve,2000-1083 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++697 || MS-SQL/SMB xp_peekqueue possible buffer overflow || bugtraq,2040 || cve,2000-1085 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++698 || MS-SQL/SMB xp_proxiedmetadata possible buffer overflow || bugtraq,2042 || cve,2000-1087 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++699 || MS-SQL xp_printstatements possible buffer overflow || bugtraq,2041 || cve,2000-1086 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++700 || MS-SQL/SMB xp_updatecolvbm possible buffer overflow || bugtraq,2039 || cve,2000-1084 || 
url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++701 || MS-SQL xp_updatecolvbm possible buffer overflow || bugtraq,2039 || cve,2000-1084 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++702 || MS-SQL/SMB xp_displayparamstmt possible buffer overflow || bugtraq,2030 || cve,2000-1081 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++703 || MS-SQL/SMB xp_setsqlsecurity possible buffer overflow || bugtraq,2043 || cve,2000-1088 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++704 || MS-SQL xp_sprintf possible buffer overflow || bugtraq,1204 || cve,2001-0542 || url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx ++705 || MS-SQL xp_showcolv possible buffer overflow || bugtraq,2038 || cve,2000-1083 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++706 || MS-SQL xp_peekqueue possible buffer overflow || bugtraq,2040 || cve,2000-1085 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++707 || MS-SQL xp_proxiedmetadata possible buffer overflow || bugtraq,2024 || cve,1999-0287 || cve,2000-1087 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++708 || MS-SQL/SMB xp_enumresultset possible buffer overflow || bugtraq,2031 || cve,2000-1082 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++709 || TELNET 4Dgifts SGI account attempt || cve,1999-0501 || nessus,11243 ++710 || TELNET EZsetup account attempt || cve,1999-0501 || nessus,11244 ++711 || TELNET SGI telnetd format bug || arachnids,304 || bugtraq,1572 || cve,2000-0733 ++712 || TELNET ld_library_path || arachnids,367 || bugtraq,459 || cve,1999-0073 ++713 || TELNET livingston DOS || arachnids,370 || bugtraq,2225 || cve,1999-0218 ++714 || TELNET resolv_host_conf || arachnids,369 || bugtraq,2181 || cve,2001-0170 ++715 || TELNET Attempted SU from wrong group ++716 || INFO TELNET access || arachnids,08 || cve,1999-0619 || nessus,10280 ++717 || TELNET not on console || arachnids,365 ++718 || INFO 
TELNET login incorrect || arachnids,127 ++719 || TELNET root login ++720 || Virus - SnowWhite Trojan Incoming ++721 || VIRUS OUTBOUND bad file attachment ++722 || Virus - Possible NAVIDAD Worm ++723 || Virus - Possible MyRomeo Worm ++724 || Virus - Possible MyRomeo Worm ++725 || Virus - Possible MyRomeo Worm ++726 || Virus - Possible MyRomeo Worm ++727 || Virus - Possible MyRomeo Worm ++728 || Virus - Possible MyRomeo Worm ++729 || VIRUS OUTBOUND .scr file attachment ++730 || VIRUS OUTBOUND .shs file attachment ++731 || Virus - Possible QAZ Worm || MCAFEE,98775 ++732 || Virus - Possible QAZ Worm Infection || MCAFEE,98775 ++733 || Virus - Possible QAZ Worm Calling Home || MCAFEE,98775 ++734 || Virus - Possible Matrix worm ++735 || Virus - Possible MyRomeo Worm ++736 || Virus - Successful eurocalculator execution ++737 || Virus - Possible eurocalculator.exe file ++738 || Virus - Possible Pikachu Pokemon Virus || MCAFEE,98696 ++739 || Virus - Possible Triplesix Worm || MCAFEE,10389 ++740 || Virus - Possible Tune.vbs || MCAFEE,10497 ++741 || Virus - Possible NAIL Worm || MCAFEE,10109 ++742 || Virus - Possible NAIL Worm || MCAFEE,10109 ++743 || Virus - Possible NAIL Worm || MCAFEE,10109 ++744 || Virus - Possible NAIL Worm || MCAFEE,10109 ++745 || Virus - Possible Papa Worm || MCAFEE,10145 ++746 || Virus - Possible Freelink Worm || MCAFEE,10225 ++747 || Virus - Possible Simbiosis Worm ++748 || Virus - Possible BADASS Worm || MCAFEE,10388 ++749 || Virus - Possible ExploreZip.B Worm || MCAFEE,10471 ++751 || Virus - Possible wscript.KakWorm || MCAFEE,10509 ++752 || Virus Possible Suppl Worm || MCAFEE,10361 ++753 || Virus - Possible NewApt.Worm - theobbq.exe || MCAFEE,10540 ++754 || Virus - Possible Word Macro - VALE || MCAFEE,10502 ++755 || Virus - Possible IROK Worm || MCAFEE,98552 ++756 || Virus - Possible Fix2001 Worm || MCAFEE,10355 ++757 || Virus - Possible Y2K Zelu Trojan || MCAFEE,10505 ++758 || Virus - Possible The_Fly Trojan || MCAFEE,10478 ++759 || Virus - 
Possible Word Macro - VALE || MCAFEE,10502 ++760 || Virus - Possible Passion Worm || MCAFEE,10467 ++761 || Virus - Possible NewApt.Worm - cooler3.exe || MCAFEE,10540 ++762 || Virus - Possible NewApt.Worm - party.exe || MCAFEE,10540 ++763 || Virus - Possible NewApt.Worm - hog.exe || MCAFEE,10540 ++764 || Virus - Possible NewApt.Worm - goal1.exe || MCAFEE,10540 ++765 || Virus - Possible NewApt.Worm - pirate.exe || MCAFEE,10540 ++766 || Virus - Possible NewApt.Worm - video.exe || MCAFEE,10540 ++767 || Virus - Possible NewApt.Worm - baby.exe || MCAFEE,10540 ++768 || Virus - Possible NewApt.Worm - cooler1.exe || MCAFEE,10540 ++769 || Virus - Possible NewApt.Worm - boss.exe || MCAFEE,10540 ++770 || Virus - Possible NewApt.Worm - g-zilla.exe || MCAFEE,10540 ++771 || Virus - Possible ToadieE-mail Trojan || MCAFEE,10540 ++772 || Virus - Possible PrettyPark Trojan || MCAFEE,10175 ++773 || Virus - Possible Happy99 Virus || MCAFEE,10144 ++774 || Virus - Possible CheckThis Trojan ++775 || Virus - Possible Bubbleboy Worm || MCAFEE,10418 ++776 || Virus - Possible NewApt.Worm - copier.exe || MCAFEE,10540 ++777 || Virus - Possible MyPics Worm || MCAFEE,10467 ++778 || Virus - Possible Babylonia - X-MAS.exe || MCAFEE,10461 ++779 || Virus - Possible NewApt.Worm - gadget.exe || MCAFEE,10540 ++780 || Virus - Possible NewApt.Worm - irnglant.exe || MCAFEE,10540 ++781 || Virus - Possible NewApt.Worm - casper.exe || MCAFEE,10540 ++782 || Virus - Possible NewApt.Worm - fborfw.exe || MCAFEE,10540 ++783 || Virus - Possible NewApt.Worm - saddam.exe || MCAFEE,10540 ++784 || Virus - Possible NewApt.Worm - bboy.exe || MCAFEE,10540 ++785 || Virus - Possible NewApt.Worm - monica.exe || MCAFEE,10540 ++786 || Virus - Possible NewApt.Worm - goal.exe || MCAFEE,10540 ++787 || Virus - Possible NewApt.Worm - panther.exe || MCAFEE,10540 ++788 || Virus - Possible NewApt.Worm - chestburst.exe || MCAFEE,10540 ++789 || Virus - Possible NewApt.Worm - farter.exe || MCAFEE,1054 ++790 || Virus - Possible Common 
Sense Worm ++791 || Virus - Possible NewApt.Worm - cupid2.exe || MCAFEE,10540 ++792 || Virus - Possible Resume Worm || MCAFEE,98661 ++793 || VIRUS OUTBOUND .vbs file attachment ++794 || Virus - Possible Resume Worm || MCAFEE,98661 ++795 || Virus - Possible Worm - txt.vbs file ++796 || Virus - Possible Worm - xls.vbs file ++797 || Virus - Possible Worm - jpg.vbs file ++798 || Virus - Possible Worm - gif.vbs file ++799 || Virus - Possible Timofonica Worm || MCAFEE,98674 ++800 || Virus - Possible Resume Worm || MCAFEE,98661 ++801 || Virus - Possible Worm - doc.vbs file ++802 || Virus - Possbile Zipped Files Trojan || MCAFEE,10450 ++803 || WEB-CGI HyperSeek hsx.cgi directory traversal attempt || bugtraq,2314 || cve,2001-0253 || nessus,10602 ++804 || WEB-CGI SWSoft ASPSeek Overflow attempt || bugtraq,2492 || cve,2001-0476 ++805 || WEB-CGI webspeed access || arachnids,467 || bugtraq,969 || cve,2000-0127 || nessus,10304 ++806 || WEB-CGI yabb directory traversal attempt || arachnids,462 || bugtraq,1668 || cve,2000-0853 ++807 || WEB-CGI /wwwboard/passwd.txt access || arachnids,463 || bugtraq,649 || cve,1999-0953 || cve,1999-0954 || nessus,10321 ++808 || WEB-CGI webdriver access || arachnids,473 || bugtraq,2166 || nessus,10592 ++809 || WEB-CGI whois_raw.cgi arbitrary command execution attempt || arachnids,466 || bugtraq,304 || cve,1999-1063 || nessus,10306 ++810 || WEB-CGI whois_raw.cgi access || arachnids,466 || bugtraq,304 || cve,1999-1063 || nessus,10306 ++811 || WEB-CGI websitepro path access || arachnids,468 || bugtraq,932 || cve,2000-0066 ++812 || WEB-CGI webplus version access || arachnids,470 || bugtraq,1102 || cve,2000-0282 ++813 || WEB-CGI webplus directory traversal || arachnids,471 || bugtraq,1102 || cve,2000-0282 ++815 || WEB-CGI websendmail access || arachnids,469 || bugtraq,2077 || cve,1999-0196 || nessus,10301 ++817 || WEB-CGI dcboard.cgi invalid user addition attempt || bugtraq,2728 || cve,2001-0527 || nessus,10583 ++818 || WEB-CGI dcforum.cgi access || 
bugtraq,2728 || cve,2001-0527 || nessus,10583 ++819 || WEB-CGI mmstdod.cgi access || bugtraq,2063 || cve,2001-0021 || nessus,10566 ++820 || WEB-CGI anaconda directory transversal attempt || bugtraq,2338 || bugtraq,2388 || cve,2000-0975 || cve,2001-0308 ++821 || WEB-CGI imagemap.exe overflow attempt || arachnids,412 || bugtraq,739 || cve,1999-0951 || nessus,10122 ++823 || WEB-CGI cvsweb.cgi access || bugtraq,1469 || cve,2000-0670 || nessus,10465 ++824 || WEB-CGI php.cgi access || arachnids,232 || bugtraq,2250 || bugtraq,712 || cve,1999-0238 || cve,1999-058 || nessus,10178 ++825 || WEB-CGI glimpse access || bugtraq,2026 || cve,1999-0147 || nessus,10095 ++826 || WEB-CGI htmlscript access || bugtraq,2001 || cve,1999-0264 || nessus,10106 ++827 || WEB-CGI info2www access || bugtraq,1995 || cve,1999-0266 || nessus,10127 ++828 || WEB-CGI maillist.pl access ++829 || WEB-CGI nph-test-cgi access || arachnids,224 || bugtraq,686 || cve,1999-0045 || nessus,10165 ++830 || WEB-CGI NPH-publish access || cve,1999-1177 || nessus,10164 ++832 || WEB-CGI perl.exe access || arachnids,219 || cve,1999-0509 || nessus,10173 || url,www.cert.org/advisories/CA-1996-11.html ++833 || WEB-CGI rguest.exe access || bugtraq,2024 || cve,1999-0287 || cve,1999-0467 ++834 || WEB-CGI rwwwshell.pl access || url,www.itsecurity.com/papers/p37.htm ++835 || WEB-CGI test-cgi access || arachnids,218 || bugtraq,2003 || cve,1999-0070 || nessus,10282 ++836 || WEB-CGI textcounter.pl access || bugtraq,2265 || cve,1999-1479 || nessus,11451 ++837 || WEB-CGI uploader.exe access || bugtraq,1611 || cve,1999-0177 || cve,2000-0769 || nessus,10291 ++838 || WEB-CGI webgais access || arachnids,472 || bugtraq,2058 || cve,1999-0176 || nessus,10300 ++839 || WEB-CGI finger access || arachnids,221 || cve,1999-0612 || nessus,10071 ++840 || WEB-CGI perlshop.cgi access || cve,1999-1374 ++841 || WEB-CGI pfdisplay.cgi access || bugtraq,64 || cve,1999-0270 || nessus,10174 ++842 || WEB-CGI aglimpse access || bugtraq,2026 || cve,1999-0147 
|| nessus,10095 ++843 || WEB-CGI anform2 access || arachnids,225 || bugtraq,719 || cve,1999-0066 ++844 || WEB-CGI args.bat access || cve,1999-1180 || nessus,11465 ++845 || WEB-CGI AT-admin.cgi access || cve,1999-1072 ++846 || WEB-CGI bnbform.cgi access || bugtraq,2147 || cve,1999-0937 ++847 || WEB-CGI campas access || bugtraq,1975 || cve,1999-0146 || nessus,10035 ++848 || WEB-CGI view-source directory traversal || bugtraq,2251 || bugtraq,8883 || cve,1999-0174 ++849 || WEB-CGI view-source access || bugtraq,2251 || bugtraq,8883 || cve,1999-0174 ++850 || WEB-CGI wais.pl access ++851 || WEB-CGI files.pl access || cve,1999-1081 ++852 || WEB-CGI wguest.exe access || bugtraq,2024 || cve,1999-0287 || cve,1999-0467 ++853 || WEB-CGI wrap access || arachnids,234 || bugtraq,373 || cve,1999-0149 || nessus,10317 ++854 || WEB-CGI classifieds.cgi access || bugtraq,2020 || cve,1999-0934 ++855 || WEB-CGI edit.pl access || bugtraq,2713 ++856 || WEB-CGI environ.cgi access ++857 || WEB-CGI faxsurvey access || bugtraq,2056 || cve,1999-0262 || nessus,10067 ++858 || WEB-CGI filemail access || cve,1999-1154 ++859 || WEB-CGI man.sh access || bugtraq,2276 || cve,1999-1179 ++860 || WEB-CGI snork.bat access || arachnids,220 || bugtraq,1053 || cve,2000-0169 ++861 || WEB-CGI w3-msql access || arachnids,210 || bugtraq,591 || bugtraq,898 || cve,1999-0276 || cve,1999-0753 || cve,2000-0012 || nessus,10296 ++862 || WEB-CGI csh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html ++863 || WEB-CGI day5datacopier.cgi access || cve,1999-1232 ++864 || WEB-CGI day5datanotifier.cgi access || cve,1999-1232 ++865 || WEB-CGI ksh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html ++866 || WEB-CGI post-query access || bugtraq,6752 || cve,2001-0291 ++867 || WEB-CGI visadmin.exe access || bugtraq,1808 || cve,1999-0970 || cve,1999-1970 || nessus,10295 ++868 || WEB-CGI rsh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html ++869 || WEB-CGI dumpenv.pl access 
|| cve,1999-1178 || nessus,10060
++870 || WEB-CGI snorkerz.cmd access
++871 || WEB-CGI survey.cgi access || bugtraq,1817 || cve,1999-0936
++872 || WEB-CGI tcsh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html
++873 || WEB-CGI scriptalias access || arachnids,227 || bugtraq,2300 || cve,1999-0236
++874 || WEB-CGI w3-msql solaris x86 access || arachnids,211 || cve,1999-0276
++875 || WEB-CGI win-c-sample.exe access || arachnids,231 || bugtraq,2078 || cve,1999-0178 || nessus,10008
++877 || WEB-CGI rksh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html
++878 || WEB-CGI w3tvars.pm access
++879 || WEB-CGI admin.pl access || bugtraq,3839 || url,online.securityfocus.com/archive/1/249355
++880 || WEB-CGI LWGate access || url,www.netspace.org/~dwb/lwgate/lwgate-history.html || url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm
++881 || WEB-CGI archie access
++882 || WEB-CGI calendar access
++883 || WEB-CGI flexform access || url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm
++884 || WEB-CGI formmail access || arachnids,226 || bugtraq,1187 || bugtraq,2079 || cve,1999-0172 || cve,2000-0411 || nessus,10076 || nessus,10782
++885 || WEB-CGI bash access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html
++886 || WEB-CGI phf access || arachnids,128 || bugtraq,629 || cve,1999-0067
++887 || WEB-CGI www-sql access || url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2
++888 || WEB-CGI wwwadmin.pl access
++889 || WEB-CGI ppdscgi.exe access || bugtraq,491 || nessus,10187 || url,online.securityfocus.com/archive/1/16878
++890 || WEB-CGI sendform.cgi access || bugtraq,5286 || cve,2002-0710 || url,www.scn.org/help/sendform.txt
++891 || WEB-CGI upload.pl access
++892 || WEB-CGI AnyForm2 access || bugtraq,719 || cve,1999-0066 || nessus,10277
++893 || WEB-CGI MachineInfo access || cve,1999-1067
++894 || WEB-CGI bb-hist.sh access || bugtraq,142 || cve,1999-1462 || nessus,10025
++895 || WEB-CGI redirect access || bugtraq,1179 || cve,2000-0382
++896 || WEB-CGI way-board access || bugtraq,2370 || cve,2001-0214 || nessus,10610
++897 || WEB-CGI pals-cgi access || bugtraq,2372 || cve,2001-0216 || cve,2001-0217 || nessus,10611
++898 || WEB-CGI commerce.cgi access || bugtraq,2361 || cve,2001-0210 || nessus,10612
++899 || WEB-CGI Amaya templates sendtemp.pl directory traversal attempt || bugtraq,2504 || cve,2001-0272
++900 || WEB-CGI webspirs.cgi directory traversal attempt || bugtraq,2362 || cve,2001-0211 || nessus,10616
++901 || WEB-CGI webspirs.cgi access || bugtraq,2362 || cve,2001-0211 || nessus,10616
++902 || WEB-CGI tstisapi.dll access || bugtraq,2381 || cve,2001-0302
++903 || WEB-COLDFUSION cfcache.map access || bugtraq,917 || cve,2000-0057
++904 || WEB-COLDFUSION exampleapp application.cfm || bugtraq,1021 || cve,2000-0189
++905 || WEB-COLDFUSION application.cfm access || bugtraq,1021 || cve,2000-0189
++906 || WEB-COLDFUSION getfile.cfm access || bugtraq,229 || cve,1999-0800
++907 || WEB-COLDFUSION addcontent.cfm access
++908 || WEB-COLDFUSION administrator access || bugtraq,1314 || cve,2000-0538
++909 || WEB-COLDFUSION datasource username attempt || bugtraq,550
++910 || WEB-COLDFUSION fileexists.cfm access || bugtraq,550
++911 || WEB-COLDFUSION exprcalc access || bugtraq,115 || bugtraq,550 || cve,1999-0455
++912 || WEB-COLDFUSION parks access || bugtraq,550
++913 || WEB-COLDFUSION cfappman access || bugtraq,550
++914 || WEB-COLDFUSION beaninfo access || bugtraq,550
++915 || WEB-COLDFUSION evaluate.cfm access || bugtraq,550
++916 || WEB-COLDFUSION getodbcdsn access || bugtraq,550
++917 || WEB-COLDFUSION db connections flush attempt || bugtraq,550
++918 || WEB-COLDFUSION expeval access || bugtraq,550 || cve,1999-0477
++919 || WEB-COLDFUSION datasource passwordattempt || bugtraq,550
++920 || WEB-COLDFUSION datasource attempt || bugtraq,550
++921 || WEB-COLDFUSION admin encrypt attempt || bugtraq,550
++922 || WEB-COLDFUSION displayfile access || bugtraq,550
++923 || WEB-COLDFUSION getodbcin attempt || bugtraq,550
++924 || WEB-COLDFUSION admin decrypt attempt || bugtraq,550
++925 || WEB-COLDFUSION mainframeset access || bugtraq,550
++926 || WEB-COLDFUSION set odbc ini attempt || bugtraq,550
++927 || WEB-COLDFUSION settings refresh attempt || bugtraq,550
++928 || WEB-COLDFUSION exampleapp access
++929 || WEB-COLDFUSION CFUSION_VERIFYMAIL access || bugtraq,550
++930 || WEB-COLDFUSION snippets attempt || bugtraq,550
++931 || WEB-COLDFUSION cfmlsyntaxcheck.cfm access || bugtraq,550
++932 || WEB-COLDFUSION application.cfm access || arachnids,268 || bugtraq,550 || cve,2000-0189
++933 || WEB-COLDFUSION onrequestend.cfm access || arachnids,269 || bugtraq,550 || cve,2000-0189
++935 || WEB-COLDFUSION startstop DOS access || bugtraq,247
++936 || WEB-COLDFUSION gettempdirectory.cfm access || bugtraq,550
++937 || WEB-FRONTPAGE _vti_rpc access || bugtraq,2144 || cve,2001-0096 || nessus,10585
++939 || WEB-FRONTPAGE posting || bugtraq,2144 || cve,2001-0096 || nessus,10585 || url,www.microsoft.com/technet/security/bulletin/MS00-100.mspx
++940 || WEB-FRONTPAGE shtml.dll access || arachnids,292 || bugtraq,1174 || bugtraq,1594 || bugtraq,1595 || cve,2000-0413 || cve,2000-0746 || nessus,11395 || url,www.microsoft.com/technet/security/bulletin/ms00-060.mspx
++941 || WEB-FRONTPAGE contents.htm access
++942 || WEB-FRONTPAGE orders.htm access
++943 || WEB-FRONTPAGE fpsrvadm.exe access
++944 || WEB-FRONTPAGE fpremadm.exe access
++945 || WEB-FRONTPAGE fpadmin.htm access
++946 || WEB-FRONTPAGE fpadmcgi.exe access
++947 || WEB-FRONTPAGE orders.txt access
++948 || WEB-FRONTPAGE form_results access || cve,1999-1052
++949 || WEB-FRONTPAGE registrations.htm access
++950 || WEB-FRONTPAGE cfgwiz.exe access
++951 || WEB-FRONTPAGE authors.pwd access || bugtraq,989 || cve,1999-0386 || nessus,10078
++952 || WEB-FRONTPAGE author.exe access
++953 || WEB-FRONTPAGE administrators.pwd access || bugtraq,1205
++954 || WEB-FRONTPAGE form_results.htm access || cve,1999-1052
++955 || WEB-FRONTPAGE access.cnf access || bugtraq,4078 || nessus,10575
++956 || WEB-FRONTPAGE register.txt access
++957 || WEB-FRONTPAGE registrations.txt access
++958 || WEB-FRONTPAGE service.cnf access || bugtraq,4078 || nessus,10575
++959 || WEB-FRONTPAGE service.pwd || bugtraq,1205
++960 || WEB-FRONTPAGE service.stp access
++961 || WEB-FRONTPAGE services.cnf access || bugtraq,4078 || nessus,10575
++962 || WEB-FRONTPAGE shtml.exe access || bugtraq,1174 || bugtraq,1608 || bugtraq,5804 || cve,2000-0413 || cve,2000-0709 || cve,2002-0692 || nessus,10405 || nessus,11311
++963 || WEB-FRONTPAGE svcacl.cnf access || bugtraq,4078 || nessus,10575
++964 || WEB-FRONTPAGE users.pwd access
++965 || WEB-FRONTPAGE writeto.cnf access || bugtraq,4078 || nessus,10575
++966 || WEB-FRONTPAGE .... request || arachnids,248 || bugtraq,989 || cve,1999-0386 || cve,2000-0153 || nessus,10142
++967 || WEB-FRONTPAGE dvwssr.dll access || arachnids,271 || bugtraq,1108 || bugtraq,1109 || cve,2000-0260 || url,www.microsoft.com/technet/security/bulletin/ms00-025.mspx
++968 || WEB-FRONTPAGE register.htm access
++969 || WEB-IIS WebDAV file lock attempt || bugtraq,2736
++970 || WEB-IIS multiple decode attempt || bugtraq,2708 || cve,2001-0333 || nessus,10671
++971 || WEB-IIS ISAPI .printer access || arachnids,533 || bugtraq,2674 || cve,2001-0241 || nessus,10661 || url,www.microsoft.com/technet/security/bulletin/MS01-023.mspx
++972 || WEB-IIS %2E-asp access || bugtraq,1814 || cve,1999-0253
++973 || WEB-IIS *.idc attempt || bugtraq,1448 || cve,1999-0874 || cve,2000-0661
++974 || WEB-IIS Directory transversal attempt || bugtraq,2218 || cve,1999-0229
++975 || WEB-IIS Alternate Data streams ASP file access attempt || bugtraq,149 || cve,1999-0278 || nessus,10362 || url,support.microsoft.com/default.aspx?scid=kb\
++976 || WEB-IIS .bat? access || bugtraq,2023 || cve,1999-0233 || url,support.microsoft.com/support/kb/articles/Q148/1/88.asp || url,support.microsoft.com/support/kb/articles/Q155/0/56.asp
++977 || WEB-IIS .cnf access || bugtraq,4078 || nessus,10575
++978 || WEB-IIS ASP contents view || bugtraq,1084 || cve,2000-0302 || nessus,10356 || url,www.microsoft.com/technet/security/bulletin/MS00-006.mspx
++979 || WEB-IIS ASP contents view || bugtraq,1861 || cve,2000-0942 || url,www.microsoft.com/technet/security/bulletin/MS00-006.mspx
++980 || WEB-IIS CGImail.exe access || bugtraq,1623 || cve,2000-0726
++981 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537
++982 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537
++983 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537
++984 || WEB-IIS JET VBA access || bugtraq,307 || cve,1999-0874 || nessus,10116
++985 || WEB-IIS JET VBA access || bugtraq,286 || cve,1999-0874
++986 || WEB-IIS MSProxy access || url,support.microsoft.com/?kbid=331066
++987 || WEB-IIS .htr access || bugtraq,1488 || cve,2000-0630 || nessus,10680
++988 || WEB-IIS SAM Attempt || url,www.ciac.org/ciac/bulletins/h-45.shtml
++989 || BACKDOOR sensepost.exe command shell attempt || nessus,11003
++990 || WEB-FRONTPAGE _vti_inf.html access || nessus,11455
++991 || WEB-IIS achg.htr access || bugtraq,2110 || cve,1999-0407
++992 || WEB-IIS adctest.asp access
++993 || WEB-IIS iisadmin access || bugtraq,189 || cve,1999-1538 || nessus,11032
++994 || WEB-IIS /scripts/iisadmin/default.htm access
++995 || WEB-IIS ism.dll access || bugtraq,189 || cve,1999-1538 || cve,2000-0630
++996 || WEB-IIS anot.htr access || bugtraq,2110 || cve,1999-0407
++997 || WEB-IIS asp-dot attempt || bugtraq,1814 || nessus,10363
++998 || WEB-IIS asp-srch attempt
++999 || WEB-IIS bdir access || bugtraq,2280
++1000 || WEB-IIS bdir.htr access || bugtraq,2280 || nessus,10577
++1001 || WEB-MISC carbo.dll access || bugtraq,2126 || cve,1999-1069
++1002 || WEB-IIS cmd.exe access
++1003 || WEB-IIS cmd? access
++1004 || WEB-IIS codebrowser Exair access || cve,1999-0499 || cve,1999-0815
++1005 || WEB-IIS codebrowser SDK access || bugtraq,167 || cve,1999-0736
++1007 || WEB-IIS cross-site scripting attempt || bugtraq,119 || bugtraq,1594 || bugtraq,1595 || cve,2000-0746 || cve,2000-1104 || nessus,10572 || url,www.microsoft.com/technet/security/bulletin/MS00-028.mspx
++1008 || WEB-IIS del attempt
++1009 || WEB-IIS directory listing || nessus,10573
++1010 || WEB-IIS encoding access || arachnids,200 || bugtraq,886 || cve,2000-0024 || url,http//www.microsoft.com/technet/security/bulletin/MS99-061.mspx
++1011 || WEB-IIS exec-src access
++1012 || WEB-IIS fpcount attempt || bugtraq,2252 || cve,1999-1376
++1013 || WEB-IIS fpcount access || bugtraq,2252 || cve,1999-1376
++1015 || WEB-IIS getdrvs.exe access
++1016 || WEB-IIS global.asa access || cve,2000-0778 || nessus,10491 || nessus,10991
++1017 || WEB-IIS idc-srch attempt || cve,1999-0874
++1018 || WEB-IIS iisadmpwd attempt || bugtraq,2110 || cve,1999-0407
++1019 || IIS Malformed Hit-Highlighting Argument File Access Attempt || bugtraq,950 || cve,2000-0097 || url,www.microsoft.com/technet/security/bulletin/ms00-006.mspx || url,www.securityfocus.com/archive/1/43762
++1020 || WEB-IIS isc$data attempt || bugtraq,307 || cve,1999-0874 || nessus,10116
++1021 || WEB-IIS ism.dll attempt || bugtraq,1193 || cve,2000-0457 || nessus,10680 || url,www.microsoft.com/technet/security/bulletin/MS00-031.mspx
++1022 || WEB-IIS jet vba access || bugtraq,286 || cve,1999-0874
++1023 || WEB-IIS msadcs.dll access || bugtraq,529 || cve,1999-1011 || nessus,10357
++1024 || WEB-IIS newdsn.exe access || bugtraq,1818 || cve,1999-0191 || nessus,10360
++1025 || WEB-IIS perl access
++1026 || WEB-IIS perl-browse newline attempt || bugtraq,6833
++1027 || WEB-IIS perl-browse space attempt || bugtraq,6833
++1028 || WEB-IIS query.asp access || bugtraq,193 || cve,1999-0449
++1029 || WEB-IIS scripts-browse access || nessus,11032
++1030 || WEB-IIS search97.vts access || bugtraq,162
++1031 || WEB-IIS /SiteServer/Publishing/viewcode.asp access || nessus,10576
++1032 || WEB-IIS showcode access || nessus,10576
++1033 || WEB-IIS showcode access || nessus,10576
++1034 || WEB-IIS showcode access || nessus,10576
++1035 || WEB-IIS showcode access || nessus,10576
++1036 || WEB-IIS showcode access || nessus,10576
++1037 || WEB-IIS showcode.asp access || bugtraq,167 || cve,1999-0736 || nessus,10007 || url,www.microsoft.com/technet/security/bulletin/MS99-013.mspx
++1038 || WEB-IIS site server config access || bugtraq,256 || cve,1999-1520
++1039 || WEB-IIS srch.htm access
++1040 || WEB-IIS srchadm access || nessus,11032
++1041 || WEB-IIS uploadn.asp access || bugtraq,1811 || cve,1999-0360
++1042 || WEB-IIS view source via translate header || arachnids,305 || bugtraq,1578 || cve,2000-0778
++1043 || WEB-IIS viewcode.asp access || cve,1999-0737 || nessus,10576
++1044 || WEB-IIS webhits access || arachnids,237 || bugtraq,950 || cve,2000-0097
++1045 || WEB-IIS Unauthorized IP Access Attempt
++1046 || WEB-IIS site/iisamples access || nessus,10370
++1047 || WEB-MISC Netscape Enterprise DOS || bugtraq,2294 || cve,2001-0251
++1048 || WEB-MISC Netscape Enterprise directory listing attempt || bugtraq,2285 || cve,2001-0250
++1049 || WEB-MISC iPlanet ../../ DOS attempt || bugtraq,2282 || cve,2001-0252
++1050 || WEB-MISC iPlanet GETPROPERTIES attempt || bugtraq,2732 || cve,2001-0746
++1051 || WEB-CGI technote main.cgi file directory traversal attempt || bugtraq,2156 || cve,2001-0075 || nessus,10584
++1052 || WEB-CGI technote print.cgi directory traversal attempt || bugtraq,2156 || cve,2001-0075 || nessus,10584
++1053 || WEB-CGI ads.cgi command execution attempt || bugtraq,2103 || cve,2001-0025 || nessus,11464
++1054 || WEB-MISC weblogic/tomcat .jsp view source attempt || bugtraq,2527
++1055 || WEB-MISC Tomcat directory traversal attempt || bugtraq,2518
++1056 || WEB-MISC Tomcat view source attempt || bugtraq,2527 || cve,2001-0590
++1057 || WEB-MISC ftp attempt
++1058 || WEB-MISC xp_enumdsn attempt
++1059 || WEB-MISC xp_filelist attempt
++1060 || WEB-MISC xp_availablemedia attempt
++1061 || WEB-MISC xp_cmdshell attempt
++1062 || WEB-MISC nc.exe attempt
++1064 || WEB-MISC wsh attempt
++1065 || WEB-MISC rcmd attempt
++1066 || WEB-MISC telnet attempt
++1067 || WEB-MISC net attempt
++1068 || WEB-MISC tftp attempt
++1069 || WEB-MISC xp_regread attempt
++1070 || WEB-MISC WebDAV search access || arachnids,474 || bugtraq,1756 || cve,2000-0951
++1071 || WEB-MISC .htpasswd access
++1072 || WEB-MISC Lotus Domino directory traversal || bugtraq,2173 || cve,2001-0009 || nessus,12248
++1073 || WEB-MISC webhits.exe access || bugtraq,950 || cve,2000-0097
++1075 || WEB-IIS postinfo.asp access || bugtraq,1811 || cve,1999-0360
++1076 || WEB-IIS repost.asp access || nessus,10372
++1077 || WEB-MISC queryhit.htm access || nessus,10370
++1078 || WEB-MISC counter.exe access || bugtraq,267 || cve,1999-1030
++1079 || WEB-MISC WebDAV propfind access || bugtraq,1656 || cve,2000-0869
++1080 || WEB-MISC unify eWave ServletExec upload || bugtraq,1868 || bugtraq,1876 || cve,2000-1024 || cve,2000-1025 || nessus,10570
++1081 || WEB-MISC Netscape Servers suite DOS || bugtraq,1868 || cve,2000-1025
++1082 || WEB-MISC amazon 1-click cookie theft || bugtraq,1194 || cve,2000-0439
++1083 || WEB-MISC unify eWave ServletExec DOS || bugtraq,1868 || cve,2000-1025
++1084 || WEB-MISC Allaire JRUN DOS attempt || bugtraq,2337 || cve,2000-1049
++1085 || WEB-PHP strings overflow || arachnids,431 || bugtraq,802
++1086 || WEB-PHP strings overflow || arachnids,430 || bugtraq,1786 || cve,2000-0967
++1087 || WEB-MISC whisker tab splice attack || arachnids,415 || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
++1088 || WEB-CGI eXtropia webstore directory traversal || bugtraq,1774 || cve,2000-1005 || nessus,10532
++1089 || WEB-CGI shopping cart directory traversal || bugtraq,1777 || cve,2000-0921
++1090 || WEB-CGI Allaire Pro Web Shell attempt
++1091 || WEB-MISC ICQ Webfront HTTP DOS || bugtraq,1463 || cve,2000-1078
++1092 || WEB-CGI Armada Style Master Index directory traversal || bugtraq,1772 || cve,2000-0924 || nessus,10562 || url,www.synnergy.net/downloads/advisories/SLA-2000-16.masterindex.txt
++1093 || WEB-CGI cached_feed.cgi moreover shopping cart directory traversal || bugtraq,1762 || cve,2000-0906
++1094 || WEB-CGI webstore directory traversal || bugtraq,1774 || cve,2000-1005
++1095 || WEB-MISC Talentsoft Web+ Source Code view access || bugtraq,1722 || url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html
++1096 || WEB-MISC Talentsoft Web+ internal IP Address access || bugtraq,1720 || url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html
++1097 || WEB-CGI Talentsoft Web+ exploit attempt || bugtraq,1725
++1098 || WEB-MISC SmartWin CyberOffice Shopping Cart access || bugtraq,1734 || cve,2000-0925
++1099 || WEB-MISC cybercop scan || arachnids,374
++1100 || WEB-MISC L3retriever HTTP Probe || arachnids,310
++1101 || WEB-MISC Webtrends HTTP probe || arachnids,309
++1102 || WEB-MISC nessus 1.X 404 probe || arachnids,301
++1103 || WEB-MISC Netscape admin passwd || bugtraq,1579 || nessus,10468
++1104 || WEB-MISC whisker space splice attack || arachnids,296 || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
++1105 || WEB-MISC BigBrother access || bugtraq,1455 || cve,2000-0638 || nessus,10460
++1106 || WEB-CGI Poll-it access || bugtraq,1431 || cve,2000-0590 || nessus,10459
++1107 || WEB-MISC ftp.pl access || bugtraq,1471 || cve,2000-0674 || nessus,10467
++1108 || WEB-MISC Tomcat server snoop access || bugtraq,1532 || cve,2000-0760
++1109 || WEB-MISC ROXEN directory list attempt || bugtraq,1510 || cve,2000-0671
++1110 || WEB-MISC apache source.asp file access || bugtraq,1457 || cve,2000-0628 || nessus,10480
++1111 || WEB-MISC Tomcat server exploit access || bugtraq,1548 || cve,2000-0672 || nessus,10477
++1112 || WEB-MISC http directory traversal || arachnids,298
++1113 || WEB-MISC http directory traversal || arachnids,297
++1114 || WEB-MISC prefix-get //
++1115 || WEB-MISC ICQ webserver DOS || cve,1999-0474 || url,www.securiteam.com/exploits/2ZUQ1QAQOG.html
++1116 || WEB-MISC Lotus DelDoc attempt
++1117 || WEB-MISC Lotus EditDoc attempt || url,www.securiteam.com/exploits/5NP080A1RE.html
++1118 || WEB-MISC ls%20-l
++1119 || WEB-MISC mlog.phtml access || bugtraq,713 || cve,1999-0068 || cve,1999-0346
++1120 || WEB-MISC mylog.phtml access || bugtraq,713 || cve,1999-0068 || cve,1999-0346
++1121 || WEB-MISC O'Reilly args.bat access
++1122 || WEB-MISC /etc/passwd
++1123 || WEB-MISC ?PageServices access || bugtraq,1063 || bugtraq,7621 || cve,1999-0269
++1124 || WEB-MISC Ecommerce check.txt access
++1125 || WEB-MISC webcart access || cve,1999-0610 || nessus,10298
++1126 || WEB-MISC AuthChangeUrl access || bugtraq,2110 || cve,1999-0407
++1127 || WEB-MISC convert.bas access || bugtraq,2025 || cve,1999-0175
++1128 || WEB-MISC cpshost.dll access || bugtraq,1811 || bugtraq,4002 || cve,1999-0360
++1129 || WEB-MISC .htaccess access
++1130 || WEB-MISC .wwwacl access
++1131 || WEB-MISC .wwwacl access
++1132 || WEB-MISC Netscape Unixware overflow || arachnids,180 || bugtraq,908 || cve,1999-0744
++1133 || SCAN cybercop os probe || arachnids,145
++1134 || WEB-PHP Phorum admin access || arachnids,205 || bugtraq,2271
++1136 || WEB-MISC cd..
++1137 || WEB-PHP Phorum authentication access || arachnids,206 || bugtraq,2274
++1138 || WEB-MISC Cisco Web DOS attempt || arachnids,275
++1139 || WEB-MISC whisker HEAD/./ || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
++1140 || WEB-MISC guestbook.pl access || arachnids,228 || bugtraq,776 || cve,1999-0237 || cve,1999-1053 || nessus,10099
++1141 || WEB-MISC handler access || arachnids,235 || bugtraq,380 || cve,1999-0148 || nessus,10100
++1142 || WEB-MISC /.... access
++1143 || WEB-MISC ///cgi-bin access || nessus,11032
++1144 || WEB-MISC /cgi-bin/// access || nessus,11032
++1145 || WEB-MISC /~root access
++1146 || WEB-MISC Ecommerce import.txt access
++1147 || WEB-MISC cat%20 access || bugtraq,374 || cve,1999-0039
++1148 || WEB-MISC Ecommerce import.txt access
++1149 || WEB-CGI count.cgi access || bugtraq,128 || cve,1999-0021 || nessus,10049
++1150 || WEB-MISC Domino catalog.nsf access || nessus,10629
++1151 || WEB-MISC Domino domcfg.nsf access || nessus,10629
++1152 || WEB-MISC Domino domlog.nsf access || nessus,10629
++1153 || WEB-MISC Domino log.nsf access || nessus,10629
++1154 || WEB-MISC Domino names.nsf access || nessus,10629
++1155 || WEB-MISC Ecommerce checks.txt access || bugtraq,2281
++1156 || WEB-MISC apache directory disclosure attempt || bugtraq,2503
++1157 || WEB-MISC Netscape PublishingXpert access || cve,2000-1196 || nessus,10364
++1158 || WEB-MISC windmail.exe access || arachnids,465 || bugtraq,1073 || cve,2000-0242 || nessus,10365
++1159 || WEB-MISC webplus access || bugtraq,1174 || bugtraq,1720 || bugtraq,1722 || bugtraq,1725 || cve,2000-1005
++1160 || WEB-MISC Netscape dir index wp || arachnids,270 || bugtraq,1063 || cve,2000-0236
++1161 || WEB-PHP piranha passwd.php3 access || arachnids,272 || bugtraq,1149 || cve,2000-0322
++1162 || WEB-MISC cart 32 AdminPwd access || bugtraq,1153 || cve,2000-0429
++1163 || WEB-CGI webdist.cgi access || bugtraq,374 || cve,1999-0039 || nessus,10299
++1164 || WEB-MISC shopping cart access || bugtraq,1983 || bugtraq,2049 || cve,1999-0607 || cve,2000-1188
++1165 || WEB-MISC Novell Groupwise gwweb.exe access || bugtraq,879 || cve,1999-1005 || cve,1999-1006 || nessus,10877
++1166 || WEB-MISC ws_ftp.ini access || bugtraq,547 || cve,1999-1078
++1167 || WEB-MISC rpm_query access || bugtraq,1036 || cve,2000-0192 || nessus,10340
++1168 || WEB-MISC mall log order access || bugtraq,2266 || cve,1999-0606
++1171 || WEB-MISC whisker HEAD with large datagram || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
++1172 || WEB-CGI bigconf.cgi access || bugtraq,778 || cve,1999-1550 || nessus,10027
++1173 || WEB-MISC architext_query.pl access || bugtraq,2248 || cve,1999-0279 || nessus,10064 || url,www2.fedcirc.gov/alerts/advisories/1998/txt/fedcirc.98.03.txt
++1174 || WEB-CGI /cgi-bin/jj access || bugtraq,2002 || cve,1999-0260 || nessus,10131
++1175 || WEB-MISC wwwboard.pl access || bugtraq,1795 || bugtraq,649 || cve,1999-0930 || cve,1999-0954
++1176 || WEB-MISC order.log access
++1177 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063
++1178 || WEB-PHP Phorum read access || arachnids,208
++1179 || WEB-PHP Phorum violation access || arachnids,209 || bugtraq,2272
++1180 || WEB-MISC get32.exe access || arachnids,258 || bugtraq,1485 || bugtraq,770 || cve,1999-0885 || nessus,10011
++1181 || WEB-MISC Annex Terminal DOS attempt || arachnids,260 || cve,1999-1070 || nessus,10017
++1182 || WEB-MISC cgitest.exe attempt || arachnids,265 || bugtraq,1313 || bugtraq,3885 || cve,2000-0521 || cve,2002-0128 || nessus,10040 || nessus,10623
++1183 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 || nessus,10352
++1184 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236
++1185 || WEB-CGI bizdbsearch attempt || bugtraq,1104 || cve,2000-0287 || nessus,10383
++1186 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236
++1187 || WEB-MISC SalesLogix Eviewer web command attempt || bugtraq,1078 || bugtraq,1089 || cve,2000-0278 || cve,2000-0289
++1188 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236
++1189 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236
++1190 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236
++1191 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236
++1192 || WEB-MISC Trend Micro OfficeScan access || bugtraq,1057
++1193 || WEB-MISC oracle web arbitrary command execution attempt || bugtraq,1053 || cve,2000-0169 || nessus,10348
++1194 || WEB-CGI sojourn.cgi File attempt || bugtraq,1052 || cve,2000-0180 || nessus,10349
++1195 || WEB-CGI sojourn.cgi access || bugtraq,1052 || cve,2000-0180 || nessus,10349
++1196 || WEB-CGI SGI InfoSearch fname attempt || arachnids,290 || bugtraq,1031 || cve,2000-0207
++1197 || WEB-PHP Phorum code access || arachnids,207
++1198 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236
++1199 || WEB-MISC Compaq Insight directory traversal || arachnids,244 || bugtraq,282 || cve,1999-0771
++1200 || ATTACK-RESPONSES Invalid URL || url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx
++1201 || ATTACK-RESPONSES 403 Forbidden
++1202 || WEB-MISC search.vts access || bugtraq,162
++1204 || WEB-CGI ax-admin.cgi access
++1205 || WEB-CGI axs.cgi access
++1206 || WEB-CGI cachemgr.cgi access || bugtraq,2059 || cve,1999-0710 || nessus,10034
++1207 || WEB-MISC htgrep access || cve,2000-0832
++1208 || WEB-CGI responder.cgi access || bugtraq,3155
++1209 || WEB-MISC .nsconfig access || url,www.osvdb.org/5709
++1211 || WEB-CGI web-map.cgi access
++1212 || WEB-MISC Admin_files access
++1213 || WEB-MISC backup access
++1214 || WEB-MISC intranet access || nessus,11626
++1215 || WEB-CGI ministats admin access
++1216 || WEB-MISC filemail access || cve,1999-1154 || cve,1999-1155 || url,www.securityfocus.com/archive/1/11175
++1217 || WEB-MISC plusmail access || bugtraq,2653 || cve,2000-0074 || nessus,10181
++1218 || WEB-MISC adminlogin access || bugtraq,1164 || bugtraq,1175 || nessus,11748
++1219 || WEB-CGI dfire.cgi access || bugtraq,564 || cve,1999-0913
++1220 || WEB-MISC ultraboard access || bugtraq,1164 || bugtraq,1175 || nessus,11748
++1221 || WEB-MISC musicat empower access || bugtraq,2374 || cve,2001-0224 || nessus,10609
++1222 || WEB-CGI pals-cgi arbitrary file access attempt || bugtraq,2372 || cve,2001-0217 || nessus,10611
++1224 || WEB-MISC ROADS search.pl attempt || bugtraq,2371 || cve,2001-0215 || nessus,10627
++1225 || X11 MIT Magic Cookie detected || arachnids,396
++1226 || X11 xopen || arachnids,395
++1227 || X11 outbound client connection detected || arachnids,126
++1228 || SCAN nmap XMAS || arachnids,30
++1229 || FTP CWD ... || bugtraq,9237
++1230 || WEB-MISC VirusWall FtpSave access || bugtraq,2808 || cve,2001-0432 || nessus,10733
++1231 || WEB-MISC VirusWall catinfo access || bugtraq,2579 || bugtraq,2808 || cve,2001-0432 || nessus,10650
++1232 || WEB-MISC VirusWall catinfo access || bugtraq,2579 || bugtraq,2808 || cve,2001-0432 || nessus,10650
++1233 || WEB-CLIENT Outlook EML access || nessus,10767
++1234 || WEB-MISC VirusWall FtpSaveCSP access || bugtraq,2808 || cve,2001-0432 || nessus,10733
++1235 || WEB-MISC VirusWall FtpSaveCVP access || bugtraq,2808 || cve,2001-0432 || nessus,10733
++1236 || WEB-MISC Tomcat sourecode view
++1237 || WEB-MISC Tomcat sourecode view
++1238 || WEB-MISC Tomcat sourecode view
++1239 || NETBIOS RFParalyze Attempt || bugtraq,1163 || cve,2000-0347 || nessus,10392
++1240 || EXPLOIT MDBMS overflow || bugtraq,1252 || cve,2000-0446
++1241 || WEB-MISC SWEditServlet directory traversal attempt || bugtraq,2868 || cve,2001-0555
++1242 || WEB-IIS ISAPI .ida access || arachnids,552 || bugtraq,1065 || cve,2000-0071
++1243 || WEB-IIS ISAPI .ida attempt || arachnids,552 || bugtraq,1065 || cve,2000-0071
++1244 || WEB-IIS ISAPI .idq attempt || arachnids,553 || bugtraq,1065 || bugtraq,968 || cve,2000-0071 || cve,2000-0126 || nessus,10115
++1245 || WEB-IIS ISAPI .idq access || arachnids,553 || bugtraq,1065 || cve,2000-0071
++1246 || WEB-FRONTPAGE rad overflow attempt || arachnids,555 || bugtraq,2906 || cve,2001-0341 || url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx
++1247 || WEB-FRONTPAGE rad overflow attempt || bugtraq,2906 || cve,2001-0341
++1248 || WEB-FRONTPAGE rad fp30reg.dll access || arachnids,555 || bugtraq,2906 || cve,2001-0341 || url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx
++1249 || WEB-FRONTPAGE frontpage rad fp4areg.dll access || bugtraq,2906 || cve,2001-0341
++1250 || WEB-MISC Cisco IOS HTTP configuration attempt || bugtraq,2936 || cve,2001-0537
++1251 || INFO TELNET Bad Login
++1252 || TELNET bsd telnet exploit response || bugtraq,3064 || cve,2001-0554 || nessus,10709
++1253 || TELNET bsd exploit client finishing || bugtraq,3064 || cve,2001-0554 || nessus,10709
++1254 || WEB-PHP PHPLIB remote command attempt || bugtraq,3079 || cve,2001-1370
++1255 || WEB-PHP PHPLIB remote command attempt || bugtraq,3079 || cve,2001-1370
++1256 || WEB-IIS CodeRed v2 root.exe access || url,www.cert.org/advisories/CA-2001-19.html
++1257 || DOS Winnuke attack || bugtraq,2010 || cve,1999-0153
++1258 || WEB-MISC HP OpenView Manager DOS || bugtraq,2845 || cve,2001-0552
++1259 || WEB-MISC SWEditServlet access || bugtraq,2868
++1260 || WEB-MISC long basic authorization string || bugtraq,3230 || cve,2001-1067
++1261 || EXPLOIT AIX pdnsd overflow || bugtraq,3237 || bugtraq,590 || cve,1999-0745
++1262 || RPC portmap admind request TCP || arachnids,18
++1263 || RPC portmap amountd request TCP || arachnids,19
++1264 || RPC portmap bootparam request TCP || arachnids,16 || cve,1999-0647
++1265 || RPC portmap cmsd request TCP || arachnids,17
++1266 || RPC portmap mountd request TCP || arachnids,13
++1267 || RPC portmap nisd request TCP || arachnids,21
++1268 || RPC portmap pcnfsd request TCP || arachnids,22
++1269 || RPC portmap rexd request TCP || arachnids,23
++1270 || RPC portmap rstatd request TCP || arachnids,10
++1271 || RPC portmap rusers request TCP || arachnids,133 || cve,1999-0626
++1272 || RPC portmap sadmind request TCP || arachnids,20
++1273 || RPC portmap selection_svc request TCP || arachnids,25
++1274 || RPC portmap ttdbserv request TCP || arachnids,24 || bugtraq,122 || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html
++1275 || RPC portmap yppasswd request TCP || arachnids,14
++1276 || RPC portmap ypserv request TCP || arachnids,12 || bugtraq,5914 || bugtraq,6016 || cve,2000-1042 || cve,2000-1043 || cve,2002-1232
++1277 || RPC portmap ypupdated request UDP || arachnids,125
++1278 || RPC rstatd query || arachnids,9
++1279 || RPC portmap snmpXdmi request UDP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html
++1280 || RPC portmap listing UDP 111 || arachnids,428
++1281 || RPC portmap listing UDP 32771 || arachnids,429
++1282 || RPC EXPLOIT statdx || arachnids,442
++1283 || WEB-IIS outlook web dos || bugtraq,3223
++1284 || WEB-CLIENT readme.eml download attempt || url,www.cert.org/advisories/CA-2001-26.html
++1285 || WEB-IIS msdac access || nessus,11032
++1286 || WEB-IIS _mem_bin access || nessus,11032
++1287 || WEB-IIS scripts access
++1288 || WEB-FRONTPAGE /_vti_bin/ access || nessus,11032
++1289 || TFTP GET Admin.dll || url,www.cert.org/advisories/CA-2001-26.html
++1290 || WEB-CLIENT readme.eml autoload attempt || url,www.cert.org/advisories/CA-2001-26.html
++1291 || WEB-MISC sml3com access || bugtraq,2721 || cve,2001-0740
++1292 || ATTACK-RESPONSES directory listing
++1293 || NETBIOS nimda .eml || url,www.f-secure.com/v-descs/nimda.shtml
++1294 || NETBIOS nimda .nws || url,www.f-secure.com/v-descs/nimda.shtml
++1295 || NETBIOS nimda RICHED20.DLL || url,www.f-secure.com/v-descs/nimda.shtml
++1296 || RPC portmap request yppasswdd || bugtraq,2763
++1297 || RPC portmap request yppasswdd || bugtraq,2763
++1298 || RPC portmap tooltalk request TCP || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html
++1299 || RPC portmap tooltalk request UDP || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html
++1300 || WEB-PHP admin.php file upload attempt || bugtraq,3361 || cve,2001-1032
++1301 || WEB-PHP admin.php access || bugtraq,3361 || bugtraq,7532 || bugtraq,9270 || cve,2001-1032
++1302 || WEB-MISC console.exe access || bugtraq,3375 || cve,2001-1252
++1303 || WEB-MISC cs.exe access || bugtraq,3375 || cve,2001-1252
++1304 || WEB-CGI txt2html.cgi access
++1305 || WEB-CGI txt2html.cgi directory traversal attempt
++1306 || WEB-CGI store.cgi product directory traversal attempt || bugtraq,2385 || cve,2001-0305
++1307 || WEB-CGI store.cgi access || bugtraq,2385 || cve,2001-0305 || nessus,10639
++1308 || WEB-CGI sendmessage.cgi access || bugtraq,3673 || cve,2001-1100
++1309 || WEB-CGI zsh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html
++1321 || BAD-TRAFFIC 0 ttl || url,support.microsoft.com/default.aspx?scid=kb\ || url,www.isi.edu/in-notes/rfc1122.txt
++1322 || BAD-TRAFFIC bad frag bits
++1323 || EXPLOIT rwhoisd format string attempt || bugtraq,3474 || cve,2001-0838
++1324 || EXPLOIT ssh CRC32 overflow /bin/sh || bugtraq,2347 || cve,2001-0144 || cve,2001-0572
++1325 || EXPLOIT ssh CRC32 overflow filler || bugtraq,2347 || cve,2001-0144 || cve,2001-0572
++1326 || EXPLOIT ssh CRC32 overflow NOOP || bugtraq,2347 || cve,2001-0144 || cve,2001-0572
++1327 || EXPLOIT ssh CRC32 overflow || bugtraq,2347 || cve,2001-0144 || cve,2001-0572
++1328 || WEB-ATTACKS /bin/ps command attempt
++1329 || WEB-ATTACKS ps command attempt
++1330 || WEB-ATTACKS wget command attempt || bugtraq,10361
++1331 || WEB-ATTACKS uname -a command attempt
++1332 || WEB-ATTACKS /usr/bin/id command attempt
++1333 || WEB-ATTACKS id command attempt
++1334 || WEB-ATTACKS echo command attempt
++1335 || WEB-ATTACKS kill command attempt
++1336 || WEB-ATTACKS chmod command attempt
++1337 || WEB-ATTACKS chgrp command attempt
++1338 || WEB-ATTACKS chown command attempt
++1339 || WEB-ATTACKS chsh command attempt
++1340 || WEB-ATTACKS tftp command attempt
++1341 || WEB-ATTACKS /usr/bin/gcc command attempt
++1342 || WEB-ATTACKS gcc command attempt
++1343 || WEB-ATTACKS /usr/bin/cc command attempt
++1344 || WEB-ATTACKS cc command attempt
++1345 || WEB-ATTACKS /usr/bin/cpp command attempt
++1346 || WEB-ATTACKS cpp command attempt
++1347 || WEB-ATTACKS /usr/bin/g++ command attempt
++1348 || WEB-ATTACKS g++ command attempt
++1349 || WEB-ATTACKS bin/python access attempt
++1350 || WEB-ATTACKS python access attempt
++1351 || WEB-ATTACKS bin/tclsh execution attempt
++1352 || WEB-ATTACKS tclsh execution attempt
++1353 || WEB-ATTACKS bin/nasm command attempt
++1354 || WEB-ATTACKS nasm command attempt
++1355 || WEB-ATTACKS /usr/bin/perl execution attempt
++1356 || WEB-ATTACKS perl execution attempt
++1357 || WEB-ATTACKS nt admin addition attempt
++1358 || WEB-ATTACKS traceroute command attempt
++1359 || WEB-ATTACKS ping command attempt
++1360 || WEB-ATTACKS netcat command attempt
++1361 || WEB-ATTACKS nmap command attempt
++1362 || WEB-ATTACKS xterm command attempt
++1363 || WEB-ATTACKS X application to remote host attempt
++1364 || WEB-ATTACKS lsof command attempt
++1365 || WEB-ATTACKS rm command attempt
++1366 || WEB-ATTACKS mail command attempt
++1367 || WEB-ATTACKS mail command attempt
++1368 || WEB-ATTACKS /bin/ls| command attempt
++1369 || WEB-ATTACKS /bin/ls command attempt
++1370 || WEB-ATTACKS /etc/inetd.conf access
++1371 || WEB-ATTACKS /etc/motd access
++1372 || WEB-ATTACKS /etc/shadow access
++1373 || WEB-ATTACKS conf/httpd.conf attempt
++1374 || WEB-MISC .htgroup access
++1375 || WEB-MISC sadmind worm access || url,www.cert.org/advisories/CA-2001-11.html
++1376 || WEB-MISC jrun directory browse attempt || bugtraq,3592
++1377 || FTP wu-ftp bad file completion attempt [ || bugtraq,3581 || bugtraq,3707 || cve,2001-0550 || cve,2001-0886
++1378 || FTP wu-ftp bad file completion attempt { || bugtraq,3581 || bugtraq,3707 || cve,2001-0550 || cve,2001-0886
++1379 || FTP STAT overflow attempt || bugtraq,3507 || bugtraq,8542 || cve,2001-0325 || cve,2001-1021 || url,labs.defcom.com/adv/2001/def-2001-31.txt
++1380 || WEB-IIS cross-site scripting attempt || bugtraq,119 || bugtraq,1594 || bugtraq,1595 || cve,2000-0746 || cve,2000-1104 || nessus,10572
++1381 || WEB-MISC Trend Micro OfficeScan attempt || bugtraq,1057
++1382 || EXPLOIT CHAT IRC Ettercap parse overflow attempt || url,www.bugtraq.org/dev/GOBBLES-12.txt
++1383 || P2P Fastrack kazaa/morpheus GET request || url,www.kazaa.com || url,www.musiccity.com/technology.htm
++1384 || MISC UPnP malformed advertisement || bugtraq,3723 || cve,2001-0876 || cve,2001-0877 || url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx
++1385 || WEB-MISC mod-plsql administration access || bugtraq,3726 || bugtraq,3727 || cve,2001-1216 || cve,2001-1217 || nessus,10849
++1386 || MS-SQL/SMB raiserror possible buffer overflow || bugtraq,3733 || cve,2001-0542 || url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx
++1387 || MS-SQL raiserror possible buffer overflow || bugtraq,3733 || cve,2001-0542 || nessus,11217
++1388 || MISC UPnP Location overflow || bugtraq,3723 || cve,2001-0876
++1389 || WEB-MISC viewcode.jse access || bugtraq,3715
++1390 || SHELLCODE x86 inc ebx NOOP
++1391 || WEB-MISC Phorecast remote code execution attempt || bugtraq,3388 || cve,2001-1049
++1392 || WEB-CGI lastlines.cgi access || bugtraq,3754 || bugtraq,3755 || cve,2001-1205 || cve,2001-1206
++1393 || MISC AIM AddGame attempt || bugtraq,3769 || cve,2002-0005 || url,www.w00w00.org/files/w00aimexp/
++1394 || SHELLCODE x86 NOOP
++1395 || WEB-CGI zml.cgi attempt || bugtraq,3759 || cve,2001-1209
++1396 || WEB-CGI zml.cgi access || bugtraq,3759 || cve,2001-1209
++1397 || WEB-CGI wayboard attempt || bugtraq,2370 || cve,2001-0214
++1398 || EXPLOIT CDE dtspcd exploit attempt || bugtraq,3517 || cve,2001-0803 || url,www.cert.org/advisories/CA-2002-01.html
++1399 || WEB-PHP PHP-Nuke remote file include attempt || bugtraq,3889 || cve,2002-0206
++1400 || WEB-IIS /scripts/samples/ access || nessus,10370
++1401 || WEB-IIS /msadc/samples/ access || bugtraq,167 || cve,1999-0736 || nessus,1007
++1402 || WEB-IIS iissamples access || nessus,11032
++1403 || WEB-MISC viewcode access || cve,1999-0737 || nessus,10576 || nessus,12048
++1404 || WEB-MISC showcode access || bugtraq,167 || cve,1999-0736 || nessus,10007
++1405 || WEB-CGI AHG search.cgi access || bugtraq,3985
++1406 || WEB-CGI agora.cgi access || bugtraq,3702 || bugtraq,3976 || cve,2001-1199 || cve,2002-0215 || nessus,10836
++1407 || WEB-PHP smssend.php access || bugtraq,3982 || cve,2002-0220
++1408 || DOS MSDTC attempt || bugtraq,4006 || cve,2002-0224 || nessus,10939
++1409 || SNMP community string buffer overflow attempt || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 || url,www.cert.org/advisories/CA-2002-03.html
++1410 || WEB-CGI dcboard.cgi access || bugtraq,2728 || cve,2001-0527 || nessus,10583
++1411 || SNMP public access udp || bugtraq,2112 || bugtraq,4088 || bugtraq,4089 || cve,1999-0517 || cve,2002-0012 || cve,2002-0013
++1412 || SNMP public access tcp || bugtraq,2112 || bugtraq,4088 || bugtraq,4089 || bugtraq,7212 || cve,1999-0517 || cve,2002-0012 || cve,2002-0013
++1413 || SNMP private access udp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || bugtraq,7212 || cve,2002-0012 || cve,2002-0013
++1414 || SNMP private access tcp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013
++1415 || SNMP Broadcast request || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013
++1416 || SNMP broadcast trap || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013
++1417 || SNMP request udp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013
++1418 || SNMP request tcp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013
++1419 || SNMP trap udp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013
++1420 || SNMP trap tcp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 ||
cve,2002-0012 || cve,2002-0013 ++1421 || SNMP AgentX/tcp request || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 ++1422 || SNMP community string buffer overflow attempt with evasion || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 || url,www.cert.org/advisories/CA-2002-03.html ++1423 || WEB-PHP content-disposition memchr overflow || bugtraq,4183 || cve,2002-0081 || nessus,10867 ++1424 || SHELLCODE x86 0xEB0C NOOP ++1425 || WEB-PHP content-disposition || bugtraq,4183 || cve,2002-0081 || nessus,10867 ++1426 || SNMP PROTOS test-suite-req-app attempt || url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html ++1427 || SNMP PROTOS test-suite-trap-app attempt || url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html ++1428 || MULTIMEDIA audio galaxy keepalive ++1429 || POLICY poll.gotomypc.com access || url,www.gotomypc.com/help2.tmpl ++1430 || TELNET Solaris memory mismanagement exploit attempt ++1431 || BAD-TRAFFIC syn to multicast address ++1432 || P2P GNUTella client request ++1433 || WEB-MISC .history access ++1434 || WEB-MISC .bash_history access || bugtraq,337 || cve,1999-0408 ++1435 || DNS named authors attempt || arachnids,480 || nessus,10728 ++1436 || MULTIMEDIA Quicktime User Agent access ++1437 || MULTIMEDIA Windows Media download ++1438 || MULTIMEDIA Windows Media Video download ++1439 || MULTIMEDIA Shoutcast playlist redirection ++1440 || MULTIMEDIA Icecast playlist redirection ++1441 || TFTP GET nc.exe ++1442 || TFTP GET shadow ++1443 || TFTP GET passwd ++1444 || TFTP Get ++1445 || POLICY FTP file_id.diz access possible warez site ++1446 || SMTP vrfy root ++1447 || MISC MS Terminal server request RDP || bugtraq,3099 || cve,2001-0540 || url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx ++1448 || MISC MS Terminal server request || bugtraq,3099 || cve,2001-0540 || url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx ++1449 || POLICY FTP 
anonymous ftp login attempt ++1450 || SMTP expn *@ || cve,1999-1200 ++1451 || WEB-CGI NPH-publish access || bugtraq,2563 || cve,2001-0400 ++1452 || WEB-CGI args.cmd access || cve,1999-1180 || nessus,11465 ++1453 || WEB-CGI AT-generated.cgi access || cve,1999-1072 ++1454 || WEB-CGI wwwwais access || cve,2001-0223 || nessus,10597 ++1455 || WEB-CGI calendar.pl access || bugtraq,1215 || cve,2000-0432 ++1456 || WEB-CGI calender_admin.pl access || cve,2000-0432 ++1457 || WEB-CGI user_update_admin.pl access || bugtraq,1486 || cve,2000-0627 ++1458 || WEB-CGI user_update_passwd.pl access || bugtraq,1486 || cve,2000-0627 ++1459 || WEB-CGI bb-histlog.sh access || bugtraq,142 || cve,1999-1462 || nessus,10025 ++1460 || WEB-CGI bb-histsvc.sh access || bugtraq,142 || cve,1999-1462 ++1461 || WEB-CGI bb-rep.sh access || bugtraq,142 || cve,1999-1462 ++1462 || WEB-CGI bb-replog.sh access || bugtraq,142 || cve,1999-1462 ++1463 || CHAT IRC message ++1464 || ATTACK-RESPONSES oracle one hour install || nessus,10737 ++1465 || WEB-CGI auktion.cgi access || bugtraq,2367 || cve,2001-0212 || nessus,10638 ++1466 || WEB-CGI cgiforum.pl access || bugtraq,1963 || cve,2000-1171 || nessus,10552 ++1467 || WEB-CGI directorypro.cgi access || bugtraq,2793 || cve,2001-0780 ++1468 || WEB-CGI Web Shopper shopper.cgi attempt || bugtraq,1776 || cve,2000-0922 ++1469 || WEB-CGI Web Shopper shopper.cgi access || bugtraq,1776 || cve,2000-0922 ++1470 || WEB-CGI listrec.pl access || bugtraq,3328 || cve,2001-0997 ++1471 || WEB-CGI mailnews.cgi access || bugtraq,2391 || cve,2001-0271 || nessus,10641 ++1472 || WEB-CGI book.cgi access || bugtraq,3178 || cve,2001-1114 || nessus,10721 ++1473 || WEB-CGI newsdesk.cgi access || bugtraq,2172 || cve,2001-0232 ++1474 || WEB-CGI cal_make.pl access || bugtraq,2663 || cve,2001-0463 || nessus,10664 ++1475 || WEB-CGI mailit.pl access || nessus,10417 ++1476 || WEB-CGI sdbsearch.cgi access || bugtraq,1658 || cve,2001-1130 || nessus,10503 || nessus,10720 ++1477 || WEB-CGI swc 
attempt ++1478 || WEB-CGI swc access || nessus,10493 ++1479 || WEB-CGI ttawebtop.cgi arbitrary file attempt || bugtraq,2890 || cve,2001-0805 || nessus,10696 ++1480 || WEB-CGI ttawebtop.cgi access || bugtraq,2890 || cve,2001-0805 || nessus,10696 ++1481 || WEB-CGI upload.cgi access || nessus,10290 ++1482 || WEB-CGI view_source access || bugtraq,2251 || cve,1999-0174 || nessus,10294 ++1483 || WEB-CGI ustorekeeper.pl access || cve,2001-0466 || nessus,10645 ++1484 || WEB-IIS /isapi/tstisapi.dll access || bugtraq,2381 || cve,2001-0302 ++1485 || WEB-IIS mkilog.exe access || nessus,10359 || url,www.osvdb.org/274 ++1486 || WEB-IIS ctss.idc access || nessus,10359 ++1487 || WEB-IIS /iisadmpwd/aexp2.htr access || bugtraq,2110 || bugtraq,4236 || cve,1999-0407 || cve,2002-0421 || nessus,10371 ++1488 || WEB-CGI store.cgi directory traversal attempt || bugtraq,2385 || cve,2001-0305 || nessus,10639 ++1489 || WEB-MISC /~nobody access || nessus,10484 ++1490 || WEB-PHP Phorum /support/common.php attempt || bugtraq,1997 ++1491 || WEB-PHP Phorum /support/common.php access || bugtraq,1997 || bugtraq,9361 ++1492 || WEB-MISC RBS ISP /newuser directory traversal attempt || bugtraq,1704 || cve,2000-1036 || nessus,10521 ++1493 || WEB-MISC RBS ISP /newuser access || bugtraq,1704 || cve,2000-1036 || nessus,10521 ++1494 || WEB-CGI SIX webboard generate.cgi attempt || bugtraq,3175 || cve,2001-1115 || nessus,10725 ++1495 || WEB-CGI SIX webboard generate.cgi access || bugtraq,3175 || cve,2001-1115 ++1496 || WEB-CGI spin_client.cgi access || nessus,10393 ++1497 || WEB-MISC cross site scripting attempt ++1498 || WEB-MISC PIX firewall manager directory traversal attempt || bugtraq,691 || cve,1999-0158 || nessus,10819 ++1499 || WEB-MISC SiteScope Service access || nessus,10778 ++1500 || WEB-MISC ExAir access || bugtraq,193 || cve,1999-0449 || nessus,10002 || nessus,10003 || nessus,10004 ++1501 || WEB-CGI a1stats a1disp3.cgi directory traversal attempt || bugtraq,2705 || cve,2001-0561 || nessus,10669 
++1502 || WEB-CGI a1stats a1disp3.cgi access || bugtraq,2705 || cve,2001-0561 || nessus,10669 ++1503 || WEB-CGI admentor admin.asp access || bugtraq,4152 || cve,2002-0308 || nessus,10880 || url,www.securiteam.com/windowsntfocus/5DP0N1F6AW.html ++1504 || MISC AFS access || nessus,10441 ++1505 || WEB-CGI alchemy http server PRN arbitrary command execution attempt || bugtraq,3599 || cve,2001-0871 ++1506 || WEB-CGI alchemy http server NUL arbitrary command execution attempt || bugtraq,3599 || cve,2001-0871 ++1507 || WEB-CGI alibaba.pl arbitrary command execution attempt || bugtraq,770 || cve,1999-0885 || nessus,10013 ++1508 || WEB-CGI alibaba.pl access || bugtraq,770 || cve ,CAN-1999-0885 || nessus,10013 ++1509 || WEB-CGI AltaVista Intranet Search directory traversal attempt || bugtraq,896 || cve,2000-0039 || nessus,10015 ++1510 || WEB-CGI test.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016 ++1511 || WEB-CGI test.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016 ++1512 || WEB-CGI input.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016 ++1513 || WEB-CGI input.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016 ++1514 || WEB-CGI input2.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016 ++1515 || WEB-CGI input2.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016 ++1516 || WEB-CGI envout.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016 ++1517 || WEB-CGI envout.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016 ++1518 || WEB-MISC nstelemetry.adp access || nessus,10753 ++1519 || WEB-MISC apache ?M=D directory list attempt || bugtraq,3009 || cve,2001-0731 ++1520 || WEB-MISC server-info access || url,httpd.apache.org/docs/mod/mod_info.html ++1521 || WEB-MISC server-status access || url,httpd.apache.org/docs/mod/mod_info.html ++1522 || WEB-MISC ans.pl attempt || bugtraq,4147 || bugtraq,4149 || 
cve,2002-0306 || cve,2002-0307 || nessus,10875 ++1523 || WEB-MISC ans.pl access || bugtraq,4147 || bugtraq,4149 || cve,2002-0306 || cve,2002-0307 || nessus,10875 ++1524 || WEB-MISC AxisStorpoint CD attempt || bugtraq,1025 || cve,2000-0191 || nessus,10023 ++1525 || WEB-MISC Axis Storpoint CD access || bugtraq,1025 || cve,2000-0191 || nessus,10023 ++1526 || WEB-MISC basilix sendmail.inc access || bugtraq,2198 || cve,2001-1044 || nessus,10601 ++1527 || WEB-MISC basilix mysql.class access || bugtraq,2198 || cve,2001-1044 || nessus,10601 ++1528 || WEB-MISC BBoard access || bugtraq,1459 || cve,2000-0629 || nessus,10507 ++1529 || FTP SITE overflow attempt || cve,1999-0838 || cve,2001-0755 || cve,2001-0770 ++1530 || FTP format string attempt || bugtraq,1387 || bugtraq,2240 || bugtraq,726 || cve,1999-0997 || cve,2000-0573 || nessus,10452 ++1531 || WEB-CGI bb-hist.sh attempt || bugtraq,142 || cve,1999-1462 || nessus,10025 ++1532 || WEB-CGI bb-hostscv.sh attempt || bugtraq,1455 || cve,2000-0638 || nessus,10460 ++1533 || WEB-CGI bb-hostscv.sh access || bugtraq,1455 || cve,2000-0638 || nessus,10460 ++1534 || WEB-CGI agora.cgi attempt || bugtraq,3702 || bugtraq,3976 || cve,2001-1199 || cve,2002-0215 || nessus,10836 ++1535 || WEB-CGI bizdbsearch access || bugtraq,1104 || cve,2000-0287 || nessus,10383 ++1536 || WEB-CGI calendar_admin.pl arbitrary command execution attempt || cve,2000-0432 ++1537 || WEB-CGI calendar_admin.pl access || cve,2000-0432 ++1538 || NNTP AUTHINFO USER overflow attempt || arachnids,274 || bugtraq,1156 || cve,2000-0341 ++1539 || WEB-CGI /cgi-bin/ls access || bugtraq,936 || cve,2000-0079 ++1540 || WEB-COLDFUSION ?Mode=debug attempt || nessus,10797 ++1541 || FINGER version query ++1542 || WEB-CGI cgimail access || bugtraq,1623 || cve,2000-0726 || nessus,11721 ++1543 || WEB-CGI cgiwrap access || bugtraq,1238 || bugtraq,3084 || bugtraq,777 || cve,1999-1530 || cve,2000-0431 || cve,2001-0987 || nessus,10041 ++1544 || WEB-MISC Cisco Catalyst command execution 
attempt || bugtraq,1846 || cve,2000-0945 || nessus,10545 ++1545 || DOS Cisco attempt ++1546 || WEB-MISC Cisco /%% DOS attempt || bugtraq,1154 || cve,2000-0380 ++1547 || WEB-CGI csSearch.cgi arbitrary command execution attempt || bugtraq,4368 || cve,2002-0495 || nessus,10924 ++1548 || WEB-CGI csSearch.cgi access || bugtraq,4368 || cve,2002-0495 || nessus,10924 ++1549 || SMTP HELO overflow attempt || bugtraq,7726 || bugtraq,895 || cve,2000-0042 || nessus,10324 || nessus,11674 ++1550 || SMTP ETRN overflow attempt || bugtraq,1297 || bugtraq,7515 || cve,2000-0490 || nessus,10438 ++1551 || WEB-MISC /CVS/Entries access || nessus,10922 || nessus,11032 ++1552 || WEB-MISC cvsweb version access || cve,2000-0670 ++1553 || WEB-CGI /cart/cart.cgi access || bugtraq,1115 || cve,2000-0252 ++1554 || WEB-CGI dbman db.cgi access || bugtraq,1178 || cve,2000-0381 || nessus,10403 ++1555 || WEB-CGI DCShop access || bugtraq,2889 || cve,2001-0821 ++1556 || WEB-CGI DCShop orders.txt access || bugtraq,2889 || cve,2001-0821 ++1557 || WEB-CGI DCShop auth_user_file.txt access || bugtraq,2889 || cve,2001-0821 ++1558 || WEB-MISC Delegate whois overflow attempt || cve,2000-0165 ++1559 || WEB-MISC /doc/packages access || bugtraq,1707 || cve,2000-1016 || nessus,10518 || nessus,11032 ++1560 || WEB-MISC /doc/ access || bugtraq,318 || cve,1999-0678 ++1561 || WEB-MISC ?open access ++1562 || FTP SITE CHOWN overflow attempt || bugtraq,2120 || cve,2001-0065 ++1563 || WEB-MISC login.htm attempt || bugtraq,665 || cve,1999-1533 ++1564 || WEB-MISC login.htm access || bugtraq,665 || cve,1999-1533 ++1565 || WEB-CGI eshop.pl arbitrary commane execution attempt || bugtraq,3340 || cve,2001-1014 ++1566 || WEB-CGI eshop.pl access || bugtraq,3340 || cve,2001-1014 ++1567 || WEB-IIS /exchange/root.asp attempt || bugtraq,3301 || cve,2001-0660 || nessus,10755 || nessus,10781 || url,www.microsoft.com/technet/security/bulletin/MS01-047.mspx ++1568 || WEB-IIS /exchange/root.asp access || bugtraq,3301 || cve,2001-0660 || 
nessus,10755 || nessus,10781 ++1569 || WEB-CGI loadpage.cgi directory traversal attempt || bugtraq,2109 || cve,2000-1092 ++1570 || WEB-CGI loadpage.cgi access || bugtraq,2109 || cve,2000-1092 ++1571 || WEB-CGI dcforum.cgi directory traversal attempt || bugtraq,2611 || cve,2001-0436 || cve,2001-0437 ++1572 || WEB-CGI commerce.cgi arbitrary file access attempt || bugtraq,2361 || cve,2001-0210 || nessus,10612 ++1573 || WEB-CGI cgiforum.pl attempt || bugtraq,1963 || cve,2000-1171 || nessus,10552 ++1574 || WEB-CGI directorypro.cgi attempt || bugtraq,2793 || cve,2001-0780 ++1575 || WEB-MISC Domino mab.nsf access || bugtraq,4022 || nessus,10953 ++1576 || WEB-MISC Domino cersvr.nsf access || nessus,10629 ++1577 || WEB-MISC Domino setup.nsf access || nessus,10629 ++1578 || WEB-MISC Domino statrep.nsf access || nessus,10629 ++1579 || WEB-MISC Domino webadmin.nsf access || bugtraq,9900 || bugtraq,9901 || nessus,10629 ++1580 || WEB-MISC Domino events4.nsf access || nessus,10629 ++1581 || WEB-MISC Domino ntsync4.nsf access || nessus,10629 ++1582 || WEB-MISC Domino collect4.nsf access || nessus,10629 ++1583 || WEB-MISC Domino mailw46.nsf access || nessus,10629 ++1584 || WEB-MISC Domino bookmark.nsf access || nessus,10629 ++1585 || WEB-MISC Domino agentrunner.nsf access || nessus,10629 ++1586 || WEB-MISC Domino mail.box access || bugtraq,881 || nessus,10629 ++1587 || WEB-MISC cgitest.exe access || arachnids,265 || bugtraq,1313 || bugtraq,3885 || cve,2000-0521 || cve,2002-0128 || nessus,10040 || nessus,10623 || nessus,11131 ++1588 || WEB-MISC SalesLogix Eviewer access || bugtraq,1078 || bugtraq,1089 || cve,2000-0278 || cve,2000-0289 ++1589 || WEB-MISC musicat empower attempt || bugtraq,2374 || cve,2001-0224 || nessus,10609 ++1590 || WEB-CGI faqmanager.cgi arbitrary file access attempt || bugtraq,3810 || nessus,10837 ++1591 || WEB-CGI faqmanager.cgi access || bugtraq,3810 || nessus,10837 ++1592 || WEB-CGI /fcgi-bin/echo.exe access || nessus,10838 ++1593 || WEB-CGI FormHandler.cgi 
external site redirection attempt || bugtraq,798 || bugtraq,799 || cve,1999-1050 || nessus,10075 ++1594 || WEB-CGI FormHandler.cgi access || bugtraq,798 || bugtraq,799 || cve,1999-1050 || nessus,10075 ++1595 || WEB-IIS htimage.exe access || bugtraq,1117 || bugtraq,964 || cve,2000-0122 || cve,2000-0256 || nessus,10376 ++1597 || WEB-CGI guestbook.cgi access || cve,1999-0237 || nessus,10098 ++1598 || WEB-CGI Home Free search.cgi directory traversal attempt || bugtraq,921 || cve,2000-0054 ++1599 || WEB-CGI search.cgi access || bugtraq,921 || cve,2000-0054 ++1600 || WEB-CGI htsearch arbitrary configuration file attempt || cve,2000-0208 ++1601 || WEB-CGI htsearch arbitrary file read attempt || bugtraq,1026 || cve,2000-0208 || nessus,10105 ++1602 || WEB-CGI htsearch access || bugtraq,1026 || cve,2000-0208 || nessus,10105 ++1603 || WEB-MISC DELETE attempt || nessus,10498 ++1604 || WEB-MISC iChat directory traversal attempt || cve,1999-0897 ++1605 || DOS iParty DOS attempt || bugtraq,6844 || cve,1999-1566 ++1606 || WEB-CGI icat access || cve,1999-1069 ++1607 || WEB-CGI HyperSeek hsx.cgi access || bugtraq,2314 || cve,2001-0253 || nessus,10602 ++1608 || WEB-CGI htmlscript attempt || bugtraq,2001 || cve,1999-0264 || nessus,10106 ++1609 || WEB-CGI faxsurvey arbitrary file read attempt || bugtraq,2056 || cve,1999-0262 || nessus,10067 ++1610 || WEB-CGI formmail arbitrary command execution attempt || arachnids,226 || bugtraq,1187 || bugtraq,2079 || cve,1999-0172 || cve,2000-0411 || nessus,10076 || nessus,10782 ++1611 || WEB-CGI eXtropia webstore access || bugtraq,1774 || cve,2000-1005 || nessus,10532 ++1612 || WEB-MISC ftp.pl attempt || bugtraq,1471 || cve,2000-0674 || nessus,10467 ++1613 || WEB-MISC handler attempt || arachnids,235 || bugtraq,380 || cve,1999-0148 || nessus,10100 ++1614 || WEB-MISC Novell Groupwise gwweb.exe attempt || bugtraq,879 || cve,1999-1005 || cve,1999-1006 || nessus,10877 ++1615 || WEB-MISC htgrep attempt || cve,2000-0832 ++1616 || DNS named version 
attempt || arachnids,278 || nessus,10028 ++1617 || WEB-CGI Bugzilla doeditvotes.cgi access || bugtraq,3800 || cve,2002-0011 ++1618 || WEB-IIS .asp chunked Transfer-Encoding || bugtraq,4474 || bugtraq,4485 || cve,2002-0071 || cve,2002-0079 || nessus,10932 ++1619 || EXPERIMENTAL WEB-IIS .htr request || bugtraq,4474 || cve,2002-0071 || nessus,10932 ++1620 || BAD TRAFFIC Non-Standard IP protocol ++1621 || FTP CMD overflow attempt ++1622 || FTP RNFR ././ attempt ++1623 || FTP invalid MODE ++1624 || FTP large PWD command ++1625 || FTP large SYST command ++1626 || WEB-IIS /StoreCSVS/InstantOrder.asmx request ++1627 || BAD-TRAFFIC Unassigned/Reserved IP protocol || url,www.iana.org/assignments/protocol-numbers ++1628 || WEB-CGI FormHandler.cgi directory traversal attempt attempt || bugtraq,798 || bugtraq,799 || cve,1999-1050 || nessus,10075 ++1629 || OTHER-IDS SecureNetPro traffic ++1631 || CHAT AIM login ++1632 || CHAT AIM send message ++1633 || CHAT AIM receive message ++1634 || POP3 PASS overflow attempt || bugtraq,791 || cve,1999-1511 || nessus,10325 ++1635 || POP3 APOP overflow attempt || bugtraq,1652 || cve,2000-0840 || cve,2000-0841 || nessus,10559 ++1636 || MISC Xtramail Username overflow attempt || bugtraq,791 || cve,1999-1511 || nessus,10323 ++1637 || WEB-CGI yabb access || arachnids,462 || bugtraq,1668 || cve,2000-0853 ++1638 || SCAN SSH Version map attempt ++1639 || CHAT IRC DCC file transfer request ++1640 || CHAT IRC DCC chat request ++1641 || DOS DB2 dos attempt || bugtraq,3010 || cve,2001-1143 || nessus,10871 ++1642 || WEB-CGI document.d2w access || bugtraq,2017 || cve,2000-1110 ++1643 || WEB-CGI db2www access || cve,2000-0677 ++1644 || WEB-CGI test-cgi attempt || arachnids,218 || bugtraq,2003 || cve,1999-0070 || nessus,10282 ++1645 || WEB-CGI testcgi access || bugtraq,7214 || nessus,11610 ++1646 || WEB-CGI test.cgi access ++1647 || WEB-CGI faxsurvey attempt full path || bugtraq,2056 || cve,1999-0262 || nessus,10067 ++1648 || WEB-CGI perl.exe command 
attempt || arachnids,219 || cve,1999-0509 || nessus,10173 || url,www.cert.org/advisories/CA-1996-11.html ++1649 || WEB-CGI perl command attempt || arachnids,219 || cve,1999-0509 || nessus,10173 || url,www.cert.org/advisories/CA-1996-11.html ++1650 || WEB-CGI tst.bat access || bugtraq,770 || cve,1999-0885 || nessus,10014 ++1651 || WEB-CGI environ.pl access ++1652 || WEB-CGI campus attempt || bugtraq,1975 || cve,1999-0146 || nessus,10035 ++1653 || WEB-CGI campus access || bugtraq,1975 || cve,1999-0146 || nessus,10035 ++1654 || WEB-CGI cart32.exe access || bugtraq,1153 ++1655 || WEB-CGI pfdispaly.cgi arbitrary command execution attempt || cve,1999-0270 || nessus,10174 ++1656 || WEB-CGI pfdispaly.cgi access || cve,1999-0270 || nessus,10174 ++1657 || WEB-CGI pagelog.cgi directory traversal attempt || bugtraq,1864 || cve,2000-0940 || nessus,10591 ++1658 || WEB-CGI pagelog.cgi access || bugtraq,1864 || cve,2000-0940 || nessus,10591 ++1659 || WEB-COLDFUSION sendmail.cfm access ++1660 || WEB-IIS trace.axd access || nessus,10993 ++1661 || WEB-IIS cmd32.exe access ++1662 || WEB-MISC /~ftp access ++1663 || WEB-MISC *%0a.pl access || nessus,11007 || url,www.securityfocus.com/archive/1/149482 ++1664 || WEB-MISC mkplog.exe access ++1665 || WEB-MISC mkilog.exe access ++1666 || ATTACK-RESPONSES index of /cgi-bin/ response || nessus,10039 ++1667 || WEB-MISC cross site scripting HTML Image tag set to javascript attempt || bugtraq,4858 || cve,2002-0902 ++1668 || WEB-CGI /cgi-bin/ access ++1669 || WEB-CGI /cgi-dos/ access ++1670 || WEB-MISC /home/ftp access || nessus,11032 ++1671 || WEB-MISC /home/www access || nessus,11032 ++1672 || FTP CWD ~ attempt || bugtraq,2601 || bugtraq,9215 || cve,2001-0421 ++1673 || ORACLE EXECUTE_SYSTEM attempt ++1674 || ORACLE connect_data remote version detection attempt ++1675 || ORACLE misparsed login response ++1676 || ORACLE select union attempt ++1677 || ORACLE select like '%' attempt ++1678 || ORACLE select like '%' attempt backslash escaped ++1679 
|| ORACLE describe attempt ++1680 || ORACLE all_constraints access ++1681 || ORACLE all_views access ++1682 || ORACLE all_source access ++1683 || ORACLE all_tables access ++1684 || ORACLE all_tab_columns access ++1685 || ORACLE all_tab_privs access ++1686 || ORACLE dba_tablespace access ++1687 || ORACLE dba_tables access ++1688 || ORACLE user_tablespace access ++1689 || ORACLE sys.all_users access ++1690 || ORACLE grant attempt ++1691 || ORACLE ALTER USER attempt ++1692 || ORACLE drop table attempt ++1693 || ORACLE create table attempt ++1694 || ORACLE alter table attempt ++1695 || ORACLE truncate table attempt ++1696 || ORACLE create database attempt ++1697 || ORACLE alter database attempt ++1698 || ORACLE execute_system attempt ++1699 || P2P Fastrack kazaa/morpheus traffic || url,www.kazaa.com ++1700 || WEB-CGI imagemap.exe access || arachnids,412 || bugtraq,739 || cve,1999-0951 || nessus,10122 ++1701 || WEB-CGI calendar-admin.pl access || bugtraq,1215 ++1702 || WEB-CGI Amaya templates sendtemp.pl access || bugtraq,2504 || cve,2001-0272 ++1703 || WEB-CGI auktion.cgi directory traversal attempt || bugtraq,2367 || cve,2001-0212 || nessus,10638 ++1704 || WEB-CGI cal_make.pl directory traversal attempt || bugtraq,2663 || cve,2001-0463 || nessus,10664 ++1705 || WEB-CGI echo.bat arbitrary command execution attempt || bugtraq,1002 || cve,2000-0213 || nessus,10246 ++1706 || WEB-CGI echo.bat access || bugtraq,1002 || cve,2000-0213 || nessus,10246 ++1707 || WEB-CGI hello.bat arbitrary command execution attempt || bugtraq,1002 || cve,2000-0213 || nessus,10246 ++1708 || WEB-CGI hello.bat access || bugtraq,1002 || cve,2000-0213 || nessus,10246 ++1709 || WEB-CGI ad.cgi access || bugtraq,2103 || cve,2001-0025 || nessus,11464 ++1710 || WEB-CGI bbs_forum.cgi access || bugtraq,2177 || cve,2001-0123 || url,www.cgisecurity.com/advisory/3.1.txt ++1711 || WEB-CGI bsguest.cgi access || bugtraq,2159 || cve,2001-0099 ++1712 || WEB-CGI bslist.cgi access || bugtraq,2160 || cve,2001-0100 
++1713 || WEB-CGI cgforum.cgi access || bugtraq,1951 || cve,2000-1132 ++1714 || WEB-CGI newdesk access ++1715 || WEB-CGI register.cgi access || bugtraq,2157 || cve,2001-0076 ++1716 || WEB-CGI gbook.cgi access || bugtraq,1940 || cve,2000-1131 ++1717 || WEB-CGI simplestguest.cgi access || bugtraq,2106 || cve,2001-0022 ++1718 || WEB-CGI statsconfig.pl access || bugtraq,2211 || cve,2001-0113 ++1719 || WEB-CGI talkback.cgi directory traversal attempt || bugtraq,2547 || cve,2001-0420 ++1720 || WEB-CGI talkback.cgi access || bugtraq,2547 || cve,2001-0420 ++1721 || WEB-CGI adcycle access || bugtraq,3741 || cve,2001-1226 ++1722 || WEB-CGI MachineInfo access || cve,1999-1067 ++1723 || WEB-CGI emumail.cgi NULL attempt || bugtraq,5824 || cve,2002-1526 ++1724 || WEB-CGI emumail.cgi access || bugtraq,5824 || cve,2002-1526 ++1725 || WEB-IIS +.htr code fragment attempt || bugtraq,1488 || cve,2000-0630 || nessus,10680 || url,www.microsoft.com/technet/security/bulletin/MS00-044.mspx ++1726 || WEB-IIS doctodep.btr access ++1727 || WEB-CGI SGI InfoSearch fname access || arachnids,290 || bugtraq,1031 || cve,2000-0207 ++1728 || FTP CWD ~ attempt || bugtraq,2601 || cve,2001-0421 ++1729 || CHAT IRC channel join ++1730 || WEB-CGI ustorekeeper.pl directory traversal attempt || bugtraq,2536 || cve,2001-0466 || nessus,10645 ++1731 || WEB-CGI a1stats access || bugtraq,2705 || cve,2001-0561 || nessus,10669 ++1732 || RPC portmap rwalld request UDP ++1733 || RPC portmap rwalld request TCP ++1734 || FTP USER overflow attempt || bugtraq,10078 || bugtraq,1227 || bugtraq,1504 || bugtraq,1690 || bugtraq,4638 || bugtraq,7307 || bugtraq,8376 || cve,1999-1510 || cve,1999-1514 || cve,1999-1519 || cve,1999-1539 || cve,2000-0479 || cve,2000-0656 || cve,2000-0761 || cve,2000-0943 || cve,2000-1035 || cve,2000-1194 || cve,2001-0256 || cve,2001-0794 || cve,2001-0826 || cve,2002-0126 || cve,2002-1522 || cve,2003-0271 || cve,2004-0286 ++1735 || WEB-CLIENT XMLHttpRequest attempt || bugtraq,4628 || cve,2002-0354 
++1736 || WEB-PHP squirrel mail spell-check arbitrary command attempt || bugtraq,3952 ++1737 || WEB-PHP squirrel mail theme arbitrary command attempt || bugtraq,4385 || cve,2002-0516 ++1738 || WEB-MISC global.inc access || bugtraq,4612 || cve,2002-0614 ++1739 || WEB-PHP DNSTools administrator authentication bypass attempt || bugtraq,4617 || cve,2002-0613 ++1740 || WEB-PHP DNSTools authentication bypass attempt || bugtraq,4617 || cve,2002-0613 ++1741 || WEB-PHP DNSTools access || bugtraq,4617 || cve,2002-0613 ++1742 || WEB-PHP Blahz-DNS dostuff.php modify user attempt || bugtraq,4618 || cve,2002-0599 ++1743 || WEB-PHP Blahz-DNS dostuff.php access || bugtraq,4618 || cve,2002-0599 ++1744 || WEB-MISC SecureSite authentication bypass attempt || bugtraq,4621 ++1745 || WEB-PHP Messagerie supp_membre.php access || bugtraq,4635 ++1746 || RPC portmap cachefsd request UDP || bugtraq,4674 || cve,2002-0033 || cve,2002-0084 ++1747 || RPC portmap cachefsd request TCP || bugtraq,4674 || cve,2002-0033 || cve,2002-0084 ++1748 || FTP command overflow attempt || bugtraq,4638 || cve,2002-0606 ++1749 || EXPERIMENTAL WEB-IIS .NET trace.axd access ++1750 || WEB-IIS users.xml access ++1751 || EXPLOIT cachefsd buffer overflow attempt || bugtraq,4631 || cve,2002-0084 || nessus,10951 ++1752 || MISC AIM AddExternalApp attempt || url,www.w00w00.org/files/w00aimexp/ ++1753 || WEB-IIS as_web.exe access || bugtraq,4670 ++1754 || WEB-IIS as_web4.exe access || bugtraq,4670 ++1755 || IMAP partial body buffer overflow attempt || bugtraq,4713 || cve,2002-0379 ++1756 || WEB-IIS NewsPro administration authentication attempt || bugtraq,4672 ++1757 || WEB-MISC b2 arbitrary command execution attempt || bugtraq,4673 || cve,2002-0734 || cve,2002-1466 || nessus,11667 ++1758 || WEB-MISC b2 access || bugtraq,4673 || cve,2002-0734 || cve,2002-1466 || nessus,11667 ++1759 || MS-SQL xp_cmdshell program execution 445 ++1760 || OTHER-IDS ISS RealSecure 6 event collector connection attempt ++1761 || OTHER-IDS ISS 
RealSecure 6 daemon connection attempt ++1762 || WEB-CGI phf arbitrary command execution attempt || arachnids,128 || bugtraq,629 || cve,1999-0067 ++1763 || WEB-CGI Nortel Contivity cgiproc DOS attempt || bugtraq,938 || cve,2000-0063 || cve,2000-0064 || nessus,10160 ++1764 || WEB-CGI Nortel Contivity cgiproc DOS attempt || bugtraq,938 || cve,2000-0063 || cve,2000-0064 || nessus,10160 ++1765 || WEB-CGI Nortel Contivity cgiproc access || bugtraq,938 || cve,2000-0063 || cve,2000-0064 || nessus,10160 ++1766 || WEB-MISC search.dll directory listing attempt || bugtraq,1684 || cve,2000-0835 || nessus,10514 ++1767 || WEB-MISC search.dll access || bugtraq,1684 || cve,2000-0835 || nessus,10514 ++1768 || WEB-IIS header field buffer overflow attempt || bugtraq,4476 || cve,2002-0150 ++1769 || WEB-MISC .DS_Store access || url,www.macintouch.com/mosxreaderreports46.html ++1770 || WEB-MISC .FBCIndex access || url,www.securiteam.com/securitynews/5LP0O005FS.html ++1771 || POLICY IPSec PGPNet connection attempt ++1772 || WEB-IIS pbserver access || cve,2000-1089 || url,www.microsoft.com/technet/security/bulletin/ms00-094.mspx ++1773 || WEB-PHP php.exe access || url,www.securitytracker.com/alerts/2002/Jan/1003104.html ++1774 || WEB-PHP bb_smilies.php access || url,www.securiteam.com/securitynews/Serious_security_hole_in_PHP-Nuke__bb_smilies_.html ++1775 || MYSQL root login attempt ++1776 || MYSQL show databases attempt ++1777 || FTP EXPLOIT STAT * dos attempt || bugtraq,4482 || cve,2002-0073 || nessus,10934 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx ++1778 || FTP EXPLOIT STAT ? dos attempt || bugtraq,4482 || cve,2002-0073 || nessus,10934 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx ++1779 || FTP CWD .... 
attempt || bugtraq,4884 ++1780 || IMAP EXPLOIT partial body overflow attempt || bugtraq,4713 || cve,2002-0379 ++1787 || WEB-CGI csPassword.cgi access || bugtraq,4885 || bugtraq,4886 || bugtraq,4887 || bugtraq,4889 || cve,2002-0917 || cve,2002-0918 ++1788 || WEB-CGI csPassword password.cgi.tmp access || bugtraq,4889 || cve,2002-0920 ++1789 || CHAT IRC dns request ++1790 || CHAT IRC dns response ++1791 || BACKDOOR fragroute trojan connection attempt || bugtraq,4898 ++1792 || NNTP return code buffer overflow attempt || bugtraq,4900 || cve,2002-0909 ++1800 || VIRUS Klez Incoming ++1801 || WEB-IIS .asp HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx ++1802 || WEB-IIS .asa HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx ++1803 || WEB-IIS .cer HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx ++1804 || WEB-IIS .cdx HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx ++1805 || WEB-CGI Oracle reports CGI access || bugtraq,4848 || cve,2002-0947 ++1806 || WEB-IIS .htr chunked Transfer-Encoding || bugtraq,4855 || bugtraq,5003 || cve,2002-0364 ++1807 || WEB-MISC Chunked-Encoding transfer attempt || bugtraq,4474 || bugtraq,4485 || bugtraq,5033 || cve,2002-0071 || cve,2002-0079 || cve,2002-0392 ++1808 || WEB-MISC apache chunked encoding memory corruption exploit attempt || bugtraq,5033 || cve,2002-0392 ++1809 || WEB-MISC Apache Chunked-Encoding worm attempt || bugtraq,4474 || bugtraq,4485 || bugtraq,5033 || cve,2002-0071 || cve,2002-0079 || cve,2002-0392 ++1810 || ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE || bugtraq,5093 || cve,2002-0390 || cve,2002-0639 ++1811 || ATTACK-RESPONSES successful gobbles ssh exploit uname || bugtraq,5093 || 
cve,2002-0390 || cve,2002-0639 ++1812 || EXPLOIT gobbles SSH exploit attempt || bugtraq,5093 || cve,2002-0390 || cve,2002-0639 ++1813 || ICMP digital island bandwidth query ++1814 || WEB-MISC CISCO VoIP DOS ATTEMPT || bugtraq,4794 || cve,2002-0882 || nessus,11013 ++1815 || WEB-PHP directory.php arbitrary command attempt || bugtraq,4278 || cve,2002-0434 ++1816 || WEB-PHP directory.php access || bugtraq,4278 || cve,2002-0434 ++1817 || WEB-IIS MS Site Server default login attempt || nessus,11018 ++1818 || WEB-IIS MS Site Server admin attempt || nessus,11018 ++1819 || MISC Alcatel PABX 4400 connection attempt || nessus,11019 ++1820 || WEB-MISC IBM Net.Commerce orderdspc.d2w access || bugtraq,2350 || cve,2001-0319 || nessus,11020 ++1821 || EXPLOIT LPD dvips remote command execution attempt || bugtraq,3241 || cve,2001-1002 || nessus,11023 ++1822 || WEB-CGI alienform.cgi directory traversal attempt || bugtraq,4983 || cve,2002-0934 || nessus,11027 ++1823 || WEB-CGI AlienForm af.cgi directory traversal attempt || bugtraq,4983 || cve,2002-0934 || nessus,11027 ++1824 || WEB-CGI alienform.cgi access || bugtraq,4983 || cve,2002-0934 || nessus,11027 ++1825 || WEB-CGI AlienForm af.cgi access || bugtraq,4983 || cve,2002-0934 || nessus,11027 ++1826 || WEB-MISC WEB-INF access || bugtraq,1830 || bugtraq,5119 || cve,2000-1050 || cve,2001-0179 || nessus,11037 ++1827 || WEB-MISC Tomcat servlet mapping cross site scripting attempt || bugtraq,5193 || cve,2002-0682 || nessus,11041 ++1828 || WEB-MISC iPlanet Search directory traversal attempt || bugtraq,5191 || cve,2002-1042 || nessus,11043 ++1829 || WEB-MISC Tomcat TroubleShooter servlet access || bugtraq,4575 || nessus,11046 ++1830 || WEB-MISC Tomcat SnoopServlet servlet access || bugtraq,4575 || nessus,11046 ++1831 || WEB-MISC jigsaw dos attempt || nessus,11047 ++1832 || CHAT ICQ forced user addition || bugtraq,3226 || cve,2001-1305 ++1834 || WEB-PHP PHP-Wiki cross site scripting attempt || bugtraq,5254 || cve,2002-1070 ++1835 || 
WEB-MISC Macromedia SiteSpring cross site scripting attempt || bugtraq,5249 || cve,2002-1027 ++1838 || EXPLOIT SSH server banner overflow || bugtraq,5287 || cve,2002-1059 ++1839 || WEB-MISC mailman cross site scripting attempt || bugtraq,5298 || cve,2002-0855 ++1840 || WEB-CLIENT Javascript document.domain attempt || bugtraq,5346 || cve,2002-0815 ++1841 || WEB-CLIENT Javascript URL host spoofing attempt || bugtraq,5293 ++1842 || IMAP login buffer overflow attempt || bugtraq,13727 || bugtraq,502 || cve,1999-0005 || cve,1999-1557 || cve,2005-1255 || nessus,10123 || nessus,10125 ++1843 || BACKDOOR trinity connection attempt || cve,2000-0138 || nessus,10501 ++1844 || IMAP authenticate overflow attempt || bugtraq,12995 || bugtraq,130 || cve,1999-0005 || cve,1999-0042 || nessus,10292 ++1845 || IMAP list literal overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 ++1846 || POLICY vncviewer Java applet download attempt || nessus,10758 ++1847 || WEB-MISC webalizer access || bugtraq,3473 || cve,2001-0835 || nessus,10816 ++1848 || WEB-MISC webcart-lite access || cve,1999-0610 || nessus,10298 ++1849 || WEB-MISC webfind.exe access || bugtraq,1487 || cve,2000-0622 || nessus,10475 ++1850 || WEB-CGI way-board.cgi access || nessus,10610 ++1851 || WEB-MISC active.log access || bugtraq,1497 || cve,2000-0642 || nessus,10470 ++1852 || WEB-MISC robots.txt access || nessus,10302 ++1853 || BACKDOOR win-trin00 connection attempt || cve,2000-0138 || nessus,10307 ++1854 || DDOS Stacheldraht handler->agent niggahbitch || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis ++1855 || DDOS Stacheldraht agent->handler skillz || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis ++1856 || DDOS Stacheldraht handler->agent ficken || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis ++1857 || WEB-MISC robot.txt access || nessus,10302 ++1858 || WEB-MISC CISCO PIX Firewall Manager directory traversal attempt || bugtraq,691 || cve,1999-0158 || nessus,10819 
++1859 || WEB-MISC Sun JavaServer default password login attempt || cve,1999-0508 || nessus,10995 ++1860 || WEB-MISC Linksys router default password login attempt || nessus,10999 ++1861 || WEB-MISC Linksys router default username and password login attempt || nessus,10999 ++1862 || WEB-CGI mrtg.cgi directory traversal attempt || bugtraq,4017 || cve,2002-0232 || nessus,11001 ++1864 || FTP SITE NEWER attempt || cve,1999-0880 || nessus,10319 ++1865 || WEB-CGI webdist.cgi arbitrary command attempt || bugtraq,374 || cve,1999-0039 || nessus,10299 ++1866 || POP3 USER overflow attempt || bugtraq,11256 || bugtraq,789 || cve,1999-0494 || nessus,10311 ++1867 || MISC xdmcp info query || nessus,10891 ++1868 || WEB-CGI story.pl arbitrary file read attempt || bugtraq,3028 || cve,2001-0804 || nessus,10817 ++1869 || WEB-CGI story.pl access || bugtraq,3028 || cve,2001-0804 || nessus,10817 ++1870 || WEB-CGI siteUserMod.cgi access || bugtraq,951 || cve,2000-0117 || nessus,10253 ++1871 || WEB-MISC Oracle XSQLConfig.xml access || bugtraq,4290 || cve,2002-0568 || nessus,10855 ++1872 || WEB-MISC Oracle Dynamic Monitoring Services dms access || nessus,10848 ++1873 || WEB-MISC globals.jsa access || bugtraq,4034 || cve,2002-0562 || nessus,10850 ++1874 || WEB-MISC Oracle Java Process Manager access || nessus,10851 ++1875 || WEB-CGI cgicso access || bugtraq,6141 || nessus,10779 || nessus,10780 ++1876 || WEB-CGI nph-publish.cgi access || cve,1999-1177 || nessus,10164 ++1877 || WEB-CGI printenv access || bugtraq,1658 || cve,2000-0868 || nessus,10188 || nessus,10503 ++1878 || WEB-CGI sdbsearch.cgi access || bugtraq,1658 || cve,2000-0868 || nessus,10503 ++1879 || WEB-CGI book.cgi arbitrary command execution attempt || bugtraq,3178 || cve,2001-1114 || nessus,10721 ++1880 || WEB-MISC oracle web application server access || bugtraq,1053 || cve,2000-0169 || nessus,10348 ++1881 || WEB-MISC bad HTTP/1.1 request, Potentially worm attack || 
url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html ++1882 || ATTACK-RESPONSES id check returned userid ++1883 || ATTACK-RESPONSES id check returned nobody ++1884 || ATTACK-RESPONSES id check returned web ++1885 || ATTACK-RESPONSES id check returned http ++1886 || ATTACK-RESPONSES id check returned apache ++1887 || MISC OpenSSL Worm traffic || url,www.cert.org/advisories/CA-2002-27.html ++1888 || FTP SITE CPWD overflow attempt || bugtraq,5427 || cve,2002-0826 ++1889 || MISC slapper worm admin traffic || url,isc.incidents.org/analysis.html?id=167 || url,www.cert.org/advisories/CA-2002-27.html ++1890 || RPC status GHBN format string attack || bugtraq,1480 || cve,2000-0666 ++1891 || RPC status GHBN format string attack || bugtraq,1480 || cve,2000-0666 ++1892 || SNMP null community string attempt || bugtraq,2112 || bugtraq,8974 || cve,1999-0517 ++1893 || SNMP missing community string attempt || bugtraq,2112 || cve,1999-0517 ++1894 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 ++1895 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 ++1896 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 ++1897 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 ++1898 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 ++1899 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 ++1900 || ATTACK-RESPONSES successful kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || 
cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 ++1901 || ATTACK-RESPONSES successful kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 ++1902 || IMAP lsub literal overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 ++1903 || IMAP rename overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 ++1904 || IMAP find overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 ++1905 || RPC AMD UDP amqproc_mount plog overflow attempt || bugtraq,614 || cve,1999-0704 ++1906 || RPC AMD TCP amqproc_mount plog overflow attempt || bugtraq,614 || cve,1999-0704 ++1907 || RPC CMSD UDP CMSD_CREATE buffer overflow attempt || bugtraq,524 || cve,1999-0696 ++1908 || RPC CMSD TCP CMSD_CREATE buffer overflow attempt || bugtraq,524 || cve,1999-0696 ++1909 || RPC CMSD TCP CMSD_INSERT buffer overflow attempt || bugtraq,524 || cve,1999-0696 || url,www.cert.org/advisories/CA-99-08-cmsd.html ++1910 || RPC CMSD udp CMSD_INSERT buffer overflow attempt || cve,1999-0696 || url,www.cert.org/advisories/CA-99-08-cmsd.html ++1911 || RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt || bugtraq,866 || cve,1999-0977 ++1912 || RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt || bugtraq,0866 || bugtraq,866 || cve,1999-0977 ++1913 || RPC STATD UDP stat mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666 ++1914 || RPC STATD TCP stat mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666 ++1915 || RPC STATD UDP monitor mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666 ++1916 || RPC STATD TCP monitor mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666 ++1917 || SCAN UPnP service discover attempt ++1918 || SCAN SolarWinds IP scan attempt ++1919 || FTP CWD overflow attempt || bugtraq,11069 || bugtraq,1227 || bugtraq,1690 || bugtraq,6869 || bugtraq,7251 || 
bugtraq,7950 || cve,1999-0219 || cve,1999-1058 || cve,1999-1510 || cve,2000-1035 || cve,2000-1194 || cve,2001-0781 || cve,2002-0126 || cve,2002-0405 ++1920 || FTP SITE NEWER overflow attempt || bugtraq,229 || cve,1999-0800 ++1921 || FTP SITE ZIPCHK overflow attempt || cve,2000-0040 ++1922 || RPC portmap proxy attempt TCP ++1923 || RPC portmap proxy attempt UDP ++1924 || RPC mountd UDP export request || arachnids,26 ++1925 || RPC mountd TCP exportall request || arachnids,26 ++1926 || RPC mountd UDP exportall request || arachnids,26 ++1927 || FTP authorized_keys ++1928 || FTP shadow retrieval attempt ++1929 || BACKDOOR TCPDUMP/PCAP trojan traffic || url,hlug.fscker.com ++1930 || IMAP auth literal overflow attempt || cve,1999-0005 ++1931 || WEB-CGI rpc-nlog.pl access || cve,1999-1278 || url,marc.theaimsgroup.com/?l=bugtraq&m=91470326629357&w=2 || url,marc.theaimsgroup.com/?l=bugtraq&m=91471400632145&w=2 ++1932 || WEB-CGI rpc-smb.pl access || cve,1999-1278 ++1933 || WEB-CGI cart.cgi access || bugtraq,1115 || cve,2000-0252 || nessus,10368 ++1934 || POP2 FOLD overflow attempt || bugtraq,283 || cve,1999-0920 || nessus,10130 ++1935 || POP2 FOLD arbitrary file attempt ++1936 || POP3 AUTH overflow attempt || bugtraq,830 || cve,1999-0822 || nessus,10184 ++1937 || POP3 LIST overflow attempt || bugtraq,948 || cve,2000-0096 || nessus,10197 ++1938 || POP3 XTND overflow attempt ++1939 || MISC bootp hardware address length overflow || cve,1999-0798 ++1940 || MISC bootp invalid hardware type || cve,1999-0798 ++1941 || TFTP GET filename overflow attempt || bugtraq,5328 || cve,2002-0813 ++1942 || FTP RMDIR overflow attempt || bugtraq,819 ++1943 || WEB-MISC /Carello/add.exe access || bugtraq,1245 || cve,2000-0396 || nessus,11776 ++1944 || WEB-MISC /ecscripts/ecware.exe access || bugtraq,6066 ++1945 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537 ++1946 || WEB-MISC answerbook2 admin attempt || bugtraq,5383 || cve,2000-0696 ++1947 || 
WEB-MISC answerbook2 arbitrary command execution attempt || bugtraq,1556 || cve,2000-0697 ++1948 || DNS zone transfer UDP || arachnids,212 || cve,1999-0532 || nessus,10595 ++1949 || RPC portmap SET attempt TCP 111 ++1950 || RPC portmap SET attempt UDP 111 ++1951 || RPC mountd TCP mount request ++1952 || RPC mountd UDP mount request ++1953 || RPC AMD TCP pid request ++1954 || RPC AMD UDP pid request ++1955 || RPC AMD TCP version request ++1956 || RPC AMD UDP version request || bugtraq,1554 || cve,2000-0696 ++1957 || RPC sadmind UDP PING || bugtraq,866 ++1958 || RPC sadmind TCP PING || bugtraq,866 ++1959 || RPC portmap NFS request UDP ++1960 || RPC portmap NFS request TCP ++1961 || RPC portmap RQUOTA request UDP ++1962 || RPC portmap RQUOTA request TCP ++1963 || RPC RQUOTA getquota overflow attempt UDP || bugtraq,864 || cve,1999-0974 ++1964 || RPC tooltalk UDP overflow attempt || bugtraq,122 || cve,1999-0003 ++1965 || RPC tooltalk TCP overflow attempt || bugtraq,122 || cve,1999-0003 ++1966 || MISC GlobalSunTech Access Point Information Disclosure attempt || bugtraq,6100 ++1967 || WEB-PHP phpbb quick-reply.php arbitrary command attempt || bugtraq,6173 ++1968 || WEB-PHP phpbb quick-reply.php access || bugtraq,6173 ++1969 || WEB-MISC ion-p access || bugtraq,6091 || cve,2002-1559 ++1970 || WEB-IIS MDAC Content-Type overflow attempt || bugtraq,6214 || cve,2002-1142 || url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337 || url,www.microsoft.com/technet/security/bulletin/MS02-065.mspx || url,www.microsoft.com/technet/security/bulletin/MS98-004.mspx ++1971 || FTP SITE EXEC format string attempt ++1972 || FTP PASS overflow attempt || bugtraq,10078 || bugtraq,10720 || bugtraq,1690 || bugtraq,3884 || bugtraq,8601 || bugtraq,9285 || cve,1999-1519 || cve,1999-1539 || cve,2000-1035 || cve,2002-0126 || cve,2002-0895 ++1973 || FTP MKD overflow attempt || bugtraq,612 || bugtraq,7278 || bugtraq,9872 || cve,1999-0911 || nessus,12108 ++1974 || FTP REST overflow attempt 
|| bugtraq,2972 || cve,2001-0826 ++1975 || FTP DELE overflow attempt || bugtraq,2972 || cve,2001-0826 || cve,2001-1021 ++1976 || FTP RMD overflow attempt || bugtraq,2972 || cve,2000-0133 || cve,2001-0826 || cve,2001-1021 ++1977 || WEB-MISC xp_regwrite attempt ++1978 || WEB-MISC xp_regdeletekey attempt ++1979 || WEB-MISC perl post attempt || bugtraq,5520 || cve,2002-1436 || nessus,11158 ++1980 || BACKDOOR DeepThroat 3.1 Connection attempt || mcafee,98574 || nessus,10053 ++1981 || BACKDOOR DeepThroat 3.1 Connection attempt [3150] || mcafee,98574 || nessus,10053 ++1982 || BACKDOOR DeepThroat 3.1 Server Response [3150] || arachnids,106 || mcafee,98574 || nessus,10053 ++1983 || BACKDOOR DeepThroat 3.1 Connection attempt [4120] || mcafee,98574 || nessus,10053 ++1984 || BACKDOOR DeepThroat 3.1 Server Response [4120] || arachnids,106 || mcafee,98574 || nessus,10053 ++1985 || BACKDOOR Doly 1.5 server response ++1986 || CHAT MSN outbound file transfer request ++1987 || MISC xfs overflow attempt || bugtraq,6241 || cve,2002-1317 || nessus,11188 ++1988 || CHAT MSN outbound file transfer accept ++1989 || CHAT MSN outbound file transfer rejected ++1990 || CHAT MSN user search ++1991 || CHAT MSN login attempt ++1992 || FTP LIST directory traversal attempt || bugtraq,2618 || cve,2001-0680 || cve,2002-1054 || nessus,11112 ++1993 || IMAP login literal buffer overflow attempt || bugtraq,6298 ++1994 || WEB-CGI vpasswd.cgi access || bugtraq,6038 || nessus,11165 ++1995 || WEB-CGI alya.cgi access || nessus,11118 ++1996 || WEB-CGI viralator.cgi access || bugtraq,3495 || cve,2001-0849 || nessus,11107 ++1997 || WEB-PHP read_body.php access attempt || bugtraq,6302 || cve,2002-1341 ++1998 || WEB-PHP calendar.php access || bugtraq,5820 || bugtraq,9353 || nessus,11179 ++1999 || WEB-PHP edit_image.php access || bugtraq,3288 || cve,2001-1020 || nessus,11104 ++2000 || WEB-PHP readmsg.php access || cve,2001-1408 || nessus,11073 ++2001 || WEB-CGI smartsearch.cgi access || bugtraq,7133 ++2002 || 
WEB-PHP remote include path ++2003 || MS-SQL Worm propagation attempt || bugtraq,5310 || bugtraq,5311 || cve,2002-0649 || nessus,11214 || url,vil.nai.com/vil/content/v_99992.htm ++2004 || MS-SQL Worm propagation attempt OUTBOUND || bugtraq,5310 || bugtraq,5311 || cve,2002-0649 || nessus,11214 || url,vil.nai.com/vil/content/v_99992.htm ++2005 || RPC portmap kcms_server request UDP || bugtraq,6665 || cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785 ++2006 || RPC portmap kcms_server request TCP || bugtraq,6665 || cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785 ++2007 || RPC kcms_server directory traversal attempt || bugtraq,6665 || cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785 ++2008 || MISC CVS invalid user authentication response ++2009 || MISC CVS invalid repository response ++2010 || MISC CVS double free exploit attempt response || bugtraq,6650 || cve,2003-0015 ++2011 || MISC CVS invalid directory response || bugtraq,6650 || cve,2003-0015 ++2012 || MISC CVS missing cvsroot response ++2013 || MISC CVS invalid module response ++2014 || RPC portmap UNSET attempt TCP 111 || bugtraq,1892 ++2015 || RPC portmap UNSET attempt UDP 111 || bugtraq,1892 ++2016 || RPC portmap status request TCP || arachnids,15 ++2017 || RPC portmap espd request UDP || bugtraq,2714 || cve,2001-0331 ++2018 || RPC mountd TCP dump request ++2019 || RPC mountd UDP dump request ++2020 || RPC mountd TCP unmount request ++2021 || RPC mountd UDP unmount request ++2022 || RPC mountd TCP unmountall request ++2023 || RPC mountd UDP unmountall request ++2024 || RPC RQUOTA getquota overflow attempt TCP || bugtraq,864 || cve,1999-0974 ++2025 || RPC yppasswd username overflow attempt UDP || bugtraq,2763 || cve,2001-0779 ++2026 || RPC yppasswd username overflow attempt TCP || bugtraq,2763 || cve,2001-0779 ++2027 || RPC yppasswd old password overflow attempt UDP || bugtraq,2763 || cve,2001-0779 ++2028 || RPC yppasswd old password overflow attempt TCP || bugtraq,2763 || cve,2001-0779 ++2029 || RPC 
yppasswd new password overflow attempt UDP || bugtraq,2763 || cve,2001-0779 ++2030 || RPC yppasswd new password overflow attempt TCP || bugtraq,2763 || cve,2001-0779 ++2031 || RPC yppasswd user update UDP || bugtraq,2763 || cve,2001-0779 ++2032 || RPC yppasswd user update TCP || bugtraq,2763 || cve,2001-0779 ++2033 || RPC ypserv maplist request UDP || bugtraq,5914 || bugtraq,6016 || cve,2002-1232 ++2034 || RPC ypserv maplist request TCP || Cve,CAN-2002-1232 || bugtraq,5914 || bugtraq,6016 ++2035 || RPC portmap network-status-monitor request UDP ++2036 || RPC portmap network-status-monitor request TCP ++2037 || RPC network-status-monitor mon-callback request UDP ++2038 || RPC network-status-monitor mon-callback request TCP ++2039 || MISC bootp hostname format string attempt || bugtraq,4701 || cve,2002-0702 || nessus,11312 ++2040 || POLICY xtacacs login attempt ++2041 || MISC xtacacs failed login response ++2042 || POLICY xtacacs accepted login response ++2043 || MISC isakmp login failed ++2044 || POLICY PPTP Start Control Request attempt ++2045 || RPC snmpXdmi overflow attempt UDP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html ++2046 || IMAP partial body.peek buffer overflow attempt || bugtraq,4713 || cve,2002-0379 ++2047 || MISC rsyncd module list access ++2048 || MISC rsyncd overflow attempt || bugtraq,9153 || cve,2003-0962 || nessus,11943 ++2049 || MS-SQL ping attempt || nessus,10674 ++2050 || MS-SQL version overflow attempt || bugtraq,5310 || cve,2002-0649 || nessus,10674 ++2051 || WEB-CGI cached_feed.cgi moreover shopping cart access || bugtraq,1762 || cve,2000-0906 ++2052 || WEB-CGI overflow.cgi access || bugtraq,6326 || cve,2002-1361 || nessus,11190 || url,www.cert.org/advisories/CA-2002-35.html ++2053 || WEB-CGI process_bug.cgi access || bugtraq,3272 || cve,2002-0008 ++2054 || WEB-CGI enter_bug.cgi arbitrary command attempt || bugtraq,3272 || cve,2002-0008 ++2055 || WEB-CGI enter_bug.cgi access || bugtraq,3272 || 
cve,2002-0008 ++2056 || WEB-MISC TRACE attempt || bugtraq,9561 || nessus,11213 || url,www.whitehatsec.com/press_releases/WH-PR-20030120.pdf ++2057 || WEB-MISC helpout.exe access || bugtraq,6002 || cve,2002-1169 || nessus,11162 ++2058 || WEB-MISC MsmMask.exe attempt || nessus,11163 ++2059 || WEB-MISC MsmMask.exe access || nessus,11163 ++2060 || WEB-MISC DB4Web access || nessus,11180 ++2061 || WEB-MISC Tomcat null byte directory listing attempt || bugtraq,2518 || bugtraq,6721 || cve,2003-0042 ++2062 || WEB-MISC iPlanet .perf access || nessus,11220 ++2063 || WEB-MISC Demarc SQL injection attempt || bugtraq,4520 || cve,2002-0539 ++2064 || WEB-MISC Lotus Notes .csp script source download attempt || bugtraq,6841 ++2065 || WEB-MISC Lotus Notes .csp script source download attempt ++2066 || WEB-MISC Lotus Notes .pl script source download attempt || bugtraq,6841 ++2067 || WEB-MISC Lotus Notes .exe script source download attempt || bugtraq,6841 ++2068 || WEB-MISC BitKeeper arbitrary command attempt || bugtraq,6588 ++2069 || WEB-MISC chip.ini access || bugtraq,2755 || bugtraq,2775 || cve,2001-0749 || cve,2001-0771 ++2070 || WEB-MISC post32.exe arbitrary command attempt || bugtraq,1485 ++2071 || WEB-MISC post32.exe access || bugtraq,1485 ++2072 || WEB-MISC lyris.pl access || bugtraq,1584 || cve,2000-0758 ++2073 || WEB-MISC globals.pl access || bugtraq,2671 || cve,2001-0330 ++2074 || WEB-PHP Mambo uploadimage.php upload php file attempt || bugtraq,6572 ++2075 || WEB-PHP Mambo upload.php upload php file attempt || bugtraq,6572 ++2076 || WEB-PHP Mambo uploadimage.php access || bugtraq,6572 ++2077 || WEB-PHP Mambo upload.php access || bugtraq,6572 ++2078 || WEB-PHP phpBB privmsg.php access || bugtraq,6634 ++2079 || RPC portmap nlockmgr request UDP || bugtraq,1372 || cve,2000-0508 ++2080 || RPC portmap nlockmgr request TCP || bugtraq,1372 || cve,2000-0508 ++2081 || RPC portmap rpc.xfsmd request UDP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359 ++2082 || RPC portmap rpc.xfsmd 
request TCP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359 ++2083 || RPC rpc.xfsmd xfs_export attempt UDP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359 ++2084 || RPC rpc.xfsmd xfs_export attempt TCP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359 ++2085 || WEB-CGI parse_xml.cgi access || bugtraq,6960 || cve,2003-0054 ++2086 || WEB-CGI streaming server parse_xml.cgi access || bugtraq,6960 || cve,2003-0054 ++2087 || SMTP From comment overflow attempt || bugtraq,6991 || cve,2002-1337 || url,www.kb.cert.org/vuls/id/398025 ++2088 || RPC ypupdated arbitrary command attempt UDP ++2089 || RPC ypupdated arbitrary command attempt TCP ++2090 || WEB-IIS WEBDAV exploit attempt || bugtraq,7116 || bugtraq,7716 || cve,2003-0109 || nessus,11413 || url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx ++2091 || WEB-IIS WEBDAV nessus safe scan attempt || bugtraq,7116 || cve,2003-0109 || nessus,11412 || nessus,11413 || url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx ++2092 || RPC portmap proxy integer overflow attempt UDP || bugtraq,7123 || cve,2003-0028 ++2093 || RPC portmap proxy integer overflow attempt TCP || bugtraq,7123 || cve,2003-0028 ++2094 || RPC CMSD UDP CMSD_CREATE array buffer overflow attempt || bugtraq,5356 || cve,2002-0391 ++2095 || RPC CMSD TCP CMSD_CREATE array buffer overflow attempt || bugtraq,5356 || cve,2002-0391 ++2100 || BACKDOOR SubSeven 2.1 Gold server connection response || mcafee,10566 || nessus,10409 ++2101 || NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt || bugtraq,5556 || cve,2002-0724 || nessus,11110 || url,www.corest.com/common/showdoc.php?idx=262 || url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx ++2102 || NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt || bugtraq,5556 || cve,2002-0724 || nessus,11110 || url,www.corest.com/common/showdoc.php?idx=262 || url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx ++2103 || NETBIOS SMB trans2open buffer overflow 
attempt || bugtraq,7294 || cve,2003-0201 || url,www.digitaldefense.net/labs/advisories/DDI-1013.txt ++2104 || ATTACK-RESPONSES rexec username too long response || bugtraq,7459 ++2105 || IMAP authenticate literal overflow attempt || cve,1999-0042 || nessus,10292 ++2106 || IMAP lsub overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 ++2107 || IMAP create buffer overflow attempt || bugtraq,7446 ++2108 || POP3 CAPA overflow attempt ++2109 || POP3 TOP overflow attempt ++2110 || POP3 STAT overflow attempt ++2111 || POP3 DELE overflow attempt ++2112 || POP3 RSET overflow attempt ++2113 || RSERVICES rexec username overflow attempt ++2114 || RSERVICES rexec password overflow attempt ++2115 || WEB-CGI album.pl access || bugtraq,7444 || nessus,11581 ++2116 || WEB-CGI chipcfg.cgi access || bugtraq,2767 || cve,2001-1341 || url,archives.neohapsis.com/archives/bugtraq/2001-05/0233.html ++2117 || WEB-IIS Battleaxe Forum login.asp access || bugtraq,7416 || cve,2003-0215 ++2118 || IMAP list overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 ++2119 || IMAP rename literal overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 ++2120 || IMAP create literal buffer overflow attempt || bugtraq,7446 ++2121 || POP3 DELE negative argument attempt || bugtraq,6053 || bugtraq,7445 || cve,2002-1539 ++2122 || POP3 UIDL negative argument attempt || bugtraq,6053 || cve,2002-1539 || nessus,11570 ++2123 || ATTACK-RESPONSES Microsoft cmd.exe banner || nessus,11633 ++2124 || BACKDOOR Remote PC Access connection attempt || nessus,11673 ++2125 || FTP CWD Root directory transversal attempt || bugtraq,7674 || cve,2003-0392 || nessus,11677 ++2126 || MISC Microsoft PPTP Start Control Request buffer overflow attempt || bugtraq,5807 || cve,2002-1214 || url,www.microsoft.com/technet/security/bulletin/MS02-063.mspx ++2127 || WEB-CGI ikonboard.cgi access || bugtraq,7361 || nessus,11605 ++2128 || WEB-CGI swsrv.cgi access || bugtraq,7510 || cve,2003-0217 || nessus,11608 
++2129 || WEB-IIS nsiislog.dll access || bugtraq,8035 || cve,2003-0227 || cve,2003-0349 || nessus,11664 || url,www.microsoft.com/technet/security/bulletin/ms03-018.mspx ++2130 || WEB-IIS IISProtect siteadmin.asp access || bugtraq,7675 || cve,2003-0377 || nessus,11662 ++2131 || WEB-IIS IISProtect access || nessus,11661 ++2132 || WEB-IIS Synchrologic Email Accelerator userid list access attempt || nessus,11657 ++2133 || WEB-IIS MS BizTalk server access || bugtraq,7469 || bugtraq,7470 || cve,2003-0117 || cve,2003-0118 || nessus,11638 || url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx ++2134 || WEB-IIS register.asp access || nessus,11621 ++2135 || WEB-MISC philboard.mdb access || nessus,11682 ++2136 || WEB-MISC philboard_admin.asp authentication bypass attempt || bugtraq,7739 || nessus,11675 ++2137 || WEB-MISC philboard_admin.asp access || bugtraq,7739 || nessus,11675 ++2138 || WEB-MISC logicworks.ini access || bugtraq,6996 || nessus,11639 ++2139 || WEB-MISC /*.shtml access || bugtraq,1517 || cve,2000-0683 || nessus,11604 ++2140 || WEB-PHP p-news.php access || nessus,11669 ++2141 || WEB-PHP shoutbox.php directory traversal attempt || nessus,11668 ++2142 || WEB-PHP shoutbox.php access || nessus,11668 ++2143 || WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt || nessus,11667 ++2144 || WEB-PHP b2 cafelog gm-2-b2.php access || nessus,11667 ++2145 || WEB-PHP TextPortal admin.php default password admin attempt || bugtraq,7673 || nessus,11660 ++2146 || WEB-PHP TextPortal admin.php default password 12345 attempt || bugtraq,7673 || nessus,11660 ++2147 || WEB-PHP BLNews objects.inc.php4 remote file include attempt || bugtraq,7677 || cve,2003-0394 || nessus,11647 ++2148 || WEB-PHP BLNews objects.inc.php4 access || bugtraq,7677 || cve,2003-0394 || nessus,11647 ++2149 || WEB-PHP Turba status.php access || nessus,11646 ++2150 || WEB-PHP ttCMS header.php remote file include attempt || bugtraq,7542 || bugtraq,7543 || bugtraq,7625 || nessus,11636 ++2151 || 
WEB-PHP ttCMS header.php access || bugtraq,7542 || bugtraq,7543 || bugtraq,7625 || nessus,11636 ++2152 || WEB-PHP test.php access || nessus,11617 ++2153 || WEB-PHP autohtml.php directory traversal attempt || nessus,11630 ++2154 || WEB-PHP autohtml.php access || nessus,11630 ++2155 || WEB-PHP ttforum remote file include attempt || bugtraq,7542 || bugtraq,7543 || nessus,11615 ++2156 || WEB-MISC mod_gzip_status access || nessus,11685 ++2157 || WEB-IIS IISProtect globaladmin.asp access || nessus,11661 ++2158 || MISC BGP invalid length || bugtraq,6213 || cve,2002-1350 || url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575 ++2159 || MISC BGP invalid type 0 || bugtraq,6213 || cve,2002-1350 ++2160 || VIRUS OUTBOUND .exe file attachment ++2161 || VIRUS OUTBOUND .doc file attachment ++2162 || VIRUS OUTBOUND .hta file attachment ++2163 || VIRUS OUTBOUND .chm file attachment ++2164 || VIRUS OUTBOUND .reg file attachment ++2165 || VIRUS OUTBOUND .ini file attachment ++2166 || VIRUS OUTBOUND .bat file attachment ++2167 || VIRUS OUTBOUND .diz file attachment ++2168 || VIRUS OUTBOUND .cpp file attachment ++2169 || VIRUS OUTBOUND .dll file attachment ++2170 || VIRUS OUTBOUND .vxd file attachment ++2171 || VIRUS OUTBOUND .sys file attachment ++2172 || VIRUS OUTBOUND .com file attachment ++2173 || VIRUS OUTBOUND .hsq file attachment ++2174 || NETBIOS SMB winreg create tree attempt ++2175 || NETBIOS SMB winreg unicode create tree attempt ++2176 || NETBIOS SMB startup folder access ++2177 || NETBIOS SMB startup folder unicode access ++2178 || FTP USER format string attempt || bugtraq,7474 || bugtraq,7776 || bugtraq,9262 || bugtraq,9402 || bugtraq,9600 || bugtraq,9800 || cve,2004-0277 || nessus,10041 || nessus,11687 ++2179 || FTP PASS format string attempt || bugtraq,7474 || bugtraq,9262 || bugtraq,9800 || cve,2000-0699 ++2180 || P2P BitTorrent announce request ++2181 || P2P BitTorrent transfer ++2182 || BACKDOOR typot trojan traffic || mcafee,100406 ++2183 || 
SMTP Content-Transfer-Encoding overflow attempt || cve,2003-0161 || url,www.cert.org/advisories/CA-2003-12.html ++2184 || RPC mountd TCP mount path overflow attempt || bugtraq,8179 || cve,2003-0252 || nessus,11800 ++2185 || RPC mountd UDP mount path overflow attempt || bugtraq,8179 || cve,2003-0252 || nessus,11800 ++2186 || BAD-TRAFFIC IP Proto 53 SWIPE || bugtraq,8211 || cve,2003-0567 ++2187 || BAD-TRAFFIC IP Proto 55 IP Mobility || bugtraq,8211 || cve,2003-0567 ++2188 || BAD-TRAFFIC IP Proto 77 Sun ND || bugtraq,8211 || cve,2003-0567 ++2189 || BAD-TRAFFIC IP Proto 103 PIM || bugtraq,8211 || cve,2003-0567 ++2190 || NETBIOS DCERPC invalid bind attempt ++2191 || NETBIOS SMB DCERPC invalid bind attempt ++2192 || NETBIOS DCERPC ISystemActivator bind attempt || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++2193 || NETBIOS SMB-DS DCERPC ISystemActivator bind attempt || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++2194 || WEB-CGI CSMailto.cgi access || bugtraq,4579 || bugtraq,6265 || cve,2002-0749 || nessus,11748 ++2195 || WEB-CGI alert.cgi access || bugtraq,4211 || bugtraq,4579 || cve,2002-0346 || nessus,11748 ++2196 || WEB-CGI catgy.cgi access || bugtraq,3714 || bugtraq,4579 || cve,2001-1212 || nessus,11748 ++2197 || WEB-CGI cvsview2.cgi access || bugtraq,4579 || bugtraq,5517 || cve,2003-0153 || nessus,11748 ++2198 || WEB-CGI cvslog.cgi access || bugtraq,4579 || bugtraq,5517 || cve,2003-0153 || nessus,11748 ++2199 || WEB-CGI multidiff.cgi access || bugtraq,4579 || bugtraq,5517 || cve,2003-0153 || nessus,11748 ++2200 || WEB-CGI dnewsweb.cgi access || bugtraq,1172 || bugtraq,4579 || cve,2000-0423 || nessus,11748 ++2201 || WEB-CGI download.cgi access || bugtraq,4579 || cve,1999-1377 || nessus,11748 ++2202 || WEB-CGI edit_action.cgi access || bugtraq,3698 || bugtraq,4579 || cve,2001-1196 || nessus,11748 ++2203 || WEB-CGI everythingform.cgi 
access || bugtraq,2101 || bugtraq,4579 || cve,2001-0023 || nessus,11748 ++2204 || WEB-CGI ezadmin.cgi access || bugtraq,4068 || bugtraq,4579 || cve,2002-0263 || nessus,11748 ++2205 || WEB-CGI ezboard.cgi access || bugtraq,4068 || bugtraq,4579 || cve,2002-0263 || nessus,11748 ++2206 || WEB-CGI ezman.cgi access || bugtraq,4068 || bugtraq,4579 || cve,2002-0263 || nessus,11748 ++2207 || WEB-CGI fileseek.cgi access || bugtraq,4579 || bugtraq,6784 || cve,2002-0611 || nessus,11748 ++2208 || WEB-CGI fom.cgi access || bugtraq,4579 || cve,2002-0230 || nessus,11748 ++2209 || WEB-CGI getdoc.cgi access || bugtraq,4579 || cve,2000-0288 || nessus,11748 ++2210 || WEB-CGI global.cgi access || bugtraq,4579 || cve,2000-0952 || nessus,11748 ++2211 || WEB-CGI guestserver.cgi access || bugtraq,4579 || cve,2001-0180 || nessus,11748 ++2212 || WEB-CGI imageFolio.cgi access || bugtraq,4579 || bugtraq,6265 || cve,2002-1334 || nessus,11748 ++2213 || WEB-CGI mailfile.cgi access || bugtraq,1807 || bugtraq,4579 || cve,2000-0977 || nessus,11748 ++2214 || WEB-CGI mailview.cgi access || bugtraq,1335 || bugtraq,4579 || cve,2000-0526 || nessus,11748 ++2215 || WEB-CGI nsManager.cgi access || bugtraq,1710 || bugtraq,4579 || cve,2000-1023 || nessus,11748 ++2216 || WEB-CGI readmail.cgi access || bugtraq,3427 || bugtraq,4579 || cve,2001-1283 || nessus,11748 ++2217 || WEB-CGI printmail.cgi access || bugtraq,3427 || bugtraq,4579 || cve,2001-1283 || nessus,11748 ++2218 || WEB-CGI service.cgi access || bugtraq,4211 || bugtraq,4579 || cve,2002-0346 || nessus,11748 ++2219 || WEB-CGI setpasswd.cgi access || bugtraq,2212 || bugtraq,4579 || cve,2001-0133 || nessus,11748 ++2220 || WEB-CGI simplestmail.cgi access || bugtraq,2106 || bugtraq,4579 || cve,2001-0022 || nessus,11748 ++2221 || WEB-CGI ws_mail.cgi access || bugtraq,2861 || bugtraq,4579 || cve,2001-1343 || nessus,11748 ++2222 || WEB-CGI nph-exploitscanget.cgi access || bugtraq,7910 || bugtraq,7911 || bugtraq,7913 || cve,2003-0434 || nessus,11740 ++2223 || 
WEB-CGI csNews.cgi access || bugtraq,4994 || cve,2002-0923 || nessus,11726
++2224 || WEB-CGI psunami.cgi access || bugtraq,6607 || nessus,11750
++2225 || WEB-CGI gozila.cgi access || bugtraq,6086 || cve,2002-1236 || nessus,11773
++2226 || WEB-PHP pmachine remote file include attempt || bugtraq,7919 || nessus,11739
++2227 || WEB-PHP forum_details.php access || bugtraq,7933 || nessus,11760
++2228 || WEB-PHP phpMyAdmin db_details_importdocsql.php access || bugtraq,7962 || bugtraq,7965 || nessus,11761
++2229 || WEB-PHP viewtopic.php access || bugtraq,7979 || cve,2003-0486 || nessus,11767
++2230 || WEB-MISC NetGear router default password login attempt admin/password || nessus,11737
++2231 || WEB-MISC register.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747
++2232 || WEB-MISC ContentFilter.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747
++2233 || WEB-MISC SFNofitication.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747
++2234 || WEB-MISC TOP10.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747
++2235 || WEB-MISC SpamExcp.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747
++2236 || WEB-MISC spamrule.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747
++2237 || WEB-MISC cgiWebupdate.exe access || bugtraq,3216 || cve,2001-1150 || nessus,11722
++2238 || WEB-MISC WebLogic ConsoleHelp view source attempt || bugtraq,1518 || cve,2000-0682 || nessus,11724
++2239 || WEB-MISC redirect.exe access || bugtraq,1256 || cve,2000-0401
++2240 || WEB-MISC changepw.exe access || bugtraq,1256 || cve,2000-0401
++2241 || WEB-MISC cwmail.exe access || bugtraq,4093 || cve,2002-0273 || nessus,11727
++2242 || WEB-MISC ddicgi.exe access || bugtraq,1657 || cve,2000-0826 || nessus,11728
++2243 || WEB-MISC ndcgi.exe access || bugtraq,3583 || cve,2001-0922 || nessus,11730
++2244 || WEB-MISC VsSetCookie.exe access || bugtraq,3784 || cve,2002-0236 || nessus,11731
++2245 || WEB-MISC Webnews.exe access || bugtraq,4124 || cve,2002-0290 || 
nessus,11732
++2246 || WEB-MISC webadmin.dll access || bugtraq,7438 || bugtraq,7439 || bugtraq,8024 || cve,2003-0471 || nessus,11771
++2247 || WEB-IIS UploadScript11.asp access || cve,2001-0938
++2248 || WEB-IIS DirectoryListing.asp access || cve,2001-0938
++2249 || WEB-IIS /pcadmin/login.asp access || bugtraq,8103 || nessus,11785
++2250 || POP3 USER format string attempt || bugtraq,10976 || bugtraq,7667 || cve,2003-0391 || nessus,11742
++2251 || NETBIOS DCERPC Remote Activation bind attempt || bugtraq,8234 || bugtraq,8458 || cve,2003-0528 || cve,2003-0605 || cve,2003-0715 || nessus,11798 || nessus,11835 || url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx
++2252 || NETBIOS SMB-DS DCERPC Remote Activation bind attempt || bugtraq,8234 || bugtraq,8458 || cve,2003-0528 || cve,2003-0605 || cve,2003-0715 || nessus,11798 || nessus,11835 || url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx
++2253 || SMTP XEXCH50 overflow attempt || bugtraq,8838 || cve,2003-0714 || nessus,11889 || url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx
++2254 || SMTP XEXCH50 overflow with evasion attempt || url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx
++2255 || RPC sadmind query with root credentials attempt TCP
++2256 || RPC sadmind query with root credentials attempt UDP
++2257 || NETBIOS DCERPC Messenger Service buffer overflow attempt || bugtraq,8826 || cve,2003-0717 || nessus,11888 || nessus,11890 || url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx
++2258 || NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt || bugtraq,8826 || cve,2003-0717 || nessus,11888 || nessus,11890 || url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx
++2259 || SMTP EXPN overflow attempt || bugtraq,6991 || bugtraq,7230 || cve,2002-1337 || cve,2003-0161
++2260 || SMTP VRFY overflow attempt || bugtraq,6991 || bugtraq,7230 || cve,2002-1337 || cve,2003-0161
++2261 || SMTP SEND FROM sendmail prescan too many addresses overflow || 
bugtraq,6991 || cve,2002-1337 || nessus,11316
++2262 || SMTP SEND FROM sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161
++2263 || SMTP SAML FROM sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337
++2264 || SMTP SAML FROM sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161
++2265 || SMTP SOML FROM sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337
++2266 || SMTP SOML FROM sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161
++2267 || SMTP MAIL FROM sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337
++2268 || SMTP MAIL FROM sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161
++2269 || SMTP RCPT TO sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337
++2270 || SMTP RCPT TO sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161
++2271 || BACKDOOR FsSniffer connection attempt || nessus,11854
++2272 || FTP LIST integer overflow attempt || bugtraq,8875 || cve,2003-0853 || cve,2003-0854
++2273 || IMAP login brute force attempt
++2274 || POP3 login brute force attempt
++2275 || SMTP AUTH LOGON brute force attempt
++2276 || WEB-MISC oracle portal demo access || nessus,11918
++2277 || WEB-MISC PeopleSoft PeopleBooks psdoccgi access || bugtraq,9037 || bugtraq,9038 || cve,2003-0626 || cve,2003-0627
++2278 || WEB-MISC client negative Content-Length attempt || bugtraq,9098 || bugtraq,9476 || bugtraq,9576 || cve,2004-0095
++2279 || WEB-PHP UpdateClasses.php access || bugtraq,9057
++2280 || WEB-PHP Title.php access || bugtraq,9057
++2281 || WEB-PHP Setup.php access || bugtraq,9057
++2282 || WEB-PHP GlobalFunctions.php access || bugtraq,9057
++2283 || WEB-PHP DatabaseFunctions.php access || bugtraq,9057
++2284 || WEB-PHP rolis guestbook remote file include attempt || bugtraq,9057
++2285 || WEB-PHP rolis guestbook access || bugtraq,9057
++2286 || 
WEB-PHP friends.php access || bugtraq,9088
++2287 || WEB-PHP Advanced Poll admin_comment.php access || bugtraq,8890 || nessus,11487
++2288 || WEB-PHP Advanced Poll admin_edit.php access || bugtraq,8890 || nessus,11487
++2289 || WEB-PHP Advanced Poll admin_embed.php access || bugtraq,8890 || nessus,11487
++2290 || WEB-PHP Advanced Poll admin_help.php access || bugtraq,8890 || nessus,11487
++2291 || WEB-PHP Advanced Poll admin_license.php access || bugtraq,8890 || nessus,11487
++2292 || WEB-PHP Advanced Poll admin_logout.php access || bugtraq,8890 || nessus,11487
++2293 || WEB-PHP Advanced Poll admin_password.php access || bugtraq,8890 || nessus,11487
++2294 || WEB-PHP Advanced Poll admin_preview.php access || bugtraq,8890 || nessus,11487
++2295 || WEB-PHP Advanced Poll admin_settings.php access || bugtraq,8890 || nessus,11487
++2296 || WEB-PHP Advanced Poll admin_stats.php access || bugtraq,8890 || nessus,11487
++2297 || WEB-PHP Advanced Poll admin_templates_misc.php access || bugtraq,8890 || nessus,11487
++2298 || WEB-PHP Advanced Poll admin_templates.php access || bugtraq,8890 || nessus,11487
++2299 || WEB-PHP Advanced Poll admin_tpl_misc_new.php access || bugtraq,8890 || nessus,11487
++2300 || WEB-PHP Advanced Poll admin_tpl_new.php access || bugtraq,8890 || nessus,11487
++2301 || WEB-PHP Advanced Poll booth.php access || bugtraq,8890 || nessus,11487
++2302 || WEB-PHP Advanced Poll poll_ssi.php access || bugtraq,8890 || nessus,11487
++2303 || WEB-PHP Advanced Poll popup.php access || bugtraq,8890 || nessus,11487
++2304 || WEB-PHP files.inc.php access || bugtraq,8910
++2305 || WEB-PHP chatbox.php access || bugtraq,8930
++2306 || WEB-PHP gallery remote file include attempt || bugtraq,8814 || nessus,11876
++2307 || WEB-PHP PayPal Storefront remote file include attempt || bugtraq,8791 || nessus,11873
++2308 || NETBIOS SMB DCERPC Workstation Service unicode bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx 
++2309 || NETBIOS SMB DCERPC Workstation Service bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx
++2310 || NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx
++2311 || NETBIOS SMB-DS DCERPC Workstation Service bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx
++2312 || SHELLCODE x86 0x71FB7BAB NOOP
++2313 || SHELLCODE x86 0x71FB7BAB NOOP unicode
++2314 || SHELLCODE x86 0x90 NOOP unicode
++2315 || NETBIOS DCERPC Workstation Service direct service bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx
++2316 || NETBIOS DCERPC Workstation Service direct service access attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx
++2317 || MISC CVS non-relative path error response || bugtraq,9178 || cve,2003-0977
++2318 || MISC CVS non-relative path access attempt || bugtraq,9178 || cve,2003-0977
++2319 || EXPLOIT ebola PASS overflow attempt || bugtraq,9156
++2320 || EXPLOIT ebola USER overflow attempt || bugtraq,9156
++2321 || WEB-IIS foxweb.exe access || nessus,11939
++2322 || WEB-IIS foxweb.dll access || nessus,11939
++2323 || WEB-CGI quickstore.cgi access || bugtraq,9282 || nessus,11975
++2324 || WEB-IIS VP-ASP shopsearch.asp access || bugtraq,9133 || bugtraq,9134 || nessus,11942
++2325 || WEB-IIS VP-ASP ShopDisplayProducts.asp access || bugtraq,9133 || bugtraq,9134 || nessus,11942
++2326 || WEB-IIS sgdynamo.exe access || bugtraq,4720 || cve,2002-0375 || nessus,11955
++2327 || WEB-MISC bsml.pl access || bugtraq,9311 || nessus,11973
++2328 || WEB-PHP authentication_index.php access || cve,2004-0032 || nessus,11982
++2329 || MS-SQL probe response overflow attempt || bugtraq,9407 || cve,2003-0903 || 
url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx
++2330 || IMAP auth overflow attempt || bugtraq,8861
++2331 || WEB-PHP MatrikzGB privilege escalation attempt || bugtraq,8430
++2332 || FTP MKDIR format string attempt || bugtraq,9262
++2333 || FTP RENAME format string attempt || bugtraq,9262
++2334 || FTP Yak! FTP server default account login attempt || bugtraq,9072
++2335 || FTP RMD / attempt || bugtraq,9159
++2336 || TFTP NULL command attempt || bugtraq,7575
++2337 || TFTP PUT filename overflow attempt || bugtraq,7819 || bugtraq,8505 || cve,2003-0380
++2338 || FTP LIST buffer overflow attempt || bugtraq,10181 || bugtraq,6869 || bugtraq,7251 || bugtraq,7861 || bugtraq,8486 || bugtraq,9675 || cve,1999-0349 || cve,1999-1510 || cve,2000-0129 || url,www.microsoft.com/technet/security/bulletin/MS99-003.mspx
++2339 || TFTP NULL command attempt || bugtraq,7575
++2340 || FTP SITE CHMOD overflow attempt || bugtraq,10181 || bugtraq,9483 || bugtraq,9675 || cve,1999-0838 || nessus,12037
++2341 || WEB-PHP DCP-Portal remote file include attempt || bugtraq,6525
++2342 || WEB-PHP DCP-Portal remote file include attempt || bugtraq,6525
++2343 || FTP STOR overflow attempt || bugtraq,8668 || cve,2000-0133
++2344 || FTP XCWD overflow attempt || bugtraq,11542 || bugtraq,8704
++2345 || WEB-PHP PhpGedView search.php access || bugtraq,9369 || cve,2004-0032
++2346 || WEB-PHP myPHPNuke chatheader.php access || bugtraq,6544
++2347 || WEB-PHP myPHPNuke partner.php access || bugtraq,6544
++2348 || NETBIOS SMB-DS DCERPC print spool bind attempt
++2349 || NETBIOS SMB-DS DCERPC enumerate printers request attempt
++2350 || NETBIOS DCERPC ISystemActivator bind accept || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
++2351 || NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
++2352 || 
NETBIOS DCERPC ISystemActivator path overflow attempt big endian unicode || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
++2353 || WEB-PHP IdeaBox cord.php file include || bugtraq,7488
++2354 || WEB-PHP IdeaBox notification.php file include || bugtraq,7488
++2355 || WEB-PHP Invision Board emailer.php file include || bugtraq,7204
++2356 || WEB-PHP WebChat db_mysql.php file include || bugtraq,7000
++2357 || WEB-PHP WebChat english.php file include || bugtraq,7000
++2358 || WEB-PHP Typo3 translations.php file include || bugtraq,6984
++2359 || WEB-PHP Invision Board ipchat.php file include || bugtraq,6976
++2360 || WEB-PHP myphpPagetool pt_config.inc file include || bugtraq,6744
++2361 || WEB-PHP news.php file include || bugtraq,6674
++2362 || WEB-PHP YaBB SE packages.php file include || bugtraq,6663
++2363 || WEB-PHP Cyboards default_header.php access || bugtraq,6597
++2364 || WEB-PHP Cyboards options_form.php access || bugtraq,6597
++2365 || WEB-PHP newsPHP Language file include attempt || bugtraq,8488
++2366 || WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt || bugtraq,9368 || cve,2004-0030
++2367 || WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt || bugtraq,9368 || cve,2004-0030
++2368 || WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt || bugtraq,9368 || cve,2004-0030
++2369 || WEB-MISC ISAPISkeleton.dll access || bugtraq,9516
++2370 || WEB-MISC BugPort config.conf file access || bugtraq,9542
++2371 || WEB-MISC Sample_showcode.html access || bugtraq,9555
++2372 || WEB-PHP Photopost PHP Pro showphoto.php access || bugtraq,9557
++2373 || FTP XMKD overflow attempt || bugtraq,7909 || cve,2000-0133 || cve,2001-1021
++2374 || FTP NLST overflow attempt || bugtraq,10184 || bugtraq,7909 || bugtraq,9675 || cve,1999-1544
++2375 || BACKDOOR DoomJuice file upload attempt || 
url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html
++2376 || EXPLOIT ISAKMP first payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040
++2377 || EXPLOIT ISAKMP second payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040
++2378 || EXPLOIT ISAKMP third payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040
++2379 || EXPLOIT ISAKMP forth payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040
++2380 || EXPLOIT ISAKMP fifth payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040
++2381 || WEB-MISC schema overflow attempt || bugtraq,9581 || cve,2004-0039 || nessus,12084
++2382 || NETBIOS SMB Session Setup NTMLSSP asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx
++2383 || NETBIOS SMB-DS Session Setup NTMLSSP asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx
++2384 || NETBIOS SMB NTLMSSP invalid mechlistMIC attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12054 || nessus,12065
++2385 || NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12054 || nessus,12065
++2386 || WEB-IIS NTLM ASN.1 vulnerability scan attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12055 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx
++2387 || WEB-CGI view_broadcast.cgi access || bugtraq,8257 || cve,2003-0422
++2388 || WEB-CGI streaming server view_broadcast.cgi access || bugtraq,8257 || cve,2003-0422
++2389 || FTP RNTO overflow attempt || bugtraq,8315 || cve,2000-0133 || cve,2001-1021 || cve,2003-0466
++2390 || 
FTP STOU overflow attempt || bugtraq,8315 || cve,2003-0466
++2391 || FTP APPE overflow attempt || bugtraq,8315 || bugtraq,8542 || cve,2000-0133 || cve,2003-0466
++2392 || FTP RETR overflow attempt || bugtraq,8315 || cve,2003-0466 || cve,2004-0287 || cve,2004-0298
++2393 || WEB-PHP /_admin access || bugtraq,9537 || nessus,12032
++2394 || WEB-MISC Compaq web-based management agent denial of service attempt || bugtraq,8014
++2395 || WEB-MISC InteractiveQuery.jsp access || bugtraq,8938 || cve,2003-0624
++2396 || WEB-CGI CCBill whereami.cgi arbitrary command execution attempt || bugtraq,8095 || url,secunia.com/advisories/9191/
++2397 || WEB-CGI CCBill whereami.cgi access || bugtraq,8095 || url,secunia.com/advisories/9191/
++2398 || WEB-PHP WAnewsletter newsletter.php file include attempt || bugtraq,6965
++2399 || WEB-PHP WAnewsletter db_type.php access || bugtraq,6964
++2400 || WEB-MISC edittag.pl access || bugtraq,6675
++2401 || NETBIOS SMB Session Setup AndX request username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html
++2402 || NETBIOS SMB-DS Session Setup AndX request username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html
++2403 || NETBIOS SMB Session Setup AndX request unicode username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html
++2404 || NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html
++2405 || WEB-PHP phptest.php access || bugtraq,9737
++2406 || TELNET APC SmartSlot default admin account attempt || bugtraq,9681 || cve,2004-0311 || nessus,12066
++2407 || WEB-MISC util.pl access || bugtraq,9748
++2408 || WEB-MISC Invision Power Board search.pl access || bugtraq,9766
++2409 || POP3 APOP USER overflow attempt || bugtraq,9794
++2410 || WEB-PHP IGeneric Free Shopping Cart page.php access || bugtraq,9773
++2411 || WEB-MISC 
Real Server DESCRIBE buffer overflow attempt || bugtraq,8476 || url,www.service.real.com/help/faq/security/rootexploit091103.html
++2412 || ATTACK-RESPONSES successful cross site scripting forced download attempt
++2413 || EXPLOIT ISAKMP delete hash with empty hash attempt || bugtraq,9416 || bugtraq,9417 || cve,2004-0164
++2414 || EXPLOIT ISAKMP initial contact notification without SPI attempt || bugtraq,9416 || bugtraq,9417 || cve,2004-0164
++2415 || EXPLOIT ISAKMP second payload initial contact notification without SPI attempt || bugtraq,9416 || bugtraq,9417 || cve,2004-0164
++2416 || FTP invalid MDTM command attempt || bugtraq,9751 || cve,2001-1021 || cve,2004-0330
++2417 || FTP format string attempt
++2418 || MISC MS Terminal Server no encryption session initiation attempt || url,www.microsoft.com/technet/security/bulletin/MS01-052.mspx
++2419 || MULTIMEDIA realplayer .ram playlist download attempt
++2420 || MULTIMEDIA realplayer .rmp playlist download attempt
++2421 || MULTIMEDIA realplayer .smi playlist download attempt
++2422 || MULTIMEDIA realplayer .rt playlist download attempt
++2423 || MULTIMEDIA realplayer .rp playlist download attempt
++2424 || NNTP sendsys overflow attempt || bugtraq,9382 || cve,2004-0045
++2425 || NNTP senduuname overflow attempt || bugtraq,9382 || cve,2004-0045
++2426 || NNTP version overflow attempt || bugtraq,9382 || cve,2004-0045
++2427 || NNTP checkgroups overflow attempt || bugtraq,9382 || cve,2004-0045
++2428 || NNTP ihave overflow attempt || bugtraq,9382 || cve,2004-0045
++2429 || NNTP sendme overflow attempt || bugtraq,9382 || cve,2004-0045
++2430 || NNTP newgroup overflow attempt || bugtraq,9382 || cve,2004-0045
++2431 || NNTP rmgroup overflow attempt || bugtraq,9382 || cve,2004-0045
++2432 || NNTP article post without path attempt
++2433 || WEB-CGI MDaemon form2raw.cgi overflow attempt || bugtraq,9317 || url,secunia.com/advisories/10512/
++2434 || WEB-CGI MDaemon form2raw.cgi access || bugtraq,9317 || 
url,secunia.com/advisories/10512/
++2435 || WEB-CLIENT Microsoft emf metafile access || bugtraq,10120 || bugtraq,9707 || cve,2003-0906 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2436 || WEB-CLIENT Microsoft wmf metafile access || bugtraq,10120 || bugtraq,9707 || cve,2003-0906 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2437 || WEB-CLIENT RealPlayer arbitrary javascript command attempt || bugtraq,8453 || bugtraq,9378 || cve,2003-0726
++2438 || WEB-CLIENT RealPlayer playlist file URL overflow attempt || bugtraq,9579 || cve,2004-0258
++2439 || WEB-CLIENT RealPlayer playlist http URL overflow attempt || bugtraq,9579 || cve,2004-0258
++2440 || WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt || bugtraq,9579 || cve,2004-0258
++2441 || WEB-MISC NetObserve authentication bypass attempt || bugtraq,9319
++2442 || WEB-MISC Quicktime User-Agent buffer overflow attempt || bugtraq,9735 || cve,2004-0169
++2443 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
++2444 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
++2445 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
++2446 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER overflow attempt || cve,2004-0362 || url,www.eeye.com/html/Research/Advisories/AD20040318.html
++2447 || WEB-MISC ServletManager access || bugtraq,3697 || cve,2001-1195 || nessus,12122
++2448 || WEB-MISC setinfo.hts access || bugtraq,9973 || nessus,12120
++2449 || FTP ALLO overflow attempt || bugtraq,9953
++2450 || CHAT Yahoo IM successful logon
++2451 || CHAT Yahoo IM voicechat
++2452 || CHAT Yahoo IM ping
++2453 || CHAT Yahoo IM conference invitation
++2454 || CHAT Yahoo IM conference logon success
++2455 || CHAT Yahoo IM conference message
++2456 || CHAT Yahoo Messenger File 
Transfer Receive Request
++2457 || CHAT Yahoo IM message
++2458 || CHAT Yahoo IM successful chat join
++2459 || CHAT Yahoo IM conference offer invitation
++2460 || CHAT Yahoo IM conference request
++2461 || CHAT Yahoo IM conference watch
++2462 || EXPLOIT IGMP IGAP account overflow attempt || bugtraq,9952 || cve,2004-0176 || cve,2004-0367
++2463 || EXPLOIT IGMP IGAP message overflow attempt || bugtraq,9952 || cve,2004-0176 || cve,2004-0367
++2464 || EXPLOIT EIGRP prefix length overflow attempt || bugtraq,9952 || cve,2004-0176 || cve,2004-0367
++2465 || NETBIOS SMB-DS IPC$ share access
++2466 || NETBIOS SMB-DS IPC$ unicode share access
++2467 || NETBIOS SMB D$ unicode share access
++2468 || NETBIOS SMB-DS D$ share access
++2469 || NETBIOS SMB-DS D$ unicode share access
++2470 || NETBIOS SMB C$ unicode share access
++2471 || NETBIOS SMB-DS C$ share access
++2472 || NETBIOS SMB-DS C$ unicode share access
++2473 || NETBIOS SMB ADMIN$ unicode share access
++2474 || NETBIOS SMB-DS ADMIN$ share access
++2475 || NETBIOS SMB-DS ADMIN$ unicode share access
++2476 || NETBIOS SMB-DS winreg create tree attempt
++2477 || NETBIOS SMB-DS winreg unicode create tree attempt
++2478 || NETBIOS SMB-DS winreg bind attempt
++2479 || NETBIOS SMB-DS winreg unicode bind attempt
++2480 || NETBIOS SMB-DS InitiateSystemShutdown unicode attempt
++2481 || NETBIOS SMB-DS InitiateSystemShutdown unicode little endian attempt
++2482 || NETBIOS SMB-DS InitiateSystemShutdown attempt
++2483 || NETBIOS SMB-DS InitiateSystemShutdown little endian attempt
++2484 || WEB-MISC source.jsp access || nessus,12119
++2485 || WEB-CLIENT Norton antivirus sysmspam.dll load attempt || bugtraq,9916 || cve,2004-0363
++2486 || DOS ISAKMP invalid identification payload attempt || bugtraq,10004 || cve,2004-0184
++2487 || SMTP WinZip MIME content-type buffer overflow || bugtraq,9758 || cve,2004-0333 || nessus,12621
++2488 || SMTP WinZip MIME content-disposition buffer overflow || bugtraq,9758 || cve,2004-0333 || 
nessus,12621
++2489 || EXPLOIT esignal STREAMQUOTE buffer overflow attempt || bugtraq,9978
++2490 || EXPLOIT esignal SNAPQUOTE buffer overflow attempt || bugtraq,9978
++2491 || NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2492 || NETBIOS SMB DCERPC ISystemActivator bind attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2493 || NETBIOS SMB DCERPC ISystemActivator unicode bind attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2494 || NETBIOS DCEPRC ORPCThis request flood attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2495 || NETBIOS SMB DCEPRC ORPCThis request flood attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2496 || NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2497 || IMAP SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2498 || IMAP SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2499 || MISC LDAP SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2500 || POP3 SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2501 || POP3 SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || 
url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2502 || POP3 SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2503 || SMTP SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2504 || SMTP SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2505 || WEB-MISC SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2506 || WEB-MISC SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2507 || NETBIOS DCERPC LSASS bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2508 || NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2509 || NETBIOS SMB DCERPC LSASS unicode bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2510 || NETBIOS SMB DCERPC LSASS bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2511 || NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2512 || NETBIOS SMB-DS DCERPC LSASS bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2513 || NETBIOS SMB-DS DCERPC LSASS unicode bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx 
++2514 || NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2515 || WEB-MISC PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2516 || POP3 PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2517 || IMAP PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2518 || POP3 PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2520 || WEB-MISC SSLv3 Client_Hello request
++2521 || WEB-MISC SSLv3 Server_Hello request
++2522 || WEB-MISC SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2523 || DOS BGP spoofed connection reset attempt || bugtraq,10183 || cve,2004-0230 || url,www.uniras.gov.uk/vuls/2004/236929/index.htm
++2524 || NETBIOS DCERPC LSASS direct bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2525 || NETBIOS SMB DCERPC LSASS direct bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2526 || NETBIOS SMB-DS DCERPC LSASS direct bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2527 || SMTP STARTTLS attempt
++2528 || SMTP PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2529 || IMAP SSLv3 Client_Hello request
++2530 || IMAP SSLv3 Server_Hello request
++2531 || IMAP SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || 
url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2532 || POP3 SSLv3 Client_Hello request
++2533 || POP3 SSLv3 Server_Hello request
++2534 || POP3 SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2535 || POP3 SSLv3 Client_Hello request
++2536 || POP3 SSLv3 Server_Hello request
++2537 || POP3 SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2541 || SMTP TLS SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2542 || SMTP SSLv3 Client_Hello request
++2543 || SMTP TLS SSLv3 Server_Hello request || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2544 || SMTP SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++2545 || EXPLOIT AFP FPLoginExt username buffer overflow attempt || bugtraq,10271 || cve,2004-0430 || url,www.atstake.com/research/advisories/2004/a050304-1.txt
++2546 || FTP MDTM overflow attempt || bugtraq,9751 || cve,2001-1021 || cve,2004-0330 || nessus,12080
++2547 || MISC HP Web JetAdmin remote file upload attempt || bugtraq,9978
++2548 || MISC HP Web JetAdmin setinfo access || bugtraq,9972
++2549 || MISC HP Web JetAdmin file write attempt || bugtraq,9973
++2550 || EXPLOIT winamp XM module name overflow || url,www.nextgenss.com/advisories/winampheap.txt
++2551 || EXPLOIT Oracle Web Cache GET overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126
++2552 || EXPLOIT Oracle Web Cache HEAD overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126
++2553 || EXPLOIT Oracle Web Cache PUT overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126
++2554 || EXPLOIT Oracle Web Cache POST overflow attempt || bugtraq,9868 || 
cve,2004-0385 || nessus,12126
++2555 || EXPLOIT Oracle Web Cache TRACE overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126
++2556 || EXPLOIT Oracle Web Cache DELETE overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126
++2557 || EXPLOIT Oracle Web Cache LOCK overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126
++2558 || EXPLOIT Oracle Web Cache MKCOL overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126
++2559 || EXPLOIT Oracle Web Cache COPY overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126
++2560 || EXPLOIT Oracle Web Cache MOVE overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126
++2561 || MISC rsync backup-dir directory traversal attempt || bugtraq,10247 || cve,2004-0426 || nessus,12230
++2562 || WEB-MISC McAfee ePO file upload attempt || bugtraq,10200 || cve,2004-0038
++2563 || NETBIOS NS lookup response name overflow attempt || bugtraq,10333 || bugtraq,10334 || cve,2004-0444 || cve,2004-0445 || url,www.eeye.com/html/Research/Advisories/AD20040512A.html
++2564 || NETBIOS NS lookup short response attempt || bugtraq,10334 || bugtraq,10335 || cve,2004-0444 || cve,2004-0445 || url,www.eeye.com/html/Research/Advisories/AD20040512C.html
++2565 || WEB-PHP modules.php access || bugtraq,9879
++2566 || WEB-PHP PHPBB viewforum.php access || bugtraq,9865 || bugtraq,9866 || nessus,12093
++2567 || WEB-CGI Emumail init.emu access || bugtraq,9861 || nessus,12095
++2568 || WEB-CGI Emumail emumail.fcgi access || bugtraq,9861 || nessus,12095
++2569 || WEB-MISC cPanel resetpass access || bugtraq,9848
++2570 || WEB-MISC Invalid HTTP Version String || bugtraq,9809 || nessus,11593
++2571 || WEB-IIS SmarterTools SmarterMail frmGetAttachment.aspx access || bugtraq,9805
++2572 || WEB-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt || bugtraq,9805
++2573 || WEB-IIS SmarterTools SmarterMail frmCompose.asp access || bugtraq,9805
++2574 || FTP RETR format string attempt || bugtraq,9800
++2575 || 
WEB-PHP Opt-X header.php remote file include attempt || bugtraq,9732 ++2576 || ORACLE dbms_repcat.generate_replication_support buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck93.html ++2577 || WEB-CLIENT local resource redirection attempt || cve,2004-0549 || url,www.kb.cert.org/vuls/id/713878 ++2578 || EXPLOIT kerberos principal name overflow UDP || url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt ++2579 || EXPLOIT kerberos principal name overflow TCP || url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt ++2580 || WEB-MISC server negative Content-Length attempt || cve,2004-0492 || url,www.guninski.com/modproxy1.html ++2581 || WEB-MISC Crystal Reports crystalimagehandler.aspx access || cve,2004-0204 || url,www.microsoft.com/security/bulletins/200406_crystal.mspx ++2582 || WEB-MISC Crystal Reports crystalImageHandler.aspx directory traversal attempt || bugtraq,10260 || cve,2004-0204 || nessus,12271 || url,www.microsoft.com/security/bulletins/200406_crystal.mspx ++2583 || MISC CVS Max-dotdot integer overflow attempt || bugtraq,10499 || cve,2004-0417 ++2584 || EXPLOIT eMule buffer overflow attempt || bugtraq,10039 || nessus,12233 ++2585 || WEB-MISC nessus 2.x 404 probe || nessus,10386 ++2586 || P2P eDonkey transfer || url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html ++2587 || P2P eDonkey server response || url,www.emule-project.net ++2588 || WEB-PHP TUTOS path disclosure attempt || bugtraq,10129 || url,www.securiteam.com/unixfocus/5FP0J15CKE.html ++2589 || WEB-CLIENT Content-Disposition CLSID command attempt || bugtraq,9510 || cve,2004-0420 || url,www.microsoft.com/technet/security/bulletin/ms04-024.mspx ++2590 || SMTP MAIL FROM overflow attempt || bugtraq,10290 || bugtraq,7506 || cve,2004-0399 || url,www.guninski.com/exim1.html ++2591 || SMTP From command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html ++2592 || SMTP ReplyTo command overflow attempt || 
bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html ++2593 || SMTP Sender command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html ++2594 || SMTP To command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html ++2595 || SMTP CC command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html ++2596 || SMTP BCC command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html ++2597 || WEB-MISC Samba SWAT Authorization overflow attempt || bugtraq,10780 ++2598 || WEB-MISC Samba SWAT Authorization port 901 overflow attempt || bugtraq,10780 ++2599 || ORACLE dbms_repcat.add_grouped_column buffer overflow attempt ++2600 || ORACLE add_grouped_column ordered sname/oname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html ++2601 || ORACLE dbms_repcat.drop_master_repgroup buffer overflow attempt ++2602 || ORACLE drop_master_repgroup ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck87.html ++2603 || ORACLE dbms_repcat.create_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html ++2604 || ORACLE create_mview_repgroup ordered fname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html ++2605 || ORACLE dbms_repcat.compare_old_values buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck91.html ++2606 || ORACLE dbms_repcat.comment_on_repobject buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html ++2607 || ORACLE comment_on_repobject ordered type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html ++2608 || ORACLE sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html ++2609 || ORACLE dbms_repcat.cancel_statistics buffer overflow attempt ++2610 || ORACLE cancel_statistics ordered sname/oname buffer overflow attempt || 
url,www.appsecinc.com/Policy/PolicyCheck633.html ++2611 || ORACLE LINK metadata buffer overflow attempt || bugtraq,7453 || cve,2003-0222 || url,archives.neohapsis.com/archives/bugtraq/2003-04/0360.html ++2612 || ORACLE sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html ++2613 || ORACLE revoke_surrogate_repcat ordered userid buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html ++2614 || ORACLE time_zone buffer overflow attempt || bugtraq,9587 || url,www.nextgenss.com/advisories/ora_time_zone.txt ++2615 || ORACLE sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html ++2616 || ORACLE grant_surrogate_repcat ordered userid buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html ++2617 || ORACLE sys.dbms_repcat.alter_mview_propagation buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html ++2618 || ORACLE alter_mview_propagation ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html ++2619 || ORACLE dbms_repcat.alter_master_repobject buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html ++2620 || ORACLE alter_master_repobject ordered type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html ++2621 || ORACLE dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html ++2622 || ORACLE dbms_repcat_utl.drop_an_object buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html ++2623 || ORACLE dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html ++2624 || ORACLE dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html ++2625 || ORACLE unregister_user_repgroup ordered privilege_type buffer overflow attempt || 
url,www.appsecinc.com/Policy/PolicyCheck94.html ++2626 || ORACLE dbms_repcat.send_old_values buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck91.html ++2627 || ORACLE dbms_repcat.repcat_import_check buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html ++2628 || ORACLE repcat_import_check ordered gowner/gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html ++2629 || ORACLE dbms_repcat_admin.register_user_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html ++2630 || ORACLE register_user_repgroup ordered privilege_type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html ++2631 || ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html ++2632 || ORACLE refresh_mview_repgroup ordered gowner buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html ++2633 || ORACLE sys.dbms_rectifier_diff.rectify buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html ++2634 || ORACLE rectifier_diff ordered sname1 buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html ++2635 || ORACLE dbms_offline_snapshot.end_load buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html ++2636 || ORACLE snapshot.end_load ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html ++2637 || ORACLE dbms_repcat.drop_master_repobject buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html ++2638 || ORACLE drop_master_repobject ordered type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html ++2639 || ORACLE dbms_repcat.drop_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html ++2640 || ORACLE drop_mview_repgroup ordered gowner/gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html ++2641 || ORACLE 
dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt ++2642 || ORACLE drop_site_instantiation ordered refresh_template_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck629.html ++2643 || ORACLE sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck96.html ++2644 || ORACLE from_tz buffer overflow attempt || url,www.nextgenss.com/advisories/ora_from_tz.txt ++2645 || ORACLE dbms_repcat_instantiate.instantiate_offline buffer overflow attempt ++2646 || ORACLE instantiate_offline ordered refresh_template_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck630.html ++2647 || ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt ++2648 || ORACLE instantiate_online ordered refresh_template_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck631.html ++2649 || ORACLE service_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck52.html ++2650 || ORACLE user name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck62.html ++2651 || ORACLE NUMTODSINTERVAL/NUMTOYMINTERVAL buffer overflow attempt || bugtraq,9587 || url,www.nextgenss.com/advisories/ora_numtodsinterval.txt || url,www.nextgenss.com/advisories/ora_numtoyminterval.txt ++2652 || ORACLE dbms_offline_og.begin_load buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html ++2653 || ORACLE og.begin_load ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html ++2654 || WEB-PHP PHPNuke Forum viewtopic SQL insertion attempt || bugtraq,7193 ++2655 || MISC HP Web JetAdmin ExecuteFile admin access || bugtraq,10224 ++2656 || WEB-MISC SSLv2 Client_Hello Challenge Length overflow attempt ++2657 || WEB-MISC SSLv2 Client_Hello with pad Challenge Length overflow attempt ++2658 || WEB-MISC SSLv2 Client_Hello request ++2659 || WEB-MISC SSLv2 Client_Hello with pad request ++2660 || WEB-MISC SSLv2 
Server_Hello request ++2661 || WEB-MISC TLSv1 Client_Hello request ++2662 || WEB-MISC TLSv1 Server_Hello request ++2663 || WEB-CGI WhatsUpGold instancename overflow attempt || bugtraq,11043 || cve,2004-0798 ++2664 || IMAP login format string attempt || bugtraq,10976 ++2665 || IMAP login literal format string attempt || bugtraq,10976 ++2666 || POP3 PASS format string attempt || bugtraq,10976 ++2667 || WEB-IIS ping.asp access || nessus,10968 ++2668 || WEB-CGI processit access || nessus,10649 ++2669 || WEB-CGI ibillpm.pl access || bugtraq,3476 || nessus,11083 ++2670 || WEB-CGI pgpmail.pl access || bugtraq,3605 || cve,2001-0937 || nessus,11070 ++2671 || WEB-CLIENT bitmap BitmapOffset integer overflow attempt || bugtraq,9663 || cve,2004-0566 ++2672 || WEB-MISC sresult.exe access || bugtraq,10837 || nessus,14186 ++2673 || WEB-CLIENT libpng tRNS overflow attempt || bugtraq,10872 || cve,2004-0597 ++2674 || ORACLE dbms_repcat.add_delete_resolution buffer overflow attempt ++2675 || ORACLE dbms_repcat_rgt.instantiate_offline buffer overflow attempt ++2676 || ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt ++2677 || ORACLE dbms_repcat_rgt.instantiate_online buffer overflow attempt ++2678 || ORACLE ctx_output.start_log buffer overflow attempt ++2679 || ORACLE sys.dbms_system.ksdwrt buffer overflow attempt ++2680 || ORACLE ctxsys.driddlr.subindexpopulate buffer overflow attempt ++2681 || ORACLE mdsys.sdo_admin.sdo_code_size buffer overflow attempt ++2682 || ORACLE mdsys.md2.validate_geom buffer overflow attempt ++2683 || ORACLE mdsys.md2.sdo_code_size buffer overflow attempt ++2684 || ORACLE sys.ltutil.pushdeferredtxns buffer overflow attempt ++2685 || ORACLE sys.dbms_repcat_rq.add_column buffer overflow attempt ++2686 || ORACLE sys.dbms_rectifier_diff.differences buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html ++2687 || ORACLE sys.dbms_internal_repcat.validate buffer overflow attempt ++2688 || ORACLE 
sys.dbms_internal_repcat.enable_receiver_trace buffer overflow attempt ++2689 || ORACLE sys.dbms_internal_repcat.disable_receiver_trace buffer overflow attempt ++2690 || ORACLE sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow attempt ++2691 || ORACLE sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow attempt ++2692 || ORACLE sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt ++2693 || ORACLE sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow attempt ++2694 || ORACLE sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow attempt ++2695 || ORACLE sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow attempt ++2696 || ORACLE sys.dbms_repcat_utl.is_master buffer overflow attempt ++2697 || ORACLE alter file buffer overflow attempt ++2698 || ORACLE create file buffer overflow attempt ++2699 || ORACLE TO_CHAR buffer overflow attempt ++2700 || ORACLE numtoyminterval buffer overflow attempt ++2701 || WEB-MISC Oracle iSQLPlus sid overflow attempt || bugtraq,10871 || url,www.nextgenss.com/advisories/ora-isqlplus.txt ++2702 || WEB-MISC Oracle iSQLPlus username overflow attempt || bugtraq,10871 || url,www.nextgenss.com/advisories/ora-isqlplus.txt ++2703 || WEB-MISC Oracle iSQLPlus login.uix username overflow attempt || bugtraq,10871 || url,www.nextgenss.com/advisories/ora-isqlplus.txt ++2704 || WEB-MISC Oracle 10g iSQLPlus login.unix connectID overflow attempt || bugtraq,10871 || url,www.nextgenss.com/advisories/ora-isqlplus.txt ++2705 || WEB-CLIENT JPEG parser heap overflow attempt || bugtraq,11173 || cve,2004-0200 || url,www.microsoft.com/security/bulletins/200409_jpeg.mspx ++2706 || WEB-CLIENT JPEG transfer ++2707 || WEB-CLIENT JPEG parser multipacket heap overflow || bugtraq,11173 || cve,2004-0200 || url,www.microsoft.com/security/bulletins/200409_jpeg.mspx ++2708 || ORACLE dbms_offline_og.begin_flavor_change buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2709 || 
ORACLE dbms_offline_og.begin_instantiation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2710 || ORACLE dbms_offline_og.begin_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2711 || ORACLE dbms_offline_og.end_flavor_change buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2712 || ORACLE dbms_offline_og.end_instantiation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2713 || ORACLE dbms_offline_og.end_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2714 || ORACLE dbms_offline_og.resume_subset_of_masters buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2715 || ORACLE dbms_offline_snapshot.begin_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2716 || ORACLE dbms_offline_snapshot.end_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2717 || ORACLE dbms_rectifier_diff.differences buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2718 || ORACLE dbms_rectifier_diff.rectify buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2719 || ORACLE dbms_repcat.abort_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2720 || ORACLE dbms_repcat.add_column_group_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2721 || ORACLE dbms_repcat.add_columns_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2722 || ORACLE dbms_repcat.add_object_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2723 || ORACLE 
dbms_repcat.add_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2724 || ORACLE dbms_repcat.add_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2725 || ORACLE dbms_repcat.add_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2726 || ORACLE dbms_repcat.add_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2727 || ORACLE dbms_repcat.add_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2728 || ORACLE dbms_repcat.add_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2729 || ORACLE dbms_repcat.add_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2730 || ORACLE dbms_repcat.add_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2731 || ORACLE dbms_repcat.add_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2732 || ORACLE dbms_repcat.add_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2733 || ORACLE dbms_repcat.alter_master_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2734 || ORACLE dbms_repcat.alter_mview_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2735 || ORACLE dbms_repcat.alter_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2736 || ORACLE dbms_repcat.alter_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2737 || ORACLE 
dbms_repcat.alter_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2738 || ORACLE dbms_repcat.alter_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2739 || ORACLE dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2740 || ORACLE dbms_repcat.alter_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2741 || ORACLE dbms_repcat.alter_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2742 || ORACLE dbms_repcat.alter_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2743 || ORACLE dbms_repcat.alter_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2744 || ORACLE dbms_repcat.alter_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2745 || ORACLE dbms_repcat.alter_snapshot_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2746 || ORACLE dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2747 || ORACLE dbms_repcat.begin_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2748 || ORACLE dbms_repcat.comment_on_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2749 || ORACLE dbms_repcat.comment_on_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2750 || ORACLE dbms_repcat.comment_on_mview_repsites buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2751 
|| ORACLE dbms_repcat.comment_on_priority_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2752 || ORACLE dbms_repcat.comment_on_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2753 || ORACLE dbms_repcat.comment_on_repsites buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2754 || ORACLE dbms_repcat.comment_on_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2755 || ORACLE dbms_repcat.comment_on_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2756 || ORACLE dbms_repcat.comment_on_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2757 || ORACLE dbms_repcat.create_master_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2758 || ORACLE dbms_repcat.create_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2759 || ORACLE dbms_repcat.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2760 || ORACLE dbms_repcat.define_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2761 || ORACLE dbms_repcat.define_priority_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2762 || ORACLE dbms_repcat.define_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2763 || ORACLE dbms_repcat.do_deferred_repcat_admin buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2764 || ORACLE dbms_repcat.drop_column_group_from_flavor buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2765 || ORACLE dbms_repcat.drop_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2766 || ORACLE dbms_repcat.drop_columns_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2767 || ORACLE dbms_repcat.drop_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2768 || ORACLE dbms_repcat.drop_grouped_column buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2769 || ORACLE dbms_repcat.drop_mview_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2770 || ORACLE dbms_repcat.drop_object_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2771 || ORACLE dbms_repcat.drop_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2772 || ORACLE dbms_repcat.drop_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2773 || ORACLE dbms_repcat.drop_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2774 || ORACLE dbms_repcat.drop_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2775 || ORACLE dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2776 || ORACLE dbms_repcat.drop_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2777 || ORACLE dbms_repcat.drop_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2778 || ORACLE dbms_repcat.drop_priority_varchar2 buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2779 || ORACLE dbms_repcat.drop_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2780 || ORACLE dbms_repcat.drop_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2781 || ORACLE dbms_repcat.drop_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2782 || ORACLE dbms_repcat.drop_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2783 || ORACLE dbms_repcat.drop_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2784 || ORACLE dbms_repcat.drop_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2785 || ORACLE dbms_repcat.execute_ddl buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2786 || ORACLE dbms_repcat.generate_replication_package buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2787 || ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2788 || ORACLE dbms_repcat.make_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2789 || ORACLE dbms_repcat.obsolete_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2790 || ORACLE dbms_repcat.publish_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2791 || ORACLE dbms_repcat.purge_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2792 || ORACLE dbms_repcat.purge_master_log buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2793 || ORACLE dbms_repcat.purge_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2794 || ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2795 || ORACLE dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2796 || ORACLE dbms_repcat.register_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2797 || ORACLE dbms_repcat.register_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2798 || ORACLE dbms_repcat.register_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2799 || ORACLE dbms_repcat.relocate_masterdef buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2800 || ORACLE dbms_repcat.rename_shadow_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2801 || ORACLE dbms_repcat.resume_master_activity buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2802 || ORACLE dbms_repcat_rgt.check_ddl_text buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2803 || ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2804 || ORACLE dbms_repcat.send_and_compare_old_values buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2805 || ORACLE dbms_repcat.set_columns buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2806 || ORACLE dbms_repcat.set_local_flavor buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2807 || ORACLE dbms_repcat.specify_new_masters buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2808 || ORACLE dbms_repcat.suspend_master_activity buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2809 || ORACLE dbms_repcat.unregister_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2810 || ORACLE dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2811 || ORACLE dbms_repcat.validate_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2812 || ORACLE dbms_repcat.validate_for_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2813 || ORACLE sys.dbms_repcat_fla.abort_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2814 || ORACLE sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2815 || ORACLE sys.dbms_repcat_fla.begin_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2816 || ORACLE sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2817 || ORACLE sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2818 || ORACLE sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2819 || ORACLE sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2820 || ORACLE sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2821 || ORACLE sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2822 || ORACLE sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2823 || ORACLE sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2824 || ORACLE sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2825 || ORACLE sys.dbms_repcat_fla.validate_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2826 || ORACLE sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2827 || ORACLE sys.dbms_repcat_mas.alter_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2828 || ORACLE sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2829 || ORACLE sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2830 || ORACLE sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2831 || ORACLE sys.dbms_repcat_mas.create_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2832 || ORACLE sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2833 || ORACLE sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2834 || ORACLE sys.dbms_repcat_mas.generate_replication_package buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2835 || ORACLE sys.dbms_repcat_mas.purge_master_log buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2836 || ORACLE sys.dbms_repcat_mas.relocate_masterdef buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2837 || ORACLE sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2838 || ORACLE sys.dbms_repcat_mas.resume_master_activity buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2839 || ORACLE sys.dbms_repcat_mas.suspend_master_activity buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2840 || ORACLE sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2841 || ORACLE sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2842 || ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2843 || ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2844 || ORACLE sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2845 || ORACLE sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2846 || ORACLE sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2847 || ORACLE sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2848 || ORACLE sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2849 || ORACLE sys.dbms_repcat_utl.drop_an_object buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2850 || ORACLE dbms_repcat.create_mview_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2851 || ORACLE dbms_repcat.create_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2852 || ORACLE dbms_repcat.generate_mview_support buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2853 || ORACLE dbms_repcat.generate_replication_trigger buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2854 || ORACLE dbms_repcat.generate_snapshot_support buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2855 || ORACLE dbms_repcat.remove_master_databases buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2856 || ORACLE dbms_repcat.switch_mview_master buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2857 || ORACLE dbms_repcat.switch_snapshot_master buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2858 || ORACLE sys.dbms_repcat_conf.add_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2859 || ORACLE 
sys.dbms_repcat_conf.add_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2860 || ORACLE sys.dbms_repcat_conf.add_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2861 || ORACLE sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2862 || ORACLE sys.dbms_repcat_conf.add_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2863 || ORACLE sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2864 || ORACLE sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2865 || ORACLE sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2866 || ORACLE sys.dbms_repcat_conf.add_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2867 || ORACLE sys.dbms_repcat_conf.add_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2868 || ORACLE sys.dbms_repcat_conf.add_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2869 || ORACLE sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2870 || ORACLE sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2871 || ORACLE sys.dbms_repcat_conf.alter_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2872 || ORACLE sys.dbms_repcat_conf.alter_priority_number buffer 
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2873 || ORACLE sys.dbms_repcat_conf.alter_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2874 || ORACLE sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2875 || ORACLE sys.dbms_repcat_conf.alter_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2876 || ORACLE sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2877 || ORACLE sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2878 || ORACLE sys.dbms_repcat_conf.alter_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2879 || ORACLE sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2880 || ORACLE sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2881 || ORACLE sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2882 || ORACLE sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2883 || ORACLE sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2884 || ORACLE sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2885 || ORACLE sys.dbms_repcat_conf.define_priority_group buffer overflow attempt 
|| url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2886 || ORACLE sys.dbms_repcat_conf.define_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2887 || ORACLE sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2888 || ORACLE sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2889 || ORACLE sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2890 || ORACLE sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2891 || ORACLE sys.dbms_repcat_conf.drop_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2892 || ORACLE sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2893 || ORACLE sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2894 || ORACLE sys.dbms_repcat_conf.drop_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2895 || ORACLE sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2896 || ORACLE sys.dbms_repcat_conf.drop_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2897 || ORACLE sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2898 || ORACLE sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2899 || ORACLE sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2900 || ORACLE sys.dbms_repcat_conf.purge_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2901 || ORACLE sys.dbms_repcat_conf.register_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2902 || ORACLE sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2903 || ORACLE sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2904 || ORACLE sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2905 || ORACLE sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2906 || ORACLE sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2907 || ORACLE sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2908 || ORACLE sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2909 || ORACLE sys.dbms_repcat_sna.generate_snapshot_support buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2910 || ORACLE sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2911 || ORACLE sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2912 || ORACLE sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2913 || ORACLE sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2914 || ORACLE sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2915 || ORACLE sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2916 || ORACLE sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2917 || ORACLE sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2918 || ORACLE sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2919 || ORACLE sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2921 || DNS UDP inverse query || bugtraq,2302 || cve,2001-0010 ++2922 || DNS TCP inverse query || bugtraq,2302 || cve,2001-0010 ++2923 || NETBIOS SMB repeated logon failure ++2924 || NETBIOS SMB-DS repeated logon failure ++2925 || INFO web bug 0x0 gif attempt ++2926 || WEB-PHP PhpGedView PGV base directory manipulation || bugtraq,9368 ++2927 || NNTP XPAT pattern overflow attempt || cve,2004-0574 || url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx ++2928 || NETBIOS SMB nddeapi create tree attempt || bugtraq,11372 || cve,2004-0206 ++2929 || NETBIOS SMB nddeapi unicode create tree attempt || bugtraq,11372 || cve,2004-0206 ++2930 || NETBIOS SMB-DS nddeapi create tree attempt || 
bugtraq,11372 || cve,2004-0206 ++2931 || NETBIOS SMB-DS nddeapi unicode create tree attempt || bugtraq,11372 || cve,2004-0206 ++2932 || NETBIOS SMB nddeapi bind attempt || bugtraq,11372 || cve,2004-0206 ++2933 || NETBIOS SMB nddeapi unicode bind attempt || bugtraq,11372 || cve,2004-0206 ++2934 || NETBIOS SMB-DS nddeapi bind attempt || bugtraq,11372 || cve,2004-0206 ++2935 || NETBIOS SMB-DS nddeapi unicode bind attempt || bugtraq,11372 || cve,2004-0206 ++2936 || NETBIOS SMB NDdeSetTrustedShareW overflow attempt || bugtraq,11372 || cve,2004-0206 ++2937 || NETBIOS SMB NDdeSetTrustedShareW unicode overflow attempt || bugtraq,11372 || cve,2004-0206 ++2938 || NETBIOS SMB-DS NDdeSetTrustedShareW overflow attempt || bugtraq,11372 || cve,2004-0206 ++2939 || NETBIOS SMB-DS NDdeSetTrustedShareW unicode overflow attempt || bugtraq,11372 || cve,2004-0206 ++2940 || NETBIOS SMB winreg bind attempt ++2941 || NETBIOS SMB winreg unicode bind attempt ++2942 || NETBIOS SMB InitiateSystemShutdown attempt ++2943 || NETBIOS SMB InitiateSystemShutdown little endian attempt ++2944 || NETBIOS SMB InitiateSystemShutdown unicode attempt ++2945 || NETBIOS SMB InitiateSystemShutdown unicode little endian attempt ++2946 || NETBIOS SMB NDdeSetTrustedShareW little endian overflow attempt || bugtraq,11372 || cve,2004-0206 ++2947 || NETBIOS SMB NDdeSetTrustedShareW unicode little endian overflow attempt || bugtraq,11372 || cve,2004-0206 ++2948 || NETBIOS SMB-DS NDdeSetTrustedShareW little endian overflow attempt || bugtraq,11372 || cve,2004-0206 ++2949 || NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian overflow attempt || bugtraq,11372 || cve,2004-0206 ++2950 || NETBIOS SMB too many stacked requests ++2951 || NETBIOS SMB-DS too many stacked requests ++2952 || NETBIOS SMB IPC$ andx share access ++2953 || NETBIOS SMB IPC$ unicode andx share access ++2954 || NETBIOS SMB-DS IPC$ andx share access ++2955 || NETBIOS SMB-DS IPC$ unicode andx share access ++2956 || NETBIOS SMB nddeapi andx create 
tree attempt || bugtraq,11372 || cve,2004-0206 ++2957 || NETBIOS SMB nddeapi unicode andx create tree attempt || bugtraq,11372 || cve,2004-0206 ++2958 || NETBIOS SMB-DS nddeapi andx create tree attempt || bugtraq,11372 || cve,2004-0206 ++2959 || NETBIOS SMB-DS nddeapi unicode andx create tree attempt || bugtraq,11372 || cve,2004-0206 ++2960 || NETBIOS SMB nddeapi andx bind attempt || bugtraq,11372 || cve,2004-0206 ++2961 || NETBIOS SMB nddeapi unicode andx bind attempt || bugtraq,11372 || cve,2004-0206 ++2962 || NETBIOS SMB-DS nddeapi andx bind attempt || bugtraq,11372 || cve,2004-0206 ++2963 || NETBIOS SMB-DS nddeapi unicode andx bind attempt || bugtraq,11372 || cve,2004-0206 ++2964 || NETBIOS SMB NDdeSetTrustedShareW andx overflow attempt || bugtraq,11372 || cve,2004-0206 ++2965 || NETBIOS SMB NDdeSetTrustedShareW little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206 ++2966 || NETBIOS SMB NDdeSetTrustedShareW unicode andx overflow attempt || bugtraq,11372 || cve,2004-0206 ++2967 || NETBIOS SMB NDdeSetTrustedShareW unicode little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206 ++2968 || NETBIOS SMB-DS NDdeSetTrustedShareW andx overflow attempt || bugtraq,11372 || cve,2004-0206 ++2969 || NETBIOS SMB-DS NDdeSetTrustedShareW little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206 ++2970 || NETBIOS SMB-DS NDdeSetTrustedShareW unicode andx overflow attempt || bugtraq,11372 || cve,2004-0206 ++2971 || NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206 ++2972 || NETBIOS SMB D$ andx share access ++2973 || NETBIOS SMB D$ unicode andx share access ++2974 || NETBIOS SMB-DS D$ andx share access ++2975 || NETBIOS SMB-DS D$ unicode andx share access ++2976 || NETBIOS SMB C$ andx share access ++2977 || NETBIOS SMB C$ unicode andx share access ++2978 || NETBIOS SMB-DS C$ andx share access ++2979 || NETBIOS SMB-DS C$ unicode andx share access ++2980 || NETBIOS SMB ADMIN$ andx 
share access ++2981 || NETBIOS SMB ADMIN$ unicode andx share access ++2982 || NETBIOS SMB-DS ADMIN$ andx share access ++2983 || NETBIOS SMB-DS ADMIN$ unicode andx share access ++2984 || NETBIOS SMB winreg andx create tree attempt ++2985 || NETBIOS SMB winreg unicode andx create tree attempt ++2986 || NETBIOS SMB-DS winreg andx create tree attempt ++2987 || NETBIOS SMB-DS winreg unicode andx create tree attempt ++2988 || NETBIOS SMB winreg andx bind attempt ++2989 || NETBIOS SMB winreg unicode andx bind attempt ++2990 || NETBIOS SMB-DS winreg andx bind attempt ++2991 || NETBIOS SMB-DS winreg unicode andx bind attempt ++2992 || NETBIOS SMB InitiateSystemShutdown andx attempt ++2993 || NETBIOS SMB InitiateSystemShutdown little endian andx attempt ++2994 || NETBIOS SMB InitiateSystemShutdown unicode andx attempt ++2995 || NETBIOS SMB InitiateSystemShutdown unicode little endian andx attempt ++2996 || NETBIOS SMB-DS InitiateSystemShutdown andx attempt ++2997 || NETBIOS SMB-DS InitiateSystemShutdown little endian andx attempt ++2998 || NETBIOS SMB-DS InitiateSystemShutdown unicode andx attempt ++2999 || NETBIOS SMB-DS InitiateSystemShutdown unicode little endian andx attempt ++3000 || NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx ++3001 || NETBIOS SMB Session Setup NTMLSSP andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx ++3002 || NETBIOS SMB Session Setup NTMLSSP unicode andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx ++3003 || NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || 
nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx ++3004 || NETBIOS SMB-DS Session Setup NTMLSSP andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx ++3005 || NETBIOS SMB-DS Session Setup NTMLSSP unicode andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx ++3006 || EXPLOIT Volition Freespace 2 buffer overflow attempt || bugtraq,9785 ++3007 || IMAP delete overflow attempt || bugtraq,11675 ++3008 || IMAP delete literal overflow attempt || bugtraq,11675 ++3009 || BACKDOOR NetBus Pro 2.0 connection request ++3010 || BACKDOOR RUX the Tick get windows directory attempt ++3011 || BACKDOOR RUX the Tick get system directory attempt ++3012 || BACKDOOR RUX the Tick upload/execute arbitrary file attempt ++3013 || BACKDOOR Asylum 0.1 connection request ++3014 || BACKDOOR Asylum 0.1 connection established ++3015 || BACKDOOR Insane Network 4.0 connection established ++3016 || BACKDOOR Insane Network 4.0 connection established port 63536 ++3017 || EXPLOIT WINS overflow attempt || bugtraq,11763 || cve,2004-1080 || url,www.immunitysec.com/downloads/instantanea.pdf || url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx ++3018 || NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt || cve,2004-1154 ++3019 || NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor attempt || cve,2004-1154 ++3020 || NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt || cve,2004-1154 ++3021 || NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt || cve,2004-1154 ++3022 || NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt || cve,2004-1154 ++3023 || NETBIOS SMB-DS NT Trans NT CREATE andx oversized Security Descriptor attempt || 
cve,2004-1154 ++3024 || NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt || cve,2004-1154 ++3025 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx oversized Security Descriptor attempt || cve,2004-1154 ++3026 || NETBIOS SMB NT Trans NT CREATE SACL overflow attempt || cve,2004-1154 ++3027 || NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt || cve,2004-1154 ++3028 || NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt || cve,2004-1154 ++3029 || NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt || cve,2004-1154 ++3030 || NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt || cve,2004-1154 ++3031 || NETBIOS SMB-DS NT Trans NT CREATE andx SACL overflow attempt || cve,2004-1154 ++3032 || NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt || cve,2004-1154 ++3033 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx SACL overflow attempt || cve,2004-1154 ++3034 || NETBIOS SMB NT Trans NT CREATE DACL overflow attempt || cve,2004-1154 ++3035 || NETBIOS SMB NT Trans NT CREATE andx DACL overflow attempt || cve,2004-1154 ++3036 || NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt || cve,2004-1154 ++3037 || NETBIOS SMB NT Trans NT CREATE unicode andx DACL overflow attempt || cve,2004-1154 ++3038 || NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt || cve,2004-1154 ++3039 || NETBIOS SMB-DS NT Trans NT CREATE andx DACL overflow attempt || cve,2004-1154 ++3040 || NETBIOS SMB-DS NT Trans NT CREATE unicode DACL overflow attempt || cve,2004-1154 ++3041 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx DACL overflow attempt || cve,2004-1154 ++3042 || NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt ++3043 || NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt ++3044 || NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt ++3045 || NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt ++3046 || NETBIOS SMB-DS NT 
Trans NT CREATE invalid SACL ace size dos attempt ++3047 || NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt ++3048 || NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt ++3049 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt ++3050 || NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt ++3051 || NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt ++3052 || NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt ++3053 || NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt ++3054 || NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt ++3055 || NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt ++3056 || NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt ++3057 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt ++3058 || IMAP copy literal overflow attempt || bugtraq,1110 ++3059 || WEB-MISC TLSv1 Client_Hello via SSLv2 handshake request ++3061 || MISC distccd command execution attempt || url,distcc.samba.org/security.html ++3062 || WEB-CGI NetScreen SA 5000 delhomepage.cgi access || bugtraq,9791 ++3063 || BACKDOOR Vampire 1.2 connection request ++3064 || BACKDOOR Vampire 1.2 connection confirmation ++3065 || IMAP append literal overflow attempt || bugtraq,11775 ++3066 || IMAP append overflow attempt || bugtraq,11775 ++3067 || IMAP examine literal overflow attempt || bugtraq,11775 ++3068 || IMAP examine overflow attempt || bugtraq,11775 ++3069 || IMAP fetch literal overflow attempt || bugtraq,11775 ++3070 || IMAP fetch overflow attempt || bugtraq,11775 ++3071 || IMAP status literal overflow attempt || bugtraq,11775 ++3072 || IMAP status overflow attempt || bugtraq,11775 || bugtraq,13727 || cve,2005-1256 ++3073 || IMAP subscribe literal overflow attempt || bugtraq,11775 ++3074 || IMAP subscribe overflow attempt || 
bugtraq,11775 ++3075 || IMAP unsubscribe literal overflow attempt || bugtraq,11775 ++3076 || IMAP unsubscribe overflow attempt || bugtraq,11775 ++3077 || FTP RNFR overflow attempt ++3078 || NNTP SEARCH pattern overflow attempt || cve,2004-0574 || url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx ++3079 || WEB-CLIENT Microsoft ANI file parsing overflow || cve,2004-1049 ++3080 || MISC Unreal Tournament secure overflow attempt || bugtraq,10570 || cve,2004-0608 ++3081 || BACKDOOR Y3KRAT 1.5 Connect ++3082 || BACKDOOR Y3KRAT 1.5 Connect Client Response ++3083 || BACKDOOR Y3KRAT 1.5 Connection confirmation ++3084 || EXPLOIT Veritas backup overflow attempt || bugtraq,11974 || cve,2004-1172 ++3085 || EXPLOIT AIM goaway message buffer overflow attempt || bugtraq,10889 || cve,2004-0636 ++3086 || WEB-MISC 3Com 3CRADSL72 ADSL 11g Wireless Router app_sta.stm access attempt || bugtraq,11408 ++3087 || WEB-IIS w3who.dll buffer overflow attempt || bugtraq,11820 || cve,2004-1134 ++3088 || WEB-CLIENT winamp .cda file name overflow attempt || bugtraq,11730 ++3089 || DOS squid WCCP I_SEE_YOU message overflow attempt || bugtraq,12275 || cve,2005-0095 ++3090 || NETBIOS SMB llsrpc create tree attempt ++3091 || NETBIOS SMB llsrpc unicode create tree attempt ++3092 || NETBIOS SMB llsrpc andx create tree attempt ++3093 || NETBIOS SMB llsrpc unicode andx create tree attempt ++3094 || NETBIOS SMB-DS llsrpc create tree attempt ++3095 || NETBIOS SMB-DS llsrpc unicode create tree attempt ++3096 || NETBIOS SMB-DS llsrpc andx create tree attempt ++3097 || NETBIOS SMB-DS llsrpc unicode andx create tree attempt ++3098 || NETBIOS SMB llsrpc bind attempt ++3099 || NETBIOS SMB llsrpc little endian bind attempt ++3100 || NETBIOS SMB llsrpc unicode bind attempt ++3101 || NETBIOS SMB llsrpc unicode little endian bind attempt ++3102 || NETBIOS SMB llsrpc andx bind attempt ++3103 || NETBIOS SMB llsrpc little endian andx bind attempt ++3104 || NETBIOS SMB llsrpc unicode andx bind attempt ++3105 || 
NETBIOS SMB llsrpc unicode little endian andx bind attempt ++3106 || NETBIOS SMB-DS llsrpc bind attempt ++3107 || NETBIOS SMB-DS llsrpc little endian bind attempt ++3108 || NETBIOS SMB-DS llsrpc unicode bind attempt ++3109 || NETBIOS SMB-DS llsrpc unicode little endian bind attempt ++3110 || NETBIOS SMB-DS llsrpc andx bind attempt ++3111 || NETBIOS SMB-DS llsrpc little endian andx bind attempt ++3112 || NETBIOS SMB-DS llsrpc unicode andx bind attempt ++3113 || NETBIOS SMB-DS llsrpc unicode little endian andx bind attempt ++3114 || NETBIOS SMB llsrconnect overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3115 || NETBIOS SMB llsrconnect little endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3116 || NETBIOS SMB llsrconnect unicode overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3117 || NETBIOS SMB llsrconnect unicode little endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3118 || NETBIOS SMB llsrconnect andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3119 || NETBIOS SMB llsrconnect little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3120 || NETBIOS SMB llsrconnect unicode andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3121 || NETBIOS SMB llsrconnect unicode little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3122 || NETBIOS SMB-DS llsrconnect overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3123 || NETBIOS SMB-DS llsrconnect little endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3124 || NETBIOS SMB-DS llsrconnect unicode overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3125 || NETBIOS SMB-DS llsrconnect unicode little 
endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3126 || NETBIOS SMB-DS llsrconnect andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3127 || NETBIOS SMB-DS llsrconnect little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3128 || NETBIOS SMB-DS llsrconnect unicode andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3129 || NETBIOS SMB-DS llsrconnect unicode little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3130 || EXPLOIT MSN Messenger png overflow || bugtraq,10872 || cve,2004-0957 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx ++3131 || WEB-CGI mailman directory traversal attempt || cve,2005-0202 ++3132 || WEB-CLIENT PNG large image width download attempt || bugtraq,11523 || cve,2004-0990 || cve,2004-1244 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx ++3133 || WEB-CLIENT PNG large image height download attempt || bugtraq,11481 || bugtraq,11523 || cve,2004-0599 || cve,2004-0990 || cve,2004-1244 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx ++3134 || WEB-CLIENT PNG large colour depth download attempt || bugtraq,11523 || cve,2004-0990 || cve,2004-1244 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx ++3135 || NETBIOS SMB Trans2 QUERY_FILE_INFO attempt ++3136 || NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt ++3137 || NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt ++3138 || NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt ++3139 || NETBIOS SMB Trans2 FIND_FIRST2 attempt ++3140 || NETBIOS SMB Trans2 FIND_FIRST2 andx attempt ++3141 || NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt ++3142 || NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt ++3143 || NETBIOS SMB Trans2 FIND_FIRST2 response overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx 
++3144 || NETBIOS SMB Trans2 FIND_FIRST2 response andx overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx ++3145 || NETBIOS SMB-DS Trans2 FIND_FIRST2 response overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx ++3146 || NETBIOS SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx ++3147 || TELNET login buffer overflow attempt || bugtraq,3681 || cve,2001-0797 ++3148 || WEB-CLIENT winhelp clsid attempt || bugtraq,4857 || cve,2002-0823 || url,www.ngssoftware.com/advisories/ms-winhlp.txt ++3149 || WEB-CLIENT object type overflow attempt || cve,2003-0344 || url,www.microsoft.com/technet/security/bulletin/MS03-020.mspx ++3150 || WEB-IIS SQLXML content type overflow || bugtraq,5004 || cve,2002-0186 || url,www.microsoft.com/technet/security/bulletin/MS02-030.mspx || url,www.westpoint.ltd.uk/advisories/wp-02-0007.txt ++3151 || FINGER / execution attempt || cve,1999-0612 || cve,2000-0915 ++3152 || MS-SQL sa brute force failed login attempt || bugtraq,4797 || cve,2000-1209 || nessus,10673 ++3153 || DNS TCP inverse query overflow || bugtraq,134 || cve,1999-0009 ++3154 || DNS UDP inverse query overflow || bugtraq,134 || cve,1999-0009 ++3155 || BACKDOOR BackOrifice 2000 Inbound Traffic ++3156 || NETBIOS DCERPC msqueue bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3157 || NETBIOS DCERPC msqueue little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3158 || NETBIOS DCERPC CoGetInstanceFromFile little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3159 || 
NETBIOS DCERPC CoGetInstanceFromFile overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3160 || NETBIOS SMB msqueue bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3161 || NETBIOS SMB msqueue little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3162 || NETBIOS SMB msqueue unicode bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3163 || NETBIOS SMB msqueue unicode little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3164 || NETBIOS SMB msqueue andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3165 || NETBIOS SMB msqueue little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3166 || NETBIOS SMB msqueue unicode andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3167 || NETBIOS SMB msqueue unicode little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3168 || NETBIOS SMB-DS msqueue bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3169 || NETBIOS 
SMB-DS msqueue little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3170 || NETBIOS SMB-DS msqueue unicode bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3171 || NETBIOS SMB-DS msqueue unicode little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3172 || NETBIOS SMB-DS msqueue andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3173 || NETBIOS SMB-DS msqueue little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3174 || NETBIOS SMB-DS msqueue unicode andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3175 || NETBIOS SMB-DS msqueue unicode little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3176 || NETBIOS SMB CoGetInstanceFromFile overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3177 || NETBIOS SMB CoGetInstanceFromFile little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3178 || NETBIOS SMB CoGetInstanceFromFile unicode overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || 
url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3179 || NETBIOS SMB CoGetInstanceFromFile unicode little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3180 || NETBIOS SMB CoGetInstanceFromFile andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3181 || NETBIOS SMB CoGetInstanceFromFile little endian andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3182 || NETBIOS SMB CoGetInstanceFromFile unicode andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3183 || NETBIOS SMB CoGetInstanceFromFile unicode little endian andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3184 || NETBIOS SMB-DS CoGetInstanceFromFile overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3185 || NETBIOS SMB-DS CoGetInstanceFromFile little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3186 || NETBIOS SMB-DS CoGetInstanceFromFile unicode overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3187 || NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || 
url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3188 || NETBIOS SMB-DS CoGetInstanceFromFile andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3189 || NETBIOS SMB-DS CoGetInstanceFromFile little endian andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3190 || NETBIOS SMB-DS CoGetInstanceFromFile unicode andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3191 || NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3192 || WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt || bugtraq,7517 || cve,2003-0228 || url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx ++3193 || WEB-IIS .cmd executable file parsing attack || bugtraq,1912 || cve,2000-0886 ++3194 || WEB-IIS .bat executable file parsing attack || bugtraq,1912 || cve,2000-0886 ++3195 || NETBIOS name query overflow attempt TCP || bugtraq,9624 || cve,2003-0825 ++3196 || NETBIOS name query overflow attempt UDP || bugtraq,9624 || cve,2003-0825 ++3197 || NETBIOS DCERPC ISystemActivator path overflow attempt little endian || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3198 || NETBIOS DCERPC ISystemActivator path overflow attempt big endian || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3199 || EXPLOIT WINS name query overflow attempt TCP || bugtraq,9624 || cve,2003-0825 || 
url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx ++3200 || EXPLOIT WINS name query overflow attempt UDP || bugtraq,9624 || cve,2003-0825 || url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx ++3201 || WEB-IIS httpodbc.dll access - nimda || bugtraq,2708 || cve,2001-0333 ++3202 || NETBIOS SMB winreg bind attempt ++3203 || NETBIOS SMB winreg little endian bind attempt ++3204 || NETBIOS SMB winreg unicode bind attempt ++3205 || NETBIOS SMB winreg unicode little endian bind attempt ++3206 || NETBIOS SMB winreg andx bind attempt ++3207 || NETBIOS SMB winreg little endian andx bind attempt ++3208 || NETBIOS SMB winreg unicode andx bind attempt ++3209 || NETBIOS SMB winreg unicode little endian andx bind attempt ++3210 || NETBIOS SMB-DS winreg bind attempt ++3211 || NETBIOS SMB-DS winreg little endian bind attempt ++3212 || NETBIOS SMB-DS winreg unicode bind attempt ++3213 || NETBIOS SMB-DS winreg unicode little endian bind attempt ++3214 || NETBIOS SMB-DS winreg andx bind attempt ++3215 || NETBIOS SMB-DS winreg little endian andx bind attempt ++3216 || NETBIOS SMB-DS winreg unicode andx bind attempt ++3217 || NETBIOS SMB-DS winreg unicode little endian andx bind attempt ++3218 || NETBIOS SMB OpenKey overflow attempt || bugtraq,1331 || cve,2000-0377 || url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx ++3219 || NETBIOS SMB OpenKey little endian overflow attempt || bugtraq,1331 || cve,2000-0377 ++3220 || NETBIOS SMB OpenKey unicode overflow attempt || bugtraq,1331 || cve,2000-0377 ++3221 || NETBIOS SMB OpenKey unicode little endian overflow attempt || bugtraq,1331 || cve,2000-0377 ++3222 || NETBIOS SMB OpenKey andx overflow attempt || bugtraq,1331 || cve,2000-0377 ++3223 || NETBIOS SMB OpenKey little endian andx overflow attempt || bugtraq,1331 || cve,2000-0377 ++3224 || NETBIOS SMB OpenKey unicode andx overflow attempt || bugtraq,1331 || cve,2000-0377 ++3225 || NETBIOS SMB OpenKey unicode little endian andx overflow attempt || 
bugtraq,1331 || cve,2000-0377 ++3226 || NETBIOS SMB-DS OpenKey overflow attempt || bugtraq,1331 || cve,2000-0377 ++3227 || NETBIOS SMB-DS OpenKey little endian overflow attempt || bugtraq,1331 || cve,2000-0377 ++3228 || NETBIOS SMB-DS OpenKey unicode overflow attempt || bugtraq,1331 || cve,2000-0377 ++3229 || NETBIOS SMB-DS OpenKey unicode little endian overflow attempt || bugtraq,1331 || cve,2000-0377 ++3230 || NETBIOS SMB-DS OpenKey andx overflow attempt || bugtraq,1331 || cve,2000-0377 ++3231 || NETBIOS SMB-DS OpenKey little endian andx overflow attempt || bugtraq,1331 || cve,2000-0377 ++3232 || NETBIOS SMB-DS OpenKey unicode andx overflow attempt || bugtraq,1331 || cve,2000-0377 ++3233 || NETBIOS SMB-DS OpenKey unicode little endian andx overflow attempt || bugtraq,1331 || cve,2000-0377 || url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx ++3234 || NETBIOS Messenger message little endian overflow attempt || bugtraq,8826 || cve,2003-0717 ++3235 || NETBIOS Messenger message overflow attempt || bugtraq,8826 || cve,2003-0717 ++3236 || NETBIOS DCERPC irot bind attempt ++3237 || NETBIOS DCERPC irot little endian bind attempt ++3238 || NETBIOS DCERPC IrotIsRunning attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3239 || NETBIOS DCERPC IrotIsRunning little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3240 || NETBIOS SMB irot bind attempt ++3241 || NETBIOS SMB irot little endian bind attempt ++3242 || NETBIOS SMB irot unicode bind attempt ++3243 || NETBIOS SMB irot unicode little endian bind attempt ++3244 || NETBIOS SMB irot andx bind attempt ++3245 || NETBIOS SMB irot little endian andx bind attempt ++3246 || NETBIOS SMB irot unicode andx bind attempt ++3247 || NETBIOS SMB irot unicode little endian andx bind attempt ++3248 || NETBIOS SMB-DS irot bind attempt ++3249 || NETBIOS SMB-DS irot little endian bind attempt ++3250 || 
NETBIOS SMB-DS irot unicode bind attempt ++3251 || NETBIOS SMB-DS irot unicode little endian bind attempt ++3252 || NETBIOS SMB-DS irot andx bind attempt ++3253 || NETBIOS SMB-DS irot little endian andx bind attempt ++3254 || NETBIOS SMB-DS irot unicode andx bind attempt ++3255 || NETBIOS SMB-DS irot unicode little endian andx bind attempt ++3256 || NETBIOS SMB IrotIsRunning attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3257 || NETBIOS SMB IrotIsRunning little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3258 || NETBIOS SMB IrotIsRunning unicode attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3259 || NETBIOS SMB IrotIsRunning unicode little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3260 || NETBIOS SMB IrotIsRunning andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3261 || NETBIOS SMB IrotIsRunning little endian andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3262 || NETBIOS SMB IrotIsRunning unicode andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3263 || NETBIOS SMB IrotIsRunning unicode little endian andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3264 || NETBIOS SMB-DS IrotIsRunning attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3265 || NETBIOS SMB-DS IrotIsRunning little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3266 || NETBIOS SMB-DS IrotIsRunning unicode attempt || bugtraq,6005 || cve,2002-1561 || 
url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3267 || NETBIOS SMB-DS IrotIsRunning unicode little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3268 || NETBIOS SMB-DS IrotIsRunning andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3269 || NETBIOS SMB-DS IrotIsRunning little endian andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3270 || NETBIOS SMB-DS IrotIsRunning unicode andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3271 || NETBIOS SMB-DS IrotIsRunning unicode little endian andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3272 || BACKDOOR mydoom.a backdoor upload/execute attempt ++3273 || MS-SQL sa brute force failed login unicode attempt || bugtraq,4797 || cve,2000-1209 || nessus,10673 ++3274 || TELNET login buffer non-evasive overflow attempt || bugtraq,3681 || cve,2001-0797 ++3275 || NETBIOS DCERPC IActivation bind attempt ++3276 || NETBIOS DCERPC IActivation little endian bind attempt ++3377 || NETBIOS SMB IActivation bind attempt ++3378 || NETBIOS SMB IActivation little endian bind attempt ++3379 || NETBIOS SMB IActivation unicode bind attempt ++3380 || NETBIOS SMB IActivation unicode little endian bind attempt ++3381 || NETBIOS SMB IActivation andx bind attempt ++3382 || NETBIOS SMB IActivation little endian andx bind attempt ++3383 || NETBIOS SMB IActivation unicode andx bind attempt ++3384 || NETBIOS SMB IActivation unicode little endian andx bind attempt ++3385 || NETBIOS SMB-DS IActivation bind attempt ++3386 || NETBIOS SMB-DS IActivation little endian bind attempt ++3387 || NETBIOS SMB-DS IActivation unicode bind attempt ++3388 || NETBIOS SMB-DS IActivation unicode little endian bind attempt ++3389 || NETBIOS 
SMB-DS IActivation andx bind attempt ++3390 || NETBIOS SMB-DS IActivation little endian andx bind attempt ++3391 || NETBIOS SMB-DS IActivation unicode andx bind attempt ++3392 || NETBIOS SMB-DS IActivation unicode little endian andx bind attempt ++3393 || NETBIOS SMB ISystemActivator bind attempt ++3394 || NETBIOS SMB ISystemActivator little endian bind attempt ++3395 || NETBIOS SMB ISystemActivator unicode bind attempt ++3396 || NETBIOS SMB ISystemActivator unicode little endian bind attempt ++3397 || NETBIOS SMB ISystemActivator andx bind attempt ++3398 || NETBIOS SMB ISystemActivator little endian andx bind attempt ++3399 || NETBIOS SMB ISystemActivator unicode andx bind attempt ++3400 || NETBIOS SMB ISystemActivator unicode little endian andx bind attempt ++3401 || NETBIOS SMB-DS ISystemActivator bind attempt ++3402 || NETBIOS SMB-DS ISystemActivator little endian bind attempt ++3403 || NETBIOS SMB-DS ISystemActivator unicode bind attempt ++3404 || NETBIOS SMB-DS ISystemActivator unicode little endian bind attempt ++3405 || NETBIOS SMB-DS ISystemActivator andx bind attempt ++3406 || NETBIOS SMB-DS ISystemActivator little endian andx bind attempt ++3407 || NETBIOS SMB-DS ISystemActivator unicode andx bind attempt ++3408 || NETBIOS SMB-DS ISystemActivator unicode little endian andx bind attempt ++3409 || NETBIOS SMB RemoteActivation attempt ++3410 || NETBIOS SMB RemoteActivation little endian attempt ++3411 || NETBIOS SMB RemoteActivation unicode attempt ++3412 || NETBIOS SMB RemoteActivation unicode little endian attempt ++3413 || NETBIOS SMB RemoteActivation andx attempt ++3414 || NETBIOS SMB RemoteActivation little endian andx attempt ++3415 || NETBIOS SMB RemoteActivation unicode andx attempt ++3416 || NETBIOS SMB RemoteActivation unicode little endian andx attempt ++3417 || NETBIOS SMB-DS RemoteActivation attempt ++3418 || NETBIOS SMB-DS RemoteActivation little endian attempt ++3419 || NETBIOS SMB-DS RemoteActivation unicode attempt ++3420 || NETBIOS SMB-DS 
RemoteActivation unicode little endian attempt ++3421 || NETBIOS SMB-DS RemoteActivation andx attempt ++3422 || NETBIOS SMB-DS RemoteActivation little endian andx attempt ++3423 || NETBIOS SMB-DS RemoteActivation unicode andx attempt ++3424 || NETBIOS SMB-DS RemoteActivation unicode little endian andx attempt ++3425 || NETBIOS SMB CoGetInstanceFromFile attempt ++3426 || NETBIOS SMB CoGetInstanceFromFile little endian attempt ++3427 || NETBIOS SMB CoGetInstanceFromFile unicode attempt ++3428 || NETBIOS SMB CoGetInstanceFromFile unicode little endian attempt ++3429 || NETBIOS SMB CoGetInstanceFromFile andx attempt ++3430 || NETBIOS SMB CoGetInstanceFromFile little endian andx attempt ++3431 || NETBIOS SMB CoGetInstanceFromFile unicode andx attempt ++3432 || NETBIOS SMB CoGetInstanceFromFile unicode little endian andx attempt ++3433 || NETBIOS SMB-DS CoGetInstanceFromFile attempt ++3434 || NETBIOS SMB-DS CoGetInstanceFromFile little endian attempt ++3435 || NETBIOS SMB-DS CoGetInstanceFromFile unicode attempt ++3436 || NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian attempt ++3437 || NETBIOS SMB-DS CoGetInstanceFromFile andx attempt ++3438 || NETBIOS SMB-DS CoGetInstanceFromFile little endian andx attempt ++3439 || NETBIOS SMB-DS CoGetInstanceFromFile unicode andx attempt ++3440 || NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx attempt ++3441 || FTP PORT bounce attempt ++3442 || DOS WIN32 TCP print service denial of service attempt || bugtraq,1082 || cve,2000-0232 || url,www.microsoft.com/technet/security/bulletin/MS00-021.mspx ++3443 || MS-SQL DNS query with 1 requests ++3444 || MS-SQL DNS query with 2 requests ++3445 || MS-SQL DNS query with 3 requests ++3446 || MS-SQL DNS query with 4 requests ++3447 || MS-SQL DNS query with 5 requests ++3448 || MS-SQL DNS query with 6 requests ++3449 || MS-SQL DNS query with 7 requests ++3450 || MS-SQL DNS query with 8 requests ++3451 || MS-SQL DNS query with 9 requests ++3452 || MS-SQL DNS query with 
10 requests ++3453 || MISC Arkeia client backup system info probe || bugtraq,12594 ++3454 || MISC Arkeia client backup generic info probe || bugtraq,12594 ++3455 || EXPLOIT Bontago Game Server Nickname Buffer Overflow || bugtraq,12603 || url,aluigi.altervista.org/adv/bontagobof-adv.txt ++3456 || MYSQL 4.0 root login attempt ++3457 || EXPLOIT Arkeia backup client type 77 overflow attempt || bugtraq,12594 ++3458 || EXPLOIT Arkeia backup client type 84 overflow attempt || bugtraq,12594 ++3459 || P2P Manolito Search Query || url,openlito.sourceforge.net || url,www.blubster.com ++3460 || FTP REST with numeric argument || bugtraq,7825 ++3461 || SMTP Content-Type overflow attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx ++3462 || SMTP Content-Encoding overflow attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx ++3463 || WEB-CGI awstats access || bugtraq,12572 ++3464 || WEB-CGI awstats.pl command execution attempt || bugtraq,12572 ++3465 || WEB-CGI RiSearch show.pl proxy attempt || bugtraq,10812 ++3466 || WEB-MISC Authorization Basic overflow attempt || bugtraq,8375 || cve,2003-0727 ++3467 || WEB-MISC CISCO VoIP Portinformation access || bugtraq,4798 || cve,2002-0882 ++3468 || WEB-CGI math_sum.mscgi access || bugtraq,10831 || nessus,14182 ++3469 || WEB-CGI Ipswitch WhatsUp Gold dos attempt || bugtraq,11110 || cve,2004-0799 || url,www.idefense.com/application/poi/display?id=142&type=vulnerabilities || url,www.ipswitch.com/Support/WhatsUp/patch-upgrades.html || url,www.secunia.com/advisories/12578/ ++3470 || WEB-CLIENT RealPlayer VIDORV30 header length buffer overflow || bugtraq,11309 || url,www.eeye.com/html/research/advisories/AD20041001.html ++3471 || WEB-CLIENT iTunes playlist URL overflow attempt || bugtraq,12238 || cve,2005-0043 ++3472 || EXPLOIT ARCserve discovery service overflow || bugtraq,12491 || can,2005-0260 ++3473 || WEB-CLIENT RealPlayer SMIL file 
overflow attempt || bugtraq,12698 || cve,2005-0455 ++3474 || EXPLOIT ARCserve backup TCP slot info msg client name overflow || bugtraq,12563 ++3475 || EXPLOIT ARCserve backup TCP slot info msg client domain overflow || bugtraq,12563 ++3476 || EXPLOIT ARCserve backup TCP product info msg 0x9b client domain overflow || bugtraq,12563 ++3477 || EXPLOIT ARCserve backup TCP product info msg 0x9b client name overflow || bugtraq,12563 ++3478 || EXPLOIT ARCserve backup TCP product info msg 0x9c client domain overflow || bugtraq,12563 ++3479 || EXPLOIT ARCserve backup TCP product info msg 0x9c client name overflow || bugtraq,12563 ++3480 || EXPLOIT ARCserve backup UDP slot info msg client name overflow || bugtraq,12563 ++3481 || EXPLOIT ARCserve backup UDP slot info msg client domain overflow || bugtraq,12563 ++3482 || EXPLOIT ARCserve backup UDP product info msg 0x9b client name overflow || bugtraq,12563 ++3483 || EXPLOIT ARCserve backup UDP product info msg 0x9b client domain overflow || bugtraq,12563 ++3484 || EXPLOIT ARCserve backup UDP product info msg 0x9c client name overflow || bugtraq,12563 ++3485 || EXPLOIT ARCserve backup UDP product info msg 0x9c client domain overflow || bugtraq,12563 ++3486 || WEB-MISC SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++3487 || IMAP SSLv2 Client_Hello request ++3488 || IMAP SSLv2 Client_Hello with pad request ++3489 || IMAP TLSv1 Client_Hello request ++3490 || IMAP TLSv1 Client_Hello via SSLv2 handshake request ++3491 || IMAP SSLv2 Server_Hello request ++3492 || IMAP TLSv1 Server_Hello request ++3493 || SMTP SSLv2 Client_Hello request ++3494 || SMTP SSLv2 Client_Hello with pad request ++3495 || SMTP TLSv1 Client_Hello request ++3496 || SMTP TLSv1 Client_Hello via SSLv2 handshake request ++3497 || SMTP SSLv2 Server_Hello request ++3498 || SMTP TLSv1 Server_Hello request ++3499 || POP3 SSLv2 Client_Hello request ++3500 || POP3 
SSLv2 Client_Hello with pad request ++3501 || POP3 TLSv1 Client_Hello request ++3502 || POP3 TLSv1 Client_Hello via SSLv2 handshake request ++3503 || POP3 SSLv2 Server_Hello request ++3504 || POP3 TLSv1 Server_Hello request ++3505 || POP3 SSLv2 Client_Hello request ++3506 || POP3 SSLv2 Client_Hello with pad request ++3507 || POP3 TLSv1 Client_Hello request ++3508 || POP3 TLSv1 Client_Hello via SSLv2 handshake request ++3509 || POP3 SSLv2 Server_Hello request ++3510 || POP3 TLSv1 Server_Hello request ++3511 || SMTP PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++3512 || ORACLE utl_file.fcopy directory traversal attempt || bugtraq,12749 ++3513 || ORACLE utl_file.fopen_nchar directory traversal attempt || bugtraq,12749 ++3514 || ORACLE utl_file.fopen directory traversal attempt || bugtraq,12749 ++3515 || ORACLE utl_file.fremove directory traversal attempt || bugtraq,12749 ++3516 || ORACLE utl_file.frename directory traversal attempt || bugtraq,12749 ++3517 || EXPLOIT Computer Associates license PUTOLF overflow attempt || bugtraq,12705 || cve,2005-0581 ++3518 || WEB-MISC MySQL MaxDB WebSQL wppassword buffer overflow || bugtraq,12265 ++3519 || WEB-MISC MySQL MaxDB WebSQL wppassword buffer overflow default port || bugtraq,12265 ++3520 || EXPLOIT Computer Associates license GCR NETWORK overflow attempt || bugtraq,12705 || cve,2005-0581 ++3521 || EXPLOIT Computer Associates license GCR CHECKSUMS overflow attempt || bugtraq,12705 || cve,2005-0581 ++3522 || EXPLOIT Computer Associates license GETCONFIG server overflow attempt || bugtraq,12705 || cve,2005-0581 ++3523 || FTP SITE INDEX format string attempt ++3524 || EXPLOIT Computer Associates license invalid GCR CHECKSUMS attempt || bugtraq,12705 || cve,2005-0581 ++3525 || EXPLOIT Computer Associates license invalid GCR NETWORK attempt || bugtraq,12705 || cve,2005-0581 ++3526 || ORACLE XDB FTP UNLOCK overflow attempt || bugtraq,8375 || 
cve,2003-0727 ++3527 || EXPLOIT Solaris LPD overflow attempt || bugtraq,3274 ++3528 || MYSQL CREATE FUNCTION attempt || bugtraq,12781 || cve,2005-0709 ++3529 || EXPLOIT Computer Associates license GETCONFIG client overflow attempt || bugtraq,12705 || cve,2005-0581 ++3530 || EXPLOIT ARCserve backup UDP msg 0x99 client name overflow || bugtraq,12563 ++3531 || EXPLOIT ARCserve backup UDP msg 0x99 client domain overflow || bugtraq,12563 ++3532 || FTP ORACLE password buffer overflow attempt || bugtraq,8375 ++3533 || TELNET client LINEMODE SLC overflow attempt || bugtraq,12918 || cve,2005-0469 ++3534 || WEB-CLIENT Mozilla GIF heap overflow || bugtraq,12881 || cve,2005-0399 ++3535 || WEB-CLIENT GIF transfer ++3536 || WEB-CLIENT Mozilla GIF multipacket heap overflow || bugtraq,12881 || cve,2005-0399 ++3537 || TELNET client ENV OPT escape overflow attempt || bugtraq,12918 || cve,2005-0469 ++3538 || EXPLOIT RADIUS registration MSID overflow attempt || bugtraq,12759 || cve,2005-0699 ++3539 || EXPLOIT RADIUS MSID overflow attempt || bugtraq,12759 || cve,2005-0699 ++3540 || EXPLOIT RADIUS registration vendor ATTR_TYPE_STR overflow attempt || bugtraq,12759 || cve,2005-0699 ++3541 || EXPLOIT RADIUS ATTR_TYPE_STR overflow attempt || bugtraq,12759 || cve,2005-0699 ++3542 || MS-SQL SA brute force login attempt || cve,2000-1209 || nessus,10673 ++3543 || MS-SQL SA brute force login attempt TDS v7/8 || cve,2000-1209 || nessus,10673 ++3544 || WEB-MISC TrackerCam ComGetLogFile.php3 directory traversal attempt || bugtraq,12592 || cve,2005-0481 ++3545 || WEB-MISC TrackerCam ComGetLogFile.php3 log information disclosure || bugtraq,12592 || cve,2005-0481 ++3546 || WEB-MISC TrackerCam User-Agent buffer overflow attempt || bugtraq,12592 || cve,2005-0481 ++3547 || WEB-MISC TrackerCam overly long php parameter overflow attempt || bugtraq,12592 || cve,2005-0481 ++3548 || WEB-MISC TrackerCam negative Content-Length attempt || bugtraq,12592 || cve,2005-0481 ++3549 || WEB-CLIENT HTML DOM invalid 
element creation attempt || cve,2005-0553 ++3550 || WEB-CLIENT HTML http scheme hostname overflow attempt || cve,2005-0553 ++3551 || WEB-CLIENT .hta download attempt ++3552 || WEB-CLIENT OLE32 MSHTA masquerade attempt || cve,2005-0063 ++3553 || WEB-CLIENT HTML DOM null element insertion attempt || cve,2005-0553 ++3554 || NETBIOS DCERPC-DIRECT mqqm bind attempt ++3555 || NETBIOS DCERPC-DIRECT mqqm little endian bind attempt ++3556 || NETBIOS DCERPC mqqm bind attempt ++3557 || NETBIOS DCERPC mqqm little endian bind attempt ++3558 || NETBIOS SMB mqqm WriteAndX andx bind attempt ++3559 || NETBIOS SMB mqqm WriteAndX bind attempt ++3560 || NETBIOS SMB mqqm WriteAndX little endian andx bind attempt ++3561 || NETBIOS SMB mqqm WriteAndX little endian bind attempt ++3562 || NETBIOS SMB mqqm WriteAndX unicode andx bind attempt ++3563 || NETBIOS SMB mqqm WriteAndX unicode bind attempt ++3564 || NETBIOS SMB mqqm WriteAndX unicode little endian andx bind attempt ++3565 || NETBIOS SMB mqqm WriteAndX unicode little endian bind attempt ++3566 || NETBIOS SMB mqqm andx bind attempt ++3567 || NETBIOS SMB mqqm bind attempt ++3568 || NETBIOS SMB mqqm little endian andx bind attempt ++3569 || NETBIOS SMB mqqm little endian bind attempt ++3570 || NETBIOS SMB mqqm unicode andx bind attempt ++3571 || NETBIOS SMB mqqm unicode bind attempt ++3572 || NETBIOS SMB mqqm unicode little endian andx bind attempt ++3573 || NETBIOS SMB mqqm unicode little endian bind attempt ++3574 || NETBIOS SMB-DS mqqm WriteAndX andx bind attempt ++3575 || NETBIOS SMB-DS mqqm WriteAndX bind attempt ++3576 || NETBIOS SMB-DS mqqm WriteAndX little endian andx bind attempt ++3577 || NETBIOS SMB-DS mqqm WriteAndX little endian bind attempt ++3578 || NETBIOS SMB-DS mqqm WriteAndX unicode andx bind attempt ++3579 || NETBIOS SMB-DS mqqm WriteAndX unicode bind attempt ++3580 || NETBIOS SMB-DS mqqm WriteAndX unicode little endian andx bind attempt ++3581 || NETBIOS SMB-DS mqqm WriteAndX unicode little endian bind attempt 
++3582 || NETBIOS SMB-DS mqqm andx bind attempt ++3583 || NETBIOS SMB-DS mqqm bind attempt ++3584 || NETBIOS SMB-DS mqqm little endian andx bind attempt ++3585 || NETBIOS SMB-DS mqqm little endian bind attempt ++3586 || NETBIOS SMB-DS mqqm unicode andx bind attempt ++3587 || NETBIOS SMB-DS mqqm unicode bind attempt ++3588 || NETBIOS SMB-DS mqqm unicode little endian andx bind attempt ++3589 || NETBIOS SMB-DS mqqm unicode little endian bind attempt ++3590 || NETBIOS DCERPC-DIRECT mqqm QMDeleteObject little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3591 || NETBIOS DCERPC-DIRECT mqqm QMDeleteObject overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3592 || NETBIOS DCERPC mqqm QMDeleteObject little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3593 || NETBIOS DCERPC mqqm QMDeleteObject overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3594 || NETBIOS SMB mqqm QMDeleteObject WriteAndX andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3595 || NETBIOS SMB mqqm QMDeleteObject WriteAndX little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3596 || NETBIOS SMB mqqm QMDeleteObject WriteAndX little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3597 || NETBIOS SMB mqqm QMDeleteObject WriteAndX overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3598 || NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3599 || NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode little endian andx overflow attempt || cve,2005-0059 || 
url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3600 || NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3601 || NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3602 || NETBIOS SMB mqqm QMDeleteObject andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3603 || NETBIOS SMB mqqm QMDeleteObject little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3604 || NETBIOS SMB mqqm QMDeleteObject little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3605 || NETBIOS SMB mqqm QMDeleteObject overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3606 || NETBIOS SMB mqqm QMDeleteObject unicode andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3607 || NETBIOS SMB mqqm QMDeleteObject unicode little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3608 || NETBIOS SMB mqqm QMDeleteObject unicode little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3609 || NETBIOS SMB mqqm QMDeleteObject unicode overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3610 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3611 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3612 || NETBIOS SMB-DS mqqm 
QMDeleteObject WriteAndX little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3613 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3614 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3615 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3616 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3617 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3618 || NETBIOS SMB-DS mqqm QMDeleteObject andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3619 || NETBIOS SMB-DS mqqm QMDeleteObject little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3620 || NETBIOS SMB-DS mqqm QMDeleteObject little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3621 || NETBIOS SMB-DS mqqm QMDeleteObject overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3622 || NETBIOS SMB-DS mqqm QMDeleteObject unicode andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3623 || NETBIOS SMB-DS mqqm QMDeleteObject unicode little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3624 || NETBIOS SMB-DS mqqm QMDeleteObject unicode little endian overflow 
attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3625 || NETBIOS SMB-DS mqqm QMDeleteObject unicode overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3626 || ICMP PATH MTU denial of service || cve,2004-1060 ++3627 || POLICY X-LINK2STATE CHUNK attempt || url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx ++3628 || POLICY IDA Pro startup license check attempt ++3629 || WEB-MISC sambar /search/results.stm access || bugtraq,7975 ++3630 || FTP ORACLE TEST command buffer overflow attempt || bugtraq,8375 ++3631 || FTP ORACLE user name buffer overflow attempt || bugtraq,8375 ++3632 || WEB-CLIENT Mozilla bitmap width integer overflow attempt || bugtraq,11171 || cve,2004-0904 || url,bugzilla.mozilla.org/show_bug.cgi?id=255067 ++3633 || WEB-CLIENT bitmap transfer ++3634 || WEB-CLIENT Mozilla bitmap width integer overflow multipacket attempt || bugtraq,11171 || cve,2004-0904 || url,bugzilla.mozilla.org/show_bug.cgi?id=255067 ++3635 || BACKDOOR Amanda 2.0 connection established ++3636 || BACKDOOR Crazzy Net 5.0 connection established ++3637 || EXPLOIT Computer Associates license PUTOLF directory traversal attempt || bugtraq,12705 || cve,2005-0581 ++3638 || WEB-CGI SoftCart.exe CGI buffer overflow attempt || bugtraq,10926 ++3639 || NETBIOS SMB Trans andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html ++3640 || NETBIOS SMB Trans data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html ++3641 || NETBIOS SMB Trans unicode data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html ++3642 || NETBIOS SMB Trans unicode andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html ++3643 || NETBIOS SMB-DS Trans andx data displacement null pointer DOS attempt || 
bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html ++3644 || NETBIOS SMB-DS Trans data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html ++3645 || NETBIOS SMB-DS Trans unicode data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html ++3646 || NETBIOS SMB-DS Trans unicode andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html ++3647 || NETBIOS-DG SMB Trans andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html ++3648 || NETBIOS-DG SMB Trans data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html ++3649 || NETBIOS-DG SMB Trans unicode data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html ++3650 || NETBIOS-DG SMB Trans unicode andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html ++3651 || EXPLOIT CVS rsh annotate revision overflow attempt || bugtraq,13217 || cve,2005-0753 || url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=141 || url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=142 ++3652 || EXPLOIT CVS pserver annotate revision overflow attempt || bugtraq,13217 || cve,2005-0753 || url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=141 || url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=142 ++3653 || SMTP SAML overflow attempt || bugtraq,11238 ++3654 || SMTP SOML overflow attempt || bugtraq,11238 ++3655 || SMTP SEND overflow attempt || bugtraq,11238 ++3656 || SMTP MAIL overflow attempt || bugtraq,11238 ++3657 || ORACLE ctxsys.driload attempt || bugtraq,11099 || cve,2004-0637 ++3658 || EXPLOIT ARCserve backup universal agent option 1000 little endian buffer overflow attempt || bugtraq,13102 || cve,2005-1018 ++3659 || EXPLOIT ARCserve 
backup universal agent option 1000 buffer overflow attempt || bugtraq,13102 || cve,2005-1018 ++3660 || EXPLOIT ARCserve backup universal agent option 00 little endian buffer overflow attempt || bugtraq,13102 || cve,2005-1018 ++3661 || EXPLOIT ARCserve backup universal agent option 00 buffer overflow attempt || bugtraq,13102 || cve,2005-1018 ++3662 || EXPLOIT ARCserve backup universal agent option 03 little endian buffer overflow attempt || bugtraq,13102 || cve,2005-1018 ++3663 || EXPLOIT ARCserve backup universal agent option 03 buffer overflow attempt || bugtraq,13102 || cve,2005-1018 ++3664 || EXPLOIT PPTP echo request buffer overflow attempt || bugtaq,7316 || cve,2003-0213 ++3665 || MYSQL server greeting || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt ++3666 || MYSQL server greeting finished || bugtraq,10655 || www.nextgenss.com/advisories/mysql-authbypass.txt, ++3667 || MYSQL protocol 41 client authentication bypass attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt ++3668 || MYSQL client authentication bypass attempt || bugtraq,10655 || www.nextgenss.com/advisories/mysql-authbypass.txt, ++3669 || MYSQL protocol 41 secure client overflow attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt ++3670 || MYSQL secure client overflow attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt ++3671 || MYSQL protocol 41 client overflow attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt ++3672 || MYSQL client overflow attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt ++3673 || MISC Microsoft SMS remote control client DoS overly long length attempt || bugtraq,10726 || cve,2004-0728 ++3674 || WEB-CGI db4web_c directory traversal attempt || bugtraq,5723 || cve,2002-1483 || nessus,11182 ++3675 || MISC IBM DB2 DTS empty format string dos attempt || bugtraq,11400 || 
url,www-1.ibm.com/support/docview.wss?uid=swg1IY61781 ++3676 || WEB-MISC newsscript.pl admin attempt || bugtraq,12761 ++3677 || EXPLOIT SIP UDP CSeq overflow attempt || url,www.ethereal.com/news/item_20050504_01.html ++3678 || EXPLOIT SIP TCP CSeq overflow attempt || url,www.ethereal.com/news/item_20050504_01.html ++3679 || WEB-CLIENT Firefox IFRAME src javascript code execution || bugtraq,13544 || cve,2005-1476 ++3680 || P2P AOL Instant Messenger Message Send ++3681 || P2P AOL Instant Messenger Message Receive ++3682 || SMTP spoofed MIME-Type auto-execution attempt || bugtraq,2524 || cve,2001-0154 || url,www.microsoft.com/technet/security/bulletin/MS01-020.mspx ++3683 || WEB-CLIENT spoofed MIME-Type auto-execution attempt || bugtraq,2524 || cve,2001-0154 || url,www.microsoft.com/technet/security/bulletin/MS01-020.mspx ++3684 || WEB-CLIENT Bitmap Transfer ++3685 || WEB-CLIENT bitmap BitmapOffset multipacket integer overflow attempt || bugtraq,9663 || cve,2004-0566 ++3686 || WEB-CLIENT Internet Explorer Content Advisor attempted overflow || bugtraq,13117 || cve,2005-0555 ++3687 || TELNET client ENV OPT USERVAR information disclosure || cve,2005-1205 || url,www.microsoft.com/technet/Security/bulletin/ms05-033.mspx ++3688 || TELNET client ENV OPT VAR information disclosure || cve,2005-1205 || url,www.microsoft.com/technet/Security/bulletin/ms05-033.mspx ++3689 || WEB-CLIENT Internet Explorer tRNS overflow attempt || bugtraq,13941 || cve,2005-1211 || url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx ++3690 || WEB-CGI Nucleus CMS action.php itemid SQL injection || bugtraq,10798 || nessus,14194 ++3691 || CHAT Yahoo Messenger Message ++3692 || CHAT Yahoo Messenger File Transfer Initiation Request ++3693 || WEB-MISC IBM WebSphere j_security_check overflow attempt || bugtraq,13853 ++3694 || WEB-MISC Squid content length cache poisoning attempt || bugtraq,12412 || cve,2005-0174 ++3695 || EXPLOIT Veritas Backup Agent password overflow attempt || cve,2005-0773 
++3696 || EXPLOIT Veritas Backup Agent DoS attempt || bugtraq,14201 || cve,2005-0772 ++3697 || NETBIOS DCERPC DIRECT veritas alter context attempt ++3698 || NETBIOS DCERPC DIRECT veritas bind attempt ++3699 || NETBIOS DCERPC DIRECT veritas little endian alter context attempt ++3700 || NETBIOS DCERPC DIRECT veritas little endian bind attempt ++3701 || NETBIOS DCERPC NCACN-IP-TCP veritas alter context attempt ++3702 || NETBIOS DCERPC NCACN-IP-TCP veritas bind attempt ++3703 || NETBIOS DCERPC NCACN-IP-TCP veritas little endian alter context attempt ++3704 || NETBIOS DCERPC NCACN-IP-TCP veritas little endian bind attempt ++3705 || NETBIOS SMB veritas WriteAndX alter context attempt ++3706 || NETBIOS SMB veritas WriteAndX andx alter context attempt ++3707 || NETBIOS SMB veritas WriteAndX andx bind attempt ++3708 || NETBIOS SMB veritas WriteAndX bind attempt ++3709 || NETBIOS SMB veritas WriteAndX little endian alter context attempt ++3710 || NETBIOS SMB veritas WriteAndX little endian andx alter context attempt ++3711 || NETBIOS SMB veritas WriteAndX little endian andx bind attempt ++3712 || NETBIOS SMB veritas WriteAndX little endian bind attempt ++3713 || NETBIOS SMB veritas WriteAndX unicode alter context attempt ++3714 || NETBIOS SMB veritas WriteAndX unicode andx alter context attempt ++3715 || NETBIOS SMB veritas WriteAndX unicode andx bind attempt ++3716 || NETBIOS SMB veritas WriteAndX unicode bind attempt ++3717 || NETBIOS SMB veritas WriteAndX unicode little endian alter context attempt ++3718 || NETBIOS SMB veritas WriteAndX unicode little endian andx alter context attempt ++3719 || NETBIOS SMB veritas WriteAndX unicode little endian andx bind attempt ++3720 || NETBIOS SMB veritas WriteAndX unicode little endian bind attempt ++3721 || NETBIOS SMB veritas alter context attempt ++3722 || NETBIOS SMB veritas andx alter context attempt ++3723 || NETBIOS SMB veritas andx bind attempt ++3724 || NETBIOS SMB veritas bind attempt ++3725 || NETBIOS SMB veritas little 
endian alter context attempt ++3726 || NETBIOS SMB veritas little endian andx alter context attempt ++3727 || NETBIOS SMB veritas little endian andx bind attempt ++3728 || NETBIOS SMB veritas little endian bind attempt ++3729 || NETBIOS SMB veritas unicode alter context attempt ++3730 || NETBIOS SMB veritas unicode andx alter context attempt ++3731 || NETBIOS SMB veritas unicode andx bind attempt ++3732 || NETBIOS SMB veritas unicode bind attempt ++3733 || NETBIOS SMB veritas unicode little endian alter context attempt ++3734 || NETBIOS SMB veritas unicode little endian andx alter context attempt ++3735 || NETBIOS SMB veritas unicode little endian andx bind attempt ++3736 || NETBIOS SMB veritas unicode little endian bind attempt ++3737 || NETBIOS SMB-DS veritas WriteAndX alter context attempt ++3738 || NETBIOS SMB-DS veritas WriteAndX andx alter context attempt ++3739 || NETBIOS SMB-DS veritas WriteAndX andx bind attempt ++3740 || NETBIOS SMB-DS veritas WriteAndX bind attempt ++3741 || NETBIOS SMB-DS veritas WriteAndX little endian alter context attempt ++3742 || NETBIOS SMB-DS veritas WriteAndX little endian andx alter context attempt ++3743 || NETBIOS SMB-DS veritas WriteAndX little endian andx bind attempt ++3744 || NETBIOS SMB-DS veritas WriteAndX little endian bind attempt ++3745 || NETBIOS SMB-DS veritas WriteAndX unicode alter context attempt ++3746 || NETBIOS SMB-DS veritas WriteAndX unicode andx alter context attempt ++3747 || NETBIOS SMB-DS veritas WriteAndX unicode andx bind attempt ++3748 || NETBIOS SMB-DS veritas WriteAndX unicode bind attempt ++3749 || NETBIOS SMB-DS veritas WriteAndX unicode little endian alter context attempt ++3750 || NETBIOS SMB-DS veritas WriteAndX unicode little endian andx alter context attempt ++3751 || NETBIOS SMB-DS veritas WriteAndX unicode little endian andx bind attempt ++3752 || NETBIOS SMB-DS veritas WriteAndX unicode little endian bind attempt ++3753 || NETBIOS SMB-DS veritas alter context attempt ++3754 || NETBIOS 
SMB-DS veritas andx alter context attempt ++3755 || NETBIOS SMB-DS veritas andx bind attempt ++3756 || NETBIOS SMB-DS veritas bind attempt ++3757 || NETBIOS SMB-DS veritas little endian alter context attempt ++3758 || NETBIOS SMB-DS veritas little endian andx alter context attempt ++3759 || NETBIOS SMB-DS veritas little endian andx bind attempt ++3760 || NETBIOS SMB-DS veritas little endian bind attempt ++3761 || NETBIOS SMB-DS veritas unicode alter context attempt ++3762 || NETBIOS SMB-DS veritas unicode andx alter context attempt ++3763 || NETBIOS SMB-DS veritas unicode andx bind attempt ++3764 || NETBIOS SMB-DS veritas unicode bind attempt ++3765 || NETBIOS SMB-DS veritas unicode little endian alter context attempt ++3766 || NETBIOS SMB-DS veritas unicode little endian andx alter context attempt ++3767 || NETBIOS SMB-DS veritas unicode little endian andx bind attempt ++3768 || NETBIOS SMB-DS veritas unicode little endian bind attempt ++3769 || NETBIOS DCERPC NCACN-HTTP veritas alter context attempt ++3770 || NETBIOS DCERPC NCACN-HTTP veritas bind attempt ++3771 || NETBIOS DCERPC NCACN-HTTP veritas little endian alter context attempt ++3772 || NETBIOS DCERPC NCACN-HTTP veritas little endian bind attempt ++3773 || NETBIOS DCERPC DIRECT-UDP veritas alter context attempt ++3774 || NETBIOS DCERPC DIRECT-UDP veritas bind attempt ++3775 || NETBIOS DCERPC DIRECT-UDP veritas little endian alter context attempt ++3776 || NETBIOS DCERPC DIRECT-UDP veritas little endian bind attempt ++3777 || NETBIOS DCERPC NCADG-IP-UDP veritas alter context attempt ++3778 || NETBIOS DCERPC NCADG-IP-UDP veritas bind attempt ++3779 || NETBIOS DCERPC NCADG-IP-UDP veritas little endian alter context attempt ++3780 || NETBIOS DCERPC NCADG-IP-UDP veritas little endian bind attempt ++3781 || NETBIOS-DG SMB veritas WriteAndX alter context attempt ++3782 || NETBIOS-DG SMB veritas WriteAndX andx alter context attempt ++3783 || NETBIOS-DG SMB veritas WriteAndX andx bind attempt ++3784 || NETBIOS-DG 
SMB veritas WriteAndX bind attempt ++3785 || NETBIOS-DG SMB veritas WriteAndX little endian alter context attempt ++3786 || NETBIOS-DG SMB veritas WriteAndX little endian andx alter context attempt ++3787 || NETBIOS-DG SMB veritas WriteAndX little endian andx bind attempt ++3788 || NETBIOS-DG SMB veritas WriteAndX little endian bind attempt ++3789 || NETBIOS-DG SMB veritas WriteAndX unicode alter context attempt ++3790 || NETBIOS-DG SMB veritas WriteAndX unicode andx alter context attempt ++3791 || NETBIOS-DG SMB veritas WriteAndX unicode andx bind attempt ++3792 || NETBIOS-DG SMB veritas WriteAndX unicode bind attempt ++3793 || NETBIOS-DG SMB veritas WriteAndX unicode little endian alter context attempt ++3794 || NETBIOS-DG SMB veritas WriteAndX unicode little endian andx alter context attempt ++3795 || NETBIOS-DG SMB veritas WriteAndX unicode little endian andx bind attempt ++3796 || NETBIOS-DG SMB veritas WriteAndX unicode little endian bind attempt ++3797 || NETBIOS-DG SMB veritas alter context attempt ++3798 || NETBIOS-DG SMB veritas andx alter context attempt ++3799 || NETBIOS-DG SMB veritas andx bind attempt ++3800 || NETBIOS-DG SMB veritas bind attempt ++3801 || NETBIOS-DG SMB veritas little endian alter context attempt ++3802 || NETBIOS-DG SMB veritas little endian andx alter context attempt ++3803 || NETBIOS-DG SMB veritas little endian andx bind attempt ++3804 || NETBIOS-DG SMB veritas little endian bind attempt ++3805 || NETBIOS-DG SMB veritas unicode alter context attempt ++3806 || NETBIOS-DG SMB veritas unicode andx alter context attempt ++3807 || NETBIOS-DG SMB veritas unicode andx bind attempt ++3808 || NETBIOS-DG SMB veritas unicode bind attempt ++3809 || NETBIOS-DG SMB veritas unicode little endian alter context attempt ++3810 || NETBIOS-DG SMB veritas unicode little endian andx alter context attempt ++3811 || NETBIOS-DG SMB veritas unicode little endian andx bind attempt ++3812 || NETBIOS-DG SMB veritas unicode little endian bind attempt ++3813 
|| WEB-CGI awstats.pl configdir command execution attempt || bugtraq,12298 || cve,2005-0116
++3814 || WEB-CLIENT IE javaprxy.dll COM access || bugtraq,14087 || cve,2005-2087
++3815 || SMTP eXchange POP3 mail server overflow attempt || bugtraq,10180
++3816 || WEB-MISC BadBlue ext.dll buffer overflow attempt || bugtraq,7387
++3817 || TFTP GET transfer mode overflow attempt || bugtraq,13821 || cve,2005-1812
++3818 || TFTP PUT transfer mode overflow attempt || bugtraq,13821 || cve,2005-1812
++3819 || WEB-CLIENT multipacket CHM file transfer start || bugtraq,13953 || cve,2005-1208 || nessus,18482
++3820 || WEB-CLIENT multipacket CHM file transfer attempt || bugtraq,13953 || cve,2005-1208 || nessus,18482
++3821 || WEB-CLIENT CHM file transfer attempt || bugtraq,13953 || cve,2005-1208 || nessus,18482
++3822 || WEB-MISC Real Player realtext long URI request
++3823 || WEB-MISC Real Player realtext file bad version buffer overflow attempt || bugtraq,14048 || cve,2005-1766
++3824 || SMTP AUTH user overflow attempt || bugtraq,13772
++3825 || POLICY AOL Instant Messenger Message Send
++3826 || POLICY AOL Instant Messenger Message Receive
++3827 || WEB-PHP xmlrpc.php post attempt || bugtraq,14088 || cve,2005-1921
+--- /dev/null
++++ b/rules/dns.rules
+@@ -0,0 +1,54 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
++#
++#
++# $Id: dns.rules,v 1.38.2.3.2.3 2005/05/31 17:13:02 mwatchinski Exp $
++#----------
++# DNS RULES
++#----------
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:255; rev:13;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:1948; rev:6;)
++
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:1435; rev:7;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:256; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:257; rev:9;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:1616; rev:7;)
++
++
++
++alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response PTR with TTL of 1 min. and no authority"; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; classtype:bad-unknown; sid:253; rev:4;)
++alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response with TTL of 1 min. and no authority"; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 01 00 01 00 00 00|<|00 04|"; classtype:bad-unknown; sid:254; rev:4;)
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:258; rev:6;)
++
++
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01| |02|a"; reference:arachnids,482; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-admin; sid:303; rev:11;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; content:"|80 00 07 00 00 00 00 00 01|?|00 01 02|"; reference:bugtraq,2303; reference:cve,2001-0010; classtype:attempted-admin; sid:314; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:259; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow ADMROCKS"; flow:to_server,established; content:"ADMROCKS"; reference:bugtraq,788; reference:cve,1999-0833; reference:url,www.cert.org/advisories/CA-1999-14.html; classtype:attempted-admin; sid:260; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:261; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0|?1|DB B3 FF|1|C9 CD 80|1|C0|"; classtype:attempted-admin; sid:262; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0 02 CD 80 85 C0|uL|EB|L^|B0|"; classtype:attempted-admin; sid:264; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt ADMv2"; flow:to_server,established; content:"|89 F7 29 C7 89 F3 89 F9 89 F2 AC|<|FE|"; classtype:attempted-admin; sid:265; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 FreeBSD overflow attempt"; flow:to_server,established; content:"|EB|n^|C6 06 9A|1|C9 89|N|01 C6|F|05|"; classtype:attempted-admin; sid:266; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|"; classtype:attempted-admin; sid:267; rev:5;)
++# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS TCP inverse query"; flow:to_server,established; byte_test:1,<,16,2; byte_test:1,&,8,2; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-recon; sid:2922; rev:1;)
++# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS UDP inverse query"; byte_test:1,<,16,2; byte_test:1,&,8,2; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-recon; sid:2921; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3153; rev:2;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS UDP inverse query overflow"; byte_test:1,<,16,2; byte_test:1,&,8,2; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3154; rev:2;)
+--- /dev/null
++++ b/rules/community-icmp.rules
+@@ -0,0 +1,8 @@
++# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# These rules are licensed under the GNU General Public License.
++# Please see the file LICENSE in this directory for more details.
++# $Id: community-icmp.rules,v 1.4 2006/06/01 15:51:28 akirk Exp $
++
++#Rule submitted by rmkml
++alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY ICMP Linux DoS sctp Exploit"; icode:2; itype:3; content:"|28 00 00 50 00 00 00 00 F9 57 1F 30 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:nessus,19777; classtype:attempted-user; sid:100000164; rev:2;)
++alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY ICMP undefined code"; icode:>18; classtype:misc-activity; sid:100000197; rev:1;)
+--- /dev/null
++++ b/rules/community-oracle.rules
+@@ -0,0 +1,6 @@
++# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# These rules are licensed under the GNU General Public License.
++# Please see the file LICENSE in this directory for more details.
++# $Id: community-oracle.rules,v 1.2 2005/10/13 14:16:06 akirk Exp $
++
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3339 (msg:"COMMUNITY ORACLE TNS Listener shutdown via iSQLPlus attempt"; flow:to_server,established; content:"isqlplus"; nocase; content:"COMMAND"; nocase; distance:0; content:"STOP"; nocase; distance:0; content:"LISTENER"; nocase; distance:0; pcre:"/isqlplus\x2F[^\r\n]*COMMAND\s*\x3D\s*STOP[^\r\n\x26]*LISTENER/si"; reference:bugtraq,15032; reference:url,www.red-database-security.com/advisory/oracle_isqlplus_shutdown.html; classtype:attempted-user; sid:100000166; rev:1;)
+--- /dev/null
++++ b/rules/community-game.rules
+@@ -0,0 +1,10 @@
++# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# These rules are licensed under the GNU General Public License.
++# Please see the file LICENSE in this directory for more details.
++# $Id: community-game.rules,v 1.8 2005/11/10 14:15:43 akirk Exp $
++
++alert udp $EXTERNAL_NET any -> $HOME_NET 2305 (msg:"COMMUNITY GAME Halocon Denial of Service Empty UDP Packet"; dsize:0; classtype:attempted-dos; reference:bugtraq,12281; sid:100000102; rev:1;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 7649 (msg:"COMMUNITY GAME Breed Game Server Denial of Service Empty UDP Packet"; dsize:0; classtype:attempted-dos; reference:bugtraq,12262; sid:100000103; rev:1;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 27777 (msg:"COMMUNITY GAME Amp II 3D Game Server Denial of Service Empty UDP Packet"; dsize:0; classtype:attempted-dos; reference:bugtraq,12192; sid:100000104; rev:1;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 29000 (msg:"COMMUNITY GAME FlatFrag game dos exploit"; fragbits:D; id:1; content:"|61 61 61|"; dsize:99; reference:bugtraq,15287; reference:cve,2005-3492; classtype:attempted-dos; sid:100000181; rev:1;)
++alert udp $EXTERNAL_NET any <> $HOME_NET 7000 (msg:"COMMUNITY GAME Battle Carry attempt"; dsize:>8192; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; reference:cve,2005-3493; reference:bugtraq,15282; classtype:attempted-dos; sid:100000182; rev:1;)
+--- /dev/null
++++ b/rules/oracle.rules
+@@ -0,0 +1,375 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
++#
++#
++# $Id: oracle.rules,v 1.17.2.3.2.4 2005/05/31 17:13:03 mwatchinski Exp $
++#----------
++# ORACLE RULES
++#----------
++#
++# These signatures detect unusual and potentially malicious oracle traffic.
++# These signatures are based from signatures written by Hank Leininger
++# for Enterasys's Dragon IDS that he released
++# publicly.
++#
++# These signatures are not enabled by default as they may generate false
++# positive alarms on networks that do oracle development. If you use an
++# Oracle based web application, you should set the destination port to
++# 80 to catch attackers attempting to exploit your web application.
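Review bot: The two DNS SPOOF rules (sid 253 and sid 254) search for their 10-byte flags/count pattern with no `offset` or `depth`, so the bytes can match anywhere in the reply payload instead of at the DNS header; since flags through ARCOUNT occupy exactly bytes 2-11 of a DNS message, anchoring the first match as `content:"|85 80 00 01 00 01 00 00 00 00|"; offset:2; depth:10;` (and likewise `|81 80 ...|` for sid 254) preserves the intended semantics while removing spurious hits inside long answers. The second content in each rule also pins the TTL to exactly 60 seconds (`|00 00 00|<`) and the RDLENGTH to 15 or 4, so a forged reply with any other TTL is invisible to these rules; that is a fingerprint of one tool rather than spoof detection in general and deserves a comment such as `# Fingerprint of a specific spoofing tool (one answer, no authority, TTL 60s); spoofed replies with other TTLs are not covered`. Both rules match on any reply from `$EXTERNAL_NET 53` with no `flow` option, which is presumably deliberate because UDP replies carry no session state, but stating that in a comment would stop a future maintainer from "fixing" it.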
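Review bot: `icode:>18` in sid 100000197 is evaluated regardless of ICMP type, yet most types define only code 0 (type 3 defines 0-15), so undefined codes 1-18 on, for example, an echo request pass silently while the rule's name promises "undefined code"; if that is the intent, per-type rules such as `itype:8; icode:>0;` would be accurate, and the present rule should at least carry a comment saying it is a coarse catch-all for codes no type defines. The sctp rule (sid 100000164) matches its 24-byte pattern anywhere in the ICMP payload with no `offset`/`depth`; the quoted original datagram sits at a fixed position after the 8-byte ICMP header, so a `depth` bound would tighten it, though I have not verified the exact offset against the referenced Nessus plugin and would confirm it before changing the rule.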
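Review bot: The pcre in sid 100000166 demands a literal `=` (`\x3D`) and raw whitespace (`\s*`) between `COMMAND` and `STOP`, so if the client URL-encodes the form (`COMMAND%3DSTOP`, `+` or `%20` for spaces) the four `content` matches still hit but the pcre fails and the rule stays silent; the rule is bound to port 3339 rather than `$HTTP_PORTS`, so http_inspect URI normalization does not help unless that port is added to its configuration. Suggest `pcre:"/isqlplus\x2F[^\r\n]*COMMAND(?:\s|\+|%20)*(?:\x3D|%3D)(?:\s|\+|%20)*STOP[^\r\n\x26]*LISTENER/si"` and a comment noting that port 3339 must be listed in http_inspect's `ports` if the rule is ever converted to `http_uri`. Whether iSQL*Plus actually accepts the encoded form is inferred from ordinary HTTP form handling, not from anything in this hunk, so it is worth a quick check against the referenced advisory.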
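Review bot: sid 100000182 (Battle Carry) tests `dsize:>8192`, which a single on-the-wire UDP packet cannot satisfy on an Ethernet-sized path; the rule can only fire on the datagram rebuilt by the frag3 preprocessor, so it silently depends on frag3 being enabled for `$HOME_NET` and should say so: `# Requires frag3 reassembly: dsize is checked on the reassembled datagram, individual fragments never reach 8192 bytes`. The `<>` direction on that rule also fires on an oversized reply from the server, which may be intended, but `->` would restrict it to the attack direction if that is all that is wanted. The three `dsize:0` rules (sids 100000102-104) alert on any empty datagram to ports 2305, 7649 and 27777, which is indistinguishable from a port scan or keep-alive, so a comment that they are only meaningful where the named game server is actually deployed would help operators tune them rather than disable the file.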
++# ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE EXECUTE_SYSTEM attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:system-call-detect; sid:1673; rev:3;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE connect_data remote version detection attempt"; flow:to_server,established; content:"connect_data|28|command=version|29|"; nocase; classtype:protocol-command-decode; sid:1674; rev:5;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE misparsed login response"; flow:from_server,established; content:"description=|28|"; nocase; content:!"connect_data=|28|sid="; nocase; content:!"address=|28|protocol=tcp"; nocase; classtype:suspicious-login; sid:1675; rev:4;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select union attempt"; flow:to_server,established; content:"select "; nocase; content:" union "; nocase; classtype:protocol-command-decode; sid:1676; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select like '%' attempt"; flow:to_server,established; content:" where "; nocase; content:" like '%'"; nocase; classtype:protocol-command-decode; sid:1677; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select like '%' attempt backslash escaped"; flow:to_server,established; content:" where "; nocase; content:" like |22|%|22|"; nocase; classtype:protocol-command-decode; sid:1678; rev:7;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE describe attempt"; flow:to_server,established; content:"describe "; nocase; classtype:protocol-command-decode; sid:1679; rev:6;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_constraints access"; flow:to_server,established; content:"all_constraints"; nocase; classtype:protocol-command-decode; sid:1680; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
all_views access"; flow:to_server,established; content:"all_views"; nocase; classtype:protocol-command-decode; sid:1681; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_source access"; flow:to_server,established; content:"all_source"; nocase; classtype:protocol-command-decode; sid:1682; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tables access"; flow:to_server,established; content:"all_tables"; nocase; classtype:protocol-command-decode; sid:1683; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_columns access"; flow:to_server,established; content:"all_tab_columns"; nocase; classtype:protocol-command-decode; sid:1684; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_privs access"; flow:to_server,established; content:"all_tab_privs"; nocase; classtype:protocol-command-decode; sid:1685; rev:6;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dba_tablespace access"; flow:to_server,established; content:"dba_tablespace"; nocase; classtype:protocol-command-decode; sid:1686; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dba_tables access"; flow:to_server,established; content:"dba_tables"; nocase; classtype:protocol-command-decode; sid:1687; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE user_tablespace access"; flow:to_server,established; content:"user_tablespace"; nocase; classtype:protocol-command-decode; sid:1688; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.all_users access"; flow:to_server,established; content:"sys.all_users"; nocase; classtype:protocol-command-decode; sid:1689; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE grant attempt"; flow:to_server,established; content:"grant "; nocase; content:" to "; nocase; 
classtype:protocol-command-decode; sid:1690; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE ALTER USER attempt"; flow:to_server,established; content:"alter user"; nocase; content:" identified by "; nocase; classtype:protocol-command-decode; sid:1691; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop table attempt"; flow:to_server,established; content:"drop table"; nocase; classtype:protocol-command-decode; sid:1692; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create table attempt"; flow:to_server,established; content:"create table"; nocase; classtype:protocol-command-decode; sid:1693; rev:6;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter table attempt"; flow:to_server,established; content:"alter table"; nocase; classtype:protocol-command-decode; sid:1694; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE truncate table attempt"; flow:to_server,established; content:"truncate table"; nocase; classtype:protocol-command-decode; sid:1695; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create database attempt"; flow:to_server,established; content:"create database"; nocase; classtype:protocol-command-decode; sid:1696; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter database attempt"; flow:to_server,established; content:"alter database"; nocase; classtype:protocol-command-decode; sid:1697; rev:5;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_replication_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_support"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*package_prefix[\r\n\s]*=>[\r\n\s]*\2|package_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*procedure_prefix[\r\n\s]*=>[\r\n\s]*\2|procedure_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck93.html; classtype:attempted-user; sid:2576; rev:6;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2599; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE add_grouped_column ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22 ]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2600; rev:1;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
dbms_repcat.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2601; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_master_repgroup ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck87.html; classtype:attempted-user; sid:2602; rev:1;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*fname[\r\n\s]*=>[\r\n\s]*\2|fname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2603; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create_mview_repgroup ordered fname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){4}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2604; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 
$ORACLE_PORTS (msg:"ORACLE dbms_repcat.compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.compare_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2605; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2606; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE comment_on_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2607; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"sysdbms_repcat_rgt.check_ddl_text"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; 
reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2608; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2609; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE cancel_statistics ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2610; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE LINK metadata buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; content:"DATABASE"; nocase; content:"LINK"; nocase; pcre:"/USING\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:bugtraq,7453; reference:cve,2003-0222; reference:url,archives.neohapsis.com/archives/bugtraq/2003-04/0360.html; classtype:attempted-user; sid:2611; rev:3;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.revoke_surrogate_repcat"; 
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2612; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE revoke_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2613; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE time_zone buffer overflow attempt"; flow:to_server,established; content:"TIME_ZONE"; nocase; pcre:"/TIME_ZONE\s*=\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; reference:bugtraq,9587; reference:url,www.nextgenss.com/advisories/ora_time_zone.txt; classtype:attempted-user; sid:2614; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2615; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE grant_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; 
reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2616; rev:1;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat.alter_mview_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2617; rev:2;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter_mview_propagation ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2618; rev:1;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2619; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; 
pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2620; rev:1;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.register_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2621; rev:2;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_utl.drop_an_object"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2622; rev:2;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2623; rev:2;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2624; 
rev:2;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE unregister_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2625; rev:1;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.send_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2626; rev:2;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2627; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 
$ORACLE_PORTS (msg:"ORACLE repcat_import_check ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/\((\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2628; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_admin.register_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2629; rev:2;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE register_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2630; rev:1;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2631; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE refresh_mview_repgroup ordered gowner buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,(\s*(true|false)\s*,\s*){3}((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2632; rev:1;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.rectify"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2633; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE rectifier_diff ordered sname1 buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2634; rev:1;) ++ 
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2635; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE snapshot.end_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2636; rev:1;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2637; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2638; rev:1;) ++alert tcp 
$EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2639; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_mview_repgroup ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2640; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2641; rev:3;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_site_instantiate ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"drop_site_instantiation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck629.html; classtype:attempted-user; sid:2642; rev:1;) ++alert tcp $EXTERNAL_NET 
any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.ensure_not_published"; nocase; pcre:"/\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck96.html; classtype:attempted-user; sid:2643; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE from_tz buffer overflow attempt"; flow:to_server,established; content:"FROM_TZ"; nocase; pcre:"/\(\s*TIMESTAMP\s*(\s*(\x27[^\x27]+'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.nextgenss.com/advisories/ora_from_tz.txt; classtype:attempted-user; sid:2644; rev:1;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_offline"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2645; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE instantiate_offline ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_offline"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck630.html; classtype:attempted-user; sid:2646; rev:1;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2647; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE instantiate_online ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_online"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck631.html; classtype:attempted-user; sid:2648; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE service_name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|service_name="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck52.html; classtype:attempted-user; sid:2649; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE user name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|user="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2650; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE NUMTODSINTERVAL/NUMTOYMINTERVAL buffer overflow attempt"; flow:to_server,established; content:"NUMTO"; nocase; content:"INTERVAL"; distance:2; nocase; pcre:"/NUMTO(DS|YM)INTERVAL\s*\(\s*\d+\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; reference:bugtraq,9587; reference:url,www.nextgenss.com/advisories/ora_numtodsinterval.txt; reference:url,www.nextgenss.com/advisories/ora_numtoyminterval.txt; classtype:attempted-user; sid:2651; rev:2;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS 
(msg:"ORACLE dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2652; rev:2;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE og.begin_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2653; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE TO_CHAR buffer overflow attempt"; flow:to_server,established; content:"TO_CHAR"; nocase; pcre:"/TO_CHAR\s*\(\s*SYSTIMESTAMP\s*,\s*(\x27[^\x27]{256}|\x22[^\x22]{256})/smi"; classtype:attempted-user; sid:2699; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2676; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_repcat.enable_propagation_to_dblink"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*dblink[\r\n\s]*=>[\r\n\s]*\2|dblink\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2690; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.differences"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2686; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE mdsys.md2.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.sdo_code_size"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2683; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_get_nrp"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2694; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2674; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2677; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_utl.is_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.is_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*CANON_GNAME[\r\n\s]*=>[\r\n\s]*\2|CANON_GNAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2696; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_internal_repcat.disable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.disable_receiver_trace"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2689; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE mdsys.md2.validate_geom buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.validate_geom"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{128,}\x27|\x22[^\x22]{128,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,})|\(\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,}))/si"; classtype:attempted-user; sid:2682; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_internal_sys.parallel_push_recovery"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*destination[\r\n\s]*=>[\r\n\s]*\2|destination\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2691; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE ctx_output.start_log buffer overflow attempt"; flow:to_server,established; content:"ctx_output.start_log"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2678; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE mdsys.sdo_admin.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.sdo_admin.sdo_code_size"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2681; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aq_import_internal.aq_table_defn_update"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*qt_name[\r\n\s]*=>[\r\n\s]*\2|qt_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2695; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_internal_repcat.enable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.enable_receiver_trace"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2688; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm_sys.verify_queue_types"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2692; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter file buffer overflow attempt"; flow:to_server,established; content:"alter"; nocase; pcre:"/ALTER\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2697; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_offline"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2675; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE ctxsys.driddlr.subindexpopulate buffer overflow attempt"; flow:to_server,established; content:"ctxsys.driddlr.subindexpopulate"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\d+\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2680; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_system.ksdwrt buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_system.ksdwrt"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*tst[\r\n\s]*=>[\r\n\s]*\2|tst\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*\d+\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2679; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_internal_repcat.validate buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.validate"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2687; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_rq.add_column buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_rq.add_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*SCHEMA_NAME[\r\n\s]*=>[\r\n\s]*\2|SCHEMA_NAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2685; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_no_queue"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2693; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.ltutil.pushdeferredtxns buffer overflow attempt"; flow:to_server,established; content:"sys.ltutil.pushdeferredtxns"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*repgrpname[\r\n\s]*=>[\r\n\s]*\2|repgrpname\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2684; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create file buffer overflow attempt"; flow:to_server,established; content:"create"; nocase; pcre:"/CREATE\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2698; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE numtoyminterval buffer overflow attempt"; flow:to_server,established; content:"numtoyminterval"; nocase; pcre:"/numtoyminterval\s*\(\s*\d+\s*,\s*(\x27[^\x27]{32}|\x22[^\x22]{32})/smi"; classtype:attempted-user; sid:2700; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2915; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2754; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2864; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2907; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2710; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2845; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.abort_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2719; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2727; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.suspend_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2808; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2910; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_snapshot_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2745; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2736; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2723; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_replication_trigger buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_trigger"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2853; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.register_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2796; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.add_object_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2814; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_master_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2733; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2882; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2765; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_columns_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2820; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2774; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.do_deferred_repcat_admin"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2763; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.drop_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2833; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.end_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2712; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2876; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2847; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2865; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2782; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.alter_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2827; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2758; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_master_log"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2792; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2893; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.resume_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2801; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2886; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_snapshot.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.begin_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2715; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2791; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.begin_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2815; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2751; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_untrusted.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2919; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2911; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2769; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2806; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2860; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.switch_snapshot_master 
buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1073,}\x27|\x22[^\x22]{1073,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,})|\(\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2857; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.rename_shadow_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2837; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2787; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.set_local_flavor"; nocase; 
pcre:"/(\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2824; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2739; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.generate_snapshot_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2909; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_site_priority_site"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2730; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2867; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2871; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2777; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.rename_shadow_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2800; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2825; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; 
sid:2897; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2846; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.remove_master_databases buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.remove_master_databases"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2855; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2890; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_raw buffer overflow attempt"; 
flow:to_server,established; content:"dbms_repcat.add_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2728; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.specify_new_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.specify_new_masters"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2807; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.resume_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2838; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_unique_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2883; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repsites"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2753; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2841; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; 
content:"dbms_repcat.drop_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2775; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2863; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl4.drop_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2848; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group_from_flavor"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2764; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2797; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2744; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; 
classtype:attempted-user; sid:2762; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.end_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2711; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2735; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_snapshot_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2854; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_char"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2888; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2908; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.abort_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2813; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2724; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2734; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_mview_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_mview_repsites"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gowner|gname)[\r\n\s]*=>[\r\n\s]*\2|(gowner|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2750; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_columns_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2818; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.register_snapshot_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2912; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2877; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2828; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_unique_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2783; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.cancel_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2879; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2757; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_delete_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2887; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2903; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_package"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2786; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS 
(msg:"ORACLE dbms_repcat.drop_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_grouped_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2768; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2742; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2872; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_varchar2"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2778; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.set_columns buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_columns"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2805; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.suspend_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2839; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.unregister_snapshot_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2916; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2793; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2894; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_delete_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2858; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_column_group_to_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2720; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2898; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_for_local_flavor"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2812; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2830; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2725; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_columns_to_flavor"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2721; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2831; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.rectify"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){8}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2718; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repobject"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2843; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2889; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2767; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_raw"; 
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2776; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.register_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.register_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2901; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.execute_ddl buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.execute_ddl"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2785; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_date"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2870; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2859; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.drop_an_object"; nocase; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2849; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2795; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.register_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2798; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2874; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.switch_mview_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_mview_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; 
classtype:attempted-user; sid:2856; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2752; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2761; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2780; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2842; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.purge_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2900; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2866; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repschema"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2905; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_column_group_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2817; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2891; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2917; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.send_and_compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_and_compare_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2804; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2731; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; 
classtype:attempted-user; sid:2738; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_object_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2770; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2851; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.purge_master_log"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2835; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2869; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.generate_replication_package"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2834; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.obsolete_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2821; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.resume_subset_of_masters buffer overflow attempt"; flow:to_server,established; 
content:"dbms_offline_og.resume_subset_of_masters"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2714; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2741; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2772; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2794; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.begin_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2708; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.obsolete_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2789; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repobject"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2850; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2779; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2873; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
sys.dbms_repcat_conf.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2878; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2748; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2862; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_update_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2884; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.differences"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){10}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2717; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2756; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2904; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_for_local_flavor"; nocase; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2826; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.begin_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2709; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2913; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2895; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2784; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2746; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2749; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2743; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 
$ORACLE_PORTS (msg:"ORACLE dbms_repcat.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.relocate_masterdef"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2799; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2868; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2811; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_update_resolution"; 
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2899; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_object_to_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2722; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2829; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.alter_snapshot_propagation"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2902; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2844; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2726; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.do_deferred_repcat_admin"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2832; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.validate_for_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2918; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(refresh_template_name|user_name)[\r\n\s]*=>[\r\n\s]*\2|(refresh_template_name|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2803; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2875; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2810; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2781; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.define_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_column_group"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2760; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2881; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2713; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_delete_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2880; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2740; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.make_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.make_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2788; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nchar"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2773; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.publish_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2790; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_column_group_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2819; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2771; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
dbms_repcat.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2759; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.alter_snapshot_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2840; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2892; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
dbms_repcat.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2737; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.publish_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2822; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.set_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2914; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2906; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2732; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_mview_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_mview_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2852; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
sys.dbms_repcat_mas.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.relocate_masterdef"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2836; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.drop_object_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2816; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.check_ddl_text"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(object_type|user_name)[\r\n\s]*=>[\r\n\s]*\2|(object_type|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2802; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.purge_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2823; 
rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2896; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.unregister_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2809; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_columns_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2766; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.begin_flavor_definition buffer overflow attempt"; 
flow:to_server,established; content:"dbms_repcat.begin_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2747; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2755; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2729; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nchar"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2861; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2885; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2716; rev:1;) +--- /dev/null ++++ b/rules/x11.rules +@@ -0,0 +1,24 @@ ++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved ++# ++# This file may contain proprietary rules that were created, tested and ++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as ++# rules that were created by Sourcefire and other third parties and ++# distributed under the GNU General Public License (the "GPL Rules"). The ++# VRT Certified Rules contained in this file are the property of ++# Sourcefire, Inc. 
Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# The GPL Rules created by Sourcefire, Inc. are the property of ++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights ++# Reserved. All other GPL Rules are owned and copyrighted by their ++# respective owners (please see www.snort.org/contributors for a list of ++# owners and their respective copyrights). In order to determine what ++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT ++# Certified Rules License Agreement. ++# ++# ++# $Id: x11.rules,v 1.19.2.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $ ++#---------- ++# X11 RULES ++#---------- ++ ++alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1"; reference:arachnids,396; classtype:attempted-user; sid:1225; rev:4;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flow:established; content:"l|00 0B 00 00 00 00 00 00 00 00 00|"; reference:arachnids,395; classtype:unknown; sid:1226; rev:4;) +--- /dev/null ++++ b/rules/community-sql-injection.rules +@@ -0,0 +1,15 @@ ++# Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# These rules are licensed under the GNU General Public License. ++# Please see the file LICENSE in this directory for more details. 
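Review bot: Both rules watch only `$HOME_NET 6000`, which is display :0; an X server for display :1 listens on 6001 and so on, so a second or forwarded display is not covered, and neither rule constrains direction even though both patterns are client-to-server setup data. The sid:1226 pattern `l|00 0B 00 00 00 00 00 00 00 00 00|` looks like the little-endian X11 connection-setup request (byte order `l`, protocol 11.0) with zero-length authorization name and data; if so it catches only an unauthenticated little-endian open, not big-endian (`B`) clients or cookie-bearing opens, which the msg "X11 xopen" and `classtype:unknown` do not convey. I would change both headers to `alert tcp $EXTERNAL_NET any -> $HOME_NET 6000:6063 (... flow:to_server,established; ...` and add above sid:1226 the comment `# little-endian setup request with empty auth name/data, i.e. an unauthenticated xopen; big-endian ('B') clients are not matched`.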
++# $Id: community-sql-injection.rules,v 1.10 2006/10/19 20:19:34 akirk Exp $ ++ ++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION Microsoft BizTalk Server 2002 rawdocdata.asp"; flow:to_server,established; uricontent:"/rawdocdata.asp?"; nocase; pcre:"/rawdocdata.asp\x3F[^\r\n]*exec/Ui"; classtype:web-application-attack; reference:bugtraq,7470; reference:cve,2003-0118; reference:url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx; sid:100000106; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION Microsoft BizTalk Server 2002 RawCustomSearchField.asp"; flow:to_server,established; uricontent:"/rawdocdata.asp?"; nocase; pcre:"/RawCustomSearchField.asp\x3F[^\r\n]*exec/Ui"; classtype:web-application-attack; reference:bugtraq,7470; reference:cve,2003-0118; reference:url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx; sid:100000107; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION OpenBB board.php"; flow:to_server,established; uricontent:"/board.php"; pcre:"/board.php\x3F\w+\x3D[0-9]+\s/Ui"; classtype:web-application-attack; reference:bugtraq,7404; sid:100000108; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION OpenBB member.php"; flow:to_server,established; uricontent:"/member.php"; pcre:"/member.php\x3F\w+\x3D[0-9]+\s/Ui"; classtype:web-application-attack; reference:bugtraq,7404; sid:100000109; rev:1;) ++#Rules submitted by rmkml ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION WIZZ ForumTopicDetails Sql Injection attempt"; flow:to_server,established; uricontent:"/ForumTopicDetails.php"; nocase; uricontent:"TopicID|3D|"; nocase; uricontent:"union"; nocase; uricontent:"select"; nocase; uricontent:"from"; nocase; uricontent:"ForumUser"; nocase; uricontent:"where"; nocase; reference:bugtraq,15410; 
reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20846; classtype:web-application-attack; sid:100000192; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION WIZZ ForumAuthDetails Sql Injection attempt"; flow:to_server,established; uricontent:"/ForumAuthDetails.php"; nocase; uricontent:"AuthID|3D|"; nocase; uricontent:"union"; nocase; uricontent:"select"; nocase; uricontent:"from"; nocase; uricontent:"ForumUser"; nocase; uricontent:"where"; nocase; reference:bugtraq,15410; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20845; classtype:web-application-attack; sid:100000193; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION WIZZ ForumReply Sql Injection attempt"; flow:to_server,established; uricontent:"/ForumReply.php"; nocase; uricontent:"TopicID|3D|"; nocase; uricontent:"union"; nocase; uricontent:"select"; nocase; uricontent:"from"; nocase; uricontent:"ForumUser"; nocase; uricontent:"where"; nocase; reference:bugtraq,15410; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20847; classtype:web-application-attack; sid:100000194; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION BXCP Sql Injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"where="; nocase; uricontent:"union"; nocase; uricontent:"select"; nocase; pcre:"/\x2b\w*\x54\w*/"; reference:bugtraq,18765; reference:url,www.milw0rm.com/exploits/1975; classtype:web-application-attack; sid:100000690; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION Diesel Joke Script Sql Injection attempt"; flow:to_server,established; uricontent:"/category.php"; nocase; uricontent:"id="; uricontent:"union"; nocase; uricontent:"select"; nocase; uricontent:"admin"; nocase; reference:bugtraq,18760; classtype:web-application-attack; sid:100000691; rev:2;) +--- /dev/null ++++ b/rules/tftp.rules +@@ 
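Review bot: sid:100000107 keeps `uricontent:"/rawdocdata.asp?"` copied from sid:100000106 while its pcre demands `RawCustomSearchField.asp\x3F`; both options must match the same normalized URI, so the rule only fires on a request that names both scripts and effectively never on the MS03-016 RawCustomSearchField.asp injection it is meant to catch. Change the fast-pattern to `uricontent:"/RawCustomSearchField.asp?"; nocase;` and bump rev. Less urgent: the unescaped `.` in `rawdocdata.asp`, `RawCustomSearchField.asp`, `board.php` and `member.php` makes each pcre slightly looser than intended (`\.` is what is meant), and sid:100000690's `pcre:"/\x2b\w*\x54\w*/"` has no `U` flag, so it is a `+` followed somewhere by an upper-case `T` anywhere in the packet, which adds little beyond the uricontent checks and should be explained in a comment or tightened.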
-0,0 +1,39 @@ ++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved ++# ++# This file may contain proprietary rules that were created, tested and ++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as ++# rules that were created by Sourcefire and other third parties and ++# distributed under the GNU General Public License (the "GPL Rules"). The ++# VRT Certified Rules contained in this file are the property of ++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# The GPL Rules created by Sourcefire, Inc. are the property of ++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights ++# Reserved. All other GPL Rules are owned and copyrighted by their ++# respective owners (please see www.snort.org/contributors for a list of ++# owners and their respective copyrights). In order to determine what ++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT ++# Certified Rules License Agreement. ++# ++# ++# $Id: tftp.rules,v 1.19.2.1.2.2 2005/07/22 19:19:54 mwatchinski Exp $ ++#----------- ++# TFTP RULES ++#----------- ++# ++# These signatures are based on TFTP traffic. These include malicious files ++# that are distributed via TFTP. 
++# ++# The last two signatures refer to generic GET and PUT via TFTP, which is ++# generally frowned upon on most networks, but may be used in some enviornments ++ ++alert udp any any -> any 69 (msg:"TFTP GET filename overflow attempt"; content:"|00 01|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,5328; reference:cve,2002-0813; classtype:attempted-admin; sid:1941; rev:9;) ++alert udp any any -> any 69 (msg:"TFTP PUT filename overflow attempt"; content:"|00 02|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,7819; reference:bugtraq,8505; reference:cve,2003-0380; classtype:attempted-admin; sid:2337; rev:8;) ++alert udp any any -> any 69 (msg:"TFTP GET Admin.dll"; content:"|00 01|"; depth:2; content:"admin.dll"; offset:2; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:1289; rev:4;) ++alert udp any any -> any 69 (msg:"TFTP GET nc.exe"; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2; nocase; classtype:successful-admin; sid:1441; rev:4;) ++alert udp any any -> any 69 (msg:"TFTP GET shadow"; content:"|00 01|"; depth:2; content:"shadow"; offset:2; nocase; classtype:successful-admin; sid:1442; rev:4;) ++alert udp any any -> any 69 (msg:"TFTP GET passwd"; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; classtype:successful-admin; sid:1443; rev:4;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP parent directory"; content:".."; offset:2; reference:arachnids,137; reference:cve,1999-0183; reference:cve,2002-1209; classtype:bad-unknown; sid:519; rev:6;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP root directory"; content:"|00 01|/"; depth:3; reference:arachnids,138; reference:cve,1999-0183; classtype:bad-unknown; sid:520; rev:5;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Put"; content:"|00 02|"; depth:2; reference:arachnids,148; reference:cve,1999-0183; classtype:bad-unknown; sid:518; rev:6;) ++alert 
udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Get"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:1444; rev:3;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP NULL command attempt"; content:"|00 00|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2339; rev:2;) +--- /dev/null ++++ b/rules/policy.rules +@@ -0,0 +1,55 @@ ++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved ++# ++# This file may contain proprietary rules that were created, tested and ++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as ++# rules that were created by Sourcefire and other third parties and ++# distributed under the GNU General Public License (the "GPL Rules"). The ++# VRT Certified Rules contained in this file are the property of ++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# The GPL Rules created by Sourcefire, Inc. are the property of ++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights ++# Reserved. All other GPL Rules are owned and copyrighted by their ++# respective owners (please see www.snort.org/contributors for a list of ++# owners and their respective copyrights). In order to determine what ++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT ++# Certified Rules License Agreement. 
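Review bot: The header comment says the last two signatures are the generic GET and PUT, but sid:2339 (NULL command) now sits after them, and `enviornments` is misspelled; I would rewrite it as `# sids 518, 1444 and 2339 (generic PUT, GET and NULL opcode) fire on every request and are noisy; such traffic is generally frowned upon on most networks but may be wanted in some environments`. The two filename-overflow rules (sid:1941, 2337) and the GET nc.exe/shadow/passwd rules use `any any -> any 69` while the rest use `$EXTERNAL_NET any -> $HOME_NET 69`; if catching internal sources is intentional, a one-line comment saying so would stop the next editor from "fixing" it. sid:519's `content:".."; offset:2;` is not anchored to an opcode, so an RRQ for `file..txt` or a `..` inside the mode string also alerts, which is acceptable for a bad-unknown rule but worth a comment.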
++# ++# ++# $Id: policy.rules,v 1.38.2.2.2.3 2005/07/22 19:19:54 mwatchinski Exp $ ++#------------- ++# POLICY RULES ++#------------- ++# ++ ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous login attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s+(anonymous|ftp)/smi"; classtype:misc-activity; sid:553; rev:7;) ++ ++alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"POLICY WinGate telnet server response"; flow:from_server,established; content:"WinGate>"; reference:arachnids,366; reference:cve,1999-0657; classtype:misc-activity; sid:555; rev:8;) ++ ++ ++# we have started to see multiple versions of this beyond 003.003, so we have ++# expanded this signature to take that into account. ++alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; classtype:misc-activity; sid:560; rev:6;) ++ ++alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"POLICY PCAnywhere server response"; content:"ST"; depth:2; reference:arachnids,239; classtype:misc-activity; sid:566; rev:4;) ++alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"POLICY SMTP relaying denied"; flow:established,from_server; content:"550 5.7.1"; depth:70; reference:arachnids,249; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:567; rev:11;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"POLICY HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; reference:arachnids,302; reference:bugtraq,2245; classtype:misc-activity; sid:568; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 (msg:"POLICY HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; reference:arachnids,302; reference:bugtraq,2245; classtype:misc-activity; sid:510; rev:8;) ++alert ip 66.151.158.177 any -> $HOME_NET any (msg:"POLICY poll.gotomypc.com access"; 
reference:url,www.gotomypc.com/help2.tmpl; classtype:misc-activity; sid:1429; rev:3;) ++ ++# NOTES: This signature would be better off using uricontent, and having the ++# http decoder looking at 5800 and 5802, but that is on by default ++alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"POLICY vncviewer Java applet download attempt"; flow:to_server,established; content:"/vncviewer.jar"; reference:nessus,10758; classtype:misc-activity; sid:1846; rev:4;) ++ ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP file_id.diz access possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"file_id.diz"; distance:1; nocase; classtype:suspicious-filename-detect; sid:1445; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'STOR 1MB' possible warez site"; flow:to_server,established; content:"STOR"; nocase; content:"1MB"; distance:1; nocase; classtype:misc-activity; sid:543; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'RETR 1MB' possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"1MB"; distance:1; nocase; classtype:misc-activity; sid:544; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'CWD ' possible warez site"; flow:to_server,established; content:"CWD "; depth:5; nocase; classtype:misc-activity; sid:546; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD ' possible warez site"; flow:to_Server,established; content:"MKD "; depth:5; nocase; classtype:misc-activity; sid:547; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD .' 
possible warez site"; flow:to_server,established; content:"MKD ."; depth:5; nocase; classtype:misc-activity; sid:548; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'CWD / ' possible warez site"; flow:to_server,established; content:"CWD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:545; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD / ' possible warez site"; flow:to_server,established; content:"MKD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:554; rev:6;) ++ ++alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"POLICY PPTP Start Control Request attempt"; flow:to_server,established,no_stream; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; classtype:attempted-admin; sid:2044; rev:5;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"POLICY xtacacs login attempt"; content:"|80 01|"; depth:2; content:"|00|"; distance:4; classtype:misc-activity; sid:2040; rev:3;) ++alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"POLICY xtacacs accepted login response"; content:"|80 02|"; depth:2; content:"|01|"; distance:4; classtype:misc-activity; sid:2042; rev:3;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"POLICY IPSec PGPNet connection attempt"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00|P|01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 10|"; classtype:protocol-command-decode; sid:1771; rev:6;) +--- /dev/null ++++ b/rules/mysql.rules +@@ -0,0 +1,31 @@ ++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved ++# ++# This file may contain proprietary rules that were created, tested and ++# certified by Sourcefire, Inc. 
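Review bot: sid:547 reads `flow:to_Server,established` with a capital S, unlike every other rule in this file; I cannot tell from here whether Snort's flow parser compares case-insensitively, and if it does not the rule fails to load and takes the file with it, so make it `flow:to_server,established;` and bump rev either way. sid:1429 matches `poll.gotomypc.com` by the hard-coded address `66.151.158.177` from a 2005 rule, which rots silently as the service changes hosting; at minimum add above it `# address of poll.gotomypc.com as of 2005 - verify before relying on this`. The `CWD `/`MKD ` depth:5 rules (sids 546, 547) alert on every directory change or creation by an external FTP client and will dominate alert volume on any public FTP server, which the "possible warez site" msgs at least make explicit.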
(the "VRT Certified Rules") as well as ++# rules that were created by Sourcefire and other third parties and ++# distributed under the GNU General Public License (the "GPL Rules"). The ++# VRT Certified Rules contained in this file are the property of ++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# The GPL Rules created by Sourcefire, Inc. are the property of ++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights ++# Reserved. All other GPL Rules are owned and copyrighted by their ++# respective owners (please see www.snort.org/contributors for a list of ++# owners and their respective copyrights). In order to determine what ++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT ++# Certified Rules License Agreement. ++# ++# ++# $Id: mysql.rules,v 1.10.2.2.2.3 2005/05/31 17:13:02 mwatchinski Exp $ ++#---------- ++# MYSQL RULES ++#---------- ++# ++# These signatures detect unusual and potentially malicious mysql traffic. ++# ++# These signatures are not enabled by default as they may generate false ++# positive alarms on networks that do mysql development. 
++#
++
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:1776; rev:2;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL 4.0 root login attempt"; flow:to_server,established; content:"|01|"; within:1; distance:3; content:"root|00|"; within:5; distance:5; nocase; classtype:protocol-command-decode; sid:3456; rev:2;)
+--- /dev/null
++++ b/rules/purge-non-gpl.sh
+@@ -0,0 +1,23 @@
++#!/bin/sh
++# Purges non-GPL rules from a common set
++
++if [ -z "$1" ] ; then
++ echo "Usage: $0 directory_with_rules"
++fi
++
++if [ ! -d "$1" ] ; then
++ echo "ERROR: $1 is not a directory"
++ exit 1
++fi
++
++for file in $1/*rules; do
++ if [ -r "$file" ] ; then
++ name=`basename $file`
++ if [ ! -e "$name" ] ; then
++ cat $file |perl remove-non-gpl.pl >$name
++ else
++ echo "ERROR: Cowardly refusing to overwrite $name"
++ fi
++ fi
++done
++
+--- /dev/null
++++ b/rules/bad-traffic.rules
+@@ -0,0 +1,41 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. 
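Review bot: sid:1775 is byte-exact on `|0A 00 00 01 85 04 00 00 80|root|00|`; if those bytes are the pre-4.1 auth packet (3-byte length 10, sequence 1, client flags 0x0485, max packet 0x800000) then a length of 10 leaves room only for `root\0`, so this fires on a passwordless root login from a client with exactly those capability bits and on nothing else, which neither the msg nor a comment says. Add above it `# matches only a passwordless root login with client flags 0x0485 (pre-4.1 protocol); any other flag combination or a password changes the packet length and is not caught`. sid:3456 applies `within:1; distance:3;` to its first content with nothing before it; if Snort treats that as relative to the payload start it is equivalent to `offset:3; depth:1;`, which reads better and removes the doubt. The header says these rules are not enabled by default, but whether the packaged snort.conf includes mysql.rules is outside this hunk and should be checked before the claim is kept.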
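Review bot: The usage branch prints the usage line but does not exit, so a missing argument falls through to `[ ! -d "" ]` and the script reports `ERROR:  is not a directory` instead; the usage message should `exit 1` itself and go to stderr. The loop also leaves `$1`, `$file` and `$name` unquoted in `for file in $1/*rules`, `basename $file` and `cat $file |perl remove-non-gpl.pl >$name`, so a rules directory whose path contains whitespace breaks word-splitting, and the `cat |` pipe is a redirect in disguise. `perl remove-non-gpl.pl` is resolved against the current directory, so the script only works when run from the directory holding remove-non-gpl.pl; if that file sits beside the script, resolving it via `dirname "$0"` makes the script runnable from anywhere (output still lands in the cwd, which the overwrite check already assumes).
```shell
if [ -z "$1" ] ; then
    echo "Usage: $0 directory_with_rules" >&2
    exit 1
fi
# … unchanged: directory check …
for file in "$1"/*rules; do
    if [ -r "$file" ] ; then
        name=$(basename "$file")
        if [ ! -e "$name" ] ; then
            perl "$(dirname "$0")/remove-non-gpl.pl" < "$file" > "$name"
        else
            echo "ERROR: Cowardly refusing to overwrite $name" >&2
        fi
    fi
done
```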
All other GPL Rules are owned and copyrighted by their ++# respective owners (please see www.snort.org/contributors for a list of ++# owners and their respective copyrights). In order to determine what ++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT ++# Certified Rules License Agreement. ++# ++# ++# $Id: bad-traffic.rules,v 1.31.2.3.2.1 2005/05/16 22:17:51 mwatchinski Exp $ ++#------------------ ++# BAD TRAFFIC RULES ++#------------------ ++# These signatures are representitive of traffic that should never be seen on ++# any network. None of these signatures include datagram content checking ++# and are extremely quick signatures ++# ++ ++alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:8;) ++alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC udp port 0 traffic"; reference:bugtraq,576; reference:cve,1999-0675; reference:nessus,10074; classtype:misc-activity; sid:525; rev:9;) ++# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; flow:stateless; dsize:>6; flags:S,12; reference:url,www.cert.org/incident_notes/IN-99-07.html; classtype:misc-activity; sid:526; rev:11;) ++alert ip any any <> 127.0.0.0/8 any (msg:"BAD-TRAFFIC loopback traffic"; reference:url,rr.sans.org/firewall/egress.php; classtype:bad-unknown; sid:528; rev:5;) ++alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:8;) ++alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC ip reserved bit set"; fragbits:R; classtype:misc-activity; sid:523; rev:5;) ++alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; rev:8;) 
++# linux happens. Blah ++# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC bad frag bits"; fragbits:MD; classtype:misc-activity; sid:1322; rev:7;) ++alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC Unassigned/Reserved IP protocol"; ip_proto:>134; reference:url,www.iana.org/assignments/protocol-numbers; classtype:non-standard-protocol; sid:1627; rev:3;) ++alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any (msg:"BAD-TRAFFIC syn to multicast address"; flow:stateless; flags:S+; classtype:bad-unknown; sid:1431; rev:9;) ++alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 53 SWIPE"; ip_proto:53; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2186; rev:3;) ++alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 55 IP Mobility"; ip_proto:55; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2187; rev:3;) ++alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 77 Sun ND"; ip_proto:77; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2188; rev:3;) ++alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 103 PIM"; ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2189; rev:3;) +--- /dev/null ++++ b/rules/generators +@@ -0,0 +1,39 @@ ++# Master Registry of Snort Generator Ids ++# ++# ++# This file is used to maintain unique generator ids for files even if ++# the default snort configuration doesn't include some patch that is ++# required for a specific preprocessor to work ++# ++# ++# ++# Maintainer: Chris Green ++# ++# Contact cmg@sourcefire.com for an assignment ++ ++rules_subsystem 1 # Snort Rules Engine ++tag_subsystem 2 # Tagging Subsystem ++portscan 100 # Portscan1 ++minfrag 101 # Minfrag [ removed ] ++http_decode 102 # HTTP decode 1/2 ++defrag 103 # First defragmenter [ removed ] ++spade 104 # SPADE [ not included anymore ] ++bo 105 # Back Orifice ++rpc_decode 106 # 
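Review bot: sid:1627 alerts on `ip_proto:>134` as "Unassigned/Reserved", but the referenced IANA registry had assigned 135 (Mobility Header), 136 (UDPLite), 137 (MPLS-in-IP), 138 (MANET), 139 (HIP), 140 (Shim6) and 141 (WESP) well before this 2011 package, so legitimate UDP-Lite, HIP or Shim6 traffic is flagged as a non-standard protocol. Raise the threshold to the registry's current highest assigned number, bump rev, and add `# keep in step with www.iana.org/assignments/protocol-numbers; last checked <date>` above it. `representitive` in the header is a typo for `representative`. sids 2186-2189 (SWIPE, IP Mobility, Sun ND, PIM) with `any any -> any any` will also fire on PIM from multicast routers on the monitored segment, which is legitimate wherever multicast routing is in use and deserves a comment.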
RPC Preprocessor ++stream2 107 # 2nd stream preprocessor [removed] ++stream3 108 # 3rd stream preprocessor (AVL nightmare) [ removed ] ++telnet_neg 109 # telnet option decoder ++unidecode 110 # unicode decoder ++stream4 111 # Stream4 preprocessor ++arpspoof 112 # Arp Spoof detector ++frag2 113 # 2nd fragment preprocessor ++fnord 114 # NOP detector [ removed ] ++asn1 115 # ASN.1 Validator [ removed ] ++decode 116 # Snort Internal Decoder ++scan2 117 # portscan2 ++conversation 118 # conversation ++reserved 119 # TBA ++reserved 120 # TBA ++snmp 121 # Andrew Baker's newer SNMP decoder ++sfportscan 122 # Dan Roelkers portscan ++frag3 123 # Marty Roesch's ip frag reassembler +--- /dev/null ++++ b/rules/web-attacks.rules +@@ -0,0 +1,74 @@ ++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved ++# ++# This file may contain proprietary rules that were created, tested and ++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as ++# rules that were created by Sourcefire and other third parties and ++# distributed under the GNU General Public License (the "GPL Rules"). The ++# VRT Certified Rules contained in this file are the property of ++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# The GPL Rules created by Sourcefire, Inc. are the property of ++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights ++# Reserved. All other GPL Rules are owned and copyrighted by their ++# respective owners (please see www.snort.org/contributors for a list of ++# owners and their respective copyrights). In order to determine what ++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT ++# Certified Rules License Agreement. ++# ++# ++# $Id: web-attacks.rules,v 1.18.2.2.2.1 2005/05/16 22:17:52 mwatchinski Exp $ ++# ---------------- ++# WEB ATTACKS ++# ---------------- ++# These signatures are generic signatures that will catch common commands ++# used to exploit form variable vulnerabilities. 
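Review bot: The registry is stale relative to the Snort 2.9.2 tree it is being added to: gids 119 and 120 are recorded as `reserved 119 # TBA` / `reserved 120 # TBA`, yet to my knowledge the gen-msg.map shipped with Snort 2.x assigns them to http_inspect (client and server side), and nothing above 123 (frag3) is listed although 2.9.x preprocessors such as stream5 have their own generator ids. If the file stays as operator documentation for decoding `[gid:sid:rev]` triples, the two reserved lines should become `http_inspect_client 119 # HTTP Inspect (client)` and `http_inspect_server 120 # HTTP Inspect (server)`, with a header line pointing at etc/gen-msg.map as the authoritative list; otherwise it is safer to drop it than to ship wrong assignments. Whether anything reads this file at runtime is not visible from the hunk.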
These signatures should ++# not false very often. ++# ++# Please email example PCAP log dumps to snort-sigs@lists.sourceforge.net ++# if you find one of these signatures to be too false possitive. ++ ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ps command attempt"; flow:to_server,established; uricontent:"/bin/ps"; nocase; classtype:web-application-attack; sid:1328; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps command attempt"; flow:to_server,established; uricontent:"ps%20"; nocase; classtype:web-application-attack; sid:1329; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS wget command attempt"; flow:to_server,established; content:"wget%20"; nocase; classtype:web-application-attack; reference:bugtraq,10361; sid:1330; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS uname -a command attempt"; flow:to_server,established; content:"uname%20-a"; nocase; classtype:web-application-attack; sid:1331; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/id command attempt"; flow:to_server,established; content:"/usr/bin/id"; nocase; classtype:web-application-attack; sid:1332; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS id command attempt"; flow:to_server,established; content:"|3B|id"; nocase; classtype:web-application-attack; sid:1333; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS echo command attempt"; flow:to_server,established; content:"/bin/echo"; nocase; classtype:web-application-attack; sid:1334; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS kill command attempt"; flow:to_server,established; content:"/bin/kill"; nocase; classtype:web-application-attack; sid:1335; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chmod command 
attempt"; flow:to_server,established; content:"/bin/chmod"; nocase; classtype:web-application-attack; sid:1336; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chgrp command attempt"; flow:to_server,established; content:"/chgrp"; nocase; classtype:web-application-attack; sid:1337; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chown command attempt"; flow:to_server,established; content:"/chown"; nocase; classtype:web-application-attack; sid:1338; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chsh command attempt"; flow:to_server,established; content:"/usr/bin/chsh"; nocase; classtype:web-application-attack; sid:1339; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS tftp command attempt"; flow:to_server,established; content:"tftp%20"; nocase; classtype:web-application-attack; sid:1340; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/gcc command attempt"; flow:to_server,established; content:"/usr/bin/gcc"; nocase; classtype:web-application-attack; sid:1341; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS gcc command attempt"; flow:to_server,established; content:"gcc%20-o"; nocase; classtype:web-application-attack; sid:1342; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/cc command attempt"; flow:to_server,established; content:"/usr/bin/cc"; nocase; classtype:web-application-attack; sid:1343; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS cc command attempt"; flow:to_server,established; content:"cc%20"; nocase; classtype:web-application-attack; sid:1344; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/cpp command attempt"; flow:to_server,established; content:"/usr/bin/cpp"; nocase; 
classtype:web-application-attack; sid:1345; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS cpp command attempt"; flow:to_server,established; content:"cpp%20"; nocase; classtype:web-application-attack; sid:1346; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/g++ command attempt"; flow:to_server,established; content:"/usr/bin/g++"; nocase; classtype:web-application-attack; sid:1347; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS g++ command attempt"; flow:to_server,established; content:"g++%20"; nocase; classtype:web-application-attack; sid:1348; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/python access attempt"; flow:to_server,established; content:"bin/python"; nocase; classtype:web-application-attack; sid:1349; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS python access attempt"; flow:to_server,established; content:"python%20"; nocase; classtype:web-application-attack; sid:1350; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/tclsh execution attempt"; flow:to_server,established; content:"bin/tclsh"; nocase; classtype:web-application-attack; sid:1351; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS tclsh execution attempt"; flow:to_server,established; content:"tclsh8%20"; nocase; classtype:web-application-attack; sid:1352; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/nasm command attempt"; flow:to_server,established; content:"bin/nasm"; nocase; classtype:web-application-attack; sid:1353; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nasm command attempt"; flow:to_server,established; content:"nasm%20"; nocase; classtype:web-application-attack; sid:1354; rev:5;) ++alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/perl execution attempt"; flow:to_server,established; content:"/usr/bin/perl"; nocase; classtype:web-application-attack; sid:1355; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS perl execution attempt"; flow:to_server,established; content:"perl%20"; nocase; classtype:web-application-attack; sid:1356; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nt admin addition attempt"; flow:to_server,established; content:"net localgroup administrators /add"; nocase; classtype:web-application-attack; sid:1357; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS traceroute command attempt"; flow:to_server,established; content:"traceroute%20"; nocase; classtype:web-application-attack; sid:1358; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ping command attempt"; flow:to_server,established; content:"/bin/ping"; nocase; classtype:web-application-attack; sid:1359; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS netcat command attempt"; flow:to_server,established; content:"nc%20"; nocase; classtype:web-application-attack; sid:1360; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nmap command attempt"; flow:to_server,established; content:"nmap%20"; nocase; classtype:web-application-attack; sid:1361; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS xterm command attempt"; flow:to_server,established; content:"/usr/X11R6/bin/xterm"; nocase; classtype:web-application-attack; sid:1362; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS X application to remote host attempt"; flow:to_server,established; content:"%20-display%20"; nocase; classtype:web-application-attack; sid:1363; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-ATTACKS lsof command attempt"; flow:to_server,established; content:"lsof%20"; nocase; classtype:web-application-attack; sid:1364; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS rm command attempt"; flow:to_server,established; content:"rm%20"; nocase; classtype:web-application-attack; sid:1365; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"/bin/mail"; nocase; classtype:web-application-attack; sid:1366; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"mail%20"; nocase; classtype:web-application-attack; sid:1367; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ls| command attempt"; flow:to_server,established; uricontent:"/bin/ls|7C|"; nocase; classtype:web-application-attack; sid:1368; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ls command attempt"; flow:to_server,established; uricontent:"/bin/ls"; nocase; classtype:web-application-attack; sid:1369; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/inetd.conf access"; flow:to_server,established; content:"/etc/inetd.conf"; nocase; classtype:web-application-activity; sid:1370; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/motd access"; flow:to_server,established; content:"/etc/motd"; nocase; classtype:web-application-activity; sid:1371; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/shadow access"; flow:to_server,established; content:"/etc/shadow"; nocase; classtype:web-application-activity; sid:1372; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS conf/httpd.conf attempt"; flow:to_server,established; content:"conf/httpd.conf"; 
nocase; classtype:web-application-activity; sid:1373; rev:6;) +--- /dev/null ++++ b/rules/pop3.rules +@@ -0,0 +1,58 @@ ++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved ++# ++# This file may contain proprietary rules that were created, tested and ++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as ++# rules that were created by Sourcefire and other third parties and ++# distributed under the GNU General Public License (the "GPL Rules"). The ++# VRT Certified Rules contained in this file are the property of ++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# The GPL Rules created by Sourcefire, Inc. are the property of ++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights ++# Reserved. All other GPL Rules are owned and copyrighted by their ++# respective owners (please see www.snort.org/contributors for a list of ++# owners and their respective copyrights). In order to determine what ++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT ++# Certified Rules License Agreement. 
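Review bot: sid 1329 is written as `uricontent:"ps%20"`, but as I understand it `uricontent` in Snort 2.x is matched against the URI after http_inspect has normalized it, so percent-encoding has already been decoded and a literal `%20` will not be found; the rule should use the decoded form, `uricontent:"ps "; nocase;` (or `content:"ps "; nocase; http_uri;`), the way sids 1328, 1368 and 1369 already match plain `/bin/ps` and `/bin/ls`. The header states these signatures "should not false very often", yet bare `content` matches such as `cc%20`, `rm%20`, `nc%20` and `mail%20` (sids 1344, 1365, 1360, 1367) match anywhere in the raw request, headers and bodies included, so confining them to the URI or client-body buffer would make that claim true. The header's `false possitive` is also a typo for `false positive`.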
++# ++# ++# $Id: pop3.rules,v 1.22.2.4.2.3 2005/06/29 15:35:04 mwatchinski Exp $ ++#-------------- ++# POP3 RULES ++#-------------- ++ ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE negative argument attempt"; flow:to_server,established; content:"DELE"; nocase; pcre:"/^DELE\s+-\d/smi"; reference:bugtraq,6053; reference:bugtraq,7445; reference:cve,2002-1539; classtype:misc-attack; sid:2121; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 UIDL negative argument attempt"; flow:to_server,established; content:"UIDL"; nocase; pcre:"/^UIDL\s+-\d/smi"; reference:bugtraq,6053; reference:cve,2002-1539; reference:nessus,11570; classtype:misc-attack; sid:2122; rev:10;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; isdataat:50,relative; pcre:"/^USER\s[^\n]{50,}/smi"; reference:bugtraq,11256; reference:bugtraq,789; reference:cve,1999-0494; reference:nessus,10311; classtype:attempted-admin; sid:1866; rev:11;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 CAPA overflow attempt"; flow:to_server,established; content:"CAPA"; nocase; isdataat:10,relative; pcre:"/^CAPA\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2108; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 TOP overflow attempt"; flow:to_server,established; content:"TOP"; nocase; isdataat:10,relative; pcre:"/^TOP\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2109; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:10,relative; pcre:"/^STAT\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2110; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:10,relative; pcre:"/^DELE\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2111; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 
(msg:"POP3 RSET overflow attempt"; flow:to_server,established; content:"RSET"; nocase; isdataat:10,relative; pcre:"/^RSET\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2112; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 AUTH overflow attempt"; flow:to_server,established; content:"AUTH"; nocase; isdataat:50,relative; pcre:"/^AUTH\s[^\n]{50}/smi"; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:1936; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/smi"; reference:bugtraq,948; reference:cve,2000-0096; reference:nessus,10197; classtype:attempted-admin; sid:1937; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 XTND overflow attempt"; flow:to_server,established; content:"XTND"; nocase; isdataat:50,relative; pcre:"/^XTND\s[^\n]{50}/smi"; classtype:attempted-admin; sid:1938; rev:4;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; isdataat:50,relative; pcre:"/^PASS\s[^\n]{50}/smi"; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:13;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s[^\n]{256}/smi"; reference:bugtraq,1652; reference:cve,2000-0840; reference:cve,2000-0841; reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:13;) ++ ++# bsd-qpopper.c ++# overflow in the reading of a line in qpopper ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89 F9|"; reference:bugtraq,133; reference:cve,1999-0006; reference:nessus,10196; classtype:attempted-admin; sid:286; 
rev:11;) ++ ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1"; classtype:attempted-admin; sid:287; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 Linux overflow"; flow:to_server,established; content:"|D8|@|CD 80 E8 D9 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:288; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 SCO overflow"; flow:to_server,established; content:"V|0E|1|C0 B0 3B 8D|~|12 89 F9 89 F9|"; reference:bugtraq,156; reference:cve,1999-0006; classtype:attempted-admin; sid:289; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT qpopper overflow"; flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh"; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:290; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s+[^\n]*?%/smi"; reference:bugtraq,10976; reference:bugtraq,7667; reference:cve,2003-0391; reference:nessus,11742; classtype:attempted-admin; sid:2250; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 login brute force attempt"; flow:to_server,established; content:"USER"; nocase; threshold:type threshold, track by_dst, count 30, seconds 30; classtype:suspicious-login; sid:2274; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP USER overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/smi"; reference:bugtraq,9794; classtype:attempted-admin; sid:2409; rev:1;) ++ ++alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; 
reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2501; rev:10;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2502; rev:10;) ++ ++alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2518; rev:13;) ++ ++alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2535; rev:6;) ++alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"POP3 SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; 
depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2536; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2537; rev:6;) ++ ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s+[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2666; rev:1;) +--- /dev/null ++++ b/rules/web-misc.rules +@@ -0,0 +1,443 @@ ++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved ++# ++# This file may contain proprietary rules that were created, tested and ++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as ++# rules that were created by Sourcefire and other third parties and ++# distributed under the GNU General Public License (the "GPL Rules"). The ++# VRT Certified Rules contained in this file are the property of ++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# The GPL Rules created by Sourcefire, Inc. are the property of ++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights ++# Reserved. All other GPL Rules are owned and copyrighted by their ++# respective owners (please see www.snort.org/contributors for a list of ++# owners and their respective copyrights). In order to determine what ++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT ++# Certified Rules License Agreement. 
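Review bot: The commented-out sid 2274 still carries `threshold:type threshold, track by_dst, count 30, seconds 30`, a rule keyword that has been deprecated since Snort 2.8.5 in favor of `detection_filter`, so anyone enabling it in this 2.9.2 package gets a deprecation warning. If the rule is meant to remain available it should be shipped as `detection_filter:track by_dst, count 30, seconds 30;` instead. The fixed-length overflow checks such as sid 2109 (`isdataat:10,relative; pcre:"/^TOP\s[^\n]{10}/smi"`) will also fire on a legitimate `TOP` with a long message number and line count, so the threshold looks noisy for large mailboxes; this is inferred from the pattern rather than verified against traffic.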
++# ++# ++# $Id: web-misc.rules,v 1.118.2.8.2.6 2005/07/22 19:19:54 mwatchinski Exp $ ++#--------------- ++# WEB-MISC RULES ++#--------------- ++ ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv2 Client_Hello with pad Challenge Length overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; byte_test:2,<,768,4; flowbits:set,sslv2.client_hello.request; byte_test:2,>,32,10; classtype:attempted-admin; sid:2657; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv2 Client_Hello Challenge Length overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; byte_test:2,<,768,3; flowbits:set,sslv2.client_hello.request; byte_test:2,>,32,9; classtype:attempted-admin; sid:2656; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting attempt"; flow:to_server,established; content:" ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3144.txt +@@ -0,0 +1,77 @@ ++Rule: ++ ++-- ++Sid: ++3144 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in Microsoft systems using Server Message Block (SMB). ++ ++-- ++Impact: ++Serious. Execution of arbitrary code leading to unauthorized ++administrative access to the target host. 
Denial of Service (DoS) is ++also possible. ++ ++-- ++Detailed Information: ++SMB is a client - server protocol used in sharing resources such as ++files, printers, ports, named pipes and other things, between machines ++on a network. ++ ++A vulnerability in the Microsoft implementation of SMB exists due to a ++programming error which may present an attacker with the opportunity to ++exploit the service and run code of their choosing on an affected ++system. The attacker may then cause a DoS condition in the service or ++possibly gain unauthorized access to the target host. ++ ++A malicious attacker can exploit the vulnerability by sending a ++malicious response from a server in response to a client request using ++SMB. ++ ++-- ++Affected Systems: ++ Microsoft Windows 2003 ++ Microsoft Windows 2000 ++ Microsoft Windows XP ++ ++-- ++Attack Scenarios: ++An attacker can supply extra data in the message from the server ++containing code of their choosing to be run on the client. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches. ++ ++Turn off windows file and print services. ++ ++Use Samba as an alternative. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++eEye: ++http://www.eeye.com/html/research/advisories/AD20050208.html ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/546.txt +@@ -0,0 +1,56 @@ ++Rule: ++ ++-- ++Sid: ++546 ++ ++-- ++Summary: ++This event is generated when an attempt is made to navigate in an FTP session to a hidden directory name that begins with a space. ++ ++-- ++Impact: ++Unauthorized file storage. An attacker may attempt to navigate on an FTP server to a directory name that begins with a space to list or store unauthorized files such as unlicensed software. 
++ ++-- ++Detailed Information: ++An attacker may attempt to hide unauthorized files in a hidden directory name that begins with a space. This hidden directory is hard to discover, permitting attackers to store unauthorized "warez" files, such as unlicensed or pirated software. ++ ++-- ++Affected Systems: ++FTP servers ++ ++-- ++Attack Scenarios: ++An attacker may navigate to the hidden directory name that begins with a space to list or store unauthorized files. ++ ++-- ++Ease of Attack: ++Simple ++ ++-- ++False Positives: ++It is remotely possible that an authorized directory exists with a name that begins with a space. ++ ++-- ++False Negatives: ++Hidden directories other than those with names that begin with a space may be used to store "warez" files. ++ ++-- ++Corrective Action: ++Assign restrictive permissions to all directories so unauthorized users cannot navigate or write to them. ++ ++Regularly monitor directories for sudden or drastic increased use of space. ++ ++-- ++Contributors: ++Original rule writer unknown ++Modified by Brian Caswell ++Snort documentation contributed by Chaos ++Sourcefire Research Team ++Judy Novak ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/432.txt +@@ -0,0 +1,61 @@ ++Rule: ++ ++-- ++ ++Sid: ++432 ++ ++-- ++ ++Summary: ++This event is generated when a host generates and ICMP Type 40 Code 3 Decryption Failed datagram. ++ ++-- ++ ++Impact: ++ICMP Type 40 Code 3 datagrams are an indication that a received datagram failed a decryption check for a given SPI. Normally this is an indication that hosts using IP Security Protocols such as AH or ESP have been configured incorrectly or are failing to establish a session with another host. ++ ++-- ++ ++Detailed Information: ++Hosts using IP Security Protocols such as AH or ESP generate ICMP Type 40 datagrams when a failure condition occurs. 
ICMP Type 40 Code 3 datagrams are generated when a received datagram fails the decryption check for a given SPI (Security Parameters Index). ++ ++-- ++ ++Attack Scenarios: ++None known ++ ++-- ++ ++Ease of Attack: ++Numerous tools and scripts can generate this type of ICMP datagram. ++ ++-- ++ ++False Positives: ++None known ++ ++-- ++ ++False Negatives: ++None known ++ ++-- ++ ++Corrective Action: ++ICMP Type 40 datagrams not normally seen on the network. Currently Sourcefire is unaware of any hardware that has implemented these types of ICMP datagrams. Hosts generating these types of ICMP datagrams should be investigated for nefarious activity or configuration errors. ++ ++-- ++ ++Contributors: ++Original Rule writer unknown ++Sourcefire Research Team ++Matthew Watchinski (matt.watchinski@sourcefire.com) ++ ++-- ++ ++Additional References: ++RFC2521 ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2534.txt +@@ -0,0 +1,61 @@ ++Rule: ++ ++-- ++Sid: ++2534 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in the Microsoft implementation of SSL Version 3. ++ ++-- ++Impact: ++Denial of Service (DoS). ++ ++-- ++Detailed Information: ++A vulnerability exists in the handling of SSL Version 3 requests that ++can be manipulated to cause a DoS condition in various software ++implementations used on Microsoft operating systems. ++ ++The condition exists because of poor error handling routines in the ++Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an ++invalid field, sent to vulnerable systems can cause the affected host to stop ++handling any further requests. ++ ++-- ++Affected Systems: ++ Microsoft Windows 2000, 2003 and XP systems using SSL ++ ++-- ++Attack Scenarios: ++An attcker needs to make an SSL request to an affected system that ++contains an invalid field. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. 
++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches ++ ++-- ++Contributors: ++Sourcefire Research Team ++Matt Watchinski ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3316.txt +@@ -0,0 +1,70 @@ ++Rule: ++ ++-- ++Sid: ++3316 ++ ++-- ++Summary: ++This rule generates an event when an attempt is made to exploit a known ++vulnerability in Microsoft RPC DCOM. ++ ++-- ++Impact: ++Execution of arbitrary code leading to full administrator access of the ++machine. Denial of Service (DoS). ++ ++-- ++Detailed Information: ++A vulnerability exists in Microsoft RPC DCOM such that execution of ++arbitrary code or a Denial of Service condition can be issued against a ++host by sending malformed data via RPC. ++ ++The Distributed Component Object Model (DCOM) handles DCOM requests sent ++by clients to a server using RPC. A malformed request to an RPC port ++will result in a buffer overflow condition that will present the ++attacker with the opportunity to execute arbitrary code with the ++privileges of the local system account. ++ ++-- ++Affected Systems: ++ Windows NT 4.0 ++ Windows NT 4.0 Terminal Server Edition ++ Windows 2000 ++ Windows XP ++ Windows Server 2003 ++ ++-- ++Attack Scenarios: ++An attacker may make a request for a file with an overly long filename ++via a network share. ++ ++-- ++Ease of Attack: ++Simple. Expoit code exists. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches. ++ ++Block access to RPC ports 135, 139 and 445 for both TCP and UDP ++protocols from external sources using a packet filtering firewall. 
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3034.txt
+@@ -0,0 +1,67 @@
++Rule:
++
++--
++Sid:
++3034
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a Samba implementation.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code.
++
++--
++Detailed Information:
++Samba is a file and print serving system for heterogenous networks. It
++is available for use as a service and client on UNIX/Linux systems and as
++a client for Microsoft Windows systems.
++
++Samba uses the SMB/CIFS protocols to allow communication between client
++and server. The SMB protocol contains many commands and is commonly used
++to control network devices and systems from a remote location. A
++vulnerability exists in the way the smb daemon processes commands sent by
++a client system when accessing resources on the remote server.The problem
++exists in the allocation of memory which can be exploited by an attacker
++to cause an integer overflow, possibly leading to the execution of
++arbitrary code on the affected system with the privileges of the user
++running the smbd process.
++
++--
++Affected Systems:
++ Samba 3.0.8 and prior
++
++--
++Attack Scenarios:
++An attacker needs to supply specially crafted data to the smb daemon to
++overflow a buffer containing the information for the access control lists
++to be applied to files in the smb query.
++
++--
++Ease of Attack:
++Difficult.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1919.txt
+@@ -0,0 +1,59 @@
++Rule:
++--
++Sid:
++1919
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a buffer overflow or denial of service vulnerability associated with FTP CWD command.
++
++--
++Impact:
++Remote access or denial of service. A successful attack can cause a denial of service or allow remote execution of arbitrary commands with privileges of the process running the FTP server.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit various vulnerabilities associated with the FTP CWD command of different FTP servers. It is possible to cause a denial of service attack or gain remote access to execute arbitrary commands with the privileges of the process running the FTP server by sending an overly long argument with the FTP CWD command.
++
++--
++Affected Systems:
++Hosts running BlackMoon FTP Server 1.0 through 1.5.
++Hosts running Argosoft FRP server 1.0.
++Hosts running TYPSoft FTP Server 0.7x.
++
++--
++Attack Scenarios:
++An attacker can supply an overly long file argument with the CWD command, causing a denial of service or buffer overflow.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Judy Novak
++
++--
++Additional References:
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0126
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1194
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1035
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/386.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid:
++386
++
++--
++Summary:
++This event is generated when an internal server replies to an external request for network subnet mask information, which may allow an attacker to learn information about the network for use in later attacks.
++
++--
++Impact:
++Information gathering.
++
++--
++Detailed Information:
++If an attacker sends an ICMP request to an internal server for address mask information (SID 388 should trigger when this activity is seen), an internal server may reply with subnet mask information. This can provide an attacker with information about subnet mask configuration that can be useful for future attacks.
++
++--
++Affected Systems:
++Any system that responds to ICMP address mask requests.
++
++--
++Attack Scenarios:
++An attacker can send an ICMP request for subnet mask information to the internal network. The server replies, providing the attacker with information about network subnet configuration.
++
++--
++Ease of Attack:
++Simple. Tools that use this method of information gathering are freely available.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Use a packet filtering firewall that restricts ICMP type 17 (address mask requests) from entering the protected network, and restricts ICMP type 18 packets (address mask replies) from exiting the protected network.
++
++--
++Contributors:
++Original rule writer unknown
++Sourcefire Research Team
++Matthew Watchinski
++Sourcefire Technical Publications Team
++Jen Harvey
++
++--
++Additional References:
++
++CVE
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0524
++
++ArachNIDS
++http://www.whitehats.com/cgi/arachNIDS/Show?_id=ids216
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000168.txt
+@@ -0,0 +1,59 @@
++Rule:
++
++--
++Sid:
++100000168
++
++--
++Summary:
++The password-cracking tool Hydra has been detected in HTTP traffic.
++
++--
++Impact:
++An attacker may be attempting to break into one or more web servers monitored
++by Snort via a brute-force password attack. If successful, the attacker may
++gain unauthorized access to internal networks.
++
++--
++Detailed Information:
++Hydra is a password-cracking tool released by a group of security experts
++called THC, "The Hacker's Choice." Requests sent by this tool to a web server
++contain the User-Agent string "Mozilla/4.0 (Hydra)". Since normal browsers'
++User-Agent strings do not contain the string "(Hydra)", the presence of this
++string indicates that the Hydra tool is likely being used.
++
++--
++Affected Systems:
++Any system running a web server.
++
++--
++Attack Scenarios:
++Attackers will use the Hydra password-cracking tool.
++
++--
++Ease of Attack:
++Simple, as the program is publicly available and is well-documented.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Check system logs and Snort alert logs for suspicious activity, particularly
++unusual logons. Ensure that secure passwords are being used throughout your
++network.
++
++--
++Contributors:
++rmkml
++Sourcefire Research Team
++
++--
++Additional References
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000146.txt
+@@ -0,0 +1,62 @@
++Rule:
++
++--
++Sid:
++100000146
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a
++directory traversal associated with Imail Web Calendaring
++servicel
++
++--
++Impact:
++A successful attack can permit a user to navigate outside
++of the web root directory and read files.
++
++--
++Detailed Information:
++The Imail Web Calendaring Server does not properly sanitize
++a malformed URL that contains directory traversal characters.
++This vulnerability is associated with static objects identified
++by names ending in .jsp, .jpg, .gif, .wav, .css, or .htm. This
++can permit an unauthorized user to examine files that may contain
++sensitive information.
++
++--
++Affected Systems:
++Ipswitch IMail Server 8.2 and prior
++Ipswitch IMail Server 8.15 and prior
++
++--
++Attack Scenarios:
++An attacker send a URI containing a directory traversal to view
++sensitive files on a vulnerable server.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Upgrade to the most current non-affected version of the product.
++
++--
++Contributors:
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References
++Other:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/355.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++355
++
++--
++Summary:
++This event is generated when a password of "wh00t" is used to login to an File Transfer Protocol (FTP) server.
++
++--
++Impact:
++Remote root access. The attack may indicate that the FTP server has been compromised.
++
++--
++Detailed Information:
++The password "wh00t" is a common backdoor password associated with a compromised root account.
If this password is observed, it may indicate that the FTP server has been compromised and a backdoor root account with a password of "wh00t" has been created. Alternately, this may indicate a failed attempt of an attacker attempting to locate FTP servers compromised by others.
++
++--
++Affected Systems:
++FTP servers.
++
++--
++Attack Scenarios:
++An attacker may compromise a host and create a backdoor account. An attacker may attempt to locate FTP servers with a backdoor account.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++It is very remotely possible that a legitimate password of "wh00t" exists.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Examine the suspected compromised host for unauthorized changes.
++
++Make sure that the suspected compromised host has all security patches applied.
++
++Log activity to and from the suspected compromised host.
++
++Examine other systems on the network for evidence of compromise.
++
++If a compromised is discovered, reinstall the operating system.
++
++--
++Contributors:
++Orignal rule written by Ron Gula
++Documented by Steven Alexander
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++Arachnids:
++http://www.whitehats.com/info/IDS324
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000550.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++100000550
++--
++Summary:
++This event is generated when an attempt is made to access the file "comment.php
++which contains known vulnerabilities in the "Project Eros BBSEngine"
++application running on a webserver.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to access a file with known
++vulnerabilities from a remote machine used by the "Project Eros BBSEngine"
++application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Project Eros BBSEngine
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3428.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3428
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1571.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++1571
++
++--
++Summary:
++This event is generated when an attempt is made to execute a directory
++traversal attack.
++
++--
++Impact:
++Information disclosure. This is a directory traversal attempt which can
++lead to information disclosure and possible exposure of sensitive
++system information.
++
++--
++Detailed Information:
++Directory traversal attacks usually target web, web applications and ftp
++servers that do not correctly check the path to a file when requested by
++the client.
++
++This can lead to the disclosure of sensitive system information which may
++be used by an attacker to further compromise the system.
++
++--
++Affected Systems:
++
++--
++Attack Scenarios:
++An authorized user or anonymous user can use the directory traversal
++technique, to browse folders outside the ftp root directory. Information
++gathered may be used in further attacks against the host.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Upgrade the software to the latest non-affected version.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/658.txt
+@@ -0,0 +1,59 @@
++Rule:
++
++--
++Sid:
++658
++
++--
++Summary:
++This event is generated when a denial of service is attempted on a Microsoft Exchange mail server.
++
++--
++Impact:
++Denial of service. This will cause the Exchange server to fail.
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft Exchange 5.5 that causes a denial of service if a MIME header contains the string 'charset = ""'. The Exchange server does not properly handle this MIME header string, causing it to crash.
++
++--
++Affected Systems:
++Microsoft Exchange server 5.5
++
++--
++Attack Scenarios:
++An attacker can supply a malicious string in the MIME header causing the Exchange server to fail.
++
++--
++Ease of Attack:
++Easy. An attacker can telnet to port 25 of the Exchange server, start a dialogue with the server, and supply the malicious string in the MIME header.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Apply the appropriate patch or upgrade to Exchange 5.5 service Pack 4.
++
++--
++Contributors:
++Original rule writer unknown
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++Microsoft:
++http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-082.asp
++
++Miscellaneous:
++http://packetstormsecurity.nl/0011-exploits/exchange.dos.txt
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000778.txt
+@@ -0,0 +1,56 @@
++
++
++Rule:
++
++--
++Sid:
++100000778
++--
++Summary:
++This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "PHPMailList" application running on a webserver.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "email" parameter in the "maillist.php" script used by the "PHPMailList" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
++
++--
++Affected Systems:
++All systems running CGI applications using PHPMailList
++--
++Attack Scenarios:
++An attacker can supply a malicious link designed to steal information from a user clicking on that link.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++The Cross Site Scripting (XSS) FAQ
++http://www.cgisecurity.com/articles/xss-faq.shtml
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000500.txt
+@@ -0,0 +1,72 @@
++Rule:
++
++--
++Sid:
++100000500
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "PictureDis" application running on a webserver.
++Access to the file "wpfiles.php" using a remote file being passed as the "lang"
++parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "lang" parameter in the "wpfiles.php" script used by the
++"PictureDis" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using PictureDis
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2177.txt
+@@ -0,0 +1,63 @@
++Rule:
++
++--
++Sid:
++2176
++
++
++--
++Summary:
++This event is generated when an attempt is made to access a system
++folder via SMB.
++
++--
++Impact:
++Serious. This folder contains important operating system information.
++
++--
++Detailed Information:
++This event indicates that an attempt was made to access a folder
++containing important operating system files using SMB across the
++network.
++
++--
++Affected Systems:
++Microsoft Windows systems.
++
++--
++Attack Scenarios:
++If this folder is accessible via SMB the attacker can replace or view
++important operating system files.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Check the host for signs of system compromise.
++
++Turn off file and print sharing on the target host.
++
++Use a packet filtering firewall to disallow SMB access to the host from
++sources external to the protected network.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2495.txt
+@@ -0,0 +1,61 @@
++Rule:
++
++--
++Sid:
++2495
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the Microsoft RPC service.
++
++--
++Impact:
++Denial of Service (DoS). Possible execution of arbitrary code leading to
++unauthorized remote access to the victim host.
++
++--
++Detailed Information:
++It may be possible for an attacker to cause a DoS condition in the
++Microsoft RPC service when multiple simultaneous requests are made to a
++vulnerable host. This can lead to an exhaustion of system resources
++causing the DoS.
++
++--
++Affected Systems:
++ Windows systems running RPC services
++
++--
++Attack Scenarios:
++An attacker may attempt to bind to the RPC service many times in an
++attempt to cause the DoS condition to occur.
++
++--
++Ease of Attack:
++Difficult.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++Apply the appropriate vendor supplied patches
++
++--
++Contributors:
++Sourcefire Research Team
++Matt Watchinski
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3343.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3343
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000315.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++100000315
++
++--
++Summary:
++This event is generated when an HTTP client issues a PUT request to upload
++a document into the web content area.
++
++--
++Impact:
++The PUT method is a legitimate HTTP command that allows an authorized user
++to upload a document into the web content tree. It is most often associated
++with the WebDAV content management protocol.
++
++Although there are some legitimate uses for the PUT method, it is also a
++frequent source of web site defacement, as attackers can easily abuse
++misconfigured web servers that allow unrestricted PUT functionality from
++arbitrary users.
++
++--
++Detailed Information:
++The rule searches for HTTP requests using the PUT method, and tracks
++these sessions. The rule is intended to be used with SID 100000316 to
++track successful PUT requests, which may represent successful defacement
++attacks, instead of all PUT requests.
++
++Administrators who wish to track all PUT requests (successful or not) should
++remove the "flowbits:noalert;" section of this rule.
++
++--
++Affected Systems:
++Any web server
++
++--
++Attack Scenarios:
++An attacker can issue a PUT reuqest via a script, many different pieces of
++software, or through a manual connection to any web server port.
++
++--
++Ease of Attack:
++Simple. Numerous tools exist for creating PUT requests, including some geared
++specifically towards web site defacement.
++
++--
++False Positives:
++Organizations that use WebDAV to manage their web content may experience
++false positives, as the PUT method is a normal part of the WebDAV protocol.
++Additionally, any other legitimate web applications which use the PUT method
++will generate false positives.
++
++--
++False Negatives:
++None
++
++--
++Corrective Action:
++In cases of web site defacement, delete the newly-created file(s) and/or
++restore them from a reliable backup. In all cases, be sure to tune web server
++configuration to allow PUT requests only where necessary for a legitimate web
++application to function.
++
++--
++Contributors:
++David J.
Bianco,
++
++--
++Additional References:
++http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.6
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2378.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++2378
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Checkpoint VPN-1.
++
++--
++Impact:
++Unauthorized administrative access to Checkpoint VPN-1 systems
++
++--
++Detailed Information:
++Checkpoint VPN-1, SecuRemote and SecureClient contain an error that
++affects the processing of large Certificate requests to the VPN service.
++By sending a large amount of data in the Certificate Request payload an
++attacker may cause a buffer overflow condition to occur, presenting an
++opportunity to execute code of their choosing with the privileges of the
++user running the service, usually root.
++
++--
++Affected Systems:
++ CheckPoint Software FW-1 1.4.1 Service packs prior to SP6
++ CheckPoint Software FW-1 Next Generation FP1, FP0
++ CheckPoint Software VPN-1 1.4.1 SP5a
++ CheckPoint Software VPN-1 Next Generation FP1, FP0
++
++--
++Attack Scenarios:
++An attacker could supply a large Certificate Request payload containing
++code to be executed on the system.
++
++--
++Ease of Attack:
++Proof of concept code exists.
++
++--
++False Positives:
++None known
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software
++
++Apply the appropriate vendor supplied patches
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3172.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3172
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/642.txt
+@@ -0,0 +1,62 @@
++Rule:
++
++--
++Sid: 642
++
++--
++Summary:
++This event is generated when a buffer overflow attack is attempted against a target machine.
++
++--
++Impact:
++Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.
++
++
++--
++Detailed Information:
++This rule tracks the bit combination which may occur in network packets aimed at overflowing HP-UX UNIX network services.
The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
++
++A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule.
++
++--
++Attack Scenarios:
++An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.
++
++--
++Ease of Attack:
++Simple
++
++
++--
++False Positives:
++This event may be generated by legitimate traffic to the specified port.
++
++
++--
++False Negatives:
++This event is specific to the shell code defined in the rule.
++Other shell code sequences may not be detected.
++
++--
++Corrective Action:
++Check the target host for other signs of compromise.
++
++Look for other events concerning the target host.
++
++Apply vendor supplied patches and keep the operating system up to date.
++
++--
++Contributors:
++Original Rule Writer Unkown
++Snort documentation contributed by Anton Chuvakin
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Arachnids:
++http://www.whitehats.com/info/IDS358
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000445.txt
+@@ -0,0 +1,61 @@
++
++
++Rule:
++
++--
++Sid:
++100000445
++
++--
++Summary:
++Particle Gallery is susceptible to an injection attack due to a lack
++of input validation on the imageid variable used in the viewimage.php
++component.
++
++--
++Impact:
++The injection attack could result in data leakage, or potential remote
++compromise.
++
++--
++Detailed Information:
++Particle Gallery is prone to an SQL-injection vulnerability. This issue is due
++to a failure in the application to properly sanitize user-supplied input
++before using it in an SQL query.
++
++A successful exploit could allow an attacker to compromise the application,
++access or modify data, or exploit vulnerabilities in the underlying database
++implementation.
++
++The data type assigned to the column referenced by the variable is int, so
++there should never be any text or characters outside of the int used to
++identify the image.
++
++--
++Attack Scenarios:
++Variable manipulation can be done with any browser.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Edit code and add input validation.
++
++--
++Contributors:
++Dan Ramaswami
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1012.txt
+@@ -0,0 +1,62 @@
++Rule:
++
++--
++Sid:
++1012
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a web server running Microsoft Internet Information
++Server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases. Denial of
++Service is possible.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running Microsoft Internet Information Server (IIS). Many known
++vulnerabilities exist for this platform and the attack scenarios are
++legion.
++
++--
++Affected Systems:
++ All systems running Microsoft IIS
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Many exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1238.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1238
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1577.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1577
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/385.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++385
++
++--
++Summary:
++This event is generated when a Windows traceroute (tracert) is detected.
++
++--
++Impact:
++Information gathering. A traceroute can be used to discover live hosts and network topologies.
++
++--
++Detailed Information:
++A Windows traceroute command uses an ICMP echo request with a lower than normal Time to Live (TTL) value to identify live hosts and network topolgies. The TTL value is manipulated by the sending host to discover all routers traversed from the source host to the destination host. Eventually, a TTL value of 1 is observed, which elicits an ICMP error message of time exceeded in-transit. A router sends this ICMP error message to the host running traceroute. The traceroute host will record this as a router and continue to incrementally manipulate the TTL until the destination host is reached.
++
++Additionally There are at least three different implementations of
++traceroute. In one implementation traceroute works by sending an ICMP
++Echo Request packet to a destination host with a TTL value of 1. If the
++host is more than one hop away, the first route that receives the back
++will send back an ICMP packet indicating that the TTL was exceeded. The
++address of this router is then listed as the first hop. The packet is
++then sent out again with a TTL of 2. This continues until the
++destination host is able to reply or some maximum TTL value is reached.
++
++The other two implementations use the same TTL-based concept with an
++ICMP type of 30(traceroute) or with an UDP packet destined for an
++ephemeral port.
++
++--
++Affected Systems:
++All
++
++--
++Attack Scenarios:
++An attacker may use a traceroute to discover live hosts and routers on a target network in preparation for an attack.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++The traceroute command may be used to legitimately troubleshoot networking problems.
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Block inbound ICMP echo requests.
++
++--
++Contributors:
++Original Rule Writer Max Vision
++Sourcefire Research Team
++Judy Novak
++Nigel Houghton
++Snort documentation contributed by by Steven Alexander
++
++--
++Additional References:
++
++Arachnids:
++http://www.whitehats.com/info/IDS118
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1961.txt
+@@ -0,0 +1,58 @@
++Rule:
++
++--
++Sid:
++1961
++
++--
++Summary:
++This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) rquotad is listening.
++
++
++--
++Impact:
++Information disclosure. This request is used to discover which port rquotad is using. Attackers can also learn what versions of the rquotad protocol are accepted by rquotad.
++
++--
++Detailed Information:
++The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as rquotad run. The rquotad RPC service can be queried for user disk usage and the limits of a local file system which is mounted by a remote machine over NFS. A vulnerability associated with rquotad may permit the execution of arbitrary commands with the privileges of root.
++
++--
++Affected Systems:
++All hosts running the UNIX portmapper.
++
++--
++Attack Scenarios:
++An attacker can query the portmapper to discover the port where rquotad runs. This may be a precursor to accessing rquotad.
++
++--
++Ease of Attack:
++Easy.
++
++--
++False Positives:
++If a legitimate remote user is allowed to access rquotad, this rule may trigger.
++
++--
++False Negatives:
++This rule detects probes of the portmapper service for rquotad, not probes of the rquotad service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the rquotad service itself. An attacker may attempt to go directly to the rquotad port without querying the portmapper service, which would not trigger the rule.
++
++--
++Corrective Action:
++Limit remote access to RPC services.
++
++Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
++
++Disable unneeded RPC services.
++
++--
++Contributors:
++Original rule written by Max Vision
++Modified by Brian Caswell
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/227.txt
+@@ -0,0 +1,56 @@
++Rule:
++--
++Sid:
++227
++
++--
++Summary:
++This event is generated when a Stacheldraht handler attempts to confirm that an agent has the ability to spoof a source IP.
++
++--
++Impact:
++Severe. This indicates that a Stacheldraht agent exists on the destination host.
++
++--
++Detailed Information:
++The Stacheldraht DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack.
++
++There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack. In order for an agent host to make a good participant in a distributed denial of service, it must be able to spoof source IPs to elude detection. After a host becomes an agent, a test is conducted to see whether the agent can spoof a source IP. If the handler receives such a communication from the agent, it responds with an ICMP echo request with an ICMP identification number of 1000 and a content of "spoofworks" in the payload.
++
++--
++Affected Systems:
++Any Stacheldraht compromised host.
++
++--
++Attack Scenarios:
++A host on which a Stacheldraht agent has been installed will attempt to send a packet with a spoofed source IP to the handler. If the handler receives this communication, it will reply to the agent informing it that all 32 bits of source IP of DDoS traffic can be spoofed.
++
++--
++Ease of Attack:
++Simple. Stacheldraht code is freely available.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Use egress filtering in your network to prevent traffic leaving your network that is not part of the internal address space so source IPs cannot be spoofed.
++
++--
++Contributors:
++Original rule written by Max Vision
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++Arachnids:
++http://www.whitehats.com/info/IDS192
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/497.txt
+@@ -0,0 +1,56 @@
++Rule:
++
++--
++Sid: 497
++
++--
++Summary:
++This event is generated by the successful completion of a file transfer operation. This may be indicative of post-compromise behavior indicating the use of a Windows command shell for copying files.
++
++--
++Impact:
++Serious. An attacker may have the ability to transfer files from the victim host.
++
++--
++Detailed Information:
++This event indicates that a file was successfully copied using Windows command line shell. The string "1 file(s) copied" is shown after the successful completion of a Windows "copy" command.
++
++Seeing this response in HTTP traffic indicates that an attacker may have been able to spawn a shell bound to a web port and has successfully executed the copy command. Note that the source address of this event is actually the victim and not that of the attacker.
++
++--
++
++Attack Scenarios:
++An attacker gains an access to a Windows web server via an IIS vulnerability and then copies "cmd.exe" into the directory accessible by the web server, thus creating a backdoor to access the system.
++
++--
++
++Ease of Attack:
++Simple. This may be post-attack behavior and can be indicative of the successful exploitation of a vulnerable system.
++
++--
++
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++
++Corrective Action:
++Investigate the web server for other signs of compromise
++
++Look for other events generated by the same IP addresses.
++
++--
++Contributors:
++Original rule writer unknown
++Snort documentation contributed by Anton Chuvakin
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3270.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3270
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000463.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++100000463
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Joomla" application running on a webserver.
++Access to the file "joomla.php" using a remote file being passed as the
++"includepath" parameter may indicate that an exploitation attempt has been
++attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "includepath" parameter in the "joomla.php" script used
++by the "Joomla" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Joomla
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/372.txt
+@@ -0,0 +1,56 @@
++Rule:
++
++--
++Sid:
++372
++
++--
++Summary:
++This event is generated when an ICMP echo request is made from a Windows host running Delphi software.
++
++--
++Impact:
++Information gathering. An ICMP echo request can determine if a host is active.
++
++--
++Detailed Information:
++An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows host running Delphi software contains a unique payload in the message request.
++
++--
++Affected Systems:
++All
++
++--
++Attack Scenarios:
++An attacker may attempt to determine live hosts in a network prior to launching an attack.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++An ICMP echo request may be used to legimately troubleshoot networking problems.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Block inbound ICMP echo requests.
++
++--
++Contributors:
++Original rule written by Max Vision
++Documented by Steven Alexander
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++Arachnids:
++http://www.whitehats.com/info/IDS155
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3160.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3160
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1144.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1144
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3235.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3235
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1564.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1564
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2825.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2825
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure validate_flavor_definition
++. This procedure is included in
++sys.dbms_repcat_fla.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2389.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2389
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a buffer
++overflow vulnerability associated with WuFtpd RNTO command.
++
++--
++Impact:
++Remote access. A successful attack may permit the remote execution of
++arbitrary commands with system privileges.
++
++--
++Detailed Information:
++WuFtpd is an FTP server based on BSD ftpd. A vulnerability exists
++with the RNTO command that can cause a buffer overflow and permit the
++execution of arbitrary commands with system privileges. The buffer
++overflow can be caused by supplying an overly long argument to the RNTO
++command.
++
++The issue exists in the realpath() function. It is possible for an
++attacker to send malformed data to the realpath() function that will
++cause the overflow condition to occur.
++
++--
++Affected Systems:
++ Multiple systems using affected C libraries, libc
++
++--
++Attack Scenarios:
++An attacker can use one of the publicly available exploit scripts to
++cause the overflow to occur.
++
++--
++Ease of Attack:
++Simple. Many exploits exist.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++Use scp as an alternative to ftp
++
++Disallow ftp access to internal resources from external sources
++
++Recompile binaries statically linked to the system libc implementation
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1857.txt
+@@ -0,0 +1,64 @@
++Rule:
++--
++Sid:
++1857
++--
++Summary:
++This event is generated when a client is requesting the file "robot.txt"
++from a web server.
++
++--
++Impact:
++Information Disclosure. This file may contain data that could provide an
++attacker with information that could assist in an attack on the server.
++
++--
++Detailed Information:
++In the early days of the web, when search engines first began indexing
++sites, it was often desirable to tell the indexing programs, referred
++to as robots, not to index certain parts of a site. A standarized
++method of accomplishing this was created; by placing a file called
++"robot.txt" or "robots.txt" in the root of your web site which search
++engines could read and which would tell them what parts of your site you
++did not want indexed. However, this file can also be very valuable to
++potential attackers if it contains information such as restricted
++directories, cgi-bin locations, etc.
++
++--
++Affected Systems:
++Any web site that uses this method to communicate with robots.
++
++--
++Attack Scenarios:
++An attacker can read the "robot.txt" file and use any sensitive data in
++it to profile your site in preparation for an attack.
++
++--
++Ease of Attack:
++Simple. No exploit software required. Any browser can request a copy of
++"robot.txt" from the server.
++
++--
++False Positives:
++Many. Most automated search engine indexing programs still request this
++file prior to crawling through a web site.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure that your "robot.txt" file, if you need one, does not contain any
++sensitive data.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Snort documentation contributed by Kevin Peuhkurinen
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/297.txt
+@@ -0,0 +1,59 @@
++SID:
++297
++--
++
++Rule:
++--
++
++Summary:
++This event is triggered when an attempt is made to overflow an imapd
++server.
++--
++
++Impact:
++Commands may be run on the IMAP server as the root user, This can lead
++to a complete compromise of the targeted system
++--
++
++Detailed Information:
++Failure to check the size of the value passed to the 'AUTHENTICATE'
++command on certain IMAPD implementations can lead to a buffer overflow.
++This in turn can allow arbitrary commands to be executed on the server.
++--
++
++Affected Systems:
++ Netscape Messaging Server 3.55, University of Washington imapd 10.234
++--
++
++Attack Scenarios:
++An attacker may attempt to exploit a vulnerable imapd server, permitting
++the execution of arbitrary commands possibly with the privilege of user
++"root".
++--
++
++Ease of Attack:
++Simple. Sample exploit code is available.
++--
++
++False Positives:
++None known
++--
++
++False Negatives:
++None known
++--
++
++Corrective Action:
++Vendors have provided updated versions, upgrading will resolve this problem
++--
++
++Contributors:
++Snort documentation contributed by matthew harvey
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1729.txt
+@@ -0,0 +1,53 @@
++Rule:
++
++--
++Sid: 1729
++
++--
++Summary:
++This event is generated when activity relating to network chat clients is detected.
++
++--
++Impact:
++Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.
++
++--
++Detailed Information:
++Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall.
++
++Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host.
++
++--
++Attack Scenarios:
++A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client.
++
++An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++IRC Protocol
++http://www.irchelp.org/irchelp/rfc/
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/973.txt
+@@ -0,0 +1,59 @@
++Rule:
++
++--
++Sid:
++973
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a buffer overflow associated with a file with a .idc extension.
++
++--
++Impact:
++Remote access. This attack may permit the execution of arbitrary commands on the victim server.
++
++--
++Detailed Information:
++Microsoft Internet Information Service (IIS) supports files extensions including .idc that call the ISM.DLL. A buffer overflow vulnerability exists in ISM.DLL code when it receives a malformed request, permitting the execution of arbitrary code.
++
++--
++Affected Systems:
++IIS 4.0 hosts
++
++--
++Attack Scenarios:
++An attacker can send a malformed request of a .idc file that causes a buffer overflow.
++
++--
++Ease of Attack:
++Simple. Exploit code is freely available.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Upgrade to a more current version of IIS.
++
++--
++Contributors:
++Original rule writer unknown
++Modified by Brian Caswell
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++CVE
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0874
++
++Bugtraq:
++http://www.securityfocus.com/bid/307
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2506.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid:
++2506
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the Microsoft implementation of SSL Version 3.
++
++--
++Impact:
++Denial of Service (DoS).
++--
++Detailed Information:
++A vulnerability exists in the handling of SSL Version 3 requests that
++can be manipulated to cause a DoS condition in various software
++implementations used on Microsoft operating systems.
++
++The condition exists because of poor error handling routines in the
++Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
++invalid field, sent to vulnerable systems can cause the affected host to stop
++handling any further requests.
++
++--
++Affected Systems:
++ Microsoft Windows 2000, 2003 and XP systems using SSL
++
++--
++Attack Scenarios:
++An attcker needs to make an SSL request to an affected system that
++contains an invalid field.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++--
++Contributors:
++Sourcefire Research Team
++Matt Watchinski
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3220.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3220
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1072.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++1072
++
++--
++Summary:
++This event is generated when an attempt is made to execute a directory
++traversal attack.
++
++--
++Impact:
++Information disclosure. This is a directory traversal attempt which can
++lead to information disclosure and possible exposure of sensitive
++system information.
++
++--
++Detailed Information:
++Directory traversal attacks usually target web, web applications and ftp
++servers that do not correctly check the path to a file when requested by
++the client.
++
++This can lead to the disclosure of sensitive system information which may
++be used by an attacker to further compromise the system.
++
++--
++Affected Systems:
++
++--
++Attack Scenarios:
++An authorized user or anonymous user can use the directory traversal
++technique, to browse folders outside the ftp root directory. Information
++gathered may be used in further attacks against the host.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Upgrade the software to the latest non-affected version.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/640.txt
+@@ -0,0 +1,59 @@
++Rule:
++
++--
++Sid: 640
++
++--
++Summary:
++This event is generated when a buffer overflow attack is attempted against a target machine.
++
++--
++Impact:
++Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.
++
++
++--
++Detailed Information:
++This rule tracks the bit combination which may occur in network packets aimed at overflowing IRIX MIPS network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
++
++A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule.
++
++--
++Attack Scenarios:
++An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.
++
++--
++Ease of Attack:
++Simple
++
++
++--
++False Positives:
++This event may be generated by legitimate traffic to the specified port.
++
++
++--
++False Negatives:
++This event is specific to the shell code defined in the rule.
++Other shell code sequences may not be detected.
++
++--
++Corrective Action:
++Check the target host for other signs of compromise.
++
++Look for other events concerning the target host.
++
++Apply vendor supplied patches and keep the operating system up to date.
++
++--
++Contributors:
++Original Rule Writer Unkown
++Snort documentation contributed by Anton Chuvakin
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1288.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1288
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a web server running Microsoft FrontPage
++Server Extensions.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases. Denial of
++Service is possible.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running Microsoft FrontPage Server Extensions. Many known
++vulnerabilities exist for this platform and the attack scenarios are
++legion. In particular this rule generates events when the directory
++_vti_bin is accessed. This directory contains sensitive files that may
++be utilized in an attack against the server.
++
++--
++Affected Systems:
++ All systems running Microsoft FrontPage Server Extensions
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Many exploits exist.
++
++--
++False Positives:
++A user who is using the "discuss" toolbar in Microsoft Internet Explorer
++may inadvertently generate an event from this rule, due to the browser
++making a check for Office Server Extensions. See this URI for more
++details.
++
++ http://www.webmasterworld.com/forum39/2158.htm
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000484.txt
+@@ -0,0 +1,63 @@
++Rule:
++
++--
++Sid:
++100000484
++--
++Summary:
++This event is generated when an attempt is made to exploit a cross site
++scripting vulnerability in the "Confixx" application running on a webserver.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to exploit a cross site
++scripting vulnerability via the "lpath" parameter in the "ftp_index.php" script
++used by the "Confixx" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to retrieve sensitive data, execute system binaries
++or malicious code of the attackers choosing.
++
++--
++Affected Systems:
++All systems running CGI applications using Confixx
++--
++Attack Scenarios:
++An attacker can supply a malicious link designed to steal information from a
++user clicking on that link.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++The Cross Site Scripting (XSS) FAQ
++http://www.cgisecurity.com/articles/xss-faq.shtml
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000713.txt
+@@ -0,0 +1,55 @@
++
++
++Rule:
++
++--
++Sid:
++100000713
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "roster.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "roster.php" script used by the "PHPRaid" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using PHPRaid
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/609.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid: 609
++
++--
++Summary:
++This event is generated due to the use of a suspicious login attempt
++
++--
++Impact:
++Serious. If successful the attacker may have gained superuser access to the host.
++
++--
++Detailed Information:
++This rule generates an event when a connection is made using "rsh" whilst passing the parameter "-froot".
++
++A bug in some implementations of the "rsh" daemon software allowed remote root access using the "-froot" parameter for the "rsh command"
++
++--
++Attack Scenarios:
++If a UNIX machine has the "rsh" service running and is vulnerable to this bug, in can be exploited simply by running the "rsh" command with "-froot" flag. For example, rlogin host.foo.com -l -froot
++
++--
++Ease of Attack:
++Simple, no exploit software required
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Investigate logs on the target host for further details and more signs of suspicious activity
++
++Use ssh for remote access instead of rlogin.
++
++Disable the "rsh" service if not used, apply a patch if appropriate.
++
++--
++Contributors:
++Original rule by Max Vision modified from a signature written by Ron Gula
++Snort documentation contributed by Anton Chuvakin
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0113
++
++Arachnids:
++http://www.whitehats.com/info/IDS387
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000555.txt
+@@ -0,0 +1,63 @@
++Rule:
++
++--
++Sid:
++100000555
++--
++Summary:
++This event is generated when an attempt is made to exploit a cross site
++scripting vulnerability in the "VebiMiau" application running on a webserver.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to exploit a cross site
++scripting vulnerability via the "lid" parameter in the "error.php" script used
++by the "VebiMiau" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to retrieve sensitive data, execute system binaries
++or malicious code of the attackers choosing.
++
++--
++Affected Systems:
++All systems running CGI applications using VebiMiau
++--
++Attack Scenarios:
++An attacker can supply a malicious link designed to steal information from a
++user clicking on that link.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++The Cross Site Scripting (XSS) FAQ
++http://www.cgisecurity.com/articles/xss-faq.shtml
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/158.txt
+@@ -0,0 +1,103 @@
++Rule:
++
++--
++Sid:
++152, 157-158
++
++--
++Summary:
++Backdoor.Backconstruction is a Trojan Horse.
++
++--
++Impact:
++Possible theft of data via download, upload of files, execution of files
++and reboot the targeted machine.
++
++--
++Detailed Information:
++This Trojan affects the following operating systems:
++
++ Windows 95
++ Windows 98
++ Windows ME
++
++The Trojan changes system registry settings to add the Backconstruction
++sever to programs normally started on boot. Due to the nature of this
++Trojan it is unlikely that the attacker's client IP address has been
++spoofed.
++
++ SID Message
++ --- -------
++ 152 BackConstruction 2.1 Connection (outgoing TCP
++connection)
++ 157 BackConstruction 2.1 Client FTP Open Request (incoming
++TCP connection)
++ 158 BackConstruction 2.1 Server FTP Open Reply (outging TCP
++connection)
++
++This Trojan is commonly used to install other Trojan programs.
++
++--
++Attack Scenarios:
++This Trojan may be delivered to the target in a number of ways. This
++event is indicative of an existing infection being activated. Initial
++compromise can be in the form of a Win32 installation program that may
++use the extension ".jpg" or ".bmp" when delivered via e-mail for
++example.
++
++--
++Ease of Attack:
++This is Trojan activity, the target machine may already be compromised.
++Updated virus definition files are essential in detecting this Trojan.
++
++The Trojan server is located at :\WINDOWS\Cmctl32.exe
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++
++Edit the system registry to remove the extra keys or restore a
++previously known good copy of the registry.
++
++Affected registry keys are:
++
++ HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
++
++Registry keys added are:
++
++ Shell = ":\WINDOWS\Cmctl32.exe"
++
++Removal of this entry is required.
++
++Delete the file :\WINDOWS\Cmctl32.exe
++
++Ending the Trojan process is also necessary. A reboot of the infected
++machine is recommended.
++
++--
++Contributors:
++Original Rule Writer Max Vision
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Whitehats arachNIDS
++http://www.whitehats.com/info/IDS505
++
++Dark-e:
++http://www.dark-e.com/archive/trojans/backc/21/index.shtml
++
++Pest Patrol:
++www.pestpatrol.com/PestInfo/b/back_construction.asp
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3443.txt
+@@ -0,0 +1,54 @@
++Rule:
++
++--
++Sid:
++3443
++
++--
++Summary:
++This rule does not generate an event. It is used in conjunction with
++other rules to reduce the possibility of false postives from occuring.
++
++--
++Impact:
++Unknown.
++
++--
++Detailed Information:
++This rule does not generate an event. It is used in conjunction with
++other rules to reduce the possibility of false postives from occuring.
++
++--
++Affected Systems:
++ NA
++
++--
++Attack Scenarios:
++NA
++
++--
++Ease of Attack:
++NA
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++NA
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2892.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2892
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure drop_priority_nvarchar2
++. This procedure is included in
++sys.dbms_repcat_conf.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000648.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++100000648
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Indexu" application running on a webserver.
++Access to the file "whos.php" using a remote file being passed as the
++"admin_template_path" parameter may indicate that an exploitation attempt has
++been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "admin_template_path" parameter in the "whos.php" script
++used by the "Indexu" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Indexu
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000510.txt
+@@ -0,0 +1,75 @@
++Rule:
++
++--
++Sid:
++100000510
++--
++Summary:
++This event is generated when an attempt is made to exploit an SQL injection
++vulnerability in the "VBZoom" application running on a webserver. Access to the
++file "rank.php" with SQL commands being passed as the "MemberID" parameter may
++indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to inject SQL code from a
++remote machine via the "MemberID" parameter in the "rank.php" script used by
++the "VBZoom" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to compromise the database backend for the
++application, the attacker may also be able to execute system binaries or
++malicious code of their choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using VBZoom
++--
++Attack Scenarios:
++An attacker can inject SQL commands to the backend database for an application
++if user input is not correctly sanitized or checked before passing that input
++to the database.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++SQL Injection Attack and Defense
++http://www.securitydocs.com/library/3587
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/898.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++898
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2669.txt
+@@ -0,0 +1,62 @@
++Rule:
++
++--
++Sid:
++2669
++
++--
++Summary:
++This event is generated when an attempt is made to access the file
++ibillpm.pl.
++
++--
++Impact:
++Possible unauthorized administrative access to the victim host.
++Information disclosure.
++
++--
++Detailed Information:
++The script ibillpm.pl is used to process billing and payment via a CGI
++application over the Internet.
++
++The application suffers from a weak default password scheme that could
++be used by an attacker to take control of a user account and view
++billing details.
++
++--
++Affected Systems:
++ iBill Internet Billing Company Processing Plus
++
++--
++Attack Scenarios:
++An attacker can supply the username and default password for a user to
++the script to gain control.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Uninstall the script ibillpm.pl
++
++Only allow usage from authenticated users
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2554.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++2554
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Oracle Application Server Web Cache.
++
++--
++
++Impact:
++Serious. Possible execution of arbitrary code leading to remote
++administrative access.
++
++--
++Detailed Information:
++The Oracle Application Server Web Cache is vulnerable to a buffer
++overrun caused by poor checking of the length of an HTTP Header. If a
++large invalid HTTP Request Method is supplied to a vulnerable system, an
++attacker may be presented with the opportunity to overrun a fixed length
++buffer and subsequently execute code of their choosing on the server.
++
++--
++Affected Systems:
++Oracle Application Server Web Cache 10g 9.0.4 .0
++Oracle Oracle9i Application Server Web Cache 2.0 .0.4
++Oracle Oracle9i Application Server Web Cache 9.0.2 .3
++Oracle Oracle9i Application Server Web Cache 9.0.2 .2
++Oracle Oracle9i Application Server Web Cache 9.0.3 .1
++
++--
++
++Attack Scenarios:
++An attacker might supply an HTTP Request Method of more than 432 bytes,
++causing the overflow to occur.
++
++--
++
++Ease of Attack:
++Simple.
++
++--
++
++False Positives:
++None Known
++
++--
++False Negatives:
++This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible
++to configure the Oracle Web Cache server to run on different ports. The rule
++should be configured to reflect the appropriate ports of Oracle Web Cache
++servers on your network.
++
++--
++
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Judy Novak
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1083.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1083
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++Check the host logfiles and application logs for signs of compromise. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000820.txt +@@ -0,0 +1,56 @@ ++Rule: ++ ++-- ++Sid: ++100000820 ++-- ++Summary: ++This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "SaPHPLesson" application running on a webserver. Access to the file "add.php" with SQL commands being passed as the "forumid" parameter may indicate that an exploitation attempt has been attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to inject SQL code from a remote machine via the "forumid" parameter in the "add.php" script used by the "SaPHPLesson" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. 
Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++All systems running CGI applications using SaPHPLesson ++-- ++Attack Scenarios: ++An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++SQL Injection Attack and Defense ++http://www.securitydocs.com/library/3587 ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/1353.txt +@@ -0,0 +1,46 @@ ++Rule: ++ ++-- ++Sid: ++1353 ++ ++-- ++Summary: ++Attempted nasm command access via web. ++ ++-- ++Impact: ++Attempt to compile a binary on a host. ++ ++-- ++Detailed Information: ++This is an attempt to compiile a program source on a host. NASM is the Netwide Assembler which is capable of compiling a variety of sources on a variety of platforms into executable binary files. The attacker could possibly compile a program needed for other attacks on the system or install a binary program of his choosing. ++ ++-- ++Attack Scenarios: ++The attacker can make a standard HTTP request that contains '/bin/nasm'in the URI. ++ ++-- ++Ease of Attack: ++Simple HTTP request. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++ ++Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. This command may also be requested on a command line should the attacker gain access to the machine. 
Whenever possible, sensitive files and certain areas of the filesystem should have the system immutable flag set to prevent files from being added to the host. On BSD derived systems, setting the systems runtime securelevel also prevents the securelevel from being changed. (note: the securelevel can only be increased). ++-- ++Contributors: ++Sourcefire Research Team ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2780.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++2780 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database server. ++ ++-- ++Impact: ++Serious. Possible execution of arbitrary code and Denial of Service. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database implementation. Multiple buffer ++overflow conditions are present in numerous packages and procedures. ++ ++Exploitation of these vulnerable procedures may allow an attacker to ++execute code of their choosing as the user running the database. In the ++case of databases running on Microsoft Windows platforms, this is the ++Local System account which may mean a compromise of the operating system ++as well as the database. ++ ++This event indicates that an attempt has been made to exploit a ++vulnerability in the procedure drop_site_priority ++. This procedure is included in ++dbms_repcat. ++ ++-- ++Affected Systems: ++ Oracle Oracle9i ++ ++-- ++Attack Scenarios: ++If an attacker can supply enough data to the procedure in question, it ++may be possible to cause the overflow condition to occur and present the ++attacker with the opportunity to execute code of their choosing. ++ ++-- ++Ease of Attack: ++Simple. 
++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Alex Kirk ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1200.txt +@@ -0,0 +1,61 @@ ++Rule: ++ ++-- ++Sid: ++1200 ++ ++-- ++Summary: ++This event is generated when an invalid URL response is sent from a ++webserver to a client. ++ ++-- ++Impact: ++Information gathering and possible Denial of Service (DoS). ++ ++-- ++Detailed Information: ++This event is generated when an invalid URL response is sent from a ++webserver to a client. It is possible under some circumstances, to cause ++a DoS condition by supplying an invalid URL to a web server running an ++affected version of Microsoft IIS 4.0. Certain invalid URLs can cause ++the system to make an invalid memory request that will in turn stop the ++IIS service from running. ++ ++-- ++Affected Systems: ++ Microsoft IIS 4.0 on NT systems ++ ++-- ++Attack Scenarios: ++The attacker would merely need to make a web request using an invalid ++URL. ++ ++-- ++Ease of Attack: ++Simple. No exploit software required. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Upgrade the system to the latest non-affected version of the software. ++ ++Apply the appropriate vendor supplied patches. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1803.txt +@@ -0,0 +1,62 @@ ++Rule: ++ ++-- ++Sid: ++1803 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a web server running Microsoft Internet Information ++Server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. 
Possible unauthorized ++administrative access to the server or application. Possible execution ++of arbitrary code of the attackers choosing in some cases. Denial of ++Service is possible. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to compromise a host ++running Microsoft Internet Information Server (IIS). Many known ++vulnerabilities exist for this platform and the attack scenarios are ++legion. ++ ++-- ++Affected Systems: ++ All systems running Microsoft IIS ++ ++-- ++Attack Scenarios: ++Many attack vectors are possible from simple directory traversal to ++exploitation of buffer overflow conditions. ++ ++-- ++Ease of Attack: ++Simple. Many exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/239.txt +@@ -0,0 +1,65 @@ ++Rule: ++ ++-- ++Sid: ++239 ++ ++-- ++Summary: ++This event is generated when a DDoS Shaft handler communicates with a Shaft agent. It is also possible that this event may be generated when any host attempts to discover a Shaft agent. ++ ++-- ++Impact: ++Attempted DDoS. If the listed source IP is in your network, it may be a Shaft handler or a host attempting to discover Shaft agents. If the listed destination IP is in your network, it may be a Shaft agent. ++ ++-- ++Detailed Information: ++The Shaft DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. Handlers communicate with agents to direct them to launch attacks. A handler may communicate with an agent using a UDP packet to destination port 18753 with a content of "alive tijgu. 
This communication checks if an agent is alive and uses a default password of "tijgu". ++ ++-- ++Affected Systems: ++Any Shaft compromised host. ++ ++-- ++Attack Scenarios: ++A Shaft handler needs to discover if an agent is alive before directing it to launch an attack. ++ ++-- ++Ease of Attack: ++Simple. Shaft code is freely available. ++ ++-- ++False Positives: ++None Known. ++ ++-- ++False Negatives: ++None Known. ++ ++-- ++Corrective Action: ++Perform proper forensic analysis on the suspected compromised host to discover the means of compromise. ++ ++Rebuild a confirmed compromised host. ++ ++Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised. ++ ++ ++-- ++Contributors: ++Original rule written by Max Vision ++Sourcefire Research Team ++Judy Novak ++ ++-- ++Additional References: ++ ++Arachnids: ++http://www.whitehats.com/info/IDS255 ++ ++Miscellaneous: ++http://biocserver.cwru.edu/~jose/shaft_analysis/ ++ ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2999.txt +@@ -0,0 +1,66 @@ ++Rule: ++ ++-- ++Sid: ++2999 ++ ++-- ++Summary: ++This event is generated when an attempt is made to shutdown a Windows ++system via SMB. ++ ++-- ++Impact: ++Serious. ++ ++-- ++Detailed Information: ++This event indicates that an attempt was made to shutdown a Windows ++system via SMB across the network. ++ ++It may be possible for an attacker to manipulate a Windows system ++from a remote location. Shutting down a system may lead to a Denial of ++Service for the target host. ++ ++-- ++Affected Systems: ++ Microsoft Windows systems. ++ ++-- ++Attack Scenarios: ++An attacker may be able to manipulate a target system using SMB. The ++attacker may gain complete control over the affected system. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None Known. ++ ++-- ++Corrective Action: ++Check the host for signs of system compromise. 
++ ++Turn off file and print sharing on the target host. ++ ++Use a packet filtering firewall to disallow SMB access to the host from ++sources external to the protected network. ++ ++Disallow remote registry manipulation. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1627.txt +@@ -0,0 +1,65 @@ ++Rule: ++ ++-- ++Sid: ++1627 ++ ++-- ++Summary: ++This event is generated when packets on the network are using an ++unassigned or reserved IP protocol. ++ ++-- ++Impact: ++Possible prelude to system compromise. ++ ++-- ++Detailed Information: ++Under normal circumstances IP packets do not use unassigned or reserved ++protocols. ++ ++an indicator of unauthorized network use, reconnaisance activity or ++system compromise. These rules may also generate an event due to ++improperly configured network devices. ++ ++-- ++Affected Systems: ++ All ++ ++-- ++Attack Scenarios: ++The attacker may send specially crafted packets using an unassigned or ++reserved protocol. ++ ++-- ++Ease of Attack: ++Simple ++ ++-- ++False Positives: ++Research or testing of new protocols may trigger this event. ++ ++Novell use protocol 224 for the Cluster heart beat ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Use a packet filtering device to reject packets using an unknown ++protocol. ++ ++-- ++Contributors: ++Original rule writer unknown ++Sourcefire Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++IANA ++http://www.iana.org/assignments/protocol-numbers ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1718.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++1718 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a CGI web application running on a server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. 
Possible unauthorized ++administrative access to the server or application. Possible execution ++of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to gain unauthorized ++access to a CGI application running ona web server. Some applications do ++not perform stringent checks when validating the credentials of a client ++host connecting to the services offered on a host server. This can lead ++to unauthorized access and possibly escalated privileges to that of the ++administrator. Data stored on the machine can be compromised and trust ++relationships between the victim server and other hosts can be exploited by the attacker. ++ ++If stringent input checks are not performed by the CGI application, it ++may also be possible for an attacker to execute system binaries or ++malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++ All systems running CGI applications ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her ++own credentials to gain access. Alternatively the attacker can exploit ++weaknesses to gain access as the administrator by supplying input of ++their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000468.txt +@@ -0,0 +1,72 @@ ++Rule: ++ ++-- ++Sid: ++100000468 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file ++include vulnerability in the "WebprojectDB" application running on a webserver. 
++Access to the file "lang.php" using a remote file being passed as the "INCDIR" ++parameter may indicate that an exploitation attempt has been attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution of ++arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a ++remote machine via the "INCDIR" parameter in the "lang.php" script used by the ++"WebprojectDB" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also ++be possible for an attacker to execute system binaries or malicious code of the ++attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to ++a CGI application running ona web server. Some applications do not perform ++stringent checks when validating the credentials of a client host connecting to ++the services offered on a host server. This can lead to unauthorized access and ++possibly escalated privileges to that of the administrator. Data stored on the ++machine can be compromised and trust relationships between the victim server ++and other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++All systems running CGI applications using WebprojectDB ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own ++credentials to gain access. Alternatively the attacker can exploit weaknesses ++to gain access as the administrator by supplying input of their choosing to the ++underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. 
++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had ++all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/724.txt +@@ -0,0 +1,90 @@ ++Rule: ++ ++-- ++Sid: ++724 ++ ++-- ++Summary: ++This event is generated when worm activity is detected. More specifcally ++this event indicates possible "My Romeo" propogation. ++ ++-- ++Impact: ++Serious. The victim host may be infected with a worm. ++ ++-- ++Detailed Information: ++This worm propogates via electronic mail and exploits a known ++vulnerability in the way that versions of Microsoft Outlook and Internet ++Explorer handle trusted HTML pages. The worm is launched via a compiled ++HTML file (.chm) which is used by Microsoft WIndows Help. ++ ++The executable part of the worm is called from within the trusted ++compiled HTML file. The worm attempts to propagate using hard coded ++addresses of SMTP servers. ++ ++This worm is also Known As: Romeo and Juliet, W32/Verona, TrojBlebla.A ++ ++-- ++Affected Systems: ++ Microsoft Windows 9x ++ Microsoft Windows 2000 ++ ++-- ++Attack Scenarios: ++Symantec Anti-Virus center states that the worm arrives as an email ++message that has an HTML body and two attachments named Myjuliet.chm ++and Myromeo.exe. The subject of the email is selected at random from ++the following set: ++ ++Romeo&Juliet ++hello world ++subject ++ble bla, bee ++I Love You ;) ++sorry... ++Hey you ! ++Matrix has you... ++my picture ++from shake-beer ++ ++-- ++Ease of Attack: ++Simple. This is worm activity. ++ ++-- ++False Positives: ++Legitimate electronic mail containing the known subject lines used by ++MyRomeo may cause this rule to generate an event. ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches and service packs. 
++ ++Use Anti-Virus software to detect and delete virus laden email. ++ ++This worm makes changes to the system registry, removal of the affected ++registry keys should be done using an appropriate virus removal tool or ++by an experienced Windows administrator. ++ ++-- ++Contributors: ++Original Rule Writer Max Vision ++Sourcefire Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++McAfee ++http://vil.nai.com/vil/content/v_98894.htm ++ ++Symantec Security Response ++http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1046.txt +@@ -0,0 +1,67 @@ ++Rule: ++ ++-- ++Sid: 1046 ++ ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). ++ ++-- ++Impact: ++Information gathering possible administrator access. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS. ++ ++The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information. ++ ++The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information. ++ ++Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources. ++ ++-- ++Affected Systems: ++Any host using IIS. ++ ++-- ++Attack Scenarios: ++An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database. ++ ++-- ++Ease of Attack: ++Simple. 
++ ++-- ++False Positives: ++None Known. ++ ++-- ++False Negatives: ++None Known. ++ ++-- ++Corrective Action: ++Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files. ++ ++Ensure that the IIS implementation is fully patched. ++ ++Ensure that the underlying operating system is fully patched. ++ ++Employ strategies to harden the IIS implementation and operating system. ++ ++Check the host for signs of compromise. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2409.txt +@@ -0,0 +1,65 @@ ++Rule: ++ ++-- ++Sid: ++2409 ++ ++-- ++Summary: ++This event is generated when an attempt is made to overflow a buffer by ++supplying a very long username to an APOP POP3 service. ++ ++-- ++Impact: ++Serious. Several POP3 servers are vulnerable to USER buffer overflows. ++ ++-- ++Detailed Information: ++By supplying more than 626 bytes of data to the APOP USER command on 1st ++Class Internet Solutions' 1st Class Mail Server, an attacker may ++overflow a buffer resulting in the opportunity to execute code of their ++choosing on the targeted machine with the privileges of the user running ++the service. ++ ++Other Mail software may be prone to this attack. ++ ++-- ++Affected Systems: ++ 1st Class Mail Server ++ ++-- ++Attack Scenarios: ++An attacker may connect to the service and supply an over-long username ++to overflow the buffer. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches. ++ ++Upgrade to the latest non-affected version of the software. ++ ++Check for other events generated by the source IP address. 
++ ++-- ++Contributors: ++Sourcefire Research Team ++Matt Watchinski ++Nigel Houghton ++ ++-- ++Additional References: ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2689.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++2689 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database server. ++ ++-- ++Impact: ++Serious. Possible execution of arbitrary code and Denial of Service. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database implementation. Multiple buffer ++overflow conditions are present in numerous packages and procedures. ++ ++Exploitation of these vulnerable procedures may allow an attacker to ++execute code of their choosing as the user running the database. In the ++case of databases running on Microsoft Windows platforms, this is the ++Local System account which may mean a compromise of the operating system ++as well as the database. ++ ++This event indicates that an attempt has been made to exploit a ++vulnerability in the procedure disable_receiver_trace ++. This procedure is included in ++sys.dbms_internal_repcat. ++ ++-- ++Affected Systems: ++ Oracle Oracle9i ++ ++-- ++Attack Scenarios: ++If an attacker can supply enough data to the procedure in question, it ++may be possible to cause the overflow condition to occur and present the ++attacker with the opportunity to execute code of their choosing. ++ ++-- ++Ease of Attack: ++Simple. 
++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Alex Kirk ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000742.txt +@@ -0,0 +1,55 @@ ++ ++ ++Rule: ++ ++-- ++Sid: ++100000742 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "functions.inc" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "functions.inc" script used by the "Geeklog" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. 
++ ++-- ++Affected Systems: ++All systems running CGI applications using Geeklog ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/3080.txt +@@ -0,0 +1,65 @@ ++Rule: ++ ++-- ++Sid: ++3080 ++ ++-- ++Summary: ++This event is generated when a remote attacker sends an overly long "secure" ++query to a host acting as an Unreal engine server. This may ++indicate an attempt to exploit a buffer overflow vulnerability. ++ ++-- ++Impact: ++Serious. A successful buffer overflow can permit the execution of arbitrary ++code on a vulnerable system. ++ ++-- ++Detailed Information: ++Unreal Tournament 2003 and 2004 are popular games developed by EpicGames and ++available for Linux, Windows and Macintosh platforms. The Unreal engine is ++used for both client and server functionality. An overly long "secure" ++query can be sent to the game server, causing a buffer overflow and the ++subsequent execution of arbitrary code. ++ ++-- ++Affected Systems: ++ Multiple versions of the Unreal Engine running on Linux, Microsoft ++ Windows and Macintosh platforms. ++ ++-- ++Attack Scenarios: ++An attacker can send an overly long "secure" query to a vulnerable host, causing ++a buffer overflow and the subsequent execution of arbitrary code. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. 
++ ++-- ++False Positives: ++Unreal servers can be configured to run on arbitrary ports. ++Administrators should either change the port used in the rule or create ++a variable for the ports to be used in the rule. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Upgrade to the most current nonaffected version of the software. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Judy Novak ++ ++-- ++Additional References: ++ ++OSVDB ++http://www.osvdb.org/displayvuln.php?osvdb_id=7217&Lookup=Lookup ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3286.txt +@@ -0,0 +1,70 @@ ++Rule: ++ ++-- ++Sid: ++3286 ++ ++-- ++Summary: ++This rule generates an event when an attempt is made to exploit a known ++vulnerability in Microsoft RPC DCOM. ++ ++-- ++Impact: ++Execution of arbitrary code leading to full administrator access of the ++machine. Denial of Service (DoS). ++ ++-- ++Detailed Information: ++A vulnerability exists in Microsoft RPC DCOM such that execution of ++arbitrary code or a Denial of Service condition can be issued against a ++host by sending malformed data via RPC. ++ ++The Distributed Component Object Model (DCOM) handles DCOM requests sent ++by clients to a server using RPC. A malformed request to an RPC port ++will result in a buffer overflow condition that will present the ++attacker with the opportunity to execute arbitrary code with the ++privileges of the local system account. ++ ++-- ++Affected Systems: ++ Windows NT 4.0 ++ Windows NT 4.0 Terminal Server Edition ++ Windows 2000 ++ Windows XP ++ Windows Server 2003 ++ ++-- ++Attack Scenarios: ++An attacker may make a request for a file with an overly long filename ++via a network share. ++ ++-- ++Ease of Attack: ++Simple. Expoit code exists. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches. 
++ ++Block access to RPC ports 135, 139 and 445 for both TCP and UDP ++protocols from external sources using a packet filtering firewall. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2458.txt +@@ -0,0 +1,52 @@ ++Rule: ++ ++-- ++Sid: ++2458 ++ ++-- ++Summary: ++This event is generated when a host in your network that has Yahoo Instant Messenger running has joined a chat room or is examining chat rooms to join. ++ ++-- ++Impact: ++Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments. ++ ++-- ++Detailed Information: ++Yahoo IM provides a means of allowing users who share similar interests to join a chat room and exchange messages. While there are no known exploits associated with exchanging messages, this type of activity may not be appropriate in certain network environments. ++ ++-- ++Affected Systems: ++Any host running Yahoo Instant Messenger. ++ ++-- ++Attack Scenarios: ++No known attacks. ++ ++-- ++Ease of Attack: ++No known attacks. ++ ++-- ++False Positives: ++None Known. ++ ++-- ++False Negatives: ++It may be possible for Yahoo IM traffic to use other ports than the default expected ones. ++ ++-- ++Corrective Action: ++Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Judy Novak ++-- ++Additional References: ++Yahoo Protocol ++http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1590.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++1590 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a CGI web application running on a server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. 
Possible unauthorized ++administrative access to the server or application. Possible execution ++of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to gain unauthorized ++access to a CGI application running ona web server. Some applications do ++not perform stringent checks when validating the credentials of a client ++host connecting to the services offered on a host server. This can lead ++to unauthorized access and possibly escalated privileges to that of the ++administrator. Data stored on the machine can be compromised and trust ++relationships between the victim server and other hosts can be exploited by the attacker. ++ ++If stringent input checks are not performed by the CGI application, it ++may also be possible for an attacker to execute system binaries or ++malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++ All systems running CGI applications ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her ++own credentials to gain access. Alternatively the attacker can exploit ++weaknesses to gain access as the administrator by supplying input of ++their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1920.txt +@@ -0,0 +1,57 @@ ++Nigel: Old reference pointed to something totally unrelated. 
++Rule: ++-- ++ ++Sid: ++1920 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a vulnerability associated with the FTP SITE NEWER command that may cause a denial of service or allow the upload of executable files. ++ ++-- ++Impact: ++Remote access or denial of service. A successful attack can cause a denial of service or allow the upload of executable files on the vulnerable FTP server. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to exploit a vulnerability associated with the WU-FTP server version of the SITE NEWER command. It is possible to cause a denial of service attack that consumes memory or upload files to execute arbitrary commands with the privileges of the process running the FTP server. ++ ++-- ++Affected Systems: ++Hosts running WU-FTPD 2.5.0. ++ ++-- ++Attack Scenarios: ++An attacker can cause a denial of service or upload files to execute arbitrary commands on the vulnerable FTP server. ++ ++-- ++Ease of Attack: ++Difficult. No known exploits available. ++ ++-- ++False Positives: ++None Known. ++ ++-- ++False Negatives: ++None Known. ++ ++-- ++Corrective Action: ++Upgrade to the latest non-affected version of the software. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++Judy Novak ++ ++-- ++Additional References: ++ ++Bugtraq: ++http://www.securityfocus.com/bid/737 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3156.txt +@@ -0,0 +1,70 @@ ++Rule: ++ ++-- ++Sid: ++3156 ++ ++-- ++Summary: ++This rule generates an event when an attempt is made to exploit a known ++vulnerability in Microsoft RPC DCOM. ++ ++-- ++Impact: ++Execution of arbitrary code leading to full administrator access of the ++machine. Denial of Service (DoS). ++ ++-- ++Detailed Information: ++A vulnerability exists in Microsoft RPC DCOM such that execution of ++arbitrary code or a Denial of Service condition can be issued against a ++host by sending malformed data via RPC. 
++ ++The Distributed Component Object Model (DCOM) handles DCOM requests sent ++by clients to a server using RPC. A malformed request to an RPC port ++will result in a buffer overflow condition that will present the ++attacker with the opportunity to execute arbitrary code with the ++privileges of the local system account. ++ ++-- ++Affected Systems: ++ Windows NT 4.0 ++ Windows NT 4.0 Terminal Server Edition ++ Windows 2000 ++ Windows XP ++ Windows Server 2003 ++ ++-- ++Attack Scenarios: ++An attacker may make a request for a file with an overly long filename ++via a network share. ++ ++-- ++Ease of Attack: ++Simple. Expoit code exists. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches. ++ ++Block access to RPC ports 135, 139 and 445 for both TCP and UDP ++protocols from external sources using a packet filtering firewall. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/696.txt +@@ -0,0 +1,64 @@ ++Rule: ++ ++-- ++Sid: ++696 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in Microsoft SQL. ++ ++-- ++Impact: ++Information gathering and data integrity compromise. Possible unauthorized ++administrative access to the server or application. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to gain unauthorized ++access to an implementation of Microsoft SQL server or client. This can ++lead to unauthorized access and possibly escalated privileges to that of ++the administrator. Data stored on the machine can be compromised and ++trust relationships between the victim server and other hosts can be ++exploited by the attacker. 
++ ++-- ++Affected Systems: ++ ++-- ++Attack Scenarios: ++An attacker can access the authentication mechanism and supply his/her ++own credentials to gain access. Alternatively the attacker can exploit ++weaknesses to gain access as the administrator. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Disallow administrative access from sources external to the protected ++network. ++ ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/326.txt +@@ -0,0 +1,72 @@ ++Rule: ++ ++-- ++Sid: 326 ++ ++-- ++ ++Summary: ++This event is generated when a remote command execution exploit against ++a finger daemon is attempted. ++ ++-- ++Impact: ++Serious. The attacker may be presented with the opportunity to run a ++command of his choice on the target UNIX system ++ ++-- ++Detailed Information: ++This event is generated when a specific attack against a vulnerable ++version of finger daemon is detected. ++ ++The Finger daemon is used to provide information about users on a UNIX ++system. It used to be installed and enabled by default on most ++UNIX/Linux systems. The attack may allow an attacker to execute a ++command remotely on a target system with the privileges of the user ++running the "finger" daemon. The user is usually defined in the ++/etc/inetd.conf file and is commonly designated as "nobody". ++ ++-- ++Attack Scenarios: ++An attacker may try the attack and then executes a command to download a ++backdoor to the target system. He then connects to the system and may ++attempt to escalate his privileges by exploiting a local SUID ++application to gain "root" privileges. 
++ ++-- ++Ease of Attack: ++Simple, no exploit software is required, just a specially formatted finger query ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Disable the finger daemon or limit the addresses that can access the ++service via firewall or TCP wrappers. ++ ++-- ++Contributors: ++Original rule written by Max Vision ++Snort documentation contributed by Anton Chuvakin ++Sourcefire Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Arachnids: ++http://www.whitehats.com/info/IDS379 ++ ++Bugtraq: ++http://online.securityfocus.com/bid/974 ++ ++CVE: ++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0150 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000355.txt +@@ -0,0 +1,58 @@ ++ ++ ++Rule: ++ ++-- ++Sid: ++100000355 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "eSyndiCat" application running on a webserver. Access to the file "cron.php" using a remote file being passed as the "path_to_config" parameter may indicate that an exploitation attempt has been attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a remote machine via the "path_to_config" parameter in the "cron.php" script used by the "eSyndiCat" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. 
Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++All systems running CGI applications using eSyndiCat ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/2887.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++2887 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database server. ++ ++-- ++Impact: ++Serious. Possible execution of arbitrary code and Denial of Service. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database implementation. Multiple buffer ++overflow conditions are present in numerous packages and procedures. ++ ++Exploitation of these vulnerable procedures may allow an attacker to ++execute code of their choosing as the user running the database. 
In the ++case of databases running on Microsoft Windows platforms, this is the ++Local System account which may mean a compromise of the operating system ++as well as the database. ++ ++This event indicates that an attempt has been made to exploit a ++vulnerability in the procedure drop_delete_resolution ++. This procedure is included in ++sys.dbms_repcat_conf. ++ ++-- ++Affected Systems: ++ Oracle Oracle9i ++ ++-- ++Attack Scenarios: ++If an attacker can supply enough data to the procedure in question, it ++may be possible to cause the overflow condition to occur and present the ++attacker with the opportunity to execute code of their choosing. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Alex Kirk ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/881.txt +@@ -0,0 +1,72 @@ ++Rule: ++ ++-- ++Sid: ++881 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a CGI web application running on a server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution ++of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to gain unauthorized ++access to a CGI application running ona web server. Some applications do ++not perform stringent checks when validating the credentials of a client ++host connecting to the services offered on a host server. This can lead ++to unauthorized access and possibly escalated privileges to that of the ++administrator. 
Data stored on the machine can be compromised and trust ++relationships between the victim server and other hosts can be exploited by the attacker. ++ ++If stringent input checks are not performed by the CGI application, it ++may also be possible for an attacker to execute system binaries or ++malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++ All systems running CGI applications ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her ++own credentials to gain access. Alternatively the attacker can exploit ++weaknesses to gain access as the administrator by supplying input of ++their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Guide to network resource tools: ++http://www.acad.bg/beginner/gnrt/specialist/archie.html ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/993.txt +@@ -0,0 +1,67 @@ ++Rule: ++ ++-- ++Sid: 993 ++ ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). ++ ++-- ++Impact: ++Information gathering possible administrator access. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS. ++ ++The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information. 
++ ++The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information. ++ ++Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources. ++ ++-- ++Affected Systems: ++Any host using IIS. ++ ++-- ++Attack Scenarios: ++An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None Known. ++ ++-- ++False Negatives: ++None Known. ++ ++-- ++Corrective Action: ++Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files. ++ ++Ensure that the IIS implementation is fully patched. ++ ++Ensure that the underlying operating system is fully patched. ++ ++Employ strategies to harden the IIS implementation and operating system. ++ ++Check the host for signs of compromise. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2629.txt +@@ -0,0 +1,73 @@ ++Rule: ++ ++-- ++Sid: ++2629 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a Oracle database implementation. ++ ++-- ++Impact: ++Serious. Execution of arbitrary code may be possible. A Denial of ++Service (DoS) condition may also be caused. ++ ++-- ++Detailed Information: ++Oracle databases may use a built-in procedure to assist in database ++replication. The "register_user_repgroup" procedure contains a ++programming error that may allow an attacker to execute a buffer ++overflow attack. 
++ ++This overflow is triggered by a long string in a parameter for the ++procedure. ++ ++If you are running Oracle on a Windows server, make sure that the ++variable $ORACLE_PORTS is set to a value of "any". ++ ++-- ++Affected Systems: ++ Oracle 9i ++ ++-- ++Attack Scenarios: ++An attacker can supply a long string to the "privilege_type" variable ++to cause the overflow. The result could permit the attacker to gain ++escalated privileges and run code of their choosing. This attack ++requires an attacker to logon to the database with a valid username ++and password combination. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Matt Watchinski ++Brian Caswell ++Nigel Houghton ++Judy Novak ++ ++-- ++Additional References: ++ ++Other: ++http://www.appsecinc.com/Policy/PolicyCheck94.html ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/313.txt +@@ -0,0 +1,57 @@ ++Rule: ++ ++-- ++Sid: 313 ++ ++-- ++Summary: ++This event is generated when an attempt to exploit a buffer overflow condition in ntalkd is made. ++ ++-- ++Impact: ++Serious. System compromize presenting the attacker with the opportunity to gain remote access to the victim host or execute arbitrary code with the privileges of the superuser account. ++ ++-- ++Detailed Information: ++Some versions of the Network Talk Daemon (ntalkd) are vulnerable to a buffer overflow condition which can present the attacker with a root shell. ++ ++Talk is used to communicate between users of UNIX based operating systems. A vulnerability exists such that a buffer overflow condition in talk can be exploited by a malicious user. This may then present the attacker with the opportunity to gain root access to the target system. 
++ ++Affected Versions: ++ Multiple vendors ++ ++-- ++Attack Scenarios: ++Once the overflow has been created, the attacker is able to supply incorrect hostname information to the target system and gain root access. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Upgrade to the latest non-affected version of the software. ++ ++Apply vendor supplied patches. ++ ++-- ++Contributors: ++Original rule writer unknown ++Sourcefire Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Bugtraq: ++http://www.securityfocus.com/bid/210 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000847.txt +@@ -0,0 +1,55 @@ ++ ++ ++Rule: ++ ++-- ++Sid: ++100000847 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Sitemap" application running on a webserver. Access to the file "sitemap.xml.php" using a remote file being passed as the "mosConfig_absolute_path" parameter may indicate that an exploitation attempt has been attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a remote machine via the "mosConfig_absolute_path" parameter in the "sitemap.xml.php" script used by the "Sitemap" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. 
Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++All systems running CGI applications using Sitemap ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000677.txt +@@ -0,0 +1,73 @@ ++Rule: ++ ++-- ++Sid: ++100000677 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file ++include vulnerability in the "Harpia" application running on a webserver. ++Access to the file "topics.php" using a remote file being passed as the ++"header_prog" parameter may indicate that an exploitation attempt has been ++attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution of ++arbitrary code of the attackers choosing in some cases. 
++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a ++remote machine via the "header_prog" parameter in the "topics.php" script used ++by the "Harpia" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also ++be possible for an attacker to execute system binaries or malicious code of the ++attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to ++a CGI application running ona web server. Some applications do not perform ++stringent checks when validating the credentials of a client host connecting to ++the services offered on a host server. This can lead to unauthorized access and ++possibly escalated privileges to that of the administrator. Data stored on the ++machine can be compromised and trust relationships between the victim server ++and other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++All systems running CGI applications using Harpia ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own ++credentials to gain access. Alternatively the attacker can exploit weaknesses ++to gain access as the administrator by supplying input of their choosing to the ++underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had ++all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/1052.txt +@@ -0,0 +1,64 @@ ++Rule: ++ ++-- ++Sid: ++1052 ++ ++-- ++Summary: ++This event is generated when an attempt is made to execute a directory ++traversal attack. 
++ ++-- ++Impact: ++Information disclosure. This is a directory traversal attempt which can ++lead to information disclosure and possible exposure of sensitive ++system information. ++ ++-- ++Detailed Information: ++Directory traversal attacks usually target web, web applications and ftp ++servers that do not correctly check the path to a file when requested by ++the client. ++ ++This can lead to the disclosure of sensitive system information which may ++be used by an attacker to further compromise the system. ++ ++-- ++Affected Systems: ++ ++-- ++Attack Scenarios: ++An authorized user or anonymous user can use the directory traversal ++technique, to browse folders outside the ftp root directory. Information ++gathered may be used in further attacks against the host. ++ ++-- ++Ease of Attack: ++Simple. No exploit software required. ++ ++-- ++False Positives: ++None known ++ ++-- ++False Negatives: ++None known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches ++ ++Upgrade the software to the latest non-affected version. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2214.txt +@@ -0,0 +1,56 @@ ++Rule: ++ ++-- ++Sid: ++2214 ++ ++-- ++Summary: ++This event is generated when an attempt is made to access mailview.cgi on an internal web server. This may indicate an attempt to exploit a directory traversal vulnerability in MailStudio 2000 2.0 and earlier. ++ ++-- ++Impact: ++Information disclosure. ++ ++-- ++Detailed Information: ++MailStudio 2000 is mail server software for Solaris or Linux operating systems. It contains a vulnerability where data sent to mailview.cgi is not properly parsed. This can allow an attacker to use directory traversal techniques (/../) within the "html" parameter to view arbitrary files on the system, including other users' email, configuration files, and password files. 
++ ++-- ++Affected Systems: ++Systems running MailStudio 2000 2.0 and earlier. ++ ++-- ++Attack Scenarios: ++An attacker sends a specially crafted HTTP request to a vulnerable web server with another user's email file as the html argument. The attacker will then be able to view the file. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++If a legitimate remote user accesses mailview.cgi, this rule may generate an event. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++It is not known if this vulnerability has been fixed. Contact the vendor, 3R Soft (http://www.3rsoft.com), for more information. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++Sourcefire Technical Publications Team ++Jennifer Harvey ++ ++-- ++Additional References: ++Bugtraq ++http://www.securityfocus.com/bid/1335 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3053.txt +@@ -0,0 +1,64 @@ ++Rule: ++ ++-- ++Sid: ++3053 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in Ethereal. ++ ++-- ++Impact: ++Serious. Denial of Service (DoS). ++ ++-- ++Detailed Information: ++Ethereal is a multi-platform network protocol analyser capable of ++displaying network data to the user in a graphical user interface. ++ ++An error in the processing of access control lists (ACLs) concerning the ++size of the access control entries (ACEs) may lead to a Denial of Service ++(DoS) condition in Ethereal. The ACL parsing routine trusts the size of ++the ACE given in the packet during processing. If a sufficiently large ACL ++structure is supplied combined with a specified ACE size of 0, it is ++possible to cause the DoS condition to occur. ++ ++-- ++Affected Systems: ++ Ethereal 0.10.7 and prior ++ ++-- ++Attack Scenarios: ++An attacker needs to craft packet data containing large NT ACLs, the ++attacker then needs to specify one of the ACEs as having a size of 0. 
++ ++-- ++Ease of Attack: ++Moderate. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++Upgrade to the latest non-affected version of the software. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2698.txt +@@ -0,0 +1,67 @@ ++Rule: ++ ++-- ++Sid: ++2698 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database server. ++ ++-- ++Impact: ++Serious. Possible execution of arbitrary code and Denial of Service. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database implementation. Multiple buffer ++overflow conditions are present in numerous packages and procedures. ++ ++Exploitation of these vulnerable procedures may allow an attacker to ++execute code of their choosing as the user running the database. In the ++case of databases running on Microsoft Windows platforms, this is the ++Local System account which may mean a compromise of the operating system ++as well as the database. ++ ++This event indicates that an attempt has been made to exploit a ++vulnerability in the procedure create file. ++ ++-- ++Affected Systems: ++ Oracle Oracle9i ++ ++-- ++Attack Scenarios: ++If an attacker can supply enough data to the procedure in question, it ++may be possible to cause the overflow condition to occur and present the ++attacker with the opportunity to execute code of their choosing. ++ ++-- ++Ease of Attack: ++Simple. 
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/686.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid:
++
++--
++
++Summary:
++This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system.
++
++--
++Impact:
++Serious. An attacker may have gained administrator access to the system.
++
++--
++Detailed Information:
++This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system.
++
++Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
++
++This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
++
++--
++
++Attack Scenarios:
++Simple. These are SQL database commands.
++
++--
++
++Ease of Attack:
++Simple.
++
++--
++
++False Positives:
++This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
++
++--
++False Negatives:
++None Known
++
++--
++
++Corrective Action:
++Disallow direct access to the SQL server from sources external to the protected network.
++
++Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
++
++Look for other events generated by the same IP addresses.
++
++--
++Contributors:
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000174.txt
+@@ -0,0 +1,59 @@
++Rule:
++
++--
++Sid:
++100000174
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in RSA Security RSA Authentication Agent For Web.
++
++--
++Impact:
++Cross site scripting leading to possible inclusion of code of the attackers
++choosing.
++
++--
++Detailed Information:
++A vulnerability exists in RSA Security RSA Authentication Agent For Web that
++may allow an attacker to include code of their choosing due to the improper
++checking of user supplied input.
++
++--
++Affected Systems:
++RSA Security RSA Authentication Agent For Web 5.2
++
++--
++Attack Scenarios:
++An attacker can supply a link to include code of their choosing in data
++supplied to RSA Security RSA Authentication Agent For Web.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Original Rule writer rmkml
++Sourcefire Vulnerability Research Team
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000740.txt
+@@ -0,0 +1,55 @@
++
++
++Rule:
++
++--
++Sid:
++100000740
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "Import.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application.
Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "Import.Admin.class.php" script used by the "Geeklog" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Geeklog
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000596.txt
+@@ -0,0 +1,74 @@
++Rule:
++
++--
++Sid:
++100000596
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Indexu" application running on a webserver.
++Access to the file "inv_config_payment.php" using a remote file being passed as
++the "admin_template_path" parameter may indicate that an exploitation attempt
++has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "admin_template_path" parameter in the
++"inv_config_payment.php" script used by the "Indexu" application running on a
++webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Indexu
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/220.txt
+@@ -0,0 +1,61 @@
++Rule:
++
++--
++Sid:
++220
++
++--
++Summary:
++This event is generated when an attacker attempts to connect to a
++Telnet server using the phrase "wank". This is a known password for
++the HideSource rootkit.
++
++--
++Impact:
++Possible theft of data and control of the targeted machine leading to a
++compromise of all resources the machine is connected to.
++
++--
++Detailed Information:
++This Trojan affects UNIX operating systems:
++
++Due to the nature of this Trojan it is unlikely that the attacker's
++client IP address has been spoofed.
++
++--
++Attack Scenarios:
++This Trojan may be delivered to the target in a number of ways. This
++event is indicative of an existing infection being activated. Initial
++compromise may be due to the exploitation of another vulnerability and
++the attacker is leaving another way into the machine for further use.
++
++--
++Ease of Attack:
++This is Trojan activity, the target machine may already be compromised.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Disallow Telnet access from external sources.
++
++Use SSH as opposed to Telnet for access from external locations
++
++Delete the Trojan and kill any associated processes.
++
++--
++Contributors:
++Original rule writer unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2069.txt
+@@ -0,0 +1,67 @@
++Rule:
++
++--
++Sid:
++2069
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in devices using the IPC@CHIP from Beck IPC GmbH.
++
++--
++Impact:
++Information disclosure
++
++--
++Detailed Information:
++The IPC@CHIP from Beck IPC GmbH is used in network appliances for use in
++controlling those devices via a web interface.
++
++The embedded webserver uses the system root as its default webserver
++root directory. This means an attacker can request any file on the
++system by making an http request for the file.
++
++--
++Affected Systems:
++All devices using this chip.
++
++--
++Attack Scenarios:
++The attacker needs to craft a special URI including chip.ini with a
++request for a file on the system.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Network devices using this chip should be closely monitored, access to
++the embedded webserver should be carefully controlled using a firewall
++or disabled where possible.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Bugtraq:
++http://www.securityfocus.com/bid/2775
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0749
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3011.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++3011
++--
++Summary:
++This event is generated when an attempt is made to find the System
++directory on a target host with the RUX the Tick Trojan.
++
++--
++Impact:
++If successful, the attacker would gain unauthorized access to the system,
++to upload and execute file on the target system. The attacker can use
++this function to upload additional backdoors to the victim's system and
++execute them.
++
++--
++Detailed Information:
++When executed, RUX the Tick opens up its assigned port (default is
++22222) for communication with the attacker. RUX the Tick has three
++functions: Get Windows Directory, Get System Directory, and Upload And
++Execute File. Get Windows Directory and Get System Directory are used
++for reconnaissance. Upload And Execute File is mainly used to upload and
++run other backdoors onto the victim's computer.
++
++--
++Affected Systems:
++ Windows 95/98/ME/NT/2000
++
++--
++Attack Scenarios:
++The victim must first install the server. Be wary of suspicious files
++because they often can be backdoors in disguise. Once the victim
++mistakenly installs the server program, the attacker usually will employ
++an IP scanner program to find the IP addresses of victims that have
++installed the program. Then the attacker enters the IP address, port
++number (which is assigned to the server program by the attacker:
++default is 22222), and presses the connect button and he has access to
++the computer.
++
++--
++
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Using Windows Task Manager, kill these processes: ruxserver.exe and server.exe.
++Use Windows Explorer to find ruxserver.exe and delete the file.
++
++Keep anti-virus programs updated with the latest definitions.
++
++--
++Contributors:
++Sourcefire Research Team
++Ricky Macatee
++
++--
++Additional References:
++
++PestPatrol:
++http://www.pestpatrol.com/PestInfo/R/RUX.ASP
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1716.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1716
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1400.txt
+@@ -0,0 +1,67 @@
++Rule:
++
++--
++Sid: 1400
++
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
++
++--
++Impact:
++Information gathering possible administrator access.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
++
++The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
++
++The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
++
++Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
++
++--
++Affected Systems:
++Any host using IIS.
++
++--
++Attack Scenarios:
++An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
++
++Ensure that the IIS implementation is fully patched.
++
++Ensure that the underlying operating system is fully patched.
++
++Employ strategies to harden the IIS implementation and operating system.
++
++Check the host for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1967.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1967
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a PHP web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a PHP application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the PHP application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running PHP applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying PHP script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2398.txt
+@@ -0,0 +1,59 @@
++Rule:
++
++--
++Sid:
++2398
++
++--
++Summary:
++This event is generated when an attempt is made to exploit the PHP web
++application WAnewsletter.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the WAnewsletter PHP web application running on a server.
++Multiple vulnerabilities exist in the application which can lead to the
++execution of arbitrary code of the atttackers choosing.
++
++--
++Affected Systems:
++ WAnewsletter
++
++--
++Attack Scenarios:
++An attacker can supply code of their choice by including a file in
++parameters supplied to the script newsletter.php or db_type.php.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000177.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++100000177
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a Linksys WRT54G wireless router.
++
++--
++Impact:
++Unauthorized administrative access to the router and it's configuration.
++
++--
++Detailed Information:
++A vulnerability exists in the Linksys WRT54G wireless router that may present
++an attacker with the opportunity to take control of the victim hardware via a
++POST request to the web interface.
++
++This is due to the apply.cgi script not performing proper checks on user
++supplied input that may allow the attacker to overflow a fixed length buffer
++and execute code of their choosing.
++
++--
++Affected Systems:
++Linksys WRT54G Wireless Router firmware 4.0.4.20.6 and prior
++
++--
++Attack Scenarios:
++An attacker can supply a malformed POST request to the apply.cgi script on an
++affected piece of hardware.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++Apply the appropriate vendor supplied firmware upgrade.
++
++--
++Contributors:
++Original Rule writer rmkml
++Sourcefire Vulnerability Research Team
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3159.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3159
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC.
A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3369.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3369
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1811.txt
+@@ -0,0 +1,63 @@
++Rule:
++
++--
++Sid:
++1811
++
++--
++Summary:
++This event is generated when a remote user has exploited a flaw in a
++local SSH server.
++
++--
++Impact:
++Serious
++
++--
++Detailed Information:
++OpenSSH has a flaw in the challenge-response mechanism when configured
++with either the "PAMAuthenticationViaKbdInt" or the
++"ChallengeResponseAuthentication" options. This flaw can be exploited by
++a user who is not authenicated and can lead to the attacker obtaining a
++root shell.
++
++--
++Affected Systems:
++OpenSSH versions 1.2 to 3.3, Solaris 9.0, IBM Linux
++Affinity Toolkit, and HP HP-UX Secure Shell A.03.10.
++
++--
++Attack Scenarios:
++An attacker can cause the service to restart or hang, leaving the
++service unavailable to users.
++
++--
++Ease of Attack:
++Simple. Exploit code available.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Upgrade to latest version of OpenSSH
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Snort documentation contributed by Josh Sakofsky
++
++--
++Additional References:
++
++Bugtraq:
++http://www.securityfocus.com/bid/5093
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000388.txt
+@@ -0,0 +1,58 @@
++
++
++Rule:
++
++--
++Sid:
++100000388
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "topman.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "topman.php" script used by the "Ovidentia" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator.
Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Ovidentia
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/798.txt
+@@ -0,0 +1,62 @@
++
++Rule:
++
++--
++Sid:
++798
++
++--
++Summary:
++This rule has been placed in deleted.rules. It has been superceded by
++sid 721.
++
++--
++Impact:
++Mail worms may spread rapidly because users execute them.
++
++--
++Detailed Information:
++Windows systems are often configured not to display file extensions.
++By adding a second extension, users get confused and think that an
++executable is a picture - e.g. nicegirl.gif.vbs gets displayed as
++nicegirl.gif but is a visual basic script and not a picture.
++
++--
++Affected Systems:
++
++--
++Attack Scenarios:
++Famous worms (ILOVEYOU, KOURNIKOVA) are based on this method.
++
++--
++Ease of Attack:
++Very easy. One needs to attach a file and hope that it gets executed.
++
++--
++False Positives:
++None Known
++Could be an error on sender's side.
++
++--
++False Negatives:
++None Known
++-
++
++--
++Corrective Action:
++Use antivirus software. Configure mail clients securely, especially when
++using windows desktops.
Educate your mail users. Deny all attachments at
++the gateway if you can.
++
++--
++Contributors:
++Original rule writer unknown
++Snort documentation contributed by tobias.haecker@to.com
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++
++--
++Additional References:
++See websites of antivirus companies.
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/350.txt
+@@ -0,0 +1,63 @@
++SID:
++350
++--
++
++Rule:
++--
++
++Summary:
++This event is generated when an attack attempt is made against an ftp
++server possibly running a vulnerable ftpd
++--
++
++Impact:
++Possible execution of commands on the affected server as with elevated user privileges
++--
++
++Detailed Information:
++The Washington University ftp daemon (wu-ftpd) has a problem with very
++log directory names. There is insufficent checking on directories
++created by users allowing possible insertion of data into the stack.This
++can lead to execution of code with root / elevated user privileges.
++--
++
++Affected Systems:
++NcFTP Software NcFTPD 2.3.5
++Washington University wu-ftpd 2.4.2 (beta 18) VR10
++RedHat wu-ftpd 2.4.2 b18-2
++Washington University wu-ftpd 2.4.2 academ[BETA-18]
++Probably others as well, susspect anything under Washington University wu-ftpd 2.6.0 for this particular exploit.
++--
++
++Attack Scenarios:
++A local attacker will attempt to create long named directories on the
++ftp server wich are not checked correctly in the server code. This can
++allow commands to be executed with elevated user privileges
++--
++
++Ease of Attack:
++simple, Exploit code exists
++--
++
++False Positives:
++None known
++--
++
++False Negatives:
++None known
++--
++
++Corrective Action:
++Upgrade to newest version of wuftpd, or replace with something more secure.
++--
++
++Contributors:
++Snort documentation contributed by matthew harvey
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2329.txt
+@@ -0,0 +1,78 @@
++Rule:
++
++--
++Sid:
++2329
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft Windows Data Access Components.
++
++--
++Impact:
++Serious. Execution of arbitrary code is possible. Denial of Service
++(DoS)
++
++--
++Detailed Information:
++It may be possible for an attacker to send a specially crafted response
++to a client broadcast query searching for an SQL server. This response
++could take advantage of a buffer overrun condition in an MDAC component
++which may result in the attacker being presented with the opportunity to
++execute code of their choosing with the privileges of the user running
++the service on the client system.
++
++A DoS condition may also manifest in MDAC version 2.8.
++
++MDAC is included by default on many Microsoft Windows systems. Client
++workstations may make regular broadcast announcements in an attempt to
++find SQL servers.
++
++--
++Affected Systems:
++ Microsoft Data Access Components 2.5
++ Microsoft Data Access Components 2.6
++ Microsoft Data Access Components 2.7
++ Microsoft Data Access Components 2.8
++
++--
++Attack Scenarios:
++The attacker may spoof the response from an SQL server to exploit the
++vulnerability.
++
++--
++Ease of Attack:
++Moderate..
++
++--
++False Positives:
++Since this rule cannot be constrained using ports and the connection
++state for MSDAC is not tracked, false positive events may occur under
++normal circumstances. The $SQL_SERVERS variable in snort.conf should be
++configured correctly to eliminate this behavior.
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches and service packs.
++
++Disallow access to database servers from sources external to the
++protected network.
++
++Disallow access to database servers from untrusted hosts.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/244.txt
+@@ -0,0 +1,57 @@
++Rule:
++--
++Sid:
++244
++
++--
++Summary:
++This event is generated when a DDoS mstream handler directs an mstream agent to begin an attack against a specified target.
++
++--
++Impactn:
++Severe. If the listed source IP is in your network, it may be an mstream handler. If the listed destination IP is in your network, it may be an mstream agent.
++
++--
++Detailed Information:
++The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack.  There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack.  A handler can direct a particular agent to attack a target. It directs the agent by sending it a UDP packet to destination port 10498 with a string of "stream/" in the payload. The target IP and duration of the attack will also be included in the payload.
++
++--
++Affected Systems:
++Any mstream compromised host.
++
++--
++Attack Scenarios:
++After a host becomes an mstream agent, it will likely be directed to participate in a DDoS attack.
++--
++Ease of Attack:
++Simple. mstream code is freely available.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++There are other known handler-to-agent ports in addition to 10498.
++
++--
++Corrective Action:
++Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
++
++Rebuild a confirmed compromised host.
++
++Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
++
++--
++Contributors:
++Original rule writer unknown
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1889.txt
+@@ -0,0 +1,56 @@
++Nigel, Removed isc.incidents.org reference since it is no longer active.
++Rule:
++
++--
++Sid:
++1889
++
++--
++Summary:
++This event is generated when a web server infected by the slapper worm attempts to send traffic via a communication channel.
++
++--
++Impact:
++Remote access and potentially denial of service. A slapper worm infection indicates a successful compromise of the host. A communication channel established between infected hosts can be used as a vehicle for a distributed denial of service attack of a target host or network.
++
++--
++Detailed Information:
++The Apache/mod_ssl worm, also known as slapper, exploits a vulnerability associated with certain versions of OpenSSL. Once a host has been infected by the worm, the worm then attempts to establish a communication channel using UDP port 2002 (both source and destination) to the infecting host. This communication channel is used to create a network for infected hosts to communicate with each other to identify other infected hosts and to deliver attack instructions for other sites.
++
++--
++Affected Systems:
++Linux hosts running Apache with mod_ssl using SSLv2-enabled OpenSSL 0.9.6d or earlier on Intel x86 architectures.
++
++--
++Attack Scenarios:
++The communication channel created by the slapper worm allows infected hosts to receive direction from other infected hosts. This can be used, for instance, to coordinate a DDoS attack.
++
++--
++Ease of Attack:
++Simple. Exploit code exists.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++It has been observed that the port number for the communication channel may vary. Ports 1978 and 4156 have also been seen.
++
++--
++Corrective Action:
++Apply the appropriate patch or upgrade to the most current version of OpenSSL.
++
++--
++Contributors:
++Original rule writer unknown.
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++CERT
++http://www.cert.org/advisories/CA-2002-27.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000172.txt
+@@ -0,0 +1,66 @@
++Rule:
++
++--
++Sid:
++100000172
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the Lynx text-based web browser.
++
++--
++Impact:
++Code execution on the victim machine with the privileges of the user running
++Lynx.
++
++--
++Detailed Information:
++A vulnerability exists in the way that Lynx handles links when browsing NNTP
++resources. The function that handles the display of information from article
++headers when listing available files on the server, inserts extra characters to
++handle certain character sets. This function does not properly check how much
++extra data is inserted and it is possible to overflow a static buffer and
++execute code in the context of the browser process.
++
++--
++Affected Systems:
++Lynx versions 2.8.6 and prior
++
++--
++Attack Scenarios:
++An attacker would need to supply a malicious link on an nntp server to the user
++using Lynx.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Apply the appropriate patch.
++
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Original Rule writer rmkml
++Sourcefire Vulnerability Research Team
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++Original advisory posting:
++http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038019.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2589.txt
+@@ -0,0 +1,93 @@
++Rule:
++
++--
++Sid:
++2589
++
++--
++Summary:
++This event is generated when an attempt is made to return to
++a web client a file in the Content-Disposition Header with a
++Class ID (CLSID) embedded in the file name.
++
++--
++Impact:
++A successful attack may trick a client on a vulnerable host to download
++a malicious file that will be executed by the Windows Shell.
++
++--
++Detailed Information:
++Internet Explorer does not correctly handle or display specially
++crafted files in the browser dialogue where the user choses the
++action (e.g., open, save, cancel) for a downloaded file.
++Specifically, these are overly long file names that employ URL
++encoding of "." %2E before the file extension and contain the
++Class ID (CLSID) associated with the Windows Shell in the file name.
++
++This serves two purposes; the first is that the file name will
++be truncated in the user dialog so the user doesn't see the
++CLSID reference, making it appear to be a more innocuous file
++with a known extension such as mpg or pdf. Second, the downloaded
++file will actually contain malcious commands that will be
++executed by the Windows Shell when opened because of the hidden
++CLSID in the file name.
++
++Currently, the only known CLSID that exploits this vulnerability
++is associated with the Windows Shell. Yet, it may be possible
++for another CLSID to be discovered in the future that would be
++associated with a COM component that could be used for malicious
++purposes.
++
++--
++Affected Systems:
++ Windows NT Workstation/Server 4.0 SP6a
++ Windows NT Workstation/Server 4.0 SP6a with Active Desktop
++ Windows NT Server 4.0 Terminal Server Edition SP6
++ Windows 2000 SP2-SP4
++ Windows XP and XP SP1
++ Windows XP 64-Bit Edition SP1
++ Windows XP 64-Bit Edition Version 2003
++ Windows Server 2003
++ Windows Server 2003 64-Bit Edition
++
++--
++Attack Scenarios:
++An attacker can entice a user to visit a web server that
++will return a malicious file with a file name that contains
++a CLSID, perhaps enabling the execution of the malicious
++code when the file is opened.
++
++--
++Ease of Attack:
++Simple. Exploit code is publicly available.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Judy Novak
++
++--
++Additional References
++CVE:
++http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0420
++
++Bugtraq:
++http://www.securityfocus.com/bid/9510
++
++Other:
++http://www.microsoft.com/technet/security/bulletin/ms04-024.mspx
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000382.txt
+@@ -0,0 +1,58 @@
++
++
++Rule:
++
++--
++Sid:
++100000382
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_users.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_users.php" script used by the "phpNuke" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using phpNuke
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1784.txt
+@@ -0,0 +1,65 @@
++Rule:
++
++--
++Sid:
++
++1784
++
++--
++Summary:
++This rule indicates that a webpage was visited the included the content "nude celeb".
++
++--
++Impact:
++Someone could be violating your company's policy regarding the browsing of inappropriate content.
++
++--
++Detailed Information:
++
++This rule looks for a response from a webserver containing "nude celeb".
++
++--
++Affected Systems:
++
++All
++
++--
++Attack Scenarios:
++
++Not an attack.
++
++--
++Ease of Attack:
++
++N/A.
++
++--
++False Positives:
++
++This could have been caused by a pop-up window or spam with an embedded link to a pornographic website. This could also be caused by somebody visiting the snort rule descriptions on the snort website. etc.etc.
++
++--
++False Negatives:
++
++None known.
++--
++Corrective Action:
++
++Dependent on your company's policies.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Snort documentation contributed by Steven Alexander
++--
++Additional References:
++
++
++
++
++
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2188.txt
+@@ -0,0 +1,62 @@
++Rule:
++
++--
++Sid:
++2188
++
++--
++Summary:
++This event is generated when a suspicious packet using an unusual
++protocol is sent to a router.
++
++--
++Impact:
++Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in multiple Cisco IOS versions such that a Denial
++of Service condition can be issued against a device by sending multiple
++packets using IP protocols 53, 55, 77 and 103 directly to that device.
++
++Cisco IOS processes these packets and under certain circumstances, can
++be made to incorrectly flag an input interface as being full.
++
++--
++Affected Systems:
++Multiple versions of Cisco IOS.
++
++--
++Attack Scenarios:
++An attacker may send a large number of IP packets using one of the
++protocols 53, 55, 77 or 103 directly to a router. Exploit code exists.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++Apply the appropriate vendor supplied patches.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3308.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3308
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2721.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2721
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure add_columns_to_flavor
++. This procedure is included in
++dbms_repcat.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000321.txt
+@@ -0,0 +1,78 @@
++
++
++Rule:
++
++--
++Sid:
++100000321
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "ScozNet ScozNews" application running on a
++webserver. Access to the file "help.php" using a remote file being passed as
++the "main_path" parameter may indicate that an exploitation attempt has been
++attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "main_path" parameter in the "help.php" script used by
++the "ScozNet ScozNews" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using ScozNet ScozNews
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2895.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2895
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure drop_priority_varchar2
++. This procedure is included in
++sys.dbms_repcat_conf.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3043.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++3043
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Ethereal.
++
++--
++Impact:
++Serious. Denial of Service (DoS).
++
++--
++Detailed Information:
++Ethereal is a multi-platform network protocol analyser capable of
++displaying network data to the user in a graphical user interface.
++
++An error in the processing of access control lists (ACLs) concerning the
++size of the access control entries (ACEs) may lead to a Denial of Service
++(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
++the ACE given in the packet during processing. If a sufficiently large ACL
++structure is supplied combined with a specified ACE size of 0, it is
++possible to cause the DoS condition to occur.
++
++--
++Affected Systems:
++ Ethereal 0.10.7 and prior
++
++--
++Attack Scenarios:
++An attacker needs to craft packet data containing large NT ACLs, the
++attacker then needs to specify one of the ACEs as having a size of 0.
++
++--
++Ease of Attack:
++Moderate.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1599.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1599
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/301.txt
+@@ -0,0 +1,57 @@
++Rule:
++
++--
++Sid: 301
++
++--
++Summary:
++This event is generated when an attempt is made to escalate privileges remotely using a vulnerability in LPRng.
++
++--
++Impact:
++System compromize presenting the attacker with escalated system privileges .
++
++--
++Detailed Information:
++LPRng is an implementation of the Berkeley lpr print spooling protocol. Some versions are vulnerable to a format-string attack that takes advantage of a bug in the syslog() wrapper. Successfull exploitation may present a remote attacker with the ability to execute arbitrary code using the privileges of the LPD daemon owner (typically root).
++
++Arbitrary addresses in the lpd process address space can be overwritten by sending specially crafted packets to the LPRng daemon listening on port 515 to execute arbitrary code or generate a segmentation violation.
++
++--
++Attack Scenarios:
++Exploit scripts are available
++
++--
++Ease of Attack:
++Simple. Exploits are available.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++Disallow access to LPRng port 515 from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Original rule writer unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++Bugtraq:
++http://www.securityfocus.com/bid/1712
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0917
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3456.txt
+@@ -0,0 +1,59 @@
++Rule:
++
++--
++Sid:
++3456
++
++--
++
++Summary:
++This event is generated when the user "root" logs in to a MySQL database from an external source.
++
++--
++Impact:
++Serious. An attacker may have gained superuser access to the system.
++
++--
++Detailed Information:
++This event is generated when someone using the name "root" logs in to a MySQL database.
++
++The 'root' user may have access to all databases on the system, with full privileges to add users, delete data, add information, etc.
++
++This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
++
++--
++
++Attack Scenarios:
++Simple. The user logs in with the username 'root', full access is then granted to that user for all databases served by the MySQL daemon. The attacker may then continue to gain sensitive information from any database in the system.
++
++--
++
++Ease of Attack:
++Simple. This may be post-attack behavior and can be indicative of the successful exploitation of a vulnerable system.
++
++--
++
++False Positives:
++This event may be generated by a database administrator logging in as the root user from a location outside the protected network.
++
++--
++False Negatives:
++None Known
++
++--
++
++Corrective Action:
++Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
++
++Look for other events generated by the same IP addresses.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2019.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2019
++
++--
++Summary:
++The RPC service mountd enables clients to connect to networked file
++dismounted via UDP.
++
++--
++Impact:
++Denial of network resources to users on the local area network.
++
++--
++Detailed Information:
++This may be an attempt to deny access to network resources from an
++unauthorized source. It may also be indicative of an attacker probing
++for RPC services on a host in an attempt to discover a possible entry
++point to network resources via a vulnerable daemon.
++
++--
++Affected Systems:
++All systems allowing network shares to be unmounted by anonymous hosts,
++all systems allowing RPC services to be stopped by ordinary users and
++systems already compromised by an attacker via another vulnerability.
++
++--
++Attack Scenarios:
++This is an intelligence gathering activity, the attacker could remotely
++unmount a shared resource to deny a resource to the local area network
++or a probe to discover possible routes of entry into a system.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++When allowing hosts to mount an external network share, consider using a
++hosts.allow file.
++
++Do not allow shares to be unmounted by unauthorized hosts or users.
++
++RPC services should not be available outside the local area network,
++filter RPC ports at the firewall to ensure access is denied to RPC
++enabled machines.
++
++RPC services should also be disabled where not needed.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/159.txt
+@@ -0,0 +1,67 @@
++Rule:
++
++--
++Sid:
++159
++
++--
++Summary:
++This event is generated when an attempt is made to list files on a host infected with the NetMetro Trojan Horse.
++
++--
++Impact:
++Limited control of the target host.
++
++--
++Detailed Information:
++Due to the nature of this Trojan it is unlikely that the attacker's client IP address has been spoofed.
++
++The server portion opens TCP port 5031 by default to establish a connection between client and server.
++
++--
++Affected Systems:
++ Windows 95
++ Windows 98
++ Windows ME
++ Windows NT
++ Windows 2000
++
++--
++Attack Scenarios:
++This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
++
++--
++Ease of Attack:
++This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
++
++The Trojan server is named NMS.exe.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++
++A reboot of the infected machine is recommended. The Trojan does not start automatically at boot time nor does it change any system registry settings.
++
++--
++Contributors:
++Original Rule Writer Max Vision
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++Whitehats arachNIDS
++http://www.whitehats.com/info/IDS79
++
++Dark-e:
++http://www.dark-e.com/archive/trojans/NetMetro/index.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000627.txt
+@@ -0,0 +1,74 @@
++Rule:
++
++--
++Sid:
++100000627
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Indexu" application running on a webserver.
++Access to the file "message_send.php" using a remote file being passed as the
++"admin_template_path" parameter may indicate that an exploitation attempt has
++been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "admin_template_path" parameter in the
++"message_send.php" script used by the "Indexu" application running on a
++webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Indexu
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1119.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1119
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1417.txt
+@@ -0,0 +1,77 @@
++Rule:
++
++--
++Sid:
++1417
++
++--
++
++Summary:
++This event is generated when an SNMP-Trap connection over UDP to an SNMP
++daemon is made.
++
++--
++
++Impact:
++Information gathering
++
++--
++
++Detailed Information:
++The SNMP (Simple Network Management Protocol) Trap daemon usually
++listens on port 161, tcp or udp.
++
++An attacker may attempt to send this request to determine if a device is
++using SNMP.
++
++--
++
++Affected Systems:
++Devices running SNMP daemons on well known ports.
++
++--
++
++Attack Scenarios:
++An attacker sends a packet directed to udp port 161, if sucessful a
++reply is generated and the attacker may then launch further attacks
++against the SNMP daemon.
++
++--
++
++Ease of Attack:
++Simple.
++
++--
++
++False Positives:
++None known.
++
++--
++
++False Negatives:
++None known.
++
++--
++
++Corrective Action:
++Use a packet filtering firewall to protect devices using the SNMP
++protocol and only allow connections from well-known hosts.
++
++--
++
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Snort documentation contributed by Chaos
++
++--
++
++Additional References:
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/122-7.txt
+@@ -0,0 +1,93 @@
++
++
++Rule:
++
++--
++Sid:
++122-7
++
++--
++Summary:
++This event is generated when the pre-processor sfPortscan detects
++network traffic that may constitute an attack. Specifically a tcp
++filtered portsweep was detected.
++
++--
++Impact:
++Unknown. This is normally an indicator of possible network
++reconnaisance and may be the prelude to a targeted attack against the
++targeted systems.
++
++--
++Detailed Information:
++This event is generated when the sfPortscan pre-processor detects
++network traffic that may consititute an attack.
++
++A portscan is often the first stage in a targeted attack against a
++system. An attacker can use different portscanning techniques and tools
++to determine the target host operating system and application versions
++running on the host to determine the possible attack vectors against
++that host.
++
++More information on this event can be found in the individual
++pre-processor documentation README.sfportscan in the docs directory of
++the snort source. Descriptions of different types of portscanning
++techniques can also be found in the same documentation, along with
++instructions and examples on how to tune and use the pre-processor.
++
++--
++Affected Systems:
++ All.
++
++--
++Attack Scenarios:
++An attacker often uses a portscanning technique to determine operating
++system type and version and also application versions to determine
++possible effective attack vectors that can be used against the target
++host.
++
++--
++Ease of Attack:
++Simple. Many portscanning tools are freely available.
++
++--
++False Positives:
++While not necessarily a false positive, a security audit or penetration
++test will often employ the use of a portscan in the same way an
++attacker might use the technique. If this is the case, the
++pre-processor should be tuned to ignore the audit if so desired.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Check for other events targeting the host.
++
++Check the target host for signs of compromise.
++
++Apply any appropriate vendor supplied patches as appropriate.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Daniel Roelker
++Marc Norton
++Jeremy Hewlett
++Nigel Houghton
++
++--
++Additional References:
++
++Nmap:
++http://www.insecure.org/nmap/
++
++Port Scanning Techniques and the Defense Against Them - Roger
++Christopher, SANS:
++http://www.sans.org/rr/whitepapers/auditing/70.php
++
++Hypervivid Tiger Team - Port-Scanning: A Practical Approach
++http://www.hcsw.org/reading/nmapguide.txt
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2864.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2864
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure add_priority_raw
++. This procedure is included in
++sys.dbms_repcat_conf.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000734.txt
+@@ -0,0 +1,55 @@
++
++
++Rule:
++
++--
++Sid:
++100000734
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "MassDelete.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "MassDelete.Admin.class.php" script used by the "Geeklog" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Geeklog
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000513.txt
+@@ -0,0 +1,75 @@
++Rule:
++
++--
++Sid:
++100000513
++--
++Summary:
++This event is generated when an attempt is made to exploit an SQL injection
++vulnerability in the "SAPHPLesson" application running on a webserver. Access
++to the file "showcat.php" with SQL commands being passed as the "forumid"
++parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to inject SQL code from a
++remote machine via the "forumid" parameter in the "showcat.php" script used by
++the "SAPHPLesson" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to compromise the database backend for the
++application, the attacker may also be able to execute system binaries or
++malicious code of their choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using SAPHPLesson
++--
++Attack Scenarios:
++An attacker can inject SQL commands to the backend database for an application
++if user input is not correctly sanitized or checked before passing that input
++to the database.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++SQL Injection Attack and Defense
++http://www.securitydocs.com/library/3587
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1501.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++1501
++
++--
++Summary:
++This event is generated when an attempt is made to execute a directory
++traversal attack.
++
++--
++Impact:
++Information disclosure. This is a directory traversal attempt which can
++lead to information disclosure and possible exposure of sensitive
++system information.
++
++--
++Detailed Information:
++Directory traversal attacks usually target web, web applications and ftp
++servers that do not correctly check the path to a file when requested by
++the client.
++
++This can lead to the disclosure of sensitive system information which may
++be used by an attacker to further compromise the system.
++
++--
++Affected Systems:
++
++--
++Attack Scenarios:
++An authorized user or anonymous user can use the directory traversal
++technique, to browse folders outside the ftp root directory. Information
++gathered may be used in further attacks against the host.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Upgrade the software to the latest non-affected version.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1248.txt
+@@ -0,0 +1,62 @@
++Rule:
++
++--
++Sid:
++1248
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a web server running Microsoft FrontPage
++Server Extensions.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases. Denial of
++Service is possible.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running Microsoft FrontPage Server Extensions. Many known
++vulnerabilities exist for this platform and the attack scenarios are
++legion.
++
++--
++Affected Systems:
++ All systems running Microsoft FrontPage Server Extensions
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Many exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000509.txt
+@@ -0,0 +1,72 @@
++Rule:
++
++--
++Sid:
++100000509
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "RahnemaCo" application running on a webserver.
++Access to the file "page.php" using a remote file being passed as the "pageid"
++parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "pageid" parameter in the "page.php" script used by the
++"RahnemaCo" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using RahnemaCo
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/440.txt
+@@ -0,0 +1,59 @@
++Rule:
++
++--
++
++Sid:
++440
++
++--
++
++Summary:
++This event is generated when an ICMP Type 19 datagram with an undefined ICMP Code is detected on the network.
++
++--
++
++Impact:
++ICMP Type 19 datagrams are not currently used by any known devices.
++
++--
++
++Detailed Information:
++ICMP Type 19 is not defined for use and is not expected network activity. Any ICMP datagram with an undefined ICMP Code should be investigated.
++
++--
++
++Attack Scenarios:
++None known
++
++--
++
++Ease of Attack:
++Numerous tools and scripts can generate this type of ICMP datagram.
++
++--
++
++False Positives:
++None known
++
++--
++
++False Negatives:
++None known
++--
++
++Corrective Action:
++Ingress filtering should be utilized to block incoming ICMP Type 19 datagrams
++--
++
++Contributors:
++Original Rule writer unknown
++Sourcefire Research Team
++Matthew Watchinski (matt.watchinski@sourcefire.com)
++
++--
++
++Additional References:
++None
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/899.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++899
++
++--
++Summary:
++This event is generated when an attempt is made to execute a directory
++traversal attack.
++
++--
++Impact:
++Information disclosure. This is a directory traversal attempt which can
++lead to information disclosure and possible exposure of sensitive
++system information.
++
++--
++Detailed Information:
++Directory traversal attacks usually target web, web applications and ftp
++servers that do not correctly check the path to a file when requested by
++the client.
++
++This can lead to the disclosure of sensitive system information which may
++be used by an attacker to further compromise the system.
++
++--
++Affected Systems:
++
++--
++Attack Scenarios:
++An authorized user or anonymous user can use the directory traversal
++technique, to browse folders outside the ftp root directory. Information
++gathered may be used in further attacks against the host.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Upgrade the software to the latest non-affected version.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/926.txt
+@@ -0,0 +1,62 @@
++SID:
++926
++--
++
++Rule:
++--
++
++Summary:
++This even indicates an attempt to exploit undocumented CFML tags on a
++Allaire ColdFusion Server
++--
++
++Impact:
++Extensive server data retrieval including settings and passwords
++--
++
++Detailed Information:
++Undocumented CFML tags allow reading and decryption of sensitive data
++contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This
++data can be accesses by constructing a hosted application that accesses
++these undocumented tags with the possibility of changing values on the
++server and reading admin and studio passwords
++--
++
++Affected Systems:
++ Allaire ColdFusion Server 2.0 - 4.0.1
++--
++
++Attack Scenarios:
++A user with permission to create pages on the server installs an
++application that accesses the undocumented CFML tags, accessing this
++application would allow viewing and possible modifications of these
++settings
++--
++
++Ease of Attack:
++Medium, Attackers need the ability to add files to the server. No "In
++the Wild" exploits were available at type of writing
++--
++
++False Positives:
++None known
++--
++
++False Negatives:
++None known
++--
++
++Corrective Action:
++Patches are available from Allaire, install them.
++--
++
++Contributors:
++Snort documentation contributed by matthew harvey
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1563.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1563
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1514.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1514
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1386.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++1386
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft SQL.
++
++--
++Impact:
++Information gathering and data integrity compromise. Possible unauthorized
++administrative access to the server or application.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to an implementation of Microsoft SQL server or client. This can
++lead to unauthorized access and possibly escalated privileges to that of
++the administrator. Data stored on the machine can be compromised and
++trust relationships between the victim server and other hosts can be
++exploited by the attacker.
++
++--
++Affected Systems:
++
++--
++Attack Scenarios:
++An attacker can access the authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Disallow administrative access from sources external to the protected
++network.
++
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1812.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid: 1812
++
++--
++Summary:
++Secure Shell (SSH) is used to remotely manage systems over encrypted TCP
++sessions. This event is generated when an attempt is made to exploit
++vulnerable versions of the SSH daemon.
++
++--
++Impact:
++System compromize presenting the attacker with either the opportunity to
++execute arbitrary code with the privileges of the user running the SSH daemon (usually root) or a possible Denial of Service (DoS).
++
++--
++Detailed Information:
++OpenSSH versions prior to 3.3 contain a flaw that could allow a remote attacker to compromise a vulnerable SSH daemon via an integer overflow on systems with BSD_AUTH or SKEY options compiled and PAM authentication or Challenge Response Authentication enabled.
++
++Affected Systems:
++ OpenSSH versions 2.9 to 3.2
++
++--
++Attack Scenarios:
++Exploit scripts are available
++
++--
++Ease of Attack:
++Simple. Exploits are available.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++Apply the appropriate vendor supplied patches.
++
++Enable the privilege separation option in OpenSSH 3.3 if possible.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Securityfocus:
++http://www.securityfocus.com/bid/5093
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1534.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1534
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3465.txt
+@@ -0,0 +1,62 @@
++Rule:
++
++--
++Sid:
++3465
++
++--
++Summary:
++This event is generated when an attempt is made to access the cgi script
++show.pl.
++
++--
++Impact:
++Use of script as an open proxy.
++
++--
++Detailed Information:
++RiSearch is a collection of cgi scripts written in Perl to facilitate
++web site search functionality. Some versions of the script show.pl do
++not correctly sanitize user input. This may present an attacker with the
++opportunity to use the script as an open proxy server, possibly in
++attempts to execute web attacks against other systems anonymously.
++
++Specifically, it may be possible for an attacker to supply their own
++input to the "uri" parameter.
++
++--
++Affected Systems:
++ RiSearch 0.99.8 and prior
++ RiSearch Pro 3.2.6
++
++--
++Attack Scenarios:
++An attacker can supply a URI of their choosing as a value for the
++uri parameter
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3048.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++3048
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Ethereal.
++
++--
++Impact:
++Serious. Denial of Service (DoS).
++
++--
++Detailed Information:
++Ethereal is a multi-platform network protocol analyser capable of
++displaying network data to the user in a graphical user interface.
++
++An error in the processing of access control lists (ACLs) concerning the
++size of the access control entries (ACEs) may lead to a Denial of Service
++(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
++the ACE given in the packet during processing. If a sufficiently large ACL
++structure is supplied combined with a specified ACE size of 0, it is
++possible to cause the DoS condition to occur.
++
++--
++Affected Systems:
++ Ethereal 0.10.7 and prior
++
++--
++Attack Scenarios:
++An attacker needs to craft packet data containing large NT ACLs, the
++attacker then needs to specify one of the ACEs as having a size of 0.
++
++--
++Ease of Attack:
++Moderate.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3038.txt
+@@ -0,0 +1,67 @@
++Rule:
++
++--
++Sid:
++3038
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a Samba implementation.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code.
++
++--
++Detailed Information:
++Samba is a file and print serving system for heterogenous networks. It
++is available for use as a service and client on UNIX/Linux systems and as
++a client for Microsoft Windows systems.
++
++Samba uses the SMB/CIFS protocols to allow communication between client
++and server. The SMB protocol contains many commands and is commonly used
++to control network devices and systems from a remote location. A
++vulnerability exists in the way the smb daemon processes commands sent by
++a client system when accessing resources on the remote server.The problem
++exists in the allocation of memory which can be exploited by an attacker
++to cause an integer overflow, possibly leading to the execution of
++arbitrary code on the affected system with the privileges of the user
++running the smbd process.
++
++--
++Affected Systems:
++ Samba 3.0.8 and prior
++
++--
++Attack Scenarios:
++An attacker needs to supply specially crafted data to the smb daemon to
++overflow a buffer containing the information for the access control lists
++to be applied to files in the smb query.
++
++--
++Ease of Attack:
++Difficult.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1653.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1653
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++If the webserver has pages or directories by the name of campus this rule will
++fire often.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++False positive information contributed by Colin Harford
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000706.txt
+@@ -0,0 +1,55 @@
++
++
++Rule:
++
++--
++Sid:
++100000706
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SmartSiteCMS" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "root" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "root" parameter in the "index.php" script used by the "SmartSiteCMS" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using SmartSiteCMS
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1186.txt
+@@ -0,0 +1,75 @@
++Rule:
++
++--
++Sid:
++1186
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a
++vulnerability in some versions of Netscape Enterprise Server.
++
++--
++Impact:
++Information leak which could provide an attacker with the data needed to
++launch further attacks or gain more detailed information about your web server.
++
++--
++Detailed Information:
++A user can see a directory listing by appending a Web Publishing command
++to the end of a directory URL, for example: "http://www.sun.com/?wp-ver-diff".
++
++This exploit will work on Netscape Enterprise Server regardless of
++directory indexing settings.
++
++It will not work on iPlanet Web Server if directory indexing is set to
++"none" or "fancy" (the default). Web Publishing need not be enabled for
++this exploit to work.
++
++--
++Affected Systems:
++ Netscape Enterprise Server 3.0, 3.51 and 3.6
++
++--
++Attack Scenarios:
++The gathering of information such as directory listings is valuable when
++planning to attack a web server.
++
++--
++Ease of Attack:
++Simple. No exploit software required however, an automated tool for
++scanning exists as does an exploit script.
++
++--
++False Positives:
++A web server that uses URLs which contain web publishing commands.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Disable directory indexing. For earlier versions of Netscape Enterprise
++Server, this may not fix the problem. On iPlanet, you can also change
++the indexing type to "fancy".
++
++To fix the potential DOS vulnerability, upgrade to at least iWS 4.1 SP8.
++
++--
++Contributors:
++Snort documentation contributed by Kevin Peuhkurinen
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++iPlanet Knowledge Base Article 4302:
++http://knowledgebase.iplanet.com/ikb/kb/articles/4302.html
++
++iPlanet Knowledge Base Article 7761:
++http://knowledgebase.iplanet.com/ikb/kb/articles/7761.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1190.txt
+@@ -0,0 +1,75 @@
++Rule:
++
++--
++Sid:
++1190
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a
++vulnerability in some versions of Netscape Enterprise Server.
++
++--
++Impact:
++Information leak which could provide an attacker with the data needed to
++launch further attacks or gain more detailed information about your web server.
++
++--
++Detailed Information:
++A user can see a directory listing by appending a Web Publishing command
++to the end of a directory URL, for example: "http://www.sun.com/?wp-uncheckout".
++
++This exploit will work on Netscape Enterprise Server regardless of
++directory indexing settings.
++
++It will not work on iPlanet Web Server if directory indexing is set to
++"none" or "fancy" (the default). Web Publishing need not be enabled for
++this exploit to work.
++
++--
++Affected Systems:
++ Netscape Enterprise Server 3.0, 3.51 and 3.6
++
++--
++Attack Scenarios:
++The gathering of information such as directory listings is valuable when
++planning to attack a web server.
++
++--
++Ease of Attack:
++Simple. No exploit software required however, an automated tool for
++scanning exists as does an exploit script.
++
++--
++False Positives:
++A web server that uses URLs which contain web publishing commands.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Disable directory indexing. For earlier versions of Netscape Enterprise
++Server, this may not fix the problem. On iPlanet, you can also change
++the indexing type to "fancy".
++
++To fix the potential DOS vulnerability, upgrade to at least iWS 4.1 SP8.
++
++--
++Contributors:
++Snort documentation contributed by Kevin Peuhkurinen
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++iPlanet Knowledge Base Article 4302:
++http://knowledgebase.iplanet.com/ikb/kb/articles/4302.html
++
++iPlanet Knowledge Base Article 7761:
++http://knowledgebase.iplanet.com/ikb/kb/articles/7761.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000591.txt
+@@ -0,0 +1,74 @@
++Rule:
++
++--
++Sid:
++100000591
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Indexu" application running on a webserver.
++Access to the file "editor_delete.php" using a remote file being passed as the
++"admin_template_path" parameter may indicate that an exploitation attempt has
++been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "admin_template_path" parameter in the
++"editor_delete.php" script used by the "Indexu" application running on a
++webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Indexu
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2139.txt
+@@ -0,0 +1,57 @@
++Rule:
++
++--
++Sid: 2139
++
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a vulnerabliity in BEA Systems WebLogic server.
++
++--
++Impact:
++Information gathering, source code disclosure.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to exploit a vulnerabliity in BEA Systems WebLogic server.
++
++A weakness in the configuration of the WebLogic server from BEA Systems allows an attacker to view the source code of .jsp and .jhtml pages that reside in the root directory of the webserver. A request for these documents prefixed with /*.shtml/ will exploit a vulnerability in the handling of Server Side Include Servlet (SSIServlet) such that the webserver will return the documents unparsed, rendering the source code viewable.
++
++--
++Affected Systems:
++BEA Systems WebLogic Enterprise 5.1 and 5.1.x
++
++--
++Attack Scenarios:
++An attacker can retrieve the source code of a .jsp file by making a web request in the form: http://www.foo.com/*.shtml/target.jsp.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Upgrade to the latest non-affected version of the software
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3227.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3227
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3304.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3304
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2088.txt
+@@ -0,0 +1,87 @@
++Rule:
++
++--
++Sid:
++2088
++
++--
++Summary:
++vulnerability in the rcp service ypupdated.
++
++--
++Impact:
++Information disclosure and possible code execution.
++
++Unauthorized super user access to the vulnerable host resulting in a
++compromise of all data on the host and any network resources that host
++is connected to. Full control of the victim is gained.
++
++--
++Detailed Information:
++The ypupdated service is used in conjunction with NIS servers to
++remotely update changes made in NIS databases.
++
++On recieving a request the yupdated service executes a make command
++using the Bourne shell. It is possible to execute code using
++metacharacters in the request.
++
++Commands and code after the metacharacters in the request will be
++executed with the privileges of the super user on the vulnerable system.
++
++--
++Affected Systems:
++ HP-UX 10.1, 10.10 and 10.20
++
++ IBM AIX 3.2 and 4.1
++
++ NEC EWS-UX/V (Rel4.2MP), (Rel4.2)
++ NEC UP-UX/V (Rel4.2MP)
++ NEC UX/4800 (64)
++
++ SGI IRIX 3.2, 3.3, 3.3.1, 3.3.2, 3.3.3
++ SGI IRIX 4.0, 4.0.1 T, 4.0.1,4.0.2, 4.0.3, 4.0.4 T, 4.0.4 B, 4.0.4, 4.0.5 IPR, 4.0.5 H, 4.0.5 G, 4.0.5 F, 4.0.5 E, 4.0.5 D, 4.0.5 A, 4.0.5 (IOP), 4.0.5
++ SGI IRIX 5.0, 5.0.1, 5.1, 5.1.1, 5.2, 5.3 XFS, 5.3
++ SGI IRIX 6.0, 6.0.1 XFS, 6.0.1
++
++ Sun SunOS 4.1 PSR_A, 4.1, 4.1.1, 4.1.2, 4.1.3 c, 4.1.3 _U1, 4.1.3, 4.1.4 -JL, 4.1.4
++
++--
++Attack Scenarios:
++The attacker needs to craft a specially formulated request to the
++rpc.ypupdated service containing a long username. An exploit for this
++vulnerability exists.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply pacthes for the affected systems as soon as possible.
++
++Disable the rpc.ypupdated daemon.
++
++Disallow all RPC requests from external sources and use a firewall to
++block access to RPC ports from outside the LAN.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Bugtraq:
++http://www.securityfocus.com/bid/1749
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1644.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1644
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1323.txt
+@@ -0,0 +1,55 @@
++Rule:
++
++--
++Sid: 1323
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a format string vulnerability in the rwhois daemon from Network Solutions.
++
++--
++Impact:
++Serious. System compromize presenting the attacker with the opportunity to execute arbitrary code.
++
++--
++Detailed Information:
++Certain versions of rwhoisd from Network Solutions contain a programming error that allows an attacker to execute arbitrary code. The error is present when used with the Start of Authority (soa) file directive.
++
++Referral Whois (rwhois) is a directory service used to provide information on hosts and networks connected to the internet.
++
++--
++Attack Scenarios:
++Exploit scripts are available
++
++--
++Ease of Attack:
++Simple. Exploits are available.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Original rule writer unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0838
++
++Bugtraq:
++http://www.securityfocus.com/bid/3474
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2966.txt
+@@ -0,0 +1,68 @@
++Rule:
++
++--
++Sid:
++2966
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
++services.
++
++--
++Impact:
++Serious. Execution of arbitrary code with system level privileges
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft NetDDE that may allow an attacker to
++run code of their choosing with system level privileges. A programming
++error in the handling of network messages may give an attacker the
++opportunity to overflow a fixed length buffer by using a specially
++crafted NetDDE message.
++
++This service is not started by default on Microsoft Windows systems, but
++this issue can also be exploited locally in an attempt to escalate
++privileges after a successful attack from an alternate vector.
++
++--
++Affected Systems:
++ Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
++
++--
++Attack Scenarios:
++An attacker needs to craft a special NetDDE message in order to overflow
++the affected buffer.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Disable the NetDDE service.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Microsoft Security Bulletin MS04-031:
++http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3307.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3307
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/459.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++
++Sid:
++459
++
++--
++
++Summary:
++This event is generated when an ICMP Type 1 datagram with an undefined ICMP Code is detected on the network.
++
++--
++
++Impact:
++ICMP Type 1 datagrams are not currently used by any known devices.
++
++--
++
++Detailed Information:
++ICMP Type 1 is not defined for use and is not expected network activity. Any ICMP datagram with an undefined ICMP Code should be investigated.
++
++--
++
++Attack Scenarios:
++None known
++
++--
++
++Ease of Attack:
++Numerous tools and scripts can generate this type of ICMP datagram.
++
++--
++
++False Positives:
++None known
++
++--
++
++False Negatives:
++None known
++--
++
++Corrective Action:
++Ingress filtering should be utilized to block incoming ICMP Type 1 datagrams
++--
++
++Contributors:
++Original Rule writer unknown
++Sourcefire Research Team
++Matthew Watchinski (matt.watchinski@sourcefire.com)
++Nigel Houghton
++
++--
++
++Additional References:
++None
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2110.txt
+@@ -0,0 +1,53 @@
++Rule:
++
++--
++Sid:
++2110
++--
++Summary:
++This event is generated when an attempt is made to exploit a buffer
++overflow condition in the Post Office Protocol (POP) command STAT.
++
++--
++Impact:
++Possible remote execution of arbitrary code leading to a remote root
++compromise.
++
++--
++Detailed Information:
++A vulnerability exists such that an attacker may overflow a buffer by
++sending a line feed character to a POP server via the STAT command.
++
++--
++Attack Scenarios:
++Simple.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++RFC 1939:
++http://www.faqs.org/rfcs/rfc1939.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2051.txt
+@@ -0,0 +1,65 @@
++Rule:
++
++--
++Sid:
++2051
++
++--
++Summary:
++designated root directory of a web server.
++
++--
++Impact:
++Theft of data and important system information may be disclosed to an
++unauthorized party.
++
++--
++Detailed Information:
++The script handling file viewing from the vendor moreover.com contains an error that allows files outside the designated root directory to be viewed in a browser.
++
++The script does not perform checks for the characters ".." when supplied
++by a user in a URL. This allows a classic directory traversal attack to
++be performaed against the server.
++
++--
++Affected Systems:
++Version 1.0 from moreover.com
++
++--
++Attack Scenarios:
++The attacker merely needs to enter a URL using ../ to traverse the file
++system for example:
++http://www.foo.com/cgi-bin/cached_feed.cgi?../../../etc/passwd
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Upgrade to version 2.0 or later
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Bugtraq:
++http://www.securityfocus.com/bid/1762
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0906
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1070.txt
+@@ -0,0 +1,75 @@
++Rule:
++
++Sid:
++1070
++
++--
++
++Summary:
++This event is generated when an attempt is made to initiate a WebDAV SEARCH
++on a web server.
++
++--
++Impact:
++Information gathering. Potential Denial of Service (DoS).
++
++--
++Detailed Information:
++IIS 5.0 includes an implementation of WebDAV for purposes of web publishing.
++As shipped, it contains two vulnerabilities that can allow an attacker
++to get a complete directory listing from the web root and to DoS the
++web server.
++
++If the target is IIS 5.0, then an attacker may have gotten a complete
++directory listing from within the web root, which can be useful information
++for attackers (could be a prelude to a more serious attack). IIS 5.0's
++WebDAV implementation is also vulnerable to a Denial of Service vulnerability
++if the search string is too long.
++
++--
++Affected Systems:
++ IIS 5.0
++ Any web server running WebDAV, though no exploits are known for servers
++ other than IIS 5.0.
++
++--
++Attack Scenarios:
++Attacker gets a listing by sending something like:
++SEARCH / HTTP/1.1
++Attacker DoSes the web server using pre-existing tools.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Check the host for signs of compromise.
++
++Upgrade to the latest non-affected version of the software.
++
++Apply the appropriate vendor supplied patches.
++
++Disallow WebDAV access to the server from resources external to the
++protected network.
++
++--
++Contributors:
++Original rule writer unknown
++Original document author unkown
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++Alex Kirk
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000759.txt
+@@ -0,0 +1,56 @@
++
++
++Rule:
++
++--
++Sid:
++100000759
++--
++Summary:
++This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "QTO File Manager" application running on a webserver.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "edit" parameter in the "qtofm.php" script used by the "QTO File Manager" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
++
++--
++Affected Systems:
++All systems running CGI applications using QTO File Manager
++--
++Attack Scenarios:
++An attacker can supply a malicious link designed to steal information from a user clicking on that link.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++The Cross Site Scripting (XSS) FAQ
++http://www.cgisecurity.com/articles/xss-faq.shtml
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000420.txt
+@@ -0,0 +1,58 @@
++
++
++Rule:
++
++--
++Sid:
++100000420
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Informium" application running on a webserver. Access to the file "common-menu.php" using a remote file being passed as the "CONF[local_path]" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "CONF[local_path]" parameter in the "common-menu.php" script used by the "Informium" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator.
Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Informium
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/105-1.txt
+@@ -0,0 +1,62 @@
++Rule:
++
++--
++Sid:
++105-1
++
++--
++Summary:
++This event is generated when the pre-processor spp_bo detects network
++traffic that may constitute an attack. Specifically back orifice
++traffic was detected.
++
++--
++Impact:
++Unknown. This is possible Trojan activity.
++
++--
++Detailed Information:
++This event is generated when the spp_bo pre-processor detects network
++traffic that may consititute an attack.
++
++Back Orifice is a Trojan horse program for Microsoft systems. This event
++may indicate that this Trojan is active and in use on the protected
++network.
++
++--
++Affected Systems:
++ Microsoft Windows 95, 98, ME, NT, 2000
++
++--
++Attack Scenarios:
++This is Trojan activity. An attacker can use this Trojan to control the
++target host.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Check the target host for signs of compromise.
++
++Apply any appropriate vendor supplied patches.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2745.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2745
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure alter_snapshot_propagation
++. This procedure is included in
++dbms_repcat.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000140.txt
+@@ -0,0 +1,61 @@
++Rule:
++
++--
++Sid:
++100000140
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a buffer overflow in
++the MySQL MaxDB web server.
++
++--
++
++Impact:
++A denial of service will occur, and arbitrary code may be executed with the
++privileges of the user running the web server.
++
++--
++Detailed Information:
++If an HTTP GET request beginning with a "%" character and followed by at least
++215 non-newline characters is sent to the MySQL MaxDB web server, a buffer
++overflow will occur. This will result in a denial of service, and possibly
++execution of arbitrary code with the privileges of the user running the web
++server.
++
++--
++Affected Systems:
++MySQL MaxDB >= 7.5.00.24
++
++--
++
++Attack Scenarios:
++This vulnerability may be exploited with a web browser or an automated script.
++
++--
++
++Ease of Attack:
++Simple, as a web browser can be used.
++
++--
++
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++
++Corrective Action:
++Upgrade to version 7.5.00.26 or higher.
++
++--
++Contributors:
++Alex Kirk
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/895.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++895
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3437.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3437
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000577.txt
+@@ -0,0 +1,74 @@
++Rule:
++
++--
++Sid:
++100000577
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Indexu" application running on a webserver.
++Access to the file "cat_path_update.php" using a remote file being passed as
++the "admin_template_path" parameter may indicate that an exploitation attempt
++has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "admin_template_path" parameter in the
++"cat_path_update.php" script used by the "Indexu" application running on a
++webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Indexu
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/675.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++675
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft SQL.
++
++--
++Impact:
++Information gathering and data integrity compromise. Possible unauthorized
++administrative access to the server or application.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to an implementation of Microsoft SQL server or client. This can
++lead to unauthorized access and possibly escalated privileges to that of
++the administrator. Data stored on the machine can be compromised and
++trust relationships between the victim server and other hosts can be
++exploited by the attacker.
++
++--
++Affected Systems:
++
++--
++Attack Scenarios:
++An attacker can access the authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Disallow administrative access from sources external to the protected
++network.
++
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/267.txt
+@@ -0,0 +1,58 @@
++Rule:
++
++--
++Sid:
++267
++
++--
++Summary:
++This event is generated when spurious DNS traffic is detected on the network.
++
++--
++Impact:
++Ranges from harmless to severe. A successful corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile host).
++
++--
++Detailed Information:
++This event indicates that abnormal DNS traffic has been detected. The implications are varied and careful investigation of the source and destination should be undertaken.
++
++This may be the result of an improperly configured DNS server or it may be an indication that an attack against the DNS server is underway.
++
++--
++Affected Systems:
++Any DNS server.
++
++--
++Attack Scenarios:
++An attacker can spoof a DNS response to misrepresent an IP to host/name pairing. The forged host name can direct a user to a potentially hostile host.
++
++--
++Ease of Attack:
++Simple to Difficult depending on the DNS implementation.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Consider using DNSSEC where appropriate.
++
++Keep all DNS software up to date and correctly configured.
++
++--
++Contributors:
++Original rule writer unknown
++Sourcefire Research Team
++Nigel Houghton
++Judy Novak
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2313.txt
+@@ -0,0 +1,63 @@
++Rule:
++
++--
++Sid:
++2313
++
++--
++Summary:
++This event is generated when suspicious shell code is detected in
++network traffic.
++
++--
++Impact:
++Denial of Service (DoS) possible execution of arbitrary code.
++
++--
++Detailed Information:
++This event is generated when suspicious shell code is detected. Many
++buffer overflow attacks contain large numbers of NOOP instrucions to pad
++out the request. Other attacks contain specific shell code sequences
++directed at certain applications or services.
++
++The shellcode in question may also use Unicode encoding.
++
++--
++Affected Systems:
++ Any software running on x86 architecture.
++
++--
++Attack Scenarios:
++An attacker may exploit a DCERPC service by sending shellcode in the RPC
++data stream. Sending large amounts of data to the Microsoft Workstation
++service can cause a buffer overflow condition in the logging function
++thus presenting an attacker with the opportunity to issue a DoS attack
++or in some cases, to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple. Many exploits exist.
++
++--
++False Positives:
++False positives may be generated by binary file transfers.
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Make sure the target host has all current patches applied and has the
++latest software versions installed.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2748.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2748
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure comment_on_column_group
++. This procedure is included in
++dbms_repcat.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2772.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2772
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure drop_priority_date
++. This procedure is included in
++dbms_repcat.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3411.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3411
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2959.txt
+@@ -0,0 +1,68 @@
++Rule:
++
++--
++Sid:
++2959
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
++services.
++
++--
++Impact:
++Serious. Execution of arbitrary code with system level privileges
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft NetDDE that may allow an attacker to
++run code of their choosing with system level privileges. A programming
++error in the handling of network messages may give an attacker the
++opportunity to overflow a fixed length buffer by using a specially
++crafted NetDDE message.
++
++This service is not started by default on Microsoft Windows systems, but
++this issue can also be exploited locally in an attempt to escalate
++privileges after a successful attack from an alternate vector.
++
++--
++Affected Systems:
++ Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
++
++--
++Attack Scenarios:
++An attacker needs to craft a special NetDDE message in order to overflow
++the affected buffer.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Disable the NetDDE service.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Microsoft Security Bulletin MS04-031:
++http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2817.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2817
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious.
Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure add_column_group_to_flavor
++. This procedure is included in
++sys.dbms_repcat_fla_mas.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000327.txt
+@@ -0,0 +1,58 @@
++
++
++Rule:
++
++--
++Sid:
++100000327
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "ScozNet ScozNews" application running on a webserver. Access to the file "admin_import.php" using a remote file being passed as the "main_path" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise.
Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "main_path" parameter in the "admin_import.php" script used by the "ScozNet ScozNews" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using ScozNet ScozNews
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2297.txt
+@@ -0,0 +1,65 @@
++Rule:
++
++--
++Sid:
++2297
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the PHP web application Proxy2.de Advanced Poll 2.0.2
++running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt may have been made to exploit a
++known vulnerability in the PHP application Proxy2.de Advanced Poll
++2.0.2. This application does not perform stringent checks when handling
++user input, this may lead to the attacker being able to execute PHP
++code, include php files and possibly retrieve sensitive files from the
++server running the application.
++
++--
++Affected Systems:
++ All systems running Proxy2.de Advanced Poll 2.0.2
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying PHP script.
++
++--
++Ease of Attack:
++Simple. No exploit code is required.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/875.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++875
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000823.txt
+@@ -0,0 +1,58 @@
++
++
++Rule:
++
++--
++Sid:
++100000823
++--
++Summary:
++This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VBZooM" application running on a webserver. Access to the file "ignore-pm.php" with SQL commands being passed as the "UserID" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to inject SQL code from a remote machine via the "UserID" parameter in the "ignore-pm.php" script used by the "VBZooM" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using VBZooM
++--
++Attack Scenarios:
++An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++SQL Injection Attack and Defense
++http://www.securitydocs.com/library/3587
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/611.txt
+@@ -0,0 +1,58 @@
++Rule:
++
++--
++Sid: 611
++
++--
++Summary:
++This event is generated when a remote login attempt using rlogin fails.
++
++--
++Impact:
++Someone has tried to login using rlogin and failed
++
++--
++Detailed Information:
++This rule generates an event when a login failure message generated by rlogind is seen. rlogin is used on UNIX systems for remote connectivity and remote command execution.
++
++Multiple events may indicate that an attacker is attempting a brute force password guessing attack.
++
++--
++Attack Scenarios:
++An attacker finds a machine with rlogin service running and proceeds to guess the password remotely by connecting multiple times.
++
++--
++Ease of Attack:
++Simple, no exploit software required
++
++--
++False Positives:
++A legitimate user may generate an event by entering an incorrect password.
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Investigate logs on the target host for further details and more signs of suspicious activity
++
++Use ssh for remote access instead of rlogin.
++
++--
++Contributors:
++Original rule by Max Vision modified from a signature written by Ron Gula
++Snort documentation contributed by Anton Chuvakin
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0651
++
++Arachnids:
++http://www.whitehats.com/info/IDS392
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000344.txt
+@@ -0,0 +1,58 @@
++
++
++Rule:
++
++--
++Sid:
++100000344
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SocketMail" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "site_path" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "site_path" parameter in the "index.php" script used by the "SocketMail" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using SocketMail
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000622.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++100000622
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Indexu" application running on a webserver.
++Access to the file "mail_modify.php" using a remote file being passed as the
++"admin_template_path" parameter may indicate that an exploitation attempt has
++been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "admin_template_path" parameter in the "mail_modify.php"
++script used by the "Indexu" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Indexu
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000393.txt
+@@ -0,0 +1,58 @@
++
++
++Rule:
++
++--
++Sid:
++100000393
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "start.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "start.php" script used by the "Ovidentia" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Ovidentia
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1257.txt
+@@ -0,0 +1,61 @@
++Rule:
++
++--
++Sid:
++1257
++
++--
++Summary:
++This event is generated when an attempt is made to use WinNuke against a
++host.
++
++--
++Impact:
++Serious.
Possible Denial of Service (DoS), this can cause a system to
++crash or lose network connectivity
++
++--
++Detailed Information:
++An attacker can send a malformed data packet to and networked host over
++TCP and cause a DoS, loss of network connectivity, or a system crash.
++
++--
++Affected Systems:
++ Windows NT Workstation and Server 4.0
++ Windows NT Workstation and Server 3.5.x
++ Windows 3.1x
++ Windows 95
++--
++Attack Scenarios:
++Program is run against a system in an attempt to knock the system off
++the network.
++
++--
++Ease of Attack:
++Simple. An attacker runs WinNuke and enters an IP address of a target
++system.
++
++--
++False Positives:
++None Known.
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Since there is no known fix for several of the affected operating
++systems, SMB traffic should be blocked at the firewall and all TCP
++traffic on ports 139/135 should be dropped.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Snort documentation contributed by Mike Rivett ebiz@rivett.org
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1209.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1209
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1855.txt
+@@ -0,0 +1,68 @@
++Rule:
++
++--
++Sid:
++1855
++
++--
++Summary:
++This event is generated when activity indicating the presence of a
++variant of the Stacheldraht DDOS tool is detected.
++
++--
++Impact:
++Distributed Denial of Service (DDoS) is possible.
++
++--
++Detailed Information:
++Stracheldraht is a Distributed denial of service tool normally found on
++Sun Solaris machines. It is made up of a Client, handler and agent. The
++clients connects to the handler. Handlers can connect with up to 1000
++agents. Communication between the client and the handler is conducted
++using tcp and the communication between the handler and the agent can be
++either tcp or icmp_echoreply. This rule detects the a message sent from
++the agent to the handler.
This message is used to tell the handler that
++the machine is still alive and able to take requests. The handler will
++then reply with the string "ficken". This traffic differs from the
++traffic described on
++http://staff.washington.edu/dittrich/misc/stacheldraht.analysis because the
++packets have an icmp id of 6666 rather than 666 as noted in the analysis.
++
++--
++Affected Systems:
++ Sun Solaris
++
++--
++Attack Scenarios:
++The agent can be used to mount a distributed denial of service attack. It
++also indicates that a machine is compromised.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++The icmp id along with the keywords may be changed in the
++source code which would then evade this rule.
++
++--
++Corrective Action:
++Disconnect power from the machine and perform forensic analysis on the
++hard drives.
++
++--
++Contributors:
++Snort documentation contributed by Ian Macdonald
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1815.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1815
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a PHP web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a PHP application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator.
Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the PHP application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running PHP applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying PHP script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1704.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++1704
++
++--
++Summary:
++This event is generated when an attempt is made to execute a directory
++traversal attack.
++
++--
++Impact:
++Information disclosure. This is a directory traversal attempt which can
++lead to information disclosure and possible exposure of sensitive
++system information.
++
++--
++Detailed Information:
++Directory traversal attacks usually target web, web applications and ftp
++servers that do not correctly check the path to a file when requested by
++the client.
++
++This can lead to the disclosure of sensitive system information which may
++be used by an attacker to further compromise the system.
++
++--
++Affected Systems:
++
++--
++Attack Scenarios:
++An authorized user or anonymous user can use the directory traversal
++technique, to browse folders outside the ftp root directory. Information
++gathered may be used in further attacks against the host.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Upgrade the software to the latest non-affected version.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/884.txt
+@@ -0,0 +1,67 @@
++Rule:
++
++--
++Sid:
++884
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the CGI web application Formmail running on a server.
++
++--
++Impact:
++Several vulnerabilities include server access, information
++disclosure, spam relaying and mail anonymizing.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to access the perl cgi
++script Formmail. Early versions (1.6 and prior) had several vulnerabilities
++(Spam engine, ability to run commands under server id and set
++environment variables) and should be upgraded immediately. Newer
++versions can still be used by spammers for anonymizing email and
++defeating email relay controls.
++
++--
++Affected Systems:
++ All systems running Formmail
++
++--
++Attack Scenarios:
++Information can be appended to the URL to use your
++mail gateway avoiding SMTP relay controls. HTTP header information can
++be manipulated to avoid access control methods in script. Allows SMTP
++exploits that are normally available only to trusted (local) users such
++as Sendmail % hack.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++Legitimate use of the script can cause alerts.
Verify
++packet payload and watch web/mailserver logfiles.
++
++--
++False Negatives:
++If the name of the script has been changed this rule will not generate
++an event.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Snort documentation contributed by Kevin Binsfield (IDS@Safedge.com)
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/107.txt
+@@ -0,0 +1,119 @@
++Rule:
++
++--
++Sid:
++107
++
++--
++Summary:
++Subseven22 is a Trojan Horse.
++
++--
++Impact:
++Possible theft of data and control of the targeted machine leading to a
++compromise of all resources the machine is connected to. This Trojan
++also has the ability to delete data, steal passwords and disable the
++machine. Other versions are capable of launching DDoS attacks.
++
++--
++Detailed Information:
++This Trojan affects the following operating systems:
++
++ Windows 95
++ Windows 98
++ Windows ME
++ Windows NT
++ Windows 2000
++ Windows XP
++
++No other systems are affected. This is a windows exceutable that makes
++changes to the system registry, Win.ini and System.ini. When first
++executed the Trojan replicates itself and in most cases, gives the copy
++a random name. This Trojan may use the file extensions ".exe" or ".dll".
++
++Subseven is an improved version of the Netbus Trojan (see sids 114,
++115), Subseven DEFCON8 2.1 is an improved version of Subseven that
++affects Windows 95 and 98 implementations.
++
++The Trojan changes system startup files and registry settings to add the
++Subseven sever to programs normally started on boot.
++
++ SID Message
++ --- -------
++ 103 subseven 22 (incoming TCP connection)
++ 107 subseven DEFCON8 2.1 access (outgoing TCP connection)
++
++--
++Attack Scenarios:
++This Trojan may be delivered to the target in a number of ways.
This
++event is indicative of an existing infection being activated. Initial
++compromise can be in the form of a Win32 installation program that may
++use the extension ".jpg" or ".bmp" when delivered via e-mail for
++example.
++
++--
++Ease of Attack:
++This is Trojan activity, the target machine may already be compromised.
++Updated virus definition files are essential in detecting this Trojan.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++
++This is a particularly difficult Trojan to remove and should only be
++attempted by an experienced Windows Administrator.
++
++Edit the system registry to remove the extra keys or restore a
++previously known good copy of the registry.
++
++Affected registry keys are:
++
++ HKEY_CLASSES_ROOT\exefile\shell\open\command
++ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run
++ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\RunServices
++ HKEY_LOCAL_MACHINE\Hardware\Data
++ HKEY_LOCAL_MACHINE\Hardware\Enum
++ HKEY_LOCAL_MACHINE\Software\Microsoft\DirectXMedia
++
++Registry keys added are:
++
++ HKEY_CLASSES_ROOT\.dl
++
++Removal of the replicant is also required, look for files ending in
++".exe" or ".dll" in the :\Windows\ or :\Windows\System\
++folders that use alphanumeric file names. The name of the replicant may
++be in one of the registry keys above.
++
++A machine reboot is required to clear the existing process from running
++in memory.
++
++--
++Contributors:
++Original Rule Writer Max Vision
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++Hackfix
++http://www.hackfix.org/subseven/
++
++McAfee
++http://vil.mcafee.com/dispVirus.asp?virus_k=10566
++http://vil.nai.com/vil/content/v_10566.htm
++
++Symantec Security Response
++http://securityresponse.symantec.com/avcenter/venc/data/backdoor.subseven22.html
++
++F-Secure:
++http://www.f-secure.com/v-descs/subseven.shtml
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000100.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++100000100
++
++--
++Summary:
++This event is generated when a URI of 1,050 bytes ore more is requested from an
++internal web server.
++
++--
++
++Impact:
++Unknown.
++
++--
++Detailed Information:
++This rule is used in conjunction with SID 100000101 to detect buffer overflow
++attacks against the Adobe Acrobat/Acrobat Reader ActiveX Control, pdf.ocx. This
++rule should never generate an alert.
++
++--
++Affected Systems:
++Adobe Acrobat 5.0
++Adobe Acrobat 5.0.5
++Adobe Acrobat 6.0
++Adobe Acrobat 6.0.1
++Adobe Acrobat Reader 5.0
++Adobe Acrobat Reader 5.0.5
++Adobe Acrobat Reader 5.1
++Adobe Acrobat Reader 6.0
++Adobe Acrobat Reader 6.0.1
++
++--
++
++Attack Scenarios:
++A web browser or automated script may be used to exploit this vulnerability.
++
++--
++
++Ease of Attack:
++Simple, as simply typing a long URI into a web browser will suffice.
++
++--
++
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++
++Corrective Action:
++Upgrade to Adobe Acrobat/Acrobat Reader 6.0.2.
++An alternate workaround is available: disable "Display PDF in browser" under
++Edit -> Preferences.
++
++--
++Contributors:
++Sourcefire Research Team
++Judy Novak
++Alex Kirk
++
++--
++Additional References:
++http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=2589&fileID=2433
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000595.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++100000595
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Indexu" application running on a webserver.
++Access to the file "inv_config.php" using a remote file being passed as the
++"admin_template_path" parameter may indicate that an exploitation attempt has
++been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "admin_template_path" parameter in the "inv_config.php"
++script used by the "Indexu" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Indexu
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1363.txt
+@@ -0,0 +1,58 @@
++Rule:
++
++--
++Sid: 1363
++
++--
++Summary:
++This event is generated when execution of a common X Window system command is attempted via HTTP.
++
++--
++Impact:
++The attacker may be able to initiate an X session on the web server.
++
++--
++Detailed Information:
++This rule generates an event when an X Windows system command command is used with a parameter to set the display location over a plain-text (unencrypted) connection on one of the specified web ports to the target web server.
++
++The "display" parameter is used to specify an address for the X server to listen for connections.
++
++The rule looks for the "display" parameter in the client to web server network traffic and does not indicate whether the command was actually successful. The presence of the parameter in the URL indicates that an attacker attempted to trick the web server into executing a system command in non-interactive mode i.e. without a valid shell session.
++
++This rule may also generate an event if it detects this command in an unencrypted HTTP tunneling connection to the server or a shell connection through an exploit of the web server.
++
++--
++Attack Scenarios:
++An attacker launches an "xterm" as the web server user and points it to his machine via the 'display" parameter.
++
++--
++Ease of Attack:
++Simple, no exploit software required
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Webservers should not be allowed to view or execute files and binaries outside of its designated web root or cgi-bin.
++
++This command may also be requested on a command line should the attacker gain access to the machine.
++
++Non-essential binaries should be removed from a webserver once it is in production.
++
++--
++Contributors:
++Original rule writer unknown
++Snort documentation contributed by Anton Chuvakin
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1333.txt
+@@ -0,0 +1,80 @@
++Rule:
++
++--
++Sid:
++1333
++
++--
++Summary:
++Attempted id command access via web
++
++--
++Impact:
++Attempt to gain information on users and groups that exist on the host
++using the id command.
++
++--
++Detailed Information:
++This is an attempt to gain intelligence about the users on a webserver.
++id is a UNIX command that will return information about the system's
++users and groups. This information is valuable to an attacker who can
++use it to plan further attacks based on the users possible login
++information or be more effective in targeting specific users and groups
++who possess elevated privileges . The id command will return information
++on the user, the groups the user belings to and the users' "gid" and "uid".
++
++The rule looks for the "id" command in the client to web server network
++traffic and does not indicate whether the command was actually
++successful in showing the user information. The presence of the "id"
++command web traffic indicates that an attacker attempted to trick the
++web server into executing system in non-interactive mode i.e.
without a ++valid shell session. ++ ++Alternatively this rule may trigger in an unencrypted HTTP tunneling ++connection to the server or a shell connection via another exploit ++against the web server. ++ ++-- ++Attack Scenarios: ++1. The attacker can make a standard HTTP request that contains ++'/usr/bin/id' in the URI which can then return sensitive information on ++groups and users present on the host. ++ ++2. This command may also be requested on a command line should the ++attacker gain access to the machine. ++ ++3. An attacker uses a "id" command via a web server connection to test ++what username the web server runs under. He then looks for all the files ++writable by this user and find a web server configuration file with ++wrong permissions. ++ ++-- ++Ease of Attack: ++Simple HTTP request. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++ ++Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Nigel Houghton ++Additional information from Anton Chuvakin ++ ++-- ++Additional References: ++sid: 1332 ++ ++man id ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1675.txt +@@ -0,0 +1,70 @@ ++Rule: ++ ++-- ++Sid: 1675 ++ ++-- ++ ++Summary: ++This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system. ++ ++-- ++Impact: ++Serious. An attacker may have gained superuser access to the system. ++ ++-- ++Detailed Information: ++This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system. 
++ ++Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise. ++ ++This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. ++ ++Oracle servers running on a Windows platform may listen on any arbitrary ++port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this ++is applicable to the protected network. ++ ++-- ++ ++Attack Scenarios: ++Simple. These are Oracle database commands. ++ ++-- ++ ++Ease of Attack: ++Simple. ++ ++-- ++ ++False Positives: ++This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network. ++ ++-- ++False Negatives: ++Configure your ORACLE_PORTS variable correctly for the environment you are in. ++In many situations ORACLE negotiates a communication port. This means that 1521 ++and 1526 are not used for communication during the entire transaction. A new ++port is negotiated after the initial connect message, all communication after ++that uses this other port. If you are in an environment such as this, you should ++set ORACLE_PORTS to "any" in snort.conf. ++ ++Otherwise, there are no known false negatives. ++ ++-- ++ ++Corrective Action: ++Use a firewall to disallow direct access to the Oracle database from sources external to the protected network. ++Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise ++ ++Look for other events generated by the same IP addresses. 
++ ++-- ++Contributors: ++Original Rule Writer Unknown ++Sourcefire Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2197.txt +@@ -0,0 +1,58 @@ ++Rule: ++ ++-- ++Sid: ++2197 ++ ++-- ++Summary: ++This event is generated when an attempt is made to access cvsview2.cgi on an internal web server. This may indicate an attempt to exploit an information disclosure vulnerability in Mozilla Bonsai 1.3. ++ ++-- ++Impact: ++Information gathering. ++ ++-- ++Detailed Information: ++Mozilla Bonsai, a CVS query tool, contains an information disclosure vulnerability in cvsview2.cgi. An attacker can discover the location of the Mozilla Bonsai application by sending a malformed request to the application, which produces an error. The error message shows the full path of the cvsview2.cgi file, providing the attacker with information about the server directory structure. ++ ++-- ++Affected Systems: ++Any system running Mozilla Bonsai 1.3. ++ ++-- ++Attack Scenarios: ++An attacker sends an erroneous request to cvsview2.cgi on the Bonsai server. The error message returns the full path of the script, allowing the attacker to discover more information about the server directory structure for possible use in later attacks. ++ ++-- ++Ease of Attack: ++Simple. A proof of concept exists. ++ ++-- ++False Positives: ++If a legitimate remote user accesses cvsview2.cgi, this rule may generate an event. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Upgrade to a newer build of Mozilla Bonsai 1.3. ++ ++If you are running Mozilla Bonsai on Debian 3.0, Debian has provided patches at http://security.debian.org/pool/updates/main/b/bonsai/. 
++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++Sourcefire Technical Publications Team ++Jennifer Harvey ++ ++-- ++Additional References: ++Bugtraq ++http://www.securityfocus.com/bid/5517 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2991.txt +@@ -0,0 +1,62 @@ ++Rule: ++ ++-- ++Sid: ++2991 ++ ++-- ++Summary: ++This event is generated when an attempt is made to bind to the winreg ++service. ++ ++-- ++Impact: ++Unknown. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to bind to the RPC ++service for winreg. ++ ++-- ++Affected Systems: ++ Windows systems ++ ++-- ++Attack Scenarios: ++An attacker may attempt to bind to the service to manipulate host ++settings. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Block access to RPC ports 135, 139 and 445 for both TCP and UDP ++protocols from external sources using a packet filtering firewall. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++Microsoft Technet ++http://support.microsoft.com/support/kb/articles/q153/1/83.asp ++CVE ++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562 ++Winreg ++http://www.rutherfurd.net/python/winreg/ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1379.txt +@@ -0,0 +1,65 @@ ++Rule: ++ ++-- ++Sid: ++1379 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a buffer ++overflow vulnerability associated with IPSWITCH WS_FTP server for ++Windows hosts. ++ ++-- ++Impact: ++Remote administrator access. A successful attack can allow remote ++execution of arbitrary commands with privileges of administrator. ++ ++-- ++Detailed Information: ++A buffer overflow exists in WS_FTP server that may permit the execution ++of arbitrary commands with the privileges of administrator. 
The exploit ++can be generated by FTP client sending a STAT command accompanied by an ++argument greater than 479 bytes long. This exploit requires login ++access to the FTP server. ++ ++-- ++Affected Systems: ++Hosts running WS_FTP server 2.0.3. ++ ++-- ++Attack Scenarios: ++An attacker may login to a vulnerable WS_FTP server and supply an overly ++long file argument to cause a buffer overflow, allowing execution of ++arbitrary commands with the privileges of administrator. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None Known. ++ ++-- ++False Negatives: ++None Known. ++ ++-- ++Corrective Action: ++Upgrade to the latest non-affected version of the software. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++Judy Novak ++ ++-- ++Additional References: ++ ++Security Focus: ++http://www.securityfocus.com/advisories/3641 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3175.txt +@@ -0,0 +1,70 @@ ++Rule: ++ ++-- ++Sid: ++3175 ++ ++-- ++Summary: ++This rule generates an event when an attempt is made to exploit a known ++vulnerability in Microsoft RPC DCOM. ++ ++-- ++Impact: ++Execution of arbitrary code leading to full administrator access of the ++machine. Denial of Service (DoS). ++ ++-- ++Detailed Information: ++A vulnerability exists in Microsoft RPC DCOM such that execution of ++arbitrary code or a Denial of Service condition can be issued against a ++host by sending malformed data via RPC. ++ ++The Distributed Component Object Model (DCOM) handles DCOM requests sent ++by clients to a server using RPC. A malformed request to an RPC port ++will result in a buffer overflow condition that will present the ++attacker with the opportunity to execute arbitrary code with the ++privileges of the local system account. 
++ ++-- ++Affected Systems: ++ Windows NT 4.0 ++ Windows NT 4.0 Terminal Server Edition ++ Windows 2000 ++ Windows XP ++ Windows Server 2003 ++ ++-- ++Attack Scenarios: ++An attacker may make a request for a file with an overly long filename ++via a network share. ++ ++-- ++Ease of Attack: ++Simple. Expoit code exists. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches. ++ ++Block access to RPC ports 135, 139 and 445 for both TCP and UDP ++protocols from external sources using a packet filtering firewall. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1163.txt +@@ -0,0 +1,60 @@ ++Rule: ++ ++Sid: ++1163 ++ ++-- ++ ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a Web server running on an IRIX platform. ++ ++-- ++Impact: ++Serious. Execution of arbitrary code is possible. ++ ++-- ++Detailed Information: ++IRIX versions 5.0 through 6.3 contain a CGI script (/var/www/cgi-bin/webdist.cgi) ++for remote administration purposes. This script, as originally released by ++SGI, contains a vulnerability that can allow an attacker to run any ++arbitrary command that the web server user has access to. ++ ++-- ++Affected Systems: ++ IRIX systems 5.0 to 6.3 ++ ++-- ++Attack Scenarios: ++An attacker makes a request for the script followed by a semi-colon ++character ";" and then the command to be executed. ++ ++-- ++Ease of Attack: ++Simple. No exploit software required. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Disallow the use of this script on the server. ++ ++Check for further signs of compromise. 
++ ++-- ++Contributors: ++Original rule writer unknown ++Original document author unkown ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1841.txt +@@ -0,0 +1,63 @@ ++Rule: ++ ++-- ++Sid: ++1841 ++ ++-- ++Summary: ++This event is generated when a client on the protected network has ++possibly visited a website containing malicious javascript code. ++ ++-- ++Impact: ++Minimal ++ ++-- ++Detailed Information: ++Certain versions of Mozilla and Netscape may allow script code to access ++local cookie data. ++ ++By accessing a maliciously coded webpage, a users cookie data from any ++domain may be viewed by the website's administrator. ++ ++-- ++Affected Systems: ++ Mozilla versions prior to 1.0.1 ++ Netscape versions prior to 6.2.1 ++ ++-- ++Attack Scenarios: ++A devious website admin creates a webpage with malicious code and ++obtains sensitive cookie data from a visiting user's web browser about ++any domain he wishes. ++ ++-- ++Ease of Attack: ++Simple ++ ++-- ++False Positives: ++Some peer-to-peer applications may cause this rule to generate an event. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Upgrade to the latest non-affected version of the software. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++Snort documentation contributed by Josh Sakofsky ++-- ++Additional References: ++ ++Bugtraq: ++http://www.securityfocus.com/bid/5293 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2356.txt +@@ -0,0 +1,61 @@ ++Rule: ++ ++-- ++Sid: ++2356 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in the PHP web application WebChat. 
++ ++-- ++Impact: ++Execution of arbitrary code on the affected system ++ ++-- ++Detailed Information: ++WebChat contains a flaw such that it may be possible for an attacker ++to include code of their choosing by manipulating the variable ++WEBCHATPATH when making a GET or POST request to a vulnerable system. ++ ++It may be possible for an attacker to execute that code with the ++privileges of the user running the webserver, usually root by supplying ++their code in the file db_mysql.php. ++ ++-- ++Affected Systems: ++ Webdev Webchat 0.77 ++ ++-- ++Attack Scenarios: ++An attacker can make a request to an affected script and define their ++own path for the WEBCHATPATH variable. ++ ++-- ++Ease of Attack: ++Simple. No exploit software required. ++ ++-- ++False Positives: ++None known ++ ++-- ++False Negatives: ++None known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches ++ ++Upgrade to the latest non-affected version of the software ++ ++-- ++Contributors: ++Sourcefire Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/348.txt +@@ -0,0 +1,61 @@ ++SID: ++348 ++-- ++ ++Rule: ++-- ++ ++Summary: ++This event is generated when an attack attempt is made against an ftp ++server possibly running a vulnerable ftpd ++-- ++ ++Impact: ++Possible remote execution of commands on the affected server as the root user ++-- ++ ++Detailed Information: ++The Washington University ftp daemon (wu-ftpd) does not perform proper ++checking in its SITE EXEC implementation, and allows user input to be ++sent directly to printf. This allows an attacker to overwrite data and ++eventually execute code on the server. 
++ ++This rule detects code from a published exploit called bobek.c ++-- ++ ++Affected Systems: ++Any system running wu-ftpd 2.6 .0 or below ++-- ++ ++Attack Scenarios: ++A remote attacker will attempt to execute commands on the ftp server ++with root user privileges, over writing or modifying system files. This ++can be done with anonymous and real user logins. ++-- ++ ++Ease of Attack: ++Simple, Exploits exist ++-- ++ ++False Positives: ++None known ++-- ++ ++False Negatives: ++None known ++-- ++ ++Corrective Action: ++Upgrade to latest version which has fixes for this problem. Maybe even get rid of wu-ftp with something more secure ++-- ++ ++Contributors: ++Snort documentation contributed by matthew harvey ++Original Rule Writer Unknown ++Sourcefire Research Team ++Nigel Houghton ++ ++-- ++References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2282.txt +@@ -0,0 +1,60 @@ ++Rule: ++ ++-- ++Sid: ++2282 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in the PHP web application MediaWiki running on a server. ++ ++-- ++Impact: ++Possible execution of arbitrary code and unauthorized administrative ++access to the target system. ++ ++-- ++Detailed Information: ++This event indicates that an attempt may have been made to exploit a ++known vulnerability in the PHP application MediaWiki . This application ++does not perform stringent checks when handling user input, this may ++lead to the attacker being able to execute PHP code and include php files ++of the attackers choosing. ++ ++-- ++Affected Systems: ++ MediaWiki MediaWiki-stable 20031107 ++ MediaWiki MediaWiki-stable 20030829 ++ ++-- ++Attack Scenarios: ++An attacker can exploit weaknesses to gain access as the administrator ++by supplying input of their choosing to the underlying PHP script. ++ ++-- ++Ease of Attack: ++Simple. No exploit code is required. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. 
++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000732.txt +@@ -0,0 +1,55 @@ ++ ++ ++Rule: ++ ++-- ++Sid: ++100000732 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "EditIPofURL.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "EditIPofURL.Admin.class.php" script used by the "Geeklog" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. 
++ ++-- ++Affected Systems: ++All systems running CGI applications using Geeklog ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/2416.txt +@@ -0,0 +1,63 @@ ++Rule: ++ ++-- ++Sid: ++2416 ++ ++-- ++Summary: ++This event is generated when activity relating to spurious ftp traffic ++is detected on the network. ++ ++-- ++Impact: ++Varies from information gathering to a serious compromise of an ftp ++server. ++ ++-- ++Detailed Information: ++FTP is used to transfer files between hosts. This event is indicative of ++spurious activity in FTP traffic between hosts. ++ ++The event may be the result of a transfer of a known protected file or ++it could be an attempt to compromise the FTP server by overflowing a ++buffer in the FTP daemon or service. ++ ++-- ++Attack Scenarios: ++A user may transfer sensitive company information to an external party ++using FTP. ++ ++An attacker might utilize a vulnerability in an FTP daemon to gain ++access to a host, then upload a Trojan Horse program to gain control of ++that host. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Disallow access to FTP resources from hosts external to the protected ++network. 
++ ++Use secure shell (ssh) to transfer files as a replacement for FTP. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2581.txt +@@ -0,0 +1,77 @@ ++Rule: ++ ++-- ++Sid: ++2581 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a directory ++traversal associated with the Crystal Reports web viewer. ++ ++-- ++Impact: ++A successful attack may allow unauthorized files to be viewed or ++possibly deleted. ++ ++-- ++Detailed Information: ++A vulnerability exists in the Crystal Reports web viewer that may permit ++an attacker to view or delete unauthorized files. The is due to a ++failure to ensure that that a requested Crystal Report file location ++is in the web root directory, permitting unauthorized files to be ++viewed. ++ ++In addition, Crystal Reports assumes that the requested report ++file for viewing is a temporary file and deletes it after the ++web version has been viewed. This problem combined with the ++directory traversal vulnerability may allow sensitive or valuable ++files to be deleted. ++ ++-- ++Affected Systems: ++Crystal Reports 8.5 JAVA SDK ++Crystal Reports RAS 8.5 for UNIX ++Crystal Reports 9.0 ++Crystal Enterprise 9.0 ++Crystal Reports 10 ++Crystal Reports 10.0 ++ ++-- ++Attack Scenarios: ++An attacker can request to view a file not in the web root ++directory, permitting unauthorized information disclosure. ++The viewed file will be deleted subsequently possibly causing ++harm to the server. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Upgrade to the latest non-affected version of the software. 
++ ++-- ++Contributors: ++Sourcefire Research Team ++Judy Novak ++ ++-- ++Additional References ++ ++CVE: ++http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0204 ++ ++Other: ++http://www.microsoft.com/security/bulletins/200406_crystal.mspx ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/568.txt +@@ -0,0 +1,61 @@ ++Rule: ++ ++-- ++Sid: ++568 ++ ++-- ++Summary: ++This event is generated when an attempt is made to change the message on ++the LCD display on a JetDirect enabled HP printer. ++ ++-- ++Impact: ++User confusion and comedy, mostly. ++ ++-- ++Detailed Information: ++HP JetDirect printers allow remote machines to change the message that ++is displayed on the LCD panel via the PJL command. This event indicates ++that this command has been used in network traffic. ++ ++-- ++Affected Systems: ++ HP JetDirect enabled printers ++ ++-- ++Attack Scenarios: ++As part of an attempt to confuse and annoy users, an attacker may ++attempt to change the message displayed on the printers LCD screen. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Update to the latest JetDirect, and investigate the possibility of ++restricting access to a central print-server using the "allow: ++" directive in a printer config file. ++ ++Disallow printer use from hosts outside the protected network. ++ ++-- ++Contributors: ++Original rule writer unknown ++Snort documentation contributed by Jon Hart ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2410.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++2410 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a PHP web application running on a server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. 
Possible unauthorized ++administrative access to the server or application. Possible execution ++of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to gain unauthorized ++access to a PHP application running ona web server. Some applications do ++not perform stringent checks when validating the credentials of a client ++host connecting to the services offered on a host server. This can lead ++to unauthorized access and possibly escalated privileges to that of the ++administrator. Data stored on the machine can be compromised and trust ++relationships between the victim server and other hosts can be exploited by the attacker. ++ ++If stringent input checks are not performed by the PHP application, it ++may also be possible for an attacker to execute system binaries or ++malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++ All systems running PHP applications ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her ++own credentials to gain access. Alternatively the attacker can exploit ++weaknesses to gain access as the administrator by supplying input of ++their choosing to the underlying PHP script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2196.txt +@@ -0,0 +1,55 @@ ++Rule: ++ ++-- ++Sid: ++2196 ++ ++-- ++Summary: ++This event is generated when an attempt is made to access catgy.cgi on an internal web server. 
This may indicate an attempt to exploit a cross-site scripting vulnerability in Aktivate e-commerce software. ++ ++-- ++Impact: ++Arbitrary code execution, possible session hijack. ++ ++-- ++Detailed Information: ++Aktivate 1.03 is an e-commerce application for use on Linux and other UNIX-based operating systems. An attacker can craft a URL with malicious code in the "desc" command's argument that passes the commands to catgy.cgi. If a legitimate user activates the URL, malicious code may be executed on the client computer. ++ ++-- ++Affected Systems: ++Systems running Aktivate 1.03. ++ ++-- ++Attack Scenarios: ++An attacker may craft a URL that, when activated by a legitimate user, obtains the user's session cookie, thereby allowing the attacker to pose as the user for the duration of the session. ++ ++-- ++Ease of Attack: ++Simple. A proof of concept exists. ++ ++-- ++False Positives: ++If a legitimate remote user accesses catgy.cgi, this rule may generate an event. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++It is not known if this vulnerability has been fixed. Contact the vendor, Allen & Keul Web Solutions (http://www.allen-keul.net) for more information. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++Sourcefire Technical Publications Team ++Jennifer Harvey ++ ++-- ++Additional References: ++http://www.securityfocus.com/bid/3714 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2016.txt +@@ -0,0 +1,66 @@ ++Rule: ++ ++-- ++Sid: ++2016 ++ ++-- ++Summary: ++Remote Procedure Call (RPC) is a facility that enables a machine to ++request a service from another remote machine. This is done without the ++request for available services on a host. ++ ++-- ++Impact: ++This may be an intelligence gathering activity that could be the prelude ++to an attack against a vulnerable service on the host. 
++ ++-- ++Detailed Information: ++This RPC status request returns information pertaining to available RPC ++services running on a host. This is not an attack against a host by ++itself but may be an intelligence gathering activity in prelude to an ++attack against a vulnerable service running on a target host. ++ ++-- ++Affected Systems: ++All machines running RPC services. ++ ++-- ++Attack Scenarios: ++The attacker merely needs to request information about services being ++offered on a target machine using "rpcinfo" for example. ++ ++-- ++Ease of Attack: ++Simple ++ ++-- ++False Positives: ++When seen on a local area network a legitimate rpcinfo request will ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++RPC services should not be available outside the local area network, ++filter RPC ports at the firewall to ensure access is denied to RPC ++enabled machines. ++ ++Disable all RPC services where not needed. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Whitehats: ++http://www.whitehats.com/info/IDS15/ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000132.txt +@@ -0,0 +1,70 @@ ++Rule: ++ ++-- ++Sid: ++100000132 ++ ++-- ++Summary: ++This event is generated when a connection is made to the Internet via a proxy ++server on your internal network. ++ ++-- ++ ++Impact: ++If the server is not legitimate, anyone with access to it can use your ++bandwidth to access the Internet; if users conduct malicious activity on the ++Internet through this server, the activity will appear to have come from the ++misconfigured machine. ++ ++-- ++Detailed Information: ++This rule looks for pieces of HTTP requests being made by a misconfigured ++Squid, ISA, or NetCache proxy server. If it fires, and the machine the alert is ++coming from is not a known proxy server, it indicates that the machine in ++question is either improperly configured or has been compromised. 
++ ++False positives associated with this rule may be reduced considerably, or even ++eliminated, by the use of a custom variable. By editing your snort.conf to ++include "var KNOWN_PROXY_SERVERS = [ ++Alex Kirk ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1060.txt +@@ -0,0 +1,73 @@ ++Rule: ++ ++-- ++Sid: ++1060 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability on a web server or a web application resident on a web ++server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server. Possible execution of arbitrary code of ++the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to compromise a host ++running a Web server or a vulnerable application on a web server. ++ ++Many known vulnerabilities exist for each implementation and the ++attack scenarios are legion. ++ ++Some applications do not perform stringent checks when validating the ++credentials of a client host connecting to the services offered on a ++host server. This can lead to unauthorized access and possibly escalated ++privileges to that of the administrator. Data stored on the machine can ++be compromised and trust relationships between the victim server and ++other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++ All systems using a web server. ++ ++-- ++Attack Scenarios: ++Many attack vectors are possible from simple directory traversal to ++exploitation of buffer overflow conditions. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++Check the host logfiles and application logs for signs of compromise. 
++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++NGS Whitepaper - Advanced SQL Injection ++www.nextgenss.com/papers/advanced_sql_injection.pdf ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2202.txt +@@ -0,0 +1,56 @@ ++Rule: ++ ++-- ++Sid: ++2202 ++ ++-- ++Summary: ++This event is generated when an attempt is made to access edit_action.cgi on an internal web server. This may indicate an attempt to exploit a directory traversal vulnerability in Webmin 0.91. ++ ++-- ++Impact: ++Information gathering, possible execution of system utilities to which Webmin has rights. ++ ++-- ++Detailed Information: ++Webmin is a web-based system administration tool for Linux and UNIX-based operating systems. A malicious user could use directory traversal techniques within an argument sent to the edit_action.cgi script in order to view hidden files on the server or execute programs to which Webmin has security privileges. ++ ++-- ++Affected Systems: ++Systems running Webmin 0.91. ++ ++-- ++Attack Scenarios: ++An attacker creates a specially crafted an edit_action.cgi URL and transmits it to a vulnerable server. The attacker can then view or execute any arbitrary file included in the parameter, provided that Webmin has rights to access it. ++ ++-- ++Ease of Attack: ++Simple. A proof of concept exists. ++ ++-- ++False Positives: ++If a legitimate remote user accesses edit_action.cgi, this rule may generate an event. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Upgrade to Webmin 0.92 or higher. 
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Sourcefire Technical Publications Team
++Jennifer Harvey
++
++--
++Additional References:
++Bugtraq
++http://www.securityfocus.com/bid/3698
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2254.txt
+@@ -0,0 +1,75 @@
++Rule:
++
++--
++Sid:
++2254
++
++--
++Summary:
++This rule has been deleted in favor of sid 2253.
++
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft Exchange Server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service
++(DoS).
++
++--
++Detailed Information:
++A vulnerability exists in versions of Microsoft Exchange Server such
++that it is possible for an attacker to execute arbitrary code or cause a
++DoS condition on the server without the need for prior authentication as
++a valid user.
++
++It is possible for an attacker to connect to the Exchange server on port
++25 and send an extended verb request to the server that will cause a
++large amount of memory to be allocated. In Exchange Server 5.5 this may
++cause a DoS, whilst in Exchange Server 2000 this same condition could
++present the attacker with an opportunity to execute arbitrary code.
++
++--
++Affected Systems:
++ MIcrosoft Exchange Server 5.5
++ Microsoft Exchange Server 2000
++
++--
++Attack Scenarios:
++The attacker can connect to port 25 of the server and send a specially
++crafted verb request.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++Apply the appropriate vendor supplied patches.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Microsoft Corp.
++http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-046.asp
++
++CVE:
++http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0714
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2609.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++2609
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a Oracle database implementation.
++
++--
++Impact:
++Serious. Execution of arbitrary code may be possible. A Denial of
++Service (DoS) condition may also be caused.
++
++--
++Detailed Information:
++Oracle databases may use a built-in procedure to assist in database
++replication. The "cancel_statistics" procedure contains a
++programming error that may allow an attacker to execute a buffer
++overflow attack.
++
++This overflow is triggered by long strings in some parameters for the
++procedure.
++
++If you are running Oracle on a Windows server, make sure that the
++variable $ORACLE_PORTS is set to a value of "any".
++
++--
++Affected Systems:
++ Oracle 9i
++
++--
++Attack Scenarios:
++An attacker can supply a long string to either the "sname" or
++"oname" variables to cause the overflow. The result could
++permit the attacker to gain escalated privileges and run code of their
++choosing. This attack requires an attacker to logon to the database
++with a valid username and password combination.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Matt Watchinski
++Brian Caswell
++Nigel Houghton
++Judy Novak
++
++--
++Additional References:
++
++Other:
++http://www.appsecinc.com/Policy/PolicyCheck633.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1905.txt
+@@ -0,0 +1,68 @@
++Rule:
++--
++Sid:
++1905
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a buffer
++overflow associated with the Remote Procedure Call (RPC) amd service.
++
++--
++Impact:
++Remote root access. This attack can permit execution of arbitrary
++commands with the privileges of the user running amd, typically root.
++
++--
++Detailed Information:
++The amd RPC service implements the automounter daemon on UNIX hosts. The
++amd service automatically mounts and unmounts requested file systems.
++There is a buffer overflow associated with amd logging that can allow
++execution of arbitrary commands with the privileges of the user running
++amd, typically root.
++
++--
++Affected Systems:
++ BSDI BSD/OS 3.1, 4.0.1
++ FreeBSD 3.0, 3.1, 3.2
++ Red Hat Linux 4.2, 5.0, 5.1, 5.2, 6.0
++
++--
++Attack Scenarios:
++An attacker can query the portmapper to discover the port where amd runs
++and then attack the amd port. Alternatively, an attacker may attempt to
++execute the exploit code on any listening port in the RPC range if the
++portmapper is blocked.
++
++--
++Ease of Attack:
++Simple. Exploit code is freely available.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Limit remote access to RPC services.
++
++Filter RPC ports at the firewall to ensure access is denied to
++RPC-enabled machines.
++
++Disable unneeded RPC services.
++
++--
++Contributors:
++Original rule written by Max Vision
++Modified by Brian Caswell
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2828.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2828
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure comment_on_repgroup
++. This procedure is included in
++sys.dbms_repcat_mas.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2190.txt
+@@ -0,0 +1,75 @@
++Rule:
++
++--
++Sid:
++2190
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Microsoft:
++http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
++
++CVE:
++http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2333.txt
+@@ -0,0 +1,65 @@
++Rule:
++
++--
++Sid:
++2333
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an FTP server.
++
++--
++Impact:
++Possible execution of arbitrary code.
++
++--
++Detailed Information:
++FTP is used to transfer files between hosts. This event is indicative of spurious
++activity in FTP traffic between hosts.
++
++It is possible for a user to supply data to an FTP ommand and have it
++interpreted as code. The attacker might then be able to run code of
++their choosing with the privileges of the user running the FTP service.
++
++--
++Affected Systems:
++ PlatinumFTP PlatinumFTPserver 1.0.18
++
++--
++Attack Scenarios:
++An attacker might utilize a vulnerability in an FTP daemon to gain access to a
++host, then upload a Trojan Horse program to gain control of that host.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Upgrade to the latest non-affected version of the software.
++
++Disallow access to FTP resources from hosts external to the protected network.
++
++Use secure shell (ssh) to transfer files as a replacement for FTP.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1592.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1592
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1352.txt
+@@ -0,0 +1,48 @@
++Rule:
++
++--
++Sid:
++1352
++
++--
++Summary:
++Attempted tclsh command access via web
++
++--
++Impact:
++Attempt to gain information on system processes on webserver
++
++--
++Detailed Information:
++This is an attempt to execute a tclsh command or script on a webserver. tclsh is a shell application that reads tcl commands and evaluates them. The attacker could possibly execute a command or script on the host.
++
++--
++Attack Scenarios:
++The attacker can make a standard HTTP request that contains 'tclsh'in the URI.
++
++--
++Ease of Attack:
++Simple HTTP request.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++
++Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. This command may also be requested on a command line should the attacker gain access to the machine.
++
++--
++Contributors:
++Sourcefire Research Team
++
++--
++Additional References:
++sid: 1351
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3060.txt
+@@ -0,0 +1,54 @@
++Rule:
++
++--
++Sid:
++3060
++
++--
++Summary:
++This event is generated when an attempt is made to initiate a TLS
++connection via SSL version 2.
++
++--
++Impact:
++Unknown.
++
++--
++Detailed Information:
++This rule indicates that an attempt has been made to initiate a TLS
++connection via SSL v2. This rule should not generate an event.
++
++--
++Affected Systems:
++ All implementations using SSL.
++
++--
++Attack Scenarios:
++NA
++
++--
++Ease of Attack:
++NA
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++NA
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000839.txt
+@@ -0,0 +1,55 @@
++
++
++Rule:
++
++--
++Sid:
++100000839
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHP Event Calendar" application running on a webserver. Access to the file "calendar.php" using a remote file being passed as the "path_to_calendar" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "path_to_calendar" parameter in the "calendar.php" script used by the "PHP Event Calendar" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using PHP Event Calendar
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3127.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++3127
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft License Logging Service.
++
++--
++Impact:
++Serious. Execution of arbitrary code leading to unauthorized
++administrative access to the target host. Denial of Service (DoS) is
++also possible.
++
++--
++Detailed Information:
++Microsoft License Logging Service is used to manage licenses for
++Microsoft server products.
++
++A vulnerability in the service exists due to a programming error such
++that an unchecked buffer may present an attacker with the opportunity to
++exploit the service and run code of their choosing on an affected
++system. The attacker may then cause a DoS condition in the service or
++possibly gain administrative access to the target host.
++
++The unchecked buffer exists when processing the length of messages sent
++to the logging service.
++
++--
++Affected Systems:
++ Microsoft Windows Server 2003
++ Microsoft Windows Server 2000
++ Microsoft Windows NT Server
++
++--
++Attack Scenarios:
++An attacker can supply extra data in the message to the service
++containing code of their choosing to be run on the server.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2143.txt
+@@ -0,0 +1,61 @@
++Rule:
++
++--
++Sid: 2143
++
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a weakness in the cafelog php application.
++
++--
++Impact:
++Arbitrary code execution.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a vulnerability in the cafelog PHP application.
++
++It is possible for an attacker to include a PHP file of his choosing via a URL, the script is processed and executed with the privileges of the user running the webserver. This is due to poor checking of user supplied variables in the gm-2-b2.php script.
++
++--
++Affected Systems:
++Any host using cafelog.
++
++--
++Attack Scenarios:
++An attacker could include a PHP file of his choice by including the file name in a URI supplied to the webserver that would in turn process the script via gm-2-b2.php.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Check the php implementation on the host.
++
++Check the webserver log files for signs of this activity.
++
++Where possible, ensure the webserver is run as an unprivileged process.
++
++Check the host for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2701.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++2701
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++--
++Affected Systems:
++ Oracle iSQLPlus
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3223.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3223
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine.
Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/153.txt
+@@ -0,0 +1,88 @@
++Rule:
++
++--
++Sid:
++153
++
++--
++Summary:
++Donald Dick is a Trojan Horse allowing the attacker to access various
++resources on the victim host. This event is generated when the attackers
++client connects to the Trojan server.
++
++--
++Impact:
++Possible theft of data and control of the targeted machine leading to a
++compromise of all resources the machine is connected to.
++
++--
++Detailed Information:
++This Trojan affects the following operating systems:
++
++ Windows 95
++ Windows 98
++ Windows NT
++
++The Trojan changes system registry settings to add the Donald Dick
++server to programs normally started on boot. Due to the nature of this
++Trojan it is unlikely that the attacker's client IP address has been
++spoofed.
++
++The default name of the server application is vmldir.vxd.
++
++--
++Attack Scenarios:
++This Trojan may be delivered to the target in a number of ways. This
++event is indicative of an existing infection being activated. Initial
++compromise can be in the form of a Win32 installation program that may
++use the extension ".jpg" or ".bmp" when delivered via e-mail for
++example.
++
++--
++Ease of Attack:
++This is Trojan activity, the target machine may already be compromised.
++Updated virus definition files are essential in detecting this Trojan.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++
++Edit the system registry to remove the extra keys or restore a
++previously known good copy of the registry.
++
++Affected registry keys are:
++
++HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\VxD\
++
++Registry keys added:
++
++ VMLDR
++
++This contains the key StaticVxD = "vmldir.vxd"
++
++Delete the registry key VMLDR.
++
++Delete the Troajn application vmldir.vxd.
++
++A reboot of the infected machine is needed.
++
++--
++Contributors:
++Original rule written by unknown persons.
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++Hackfix
++http://www.hackfix.org/miscfix/dd.shtml
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/847.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++847
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise.
Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/317.txt
+@@ -0,0 +1,65 @@
++Rule:
++
++--
++Sid: 317
++
++--
++Summary:
++This event is generated when an attempt is made to escalate privileges remotely using a vulnerability in mountd.
++
++--
++Impact:
++System compromize presenting the attacker with escalated system privileges .
++
++--
++Detailed Information:
++Some implementations of the Network File System (NFS) on Linux systems use a vulnerable version of mountd that is subject to a buffer overflow condition in the logging subsystem.
++
++The mountd logging facility also logs failed attempts to mount shared resources, even if NFS is not enabled on the system. This means that exploitation of this issue is possible wether or not NFS is being used.
++
++Affected Systems:
++ Caldera OpenLinux Standard 1.2
++ RedHat Linux 2.0, 2.1, 3.0.3, 4.0, 4.1, 4.2, 5.0, 5.1
++
++--
++Attack Scenarios:
++Exploit scripts are available
++
++--
++Ease of Attack:
++Simple. Exploits are available.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++Apply the appropriate vendor supplied patches.
++
++--
++Contributors:
++Original rule writer unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++Bugtraq:
++http://www.securityfocus.com/bid/121
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0917
++
++CERT:
++http://www.cert.org/advisories/CA-1998-12.html
++http://www.cert.org/summaries/CS-98-08.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1515.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1515
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server.
Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2043.txt
+@@ -0,0 +1,77 @@
++Rule:
++
++--
++Sid:
++2043
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the Internet Security Association and Key Management
++Protocol (ISAKMP).
++
++
++--
++Impact:
++Unknown.
++
++--
++Detailed Information:
++ISAKMP is a framework for authentication using cryptographic keys. It
++specifically defines the process of key exchange as opposed to the
++generation of a cryptographic key.
++
++ISAKMP also details the procedures for the required security
++associations in network security services.
++
++This event indicates that a key exchange using ISAKMP failed.
++
++--
++Affected Systems:
++All systems using cryptographic key exchange as an authentication
++method.
++
++--
++Attack Scenarios:
++The attacker may have a store of keys associated with valid users and
++may attempt to authenticate using a combination of username and key.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++A user may mistype a username or may be trying to authenticate using an
++expired key.
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Ensure that key exchanges are only allowed between trusted hosts.
++
++Check log files for disallowed login attempts.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++ISAKMP:
++http://www.networksorcery.com/enp/protocol/isakmp.htm
++
++RFC:
++http://www.ietf.org/rfc/rfc2407.txt
++http://www.ietf.org/rfc/rfc2408.txt
++
++IANA:
++http://www.iana.org/assignments/isakmp-registry
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/698.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++698
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft SQL.
++
++--
++Impact:
++Information gathering and data integrity compromise. Possible unauthorized
++administrative access to the server or application.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to an implementation of Microsoft SQL server or client. This can
++lead to unauthorized access and possibly escalated privileges to that of
++the administrator. Data stored on the machine can be compromised and
++trust relationships between the victim server and other hosts can be
++exploited by the attacker.
++
++--
++Affected Systems:
++
++--
++Attack Scenarios:
++An attacker can access the authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Disallow administrative access from sources external to the protected
++network.
++
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000454.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++100000454
++--
++Summary:
++This event is generated when an attempt is made to exploit a cross site
++scripting vulnerability in the "KAPhotoservice" application running on a
++webserver.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to exploit a cross site
++scripting vulnerability via the "New Category" parameter in the "edtalbum.asp"
++script used by the "KAPhotoservice" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to retrieve sensitive data, execute system binaries
++or malicious code of the attackers choosing.
++
++--
++Affected Systems:
++All systems running CGI applications using KAPhotoservice
++--
++Attack Scenarios:
++An attacker can supply a malicious link designed to steal information from a
++user clicking on that link.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++The Cross Site Scripting (XSS) FAQ
++http://www.cgisecurity.com/articles/xss-faq.shtml
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1728.txt
+@@ -0,0 +1,57 @@
++Rule:
++
++--
++Sid:
++1728
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known vulnerability in the ftp server included with version 2.6 of the Sun Solaris operating system.
++
++--
++Impact:
++Serious.
++
++--
++Detailed Information:
++An error in the ftp daemon supplied with version 2.6 of Sun's Solaris operating system can cause the daemon to overflow a buffer and generate a core file that is world readable.
++
++The attacker may also be able to fill the disk partition by generating core files.
++
++--
++Affected Systems:
++Sun Solaris 2.6
++
++--
++Attack Scenarios:
++An attacker can use a non-standard ftp client or initiate a session with the ftp server and issue a CWD ~ command. The attacker may then be able to read the core file and recover usernames and passwords for other users on the system
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Upgrade to the latest non-affected version of the software
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/494.txt
+@@ -0,0 +1,58 @@
++Rule:
++
++--
++Sid: 494
++
++--
++Summary:
++This event is generated by a successful attempt to execute a command.
This may be indicative of post-compromise behavior indicating the use of a Windows command shell.
++
++--
++
++Impact:
++Serious. An attacker may have the ability to execute commands remotely
++
++--
++Detailed Information:
++This event is generated by an unsuccessful attempt to execute a Windows command which generates the response "The command completed successfully". For example, it is generated in Windows 2000/XP after the "net" command (such as "net use") is used. The net commands are used for a wide variety of system tasks of interest to attackers and can be started from the windows shell (cmd.exe, command.com).
++
++Seeing this response in HTTP traffic indicates that an attacker may have been able to spawn a shell bound to a web port and has sucessfully executed a command. Note that the source address of this event is actually the victim and not that of the attacker.
++
++--
++
++Attack Scenarios:
++An attacker gains an access to a Windows web server via IIS vulnerability and manages to start a cmd.exe shell. He then proceeds to map the DMZ network via "net use" commands.
++
++--
++
++Ease of Attack:
++Simple. This post-attack behavior can accompany different attacks.
++
++--
++
++False Positives:
++This rule will generate an event if the string "Command completed" appears in the content distributed by the web server, in which case the rule should be tuned.
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Investigate the web server for signs of compromise.
++
++Look for other IDS events involving the same IP addresses.
++
++--
++Original rule writer unknown
++Snort documentation contributed by Anton Chuvakin
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++Microsoft Technet:
++http://www.microsoft.com/technet/prodtechnol/windows2000serv/support/FAQW2KCP.asp
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/570.txt
+@@ -0,0 +1,71 @@
++SID:
++570
++--
++
++Rule:
++--
++
++Summary:
++This event indicates an attempt to exploit the tool talk RPC database
++service
++--
++
++Impact:
++Possible unauthorized administrative access to the server or application
++or a denial of service to the affected application
++--
++
++Detailed Information:
++ToolTalk RPC database service (rpc.ttdbserverd) does not perform
++adequate input validation or provide a format string specifier argument
++when writing to syslog. This means a specifically crafted RPC request to
++the ToolTalk RPC database service overwriting specific locations in
++memory and therefore allowing execution of code with the same permission
++level as the user running ttdbserverd, usually root.
++--
++
++Affected Systems:
++ HP-UX 10.10 - 11.0
++ AIX 4.1 - 4.3
++ IRIX 5.2 - 6.4
++ Solaris 1.1 - 2.6
++ TriTeal TED CDE 4.3
++ Xi Graphics Maximum CDE 1.2.3
++
++Possibly other vendors, if you are running Tool Talk (rpc.ttdbserverd) check with your vendor.
++--
++
++Attack Scenarios:
++An attacker will send a specially crafted RPC call to the
++rpc.ttdbserverd daemon running on an affected system. A sucessful
++attack will then run code on the server with the access level of the
++root user.
++--
++
++Ease of Attack:
++Simple, Exploit code is available.
++--
++
++False Positives:
++None known
++--
++
++False Negatives:
++None known
++--
++
++Corrective Action:
++Updates packages and patches are available from vendors, install them or
++disable the service if not needed.
++--
++
++Contributors:
++Snort documentation contributed by matthew harvey
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3255.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3255
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1974.txt
+@@ -0,0 +1,56 @@
++Rule:
++
++--
++Sid:
++1974
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a buffer overflow vulnerability associated with CesarFTPD FTP server REST command.
++
++--
++Impact:
++Remote access. A successful attack may permit the remote execution of arbitrary commands with system privileges.
++
++--
++Detailed Information:
++CesarFTPD offers FTP servers for Windows hosts. A vulnerability exists with the REST command that can cause a buffer overflow and permit the execution of arbitrary commands with system privileges. The buffer overflow can be caused by supplying an overly long argument to the REST command.
++
++--
++Affected Systems:
++Hosts running CesarFTP 0.98b.
++
++--
++Attack Scenarios:
++An attacker can supply an overly long file argument with the REST command, causing a buffer overflow.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Judy Novak
++
++--
++Additional References:
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0826
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/157.txt
+@@ -0,0 +1,103 @@
++Rule:
++
++--
++Sid:
++152, 157-158
++
++--
++Summary:
++Backdoor.Backconstruction is a Trojan Horse.
++
++--
++Impact:
++Possible theft of data via download, upload of files, execution of files
++and reboot the targeted machine.
++
++--
++Detailed Information:
++This Trojan affects the following operating systems:
++
++ Windows 95
++ Windows 98
++ Windows ME
++
++The Trojan changes system registry settings to add the Backconstruction
++sever to programs normally started on boot. Due to the nature of this
++Trojan it is unlikely that the attacker's client IP address has been
++spoofed.
++
++ SID Message
++ --- -------
++ 152 BackConstruction 2.1 Connection (outgoing TCP
++connection)
++ 157 BackConstruction 2.1 Client FTP Open Request (incoming
++TCP connection)
++ 158 BackConstruction 2.1 Server FTP Open Reply (outging TCP
++connection)
++
++This Trojan is commonly used to install other Trojan programs.
++
++--
++Attack Scenarios:
++This Trojan may be delivered to the target in a number of ways. This
++event is indicative of an existing infection being activated. Initial
++compromise can be in the form of a Win32 installation program that may
++use the extension ".jpg" or ".bmp" when delivered via e-mail for
++example.
++
++--
++Ease of Attack:
++This is Trojan activity, the target machine may already be compromised.
++Updated virus definition files are essential in detecting this Trojan.
++
++The Trojan server is located at :\WINDOWS\Cmctl32.exe
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++
++Edit the system registry to remove the extra keys or restore a
++previously known good copy of the registry.
++
++Affected registry keys are:
++
++ HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
++
++Registry keys added are:
++
++ Shell = ":\WINDOWS\Cmctl32.exe"
++
++Removal of this entry is required.
++
++Delete the file :\WINDOWS\Cmctl32.exe
++
++Ending the Trojan process is also necessary. A reboot of the infected
++machine is recommended.
++
++--
++Contributors:
++Original Rule Writer Max Vision
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Whitehats arachNIDS
++http://www.whitehats.com/info/IDS505
++
++Dark-e:
++http://www.dark-e.com/archive/trojans/backc/21/index.shtml
++
++Pest Patrol:
++www.pestpatrol.com/PestInfo/b/back_construction.asp
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/932.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid:
++932
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a ColdFusion web server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases. Denial of
++Service is possible.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running Coldfusion. Many known vulnerabilities exist for this platform and
++the attack scenarios are legion.
++
++--
++Affected Systems:
++ All systems running ColdFusion
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Many exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1349.txt
+@@ -0,0 +1,47 @@
++Rule:
++
++--
++Sid:
++1349
++
++--
++Summary:
++Attempted /bin/python access via web
++
++--
++Impact:
++Attempt to execute a python script on a host.
++
++--
++Detailed Information:
++This is an attempt to execute a python script on a host. Python is a scripting language that is available on a wide variety of platforms. By default Python code runs with full access to all libraries and inbuilt commands available to the language. When combined with the access permissions of the user executing the script, the consequences of running arbitrary code can be devastating
++
++--
++Attack Scenarios:
++The attacker can make a standard HTTP transaction that includes a reference to Python in the URI.
++
++--
++Ease of Attack:
++Simple HTTP.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++
++Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. Python may also be requested on a command line should the attacker gain access to the machine. Whenever possible, all python scripts on the host should be written using the restriceted access mode. This forces Python to execute the scripts in a "sandbox" which will disallow unsafe operations in the code.
++--
++Contributors:
++Sourcefire Research Team
++
++--
++Additional References:
++sid: 1350
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1454.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1454
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server, in this case
++the wwwwais cgi application.
++
++--
++Impact:
++Possible execution of arbitrary code of the attackers choosing.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server.
This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Securiteam:
++http://www.securiteam.com/unixfocus/5SP140035A.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/501.txt
+@@ -0,0 +1,62 @@
++Rule:
++
++--
++Sid:
++501
++
++--
++Summary:
++This event is generated when a packet is discovered with loose source routing set in the IP options.
++
++--
++Impact:
++Loose source routing permits the dictation of a route to and from the destination rather than relying on standard dynamic routing.
++
++--
++Detailed Information:
++Loose source routing instructs the packet to traverse identified routers in transit to and from the desired destination. Normal routing sends a packet one hop at a time allowing each interim router to determine the next hop.
This may permit an attacker to spoof a source IP yet receive the response by sniffing from a network associated with an identified loose source router. A vulnerability exist in Windows 95, 98, and NT hosts that permits a vulernable destination host to accept a specially crafted source routed packet even though the host has a registry setting to drop it.
++
++--
++Affected Systems:
++Unless loose source routing is disabled, all hosts can accept them.
++
++--
++Attack Scenarios:
++An attacker can craft a special source routed packet to cause Windows 95, 98, and NT hosts to accept them even though a registry setting exists to drop source routed packets.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++This even will trigger if you allow loose source routed packets into your network.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Block all source routed (loose or strict) packets from entering your network.
++
++--
++Contributors:
++Original rule written by Max Vision
++Modified by Brian Caswell
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++Bugtraq
++http://www.securityfocus.com/bid/646
++
++CVE
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0909
++
++Whitehats
++www.whitehats.com/info/IDS470
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2921.txt
+@@ -0,0 +1,62 @@
++Rule:
++
++--
++Sid:
++2921
++
++--
++Summary:
++This event is generated when an inverse query attempt is made using UDP.
++
++--
++
++Impact:
++Possible execution of arbitrary code.
++
++--
++Detailed Information:
++Bind 8 contains a programming error that may present an attacker with
++the opportunity to execute code of their choosing on an affected server.
++
++The error occurs in the handling of malformed transactions. When using
++UDP this can result in the attacker causing a stack overflow in named.
++
++--
++Affected Systems:
++ Bind 8.
++
++--
++Attack Scenarios:
++An attacker needs to send a specially crafted and malformed query to an
++affected server.
++
++--
++Ease of Attack:
++Moderate.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++Apply the appropriate vendor supplied patches.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/217.txt
+@@ -0,0 +1,61 @@
++Rule:
++
++--
++Sid:
++217
++
++--
++Summary:
++This event is generated when an attacker attempts to connect to a
++Telnet server using the phrase "hax0r". This is a known password for
++the sm4ck Linux rootkit.
++
++--
++Impact:
++Possible theft of data and control of the targeted machine leading to a
++compromise of all resources the machine is connected to.
++
++--
++Detailed Information:
++This Trojan affects Linux operating systems:
++
++Due to the nature of this Trojan it is unlikely that the attacker's
++client IP address has been spoofed.
++
++--
++Attack Scenarios:
++This Trojan may be delivered to the target in a number of ways. This
++event is indicative of an existing infection being activated. Initial
++compromise may be due to the exploitation of another vulnerability and
++the attacker is leaving another way into the machine for further use.
++
++--
++Ease of Attack:
++This is Trojan activity, the target machine may already be compromised.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Disallow Telnet access from external sources.
++
++Use SSH as opposed to Telnet for access from external locations
++
++Delete the Trojan and kill any associated processes.
++
++--
++Contributors:
++Original rule writer unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1733.txt
+@@ -0,0 +1,61 @@
++Rule:
++
++--
++Sid:
++1733
++
++--
++Summary:
++This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) rwalld is listening.
++
++
++--
++Impact:
++Information disclosure. This request is used to discover which port rwalld is using. Attackers can also learn what versions of the rwalld protocol are accepted by rwalld.
++
++--
++Detailed Information:
++The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as rwalld run. The rwalld RPC service is used by UNIX hosts to send a message to current users on the host. There is a format string vulnerability associated with rwalld error messages, allowing an attacker to execute abitrary code with the privileges of rwalld, possibly root. According to CERT, this is both a local and remote exploit, but the remote exploit is more difficult to perform.
++
++--
++Affected Systems:
++Sun Solaris 2.5.1, 2.6, 7, and 8
++
++--
++Attack Scenarios:
++An attacker can query the portmapper to discover the port where rwalld runs. This may be a precursor to an attack to exploit the rwalld format string vulnerability.
++
++--
++Ease of Attack:
++Easy.
++
++--
++False Positives:
++If a legitimate remote user is allowed to access rwalld, this rule may trigger.
++
++--
++False Negatives:
++This rule detects probes of the portmapper service for rwalld, not probes of the rwalld service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the rwalld service itself. An attacker may attempt to go directly to the rwalld port without querying the portmapper service, which would not trigger the rule.
++
++--
++Corrective Action:
++Limit remote access to RPC services.
++
++Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
++
++Disable unneeded RPC services.
++
++--
++Contributors:
++Original rule written by Brian Caswell
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++CERT:
++http://www.cert.org/advisories/CA-2002-10.html
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/357.txt
+@@ -0,0 +1,54 @@
++Rule:
++
++--
++Sid:
++357
++
++--
++Summary:
++This event is generated when activity relating to spurious ftp traffic is detected on the network.
++
++--
++Impact:
++Varies from information gathering to a serious compromise of an ftp server.
++
++--
++Detailed Information:
++FTP is used to transfer files between hosts. This event is indicative of spurious activity in FTP traffic between hosts.
++
++The event may be the result of a transfer of a known protected file or it could be an attempt to compromise the FTP server by overflowing a buffer in the FTP daemon or service.
++
++--
++Attack Scenarios:
++A user may transfer sensitive company information to an external party using FTP.
++
++An attacker might utilize a vulnerability in an FTP daemon to gain access to a host, then upload a Trojan Horse program to gain control of that host.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Disallow access to FTP resources from hosts external to the protected network.
++
++Use secure shell (ssh) to transfer files as a replacement for FTP.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1474.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1474
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1391.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1391
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1110.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1110
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1384.txt
+@@ -0,0 +1,57 @@
++Rule:
++
++--
++Sid:
++1384
++
++--
++Summary:
++This event is generated when a remote user attempts to send a NOTIFY directive to an internal host's Universal Plug and Play (UPnP) server.
++
++--
++Impact:
++Attempted administrator access or denial of service. A successful attack may cause a denial of service or permit the execution of arbitrary code with administrator privileges.
++
++--
++Detailed Information:
++The UPnP is used to find network-based devices. Specifically, UPnP NOTIFY directives are employed to advertise the existence of UPnP devices on the network. A vulnerability exists that permits a malformed NOTIFY directive to cause a buffer overflow on the remote host listening on UPnP. Alternately, a malformed NOTIFY directive may be used to exhaust resources on a remote host listening on UPnP. The buffer overflow attack may permit the execution of arbitrary code on the host with administrator privileges.
++
++--
++
++Affected Systems:
++Microsoft Windows 98, 98SE, ME, XP
++
++--
++Attack Scenarios:
++An attacker may obtain craft a malformed NOTIFY directive to cause a denial of service or attempt to execute arbitrary code on the victim host.
++
++--
++Ease of Attack:
++Simple. Exploit code is freely available.
++
++--
++False Positives:
++This event will be generated if external hosts are permitted to query for UPnP devices.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Block inbound UPnP traffic.
++
++--
++Contributors:
++Original rule writer unknown.
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0876
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0877
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1730.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++1730
++
++--
++Summary:
++This event is generated when an attempt is made to execute a directory
++traversal attack.
++
++--
++Impact:
++Information disclosure. This is a directory traversal attempt which can
++lead to information disclosure and possible exposure of sensitive
++system information.
++
++--
++Detailed Information:
++Directory traversal attacks usually target web, web applications and ftp
++servers that do not correctly check the path to a file when requested by
++the client.
++
++This can lead to the disclosure of sensitive system information which may
++be used by an attacker to further compromise the system.
++
++--
++Affected Systems:
++
++--
++Attack Scenarios:
++An authorized user or anonymous user can use the directory traversal
++technique, to browse folders outside the ftp root directory. Information
++gathered may be used in further attacks against the host.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Upgrade the software to the latest non-affected version.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/516.txt
+@@ -0,0 +1,61 @@
++Nigel - added new references to the rule and bumped up revision number.
++Rule:
++
++--
++Sid:
++516
++
++--
++Summary:
++This event is generated when an attempt is made by Simple Network Management Protocol (SNMP) to enumerate Server Message Block (SMB) users on the host.
++
++--
++Impact:
++Reconnaissance. An attacker may obtain SMB usernames of the remote host.
++
++--
++Detailed Information:
++Server Message Block is a network file sharing protocol used between Windows hosts and Unix and between Windows hosts that communicate via Samba. SNMP can be used to query a remote host that listens for SNMP requests and supports SMB, to list the SMB usernames. This provides reconnaissance of valid usernames and may be followed by a brute force attack to guess passwords.
++
++--
++Affected Systems:
++Hosts that run SMB and listen for SNMP requests.
++
++--
++Attack Scenarios:
++An attacker may obtain a list of current usernames on the remote host as a precursor of attempting a brute force attack to guess passwords of those users.
++
++--
++Ease of Attack:
++A Nessus script exists to list current SMB users.
++
++--
++False Positives:
++None.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Block inbound SNMP traffic.
++
++Disable SNMP as a listening service on the remote host unless it is required.
++
++--
++Contributors:
++Original rule written by Max Vision
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++Arachnids:
++http://www.whitehats.com/info/IDS333
++
++Nessus:
++http://cgi.nessus.org/plugins/dump.php3?id=10546
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1059.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++1059
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++NGS Whitepaper - Advanced SQL Injection
++www.nextgenss.com/papers/advanced_sql_injection.pdf
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2093.txt
+@@ -0,0 +1,86 @@
++Rule:
++
++--
++Sid:
++2093
++
++--
++Summary:
++vulnerability in xdrmem_getbytes used by XDR in RPC portmap services.
++
++--
++Impact:
++System compromise, denial of service, execution of arbitrary code,
++information disclosure.
++
++--
++Detailed Information:
++A vulnerability exists in various implementations of external data
++representation (XDR) libraries. An integer overflow in a component
++(xdrmem_getbytes) used by XDR can lead to a buffer overflow.
++
++The XDR libraries are widely used by multiple vendors to provide a
++framework for data transmission across networks.
This is most commonly
++used in RPC implementations.
++
++A specially crafted rpc request can lead to remote system compromise and
++super user access to the target host. Additionally, a denial of service
++and execution of arbitrary code with the privilege of the super user is
++also possible.
++
++--
++Affected Systems:
++Multiple vendors including all those using:
++ Sun Microsystems Network Services Library (libnsl)
++ GNU C library with sunrpc (glibc)
++ BSD-derived libraries with XDR/RPC routines (libc)
++
++--
++Attack Scenarios:
++The attacker needs to send a specially crafted rpc request to the target
++host.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Upgrade the vendor libraries to the latest non-affected versions. Any
++statically linked binaries and applications must be recompiled and
++restarted after the upgrade.
++
++Disallow all RPC requests from external sources and use a firewall to
++block access to RPC ports from outside the LAN.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Bugtraq:
++http://www.securityfocus.com/bid/7123
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0028
++
++CERT:
++http://www.cert.org/advisories/CA-2003-10.html
++http://www.kb.cert.org/vuls/id/516825
++http://www.kb.cert.org/vuls/id/192995
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000110.txt
+@@ -0,0 +1,66 @@
++Rule:
++
++--
++Sid:
++100000110
++
++--
++Summary:
++This event is generated when the Dabber virus attempts to exploit a
++vulnerability in the FTP server installed by the Sasser virus.
++
++--
++
++Impact:
++If the Sasser virus is currently running on the affected system, then the
++Dabber virus will be able to install itself as well.
++
++--
++Detailed Information:
++Some variants of the Sasser virus install an FTP server that listens on port
++5554. However, this FTP server suffers from a buffer overflow in the PORT
++command, which can be exploited with a command of 100 or more characters. The
++Dabber virus makes use of this vulnerability as an infection vetor.
++
++--
++Affected Systems:
++Any machine with a variant of the Sasser virus whose FTP server listens on port
++5554.
++
++--
++
++Attack Scenarios:
++A known virus scans the Internet in search of vulnerable systems.
++
++--
++
++Ease of Attack:
++Simple, as the virus is in the wild.
++
++--
++
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++
++Corrective Action:
++Users should employ a virus removal tool to clean their system of both Dabber
++and Sasser, and then apply the latest security patches from Microsoft to
++prevent further infections.
++
++--
++Contributors:
++Matt Watchinski
++Alex Kirk
++
++--
++Additional References:
++
++http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3330.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3330
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1610.txt
+@@ -0,0 +1,67 @@
++Rule:
++
++--
++Sid:
++1610
++
++--
++Summary:
++An attempt to access a script (formmail) in the cgi-bin which has known
++vulnerabilities.
++
++Formmail is a freely available perl script that is used to send data
++collected via a form to specified addresses.
++
++--
++Impact:
++Attempt to gain information about the web-server environment variables.
++Could also be an attempt to execute commands on the web-server that will
++execute with the privilege of the user owning the daemon running the
++server. The script may also be used to relay SPAM or to disclose the
++contents of files on the host.
++
++--
++Detailed Information:
++This could be an attempt to gain intelligence about the web-server that
++might be used to further exploit the machine. The environment variables
++of the web-server might be retrieved and sent via email to an address of
++the attackers choosing. More importantly this could be an attempt to
++execute commands on the web-server. Should this be successful, the
++commands would execute with the privileges of the user owning the httpd daemon.
++
++--
++Attack Scenarios:
++Formmail receives information from a form via an HTTP POST.
This
++includes the email addresses to which the form data is sent. A URI in
++the form of a POST to the formmail script could be crafted to send
++environment variables to a specified email address.
++
++--
++Ease of Attack:
++Simple. Exploit software is not required.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Web-servers should not be allowed to view or execute files and binaries
++outside of it's designated web root or cgi-bin. The web-server httpd
++daemon should be run as a non-privileged user without login access to
++the host. The formmail script should be updated to a non-vulnerable
++version as soon as possible.
++
++--
++Contributors:
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1830.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1830
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1446.txt
+@@ -0,0 +1,68 @@
++Rule:
++
++--
++Sid:
++1446
++
++--
++Summary:
++This event is generated when an external attacker uses the "vrfy root"
++command to find the login name or mail alias of the system
++administrator. This may also indicate a vulnerability scan.
++
++--
++Impact:
++Information gathering.
++
++--
++Detailed Information:
++An attacker may be able to obtain the email alias or actual email
++address of root users. This allows the attacker to know which email
++accounts may be more valuable to target, and can be used by spammers or
++as targets for denial of service attempts.
++
++--
++Affected Systems:
++Systems running Sendmail.
++
++--
++Attack Scenarios:
++An attacker uses vrfy root to obtain the name of administrators on the
++server. The attacker now knows which accounts have administrative
++access, and may use this information to focus later attacks.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Disable the vrfy command on your mail server, or update your Sendmail
++configuration file so that Sendmail displays non-sensitive information
++when it receives a vrfy root request.
++
++--
++Contributors:
++Original rule written by Brian Caswell
++Sourcefire Research Team
++Sourcefire Technical Publications Team
++Jen Harvey
++
++--
++Additional References:
++
++RFC 821:
++http://www.faqs.org/rfcs/rfc821.html
++
++Security Space:
++http://www.securityspace.com/smysecure/catid.html?viewsrc=1&id=10249
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/718.txt
+@@ -0,0 +1,58 @@
++Rule:
++
++--
++Sid:
++718
++
++--
++Summary:
++This event is generated when an attempted telnet login fails from a remote user.
++
++--
++Impact:
++Attempted remote access. This event may indicate that an attacker is attempting to guess username and password combinations. Alternately, it may indicate that an authorized user has entered an incorrect username and password combination.
++
++--
++Detailed Information:
++A telnet server will issue an error message after a failed login attempt. This may be an indication of an attacker attempting brute force guessing of username and password combinations. It is also possible that an authorized user has incorrectly entered a legitimate username and password combination. Telnet traffic is passed in clear text so it is not recommended for remote connections. Secure Shell is considered to be a more secure alternative.
++
++--
++Affected Systems:
++Telnet servers.
++
++--
++Attack Scenarios:
++An attacker may attempt to guess username and password combinations.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++This event may be triggered by a failed telnet login attempt from a remote user.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Consider using Secure Shell instead of telnet.
++
++Block inbound telnet access if it is not required.
++
++--
++Contributors:
++Original rule writer Max Vision
++Documented by Steven Alexander
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++Arachnids:
++http://www.whitehats.com/info/IDS127
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1368.txt
+@@ -0,0 +1,48 @@
++Rule:
++
++--
++Sid:
++1368
++
++--
++Summary:
++Attempted ps command access via web
++
++--
++Impact:
++Attempt to gain information on system files and filestructure
++
++--
++Detailed Information:
++This is an attempt to gain intelligence on the filesystem on a webserver. The ls command lists the files and filesystem layout on a UNIX or Linux based system. The attacker could possibly gain information needed for other attacks on the host.
++
++--
++Attack Scenarios:
++The attacker can make a standard HTTP request that contains '/bin/ls'in the URI.
++
++--
++Ease of Attack:
++Simple HTTP request.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++
++Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. This command may also be requested on a command line should the attacker gain access to the machine.
++
++--
++Contributors:
++Sourcefire Research Team
++
++--
++Additional References:
++sid: 1369
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1098.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1098
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/141.txt
+@@ -0,0 +1,94 @@
++Rule:
++
++--
++Sid:
++141
++
++--
++Summary:
++hack-a-tack is a Trojan Horse.
++
++--
++Impact:
++Possible theft of data via download, upload of files, execution of files and reboot the targeted machine.
++
++--
++Detailed Information:
++The Trojan changes system registry settings to add the hack-a-tack server to programs normally started on boot. Due to the nature of this Trojan it is unlikely that the attacker's client IP address has been spoofed.
++
++ SID Message
++ --- -------
++ 141 HackAttack 1.20 Connect
++ 614 hack-a-tack attempt
++
++This Trojan is commonly used to install other Trojan programs.
++
++The server portion opens TCP ports 31785 and 31787 and UDP ports 31789 and 31791 by default to establish a connection between client and server. The ports may then be configured by the attacker to use something other than these defaults.
++
++--
++Affected Systems:
++ Windows 95
++ Windows 98
++ Windows ME
++ Windows NT
++ Windows 2000
++ Windows XP
++
++--
++Attack Scenarios:
++This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
++
++--
++Ease of Attack:
++This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
++
++The Trojan server is located at :\WINDOWS\Expl32.exe.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++
++Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
++
++Affected registry keys are:
++
++ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
++
++Registry keys added are:
++
++ Explorer32 =":\windows\Expl32.exe"
++ Configuration Wizard = ":\windows=cfgwiz32.exe"
++
++Removal of this entry is required.
++
++Delete the file(s) :\WINDOWS\Expl32.exe and :\windows=cfgwiz32.exe
++
++Ending the Trojan process is also necessary. A reboot of the infected machine is recommended.
++
++--
++Contributors:
++Original Rule Writer Max Vision
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++Whitehats arachNIDS
++http://www.whitehats.com/info/IDS314
++http://www.whitehats.com/info/IDS504
++
++Hackfix.org
++http://www.hackfix.org/miscfix/hackatack.shtml
++
++Commodon Communications
++http://www.commodon.com/threat/threat-hack.htm
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1776.txt
+@@ -0,0 +1,56 @@
++Rule:
++
++--
++Sid: 1776
++
++--
++
++Summary:
++This event is generated when an attempt is made to use the MySQL 'show' command to garner a list of databases.
++
++--
++Impact:
++Intelligence gathering. This may be the prelude to an attack against one the databases or the MySQL daemon.
++
++--
++Detailed Information:
++This event is generated when the MySQL command 'show' is used to garner a list of MySQL databases being served by the MySQL daemon.
++
++This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
++
++--
++
++Attack Scenarios:
++A MySQL implementation may inappropriately respond to connections from any host external to the protected network. The atttacker may be able to query the daemon to gain a list of databases available, then continue to garner information from the databases.
++
++--
++
++Ease of Attack:
++Simple.
++
++--
++
++False Positives:
++This event may be generated by a legitimate user making a query to a MySQL daemon from an external source.
++
++--
++False Negatives:
++None Known
++
++--
++
++Corrective Action:
++Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
++
++Look for other events generated by the same IP addresses.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3416.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3416
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000687.txt
+@@ -0,0 +1,59 @@
++Rule:
++
++--
++Sid:
++100000687
++
++--
++Summary:
++This event is generated when an empty CTCP NOTICE message is sent to an IRC
++channel.
++
++--
++Impact:
++If the EnergyMech IRC Bot receives such a message, a denial of service
++condition will occur.
++
++--
++Detailed Information:
++Whenever the EnergyMech IRC Bot processes a null CTCP NOTICE message, a denial
++of service condition occurs. Note that this rule is set to examine only default
++IRC ports, in order to conserve system resources; if you are particularly
++concerned about this exploit, you may wish to set the ports to "any", as IRC
++channels can exist on any port.
++
++--
++Affected Systems:
++EnergyMech <= 3.0.1
++
++--
++Attack Scenarios:
++An attacker could exploit this vulnerability via any IRC client, or by using an
++automated script.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Upgrade to version 3.0.2 or greater.
++
++--
++Contributors:
++VeriSign MSS Operations Team
++Joel Esler
++
++--
++Additional References:
++http://www.energymech.net/versions-3.0.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2345.txt
+@@ -0,0 +1,58 @@
++Rule:
++
++--
++Sid:
++2345
++
++--
++Summary:
++This event is generated when an attempt is made to access the
++search.php script which contains known vulnerabilities and
++is part of the phpGedView CGI web application running on a server.
++
++--
++Impact:
++Information gathering and possible cross site scripting attack.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the phpGedView CGI web application running on a server.
++Multiple vulnerabilities exist in the application which can lead to
++cross site scripting attacks.
++
++--
++Affected Systems:
++ phpGedView
++
++--
++Attack Scenarios:
++An attacker can supply code of their choice by including it in the
++firstname parameter of the search.php script.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2227.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid:
++2227
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the PHP application Pod.Board.
++
++--
++Impact:
++Execution of arbitrary code on the client machine connecting to the host
++running the application. Theft of cookie data not limited to
++authentication credentials is possible.
++
++--
++Detailed Information:
++The forum_details.php script does not properly check data supplied in
++input fields or via URI parameters which leads to HTML injection
++possibilites. This injection can include malicious script of the
++attackers choosing.
++
++--
++Affected Systems:
++ planetinsanity.de pod.board 1.1
++
++--
++Attack Scenarios:
++A cross site scripting attack is possible, the attacker would need to
++entice the victim to use a link supplied by the attacker which could
++then divulge login and cookie information.
++
++--
++Ease of Attack:
++Moderate to Difficult. No exploit software required.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1762.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1762
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise.
Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2388.txt
+@@ -0,0 +1,72 @@
++Rule:
++
++--
++Sid:
++2388
++
++--
++Summary:
++This event is generated when an attempt is made to access
++view_broadcast.cgi on a server used for streaming media services.
++
++--
++Impact:
++Information gathering and system integrity compromise.
++
++--
++Detailed Information:
++The view_broadcast.cgi script contains a known vulnerability that may
++allow an attacker to perform a variety of cross-site scripting attacks.
++This event is generated when an attempt is amde to access the script
++directly from a source external to the protected network.
++
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000502.txt
+@@ -0,0 +1,72 @@
++Rule:
++
++--
++Sid:
++100000502
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Ji-Takz" application running on a webserver.
++Access to the file "tag.class.php" using a remote file being passed as the
++"mycfg" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "mycfg" parameter in the "tag.class.php" script used by
++the "Ji-Takz" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Ji-Takz
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access.
Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000493.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++100000493
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "DeluxeBB" application running on a webserver.
++Access to the file "postreply.php" using a remote file being passed as the
++"templatefolder" parameter may indicate that an exploitation attempt has been
++attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "templatefolder" parameter in the "postreply.php" script
++used by the "DeluxeBB" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server.
This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using DeluxeBB
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1674.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid: 1674
++
++--
++
++Summary:
++This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
++
++--
++Impact:
++Serious. An attacker may have gained superuser access to the system.
++
++--
++Detailed Information:
++This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
++
++Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
++
++This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
++
++Oracle servers running on a Windows platform may listen on any arbitrary
++port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
++is applicable to the protected network.
++
++--
++
++Attack Scenarios:
++Simple. These are Oracle database commands.
++
++--
++
++Ease of Attack:
++Simple.
++
++--
++
++False Positives:
++This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
++
++--
++False Negatives:
++Configure your ORACLE_PORTS variable correctly for the environment you are in.
++In many situations ORACLE negotiates a communication port. This means that 1521
++and 1526 are not used for communication during the entire transaction. A new
++port is negotiated after the initial connect message, all communication after
++that uses this other port. If you are in an environment such as this, you should
++set ORACLE_PORTS to "any" in snort.conf.
++
++Otherwise, there are no known false negatives.
++
++--
++
++Corrective Action:
++Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
++Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
++
++Look for other events generated by the same IP addresses.
++
++--
++Contributors:
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1486.txt
+@@ -0,0 +1,62 @@
++Rule:
++
++--
++Sid:
++1486
++
++--
++Summary:
++This event is generated when an attempt is made to access the file ctss.idc.
++
++--
++Impact:
++Remote access. This attack may permit the execution of arbitrary
++commands on the vulnerable server.
++
++--
++Detailed Information:
++This mkilog.exe is a Common Gateway Interface (CGI) script that can be
++used to view and modify SQL database contents.
It posts data to another
++module, ctss,idc, that creates a table based on the parameters passed to
++it. If an attacker passes parameters such as a valid username and
++password to create a table, it may be possible to alter the table to
++execute commands on the vulnerable server.
++
++--
++Affected Systems:
++ Windows systems.
++
++--
++Attack Scenarios:
++An attacker can attempt to exploit this vulnerability to execute remote
++commands on the vulnerable server.
++
++--
++Ease of Attack:
++Easy.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Delete file /scripts/tools/ctss.idc
++
++--
++Contributors:
++Original rule writer unknown
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++SecurityFocus Mail Archive:
++http://www.securityfocus.com/archive/101/200779
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3231.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3231
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1155.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1155
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1873.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1873
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/446.txt
+@@ -0,0 +1,53 @@
++Rule:
++
++--
++Sid:
++446
++
++--
++Summary:
++This event is generated when an ICMP "SKIP" message is generated with a non-zero ICMP code.
++
++--
++Impact:
++Informational. This may indicate that the ICMP message has been crafted.
++
++--
++Detailed Information:
++An ICMP "SKIP" message is issued when a SKIP request to provide keying material fails. The ICMP code value for this message should be 0. If a non-zero code for the ICMP code is observed, it may be an indication that the packet was crafted with an invalid value.
++
++
++--
++Affected Systems:
++This traffic should have no adverse impact.
++
++--
++Attack Scenarios:
++An attacker may craft an ICMP "SKIP" message with an invalid ICMP code. A single packet itself is not harmful, but the unusual ICMP code may indicate that this packet was abnormally generated.
++
++--
++Ease of Attack:
++Simple. There are many packages available to generate ICMP messages.
++
++--
++False Positives:
++Although it should be rare, it is possible to observe an ICMP "SKIP" message with an ICMP code greater than 0 if it is generated by software that does not conform to standards.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++None.
++
++--
++Contributors:
++Original rule writer unknown.
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2736.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2736
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure alter_priority_date
++. This procedure is included in
++dbms_repcat.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2014.txt
+@@ -0,0 +1,76 @@
++Rule:
++
++--
++Sid:
++2014
++
++--
++Summary:
++Remote Procedure Call (RPC) is a facility that enables a machine to
++request a service from another remote machine. This is done without the
++need for detailed network information. Some versions of RPC have a
++vulnerability that allows an a remote host to register (and un-register)
++applications from a spoofed source.
++
++--
++Impact:
++Possible denial of service (DoS) against the target host. Potential
++remote root compromise of the target system.
++
++--
++Detailed Information:
++Certain versions of rpcbind portmapper contain a flaw that could allow
++an attacker capable of spoofing TCP packets to set and unset calls to
++arbitrary RPC programs.
++
++A denial of service could be instigated against the target machine that
++could render network file system services and other such network
++available services unavailable to network users.
++
++It is also possible for the attacker to gain super user access depending
++on the RPC service he is able to register. This could then lead to a
++compromise of all resources on the network the victim is attached to.
++
++--
++Affected Systems:
++All machines running vulnerable RPC services.
++
++--
++Attack Scenarios:
++The attacker could potentially spoof TCP packets for pmap_set to
++register an RPC service. The attacker might also spoof TCP packets to
++un-register needed services via pmap_unset.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++RPC services should not be available outside the local area network,
++filter RPC ports at the firewall to ensure access is denied to RPC
++enabled machines.
++
++RPC services should also be disabled where not needed.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++BugTraq:
++http://www.securityfocus.com/bid/1892
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1431.txt
+@@ -0,0 +1,61 @@
++Rule:
++
++--
++Sid: 1431
++
++--
++Summary:
++This event is generated when packets with the SYN flag set are sent to
++multicast addresses.
++
++--
++Impact:
++Possible reconnaisance or evidence of a Denial of Service (DoS) attack.
++
++--
++Detailed Information:
++Under normal circumstances packets with the SYN flag set should not be
++sent to multicast addresses.
++
++If the attacker has spoofed a multicast address when sending a SYN flood
++attack this traffic will be seen.
++
++an indicator of unauthorized network use, reconnaisance activity or
++system compromise. These rules may also generate an event due to
++improperly configured network devices.
++
++--
++Affected Systems:
++ Any
++
++--
++Attack Scenarios:
++The attacker may have intiated an attack and could have spoofed a
++multicast address as the source.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Employ filtering at the firewall.
++
++--
++Contributors:
++Original rule writer unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/607.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid: 607
++
++--
++Summary:
++This event is generated when an attempt to login using the "bin" account is made.
++
++--
++Impact:
++An attacker may have gained the ability to initiate a remote interactive session on the server.
++
++--
++Detailed Information:
++This event is generated when a connection using the "bin" account via "rsh" is attempted.
++
++This activity is indicative of attempts to abuse hosts using a default configuration.
++
++Some UNIX systems used to ship with "bin" account enabled and no password required. Similarly, the "rshd" service was also enabled. This allowed an attacker to connect to the machine and establish an interactive session using the "bin" account.
++
++--
++Attack Scenarios:
++An attacker finds a machine with default account "bin" and "rshd" service running and connects to it, then escalates his privileges to "root"
++
++--
++Ease of Attack:
++Simple, no exploit software required
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++If a local username is not the same as the remote one ("bin"), the rule will not generate an event.
++
++--
++Corrective Action:
++Investigate logs on the target host for further details and more signs of suspicious activity
++
++Use ssh for remote access instead of rlogin.
++
++--
++Contributors:
++Original rule by Max Vision modified from a signature written by Ron Gula
++Snort documentation contributed by Anton Chuvakin
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++Arachnids:
++http://www.whitehats.com/info/IDS384
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0651
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/542.txt
+@@ -0,0 +1,68 @@
++Rule:
++
++--
++Sid:
++542
++
++--
++Summary:
++This event is generated when activity relating to network chat clients
++is detected.
++
++--
++Impact:
++Policy Violation. Use of chat clients to communicate with unkown
++external sources may be against the policy of many organizations.
++
++--
++Detailed Information:
++Instant Messaging (IM) and other chat related client software can allow
++users to transfer files directly between hosts. This can allow malicious
++users to circumvent the protection offered by a network firewall.
++
++Vulnerabilities in these clients may also allow remote attackers to gain
++unauthorized access to a host.
++
++This event indicates that an IRC nickname change has been made from a
++client originating from the protected network to an IRC server external
++to the protected network.
++
++--
++Attack Scenarios:
++A user may transfer sensitive company information to an external party
++using the file transfer capabilities of an IM client.
++
++An attacker might utilize a vulnerability in an IM client to gain access
++to a host, then upload a Trojan Horse program to gain control of that
++host.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Disallow the use of IM clients on the protected network and enforce or
++implement an organization wide policy on the use of IM clients.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++IRC Protocol:
++http://www.irchelp.org/irchelp/rfc/
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2952.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid:
++2952
++
++--
++Summary:
++This event is generated when an attempt is made to gain access to
++private resources using Samba.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to use Samba to gain
++access to private or administrative shares on a host.
++
++--
++Affected Systems:
++ All systems using Samba for file sharing.
++ All systems using file and print sharing for Windows.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++direct access to Windows adminsitrative shares.
++
++--
++Ease of Attack:
++Simple. Exploit software is not required.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Original Rule Writer Max Vision
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000503.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++100000503
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Nucleus CMS" application running on a webserver.
++Access to the file "action.php" using a remote file being passed as the
++"DIR_LIB" parameter may indicate that an exploitation attempt has been
++attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "DIR_LIB" parameter in the "action.php" script used by
++the "Nucleus CMS" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server.
Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Nucleus CMS
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000540.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++100000540
++--
++Summary:
++This event is generated when an attempt is made to exploit a cross site
++scripting vulnerability in the "Enterprise Groupware" application running on a
++webserver.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to exploit a cross site
++scripting vulnerability via the "module" parameter in the "index.php" script
++used by the "Enterprise Groupware" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to retrieve sensitive data, execute system binaries
++or malicious code of the attackers choosing.
++
++--
++Affected Systems:
++All systems running CGI applications using Enterprise Groupware
++--
++Attack Scenarios:
++An attacker can supply a malicious link designed to steal information from a
++user clicking on that link.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++The Cross Site Scripting (XSS) FAQ
++http://www.cgisecurity.com/articles/xss-faq.shtml
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1031.txt
+@@ -0,0 +1,62 @@
++Rule:
++
++--
++Sid:
++1031
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a web server running Microsoft Internet Information
++Server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases. Denial of
++Service is possible.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running Microsoft Internet Information Server (IIS). Many known
++vulnerabilities exist for this platform and the attack scenarios are
++legion.
++
++--
++Affected Systems:
++ All systems running Microsoft IIS
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Many exploits exist.
++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1224.txt +@@ -0,0 +1,71 @@ ++Rule: ++ ++-- ++Sid: ++1224 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability on a web server or a web application resident on a web ++server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server. Possible execution of arbitrary code of ++the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to compromise a host ++running a Web server or a vulnerable application on a web server. ++ ++Many known vulnerabilities exist for each implementation and the ++attack scenarios are legion. ++ ++Some applications do not perform stringent checks when validating the ++credentials of a client host connecting to the services offered on a ++host server. This can lead to unauthorized access and possibly escalated ++privileges to that of the administrator. Data stored on the machine can ++be compromised and trust relationships between the victim server and ++other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++ All systems using a web server. ++ ++-- ++Attack Scenarios: ++Many attack vectors are possible from simple directory traversal to ++exploitation of buffer overflow conditions. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. 
++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++Check the host logfiles and application logs for signs of compromise. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/284.txt +@@ -0,0 +1,62 @@ ++Rule: ++ ++-- ++Sid: ++284 ++ ++-- ++Summary: ++This event generated when an attempt is made to exploit a buffer overflow in the pop2 service. ++ ++-- ++Impact: ++Remote access. This attack may permit the execution of arbitrary commands on the vulnerable host with the privileges of the user "nobody". ++ ++-- ++Detailed Information: ++Access to the user "nobody" can be obtained with pop2 or pop3 servers that support "anonymous proxy". "Anonymous proxy" permits the use of a proxy pop server to access mail on another pop server where the user has a valid account. This access to the proxy server as user "nobody". A buffer overflow exists because of improper user input filtering, allowing the attacker to enter an overly long argment to the FOLD command. This may permit the execution of arbitrary commands on the vulernable server with the privileges of the user "nobody". ++ ++-- ++Affected Systems: ++Debian Linux 2.1 ++Redhat Linux 4.2, 5.0, 5.1, and 5.2 ++University of Washington imap 4.4 ++University of Washington pop2d 4.4 ++ ++-- ++Attack Scenarios: ++An attacker may attempt to exploit a vulnerable pop2 server, permitting the execution of arbitrary commands with the privilege of user "nobody". ++ ++-- ++Ease of Attack: ++Simple. Exploit scripts are freely available. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Upgrade to the pop2d version 4.51 or later. ++ ++Compile pop2d to not support anonymous proxing. 
++ ++-- ++Contributors: ++Original rule writer unknown ++Documented by Steven Alexander ++Modified by Brian Caswell ++Sourcefire Research Team ++Judy Novak ++ ++-- ++Additional References: ++ ++Bugtraq ++http://www.securityfocus.com/bid/283 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000760.txt +@@ -0,0 +1,56 @@ ++ ++ ++Rule: ++ ++-- ++Sid: ++100000760 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "The Banner Engine" application running on a webserver. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "text" parameter in the "top.php" script used by the "The Banner Engine" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++All systems running CGI applications using The Banner Engine ++-- ++Attack Scenarios: ++An attacker can supply a malicious link designed to steal information from a user clicking on that link. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. 
++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++The Cross Site Scripting (XSS) FAQ ++http://www.cgisecurity.com/articles/xss-faq.shtml ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/1396.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++1396 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a CGI web application running on a server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution ++of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to gain unauthorized ++access to a CGI application running ona web server. Some applications do ++not perform stringent checks when validating the credentials of a client ++host connecting to the services offered on a host server. This can lead ++to unauthorized access and possibly escalated privileges to that of the ++administrator. Data stored on the machine can be compromised and trust ++relationships between the victim server and other hosts can be exploited by the attacker. ++ ++If stringent input checks are not performed by the CGI application, it ++may also be possible for an attacker to execute system binaries or ++malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++ All systems running CGI applications ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her ++own credentials to gain access. Alternatively the attacker can exploit ++weaknesses to gain access as the administrator by supplying input of ++their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. 
++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/668.txt +@@ -0,0 +1,59 @@ ++Rule: ++ ++-- ++Sid: ++668 ++ ++-- ++Summary: ++This event is generated when an external attacker attempts to exploit a vulnerability in Sendmail, where tab characters in ident messages are not properly parsed. ++ ++-- ++Impact: ++Severe. Remote execution of arbitrary code, leading to remote root compromise. ++ ++-- ++Detailed Information: ++Sendmail 8.6.10 and earlier versions contain a vulnerability related to the parsing of tab characters in commands passed from ident to Sendmail. An attacker can use a specially crafted command with tabs in an ident response to Sendmail. The message is not properly parsed and Sendmail forwards the response, with included commands, to its queue. The commands are then executed while the message awaits delivery in the Sendmail queue, causing the included arbitrary code to be executed on the server in the security context of Sendmail. ++ ++-- ++Affected Systems: ++Systems running unpatched versions of Sendmail 8.6.10 or earlier. ++ ++-- ++Attack Scenarios: ++An attacker sends an email with tab characters and includes a path variable of P=/bin/sh. Directives included in the transmission are executed while the message remains in the Sendmail queue. ++ ++-- ++Ease of Attack: ++Moderate. Multiple exploits exist, but the window of opportunity is small; the vulnerability must be exploited while the message is queued for delivery and must have sufficient time (the mail server must be busy/slow) to execute the commands. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Upgrade to the latest version of Sendmail. 
++ ++-- ++Contributors: ++Original rule written by Max Vision ++Modified by Brian Caswell ++Sourcefire Research Team ++Sourcefire Technical Publications Team ++Jen Harvey ++ ++-- ++Additional References: ++CVE ++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0203 ++ ++Bugtraq ++http://www.securityfocus.com/bid/2311 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1869.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++1869 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a CGI web application running on a server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution ++of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to gain unauthorized ++access to a CGI application running ona web server. Some applications do ++not perform stringent checks when validating the credentials of a client ++host connecting to the services offered on a host server. This can lead ++to unauthorized access and possibly escalated privileges to that of the ++administrator. Data stored on the machine can be compromised and trust ++relationships between the victim server and other hosts can be exploited by the attacker. ++ ++If stringent input checks are not performed by the CGI application, it ++may also be possible for an attacker to execute system binaries or ++malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++ All systems running CGI applications ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her ++own credentials to gain access. Alternatively the attacker can exploit ++weaknesses to gain access as the administrator by supplying input of ++their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. 
++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2144.txt +@@ -0,0 +1,61 @@ ++Rule: ++ ++-- ++Sid: 2144 ++ ++ ++-- ++Summary: ++This event is generated when an attempt is made to access the cafelog php application. ++ ++-- ++Impact: ++Possible arbitrary code execution. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to access the cafelog PHP application. ++ ++It is possible for an attacker to include a PHP file of his choosing via a URL, the script is processed and executed with the privileges of the user running the webserver. This is due to poor checking of user supplied variables in the gm-2-b2.php script. ++ ++-- ++Affected Systems: ++Any host using cafelog. ++ ++-- ++Attack Scenarios: ++An attacker could include a PHP file of his choice by including the file name in a URI supplied to the webserver that would in turn process the script via gm-2-b2.php. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None Known. ++ ++-- ++False Negatives: ++None Known. ++ ++-- ++Corrective Action: ++Check the php implementation on the host. ++ ++Check the webserver log files for signs of this activity. ++ ++Where possible, ensure the webserver is run as an unprivileged process. ++ ++Check the host for signs of compromise. 
++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000444.txt +@@ -0,0 +1,55 @@ ++ ++ ++Rule: ++ ++-- ++Sid: ++100000444 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MiraksGalerie" application running on a webserver. Access to the file "galsecurity.lib.php" using a remote file being passed as the "listconfigfile[0]" parameter may indicate that an exploitation attempt has been attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a remote machine via the "listconfigfile[0]" parameter in the "galsecurity.lib.php" script used by the "MiraksGalerie" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. 
++ ++-- ++Affected Systems: ++All systems running CGI applications using MiraksGalerie ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/3203.txt +@@ -0,0 +1,70 @@ ++Rule: ++ ++-- ++Sid: ++3203 ++ ++-- ++Summary: ++This rule generates an event when an attempt is made to exploit a known ++vulnerability in Microsoft RPC DCOM. ++ ++-- ++Impact: ++Execution of arbitrary code leading to full administrator access of the ++machine. Denial of Service (DoS). ++ ++-- ++Detailed Information: ++A vulnerability exists in Microsoft RPC DCOM such that execution of ++arbitrary code or a Denial of Service condition can be issued against a ++host by sending malformed data via RPC. ++ ++The Distributed Component Object Model (DCOM) handles DCOM requests sent ++by clients to a server using RPC. A malformed request to an RPC port ++will result in a buffer overflow condition that will present the ++attacker with the opportunity to execute arbitrary code with the ++privileges of the local system account. ++ ++-- ++Affected Systems: ++ Windows NT 4.0 ++ Windows NT 4.0 Terminal Server Edition ++ Windows 2000 ++ Windows XP ++ Windows Server 2003 ++ ++-- ++Attack Scenarios: ++An attacker may make a request for a file with an overly long filename ++via a network share. ++ ++-- ++Ease of Attack: ++Simple. Expoit code exists. 
++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches. ++ ++Block access to RPC ports 135, 139 and 445 for both TCP and UDP ++protocols from external sources using a packet filtering firewall. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3033.txt +@@ -0,0 +1,67 @@ ++Rule: ++ ++-- ++Sid: ++3033 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a Samba implementation. ++ ++-- ++Impact: ++Serious. Possible execution of arbitrary code. ++ ++-- ++Detailed Information: ++Samba is a file and print serving system for heterogenous networks. It ++is available for use as a service and client on UNIX/Linux systems and as ++a client for Microsoft Windows systems. ++ ++Samba uses the SMB/CIFS protocols to allow communication between client ++and server. The SMB protocol contains many commands and is commonly used ++to control network devices and systems from a remote location. A ++vulnerability exists in the way the smb daemon processes commands sent by ++a client system when accessing resources on the remote server.The problem ++exists in the allocation of memory which can be exploited by an attacker ++to cause an integer overflow, possibly leading to the execution of ++arbitrary code on the affected system with the privileges of the user ++running the smbd process. ++ ++-- ++Affected Systems: ++ Samba 3.0.8 and prior ++ ++-- ++Attack Scenarios: ++An attacker needs to supply specially crafted data to the smb daemon to ++overflow a buffer containing the information for the access control lists ++to be applied to files in the smb query. ++ ++-- ++Ease of Attack: ++Difficult. 
++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2264.txt +@@ -0,0 +1,60 @@ ++Rule: ++ ++-- ++Sid: ++2264 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in versions of Sendmail. ++ ++-- ++Impact: ++Remote arbitrary code execution. ++ ++-- ++Detailed Information: ++A vulnerability exists in the prescan() function used in Sendmail prior ++to version 8.12.9. This function contains an error when converting a ++character to an integer value while processing SMTP headers. ++ ++-- ++Affected Systems: ++All systems using Sendmail. ++ ++-- ++Attack Scenarios: ++An attacker could exploit this condition to process code of their ++choosing and open a listening shell bound to a high port, thus opening the ++system to further compromise. ++ ++-- ++Ease of Attack: ++Simple. Exploit code exists. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Upgrade Sendmail to the latest non-affected verison. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++CERT: ++http://www.cert.org/advisories/CA-2003-12.html ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1136.txt +@@ -0,0 +1,71 @@ ++Rule: ++ ++-- ++Sid: ++1136 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability on a web server or a web application resident on a web ++server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server. Possible execution of arbitrary code of ++the attackers choosing in some cases. 
++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to compromise a host ++running a Web server or a vulnerable application on a web server. ++ ++Many known vulnerabilities exist for each implementation and the ++attack scenarios are legion. ++ ++Some applications do not perform stringent checks when validating the ++credentials of a client host connecting to the services offered on a ++host server. This can lead to unauthorized access and possibly escalated ++privileges to that of the administrator. Data stored on the machine can ++be compromised and trust relationships between the victim server and ++other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++ All systems using a web server. ++ ++-- ++Attack Scenarios: ++Many attack vectors are possible from simple directory traversal to ++exploitation of buffer overflow conditions. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++Check the host logfiles and application logs for signs of compromise. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000682.txt +@@ -0,0 +1,73 @@ ++Rule: ++ ++-- ++Sid: ++100000682 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file ++include vulnerability in the "Harpia" application running on a webserver. ++Access to the file "email.php" using a remote file being passed as the ++"header_prog" parameter may indicate that an exploitation attempt has been ++attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. 
Possible execution of ++arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a ++remote machine via the "header_prog" parameter in the "email.php" script used ++by the "Harpia" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also ++be possible for an attacker to execute system binaries or malicious code of the ++attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to ++a CGI application running ona web server. Some applications do not perform ++stringent checks when validating the credentials of a client host connecting to ++the services offered on a host server. This can lead to unauthorized access and ++possibly escalated privileges to that of the administrator. Data stored on the ++machine can be compromised and trust relationships between the victim server ++and other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++All systems running CGI applications using Harpia ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own ++credentials to gain access. Alternatively the attacker can exploit weaknesses ++to gain access as the administrator by supplying input of their choosing to the ++underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had ++all vendor supplied patches applied. 
++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/1719.txt +@@ -0,0 +1,64 @@ ++Rule: ++ ++-- ++Sid: ++1719 ++ ++-- ++Summary: ++This event is generated when an attempt is made to execute a directory ++traversal attack. ++ ++-- ++Impact: ++Information disclosure. This is a directory traversal attempt which can ++lead to information disclosure and possible exposure of sensitive ++system information. ++ ++-- ++Detailed Information: ++Directory traversal attacks usually target web, web applications and ftp ++servers that do not correctly check the path to a file when requested by ++the client. ++ ++This can lead to the disclosure of sensitive system information which may ++be used by an attacker to further compromise the system. ++ ++-- ++Affected Systems: ++ ++-- ++Attack Scenarios: ++An authorized user or anonymous user can use the directory traversal ++technique, to browse folders outside the ftp root directory. Information ++gathered may be used in further attacks against the host. ++ ++-- ++Ease of Attack: ++Simple. No exploit software required. ++ ++-- ++False Positives: ++None known ++ ++-- ++False Negatives: ++None known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches ++ ++Upgrade the software to the latest non-affected version. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1573.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++1573 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a CGI web application running on a server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. 
Possible execution ++of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to gain unauthorized ++access to a CGI application running ona web server. Some applications do ++not perform stringent checks when validating the credentials of a client ++host connecting to the services offered on a host server. This can lead ++to unauthorized access and possibly escalated privileges to that of the ++administrator. Data stored on the machine can be compromised and trust ++relationships between the victim server and other hosts can be exploited by the attacker. ++ ++If stringent input checks are not performed by the CGI application, it ++may also be possible for an attacker to execute system binaries or ++malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++ All systems running CGI applications ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her ++own credentials to gain access. Alternatively the attacker can exploit ++weaknesses to gain access as the administrator by supplying input of ++their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1146.txt +@@ -0,0 +1,71 @@ ++Rule: ++ ++-- ++Sid: ++1146 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability on a web server or a web application resident on a web ++server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. 
Possible unauthorized ++administrative access to the server. Possible execution of arbitrary code of ++the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to compromise a host ++running a Web server or a vulnerable application on a web server. ++ ++Many known vulnerabilities exist for each implementation and the ++attack scenarios are legion. ++ ++Some applications do not perform stringent checks when validating the ++credentials of a client host connecting to the services offered on a ++host server. This can lead to unauthorized access and possibly escalated ++privileges to that of the administrator. Data stored on the machine can ++be compromised and trust relationships between the victim server and ++other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++ All systems using a web server. ++ ++-- ++Attack Scenarios: ++Many attack vectors are possible from simple directory traversal to ++exploitation of buffer overflow conditions. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++Check the host logfiles and application logs for signs of compromise. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/298.txt +@@ -0,0 +1,60 @@ ++SID: ++298 ++-- ++ ++Rule: ++-- ++ ++Summary: ++This event is triggered when an attempt is made to overflow an imapd server. 
++-- ++ ++Impact: ++Commands may be run on the IMAP server as the root user, This can lead to a complete compromise of the targeted system ++-- ++ ++Detailed Information: ++Failure to check the size of the value passed to the 'AUTHENTICATE' ++command on certain IMAPD implementations can lead to a buffer overflow. ++This in turn can allow arbitrary commands to be executed on the server. ++-- ++ ++Affected Systems: ++ Netscape Messaging Server 3.55, University of Washington imapd 10.234 ++-- ++ ++Attack Scenarios: ++An attacker may attempt to exploit a vulnerable imapd server, permitting ++the execution of arbitrary commands possibly with the privilege of user ++"root". ++-- ++ ++Ease of Attack: ++Simple. Sample exploit code is available. ++-- ++ ++False Positives: ++None known ++-- ++ ++False Negatives: ++None known ++ ++-- ++ ++Corrective Action: ++Vendors have provided updated versions, upgrading will resolve this ++problem ++ ++-- ++ ++Contributors: ++Snort documentation contributed by matthew harvey ++Original Rule Writer Unknown ++Sourcefire Research Team ++Nigel Houghton ++ ++-- ++References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/678.txt +@@ -0,0 +1,79 @@ ++Rule: ++ ++-- ++Sid: ++678 ++ ++-- ++ ++Summary: ++This event is generated when a command is issued to an SQL database ++server that may result in a serious compromise of the data stored on ++that system. ++ ++-- ++Impact: ++Serious. An attacker may have gained administrator access to the system. ++ ++-- ++Detailed Information: ++This event is generated when an attacker issues a special command to an ++SQL database that may result in a serious compromise of all data stored ++on that system. ++ ++Such commands may be used to gain access to a system with the privileges ++of an administrator, delete data, add data, add users, delete users, ++return sensitive information or gain intelligence on the server software ++for further system compromise. 
++ ++This connection can either be a legitimate telnet connection or the ++result of spawning a remote shell as a consequence of a successful ++network exploit. ++ ++-- ++Affected Systems: ++ Microsoft SQL Servers ++ ++-- ++Attack Scenarios: ++Simple. These are SQL database commands. ++ ++-- ++ ++Ease of Attack: ++Simple. ++ ++-- ++ ++False Positives: ++This event may be generated by a database administrator logging in and ++issuing database commands from a location outside the protected network. ++ ++-- ++False Negatives: ++None Known ++ ++-- ++ ++Corrective Action: ++Disallow direct access to the SQL server from sources external to the ++protected network. ++ ++Ensure that this event was not generated by a legitimate session then ++investigate the server for signs of compromise ++ ++Look for other events generated by the same IP addresses. ++ ++-- ++Contributors: ++Original Rule Writer Unknown ++Sourcefire Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Microsoft MSDN: ++http://msdn.microsoft.com/library/en-us/tsqlref/ts_sp_da-di_8nas.asp ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1696.txt +@@ -0,0 +1,70 @@ ++Rule: ++ ++-- ++Sid: 1696 ++ ++-- ++ ++Summary: ++This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system. ++ ++-- ++Impact: ++Serious. An attacker may have gained superuser access to the system. ++ ++-- ++Detailed Information: ++This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system. ++ ++Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise. 
++
++This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
++
++Oracle servers running on a Windows platform may listen on any arbitrary
++port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
++is applicable to the protected network.
++
++--
++
++Attack Scenarios:
++Simple. These are Oracle database commands.
++
++--
++
++Ease of Attack:
++Simple.
++
++--
++
++False Positives:
++This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
++
++--
++False Negatives:
++Configure your ORACLE_PORTS variable correctly for the environment you are in.
++In many situations ORACLE negotiates a communication port. This means that 1521
++and 1526 are not used for communication during the entire transaction. A new
++port is negotiated after the initial connect message, all communication after
++that uses this other port. If you are in an environment such as this, you should
++set ORACLE_PORTS to "any" in snort.conf.
++
++Otherwise, there are no known false negatives.
++
++--
++
++Corrective Action:
++Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
++Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
++
++Look for other events generated by the same IP addresses.
++
++--
++Contributors:
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000714.txt
+@@ -0,0 +1,55 @@
++
++
++Rule:
++
++--
++Sid:
++100000714
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "view.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "view.php" script used by the "PHPRaid" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using PHPRaid
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1666.txt
+@@ -0,0 +1,59 @@
++Rule:
++
++--
++Sid:
++1666
++
++--
++Summary:
++This event is generated when a webserver returns a directory listing of
++it's cgi-bin.
++
++--
++Impact:
++Information gathering.
++
++--
++Detailed Information:
++This event is generated when a webserver returns a directory listing of
++it's cgi-bin. The scripts listed may be valuable to an attacker when
++planning further attacks against the webserver. It may also be possible
++for the attacker to download the contents of the cgi-bin and view the
++contents of the script sources.
++
++--
++Affected Systems:
++ All web server platforms.
++
++--
++Attack Scenarios:
++An attacker can list the contents of the cgi-bin, discover the filename
++of a vulnerable script and use the information to execute an exploit
++against the server.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Disallow directory content listing of the cgi-bin.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/541.txt
+@@ -0,0 +1,51 @@
++Rule:
++
++--
++Sid: 541
++
++--
++Summary:
++This event is generated when activity relating to network chat clients is detected.
++
++--
++Impact:
++Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.
++
++--
++Detailed Information:
++Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall.
++
++Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host.
++
++--
++Attack Scenarios:
++A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client.
++
++An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/987.txt
+@@ -0,0 +1,65 @@
++Rule:
++
++--
++Sid:
++987
++
++--
++Summary:
++This event is generated when an attempt is made to disclose the contents of an Active Server Page (ASP) using a malformed HTR request.
++
++--
++Impact:
++Information gathering. Fragments of the source code of an ASP may be returned possibly disclosing sensitive information.
++
++--
++Detailed Information:
++HTR is an older scripting language still supported by Internet Information Service (IIS). HTR requests are preocessed by ISM.DLL that improperly evaluates malformed HTR requests. This may disclose parts of the source code associated with a .asp file referenced in the request.
++
++--
++Affected Systems:
++
++Microsoft IIS 4.0, 5.0
++
++--
++Attack Scenarios:
++An attacker can craft a malformed request to disclose source code possibly revealing sensitive information.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Apply the patch referenced in the Microsoft link.
++
++Consider running the IIS Lockdown Tool to disable HTR functionality.
++
++--
++Contributors:
++Original rule writer unknown
++Modified by Brian Caswell
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++CVE
++http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0063
++
++Bugtraq
++http://www.securityfocus.com/bid/1488
++
++Microsoft
++http://www.microsoft.com/technet/security/bulletin/ms00-031.asp
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000570.txt
+@@ -0,0 +1,74 @@
++Rule:
++
++--
++Sid:
++100000570
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Indexu" application running on a webserver.
++Access to the file "app_change_pwd.php" using a remote file being passed as the
++"admin_template_path" parameter may indicate that an exploitation attempt has
++been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "admin_template_path" parameter in the
++"app_change_pwd.php" script used by the "Indexu" application running on a
++webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Indexu
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2992.txt
+@@ -0,0 +1,66 @@
++Rule:
++
++--
++Sid:
++2992
++
++--
++Summary:
++This event is generated when an attempt is made to shutdown a Windows
++system via SMB.
++
++--
++Impact:
++Serious.
++
++--
++Detailed Information:
++This event indicates that an attempt was made to shutdown a Windows
++system via SMB across the network.
++
++It may be possible for an attacker to manipulate a Windows system
++from a remote location. Shutting down a system may lead to a Denial of
++Service for the target host.
++
++--
++Affected Systems:
++ Microsoft Windows systems.
++
++--
++Attack Scenarios:
++An attacker may be able to manipulate a target system using SMB. The
++attacker may gain complete control over the affected system.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Check the host for signs of system compromise.
++
++Turn off file and print sharing on the target host.
++
++Use a packet filtering firewall to disallow SMB access to the host from
++sources external to the protected network.
++
++Disallow remote registry manipulation.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2471.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++2471
++
++--
++Summary:
++This event is generated when an attempt is made to access the C$ default
++administrative share of a Windows host.
++
++--
++Impact:
++Serious. Possible administrator access to the host. Information
++disclosure.
++
++--
++Detailed Information:
++By default, Windows hosts have default administrative shares of the
++local hard drives using the format %DRIVE_LETTER% + $. Anybody with
++administrative rights can remotely access the share.
++
++--
++Affected Systems:
++ Windows hosts.
++
++--
++Attack Scenarios:
++An attacker may be attempting to access files located on the C drive of
++the host.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Disallow Netbios access from external networks (tcp port 139).
++
++--
++Contributors:
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++Snort documentation contributed by Josh Sakofsky
++
++--
++Additional References:
++
++Arachnids:
++http://www.whitehats.com/info/IDS339
++
++Microsoft:
++http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1107.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1107
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3429.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3429
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1892.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1892
++
++--
++Summary:
++This event is generated when SNMP communications contain a NULL value
++the authentication string.
++
++--
++Impact:
++Medium to Serious. Depending on if the community string was for
++read-only, read-create or read-write an attacker could gain a varying
++level of access to a system.
++
++--
++Detailed Information:
++An SNMP community string is the authentication process that a host
++running SNMP uses to grant access.
++
++--
++Affected Systems:
++Numerous. Routers, switches, servers, NAS systems, many others.
++
++--
++Attack Scenarios:
++An attacker can launch a scan of all network attached devices looking
++for port 161 (UDP) and then attempt to gain access using SNMP.
++
++--
++Ease of Attack:
++Simple. There are many free SNMP "tree walking" programs, an example of
++such is getIF.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Make sure that all devices that have SNMP turned on have complex
++passwords assigned.
++
++Disable unneeded WRITE / CREATE community strings.
++
++Since SNMP traffic is not encrypted, use a packet filtering firewall to
++restrict SNMP communications to the protected network.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Snort documentation contributed by Mike Rivett ebiz@rivett.org
++
++--
++Additional References:
++
++GetIF:
++http://www.wtcs.org/snmp4tpc/getif.htm
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0517
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/614.txt
+@@ -0,0 +1,94 @@
++Rule:
++
++--
++Sid:
++614
++
++--
++Summary:
++hack-a-tack is a Trojan Horse.
++
++--
++Impact:
++Possible theft of data via download, upload of files, execution of files and reboot the targeted machine.
++
++--
++Detailed Information:
++This Trojan affects the following operating systems:
++
++ Windows 95
++ Windows 98
++ Windows ME
++ Windows NT
++ Windows 2000
++ Windows XP
++
++The Trojan changes system registry settings to add the hack-a-tack server to programs normally started on boot. Due to the nature of this Trojan it is unlikely that the attacker's client IP address has been spoofed.
++
++ SID Message
++ --- -------
++ 141 HackAttack 1.20 Connect
++ 614 hack-a-tack attempt
++
++This Trojan is commonly used to install other Trojan programs.
++
++The server portion opens TCP ports 31785 and 31787 and UDP ports 31789 and 31791 by default to establish a connection between client and server. The ports may then be configured by the attacker to use something other than these defaults.
++
++--
++Attack Scenarios:
++This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
++
++--
++Ease of Attack:
++This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
++
++The Trojan server is located at :\WINDOWS\Expl32.exe.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++
++Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
++
++Affected registry keys are:
++
++ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
++
++Registry keys added are:
++
++ Explorer32 =":\windows\Expl32.exe"
++ Configuration Wizard = ":\windows=cfgwiz32.exe"
++
++Removal of this entry is required.
++
++Delete the file(s) :\WINDOWS\Expl32.exe and :\windows=cfgwiz32.exe
++
++Ending the Trojan process is also necessary. A reboot of the infected machine is recommended.
++
++--
++Contributors:
++Original Rule Writer Max Vision
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++Whitehats arachNIDS
++http://www.whitehats.com/info/IDS314
++http://www.whitehats.com/info/IDS504
++
++Hackfix.org
++http://www.hackfix.org/miscfix/hackatack.shtml
++
++Commodon Communications
++http://www.commodon.com/threat/threat-hack.htm
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3110.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++3110
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft License Logging Service.
++
++--
++Impact:
++Serious. Execution of arbitrary code leading to unauthorized
++administrative access to the target host. Denial of Service (DoS) is
++also possible.
++
++--
++Detailed Information:
++Microsoft License Logging Service is used to manage licenses for
++Microsoft server products.
++
++A vulnerability in the service exists due to a programming error such
++that an unchecked buffer may present an attacker with the opportunity to
++exploit the service and run code of their choosing on an affected
++system. The attacker may then cause a DoS condition in the service or
++possibly gain administrative access to the target host.
++
++The unchecked buffer exists when processing the length of messages sent
++to the logging service.
++
++--
++Affected Systems:
++ Microsoft Windows Server 2003
++ Microsoft Windows Server 2000
++ Microsoft Windows NT Server
++
++--
++Attack Scenarios:
++An attacker can supply extra data in the message to the service
++containing code of their choosing to be run on the server.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1761.txt
+@@ -0,0 +1,56 @@
++Rule:
++
++--
++Sid:
++1761
++
++--
++Summary:
++This event is generated when network traffic indicating the use of an
++IDS system on the protected network is detected.
++
++--
++Impact:
++These tools may be used to compromise data on the network or may
++indicate mis-use of other IDS systems.
++
++--
++Detailed Information:
++This event indicates the use of an IDS tool. The source of the event
++should be investigated carefully. These tools may be used to gather data
++present in traffic on the protected network.
++
++--
++Affected Systems:
++ All networks.
++
++--
++Attack Scenarios:
++An unathorized user could use an IDS to gather data and observe traffic
++present on the network.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3248.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3248
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/237.txt
+@@ -0,0 +1,63 @@
++Rule:
++
++--
++Sid:
++237
++
++--
++Summary:
++This event is generated when a trinoo DDoS master host communicates with a daemon host.
++
++--
++Impact:
++Attempted DDoS. If the listed source IP is in your network, it may be a trinoo master. If the listed destination IP is in your network, it may be a trinoo daemon.
++
++--
++Detailed Information:
++The trinoo DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. Masters communicate with daemons to direct them to launch attacks. A master may communicate with a daemon via UDP destination port 27444 with a string of "l44adsl" in the payload. This string is the default password for the daemon.
++
++--
++Affected Systems:
++Any trinoo compromised host.
++
++--
++Attack Scenarios:
++A trinoo master will communicate with a daemon to direct it to launch attacks.
++
++--
++Ease of Attack:
++Simple. trinoo code is freely available.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
++
++Rebuild a confirmed compromised host.
++
++Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
++
++
++--
++Contributors:
++Original rule written by Max Vision
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++CERT:
++http://www.cert.org/incident_notes/IN-99-07.html#trinoo
++
++Arachnids:
++http://www.whitehats.com/info/IDS197
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/890.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++890
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running on a web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2535.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++2535
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the Microsoft implementation of SSL Version 3.
++
++--
++Impact:
++Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in the handling of SSL Version 3 requests that
++can be manipulated to cause a DoS condition in various software
++implementations used on Microsoft operating systems.
++
++The condition exists because of poor error handling routines in the
++Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
++invalid field, sent to vulnerable systems can cause the affected host to stop
++handling any further requests.
++
++--
++Affected Systems:
++ Microsoft Windows 2000, 2003 and XP systems using SSL
++
++--
++Attack Scenarios:
++An attcker needs to make an SSL request to an affected system that
++contains an invalid field.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++--
++Contributors:
++Sourcefire Research Team
++Matt Watchinski
++Nigel Houghton
++
++--
++Additional References:
++
++US-Cert:
++http://www.kb.cert.org/vuls/id/150236
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000416.txt
+@@ -0,0 +1,58 @@
++
++
++Rule:
++
++--
++Sid:
++100000416
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MyBloggie" application running on a webserver. Access to the file "admin.php" using a remote file being passed as the "mybloggie_root_path" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "mybloggie_root_path" parameter in the "admin.php" script used by the "MyBloggie" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using MyBloggie
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/708.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid: 708
++
++--
++
++Summary:
++This event is generated when an attempt is made to overflow a buffer in the Microsoft SQL Server and Data Engine.
++
++--
++Impact:
++Serious. A Denial of Service condition or execution of arbitrary code is possible.
++
++--
++Detailed Information:
++A buffer overflow condition exists in some versions of Microsoft SQL Server and Data Engine that may allow an attacker to execute arbitrary code with system privileges or crash the SQL Server.
++
++The attacker must gain access to the SQL Server to exploit this vulnerability.
++
++--
++
++Attack Scenarios:
++Exploit code exists.
++
++--
++
++Ease of Attack:
++Simple. Exploit code exists.
++
++--
++
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known
++
++--
++
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Disallow direct access to the SQL server from sources external to the protected network.
++
++Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
++
++Look for other events generated by the same IP addresses.
++
++--
++Contributors:
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1082
++
++Bugtraq:
++http://www.securityfocus.com/bid/2031
++
++Microsoft:
++http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1520.txt
+@@ -0,0 +1,90 @@
++Rule:
++
++--
++Sid:
++1520
++
++--
++Summary:
++This event is generated when an attempt is made to access server-info.
++Using the Apache webserver, this url is generally handled by the
++mod_info module, which will happily disclose valuable information about
++your webserver which may aid in their attack.
++
++--
++Impact:
++Information disclosure.
++
++--
++Detailed Information:
++The mod_info module "provides a comprehensive overview of the server
++configuration including all installed modules and directives in the
++configuration files" for the Apache webserver. Successfully accessing the url
++that is handle by mod_info may give an attacker valuable information about
++the server.
++
++If mod_info is in use and the attacking host is allowed to access it,
++every possible configuration option that the Apache server is using can
++be viewed. This includes ACLs, modules, file and directory names, and
++other valuable information that will help an attacker determine ways of
++attacking the server.
++
++--
++Affected Systems:
++ Apache webservers with mod_info enabled.
++
++--
++Attack Scenarios:
++As part of an attack against an Apache webserver, an attacker may try to
++access "/server-info" which is typically handled by the mod_info module. If
++sucessful, this will give valuable information about the webserver for
++use in further attacks.
++
++--
++Ease of Attack:
++Simple. No exploit software is required.
++
++--
++False Positives:
++Few, but certainly possible. Since this rule only checks for the
++existance of "/server-info" in the url, any url containing that string will
++trigger this rule. A few common false positives may include urls like:
++
++http://victim/server-info/contact.html
++http://victim/really/long/directory/server-info.html
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Determine if server-info exists on the victim in question, and if the attacker
++is allowed to access it.
++
++If mod_info is necessary on this server, consider restricting access to
++it via Apache directives, i.e.:
++
++
++ SetHandler server-info
++ Order deny,allow
++ Deny from all
++ Allow from .yourdomain.net
++
++
++
++--
++Contributors:
++Snort documentation contributed by Jon Hart
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++
++--
++Additional References:
++
++Apache:
++http://httpd.apache.org/docs/mod/mod_info.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2724.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2724
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure add_priority_date
++. This procedure is included in
++dbms_repcat.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/391.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++
++Sid:
++391
++
++--
++
++Summary:
++This event is generated when an ICMP Alternate Host Address datagram is detected on the network with an invalid ICMP code. This ICMP Type is not documented in an RFC, but may be implemented by routing equipment to direct hosts to the correct IP address of neighboring hosts.
++
++--
++
++Impact:
++This ICMP Type is not implemented in most standard operating systems and is a potential indication of information gathering activities.
++
++--
++
++Detailed Information:
++ICMP Type 6 (Alternate Host Address) is not defined in an RFC and should not be considered legitimate network traffic.
++
++--
++
++Attack Scenarios:
++Attackers may use this ICMP Type to gather information about the network.
++--
++
++Ease of Attack:
++Numerous tools and scripts can generate ICMP Alternate Host Address datagrams with invalid ICMP codes.
++
++--
++
++False Positives:
++None known
++
++--
++
++False Negatives:
++None known
++
++--
++
++Corrective Action:
++ICMP Type 6 datagrams should be blocked at the firewall.
++
++--
++
++Contributors:
++Original Rule wirter unknown
++Sourcefire Research Team
++Matthew Watchinski (matt.watchinski@sourcefire.com)
++
++--
++
++Additional References:
++None
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2124.txt
+@@ -0,0 +1,59 @@
++Rule:
++
++--
++Sid:
++2124
++
++--
++Summary:
++This event is generated when an attempt is made to connect to a host running a Remote PC Access Server.
++
++--
++Impact:
++Serious. System compromise leading to a compromise of all data on the target host.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to connect to a host using the Remote PC Access Server. This event may also be generated by an attacker using Nessus to scan for Remote PC Access.
++
++Remote PC is used to remotely administer hosts via the Internet. It offers complete control of the client machine via a TCP connection.
++
++Login information is transmitted in clear text across a TCP connection, the attacker could recover this information by capturing a legitimate session. It may also be possible for an attacker to gain access by utilizing a brute force attack to discover the password to connect.
++
++--
++Affected Systems:
++Any host using the Remote PC Access Server.
++
++--
++Attack Scenarios:
++An attacker can connect to the Remote PC Access Server using the client program and gain complete control of the host if the password and username are known.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++A legitimate login session may cause this rule to generate an event.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Disable the Remote PC Access Server
++
++Disallow connection to the server from clients external to the protected network.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/427.txt
+@@ -0,0 +1,61 @@
++Rule:
++
++--
++
++Sid:
++427
++
++--
++
++Summary:
++This event is generated when a router generates and ICMP Parameter Problem Unspecified Error datagram.
++
++--
++
++Impact:
++This could be an indication of a protocol error by a previous hop router. Normally this datagram would only be generated with the datagram was truncated or damaged before it reached its final destination.
++
++--
++
++Detailed Information:
++A router generates a Parameter Problem message for any error not specifically covered by another ICMP message.
This could be an indication of routing problems on the network, or malfunctioning routing hardware.
++
++--
++
++Attack Scenarios:
++None known
++
++--
++
++Ease of Attack:
++Numerous tools and scripts can generate this type of ICMP datagram.
++
++--
++
++False Positives:
++None known
++
++--
++
++False Negatives:
++None known
++
++--
++
++Corrective Action:
++ICMP Type 12 Code 0 datagrams are not normal network activity. Hosts generating these types of datagrams should be investigated for configuration errors or nefarious activity.
++
++--
++
++Contributors:
++Original Rule writer unknown
++Sourcefire Research Team
++Matthew Watchinski (matt.watchinski@sourcefire.com)
++
++--
++
++Additional References:
++None
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1213.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1213
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000629.txt
+@@ -0,0 +1,74 @@
++Rule:
++
++--
++Sid:
++100000629
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Indexu" application running on a webserver.
++Access to the file "message_view.php" using a remote file being passed as the
++"admin_template_path" parameter may indicate that an exploitation attempt has
++been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "admin_template_path" parameter in the
++"message_view.php" script used by the "Indexu" application running on a
++webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server.
Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Indexu
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1686.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid: 1686
++
++--
++
++Summary:
++This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
++
++--
++Impact:
++Serious. An attacker may have gained superuser access to the system.
++
++--
++Detailed Information:
++This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
++
++Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
++
++This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
++
++Oracle servers running on a Windows platform may listen on any arbitrary
++port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
++is applicable to the protected network.
++
++--
++
++Attack Scenarios:
++Simple. These are Oracle database commands.
++
++--
++
++Ease of Attack:
++Simple.
++
++--
++
++False Positives:
++This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
++
++--
++False Negatives:
++Configure your ORACLE_PORTS variable correctly for the environment you are in.
++In many situations ORACLE negotiates a communication port. This means that 1521
++and 1526 are not used for communication during the entire transaction. A new
++port is negotiated after the initial connect message, all communication after
++that uses this other port. If you are in an environment such as this, you should
++set ORACLE_PORTS to "any" in snort.conf.
++
++Otherwise, there are no known false negatives.
++
++--
++
++Corrective Action:
++Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
++Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
++
++Look for other events generated by the same IP addresses.
++
++--
++Contributors:
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2822.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2822
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure publish_flavor_definition
++. This procedure is included in
++sys.dbms_repcat_fla_mas.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000556.txt
+@@ -0,0 +1,63 @@
++Rule:
++
++--
++Sid:
++100000556
++--
++Summary:
++This event is generated when an attempt is made to exploit a cross site
++scripting vulnerability in the "VebiMiau" application running on a webserver.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to exploit a cross site
++scripting vulnerability via the "sid" parameter in the "error.php" script used
++by the "VebiMiau" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to retrieve sensitive data, execute system binaries
++or malicious code of the attackers choosing.
++
++--
++Affected Systems:
++All systems running CGI applications using VebiMiau
++--
++Attack Scenarios:
++An attacker can supply a malicious link designed to steal information from a
++user clicking on that link.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++The Cross Site Scripting (XSS) FAQ
++http://www.cgisecurity.com/articles/xss-faq.shtml
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2623.txt
+@@ -0,0 +1,74 @@
++Rule:
++
++--
++Sid:
++2623
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a Oracle database implementation.
++
++--
++Impact:
++Serious. Execution of arbitrary code may be possible. A Denial of
++Service (DoS) condition may also be caused.
++
++--
++Detailed Information:
++Oracle databases may use a built-in procedure to assist in useful
++tasks. The "create_snapshot_repgroup" procedure contains a
++programming error that may allow an attacker to execute a buffer
++overflow attack.
++
++This overflow is triggered by a long string in a parameter for the
++procedure.
++
++
++If you are running Oracle on a Windows server, make sure that the
++variable $ORACLE_PORTS is set to a value of "any".
++
++--
++Affected Systems:
++ Oracle 9i
++
++--
++Attack Scenarios:
++An attacker can supply a long string to the first variable to cause
++the overflow. The result could permit the attacker to gain escalated
++privileges and run code of their choosing. This attack requires an
++attacker to logon to the database with a valid username and password
++combination.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Matt Watchinski
++Brian Caswell
++Nigel Houghton
++Judy Novak
++
++--
++Additional References:
++
++Other:
++http://www.appsecinc.com/Policy/PolicyCheck97.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000701.txt
+@@ -0,0 +1,58 @@
++
++
++Rule:
++
++--
++Sid:
++100000701
++--
++Summary:
++This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "WordPress" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "paged" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to inject SQL code from a remote machine via the "paged" parameter in the "index.php" script used by the "WordPress" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using WordPress
++--
++Attack Scenarios:
++An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++SQL Injection Attack and Defense
++http://www.securitydocs.com/library/3587
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1574.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1574
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application.
Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/809.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++809
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise.
Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2525.txt
+@@ -0,0 +1,68 @@
++Rule:
++
++--
++Sid:
++2525
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a buffer
++overrun condition in Microsoft products via the Local Security Authority
++Subsystem Service (LSASS).
++
++--
++Impact:
++Remote execution of arbitrary code.
++
++--
++Detailed Information:
++A vulnerability exists in LSASS that may present an attacker with the
++opportunity to execute code of their choosing on an affected host.
++
++The problem lies in an unchecked buffer in the LSASS service, suscessful
++exploitation may present the attacker with the opportunity to gain
++control of the affected system.
++
++--
++Affected Systems:
++ Microsoft Windows 2000, 2003 and XP systems.
++
++--
++Attack Scenarios:
++An attcker needs to make a specially crafted request to the LSASS
++service that could contain harmful code to gain further access to the
++system.
++
++--
++Ease of Attack:
++Moderate.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Use a packet filtering firewall to deny access to TCP and UDP ports 135
++and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
++outside the protected network.
++
++Access should also be denied to ephemeral ports and any other ports used
++by RPC services from sources external to the protected network.
++
++--
++Contributors:
++Sourcefire Research Team
++Matt Watchinski
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2157.txt
+@@ -0,0 +1,65 @@
++Rule:
++
++--
++Sid: 2157
++
++
++--
++Summary:
++This event is generated when an attempt is made to access the administration interface of IISProtect on a host running Microsoft Internet Information Server (IIS).
++
++--
++Impact:
++Administrator access.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to access the administration interface of IISProtect on a host running Microsoft Internet Information Server (IIS).
++
++The attacker can gain administrator access to the web server running IISProtect without the need to authenticate.
++
++--
++Affected Systems:
++Any host using IISProtect.
++
++--
++Attack Scenarios:
++An attacker can gain control of the web server without the need to authenticate.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
++
++Ensure that the IIS implementation is fully patched.
++
++Ensure that the underlying operating system is fully patched.
++
++Employ strategies to harden the IIS implementation and operating system.
++
++Check the host for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000377.txt
+@@ -0,0 +1,58 @@
++
++
++Rule:
++
++--
++Sid:
++100000377
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_forum_prune.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_forum_prune.php" script used by the "phpNuke" application running on a webserver.
++ ++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++All systems running CGI applications using phpNuke ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/1489.txt +@@ -0,0 +1,71 @@ ++Rule: ++ ++-- ++Sid: ++1489 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability on a web server or a web application resident on a web ++server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server. Possible execution of arbitrary code of ++the attackers choosing in some cases. 
++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to compromise a host ++running a Web server or a vulnerable application on a web server. ++ ++Many known vulnerabilities exist for each implementation and the ++attack scenarios are legion. ++ ++Some applications do not perform stringent checks when validating the ++credentials of a client host connecting to the services offered on a ++host server. This can lead to unauthorized access and possibly escalated ++privileges to that of the administrator. Data stored on the machine can ++be compromised and trust relationships between the victim server and ++other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++ All systems using a web server. ++ ++-- ++Attack Scenarios: ++Many attack vectors are possible from simple directory traversal to ++exploitation of buffer overflow conditions. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++Check the host logfiles and application logs for signs of compromise. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1370.txt +@@ -0,0 +1,57 @@ ++Rule: ++-- ++Sid: ++1370 ++ ++-- ++Summary: ++Attempted inetd configuration access via web ++ ++-- ++Impact: ++Attempt to gain information on system processes on webserver ++ ++-- ++Detailed Information: ++This is an attempt to gain intelligence on the processes being run on a ++webserver. The inetd configuration lists the daemons executed at boot ++time on a UNIX or Linux based system. The attacker could possibly gain ++information needed for other attacks on the host. 
++ ++-- ++Attack Scenarios: ++The attacker can make a standard HTTP request that contains ++'/etc/inetd.conf'in the URI. ++ ++-- ++Ease of Attack: ++Simple HTTP request. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++ ++Webservers should not be allowed to view or execute files and binaries ++outside of it's designated web root or cgi-bin. This file may also be ++requested on a command line should the attacker gain access to the ++machine. Making the file read only by the superuser on the system will ++disallow viewing of the file by other users. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000603.txt +@@ -0,0 +1,73 @@ ++Rule: ++ ++-- ++Sid: ++100000603 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file ++include vulnerability in the "Indexu" application running on a webserver. ++Access to the file "inv_paid.php" using a remote file being passed as the ++"admin_template_path" parameter may indicate that an exploitation attempt has ++been attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution of ++arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a ++remote machine via the "admin_template_path" parameter in the "inv_paid.php" ++script used by the "Indexu" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also ++be possible for an attacker to execute system binaries or malicious code of the ++attackers choosing. 
++ ++This event is generated when an attempt is made to gain unauthorized access to ++a CGI application running ona web server. Some applications do not perform ++stringent checks when validating the credentials of a client host connecting to ++the services offered on a host server. This can lead to unauthorized access and ++possibly escalated privileges to that of the administrator. Data stored on the ++machine can be compromised and trust relationships between the victim server ++and other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++All systems running CGI applications using Indexu ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own ++credentials to gain access. Alternatively the attacker can exploit weaknesses ++to gain access as the administrator by supplying input of their choosing to the ++underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had ++all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/2447.txt +@@ -0,0 +1,60 @@ ++Rule: ++ ++-- ++Sid: ++2447 ++ ++-- ++Summary: ++This event is generated when an attempt is made to access the servlet ++administration scripts on a Novell Groupwise servlet server. ++ ++-- ++Impact: ++Possible unauthorized administrative access to the server. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to access the servlet ++administration scripts on a Novell Groupwise servlet server located in /servlet/ServletManager. ++ ++The default installation has a known username and password for ++administration of the server. 
++ ++-- ++Affected Systems: ++ Novell Groupwise 6.0 ++ Novell Groupwise Enhancement Pack 5.5 ++ ++-- ++Attack Scenarios: ++The attacker might login to the application using the default username ++and password gaining administrative access to the host. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/821.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++821 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a CGI web application running on a server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution ++of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to gain unauthorized ++access to a CGI application running ona web server. Some applications do ++not perform stringent checks when validating the credentials of a client ++host connecting to the services offered on a host server. This can lead ++to unauthorized access and possibly escalated privileges to that of the ++administrator. Data stored on the machine can be compromised and trust ++relationships between the victim server and other hosts can be exploited by the attacker. ++ ++If stringent input checks are not performed by the CGI application, it ++may also be possible for an attacker to execute system binaries or ++malicious code of the attackers choosing. 
++ ++-- ++Affected Systems: ++ All systems running CGI applications ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her ++own credentials to gain access. Alternatively the attacker can exploit ++weaknesses to gain access as the administrator by supplying input of ++their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/637.txt +@@ -0,0 +1,63 @@ ++Rule: ++ ++-- ++Sid: ++637 ++ ++-- ++Summary: ++This event is generated when a scan is detected. ++ ++-- ++Impact: ++Information gathering. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to scan a host. ++ ++This may be the prelude to an attack. Scanners are used to ascertain ++which ports a host may be listening on, whether or not the ports are ++filtered by a firewall and if the host is vulnerable to a particular ++exploit. ++ ++-- ++Affected Systems: ++Any host. ++ ++-- ++Attack Scenarios: ++An attacker can determine if ports 21 and 20 are being used for FTP. ++Then the attacker might find out that the FTP service is vulnerable to a ++particular attack and is then able to compromise the host. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++A scanner may be used in a security audit. ++ ++-- ++False Negatives: ++None Known. ++ ++-- ++Corrective Action: ++Determine whether or not the scan was legitimate then look for other ++events concerning the attacking IP address. ++ ++Check the host for signs of compromise. 
++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2610.txt +@@ -0,0 +1,73 @@ ++Rule: ++ ++-- ++Sid: ++2610 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a Oracle database implementation. ++ ++-- ++Impact: ++Serious. Execution of arbitrary code may be possible. A Denial of ++Service (DoS) condition may also be caused. ++ ++-- ++Detailed Information: ++Oracle databases may use a built-in procedure to assist in database ++replication. The "cancel_statistics" procedure contains a ++programming error that may allow an attacker to execute a buffer ++overflow attack. ++ ++This overflow is triggered by long strings in some parameters for the ++procedure. ++ ++If you are running Oracle on a Windows server, make sure that the ++variable $ORACLE_PORTS is set to a value of "any". ++ ++-- ++Affected Systems: ++ Oracle 9i ++ ++-- ++Attack Scenarios: ++An attacker can supply a long string to either the "sname" or ++"oname" variables to cause the overflow. The result could ++permit the attacker to gain escalated privileges and run code of their ++choosing. This attack requires an attacker to logon to the database ++with a valid username and password combination. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. 
++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Matt Watchinski ++Brian Caswell ++Nigel Houghton ++Judy Novak ++ ++-- ++Additional References: ++ ++Other: ++http://www.appsecinc.com/Policy/PolicyCheck633.html ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1929.txt +@@ -0,0 +1,73 @@ ++Rule: ++ ++-- ++Sid: ++1929 ++ ++-- ++Summary: ++This event is generated when an attacker attempts to connect to a ++Trojan server installed via compromised tcpdump or libpcap sources. ++ ++-- ++Impact: ++Control of the victim host. ++ ++-- ++Detailed Information: ++This Trojan affects UNIX operating systems: ++ ++Some versions of tcpdump and libpcap were compromised and Trojan code ++inserted into the source. The compromise is similar to that which ++affected OpenSSH. ++ ++Libpcap is a library used for capturing packets in Snort and other ++packet sniffing tools. ++ ++The Trojaned libpcap source contains code in the configure script that ++connects to a server at 212.146.0.34 on port 1963. The script then ++downloads source code for a Trojan horse and compiles it. ++ ++Tcpdump is a tool that is used for capturing network traffic, it ++utilizes libpcap. Some versions of tcpdump also contain the same Trojan. ++ ++Due to the nature of this Trojan it is unlikely that the attacker's ++client IP address has been spoofed. ++ ++-- ++Attack Scenarios: ++This Trojan is delivered to the target via the configure script. ++ ++-- ++Ease of Attack: ++This is Trojan activity, the target machine may already be compromised. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Delete the Trojan and kill any associated processes. ++ ++Restore the system from known good backups. ++ ++Download non-trojaned versions of the library and re-compile. 
++ ++-- ++Contributors: ++Original rule writer unknown ++Sourcefire Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Houston Linux Users Group ++http://www.hlug.org/trojan/ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/423.txt +@@ -0,0 +1,60 @@ ++Rule: ++ ++-- ++ ++Sid: ++423 ++ ++-- ++ ++Summary: ++This event is generated when a network host generates an ICMP Mobile Registration Request datagram. ++ ++-- ++ ++Impact: ++ICMP Mobile Registration Requests were never implemented and have been replaced by UDP and TCP versions of the message. ICMP Type 35 datagrams should never be seen in normal network conditions. ++ ++-- ++ ++Detailed Information: ++ICMP Mobile Registration Request datagrams were developed before the development of RFC3344 (IP Mobility Support for IPv4). Therefore these types of ICMP datagrams should never be seen in normal networking conditions. ++ ++-- ++ ++Attack Scenarios: ++None known ++ ++-- ++ ++Ease of Attack: ++Numerous tools and scripts can generate this type of ICMP datagram. ++ ++-- ++ ++False Positives: ++None known ++ ++-- ++ ++False Negatives: ++None known ++-- ++ ++Corrective Action: ++ICMP Type 35 datagrams are not normal network activity. Hosts generating these types of datagrams should be investigated for nefarious activity ++ ++-- ++ ++Contributors: ++Original rule writer unknown ++Sourcefire Research Team ++Matthew Watchinski (matt.watchinski@sourcefire.com) ++ ++-- ++ ++Additional References: ++None ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000675.txt +@@ -0,0 +1,73 @@ ++Rule: ++ ++-- ++Sid: ++100000675 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file ++include vulnerability in the "Harpia" application running on a webserver. ++Access to the file "pfooter.php" using a remote file being passed as the ++"theme_root" parameter may indicate that an exploitation attempt has been ++attempted. 
++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution of ++arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a ++remote machine via the "theme_root" parameter in the "pfooter.php" script used ++by the "Harpia" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also ++be possible for an attacker to execute system binaries or malicious code of the ++attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to ++a CGI application running ona web server. Some applications do not perform ++stringent checks when validating the credentials of a client host connecting to ++the services offered on a host server. This can lead to unauthorized access and ++possibly escalated privileges to that of the administrator. Data stored on the ++machine can be compromised and trust relationships between the victim server ++and other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++All systems running CGI applications using Harpia ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own ++credentials to gain access. Alternatively the attacker can exploit weaknesses ++to gain access as the administrator by supplying input of their choosing to the ++underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had ++all vendor supplied patches applied. 
++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/575.txt +@@ -0,0 +1,61 @@ ++Rule: ++ ++-- ++Sid: ++575 ++ ++-- ++Summary: ++This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) admind is listening. ++ ++-- ++Impact: ++Information disclosure. This request is used to discover which port admind is using. Attackers can also learn what versions of the admind protocol are accepted by admind. ++ ++-- ++Detailed Information: ++The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as admind run. The admind RPC service is used by some UNIX hosts to perform remote distributed system administration tasks such as adding new users. If weak authentication is used, it may be possible for a malicious user to perform remote administration. ++ ++-- ++Affected Systems: ++Any host running admind with weak authentication. ++ ++-- ++Attack Scenarios: ++An attacker can query the portmapper to discover the port where admind runs. This may be a precursor to accessing admind. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++If a legitimate remote user is allowed to access admind, this rule may trigger. ++ ++-- ++False Negatives: ++This rule detects probes of the portmapper service for admind, not probes of the admind service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the admind service itself. An attacker may attempt to go directly to the admind port without querying the portmapper service, which would not trigger the rule. ++ ++-- ++Corrective Action: ++Limit remote access to RPC services. ++ ++Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. ++ ++Disable unneeded RPC services. 
++ ++-- ++Contributors: ++Original rule written by Max Vision ++Modified by Brian Caswell ++Sourcefire Research Team ++Judy Novak ++ ++-- ++Additional References: ++ ++Arachnids ++http://www.whitehats.com/info/IDS18 ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2277.txt +@@ -0,0 +1,58 @@ ++Rule: ++-- ++Sid: ++2277 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a directory ++traversal vulnerability in the cgi application PeopleSoft PeopleBooks. ++ ++-- ++Impact: ++Information gathering. ++ ++-- ++Detailed Information: ++This event may indicate an attempt is made to exploit a directory ++traversal vulnerability in the cgi application PeopleSoft PeopleBooks. ++The script psdoccgi.exe does not sufficiently check script arguements ++for the "headername" and "footername" variables. An attacker may exploit ++this issue to access files outside the root of the web server. ++ ++-- ++Affected Systems: ++ PeopleTools versions 8.43 and earlier. ++ ++-- ++Attack Scenarios: ++An attacker can use directory traversal techniques to access sensitive ++system files to gain information necessary for further system ++compromise. ++ ++-- ++Ease of Attack: ++Simple. No exploit code required. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Upgrade to the latest non-affected version of the software. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2199.txt +@@ -0,0 +1,58 @@ ++Rule: ++ ++-- ++Sid: ++2199 ++ ++-- ++Summary: ++This event is generated when an attempt is made to access multidiff.cgi on an internal web server. This may indicate an attempt to exploit an information disclosure vulnerability in Mozilla Bonsai 1.3. ++ ++-- ++Impact: ++Information gathering. 
++ ++-- ++Detailed Information: ++Mozilla Bonsai, a CVS query tool, contains an information disclosure vulnerability in multidiff.cgi. An attacker can discover the location of the Mozilla Bonsai application by sending a malformed request to the application, which produces an error. The error message shows the full path of the multidiff.cgi file, providing the attacker with information about the server directory structure. ++ ++-- ++Affected Systems: ++Any system running Mozilla Bonsai 1.3. ++ ++-- ++Attack Scenarios: ++An attacker sends an erroneous request to multidiff.cgi on the Bonsai server. The error message returns the full path of the script, allowing the attacker to discover more information about the server directory structure for possible use in later attacks. ++ ++-- ++Ease of Attack: ++Simple. Proof of concept exists. ++ ++-- ++False Positives: ++If a legitimate remote user accesses multidiff.cgi, this rule may generate an event. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Upgrade to a newer build of Mozilla Bonsai 1.3. ++ ++If you are running Mozilla Bonsai on Debian 3.0, Debian has provided patches at http://security.debian.org/pool/updates/main/b/bonsai/. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++Sourcefire Technical Publications Team ++Jennifer Harvey ++ ++-- ++Additional References: ++Bugtraq ++http://www.securityfocus.com/bid/5517 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1088.txt +@@ -0,0 +1,64 @@ ++Rule: ++ ++-- ++Sid: ++1088 ++ ++-- ++Summary: ++This event is generated when an attempt is made to execute a directory ++traversal attack. ++ ++-- ++Impact: ++Information disclosure. This is a directory traversal attempt which can ++lead to information disclosure and possible exposure of sensitive ++system information. 
++ ++-- ++Detailed Information: ++Directory traversal attacks usually target web, web applications and ftp ++servers that do not correctly check the path to a file when requested by ++the client. ++ ++This can lead to the disclosure of sensitive system information which may ++be used by an attacker to further compromise the system. ++ ++-- ++Affected Systems: ++ ++-- ++Attack Scenarios: ++An authorized user or anonymous user can use the directory traversal ++technique, to browse folders outside the ftp root directory. Information ++gathered may be used in further attacks against the host. ++ ++-- ++Ease of Attack: ++Simple. No exploit software required. ++ ++-- ++False Positives: ++None known ++ ++-- ++False Negatives: ++None known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches ++ ++Upgrade the software to the latest non-affected version. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3297.txt +@@ -0,0 +1,70 @@ ++Rule: ++ ++-- ++Sid: ++3297 ++ ++-- ++Summary: ++This rule generates an event when an attempt is made to exploit a known ++vulnerability in Microsoft RPC DCOM. ++ ++-- ++Impact: ++Execution of arbitrary code leading to full administrator access of the ++machine. Denial of Service (DoS). ++ ++-- ++Detailed Information: ++A vulnerability exists in Microsoft RPC DCOM such that execution of ++arbitrary code or a Denial of Service condition can be issued against a ++host by sending malformed data via RPC. ++ ++The Distributed Component Object Model (DCOM) handles DCOM requests sent ++by clients to a server using RPC. A malformed request to an RPC port ++will result in a buffer overflow condition that will present the ++attacker with the opportunity to execute arbitrary code with the ++privileges of the local system account. 
++ ++-- ++Affected Systems: ++ Windows NT 4.0 ++ Windows NT 4.0 Terminal Server Edition ++ Windows 2000 ++ Windows XP ++ Windows Server 2003 ++ ++-- ++Attack Scenarios: ++An attacker may make a request for a file with an overly long filename ++via a network share. ++ ++-- ++Ease of Attack: ++Simple. Expoit code exists. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches. ++ ++Block access to RPC ports 135, 139 and 445 for both TCP and UDP ++protocols from external sources using a packet filtering firewall. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1360.txt +@@ -0,0 +1,57 @@ ++Rule: ++ ++-- ++Sid: 1360 ++ ++-- ++Summary: ++A web command execution attack involving the use of a ++"netcat" command ++ ++-- ++Impact: ++Possible intelligence gathering activity or an attempt to gain elevated privileges on the server by using netcat to open another connection. ++ ++-- ++Detailed Information: ++The attacker may have gained the ability to execute system commands remotely or the web server may be incorrectly configured to allow such access. ++ ++This rule generates an event when a "netcat" command is used over a plain-text (unencrypted) connection on one of the specified web ports to the target web server. The "netcat" command may be used establish an interactive shell session to the machine and also transfer files over the connection. ++ ++The rule looks for the "netcat" command in the client to web server network traffic and does not indicate whether the command was actually successful. The presence of the "netcat" command in the URI indicates that an attacker attempted to trick the web server into executing system in non-interactive mode i.e. without a valid shell session. 
++ ++Alternatively this rule may generate an event in an unencrypted HTTP tunneling connection to the server or a shell connection via another exploit against the web server. ++ ++-- ++Attack Scenarios: ++An attacker uses a "netcat" command to move a rootkit to the system. ++ ++-- ++Ease of Attack: ++Simple. No exploit software required ++ ++-- ++False Positives: ++Any string containing 'nc' followed by space in the URL will trigger the alarm. ++ ++-- ++False Negatives: ++none known ++ ++-- ++Corrective Action: ++Check the web server software for vulnerabilities and possible upgrades or patches for the system to the latest version of the web software, also investigate the server logs for signs of compromise ++ ++Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. Disallowing execution of this binary via a URI is suggested. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++Snort documentation contributed by Anton Chuvakin ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3252.txt +@@ -0,0 +1,70 @@ ++Rule: ++ ++-- ++Sid: ++3252 ++ ++-- ++Summary: ++This rule generates an event when an attempt is made to exploit a known ++vulnerability in Microsoft RPC DCOM. ++ ++-- ++Impact: ++Execution of arbitrary code leading to full administrator access of the ++machine. Denial of Service (DoS). ++ ++-- ++Detailed Information: ++A vulnerability exists in Microsoft RPC DCOM such that execution of ++arbitrary code or a Denial of Service condition can be issued against a ++host by sending malformed data via RPC. ++ ++The Distributed Component Object Model (DCOM) handles DCOM requests sent ++by clients to a server using RPC. A malformed request to an RPC port ++will result in a buffer overflow condition that will present the ++attacker with the opportunity to execute arbitrary code with the ++privileges of the local system account. 
++ ++-- ++Affected Systems: ++ Windows NT 4.0 ++ Windows NT 4.0 Terminal Server Edition ++ Windows 2000 ++ Windows XP ++ Windows Server 2003 ++ ++-- ++Attack Scenarios: ++An attacker may make a request for a file with an overly long filename ++via a network share. ++ ++-- ++Ease of Attack: ++Simple. Expoit code exists. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches. ++ ++Block access to RPC ports 135, 139 and 445 for both TCP and UDP ++protocols from external sources using a packet filtering firewall. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000626.txt +@@ -0,0 +1,74 @@ ++Rule: ++ ++-- ++Sid: ++100000626 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file ++include vulnerability in the "Indexu" application running on a webserver. ++Access to the file "message_edit.php" using a remote file being passed as the ++"admin_template_path" parameter may indicate that an exploitation attempt has ++been attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution of ++arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a ++remote machine via the "admin_template_path" parameter in the ++"message_edit.php" script used by the "Indexu" application running on a ++webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also ++be possible for an attacker to execute system binaries or malicious code of the ++attackers choosing. 
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Indexu
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2342.txt
+@@ -0,0 +1,63 @@
++Rule:
++
++--
++Sid:
++2342
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the PHP web application DCP-Portal.
++
++--
++Impact:
++Execution of arbitrary code on the affected system
++
++--
++Detailed Information:
++DCP-Portal contains a flaw such that it may be possible for an attacker
++to include code of their choosing by manipulating the variable root when
++making a GET or POST request to a vulnerable system.
++
++It may be possible for an attacker to execute that code with the
++privileges of the user running the webserver, usually root by supplying
++their code in a file included from an external source by modifying the
++variable "root" in the editor.php script.
++
++--
++Affected Systems:
++ DCP-Portal 5.0.1
++
++--
++Attack Scenarios:
++An attacker can make a request to an affected script and define their
++own path for the root variable.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Upgrade to the latest non-affected version of the software
++
++--
++Contributors:
++Sourcefire Research Team
++Matt Watchinski
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2859.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2859
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure add_priority_char
++. This procedure is included in
++sys.dbms_repcat_conf.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000148.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid:
++100000148
++
++--
++Summary:
++This event is generated when an attempt is made to perform a directory
++traversal attack against a system running Barracuda Spam Firewall.
++
++--
++Impact:
++Serious. Unauthorized remote command execution possibly leading to remote
++access.
++
++--
++Detailed Information:
++User supplied data to script parameters are not properly sanitized, this may
++permit an unauthorized attacker to execute commands of their choosing on an
++affected system.
++
++Note:
++In order to utilize this rule, port 8000 must be added to the http_inspect
++configuration in snort.conf.
++
++--
++Affected Systems:
++Barracuda Spam Firewall 3.1.17 and prior.
++
++--
++Attack Scenarios:
++An attacker can supply commands as parameters to the img.pl script.
++
++--
++Ease of Attack:
++Simple, exploit software exists but is not necessary.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Judy Novak
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2845.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2845
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure register_snapshot_repgroup
++. This procedure is included in
++sys.dbms_repcat_sna_utl.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000605.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++100000605
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Indexu" application running on a webserver.
++Access to the file "inv_unpaid.php" using a remote file being passed as the
++"admin_template_path" parameter may indicate that an exploitation attempt has
++been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "admin_template_path" parameter in the "inv_unpaid.php"
++script used by the "Indexu" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Indexu
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1880.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1880
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/631.txt
+@@ -0,0 +1,63 @@
++Rule:
++
++--
++Sid:
++631
++
++--
++Summary:
++This event is generated when an external user scans an internal SMTP
++server using Network Associates' Cybercop vulnerability scanner.
++
++--
++Impact:
++Information gathering.
++
++--
++Detailed Information:
++Cybercop Scanner is scanning software that searches for system
++vulnerabilities. As one of its scanning procedures, it sends an EHLO
++command to SMTP server ports to determine if the SMTP server will return
++a list of remote commands that it accepts.
++
++--
++Affected Systems:
++Any SMTP server that returns a list of acceptable commands for remote mailers.
++
++--
++Attack Scenarios:
++An attacker may run Cybercop Scanner against SMTP servers in order to
++determine vulnerabilities that can later be exploited.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure that your SMTP server does not provide more information than is
++necessary when it receives an EHLO request.
++
++--
++Contributors:
++Original rule writer unknown
++Modified by Brian Caswell
++Sourcefire Research Team
++Sourcefire Technical Publications Team
++Jen Harvey
++
++--
++Additional References:
++
++General Cybercop information:
++http://www.securityfocus.com/products/126
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3403.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3403
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2913.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2913
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure repcat_import_check
++. This procedure is included in
++sys.dbms_repcat_sna.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3106.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++3106
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft License Logging Service.
++
++--
++Impact:
++Serious. Execution of arbitrary code leading to unauthorized
++administrative access to the target host. Denial of Service (DoS) is
++also possible.
++
++--
++Detailed Information:
++Microsoft License Logging Service is used to manage licenses for
++Microsoft server products.
++
++A vulnerability in the service exists due to a programming error such
++that an unchecked buffer may present an attacker with the opportunity to
++exploit the service and run code of their choosing on an affected
++system. The attacker may then cause a DoS condition in the service or
++possibly gain administrative access to the target host.
++
++The unchecked buffer exists when processing the length of messages sent
++to the logging service.
++
++--
++Affected Systems:
++ Microsoft Windows Server 2003
++ Microsoft Windows Server 2000
++ Microsoft Windows NT Server
++
++--
++Attack Scenarios:
++An attacker can supply extra data in the message to the service
++containing code of their choosing to be run on the server.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/828.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++828
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1652.txt
+@@ -0,0 +1,63 @@
++Rule:
++
++--
++Sid:
++1652
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in version 1.2 of NCSA web server.
++
++--
++Impact:
++File retrieval leading to compromise of confidential information,
++potential root exploit.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to manipulate a cgi
++script to retrieve files outside the web root of version 1.2 of the NCSA
++web server.
++
++The vulnerability exists in the cgi script "campas"
++
++--
++Affected Systems:
++ web servers running a very old (1995) version of NCSA web
++ server may have this cgi script installed.
++
++--
++Attack Scenarios:
++The attacker can make an HTTP GET request to the script and include
++variables to retrieve a sensitive system file in the following manner:
++
++GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a
++
++--
++Ease of Attack:
++Simple. No exploit software required
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2258.txt
+@@ -0,0 +1,78 @@
++Rule:
++
++--
++Sid:
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the Microsoft Windows Messenger service.
++
++--
++Impact:
++Serious. Denial of Service (DoS), execution of arbitrary code is
++possible.
++
++--
++Detailed Information:
++Due to improper length validation in the Microsoft Windows Messenger
++service, it may be possible for an attacker to overwrite portions of
++memory. This can result in the attacker being presented with the
++opportunity to execute code of their choosing. Under some circumstances
++a Denial of Service condition may be possible against the target host.
++
++Specifically, this vulnerability may present the attacker with the
++opportunity to execute code with the privileges of the local system
++account with full access to all resources on the target host.
++
++--
++Affected Systems:
++ Microsoft Windows NT Workstation 4.0, Service Pack 6a
++ Microsoft Windows NT Server 4.0, Service Pack 6a
++ Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
++ Microsoft Windows 2000, Service Pack 2, Service Pack 3, Service Pack 4
++ Microsoft Windows XP Gold, Service Pack 1
++ Microsoft Windows XP 64-bit Edition
++ Microsoft Windows XP 64-bit Edition Version 2003
++ Microsoft Windows Server 2003
++ Microsoft Windows Server 2003 64-bit Edition
++
++--
++Attack Scenarios:
++The attacker may use one of the available exploits to target a
++vulnerable host.
++
++--
++Ease of Attack:
++Simple. Exploit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches and service packs.
++
++Disable the Windows messenger service
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++CERT:
++http://www.kb.cert.org/vuls/id/575892
++
++Microsoft:
++http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-043.asp
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2319.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid:
++2319
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Ebola from PLD Software.
++
++--
++Impact:
++Serious. Execution of arbitrary code may be possible.
++
++--
++Detailed Information:
++Ebola from PLD Software is used to improve the performance of Anti-Virus
++solutions on Linux systems.
++
++A buffer overflow condition is present in the authentication mechanism
++such that it may be triggered by the generation of an error message from
++an unsuccessful authentication attempt.
++
++--
++Affected Systems:
++ All versions of Ebola prior to 0.1.5
++
++--
++Attack Scenarios:
++An attacker can send specially crafted authentication attempts to the Ebola system and
++cause the buffer overflow thus presenting the opportunity to execute
++arbitrary code.
++
++--
++Ease of Attack:
++Simple. Expoits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3102.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++3102
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft License Logging Service.
++
++--
++Impact:
++Serious. Execution of arbitrary code leading to unauthorized
++administrative access to the target host. Denial of Service (DoS) is
++also possible.
++
++--
++Detailed Information:
++Microsoft License Logging Service is used to manage licenses for
++Microsoft server products.
++
++A vulnerability in the service exists due to a programming error such
++that an unchecked buffer may present an attacker with the opportunity to
++exploit the service and run code of their choosing on an affected
++system. The attacker may then cause a DoS condition in the service or
++possibly gain administrative access to the target host.
++
++The unchecked buffer exists when processing the length of messages sent
++to the logging service.
++
++--
++Affected Systems:
++ Microsoft Windows Server 2003
++ Microsoft Windows Server 2000
++ Microsoft Windows NT Server
++
++--
++Attack Scenarios:
++An attacker can supply extra data in the message to the service
++containing code of their choosing to be run on the server.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000695.txt
+@@ -0,0 +1,58 @@
++
++
++Rule:
++
++--
++Sid:
++100000695
++--
++Summary:
++This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VCard PRO" application running on a webserver. Access to the file "rating.php" with SQL commands being passed as the "card_id" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to inject SQL code from a remote machine via the "card_id" parameter in the "rating.php" script used by the "VCard PRO" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using VCard PRO
++--
++Attack Scenarios:
++An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++SQL Injection Attack and Defense
++http://www.securitydocs.com/library/3587
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1075.txt
+@@ -0,0 +1,67 @@
++Rule:
++
++--
++Sid: 1075
++
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
++
++--
++Impact:
++Information gathering possible administrator access.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
++
++The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
++
++The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
++
++Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
++
++--
++Affected Systems:
++Any host using IIS.
++
++--
++Attack Scenarios:
++An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
++
++Ensure that the IIS implementation is fully patched.
++
++Ensure that the underlying operating system is fully patched.
++
++Employ strategies to harden the IIS implementation and operating system.
++
++Check the host for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2283.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid:
++2283
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the PHP web application MediaWiki running on a server.
++
++--
++Impact:
++Possible execution of arbitrary code and unauthorized administrative
++access to the target system.
++
++--
++Detailed Information:
++This event indicates that an attempt may have been made to exploit a
++known vulnerability in the PHP application MediaWiki . This application
++does not perform stringent checks when handling user input, this may
++lead to the attacker being able to execute PHP code and include php files
++of the attackers choosing.
++
++--
++Affected Systems:
++ MediaWiki MediaWiki-stable 20031107
++ MediaWiki MediaWiki-stable 20030829
++
++--
++Attack Scenarios:
++An attacker can exploit weaknesses to gain access as the administrator
++by supplying input of their choosing to the underlying PHP script.
++
++--
++Ease of Attack:
++Simple. No exploit code is required.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1527.txt
+@@ -0,0 +1,67 @@
++Rule:
++
++--
++Sid:
++1527
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the Basilix webmail PHP script.
++
++An attacker can access mysql.class file to obtain MySQL login and use it
++for further attacks.
++ ++-- ++Impact: ++Serious. Password disclosure which can lead to further system ++compromise. ++ ++authenticate directly to a mysql database. Many Sun Cobalt Linux servers use Basilix webmail ++ ++-- ++Detailed Information: ++A webserver usually sends files in the webroot to an anonymous user ++without further processing. PHP scripts often include files (which ++contain configuration variables, functions, etc.) that are stored ++using a suffix that does not prevent a webserver sending them in clear ++text. The ".class" suffix is not usually explicitly denied in a standard ++web server configuration and the file "mysql.class" may be sent to the ++attacker. ++ ++-- ++Attack Scenarios: ++An attacker gets mysql.class containing database login credentials. The attacker can then connect to the database server using the login provided by mysql.class file and modify the database. ++ ++-- ++Ease of Attack: ++Simple ++ ++-- ++False Positives: ++File doesn't exist or mysql.class is for example a java class file publicly available on the server ++ ++-- ++False Negatives: ++None known ++ ++-- ++Corrective Action: ++Update Basilix script (www.basilix.org) ++ ++Check files which contain php code for a suffix that might be rendered in plaintext by the web server. ++ ++Workaround - register .class the same way that the extensions .php, .php3 or.php4 are registered in the web server configuration file. ++Note: .class is usually used by java applets ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++Snort documentation contributed by Ueli Kistler, ++-- ++Additional References: ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3042.txt +@@ -0,0 +1,64 @@ ++Rule: ++ ++-- ++Sid: ++3042 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in Ethereal. ++ ++-- ++Impact: ++Serious. Denial of Service (DoS). 
++ ++-- ++Detailed Information: ++Ethereal is a multi-platform network protocol analyser capable of ++displaying network data to the user in a graphical user interface. ++ ++An error in the processing of access control lists (ACLs) concerning the ++size of the access control entries (ACEs) may lead to a Denial of Service ++(DoS) condition in Ethereal. The ACL parsing routine trusts the size of ++the ACE given in the packet during processing. If a sufficiently large ACL ++structure is supplied combined with a specified ACE size of 0, it is ++possible to cause the DoS condition to occur. ++ ++-- ++Affected Systems: ++ Ethereal 0.10.7 and prior ++ ++-- ++Attack Scenarios: ++An attacker needs to craft packet data containing large NT ACLs, the ++attacker then needs to specify one of the ACEs as having a size of 0. ++ ++-- ++Ease of Attack: ++Moderate. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++Upgrade to the latest non-affected version of the software. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2039.txt +@@ -0,0 +1,89 @@ ++Rule: ++ ++-- ++Sid: ++2039 ++ ++-- ++Summary: ++The Dynamic Host Configuration Protocol (DHCP) daemon is used to issue ++dynamic IP addresses from a server to client machines. A vulnerability ++exists such that arbitrary code may be executed on the server using the ++credential of the super user (root). ++ ++-- ++Impact: ++Execution of code and possible control of the targeted machine. ++ ++-- ++Detailed Information: ++A format string vulnerabilty in some versions of dhcpd may lead to the ++execution of arbitrary code as the root user via a DNS server response. ++This is due to the unsafe logging of user data. 
The option NSUPDATE ++option in the configuration of dhcpd must be enabled, although this is a ++default option in version 3.0 and later. ++ ++Two exploits for this vulnerability are known to exist. ++ ++-- ++Affected Systems: ++ISC DHCPD 3.0 ++ Caldera OpenLinux Server 3.1 and 3.1.1 ++ Caldera OpenLinux Workstation 3.1 and 3.1.1 ++ Conectiva Linux 8.0 ++ MandrakeSoft Linux Mandrake 8.1, 8.1 ia64, 8.2, 8.2 ppc and 9.0 ++ MandrakeSoft Multi Network Firewall 8.2 ++ S.u.S.E. Linux 7.2, 7.3 and 8.0 ++ S.u.S.E. Linux Connectivity Server ++ S.u.S.E. Linux Database Server ++ S.u.S.E. Linux Enterprise Server 7 and S/390 ++ ++ISC DHCPD 3.0.1 rc8 and ISC DHCPD 3.0.1 rc7 ++ FreeBSD FreeBSD 4.1.1, 4.2, 4.3, 4.4 and 4.5 ++ ++ISC DHCPD 3.0.1 rc6 ++ S.u.S.E. Linux 8.0 and 8.0 i386 ++ ++ISC DHCPD 3.0.1 rc5, ISC DHCPD 3.0.1 rc4 ++OpenPKG OpenPKG 1.0 ++ ++ISC DHCPD 3.0.1 rc3, rc2 and rc1 ++ ++-- ++Attack Scenarios: ++The attacker could send a specially crafted packet to the dhcpd server or use one of the exploits widely available for this vulnerability. ++ ++-- ++Ease of Attack: ++Simple ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Patches from the vendor should be applied as soon as possible. ++ ++Upgrade to ISC DHCPD 3.0.1 rc 9. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Bugtraq: ++http://www.securityfocus.com/bid/4701 ++ ++CVE: ++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0702 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3098.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++3098 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in Microsoft License Logging Service. ++ ++-- ++Impact: ++Serious. Execution of arbitrary code leading to unauthorized ++administrative access to the target host. Denial of Service (DoS) is ++also possible. 
++ ++-- ++Detailed Information: ++Microsoft License Logging Service is used to manage licenses for ++Microsoft server products. ++ ++A vulnerability in the service exists due to a programming error such ++that an unchecked buffer may present an attacker with the opportunity to ++exploit the service and run code of their choosing on an affected ++system. The attacker may then cause a DoS condition in the service or ++possibly gain administrative access to the target host. ++ ++The unchecked buffer exists when processing the length of messages sent ++to the logging service. ++ ++-- ++Affected Systems: ++ Microsoft Windows Server 2003 ++ Microsoft Windows Server 2000 ++ Microsoft Windows NT Server ++ ++-- ++Attack Scenarios: ++An attacker can supply extra data in the message to the service ++containing code of their choosing to be run on the server. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++ ++Corrective Action: ++Apply the appropriate vendor supplied patches. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/106.txt +@@ -0,0 +1,92 @@ ++Rule: ++ ++-- ++Sid: ++106 ++ ++-- ++Summary: ++Backdoor.AckCmd is a Trojan Horse that uses TCP ACK segments to ++communicate. This Trojan may bypass firewalls that do not keep track of ++the session state in a TCP transaction. ++ ++-- ++Impact: ++Possible theft of data and control of the targeted machine leading to a ++compromise of all resources the machine is connected to. This Trojan ++also has the ability to delete data, steal passwords and disable the ++machine. Other versions are capable of launching DDoS attacks. 
++ ++-- ++Detailed Information: ++This Trojan affects the following operating systems: ++ ++ Windows 95 ++ Windows 98 ++ Windows ME ++ Windows NT ++ Windows 2000 ++ Windows XP ++ ++No other systems are affected. This is a windows executable that does ++not make changes to the system registry. ++ ++AckCmd is a "proof of concept" Trojan. ++ ++ SID Message ++ --- ------- ++ 106 ACKcmdC trojan scan ++ ++This event is indicative of an attacker attempting to locate AckCmd ++servers. ++ ++-- ++Attack Scenarios: ++This Trojan may be delivered to the target in a number of ways. This ++event is indicative of an existing infection being activated. Initial ++compromise can be in the form of a Win32 installation program that may ++use the extension ".jpg" or ".bmp" when delivered via e-mail for ++example. ++ ++-- ++Ease of Attack: ++This is Trojan activity, the target machine may already be compromised. ++Updated virus definition files are essential in detecting this Trojan. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++ ++Delete the file AckCmd.exe ++ ++A machine reboot is required to clear the existing process from running ++in memory. ++ ++In addition, the use of a firewall that correctly checks the state of a ++TCP session is recommended. ++ ++-- ++Contributors: ++Original Rule Writer Max Vision ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Whitehats arachNIDS ++http://www.whitehats.com/info/IDS485 ++ ++ntsecurity.nu ++ACK Tunneling Trojans ++http://ntsecurity.nu/papers/acktunneling/ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3317.txt +@@ -0,0 +1,70 @@ ++Rule: ++ ++-- ++Sid: ++3317 ++ ++-- ++Summary: ++This rule generates an event when an attempt is made to exploit a known ++vulnerability in Microsoft RPC DCOM. ++ ++-- ++Impact: ++Execution of arbitrary code leading to full administrator access of the ++machine. Denial of Service (DoS). 
++ ++-- ++Detailed Information: ++A vulnerability exists in Microsoft RPC DCOM such that execution of ++arbitrary code or a Denial of Service condition can be issued against a ++host by sending malformed data via RPC. ++ ++The Distributed Component Object Model (DCOM) handles DCOM requests sent ++by clients to a server using RPC. A malformed request to an RPC port ++will result in a buffer overflow condition that will present the ++attacker with the opportunity to execute arbitrary code with the ++privileges of the local system account. ++ ++-- ++Affected Systems: ++ Windows NT 4.0 ++ Windows NT 4.0 Terminal Server Edition ++ Windows 2000 ++ Windows XP ++ Windows Server 2003 ++ ++-- ++Attack Scenarios: ++An attacker may make a request for a file with an overly long filename ++via a network share. ++ ++-- ++Ease of Attack: ++Simple. Expoit code exists. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches. ++ ++Block access to RPC ports 135, 139 and 445 for both TCP and UDP ++protocols from external sources using a packet filtering firewall. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2979.txt +@@ -0,0 +1,64 @@ ++Rule: ++ ++-- ++Sid: ++2979 ++ ++-- ++Summary: ++This event is generated when an attempt is made to access the C$ default ++administrative share of a Windows host. ++ ++-- ++Impact: ++Serious. Possible administrator access to the host. Information ++disclosure. ++ ++-- ++Detailed Information: ++By default, Windows hosts have default administrative shares of the ++local hard drives using the format %DRIVE_LETTER% + $. Anybody with ++administrative rights can remotely access the share. ++ ++-- ++Affected Systems: ++ Windows hosts. 
++ ++-- ++Attack Scenarios: ++An attacker may be attempting to access files located on the C drive of ++the host. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Disallow Netbios access from external networks (tcp port 139). ++ ++-- ++Contributors: ++Original Rule Writer Unknown ++Sourcefire Research Team ++Nigel Houghton ++Snort documentation contributed by Josh Sakofsky ++ ++-- ++Additional References: ++ ++Arachnids: ++http://www.whitehats.com/info/IDS339 ++ ++Microsoft: ++http://support.microsoft.com/default.aspx?scid=kb;en-us;100517 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/122-21.txt +@@ -0,0 +1,93 @@ ++ ++ ++Rule: ++ ++-- ++Sid: ++122-21 ++ ++-- ++Summary: ++This event is generated when the pre-processor sfPortscan detects ++network traffic that may constitute an attack. Specifically a udp ++filtered portscan was detected. ++ ++-- ++Impact: ++Unknown. This is normally an indicator of possible network ++reconnaisance and may be the prelude to a targeted attack against the ++targeted systems. ++ ++-- ++Detailed Information: ++This event is generated when the sfPortscan pre-processor detects ++network traffic that may consititute an attack. ++ ++A portscan is often the first stage in a targeted attack against a ++system. An attacker can use different portscanning techniques and tools ++to determine the target host operating system and application versions ++running on the host to determine the possible attack vectors against ++that host. ++ ++More information on this event can be found in the individual ++pre-processor documentation README.sfportscan in the docs directory of ++the snort source. Descriptions of different types of portscanning ++techniques can also be found in the same documentation, along with ++instructions and examples on how to tune and use the pre-processor. ++ ++-- ++Affected Systems: ++ All. 
++ ++-- ++Attack Scenarios: ++An attacker often uses a portscanning technique to determine operating ++system type and version and also application versions to determine ++possible effective attack vectors that can be used against the target ++host. ++ ++-- ++Ease of Attack: ++Simple. Many portscanning tools are freely available. ++ ++-- ++False Positives: ++While not necessarily a false positive, a security audit or penetration ++test will often employ the use of a portscan in the same way an ++attacker might use the technique. If this is the case, the ++pre-processor should be tuned to ignore the audit if so desired. ++ ++-- ++False Negatives: ++None Known. ++ ++-- ++Corrective Action: ++Check for other events targeting the host. ++ ++Check the target host for signs of compromise. ++ ++Apply any appropriate vendor supplied patches as appropriate. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Daniel Roelker ++Marc Norton ++Jeremy Hewlett ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Nmap: ++http://www.insecure.org/nmap/ ++ ++Port Scanning Techniques and the Defense Against Them - Roger ++Christopher, SANS: ++http://www.sans.org/rr/whitepapers/auditing/70.php ++ ++Hypervivid Tiger Team - Port-Scanning: A Practical Approach ++http://www.hcsw.org/reading/nmapguide.txt ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2455.txt +@@ -0,0 +1,52 @@ ++Rule: ++ ++-- ++Sid: ++2455 ++ ++-- ++Summary: ++This event is generated when a host in your network that has Yahoo Instant Messenger running has sent a message to a Yahoo IM conference. ++ ++-- ++Impact: ++Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments. ++ ++-- ++Detailed Information: ++A Yahoo IM conference allows multiple users to participate in the exchange of text and voice messages, as well as share files and webcams. 
It is possible that a file that is exchanged may contain malicious code such as as virus, worm, Trojan, or backdoor. Also, since all exchanges are done via Yahoo IM servers and in clear text, there should be no expectation of privacy. ++ ++-- ++Affected Systems: ++Any host running Yahoo Instant Messenger. ++ ++-- ++Attack Scenarios: ++A Yahoo IM user may unwittingly accept a malicious file. ++ ++-- ++Ease of Attack: ++Easy to transfer a malicious file. ++ ++-- ++False Positives: ++None Known. ++ ++-- ++False Negatives: ++It may be possible for Yahoo IM traffic to use other ports than the default expected ones. ++ ++-- ++Corrective Action: ++Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Judy Novak ++-- ++Additional References: ++Yahoo Protocol ++http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2835.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++2835 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database server. ++ ++-- ++Impact: ++Serious. Possible execution of arbitrary code and Denial of Service. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database implementation. Multiple buffer ++overflow conditions are present in numerous packages and procedures. ++ ++Exploitation of these vulnerable procedures may allow an attacker to ++execute code of their choosing as the user running the database. In the ++case of databases running on Microsoft Windows platforms, this is the ++Local System account which may mean a compromise of the operating system ++as well as the database. ++ ++This event indicates that an attempt has been made to exploit a ++vulnerability in the procedure purge_master_log ++. 
This procedure is included in ++sys.dbms_repcat_mas. ++ ++-- ++Affected Systems: ++ Oracle Oracle9i ++ ++-- ++Attack Scenarios: ++If an attacker can supply enough data to the procedure in question, it ++may be possible to cause the overflow condition to occur and present the ++attacker with the opportunity to execute code of their choosing. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Alex Kirk ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/121-3.txt +@@ -0,0 +1,98 @@ ++ ++ ++Rule: ++ ++-- ++Sid: ++121-3 ++ ++-- ++Summary: ++This event is generated when the pre-processor flow-portscan detects ++network traffic that may constitute an attack. Specifically a fixed ++scale talker limit exceeded event was generated. ++ ++-- ++Impact: ++Unknown. This is normally an indicator of possible network ++reconnaisance and may be the prelude to a targeted attack against the ++targeted systems. ++ ++-- ++Detailed Information: ++This event is generated when the flow-portscan pre-processor detects ++network traffic that may consititute an attack. ++ ++The flow-portscan pre-processor uses a flow based technique to identify ++portscanning in one-to-many and many-to-one scenarios based on flow ++creation in the flow pre-processor. ++ ++A portscan is often the first stage in a targeted attack against a ++system. An attacker can use different portscanning techniques and tools ++to determine the target host operating system and application versions ++running on the host to determine the possible attack vectors against ++that host. ++ ++More information on this event can be found in the individual ++pre-processor documentation README.flow-portscan in the docs directory ++of the snort source. 
Descriptions of different types of portscanning ++techniques can also be found in the same documentation, along with ++detailed instructions and examples on how to tune and use the ++pre-processor. ++ ++-- ++Affected Systems: ++ All. ++ ++-- ++Attack Scenarios: ++An attacker often uses a portscanning technique to determine operating ++system type and version and also application versions to determine ++possible effective attack vectors that can be used against the target ++host. ++ ++-- ++Ease of Attack: ++Simple. Many portscanning tools are freely available. ++ ++-- ++False Positives: ++While not necessarily a false positive, a security audit or penetration ++test will often employ the use of a portscan in the same way an ++attacker might use the technique. If this is the case, the ++pre-processor should be tuned to ignore the audit if so desired. ++ ++-- ++False Negatives: ++None Known. ++ ++-- ++Corrective Action: ++Check for other events targeting the host. ++ ++Check the target host for signs of compromise. ++ ++Apply any appropriate vendor supplied patches as appropriate. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Chris Green ++Daniel Roelker ++Marc Norton ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Nmap: ++http://www.insecure.org/nmap/ ++ ++Port Scanning Techniques and the Defense Against Them - Roger ++Christopher, SANS: ++http://www.sans.org/rr/whitepapers/auditing/70.php ++ ++Hypervivid Tiger Team - Port-Scanning: A Practical Approach ++http://www.hcsw.org/reading/nmapguide.txt ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000840.txt +@@ -0,0 +1,55 @@ ++ ++ ++Rule: ++ ++-- ++Sid: ++100000840 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "FlatNuke" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "mod" parameter may indicate that an exploitation attempt has been attempted. 
++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a remote machine via the "mod" parameter in the "index.php" script used by the "FlatNuke" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++All systems running CGI applications using FlatNuke ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. 
++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/2662.txt +@@ -0,0 +1,54 @@ ++Rule: ++ ++-- ++Sid: ++2662 ++ ++-- ++Summary: ++This rule is intended to increase the accuracy of rules designed to ++generate events based on attempts to exploit implementations of Secure ++Socket Layer (SSL) version 2. ++ ++-- ++Impact: ++None. This is a protocol decode rule that does not generate events. ++ ++-- ++Detailed Information: ++This is a protocol decode rule that does not generate events. ++ ++-- ++Affected Systems: ++NA ++ ++-- ++Attack Scenarios: ++NA ++ ++-- ++Ease of Attack: ++NA ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++NA ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/329.txt +@@ -0,0 +1,65 @@ ++Rule: ++ ++-- ++Sid: 329 ++ ++-- ++Summary: ++This is an intelligence gathering activity. This event is indicative of a connection laundering attack against the finger daemon ++ ++-- ++Impact: ++The attacker may obtain information about a third party host without making a direct connection to that host. ++ ++-- ++Detailed Information: ++The event is generated when an attempt to use a machine to run ++finger queries against a third party UNIX system is attempted by the ++Cybercop vulnerability scanner. ++ ++The attack utilizes "finger forwarding" functionality, normally used to forward queries to a third party machine. The information is obtained without a direct connection to the said third party, since the target system performs a connection to the third party host for the attacker. ++ ++The Finger daemon is used to provide information about users on a UNIX system. It used to be installed and enabled by default on most UNIX/Linux systems. 
The attack if successful, will confirm that the target host will try to forward queries. ++ ++-- ++ ++Attack Scenarios: ++An attacker uses the Cybercop vulnerability scanner to test for this weakness. ++ ++-- ++ ++Ease of Attack: ++Simple, performed by a scanner ++ ++-- ++ ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++ ++Corrective Action: ++Disable the finger daemon or upgrade to a daemon without finger forwarding functionality ++ ++ ++-- ++Contributors: ++Original rule written by Max Vision ++Snort documentation contributed by Anton Chuvakin ++Sourcefire Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++CVE: ++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0105 ++ ++Arachnids: ++http://www.whitehats.com/info/IDS11 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2036.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++2036 ++ ++-- ++Summary: ++Network Status Monitor (NSM) is used to indicate whether a host is up or ++for its status. ++ ++-- ++Impact: ++Intelligence gathering about the current state of a host and whether rpc ++services are available. ++ ++-- ++Detailed Information: ++NSM runs on client machines and informs other hosts of the status of ++that machine should a crash or reboot occur. Each remote application ++using an rpc service can therefore register with the host when services ++are once again available. ++ ++A request made to a machine will indicate to the attacker the status of ++that host and will also be indicative of rpc services being available. ++The attacker might then continue to ascertain which rpc services are ++being offered and then launch an attack on vulnerable daemons. ++ ++-- ++Affected Systems: ++Any system running the service. ++ ++-- ++Attack Scenarios: ++An attacker merely needs to request the status of the host using rpc. 
++ ++-- ++Ease of Attack: ++Simple ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Disallow all RPC requests from external sources and use a firewall to ++block access to RPC ports from outside the LAN. ++ ++Use the hosts.allow file to restrict the hosts able to request the ++status of the server. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Network Status Monitor Protocol, The Open Group: ++http://www.opengroup.org/onlinepubs/009629799/chap11.htm ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2654.txt +@@ -0,0 +1,65 @@ ++Rule: ++ ++-- ++Sid: ++2654 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in the web application PHPNuke. ++ ++-- ++Impact: ++SQL Injection is possible leading to a complete compromise of the data ++in the application database. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to exploit a known ++vulnerability in the PHPNuke web application running on a server. ++ ++Insufficient checks are made on user input supplied to the script ++"viewtopic.php", exploitation of this issue could present an attacker ++with the opportunity to inject SQL code of their choosing into a ++vulnerable system. ++ ++-- ++Affected Systems: ++ PHPNuke 6.0 ++ PHPNuke 6.5 RC2 ++ ++-- ++Attack Scenarios: ++An attacker can supply code of their choice by including it in the ++URI that calls on viewtopic.php. ++ ++-- ++Ease of Attack: ++Simple. No exploit software required. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++Consider reviewing the database permissions for the application. 
++ ++-- ++Contributors: ++Sourcefire Research Team ++Ricky MacAtee ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2559.txt +@@ -0,0 +1,71 @@ ++Rule: ++ ++-- ++Sid: ++2559 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in Oracle Application Server Web Cache. ++ ++-- ++ ++Impact: ++Serious. Possible execution of arbitrary code leading to remote ++administrative access. ++ ++-- ++Detailed Information: ++The Oracle Application Server Web Cache is vulnerable to a buffer ++overrun caused by poor checking of the length of an HTTP Header. If a ++large invalid HTTP Request Method is supplied to a vulnerable system, an ++attacker may be presented with the opportunity to overrun a fixed length ++buffer and subsequently execute code of their choosing on the server. ++ ++-- ++Affected Systems: ++Oracle Application Server Web Cache 10g 9.0.4 .0 ++Oracle Oracle9i Application Server Web Cache 2.0 .0.4 ++Oracle Oracle9i Application Server Web Cache 9.0.2 .3 ++Oracle Oracle9i Application Server Web Cache 9.0.2 .2 ++Oracle Oracle9i Application Server Web Cache 9.0.3 .1 ++ ++-- ++ ++Attack Scenarios: ++An attacker might supply an HTTP Request Method of more than 432 bytes, ++causing the overflow to occur. ++ ++-- ++ ++Ease of Attack: ++Simple. ++ ++-- ++ ++False Positives: ++None Known ++ ++-- ++False Negatives: ++This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible ++to configure the Oracle Web Cache server to run on different ports. The rule ++should be configured to reflect the appropriate ports of Oracle Web Cache ++servers on your network. 
++ ++-- ++ ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++-- ++Contributors: ++Sourcefire Research Team ++Judy Novak ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000848.txt +@@ -0,0 +1,66 @@ ++Rule: ++ ++-- ++Sid: ++100000848 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a cross site ++scripting vulnerability in the "PhpWebGallery" application running on a ++webserver. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution of ++arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to exploit a cross site ++scripting vulnerability via the "keyword" parameter in the "comments.php" ++script ++used by the "PhpWebGallery" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also ++be possible for an attacker to retrieve sensitive data, execute system binaries ++or malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++All systems running CGI applications using PhpWebGallery ++-- ++Attack Scenarios: ++An attacker can supply a malicious link designed to steal information from a ++user clicking on that link. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had ++all vendor supplied patches applied. 
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Chris Jacob
++
++--
++Additional References:
++
++The Cross Site Scripting (XSS) FAQ
++http://www.cgisecurity.com/articles/xss-faq.shtml
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/232.txt
+@@ -0,0 +1,70 @@
++Rule:
++--
++Sid:
++232
++
++--
++Summary:
++This event is generated when a pong packet for the Trinoo (aka trin00)
++DDos suite is detected.
++
++--
++Impact:
++This may indicate a compromised system or be the prelude to a
++Distributed Denial of Service (DDoS) attack.
++
++--
++Detailed Information:
++Once a Trinoo client has been installed on a compromised machine and a master is
++ready and listening, the master sends a "png" (ping) command to its drones in
++an attempt to enumerate the drone network. A functioning client will respond to
++port 31335/udp with the text "PONG".
++
++Once a machine becomes part of a trin00 network, a Denial of Service (DoS)
++is typically initiated against one (or more) victim machines.
++
++--
++Affected Systems:
++
++--
++Attack Scenarios:
++As part of a large scale attack against a machine or a network, an
++attacker will compromise large numbers of machines which will form the
++army that the trin00 master daemon will command. The master daemon
++typically instructs the clients to send mass-quantities of packets to
++a set of victim hosts. If the traffic is sufficient, the victim
++machines will become resource deprived and thus endure a DoS condition.
++
++--
++Ease of Attack:
++Simple. Trinoo client and master programs are widely available.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Disconnect infected machine(s) from the network immediately.
++
++Use software to determine if a host has been compromised using a
++rootkit.
++
++--
++Contributors:
++Original rule writer unknown
++Snort documentation contributed by Jon Hart
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++SANS:
++http://www.sans.org/newlook/resources/IDFAQ/trinoo.htm
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2312.txt
+@@ -0,0 +1,63 @@
++Rule:
++
++--
++Sid:
++2312
++
++--
++Summary:
++This event is generated when suspicious shell code is detected in
++network traffic.
++
++--
++Impact:
++Denial of Service (DoS) possible execution of arbitrary code.
++
++--
++Detailed Information:
++This event is generated when suspicious shell code is detected. Many
++buffer overflow attacks contain large numbers of NOOP instrucions to pad
++out the request. Other attacks contain specific shell code sequences
++directed at certain applications or services.
++
++The shellcode in question may also use Unicode encoding.
++
++--
++Affected Systems:
++ Any software running on x86 architecture.
++
++--
++Attack Scenarios:
++An attacker may exploit a DCERPC service by sending shellcode in the RPC
++data stream. Sending large amounts of data to the Microsoft Workstation
++service can cause a buffer overflow condition in the logging function
++thus presenting an attacker with the opportunity to issue a DoS attack
++or in some cases, to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple. Many exploits exist.
++
++--
++False Positives:
++False positives may be generated by binary file transfers.
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Make sure the target host has all current patches applied and has the
++latest software versions installed.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2871.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2871
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure alter_priority_nchar
++. This procedure is included in
++sys.dbms_repcat_conf.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1537.txt
+@@ -0,0 +1,67 @@
++Rule:
++
++--
++Sid:
++1537
++
++--
++Summary:
++This event is generated when an attempt is made to exploit an
++authentication vulnerability in a web server or an application running
++on that server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a web server or an application running ona web server. Some
++applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++
++--
++Attack Scenarios:
++An attacker can access the authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Disallow administrative access from sources external to the protected
++network.
++
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2081.txt
+@@ -0,0 +1,78 @@
++Rule:
++
++--
++Sid:
++2081
++
++--
++Summary:
++number for the rpc service xfsmd
++
++--
++Impact:
++Intelligence gathering
++
++--
++Detailed Information:
++This may be an attacker probing for vulnerable versions of rpc services.
++In this case, the rpc service xfsmd.
++
++It is possible for an attacker to supply a meta character followed by
++any commands or code of his choosing to the xfsmd daemon.
++
++Due to a programming error, the service does not correctly check for the
++characters and they are not stripped from the request.
++
++The xfsmd daemon is not installed by default on IRIX systems but it is
++part of an optional package.
++
++--
++Affected Systems:
++ IRIX 6.2
++ IRIX 6.3
++ IRIX 6.4
++ IRIX 6.5.x
++
++--
++Attack Scenarios:
++Exploits are widely available.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Patches are NOT available for this issue.
++
++Disable and remove the xfsmd daemon.
++
++Uprade to the latest non affected version of the operating system
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Bugtraq:
++http://www.securityfocus.com/bid/5075
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0359
++
++SGI IRIX:
++ftp://patches.sgi.com/support/free/security/advisories/20020606-01-I
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2235.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++2235
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a buffer
++overflow in Trend Micro InterScan eManager.
++
++--
++Impact:
++Serious. Remote administrative access is possible.
++
++--
++Detailed Information:
++Versions of Trend Micro InterScan eManager suffer from a buffer overflow
++condition that can present an attacker with the opportunity to execute
++arbitrary code of their choosing which could lead to remote access to
++the server.
++
++--
++Affected Systems:
++ Trend Micro InterScan eManager 3.51
++
++--
++Attack Scenarios:
++If the buffer overflow condition is met, the attacker can run code of
++their choosing on the affected host.
++
++--
++Ease of Attack:
++Moderate.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++Disable the web interface
++
++Enable NTLM authentication for the administrative interface
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Bugtraq:
++http://www.securityfocus.com/bid/3327
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/491.txt
+@@ -0,0 +1,63 @@
++Rule:
++--
++Sid:
++491
++
++--
++Summary:
++This event is generated when a failed attempt to login to an FTP server
++is detected.
++
++--
++Impact:
++Unknown. Multiple events may indicate an attempt to enumerate accounts
++and passwords using brute force methodology.
++
++--
++Detailed Information:
++This event is generated when a failed attempt to login to an FTP server
++is detected.
++
++Multiple events may indicate an attempt to enumerate accounts
++and passwords using brute force methodology.
++
++--
++Affected Systems:
++ All FTP Servers
++
++--
++Attack Scenarios:
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Check FTP logs for access attempts.
++
++Disallow FTP access from sources external to the protected network.
++
++Consider using Secure Shell as a replacement for FTP services.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++RFC:
++http://www.faqs.org/rfcs/rfc959.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1261.txt
+@@ -0,0 +1,61 @@
++Rule:
++
++--
++Sid:
++1261
++
++--
++Summary:
++This event is genereated when an attempt to overflow the buffer of the
++IBM Program Database Name Server Daemon (PDNSD) is made.
++
++--
++Impact:
++Serious. System compromize presenting the attacker with the opportunity
++to gain remote access to the victim host or execute arbitrary code with
++the privileges of the superuser account.
++
++--
++Detailed Information:
++Some versions of IBM PDSND for AIX are vulnerable to a buffer overflow
++condition which can present the attacker with root privileges.
++
++
++Affected Systems:
++ PDSND versions 2 and 3
++
++--
++Attack Scenarios:
++Exploit scripts are available
++
++--
++Ease of Attack:
++Simple. Exploits are available.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++Disable the PDSND daemon.
++
++--
++Contributors:
++Original rule writer unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++CIAC:
++http://www.ciac.org/ciac/bulletins/j-059.shtml
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2460.txt
+@@ -0,0 +1,61 @@
++Rule:
++
++--
++Sid:
++2460
++
++--
++Summary:
++This event is generated when a host in your network that has Yahoo
++Instant Messenger running requests to view a webcam listen to an audio
++message of another Yahoo IM user.
++
++--
++Impact:
++Possible policy violation. Instant Messenger programs may not be
++appropriate in certain network environments.
++
++--
++Detailed Information:
++This event indicates that a Yahoo IM user in your network is requesting
++to view a webcam or listen to an audio message of another Yahoo IM user.
++While there are no known exploits associated with showing or viewing
++webcams, it is possible that this activity is inappropriate in certain
++environments.
++
++--
++Affected Systems:
++Any host running Yahoo Instant Messenger.
++
++--
++Attack Scenarios:
++No known attack scenarios.
++
++--
++Ease of Attack:
++No known attack scenarios.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++It may be possible for Yahoo IM traffic to use other ports than the
++default expected ones.
++
++--
++Corrective Action:
++Disallow the use of IM clients on the protected network and enforce or
++implement an organization wide policy on the use of IM clients.
++
++--
++Contributors:
++Sourcefire Research Team
++Judy Novak
++--
++Additional References:
++Yahoo Protocol
++http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2241.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid:
++2241
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerablity in NetWin CWMail 2.7.
++
++--
++Impact:
++Serious. Execution of arbitrary code is possible.
++
++--
++Detailed Information:
++Certain versions of NetWin CWMail suffer from a buffer overflow
++condition that can present an attacker with the opportunity to execute
++code of their choosing on the server.
++
++--
++Affected Systems:
++ NetWin CWMail 2.7, a, b, c, d, f, i, j, k, l, m, n, o, p, q, s and t
++
++--
++Attack Scenarios:
++The attacker would need to supply a large amount of characters to the
++"item=" parameter which could then cause the overflow condition to
++occur.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Bugtraq:
++http://www.securityfocus.com/bid/4093
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1617.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1617
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1394.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++
++1394
++
++--
++Summary:
++This event is generated when an attempt is made to possibly overflow a buffer.
++
++The NOOP warning occurs when a series of NOOP (no operation) are found in a stream. Most buffer overflow exploits typically use NOOPs sleds to pad the code.
++
++--
++Impact:
++
++This might indicate someone is trying to use a buffer overflow exploit.
++
++Full compromise of system is possible if the exploit is successful.
++
++--
++Detailed Information:
++This rule detects a large number of consecutive NOOP instructions used in padding code. It's not specific to a particular service exploit, but rather used to try and detect buffer overflows in general. It is common for buffer overflow code to contain a large sequence of NOOP instructions as it increases the odds of successful execution of the useful shellcode.
++
++--
++Affected Systems:
++
++ Any x86 programs.
++
++--
++Attack Scenarios:
++An attacker uses a buffer overflow exploit which contains the following payload:
++
++ 90 90 90 90 90 90 90 90 90 90 /bin/sh
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++High, This event may be generated by applications such as ftp and http
++when binary data is being transfered.
++
++A false Positive can be generated if the snort sensor detects text from an IRC
++client or any other application that passes data plaintext. The event is
++generated if snort detects several (a) characters in a row - such as
++'aaaaaaaaaa'.
++
++--
++False Negatives:
++
++None known
++
++--
++Corrective Action:
++Apply a non-executable user stack patch to your kernel
++
++Secure programming/execution of a program
++
++Check the destination host and service to verify if any buffer overflow vulnerability exists.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3222.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3222
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2365.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid:
++2365
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the PHP web application newsPHP.
++
++--
++Impact:
++Execution of arbitrary code on the affected system
++
++--
++Detailed Information:
++newsPHP contains a flaw such that it may be possible for an attacker
++to include code of their choosing by manipulating the variable LangFile when
++making a GET or POST request to a vulnerable system.
++
++It may be possible for an attacker to execute that code with the
++privileges of the user running the webserver, usually root.
++
++--
++Affected Systems:
++ newsPHP newsPHP 216
++
++--
++Attack Scenarios:
++An attacker can make a request to an affected script and define their
++own path for the LangFile variable.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Upgrade to the latest non-affected version of the software
++
++--
++Contributors:
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000483.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++100000483
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Wheatblog" application running on a webserver.
++Access to the file "view_links.php" using a remote file being passed as the
++"wb_inc_dir" parameter may indicate that an exploitation attempt has been
++attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "wb_inc_dir" parameter in the "view_links.php" script
++used by the "Wheatblog" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Wheatblog
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2641.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++2641
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a Oracle database implementation.
++
++--
++Impact:
++Serious. Execution of arbitrary code may be possible. A Denial of
++Service (DoS) condition may also be caused.
++
++--
++Detailed Information:
++Oracle databases may use a built-in procedure to assist in database
++replication. The "drop_site_instantiate" procedure contains a
++programming error that may allow an attacker to execute a buffer
++overflow attack.
++
++This overflow is triggered by a long string in a parameter for the
++procedure.
++
++If you are running Oracle on a Windows server, make sure that the
++variable $ORACLE_PORTS is set to a value of "any".
++
++--
++Affected Systems:
++ Oracle 9i
++
++--
++Attack Scenarios:
++An attacker can supply a long string to the "refresh_template_name"
++variable to cause the overflow. The result could permit the attacker
++to gain escalated privileges and run code of their choosing. This
++attack requires an attacker to logon to the database with a valid
++username and password combination.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Matt Watchinski
++Brian Caswell
++Nigel Houghton
++Judy Novak
++
++--
++Additional References:
++
++Other:
++http://www.appsecinc.com/Policy/PolicyCheck629.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1625.txt
+@@ -0,0 +1,54 @@
++Rule:
++
++--
++Sid:
++1625
++
++--
++Summary:
++This event is generated when activity relating to spurious ftp traffic is detected on the network.
++
++--
++Impact:
++Varies from information gathering to a serious compromise of an ftp server.
++
++--
++Detailed Information:
++FTP is used to transfer files between hosts. This event is indicative of spurious activity in FTP traffic between hosts.
++
++The event may be the result of a transfer of a known protected file or it could be an attempt to compromise the FTP server by overflowing a buffer in the FTP daemon or service.
++
++--
++Attack Scenarios:
++A user may transfer sensitive company information to an external party using FTP.
++
++An attacker might utilize a vulnerability in an FTP daemon to gain access to a host, then upload a Trojan Horse program to gain control of that host.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Disallow access to FTP resources from hosts external to the protected network.
++
++Use secure shell (ssh) to transfer files as a replacement for FTP.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2483.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid:
++2176
++
++
++--
++Summary:
++This event is generated when an attempt is made to shutdown a service via SMB.
++
++--
++Impact:
++Serious.
++
++--
++Detailed Information:
++This event indicates that an attempt was made to shutdown a service
++on a system using SMB across the network.
++
++--
++Affected Systems:
++ Microsoft Windows systems.
++
++--
++Attack Scenarios:
++An attacker may try to deny services to other users.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Check the host for signs of system compromise.
++
++Turn off file and print sharing on the target host.
++
++Use a packet filtering firewall to disallow SMB access to the host from
++sources external to the protected network.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/257.txt
+@@ -0,0 +1,59 @@
++Rule:
++
++--
++Sid:
++257
++
++--
++Summary:
++This event is generated when an attempt is made to determine the version
++of BIND being used on a DNS server.
++
++--
++Impact:
++Information gathering. This activity may indicate reconnaisance before
++an impending attack.
++
++--
++Detailed Information:
++A remote machine attempted to determine the version of BIND running on a
++nameserver.
++
++--
++Affected Systems:
++ All DNS nameservers
++
++--
++Attack Scenarios:
++As part of reconnaissance leading upto a potential intrusion attempt, an
++attacker may attempt to determine the BIND version that is in use so
++that a vulnerable version can be used as an attack vector.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Disable the ability for untrusted (remote) machines to determine the named
++version.
++
++--
++Contributors:
++Original rule writer unknown
++Snort documentation contributed by Jon Hart
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1016.txt
+@@ -0,0 +1,56 @@
++Rule:
++
++--
++Sid:
++1016
++
++--
++Summary:
++This event is generated when an attempt is made to craft a URL containing a reference to the "/global.asa" file.
++
++--
++Impact:
++Intelligence gathering. This attack may permit disclosure of the source code of global.asa file that is not normally available for viewing.
++
++--
++Detailed Information:
++Microsoft Internet Information Services (IIS) 5.0 contains scripting engines to support various advanced files types such as .ASP and .HTR. The scripting engines permit the execution of server-side processing. IIS determines which scripting engine is appropriate depending on the file extension. If an attacker crafts a URL request ending in 'Translate: f' and followed by a slash '/', IIS fails to send the file to the appropriate scripting engine for processing. Instead, it returns the source code of a referenced file, such as global.asa, to the browser. The Nessus vulnerability scanner references the global.asa file in a GET request to determine whether a host is susceptible to this exploit.
++
++--
++Affected Systems:
++Microsoft IIS 5.0
++
++--
++Attack Scenarios:
++An attacker can craft a URL that includes the 'Translate: f' followed by a '/' to disclose the source code of a file such as global.asa on the vulnerable server.
++
++--
++Ease of Attack:
++Simple. The Nessus vulnerability scanner can test for this exploit.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Apply the patch referenced in the Microsoft link.
++
++--
++Contributors:
++Original rule writer unknown
++Modified by Brian Caswell
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++Microsoft
++http://www.microsoft.com/technet/security/bulletin/MS00-058.asp
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1672.txt
+@@ -0,0 +1,74 @@
++Rule:
++
++--
++Sid:
++1672
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a buffer overflow associated with certain versions of the Sun Solaris FTP server.
++
++--
++Impact:
++Reconnaissance. An attacker may be able to examine records from the password shadow file.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a buffer overflow vulnerability associated with a globbing function in Sun Solaris FTP servers. An attacker may exploit this vulnerability by logging into the FTP server with a valid username and an invalid password then supplying the command "CWD ~". This may produce a core dump in the root directory with world-readable permissions that could be examined to discover valid FTP users for the server.
++
++--
++Affected Systems:
++
++SPARC
++
++ * Solaris 2.5 without patch 103577-13
++ * Solaris 2.5.1 without patch 103603-16
++ * Solaris 2.6 without patch 106301-03
++ * Solaris 2.7 without patch 110646-02
++ * Solaris 2.8 without patch 111606-01
++
++Intel
++
++ * Solaris 2.5 without patch 103578-13
++ * Solaris 2.5.1 without patch 103604-16
++ * Solaris 2.6 without patch 106302-03
++ * Solaris 2.7 without patch 110647-02
++ * Solaris 2.8 without patch 111607-01
++
++--
++Attack Scenarios:
++An attacker may attempt to exploit this vulnerability to learn valid FTP usernames to later attempt brute force guessing of passwords.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software or apply the appropriate patch.
++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++Judy Novak ++ ++-- ++Additional References: ++ ++Bugtraq: ++http://www.securityfocus.com/bid/2601 ++ ++CVE: ++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0421 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2771.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++2771 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database server. ++ ++-- ++Impact: ++Serious. Possible execution of arbitrary code and Denial of Service. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database implementation. Multiple buffer ++overflow conditions are present in numerous packages and procedures. ++ ++Exploitation of these vulnerable procedures may allow an attacker to ++execute code of their choosing as the user running the database. In the ++case of databases running on Microsoft Windows platforms, this is the ++Local System account which may mean a compromise of the operating system ++as well as the database. ++ ++This event indicates that an attempt has been made to exploit a ++vulnerability in the procedure drop_priority_char ++. This procedure is included in ++dbms_repcat. ++ ++-- ++Affected Systems: ++ Oracle Oracle9i ++ ++-- ++Attack Scenarios: ++If an attacker can supply enough data to the procedure in question, it ++may be possible to cause the overflow condition to occur and present the ++attacker with the opportunity to execute code of their choosing. ++ ++-- ++Ease of Attack: ++Simple. 
++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Alex Kirk ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2961.txt +@@ -0,0 +1,68 @@ ++Rule: ++ ++-- ++Sid: ++2961 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE) ++services. ++ ++-- ++Impact: ++Serious. Execution of arbitrary code with system level privileges ++ ++-- ++Detailed Information: ++A vulnerability exists in Microsoft NetDDE that may allow an attacker to ++run code of their choosing with system level privileges. A programming ++error in the handling of network messages may give an attacker the ++opportunity to overflow a fixed length buffer by using a specially ++crafted NetDDE message. ++ ++This service is not started by default on Microsoft Windows systems, but ++this issue can also be exploited locally in an attempt to escalate ++privileges after a successful attack from an alternate vector. ++ ++-- ++Affected Systems: ++ Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems. ++ ++-- ++Attack Scenarios: ++An attacker needs to craft a special NetDDE message in order to overflow ++the affected buffer. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches ++ ++Disable the NetDDE service. 
++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Microsoft Security Bulletin MS04-031: ++http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/532.txt +@@ -0,0 +1,59 @@ ++Rule: ++ ++-- ++Sid: ++532 ++ ++-- ++Summary: ++This event is generated when an attempt is made to access an administrative share on a Windows machine. ++ ++-- ++Impact: ++Serious. Possible administrator access on the victim machine. ++ ++-- ++Detailed Information: ++This rule generates an event when the hidden Netbios share Admin$, which is the Winnt directory, is accessed via SMB. ++ ++This is a poor security practice or an indication that a machine is being accessed remotely. ++ ++-- ++Affected Systems: ++ Windows 9x ++ Windows 2000 ++ Windows XP ++ ++-- ++Attack Scenario: ++This can be accessed from GUI "map network drive" remotely ++ ++-- ++Ease of Attack: ++Simple ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Use a packet filtering firewall to disallow Netbios access from the unprotected network. ++ ++-- ++Contributors: ++Original Rule Writer Unknown ++Sourcefire Research Team ++Nigel Houghton ++Snort documentation contributed by Jake Babbin ++ ++-- ++References: ++ ++arachnids 340 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2560.txt +@@ -0,0 +1,71 @@ ++Rule: ++ ++-- ++Sid: ++2560 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in Oracle Application Server Web Cache. ++ ++-- ++ ++Impact: ++Serious. Possible execution of arbitrary code leading to remote ++administrative access. ++ ++-- ++Detailed Information: ++The Oracle Application Server Web Cache is vulnerable to a buffer ++overrun caused by poor checking of the length of an HTTP Header. 
If a ++large invalid HTTP Request Method is supplied to a vulnerable system, an ++attacker may be presented with the opportunity to overrun a fixed length ++buffer and subsequently execute code of their choosing on the server. ++ ++-- ++Affected Systems: ++Oracle Application Server Web Cache 10g 9.0.4 .0 ++Oracle Oracle9i Application Server Web Cache 2.0 .0.4 ++Oracle Oracle9i Application Server Web Cache 9.0.2 .3 ++Oracle Oracle9i Application Server Web Cache 9.0.2 .2 ++Oracle Oracle9i Application Server Web Cache 9.0.3 .1 ++ ++-- ++ ++Attack Scenarios: ++An attacker might supply an HTTP Request Method of more than 432 bytes, ++causing the overflow to occur. ++ ++-- ++ ++Ease of Attack: ++Simple. ++ ++-- ++ ++False Positives: ++None Known ++ ++-- ++False Negatives: ++This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible ++to configure the Oracle Web Cache server to run on different ports. The rule ++should be configured to reflect the appropriate ports of Oracle Web Cache ++servers on your network. ++ ++-- ++ ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++-- ++Contributors: ++Sourcefire Research Team ++Judy Novak ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1252.txt +@@ -0,0 +1,63 @@ ++Rule: ++ ++-- ++Sid: ++1252 ++ ++-- ++Summary: ++This event is generated after a sucessful exploit of the BSD derived Telnet daemon. ++ ++-- ++Impact: ++Remote root access. This may or may not indicate a successful root ++compromise of a telnet server. ++ ++-- ++Detailed Information: ++This event is generated after a possible sucessful attempt to compromise ++a server running a BSD derived version of Telnet. A buffer overflow ++condition exists that may present an attacker with the opportunity to ++execute code of their choosing. ++ ++The attacker does not need to login to the server to exploit this ++vulnerability, only a connection to the server is needed. 
++ ++-- ++Affected Systems: ++ Multiple Vendor Telnet servers running versions of telnetd derived ++ from the BSD telnet daemon. ++ ++-- ++Attack Scenarios: ++An attacker may utilize one of the available exploit scripts. ++ ++-- ++Ease of Attack: ++Simple. Exploit scripts are publicly available. This vulnerability may ++also be exploited by a worm. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Consider using Secure Shell instead of telnet. ++ ++Block inbound telnet access if it is not required. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1661.txt +@@ -0,0 +1,55 @@ ++Rule: ++ ++-- ++Sid: ++1661 ++ ++-- ++Summary: ++This event is generated when an attempt is made to access the cmd32.exe file. ++ ++-- ++Impact: ++Remote access. This attack may permit the execution of arbitrary commands on the vulnerable server. ++ ++-- ++Detailed Information: ++The cmd32.exe file allows execution of commands on Windows hosts. This file is only accessible if maliciously placed in the web server's root directory or an attacker performs unauthorized directory traversal. This may permit the attacker to execute arbitrary commands on the vulnerable server. ++ ++-- ++Affected Systems: ++??? ++ ++-- ++Attack Scenarios: ++An attacker can attempt to access the cmd32.exe file to execute arbitrary commands on the vulernable server. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None Known. ++ ++-- ++False Negatives: ++None Known. ++ ++-- ++Corrective Action: ++Make sure that the cmd32.exe is not in the webroot directory. ++ ++Make sure that all appropriate patches have been applied. 
++ ++-- ++Contributors: ++Original rule writer unknown ++Modified by Brian Caswell ++Sourcefire Research Team ++Judy Novak ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1437.txt +@@ -0,0 +1,79 @@ ++Rule: ++ ++-- ++Sid: ++1437 ++ ++-- ++Summary: ++This event is generated when network traffic indicating the use of a ++multimedia application is detected. ++ ++-- ++Impact: ++This may be a violation of corporate policy since these applications can ++be used to bypass security measures designed to restrict the flow of ++corporate information to destinations external to the corporation. ++ ++-- ++Detailed Information: ++Multimedia client applications can be used to view movies and listen to ++music files. Some also include file sharing facilities. Use of these ++programs may constitute a violation of company policy. ++ ++Clients may also contain vulnerabilities that can give an attacker an ++attack vector for delivering Trojan horse programs and viruses. ++ ++This rule detects the following Windows Media file types: ++ ++ File extension MIME type ++ .wmz application/x-ms-wmz ++ .wmd application/x-ms-wmd ++ .wma audio/x-ms-wma ++ .wax audio/x-ms-wax ++ .wmv audio/x-ms-wmv ++ .asf video/x-ms-asf ++ .asx video/x-ms-asf ++ .wvx video/x-ms-wvx ++ .wm video/x-ms-wm ++ .wmx video/x-ms-wmx ++ ++-- ++Affected Systems: ++ All Windows systems running Windows Media player applications ++ ++-- ++Attack Scenarios: ++A user can download files from a source external to the protected ++network that may contain malicious code hidden in the file giving an ++attacker the opportunity to gain access to a host inside the protected ++network. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. 
++ ++-- ++Corrective Action: ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Microsoft Windows Media file types: ++http://support.microsoft.com/default.aspx?scid=kb;en-us;288102 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1113.txt +@@ -0,0 +1,64 @@ ++Rule: ++ ++-- ++Sid: ++1113 ++ ++-- ++Summary: ++This event is generated when an attempt is made to execute a directory ++traversal attack. ++ ++-- ++Impact: ++Information disclosure. This is a directory traversal attempt which can ++lead to information disclosure and possible exposure of sensitive ++system information. ++ ++-- ++Detailed Information: ++Directory traversal attacks usually target web, web applications and ftp ++servers that do not correctly check the path to a file when requested by ++the client. ++ ++This can lead to the disclosure of sensitive system information which may ++be used by an attacker to further compromise the system. ++ ++-- ++Affected Systems: ++ ++-- ++Attack Scenarios: ++An authorized user or anonymous user can use the directory traversal ++technique, to browse folders outside the ftp root directory. Information ++gathered may be used in further attacks against the host. ++ ++-- ++Ease of Attack: ++Simple. No exploit software required. ++ ++-- ++False Positives: ++None known ++ ++-- ++False Negatives: ++None known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches ++ ++Upgrade the software to the latest non-affected version. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1676.txt +@@ -0,0 +1,70 @@ ++Rule: ++ ++-- ++Sid: 1676 ++ ++-- ++ ++Summary: ++This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system. ++ ++-- ++Impact: ++Serious. 
An attacker may have gained superuser access to the system. ++ ++-- ++Detailed Information: ++This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system. ++ ++Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise. ++ ++This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. ++ ++Oracle servers running on a Windows platform may listen on any arbitrary ++port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this ++is applicable to the protected network. ++ ++-- ++ ++Attack Scenarios: ++Simple. These are Oracle database commands. ++ ++-- ++ ++Ease of Attack: ++Simple. ++ ++-- ++ ++False Positives: ++This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network. ++ ++-- ++False Negatives: ++Configure your ORACLE_PORTS variable correctly for the environment you are in. ++In many situations ORACLE negotiates a communication port. This means that 1521 ++and 1526 are not used for communication during the entire transaction. A new ++port is negotiated after the initial connect message, all communication after ++that uses this other port. If you are in an environment such as this, you should ++set ORACLE_PORTS to "any" in snort.conf. ++ ++Otherwise, there are no known false negatives. ++ ++-- ++ ++Corrective Action: ++Use a firewall to disallow direct access to the Oracle database from sources external to the protected network. 
++Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise ++ ++Look for other events generated by the same IP addresses. ++ ++-- ++Contributors: ++Original Rule Writer Unknown ++Sourcefire Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2255.txt +@@ -0,0 +1,65 @@ ++Rule: ++ ++-- ++Sid: ++2255 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability associated with the Remote Procedure Call (RPC) sadmind. ++ ++-- ++Impact: ++Remote root access. This attack may permit execution of arbitrary commands with the privileges of root. ++ ++-- ++Detailed Information: ++The sadmind RPC service is used by Solaris Solstice AdminSuite ++applications to perform remote distributed system administration tasks ++such as adding new users. ++ ++This event indicates that an RPC query for the sadmind service has been ++made with the credentials of the root user supplied. ++ ++This may permit execution of arbitrary commands with the privileges of root. ++ ++-- ++Affected Systems: ++All systems using sadmind ++ ++-- ++Attack Scenarios: ++Exploit code can be used to attack a vulnerable sadmind to obtain root access to the remote host. ++ ++-- ++Ease of Attack: ++Simple. Exploit scripts are freely available. ++ ++-- ++False Positives: ++None Known. ++ ++-- ++False Negatives: ++None Known. ++ ++-- ++Corrective Action: ++Limit remote access to RPC services. ++ ++Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. ++ ++Disable unneeded RPC services. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++Judy Novak ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/195.txt +@@ -0,0 +1,76 @@ ++Rule: ++ ++-- ++Sid: ++195 ++ ++-- ++Summary: ++Deepthroat is a Trojan Horse offering the attacker control of the target. 
++ ++-- ++Impact: ++Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to. This Trojan also has the ability to delete data, steal passwords and disable the machine. ++ ++-- ++Detailed Information: ++This Trojan affects the following operating systems: ++ ++ Windows 95 ++ Windows 98 ++ Windows ME ++ ++The Trojan changes system registry settings to add the Deepthroat sever to programs normally started on boot. ++ ++See also rules with sids 195, 1980, 1981, 1982 and 1983. ++ ++-- ++Attack Scenarios: ++This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example. ++ ++-- ++Ease of Attack: ++This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan. Once compromised, this Trojan grants the attacker the ability to almost completely control the target. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++ ++Edit the system registry to remove the extra keys or restore a previously known good copy of the registry. ++ ++Affected registry keys are: ++ ++ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ ++ ++Registry keys added are: ++ ++ Systemtray ++ ++Removal of the files pddt.dat and systray.exe from the Windows system directory is required. ++ ++Ending the process systray.exe is also necessary. A reboot of the infected machine is recommended. 
++ ++-- ++Contributors: ++Original Rule Writer Max Vision ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Whitehats arachNIDS ++http://www.whitehats.com/info/IDS106 ++ ++Symantec Security Response ++http://securityresponse.symantec.com/avcenter/venc/data/deepthroat.trojan.html ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2095.txt +@@ -0,0 +1,87 @@ ++Rule: ++ ++-- ++Sid: ++2095 ++ ++-- ++Summary: ++vulnerability in the rpc service for the Calendar Manager Service Daemon ++(CMSD) used by XDR. ++ ++-- ++Impact: ++System compromise, denial of service, execution of arbitrary code, ++information disclosure. ++ ++-- ++Detailed Information: ++A vulnerability exists in various implementations of external data ++representation (XDR) libraries. An integer overflow in a component ++(xdr_array) used by XDR can lead to a buffer overflow. ++ ++The XDR libraries are widely used by multiple vendors to provide a ++framework for data transmission across networks. This is most commonly ++used in RPC implementations. ++ ++A specially crafted rpc request containing a large number of arguments ++to xdr_array can lead to remote system compromise and super user access ++to the target host. Additionally, a denial of service and execution of ++arbitrary code with the privilege of the super user is also possible ++depending on the platform used. ++ ++-- ++Affected Systems: ++Multiple verndors including all those using: ++ Sun Microsystems Network Services Library (libnsl) ++ GNU C library with sunrpc (glibc) ++ BSD-derived libraries with XDR/RPC routines (libc) ++ ++-- ++Attack Scenarios: ++The attacker needs to send a specially crafted rpc request containing a ++large number of arguments for xdr_array to the target host. ++ ++-- ++Ease of Attack: ++Simple ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches. 
++ ++Upgrade the vendor libraries to the latest non-affected versions. Any ++statically linked binaries and applications must be recompiled and ++restarted after the upgrade. ++ ++Disallow all RPC requests from external sources and use a firewall to ++block access to RPC ports from outside the LAN. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Bugtraq: ++http://www.securityfocus.com/bid/5356 ++ ++CVE: ++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0391 ++ ++CERT: ++http://www.cert.org/advisories/CA-2002-25.html ++http://www.kb.cert.org/vuls/id/192995 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/122-27.txt +@@ -0,0 +1,93 @@ ++ ++ ++Rule: ++ ++-- ++Sid: ++122-27 ++ ++-- ++Summary: ++This event is generated when the pre-processor sfPortscan detects ++network traffic that may constitute an attack. Specifically a open port ++was detected. ++ ++-- ++Impact: ++Unknown. This is normally an indicator of possible network ++reconnaisance and may be the prelude to a targeted attack against the ++targeted systems. ++ ++-- ++Detailed Information: ++This event is generated when the sfPortscan pre-processor detects ++network traffic that may consititute an attack. ++ ++A portscan is often the first stage in a targeted attack against a ++system. An attacker can use different portscanning techniques and tools ++to determine the target host operating system and application versions ++running on the host to determine the possible attack vectors against ++that host. ++ ++More information on this event can be found in the individual ++pre-processor documentation README.sfportscan in the docs directory of ++the snort source. Descriptions of different types of portscanning ++techniques can also be found in the same documentation, along with ++instructions and examples on how to tune and use the pre-processor. ++ ++-- ++Affected Systems: ++ All. 
++ ++-- ++Attack Scenarios: ++An attacker often uses a portscanning technique to determine operating ++system type and version and also application versions to determine ++possible effective attack vectors that can be used against the target ++host. ++ ++-- ++Ease of Attack: ++Simple. Many portscanning tools are freely available. ++ ++-- ++False Positives: ++While not necessarily a false positive, a security audit or penetration ++test will often employ the use of a portscan in the same way an ++attacker might use the technique. If this is the case, the ++pre-processor should be tuned to ignore the audit if so desired. ++ ++-- ++False Negatives: ++None Known. ++ ++-- ++Corrective Action: ++Check for other events targeting the host. ++ ++Check the target host for signs of compromise. ++ ++Apply any appropriate vendor supplied patches as appropriate. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Daniel Roelker ++Marc Norton ++Jeremy Hewlett ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Nmap: ++http://www.insecure.org/nmap/ ++ ++Port Scanning Techniques and the Defense Against Them - Roger ++Christopher, SANS: ++http://www.sans.org/rr/whitepapers/auditing/70.php ++ ++Hypervivid Tiger Team - Port-Scanning: A Practical Approach ++http://www.hcsw.org/reading/nmapguide.txt ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2661.txt +@@ -0,0 +1,54 @@ ++Rule: ++ ++-- ++Sid: ++2661 ++ ++-- ++Summary: ++This rule is intended to increase the accuracy of rules designed to ++generate events based on attempts to exploit implementations of Secure ++Socket Layer (SSL) version 2. ++ ++-- ++Impact: ++None. This is a protocol decode rule that does not generate events. ++ ++-- ++Detailed Information: ++This is a protocol decode rule that does not generate events. 
++ ++-- ++Affected Systems: ++NA ++ ++-- ++Attack Scenarios: ++NA ++ ++-- ++Ease of Attack: ++NA ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++NA ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2754.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++2754 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database server. ++ ++-- ++Impact: ++Serious. Possible execution of arbitrary code and Denial of Service. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database implementation. Multiple buffer ++overflow conditions are present in numerous packages and procedures. ++ ++Exploitation of these vulnerable procedures may allow an attacker to ++execute code of their choosing as the user running the database. In the ++case of databases running on Microsoft Windows platforms, this is the ++Local System account which may mean a compromise of the operating system ++as well as the database. ++ ++This event indicates that an attempt has been made to exploit a ++vulnerability in the procedure comment_on_site_priority ++. This procedure is included in ++dbms_repcat. ++ ++-- ++Affected Systems: ++ Oracle Oracle9i ++ ++-- ++Attack Scenarios: ++If an attacker can supply enough data to the procedure in question, it ++may be possible to cause the overflow condition to occur and present the ++attacker with the opportunity to execute code of their choosing. ++ ++-- ++Ease of Attack: ++Simple. 
++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Alex Kirk ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2160.txt +@@ -0,0 +1,59 @@ ++Rule: ++ ++-- ++Sid: ++2160 ++ ++ ++-- ++Summary: ++This event is generated when a possible outgoing virus is detected. ++ ++-- ++Impact: ++Informational event. An virus on an infected host may be attempting to ++propogate. ++ ++-- ++Detailed Information: ++This event indicates that an outgoing email message possibly containing ++a virus has been detected. ++ ++This rule generates an event when a filename extension commonly used by ++viruses is detected. ++ ++-- ++Affected Systems: ++Any host. ++ ++-- ++Attack Scenarios: ++This is indicative of a virus infection. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++A legitimate attachment to an email may generate this event. ++ ++-- ++False Negatives: ++None Known. ++ ++-- ++Corrective Action: ++Check the host for signs of virus infection. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1561.txt +@@ -0,0 +1,71 @@ ++Rule: ++ ++-- ++Sid: ++1561 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability on a web server or a web application resident on a web ++server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server. Possible execution of arbitrary code of ++the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to compromise a host ++running a Web server or a vulnerable application on a web server. 
++ ++Many known vulnerabilities exist for each implementation and the ++attack scenarios are legion. ++ ++Some applications do not perform stringent checks when validating the ++credentials of a client host connecting to the services offered on a ++host server. This can lead to unauthorized access and possibly escalated ++privileges to that of the administrator. Data stored on the machine can ++be compromised and trust relationships between the victim server and ++other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++ All systems using a web server. ++ ++-- ++Attack Scenarios: ++Many attack vectors are possible from simple directory traversal to ++exploitation of buffer overflow conditions. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++Check the host logfiles and application logs for signs of compromise. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2267.txt +@@ -0,0 +1,57 @@ ++Rule: ++ ++-- ++Sid: ++2267 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in versions of Sendmail. ++ ++-- ++Impact: ++Remote arbitrary code execution. ++ ++-- ++Detailed Information: ++A vulnerability exists in the prescan() function used in Sendmail prior ++to version 8.12.9. This function contains an error when converting a ++character to an integer value while processing SMTP headers. ++ ++-- ++Affected Systems: ++All systems using Sendmail. ++ ++-- ++Attack Scenarios: ++An attacker could exploit this condition to process code of their ++choosing and open a listening shell bound to a high port, thus opening the ++system to further compromise. 
++ ++-- ++Ease of Attack: ++Simple. Exploit code exists. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Upgrade Sendmail to the latest non-affected verison. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2193.txt +@@ -0,0 +1,87 @@ ++Rule: ++ ++-- ++Sid: ++2193 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in Microsoft RPC DCOM. ++ ++-- ++Impact: ++Execution of arbitrary code leading to full administrator access of the ++machine. Denial of Service (DoS). ++ ++-- ++Detailed Information: ++A vulnerability exists in Microsoft RPC DCOM such that execution of ++arbitrary code or a Denial of Service condition can be issued against a ++host by sending malformed data via RPC. ++ ++The Distributed Component Object Model (DCOM) handles DCOM requests sent ++by clients to a server using RPC. A malformed request to an RPC port ++will result in a buffer overflow condition that will present the ++attacker with the opportunity to execute arbitrary code with the ++privileges of the local system account. ++ ++This vulnerability is also exploited by the Billy/Blaster worm. The worm ++also uses the Trivial File Transfer Protocol (TFTP) to propagate. A ++number of events generated by this rule may indicate worm activity. ++ ++-- ++Affected Systems: ++ Windows NT 4.0 ++ Windows NT 4.0 Terminal Server Edition ++ Windows 2000 ++ Windows XP ++ Windows Server 2003 ++ ++-- ++Attack Scenarios: ++An attacker may make a request for a file with an overly long filename ++via a network share. ++ ++-- ++Ease of Attack: ++Simple. Expoit code exists. This is also exploited by a worm. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches. 
++ ++Block access to RPC ports 135, 139 and 445 for both TCP and UDP ++protocols from external sources using a packet filtering firewall. ++ ++Block access to port 69 used by the worm to propogate. ++ ++Block access to port 4444 used by the worm. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Microsoft: ++http://www.microsoft.com/technet/security/bulletin/MS03-026.asp ++ ++CVE: ++http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352 ++ ++Symantec: ++http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3186.txt +@@ -0,0 +1,70 @@ ++Rule: ++ ++-- ++Sid: ++3186 ++ ++-- ++Summary: ++This rule generates an event when an attempt is made to exploit a known ++vulnerability in Microsoft RPC DCOM. ++ ++-- ++Impact: ++Execution of arbitrary code leading to full administrator access of the ++machine. Denial of Service (DoS). ++ ++-- ++Detailed Information: ++A vulnerability exists in Microsoft RPC DCOM such that execution of ++arbitrary code or a Denial of Service condition can be issued against a ++host by sending malformed data via RPC. ++ ++The Distributed Component Object Model (DCOM) handles DCOM requests sent ++by clients to a server using RPC. A malformed request to an RPC port ++will result in a buffer overflow condition that will present the ++attacker with the opportunity to execute arbitrary code with the ++privileges of the local system account. ++ ++-- ++Affected Systems: ++ Windows NT 4.0 ++ Windows NT 4.0 Terminal Server Edition ++ Windows 2000 ++ Windows XP ++ Windows Server 2003 ++ ++-- ++Attack Scenarios: ++An attacker may make a request for a file with an overly long filename ++via a network share. ++ ++-- ++Ease of Attack: ++Simple. Expoit code exists. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. 
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2295.txt
+@@ -0,0 +1,65 @@
++Rule:
++
++--
++Sid:
++2295
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the PHP web application Proxy2.de Advanced Poll 2.0.2
++running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt may have been made to exploit a
++known vulnerability in the PHP application Proxy2.de Advanced Poll
++2.0.2. This application does not perform stringent checks when handling
++user input, this may lead to the attacker being able to execute PHP
++code, include php files and possibly retrieve sensitive files from the
++server running the application.
++
++--
++Affected Systems:
++ All systems running Proxy2.de Advanced Poll 2.0.2
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying PHP script.
++
++--
++Ease of Attack:
++Simple. No exploit code is required.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/830.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++830
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3362.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3362
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1277.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++1277
++
++--
++Summary:
++This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) ypupdated is listening.
++
++--
++Impact:
++Information disclosure. This request is used to discover which port ypupdated is using. Attackers can also learn what versions of the ypupdated protocol are accepted by ypupdated.
++
++--
++Detailed Information:
++The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as ypupdated run. The ypupdated RPC service allows clients to update maps for Network Information Service (NIS), formerly known as Sun Yellow Pages. A vulnerability exists with improper validation associated with the 'make' command used to update changes, allowing the execution of arbitrary commands as root.
++
++--
++Affected Systems:
++HP HP-UX 10.1, 10.10, 10.20
++IBM AIX 3.2, 4.1
++NEC EWS-UX/V, UP-UX/V
++SGI IRIX 3.2, 3.3, 3.3.1, 3.3.2, 3.3.3,4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 5.0, 5.0.1, 5.1, 5.1.1, 5.2, 5.3, 6.0.1
++Sun SunOS 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4
++
++--
++Attack Scenarios:
++An attacker can query the portmapper to discover the port where ypupdated runs. This may be a precursor to accessing ypupdated.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++If a legitimate remote user is allowed to access ypupdated, this rule may trigger.
++
++--
++False Negatives:
++This rule detects probes of the portmapper service for ypupdated, not probes of the ypupdated service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the ypupdated service itself. An attacker may attempt to go directly to the ypupdated port without querying the portmapper service, which would not trigger the rule.
++
++--
++Corrective Action:
++Limit remote access to RPC services.
++
++Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
++
++Disable unneeded RPC services.
++
++--
++Contributors:
++Original rule written by Max Vision
++Modified by Brian Caswell
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++Bugtraq
++http://www.securityfocus.com/bid/1749
++
++CERT
++http://www.cert.org/advisories/CA-1995-17.html
++
++Arachnids
++http://www.whitehats.com/info/IDS125
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1764.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1764
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1529.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++1529
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a buffer
++overflow or denial of service vulnerability associated with FTP SITE command.
++
++--
++Impact:
++Remote access or denial of service. A successful attack can cause a
++denial of service or allow remote execution of arbitrary commands with
++privileges of the process running the FTP server.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit various
++vulnerabilities associated with the FTP SITE command of different FTP
++servers. The Windows Serv-U FTP server 2.5a can be made to crash when an
++overly long argument is supplied to the SITE PASS command. The GuildFTPd
++free Windows FTP server 0.97 is vulnerable to a buffer overflow caused
++by issuing a SITE command that is 261 bytes or longer. A buffer overflow
++exists in Debian Linux 2.2 FTP daemon that is caused by issuing a SITE
++command that is 400 bytes or longer. The buffer overflow attacks may
++permit the execution of arbitrary commands with the privileges of the
++process running the FTP server. All of these attacks require login
++access to the vulnerable server via an authenticated or anonymous user.
++
++--
++Affected Systems:
++ Serv-U FTP server 2.5a.
++ GuildFTPd Server 0.97.
++ Debian 2.2 FTP server.
++
++--
++Attack Scenarios:
++An attacker may login to a vulnerable FTP server and enter an overly
++long file argument with the SITE command, causing a denial of service or
++buffer overflow.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Judy Novak
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2967.txt
+@@ -0,0 +1,68 @@
++Rule:
++
++--
++Sid:
++2967
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
++services.
++
++--
++Impact:
++Serious. Execution of arbitrary code with system level privileges
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft NetDDE that may allow an attacker to
++run code of their choosing with system level privileges. A programming
++error in the handling of network messages may give an attacker the
++opportunity to overflow a fixed length buffer by using a specially
++crafted NetDDE message.
++
++This service is not started by default on Microsoft Windows systems, but
++this issue can also be exploited locally in an attempt to escalate
++privileges after a successful attack from an alternate vector.
++
++--
++Affected Systems:
++ Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
++
++--
++Attack Scenarios:
++An attacker needs to craft a special NetDDE message in order to overflow
++the affected buffer.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Disable the NetDDE service.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Microsoft Security Bulletin MS04-031:
++http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/119-13.txt
+@@ -0,0 +1,62 @@
++Rule:
++
++--
++Sid:
++119-13
++
++--
++Summary:
++This event is generated when the pre-processor http_inspect
++detects network traffic that may constitute an attack.
++
++--
++Impact:
++Unknown.
++
++--
++Detailed Information:
++This event is generated when the http_inspect pre-processor detects the
++use of a newline "\n" character as a delimeter. This is non-standard but
++is accepted by both Apache and IIS web servers.
++
++--
++Affected Systems:
++ All web servers
++
++--
++Attack Scenarios:
++An attacker may supply the newline character as the delimeter in a web
++request.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++
++Corrective Action:
++Check the target host for signs of compromise.
++
++Apply any appropriate vendor supplied patches.
++
++--
++Contributors:
++Daniel Roelker
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++HTTP IDS Evasions Revisited - Daniel Roelker
++http://docs.idsresearch.org/http_ids_evasions.pdf
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3241.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3241
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2375.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2375
++
++--
++Summary:
++This event is generated when activity from the worm DoomJuice is
++detected.
++
++--
++Impact:
++This is indicative of worm activity which may launch of a Denial of
++Service condition against Microsoft from infected machines.
++
++--
++Detailed Information:
++This event is indicative of activity by the DoomJuice worm. This worm
++attempts to connect to random addresses on port 3127, if it receives a
++response it will attempt to upload a copy of itself to the target
++machine. If no response is received on that port, it will try on ports
++between 3127 and 3199.
++
++If the date is between February 8th and February 28th 2004, the worm
++will attempt to launch a Denial of Service (DoS) attack against
++www.microsoft.com.
++
++--
++Affected Systems:
++ Windows 95
++ Windows 98
++ Windows Me
++ Windows NT
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++This is worm activity.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++It is possible to edit the binary data in the executable to create a
++variant of the worm. This may evade the rule.
++
++--
++Corrective Action:
++Use Anti-Virus software to remove the worm.
++
++--
++Contributors:
++Sourcefire Research Team
++Matt Watchinski
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000519.txt
+@@ -0,0 +1,75 @@
++Rule:
++
++--
++Sid:
++100000519
++--
++Summary:
++This event is generated when an attempt is made to exploit an SQL injection
++vulnerability in the "VUBB" application running on a webserver. Access to the
++file "index.php" with SQL commands being passed as the "user" parameter may
++indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to inject SQL code from a
++remote machine via the "user" parameter in the "index.php" script used by the
++"VUBB" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to compromise the database backend for the
++application, the attacker may also be able to execute system binaries or
++malicious code of their choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using VUBB
++--
++Attack Scenarios:
++An attacker can inject SQL commands to the backend database for an application
++if user input is not correctly sanitized or checked before passing that input
++to the database.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++SQL Injection Attack and Defense
++http://www.securitydocs.com/library/3587
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3194.txt
+@@ -0,0 +1,66 @@
++Rule:
++
++--
++Sid:
++3194
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft Internet Information Server.
++
++--
++Impact:
++Serious. Code execution leading to unauthorized administrative access
++on the target host.
++
++--
++Detailed Information:
++Microsoft IIS contains a programming error that may allow an attacker to
++execute commands of their choosing on a vulnerable system. If a valid
++request for an executable file on the system is made, the server will
++honor the request and execute any commands sent to the system. It may be
++possible for an attacker to execute system commands sent to cmd.exe or
++an executable batch file (.bat) for example.
++
++--
++Affected Systems:
++ Microsoft IIS 4.0
++ Microsoft IIS 5.0
++
++--
++Attack Scenarios:
++An attacker can send a request to an executable file on the system and
++supply command arguments of their choice to the file. The server will
++honor the request and execute the attackers commands.
++
++For example, http://www.target.com/scripts/cmd.bat"+&+somecommand
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++Apply the appropriate vendor supplied patches.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1091.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1091
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000544.txt
+@@ -0,0 +1,75 @@
++Rule:
++
++--
++Sid:
++100000544
++--
++Summary:
++This event is generated when an attempt is made to exploit an SQL injection
++vulnerability in the "Dating Agent" application running on a webserver. Access
++to the file "search.php" with SQL commands being passed as the "relationship"
++parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to inject SQL code from a
++remote machine via the "relationship" parameter in the "search.php" script used
++by the "Dating Agent" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to compromise the database backend for the
++application, the attacker may also be able to execute system binaries or
++malicious code of their choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Dating Agent
++--
++Attack Scenarios:
++An attacker can inject SQL commands to the backend database for an application
++if user input is not correctly sanitized or checked before passing that input
++to the database.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++SQL Injection Attack and Defense
++http://www.securitydocs.com/library/3587
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/478.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++
++Sid:
++478
++
++--
++
++Summary:
++This event is generated when Broadscan Smurf Scanner generates an ICMP echo
++request message.
++
++--
++
++Impact:
++ICMP echo requests are used to determine if a host is running at a
++specific IP address. A remote attacker can scan a large range of hosts
++using ICMP echo requests to determine what hosts are operational on the
++network.
++
++--
++
++Detailed Information:
++The Broadscan Smurf Scanner generates an ICMP echo packet with a specific
++datagram signature.
++
++--
++
++Attack Scenarios:
++A remote attacker might scan a large range of hosts using ICMP echo
++requests to determine what hosts are operational on the network.
++
++--
++
++Ease of Attack:
++Simple. Packet generation tools can generate this type of ICMP packet
++
++--
++
++False Positives:
++None known
++
++--
++
++False Negatives:
++Packet generation tools can generate ICMP echo requests with
++user-defined payloads. This could allow attackers to replace this
++signature with binary values and conceal their operating system.
++
++--
++
++Corrective Action:
++To prevent information gathering, use a firewall to block incoming ICMP
++Type 8 Code 0 traffic.
++
++--
++
++Contributors:
++Original Rule writer unknown
++Sourcefire Research Team
++Matthew Watchinski (matt.watchinski@sourcefire.com)
++
++--
++
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3328.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3328
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1511.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1511
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2832.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2832
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure do_deferred_repcat_admin
++. This procedure is included in
++sys.dbms_repcat_mas.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1691.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid: 1691
++
++--
++
++Summary:
++This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
++
++--
++Impact:
++Serious. An attacker may have gained superuser access to the system.
++
++--
++Detailed Information:
++This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
++
++Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
++
++This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
++
++Oracle servers running on a Windows platform may listen on any arbitrary
++port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
++is applicable to the protected network.
++
++--
++
++Attack Scenarios:
++Simple. These are Oracle database commands.
++
++--
++
++Ease of Attack:
++Simple.
++
++--
++
++False Positives:
++This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
++
++--
++False Negatives:
++Configure your ORACLE_PORTS variable correctly for the environment you are in.
++In many situations ORACLE negotiates a communication port. This means that 1521
++and 1526 are not used for communication during the entire transaction. A new
++port is negotiated after the initial connect message, all communication after
++that uses this other port. If you are in an environment such as this, you should
++set ORACLE_PORTS to "any" in snort.conf.
++
++Otherwise, there are no known false negatives.
++
++--
++
++Corrective Action:
++Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
++Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
++
++Look for other events generated by the same IP addresses.
++
++--
++Contributors:
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1101.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1101
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000623.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++100000623
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Indexu" application running on a webserver.
++Access to the file "menu.php" using a remote file being passed as the
++"admin_template_path" parameter may indicate that an exploitation attempt has
++been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "admin_template_path" parameter in the "menu.php" script
++used by the "Indexu" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Indexu
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3364.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3364
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000422.txt
+@@ -0,0 +1,58 @@
++
++
++Rule:
++
++--
++Sid:
++100000422
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpBB" application running on a webserver. Access to the file "template.php" using a remote file being passed as the "page" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise.
Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "page" parameter in the "template.php" script used by the "phpBB" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using phpBB
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/421.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++
++Sid:
++421
++
++--
++
++Summary:
++This event is generated when a network host generates an ICMP Mobile Registration Reply datagram.
++
++--
++
++Impact:
++ICMP Mobile Registration Reply were never implemented and have been replaced by UDP and TCP versions of the message. ICMP Type 36 datagrams should never be seen in normal network conditions.
++
++--
++
++Detailed Information:
++ICMP Mobile Registration Reply datagrams were developed before the approval of RFC3344 (IP Mobility Support for IPv4). Therefore these types of ICMP datagrams should never be seen in normal networking conditions.
++
++--
++
++Attack Scenarios:
++None known
++
++--
++
++Ease of Attack:
++Numerous tools and scripts can generate this type of ICMP datagram.
++
++--
++
++False Positives:
++None known
++
++--
++
++False Negatives:
++None known
++--
++
++Corrective Action:
++ICMP Type 36 datagrams are not normal network activity. Hosts generating these types of datagrams should be investigated for nefarious activity
++
++--
++
++Contributors:
++Original rule writer unknown
++Sourcefire Research Team
++Matthew Watchinski (matt.watchinski@sourcefire.com)
++
++--
++
++Additional References:
++None
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2705.txt
+@@ -0,0 +1,75 @@
++Rule:
++
++--
++Sid:
++2705
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft GDI using a malformed JPEG image.
++
++--
++
++Impact:
++Serious. Execution of arbitrary code is possible. Denial of Service
++(DoS),
++
++--
++Detailed Information:
++The Microsoft Graphics Device Interface contains a programming error
++in the handling of Joint Photographics Experts Group (JPEG) files.
This
++error may allow an attacker to execute code of their choosing on a
++vulnerable system.
++
++Due to the popularity of jpeg files, and in order to provide accurate
++detection for the GDI JPEG vulnerability, sid 2705 may generate false
++positive events in certain situations. Since this rule may generate
++a number of false positives it is disabled by default.
++
++In order to avoid potential evasion techniques, http_inspect should be
++configured with "flow_depth 0" so that all HTTP server response traffic is
++inspected.
++
++WARNING
++Setting flow_depth 0 will cause performance problems in some situations.
++WARNING
++
++--
++Affected Systems:
++ All Microsoft systems including multiple Microsoft products
++
++--
++Attack Scenarios:
++An attacker would need to supply a malformed jpeg image to a victim and
++have the use attempt to view the file.
++
++--
++Ease of Attack:
++Medium.
++
++--
++
++False Positives:
++False positive events are known to occur with this rule, the incidence
++is low but may be an inconvenience in some installations.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2084.txt
+@@ -0,0 +1,75 @@
++Rule:
++
++--
++Sid:
++2084
++
++--
++Summary:
++xfsmd
++
++--
++Impact:
++Possible root access and code execution.
++
++--
++Detailed Information:
++It is possible for an attacker to exploit some versions of the xfsmd
++daemon.
++
++Due to a programming error, the service does not correctly check for
++certain meta-characters and they are not stripped from the request.
++
++The xfsmd daemon is not installed by default on IRIX systems but it is
++part of an optional package.
++
++--
++Affected Systems:
++ IRIX 6.2
++ IRIX 6.3
++ IRIX 6.4
++ IRIX 6.5.x
++
++--
++Attack Scenarios:
++Exploits are widely available.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Patches are NOT available for this issue.
++
++Disable and remove the xfsmd daemon.
++
++Uprade to the latest non affected version of the operating system
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Bugtraq:
++http://www.securityfocus.com/bid/5075
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0359
++
++SGI IRIX:
++ftp://patches.sgi.com/support/free/security/advisories/20020606-01-I
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/819.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++819
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/669.txt
+@@ -0,0 +1,58 @@
++Rule:
++
++--
++Sid:
++669
++
++--
++Summary:
++This event is generated when an external attacker attempts to exploit a vulnerability in Sendmail, where linefeed characters in ident messages are not properly parsed.
++
++--
++Impact:
++Severe. Remote execution of arbitrary code, leading to remote root compromise.
++
++--
++Detailed Information:
++Sendmail 8.6.10 and earlier versions contain a vulnerability related to the parsing of linefeed characters in commands passed from ident to Sendmail. An attacker can use a specially crafted command with linefeeds in an ident response to Sendmail. The message is not properly parsed and Sendmail forwards the response, with included commands, to its queue. The commands are then executed while the message awaits delivery in the Sendmail queue, causing the included arbitrary code to be executed on the server in the security context of Sendmail.
++
++--
++Affected Systems:
++Systems running unpatched versions of Sendmail 8.6.10 or earlier.
++
++--
++Attack Scenarios:
++An attacker sends an email with linefeed characters and includes a path variable of P=/bin/sh. Directives included in the transmission are executed while the message remains in the Sendmail queue.
++
++--
++Ease of Attack:
++Moderate. Multiple exploits exist, but the window of opportunity is small; the vulnerability must be exploited while the message is queued for delivery and must have sufficient time (the mail server must be busy/slow) to execute the commands.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Upgrade to the latest version of Sendmail.
++
++--
++Contributors:
++Original rule written by Max Vision
++Sourcefire Research Team
++Sourcefire Technical Publications Team
++Jen Harvey
++
++--
++Additional References:
++CVE
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0204
++
++Bugtraq
++http://www.securityfocus.com/bid/2311
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000826.txt
+@@ -0,0 +1,58 @@
++
++
++Rule:
++
++--
++Sid:
++100000826
++--
++Summary:
++This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Phorum" application running on a webserver. Access to the file "search.php" with SQL commands being passed as the "mode" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to inject SQL code from a remote machine via the "mode" parameter in the "search.php" script used by the "Phorum" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Phorum
++--
++Attack Scenarios:
++An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++SQL Injection Attack and Defense
++http://www.securitydocs.com/library/3587
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2033.txt
+@@ -0,0 +1,85 @@
++Rule:
++
++--
++Sid:
++2033
++
++--
++Summary:
++A request has been made to rpc.ypserv from an external source that
++should not have access to this service. This may be indicative of an
++intelligence gathering activity as a prelude to a more serious
++compromise of system resources.
++
++service against the target host.
++
++--
++Impact:
++Disclosure of sensitive system information to an unauthorized user.
++Possible denial of service.
++
++--
++Detailed Information:
++The rpc.ypserv daemon queries information in the local NIS maps. A
++response to this query may divulge important information to the user
++performing the query. This could lead to futher exploitation of
++resources on the network.
++
++In addition, a vulnerability exists in ypserv on some Linux platforms
++that could lead to a buffer overflow and root compromise of the target
++host. This is achieved by making a multitude of requests for a NIS map
++that does not exist.
++
++--
++Affected Systems:
++Multiple systems running versions of ypserv prior to 2.5.
++
++--
++Attack Scenarios:
++The attacker can craft a malicious request to rpc.ypserv such that
++valuable information can be returned to the attacker.
++
++In the case of a buffer overflow, the attacker might issue a large
++therefore, be seen many times.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Disallow all RPC requests from external sources and use a firewall to
++block access to RPC ports from outside the LAN.
++
++Upgrade ypserv to the latest version.
++
++Use /var/yp/securenets to list the hosts allowed to access this resource
++where appropriate.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Bugtraq:
++http://www.securityfocus.com/bid/6016
++http://www.securityfocus.com/bid/5914
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1232
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1043
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1042
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1313.txt
+@@ -0,0 +1,64 @@
++Rule:
++--
++Sid:
++
++1313
++
++--
++Summary:
++This rule indicates that a webpage was visited the included the content "up skirt".
++
++--
++Impact:
++Someone could be violating your company's policy regarding the browsing of inappropriate content.
++
++--
++Detailed Information:
++
++This rule looks for a response from a webserver containing "up skirt".
++
++--
++Affected Systems:
++
++All
++
++--
++Attack Scenarios:
++
++Not an attack.
++
++--
++Ease of Attack:
++
++N/A.
++
++--
++False Positives:
++
++This could have been caused by a pop-up window or spam with an embedded link to a pornographic website. This could also be caused by somebody visiting the snort rule descriptions on the snort website.
++
++--
++False Negatives:
++
++None known.
++--
++Corrective Action:
++
++Dependent on your company's policies.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Snort documentation contributed by Steven Alexander
++--
++Additional References:
++
++
++
++
++
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1544.txt
+@@ -0,0 +1,78 @@
++Rule:
++--
++Sid:
++1544
++--
++Summary:
++This event is generated when an attempt is made to list the user
++configuration file on a Cisco router or switch.
++--
++Impact:
++If successful, the switch will reveal the local authentication user
++configuration file to an attacker without requiring prior
++authentication.
++--
++Detailed Information:
++The HTTP server that is part of some versions of the Cisco IOS software
++allows remote command execution when the access control method is set to
++local authentication.
++
++--
++Affected Systems:
++The following Cisco products can be affected. Whether they actually
++are vulnerable or not depends on the version of IOS that they are
++running. To properly determine if your product is vulnerable, see the
++Cisco website referenced below. This is not exploitable if the device
++is using an access control method other than local authentication.
++Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000,
++1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700,
++AS5200, AS5300, AS5800, 6400, 7000, 7100, 7200, ubr7200, 7500, and 12000
++series.
++Most recent versions of the LS1010 ATM switch.
++The Catalyst 6000 and 5000 if they are running Cisco IOS software.
++The Catalyst 2900XL and 3500XL LAN switch only if it is running Cisco
++IOS software.
++The Catalyst 2900 and 3000 series LAN switches are affected.
++The Cisco Distributed Director.
++--
++Attack Scenarios:
++By making the request to a vulnerable system, an attacker can take
++complete control of a Cisco device.
++--
++Ease of Attack:
++Simple. HTTP GET request, a browser may be used.
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++This rule only looks for one particular command (show config cr).
++However, this vulnerability will allow any other command to be executed
++on the device at the highest privilege level, and this rule will
++not detect them.
++
++This rule only looks for attacks against systems that are included
++in the $HTTP_SERVERS group. Many administrators do not consider
++routers or switches to be web servers, and therefore may not include
++vulnerable devices in this group, causing an attack to proceed
++unnoticed.
If you think one of your routers or switches is vulnerable,
++reference it in the $HTTP_SERVERS group.
++--
++Corrective Action:
++Turn off the web server functionality, use access lists to ensure only
++trusted hosts have access to the device, use TACACS+ or RADIUS for
++access control, or upgrade your version of IOS.
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Snort documentation contributed by Kevin Peuhkurinen
++
++--
++Additional References:
++
++Cisco
++http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000505.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++100000505
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Nucleus CMS" application running on a webserver.
++Access to the file "server.php" using a remote file being passed as the
++"DIR_LIB" parameter may indicate that an exploitation attempt has been
++attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "DIR_LIB" parameter in the "server.php" script used by
++the "Nucleus CMS" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server.
This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Nucleus CMS
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3031.txt
+@@ -0,0 +1,67 @@
++Rule:
++
++--
++Sid:
++3031
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a Samba implementation.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code.
++
++--
++Detailed Information:
++Samba is a file and print serving system for heterogenous networks. It
++is available for use as a service and client on UNIX/Linux systems and as
++a client for Microsoft Windows systems.
++
++Samba uses the SMB/CIFS protocols to allow communication between client
++and server. The SMB protocol contains many commands and is commonly used
++to control network devices and systems from a remote location.
A
++vulnerability exists in the way the smb daemon processes commands sent by
++a client system when accessing resources on the remote server.The problem
++exists in the allocation of memory which can be exploited by an attacker
++to cause an integer overflow, possibly leading to the execution of
++arbitrary code on the affected system with the privileges of the user
++running the smbd process.
++
++--
++Affected Systems:
++ Samba 3.0.8 and prior
++
++--
++Attack Scenarios:
++An attacker needs to supply specially crafted data to the smb daemon to
++overflow a buffer containing the information for the access control lists
++to be applied to files in the smb query.
++
++--
++Ease of Attack:
++Difficult.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3121.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++3121
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft License Logging Service.
++
++--
++Impact:
++Serious. Execution of arbitrary code leading to unauthorized
++administrative access to the target host. Denial of Service (DoS) is
++also possible.
++
++--
++Detailed Information:
++Microsoft License Logging Service is used to manage licenses for
++Microsoft server products.
++
++A vulnerability in the service exists due to a programming error such
++that an unchecked buffer may present an attacker with the opportunity to
++exploit the service and run code of their choosing on an affected
++system. The attacker may then cause a DoS condition in the service or
++possibly gain administrative access to the target host.
++
++The unchecked buffer exists when processing the length of messages sent
++to the logging service.
++
++--
++Affected Systems:
++ Microsoft Windows Server 2003
++ Microsoft Windows Server 2000
++ Microsoft Windows NT Server
++
++--
++Attack Scenarios:
++An attacker can supply extra data in the message to the service
++containing code of their choosing to be run on the server.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2622.txt
+@@ -0,0 +1,72 @@
++Rule:
++
++--
++Sid:
++2622
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a Oracle database implementation.
++
++--
++Impact:
++Serious. Execution of arbitrary code may be possible. A Denial of
++Service (DoS) condition may also be caused.
++
++--
++Detailed Information:
++Oracle databases may use a built-in procedure to assist in useful
++tasks. The "drop_an_object" procedure contains a programming error
++that may allow an attacker to execute a buffer overflow attack.
++
++This overflow is triggered by a long string in a parameter for the
++procedure.
++
++If you are running Oracle on a Windows server, make sure that the
++variable $ORACLE_PORTS is set to a value of "any".
++
++--
++Affected Systems:
++ Oracle 9i
++
++--
++Attack Scenarios:
++An attacker can supply a long string to the third variable to cause
++the overflow. The result could permit the attacker to gain escalated
++privileges and run code of their choosing. This attack requires an
++attacker to logon to the database with a valid username and password
++combination.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Matt Watchinski
++Brian Caswell
++Nigel Houghton
++Judy Novak
++
++--
++Additional References:
++
++Other:
++http://www.appsecinc.com/Policy/PolicyCheck97.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2545.txt
+@@ -0,0 +1,63 @@
++Rule:
++
++--
++Sid:
++2545
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in AppleFileServer.
++
++--
++
++Impact:
++Serious. Unauthorized remote administrative access.
++
++--
++Detailed Information:
++AppleFileServer is used to share files and mount remote drives between
++machines using Apple Macintosh OS X. An error in the processing of
++PathName may lead to a buffer overflow. If the length of a string for
++AFPName is longer than the declared length, the buffer will be
++overflowed and may present an attacker with the opportunity to execute
++code of their choosing.
++
++--
++
++Attack Scenarios:
++An attacker can supply an AFPName longer than what is expected by the
++service and overwrite portions of memory leading to the execution of
++code.
++
++--
++
++Ease of Attack:
++Simple
++
++--
++
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++
++Corrective Action:
++Disable AFP if not needed
++
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000822.txt
+@@ -0,0 +1,58 @@
++
++
++Rule:
++
++--
++Sid:
++100000822
++--
++Summary:
++This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VBZooM" application running on a webserver. Access to the file "reply.php" with SQL commands being passed as the "UserID" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to inject SQL code from a remote machine via the "UserID" parameter in the "reply.php" script used by the "VBZooM" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using VBZooM
++--
++Attack Scenarios:
++An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++SQL Injection Attack and Defense
++http://www.securitydocs.com/library/3587
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1871.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++1871
++
++--
++Summary:
++This event is generated when an attempt is made to access an Oracle
++Application Server's XSQLConfig.xml configuration file.
++
++--
++Impact:
++Serious
++
++--
++Detailed Information:
++With the default installation of Oracle's Application Server, it is
++possible for an unauthorized user to view the XSQLConfig.xml file. This
++file contains information such as the database server's name, user id's,
++and passwords.
++
++--
++Affected Systems:
++ Oracle 9i Application Server
++
++--
++Attack Scenarios:
++An attacker can use this to find out information about the database and
++then use that information to compromise the server.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply appropriate permissions to the file.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Snort documentation contributed by Josh Sakofsky
++
++--
++Additional References:
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0568
++
++Nessus:
++http://cgi.nessus.org/plugins/dump.php3?id=10855
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1705.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1705
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/121.txt
+@@ -0,0 +1,112 @@
++Rule:
++
++--
++Sid:
++121
++
++--
++Summary:
++Infector is a Trojan Horse.
++
++--
++Impact:
++Possible theft of data via download, upload of files, execution of files
++and reboot the targeted machine.
++
++--
++Detailed Information:
++This Trojan affects the following operating systems:
++
++ Windows 95
++ Windows 98
++ Windows ME
++
++The Trojan changes system registry settings to add the Infector sever to
++programs normally started on boot. Due to the nature of this Trojan it
++is unlikely that the attacker's client IP address has been spoofed.
++
++ SID Message
++ --- -------
++ 117 Infector 1.x
++ 120 Infector 1.6 Server to Client
++ 121 Infector 1.6 Client to Server Connection Request
++
++This Trojan is commonly used to install other Trojan programs.
++
++The Trojan also makes changes to the system registry and win.ini file.
++
++Notification of an active server is achieved via IRC or ICQ.
++
++--
++Attack Scenarios:
++This Trojan may be delivered to the target in a number of ways. This
++event is indicative of an existing infection being activated. Initial
++compromise can be in the form of a Win32 installation program that may
++use the extension ".jpg" or ".bmp" when delivered via e-mail for
++example.
++
++--
++Ease of Attack:
++This is Trojan activity, the target machine may already be compromised.
++Updated virus definition files are essential in detecting this Trojan.
++
++The Trojan server is located at :\WINDOWS\Apxil32.exe a backup
++copy is made and usually named D3x32.drv.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++
++Edit the system registry to remove the extra keys or restore a
++previously known good copy of the registry.
++
++Affected registry keys are:
++
++ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
++ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
++
++Registry keys added are:
++
++ apxil32 = apxil32.exe
++
++Removal of this entry is required.
++
++Delete the file :\WINDOWS\Apxil32.exe
++
++Ending the Trojan process is also necessary. A reboot of the infected
++machine is recommended.
++
++A change is also made to the win.ini file, the line run=apxil32.exe
++apxil32.exe is added and should be deleted.
++
++--
++Contributors:
++Original Rule Writer Max Vision
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++Whitehats arachNIDS
++http://www.whitehats.com/info/IDS315
++http://www.whitehats.com/info/IDS502
++http://www.whitehats.com/info/IDS503
++
++Diamond Computer Systems Security Advisory
++http://www.diamondcs.com.au/web/alerts/infector.htm
++
++Megasecurity:
++http://www.megasecurity.org/trojans/i/infector/Infector_all.html
++
++Simovits:
++http://www.simovits.com/trojans/tr_data/y1627.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1082.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1082
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2493.txt
+@@ -0,0 +1,93 @@
++Rule:
++
++--
++Sid:
++2493
++
++--
++Summary:
++This rule no longer generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++This rule now uses flowbits and can be set to generate an event by
++modifying the rule slightly to remove the "flowbits:no_alert;" option.
++When traffic is detected that attempts to bind to the ISystemActivator
++object in MS RPC DCOM communications this rule now activates sids 2351
++and 2352 to detect exploits against this service. Cool huh?
++
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++This vulnerability is also exploited by the Billy/Blaster worm. The worm
++also uses the Trivial File Transfer Protocol (TFTP) to propagate. A
++number of events generated by this rule may indicate worm activity.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists. This is also exploited by a worm.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++Block access to port 69 used by the worm to propogate.
++
++Block access to port 4444 used by the worm.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Microsoft:
++http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
++
++CVE:
++http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352
++
++Symantec:
++http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2344.txt
+@@ -0,0 +1,59 @@
++Rule:
++
++--
++Sid:
++2344
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in ArGoSoft FTP Server.
++
++--
++Impact:
++Execution of arbitrary code. Possible unauthorized administrative access.
++
++--
++Detailed Information:
++ArGoSoft FTP Server fails to perform sufficient checks on user supplied data to the
++XCWD command. An attacker may exploit this vulnerability to execute code of
++their choosing as the user running the process. This may lead to remote
++administrative access to the server.
++
++--
++Affected Systems:
++ ArGoSoft FTP Server 1.4.1 .1
++
++--
++Attack Scenarios:
++An attacker may connect to the server and supply spurious data to the
++XCWD command causing the overrun to occur.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
diff -Nru snort-2.8.5.2/debian/po/ca.po snort-2.9.2/debian/po/ca.po
--- snort-2.8.5.2/debian/po/ca.po 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/debian/po/ca.po 2012-01-25 21:33:36.000000000 +0000
@@ -6,7 +6,7 @@
 msgstr ""
 "Project-Id-Version: snort_2.0.1-2_templates\n"
 "Report-Msgid-Bugs-To: snort@packages.debian.org\n"
-"POT-Creation-Date: 2011-01-02 02:11+0100\n"
+"POT-Creation-Date: 2011-12-27 14:03-0800\n"
 "PO-Revision-Date: 2005-02-26 10:41+0100\n"
 "Last-Translator: Aleix Badia i Bosch \n"
 "Language-Team: Debian L10n Catalan \n"
diff -Nru snort-2.8.5.2/debian/po/cs.po snort-2.9.2/debian/po/cs.po
--- snort-2.8.5.2/debian/po/cs.po 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/debian/po/cs.po 2012-01-25 21:33:53.000000000 +0000
@@ -15,7 +15,7 @@
 msgstr ""
 "Project-Id-Version: snort\n"
 "Report-Msgid-Bugs-To: snort@packages.debian.org\n"
-"POT-Creation-Date: 2011-01-02 02:11+0100\n"
+"POT-Creation-Date: 2011-12-27 14:03-0800\n"
 "PO-Revision-Date: 2008-04-28 12:13+0200\n"
 "Last-Translator: Jan Outrata \n"
 "Language-Team: Czech \n"
diff -Nru snort-2.8.5.2/debian/po/da.po snort-2.9.2/debian/po/da.po
--- snort-2.8.5.2/debian/po/da.po 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/debian/po/da.po 2012-01-25 18:02:43.000000000 +0000
@@ -0,0 +1,574 @@
+# Danish translation snort.
+# Copyright (C) 2011 snort og nedenstÃ¥ende oversættere.
+# This file is distributed under the same license as the snort package.
+# Joe Hansen (joedalton2@yahoo.dk), 2011.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: snort\n"
+"Report-Msgid-Bugs-To: snort@packages.debian.org\n"
+"POT-Creation-Date: 2011-01-02 02:11+0100\n"
+"PO-Revision-Date: 2011-08-20 19:25+0200\n"
+"Last-Translator: Joe Hansen \n"
+"Language-Team: Danish \n"
+"Language: da\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: select
+#. Choices
+#: ../snort.templates:1001 ../snort-mysql.templates:1001
+#: ../snort-pgsql.templates:1001
+msgid "boot"
+msgstr "opstart"
+
+#. Type: select
+#. Choices
+#: ../snort.templates:1001 ../snort-mysql.templates:1001
+#: ../snort-pgsql.templates:1001
+msgid "dialup"
+msgstr "ring op"
+
+#. Type: select
+#. Choices
+#: ../snort.templates:1001 ../snort-mysql.templates:1001
+#: ../snort-pgsql.templates:1001
+msgid "manual"
+msgstr "manuelt"
+
+#. Type: select
+#. Description
+#: ../snort.templates:1002 ../snort-mysql.templates:1002
+#: ../snort-pgsql.templates:1002
+msgid "Snort start method:"
+msgstr "Startmetode for snort:"
+
+#. Type: select
+#. Description
+#: ../snort.templates:1002 ../snort-mysql.templates:1002
+#: ../snort-pgsql.templates:1002
+msgid ""
+"Snort can be started during boot, when connecting to the net with pppd or "
+"only manually with the /usr/sbin/snort command."
+msgstr ""
+"Snort kan igangsættes ved opstart, nÃ¥r der forbindes til nettet med pppd "
+"eller kun manuelt med kommandoen /usr/sbin/snort."
+
+#. Type: string
+#. Description
+#: ../snort.templates:2001 ../snort-mysql.templates:2001
+#: ../snort-pgsql.templates:2001
+msgid "Interface(s) which Snort should listen on:"
+msgstr "Grænseflader som Snort skal lytte pÃ¥:"
+
+#. Type: string
+#. Description
+#: ../snort.templates:2001 ../snort-mysql.templates:2001
+#: ../snort-pgsql.templates:2001
+msgid ""
+"This value is usually 'eth0', but this may be inappropriate in some network "
+"environments; for a dialup connection 'ppp0' might be more appropiate (see "
+"the output of '/sbin/ifconfig')."
+msgstr ""
+"Værdien er normalt »eth0«, men dette kan være upassende i nogle "
+"netværksmiljøer; for en opkaldsforbindelse kan »ppp0« være mere passende "
+"(se uddata for »/sbin/ifconfig«)."
+
+#. Type: string
+#. Description
+#: ../snort.templates:2001 ../snort-mysql.templates:2001
+#: ../snort-pgsql.templates:2001
+msgid ""
+"Typically, this is the same interface as the 'default route' is on. You can "
+"determine which interface is used for this by running '/sbin/route -n' (look "
+"for '0.0.0.0')."
+msgstr ""
+"Typisk er dette den samme grænseflade som »standardruten« er pÃ¥. Du kan "
+"bestemme hvilken grænseflade, der bruges, ved at køre »/sbin/route -n« (se "
+"efter »0.0.0.0«)."
+
+#. Type: string
+#. Description
+#: ../snort.templates:2001 ../snort-mysql.templates:2001
+#: ../snort-pgsql.templates:2001
+msgid ""
+"It is also not uncommon to use an interface with no IP address configured in "
+"promiscuous mode. For such cases, select the interface in this system that "
+"is physically connected to the network that should be inspected, enable "
+"promiscuous mode later on and make sure that the network traffic is sent to "
+"this interface (either connected to a 'port mirroring/spanning' port in a "
+"switch, to a hub or to a tap)."
+msgstr ""
+"Det er heller ikke unormalt at bruge en grænseflade uden IP-adresse konfigureret "
+"i fuldstændig Ã¥ben tilstand. I sÃ¥danne tilfælde sÃ¥ vælg grænsefladen i dette "
+"system som er fysisk forbundet med netværket, som skal inspiceres, aktiver "
+"fuldstændig Ã¥ben (promiscuous) tilstand senere og sikr dig at netværkstrafikken "
+"sendes til denne grænseflade (enten forbundet til en »port mirroring/spanning« port "
+"i en netværksveksler (switch), en hub eller en tap)."
+
+#. Type: string
+#. Description
+#: ../snort.templates:2001 ../snort-mysql.templates:2001
+#: ../snort-pgsql.templates:2001
+msgid ""
+"You can configure multiple interfaces, just by adding more than one "
+"interface name separated by spaces. Each interface can have its own specific "
+"configuration."
+msgstr ""
+"Du kan konfigurere flere grænseflader, bare ved at tilføje mere end et "
+"grænsefladenavn adskilt af mellemrum. Hver grænseflade kan have sin egen "
+"specifikke konfiguration."
+
+#. Type: string
+#. Description
+#: ../snort.templates:3001 ../snort-mysql.templates:3001
+#: ../snort-pgsql.templates:3001
+msgid "Address range for the local network:"
+msgstr "Adresseinterval for det lokale netværk:"
+
+#. Type: string
+#. Description
+#: ../snort.templates:3001 ../snort-mysql.templates:3001
+#: ../snort-pgsql.templates:3001
+msgid ""
+"Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 "
+"addresses or 192.168.1.42/32 for just one. Multiple values should be comma-"
+"separated (without spaces)."
+msgstr ""
+"Brug venligst CIDR-formen - for eksempel 192.168.1.0/24 - for en blok af "
+"256 adresser eller 192.168.1.42/32 for bare en. Flere værdier skal være "
+"kommaadskilt (uden mellemrum)."
+
+#. Type: string
+#. Description
+#: ../snort.templates:3001 ../snort-mysql.templates:3001
+#: ../snort-pgsql.templates:3001
+msgid ""
+"Please note that if Snort is configured to use multiple interfaces, it will "
+"use this value as the HOME_NET definition for all of them."
+msgstr ""
+"Bemærk venligst at hvis Snort er konfigureret til at bruge flere grænseflader "
+"vil den bruge denne værdi som HOME_NET-definitionen for dem alle."
+
+#. Type: boolean
+#. Description
+#: ../snort.templates:4001 ../snort-mysql.templates:4001
+#: ../snort-pgsql.templates:4001
+msgid "Should Snort disable promiscuous mode on the interface?"
+msgstr ""
+"Skal Snort deaktivere fuldstændig Ã¥ben (promiscuous) tilstand pÃ¥ grænsefladen?"
+
+#. Type: boolean
+#. Description
+#: ../snort.templates:4001 ../snort-mysql.templates:4001
+#: ../snort-pgsql.templates:4001
+msgid ""
+"Disabling promiscuous mode means that Snort will only see packets addressed "
+"to the interface it is monitoring. Enabling it allows Snort to check every "
+"packet that passes the Ethernet segment even if it's a connection between "
+"two other computers."
+msgstr ""
+"Deaktivering af fuldstændig Ã¥ben tilstand betyder at Snort kun vil se pakker "
+"adresseret til grænsefladen den overvÃ¥ger. Aktivering af den tillader Snort "
+"at kontrollere hver pakke som passerer Ethernetsegmentet selv hvis det er en "
+"forbindelse mellem to andre computere."
+
+#. Type: error
+#. Description
+#: ../snort.templates:5001 ../snort-mysql.templates:5001
+#: ../snort-pgsql.templates:5001
+msgid "Invalid interface"
+msgstr "Ugyldig grænseflade"
+
+#. Type: error
+#. Description
+#: ../snort.templates:5001 ../snort-mysql.templates:5001
+#: ../snort-pgsql.templates:5001
+msgid ""
+"Snort is trying to use an interface which does not exist or is down. Either "
+"it is defaulting inappropriately to 'eth0', or you specified one which is "
+"invalid."
+msgstr ""
+"Snort forsøger at bruge en grænseflade, som ikke findes eller er nede. Enten "
+"er standarden upassende for »eth0« eller du angav en som er ugyldig."
+
+#. Type: boolean
+#. Description
+#: ../snort.templates:6001 ../snort-mysql.templates:6001
+#: ../snort-pgsql.templates:6001
+msgid "Should daily summaries be sent by e-mail?"
+msgstr "Skal daglige referater sendes med e-post?"
+
+#. Type: boolean
+#. Description
+#: ../snort.templates:6001 ../snort-mysql.templates:6001
+#: ../snort-pgsql.templates:6001
+msgid ""
+"A cron job can be set up to send daily summaries of Snort logs to a selected "
+"e-mail address."
+msgstr ""
+"Et cronjob kan sættes op til at sende daglige refereater af Snortlogge til "
+"en valgt e-post-adresse."
+
+#. Type: boolean
+#. Description
+#: ../snort.templates:6001 ../snort-mysql.templates:6001
+#: ../snort-pgsql.templates:6001
+msgid "Please choose whether you want to activate this feature."
+msgstr "Vælg venligst hvorvidt du ønsker at aktivere denne funktion."
+
+#. Type: string
+#. Description
+#: ../snort.templates:7001 ../snort-mysql.templates:7001
+#: ../snort-pgsql.templates:7001
+msgid "Recipient of daily statistics mails:"
+msgstr "Modtager af daglig statistikpost:"
+
+#. Type: string
+#. Description
+#: ../snort.templates:7001 ../snort-mysql.templates:7001
+#: ../snort-pgsql.templates:7001
+msgid ""
+"Please specify the e-mail address that should receive daily summaries of "
+"Snort logs."
+msgstr ""
+"Angiv venligst e-post-adressen som skal modtage daglige referater af "
+"Snortlogge."
+
+#. Type: string
+#. Description
+#: ../snort.templates:8001 ../snort-mysql.templates:8001
+#: ../snort-pgsql.templates:8001
+msgid "Additional custom options:"
+msgstr "Yderligere tilpassede indstillinger:"
+
+#. Type: string
+#. Description
+#: ../snort.templates:8001 ../snort-mysql.templates:8001
+#: ../snort-pgsql.templates:8001
+msgid "Please specify any additional options Snort should use."
+msgstr "Angiv venligst alle yderligere indstillinger som Snort skal bruge."
+
+#. Type: string
+#. Description
+#: ../snort.templates:9001 ../snort-mysql.templates:9001
+#: ../snort-pgsql.templates:9001
+msgid "Minimum occurrences before alerts are reported:"
+msgstr "Minimale forekomster før pÃ¥mindelser rapporteres:"
+
+#. Type: string
+#. Description
+#: ../snort.templates:9001 ../snort-mysql.templates:9001
+#: ../snort-pgsql.templates:9001
+msgid ""
+"Please enter the minimum number of alert occurrences before a given alert is "
+"included in the daily statistics."
+msgstr ""
+"Indtast venligst det minimale antal pÃ¥mindelsesforekomster før en angivet "
+"pÃ¥mindelse er inkluderet i den daglige statistik."
+
+#. Type: note
+#. Description
+#: ../snort.templates:10001 ../snort-mysql.templates:10001
+#: ../snort-pgsql.templates:10001
+msgid "Snort restart required"
+msgstr "Genstart af Snort er krævet"
+
+#. Type: note
+#. Description
+#: ../snort.templates:10001 ../snort-mysql.templates:10001
+#: ../snort-pgsql.templates:10001
+msgid ""
+"As Snort is manually launched, you need to run '/etc/init.d/snort' for the "
+"changes to take place."
+msgstr ""
+"Da Snort startes manuelt, skal du køre »/etc/init.d/snort« for at ændringerne "
+"træder i kraft."
+
+#. Type: error
+#. Description
+#: ../snort.templates:11001 ../snort-mysql.templates:11001
+#: ../snort-pgsql.templates:11001
+msgid "Obsolete configuration file"
+msgstr "Forældet konfigurationsfil"
+
+#. Type: error
+#. Description
+#: ../snort.templates:11001 ../snort-mysql.templates:11001
+#: ../snort-pgsql.templates:11001
+msgid ""
+"This system uses an obsolete configuration file (/etc/snort/snort.common."
+"parameters) which has been automatically converted into the new "
+"configuration file format (at /etc/default/snort)."
+msgstr ""
+"Dette system bruger en forældet konfigurationsfil (/etc/snort/snort.common."
+"parameters), som automatisk er blevet konverteret til det nye "
+"konfigurationsfilformat (ved /etc/default/snort)."
+
+#. Type: error
+#. Description
+#: ../snort.templates:11001 ../snort-mysql.templates:11001
+#: ../snort-pgsql.templates:11001
+msgid ""
+"Please review the new configuration and remove the obsolete one. Until you "
+"do this, the initialization script will not use the new configuration and "
+"you will not take advantage of the benefits introduced in newer releases."
+msgstr ""
+"Gennemse venligst den nye konfiguration og fjern den forældede. Indtil du "
+"udfører dette, vil initialiseringskriptet ikke bruge den nye konfiguration "
+"og du vil ikke fÃ¥ fordel af de fordele, som er blevet introduceret i nyere "
+"udgivelser."
+
+#. Type: boolean
+#. Description
+#: ../snort-mysql.templates:12001
+msgid "Set up a database for snort-mysql to log to?"
+msgstr "Opsæt en database som snort-mysql kan logge pÃ¥?"
+
+#. Type: boolean
+#. Description
+#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001
+msgid ""
+"No database has been set up for Snort to log to. Before continuing, you "
+"should make sure you have:"
+msgstr ""
+"Ingen database er blevet opsat for Snort at logge pÃ¥. Før du fortsætter, "
+"skal du sikre dig, at du har:"
+
+#. Type: boolean
+#. Description
+#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001
+msgid ""
+" - the server host name (that server must allow TCP connections\n"
+" from this machine);\n"
+" - a database on that server;\n"
+" - a username and password to access the database."
+msgstr ""
+" - serverværtsnavnet (den server skal tillade TCP-forbindelser\n"
+" fra denne maskine);\n"
+" - en database pÃ¥ den server;\n"
+" - et brugernavn og adgangskode for at tilgÃ¥ databasen."
+
+#. Type: boolean
+#. Description
+#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001
+msgid ""
+"If some of these requirements are missing, reject this option and run with "
+"regular file logging support."
+msgstr ""
+"Hvis nogle af disse krav mangler, sÃ¥ afvis denne indstilling og kør med "
+"regulær fillogningsunderstøttelse."
+
+#. Type: boolean
+#. Description
+#: ../snort-mysql.templates:12001
+msgid ""
+"Database logging can be reconfigured later by running 'dpkg-reconfigure -"
+"plow snort-mysql'."
+msgstr "" +"Databaselogning kan omkonfigureres senere ved at køre »dpkg-reconfigure -" +"plow snort-mysql«." + +#. Type: string +#. Description +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 +msgid "Database server hostname:" +msgstr "Værtsnavn for databaseserver:" + +#. Type: string +#. Description +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 +msgid "" +"Please specify the host name of a database server that allows incoming " +"connections from this host." +msgstr "" +"Angiv venligst værtsnavnet pÃ¥ en databaseserver, som tillader indgÃ¥ende " +"forbindelser fra denne vært." + +#. Type: string +#. Description +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +msgid "Database name:" +msgstr "Databasenavn:" + +#. Type: string +#. Description +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +msgid "" +"Please specify the name of an existing database to which the database user " +"has write access." +msgstr "" +"Angiv venligst navnet pÃ¥ en eksisterende database hvortil databasebrugeren " +"har skriveadgang." + +#. Type: string +#. Description +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +msgid "Username for database access:" +msgstr "Brugernavn for databaseadgang:" + +#. Type: string +#. Description +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +msgid "" +"Please specify a database server username with write access to the database." +msgstr "" +"Angiv venligst et brugernavn for databaseserveren med skriveadgang til " +"databasen." + +#. Type: password +#. Description +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +msgid "Password for the database connection:" +msgstr "Adgangskode for databaseforbindelsen:" + +#. Type: password +#. Description +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +msgid "" +"Please enter the password to use to connect to the Snort Alert database." 
+msgstr "" +"Indtast venligst adgangskoden at bruge for at forbinde til Snorts " +"pÃ¥mindelsesdatabase." + +#. Type: note +#. Description +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +msgid "Configured database mandatory for Snort" +msgstr "Konfigureret database er et krav for Snort" + +#. Type: note +#. Description +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +msgid "" +"Snort needs a configured database before it can successfully start up. In " +"order to create the structure you need to run the following commands AFTER " +"the package is installed:" +msgstr "" +"Snort kræver en konfigureret database, før den kan starte op. For at oprette " +"strukturen skal du køre de følgende kommandoer EFTER at pakken er installeret:" + +#. Type: note +#. Description +#: ../snort-mysql.templates:17001 +msgid "" +" cd /usr/share/doc/snort-mysql/\n" +" zcat create_mysql.gz | mysql -u -h -p " +msgstr "" +" cd /usr/share/doc/snort-mysql/\n" +" zcat create_mysql.gz | mysql -u -h -p " + +#. Type: note +#. Description +#: ../snort-mysql.templates:17001 +msgid "" +"Fill in the correct values for the user, host, and database names. MySQL " +"will prompt you for the password." +msgstr "" +"Udfyld de korrekte værdier for brugeren, værten og databasenavnene. MySQL " +"vil spørge dig om adgangskoden." + +#. Type: note +#. Description +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +msgid "" +"After you have created the database structure, you will need to start Snort " +"manually." +msgstr "" +"Efter at du har oprettet databasestrukturen, skal du starte Snort manuelt." + +#. Type: boolean +#. Description +#: ../snort-pgsql.templates:12001 +msgid "Set up a database for snort-pgsql to log to?" +msgstr "Opsæt en database for snort-pgsql at logge pÃ¥?" + +#. Type: boolean +#. Description +#: ../snort-pgsql.templates:12001 +msgid "" +"Database logging can be reconfigured later by running 'dpkg-reconfigure -" +"plow snort-pgsql'." 
+msgstr "" +"Databaselogning kan omkonfigureres senere ved at køre »dpkg-reconfigure -" +"plow snort-pgsql«." + +#. Type: note +#. Description +#: ../snort-pgsql.templates:17001 +msgid "" +" cd /usr/share/doc/snort-pgsql/\n" +" zcat create_postgresql.gz | psql -U -h -W " +msgstr "" +" cd /usr/share/doc/snort-pgsql/\n" +" zcat create_postgresql.gz | psql -U -h -W " + +#. Type: note +#. Description +#: ../snort-pgsql.templates:17001 +msgid "" +"Fill in the correct values for the user, host, and database names. " +"PostgreSQL will prompt you for the password." +msgstr "" +"Udfyld de korrekte værdier for brugeren, værten og databasenavnene. " +"PostgreSQL vil spørge dig om adgangskoden." + +#. Type: note +#. Description +#: ../snort-common.templates:1001 +msgid "Deprecated configuration file" +msgstr "Forældet (deprecated) konfigurationsfil" + +#. Type: note +#. Description +#: ../snort-common.templates:1001 +msgid "" +"The Snort configuration file (/etc/snort/snort.conf) uses deprecated options " +"no longer available for this Snort release. Snort will not be able to start " +"unless you provide a correct configuration file. Either allow the " +"configuration file to be replaced with the one provided in this package or " +"fix it manually by removing deprecated options." +msgstr "" +"Snorts konfigurationsfil (/etc/snort/snort.conf) bruger forældede indstillinger, " +"som ikke længere er tilgængelige for denne Snortudgivelse. Snort vil ikke kunne " +"starte med mindre, at du angiver en gyldig konfigurationsfil. Tillad enten at " +"konfigurationsfilen bliver erstattet med konfigurationsfilen i denne pakke " +"eller ret det manuelt ved at fjerne forældede indstillinger." + +#. Type: note +#. Description +#: ../snort-common.templates:1001 +msgid "" +"The following deprecated options were found in the configuration file: " +"${DEP_CONFIG}" +msgstr "" +"De følgende forældede indstillinger blev fundet i konfigurationsfilen: " +"${DEP_CONFIG}" + +#. Type: error +#. 
Description +#: ../snort-common.templates:2001 +msgid "Configuration error" +msgstr "Konfigurationsfejl" + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"The current Snort configuration is invalid and will prevent Snort starting " +"up normally. Please review and correct it." +msgstr "" +"Den aktuelle Snortkonfiguration er ugyldig og vil forhindre Snort i at " +"starte op normalt. Gennemse og ret den venligst." + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" +"c '." +msgstr "" +"For at diagnosticere en fejl i en Snortkonfigurationsfil sÃ¥ brug »/usr/sbin/snort " +"-T -c «." + diff -Nru snort-2.8.5.2/debian/po/de.po snort-2.9.2/debian/po/de.po --- snort-2.8.5.2/debian/po/de.po 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/po/de.po 2012-01-25 21:34:05.000000000 +0000 @@ -15,7 +15,7 @@ msgstr "" "Project-Id-Version: snort_2.7.0-10_de\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2011-01-02 02:11+0100\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" "PO-Revision-Date: 2008-04-20 22:17+0200\n" "Last-Translator: Erik Schanze \n" "Language-Team: German \n" diff -Nru snort-2.8.5.2/debian/po/es.po snort-2.9.2/debian/po/es.po --- snort-2.8.5.2/debian/po/es.po 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/po/es.po 2012-01-25 21:34:19.000000000 +0000 @@ -31,11 +31,11 @@ msgstr "" "Project-Id-Version: snort debconf 2.1.0-4.1\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2011-01-02 02:11+0100\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" "PO-Revision-Date: 2008-04-27 23:44+0200\n" "Last-Translator: Javier Fernandez-Sanguino Peña \n" "Language-Team: Debian Spanish \n" -"Language: \n" +"Language: es\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=iso-8859-1\n" "Content-Transfer-Encoding: 8bit\n" 
@@ -102,10 +102,10 @@
 "environments; for a dialup connection 'ppp0' might be more appropiate (see "
 "the output of '/sbin/ifconfig')."
 msgstr ""
-"Este valor suele ser «eth0», pero puede no ser correcto para algunos "
-"entornos de red. Si está utilizando una conexión de marcación telefónica "
-"mediante PPP a Internet puede ser más apropiado utilizar «ppp0» (consulte la "
-"salida de «/sbin/ifconfig»)."
+"Este valor suele ser «eth0», pero puede no ser correcto para algunos entornos "
+"de red. Si está utilizando una conexión de marcación telefónica mediante PPP "
+"a Internet puede ser más apropiado utilizar «ppp0» (consulte la salida de «/"
+"sbin/ifconfig»)."
 
 #. Type: string
 #. Description
@@ -662,9 +662,9 @@
 #~ "If you did not configure an interface then the package is trying to use "
 #~ "the default ('eth0') which does not seem to be valid in your system."
 #~ msgstr ""
-#~ "El paquete ha intentado utilizar la interfaz por omisión («eth0») si no "
-#~ "ha configurado un interfaz aquí, y esta interfaz para que no es válida en "
-#~ "su sistema."
+#~ "El paquete ha intentado utilizar la interfaz por omisión («eth0») si no ha "
+#~ "configurado un interfaz aquí, y esta interfaz para que no es válida en su "
+#~ "sistema."
 
 #~ msgid ""
 #~ "If you change Snort's rules testing order to Pass|Alert|Log, they will be "
@@ -695,12 +695,11 @@
 #~ "If you keep this value, make sure that the mail of the administrator is "
 #~ "redirected to a user that actually reads those mails."
 #~ msgstr ""
-#~ "Se ejecuta diariamente una tarea del «cron» para resumir la información "
-#~ "de los registros generados por Snort utilizando un programa llamado "
-#~ "«snort-stat». Indique aquí el receptor de dichos mensajes. El valor por "
-#~ "defecto es el administrator del sistema. Si mantiene este valor asegúrese "
-#~ "de que los correos de dicha cuenta son reenviados o leídos por algún "
-#~ "usuario."
+#~ "Se ejecuta diariamente una tarea del «cron» para resumir la información de "
+#~ "los registros generados por Snort utilizando un programa llamado «snort-"
+#~ "stat». Indique aquí el receptor de dichos mensajes. El valor por defecto "
+#~ "es el administrator del sistema. Si mantiene este valor asegúrese de que "
+#~ "los correos de dicha cuenta son reenviados o leídos por algún usuario."
 
 #~ msgid ""
 #~ "If you want to specify custom options to Snort, please specify them here."
@@ -745,10 +744,9 @@
 #~ "que ejecuta la base de datos mysql permite realizar conexiones tcp desde "
 #~ "éste equipo, (2) hay una base de datos en ese servidor, (3) el nombre de "
 #~ "usuario y contraseña de acceso a la base de datos. Si no tiene _todos_ "
-#~ "estos, escoja «no» y continúe con la configuración habitual de registro, "
-#~ "o arregle esto. Siempre puede configurar la base de datos más adelante "
-#~ "reconfigurando snort-mysql utilizando: «dpkg-reconfigure -plow snort-"
-#~ "mysql»"
+#~ "estos, escoja «no» y continúe con la configuración habitual de registro, o "
+#~ "arregle esto. Siempre puede configurar la base de datos más adelante "
+#~ "reconfigurando snort-mysql utilizando: «dpkg-reconfigure -plow snort-mysql»"
 
 #~ msgid "Make sure this user has been created and has write access."
 #~ msgstr ""
@@ -768,15 +766,14 @@
 #~ "configure database logging later, by reconfiguring the snort-pgsql "
 #~ "package with 'dpkg-reconfigure -plow snort-pgsql'"
 #~ msgstr ""
-#~ "Sólo tiene que hacer ésto la primera vez que instale snort-pgsql. Andes "
+#~ "Sólo tiene que hacer ésto la primera vez que instale snort-pgsql. Antes "
 #~ "de seguir adelante asegúrese de que (1) el nombre de servidor del equipo "
 #~ "que ejecuta la base de datos mysql permite realizar conexiones tcp desde "
 #~ "éste equipo, (2) hay una base de datos en ese servidor, (3) el nombre de "
 #~ "usuario y contraseña de acceso a la base de datos. Si no tiene _todos_ "
-#~ "estos, escoja «no» y continúe con la configuración habitual de registro, "
-#~ "o arregle esto. Siempre puede configurar la base de datos más adelante "
-#~ "reconfigurando snort-pgsql utilizando: «dpkg-reconfigure -plow snort-"
-#~ "pgsql»"
+#~ "estos, escoja «no» y continúe con la configuración habitual de registro, o "
+#~ "arregle esto. Siempre puede configurar la base de datos más adelante "
+#~ "reconfigurando snort-pgsql utilizando: «dpkg-reconfigure -plow snort-pgsql»"
 
 #~ msgid ""
 #~ "Snort needs a configured database before it can successfully start up. In "
@@ -896,8 +893,8 @@
 #~ "todo el tráfico que viene de Internet, así que la interfaz que se añade "
 #~ "aquí es generalmente la misma que tiene definida la ruta por omisión. "
 #~ "Para determinar qué interfaz se está utilizando para esto, ejecute bien "
-#~ "«ip route show» o bien «/sbin/route -n» (busque aquellos valores "
-#~ "asociados a «default» o «0.0.0.0»)."
+#~ "«ip route show» o bien «/sbin/route -n» (busque aquellos valores asociados "
+#~ "a «default» o «0.0.0.0»)."
 
 #~ msgid "Should Snort disable promiscous mode on the interface?"
 #~ msgstr "¿Debería Snort deshabilitar el modo promíscuo en la interfaz?"
diff -Nru snort-2.8.5.2/debian/po/eu.po snort-2.9.2/debian/po/eu.po
--- snort-2.8.5.2/debian/po/eu.po 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/debian/po/eu.po 2012-01-25 20:13:03.000000000 +0000
@@ -7,7 +7,7 @@
 msgstr ""
 "Project-Id-Version: snort-eu\n"
 "Report-Msgid-Bugs-To: snort@packages.debian.org\n"
-"POT-Creation-Date: 2011-01-02 02:11+0100\n"
+"POT-Creation-Date: 2011-12-27 14:03-0800\n"
 "PO-Revision-Date: 2008-04-30 12:13+0200\n"
 "Last-Translator: Piarres Beobide \n"
 "Language-Team: Euskara \n"
diff -Nru snort-2.8.5.2/debian/po/fi.po snort-2.9.2/debian/po/fi.po
--- snort-2.8.5.2/debian/po/fi.po 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/debian/po/fi.po 2012-01-25 20:13:11.000000000 +0000
@@ -2,7 +2,7 @@
 msgstr ""
 "Project-Id-Version: snort\n"
 "Report-Msgid-Bugs-To: snort@packages.debian.org\n"
-"POT-Creation-Date: 2011-01-02 02:11+0100\n"
+"POT-Creation-Date: 2011-12-27 14:03-0800\n"
 "PO-Revision-Date: 2008-04-28 07:39+0200\n"
 "Last-Translator: Esko Arajärvi \n"
 "Language-Team: debian-l10n-finnish@lists.debian.org \n"
diff -Nru snort-2.8.5.2/debian/po/fr.po snort-2.9.2/debian/po/fr.po
--- snort-2.8.5.2/debian/po/fr.po 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/debian/po/fr.po 2012-01-25 20:18:34.000000000 +0000
@@ -7,7 +7,7 @@
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: snort@packages.debian.org\n"
-"POT-Creation-Date: 2011-01-02 02:11+0100\n"
+"POT-Creation-Date: 2011-12-27 14:03-0800\n"
 "PO-Revision-Date: 2008-04-06 14:44+0200\n"
 "Last-Translator: Christian Perrier \n"
 "Language-Team: French \n"
@@ -73,9 +73,9 @@
 "the output of '/sbin/ifconfig')."
 msgstr ""
 "La valeur habtuelle est « eth0 » mais elle peut varier selon l'environnement "
-"réseau : pour une connexion ponctuelle (« dialup »), « ppp0 » est "
-"probablement plus adapté. Il est suggéré d'utiliser l'affichage de la "
-"commande « /sbin/ifconfig »."
+"réseau : pour une connexion ponctuelle (« dialup »), « ppp0 » est probablement "
+"plus adapté. Il est suggéré d'utiliser l'affichage de la commande « /sbin/"
+"ifconfig »."
 
 #. Type: string
 #. Description
@@ -87,8 +87,7 @@
 "for '0.0.0.0')."
 msgstr ""
 "L'interface est celle qu'utilise la route par défaut. Vous pouvez obtenir "
-"cette information avec la commande « /sbin/route -n » (rechercher "
-"« 0.0.0.0 »)."
+"cette information avec la commande « /sbin/route -n » (rechercher « 0.0.0.0 »)."
 
 #. Type: string
 #. Description
@@ -103,10 +102,10 @@
 "switch, to a hub or to a tap)."
 msgstr ""
 "Il est également fréquent d'utiliser Snort sur une interface sans adresse "
-"IP, en mode « promiscuous ». Dans ce cas, choisissez l'interface connectée "
-"au réseau que vous voulez analyser et activez ce mode plus tard. Assurez-"
-"vous que le trafic réseau est bien envoyé à cette interface (soit connectée "
-"à un port de miroir ou de répartition, « mirroring/spanning port » sur un "
+"IP, en mode « promiscuous ». Dans ce cas, choisissez l'interface connectée au "
+"réseau que vous voulez analyser et activez ce mode plus tard. Assurez-vous "
+"que le trafic réseau est bien envoyé à cette interface (soit connectée à un "
+"port de miroir ou de répartition, « mirroring/spanning port » sur un "
 "commutateur réseau, soit connectée à un répartiteur ou à un « tap »)."
 
 #. Type: string
diff -Nru snort-2.8.5.2/debian/po/gl.po snort-2.9.2/debian/po/gl.po
--- snort-2.8.5.2/debian/po/gl.po 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/debian/po/gl.po 2012-01-25 20:13:24.000000000 +0000
@@ -6,7 +6,7 @@
 msgstr ""
 "Project-Id-Version: snort\n"
 "Report-Msgid-Bugs-To: snort@packages.debian.org\n"
-"POT-Creation-Date: 2011-01-02 02:11+0100\n"
+"POT-Creation-Date: 2011-12-27 14:03-0800\n"
 "PO-Revision-Date: 2008-04-06 20:22+0100\n"
 "Last-Translator: Jacobo Tarrio \n"
 "Language-Team: Galician \n"
diff -Nru snort-2.8.5.2/debian/po/it.po snort-2.9.2/debian/po/it.po
--- snort-2.8.5.2/debian/po/it.po 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/debian/po/it.po 2012-01-25 20:13:29.000000000 +0000
@@ -8,7 +8,7 @@
 msgstr ""
 "Project-Id-Version: snort\n"
 "Report-Msgid-Bugs-To: snort@packages.debian.org\n"
-"POT-Creation-Date: 2011-01-02 02:11+0100\n"
+"POT-Creation-Date: 2011-12-27 14:03-0800\n"
 "PO-Revision-Date: 2008-04-20 19:37+0100\n"
 "Last-Translator: Gianluca Cotrino \n"
 "Language-Team: Italian \n"
diff -Nru snort-2.8.5.2/debian/po/ja.po snort-2.9.2/debian/po/ja.po
--- snort-2.8.5.2/debian/po/ja.po 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/debian/po/ja.po 2012-01-25 20:13:38.000000000 +0000
@@ -16,7 +16,7 @@
 msgstr ""
 "Project-Id-Version: snort 2.8.1-2\n"
 "Report-Msgid-Bugs-To: snort@packages.debian.org\n"
-"POT-Creation-Date: 2011-01-02 02:11+0100\n"
+"POT-Creation-Date: 2011-12-27 14:03-0800\n"
 "PO-Revision-Date: 2008-12-21 22:26+0900\n"
 "Last-Translator: Hideki Yamane (Debian-JP) \n"
 "Language-Team: Japanese \n"
diff -Nru snort-2.8.5.2/debian/po/nl.po snort-2.9.2/debian/po/nl.po
--- snort-2.8.5.2/debian/po/nl.po 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/debian/po/nl.po 2012-01-25 21:39:26.000000000 +0000
@@ -1,26 +1,21 @@
-# Translators, if you are not familiar with the PO format, gettext
-# documentation is worth reading, especially sections dedicated to
-# this format, e.g. by running:
-# info -n '(gettext)PO Files'
-# info -n '(gettext)Header Entry'
-# Some information specific to po-debconf are available at
-# /usr/share/doc/po-debconf/README-trans
-# or http://www.debian.org/intl/l10n/po-debconf/README-trans
-# Developers do not need to manually edit POT or PO files.
+# Dutch translation of snort debconf templates.
+# Copyright (C) 2005-2012 THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the snort package.
 # Bart Cornelis , 2005.
-#
+# Peter Vandenabeele , 2008.
+# Jeroen Schot , 2012.
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: snort\n"
+"Project-Id-Version: snort 2.8.5.2-9.1\n"
 "Report-Msgid-Bugs-To: snort@packages.debian.org\n"
-"POT-Creation-Date: 2011-01-02 02:11+0100\n"
-"PO-Revision-Date: 2008-04-06 09:33+0200\n"
-"Last-Translator: Peter Vandenabeele \n"
-"Language-Team: debian-l10n-dutch \n"
-"Language: \n"
+"POT-Creation-Date: 2011-12-27 14:03-0800\n"
+"PO-Revision-Date: 2012-01-02 15:29+0100\n"
+"Last-Translator: Jeroen Schot \n"
+"Language-Team: Debian l10n Dutch \n"
+"Language: nl\n"
 "MIME-Version: 1.0\n"
-"Content-Type: text/plain; charset=iso-8859-15\n"
+"Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 
 #. Type: select
@@ -42,14 +37,14 @@
 #: ../snort.templates:1001 ../snort-mysql.templates:1001
 #: ../snort-pgsql.templates:1001
 msgid "manual"
-msgstr "manueel"
+msgstr "handmatig"
 
 #. Type: select
 #. Description
 #: ../snort.templates:1002 ../snort-mysql.templates:1002
 #: ../snort-pgsql.templates:1002
 msgid "Snort start method:"
-msgstr "Snort opstart methode:"
+msgstr "Opstartmethode van Snort:"
 
 # Type: select
 # Description
@@ -61,7 +56,7 @@
 "Snort can be started during boot, when connecting to the net with pppd or "
 "only manually with the /usr/sbin/snort command."
 msgstr ""
-"Snort kan opgestart worden tijdens het opstarten van de computer, bij het "
+"Snort kan gestart worden tijdens het opstarten van de computer, bij het "
 "openen van de netwerkverbinding door pppd of wanneer u het handmatig opstart."
 "via /usr/bin/snort."
 
@@ -84,8 +79,8 @@
 "the output of '/sbin/ifconfig')."
 msgstr ""
 "Deze waarde is normaal 'eth0', maar misschien wil u dit aanpassen "
-"afhankelijk van uw omgeving. Als u een inbelverbinding gebruikt, is 'ppp0' "
-"misschien meer geschikt (hint: gebruik 'ip link show' of 'ifconfig')."
+"afhankelijk van uw netwerkomgeving. Als u een inbelverbinding gebruikt, is "
+"'ppp0' misschien meer geschikt (hint: gebruik 'ip link show' of 'ifconfig')."
 
 #. Type: string
 #. Description
@@ -128,7 +123,7 @@
 "interface name separated by spaces. Each interface can have its own specific "
 "configuration."
 msgstr ""
-"U kunt hier verschillende interfaces definiëren, door meer dan één naam van "
+"U kunt hier verschillende interfaces definiëren, door meer dan één naam van "
 "een interface te vermelden, gescheiden door spaties. Elke interface kan zijn "
 "eigen specifieke configuratie hebben."
 
@@ -153,8 +148,8 @@
 "separated (without spaces)."
 msgstr ""
 "U dient de CIDR-vorm te gebruiken (dit is 192.168.1.0/24 voor een blok van "
-"256 IP-adressen of 192.168.1.42/32 voor één enkel IP-adres). U kunt meerdere "
-"adressen opgeven op één regel door ze te scheiden met kommas; spaties zijn "
+"256 IP-adressen of 192.168.1.42/32 voor één enkel IP-adres). U kunt meerdere "
+"adressen opgeven op één regel door ze te scheiden met komma's; spaties zijn "
 "hierbij niet toegestaan!"
 
 #. Type: string
@@ -230,8 +225,8 @@
 "A cron job can be set up to send daily summaries of Snort logs to a selected "
 "e-mail address."
 msgstr ""
-"Een cron job kan opgezet worden om dagelijks samenvattingen van Snort logs "
-"naar een bepaald e-mail adres te sturen."
+"Een cron job kan opgezet worden om dagelijks samenvattingen van de "
+"logbestanden van Snort naar een bepaald e-mailadres te sturen."
 
 #. Type: boolean
 #. Description
@@ -247,7 +242,7 @@
 #: ../snort.templates:7001 ../snort-mysql.templates:7001
 #: ../snort-pgsql.templates:7001
 msgid "Recipient of daily statistics mails:"
-msgstr "Ontvanger van de dagelijkse statistiekmails:"
+msgstr "Ontvanger van de dagelijkse statistiek-e-mails:"
 
 #. Type: string
 #. Description
@@ -257,8 +252,8 @@
 "Please specify the e-mail address that should receive daily summaries of "
 "Snort logs."
 msgstr ""
-"Gelieve het e-mail adres op te geven dat de dagelijkse samenvatting van de "
-"Snort logs moet ontvangen."
+"Gelieve het e-mailadres op te geven dat de dagelijkse samenvatting van de "
+"logbestanden van Snort moet ontvangen."
 
 #. Type: string
 #. Description
@@ -309,7 +304,7 @@
 "As Snort is manually launched, you need to run '/etc/init.d/snort' for the "
 "changes to take place."
 msgstr ""
-"Vermits Snort normaal manueel wordt gestart, moet u '/etc/init.d/snort' "
+"Aangezien Snort normaal handmatig wordt gestart, moet u '/etc/init.d/snort' "
 "uitvoeren om de aanpassingen door te voeren."
 
 #. Type: error
@@ -330,7 +325,7 @@
 msgstr ""
 "Uw systeem heeft een verouderd configuratiebestand (/etc/snort/snort.common."
 "parameters) dat nu automatisch is omgezet in een nieuw "
-"configuratiebestandsformaat (in /etc/default/snort)."
+"configuratiebestandsindeling (in /etc/default/snort)."
 
 #. Type: error
 #. Description
@@ -341,10 +336,10 @@
 "do this, the initialization script will not use the new configuration and "
 "you will not take advantage of the benefits introduced in newer releases."
 msgstr ""
-"Kijkt u aub het nieuwe configuratiebestand na en verwijder het verouderde "
-"bestand. Tot u dit doet, zal het init.d script de nieuwe configratie niet "
-"gebruiken en zal u niet kunnen genieten van de voordelen die de nieuwere "
-"versies bieden."
+"Gelieve het nieuwe configuratiebestand na te kijken en het verouderde "
+"bestand te verwijderen. Tot u dit doet, zal het initialisatie-script de "
+"nieuwe configuratie niet gebruiken en zal u niet kunnen genieten van de "
+"voordelen die de nieuwere versies bieden."
 
 # Type: boolean
 # Description
@@ -363,7 +358,7 @@
 "No database has been set up for Snort to log to. Before continuing, you "
 "should make sure you have:"
 msgstr ""
-"Er is geen databank opgezet voor Snort om naar te loggen. Voor u verder kan "
+"Er is geen database opgezet voor Snort om naar te loggen. Voor u verder kan "
 "gaan, moet u deze eerst opzetten:"
 
 #. Type: boolean
@@ -375,9 +370,10 @@
 " - a database on that server;\n"
 " - a username and password to access the database."
 msgstr ""
-" - de server host naam (die server met TCP verbindingen van deze machine "
-"accepteren) - een database op die server - een gebruikersnaam en paswoord om "
-"toegang te krijgen tot de databank"
+" - De computernaam van de server (deze moet TCP-verbindingen van\n"
+" deze machine accepteren);\n"
+" - een database op die server;\n"
+" - een gebruikersnaam en wachtwoord om toegang te krijgen tot de database."
 
 #. Type: boolean
 #. Description
@@ -387,7 +383,7 @@
 "regular file logging support."
 msgstr ""
 "Als sommige van deze noodzakelijke elementen ontbreken, gebruik dan deze "
-"optie niet en draai Snort met gewone logging naar een bestand"
+"optie niet en draai Snort met gewone logging naar een bestand."
 
 #. Type: boolean
 #. Description
@@ -396,14 +392,14 @@
 "Database logging can be reconfigured later by running 'dpkg-reconfigure -"
 "plow snort-mysql'."
 msgstr ""
-"Logging naar een databank kan later ook nog geconfigureerd worden met het "
+"Logging naar een database kan later ook nog geconfigureerd worden met het "
 "commando 'dpkg-reconfigure -plow snort-mysql'"
 
 #. Type: string
 #. Description
 #: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001
 msgid "Database server hostname:"
-msgstr "Database server hostnaam:"
+msgstr "Computernaam van databaseserver:"
 
 # Type: string
 # Description
@@ -414,15 +410,15 @@
 "Please specify the host name of a database server that allows incoming "
 "connections from this host."
 msgstr ""
-"Gelieve een hostnaam voor de databank server op te geven. U dient ervoorte "
-"zorgen dat deze correct is ingesteld is om inkomende verbindingen vandeze "
+"Gelieve een hostnaam voor de database server op te geven. U dient ervoor te "
+"zorgen dat deze correct is ingesteld is om inkomende verbindingen van deze "
 "computer te aanvaarden!"
 
 #. Type: string
 #. Description
 #: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001
 msgid "Database name:"
-msgstr "Databanknaam:"
+msgstr "databasenaam:"
 
 #. Type: string
 #. Description
@@ -431,14 +427,14 @@
 "Please specify the name of an existing database to which the database user "
 "has write access."
 msgstr ""
-"Gelieve de naam van een bestaande databank op te geven waarnaar de databank "
+"Gelieve de naam van een bestaande database op te geven waarnaar de database "
 "gebruiker schrijftoegang heeft"
 
 #. Type: string
 #. Description
 #: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001
 msgid "Username for database access:"
-msgstr "gebruikersnaam (account) voor database toegang:"
+msgstr "Gebruikersnaam voor databasetoegang:"
 
 # Type: string
 # Description
@@ -448,8 +444,8 @@
 msgid ""
 "Please specify a database server username with write access to the database."
 msgstr ""
-"Gelieve een databank gebruikersnaam op te geven met schrijfrechten in de "
-"databank:"
+"Gelieve een database-gebruikersnaam op te geven met schrijfrechten in de "
+"database:"
 
 # Type: password
 # Description
@@ -457,7 +453,7 @@
 #. Description
 #: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001
 msgid "Password for the database connection:"
-msgstr "Gelieve het paswoord voor de databaseverbinding in te geven:"
+msgstr "Gelieve het wachtwoord voor de databaseverbinding in te geven:"
 
 # Type: password
 # Description
@@ -467,13 +463,13 @@
 msgid ""
 "Please enter the password to use to connect to the Snort Alert database."
 msgstr ""
-"Wat is het wachtwoord om verbinding te maken met de Snort-Alert databank?"
+"Wat is het wachtwoord om verbinding te maken met de Snort-Alert database?"
 
 #. Type: note
 #. Description
 #: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001
 msgid "Configured database mandatory for Snort"
-msgstr "Een geconfigureerde databank is noodzakelijk voor Snort"
+msgstr "Een geconfigureerde database is noodzakelijk voor Snort"
 
 # Type: note
 # Description
@@ -487,7 +483,7 @@
 msgstr ""
 "Snort heeft een geconfigureerde database nodig voor het succesvol kan "
 "opstarten. Om de structuur aan te maken, moet u volgende commando's "
-"uitvoeren NADAT het pakket is geinstalleerd:"
+"uitvoeren NADAT het pakket is geïnstalleerd:"
 
 #. Type: note
 #. Description
@@ -496,8 +492,8 @@
 " cd /usr/share/doc/snort-mysql/\n"
 " zcat create_mysql.gz | mysql -u -h -p "
 msgstr ""
-"cd·/usr/share/doc/snort-mysql/zcat·create_mysql.gz·|·mysql·-u··-"
-"h··-p·"
+"cd·/usr/share/doc/snort-mysql/zcat·create_mysql.gz·|·mysql·-u··-"
+"h··-p·"
 
 #. Type: note
 #. Description
@@ -506,8 +502,8 @@
 "Fill in the correct values for the user, host, and database names. MySQL "
 "will prompt you for the password."
 msgstr ""
-"Vul de correcte waarden in voor gebruiker, host en databank namen. MySQL zal "
-"u vragen naar het paswoord."
+"Vul de correcte waarden in voor gebruiker, host en database namen. MySQL zal "
+"u vragen naar het wachtwoord."
 
 # Type: note
 # Description
@@ -518,7 +514,8 @@
 "After you have created the database structure, you will need to start Snort "
 "manually."
 msgstr ""
-"Nadat u de databank struktuur heeft aangemaakt, moet u Snort manueel starten."
+"Nadat u de database-indeling heeft aangemaakt, moet u Snort handmatig "
+"starten."
 
 # Type: boolean
 # Description
@@ -536,8 +533,8 @@
 "Database logging can be reconfigured later by running 'dpkg-reconfigure -"
 "plow snort-pgsql'."
 msgstr ""
-"Logging naar een databank kan later geherconfigureerd worden met het "
-"commando'dpkg-reconfigure -plow snort-pgslq'"
+"Logging naar een database kan later opnieuw geconfigureerd worden met het "
+"commando 'dpkg-reconfigure -plow snort-pgslq'"
 
 #. Type: note
 #. Description
@@ -546,8 +543,8 @@
 " cd /usr/share/doc/snort-pgsql/\n"
 " zcat create_postgresql.gz | psql -U -h -W "
 msgstr ""
-"·cd·/usr/share/doc/snort-pgsql/·zcat·create_postgresql.gz·|·psql·-U··-"
-"h··-W·"
+"·cd·/usr/share/doc/snort-pgsql/·zcat·create_postgresql.gz·|·psql·-U··-"
+"h··-W·"
 
 #. Type: note
 #. Description
@@ -556,8 +553,8 @@
 "Fill in the correct values for the user, host, and database names. "
 "PostgreSQL will prompt you for the password."
 msgstr ""
-"Vul de correcte waarden in voor gebruiker, host en databank namen.PostgreSQL "
-"zal u later vragen om het paswoord."
+"Vul de correcte waarden in voor gebruiker, host en database namen. "
+"PostgreSQL zal u later vragen om het wachtwoord."
 
 #. Type: note
 #. Description
@@ -584,10 +581,6 @@
 #. Type: note
 #. Description
 #: ../snort-common.templates:1001
-#, fuzzy
-#| msgid ""
-#| "The following deprecated options were found in the configuration file: "
-#| "${DEP_CONFIG}."
 msgid ""
 "The following deprecated options were found in the configuration file: "
 "${DEP_CONFIG}"
@@ -619,291 +612,5 @@ "To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" "c '." msgstr "" -"Om een fout in een Snort congifuratiebestand te analyseren, gebruik '/usr/" -"sbin/snort -T -c '" - -# Type: boolean -# Description -#~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" -#~ msgstr "" -#~ "Moet de volgorde van het testen van de regels van Snort aangepast worden " -#~ "naar Pass|Alert|Log (doorlaten|alarmeren|loggen)?" - -#~ msgid "" -#~ "Snort's default testing order is Alert|Pass|Log; if you accept this " -#~ "option, the order will be changed to Pass|Alert|Log, which can make it " -#~ "simpler to use Snort with some packet-filtering tools." -#~ msgstr "" -#~ "De standaard test volgorde van Snort is Alert|Pass|Log (Verwittigen|" -#~ "Doorlaten|Loggen); als je deze optie accepteert, zal de volgorde " -#~ "gewijzigd worden in Pass|Alert|Log (Doorlaten|Verwittigen|Loggen)' dit " -#~ "kan het eenvoudiger maken om Snort te gebruiken met sommige pakket " -#~ "filtering programma's." - -# Type: note -# Description -#~ msgid "You are running Snort manually" -#~ msgstr "U voert Snort handmatig uit." - -#~ msgid "There is an error in your configuration" -#~ msgstr "Er is een fout in uw configuratie" - -# Type: select -# Choices -#~ msgid "boot, dialup, manual" -#~ msgstr "bij het opstarten, bij het inbellen, handmatig" - -# Type: select -# Description -#~ msgid "When should Snort be started?" -#~ msgstr "Wanneer dient Snort opgestart te worden?" - -# Type: string -# Description -#~ msgid "" -#~ "If you want you can specify 'any', to not trust any side of the network." -#~ msgstr "" -#~ "Wanneer u geen enkel deel van het netwerk wilt vertrouwen, kunt 'any' " -#~ "opgeven." - -#~ msgid "" -#~ "One of the interfaces you specified is not valid (it might not exist on " -#~ "the system or be down). Please introduce a valid interface when answering " -#~ "the question of which interface(s) should Snort listen on." 
-#~ msgstr "" -#~ "Een van de interfaces die u hebt gespecifieerd is niet geldig " -#~ "(misschienbestaat het niet op het systeem of is het niet actief). Gelieve " -#~ "een geldigeinterface op te geven wanneer u de vraag beantwoordt op welke " -#~ "interfacesSnort moet luisteren." - -#~ msgid "" -#~ "If you did not configure an interface then the package is trying to use " -#~ "the default ('eth0') which does not seem to be valid in your system." -#~ msgstr "" -#~ "Als u geen interface hebt geconfigureerd, dan zal het programma " -#~ "proberenom de standaard interface ('eth0') te gebruiken die niet actief " -#~ "schijnt te zijnop dit systeem." - -# Type: boolean -# Description -#~ msgid "" -#~ "If you change Snort's rules testing order to Pass|Alert|Log, they will be " -#~ "applied in Pass->Alert->Log order, instead of standard Alert->Pass->Log. " -#~ "This will prevent people from having to make huge Berky Packet Filter " -#~ "command line arguments to filter their alert rules." -#~ msgstr "" -#~ "Wanneer u de volgorde van het testen van de regels van Snort verandert " -#~ "naar 'Pass|Alert|Log', zullen de regels toegepast worden in de volgorde " -#~ "Pass->Alert->Log, in plaats van Alert->Pass->Log. Dit voorkomt dat men " -#~ "enorme 'Berky Packet Filter' commandoregel-argumenten dient te gebruiken " -#~ "om de 'alert'-regels uit te filteren." - -#~ msgid "" -#~ "This Snort installation provides a cron job that runs daily and " -#~ "summarises the information of Snort logs to a selected email address. If " -#~ "you want to disable this feature say 'no' here." -#~ msgstr "" -#~ "Deze Snort installatie voorziet een cron job die dagelijks loopt en diede " -#~ "informatie van de Snort logs samenvat en verstuurt naar een geselecteerd " -#~ "e-mail adres. Als u deze functie wil desactiveren, zegt udan 'no' bij " -#~ "deze functie." 
- -#~ msgid "" -#~ "A cron job running daily will summarise the information of the logs " -#~ "generated by Snort using a script called 'snort-stat'. Introduce here the " -#~ "recipient of these mails. The default value is the system administrator. " -#~ "If you keep this value, make sure that the mail of the administrator is " -#~ "redirected to a user that actually reads those mails." -#~ msgstr "" -#~ "Een dagelijks uitgevoerde taak (cron job) vat de informatie in de door " -#~ "snort gegenereerde logboeken samen met een script (genaamd 'snort-stat'). " -#~ "Hier geeft u aan wie deze e-mails zal ontvangen. De standaardwaarde is de " -#~ "systeembeheerder. Als u dit zo laat, dient u ervoor te zorgen dat de e-" -#~ "mail van de beheerder omgeleid wordt naar een gebruiker die deze " -#~ "berichten ook daadwerkelijk nakijkt." - -# Type: string -# Description -#~| msgid "" -#~| "If you want to specify custom options to Snort, please specify them here." -#~ msgid "" -#~ "If you want to specify custom options to Snort, please specify them here." -#~ msgstr "" -#~ "Als u speciale opties aan Snort wil meegeven, kunt u deze hier opgeven." - -# Type: note -# Description -#~ msgid "" -#~ "Please restart Snort using:\n" -#~ " /etc/init.d/snort start\n" -#~ "to let the settings take effect." -#~ msgstr "" -#~ "Gelieve Snort te herstarten via:\n" -#~ " /etc/init.d/snort restart\n" -#~ "om de instellingen in werking te doen treden." - -#~ msgid "" -#~ "Your Snort configuration is not correct and Snort will not be able to " -#~ "start up normally. Please review your configuration and fix it. If you do " -#~ "not do this, Snort package upgrades will probably break. To check which " -#~ "error is being generated run '/usr/sbin/snort -T -c /etc/snort/snort." 
-#~ "conf' (or point to an alternate configuration file if you are using " -#~ "different files for different interfaces)" -#~ msgstr "" -#~ "Uw Snort configuratie is niet correct en Snort zal niet in staat zijn om " -#~ "normaal op te starten. Gelieve uw configuratiebestand na te kijken en te " -#~ "corrigeren. Als u dit niet doet, zullen latere opwaarderingen " -#~ "vermoedelijk niet correct werken. Voer dan '/usr/sbin/snort -T -c /etc/" -#~ "snort/snort.conf' uit om te controleren welke fout wordt gegenereerd (of " -#~ "verwijs naar een alternatief configuratiebestand als u verschillende " -#~ "configuratiebestanden gebruikt voor verschillende interfaces)." - -# Type: boolean -# Description -#~ msgid "" -#~ "You only need to do this the first time you install snort-mysql. Before " -#~ "you go on, make sure you have (1) the hostname of a machine running a " -#~ "mysql server set up to allow tcp connections from this host, (2) a " -#~ "database on that server, (3) a username and password to access the " -#~ "database. If you don't have _all_ of these, either select 'no' and run " -#~ "with regular file logging support, or fix this first. You can always " -#~ "configure database logging later, by reconfiguring the snort-mysql " -#~ "package with 'dpkg-reconfigure -plow snort-mysql'" -#~ msgstr "" -#~ "Dit dient enkel de eerste keer dat u snort-mysql installeert te gebeuren. " -#~ "Voordat u verder gaat, dient u over de volgende informatie te " -#~ "beschikken:\n" -#~ " (1) de computernaam van een mysql-databaseserver die verbindingen van " -#~ "deze machine aanvaardt\n" -#~ " (2) een database op die server\n" -#~ " (3) een gebruikersnaam en wachtwoord die toegang verlenen tot die " -#~ "database\n" -#~ "Als u niet over _al_ deze informatie beschikt, kunt u daar ofwel eerst " -#~ "voor zorgen, ofwel 'nee' kiezen en het logboek gewoon in een bestand " -#~ "opslaan. 
U kunt het databaselogboek altijd later instellen via het " -#~ "commando 'dpkg-reconfigure -plow snort-mysql'" - -# Type: string -# Description -#~ msgid "Make sure this user has been created and has write access." -#~ msgstr "" -#~ "U dient ervoor te zorgen dat deze gebruiker aangemaakt is en " -#~ "schrijfrechten heeft." - -# Type: note -# Description -#~| msgid "Snort needs a configured database to log to before it starts." -#~ msgid "Snort needs a configured database to log to before it starts" -#~ msgstr "" -#~ "Snort heeft een geconfigureerde database nodig voor het logboek vóór " -#~ "het kan starten." - -# Type: boolean -# Description -#~ msgid "" -#~ "You only need to do this the first time you install snort-pgsql. Before " -#~ "you go on, make sure you have (1) the hostname of a machine running a " -#~ "pgsql server set up to allow tcp connections from this host, (2) a " -#~ "database on that server, (3) a username and password to access the " -#~ "database. If you don't have _all_ of these, either select 'no' and run " -#~ "with regular file logging support, or fix this first. You can always " -#~ "configure database logging later, by reconfiguring the snort-pgsql " -#~ "package with 'dpkg-reconfigure -plow snort-pgsql'" -#~ msgstr "" -#~ "Dit dient enkel de eerste keer dat u snort-pgsql installeert te gebeuren. " -#~ "Voordat u verder gaat, dient u over de volgende informatie te " -#~ "beschikken:\n" -#~ " (1) de computernaam van een pgql-databaseserver die verbindingen van " -#~ "deze machine aanvaardt\n" -#~ " (2) een database op die server\n" -#~ " (3) een gebruikersnaam en wachtwoord die toegang verlenen tot die " -#~ "database\n" -#~ "Als u niet over _al_ deze informatie beschikt, kunt u daar ofwel eerst " -#~ "voor zorgen, ofwel 'nee' kiezen en het logboek gewoon in een bestand " -#~ "opslaan. 
U kunt het databaselogboek altijd later instellen via het " -#~ "commando 'dpkg-reconfigure -plow snort-pgsql" - -# Type: note -# Description -#~ msgid "" -#~ "Snort needs a configured database before it can successfully start up. In " -#~ "order to create the structure you need to run the following commands " -#~ "AFTER the package is installed:\n" -#~ " cd /usr/share/doc/snort-pgsql/\n" -#~ " zcat create_postgresql.gz | psql -U -h -W \n" -#~ "Fill in the correct values for the user, host, and database names. " -#~ "PostgreSQL will prompt you for the password." -#~ msgstr "" -#~ "Snort heeft een geconfigureerde database nodig voor het succesvol kan " -#~ "opstarten. Om de struktuur aan te maken, moet u volgende commando's " -#~ "uitvoeren NADAT het pakket is geinstalleerd:\n" -#~ " cd /usr/share/doc/snort-pgsql/\n" -#~ " zcat create_postgresql.gz | psql -U -h -W " -#~ "\n" -#~ "Hierbij dient u de juiste waarden voor , , en " -#~ " in te vullen. PostgreSQL vraagt u om het wachtwoord." - -#~ msgid "Your configuration file is deprecated" -#~ msgstr "Uw configuratiebestand is verouderd" - -#~ msgid "" -#~ "Please enter the name(s) of the interface(s) which Snort should listen " -#~ "on. The names of the available interfaces are provided by either " -#~ "running 'ip link show' of 'ifconfig'. This value usually is 'eth0', but " -#~ "you might want to vary this depending on your environment, if you are " -#~ "using a dialup connection 'ppp0' might be more appropiate." -#~ msgstr "" -#~ "Gelieve de naam in te geven van de interface(s) waarop Snort dient te " -#~ "luisteren. U kan de namen van de beschikbare interfaces te weten komen " -#~ "met het commando 'ip link show' of 'ifconfig'. Gewoonlijk is deze waarde " -#~ "'eth0', maar afhankelijk van uw omgeving wilt u dit misschien aanpassen. " -#~ "Als u een inbelverbinding gebruikt, is 'ppp0' waarschijnlijk meer van " -#~ "toepassing." 
- -# Type: string -# Description -#~ msgid "Please enter the address range that Snort will listen on." -#~ msgstr "Op welk adresbereik dient Snort te luisteren?" - -#~ msgid "" -#~ "Disable promiscuous mode if you are configuring Snort on an interface " -#~ "without a configured IP address." -#~ msgstr "" -#~ "Als u Snort instelt op een interface zonder IP-adres dient u de promiscue " -#~ "modus uit te schakelen." - -# Type: string -# Description -#~ msgid "Please enter the hostname of the mysql database server to use." -#~ msgstr "Wat is de computernaam van de te gebruiken MySQL-databaseserver?" - -# Type: string -# Description -#~ msgid "Please enter the name of the database to use." -#~ msgstr "Wat is de naam van de te gebruiken database?" - -# Type: string -# Description -#~ msgid "Please enter the name of the database user you want to use." -#~ msgstr "Wat is de naam van de te gebruiken databasegebruiker?" - -# Type: string -# Description -#~ msgid "Please enter the hostname of the pgsql database server to use." -#~ msgstr "Wat is de computernaam van de te gebruiken pgsql-databaseserver?" - -#~ msgid "" -#~ "Your system has an obsolete configuration file (/etc/snort/snort.common." -#~ "parameters) which has been automatically converted into the new " -#~ "configuration file format (at /etc/default/snort). Please review the new " -#~ "configuration and remove the obsolete one. Until you do this, the init.d " -#~ "script will not use the new configuration and you will not take advantage " -#~ "of the benefits introduced in newer releases." -#~ msgstr "" -#~ "Uw systeem heeft een verouderd configratiebestand (/etc/snort/snort." -#~ "common.parameters) dat automatisch is omgezet in het nieuwe " -#~ "configuratiebestandsformaat (in /etc/default/snort). Gelieve de nieuwe " -#~ "configuratie na te kijken en de verouderde configuratie te verwijderen. 
" -#~ "Zolang dit niet is gebeurd, zal het init.d script de nieuwe configuratie " -#~ "niet gebruiken en zal u geen gebruik kunnen maken van de voordelen die " -#~ "zijn geintroduceerd in de nieuwe versies." +"Om een fout in een Snort configuratiebestand te analyseren, gebruik '/usr/" +"sbin/snort -T -c '." diff -Nru snort-2.8.5.2/debian/po/pt_BR.po snort-2.9.2/debian/po/pt_BR.po --- snort-2.8.5.2/debian/po/pt_BR.po 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/po/pt_BR.po 2012-01-25 20:15:48.000000000 +0000 @@ -15,7 +15,7 @@ msgstr "" "Project-Id-Version: snort\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2011-01-02 02:11+0100\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" "PO-Revision-Date: 2004-08-07 22:06-0300\n" "Last-Translator: André Luís Lopes \n" "Language-Team: Debian-BR Project \n" diff -Nru snort-2.8.5.2/debian/po/pt.po snort-2.9.2/debian/po/pt.po --- snort-2.8.5.2/debian/po/pt.po 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/po/pt.po 2012-01-25 20:15:53.000000000 +0000 @@ -7,7 +7,7 @@ msgstr "" "Project-Id-Version: snort 2.7.0-10\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2011-01-02 02:11+0100\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" "PO-Revision-Date: 2008-04-08 22:04+0100\n" "Last-Translator: Miguel Figueiredo \n" "Language-Team: Portuguese \n" diff -Nru snort-2.8.5.2/debian/po/ro.po snort-2.9.2/debian/po/ro.po --- snort-2.8.5.2/debian/po/ro.po 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/po/ro.po 2012-01-25 20:15:59.000000000 +0000 
@@ -10,7 +10,7 @@ msgstr "" "Project-Id-Version: ro\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2011-01-02 02:11+0100\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" "PO-Revision-Date: 2008-05-17 13:04+0300\n" "Last-Translator: Eddy PetriÈ™or \n" "Language-Team: Romanian \n" diff -Nru snort-2.8.5.2/debian/po/ru.po snort-2.9.2/debian/po/ru.po --- snort-2.8.5.2/debian/po/ru.po 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/po/ru.po 2012-01-25 20:16:20.000000000 +0000 @@ -9,7 +9,7 @@ msgstr "" "Project-Id-Version: snort 2.7.0-26\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2011-01-02 02:11+0100\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" "PO-Revision-Date: 2009-05-14 20:46+0400\n" "Last-Translator: Yuri Kozlov \n" "Language-Team: Russian \n" @@ -18,8 +18,8 @@ "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: KBabel 1.11.4\n" -"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" -"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%" +"10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" #. Type: select #. Choices diff -Nru snort-2.8.5.2/debian/po/sv.po snort-2.9.2/debian/po/sv.po --- snort-2.8.5.2/debian/po/sv.po 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/po/sv.po 2012-01-25 20:16:22.000000000 +0000 @@ -13,7 +13,7 @@ msgstr "" "Project-Id-Version: snort 2.3.3-1\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2011-01-02 02:11+0100\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" "PO-Revision-Date: 2008-07-21 17:41+0100\n" "Last-Translator: Martin Bagge \n" "Language-Team: Swedish \n" diff -Nru snort-2.8.5.2/debian/po/ta.po snort-2.9.2/debian/po/ta.po --- snort-2.8.5.2/debian/po/ta.po 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/po/ta.po 2012-01-25 20:16:26.000000000 +0000 
@@ -7,7 +7,7 @@ msgstr "" "Project-Id-Version: snort\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2011-01-02 02:11+0100\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" "PO-Revision-Date: 2007-03-07 17:31+0530\n" "Last-Translator: Dr.T.Vasudevan \n" "Language-Team: TAMIL \n" diff -Nru snort-2.8.5.2/debian/po/templates.pot snort-2.9.2/debian/po/templates.pot --- snort-2.8.5.2/debian/po/templates.pot 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/po/templates.pot 2012-01-25 20:16:32.000000000 +0000 @@ -8,7 +8,7 @@ msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2011-01-02 02:11+0100\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" diff -Nru snort-2.8.5.2/debian/po/vi.po snort-2.9.2/debian/po/vi.po --- snort-2.8.5.2/debian/po/vi.po 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/po/vi.po 2012-01-25 20:16:38.000000000 +0000 @@ -6,7 +6,7 @@ msgstr "" "Project-Id-Version: snort 2.7.0-15\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2011-01-02 02:11+0100\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" "PO-Revision-Date: 2008-04-28 16:20+0930\n" "Last-Translator: Clytie Siddall \n" "Language-Team: Vietnamese \n" diff -Nru snort-2.8.5.2/debian/README-database.Debian snort-2.9.2/debian/README-database.Debian --- snort-2.8.5.2/debian/README-database.Debian 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/README-database.Debian 2012-01-25 22:03:41.000000000 +0000 
@@ -1,3 +1,11 @@ +!! The database output plugins are considered deprecated as of Snort 2.9.2 and +!! will be removed by the upstream maintainers in Snort 2.9.3. +!! +!! Consequently, the database packages for Debian will be removed with +!! the next Snort release. +!! +!! The recommended approach to logging is to use unified2 with barnyard2 +!! or similar. SNORT WITH DATABASE SUPPORT ------------------------------ @@ -102,6 +110,14 @@ host all all 127.0.0.1 255.255.255.255 ident sameuser ------------------------------------------------------------------------------ +KNOWN LIMITATIONS +----------------- + + In Debian, IPv6 support is not enabled when the database packages are used + because the database schemas for Snort do not log IPv6 addresses. + + This is not foreseen to change since upstream is dropping support of + the database modules for future releases. -- Javier Fernandez-Sanguino Pen~a - Sun, 02 Jan 2011 01:53:56 +0100 + Wed, 25 Jan 2012 23:00:05 +0100 diff -Nru snort-2.8.5.2/debian/rules snort-2.9.2/debian/rules --- snort-2.8.5.2/debian/rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/rules 2012-02-14 10:47:23.000000000 +0000 @@ -4,6 +4,8 @@ # Sample debian/rules that uses debhelper. GNU copyright 1997 by Joey Hess. # Some lines taken from debmake, by Christoph Lameter. +include /usr/share/quilt/quilt.make + export DH_VERBOSE=1 TMP=`pwd`/debian @@ -22,10 +24,7 @@ CONFFLAGS= --prefix=/usr \ --bindir=\$$\{exec_prefix\}/sbin \ --mandir=\$$\{exec_prefix\}/share/man \ - --enable-smbalerts \ - --enable-prelude -# Cannot enable flexresp since it builds only with libnet 1.0.2a -# --enable-flexresp \ + --enable-prelude aclocal.m4: aclocal-1.9 -I m4/ @@ -39,7 +38,7 @@ # Remove the flag that indicated that the sources were configured -rm -f configure-stamp -clean: clean-sources +clean: clean-sources unpatch dh_testdir dh_testroot # Clean all the stamps 
@@ -59,16 +58,18 @@ dh_clean configure: configure-stamp -configure-stamp: +configure-stamp: $(QUILT_STAMPFN) dh_testdir # Standard package support ./configure $(CONFFLAGS) \ --without-mysql \ - --without-postgresql + --without-postgresql \ + --enable-zlib \ + --enable-ipv6 touch $@ build-basic: build-basic-stamp -build-basic-stamp: configure +build-basic-stamp: $(QUILT_STAMPFN) configure # NOTE: We don't clean the sources on the first compilation dh_testdir # Basic package (no BBDD support): @@ -77,33 +78,35 @@ touch $@ build-pgsql: build-pgsql-stamp -build-pgsql-stamp: +build-pgsql-stamp: $(QUILT_STAMPFN) dh_testdir sh debian/clean_sources.sh # PostgreSQL package: ./configure $(CONFFLAGS) \ --without-mysql \ --with-postgresql \ - --with-pgsql-includes=`pg_config --includedir` + --with-pgsql-includes=`pg_config --includedir` \ + --enable-zlib $(MAKE) cp src/snort src/snort-pgsql touch $@ build-mysql: build-mysql-stamp -build-mysql-stamp: +build-mysql-stamp: $(QUILT_STAMPFN) dh_testdir sh debian/clean_sources.sh # MySQL package: ./configure $(CONFFLAGS) \ --with-mysql \ --with-mysql-libraries=`mysql_config --variable=pkglibdir` \ - --without-postgresql + --without-postgresql \ + --enable-zlib $(MAKE) cp src/snort src/snort-mysql touch $@ build-inline: build-inline-stamp -build-inline-stamp: +build-inline-stamp: $(QUILT_STAMPFN) dh_testdir sh debian/clean_sources.sh # Inline support @@ -111,7 +114,8 @@ --without-mysql \ --without-postgresql \ --enable-inline \ - --with-libipq-includes=/usr/include/libipq/ + --with-libipq-includes=/usr/include/libipq/ \ + --enable-zlib $(MAKE) cp src/snort src/snort-inline touch $@ 
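Review bot: The inline build's configure in the last hunk gains `--enable-zlib` but, unlike `configure-stamp` at the top of this file, not `--enable-ipv6`; README-database.Debian in this same diff justifies that omission only for the database builds, whose schemas have no IPv6 columns. If leaving IPv6 out of snort-inline is deliberate, say so next to the flag (`# no --enable-ipv6: <reason>`); otherwise add `--enable-ipv6` so the inline binary decodes the same traffic as the basic one. The inline install line is commented out later in this rules file, so this may be moot if the target is no longer invoked, but the recipe is still maintained here.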
@@ -147,20 +151,17 @@ dh_testroot dh_clean -k -s dh_installdirs -s - # Install the common binaries $(MAKE) install prefix=$(TMP)/snort-common/usr/ - rm -f $(TMP)/snort-common/usr/sbin/snort + rm -f $(TMP)/snort-common/usr/sbin/snort # clean dependency_libs find $(TMP)/snort-common/usr/lib -name "*.la" -exec \ sed -i -e "s,^dependency_libs=.*,dependency_libs=''," {} + - # Snort binaries install -m 755 -o root -g root src/snort-basic $(TMP)/snort/usr/sbin/snort install -m 755 -o root -g root src/snort-mysql $(TMP)/snort-mysql/usr/sbin/snort install -m 755 -o root -g root src/snort-pgsql $(TMP)/snort-pgsql/usr/sbin/snort # install -m 755 -o root -g root src/snort-inline $(TMP)/snort/usr/sbin/snort - # Default config # install -m 644 -o root -g root `pwd`/debian/snort.common.parameters $(TMP)/snort-mysql/etc/snort/snort.common.parameters # install -m 644 -o root -g root `pwd`/debian/snort.common.parameters $(TMP)/snort-pgsql/etc/snort/snort.common.parameters @@ -169,14 +170,11 @@ install -m 644 -o root -g root `pwd`/debian/snort.default $(TMP)/snort-mysql/etc/default/snort install -m 644 -o root -g root `pwd`/debian/snort.default $(TMP)/snort-pgsql/etc/default/snort # install -m 644 -o root -g root `pwd`/debian/snort.default $(TMP)/snort-inline/etc/default/snort - - # Install init.d initscripts install -m 755 -o root -g root `pwd`/debian/snort.init.d $(TMP)/snort/etc/init.d/snort install -m 755 -o root -g root `pwd`/debian/snort.init.d $(TMP)/snort-mysql/etc/init.d/snort install -m 755 -o root -g root `pwd`/debian/snort.init.d $(TMP)/snort-pgsql/etc/init.d/snort # install -m 755 -o root -g root `pwd`/debian/snort.init.d $(TMP)/snort-inline/etc/init.d/snort - # Install PPP initscripts install -m 755 -o root -g root `pwd`/debian/my/snort.ip-up.d $(TMP)/snort/etc/ppp/ip-up.d/snort install -m 755 -o root -g root `pwd`/debian/my/snort.ip-down.d $(TMP)/snort/etc/ppp/ip-down.d/snort 
@@ -186,19 +184,16 @@ install -m 755 -o root -g root `pwd`/debian/my/snort.ip-down.d $(TMP)/snort-pgsql/etc/ppp/ip-down.d/snort # install -m 755 -o root -g root `pwd`/debian/my/snort.ip-up.d $(TMP)/snort-inline/etc/ppp/ip-up.d/snort # install -m 755 -o root -g root `pwd`/debian/my/snort.ip-down.d $(TMP)/snort-inline/etc/ppp/ip-down.d/snort - # Logrotate files install -m 644 -o root -g root `pwd`/debian/snort.logrotate $(TMP)/snort/etc/logrotate.d/snort install -m 644 -o root -g root `pwd`/debian/snort.logrotate $(TMP)/snort-mysql/etc/logrotate.d/snort install -m 644 -o root -g root `pwd`/debian/snort.logrotate $(TMP)/snort-pgsql/etc/logrotate.d/snort # install -m 644 -o root -g root `pwd`/debian/snort.logrotate $(TMP)/snort-inline/etc/logrotate.d/snort - # Move libraries to the snort-common-libraries package mv $(TMP)/snort-common/usr/lib/ $(TMP)/snort-common-libraries/usr/ # Remove headers, as this is not a -dev package # mv $(TMP)/snort-common/usr/src/ $(TMP)/snort-common-libraries/usr/ rm -rf $(TMP)/sort-common/usr/src/ - # Remove useless (empty) directories rmdir $(TMP)/snort-pgsql/usr/share/doc/snort rmdir $(TMP)/snort-mysql/usr/share/doc/snort @@ -210,7 +205,6 @@ dh_testroot dh_clean -k -i dh_installdirs -i - # Install Debian specific, scripts and files of the snort-common # package install -m 755 -o root -g root `pwd`/debian/snort.cron.daily $(TMP)/snort-common/etc/cron.daily/5snort 
@@ -218,31 +212,25 @@ install -m 644 -o root -g root `pwd`/etc/snort.conf $(TMP)/snort-common/etc/snort/ install -m 644 -o root -g root `pwd`/etc/unicode.map $(TMP)/snort-common/etc/snort/ install -m 644 -o root -g root `pwd`/etc/threshold.conf $(TMP)/snort-common/etc/snort/ - - # Install files of the arch-independent packages cp rules/*.rules $(TMP)/snort-rules-default/etc/snort/rules/ # mkdir -p $(TMP)/snort-rules-default/usr/share/snort/ # install -m 644 -o root -g root `pwd`/debian/oldrules.md5 $(TMP)/snort-rules-default/usr/share/snort/oldrules.md5 - - cp etc/sid-msg.map $(TMP)/snort-rules-default/etc/snort/ - cp etc/gen-msg.map $(TMP)/snort-rules-default/etc/snort/ - cp etc/community-sid-msg.map $(TMP)/snort-rules-default/etc/snort/ - cp etc/classification.config $(TMP)/snort-rules-default/etc/snort/ - cp etc/reference.config $(TMP)/snort-rules-default/etc/snort/ - +# install -m 644 etc/sid-msg.map $(TMP)/snort-rules-default/etc/snort/ + install -m 644 etc/gen-msg.map $(TMP)/snort-rules-default/etc/snort/ + install -m 644 etc/community-sid-msg.map $(TMP)/snort-rules-default/etc/snort/ + install -m 644 etc/classification.config $(TMP)/snort-rules-default/etc/snort/ + install -m 644 etc/reference.config $(TMP)/snort-rules-default/etc/snort/ # Remove useless directories rm -rf $(TMP)/snort-common/etc/ppp rm -rf $(TMP)/snort-doc/usr/share/doc - dh_install -i # Build architecture-independent files here. binary-indep: build-indep install-indep dh_testdir -i dh_testroot -i - - dh_installdocs -i + dh_installdocs -i -XREADME.WIN32 dh_installexamples -i dh_installdebconf -i dh_installman -i 
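Review bot: The `sid-msg.map` install is commented out with no reason given, while `gen-msg.map`, `community-sid-msg.map`, `classification.config` and `reference.config` are still shipped; a reader cannot tell whether upstream dropped the file in 2.9.2 or whether a consumer such as snort-stat or a unified2 reader now loses it. Add a one-line comment above it, e.g. `# sid-msg.map: no longer shipped upstream; see changelog`, or delete the line outright. For consistency with the other `install -m 644 -o root -g root` lines in this target, the new `install -m 644` calls could carry the same ownership flags, though under fakeroot the result is identical.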
@@ -271,10 +259,10 @@ binary-arch: build-arch install-arch dh_testdir -a dh_testroot -a - dh_installdocs -a + dh_installdocs -a dh_installexamples -a dh_installdebconf -a - dh_installman -a + dh_installman -a cp $(TMP)/snort-mysql/usr/share/doc/snort-mysql/copyright $(TMP)/snort/usr/share/doc/snort/ rm -f $(TMP)/snort-mysql/usr/share/man/man8/snort-stat.* rm -f $(TMP)/snort-pgsql/usr/share/man/man8/snort-stat.* @@ -282,19 +270,16 @@ rm -rf $(TMP)/snort-rules-default/usr/share/man rm -f $(TMP)/snort/usr/share/man/man8/snort-stat.* rm -f $(TMP)/snort-common/usr/share/man/man8/snort.* - mkdir -p $(TMP)/snort-mysql/usr/share/doc/snort-mysql/ install -m 644 -o root -g root schemas/create_mysql $(TMP)/snort-mysql/usr/share/doc/snort-mysql/ - mkdir -p $(TMP)/snort-pgsql/usr/share/doc/snort-pgsql/ install -m 644 -o root -g root schemas/create_postgresql $(TMP)/snort-pgsql/usr/share/doc/snort-pgsql/ - dh_installchangelogs -a ChangeLog dh_link -a dh_strip -a dh_compress -a dh_fixperms -a - dh_makeshlibs -a + dh_makeshlibs -a -Xsnort-common-libraries dh_installdeb -a dh_perl -a dh_shlibdeps -a diff -Nru snort-2.8.5.2/debian/snort.config snort-2.9.2/debian/snort.config --- snort-2.8.5.2/debian/snort.config 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/snort.config 2012-01-25 22:22:57.000000000 +0000 @@ -3,6 +3,7 @@ . /usr/share/debconf/confmodule test $DEBIAN_SCRIPT_DEBUG && set -v -x +INTERFACES="" if [ -r /etc/snort/snort.debian.conf ] ; then . /etc/snort/snort.debian.conf # Set the variables in debconf using the configuration values diff -Nru snort-2.8.5.2/debian/snort-doc.docs snort-2.9.2/debian/snort-doc.docs --- snort-2.8.5.2/debian/snort-doc.docs 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/snort-doc.docs 2012-01-25 20:05:49.000000000 +0000 @@ -1,4 +1,5 @@ debian/README.docs +doc/BUGS doc/NEWS doc/PROBLEMS doc/snort_schema_v106.pdf 
@@ -8,43 +9,5 @@
 doc/USAGE
 doc/WISHLIST
 debian/my/lisapaper.txt
-doc/README
-doc/README.alert_order
-doc/README.ARUBA
-doc/README.asn1
-doc/README.csv
-doc/README.database
-doc/README.dcerpc
-doc/README.dcerpc2
-doc/README.decode
-doc/README.decoder_preproc_rules
-doc/README.dns
-doc/README.event_queue
-doc/README.FLEXRESP
-doc/README.FLEXRESP2
-doc/README.flowbits
-doc/README.frag3
-doc/README.ftptelnet
-doc/README.gre
-doc/README.http_inspect
-doc/README.INLINE
-doc/README.ipip
-doc/README.ipv6
-doc/README.pcap_readmode
-doc/README.PerfProfiling
-doc/README.PLUGINS
-doc/README.ppm
-doc/README.sfportscan
-doc/README.SMTP
-doc/README.ssh
-doc/README.ssl
-doc/README.stream5
-doc/README.tag
-doc/README.thresholding
-doc/README.UNSOCK
-doc/README.variables
-doc/README.wireless
-doc/RELEASE.NOTES.2.3
-doc/RELEASE.NOTES.2.4
-doc/RELEASE.NOTES.2.6
-doc/RELEASE.NOTES.2.7
+doc/README*
+doc/RELEASE.NOTES.*
diff -Nru snort-2.8.5.2/debian/snort.docs snort-2.9.2/debian/snort.docs
--- snort-2.8.5.2/debian/snort.docs 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/debian/snort.docs 2012-01-25 20:06:06.000000000 +0000
@@ -3,7 +3,6 @@
 doc/CREDITS
 doc/NEWS
 doc/README
-doc/README.FLEXRESP
 doc/README.PLUGINS
 doc/USAGE
 doc/README.database
diff -Nru snort-2.8.5.2/debian/snort.init.d snort-2.9.2/debian/snort.init.d
--- snort-2.8.5.2/debian/snort.init.d 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/debian/snort.init.d 2012-01-28 17:26:00.000000000 +0000
@@ -118,12 +118,19 @@ log_daemon_msg "Starting $DESC " "$NAME" if [ -e /etc/snort/db-pending-config ] ; then + # If the database config is not empty then complain + if [ -s /etc/snort/database.config ] ; then log_failure_msg "/etc/snort/db-pending-config file found" log_failure_msg "Snort will not start as its database is not yet configured." log_failure_msg "Please configure the database as described in" log_failure_msg "/usr/share/doc/snort-{pgsql,mysql}/README-database.Debian" log_failure_msg "and remove /etc/snort/db-pending-config" exit 6 + else + # We are not running Snort with database support, as the + # configuration file is empty, remove the semaphore and continue + rm -f /etc/snort/db-pending-config + fi fi if ! check_log_dir; then diff -Nru snort-2.8.5.2/debian/snort-inline.config snort-2.9.2/debian/snort-inline.config --- snort-2.8.5.2/debian/snort-inline.config 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/snort-inline.config 2012-01-25 20:06:27.000000000 +0000 @@ -13,7 +13,7 @@ [ -z "$INTERFACES" ] && return 0 ints=`echo $INTERFACES | sed -e 's/,/ /g'` for iface in $ints; do - if ! ifconfig "$iface" | grep -w UP >/dev/null; then + if ! LC_ALL=C ifconfig "$iface" | grep -w UP >/dev/null; then return 1 fi done diff -Nru snort-2.8.5.2/debian/snort-inline.docs snort-2.9.2/debian/snort-inline.docs --- snort-2.8.5.2/debian/snort-inline.docs 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/snort-inline.docs 2012-01-25 20:06:31.000000000 +0000 @@ -3,7 +3,6 @@ doc/CREDITS doc/NEWS doc/README -doc/README.FLEXRESP doc/README.PLUGINS doc/USAGE doc/README.database diff -Nru snort-2.8.5.2/debian/snort-inline.templates snort-2.9.2/debian/snort-inline.templates --- snort-2.8.5.2/debian/snort-inline.templates 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/snort-inline.templates 2012-01-25 20:06:49.000000000 +0000 
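Review bot: The new guard tests `/etc/snort/database.config`, but every other script in this diff names the file `/etc/snort/database.conf` (`DBCONFIG=/etc/snort/database.conf` in snort-mysql.postinst, `rm /etc/snort/database.conf` in snort-mysql.postrm). If no file by the `.config` name exists, `-s` is never true, the new else branch silently deletes `/etc/snort/db-pending-config`, and Snort starts with its database output unconfigured, which is exactly the state the semaphore exists to block. Change the test to `if [ -s /etc/snort/database.conf ] ; then` (or confirm which name the postinst actually writes), and consider emitting a `log_warning_msg` before removing the semaphore so the decision is visible in the boot log. The inner block also keeps its old indentation, which hides the new nesting. The surrounding `start` branch begins and ends outside the hunk.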
@@ -91,6 +91,15 @@ As Snort is manually launched, you need to run '/etc/init.d/snort' for the changes to take place. +Template: snort-inline/config_error +Type: error +_Description: Configuration error + The current Snort configuration is invalid and will prevent Snort + starting up normally. Please review and correct it. + . + To diagnose an error in a Snort configuration file, use + '/usr/sbin/snort -T -c '. + Template: snort-inline/config_parameters Type: error _Description: Obsolete configuration file diff -Nru snort-2.8.5.2/debian/snort-mysql.docs snort-2.9.2/debian/snort-mysql.docs --- snort-2.8.5.2/debian/snort-mysql.docs 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/snort-mysql.docs 2012-01-25 20:06:56.000000000 +0000 @@ -3,7 +3,6 @@ doc/CREDITS doc/NEWS doc/README -doc/README.FLEXRESP doc/README.PLUGINS doc/USAGE doc/README.database diff -Nru snort-2.8.5.2/debian/snort-mysql.postinst snort-2.9.2/debian/snort-mysql.postinst --- snort-2.8.5.2/debian/snort-mysql.postinst 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/snort-mysql.postinst 2012-01-25 20:07:05.000000000 +0000 @@ -4,6 +4,11 @@ CONFIG_CHECKSUM=/var/lib/snort/snort.debian.conf.md5sum DBCONFIG=/etc/snort/database.conf DBCONFIG_CHECKSUM=/var/lib/snort/database.conf.md5sum +# Create the checksum directory if it does not exist +if [ ! -d $(dirname $CONFIG_CHECKSUM) ]; then + mkdir $(dirname $CONFIG_CHECKSUM) +fi + . /usr/share/debconf/confmodule test $DEBIAN_SCRIPT_DEBUG && set -v -x diff -Nru snort-2.8.5.2/debian/snort-mysql.postrm snort-2.9.2/debian/snort-mysql.postrm --- snort-2.8.5.2/debian/snort-mysql.postrm 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/snort-mysql.postrm 2012-01-28 17:54:19.000000000 +0000 
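Review bot: The directory creation added to snort-mysql.postinst calls `mkdir` without `-p` and discards its result, and `$(dirname $CONFIG_CHECKSUM)` is unquoted in both the test and the call, which is only harmless because the path is a constant. `mkdir -p "$(dirname "$CONFIG_CHECKSUM")"` is idempotent, so the `-d` test and the `fi` become unnecessary and a failure is surfaced instead of masked (assuming the script runs under `set -e`; only `set -v -x` is visible in the hunk). The identical block is added to snort-pgsql.postinst and snort.postinst in this series and should get the same treatment.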
@@ -39,11 +39,11 @@ if [ -e /etc/snort/database.conf ] ; then rm /etc/snort/database.conf fi -# Remove checksums - if [ -e /var/lib/snort/snort.debian.conf.md5sum ] ; then + # Remove files created to follow checksums + if [ -e /var/lib/snort/snort.debian.conf.md5sum ]; then rm /var/lib/snort/snort.debian.conf.md5sum - fi - if [ -e /var/lib/snort/database.conf.md5sum ] ; then + fi + if [ -e /var/lib/snort/database.conf.md5sum ]; then rm /var/lib/snort/database.conf.md5sum fi @@ -62,9 +62,11 @@ fi ;; remove|upgrade|failed-upgrade|abort-install|abort-upgrade) - # nothing # We may not delete the user snort, as there may be # files owned by it in /var/log/snort and /etc/snort. + if [ -e /etc/snort/db-pending-config ] ; then + rm /etc/snort/db-pending-config + fi ;; esac diff -Nru snort-2.8.5.2/debian/snort-pgsql.docs snort-2.9.2/debian/snort-pgsql.docs --- snort-2.8.5.2/debian/snort-pgsql.docs 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/snort-pgsql.docs 2012-01-25 20:07:46.000000000 +0000 @@ -3,7 +3,6 @@ doc/CREDITS doc/NEWS doc/README -doc/README.FLEXRESP doc/README.PLUGINS doc/USAGE doc/README.database diff -Nru snort-2.8.5.2/debian/snort-pgsql.postinst snort-2.9.2/debian/snort-pgsql.postinst --- snort-2.8.5.2/debian/snort-pgsql.postinst 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/snort-pgsql.postinst 2012-01-25 20:07:52.000000000 +0000 
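Review bot: In the second snort-mysql.postrm hunk the new `rm /etc/snort/db-pending-config` sits under the shared `remove|upgrade|failed-upgrade|abort-install|abort-upgrade)` label, so it also runs on `upgrade` and deletes the semaphore the init script relies on to refuse starting with an unconfigured database; unless the new postinst recreates the file, which this diff does not show, an upgraded system could start Snort before the database is set up. If the cleanup is meant for package removal only, give it its own label, `remove) rm -f /etc/snort/db-pending-config ;;`, and keep the comment-only branch for the upgrade cases; `rm -f` also makes the `-e` test unnecessary. The same change appears in snort-pgsql.postrm.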
@@ -4,6 +4,11 @@ CONFIG_CHECKSUM=/var/lib/snort/snort.debian.conf.md5sum DBCONFIG=/etc/snort/database.conf DBCONFIG_CHECKSUM=/var/lib/snort/database.conf.md5sum +# Create the checksum directory if it does not exist +if [ ! -d $(dirname $CONFIG_CHECKSUM) ]; then + mkdir $(dirname $CONFIG_CHECKSUM) +fi + . /usr/share/debconf/confmodule test $DEBIAN_SCRIPT_DEBUG && set -v -x diff -Nru snort-2.8.5.2/debian/snort-pgsql.postrm snort-2.9.2/debian/snort-pgsql.postrm --- snort-2.8.5.2/debian/snort-pgsql.postrm 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/snort-pgsql.postrm 2012-01-28 17:54:35.000000000 +0000 @@ -39,11 +39,12 @@ if [ -e /etc/snort/database.conf ] ; then rm /etc/snort/database.conf fi -# Remove checksums - if [ -e /var/lib/snort/snort.debian.conf.md5sum ] ; then + + # Remove files created to follow checksums + if [ -e /var/lib/snort/snort.debian.conf.md5sum ]; then rm /var/lib/snort/snort.debian.conf.md5sum fi - if [ -e /var/lib/snort/database.conf.md5sum ] ; then + if [ -e /var/lib/snort/database.conf.md5sum ]; then rm /var/lib/snort/database.conf.md5sum fi @@ -62,9 +63,11 @@ fi ;; remove|upgrade|failed-upgrade|abort-install|abort-upgrade) - # nothing # We may not delete the user snort, as there may be # files owned by it in /var/log/snort and /etc/snort. + if [ -e /etc/snort/db-pending-config ] ; then + rm /etc/snort/db-pending-config + fi ;; esac diff -Nru snort-2.8.5.2/debian/snort.postinst snort-2.9.2/debian/snort.postinst --- snort-2.8.5.2/debian/snort.postinst 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/snort.postinst 2012-01-25 20:08:07.000000000 +0000 
@@ -2,6 +2,10 @@ CONFIG=/etc/snort/snort.debian.conf CONFIG_CHECKSUM=/var/lib/snort/snort.debian.conf.md5sum +# Create the checksum directory if it does not exist +if [ ! -d $(dirname $CONFIG_CHECKSUM) ]; then + mkdir $(dirname $CONFIG_CHECKSUM) +fi . /usr/share/debconf/confmodule test $DEBIAN_SCRIPT_DEBUG && set -v -x diff -Nru snort-2.8.5.2/debian/snort.postrm snort-2.9.2/debian/snort.postrm --- snort-2.8.5.2/debian/snort.postrm 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/snort.postrm 2012-01-25 20:09:36.000000000 +0000 @@ -33,10 +33,9 @@ if [ -e /etc/default/snort ] ; then rm /etc/default/snort fi - - # Remove checksums - if [ -e /var/lib/snort/snort.debian.conf.md5sum ] ; then - rm /var/lib/snort/snort.debian.conf.md5sum + # Remove files created to follow checksums + if [ -e /var/lib/snort/snort.debian.conf.md5sum ]; then + rm /var/lib/snort/snort.debian.conf.md5sum fi # Remove configuration dir diff -Nru snort-2.8.5.2/debian/snort.preinst snort-2.9.2/debian/snort.preinst --- snort-2.8.5.2/debian/snort.preinst 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/snort.preinst 2012-01-25 20:08:25.000000000 +0000 @@ -73,7 +73,7 @@ usermod -c "Snort IDS" \ -d $LOGDIR \ -g $SNORTGROUP \ - $SNORTUSER >/dev/null + $SNORTUSER > /dev/null # 5. adjust file and directory permissions if ! dpkg-statoverride --list $LOGDIR >/dev/null then diff -Nru snort-2.8.5.2/debian/snort.TEMPLATE.templates snort-2.9.2/debian/snort.TEMPLATE.templates --- snort-2.8.5.2/debian/snort.TEMPLATE.templates 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/snort.TEMPLATE.templates 2012-01-25 20:08:30.000000000 +0000 
@@ -91,6 +91,15 @@ As Snort is manually launched, you need to run '/etc/init.d/snort' for the changes to take place. +Template: snort{PACKAGE}/config_error +Type: error +_Description: Configuration error + The current Snort configuration is invalid and will prevent Snort + starting up normally. Please review and correct it. + . + To diagnose an error in a Snort configuration file, use + '/usr/sbin/snort -T -c '. + Template: snort{PACKAGE}/config_parameters Type: error _Description: Obsolete configuration file diff -Nru snort-2.8.5.2/debian/source/format snort-2.9.2/debian/source/format --- snort-2.8.5.2/debian/source/format 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/debian/source/format 2012-02-14 11:37:46.000000000 +0000 @@ -0,0 +1 @@ +3.0 (quilt) diff -Nru snort-2.8.5.2/debian/TODO snort-2.9.2/debian/TODO --- snort-2.8.5.2/debian/TODO 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/TODO 2012-01-28 17:52:27.000000000 +0000 @@ -22,6 +22,15 @@ REVIEW: How does Snort use this to expand it in HOME_NET + Note, this has been requested at least in + https://bugs.launchpad.net/ubuntu/+source/snort/+bug/566543 + +- Fix bugs related to an interface being used which is not available + + This seems to break when configuring the package: + https://bugs.launchpad.net/ubuntu/+source/snort/+bug/655116 + + - snort-{mysql,pgsl}: Database configuration should ensure that only valid characters are included diff -Nru snort-2.8.5.2/debian/TODO-package snort-2.9.2/debian/TODO-package --- snort-2.8.5.2/debian/TODO-package 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/debian/TODO-package 2012-01-25 20:09:28.000000000 +0000 
@@ -2,6 +2,9 @@ TODO for Snort's packaging -------------------------- +- Move to dpkg format v3. We have only a few changes in the source + package so that should be easy to do. + - Make it easier to do changes in maintainer's config files. Currently snort, snort-pgsql and snort-mysql config files share a lot of code which makes it unmaintainable and leads to bugs like #502084 which was fixed in Snort diff -Nru snort-2.8.5.2/depcomp snort-2.9.2/depcomp --- snort-2.8.5.2/depcomp 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/depcomp 2011-12-07 19:23:23.000000000 +0000 
@@ -0,0 +1,630 @@ +#! /bin/sh +# depcomp - compile a program generating dependencies as side-effects + +scriptversion=2009-04-28.21; # UTC + +# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006, 2007, 2009 Free +# Software Foundation, Inc. + +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. + +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + +# Originally written by Alexandre Oliva . + +case $1 in + '') + echo "$0: No command. Try \`$0 --help' for more information." 1>&2 + exit 1; + ;; + -h | --h*) + cat <<\EOF +Usage: depcomp [--help] [--version] PROGRAM [ARGS] + +Run PROGRAMS ARGS to compile a file, generating dependencies +as side-effects. + +Environment variables: + depmode Dependency tracking mode. + source Source file read by `PROGRAMS ARGS'. + object Object file output by `PROGRAMS ARGS'. + DEPDIR directory where to store dependencies. + depfile Dependency file to output. + tmpdepfile Temporary file to use when outputing dependencies. + libtool Whether libtool is used (yes/no). + +Report bugs to . +EOF + exit $? + ;; + -v | --v*) + echo "depcomp $scriptversion" + exit $? 
+ ;; +esac + +if test -z "$depmode" || test -z "$source" || test -z "$object"; then + echo "depcomp: Variables source, object and depmode must be set" 1>&2 + exit 1 +fi + +# Dependencies for sub/bar.o or sub/bar.obj go into sub/.deps/bar.Po. +depfile=${depfile-`echo "$object" | + sed 's|[^\\/]*$|'${DEPDIR-.deps}'/&|;s|\.\([^.]*\)$|.P\1|;s|Pobj$|Po|'`} +tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`} + +rm -f "$tmpdepfile" + +# Some modes work just like other modes, but use different flags. We +# parameterize here, but still list the modes in the big case below, +# to make depend.m4 easier to write. Note that we *cannot* use a case +# here, because this file can only contain one case statement. +if test "$depmode" = hp; then + # HP compiler uses -M and no extra arg. + gccflag=-M + depmode=gcc +fi + +if test "$depmode" = dashXmstdout; then + # This is just like dashmstdout with a different argument. + dashmflag=-xM + depmode=dashmstdout +fi + +cygpath_u="cygpath -u -f -" +if test "$depmode" = msvcmsys; then + # This is just like msvisualcpp but w/o cygpath translation. + # Just convert the backslash-escaped backslashes to single forward + # slashes to satisfy depend.m4 + cygpath_u="sed s,\\\\\\\\,/,g" + depmode=msvisualcpp +fi + +case "$depmode" in +gcc3) +## gcc 3 implements dependency tracking that does exactly what +## we want. Yay! Note: for some reason libtool 1.4 doesn't like +## it if -MD -MP comes after the -MF stuff. Hmm. +## Unfortunately, FreeBSD c89 acceptance of flags depends upon +## the command line argument order; so add the flags where they +## appear in depend2.am. Note that the slowdown incurred here +## affects only configure: in makefiles, %FASTDEP% shortcuts this. + for arg + do + case $arg in + -c) set fnord "$@" -MT "$object" -MD -MP -MF "$tmpdepfile" "$arg" ;; + *) set fnord "$@" "$arg" ;; + esac + shift # fnord + shift # $arg + done + "$@" + stat=$? 
+ if test $stat -eq 0; then : + else + rm -f "$tmpdepfile" + exit $stat + fi + mv "$tmpdepfile" "$depfile" + ;; + +gcc) +## There are various ways to get dependency output from gcc. Here's +## why we pick this rather obscure method: +## - Don't want to use -MD because we'd like the dependencies to end +## up in a subdir. Having to rename by hand is ugly. +## (We might end up doing this anyway to support other compilers.) +## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like +## -MM, not -M (despite what the docs say). +## - Using -M directly means running the compiler twice (even worse +## than renaming). + if test -z "$gccflag"; then + gccflag=-MD, + fi + "$@" -Wp,"$gccflag$tmpdepfile" + stat=$? + if test $stat -eq 0; then : + else + rm -f "$tmpdepfile" + exit $stat + fi + rm -f "$depfile" + echo "$object : \\" > "$depfile" + alpha=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz +## The second -e expression handles DOS-style file names with drive letters. + sed -e 's/^[^:]*: / /' \ + -e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile" +## This next piece of magic avoids the `deleted header file' problem. +## The problem is that when a header file which appears in a .P file +## is deleted, the dependency causes make to die (because there is +## typically no way to rebuild the header). We avoid this by adding +## dummy dependencies for each header file. Too bad gcc doesn't do +## this for us directly. + tr ' ' ' +' < "$tmpdepfile" | +## Some versions of gcc put a space before the `:'. On the theory +## that the space means something, we add a space to the output as +## well. +## Some versions of the HPUX 10.20 sed can't process this invocation +## correctly. Breaking it into two sed invocations is a workaround. + sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile" + rm -f "$tmpdepfile" + ;; + +hp) + # This case exists only to let depend.m4 do its work. It works by + # looking at the text of this script. 
This case will never be run, + # since it is checked for above. + exit 1 + ;; + +sgi) + if test "$libtool" = yes; then + "$@" "-Wp,-MDupdate,$tmpdepfile" + else + "$@" -MDupdate "$tmpdepfile" + fi + stat=$? + if test $stat -eq 0; then : + else + rm -f "$tmpdepfile" + exit $stat + fi + rm -f "$depfile" + + if test -f "$tmpdepfile"; then # yes, the sourcefile depend on other files + echo "$object : \\" > "$depfile" + + # Clip off the initial element (the dependent). Don't try to be + # clever and replace this with sed code, as IRIX sed won't handle + # lines with more than a fixed number of characters (4096 in + # IRIX 6.2 sed, 8192 in IRIX 6.5). We also remove comment lines; + # the IRIX cc adds comments like `#:fec' to the end of the + # dependency line. + tr ' ' ' +' < "$tmpdepfile" \ + | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' | \ + tr ' +' ' ' >> "$depfile" + echo >> "$depfile" + + # The second pass generates a dummy entry for each header file. + tr ' ' ' +' < "$tmpdepfile" \ + | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \ + >> "$depfile" + else + # The sourcefile does not contain any dependencies, so just + # store a dummy comment line, to avoid errors with the Makefile + # "include basename.Plo" scheme. + echo "#dummy" > "$depfile" + fi + rm -f "$tmpdepfile" + ;; + +aix) + # The C for AIX Compiler uses -M and outputs the dependencies + # in a .u file. In older versions, this file always lives in the + # current directory. Also, the AIX compiler puts `$object:' at the + # start of each line; $object doesn't have directory information. + # Version 6 uses the directory in both cases. 
+ dir=`echo "$object" | sed -e 's|/[^/]*$|/|'` + test "x$dir" = "x$object" && dir= + base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'` + if test "$libtool" = yes; then + tmpdepfile1=$dir$base.u + tmpdepfile2=$base.u + tmpdepfile3=$dir.libs/$base.u + "$@" -Wc,-M + else + tmpdepfile1=$dir$base.u + tmpdepfile2=$dir$base.u + tmpdepfile3=$dir$base.u + "$@" -M + fi + stat=$? + + if test $stat -eq 0; then : + else + rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" + exit $stat + fi + + for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" + do + test -f "$tmpdepfile" && break + done + if test -f "$tmpdepfile"; then + # Each line is of the form `foo.o: dependent.h'. + # Do two passes, one to just change these to + # `$object: dependent.h' and one to simply `dependent.h:'. + sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile" + # That's a tab and a space in the []. + sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile" + else + # The sourcefile does not contain any dependencies, so just + # store a dummy comment line, to avoid errors with the Makefile + # "include basename.Plo" scheme. + echo "#dummy" > "$depfile" + fi + rm -f "$tmpdepfile" + ;; + +icc) + # Intel's C compiler understands `-MD -MF file'. However on + # icc -MD -MF foo.d -c -o sub/foo.o sub/foo.c + # ICC 7.0 will fill foo.d with something like + # foo.o: sub/foo.c + # foo.o: sub/foo.h + # which is wrong. We want: + # sub/foo.o: sub/foo.c + # sub/foo.o: sub/foo.h + # sub/foo.c: + # sub/foo.h: + # ICC 7.1 will output + # foo.o: sub/foo.c sub/foo.h + # and will wrap long lines using \ : + # foo.o: sub/foo.c ... \ + # sub/foo.h ... \ + # ... + + "$@" -MD -MF "$tmpdepfile" + stat=$? + if test $stat -eq 0; then : + else + rm -f "$tmpdepfile" + exit $stat + fi + rm -f "$depfile" + # Each line is of the form `foo.o: dependent.h', + # or `foo.o: dep1.h dep2.h \', or ` dep3.h dep4.h \'. 
+ # Do two passes, one to just change these to + # `$object: dependent.h' and one to simply `dependent.h:'. + sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile" + # Some versions of the HPUX 10.20 sed can't process this invocation + # correctly. Breaking it into two sed invocations is a workaround. + sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" | + sed -e 's/$/ :/' >> "$depfile" + rm -f "$tmpdepfile" + ;; + +hp2) + # The "hp" stanza above does not work with aCC (C++) and HP's ia64 + # compilers, which have integrated preprocessors. The correct option + # to use with these is +Maked; it writes dependencies to a file named + # 'foo.d', which lands next to the object file, wherever that + # happens to be. + # Much of this is similar to the tru64 case; see comments there. + dir=`echo "$object" | sed -e 's|/[^/]*$|/|'` + test "x$dir" = "x$object" && dir= + base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'` + if test "$libtool" = yes; then + tmpdepfile1=$dir$base.d + tmpdepfile2=$dir.libs/$base.d + "$@" -Wc,+Maked + else + tmpdepfile1=$dir$base.d + tmpdepfile2=$dir$base.d + "$@" +Maked + fi + stat=$? + if test $stat -eq 0; then : + else + rm -f "$tmpdepfile1" "$tmpdepfile2" + exit $stat + fi + + for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" + do + test -f "$tmpdepfile" && break + done + if test -f "$tmpdepfile"; then + sed -e "s,^.*\.[a-z]*:,$object:," "$tmpdepfile" > "$depfile" + # Add `dependent.h:' lines. + sed -ne '2,${ + s/^ *// + s/ \\*$// + s/$/:/ + p + }' "$tmpdepfile" >> "$depfile" + else + echo "#dummy" > "$depfile" + fi + rm -f "$tmpdepfile" "$tmpdepfile2" + ;; + +tru64) + # The Tru64 compiler uses -MD to generate dependencies as a side + # effect. `cc -MD -o foo.o ...' puts the dependencies into `foo.o.d'. + # At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put + # dependencies in `foo.d' instead, so we check for that too. + # Subdirectories are respected. 
+ dir=`echo "$object" | sed -e 's|/[^/]*$|/|'` + test "x$dir" = "x$object" && dir= + base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'` + + if test "$libtool" = yes; then + # With Tru64 cc, shared objects can also be used to make a + # static library. This mechanism is used in libtool 1.4 series to + # handle both shared and static libraries in a single compilation. + # With libtool 1.4, dependencies were output in $dir.libs/$base.lo.d. + # + # With libtool 1.5 this exception was removed, and libtool now + # generates 2 separate objects for the 2 libraries. These two + # compilations output dependencies in $dir.libs/$base.o.d and + # in $dir$base.o.d. We have to check for both files, because + # one of the two compilations can be disabled. We should prefer + # $dir$base.o.d over $dir.libs/$base.o.d because the latter is + # automatically cleaned when .libs/ is deleted, while ignoring + # the former would cause a distcleancheck panic. + tmpdepfile1=$dir.libs/$base.lo.d # libtool 1.4 + tmpdepfile2=$dir$base.o.d # libtool 1.5 + tmpdepfile3=$dir.libs/$base.o.d # libtool 1.5 + tmpdepfile4=$dir.libs/$base.d # Compaq CCC V6.2-504 + "$@" -Wc,-MD + else + tmpdepfile1=$dir$base.o.d + tmpdepfile2=$dir$base.d + tmpdepfile3=$dir$base.d + tmpdepfile4=$dir$base.d + "$@" -MD + fi + + stat=$? + if test $stat -eq 0; then : + else + rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4" + exit $stat + fi + + for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4" + do + test -f "$tmpdepfile" && break + done + if test -f "$tmpdepfile"; then + sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile" + # That's a tab and a space in the []. + sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile" + else + echo "#dummy" > "$depfile" + fi + rm -f "$tmpdepfile" + ;; + +#nosideeffect) + # This comment above is used by automake to tell side-effect + # dependency tracking mechanisms from slower ones. 
+ +dashmstdout) + # Important note: in order to support this mode, a compiler *must* + # always write the preprocessed file to stdout, regardless of -o. + "$@" || exit $? + + # Remove the call to Libtool. + if test "$libtool" = yes; then + while test "X$1" != 'X--mode=compile'; do + shift + done + shift + fi + + # Remove `-o $object'. + IFS=" " + for arg + do + case $arg in + -o) + shift + ;; + $object) + shift + ;; + *) + set fnord "$@" "$arg" + shift # fnord + shift # $arg + ;; + esac + done + + test -z "$dashmflag" && dashmflag=-M + # Require at least two characters before searching for `:' + # in the target name. This is to cope with DOS-style filenames: + # a dependency such as `c:/foo/bar' could be seen as target `c' otherwise. + "$@" $dashmflag | + sed 's:^[ ]*[^: ][^:][^:]*\:[ ]*:'"$object"'\: :' > "$tmpdepfile" + rm -f "$depfile" + cat < "$tmpdepfile" > "$depfile" + tr ' ' ' +' < "$tmpdepfile" | \ +## Some versions of the HPUX 10.20 sed can't process this invocation +## correctly. Breaking it into two sed invocations is a workaround. + sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile" + rm -f "$tmpdepfile" + ;; + +dashXmstdout) + # This case only exists to satisfy depend.m4. It is never actually + # run, as this mode is specially recognized in the preamble. + exit 1 + ;; + +makedepend) + "$@" || exit $? + # Remove any Libtool call + if test "$libtool" = yes; then + while test "X$1" != 'X--mode=compile'; do + shift + done + shift + fi + # X makedepend + shift + cleared=no eat=no + for arg + do + case $cleared in + no) + set ""; shift + cleared=yes ;; + esac + if test $eat = yes; then + eat=no + continue + fi + case "$arg" in + -D*|-I*) + set fnord "$@" "$arg"; shift ;; + # Strip any option that makedepend may not understand. Remove + # the object too, otherwise makedepend will parse it as a source file. 
+ -arch) + eat=yes ;; + -*|$object) + ;; + *) + set fnord "$@" "$arg"; shift ;; + esac + done + obj_suffix=`echo "$object" | sed 's/^.*\././'` + touch "$tmpdepfile" + ${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@" + rm -f "$depfile" + cat < "$tmpdepfile" > "$depfile" + sed '1,2d' "$tmpdepfile" | tr ' ' ' +' | \ +## Some versions of the HPUX 10.20 sed can't process this invocation +## correctly. Breaking it into two sed invocations is a workaround. + sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile" + rm -f "$tmpdepfile" "$tmpdepfile".bak + ;; + +cpp) + # Important note: in order to support this mode, a compiler *must* + # always write the preprocessed file to stdout. + "$@" || exit $? + + # Remove the call to Libtool. + if test "$libtool" = yes; then + while test "X$1" != 'X--mode=compile'; do + shift + done + shift + fi + + # Remove `-o $object'. + IFS=" " + for arg + do + case $arg in + -o) + shift + ;; + $object) + shift + ;; + *) + set fnord "$@" "$arg" + shift # fnord + shift # $arg + ;; + esac + done + + "$@" -E | + sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \ + -e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' | + sed '$ s: \\$::' > "$tmpdepfile" + rm -f "$depfile" + echo "$object : \\" > "$depfile" + cat < "$tmpdepfile" >> "$depfile" + sed < "$tmpdepfile" '/^$/d;s/^ //;s/ \\$//;s/$/ :/' >> "$depfile" + rm -f "$tmpdepfile" + ;; + +msvisualcpp) + # Important note: in order to support this mode, a compiler *must* + # always write the preprocessed file to stdout. + "$@" || exit $? + + # Remove the call to Libtool. 
+ if test "$libtool" = yes; then + while test "X$1" != 'X--mode=compile'; do + shift + done + shift + fi + + IFS=" " + for arg + do + case "$arg" in + -o) + shift + ;; + $object) + shift + ;; + "-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI") + set fnord "$@" + shift + shift + ;; + *) + set fnord "$@" "$arg" + shift + shift + ;; + esac + done + "$@" -E 2>/dev/null | + sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::\1:p' | $cygpath_u | sort -u > "$tmpdepfile" + rm -f "$depfile" + echo "$object : \\" > "$depfile" + sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s:: \1 \\:p' >> "$depfile" + echo " " >> "$depfile" + sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::\1\::p' >> "$depfile" + rm -f "$tmpdepfile" + ;; + +msvcmsys) + # This case exists only to let depend.m4 do its work. It works by + # looking at the text of this script. This case will never be run, + # since it is checked for above. + exit 1 + ;; + +none) + exec "$@" + ;; + +*) + echo "Unknown depmode $depmode" 1>&2 + exit 1 + ;; +esac + +exit 0 + +# Local Variables: +# mode: shell-script +# sh-indentation: 2 +# eval: (add-hook 'write-file-hooks 'time-stamp) +# time-stamp-start: "scriptversion=" +# time-stamp-format: "%:y-%02m-%02d.%02H" +# time-stamp-time-zone: "UTC" +# time-stamp-end: "; # UTC" +# End: Binary files /tmp/V0Dipj1n0e/snort-2.8.5.2/doc/faq.pdf and /tmp/F5HiNrDXpo/snort-2.9.2/doc/faq.pdf differ diff -Nru snort-2.8.5.2/doc/faq.tex snort-2.9.2/doc/faq.tex --- snort-2.8.5.2/doc/faq.tex 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/faq.tex 2011-10-26 18:28:51.000000000 +0000 @@ -2,7 +2,7 @@ %latex2html -info 0 -local_icons -show_section_numbers -link 2 -split +1 faq.tex \documentclass{article} -\usepackage{hyperref} +\usepackage{html} \usepackage{graphicx} \usepackage{fancyhdr} \usepackage{makeidx} 
@@ -86,7 +86,7 @@ If you do not see your name on this list and you have contributed to the faq, -please email \htmladdnormallink{bmc@snort.org}{mailto:bmc@snort.org}. +please email \htmladdnormallink{bugs@snort.org}{mailto:bugs@snort.org}. Dragos Ruiu: This version of this guide has been brought to you by the kind @@ -98,11 +98,11 @@ \newpage -%\begin{latexonly} +\begin{latexonly} \tableofcontents \newpage -%\end{latexonly} +\end{latexonly} \section{Background} @@ -118,8 +118,8 @@ \subsection{Where do I get more help on Snort?} -Check the website, \htmladdnormallink{http://www.snort.org/}{http://www.snort.org/}. Other good resources are available in the source distribution, including the \htmladdnormallink{Snort Users Manual}{http://www.snort.org/doc/SnortUsersManual.pdf} and the USAGE file. There is also a excellent mailing list, snort-users. You can find -info on how to signup at \htmladdnormallink{http://www.snort.org/lists.html}{http://www.snort.org/lists.html}. You can also join +Check the website, \htmladdnormallink{http://www.snort.org/}{http://www.snort.org/}. Other good resources are available in the source distribution, including the \htmladdnormallink{Snort Users Manual}{http://www.snort.org/docs} and the USAGE file. There is also a excellent mailing list, snort-users. You can find +info on how to signup at \htmladdnormallink{http://www.snort.org/community/mailing-lists/}{http://www.snort.org/community/mailing-lists}. You can also join \#snort on irc.freenode.net. \subsection{Where can I get more reading and courses about IDS?\label{courses}} @@ -296,9 +296,10 @@ Repeat after me: \begin{verbatim} - wget http://www.snort.org/downloads/snort-stable.tgz - tar zxvf snort-stable.tgz - cd snort-stable + Go to http://www.snort.org/snort-downloads + Click the link for the tar.gz + tar zxvf snort-.tar.gz + cd ./configure make su 
@@ -312,9 +313,10 @@ ...and if you want to use our binary package uninstaller :-): \begin{verbatim} - cd snort-stable; make uninstall + cd ; make uninstall \end{verbatim} -And if you must, you can find some binaries at \htmladdnormallink{http://www.snort.org/dl/binaries/}{http://www.snort.org/dl/binaries/}. + +And if you must, you can find some binaries at \htmladdnormallink{http://www.snort.org/snort-downloads}{http://www.snort.org/snort-downloads}. You can also find Snort in most BSD ports' trees. \subsection{How do I run Snort?} @@ -938,7 +940,7 @@ {\bf For $=>$ 2.0:} Please see the documents on v2.0 at: -\htmladdnormallink{http://www.snort.org/docs/\#devel}{http://www.snort.org/docs/\#devel}. +\htmladdnormallink{http://www.snort.org/docs/development-papers/}{http://www.snort.org/docs/development-papers/}. {\bf For $<=$ 1.9.X:} @@ -2114,9 +2116,9 @@ \subsection{Is it possible with snort to add a ipfilter/ipfw rule to a firewall? } -Yes, with additional software from the contrib section at -\htmladdnormallink{http://www.snort.org}{http://www.snort.org}. This can be dangerous and is not recommended -unless you know what you're doing. +Yes. Select the appropriate DAQ module for your system. IPQ, NFQ, and IPFW +DAQs are available, among others. See README.daq for details. Other +possibilities are listed below. \begin{itemize} \item SnortSam 
@@ -2952,23 +2954,30 @@ \begin{enumerate} \item ./configure --enable-debug -\item Look up the section of Snort you'd like to debug ( look at src/debug.h ) and add up the values. + +\item Look up the sections of Snort you'd like to debug ( look at src/snort\_debug.h ) +and bitwise-or the flags together to create a hex value. For example, \begin{verbatim} -#define DEBUG_PARSER 0x00000200 /* 512 */ +#define DEBUG_PARSER 0x00000002 ... -#define DEBUG_PATTERN_MATCH 0x00004000 /* 16384 */ +#define DEBUG_PATTERN_MATCH 0x00001000 +\end{verbatim} + +To debug just the parser: +\begin{verbatim} +export SNORT_DEBUG=0x2 \end{verbatim} -To debug just the parser, +To debug both the parser and pattern matcher: \begin{verbatim} -export SNORT_DEBUG=512 +export SNORT_DEBUG=0x1002 \end{verbatim} -To debug both the parser and pattern matcher: +Debugging preprocessors is similar, eg to debug frag3: \begin{verbatim} -export SNORT_DEBUG=16896 +export SNORT_PP_DEBUG=0x1 \end{verbatim} \item Run snort as normal. You will need to redirect output to a file diff -Nru snort-2.8.5.2/doc/INSTALL snort-2.9.2/doc/INSTALL --- snort-2.8.5.2/doc/INSTALL 2009-07-07 15:36:57.000000000 +0000 +++ snort-2.9.2/doc/INSTALL 2011-10-26 18:28:51.000000000 +0000 
@@ -1,17 +1,38 @@ The "generic" notes for putting this thing together are below. Here's the short version. -1.) *** Make sure you have libpcap and libpcre installed!!! *** -2.) ./configure -3.) make -4.) make install -5.) Create a sample rules file (if you want to use rules, check out the - included snort.conf file) -6.) snort -? -7.) If you've used previous versions of Snort, you may need to rewrite your - rules to make them compliant to the rules format. See - snort_manual.pdf or http://www.snort.org for more information. -8.) Have fun! +1.) If you are upgrading from a prior version of Snort, it is generally a good + idea to start with `sudo make uninstall` in your old source tree to remove + any dynamic modules that could cause you grief later. + +2.) *** Make sure you have libdnet, libpcap, libpcre installed!!! *** + Also make sure that dnet-config, pcre-config, and daq-modules-config are in + your PATH (eg you should be able to `which` these). + +3.) ./configure + +4.) make + +5.) sudo make install + +6.) Check your rules file. By default, step 3 configures Snort for the features + required by the included etc/snort.conf. You can validate it with: + + src/snort -c etc/snort.conf -T + +7.) snort -? + +8.) If you've used previous versions of Snort, you may need to rewrite your + rules to make them compliant to the rules format. See snort_manual.pdf + or http://www.snort.org for more information. + +9.) If you used previous versions of Snort and the new Snort dies upon startup, + try this and then restart: + + sudo make uninstall + sudo make install + +10.) Have fun! Any questions? Sign up to the snort-users mailing list at http://www.snort.org! 
@@ -24,11 +45,15 @@ `--enable-pthread' Enable pthread support (causes snort to be linked with libpthread). +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +!! The Prelude output plugin is considered deprecated as of Snort 2.9.2 and +!! will be removed in Snort 2.9.3. +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! `--enable-prelude' Enable Prelude Hydrid IDS support. `--enable-rulestate' - Enable rule state configuration feature that seperates the rule + Enable rule state configuration feature that separates the rule state (enabled/disabled) from the action (alert, drop, log, etc) and definition. @@ -36,6 +61,10 @@ Enable dynamically loadable preprocessors, detection engine and rules libraries. +`--enable-so-with-static-lib` + Enable linking of dynamically loaded preprocessors with a static + preprocessor library. + `--enable-timestats' Enable real-time performance statistics. 
@@ -45,30 +74,17 @@ `--enable-linux-smp-stats' Enable CPU performance statistics through proc. -`--enable-inline' - Use the libipq interface for inline mode. May require --with-libipq - options. - -`--enable-ipfw' - Use the IPFW divert sockets for inline mode. - `--enable-react' Enable interception and termination of offending HTTP accesses. -`--enable-flexresp' - Enable the 'Flexible Response' code, that allows you to - cancel hostile connections on IP-level when a rule matches. - When you enable this feature, you also need the 'libnet'-library - that can be found at http://www.packetfactory.net/libnet. - See README.FLEXRESP for details. - -`--enable-flexresp2' - Enable the 'Flexible Response, version 2' code, that allows you to - cancel hostile connections on IP-level when a rule matches. - When you enable this feature, you also need the 'libnet'-library - that can be found at http://www.packetfactory.net/libnet. - See README.FLEXRESP2 for details. - +`--enable-flexresp3' + Enable the 'Flexible Response, version 3' code, that allows you to + reset hostile sessions. See README.active for details. + +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +!! The Aruba output plugin is considered deprecated as of Snort 2.9.2 and will +!! be removed in Snort 2.9.3. +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! `--enable-aruba' Enable the Aruba output plugin capability that allows you to send information to an Aruba Networks Mobility Controller. See 
@@ -79,10 +95,32 @@ Only supports GRE over IP. Only one layer of encapsulation will be decoded - packets with multiple GRE headers will be alerted and discarded/blocked. - + +`--enable-sourcefire' + Enable Sourcefire specific build options, encompasing --enable-perfprofiling, + --enable-decoder-preprocessor-rules, --enable-ppm. + `--with-snmp' Enable SNMP alerting code. +`--with-dnet-includes=DIR' + Specify libdnet include directory. + +`--with-dnet-libraries=DIR' + Specify libdnet library directory. + +`--with-libpcap-includes=DIR' + If the configuration script can't find the libpcap include files on its + own, the path can be set manually with this switch. + +`--with-libpcap-libraries=DIR' + If the configuration script can't find the libpcap library files on its + own, the path can be set manually with this switch. + +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +!! Database output plugins are considered deprecated as of Snort 2.9.2 and will +!! be removed in Snort 2.9.3. +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! `--with-mysql=DIR' Support for mysql, turn this on if you want to use ACID with MySQL. NOTE: Specifying a directory will be deprecated in the future. @@ -104,9 +142,6 @@ `--with-oracle=DIR' Support for Oracle databases, turn this on if you want to use ACID with Oracle. - -`--with-openssl=DIR' - Support for openssl (used by the XML output plugin). `--with-libpq-includes=DIR' Set the include directories for Postgres SQL database support to DIR. 
@@ -114,54 +149,32 @@ `--with-libpq-libraries=DIR' Set the library directories for Postgres SQL database support to DIR. Setting both of these values enables the Postgres output plugin module. - -`--with-libpcap-includes=DIR' - If the configuration script can't find the libpcap include files on its - own, the path can be set manually with this switch. - -`--with-libpcap-libraries=DIR' - If the configuration script can't find the libpcap library files on its - own, the path can be set manually with this switch. - -`--with-libxml2-includes=DIR' - Libxml2 include directory. - -`--with-libxml2-libraries=DIR' - Libxml2 library directory. - -`--with-libntp-libraries=DIR' - Libntp library directory. - -`--with-libidmef-includes=DIR' - Libidmef include directory. - -`--with-libidmef-libraries=DIR' - Libidmef library directory. +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Basic Installation ================== - These are generic installation instructions. +These are generic installation instructions. - The `configure' shell script attempts to guess correct values for -various system-dependent variables used during compilation. It uses -those values to create a `Makefile' in each directory of the package. -It may also create one or more `.h' files containing system-dependent -definitions. Finally, it creates a shell script `config.status' that -you can run in the future to recreate the current configuration, a file -`config.cache' that saves the results of its tests to speed up -reconfiguring, and a file `config.log' containing compiler output -(useful mainly for debugging `configure'). - - If you need to do unusual things to compile the package, please try -to figure out how `configure' could check whether to do them, and mail -diffs or instructions to the address given in the `README' so they can -be considered for the next release. 
If at some point `config.cache' -contains results you don't want to keep, you may remove or edit it. - - The file `configure.in' is used to create `configure' by a program -called `autoconf'. You only need `configure.in' if you want to change -it or regenerate `configure' using a newer version of `autoconf'. +The `configure' shell script attempts to guess correct values for various +system-dependent variables used during compilation. It uses those values to +create a `Makefile' in each directory of the package. It may also create one +or more `.h' files containing system-dependent definitions. Finally, it +creates a shell script `config.status' that you can run in the future to +recreate the current configuration, a file `config.cache' that saves the +results of its tests to speed up reconfiguring, and a file `config.log' +containing compiler output (useful mainly for debugging `configure'). + +If you need to do unusual things to compile the package, please try to figure +out how `configure' could check whether to do them, and mail diffs or +instructions to the address given in the `README' so they can be considered for +the next release. If at some point `config.cache' contains results you don't +want to keep, you may remove or edit it. + +The file `configure.in' is used to create `configure' by a program called +`autoconf'. You only need `configure.in' if you want to change it or +regenerate `configure' using a newer version of `autoconf'. The simplest way to compile this package is: 
@@ -194,12 +207,11 @@ Compilers and Options ===================== - Some systems require unusual options for compilation or linking that -the `configure' script does not know about. You can give `configure' -initial values for variables by setting them in the environment. Using -a Bourne-compatible shell, you can do that on the command line like -this: - CC=c89 CFLAGS=-O2 LIBS=-lposix ./configure +Some systems require unusual options for compilation or linking that the +`configure' script does not know about. You can give `configure' initial +values for variables by setting them in the environment. Using a +Bourne-compatible shell, you can do that on the command line like this: CC=c89 +CFLAGS=-O2 LIBS=-lposix ./configure Or on systems that have the `env' program, you can do it like this: env CPPFLAGS=-I/usr/local/include LDFLAGS=-s ./configure 
@@ -207,104 +219,92 @@ Compiling For Multiple Architectures ==================================== - You can compile the package for more than one kind of computer at the -same time, by placing the object files for each architecture in their -own directory. To do this, you must use a version of `make' that -supports the `VPATH' variable, such as GNU `make'. `cd' to the -directory where you want the object files and executables to go and run -the `configure' script. `configure' automatically checks for the -source code in the directory that `configure' is in and in `..'. - - If you have to use a `make' that does not supports the `VPATH' -variable, you have to compile the package for one architecture at a time -in the source code directory. After you have installed the package for -one architecture, use `make distclean' before reconfiguring for another -architecture. +You can compile the package for more than one kind of computer at the same +time, by placing the object files for each architecture in their own directory. +To do this, you must use a version of `make' that supports the `VPATH' +variable, such as GNU `make'. `cd' to the directory where you want the object +files and executables to go and run the `configure' script. `configure' +automatically checks for the source code in the directory that `configure' is +in and in `..'. + +If you have to use a `make' that does not supports the `VPATH' variable, you +have to compile the package for one architecture at a time in the source code +directory. After you have installed the package for one architecture, use +`make distclean' before reconfiguring for another architecture. Installation Names ================== - By default, `make install' will install the package's files in -`/usr/local/bin', `/usr/local/man', etc. You can specify an -installation prefix other than `/usr/local' by giving `configure' the -option `--prefix=PATH'. 
- - You can specify separate installation prefixes for -architecture-specific files and architecture-independent files. If you -give `configure' the option `--exec-prefix=PATH', the package will use -PATH as the prefix for installing programs and libraries. -Documentation and other data files will still use the regular prefix. - - In addition, if you use an unusual directory layout you can give -options like `--bindir=PATH' to specify different values for particular -kinds of files. Run `configure --help' for a list of the directories -you can set and what kinds of files go in them. - - If the package supports it, you can cause programs to be installed -with an extra prefix or suffix on their names by giving `configure' the -option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'. +By default, `make install' will install the package's files in +`/usr/local/bin', `/usr/local/man', etc. You can specify an installation +prefix other than `/usr/local' by giving `configure' the option +`--prefix=PATH'. + +You can specify separate installation prefixes for architecture-specific files +and architecture-independent files. If you give `configure' the option +`--exec-prefix=PATH', the package will use PATH as the prefix for installing +programs and libraries. Documentation and other data files will still use the +regular prefix. + +In addition, if you use an unusual directory layout you can give options like +`--bindir=PATH' to specify different values for particular kinds of files. Run +`configure --help' for a list of the directories you can set and what kinds of +files go in them. + +If the package supports it, you can cause programs to be installed with an +extra prefix or suffix on their names by giving `configure' the option +`--program-prefix=PREFIX' or `--program-suffix=SUFFIX'. Optional Features ================= - Some packages pay attention to `--enable-FEATURE' options to -`configure', where FEATURE indicates an optional part of the package. 
-They may also pay attention to `--with-PACKAGE' options, where PACKAGE -is something like `gnu-as' or `x' (for the X Window System). The -`README' should mention any `--enable-' and `--with-' options that the -package recognizes. - - For packages that use the X Window System, `configure' can usually -find the X include and library files automatically, but if it doesn't, -you can use the `configure' options `--x-includes=DIR' and -`--x-libraries=DIR' to specify their locations. - - The following configuration switches are available for Snort: - -`--enable-flexresp' - Enable the 'Flexible Response' code, that allows you to - cancel hostile connections on IP-level when a rule matches. - When you enable this feature, you also need the 'libnet'-library - that can be found at http://www.packetfactory.net/libnet. - See README.FLEXRESP for details. - This function is still ALPHA, so use with caution. +Some packages pay attention to `--enable-FEATURE' options to `configure', where +FEATURE indicates an optional part of the package. They may also pay attention +to `--with-PACKAGE' options, where PACKAGE is something like `gnu-as' or `x' +(for the X Window System). The `README' should mention any `--enable-' and +`--with-' options that the package recognizes. + +For packages that use the X Window System, `configure' can usually find the X +include and library files automatically, but if it doesn't, you can use the +`configure' options `--x-includes=DIR' and `--x-libraries=DIR' to specify their +locations. + +The following configuration switches are available for Snort: Specifying the System Type ========================== - There may be some features `configure' can not figure out -automatically, but needs to determine by the type of host the package -will run on. Usually `configure' can figure that out, but if it prints -a message saying it can not guess the host type, give it the -`--host=TYPE' option. 
TYPE can either be a short name for the system -type, such as `sun4', or a canonical name with three fields: - CPU-COMPANY-SYSTEM +There may be some features `configure' can not figure out automatically, but +needs to determine by the type of host the package will run on. Usually +`configure' can figure that out, but if it prints a message saying it can not +guess the host type, give it the `--host=TYPE' option. TYPE can either be a +short name for the system type, such as `sun4', or a canonical name with three +fields: CPU-COMPANY-SYSTEM See the file `config.sub' for the possible values of each field. If -`config.sub' isn't included in this package, then this package doesn't -need to know the host type. +`config.sub' isn't included in this package, then this package doesn't need to +know the host type. - If you are building compiler tools for cross-compiling, you can also -use the `--target=TYPE' option to select the type of system they will -produce code for and the `--build=TYPE' option to select the type of -system on which you are compiling the package. +If you are building compiler tools for cross-compiling, you can also use the +`--target=TYPE' option to select the type of system they will produce code for +and the `--build=TYPE' option to select the type of system on which you are +compiling the package. Sharing Defaults ================ - If you want to set default values for `configure' scripts to share, -you can create a site shell script called `config.site' that gives -default values for variables like `CC', `cache_file', and `prefix'. -`configure' looks for `PREFIX/share/config.site' if it exists, then -`PREFIX/etc/config.site' if it exists. Or, you can set the -`CONFIG_SITE' environment variable to the location of the site script. -A warning: not all `configure' scripts look for a site script. 
+If you want to set default values for `configure' scripts to share, you can +create a site shell script called `config.site' that gives default values for +variables like `CC', `cache_file', and `prefix'. `configure' looks for +`PREFIX/share/config.site' if it exists, then `PREFIX/etc/config.site' if it +exists. Or, you can set the `CONFIG_SITE' environment variable to the location +of the site script. A warning: not all `configure' scripts look for a site +script. Operation Controls ================== - `configure' recognizes the following options to control how it -operates. + `configure' recognizes the following options to control how it operates. `--cache-file=FILE' Use and save the results of the tests in FILE instead of @@ -337,10 +337,10 @@ * 64bit platforms: ------------------ -On some 64bit Linux systems (e.g. with Fedora distributions), when -configuring snort with MySQL output support, the necessary library may -not be found automatically by the configure script, giving the -following error when 'configure' is run: +On some 64bit Linux systems (e.g. with Fedora distributions), when configuring +snort with MySQL output support, the necessary library may not be found +automatically by the configure script, giving the following error when +'configure' is run: ********************************************** ERROR: unable to find mysqlclient library (libmysqlclient.*) 
@@ -355,18 +355,17 @@ /usr/local/mysql/lib ********************************************** -In this case, libmysqlclient.* may actually be found in /usr/lib64/mysql, -and the path will need to be explicitly specified in this manner: -configure --with-mysql-libraries=/usr/lib64/mysql - -Note, you may also specify alternate locations for the mysql header -files using --with-mysql-includes. Specifying a directory as part -of the --with-mysql option to configure will be deprecated in the -future. - -Problems may also be encountered if both the 32bit and 64bit libraries -are installed on the system, and configuring snort with MySQL support -may result in a different error: +In this case, libmysqlclient.* may actually be found in /usr/lib64/mysql, and +the path will need to be explicitly specified in this manner: configure +--with-mysql-libraries=/usr/lib64/mysql + +Note, you may also specify alternate locations for the mysql header files using +--with-mysql-includes. Specifying a directory as part of the --with-mysql +option to configure will be deprecated in the future. + +Problems may also be encountered if both the 32bit and 64bit libraries are +installed on the system, and configuring snort with MySQL support may result in +a different error: checking for mysql... yes checking for compress in -lz... yes @@ -376,8 +375,8 @@ ERROR! programmatic interface to dynamic link loader not found. Cannot use dynamic plugin libraries. -Reading through config.log, you may see something like this (the -numbers are the line number and may differ): +Reading through config.log, you may see something like this (the numbers are +the line number and may differ): configure:24280: checking for dlsym in -ldl configure:24310: gcc -o conftest -g -O2 -Wall -DDYNAMIC_PLUGIN -I/usr/include/mysql -DENABLE_MYSQL -lpcre -L/usr/lib/mysql conftest.c -ldl -lmysqlclient -lz -lpcre -lpcap -lm -lnsl >&5 
@@ -387,46 +386,44 @@ collect2: ld returned 1 exit status configure:24316: $? = 1 -This likely indicates a compability issue between a 32bit library -from mysql (found in its normal location), and a 64bit library for -libdl (dynamic loader). Use the --with-mysql-libraries option to -specify the location of the 64bit mysql library (e.g. /usr/lib64/mysql). +This likely indicates a compatibility issue between a 32bit library from mysql +(found in its normal location), and a 64bit library for libdl (dynamic loader). +Use the --with-mysql-libraries option to specify the location of the 64bit +mysql library (e.g. /usr/lib64/mysql). * Linux: --------- -With kernels 2.2.x and higher you may get `snort [pid] uses obsolete +-------- With kernels 2.2.x and higher you may get `snort [pid] uses obsolete (PF_INET, SOCK_PACKET)' warnings. This is because you use some older -implementation of libpcap library and you need an upgrade. The recent -version of libpcap could be found at www.tcpdump.org page. On linux -with kernels 2.2.x and higher you may also get feature to monitor -several interfaces down to network level (session + TCP + IP) if you -link your snort with the lattest version of libpcap which incorporates -Sebastian Krahmer's patch for interface 'any'. -(Consult http://www.tcpdump.org for details). +implementation of libpcap library and you need an upgrade. The recent version +of libpcap could be found at www.tcpdump.org page. On linux with kernels 2.2.x +and higher you may also get feature to monitor several interfaces down to +network level (session + TCP + IP) if you link your snort with the latest +version of libpcap which incorporates Sebastian Krahmer's patch for interface +'any'. (Consult http://www.tcpdump.org for details). * IRIX ------ [ noticed by Scott A. McIntyre ] -There's problem with GCC on IRIX platform which causes certain missbehaviour +There's problem with GCC on IRIX platform which causes certain misbehaviour of snort. 
From the SGI web site: -Gcc does not correctly pass/return structures which are smaller than 16 -bytes and which are not 8 bytes. The problem is very involved and difficult -to fix. It affects a number of other targets also, but irix6 is affected -the most, because it is a 64 bit target, and 4 byte structures are common. -The exact problem is that structures are being padded at the wrong end, e.g. -a 4 byte structure is loaded into the lower 4 bytes of the register when it -should be loaded into the upper 4 bytes of the register. - -Gcc is consistent with itself, but not consistent with the SGI C compiler -[and the SGI supplied runtime libraries], so the only failures that can -happen are when there are library functions that take/return such structures. -There are very few such library functions. I can only recall seeing a few of -them: inet_ntoa, inet_aton, inet_lnaof, inet_netof, and semctl. +Gcc does not correctly pass/return structures which are smaller than 16 bytes +and which are not 8 bytes. The problem is very involved and difficult to fix. +It affects a number of other targets also, but irix6 is affected the most, +because it is a 64 bit target, and 4 byte structures are common. The exact +problem is that structures are being padded at the wrong end, e.g. a 4 byte +structure is loaded into the lower 4 bytes of the register when it should be +loaded into the upper 4 bytes of the register. + +Gcc is consistent with itself, but not consistent with the SGI C compiler [and +the SGI supplied runtime libraries], so the only failures that can happen are +when there are library functions that take/return such structures. There are +very few such library functions. I can only recall seeing a few of them: +inet_ntoa, inet_aton, inet_lnaof, inet_netof, and semctl. A possible workaround: if you have a program that calls inet_ntoa and friends or semctl, and your kernel supports 64-bit binaries (i.e. uname -a prints 
@@ -439,9 +436,8 @@ * MAC OSX --------- -On Darwin (maybe others), the configure script shipped as part of the -source distribution may need to be recreated. To do this, run the -following commands: +On Darwin (maybe others), the configure script shipped as part of the source +distribution may need to be recreated. To do this, run the following commands: glibtoolize --force aclocal -I m4 @@ -449,8 +445,8 @@ automake --add-missing --copy autoconf -Snort needs to be linked using the two level namespace. To do this, set -the LD_TWOLEVEL_NAMESPACE environment variable to something prior to running +Snort needs to be linked using the two level namespace. To do this, set the +LD_TWOLEVEL_NAMESPACE environment variable to something prior to running configure. An example: $ export LD_TWOLEVEL_NAMESPACE=1 @@ -460,11 +456,11 @@ * MAC OSX TIGER & LEOPARD ------------------------- -For users of MAC OSX 10.5 (Leopard), the following environment variables -must be set before running configure & make. +For users of MAC OSX 10.5 (Leopard), the following environment variables must +be set before running configure & make. -For users of MAC OSX 10.4 (Tiger), this also applies if the compiler -has been updated, otherwise, the instructions above may be used. +For users of MAC OSX 10.4 (Tiger), this also applies if the compiler has been +updated, otherwise, the instructions above may be used. Reference information for MAC OSX can be found at these two links. 
@@ -479,37 +475,41 @@ * Open BSD / Free BSD / MAC OSX ------------------------------- -On certain BSD-based platforms, the make install may not symlink the -version specific shared libraries to the non-versioned shared library. -This could cause a failure to load when using dynamic libraries. +For Open BSD and some versions of Free BSD, use the --disable-static-daq +option to Snort's configure script. This is a work-around to an issue with +building shared libraries that link against a static library. Without this +option to configure, libsf_engine.so and the dynamic preprocessors may not +be built correctly. + +On certain BSD-based platforms, the make install may not symlink the version +specific shared libraries to the non-versioned shared library. This could +cause a failure to load when using dynamic libraries. Work arounds: -1) Create the symlink's by hand after make install. The shared libraries -can be located under /usr/local/lib/snort_dynamicengine and -/usr/local/lib/snort_dynamicpreprocessor. If necessary, symlink the .so.0 -or .0.so files to a corresponding .so. +1) Create the symlinks by hand after make install. The shared libraries can +be located under /usr/local/lib/snort_dynamicengine and +/usr/local/lib/snort_dynamicpreprocessor. If necessary, symlink the .so.0 or +.0.so files to a corresponding .so. 2) Use the --dynamic-preprocessor-lib (rather than ---dynamic-preprocessor-lib-dir) to load the version specific -shared library. +--dynamic-preprocessor-lib-dir) to load the version specific shared library. 3) Use the config directive dynamicpreprocessor file (rather than -dynamicpreprocessor directory) to load the version specific -shared library. +dynamicpreprocessor directory) to load the version specific shared library. +Note that on FreeBSD and OpenBSD, divert sockets don't work with bridges. Please +refer to the DAQ distro README for work arounds and more details. 
* FreeBSD 6.x ------------- +If you run the auto tools (instead of using the delivered configure script), +you may need to include -I /usr/local/share/aclocal (in addition to -I m4) as +arguments to aclocal. This is required to set up the correct info for using +LIBTOOL with aclocal version 1.9 that ships with FreeBSD. -If you run the auto tools (instead of using the delivered -configure script), you may need to include -I /usr/local/share/aclocal -(in addition to -I m4) as arguments to aclocal. This is required -to set up the correct info for using LIBTOOL with aclocal -version 1.9 that ships with FreeBSD. - -In this case, the following recommended commands should be used -to configure snort prior to using make: +In this case, the following recommended commands should be used to configure +snort prior to using make: libtoolize --automake --copy aclocal -I m4 -I /usr/local/share/aclocal diff -Nru snort-2.8.5.2/doc/Makefile.am snort-2.9.2/doc/Makefile.am --- snort-2.8.5.2/doc/Makefile.am 2009-07-07 15:36:57.000000000 +0000 +++ snort-2.9.2/doc/Makefile.am 2011-10-27 15:19:41.000000000 +0000 
@@ -17,50 +17,58 @@ NEWS \ PROBLEMS \ README \ +README.active \ README.alert_order \ README.ARUBA \ README.asn1 \ +README.counts \ README.csv \ +README.daq \ README.database \ -README.dcerpc \ README.dcerpc2 \ README.decode \ README.decoder_preproc_rules \ +README.dnp3 \ README.dns \ README.event_queue \ README.filters \ -README.FLEXRESP \ -README.FLEXRESP2 \ README.flowbits \ README.frag3 \ README.ftptelnet \ README.gre \ +README.GTP \ README.http_inspect \ -README.INLINE \ +README.imap \ README.ipip \ README.ipv6 \ +README.modbus \ README.multipleconfigs \ +README.normalize \ README.pcap_readmode \ README.PerfProfiling \ README.PLUGINS \ +README.pop \ README.ppm \ README.reload \ +README.reputation \ +README.rzb_saac \ +README.sensitive_data \ README.sfportscan \ README.SMTP \ README.ssh \ README.ssl \ +README.sip \ README.stream5 \ README.tag \ README.thresholding \ README.UNSOCK \ README.variables \ README.WIN32 \ -README.wireless \ TODO \ USAGE \ WISHLIST -DISTCLEANFILES= snort_manual.log snort_manual.toc snort_manual.aux faq.log faq.toc faq.aux snort_manual.pdf faq.pdf snort_manual.out +DISTCLEANFILES= snort_manual.log snort_manual.toc snort_manual.aux faq.log faq.toc faq.aux snort_manual.pdf faq.pdf snort_manual.out faq.out snort_manual.idx faq.idx docdir = ${datadir}/doc/${PACKAGE} @@ -76,7 +84,7 @@ ps2pdf $< .tex.html: - latex2html -local_icons $< + latex2html -local_icons $< # perhaps one day, we will have a Makefile in the signatures directory... diff -Nru snort-2.8.5.2/doc/Makefile.in snort-2.9.2/doc/Makefile.in --- snort-2.8.5.2/doc/Makefile.in 2009-10-19 21:17:58.000000000 +0000 +++ snort-2.9.2/doc/Makefile.in 2011-12-07 19:23:17.000000000 +0000 
@@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -16,8 +17,9 @@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c @@ -43,6 +45,7 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = depcomp = am__depfiles_maybe = SOURCES = 
@@ -52,9 +55,23 @@ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; -am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(docdir)" -dist_docDATA_INSTALL = $(INSTALL_DATA) DATA = $(dist_doc_DATA) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ @@ -66,31 +83,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ 
@@ -103,12 +120,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ @@ -116,20 +139,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -161,6 +191,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -173,6 +204,7 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies 
@@ -192,50 +224,58 @@ NEWS \ PROBLEMS \ README \ +README.active \ README.alert_order \ README.ARUBA \ README.asn1 \ +README.counts \ README.csv \ +README.daq \ README.database \ -README.dcerpc \ README.dcerpc2 \ README.decode \ README.decoder_preproc_rules \ +README.dnp3 \ README.dns \ README.event_queue \ README.filters \ -README.FLEXRESP \ -README.FLEXRESP2 \ README.flowbits \ README.frag3 \ README.ftptelnet \ README.gre \ +README.GTP \ README.http_inspect \ -README.INLINE \ +README.imap \ README.ipip \ README.ipv6 \ +README.modbus \ README.multipleconfigs \ +README.normalize \ README.pcap_readmode \ README.PerfProfiling \ README.PLUGINS \ +README.pop \ README.ppm \ README.reload \ +README.reputation \ +README.rzb_saac \ +README.sensitive_data \ README.sfportscan \ README.SMTP \ README.ssh \ README.ssl \ +README.sip \ README.stream5 \ README.tag \ README.thresholding \ README.UNSOCK \ README.variables \ README.WIN32 \ -README.wireless \ TODO \ USAGE \ WISHLIST -DISTCLEANFILES = snort_manual.log snort_manual.toc snort_manual.aux faq.log faq.toc faq.aux snort_manual.pdf faq.pdf snort_manual.out +DISTCLEANFILES = snort_manual.log snort_manual.toc snort_manual.aux faq.log faq.toc faq.aux snort_manual.pdf faq.pdf snort_manual.out faq.out snort_manual.idx faq.idx SUFFIXES = .tex .dvi .ps all: all-am @@ -245,14 +285,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign doc/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign doc/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign doc/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign doc/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ 
@@ -270,6 +310,7 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): mostlyclean-libtool: -rm -f *.lo @@ -279,20 +320,23 @@ install-dist_docDATA: $(dist_doc_DATA) @$(NORMAL_INSTALL) test -z "$(docdir)" || $(MKDIR_P) "$(DESTDIR)$(docdir)" - @list='$(dist_doc_DATA)'; for p in $$list; do \ + @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \ + for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f=$(am__strip_dir) \ - echo " $(dist_docDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(docdir)/$$f'"; \ - $(dist_docDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(docdir)/$$f"; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(docdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(docdir)" || exit $$?; \ done uninstall-dist_docDATA: @$(NORMAL_UNINSTALL) - @list='$(dist_doc_DATA)'; for p in $$list; do \ - f=$(am__strip_dir) \ - echo " rm -f '$(DESTDIR)$(docdir)/$$f'"; \ - rm -f "$(DESTDIR)$(docdir)/$$f"; \ - done + @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + test -n "$$files" || exit 0; \ + echo " ( cd '$(DESTDIR)$(docdir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(docdir)" && rm -f $$files tags: TAGS TAGS: 
@@ -316,13 +360,17 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @@ -353,6 +401,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) -test -z "$(DISTCLEANFILES)" || rm -f $(DISTCLEANFILES) maintainer-clean-generic: @@ -372,6 +421,8 @@ html: html-am +html-am: + info: info-am info-am: @@ -380,18 +431,28 @@ install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am 
@@ -437,10 +498,11 @@ ps2pdf $< .tex.html: - latex2html -local_icons $< + latex2html -local_icons $< # perhaps one day, we will have a Makefile in the signatures directory... # SUBDIRS = signatures + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/doc/README snort-2.9.2/doc/README --- snort-2.8.5.2/doc/README 2008-02-25 19:27:41.000000000 +0000 +++ snort-2.9.2/doc/README 2011-02-09 23:22:34.000000000 +0000 @@ -8,7 +8,7 @@ ****************************************************************************** COPYRIGHT -Copyright (C)2001-2008 Sourcefire Inc. +Copyright (C)2001-2011 Sourcefire Inc. Copyright (C)1998-2001 Martin Roesch This program is free software; you can redistribute it and/or modify @@ -297,8 +297,8 @@ Default is pass before alert, drop, etc. --treat-drop-as-alert - Converts drop, sdrop, and reject rules into alert rules - during startup. + Converts drop, and reject rules into alert rules + during startup. sdrop rules are not loaded. --process-all-events Process all triggered events in group order, per Rule Ordering @@ -310,6 +310,10 @@ --create-pidfile Create PID file, even when not in Daemon mode. + --enable-inline-test + Runs snort in "inline test mode". This option cannot be used + with -Q. + [*][FILTERS]: The "filters" are standard BPF style filters as seen in tcpdump. Look diff -Nru snort-2.8.5.2/doc/README.active snort-2.9.2/doc/README.active --- snort-2.8.5.2/doc/README.active 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/doc/README.active 2011-06-08 00:33:00.000000000 +0000 
@@ -0,0 +1,167 @@ +Snort 2.9 includes a number of changes to better handle inline operation, +including: + +* a single mechanism for all responses +* fully encoded reset or icmp unreachable packets +* updated flexible response rule option +* updated react rule option +* added block and sblock rule actions + +These changes are outlined below. + + +ENABLING ACTIVE RESPONSE +======================== + +This enables active responses (snort will send TCP RST or ICMP +unreachable/port) when dropping a session. + + ./configure --enable-active-response + + preprocessor stream5_global: \ + max_active_responses , \ + min_response_seconds + + ::= (0..25) + ::= (1..300) + +Active responses will be encoded based on the triggering packet. TTL will be +set to the value captured at session pickup. + + +CONFIGURE SNIPING +================= + +Configure the number of attempts to land a TCP RST within the session's current +window (so that it is accepted by the receiving TCP). This sequence "strafing" +is really only useful in passive mode. In inline mode the reset is put +straight into the stream in lieu of the triggering packet so strafing is not +necessary. + +Each attempt (sent in rapid succession) has a different sequence number. Each +active response will actually cause this number of TCP resets to be sent. TCP +data (sent for react) is multiplied similarly. At most 1 ICMP unreachable is +sent, iff attempts > 0. + + ./configure --enable-active-response + + config response: [device ] [dst_mac ] attempts + + ::= ip | eth0 | etc. + ::= (1..20) + ::= nn:nn:nn:nn:nn:nn + (n is a hex number from 0-F) + +device ip will perform network layer injection. It is probably a better choice +to specify an interface and avoid kernel routing tables, etc. + +dst_mac will change response destination MAC address, if the device is eth0, eth1, eth2 etc. +Otherwise, response destination MAC address is derived from packet. 
+Example: + config response: device eth0 dst_mac 00:06:76:DD:5F:E3 attempts 2 + +FLEXRESP CHANGES +================ + +Flexresp and flexresp2 are replaced with flexresp3. + +* Flexresp is deleted; these features are no longer avaliable: + + ./configure --enable-flexresp + config flexresp: attempts 1 + +* Flexresp2 is deleted; these features are no longer avaliable: + + ./configure --enable-flexresp2 + + config flexresp2_interface: eth0 + config flexresp2_attempts: 4 + config flexresp2_memcap: 1000000 + config flexresp2_rows: 1000 + +* Flexresp3 is new: the resp rule option keyword is used to configure active + responses for rules that fire. + + ./configure --enable-flexresp3 + + alert tcp any any -> any 80 (content:"a"; resp:; sid:1;) + +* resp_t includes all flexresp and flexresp2 options: + + ::= \ + rst_snd | rst_rcv | rst_all | \ + reset_source | reset_dest | reset_both | icmp_net | \ + icmp_host | icmp_port | icmp_all + +See README.flexresp3 for more. + + +REACT CHANGES +============= + +react is a rule option keyword that enables sending an HTML page on a session +and then resetting it. This is built with: + + ./configure --enable-react + +The page to be sent can be read from a file: + + config react: + +or else the default is used: + + ::= \ + "HTTP/1.1 403 Forbidden\r\n" + "Connection: close\r\n" + "Content-Type: text/html; charset=utf-8\r\n" + "\r\n" + "\r\n" \ + "\r\n" \ + "\r\n" \ + "\r\n" \ + "Access Denied\r\n" \ + "\r\n" \ + "\r\n" \ + "

Access Denied

\r\n" \ + "

%s

\r\n" \ + "\r\n" \ + "\r\n"; + +Note that the file must contain the entire response, includeing any HTTP headers. +In fact, the response isn't strictly limited to HTTP. You could craft a binary +payload of arbitrary content. + +When the rule is configured, the page is loaded and the %s is replaced with the +selected message, which defaults to: + + ::= \ + "You are attempting to access a forbidden site.
" \ + "Consult your system administrator for details."; + +This is an example rule: + + drop tcp any any -> any $HTTP_PORTS ( \ + content: "d"; msg:"Unauthorized Access Prohibited!"; \ + react: ; sid:4;) + + ::= [msg] [, ] + +These options are deprecated: + + ::= [block|warn], [proxy ] + +The original version sent the web page to one end of the session only if the +other end of the session was port 80 or the optional proxy port. The new +version always sends the page to the client. If no page should be sent, a resp +option can be used instead. The deprecated options are ignored. + + +RULE ACTION CHANGES +=================== + +The block and sblock actions have been introduced as synonyms for drop and +sdrop to help avoid confusion between packets dropped due to load (eg lack of +available buffers for incoming packets) and packets dropped due to Snort's +analysis. + diff -Nru snort-2.8.5.2/doc/README.ARUBA snort-2.9.2/doc/README.ARUBA --- snort-2.8.5.2/doc/README.ARUBA 2006-09-18 13:36:22.000000000 +0000 +++ snort-2.9.2/doc/README.ARUBA 2011-10-26 18:28:51.000000000 +0000 @@ -1,3 +1,8 @@ +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +!! This output plugin is considered deprecated as of Snort 2.9.2 and will be +!! removed in Snort 2.9.3. +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + Aruba Networks Integration ========================== Joshua Wright diff -Nru snort-2.8.5.2/doc/README.asn1 snort-2.9.2/doc/README.asn1 --- snort-2.8.5.2/doc/README.asn1 2007-12-10 19:12:30.000000000 +0000 +++ snort-2.9.2/doc/README.asn1 2010-04-06 14:05:45.000000000 +0000 
@@ -57,7 +57,7 @@ This is the relative offset from the last content match or byte_test/jump. relative_offset has one argument and that is the offset number. So if you wanted to start decoding and ASN.1 sequence right after the content "foo", -you would specifiy 'content:"foo"; asn1: bitstring_overflow, +you would specify 'content:"foo"; asn1: bitstring_overflow, relative_offset, 0'. Offset may be positive or negative. Examples diff -Nru snort-2.8.5.2/doc/README.counts snort-2.9.2/doc/README.counts --- snort-2.8.5.2/doc/README.counts 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/doc/README.counts 2011-07-13 22:43:17.000000000 +0000 
@@ -0,0 +1,204 @@ +Snort does a lot of work and outputs some useful statistics when it is done. +Many of these are self-explanatory. The others are summarized below. This +does not include all possible output data, just the basics. + + +----------------- +Timing Statistics +----------------- + +This section provides basic timing statistics. It includes total seconds and +packets as well as packet processing rates. The rates are based on whole +seconds, minutes, etc. and only shown when non-zero. + +Example: + +=============================================================================== +Run time for packet processing was 175.856509 seconds +Snort processed 3716022 packets. +Snort ran for 0 days 0 hours 2 minutes 55 seconds + Pkts/min: 1858011 + Pkts/sec: 21234 +=============================================================================== + + +----------------- +Packet I/O Totals +----------------- + +This section shows basic packet acquisition and injection peg counts obtained +from the DAQ. If you are reading pcaps, the totals are for all pcaps combined, +unless you use --pcap-reset, in which case it is shown per pcap. + +* Outstanding indicates how many packets are buffered awaiting processing. The + way this is counted varies per DAQ so the DAQ documentation should be + consulted for more info. + +* Filtered packets are not shown for pcap DAQs. + +* Injected packets are the result of active response which can be configured for + inline or passive modes. + +Example: + +=============================================================================== +Packet I/O Totals: + Received: 3716022 + Analyzed: 3716022 (100.000%) + Dropped: 0 ( 0.000%) + Filtered: 0 ( 0.000%) +Outstanding: 0 ( 0.000%) + Injected: 0 +=============================================================================== + + +------------------- +Protocol Statistics +------------------- + +Traffic for all the protocols decoded by Snort is summarized in the breakdown +section. 
This traffic includes internal "pseudo-packets" if preprocessors such +as frag3 and stream5 are enabled so the total may be greater than the number of +analyzed packets in the packet I/O section. + +* Disc counts are discards due to basic encoding integrity flaws that prevents + Snort from decoding the packet. + +* Other includes packets that contained an encapsulation that Snort doesn't + decode. + +* S5 G 1/2 is the number of client/server sessions stream5 flushed due to cache + limit, session timeout, session reset. + +Example: + +=============================================================================== +Breakdown by protocol (includes rebuilt packets): + Eth: 3722347 (100.000%) + VLAN: 0 ( 0.000%) + IP4: 1782394 ( 47.884%) + Frag: 3839 ( 0.103%) + ICMP: 38860 ( 1.044%) + UDP: 137162 ( 3.685%) + TCP: 1619621 ( 43.511%) + IP6: 1781159 ( 47.850%) + IP6 Ext: 1787327 ( 48.016%) + IP6 Opts: 6168 ( 0.166%) + Frag6: 3839 ( 0.103%) + ICMP6: 1650 ( 0.044%) + UDP6: 140446 ( 3.773%) + TCP6: 1619633 ( 43.511%) + Teredo: 18 ( 0.000%) + ICMP-IP: 0 ( 0.000%) + EAPOL: 0 ( 0.000%) + IP4/IP4: 0 ( 0.000%) + IP4/IP6: 0 ( 0.000%) + IP6/IP4: 0 ( 0.000%) + IP6/IP6: 0 ( 0.000%) + GRE: 202 ( 0.005%) + GRE Eth: 0 ( 0.000%) + GRE VLAN: 0 ( 0.000%) + GRE IP4: 0 ( 0.000%) + GRE IP6: 0 ( 0.000%) +GRE IP6 Ext: 0 ( 0.000%) + GRE PPTP: 202 ( 0.005%) + GRE ARP: 0 ( 0.000%) + GRE IPX: 0 ( 0.000%) + GRE Loop: 0 ( 0.000%) + MPLS: 0 ( 0.000%) + ARP: 104840 ( 2.817%) + IPX: 60 ( 0.002%) + Eth Loop: 0 ( 0.000%) + Eth Disc: 0 ( 0.000%) + IP4 Disc: 0 ( 0.000%) + IP6 Disc: 0 ( 0.000%) + TCP Disc: 0 ( 0.000%) + UDP Disc: 1385 ( 0.037%) + ICMP Disc: 0 ( 0.000%) +All Discard: 1385 ( 0.037%) + Other: 57876 ( 1.555%) +Bad Chk Sum: 32135 ( 0.863%) + Bad TTL: 0 ( 0.000%) + S5 G 1: 1494 ( 0.040%) + S5 G 2: 1654 ( 0.044%) + Total: 3722347 +=============================================================================== + + +----------------------------- +Actions, Limits, and Verdicts 
+----------------------------- + +Action and verdict counts show what Snort did with the packets it analyzed. +This information is only output in IDS mode (when snort is run with the -c + option). + +* Alerts is the number of activate, alert, and block actions processed as + determined by the rule actions. Here block includes block, drop, and reject + actions. + +Limits arise due to real world constraints on processing time and available +memory. These indicate potential actions that did not happen: + +* Match Limit > 0 means that rule matches were not processed due to the + config detection: max_queue_events setting. The default is 5. + +* Queue Limit > 0 means that events couldn't be stored in the event queue + due to the config event_queue: max_queue setting. The default is 8. + +* Log Limit > 0 means that events were not alerted due to the + config event_queue: log setting. The default is 3. + +* Event Limit > 0 means that events were not alerted due to event_filter + limits. + +* Alert Limit > 0 means that events were not alerted because they already + were triggered on the session. + +Verdicts are rendered by Snort on each packet: + +* Allow = packets Snort analyzed and did not take action on. + +* Block = packets Snort did not forward, eg due to a block rule. "Block" is + used instead of "Drop" to avoid confusion between dropped packets (those + Snort didn't actually see) and blocked packets (those Snort did not allow to + pass). + +* Replace = packets Snort modified, for example, due to normalization or + replace rules. This can only happen in inline mode with a compatible DAQ. + +* Whitelist = packets that caused Snort to allow a flow to pass w/o inspection + by any analysis program. Like blacklist, this is done by the DAQ or by Snort + on subsequent packets. + +* Blacklist = packets that caused Snort to block a flow from passing. This is + the case when a block TCP rule fires. 
If the DAQ supports this in hardware, + no further packets will be seen by Snort for that session. If not, snort + will block each packet and this count will be higher. + +* Ignore = packets that caused Snort to allow a flow to pass w/o inspection + by this instance of Snort. Like blacklist, this is done by the DAQ or by + Snort on subsequent packets. + +Example: + +=============================================================================== +Action Stats: + Alerts: 0 ( 0.000%) + Logged: 0 ( 0.000%) + Passed: 0 ( 0.000%) +Limits: + Match: 0 + Queue: 0 + Log: 0 + Event: 0 + Alert: 0 +Verdicts: + Allow: 3716022 (100.000%) + Block: 0 ( 0.000%) + Replace: 0 ( 0.000%) + Whitelist: 0 ( 0.000%) + Blacklist: 0 ( 0.000%) + Ignore: 0 ( 0.000%) +=============================================================================== + diff -Nru snort-2.8.5.2/doc/README.daq snort-2.9.2/doc/README.daq --- snort-2.8.5.2/doc/README.daq 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/doc/README.daq 2010-11-01 18:16:42.000000000 +0000 
@@ -0,0 +1,95 @@ +Snort 2.9 introduces the DAQ, or Data Acquisition library, for packet I/O. The +DAQ replaces direct calls to PCAP functions with an abstraction layer that +facilitates operation on a variety of hardware and software interfaces without +requiring changes to Snort. It is possible to select the DAQ type and mode +when invoking Snort to perform PCAP readback or inline operation, etc. + +This README summarizes the important things you need to know to use the DAQ. + +See the README in the DAQ tarball for information on building and installing +the DAQ and for information specific to DAQ modules. + +See README.active and README.normalize for more information on the other packet +handling changes in 2.9. + + +Building Snort +============== + +If you install the DAQ libraries in a non-standard place, you can configure +Snort accordingly with: + + ./configure --with-daq-includes= + --with-daq-libraries= + +By default, snort will be built with a few static DAQ modules including pcap, +afpacket, and dump. If you don't want any static DAQ modules built into Snort, +you can use this configure option: + + ./configure --disable-static-daq + +PCAP is the default DAQ, but you can change that like this: + + ./configure "CPPFLAGS=-DDEFAULT_DAQ=" + +You can also do this: + + make "DEFAULT_DAQ=" + +If you used --with-libpcap-includes or --with-libpcap-libraries when building +the DAQ, you will also need --with-libpcap-includes and +--with-libpcap-libraries when building Snort. + +Note that configure runs daq-modules-config which must be in your PATH. If you +configured the DAQ with a non-standard prefix then you may need to put that in +your path like this before running configure: + + PATH=/daq/install/prefix:$PATH + + +Configuring Snort +================= + +Assuming that you did not disable static modules or change the default DAQ +type, you can run Snort just as you always did for file readback or sniffing an +interface. 
However, you can select and configure the DAQ when Snort is invoked +as follows: + + ./snort \ + [--daq ] \ + [--daq-mode ] \ + [--daq-dir ] \ + [--daq-var ] + + config daq: + config daq_dir: + config daq_var: + config daq_mode: + + ::= pcap | afpacket | dump | nfq | ipq | ipfw + ::= read-file | passive | inline + ::= arbitrary = passed to DAQ + ::= path where to look for DAQ module so's + +The DAQ type, mode, variable, and directory may be specified either via the +command line or in the conf file. You may include as many variables and +directories as needed by repeating the arg / config. DAQ type may be specified +at most once in the conf and once on the command line; if configured in both +places, the command line overrides the conf. + +If the mode is not set explicitly, -Q will force it to inline, and if that +hasn't been set, -r will force it to read-file, and if that hasn't been set, +the mode defaults to passive. Also, -Q and --daq-mode inline are allowed, +since there is no conflict, but -Q and any other DAQ mode will cause a fatal +error at start-up. + +Note that if Snort finds multiple versions of a given library, the most recent +version is selected. This applies to static and dynamic versions of the same +library. + + ./snort [--daq-list ] + +The above command searches the specified directory for DAQ modules and prints +type, version, and attributes of each. This feature is not available in the +conf. + diff -Nru snort-2.8.5.2/doc/README.database snort-2.9.2/doc/README.database --- snort-2.8.5.2/doc/README.database 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/README.database 2011-10-26 18:28:51.000000000 +0000 
@@ -1,3 +1,11 @@ +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +!! The database output plugins are considered deprecated as of Snort 2.9.2 and +!! will be removed in Snort 2.9.3. +!! +!! The recommended approach to logging is to use unified2 with barnyard2 +!! or similar. +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + I. Summary The database output plug-in enables snort to log to @@ -324,9 +332,6 @@ V. Changelog of Database schema -2007-03-15 -- v107 - + ALL: Updated to include signature.sig_gid to log the generator ID - 2002-09-03 -- v106 + ALL: added sensor.last_cid to store the last used cid for a given sid diff -Nru snort-2.8.5.2/doc/README.dcerpc snort-2.9.2/doc/README.dcerpc --- snort-2.8.5.2/doc/README.dcerpc 2008-08-12 18:30:40.000000000 +0000 +++ snort-2.9.2/doc/README.dcerpc 1970-01-01 00:00:00.000000000 +0000 
@@ -1,149 +0,0 @@ - -DCE/RPC Preprocessor -==================== -Andrew Mullican - -Overview -======== -The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic. -It is primarily interested in DCE/RPC requests, and only decodes SMB -to get to the potential DCE/RPC requests carried by SMB. - -Currently, the preprocessor only handles desegmentation (at SMB -and TCP layers) and defragmentation of DCE/RPC. Snort rules can -be evaded by using both types of fragmentation. With the -preprocessor enabled, the rules are given reassembled DCE/RPC data -to examine. - -At the SMB layer, only segmentation using WriteAndX is currently -reassembled. Other methods will be handled in future versions of -the preprocessor. - -Autodetection of SMB is done by looking for "\xFFSMB" at the start of -the SMB data, as well as checking the NetBIOS header (which is always -present for SMB) for the type "Session Message". - -Autodetection of DCE/RPC is not as reliable. Currently, two bytes are -checked in the packet. Assuming that the data is a DCE/RPC header, -one byte is checked for DCE/RPC version 5 and another for a DCE/RPC -PDU type of Request. If both match, the preprocessor proceeds with the -assumption that it is looking at DCE/RPC data. If subsequent checks -are nonsensical, it ends processing. - - -Configuration -============= -The proprocessor has several optional configuration options. -They are described below: - -The configuration options are described below: - -* autodetect - In addition to configured ports, try to autodetect DCE/RPC sessions. - Note that DCE/RPC can run on practically any port in addition to the - more common ports. - This option is not configured by default. - -* ports smb { [] } - Ports that the preprocessor monitors for SMB traffic. - Default are ports 139 and 445. - -* ports dcerpc { [] } - Ports that the preprocessor monitors for DCE/RPC over TCP traffic. - Default is port 135. - -* disable_smb_frag - Do not do SMB desegmentation. 
Unless you are experiencing severe performance - issues, this option should not be configured as SMB segmentation provides - for an easy evasion opportunity. - This option is not configured by default. - -* disable_dcerpc_frag - Do not do DCE/RPC defragmentation. Unless you are experiencing severe - performance issues, this option should not be configured as DCE/RPC - fragmentation provides for an easy evasion opportunity. - This option is not configured by default. - -* max_frag_size - Maximum DCE/RPC fragment size to put in defragmentation buffer, in bytes. - Default is 3000 bytes. - -* memcap - Maximum amount of memory available to the DCE/RPC preprocessor for - desegmentation and defragmentation, in kilobytes. - Default is 100000 kilobytes. - -* alert_memcap - Alert if memcap is exceeded. - This option is not configured by default. - -* reassemble_increment - This option specifies how often the preprocessor should create a reassembled - packet to send to the detection engine with the data that's been accrued in - the segmentation and fragmentation reassembly buffers, before the final - desegmentation or defragmentation of the DCE/RPC request takes place. This - will potentially catch an attack earlier and is useful if in inline mode. - Since the preprocessor looks at TCP reassembled packets (to avoid TCP overlaps - and segmentation evasions), the last packet of an attack using DCE/RPC - segmented/fragmented evasion techniques may have already gone through before - the preprocessor looks at it, so looking at the data early will likely catch - the attack before all of the exploit data has gone through. - Note, however, that in using this option, Snort will potentially take a - performance hit. Not recommended if Snort is running in passive mode as it's - not really needed. - The argument to the option specifies how often the preprocessor should create - a reassembled packet if there is data in the segmentation/fragmentation buffers. 
- If not specified, this option is disabled. A value of 0 will in effect disable - this option as well. - - -Examples --------- -In addition to defaults, autodetect SMB and DCE/RPC sessions on -non-configured ports. Don't do desegmentation on SMB writes. Truncate -DCE/RPC fragment if greater than 4000 bytes. - -preprocessor dcerpc: \ - autodetect \ - disable_smb_frag \ - max_frag_size 4000 - -In addition to defaults, don't do DCE/RPC defragmentation. Set memory cap -for desegmentation/defragmentation to 50,000 kilobytes. (Since no DCE/RPC -defragmentation will be done the memory cap will only apply to desegmentation.) - -preprocessor dcerpc: \ - disable_dcerpc_frag \ - memcap 50000 - -In addition to the defaults, detect on DCE/RPC (or TCP) ports 135 and 2103 -(overrides default). Set memory cap for desegmentation/defragmentation to -200,000 kilobytes. Create a reassembly packet every time through the preprocessor -if there is data in the desegmentation/defragmentation buffers. - -preprocessor dcerpc: \ - ports dcerpc { 135 2103 } \ - memcap 200000 \ - reassemble_increment 1 - --- Default -- -preprocessor dcerpc: \ - ports smb { 139 445 } \ - ports dcerpc { 135 } \ - max_frag_size 3000 \ - memcap 100000 \ - reassemble_increment 0 - - -Preprocessor Events -=================== -The DCE/RPC preprocessor uses generator ID 130 for the following events: - -SID Description ---- ----------- -1 Maximum memory usage reached - --- Note -- -At the current time, there is not much to do with the dcerpc preprocessor -other than turn it on and let it reassemble fragmented DCE/RPC packets. - diff -Nru snort-2.8.5.2/doc/README.dcerpc2 snort-2.9.2/doc/README.dcerpc2 --- snort-2.8.5.2/doc/README.dcerpc2 2009-01-26 16:10:37.000000000 +0000 +++ snort-2.9.2/doc/README.dcerpc2 2010-08-25 20:10:46.000000000 +0000 
@@ -185,8 +185,9 @@ memcap NO memcap 102400 disable_defrag NONE NO OFF max_frag_len NO OFF - events NO events [smb, co, cl] + events NO OFF reassemble_threshold NO OFF + disabled NONE NO OFF memcap = 1024-4194303 (kilobytes) max-frag-len = 1514-65535 @@ -201,6 +202,12 @@ Specifies the maximum amount of run-time memory that can be allocated. Run-time memory includes any memory allocated after configuration. Default is 100 MB. + disabled + This optional keyword is allowed with any policy to avoid packet processing. + This option disables the preprocessor. When the preprocessor is disabled + only the memcap option is applied when specified with the configuration. + The other options are parsed but not used. Any valid configuration may have + "disabled" added to it. disable_defrag Tells the preprocessor not to do DCE/RPC defragmentation. Default is to do defragmentation. @@ -208,7 +215,7 @@ Specifies the maximum fragment size that will be added to the defragmention module. If a fragment is greater than this size, it is truncated before being added to the defragmentation module. Default is - not set. + set to -1. The allowed ranges for this option are 1514 - 65535. events Specifies the classes of events to enable. (See Events section for an enumeration and explanation of events.) @@ -222,7 +229,6 @@ cl Stands for connectionless DCE/RPC. Alert on events related to connectionless DCE/RPC processing. - Defaults are smb, co and cl. reassemble_threshold Specifies a minimum number of bytes in the DCE/RPC desegmentation and defragmentation buffers before creating a reassembly packet to send to @@ -253,7 +259,7 @@ preprocessor dcerpc2: reassemble_threshold 500 Default configuration - preprocessor dcerpc2: memcap 102400, events [smb, co, cl] + preprocessor dcerpc2: memcap 102400 Server Configuration ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -433,7 +439,7 @@ Complete dcerpc2 default configuration ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - preprocessor dcerpc2: memcap 102400, events [smb, co, cl] + preprocessor dcerpc2: memcap 102400 preprocessor dcerpc2_server: default, policy WinXP, \ detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \ autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ @@ -724,6 +730,18 @@ which case only the interface UUID and version need match. Note that a defragmented DCE/RPC request will be considered a full request. +Using this rule option will automatically insert fast pattern contents into +the fast pattern matcher. For UDP rules, the interface UUID, in both big and +little endian format will be inserted into the fast pattern matcher. For TCP +rules, (1) if the rule option "flow:to_server|from_client" is used, |05 00 00| +will be inserted into the fast pattern matcher, (2) if the rule option +"flow:from_server|to_client" is used, |05 00 02| will be inserted into the +fast pattern matcher and (3) if the flow isn't known, |05 00| will be inserted +into the fast pattern matcher. Note that if the rule already has content rule +options in it, the best (meaning longest) pattern will be used. If a content +in the rule uses the fast_pattern rule option, it will unequivocally be used +over the above mentioned patterns. + dce_opnum ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The opnum represents a specific function call to an interface. After is has diff -Nru snort-2.8.5.2/doc/README.dnp3 snort-2.9.2/doc/README.dnp3 --- snort-2.8.5.2/doc/README.dnp3 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/doc/README.dnp3 2011-10-26 18:28:51.000000000 +0000 
@@ -0,0 +1,237 @@ +DNP3 Preprocessor +================= + + +Overview +======== +The DNP3 preprocessor is a Snort module that decodes and reassembles the DNP3 +protocol. It also provides rule options to access certain protocol fields. +This allows a user to write rules for DNP3 packets without decoding the +protocol with a series of "content" and "byte_test" options. + +DNP3 is a protocol used in SCADA networks. If your network does not contain any +DNP3-enabled devices, we recommend leaving this preprocessor turned off. + +Dependencies +============ +The Stream5 preprocessor must be enabled for the DNP3 preprocessor to work. +Protocol-Aware Flushing (PAF) is also required. See README.stream5 for more +information. + +Preprocessor Configuration +========================== +DNP3 configuration is split into two parts: the preprocessor config, and the +rule options. The preprocessor config starts with: + +preprocesor dnp3: + +Options are as follows: + + Option Argument Required Default + -------------------------------------------------------------- + ports , or NO ports 20000 + { port [port] ... } + memcap NO memcap 262144 + check_crc NONE NO OFF + disabled NONE NO OFF + +Option explanations + ports + This sets the port numbers on which DNP3 traffic is inspected. + A single port number may be provided, or a space-separated list + enclosed in curly brackets. The default is port 20000. + + memcap + This sets a maximum to the amount of memory allocated to the DNP3 + preprocessor for session-tracking purposes. The argument is given + in bytes. + Each session requires about 4 KB to track, and the default is 256 kB. + This gives the preprocessor the ability to track 63 DNP3 sessions + simultaneously. + Setting the memcap below 4144 bytes will cause a fatal error. + When multiple configs are used, the memcap in the non-default configs + will be overwritten by the memcap in the default config. 
If the default + config isn't intended to inspect DNP3 traffic, use the "disabled" + keyword. (See README.multipleconfigs for more info) + + check_crc + This option makes the preprocessor validate the checksums contained in + DNP3 Link-Layer Frames. Frames with invalid checksums will be ignored. + If the corresponding preprocessor rule is enabled, invalid checksums + will generate alerts. + The corresponding rule is GID 145, SID 1. + + disabled + This option is used for loading the preprocessor without inspecting + any DNP3 traffic. The "disabled" keyword is only useful when the DNP3 + preprocessor is turned on in a separate policy. + (See README.multipleconfigs for information on Multiple Policies) + +Example preprocessor config + +preprocessor dnp3: ports { 20000 } \ + memcap 262144 \ + check_crc + +Multiple policy example: + +snort.conf +---------- + +preprocessor dnp3: memcap 262144 disabled +config binding: snort.conf.dnp3net net + +snort.conf.dnp3net +------------------ +preprocessor dnp3: ports 20000, check_crc + + +Rule Options +============ +The DNP3 preprocessor adds 4 new rule options. These rule options match on +various pieces of the DNP3 headers. + +The preprocessor must be enabled for these rule options to work. + +dnp3_func +--------- +This option matches against the Function Code inside of a DNP3 +Application-Layer request/response header. The code may be a number +(in decimal format), or a string from the list provided below. 
+ +Syntax: + dnp3_func: + + code = 0-255 + confirm + read + write + select + operate + direct_operate + direct_operate_nr + immed_freeze + immed_freeze_nr + freeze_clear + freeze_clear_nr + freeze_at_time + freeze_at_time_nr + cold_restart + warm_restart + initialize_data + initialize_appl + start_appl + stop_appl + save_config + enable_unsolicited + disable_unsolicited + assign_class + delay_measure + record_current_time + open_file + close_file + delete_file + get_file_info + authenticate_file + abort_file + activate_config + authenticate_req + authenticate_err + response + unsolicited_response + authenticate_resp + +Example: + alert tcp any any -> any 20000 (msg:"DNP3 Write request"; dnp3_func:write; sid:1;) + +dnp3_ind +-------- +This option matches on the Internal Indicators flags present in a +DNP3 Application Response Header. Much like the TCP flags rule option, +providing multiple flags in one option will cause the rule to fire if *ANY* one +of the flags is set. To alert on a combination of flags, use multiple rule +options. + +Syntax: + dnp3_ind:[,...] + + flag = all_stations + class_1_events + class_2_events + class_3_events + need_time + local_control + device_trouble + device_restart + no_func_code_support + object_unknown + parameter_error + event_buffer_overflow + already_executing + config_corrupt + reserved_2 + reserved_1 + +Examples: + # Alerts on reserved_1 OR reserved_2 being set + alert tcp any 20000 -> any any (msg:"Reserved DNP3 Indicator set"; \ + dnp3_ind:reserved_1,reserved_2; sid:1;) + + # Alerts on class_1 AND class_2 AND class_3 events being set + alert tcp any 20000 -> any any (msg:"Lots of DNP3 events"; \ + dnp3_ind:class_1_events; dnp3_ind:class_2_events; dnp3_ind:class_3_events; \ + sid:2;) + +dnp3_obj +-------- +This option matches on DNP3 object headers present in a request or response. 
+ +Syntax: + dnp3_obj:, + + group = 0 - 255 + var = 0 - 255 + +Example: + alert tcp any any -> any any (msg:"DNP3 Time and Date object"; \ + dnp3_obj:50,1; sid:1;) + +dnp3_data +--------- +As Snort processes DNP3 packets, the DNP3 preprocessor collects Link-Layer +Frames and reassembles them back into Application-Layer Fragments. This rule +option sets the cursor to the beginning of an Application-Layer +Fragment, so that other rule options can work on the reassembled data. + +With the dnp3_data rule option, you can write rules based on the data within +Fragments without splitting up the data and adding CRCs every 16 bytes. + +Syntax: + dnp3_data; + + No options. + +Example: + +alert tcp any any -> any any (msg:"String 'badstuff' in DNP3 message"; \ + dnp3_data; content:"badstuff"; sid:1;) + + +Preprocessor Rules +================== +The DNP3 preprocessor uses GID 145 for its preprocessor events. + +SID Description +-------------------------------------------------------------------- + 1 A Link-Layer Frame contained an invalid CRC. + (Enable "check_crc" in the preprocessor config to get this alert.) + 2 A DNP3 Link-Layer Frame was dropped, due to an invalid length. + 3 A Transport-Layer Segment was dropped during reassembly. + This happens when segments have invalid sequence numbers. + 4 The DNP3 Reassembly buffer was cleared before a complete fragment + could be reassembled. + This happens when a segment carrying the "FIR" flag appears after + some other segments have been queued. + 5 A DNP3 Link-Layer Frame is larger than 260 bytes. + 6 A DNP3 Link-Layer Frame uses an address that is reserved. + 7 A DNP3 request or response uses a reserved function code. diff -Nru snort-2.8.5.2/doc/README.filters snort-2.9.2/doc/README.filters --- snort-2.8.5.2/doc/README.filters 2009-10-02 20:29:53.000000000 +0000 +++ snort-2.9.2/doc/README.filters 2009-12-22 02:56:51.000000000 +0000 
@@ -1,8 +1,9 @@ OVERVIEW OF FILTERS =================== -This document describes the detection, rate, and event filtering in Snort 2.8.5 -which control the generation, processing, and logging of events as follows: +This document describes the detection, rate, and event filtering, introduced +in Snort 2.8.5, which control the generation, processing, and logging of events +as follows: * detection_filter is a new rule option that replaces the current threshold keyword in a rule. It defines a rate which must be exceeded by a source or diff -Nru snort-2.8.5.2/doc/README.FLEXRESP snort-2.9.2/doc/README.FLEXRESP --- snort-2.8.5.2/doc/README.FLEXRESP 2000-08-07 02:41:28.000000000 +0000 +++ snort-2.9.2/doc/README.FLEXRESP 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ -FlexResp allows snort to actively close offending connections. To use FlexResp -you must build and install LibNet, which is available from: - - http://www.packetfactory.net - -Just add the following to a rule: - - resp=[,...] - -where resp_modifier is one or more of - - rst_snd send TCP-RST packets to the sending socket - rst_rcv send TCP-RST packets to the receiving socket - rst_all send TCP_RST packets in both directions - - icmp_net send a ICMP_NET_UNREACH to the sender - icmp_host send a ICMP_HOST_UNREACH to the sender - icmp_port send a ICMP_PORT_UNREACH to the sender - icmp_all send all above ICMP packets to the sender - -All these options can be combined (e.g. resp=rst_snd,icmp_all). The -default is rst_snd. - -Rules can be written like this: - - # just stop the offender - var RESP_TCP resp:rst_snd; - - # also kill a possible local counterpart - var RESP_TCP_URG resp:rst_all; - - # tell'em we're gone ... - var RESP_UDP resp:icmp_port,icmp_host; - - . - . - . - - alert tcp !$HOME_NET any -> $HOME_NET 1524 (msg: "default Backdoor access!"; flags: S; $RESP_TCP_URG) - alert udp any any -> $HOME_NET 31 (msg:"Hackers Paradise"; $RESP_UDP) - alert udp any any -> $HOME_NET 456 (msg:"Hackers Paradise"; $RESP_UDP) - alert udp any any -> $HOME_NET 555 (msg:"iNi Killer/Phase Zero/Stealth Spy"; $RESP_UDP) - alert tcp any any -> $HOME_NET 10752 (msg:"Linux mountd backdoor"; $RESP_TCP) - - . - . - . - - -To enable this feature, use 'configure' with --enable-flexresp - -Consider this code as ALPHA. Heavy testing is needed. - - -Christian Lademann diff -Nru snort-2.8.5.2/doc/README.FLEXRESP2 snort-2.9.2/doc/README.FLEXRESP2 --- snort-2.8.5.2/doc/README.FLEXRESP2 2004-09-13 21:37:26.000000000 +0000 +++ snort-2.9.2/doc/README.FLEXRESP2 1970-01-01 00:00:00.000000000 +0000 
@@ -1,246 +0,0 @@ -$Id$ - -Snort flexresp2 README. -(C) 2004 Jeff Nathan - -Warning -------- - -Active response is not guaranteed to sucessfully terminate connections. Snort -is a passive system (except when used in 'inline' mode). In a passive -configuration, the process of active response is a race between Snort and the -endpoints in network communication. Depending on the CPU and/or bus speed of -a system running Snort, available memory, I/O states, and network latency, -Snort may or may not win this race in which case active response will have NO -EFFECT. - -Active response is a supplementary tool, something deployed in addition to -other security technologies. It should not be relied upon solely to protect -systems or services that are known to be vulnerable. - -The process of transmitting active response packets will "block" the rest of -the system, meaning that while Snort is busy sending TCP reset or ICMP -unreachable packets, it is unable to capture packets and perform other -intrusion detection functions. The amount of time spent performing active -response is extremely small (measured in milliseconds) but can result in a -degredation of performance in high-speed environments. - -A determined attacker can easily attack from behind a firewall configured to -silently block all incoming traffic. Sending TCP resets to the source of an -attack is most likely a waste of time. Only when the source is a system -on your own network should you expect TCP resets to reach this system. Keep -in mind that Snort has both attack rules and attack-response rules. Attack -response rules will trigger when a host has sent traffic indicative of being -effected by an attack. I believe the only situation in which you should -send TCP resets to the sender is in conjunction with attack-response rules. - - -Notice ------- - -Please note, flexresp and flexresp2 are *NOT* the same. - -The Snort source code distribution includes an older version of flexresp. 
This -version does not operate in the same way as flexresp2. While the Snort source -code contains the flexresp code, not every Snort binary is compiled to include -the older flexresp functionality. - -Conversely, flexresp2 is not included within the Snort source code -distribution at this time. If you do not apply a source code patch to your -copy of the Snort 2.2.x source code, the --enable-flexresp2 switch will have -no effect when you run the configure script. - -If you attempt to use the resp keyword in a Snort rule and you receive an -error message indicating the resp keyword is unknown, your Snort binary -has not been compiled with either flexresp or flexresp2 functionality. - - -Introduction ------------- - -The flexresp2 detection plugin for Snort allows users to configure rules -that will attempt to actively terminate connection attempts. The process of -active response consists of two steps. - -First, You must create some Snort rules that use the resp keyword. The resp -keyword accepts the following modifiers: - - reset_dest send TCP reset packets to the destination of an attack - - reset_source send TCP reset packets to the source of an attack - this is best used with attack-response rules - - reset_both send TCP reset packets to both the source and destination - of an attack (the destination resets are sent first) - - icmp_net send an ICMP network unreachable packet to the attack source - - icmp_host send an ICMP host unreachable packet to the attack source - - icmp_port send an ICMP port unrechable packet to the attack source - - icmp_all send all of the above to the attack source - -Second, when a Snort rule specifying a resp keyword is matched, Snort will -generate one or several packets in an attempt to actively terminate the -connection. 
- - -Flexresp2 features ----------------------------------------------------------- - -To compensate for the fact that it's unlikely a TCP reset packet will reach -either the client or server before the host reacts to the attack packet, Snort -tries to shutdown the connection with brute-force. Flexpresp transmits a -minimum of 4 TCP reset packets with shifting TCP sequence and ack numbers in -an attempt to brute-force the connection into an unusable state. This -brute-forcing is achived using a technique called sequence strafing. Flexresp2 -ddoes NOT examine TCP flags to determine whether or not a TCP packet should -be reset. This is primarily due to inconsistencies in establishing TCP -connections. Reference: -http://www.securityfocus.com/archive/1/296122/2002-10-19/2002-10-25/2 - -Flexresp2 will automatically calculate the original TTL when sending a -response packet (to make fingerprinting attempts more difficult). - -Flexresp2 will not respond to its own packets! (avoiding a potential DoS). -This is achieved using a hash to rate-limit responses. - -Flexresp2 can be configured to send responses from a link-layer (Ethernet) -interface specified by you, the user. When an Ethernet interface is -specified, the kernel routing table is bypassed and Snort will ALWAYS send TCP -resets and ICMP unreachable packets using that interface. - -Snort no longer requires root privileges to use active response (flexresp2) -on Unix-like operating systems. It's now possible to use the -u and -g command -line switches with active response. - - -Configuration -------------- - -Enabling link-layer response in snort.conf on Unix-like systems: - config flexresp2_interface: - -Enabling link-layer response in snort.conf on Windows systems: - config flexresp2_interface: - -* Use the -W command line option to list network devices by number. 
- -Configure the number of brute-force TCP resets in snort.conf: - config flexresp2_attempts: - -Configure the memcap of the cache of previous responses in snort.conf: - config flexresp2_memcap: - -Configure the number of rows in the cache of previous responses in snort.conf: - config flexresp2_rows: - -To add a resp action to a Snort rule, the resp keyword must be followed -by a colon (:) followed by one or several response modified (multiple -modifiers are separated by commas). Here are a few examples: - -(A simple TCP example) - -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow attempt"; flow:to_server,established; content:"HELO "; offset:0; depth:5; content:!"|0a|"; within:500; reference:bugtraq,895; reference:cve,CVE-2000-0042; reference:nessus,10324; reference:bugtraq,7726; reference:nessus,11674; classtype:attempted-admin; sid:1549; rev:11; resp:reset_dest;) - - -(A simple TCP attack-response example) - -alert tcp $HOME_NET 8002 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES oracle one hour install"; flow:from_server,established; content:"Oracle Applications One-Hour Install"; classtype:bad-unknown; sid:1464; rev:3; resp:reset_source;) - - -(A simple UDP example) - -alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; content:"|07|authors"; nocase; offset:12; content:"|04|bind"; nocase; offset: 12; reference:nessus,10728; reference:arachnids,480; classtype:attempted-recon; sid:256; rev:3; resp:icmp_port;) - - -(A complex TCP example) - -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase;offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; 
reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2193; rev:1; resp:reset_dest;) - - -(A complex TCP attack-response example) - -alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Microsoft cmd.exe banner"; flow:from_server,established; content:"Microsoft Windows"; content:"(C) Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; reference:nessus,11633; classtype:successful-admin; sid:2123; rev:1; resp:reset_source;) - - -Make sure to read the Snort users guide for a complete explanation of the -Snort rules language. The user's guide is in the same directory as this file -and it's available on the Snort website. - - -Notes for Unix-like systems ---------------------------- - -To compile and use flexresp2 on Unix-like systems you must compile and install -the libdnet library written by Dug Song. If your system doesn't have the -library installed, download the source code at http://libdnet.sourceforge.net - -Once libdnet has been compiled AND installed (don't forget make install) on a -Unix-like system, follow the directions in the section below for building -Snort with flexresp2. - -Unix-like systems with multiple network interfaces can avoid routing problems -using the instructions in the Configuration section above. - - -Build instructions for Unix-like systems ----------------------------------------- - -!!!!! The following instructions require GNU autoconf and GNU automake !!!!! - -Anything following a hash character (#) is a command. - -a) copy the patch into the top level Snort source distribution directory - if your Snort directory uses a different name, this is not a problem - just make sure you know which version of Snort you intend to compile - # cd snort-2.2.0RC1 - # cp . 
- -b) decompress the patch with gzip - # gzip -d sp_respond2.diff.gz - -c) patch the Snort source code - # patch -p0 < sp_respond2.diff - -d) regenerate the configure script (this step REQUIRES that GNU autoconf and - GNU automake are installed) - # ./autojunk.sh - - NOTE: systems with multiple versions of GNU autoconf should use version 2.5x - of autoheader and autoconf. - -e) run the configure script with your desired arguments - # ./configure --enable-flexresp2 - -f) compile Snort - # make - -If Snort is unable to locate either the libdnet header file (dnet.h) or the -libnet library (either dnet.a or dnet.so) there are two additional -configure options that can be used to specify extra directories to search: - ---with-dnet-includes=DIR - If the configuration script can't find the libdnet include files on its - own, the path can be set manually with this switch. - ---with-dnet-libraries=DIR - If the configuration script can't find the libdnet library files on its - own, the path can be set manually with this switch. - - -NOTE: When specifying a directory with either --with-dnet-includes or ---with-dnet-libraries a trailing / character should *NOT* be specified. - - -Notes for Microsoft Windows ---------------------------- - -Coming soon. - - -Build instructions for Windows systems --------------------------------------- - -Coming soon. diff -Nru snort-2.8.5.2/doc/README.flowbits snort-2.9.2/doc/README.flowbits --- snort-2.8.5.2/doc/README.flowbits 2004-02-03 21:39:59.000000000 +0000 +++ snort-2.9.2/doc/README.flowbits 2010-04-06 14:05:45.000000000 +0000 
@@ -2,12 +2,21 @@ ----------------------------- The flowbits detection plugin uses the flow preprocessor to track rule state -across transport protocol sessions. This is most useful for TCP sessions, as +during a transport protocol session. This is most useful for TCP sessions, as it allows rules to generically track the state of an application protocol. The general configuration of the flowbits rule option is: - flowbits:[,]; + flowbits:[,][,]; + + : This specifies the group to which the flowbits belong. When the +GROUP_NAME isnt specified the flowbits belong to the default group. All the flowbits +in a particular group (with an exception of default group) are mutually exclusive. +This means when one flowbits is set in a particular group all the other flowbits +in that group will be unset. A particular flow cannot belong to more than one +group. The group name should be limited to any alphanumeric string including periods, +dashes, and underscores. This argument is allowed only with set and toggle keywords. + Flowbits Keywords ----------------- @@ -19,10 +28,10 @@ set --- -This keyword sets a STATE_NAME for a particular flow. This keyword always -returns true. +This keyword sets a STATE_NAME for a particular flow and unsets all the other flowbits +in a group when the GROUP_NAME is passed. This keyword always returns true. -Usage: flowbits:set,FOO; +Usage: flowbits:set,FOO[,BAR]; unset ----- @@ -33,10 +42,11 @@ toggle ------ -This keyword sets a STATE_NAME if unset, and unsets a STATE_NAME if set. This -keyword always returns true. +This keyword sets a STATE_NAME if unset and clears out all the other flowbits in a +group when the GROUP_NAME is passed, and unsets a STATE_NAME if set. This keyword +always returns true. -Usage: flowbits:toggle,FOO; +Usage: flowbits:toggle,FOO[,BAR]; isset ----- 
@@ -75,3 +85,4 @@ alert tcp any 143 -> any any (msg:"IMAP login"; content:"OK LOGIN"; flowbits:set,logged_in;) alert tcp any any -> any 143 (msg:"IMAP lsub"; content:"LSUB"; flowbits:isset,logged_in;) alert tcp any any -> any 143 (msg:"IMAP LIST WITHOUT LOGIN"; content:"LIST"; flowbits:isnotset,logged_in;) +alert tcp any any -> any any (msg:"JPG transfer"; content:".JPG"; nocase; flowbits:set,http.jpg,file_type;) diff -Nru snort-2.8.5.2/doc/README.frag3 snort-2.9.2/doc/README.frag3 --- snort-2.8.5.2/doc/README.frag3 2009-08-10 20:41:33.000000000 +0000 +++ snort-2.9.2/doc/README.frag3 2011-06-08 00:33:00.000000000 +0000 
@@ -7,22 +7,16 @@ Overview -------- The frag3 preprocessor is a target-based IP defragmentation module for Snort. -Frag3 is intended as a replacement for the frag2 defragmentation module and -was designed with the following goals: +Frag3 is designed with the following goals: -1) Faster execution that frag2 with less complex data management. +1) Faster execution with less complex data management. 2) Target-based host modeling anti-evasion techniques. -The frag2 preprocessor used splay trees extensively for managing the data -structures associated with defragmenting packets. Splay trees are excellent -data structures to use when you have some assurance of locality of reference -for the data that you are handling but in high speed, heavily fragmented -environments the nature of the splay trees worked against the system and -actually hindered performance. Frag3 uses the sfxhash data structure and -linked lists for data handling internally which allows it to have much more -predictable and deterministic performance in any environment which should -aid us in managing heavily fragmented environments. +Frag3 uses the sfxhash data structure and linked lists for data handling +internally which allows it to have much more predictable and deterministic +performance in any environment which should aid us in managing heavily +fragmented environments. Target-based analysis is a relatively new concept in network-based intrusion detection. The idea of a target-based system is to model the actual targets 
@@ -31,7 +25,7 @@ systems, they are usually implemented by people who read the RFCs and then their interpretation of what the RFC outlines into code. Unfortunately, there are ambiguities in the way that the RFCs define some of the edge conditions -that may occurr and when this happens differnt people implement certain aspects +that may occur and when this happens differnt people implement certain aspects of their IP stacks differently. For an IDS this is a big problem. In an environment where the attacker can determine what style of IP @@ -67,11 +61,10 @@ Configuration ------------- -Frag3 configuration is somewhat more complex than frag2. There are at least -two preprocessor directives required to activate frag3, a global configuration -directive and an engine instantiation. There can be an arbitrary number of -engines defined at startup with their own configuration, but only one global -configuration. +There are at least two preprocessor directives required to activate frag3, a +global configuration directive and an engine instantiation. There can be an +arbitrary number of engines defined at startup with their own configuration, +but only one global configuration. Global configuration - Preprocessor name: frag3_global @@ -86,6 +79,19 @@ prealloc_frags - alternate memory management mode, use preallocated fragment nodes based on a static number (faster in some situations) + disabled - This optional keyword is allowed with any + policy to avoid packet processing. This + option disables the preprocessor for this + config, but not for other instances of + multiple configurations. Use the disable + keyword in the base configuration to specify + values for the options memcap, prealloc_memcap, + and prealloc_frags without having the + preprocessor inspect traffic for traffic + applying to the base configuration. The other + options are parsed but not used. Any valid + configuration may have "disabled" added to it. + Engine Configuration - Preprocessor name: frag3_engine 
@@ -95,20 +101,20 @@ longer than this period will be automatically dropped. Default is 60 seconds. min_ttl - Minimum acceptable TTL value for a fragment packet. - Default is 1. + Default is 1. The accepted range for this option is 1 - 255. detect_anomalies - Detect fragment anomalies bind_to - IP List to bind this engine to. This engine will only run for packets with destination addresses contained within the IP List. Default value is "all". overlap_limit - Limits the number of overlapping fragments per packet. The default - is "0" (unlimited), the minimum is "0", and the maximum is "255". This is an - optional parameter. detect_anomalies option must be configured for this option - to take effect. + is "0" (unlimited). This config option takes values equal to or greater than zero. This is an + optional parameter. detect_anomalies option must be configured for this option + to take effect. min_fragment_length - Defines smallest fragment size (payload size) that should be considered valid. - Fragments smaller than or equal to this limit are considered malicious and an event is raised, - if detect_anomalies is also configured. The default is "0" (check is disabled), the minimum is "0", - and the maximum is "255". - This is an optional parameter. detect_anomalies option must be configured for this option to take effect. + Fragments smaller than or equal to this limit are considered malicious and an event is raised, + if detect_anomalies is also configured. The default is "0" (check is disabled). This config + option takes values equal to or greater than zero. This is an optional parameter. + detect_anomalies option must be configured for this option to take effect. policy - Select a target-based defragmentation mode. Available types are first, last, bsd, bsd-right, linux, windows and solaris. Default type is bsd. 
diff -Nru snort-2.8.5.2/doc/README.ftptelnet snort-2.9.2/doc/README.ftptelnet --- snort-2.8.5.2/doc/README.ftptelnet 2009-08-10 20:41:33.000000000 +0000 +++ snort-2.9.2/doc/README.ftptelnet 2010-06-09 22:04:48.000000000 +0000 @@ -100,7 +100,7 @@ In order to support certain options, Telnet supports subnegotiation. Per the Telnet RFC, subnegotiation begins with SB (subnegotiation begin) and must end with an SE (subnegotiation end). However, certain implementations of -Telnet servers will ignore the SB without a cooresponding SE. This is +Telnet servers will ignore the SB without a corresponding SE. This is anomalous behavior which could be an evasion case. Being that FTP uses the Telnet protocol on the control connection, it is also susceptible to this behavior. The detect_anomalies option enables alerting on Telnet SB without @@ -287,6 +287,9 @@ bounce_to { 192.168.1.1,20020,20040 } 3) This allows bounces to 192.168.1.1 port 20020 and 192.168.1.2 port 20030 bounce_to { 192.168.1.1,20020 192.168.1.2,20030 } +4) This allows bounces to IPv6 address fe8::5 port 59340. NOTE: IPv6 support + must be enabled. + bounce_to { fe8::5,59340 } * telnet_cmds yes/no * Detect and alert when telnet cmds are seen on the FTP command channel. diff -Nru snort-2.8.5.2/doc/README.GTP snort-2.9.2/doc/README.GTP --- snort-2.8.5.2/doc/README.GTP 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/doc/README.GTP 2011-10-26 18:28:51.000000000 +0000 
@@ -0,0 +1,653 @@
+GTP Decoder and Preprocessor
+================================================================================
+Hui Cao
+
+Overview
+================================================================================
+GTP (GPRS Tunneling Protocol) is used in core communication networks to establish
+a channel between GSNs (GPRS Serving Node). GTP decoding & preprocessor provides
+ways to tackle intrusion attempts to those networks through GTP. It also makes
+detecting new attacks easier.
+
+Two components are developed: GTP decoder and GTP preprocessor.
+GTP decoder extracts payload inside GTP PDU;
+GTP preprocessor inspects all the signaling messages and provide keywords for
+further inspection
+
+Sections:
+ Dependency Requirements
+ GTP Data Channel Decoder Configuration
+ GTP Control Channel Preprocessor Configuration
+ GTP Decoder Events
+ GTP Preprocessor Events
+ Rule Options
+
+Dependency Requirements
+================================================================================
+For proper functioning of the preprocessor:
+
+ Stream session tracking must be enabled, i.e. stream5. UDP must be
+ enabled in stream5. The preprocessor requires a session tracker to keep
+ its data.
+ IP defragmentation should be enabled, i.e. the frag3 preprocessor should be
+ enabled and configured.
+
+
+GTP Data Channel Decoder Configuration
+================================================================================
+GTP decoder extracts payload from GTP PDU. The following configuration sets
+GTP decoding:
+
+config enable_gtp
+
+By default, GTP decoder uses port number 2152 (GTPv1) and 3386 (GTPv0).
+If users want to change those values, they can use portvar GTP_PORTS:
+
+portvar GTP_PORTS [2152,3386]
+
+
+GTP Control Channel Preprocessor Configuration
+================================================================================
+Different from GTP decoder, GTP preprocessor examines all signaling messages.
+The preprocessor configuration name is "gtp".
+
+preprocessor sip
+
+Option Argument Required Default
+ports No ports { 2123 3386 }
+
+Option explanations
+
+ ports
+ This specifies on what ports to check for GTP control messages. Typically,
+ this includes 2123 3386.
+
+ Syntax:
+ ports { [< ... >] }
+
+ Examples:
+ ports { 2123 3386 }
+
+ Note: there are spaces before and after '{' and '}'
+
+
+Configuration examples
+ preprocessor gtp
+ preprocessor sip: ports { 2123 3386 2152 }
+
+Default configuration
+ preprocessor sip
+
+GTP Decoder Events
+================================================================================
+
+SID Description
+--------------------------------------------------------------------------------
+ 297 Two or more GTP encapsulation layers present
+ 298 GTP header length is invalid
+
+GTP Preprocessor Events
+================================================================================
+The preprocessor uses GID 143 to register events.
+
+
+SID Description
+--------------------------------------------------------------------------------
+ 1 Message length is invalid.
+ 2 Information element length is invalid.
+ 3 Information elements are out of order.
+
+Rule Options
+================================================================================
+New rule options are supported by enabling the GTP preprocessor:
+
+gtp_type
+gtp_info
+gtp_version
+
+
+ gtp_type
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ The gtp_type keyword is used to check for specific GTP types. User can input
+ message type value, an integer in [0, 255], or a string defined in the Table
+ below. More than one type can be specified, via a comma separated list, and
+ are OR'ed together. If the type used in a rule is not listed in the
+ preprocessor configuration, an error will be thrown.
+
+ Same message type might have different message type value in different GTP
+ versions. For example, sgsn_context_request has message type value 50 in
+ GTPv0 and GTPv1, but 130 in GTPv2. gtp_type will match to a different value
+ depending on the version number in the packet. In this example, evaluating
+ a GTPv0 or GTPv1 packet will check whether the message type value is 50;
+ evaluating a GTPv2 packet will check whether the message type value is 130.
+ When a message type is not defined in a version, any packet in that version
+ will always return "No match".
+
+ If an integer is used to specify message type, every GTP packet is evaluated,
+ no matter what version the packet is. If the message type matches the value
+ in packet, it will return "Match".
+
+ Syntax:
+ gtp_type:;
+ type-list = type|type, type-list
+ type = "0-255"|
+ | "echo_request" | "echo_response" ...
+ Examples:
+ gtp_type:10, 11, echo_request;
+
+ GTPv0 message types:
+
+ Value Message Type
+ **********************************************
+ 1 echo_request
+ 2 echo_response
+ 3 version_not_supported
+ 4 node_alive_request
+ 5 node_alive_response
+ 6 redirection_request
+ 7 redirection_response
+ 16 create_pdp_context_request
+ 17 create_pdp_context_response
+ 18 update_pdp_context_request
+ 19 update_pdp_context_response
+ 20 delete_pdp_context_request
+ 21 delete_pdp_context_response
+ 22 create_aa_pdp_context_request
+ 23 create_aa_pdp_context_response
+ 24 delete_aa_pdp_context_request
+ 25 delete_aa_pdp_context_response
+ 26 error_indication
+ 27 pdu_notification_request
+ 28 pdu_notification_response
+ 29 pdu_notification_reject_request
+ 30 pdu_notification_reject_response
+ 32 send_routing_info_request
+ 33 send_routing_info_response
+ 34 failure_report_request
+ 35 failure_report_response
+ 36 note_ms_present_request
+ 37 note_ms_present_response
+ 48 identification_request
+ 49 identification_response
+ 50 sgsn_context_request
+ 51 sgsn_context_response
+ 52 sgsn_context_ack
+ 240 data_record_transfer_request
+ 241 data_record_transfer_response
+ 255 pdu
+
+ GTPv1 message types:
+
+ Value Message Type
+ **********************************************
+ 1 echo_request
+ 2 echo_response
+ 3 version_not_supported
+ 4 node_alive_request
+ 5 node_alive_response
+ 6 redirection_request
+ 7 redirection_response
+ 16 create_pdp_context_request
+ 17 create_pdp_context_response
+ 18 update_pdp_context_request
+ 19 update_pdp_context_response
+ 20 delete_pdp_context_request
+ 21 delete_pdp_context_response
+ 22 init_pdp_context_activation_request
+ 23 init_pdp_context_activation_response
+ 26 error_indication
+ 27 pdu_notification_request
+ 28 pdu_notification_response
+ 29 pdu_notification_reject_request
+ 30 pdu_notification_reject_response
+ 31 supported_ext_header_notification
+ 32 send_routing_info_request
+ 33 send_routing_info_response
+ 34 failure_report_request
+ 35 failure_report_response
+ 36 note_ms_present_request
+ 37 note_ms_present_response
+ 48 identification_request
+ 49 identification_response
+ 50 sgsn_context_request
+ 51 sgsn_context_response
+ 52 sgsn_context_ack
+ 53 forward_relocation_request
+ 54 forward_relocation_response
+ 55 forward_relocation_complete
+ 56 relocation_cancel_request
+ 57 relocation_cancel_response
+ 58 forward_srns_contex
+ 59 forward_relocation_complete_ack
+ 60 forward_srns_contex_ack
+ 70 ran_info_relay
+ 96 mbms_notification_request
+ 97 mbms_notification_response
+ 98 mbms_notification_reject_request
+ 99 mbms_notification_reject_response
+ 100 create_mbms_context_request
+ 101 create_mbms_context_response
+ 102 update_mbms_context_request
+ 103 update_mbms_context_response
+ 104 delete_mbms_context_request
+ 105 delete_mbms_context_response
+ 112 mbms_register_request
+ 113 mbms_register_response
+ 114 mbms_deregister_request
+ 115 mbms_deregister_response
+ 116 mbms_session_start_request
+ 117 mbms_session_start_response
+ 118 mbms_session_stop_request
+ 119 mbms_session_stop_response
+ 120 mbms_session_update_request
+ 121 mbms_session_update_response
+ 128 ms_info_change_request
+ 129 ms_info_change_response
+ 240 data_record_transfer_request
+ 241 data_record_transfer_response
+ 254 end_marker
+ 255 pdu
+
+ GTPv2 message types:
+
+ Value Message Type
+ **********************************************
+ 1 echo_request
+ 2 echo_response
+ 3 version_not_supported
+ 32 create_session_request
+ 33 create_session_response
+ 34 modify_bearer_request
+ 35 modify_bearer_response
+ 36 delete_session_request
+ 37 delete_session_response
+ 38 change_notification_request
+ 39 change_notification_response
+ 64 modify_bearer_command
+ 65 modify_bearer_failure_indication
+ 66 delete_bearer_command
+ 67 delete_bearer_failure_indication
+ 68 bearer_resource_command
+ 69 bearer_resource_failure_indication
+ 70 downlink_failure_indication
+ 71 trace_session_activation
+ 72 trace_session_deactivation
+ 73 stop_paging_indication
+ 95 create_bearer_request
+ 96 create_bearer_response
+ 97 update_bearer_request
+ 98 update_bearer_response
+ 99 delete_bearer_request
+ 100 delete_bearer_response
+ 101 delete_pdn_request
+ 102 delete_pdn_response
+ 128 identification_request
+ 129 identification_response
+ 130 sgsn_context_request
+ 131 sgsn_context_response
+ 132 sgsn_context_ack
+ 133 forward_relocation_request
+ 134 forward_relocation_response
+ 135 forward_relocation_complete
+ 136 forward_relocation_complete_ack
+ 137 forward_access
+ 138 forward_access_ack
+ 139 relocation_cancel_request
+ 140 relocation_cancel_response
+ 141 configuration_transfer_tunnel
+ 149 detach
+ 150 detach_ack
+ 151 cs_paging
+ 152 ran_info_relay
+ 153 alert_mme
+ 154 alert_mme_ack
+ 155 ue_activity
+ 156 ue_activity_ack
+ 160 create_forward_tunnel_request
+ 161 create_forward_tunnel_response
+ 162 suspend
+ 163 suspend_ack
+ 164 resume
+ 165 resume_ack
+ 166 create_indirect_forward_tunnel_request
+ 167 create_indirect_forward_tunnel_response
+ 168 delete_indirect_forward_tunnel_request
+ 169 delete_indirect_forward_tunnel_response
+ 170 release_access_bearer_request
+ 171 release_access_bearer_response
+ 176 downlink_data
+ 177 downlink_data_ack
+ 179 pgw_restart
+ 180 pgw_restart_ack
+ 200 update_pdn_request
+ 201 update_pdn_response
+ 211 modify_access_bearer_request
+ 212 modify_access_bearer_response
+ 231 mbms_session_start_request
+ 232 mbms_session_start_response
+ 233 mbms_session_update_request
+ 234 mbms_session_update_response
+ 235 mbms_session_stop_request
+ 236 mbms_session_stop_response
+
+ gtp_info
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ The gtp_info keyword is used to check for specific GTP information element.
+ This keyword restricts the search to the information element field. User can
+ input information element value, an integer in [0, 255], or a string defined
+ in the Table below. If the information element used in this rule is not
+ listed in the preprocessor configuration, an error will be thrown.
+
+ When there are several information elements with the same type in the message,
+ this keyword restricts the search to the total consecutive buffer. Because
+ the standard requires same types group together, this feature will be
+ available for all valid messages. In the case of "out of order information
+ elements", this keyword restricts the search to the last buffer.
+
+ Similar to message type, same information element might have different
+ information element value in different GTP versions. For example, "cause" has
+ value 1 in GTPv0 and GTPv1, but 2 in GTPv2. gtp_info will match to different
+ value depending on the version number in the packet. When an information
+ element is not defined in a version, any packet in that version will always
+ return "No match".
+
+ If an integer is used to specify information element type, every GTP packet
+ is evaluated, no matter what version the packet is. If the message type
+ matches the value in packet, it will return "Match".
+
+ Syntax:
+ gtp_info:;
+ ie = "0-255"|
+ "rai" | "tmsi"...
+ Examples:
+ gtp_info: 16;
+ gtp_info: tmsi
+
+ GTPv0 information elements:
+
+ Value Information elements
+ ***********************************************
+ 1 cause
+ 2 imsi
+ 3 rai
+ 4 tlli
+ 5 p_tmsi
+ 6 qos
+ 8 recording_required
+ 9 authentication
+ 11 map_cause
+ 12 p_tmsi_sig
+ 13 ms_validated
+ 14 recovery
+ 15 selection_mode
+ 16 flow_label_data_1
+ 17 flow_label_signalling
+ 18 flow_label_data_2
+ 19 ms_unreachable
+ 127 charge_id
+ 128 end_user_address
+ 129 mm_context
+ 130 pdp_context
+ 131 apn
+ 132 protocol_config
+ 133 gsn
+ 134 msisdn
+ 251 charging_gateway_addr
+ 255 private_extension
+
+ GTPv1 information elements:
+
+ Value Information elements
+ ***********************************************
+ 1 cause
+ 2 imsi
+ 3 rai
+ 4 tlli
+ 5 p_tmsi
+ 8 recording_required
+ 9 authentication
+ 11 map_cause
+ 12 p_tmsi_sig
+ 13 ms_validated
+ 14 recovery
+ 15 selection_mode
+ 16 teid_1
+ 17 teid_control
+ 18 teid_2
+ 19 teardown_ind
+ 20 nsapi
+ 21 ranap
+ 22 rab_context
+ 23 radio_priority_sms
+ 24 radio_priority
+ 25 packet_flow_id
+ 26 charging_char
+ 27 trace_ref
+ 28 trace_type
+ 29 ms_unreachable
+ 127 charge_id
+ 128 end_user_address
+ 129 mm_context
+ 130 pdp_context
+ 131 apn
+ 132 protocol_config
+ 133 gsn
+ 134 msisdn
+ 135 qos
+ 136 authentication_qu
+ 137 tft
+ 138 target_id
+ 139 utran_trans
+ 140 rab_setup
+ 141 ext_header
+ 142 trigger_id
+ 143 omc_id
+ 144 ran_trans
+ 145 pdp_context_pri
+ 146 addi_rab_setup
+ 147 sgsn_number
+ 148 common_flag
+ 149 apn_restriction
+ 150 radio_priority_lcs
+ 151 rat_type
+ 152 user_loc_info
+ 153 ms_time_zone
+ 154 imei_sv
+ 155 camel
+ 156 mbms_ue_context
+ 157 tmp_mobile_group_id
+ 158 rim_routing_addr
+ 159 mbms_config
+ 160 mbms_service_area
+ 161 src_rnc_pdcp
+ 162 addi_trace_info
+ 163 hop_counter
+ 164 plmn_id
+ 165 mbms_session_id
+ 166 mbms_2g3g_indicator
+ 167 enhanced_nsapi
+ 168 mbms_session_duration
+ 169 addi_mbms_trace_info
+ 170 mbms_session_repetition_num
+ 171 mbms_time_to_data
+ 173 bss
+ 174 cell_id
+ 175 pdu_num
+ 177 mbms_bearer_capab
+ 178 rim_routing_disc
+ 179 list_pfc
+ 180 ps_xid
+ 181 ms_info_change_report
+ 182 direct_tunnel_flags
+ 183 correlation_id
+ 184 bearer_control_mode
+ 185 mbms_flow_id
+ 186 mbms_ip_multicast
+ 187 mbms_distribution_ack
+ 188 reliable_inter_rat_handover
+ 189 rfsp_index
+ 190 fqdn
+ 191 evolved_allocation1
+ 192 evolved_allocation2
+ 193 extended_flags
+ 194 uci
+ 195 csg_info
+ 196 csg_id
+ 197 cmi
+ 198 apn_ambr
+ 199 ue_network
+ 200 ue_ambr
+ 201 apn_ambr_nsapi
+ 202 ggsn_backoff_timer
+ 203 signalling_priority_indication
+ 204 signalling_priority_indication_nsapi
+ 205 high_bitrate
+ 206 max_mbr
+ 251 charging_gateway_addr
+ 255 private_extension
+
+ GTPv2 information elements:
+
+ Value Information elements
+ ***********************************************
+ 1 imsi
+ 1 echo_request
+ 2 cause
+ 2 echo_response
+ 3 recovery
+ 3 version_not_supported
+ 4 node_alive_request
+ 5 node_alive_response
+ 6 redirection_request
+ 7 redirection_response
+ 16 create_pdp_context_request
+ 17 create_pdp_context_response
+ 18 update_pdp_context_request
+ 19 update_pdp_context_response
+ 20 delete_pdp_context_request
+ 21 delete_pdp_context_response
+ 22 create_aa_pdp_context_request
+ 23 create_aa_pdp_context_response
+ 24 delete_aa_pdp_context_request
+ 25 delete_aa_pdp_context_response
+ 26 error_indication
+ 27 pdu_notification_request
+ 28 pdu_notification_response
+ 29 pdu_notification_reject_request
+ 30 pdu_notification_reject_response
+ 32 send_routing_info_request
+ 33 send_routing_info_response
+ 34 failure_report_request
+ 35 failure_report_response
+ 36 note_ms_present_request
+ 37 note_ms_present_response
+ 48 identification_request
+ 49 identification_response
+ 50 sgsn_context_request
+ 51 sgsn_context_response
+ 52 sgsn_context_ack
+ 71 apn
+ 72 ambr
+ 73 ebi
+ 74 ip_addr
+ 75 mei
+ 76 msisdn
+ 77 indication
+ 78 pco
+ 79 paa
+ 80 bearer_qos
+ 81 flow_qos
+ 82 rat_type
+ 83 serving_network
+ 84 bearer_tft
+ 85 tad
+ 86 uli
+ 87 f_teid
+ 88 tmsi
+ 89 cn_id
+ 90 s103pdf
+ 91 s1udf
+ 92 delay_value
+ 93 bearer_context
+ 94 charging_id
+ 95 charging_char
+ 96 trace_info
+ 97 bearer_flag
+ 99 pdn_type
+ 100 pti
+ 101 drx_parameter
+ 103 gsm_key_tri
+ 104 umts_key_cipher_quin
+ 105 gsm_key_cipher_quin
+ 106 umts_key_quin
+ 107 eps_quad
+ 108 umts_key_quad_quin
+ 109 pdn_connection
+ 110 pdn_number
+ 111 p_tmsi
+ 112 p_tmsi_sig
+ 113 hop_counter
+ 114 ue_time_zone
+ 115 trace_ref
+ 116 complete_request_msg
+ 117 guti
+ 118 f_container
+ 119 f_cause
+ 120 plmn_id
+ 121 target_id
+ 123 packet_flow_id
+ 124 rab_contex
+ 125 src_rnc_pdcp
+ 126 udp_src_port
+ 127 apn_restriction
+ 128 selection_mode
+ 129 src_id
+ 131 change_report_action
+ 132 fq_csid
+ 133 channel
+ 134 emlpp_pri
+ 135 node_type
+ 136 fqdn
+ 137 ti
+ 138 mbms_session_duration
+ 139 mbms_service_area
+ 140 mbms_session_id
+ 141 mbms_flow_id
+ 142 mbms_ip_multicast
+ 143 mbms_distribution_ack
+ 144 rfsp_index
+ 145 uci
+ 146 csg_info
+ 147 csg_id
+ 148 cmi
+ 149 service_indicator
+ 150 detach_type
+ 151 ldn
+ 152 node_feature
+ 153 mbms_time_to_transfer
+ 154 throttling
+ 155 arp
+ 156 epc_timer
+ 157 signalling_priority_indication
+ 158 tmgi
+ 159 mm_srvcc
+ 160 flags_srvcc
+ 161 mmbr
+ 240 data_record_transfer_request
+ 241 data_record_transfer_response
+ 255 private_extension
+ 255 pdu
+
+ gtp_version
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ The gtp_version keyword is used to check for specific GTP version.
+ Because different GTP version defines different message types and information
+ elements, this keyword should combine with gtp_type and gtp_info.
+
+ Syntax:
+ gtp_version:;
+ version = "0, 1, 2'
+
+ Example:
+ gtp_version: 1;
+
\ No newline at end of file
diff -Nru snort-2.8.5.2/doc/README.http_inspect snort-2.9.2/doc/README.http_inspect
--- snort-2.8.5.2/doc/README.http_inspect 2009-07-07 15:36:58.000000000 +0000
+++ snort-2.9.2/doc/README.http_inspect 2011-10-26 18:28:51.000000000 +0000
@@ -56,6 +56,60 @@ use alerts for web users that aren't using the configured proxies or are using a rogue proxy server. +* compress_depth * +This option specifies the maximum amount of packet payload to decompress. This +value can be set from 1 to 65535. The default for this option is 1460. + +Please note, in case of multiple policies, the value specified in the default policy +is used and this value overwrites the values specified in the other policies. In case +of unlimited_decompress this should be set to its max value. This value should be specified +in the default policy even when the HTTP inspect preprocessor is turned off using the disabled keyword. + +* decompress_depth * +This option specifies the maximum amount of decompressed data to obtain from the +compressed packet payload. This value can be set from 1 to 65535. The default for +this option is 2920. + +Please note, in case of multiple policies, the value specified in the default policy +is used and this value overwrites the values specified in the other policies. In case +of unlimited_decompress this should be set to its max value. This value should be specified +in the default policy even when the HTTP inspect preprocessor is turned off using the disabled keyword. + +* max_gzip_mem * +This option determines (in bytes) the maximum amount of memory the HTTP Inspect preprocessor +will use for decompression. This value can be set from 3276 bytes to 100MB. This option +along with compress and decompress depth determines the gzip sessions that will be +decompressed at any given instant. The default value for this option is 838860. + +Note: This value should be specified in the default policy even when the HTTP inspect preprocessor is +turned off using the disabled keyword. It is suggested to set this value such that the max gzip +session calculated as follows is atleast 1. 
+ +max gzip session = max_gzip_mem /(decompress_depth + compress_depth) + +* memcap * +This option determines (in bytes) the maximum amount of memory the HTTP Inspect preprocessor +will use for logging the URI and Hostname data. This value can be set from 2304 to 603979776 (576 MB). +This option along with the maximum uri and hostname logging size (which is defined in snort) will +determine the maximum HTTP sessions that will log the URI and hostname data at any given instant. The +maximum size for logging URI data is 2048 and for hostname is 256. The default value for this +option is 150994944 (144 MB). + +Note: This value should be specified in the default policy even when the HTTP inspect preprocessor is +turned off using the "disabled" keyword. In case of multiple policies, the value specified in the +default policy will overwrite the value specified in other policies. + +max http sessions logged = memcap /( max uri logging size + max hostname logging size ) +max uri logging size defined in snort : 2048 +max hostname logging size defined in snort : 256 + +* disabled * +This optional keyword is allowed with any policy to avoid packet processing. +This option disables the preprocessor. When the preprocessor is disabled +only the "memcap", "max_gzip_mem", "compress_depth" and "decompress_depth" options +are applied when specified with the configuration. Other options are +parsed but not used. Any valid configuration may have "disabled" added to it. + Please note that if users aren't required to configure web proxy use, then you may get a lot of proxy alerts. So, please only use this feature with traditional proxy environments. Blind firewall proxies don't count. 
@@ -103,8 +157,20 @@ - oversize_dir_length - normalize_headers - normalize_cookies + - normalize_utf - max_header_length - max_headers + - max_spaces + - enable_cookie + - extended_response_inspection + - inspect_gzip + - normalize_javascript + - max_javascript_whitespaces + - enable_xff + - unlimited_decompress + - http_methods + - log_uri + - log_hostname These options must be specified after the 'profile' option. Example: @@ -140,7 +206,7 @@ Encrypted traffic (SSL) cannot be decoded, so adding ports 443 will only yield encoding false positives. -* iis_unicode_map [file (located in config dir(] [codemap (integer)] * +* iis_unicode_map [file (located in config dir)] [codemap (integer)] * The IIS Unicode Map is generated by the program ms_unicode_generator.c. This program is located in src/preprocessors/HttpInspect/util. Executing this program generates a unicode map for the system that it was run on. So to get 
@@ -154,49 +220,200 @@ code page by looking at the available code pages that the ms_unicode_generator outputs. +* extended_response_inspection * +This enables the extended HTTP response inspection. The default http response +inspection does not inspect the various fields of a HTTP response. By turning +this option the HTTP response will be thoroughly inspected. The different fields +of a HTTP response such as status code, status message, headers, cookie (when +enable_cookie is configured) and body are extracted and saved into buffers. +Different rule options are provided to inspect these buffers. + +When this option is turned on, if the HTTP response packet has a body then any +content pattern matches ( without http modifiers ) will search the response body +(decompressed in case of gzip) and not the entire packet payload. To search for +patterns in the header of the response, one should use the http modifiers with +content such as http_header, http_stat_code, http_stat_msg and http_cookie. + +* enable_cookie * +This options turns on the cookie extraction from HTTP requests and HTTP response. +By default the cookie inspection and extraction will be turned off. The cookie +from the "Cookie" header line is extracted and stored in HTTP Cookie buffer for +HTTP requests and cookie from the "Set-Cookie" is extracted and stored in HTTP +Cookie buffer for HTTP responses. The "Cookie:" and "Set-Cookie:" header names +itself along with the leading spaces and the CRLF terminating the header line +are stored in the HTTP header buffer and are not stored in the HTTP cookie buffer. + +Ex: Set-Cookie: mycookie \r\n + +In this case, Set-Cookie: \r\n will be in the HTTP header buffer and the pattern +mycookie will be in the HTTP cookie buffer. + +* inspect_gzip * +This option specifies the HTTP inspect module to uncompress the compressed +data(gzip/deflate) in HTTP response. You should select the config option +"extended_response_inspection" before configuring this option. 
Snort should +be configured with --enable-zlib for this option to work as expected. +Decompression is done across packets. So the decompression will end when +either the 'compress_depth' or 'decompress_depth' is reached or when the +compressed data ends. When the compressed data is spanned across multiple +packets, the state of the last decompressed packet is used to decompressed +the data of the next packet. But the decompressed data are individually +inspected. (i.e. the decompressed data from different packets are not combined +while inspecting). Also the amount of decompressed data that will be inspected +depends on the server_flow_depth configured. + +Http Inspect generates a preprocessor alert with gid 120 and sid 6 when the decompression +fails. When the decompression fails due to a CRC error encountered by zlib, HTTP Inspect +will also provide the detection module with the data that was decompressed by zlib. + +* unlimited_decompress * +This option enables the user to decompress unlimited gzip data (across multiple +packets).Decompression will stop when the compressed data ends or when a out of +sequence packet is received. To ensure unlimited decompression, user should set +the 'compress_depth' and 'decompress_depth' to its maximum values in the default policy. +The decompression in a single packet is still limited by the 'compress_depth' and +'decompress_depth'. + +* normalize_javascript * +This option enables the normalization of Javascript within the HTTP response body. +You should select the config option "extended_response_inspection" before configuring this option. +When this option is turned on, Http Inspect searches for a Javascript within the +HTTP response body by searching for the + + + +The above javascript will generate the preprocessor alert with SID 9 and GIDF 120 when normalize_javascript +is turned on. 
+ +Http Inspect will also generate a preprocessor alert with GID 120 and SID 11 when there are more than one type +of encodings within the escaped/encoded data. + +For example: + +unescape("%48\x65%6C%6C%6F%2C%20%73%6E%6F%72%74%20%74%65%61%6D%21"); +String.fromCharCode(0x48, 0x65, 0x6c, 0x6c, 111, 44, 32, 115, 110, 111, 114, 116, 32, 116, 101, 97, 109, 33) + +The above obfuscation will generate the preprocessor alert with GID 120 and SID 11. + +This option is turned off by default in HTTP Inspect. + +* max_javascript_whitespaces [positive integer] * +This option takes an integer as an argument. The integer determines the maximum number +of consecutive whitespaces allowed within the Javascript obfuscated data in a HTTP +response body. The config option "normalize_javascript" should be turned on before configuring + this config option. When the whitespaces in the javascript obfuscated data is equal to or more +than this value a preprocessor alert with GID 120 and SID 10 is generated. The default value for +this option is 200. To enable, specify an integer argument to max_spaces of 1 to 65535. +Specifying a value of 0 is treated as disabling the alert. + +* enable_xff * +This option enables Snort to parse and log the original client IP present in the +X-Forwarded-For or True-Client-IP HTTP request headers along with the generated +events. The XFF/True-Client-IP Original client IP address is logged only with +unified2 output and is not logged with console (-A cmg) output. + +NOTE: The original client IP from XFF/True-Client-IP in unified2 logs can be viewed +using the tool u2spewfoo. This tool is present in the tools/u2spewfoo directory of +snort source tree. + * server_flow_depth [integer] * * flow_depth [integer] * (to be deprecated) -This specifies the amount of server response payload to inspect. This option -significantly increases IDS performance because we are ignoring a large part of -the network traffic (HTTP server response payloads). 
A small percentage of -snort rules are targeted at this traffic and a small flow_depth value may -cause false negatives in some of these rules. Most of these rules target -either the HTTP header, or the content that is likely to be in the first -hundred or so bytes of non-header data. Headers are usually under 300 bytes -long, but your mileage may vary. - -This value can be set from -1 to 1460. A value of -1 causes Snort -to ignore all server side traffic for ports defined in "ports." -Inversely, a value of 0 causes Snort to inspect all HTTP server +This specifies the amount of server response payload to inspect. When +extended_response_inspection is turned on, it is applied to the HTTP response body +(decompressed data when inspect_gzip is turned on) and not the HTTP headers. +When extended_response_inspection is turned off the server_flow_depth is applied +to the entire HTTP response (including headers). Unlike client_flow_depth this +option is applied per TCP session. This option can be used to balance the needs of +IDS performance and level of inspection of HTTP server response data. Snort rules are +targeted at HTTP server response traffic and when used with a small flow_depth value +may cause false negatives. Most of these rules target either the HTTP header, or +the content that is likely to be in the first hundred or so bytes of non-header data. +Headers are usually under 300 bytes long, but your mileage may vary. +It is suggested to set the server_flow_depth to its maximum value. + +This value can be set from -1 to 65535. A value of -1 causes Snort +to ignore all server side traffic for ports defined in "ports" when +extended_response_inspection is turned off. When the extended_response_inspection + is turned on, value of -1 causes Snort to ignore the HTTP response body data and + not the HTTP headers. Inversely, a value of 0 causes Snort to inspect all HTTP server payloads defined in "ports" (note that this will likely slow down IDS performance). 
Values above 0 tell Snort the number of bytes to -inspect in the first packet of the server response. Only packets -payloads starting with 'HTTP' will be considered as the first packet of a -server response. If less than flow_depth bytes are in the payload -of the first packet, the entire payload will be inspected. If more than -flow_depth bytes are in the payload of the first packet only flow_depth -bytes of the payload will be inspected. Rules that are meant to -inspect data in the payload of the first packet of a server response -beyond 1460 bytes will be ineffective unless flow_depth is set to 0. -Note that the 1460 byte maximum flow_depth applies to stream -reassembled packets as well. +inspect of the server response (excluding the HTTP headers when extended_response_inspection is +turned on) in a given HTTP session. Only packets payloads starting with 'HTTP' will +be considered as the first packet of a server response. If less than flow_depth bytes +are in the payload of the HTTP response packets in a given session, the entire payload will be +inspected. If more than flow_depth bytes are in the payload of the HTTP response packet in a session +only flow_depth bytes of the payload will be inspected for that session. Rules that are meant to +inspect data in the payload of the HTTP response packets in a session beyond 65535 bytes will be +ineffective unless flow_depth is set to 0. The default value for server_flow_depth is 300. +Note that the 65535 byte maximum flow_depth applies to stream +reassembled packets as well. It is suggested to set the server_flow_depth +to its maximum value. * client_flow_depth [integer] * -This specifies the amount of raw client request payload to inspect. It is -similar to server_flow_depth (above), and has a default value of 300. It -primarily eliminates Snort fro inspecting larger HTTP Cookies that appear -at the end of many client request Headers. +This specifies the amount of raw client request payload to inspect. 
This +value can be set from -1 to 1460. Unlike server_flow_depth this value is applied +to the first packet of the HTTP request. It is not a session based flow depth. +It has a default value of 300. It primarily eliminates Snort from inspecting +larger HTTP Cookies that appear at the end of many client request Headers. + +A value of -1 causes Snort to ignore all client side traffic for ports +defined in "ports." Inversely, a value of 0 causes Snort to inspect all HTTP client + side traffic defined in "ports" (note that this will likely slow down IDS +performance). Values above 0 tell Snort the number of bytes to +inspect in the first packet of the client request. If less than flow_depth bytes +are in the TCP payload (HTTP request) of the first packet, the entire payload will be inspected. +If more than flow_depth bytes are in the payload of the first packet only flow_depth +bytes of the payload will be inspected. Rules that are meant to +inspect data in the payload of the first packet of a client request beyond 1460 bytes will be +ineffective unless flow_depth is set to 0. Note that the 1460 byte maximum flow_depth +applies to stream reassembled packets as well. It is suggested to set the client_flow_depth +to its maximum value. * post_depth [integer] * This specifies the amount of data to inspect in a client post message. The -value can be set from 0 to 65495. The default value is 0. This increases -the perfomance by inspecting only specified bytes in the post message. +value can be set from -1 to 65495. The default value is -1. A value of -1 +causes Snort to ignore all the data in the post message. Inversely, a value +of 0 causes Snort to inspect all the client post message. This increases +the performance by inspecting only specified bytes in the post message. * ascii [yes/no] * The ASCII decode option tells us whether to decode encoded ASCII chars, a.k.a %2f = /, %2e = ., etc. 
I suggest you don't log alerts for ASCII since it is very common to see normal ASCII encoding usage in URLs. +* extended_ascii_uri * +This option enables the support for extended ascii codes in the HTTP request +URI. This option is turned off by default and is not supported with any of +the profiles. + * utf_8 [yes/no] * The UTF-8 decode option tells us to decode standard UTF-8 unicode sequences that are in the URI. This abides by the unicode standard and only uses % encoding. @@ -227,17 +444,6 @@ The alert on this decoding should be enabled, because there are no legitimate clients that encoded UTF-8 this way, since it is non-standard. -* base36 [yes/no] * -This is an option to decode base36 encoded chars. I didn't have access to -a server with this option, since it appears that this is related to certain -Asian versions of windows. I'm going off of info from: -http://www.yk.rim.or.jp/~shikap/patch/spp_http_decode.patch -So I hope that works for any of you with this option. Please note that if you -have enabled %u encoding, this option will not work. You have to use the -base36 option with the utf_8 option. Don't use the %u option, because base36 -won't work. When base36 is enabled, so is ascii encoding to enforce correct -behavior. - * iis_unicode [yes/no] * The iis_unicode option turns on the unicode codepoint mapping. If there is no iis_unicode_map option specified with the server config, iis_unicode uses the 
@@ -302,6 +508,20 @@ up the apache chunk encoding exploits, and may also alert on HTTP tunneling that uses chunk encoding. +* small_chunk_length { } * +This option is an evasion detector for consecutive small chunk sizes when +either the client or server use Transfer-Encoding: chunked. + specifies the maximum chunk size for which a chunk will be +considered small. specifies the number of consecutive +small chunks <= before an event will be generated. +This option is turned off by default. Maximum values for each are 255 and +a of 0 disables. +Events generated are gid:119,sid:27 for client small chunks and gid:120,sid:7 +for server small chunks. +Example: + small_chunk_length { 10 5 } +Meaning alert if we see 5 consecutive chunk sizes of 10 or less. + * no_pipeline_req * This option turns HTTP pipeline decoding off, and is a performance enhancement if needed. By default pipeline requests are inspected for attacks, but when @@ -362,6 +582,14 @@ enable, specify an integer argument to max_header_length of 1 to 65535. Specifying a value of 0 is treated as disabling the alert. +* max_spaces [positive integer] * +This option takes an integer as an argument. The integer determines the maximum number +of whitespaces allowed with HTTP client request line folding. Requests headers +folded with whitespaces equal to or more than this value will cause a +"Space Saturation" alert with SID 26 and GID 119. The default value for this +option is 200. To enable, specify an integer argument to max_spaces of 1 to 65535. +Specifying a value of 0 is treated as disabling the alert. + * webroot * This option generates an alert when a directory traversal traverses past the web server root directory. This generates much less false positives than 
@@ -388,19 +616,52 @@ etc.). It is useful for normalizing data in HTTP Cookies that may be encoded. +* normalize_utf * +This option turns on normalization of HTTP response bodies where the Content-Type +header lists the character set as "utf-16le", "utf-16be", "utf-32le", or +"utf-32be". HTTP Inspect will attempt to normalize these back into 8-bit encoding, +generating an alert if the extra bytes are non-zero. + * max_headers [positive integer] * This option takes an integer as an argument. The integer is the maximum number of HTTP client request header fields. Requests that contain more HTTP Headers than this value will cause a "Max Header" alert. The -alert is off by default. To enable, specify an integer argumnet to max_headers +alert is off by default. To enable, specify an integer argument to max_headers of 1 to 1024. Specifying a value of 0 is treated as disabling the alert. ---Options Available Under Stateful Inspection-- - -* base64 [yes/no] * - -Enables base64 decoding of certain fields where stateful inspection -determines that base64 encoding is present. +*http_methods { } * +This specifies additional HTTP Request Methods outside of those checked by +default within the preprocessor (GET and POST). The list should be enclosed +within braces and delimited by spaces or \t\n\r. The config option, braces and +methods also needs to be separated by braces. + +Example : http_methods { PUT CONNECT } + +Please note the maximum length for a method name is 256. + +* log_uri * +This option enables HTTP Inspect preprocessor to parse the URI data from the +HTTP request and log it along with all the generated events for that session. +Stream5 reassembly needs to be turned on HTTP ports to enable the logging. +If there are multiple HTTP requests in the session, the URI data of the most recent +HTTP request during the alert will be logged. The maximum URI logged is 2048. 
+ +Please note, this is logged only with the unified2 output and is not logged +with console output (-A cmg). u2spewfoo can be used to read this data from +the unified2. + +* log_hostname * +This option enables HTTP Inspect preprocessor to parse the hostname data from the +"Host" header of the HTTP request and log it along with all the generated events +for that session. Stream5 reassembly needs to be turned on HTTP ports to enable +the logging. If there are multiple HTTP requests in the session, the Hostname data +of the most recent HTTP request during the alert will be logged. In case of +multiple "Host" headers within one HTTP request, a preprocessor alert with sid 24 is +generated. The maximum hostname length logged is 256. + +Please note, this is logged only with the unified2 output and is not logged +with console output (-A cmg). u2spewfoo can be used to read this data from +the unified2. -- Profile Breakout -- There are three profiles that users can select. Only the configuration @@ -421,6 +682,7 @@ utf_8 encoding (alert off) max_header_length 0 (header length not checked) max_headers 0 (number of headers not checked) +max_sapces 200 (number of allowed white spaces) * IIS * @@ -486,7 +748,7 @@ Port 80 server_flow_depth 300 client_flow_depth 300 -post_depth 0 +post_depth -1 non_strict URL parsing is set chunk encoding (alert on chunks larger than 500000 bytes) ascii decoding is on (alert off) @@ -499,6 +761,7 @@ max_header_length 0 (header length not checked) max_headers 0 (number of headers not checked) +-- Pattern Match with HTTP buffers -- -- Writing uricontent rules -- The uricontent parameter in the snort rule language searches the NORMALIZED request URI field. This means that if you are writing rules that include 
@@ -526,6 +789,122 @@ characters. You can accomplish this type of detection by using the 'content' rule parameter, since this rule inspects the unnormalized buffer. +-- Http Content Match Keywords -- + +* http_client_body * + +The http_client_body keyword is a content modifier that restricts the search +to the body of an HTTP client request. As this keyword is a modifier to the +previous 'content' keyword, there must be a content in the rule before +'http_client_body' is specified. + +The amount of data that is inspected with this option depends on the post_depth +config option of HttpInspect. Pattern matches with this keyword wont work when +post_depth is set to -1. + +* http_cookie * + +The http_cookie keyword is a content modifier that restricts the search to the +extracted Cookie Header field (excluding the header name itself and the CRLF terminating +the header line) of a HTTP client request or a HTTP server response. The Cookie buffer +does not include the header names ("Cookie:" for HTTP requests or "Set-Cookie:" for +HTTP responses) or leading spaces and the CRLF terminating the header line. +These are included in the HTTP header buffer. + +As this keyword is a modifier to the previous 'content' keyword, there must be a +content in the rule before 'http_cookie' is specified. This keyword is dependent +on the 'enable_cookie' config option. The Cookie Header field will be extracted +only when this option is configured. If enable_cookie is not specified, +the cookie still ends up in HTTP header. When enable_cookie is not specified, +using http_cookie is the same as using http_header. + +The extracted Cookie Header field will be NORMALIZED if the normalize_cookies is +configured with HttpInspect. + +* http_raw_cookie * + +The http_raw_cookie keyword is a content modifier that restricts the search to the +extracted UNNORMALIZED Cookie Header field of a HTTP client request or a HTTP server +response. 
As this keyword is a modifier to the previous 'content' keyword, there must be +a content in the rule before 'http_raw_cookie' is specified. This keyword is dependent +on the 'enable_cookie' config option. The Cookie Header field will be extracted only +when this option is configured. + +* http_header * + +The http_header keyword is a content modifier that restricts the search to the +extracted Header fields of a HTTP client request or a HTTP server response. +As this keyword is a modifier to the previous 'content' keyword, there must be +a content in the rule before 'http_header' is specified. + +The extracted Header fields will be NORMALIZED if the normalize_cookies is +configured with HttpInspect. + +* http_raw_header * + +The http_raw_header keyword is a content modifier that restricts the search to the +extracted UNNORMALIZED Header fields of a HTTP client request or a HTTP server +response. As this keyword is a modifier to the previous 'content' keyword, there must be +a content in the rule before 'http_raw_header' is specified. + +* http_method * + +The http_method keyword is a content modifier that restricts the search to the +extracted Method from a HTTP client request. As this keyword is a modifier to +the previous 'content' keyword, there must be a content in the rule before +'http_method' is specified. + +* http_uri * + +The http_uri keyword is a content modifier that restricts the search to the +NORMALIZED request URI field . Using a content rule option followed by a +http_uri modifier is the same as using a uricontent by itself. As this +keyword is a modifier to the previous 'content' keyword, there must be +a content in the rule before 'http_uri' is specified. + +* http_raw_uri * + +The http_raw_uri keyword is a content modifier that restricts the search to the +UNNORMALIZED request URI field . As this keyword is a modifier to the previous +'content' keyword, there must be a content in the rule before 'http_raw_uri' +is specified. 
+ +* http_stat_code * + +The http_stat_code keyword is a content modifier that restricts the search to the +extracted Status code field from a HTTP server response. As this keyword is a +modifier to the previous 'content' keyword, there must be a content in the rule +before 'http_stat_code' is specified. + +The Status Code field will be extracted only if the extended_reponse_inspection is +configured for the HttpInspect. + +* http_stat_msg * + +The http_stat_msg keyword is a content modifier that restricts the search to the +extracted Status Message field from a HTTP server response. As this keyword is a +modifier to the previous 'content' keyword, there must be a content in the rule +before 'http_stat_msg' is specified. + +The Status Message field will be extracted only if the extended_reponse_inspection is +configured for the HttpInspect. + +* http_encode * + +The http_encode keyword will enable alerting based on encoding type present +in a HTTP client request or a HTTP server response. + +There are several keywords associated with http_encode. The keywords 'uri', 'header' +and 'cookie' determine the HTTP fields used to search for a particular encoding type. +The keywords 'utf8', 'double_encode', 'non_ascii', 'uencode', 'ascii', 'iis_encode' and 'bare_byte' +determine the encoding type which would trigger the alert. These keywords can be combined +using a OR operation. Negation is allowed on these keywords. + +The config option 'normalize_headers' needs to be turned on for rules to work with keyword 'header'. +The keyword 'cookie' is depedent on config options 'enable_cookie' and 'normalize_cookies' +This rule option will not be able to detect encodings if the specified HTTP fields are not NORMALIZED. + + -- Conclusion -- My suggestions are to stick with the "profile" options, since they are much easier to read and have been researched. 
@@ -546,7 +925,7 @@ 2 Double decoding attack 3 U encoding 4 Bare byte Unicode encoding -5 Base36 encoding +5 Base36 encoding # Deprecated in Snort 2.9.1 6 UTF-8 encoding 7 IIS Unicode codepoint encoding 8 multi-slash encoding @@ -561,9 +940,28 @@ 17 Unauthorized proxy use detected 18 Webroot directory traversal 19 Long header +20 Max headers +21 Multiple Content-Length headers +22 Chunk size mismatch +23 Invalid True-IP/XFF Orginal Client IP +24 Multiple Host headers +25 Hostname exceeds 255 characters +27 Chunked encoding - excessive consecutive small chunks +28 Unbounded POST (without Content-Length or Transfer-Encoding: chunked) The following alert is generated with generator ID 120: SID Description --- ----------- 1 Anomalous HTTP server on undefined HTTP port +2 Invalid HTTP response status code +3 No Content-Length or Transfer-Encoding in HTTP response +4 UTF Normalization failure +5 HTTP response has UTF-7 charset +6 HTTP response gzip decompression failed +7 Chunked encoding - excessive consecutive small chunks +8 Invalid Content-Length or chunk size in request or response +9 Javascript obfuscation levels exceeds 1 +10 Javascript consecutive whitespaces exceeds max allowed +11 Multiple encodings within Javascript obfuscated data + diff -Nru snort-2.8.5.2/doc/README.imap snort-2.9.2/doc/README.imap --- snort-2.8.5.2/doc/README.imap 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/doc/README.imap 2011-07-13 22:43:17.000000000 +0000 
@@ -0,0 +1,176 @@
+IMAP
+====
+
+-- Overview --
+IMAP is an IMAP4 decoder for user applications. Given a data buffer,
+IMAP will decode the buffer and find IMAP4 commands and responses.
+It will also mark the command, data header data body sections and
+extract the IMAP4 attachments and decode it appropriately.
+
+IMAP will handle stateful processing. It saves state between individual
+packets. However maintaining correct state is dependent on the resassembly
+of the server side of the stream (ie, a loss of coherent stream data results
+in a loss of state).
+
+Stream5 should be turned on for IMAP. Please ensure that the IMAP ports are added
+ to the stream5 ports for proper reassembly.
+
+
+-- Configuration --
+
+The configuration options are described below:
+
+* ports { port [port] ... } *
+This specifies on what ports to check for IMAP data. Typically, this will
+include 143. Default ports if none are specified are 143 .
+
+* disabled *
+Disables the IMAP preprocessor in a config. This is useful when specifying
+the decoding depths such as b64_decode_depth, qp_decode_depth, uu_decode_depth,
+bitenc_decode_depth or the memcap used for decoding in default config
+without turning on the IMAP preprocessor.
+
+* b64_decode_depth *
+This config option is used to turn off/on or set the base64 decoding depth used to
+decode the base64 encoded MIME attachments. The value ranges from -1 to 65535.
+A value of -1 turns off the base64 decoding of MIME attachments. The value of 0
+sets the decoding of base64 encoded MIME attachments to unlimited. A value other
+than 0 or -1 restricts the decoding of base64 MIME attachments. A IMAP preprocessor
+alert with sid 4 is generated (if enabled) when the decoding fails or when this
+decode depth is exceeded.
+
+Multiple MIME attachments/data in one packet are pipelined. When stateful inspection
+is turned on the base64 encoded MIME attachments/data across multiple packets are
+decoded too.
+
+The decoded data is available for detection using the rule option file_data.
+See file_data rule option for more details.
+
+It is recommended that user inputs a value that is a multiple of 4. When the value
+specified is not a multiple of 4, the IMAP preprocessor will round it up to the next
+multiple of 4.
+
+In case of multiple configs, the value specified in the non-default config cannot
+exceed the value specified in the default config.
+
+* qp_decode_depth *
+This config option is used to turn off/on or set the Quoted-Printable decoding depth
+used to decode the Quoted-Printable(QP) encoded MIME attachments. The value ranges
+from -1 to 65535. A value of -1 turns off the QP decoding of MIME attachments.
+The value of 0 sets the decoding of QP encoded MIME attachments to unlimited. A
+value other than 0 or -1 restricts the decoding of QP MIME attachments. A IMAP
+preprocessor alert with sid 5 is generated (if enabled) when the decoding fails
+or when this decode depth is exceeded.
+
+Multiple MIME attachments/data in one packet are pipelined. When stateful inspection
+is turned on the QP encoded MIME attachments/data across multiple packets are decoded too.
+
+The decoded data is available for detection using the rule option file_data.
+See file_data rule option for more details.
+
+In case of multiple configs, the value specified in the non-default config cannot exceed
+the value specified in the default config.
+
+* bitenc_decode_depth *
+This config option is used to turn off/on or set the 7bit/8bit/binary extraction
+depth used to extract the 7bit/8bit/binary encoded MIME attachments. The
+value ranges from -1 to 65535. A value of -1 turns off the extraction of these MIME
+attachments. The value of 0 sets the extraction of these MIME attachments to unlimited.
+A value other than 0 or -1 restricts the extraction of these MIME attachments. A IMAP
+preprocessor alert with sid 6 is generated (if enabled) when this extraction depth is exceeded.
+
+Multiple MIME attachments/data in one packet are pipelined. When stateful inspection
+is turned on the 7bit/8bit/binary MIME attachments/data across multiple packets are
+extracted too.
+
+The extracted data is available for detection using the rule option file_data.
+See file_data rule option for more details.
+
+In case of multiple configs, the value specified in the non-default config cannot exceed
+the value specified in the default config.
+
+* uu_decode_depth *
+This config option is used to turn off/on or set the Unix-to-Unix decoding depth
+used to decode the Unix-to-Unix(UU) encoded attachments. The value ranges
+from -1 to 65535. A value of -1 turns off the UU decoding of IMAP attachments.
+The value of 0 sets the decoding of UU encoded IMAP attachments to unlimited. A
+value other than 0 or -1 restricts the decoding of UU IMAP attachments. A IMAP
+preprocessor alert with sid 7 is generated (if enabled) when the decoding fails
+or when this decode depth is exceeded.
+
+Multiple UU Encoded attachments/data in one packet are pipelined. When stateful inspection
+is turned on the UU encoded attachments/data across multiple packets are decoded too.
+
+The decoded data is available for detection using the rule option file_data.
+See file_data rule option for more details.
+
+In case of multiple configs, the value specified in the non-default config cannot exceed
+the value specified in the default config.
+
+* memcap *
+This option determines (in bytes) the maximum amount of memory the IMAP preprocessor
+will use for decoding base64 encoded/quoted-printable/7bit/8bit/binary MIME attachments/data
+or Unix-to-Unix encoded attachments. This value can be set from 3276 bytes to 100MB.
+
+This option along with the maximum of the decoding depths will determine the IMAP
+sessions that will be decoded at any given instant. The default value for this option
+is 838860.
+
+Note: It is suggested to set this value such that the max imap session calculated as
+follows is atleast 1.
+
+max imap session = memcap /(2 * max of (b64_decode_depth, uu_decode_depth, qp_decode_depth
+ or bitenc_decode_depth))
+
+For example, if b64_decode_depth is 0 (indicates unlimited decoding) and qp_decode_depth is 100, then
+
+max imap session = memcap/2*65535 (max value for b64_decode_depth)
+
+In case of multiple configs, the memcap of the non-default configs will be overwritten by the
+default config's value. Hence user needs to define it in the default config with the new keyword
+disabled (used to disable IMAP preprocessor in a config).
+
+When the memcap for decoding (memcap) is exceeded the IMAP preprocessor alert with sid 3 is
+generated (when enabled).
+
+Example:
+preprocessor imap: \
+ ports { 143 } \
+ memcap 1310700 \
+ qp_decode_depth -1 \
+ b64_decode_depth 0 \
+ bitenc_decode_depth 100
+
+
+preprocessor imap: \
+ memcap 1310700 \
+ qp_decode_depth 0 \
+ disabled
+
+Default:
+preprocessor imap: \
+ ports { 143 } \
+ b64_decode_depth 1460 \
+ qp_decode_depth 1460 \
+ bitenc_decode_depth 1460 \
+ uu_decode_depth 1460
+
+Events
+================================================================================
+The IMAP preprocessor uses GID 141 to register events.
+
+
+SID Description
+--------------------------------------------------------------------------------
+ 1 Alert if IMAP encounters an invalid IMAP4 command.
+ 2 Alert if IMAP encounters an invalid IMAP4 response.
+ 3 If the decoding memory cap (memcap) is reached and the preprocessor is configured to alert,
+ this alert will be created.
+ 4 If the decoding of a base64 MIME attachments fails or when the decoding stops due to exceeded
+ b64_decode_depth.
+ 5 If the decoding of a Quoted-Printable MIME attachments fails or when the decoding stops due to exceeded
+ qp_decode_depth.
+ 6 If the decoding of a 7bit/8bit/binary MIME attachments fails or when the decoding stops due to
+ exceeded bitenc_decode_depth.
+ 7 If the decoding of a Unix-to-Unix encoded attachments fails or when the decoding stops due to exceeded
+ uu_decode_depth.
diff -Nru snort-2.8.5.2/doc/README.INLINE snort-2.9.2/doc/README.INLINE
--- snort-2.8.5.2/doc/README.INLINE 2009-07-07 15:36:57.000000000 +0000
+++ snort-2.9.2/doc/README.INLINE 1970-01-01 00:00:00.000000000 +0000
@@ -1,179 +0,0 @@ -Creator: Jed Haile -Current Maintainer: Rob McMillen - William Metcalf - Victor Julien - -Snort-Inline takes packets from iptables instead of libpcap. It then uses -new rule types to help iptables make pass or drop decisions based on -snort rules. - -In order for Snort Inline to work properly, you must download and compile -the iptables code to include "make install-devel" (www.iptables.org). -This will install the libipq library that allows Snort Inline to interface -with iptables. Also, you must build and install LibNet, which is available -from www.packetfactory.net. - -The Snort Inline FAQ can be found at http://snort-inline.com/FAQ.html. - -NEW RULE TYPES AND WHAT THEY DO: - -drop - The drop rule type will tell iptables to drop the packet and log it - via usual snort means. -reject - The reject rule type will tell iptables to drop the packet, log it - via usual snort means, and send a TCP reset if the protocol is - TCP or an icmp port unreachable if the protocol is UDP. -sdrop - The sdrop rule type will tell iptables to drop the packet. Nothing - is logged. - -RESETS: We now have two options on how to send out resets. We can still use -a RAW socket which is the default behavior for Snort Inline in which case -we need to have an interface that has an ip assigned. If there is not an -interface with an ip address assigned with access to the source of the packet, -the packet will be logged and the reset packet will never make it onto the -network. - -We can also now perform resets via a physical device when using iptables. -We take the indev name from ip_queue and use this as the interface on which -to send resets. We no longer need a ip loaded on the bridge, and can remain -pretty stealthy as the config layer2_resets in snort.conf takes a source -mac address which we substitue for the mac of the bridge. 
For example: - -CONFIG OPTIONS - -config layer2resets - -tells Snort Inline to use layer2 rests and uses the mac address of the bridge -as the source mac in the packet. - -config layer2resets: 00:06:76:DD:5F:E3 - -will tell Snort Inline to use layer2 resets and uses the src mac of -00:06:76:DD:5F:E3 in the rest packet. - -STREAM4 OPTIONS - -There are two additional stream4 options: - -inline_state (no args) - This option causes snort to drop TCP packets that are not associated with - an existing TCP session, and is not a valid TCP initiator. - -midstream_drop_alerts (no args) - By default, when running in inline mode, snort will silently drop any - packets that were picked up in midstream and would have caused an alert - to be generated, if not for the 'flow: established' option. This is to - mitigate stick/snot type attacks when the user hasn't enabled - inline_state. If the user wants to see the alerts that are silently - dropped, then enable this keyword. Note that by enabling this keyword, - the user has opened themselves up to stick/snot type attacks. - -ALSO... - -Additionally, Jed's content replace code allows you to modify packets -before they leave the network. For example: - -alert tcp any any <> any 80 (msg: "tcp replace"; content:"GET"; replace:"BET";) -alert udp any any <> any 53 (msg: "udp replace"; \ - content: "yahoo"; replace: "xxxxx";) - -these rules will comb tcp port 80 traffic looking for GET, and udp port 53 -traffic looking for yahoo. Once they are found, they are replaced with BET -and xxxxx, respectively. The only catch is that the replace must be the same -length as the content. - -RULE APPLICATION ORDER: - -The current Rule application order: - ->activation->dynamic->drop->sdrop->reject->alert->pass->log - -This will ensure that a drop rule has precedence over an alert or log rule. 
-Also, the -o flag now changes the rule application order to: - ->activation->dynamic->pass->drop->sdrop->reject->alert->log - -INSTALL - -./configure --enable-inline -make -make install - -DROP RULES - -Mike Clark has taken the time and energy to go through -the snort ruleset to identify and consolidate rules that would meet the -drop criteria. These rules are located in the rules directory in -drop.rules, and should be considered "alpha". There is also a sample -drop.conf file located in the etc directory of the snort_inline.tgz. The -latest and greatest set of drop rules can always be found at: - -http://www.honeynet.org/papers/honeynet/tools/ - -Additionally, we have included a convert.sh script in the etc/ directory -that will convert all alert rules to drop rules. All you have to do is -copy it to the location of your snort rules and run it. It will convert -all alert rules to drop rules; change HOME_NET to HONEYNET; and reverse -the flow of the rules. Why reverse the flow of the rules? Because the -original purpose of Snort Inline is to control a compromised network; -therefore, we need to drop packets leaving the Honeynet not entering it. - -HONEYNET SNORT_INLINE TOOLKIT - -This is a statically compiled Snort Inline binary put together by the -Honeynet Project for the Linux Operating System. It comes with a set -of drop.rules, the snort binary (sometimes snort_inline), a snort-inline -rotation shell script, and a good README. It can be found at: - -http://www.honeynet.org/papers/honeynet/tools/ - -RUN - -First, you need to ensure that the ip_queue module is loaded. Then, -you need to send traffic to Snort Inline using the QUEUE target. For -example, - -iptables -A OUTPUT -p tcp --dport 80 -j QUEUE - -sends all tcp traffic leaving the firewall going to port 80 to the QUEUE -target. This is what sends the packet from kernel space to user space -(Snort Inline). 
A quick way to get all outbound traffic going to the -QUEUE is to use the rc.firewall script created and maintained by the -Honeynet Project (http://www.honeynet.org/papers/honeynet/tools/) -This script is well documented and allows you to direct packets -to Snort Inline by simply changing the QUEUE variable to yes. - -Finally, start Snort Inline. - -snort -QDc ../etc/drop.conf -l /var/log/snort - --Q => get packets from iptables. --D => run in daemon mode. pid in /var/run/snort.pid --c => read the following configuration file. --l => log to the following directory. - -Ideally, Snort Inline will be run using only its own drop.rules. If -you want to use Snort for just alerting, a separate process should be -running with its own ruleset. - -TROUBLESHOOTING - -If you execute Snort Inline, and you see something like this: - -Initializing Output Plugins! -Reading from iptables -Log directory = /var/log/snort -Initializing Inline mode -InlineInit: : Failed to send netlink message: Connection refused - -more than likely, the ip_queue module is not loaded or ip_queue -support is not compiled into your kernel. Either recompile -your kernel to support ip_queue, or load the module. - -The ip_queue module is loaded by executing: - -insmod ip_queue - -Also, if you want to ensure Snort Inline is getting packets, you can -start it in the following manner: - -snort -Qvc - -This will display the header of every packet that Snort Inline sees. diff -Nru snort-2.8.5.2/doc/README.ipv6 snort-2.9.2/doc/README.ipv6 --- snort-2.8.5.2/doc/README.ipv6 2007-09-07 17:55:28.000000000 +0000 +++ snort-2.9.2/doc/README.ipv6 2011-10-26 18:28:51.000000000 +0000 
@@ -14,47 +14,25 @@ Portscan BO RPC Decode - -IPv6 support is not included for the following, but will be -added in a future release: - Frag3 - Database - Aruba - Prelude - Respond - Respond2 - Dynamic plugins (Shared Object rules) FTP Telnet DNS SMTP - Stream4 - Flow - - Note: For stream reassembly and flow, use Stream5. -All rule options are supported with the exception of the following: +IPv6 support is also included for the following. + Respond + Respond2 + Dynamic plugins (Shared Object rules) - react - resp +All rule options are supported with IPv6 IPv6 limitations ================ -IPv6 fragmentation reassembly is not presently supported. Fragmented packets -will be treated as individual, unfragmented packets. - -Various IP mapping techniques are ignored in Snort. If a user has a rule that -matches any IPv4 address a.b.c.d, but the target packet is tunneling IPv4 -within IPv6 using some IP-mapping that corresponds to the address a.b.c.d, the -rule will not match. - No rule options have yet been added to support inspection of specific IP extension headers. These will be added in a later release. -No special support is given to ICMP6; it is handled the same as ICMP. - IPv6 configuration ================== diff -Nru snort-2.8.5.2/doc/README.modbus snort-2.9.2/doc/README.modbus --- snort-2.8.5.2/doc/README.modbus 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/doc/README.modbus 2011-10-26 18:28:51.000000000 +0000 
@@ -0,0 +1,134 @@
+Modbus Preprocessor
+===================
+
+
+Overview
+========
+The Modbus preprocessor is a Snort module that decodes the Modbus protocol. It
+also provides rule options to access certain protocol fields. This allows a
+user to write rules for Modbus packets without decoding the protocol with a
+series of "content" and "byte_test" options.
+
+Modbus is a protocol used in SCADA networks. If your network does not contain
+any Modbus-enabled devices, we recommend leaving this preprocessor turned off.
+
+Dependencies
+============
+The Stream5 preprocessor must be enabled for the Modbus preprocessor to work.
+Protocol-Aware Flushing (PAF) is also required. See README.stream5 for more
+information.
+
+Preprocessor Configuration
+==========================
+Modbus configuration is split into two parts: the preprocessor config, and the
+rule options. The preprocessor config starts with:
+
+preprocesor modbus:
+
+Options are as follows:
+
+ Option Argument Required Default
+ --------------------------------------------------------------
+ ports , or NO ports 502
+ { port [port] ... }
+
+Option explanations
+ ports
+ This sets the port numbers on which Modbus traffic is inspected.
+ A single port number may be provided, or a space-separated list
+ enclosed in curly brackets. The default is port 502.
+
+Example preprocessor config
+
+preprocessor modbus: ports { 502 }
+
+Rule Options
+============
+The Modbus preprocessor adds 3 new rule options. These rule options match on
+various pieces of the Modbus headers.
+
+The preprocessor must be enabled for these rule options to work.
+
+modbus_func
+---------
+This option matches against the Function Code inside of a Modbus
+Application-Layer request/response header. The code may be a number
+(in decimal format), or a string from the list provided below.
+
+Syntax:
+ modbus_func:
+
+ code = 0-255
+ read_coils
+ read_discrete_inputs
+ read_holding_registers
+ read_input_registers
+ write_single_coil
+ write_single_register
+ read_exception_status
+ diagnostics
+ get_comm_event_counter
+ get_comm_event_log
+ write_multiple_coils
+ write_multiple_registers
+ report_slave_id
+ read_file_record
+ write_file_record
+ mask_write_register
+ read_write_multiple_registers
+ read_fifo_queue
+ encapsulated_interface_transport
+
+Example:
+ alert tcp any any -> any 502 (msg:"Modbus Write Coils request"; \
+ modbus_func:write_multiple_coils; sid:1;)
+
+modbus_unit
+-----------
+This rule option matches against the Unit ID field in a Modbus header.
+
+Syntax:
+ modbus_unit:
+
+ unit = 0-255
+
+Example:
+ var MODBUS_ADMIN 192.168.1.2
+ alert tcp !$MODBUS_ADMIN any -> any 502 (msg:"Modbus command to Unit 01 \
+ from unauthorized host"; modbus_unit:1; sid:1;)
+
+modbus_data
+---------
+This rule option sets the cursor at the beginning of the Data field in
+a Modbus request/response.
+
+Syntax:
+ modbus_data;
+
+ No options.
+
+Example:
+
+alert tcp any any -> any any (msg:"String 'badstuff' in Modbus message"; \
+ modbus_data; content:"badstuff"; sid:1;)
+
+
+Preprocessor Rules
+==================
+The Modbus preprocessor uses GID 144 for its preprocessor events.
+
+SID Description
+--------------------------------------------------------------------
+ 1 The length in the Modbus header does not match the length needed
+ by the Modbus function code.
+
+ Each Modbus function has an expected format for requests and responses.
+ If the length of the message does not match the expected format, this
+ alert is generated.
+
+ 2 Modbus protocol ID is non-zero.
+ The protocol ID field is used for multiplexing other protocols with
+ Modbus. Since the preprocessor cannot handle these other protocols,
+ this alert is generated instead.
+
+ 3 Reserved Modbus function code in use.
diff -Nru snort-2.8.5.2/doc/README.multipleconfigs snort-2.9.2/doc/README.multipleconfigs --- snort-2.8.5.2/doc/README.multipleconfigs 2009-07-07 15:36:58.000000000 +0000 +++ snort-2.9.2/doc/README.multipleconfigs 2011-10-26 18:28:51.000000000 +0000 @@ -17,17 +17,21 @@ config binding: vlan config binding: net +config binding: policy_id : Refers to the absolute or relative path to the snort.conf for specific configuration. - : Refers to the comma seperated list of vlandIds and vlanId + : Refers to the comma seperated list of vlandIds and vlanId ranges. The format for ranges is two vlanId separated by a "-". Spaces are allowed within ranges. Valid vlanId is any number in 0-4095 range. Negative vland Ids and alphanumeric are not supported. : Refers to ip subnets. Subnets can be CIDR blocks for IPV6 -or IPv4. +or IPv4. A maximum of 512 individual IPv4 or IPv6 addresses or CIDRs can be +specified. + + : Refers to the comma seperated list of 16bit policyIds NOTE: Vlan and Subnets can not be used in the same line. Configurations can be applied based on either Vlans or Subnets not both. diff -Nru snort-2.8.5.2/doc/README.normalize snort-2.9.2/doc/README.normalize --- snort-2.8.5.2/doc/README.normalize 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/doc/README.normalize 2011-10-26 18:28:51.000000000 +0000 
@@ -0,0 +1,213 @@
+When operating Snort in inline mode, it is helpful to normalize packets to help
+minimize the chances of evasion.
+
+To enable the normalizer, use the following when configuring Snort:
+
+ ./configure --enable-normalizer
+
+The normalize preprocessor is activated via the conf as outlined below. There
+are also many new preprocessor and decoder rules to alert on or drop packets
+with "abnormal" encodings.
+
+Note that in the following, fields are cleared only if they are non-zero.
+Also, normalizations will only be enabled if the selected DAQ supports packet
+replacement and is operating in inline mode.
+
+If a policy is configured for inline_test or passive mode, any normalization
+statements in the policy config are ignored.
+
+
+IP4 Normalizations
+==================
+
+IP4 normalizations are enabled with:
+
+ preprocessor normalize_ip4: [df], [rf], [tos], [trim]
+
+Base normalizations enabled with "preprocessor normalize_ip4" include:
+
+* TTL normalizaton if enabled (explained below).
+
+* NOP all options octets.
+
+Optional normalizations include:
+
+* df - don't fragment: clear this bit on incoming packets.
+
+* rf - reserved flag: clear this bit on incoming packets.
+
+* tos - type of service (differentiated services): clear this byte.
+
+* trim - truncate packets with excess payload to the datagram length specified in the
+ IP header + the layer 2 header (eg ethernet), but don't truncate below minimum
+ frame length. This is automatically disabled if the DAQ can't inject packets.
+
+
+IP6 Normalizations
+==================
+
+IP6 normalizations are enabled with:
+
+ preprocessor normalize_ip6
+
+Base normalizations enabled with "preprocessor normalize_ip6" include:
+
+* Hop limit normalizaton if enabled (explained below).
+
+* NOP all options octets in hop-by-hop and destination options extension
+ headers.
+
+
+ICMP4/6 Normalizations
+======================
+
+ICMP4 and ICMP6 normalizations are enabled with:
+
+ preprocessor normalize_icmp4
+ preprocessor normalize_icmp6
+
+Base normalizations enabled with the above include:
+
+* Clear the code field in echo requests and replies.
+
+
+TCP Normalizations
+==================
+
+TCP normalizations are enabled with:
+
+ preprocessor normalize_tcp: \
+ [ips], [urp], [trim], \
+ [ecn ], \
+ [opts [allow +]]
+
+ ::= stream | packet
+
+ ::= \
+ sack | echo | partial_order | conn_count | alt_checksum | md5 |
+
+ ::= { 4, 5 }
+ ::= { 6, 7 }
+ ::= { 9, 10 }
+ ::= { 11, 12, 13 }
+ ::= { 14, 15 }
+ ::= { 19 }
+ ::= (3..255)
+
+Base normalizations enabled with "preprocessor normalize_tcp" include:
+
+* Clear the reserved bits in the TCP header.
+
+* Clear the urgent pointer if the urgent flag is not set.
+
+* Clear the urgent pointer and the urgent flag if there is no payload.
+
+* Set the urgent pointer to the payload length if it is greater than the
+ payload length.
+
+* Clear the urgent flag if the urgent pointer is not set.
+
+* Clear any option padding bytes.
+
+Optional normalizations include:
+
+* ips: ensure consistency in retransmitted data (also forces reassembly policy
+ to "first"). Any segments that can't be properly reassembled will be dropped.
+
+* urp - urgent pointer: don't adjust the urgent pointer if it is greater than
+ payload length.
+
+* trim: remove data on SYN.
+
+* trim: remove any data from RST packet.
+
+* trim: trim data to window.
+
+* trim: trim data to MSS.
+
+* ecn packet: clear ECN flags on a per packet basis (regardless of
+ negotiation).
+
+* ecn stream: clear ECN flags if usage wasn't negotiated. Should also enable
+ require_3whs.
+
+* opts: NOP all option bytes other than maximum segment size, window scaling,
+ timestamp, and any explicitly allowed with the allow keyword. You can allow
+ options to pass by name or number.
+
+* opts: if timestamp is present but invalid, or valid but not negotiated, NOP
+ the timestamp octets.
+
+* opts: if timestamp was negotiated but not present, block the packet.
+
+* opts: clear TS ECR if ACK flag is not set.
+
+* opts: MSS and window scale options are NOP'd if SYN flag is not set.
+
+
+TTL Normalization
+=================
+
+TTL normalization pertains to both IP4 TTL (time-to-live) and IP6 (hop limit)
+and is only performed if both the relevant base normalization is enabled (as
+described above) and the minimum and new TTL values are configured, as follows:
+
+ config min_ttl:
+ config new_ttl:
+
+ ::= (1..255)
+ ::= (+1..255)
+
+If new_ttl > min_ttl, then if a packet is received with a TTL < min_ttl, the
+TTL will be set to new_ttl.
+
+Note that this configuration item was deprecated in 2.8.6:
+
+ preprocessor stream5_tcp: min_ttl <#>
+
+By default min_ttl = 1 and new_ttl = 0 (TTL normalization is disabled).
+
+
+New Decoder and Preprocessor Rules
+==================================
+
+116,424 Eth cap len < hdr len
+
+116,426 ICMP4 Any: len < min ICMP header
+116,416 ICMP4 Echo Request: destination is a broadcast address (255.255.255.255/32)
+116,415 ICMP4 Echo Request: destination is a multicast address (224.0.0.0/4)
+116,417 ICMP4 Source Quench: to prevent DoS
+116,418 ICMP4 other: (Other = all not decoded by Snort)
+
+116,427 ICMP6 Any: len < min ICMP header
+116,432 ICMP6 Echo request: destination is a multicast address
+116,431 ICMP6 other: (Other = all not decoded by Snort)
+
+116,430 IP4 DF set and offset > 0.
+116,409 IP4 Dst addr is current network (0.0.0.0/8)
+116,412 IP4 Dst addr is unused/reserved (240.0.0.0/4)
+116,414 IP4 Dst addr is broadcast address (255.255.255.255/32)
+116,407 IP4 offset + len > 64KB.
+116,425 IP4 Len < header len.
+116,408 IP4 Src addr is current network (0.0.0.0/8)
+116,410 IP4 Src addr is multicast address (224.0.0.0/4)
+116,413 IP4 Src addr is broadcast address (255.255.255.255/32)
+116,411 IP4 Src addr is unused/reserved (240.0.0.0/4)
+
+129,11 TCP: no control flags set on data for established session
+129,3 TCP: Data on closed session
+129,8 TCP: Data after RST
+116,422 TCP: FIN==1 && ACK==0
+116,422 TCP: PUSH==1 && ACK==0
+129,15 TCP: RST not in window
+116,420 TCP: SYN==1 && FIN==1
+129,2 TCP: SYN with data
+116,421 TCP: SYN==1 && RST==1
+116,423 TCP: SYN==0 && ACK==0 && RST==0
+129,1 TCP: SYN on established session
+116,422 TCP: URG==1 && ACK==0
+116,419 TCP: URG==1 && (dsize==0 || urp > dsize)
+129,6 TCP: Window Too large normalize_tcp
+129,4 TCP TS option: packet fails PAWS test
+129,14 TCP TS option: missing but negotiated in SYN
+
diff -Nru snort-2.8.5.2/doc/README.pcap_readmode snort-2.9.2/doc/README.pcap_readmode
--- snort-2.8.5.2/doc/README.pcap_readmode 2008-03-04 20:00:36.000000000 +0000
+++ snort-2.9.2/doc/README.pcap_readmode 2010-04-06 14:05:45.000000000 +0000
@@ -12,7 +12,7 @@ -r Read a single pcap. --pcap-single= Same as -r. Added for completeness. --pcap-file= File that contains a list of pcaps to read. Can
- specifiy path to pcap or directory to recurse to
+ specify path to pcap or directory to recurse to get pcaps. --pcap-list="" A space separated list of pcaps to read. --pcap-dir= A directory to recurse to look for pcaps. Sorted
@@ -21,7 +21,7 @@ file or directory. This filter will apply to any --pcap-file or --pcap-dir args following. Use --pcap-no-filter to delete filter for following
- --pcap-file or --pcap-dir args or specifiy
+ --pcap-file or --pcap-dir args or specify --pcap-filter again to forget previous filter and to apply to following --pcap-file or --pcap-dir args. --pcap-no-filter Reset to use no filter when getting pcaps from file
diff -Nru snort-2.8.5.2/doc/README.PerfProfiling snort-2.9.2/doc/README.PerfProfiling
--- snort-2.8.5.2/doc/README.PerfProfiling 2009-07-07 15:36:58.000000000 +0000
+++ snort-2.9.2/doc/README.PerfProfiling 2011-10-26 18:28:51.000000000 +0000
@@ -1,3 +1,6 @@
+# To use Rule or Preprocessor profiling, you must build snort using the
+# --enable-perfprofiling option to configure.
+
 # Rule Profiling Configuration # # syntax:
@@ -64,7 +67,7 @@ High Checks and low Avg/Check is usually an ANY->ANY rule with few rule options and no content. Quick to check, the few options may or may not match. We are looking at moving some of these into code... Especially
-those with low SIDs.
+those with low SIDs. By default, this information will be printed to the console when Snort exits. You can use the "filename" option in snort.conf to specify a
@@ -94,7 +97,7 @@ # # 3) Print all preprocessors, sorted by number of checks # config profile_preprocs: print all, sort checks
-#
+#
 # When printing a specific number of preprocessors all subtasks info # is printed for each layer 0 preprocessor stat.
@@ -116,25 +119,49 @@ - Percent of caller For non layer 0 preprocessors -- ie, subroutines within preprocessors, this identifies the percent of the caller's ticks that is spent for
- this subtask.
+ this subtask.
-Example, using config profile_rules: print 3, sort total_ticks
-Preprocessor Profile Statistics (worst 3)
+Example, using config profile_preprocs: print 10, sort total_ticks
+Preprocessor Profile Statistics (worst 10)
 ==========================================================
- Num Preprocessor Layer Checks Exits Ticks Avg/Check Pct of Caller
- === ============ ===== ====== ===== ===== ========= =============
- 1 s4 0 106323 106323 5457197986 51326.6 0.0
- 1 s4StateAction 1 106323 106323 1951276047 18352.3 35.8
- 2 s4ProcessRebuilt 1 1876 1876 1400764326 746676.1 25.7
- 3 s4State 1 106323 106323 685831114 6450.4 12.6
- 4 s4GetSess 1 106323 106323 565310684 5316.9 10.4
- 5 s4PktInsert 1 67828 67828 293546724 4327.8 5.4
- 6 s4Flush 1 4064 4064 74460923 18322.1 1.4
- 1 s4Rebuild 2 1876 1876 42991921 22916.8 57.7
- 7 s4NewSess 1 822 822 6625851 8060.6 0.1
- 8 s4Prune 1 30 30 3573059 119102.0 0.1
- 2 httpinspect 0 69704 69704 1090293755 15641.8 0.0
- 3 sfportscan 0 106323 106323 972732074 9148.8 0.0
+ Num Preprocessor Layer Checks Exits Microsecs Avg/Check Pct of Caller Pct of Total
+ === ============ ===== ====== ===== ========= ========= ============= ============
+ 1 detect 0 338181 338181 9054573 26.77 64.62 64.62
+ 1 rule eval 1 256978 256978 2570596 10.00 28.39 18.35
+ 1 rule tree eval 2 399860 399860 2520629 6.30 98.06 17.99
+ 1 pcre 3 51328 51328 505636 9.85 20.06 3.61
+ 2 byte_jump 3 6 6 7 1.30 0.00 0.00
+ 3 content 3 1077588 1077588 1123373 1.04 44.57 8.02
+ 4 uricontent 3 106498 106498 79685 0.75 3.16 0.57
+ 5 byte_test 3 9951 9951 5709 0.57 0.23 0.04
+ 6 isdataat 3 8486 8486 3192 0.38 0.13 0.02
+ 7 flowbits 3 135739 135739 35365 0.26 1.40 0.25
+ 8 flags 3 2 2 0 0.20 0.00 0.00
+ 9 preproc_rule_options 3 15499 15499 1939 0.13 0.08 0.01
+ 10 flow 3
394817 394817 36420 0.09 1.44 0.26
+ 11 file_data 3 15957 15957 1264 0.08 0.05 0.01
+ 12 ack 3 4 4 0 0.07 0.00 0.00
+ 2 rtn eval 2 36928 36928 17500 0.47 0.68 0.12
+ 2 mpse 1 646528 646528 5840244 9.03 64.50 41.68
+ 2 s5 0 310080 310080 3270702 10.55 23.34 23.34
+ 1 s5tcp 1 310080 310080 2993020 9.65 91.51 21.36
+ 1 s5TcpState 2 304484 304484 2559085 8.40 85.50 18.26
+ 1 s5TcpFlush 3 22148 22148 70681 3.19 2.76 0.50
+ 1 s5TcpProcessRebuilt 4 22132 22132 2018748 91.21 2856.11 14.41
+ 2 s5TcpBuildPacket 4 22132 22132 34965 1.58 49.47 0.25
+ 2 s5TcpData 3 184186 184186 120794 0.66 4.72 0.86
+ 1 s5TcpPktInsert 4 46249 46249 89299 1.93 73.93 0.64
+ 2 s5TcpNewSess 2 5777 5777 37958 6.57 1.27 0.27
+ 3 httpinspect 0 204751 204751 1814731 8.86 12.95 12.95
+ 4 ssl 0 10780 10780 16283 1.51 0.12 0.12
+ 5 decode 0 312638 312638 437860 1.40 3.12 3.12
+ 6 DceRpcMain 0 155358 155358 186061 1.20 1.33 1.33
+ 1 DceRpcSession 1 155358 155358 156193 1.01 83.95 1.11
+ 7 backorifice 0 77 77 42 0.55 0.00 0.00
+ 8 smtp 0 45197 45197 17126 0.38 0.12 0.12
+ 9 ssh 0 26453 26453 7195 0.27 0.05 0.05
+ 10 dns 0 28 28 5 0.18 0.00 0.00
+ total total 0 311202 311202 14011946 45.03 0.00 0.00
 Because of task swapping, non-instrumented code, and other factors, the Percent of caller field will not add up to 100% of the caller's time.
diff -Nru snort-2.8.5.2/doc/README.pop snort-2.9.2/doc/README.pop
--- snort-2.8.5.2/doc/README.pop 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/doc/README.pop 2011-07-13 22:43:17.000000000 +0000
@@ -0,0 +1,176 @@
+POP
+====
+
+-- Overview --
+POP is an POP3 decoder for user applications. Given a data buffer,
+POP will decode the buffer and find POP3 commands and responses.
+It will also mark the command, data header data body sections and
+extract the POP3 attachments and decode it appropriately.
+
+POP will handle stateful processing. It saves state between individual
+packets. However maintaining correct state is dependent on the resassembly
+of the server side of the stream (ie, a loss of coherent stream data results
+in a loss of state).
+
+Stream5 should be turned on for POP. Please ensure that the POP ports are added
+ to the stream5 ports for proper reassembly.
+
+
+-- Configuration --
+
+The configuration options are described below:
+
+* ports { port [port] ... } *
+This specifies on what ports to check for POP data. Typically, this will
+include 110. Default ports if none are specified are 110 .
+
+* disabled *
+Disables the POP preprocessor in a config. This is useful when specifying
+the decoding depths such as b64_decode_depth, qp_decode_depth, uu_decode_depth,
+bitenc_decode_depth or the memcap used for decoding in default config
+without turning on the POP preprocessor.
+
+* b64_decode_depth *
+This config option is used to turn off/on or set the base64 decoding depth used to
+decode the base64 encoded MIME attachments. The value ranges from -1 to 65535.
+A value of -1 turns off the base64 decoding of MIME attachments. The value of 0
+sets the decoding of base64 encoded MIME attachments to unlimited. A value other
+than 0 or -1 restricts the decoding of base64 MIME attachments. A POP preprocessor
+alert with sid 4 is generated (if enabled) when the decoding fails or when this
+decode depth is exceeded.
+
+Multiple MIME attachments/data in one packet are pipelined. When stateful inspection
+is turned on the base64 encoded MIME attachments/data across multiple packets are
+decoded too.
+
+The decoded data is available for detection using the rule option file_data.
+See file_data rule option for more details.
+
+It is recommended that user inputs a value that is a multiple of 4. When the value
+specified is not a multiple of 4, the POP preprocessor will round it up to the next
+multiple of 4.
+
+In case of multiple configs, the value specified in the non-default config cannot
+exceed the value specified in the default config.
+
+* qp_decode_depth *
+This config option is used to turn off/on or set the Quoted-Printable decoding depth
+used to decode the Quoted-Printable(QP) encoded MIME attachments. The value ranges
+from -1 to 65535. A value of -1 turns off the QP decoding of MIME attachments.
+The value of 0 sets the decoding of QP encoded MIME attachments to unlimited. A
+value other than 0 or -1 restricts the decoding of QP MIME attachments. A POP
+preprocessor alert with sid 5 is generated (if enabled) when the decoding fails
+or when this decode depth is exceeded.
+
+Multiple MIME attachments/data in one packet are pipelined. When stateful inspection
+is turned on the QP encoded MIME attachments/data across multiple packets are decoded too.
+
+The decoded data is available for detection using the rule option file_data.
+See file_data rule option for more details.
+
+In case of multiple configs, the value specified in the non-default config cannot exceed
+the value specified in the default config.
+
+* bitenc_decode_depth *
+This config option is used to turn off/on or set the 7bit/8bit/binary extraction
+depth used to extract the 7bit/8bit/binary encoded MIME attachments. The
+value ranges from -1 to 65535. A value of -1 turns off the extraction of these MIME
+attachments. The value of 0 sets the extraction of these MIME attachments to unlimited.
+A value other than 0 or -1 restricts the extraction of these MIME attachments. A POP
+preprocessor alert with sid 6 is generated (if enabled) when this extraction depth is exceeded.
+
+Multiple MIME attachments/data in one packet are pipelined. When stateful inspection
+is turned on the 7bit/8bit/binary MIME attachments/data across multiple packets are
+extracted too.
+
+The extracted data is available for detection using the rule option file_data.
+See file_data rule option for more details.
+
+In case of multiple configs, the value specified in the non-default config cannot exceed
+the value specified in the default config.
+
+* uu_decode_depth *
+This config option is used to turn off/on or set the Unix-to-Unix decoding depth
+used to decode the Unix-to-Unix(UU) encoded attachments. The value ranges
+from -1 to 65535. A value of -1 turns off the UU decoding of POP attachments.
+The value of 0 sets the decoding of UU encoded POP attachments to unlimited. A
+value other than 0 or -1 restricts the decoding of UU POP attachments. A POP
+preprocessor alert with sid 7 is generated (if enabled) when the decoding fails
+or when this decode depth is exceeded.
+
+Multiple UU Encoded attachments/data in one packet are pipelined. When stateful inspection
+is turned on the UU encoded attachments/data across multiple packets are decoded too.
+
+The decoded data is available for detection using the rule option file_data.
+See file_data rule option for more details.
+
+In case of multiple configs, the value specified in the non-default config cannot exceed
+the value specified in the default config.
+
+* memcap *
+This option determines (in bytes) the maximum amount of memory the POP preprocessor
+will use for decoding base64 encoded/quoted-printable/7bit/8bit/binary MIME attachments/data
+or Unix-to-Unix encoded attachments. This value can be set from 3276 bytes to 100MB.
+
+This option along with the maximum of the decoding depths will determine the POP
+sessions that will be decoded at any given instant. The default value for this option
+is 838860.
+
+Note: It is suggested to set this value such that the max pop session calculated as
+follows is atleast 1.
+
+max pop session = memcap /(2 * max of (b64_decode_depth, uu_decode_depth, qp_decode_depth
+ or bitenc_decode_depth))
+
+For example, if b64_decode_depth is 0 (indicates unlimited decoding) and qp_decode_depth is 100, then
+
+max pop session = memcap/2*65535 (max value for b64_decode_depth)
+
+In case of multiple configs, the memcap of the non-default configs will be overwritten by the
+default config's value. Hence user needs to define it in the default config with the new keyword
+disabled (used to disable POP preprocessor in a config).
+
+When the memcap for decoding (memcap) is exceeded the POP preprocessor alert with sid 3 is
+generated (when enabled).
+
+Example:
+preprocessor pop: \
+ ports { 110 } \
+ memcap 1310700 \
+ qp_decode_depth -1 \
+ b64_decode_depth 0 \
+ bitenc_decode_depth 100
+
+
+preprocessor pop: \
+ memcap 1310700 \
+ qp_decode_depth 0 \
+ disabled
+
+Default:
+preprocessor pop: \
+ ports { 110 } \
+ b64_decode_depth 1460 \
+ qp_decode_depth 1460 \
+ bitenc_decode_depth 1460 \
+ uu_decode_depth 1460
+
+Events
+================================================================================
+The POP preprocessor uses GID 142 to register events.
+
+
+SID Description
+--------------------------------------------------------------------------------
+ 1 Alert if POP encounters an invalid POP3 command.
+ 2 Alert if POP encounters an invalid POP3 response.
+ 3 If the decoding memory cap (memcap) is reached and the preprocessor is configured to alert,
+ this alert will be created.
+ 4 If the decoding of a base64 MIME attachments fails or when the decoding stops due to exceeded
+ b64_decode_depth.
+ 5 If the decoding of a Quoted-Printable MIME attachments fails or when the decoding stops due to exceeded
+ qp_decode_depth.
+ 6 If the decoding of a 7bit/8bit/binary MIME attachments fails or when the decoding stops due to
+ exceeded bitenc_decode_depth.
+ 7 If the decoding of a Unix-to-Unix encoded attachments fails or when the decoding stops due to exceeded
+ uu_decode_depth.
diff -Nru snort-2.8.5.2/doc/README.ppm snort-2.9.2/doc/README.ppm
--- snort-2.8.5.2/doc/README.ppm 2007-08-20 17:42:08.000000000 +0000
+++ snort-2.9.2/doc/README.ppm 2010-06-09 22:04:48.000000000 +0000
@@ -61,7 +61,7 @@ - reasonable starting defaults: 100/250/1000 for 1G/100M/5M nets threshold
- - sets the number of consecutive rule time excesses before disabling
+ - sets the number of cumulative rule time excesses before disabling a rule - default is 5
diff -Nru snort-2.8.5.2/doc/README.reload snort-2.9.2/doc/README.reload
--- snort-2.8.5.2/doc/README.reload 2009-07-07 15:36:58.000000000 +0000
+++ snort-2.9.2/doc/README.reload 2011-11-21 20:15:24.000000000 +0000
@@ -72,10 +72,6 @@ config chroot config daemon config detection_filter
-config flexresp2_attempts
-config flexresp2_interface
-config flexresp2_memcap
-config flexresp2_rows config flowbits_size config interface config logdir
@@ -84,6 +80,7 @@ config no_promisc config pkt_count config rate_filter
+config response config read_bin_file config set_gid config set_uid
@@ -130,3 +127,8 @@ track_udp track_icmp
+
+Caveats:
+========
+
+When Snort is run on the primary network interface of an OpenBSD system, the reload and failopen operations may not function as expected.
diff -Nru snort-2.8.5.2/doc/README.reputation snort-2.9.2/doc/README.reputation
--- snort-2.8.5.2/doc/README.reputation 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/doc/README.reputation 2011-10-26 14:49:57.000000000 +0000
@@ -0,0 +1,253 @@
+Reputation Preprocessor
+================================================================================
+Hui Cao
+
+##########################################
+# THIS CODE IS STILL EXPERIMENTAL!
+# DO NOT USE IN PRODUCTION ENVIRONMENTS.
+# Please send any issues to the Snort team
+##########################################
+
+Overview
+================================================================================
+Reputation preprocessor provides basic IP blacklist/whitelist capabilities, to
+block/drop/pass traffic from IP addresses listed. In the past, we use standard
+Snort rules to implement Reputation-based IP blocking. This preprocessor will
+address the performance issue and make the IP reputation management easier.
+Repuation preprocessor runs before other preprocessors.
+
+Sections:
+ Configuration
+ IP list file format
+ Events
+ Shared memory support
+
+Configuration
+================================================================================
+The preprocessor configuration name is "reputation".
+
+preprocessor reputation
+
+Option Argument Required Default
+memcap No memcap 500
+scan_local None No off
+blacklist No NULL
+whitelist No NULL
+priority [blacklist whitelist] No priority whitelist
+nested_ip [inner outer both] No nested_ip inner
+
+
+memcap = 1 - 4095 Mbytes
+
+preprocessor reputation:\
+ < memcap number >,\
+ < scanLocal >, \
+ < blacklist < list filename >>,\
+ < whitelist < list filename >>,\
+ < priority [blacklist whitelist] >,\
+ < nested_ip [inner outer both] >
+Options:
+
+ < memcap number >:
+ maximum total memory allocated (in Megabytes). It can be set up to
+ 4095 Megabytes.
+
+ < scan_local > :
+ Enable to inspect local address defined in RFC 1918:
+ 10.0.0.0 - 10.255.255.255 (10/8 prefix)
+ 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
+ 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
+
+ < list filename > :
+ The IP lists are loaded from external files.
It supports relative
+ paths for inclusion and $variables for path. Multiple blacklists or
+ whitelists are supported.
+
+ Note: if the same IP is redefined later, it will overwrite the
+ previous one. In other words, IP lists always favors the last file or
+ entry processed.
+
+ < priority > :
+ Specify either blacklist or whitelist has higher priority when
+ source/destination is on blacklist while destination/source is on
+ whitelist. By default, whitelist has higher priority. In other words,
+ the packet will be passed when either source or destination is
+ whitelisted.
+
+ Note: this only defines priority when there is a decision conflict,
+ during run-time. During initialization time, if the same IP address
+ is defined in whitelist and blacklist, whoever the last one defined
+ will be the final one. Priority does not work on this case.
+
+ < nested_ip >:
+ Specify which IP address to be used when there is IP encapsulation.
+
+
+Configuration examples
+
+ Default configuration
+ # Standard blacklisting.
+ # If running in inline mode the packets will be dropped.
+ preprocessor reputation:\
+ blacklist /etc/snort/default.blacklist, \
+ whitelist /etc/snort/default.whitelist
+
+ Inspect inner and outer IP configuration
+ # Inspect both inner and outer, Also adds a whitelist entry
+ # to make exceptions.
+ preprocessor reputation: n
+ nested_ip both, \
+ blacklist /etc/snort/default.blacklist, \
+ whitelist /etc/snort/default.whitelist
+ Full configuration
+ # Blacklisting with scan local network, use both headers,
+ # and whitelist has higher priority.
+ # Also adds a whitelist entry to make exceptions.
+ preprocessor reputation: \
+ memcap 200, scan_local, nested_ip both, \
+ priority whitelist, \
+ blacklist /etc/snort/default.blacklist, \
+ whitelist /etc/snort/default.whitelist
+
+ Variable path/file configuration
+
+ $REP_BLACK_FILE1 = ../dshield.list
+ $REP_BLACK_FILE2 = ../snort.org.list
+ preprocessor reputation: \
+ blacklist $REP_BLACK_FILE1,\
+ blacklist $REP_BLACK_FILE2
+
+IP List File Format
+
+ Syntax
+ The IP list file has 1 entry per line. The entry can be either IP entry or
+ comment.
+
+ IP Entry
+ CIDR notation line break
+ Example:
+ 172.16.42.32/32
+
+ Comment
+ #
+ Example:
+ # This is a full line comment
+
+ IP List File Example
+ ----------------------
+ # This is a full line comment
+ 172.16.42.32/32 # This is an inline comment, line with single CIDR block
+
+Use case
+
+ A user wants to protect his/her network from unwanted/unknown IPs, only
+ allowing some trusted IPs. Here is the configuration:
+
+ preprocessor reputation: \
+ blacklist /etc/snort/default.blacklist
+ whitelist /etc/snort/default.whitelist
+
+ In file "default.blacklist"
+ # These two entries will match all ipv4 addresses
+ 1.0.0.0/1
+ 128.0.0.0/1
+
+ In file "default.whitelist"
+ 68.177.102.22 # sourcefire.com
+ 74.125.93.104 # google.com
+
+Events
+================================================================================
+The preprocessor uses GID 136 to register events.
+
+
+SID Description
+--------------------------------------------------------------------------------
+ 1 Packets are blacklisted.
+ 2 Packets are whitelisted.
+
+Rule Options
+================================================================================
+ No rule options
+
+Shared memory support
+================================================================================
+ In order to minimize memory consumption when multiple Snort instances are
+ running concurrently, we introduce the support of shared memory.
After
+ configured, all the snort instances share the same IP tables in shared memory.
+
+System requirement
+ This feature is supported only in Linux.
+
+Build configuration
+
+ A new option, --enable-shared-rep is introduced to ./configure command.
+ This option enables the support for shared memory.
+ In order to signal Snort to reload the IP file lists, control socket feature
+ should be enabled also. --enable-control-socket
+
+Configuration
+
+ shared_mem
+
+ If the build supports shared memory, this configuration will enable shared
+ memory. If this option isn't set, standard memory is used. This option must
+ specify a path or directory where IP lists will be loaded in shared memory.
+ One snort instance will create and maintain the shared IP lists.
+ We use instance ID 1, specified in the snort -G option to be the master snort.
+ All the other snort instances are clients (readers).
+
+ Syntax:
+ shared_mem: path
+ Examples:
+ shared_mem /user/reputation/iplists
+
+ shared_refresh
+
+ This option changes the period of checking new shared memory segment, in the
+ unit of second. By default, the refresh rate is 60 seconds.
+
+ Syntax:
+ shared_refresh
+ period = "1 - 4294967295"
+ Examples:
+ shared_refresh 60
+
+ Steps to configure shared memory
+
+ 1) When building Snort, add option -enable-shared-rep and --enable-control-socket
+ to ./configure.
+ For example:
+ ./configure --enable-gre --enable-sourcefire --enable-flexresp3
+ --enable-dynamicplugin --enable-pthread --enable-linux-smp-stats --enable-mpls
+ --enable-targetbased --enable-shared-rep --enable-control-socket
+
+ 2) Put your IP list file into a directory, where snort has full access
+ For example: /user/reputation/iplists
+ In order to separate whitelist with blacklist, you need to specify
+ whitelist with .wlf extension and blacklist with .blf extension.
+ 3) In snort config file, specify shared memory support with the path to IP files.
+ Example: shared_mem /user/reputation/iplists
+ If you want to change the period of checking new IP lists, add refresh period.
+ Example: shared_refresh 300
+ 4) Start shared memory master(writer) with -G 1 option. Note: only one master
+ should be enabled.
+ 5) Start shared memory clients (readers) with -G 2 or other IDs. Note: for
+ one ID, only one snort instance should be enabled.
+ 6) You will see the IP lists got loaded and shared across snort instances!
+
+ Reload IP list using control socket
+ 1) Run snort using command line with option --cs-dir
+ or configure snort with config cs_dir:
+ 2) (Optional) you can create a version file named "IPRVersion.dat" in the IP list
+ directory. This file helps managing reloading IP lists, by specifying version.
+ When the version isn't changed, IP lists will not be reloaded if they are
+ already in shared memory.
+ For example:
+ VERSION=19
+ 3) In the ./src/tools/control directory, you will find snort_control command if
+ built with --enable-control-socket option.
+ 4) Type the following command to reload IP lists. Before typing this command,
+ make sure to update version file if you are using version file.
+ The is the same path in step 1).
+ /src/tools/control 1361
\ No newline at end of file
diff -Nru snort-2.8.5.2/doc/README.rzb_saac snort-2.9.2/doc/README.rzb_saac
--- snort-2.8.5.2/doc/README.rzb_saac 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/doc/README.rzb_saac 2011-06-08 00:33:00.000000000 +0000
@@ -0,0 +1,39 @@
+#### EXPERIMENTAL ####
+
+RZB_SaaC
+---
+Patrick Mullen
+Ron Dempster
+
+Documentation last update 2011-01-05
+
+== Overview ==
+
+The Razorback SaaC preprocessor monitors SMTP and HTTP streams and extracts
+documents that are forwarded to a Razorback dispatcher for analysis. HTTP
+streams have a destination port of 80 and SMTP streams have a destination port
+of 25.
+
+== Configuration ==
+
+The only configuration that is accepted is rzb_conf
+By default, all alerts are disabled and the preprocessor checks traffic on port
+22.
+
+The available configuration options are described below:
+
+* rzb_conf
+
+This option specifies the name and location of the Razorback configuration file.
+For information on Razorback functionality and configuration, please visit
+
+http://sourceforge.net/projects/razorbacktm/
+
+and
+
+http://sourceforge.net/projects/nuggetfarm/
+
+== Example Configuration ==
+
+preprocessor rzb: rzb_conf /var/tmp/rzb.conf
+
diff -Nru snort-2.8.5.2/doc/README.sensitive_data snort-2.9.2/doc/README.sensitive_data
--- snort-2.8.5.2/doc/README.sensitive_data 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/doc/README.sensitive_data 2010-04-06 14:05:45.000000000 +0000
@@ -0,0 +1,153 @@
+Overview
+========
+The Sensitive Data preprocessor is a Snort module that performs detection and
+filtering of Personally Identifiable Information (PII). This information
+includes credit card numbers, U.S. Social Security numbers, and email addresses.
+A limited regular expression syntax is also included for defining your own PII.
+
+Sections:
+ Dependencies
+ Preprocessor Configuration
+ Rule Options
+
+Dependencies
+============
+The Stream5 preprocessor must be enabled for the Sensitive Data preprocessor
+to work.
+
+Preprocessor Configuration
+==========================
+Sensitive Data configuration is split into two parts: the preprocessor config,
+and the rule options. The preprocessor config starts with:
+
+preprocessor sensitive_data:
+
+Options are as follows:
+
+ Option Argument Required Default
+ ---------------------------------------------------------------------------
+ alert_threshold NO alert_threshold 25
+ 1 - 4294067295
+ mask_output NONE NO OFF
+ ssn_file NO OFF
+
+Option explanations
+ alert_threshold
+ The preprocessor will alert when any combination of PII are detected
+ in a session. This option specifies how many need to be detected before
+ alerting.
+ This should be set higher than the highest individual count in your
+ "sd_pattern" rules.
+ mask_output
+ This option replaces all but the last 4 digits of a detected PII with
+ "X"s. This is only done on credit card & Social Security numbers, where
+ an organization's regulations may prevent them from seeing unencrypted
+ numbers.
+ ssn_file
+ A Social Security number is broken up into 3 sections:
+ Area (3 digits), Group (2 digits), and Serial (4 digits).
+ On a monthly basis, the Social Security Administration publishes a list
+ of which Group numbers are in use for each Area.
+ These numbers can be updated in Snort by supplying a CSV file with the
+ new maximum Group numbers to use.
+ By default, Snort recognizes Social Security numbers issued up through
+ November 2009.
+
+Example preprocessor config
+
+preprocessor sensitive_data: alert_threshold 25 \
+ mask_output \
+ ssn_file ssn_groups_Jan10.csv
+
+Rule Options
+============
+Snort rules are used to specify which PII the preprocessor should look for.
+A new rule option is provided by the preprocessor:
+
+sd_pattern
+
+This rule option specifies what type of PII a rule should detect.
+
+Syntax:
+ sd_pattern: ,
+
+ count = 1-255
+ pattern = any string
+
+Option Explanations:
+
+ count
+ This dictates how many times a PII pattern must be matched for an alert
+ to be generated. The count is tracked across all packets in a session.
+
+ pattern
+ This is where the pattern of the PII gets specified. There are a few
+ built-in patterns to choose from:
+
+ credit_card:
+ The "credit_card" pattern matches 15- and 16-digit credit card
+ numbers. These numbers may have spaces, dashes, or nothing in
+ between groups. This covers Visa, Mastercard, Discover, and
+ American Express.
+
+ Credit card numbers matched this way have their check digits
+ verified using the Luhn algorithm.
+
+ us_social:
+ This pattern matches against 9-digit U.S. Social Security numbers.
+ The SSNs are expected to have dashes between the Area, Group, and
+ Serial sections.
+
+ SSNs have no check digits, but the preprocessor will check matches
+ against the list of currently allocated group numbers.
+
+ us_social_nodashes:
+ This pattern matches U.S. Social Security numbers without dashes
+ separating the Area, Group, and Serial sections.
+
+ email:
+ This pattern matches against email addresses.
+
+ If the pattern specified is not one of the above built-in patterns,
+ then it is the definition of a custom PII pattern. Custom PII types
+ are defined using a limited regex-style syntax.
The following + special characters and escape sequences are supported: + + \d - matches any digit + \D - matches any non-digit + \l - matches any letter + \L - matches any non-letter + \w - matches any alphanumeric character + \W - matches any non-alphanumeric character + {num} - used to repeat a character or escape sequence "num" times. + example: "\d{3}" matches 3 digits. + ? - makes the previous character or escape sequence optional. + example: " ?" matches an optional space. + This behaves in a greedy manner. + \\ - matches a backslash + \{, \} - matches { and } + \? - matches a question mark. + + Other characters in the pattern will be matched literally. + + NOTE: Unlike PCRE, "\w" in this rule option does NOT match underscores. + + +Examples: + sd_pattern: 2,us_social; + Alerts when 2 social security numbers (with dashes) appear in a session. + + sd_pattern: 5,(\d{3})\d{3}-\d{4}; + Alerts on 5 U.S. phone numbers, following the format (123)456-7890 + + Whole rule example: + + alert tcp $HOME_NET $HIGH_PORTS -> $EXTERNAL_NET $SMTP_PORTS \ + (msg:"Credit Card numbers sent over email"; gid:138; sid:1000; rev:1; \ + sd_pattern:4,credit_card; metadata:service smtp;) + +Caveats: + sd_pattern is not compatible with other rule options. Trying to use + other rule options with sd_pattern will result in an error message. + + Rules using sd_pattern must use GID 138. diff -Nru snort-2.8.5.2/doc/README.sfportscan snort-2.9.2/doc/README.sfportscan --- snort-2.8.5.2/doc/README.sfportscan 2008-10-03 20:55:41.000000000 +0000 +++ snort-2.9.2/doc/README.sfportscan 2010-04-06 14:05:45.000000000 +0000 @@ -103,7 +103,7 @@ will also display any open ports that were scanned. On TCP sweep alerts however, sfPortscan will only track open ports after the alert has been triggered. Open port events are not individual alerts, but tags based -off the orginal scan alert. +off the original scan alert. -- Configuration -- 
@@ -139,7 +139,7 @@ "Low" alerts are only generated on error packets sent from the target host, and because of the nature of error responses, this - setting should see very few false postives. However, this setting + setting should see very few false positives. However, this setting will never trigger a Filtered Scan alert because of a lack of error responses. This setting is based on a static time window of 60 seconds, afterwhich this window is reset. @@ -178,6 +178,13 @@ The maximum number of bytes to allocate for portscan detection. The higher this number the more nodes that can be tracked. +* disabled + This optional keyword is allowed with any policy to avoid packet processing. + This option disables the preprocessor. When the preprocessor is disabled + only the memcap option is applied when specified with the configuration. + The other options are parsed but not used. Any valid configuration may have + "disabled" added to it. + * logfile { } This option will output portscan events to the file specified. If does not contain a leading slash, this file will be placed in @@ -335,7 +342,7 @@ level, but for now the user must manually do this. The easiest way to determine false positives is through simple ratio estimations. The following is a list of ratios to estimate and the associated values that - indicate a legimite scan and not a false positive. + indicate a legitmate scan and not a false positive. Connection Count / IP Count: This ratio indicates an estimated average of connections per IP. For portscans, this ratio should be high, the higher diff -Nru snort-2.8.5.2/doc/README.sip snort-2.9.2/doc/README.sip --- snort-2.8.5.2/doc/README.sip 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/doc/README.sip 2011-07-13 22:43:17.000000000 +0000 
@@ -0,0 +1,329 @@
+SIP Preprocessor
+================================================================================
+Hui Cao
+
+Overview
+================================================================================
+Session Initiation Protocol (SIP) is an application-layer control (signaling)
+protocol for creating, modifying, and terminating sessions with one or more
+participants. These sessions include Internet telephone calls, multimedia
+distribution, and multimedia conferences. SIP Preprocessor provides ways to
+tackle Common Vulnerabilities and Exposures (CVEs) related with SIP found over
+the past few years. It also makes detecting new attacks easier.
+
+Sections:
+ Dependency Requirements
+ Configuration
+ Events
+ Rule Options
+
+
+Dependency Requirements
+================================================================================
+For proper functioning of the preprocessor:
+
+ Stream session tracking must be enabled, i.e. stream5. Both TCP and UDP must be
+ enabled in stream5. The preprocessor requires a session tracker to keep its
+ data. In addition, Stream API is able to provide correct support for ignoring
+ audio/video data channel.
+ IP defragmentation should be enabled, i.e. the frag3 preprocessor should be
+ enabled and configured.
+
+
+Configuration
+================================================================================
+The preprocessor configuration name is "sip".
+
+preprocessor sip
+
+Option Argument Required Default
+disabled None No OFF
+max_sessions No max_sessions 10000
+ports No ports { 5060 5061 }
+methods No methods { invite cancel ack bye
+ register options }
+max_uri_len No max_uri_len 256
+max_call_id_len No max_call_id_len 256
+max_requestName_len No max_requestName_len 20
+max_from_len No max_from_len 256
+max_to_len No max_to_len 256
+max_via_len No max_via_len 1024
+max_contact_len No max_contact_len 256
+max_content_len No max_content_len 1024
+ignore_call_channel None No OFF
+
+max_sessions = 1024 - 4194303
+methods = "invite" | "cancel" | "ack" | "bye" | "register" | "options"
+ | "refer" | "subscribe" | "update" | "join" | "info" | "message"
+ | "notify" | "prack"
+max_uri_len = 0 - 65535
+max_call_id_len = 0 - 65535
+max_requestName_len = 0 - 65535
+max_from_len = 0 - 65535
+max_to_len = 0 - 65535
+max_via_len = 0 - 65535
+max_contact_len = 0 - 65535
+max_content_len = 0 - 65535
+
+Option explanations
+
+ disabled
+ SIP dynamic preprocessor can be enabled/disabled through configuration.
+ By default this value is turned off. When the preprocessor is disabled,
+ only the max_sessions option is applied when specified with the configuration.
+
+ max_sessions
+ This specifies the maximum number of sessions that can be allocated.
+ Those sessions are stream sessions, so they are bounded by maximum number of
+ stream sessions. Default is 10000.
+
+ ports
+ This specifies on what ports to check for SIP messages. Typically, this will
+ include 5060, 5061.
+
+ Syntax:
+ ports { [< ... >] }
+
+ Examples:
+ ports { 5060 5061 }
+
+ Note: there are spaces before and after '{' and '}'
+
+ methods
+ This specifies on what methods to check for SIP messages: (1) invite,
+ (2) cancel, (3) ack, (4) bye, (5) register, (6) options, (7) refer,
+ (8) subscribe, (9) update (10) join (11) info (12) message (13) notify
+ (14) prack
+ Note: those 14 methods are up to date list (Feb. 2011). New methods can be
+ added to the list.
Up to 32 methods supported.
+
+ Syntax:
+ methods { }
+ method-list = method|method method-list
+ method = "invite" | "cancel" | "ack" | "bye" | "register" | "options"
+ | "refer" | "subscribe" | "update" | "join" | "info" | "message"
+ | "notify"| "prack"
+ Examples:
+ methods { invite cancel ack bye register options }
+ Add new method "information":
+ methods { invite cancel ack bye register options information }
+
+ Note: there are spaces before and after '{' and '}'
+
+ max_uri_len
+ This specifies the maximum Request_URI field size. If the Request_URI field
+ is greater than this size, an alert is generated. Default is set to 256.
+ The allowed range for this option is 0 - 65535. "0" means never alert.
+
+ max_call_id_len
+ This specifies the maximum Call-ID field size. If the Call-ID field is
+ greater than this size, an alert is generated. Default is set to 256.
+ The allowed range for this option is 0 - 65535. "0" means never alert.
+
+ max_requestName_len
+ This specifies the maximum request name size that is part of the CSeq ID.
+ If the request name is greater than this size, an alert is generated.
+ Default is set to 20. The allowed range for this option is 0 - 65535.
+ "0" means never alert.
+
+ max_from_len
+ This specifies the maximum From field size. If the From field is greater
+ than this size, an alert is generated. Default is set to 256. The allowed
+ range for this option is 0 - 65535. "0" means never alert.
+
+ max_to_len
+ This specifies the maximum To field size. If the To field is greater than
+ this size, an alert is generated. Default is set to 256. The allowed range
+ for this option is 0 - 65535. "0" means never alert.
+
+ max_via_len
+ This specifies the maximum Via field size. If the Via field is greater than
+ this size, an alert is generated. Default is set to 1024. The allowed range
+ for this option is 0 - 65535. "0" means never alert.
+
+ max_contact_len
+ This specifies the maximum Contact field size.
If the Contact field is
+ greater than this size, an alert is generated. Default is set to 256.
+ The allowed range for this option is 0 - 65535. "0" means never alert.
+
+ max_content_len
+ This specifies the maximum content length of the message body. If the
+ content length is greater than this number, an alert is generated.
+ Default is set to 1024. The allowed range for this option is 0 - 65535.
+ "0" means never alert.
+
+ ignore_call_channel
+ This enables the support for ignoring audio/video data channel
+ (through Stream API). By default, this is disabled.
+
+Option examples
+ max_sessions 30000
+ disabled
+ ports { 5060 5061 }
+ methods { invite cancel ack bye register options }
+ methods { invite cancel ack bye register options information }
+ max_uri_len 1024
+ max_call_id_len 1024
+ max_requestName_len 10
+ max_from_len 1024
+ max_to_len 1024
+ max_via_len 1024
+ max_contact_len 1024
+ max_content_len 1024
+ max_content_len
+ ignore_call_channel
+
+Configuration examples
+ preprocessor sip
+ preprocessor sip: max_sessions 500000
+ preprocessor sip: max_contact_len 512, max_sessions 300000, methods { invite \
+ cancel ack bye register options } , ignore_call_channel
+ preprocessor sip: ports { 5060 49848 36780 10270 }, max_call_id_len 200, \
+ max_from_len 100, max_to_len 200, max_via_len 1000, \
+ max_requestName_len 50, max_uri_len 100, ignore_call_channel,\
+ max_content_len 1000
+ preprocessor sip: disabled
+ preprocessor sip: ignore_call_channel
+
+Default configuration
+ preprocessor sip
+
+Events
+================================================================================
+The preprocessor uses GID 140 to register events.
+
+
+SID Description
+--------------------------------------------------------------------------------
+ 1 If the memory cap is reached and the preprocessor is configured to alert,
+ this alert will be created.
+ 2 Request_URI is required. When Request_URI is empty, this alert will be created.
+ 3 The Request_URI is larger than the defined length in configuration.
+ 4 When Call-ID is empty, this alert will be created.
+ 5 The Call-ID is larger than the defined length in configuration.
+ 6 The sequence e number value MUST be expressible as a 32-bit unsigned integer
+ and MUST be less than 2**31.
+ 7 The request name in the CSeq is larger than the defined length in configuration.
+ 8 From field is empty.
+ 9 From field is larger than the defined length in configuration.
+ 10 To field is empty.
+ 11 To field is larger than the defined length in configuration.
+ 12 Via filed is empty.
+ 13 Via filed is larger than the defined length in configuration.
+ 14 Contact is empty, but it is required non-empty for the message.
+ 15 The Contact is larger than the defined length in configuration.
+ 16 The content length is larger than the defined length in configuration or is negative.
+ 17 There are multiple requests in a single packet. Old SIP protocol supports
+ multiple sip messages within one packet.
+ 18 There are inconsistencies between Content-Length in SIP header and
+ actual body data.
+ 19 Request name is invalid in response.
+ 20 Authenticated invite message received, but no challenge from server received.
+ This is the case of InviteReplay billing attack.
+ 21 Authenticated invite message received, but session information has been changed.
+ This is different from re-INVITE, where the dialog has been established.
+ and authenticated. This is can prevent FakeBusy billing attack.
+ 22 Response status code is not a 3 digit number.
+ 23 Content type header field is required if the message body is not empty.
+ 24 SIP version other than 2.0, 1.0, and 1.1 is invalid
+ 25 Mismatch in Method of request and the CSEQ header
+ 26 The method is unknown
+
+Rule Options
+================================================================================
+New rule options are supported by enabling the sip preprocessor:
+
+sip_method
+sip_stat_code
+sip_header
+sip_body
+
+Overload modifiers to existing pcre rule options:
+
+H: Match SIP request or SIP response header, Similar to sip_header.
+P: Match SIP request or SIP response body, Similar to sip_body.
+
+ sip_method
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ The sip_method keyword is used to check for specific SIP request methods.
+ The list of methods is: invite, cancel, ack, bye, register, options, refer,
+ subscribe, update, join, info, message, notify, prack. More than one method
+ can be specified, via a comma separated list, and are OR'ed together.
+ It will be applied in fast pattern match if available. If the method used
+ in this rule is not listed in the preprocessor configuration, it will be added
+ to the preprocessor configuration for the associated policy.
+
+ Syntax:
+ sip_method:;
+ method-list = method|method, method-list
+ method = ["!"] "invite" | "cancel" | "ack" | "bye" | "register" | "options"
+ | "refer" | "subscribe" | "update" | "join" | "info" | "notify" |
+ | "message"| "prack"
+ Note: if "!" is used, only one method is allowed in sip_method.
+
+ Examples:
+ sip_method:invite, cancel
+ sip_method:!invite
+
+ If a user wants to use "and", they can use something like this:
+ sip_method:!invite; sip_method:!bye
+
+ sip_stat_code
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ The sip_stat_code is used to check the SIP response status code. This option
+ matches if any one of the state codes specified matches the status codes of
+ the SIP response.
+
+ Syntax:
+ sip_stat_code: ;
+ code_list = state_code|state_code, code_list
+ code = "100-999"|"1-9"
+ Note: 1,2,3,4,5,6... mean to check for "1xx", "2xx", "3xx", "4xx", "5xx",
+ ,"6xx"... reponses.
+ Example:
+ This rule searches for the response with state code "200".
+ sip_stat_code:200
+ This rule searches for all the 2xx responses.
+ sip_stat_code: 2
+ This rule searches for either 200, or 180 responses.
+ sip_stat_code: 200, 180
+
+ sip_header
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ The sip_header keyword restricts the search to the extracted Header fields of
+ a SIP message request or a response.
+
+ Syntax:
+ sip_header;
+
+ Example:
+ This rule constrains the search for the pattern "CSeq" to the extracted Header
+ fields of a SIP message.
+ alert udp any any -> any 5060 (sip_header; content: "CSeq"; )
+
+ sip_body
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ The sip_body keyword places the cursor at the beginning of the Body fields
+ of a SIP message. This works similar to file_data and dce_stub_data.The message
+ body includes channel information using SDP protocol (Session Description Protocol).
+
+ Syntax:
+ sip_body;
+ Example:
+ This rule searches for the pattern "c=IN 0.0.0.0" in the Body fields
+ of a SIP message.
+ alert udp any any -> any 5060 (sip_body; content: "C=IN 0.0.0.0"; within 100;)
+
+ pcre
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ SIP overloads two options for pcre:
+
+ H: Match SIP request or SIP response header, Similar to sip_header.
+ P: Match SIP request or SIP response body, Similar to sip_body.
+
+ Example:
+ This rule searches for the pattern "INVITE" in the Header fields of a SIP message.
+ alert udp any any -> any 5060 (pcre:"/INVITE/H"; sid:1000000;)
+ This rule searches for the pattern "m=" in the Body fields of a SIP message.
+ alert udp any any -> any 5060 (pcre:"/m=/P"; sid:2000000;)
+
\ No newline at end of file
diff -Nru snort-2.8.5.2/doc/README.SMTP snort-2.9.2/doc/README.SMTP
--- snort-2.8.5.2/doc/README.SMTP 2007-08-20 16:54:52.000000000 +0000
+++ snort-2.9.2/doc/README.SMTP 2011-07-13 22:43:17.000000000 +0000
@@ -103,6 +103,199 @@ List all commands understood by the preprocessor. This not normally printed out with the configuration because it prints so much data. +* disabled * +Disables the SMTP preprocessor in a config. This is useful when specifying +the decoding depths such as b64_decode_depth, qp_decode_depth, uu_decode_depth, +bitenc_decode_depth or the memcap used for decoding max_mime_mem in default config +without turning on the SMTP preprocessor. + +* b64_decode_depth * +This config option is used to turn off/on or set the base64 decoding depth used to +decode the base64 encoded MIME attachments. The value ranges from -1 to 65535. +A value of -1 turns off the base64 decoding of MIME attachments. The value of 0 +sets the decoding of base64 encoded MIME attachments to unlimited. A value other +than 0 or -1 restricts the decoding of base64 MIME attachments. A SMTP preprocessor +alert with sid 10 is generated (if enabled) when the decoding fails or when this +decode depth is exceeded. + +Multiple MIME attachments/data in one packet are pipelined. When stateful inspection +is turned on the base64 encoded MIME attachments/data across multiple packets are +decoded too. + +The decoded data is available for detection using the rule option file_data. +See file_data rule option for more details. + +This option replaces the deprecated options, enable_mime_decoding and max_mime_depth. +It is recommended that user inputs a value that is a multiple of 4. When the value +specified is not a multiple of 4, the SMTP preprocessor will round it up to the next +multiple of 4. + +In case of multiple configs, the value specified in the non-default config cannot +exceed the value specified in the default config. + +* qp_decode_depth * +This config option is used to turn off/on or set the Quoted-Printable decoding depth +used to decode the Quoted-Printable(QP) encoded MIME attachments. The value ranges +from -1 to 65535. A value of -1 turns off the QP decoding of MIME attachments. 
+The value of 0 sets the decoding of QP encoded MIME attachments to unlimited. A
+value other than 0 or -1 restricts the decoding of QP MIME attachments. A SMTP
+preprocessor alert with sid 11 is generated (if enabled) when the decoding fails
+or when this decode depth is exceeded.
+
+Multiple MIME attachments/data in one packet are pipelined. When stateful inspection
+is turned on the QP encoded MIME attachments/data across multiple packets are decoded too.
+
+The decoded data is available for detection using the rule option file_data.
+See file_data rule option for more details.
+
+In case of multiple configs, the value specified in the non-default config cannot exceed
+the value specified in the default config.
+
+* bitenc_decode_depth *
+This config option is used to turn off/on or set the 7bit/8bit/binary/text extraction
+depth used to extract the 7bit/8bit/binary encoded or plain text MIME attachments. The
+value ranges from -1 to 65535. A value of -1 turns off the extraction of these MIME
+attachments. The value of 0 sets the extraction of these MIME attachments to unlimited.
+A value other than 0 or -1 restricts the extraction of these MIME attachments. A SMTP
+preprocessor alert with sid 12 is generated (if enabled) when this extraction depth is exceeded.
+
+Multiple MIME attachments/data in one packet are pipelined. When stateful inspection
+is turned on the 7bit/8bit/binary/text MIME attachments/data across multiple packets are
+extracted too.
+
+The extracted data is available for detection using the rule option file_data.
+See file_data rule option for more details.
+
+In case of multiple configs, the value specified in the non-default config cannot exceed
+the value specified in the default config.
+
+* uu_decode_depth *
+This config option is used to turn off/on or set the Unix-to-Unix decoding depth
+used to decode the Unix-to-Unix(UU) encoded attachments. The value ranges
+from -1 to 65535.
A value of -1 turns off the UU decoding of SMTP attachments.
+The value of 0 sets the decoding of UU encoded SMTP attachments to unlimited. A
+value other than 0 or -1 restricts the decoding of UU SMTP attachments. A SMTP
+preprocessor alert with sid 13 is generated (if enabled) when the decoding fails
+or when this decode depth is exceeded.
+
+Multiple UU Encoded attachments/data in one packet are pipelined. When stateful inspection
+is turned on the UU encoded attachments/data across multiple packets are decoded too.
+
+The decoded data is available for detection using the rule option file_data.
+See file_data rule option for more details.
+
+In case of multiple configs, the value specified in the non-default config cannot exceed
+the value specified in the default config.
+
+* enable_mime_decoding *
+Enables Base64 decoding of Mime attachments/data. Multiple base64 encoded MIME
+attachments/data in one packet are pipelined. When stateful inspection is turned
+on the base64 encoded MIME attachments/data across multiple packets are decoded too.
+The decoding of base64 encoded attachments/data ends when either the max_mime_depth
+or maximum MIME sessions (calculated using max_mime_depth and max_mime_mem) is
+reached or when the encoded data ends. The decoded data is available for detection
+using the rule option file_data. See file_data rule option for more details.
+
+Please note, this option is deprecated. Use the option b64_decode_depth to turn off
+or on the base64 decoding instead.
+
+* max_mime_depth *
+Specifies the maximum number of base64 encoded data to decode per SMTP session.
+The option take values ranging from 4 to 20480 bytes. The default value for this
+in snort in 1460 bytes.
+
+It is recommended that user inputs a value that is a multiple of 4. When the value
+specified is not a multiple of 4, the SMTP preprocessor will round it up to the next
+multiple of 4.
+
+Please note, this option is deprecated.
Use the b64_decode_depth to set the decoding
+depth for base64 decoding instead.
+
+* max_mime_mem *
+This option determines (in bytes) the maximum amount of memory the SMTP preprocessor
+will use for decoding base64 encoded/quoted-printable/7bit/8bit/binary MIME attachments/data
+or Unix-to-Unix encoded attachments. This value can be set from 3276 bytes to 100MB.
+
+This option along with the maximum of the decoding depths will determine the SMTP
+sessions that will be decoded at any given instant. The default value for this option
+is 838860.
+
+Note: It is suggested to set this value such that the max smtp session calculated as
+follows is atleast 1.
+
+max smtp session = max_mime_mem /(2 * max of (b64_decode_depth, uu_decode_depth, qp_decode_depth
+ or bitenc_decode_depth))
+
+For example, if b64_decode_depth is 0 (indicates unlimited decoding) and qp_decode_depth is 100, then
+
+max smtp session = max_mime_mem/2*65535 (max value for b64_decode_depth)
+
+In case of multiple configs, the max_mime_mem of the non-default configs will be overwritten by the
+default config's value. Hence user needs to define it in the default config with the new keyword
+disabled (used to disable SMTP preprocessor in a config).
+
+When the memcap for decoding (max_mime_mem) is exceeded the SMTP preprocessor alert with sid 9 is
+generated (when enabled).
+
+* log_mailfrom *
+This option enables SMTP preprocessor to parse and log the sender's email address extracted
+from the "MAIL FROM" command along with all the generated events for that session. The maximum
+number of bytes logged for this option is 1024.
+
+Please note, this is logged only with the unified2 output and is not logged with console output (-A cmg).
+u2spewfoo can be used to read this data from the unified2.
+
+* log_rcptto *
+This option enables SMTP preprocessor to parse and log the recipient email addresses
+extracted from the "RCPT TO" command along with all the generated events for that session.
+Multiple recipients are appended with commas. The maximum number of bytes logged for this option is 1024.
+
+Please note, this is loggged only with the unified2 output and is not logged with console output (-A cmg).
+U2spewfoo can be used to read this data from the unified2.
+
+* log_filename *
+This option enables SMTP preprocessor to parse and log the MIME attachment filenames extracted
+from the Content-Disposition header within the MIME body along with all the generated events
+for that session. Multiple filenames are appended with commas. The maximum number of bytes
+logged for this option is 1024.
+
+Please note,this is logged only with the unified2 output and is not logged with the
+console output (-A cmg). u2spewfoo can be used to read this data from the unified2.
+
+* log_email_hdrs *
+This option enables SMTP preprocessor to parse and log the SMTP email headers extracted from
+SMTP data along with all generated events for that session. The number of bytes extracted and
+logged depends upon the email_hdrs_log_depth.
+
+Please note, this is logged only with the unified2 output and is not logged with the console output (-A cmg).
+u2spewfoo can be used to read this data from the unified2.
+
+* email_hdrs_log_depth *
+This option specifies the depth for logging email headers. The allowed range for this option is
+0 - 20480. A value of 0 will disable email headers logging. The default value for this option is 1464.
+
+Please note, in case of multiple configs, this default config's value is used. The values specified in
+ the non-default config will be ignored and overwritten by the default config's values.
+This option must be configured in the default config even if the SMTP configuration is disabled.
+
+* memcap *
+This option determines in bytes the maximum amount of memory the SMTP preprocessor will
+use for logging of filename, MAIL FROM addresses, RCPT TO addresses and email headers.
This value +along with the buffer size used to log MAIL FROM, RCPT TO, filenames and email_hdrs_log_depth will +determine the maximum SMTP sessions that will log the email headers at any given time. When this memcap is +reached SMTP will stop logging the filename, MAIL FROM address, RCPT TO addresses and email headers +until memory becomes available. + +Max SMTP sessions logging email headers at any given time + = memcap/(1024 + 1024 + 1024 + email_hdrs_log_depth) + +The size 1024 is the maximum buffer size used for logging filename, RCPTTO and MAIL FROM addresses. + +Default value for this option is 838860. The allowed range for this option is 3276 to 104857600. +The value specified in the default config is used when this option is specified in multiple configs. +This option must be configured in the default config even if the SMTP configuration is disabled. + + Example: preprocessor SMTP: \ ports { 25 } \ @@ -119,7 +312,22 @@ invalid_cmds { } \ valid_cmds { } \ xlink2state { disable } \ - print_cmds + print_cmds \ + log_filename \ + log_email_hdrs \ + log_mailfrom \ + log_rcptto \ + email_hdrs_log_depth 2920 \ + memcap 6000 + + + +preprocessor SMTP: \ + max_mime_depth 100 \ + max_mime_mem 4000 \ + memcap 6000 \ + email_hdrs_log_depth 2920 \ + disabled Default: preprocessor SMTP: \ diff -Nru snort-2.8.5.2/doc/README.ssh snort-2.9.2/doc/README.ssh --- snort-2.8.5.2/doc/README.ssh 2009-08-10 20:41:34.000000000 +0000 +++ snort-2.9.2/doc/README.ssh 2010-04-06 14:05:45.000000000 +0000 
@@ -17,7 +17,7 @@ (20kb+) to the server immediately after the authentication challenge. To detect the attacks, the SSH preprocessor counts the number of bytes transmitted to the server. If those bytes exceed a pre-defined limit within a pre-define number of -packets, an alert is generated. Since Challenge-Respone Overflow only effects +packets, an alert is generated. Since Challenge-Response Overflow only effects SSHv2 and CRC 32 only effects SSHv1, the SSH version string exchange is used to distinguish the attacks. diff -Nru snort-2.8.5.2/doc/README.ssl snort-2.9.2/doc/README.ssl --- snort-2.8.5.2/doc/README.ssl 2008-03-06 19:01:26.000000000 +0000 +++ snort-2.9.2/doc/README.ssl 2010-08-25 20:10:46.000000000 +0000 @@ -10,10 +10,6 @@ inspected. Once the traffic is determined to be encrypted, no further inspection of the data on the connection is made. -SSLv2 traffic is not currently supported and will be treated as though they -were unrecognized by the decoder. - - SSL Detection and Decoding ========================== 
@@ -46,27 +42,40 @@ server_hello client_keyx server_keyx + unknown The ssl_version keyword takes the following identifiers as arguments: + sslv2 sslv3 tls1.0 tls1.1 tls1.2 More than one identifier can be specified, to either rule keyword, via a comma -separated list. Lists of identifiers are OR'ed together. +separated list. Lists of identifiers are OR'ed together, such that if any +of them match, the rule option will match. -The rule option does not support negation. If you wish to specify a negated -argument, simply specify all of the other options: +The option will match if the connection is currently in any one of the OR'ed +states. To ensure the connection has reached each of a set of states, multiple +rules using the ssl_state rule option should be used. - Invalid: - - ssl_state:!client_hello +The rule options support negation. Some examples: + + # Not client hello + ssl_state:!client_hello; + + # server hello OR not client hello + ssl_state:server_hello,!client_hello; + + # server hello AND not server key exchange + ssl_state:server_hello; ssl_state:!server_keyx; - Valid equivalent: + # not sslv2 + ssl_version:!sslv2; - ssl_state:server_hello,server_keyx,client_keyx + # sslv3 and not sslv2 + ssl_version:sslv3; ssl_version:!sslv2; Usage diff -Nru snort-2.8.5.2/doc/README.stream5 snort-2.9.2/doc/README.stream5 --- snort-2.8.5.2/doc/README.stream5 2009-01-26 18:54:32.000000000 +0000 +++ snort-2.9.2/doc/README.stream5 2011-07-13 22:43:17.000000000 +0000 
@@ -44,11 +44,27 @@ detected on a per-target basis. For example, a few operating systems allow data in TCP SYN packets, while others do not. +Protocol Aware Flushing (PAF) +----------------------------- +Protocol aware flushing of HTTP, SMB and DCE/RPC can be enabled with this option: + +config paf_max: + +where is between zero (off) and 63780. This allows Snort to +statefully scan a stream and reassemble a complete PDU regardless of +segmentation. For example, multiple PDUs within a single TCP segment, +as well as one PDU spanning multiple TCP segments will be reassembled +into one PDU per packet for each PDU. PDUs larger than the configured +maximum will be split into multiple packets. + Rule Options ------------- -Stream5 adds the 'stream_size' rule option. The option allows a rule to -match traffic according to the number of bytes observed, as determined by the -TCP sequence numbers. +============ +Stream5 adds support for a few rule options described below. + +stream_size +----------- +The 'stream_size' rule option allows a rule to match traffic according to +the number of bytes observed, as determined by the TCP sequence numbers. stream_size takes a number of comma-separated arguments in the following format: 
@@ -75,6 +91,26 @@ stream_size:client,<,6; +stream_reassemble +----------------- +The 'stream_reassemble' rule option allows a rule to enable or disable TCP +stream reassembly on matching traffic. + +stream_reassemble takes a number of comma-separated arguments in the following +format: + + stream_reassemble:, [,noalert] [,fastpath] + +- The optional noalert parameter causes the rule to not generate an alert when it matches. +- The optional fastpath parameter causes Snort to ignore the rest of the connection. + +For example: + +To disable TCP reassembly for client traffic when we see a HTTP 200 Ok Response message: + + alert tcp any 80 -> any any (flow:to_client,established; content:"200 OK"; + stream_reassemble:disable,client,noalert;) + Configuration ============= Global Configuration @@ -85,16 +121,16 @@ - Options: track_tcp - Track sessions for TCP. The default is "yes". max_tcp - Max concurrent sessions for TCP. The default - is "256000", maximum is "1052672", minimum is "1". + is "262144", maximum is "1048576", minimum is "1". memcap - Memcap for TCP packet storage. The default is "8388608" (8MB), maximum is "1073741824" (1GB), minimum is "32768" (32KB). track_udp - Track sessions for UDP. The default is "yes". max_udp - Max concurrent sessions for UDP. The default - is "128000", maximum is "1052672", minimum is "1". - track_icmp - Track sessions for ICMP. The default is "yes". + is "131072", maximum is "1048576", minimum is "1". + track_icmp - Track sessions for ICMP. The default is "no". max_icmp - Max concurrent sessions for ICMP. The default - is "64000", maximum is "1052672", minimum is "1". + is "65536", maximum is "1048576", minimum is "1". flush_on_alert - Backwards compatibility. Flush a TCP stream when an alert is generated on that stream. The default is set to off. 
@@ -103,13 +139,22 @@ prune_log_max - Print a message when a session terminates that was consuming more than the specified number of bytes. The default is "1048576" (1MB), minimum - is "0" (unlimited), maximum is not bounded, other - than by the memcap. + can be either "0" (disabled) or if not disabled + the minimum is "1024" and maximum is "1073741824". + disabled - This optional keyword is allowed with any policy + to avoid packet processing. This option disables + the preprocessor. When the preprocessor is disabled + only the options memcap, max_tcp, max_udp and + max_icmp are applied when specified with the + configuration. The other options are parsed but + not used. Any valid configuration may have + "disabled" added to it. + TCP Configuration ----------------- Provides a means on a per IP address target to configure a TCP policy. -This can have multiple occurances, per policy that is bound to an IP +This can have multiple occurrences, per policy that is bound to an IP address or network. One default policy must be specified, and that policy is not bound to an IP address or network. @@ -142,8 +187,6 @@ macos - MacOS 10.3 and newer The default is "bsd". - min_ttl - Minimum Time To Live. The default is "1", the - minimum is "1" and the maximum is "255". overlap_limit - Limits number of overlapping packets. The default is "0" (unlimited), the minimum is "0", and the maximum is "255". 
@@ -203,6 +246,22 @@ minimum of "2", and a maximum of "1073741824" (1GB). A message is written to console/syslog when this limit is enforced. + small_segments bytes [ignore_ports port list] + - Configure the maximum small segments queued. + This feature requires that detect_anomalies be enabled. + num1 is the number of consecutive segments that will + trigger the detection rule. The default value is + "0" (disabled),with a maximum of "2048". + num2 is the minimum bytes for a segment to be + considered "small". The default value is "0" (disabled), + with a maximum of "2048". + ignore_ports is optional, defines the list of + ports in which will be ignored for this rule. + The number of ports can be up to "65535". + Example: + small_segments 3 bytes 15 ignore_ports 33 44 55 + A message is written to console/syslog when this + limit is enforced. The generated alert is 129:12 ports [all|space separated port list] - Specify the client, server, or both and list of ports in which to perform reassembly. This can @@ -234,7 +293,7 @@ UDP Configuration ----------------- Configuration for UDP session tracking. Since there is no target based -binding, there should be only one occurance of the UDP configuration. +binding, there should be only one occurrence of the UDP configuration. - Preprocessor name: stream5_udp - Options: timeout - Session timeout. The default is "30", the @@ -268,7 +327,7 @@ for use in production networks. It is not turned on by default. Configuration for ICMP session tracking. Since there is no target based -binding, there should be only one occurance of the ICMP configuration. +binding, there should be only one occurrence of the ICMP configuration. - Preprocessor name: stream5_icmp - Options: timeout - Session timeout. The default is "30", the 
@@ -312,3 +371,7 @@
 8 Data after Reset packet
 9 Possible Hijacked Client
 10 Possible Hijacked Server
+11 TCP packet with any control flags set
+12 Limit on number of consecutive small segments reached
+13 4-way handshake detected
+14 Packet missing timestamp
diff -Nru snort-2.8.5.2/doc/README.tag snort-2.9.2/doc/README.tag
--- snort-2.8.5.2/doc/README.tag 2007-01-18 21:37:31.000000000 +0000
+++ snort-2.9.2/doc/README.tag 2011-06-08 00:33:00.000000000 +0000
@@ -1,25 +1,27 @@ Introduction ------------------ -Tagging packets is a way to continue logging packets from a session or host that -generated an event in Snort. When an event is generated based on a rule that contains -a tag option, information such as the IPs and ports involved, the type of tagging -decision that should be made (by session or host), for how long to tag packets -(the number of packets, seconds and/or bytes), the event id of the packet that generated -the alert (to be included in the logging information with each tagged packet), etc. are -saved into a data structure so that subsequent packets can be checked against this -information and a decision can be made whether or not to tag/log the packet. Tagged -traffic is logged to allow analysis of response codes and post-attack traffic. Tag -alerts will be sent to the same output plugins as the original alert, but it is the -responsibility of the output plugin to properly handle these special alerts. Currently, -the database output plugin does not properly handle tag alerts. - -Snort will only check to see whether or not it should tag a packet if that packet did -not generate an event. An exception to this is if the event was based on a PASS rule -and that rule does not contain a tag option, that packet will be checked. +------------ +Tagging packets is a way to continue logging packets from a session or host +that generated an event in Snort. When an event is generated based on a rule +that contains a tag option, information such as the IPs and ports involved, the +type of tagging decision that should be made (by session or host), for how long +to tag packets (the number of packets, seconds and/or bytes), the event id of +the packet that generated the alert (to be included in the logging information +with each tagged packet), etc. are saved into a data structure so that +subsequent packets can be checked against this information and a decision can +be made whether or not to tag/log the packet. 
Tagged traffic is logged to +allow analysis of response codes and post-attack traffic. Tag alerts will be +sent to the same output plugins as the original alert, but it is the +responsibility of the output plugin to properly handle these special alerts. +Currently, the database output plugin does not properly handle tag alerts. + +Snort will only check to see whether or not it should tag a packet if that +packet did not generate an event. An exception to this is if the event was +based on a PASS rule and that rule does not contain a tag option, that packet +will be checked. Format ---------- +------ tag: , , , [direction] @@ -28,7 +30,8 @@ host - Log packets from the host that caused the tag to activate (uses [direction] modifier) -count - Count is specified as a number of units. Units are specified in the field. +count - Count is specified as a number of units. Units are specified in the + field. metric packets - Tag the host/session for packets 
@@ -36,38 +39,34 @@ bytes - Tag the host/session for bytes direction - only relevant if host type is used. - src - Tag packets containing the source IP address of the packet that generated - the initial event. - dst - Tag packets containing the destination IP address of the packet that - generated the initial event. - -Note that the stream preprocessor is not checked for the existence of a session. A -session here is based only on socket (IP address:port) pairs, so that a session could -end, but if a new session is started using the same socket pair, packets will continue -to get tagged. - -The default direction for host type tagging is by source, so - tag:host,100,packets + src - Tag packets containing the source IP address of the packet that + generated the initial event. -is the same as + dst - Tag packets containing the destination IP address of the packet + that generated the initial event. - tag:host,100,packets,src +Note that the stream preprocessor is not checked for the existence of a +session. A session here is based only on socket (IP address:port) pairs, so +that a session could end, but if a new session is started using the same socket +pair, packets will continue to get tagged. +A tag option with the "host" type MUST specify a direction. Tagged Packet Limit ------------------------ -If you have a tag option in a rule that uses a metric other than packets, -a tagged_packet_limit will be used to limit the number of tagged packets +------------------- +If you have a tag option in a rule that uses a metric other than packets, a +tagged_packet_limit will be used to limit the number of tagged packets regardless of whether the seconds or bytes count has been reached. The default tagged packet limit value is 256 and can be modified by using a config option -in your snort.conf file. 
You can disable this packet limit for a particular rule -by adding a packets metric to your tag option and setting its count to 0 (This can -be done on a global scale by setting the tagged_packet_limit option in snort.conf -to 0). Doing this will ensure that packets are tagged for the full amount of seconds -or bytes and will not be cut off by the tagged_packet_limit. (Note that the -tagged_packet_limit was introduced to avoid DoS situations on high bandwidth sensors -for tag rules with a high seconds or bytes counts.) +in your snort.conf file. You can disable this packet limit for a particular +rule by adding a packets metric to your tag option and setting its count to 0 +(This can be done on a global scale by setting the tagged_packet_limit option +in snort.conf to 0). Doing this will ensure that packets are tagged for the +full amount of seconds or bytes and will not be cut off by the +tagged_packet_limit. (Note that the tagged_packet_limit was introduced to avoid +DoS situations on high bandwidth sensors for tag rules with a high seconds or +bytes counts.) Example: 
@@ -80,36 +79,37 @@ Examples ---------------- +-------- tag:host,100,seconds,src tagged_packet_limit = 256 -When an event is triggered on this rule, Snort will tag packets containing an IP address -that matches the source IP address of the packet that caused this rule to alert for the -next 100 seconds or 256 packets, whichever comes first. +When an event is triggered on this rule, Snort will tag packets containing an +IP address that matches the source IP address of the packet that caused this +rule to alert for the next 100 seconds or 256 packets, whichever comes first. tag:host,1000,bytes,100,packets,src tagged_packet_limit = 256 -When an event is triggered on this rule, Snort will tag packets containing an IP address -that matches the source IP address of the packet that caused this rule to alert for the -next 1000 bytes or 100 packets, whichever comes first. +When an event is triggered on this rule, Snort will tag packets containing an +IP address that matches the source IP address of the packet that caused this +rule to alert for the next 1000 bytes or 100 packets, whichever comes first. -NOTE: The tagged_packet_limit will be ignored whenever the packets metric is used in the - tag option. +NOTE: The tagged_packet_limit will be ignored whenever the packets metric is +used in the tag option. Using multiple metrics --------------------------------- +---------------------- -When the metrics used are bytes and seconds, Snort will not stop tagging packets -until at least each of the counts for both metrics are reached. Of course, if -you have not disabled the tagged_packet_limit, the packet limit will take precedence. +When the metrics used are bytes and seconds, Snort will not stop tagging +packets until at least each of the counts for both metrics are reached. Of +course, if you have not disabled the tagged_packet_limit, the packet limit will +take precedence. 
-The following tag option will tag relevant packets for at least 1000 bytes and at
-least 100 seconds or until Snort has tagged 256 packets.
+The following tag option will tag relevant packets for at least 1000 bytes and
+at least 100 seconds or until Snort has tagged 256 packets.
 tag:host,1000,bytes,100,seconds,src tagged_packet_limit = 256
@@ -118,4 +118,3 @@
 tag:host,1000,bytes,100,seconds,0,packets,src
-
diff -Nru snort-2.8.5.2/doc/README.wireless snort-2.9.2/doc/README.wireless
--- snort-2.8.5.2/doc/README.wireless 2002-04-05 19:24:10.000000000 +0000
+++ snort-2.9.2/doc/README.wireless 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@ -Wireless Sniffing -4/4/02 -Nick Petroni - -Overview: --------- -Recent changes in the LAN market have placed an emphasis on wireless -networking and specifically IEEE 802.11. As a result of the increasing -popularity of wireless, network administrators benefit from tools that -allow them to sniff, analyze, and audit wireless data frames. As a -packet sniffer, logger, and IDS Snort can maintain all of its -functionality while using a wireless device as the listening -interface. The provided changes allow Snort to sniff over a wireless -interface in RFMON (RF Monitor) mode and to decode packets. Further -changes allow snort to be put in "wireless" mode with the '-w' flag -in order to see all 802.11 frames. - -Regular Snort, wireless interface: ---------------------------------- -To use Snort over a wireless interface in RFMON mode, simply set the -card to that mode and start snort with the usual -i -flag. How is sniffing in RFMON mode different from sniffing in -Ethernet emulation mode (that is, the mode the card is usually in when -you are operating on your own network)? In RFMON mode the card is -associated with no particular network, rather it listens to all -traffic it can see from any device using 802.11 within range. Similar -to using different Virtual LANs on the same piece of wire, many 802.11 -networks operate in the same area. For those interested in -monitoring only their own network, it is recommended that they leave -their wireless card in Ethernet emulation mode. This is no different -than snort in the wired environment (and, in fact snort won't even -know the difference). For those interested in monitoring all wireless -networks within range, RFMON mode should be used. - -Snort in wireless mode: ----------------------- -IEEE 802.11 uses three types of frames: management, control, and -data. Without going into too much detail, control frames are used to -support delivery of management and data frames. 
Management frames -provide a means for setting up and maintaining wireless associations -(network connections). Data frames transport actual network messages -(layer 3 and above). Contrary to the usual wired paradigm, network -administrators are becoming increasingly concerned with layer 2 frames -and associations due to the unbounded nature of the physical -medium. For this reason, snort has a wireless mode in which all 802.11 -frames (including management and possibly control frames) are -displayed. To use snort in wireless mode, simply use the '-w' -flag. Along with the usual data frames, snort will also display any -management or control frames that are passed up by the card. - -Test Setup: ----------- -In order to use snort in wireless mode, you will need a wireless card -and an associated driver that allows the card to be put in RFMON -mode. Testing was done using a Cisco Aironet 340 PCMCIA card. There -are multiple drivers available for this card. The one used for testing -is available from http://airo-linux.sourceforge.net and works with the -PCMCIA package included in the Linux kernel. - -Packet Filters: --------------- -Because of the nature of wireless communication, the medium is -constantly filled with packets, even when data is not being -transferred. Management and control frames, especially Access Point -Beacons, tend to dominate traffic being captured in RFMON mode. For -this reason, users may benefit from capture filters. Since BPF was -written before the recent boom of wireless LANs there are no keywords -available for the 802.11 MAC. However, one commonly desired filter is -to do so by frame type. This can easily be achieved using link -offsets, since the first byte of a wireless frame indicates its -type. For example, a user wanting to run snort in wireless mode, but -wanting to filter out all beacons could run -snort -w -i -v -X link[0] != 0x80 -This is because beacon frames will have a first byte of -0x80. 
diff -Nru snort-2.8.5.2/doc/RELEASE.NOTES.2.3 snort-2.9.2/doc/RELEASE.NOTES.2.3
--- snort-2.8.5.2/doc/RELEASE.NOTES.2.3 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/RELEASE.NOTES.2.3 1970-01-01 00:00:00.000000000 +0000
@@ -1,133 +0,0 @@ -2005-04-22 - Snort 2.3.3 Released - -* Fixed sfPortscan Open Ports not getting suppressed. - -* Added new mini-preprocessor to catch the X-Link2State vulnerability. - See Snort manual for details. - -2005-03-10 - Snort 2.3.2 Released - -* Removed end-of-line parser fix in favor of completely reworking - this at the next parser overhaul. - -2005-03-09 - Snort 2.3.1 Released - -* Fixed issue where the number of flowbits were too small. Thanks Marc - Norton for the fix. - -* Fixed parsing of comments at end of line in config file. In - snort.conf, anything that follows a # on a line is considered a - comment. Thanks Steve Sturges for the fix. - -* Fixed alignment issue causing sfPortscan to crash on Solaris/HPUX. - Thanks Andy Mullican for the fix. Thanks Senthil Prabu.S and - Jonathan Miner for working with us on this. - -2005-01-25 - Snort 2.3.0 Final Released - -* Fixed issue with sfPortscan reporting incorrect IP datagram length. - Thanks Jon Hart for the test case and finding the bug, and Marc Norton - for resolving the issue. - -* Threshold/Suppression now prints properly when logging to syslog. - Thanks Sekure for pointing out the problem. Thanks Steve Sturges for - working on the fix. - -* Threshold memcap argument now correctly handles non-integer input. - Thanks nnposter for the patch. - -* Fixed issue reported by Allan Jensen, where on MacOS X, ppp links were - not decoded properly. Thanks Dan Roelker for the fix. - -* Snort manual and FAQ are updated for 2.3. Thanks Jen Harvey for your - work on putting it all together. - -2004-12-15 - Snort 2.3.0 RC2 Released - -* Small performance improvement to arpspoof and also fixed a problem - where the list of configured IP/MAC entries would contain only one - entry and leaked memory (Jeff Nathan). - -* Fixed a problem affecting MacOS X where linking may fail with - non-standard libraries when global symbols are encountered multiple - times (Jeff Nathan). 
- -* Ignore RST|ACK midstream pickup case so we don't get an evasive TCP - alerts. Thanks for the report, Sekure. Thanks Dan Roelker for the fix. - -* Moved CheckLogDir() to after parsing snort.conf (for IDS mode) so the - logdir config will work if the default or command-line logdir does not - exist on the system. Thanks Dan Roelker. - -* Fixed bug when setting the doe_ptr on a successful pcre match. - It is now set relative to base_ptr. Thanks Steve Sturges for the - fix. - -* Added from_beginning and multiplier options for byte_jump. - from_beginning skips bytes from the beginning of the content, - instead of from the location immediately following the number - of bytes to skip. multiplier takes a numeric argument, and - skips x times that number of bytes. Thanks again to Steve Sturges. - -* In "fast" output, now log only actual packet contents when UDP - data length is greater than actual data length. Thanks Brian - Caswell for spotting this, and Andrew Mullican for working on the fix. - -* Please check the ChangeLog for further details. - -2004-11-18 - Snort 2.3.0 RC1 Released - -* Added IPS functionality from Snort-Inline. A big thanks to the - Snort-Inline guys (Jed Haile, Rob McMillen, William Metcalf, and Victor - Julien). Also, Thanks Dan Roelker for doing the integrating of - Snort-Inline into the official Snort project. - -* Added new portscan detector. The design and implementation was headed - up by Dan Roelker, and included Marc Norton and Jeremy Hewlett. - -* Numerous changes for better 64bit Snort support from Jeremy Hewlett and - Marc Norton. Additionally, an --enable-64bit-gcc option was added to - configure. However, there are still some memory alignment issues to - work out before 64bit mode is fully functional, patches are welcomed. - Thanks Chris Baker for doing 64bit testing. - -* Added not_established keyword to the flow detection option. This allows - snort to do dynamic firewall rulesets. Experimental for now. 
- -* Added an enforce_state keyword to stream4 so we won't pick up midstream - sessions. This works well for asynchronous links and also for - just monitoring legitimate traffic. - -* Relocated ./contrib files to http://www.snort.org/dl/contrib as many - are not maintained by Sourcefire and are out of date. The rpm and - schema files have been relocated in their respective 'rpm' and 'schemas' - directories under the snort parent directory. - -* perfmonitor config line can now be configured with "accumulate" or - "reset." Thanks Marc Norton for the feature, and Barry Basselgia for - pointing out the issue. Thanks Scott Dexter and Andreas Ostling for - doing some initial testing. - -* Fixed 64-bit bug in sfmemcap.c found and tested by Ryan Matteson - and Clay McClure. Thanks guys. - -* Fixed reference times to match log time for first packet, for an event - generated by a reassembled packet. Incremented event ID to give - unique ID for each packet. Also made unified logging compatible with - Windows. Thanks Andrew Mullican for the fix. - -* Fixed linux perfmonitoring stats for the 2.6 kernel. Thanks to - everyone that reported this bug. Thanks Dan Roelker for the fix. - -* Get thresholding/suppression to work for alerts that do not - contain an ip header (primarily decode alerts). Thanks - Brian Caswell. - -* Fix conditions where snort would log double web alerts that - contained only content options (no uricontents). Thanks to kawa for - finding and reporting this bug. - -* Fix suppression/thresholding bug for non-rule alerts. Thanks to - Alex Butcher for reporting it to us. - -* Many other bug fixes, please check the ChangeLog for details. diff -Nru snort-2.8.5.2/doc/RELEASE.NOTES.2.4 snort-2.9.2/doc/RELEASE.NOTES.2.4 --- snort-2.8.5.2/doc/RELEASE.NOTES.2.4 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/RELEASE.NOTES.2.4 1970-01-01 00:00:00.000000000 +0000 
@@ -1,138 +0,0 @@ -2006-06-05 - Snort 2.4.5 Released - * Fixed potential evasion in URI content buffers - * Fixed potential evasion in Stream4 - -2006-03-08 - Snort 2.4.4 Released -[*] Improvements - * Fixed ip options handling in Frag3. - * Fixed bug in Wu-Manbher implementation regarding multiple - recurring patterns. - * Fixed a config file parsing bug which required DNS resolution - in certain circumstances. - * Updated perfmonitor to properly handle wraps on 64 bit platforms. - * Fixed crash in portscan related to bogus data in sfxhash. - * Fixed memory leak in Frag3. - * Allow use of 0 as a value to -G. - -2005-10-17 - Snort 2.4.3 Released -[*] Improvements - * Fixed possible buffer overflow in back orifice preprocessor. - * Added snort.conf options to bo preprocessor for finer control of - alerting and dropping of bo traffic. - * Added alert to detect the bo buffer overflow attack against snort. - -2005-09-28 - Snort 2.4.2 Released -[*] Improvements - * Fixed crash bug with -T and default logging setup first reported by - Zultan. - * Corrected Win32 directory setup for new WinPCAP. - -2005-09-16 - Snort 2.4.1 Released -[*] New additions - * Added a -K command line option to manually select the logging mode using - a single switch. The -b and -N switches will be deprecated in version - 2.7. Pcap logging is now the default for Snort at startup, use "-K ascii" - to revert to old behavior. - -[*] Improvements - * Win32 version now supports winpcap 3.1 and MySQL client 4.13. - * Added event on zero-length RPC fragments. - * Fixed TCP SACK processing for text based outputs that could result in a - DoS. - * General improvements to frag3 including Teardrop detection fix. - * Fixed a bug in the PPPoE decoder. - * Added patch for time stats from Bill Parker. Enable with configure - --enable-timestats. - * Fixed IDS mode bailing at startup if logdir is specified in snort.conf - and /var/log/snort doesn't exist. - * Added decoder for IPEnc for OpenBSD. 
Thanks Jason Ish for the patch - (long time ago) and Chris Kuethe for reraising the issue. - * Allow snort to use usernames (-u) and groupnames (-g) that include - numbers. Thanks to Shaick for the patch. - * Fixed broken -T option. - * Change ip_proto to ip for portscan configuration. Thanks David Bianco - for pointing this out. - * Fix for prelude initialization. Thanks Yoann Vandoorselaere for the - update. - * For content matches, when subsequent rule options fail, start searching - again in correct location. - * Updated Win32 to handle pflog patch. - * Added support for new OpenBSD pflog format. Older pflog format, - OpenBSD 3.3 and earlier is still supported. Thanks Breno Leitao - and Christian Reis for the patch. - * Added statistics counter for ETH_LOOPBACK packets. Thanks rmkml - for the patch. - -2005-07-22 - Snort 2.4.0 Released - -[*] Distribution Change - * Rules are no longer distributed as part of the Snort releases, they are - available as a separate download from snort.org. This was done for - three reasons: - 1) To better manage the new rules licensing. - 2) To reduce the size of the engine download. - 3) To move the thousands of documentation files for the rules into - the rules tarballs. If you've ever checked Snort out of CVS you'll - know why this is a Good Thing. - -[*] New additions - * Added new IP defragmentation preprocessor, Frag3. The frag3 preprocessor - is a target-based IP defragmentation module, and is intended as a - replacement for the frag2 module. Check out the README.frag3 for full - info on this new preprocessor. - - * Libprelude support has been added (enable with --enable-prelude). - Thanks Yoann Vandoorselaere! - - * An "ftpbounce" rule detection plugin was added for easier detection of - FTP bounce attacks. - - * Added a new Snort config option, "ignore_ports," to ignore packets - based on port number. This is similar to bpf filters, but done within - snort.conf. 
- -[*] Improvements - * Snort startup messages printed in syslog now contain a PID before each - entry. Thanks Sekure for initially bringing this up. - - * Stream4: Performance improvements. - - * Stream4: Added 'max_session_limit' option which limits number of - concurrent sessions tracked. Added favor_old/favor_new options that - affect order in which packets are put together for reassembly. - - * Stream4: New configuration options to manage flushpoints for improved - anti-evasion. The flush_behavior option selects flushpoint management - mode. New flush_base, flush_range, and flush_seed manage randomized - flushing. Check out the snort.conf file for full config data on the - new flush options. - - * Added two more alerts for BackOrifice client and server packets. This - allows specific alerts to be suppressed. - - * PerfMon preprocessor updated to include more detailed stats for rebuilt - packets (applayer, wire, fragmented & TCP). Also added 'atexitonly' - option that dumps stats at exit of snort, and command line -Z flag to - specify the file to which stats are logged. - - * Added new Http Inspect config item, "tab_uri_delimiter," which if - specified, lets a tab character (0x09) act as the delimiter for a URI. - - * Added a '-G' command line flag to snort that specifies the Snort - instance log identifier. It takes a single argument that can be either - hex (prefaced with 0x) or decimal. The unified log files will include - the instance ID when the -G flag is used. - - * "Same SRC/DST" (sid 527) and "Loopback Traffic" (sid 528) are now - handled in the IP decoder. Those sids are now considered obsolete. - - * Http_Inspect "flow_depth" option now accepts a -1 value which tells - Snort to ignore all server-side traffic. - - * RPMs have been updated to be more portable, and also now include a - "--with inline" option for those wanting to build Inline RPMs. Thanks - Daniel Wittenberg and JP Vossen for your help! 
-
- * Many, many bug fixes have also gone into this release, please see the
- ChangeLog for details.
-
diff -Nru snort-2.8.5.2/doc/RELEASE.NOTES.2.6 snort-2.9.2/doc/RELEASE.NOTES.2.6
--- snort-2.8.5.2/doc/RELEASE.NOTES.2.6 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/RELEASE.NOTES.2.6 1970-01-01 00:00:00.000000000 +0000
@@ -1,114 +0,0 @@
-2007-05-09 - Snort 2.6.1.5 Released
-[*] New Additions
- * Updated HttpInspect to normalize parameters that are part of the
- client request body in the same way it normalizes HTTP URIs.
- Added a modifier keyword to be used in conjunction with a content
- option in the rules to search only the normalized HTTP client request
- body. Also added stats for HttpInspect to track number of various
- types of normalizations and HTTP methods.
-
-[*] Improvements
- * Fix header files to avoid conflicts with system files on BSD for
- IPv6 data structures.
-
- * Fix possible memory leak in Stream4 when HttpInspect is being
- used.
-
-2007-03-26 - Snort 2.6.1.4 Released
-[*] New Additions
- * Added detection for BSD IPv6 fragmentation overflow (CVE-2007-1365).
- New options configure the behavior of the detection and new decoder
- alerts for truncated IPv6 headers and a Fragmentation alert for the
- specific overflow attack.
-
-[*] Security Improvements
- * Updated code to use safer functions that perform bounds checking
- when doing string or memory copies and snprintf buffer writes.
- Ensure null termination on string buffers and perform initialization
- on memory allocations.
-
-2007-02-18 - Snort 2.6.1.3 Released
-[*] Improvements
- * Updated DCE/RPC dynamic protocol normalizer to perform additional
- boundary checking when reassembling SMB fragments. This addresses
- a potential remotely exploitable stack-based buffer overflow.
-
- * Updated Frag3 to protect against potential for fragments without
- ethernet header being passed from iptables to Snort inline.
-
-2006-12-07 - Snort 2.6.1.2 Released
-[*] Improvements
- * Fixed problem with snort using high CPU and potentially reprocessing
- the same TCP reassembled packets with a sequence number wrap and
- packets missing from the queue (out of order, dropped, or async
- network).
-
- * Updated DCE/RPC dynamic protocol normalizer to protect against
- integer underflow conditions.
-
- * Updated unified output plugin to work correctly on certain 64bit
- platforms where timeval structure is a different size. A patch
- to barnyard that is associated with this fix can be found at:
- http://secure.lv/~nikns/stuff/barnyard_64bit.diff.
-
-2006-11-22 - Snort 2.6.1.1 Released
-[*] Improvements
- * Fixed problem with snort using high CPU and potentially reprocessing
- the same TCP reassembled packets at session end or TCP ACK of only
- part of a packet.
-
-2006-11-16 - Snort 2.6.1 Released
-[*] New Additions
- * Support for UDP "session" tracking to Stream4. Enable via
- --enable-stream4udp option to configure script. This allows
- the use of flow option with UDP rules. Includes tracking
- of stats for UDP sessions. A session is created for rules that
- use the flow or flowbits keywords. Also provided the ability to
- ignore UDP any any -> any any rules as a performance improvement.
-
- * Stream5 (for Beta testing) as replacement for Stream4
- and Flow preprocessors. See README.stream for details.
-
- * Allow blocking of entire session in inline mode via stream API.
- All subsequent packets on that session are blocked.
-
- * Dynamic DCE/RPC protocol normalizer and defragmentation
- module. See README.dcerpc for details.
-
- * SSH (for Beta testing) protocol analyzer. See README.ssh for
- details.
-
- * Support for GRE encapsulated protocol (experimental). Enable via
- --enable-gre option to configure script.
-
- * Aruba networks output plugin (experimental). See README.ARUBA for
- details. Enable via --enable-aruba option to configure script.
-
- * Smaller memory footprint pattern mattcher using Aho-Corasick,
- using NFA. Use 'config detection: search-method ac-bnfa' to
- enable. This will become the default pattern matcher in future
- releases. Wu-Manhber has been deprecated (mwm).
-
-[*] Improvements
-
- * Added parameter to dynamicengine to allow specification of
- directory instead of implicit file. This will load all engine shared
- libraries within the specified directory. Can also use
- --dynamic-engine-lib-dir command-line option. Fix handling of
- loading multiple instances of the same dynamic library (engine,
- detection, or preprocessor).
-
- * Updates to HTTP inspect to handle different versions of IIS with
- the related iis profiles. See README.httpinspect for details.
-
- * Cleaned up inline initialization to better handle test mode.
-
- * Updates to interface dependent variable definitions.
-
- * Added stats for packets not yet processed -- those that are still in
- the buffer used by pcap.
-
- * Fixed issue with fewer alerts being generated when snort is compiled
- with gcc 4.x by using no-strict-aliasing flag.
-
- * Require each rule to have a unique sid/gid pair.
diff -Nru snort-2.8.5.2/doc/RELEASE.NOTES.2.7 snort-2.9.2/doc/RELEASE.NOTES.2.7
--- snort-2.8.5.2/doc/RELEASE.NOTES.2.7 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/RELEASE.NOTES.2.7 1970-01-01 00:00:00.000000000 +0000
@@ -1,23 +0,0 @@
-2007-07-09 - Snort 2.7.0
-
-[*] New Additions
- * Stream5 is now the default stream processor and replaces both flow
- and Stream4. Refer to the Snort manual and README.stream5 for
- details on how to configure it for OS target-specific TCP
- processing.
-
-[*] Improvements
- * Fixed header files to avoid conflicts with system files on BSD for
- IPv6 data structures.
-
- * Reduced memory footprint for smtp preprocessor.
-
- * Ensured Snort frees memory from preprocessors before exit. Only
- outstanding memory in use is related to pattern matcher and
- rules.
-
-[*] Security Improvements
- * Further updates that use safer functions that perform bounds checking
- when doing string or memory copies and snprintf buffer writes.
- Ensure null termination on string buffers and perform initialization
- on memory allocations.
diff -Nru snort-2.8.5.2/doc/signatures/100000100.txt snort-2.9.2/doc/signatures/100000100.txt
--- snort-2.8.5.2/doc/signatures/100000100.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000100.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-100000100
-
---
-Summary:
-This event is generated when a URI of 1,050 bytes ore more is requested from an
-internal web server.
-
---
-
-Impact:
-Unknown.
-
---
-Detailed Information:
-This rule is used in conjunction with SID 100000101 to detect buffer overflow
-attacks against the Adobe Acrobat/Acrobat Reader ActiveX Control, pdf.ocx. This
-rule should never generate an alert.
-
---
-Affected Systems:
-Adobe Acrobat 5.0
-Adobe Acrobat 5.0.5
-Adobe Acrobat 6.0
-Adobe Acrobat 6.0.1
-Adobe Acrobat Reader 5.0
-Adobe Acrobat Reader 5.0.5
-Adobe Acrobat Reader 5.1
-Adobe Acrobat Reader 6.0
-Adobe Acrobat Reader 6.0.1
-
---
-
-Attack Scenarios:
-A web browser or automated script may be used to exploit this vulnerability.
-
---
-
-Ease of Attack:
-Simple, as simply typing a long URI into a web browser will suffice.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Upgrade to Adobe Acrobat/Acrobat Reader 6.0.2.
-An alternate workaround is available: disable "Display PDF in browser" under
-Edit -> Preferences.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Alex Kirk
-
---
-Additional References:
-http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=2589&fileID=2433
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000101.txt snort-2.9.2/doc/signatures/100000101.txt
--- snort-2.8.5.2/doc/signatures/100000101.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000101.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000101
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow
-vulnerability present in the Adobe Acrobat/Acrobat Reader ActiveX control,
-pdf.ocx.
-
---
-
-Impact:
-By using properly crafted packets, attackers may execute arbitrary code of
-their choosing with the privileges of the user running the affected software.
-
---
-Detailed Information:
-This rule detects attempts to overflow the heap of the Adobe Acrobat/Acrobat
-Reader ActiveX control, pdf.ocx. URI requests of 1,050 bytes or greater which
-are received by this control will cause a buffer overflow and allow arbitrary
-code execution with the privileges of the affected user. This rule is used in
-conjunction with SID 100000100.
-
---
-Affected Systems:
-Adobe Acrobat 5.0
-Adobe Acrobat 5.0.5
-Adobe Acrobat 6.0
-Adobe Acrobat 6.0.1
-Adobe Acrobat Reader 5.0
-Adobe Acrobat Reader 5.0.5
-Adobe Acrobat Reader 5.1
-Adobe Acrobat Reader 6.0
-Adobe Acrobat Reader 6.0.1
-
---
-
-Attack Scenarios:
-A web browser or automated script may be used to exploit this vulnerability.
-
---
-
-Ease of Attack:
-Simple, as simply typing a long URI into a web browser will suffice.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Upgrade to Adobe Acrobat/Acrobat Reader 6.0.2.
-An alternate workaround is available: disable "Display PDF in browser" under
-Edit -> Preferences.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Alex Kirk
-
---
-Additional References:
-http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=2589&fileID=2433
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000102.txt snort-2.9.2/doc/signatures/100000102.txt
--- snort-2.8.5.2/doc/signatures/100000102.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000102.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-100000102
-
---
-Summary:
-This event is generated when an empty UDP packet is sent to port 2305, where
-Halocon game servers typically listen.
-
---
-
-Impact:
-After receiving such a packet, the server will no longer listen on this port,
-denying the administrator the ability to send remote commands.
-
---
-Detailed Information:
-Halocon servers listen to UDP port 2305 for commands. Upon receiving an empty
-UDP packet to that port, the server shuts down the port. Administrators can no
-longer send remote commands to the server, effectively causing a denial of
-service. The server must be restarted to re-open the port.
-
---
-Affected Systems:
-Halocon 2.0.0.81
-
---
-
-Attack Scenarios:
-A script that generates empty UDP packets can be used to perform this attack.
-
---
-
-Ease of Attack:
-Simple; public exploits exist.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-No known patches or workarounds exist. System administrators may be able to
-reject these packets at their firewall, depending upon the abilities of the
-firewall system they use.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000103.txt snort-2.9.2/doc/signatures/100000103.txt
--- snort-2.8.5.2/doc/signatures/100000103.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000103.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-100000103
-
---
-Summary:
-This event is generated when an empty UDP packet is sent to port 7649, where
-Breed game servers typically listen.
-
---
-
-Impact:
-Upon receiving such a packet, the server will crash, causing a denial of
-service condition.
-
---
-Detailed Information:
-Breed game servers will pass a NULL pointer upon receiving an empty UDP packet
-on port 7649, causing an immediate crash. The server must be restarted for
-service to resume.
-
---
-Affected Systems:
-Brat Designs Breed
-Brat Designs Breed Patch #1
-
---
-
-Attack Scenarios:
-A script that generates empty UDP packets can be used to perform this attack.
-
---
-
-Ease of Attack:
-Simple; public exploits exist.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-No known patches or workarounds exist. System administrators may be able to
-reject these packets at their firewall, depending upon the abilities of the
-firewall system they use.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000104.txt snort-2.9.2/doc/signatures/100000104.txt
--- snort-2.8.5.2/doc/signatures/100000104.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000104.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000104
-
---
-Summary:
-This event is generated when an empty UDP packet is sent to port 27777, where
-Amp II 3D game servers typically listen.
-
---
-
-Impact:
-After receiving such a packet, the server will fall into an infinite loop,
-potentially consuming all resources on the host system. The administrator will
-need to restart the game server, and possibly the host system.
-
---
-Detailed Information:
-Amp II 3D servers listen to UDP port 27777 for commands. Upon receiving an
-empty UDP packet to that port, the server falls into an infinite loop, possibly
-consuming all resources on the host system. The administrator must restart the
-game server and/or the host system.
-
---
-Affected Systems:
-Amp II 3D Game Engine
-Amp Gore: Ultimate Soldier 1.50
-
---
-
-Attack Scenarios:
-A script that generates empty UDP packets can be used to perform this attack.
-
---
-
-Ease of Attack:
-Simple; public exploits exist.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-No known patches or workarounds exist. System administrators may be able to
-reject these packets at their firewall, depending upon the abilities of the
-firewall system they use.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000105.txt snort-2.9.2/doc/signatures/100000105.txt
--- snort-2.8.5.2/doc/signatures/100000105.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000105.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-100000105
-
---
-Summary:
-This event is generated when inappropriate content is detected in network
-traffic.
-
---
-Impact:
-Possible policy violation.
-
---
-Detailed Information:
-This event is generated when inappropriate content is detected in network
-traffic. Specifically, the content "lolita sex" was observed.
-
---
-Affected Systems:
- All systems.
-
---
-Attack Scenarios:
-This event indicates that inappropriate content may have been accessed from a
-host on the protected network.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-This may be a policy violation, refer to the appropriate internal policy.
-
---
-Contributors:
-Original Rule writer rmkml
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000106.txt snort-2.9.2/doc/signatures/100000106.txt
--- snort-2.8.5.2/doc/signatures/100000106.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000106.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,90 +0,0 @@
-Rule:
-
---
-Sid:
-100000106
-
---
-Summary:
-This event is generated when an SQL injection attempt is made against the
-Microsoft BizTalk Server DTA Interface.
-
---
-
-Impact:
-Attackers may retreive or modify sensitive in formation stored in the affected
-database. Additionally, attackers may use the database's functionality to
-execute arbitrary commands on the system with the priviliges of the user
-running the script, typically Administrator.
-
---
-Detailed Information:
-This rule looks specifically for attacks against the rawdocdata.asp module of
-the DTA Interface which contain the string "exec", which is required to run
-commands on the host system. Thus, this rule does not detect generic SQL
-injection attempts, only command execution attempts.
-
---
-Affected Systems:
-Microsoft BizTalk Server 2000 Developer Edition SP2
-Microsoft BizTalk Server 2000 Developer Edition SP1a
-Microsoft BizTalk Server 2000 Developer Edition
-Microsoft BizTalk Server 2000 Enterprise Edition SP2
-Microsoft BizTalk Server 2000 Enterprise Edition SP1a
-Microsoft BizTalk Server 2000 Enterprise Edition
-Microsoft BizTalk Server 2000 Standard Edition SP2
-Microsoft BizTalk Server 2000 Standard Edition SP1a
-Microsoft BizTalk Server 2000 Standard Edition
-Microsoft BizTalk Server 2002 Developer Edition
-Microsoft BizTalk Server 2002 Enterprise Edition
-
---
-
-Attack Scenarios:
-A web browser or a script may be used to exploit this vulnerability.
-
---
-
-Ease of Attack:
-Simple, as example attacks that can be used with a web browser are publicly
-available.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Patches which correct this problem are available from Microsoft.com.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-Microsoft BizTalk Server 2000 Enterprise Edition SP2:
-http://microsoft.com/downloads/details.aspx?FamilyId=001E93E4-0E6E-4289-AEFE-916
-1D2E5AF97&displaylang=en
-Microsoft BizTalk Server 2000 Developer Edition SP2:
-http://microsoft.com/downloads/details.aspx?FamilyId=001E93E4-0E6E-4289-AEFE-916
-1D2E5AF97&displaylang=en
-Microsoft BizTalk Server 2000 Standard Edition SP2:
-http://microsoft.com/downloads/details.aspx?FamilyId=001E93E4-0E6E-4289-AEFE-916
-1D2E5AF97&displaylang=en
-
-Microsoft BizTalk Server 2002 Enterprise Edition:
-http://microsoft.com/downloads/details.aspx?FamilyId=A05344FE-2622-4887-AA45-3DE
-7C4ED3C75&displaylang=en
-
-Microsoft BizTalk Server 2002 Developer Edition:
-http://microsoft.com/downloads/details.aspx?FamilyId=A05344FE-2622-4887-AA45-3DE
-7C4ED3C75&displaylang=en
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000107.txt snort-2.9.2/doc/signatures/100000107.txt
--- snort-2.8.5.2/doc/signatures/100000107.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000107.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,90 +0,0 @@
-Rule:
-
---
-Sid:
-100000107
-
---
-Summary:
-This event is generated when an SQL injection attempt is made against the
-Microsoft BizTalk Server DTA Interface.
-
---
-
-Impact:
-Attackers may retreive or modify sensitive in formation stored in the affected
-database. Additionally, attackers may use the database's functionality to
-execute arbitrary commands on the system with the priviliges of the user
-running the script, typically Administrator.
-
---
-Detailed Information:
-This rule looks specifically for attacks against the RawCustomSearchField.asp
-module of the DTA Interface which contain the string "exec", which is required
-to run commands on the host system. Thus, this rule does not detect generic SQL
-injection attempts, only command execution attempts.
-
---
-Affected Systems:
-Microsoft BizTalk Server 2000 Developer Edition SP2
-Microsoft BizTalk Server 2000 Developer Edition SP1a
-Microsoft BizTalk Server 2000 Developer Edition
-Microsoft BizTalk Server 2000 Enterprise Edition SP2
-Microsoft BizTalk Server 2000 Enterprise Edition SP1a
-Microsoft BizTalk Server 2000 Enterprise Edition
-Microsoft BizTalk Server 2000 Standard Edition SP2
-Microsoft BizTalk Server 2000 Standard Edition SP1a
-Microsoft BizTalk Server 2000 Standard Edition
-Microsoft BizTalk Server 2002 Developer Edition
-Microsoft BizTalk Server 2002 Enterprise Edition
-
---
-
-Attack Scenarios:
-A web browser or a script may be used to exploit this vulnerability.
-
---
-
-Ease of Attack:
-Simple, as example attacks that can be used with a web browser are publicly
-available.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Patches which correct this problem are available from Microsoft.com.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-Microsoft BizTalk Server 2000 Enterprise Edition SP2:
-http://microsoft.com/downloads/details.aspx?FamilyId=001E93E4-0E6E-4289-AEFE-916
-1D2E5AF97&displaylang=en
-Microsoft BizTalk Server 2000 Developer Edition SP2:
-http://microsoft.com/downloads/details.aspx?FamilyId=001E93E4-0E6E-4289-AEFE-916
-1D2E5AF97&displaylang=en
-Microsoft BizTalk Server 2000 Standard Edition SP2:
-http://microsoft.com/downloads/details.aspx?FamilyId=001E93E4-0E6E-4289-AEFE-916
-1D2E5AF97&displaylang=en
-
-Microsoft BizTalk Server 2002 Enterprise Edition:
-http://microsoft.com/downloads/details.aspx?FamilyId=A05344FE-2622-4887-AA45-3DE
-7C4ED3C75&displaylang=en
-
-Microsoft BizTalk Server 2002 Developer Edition:
-http://microsoft.com/downloads/details.aspx?FamilyId=A05344FE-2622-4887-AA45-3DE
-7C4ED3C75&displaylang=en
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000108.txt snort-2.9.2/doc/signatures/100000108.txt
--- snort-2.8.5.2/doc/signatures/100000108.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000108.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000108
-
---
-Summary:
-This event is generated when an SQL injection attempt is made against the
-OpenBB web bulliten board system.
-
---
-
-Impact:
-Attackers may run arbitrary database commands with the privileges of the
-affected script.
-
---
-Detailed Information:
-This rule looks specifically for attacks against the board.php module of the
-OpenBB program. Attackers must supply a variable whose value is numeric,
-followed by a space, in order to exploit this vulnerability.
-
---
-Affected Systems:
-OpenBB 1.0.5
-OpenBB 1.1.0
-
---
-
-Attack Scenarios:
-A web browser or a script may be used to exploit this vulnerability.
-
---
-
-Ease of Attack:
-Simple, as example attacks that can be used with a web browser are publicly
-available.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Currently, no vendor-supplied patches are available. A descripton of an
-unverified workaround is available in the Additional References section.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-http://www.securityfocus.com/archive/1/319714
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000109.txt snort-2.9.2/doc/signatures/100000109.txt
--- snort-2.8.5.2/doc/signatures/100000109.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000109.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000109
-
---
-Summary:
-This event is generated when an SQL injection attempt is made against the
-OpenBB web bulliten board system.
-
---
-
-Impact:
-Attackers may run arbitrary database commands with the privileges of the
-affected script.
-
---
-Detailed Information:
-This rule looks specifically for attacks against the member.php module of the
-OpenBB program. Attackers must supply a variable whose value is numeric,
-followed by a space, in order to exploit this vulnerability.
-
---
-Affected Systems:
-OpenBB 1.0.5
-OpenBB 1.1.0
-
---
-
-Attack Scenarios:
-A web browser or a script may be used to exploit this vulnerability.
-
---
-
-Ease of Attack:
-Simple, as example attacks that can be used with a web browser are publicly
-available.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Currently, no vendor-supplied patches are available. A descripton of an
-unverified workaround is available in the Additional References section.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-http://www.securityfocus.com/archive/1/319714
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000110.txt snort-2.9.2/doc/signatures/100000110.txt
--- snort-2.8.5.2/doc/signatures/100000110.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000110.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-100000110
-
---
-Summary:
-This event is generated when the Dabber virus attempts to exploit a
-vulnerability in the FTP server installed by the Sasser virus.
-
---
-
-Impact:
-If the Sasser virus is currently running on the affected system, then the
-Dabber virus will be able to install itself as well.
-
---
-Detailed Information:
-Some variants of the Sasser virus install an FTP server that listens on port
-5554. However, this FTP server suffers from a buffer overflow in the PORT
-command, which can be exploited with a command of 100 or more characters. The
-Dabber virus makes use of this vulnerability as an infection vetor.
-
---
-Affected Systems:
-Any machine with a variant of the Sasser virus whose FTP server listens on port
-5554.
-
---
-
-Attack Scenarios:
-A known virus scans the Internet in search of vulnerable systems.
-
---
-
-Ease of Attack:
-Simple, as the virus is in the wild.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Users should employ a virus removal tool to clean their system of both Dabber
-and Sasser, and then apply the latest security patches from Microsoft to
-prevent further infections.
-
---
-Contributors:
-Matt Watchinski
-Alex Kirk
-
---
-Additional References:
-
-http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000111.txt snort-2.9.2/doc/signatures/100000111.txt
--- snort-2.8.5.2/doc/signatures/100000111.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000111.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-100000111
-
---
-Summary:
-This event is generated when the Dabber virus attempts to exploit a
-vulnerability in the FTP server installed by the Sasser virus.
-
---
-
-Impact:
-If the Sasser virus is currently running on the affected system, then the
-Dabber virus will be able to install itself as well.
-
---
-Detailed Information:
-Some variants of the Sasser virus install an FTP server that listens on port
-1023. However, this FTP server suffers from a buffer overflow in the PORT
-command, which can be exploited with a command of 100 or more characters. The
-Dabber virus makes use of this vulnerability as an infection vetor.
-
---
-Affected Systems:
-Any machine with a variant of the Sasser virus whose FTP server listens on port
-1023.
-
---
-
-Attack Scenarios:
-A known virus scans the Internet in search of vulnerable systems.
-
---
-
-Ease of Attack:
-Simple, as the virus is in the wild.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Users should employ a virus removal tool to clean their system of both Dabber
-and Sasser, and then apply the latest security patches from Microsoft to
-prevent further infections.
-
---
-Contributors:
-Matt Watchinski
-Alex Kirk
-
---
-Additional References:
-
-http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000112.txt snort-2.9.2/doc/signatures/100000112.txt
--- snort-2.8.5.2/doc/signatures/100000112.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000112.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-100000112
-
---
-Summary:
-This event is generated when the readfile.tcl script on a Nokia IPSO device is
-accessed.
-
---
-
-Impact:
-Since the script does not perform any input validation, users can read any file
-on the host operating system for which the script has permissions.
-
---
-Detailed Information:
-An attacker may specify any file on the host operating system, and if the
-script has read permissions for that file, it will be displayed in the web
-browser. Users must be able to log into the Nokia web gui to perform this
-attack.
-
---
-Affected Systems:
-Nokia IPSO 3.3 SP4
-Nokia IPSO 3.3 SP3
-Nokia IPSO 3.3 SP2
-Nokia IPSO 3.3 SP1
-Nokia IPSO 3.3
-Nokia IPSO 3.3.1
-Nokia IPSO 3.4
-Nokia IPSO 3.4.1
-Nokia IPSO 3.4.2
-
---
-
-Attack Scenarios:
-This vulnerability may be exploited using a web browser, or an automated script.
-
---
-
-Ease of Attack:
-Simple, as attacks may be performed via a web browser.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Currently, no workarounds or patches are available.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000113.txt snort-2.9.2/doc/signatures/100000113.txt
--- snort-2.8.5.2/doc/signatures/100000113.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000113.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000113
-
---
-Summary:
-This event is generated when an attacker attempts to execute arbitrary commands
-on a system running the HappyMall E-Commerce suite.
-
---
-
-Impact:
-Attackers may run arbitrary commands of their choosing with the permissions of
-the affected script.
-
---
-Detailed Information:
-By specifying a value for the "file" parameter of the "member_html.cgi" script
-that is enclosed by any combination of pipe or semicolon characters, attackers
-may execute arbitrary commands on the host system with the privileges of the
-affected script.
-
---
-Affected Systems:
-HappyCGI HappyMall 4.3
-HappyCGI HappyMall 4.4
-
---
-
-Attack Scenarios:
-This vulnerability may be exploited using a web browser, or an automated script.
-
---
-
-Ease of Attack:
-Simple, as a web browser or publicly available exploits may be used.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-An unconfirmed patch is available at the URI listed in the Additional
-References section.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
-http://happymall.happycgi.com/forum/forum_detail.cgi?thread=353
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000114.txt snort-2.9.2/doc/signatures/100000114.txt
--- snort-2.8.5.2/doc/signatures/100000114.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000114.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000114
-
---
-Summary:
-This event is generated when an attacker attempts to execute arbitrary commands
-on a system running the HappyMall E-Commerce suite.
-
---
-
-Impact:
-Attackers may run arbitrary commands of their choosing with the permissions of
-the affected script.
-
---
-Detailed Information:
-By specifying a value for the "file" parameter of the "normal_html.cgi" script
-that is enclosed by any combination of pipe or semicolon characters, attackers
-may execute arbitrary commands on the host system with the privileges of the
-affected script.
-
---
-Affected Systems:
-HappyCGI HappyMall 4.3
-HappyCGI HappyMall 4.4
-
---
-
-Attack Scenarios:
-This vulnerability may be exploited using a web browser, or an automated script.
-
---
-
-Ease of Attack:
-Simple, as a web browser or publicly available exploits may be used.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-An unconfirmed patch is available at the URI listed in the Additional
-References section.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
-http://happymall.happycgi.com/forum/forum_detail.cgi?thread=353
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000115.txt snort-2.9.2/doc/signatures/100000115.txt
--- snort-2.8.5.2/doc/signatures/100000115.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000115.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-100000115
-
---
-Summary:
-This event is generated when the PHP-Nuke program's Web_Links module is access
-with a NULL value for the CID parameter.
-
---
-
-Impact:
-Sensitive path information may be disclosed, allowing an attacker to conduct
-reconnaissance against the affected host.
-
---
-Detailed Information:
-Queries made to PHP-Nuke's Web_Links module which omit the CID parameter, or
-which leave its value blank, will generate an error that discloses sensitive
-path information about the affected host.
-
---
-Affected Systems:
-PHP-Nuke 6.0
-PHP-Nuke 6.5
-PHP-Nuke 6.5 RC1
-PHP-Nuke 6.5 RC2
-PHP-Nuke 6.5 RC3
-PHP-Nuke 6.5 BETA 1
-PHP-Nuke 6.5 FINAL
-
---
-
-Attack Scenarios:
-This vulnerability may be exploited with a web browser.
---
-
-Ease of Attack:
-Simple, as example exploit URIs exist.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-An unsupported fix exists at the URI referenced in the Additional References
-section. No vendor-supplied patch or workaround exists.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
-http://www.securityfocus.com/archive/1/321313
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000116.txt snort-2.9.2/doc/signatures/100000116.txt
--- snort-2.8.5.2/doc/signatures/100000116.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000116.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-100000116
-
---
-Summary:
-This event is generated when the PHP-Nuke program's Web_Links module is access
-with a value for the CID parameter which is not numeric.
-
---
-
-Impact:
-Sensitive path information may be disclosed, allowing an attacker to conduct
-reconnaissance against the affected host.
-
---
-Detailed Information:
-Queries made to PHP-Nuke's Web_Links module which use non-numeric values for
-the CID parameter will generate an error that discloses sensitive path
-information about the affected host.
-
---
-Affected Systems:
-PHP-Nuke 6.0
-PHP-Nuke 6.5
-PHP-Nuke 6.5 RC1
-PHP-Nuke 6.5 RC2
-PHP-Nuke 6.5 RC3
-PHP-Nuke 6.5 BETA 1
-PHP-Nuke 6.5 FINAL
-
---
-
-Attack Scenarios:
-This vulnerability may be exploited with a web browser.
---
-
-Ease of Attack:
-Simple, as example exploit URIs exist.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-An unsupported fix exists at the URI referenced in the Additional References
-section. No vendor-supplied patch or workaround exists.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
-http://www.securityfocus.com/archive/1/321313
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000117.txt snort-2.9.2/doc/signatures/100000117.txt
--- snort-2.8.5.2/doc/signatures/100000117.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000117.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000117
-
---
-Summary:
-This event is generated when an attempt is made to execute arbitrary commands
-on a web server via the VBulliten system.
-
---
-
-Impact:
-Attackers may execute arbitrary code of their choosing with the privileges of
-the affected script.
-
---
-Detailed Information:
-The "comma" parameter of VBulliten's "forumdisplay.php" script is not
-sufficiently santitized, and will allow users to run arbitrary commands with
-the privileges of the affected script on the host system when the
-"showforumusers" option has been enabled by the system administrator.
-
---
-Affected Systems:
-VBulletin 3.0
-VBulletin 3.0 Beta 2
-VBulletin 3.0 Beta 3
-VBulletin 3.0 Beta 4
-VBulletin 3.0 Beta 5
-VBulletin 3.0 Beta 6
-VBulletin 3.0 Beta 7
-VBulletin 3.0 Gamma
-VBulletin 3.0.1
-VBulletin 3.0.2
-VBulletin 3.0.3
-VBulletin 3.0.4
-
---
-
-Attack Scenarios:
-A web browser or an automated script may be used to exploit this vulnerability.
-
---
-
-Ease of Attack:
-Simple, as public exploits exist.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-It has been reported that VBulliten versions 3.0.5 and above are not
-vulnerable. Additionally, administrators may disable the "showforumusers"
-configuration option as a workaround.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
-http://www.vbulletin.com/
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000118.txt snort-2.9.2/doc/signatures/100000118.txt
--- snort-2.8.5.2/doc/signatures/100000118.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000118.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-100000118
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow
-present in Internet Explorer's urlmon.dll file.
-
---
-
-Impact:
-An attacker may execute arbitrary commands with the privileges of the user
-running Internet Explorer.
-
---
-Detailed Information:
-If a web server sends data with a Content-Type value of 300 or more bytes, a
-buffer overflow is triggered, and commands may be executed with the privileges
-of the user running Internet Explorer.
-
---
-Affected Systems:
-Internet Explorer 5.0.1
-Internet Explorer 5.0.1 SP1
-Internet Explorer 5.0.1 SP2
-Internet Explorer 5.0.1 SP3
-Internet Explorer 5.5
-Internet Explorer 5.5 SP1
-Internet Explorer 5.5 SP2
-Internet Explorer 6.0
-Internet Explorer 6.0 SP1
-
---
-
-Attack Scenarios:
-An attacker must entice a user to click on a link to a properly configured
-server, which will return the necessary data.
-
---
-
-Ease of Attack:
-Medium. An attacker must control a properly configured web server, and entice
-users to click on a link to that server.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Apply the latest patches for Internet Explorer from Microsoft.com.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000119.txt snort-2.9.2/doc/signatures/100000119.txt
--- snort-2.8.5.2/doc/signatures/100000119.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000119.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-100000119
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow
-present in Internet Explorer's urlmon.dll file.
-
---
-
-Impact:
-An attacker may execute arbitrary commands with the privileges of the user
-running Internet Explorer.
-
---
-Detailed Information:
-If a web server sends data with a Content-Encoding value of 300 or more bytes,
-a buffer overflow is triggered, and commands may be executed with the
-privileges of the user running Internet Explorer.
-
---
-Affected Systems:
-Internet Explorer 5.0.1
-Internet Explorer 5.0.1 SP1
-Internet Explorer 5.0.1 SP2
-Internet Explorer 5.0.1 SP3
-Internet Explorer 5.5
-Internet Explorer 5.5 SP1
-Internet Explorer 5.5 SP2
-Internet Explorer 6.0
-Internet Explorer 6.0 SP1
-
---
-
-Attack Scenarios:
-An attacker must entice a user to click on a link to a properly configured
-server, which will return the necessary data.
-
---
-
-Ease of Attack:
-Simple. An attacker must control a properly configured web server, and entice
-users to click on a link to that server.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Apply the latest patches for Internet Explorer from Microsoft.com.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000121.txt snort-2.9.2/doc/signatures/100000121.txt
--- snort-2.8.5.2/doc/signatures/100000121.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000121.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000121
-
---
-Summary:
-This event is generated when a script named "test" is accessed from a location
-outside of EXTERNAL_NET.
-
---
-
-Impact:
-Varies depending upon the script.
-
---
-Detailed Information:
-Generally speaking, scripts named "test" should not be accessed by anyone
-outside of the developer's internal network. These scripts rarely lack proper
-input sanitization, often allow unfettered access to sensitive resources, and
-can suffer from a host of vulnerabilities due to the fact that developers
-generally do not have security in mind when testing a script.
-
---
-Affected Systems:
-Any system with an improperly secured developer test script.
-
---
-
-Attack Scenarios:
-Attacks vary depending upon the nature of the script.
-
---
-
-Ease of Attack:
-The ease of attacks vary depending upon the nature of the script.
-
---
-
-False Positives:
-Some scripts may legitimately be named "test", or developers may access these
-scripts from outside of their internal development environment. Users who are
-receiving an inordinate amount of false positives may wish to disable this rule.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Test scripts should be properly hardened if they are made publicly available,
-or access to them should be restricted to authorized personnel.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000122.txt snort-2.9.2/doc/signatures/100000122.txt
--- snort-2.8.5.2/doc/signatures/100000122.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000122.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,77 +0,0 @@
-Rule:
-
---
-Sid:
-100000122
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow in
-the Macromedia mod_jrun module.
-
---
-
-Impact:
-The affected server will be crashed, and remote code execution with the
-privileges of the server is possible.
-
---
-Detailed Information:
-Specially crafted data which is sent to the vulnerable server that contains a
-colon followed by 1,000 or more bytes will trigger this buffer overflow. The
-affected server will crash, and remote code execution with the privileges of
-the affected server is possible.
-NOTE: This rule may severely impact performance. It is recommended that you
-disable this rule if you are not running vulnerable software.
-
---
-Affected Systems:
-Macromedia ColdFusion MX 6.0
-Macromedia ColdFusion MX 6.1
-Macromedia ColdFusion MX J2EE 6.1
-Macromedia JRun 3.0
-Macromedia JRun 3.1
-Macromedia JRun 4.0
-Hitachi Cosminexus Enterprise Enterprise Edition 01-02
-Hitachi Cosminexus Enterprise Enterprise Edition 01-01
-Hitachi Cosminexus Enterprise Standard Edition 01-02
-Hitachi Cosminexus Enterprise Standard Edition 01-01
-Hitachi Cosminexus Server Web Edition 01-02
-Hitachi Cosminexus Server Web Edition 01-01
-
---
-
-Attack Scenarios:
-A script must be used to exploit this vulnerability.
-
---
-
-Ease of Attack:
-Simple, as an attack is included as part of the Metasploit vulnerability
-testing framework.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Patches are available from Macromedia. As a workaround, the vendor suggests
-disabling the "verbose" debug mode on web server connectors, as it will stop
-attackers from exploiting this vulnerability.
-
---
-Contributors:
-Judy Novak
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000123.txt snort-2.9.2/doc/signatures/100000123.txt
--- snort-2.8.5.2/doc/signatures/100000123.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000123.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-100000123
-
---
-Summary:
-This event is generated when inappropriate content is detected in network
-traffic.
-
---
-Impact:
-Possible policy violation.
-
---
-Detailed Information:
-This event is generated when inappropriate content is detected in network
-traffic. Specifically, the content "pre-teen" was observed.
-
---
-Affected Systems:
- All systems.
-
---
-Attack Scenarios:
-This event indicates that inappropriate content may have been accessed from a
-host on the protected network.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-This may be a policy violation, refer to the appropriate internal policy.
-
---
-Contributors:
-Original Rule writer rmkml
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000124.txt snort-2.9.2/doc/signatures/100000124.txt
--- snort-2.8.5.2/doc/signatures/100000124.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000124.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-100000124
-
---
-Summary:
-This event is generated when inappropriate content is detected in network
-traffic.
-
---
-Impact:
-Possible policy violation.
-
---
-Detailed Information:
-This event is generated when inappropriate content is detected in network
-traffic. Specifically, the content "girls gone wild" was observed.
-
---
-Affected Systems:
- All systems.
-
---
-Attack Scenarios:
-This event indicates that inappropriate content may have been accessed from a
-host on the protected network.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-This may be a policy violation, refer to the appropriate internal policy.
-
---
-Contributors:
-Original Rule writer rmkml
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000125.txt snort-2.9.2/doc/signatures/100000125.txt
--- snort-2.8.5.2/doc/signatures/100000125.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000125.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-100000125
-
---
-Summary:
-This event is generated when an attempt is made to overflow a buffer in the
-SafeNet Sentinel License Manager.
-
---
-
-Impact:
-The affected server will be crashed, and remote code execution with system
-privileges is possible.
-
---
-Detailed Information:
-If the SafeNet Sentinel License Manager recieves a packet containing over 1,000
-bytes, a buffer will be overflowed. If properly crafted data is sent, arbitrary
-code may be executed with system privileges.
-
---
-Affected Systems:
-SafeNet Sentinel License Manager 7.2.0.2
-
---
-
-Attack Scenarios:
-A script must be used to exploit this vulnerability.
-
---
-
-Ease of Attack:
-Simple, as an attack is included as part of the Metasploit vulnerability
-testing framework.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Upgrade to version 8.0 of the affected software.
-
---
-Contributors:
-Judy Novak
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000126.txt snort-2.9.2/doc/signatures/100000126.txt
--- snort-2.8.5.2/doc/signatures/100000126.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000126.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-100000126
-
---
-Summary:
-This event is generated when an attempt is made to overflow a buffer in the
-GoodTech Telenet server.
-
---
-
-Impact:
-The affected server will be crashed, and remote code execution with the
-privileges of the user running the telnet server is possible.
-
---
-Detailed Information:
-If the GoodTech telnet server recieves 10,083 bytes before a newline, a buffer
-will be overflowed. If properly crafted data is sent, arbitrary code may be
-executed with the privileges of the user running the server. Note that the rule
-looks for 1,000 or more bytes before a newline, due to limitations which do not
-allow a search for the full number of bytes required for the exploit.
-
---
-Affected Systems:
-GoodTech Telnet Server 4.0
-GoodTech Telnet Server 5.0
-
---
-
-Attack Scenarios:
-A script must be used to exploit this vulnerability.
-
---
-
-Ease of Attack:
-Simple, as public exploits exist.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Upgrade to version 5.0.7 of the affected software.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000127.txt snort-2.9.2/doc/signatures/100000127.txt
--- snort-2.8.5.2/doc/signatures/100000127.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000127.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-100000127
-
---
-Summary:
-This event is generated when an attempt is made to link to an external script
-as part of the Stadtaus.com PHP Form Mail program.
-
---
-
-Impact:
-The script being included will be run in the same security context as the
-vulnerable program, enabling a variety of web-based attacks.
-
---
-Detailed Information:
-The Stadtaus.com PHP Form Mail system's formmail.inc.php module, when including
-other scripts by way of its script_root parameter, fails to validate the
-location of these scripts, and thus allows attackers to include any malicious
-script anywhere on the web. The included script will be executed with the same
-permissions and in the same security context at the vulnerable program itself,
-thus allowing a range of attacks.
-
---
-Affected Systems:
-Stadtaus.com PHP Form Mail Script 2.3
-
---
-
-Attack Scenarios:
-This vulnerability may be exploited with a web browser or a script.
-
---
-
-Ease of Attack:
-Simple, as it can be exploited using a web browser.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Currently, there are no vendor-supplied patches or workarounds. However, if it
-is possible to globally disable PHP's 'allow_url_fopen' and 'register_globals'
-directives in your environment, doing so may disable this vulnerability.
-However, turning off these directives should be tested in a non-production
-environment, in case doing so breaks other scripts on your system.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000128.txt snort-2.9.2/doc/signatures/100000128.txt
--- snort-2.8.5.2/doc/signatures/100000128.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000128.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-100000128
-
---
-Summary:
-This event is generated when an attempt is made to link to an external script
-as part of the Stadtaus.com PHP Form Mail program.
-
---
-
-Impact:
-The script being included will be run in the same security context as the
-vulnerable program, enabling a variety of web-based attacks.
-
---
-Detailed Information:
-The Stadtaus.com PHP Form Mail system's download_center_lite.inc.php module,
-when including other scripts by way of its script_root parameter, fails to
-validate the location of these scripts, and thus allows attackers to include
-any malicious script anywhere on the web. The included script will be executed
-with the same permissions and in the same security context at the vulnerable
-program itself, thus allowing a range of attacks.
-
---
-Affected Systems:
-Stadtaus.com PHP Form Mail Script 2.3
-
---
-
-Attack Scenarios:
-This vulnerability may be exploited with a web browser or a script.
-
---
-
-Ease of Attack:
-Simple, as it can be exploited using a web browser.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Currently, there are no vendor-supplied patches or workarounds. However, if it
-is possible to globally disable PHP's 'allow_url_fopen' and 'register_globals'
-directives in your environment, doing so may disable this vulnerability.
-However, turning off these directives should be tested in a non-production
-environment, in case doing so breaks other scripts on your system.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000129.txt snort-2.9.2/doc/signatures/100000129.txt
--- snort-2.8.5.2/doc/signatures/100000129.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000129.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,89 +0,0 @@
-Rule:
-
---
-Sid:
-100000129
-
---
-Summary:
-This event is generated when a malformed URL is sent to a Cisco IOS HTTP
-Router, which may cause a denial of service.
-
---
-
-Impact:
-If a router running a vulnerable version of the IOS HTTP server receives this
-request, it will fall into an infinite loop, causing a denial of service. The
-router will restart after two minutes, when the system's watchdog timer
-realizes that the router has become unresponsive.
-
---
-Detailed Information:
-If a "?" character immediately follows a "/" character in a URI, vulnerable
-versions of the Cisco IOS HTTP Router will fall into an infinite loop, causing
-a denial of service. The router will restart after two minutes, when the
-system's watchdog timer realizes that the router has become unresponsive.
-
-
---
-Affected Systems:
-Cisco IOS 12.0 XJ
-Cisco IOS 12.0 XH
-Cisco IOS 12.0 XE
-Cisco IOS 12.0 XA
-Cisco IOS 12.0 W5
-Cisco IOS 12.0 T
-Cisco IOS 12.1 XP
-Cisco IOS 12.1 XL
-Cisco IOS 12.1 XJ
-Cisco IOS 12.1 XI
-Cisco IOS 12.1 XH
-Cisco IOS 12.1 XG
-Cisco IOS 12.1 XF
-Cisco IOS 12.1 XE
-Cisco IOS 12.1 XD
-Cisco IOS 12.1 XC
-Cisco IOS 12.1 XB
-Cisco IOS 12.1 XA
-Cisco IOS 12.1 T
-Cisco IOS 12.1 EC
-Cisco IOS 12.1 E
-Cisco IOS 12.1 DC
-Cisco IOS 12.1 DB
-Cisco IOS 12.1 DA
-Cisco IOS 12.1 AA
-Cisco IOS 12.1
-
---
-
-Attack Scenarios:
-This vulnerability may be exploited with a web browser or a script.
-
---
-
-Ease of Attack:
-Simple, as it can be exploited using a web browser.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Apply the vendor-supplied patch, available at Cisco.com. As a workaround, the
-IOS HTTP server may be disabled by using the command "no ip http server".
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000130.txt snort-2.9.2/doc/signatures/100000130.txt
--- snort-2.8.5.2/doc/signatures/100000130.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000130.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-100000130
-
---
-Summary:
-This event is generated when a request for the file "Filelist.html" is sent to
-the PY Software Active Webcam Server.
-
---
-
-Impact:
-A denial of service will result, and the server will need to be manually
-restarted.
-
---
-Detailed Information:
-Requests for the file "Filelist.html" will cause the PY Software Active Webcam
-Server to crash. This rule looks for such requests on port 8080, the default
-port for this server.
-
---
-Affected Systems:
-PY Software Active WebCam 4.3
-PY Software Active WebCam 5.5
-
---
-
-Attack Scenarios:
-This vulnerability may be exploited with a web browser or a script.
-
---
-
-Ease of Attack:
-Simple, as it can be exploited using a web browser.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Currently, there are no known workarounds or fixes.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000131.txt snort-2.9.2/doc/signatures/100000131.txt
--- snort-2.8.5.2/doc/signatures/100000131.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000131.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-100000131
-
---
-Summary:
-This event is generated when a request for a file residing on a floppy drive is
-sent to the PY Software Active Webcam Server.
-
---
-
-Impact:
-A denial of service will result, and the server will need to be manually
-restarted.
-
---
-Detailed Information:
-Requests for files residing on a floppy drive will cause the PY Software Active
-Webcam Server to crash. This rule looks for requests in the form of
-"/A:file.ext" on port 8080, the default port for this server.
-
---
-Affected Systems:
-PY Software Active WebCam 4.3
-PY Software Active WebCam 5.5
-
---
-
-Attack Scenarios:
-This vulnerability may be exploited with a web browser or a script.
-
---
-
-Ease of Attack:
-Simple, as it can be exploited using a web browser.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Currently, there are no known workarounds or fixes.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000132.txt snort-2.9.2/doc/signatures/100000132.txt
--- snort-2.8.5.2/doc/signatures/100000132.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000132.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -100000132 - --- -Summary: -This event is generated when a connection is made to the Internet via a proxy -server on your internal network. - --- - -Impact: -If the server is not legitimate, anyone with access to it can use your -bandwidth to access the Internet; if users conduct malicious activity on the -Internet through this server, the activity will appear to have come from the -misconfigured machine. - --- -Detailed Information: -This rule looks for pieces of HTTP requests being made by a misconfigured -Squid, ISA, or NetCache proxy server. If it fires, and the machine the alert is -coming from is not a known proxy server, it indicates that the machine in -question is either improperly configured or has been compromised. - -False positives associated with this rule may be reduced considerably, or even -eliminated, by the use of a custom variable. By editing your snort.conf to -include "var KNOWN_PROXY_SERVERS = [ -Alex Kirk - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/100000133.txt snort-2.9.2/doc/signatures/100000133.txt --- snort-2.8.5.2/doc/signatures/100000133.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000133.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000133
-
---
-Summary:
-This event is generated when an attempt is made to cause a denial of service
-against the Xeneo web server by sending it a request with an overly large
-number of "?" characters.
-
---
-
-Impact:
-A denial of service will occur, and it may be possible to execute arbitrary
-code with the privileges of the user running the web server.
-
---
-Detailed Information:
-The denial of service is triggered when a GET request is made with more than
-4096 "?" characters. The rule actually looks for 250 consecutive "?"
-characters, as even that should never occur, and looking for a smaller number
-increases the rule's performance.
-
---
-Affected Systems:
-Northern Solutions Xeneo Web Server 2.2.10
-
---
-
-Attack Scenarios:
-This vulnerability may be exploited with a web browser or an automated script.
-
---
-
-Ease of Attack:
-Simple, as a web browser can be used.
-
---
-
-False Positives:
-If a valid request contains more than 250 and less than 4096 consecutive "?"
-characters, a false positive will be generated.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Currently, no patches or upgrades are available from the vendor, and no
-workarounds are known.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000134.txt snort-2.9.2/doc/signatures/100000134.txt
--- snort-2.8.5.2/doc/signatures/100000134.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000134.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-100000134
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Tcpdump. In particular, this event indicates that the exploit
-was attempted via a malformed Resource Reservation Protocol (RSVP) packet.
-
---
-Impact:
-Serious. Denial of Service (DoS). Code execution may be possible.
-
---
-Detailed Information:
-Tcpdump is a packet capture utility used on various BSD, Linux and UNIX style
-operating systems.
-
-An error in the processing of the payload length in an RSVP packet may prevent
-an attacker with the opportunity to overflow a fixed length buffer and execute
-code of their choosing in the context of the user running tcpdump. This is
-normally the super-user or administrator when tcpdump is used to sniff data
-directly from a network interface.
-
---
-Affected Systems:
-Tcpdump 3.9.1 and prior
-Ethereal 0.10.10 and prior
-
---
-Attack Scenarios:
-An attacker need to craft an RSVP packet with a packet payload length of 0 to
-cause the overflow to manifest itself.
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000135.txt snort-2.9.2/doc/signatures/100000135.txt
--- snort-2.8.5.2/doc/signatures/100000135.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000135.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-100000135
-
---
-Summary:
-This event is generated when an attempt to exploit a format string attack
-against the GNU Mailutils imap4d server.
-
---
-
-Impact:
-A denial of service will occur, and it may be possible to execute arbitrary
-code with the privileges of the user running the imap server.
-
---
-Detailed Information:
-The vulnerability is triggered when the request tag contains format string
-characters. This will cause the server to read and/or write at invalid memory
-locations, potentially allowing an attacker to execute arbitrary code.
-
---
-Affected Systems:
-GNU Mailutils 0.5
-GNU Mailutils 0.6
-
---
-
-Attack Scenarios:
-Publicly available scripts exist to exploit this vulnerability.
-
---
-
-Ease of Attack:
-Simple, exploit scripts exist.
-
---
-
-False Positives:
-None known.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Upgrade to version 0.6.90 or higher.
-
---
-Contributors:
-Judy Novak
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000136.txt snort-2.9.2/doc/signatures/100000136.txt
--- snort-2.8.5.2/doc/signatures/100000136.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000136.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-Rule:
-
---
-Sid:
-100000136
-
---
-Summary:
-This event is generated when an attempt is made to exploit a vulnerability
-associated with the gnu_mailutils IMAP4 server.
-
---
-Impact:
-Serious. Execution of arbitrary commands may be possible.
-
---
-Detailed Information:
-
-A vulnerability exists in the way that the GNU Mailutils IMAP4 server handles
-malformed IMAP commands containing format strings. This may permit the
-execution of arbitrary code on a vulnerable server.
-
---
-Affected Systems:
-GNU Mailutils 0.5, 0.6
-
---
-Attack Scenarios:
-An attacker can send an IMAP command containing format strings, possibly
-permitting the execution of arbitrary code.
-
---
-Ease of Attack:
-Simple, exploit scripts exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to version 0.6.90 or higher.
-
---
-Contributors:
-Judy Novak
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000138.txt snort-2.9.2/doc/signatures/100000138.txt
--- snort-2.8.5.2/doc/signatures/100000138.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000138.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000138
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Internet Information Server (IIS).
-
---
-Impact:
-Serious. Information Disclosure, application source code may be disclosed.
-
---
-Detailed Information:
-A programming error in an error page for Microsoft IIS may result in the
-discloure of asp code disclosure on an affected system.
-
-By making a request to a server using a modified SERVER_NAME variable, the
-underlying asp code is displayed in the error page returned to the requestor if
-the asp page generates an error.
-
---
-Affected Systems:
-Microsoft IIS 6.0 and prior
-
---
-Attack Scenarios:
-An attacker can make a request to the server and modify the SERVER_NAME
-variable to be either localhost or 127.0.0.1, if the page returns an error the
-asp code is revealed.
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Original Rule writer rmkml
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000139.txt snort-2.9.2/doc/signatures/100000139.txt
--- snort-2.8.5.2/doc/signatures/100000139.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000139.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000139
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Internet Information Server (IIS).
-
---
-Impact:
-Serious. Information Disclosure, application source code may be disclosed.
-
---
-Detailed Information:
-A programming error in an error page for Microsoft IIS may result in the
-discloure of asp code disclosure on an affected system.
-
-By making a request to a server using a modified SERVER_NAME variable, the
-underlying asp code is displayed in the error page returned to the requestor if
-the asp page generates an error.
-
---
-Affected Systems:
-Microsoft IIS 6.0 and prior
-
---
-Attack Scenarios:
-An attacker can make a request to the server and modify the SERVER_NAME
-variable to be either localhost or 127.0.0.1, if the page returns an error the
-asp code is revealed.
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Original Rule writer rmkml
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000140.txt snort-2.9.2/doc/signatures/100000140.txt
--- snort-2.8.5.2/doc/signatures/100000140.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000140.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-100000140
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow in
-the MySQL MaxDB web server.
-
---
-
-Impact:
-A denial of service will occur, and arbitrary code may be executed with the
-privileges of the user running the web server.
-
---
-Detailed Information:
-If an HTTP GET request beginning with a "%" character and followed by at least
-215 non-newline characters is sent to the MySQL MaxDB web server, a buffer
-overflow will occur. This will result in a denial of service, and possibly
-execution of arbitrary code with the privileges of the user running the web
-server.
-
---
-Affected Systems:
-MySQL MaxDB >= 7.5.00.24
-
---
-
-Attack Scenarios:
-This vulnerability may be exploited with a web browser or an automated script.
-
---
-
-Ease of Attack:
-Simple, as a web browser can be used.
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Upgrade to version 7.5.00.26 or higher.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000141.txt snort-2.9.2/doc/signatures/100000141.txt
--- snort-2.8.5.2/doc/signatures/100000141.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000141.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-100000141
-
---
-Summary:
-This event is generated when an attempt is made to exploit a
-directory traversal associated with Imail Web Calendaring
-servicel
-
---
-Impact:
-A successful attack can permit a user to navigate outside
-of the web root directory and read files.
-
---
-Detailed Information:
-The Imail Web Calendaring Server does not properly sanitize
-a malformed URL that contains directory traversal characters.
-This vulnerability is associated with static objects identified
-by names ending in .jsp, .jpg, .gif, .wav, .css, or .htm. This
-can permit an unauthorized user to examine files that may contain
-sensitive information.
-
---
-Affected Systems:
-Ipswitch IMail Server 8.2 and prior
-Ipswitch IMail Server 8.15 and prior
-
---
-Attack Scenarios:
-An attacker send a URI containing a directory traversal to view
-sensitive files on a vulnerable server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the most current non-affected version of the product.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-Other:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000142.txt snort-2.9.2/doc/signatures/100000142.txt
--- snort-2.8.5.2/doc/signatures/100000142.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000142.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-100000142
-
---
-Summary:
-This event is generated when an attempt is made to exploit a
-directory traversal associated with Imail Web Calendaring
-servicel
-
---
-Impact:
-A successful attack can permit a user to navigate outside
-of the web root directory and read files.
-
---
-Detailed Information:
-The Imail Web Calendaring Server does not properly sanitize
-a malformed URL that contains directory traversal characters.
-This vulnerability is associated with static objects identified
-by names ending in .jsp, .jpg, .gif, .wav, .css, or .htm. This
-can permit an unauthorized user to examine files that may contain
-sensitive information.
-
---
-Affected Systems:
-Ipswitch IMail Server 8.2 and prior
-Ipswitch IMail Server 8.15 and prior
-
---
-Attack Scenarios:
-An attacker send a URI containing a directory traversal to view
-sensitive files on a vulnerable server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the most current non-affected version of the product.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-Other:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000143.txt snort-2.9.2/doc/signatures/100000143.txt
--- snort-2.8.5.2/doc/signatures/100000143.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000143.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-100000143
-
---
-Summary:
-This event is generated when an attempt is made to exploit a
-directory traversal associated with Imail Web Calendaring
-servicel
-
---
-Impact:
-A successful attack can permit a user to navigate outside
-of the web root directory and read files.
-
---
-Detailed Information:
-The Imail Web Calendaring Server does not properly sanitize
-a malformed URL that contains directory traversal characters.
-This vulnerability is associated with static objects identified
-by names ending in .jsp, .jpg, .gif, .wav, .css, or .htm. This
-can permit an unauthorized user to examine files that may contain
-sensitive information.
-
---
-Affected Systems:
-Ipswitch IMail Server 8.2 and prior
-Ipswitch IMail Server 8.15 and prior
-
---
-Attack Scenarios:
-An attacker send a URI containing a directory traversal to view
-sensitive files on a vulnerable server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the most current non-affected version of the product.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-Other:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000144.txt snort-2.9.2/doc/signatures/100000144.txt
--- snort-2.8.5.2/doc/signatures/100000144.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000144.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-100000144
-
---
-Summary:
-This event is generated when an attempt is made to exploit a
-directory traversal associated with Imail Web Calendaring
-servicel
-
---
-Impact:
-A successful attack can permit a user to navigate outside
-of the web root directory and read files.
-
---
-Detailed Information:
-The Imail Web Calendaring Server does not properly sanitize
-a malformed URL that contains directory traversal characters.
-This vulnerability is associated with static objects identified
-by names ending in .jsp, .jpg, .gif, .wav, .css, or .htm. This
-can permit an unauthorized user to examine files that may contain
-sensitive information.
-
---
-Affected Systems:
-Ipswitch IMail Server 8.2 and prior
-Ipswitch IMail Server 8.15 and prior
-
---
-Attack Scenarios:
-An attacker send a URI containing a directory traversal to view
-sensitive files on a vulnerable server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the most current non-affected version of the product.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-Other:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000145.txt snort-2.9.2/doc/signatures/100000145.txt
--- snort-2.8.5.2/doc/signatures/100000145.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000145.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-100000145
-
---
-Summary:
-This event is generated when an attempt is made to exploit a
-directory traversal associated with Imail Web Calendaring
-servicel
-
---
-Impact:
-A successful attack can permit a user to navigate outside
-of the web root directory and read files.
-
---
-Detailed Information:
-The Imail Web Calendaring Server does not properly sanitize
-a malformed URL that contains directory traversal characters.
-This vulnerability is associated with static objects identified
-by names ending in .jsp, .jpg, .gif, .wav, .css, or .htm. This
-can permit an unauthorized user to examine files that may contain
-sensitive information.
-
---
-Affected Systems:
-Ipswitch IMail Server 8.2 and prior
-Ipswitch IMail Server 8.15 and prior
-
---
-Attack Scenarios:
-An attacker send a URI containing a directory traversal to view
-sensitive files on a vulnerable server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the most current non-affected version of the product.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-Other:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000146.txt snort-2.9.2/doc/signatures/100000146.txt
--- snort-2.8.5.2/doc/signatures/100000146.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000146.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-100000146
-
---
-Summary:
-This event is generated when an attempt is made to exploit a
-directory traversal associated with Imail Web Calendaring
-servicel
-
---
-Impact:
-A successful attack can permit a user to navigate outside
-of the web root directory and read files.
-
---
-Detailed Information:
-The Imail Web Calendaring Server does not properly sanitize
-a malformed URL that contains directory traversal characters.
-This vulnerability is associated with static objects identified
-by names ending in .jsp, .jpg, .gif, .wav, .css, or .htm. This
-can permit an unauthorized user to examine files that may contain
-sensitive information.
-
---
-Affected Systems:
-Ipswitch IMail Server 8.2 and prior
-Ipswitch IMail Server 8.15 and prior
-
---
-Attack Scenarios:
-An attacker send a URI containing a directory traversal to view
-sensitive files on a vulnerable server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the most current non-affected version of the product.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-Other:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000148.txt snort-2.9.2/doc/signatures/100000148.txt
--- snort-2.8.5.2/doc/signatures/100000148.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000148.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-100000148
-
---
-Summary:
-This event is generated when an attempt is made to perform a directory
-traversal attack against a system running Barracuda Spam Firewall.
-
---
-Impact:
-Serious. Unauthorized remote command execution possibly leading to remote
-access.
-
---
-Detailed Information:
-User supplied data to script parameters are not properly sanitized, this may
-permit an unauthorized attacker to execute commands of their choosing on an
-affected system.
-
-Note:
-In order to utilize this rule, port 8000 must be added to the http_inspect
-configuration in snort.conf.
-
---
-Affected Systems:
-Barracuda Spam Firewall 3.1.17 and prior.
-
---
-Attack Scenarios:
-An attacker can supply commands as parameters to the img.pl script.
-
---
-Ease of Attack:
-Simple, exploit software exists but is not necessary.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000152.txt snort-2.9.2/doc/signatures/100000152.txt
--- snort-2.8.5.2/doc/signatures/100000152.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000152.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000152
-
---
-Summary:
-This event is generated when an attempt is made to exploit a
-buffer overflow associated with MDaemon IMAP authentication
-processing.
-
---
-Impact:
-A successful attack can permit a buffer overflow and the
-subsequent execution of arbitrary code on a vulnerable
-server.
-
---
-Detailed Information:
-The MDaemon IMAP server allows basic authentication to be
-exchanged between the client and server. A vulnerability
-exists allowing an unauthenticated user to cause a buffer
-overflow by crafting an overly long authentication reply
-to a server challenge. This can allow execution of arbitrary
-code on a vulnerable server.
-
---
-Affected Systems:
-Alt-N MDaemon prior to 8.0.4
-
---
-Attack Scenarios:
-An attacker can request IMAP authentication and reply to
-a server challenge with an overly long response, causing
-a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the most current non-affected version of the product.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-Other:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000153.txt snort-2.9.2/doc/signatures/100000153.txt
--- snort-2.8.5.2/doc/signatures/100000153.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000153.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000153
-
---
-Summary:
-This event is generated when an attempt is made to exploit a
-buffer overflow associated with MDaemon IMAP authentication
-processing.
-
---
-Impact:
-A successful attack can permit a buffer overflow and the
-subsequent execution of arbitrary code on a vulnerable
-server.
-
---
-Detailed Information:
-The MDaemon IMAP server allows basic authentication to be
-exchanged between the client and server. A vulnerability
-exists allowing an unauthenticated user to cause a buffer
-overflow by crafting an overly long authentication reply
-to a server challenge. This can allow execution of arbitrary
-code on a vulnerable server.
-
---
-Affected Systems:
-Alt-N MDaemon prior to 8.0.4
-
---
-Attack Scenarios:
-An attacker can request IMAP authentication and reply to
-a server challenge with an overly long response, causing
-a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the most current non-affected version of the product.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-Other:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000154.txt snort-2.9.2/doc/signatures/100000154.txt
--- snort-2.8.5.2/doc/signatures/100000154.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000154.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000154
-
---
-Summary:
-This event is generated when an attempt is made to exploit a
-buffer overflow associated with MDaemon IMAP authentication
-processing.
-
---
-Impact:
-A successful attack can permit a buffer overflow and the
-subsequent execution of arbitrary code on a vulnerable
-server.
-
---
-Detailed Information:
-The MDaemon IMAP server allows basic authentication to be
-exchanged between the client and server. A vulnerability
-exists allowing an unauthenticated user to cause a buffer
-overflow by crafting an overly long authentication reply
-to a server challenge. This can allow execution of arbitrary
-code on a vulnerable server.
-
---
-Affected Systems:
-Alt-N MDaemon prior to 8.0.4
-
---
-Attack Scenarios:
-An attacker can request IMAP authentication and reply to
-a server challenge with an overly long response, causing
-a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the most current non-affected version of the product.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-Other:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000155.txt snort-2.9.2/doc/signatures/100000155.txt
--- snort-2.8.5.2/doc/signatures/100000155.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000155.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000155
-
---
-Summary:
-This event is generated when an attempt is made to exploit a
-buffer overflow associated with MDaemon IMAP authentication
-processing.
-
---
-Impact:
-A successful attack can permit a buffer overflow and the
-subsequent execution of arbitrary code on a vulnerable
-server.
-
---
-Detailed Information:
-The MDaemon IMAP server allows basic authentication to be
-exchanged between the client and server. A vulnerability
-exists allowing an unauthenticated user to cause a buffer
-overflow by crafting an overly long authentication reply
-to a server challenge. This can allow execution of arbitrary
-code on a vulnerable server.
-
---
-Affected Systems:
-Alt-N MDaemon prior to 8.0.4
-
---
-Attack Scenarios:
-An attacker can request IMAP authentication and reply to
-a server challenge with an overly long response, causing
-a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the most current non-affected version of the product.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-Other:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000158.txt snort-2.9.2/doc/signatures/100000158.txt
--- snort-2.8.5.2/doc/signatures/100000158.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000158.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000158
-
---
-Summary:
-This event is generated when an abnormally larger number of SIP INVITE messages
-is received in a short time frame.
-
---
-Impact:
-This can be an indication of a denial of service attack in progress, or simply
-a poorly configured or implemented user agent.
-
---
-Detailed Information:
-This rule is used to detect overly large numbers of SIP INVITE messages coming
-into hosts on an internal network, which may indicate a denial of service
-attack in progress. Since this traffic could also be the the result of a poorly
-configured user agent, or simply a very busy SIP proxy, careful analysis of
-both the hosts receiving and sending this traffic is required before
-determining that an attack has actually taken place.
-
---
-Affected Systems:
-Any which implement the SIP protocol.
-
---
-Attack Scenarios:
-An attacker could use a script to flood a system with INVITE messages, causing
-a denial of service.
-
---
-Ease of Attack:
-Simple, as SIP is a public, well-documented protocol.
-
---
-False Positives:
-Known SIP proxies may receive a high volume of legitimate INVITE requests, and
-NAT devices may appear to be sending a larger number of INVITE requests than a
-regular host. It is recommended that users whitelist known SIP proxies and NAT
-devices.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Use a firewall or other access-restriction device to block unwanted messages at
-your network's border.
-
---
-Contributors:
-Jiri Markl
-Sourcefire Research Team
-
---
-Additional References
-Other:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000159.txt snort-2.9.2/doc/signatures/100000159.txt
--- snort-2.8.5.2/doc/signatures/100000159.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000159.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000159
-
---
-Summary:
-This event is generated when an abnormally larger number of SIP REGISTER
-messages is received in a short time frame.
-
---
-Impact:
-This can be an indication of a denial of service attack in progress, or simply
-a poorly configured or implemented user agent.
-
---
-Detailed Information:
-This rule is used to detect overly large numbers of SIP REGISTER messages
-coming into hosts on an internal network, which may indicate a denial of
-service attack in progress. Since this traffic could also be the the result of
-a poorly configured user agent, or simply a very busy SIP proxy, careful
-analysis of both the hosts receiving and sending this traffic is required
-before determining that an attack has actually taken place.
-
---
-Affected Systems:
-Any which implement the SIP protocol.
-
---
-Attack Scenarios:
-An attacker could use a script to flood a system with REGISTER messages,
-causing a denial of service.
-
---
-Ease of Attack:
-Simple, as SIP is a public, well-documented protocol.
-
---
-False Positives:
-Known SIP proxies may receive a high volume of legitimate REGISTER requests,
-and NAT devices may appear to be sending a larger number of REGISTER requests
-than a regular host. It is recommended that users whitelist known SIP proxies
-and NAT devices.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Use a firewall or other access-restriction device to block unwanted messages at
-your network's border.
-
---
-Contributors:
-Jiri Markl
-Sourcefire Research Team
-
---
-Additional References
-Other:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000160.txt snort-2.9.2/doc/signatures/100000160.txt
--- snort-2.8.5.2/doc/signatures/100000160.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000160.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-100000160
-
---
-Summary:
-This event is generated when an abnormally larger number of packets are
-received from a single source by an SIP-enabled host in a short period of time.
-
---
-Impact:
-This can be an indication of a denial of service attack in progress.
-
---
-Detailed Information:
-This rule is designed to detect overly large amounts of traffic coming from a
-single host to the SIP port on an internal host, as it is possible to cause a
-denial of service by sending a large number of packets with invalid data.
-
---
-Affected Systems:
-Any which implement the SIP protocol.
-
---
-Attack Scenarios:
-An attacker could use a script to flood a system with invalid messages, causing
-a denial of service.
-
---
-Ease of Attack:
-Simple, as it is trivial to write a script to generate random data.
-
---
-False Positives:
-Known SIP proxies may receive a high volume of legitimate data, and NAT devices
-may appear to be sending a larger amount of data than a regular host. It is
-recommended that users whitelist known SIP proxies and NAT devices.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Use a firewall or other access-restriction device to block unwanted messages at
-your network's border.
-
---
-Contributors:
-Jiri Markl
-Sourcefire Research Team
-
---
-Additional References
-Other:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000161.txt snort-2.9.2/doc/signatures/100000161.txt
--- snort-2.8.5.2/doc/signatures/100000161.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000161.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-100000161
-
---
-Summary:
-This event is generated when an abnormally larger number of unresolvable DNS
-queries are generated by a particular host.
-
---
-Impact:
-This can be an indication of a denial of service attack in progress.
-
---
-Detailed Information:
-Since SIP systems can be overwhelmed by being forced to deal with an overly
-large number of invalid hostnames, this rule is designed to detect such attacks
-by searching for large volumes of DNS responses which contain the message "No
-such name".
-
---
-Affected Systems:
-Any which implement the SIP protocol.
-
---
-Attack Scenarios:
-An attacker could use a script to flood a system with requests from invalid
-hosts, causing a denial of service.
-
---
-Ease of Attack:
-Simple, as it is trivial to write a script to generate requests with invalid
-hostnames.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Use a firewall or other access-restriction device to block unwanted messages at
-your network's border.
-
---
-Contributors:
-Jiri Markl
-Sourcefire Research Team
-
---
-Additional References
-Other:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000162.txt snort-2.9.2/doc/signatures/100000162.txt
--- snort-2.8.5.2/doc/signatures/100000162.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000162.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-100000162
-
---
-Summary:
-This event is generated when an abnormally larger number of 401 Unauthorized
-messages are returned by an SIP-enabled host.
-
---
-Impact:
-This can be an indication of either a brute force authentication attack or a
-denial of service in progress.
-
---
-Detailed Information:
-When a user attempts to send a REGISTER message with invalid credentials, a SIP
-server returns a 401 Unauthorized message. A high volume of these may indicate
-that an authentication attack, likely brute-force style, or a denial of service
-is in progress.
-
---
-Affected Systems:
-Any which implement the SIP protocol.
-
---
-Attack Scenarios:
-An attacker could use a script to attempt a brute-force authentication attack
-or a denial of service.
-
---
-Ease of Attack:
-Simple, as it is easy to write a script to cycle through all possible
-authentication values or to simply flood a system with unauthorized data.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Use a firewall or other access-restriction device to block unwanted messages at
-your network's border.
-
---
-Contributors:
-Jiri Markl
-Sourcefire Research Team
-
---
-Additional References
-Other:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000163.txt snort-2.9.2/doc/signatures/100000163.txt
--- snort-2.8.5.2/doc/signatures/100000163.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000163.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-100000163
-
---
-Summary:
-This event is generated when an abnormally larger number of 407 Proxy
-Authentication Required messages are returned by an SIP-enabled host.
-
---
-Impact:
-This can be an indication of either a brute force authentication attack or a
-denial of service in progress.
-
---
-Detailed Information:
-When a user attempts to send an INVITE message with invalid credentials, a SIP
-server returns a 401 Proxy Authentication Required message. A high volume of
-these may indicate that an authentication attack, likely brute-force style, or
-a denial of service is in progress.
-
---
-Affected Systems:
-Any which implement the SIP protocol.
-
---
-Attack Scenarios:
-An attacker could use a script to attempt a brute-force authentication attack
-or a denial of service.
-
---
-Ease of Attack:
-Simple, as it is easy to write a script to cycle through all possible
-authentication values or to simply flood a system with unauthorized data.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Use a firewall or other access-restriction device to block unwanted messages at
-your network's border.
-
---
-Contributors:
-Jiri Markl
-Sourcefire Research Team
-
---
-Additional References
-Other:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000164.txt snort-2.9.2/doc/signatures/100000164.txt
--- snort-2.8.5.2/doc/signatures/100000164.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000164.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-100000164
-
---
-Summary:
-This event is generated when an ICMP packet crafted to exploit a denial of
-service vulnerability in the Linux kernel is detected.
-
---
-Impact:
-A denial of service will be caused against vulnerable hosts. If an attacker
-sends a continuous stream of such packets, the host can be prevented from
-functioning properly for a prolonged period of time.
-
---
-Detailed Information:
-Linux kernel versions below 2.6.13 contain a flaw which will result in a null
-pointer dereference when processing ICMP packets that contain invalid SCTP
-data. In order to be vulnerable, a host must have SCTP enabled.
-
---
-Affected Systems:
-Any Linux system with a kernel version < 2.6.13 with SCTP enabled.
-
---
-Attack Scenarios:
-An attacker could use a script to send malformed packets to a vulnerable host.
-
---
-Ease of Attack:
-Simple, as a publicly available exploit script exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade Linux systems' kernel to version 2.6.13 or higher. Alternately, disable
-SCTP or use a firewall to block ICMP traffic at your network's border.
-
---
-Contributors:
-rmkml
-Sourcefire Research Team
-
---
-Additional References
-Other:
-http://oss.sgi.com/projects/netdev/archive/2005-07/msg00142.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000165.txt snort-2.9.2/doc/signatures/100000165.txt
--- snort-2.8.5.2/doc/signatures/100000165.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000165.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-100000165
-
---
-Summary:
-This event is generated when an overly large UDP packet is sent to port 5093,
-where the Sentinel License Manager service typically listens.
-
---
-Impact:
-A denial of service will occur, and arbitrary code may be executed with the
-privileges of the user running the service.
-
---
-Detailed Information:
-A stack-based buffer overflow exists within the Sentinel License Manager, which
-will be triggered if 2048 or more characters are received by the service.
-Authentication is not required, and no specific characters need be present in
-malicious packets in order to trigger the vulnerability.
-
---
-Affected Systems:
-SafeNet Sentinel License Manager 7.2.0.2
-
---
-Attack Scenarios:
-An attacker could use one of the publicly available exploit scripts, or create
-a script which simply sends 2048 or more random characters to a vulnerable
-server.
-
---
-Ease of Attack:
-Simple, as public exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to version 8.0 or above.
-
---
-Contributors:
-rmkml
-Sourcefire Research Team
-
---
-Additional References
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000166.txt snort-2.9.2/doc/signatures/100000166.txt
--- snort-2.8.5.2/doc/signatures/100000166.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000166.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000166
-
---
-Summary:
-This event is generated when a command is sent to an Oracle isqlplus instance
-which contains a command to halt the Oracle TNS listener service.
-
---
-Impact:
-Vulnerable Oracle servers may shut down their TNS listener service upon receipt
-of this command, making the database unavailable for normal use until it is
-restarted.
-
---
-Detailed Information:
-iSQLPlus is a web interface to the Oracle SQLPlus system. A wide range of
-commands may be sent to an Oracle server via this interface, including
-administrative commands. If a request is sent which contains a command to halt
-the TNS listener service, vulnerable versions of Oracle will execute the
-command, halting the service and denying service to legitimate users until the
-service is restarted.
-
---
-Affected Systems:
-Oracle 9i Standard Edition 9.0.2.4
-Oracle 9i Personal Edition 9.0.2.4
-Oracle 9i Enterprise Edition 9.0.2.4
-
---
-Attack Scenarios:
-A web browser may be used to exploit this vulnerability.
-
---
-Ease of Attack:
-Simple, as a publicly available exploit exists which may be executed via a web
-browser.
-
---
-False Positives:
-Any time an authorized administrator chooses to shut down the TNS listener
-service via the iSQLPlus interface.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the Oracle Critical Patch Update from July 2005, available at
-http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html.
-
---
-Contributors:
-rmkml
-Sourcefire Research Team
-
---
-Additional References
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000167.txt snort-2.9.2/doc/signatures/100000167.txt
--- snort-2.8.5.2/doc/signatures/100000167.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000167.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-100000167
-
---
-Summary:
-The password-cracking tool Hydra has been detected in SMTP traffic.
-
---
-Impact:
-An attacker may be attempting to break into one or more mail servers monitored
-by Snort via a brute-force password attack. If successful, the attacker may
-gain unauthorized access to internal networks.
-
---
-Detailed Information:
-Hydra is a password-cracking tool released by a group of security experts
-called THC, "The Hacker's Choice." When connecting to a mail server, it will
-begin communications by sending either "HELO hydra" or "EHLO hydra", depending
-upon the commands accepted by the remote server. Since a valid HELO or EHLO
-command will contain the domain name of the system mail is being sent from, the
-presence of either of these strings indicates that the Hydra tool is likely
-being used.
-
---
-Affected Systems:
-Any system running a mail server.
-
---
-Attack Scenarios:
-Attackers will use the Hydra password-cracking tool.
-
---
-Ease of Attack:
-Simple, as the program is publicly available and is well-documented.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Check system logs and Snort alert logs for suspicious activity, particularly
-unusual logons. Ensure that secure passwords are being used throughout your
-network.
-
---
-Contributors:
-rmkml
-Sourcefire Research Team
-
---
-Additional References
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000168.txt snort-2.9.2/doc/signatures/100000168.txt
--- snort-2.8.5.2/doc/signatures/100000168.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000168.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-100000168
-
---
-Summary:
-The password-cracking tool Hydra has been detected in HTTP traffic.
-
---
-Impact:
-An attacker may be attempting to break into one or more web servers monitored
-by Snort via a brute-force password attack. If successful, the attacker may
-gain unauthorized access to internal networks.
-
---
-Detailed Information:
-Hydra is a password-cracking tool released by a group of security experts
-called THC, "The Hacker's Choice." Requests sent by this tool to a web server
-contain the User-Agent string "Mozilla/4.0 (Hydra)". Since normal browsers'
-User-Agent strings do not contain the string "(Hydra)", the presence of this
-string indicates that the Hydra tool is likely being used.
-
---
-Affected Systems:
-Any system running a web server.
-
---
-Attack Scenarios:
-Attackers will use the Hydra password-cracking tool.
-
---
-Ease of Attack:
-Simple, as the program is publicly available and is well-documented.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Check system logs and Snort alert logs for suspicious activity, particularly
-unusual logons. Ensure that secure passwords are being used throughout your
-network.
-
---
-Contributors:
-rmkml
-Sourcefire Research Team
-
---
-Additional References
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000169.txt snort-2.9.2/doc/signatures/100000169.txt
--- snort-2.8.5.2/doc/signatures/100000169.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000169.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-100000169
-
---
-Summary:
-The application fingerprinting tool Amap has been detected in HTTP traffic.
-
---
-Impact:
-An attacker may be attempting to gather information about services on a
-monitored network, in order to discover vulnerabilities in those services.
-
---
-Detailed Information:
-Amap is an application fingerprinting tool released by a group of security
-experts called THC, "The Hacker's Choice"; it is designed to identify services
-reliably irrespective of the port they are run on. Amap functions by sending
-"triggers" to open ports on a remote system which are designed to elicit a
-response from a particular service. This rule is designed to detect the SSL
-trigger sent by the program.
-
---
-Affected Systems:
-Any system running an SSL-enabled web server.
-
---
-Attack Scenarios:
-Attackers will use the Amap application fingerprinting tool.
-
---
-Ease of Attack:
-Simple, as the program is publicly available and is well-documented.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Check system logs and Snort alert logs for suspicious activity.
-
---
-Contributors:
-rmkml
-Sourcefire Research Team
-
---
-Additional References
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000170.txt snort-2.9.2/doc/signatures/100000170.txt
--- snort-2.8.5.2/doc/signatures/100000170.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000170.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-100000170
-
---
-Summary:
-This event is generated when an overly long Host: parameter is sent in an HTTP
-request, which will cause a buffer overflow to occur in the GFI MailSecurity
-for Exchange/SMTP web interface.
-
---
-Impact:
-A denial of service will occur in the vulnerable application, and remote code
-may be executed with the priviliges of the user running the application.
-
---
-Detailed Information:
-GFI MailSecurity for Exchange/SMTP is an anti-virus program that integrates
-with Microsoft Exchange servers. Its web interface is vulnerable to a buffer
-overflow attack, which may be triggered by sending a Host: parameter of 100 or
-more bytes in an HTTP request. Vulnerable versions of the application will
-crash, and code may be executed with the priviliges of the user running the
-program.
-
---
-Affected Systems:
-GFI MailSecurity for Exchange/SMTP 8.1
-
---
-Attack Scenarios:
-Attackers will likley exploit this with a script.
-
---
-Ease of Attack:
-Simple, as no authentication is required, and HTTP is a well-documented
-protocol, which allows for easy creation of malicious packets.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Download and apply the patch referenced below.
-
---
-Contributors:
-rmkml
-Sourcefire Research Team
-
---
-Additional References
-ftp://ftp.gfi.com/patches/MSEC8_PATCH_20050919_01.zip
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000171.txt snort-2.9.2/doc/signatures/100000171.txt
--- snort-2.8.5.2/doc/signatures/100000171.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000171.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-100000171
-
---
-Summary:
-This event is generated when an overly long Accept: parameter is sent in an
-HTTP request, which will cause a buffer overflow to occur in the GFI
-MailSecurity for Exchange/SMTP web interface.
-
---
-Impact:
-A denial of service will occur in the vulnerable application, and remote code
-may be executed with the priviliges of the user running the application.
-
---
-Detailed Information:
-GFI MailSecurity for Exchange/SMTP is an anti-virus program that integrates
-with Microsoft Exchange servers. Its web interface is vulnerable to a buffer
-overflow attack, which may be triggered by sending a Accept: parameter of 100
-or more bytes in an HTTP request. Vulnerable versions of the application will
-crash, and code may be executed with the priviliges of the user running the
-program.
-
---
-Affected Systems:
-GFI MailSecurity for Exchange/SMTP 8.1
-
---
-Attack Scenarios:
-Attackers will likley exploit this with a script.
-
---
-Ease of Attack:
-Simple, as no authentication is required, and HTTP is a well-documented
-protocol, which allows for easy creation of malicious packets.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Download and apply the patch referenced below.
-
---
-Contributors:
-rmkml
-Sourcefire Research Team
-
---
-Additional References
-ftp://ftp.gfi.com/patches/MSEC8_PATCH_20050919_01.zip
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000172.txt snort-2.9.2/doc/signatures/100000172.txt
--- snort-2.8.5.2/doc/signatures/100000172.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000172.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-100000172
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Lynx text-based web browser.
-
---
-Impact:
-Code execution on the victim machine with the privileges of the user running
-Lynx.
-
---
-Detailed Information:
-A vulnerability exists in the way that Lynx handles links when browsing NNTP
-resources. The function that handles the display of information from article
-headers when listing available files on the server, inserts extra characters to
-handle certain character sets. This function does not properly check how much
-extra data is inserted and it is possible to overflow a static buffer and
-execute code in the context of the browser process.
-
---
-Affected Systems:
-Lynx versions 2.8.6 and prior
-
---
-Attack Scenarios:
-An attacker would need to supply a malicious link on an nntp server to the user
-using Lynx.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Apply the appropriate patch.
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Original Rule writer rmkml
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
-Original advisory posting:
-http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038019.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000173.txt snort-2.9.2/doc/signatures/100000173.txt
--- snort-2.8.5.2/doc/signatures/100000173.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000173.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-100000173
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in RSA Security RSA Authentication Agent For Web.
-
---
-Impact:
-Cross site scripting leading to possible inclusion of code of the attackers
-choosing.
-
---
-Detailed Information:
-A vulnerability exists in RSA Security RSA Authentication Agent For Web that
-may allow an attacker to include code of their choosing due to the improper
-checking of user supplied input.
-
---
-Affected Systems:
-RSA Security RSA Authentication Agent For Web 5.2
-
---
-Attack Scenarios:
-An attacker can supply a link to include code of their choosing in data
-supplied to RSA Security RSA Authentication Agent For Web.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Original Rule writer rmkml
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000174.txt snort-2.9.2/doc/signatures/100000174.txt
--- snort-2.8.5.2/doc/signatures/100000174.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000174.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-100000174
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in RSA Security RSA Authentication Agent For Web.
-
---
-Impact:
-Cross site scripting leading to possible inclusion of code of the attackers
-choosing.
-
---
-Detailed Information:
-A vulnerability exists in RSA Security RSA Authentication Agent For Web that
-may allow an attacker to include code of their choosing due to the improper
-checking of user supplied input.
-
---
-Affected Systems:
-RSA Security RSA Authentication Agent For Web 5.2
-
---
-Attack Scenarios:
-An attacker can supply a link to include code of their choosing in data
-supplied to RSA Security RSA Authentication Agent For Web.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Original Rule writer rmkml
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000175.txt snort-2.9.2/doc/signatures/100000175.txt
--- snort-2.8.5.2/doc/signatures/100000175.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000175.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-100000175
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow
-vulnerability present in the Ethereal protocol analyzer's SLIMP3 decoder.
-
---
-
-Impact:
-By sending a properly crafted UDP packet, attackers may execute arbitrary code
-of
-their choosing with the privileges of the user running the affected software.
-
---
-Detailed Information:
-This rule detects attempts to overflow a vulnerable buffer in the Ethereal
-protocol analyzer's SLIMP3 decoder. It is specifically designed to search for
-the payload present in a publicly circulating exploit.
-
---
-Affected Systems:
-Ethereal 0.10.12 and below
-
---
-
-Attack Scenarios:
-An automated script may be used to exploit this vulnerability.
-
---
-
-Ease of Attack:
-Simple, as an exploit is publicly available.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-Other payloads which will overflow this buffer may be missed.
-
---
-
-Corrective Action:
-Upgrade to Ethereal 0.10.13 or higher.
-
---
-Contributors:
-rmkml
-
---
-Additional References:
-http://www.frsirt.com/english/advisories/2005/2148
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000176.txt snort-2.9.2/doc/signatures/100000176.txt
--- snort-2.8.5.2/doc/signatures/100000176.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000176.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-100000176
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the lpd service for HP-UX.
-
---
-Impact:
-Denial of Service (DoS). Possible code execution.
-
---
-Detailed Information:
-A vulnerability exists in the lpd service for HP-UX systems. An unauthenticated
-attacker may issue a DoS attack on the victim lpd by sending malformed data to
-the lpd service and attempting to overflow a fixed length buffer. It may also
-be possible for an attacker to execute code of their choosing in the context of
-the user running lpd.
-
---
-Affected Systems:
-HP-UX 10.20
-HP-UX B11.10 and B11.11
-
---
-Attack Scenarios:
-An attacker can supply a malformed request to the lpd service on the victim
-host that may leave the service unresponsive.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Original Rule writer rmkml
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000177.txt snort-2.9.2/doc/signatures/100000177.txt
--- snort-2.8.5.2/doc/signatures/100000177.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000177.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000177
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Linksys WRT54G wireless router.
-
---
-Impact:
-Unauthorized administrative access to the router and it's configuration.
-
---
-Detailed Information:
-A vulnerability exists in the Linksys WRT54G wireless router that may present
-an attacker with the opportunity to take control of the victim hardware via a
-POST request to the web interface.
-
-This is due to the apply.cgi script not performing proper checks on user
-supplied input that may allow the attacker to overflow a fixed length buffer
-and execute code of their choosing.
-
---
-Affected Systems:
-Linksys WRT54G Wireless Router firmware 4.0.4.20.6 and prior
-
---
-Attack Scenarios:
-An attacker can supply a malformed POST request to the apply.cgi script on an
-affected piece of hardware.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied firmware upgrade.
-
---
-Contributors:
-Original Rule writer rmkml
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000178.txt snort-2.9.2/doc/signatures/100000178.txt
--- snort-2.8.5.2/doc/signatures/100000178.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000178.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-100000178
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Hasbani Web server.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the Hasbani web server that may allow an attacker to
-initiate a DoS condition on the server. Poor programming in the web server may
-result in the server entering an endless loop when processing malformed GET
-requests. This can lead to an exhaustion of system resources and a DoS
-condition.
-
---
-Affected Systems:
-Hasbani web server 2.0
-
---
-Attack Scenarios:
-An attacker can supply a malformed GET request to the web server to cause the
-DoS. Alternately, exploit code exists for this vulnerability.
-
---
-Ease of Attack:
-Simple. Exploits exists.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Use Apache.
-
---
-Contributors:
-Original Rule writer rmkml
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000179.txt snort-2.9.2/doc/signatures/100000179.txt
--- snort-2.8.5.2/doc/signatures/100000179.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000179.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-100000179
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server using the TRACE command. In this case, the attack
-is aimed at the Solaris Management Console Java Web Interface.
-
---
-Impact:
-Possible disclosure of information.
-
---
-Detailed Information:
-The TRACE method is used when debugging a webserver to ensure that server
-returns information to the client correctly. When used with other
-vulnerabilities it is possible to use the TRACE method to return sensitive
-information from a webserver such as authentication data and cookies.
-
-This is known as a Cross Site Tracing (XST) attack.
-
-Note: Users who are using sid 2056 with the HTTP_PORTS variable set to 898 do
-not need to use this rule.
-
---
-Affected Systems:
-All platforms running a webserver that responds to the TRACE method.
-
---
-Attack Scenarios:
-The attacker needs to perform a TRACE request to a vulnerable server.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-The TRACE method is legitimate and may be used to debug a webserver or can be
-used to debug other networking equipment.
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disable the webserver from responding to TRACE requests.
-
---
-Contributors:
-Sid 2056 modification suggested by rmkml
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-RFC:
-http://www.ietf.org/rfc/rfc2616.txt
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000226.txt snort-2.9.2/doc/signatures/100000226.txt
--- snort-2.8.5.2/doc/signatures/100000226.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000226.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-100000226
-
---
-Summary:
-This event is generated when a host connected to the Internet is first infected
-with the BlackWorm/Nyxem virus.
-
---
-Impact:
-The system generating the alert has likely been infected with the
-BlackWorm/Nyxem virus.
-
---
-Detailed Information:
-When a system is first infected with the BlackWorm/Nyxem virus, the malicious
-program attempts to access
-http://207.172.16.155/cgi-bin/Count.cgi?df=76547 in order to report a
-successful installation. Numerous sources, including the Sourcefire VRT, have
-confirmed that this URL is static.
-
---
-Affected Systems:
-All Windows systems.
-
---
-Attack Scenarios:
-The virus may arrive by e-mail, in which case a user must execute the file in
-order to be infected. Once infected, hosts conduct NetBIOS scans and attempt to
-infect other hosts via publicly accessible shares; in this method, no user
-interaction is required.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-Any user who directs a web browser to
-http://207.172.16.155/cgi-bin/Count.cgi?df=76547 will trigger this rule.
-
---
-False Negatives:
-Hosts without Internet access which become infected (i.e. by another infected
-system on their local network) will not trigger this rule until they connect to
-the Internet, as they will be unable toaccess this web page.
-
---
-Corrective Action:
-Several antivirus vendors have detection and removal capabilities.
-Additionally, Microsoft has detailed instructions for manual removal on their
-web site.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matthew Watchinski
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000315.txt snort-2.9.2/doc/signatures/100000315.txt
--- snort-2.8.5.2/doc/signatures/100000315.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000315.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-100000315
-
---
-Summary:
-This event is generated when an HTTP client issues a PUT request to upload
-a document into the web content area.
-
---
-Impact:
-The PUT method is a legitimate HTTP command that allows an authorized user
-to upload a document into the web content tree. It is most often associated
-with the WebDAV content management protocol.
-
-Although there are some legitimate uses for the PUT method, it is also a
-frequent source of web site defacement, as attackers can easily abuse
-misconfigured web servers that allow unrestricted PUT functionality from
-arbitrary users.
-
---
-Detailed Information:
-The rule searches for HTTP requests using the PUT method, and tracks
-these sessions. The rule is intended to be used with SID 100000316 to
-track successful PUT requests, which may represent successful defacement
-attacks, instead of all PUT requests.
-
-Administrators who wish to track all PUT requests (successful or not) should
-remove the "flowbits:noalert;" section of this rule.
-
---
-Affected Systems:
-Any web server
-
---
-Attack Scenarios:
-An attacker can issue a PUT reuqest via a script, many different pieces of
-software, or through a manual connection to any web server port.
-
---
-Ease of Attack:
-Simple. Numerous tools exist for creating PUT requests, including some geared
-specifically towards web site defacement.
-
---
-False Positives:
-Organizations that use WebDAV to manage their web content may experience
-false positives, as the PUT method is a normal part of the WebDAV protocol.
-Additionally, any other legitimate web applications which use the PUT method
-will generate false positives.
-
---
-False Negatives:
-None
-
---
-Corrective Action:
-In cases of web site defacement, delete the newly-created file(s) and/or
-restore them from a reliable backup. In all cases, be sure to tune web server
-configuration to allow PUT requests only where necessary for a legitimate web
-application to function.
-
---
-Contributors:
-David J. Bianco,
-
---
-Additional References:
-http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.6
diff -Nru snort-2.8.5.2/doc/signatures/100000316.txt snort-2.9.2/doc/signatures/100000316.txt
--- snort-2.8.5.2/doc/signatures/100000316.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000316.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-100000315
-
---
-Summary:
-This event is generated when an HTTP server issues a successful status
-code in response to a request to update a web document via the PUT method.
-
---
-Impact:
-The PUT method is a legitimate HTTP command that allows an authorized user
-to upload a document into the web content tree. It is most often associated
-with the WebDAV content management protocol.
-
-Although there are some legitimate uses for the PUT method, it is also a
-frequent source of web site defacement, as attackers can easily abuse
-misconfigured web servers that allow unrestricted PUT functionality from
-arbitrary users.
-
---
-Detailed Information:
-The rule searches for replies to HTTP PUT requests which indicate success.
-When a successful reply is seen, it implies that the web content area has
-been modified, which may be an indicaton that the web site has been
-defaced.
-
-This rule is intended to be used with another SID 100000315, which detects
-HTTP PUT requests.
-
---
-Affected Systems:
-Any web server
-
---
-Attack Scenarios:
-An attacker can issue a PUT reuqest via a script, many different pieces of
-software, or through a manual connection to any web server port.
-
---
-Ease of Attack:
-Simple. Numerous tools exist for creating PUT requests, including some geared
-specifically towards web site defacement.
-
---
-False Positives:
-Organizations that use WebDAV to manage their web content may experience
-false positives, as the PUT method is a normal part of the WebDAV protocol.
-Additionally, any other legitimate web applications which use the PUT method
-will generate false positives.
-
---
-False Negatives:
-None
-
---
-Corrective Action:
-In cases of web site defacement, delete the newly-created file(s) and/or
-restore them from a reliable backup. In all cases, be sure to tune web server
-configuration to allow PUT requests only where necessary for a legitimate web
-application to function.
-
---
-Contributors:
-David J. Bianco,
-
---
-Additional References:
-http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.6
diff -Nru snort-2.8.5.2/doc/signatures/100000317.txt snort-2.9.2/doc/signatures/100000317.txt
--- snort-2.8.5.2/doc/signatures/100000317.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000317.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,76 +0,0 @@
-Rule:
-
---
-Sid:
-100000317
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "phpBazar" application running on a webserver.
-Access to the file "classified_right.php" using a remote file being passed as
-the "language_dir" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "language_dir" parameter in the "classified_right.php"
-script used by the "phpBazar" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpBazar
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000318.txt snort-2.9.2/doc/signatures/100000318.txt
--- snort-2.8.5.2/doc/signatures/100000318.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000318.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,78 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000318
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "phpBazar" application running on a webserver.
-Access to the file "admin.php" using a remote file being passed as the
-"action=edit_member&value=1" parameter may indicate that an exploitation
-attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "action=edit_member&value=1" parameter in the
-"admin.php" script used by the "phpBazar" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpBazar
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000319.txt snort-2.9.2/doc/signatures/100000319.txt
--- snort-2.8.5.2/doc/signatures/100000319.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000319.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,78 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000319
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "ActualScripts" application running on a
-webserver. Access to the file "direct.php" using a remote file being passed as
-the "rf" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "rf" parameter in the "direct.php" script used by the
-"ActualScripts" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using ActualScripts
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000320.txt snort-2.9.2/doc/signatures/100000320.txt
--- snort-2.8.5.2/doc/signatures/100000320.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000320.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,78 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000320
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "ScozNet ScozNews" application running on a
-webserver. Access to the file "functions.php" using a remote file being passed
-as the "main_path" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "main_path" parameter in the "functions.php" script used
-by the "ScozNet ScozNews" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using ScozNet ScozNews
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000321.txt snort-2.9.2/doc/signatures/100000321.txt
--- snort-2.8.5.2/doc/signatures/100000321.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000321.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,78 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000321
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "ScozNet ScozNews" application running on a
-webserver. Access to the file "help.php" using a remote file being passed as
-the "main_path" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "main_path" parameter in the "help.php" script used by
-the "ScozNet ScozNews" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using ScozNet ScozNews
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000322.txt snort-2.9.2/doc/signatures/100000322.txt
--- snort-2.8.5.2/doc/signatures/100000322.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000322.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,78 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000322
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "ScozNet ScozNews" application running on a
-webserver. Access to the file "mail.php" using a remote file being passed as
-the "main_path" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "main_path" parameter in the "mail.php" script used by
-the "ScozNet ScozNews" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using ScozNet ScozNews
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000323.txt snort-2.9.2/doc/signatures/100000323.txt
--- snort-2.8.5.2/doc/signatures/100000323.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000323.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,78 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000323
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "ScozNet ScozNews" application running on a
-webserver. Access to the file "news.php" using a remote file being passed as
-the "main_path" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "main_path" parameter in the "news.php" script used by
-the "ScozNet ScozNews" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using ScozNet ScozNews
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000324.txt snort-2.9.2/doc/signatures/100000324.txt
--- snort-2.8.5.2/doc/signatures/100000324.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000324.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,78 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000324
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "ScozNet ScozNews" application running on a
-webserver. Access to the file "template.php" using a remote file being passed
-as the "main_path" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "main_path" parameter in the "template.php" script used
-by the "ScozNet ScozNews" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using ScozNet ScozNews
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000325.txt snort-2.9.2/doc/signatures/100000325.txt
--- snort-2.8.5.2/doc/signatures/100000325.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000325.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000325
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "ScozNet ScozNews" application running on a webserver. Access to the file "admin_cats.php" using a remote file being passed as the "main_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "main_path" parameter in the "admin_cats.php" script used by the "ScozNet ScozNews" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using ScozNet ScozNews
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000326.txt snort-2.9.2/doc/signatures/100000326.txt
--- snort-2.8.5.2/doc/signatures/100000326.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000326.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000326
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "ScozNet ScozNews" application running on a webserver. Access to the file "admin_edit.php" using a remote file being passed as the "main_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "main_path" parameter in the "admin_edit.php" script used by the "ScozNet ScozNews" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using ScozNet ScozNews
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000327.txt snort-2.9.2/doc/signatures/100000327.txt
--- snort-2.8.5.2/doc/signatures/100000327.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000327.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000327
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "ScozNet ScozNews" application running on a webserver. Access to the file "admin_import.php" using a remote file being passed as the "main_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "main_path" parameter in the "admin_import.php" script used by the "ScozNet ScozNews" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using ScozNet ScozNews
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000328.txt snort-2.9.2/doc/signatures/100000328.txt
--- snort-2.8.5.2/doc/signatures/100000328.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000328.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000328
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "ScozNet ScozNews" application running on a webserver. Access to the file "admin_templates.php" using a remote file being passed as the "main_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "main_path" parameter in the "admin_templates.php" script used by the "ScozNet ScozNews" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using ScozNet ScozNews
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000329.txt snort-2.9.2/doc/signatures/100000329.txt
--- snort-2.8.5.2/doc/signatures/100000329.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000329.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000329
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Invision Power Board" application running on a webserver. Access to the file "class_post.php" using a remote file being passed as the "post_icon" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "post_icon" parameter in the "class_post.php" script used by the "Invision Power Board" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Invision Power Board
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000330.txt snort-2.9.2/doc/signatures/100000330.txt
--- snort-2.8.5.2/doc/signatures/100000330.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000330.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000330
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Invision Power Board" application running on a webserver. Access to the file "moderate.php" using a remote file being passed as the "df" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "df" parameter in the "moderate.php" script used by the "Invision Power Board" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Invision Power Board
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000331.txt snort-2.9.2/doc/signatures/100000331.txt
--- snort-2.8.5.2/doc/signatures/100000331.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000331.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000331
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "ZixForum" application running on a webserver. Access to the file "settings.asp" using a remote file being passed as the "layid" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "layid" parameter in the "settings.asp" script used by the "ZixForum" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using ZixForum
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000332.txt snort-2.9.2/doc/signatures/100000332.txt
--- snort-2.8.5.2/doc/signatures/100000332.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000332.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000332
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Artmedic Newsletter" application running on a webserver. Access to the file "log.php" using a remote file being passed as the "email" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "email" parameter in the "log.php" script used by the "Artmedic Newsletter" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Artmedic Newsletter
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000333.txt snort-2.9.2/doc/signatures/100000333.txt
--- snort-2.8.5.2/doc/signatures/100000333.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000333.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000333
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Artmedic Newsletter" application running on a webserver. Access to the file "log.php" using a remote file being passed as the "logfile" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "logfile" parameter in the "log.php" script used by the "Artmedic Newsletter" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Artmedic Newsletter
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000334.txt snort-2.9.2/doc/signatures/100000334.txt
--- snort-2.8.5.2/doc/signatures/100000334.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000334.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000334
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "CaLogic Calendars" application running on a webserver. Access to the file "reconfig.php" using a remote file being passed as the "CLPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "CLPath" parameter in the "reconfig.php" script used by the "CaLogic Calendars" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using CaLogic Calendars
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000335.txt snort-2.9.2/doc/signatures/100000335.txt
--- snort-2.8.5.2/doc/signatures/100000335.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000335.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000335
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "CaLogic Calendars" application running on a webserver. Access to the file "srxclr.php" using a remote file being passed as the "CLPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "CLPath" parameter in the "srxclr.php" script used by the "CaLogic Calendars" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using CaLogic Calendars
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000336.txt snort-2.9.2/doc/signatures/100000336.txt
--- snort-2.8.5.2/doc/signatures/100000336.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000336.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000336
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpMyDirectory" application running on a webserver. Access to the file "footer.php" using a remote file being passed as the "ROOT_PATH" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "ROOT_PATH" parameter in the "footer.php" script used by the "phpMyDirectory" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpMyDirectory
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000337.txt snort-2.9.2/doc/signatures/100000337.txt
--- snort-2.8.5.2/doc/signatures/100000337.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000337.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000337
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpMyDirectory" application running on a webserver. Access to the file "defaults_setup.php" using a remote file being passed as the "ROOT_PATH" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "ROOT_PATH" parameter in the "defaults_setup.php" script used by the "phpMyDirectory" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpMyDirectory
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000338.txt snort-2.9.2/doc/signatures/100000338.txt
--- snort-2.8.5.2/doc/signatures/100000338.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000338.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000338
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpMyDirectory" application running on a webserver. Access to the file "header.php" using a remote file being passed as the "ROOT_PATH" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "ROOT_PATH" parameter in the "header.php" script used by the "phpMyDirectory" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpMyDirectory
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000339.txt snort-2.9.2/doc/signatures/100000339.txt
--- snort-2.8.5.2/doc/signatures/100000339.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000339.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000339
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "V-Webmail" application running on a webserver. Access to the file "core.php" using a remote file being passed as the "CONFIG[pear_dir]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "CONFIG[pear_dir]" parameter in the "core.php" script used by the "V-Webmail" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using V-Webmail
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000340.txt snort-2.9.2/doc/signatures/100000340.txt
--- snort-2.8.5.2/doc/signatures/100000340.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000340.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000340
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "V-Webmail" application running on a webserver. Access to the file "pop3.php" using a remote file being passed as the "CONFIG[pear_dir]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "CONFIG[pear_dir]" parameter in the "pop3.php" script used by the "V-Webmail" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using V-Webmail
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000341.txt snort-2.9.2/doc/signatures/100000341.txt
--- snort-2.8.5.2/doc/signatures/100000341.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000341.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000341
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "DoceboLMS" application running on a webserver. Access to the file "help.php" using a remote file being passed as the "lang" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "lang" parameter in the "help.php" script used by the "DoceboLMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using DoceboLMS
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000342.txt snort-2.9.2/doc/signatures/100000342.txt
--- snort-2.8.5.2/doc/signatures/100000342.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000342.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000342
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "DoceboLMS" application running on a webserver. Access to the file "business.php" using a remote file being passed as the "lang" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "lang" parameter in the "business.php" script used by the "DoceboLMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using DoceboLMS
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000343.txt snort-2.9.2/doc/signatures/100000343.txt
--- snort-2.8.5.2/doc/signatures/100000343.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000343.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000343
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "DoceboLMS" application running on a webserver. Access to the file "credits.php" using a remote file being passed as the "lang" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "lang" parameter in the "credits.php" script used by the "DoceboLMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using DoceboLMS
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000344.txt snort-2.9.2/doc/signatures/100000344.txt
--- snort-2.8.5.2/doc/signatures/100000344.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000344.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000344
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SocketMail" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "site_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "site_path" parameter in the "index.php" script used by the "SocketMail" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SocketMail
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000345.txt snort-2.9.2/doc/signatures/100000345.txt
--- snort-2.8.5.2/doc/signatures/100000345.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000345.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000345
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SocketMail" application running on a webserver. Access to the file "inc-common.php" using a remote file being passed as the "site_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "site_path" parameter in the "inc-common.php" script used by the "SocketMail" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SocketMail
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000346.txt snort-2.9.2/doc/signatures/100000346.txt
--- snort-2.8.5.2/doc/signatures/100000346.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000346.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000346
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Plume CMS" application running on a webserver. Access to the file "prepend.php" using a remote file being passed as the "_PX_config[manager_path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "_PX_config[manager_path]" parameter in the "prepend.php" script used by the "Plume CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Plume CMS
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000347.txt snort-2.9.2/doc/signatures/100000347.txt
--- snort-2.8.5.2/doc/signatures/100000347.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000347.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000347
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ezupload Pro" application running on a webserver. Access to the file "form.php" using a remote file being passed as the "path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "path" parameter in the "form.php" script used by the "Ezupload Pro" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ezupload Pro
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000348.txt snort-2.9.2/doc/signatures/100000348.txt
--- snort-2.8.5.2/doc/signatures/100000348.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000348.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000348
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ezupload Pro" application running on a webserver. Access to the file "customize.php" using a remote file being passed as the "path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "path" parameter in the "customize.php" script used by the "Ezupload Pro" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ezupload Pro
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000349.txt snort-2.9.2/doc/signatures/100000349.txt
--- snort-2.8.5.2/doc/signatures/100000349.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000349.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000349
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ezupload Pro" application running on a webserver. Access to the file "initialize.php" using a remote file being passed as the "path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "path" parameter in the "initialize.php" script used by the "Ezupload Pro" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ezupload Pro
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000350.txt snort-2.9.2/doc/signatures/100000350.txt
--- snort-2.8.5.2/doc/signatures/100000350.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000350.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000350
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "UBBThreads" application running on a webserver. Access to the file "ubbt.inc.php" using a remote file being passed as the "GLOBALS[thispath]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "GLOBALS[thispath]" parameter in the "ubbt.inc.php" script used by the "UBBThreads" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using UBBThreads
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000351.txt snort-2.9.2/doc/signatures/100000351.txt
--- snort-2.8.5.2/doc/signatures/100000351.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000351.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000351
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "UBBThreads" application running on a webserver. Access to the file "config[cookieprefix]" using a remote file being passed as the "w3t_language" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "w3t_language" parameter in the "config[cookieprefix]" script used by the "UBBThreads" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using UBBThreads
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000352.txt snort-2.9.2/doc/signatures/100000352.txt
--- snort-2.8.5.2/doc/signatures/100000352.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000352.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000352
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Blend Portal" application running on a webserver. Access to the file "blend_common.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "blend_common.php" script used by the "Blend Portal" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Blend Portal
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000353.txt snort-2.9.2/doc/signatures/100000353.txt
--- snort-2.8.5.2/doc/signatures/100000353.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000353.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000353
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "tinyBB" application running on a webserver. Access to the file "footers.php" using a remote file being passed as the "tinybb_footers" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "tinybb_footers" parameter in the "footers.php" script used by the "tinyBB" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using tinyBB
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000354.txt snort-2.9.2/doc/signatures/100000354.txt
--- snort-2.8.5.2/doc/signatures/100000354.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000354.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000354
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpBB-Amod" application running on a webserver. Access to the file "lang_activity.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "lang_activity.php" script used by the "phpBB-Amod" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpBB-Amod
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000355.txt snort-2.9.2/doc/signatures/100000355.txt
--- snort-2.8.5.2/doc/signatures/100000355.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000355.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000355
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "eSyndiCat" application running on a webserver. Access to the file "cron.php" using a remote file being passed as the "path_to_config" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "path_to_config" parameter in the "cron.php" script used by the "eSyndiCat" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using eSyndiCat
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000356.txt snort-2.9.2/doc/signatures/100000356.txt
--- snort-2.8.5.2/doc/signatures/100000356.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000356.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000356
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BASE" application running on a webserver. Access to the file "base_qry_common.php" using a remote file being passed as the "BASE_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "BASE_path" parameter in the "base_qry_common.php" script used by the "BASE" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BASE
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000357.txt snort-2.9.2/doc/signatures/100000357.txt
--- snort-2.8.5.2/doc/signatures/100000357.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000357.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000357
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BASE" application running on a webserver. Access to the file "base_stat_common.php" using a remote file being passed as the "BASE_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "BASE_path" parameter in the "base_stat_common.php" script used by the "BASE" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BASE
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000358.txt snort-2.9.2/doc/signatures/100000358.txt
--- snort-2.8.5.2/doc/signatures/100000358.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000358.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000358
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BASE" application running on a webserver. Access to the file "base_include.inc.php" using a remote file being passed as the "BASE_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "BASE_path" parameter in the "base_include.inc.php" script used by the "BASE" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BASE
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000359.txt snort-2.9.2/doc/signatures/100000359.txt
--- snort-2.8.5.2/doc/signatures/100000359.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000359.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000359
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Fastpublish CMS" application running on a webserver. Access to the file "drucken.php" using a remote file being passed as the "config[fsBase]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "config[fsBase]" parameter in the "drucken.php" script used by the "Fastpublish CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Fastpublish CMS
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000360.txt snort-2.9.2/doc/signatures/100000360.txt
--- snort-2.8.5.2/doc/signatures/100000360.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000360.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000360
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Fastpublish CMS" application running on a webserver. Access to the file "drucken2.php" using a remote file being passed as the "config[fsBase]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "config[fsBase]" parameter in the "drucken2.php" script used by the "Fastpublish CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Fastpublish CMS
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000361.txt snort-2.9.2/doc/signatures/100000361.txt
--- snort-2.8.5.2/doc/signatures/100000361.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000361.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000361
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Fastpublish CMS" application running on a webserver. Access to the file "email_an_benutzer.php" using a remote file being passed as the "config[fsBase]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "config[fsBase]" parameter in the "email_an_benutzer.php" script used by the "Fastpublish CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Fastpublish CMS
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000362.txt snort-2.9.2/doc/signatures/100000362.txt
--- snort-2.8.5.2/doc/signatures/100000362.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000362.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000362
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Fastpublish CMS" application running on a webserver. Access to the file "rechnung.php" using a remote file being passed as the "config[fsBase]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "config[fsBase]" parameter in the "rechnung.php" script used by the "Fastpublish CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Fastpublish CMS
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000363.txt snort-2.9.2/doc/signatures/100000363.txt
--- snort-2.8.5.2/doc/signatures/100000363.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000363.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000363
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Fastpublish CMS" application running on a webserver. Access to the file "search.php" using a remote file being passed as the "config[fsBase]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "config[fsBase]" parameter in the "search.php" script used by the "Fastpublish CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Fastpublish CMS
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000364.txt snort-2.9.2/doc/signatures/100000364.txt
--- snort-2.8.5.2/doc/signatures/100000364.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000364.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000364
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Fastpublish CMS" application running on a webserver. Access to the file "admin.php" using a remote file being passed as the "config[fsBase]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "config[fsBase]" parameter in the "admin.php" script used by the "Fastpublish CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Fastpublish CMS
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000365.txt snort-2.9.2/doc/signatures/100000365.txt
--- snort-2.8.5.2/doc/signatures/100000365.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000365.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000365
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "index.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000366.txt snort-2.9.2/doc/signatures/100000366.txt
--- snort-2.8.5.2/doc/signatures/100000366.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000366.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000366
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_ug_auth.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_ug_auth.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000367.txt snort-2.9.2/doc/signatures/100000367.txt
--- snort-2.8.5.2/doc/signatures/100000367.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000367.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000367
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_board.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_board.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000368.txt snort-2.9.2/doc/signatures/100000368.txt
--- snort-2.8.5.2/doc/signatures/100000368.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000368.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000368
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_disallow.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_disallow.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000369.txt snort-2.9.2/doc/signatures/100000369.txt
--- snort-2.8.5.2/doc/signatures/100000369.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000369.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000369
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_forumauth.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_forumauth.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000370.txt snort-2.9.2/doc/signatures/100000370.txt
--- snort-2.8.5.2/doc/signatures/100000370.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000370.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000370
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_groups.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_groups.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000371.txt snort-2.9.2/doc/signatures/100000371.txt
--- snort-2.8.5.2/doc/signatures/100000371.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000371.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000371
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_ranks.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_ranks.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000372.txt snort-2.9.2/doc/signatures/100000372.txt
--- snort-2.8.5.2/doc/signatures/100000372.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000372.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000372
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_styles.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_styles.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000373.txt snort-2.9.2/doc/signatures/100000373.txt
--- snort-2.8.5.2/doc/signatures/100000373.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000373.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000373
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_user_ban.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_user_ban.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000374.txt snort-2.9.2/doc/signatures/100000374.txt
--- snort-2.8.5.2/doc/signatures/100000374.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000374.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000374
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_words.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_words.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000375.txt snort-2.9.2/doc/signatures/100000375.txt
--- snort-2.8.5.2/doc/signatures/100000375.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000375.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000375
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_avatar.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_avatar.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000376.txt snort-2.9.2/doc/signatures/100000376.txt
--- snort-2.8.5.2/doc/signatures/100000376.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000376.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000376
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_db_utilities.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_db_utilities.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000377.txt snort-2.9.2/doc/signatures/100000377.txt
--- snort-2.8.5.2/doc/signatures/100000377.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000377.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000377
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_forum_prune.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_forum_prune.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000378.txt snort-2.9.2/doc/signatures/100000378.txt
--- snort-2.8.5.2/doc/signatures/100000378.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000378.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000378
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_forums.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_forums.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000379.txt snort-2.9.2/doc/signatures/100000379.txt
--- snort-2.8.5.2/doc/signatures/100000379.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000379.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000379
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_mass_email.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_mass_email.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000380.txt snort-2.9.2/doc/signatures/100000380.txt
--- snort-2.8.5.2/doc/signatures/100000380.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000380.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000380
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_smilies.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_smilies.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000381.txt snort-2.9.2/doc/signatures/100000381.txt
--- snort-2.8.5.2/doc/signatures/100000381.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000381.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000381
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_ug_auth.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_ug_auth.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000382.txt snort-2.9.2/doc/signatures/100000382.txt
--- snort-2.8.5.2/doc/signatures/100000382.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000382.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000382
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_users.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_users.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000383.txt snort-2.9.2/doc/signatures/100000383.txt
--- snort-2.8.5.2/doc/signatures/100000383.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000383.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000383
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "OsTicket" application running on a webserver. Access to the file "open_form.php" using a remote file being passed as the "include_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "include_path" parameter in the "open_form.php" script used by the "OsTicket" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using OsTicket
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000384.txt snort-2.9.2/doc/signatures/100000384.txt
--- snort-2.8.5.2/doc/signatures/100000384.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000384.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000384
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ottoman" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "default_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "default_path" parameter in the "index.php" script used by the "Ottoman" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ottoman
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000385.txt snort-2.9.2/doc/signatures/100000385.txt
--- snort-2.8.5.2/doc/signatures/100000385.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000385.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000385
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ottoman" application running on a webserver. Access to the file "error.php" using a remote file being passed as the "default_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "default_path" parameter in the "error.php" script used by the "Ottoman" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ottoman
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000386.txt snort-2.9.2/doc/signatures/100000386.txt
--- snort-2.8.5.2/doc/signatures/100000386.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000386.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000386
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ottoman" application running on a webserver. Access to the file "main_class.php" using a remote file being passed as the "default_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "default_path" parameter in the "main_class.php" script used by the "Ottoman" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ottoman
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000387.txt snort-2.9.2/doc/signatures/100000387.txt
--- snort-2.8.5.2/doc/signatures/100000387.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000387.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-100000387
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "index.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000388.txt snort-2.9.2/doc/signatures/100000388.txt
--- snort-2.8.5.2/doc/signatures/100000388.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000388.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000388
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "topman.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "topman.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000389.txt snort-2.9.2/doc/signatures/100000389.txt
--- snort-2.8.5.2/doc/signatures/100000389.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000389.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000389
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "approb.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "approb.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000390.txt snort-2.9.2/doc/signatures/100000390.txt
--- snort-2.8.5.2/doc/signatures/100000390.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000390.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000390
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "vacadmb.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "vacadmb.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000391.txt snort-2.9.2/doc/signatures/100000391.txt
--- snort-2.8.5.2/doc/signatures/100000391.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000391.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000391
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "vacadma.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "vacadma.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000392.txt snort-2.9.2/doc/signatures/100000392.txt
--- snort-2.8.5.2/doc/signatures/100000392.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000392.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000392
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "vacadm.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "vacadm.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000393.txt snort-2.9.2/doc/signatures/100000393.txt
--- snort-2.8.5.2/doc/signatures/100000393.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000393.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000393
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "start.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "start.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000394.txt snort-2.9.2/doc/signatures/100000394.txt
--- snort-2.8.5.2/doc/signatures/100000394.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000394.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000394
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "search.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "search.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000395.txt snort-2.9.2/doc/signatures/100000395.txt
--- snort-2.8.5.2/doc/signatures/100000395.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000395.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000395
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "posts.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "posts.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000396.txt snort-2.9.2/doc/signatures/100000396.txt
--- snort-2.8.5.2/doc/signatures/100000396.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000396.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000396
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "options.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "options.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000397.txt snort-2.9.2/doc/signatures/100000397.txt
--- snort-2.8.5.2/doc/signatures/100000397.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000397.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000397
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "login.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "login.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000398.txt snort-2.9.2/doc/signatures/100000398.txt
--- snort-2.8.5.2/doc/signatures/100000398.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000398.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000398
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "frchart.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "frchart.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000399.txt snort-2.9.2/doc/signatures/100000399.txt
--- snort-2.8.5.2/doc/signatures/100000399.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000399.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000399
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "flbchart.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "flbchart.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000400.txt snort-2.9.2/doc/signatures/100000400.txt
--- snort-2.8.5.2/doc/signatures/100000400.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000400.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000400
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "fileman.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "fileman.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000401.txt snort-2.9.2/doc/signatures/100000401.txt
--- snort-2.8.5.2/doc/signatures/100000401.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000401.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000401
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "faq.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "faq.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000402.txt snort-2.9.2/doc/signatures/100000402.txt
--- snort-2.8.5.2/doc/signatures/100000402.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000402.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000402
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "event.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "event.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000403.txt snort-2.9.2/doc/signatures/100000403.txt
--- snort-2.8.5.2/doc/signatures/100000403.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000403.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000403 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "directory.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "directory.php" script used by the "Ovidentia" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Ovidentia - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000404.txt snort-2.9.2/doc/signatures/100000404.txt --- snort-2.8.5.2/doc/signatures/100000404.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000404.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000404 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "articles.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "articles.php" script used by the "Ovidentia" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Ovidentia - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000405.txt snort-2.9.2/doc/signatures/100000405.txt --- snort-2.8.5.2/doc/signatures/100000405.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000405.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000405 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "artedit.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "artedit.php" script used by the "Ovidentia" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Ovidentia - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000406.txt snort-2.9.2/doc/signatures/100000406.txt --- snort-2.8.5.2/doc/signatures/100000406.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000406.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000406 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "approb.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "approb.php" script used by the "Ovidentia" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Ovidentia - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000407.txt snort-2.9.2/doc/signatures/100000407.txt --- snort-2.8.5.2/doc/signatures/100000407.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000407.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000407 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "calday.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "calday.php" script used by the "Ovidentia" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Ovidentia - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000408.txt snort-2.9.2/doc/signatures/100000408.txt --- snort-2.8.5.2/doc/signatures/100000408.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000408.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000408 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "AssoCIateD" application running on a webserver. Access to the file "cache_mngt.php" using a remote file being passed as the "root_path" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "root_path" parameter in the "cache_mngt.php" script used by the "AssoCIateD" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using AssoCIateD - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000409.txt snort-2.9.2/doc/signatures/100000409.txt --- snort-2.8.5.2/doc/signatures/100000409.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000409.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000409 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "AssoCIateD" application running on a webserver. Access to the file "gallery_functions.php" using a remote file being passed as the "root_path" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "root_path" parameter in the "gallery_functions.php" script used by the "AssoCIateD" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using AssoCIateD - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000410.txt snort-2.9.2/doc/signatures/100000410.txt --- snort-2.8.5.2/doc/signatures/100000410.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000410.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000410 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "REDAXO" application running on a webserver. Access to the file "index.inc.php" using a remote file being passed as the "REX[INCLUDE_PATH]" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "REX[INCLUDE_PATH]" parameter in the "index.inc.php" script used by the "REDAXO" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using REDAXO - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000411.txt snort-2.9.2/doc/signatures/100000411.txt --- snort-2.8.5.2/doc/signatures/100000411.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000411.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000411 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "REDAXO" application running on a webserver. Access to the file "index.inc.php" using a remote file being passed as the "REX[INCLUDE_PATH]" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "REX[INCLUDE_PATH]" parameter in the "index.inc.php" script used by the "REDAXO" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using REDAXO - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000412.txt snort-2.9.2/doc/signatures/100000412.txt --- snort-2.8.5.2/doc/signatures/100000412.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000412.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000412 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "REDAXO" application running on a webserver. Access to the file "index.inc.php" using a remote file being passed as the "REX[INCLUDE_PATH]" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "REX[INCLUDE_PATH]" parameter in the "index.inc.php" script used by the "REDAXO" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using REDAXO - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000413.txt snort-2.9.2/doc/signatures/100000413.txt --- snort-2.8.5.2/doc/signatures/100000413.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000413.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000413 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "REDAXO" application running on a webserver. Access to the file "index.inc.php" using a remote file being passed as the "REX[INCLUDE_PATH]" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "REX[INCLUDE_PATH]" parameter in the "index.inc.php" script used by the "REDAXO" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using REDAXO - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000414.txt snort-2.9.2/doc/signatures/100000414.txt --- snort-2.8.5.2/doc/signatures/100000414.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000414.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000414 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "REDAXO" application running on a webserver. Access to the file "community.inc.php" using a remote file being passed as the "REX[INCLUDE_PATH]" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "REX[INCLUDE_PATH]" parameter in the "community.inc.php" script used by the "REDAXO" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using REDAXO - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000415.txt snort-2.9.2/doc/signatures/100000415.txt --- snort-2.8.5.2/doc/signatures/100000415.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000415.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000415
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Bytehoard" application running on a webserver. Access to the file "server.php" using a remote file being passed as the "bhconfig[bhfilepath]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "bhconfig[bhfilepath]" parameter in the "server.php" script used by the "Bytehoard" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Bytehoard
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000416.txt snort-2.9.2/doc/signatures/100000416.txt
--- snort-2.8.5.2/doc/signatures/100000416.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000416.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000416
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MyBloggie" application running on a webserver. Access to the file "admin.php" using a remote file being passed as the "mybloggie_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "mybloggie_root_path" parameter in the "admin.php" script used by the "MyBloggie" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using MyBloggie
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000417.txt snort-2.9.2/doc/signatures/100000417.txt
--- snort-2.8.5.2/doc/signatures/100000417.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000417.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000417
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MyBloggie" application running on a webserver. Access to the file "scode.php" using a remote file being passed as the "mybloggie_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "mybloggie_root_path" parameter in the "scode.php" script used by the "MyBloggie" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using MyBloggie
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000418.txt snort-2.9.2/doc/signatures/100000418.txt
--- snort-2.8.5.2/doc/signatures/100000418.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000418.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000418
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ashwebstudio Ashnews" application running on a webserver. Access to the file "ashheadlines.php" using a remote file being passed as the "pathtoashnews" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "pathtoashnews" parameter in the "ashheadlines.php" script used by the "Ashwebstudio Ashnews" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ashwebstudio Ashnews
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000419.txt snort-2.9.2/doc/signatures/100000419.txt
--- snort-2.8.5.2/doc/signatures/100000419.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000419.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000419
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ashwebstudio Ashnews" application running on a webserver. Access to the file "ashnews.php" using a remote file being passed as the "pathtoashnews" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "pathtoashnews" parameter in the "ashnews.php" script used by the "Ashwebstudio Ashnews" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ashwebstudio Ashnews
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000420.txt snort-2.9.2/doc/signatures/100000420.txt
--- snort-2.8.5.2/doc/signatures/100000420.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000420.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000420
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Informium" application running on a webserver. Access to the file "common-menu.php" using a remote file being passed as the "CONF[local_path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "CONF[local_path]" parameter in the "common-menu.php" script used by the "Informium" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Informium
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000421.txt snort-2.9.2/doc/signatures/100000421.txt
--- snort-2.8.5.2/doc/signatures/100000421.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000421.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000421
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Igloo" application running on a webserver. Access to the file "wiki.php" using a remote file being passed as the "c_node[class_path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "c_node[class_path]" parameter in the "wiki.php" script used by the "Igloo" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Igloo
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000422.txt snort-2.9.2/doc/signatures/100000422.txt
--- snort-2.8.5.2/doc/signatures/100000422.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000422.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000422
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpBB" application running on a webserver. Access to the file "template.php" using a remote file being passed as the "page" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "page" parameter in the "template.php" script used by the "phpBB" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpBB
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000423.txt snort-2.9.2/doc/signatures/100000423.txt
--- snort-2.8.5.2/doc/signatures/100000423.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000423.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000423
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "DotWidget CMS" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "file_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "file_path" parameter in the "index.php" script used by the "DotWidget CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using DotWidget CMS
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000424.txt snort-2.9.2/doc/signatures/100000424.txt
--- snort-2.8.5.2/doc/signatures/100000424.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000424.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000424
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "DotWidget CMS" application running on a webserver. Access to the file "feedback.php" using a remote file being passed as the "file_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "file_path" parameter in the "feedback.php" script used by the "DotWidget CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using DotWidget CMS
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000425.txt snort-2.9.2/doc/signatures/100000425.txt
--- snort-2.8.5.2/doc/signatures/100000425.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000425.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000425
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "DotWidget CMS" application running on a webserver. Access to the file "printfriendly.php" using a remote file being passed as the "file_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "file_path" parameter in the "printfriendly.php" script used by the "DotWidget CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using DotWidget CMS
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000426.txt snort-2.9.2/doc/signatures/100000426.txt
--- snort-2.8.5.2/doc/signatures/100000426.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000426.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000426
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "DotClear" application running on a webserver. Access to the file "prepend.php" using a remote file being passed as the "blog_dc_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "blog_dc_path" parameter in the "prepend.php" script used by the "DotClear" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using DotClear
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000430.txt snort-2.9.2/doc/signatures/100000430.txt
--- snort-2.8.5.2/doc/signatures/100000430.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000430.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,53 +0,0 @@
-Rule:
-
---
-Sid:
-100000430
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BlueShoes" application running on a webserver. Access to the file "Bs_Faq.class.php" using a remote file being passed as the "APP[path][applications]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "APP[path][applications]" parameter in the "Bs_Faq.class.php" script used by the "BlueShoes" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BlueShoes
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000431.txt snort-2.9.2/doc/signatures/100000431.txt
--- snort-2.8.5.2/doc/signatures/100000431.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000431.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000431
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BlueShoes" application running on a webserver. Access to the file "fileBrowserInner.php" using a remote file being passed as the "APP[path][core]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "APP[path][core]" parameter in the "fileBrowserInner.php" script used by the "BlueShoes" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BlueShoes
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000432.txt snort-2.9.2/doc/signatures/100000432.txt
--- snort-2.8.5.2/doc/signatures/100000432.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000432.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000432
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BlueShoes" application running on a webserver. Access to the file "file.php" using a remote file being passed as the "APP[path][core]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "APP[path][core]" parameter in the "file.php" script used by the "BlueShoes" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BlueShoes
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000433.txt snort-2.9.2/doc/signatures/100000433.txt
--- snort-2.8.5.2/doc/signatures/100000433.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000433.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000433
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BlueShoes" application running on a webserver. Access to the file "viewer.php" using a remote file being passed as the "APP[path][core]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "APP[path][core]" parameter in the "viewer.php" script used by the "BlueShoes" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BlueShoes
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000434.txt snort-2.9.2/doc/signatures/100000434.txt
--- snort-2.8.5.2/doc/signatures/100000434.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000434.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000434
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BlueShoes" application running on a webserver. Access to the file "Bs_ImageArchive.class.php" using a remote file being passed as the "APP[path][core]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "APP[path][core]" parameter in the "Bs_ImageArchive.class.php" script used by the "BlueShoes" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BlueShoes
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000435.txt snort-2.9.2/doc/signatures/100000435.txt
--- snort-2.8.5.2/doc/signatures/100000435.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000435.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000435
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BlueShoes" application running on a webserver. Access to the file "Bs_Ml_User.class.php" using a remote file being passed as the "GLOBALS[APP][path][core]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "GLOBALS[APP][path][core]" parameter in the "Bs_Ml_User.class.php" script used by the "BlueShoes" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BlueShoes
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000436.txt snort-2.9.2/doc/signatures/100000436.txt
--- snort-2.8.5.2/doc/signatures/100000436.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000436.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000436
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BlueShoes" application running on a webserver. Access to the file "Bs_Wse_Profile.class.php" using a remote file being passed as the "APP[path][plugins]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "APP[path][plugins]" parameter in the "Bs_Wse_Profile.class.php" script used by the "BlueShoes" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BlueShoes
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000437.txt snort-2.9.2/doc/signatures/100000437.txt
--- snort-2.8.5.2/doc/signatures/100000437.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000437.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000437
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "CS-Cart" application running on a webserver. Access to the file "class.cs_phpmailer.php" using a remote file being passed as the "classes_dir" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "classes_dir" parameter in the "class.cs_phpmailer.php" script used by the "CS-Cart" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using CS-Cart
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000438.txt snort-2.9.2/doc/signatures/100000438.txt
--- snort-2.8.5.2/doc/signatures/100000438.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000438.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000438
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Claroline" application running on a webserver. Access to the file "mambo.inc.php" using a remote file being passed as the "includepath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "includepath" parameter in the "mambo.inc.php" script used by the "Claroline" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Claroline
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000439.txt snort-2.9.2/doc/signatures/100000439.txt
--- snort-2.8.5.2/doc/signatures/100000439.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000439.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000439
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Claroline" application running on a webserver. Access to the file "postnuke.inc.php" using a remote file being passed as the "includepath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "includepath" parameter in the "postnuke.inc.php" script used by the "Claroline" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Claroline
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000440.txt snort-2.9.2/doc/signatures/100000440.txt
--- snort-2.8.5.2/doc/signatures/100000440.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000440.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000440
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "CyBoards" application running on a webserver. Access to the file "common.php" using a remote file being passed as the "script_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "script_path" parameter in the "common.php" script used by the "CyBoards" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using CyBoards
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000441.txt snort-2.9.2/doc/signatures/100000441.txt
--- snort-2.8.5.2/doc/signatures/100000441.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000441.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000441
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Wikiwig" application running on a webserver. Access to the file "wk_lang.php" using a remote file being passed as the "WK[wkpath]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "WK[wkpath]" parameter in the "wk_lang.php" script used by the "Wikiwig" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Wikiwig
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000442.txt snort-2.9.2/doc/signatures/100000442.txt
--- snort-2.8.5.2/doc/signatures/100000442.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000442.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000442
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MiraksGalerie" application running on a webserver. Access to the file "pcltar.lib.php" using a remote file being passed as the "g_pcltar_lib_dir" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "g_pcltar_lib_dir" parameter in the "pcltar.lib.php" script used by the "MiraksGalerie" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using MiraksGalerie
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000443.txt snort-2.9.2/doc/signatures/100000443.txt
--- snort-2.8.5.2/doc/signatures/100000443.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000443.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000443
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MiraksGalerie" application running on a webserver. Access to the file "galimage.lib.php" using a remote file being passed as the "listconfigfile[0]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "listconfigfile[0]" parameter in the "galimage.lib.php" script used by the "MiraksGalerie" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using MiraksGalerie
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000444.txt snort-2.9.2/doc/signatures/100000444.txt
--- snort-2.8.5.2/doc/signatures/100000444.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000444.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000444
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MiraksGalerie" application running on a webserver. Access to the file "galsecurity.lib.php" using a remote file being passed as the "listconfigfile[0]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "listconfigfile[0]" parameter in the "galsecurity.lib.php" script used by the "MiraksGalerie" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using MiraksGalerie
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000445.txt snort-2.9.2/doc/signatures/100000445.txt
--- snort-2.8.5.2/doc/signatures/100000445.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000445.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000445
-
---
-Summary:
-Particle Gallery is susceptible to an injection attack due to a lack
-of input validation on the imageid variable used in the viewimage.php
-component.
-
---
-Impact:
-The injection attack could result in data leakage, or potential remote
-compromise.
-
---
-Detailed Information:
-Particle Gallery is prone to an SQL-injection vulnerability. This issue is due
-to a failure in the application to properly sanitize user-supplied input
-before using it in an SQL query.
-
-A successful exploit could allow an attacker to compromise the application,
-access or modify data, or exploit vulnerabilities in the underlying database
-implementation.
-
-The data type assigned to the column referenced by the variable is int, so
-there should never be any text or characters outside of the int used to
-identify the image.
-
---
-Attack Scenarios:
-Variable manipulation can be done with any browser.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Edit code and add input validation.
-
---
-Contributors:
-Dan Ramaswami
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000446.txt snort-2.9.2/doc/signatures/100000446.txt
--- snort-2.8.5.2/doc/signatures/100000446.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000446.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000446
-
---
-Summary:
-Particle Wiki is susceptible to an injection attack due to a lack of input
-validation on the version variable used in the index.php component.
-
---
-Impact:
-The injection attack could result in data leakage, or potential remote
-compromise.
-
---
-Detailed Information:
-Particle Wiki is prone to an SQL-injection vulnerability. This issue is due to
-a failure in the application to properly sanitize user-supplied input before
-using it in an SQL query.
-
-A successful exploit could allow an attacker to compromise the application,
-access or modify data, or exploit vulnerabilities in the underlying database
-implementation.
-
---
-Attack Scenarios:
-Variable manipulation can be done with any browser.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Edit code and add input validation.
-
---
-Contributors:
-Dan Ramaswami
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000448.txt snort-2.9.2/doc/signatures/100000448.txt
--- snort-2.8.5.2/doc/signatures/100000448.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000448.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000448
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "OfficeFlow" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "sqlType" parameter in the "default.asp" script
-used by the "OfficeFlow" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using OfficeFlow
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000449.txt snort-2.9.2/doc/signatures/100000449.txt
--- snort-2.8.5.2/doc/signatures/100000449.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000449.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000449
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "OfficeFlow" application running on a webserver. Access to
-the file "files.asp" with SQL commands being passed as the "Project" parameter
-may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "Project" parameter in the "files.asp" script used by
-the "OfficeFlow" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using OfficeFlow
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000450.txt snort-2.9.2/doc/signatures/100000450.txt
--- snort-2.8.5.2/doc/signatures/100000450.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000450.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000450
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "VanillaSoft Helpdesk" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "username" parameter in the "default.asp"
-script used by the "VanillaSoft Helpdesk" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using VanillaSoft Helpdesk
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000451.txt snort-2.9.2/doc/signatures/100000451.txt
--- snort-2.8.5.2/doc/signatures/100000451.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000451.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000451
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "KAPhotoservice" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "cat" parameter in the "album.asp" script used
-by the "KAPhotoservice" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using KAPhotoservice
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000452.txt snort-2.9.2/doc/signatures/100000452.txt
--- snort-2.8.5.2/doc/signatures/100000452.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000452.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000452
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "KAPhotoservice" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "albumid" parameter in the "album.asp" script
-used by the "KAPhotoservice" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using KAPhotoservice
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000453.txt snort-2.9.2/doc/signatures/100000453.txt
--- snort-2.8.5.2/doc/signatures/100000453.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000453.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000453
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "KAPhotoservice" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "apage" parameter in the "edtalbum.asp" script
-used by the "KAPhotoservice" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using KAPhotoservice
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000454.txt snort-2.9.2/doc/signatures/100000454.txt
--- snort-2.8.5.2/doc/signatures/100000454.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000454.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000454
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "KAPhotoservice" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "New Category" parameter in the "edtalbum.asp"
-script used by the "KAPhotoservice" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using KAPhotoservice
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000455.txt snort-2.9.2/doc/signatures/100000455.txt
--- snort-2.8.5.2/doc/signatures/100000455.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000455.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000455
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "Axent Forum" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "startrow" parameter in the "viewposts.cfm"
-script used by the "Axent Forum" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Axent Forum
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000456.txt snort-2.9.2/doc/signatures/100000456.txt
--- snort-2.8.5.2/doc/signatures/100000456.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000456.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000456
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "SSPwiz" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "message" parameter in the "index.cfm" script
-used by the "SSPwiz" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using SSPwiz
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000457.txt snort-2.9.2/doc/signatures/100000457.txt
--- snort-2.8.5.2/doc/signatures/100000457.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000457.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000457
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "ASP Stats" application running on a webserver. Access to
-the file "pages.asp" with SQL commands being passed as the "order" parameter
-may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "order" parameter in the "pages.asp" script used by the
-"ASP Stats" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using ASP Stats
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000458.txt snort-2.9.2/doc/signatures/100000458.txt
--- snort-2.8.5.2/doc/signatures/100000458.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000458.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000458
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "DPVision Tradingeye Shop" application running
-on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "image" parameter in the "details.cfm" script
-used by the "DPVision Tradingeye Shop" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using DPVision Tradingeye Shop
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000459.txt snort-2.9.2/doc/signatures/100000459.txt
--- snort-2.8.5.2/doc/signatures/100000459.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000459.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@ -Rule: - --- -Sid: -100000459 --- -Summary: -This event is generated when an attempt is made to exploit an SQL injection -vulnerability in the "WeBBoA" application running on a webserver. Access to the -file "yeni_host.asp" with SQL commands being passed as the "id" parameter may -indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to inject SQL code from a -remote machine via the "id" parameter in the "yeni_host.asp" script used by the -"WeBBoA" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to compromise the database backend for the -application, the attacker may also be able to execute system binaries or -malicious code of their choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using WeBBoA --- -Attack Scenarios: -An attacker can inject SQL commands to the backend database for an application -if user input is not correctly sanitized or checked before passing that input -to the database. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -SQL Injection Attack and Defense -http://www.securitydocs.com/library/3587 - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000461.txt snort-2.9.2/doc/signatures/100000461.txt --- snort-2.8.5.2/doc/signatures/100000461.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000461.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -100000461 --- -Summary: -This event is generated when an attempt is made to exploit a cross site -scripting vulnerability in the "Open WebMail" application running on a -webserver. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to exploit a cross site -scripting vulnerability via the "To" parameter in the "openwebmail-read.pl" -script used by the "Open WebMail" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to retrieve sensitive data, execute system binaries -or malicious code of the attackers choosing. - --- -Affected Systems: -All systems running CGI applications using Open WebMail --- -Attack Scenarios: -An attacker can supply a malicious link designed to steal information from a -user clicking on that link. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -The Cross Site Scripting (XSS) FAQ -http://www.cgisecurity.com/articles/xss-faq.shtml - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000462.txt snort-2.9.2/doc/signatures/100000462.txt --- snort-2.8.5.2/doc/signatures/100000462.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000462.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -100000462 --- -Summary: -This event is generated when an attempt is made to exploit a cross site -scripting vulnerability in the "Open WebMail" application running on a -webserver. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to exploit a cross site -scripting vulnerability via the "From" parameter in the "openwebmail-read.pl" -script used by the "Open WebMail" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to retrieve sensitive data, execute system binaries -or malicious code of the attackers choosing. - --- -Affected Systems: -All systems running CGI applications using Open WebMail --- -Attack Scenarios: -An attacker can supply a malicious link designed to steal information from a -user clicking on that link. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -The Cross Site Scripting (XSS) FAQ -http://www.cgisecurity.com/articles/xss-faq.shtml - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000463.txt snort-2.9.2/doc/signatures/100000463.txt --- snort-2.8.5.2/doc/signatures/100000463.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000463.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000463 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Joomla" application running on a webserver. -Access to the file "joomla.php" using a remote file being passed as the -"includepath" parameter may indicate that an exploitation attempt has been -attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "includepath" parameter in the "joomla.php" script used -by the "Joomla" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Joomla --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000464.txt snort-2.9.2/doc/signatures/100000464.txt --- snort-2.8.5.2/doc/signatures/100000464.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000464.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000464 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "LoveCompass AEPartner" application running on a -webserver. Access to the file "design.inc.php" using a remote file being passed -as the "dir[data]" parameter may indicate that an exploitation attempt has been -attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "dir[data]" parameter in the "design.inc.php" script -used by the "LoveCompass AEPartner" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using LoveCompass AEPartner --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. 
Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000465.txt snort-2.9.2/doc/signatures/100000465.txt --- snort-2.8.5.2/doc/signatures/100000465.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000465.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000465 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Empris" application running on a webserver. -Access to the file "sql_fcnsOLD.php" using a remote file being passed as the -"phormationdir" parameter may indicate that an exploitation attempt has been -attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "phormationdir" parameter in the "sql_fcnsOLD.php" -script used by the "Empris" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Empris --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000466.txt snort-2.9.2/doc/signatures/100000466.txt --- snort-2.8.5.2/doc/signatures/100000466.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000466.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,72 +0,0 @@ -Rule: - --- -Sid: -100000466 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Free QBoard" application running on a webserver. -Access to the file "post.php" using a remote file being passed as the "qb_path" -parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "qb_path" parameter in the "post.php" script used by the -"Free QBoard" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Free QBoard --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000467.txt snort-2.9.2/doc/signatures/100000467.txt --- snort-2.8.5.2/doc/signatures/100000467.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000467.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,72 +0,0 @@ -Rule: - --- -Sid: -100000467 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "WebprojectDB" application running on a webserver. -Access to the file "nav.php" using a remote file being passed as the "INCDIR" -parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "INCDIR" parameter in the "nav.php" script used by the -"WebprojectDB" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using WebprojectDB --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000468.txt snort-2.9.2/doc/signatures/100000468.txt --- snort-2.8.5.2/doc/signatures/100000468.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000468.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,72 +0,0 @@ -Rule: - --- -Sid: -100000468 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "WebprojectDB" application running on a webserver. -Access to the file "lang.php" using a remote file being passed as the "INCDIR" -parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "INCDIR" parameter in the "lang.php" script used by the -"WebprojectDB" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using WebprojectDB --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000469.txt snort-2.9.2/doc/signatures/100000469.txt --- snort-2.8.5.2/doc/signatures/100000469.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000469.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -100000469 --- -Summary: -This event is generated when an attempt is made to exploit a cross site -scripting vulnerability in the "iFoto" application running on a webserver. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to exploit a cross site -scripting vulnerability via the "dir" parameter in the "index.php" script used -by the "iFoto" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to retrieve sensitive data, execute system binaries -or malicious code of the attackers choosing. - --- -Affected Systems: -All systems running CGI applications using iFoto --- -Attack Scenarios: -An attacker can supply a malicious link designed to steal information from a -user clicking on that link. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -The Cross Site Scripting (XSS) FAQ -http://www.cgisecurity.com/articles/xss-faq.shtml - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000470.txt snort-2.9.2/doc/signatures/100000470.txt --- snort-2.8.5.2/doc/signatures/100000470.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000470.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000470 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Foing" application running on a webserver. Access -to the file "manage_songs.php" using a remote file being passed as the -"foing_root_path" parameter may indicate that an exploitation attempt has been -attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "foing_root_path" parameter in the "manage_songs.php" -script used by the "Foing" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Foing --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000471.txt snort-2.9.2/doc/signatures/100000471.txt --- snort-2.8.5.2/doc/signatures/100000471.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000471.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,75 +0,0 @@ -Rule: - --- -Sid: -100000471 --- -Summary: -This event is generated when an attempt is made to exploit an SQL injection -vulnerability in the "VBZoom" application running on a webserver. Access to the -file "show.php" with SQL commands being passed as the "objectID" parameter may -indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to inject SQL code from a -remote machine via the "objectID" parameter in the "show.php" script used by -the "VBZoom" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to compromise the database backend for the -application, the attacker may also be able to execute system binaries or -malicious code of their choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using VBZoom --- -Attack Scenarios: -An attacker can inject SQL commands to the backend database for an application -if user input is not correctly sanitized or checked before passing that input -to the database. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -SQL Injection Attack and Defense -http://www.securitydocs.com/library/3587 - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000472.txt snort-2.9.2/doc/signatures/100000472.txt --- snort-2.8.5.2/doc/signatures/100000472.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000472.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,75 +0,0 @@ -Rule: - --- -Sid: -100000472 --- -Summary: -This event is generated when an attempt is made to exploit an SQL injection -vulnerability in the "VBZoom" application running on a webserver. Access to the -file "show.php" with SQL commands being passed as the "MAINID" parameter may -indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to inject SQL code from a -remote machine via the "MAINID" parameter in the "show.php" script used by the -"VBZoom" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to compromise the database backend for the -application, the attacker may also be able to execute system binaries or -malicious code of their choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using VBZoom --- -Attack Scenarios: -An attacker can inject SQL commands to the backend database for an application -if user input is not correctly sanitized or checked before passing that input -to the database. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -SQL Injection Attack and Defense -http://www.securitydocs.com/library/3587 - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000473.txt snort-2.9.2/doc/signatures/100000473.txt --- snort-2.8.5.2/doc/signatures/100000473.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000473.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000473
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "VBZoom" application running on a webserver. Access to the
-file "language.php" with SQL commands being passed as the "Action" parameter
-may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "Action" parameter in the "language.php" script used by
-the "VBZoom" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VBZoom
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000474.txt snort-2.9.2/doc/signatures/100000474.txt
--- snort-2.8.5.2/doc/signatures/100000474.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000474.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000474
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "VBZoom" application running on a webserver. Access to the
-file "meaning.php" with SQL commands being passed as the "QuaranID" parameter
-may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "QuaranID" parameter in the "meaning.php" script used by
-the "VBZoom" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VBZoom
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000475.txt snort-2.9.2/doc/signatures/100000475.txt
--- snort-2.8.5.2/doc/signatures/100000475.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000475.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000475
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "VBZoom" application running on a webserver. Access to the
-file "meaning.php" with SQL commands being passed as the "ShowByQuranID"
-parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "ShowByQuranID" parameter in the "meaning.php" script
-used by the "VBZoom" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VBZoom
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000476.txt snort-2.9.2/doc/signatures/100000476.txt
--- snort-2.8.5.2/doc/signatures/100000476.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000476.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000476
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "VBZoom" application running on a webserver. Access to the
-file "meaning.php" with SQL commands being passed as the "Action" parameter may
-indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "Action" parameter in the "meaning.php" script used by
-the "VBZoom" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VBZoom
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000477.txt snort-2.9.2/doc/signatures/100000477.txt
--- snort-2.8.5.2/doc/signatures/100000477.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000477.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000477
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "VBZoom" application running on a webserver. Access to the
-file "subject.php" with SQL commands being passed as the "MainID" parameter may
-indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "MainID" parameter in the "subject.php" script used by
-the "VBZoom" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VBZoom
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000478.txt snort-2.9.2/doc/signatures/100000478.txt
--- snort-2.8.5.2/doc/signatures/100000478.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000478.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000478
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "aWebNews" application running on a webserver.
-Access to the file "visview.php" using a remote file being passed as the
-"path_to_news" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "path_to_news" parameter in the "visview.php" script
-used by the "aWebNews" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using aWebNews
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000479.txt snort-2.9.2/doc/signatures/100000479.txt
--- snort-2.8.5.2/doc/signatures/100000479.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000479.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-100000479
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "CzarNews" application running on a webserver.
-Access to the file "headlines.php" using a remote file being passed as the
-"tpath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "tpath" parameter in the "headlines.php" script used by
-the "CzarNews" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using CzarNews
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000480.txt snort-2.9.2/doc/signatures/100000480.txt
--- snort-2.8.5.2/doc/signatures/100000480.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000480.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000480
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Somery" application running on a webserver.
-Access to the file "team.php" using a remote file being passed as the
-"checkauth" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "checkauth" parameter in the "team.php" script used by
-the "Somery" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Somery
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000481.txt snort-2.9.2/doc/signatures/100000481.txt
--- snort-2.8.5.2/doc/signatures/100000481.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000481.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000481
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Hinton Design PHPHG" application running on a
-webserver. Access to the file "signed.php" using a remote file being passed as
-the "phphg_real_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "phphg_real_path" parameter in the "signed.php" script
-used by the "Hinton Design PHPHG" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Hinton Design PHPHG
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000482.txt snort-2.9.2/doc/signatures/100000482.txt
--- snort-2.8.5.2/doc/signatures/100000482.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000482.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-100000482
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "BoastMachine" application running on a webserver.
-Access to the file "vote.php" using a remote file being passed as the "bmc_dir"
-parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "bmc_dir" parameter in the "vote.php" script used by the
-"BoastMachine" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BoastMachine
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000483.txt snort-2.9.2/doc/signatures/100000483.txt
--- snort-2.8.5.2/doc/signatures/100000483.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000483.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000483
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Wheatblog" application running on a webserver.
-Access to the file "view_links.php" using a remote file being passed as the
-"wb_inc_dir" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "wb_inc_dir" parameter in the "view_links.php" script
-used by the "Wheatblog" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Wheatblog
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000484.txt snort-2.9.2/doc/signatures/100000484.txt
--- snort-2.8.5.2/doc/signatures/100000484.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000484.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000484
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "Confixx" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "lpath" parameter in the "ftp_index.php" script
-used by the "Confixx" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Confixx
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000485.txt snort-2.9.2/doc/signatures/100000485.txt
--- snort-2.8.5.2/doc/signatures/100000485.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000485.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-100000485
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "RahnemaCo" application running on a webserver.
-Access to the file "page.php" using a remote file being passed as the "osCsid"
-parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "osCsid" parameter in the "page.php" script used by the
-"RahnemaCo" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using RahnemaCo
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000486.txt snort-2.9.2/doc/signatures/100000486.txt
--- snort-2.8.5.2/doc/signatures/100000486.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000486.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000486
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "PhpBlueDragon CMS" application running on a
-webserver. Access to the file "template.php" using a remote file being passed
-as the "vsDragonRootPath" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "vsDragonRootPath" parameter in the "template.php"
-script used by the "PhpBlueDragon CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PhpBlueDragon CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000487.txt snort-2.9.2/doc/signatures/100000487.txt
--- snort-2.8.5.2/doc/signatures/100000487.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000487.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000487
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "ISPConfig" application running on a webserver.
-Access to the file "server.inc.php" using a remote file being passed as the
-"go_info[isp][classes_root]" parameter may indicate that an exploitation
-attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "go_info[isp][classes_root]" parameter in the
-"server.inc.php" script used by the "ISPConfig" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using ISPConfig
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000488.txt snort-2.9.2/doc/signatures/100000488.txt
--- snort-2.8.5.2/doc/signatures/100000488.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000488.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000488
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "ISPConfig" application running on a webserver.
-Access to the file "app.inc.php" using a remote file being passed as the
-"go_info[isp][classes_root]" parameter may indicate that an exploitation
-attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "go_info[isp][classes_root]" parameter in the
-"app.inc.php" script used by the "ISPConfig" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using ISPConfig
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000489.txt snort-2.9.2/doc/signatures/100000489.txt
--- snort-2.8.5.2/doc/signatures/100000489.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000489.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000489
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "ISPConfig" application running on a webserver.
-Access to the file "login.php" using a remote file being passed as the
-"go_info[isp][classes_root]" parameter may indicate that an exploitation
-attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "go_info[isp][classes_root]" parameter in the
-"login.php" script used by the "ISPConfig" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using ISPConfig
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000490.txt snort-2.9.2/doc/signatures/100000490.txt
--- snort-2.8.5.2/doc/signatures/100000490.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000490.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000490
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "ISPConfig" application running on a webserver.
-Access to the file "trylogin.php" using a remote file being passed as the
-"go_info[isp][classes_root]" parameter may indicate that an exploitation
-attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "go_info[isp][classes_root]" parameter in the
-"trylogin.php" script used by the "ISPConfig" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using ISPConfig
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000491.txt snort-2.9.2/doc/signatures/100000491.txt
--- snort-2.8.5.2/doc/signatures/100000491.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000491.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000491
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "DeluxeBB" application running on a webserver.
-Access to the file "posting.php" using a remote file being passed as the
-"templatefolder" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "templatefolder" parameter in the "posting.php" script
-used by the "DeluxeBB" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using DeluxeBB
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000492.txt snort-2.9.2/doc/signatures/100000492.txt
--- snort-2.8.5.2/doc/signatures/100000492.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000492.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000492
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "DeluxeBB" application running on a webserver.
-Access to the file "newpm.php" using a remote file being passed as the
-"templatefolder" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "templatefolder" parameter in the "newpm.php" script
-used by the "DeluxeBB" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using DeluxeBB
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000493.txt snort-2.9.2/doc/signatures/100000493.txt
--- snort-2.8.5.2/doc/signatures/100000493.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000493.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000493
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "DeluxeBB" application running on a webserver.
-Access to the file "postreply.php" using a remote file being passed as the
-"templatefolder" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "templatefolder" parameter in the "postreply.php" script
-used by the "DeluxeBB" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using DeluxeBB
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000494.txt snort-2.9.2/doc/signatures/100000494.txt
--- snort-2.8.5.2/doc/signatures/100000494.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000494.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000494
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "Zeroboard" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "$s_file_name" parameter in the "write_ok.php"
-script used by the "Zeroboard" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Zeroboard
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000495.txt snort-2.9.2/doc/signatures/100000495.txt
--- snort-2.8.5.2/doc/signatures/100000495.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000495.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000495
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "Zeroboard" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "$file_name" parameter in the "write_ok.php"
-script used by the "Zeroboard" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Zeroboard
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000496.txt snort-2.9.2/doc/signatures/100000496.txt
--- snort-2.8.5.2/doc/signatures/100000496.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000496.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000496
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "Chipmailer" application running on a webserver. Access to
-the file "index.php" with SQL commands being passed as the "anfang" parameter
-may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "anfang" parameter in the "index.php" script used by the
-"Chipmailer" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Chipmailer
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000497.txt snort-2.9.2/doc/signatures/100000497.txt
--- snort-2.8.5.2/doc/signatures/100000497.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000497.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000497
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "Calendarix" application running on a webserver. Access to
-the file "cal_event.php" with SQL commands being passed as the "id" parameter
-may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "id" parameter in the "cal_event.php" script used by the
-"Calendarix" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Calendarix
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000498.txt snort-2.9.2/doc/signatures/100000498.txt
--- snort-2.8.5.2/doc/signatures/100000498.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000498.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000498
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "Calendarix" application running on a webserver. Access to
-the file "cal_popup.php" with SQL commands being passed as the "id" parameter
-may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "id" parameter in the "cal_popup.php" script used by the
-"Calendarix" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Calendarix
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000499.txt snort-2.9.2/doc/signatures/100000499.txt
--- snort-2.8.5.2/doc/signatures/100000499.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000499.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-100000499
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "PictureDis" application running on a webserver.
-Access to the file "thumstbl.php" using a remote file being passed as the
-"lang" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "lang" parameter in the "thumstbl.php" script used by
-the "PictureDis" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PictureDis
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000500.txt snort-2.9.2/doc/signatures/100000500.txt
--- snort-2.8.5.2/doc/signatures/100000500.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000500.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-100000500
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "PictureDis" application running on a webserver.
-Access to the file "wpfiles.php" using a remote file being passed as the "lang"
-parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "lang" parameter in the "wpfiles.php" script used by the
-"PictureDis" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PictureDis
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000501.txt snort-2.9.2/doc/signatures/100000501.txt
--- snort-2.8.5.2/doc/signatures/100000501.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000501.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-100000501
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "PictureDis" application running on a webserver.
-Access to the file "wallpapr.php" using a remote file being passed as the
-"lang" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "lang" parameter in the "wallpapr.php" script used by
-the "PictureDis" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PictureDis
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000502.txt snort-2.9.2/doc/signatures/100000502.txt
--- snort-2.8.5.2/doc/signatures/100000502.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000502.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-100000502
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Ji-Takz" application running on a webserver.
-Access to the file "tag.class.php" using a remote file being passed as the
-"mycfg" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "mycfg" parameter in the "tag.class.php" script used by
-the "Ji-Takz" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ji-Takz
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000503.txt snort-2.9.2/doc/signatures/100000503.txt
--- snort-2.8.5.2/doc/signatures/100000503.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000503.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000503
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Nucleus CMS" application running on a webserver.
-Access to the file "action.php" using a remote file being passed as the
-"DIR_LIB" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "DIR_LIB" parameter in the "action.php" script used by
-the "Nucleus CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Nucleus CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000504.txt snort-2.9.2/doc/signatures/100000504.txt
--- snort-2.8.5.2/doc/signatures/100000504.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000504.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000504
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Nucleus CMS" application running on a webserver.
-Access to the file "media.php" using a remote file being passed as the
-"DIR_LIB" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "DIR_LIB" parameter in the "media.php" script used by
-the "Nucleus CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Nucleus CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000505.txt snort-2.9.2/doc/signatures/100000505.txt
--- snort-2.8.5.2/doc/signatures/100000505.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000505.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000505
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Nucleus CMS" application running on a webserver.
-Access to the file "server.php" using a remote file being passed as the
-"DIR_LIB" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "DIR_LIB" parameter in the "server.php" script used by
-the "Nucleus CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Nucleus CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000506.txt snort-2.9.2/doc/signatures/100000506.txt
--- snort-2.8.5.2/doc/signatures/100000506.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000506.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000506
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Nucleus CMS" application running on a webserver.
-Access to the file "api_metaweblog.inc.php" using a remote file being passed as
-the "DIR_LIB" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "DIR_LIB" parameter in the "api_metaweblog.inc.php"
-script used by the "Nucleus CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Nucleus CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000507.txt snort-2.9.2/doc/signatures/100000507.txt
--- snort-2.8.5.2/doc/signatures/100000507.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000507.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000507
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "FlashChat" application running on a webserver.
-Access to the file "adminips.php" using a remote file being passed as the
-"banned_file" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "banned_file" parameter in the "adminips.php" script
-used by the "FlashChat" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using FlashChat
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000508.txt snort-2.9.2/doc/signatures/100000508.txt
--- snort-2.8.5.2/doc/signatures/100000508.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000508.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-100000508
---
-Summary:
-This event is generated when an attempt is made to access the file "wakka.php
-which contains known vulnerabilities in the "Wikkawiki" application running on
-a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to access a file with known
-vulnerabilities from a remote machine used by the "Wikkawiki" application
-running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Wikkawiki
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000509.txt snort-2.9.2/doc/signatures/100000509.txt
--- snort-2.8.5.2/doc/signatures/100000509.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000509.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-100000509
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "RahnemaCo" application running on a webserver.
-Access to the file "page.php" using a remote file being passed as the "pageid"
-parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "pageid" parameter in the "page.php" script used by the
-"RahnemaCo" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using RahnemaCo
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000510.txt snort-2.9.2/doc/signatures/100000510.txt
--- snort-2.8.5.2/doc/signatures/100000510.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000510.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000510
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "VBZoom" application running on a webserver. Access to the
-file "rank.php" with SQL commands being passed as the "MemberID" parameter may
-indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "MemberID" parameter in the "rank.php" script used by
-the "VBZoom" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VBZoom
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000511.txt snort-2.9.2/doc/signatures/100000511.txt
--- snort-2.8.5.2/doc/signatures/100000511.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000511.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000511
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "VBZoom" application running on a webserver. Access to the
-file "message.php" with SQL commands being passed as the "UserID" parameter may
-indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "UserID" parameter in the "message.php" script used by
-the "VBZoom" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VBZoom
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000512.txt snort-2.9.2/doc/signatures/100000512.txt
--- snort-2.8.5.2/doc/signatures/100000512.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000512.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000512
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "VBZoom" application running on a webserver. Access to the
-file "lng.php" with SQL commands being passed as the "QuranID" parameter may
-indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "QuranID" parameter in the "lng.php" script used by the
-"VBZoom" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VBZoom
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000513.txt snort-2.9.2/doc/signatures/100000513.txt
--- snort-2.8.5.2/doc/signatures/100000513.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000513.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000513
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "SAPHPLesson" application running on a webserver. Access
-to the file "showcat.php" with SQL commands being passed as the "forumid"
-parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "forumid" parameter in the "showcat.php" script used by
-the "SAPHPLesson" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SAPHPLesson
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000514.txt snort-2.9.2/doc/signatures/100000514.txt
--- snort-2.8.5.2/doc/signatures/100000514.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000514.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000514
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "SAPHPLesson" application running on a webserver. Access
-to the file "misc.php" with SQL commands being passed as the "action" parameter
-may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "action" parameter in the "misc.php" script used by the
-"SAPHPLesson" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SAPHPLesson
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000515.txt snort-2.9.2/doc/signatures/100000515.txt
--- snort-2.8.5.2/doc/signatures/100000515.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000515.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000515
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "CMS Faethon" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "mainpath" parameter in the "header.php" script
-used by the "CMS Faethon" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using CMS Faethon
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000516.txt snort-2.9.2/doc/signatures/100000516.txt
--- snort-2.8.5.2/doc/signatures/100000516.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000516.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000516
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "CMS Faethon" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "mainpath" parameter in the "footer.php" script
-used by the "CMS Faethon" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using CMS Faethon
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000517.txt snort-2.9.2/doc/signatures/100000517.txt
--- snort-2.8.5.2/doc/signatures/100000517.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000517.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000517
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "e107" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "ep" parameter in the "search.php" script used
-by the "e107" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using e107
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000518.txt snort-2.9.2/doc/signatures/100000518.txt
--- snort-2.8.5.2/doc/signatures/100000518.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000518.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000518
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "PHP Live Helper" application running on a
-webserver. Access to the file "initiate.php" using a remote file being passed
-as the "abs_path" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "abs_path" parameter in the "initiate.php" script used
-by the "PHP Live Helper" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHP Live Helper
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000519.txt snort-2.9.2/doc/signatures/100000519.txt
--- snort-2.8.5.2/doc/signatures/100000519.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000519.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000519
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "VUBB" application running on a webserver. Access to the
-file "index.php" with SQL commands being passed as the "user" parameter may
-indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "user" parameter in the "index.php" script used by the
-"VUBB" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VUBB
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000520.txt snort-2.9.2/doc/signatures/100000520.txt
--- snort-2.8.5.2/doc/signatures/100000520.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000520.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000520
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "Xarancms" application running on a webserver. Access to
-the file "xaramcms_haupt.php" with SQL commands being passed as the "id"
-parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "id" parameter in the "xaramcms_haupt.php" script used
-by the "Xarancms" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Xarancms
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000521.txt snort-2.9.2/doc/signatures/100000521.txt
--- snort-2.8.5.2/doc/signatures/100000521.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000521.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,76 +0,0 @@
-Rule:
-
---
-Sid:
-100000521
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "TPL Design TplShop" application running on a webserver.
-Access to the file "category.php" with SQL commands being passed as the
-"first_row" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "first_row" parameter in the "category.php" script used
-by the "TPL Design TplShop" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using TPL Design TplShop
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000522.txt snort-2.9.2/doc/signatures/100000522.txt
--- snort-2.8.5.2/doc/signatures/100000522.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000522.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000522
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "The Edge eCommerce Shop" application running on
-a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "cart_id" parameter in the "productDetail.php"
-script used by the "The Edge eCommerce Shop" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using The Edge eCommerce Shop
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000523.txt snort-2.9.2/doc/signatures/100000523.txt
--- snort-2.8.5.2/doc/signatures/100000523.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000523.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000523
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "CavoxCms" application running on a webserver. Access to
-the file "index.php" with SQL commands being passed as the "page" parameter may
-indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "page" parameter in the "index.php" script used by the
-"CavoxCms" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using CavoxCms
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000524.txt snort-2.9.2/doc/signatures/100000524.txt
--- snort-2.8.5.2/doc/signatures/100000524.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000524.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000524
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Micro CMS" application running on a webserver.
-Access to the file "microcms-include.php" using a remote file being passed as
-the "microcms_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "microcms_path" parameter in the "microcms-include.php"
-script used by the "Micro CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Micro CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000525.txt snort-2.9.2/doc/signatures/100000525.txt
--- snort-2.8.5.2/doc/signatures/100000525.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000525.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000525
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "PHPMyDirectory" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "PIC" parameter in the "offer-pix.php" script
-used by the "PHPMyDirectory" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using PHPMyDirectory
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000526.txt snort-2.9.2/doc/signatures/100000526.txt
--- snort-2.8.5.2/doc/signatures/100000526.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000526.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000526
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "PHPMyDirectory" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "from" parameter in the "index.php" script used
-by the "PHPMyDirectory" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using PHPMyDirectory
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000527.txt snort-2.9.2/doc/signatures/100000527.txt
--- snort-2.8.5.2/doc/signatures/100000527.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000527.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000527
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "AssoCIateD" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "menu" parameter in the "index.php" script used
-by the "AssoCIateD" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using AssoCIateD
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000528.txt snort-2.9.2/doc/signatures/100000528.txt
--- snort-2.8.5.2/doc/signatures/100000528.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000528.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000528
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "PHPMyForum" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "highlight" parameter in the "topic.php" script
-used by the "PHPMyForum" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using PHPMyForum
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000529.txt snort-2.9.2/doc/signatures/100000529.txt
--- snort-2.8.5.2/doc/signatures/100000529.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000529.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000529
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "NC Linklist" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "cat" parameter in the "index.php" script used
-by the "NC Linklist" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using NC Linklist
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000530.txt snort-2.9.2/doc/signatures/100000530.txt
--- snort-2.8.5.2/doc/signatures/100000530.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000530.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000530
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "NC Linklist" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "view" parameter in the "index.php" script used
-by the "NC Linklist" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using NC Linklist
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000531.txt snort-2.9.2/doc/signatures/100000531.txt
--- snort-2.8.5.2/doc/signatures/100000531.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000531.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000531
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "BtitTracker" application running on a webserver. Access
-to the file "torrents.php" with SQL commands being passed as the "by" parameter
-may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "by" parameter in the "torrents.php" script used by the
-"BtitTracker" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BtitTracker
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000532.txt snort-2.9.2/doc/signatures/100000532.txt
--- snort-2.8.5.2/doc/signatures/100000532.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000532.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000532
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "BtitTracker" application running on a webserver. Access
-to the file "torrents.php" with SQL commands being passed as the "order"
-parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "order" parameter in the "torrents.php" script used by
-the "BtitTracker" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BtitTracker
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000533.txt snort-2.9.2/doc/signatures/100000533.txt
--- snort-2.8.5.2/doc/signatures/100000533.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000533.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000533
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "VUBB" application running on a webserver. Access to the
-file "functions.php" with SQL commands being passed as the "email" parameter
-may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "email" parameter in the "functions.php" script used by
-the "VUBB" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VUBB
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000534.txt snort-2.9.2/doc/signatures/100000534.txt
--- snort-2.8.5.2/doc/signatures/100000534.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000534.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000534
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "VUBB" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "user" parameter in the "english.php" script
-used by the "VUBB" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using VUBB
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000535.txt snort-2.9.2/doc/signatures/100000535.txt
--- snort-2.8.5.2/doc/signatures/100000535.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000535.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000535
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "IMGallery" application running on a webserver. Access to
-the file "galeria.php" with SQL commands being passed as the "start" parameter
-may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "start" parameter in the "galeria.php" script used by
-the "IMGallery" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using IMGallery
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000536.txt snort-2.9.2/doc/signatures/100000536.txt
--- snort-2.8.5.2/doc/signatures/100000536.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000536.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000536
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "IMGallery" application running on a webserver. Access to
-the file "galeria.php" with SQL commands being passed as the "sort" parameter
-may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "sort" parameter in the "galeria.php" script used by the
-"IMGallery" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using IMGallery
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000537.txt snort-2.9.2/doc/signatures/100000537.txt
--- snort-2.8.5.2/doc/signatures/100000537.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000537.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000537
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "thinkWMS" application running on a webserver. Access to
-the file "index.php" with SQL commands being passed as the "id" parameter may
-indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "id" parameter in the "index.php" script used by the
-"thinkWMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using thinkWMS
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000538.txt snort-2.9.2/doc/signatures/100000538.txt
--- snort-2.8.5.2/doc/signatures/100000538.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000538.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000538
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "thinkWMS" application running on a webserver. Access to
-the file "index.php" with SQL commands being passed as the "catid" parameter
-may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "catid" parameter in the "index.php" script used by the
-"thinkWMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using thinkWMS
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000539.txt snort-2.9.2/doc/signatures/100000539.txt
--- snort-2.8.5.2/doc/signatures/100000539.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000539.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000539
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "thinkWMS" application running on a webserver. Access to
-the file "printarticle.php" with SQL commands being passed as the "id"
-parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "id" parameter in the "printarticle.php" script used by
-the "thinkWMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using thinkWMS
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000540.txt snort-2.9.2/doc/signatures/100000540.txt
--- snort-2.8.5.2/doc/signatures/100000540.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000540.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000540
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "Enterprise Groupware" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "module" parameter in the "index.php" script
-used by the "Enterprise Groupware" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Enterprise Groupware
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000541.txt snort-2.9.2/doc/signatures/100000541.txt
--- snort-2.8.5.2/doc/signatures/100000541.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000541.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000541
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "Dating Agent" application running on a webserver. Access
-to the file "picture.php" with SQL commands being passed as the "pid" parameter
-may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "pid" parameter in the "picture.php" script used by the
-"Dating Agent" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Dating Agent
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000542.txt snort-2.9.2/doc/signatures/100000542.txt
--- snort-2.8.5.2/doc/signatures/100000542.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000542.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000542
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "Dating Agent" application running on a webserver. Access
-to the file "mem.php" with SQL commands being passed as the "mid" parameter may
-indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "mid" parameter in the "mem.php" script used by the
-"Dating Agent" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Dating Agent
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000543.txt snort-2.9.2/doc/signatures/100000543.txt
--- snort-2.8.5.2/doc/signatures/100000543.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000543.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000543
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "Dating Agent" application running on a webserver. Access
-to the file "search.php" with SQL commands being passed as the "sex" parameter
-may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "sex" parameter in the "search.php" script used by the
-"Dating Agent" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Dating Agent
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000544.txt snort-2.9.2/doc/signatures/100000544.txt
--- snort-2.8.5.2/doc/signatures/100000544.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000544.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000544
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "Dating Agent" application running on a webserver. Access
-to the file "search.php" with SQL commands being passed as the "relationship"
-parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "relationship" parameter in the "search.php" script used
-by the "Dating Agent" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Dating Agent
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000545.txt snort-2.9.2/doc/signatures/100000545.txt
--- snort-2.8.5.2/doc/signatures/100000545.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000545.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000545
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "PHP Blue Dragon CMS" application running on a
-webserver. Access to the file "team_admin.php" using a remote file being passed
-as the "DragonRootPath" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "DragonRootPath" parameter in the "team_admin.php"
-script used by the "PHP Blue Dragon CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHP Blue Dragon CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000546.txt snort-2.9.2/doc/signatures/100000546.txt
--- snort-2.8.5.2/doc/signatures/100000546.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000546.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000546
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "PHP Blue Dragon CMS" application running on a
-webserver. Access to the file "rss_admin.php" using a remote file being passed
-as the "DragonRootPath" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "DragonRootPath" parameter in the "rss_admin.php" script
-used by the "PHP Blue Dragon CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHP Blue Dragon CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000547.txt snort-2.9.2/doc/signatures/100000547.txt
--- snort-2.8.5.2/doc/signatures/100000547.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000547.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000547
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "PHP Blue Dragon CMS" application running on a
-webserver. Access to the file "manual_admin.php" using a remote file being
-passed as the "DragonRootPath" parameter may indicate that an exploitation
-attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "DragonRootPath" parameter in the "manual_admin.php"
-script used by the "PHP Blue Dragon CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHP Blue Dragon CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000548.txt snort-2.9.2/doc/signatures/100000548.txt
--- snort-2.8.5.2/doc/signatures/100000548.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000548.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000548
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "PHP Blue Dragon CMS" application running on a
-webserver. Access to the file "forum_admin.php" using a remote file being
-passed as the "DragonRootPath" parameter may indicate that an exploitation
-attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "DragonRootPath" parameter in the "forum_admin.php"
-script used by the "PHP Blue Dragon CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHP Blue Dragon CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000549.txt snort-2.9.2/doc/signatures/100000549.txt
--- snort-2.8.5.2/doc/signatures/100000549.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000549.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000549
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "Custom Datin Biz" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "u" parameter in the "user_view.php" script
-used by the "Custom Datin Biz" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Custom Datin Biz
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000550.txt snort-2.9.2/doc/signatures/100000550.txt
--- snort-2.8.5.2/doc/signatures/100000550.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000550.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-100000550
---
-Summary:
-This event is generated when an attempt is made to access the file "comment.php
-which contains known vulnerabilities in the "Project Eros BBSEngine"
-application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to access a file with known
-vulnerabilities from a remote machine used by the "Project Eros BBSEngine"
-application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Project Eros BBSEngine
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000551.txt snort-2.9.2/doc/signatures/100000551.txt
--- snort-2.8.5.2/doc/signatures/100000551.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000551.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-100000551
---
-Summary:
-This event is generated when an attempt is made to access the file
-"aolbonics.php which contains known vulnerabilities in the "Project Eros
-BBSEngine" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to access a file with known
-vulnerabilities from a remote machine used by the "Project Eros BBSEngine"
-application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Project Eros BBSEngine
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000552.txt snort-2.9.2/doc/signatures/100000552.txt
--- snort-2.8.5.2/doc/signatures/100000552.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000552.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-100000552
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "SmartSiteCMS" application running on a webserver.
-Access to the file "inc_foot.php" using a remote file being passed as the
-"root" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "root" parameter in the "inc_foot.php" script used by
-the "SmartSiteCMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SmartSiteCMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000553.txt snort-2.9.2/doc/signatures/100000553.txt
--- snort-2.8.5.2/doc/signatures/100000553.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000553.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000553
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "PHPMySMS" application running on a webserver.
-Access to the file "gateway.php" using a remote file being passed as the
-"ROOT_PATH" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "ROOT_PATH" parameter in the "gateway.php" script used
-by the "PHPMySMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPMySMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000554.txt snort-2.9.2/doc/signatures/100000554.txt
--- snort-2.8.5.2/doc/signatures/100000554.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000554.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000554
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "VebiMiau" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "tid" parameter in the "error.php" script used
-by the "VebiMiau" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using VebiMiau
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000555.txt snort-2.9.2/doc/signatures/100000555.txt
--- snort-2.8.5.2/doc/signatures/100000555.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000555.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000555
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "VebiMiau" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "lid" parameter in the "error.php" script used
-by the "VebiMiau" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using VebiMiau
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000556.txt snort-2.9.2/doc/signatures/100000556.txt
--- snort-2.8.5.2/doc/signatures/100000556.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000556.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000556
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "VebiMiau" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "sid" parameter in the "error.php" script used
-by the "VebiMiau" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using VebiMiau
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000557.txt snort-2.9.2/doc/signatures/100000557.txt
--- snort-2.8.5.2/doc/signatures/100000557.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000557.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000557
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "VebiMiau" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "f_user" parameter in the "index.php" script
-used by the "VebiMiau" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using VebiMiau
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000558.txt snort-2.9.2/doc/signatures/100000558.txt
--- snort-2.8.5.2/doc/signatures/100000558.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000558.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000558
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "VebiMiau" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "pag" parameter in the "messages.php" script
-used by the "VebiMiau" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using VebiMiau
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000559.txt snort-2.9.2/doc/signatures/100000559.txt
--- snort-2.8.5.2/doc/signatures/100000559.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000559.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000559
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "Infinite Core Technologies ICT" application running on a
-webserver. Access to the file "index.php" with SQL commands being passed as the
-"post" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "post" parameter in the "index.php" script used by the
-"Infinite Core Technologies ICT" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Infinite Core Technologies ICT
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000560.txt snort-2.9.2/doc/signatures/100000560.txt
--- snort-2.8.5.2/doc/signatures/100000560.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000560.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-100000560
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "eNpaper1" application running on a webserver.
-Access to the file "root_header.php" using a remote file being passed as the
-"ppath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "ppath" parameter in the "root_header.php" script used
-by the "eNpaper1" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using eNpaper1
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000561.txt snort-2.9.2/doc/signatures/100000561.txt
--- snort-2.8.5.2/doc/signatures/100000561.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000561.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000561
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "dotProject" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "login" parameter in the "ui.class.php" script
-used by the "dotProject" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using dotProject
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000562.txt snort-2.9.2/doc/signatures/100000562.txt
--- snort-2.8.5.2/doc/signatures/100000562.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000562.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000562
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "GL-SH Deaf Forum" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "sort" parameter in the "show.php" script used
-by the "GL-SH Deaf Forum" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using GL-SH Deaf Forum
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000563.txt snort-2.9.2/doc/signatures/100000563.txt
--- snort-2.8.5.2/doc/signatures/100000563.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000563.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000563
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "GL-SH Deaf Forum" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "page" parameter in the "show.php" script used
-by the "GL-SH Deaf Forum" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using GL-SH Deaf Forum
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000564.txt snort-2.9.2/doc/signatures/100000564.txt
--- snort-2.8.5.2/doc/signatures/100000564.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000564.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000564
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "GL-SH Deaf Forum" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "search" parameter in the "show.php" script
-used by the "GL-SH Deaf Forum" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using GL-SH Deaf Forum
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000565.txt snort-2.9.2/doc/signatures/100000565.txt
--- snort-2.8.5.2/doc/signatures/100000565.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000565.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000565
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "GL-SH Deaf Forum" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "action" parameter in the "show.php" script
-used by the "GL-SH Deaf Forum" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using GL-SH Deaf Forum
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000566.txt snort-2.9.2/doc/signatures/100000566.txt
--- snort-2.8.5.2/doc/signatures/100000566.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000566.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -100000566 --- -Summary: -This event is generated when an attempt is made to exploit a cross site -scripting vulnerability in the "XennoBB" application running on a webserver. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to exploit a cross site -scripting vulnerability via the "tid" parameter in the "messages.php" script -used by the "XennoBB" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to retrieve sensitive data, execute system binaries -or malicious code of the attackers choosing. - --- -Affected Systems: -All systems running CGI applications using XennoBB --- -Attack Scenarios: -An attacker can supply a malicious link designed to steal information from a -user clicking on that link. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -The Cross Site Scripting (XSS) FAQ -http://www.cgisecurity.com/articles/xss-faq.shtml - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000567.txt snort-2.9.2/doc/signatures/100000567.txt --- snort-2.8.5.2/doc/signatures/100000567.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000567.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -100000567 --- -Summary: -This event is generated when an attempt is made to exploit a cross site -scripting vulnerability in the "Qdig" application running on a webserver. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to exploit a cross site -scripting vulnerability via the "pre_gallery" parameter in the "index.php" -script used by the "Qdig" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to retrieve sensitive data, execute system binaries -or malicious code of the attackers choosing. - --- -Affected Systems: -All systems running CGI applications using Qdig --- -Attack Scenarios: -An attacker can supply a malicious link designed to steal information from a -user clicking on that link. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -The Cross Site Scripting (XSS) FAQ -http://www.cgisecurity.com/articles/xss-faq.shtml - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000568.txt snort-2.9.2/doc/signatures/100000568.txt --- snort-2.8.5.2/doc/signatures/100000568.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000568.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -100000568 --- -Summary: -This event is generated when an attempt is made to exploit a cross site -scripting vulnerability in the "Qdig" application running on a webserver. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to exploit a cross site -scripting vulnerability via the "post_gallery" parameter in the "index.php" -script used by the "Qdig" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to retrieve sensitive data, execute system binaries -or malicious code of the attackers choosing. - --- -Affected Systems: -All systems running CGI applications using Qdig --- -Attack Scenarios: -An attacker can supply a malicious link designed to steal information from a -user clicking on that link. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -The Cross Site Scripting (XSS) FAQ -http://www.cgisecurity.com/articles/xss-faq.shtml - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000569.txt snort-2.9.2/doc/signatures/100000569.txt --- snort-2.8.5.2/doc/signatures/100000569.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000569.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: -100000569 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "app_change_email.php" using a remote file being passed as -the "admin_template_path" parameter may indicate that an exploitation attempt -has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the -"app_change_email.php" script used by the "Indexu" application running on a -webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000570.txt snort-2.9.2/doc/signatures/100000570.txt --- snort-2.8.5.2/doc/signatures/100000570.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000570.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: -100000570 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "app_change_pwd.php" using a remote file being passed as the -"admin_template_path" parameter may indicate that an exploitation attempt has -been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the -"app_change_pwd.php" script used by the "Indexu" application running on a -webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000571.txt snort-2.9.2/doc/signatures/100000571.txt --- snort-2.8.5.2/doc/signatures/100000571.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000571.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: -100000571 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "app_mod_rewrite.php" using a remote file being passed as -the "admin_template_path" parameter may indicate that an exploitation attempt -has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the -"app_mod_rewrite.php" script used by the "Indexu" application running on a -webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000572.txt snort-2.9.2/doc/signatures/100000572.txt --- snort-2.8.5.2/doc/signatures/100000572.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000572.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: -100000572 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "app_page_caching.php" using a remote file being passed as -the "admin_template_path" parameter may indicate that an exploitation attempt -has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the -"app_page_caching.php" script used by the "Indexu" application running on a -webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000573.txt snort-2.9.2/doc/signatures/100000573.txt --- snort-2.8.5.2/doc/signatures/100000573.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000573.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000573 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "app_setup.php" using a remote file being passed as the -"admin_template_path" parameter may indicate that an exploitation attempt has -been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the "app_setup.php" -script used by the "Indexu" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000574.txt snort-2.9.2/doc/signatures/100000574.txt --- snort-2.8.5.2/doc/signatures/100000574.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000574.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000574 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "cat_add.php" using a remote file being passed as the -"admin_template_path" parameter may indicate that an exploitation attempt has -been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the "cat_add.php" -script used by the "Indexu" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000575.txt snort-2.9.2/doc/signatures/100000575.txt --- snort-2.8.5.2/doc/signatures/100000575.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000575.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000575 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "cat_delete.php" using a remote file being passed as the -"admin_template_path" parameter may indicate that an exploitation attempt has -been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the "cat_delete.php" -script used by the "Indexu" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000576.txt snort-2.9.2/doc/signatures/100000576.txt --- snort-2.8.5.2/doc/signatures/100000576.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000576.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000576 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "cat_edit.php" using a remote file being passed as the -"admin_template_path" parameter may indicate that an exploitation attempt has -been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the "cat_edit.php" -script used by the "Indexu" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000577.txt snort-2.9.2/doc/signatures/100000577.txt --- snort-2.8.5.2/doc/signatures/100000577.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000577.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: -100000577 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "cat_path_update.php" using a remote file being passed as -the "admin_template_path" parameter may indicate that an exploitation attempt -has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the -"cat_path_update.php" script used by the "Indexu" application running on a -webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000578.txt snort-2.9.2/doc/signatures/100000578.txt --- snort-2.8.5.2/doc/signatures/100000578.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000578.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000578 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "cat_search.php" using a remote file being passed as the -"admin_template_path" parameter may indicate that an exploitation attempt has -been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the "cat_search.php" -script used by the "Indexu" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000579.txt snort-2.9.2/doc/signatures/100000579.txt --- snort-2.8.5.2/doc/signatures/100000579.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000579.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000579
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "cat_struc.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "cat_struc.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000580.txt snort-2.9.2/doc/signatures/100000580.txt
--- snort-2.8.5.2/doc/signatures/100000580.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000580.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000580
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "cat_view.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "cat_view.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000581.txt snort-2.9.2/doc/signatures/100000581.txt
--- snort-2.8.5.2/doc/signatures/100000581.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000581.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000581
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "cat_view_hidden.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"cat_view_hidden.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000582.txt snort-2.9.2/doc/signatures/100000582.txt
--- snort-2.8.5.2/doc/signatures/100000582.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000582.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000582
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "cat_view_hierarchy.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"cat_view_hierarchy.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000583.txt snort-2.9.2/doc/signatures/100000583.txt
--- snort-2.8.5.2/doc/signatures/100000583.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000583.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000583
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "cat_view_registered_only.php" using a remote file being
-passed as the "admin_template_path" parameter may indicate that an exploitation
-attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"cat_view_registered_only.php" script used by the "Indexu" application running
-on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000584.txt snort-2.9.2/doc/signatures/100000584.txt
--- snort-2.8.5.2/doc/signatures/100000584.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000584.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000584
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "checkurl_web.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"checkurl_web.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000585.txt snort-2.9.2/doc/signatures/100000585.txt
--- snort-2.8.5.2/doc/signatures/100000585.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000585.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000585
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "db_alter.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "db_alter.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000586.txt snort-2.9.2/doc/signatures/100000586.txt
--- snort-2.8.5.2/doc/signatures/100000586.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000586.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000586
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "db_alter_change.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"db_alter_change.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000587.txt snort-2.9.2/doc/signatures/100000587.txt
--- snort-2.8.5.2/doc/signatures/100000587.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000587.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000587
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "db_backup.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "db_backup.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000588.txt snort-2.9.2/doc/signatures/100000588.txt
--- snort-2.8.5.2/doc/signatures/100000588.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000588.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000588
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "db_export.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "db_export.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000589.txt snort-2.9.2/doc/signatures/100000589.txt
--- snort-2.8.5.2/doc/signatures/100000589.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000589.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000589
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "db_import.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "db_import.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000590.txt snort-2.9.2/doc/signatures/100000590.txt
--- snort-2.8.5.2/doc/signatures/100000590.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000590.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000590
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "editor_add.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "editor_add.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000591.txt snort-2.9.2/doc/signatures/100000591.txt
--- snort-2.8.5.2/doc/signatures/100000591.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000591.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000591
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "editor_delete.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"editor_delete.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000592.txt snort-2.9.2/doc/signatures/100000592.txt
--- snort-2.8.5.2/doc/signatures/100000592.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000592.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000592
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "editor_validate.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"editor_validate.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000593.txt snort-2.9.2/doc/signatures/100000593.txt
--- snort-2.8.5.2/doc/signatures/100000593.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000593.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000593
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "head.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "head.php" script
-used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000594.txt snort-2.9.2/doc/signatures/100000594.txt
--- snort-2.8.5.2/doc/signatures/100000594.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000594.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000594
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "index.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "index.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000595.txt snort-2.9.2/doc/signatures/100000595.txt
--- snort-2.8.5.2/doc/signatures/100000595.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000595.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000595
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "inv_config.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "inv_config.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000596.txt snort-2.9.2/doc/signatures/100000596.txt
--- snort-2.8.5.2/doc/signatures/100000596.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000596.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000596
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "inv_config_payment.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"inv_config_payment.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000597.txt snort-2.9.2/doc/signatures/100000597.txt
--- snort-2.8.5.2/doc/signatures/100000597.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000597.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000597
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "inv_create.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "inv_create.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000598.txt snort-2.9.2/doc/signatures/100000598.txt
--- snort-2.8.5.2/doc/signatures/100000598.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000598.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000598
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "inv_delete.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "inv_delete.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000599.txt snort-2.9.2/doc/signatures/100000599.txt
--- snort-2.8.5.2/doc/signatures/100000599.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000599.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000599
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "inv_edit.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "inv_edit.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000600.txt snort-2.9.2/doc/signatures/100000600.txt
--- snort-2.8.5.2/doc/signatures/100000600.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000600.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000600
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "inv_markpaid.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"inv_markpaid.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000601.txt snort-2.9.2/doc/signatures/100000601.txt
--- snort-2.8.5.2/doc/signatures/100000601.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000601.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000601
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "inv_markunpaid.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"inv_markunpaid.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000602.txt snort-2.9.2/doc/signatures/100000602.txt
--- snort-2.8.5.2/doc/signatures/100000602.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000602.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000602
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "inv_overdue.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "inv_overdue.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000603.txt snort-2.9.2/doc/signatures/100000603.txt
--- snort-2.8.5.2/doc/signatures/100000603.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000603.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000603 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "inv_paid.php" using a remote file being passed as the -"admin_template_path" parameter may indicate that an exploitation attempt has -been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the "inv_paid.php" -script used by the "Indexu" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000604.txt snort-2.9.2/doc/signatures/100000604.txt --- snort-2.8.5.2/doc/signatures/100000604.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000604.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000604 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "inv_send.php" using a remote file being passed as the -"admin_template_path" parameter may indicate that an exploitation attempt has -been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the "inv_send.php" -script used by the "Indexu" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000605.txt snort-2.9.2/doc/signatures/100000605.txt --- snort-2.8.5.2/doc/signatures/100000605.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000605.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000605 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "inv_unpaid.php" using a remote file being passed as the -"admin_template_path" parameter may indicate that an exploitation attempt has -been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the "inv_unpaid.php" -script used by the "Indexu" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000606.txt snort-2.9.2/doc/signatures/100000606.txt --- snort-2.8.5.2/doc/signatures/100000606.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000606.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000606 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "lang_modify.php" using a remote file being passed as the -"admin_template_path" parameter may indicate that an exploitation attempt has -been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the "lang_modify.php" -script used by the "Indexu" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000607.txt snort-2.9.2/doc/signatures/100000607.txt --- snort-2.8.5.2/doc/signatures/100000607.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000607.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000607 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "link_add.php" using a remote file being passed as the -"admin_template_path" parameter may indicate that an exploitation attempt has -been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the "link_add.php" -script used by the "Indexu" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000608.txt snort-2.9.2/doc/signatures/100000608.txt --- snort-2.8.5.2/doc/signatures/100000608.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000608.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000608 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "link_bad.php" using a remote file being passed as the -"admin_template_path" parameter may indicate that an exploitation attempt has -been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the "link_bad.php" -script used by the "Indexu" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000609.txt snort-2.9.2/doc/signatures/100000609.txt --- snort-2.8.5.2/doc/signatures/100000609.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000609.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: -100000609 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "link_bad_delete.php" using a remote file being passed as -the "admin_template_path" parameter may indicate that an exploitation attempt -has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the -"link_bad_delete.php" script used by the "Indexu" application running on a -webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000610.txt snort-2.9.2/doc/signatures/100000610.txt --- snort-2.8.5.2/doc/signatures/100000610.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000610.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: -100000610 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "link_checkurl.php" using a remote file being passed as the -"admin_template_path" parameter may indicate that an exploitation attempt has -been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the -"link_checkurl.php" script used by the "Indexu" application running on a -webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000611.txt snort-2.9.2/doc/signatures/100000611.txt --- snort-2.8.5.2/doc/signatures/100000611.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000611.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000611 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "link_delete.php" using a remote file being passed as the -"admin_template_path" parameter may indicate that an exploitation attempt has -been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the "link_delete.php" -script used by the "Indexu" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000612.txt snort-2.9.2/doc/signatures/100000612.txt --- snort-2.8.5.2/doc/signatures/100000612.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000612.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: -100000612 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "link_duplicate.php" using a remote file being passed as the -"admin_template_path" parameter may indicate that an exploitation attempt has -been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the -"link_duplicate.php" script used by the "Indexu" application running on a -webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000613.txt snort-2.9.2/doc/signatures/100000613.txt --- snort-2.8.5.2/doc/signatures/100000613.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000613.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000613 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "link_edit.php" using a remote file being passed as the -"admin_template_path" parameter may indicate that an exploitation attempt has -been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the "link_edit.php" -script used by the "Indexu" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000614.txt snort-2.9.2/doc/signatures/100000614.txt --- snort-2.8.5.2/doc/signatures/100000614.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000614.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: -100000614 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "link_premium_listing.php" using a remote file being passed -as the "admin_template_path" parameter may indicate that an exploitation -attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the -"link_premium_listing.php" script used by the "Indexu" application running on a -webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000615.txt snort-2.9.2/doc/signatures/100000615.txt --- snort-2.8.5.2/doc/signatures/100000615.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000615.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000615
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "link_premium_sponsored.php" using a remote file being
-passed as the "admin_template_path" parameter may indicate that an exploitation
-attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"link_premium_sponsored.php" script used by the "Indexu" application running on
-a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000616.txt snort-2.9.2/doc/signatures/100000616.txt
--- snort-2.8.5.2/doc/signatures/100000616.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000616.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000616
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "link_search.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "link_search.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000617.txt snort-2.9.2/doc/signatures/100000617.txt
--- snort-2.8.5.2/doc/signatures/100000617.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000617.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000617
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "link_sponsored_listing.php" using a remote file being
-passed as the "admin_template_path" parameter may indicate that an exploitation
-attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"link_sponsored_listing.php" script used by the "Indexu" application running on
-a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000618.txt snort-2.9.2/doc/signatures/100000618.txt
--- snort-2.8.5.2/doc/signatures/100000618.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000618.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000618
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "link_validate.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"link_validate.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000619.txt snort-2.9.2/doc/signatures/100000619.txt
--- snort-2.8.5.2/doc/signatures/100000619.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000619.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000619
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "link_validate_edit.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"link_validate_edit.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000620.txt snort-2.9.2/doc/signatures/100000620.txt
--- snort-2.8.5.2/doc/signatures/100000620.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000620.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000620
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "link_view.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "link_view.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000621.txt snort-2.9.2/doc/signatures/100000621.txt
--- snort-2.8.5.2/doc/signatures/100000621.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000621.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000621
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "log_search.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "log_search.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000622.txt snort-2.9.2/doc/signatures/100000622.txt
--- snort-2.8.5.2/doc/signatures/100000622.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000622.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000622
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "mail_modify.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "mail_modify.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000623.txt snort-2.9.2/doc/signatures/100000623.txt
--- snort-2.8.5.2/doc/signatures/100000623.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000623.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000623
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "menu.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "menu.php" script
-used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000624.txt snort-2.9.2/doc/signatures/100000624.txt
--- snort-2.8.5.2/doc/signatures/100000624.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000624.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000624
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "message_create.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"message_create.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000625.txt snort-2.9.2/doc/signatures/100000625.txt
--- snort-2.8.5.2/doc/signatures/100000625.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000625.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000625
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "message_delete.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"message_delete.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000626.txt snort-2.9.2/doc/signatures/100000626.txt
--- snort-2.8.5.2/doc/signatures/100000626.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000626.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000626
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "message_edit.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"message_edit.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000627.txt snort-2.9.2/doc/signatures/100000627.txt
--- snort-2.8.5.2/doc/signatures/100000627.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000627.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000627
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "message_send.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"message_send.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000628.txt snort-2.9.2/doc/signatures/100000628.txt
--- snort-2.8.5.2/doc/signatures/100000628.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000628.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000628
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "message_subscriber.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"message_subscriber.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000629.txt snort-2.9.2/doc/signatures/100000629.txt
--- snort-2.8.5.2/doc/signatures/100000629.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000629.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000629
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "message_view.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"message_view.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000630.txt snort-2.9.2/doc/signatures/100000630.txt
--- snort-2.8.5.2/doc/signatures/100000630.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000630.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000630
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "review_validate.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"review_validate.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000631.txt snort-2.9.2/doc/signatures/100000631.txt
--- snort-2.8.5.2/doc/signatures/100000631.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000631.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000631
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "review_validate_edit.php" using a remote file being passed
-as the "admin_template_path" parameter may indicate that an exploitation
-attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"review_validate_edit.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000632.txt snort-2.9.2/doc/signatures/100000632.txt
--- snort-2.8.5.2/doc/signatures/100000632.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000632.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000632
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "summary.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "summary.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000633.txt snort-2.9.2/doc/signatures/100000633.txt
--- snort-2.8.5.2/doc/signatures/100000633.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000633.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000633
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "template_active.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"template_active.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000634.txt snort-2.9.2/doc/signatures/100000634.txt
--- snort-2.8.5.2/doc/signatures/100000634.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000634.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000634
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "template_add_custom.php" using a remote file being passed
-as the "admin_template_path" parameter may indicate that an exploitation
-attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"template_add_custom.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000635.txt snort-2.9.2/doc/signatures/100000635.txt
--- snort-2.8.5.2/doc/signatures/100000635.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000635.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000635
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "template_delete.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"template_delete.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000636.txt snort-2.9.2/doc/signatures/100000636.txt
--- snort-2.8.5.2/doc/signatures/100000636.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000636.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000636
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "template_delete_file.php" using a remote file being passed
-as the "admin_template_path" parameter may indicate that an exploitation
-attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"template_delete_file.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000637.txt snort-2.9.2/doc/signatures/100000637.txt
--- snort-2.8.5.2/doc/signatures/100000637.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000637.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000637
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "template_duplicate.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"template_duplicate.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000638.txt snort-2.9.2/doc/signatures/100000638.txt
--- snort-2.8.5.2/doc/signatures/100000638.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000638.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000638
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "template_export.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"template_export.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000639.txt snort-2.9.2/doc/signatures/100000639.txt
--- snort-2.8.5.2/doc/signatures/100000639.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000639.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: -100000639 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "template_import.php" using a remote file being passed as -the "admin_template_path" parameter may indicate that an exploitation attempt -has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the -"template_import.php" script used by the "Indexu" application running on a -webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000640.txt snort-2.9.2/doc/signatures/100000640.txt --- snort-2.8.5.2/doc/signatures/100000640.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000640.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: -100000640 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "template_manager.php" using a remote file being passed as -the "admin_template_path" parameter may indicate that an exploitation attempt -has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the -"template_manager.php" script used by the "Indexu" application running on a -webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000641.txt snort-2.9.2/doc/signatures/100000641.txt --- snort-2.8.5.2/doc/signatures/100000641.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000641.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: -100000641 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "template_modify.php" using a remote file being passed as -the "admin_template_path" parameter may indicate that an exploitation attempt -has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the -"template_modify.php" script used by the "Indexu" application running on a -webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000642.txt snort-2.9.2/doc/signatures/100000642.txt --- snort-2.8.5.2/doc/signatures/100000642.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000642.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: -100000642 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "template_modify_file.php" using a remote file being passed -as the "admin_template_path" parameter may indicate that an exploitation -attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the -"template_modify_file.php" script used by the "Indexu" application running on a -webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000643.txt snort-2.9.2/doc/signatures/100000643.txt --- snort-2.8.5.2/doc/signatures/100000643.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000643.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: -100000643 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "template_rename.php" using a remote file being passed as -the "admin_template_path" parameter may indicate that an exploitation attempt -has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the -"template_rename.php" script used by the "Indexu" application running on a -webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000644.txt snort-2.9.2/doc/signatures/100000644.txt --- snort-2.8.5.2/doc/signatures/100000644.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000644.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000644 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "user_add.php" using a remote file being passed as the -"admin_template_path" parameter may indicate that an exploitation attempt has -been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the "user_add.php" -script used by the "Indexu" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000645.txt snort-2.9.2/doc/signatures/100000645.txt --- snort-2.8.5.2/doc/signatures/100000645.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000645.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000645 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "user_delete.php" using a remote file being passed as the -"admin_template_path" parameter may indicate that an exploitation attempt has -been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the "user_delete.php" -script used by the "Indexu" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000646.txt snort-2.9.2/doc/signatures/100000646.txt --- snort-2.8.5.2/doc/signatures/100000646.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000646.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000646 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "user_edit.php" using a remote file being passed as the -"admin_template_path" parameter may indicate that an exploitation attempt has -been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the "user_edit.php" -script used by the "Indexu" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000647.txt snort-2.9.2/doc/signatures/100000647.txt --- snort-2.8.5.2/doc/signatures/100000647.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000647.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000647 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "user_search.php" using a remote file being passed as the -"admin_template_path" parameter may indicate that an exploitation attempt has -been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the "user_search.php" -script used by the "Indexu" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000648.txt snort-2.9.2/doc/signatures/100000648.txt --- snort-2.8.5.2/doc/signatures/100000648.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000648.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000648 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Indexu" application running on a webserver. -Access to the file "whos.php" using a remote file being passed as the -"admin_template_path" parameter may indicate that an exploitation attempt has -been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "admin_template_path" parameter in the "whos.php" script -used by the "Indexu" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Indexu --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000649.txt snort-2.9.2/doc/signatures/100000649.txt --- snort-2.8.5.2/doc/signatures/100000649.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000649.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -100000649 --- -Summary: -This event is generated when an attempt is made to exploit a cross site -scripting vulnerability in the "MyPHP Guestbook" application running on a -webserver. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to exploit a cross site -scripting vulnerability via the "comment" parameter in the "index.php" script -used by the "MyPHP Guestbook" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to retrieve sensitive data, execute system binaries -or malicious code of the attackers choosing. - --- -Affected Systems: -All systems running CGI applications using MyPHP Guestbook --- -Attack Scenarios: -An attacker can supply a malicious link designed to steal information from a -user clicking on that link. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -The Cross Site Scripting (XSS) FAQ -http://www.cgisecurity.com/articles/xss-faq.shtml - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000650.txt snort-2.9.2/doc/signatures/100000650.txt --- snort-2.8.5.2/doc/signatures/100000650.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000650.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -100000650 --- -Summary: -This event is generated when an attempt is made to exploit a cross site -scripting vulnerability in the "MyPHP Guestbook" application running on a -webserver. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to exploit a cross site -scripting vulnerability via the "email" parameter in the "index.php" script -used by the "MyPHP Guestbook" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to retrieve sensitive data, execute system binaries -or malicious code of the attackers choosing. - --- -Affected Systems: -All systems running CGI applications using MyPHP Guestbook --- -Attack Scenarios: -An attacker can supply a malicious link designed to steal information from a -user clicking on that link. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -The Cross Site Scripting (XSS) FAQ -http://www.cgisecurity.com/articles/xss-faq.shtml - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000651.txt snort-2.9.2/doc/signatures/100000651.txt --- snort-2.8.5.2/doc/signatures/100000651.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000651.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -100000651 --- -Summary: -This event is generated when an attempt is made to exploit a cross site -scripting vulnerability in the "MyPHP Guestbook" application running on a -webserver. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to exploit a cross site -scripting vulnerability via the "homepage" parameter in the "index.php" script -used by the "MyPHP Guestbook" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to retrieve sensitive data, execute system binaries -or malicious code of the attackers choosing. - --- -Affected Systems: -All systems running CGI applications using MyPHP Guestbook --- -Attack Scenarios: -An attacker can supply a malicious link designed to steal information from a -user clicking on that link. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -The Cross Site Scripting (XSS) FAQ -http://www.cgisecurity.com/articles/xss-faq.shtml - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000652.txt snort-2.9.2/doc/signatures/100000652.txt --- snort-2.8.5.2/doc/signatures/100000652.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000652.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -100000652 --- -Summary: -This event is generated when an attempt is made to exploit a cross site -scripting vulnerability in the "MyPHP Guestbook" application running on a -webserver. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to exploit a cross site -scripting vulnerability via the "id" parameter in the "index.php" script used -by the "MyPHP Guestbook" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to retrieve sensitive data, execute system binaries -or malicious code of the attackers choosing. - --- -Affected Systems: -All systems running CGI applications using MyPHP Guestbook --- -Attack Scenarios: -An attacker can supply a malicious link designed to steal information from a -user clicking on that link. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -The Cross Site Scripting (XSS) FAQ -http://www.cgisecurity.com/articles/xss-faq.shtml - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000653.txt snort-2.9.2/doc/signatures/100000653.txt --- snort-2.8.5.2/doc/signatures/100000653.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000653.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000653
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "name" parameter in the "index.php" script used
-by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000654.txt snort-2.9.2/doc/signatures/100000654.txt
--- snort-2.8.5.2/doc/signatures/100000654.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000654.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000654
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "text" parameter in the "index.php" script used
-by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000655.txt snort-2.9.2/doc/signatures/100000655.txt
--- snort-2.8.5.2/doc/signatures/100000655.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000655.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000655
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "comment" parameter in the "guestbook.php"
-script used by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000656.txt snort-2.9.2/doc/signatures/100000656.txt
--- snort-2.8.5.2/doc/signatures/100000656.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000656.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000656
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "email" parameter in the "guestbook.php" script
-used by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000657.txt snort-2.9.2/doc/signatures/100000657.txt
--- snort-2.8.5.2/doc/signatures/100000657.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000657.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000657
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "homepage" parameter in the "guestbook.php"
-script used by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000658.txt snort-2.9.2/doc/signatures/100000658.txt
--- snort-2.8.5.2/doc/signatures/100000658.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000658.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000658
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "number" parameter in the "guestbook.php"
-script used by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000659.txt snort-2.9.2/doc/signatures/100000659.txt
--- snort-2.8.5.2/doc/signatures/100000659.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000659.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000659
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "name" parameter in the "guestbook.php" script
-used by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000660.txt snort-2.9.2/doc/signatures/100000660.txt
--- snort-2.8.5.2/doc/signatures/100000660.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000660.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000660
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "text" parameter in the "guestbook.php" script
-used by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000661.txt snort-2.9.2/doc/signatures/100000661.txt
--- snort-2.8.5.2/doc/signatures/100000661.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000661.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000661
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "email" parameter in the "edit.php" script used
-by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000662.txt snort-2.9.2/doc/signatures/100000662.txt
--- snort-2.8.5.2/doc/signatures/100000662.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000662.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000662
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "homepage" parameter in the "edit.php" script
-used by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000663.txt snort-2.9.2/doc/signatures/100000663.txt
--- snort-2.8.5.2/doc/signatures/100000663.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000663.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000663
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "icq" parameter in the "edit.php" script used
-by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000664.txt snort-2.9.2/doc/signatures/100000664.txt
--- snort-2.8.5.2/doc/signatures/100000664.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000664.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000664
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "name" parameter in the "edit.php" script used
-by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000665.txt snort-2.9.2/doc/signatures/100000665.txt
--- snort-2.8.5.2/doc/signatures/100000665.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000665.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000665
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "text" parameter in the "edit.php" script used
-by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000666.txt snort-2.9.2/doc/signatures/100000666.txt
--- snort-2.8.5.2/doc/signatures/100000666.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000666.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000666
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "files.php" using a remote file being passed as the
-"footer_prog" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "footer_prog" parameter in the "files.php" script used
-by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000667.txt snort-2.9.2/doc/signatures/100000667.txt
--- snort-2.8.5.2/doc/signatures/100000667.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000667.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000667
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "files.php" using a remote file being passed as the
-"header_prog" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "header_prog" parameter in the "files.php" script used
-by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000668.txt snort-2.9.2/doc/signatures/100000668.txt
--- snort-2.8.5.2/doc/signatures/100000668.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000668.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000668
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "pheader.php" using a remote file being passed as the
-"theme_root" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "theme_root" parameter in the "pheader.php" script used
-by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000669.txt snort-2.9.2/doc/signatures/100000669.txt
--- snort-2.8.5.2/doc/signatures/100000669.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000669.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000669
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "headlines.php" using a remote file being passed as the
-"header_prog" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "header_prog" parameter in the "headlines.php" script
-used by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000670.txt snort-2.9.2/doc/signatures/100000670.txt
--- snort-2.8.5.2/doc/signatures/100000670.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000670.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000670
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "web_statsConfig.php" using a remote file being passed as
-the "mod_dir" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "mod_dir" parameter in the "web_statsConfig.php" script
-used by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000671.txt snort-2.9.2/doc/signatures/100000671.txt
--- snort-2.8.5.2/doc/signatures/100000671.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000671.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000671
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "preload.php" using a remote file being passed as the
-"func_prog" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "func_prog" parameter in the "preload.php" script used
-by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000672.txt snort-2.9.2/doc/signatures/100000672.txt
--- snort-2.8.5.2/doc/signatures/100000672.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000672.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000672
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "users.php" using a remote file being passed as the
-"header_prog" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "header_prog" parameter in the "users.php" script used
-by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000673.txt snort-2.9.2/doc/signatures/100000673.txt
--- snort-2.8.5.2/doc/signatures/100000673.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000673.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000673
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "web_statsConfig.php" using a remote file being passed as
-the "php_ext" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "php_ext" parameter in the "web_statsConfig.php" script
-used by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000674.txt snort-2.9.2/doc/signatures/100000674.txt
--- snort-2.8.5.2/doc/signatures/100000674.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000674.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000674
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "footer.php" using a remote file being passed as the
-"theme_root" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "theme_root" parameter in the "footer.php" script used
-by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000675.txt snort-2.9.2/doc/signatures/100000675.txt
--- snort-2.8.5.2/doc/signatures/100000675.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000675.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000675
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "pfooter.php" using a remote file being passed as the
-"theme_root" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "theme_root" parameter in the "pfooter.php" script used
-by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000676.txt snort-2.9.2/doc/signatures/100000676.txt
--- snort-2.8.5.2/doc/signatures/100000676.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000676.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000676
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "missing.php" using a remote file being passed as the
-"header_prog" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "header_prog" parameter in the "missing.php" script used
-by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000677.txt snort-2.9.2/doc/signatures/100000677.txt
--- snort-2.8.5.2/doc/signatures/100000677.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000677.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000677
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "topics.php" using a remote file being passed as the
-"header_prog" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "header_prog" parameter in the "topics.php" script used
-by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000678.txt snort-2.9.2/doc/signatures/100000678.txt
--- snort-2.8.5.2/doc/signatures/100000678.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000678.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000678
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "header.php" using a remote file being passed as the
-"mod_root" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "mod_root" parameter in the "header.php" script used by
-the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000679.txt snort-2.9.2/doc/signatures/100000679.txt
--- snort-2.8.5.2/doc/signatures/100000679.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000679.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000679
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "index.php" using a remote file being passed as the
-"func_prog" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "func_prog" parameter in the "index.php" script used by
-the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000680.txt snort-2.9.2/doc/signatures/100000680.txt
--- snort-2.8.5.2/doc/signatures/100000680.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000680.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000680
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "search.php" using a remote file being passed as the
-"header_prog" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "header_prog" parameter in the "search.php" script used
-by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000681.txt snort-2.9.2/doc/signatures/100000681.txt
--- snort-2.8.5.2/doc/signatures/100000681.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000681.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000681
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "header.php" using a remote file being passed as the
-"theme_root" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "theme_root" parameter in the "header.php" script used
-by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000682.txt snort-2.9.2/doc/signatures/100000682.txt
--- snort-2.8.5.2/doc/signatures/100000682.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000682.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000682
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "email.php" using a remote file being passed as the
-"header_prog" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "header_prog" parameter in the "email.php" script used
-by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000683.txt snort-2.9.2/doc/signatures/100000683.txt
--- snort-2.8.5.2/doc/signatures/100000683.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000683.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000683
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "cPanel" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "file" parameter in the "select.html" script
-used by the "cPanel" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using cPanel
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000686.txt snort-2.9.2/doc/signatures/100000686.txt
--- snort-2.8.5.2/doc/signatures/100000686.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000686.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-100000686
-
---
-Summary:
-This event is generated when an empty CTCP NOTICE message is sent to an IRC
-channel.
-
---
-Impact:
-If the EnergyMech IRC Bot receives such a message, a denial of service
-condition will occur.
-
---
-Detailed Information:
-Whenever the EnergyMech IRC Bot processes a null CTCP NOTICE message, a denial
-of service condition occurs. Note that this rule is set to examine only default
-IRC ports, in order to conserve system resources; if you are particularly
-concerned about this exploit, you may wish to set the ports to "any", as IRC
-channels can exist on any port.
-
---
-Affected Systems:
-EnergyMech <= 3.0.1
-
---
-Attack Scenarios:
-An attacker could exploit this vulnerability via any IRC client, or by using an
-automated script.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to version 3.0.2 or greater.
-
---
-Contributors:
-VeriSign MSS Operations Team
-Joel Esler
-
---
-Additional References:
-http://www.energymech.net/versions-3.0.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000687.txt snort-2.9.2/doc/signatures/100000687.txt
--- snort-2.8.5.2/doc/signatures/100000687.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000687.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-100000687
-
---
-Summary:
-This event is generated when an empty CTCP NOTICE message is sent to an IRC
-channel.
-
---
-Impact:
-If the EnergyMech IRC Bot receives such a message, a denial of service
-condition will occur.
-
---
-Detailed Information:
-Whenever the EnergyMech IRC Bot processes a null CTCP NOTICE message, a denial
-of service condition occurs. Note that this rule is set to examine only default
-IRC ports, in order to conserve system resources; if you are particularly
-concerned about this exploit, you may wish to set the ports to "any", as IRC
-channels can exist on any port.
-
---
-Affected Systems:
-EnergyMech <= 3.0.1
-
---
-Attack Scenarios:
-An attacker could exploit this vulnerability via any IRC client, or by using an
-automated script.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to version 3.0.2 or greater.
-
---
-Contributors:
-VeriSign MSS Operations Team
-Joel Esler
-
---
-Additional References:
-http://www.energymech.net/versions-3.0.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000690.txt snort-2.9.2/doc/signatures/100000690.txt
--- snort-2.8.5.2/doc/signatures/100000690.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000690.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,79 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000690
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "BXCP" application running on a webserver. Access to the
-file "index.php" with SQL commands being passed may indicate that an
-exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "index.php" script used by the "BXCP" application
-running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running BXCP version 0.3.0.4 and prior.
-
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Currently, no patches or workarounds exist.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Chris Jacob
-
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-http://www.bxcp.com
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000691.txt snort-2.9.2/doc/signatures/100000691.txt
--- snort-2.8.5.2/doc/signatures/100000691.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000691.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,80 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000691
-
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "Diesel Joke Site" application running on a webserver.
-Access to the file "category.php" with SQL commands being passed as the "id"
-parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "id" parameter in the "category.php" script used by the
-"Diesel Joke Site" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running the Diesel Joke Site system.
-
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Currently, no patches or workarounds exist.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Chris Jacob
-
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-http://www.dieselscripts.com/diesel-joke-site.html
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000694.txt snort-2.9.2/doc/signatures/100000694.txt
--- snort-2.8.5.2/doc/signatures/100000694.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000694.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000694
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VCard PRO" application running on a webserver. Access to the file "gbrowse.php" with SQL commands being passed as the "cat_id" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "cat_id" parameter in the "gbrowse.php" script used by the "VCard PRO" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VCard PRO
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000695.txt snort-2.9.2/doc/signatures/100000695.txt
--- snort-2.8.5.2/doc/signatures/100000695.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000695.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000695
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VCard PRO" application running on a webserver. Access to the file "rating.php" with SQL commands being passed as the "card_id" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "card_id" parameter in the "rating.php" script used by the "VCard PRO" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VCard PRO
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000696.txt snort-2.9.2/doc/signatures/100000696.txt
--- snort-2.8.5.2/doc/signatures/100000696.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000696.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000696
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VCard PRO" application running on a webserver. Access to the file "create.php" with SQL commands being passed as the "card_id" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "card_id" parameter in the "create.php" script used by the "VCard PRO" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VCard PRO
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000697.txt snort-2.9.2/doc/signatures/100000697.txt
--- snort-2.8.5.2/doc/signatures/100000697.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000697.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000697
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VCard PRO" application running on a webserver. Access to the file "search.php" with SQL commands being passed as the "event_id" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "event_id" parameter in the "search.php" script used by the "VCard PRO" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VCard PRO
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000698.txt snort-2.9.2/doc/signatures/100000698.txt
--- snort-2.8.5.2/doc/signatures/100000698.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000698.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000698
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "BXCP" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "where" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "where" parameter in the "index.php" script used by the "BXCP" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BXCP
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000699.txt snort-2.9.2/doc/signatures/100000699.txt
--- snort-2.8.5.2/doc/signatures/100000699.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000699.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000699
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Vincent Leclercq News" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "id" parameter in the "diver.php" script used by the "Vincent Leclercq News" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Vincent Leclercq News
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000700.txt snort-2.9.2/doc/signatures/100000700.txt
--- snort-2.8.5.2/doc/signatures/100000700.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000700.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000700
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Vincent Leclercq News" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "disable" parameter in the "diver.php" script used by the "Vincent Leclercq News" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Vincent Leclercq News
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000701.txt snort-2.9.2/doc/signatures/100000701.txt
--- snort-2.8.5.2/doc/signatures/100000701.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000701.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000701 --- -Summary: -This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "WordPress" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "paged" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to inject SQL code from a remote machine via the "paged" parameter in the "index.php" script used by the "WordPress" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using WordPress --- -Attack Scenarios: -An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. 
- --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -SQL Injection Attack and Defense -http://www.securitydocs.com/library/3587 - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000702.txt snort-2.9.2/doc/signatures/100000702.txt --- snort-2.8.5.2/doc/signatures/100000702.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000702.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000702 --- -Summary: -This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Webvizyon" application running on a webserver. Access to the file "SayfalaAltList.asp" with SQL commands being passed as the "id" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to inject SQL code from a remote machine via the "id" parameter in the "SayfalaAltList.asp" script used by the "Webvizyon" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Webvizyon --- -Attack Scenarios: -An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -SQL Injection Attack and Defense -http://www.securitydocs.com/library/3587 - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000704.txt snort-2.9.2/doc/signatures/100000704.txt --- snort-2.8.5.2/doc/signatures/100000704.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000704.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,53 +0,0 @@ -Rule: - --- -Sid: -100000704 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SmartSiteCMS" application running on a webserver. Access to the file "comment.php" using a remote file being passed as the "root" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "root" parameter in the "comment.php" script used by the "SmartSiteCMS" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using SmartSiteCMS --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000705.txt snort-2.9.2/doc/signatures/100000705.txt --- snort-2.8.5.2/doc/signatures/100000705.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000705.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000705 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SmartSiteCMS" application running on a webserver. Access to the file "test.php" using a remote file being passed as the "root" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "root" parameter in the "test.php" script used by the "SmartSiteCMS" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using SmartSiteCMS --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000706.txt snort-2.9.2/doc/signatures/100000706.txt --- snort-2.8.5.2/doc/signatures/100000706.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000706.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000706 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SmartSiteCMS" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "root" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "root" parameter in the "index.php" script used by the "SmartSiteCMS" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using SmartSiteCMS --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000707.txt snort-2.9.2/doc/signatures/100000707.txt --- snort-2.8.5.2/doc/signatures/100000707.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000707.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000707 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SmartSiteCMS" application running on a webserver. Access to the file "inc_adminfoot.php" using a remote file being passed as the "root" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "root" parameter in the "inc_adminfoot.php" script used by the "SmartSiteCMS" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using SmartSiteCMS --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000708.txt snort-2.9.2/doc/signatures/100000708.txt --- snort-2.8.5.2/doc/signatures/100000708.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000708.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000708 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SmartSiteCMS" application running on a webserver. Access to the file "comedit.php" using a remote file being passed as the "root" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "root" parameter in the "comedit.php" script used by the "SmartSiteCMS" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using SmartSiteCMS --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000709.txt snort-2.9.2/doc/signatures/100000709.txt --- snort-2.8.5.2/doc/signatures/100000709.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000709.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,56 +0,0 @@ - - -Rule: - --- -Sid: -100000709 --- -Summary: -This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "SquirrelMail" application running on a webserver. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "mailbox" parameter in the "search.php" script used by the "SquirrelMail" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing. - --- -Affected Systems: -All systems running CGI applications using SquirrelMail --- -Attack Scenarios: -An attacker can supply a malicious link designed to steal information from a user clicking on that link. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -The Cross Site Scripting (XSS) FAQ -http://www.cgisecurity.com/articles/xss-faq.shtml - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000710.txt snort-2.9.2/doc/signatures/100000710.txt --- snort-2.8.5.2/doc/signatures/100000710.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000710.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000710 --- -Summary: -This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Xoops MyAds Module" application running on a webserver. Access to the file "annonces-p-f.php" with SQL commands being passed as the "lid" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to inject SQL code from a remote machine via the "lid" parameter in the "annonces-p-f.php" script used by the "Xoops MyAds Module" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Xoops MyAds Module --- -Attack Scenarios: -An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -SQL Injection Attack and Defense -http://www.securitydocs.com/library/3587 - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000711.txt snort-2.9.2/doc/signatures/100000711.txt --- snort-2.8.5.2/doc/signatures/100000711.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000711.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000711 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "raids.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "raids.php" script used by the "PHPRaid" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using PHPRaid --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000712.txt snort-2.9.2/doc/signatures/100000712.txt --- snort-2.8.5.2/doc/signatures/100000712.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000712.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000712 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "register.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "register.php" script used by the "PHPRaid" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using PHPRaid --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000713.txt snort-2.9.2/doc/signatures/100000713.txt --- snort-2.8.5.2/doc/signatures/100000713.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000713.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000713 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "roster.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "roster.php" script used by the "PHPRaid" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using PHPRaid --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000714.txt snort-2.9.2/doc/signatures/100000714.txt --- snort-2.8.5.2/doc/signatures/100000714.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000714.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000714 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "view.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "view.php" script used by the "PHPRaid" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using PHPRaid --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000715.txt snort-2.9.2/doc/signatures/100000715.txt --- snort-2.8.5.2/doc/signatures/100000715.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000715.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000715
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "logs.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "logs.php" script used by the "PHPRaid" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPRaid
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000716.txt snort-2.9.2/doc/signatures/100000716.txt
--- snort-2.8.5.2/doc/signatures/100000716.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000716.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000716
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "users.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "users.php" script used by the "PHPRaid" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPRaid
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000717.txt snort-2.9.2/doc/signatures/100000717.txt
--- snort-2.8.5.2/doc/signatures/100000717.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000717.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000717
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "configuration.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "configuration.php" script used by the "PHPRaid" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPRaid
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000718.txt snort-2.9.2/doc/signatures/100000718.txt
--- snort-2.8.5.2/doc/signatures/100000718.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000718.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000718
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "guilds.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "guilds.php" script used by the "PHPRaid" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPRaid
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000719.txt snort-2.9.2/doc/signatures/100000719.txt
--- snort-2.8.5.2/doc/signatures/100000719.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000719.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000719
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "index.php" script used by the "PHPRaid" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPRaid
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000720.txt snort-2.9.2/doc/signatures/100000720.txt
--- snort-2.8.5.2/doc/signatures/100000720.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000720.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000720
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "locations.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "locations.php" script used by the "PHPRaid" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPRaid
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000721.txt snort-2.9.2/doc/signatures/100000721.txt
--- snort-2.8.5.2/doc/signatures/100000721.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000721.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000721
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "login.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "login.php" script used by the "PHPRaid" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPRaid
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000722.txt snort-2.9.2/doc/signatures/100000722.txt
--- snort-2.8.5.2/doc/signatures/100000722.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000722.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000722
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "lua_output.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "lua_output.php" script used by the "PHPRaid" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPRaid
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000723.txt snort-2.9.2/doc/signatures/100000723.txt
--- snort-2.8.5.2/doc/signatures/100000723.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000723.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000723
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "permissions.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "permissions.php" script used by the "PHPRaid" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPRaid
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000724.txt snort-2.9.2/doc/signatures/100000724.txt
--- snort-2.8.5.2/doc/signatures/100000724.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000724.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000724
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "profile.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "profile.php" script used by the "PHPRaid" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPRaid
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000725.txt snort-2.9.2/doc/signatures/100000725.txt
--- snort-2.8.5.2/doc/signatures/100000725.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000725.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000725
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "PHPRaid" application running on a webserver. Access to the file "view.php" with SQL commands being passed as the "raid_id" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "raid_id" parameter in the "view.php" script used by the "PHPRaid" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPRaid
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000726.txt snort-2.9.2/doc/signatures/100000726.txt
--- snort-2.8.5.2/doc/signatures/100000726.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000726.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000726
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Vincent-Leclercq News" application running on a webserver. Access to the file "diver.php" with SQL commands being passed as the "id" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "id" parameter in the "diver.php" script used by the "Vincent-Leclercq News" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Vincent-Leclercq News
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000727.txt snort-2.9.2/doc/signatures/100000727.txt
--- snort-2.8.5.2/doc/signatures/100000727.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000727.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000727
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Softbiz Banner Exchange" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "city" parameter in the "insertmember.php" script used by the "Softbiz Banner Exchange" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Softbiz Banner Exchange
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000728.txt snort-2.9.2/doc/signatures/100000728.txt
--- snort-2.8.5.2/doc/signatures/100000728.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000728.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000728 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "functions.inc" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "functions.inc" script used by the "Geeklog" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Geeklog --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000729.txt snort-2.9.2/doc/signatures/100000729.txt --- snort-2.8.5.2/doc/signatures/100000729.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000729.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000729 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "functions.inc" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "functions.inc" script used by the "Geeklog" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Geeklog --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000730.txt snort-2.9.2/doc/signatures/100000730.txt --- snort-2.8.5.2/doc/signatures/100000730.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000730.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000730 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "BlackList.Examine.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "BlackList.Examine.class.php" script used by the "Geeklog" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Geeklog --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000731.txt snort-2.9.2/doc/signatures/100000731.txt --- snort-2.8.5.2/doc/signatures/100000731.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000731.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000731 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "DeleteComment.Action.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "DeleteComment.Action.class.php" script used by the "Geeklog" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Geeklog --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000732.txt snort-2.9.2/doc/signatures/100000732.txt --- snort-2.8.5.2/doc/signatures/100000732.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000732.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000732 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "EditIPofURL.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "EditIPofURL.Admin.class.php" script used by the "Geeklog" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Geeklog --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000733.txt snort-2.9.2/doc/signatures/100000733.txt --- snort-2.8.5.2/doc/signatures/100000733.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000733.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000733 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "MTBlackList.Examine.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "MTBlackList.Examine.class.php" script used by the "Geeklog" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Geeklog --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000734.txt snort-2.9.2/doc/signatures/100000734.txt --- snort-2.8.5.2/doc/signatures/100000734.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000734.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000734 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "MassDelete.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "MassDelete.Admin.class.php" script used by the "Geeklog" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Geeklog --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000735.txt snort-2.9.2/doc/signatures/100000735.txt --- snort-2.8.5.2/doc/signatures/100000735.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000735.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000735 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "MailAdmin.Action.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "MailAdmin.Action.class.php" script used by the "Geeklog" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Geeklog --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000736.txt snort-2.9.2/doc/signatures/100000736.txt --- snort-2.8.5.2/doc/signatures/100000736.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000736.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000736 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "MassDelTrackback.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "MassDelTrackback.Admin.class.php" script used by the "Geeklog" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Geeklog --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000737.txt snort-2.9.2/doc/signatures/100000737.txt --- snort-2.8.5.2/doc/signatures/100000737.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000737.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000737 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "EditHeader.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "EditHeader.Admin.class.php" script used by the "Geeklog" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Geeklog --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000738.txt snort-2.9.2/doc/signatures/100000738.txt --- snort-2.8.5.2/doc/signatures/100000738.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000738.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000738 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "EditIP.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "EditIP.Admin.class.php" script used by the "Geeklog" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Geeklog --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000739.txt snort-2.9.2/doc/signatures/100000739.txt --- snort-2.8.5.2/doc/signatures/100000739.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000739.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000739 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "IPofUrl.Examine.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "IPofUrl.Examine.class.php" script used by the "Geeklog" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Geeklog --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000740.txt snort-2.9.2/doc/signatures/100000740.txt --- snort-2.8.5.2/doc/signatures/100000740.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000740.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000740
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "Import.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "Import.Admin.class.php" script used by the "Geeklog" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Geeklog
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000741.txt snort-2.9.2/doc/signatures/100000741.txt
--- snort-2.8.5.2/doc/signatures/100000741.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000741.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000741
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "LogView.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "LogView.Admin.class.php" script used by the "Geeklog" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Geeklog
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000742.txt snort-2.9.2/doc/signatures/100000742.txt
--- snort-2.8.5.2/doc/signatures/100000742.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000742.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000742
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "functions.inc" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "functions.inc" script used by the "Geeklog" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Geeklog
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000743.txt snort-2.9.2/doc/signatures/100000743.txt
--- snort-2.8.5.2/doc/signatures/100000743.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000743.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000743
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Plume CMS" application running on a webserver. Access to the file "dbinstall.php" using a remote file being passed as the "_PX_config[manager_path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "_PX_config[manager_path]" parameter in the "dbinstall.php" script used by the "Plume CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Plume CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000744.txt snort-2.9.2/doc/signatures/100000744.txt
--- snort-2.8.5.2/doc/signatures/100000744.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000744.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000744
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "MyNewsGroups" application running on a webserver. Access to the file "tree.php" with SQL commands being passed as the "grp_id" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "grp_id" parameter in the "tree.php" script used by the "MyNewsGroups" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using MyNewsGroups
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000745.txt snort-2.9.2/doc/signatures/100000745.txt
--- snort-2.8.5.2/doc/signatures/100000745.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000745.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000745
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Diesel Joke Site" application running on a webserver. Access to the file "category.php" with SQL commands being passed as the "id" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "id" parameter in the "category.php" script used by the "Diesel Joke Site" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Diesel Joke Site
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000746.txt snort-2.9.2/doc/signatures/100000746.txt
--- snort-2.8.5.2/doc/signatures/100000746.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000746.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000746
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Randshop" application running on a webserver. Access to the file "header.inc.php" using a remote file being passed as the "dateiPfad" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "dateiPfad" parameter in the "header.inc.php" script used by the "Randshop" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Randshop
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000747.txt snort-2.9.2/doc/signatures/100000747.txt
--- snort-2.8.5.2/doc/signatures/100000747.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000747.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000747
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Plume CMS" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "_PX_config[manager_path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "_PX_config[manager_path]" parameter in the "index.php" script used by the "Plume CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Plume CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000748.txt snort-2.9.2/doc/signatures/100000748.txt
--- snort-2.8.5.2/doc/signatures/100000748.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000748.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000748
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Plume CMS" application running on a webserver. Access to the file "rss.php" using a remote file being passed as the "_PX_config[manager_path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "_PX_config[manager_path]" parameter in the "rss.php" script used by the "Plume CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Plume CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000749.txt snort-2.9.2/doc/signatures/100000749.txt
--- snort-2.8.5.2/doc/signatures/100000749.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000749.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000749
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Plume CMS" application running on a webserver. Access to the file "search.php" using a remote file being passed as the "_PX_config[manager_path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "_PX_config[manager_path]" parameter in the "search.php" script used by the "Plume CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Plume CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000750.txt snort-2.9.2/doc/signatures/100000750.txt
--- snort-2.8.5.2/doc/signatures/100000750.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000750.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000750
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Free QBoard" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "qb_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "qb_path" parameter in the "index.php" script used by the "Free QBoard" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Free QBoard
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000751.txt snort-2.9.2/doc/signatures/100000751.txt
--- snort-2.8.5.2/doc/signatures/100000751.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000751.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000751
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Free QBoard" application running on a webserver. Access to the file "about.php" using a remote file being passed as the "qb_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "qb_path" parameter in the "about.php" script used by the "Free QBoard" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Free QBoard
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000752.txt snort-2.9.2/doc/signatures/100000752.txt
--- snort-2.8.5.2/doc/signatures/100000752.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000752.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000752
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Free QBoard" application running on a webserver. Access to the file "contact.php" using a remote file being passed as the "qb_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "qb_path" parameter in the "contact.php" script used by the "Free QBoard" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Free QBoard
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000753.txt snort-2.9.2/doc/signatures/100000753.txt
--- snort-2.8.5.2/doc/signatures/100000753.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000753.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000753
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Free QBoard" application running on a webserver. Access to the file "delete.php" using a remote file being passed as the "qb_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "qb_path" parameter in the "delete.php" script used by the "Free QBoard" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Free QBoard
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000754.txt snort-2.9.2/doc/signatures/100000754.txt
--- snort-2.8.5.2/doc/signatures/100000754.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000754.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000754
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Free QBoard" application running on a webserver. Access to the file "faq.php" using a remote file being passed as the "qb_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "qb_path" parameter in the "faq.php" script used by the "Free QBoard" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Free QBoard
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000755.txt snort-2.9.2/doc/signatures/100000755.txt
--- snort-2.8.5.2/doc/signatures/100000755.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000755.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000755
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Free QBoard" application running on a webserver. Access to the file "features.php" using a remote file being passed as the "qb_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "qb_path" parameter in the "features.php" script used by the "Free QBoard" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Free QBoard
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000756.txt snort-2.9.2/doc/signatures/100000756.txt
--- snort-2.8.5.2/doc/signatures/100000756.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000756.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000756
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Free QBoard" application running on a webserver. Access to the file "history.php" using a remote file being passed as the "qb_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "qb_path" parameter in the "history.php" script used by the "Free QBoard" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Free QBoard
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000757.txt snort-2.9.2/doc/signatures/100000757.txt
--- snort-2.8.5.2/doc/signatures/100000757.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000757.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000757
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "QTO File Manager" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "delete" parameter in the "qtofm.php" script used by the "QTO File Manager" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using QTO File Manager
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000758.txt snort-2.9.2/doc/signatures/100000758.txt
--- snort-2.8.5.2/doc/signatures/100000758.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000758.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000758
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "QTO File Manager" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "pathext" parameter in the "qtofm.php" script used by the "QTO File Manager" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using QTO File Manager
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000759.txt snort-2.9.2/doc/signatures/100000759.txt
--- snort-2.8.5.2/doc/signatures/100000759.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000759.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000759
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "QTO File Manager" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "edit" parameter in the "qtofm.php" script used by the "QTO File Manager" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using QTO File Manager
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000760.txt snort-2.9.2/doc/signatures/100000760.txt
--- snort-2.8.5.2/doc/signatures/100000760.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000760.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000760
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "The Banner Engine" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "text" parameter in the "top.php" script used by the "The Banner Engine" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using The Banner Engine
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000761.txt snort-2.9.2/doc/signatures/100000761.txt
--- snort-2.8.5.2/doc/signatures/100000761.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000761.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000761
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "PHPWebGallery" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "keyword" parameter in the "comments.php" script used by the "PHPWebGallery" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using PHPWebGallery
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000762.txt snort-2.9.2/doc/signatures/100000762.txt
--- snort-2.8.5.2/doc/signatures/100000762.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000762.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000762
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Randshop" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "incl" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "incl" parameter in the "index.php" script used by the "Randshop" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Randshop
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000763.txt snort-2.9.2/doc/signatures/100000763.txt
--- snort-2.8.5.2/doc/signatures/100000763.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000763.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000763
---
-Summary:
-This event is generated when an attempt is made to access the file "config.inc which contains known vulnerabilities in the "Kamikaze-QSCM" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to access a file with known vulnerabilities from a remote machine used by the "Kamikaze-QSCM" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Kamikaze-QSCM
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000764.txt snort-2.9.2/doc/signatures/100000764.txt
--- snort-2.8.5.2/doc/signatures/100000764.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000764.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000764
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MyPHP CMS" application running on a webserver. Access to the file "global_header.php" using a remote file being passed as the "domain" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "domain" parameter in the "global_header.php" script used by the "MyPHP CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000765.txt snort-2.9.2/doc/signatures/100000765.txt
--- snort-2.8.5.2/doc/signatures/100000765.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000765.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000765
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "LifeType" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "date" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "date" parameter in the "index.php" script used by the "LifeType" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using LifeType
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000766.txt snort-2.9.2/doc/signatures/100000766.txt
--- snort-2.8.5.2/doc/signatures/100000766.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000766.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000766
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Blog CMS" application running on a webserver. Access to the file "thumb.php" using a remote file being passed as the "gallery" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "gallery" parameter in the "thumb.php" script used by the "Blog CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Blog CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000767.txt snort-2.9.2/doc/signatures/100000767.txt
--- snort-2.8.5.2/doc/signatures/100000767.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000767.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000767
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "item" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "item" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Blog CMS
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000768.txt snort-2.9.2/doc/signatures/100000768.txt
--- snort-2.8.5.2/doc/signatures/100000768.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000768.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000768
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "blog" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "blog" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Blog CMS
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000769.txt snort-2.9.2/doc/signatures/100000769.txt
--- snort-2.8.5.2/doc/signatures/100000769.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000769.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000769
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "member" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "member" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Blog CMS
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000770.txt snort-2.9.2/doc/signatures/100000770.txt
--- snort-2.8.5.2/doc/signatures/100000770.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000770.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000770
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "typeface" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "typeface" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Blog CMS
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000771.txt snort-2.9.2/doc/signatures/100000771.txt
--- snort-2.8.5.2/doc/signatures/100000771.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000771.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000771
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "results" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "results" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Blog CMS
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000772.txt snort-2.9.2/doc/signatures/100000772.txt
--- snort-2.8.5.2/doc/signatures/100000772.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000772.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000772
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "DokiWiki" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "DokiWiki" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Blog CMS
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000773.txt snort-2.9.2/doc/signatures/100000773.txt
--- snort-2.8.5.2/doc/signatures/100000773.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000773.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000773
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "archives" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "archives" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Blog CMS
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000774.txt snort-2.9.2/doc/signatures/100000774.txt
--- snort-2.8.5.2/doc/signatures/100000774.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000774.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000774
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "category" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "category" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Blog CMS
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000775.txt snort-2.9.2/doc/signatures/100000775.txt
--- snort-2.8.5.2/doc/signatures/100000775.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000775.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000775
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "PHPSESSID" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "PHPSESSID" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Blog CMS
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000776.txt snort-2.9.2/doc/signatures/100000776.txt
--- snort-2.8.5.2/doc/signatures/100000776.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000776.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000776
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "query" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "query" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Blog CMS
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000777.txt snort-2.9.2/doc/signatures/100000777.txt
--- snort-2.8.5.2/doc/signatures/100000777.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000777.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000777
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "action.php" with SQL commands being passed as the "action" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "action" parameter in the "action.php" script used by the "Blog CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Blog CMS
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000778.txt snort-2.9.2/doc/signatures/100000778.txt
--- snort-2.8.5.2/doc/signatures/100000778.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000778.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000778
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "PHPMailList" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "email" parameter in the "maillist.php" script used by the "PHPMailList" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using PHPMailList
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000779.txt snort-2.9.2/doc/signatures/100000779.txt
--- snort-2.8.5.2/doc/signatures/100000779.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000779.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000779
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Horde" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "show" parameter in the "index.php" script used by the "Horde" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Horde
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-Dan Raswami
-
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000780.txt snort-2.9.2/doc/signatures/100000780.txt
--- snort-2.8.5.2/doc/signatures/100000780.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000780.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000780
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Horde" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "name" parameter in the "problem.php" script used by the "Horde" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Horde
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-Dan Raswami
-
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000781.txt snort-2.9.2/doc/signatures/100000781.txt
--- snort-2.8.5.2/doc/signatures/100000781.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000781.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000781
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Horde" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "untrusted" parameter in the "go.php" script used by the "Horde" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Horde
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-Dan Raswami
-
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000782.txt snort-2.9.2/doc/signatures/100000782.txt
--- snort-2.8.5.2/doc/signatures/100000782.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000782.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000782
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Horde" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "url" parameter in the "go.php" script used by the "Horde" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Horde
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-Dan Raswami
-
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000783.txt snort-2.9.2/doc/signatures/100000783.txt
--- snort-2.8.5.2/doc/signatures/100000783.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000783.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000783
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "ATutor" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "show_courses" parameter in the "create_course.php" script used by the "ATutor" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using ATutor
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000784.txt snort-2.9.2/doc/signatures/100000784.txt
--- snort-2.8.5.2/doc/signatures/100000784.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000784.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000784
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "ATutor" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "current_cat" parameter in the "create_course.php" script used by the "ATutor" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using ATutor
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000785.txt snort-2.9.2/doc/signatures/100000785.txt
--- snort-2.8.5.2/doc/signatures/100000785.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000785.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000785
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "ATutor" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "forgot" parameter in the "password_reminder.php" script used by the "ATutor" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using ATutor
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000786.txt snort-2.9.2/doc/signatures/100000786.txt
--- snort-2.8.5.2/doc/signatures/100000786.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000786.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000786
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "ATutor" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "cat" parameter in the "browse.php" script used by the "ATutor" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using ATutor
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000787.txt snort-2.9.2/doc/signatures/100000787.txt
--- snort-2.8.5.2/doc/signatures/100000787.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000787.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000787
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "ATutor" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "submit" parameter in the "fix_content.php" script used by the "ATutor" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using ATutor
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000788.txt snort-2.9.2/doc/signatures/100000788.txt
--- snort-2.8.5.2/doc/signatures/100000788.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000788.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000788
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "FreeWebshop" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "page" parameter in the "search.php" script used by the "FreeWebshop" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using FreeWebshop
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000789.txt snort-2.9.2/doc/signatures/100000789.txt
--- snort-2.8.5.2/doc/signatures/100000789.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000789.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000789
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "FreeWebshop" application running on a webserver. Access to the file "details.php" with SQL commands being passed as the "prod" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "prod" parameter in the "details.php" script used by the "FreeWebshop" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using FreeWebshop
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000790.txt snort-2.9.2/doc/signatures/100000790.txt
--- snort-2.8.5.2/doc/signatures/100000790.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000790.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000790
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Pivot" application running on a webserver. Access to the file "edit_new.php" using a remote file being passed as the "Paths[extensions_path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "Paths[extensions_path]" parameter in the "edit_new.php" script used by the "Pivot" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Pivot
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000791.txt snort-2.9.2/doc/signatures/100000791.txt
--- snort-2.8.5.2/doc/signatures/100000791.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000791.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000791
---
-Summary:
-This event is generated when an attempt is made to access the file "pv_core.php which contains known vulnerabilities in the "Pivot" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to access a file with known vulnerabilities from a remote machine used by the "Pivot" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Pivot
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000792.txt snort-2.9.2/doc/signatures/100000792.txt
--- snort-2.8.5.2/doc/signatures/100000792.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000792.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000792
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "fg" parameter in the "blogroll.php" script used by the "Pivot" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Pivot
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000793.txt snort-2.9.2/doc/signatures/100000793.txt
--- snort-2.8.5.2/doc/signatures/100000793.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000793.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000793
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "line1" parameter in the "blogroll.php" script used by the "Pivot" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Pivot
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000794.txt snort-2.9.2/doc/signatures/100000794.txt
--- snort-2.8.5.2/doc/signatures/100000794.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000794.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000794
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "line2" parameter in the "blogroll.php" script used by the "Pivot" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Pivot
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000795.txt snort-2.9.2/doc/signatures/100000795.txt
--- snort-2.8.5.2/doc/signatures/100000795.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000795.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000795
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "bg" parameter in the "blogroll.php" script used by the "Pivot" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Pivot
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000796.txt snort-2.9.2/doc/signatures/100000796.txt
--- snort-2.8.5.2/doc/signatures/100000796.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000796.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000796
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "c1" parameter in the "blogroll.php" script used by the "Pivot" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Pivot
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000797.txt snort-2.9.2/doc/signatures/100000797.txt
--- snort-2.8.5.2/doc/signatures/100000797.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000797.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000797
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "c2" parameter in the "blogroll.php" script used by the "Pivot" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Pivot
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000798.txt snort-2.9.2/doc/signatures/100000798.txt
--- snort-2.8.5.2/doc/signatures/100000798.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000798.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000798
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "c3" parameter in the "blogroll.php" script used by the "Pivot" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Pivot
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000799.txt snort-2.9.2/doc/signatures/100000799.txt
--- snort-2.8.5.2/doc/signatures/100000799.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000799.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000799
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "c4" parameter in the "blogroll.php" script used by the "Pivot" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Pivot
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000800.txt snort-2.9.2/doc/signatures/100000800.txt
--- snort-2.8.5.2/doc/signatures/100000800.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000800.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000800
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "name" parameter in the "editor_menu.php" script used by the "Pivot" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Pivot
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000801.txt snort-2.9.2/doc/signatures/100000801.txt
--- snort-2.8.5.2/doc/signatures/100000801.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000801.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000801
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "js_name" parameter in the "editor_menu.php" script used by the "Pivot" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Pivot
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000802.txt snort-2.9.2/doc/signatures/100000802.txt
--- snort-2.8.5.2/doc/signatures/100000802.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000802.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000802
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BosClassifieds" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "insPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "insPath" parameter in the "index.php" script used by the "BosClassifieds" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BosClassifieds
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000803.txt snort-2.9.2/doc/signatures/100000803.txt
--- snort-2.8.5.2/doc/signatures/100000803.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000803.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000803
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BosClassifieds" application running on a webserver. Access to the file "recent.php" using a remote file being passed as the "insPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "insPath" parameter in the "recent.php" script used by the "BosClassifieds" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BosClassifieds
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000804.txt snort-2.9.2/doc/signatures/100000804.txt
--- snort-2.8.5.2/doc/signatures/100000804.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000804.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000804
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BosClassifieds" application running on a webserver. Access to the file "account.php" using a remote file being passed as the "insPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "insPath" parameter in the "account.php" script used by the "BosClassifieds" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BosClassifieds
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000805.txt snort-2.9.2/doc/signatures/100000805.txt
--- snort-2.8.5.2/doc/signatures/100000805.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000805.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000805
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BosClassifieds" application running on a webserver. Access to the file "classified.php" using a remote file being passed as the "insPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "insPath" parameter in the "classified.php" script used by the "BosClassifieds" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BosClassifieds
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000806.txt snort-2.9.2/doc/signatures/100000806.txt
--- snort-2.8.5.2/doc/signatures/100000806.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000806.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000806
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BosClassifieds" application running on a webserver. Access to the file "search.php" using a remote file being passed as the "insPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "insPath" parameter in the "search.php" script used by the "BosClassifieds" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BosClassifieds
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000807.txt snort-2.9.2/doc/signatures/100000807.txt
--- snort-2.8.5.2/doc/signatures/100000807.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000807.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000807
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "CommonSense" application running on a webserver. Access to the file "search.php" with SQL commands being passed as the "q" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "q" parameter in the "search.php" script used by the "CommonSense" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using CommonSense
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000808.txt snort-2.9.2/doc/signatures/100000808.txt
--- snort-2.8.5.2/doc/signatures/100000808.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000808.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000808
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "AjaxPortal" application running on a webserver. Access to the file "ajaxp.php" with SQL commands being passed as the "username" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "username" parameter in the "ajaxp.php" script used by the "AjaxPortal" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using AjaxPortal
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000809.txt snort-2.9.2/doc/signatures/100000809.txt
--- snort-2.8.5.2/doc/signatures/100000809.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000809.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000809
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "RW Download" application running on a webserver. Access to the file "stats.php" using a remote file being passed as the "root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "root_path" parameter in the "stats.php" script used by the "RW Download" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using RW Download
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000810.txt snort-2.9.2/doc/signatures/100000810.txt
--- snort-2.8.5.2/doc/signatures/100000810.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000810.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000810
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPBB" application running on a webserver. Access to the file "download.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "download.php" script used by the "PHPBB" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPBB
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000811.txt snort-2.9.2/doc/signatures/100000811.txt
--- snort-2.8.5.2/doc/signatures/100000811.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000811.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000811
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPBB" application running on a webserver. Access to the file "attach_rules.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "attach_rules.php" script used by the "PHPBB" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPBB
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000812.txt snort-2.9.2/doc/signatures/100000812.txt
--- snort-2.8.5.2/doc/signatures/100000812.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000812.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000812
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SimpleBoard SBP" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "sbp" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "sbp" parameter in the "index.php" script used by the "SimpleBoard SBP" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SimpleBoard SBP
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000813.txt snort-2.9.2/doc/signatures/100000813.txt
--- snort-2.8.5.2/doc/signatures/100000813.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000813.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000813
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SimpleBoard SBP" application running on a webserver. Access to the file "file_upload.php" using a remote file being passed as the "sbp" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "sbp" parameter in the "file_upload.php" script used by the "SimpleBoard SBP" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SimpleBoard SBP
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000814.txt snort-2.9.2/doc/signatures/100000814.txt
--- snort-2.8.5.2/doc/signatures/100000814.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000814.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000814
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SimpleBoard SBP" application running on a webserver. Access to the file "image_upload.php" using a remote file being passed as the "sbp" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "sbp" parameter in the "image_upload.php" script used by the "SimpleBoard SBP" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SimpleBoard SBP
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000815.txt snort-2.9.2/doc/signatures/100000815.txt
--- snort-2.8.5.2/doc/signatures/100000815.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000815.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000815
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SimpleBoard SBP" application running on a webserver. Access to the file "performs.php" using a remote file being passed as the "sbp" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "sbp" parameter in the "performs.php" script used by the "SimpleBoard SBP" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SimpleBoard SBP
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000816.txt snort-2.9.2/doc/signatures/100000816.txt
--- snort-2.8.5.2/doc/signatures/100000816.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000816.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000816
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PC_CookBook" application running on a webserver. Access to the file "pccookbook.php" using a remote file being passed as the "mosConfig_absolute_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "mosConfig_absolute_path" parameter in the "pccookbook.php" script used by the "PC_CookBook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PC_CookBook
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000817.txt snort-2.9.2/doc/signatures/100000817.txt
--- snort-2.8.5.2/doc/signatures/100000817.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000817.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000817
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SMF Forum" application running on a webserver. Access to the file "smf.php" using a remote file being passed as the "mosConfig_absolute_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "mosConfig_absolute_path" parameter in the "smf.php" script used by the "SMF Forum" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SMF Forum
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000818.txt snort-2.9.2/doc/signatures/100000818.txt
--- snort-2.8.5.2/doc/signatures/100000818.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000818.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000818
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Graffiti Forums" application running on a webserver. Access to the file "topics.php" with SQL commands being passed as the "f" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "f" parameter in the "topics.php" script used by the "Graffiti Forums" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Graffiti Forums
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000820.txt snort-2.9.2/doc/signatures/100000820.txt
--- snort-2.8.5.2/doc/signatures/100000820.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000820.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-100000820
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "SaPHPLesson" application running on a webserver. Access to the file "add.php" with SQL commands being passed as the "forumid" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "forumid" parameter in the "add.php" script used by the "SaPHPLesson" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SaPHPLesson
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000821.txt snort-2.9.2/doc/signatures/100000821.txt
--- snort-2.8.5.2/doc/signatures/100000821.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000821.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000821
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VBZooM" application running on a webserver. Access to the file "sub-join.php" with SQL commands being passed as the "UserID" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "UserID" parameter in the "sub-join.php" script used by the "VBZooM" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VBZooM
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000822.txt snort-2.9.2/doc/signatures/100000822.txt
--- snort-2.8.5.2/doc/signatures/100000822.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000822.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000822
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VBZooM" application running on a webserver. Access to the file "reply.php" with SQL commands being passed as the "UserID" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "UserID" parameter in the "reply.php" script used by the "VBZooM" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VBZooM
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000823.txt snort-2.9.2/doc/signatures/100000823.txt
--- snort-2.8.5.2/doc/signatures/100000823.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000823.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000823
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VBZooM" application running on a webserver. Access to the file "ignore-pm.php" with SQL commands being passed as the "UserID" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "UserID" parameter in the "ignore-pm.php" script used by the "VBZooM" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VBZooM
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000824.txt snort-2.9.2/doc/signatures/100000824.txt
--- snort-2.8.5.2/doc/signatures/100000824.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000824.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000824
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VBZooM" application running on a webserver. Access to the file "sendmail.php" with SQL commands being passed as the "UserID" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "UserID" parameter in the "sendmail.php" script used by the "VBZooM" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VBZooM
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000825.txt snort-2.9.2/doc/signatures/100000825.txt
--- snort-2.8.5.2/doc/signatures/100000825.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000825.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000825
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Phorum" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "mode" parameter in the "posting.php" script used by the "Phorum" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Phorum
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000826.txt snort-2.9.2/doc/signatures/100000826.txt
--- snort-2.8.5.2/doc/signatures/100000826.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000826.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000826
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Phorum" application running on a webserver. Access to the file "search.php" with SQL commands being passed as the "mode" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "mode" parameter in the "search.php" script used by the "Phorum" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Phorum
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
- --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -SQL Injection Attack and Defense -http://www.securitydocs.com/library/3587 - --- - diff -Nru snort-2.8.5.2/doc/signatures/100000827.txt snort-2.9.2/doc/signatures/100000827.txt --- snort-2.8.5.2/doc/signatures/100000827.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/100000827.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000827
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "HiveMail" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "email" parameter in the "address.view.php" script used by the "HiveMail" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using HiveMail
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000828.txt snort-2.9.2/doc/signatures/100000828.txt
--- snort-2.8.5.2/doc/signatures/100000828.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000828.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000828
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "HiveMail" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "cond" parameter in the "address.view.php" script used by the "HiveMail" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using HiveMail
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000829.txt snort-2.9.2/doc/signatures/100000829.txt
--- snort-2.8.5.2/doc/signatures/100000829.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000829.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000829
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "HiveMail" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "name" parameter in the "address.view.php" script used by the "HiveMail" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using HiveMail
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000830.txt snort-2.9.2/doc/signatures/100000830.txt
--- snort-2.8.5.2/doc/signatures/100000830.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000830.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000830
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "HiveMail" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "dayprune" parameter in the "index.php" script used by the "HiveMail" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using HiveMail
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000831.txt snort-2.9.2/doc/signatures/100000831.txt
--- snort-2.8.5.2/doc/signatures/100000831.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000831.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000831
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "HiveMail" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "data[to]" parameter in the "compose.email.php" script used by the "HiveMail" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using HiveMail
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000832.txt snort-2.9.2/doc/signatures/100000832.txt
--- snort-2.8.5.2/doc/signatures/100000832.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000832.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000832
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "HiveMail" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "markas" parameter in the "read.markas.php" script used by the "HiveMail" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using HiveMail
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000833.txt snort-2.9.2/doc/signatures/100000833.txt
--- snort-2.8.5.2/doc/signatures/100000833.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000833.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000833
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "HiveMail" application running on a webserver. Access to the file "search.results.php" with SQL commands being passed as the "fields[]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "fields[]" parameter in the "search.results.php" script used by the "HiveMail" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using HiveMail
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000834.txt snort-2.9.2/doc/signatures/100000834.txt
--- snort-2.8.5.2/doc/signatures/100000834.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000834.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000834
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Lazarus" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "show" parameter in the "codes-english.php" script used by the "Lazarus" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Lazarus
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000835.txt snort-2.9.2/doc/signatures/100000835.txt
--- snort-2.8.5.2/doc/signatures/100000835.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000835.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000835
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Lazarus" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "img" parameter in the "picture.php" script used by the "Lazarus" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Lazarus
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000836.txt snort-2.9.2/doc/signatures/100000836.txt
--- snort-2.8.5.2/doc/signatures/100000836.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000836.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000836
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MiniBB" application running on a webserver. Access to the file "com_minibb.php" using a remote file being passed as the "absolute_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "absolute_path" parameter in the "com_minibb.php" script used by the "MiniBB" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using MiniBB
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000837.txt snort-2.9.2/doc/signatures/100000837.txt
--- snort-2.8.5.2/doc/signatures/100000837.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000837.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000837
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MiniBB" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "absolute_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "absolute_path" parameter in the "index.php" script used by the "MiniBB" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using MiniBB
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000838.txt snort-2.9.2/doc/signatures/100000838.txt
--- snort-2.8.5.2/doc/signatures/100000838.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000838.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000838
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "PhotoCycle" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "phppage" parameter in the "photocycle.php" script used by the "PhotoCycle" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using PhotoCycle
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000839.txt snort-2.9.2/doc/signatures/100000839.txt
--- snort-2.8.5.2/doc/signatures/100000839.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000839.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000839
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHP Event Calendar" application running on a webserver. Access to the file "calendar.php" using a remote file being passed as the "path_to_calendar" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "path_to_calendar" parameter in the "calendar.php" script used by the "PHP Event Calendar" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHP Event Calendar
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000840.txt snort-2.9.2/doc/signatures/100000840.txt
--- snort-2.8.5.2/doc/signatures/100000840.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000840.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000840
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "FlatNuke" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "mod" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "mod" parameter in the "index.php" script used by the "FlatNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using FlatNuke
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000841.txt snort-2.9.2/doc/signatures/100000841.txt
--- snort-2.8.5.2/doc/signatures/100000841.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000841.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000841
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PerForms" application running on a webserver. Access to the file "performs.php" using a remote file being passed as the "mosConfig_absolute_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "mosConfig_absolute_path" parameter in the "performs.php" script used by the "PerForms" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PerForms
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000842.txt snort-2.9.2/doc/signatures/100000842.txt
--- snort-2.8.5.2/doc/signatures/100000842.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000842.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000842
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "PHPBB 3" application running on a webserver. Access to the file "memberlist.php" with SQL commands being passed as the "ip" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "ip" parameter in the "memberlist.php" script used by the "PHPBB 3" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPBB 3
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000843.txt snort-2.9.2/doc/signatures/100000843.txt
--- snort-2.8.5.2/doc/signatures/100000843.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000843.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000843
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Koobi Pro" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "showtopic" parameter in the "index.php" script used by the "Koobi Pro" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Koobi Pro
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000844.txt snort-2.9.2/doc/signatures/100000844.txt
--- snort-2.8.5.2/doc/signatures/100000844.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000844.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000844
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Koobi Pro" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "showtopic" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "showtopic" parameter in the "index.php" script used by the "Koobi Pro" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Koobi Pro
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000845.txt snort-2.9.2/doc/signatures/100000845.txt
--- snort-2.8.5.2/doc/signatures/100000845.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000845.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000845
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Invision Power Board" application running on a webserver. Access to the file "ipsclass.php" with SQL commands being passed as the "HTTP_CLIENT_IP" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "HTTP_CLIENT_IP" parameter in the "ipsclass.php" script used by the "Invision Power Board" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Invision Power Board
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000846.txt snort-2.9.2/doc/signatures/100000846.txt
--- snort-2.8.5.2/doc/signatures/100000846.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000846.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000846
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Subberz Lite" application running on a webserver. Access to the file "user-func.php" using a remote file being passed as the "myadmindir" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "myadmindir" parameter in the "user-func.php" script used by the "Subberz Lite" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Subberz Lite
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000847.txt snort-2.9.2/doc/signatures/100000847.txt
--- snort-2.8.5.2/doc/signatures/100000847.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000847.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000847
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Sitemap" application running on a webserver. Access to the file "sitemap.xml.php" using a remote file being passed as the "mosConfig_absolute_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "mosConfig_absolute_path" parameter in the "sitemap.xml.php" script used by the "Sitemap" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Sitemap
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000848.txt snort-2.9.2/doc/signatures/100000848.txt
--- snort-2.8.5.2/doc/signatures/100000848.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000848.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-100000848
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "PhpWebGallery" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "keyword" parameter in the "comments.php"
-script
-used by the "PhpWebGallery" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using PhpWebGallery
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Chris Jacob
-
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000849.txt snort-2.9.2/doc/signatures/100000849.txt
--- snort-2.8.5.2/doc/signatures/100000849.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000849.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,53 +0,0 @@
-Rule:
-
---
-Sid:
-100000849
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "IceWarp" application running on a webserver. Access to the file "include.php" using a remote file being passed as the "language" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "language" parameter in the "include.php" script used by the "IceWarp" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using IceWarp
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000850.txt snort-2.9.2/doc/signatures/100000850.txt
--- snort-2.8.5.2/doc/signatures/100000850.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000850.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000850
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "IceWarp" application running on a webserver. Access to the file "include.php" using a remote file being passed as the "lang_settings" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "lang_settings" parameter in the "include.php" script used by the "IceWarp" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using IceWarp
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000851.txt snort-2.9.2/doc/signatures/100000851.txt
--- snort-2.8.5.2/doc/signatures/100000851.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000851.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000851
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "IceWarp" application running on a webserver. Access to the file "include.php" using a remote file being passed as the "language" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "language" parameter in the "include.php" script used by the "IceWarp" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using IceWarp
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000852.txt snort-2.9.2/doc/signatures/100000852.txt
--- snort-2.8.5.2/doc/signatures/100000852.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000852.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000852
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "IceWarp" application running on a webserver. Access to the file "include.php" using a remote file being passed as the "lang_settings" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "lang_settings" parameter in the "include.php" script used by the "IceWarp" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using IceWarp
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000853.txt snort-2.9.2/doc/signatures/100000853.txt
--- snort-2.8.5.2/doc/signatures/100000853.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000853.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000853
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "IceWarp" application running on a webserver. Access to the file "settings.html" using a remote file being passed as the "language" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "language" parameter in the "settings.html" script used by the "IceWarp" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using IceWarp
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000854.txt snort-2.9.2/doc/signatures/100000854.txt
--- snort-2.8.5.2/doc/signatures/100000854.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000854.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000854
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "ListMessenger" application running on a webserver. Access to the file "listmessenger.php" using a remote file being passed as the "lm_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "lm_path" parameter in the "listmessenger.php" script used by the "ListMessenger" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using ListMessenger
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000855.txt snort-2.9.2/doc/signatures/100000855.txt
--- snort-2.8.5.2/doc/signatures/100000855.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000855.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000855
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Professional Home Page Tools" application running on a webserver. Access to the file "class.php" with SQL commands being passed as the "name" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "name" parameter in the "class.php" script used by the "Professional Home Page Tools" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Professional Home Page Tools
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000856.txt snort-2.9.2/doc/signatures/100000856.txt
--- snort-2.8.5.2/doc/signatures/100000856.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000856.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000856
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Professional Home Page Tools" application running on a webserver. Access to the file "class.php" with SQL commands being passed as the "mail" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "mail" parameter in the "class.php" script used by the "Professional Home Page Tools" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Professional Home Page Tools
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000857.txt snort-2.9.2/doc/signatures/100000857.txt
--- snort-2.8.5.2/doc/signatures/100000857.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000857.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000857
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Professional Home Page Tools" application running on a webserver. Access to the file "class.php" with SQL commands being passed as the "ip" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "ip" parameter in the "class.php" script used by the "Professional Home Page Tools" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Professional Home Page Tools
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000858.txt snort-2.9.2/doc/signatures/100000858.txt
--- snort-2.8.5.2/doc/signatures/100000858.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000858.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000858
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Professional Home Page Tools" application running on a webserver. Access to the file "class.php" with SQL commands being passed as the "text" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "text" parameter in the "class.php" script used by the "Professional Home Page Tools" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Professional Home Page Tools
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000859.txt snort-2.9.2/doc/signatures/100000859.txt
--- snort-2.8.5.2/doc/signatures/100000859.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000859.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000859
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Professional Home Page Tools" application running on a webserver. Access to the file "class.php" with SQL commands being passed as the "hidemail" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "hidemail" parameter in the "class.php" script used by the "Professional Home Page Tools" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Professional Home Page Tools
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000860.txt snort-2.9.2/doc/signatures/100000860.txt
--- snort-2.8.5.2/doc/signatures/100000860.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000860.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000860
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Francisco Charrua Photo-Gallery" application running on a webserver. Access to the file "room.php" with SQL commands being passed as the "id" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "id" parameter in the "room.php" script used by the "Francisco Charrua Photo-Gallery" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Francisco Charrua Photo-Gallery
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000861.txt snort-2.9.2/doc/signatures/100000861.txt
--- snort-2.8.5.2/doc/signatures/100000861.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000861.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000861
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "FlushCMS" application running on a webserver. Access to the file "class.rich.php" using a remote file being passed as the "class_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "class_path" parameter in the "class.rich.php" script used by the "FlushCMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using FlushCMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000862.txt snort-2.9.2/doc/signatures/100000862.txt
--- snort-2.8.5.2/doc/signatures/100000862.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000862.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000862
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "FlushCMS" application running on a webserver. Access to the file "class.rich.php" using a remote file being passed as the "class_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "class_path" parameter in the "class.rich.php" script used by the "FlushCMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using FlushCMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.8.5.2/doc/signatures/100000863.txt snort-2.9.2/doc/signatures/100000863.txt
--- snort-2.8.5.2/doc/signatures/100000863.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000863.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "PHPMyRing" application running on a webserver. Access to
-the file "view_com.php" with SQL commands being passed as the "idsite"
-parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "idsite" parameter in the "view_com.php" script used by
-the "PHPMyRing" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPMyRing
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/100000927.txt snort-2.9.2/doc/signatures/100000927.txt
--- snort-2.8.5.2/doc/signatures/100000927.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/100000927.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-
---
-Summary:
-This rule detects certain phishing attempts sent via Microsoft Messenger.
-
---
-Impact:
-Users who are fooled by the phising attempt may be tricked into downloading
-malicious code.
-
---
-Detailed Information:
-The Microsoft Messenger service, which is enabled by default on many Windows
-systems, allows remote users to send pop-up messages to a given system. While
-legitimate uses exist, many of these pop-ups contain adware, spyware, and/or
-phishing attempts. This rule detects a common phishing attempt, which "warns"
-users that their registry is corrupted and directs them to download software to
-fix the "problem" at a malicious web site.
-
---
-Affected Systems:
-Any Windows system with Microsoft Messenger enabled and reachable from the
-Internet.
-
---
-Attack Scenarios:
-Attackers will typically use publicly available scripts to send malicious
-messages.
-
---
-Ease of Attack:
-Simple; public scripts exist for sending malicious messages.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block Microsoft Messenger at your firewall and/or disable it on individual
-machines, and educate your users regarding the dangers of following links in
-such messages.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Sago Networks
-Dan Protich
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/1000.txt snort-2.9.2/doc/signatures/1000.txt
--- snort-2.8.5.2/doc/signatures/1000.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/1000.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-1000
-
---
-Summary:
-This event is generated when an attempt is made to access the bdir.htr file.
-
---
-Impact:
-Information gathering. This attack can disclose the directory structure on a vulnerable Internet Information Server(IIS).
-
---
-Detailed Information:
-A vulnerability is exposed if an upgrade to IIS 4.0 is performed without deleting the remote administration scripts from IIS 3.0. Because of changes to the authentication methods between versions 3.0 and 4.0, these scripts can be accessed directly, and without authentication. An attacker can access one of these scripts, bdir.htr, to disclose the
-vulnerable server's directory structure.
-
-
---
-Affected Systems:
-IIS 4.0 servers that are upgraded from IIS 3.0.
-
---
-Attack Scenarios:
-An attacker can craft a URL to access the bdir.htr file, which can disclose the directory structures on the vulnerable server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Remove the bdir.htr file if it is not required.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq
-http://www.securityfocus.com/bid/2280
-
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/1001.txt snort-2.9.2/doc/signatures/1001.txt
--- snort-2.8.5.2/doc/signatures/1001.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/1001.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-1001
-
---
-Summary:
-This event is generated when an attempt is made to exploit a vulnerability on an iCat Carbo Server.
-
---
-Impact:
-Serious. Information disclosure.
-
---
-Detailed Information:
-The iCat Carbo server, which is part of the Electronic Commerce Suite,
-does not properly check HTTP requests and will give access to any file
-object residing on the system when it receives a request such as
-http://target/carbo.dll?icatcommand=..\..\directory/filename.ext&catalogname=catalog
-
---
-Affected Systems:
- iCat Electronica Commerce Suite 3.0
-
---
-Attack Scenarios:
-An attacker can view any file on the server, including sensitive
-password files. The information disclosed can then be used to facilitate
-further attacks on the system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-None known.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-Snort documentation contributed by Josh Sakofsky
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/2126
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1069
-
---
diff -Nru snort-2.8.5.2/doc/signatures/1002.txt snort-2.9.2/doc/signatures/1002.txt
--- snort-2.8.5.2/doc/signatures/1002.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/1002.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid: 1002
-
-
---
-Summary:
-This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
-
---
-Impact:
-Information gathering possible administrator access.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
-
-The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
-
-The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
-
-Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
-
---
-Affected Systems:
-Any host using IIS.
-
---
-Attack Scenarios:
-An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-The HotSaNIC (hotsanic.sourceforge.net) System and Network Info Centre
-can graph the occurence of worms attacks on a server against time. The
-HotSaNIC system displays 'WEB-IIS cmd.exe access ' attempts on the
-server in an image file named thumb-cmd.exe.gif. Each time this image
-is accessed it generates an event.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
-
-Ensure that the IIS implementation is fully patched.
-
-Ensure that the underlying operating system is fully patched.
-
-Employ strategies to harden the IIS implementation and operating system.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-False positive information contributed by Chris McMahon
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/1003.txt snort-2.9.2/doc/signatures/1003.txt
--- snort-2.8.5.2/doc/signatures/1003.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/1003.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid: 1003
-
-
---
-Summary:
-This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
-
---
-Impact:
-Information gathering possible administrator access.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
-
-The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
-
-The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
-
-Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
-
---
-Affected Systems:
-Any host using IIS.
-
---
-Attack Scenarios:
-An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
-
-Ensure that the IIS implementation is fully patched.
-
-Ensure that the underlying operating system is fully patched.
-
-Employ strategies to harden the IIS implementation and operating system.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/1004.txt snort-2.9.2/doc/signatures/1004.txt
--- snort-2.8.5.2/doc/signatures/1004.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/1004.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-1004
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft Internet Information
-Server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft Internet Information Server (IIS). Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
---
-Affected Systems:
- All systems running Microsoft IIS
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/1005.txt snort-2.9.2/doc/signatures/1005.txt
--- snort-2.8.5.2/doc/signatures/1005.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/1005.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-1005
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft Internet Information
-Server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft Internet Information Server (IIS). Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
---
-Affected Systems:
- All systems running Microsoft IIS
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/1007.txt snort-2.9.2/doc/signatures/1007.txt
--- snort-2.8.5.2/doc/signatures/1007.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/1007.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,81 +0,0 @@ -Rule: - --- -Sid: -1007 - --- -Summary: -This event is generated when a cross-site scripting attack is being -attempted, or a potential attacker is testing your site to determine if -it is vulnerable. - --- -Impact: -Successful cross-site scripting attacks generally target the users of -your web site. Attackers can potentially gain access to your users' -cookies or session ids, allowing the attacker to impersonate your -user. They could also set up elaborate fake logon screens to steal -user names and passwords. - --- -Detailed Information: -Whenever a web application accepts input (either via the URL or the -POST method) and then uses that input as part of the HTML of a new page -without filtering, the application is vulnerable to cross-site -scripting. The traditional means of exploiting this is to embed a -" - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2306.txt snort-2.9.2/doc/signatures/2306.txt --- snort-2.8.5.2/doc/signatures/2306.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2306.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application Gallery running on a server.
-
---
-Impact:
-Possible execution of arbitrary code.
-
---
-Detailed Information:
-This event is generated when an attempt is made to include script when
-accessing the file index.php for the PHP application Gallery. This
-application fails to properly check the source of an included file in
-the script index.php. As a result an attacker is presented with the
-opportunity to execute code of their choosing with the privileges of the
-user running the web server.
-
---
-Affected Systems:
- All systems running the PHP application Calerndar.
-
---
-Attack Scenarios:
-An attacker can include code of their choosing by supplying a URI to
-their script as a parameter to the HTTP GET request.
-
---
-Ease of Attack:
-Simple. No exploit required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2307.txt snort-2.9.2/doc/signatures/2307.txt
--- snort-2.8.5.2/doc/signatures/2307.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2307.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-2307
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PayPal Storefront PHP web application running on a server.
-
---
-Impact:
-Possible execution of arbitrary code of the attackers choosing.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PayPal Storefront PHP web application running
-on a server. It may be possible for an attacker to include code of their
-choosing from a source external to the server running the application.
-This code will execute with the privileges of the user running the web
-server.
-
-The vulnerability exists due to inadequate verification of include file
-locations in the application.
-
---
-Affected Systems:
- PayPal Store Front 3.0, others may also be affected.
-
---
-Attack Scenarios:
-An attacker might include their code by including the URI to the script
-in the HTTP GET parameters when calling index.php.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-The content/pcre criteria: "content:"page="; pcre:"/page=(http|https|ftp)/i";
-Are met frequently by the strings "page=http" and "lastpage=http" which
-occur relatively often in the text of cookies, most commonly ones associated
-with MSN passport.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-False positive information contributed by Alan Whinery
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2308.txt snort-2.9.2/doc/signatures/2308.txt
--- snort-2.8.5.2/doc/signatures/2308.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2308.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2308
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft Windows Workstation service.
-
---
-Impact:
-Serious. Denial of Service (DoS), execution of arbitrary code is
-possible.
-
---
-Detailed Information:
-Due to insufficient bounds checking in the Microsoft Windows Workstation
-service, it may be possible for an attacker to overwrite portions of
-memory. This can result in the attacker being presented with the
-opportunity to execute code of their choosing. Under some circumstances
-a Denial of Service condition may be possible against the target host.
-
-Specifically, the DCE/RPC service allows for overly long strings to be
-sent to the Workstation logging function. This logging function does not
-check parameters sufficiently which results in the buffer overflow
-condition.
-
---
-Affected Systems:
- Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
- Microsoft Windows XP, Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition
-
---
-Attack Scenarios:
-The attacker may use one of the available exploits to target a
-vulnerable host.
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches and service packs.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-CERT:
-http://www.cert.org/advisories/CA-2003-28.html
-http://www.kb.cert.org/vuls/id/567620
-
-Microsoft:
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-049.asp
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2309.txt snort-2.9.2/doc/signatures/2309.txt
--- snort-2.8.5.2/doc/signatures/2309.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2309.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2309
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft Windows Workstation service.
-
---
-Impact:
-Serious. Denial of Service (DoS), execution of arbitrary code is
-possible.
-
---
-Detailed Information:
-Due to insufficient bounds checking in the Microsoft Windows Workstation
-service, it may be possible for an attacker to overwrite portions of
-memory. This can result in the attacker being presented with the
-opportunity to execute code of their choosing. Under some circumstances
-a Denial of Service condition may be possible against the target host.
-
-Specifically, the DCE/RPC service allows for overly long strings to be
-sent to the Workstation logging function. This logging function does not
-check parameters sufficiently which results in the buffer overflow
-condition.
-
---
-Affected Systems:
- Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
- Microsoft Windows XP, Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition
-
---
-Attack Scenarios:
-The attacker may use one of the available exploits to target a
-vulnerable host.
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches and service packs.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-CERT:
-http://www.cert.org/advisories/CA-2003-28.html
-http://www.kb.cert.org/vuls/id/567620
-
-Microsoft:
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-049.asp
-
---
diff -Nru snort-2.8.5.2/doc/signatures/230.txt snort-2.9.2/doc/signatures/230.txt
--- snort-2.8.5.2/doc/signatures/230.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/230.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
---
-Sid:
-230
-
---
-Summary:
-This event is generated when a DDoS Shaft client communicates with a Shaft handler. It is also possible that this event may be generated when any host attempts to discover or detect a Shaft handler.
-
---
-Impact:
-Attempted DDoS. If the listed source IP is in your network, it may be a Shaft client or a host attempting to discover Shaft handlers. If the listed destination IP is in your network, it may be a Shaft handler.
-
---
-Detailed Information:
-The Shaft DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. At the highest level, clients communicate with handlers to direct them to launch attacks. A client may communicate with a handler via TCP destination port 20432.
-
---
-Affected Systems:
-Any Shaft compromised host.
-
---
-Attack Scenarios:
-A Shaft client needs to communicate with handlers to direct attacks.
-
---
-Ease of Attack:
-Simple. Shaft code is freely available.
-
---
-False Positives:
-A legitimate server port of 20432 will cause this rule to fire. It may also create a false positive if port 20432 is selected as an FTP data port.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
-
-Rebuild a confirmed compromised host.
-
-Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
-
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS254
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2310.txt snort-2.9.2/doc/signatures/2310.txt
--- snort-2.8.5.2/doc/signatures/2310.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2310.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2310
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft Windows Workstation service.
-
---
-Impact:
-Serious. Denial of Service (DoS), execution of arbitrary code is
-possible.
-
---
-Detailed Information:
-Due to insufficient bounds checking in the Microsoft Windows Workstation
-service, it may be possible for an attacker to overwrite portions of
-memory. This can result in the attacker being presented with the
-opportunity to execute code of their choosing. Under some circumstances
-a Denial of Service condition may be possible against the target host.
-
-Specifically, the DCE/RPC service allows for overly long strings to be
-sent to the Workstation logging function. This logging function does not
-check parameters sufficiently which results in the buffer overflow
-condition.
-
---
-Affected Systems:
- Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
- Microsoft Windows XP, Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition
-
---
-Attack Scenarios:
-The attacker may use one of the available exploits to target a
-vulnerable host.
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches and service packs.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-CERT:
-http://www.cert.org/advisories/CA-2003-28.html
-http://www.kb.cert.org/vuls/id/567620
-
-Microsoft:
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-049.asp
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2311.txt snort-2.9.2/doc/signatures/2311.txt
--- snort-2.8.5.2/doc/signatures/2311.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2311.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2311
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft Windows Workstation service.
-
---
-Impact:
-Serious. Denial of Service (DoS), execution of arbitrary code is
-possible.
-
---
-Detailed Information:
-Due to insufficient bounds checking in the Microsoft Windows Workstation
-service, it may be possible for an attacker to overwrite portions of
-memory. This can result in the attacker being presented with the
-opportunity to execute code of their choosing. Under some circumstances
-a Denial of Service condition may be possible against the target host.
-
-Specifically, the DCE/RPC service allows for overly long strings to be
-sent to the Workstation logging function. This logging function does not
-check parameters sufficiently which results in the buffer overflow
-condition.
-
---
-Affected Systems:
- Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
- Microsoft Windows XP, Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition
-
---
-Attack Scenarios:
-The attacker may use one of the available exploits to target a
-vulnerable host.
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches and service packs.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-CERT:
-http://www.cert.org/advisories/CA-2003-28.html
-http://www.kb.cert.org/vuls/id/567620
-
-Microsoft:
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-049.asp
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2312.txt snort-2.9.2/doc/signatures/2312.txt
--- snort-2.8.5.2/doc/signatures/2312.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2312.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2312
-
---
-Summary:
-This event is generated when suspicious shell code is detected in
-network traffic.
-
---
-Impact:
-Denial of Service (DoS) possible execution of arbitrary code.
-
---
-Detailed Information:
-This event is generated when suspicious shell code is detected. Many
-buffer overflow attacks contain large numbers of NOOP instrucions to pad
-out the request. Other attacks contain specific shell code sequences
-directed at certain applications or services.
-
-The shellcode in question may also use Unicode encoding.
-
---
-Affected Systems:
- Any software running on x86 architecture.
-
---
-Attack Scenarios:
-An attacker may exploit a DCERPC service by sending shellcode in the RPC
-data stream. Sending large amounts of data to the Microsoft Workstation
-service can cause a buffer overflow condition in the logging function
-thus presenting an attacker with the opportunity to issue a DoS attack
-or in some cases, to execute code of their choosing.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-False positives may be generated by binary file transfers.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Make sure the target host has all current patches applied and has the
-latest software versions installed.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2313.txt snort-2.9.2/doc/signatures/2313.txt
--- snort-2.8.5.2/doc/signatures/2313.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2313.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2313
-
---
-Summary:
-This event is generated when suspicious shell code is detected in
-network traffic.
-
---
-Impact:
-Denial of Service (DoS) possible execution of arbitrary code.
-
---
-Detailed Information:
-This event is generated when suspicious shell code is detected. Many
-buffer overflow attacks contain large numbers of NOOP instrucions to pad
-out the request. Other attacks contain specific shell code sequences
-directed at certain applications or services.
-
-The shellcode in question may also use Unicode encoding.
-
---
-Affected Systems:
- Any software running on x86 architecture.
-
---
-Attack Scenarios:
-An attacker may exploit a DCERPC service by sending shellcode in the RPC
-data stream. Sending large amounts of data to the Microsoft Workstation
-service can cause a buffer overflow condition in the logging function
-thus presenting an attacker with the opportunity to issue a DoS attack
-or in some cases, to execute code of their choosing.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-False positives may be generated by binary file transfers.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Make sure the target host has all current patches applied and has the
-latest software versions installed.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2314.txt snort-2.9.2/doc/signatures/2314.txt
--- snort-2.8.5.2/doc/signatures/2314.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2314.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2314
-
---
-Summary:
-This event is generated when suspicious shell code is detected in
-network traffic.
-
---
-Impact:
-Denial of Service (DoS) possible execution of arbitrary code.
-
---
-Detailed Information:
-This event is generated when suspicious shell code is detected. Many
-buffer overflow attacks contain large numbers of NOOP instrucions to pad
-out the request. Other attacks contain specific shell code sequences
-directed at certain applications or services.
-
-The shellcode in question may also use Unicode encoding.
-
---
-Affected Systems:
- Any software running on x86 architecture.
-
---
-Attack Scenarios:
-An attacker may exploit a DCERPC service by sending shellcode in the RPC
-data stream. Sending large amounts of data to the Microsoft Workstation
-service can cause a buffer overflow condition in the logging function
-thus presenting an attacker with the opportunity to issue a DoS attack
-or in some cases, to execute code of their choosing.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-False positives may be generated by binary file transfers.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Make sure the target host has all current patches applied and has the
-latest software versions installed.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2315.txt snort-2.9.2/doc/signatures/2315.txt
--- snort-2.8.5.2/doc/signatures/2315.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2315.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2315
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft Windows Workstation service.
-
---
-Impact:
-Serious. Denial of Service (DoS), execution of arbitrary code is
-possible.
-
---
-Detailed Information:
-Due to insufficient bounds checking in the Microsoft Windows Workstation
-service, it may be possible for an attacker to overwrite portions of
-memory. This can result in the attacker being presented with the
-opportunity to execute code of their choosing. Under some circumstances
-a Denial of Service condition may be possible against the target host.
-
-Specifically, the DCE/RPC service allows for overly long strings to be
-sent to the Workstation logging function. This logging function does not
-check parameters sufficiently which results in the buffer overflow
-condition.
-
---
-Affected Systems:
- Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
- Microsoft Windows XP, Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition
-
---
-Attack Scenarios:
-The attacker may use one of the available exploits to target a
-vulnerable host.
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches and service packs.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-CERT:
-http://www.cert.org/advisories/CA-2003-28.html
-http://www.kb.cert.org/vuls/id/567620
-
-Microsoft:
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-049.asp
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2316.txt snort-2.9.2/doc/signatures/2316.txt
--- snort-2.8.5.2/doc/signatures/2316.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2316.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2316
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft Windows Workstation service.
-
---
-Impact:
-Serious. Denial of Service (DoS), execution of arbitrary code is
-possible.
-
---
-Detailed Information:
-Due to insufficient bounds checking in the Microsoft Windows Workstation
-service, it may be possible for an attacker to overwrite portions of
-memory. This can result in the attacker being presented with the
-opportunity to execute code of their choosing. Under some circumstances
-a Denial of Service condition may be possible against the target host.
-
-Specifically, the DCE/RPC service allows for overly long strings to be
-sent to the Workstation logging function. This logging function does not
-check parameters sufficiently which results in the buffer overflow
-condition.
-
---
-Affected Systems:
- Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
- Microsoft Windows XP, Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition
-
---
-Attack Scenarios:
-The attacker may use one of the available exploits to target a
-vulnerable host.
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches and service packs.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-CERT:
-http://www.cert.org/advisories/CA-2003-28.html
-http://www.kb.cert.org/vuls/id/567620
-
-Microsoft:
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-049.asp
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2317.txt snort-2.9.2/doc/signatures/2317.txt
--- snort-2.8.5.2/doc/signatures/2317.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2317.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-2317
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Concurrent Versions System (CVS).
-
---
-Impact:
-Serious. Manipulation of the host file system is possible.
-
---
-Detailed Information:
-Concurrent Versions System (CVS) is used to track the history of source
-code files when developing software.
-
-Some versions of CVS contain a vulnerability that may allow an attacker
-to create directories or files in the host filesystem external to the
-cvsroot. This is achieved via a malformed module request.
-
---
-Affected Systems:
- CVS versions prior to 1.11.10
-
---
-Attack Scenarios:
-An attacker may send a specially crafted request to a cvs server and
-create files and directories of their choosing in the hosts root
-filesystem. The attacker may then access these files at will to further
-compromise the system.
-
---
-Ease of Attack:
-Simple. No exploit software is required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-If compression is being used in data communications between the CVS
-server and clients, this rule will not generate an event.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2318.txt snort-2.9.2/doc/signatures/2318.txt
--- snort-2.8.5.2/doc/signatures/2318.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2318.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-2318
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Concurrent Versions System (CVS).
-
---
-Impact:
-Serious. Manipulation of the host file system is possible.
-
---
-Detailed Information:
-Concurrent Versions System (CVS) is used to track the history of source
-code files when developing software.
-
-Some versions of CVS contain a vulnerability that may allow an attacker
-to create directories or files in the host filesystem external to the
-cvsroot. This is achieved via a malformed module request.
-
---
-Affected Systems:
- CVS versions prior to 1.11.10
-
---
-Attack Scenarios:
-An attacker may send a specially crafted request to a cvs server and
-create files and directories of their choosing in the hosts root
-filesystem. The attacker may then access these files at will to further
-compromise the system.
-
---
-Ease of Attack:
-Simple. No exploit software is required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-If compression is being used in data communications between the CVS
-server and clients, this rule will not generate an event.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2319.txt snort-2.9.2/doc/signatures/2319.txt
--- snort-2.8.5.2/doc/signatures/2319.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2319.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2319
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Ebola from PLD Software.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible.
-
---
-Detailed Information:
-Ebola from PLD Software is used to improve the performance of Anti-Virus
-solutions on Linux systems.
-
-A buffer overflow condition is present in the authentication mechanism
-such that it may be triggered by the generation of an error message from
-an unsuccessful authentication attempt.
-
---
-Affected Systems:
- All versions of Ebola prior to 0.1.5
-
---
-Attack Scenarios:
-An attacker can send specially crafted authentication attempts to the Ebola system and
-cause the buffer overflow thus presenting the opportunity to execute
-arbitrary code.
-
---
-Ease of Attack:
-Simple. Expoits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/231.txt snort-2.9.2/doc/signatures/231.txt
--- snort-2.8.5.2/doc/signatures/231.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/231.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
---
-Sid:
-231
-
---
-Summary:
-This event is generated when a pong packet for the Trinoo (aka trin00)
-DDos suite is detected.
-
---
-Impact:
-This may indicate a compromised system or be the prelude to a
-Distributed Denial of Service (DDoS) attack.
-
---
-Detailed Information:
-Once a Trinoo client has been installed on a compromised machine and a master is
-ready and listening, the master sends a "png" (ping) command to its drones in
-an attempt to enumerate the drone network. A functioning client will respond to
-port 31335/udp with the text "PONG".
-
-Once a machine becomes part of a trin00 network, a Denial of Service (DoS)
-is typically initiated against one (or more) victim machines.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-As part of a large scale attack against a machine or a network, an
-attacker will compromise large numbers of machines which will form the
-army that the trin00 master daemon will command. The master daemon
-typically instructs the clients to send mass-quantities of packets to
-a set of victim hosts. If the traffic is sufficient, the victim
-machines will become resource deprived and thus endure a DoS condition.
-
---
-Ease of Attack:
-Simple. Trinoo client and master programs are widely available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disconnect infected machine(s) from the network immediately.
-
-Use software to determine if a host has been compromised using a
-rootkit.
-
---
-Contributors:
-Original rule writer unknown
-Snort documentation contributed by Jon Hart
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
-SANS:
-http://www.sans.org/newlook/resources/IDFAQ/trinoo.htm
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2320.txt snort-2.9.2/doc/signatures/2320.txt
--- snort-2.8.5.2/doc/signatures/2320.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2320.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2320
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Ebola from PLD Software.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible.
-
---
-Detailed Information:
-Ebola from PLD Software is used to improve the performance of Anti-Virus
-solutions on Linux systems.
-
-A buffer overflow condition is present in the authentication mechanism
-such that it may be triggered by the generation of an error message from
-an unsuccessful authentication attempt.
-
---
-Affected Systems:
- All versions of Ebola prior to 0.1.5
-
---
-Attack Scenarios:
-An attacker can send specially crafted authentication attempts to the Ebola system and
-cause the buffer overflow thus presenting the opportunity to execute
-arbitrary code.
-
---
-Ease of Attack:
-Simple. Expoits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2321.txt snort-2.9.2/doc/signatures/2321.txt
--- snort-2.8.5.2/doc/signatures/2321.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2321.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-2321
-
---
-Summary:
-This event is generated when an attempt is made to access foxweb.exe, a
-CGI web application running on a server.
-
---
-Impact:
-Possible execution of arbitrary code of the attackers choosing.
-
---
-Detailed Information:
-The FoxWeb application is used to communicate with FoxPro databases. The
-program foxweb.exe contains an error that may allow an attacker to
-execute arbitrary code of their choosing and possibly gain unauthorized
-administrator access to the server.
-
---
-Affected Systems:
- FoxWeb 2.5 and prior
-
---
-Attack Scenarios:
-An attacker can exploit weaknesses to gain access as the administrator by supplying input of
-their choosing to the CGI program.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2322.txt snort-2.9.2/doc/signatures/2322.txt
--- snort-2.8.5.2/doc/signatures/2322.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2322.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-2322
-
---
-Summary:
-This event is generated when an attempt is made to access foxweb.dll, a
-component of the FoxWeb CGI web application running on a server.
-
---
-Impact:
-Possible execution of arbitrary code of the attackers choosing.
-
---
-Detailed Information:
-The FoxWeb application is used to communicate with FoxPro databases. The
-program foxweb.exe contains an error that may allow an attacker to
-execute arbitrary code of their choosing and possibly gain unauthorized
-administrator access to the server.
-
---
-Affected Systems:
- FoxWeb 2.5 and prior
-
---
-Attack Scenarios:
-An attacker can exploit weaknesses to gain access as the administrator by supplying input of
-their choosing to the CGI program.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2323.txt snort-2.9.2/doc/signatures/2323.txt
--- snort-2.8.5.2/doc/signatures/2323.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2323.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-2323
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the QuickStore CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to the QuickStore CGI application running on a web server. This
-application does not perform stringent checks when validating the input
-from a user to the script.
-
-The error document produced by the application may disclose sensitive
-information about the installation of the application.
-
---
-Affected Systems:
- QuickStore 2.12 and prior
-
---
-Attack Scenarios:
-An attacker can supply input to the quickstore.cgi script using a single
-quote character in the "store" parameter. This will cause the script to
-generate an error and disclose the information described above.
-
-For example: http://vulnerable.com/cgi-bin/quickstore.cgi?store='
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2324.txt snort-2.9.2/doc/signatures/2324.txt
--- snort-2.8.5.2/doc/signatures/2324.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2324.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-2324
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Virtual Programming VP-ASP web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Virtual Programming VP-ASP web application running on a
-server. It may be possible to use SQL injection techniques to supply
-SQL code of an attackers choosing to the database used in the
-application.
-
---
-Affected Systems:
- Virtual Programming VP-ASP 4.0
- Virtual Programming VP-ASP 5.0
-
---
-Attack Scenarios:
-An attacker can inject SQL code of their choosing to view and manipulate
-data stored in the underlying database used by the application.
-
---
-Ease of Attack:
-Simple. Exploit software is not required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2325.txt snort-2.9.2/doc/signatures/2325.txt
--- snort-2.8.5.2/doc/signatures/2325.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2325.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-2325
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Virtual Programming VP-ASP web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Virtual Programming VP-ASP web application running on a
-server. It may be possible to use SQL injection techniques to supply
-SQL code of an attackers choosing to the database used in the
-application.
-
---
-Affected Systems:
- Virtual Programming VP-ASP 4.0
- Virtual Programming VP-ASP 5.0
-
---
-Attack Scenarios:
-An attacker can inject SQL code of their choosing to view and manipulate
-data stored in the underlying database used by the application.
-
---
-Ease of Attack:
-Simple. Exploit software is not required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2326.txt snort-2.9.2/doc/signatures/2326.txt
--- snort-2.8.5.2/doc/signatures/2326.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2326.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-2326
-
---
-Summary:
-This event is generated when a cross-site scripting attack is being
-attempted against the SGDynamo web application.
-
---
-Impact:
-Successful cross-site scripting attacks generally target the users of
-a web site. Attackers can potentially gain access to a users' cookies
-or session identification credentials, allowing the attacker to
-impersonate the user.
-
---
-Detailed Information:
-The SGDynamo web application does not correctly filter script code in
-URL supplied parameters. It is possible for an attacker to place code of
-their choosing in a link supplied to the application. The code is then
-executed in the browser of a user who clicks on the link.
-
-The error occurs in checking the parameters supplied via the HTNAME
-parameter in the application.
-
---
-Affected Systems:
-Many older versions of web server software are affected, as are numerous
-web applications.
-
---
-Attack Scenarios:
-The most common avenue of attack is for the attacker to send an HTML
-formatted email to the victim. The email will contain a link to a
-specially crafted URL which contains the exploit. When the victim clicks
-on the link, they are directed to the vulnerable web site and the attack
-code is executed by their browser.
-
---
-Affected Systems:
- Ecometry SGDynamo 5.32 U
- Ecometry SGDynamo 5.32 T
- Ecometry SGDynamo 6.1
- Ecometry SGDynamo 7.0
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2327.txt snort-2.9.2/doc/signatures/2327.txt
--- snort-2.8.5.2/doc/signatures/2327.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2327.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-2327
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in BulletScript MailList CGI mailing list manager running on a server.
-
---
-Impact:
-Information gathering and possible theft of user information.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in BulletScript MailList CGI mailing list manager running on a server.
-The script bsml.pl does not perform stringent checks when processing
-input supplied via the action parameter to the script.
-
-It may be possible for an attacker to compromise the integrity of the
-database containing information pertaining to users of the mailing list
-being managed.
-
---
-Affected Systems:
- All systems running BulletScript MailList.
-
---
-Attack Scenarios:
-An attacker can supply input of their choosing using the action
-parameter.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2328.txt snort-2.9.2/doc/signatures/2328.txt
--- snort-2.8.5.2/doc/signatures/2328.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2328.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2328
-
---
-Summary:
-This event is generated when an attempt is made to access the
-authentication_index.php script which contains known vulnerabilities and
-is part of the phpGedView CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the phpGedView CGI web application running on a server.
-Multiple vulnerabilities exist in the application which can lead to the
-execution of arbitrary code of the atttackers choosing.
-
---
-Affected Systems:
- phpGedView
-
---
-Attack Scenarios:
-An attacker can supply code of their choice by including a file in
-paramters supplied to the script.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2329.txt snort-2.9.2/doc/signatures/2329.txt
--- snort-2.8.5.2/doc/signatures/2329.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2329.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,78 +0,0 @@
-Rule:
-
---
-Sid:
-2329
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Windows Data Access Components.
-
---
-Impact:
-Serious. Execution of arbitrary code is possible. Denial of Service
-(DoS)
-
---
-Detailed Information:
-It may be possible for an attacker to send a specially crafted response
-to a client broadcast query searching for an SQL server. This response
-could take advantage of a buffer overrun condition in an MDAC component
-which may result in the attacker being presented with the opportunity to
-execute code of their choosing with the privileges of the user running
-the service on the client system.
-
-A DoS condition may also manifest in MDAC version 2.8.
-
-MDAC is included by default on many Microsoft Windows systems. Client
-workstations may make regular broadcast announcements in an attempt to
-find SQL servers.
-
---
-Affected Systems:
- Microsoft Data Access Components 2.5
- Microsoft Data Access Components 2.6
- Microsoft Data Access Components 2.7
- Microsoft Data Access Components 2.8
-
---
-Attack Scenarios:
-The attacker may spoof the response from an SQL server to exploit the
-vulnerability.
-
---
-Ease of Attack:
-Moderate..
-
---
-False Positives:
-Since this rule cannot be constrained using ports and the connection
-state for MSDAC is not tracked, false positive events may occur under
-normal circumstances. The $SQL_SERVERS variable in snort.conf should be
-configured correctly to eliminate this behavior.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches and service packs.
-
-Disallow access to database servers from sources external to the
-protected network.
-
-Disallow access to database servers from untrusted hosts.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/232.txt snort-2.9.2/doc/signatures/232.txt
--- snort-2.8.5.2/doc/signatures/232.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/232.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
---
-Sid:
-232
-
---
-Summary:
-This event is generated when a pong packet for the Trinoo (aka trin00)
-DDos suite is detected.
-
---
-Impact:
-This may indicate a compromised system or be the prelude to a
-Distributed Denial of Service (DDoS) attack.
-
---
-Detailed Information:
-Once a Trinoo client has been installed on a compromised machine and a master is
-ready and listening, the master sends a "png" (ping) command to its drones in
-an attempt to enumerate the drone network. A functioning client will respond to
-port 31335/udp with the text "PONG".
-
-Once a machine becomes part of a trin00 network, a Denial of Service (DoS)
-is typically initiated against one (or more) victim machines.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-As part of a large scale attack against a machine or a network, an
-attacker will compromise large numbers of machines which will form the
-army that the trin00 master daemon will command. The master daemon
-typically instructs the clients to send mass-quantities of packets to
-a set of victim hosts. If the traffic is sufficient, the victim
-machines will become resource deprived and thus endure a DoS condition.
-
---
-Ease of Attack:
-Simple. Trinoo client and master programs are widely available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disconnect infected machine(s) from the network immediately.
-
-Use software to determine if a host has been compromised using a
-rootkit.
-
---
-Contributors:
-Original rule writer unknown
-Snort documentation contributed by Jon Hart
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
-SANS:
-http://www.sans.org/newlook/resources/IDFAQ/trinoo.htm
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2330.txt snort-2.9.2/doc/signatures/2330.txt
--- snort-2.8.5.2/doc/signatures/2330.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2330.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2330
-
---
-Summary:
-This event is generated when a remote user sends an overly long string
-to an IMAP server via the command AUTH. This may indicate an attempt to
-exploit a buffer overflow condition.
-
---
-Impact:
-Serious. Possible remote execution of arbitrary code, which may lead to
-a remote root compromise.
-
---
-Detailed Information:
-When a large amount of data is sent to a vulnerable IMAP server in the
-AUTHENTICATE command, a buffer overflow condition may occur. This can
-allow the attacker to execute arbitrary code, which may allow the
-attacker to gain root access to the compromised server.
-
---
-Affected Systems:
- IMAP servers
-
---
-Attack Scenarios:
-An attacker can send a sufficiently long AUTHENTICATE command to the
-IMAP server, creating a buffer overflow condition. This can then allow
-the attacker to execute code of their choosing and possibly gain root
-access to the compromised server.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate patches for your operating system.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2331.txt snort-2.9.2/doc/signatures/2331.txt
--- snort-2.8.5.2/doc/signatures/2331.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2331.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2331
-
---
-Summary:
-This event is generated when an attempt is made to possibly gain
-administrative access to the MatrikzGB Guestbook PHP application running
-on a server.
-
---
-Impact:
-Possible administrative access to the Guestbook.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the MatrikzGB Guestbook web application running on a server.
-
-It is possible for an attacker to modify the appropriate URI parameter
-in the index.php script to gain administrative rightst to the MatrikzGB
-Guestbook.
-
---
-Affected Systems:
- MatrikzGB Guestbook 2.0
-
---
-Attack Scenarios:
-An attacker can supply "admin" to the "new_rights" parameter in the PHP
-script index.php.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2332.txt snort-2.9.2/doc/signatures/2332.txt
--- snort-2.8.5.2/doc/signatures/2332.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2332.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-2332
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an FTP server.
-
---
-Impact:
-Possible execution of arbitrary code.
-
---
-Detailed Information:
-FTP is used to transfer files between hosts. This event is indicative of spurious
-activity in FTP traffic between hosts.
-
-It is possible for a user to supply data to an FTP ommand and have it
-interpreted as code. The attacker might then be able to run code of
-their choosing with the privileges of the user running the FTP service.
-
---
-Affected Systems:
- PlatinumFTP PlatinumFTPserver 1.0.18
-
---
-Attack Scenarios:
-An attacker might utilize a vulnerability in an FTP daemon to gain access to a
-host, then upload a Trojan Horse program to gain control of that host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Upgrade to the latest non-affected version of the software.
-
-Disallow access to FTP resources from hosts external to the protected network.
-
-Use secure shell (ssh) to transfer files as a replacement for FTP.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2333.txt snort-2.9.2/doc/signatures/2333.txt
--- snort-2.8.5.2/doc/signatures/2333.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2333.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-2333
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an FTP server.
-
---
-Impact:
-Possible execution of arbitrary code.
-
---
-Detailed Information:
-FTP is used to transfer files between hosts. This event is indicative of spurious
-activity in FTP traffic between hosts.
-
-It is possible for a user to supply data to an FTP ommand and have it
-interpreted as code. The attacker might then be able to run code of
-their choosing with the privileges of the user running the FTP service.
-
---
-Affected Systems:
- PlatinumFTP PlatinumFTPserver 1.0.18
-
---
-Attack Scenarios:
-An attacker might utilize a vulnerability in an FTP daemon to gain access to a
-host, then upload a Trojan Horse program to gain control of that host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Upgrade to the latest non-affected version of the software.
-
-Disallow access to FTP resources from hosts external to the protected network.
-
-Use secure shell (ssh) to transfer files as a replacement for FTP.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2334.txt snort-2.9.2/doc/signatures/2334.txt
--- snort-2.8.5.2/doc/signatures/2334.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2334.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@ -Rule: - --- -Sid: -2334 - --- -Summary: -This event is generated when an attempt is made to access a Yak! FTP -server using the default username and password. - --- -Impact: -Administrative access to the server. - --- -Detailed Information: -Yak FTP servers have a default username and password of "user" and -"y049575046", if this is not changed by the administrator it is possible -for an attacker to gain unauthorised access to the server. - --- -Affected Systems: - Yak FTP servers - --- -Attack Scenarios: -An attacker merely needs to login to the server using the default -username and password. - --- -Ease of Attack: -Simple. No exploit software required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Change the username and password. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2335.txt snort-2.9.2/doc/signatures/2335.txt --- snort-2.8.5.2/doc/signatures/2335.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2335.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: -2335 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in AppleShare IP FTP Server. - --- -Impact: -Denial of Service (DoS) - --- -Detailed Information: -FTP is used to transfer files between hosts. This event is indicative of spurious -activity in FTP traffic between hosts. - -It is possible for a user to supply data to an FTP command, in this case -RMD, and cause the service to become unavailble to other users. - --- -Affected Systems: - Apple AppleShare IP 5.0, 5.0.1, 5.0.2, 5.0.3 - Apple AppleShare IP 6.1, 6.2, 6.3, 6.3.1 - --- -Attack Scenarios: -An attacker needs to login to the service and use the RMD command in a -specific manner to cause the DoS. - --- -Ease of Attack: -Simple. No exploit software required. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Upgrade to the latest non-affected version of the software. - -Disallow access to FTP resources from hosts external to the protected network. - -Use secure shell (ssh) to transfer files as a replacement for FTP. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2336.txt snort-2.9.2/doc/signatures/2336.txt --- snort-2.8.5.2/doc/signatures/2336.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2336.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2336 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Verilink NetEngine Broadband Router. - --- -Impact: -Denial of Service (DoS) - --- -Detailed Information: -TFTP is used to transfer files between hosts and devices. This event is indicative of spurious -activity in TFTP traffic between hosts. - -It is possible for an attacker to send a NULL opcode to a Verilink -NetEngine Broadband Router, this may cause the router to become -unresponsive. - --- -Affected Systems: - Verilink NetEngine 6100-4 - --- -Attack Scenarios: -An attacker may use a publicly available exploit script to cause the -DoS. - --- -Ease of Attack: -Simple. Exploit code is available. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Upgrade to the latest non-affected version of the software. --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2337.txt snort-2.9.2/doc/signatures/2337.txt --- snort-2.8.5.2/doc/signatures/2337.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2337.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,66 +0,0 @@ -Rule: - --- -Sid: -2337 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Tellurian TftpdNT. - --- -Impact: -Execution of arbitrary code. Possible unauthorised root access. - --- -Detailed Information: -FTP is used to transfer files between hosts. This event is indicative of spurious -activity in FTP traffic between hosts. - -It is possible for an attacker to expoit a buffer overrun condition in -Tellurian TftpdNT. User supplied filenames are not correctly handled by -some versions of Tellurian TftpdNT, this may result in an attacker being -able to cause the overrun condition to occur. - --- -Affected Systems: - Tellurian TftpdNT 2.0 and prior - --- -Attack Scenarios: -An attacker may use a publicly available exploit script to take -advantage of the vulnerability. - --- -Ease of Attack: -Simple. Exploit code exists. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Upgrade to the latest non-affected version of the software. - -Disallow access to FTP resources from hosts external to the protected network. - -Use secure shell (ssh) to transfer files as a replacement for FTP. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2338.txt snort-2.9.2/doc/signatures/2338.txt --- snort-2.8.5.2/doc/signatures/2338.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2338.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -2338 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in GtkFtpd. - --- -Impact: -Execution of arbitrary code. Possible unauthorized root access. - --- -Detailed Information: -GtkFtpd fails to perform sufficient checks on user supplied data to the -daemon. An attacker may exploit this vulnerability to execute code of -their choosing as the root user. This may also lead to remote root -access to the server. - --- -Affected Systems: - GtkFtpd 1.0.2, 1.0.3 and 1.0.4 - --- -Attack Scenarios: -An attacker may use a publicly available exploit script to take -advantage of the vulnerability. - --- -Ease of Attack: -Simple. Exploit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Upgrade to the latest non-affected version of the software. - -Use scp/sftp as an alternative to ftp. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2339.txt snort-2.9.2/doc/signatures/2339.txt --- snort-2.8.5.2/doc/signatures/2339.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2339.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -2339 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Verilink Netengine Broadband Routers. - --- -Impact: -Denial of Service (DoS) - --- -Detailed Information: -TFTP is used to transfer files between hosts. This event is indicative of spurious -activity in TFTP traffic from a host to a router. - -It is possible for an attacker to expoit a DoS condition in -Netengine routers. If a UDP packet containing a double-null opcode is -sent to the router's TFTP port the router may crash, thus causing the -DoS. - --- -Affected Systems: - Verilink Netengine Broadband Routers - --- -Attack Scenarios: -An attacker may use a publicly available exploit script to take -advantage of the vulnerability. - --- -Ease of Attack: -Simple. Exploit code exists. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/233.txt snort-2.9.2/doc/signatures/233.txt --- snort-2.8.5.2/doc/signatures/233.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/233.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: --- -Sid: -233 - --- -Summary: -This event is generated when a pong packet for the Trinoo (aka trin00) -DDos suite is detected. - --- -Impact: -This may indicate a compromised system or be the prelude to a -Distributed Denial of Service (DDoS) attack. - --- -Detailed Information: -Once a Trinoo client has been installed on a compromised machine and a master is -ready and listening, the master sends a "png" (ping) command to its drones in -an attempt to enumerate the drone network. A functioning client will respond to -port 31335/udp with the text "PONG". - -Once a machine becomes part of a trin00 network, a Denial of Service (DoS) -is typically initiated against one (or more) victim machines. - --- -Affected Systems: - --- -Attack Scenarios: -As part of a large scale attack against a machine or a network, an -attacker will compromise large numbers of machines which will form the -army that the trin00 master daemon will command. The master daemon -typically instructs the clients to send mass-quantities of packets to -a set of victim hosts. If the traffic is sufficient, the victim -machines will become resource deprived and thus endure a DoS condition. - --- -Ease of Attack: -Simple. Trinoo client and master programs are widely available. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disconnect infected machine(s) from the network immediately. - -Use software to determine if a host has been compromised using a -rootkit. 
- --- -Contributors: -Original rule writer unknown -Snort documentation contributed by Jon Hart -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - -SANS: -http://www.sans.org/newlook/resources/IDFAQ/trinoo.htm - --- diff -Nru snort-2.8.5.2/doc/signatures/2340.txt snort-2.9.2/doc/signatures/2340.txt --- snort-2.8.5.2/doc/signatures/2340.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2340.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2340 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overflow vulnerability associated with RhinoSoft Serv-u FTP Server CHMOD -command. - --- -Impact: -Remote access. A successful attack may permit the remote execution of -arbitrary commands with system privileges. - --- -Detailed Information: -Serv-u offers FTP servers for Windows hosts. A vulnerability exists -with the CHMOD command that can cause a buffer overflow and permit the -execution of arbitrary commands with system privileges. The buffer -overflow can be caused by supplying an overly long argument to the CHMOD -command. - --- -Affected Systems: - RhinoSoft Serv-u FTP Server prior to version 4.2 - --- -Attack Scenarios: -An attacker can supply an overly long file argument with the CHMOD -command, causing a buffer overflow. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2341.txt snort-2.9.2/doc/signatures/2341.txt --- snort-2.8.5.2/doc/signatures/2341.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2341.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -2341 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the PHP web application DCP-Portal. - --- -Impact: -Execution of arbitrary code on the affected system - --- -Detailed Information: -DCP-Portal contains a flaw such that it may be possible for an attacker -to include code of their choosing by manipulating the variable root when -making a GET or POST request to a vulnerable system. - -It may be possible for an attacker to execute that code with the -privileges of the user running the webserver, usually root by supplying -their code in a file included from an external source by modifying the -variable "root" in the editor.php script. - --- -Affected Systems: - DCP-Portal 5.0.1 - --- -Attack Scenarios: -An attacker can make a request to an affected script and define their -own path for the root variable. - --- -Ease of Attack: -Simple. No exploit software required. - --- -False Positives: -None known - --- -False Negatives: -None known - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Upgrade to the latest non-affected version of the software - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2342.txt snort-2.9.2/doc/signatures/2342.txt --- snort-2.8.5.2/doc/signatures/2342.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2342.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -2342 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the PHP web application DCP-Portal. - --- -Impact: -Execution of arbitrary code on the affected system - --- -Detailed Information: -DCP-Portal contains a flaw such that it may be possible for an attacker -to include code of their choosing by manipulating the variable root when -making a GET or POST request to a vulnerable system. - -It may be possible for an attacker to execute that code with the -privileges of the user running the webserver, usually root by supplying -their code in a file included from an external source by modifying the -variable "root" in the editor.php script. - --- -Affected Systems: - DCP-Portal 5.0.1 - --- -Attack Scenarios: -An attacker can make a request to an affected script and define their -own path for the root variable. - --- -Ease of Attack: -Simple. No exploit software required. - --- -False Positives: -None known - --- -False Negatives: -None known - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Upgrade to the latest non-affected version of the software - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2343.txt snort-2.9.2/doc/signatures/2343.txt --- snort-2.8.5.2/doc/signatures/2343.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2343.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2343 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overflow vulnerability associated with WuFtpd STOR command. - --- -Impact: -Remote access. A successful attack may permit the remote execution of -arbitrary commands with system privileges. - --- -Detailed Information: -WuFtpd is an FTP server based on BSD ftpd. A vulnerability exists -with the STOR command that can cause a buffer overflow and permit the -execution of arbitrary commands with system privileges. The buffer -overflow can be caused by supplying an overly long argument to the STOR -command. - -The issue exists in the SockPrintf() function. A server using the -MAIL_ADMIN option to send email notifications to the administrator when -files are uploaded to the server, is vulnerable to the attack. It is -possible for an attacker to send malformed data to the store() function -via sockprintf() that will cause the overflow condition to occur, the -error can be generated by the attacker creating a filename greater than -32768 bytes in length. - --- -Affected Systems: - - --- -Attack Scenarios: -An attacker can supply an overly long file argument with the STOR -command, causing a buffer overflow. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - -Use scp as an alternative to ftp - -Disallow ftp access to internal resources from external sources - -Disable the MAIL_ADMIN option - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2344.txt snort-2.9.2/doc/signatures/2344.txt --- snort-2.8.5.2/doc/signatures/2344.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2344.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: -2344 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in ArGoSoft FTP Server. - --- -Impact: -Execution of arbitrary code. Possible unauthorized administrative access. - --- -Detailed Information: -ArGoSoft FTP Server fails to perform sufficient checks on user supplied data to the -XCWD command. An attacker may exploit this vulnerability to execute code of -their choosing as the user running the process. This may lead to remote -administrative access to the server. - --- -Affected Systems: - ArGoSoft FTP Server 1.4.1 .1 - --- -Attack Scenarios: -An attacker may connect to the server and supply spurious data to the -XCWD command causing the overrun to occur. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2345.txt snort-2.9.2/doc/signatures/2345.txt --- snort-2.8.5.2/doc/signatures/2345.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2345.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,58 +0,0 @@ -Rule: - --- -Sid: -2345 - --- -Summary: -This event is generated when an attempt is made to access the -search.php script which contains known vulnerabilities and -is part of the phpGedView CGI web application running on a server. - --- -Impact: -Information gathering and possible cross site scripting attack. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in the phpGedView CGI web application running on a server. -Multiple vulnerabilities exist in the application which can lead to -cross site scripting attacks. - --- -Affected Systems: - phpGedView - --- -Attack Scenarios: -An attacker can supply code of their choice by including it in the -firstname parameter of the search.php script. - --- -Ease of Attack: -Simple. No exploit software required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2346.txt snort-2.9.2/doc/signatures/2346.txt --- snort-2.8.5.2/doc/signatures/2346.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2346.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,58 +0,0 @@ -Rule: - --- -Sid: -2346 - --- -Summary: -This event is generated when an attempt is made to access the -chatheader.php script which contains known vulnerabilities and -is part of the myPHPNuke web application running on a server. - --- -Impact: -Information gathering and possible cross site scripting attack. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in the myPHPNuke web application running on a server. -Multiple vulnerabilities exist in the application which can lead to -cross site scripting attacks. - --- -Affected Systems: - myPHPNuke 1.8.8 - --- -Attack Scenarios: -An attacker can supply code of their choice by including it in the -Default_Theme parameter of the chatheader.php script. - --- -Ease of Attack: -Simple. No exploit software required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2347.txt snort-2.9.2/doc/signatures/2347.txt --- snort-2.8.5.2/doc/signatures/2347.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2347.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,58 +0,0 @@ -Rule: - --- -Sid: -2347 - --- -Summary: -This event is generated when an attempt is made to access the -partner.php script which contains known vulnerabilities and -is part of the myPHPNuke web application running on a server. - --- -Impact: -Information gathering and possible cross site scripting attack. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in the myPHPNuke web application running on a server. -Multiple vulnerabilities exist in the application which can lead to -cross site scripting attacks. - --- -Affected Systems: - myPHPNuke 1.8.8 - --- -Attack Scenarios: -An attacker can supply code of their choice by including it in the -Default_Theme parameter of the partner.php script. - --- -Ease of Attack: -Simple. No exploit software required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2348.txt snort-2.9.2/doc/signatures/2348.txt --- snort-2.8.5.2/doc/signatures/2348.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2348.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,53 +0,0 @@ -Rule: - --- -Sid: -2348 - --- -Summary: -This rule does not generate an event. I does activate sid 2349 however.s - --- -Impact: -Intelligence gathering. - --- -Detailed Information: -This rule checks for a bind to a print spool using DCE RPC. This may be -an attempt to check for printer and printer services available on a -host. Sid 2349 will generate an event when an attempt is made to -enumerate the printer service on a host. - --- -Affected Systems: - All Microsoft DCE RPC enabled systems - --- -Attack Scenarios: - --- -Ease of Attack: -Simple - --- -False Positives: -None known - --- -False Negatives: -None known - --- -Corrective Action: - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2349.txt snort-2.9.2/doc/signatures/2349.txt --- snort-2.8.5.2/doc/signatures/2349.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2349.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ -Rule: - --- -Sid: -2349 - --- -Summary: -This event is generated when an attempt is made to enumerate the printer -service on a system using DCE RPC. - --- -Impact: -Intelligence gathering. - --- -Detailed Information: -This rule checks for an attempt to enumerate a print spool service using DCE RPC. -This may be an attempt to check for printer and printer services available on a -host. - --- -Affected Systems: - All Microsoft DCE RPC enabled systems - --- -Attack Scenarios: -An attacker may identify the print service being used and exploit that -information in further attacks against the system. - --- -Ease of Attack: -Simple - --- -False Positives: -None known - --- -False Negatives: -None known - --- -Corrective Action: - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/234.txt snort-2.9.2/doc/signatures/234.txt --- snort-2.8.5.2/doc/signatures/234.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/234.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -234 - --- -Summary: -This event is generated when a trinoo DDoS attacker host communicates with a master host. - --- -Impact: -Attempted DDoS. If the listed source IP is in your network, it may be a trinoo attacker. If the listed destination IP is in your network, it may be a trinoo master. - --- -Detailed Information: -The trinoo DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. At the highest level, attackers communicate with masters to direct them to launch attacks. An attacker may communicate with a master via TCP destination port 27665 with a string of "g0rave" in the payload. This string is the default master startup password. - --- -Affected Systems: -Any trinoo compromised host. - --- -Attack Scenarios: -A trinoo attacker will communicate with masters to direct them to launch attacks. - --- -Ease of Attack: -Simple. trinoo code is freely available. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Perform proper forensic analysis on the suspected compromised host to discover the means of compromise. - -Rebuild a confirmed compromised host. - -Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised. - - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Judy Novak - --- -Additional References: -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138 -SecurityFocus: -http://www.securityfocus.com/archive/1/37706 - -CERT: -http://www.cert.org/incident_notes/IN-99-07.html#trinoo - --- diff -Nru snort-2.8.5.2/doc/signatures/2350.txt snort-2.9.2/doc/signatures/2350.txt --- snort-2.8.5.2/doc/signatures/2350.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2350.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,93 +0,0 @@ -Rule: - --- -Sid: -2192 - --- -Summary: -This rule no longer generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -This rule now uses flowbits and can be set to generate an event by -modifying the rule slightly to remove the "flowbits:no_alert;" option. -When traffic is detected that attempts to bind to the ISystemActivator -object in MS RPC DCOM communications this rule now activates sids 2351 -and 2352 to detect exploits against this service. Cool huh? - -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - -This vulnerability is also exploited by the Billy/Blaster worm. The worm -also uses the Trivial File Transfer Protocol (TFTP) to propagate. A -number of events generated by this rule may indicate worm activity. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. This is also exploited by a worm. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. 
- -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - -Block access to port 69 used by the worm to propogate. - -Block access to port 4444 used by the worm. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft: -http://www.microsoft.com/technet/security/bulletin/MS03-026.asp - -CVE: -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352 - -Symantec: -http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html - --- diff -Nru snort-2.8.5.2/doc/signatures/2351.txt snort-2.9.2/doc/signatures/2351.txt --- snort-2.8.5.2/doc/signatures/2351.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2351.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,87 +0,0 @@ -Rule: - --- -Sid: -2351 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - -This vulnerability is also exploited by the Billy/Blaster worm. The worm -also uses the Trivial File Transfer Protocol (TFTP) to propagate. A -number of events generated by this rule may indicate worm activity. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. This is also exploited by a worm. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - -Block access to port 69 used by the worm to propogate. - -Block access to port 4444 used by the worm. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft: -http://www.microsoft.com/technet/security/bulletin/MS03-026.asp - -CVE: -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352 - -Symantec: -http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html - --- diff -Nru snort-2.8.5.2/doc/signatures/2352.txt snort-2.9.2/doc/signatures/2352.txt --- snort-2.8.5.2/doc/signatures/2352.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2352.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,87 +0,0 @@
-Rule:
-
---
-Sid:
-2192
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
-This vulnerability is also exploited by the Billy/Blaster worm. The worm
-also uses the Trivial File Transfer Protocol (TFTP) to propagate. A
-number of events generated by this rule may indicate worm activity.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists. This is also exploited by a worm.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
-Block access to port 69 used by the worm to propogate.
-
-Block access to port 4444 used by the worm.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft:
-http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
-
-CVE:
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352
-
-Symantec:
-http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2353.txt snort-2.9.2/doc/signatures/2353.txt
--- snort-2.8.5.2/doc/signatures/2353.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2353.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2353
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application IdeaBox.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-IdeaBox contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the variable ideaDir when
-making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root by supplying
-their code in the file cord.php.
-
---
-Affected Systems:
- PHPOutsourcing IdeaBox 1.0
-
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path for the ideaDir variable.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2354.txt snort-2.9.2/doc/signatures/2354.txt
--- snort-2.8.5.2/doc/signatures/2354.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2354.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2354
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application IdeaBox.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-IdeaBox contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the variable gorumDir when
-making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root by supplying
-their code in the file notification.php.
-
---
-Affected Systems:
- PHPOutsourcing IdeaBox 1.0
-
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path for the gorumDir variable.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2355.txt snort-2.9.2/doc/signatures/2355.txt
--- snort-2.8.5.2/doc/signatures/2355.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2355.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-2355
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application Invision Board.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-Invision Board contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating a variable when
-making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root by supplying
-their code in the file emailer.php.
-
---
-Affected Systems:
- Invision Power Services Invision Board 1.1.1
-
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path for the variable that defines the location of the emailer.php
-script.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2356.txt snort-2.9.2/doc/signatures/2356.txt
--- snort-2.8.5.2/doc/signatures/2356.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2356.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2356
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application WebChat.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-WebChat contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the variable
-WEBCHATPATH when making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root by supplying
-their code in the file db_mysql.php.
-
---
-Affected Systems:
- Webdev Webchat 0.77
-
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path for the WEBCHATPATH variable.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2357.txt snort-2.9.2/doc/signatures/2357.txt
--- snort-2.8.5.2/doc/signatures/2357.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2357.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2357
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application WebChat.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-WebChat contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the variable
-WEBCHATPATH when making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root by supplying
-their code in the file english.php.
-
---
-Affected Systems:
- Webdev Webchat 0.77
-
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path for the WEBCHATPATH variable.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2358.txt snort-2.9.2/doc/signatures/2358.txt
--- snort-2.8.5.2/doc/signatures/2358.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2358.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2358
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application Typo3.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-Typo3 contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the variable ONLY when
-making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root.
-
---
-Affected Systems:
- Typo3 Typo3 3.5 b5
-
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path for the ONLY variable.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2359.txt snort-2.9.2/doc/signatures/2359.txt
--- snort-2.8.5.2/doc/signatures/2359.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2359.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2359
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application Invision Board.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-Invision Board contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the variable root_path when
-making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root by supplying
-their code in the file conf_global.php.
-
---
-Affected Systems:
- Invision Power Services Invision Board 1.1.1
-
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path for the root_path variable.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/235.txt snort-2.9.2/doc/signatures/235.txt
--- snort-2.8.5.2/doc/signatures/235.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/235.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-235
-
---
-Summary:
-This event is generated when a trinoo DDoS attacker host communicates with a master host.
-
---
-Impact:
-Attempted DDoS. If the listed source IP is in your network, it may be a trinoo attacker. If the listed destination IP is in your network, it may be a trinoo master.
-
---
-Detailed Information:
-The trinoo DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. At the highest level, attackers communicate with masters to direct them to launch attacks. An attacker may communicate with a master via TCP destination port 27665 with a string of "killme" in the payload. This string is a default mdie password.
-
---
-Affected Systems:
-Any trinoo compromised host.
-
---
-Attack Scenarios:
-A trinoo attacker will communicate with masters to direct them to launch attacks.
-
---
-Ease of Attack:
-Simple. trinoo code is freely available.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
-
-Rebuild a confirmed compromised host.
-
-Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
-
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
-SecurityFocus:
-http://www.securityfocus.com/archive/1/37706
-
-CERT:
-http://www.cert.org/incident_notes/IN-99-07.html#trinoo
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2360.txt snort-2.9.2/doc/signatures/2360.txt
--- snort-2.8.5.2/doc/signatures/2360.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2360.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2360
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application MyphpPagetool.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-MyphpPagetool contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the variable ptinclude when
-making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root by supplying
-their code in the file pt_config.inc.
-
---
-Affected Systems:
- myphpPagetool 0.4.3 -1
-
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path for the ptinclude variable.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2361.txt snort-2.9.2/doc/signatures/2361.txt
--- snort-2.8.5.2/doc/signatures/2361.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2361.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2361
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application YaBB SE.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-YaBB SE contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the variable template
-in the script news.php when making a GET or POST request to a
-vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root.
-
---
-Affected Systems:
- YaBB SE YaBB SE 0.8
- YaBB SE YaBB SE 1.4.1
- YaBB SE YaBB SE 1.5 .0
-
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path to the template variable.
-
---
-Ease of Attack:
-Simple. No exploit software required. Exploit code exists.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2362.txt snort-2.9.2/doc/signatures/2362.txt
--- snort-2.8.5.2/doc/signatures/2362.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2362.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2362
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application YaBB SE.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-YaBB SE contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the location of the
-script packer.php parameter when making a GET or POST request
-to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root.
-
---
-Affected Systems:
- YaBB SE YaBB SE 0.8
- YaBB SE YaBB SE 1.4.1
- YaBB SE YaBB SE 1.5 .0
-
---
-Attack Scenarios:
-An attacker can make a request to an affected script and supply their
-own code in the packer.php script.
-
---
-Ease of Attack:
-Simple. No exploit software required. Exploit code exists.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2363.txt snort-2.9.2/doc/signatures/2363.txt
--- snort-2.8.5.2/doc/signatures/2363.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2363.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2363
-
---
-Summary:
-This event is generated when an attempt is made to access a file that
-has a known vulnerability in a PHP web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made access the file
-default_header.php used in the PHP application Cyboards. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the PHP application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- Cyboards Cyboards PHP Lite 1.21
- Cyboards Cyboards PHP Lite 1.25
-
---
-Attack Scenarios:
-My manipulating certain variables contained in a PHP script an attacker
-may be able to supply code of their choosing and execute it on the
-server.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2364.txt snort-2.9.2/doc/signatures/2364.txt
--- snort-2.8.5.2/doc/signatures/2364.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2364.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2364
-
---
-Summary:
-This event is generated when an attempt is made to access a file that
-has a known vulnerability in a PHP web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made access the file
-options_form.php used in the PHP application Cyboards. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the PHP application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- Cyboards Cyboards PHP Lite 1.21
- Cyboards Cyboards PHP Lite 1.25
-
---
-Attack Scenarios:
-My manipulating certain variables contained in a PHP script an attacker
-may be able to supply code of their choosing and execute it on the
-server.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2365.txt snort-2.9.2/doc/signatures/2365.txt
--- snort-2.8.5.2/doc/signatures/2365.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2365.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2365
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application newsPHP.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-newsPHP contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the variable LangFile when
-making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root.
-
---
-Affected Systems:
- newsPHP newsPHP 216
-
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path for the LangFile variable.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2366.txt snort-2.9.2/doc/signatures/2366.txt
--- snort-2.8.5.2/doc/signatures/2366.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2366.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-2366
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application PhpGedView.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-PhpGedView contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the PGV_BASE_DIRECTORY
-parameter when making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root.
-
---
-Affected Systems:
- PhpGedView 2.65.1 and earlier
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path to the PGV_BASE_DIRECTORY variable.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2367.txt snort-2.9.2/doc/signatures/2367.txt
--- snort-2.8.5.2/doc/signatures/2367.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2367.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-2367
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application PhpGedView.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-PhpGedView contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the PGV_BASE_DIRECTORY
-parameter when making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root.
-
---
-Affected Systems:
- PhpGedView 2.65.1 and earlier
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path to the PGV_BASE_DIRECTORY variable.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CERT:
-http://www.cert.org/advisories/CA-2003-07.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2368.txt snort-2.9.2/doc/signatures/2368.txt
--- snort-2.8.5.2/doc/signatures/2368.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2368.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-2368
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application PhpGedView.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-PhpGedView contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the PGV_BASE_DIRECTORY
-parameter when making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root.
-
---
-Affected Systems:
- PhpGedView 2.65.1 and earlier
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path to the PGV_BASE_DIRECTORY variable.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2369.txt snort-2.9.2/doc/signatures/2369.txt
--- snort-2.8.5.2/doc/signatures/2369.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2369.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-2369
-
---
-Summary:
-This event is generated when an attempt is made to access ISAPISkeleton.dll on a
-web server. This may indicate an attempt to exploit a cross-site
-scripting vulnerability in BRS WebWeaver.
-
---
-Impact:
-Arbitrary code execution, possible session hijack.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a
-cross-site scripting vulnerability in BRS WebWeaver .
-An attacker can pass an argument to ISAPISkeleton.dll that may contain
-malicious code that could be executed on the victims machine.
-
---
-Affected Systems:
- BRS WebWeaver
-
---
-Attack Scenarios:
-An attacker can pass a specific argument to ISAPISkeleton.dll that may
-contain malicious code.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/236.txt snort-2.9.2/doc/signatures/236.txt
--- snort-2.8.5.2/doc/signatures/236.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/236.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
---
-Sid:
-236
-
---
-Summary:
-This event is generated when a Stacheldraht handler probes for a Stacheldraht agent on the destination host.
-
---
-Impact:
-Severe. This indicates that a Stacheldraht handler may exist on the source host and an agent may exist on the destination host.
-
---
-Detailed Information:
-The Stacheldraht DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. 
-
-There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack. A handler can discover if a particular host is a Stacheldraht agent by sending it an ICMP echo reply with an ICMP identification number of 668 and a string of "gesundheit!" in the payload.
-
---
-Affected Systems:
-Any Stacheldraht compromised host.
-
---
-Attack Scenarios:
-A handler may attempt to discover if the destination host is a Stacheldraht agent. A script named "gag" can be used to generate this communication for a defender or attacker to discover if a host is a Stacheldraht agent.
-
---
-Ease of Attack:
-Simple. The gag script is freely available.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
-
-Rebuild a confirmed compromised host.
-
-Use a packet filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS194
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2370.txt snort-2.9.2/doc/signatures/2370.txt
--- snort-2.8.5.2/doc/signatures/2370.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2370.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-2370
-
---
-Summary:
-This event is generated when an attempt is made to access config.conf, a
-component of the BugPort PHP web application running on a server.
-
---
-Impact:
-Information disclosure.
-
---
-Detailed Information:
-BugPort is a PHP application used for bug tracking purposes. It is
-possible for a remote user to view the configuration file for the
-application by making a request for the file using a web browser.
-
---
-Affected Systems:
- BugPort prior to version 1.099
-
---
-Attack Scenarios:
-An attacker can view the configuration file for the server by using a
-web browser to request the file.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2371.txt snort-2.9.2/doc/signatures/2371.txt
--- snort-2.8.5.2/doc/signatures/2371.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2371.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2371
-
---
-Summary:
-This event is generated when an attempt is made to access
-Sample_showcode.html, a component of the Niti Telecom Caravan Business
-Server.
-
---
-Impact:
-Information disclosure. Possible directory traversal.
-
---
-Detailed Information:
-Caravan Business Server is used to develop web applications. It is
-possible for an external user to perform a directory traversal attack
-against the server by maipulating the parameter fname in the
-Sample_showcode.html file.
-
---
-Affected Systems:
- Caravan Business Server 2.00/03D
-
---
-Attack Scenarios:
-An attacker can view files on the system by performaing a directory
-traversal attack using the fname parameter in the Sample_showcode.html
-script.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2372.txt snort-2.9.2/doc/signatures/2372.txt
--- snort-2.8.5.2/doc/signatures/2372.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2372.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-2372
-
---
-Summary:
-This event is generated when an attempt is made to access showphoto.php, a
-component of the Photopost PHP web application running on a server.
-
---
-Impact:
-Unauthorized administrative access to the underlying database.
-
---
-Detailed Information:
-Photopost is a PHP photo gallery application. It is possible for a
-remote attacker to perform SQL queries on the database used by Photopost
-that could disclose sensitive information or compromise the data stored
-on the server.
-
---
-Affected Systems:
- Photopost PHP Pro version 4.6 and earlier
-
---
-Attack Scenarios:
-An attacker can manipulate the photo parameter in the script
-showphoto.php to perform SQL queries of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2373.txt snort-2.9.2/doc/signatures/2373.txt
--- snort-2.8.5.2/doc/signatures/2373.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2373.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2373
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow vulnerability associated with Mollensoft Hyperion FTP/Encladus Server Suite XMKD
-command.
-
---
-Impact:
-Remote access. A successful attack may permit the remote execution of
-arbitrary commands with system privileges.
-
---
-Detailed Information:
-CesarFTPD offers FTP servers for Windows hosts. A vulnerability exists
-with the XMKD command that can cause a buffer overflow and permit the
-execution of arbitrary commands with system privileges. The buffer
-overflow can be caused by supplying an overly long argument to the XMKD
-command.
-
---
-Affected Systems:
- Mollensoft Software Enceladus Server Suite 3.9.11
- Mollensoft Software Hyperion FTP Server 3.5.2
-
---
-Attack Scenarios:
-An attacker can supply an overly long file argument with the XMKD
-command, causing a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2374.txt snort-2.9.2/doc/signatures/2374.txt
--- snort-2.8.5.2/doc/signatures/2374.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2374.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2374
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow vulnerability associated with Mollensoft Hyperion FTP/Encladus Server Suite NLST
-command.
-
---
-Impact:
-Remote access. A successful attack may permit the remote execution of
-arbitrary commands with system privileges.
-
---
-Detailed Information:
-CesarFTPD offers FTP servers for Windows hosts. A vulnerability exists
-with the NLST command that can cause a buffer overflow and permit the
-execution of arbitrary commands with system privileges. The buffer
-overflow can be caused by supplying an overly long argument to the NLST
-command.
-
---
-Affected Systems:
- Mollensoft Software Enceladus Server Suite 3.9.11
- Mollensoft Software Hyperion FTP Server 3.5.2
-
---
-Attack Scenarios:
-An attacker can supply an overly long file argument with the NLST
-command, causing a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2375.txt snort-2.9.2/doc/signatures/2375.txt
--- snort-2.8.5.2/doc/signatures/2375.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2375.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2375
-
---
-Summary:
-This event is generated when activity from the worm DoomJuice is
-detected.
-
---
-Impact:
-This is indicative of worm activity which may launch of a Denial of
-Service condition against Microsoft from infected machines.
-
---
-Detailed Information:
-This event is indicative of activity by the DoomJuice worm. This worm
-attempts to connect to random addresses on port 3127, if it receives a
-response it will attempt to upload a copy of itself to the target
-machine. If no response is received on that port, it will try on ports
-between 3127 and 3199.
-
-If the date is between February 8th and February 28th 2004, the worm
-will attempt to launch a Denial of Service (DoS) attack against
-www.microsoft.com.
-
---
-Affected Systems:
- Windows 95
- Windows 98
- Windows Me
- Windows NT
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-This is worm activity.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-It is possible to edit the binary data in the executable to create a
-variant of the worm. This may evade the rule.
-
---
-Corrective Action:
-Use Anti-Virus software to remove the worm.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2376.txt snort-2.9.2/doc/signatures/2376.txt
--- snort-2.8.5.2/doc/signatures/2376.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2376.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2376
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Checkpoint VPN-1.
-
---
-Impact:
-Unauthorized administrative access to Checkpoint VPN-1 systems
-
---
-Detailed Information:
-Checkpoint VPN-1, SecuRemote and SecureClient contain an error that
-affects the processing of large Certificate requests to the VPN service.
-By sending a large amount of data in the Certificate Request payload an
-attacker may cause a buffer overflow condition to occur, presenting an
-opportunity to execute code of their choosing with the privileges of the
-user running the service, usually root.
-
---
-Affected Systems:
- CheckPoint Software FW-1 1.4.1 Service packs prior to SP6
- CheckPoint Software FW-1 Next Generation FP1, FP0
- CheckPoint Software VPN-1 1.4.1 SP5a
- CheckPoint Software VPN-1 Next Generation FP1, FP0
-
---
-Attack Scenarios:
-An attacker could supply a large Certificate Request payload containing
-code to be executed on the system.
-
---
-Ease of Attack:
-Proof of concept code exists.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2377.txt snort-2.9.2/doc/signatures/2377.txt
--- snort-2.8.5.2/doc/signatures/2377.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2377.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2377
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Checkpoint VPN-1.
-
---
-Impact:
-Unauthorized administrative access to Checkpoint VPN-1 systems
-
---
-Detailed Information:
-Checkpoint VPN-1, SecuRemote and SecureClient contain an error that
-affects the processing of large Certificate requests to the VPN service.
-By sending a large amount of data in the Certificate Request payload an
-attacker may cause a buffer overflow condition to occur, presenting an
-opportunity to execute code of their choosing with the privileges of the
-user running the service, usually root.
-
---
-Affected Systems:
- CheckPoint Software FW-1 1.4.1 Service packs prior to SP6
- CheckPoint Software FW-1 Next Generation FP1, FP0
- CheckPoint Software VPN-1 1.4.1 SP5a
- CheckPoint Software VPN-1 Next Generation FP1, FP0
-
---
-Attack Scenarios:
-An attacker could supply a large Certificate Request payload containing
-code to be executed on the system.
-
---
-Ease of Attack:
-Proof of concept code exists.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2378.txt snort-2.9.2/doc/signatures/2378.txt
--- snort-2.8.5.2/doc/signatures/2378.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2378.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2378
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Checkpoint VPN-1.
-
---
-Impact:
-Unauthorized administrative access to Checkpoint VPN-1 systems
-
---
-Detailed Information:
-Checkpoint VPN-1, SecuRemote and SecureClient contain an error that
-affects the processing of large Certificate requests to the VPN service.
-By sending a large amount of data in the Certificate Request payload an
-attacker may cause a buffer overflow condition to occur, presenting an
-opportunity to execute code of their choosing with the privileges of the
-user running the service, usually root.
-
---
-Affected Systems:
- CheckPoint Software FW-1 1.4.1 Service packs prior to SP6
- CheckPoint Software FW-1 Next Generation FP1, FP0
- CheckPoint Software VPN-1 1.4.1 SP5a
- CheckPoint Software VPN-1 Next Generation FP1, FP0
-
---
-Attack Scenarios:
-An attacker could supply a large Certificate Request payload containing
-code to be executed on the system.
-
---
-Ease of Attack:
-Proof of concept code exists.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2379.txt snort-2.9.2/doc/signatures/2379.txt
--- snort-2.8.5.2/doc/signatures/2379.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2379.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2379
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Checkpoint VPN-1.
-
---
-Impact:
-Unauthorized administrative access to Checkpoint VPN-1 systems
-
---
-Detailed Information:
-Checkpoint VPN-1, SecuRemote and SecureClient contain an error that
-affects the processing of large Certificate requests to the VPN service.
-By sending a large amount of data in the Certificate Request payload an
-attacker may cause a buffer overflow condition to occur, presenting an
-opportunity to execute code of their choosing with the privileges of the
-user running the service, usually root.
-
---
-Affected Systems:
- CheckPoint Software FW-1 1.4.1 Service packs prior to SP6
- CheckPoint Software FW-1 Next Generation FP1, FP0
- CheckPoint Software VPN-1 1.4.1 SP5a
- CheckPoint Software VPN-1 Next Generation FP1, FP0
-
---
-Attack Scenarios:
-An attacker could supply a large Certificate Request payload containing
-code to be executed on the system.
-
---
-Ease of Attack:
-Proof of concept code exists.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/237.txt snort-2.9.2/doc/signatures/237.txt
--- snort-2.8.5.2/doc/signatures/237.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/237.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-237
-
---
-Summary:
-This event is generated when a trinoo DDoS master host communicates with a daemon host.
-
---
-Impact:
-Attempted DDoS. If the listed source IP is in your network, it may be a trinoo master. If the listed destination IP is in your network, it may be a trinoo daemon.
-
---
-Detailed Information:
-The trinoo DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. Masters communicate with daemons to direct them to launch attacks. A master may communicate with a daemon via UDP destination port 27444 with a string of "l44adsl" in the payload. This string is the default password for the daemon.
-
---
-Affected Systems:
-Any trinoo compromised host.
-
---
-Attack Scenarios:
-A trinoo master will communicate with a daemon to direct it to launch attacks.
-
---
-Ease of Attack:
-Simple. trinoo code is freely available.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
-
-Rebuild a confirmed compromised host.
-
-Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
-
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CERT:
-http://www.cert.org/incident_notes/IN-99-07.html#trinoo
-
-Arachnids:
-http://www.whitehats.com/info/IDS197
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2380.txt snort-2.9.2/doc/signatures/2380.txt
--- snort-2.8.5.2/doc/signatures/2380.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2380.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2380
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Checkpoint VPN-1.
-
---
-Impact:
-Unauthorized administrative access to Checkpoint VPN-1 systems
-
---
-Detailed Information:
-Checkpoint VPN-1, SecuRemote and SecureClient contain an error that
-affects the processing of large Certificate requests to the VPN service.
-By sending a large amount of data in the Certificate Request payload an
-attacker may cause a buffer overflow condition to occur, presenting an
-opportunity to execute code of their choosing with the privileges of the
-user running the service, usually root.
-
---
-Affected Systems:
- CheckPoint Software FW-1 1.4.1 Service packs prior to SP6
- CheckPoint Software FW-1 Next Generation FP1, FP0
- CheckPoint Software VPN-1 1.4.1 SP5a
- CheckPoint Software VPN-1 Next Generation FP1, FP0
-
---
-Attack Scenarios:
-An attacker could supply a large Certificate Request payload containing
-code to be executed on the system.
-
---
-Ease of Attack:
-Proof of concept code exists.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2381.txt snort-2.9.2/doc/signatures/2381.txt
--- snort-2.8.5.2/doc/signatures/2381.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2381.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-2381
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Checkpoint Firewall-1
-
---
-Impact:
-Serious. Unauthorized administrative access to the firewall
-
---
-Detailed Information:
-A vulnerability exists in Checkpoint Firewall-1 that may allow a remote
-attacker to gain control of the firewall. The issues lies in the
-handling of HTTP requests by the Security Server and Application
-Intelligence modules of the Firewall's administration console.
-
-By supplying a malformed scheme in a URI an attacker may present the
-attacker with the opportunity to send data of their choosing to the
-sprintf() system call.
-
---
-Affected Systems:
- Checkpoint Firewall-1
-
---
-Attack Scenarios:
-An attacker must supply specially crafted packets containing malformed
-URI schema with the data they wish to send to the sprintf() function.
-This may then present the attacker with administrative privileges on the
-server.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Disallow external access to the Firewall-1 administrative interface.
-
-Disable the Web interface to the firewall if possible
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2382.txt snort-2.9.2/doc/signatures/2382.txt
--- snort-2.8.5.2/doc/signatures/2382.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2382.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-2382
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the ASN.1 Library.
-
---
-Impact:
-Serious. Execution of arbitrary code, DoS.
-
---
-Detailed Information:
-A buffer overflow condition in the Microsoft implementation of the ASN.1
-Library. It may be possible for an attacker to exploit this condition by
-sending specially crafted authentication packets to a host running a
-vulnerable operating system.
-
-When the taget system decodes the ASN.1 data, exploit code may be included
-in the data that may be excuted on the host with system level privileges.
-Alternatively, the malformed data may cause the service to become
-unresponsive thus causing the DoS condition to occur.
-
---
-Affected Systems:
- Microsoft Windows NT
- Microsoft Windows NT Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows 2003
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
-
-US-CERT
-http://www.us-cert.gov/cas/techalerts/TA04-041A.html
-
-Microsoft
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2383.txt snort-2.9.2/doc/signatures/2383.txt
--- snort-2.8.5.2/doc/signatures/2383.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2383.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-2383
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the ASN.1 Library.
-
---
-Impact:
-Serious. Execution of arbitrary code, DoS.
-
---
-Detailed Information:
-A buffer overflow condition in the Microsoft implementation of the ASN.1
-Library. It may be possible for an attacker to exploit this condition by
-sending specially crafted authentication packets to a host running a
-vulnerable operating system.
-
-When the taget system decodes the ASN.1 data, exploit code may be included
-in the data that may be excuted on the host with system level privileges.
-Alternatively, the malformed data may cause the service to become
-unresponsive thus causing the DoS condition to occur.
-
---
-Affected Systems:
- Microsoft Windows NT
- Microsoft Windows NT Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows 2003
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
-
-US-CERT
-http://www.us-cert.gov/cas/techalerts/TA04-041A.html
-
-Microsoft
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2384.txt snort-2.9.2/doc/signatures/2384.txt
--- snort-2.8.5.2/doc/signatures/2384.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2384.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-2384
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the ASN.1 Library.
-
---
-Impact:
-Serious. Execution of arbitrary code, DoS.
-
---
-Detailed Information:
-A buffer overflow condition in the Microsoft implementation of the ASN.1
-Library. It may be possible for an attacker to exploit this condition by
-sending specially crafted authentication packets to a host running a
-vulnerable operating system.
-
-When the taget system decodes the ASN.1 data, exploit code may be included
-in the data that may be excuted on the host with system level privileges.
-Alternatively, the malformed data may cause the service to become
-unresponsive thus causing the DoS condition to occur.
-
---
-Affected Systems:
- Microsoft Windows NT
- Microsoft Windows NT Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows 2003
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
-
-US-CERT
-http://www.us-cert.gov/cas/techalerts/TA04-041A.html
-
-Microsoft
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2385.txt snort-2.9.2/doc/signatures/2385.txt
--- snort-2.8.5.2/doc/signatures/2385.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2385.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-2385
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the ASN.1 Library.
-
---
-Impact:
-Serious. Execution of arbitrary code, DoS.
-
---
-Detailed Information:
-A buffer overflow condition in the Microsoft implementation of the ASN.1
-Library. It may be possible for an attacker to exploit this condition by
-sending specially crafted authentication packets to a host running a
-vulnerable operating system.
-
-When the taget system decodes the ASN.1 data, exploit code may be included
-in the data that may be excuted on the host with system level privileges.
-Alternatively, the malformed data may cause the service to become
-unresponsive thus causing the DoS condition to occur.
-
---
-Affected Systems:
- Microsoft Windows NT
- Microsoft Windows NT Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows 2003
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
-
-US-CERT
-http://www.us-cert.gov/cas/techalerts/TA04-041A.html
-
-Microsoft
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2386.txt snort-2.9.2/doc/signatures/2386.txt
--- snort-2.8.5.2/doc/signatures/2386.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2386.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-2386
-
---
-Summary:
-This event is generated when an attempt is made to scan for a known
-vulnerability in the Microsoft implementation of the ASN.1 Library using
-Nessus.
-
---
-Impact:
-Intelligence gathering.
-
---
-Detailed Information:
-A buffer overflow condition in the Microsoft implementation of the ASN.1
-Library. It may be possible for an attacker to exploit this condition by
-sending specially crafted authentication packets to a host running a
-vulnerable operating system.
-
-When the taget system decodes the ASN.1 data, exploit code may be included
-in the data that may be excuted on the host with system level privileges.
-Alternatively, the malformed data may cause the service to become
-unresponsive thus causing the DoS condition to occur.
-
-This event indicates a possible attempt to enumerate vulnerable hosts using
-Nessus.
-
---
-Affected Systems:
- Microsoft Windows NT
- Microsoft Windows NT Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows 2003
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
-
-US-CERT
-http://www.us-cert.gov/cas/techalerts/TA04-041A.html
-
-Microsoft
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2387.txt snort-2.9.2/doc/signatures/2387.txt
--- snort-2.8.5.2/doc/signatures/2387.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2387.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-2387
-
---
-Summary:
-This event is generated when an attempt is made to view a URL with the string "view_broadcast.cgi" in the name.
-
---
-Impact:
-Denial of service.
-
---
-Detailed Information:
-A vulnerabilities exists in Apple Quick Time Streaming Server and
-Apple Darwin Streaming Server running on Windows hosts, that may allow
-a denial of service to occur. This happens when expected parameters are not
-supplied to this script, causing the server to fail to accept new connections.
-
---
-Affected Systems:
-QuickTime/Darwin Streaming Server 4.1.3e and earlier on Windows
-
---
-Attack Scenarios:
-An attacker can craft a packet that contains a URL with the location of the view_broadcast.cgi script and not pass it required parameters.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate patches for the systems affected.
-
-Upgrade to the latest non affected versions of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/8257
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0422
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2388.txt snort-2.9.2/doc/signatures/2388.txt
--- snort-2.8.5.2/doc/signatures/2388.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2388.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-2388
-
---
-Summary:
-This event is generated when an attempt is made to access
-view_broadcast.cgi on a server used for streaming media services.
-
---
-Impact:
-Information gathering and system integrity compromise.
-
---
-Detailed Information:
-The view_broadcast.cgi script contains a known vulnerability that may
-allow an attacker to perform a variety of cross-site scripting attacks.
-This event is generated when an attempt is amde to access the script
-directly from a source external to the protected network.
-
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2389.txt snort-2.9.2/doc/signatures/2389.txt
--- snort-2.8.5.2/doc/signatures/2389.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2389.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2389
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow vulnerability associated with WuFtpd RNTO command.
-
---
-Impact:
-Remote access. A successful attack may permit the remote execution of
-arbitrary commands with system privileges.
-
---
-Detailed Information:
-WuFtpd is an FTP server based on BSD ftpd. A vulnerability exists
-with the RNTO command that can cause a buffer overflow and permit the
-execution of arbitrary commands with system privileges. The buffer
-overflow can be caused by supplying an overly long argument to the RNTO
-command.
-
-The issue exists in the realpath() function. It is possible for an
-attacker to send malformed data to the realpath() function that will
-cause the overflow condition to occur.
-
---
-Affected Systems:
- Multiple systems using affected C libraries, libc
-
---
-Attack Scenarios:
-An attacker can use one of the publicly available exploit scripts to
-cause the overflow to occur.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Use scp as an alternative to ftp
-
-Disallow ftp access to internal resources from external sources
-
-Recompile binaries statically linked to the system libc implementation
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/238.txt snort-2.9.2/doc/signatures/238.txt
--- snort-2.8.5.2/doc/signatures/238.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/238.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
---
-Sid:
-238
-
---
-Summary:
-This event is generated when a Tribe Flood Network (TFN) Distributed Denial of Service (DDoS) daemon responds to a client request to spawn a shell.
-
---
-Impact:
-Attempted DDoS. If the listed source IP is in your network, it may be a TFN daemon. If the listed destination IP is in your network, it may be a TFN client.
-
---
-Detailed Information:
-The TFN DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. Clients communicate with daemons to inform them to launch attacks. A daemon will respond with a client request to spawn a shell with an ICMP echo reply with an ICMP identification number of 123, an ICMP sequence number of 0 and a string of "shell bound to port" in the payload.
-
---
-Affected Systems:
-Any TFN compromised host.
-
---
-Attack Scenarios:
-After a host becomes a TFN daemon, it will respond to client requests.
-
---
-Ease of Attack:
-Simple. TFN code is freely available.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
-
-Rebuild a confirmed compromised host.
-
-Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
-
-Arachnids:
-http://www.whitehats.com/info/IDS182
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2390.txt snort-2.9.2/doc/signatures/2390.txt
--- snort-2.8.5.2/doc/signatures/2390.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2390.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2390
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow vulnerability associated with WuFtpd STOU command.
-
---
-Impact:
-Remote access. A successful attack may permit the remote execution of
-arbitrary commands with system privileges.
-
---
-Detailed Information:
-WuFtpd is an FTP server based on BSD ftpd. A vulnerability exists
-with the STOU command that can cause a buffer overflow and permit the
-execution of arbitrary commands with system privileges. The buffer
-overflow can be caused by supplying an overly long argument to the STOU
-command.
-
-The issue exists in the realpath() function. It is possible for an
-attacker to send malformed data to the realpath() function that will
-cause the overflow condition to occur.
-
---
-Affected Systems:
- Multiple systems using affected C libraries, libc
-
---
-Attack Scenarios:
-An attacker can use one of the publicly available exploit scripts to
-cause the overflow to occur.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Use scp as an alternative to ftp
-
-Disallow ftp access to internal resources from external sources
-
-Recompile binaries statically linked to the system libc implementation
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2391.txt snort-2.9.2/doc/signatures/2391.txt
--- snort-2.8.5.2/doc/signatures/2391.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2391.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2391
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow vulnerability associated with WuFtpd APPE command.
-
---
-Impact:
-Remote access. A successful attack may permit the remote execution of
-arbitrary commands with system privileges.
-
---
-Detailed Information:
-WuFtpd is an FTP server based on BSD ftpd. A vulnerability exists
-with the APPE command that can cause a buffer overflow and permit the
-execution of arbitrary commands with system privileges. The buffer
-overflow can be caused by supplying an overly long argument to the APPE
-command.
-
-The issue exists in the realpath() function. It is possible for an
-attacker to send malformed data to the realpath() function that will
-cause the overflow condition to occur.
-
---
-Affected Systems:
- Multiple systems using affected C libraries, libc
-
---
-Attack Scenarios:
-An attacker can use one of the publicly available exploit scripts to
-cause the overflow to occur.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Use scp as an alternative to ftp
-
-Disallow ftp access to internal resources from external sources
-
-Recompile binaries statically linked to the system libc implementation
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2392.txt snort-2.9.2/doc/signatures/2392.txt
--- snort-2.8.5.2/doc/signatures/2392.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2392.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2392
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow vulnerability associated with WuFtpd RETR command.
-
---
-Impact:
-Remote access. A successful attack may permit the remote execution of
-arbitrary commands with system privileges.
-
---
-Detailed Information:
-WuFtpd is an FTP server based on BSD ftpd. A vulnerability exists
-with the RETR command that can cause a buffer overflow and permit the
-execution of arbitrary commands with system privileges. The buffer
-overflow can be caused by supplying an overly long argument to the RETR
-command.
-
-The issue exists in the realpath() function. It is possible for an
-attacker to send malformed data to the realpath() function that will
-cause the overflow condition to occur.
-
---
-Affected Systems:
- Multiple systems using affected C libraries, libc
-
---
-Attack Scenarios:
-An attacker can use one of the publicly available exploit scripts to
-cause the overflow to occur.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Use scp as an alternative to ftp
-
-Disallow ftp access to internal resources from external sources
-
-Recompile binaries statically linked to the system libc implementation
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2393.txt snort-2.9.2/doc/signatures/2393.txt
--- snort-2.8.5.2/doc/signatures/2393.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2393.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-2393
-
---
-Summary:
-This event is generated when an attempt is made to access the /_admin directory.
-
---
-Impact:
-Unauthorized file upload or information gathering. This can allow an attacker to upload unauthorized files to the web server or information disclosure.
-
---
-Detailed Information:
-A vulnerability exists in the jbrowser web-based image gallery software that allows unchecked access to the _admin directory, possibly permitting an attacker to execute scripts found in this directory. Execution of admin scripts upload.php3 and upload_ftp.php3 may allow the attacker to upload malicious files to the server or replace existing files. Execution of the list_all.php script may allow an attacker to display files in directories, including those not in the web server root directory.
-
---
-Affected Systems:
-Not reported.
-
---
-Attack Scenarios:
-An attacker can craft a URL to execute the upload.php3, upload_ftp.php3, and list_all.php scripts to upload files or examine files on the vulnerable server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Restrict access to the '_admin' directory to authorized users only.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-bugtraq
-http://www.securityfocus.com/bid/9537
-
-nessus:
-http://cgi.nessus.org/plugins/dump.php3?id=12032
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2394.txt snort-2.9.2/doc/signatures/2394.txt
--- snort-2.8.5.2/doc/signatures/2394.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2394.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-2394
-
---
-Summary:
-This event is generated when a malformed request is sent to the Compaq Web-Based Management Agent.
-
---
-Impact:
-Denial of service.
-
---
-Detailed Information:
-Compaq Web-Based Management Agent is used to perform remote system administration for Windows hosts. A vulnerability exists in the software when traffic is sent t
-o access to Compaq Web-Based Management Agent that contains a malformed request, possibly causing the service to crash. URL requests that contain the characters "
-" or "" cause the denial of service to occur. Note that the rule uses an initial keyword of "content" instead of "urico
-ntent" since uricontent only examines web server ports identified in the pre-processor http_inspect in the configuration setup. Default configurations do not incl
-ude port 2301 as a web server port, preventing the event from being generated.
-
---
-Affected Systems:
-Host running Compaq Web-Based Management Agent.
-
---
-Attack Scenarios:
-An attacker can send a malformed request to the listening service, causing the system to crash.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Block inbound port 2301 traffic or restrict access to known authorized IP addresses.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
-Additional References:
-
-bugtraq
-http://www.securityfocus.com/bid/8014
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2395.txt snort-2.9.2/doc/signatures/2395.txt
--- snort-2.8.5.2/doc/signatures/2395.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2395.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-2395
-
---
-Summary:
-This event is generated when an attempt is made to view a URL with the string "InteractiveQuery.jsp" in the name.
-
---
-Impact:
-Successful cross-site scripting attacks generally target the users of
-your web site. Attackers can potentially gain access to your users'
-cookies or session ids, allowing the attacker to impersonate your
-user.
-
---
-Detailed Information:
-BEA WebLogic supplies a CGI script InteractiveQuery.jsp that may be susceptible to cross-site scripting. The vulnerability
-occurs because of improper sanitizing of data to the argument 'person'. This may permit malicious code to be executed when
-a user visits a vulnerable site.
-
---
-Affected Systems:
-BEA WebLogic 8.1 and earlier versions.
-
---
-Attack Scenarios:
-An attacker can lure a user to a website that is vulnerable, perhaps permitting the malicious code to be executed on the user's host.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Remove the InteractiveQuery.jsp script or move it from the server's CGI path.
-
-Upgrade to the latest non affected versions of the software.
-
-Configure the web browser to not allow the execution of code.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/8938
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0624
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2396.txt snort-2.9.2/doc/signatures/2396.txt
--- snort-2.8.5.2/doc/signatures/2396.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2396.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,54 +0,0 @@
-Rule:
-
---
-Sid:
-2396
-
---
-Summary:
-This event is generated when an attacker attempts to execute an arbitrary command on a web server running the CCBill software.
-
---
-Impact:
-Execution of arbitrary commands.
-
---
-Detailed Information:
-The CCBill software is available to manage credit card information for UNIX and Windows hosts. The script whereami.cgi is used for technical support of the software. A vulnerability exists in the whereami.cgi script that allows the execution of arbitrary commands from an attacker who passes a command via whereami.cgi?g=command format in a URL. Supplied commands can list file names, show the contents of the password file, or install a backdoor to name a few actions that an attacker may attempt.
-
---
-Affected Systems:
-Hosts running CCBill software that has the whereami.cgi in the server's CGI path.
-
---
-Attack Scenarios:
-An attacker can send a request to execute an arbitrary command.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Remove the whereami.cgi command.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-bugtraq
-http://www.securityfocus.com/bid/8095
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2397.txt snort-2.9.2/doc/signatures/2397.txt
--- snort-2.8.5.2/doc/signatures/2397.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2397.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,54 +0,0 @@
-Rule:
-
---
-Sid:
-2397
-
---
-Summary:
-This event is generated when an attacker includes "/whereami.cgi" in a URL, typically aimed at a web server running the CCBill software.
-
---
-Impact:
-Execution of arbitrary commands.
-
---
-Detailed Information:
-The CCBill software is available to manage credit card information for UNIX and Windows hosts. The script whereami.cgi is used for technical support of the software. A vulnerability exists in the whereami.cgi script that allows the execution of arbitrary commands from an attacker who passes a command via whereami.cgi?g=command format in a URL. Supplied commands can list file names, show the contents of the password file, or install a backdoor to name a few actions that an attacker may attempt.
-
---
-Affected Systems:
-Hosts running CCBill software that has the whereami.cgi in the server's CGI path.
-
---
-Attack Scenarios:
-An attacker can send a request to execute an arbitrary command.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Remove the whereami.cgi command.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-bugtraq
-http://www.securityfocus.com/bid/8095
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2398.txt snort-2.9.2/doc/signatures/2398.txt
--- snort-2.8.5.2/doc/signatures/2398.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2398.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-2398
-
---
-Summary:
-This event is generated when an attempt is made to exploit the PHP web
-application WAnewsletter.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the WAnewsletter PHP web application running on a server.
-Multiple vulnerabilities exist in the application which can lead to the
-execution of arbitrary code of the atttackers choosing.
-
---
-Affected Systems:
- WAnewsletter
-
---
-Attack Scenarios:
-An attacker can supply code of their choice by including a file in
-parameters supplied to the script newsletter.php or db_type.php.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2399.txt snort-2.9.2/doc/signatures/2399.txt
--- snort-2.8.5.2/doc/signatures/2399.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2399.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-2399
-
---
-Summary:
-This event is generated when an attempt is made to exploit the PHP web
-application WAnewsletter.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the WAnewsletter PHP web application running on a server.
-Multiple vulnerabilities exist in the application which can lead to the
-execution of arbitrary code of the atttackers choosing.
-
---
-Affected Systems:
- WAnewsletter
-
---
-Attack Scenarios:
-An attacker can supply code of their choice by including a file in
-parameters supplied to the script newsletter.php or db_type.php.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/239.txt snort-2.9.2/doc/signatures/239.txt
--- snort-2.8.5.2/doc/signatures/239.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/239.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-239
-
---
-Summary:
-This event is generated when a DDoS Shaft handler communicates with a Shaft agent. It is also possible that this event may be generated when any host attempts to discover a Shaft agent.
-
---
-Impact:
-Attempted DDoS. If the listed source IP is in your network, it may be a Shaft handler or a host attempting to discover Shaft agents. If the listed destination IP is in your network, it may be a Shaft agent.
-
---
-Detailed Information:
-The Shaft DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. Handlers communicate with agents to direct them to launch attacks. A handler may communicate with an agent using a UDP packet to destination port 18753 with a content of "alive tijgu. This communication checks if an agent is alive and uses a default password of "tijgu".
-
---
-Affected Systems:
-Any Shaft compromised host.
-
---
-Attack Scenarios:
-A Shaft handler needs to discover if an agent is alive before directing it to launch an attack.
-
---
-Ease of Attack:
-Simple. Shaft code is freely available.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
-
-Rebuild a confirmed compromised host.
-
-Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
-
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS255
-
-Miscellaneous:
-http://biocserver.cwru.edu/~jose/shaft_analysis/
-
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2400.txt snort-2.9.2/doc/signatures/2400.txt
--- snort-2.8.5.2/doc/signatures/2400.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2400.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2400
-
---
-Summary:
-This event is generated when an attempt is made to access the CGI script
-edittag.pl.
-
---
-Impact:
-Information Disclosure
-
---
-Detailed Information:
-EditTag is a perl script that can be used to manage web site content.
-
-The edittag.pl CGI script may allow an attacker to leverage a directory
-traversal attack on a web server. Due to insufficient checks on user
-supplied input, it may be possible for an attacker to supply encoded
-"../" characters to traverse out of the web root and view sensitive
-system files on the web server.
-
---
-Affected Systems:
- EditTag
-
---
-Attack Scenarios:
-An attacker can utilize this vulnerability to gain sensitive information
-that may be used in further attacks against the host.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2401.txt snort-2.9.2/doc/signatures/2401.txt
--- snort-2.8.5.2/doc/signatures/2401.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2401.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,88 +0,0 @@
-Rule:
-
---
-Sid:
-2401
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ISS RealSecure and BlackICE products.
-
---
-Impact:
-Serious. Execution of arbitrary code, DoS.
-
---
-Detailed Information:
-A buffer overflow condition in the ISS Analysis Module can be triggered
-by an attacker sending a single SMB packet containing an AccountName
-greater than 300 bytes. It is possible for an attacker to exploit this
-condition by sending a specially crafted packet to a host serving network shares.
-
-When the systems running one of the affected ISS products decodes the
-SMB data, exploit code may be included and executed on the machine with
-system level privileges. Alternatively, the malformed data may cause the service to become
-unresponsive and cause a DoS condition.
-
-Sensors under attack will display "PAM_internal_error" as a message on
-the console.
-
-Sucessful exploitation of this issue could present an attacker with the
-opportunity to execute code of their choosing on the target host with system
-privileges. It is also possible for a Denial of Service (DoS) condition to
-be caused by an attacker attempting to exploit this condition.
-
---
-Affected Systems:
- RealSecure Network 7.0, XPU 20.15 through 22.9
- Real Secure Server Sensor 7.0 XPU 20.16 through 22.9
- Proventia A Series XPU 20.15 through 22.9
- Proventia G Series XPU 22.3 through 22.9
- Proventia M Series XPU 1.3 through 1.7
- RealSecure Desktop 7.0 eba through ebh
- RealSecure Desktop 3.6 ebr through ecb
- RealSecure Guard 3.6 ebr through ecb
- RealSecure Sentry 3.6 ebr through ecb
- BlackICE PC Protection 3.6 cbr through ccb
- BlackICE Server Protection 3.6 cbr through ccb
-
---
-Attack Scenarios:
-An attacker may use this vulnerability to disable ISS sensors on a
-network or potentially use it to gain control of a machine running one
-of the affected products.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-This rule may not generate an alert if a legitimate SMB request contains a password
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Matt Watchinski
-Nigel Houghton
-
---
-References:
-
-eEye
-http://www.eeye.com/html/Research/Advisories/AD20040226.html
-
-Bugtraq
-http://www.securityfocus.com/bid/9752
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2402.txt snort-2.9.2/doc/signatures/2402.txt
--- snort-2.8.5.2/doc/signatures/2402.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2402.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,88 +0,0 @@
-Rule:
-
---
-Sid:
-2402
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ISS RealSecure and BlackICE products.
-
---
-Impact:
-Serious. Execution of arbitrary code, DoS.
-
---
-Detailed Information:
-A buffer overflow condition in the ISS Analysis Module can be triggered
-by an attacker sending a single SMB packet containing an AccountName
-greater than 300 bytes. It is possible for an attacker to exploit this
-condition by sending a specially crafted packet to a host serving network shares.
-
-When the systems running one of the affected ISS products decodes the
-SMB data, exploit code may be included and executed on the machine with
-system level privileges. Alternatively, the malformed data may cause the service to become
-unresponsive and cause a DoS condition.
-
-Sensors under attack will display "PAM_internal_error" as a message on
-the console.
-
-Sucessful exploitation of this issue could present an attacker with the
-opportunity to execute code of their choosing on the target host with system
-privileges. It is also possible for a Denial of Service (DoS) condition to
-be caused by an attacker attempting to exploit this condition.
-
---
-Affected Systems:
- RealSecure Network 7.0, XPU 20.15 through 22.9
- Real Secure Server Sensor 7.0 XPU 20.16 through 22.9
- Proventia A Series XPU 20.15 through 22.9
- Proventia G Series XPU 22.3 through 22.9
- Proventia M Series XPU 1.3 through 1.7
- RealSecure Desktop 7.0 eba through ebh
- RealSecure Desktop 3.6 ebr through ecb
- RealSecure Guard 3.6 ebr through ecb
- RealSecure Sentry 3.6 ebr through ecb
- BlackICE PC Protection 3.6 cbr through ccb
- BlackICE Server Protection 3.6 cbr through ccb
-
---
-Attack Scenarios:
-An attacker may use this vulnerability to disable ISS sensors on a
-network or potentially use it to gain control of a machine running one
-of the affected products.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-This rule may not generate an alert if a legitimate SMB request contains a password
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Matt Watchinski
-Nigel Houghton
-
---
-References:
-
-eEye
-http://www.eeye.com/html/Research/Advisories/AD20040226.html
-
-Bugtraq
-http://www.securityfocus.com/bid/9752
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2403.txt snort-2.9.2/doc/signatures/2403.txt
--- snort-2.8.5.2/doc/signatures/2403.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2403.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,88 +0,0 @@
-Rule:
-
---
-Sid:
-2403
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ISS RealSecure and BlackICE products.
-
---
-Impact:
-Serious. Execution of arbitrary code, DoS.
-
---
-Detailed Information:
-A buffer overflow condition in the ISS Analysis Module can be triggered
-by an attacker sending a single SMB packet containing an AccountName
-greater than 300 bytes. It is possible for an attacker to exploit this
-condition by sending a specially crafted packet to a host serving network shares.
-
-When the systems running one of the affected ISS products decodes the
-SMB data, exploit code may be included and executed on the machine with
-system level privileges. Alternatively, the malformed data may cause the service to become
-unresponsive and cause a DoS condition.
-
-Sensors under attack will display "PAM_internal_error" as a message on
-the console.
-
-Sucessful exploitation of this issue could present an attacker with the
-opportunity to execute code of their choosing on the target host with system
-privileges. It is also possible for a Denial of Service (DoS) condition to
-be caused by an attacker attempting to exploit this condition.
-
---
-Affected Systems:
- RealSecure Network 7.0, XPU 20.15 through 22.9
- Real Secure Server Sensor 7.0 XPU 20.16 through 22.9
- Proventia A Series XPU 20.15 through 22.9
- Proventia G Series XPU 22.3 through 22.9
- Proventia M Series XPU 1.3 through 1.7
- RealSecure Desktop 7.0 eba through ebh
- RealSecure Desktop 3.6 ebr through ecb
- RealSecure Guard 3.6 ebr through ecb
- RealSecure Sentry 3.6 ebr through ecb
- BlackICE PC Protection 3.6 cbr through ccb
- BlackICE Server Protection 3.6 cbr through ccb
-
---
-Attack Scenarios:
-An attacker may use this vulnerability to disable ISS sensors on a
-network or potentially use it to gain control of a machine running one
-of the affected products.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Matt Watchinski
-Nigel Houghton
-
---
-References:
-
-eEye
-http://www.eeye.com/html/Research/Advisories/AD20040226.html
-
-Bugtraq
-http://www.securityfocus.com/bid/9752
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2404.txt snort-2.9.2/doc/signatures/2404.txt
--- snort-2.8.5.2/doc/signatures/2404.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2404.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,92 +0,0 @@
-Rule:
-
---
-Sid:
-2404
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ISS RealSecure and BlackICE products.
-
---
-Impact:
-Serious. Execution of arbitrary code, DoS.
-
---
-Detailed Information:
-A buffer overflow condition in the ISS Analysis Module can be triggered
-by an attacker sending a single SMB packet containing an AccountName
-greater than 300 bytes. It is possible for an attacker to exploit this
-condition by sending a specially crafted packet to a host serving network shares.
-
-When the systems running one of the affected ISS products decodes the
-SMB data, exploit code may be included and executed on the machine with
-system level privileges. Alternatively, the malformed data may cause the service to become
-unresponsive and cause a DoS condition.
-
-Sensors under attack will display "PAM_internal_error" as a message on
-the console.
-
-Sucessful exploitation of this issue could present an attacker with the
-opportunity to execute code of their choosing on the target host with system
-privileges. It is also possible for a Denial of Service (DoS) condition to
-be caused by an attacker attempting to exploit this condition.
-
---
-Affected Systems:
- RealSecure Network 7.0, XPU 20.15 through 22.9
- Real Secure Server Sensor 7.0 XPU 20.16 through 22.9
- Proventia A Series XPU 20.15 through 22.9
- Proventia G Series XPU 22.3 through 22.9
- Proventia M Series XPU 1.3 through 1.7
- RealSecure Desktop 7.0 eba through ebh
- RealSecure Desktop 3.6 ebr through ecb
- RealSecure Guard 3.6 ebr through ecb
- RealSecure Sentry 3.6 ebr through ecb
- BlackICE PC Protection 3.6 cbr through ccb
- BlackICE Server Protection 3.6 cbr through ccb
-
---
-Attack Scenarios:
-An attacker may use this vulnerability to disable ISS sensors on a
-network or potentially use it to gain control of a machine running one
-of the affected products.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-Data transfer between a Windows 2003 file server and other Windows based
-machines may cause this rule to generate events in some circumstances.
-Ensure that the HOME_NET and EXTERNAL_NET variables are correctly set in
-the snort.conf file to negate the effects of file transfers on local
-subnets.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Matt Watchinski
-Nigel Houghton
-
---
-References:
-
-eEye
-http://www.eeye.com/html/Research/Advisories/AD20040226.html
-
-Bugtraq
-http://www.securityfocus.com/bid/9752
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2405.txt snort-2.9.2/doc/signatures/2405.txt
--- snort-2.8.5.2/doc/signatures/2405.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2405.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,72 +0,0 @@ -Rule: - --- -Sid: -2405 - --- -Summary: -This event is generated when an attempt is made to access the file "phptest.php". -BadBlue Personal Edition 2.4 servers could disclose confidential -information on the software configuration towards an attacker. - --- -Impact: -Information gathering. -This signature is usually indicative of a reconaissance probe. -Succesful exploitation would provide the originator of the attack with the -installation path of the software. - --- -Detailed Information: -Web servers running BadBlue Personal Edition 2.4, a -personal file sharing server, are vulnerable to a path disclosure attack. -When a client requests the phptest.php file from such a server, the source -of the HTTP reply page contains the installation path of the software. -This path can be used as information for further attacks. - --- -Affected Systems: - BadBlue Personal Edition 2.4 - --- -Attack Scenarios: -During the reconaissance phase, an attacker could obtain the installation -path of the BadBlue server. This can become valuable information during -the later execution of directory traversal or buffer overflow attacks. - --- -Ease of Attack: -Simple. - --- -False Positives: -While not a true false positive, many PHP installation howtos advise the -creation of a small file "phptest.php" which contains a call for the -phpinfo() function. When this file is accessed legitimately by -someone testing a fresh install, this signature will also trigger. - -NOTE: The amount of information provided (installation directory, version -numbers, environment variables), could also constitute a vulnerability -if this file is present on a production web server. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
-
---
-Contributors:
-Snort documentation contributed by Maarten Van Horenbeeck
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2406.txt snort-2.9.2/doc/signatures/2406.txt
--- snort-2.8.5.2/doc/signatures/2406.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2406.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2406
-
---
-Summary:
-This event is generated when an attempt is made to access an APC device
-using a known default administrative account and password via Telnet.
-
---
-Impact:
-Serious. Unauthorized administrative access to the device.
-
---
-Detailed Information:
-The APC Management card uses a known default administrative name and
-password. This rule generates an event when these credentials are used
-in a Telnet session. If this account and password have not been changed
-this can lead to unauthorized administrative access to the device.
-
---
-Affected Systems:
- APC WEB/SNMP Management Card (9606) Firmware 3.0 and 3.0.1
-
---
-Attack Scenarios:
-An attacker may try to use this password and username combination to
-gain access to an affected device.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Change the administrative account username and password.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2407.txt snort-2.9.2/doc/signatures/2407.txt
--- snort-2.8.5.2/doc/signatures/2407.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2407.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: -2407 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability on a web server or a web application resident on a web -server. - --- -Impact: -Information gathering and system integrity compromise. This rule generates -an event on a request for the util.pl file, part of the CalaCode @mail -Webmail system. Some versions of this software are vulnerable to a cross -site scripting attack. - --- -Detailed Information: -When accessing the webmail service of @mail, a -cross site scripting bug can be abused in the util.pl file. When -addressing the "settings" bar, Javascript code can be inserted into the -"Displayed Name" field. - -This rule will also trigger on some scripted HTTP vulnerability -scans. Many vulnerability assessment tools include a check which will -verify whether the util.pl file is available on a web server. There are -multiple other known vulnerabilities in version 3.64 of the @mail system, -and the existance of this file would reveal its presence. - --- -Affected Systems: - @mail version 3.64 and prior - --- -Attack Scenarios: -A user can submit malicious Javascript to the "Displayed -Name" field. As usual with most browsers, this script will be executed -within the security context of the web site. The session ID of the -connection, which is available from within this security context, can be -abused by the attacker to obtain access to the session and the user's e-mail account. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. 
- --- -Contributors: -Snort documentation contributed by Maarten Van Horenbeeck, GCIA -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2408.txt snort-2.9.2/doc/signatures/2408.txt --- snort-2.8.5.2/doc/signatures/2408.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2408.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,71 +0,0 @@ -Rule: - --- -Sid: -2408 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability on a web server or a web application resident on a web -server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server. Possible execution of arbitrary code of -the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running a Web server or a vulnerable application on a web server. - -Many known vulnerabilities exist for each implementation and the -attack scenarios are legion. - -Some applications do not perform stringent checks when validating the -credentials of a client host connecting to the services offered on a -host server. This can lead to unauthorized access and possibly escalated -privileges to that of the administrator. Data stored on the machine can -be compromised and trust relationships between the victim server and -other hosts can be exploited by the attacker. - --- -Affected Systems: - All systems using a web server. - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2409.txt snort-2.9.2/doc/signatures/2409.txt --- snort-2.8.5.2/doc/signatures/2409.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2409.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: -2409 - --- -Summary: -This event is generated when an attempt is made to overflow a buffer by -supplying a very long username to an APOP POP3 service. - --- -Impact: -Serious. Several POP3 servers are vulnerable to USER buffer overflows. - --- -Detailed Information: -By supplying more than 626 bytes of data to the APOP USER command on 1st -Class Internet Solutions' 1st Class Mail Server, an attacker may -overflow a buffer resulting in the opportunity to execute code of their -choosing on the targeted machine with the privileges of the user running -the service. - -Other Mail software may be prone to this attack. - --- -Affected Systems: - 1st Class Mail Server - --- -Attack Scenarios: -An attacker may connect to the service and supply an over-long username -to overflow the buffer. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Upgrade to the latest non-affected version of the software. - -Check for other events generated by the source IP address. - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/240.txt snort-2.9.2/doc/signatures/240.txt --- snort-2.8.5.2/doc/signatures/240.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/240.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-240
-
---
-Summary:
-This event is generated when a DDoS Shaft agent communicates with a Shaft handler. It is also possible that this event may be generated when any host attempts to discover a Shaft handler.
-
---
-Impact:
-Attempted DDoS. If the listed source IP is in your network, it may be a Shaft agent or a host attempting to discover Shaft handlers. If the listed destination IP is in your network, it may be a Shaft handler.
-
---
-Detailed Information:
-The Shaft DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. Handlers communicate with agents to direct them to launch attacks. An agent may communicate with a handler using a UDP packet to destination port 20433 with a content of "alive".
-
---
-Affected Systems:
-Any Shaft compromised host.
-
---
-Attack Scenarios:
-A Shaft agent needs to communicate with a handler before it is given directions to launch an attack.
-
---
-Ease of Attack:
-Simple. Shaft code is freely available.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
-
-Rebuild a confirmed compromised host.
-
-Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
-
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS256
-
-Miscellaneous:
-http://biocserver.cwru.edu/~jose/shaft_analysis/
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2410.txt snort-2.9.2/doc/signatures/2410.txt
--- snort-2.8.5.2/doc/signatures/2410.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2410.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2410 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a PHP web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a PHP application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the PHP application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running PHP applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying PHP script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2411.txt snort-2.9.2/doc/signatures/2411.txt --- snort-2.8.5.2/doc/signatures/2411.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2411.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,66 +0,0 @@ -Rule: - --- -Sid: -2411 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in RealNetworks Helix Media Server. - --- -Impact: -Serious. Execution of arbitrary code is possible. - --- -Detailed Information: -Versions of RealNetworks Helix Media Server and RealSystem Server are -vulnerable to a buffer overflow condition that may present the attacker -with the opportunity to execute code of their choosing on the target -system. - -This may then present the attacker with the opportunity to gain a remote -root shell, thus compromising the system. - --- -Affected Systems: - Helix Universal Server 9.01, versions 9.0.2.794 and earlier - RealSystem Server 8.0 & 7.0 - --- -Attack Scenarios: -The attacker may probe for the existence of an affected server and then -use one of the publicly available scripts to exploit the service. - --- -Ease of Attack: -Simple. Exploits exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - -RealNetworks -http://www.service.real.com/help/faq/security/rootexploit091103.html - --- diff -Nru snort-2.8.5.2/doc/signatures/2412.txt snort-2.9.2/doc/signatures/2412.txt --- snort-2.8.5.2/doc/signatures/2412.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2412.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,58 +0,0 @@ -Rule: - --- -Sid: -2412 - --- -Summary: -This event is generated when a cross-site scripting attempt using -RealNetworks RealPlayer has been successful. - --- -Impact: -Cross site scripting, information disclosure. - --- -Detailed Information: -A vulnerability exists in versions of RealPlayer from RealNetworks that -may allow a remote attacker to launch a sucessful cross-site scripting -attack against a host running the application. - -This event is indicative of a successful attack. - --- -Affected Systems: - RealNetworks RealPlayer - --- -Attack Scenarios: -An attacker can supply a malformed file to the client making the request -and use the vulnerability to gain sensitive information from the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2413.txt snort-2.9.2/doc/signatures/2413.txt --- snort-2.8.5.2/doc/signatures/2413.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2413.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2413 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the handling of ISAKMP data and SA keys. - --- -Impact: -Serious - --- -Detailed Information: -The Internet Security Association and Key Management Protocol (ISAKMP) -is used as a framework for an authentication method between peers using -secure keys. - -ISAKMP is a framework for authentication using cryptographic keys. It -specifically defines the process of key exchange as opposed to the -generation of a cryptographic key. - -ISAKMP also details the procedures for the required security -associations in network security services. - --- -Affected Systems: - Kame Racoon - --- -Attack Scenarios: -The attacker may attempt to delete keys and security associations in -hosts running the KAME IKE Daemon. - --- -Ease of Attack: -Simple - --- -False Positives: -None known. - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -ISAKMP: -http://www.networksorcery.com/enp/protocol/isakmp.htm - -RFC: -http://www.ietf.org/rfc/rfc2407.txt -http://www.ietf.org/rfc/rfc2408.txt - -IANA: -http://www.iana.org/assignments/isakmp-registry - --- diff -Nru snort-2.8.5.2/doc/signatures/2414.txt snort-2.9.2/doc/signatures/2414.txt --- snort-2.8.5.2/doc/signatures/2414.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2414.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2414 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the handling of ISAKMP data and SA keys. - --- -Impact: -Serious - --- -Detailed Information: -The Internet Security Association and Key Management Protocol (ISAKMP) -is used as a framework for an authentication method between peers using -secure keys. - -ISAKMP is a framework for authentication using cryptographic keys. It -specifically defines the process of key exchange as opposed to the -generation of a cryptographic key. - -ISAKMP also details the procedures for the required security -associations in network security services. - --- -Affected Systems: - Kame Racoon - --- -Attack Scenarios: -The attacker may attempt to delete keys and security associations in -hosts running the KAME IKE Daemon. - --- -Ease of Attack: -Simple - --- -False Positives: -None known. - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -ISAKMP: -http://www.networksorcery.com/enp/protocol/isakmp.htm - -RFC: -http://www.ietf.org/rfc/rfc2407.txt -http://www.ietf.org/rfc/rfc2408.txt - -IANA: -http://www.iana.org/assignments/isakmp-registry - --- diff -Nru snort-2.8.5.2/doc/signatures/2415.txt snort-2.9.2/doc/signatures/2415.txt --- snort-2.8.5.2/doc/signatures/2415.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2415.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2415 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the handling of ISAKMP data and SA keys. - --- -Impact: -Serious - --- -Detailed Information: -The Internet Security Association and Key Management Protocol (ISAKMP) -is used as a framework for an authentication method between peers using -secure keys. - -ISAKMP is a framework for authentication using cryptographic keys. It -specifically defines the process of key exchange as opposed to the -generation of a cryptographic key. - -ISAKMP also details the procedures for the required security -associations in network security services. - --- -Affected Systems: - Kame Racoon - --- -Attack Scenarios: -The attacker may attempt to delete keys and security associations in -hosts running the KAME IKE Daemon. - --- -Ease of Attack: -Simple - --- -False Positives: -None known. - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -ISAKMP: -http://www.networksorcery.com/enp/protocol/isakmp.htm - -RFC: -http://www.ietf.org/rfc/rfc2407.txt -http://www.ietf.org/rfc/rfc2408.txt - -IANA: -http://www.iana.org/assignments/isakmp-registry - --- diff -Nru snort-2.8.5.2/doc/signatures/2416.txt snort-2.9.2/doc/signatures/2416.txt --- snort-2.8.5.2/doc/signatures/2416.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2416.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -2416 - --- -Summary: -This event is generated when activity relating to spurious ftp traffic -is detected on the network. - --- -Impact: -Varies from information gathering to a serious compromise of an ftp -server. - --- -Detailed Information: -FTP is used to transfer files between hosts. This event is indicative of -spurious activity in FTP traffic between hosts. - -The event may be the result of a transfer of a known protected file or -it could be an attempt to compromise the FTP server by overflowing a -buffer in the FTP daemon or service. - --- -Attack Scenarios: -A user may transfer sensitive company information to an external party -using FTP. - -An attacker might utilize a vulnerability in an FTP daemon to gain -access to a host, then upload a Trojan Horse program to gain control of -that host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disallow access to FTP resources from hosts external to the protected -network. - -Use secure shell (ssh) to transfer files as a replacement for FTP. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2417.txt snort-2.9.2/doc/signatures/2417.txt --- snort-2.8.5.2/doc/signatures/2417.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2417.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -2417 - --- -Summary: -This event is generated when activity relating to spurious ftp traffic -is detected on the network. - --- -Impact: -Varies from information gathering to a serious compromise of an ftp -server. - --- -Detailed Information: -FTP is used to transfer files between hosts. This event is indicative of -spurious activity in FTP traffic between hosts. - -The event may be the result of a transfer of a known protected file or -it could be an attempt to compromise the FTP server by overflowing a -buffer in the FTP daemon or service. - --- -Attack Scenarios: -A user may transfer sensitive company information to an external party -using FTP. - -An attacker might utilize a vulnerability in an FTP daemon to gain -access to a host, then upload a Trojan Horse program to gain control of -that host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disallow access to FTP resources from hosts external to the protected -network. - -Use secure shell (ssh) to transfer files as a replacement for FTP. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2418.txt snort-2.9.2/doc/signatures/2418.txt --- snort-2.8.5.2/doc/signatures/2418.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2418.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,54 +0,0 @@
-Rule:
-
---
-Sid:
-
---
-Summary:
-This event is generated when an attempt is made to connect to a
-Microsoft Terminal Server without using encryption.
-
---
-Impact:
-Serious. Denial of Service.
-
---
-Detailed Information:
-Microsoft Windows Terminal Server for NT systems fails to correctly
-validate RDP data from client machines that do not use encryption.
-
---
-Affected Systems:
- Microsoft Windows Terminal Server
-
---
-Attack Scenarios:
-An attacker can use one of the publicly available exploit scripts to
-cause the DoS.
-
---
-Ease of Attack:
-Simple. Exploit software exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2419.txt snort-2.9.2/doc/signatures/2419.txt
--- snort-2.8.5.2/doc/signatures/2419.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2419.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2419 - --- -Summary: -This event is generated when an attempt is made to download a file that -may be an attack vector for a known exploit to a vulnerability in Real -Networks RealPlayer/RealOne player. - --- -Impact: -Serious. Execution of arbitrary code. - --- -Detailed Information: -RealNetworks RealPlayer/RealOne player is a streaming media player for -Microsoft Windows, Apple Macintosh and UNIX/Linux based operating systems. - -A buffer overrun condition is present in some versions of the player -that may present a remote attacker with the opportunity to execute code -of their choosing on a client using one of these players. - --- -Affected Systems: - Real Networks RealOne Desktop Manager - Real Networks RealOne Enterprise Desktop 6.0.11 .774 - Real Networks RealOne Player 1.0 - Real Networks RealOne Player 2.0 - Real Networks RealOne Player 6.0.11 .868 - Real Networks RealOne Player version 2.0 for Windows - Real Networks RealPlayer 8.0 Win32 - Real Networks RealPlayer 8.0 Unix - Real Networks RealPlayer 8.0 Mac - Real Networks RealPlayer 10.0 BETA - --- -Attack Scenarios: -An attacker may supply a malformed file to the client to exploit the -issue. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/241.txt snort-2.9.2/doc/signatures/241.txt --- snort-2.8.5.2/doc/signatures/241.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/241.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Rule: --- -Sid: -241 - --- -Summary: -This event is generated when a DDoS Shaft handler agent launchs a SYN flood against a target. - --- -Impact: -Attempted DDoS. If the listed source IP is in your network, it may be a Shaft agent. If the listed destination IP is in your network, your host may be a target of a DDoS SYN flood. - --- -Detailed Information: -The Shaft DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. Agents are hosts that are directed to launch attacks. One type of attack that may be launched is a SYN flood of a target. The SYN packets have a telltale initial sequence number of 674711609. - --- -Affected Systems: -Any Shaft compromised host. - --- -Attack Scenarios: -A Shaft agent may attack a target using a SYN flood. - --- -Ease of Attack: -Simple. Shaft code is freely available. - --- -False Positives: -It is possible that an innocuous SYN packet will have a sequence number of 674711609. - --- -False Negatives: -None Known. - --- -Corrective Action: -Perform proper forensic analysis on the suspected compromised host to discover the means of compromise. - -Rebuild a confirmed compromised host. - -Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised. - - --- -Contributors: -Original rule written by Max Vision -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS253 - -Miscellaneous: -http://biocserver.cwru.edu/~jose/shaft_analysis/ - - --- diff -Nru snort-2.8.5.2/doc/signatures/2420.txt snort-2.9.2/doc/signatures/2420.txt --- snort-2.8.5.2/doc/signatures/2420.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2420.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2420 - --- -Summary: -This event is generated when an attempt is made to download a file that -may be an attack vector for a known exploit to a vulnerability in Real -Networks RealPlayer/RealOne player. - --- -Impact: -Serious. Execution of arbitrary code. - --- -Detailed Information: -RealNetworks RealPlayer/RealOne player is a streaming media player for -Microsoft Windows, Apple Macintosh and UNIX/Linux based operating systems. - -A buffer overrun condition is present in some versions of the player -that may present a remote attacker with the opportunity to execute code -of their choosing on a client using one of these players. - --- -Affected Systems: - Real Networks RealOne Desktop Manager - Real Networks RealOne Enterprise Desktop 6.0.11 .774 - Real Networks RealOne Player 1.0 - Real Networks RealOne Player 2.0 - Real Networks RealOne Player 6.0.11 .868 - Real Networks RealOne Player version 2.0 for Windows - Real Networks RealPlayer 8.0 Win32 - Real Networks RealPlayer 8.0 Unix - Real Networks RealPlayer 8.0 Mac - Real Networks RealPlayer 10.0 BETA - --- -Attack Scenarios: -An attacker may supply a malformed file to the client to exploit the -issue. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2421.txt snort-2.9.2/doc/signatures/2421.txt --- snort-2.8.5.2/doc/signatures/2421.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2421.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2421 - --- -Summary: -This event is generated when an attempt is made to download a file that -may be an attack vector for a known exploit to a vulnerability in Real -Networks RealPlayer/RealOne player. - --- -Impact: -Serious. Execution of arbitrary code. - --- -Detailed Information: -RealNetworks RealPlayer/RealOne player is a streaming media player for -Microsoft Windows, Apple Macintosh and UNIX/Linux based operating systems. - -A buffer overrun condition is present in some versions of the player -that may present a remote attacker with the opportunity to execute code -of their choosing on a client using one of these players. - --- -Affected Systems: - Real Networks RealOne Desktop Manager - Real Networks RealOne Enterprise Desktop 6.0.11 .774 - Real Networks RealOne Player 1.0 - Real Networks RealOne Player 2.0 - Real Networks RealOne Player 6.0.11 .868 - Real Networks RealOne Player version 2.0 for Windows - Real Networks RealPlayer 8.0 Win32 - Real Networks RealPlayer 8.0 Unix - Real Networks RealPlayer 8.0 Mac - Real Networks RealPlayer 10.0 BETA - --- -Attack Scenarios: -An attacker may supply a malformed file to the client to exploit the -issue. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2422.txt snort-2.9.2/doc/signatures/2422.txt --- snort-2.8.5.2/doc/signatures/2422.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2422.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2422
-
---
-Summary:
-This event is generated when an attempt is made to download a file that
-may be an attack vector for a known exploit to a vulnerability in Real
-Networks RealPlayer/RealOne player.
-
---
-Impact:
-Serious. Execution of arbitrary code.
-
---
-Detailed Information:
-RealNetworks RealPlayer/RealOne player is a streaming media player for
-Microsoft Windows, Apple Macintosh and UNIX/Linux based operating systems.
-
-A buffer overrun condition is present in some versions of the player
-that may present a remote attacker with the opportunity to execute code
-of their choosing on a client using one of these players.
-
---
-Affected Systems:
- Real Networks RealOne Desktop Manager
- Real Networks RealOne Enterprise Desktop 6.0.11 .774
- Real Networks RealOne Player 1.0
- Real Networks RealOne Player 2.0
- Real Networks RealOne Player 6.0.11 .868
- Real Networks RealOne Player version 2.0 for Windows
- Real Networks RealPlayer 8.0 Win32
- Real Networks RealPlayer 8.0 Unix
- Real Networks RealPlayer 8.0 Mac
- Real Networks RealPlayer 10.0 BETA
-
---
-Attack Scenarios:
-An attacker may supply a malformed file to the client to exploit the
-issue.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2423.txt snort-2.9.2/doc/signatures/2423.txt
--- snort-2.8.5.2/doc/signatures/2423.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2423.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2423
-
---
-Summary:
-This event is generated when an attempt is made to download a file that
-may be an attack vector for a known exploit to a vulnerability in Real
-Networks RealPlayer/RealOne player.
-
---
-Impact:
-Serious. Execution of arbitrary code.
-
---
-Detailed Information:
-RealNetworks RealPlayer/RealOne player is a streaming media player for
-Microsoft Windows, Apple Macintosh and UNIX/Linux based operating systems.
-
-A buffer overrun condition is present in some versions of the player
-that may present a remote attacker with the opportunity to execute code
-of their choosing on a client using one of these players.
-
---
-Affected Systems:
- Real Networks RealOne Desktop Manager
- Real Networks RealOne Enterprise Desktop 6.0.11 .774
- Real Networks RealOne Player 1.0
- Real Networks RealOne Player 2.0
- Real Networks RealOne Player 6.0.11 .868
- Real Networks RealOne Player version 2.0 for Windows
- Real Networks RealPlayer 8.0 Win32
- Real Networks RealPlayer 8.0 Unix
- Real Networks RealPlayer 8.0 Mac
- Real Networks RealPlayer 10.0 BETA
-
---
-Attack Scenarios:
-An attacker may supply a malformed file to the client to exploit the
-issue.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2424.txt snort-2.9.2/doc/signatures/2424.txt
--- snort-2.8.5.2/doc/signatures/2424.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2424.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2424
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ISC INN Usenet/NNTP server.
-
---
-Impact:
-Execution of arbitrary code is possible.
-
---
-Detailed Information:
-A vulnerability exists in the network news transport protocol server
-from ISC. It may be possible for a remote attacker to exploit a buffer
-overflow condition in the software to execute code of the attackers
-choosing with the privileges of the user running the daemon.
-
---
-Affected Systems:
- ISC INN 2.4 .0
-
---
-Attack Scenarios:
-An attacker may send specially crafted packets to a vulnerable system to
-cause the overflow condition to occur. Once successful the attacker may
-attempt to escalate privileges by using further local exploits.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2425.txt snort-2.9.2/doc/signatures/2425.txt
--- snort-2.8.5.2/doc/signatures/2425.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2425.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2425
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ISC INN Usenet/NNTP server.
-
---
-Impact:
-Execution of arbitrary code is possible.
-
---
-Detailed Information:
-A vulnerability exists in the network news transport protocol server
-from ISC. It may be possible for a remote attacker to exploit a buffer
-overflow condition in the software to execute code of the attackers
-choosing with the privileges of the user running the daemon.
-
---
-Affected Systems:
- ISC INN 2.4 .0
-
---
-Attack Scenarios:
-An attacker may send specially crafted packets to a vulnerable system to
-cause the overflow condition to occur. Once successful the attacker may
-attempt to escalate privileges by using further local exploits.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2426.txt snort-2.9.2/doc/signatures/2426.txt
--- snort-2.8.5.2/doc/signatures/2426.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2426.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2426
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ISC INN Usenet/NNTP server.
-
---
-Impact:
-Execution of arbitrary code is possible.
-
---
-Detailed Information:
-A vulnerability exists in the network news transport protocol server
-from ISC. It may be possible for a remote attacker to exploit a buffer
-overflow condition in the software to execute code of the attackers
-choosing with the privileges of the user running the daemon.
-
---
-Affected Systems:
- ISC INN 2.4 .0
-
---
-Attack Scenarios:
-An attacker may send specially crafted packets to a vulnerable system to
-cause the overflow condition to occur. Once successful the attacker may
-attempt to escalate privileges by using further local exploits.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2427.txt snort-2.9.2/doc/signatures/2427.txt
--- snort-2.8.5.2/doc/signatures/2427.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2427.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2427
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ISC INN Usenet/NNTP server.
-
---
-Impact:
-Execution of arbitrary code is possible.
-
---
-Detailed Information:
-A vulnerability exists in the network news transport protocol server
-from ISC. It may be possible for a remote attacker to exploit a buffer
-overflow condition in the software to execute code of the attackers
-choosing with the privileges of the user running the daemon.
-
---
-Affected Systems:
- ISC INN 2.4 .0
-
---
-Attack Scenarios:
-An attacker may send specially crafted packets to a vulnerable system to
-cause the overflow condition to occur. Once successful the attacker may
-attempt to escalate privileges by using further local exploits.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2428.txt snort-2.9.2/doc/signatures/2428.txt
--- snort-2.8.5.2/doc/signatures/2428.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2428.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2428
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ISC INN Usenet/NNTP server.
-
---
-Impact:
-Execution of arbitrary code is possible.
-
---
-Detailed Information:
-A vulnerability exists in the network news transport protocol server
-from ISC. It may be possible for a remote attacker to exploit a buffer
-overflow condition in the software to execute code of the attackers
-choosing with the privileges of the user running the daemon.
-
---
-Affected Systems:
- ISC INN 2.4 .0
-
---
-Attack Scenarios:
-An attacker may send specially crafted packets to a vulnerable system to
-cause the overflow condition to occur. Once successful the attacker may
-attempt to escalate privileges by using further local exploits.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2429.txt snort-2.9.2/doc/signatures/2429.txt
--- snort-2.8.5.2/doc/signatures/2429.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2429.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2429
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ISC INN Usenet/NNTP server.
-
---
-Impact:
-Execution of arbitrary code is possible.
-
---
-Detailed Information:
-A vulnerability exists in the network news transport protocol server
-from ISC. It may be possible for a remote attacker to exploit a buffer
-overflow condition in the software to execute code of the attackers
-choosing with the privileges of the user running the daemon.
-
---
-Affected Systems:
- ISC INN 2.4 .0
-
---
-Attack Scenarios:
-An attacker may send specially crafted packets to a vulnerable system to
-cause the overflow condition to occur. Once successful the attacker may
-attempt to escalate privileges by using further local exploits.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2430.txt snort-2.9.2/doc/signatures/2430.txt
--- snort-2.8.5.2/doc/signatures/2430.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2430.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2430
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ISC INN Usenet/NNTP server.
-
---
-Impact:
-Execution of arbitrary code is possible.
-
---
-Detailed Information:
-A vulnerability exists in the network news transport protocol server
-from ISC. It may be possible for a remote attacker to exploit a buffer
-overflow condition in the software to execute code of the attackers
-choosing with the privileges of the user running the daemon.
-
---
-Affected Systems:
- ISC INN 2.4 .0
-
---
-Attack Scenarios:
-An attacker may send specially crafted packets to a vulnerable system to
-cause the overflow condition to occur. Once successful the attacker may
-attempt to escalate privileges by using further local exploits.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2431.txt snort-2.9.2/doc/signatures/2431.txt
--- snort-2.8.5.2/doc/signatures/2431.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2431.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2431
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ISC INN Usenet/NNTP server.
-
---
-Impact:
-Execution of arbitrary code is possible.
-
---
-Detailed Information:
-A vulnerability exists in the network news transport protocol server
-from ISC. It may be possible for a remote attacker to exploit a buffer
-overflow condition in the software to execute code of the attackers
-choosing with the privileges of the user running the daemon.
-
---
-Affected Systems:
- ISC INN 2.4 .0
-
---
-Attack Scenarios:
-An attacker may send specially crafted packets to a vulnerable system to
-cause the overflow condition to occur. Once successful the attacker may
-attempt to escalate privileges by using further local exploits.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2432.txt snort-2.9.2/doc/signatures/2432.txt
--- snort-2.8.5.2/doc/signatures/2432.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2432.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2432
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ISC INN Usenet/NNTP server.
-
---
-Impact:
-Denial of Service. Execution of arbitrary code is possible.
-
---
-Detailed Information:
-A vulnerability exists in the network news transport protocol server
-from ISC. It may be possible for a remote attacker to exploit a buffer
-overflow condition in the software to execute code of the attackers
-choosing with the privileges of the user running the daemon.
-
---
-Affected Systems:
- ISC INN 2.4 .0
-
---
-Attack Scenarios:
-An attacker may send specially crafted packets to a vulnerable system to
-cause the overflow condition to occur. Once successful the attacker may
-attempt to escalate privileges by using further local exploits.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2433.txt snort-2.9.2/doc/signatures/2433.txt
--- snort-2.8.5.2/doc/signatures/2433.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2433.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,79 +0,0 @@
-Rule:
-
---
-Sid:
-2433
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Possible unauthorized administrative access to the server or application.
-Possible execution of arbitrary code of the attackers choosing.
-
---
-Detailed Information:
-MDaemon is mail server software for Microsoft Windows systems. It uses a
-CGI web interface to send email. The email form used to submit the
-message does not properly check user supplied input. This may result in
-an attacker being able to supply a "From" field larger than 249 bytes
-which may in turn cause an error condition to occur in the executable
-file handling the form input. This error may present the attacker with
-the opportunity to gain administrative access to the server and also
-execute code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running on a web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- Alt-N MDaemon 6.5.2
- Alt-N MDaemon 6.7.5, 6.7.9
- Alt-N MDaemon 6.8.0 through 6.8.5
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2434.txt snort-2.9.2/doc/signatures/2434.txt
--- snort-2.8.5.2/doc/signatures/2434.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2434.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,79 +0,0 @@
-Rule:
-
---
-Sid:
-2434
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Possible unauthorized administrative access to the server or application.
-Possible execution of arbitrary code of the attackers choosing.
-
---
-Detailed Information:
-MDaemon is mail server software for Microsoft Windows systems. It uses a
-CGI web interface to send email. The email form used to submit the
-message does not properly check user supplied input. This may result in
-an attacker being able to supply a "From" field larger than 249 bytes
-which may in turn cause an error condition to occur in the executable
-file handling the form input. This error may present the attacker with
-the opportunity to gain administrative access to the server and also
-execute code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running on a web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- Alt-N MDaemon 6.5.2
- Alt-N MDaemon 6.7.5, 6.7.9
- Alt-N MDaemon 6.8.0 through 6.8.5
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2435.txt snort-2.9.2/doc/signatures/2435.txt
--- snort-2.8.5.2/doc/signatures/2435.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2435.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-2435
-
---
-Summary:
-This event is generated when an attempt is made to access a file type
-that may be subject to a known vulnerability in Microsoft Windows Explorer.
-
---
-Impact:
-Denial of Service (DoS) possible execution of arbitrary code.
-
---
-Detailed Information:
-When processing Windows Extended Metafile Format (.emf) files, Windows
-Explorer sets a buffer size based on information in the header for the
-file. If a malformed header is sent, it may be possible for an attacker
-to cause a DoS condition to occur. It may also be possible for an
-attacker to execute code of their choosing on a vulnerable host.
-
-This issue may also affect Microsoft Windows Metafile Format (.wmf)
-files also.
-
---
-Affected Systems:
- Microsoft Windows XP Home, Professional and Media Center Edition
- Microsoft Windows XP Home and Professional SP-1
-
---
-Attack Scenarios:
-An attacker might supply a specially crafted request for such a file
-that might cause the error condiion to occur.
-
---
-Ease of Attack:
-Moderate/Difficult
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2436.txt snort-2.9.2/doc/signatures/2436.txt
--- snort-2.8.5.2/doc/signatures/2436.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2436.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-2436
-
---
-Summary:
-This event is generated when an attempt is made to access a file type
-that may be subject to a known vulnerability in Microsoft Windows Explorer.
-
---
-Impact:
-Denial of Service (DoS) possible execution of arbitrary code.
-
---
-Detailed Information:
-When processing Windows Extended Metafile Format (.emf) files, Windows
-Explorer sets a buffer size based on information in the header for the
-file. If a malformed header is sent, it may be possible for an attacker
-to cause a DoS condition to occur. It may also be possible for an
-attacker to execute code of their choosing on a vulnerable host.
-
-This issue may also affect Microsoft Windows Metafile Format (.wmf)
-files also.
-
---
-Affected Systems:
- Microsoft Windows XP Home, Professional and Media Center Edition
- Microsoft Windows XP Home and Professional SP-1
-
---
-Attack Scenarios:
-An attacker might supply a specially crafted request for such a file
-that might cause the error condiion to occur.
-
---
-Ease of Attack:
-Moderate/Difficult
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2437.txt snort-2.9.2/doc/signatures/2437.txt
--- snort-2.8.5.2/doc/signatures/2437.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2437.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2437
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in RealOne Player.
-
---
-Impact:
-Serious. Execution of arbitrary code is possible.
-
---
-Detailed Information:
-It may be possible for an attacker to execute code of their choosing by
-using a vulnerability in RealOne Player from RealNetworks. If a
-malicious URI is embedded in a SMIL presentation that points to script
-of the attackers choosing, the code may be executed with privileges
-assigned to the "My Computer" zone.
-
---
-Affected Systems:
- RealOne Player for Windows
-
---
-Attack Scenarios:
-An attacker could embed a URI of their choosing in a presentation and
-entice a user to click the link from within RealOne Player. The code
-referenced by this URI would then be executed on the client machine.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2438.txt snort-2.9.2/doc/signatures/2438.txt
--- snort-2.8.5.2/doc/signatures/2438.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2438.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2438
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Real Networks RealPlayer/RealOne player.
-
---
-Impact:
-Serious. Execution of arbitrary code.
-
---
-Detailed Information:
-RealNetworks RealPlayer/RealOne player is a streaming media player for
-Microsoft Windows, Apple Macintosh and UNIX/Linux based operating systems.
-
-A buffer overrun condition is present in some versions of the player
-that may present a remote attacker with the opportunity to execute code
-of their choosing on a client using one of these players.
-
---
-Affected Systems:
- Real Networks RealOne Desktop Manager
- Real Networks RealOne Enterprise Desktop 6.0.11 .774
- Real Networks RealOne Player 1.0
- Real Networks RealOne Player 2.0
- Real Networks RealOne Player 6.0.11 .868
- Real Networks RealOne Player version 2.0 for Windows
- Real Networks RealPlayer 8.0 Win32
- Real Networks RealPlayer 8.0 Unix
- Real Networks RealPlayer 8.0 Mac
- Real Networks RealPlayer 10.0 BETA
-
---
-Attack Scenarios:
-An attacker may supply a malformed file to the client to exploit the
-issue.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2439.txt snort-2.9.2/doc/signatures/2439.txt
--- snort-2.8.5.2/doc/signatures/2439.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2439.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2439
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Real Networks RealPlayer/RealOne player.
-
---
-Impact:
-Serious. Execution of arbitrary code.
-
---
-Detailed Information:
-RealNetworks RealPlayer/RealOne player is a streaming media player for
-Microsoft Windows, Apple Macintosh and UNIX/Linux based operating systems.
-
-A buffer overrun condition is present in some versions of the player
-that may present a remote attacker with the opportunity to execute code
-of their choosing on a client using one of these players.
-
---
-Affected Systems:
- Real Networks RealOne Desktop Manager
- Real Networks RealOne Enterprise Desktop 6.0.11 .774
- Real Networks RealOne Player 1.0
- Real Networks RealOne Player 2.0
- Real Networks RealOne Player 6.0.11 .868
- Real Networks RealOne Player version 2.0 for Windows
- Real Networks RealPlayer 8.0 Win32
- Real Networks RealPlayer 8.0 Unix
- Real Networks RealPlayer 8.0 Mac
- Real Networks RealPlayer 10.0 BETA
-
---
-Attack Scenarios:
-An attacker may supply a malformed file to the client to exploit the
-issue.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/243.txt snort-2.9.2/doc/signatures/243.txt
--- snort-2.8.5.2/doc/signatures/243.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/243.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-243
-
---
-Summary:
-This event is generated when the mstream DDoS tool is used.
-
---
-Impact:
-Severe. This indicates a host may have been compromised and mstream may have been installed.
-
---
-Detailed Information:
-The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack.
-
-There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack. An agent will attempt to contact its known handlers using a UDP packet to destination port 6838 with a string of "newserver" in the payload.
-
---
-Affected Systems:
-Any mstream compromised host.
-
---
-Attack Scenarios:
-After a host becomes a mstream agent, it will attempt to communicate with its known handlers.
-
---
-Ease of Attack:
-Simple. mstream code is freely available.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-There may be ports other than 6838 used for agent-to-handler communications.
-
---
-Corrective Action:
-Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
-
-Rebuild a confirmed compromised host.
-
-Use a packet filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-NAI:
-http://vil.nai.com/vil/content/v_98662.htm
-SecurityFocus:
-http://www.securityfocus.com/archive/82/58040
-CERT:
-http://www.cert.org/incident_notes/IN-2000-05.html
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2440.txt snort-2.9.2/doc/signatures/2440.txt
--- snort-2.8.5.2/doc/signatures/2440.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2440.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2440
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Real Networks RealPlayer/RealOne player.
-
---
-Impact:
-Serious. Execution of arbitrary code.
-
---
-Detailed Information:
-RealNetworks RealPlayer/RealOne player is a streaming media player for
-Microsoft Windows, Apple Macintosh and UNIX/Linux based operating systems.
-
-A buffer overrun condition is present in some versions of the player
-that may present a remote attacker with the opportunity to execute code
-of their choosing on a client using one of these players.
-
---
-Affected Systems:
- Real Networks RealOne Desktop Manager
- Real Networks RealOne Enterprise Desktop 6.0.11 .774
- Real Networks RealOne Player 1.0
- Real Networks RealOne Player 2.0
- Real Networks RealOne Player 6.0.11 .868
- Real Networks RealOne Player version 2.0 for Windows
- Real Networks RealPlayer 8.0 Win32
- Real Networks RealPlayer 8.0 Unix
- Real Networks RealPlayer 8.0 Mac
- Real Networks RealPlayer 10.0 BETA
-
---
-Attack Scenarios:
-An attacker may supply a malformed file to the client to exploit the
-issue.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2441.txt snort-2.9.2/doc/signatures/2441.txt
--- snort-2.8.5.2/doc/signatures/2441.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2441.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -2441 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in ExploreAnywhere Software's NETObserve. - --- -Impact: -Execution of commands or control of remote machines being managed by the -software. - --- -Detailed Information: -NETObserve is a software solution that can be used to remotely monitor -and control Windows based machines. It's interface is accessed via HTTP. - -By setting a cookie value, used to send login information to NETObserve, -to 0 an attacker can bypass any checks on login credentials. This can -present the attacker with administrative privileges to the NETObserve -application which can be used to manage other remote client machines. - --- -Affected Systems: - NETObserve - --- -Attack Scenarios: -An attacker can set 'Cookie login:0' in a web request to the -administrative interface and gain administrator access to the -application. - --- -Ease of Attack: -Simple. No exploit software required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2442.txt snort-2.9.2/doc/signatures/2442.txt --- snort-2.8.5.2/doc/signatures/2442.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2442.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -2442 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Apple Quicktime/Darwin Streaming Server. - --- -Impact: -Denial of Service (DoS). - --- -Detailed Information: -The Apple Quicktime Streaming Server is used to serve client machines -with streaming media content using TCP/IP. A vulnerability exists in the -processing of client requests that can cause a DoS. - -An overly long User-Agent field in DESCRIBE requests to the server can -cause this condition to occur. - --- -Affected Systems: - Apple Darwin Streaming Server 4.1.3 - Apple Quicktime Streaming Server 4.1.3 - --- -Attack Scenarios: -An attacker can supply a user agent field in excess of 255 characters in -a DESCRIBE request to trigger the DoS condition. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2443.txt snort-2.9.2/doc/signatures/2443.txt --- snort-2.8.5.2/doc/signatures/2443.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2443.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,82 +0,0 @@ -Rule: - --- -Sid: -2443 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in multiple versions of Internet Security Systems software. - --- -Impact: -Serious. Execution of arbitrary code is possible leading to unauthorized -access to the affected host. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in the way that multiple ISS products parse ICQ -messages. This can lead to execution of arbitrary code on hosts using -the affected products. - -Due to insufficient bounds checking when ISS products parse protocol -fields in ICQ SRV_META_USER data, a buffer overflow condition can be -exploited to give an attacker the opportunity to execute arbitrary code -and gain unauthorized administrative access to the host. - -It is possible that this condition can be exploited without the need for -an established and valid ICQ session. The attacker could create packets -originating from a host on port 4000 and send specially crafted data to -exploit the condition. - --- -Affected Systems: - RealSecure Network 7.0, XPU 22.11 and prior - RealSecure Server Sensor 7.0 XPU 22.11 and prior - RealSecure Server Sensor 6.5 for Windows SR 3.10 and prior - Proventia A Series XPU 22.11 and prior - Proventia G Series XPU 22.11 and prior - Proventia M Series XPU 1.9 and prior - RealSecure Desktop 7.0 ebl and prior - RealSecure Desktop 3.6 ecf and prior - RealSecure Guard 3.6 ecf and prior - RealSecure Sentry 3.6 ecf and prior - BlackICE Agent for Server 3.6 ecf and prior - BlackICE PC Protection 3.6 ccf and prior - BlackICE Server Protection 3.6 ccf and prior - --- -Attack Scenarios: -An attacker may send specially crafted packets to a vulnerable system to -cause the overflow condition to occur. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. 
- -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/2444.txt snort-2.9.2/doc/signatures/2444.txt --- snort-2.8.5.2/doc/signatures/2444.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2444.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,82 +0,0 @@ -Rule: - --- -Sid: -2444 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in multiple versions of Internet Security Systems software. - --- -Impact: -Serious. Execution of arbitrary code is possible leading to unauthorized -access to the affected host. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in the way that multiple ISS products parse ICQ -messages. This can lead to execution of arbitrary code on hosts using -the affected products. - -Due to insufficient bounds checking when ISS products parse protocol -fields in ICQ SRV_META_USER data, a buffer overflow condition can be -exploited to give an attacker the opportunity to execute arbitrary code -and gain unauthorized administrative access to the host. - -It is possible that this condition can be exploited without the need for -an established and valid ICQ session. The attacker could create packets -originating from a host on port 4000 and send specially crafted data to -exploit the condition. - --- -Affected Systems: - RealSecure Network 7.0, XPU 22.11 and prior - RealSecure Server Sensor 7.0 XPU 22.11 and prior - RealSecure Server Sensor 6.5 for Windows SR 3.10 and prior - Proventia A Series XPU 22.11 and prior - Proventia G Series XPU 22.11 and prior - Proventia M Series XPU 1.9 and prior - RealSecure Desktop 7.0 ebl and prior - RealSecure Desktop 3.6 ecf and prior - RealSecure Guard 3.6 ecf and prior - RealSecure Sentry 3.6 ecf and prior - BlackICE Agent for Server 3.6 ecf and prior - BlackICE PC Protection 3.6 ccf and prior - BlackICE Server Protection 3.6 ccf and prior - --- -Attack Scenarios: -An attacker may send specially crafted packets to a vulnerable system to -cause the overflow condition to occur. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. 
- -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/2445.txt snort-2.9.2/doc/signatures/2445.txt --- snort-2.8.5.2/doc/signatures/2445.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2445.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,82 +0,0 @@ -Rule: - --- -Sid: -2445 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in multiple versions of Internet Security Systems software. - --- -Impact: -Serious. Execution of arbitrary code is possible leading to unauthorized -access to the affected host. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in the way that multiple ISS products parse ICQ -messages. This can lead to execution of arbitrary code on hosts using -the affected products. - -Due to insufficient bounds checking when ISS products parse protocol -fields in ICQ SRV_META_USER data, a buffer overflow condition can be -exploited to give an attacker the opportunity to execute arbitrary code -and gain unauthorized administrative access to the host. - -It is possible that this condition can be exploited without the need for -an established and valid ICQ session. The attacker could create packets -originating from a host on port 4000 and send specially crafted data to -exploit the condition. - --- -Affected Systems: - RealSecure Network 7.0, XPU 22.11 and prior - RealSecure Server Sensor 7.0 XPU 22.11 and prior - RealSecure Server Sensor 6.5 for Windows SR 3.10 and prior - Proventia A Series XPU 22.11 and prior - Proventia G Series XPU 22.11 and prior - Proventia M Series XPU 1.9 and prior - RealSecure Desktop 7.0 ebl and prior - RealSecure Desktop 3.6 ecf and prior - RealSecure Guard 3.6 ecf and prior - RealSecure Sentry 3.6 ecf and prior - BlackICE Agent for Server 3.6 ecf and prior - BlackICE PC Protection 3.6 ccf and prior - BlackICE Server Protection 3.6 ccf and prior - --- -Attack Scenarios: -An attacker may send specially crafted packets to a vulnerable system to -cause the overflow condition to occur. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. 
- -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/2446.txt snort-2.9.2/doc/signatures/2446.txt --- snort-2.8.5.2/doc/signatures/2446.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2446.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,82 +0,0 @@ -Rule: - --- -Sid: -2446 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in multiple versions of Internet Security Systems software. - --- -Impact: -Serious. Execution of arbitrary code is possible leading to unauthorized -access to the affected host. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in the way that multiple ISS products parse ICQ -messages. This can lead to execution of arbitrary code on hosts using -the affected products. - -Due to insufficient bounds checking when ISS products parse protocol -fields in ICQ SRV_META_USER data, a buffer overflow condition can be -exploited to give an attacker the opportunity to execute arbitrary code -and gain unauthorized administrative access to the host. - -It is possible that this condition can be exploited without the need for -an established and valid ICQ session. The attacker could create packets -originating from a host on port 4000 and send specially crafted data to -exploit the condition. - --- -Affected Systems: - RealSecure Network 7.0, XPU 22.11 and prior - RealSecure Server Sensor 7.0 XPU 22.11 and prior - RealSecure Server Sensor 6.5 for Windows SR 3.10 and prior - Proventia A Series XPU 22.11 and prior - Proventia G Series XPU 22.11 and prior - Proventia M Series XPU 1.9 and prior - RealSecure Desktop 7.0 ebl and prior - RealSecure Desktop 3.6 ecf and prior - RealSecure Guard 3.6 ecf and prior - RealSecure Sentry 3.6 ecf and prior - BlackICE Agent for Server 3.6 ecf and prior - BlackICE PC Protection 3.6 ccf and prior - BlackICE Server Protection 3.6 ccf and prior - --- -Attack Scenarios: -An attacker may send specially crafted packets to a vulnerable system to -cause the overflow condition to occur. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. 
- -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/2447.txt snort-2.9.2/doc/signatures/2447.txt --- snort-2.8.5.2/doc/signatures/2447.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2447.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2447 - --- -Summary: -This event is generated when an attempt is made to access the servlet -administration scripts on a Novell Groupwise servlet server. - --- -Impact: -Possible unauthorized administrative access to the server. - --- -Detailed Information: -This event is generated when an attempt is made to access the servlet -administration scripts on a Novell Groupwise servlet server located in /servlet/ServletManager. - -The default installation has a known username and password for -administration of the server. - --- -Affected Systems: - Novell Groupwise 6.0 - Novell Groupwise Enhancement Pack 5.5 - --- -Attack Scenarios: -The attacker might login to the application using the default username -and password gaining administrative access to the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2448.txt snort-2.9.2/doc/signatures/2448.txt --- snort-2.8.5.2/doc/signatures/2448.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2448.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: -2448 - --- -Summary: -This event is generated when an attempt is made to access the file -setinfo.hts on a machine using HP Web JetAdmin. --- -Impact: -Remote execution of arbitrary code. - --- -Detailed Information: -HP Web JetAdmin is software used to remotely manage HP networked -peripheral devices. It may also be used to manage non-HP products also. -It may be possible for a remote user to execute code of their choosing -using the web interface. - -This is due to insufficient checking of user supplied input in the file -setinfo.hts. - --- -Affected Systems: - HP Web JetAdmin 7.5 - --- -Attack Scenarios: -An attacker can supply any code of their choosing directly to the script -in question and manipulate any device being managed by the software. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References - --- diff -Nru snort-2.8.5.2/doc/signatures/2449.txt snort-2.9.2/doc/signatures/2449.txt --- snort-2.8.5.2/doc/signatures/2449.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2449.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: -2449 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overflow vulnerability associated with Ipswitch WS FTP ALLO command. - --- -Impact: -Remote access. A successful attack may permit the remote execution of -arbitrary commands with system privileges. A Denial of Service (DoS) -attack may also be possible. - --- -Detailed Information: -Ipswitch WS FTP is an FTP server. A vulnerability exists with the ALLO -command that can cause a buffer overflow and permit the execution of -arbitrary commands with system privileges. The buffer overflow can be -caused by supplying an overly long argument to the ALLO command. - --- -Affected Systems: - Ipswitch WS FTP Server 1.0.1 through 1.0.5, 2.0 through 2.0.4, - 3.0 1, 3.0, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.4, 4.0 2, 4.0 1 and 4.0 - Ipswitch WS_FTP Pro 6.0, 7.5, 8.0 3, 8.0 2 - --- -Attack Scenarios: -An attacker can use one of the publicly available exploit scripts to -cause the overflow to occur. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - -Use scp as an alternative to ftp - -Disallow ftp access to internal resources from external sources - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/244.txt snort-2.9.2/doc/signatures/244.txt --- snort-2.8.5.2/doc/signatures/244.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/244.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,57 +0,0 @@ -Rule: --- -Sid: -244 - --- -Summary: -This event is generated when a DDoS mstream handler directs an mstream agent to begin an attack against a specified target. - --- -Impactn: -Severe. If the listed source IP is in your network, it may be an mstream handler. If the listed destination IP is in your network, it may be an mstream agent. - --- -Detailed Information: -The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack.  There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack.  A handler can direct a particular agent to attack a target. It directs the agent by sending it a UDP packet to destination port 10498 with a string of "stream/" in the payload. The target IP and duration of the attack will also be included in the payload. - --- -Affected Systems: -Any mstream compromised host. - --- -Attack Scenarios: -After a host becomes an mstream agent, it will likely be directed to participate in a DDoS attack. --- -Ease of Attack: -Simple. mstream code is freely available. - --- -False Positives: -None Known. - --- -False Negatives: -There are other known handler-to-agent ports in addition to 10498. - --- -Corrective Action: -Perform proper forensic analysis on the suspected compromised host to discover the means of compromise. - -Rebuild a confirmed compromised host. - -Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Judy Novak - --- -Additional References: - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138 - --- diff -Nru snort-2.8.5.2/doc/signatures/2450.txt snort-2.9.2/doc/signatures/2450.txt --- snort-2.8.5.2/doc/signatures/2450.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2450.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,52 +0,0 @@ -Rule: - --- -Sid: -2450 - --- -Summary: -This event is generated when a user in your network has successfully logged into Yahoo Instant Messenger. - --- -Impact: -Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments. - --- -Detailed Information: -A user must successfully logon to an Yahoo Instant Messenger server before participating in any exchanges, such sending or receiving messages, files, or webcams, or chatting by voice. Many of these activities are not appropriate in a corporate environment. Also, the exchanges are transacted via Yahoo IM servers so there is no assurance of privacy. - --- -Affected Systems: -Any host running Yahoo Instant Messenger. - --- -Attack Scenarios: -Once logged in, a Yahoo IM user may unwittingly accept a malicious file that may contain a worm, virus, Trojan, or backdoor to name a few. - --- -Ease of Attack: -Easy. - --- -False Positives: -None Known. - --- -False Negatives: -It may be possible for Yahoo IM traffic to use other ports than the default expected ones. - --- -Corrective Action: -Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients. - --- -Contributors: -Sourcefire Research Team -Judy Novak --- -Additional References: -Yahoo Protocol -http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm - --- diff -Nru snort-2.8.5.2/doc/signatures/2451.txt snort-2.9.2/doc/signatures/2451.txt --- snort-2.8.5.2/doc/signatures/2451.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2451.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,52 +0,0 @@ -Rule: - --- -Sid: -2451 - --- -Summary: -This event is generated when a user in your network has successfully registered with a Yahoo Instant Messenger server to receive voice chat messages or is receiving voice chat messages. - --- -Impact: -Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments. - --- -Detailed Information: -Yahoo IM voice chat allows IM users to exchange audio messages. This activity may not be appropriate in a corporate environment. - --- -Affected Systems: -Any host running Yahoo Instant Messenger. - --- -Attack Scenarios: -This particular type of Yahoo IM exchange has no known attacks, however it may represent a policy violation because the host is running Yahoo IM. - --- -Ease of Attack: -Easy to exchange voice messages. - --- -False Positives: -None Known. - --- -False Negatives: -It may be possible for Yahoo IM traffic to use other ports than the default expected ones. - --- -Corrective Action: -Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients. - --- -Contributors: -Sourcefire Research Team -Judy Novak --- -Additional References: -Yahoo Protocol -http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm - --- diff -Nru snort-2.8.5.2/doc/signatures/2452.txt snort-2.9.2/doc/signatures/2452.txt --- snort-2.8.5.2/doc/signatures/2452.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2452.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,52 +0,0 @@ -Rule: - --- -Sid: -2452 - --- -Summary: -This event is generated when a host in your network that has Yahoo Instant Messenger running attempts to maintain contact with a Yahoo IM server. - --- -Impact: -Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments. - --- -Detailed Information: -Hosts running Yahoo IM periodically communicate with a Yahoo IM server to maintain their connection. This is a keep-alive message that simply indicates the presences of a host running Yahoo IM. - --- -Affected Systems: -Any host running Yahoo Instant Messenger. - --- -Attack Scenarios: -This particular type of Yahoo IM exchange has no known attacks, however it may represent a policy violation because the host is running Yahoo IM. - --- -Ease of Attack: -A host running Yahoo IM will automatically ping a Yahoo IM server. - --- -False Positives: -None Known. - --- -False Negatives: -It may be possible for Yahoo IM traffic to use other ports than the default expected ones. - --- -Corrective Action: -Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients. - --- -Contributors: -Sourcefire Research Team -Judy Novak --- -Additional References: -Yahoo Protocol -http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm - --- diff -Nru snort-2.8.5.2/doc/signatures/2453.txt snort-2.9.2/doc/signatures/2453.txt --- snort-2.8.5.2/doc/signatures/2453.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2453.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,52 +0,0 @@ -Rule: - --- -Sid: -2453 - --- -Summary: -This event is generated when a host in your network that has Yahoo Instant Messenger running is invited to participate in a Yahoo conference. - --- -Impact: -Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments. - --- -Detailed Information: -A Yahoo IM conference allows multiple users to participate in the exchange of text and voice messages, as well as share files and webcams. It is possible that a file that is exchanged may contain malicious code such as as virus, worm, Trojan, or backdoor. Also, since all exchanges are done via Yahoo IM servers and in clear text, there should be no expectation of privacy. - --- -Affected Systems: -Any host running Yahoo Instant Messenger. - --- -Attack Scenarios: -A Yahoo IM user may unwittingly accept a malicious file. - --- -Ease of Attack: -Easy to transfer a malicious file. - --- -False Positives: -None Known. - --- -False Negatives: -It may be possible for Yahoo IM traffic to use other ports than the default expected ones. - --- -Corrective Action: -Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients. - --- -Contributors: -Sourcefire Research Team -Judy Novak --- -Additional References: -Yahoo Protocol -http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm - --- diff -Nru snort-2.8.5.2/doc/signatures/2454.txt snort-2.9.2/doc/signatures/2454.txt --- snort-2.8.5.2/doc/signatures/2454.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2454.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,52 +0,0 @@ -Rule: - --- -Sid: -2454 - --- -Summary: -This event is generated when a host in your network that has Yahoo Instant Messenger running has successfully logged on to a Yahoo IM conference. - --- -Impact: -Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments. - --- -Detailed Information: -A Yahoo IM conference allows multiple users to participate in the exchange of text and voice messages, as well as share files and webcams. It is possible that a file that is exchanged may contain malicious code such as as virus, worm, Trojan, or backdoor. Also, since all exchanges are done via Yahoo IM servers and in clear text, there should be no expectation of privacy. - --- -Affected Systems: -Any host running Yahoo Instant Messenger. - --- -Attack Scenarios: -A Yahoo IM user may unwittingly accept a malicious file. - --- -Ease of Attack: -Easy to transfer a malicious file. - --- -False Positives: -None Known. - --- -False Negatives: -It may be possible for Yahoo IM traffic to use other ports than the default expected ones. - --- -Corrective Action: -Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients. - --- -Contributors: -Sourcefire Research Team -Judy Novak --- -Additional References: -Yahoo Protocol -http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm - --- diff -Nru snort-2.8.5.2/doc/signatures/2455.txt snort-2.9.2/doc/signatures/2455.txt --- snort-2.8.5.2/doc/signatures/2455.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2455.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,52 +0,0 @@ -Rule: - --- -Sid: -2455 - --- -Summary: -This event is generated when a host in your network that has Yahoo Instant Messenger running has sent a message to a Yahoo IM conference. - --- -Impact: -Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments. - --- -Detailed Information: -A Yahoo IM conference allows multiple users to participate in the exchange of text and voice messages, as well as share files and webcams. It is possible that a file that is exchanged may contain malicious code such as as virus, worm, Trojan, or backdoor. Also, since all exchanges are done via Yahoo IM servers and in clear text, there should be no expectation of privacy. - --- -Affected Systems: -Any host running Yahoo Instant Messenger. - --- -Attack Scenarios: -A Yahoo IM user may unwittingly accept a malicious file. - --- -Ease of Attack: -Easy to transfer a malicious file. - --- -False Positives: -None Known. - --- -False Negatives: -It may be possible for Yahoo IM traffic to use other ports than the default expected ones. - --- -Corrective Action: -Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients. - --- -Contributors: -Sourcefire Research Team -Judy Novak --- -Additional References: -Yahoo Protocol -http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm - --- diff -Nru snort-2.8.5.2/doc/signatures/2456.txt snort-2.9.2/doc/signatures/2456.txt --- snort-2.8.5.2/doc/signatures/2456.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2456.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,52 +0,0 @@ -Rule: - --- -Sid: -2456 - --- -Summary: -This event is generated when a host in your network that has Yahoo Instant Messenger running attempts to send a file to another Yahoo IM user. - --- -Impact: -Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments. - --- -Detailed Information: -It is possible that a file that is exchanged may contain malicious code such as as virus, worm, Trojan, or backdoor. Also, since all exchanges are done via Yahoo IM servers and in clear text, there should be no expectation of privacy. This may also provide a less scrutinized means of sharing unauthorized or inappropriate files with others. - --- -Affected Systems: -Any host running Yahoo Instant Messenger. - --- -Attack Scenarios: -A Yahoo IM user may unwittingly accept a malicious file. - --- -Ease of Attack: -Easy to transfer a malicious file. - --- -False Positives: -None Known. - --- -False Negatives: -It may be possible for Yahoo IM traffic to use other ports than the default expected ones. - --- -Corrective Action: -Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients. - --- -Contributors: -Sourcefire Research Team -Judy Novak --- -Additional References: -Yahoo Protocol -http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm - --- diff -Nru snort-2.8.5.2/doc/signatures/2457.txt snort-2.9.2/doc/signatures/2457.txt --- snort-2.8.5.2/doc/signatures/2457.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2457.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,48 +0,0 @@ -Rule: - --- -Sid: -2457 - --- -Summary: -This event is generated when a host in your network that has Yahoo Instant Messenger sends or receives a Yahoo Instant Messenger message. - --- -Impact: -Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments. - --- -Detailed Information: -Yahoo IM provides a means of allowing an interactive message exchange between user. While there are no known exploits associated with exchanging messages, this type of activity may not be appropriate in certain network environments. Also, since all exchanges are done via Yahoo IM servers and in clear text, there should be no expectation of privacy. - --- -Affected Systems: -Any host running Yahoo Instant Messenger. - --- -Attack Scenarios: -No known attacks. - --- -Ease of Attack: -No known attacks. - --- -False Positives: -None Known. - --- -False Negatives: -It may be possible for Yahoo IM traffic to use other ports than the default expected ones. - --- -Corrective Action: -Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- diff -Nru snort-2.8.5.2/doc/signatures/2458.txt snort-2.9.2/doc/signatures/2458.txt --- snort-2.8.5.2/doc/signatures/2458.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2458.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,52 +0,0 @@ -Rule: - --- -Sid: -2458 - --- -Summary: -This event is generated when a host in your network that has Yahoo Instant Messenger running has joined a chat room or is examining chat rooms to join. - --- -Impact: -Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments. - --- -Detailed Information: -Yahoo IM provides a means of allowing users who share similar interests to join a chat room and exchange messages. While there are no known exploits associated with exchanging messages, this type of activity may not be appropriate in certain network environments. - --- -Affected Systems: -Any host running Yahoo Instant Messenger. - --- -Attack Scenarios: -No known attacks. - --- -Ease of Attack: -No known attacks. - --- -False Positives: -None Known. - --- -False Negatives: -It may be possible for Yahoo IM traffic to use other ports than the default expected ones. - --- -Corrective Action: -Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients. - --- -Contributors: -Sourcefire Research Team -Judy Novak --- -Additional References: -Yahoo Protocol -http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm - --- diff -Nru snort-2.8.5.2/doc/signatures/2459.txt snort-2.9.2/doc/signatures/2459.txt --- snort-2.8.5.2/doc/signatures/2459.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2459.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,52 +0,0 @@ -Rule: - --- -Sid: -2459 - --- -Summary: -This event is generated when a host in your network that has Yahoo Instant Messenger running starts a webcam or sends an invitation to view a webcam to another Yahoo IM user. - --- -Impact: -Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments. - --- -Detailed Information: -This event indicates that a Yahoo IM user in your network is sending a notification that he or she is starting a webcam or offering an invitation to view the webcam. While there are no known exploits associated with showing or viewing webcams, it is possible that this activity is inappropriate in certain environments. - --- -Affected Systems: -Any host running Yahoo Instant Messenger. - --- -Attack Scenarios: -No know attack scenarios. - --- -Ease of Attack: -No know attack scenarios. - --- -False Positives: -None Known. - --- -False Negatives: -It may be possible for Yahoo IM traffic to use other ports than the default expected ones. - --- -Corrective Action: -Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients. - --- -Contributors: -Sourcefire Research Team -Judy Novak --- -Additional References: -Yahoo Protocol -http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm - --- diff -Nru snort-2.8.5.2/doc/signatures/245.txt snort-2.9.2/doc/signatures/245.txt --- snort-2.8.5.2/doc/signatures/245.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/245.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,58 +0,0 @@ -Rule: --- -Sid: -245 - --- -Summary: -This event is generated when an mstream handler attempts to identify active agents. - --- -Impact: -Severe. If the listed source IP is in your network, it may be an mstream handler. If the listed destination IP is in your network, it may be an mstream agent. - --- -Detailed Information: -The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack. A handler can probe to see if an agent is active by sending it a UDP packet to destination port 10498 with a string of "ping" in the payload. - --- -Affected Systems: -Any mstream compromised host. - --- -Attack Scenarios: -A mstream handler may probe to see if an agent is active. - --- -Ease of Attack: -Simple. mstream code is freely available. - --- -False Positives: -None Known. - --- -False Negatives: -There are other known handler-to-agent ports in addition to 10498. - --- -Corrective Action: -Perform proper forensic analysis on the suspected compromised host to discover the means of compromise. - -Rebuild a confirmed compromised host. - -Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Judy Novak - --- -Additional References: - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138 - --- diff -Nru snort-2.8.5.2/doc/signatures/2460.txt snort-2.9.2/doc/signatures/2460.txt --- snort-2.8.5.2/doc/signatures/2460.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2460.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -2460 - --- -Summary: -This event is generated when a host in your network that has Yahoo -Instant Messenger running requests to view a webcam listen to an audio -message of another Yahoo IM user. - --- -Impact: -Possible policy violation. Instant Messenger programs may not be -appropriate in certain network environments. - --- -Detailed Information: -This event indicates that a Yahoo IM user in your network is requesting -to view a webcam or listen to an audio message of another Yahoo IM user. -While there are no known exploits associated with showing or viewing -webcams, it is possible that this activity is inappropriate in certain -environments. - --- -Affected Systems: -Any host running Yahoo Instant Messenger. - --- -Attack Scenarios: -No known attack scenarios. - --- -Ease of Attack: -No known attack scenarios. - --- -False Positives: -None Known. - --- -False Negatives: -It may be possible for Yahoo IM traffic to use other ports than the -default expected ones. - --- -Corrective Action: -Disallow the use of IM clients on the protected network and enforce or -implement an organization wide policy on the use of IM clients. - --- -Contributors: -Sourcefire Research Team -Judy Novak --- -Additional References: -Yahoo Protocol -http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm - --- diff -Nru snort-2.8.5.2/doc/signatures/2461.txt snort-2.9.2/doc/signatures/2461.txt --- snort-2.8.5.2/doc/signatures/2461.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2461.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -2461 - --- -Summary: -This event is generated when a user on a host in your network that is -running Yahoo Instant Messenger is viewing a webcam or listening to an -audio message of another Yahoo IM user. - --- -Impact: -Possible policy violation. Instant Messenger programs may not be -appropriate in certain network environments. - --- -Detailed Information: -This event indicates that a Yahoo IM user in your network is requesting -to view a webcam of another Yahoo IM user. While there are no known -exploits associated with showing or viewing webcams, or listening to -audio messages. it is possible that this activity is inappropriate in -certain environments. - --- -Affected Systems: -Any host running Yahoo Instant Messenger. - --- -Attack Scenarios: -No known attack scenarios. - --- -Ease of Attack: -No known attack scenarios. - --- -False Positives: -None Known. - --- -False Negatives: -It may be possible for Yahoo IM traffic to use other ports than the -default expected ones. - --- -Corrective Action: -Disallow the use of IM clients on the protected network and enforce or -implement an organization wide policy on the use of IM clients. - --- -Contributors: -Sourcefire Research Team -Judy Novak --- -Additional References: -Yahoo Protocol -http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm - --- diff -Nru snort-2.8.5.2/doc/signatures/2462.txt snort-2.9.2/doc/signatures/2462.txt --- snort-2.8.5.2/doc/signatures/2462.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2462.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,71 +0,0 @@ -Rule: -alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP account -overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; -byte_test:1,>,16,12; reference:cve,CAN-2004-0176; reference:bugtraq,9952; -classtype:attempted-admin; sid:2462; rev:1;) - --- -Sid: -2462 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with the Ethereal decode of the Internet Group membership Authentication -Protocol (IGAP). - --- -Impact: -A successful attack may allow the execution of arbitrary code as root or -LOCAL_SYSTEM privilege on a vulnerable host. - --- -Detailed Information: -There is a vulnerability associated with particular versions of Ethereal that -may cause a buffer overflow when a malformed IGAP packet is decoded using Ethereal -or tethereal. This may permit the execution of arbitrary code with root or -LOCAL_SYSTEM privilege. The buffer overflow occurs when a larger than expected -User Account Size value is discovered in the IGAP payload. - --- -Affected Systems: -Any host running Ethereal/tethereal versions 0.10.0 - 0.10.2. - --- -Attack Scenarios: -An attacker can create and send a malformed IGAP packet, and if decoded by -a vulnerable version of Ethereal/tethereal, can cause a buffer overflow and the -subsequent execution of arbitrary code. - --- -Ease of Attack: -Simple. Exploit code is available. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Update to version 0.10.3 of Ethereal. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Judy Novak - --- -Additional References - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0176 - -Bugtraq: -http://www.securityfocus.com/bid/9952: - --- diff -Nru snort-2.8.5.2/doc/signatures/2463.txt snort-2.9.2/doc/signatures/2463.txt --- snort-2.8.5.2/doc/signatures/2463.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2463.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: -alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP message -overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; -byte_test:1,>,64,13; reference:cve,CAN-2004-0176; reference:bugtraq,9952; -classtype:attempted-admin; sid:2463; rev:1;) - --- -Sid: -2463 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with the Ethereal decode of the Internet Group membership Authentication -Protocol (IGAP). - --- -Impact: -A successful attack may allow the execution of arbitrary code as root or -LOCAL_SYSTEM privilege on a vulnerable host. - --- -Detailed Information: -There is a vulnerability associated with particular versions of Ethereal that -may cause a buffer overflow when a malformed IGAP packet is decoded using Ethereal -or tethereal. This may permit the execution of arbitrary code with root or -LOCAL_SYSTEM privilege. The buffer overflow occurs when a larger than expected -Message Size value is discovered in the IGAP payload. - --- -Affected Systems: -Any host running Ethereal/tethereal versions 0.10.0 - 0.10.2. - --- -Attack Scenarios: -An attacker can create and send a malformed IGAP packet, and if decoded by -a vulnerable version of Ethereal/tethereal, can cause a buffer overflow and the -subsequent execution of arbitrary code. - --- -Ease of Attack: -Simple. Exploit code is available. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Update to version 0.10.3 of Ethereal. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0176 - -Bugtraq: -http://www.securityfocus.com/bid/9952: - --- diff -Nru snort-2.8.5.2/doc/signatures/2464.txt snort-2.9.2/doc/signatures/2464.txt --- snort-2.8.5.2/doc/signatures/2464.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2464.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: -alert ip any any -> any any (msg:"EXPLOIT EIGRP prefix length overflow attempt"; -ip_proto:88; byte_test:1,>,32,44; reference:cve,CAN-2004-0176; -reference:bugtraq,9952; classtype:attempted-admin; sid:2464; rev:1;) - --- -Sid: -2464 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with the Ethereal decode of the Enhanced Interior Gateway Routing Protocol -(EIGRP). - --- -Impact: -A successful attack may allow the execution of arbitrary code as root or -LOCAL_SYSTEM privilege on a vulnerable host. - --- -Detailed Information: -There is a vulnerability associated with particular versions of Ethereal that -may cause a buffer overflow when a malformed EIGRP packet is decoded. This -may permit the execution of arbitrary code with root or LOCAL_SYSTEM privilege. -The buffer overflow occurs when a larger than expected packet length value is -discovered in the EIGRP payload. - --- -Affected Systems: -Any host running Ethereal versions 0.8.14 through 0.10.2. - --- -Attack Scenarios: -An attacker can create and send a malformed EIGRP packet, and if decoded by -a vulnerable version of Ethereal, can cause a buffer overflow and the -subsequent execution of arbitrary code. - --- -Ease of Attack: -Simple. Exploit code is available. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Update to version 0.10.3 of Ethereal. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Judy Novak - --- -Additional References - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0176 - -Bugtraq: -http://www.securityfocus.com/bid/9952 - --- diff -Nru snort-2.8.5.2/doc/signatures/2465.txt snort-2.9.2/doc/signatures/2465.txt --- snort-2.8.5.2/doc/signatures/2465.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2465.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2465 - --- -Summary: -This event is generated when an attempt is made to gain access to -private resources using Samba. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server. - --- -Detailed Information: -This event is generated when an attempt is made to use Samba to gain -access to private or administrative shares on a host. - --- -Affected Systems: - All systems using Samba for file sharing. - All systems using file and print sharing for Windows. - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -direct access to Windows adminsitrative shares. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2466.txt snort-2.9.2/doc/signatures/2466.txt --- snort-2.8.5.2/doc/signatures/2466.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2466.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2466 - --- -Summary: -This event is generated when an attempt is made to gain access to -private resources using Samba. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server. - --- -Detailed Information: -This event is generated when an attempt is made to use Samba to gain -access to private or administrative shares on a host. - --- -Affected Systems: - All systems using Samba for file sharing. - All systems using file and print sharing for Windows. - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -direct access to Windows adminsitrative shares. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2467.txt snort-2.9.2/doc/signatures/2467.txt --- snort-2.8.5.2/doc/signatures/2467.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2467.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2467 - --- -Summary: -This event is generated when an attempt is made to gain access to -private resources using Samba. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server. - --- -Detailed Information: -This event is generated when an attempt is made to use Samba to gain -access to private or administrative shares on a host. - --- -Affected Systems: - All systems using Samba for file sharing. - All systems using file and print sharing for Windows. - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -direct access to Windows adminsitrative shares. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2468.txt snort-2.9.2/doc/signatures/2468.txt --- snort-2.8.5.2/doc/signatures/2468.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2468.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2468 - --- -Summary: -This event is generated when an attempt is made to gain access to -private resources using Samba. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server. - --- -Detailed Information: -This event is generated when an attempt is made to use Samba to gain -access to private or administrative shares on a host. - --- -Affected Systems: - All systems using Samba for file sharing. - All systems using file and print sharing for Windows. - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -direct access to Windows adminsitrative shares. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2469.txt snort-2.9.2/doc/signatures/2469.txt --- snort-2.8.5.2/doc/signatures/2469.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2469.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2469 - --- -Summary: -This event is generated when an attempt is made to gain access to -private resources using Samba. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server. - --- -Detailed Information: -This event is generated when an attempt is made to use Samba to gain -access to private or administrative shares on a host. - --- -Affected Systems: - All systems using Samba for file sharing. - All systems using file and print sharing for Windows. - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -direct access to Windows adminsitrative shares. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/246.txt snort-2.9.2/doc/signatures/246.txt --- snort-2.8.5.2/doc/signatures/246.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/246.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: --- -Sid: -246 - --- -Summary: -This event is generated when an mstream agent responds to an mstream handler's "ping" request. - --- -Impact: -Severe. If the listed source IP is in your network, it may be an mstream agent. If the listed destination IP is in your network, it may be an mstream agent. - --- -Detailed Information: -The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack. A handler can probe to see if an agent is active by sending it a UDP packet to destination port 10498 with a string of "ping" in the payload. An active agent will reply with a UDP packet to destination port 6838 with a string of "pong" in payload. - --- -Affected Systems: -Any mstream compromised host. - --- -Attack Scenarios: -A mstream agent may respond with a "pong" to a "ping" request from a handler. - --- -Ease of Attack: -Simple. mstream code is freely available. - --- -False Positives: -None Known. - --- -False Negatives: -There are other known agent-to-handler ports in addition to 6838. - --- -Corrective Action: -Perform proper forensic analysis on the suspected compromised host to discover the means of compromise. - -Rebuild a confirmed compromised host. - -Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised. 
- --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Judy Novak - --- -Additional References: -NAI: -http://vil.nai.com/vil/content/v_98662.htm -SecurityFocus: -http://www.securityfocus.com/archive/82/58040 -CERT: -http://www.cert.org/incident_notes/IN-2000-05.html - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138 - --- diff -Nru snort-2.8.5.2/doc/signatures/2470.txt snort-2.9.2/doc/signatures/2470.txt --- snort-2.8.5.2/doc/signatures/2470.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2470.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2470 - --- -Summary: -This event is generated when an attempt is made to access the C$ default -administrative share of a Windows host. - --- -Impact: -Serious. Possible administrator access to the host. Information -disclosure. - --- -Detailed Information: -By default, Windows hosts have default administrative shares of the -local hard drives using the format %DRIVE_LETTER% + $. Anybody with -administrative rights can remotely access the share. - --- -Affected Systems: - Windows hosts. - --- -Attack Scenarios: -An attacker may be attempting to access files located on the C drive of -the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disallow Netbios access from external networks (tcp port 139). - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Josh Sakofsky - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS339 - -Microsoft: -http://support.microsoft.com/default.aspx?scid=kb;en-us;100517 - --- diff -Nru snort-2.8.5.2/doc/signatures/2471.txt snort-2.9.2/doc/signatures/2471.txt --- snort-2.8.5.2/doc/signatures/2471.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2471.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2471 - --- -Summary: -This event is generated when an attempt is made to access the C$ default -administrative share of a Windows host. - --- -Impact: -Serious. Possible administrator access to the host. Information -disclosure. - --- -Detailed Information: -By default, Windows hosts have default administrative shares of the -local hard drives using the format %DRIVE_LETTER% + $. Anybody with -administrative rights can remotely access the share. - --- -Affected Systems: - Windows hosts. - --- -Attack Scenarios: -An attacker may be attempting to access files located on the C drive of -the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disallow Netbios access from external networks (tcp port 139). - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Josh Sakofsky - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS339 - -Microsoft: -http://support.microsoft.com/default.aspx?scid=kb;en-us;100517 - --- diff -Nru snort-2.8.5.2/doc/signatures/2472.txt snort-2.9.2/doc/signatures/2472.txt --- snort-2.8.5.2/doc/signatures/2472.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2472.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2472 - --- -Summary: -This event is generated when an attempt is made to access the C$ default -administrative share of a Windows host. - --- -Impact: -Serious. Possible administrator access to the host. Information -disclosure. - --- -Detailed Information: -By default, Windows hosts have default administrative shares of the -local hard drives using the format %DRIVE_LETTER% + $. Anybody with -administrative rights can remotely access the share. - --- -Affected Systems: - Windows hosts. - --- -Attack Scenarios: -An attacker may be attempting to access files located on the C drive of -the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disallow Netbios access from external networks (tcp port 139). - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Josh Sakofsky - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS339 - -Microsoft: -http://support.microsoft.com/default.aspx?scid=kb;en-us;100517 - --- diff -Nru snort-2.8.5.2/doc/signatures/2473.txt snort-2.9.2/doc/signatures/2473.txt --- snort-2.8.5.2/doc/signatures/2473.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2473.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2473 - --- -Summary: -This event is generated when an attempt is made to access the ADMIN$ -administrative share of a Windows host. - --- -Impact: -Serious. Possible administrator access to the host. Information -disclosure. - --- -Detailed Information: -By default, Windows hosts have default administrative shares of the -local hard drives using the format %DRIVE_LETTER% + $. Anybody with -administrative rights can remotely access the share. - --- -Affected Systems: - Windows hosts. - --- -Attack Scenarios: -An attacker may be attempting to access files located on the C drive of -the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disallow Netbios access from external networks (tcp port 139). - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Josh Sakofsky - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS339 - -Microsoft: -http://support.microsoft.com/default.aspx?scid=kb;en-us;100517 - --- diff -Nru snort-2.8.5.2/doc/signatures/2474.txt snort-2.9.2/doc/signatures/2474.txt --- snort-2.8.5.2/doc/signatures/2474.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2474.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2474 - --- -Summary: -This event is generated when an attempt is made to access the ADMIN$ -administrative share of a Windows host. - --- -Impact: -Serious. Possible administrator access to the host. Information -disclosure. - --- -Detailed Information: -By default, Windows hosts have default administrative shares of the -local hard drives using the format %DRIVE_LETTER% + $. Anybody with -administrative rights can remotely access the share. - --- -Affected Systems: - Windows hosts. - --- -Attack Scenarios: -An attacker may be attempting to access files located on the C drive of -the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disallow Netbios access from external networks (tcp port 139). - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Josh Sakofsky - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS339 - -Microsoft: -http://support.microsoft.com/default.aspx?scid=kb;en-us;100517 - --- diff -Nru snort-2.8.5.2/doc/signatures/2475.txt snort-2.9.2/doc/signatures/2475.txt --- snort-2.8.5.2/doc/signatures/2475.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2475.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2475 - --- -Summary: -This event is generated when an attempt is made to access the ADMIN$ -administrative share of a Windows host. - --- -Impact: -Serious. Possible administrator access to the host. Information -disclosure. - --- -Detailed Information: -By default, Windows hosts have default administrative shares of the -local hard drives using the format %DRIVE_LETTER% + $. Anybody with -administrative rights can remotely access the share. - --- -Affected Systems: - Windows hosts. - --- -Attack Scenarios: -An attacker may be attempting to access files located on the C drive of -the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disallow Netbios access from external networks (tcp port 139). - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Josh Sakofsky - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS339 - -Microsoft: -http://support.microsoft.com/default.aspx?scid=kb;en-us;100517 - --- diff -Nru snort-2.8.5.2/doc/signatures/2476.txt snort-2.9.2/doc/signatures/2476.txt --- snort-2.8.5.2/doc/signatures/2476.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2476.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -2476 - --- -Summary: -This event is generated when an attempt is made to create an AndX entry -via SMB. - --- -Impact: -Unknown. - --- -Detailed Information: -This event is generated when an attempt is made to create an AndX entry -via SMB. - --- -Affected Systems: - Windows systems - --- -Attack Scenarios: -An attacker may attempt to bind to the service to manipulate host -settings then create an entry in the winreg service. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: -Microsoft Technet -http://support.microsoft.com/support/kb/articles/q153/1/83.asp -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562 -Winreg -http://www.rutherfurd.net/python/winreg/ - --- diff -Nru snort-2.8.5.2/doc/signatures/2477.txt snort-2.9.2/doc/signatures/2477.txt --- snort-2.8.5.2/doc/signatures/2477.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2477.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -2477 - --- -Summary: -This event is generated when an attempt is made to create an AndX entry -via SMB. - --- -Impact: -Unknown. - --- -Detailed Information: -This event is generated when an attempt is made to create an AndX entry -via SMB. - --- -Affected Systems: - Windows systems - --- -Attack Scenarios: -An attacker may attempt to bind to the service to manipulate host -settings then create an entry in the winreg service. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: -Microsoft Technet -http://support.microsoft.com/support/kb/articles/q153/1/83.asp -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562 -Winreg -http://www.rutherfurd.net/python/winreg/ - --- diff -Nru snort-2.8.5.2/doc/signatures/2478.txt snort-2.9.2/doc/signatures/2478.txt --- snort-2.8.5.2/doc/signatures/2478.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2478.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -2478 - --- -Summary: -This event is generated when an attempt is made to bind to the winreg -service. - --- -Impact: -Unknown. - --- -Detailed Information: -This event is generated when an attempt is made to bind to the RPC -service for winreg. - --- -Affected Systems: - Windows systems - --- -Attack Scenarios: -An attacker may attempt to bind to the service to manipulate host -settings. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: -Microsoft Technet -http://support.microsoft.com/support/kb/articles/q153/1/83.asp -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562 -Winreg -http://www.rutherfurd.net/python/winreg/ - --- diff -Nru snort-2.8.5.2/doc/signatures/2479.txt snort-2.9.2/doc/signatures/2479.txt --- snort-2.8.5.2/doc/signatures/2479.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2479.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -2479 - --- -Summary: -This event is generated when an attempt is made to bind to the winreg -service. - --- -Impact: -Unknown. - --- -Detailed Information: -This event is generated when an attempt is made to bind to the RPC -service for winreg. - --- -Affected Systems: - Windows systems - --- -Attack Scenarios: -An attacker may attempt to bind to the service to manipulate host -settings. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: -Microsoft Technet -http://support.microsoft.com/support/kb/articles/q153/1/83.asp -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562 -Winreg -http://www.rutherfurd.net/python/winreg/ - --- diff -Nru snort-2.8.5.2/doc/signatures/247.txt snort-2.9.2/doc/signatures/247.txt --- snort-2.8.5.2/doc/signatures/247.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/247.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: -247 - --- -Summary: -This event is generated when an mstream DDoS client communicates with a handler. - --- -Impact: -Severe. If the listed source IP is in your network, it may be an mstream client. If the listed destination IP is in your network, it may be an mstream handler. - --- -Detailed Information: -The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. At the highest level, clients communicate with handlers to inform them to launch attacks. A client may communicate with a handler using a TCP packet to destination port 12754 with a string of ">" in the payload. - --- -Affected Systems: -Any mstream compromised host. - --- -Attack Scenarios: -After a host becomes an mstream client, it will attempt to communicate with handlers. - --- -Ease of Attack: -Simple. mstream code is freely available. - --- -False Positives: -None Known. - --- -False Negatives: -There are other known client-to-handler ports in addition to 12754. - --- -Corrective Action: -Perform proper forensic analysis on the suspected compromised host to discover the means of compromise. - -Rebuild a confirmed compromised host. - -Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Judy Novak - --- -Additional References: - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138 - --- diff -Nru snort-2.8.5.2/doc/signatures/2480.txt snort-2.9.2/doc/signatures/2480.txt --- snort-2.8.5.2/doc/signatures/2480.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2480.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2176 - - --- -Summary: -This event is generated when an attempt is made to shutdown a service via SMB. - --- -Impact: -Serious. - --- -Detailed Information: -This event indicates that an attempt was made to shutdown a service -on a system using SMB across the network. - --- -Affected Systems: - Microsoft Windows systems. - --- -Attack Scenarios: -An attacker may try to deny services to other users. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the host for signs of system compromise. - -Turn off file and print sharing on the target host. - -Use a packet filtering firewall to disallow SMB access to the host from -sources external to the protected network. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/2481.txt snort-2.9.2/doc/signatures/2481.txt --- snort-2.8.5.2/doc/signatures/2481.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2481.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2176 - - --- -Summary: -This event is generated when an attempt is made to shutdown a service via SMB. - --- -Impact: -Serious. - --- -Detailed Information: -This event indicates that an attempt was made to shutdown a service -on a system using SMB across the network. - --- -Affected Systems: - Microsoft Windows systems. - --- -Attack Scenarios: -An attacker may try to deny services to other users. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the host for signs of system compromise. - -Turn off file and print sharing on the target host. - -Use a packet filtering firewall to disallow SMB access to the host from -sources external to the protected network. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/2482.txt snort-2.9.2/doc/signatures/2482.txt --- snort-2.8.5.2/doc/signatures/2482.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2482.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2176 - - --- -Summary: -This event is generated when an attempt is made to shutdown a service via SMB. - --- -Impact: -Serious. - --- -Detailed Information: -This event indicates that an attempt was made to shutdown a service -on a system using SMB across the network. - --- -Affected Systems: - Microsoft Windows systems. - --- -Attack Scenarios: -An attacker may try to deny services to other users. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the host for signs of system compromise. - -Turn off file and print sharing on the target host. - -Use a packet filtering firewall to disallow SMB access to the host from -sources external to the protected network. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/2483.txt snort-2.9.2/doc/signatures/2483.txt --- snort-2.8.5.2/doc/signatures/2483.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2483.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2176 - - --- -Summary: -This event is generated when an attempt is made to shutdown a service via SMB. - --- -Impact: -Serious. - --- -Detailed Information: -This event indicates that an attempt was made to shutdown a service -on a system using SMB across the network. - --- -Affected Systems: - Microsoft Windows systems. - --- -Attack Scenarios: -An attacker may try to deny services to other users. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the host for signs of system compromise. - -Turn off file and print sharing on the target host. - -Use a packet filtering firewall to disallow SMB access to the host from -sources external to the protected network. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/2484.txt snort-2.9.2/doc/signatures/2484.txt --- snort-2.8.5.2/doc/signatures/2484.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2484.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,57 +0,0 @@ -Rule: --- -Sid: -2484 - --- -Summary: -This event is generated when a remote user attempts to access source.jsp -on a Tomcat web server. This may indicate an attempt to exploit a -directory traversal vulnerability. - --- -Impact: -Information gathering. - --- -Detailed Information: -This event may indicate an attempt to exploit a vulnerability in the -source.jsp script. An attacker can use directory traversal techniques -when accessing source.jsp to view hidden files and directories on the -web server with the access privileges of the server. - --- -Affected Systems: - Apache Tomcat on Novell Netware 6.0 - --- -Attack Scenarios: -An attacker can use directory traversal techniques when executing -source.jsp to view directories and files on the web server. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2485.txt snort-2.9.2/doc/signatures/2485.txt --- snort-2.8.5.2/doc/signatures/2485.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2485.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -2485 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with Norton Internet Security 2004 AntiSpam feature. - --- -Impact: -A successful attack may permit a buffer overflow that allows the -execution of arbitrary code in the context of LOCAL_SYSTEM. - --- -Detailed Information: -Norton Internet Security 2004 provides desktop security for Windows hosts. -A buffer overflow exists in a module associated with the AntiSpam feature of -Norton Internet Security. This is an ActiveX module that has been labeled -"safe for scripting" allowing it to be accessed and run via a client's -web browser on a host running a vulnerable version of Norton Internet -Security 2004. If an attacker can entice a user on a vulnerable host to -a malicious web server, it is possible to invoke the faulty ActiveX -component. This may cause a buffer overflow and the execution of arbitrary -code in the context of LOCAL_SYSTEM. - --- -Affected Systems: -Norton Internet Security 2004, Norton Internet Security Pro 2004 versions before 7.0.3.8 - --- -Attack Scenarios: -An attacker can entice a user on a vulnerable host to a malicious web -page and execute the faulty ActiveX component, possibly causing -a buffer overflow and the subsequent execution of arbitrary code on the -vulnerable host. - --- Ease of Attack: -Difficult unless exploit code becomes available. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Judy Novak - --- -Additional References - -Bugtraq: -http://security.focus.com/bid/9916 - --- diff -Nru snort-2.8.5.2/doc/signatures/2486.txt snort-2.9.2/doc/signatures/2486.txt --- snort-2.8.5.2/doc/signatures/2486.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2486.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Rule: -alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"DOS ISAKMP invalid -identification payload attempt"; content:"|05|"; offset:16; depth:1; -byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; -classtype:attempted-dos; sid:2486; rev:1;) - --- -Sid: -2486 - --- -Summary: -This event is generated when an attempt is made to exploit a denial of service -(DoS) associated with tcpdump decoding of an isakmp payload. - --- -Impact: -A successful attack may cause a DoS of the host running tcpdump. - --- -Detailed Information: -The tcpdump decode of an isakmp packet with an identification payload may be -susceptible to a DoS attack. This occurs because the code does not properly -convert the payload length field from network-to-host byte order. This may -cause tcpdump to crash when specific values are supplied to the payload length. - --- -Affected Systems: -Hosts running tcpdump versions 3.8.1 and earlier - --- -Attack Scenarios: -An attacker can create and send a malformed isakmp packet that may cause -a host running tcpdump and analyzing the packet to crash. - --- -Ease of Attack: -Simple. Exploit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References - -Bugtraq: -http://www.securityfocus.com/bid/10004 - --- diff -Nru snort-2.8.5.2/doc/signatures/2487.txt snort-2.9.2/doc/signatures/2487.txt --- snort-2.8.5.2/doc/signatures/2487.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2487.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Rule: --- - -Sid: -2487 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with winzip's processing of certain MIME archive files. - --- -Impact: -A successful attack may permit a buffer overflow that allows the execution -of arbitrary code at the privilege level of the user running winzip. - --- -Detailed Information: -Winzip is a program that is used for file compression on Windows hosts. -A buffer overflow exists when parsing specific header fields for certain -MIME file types. An overly long value passed to specific Content-Type attributes -may trigger the buffer overflow and allow the execution of arbitrary code -in the context of the user running winzip. - --- -Affected Systems: -Winzip 6.x, 7.x, 8.0, 8.1 SR-1, 8.1, Winzip 9.0 beta versions - --- -Attack Scenarios: -An attacker can entice a user to open a malformed MIME file that will -invoke winzip to process it, possibly causing a a buffer overflow -and the subsequent execution of arbitrary code on the vulnerable host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Judy Novak - --- -Additional References - -Bugtraq: -http://securityfocus.com/bid/9758 - --- diff -Nru snort-2.8.5.2/doc/signatures/2488.txt snort-2.9.2/doc/signatures/2488.txt --- snort-2.8.5.2/doc/signatures/2488.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2488.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -2488 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with winzip's processing of certain MIME archive files. - --- -Impact: -A successful attack may permit a buffer overflow that allows the execution -of arbitrary code at the privilege level of the user running winzip. - --- -Detailed Information: -Winzip is a program that is used for file compression on Windows hosts. -A buffer overflow exists when parsing specific header fields for certain -MIME file types. An overly long value passed to the Content-Disposition -name field may trigger the buffer overflow and allow the execution of -arbitrary code in the context of the user running winzip. - --- -Affected Systems: -Winzip 6.x, 7.x, 8.0, 8.1 SR-1, 8.1, Winzip 9.0 beta versions - --- -Attack Scenarios: -An attacker can entice a user to open a malformed MIME file that will -invoke winzip to process it, possibly causing a a buffer overflow -and the subsequent execution of arbitrary code on the vulnerable host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Judy Novak - --- -Additional References - -Bugtraq: -http://securityfocus.com/bid/9758 - --- diff -Nru snort-2.8.5.2/doc/signatures/2489.txt snort-2.9.2/doc/signatures/2489.txt --- snort-2.8.5.2/doc/signatures/2489.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2489.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -2489 - - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with eSignal software. - --- -Impact: -A successful attack may allow the execution of arbitrary code with -LOCAL_SYSTEM privilege on a vulnerable host. - --- -Detailed Information: -eSignal software provides real-time stock market data to client hosts. -There is a vulnerability associated with eSignal that may cause a buffer overflow, -permitting the execution of arbitrary code with the context of LOCAL_SYSTEM. -The buffer overflow occurs when a larger than expected data payload is supplied -for certain message exchanges. - --- -Affected Systems: -eSignal versions 7.5 and 7.6 - --- -Attack Scenarios: -An attacker can create and send a malformed eSignal message that may cause a buffer overflow and -allow the subsequent execution of arbitrary code with the context of LOCAL_SYSTEM. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References - -Bugtraq: -http://www.securityfocus.com/bid/9978 - --- diff -Nru snort-2.8.5.2/doc/signatures/248.txt snort-2.9.2/doc/signatures/248.txt --- snort-2.8.5.2/doc/signatures/248.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/248.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,57 +0,0 @@ -Rule: --- -Sid: -248 - --- -Summary: -This event is generated when an mstream DDoS handler responds to an mstream client. - --- -Impact: -Severe. If the list source IP is in your network, it may be an mstream handler. If the listed destination IP is in your network, it may be an mstream client. - --- -Detailed Information: -The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. At the highest level, clients communicate with handlers to inform them to launch attacks. A client may communicate with a handler using a TCP packet to destination port 12754 with a string of ">" in the payload. A handler responds to this with a TCP source port of 12754 and a string of ">" in the payload. - --- -Affected Systems: -Any mstream compromised host. - --- -Attack Scenarios: -An mstream handler may be respond to a communication from an mstream client. --- -Ease of Attack: -Simple. mstream code is freely available. - --- -False Positives: -None Known. - --- -False Negatives: -There are other known client-to-handler ports in addition to 12754. - --- -Corrective Action: -Perform proper forensic analysis on the suspected compromised host to discover the means of compromise. - -Rebuild a confirmed compromised host. - -Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Judy Novak - --- -Additional References: - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138 - --- diff -Nru snort-2.8.5.2/doc/signatures/2490.txt snort-2.9.2/doc/signatures/2490.txt --- snort-2.8.5.2/doc/signatures/2490.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2490.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -2490 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with eSignal software. - --- -Impact: -A successful attack may allow the execution of arbitrary code with -LOCAL_SYSTEM privilege on a vulnerable host. - --- -Detailed Information: -eSignal software provides real-time stock market data to client hosts. -There is a vulnerability associated with eSignal that may cause a buffer overflow, -permitting the execution of arbitrary code with the context of LOCAL_SYSTEM. -The buffer overflow occurs when a larger than expected data payload is supplied -for certain message exchanges. - --- -Affected Systems: -eSignal versions 7.5 and 7.6 - --- -Attack Scenarios: -An attacker can create and send a malformed eSignal message that may cause a buffer overflow and -allow the subsequent execution of arbitrary code with the context of LOCAL_SYSTEM. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References - -Bugtraq: -http://www.securityfocus.com/bid/9978 - --- diff -Nru snort-2.8.5.2/doc/signatures/2491.txt snort-2.9.2/doc/signatures/2491.txt --- snort-2.8.5.2/doc/signatures/2491.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2491.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,93 +0,0 @@ -Rule: - --- -Sid: -2491 - --- -Summary: -This rule no longer generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -This rule now uses flowbits and can be set to generate an event by -modifying the rule slightly to remove the "flowbits:no_alert;" option. -When traffic is detected that attempts to bind to the ISystemActivator -object in MS RPC DCOM communications this rule now activates sids 2351 -and 2352 to detect exploits against this service. Cool huh? - -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - -This vulnerability is also exploited by the Billy/Blaster worm. The worm -also uses the Trivial File Transfer Protocol (TFTP) to propagate. A -number of events generated by this rule may indicate worm activity. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. This is also exploited by a worm. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. 
- -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - -Block access to port 69 used by the worm to propogate. - -Block access to port 4444 used by the worm. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft: -http://www.microsoft.com/technet/security/bulletin/MS03-026.asp - -CVE: -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352 - -Symantec: -http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html - --- diff -Nru snort-2.8.5.2/doc/signatures/2492.txt snort-2.9.2/doc/signatures/2492.txt --- snort-2.8.5.2/doc/signatures/2492.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2492.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,93 +0,0 @@ -Rule: - --- -Sid: -2492 - --- -Summary: -This rule no longer generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -This rule now uses flowbits and can be set to generate an event by -modifying the rule slightly to remove the "flowbits:no_alert;" option. -When traffic is detected that attempts to bind to the ISystemActivator -object in MS RPC DCOM communications this rule now activates sids 2351 -and 2352 to detect exploits against this service. Cool huh? - -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - -This vulnerability is also exploited by the Billy/Blaster worm. The worm -also uses the Trivial File Transfer Protocol (TFTP) to propagate. A -number of events generated by this rule may indicate worm activity. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. This is also exploited by a worm. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. 
- -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - -Block access to port 69 used by the worm to propogate. - -Block access to port 4444 used by the worm. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft: -http://www.microsoft.com/technet/security/bulletin/MS03-026.asp - -CVE: -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352 - -Symantec: -http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html - --- diff -Nru snort-2.8.5.2/doc/signatures/2493.txt snort-2.9.2/doc/signatures/2493.txt --- snort-2.8.5.2/doc/signatures/2493.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2493.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,93 +0,0 @@ -Rule: - --- -Sid: -2493 - --- -Summary: -This rule no longer generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -This rule now uses flowbits and can be set to generate an event by -modifying the rule slightly to remove the "flowbits:no_alert;" option. -When traffic is detected that attempts to bind to the ISystemActivator -object in MS RPC DCOM communications this rule now activates sids 2351 -and 2352 to detect exploits against this service. Cool huh? - -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - -This vulnerability is also exploited by the Billy/Blaster worm. The worm -also uses the Trivial File Transfer Protocol (TFTP) to propagate. A -number of events generated by this rule may indicate worm activity. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. This is also exploited by a worm. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. 
- -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - -Block access to port 69 used by the worm to propogate. - -Block access to port 4444 used by the worm. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft: -http://www.microsoft.com/technet/security/bulletin/MS03-026.asp - -CVE: -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352 - -Symantec: -http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html - --- diff -Nru snort-2.8.5.2/doc/signatures/2494.txt snort-2.9.2/doc/signatures/2494.txt --- snort-2.8.5.2/doc/signatures/2494.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2494.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -2494 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Microsoft RPC service. - --- -Impact: -Denial of Service (DoS). Possible execution of arbitrary code leading to -unauthorized remote access to the victim host. - --- -Detailed Information: -It may be possible for an attacker to cause a DoS condition in the -Microsoft RPC service when multiple simultaneous requests are made to a -vulnerable host. This can lead to an exhaustion of system resources -causing the DoS. - --- -Affected Systems: - Windows systems running RPC services - --- -Attack Scenarios: -An attacker may attempt to bind to the RPC service many times in an -attempt to cause the DoS condition to occur. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2495.txt snort-2.9.2/doc/signatures/2495.txt --- snort-2.8.5.2/doc/signatures/2495.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2495.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -2495 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Microsoft RPC service. - --- -Impact: -Denial of Service (DoS). Possible execution of arbitrary code leading to -unauthorized remote access to the victim host. - --- -Detailed Information: -It may be possible for an attacker to cause a DoS condition in the -Microsoft RPC service when multiple simultaneous requests are made to a -vulnerable host. This can lead to an exhaustion of system resources -causing the DoS. - --- -Affected Systems: - Windows systems running RPC services - --- -Attack Scenarios: -An attacker may attempt to bind to the RPC service many times in an -attempt to cause the DoS condition to occur. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2496.txt snort-2.9.2/doc/signatures/2496.txt --- snort-2.8.5.2/doc/signatures/2496.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2496.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -2496 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Microsoft RPC service. - --- -Impact: -Denial of Service (DoS). Possible execution of arbitrary code leading to -unauthorized remote access to the victim host. - --- -Detailed Information: -It may be possible for an attacker to cause a DoS condition in the -Microsoft RPC service when multiple simultaneous requests are made to a -vulnerable host. This can lead to an exhaustion of system resources -causing the DoS. - --- -Affected Systems: - Windows systems running RPC services - --- -Attack Scenarios: -An attacker may attempt to bind to the RPC service many times in an -attempt to cause the DoS condition to occur. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2497.txt snort-2.9.2/doc/signatures/2497.txt --- snort-2.8.5.2/doc/signatures/2497.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2497.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2497 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Microsoft implementation of SSL Version 3. - --- -Impact: -Denial of Service (DoS). --- -Detailed Information: -A vulnerability exists in the handling of SSL Version 3 requests that -can be manipulated to cause a DoS condition in various software -implementations used on Microsoft operating systems. - -The condition exists because of poor error handling routines in the -Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an -invalid field, sent to vulnerable systems can cause the affected host to stop -handling any further requests. - --- -Affected Systems: - Microsoft Windows 2000, 2003 and XP systems using SSL - --- -Attack Scenarios: -An attcker needs to make an SSL request to an affected system that -contains an invalid field. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2498.txt snort-2.9.2/doc/signatures/2498.txt --- snort-2.8.5.2/doc/signatures/2498.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2498.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2498 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Microsoft implementation of SSL Version 3. - --- -Impact: -Denial of Service (DoS). --- -Detailed Information: -A vulnerability exists in the handling of SSL Version 3 requests that -can be manipulated to cause a DoS condition in various software -implementations used on Microsoft operating systems. - -The condition exists because of poor error handling routines in the -Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an -invalid field, sent to vulnerable systems can cause the affected host to stop -handling any further requests. - --- -Affected Systems: - Microsoft Windows 2000, 2003 and XP systems using SSL - --- -Attack Scenarios: -An attcker needs to make an SSL request to an affected system that -contains an invalid field. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2499.txt snort-2.9.2/doc/signatures/2499.txt --- snort-2.8.5.2/doc/signatures/2499.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2499.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2499 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Microsoft implementation of SSL Version 3. - --- -Impact: -Denial of Service (DoS). --- -Detailed Information: -A vulnerability exists in the handling of SSL Version 3 requests that -can be manipulated to cause a DoS condition in various software -implementations used on Microsoft operating systems. - -The condition exists because of poor error handling routines in the -Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an -invalid field, sent to vulnerable systems can cause the affected host to stop -handling any further requests. - --- -Affected Systems: - Microsoft Windows 2000, 2003 and XP systems using SSL - --- -Attack Scenarios: -An attcker needs to make an SSL request to an affected system that -contains an invalid field. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/249.txt snort-2.9.2/doc/signatures/249.txt --- snort-2.8.5.2/doc/signatures/249.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/249.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,58 +0,0 @@ -Rule: --- -Sid: -249 - --- -Summary: -The event is generated when a DDoS mstream client makes contact with an mstream handler. - --- -Impact: -Severe. If the listed source IP is in your network, it is possibly an mstream client. If the listed destination IP is in your network, it is possibly an mstream handler. - --- -Detailed Information: -The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. At the highest level, clients communicate with handlers to inform them to launch attacks. A client may contact a handler using a TCP SYN packet to destination port 15104. - --- -Affected Systems: -Any mstream compromised host. - --- -Attack Scenarios: -After a host becomes an mstream handler, the client will attempt to communicate with the handler. - --- -Ease of Attack: -Simple. mstream code is freely available. - --- -False Positives: -A legitimate server port of 15104 will cause this rule to fire. This rule may also generate a false positive if port 15104 is selected as an FTP data port. - --- -False Negatives: -There are other known client-to-handler ports in addition to 15104. - --- -Corrective Action: -Perform proper forensic analysis on the suspected compromised host to discover the means of compromise. - -Rebuild a confirmed compromised host. - -Use a packet filtering-firewall to block inappropriate traffic to the network to prevent hosts from being compromised. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Judy Novak - --- -Additional References: - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138 - --- diff -Nru snort-2.8.5.2/doc/signatures/2500.txt snort-2.9.2/doc/signatures/2500.txt --- snort-2.8.5.2/doc/signatures/2500.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2500.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2500 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Microsoft implementation of SSL Version 3. - --- -Impact: -Denial of Service (DoS). --- -Detailed Information: -A vulnerability exists in the handling of SSL Version 3 requests that -can be manipulated to cause a DoS condition in various software -implementations used on Microsoft operating systems. - -The condition exists because of poor error handling routines in the -Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an -invalid field, sent to vulnerable systems can cause the affected host to stop -handling any further requests. - --- -Affected Systems: - Microsoft Windows 2000, 2003 and XP systems using SSL - --- -Attack Scenarios: -An attcker needs to make an SSL request to an affected system that -contains an invalid field. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2501.txt snort-2.9.2/doc/signatures/2501.txt --- snort-2.8.5.2/doc/signatures/2501.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2501.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2501 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Microsoft implementation of SSL Version 3. - --- -Impact: -Denial of Service (DoS). --- -Detailed Information: -A vulnerability exists in the handling of SSL Version 3 requests that -can be manipulated to cause a DoS condition in various software -implementations used on Microsoft operating systems. - -The condition exists because of poor error handling routines in the -Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an -invalid field, sent to vulnerable systems can cause the affected host to stop -handling any further requests. - --- -Affected Systems: - Microsoft Windows 2000, 2003 and XP systems using SSL - --- -Attack Scenarios: -An attcker needs to make an SSL request to an affected system that -contains an invalid field. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2502.txt snort-2.9.2/doc/signatures/2502.txt --- snort-2.8.5.2/doc/signatures/2502.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2502.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2502 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Microsoft implementation of SSL Version 3. - --- -Impact: -Denial of Service (DoS). --- -Detailed Information: -A vulnerability exists in the handling of SSL Version 3 requests that -can be manipulated to cause a DoS condition in various software -implementations used on Microsoft operating systems. - -The condition exists because of poor error handling routines in the -Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an -invalid field, sent to vulnerable systems can cause the affected host to stop -handling any further requests. - --- -Affected Systems: - Microsoft Windows 2000, 2003 and XP systems using SSL - --- -Attack Scenarios: -An attcker needs to make an SSL request to an affected system that -contains an invalid field. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2503.txt snort-2.9.2/doc/signatures/2503.txt --- snort-2.8.5.2/doc/signatures/2503.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2503.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2503 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Microsoft implementation of SSL Version 3. - --- -Impact: -Denial of Service (DoS). --- -Detailed Information: -A vulnerability exists in the handling of SSL Version 3 requests that -can be manipulated to cause a DoS condition in various software -implementations used on Microsoft operating systems. - -The condition exists because of poor error handling routines in the -Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an -invalid field, sent to vulnerable systems can cause the affected host to stop -handling any further requests. - --- -Affected Systems: - Microsoft Windows 2000, 2003 and XP systems using SSL - --- -Attack Scenarios: -An attcker needs to make an SSL request to an affected system that -contains an invalid field. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2504.txt snort-2.9.2/doc/signatures/2504.txt --- snort-2.8.5.2/doc/signatures/2504.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2504.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2504 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Microsoft implementation of SSL Version 3. - --- -Impact: -Denial of Service (DoS). --- -Detailed Information: -A vulnerability exists in the handling of SSL Version 3 requests that -can be manipulated to cause a DoS condition in various software -implementations used on Microsoft operating systems. - -The condition exists because of poor error handling routines in the -Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an -invalid field, sent to vulnerable systems can cause the affected host to stop -handling any further requests. - --- -Affected Systems: - Microsoft Windows 2000, 2003 and XP systems using SSL - --- -Attack Scenarios: -An attcker needs to make an SSL request to an affected system that -contains an invalid field. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2505.txt snort-2.9.2/doc/signatures/2505.txt --- snort-2.8.5.2/doc/signatures/2505.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2505.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2505 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Microsoft implementation of SSL Version 3. - --- -Impact: -Denial of Service (DoS). --- -Detailed Information: -A vulnerability exists in the handling of SSL Version 3 requests that -can be manipulated to cause a DoS condition in various software -implementations used on Microsoft operating systems. - -The condition exists because of poor error handling routines in the -Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an -invalid field, sent to vulnerable systems can cause the affected host to stop -handling any further requests. - --- -Affected Systems: - Microsoft Windows 2000, 2003 and XP systems using SSL - --- -Attack Scenarios: -An attcker needs to make an SSL request to an affected system that -contains an invalid field. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2506.txt snort-2.9.2/doc/signatures/2506.txt --- snort-2.8.5.2/doc/signatures/2506.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2506.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2506 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Microsoft implementation of SSL Version 3. - --- -Impact: -Denial of Service (DoS). --- -Detailed Information: -A vulnerability exists in the handling of SSL Version 3 requests that -can be manipulated to cause a DoS condition in various software -implementations used on Microsoft operating systems. - -The condition exists because of poor error handling routines in the -Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an -invalid field, sent to vulnerable systems can cause the affected host to stop -handling any further requests. - --- -Affected Systems: - Microsoft Windows 2000, 2003 and XP systems using SSL - --- -Attack Scenarios: -An attcker needs to make an SSL request to an affected system that -contains an invalid field. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2507.txt snort-2.9.2/doc/signatures/2507.txt --- snort-2.8.5.2/doc/signatures/2507.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2507.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2507 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overrun condition in Microsoft products via the Local Security Authority -Subsystem Service (LSASS). - --- -Impact: -Remote execution of arbitrary code. - --- -Detailed Information: -A vulnerability exists in LSASS that may present an attacker with the -opportunity to execute code of their choosing on an affected host. - -The problem lies in an unchecked buffer in the LSASS service, suscessful -exploitation may present the attacker with the opportunity to gain -control of the affected system. - --- -Affected Systems: - Microsoft Windows 2000, 2003 and XP systems. - --- -Attack Scenarios: -An attcker needs to make a specially crafted request to the LSASS -service that could contain harmful code to gain further access to the -system. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Use a packet filtering firewall to deny access to TCP and UDP ports 135 -and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources -outside the protected network. - -Access should also be denied to ephemeral ports and any other ports used -by RPC services from sources external to the protected network. - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2508.txt snort-2.9.2/doc/signatures/2508.txt --- snort-2.8.5.2/doc/signatures/2508.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2508.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2508 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overrun condition in Microsoft products via the Local Security Authority -Subsystem Service (LSASS). - --- -Impact: -Remote execution of arbitrary code. - --- -Detailed Information: -A vulnerability exists in LSASS that may present an attacker with the -opportunity to execute code of their choosing on an affected host. - -The problem lies in an unchecked buffer in the LSASS service, suscessful -exploitation may present the attacker with the opportunity to gain -control of the affected system. - --- -Affected Systems: - Microsoft Windows 2000, 2003 and XP systems. - --- -Attack Scenarios: -An attcker needs to make a specially crafted request to the LSASS -service that could contain harmful code to gain further access to the -system. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Use a packet filtering firewall to deny access to TCP and UDP ports 135 -and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources -outside the protected network. - -Access should also be denied to ephemeral ports and any other ports used -by RPC services from sources external to the protected network. - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2509.txt snort-2.9.2/doc/signatures/2509.txt --- snort-2.8.5.2/doc/signatures/2509.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2509.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2509 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overrun condition in Microsoft products via the Local Security Authority -Subsystem Service (LSASS). - --- -Impact: -Remote execution of arbitrary code. - --- -Detailed Information: -A vulnerability exists in LSASS that may present an attacker with the -opportunity to execute code of their choosing on an affected host. - -The problem lies in an unchecked buffer in the LSASS service, suscessful -exploitation may present the attacker with the opportunity to gain -control of the affected system. - --- -Affected Systems: - Microsoft Windows 2000, 2003 and XP systems. - --- -Attack Scenarios: -An attcker needs to make a specially crafted request to the LSASS -service that could contain harmful code to gain further access to the -system. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Use a packet filtering firewall to deny access to TCP and UDP ports 135 -and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources -outside the protected network. - -Access should also be denied to ephemeral ports and any other ports used -by RPC services from sources external to the protected network. - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/250.txt snort-2.9.2/doc/signatures/250.txt --- snort-2.8.5.2/doc/signatures/250.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/250.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -250 - --- -Summary: -The event is generated when a DDoS mstream handler responds to an mstream client. - --- -Impact: -Severe. If the source IP is in your network, it is possibly an mstream handler. If the destination IP is in your network, it is possibly an mstream client. - --- -Detailed Information: -The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. At the highest level, clients communicate with handlers to direct them to launch attacks. A client may contact a handler using a TCP SYN packet to destination port 15104. A listening handler would respond to this on source port 15104 with a string of ">" in the payload. - --- -Affected Systems: -Any mstream compromised host. - --- -Attack Scenarios: -After a host becomes an mstream handler, the client will attempt to communicate with the handler. A handler will respond to this communication. - - --- -Ease of Attack: -Simple. mstream code is freely available. - --- -False Positives: -A legitimate server port of 15104 will cause this rule to fire. This rule may also generate a false positive if port 15104 is selected as an FTP data port. - --- -False Negatives: -There are other known client-to-handler ports in addition to 15104. - -Corrective Action: -Perform proper forensic analysis on the suspected compromised host to discover the means of compromise. - -Rebuild a confirmed compromised host. - -Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised. 
- --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Judy Novak - --- -Additional References: - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138 - - --- diff -Nru snort-2.8.5.2/doc/signatures/2510.txt snort-2.9.2/doc/signatures/2510.txt --- snort-2.8.5.2/doc/signatures/2510.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2510.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2510 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overrun condition in Microsoft products via the Local Security Authority -Subsystem Service (LSASS). - --- -Impact: -Remote execution of arbitrary code. - --- -Detailed Information: -A vulnerability exists in LSASS that may present an attacker with the -opportunity to execute code of their choosing on an affected host. - -The problem lies in an unchecked buffer in the LSASS service, suscessful -exploitation may present the attacker with the opportunity to gain -control of the affected system. - --- -Affected Systems: - Microsoft Windows 2000, 2003 and XP systems. - --- -Attack Scenarios: -An attcker needs to make a specially crafted request to the LSASS -service that could contain harmful code to gain further access to the -system. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Use a packet filtering firewall to deny access to TCP and UDP ports 135 -and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources -outside the protected network. - -Access should also be denied to ephemeral ports and any other ports used -by RPC services from sources external to the protected network. - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2511.txt snort-2.9.2/doc/signatures/2511.txt --- snort-2.8.5.2/doc/signatures/2511.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2511.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2511 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overrun condition in Microsoft products via the Local Security Authority -Subsystem Service (LSASS). - --- -Impact: -Remote execution of arbitrary code. - --- -Detailed Information: -A vulnerability exists in LSASS that may present an attacker with the -opportunity to execute code of their choosing on an affected host. - -The problem lies in an unchecked buffer in the LSASS service, suscessful -exploitation may present the attacker with the opportunity to gain -control of the affected system. - --- -Affected Systems: - Microsoft Windows 2000, 2003 and XP systems. - --- -Attack Scenarios: -An attcker needs to make a specially crafted request to the LSASS -service that could contain harmful code to gain further access to the -system. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Use a packet filtering firewall to deny access to TCP and UDP ports 135 -and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources -outside the protected network. - -Access should also be denied to ephemeral ports and any other ports used -by RPC services from sources external to the protected network. - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2512.txt snort-2.9.2/doc/signatures/2512.txt --- snort-2.8.5.2/doc/signatures/2512.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2512.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2512 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overrun condition in Microsoft products via the Local Security Authority -Subsystem Service (LSASS). - --- -Impact: -Remote execution of arbitrary code. - --- -Detailed Information: -A vulnerability exists in LSASS that may present an attacker with the -opportunity to execute code of their choosing on an affected host. - -The problem lies in an unchecked buffer in the LSASS service, suscessful -exploitation may present the attacker with the opportunity to gain -control of the affected system. - --- -Affected Systems: - Microsoft Windows 2000, 2003 and XP systems. - --- -Attack Scenarios: -An attcker needs to make a specially crafted request to the LSASS -service that could contain harmful code to gain further access to the -system. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Use a packet filtering firewall to deny access to TCP and UDP ports 135 -and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources -outside the protected network. - -Access should also be denied to ephemeral ports and any other ports used -by RPC services from sources external to the protected network. - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2513.txt snort-2.9.2/doc/signatures/2513.txt --- snort-2.8.5.2/doc/signatures/2513.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2513.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2513 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overrun condition in Microsoft products via the Local Security Authority -Subsystem Service (LSASS). - --- -Impact: -Remote execution of arbitrary code. - --- -Detailed Information: -A vulnerability exists in LSASS that may present an attacker with the -opportunity to execute code of their choosing on an affected host. - -The problem lies in an unchecked buffer in the LSASS service, suscessful -exploitation may present the attacker with the opportunity to gain -control of the affected system. - --- -Affected Systems: - Microsoft Windows 2000, 2003 and XP systems. - --- -Attack Scenarios: -An attcker needs to make a specially crafted request to the LSASS -service that could contain harmful code to gain further access to the -system. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Use a packet filtering firewall to deny access to TCP and UDP ports 135 -and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources -outside the protected network. - -Access should also be denied to ephemeral ports and any other ports used -by RPC services from sources external to the protected network. - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2514.txt snort-2.9.2/doc/signatures/2514.txt --- snort-2.8.5.2/doc/signatures/2514.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2514.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2514 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overrun condition in Microsoft products via the Local Security Authority -Subsystem Service (LSASS). - --- -Impact: -Remote execution of arbitrary code. - --- -Detailed Information: -A vulnerability exists in LSASS that may present an attacker with the -opportunity to execute code of their choosing on an affected host. - -The problem lies in an unchecked buffer in the LSASS service, suscessful -exploitation may present the attacker with the opportunity to gain -control of the affected system. - --- -Affected Systems: - Microsoft Windows 2000, 2003 and XP systems. - --- -Attack Scenarios: -An attcker needs to make a specially crafted request to the LSASS -service that could contain harmful code to gain further access to the -system. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Use a packet filtering firewall to deny access to TCP and UDP ports 135 -and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources -outside the protected network. - -Access should also be denied to ephemeral ports and any other ports used -by RPC services from sources external to the protected network. - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2515.txt snort-2.9.2/doc/signatures/2515.txt --- snort-2.8.5.2/doc/signatures/2515.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2515.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2515
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the Private
-Communications Transport (PCT) protocol.
-
---
-Impact:
-Execution of arbitrary code. Unauthorized administrative access to an
-affected host.
-
---
-Detailed Information:
-A vulnerability exists in the handling of PCT requests that
-can be manipulated to give an attacker the opportunity to execute
-arbitrary code of their choosing leading to a possible remote
-administrative compromize of an affected host.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003 and XP systems using PCT
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted PCT request to an affected system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the use of PCT
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2516.txt snort-2.9.2/doc/signatures/2516.txt
--- snort-2.8.5.2/doc/signatures/2516.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2516.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2516
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the Private
-Communications Transport (PCT) protocol.
-
---
-Impact:
-Execution of arbitrary code. Unauthorized administrative access to an
-affected host.
-
---
-Detailed Information:
-A vulnerability exists in the handling of PCT requests that
-can be manipulated to give an attacker the opportunity to execute
-arbitrary code of their choosing leading to a possible remote
-administrative compromize of an affected host.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003 and XP systems using PCT
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted PCT request to an affected system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the use of PCT
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2517.txt snort-2.9.2/doc/signatures/2517.txt
--- snort-2.8.5.2/doc/signatures/2517.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2517.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2517
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the Private
-Communications Transport (PCT) protocol.
-
---
-Impact:
-Execution of arbitrary code. Unauthorized administrative access to an
-affected host.
-
---
-Detailed Information:
-A vulnerability exists in the handling of PCT requests that
-can be manipulated to give an attacker the opportunity to execute
-arbitrary code of their choosing leading to a possible remote
-administrative compromize of an affected host.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003 and XP systems using PCT
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted PCT request to an affected system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the use of PCT
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2518.txt snort-2.9.2/doc/signatures/2518.txt
--- snort-2.8.5.2/doc/signatures/2518.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2518.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2518
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the Private
-Communications Transport (PCT) protocol.
-
---
-Impact:
-Execution of arbitrary code. Unauthorized administrative access to an
-affected host.
-
---
-Detailed Information:
-A vulnerability exists in the handling of PCT requests that
-can be manipulated to give an attacker the opportunity to execute
-arbitrary code of their choosing leading to a possible remote
-administrative compromize of an affected host.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003 and XP systems using PCT
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted PCT request to an affected system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the use of PCT
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2519.txt snort-2.9.2/doc/signatures/2519.txt
--- snort-2.8.5.2/doc/signatures/2519.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2519.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2519
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the Private
-Communications Transport (PCT) protocol.
-
---
-Impact:
-Execution of arbitrary code. Unauthorized administrative access to an
-affected host.
-
---
-Detailed Information:
-A vulnerability exists in the handling of PCT requests that
-can be manipulated to give an attacker the opportunity to execute
-arbitrary code of their choosing leading to a possible remote
-administrative compromize of an affected host.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003 and XP systems using PCT
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted PCT request to an affected system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the use of PCT
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/251.txt snort-2.9.2/doc/signatures/251.txt
--- snort-2.8.5.2/doc/signatures/251.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/251.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
---
-Sid:
-238
-
---
-Summary:
-This event is generated when a command is sent to a Tribal Flood Network
-(TFN) Distributed Denial of Service (DDoS) daemon.
-
---
-Impact:
-Attempted DDoS. If the listed source IP is in your network, it may be a
-TFN client. If the listed destination IP is in your network, it may be
-a TFN daemon.
-
---
-Detailed Information:
-The TFN DDoS uses a tiered structure of compromised hosts to coordinate
-and participate in a distributed denial of service attack. Clients
-communicate with daemons to inform them to launch attacks.
-
-This event is indicative of a client sending commands to a daemon.
-
---
-Affected Systems:
-Any TFN compromised host.
-
---
-Attack Scenarios:
-After a host becomes a TFN daemon, it will respond to client requests.
-
---
-Ease of Attack:
-Simple. TFN code is freely available.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
-
-Rebuild a confirmed compromised host.
-
-Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
-
-Arachnids:
-http://www.whitehats.com/info/IDS183
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2520.txt snort-2.9.2/doc/signatures/2520.txt
--- snort-2.8.5.2/doc/signatures/2520.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2520.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2520
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2521.txt snort-2.9.2/doc/signatures/2521.txt
--- snort-2.8.5.2/doc/signatures/2521.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2521.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2521
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2522.txt snort-2.9.2/doc/signatures/2522.txt
--- snort-2.8.5.2/doc/signatures/2522.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2522.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2522
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2523.txt snort-2.9.2/doc/signatures/2523.txt
--- snort-2.8.5.2/doc/signatures/2523.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2523.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2523
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Transmission Control Protocol (TCP) used in Border
-Gateway Protocol (BGP).
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-The Border Gateway Protocol uses TCP to maintain sessions when handling
-DNS queries. A vulnerability in the core implementation of TCP may make
-it possible for an attacker to reset a number of connections and cause a
-Denial of Service (DoS) to occur.
-
-The attack is possible because the listening service will accept a TCP
-sequence number within a range of what is expected in an established
-session. Since BGP relies on an established TCP session state, guessing
-a suitable sequence number to reset connections is feasible.
-
---
-Affected Systems:
- Various implementations of TCP by multiple vendors
-
---
-Attack Scenarios:
-An attcker needs to send a specially crafted packet to reset a
-connection.
-
---
-Ease of Attack:
-Simple. Exploits are available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2524.txt snort-2.9.2/doc/signatures/2524.txt
--- snort-2.8.5.2/doc/signatures/2524.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2524.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2524
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overrun condition in Microsoft products via the Local Security Authority
-Subsystem Service (LSASS).
-
---
-Impact:
-Remote execution of arbitrary code.
-
---
-Detailed Information:
-A vulnerability exists in LSASS that may present an attacker with the
-opportunity to execute code of their choosing on an affected host.
-
-The problem lies in an unchecked buffer in the LSASS service, suscessful
-exploitation may present the attacker with the opportunity to gain
-control of the affected system.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems.
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted request to the LSASS
-service that could contain harmful code to gain further access to the
-system.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Use a packet filtering firewall to deny access to TCP and UDP ports 135
-and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
-outside the protected network.
-
-Access should also be denied to ephemeral ports and any other ports used
-by RPC services from sources external to the protected network.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2525.txt snort-2.9.2/doc/signatures/2525.txt
--- snort-2.8.5.2/doc/signatures/2525.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2525.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2525
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overrun condition in Microsoft products via the Local Security Authority
-Subsystem Service (LSASS).
-
---
-Impact:
-Remote execution of arbitrary code.
-
---
-Detailed Information:
-A vulnerability exists in LSASS that may present an attacker with the
-opportunity to execute code of their choosing on an affected host.
-
-The problem lies in an unchecked buffer in the LSASS service, suscessful
-exploitation may present the attacker with the opportunity to gain
-control of the affected system.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems.
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted request to the LSASS
-service that could contain harmful code to gain further access to the
-system.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Use a packet filtering firewall to deny access to TCP and UDP ports 135
-and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
-outside the protected network.
-
-Access should also be denied to ephemeral ports and any other ports used
-by RPC services from sources external to the protected network.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2526.txt snort-2.9.2/doc/signatures/2526.txt
--- snort-2.8.5.2/doc/signatures/2526.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2526.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2526
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overrun condition in Microsoft products via the Local Security Authority
-Subsystem Service (LSASS).
-
---
-Impact:
-Remote execution of arbitrary code.
-
---
-Detailed Information:
-A vulnerability exists in LSASS that may present an attacker with the
-opportunity to execute code of their choosing on an affected host.
-
-The problem lies in an unchecked buffer in the LSASS service, suscessful
-exploitation may present the attacker with the opportunity to gain
-control of the affected system.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems.
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted request to the LSASS
-service that could contain harmful code to gain further access to the
-system.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Use a packet filtering firewall to deny access to TCP and UDP ports 135
-and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
-outside the protected network.
-
-Access should also be denied to ephemeral ports and any other ports used
-by RPC services from sources external to the protected network.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2527.txt snort-2.9.2/doc/signatures/2527.txt
--- snort-2.8.5.2/doc/signatures/2527.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2527.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2527
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the Private
-Communications Transport (PCT) protocol.
-
---
-Impact:
-Execution of arbitrary code. Unauthorized administrative access to an
-affected host.
-
---
-Detailed Information:
-A vulnerability exists in the handling of PCT requests that
-can be manipulated to give an attacker the opportunity to execute
-arbitrary code of their choosing leading to a possible remote
-administrative compromize of an affected host.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003 and XP systems using PCT
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted PCT request to an affected system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the use of PCT
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2528.txt snort-2.9.2/doc/signatures/2528.txt
--- snort-2.8.5.2/doc/signatures/2528.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2528.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2528
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the Private
-Communications Transport (PCT) protocol.
-
---
-Impact:
-Execution of arbitrary code. Unauthorized administrative access to an
-affected host.
-
---
-Detailed Information:
-A vulnerability exists in the handling of PCT requests that
-can be manipulated to give an attacker the opportunity to execute
-arbitrary code of their choosing leading to a possible remote
-administrative compromize of an affected host.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003 and XP systems using PCT
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted PCT request to an affected system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the use of PCT
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2529.txt snort-2.9.2/doc/signatures/2529.txt
--- snort-2.8.5.2/doc/signatures/2529.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2529.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2529
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/252.txt snort-2.9.2/doc/signatures/252.txt
--- snort-2.8.5.2/doc/signatures/252.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/252.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-252
-
---
-Summary:
-This event is generated when an attempt is made to send an inverse query
-to a DNS server. This could indicate a future attack.
-
---
-Impact:
-Intelligence gathering. This is just an attempt to see if the DNS server
-responds to such a query.
-
---
-Detailed Information:
-Certain versions of BIND fail to propery bound data recieved when
-handling an inverse query. Upon being copied to memory, portions of the
-program can be overwritten and arbitrary commands can be run on the
-affected host.
-
---
-Affected Systems:
- BIND pre 8.1.2 / 4.9.8
-
---
-Attack Scenarios:
-An attacker can send the reverse query and if the server responds the
-attacker might then proceed to exploit the flaw in Bind.
-
---
-Ease of Attack:
-Simple. Exploit code is available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade BIND.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Josh Sakofsky
-
---
-Additional References:
-
-RFC:
-http://www.rfc-editor.org/rfc/rfc1035.txt
-
-Bugtraq:
-http://www.securityfocus.com/bid/134
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0009
-
-Arachnids:
-http://www.whitehats.com/info/IDS277
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2530.txt snort-2.9.2/doc/signatures/2530.txt
--- snort-2.8.5.2/doc/signatures/2530.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2530.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2530
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2531.txt snort-2.9.2/doc/signatures/2531.txt
--- snort-2.8.5.2/doc/signatures/2531.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2531.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2531
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2532.txt snort-2.9.2/doc/signatures/2532.txt
--- snort-2.8.5.2/doc/signatures/2532.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2532.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2532
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2533.txt snort-2.9.2/doc/signatures/2533.txt
--- snort-2.8.5.2/doc/signatures/2533.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2533.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2533
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2534.txt snort-2.9.2/doc/signatures/2534.txt
--- snort-2.8.5.2/doc/signatures/2534.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2534.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2534
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2535.txt snort-2.9.2/doc/signatures/2535.txt
--- snort-2.8.5.2/doc/signatures/2535.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2535.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2535
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
-US-Cert:
-http://www.kb.cert.org/vuls/id/150236
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2536.txt snort-2.9.2/doc/signatures/2536.txt
--- snort-2.8.5.2/doc/signatures/2536.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2536.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2536
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
-US-Cert:
-http://www.kb.cert.org/vuls/id/150236
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2537.txt snort-2.9.2/doc/signatures/2537.txt
--- snort-2.8.5.2/doc/signatures/2537.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2537.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2537
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
-US-Cert:
-http://www.kb.cert.org/vuls/id/150236
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2538.txt snort-2.9.2/doc/signatures/2538.txt
--- snort-2.8.5.2/doc/signatures/2538.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2538.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2538
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
-US-CERT:
-http://www.us-cert.gov/cas/techalerts/TA04-104A.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2539.txt snort-2.9.2/doc/signatures/2539.txt
--- snort-2.8.5.2/doc/signatures/2539.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2539.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2539
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
-US-CERT:
-http://www.us-cert.gov/cas/techalerts/TA04-104A.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/253.txt snort-2.9.2/doc/signatures/253.txt
--- snort-2.8.5.2/doc/signatures/253.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/253.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,53 +0,0 @@
-Rule:
-
---
-Sid:
-253
-
---
-Summary:
-This event is generated when a specific DNS response. In this case, there are no DNS authority records for the queried pointer record and has a DNS time-to-live value of one minute.
-
---
-Impact:
-Ranges from harmless to severe. A successful corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile host).
-
---
-Detailed Information:
-This is presumably from an attacker engaged in a race condition to respond to a legitimate DNS query. An attacker may sniff a DNS query requesting an address record and attempt to respond before an actual DNS server can. The spoofed response is atypical because it does not include the authoritative DNS servers in the returned record. A legitimate DNS response will likely return the names of the authoritative DNS servers. The response associated with this traffic has a DNS time-to-live value of one minute. It is suspected that the TTL is set to expire quickly to eliminate any evidence of the spoofed response.
-
---
-Affected Systems:
-Any DNS server not using DNSSEC.
-
---
-Attack Scenarios:
-An attacker can spoof a DNS response to misrepresent an IP to host/name pairing. The forged host name can direct a user to a potentially hostile host.
-
---
-Ease of Attack:
-Moderate. The attacker has to be able to sniff DNS queries and generate spoofed responses before the actual DNS server.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-This rule uses very specific DNS flag values that could be modified. Also, if the DNS TTL value is changed from 1, this rule will not trigger.
-
---
-Corrective Action:
-Consider using DNSSEC where appropriate.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2540.txt snort-2.9.2/doc/signatures/2540.txt
--- snort-2.8.5.2/doc/signatures/2540.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2540.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2540
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
-US-CERT:
-http://www.us-cert.gov/cas/techalerts/TA04-104A.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2541.txt snort-2.9.2/doc/signatures/2541.txt
--- snort-2.8.5.2/doc/signatures/2541.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2541.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2541
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2542.txt snort-2.9.2/doc/signatures/2542.txt
--- snort-2.8.5.2/doc/signatures/2542.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2542.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2542
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
-US-CERT:
-http://www.us-cert.gov/cas/techalerts/TA04-104A.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2543.txt snort-2.9.2/doc/signatures/2543.txt
--- snort-2.8.5.2/doc/signatures/2543.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2543.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2543
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
-US-CERT:
-http://www.us-cert.gov/cas/techalerts/TA04-104A.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2544.txt snort-2.9.2/doc/signatures/2544.txt
--- snort-2.8.5.2/doc/signatures/2544.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2544.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2544
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
-US-CERT:
-http://www.us-cert.gov/cas/techalerts/TA04-104A.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2545.txt snort-2.9.2/doc/signatures/2545.txt
--- snort-2.8.5.2/doc/signatures/2545.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2545.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2545
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in AppleFileServer.
-
---
-
-Impact:
-Serious. Unauthorized remote administrative access.
-
---
-Detailed Information:
-AppleFileServer is used to share files and mount remote drives between
-machines using Apple Macintosh OS X. An error in the processing of
-PathName may lead to a buffer overflow. If the length of a string for
-AFPName is longer than the declared length, the buffer will be
-overflowed and may present an attacker with the opportunity to execute
-code of their choosing.
-
---
-
-Attack Scenarios:
-An attacker can supply an AFPName longer than what is expected by the
-service and overwrite portions of memory leading to the execution of
-code.
-
---
-
-Ease of Attack:
-Simple
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disable AFP if not needed
-
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2546.txt snort-2.9.2/doc/signatures/2546.txt
--- snort-2.8.5.2/doc/signatures/2546.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2546.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2546
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Serv-U FTP server, namely the MDTM buffer overflow.
-
---
-Impact:
-Serious. Denial of service is possible; when combined with shellcode,
-arbitrary code can be remotely executed with SYSTEM privileges.
-
---
-Detailed Information:
-The vulnerability in question is a buffer overflow present in the handling
-of the MDTM command in the RhinoSoft Serv-U FTP server for Windows.
-
-The rule searches for an MDTM command which is not terminated within 100
-characters; no valid command would be longer than this.
-
---
-Affected Systems:
-All versions of RhinoSoft Serv-U FTP 4.2 and earlier.
-
---
-Attack Scenarios:
-Several scripts exist to exploit this flaw, and shellcode is publicly available.
-An attacker could either use one of these scripts, craft their own, or simply
-manually enter an MDTM command which triggers the overflow after having logged
-into a vulnerable server.
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Alex Kirk
-
--- Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2547.txt snort-2.9.2/doc/signatures/2547.txt
--- snort-2.8.5.2/doc/signatures/2547.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2547.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2547
-
---
-Summary:
-This event is generated when an attempt is made to exploit a vulnerability
-associated with the web interface support for the HP JetAdmin printer.
-
---
-Impact:
-A successful attack may allow the execution of arbitrary code as root
-on a vulnerable server.
-
---
-Detailed Information:
-The HP Web JetAdmin provides a web interface for the administration of the HP
-Web JetAdmin printer. A vulnerability exists that allows the uploading
-of unauthorized files using the script
-/plugins/hpjwja/script/devices_update_printer_fw_upload.hts. This capability
-was included to allow the upload of legitimate files, such as firmware updates,
-by an authorized administrator. However, there is no file validation on the
-uploaded file, allowing the upload of any random file. An attacker can upload
-a file with a .hts extension that subsequently can be executed when the
-attacker accesses the file using a web browser.
-
---
-Affected Systems:
-HP Web JetAdmin 7.2.
-
---
-Attack Scenarios:
-An attacker can create upload and execute a malicious file on a vulnerable server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-An authorized administrator who uploads a file from an IP address outside the trusted
-network will cause a false positive alert.
-
---
-False Negatives:
-The default HP Web JetAdmin port is 8000. If an administrator selects a different port
-on which to run the web interface, no alert will be detected. In that case, the rule
-should be altered to reflect the port on which the web interface runs.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software or apply the appropriate patch
-when it becomes available.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
-Bugtraq:
-http://www.securityfocus.com/bid/9971
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2548.txt snort-2.9.2/doc/signatures/2548.txt
--- snort-2.8.5.2/doc/signatures/2548.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2548.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-2548
-
---
-Summary:
-This event is generated when an attempt is made to exploit a vulnerability
-associated with the web interface support for the HP JetAdmin printer.
-
---
-Impact:
-A successful attack may allow unauthorized files to be read or the injection
-of a .hts script on a vulnerable server.
-
---
-Detailed Information:
-The HP Web JetAdmin provides a web interface for the administration of the HP
-Web JetAdmin printer. A vulnerability exists that allows unauthorized
-files to be read or a .hts script to be executed. This is caused when the
-/plugins/hpjdwm/script/test/setinfo.hts script is supplied a value to the
-setinclude parameter that represents an unauthorized file to be read outside
-the web root or represents a .hts file that will be executed with system
-privileges on the vulnerable server.
-
---
-Affected Systems:
-HP Web JetAdmin 7.2.
-
---
-Attack Scenarios:
-An attacker can execute the vulnerable script and supply a value to setinclude
-indicating an unauthorized file to be read or an .hts file to be executed.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-An authorized administrator who uses the setinclude parameter with the above
-script from a source IP outside of the trusted network will cause a false positive alert.
-
---
-False Negatives:
-The default HP Web JetAdmin port is 8000. If an administrator selects a different port
-on which to run the web interface, no alert will be detected. In that case, the rule
-should be altered to reflect the port on which the web interface runs.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software or apply the appropriate patch
-when it becomes available.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
-Bugtraq:
-http://www.securityfocus.com/bid/9972
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2549.txt snort-2.9.2/doc/signatures/2549.txt
--- snort-2.8.5.2/doc/signatures/2549.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2549.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-2549
-
---
-Summary:
-This event is generated when an attempt is made to exploit a vulnerability
-associated with the web interface support for the HP JetAdmin printer.
-
---
-Impact:
-A successful attack may allow a sensitive system file to be overwritten.
-
---
-Detailed Information:
-The HP Web JetAdmin provides a web interface for the administration of the HP
-Web JetAdmin printer. A vulnerability is present that allows an existing file
-on the server to be overwritten. This problem exists because the script
-/plugins/framework/script/tree.xms does not sanitize the value supplied to
-the parameter WriteToFile, permitting a directory traversal from the web root
-directory to any file. An attacker can supply the data to write to the specified
-file.
-
---
-Affected Systems:
-HP Web JetAdmin 7.2.
-
---
-Attack Scenarios:
-An attacker can overwrite a sensitive system file using the WriteToFile parameter
-and supplying the data to write to the file.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-The default HP Web JetAdmin port is 8000. If an administrator selects a different port
-on which to run the web interface, no alert will be detected. In that case, the rule
-should be altered to reflect the port on which the web interface runs.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software or apply the appropriate patch
-when it becomes available.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
-Bugtraq:
-http://www.securityfocus.com/bid/9973
-
---
diff -Nru snort-2.8.5.2/doc/signatures/254.txt snort-2.9.2/doc/signatures/254.txt
--- snort-2.8.5.2/doc/signatures/254.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/254.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,53 +0,0 @@
-Rule:
-
---
-Sid:
-254
-
---
-Summary:
-This event is generated when a specific DNS response is returned. In this case, there are no DNS authority records for the queried address record and has a DNS time-to-live value of one minute.
-
---
-Impact:
-Ranges from harmless to severe. A successful corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile IP).
-
---
-Detailed Information:
-This is presumably from an attacker engaged in a race condition to respond to a legitimate DNS query. An attacker may sniff a DNS query requeting an address record and attempt to respond before an actual DNS server can. The spoofed response is atypical because it does not include the authoritative DNS servers in the returned record. A legitimate DNS response will likely return the names of the authoritative DNS servers. The response associated with this traffic has a DNS time-to-live value of one minute. It is suspected that the TTL is set to expire quickly to eliminate any evidence of the spoofed response.
-
---
-Affected Systems:
-Any DNS server not using DNSSEC.
-
---
-Attack Scenarios:
-An attacker can spoof a DNS response to misrepresent a host name to IP pairing. The forged IP number can direct a user to a potentially hostile IP address.
-
---
-Ease of Attack:
-The attacker has to be able to sniff DNS queries and generate spoofed responses before the actual DNS server.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-This rule uses very specific DNS flag values that could be modified. Also, if the DNS TTL value is changed from 1, this rule will not trigger.
-
---
-Corrective Action:
-Consider using DNSSEC where appropriate.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2550.txt snort-2.9.2/doc/signatures/2550.txt
--- snort-2.8.5.2/doc/signatures/2550.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2550.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2550
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow
-associated with Winamp's processing of a .XM file module name.
-
---
-Impact:
-A successful attack may permit a buffer overflow that allows the execution
-of arbitrary code at the privilege level of the user running Winamp.
-
---
-Detailed Information:
-Winamp is a media file player for Windows developed by Nullsoft. A buffer
-overflow exists because of insufficient bounds checking while parsing fields
-in a .XM file. An overly long module name may cause the buffer overflow
-permitting the execution of arbitrary code at the privilege level of the user
-running Winamp.
-
---
-Affected Systems:
-Winamp 2.x, 3.x, and 5.0-5.02
-
---
-Attack Scenarios:
-An attacker can create and send a malformed .XM tracker name that may cause
-a buffer overflow and the subsequent execution of arbitrary code on the
-vulnerable host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Brian Caswell
-
---
-Additional References
-
-Other:
-http://www.nextgenss.com/advisories/winampheap.txt
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2551.txt snort-2.9.2/doc/signatures/2551.txt
--- snort-2.8.5.2/doc/signatures/2551.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2551.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-2551
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Oracle Application Server Web Cache.
-
---
-
-Impact:
-Serious. Possible execution of arbitrary code leading to remote
-administrative access.
-
---
-Detailed Information:
-The Oracle Application Server Web Cache is vulnerable to a buffer
-overrun caused by poor checking of the length of an HTTP Header. If a
-large invalid HTTP Request Method is supplied to a vulnerable system, an
-attacker may be presented with the opportunity to overrun a fixed length
-buffer and subsequently execute code of their choosing on the server.
-
---
-Affected Systems:
-Oracle Application Server Web Cache 10g 9.0.4 .0
-Oracle Oracle9i Application Server Web Cache 2.0 .0.4
-Oracle Oracle9i Application Server Web Cache 9.0.2 .3
-Oracle Oracle9i Application Server Web Cache 9.0.2 .2
-Oracle Oracle9i Application Server Web Cache 9.0.3 .1
-
---
-
-Attack Scenarios:
-An attacker might supply an HTTP Request Method of more than 432 bytes,
-causing the overflow to occur.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible
-to configure the Oracle Web Cache server to run on different ports. The rule
-should be configured to reflect the appropriate ports of Oracle Web Cache
-servers on your network.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2552.txt snort-2.9.2/doc/signatures/2552.txt
--- snort-2.8.5.2/doc/signatures/2552.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2552.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-2552
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Oracle Application Server Web Cache.
-
---
-
-Impact:
-Serious. Possible execution of arbitrary code leading to remote
-administrative access.
-
---
-Detailed Information:
-The Oracle Application Server Web Cache is vulnerable to a buffer
-overrun caused by poor checking of the length of an HTTP Header. If a
-large invalid HTTP Request Method is supplied to a vulnerable system, an
-attacker may be presented with the opportunity to overrun a fixed length
-buffer and subsequently execute code of their choosing on the server.
-
---
-Affected Systems:
-Oracle Application Server Web Cache 10g 9.0.4 .0
-Oracle Oracle9i Application Server Web Cache 2.0 .0.4
-Oracle Oracle9i Application Server Web Cache 9.0.2 .3
-Oracle Oracle9i Application Server Web Cache 9.0.2 .2
-Oracle Oracle9i Application Server Web Cache 9.0.3 .1
-
---
-
-Attack Scenarios:
-An attacker might supply an HTTP Request Method of more than 432 bytes,
-causing the overflow to occur.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible
-to configure the Oracle Web Cache server to run on different ports. The rule
-should be configured to reflect the appropriate ports of Oracle Web Cache
-servers on your network.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2553.txt snort-2.9.2/doc/signatures/2553.txt
--- snort-2.8.5.2/doc/signatures/2553.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2553.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,71 +0,0 @@ -Rule: - --- -Sid: -2553 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Oracle Application Server Web Cache. - --- - -Impact: -Serious. Possible execution of arbitrary code leading to remote -administrative access. - --- -Detailed Information: -The Oracle Application Server Web Cache is vulnerable to a buffer -overrun caused by poor checking of the length of an HTTP Header. If a -large invalid HTTP Request Method is supplied to a vulnerable system, an -attacker may be presented with the opportunity to overrun a fixed length -buffer and subsequently execute code of their choosing on the server. - --- -Affected Systems: -Oracle Application Server Web Cache 10g 9.0.4 .0 -Oracle Oracle9i Application Server Web Cache 2.0 .0.4 -Oracle Oracle9i Application Server Web Cache 9.0.2 .3 -Oracle Oracle9i Application Server Web Cache 9.0.2 .2 -Oracle Oracle9i Application Server Web Cache 9.0.3 .1 - --- - -Attack Scenarios: -An attacker might supply an HTTP Request Method of more than 432 bytes, -causing the overflow to occur. - --- - -Ease of Attack: -Simple. - --- - -False Positives: -None Known - --- -False Negatives: -This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible -to configure the Oracle Web Cache server to run on different ports. The rule -should be configured to reflect the appropriate ports of Oracle Web Cache -servers on your network. - --- - -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Judy Novak -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2554.txt snort-2.9.2/doc/signatures/2554.txt --- snort-2.8.5.2/doc/signatures/2554.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2554.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,71 +0,0 @@ -Rule: - --- -Sid: -2554 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Oracle Application Server Web Cache. - --- - -Impact: -Serious. Possible execution of arbitrary code leading to remote -administrative access. - --- -Detailed Information: -The Oracle Application Server Web Cache is vulnerable to a buffer -overrun caused by poor checking of the length of an HTTP Header. If a -large invalid HTTP Request Method is supplied to a vulnerable system, an -attacker may be presented with the opportunity to overrun a fixed length -buffer and subsequently execute code of their choosing on the server. - --- -Affected Systems: -Oracle Application Server Web Cache 10g 9.0.4 .0 -Oracle Oracle9i Application Server Web Cache 2.0 .0.4 -Oracle Oracle9i Application Server Web Cache 9.0.2 .3 -Oracle Oracle9i Application Server Web Cache 9.0.2 .2 -Oracle Oracle9i Application Server Web Cache 9.0.3 .1 - --- - -Attack Scenarios: -An attacker might supply an HTTP Request Method of more than 432 bytes, -causing the overflow to occur. - --- - -Ease of Attack: -Simple. - --- - -False Positives: -None Known - --- -False Negatives: -This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible -to configure the Oracle Web Cache server to run on different ports. The rule -should be configured to reflect the appropriate ports of Oracle Web Cache -servers on your network. - --- - -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Judy Novak -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2555.txt snort-2.9.2/doc/signatures/2555.txt --- snort-2.8.5.2/doc/signatures/2555.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2555.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,71 +0,0 @@ -Rule: - --- -Sid: -2555 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Oracle Application Server Web Cache. - --- - -Impact: -Serious. Possible execution of arbitrary code leading to remote -administrative access. - --- -Detailed Information: -The Oracle Application Server Web Cache is vulnerable to a buffer -overrun caused by poor checking of the length of an HTTP Header. If a -large invalid HTTP Request Method is supplied to a vulnerable system, an -attacker may be presented with the opportunity to overrun a fixed length -buffer and subsequently execute code of their choosing on the server. - --- -Affected Systems: -Oracle Application Server Web Cache 10g 9.0.4 .0 -Oracle Oracle9i Application Server Web Cache 2.0 .0.4 -Oracle Oracle9i Application Server Web Cache 9.0.2 .3 -Oracle Oracle9i Application Server Web Cache 9.0.2 .2 -Oracle Oracle9i Application Server Web Cache 9.0.3 .1 - --- - -Attack Scenarios: -An attacker might supply an HTTP Request Method of more than 432 bytes, -causing the overflow to occur. - --- - -Ease of Attack: -Simple. - --- - -False Positives: -None Known - --- -False Negatives: -This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible -to configure the Oracle Web Cache server to run on different ports. The rule -should be configured to reflect the appropriate ports of Oracle Web Cache -servers on your network. - --- - -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Judy Novak -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2556.txt snort-2.9.2/doc/signatures/2556.txt --- snort-2.8.5.2/doc/signatures/2556.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2556.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,71 +0,0 @@ -Rule: - --- -Sid: -2556 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Oracle Application Server Web Cache. - --- - -Impact: -Serious. Possible execution of arbitrary code leading to remote -administrative access. - --- -Detailed Information: -The Oracle Application Server Web Cache is vulnerable to a buffer -overrun caused by poor checking of the length of an HTTP Header. If a -large invalid HTTP Request Method is supplied to a vulnerable system, an -attacker may be presented with the opportunity to overrun a fixed length -buffer and subsequently execute code of their choosing on the server. - --- -Affected Systems: -Oracle Application Server Web Cache 10g 9.0.4 .0 -Oracle Oracle9i Application Server Web Cache 2.0 .0.4 -Oracle Oracle9i Application Server Web Cache 9.0.2 .3 -Oracle Oracle9i Application Server Web Cache 9.0.2 .2 -Oracle Oracle9i Application Server Web Cache 9.0.3 .1 - --- - -Attack Scenarios: -An attacker might supply an HTTP Request Method of more than 432 bytes, -causing the overflow to occur. - --- - -Ease of Attack: -Simple. - --- - -False Positives: -None Known - --- -False Negatives: -This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible -to configure the Oracle Web Cache server to run on different ports. The rule -should be configured to reflect the appropriate ports of Oracle Web Cache -servers on your network. - --- - -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Judy Novak -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2557.txt snort-2.9.2/doc/signatures/2557.txt --- snort-2.8.5.2/doc/signatures/2557.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2557.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,71 +0,0 @@ -Rule: - --- -Sid: -2557 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Oracle Application Server Web Cache. - --- - -Impact: -Serious. Possible execution of arbitrary code leading to remote -administrative access. - --- -Detailed Information: -The Oracle Application Server Web Cache is vulnerable to a buffer -overrun caused by poor checking of the length of an HTTP Header. If a -large invalid HTTP Request Method is supplied to a vulnerable system, an -attacker may be presented with the opportunity to overrun a fixed length -buffer and subsequently execute code of their choosing on the server. - --- -Affected Systems: -Oracle Application Server Web Cache 10g 9.0.4 .0 -Oracle Oracle9i Application Server Web Cache 2.0 .0.4 -Oracle Oracle9i Application Server Web Cache 9.0.2 .3 -Oracle Oracle9i Application Server Web Cache 9.0.2 .2 -Oracle Oracle9i Application Server Web Cache 9.0.3 .1 - --- - -Attack Scenarios: -An attacker might supply an HTTP Request Method of more than 432 bytes, -causing the overflow to occur. - --- - -Ease of Attack: -Simple. - --- - -False Positives: -None Known - --- -False Negatives: -This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible -to configure the Oracle Web Cache server to run on different ports. The rule -should be configured to reflect the appropriate ports of Oracle Web Cache -servers on your network. - --- - -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Judy Novak -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2558.txt snort-2.9.2/doc/signatures/2558.txt --- snort-2.8.5.2/doc/signatures/2558.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2558.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,71 +0,0 @@ -Rule: - --- -Sid: -2558 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Oracle Application Server Web Cache. - --- - -Impact: -Serious. Possible execution of arbitrary code leading to remote -administrative access. - --- -Detailed Information: -The Oracle Application Server Web Cache is vulnerable to a buffer -overrun caused by poor checking of the length of an HTTP Header. If a -large invalid HTTP Request Method is supplied to a vulnerable system, an -attacker may be presented with the opportunity to overrun a fixed length -buffer and subsequently execute code of their choosing on the server. - --- -Affected Systems: -Oracle Application Server Web Cache 10g 9.0.4 .0 -Oracle Oracle9i Application Server Web Cache 2.0 .0.4 -Oracle Oracle9i Application Server Web Cache 9.0.2 .3 -Oracle Oracle9i Application Server Web Cache 9.0.2 .2 -Oracle Oracle9i Application Server Web Cache 9.0.3 .1 - --- - -Attack Scenarios: -An attacker might supply an HTTP Request Method of more than 432 bytes, -causing the overflow to occur. - --- - -Ease of Attack: -Simple. - --- - -False Positives: -None Known - --- -False Negatives: -This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible -to configure the Oracle Web Cache server to run on different ports. The rule -should be configured to reflect the appropriate ports of Oracle Web Cache -servers on your network. - --- - -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Judy Novak -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2559.txt snort-2.9.2/doc/signatures/2559.txt --- snort-2.8.5.2/doc/signatures/2559.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2559.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,71 +0,0 @@ -Rule: - --- -Sid: -2559 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Oracle Application Server Web Cache. - --- - -Impact: -Serious. Possible execution of arbitrary code leading to remote -administrative access. - --- -Detailed Information: -The Oracle Application Server Web Cache is vulnerable to a buffer -overrun caused by poor checking of the length of an HTTP Header. If a -large invalid HTTP Request Method is supplied to a vulnerable system, an -attacker may be presented with the opportunity to overrun a fixed length -buffer and subsequently execute code of their choosing on the server. - --- -Affected Systems: -Oracle Application Server Web Cache 10g 9.0.4 .0 -Oracle Oracle9i Application Server Web Cache 2.0 .0.4 -Oracle Oracle9i Application Server Web Cache 9.0.2 .3 -Oracle Oracle9i Application Server Web Cache 9.0.2 .2 -Oracle Oracle9i Application Server Web Cache 9.0.3 .1 - --- - -Attack Scenarios: -An attacker might supply an HTTP Request Method of more than 432 bytes, -causing the overflow to occur. - --- - -Ease of Attack: -Simple. - --- - -False Positives: -None Known - --- -False Negatives: -This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible -to configure the Oracle Web Cache server to run on different ports. The rule -should be configured to reflect the appropriate ports of Oracle Web Cache -servers on your network. - --- - -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Judy Novak -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/255.txt snort-2.9.2/doc/signatures/255.txt --- snort-2.8.5.2/doc/signatures/255.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/255.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@ -Rule: --- -Sid: -255 - --- - -Summary: -This event is generated when an attempt is made to request a zone -transfer from a DNS Server - --- -Impact: -Information disclosure. - --- -Detailed Information: -DNS Zone transfers are normally used between DNS Servers to replicate -zone information. Zone transfers can also be used to gain information -about a network. - --- -Affected Systems: - All DNS Servers - --- -Attack Scenarios: -A malicious user may request a Zone Transfer to gather information -before commencing an attack. This can give the user a list of hosts to -target. - --- -Ease of Attack: -Simple. - --- -False Positives: -DNS Zone transfers may be part of normal traffic for DNS servers. - --- -False Negatives: -None known - --- -Corrective Action: -Configure the DNS servers to only allow zone transfers from authorised -hosts, limit the information available from publicly acessible DNS -server by using Split Horizon DNS or separate DNS Servers for internal -networks. - --- -Contributors: -Original rule writer unknown -Original document author unkown -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2560.txt snort-2.9.2/doc/signatures/2560.txt --- snort-2.8.5.2/doc/signatures/2560.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2560.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,71 +0,0 @@ -Rule: - --- -Sid: -2560 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Oracle Application Server Web Cache. - --- - -Impact: -Serious. Possible execution of arbitrary code leading to remote -administrative access. - --- -Detailed Information: -The Oracle Application Server Web Cache is vulnerable to a buffer -overrun caused by poor checking of the length of an HTTP Header. If a -large invalid HTTP Request Method is supplied to a vulnerable system, an -attacker may be presented with the opportunity to overrun a fixed length -buffer and subsequently execute code of their choosing on the server. - --- -Affected Systems: -Oracle Application Server Web Cache 10g 9.0.4 .0 -Oracle Oracle9i Application Server Web Cache 2.0 .0.4 -Oracle Oracle9i Application Server Web Cache 9.0.2 .3 -Oracle Oracle9i Application Server Web Cache 9.0.2 .2 -Oracle Oracle9i Application Server Web Cache 9.0.3 .1 - --- - -Attack Scenarios: -An attacker might supply an HTTP Request Method of more than 432 bytes, -causing the overflow to occur. - --- - -Ease of Attack: -Simple. - --- - -False Positives: -None Known - --- -False Negatives: -This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible -to configure the Oracle Web Cache server to run on different ports. The rule -should be configured to reflect the appropriate ports of Oracle Web Cache -servers on your network. - --- - -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Judy Novak -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2561.txt snort-2.9.2/doc/signatures/2561.txt --- snort-2.8.5.2/doc/signatures/2561.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2561.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -2561 - --- -Summary: -This event is generated when an attempt is made to exploit a vulnerability -associated with rsync. - --- -Impact: -A successful attack may allow files to be existing files to be overwritten -or new files created on the rsync server. - --- -Detailed Information: -rsync is used to remote copy files. A command line option "--backup-dir" -can be used to specify a directory where backup files are to be placed. -There is no validation of the argument supplied to this option to scrutinize -it for proper formatting. A malicious user can try to overwrite existing -files or create new ones on a vulnerable host by supplying a value to -"--backup-dir" that is relative to the root directory. - --- -Affected Systems: -Many Unix and Linux distributions running rsync. -See http://www.securityfocus.com/bid/10247 for affected operating systems. - --- -Attack Scenarios: -An attacker can send a rsync command supplying the -backup-dir option -with a path relative to the root file system, overwriting or creating -new files on the vulnerable host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. -Run the rsync server in a chroot environment. - --- -Contributors: -Sourcefire Research Team -Judy Novak --- -Additional References - -CVE: -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0426 - -Bugtraq: -http://www.securityfocus.com/bid/10247 - --- diff -Nru snort-2.8.5.2/doc/signatures/2562.txt snort-2.9.2/doc/signatures/2562.txt --- snort-2.8.5.2/doc/signatures/2562.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2562.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,72 +0,0 @@ -Rule: - --- -Sid: -2562 - --- -Summary: -This event is generated when an attempt is made to exploit a vulnerability -associated with the server component of McAfee's ePolicy Orchestrator (ePO). - --- -Impact: -A successful attack may permit an attacker to upload malicious code on -the ePolicy Orchestrator server that may subsequently deliver the -malicious code to ePolicy agents. - --- -Detailed Information: -There is a problem with access authentication in McAfee's ePolicy Orchestrator -server. This product is responsible for distributing packages and code to -ePolicy agents, making this a potentially widespread and damaging attack in -a network. Because of a failure to authenticate credentials, -an attacker can perform administrator functions, such as file uploads, by -connecting the the ePO web server. The malicious files may be pushed to -the ePO agents by the ePO Orchestrator. - --- -Affected Systems: -McAfee ePolicy Orchestrator 2.5.0 -McAfee ePolicy Orchestrator 2.5.1 before Patch 14 -McAfee ePolicy Orchestrator 3.0 before Patch 4 for 2.0 SP2A - --- -Attack Scenarios: -An attacker can attempt to upload a malicious file using the web -server of the ePO Orchestrator. The file may be subsequently -pushed by the Orchestrator to ePO agents. - --- -Ease of Attack: -Simple. - --- -False Positives: -If a valid administrator connects to the ePO server and uploads -files, the alert will trigger. - --- -False Negatives: -If the ePO server listens on a port other than 81, no alert will -trigger. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. 
- --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References - -CVE: -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0038 - -Bugtraq: -http://www.securityfocus.com/bid/10200 - --- diff -Nru snort-2.8.5.2/doc/signatures/2563.txt snort-2.9.2/doc/signatures/2563.txt --- snort-2.8.5.2/doc/signatures/2563.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2563.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,75 +0,0 @@ -Rule: - --- -Sid: -2563 - --- -Summary: -This event is generated when an attempt is made to exploit a vulnerability -associated with the Symantec Firewall. - --- -Impact: -A successful attack may cause a heap overflow, permitting the execution -of arbitrary code on the vulnerable host. - --- -Detailed Information: -There is a vulnerability in the way the Symantec Firewall handles NetBIOS -Name Service response packets. If an attacker crafts a malicious UDP NetBIOS -Name Service unsolicited response to a vulnerable Symantec Firewall that does -not block port 137, it is possible to cause a heap overflow and execute -abitrary code with kernel privileges. The vulnerability exists because of -improper validation of the existence of required fields for the NetBIOS name -returned. The default configuration does not allow UDP port 137 traffic and -should not be exploitable if UDP port 137 is blocked. - --- -Affected Systems: -Symantec Norton Internet Security and Professional 2002,2003,2004 -Symantec Norton Personal Firewall 2002,2003,2004 -Symantec Norton AntiSpam 2004 -Symantec Client Firewall 5.01, 5.1.1 -Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1) - --- -Attack Scenarios: -An attacker can craft a malicious UDP NetBIOS Name Service response, -possibly causing a heap overflow and the subsequent execution of -arbitrary code with kernel privileges on an exploitable host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. 
- --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References - -CVE: -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0444 - -Bugtraq: -http://www.securityfocus.com/bid/10335 - -Misc: -http://www.eeye.com/html/Research/Advisories/AD20040512C.html - --- diff -Nru snort-2.8.5.2/doc/signatures/2564.txt snort-2.9.2/doc/signatures/2564.txt --- snort-2.8.5.2/doc/signatures/2564.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2564.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,75 +0,0 @@ -Rule: - --- -Sid: -2564 - --- -Summary: -This event is generated when an attempt is made to exploit a vulnerability -associated with the Symantec Firewall. - --- -Impact: -A successful attack may cause a buffer overflow, permitting the execution -of arbitrary code on the vulnerable host. - --- -Detailed Information: -There is a vulnerability in the way the Symantec Firewall handles NetBIOS -Name Service response packets. If an attacker crafts a malicious UDP NetBIOS -Name Service unsolicited response to a vulnerable Symantec Firewall that does -not block port 137, it is possible to cause a buffer overflow and execute -abitrary code with kernel privileges. The vulnerability exists because of -improper validation of the length field value for the NetBIOS name returned. -The default configuration does not allow UDP port 137 traffic and should -not be exploitable if UDP port 137 is blocked. - --- -Affected Systems: -Symantec Norton Internet Security and Professional 2002,2003,2004 -Symantec Norton Personal Firewall 2002,2003,2004 -Symantec Norton AntiSpam 2004 -Symantec Client Firewall 5.01, 5.1.1 -Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1) - --- -Attack Scenarios: -An attacker can craft a malicious UDP NetBIOS Name Service response, -possibly causing a buffer overflow and the subsequent execution of -arbitrary code with kernel privileges on an exploitable host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. 
- --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References - -CVE: -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0444 - -Bugtraq: -http://www.securityfocus.com/bid/10333 - -Misc: -http://www.eeye.com/html/Research/Advisories/AD20040512A.html - --- diff -Nru snort-2.8.5.2/doc/signatures/2565.txt snort-2.9.2/doc/signatures/2565.txt --- snort-2.8.5.2/doc/signatures/2565.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2565.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2565 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a PHP web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a PHP application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the PHP application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running PHP applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying PHP script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2566.txt snort-2.9.2/doc/signatures/2566.txt --- snort-2.8.5.2/doc/signatures/2566.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2566.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2566 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a PHP web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a PHP application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the PHP application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running PHP applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying PHP script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2567.txt snort-2.9.2/doc/signatures/2567.txt --- snort-2.8.5.2/doc/signatures/2567.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2567.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2567 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2568.txt snort-2.9.2/doc/signatures/2568.txt --- snort-2.8.5.2/doc/signatures/2568.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2568.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2568
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2569.txt snort-2.9.2/doc/signatures/2569.txt
--- snort-2.8.5.2/doc/signatures/2569.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2569.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-2569
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability on a web server or a web application resident on a web
-server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server. Possible execution of arbitrary code of
-the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running a Web server or a vulnerable application on a web server.
-
-Many known vulnerabilities exist for each implementation and the
-attack scenarios are legion.
-
-Some applications do not perform stringent checks when validating the
-credentials of a client host connecting to the services offered on a
-host server. This can lead to unauthorized access and possibly escalated
-privileges to that of the administrator. Data stored on the machine can
-be compromised and trust relationships between the victim server and
-other hosts can be exploited by the attacker.
-
---
-Affected Systems:
- All systems using a web server.
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Check the host logfiles and application logs for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/256.txt snort-2.9.2/doc/signatures/256.txt
--- snort-2.8.5.2/doc/signatures/256.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/256.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-256
-
---
-Summary:
-This event is generated when an attempt is made to query authors.bind chaos
-record on a DNS server.
-
---
-Impact:
-Information gathering. This activity may indicate reconnaisance before
-an impending attack.
-
---
-Detailed Information:
-Bind 9.x allows you get the authors.bind chaos record. The ability to
-retrieve this file indicates that the machine is running at least a
-9.x variant of the bind nameserver.
-
---
-Affected Systems:
- All DNS Servers using Bind
-
---
-Attack Scenarios:
-As part of a reconnaissance mission, an attacker may attempt to glean
-important information about network infrastructure by determining the
-bind version on a nameserver. If authors.bind is retrievable, this
-indicates that Bind 9.x is in use.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Remove the ability to retrieve the authors.bind chaos record by changing
-the DNS configuration accordingly.
-
---
-Contributors:
-Original rule writer unknown
-Snort documentation contributed by Jon Hart
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2570.txt snort-2.9.2/doc/signatures/2570.txt
--- snort-2.8.5.2/doc/signatures/2570.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2570.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-2570
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability on a web server or a web application resident on a web
-server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server. Possible execution of arbitrary code of
-the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running a Web server or a vulnerable application on a web server.
-
-In particular this rule generates events when a non-standard HTTP
-request is made to a server. Some applications do not handle this
-exception in an acceptable manner and may present an attacker with the
-opportunity to exploit the application and server becasue of this.
-
-Some applications do not perform stringent checks when validating the
-credentials of a client host connecting to the services offered on a
-host server. This can lead to unauthorized access and possibly escalated
-privileges to that of the administrator. Data stored on the machine can
-be compromised and trust relationships between the victim server and
-other hosts can be exploited by the attacker.
-
---
-Affected Systems:
- All systems using a web server.
- Seattle Lab Software SLMail Pro 2.0 to 2.0.9 inclusive
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-The use of some proxy servers like Inktomi, may cause this rule to
-generate events.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Check the host logfiles and application logs for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2571.txt snort-2.9.2/doc/signatures/2571.txt
--- snort-2.8.5.2/doc/signatures/2571.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2571.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,78 +0,0 @@
-Rule:
-
---
-Sid:
-2571
-
---
-Summary:
-This event is generated when an attempt is made to exploit a potential
-weakness on a host running a web application on Microsoft Internet
-Information Server (IIS).
-
---
-Impact:
-Information gathering possible administrator access.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit potential
-weaknesses in a host running a web application on Microsoft IIS.
-
-The attacker may be trying to gain information on the IIS implementation
-on the host, this may be the prelude to an attack against that host
-using that information.
-
-The attacker may also be trying to gain administrator access to the
-host, garner information on users of the system or retrieve sensitive
-customer information.
-
-Some applications may store sensitive information such as database
-connections, user information, passwords and customer information in
-files accessible via a web interface. Care should be taken to ensure
-these files are not accessible to external sources.
-
---
-Affected Systems:
-Any host using IIS.
-
---
-Attack Scenarios:
-An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the IIS implementation on the host. Ensure all measures have been
-taken to deny access to sensitive files.
-
-Ensure that the IIS implementation is fully patched.
-
-Ensure that the underlying operating system is fully patched.
-
-Employ strategies to harden the IIS implementation and operating system.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2572.txt snort-2.9.2/doc/signatures/2572.txt
--- snort-2.8.5.2/doc/signatures/2572.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2572.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,78 +0,0 @@
-Rule:
-
---
-Sid:
-2572
-
---
-Summary:
-This event is generated when an attempt is made to exploit a potential
-weakness on a host running a web application on Microsoft Internet
-Information Server (IIS).
-
---
-Impact:
-Information gathering possible administrator access.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit potential
-weaknesses in a host running a web application on Microsoft IIS.
-
-The attacker may be trying to gain information on the IIS implementation
-on the host, this may be the prelude to an attack against that host
-using that information.
-
-The attacker may also be trying to gain administrator access to the
-host, garner information on users of the system or retrieve sensitive
-customer information.
-
-Some applications may store sensitive information such as database
-connections, user information, passwords and customer information in
-files accessible via a web interface. Care should be taken to ensure
-these files are not accessible to external sources.
-
---
-Affected Systems:
-Any host using IIS.
-
---
-Attack Scenarios:
-An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the IIS implementation on the host. Ensure all measures have been
-taken to deny access to sensitive files.
-
-Ensure that the IIS implementation is fully patched.
-
-Ensure that the underlying operating system is fully patched.
-
-Employ strategies to harden the IIS implementation and operating system.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2573.txt snort-2.9.2/doc/signatures/2573.txt
--- snort-2.8.5.2/doc/signatures/2573.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2573.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,78 +0,0 @@
-Rule:
-
---
-Sid:
-2573
-
---
-Summary:
-This event is generated when an attempt is made to exploit a potential
-weakness on a host running a web application on Microsoft Internet
-Information Server (IIS).
-
---
-Impact:
-Information gathering possible administrator access.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit potential
-weaknesses in a host running a web application on Microsoft IIS.
-
-The attacker may be trying to gain information on the IIS implementation
-on the host, this may be the prelude to an attack against that host
-using that information.
-
-The attacker may also be trying to gain administrator access to the
-host, garner information on users of the system or retrieve sensitive
-customer information.
-
-Some applications may store sensitive information such as database
-connections, user information, passwords and customer information in
-files accessible via a web interface. Care should be taken to ensure
-these files are not accessible to external sources.
-
---
-Affected Systems:
-Any host using IIS.
-
---
-Attack Scenarios:
-An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the IIS implementation on the host. Ensure all measures have been
-taken to deny access to sensitive files.
-
-Ensure that the IIS implementation is fully patched.
-
-Ensure that the underlying operating system is fully patched.
-
-Employ strategies to harden the IIS implementation and operating system.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2574.txt snort-2.9.2/doc/signatures/2574.txt
--- snort-2.8.5.2/doc/signatures/2574.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2574.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2574
-
---
-Summary:
-This event is generated when a remote attacker attempts to exploit a
-format string vulnerability against an FTP server during authentication.
-
---
-
-Impact:
-Attempted Admin. A successful format string attack could result in the
-execution of arbitrary code with the same privileges as the user running
-the FTP daemon.
-
---
-
-Detailed Information:
-Several FTP daemons are vulnerable to format string exploits during
-authentication to the FTP server. A successful exploit attempt could
-result in the remote attacker gaining unauthorized root access to the
-vulnerable system.
-
---
-Affected Systems:
- BolinTech Dream FTP Server version 1.02
-
---
-
-Attack Scenarios:
-A remote attacker could use a publicly available script to exploit the
-vulnerability an gain control of the target host.
-
---
-
-Ease of Attack:
-Simple. Numerous attack scripts exist to exploit this vulnerabiliy.
-
---
-
-False Positives:
-None known.
-
---
-
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2575.txt snort-2.9.2/doc/signatures/2575.txt
--- snort-2.8.5.2/doc/signatures/2575.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2575.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2575
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a PHP web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a PHP application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the PHP application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running PHP applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying PHP script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2576.txt snort-2.9.2/doc/signatures/2576.txt
--- snort-2.8.5.2/doc/signatures/2576.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2576.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-2576
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use an inbuilt procedure to generate triggers
-needed for database replication. The "generate_replication_support"
-procedure contains a programming error that may allow an attacker to
-execute a buffer overflow attack.
-
-This overflow is triggered by long strings in some parameters for the
-procedure.
-
-Oracle servers running on a Windows platform may listen on any arbitrary
-port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
-is applicable to the protected network.
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to either the "package_prefix" or
-"procedure_prefix" variables to cause the overflow. The result could
-permit the attacker to gain escalated privileges and run code of their
-choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Application Security Inc.
-https://www.appsecinc.com/Policy/PolicyCheck93.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2577.txt snort-2.9.2/doc/signatures/2577.txt
--- snort-2.8.5.2/doc/signatures/2577.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2577.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2577
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Internet Explorer.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible.
-
---
-Detailed Information:
-Internet Explorer does not correctly handle the validation of data from
-an external source when processing data in a frame from a redirected
-source. This may lead to the execution of arbitrary code in the context
-of the Local Machine zone.
-
-It may be possible for an attacker to supply an HTTP 300 response from a
-webserver that points to a local file on the victim host. If the
-attacker includes code of their choosing, this code is executed in the
-context of the trusted Local Machine zone.
-
---
-Affected Systems:
- Microsoft Internet Explorer
- Microsoft Outlook
- Microsoft Outlook Express
-
---
-Attack Scenarios:
-An attacker would need to supply an HTTP 300 series code to redirect the
-contents of a frame to a local resource on the victim host.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-A valid 300 server response that uses the Location parameter to redirect
-users to a new location may generate an event.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Disable Active Scripting and ActiveX
-
-Disable the use of HTML email
-
-Use a browser other than Internet Explorer
-
---
-Contributors:
-Original Snort documentation contributed by nnposter@users.sourceforge.net
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2578.txt snort-2.9.2/doc/signatures/2578.txt
--- snort-2.8.5.2/doc/signatures/2578.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2578.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-2578
-
---
-Summary:
-This event is generated when an attempt is made to exploit a heap overflow
-associated with Kerberos V5.
-
---
-Impact:
-A successful attack may cause a heap overflow, permitting the execution of
-arbitrary code.
-
---
-Detailed Information:
-When Kerberos V5 uses a non-default configuration of enabling rules-based
-mapping, it is possible to cause a heap overflow and the subsequent
-execution of arbitrary code on the vulnerable host. The attacker has
-to successfully authenticate in order to exploit the vulnerability.
-If an attacker supplies an overly long principal name, it may be possible
-to cause a heap overflow on the vulnerable Kerberos-enabled server.
-
---
-Affected Systems:
-MIT Kerberos V5 including krb5-1.3.3
-
---
-Attack Scenarios:
-An attacker authenticates to the Kerberos server and later supplies
-an overly long principle name when attempting to connect to a server
-that employs Kerberos authentication. This can cause a heap overflow
-and subsequent execution of code on a vulnerable server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Dan Roelker
-
---
-Additional References
-
-Other:
-http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-001-an_to_ln.txt
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2579.txt snort-2.9.2/doc/signatures/2579.txt
--- snort-2.8.5.2/doc/signatures/2579.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2579.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-2579
-
---
-Summary:
-This event is generated when an attempt is made to exploit a heap overflow
-associated with Kerberos V5.
-
---
-Impact:
-A successful attack may cause a heap overflow, permitting the execution of
-arbitrary code.
-
---
-Detailed Information:
-When Kerberos V5 uses a non-default configuration of enabling rules-based
-mapping, it is possible to cause a heap overflow and the subsequent
-execution of arbitrary code on the vulnerable host. The attacker has
-to successfully authenticate in order to exploit the vulnerability.
-If an attacker supplies an overly long principal name, it may be possible
-to cause a heap overflow on the vulnerable Kerberos-enabled server.
-
---
-Affected Systems:
-MIT Kerberos V5 including krb5-1.3.3
-
---
-Attack Scenarios:
-An attacker authenticates to the Kerberos server and later supplies
-an overly long principle name when attempting to connect to a server
-that employs Kerberos authentication. This can cause a heap overflow
-and subsequent execution of code on a vulnerable server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Dan Roelker
-
---
-Additional References
-
-Other:
-http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-001-an_to_ln.txt
-
---
diff -Nru snort-2.8.5.2/doc/signatures/257.txt snort-2.9.2/doc/signatures/257.txt
--- snort-2.8.5.2/doc/signatures/257.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/257.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-257
-
---
-Summary:
-This event is generated when an attempt is made to determine the version
-of BIND being used on a DNS server.
-
---
-Impact:
-Information gathering. This activity may indicate reconnaisance before
-an impending attack.
-
---
-Detailed Information:
-A remote machine attempted to determine the version of BIND running on a
-nameserver.
-
---
-Affected Systems:
- All DNS nameservers
-
---
-Attack Scenarios:
-As part of reconnaissance leading upto a potential intrusion attempt, an
-attacker may attempt to determine the BIND version that is in use so
-that a vulnerable version can be used as an attack vector.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disable the ability for untrusted (remote) machines to determine the named
-version.
-
---
-Contributors:
-Original rule writer unknown
-Snort documentation contributed by Jon Hart
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2580.txt snort-2.9.2/doc/signatures/2580.txt
--- snort-2.8.5.2/doc/signatures/2580.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2580.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-2580
-
---
-Summary:
-This event is generated when an attempt is made to exploit a heap overflow
-associated with Apache 1.3 proxy and cache module.
-
---
-Impact:
-A successful attack may cause a heap overflow, permitting the execution of
-arbitrary code.
-
---
-Detailed Information:
-When Apache 1.3 is used and the host is configured to be a web proxy,
-reverse proxy and/or cache server, a vulnerability exists that may
-allow a heap overflow and the subsequent execution of arbitrary code
-on the vulnerable server. This may occur when the server receives
-a malformed response from a malicious web server that includes a
-negative content length value. This can cause invalid memory access
-and a denial of service or heap overflow.
-
---
-Affected Systems:
-Apache 1.3.x
-
---
-Attack Scenarios:
-An attacker can entice a user to visit a malicious web server. If
-a vulnerable server proxies the request and receives a malformed
-response, a heap overflow may occur.
-
---
-Ease of Attack:
-Simple. Exploit code is publicly available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Brian Caswell
-
---
-Additional References
-CVE:
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492
-
-Other:
-http://www.guninski.com/modproxy1.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2581.txt snort-2.9.2/doc/signatures/2581.txt
--- snort-2.8.5.2/doc/signatures/2581.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2581.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,77 +0,0 @@
-Rule:
-
---
-Sid:
-2581
-
---
-Summary:
-This event is generated when an attempt is made to exploit a directory
-traversal associated with the Crystal Reports web viewer.
-
---
-Impact:
-A successful attack may allow unauthorized files to be viewed or
-possibly deleted.
-
---
-Detailed Information:
-A vulnerability exists in the Crystal Reports web viewer that may permit
-an attacker to view or delete unauthorized files. The is due to a
-failure to ensure that that a requested Crystal Report file location
-is in the web root directory, permitting unauthorized files to be
-viewed.
-
-In addition, Crystal Reports assumes that the requested report
-file for viewing is a temporary file and deletes it after the
-web version has been viewed. This problem combined with the
-directory traversal vulnerability may allow sensitive or valuable
-files to be deleted.
-
---
-Affected Systems:
-Crystal Reports 8.5 JAVA SDK
-Crystal Reports RAS 8.5 for UNIX
-Crystal Reports 9.0
-Crystal Enterprise 9.0
-Crystal Reports 10
-Crystal Reports 10.0
-
---
-Attack Scenarios:
-An attacker can request to view a file not in the web root
-directory, permitting unauthorized information disclosure.
-The viewed file will be deleted subsequently possibly causing
-harm to the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
-CVE:
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0204
-
-Other:
-http://www.microsoft.com/security/bulletins/200406_crystal.mspx
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2582.txt snort-2.9.2/doc/signatures/2582.txt
--- snort-2.8.5.2/doc/signatures/2582.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2582.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,77 +0,0 @@
-Rule:
-
---
-Sid:
-2582
-
---
-Summary:
-This event is generated when an attempt is made to exploit a directory
-traversal associated with the Crystal Reports web viewer.
-
---
-Impact:
-A successful attack may allow unauthorized files to be viewed or
-possibly deleted.
-
---
-Detailed Information:
-A vulnerability exists in the Crystal Reports web viewer that may permit
-an attacker to view or delete unauthorized files. The is due to a
-failure to ensure that that a requested Crystal Report file location
-is in the web root directory, permitting unauthorized files to be
-viewed.
-
-In addition, Crystal Reports assumes that the requested report
-file for viewing is a temporary file and deletes it after the
-web version has been viewed. This problem combined with the
-directory traversal vulnerability may allow sensitive or valuable
-files to be deleted.
-
---
-Affected Systems:
-Crystal Reports 8.5 JAVA SDK
-Crystal Reports RAS 8.5 for UNIX
-Crystal Reports 9.0
-Crystal Enterprise 9.0
-Crystal Reports 10
-Crystal Reports 10.0
-
---
-Attack Scenarios:
-An attacker can request to view a file not in the web root
-directory, permitting unauthorized information disclosure.
-The viewed file will be deleted subsequently possibly causing
-harm to the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
-CVE:
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0204
-
-Other:
-http://www.microsoft.com/security/bulletins/200406_crystal.mspx
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2583.txt snort-2.9.2/doc/signatures/2583.txt
--- snort-2.8.5.2/doc/signatures/2583.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2583.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-2583
-
---
-Summary:
-This event is generated when an attempt is made to exploit a vulnerability
-associated with CVS.
-
---
-Impact:
-A successful attack may perform a buffer overflow or a denial of service by
-either causing the CVS server to terminate abruptly or causing an exhaustion of
-disk resources.
-
---
-Detailed Information:
-A CVS client transaction may reference a file using a relative path
-requiring the use of a directory traversal. The Max-dotdot keyword and
-appropriate argument are created by the CVS client software to handle
-relative paths. The appropriate argument represents the maximum number of
-directory levels to be traversed. It is possible for an attacker
-to supply an overly large value to the Max-dotdot keyword, causing an
-incorrect allocation of memory and possibly causing a buffer overflow or the CVS
-server to crash. In addition, temporary files are not deleted enabling a disk
-resource exhaustion attack, if repeated many times. It should be noted
-that an attacker must have CVS access privileges in order to attempt
-these attacks.
-
-
---
-Affected Systems:
-CVS versions 1.12.8 with the exception of version 1.11.17
-
---
-Attack Scenarios:
-An attacker can connect to a CVS server and craft an overly large Max-dotdot
-argument value, causing a buffer overflow or causing the vulnerable CVS server
-to crash.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
-CVE:
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0417
-
-Bugtraq:
-http://www.securityfocus.com/bid/10499
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2584.txt snort-2.9.2/doc/signatures/2584.txt
--- snort-2.8.5.2/doc/signatures/2584.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2584.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-1102
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the peer to peer (p2p) client eMule.
-
---
-Impact:
-Possible execution of arbitrary code of the attackers choosing.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the p2p application eMule. The eMule client is prone to
-a buffer overflow condition which may present an attacker with the
-opportunity to execute code of their choosing on a vulnerable host.
-
-The issue surrounds the IRC module and the Web server portions of the
-client. Sufficient bounds checking of user supplied data is not
-correctly implemented causing the opportunity to overflow a buffer.
-
---
-Affected Systems:
- All systems using eMule.
-
---
-Attack Scenarios:
-An attacker can supply overly long data in an IRC session between two
-clients to trigger the overflow.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Check the host logfiles and application logs for signs of compromise.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2585.txt snort-2.9.2/doc/signatures/2585.txt
--- snort-2.8.5.2/doc/signatures/2585.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2585.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2585
-
---
-Summary:
-This event is generated when an attempt is made to probe for a known
-vulnerability on a web server or a web application resident on a web
-server using Nessus.
-
---
-Impact:
-Information gathering.
-
---
-Detailed Information:
-This event is generated when an attempt is made to ascertain wether or
-not a Web server or an application running on a web server is subject
-to a possible vulnerability using the tool Nessus.
-
-Many known vulnerabilities exist for each implementation and the
-attack scenarios are legion.
-
-Some applications do not perform stringent checks when validating the
-credentials of a client host connecting to the services offered on a
-host server. This can lead to unauthorized access and possibly escalated
-privileges to that of the administrator. Data stored on the machine can
-be compromised and trust relationships between the victim server and
-other hosts can be exploited by the attacker.
-
---
-Affected Systems:
- All systems using a web server.
-
---
-Attack Scenarios:
-An attacker merely needs to use Nessus against a server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Check the host logfiles and application logs for signs of compromise.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2586.txt snort-2.9.2/doc/signatures/2586.txt
--- snort-2.8.5.2/doc/signatures/2586.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2586.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2586
-
---
-Summary:
-This event is generated when activity by Peer-to-Peer (p2p) clients is detected.
-
---
-Impact:
-Informational event. Unauthorized use of a p2p client may be in progress.
-
---
-Detailed Information:
-This event indicates that use of a p2p client has been detected.
-This may be against corporate policy. p2p clients connect to other p2p
-clients to share files, commonly music and video files but can be configured
-to share any file on the local machine. In particular this event is
-generated when the p2p client eDonkey is used.
-
-This activity may not only use bandwidth but may also be used to transfer
-company confidential information to unauthorized hosts external to the
-protected network bypassing other security measures in place.
-
---
-Affected Systems:
-Any host using an eDonkey p2p client.
-
---
-Attack Scenarios:
-This is indicative of the use of a p2p client.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Check the host and uninstall any p2p client found.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2587.txt snort-2.9.2/doc/signatures/2587.txt
--- snort-2.8.5.2/doc/signatures/2587.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2587.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2587
-
---
-Summary:
-This event is generated when activity by Peer-to-Peer (p2p) clients is detected.
-
---
-Impact:
-Informational event. Unauthorized use of a p2p client may be in progress.
-
---
-Detailed Information:
-This event indicates that use of a p2p client has been detected.
-This may be against corporate policy. p2p clients connect to other p2p
-clients to share files, commonly music and video files but can be configured
-to share any file on the local machine. In particular this event is
-generated when the p2p client eDonkey is used.
-
-This activity may not only use bandwidth but may also be used to transfer
-company confidential information to unauthorized hosts external to the
-protected network bypassing other security measures in place.
-
---
-Affected Systems:
-Any host using an eDonkey p2p client.
-
---
-Attack Scenarios:
-This is indicative of the use of a p2p client.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Check the host and uninstall any p2p client found.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2588.txt snort-2.9.2/doc/signatures/2588.txt
--- snort-2.8.5.2/doc/signatures/2588.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2588.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-2588
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application TUTOS.
-
---
-Impact:
-Information gathering.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application TUTOS. The PHP application
-TUTOS is vulnerable to a path disclosure bug which may allow an attacker
-to gain information that can be used in further attacks against the
-system.
-
-The vulnerability surrounds the file note_overview.php, by manipulating
-input to the file an attacker may be presented with sensitive
-information regarding the system.
-
---
-Affected Systems:
- All systems using TUTOS.
-
---
-Attack Scenarios:
-An attacker can leverage this vulnerability to gain information that may
-be useful in further attacks against the system.
-
---
-Ease of Attack:
-Simple. Exploit software is not required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Check the host logfiles and application logs for signs of compromise.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2589.txt snort-2.9.2/doc/signatures/2589.txt
--- snort-2.8.5.2/doc/signatures/2589.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2589.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,93 +0,0 @@
-Rule:
-
---
-Sid:
-2589
-
---
-Summary:
-This event is generated when an attempt is made to return to
-a web client a file in the Content-Disposition Header with a
-Class ID (CLSID) embedded in the file name.
-
---
-Impact:
-A successful attack may trick a client on a vulnerable host to download
-a malicious file that will be executed by the Windows Shell.
-
---
-Detailed Information:
-Internet Explorer does not correctly handle or display specially
-crafted files in the browser dialogue where the user choses the
-action (e.g., open, save, cancel) for a downloaded file.
-Specifically, these are overly long file names that employ URL
-encoding of "." %2E before the file extension and contain the
-Class ID (CLSID) associated with the Windows Shell in the file name.
-
-This serves two purposes; the first is that the file name will
-be truncated in the user dialog so the user doesn't see the
-CLSID reference, making it appear to be a more innocuous file
-with a known extension such as mpg or pdf. Second, the downloaded
-file will actually contain malcious commands that will be
-executed by the Windows Shell when opened because of the hidden
-CLSID in the file name.
-
-Currently, the only known CLSID that exploits this vulnerability
-is associated with the Windows Shell. Yet, it may be possible
-for another CLSID to be discovered in the future that would be
-associated with a COM component that could be used for malicious
-purposes.
-
---
-Affected Systems:
- Windows NT Workstation/Server 4.0 SP6a
- Windows NT Workstation/Server 4.0 SP6a with Active Desktop
- Windows NT Server 4.0 Terminal Server Edition SP6
- Windows 2000 SP2-SP4
- Windows XP and XP SP1
- Windows XP 64-Bit Edition SP1
- Windows XP 64-Bit Edition Version 2003
- Windows Server 2003
- Windows Server 2003 64-Bit Edition
-
---
-Attack Scenarios:
-An attacker can entice a user to visit a web server that
-will return a malicious file with a file name that contains
-a CLSID, perhaps enabling the execution of the malicious
-code when the file is opened.
-
---
-Ease of Attack:
-Simple. Exploit code is publicly available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Judy Novak
-
---
-Additional References
-CVE:
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0420
-
-Bugtraq:
-http://www.securityfocus.com/bid/9510
-
-Other:
-http://www.microsoft.com/technet/security/bulletin/ms04-024.mspx
-
---
diff -Nru snort-2.8.5.2/doc/signatures/258.txt snort-2.9.2/doc/signatures/258.txt
--- snort-2.8.5.2/doc/signatures/258.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/258.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-258
-
---
-Summary:
-This event is generated when an exploit that targets vulnerabilities in
-BIND 8.2 and 8.2.1 ("ADM named exploit 8.2/8.2.1") is executed against a
-local DNS server.
-
---
-Impact:
-Severe. Remote code execution with the privileges of the BIND DNS daemon
-(named).
-
---
-Detailed Information:
-BIND is DNS server software shipped with a number of UNIX and
-Linux-based operating systems. Attackers can exploit multiple
-vulnerabilities in BIND versions between 8.2 and 8.2.1 to obtain remote
-shell access. This enables the attacker to execute arbitrary code from
-the command shell with the security privileges of the BIND DNS daemon
-(named). If named is running as root, the attacker automatically obtains
-root privileges to the system.
-
---
-Affected Systems:
-Any operating system running BIND implementations below 8.2.2.
-
---
-Attack Scenarios:
-An attacker executes an exploit script against a vulnerable server,
-obtaining shell access to the compromised machine. If named is running
-as root, the attacker automatically obtains root privileges on the
-server. Otherwise, the attacker can execute arbitrary code with the
-privileges of named, which can lead to remote root compromise.
-
---
-Ease of Attack:
-Simple. An exploit exists.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to BIND 8.2.2 or higher.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Judy Novak (judy.novak@sourcefire.com)
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2590.txt snort-2.9.2/doc/signatures/2590.txt
--- snort-2.8.5.2/doc/signatures/2590.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2590.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
-
---
-Sid:
-2590
-
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow
-associated with the Mail Transfer Agent Exim.
-
---
-Impact:
-A successful attack may allow the execution of arbitrary code on a vulnerable
-server with the privilege of the process running Exim.
-
---
-Detailed Information:
-Exim is vulnerable to a buffer overflow, permitting an attacker to execute
-arbitrary code. The vulnerability may be exploited if Exim is configured to
-verify header syntax in the e-mail message body. This is not the default
-configuration. If an attacker supplies a large number of spaces after certain
-header fields, it may be possible to cause a buffer overflow.
-
---
-Affected Systems:
-Exim prior to version 4.34
-
---
-Attack Scenarios:
-An attacker can create and send mail with a malformed header,
-possibly causing a buffer overflow and permitting the execution of arbitrary code.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
-Bugtraq:
-http://www.securityfocus.com/bid/10291
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0400
-
-Other:
-http://www.guninski.com/exim1.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2591.txt snort-2.9.2/doc/signatures/2591.txt
--- snort-2.8.5.2/doc/signatures/2591.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2591.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
-
---
-Sid:
-2591
-
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow
-associated with the Mail Transfer Agent Exim.
-
---
-Impact:
-A successful attack may allow the execution of arbitrary code on a vulnerable
-server with the privilege of the process running Exim.
-
---
-Detailed Information:
-Exim is vulnerable to a buffer overflow, permitting an attacker to execute
-arbitrary code. The vulnerability may be exploited if Exim is configured to
-verify header syntax in the e-mail message body. This is not the default
-configuration. If an attacker supplies a large number of spaces after certain
-header fields, it may be possible to cause a buffer overflow.
-
---
-Affected Systems:
-Exim prior to version 4.34
-
---
-Attack Scenarios:
-An attacker can create and send mail with a malformed header,
-possibly causing a buffer overflow and permitting the execution of arbitrary code.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
-Bugtraq:
-http://www.securityfocus.com/bid/10291
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0400
-
-Other:
-http://www.guninski.com/exim1.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2592.txt snort-2.9.2/doc/signatures/2592.txt
--- snort-2.8.5.2/doc/signatures/2592.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2592.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
-
---
-Sid:
-2592
-
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow
-associated with the Mail Transfer Agent Exim.
-
---
-Impact:
-A successful attack may allow the execution of arbitrary code on a vulnerable
-server with the privilege of the process running Exim.
-
---
-Detailed Information:
-Exim is vulnerable to a buffer overflow, permitting an attacker to execute
-arbitrary code. The vulnerability may be exploited if Exim is configured to
-verify header syntax in the e-mail message body. This is not the default
-configuration. If an attacker supplies a large number of spaces after certain
-header fields, it may be possible to cause a buffer overflow.
-
---
-Affected Systems:
-Exim prior to version 4.34
-
---
-Attack Scenarios:
-An attacker can create and send mail with a malformed header,
-possibly causing a buffer overflow and permitting the execution of arbitrary code.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
-Bugtraq:
-http://www.securityfocus.com/bid/10291
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0400
-
-Other:
-http://www.guninski.com/exim1.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2593.txt snort-2.9.2/doc/signatures/2593.txt
--- snort-2.8.5.2/doc/signatures/2593.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2593.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
-
---
-Sid:
-2593
-
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow
-associated with the Mail Transfer Agent Exim.
-
---
-Impact:
-A successful attack may allow the execution of arbitrary code on a vulnerable
-server with the privilege of the process running Exim.
-
---
-Detailed Information:
-Exim is vulnerable to a buffer overflow, permitting an attacker to execute
-arbitrary code. The vulnerability may be exploited if Exim is configured to
-verify header syntax in the e-mail message body. This is not the default
-configuration. If an attacker supplies a large number of spaces after certain
-header fields, it may be possible to cause a buffer overflow.
-
---
-Affected Systems:
-Exim prior to version 4.34
-
---
-Attack Scenarios:
-An attacker can create and send mail with a malformed header,
-possibly causing a buffer overflow and permitting the execution of arbitrary code.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
-Bugtraq:
-http://www.securityfocus.com/bid/10291
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0400
-
-Other:
-http://www.guninski.com/exim1.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2594.txt snort-2.9.2/doc/signatures/2594.txt
--- snort-2.8.5.2/doc/signatures/2594.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2594.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
-
---
-Sid:
-2594
-
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow
-associated with the Mail Transfer Agent Exim.
-
---
-Impact:
-A successful attack may allow the execution of arbitrary code on a vulnerable
-server with the privilege of the process running Exim.
-
---
-Detailed Information:
-Exim is vulnerable to a buffer overflow, permitting an attacker to execute
-arbitrary code. The vulnerability may be exploited if Exim is configured to
-verify header syntax in the e-mail message body. This is not the default
-configuration. If an attacker supplies a large number of spaces after certain
-header fields, it may be possible to cause a buffer overflow.
-
---
-Affected Systems:
-Exim prior to version 4.34
-
---
-Attack Scenarios:
-An attacker can create and send mail with a malformed header,
-possibly causing a buffer overflow and permitting the execution of arbitrary code.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
-Bugtraq:
-http://www.securityfocus.com/bid/10291
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0400
-
-Other:
-http://www.guninski.com/exim1.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2595.txt snort-2.9.2/doc/signatures/2595.txt
--- snort-2.8.5.2/doc/signatures/2595.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2595.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
-
---
-Sid:
-2595
-
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow
-associated with the Mail Transfer Agent Exim.
-
---
-Impact:
-A successful attack may allow the execution of arbitrary code on a vulnerable
-server with the privilege of the process running Exim.
-
---
-Detailed Information:
-Exim is vulnerable to a buffer overflow, permitting an attacker to execute
-arbitrary code. The vulnerability may be exploited if Exim is configured to
-verify header syntax in the e-mail message body. This is not the default
-configuration. If an attacker supplies a large number of spaces after certain
-header fields, it may be possible to cause a buffer overflow.
-
---
-Affected Systems:
-Exim prior to version 4.34
-
---
-Attack Scenarios:
-An attacker can create and send mail with a malformed header,
-possibly causing a buffer overflow and permitting the execution of arbitrary code.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
-Bugtraq:
-http://www.securityfocus.com/bid/10291
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0400
-
-Other:
-http://www.guninski.com/exim1.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2596.txt snort-2.9.2/doc/signatures/2596.txt
--- snort-2.8.5.2/doc/signatures/2596.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2596.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
-
---
-Sid:
-2596
-
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow
-associated with the Mail Transfer Agent Exim.
-
---
-Impact:
-A successful attack may allow the execution of arbitrary code on a vulnerable
-server with the privilege of the process running Exim.
-
---
-Detailed Information:
-Exim is vulnerable to a buffer overflow, permitting an attacker to execute
-arbitrary code. The vulnerability may be exploited if Exim is configured to
-verify header syntax in the e-mail message body. This is not the default
-configuration. If an attacker supplies a large number of spaces after certain
-header fields, it may be possible to cause a buffer overflow.
-
---
-Affected Systems:
-Exim prior to version 4.34
-
---
-Attack Scenarios:
-An attacker can create and send mail with a malformed header,
-possibly causing a buffer overflow and permitting the execution of arbitrary code.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
-Bugtraq:
-http://www.securityfocus.com/bid/10291
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0400
-
-Other:
-http://www.guninski.com/exim1.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2597.txt snort-2.9.2/doc/signatures/2597.txt
--- snort-2.8.5.2/doc/signatures/2597.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2597.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2597
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overrun condition in the Samba Web Administration Tool (SWAT).
-
---
-Impact:
-Remote execution of arbitrary code.
-
---
-Detailed Information:
-A vulnerability exists in SWAT that may present an attacker with the
-opportunity to execute code of their choosing on an affected host.
-
-The problem lies in the functions that handle base64 decoding
-during HTTP basic authentication. Exploitation of this vulnerability
-may present the attacker with the opportunity to gain control of the
-affected system.
-
---
-Affected Systems:
- Versions of Samba greater than or equal to 3.0.2 and
- less than 3.0.5
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted request to the SWAT
-service that could contain harmful code to gain further access to the
-system.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0600
-
-Bugtraq:
-http://www.securityfocus.com/bid/10780
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2598.txt snort-2.9.2/doc/signatures/2598.txt
--- snort-2.8.5.2/doc/signatures/2598.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2598.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2598
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overrun condition in the Samba Web Administration Tool (SWAT).
-
---
-Impact:
-Remote execution of arbitrary code.
-
---
-Detailed Information:
-A vulnerability exists in SWAT that may present an attacker with the
-opportunity to execute code of their choosing on an affected host.
-
-The problem lies in an the functions that handle base64 decoding
-during HTTP basic authentication. Exploitation of this vulnerability
-may present the attacker with the opportunity to gain control of the
-affected system.
-
---
-Affected Systems:
- Versions of Samba greater than or equal to 3.0.2 and
- less than 3.0.5
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted request to the SWAT
-service that could contain harmful code to gain further access to the
-system.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0600
-
-Bugtraq:
-http://www.securityfocus.com/bid/10780
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2599.txt snort-2.9.2/doc/signatures/2599.txt
--- snort-2.8.5.2/doc/signatures/2599.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2599.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2599
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "add_grouped_column" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by long strings in some parameters for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to either the "sname" or
-"oname" variables to cause the overflow. The result could
-permit the attacker to gain escalated privileges and run code of their
-choosing. This attack requires an attacker to logon to the database
-with a valid username and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck633.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/259.txt snort-2.9.2/doc/signatures/259.txt
--- snort-2.8.5.2/doc/signatures/259.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/259.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-259
-
---
-Summary:
-This event is generated by an attempted buffer overflow associated with incorrect validation of DNS NXT records.
-
---
-Impact:
-Severe. The DNS server can be compromised allowing the attacker to execute arbitrary commands with the privileges of the user running BIND.
-
---
-Detailed Information:
-Improper validation of DNS NXT records may allow at attacker to perform a buffer overflow. This can allow the attacker to execute arbitrary code with the privileges of the user running BIND.
-
---
-Affected Systems:
-BIND versions 8.2 up to, but not including, 8.2.2.
-
---
-Attack Scenarios:
-An attacker can launch this exploit to gain remote access to the DNS server.
-
---
-Ease of Attack:
-Simple. Code exists to exploit the buffer overflow.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-This rule examines content based on the exploit code written by ADM. If the content is changed, the rule may not fire.
-
---
-Corrective Action:
-Upgrade to a version of BIND 8.2.2 or greater, or patch vulnerable versions of BIND.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CERT:
-http://www.cert.org/advisories/CA-1999-14.html
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0833
-
-Bugtraq:
-http://www.securityfocus.com/bid/788
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2600.txt snort-2.9.2/doc/signatures/2600.txt
--- snort-2.8.5.2/doc/signatures/2600.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2600.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2600 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "add_grouped_column" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by long strings in some parameters for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to either the "sname" or -"oname" variables to cause the overflow. The result could -permit the attacker to gain escalated privileges and run code of their -choosing. This attack requires an attacker to logon to the database -with a valid username and password combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck633.html - --- diff -Nru snort-2.8.5.2/doc/signatures/2601.txt snort-2.9.2/doc/signatures/2601.txt --- snort-2.8.5.2/doc/signatures/2601.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2601.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2601 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "drop_master_repgroup" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the "gname" variable to cause -the overflow. The result could permit the attacker to gain escalated -privileges and run code of their choosing. This attack requires an -attacker to logon to the database with a valid username and password -combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck87.html - --- diff -Nru snort-2.8.5.2/doc/signatures/2602.txt snort-2.9.2/doc/signatures/2602.txt --- snort-2.8.5.2/doc/signatures/2602.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2602.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2602 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "drop_master_repgroup" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the "gname" variable to cause -the overflow. The result could permit the attacker to gain escalated -privileges and run code of their choosing. This attack requires an -attacker to logon to the database with a valid username and password -combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck87.html - --- diff -Nru snort-2.8.5.2/doc/signatures/2603.txt snort-2.9.2/doc/signatures/2603.txt --- snort-2.8.5.2/doc/signatures/2603.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2603.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2603 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "create_mview_repgroup" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the "fname" variable to cause -the overflow. The result could permit the attacker to gain escalated -privileges and run code of their choosing. This attack requires an -attacker to logon to the database with a valid username and password -combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck633.html - --- diff -Nru snort-2.8.5.2/doc/signatures/2604.txt snort-2.9.2/doc/signatures/2604.txt --- snort-2.8.5.2/doc/signatures/2604.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2604.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2604 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "create_mview_repgroup" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the "fname" variable to cause -the overflow. The result could permit the attacker to gain escalated -privileges and run code of their choosing. This attack requires an -attacker to logon to the database with a valid username and password -combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck633.html - --- diff -Nru snort-2.8.5.2/doc/signatures/2605.txt snort-2.9.2/doc/signatures/2605.txt --- snort-2.8.5.2/doc/signatures/2605.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2605.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2605 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "compare_old_value" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by long strings in some parameters for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to either the "sname" or -"oname" variables to cause the overflow. The result could -permit the attacker to gain escalated privileges and run code of their -choosing. This attack requires an attacker to logon to the database -with a valid username and password combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck91.html - --- diff -Nru snort-2.8.5.2/doc/signatures/2606.txt snort-2.9.2/doc/signatures/2606.txt --- snort-2.8.5.2/doc/signatures/2606.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2606.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2606 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "comment_on_repobject" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the "type" variable to cause -the overflow. The result could permit the attacker to gain escalated -privileges and run code of their choosing. This attack requires an -attacker to logon to the database with a valid username and password -combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck634.html - --- diff -Nru snort-2.8.5.2/doc/signatures/2607.txt snort-2.9.2/doc/signatures/2607.txt --- snort-2.8.5.2/doc/signatures/2607.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2607.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2607 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "comment_on_repobject" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the "type" variable to cause -the overflow. The result could permit the attacker to gain escalated -privileges and run code of their choosing. This attack requires an -attacker to logon to the database with a valid username and password -combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck634.html - --- diff -Nru snort-2.8.5.2/doc/signatures/2608.txt snort-2.9.2/doc/signatures/2608.txt --- snort-2.8.5.2/doc/signatures/2608.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2608.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2608 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in useful -tasks. The "check_ddl_text" procedure contains a programming error -that may allow an attacker to execute a buffer overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the second variable to cause -the overflow. The result could permit the attacker to gain escalated -privileges and run code of their choosing. This attack requires an -attacker to logon to the database with a valid username and password -combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck97.html - --- diff -Nru snort-2.8.5.2/doc/signatures/2609.txt snort-2.9.2/doc/signatures/2609.txt --- snort-2.8.5.2/doc/signatures/2609.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2609.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2609 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "cancel_statistics" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by long strings in some parameters for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to either the "sname" or -"oname" variables to cause the overflow. The result could -permit the attacker to gain escalated privileges and run code of their -choosing. This attack requires an attacker to logon to the database -with a valid username and password combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck633.html - --- diff -Nru snort-2.8.5.2/doc/signatures/260.txt snort-2.9.2/doc/signatures/260.txt --- snort-2.8.5.2/doc/signatures/260.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/260.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,56 +0,0 @@ -Rule: - --- -Sid: -261 - --- -Summary: -This event is generated by an attempted buffer overflow associated with improperly formatted DNS inverse queries. - --- -Impact: -Severe. The DNS server can be compromised allowing the attacker access at the privilege level at which BIND runs. - --- -Detailed Information: -Certain versions of BIND do no perform correct bounds checking when responding to an inverse query. A maliciously formatted inverse query can cause the DNS server to crash and allow remote access with the privileges of the user running BIND. Inverse queries are disabled by default; this attack can affect DNS servers that have been configured to enable them. - --- -Affected Systems: -BIND 4.9 releases prior to 4.9.7 and BIND 8 releases prior to 8.1.2. - --- -Attack Scenarios: -An attacker can launch this exploit to gain remote access to the DNS server. - --- -Ease of Attack: -Simple. Code exists to exploit the buffer overflow. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Upgrade to a version of BIND that is not vulnerable to this attack. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Judy Novak - --- -Additional References: - -CERT: -http://www.cert.org/advisories/CA-1998-05.html - - --- diff -Nru snort-2.8.5.2/doc/signatures/2610.txt snort-2.9.2/doc/signatures/2610.txt --- snort-2.8.5.2/doc/signatures/2610.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2610.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2610 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "cancel_statistics" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by long strings in some parameters for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to either the "sname" or -"oname" variables to cause the overflow. The result could -permit the attacker to gain escalated privileges and run code of their -choosing. This attack requires an attacker to logon to the database -with a valid username and password combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck633.html - --- diff -Nru snort-2.8.5.2/doc/signatures/2611.txt snort-2.9.2/doc/signatures/2611.txt --- snort-2.8.5.2/doc/signatures/2611.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2611.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,75 +0,0 @@ -Rule: - --- -Sid: -2611 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: - -An attacker can create a database link and supply it an overly -long string to the "USING" parameter of the "CREATE DATABASE LINK" -command. This long value is stored for later use. When subsequently -accessed via the link, a buffer overflow can occur. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i and earlier - --- -Attack Scenarios: -An attacker can create a database link and supply it an overly long -"USING" value. The result could permit the attacker to gain escalated -privileges and run code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0222 - -Bugtraq -http://www.securityfocus.com/bid/7453 - -Other: -http://archives.neohapsis.com/archives/bugtraq/2003-04/0360.html - --- diff -Nru snort-2.8.5.2/doc/signatures/2612.txt snort-2.9.2/doc/signatures/2612.txt --- snort-2.8.5.2/doc/signatures/2612.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2612.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2612 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "revoke_surrogate_repcate" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the "userid" variable to cause -the overflow. The result could permit the attacker to gain escalated -privileges and run code of their choosing. This attack requires an -attacker to logon to the database with a valid username and password -combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck97.html - --- diff -Nru snort-2.8.5.2/doc/signatures/2613.txt snort-2.9.2/doc/signatures/2613.txt --- snort-2.8.5.2/doc/signatures/2613.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2613.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2613 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "revoke_surrogate_repcate" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the "userid" variable to cause -the overflow. The result could permit the attacker to gain escalated -privileges and run code of their choosing. This attack requires an -attacker to logon to the database with a valid username and password -combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck97.html - --- diff -Nru snort-2.8.5.2/doc/signatures/2614.txt snort-2.9.2/doc/signatures/2614.txt --- snort-2.8.5.2/doc/signatures/2614.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2614.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: -2614 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases allow a user to set a time zone for the session. -The "alter session set time_zone" command contains a programming -error that may allow an attacker to execute a buffer overflow attack. - -This overflow is triggered by a long string in the parameter for the -command. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string as the value for this command. -The result could permit the attacker to gain escalated privileges and -run code of their choosing. This attack requires an attacker to logon -to the database with a valid username and password combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Bugtraq -http://www.securityfocus.com/bid/9587 - -Other: -http://www.nextgenss.com/advisories/ora_time_zone.txt - --- diff -Nru snort-2.8.5.2/doc/signatures/2615.txt snort-2.9.2/doc/signatures/2615.txt --- snort-2.8.5.2/doc/signatures/2615.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2615.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2615 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "grant_surrogate_repcate" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the "userid" variable to cause -the overflow. The result could permit the attacker to gain escalated -privileges and run code of their choosing. This attack requires an -attacker to logon to the database with a valid username and password -combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck97.html - --- diff -Nru snort-2.8.5.2/doc/signatures/2616.txt snort-2.9.2/doc/signatures/2616.txt --- snort-2.8.5.2/doc/signatures/2616.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2616.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2616 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "grant_surrogate_repcate" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the "userid" variable to cause -the overflow. The result could permit the attacker to gain escalated -privileges and run code of their choosing. This attack requires an -attacker to logon to the database with a valid username and password -combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck97.html - --- diff -Nru snort-2.8.5.2/doc/signatures/2617.txt snort-2.9.2/doc/signatures/2617.txt --- snort-2.8.5.2/doc/signatures/2617.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2617.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2617
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "alter_mview_propagation" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "gname" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck632.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2618.txt snort-2.9.2/doc/signatures/2618.txt
--- snort-2.8.5.2/doc/signatures/2618.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2618.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2618
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "alter_mview_propagation" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "gname" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck632.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2619.txt snort-2.9.2/doc/signatures/2619.txt
--- snort-2.8.5.2/doc/signatures/2619.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2619.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2619
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "alter_master_repobject" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "type" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck634.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/261.txt snort-2.9.2/doc/signatures/261.txt
--- snort-2.8.5.2/doc/signatures/261.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/261.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-260
-
---
-Summary:
-This event is generated by an attempted buffer overflow associated with incorrect validation of NXT records.
-
---
-Impact:
-Severe. The DNS server can be compromised allowing the attacker access with the privileges of the user running BIND. This attack is sometimes referred to as ADMROCKS because a subdirectory named ADMROCKS is placed in the directory associated with BIND software.
-
---
-Detailed Information:
-Improper validation of DNS NXT records may allow an attacker to perform a buffer overflow. This can allow execution of arbitrary code with the privileges of the user running BIND.
-
---
-Affected Systems:
-BIND versions 8.2 up to, but not including, 8.2.2.
-
---
-Attack Scenarios:
-An attacker can launch this exploit to gain remote access to the DNS server.
-
---
-Ease of Attack:
-Simple. Code exists to exploit the buffer overflow.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to a version of BIND 8.2.2, or greater or patch vulnerable versions of BIND.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CERT:
-http://www.cert.org/advisories/CA-1999-14.html
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0833
-
-Bugtraq:
-http://www.securityfocus.com/bid/788
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2620.txt snort-2.9.2/doc/signatures/2620.txt
--- snort-2.8.5.2/doc/signatures/2620.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2620.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2620
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "alter_master_repobject" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "type" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck634.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2621.txt snort-2.9.2/doc/signatures/2621.txt
--- snort-2.8.5.2/doc/signatures/2621.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2621.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-2621
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in useful
-tasks. The "register_flavor_change" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the second variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck97.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2622.txt snort-2.9.2/doc/signatures/2622.txt
--- snort-2.8.5.2/doc/signatures/2622.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2622.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-2622
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in useful
-tasks. The "drop_an_object" procedure contains a programming error
-that may allow an attacker to execute a buffer overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the third variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck97.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2623.txt snort-2.9.2/doc/signatures/2623.txt
--- snort-2.8.5.2/doc/signatures/2623.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2623.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-2623
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in useful
-tasks. The "create_snapshot_repgroup" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the first variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck97.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2624.txt snort-2.9.2/doc/signatures/2624.txt
--- snort-2.8.5.2/doc/signatures/2624.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2624.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2624
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "unregister_user_repgroup" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "privilege_type" variable
-to cause the overflow. The result could permit the attacker to gain
-escalated privileges and run code of their choosing. This attack
-requires an attacker to logon to the database with a valid username
-and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck94.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2625.txt snort-2.9.2/doc/signatures/2625.txt
--- snort-2.8.5.2/doc/signatures/2625.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2625.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2625
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "unregister_user_repgroup" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "privilege_type" variable
-to cause the overflow. The result could permit the attacker to gain
-escalated privileges and run code of their choosing. This attack
-requires an attacker to logon to the database with a valid username
-and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck94.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2626.txt snort-2.9.2/doc/signatures/2626.txt
--- snort-2.8.5.2/doc/signatures/2626.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2626.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2626
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "send_old_value" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by long strings in some parameters for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to either the "sname" or
-"oname" variables to cause the overflow. The result could
-permit the attacker to gain escalated privileges and run code of their
-choosing. This attack requires an attacker to logon to the database
-with a valid username and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck91.html
-Action:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2627.txt snort-2.9.2/doc/signatures/2627.txt
--- snort-2.8.5.2/doc/signatures/2627.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2627.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2627
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "repcat_import_check" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in some parameters for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "gowner" or "gname"
-variable to cause the overflow. The result could permit the
-attacker to gain escalated privileges and run code of their
-choosing. This attack requires an attacker to logon to the
-database with a valid username and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck90.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2628.txt snort-2.9.2/doc/signatures/2628.txt
--- snort-2.8.5.2/doc/signatures/2628.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2628.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2628
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "repcat_import_check" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in some parameters for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "gowner" or "gname"
-variable to cause the overflow. The result could permit the
-attacker to gain escalated privileges and run code of their
-choosing. This attack requires an attacker to logon to the
-database with a valid username and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck90.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2629.txt snort-2.9.2/doc/signatures/2629.txt
--- snort-2.8.5.2/doc/signatures/2629.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2629.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2629
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "register_user_repgroup" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "privilege_type" variable
-to cause the overflow. The result could permit the attacker to gain
-escalated privileges and run code of their choosing. This attack
-requires an attacker to logon to the database with a valid username
-and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck94.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/262.txt snort-2.9.2/doc/signatures/262.txt
--- snort-2.8.5.2/doc/signatures/262.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/262.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-262
-
---
-Summary:
-This event is generated when spurious DNS traffic is detected on the network.
-
---
-Impact:
-Ranges from harmless to severe. A successful corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile host).
-
---
-Detailed Information:
-This event indicates that abnormal DNS traffic has been detected. The implications are varied and careful investigation of the source and destination should be undertaken.
-
-This may be the result of an improperly configured DNS server or it may be an indication that an attack against the DNS server is underway.
-
---
-Affected Systems:
-Any DNS server.
-
---
-Attack Scenarios:
-An attacker can spoof a DNS response to misrepresent an IP to host/name pairing. The forged host name can direct a user to a potentially hostile host.
-
---
-Ease of Attack:
-Simple to Difficult depending on the DNS implementation.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Consider using DNSSEC where appropriate.
-
-Keep all DNS software up to date and correctly configured.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2630.txt snort-2.9.2/doc/signatures/2630.txt
--- snort-2.8.5.2/doc/signatures/2630.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2630.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2630
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "register_user_repgroup" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "privilege_type" variable
-to cause the overflow. The result could permit the attacker to gain
-escalated privileges and run code of their choosing. This attack
-requires an attacker to logon to the database with a valid username
-and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck94.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2631.txt snort-2.9.2/doc/signatures/2631.txt
--- snort-2.8.5.2/doc/signatures/2631.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2631.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2631
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "refresh_mview_repgroup" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "gowner" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck90.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2632.txt snort-2.9.2/doc/signatures/2632.txt
--- snort-2.8.5.2/doc/signatures/2632.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2632.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2632
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "refresh_mview_repgroup" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "gowner" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck90.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2633.txt snort-2.9.2/doc/signatures/2633.txt
--- snort-2.8.5.2/doc/signatures/2633.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2633.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-2633
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in useful
-tasks. The "rectifier_diff.differences" and "rectifier_diff.rectify"
-procedures are used to find and resolve inconsistencies between
-two replicated sites. These procedures contain a programming error
-that may allow an attacker to execute a buffer overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "sname1" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck97.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2634.txt snort-2.9.2/doc/signatures/2634.txt
--- snort-2.8.5.2/doc/signatures/2634.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2634.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-2634
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in useful
-tasks. The "rectifier_diff.differences" and "rectifier_diff.rectify"
-procedures are used to find and resolve inconsistencies between
-two replicated sites. These procedures contain a programming error
-that may allow an attacker to execute a buffer overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "sname1" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck97.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2635.txt snort-2.9.2/doc/signatures/2635.txt
--- snort-2.8.5.2/doc/signatures/2635.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2635.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-2635
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in many
-useful tasks. The "offline_snapshot.begin_load" procedure is used for
-offline instantiation of snapshots. This procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "gname" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck632.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2636.txt snort-2.9.2/doc/signatures/2636.txt
--- snort-2.8.5.2/doc/signatures/2636.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2636.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-2636
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in many
-useful tasks. The "offline_snapshot.begin_load" procedure is used for
-offline instantiation of snapshots. This procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "gname" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck632.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2637.txt snort-2.9.2/doc/signatures/2637.txt
--- snort-2.8.5.2/doc/signatures/2637.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2637.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-2637
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "drop_master_repobject" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "gname" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck630.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2638.txt snort-2.9.2/doc/signatures/2638.txt
--- snort-2.8.5.2/doc/signatures/2638.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2638.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-2638
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "drop_master_repobject" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "gname" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck630.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2639.txt snort-2.9.2/doc/signatures/2639.txt
--- snort-2.8.5.2/doc/signatures/2639.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2639.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2639
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "drop_mview_repgroup" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "gowner" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck90.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2640.txt snort-2.9.2/doc/signatures/2640.txt
--- snort-2.8.5.2/doc/signatures/2640.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2640.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2640
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "drop_mview_repgroup" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "gowner" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck90.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2641.txt snort-2.9.2/doc/signatures/2641.txt
--- snort-2.8.5.2/doc/signatures/2641.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2641.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2641
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "drop_site_instantiate" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "refresh_template_name"
-variable to cause the overflow. The result could permit the attacker
-to gain escalated privileges and run code of their choosing. This
-attack requires an attacker to logon to the database with a valid
-username and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck629.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2642.txt snort-2.9.2/doc/signatures/2642.txt
--- snort-2.8.5.2/doc/signatures/2642.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2642.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2642
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "drop_site_instantiate" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "refresh_template_name"
-variable to cause the overflow. The result could permit the attacker
-to gain escalated privileges and run code of their choosing. This
-attack requires an attacker to logon to the database with a valid
-username and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck629.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2643.txt snort-2.9.2/doc/signatures/2643.txt
--- snort-2.8.5.2/doc/signatures/2643.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2643.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2643
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "ensure_not_published" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "fname" variable to
-cause the overflow. The result could permit the attacker to gain
-escalated privileges and run code of their choosing. This attack
-requires an attacker to logon to the database with a valid
-username and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck96.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2644.txt snort-2.9.2/doc/signatures/2644.txt
--- snort-2.8.5.2/doc/signatures/2644.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2644.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-2644
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases have a built-in function "from_tz" that is used to
-convert the format of a timestamp. This function contains a programming
-error that may allow an attacker to execute a buffer overflow attack.
-
-This overflow is triggered by a long string in the second parameter
-of the function.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string as the value for this command.
-The result could permit the attacker to gain escalated privileges and
-run code of their choosing. This attack requires an attacker to logon
-to the database with a valid username and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.nextgenss.com/advisories/ora_from_tz.txt
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2645.txt snort-2.9.2/doc/signatures/2645.txt
--- snort-2.8.5.2/doc/signatures/2645.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2645.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2645
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "instantiate_offline" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "refresh_template_name"
-variable to cause the overflow. The result could permit the attacker
-to gain escalated privileges and run code of their choosing. This
-attack requires an attacker to logon to the database with a valid
-username and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck630.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2646.txt snort-2.9.2/doc/signatures/2646.txt
--- snort-2.8.5.2/doc/signatures/2646.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2646.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2646
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "instantiate_offline" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "refresh_template_name"
-variable to cause the overflow. The result could permit the attacker
-to gain escalated privileges and run code of their choosing. This
-attack requires an attacker to logon to the database with a valid
-username and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck630.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2647.txt snort-2.9.2/doc/signatures/2647.txt
--- snort-2.8.5.2/doc/signatures/2647.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2647.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2647
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "instantiate_online" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "refresh_template_name"
-variable to cause the overflow. The result could permit the attacker
-to gain escalated privileges and run code of their choosing. This
-attack requires an attacker to logon to the database with a valid
-username and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck631.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2648.txt snort-2.9.2/doc/signatures/2648.txt
--- snort-2.8.5.2/doc/signatures/2648.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2648.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2648
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "instantiate_online" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "refresh_template_name"
-variable to cause the overflow. The result could permit the attacker
-to gain escalated privileges and run code of their choosing. This
-attack requires an attacker to logon to the database with a valid
-username and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck631.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2649.txt snort-2.9.2/doc/signatures/2649.txt
--- snort-2.8.5.2/doc/signatures/2649.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2649.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2649
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-
-An attacker can attempt to connect to a database using an overly
-long service_name value. This can cause a buffer overflow, allowing
-an attacker to execute arbitrary code.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle7, Oracle8, Oracle8i, and Oracle9i
-
---
-Attack Scenarios:
-An attacker can attempt to connect to a database supplying the
-service_name an overly long value. The result could permit the
-attacker to gain escalated privileges and run code of their
-choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck52.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/264.txt snort-2.9.2/doc/signatures/264.txt
--- snort-2.8.5.2/doc/signatures/264.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/264.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-264
-
---
-Summary:
-This event is generated when spurious DNS traffic is detected on the network.
-
---
-Impact:
-Ranges from harmless to severe. A successful corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile host).
-
---
-Detailed Information:
-This event indicates that abnormal DNS traffic has been detected. The implications are varied and careful investigation of the source and destination should be undertaken.
-
-This may be the result of an improperly configured DNS server or it may be an indication that an attack against the DNS server is underway.
-
---
-Affected Systems:
-Any DNS server.
-
---
-Attack Scenarios:
-An attacker can spoof a DNS response to misrepresent an IP to host/name pairing. The forged host name can direct a user to a potentially hostile host.
-
---
-Ease of Attack:
-Simple to Difficult depending on the DNS implementation.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Consider using DNSSEC where appropriate.
-
-Keep all DNS software up to date and correctly configured.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2650.txt snort-2.9.2/doc/signatures/2650.txt
--- snort-2.8.5.2/doc/signatures/2650.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2650.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2650
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-
-An attacker can attempt to connect to a database using an overly
-long user name value. This can cause a buffer overflow, allowing
-an attacker to execute arbitrary code.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle8, Oracle8i, and Oracle9i
-
---
-Attack Scenarios:
-An attacker can attempt to connect to a database supplying the
-user an overly long value. The result could permit the
-attacker to gain escalated privileges and run code of their
-choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck62.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2651.txt snort-2.9.2/doc/signatures/2651.txt
--- snort-2.8.5.2/doc/signatures/2651.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2651.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,78 +0,0 @@
-Rule:
-
---
-Sid:
-2651
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases have a built-in functions NUMTOYMINTERVAL and
-NUMTODSINTERVAL that are used to convert a number to an interval
-year to month or interval day to second literal.
-
-These functions contain a programming error that may allow an
-attacker to execute a buffer overflow attack.
-
-This overflow is triggered by a long string in the second parameter
-of the function.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string as a value for this command.
-The result could permit the attacker to gain escalated privileges and
-run code of their choosing. This attack requires an attacker to logon
-to the database with a valid username and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/9587
-
-Other:
-http://www.nextgenss.com/advisories/ora_numtodsinterval.txt
-http://www.nextgenss.com/advisories/ora_numtoyminterval.txt
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2652.txt snort-2.9.2/doc/signatures/2652.txt
--- snort-2.8.5.2/doc/signatures/2652.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2652.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-2652
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in many
-useful tasks. The "offline_og.begin_load" procedure is used for
-offline instantiation of master groups. This procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "gname" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck632.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2653.txt snort-2.9.2/doc/signatures/2653.txt
--- snort-2.8.5.2/doc/signatures/2653.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2653.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-2653
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in many
-useful tasks. The "offline_og.begin_load" procedure is used for
-offline instantiation of master groups. This procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "gname" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck632.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2654.txt snort-2.9.2/doc/signatures/2654.txt
--- snort-2.8.5.2/doc/signatures/2654.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2654.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-2654
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the web application PHPNuke.
-
---
-Impact:
-SQL Injection is possible leading to a complete compromise of the data
-in the application database.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHPNuke web application running on a server.
-
-Insufficient checks are made on user input supplied to the script
-"viewtopic.php", exploitation of this issue could present an attacker
-with the opportunity to inject SQL code of their choosing into a
-vulnerable system.
-
---
-Affected Systems:
- PHPNuke 6.0
- PHPNuke 6.5 RC2
-
---
-Attack Scenarios:
-An attacker can supply code of their choice by including it in the
-URI that calls on viewtopic.php.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Consider reviewing the database permissions for the application.
-
---
-Contributors:
-Sourcefire Research Team
-Ricky MacAtee
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2655.txt snort-2.9.2/doc/signatures/2655.txt
--- snort-2.8.5.2/doc/signatures/2655.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2655.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-2655
-
---
-Summary:
-This event is generated when an attempt is made to exploit a vulnerability
-associated with an HP WebJetAdmin web server.
-
---
-Impact:
-A successful attack may allow the execution of arbitrary code as root on UNIX
-and SYSTEM on Windows on a vulnerable server.
-
---
-Detailed Information:
-The HP Web JetAdmin application allows users to manage HP JetDirect-connected
-printers within their intranet using a browser. The httpd core supports an
-exported function called ExecuteFile. A vulnerability exists that allows the
-uploading and execution of unauthorized files by posting a malicious http
-request with the script /plugins/framework/script/content.hts in conjunction
-with ExecuteFile function to the web server. Discovery of the vulnerability is
-credited to FX of Phenoelit.
-
---
-Affected Systems:
- HP Web JetAdmin 6.5.
-
---
-Attack Scenarios:
-An attacker can create upload and execute a malicious file on a vulnerable server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-The default HP Web JetAdmin port is 8000. If an administrator selects a
-different port on which to run the web server, no event will be
-generated. In that case, the rule should be altered to reflect the
-port on which the web server runs.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Thomas Alex
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Phenoelit:
-http://www.phenoelit.de/stuff/HP_Web_Jetadmin_advisory.txt>
-
-Hewlett-Packard:
-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=PSD_HPSBPI01026
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2656.txt snort-2.9.2/doc/signatures/2656.txt
--- snort-2.8.5.2/doc/signatures/2656.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2656.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-2656
-
---
-Summary:
-This event is generated when an attempt is made to exploit a vulnerability
-associated with Netscape Network Security Services (NSS) message parsing.
-
---
-Impact:
-A successful attack can cause a heap overflow and the subsequent execution
-of arbitrary code on a vulnerable server.
-
---
-Detailed Information:
-A vulnerability exists in the way NSS parses a client connect SSLv2 message
-that can cause a heap overflow and the subsequent execution of arbitrary code
-on a vulnerable server. This can occur when an overly long challenge length
-and accompanying data are supplied in a Client Hello message.
-
---
-Affected Systems:
-Netscape Enterprise Webserver all versions
-Netscape Personalization Engine all versions
-Nescape Directory Server all versions
-Netscape Certificate Management Server all versions
-Sun One/iPlanet all versions
-
---
-Attack Scenarios:
-An attacker can send a Client Hello message with an overly long challenge
-length and data, causing a heap overflow on a vulnerable server.
-
---
-Ease of Attack:
-Difficult.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Judy Novak
-Brian Caswell
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2657.txt snort-2.9.2/doc/signatures/2657.txt
--- snort-2.8.5.2/doc/signatures/2657.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2657.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2657
-
---
-Summary:
-This event is generated when an attempt is made to exploit a vulnerability
-associated with Netscape Network Security Services (NSS) message parsing.
-
---
-Impact:
-A successful attack can cause a heap overflow and the subsequent execution
-of arbitrary code on a vulnerable server.
-
---
-Detailed Information:
-A vulnerability exists in the way NSS parses a client connect SSLv2 message
-that can cause a heap overflow and the subsequent execution of arbitrary code
-on a vulnerable server. This can occur when an overly long challenge length
-and accompanying data are supplied in a Client Hello message.
-
---
-Affected Systems:
-Netscape Enterprise Webserver all versions
-Netscape Personalization Engine all versions
-Nescape Directory Server all versions
-Netscape Certificate Management Server all versions
-Sun One/iPlanet all versions
-
---
-Attack Scenarios:
-An attacker can send a Client Hello message with an overly long challenge
-length and data, causing a heap overflow on a vulnerable server.
-
---
-Ease of Attack:
-Difficult.
-
---
-False Positives:
-None known.
-
---
-False Negatives:None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Judy Novak
-Brian Caswell
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2658.txt snort-2.9.2/doc/signatures/2658.txt
--- snort-2.8.5.2/doc/signatures/2658.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2658.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,54 +0,0 @@
-Rule:
-
---
-Sid:
-2658
-
---
-Summary:
-This rule is intended to increase the accuracy of rules designed to
-generate events based on attempts to exploit implementations of Secure
-Socket Layer (SSL) version 2.
-
---
-Impact:
-None. This is a protocol decode rule that does not generate events.
-
---
-Detailed Information:
-This is a protocol decode rule that does not generate events.
-
---
-Affected Systems:
-NA
-
---
-Attack Scenarios:
-NA
-
---
-Ease of Attack:
-NA
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-NA
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2659.txt snort-2.9.2/doc/signatures/2659.txt
--- snort-2.8.5.2/doc/signatures/2659.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2659.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,54 +0,0 @@
-Rule:
-
---
-Sid:
-2659
-
---
-Summary:
-This rule is intended to increase the accuracy of rules designed to
-generate events based on attempts to exploit implementations of Secure
-Socket Layer (SSL) version 2.
-
---
-Impact:
-None. This is a protocol decode rule that does not generate events.
-
---
-Detailed Information:
-This is a protocol decode rule that does not generate events.
-
---
-Affected Systems:
-NA
-
---
-Attack Scenarios:
-NA
-
---
-Ease of Attack:
-NA
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-NA
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/265.txt snort-2.9.2/doc/signatures/265.txt
--- snort-2.8.5.2/doc/signatures/265.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/265.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-265
-
---
-Summary:
-This event is generated when spurious DNS traffic is detected on the network.
-
---
-Impact:
-Ranges from harmless to severe. A successful corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile host).
-
---
-Detailed Information:
-This event indicates that abnormal DNS traffic has been detected. The implications are varied and careful investigation of the source and destination should be undertaken.
-
-This may be the result of an improperly configured DNS server or it may be an indication that an attack against the DNS server is underway.
-
---
-Affected Systems:
-Any DNS server.
-
---
-Attack Scenarios:
-An attacker can spoof a DNS response to misrepresent an IP to host/name pairing. The forged host name can direct a user to a potentially hostile host.
-
---
-Ease of Attack:
-Simple to Difficult depending on the DNS implementation.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Consider using DNSSEC where appropriate.
-
-Keep all DNS software up to date and correctly configured.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2660.txt snort-2.9.2/doc/signatures/2660.txt
--- snort-2.8.5.2/doc/signatures/2660.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2660.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,54 +0,0 @@
-Rule:
-
---
-Sid:
-2660
-
---
-Summary:
-This rule is intended to increase the accuracy of rules designed to
-generate events based on attempts to exploit implementations of Secure
-Socket Layer (SSL) version 2.
-
---
-Impact:
-None. This is a protocol decode rule that does not generate events.
-
---
-Detailed Information:
-This is a protocol decode rule that does not generate events.
-
---
-Affected Systems:
-NA
-
---
-Attack Scenarios:
-NA
-
---
-Ease of Attack:
-NA
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-NA
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2661.txt snort-2.9.2/doc/signatures/2661.txt
--- snort-2.8.5.2/doc/signatures/2661.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2661.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,54 +0,0 @@
-Rule:
-
---
-Sid:
-2661
-
---
-Summary:
-This rule is intended to increase the accuracy of rules designed to
-generate events based on attempts to exploit implementations of Secure
-Socket Layer (SSL) version 2.
-
---
-Impact:
-None. This is a protocol decode rule that does not generate events.
-
---
-Detailed Information:
-This is a protocol decode rule that does not generate events.
-
---
-Affected Systems:
-NA
-
---
-Attack Scenarios:
-NA
-
---
-Ease of Attack:
-NA
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-NA
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2662.txt snort-2.9.2/doc/signatures/2662.txt
--- snort-2.8.5.2/doc/signatures/2662.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2662.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,54 +0,0 @@
-Rule:
-
---
-Sid:
-2662
-
---
-Summary:
-This rule is intended to increase the accuracy of rules designed to
-generate events based on attempts to exploit implementations of Secure
-Socket Layer (SSL) version 2.
-
---
-Impact:
-None. This is a protocol decode rule that does not generate events.
-
---
-Detailed Information:
-This is a protocol decode rule that does not generate events.
-
---
-Affected Systems:
-NA
-
---
-Attack Scenarios:
-NA
-
---
-Ease of Attack:
-NA
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-NA
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2663.txt snort-2.9.2/doc/signatures/2663.txt
--- snort-2.8.5.2/doc/signatures/2663.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2663.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-2663
-
---
-Summary:
-This event is generated when an attempt is made to exploit a vulnerability
-associated with the web server of WhatsUp Gold.
-
---
-Impact:
-A successful attack can cause a denial of service or a buffer overflow and
-the subsequent execution of arbitrary code on a vulnerable server.
-
---
-Detailed Information:
-WhatsUp Gold is a Windows application that can be used to monitor the status
-of a network and the availability and performance of servers. A vulnerability
-exists in the web server component of WhatsUp Gold that can cause a denial of
-service or buffer overflow and the subsequent execution of arbitrary code on a
-vulnerable server. This can occur when an overly long value is passed to the
-parameter "instancename" when invoking the _maincfgret CGI. It should be noted
-that the web server is not enabled by default in WhatsUp Gold.
-
---
-Affected Systems:
-WhatsUp Gold 8.x.
-
---
-Attack Scenarios:
-An attacker can connect to a web-enabled WhatsUp Gold server and send
-an overly long value to the "instancename" when calling _maincfgret,
-possibly causing a denial of service or buffer overflow.
-
---
-Ease of Attack:
-Denial of service - simple, buffer overflow - harder.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Brian Caswell
-
---
-Additional References
-
-Other:
-http://www.idefense.com/application/poi/display?id=133&type=vulnerabilities
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2664.txt snort-2.9.2/doc/signatures/2664.txt
--- snort-2.8.5.2/doc/signatures/2664.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2664.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2664
-
---
-Summary:
-This event is generated when a remote attacker attempts to exploit a
-format string vulnerability against an IMAP server.
-
---
-Impact:
-Serious. A successful format string attack could result in the
-execution of arbitrary code with the same privileges as the user running
-the IMAP daemon.
-
---
-Detailed Information:
-Some versions of the Courier IMAP daemon are vulnerable to format string
-exploits prior to and during authentication to the IMAP server. A
-successful exploit attempt could result in the remote attacker gaining
-unauthorized root access to a vulnerable system.
-
---
-Affected Systems:
- Courier IMAP server versions 1.6 though 3.0.2
-
---
-Attack Scenarios:
-A remote attacker could use a publicly available script to exploit the
-vulnerability an gain control of the target host.
-
---
-
-Ease of Attack:
-Simple. Exploit code is available.
-
---
-False Positives:
-This rule may generate an event if the password for a valid user contains
-the character "%".
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2665.txt snort-2.9.2/doc/signatures/2665.txt
--- snort-2.8.5.2/doc/signatures/2665.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2665.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2665
-
---
-Summary:
-This event is generated when a remote attacker attempts to exploit a
-format string vulnerability against an IMAP server.
-
---
-Impact:
-Serious. A successful format string attack could result in the
-execution of arbitrary code with the same privileges as the user running
-the IMAP daemon.
-
---
-Detailed Information:
-Some versions of the Courier IMAP daemon are vulnerable to format string
-exploits prior to and during authentication to the IMAP server. A
-successful exploit attempt could result in the remote attacker gaining
-unauthorized root access to a vulnerable system.
-
---
-Affected Systems:
- Courier IMAP server versions 1.6 though 3.0.2
-
---
-Attack Scenarios:
-A remote attacker could use a publicly available script to exploit the
-vulnerability an gain control of the target host.
-
---
-
-Ease of Attack:
-Simple. Exploit code is available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2666.txt snort-2.9.2/doc/signatures/2666.txt
--- snort-2.8.5.2/doc/signatures/2666.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2666.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2664
-
---
-Summary:
-This event is generated when a remote attacker attempts to exploit a
-format string vulnerability against a POP server.
-
---
-Impact:
-Serious. A successful format string attack could result in the
-execution of arbitrary code with the same privileges as the user running
-the POP daemon.
-
---
-Detailed Information:
-Some versions of the Courier POP daemon are vulnerable to format string
-exploits prior to and during authentication to the POP server. A
-successful exploit attempt could result in the remote attacker gaining
-unauthorized root access to a vulnerable system.
-
---
-Affected Systems:
- Courier IMAP/POP server versions 1.6 though 3.0.2
-
---
-Attack Scenarios:
-A remote attacker could use a publicly available script to exploit the
-vulnerability an gain control of the target host.
-
---
-
-Ease of Attack:
-Simple. Exploit code is available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2667.txt snort-2.9.2/doc/signatures/2667.txt
--- snort-2.8.5.2/doc/signatures/2667.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2667.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-2667
-
---
-Summary:
-This event is generated when an attempt is made to access the file
-ping.asp.
-
---
-Impact:
-Possible Denial of Service (DoS)
-
---
-Detailed Information:
-The script ping.asp allows a user to use the system ping command to send
-ICMP echo request messages to a third party from the web server hosting
-the script.
-
-This script does not properly sanitize user input and may be used as a
-tool in a DoS attack against that third party server.
-
---
-Affected Systems:
- All systems
-
---
-Attack Scenarios:
-An attacker can supply the address of a target host and pass parameters
-to the ping command via the web interface to cause a possible exhaustion
-of resources on a target host to cause the DoS condition.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Uninstall the script ping.asp
-
-Only allow usage from authenticated users
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
-SecurityFocus mailing list:
-http://online.securityfocus.com/archive/82/275088
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2668.txt snort-2.9.2/doc/signatures/2668.txt
--- snort-2.8.5.2/doc/signatures/2668.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2668.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-2668
-
---
-Summary:
-This event is generated when an attempt is made to access the file
-processit.pl.
-
---
-Impact:
-Information Disclosure.
-
---
-Detailed Information:
-The script processit.pl returns envirnoment variables used by the server
-hosting the application. This can divulge information valuable to an
-attacker that can be used in further attacks against the host.
-
---
-Affected Systems:
- All systems using processit.pl
-
---
-Attack Scenarios:
-An attacker can retrieve environment variables by accessing the script
-processit.pl, these can be used in further attacks against the system.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Uninstall the script processit.pl
-
-Only allow usage from authenticated users
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2669.txt snort-2.9.2/doc/signatures/2669.txt
--- snort-2.8.5.2/doc/signatures/2669.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2669.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-2669
-
---
-Summary:
-This event is generated when an attempt is made to access the file
-ibillpm.pl.
-
---
-Impact:
-Possible unauthorized administrative access to the victim host.
-Information disclosure.
-
---
-Detailed Information:
-The script ibillpm.pl is used to process billing and payment via a CGI
-application over the Internet.
-
-The application suffers from a weak default password scheme that could
-be used by an attacker to take control of a user account and view
-billing details.
-
---
-Affected Systems:
- iBill Internet Billing Company Processing Plus
-
---
-Attack Scenarios:
-An attacker can supply the username and default password for a user to
-the script to gain control.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Uninstall the script ibillpm.pl
-
-Only allow usage from authenticated users
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/266.txt snort-2.9.2/doc/signatures/266.txt
--- snort-2.8.5.2/doc/signatures/266.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/266.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-266
-
---
-Summary:
-This event is generated when spurious DNS traffic is detected on the network.
-
---
-Impact:
-Ranges from harmless to severe. A successful corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile host).
-
---
-Detailed Information:
-This event indicates that abnormal DNS traffic has been detected. The implications are varied and careful investigation of the source and destination should be undertaken.
-
-This may be the result of an improperly configured DNS server or it may be an indication that an attack against the DNS server is underway.
-
---
-Affected Systems:
-Any DNS server.
-
---
-Attack Scenarios:
-An attacker can spoof a DNS response to misrepresent an IP to host/name pairing. The forged host name can direct a user to a potentially hostile host.
-
---
-Ease of Attack:
-Simple to Difficult depending on the DNS implementation.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Consider using DNSSEC where appropriate.
-
-Keep all DNS software up to date and correctly configured.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2670.txt snort-2.9.2/doc/signatures/2670.txt
--- snort-2.8.5.2/doc/signatures/2670.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2670.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@ -Rule: - --- -Sid: -2670 - --- -Summary: -This event is generated when an attempt is made to access the file -pgpmail.pl. - --- -Impact: -Possible unauthorized administrative access to the victim host. - --- -Detailed Information: -The script pgpmail.pl does not properly sanitize user supplied input. -This may allow an attacker to supply commands of their choosing to the -victim host with the privileges of the user running the web server. - --- -Affected Systems: - pgpmail prior to and including 3.6 - --- -Attack Scenarios: -An attacker can supply arbitrary commands to the pgpmail.pl script. - --- -Ease of Attack: -Simple - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Uninstall the script pgpmail.pl - -Only allow usage from authenticated users - --- -Contributors: -Sourcefire Vulnerability Research Team -Alex Kirk -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/2671.txt snort-2.9.2/doc/signatures/2671.txt --- snort-2.8.5.2/doc/signatures/2671.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2671.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -2671 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft Internet Explorer. - --- -Impact: -A successful attack can cause a buffer overflow and present the attacker -with the opportunity to execute code of their choosing on a vulnerable -system. - --- -Detailed Information: -An error in the processing of bitmap images exists in Internet Explorer -that can present an attacker with the opportunity to execute code of -their choosing on a vulnerable system. - -The error exists due to poor boundary checking in the processing of -bitmap images. - --- -Affected Systems: - Microsoft Windows using Internet Explorer - --- -Attack Scenarios: -An attacker would need to supply a malformed bitmap image either in a -web page or possibly via HTML email to a victim host. - --- -Ease of Attack: -Simple, exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - -Apply the appropriate vendor supplied patches. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft: -http://www.microsoft.com/technet/security/bulletin/ms04-025.mspx - --- diff -Nru snort-2.8.5.2/doc/signatures/2672.txt snort-2.9.2/doc/signatures/2672.txt --- snort-2.8.5.2/doc/signatures/2672.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2672.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: -2672 - --- -Summary: -This event is generated when an attempt is made to access the file -sresult.exe. - --- -Impact: -Possible cross site scripting. - --- -Detailed Information: -The executable file sresult.exe does not properly sanitize user input, -as a result it may be possible for an attacker to leverage the binary in -a cross site scripting attack. - --- -Affected Systems: - Webcam Corp Webcam Watchdog 4.0.1 a - --- -Attack Scenarios: -An attacker can leverage the sresult.exe binary in a cross site -scripting attack. - --- -Ease of Attack: -Simple - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Uninstall the script sresult.exe - -Only allow usage from authenticated users - --- -Contributors: -Sourcefire Vulnerability Research Team -Alex Kirk -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/2673.txt snort-2.9.2/doc/signatures/2673.txt --- snort-2.8.5.2/doc/signatures/2673.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2673.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,89 +0,0 @@ -Rule: - --- -Sid: -2673 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with the processing of a Portable Network Graphics (PNG) file by -libpng. - --- -Impact: -A successful attack may cause a buffer overflow and the subsequent execution -of arbitrary code on a vulnerable client host. - --- -Detailed Information: -A vulnerability exists in the way libpng handles the transparency chunk of -a PNG file, enabling a buffer overflow and the subsequent execution of -arbitrary code on a vulnerable client. A PNG datastream consists of a PNG -marker followed by a sequence of chunks that have a specific format and -function. - -When libpng processes a PNG datastream, it expects to find chunk types -in a particular order. For an image with palette color type, the PLTE -(palette) chunk must precede a tRNS (transparency) chunk. If it does not, -an error is generated, but decoding continues. Due to a logic error, -the length associated with the tRNS chunk is not properly validated. A -length of greater than 256 bytes can cause a buffer overflow and the -subsequent execution of arbitrary code when the PNG image is processed. - --- -Affected Systems: -Hosts running libpng 1.2.5 and prior -Hosts running libpng 1.0.15 and prior - --- -Attack Scenarios: -An attacker can create a malformed PNG file on a web server, entice a user -to download it, possibly causing a buffer overflow on a vulnerable client. - --- -Ease of Attack: -Simple. Exploit code exists. - --- -False Positives: -A false positive may be generated if both the PLTE and tRNS chunks of the PNG -datastream are not found in the first 300 bytes of the returned packet. The -flow_depth parameter of http_inspect can be configured to increase the default -size of the returned packet. It should be noted that altering this from the -default value of 300 bytes may slow performance depending on the type and volume -of traffic found on your network. 
- --- -False Negatives: -An alert may not be generated if PLTE and tRNS chunks of the PNG datastream are -not found in the first 300 bytes of the returned packet. The flow_depth -parameter of http_inspect can be configured to increase the default size of the -returned packet. It should be noted that altering this from the default value -of 300 bytes may slow performance depending on the type and volume of traffic -found on your network. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Joe Stewart -Judy Novak -Brian Caswell - --- -Additional References - -CVE: -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597 - -Bugtraq: -http://www.securityfocus.com/bid/10872 - -Other: -http://scary.beasts.org/security/CESA-2004-001.txt - --- diff -Nru snort-2.8.5.2/doc/signatures/2674.txt snort-2.9.2/doc/signatures/2674.txt --- snort-2.8.5.2/doc/signatures/2674.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2674.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2674 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure add_delete_resolution -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2675.txt snort-2.9.2/doc/signatures/2675.txt --- snort-2.8.5.2/doc/signatures/2675.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2675.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2675 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure instantiate_offline -. This procedure is included in -dbms_repcat_rgt. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2676.txt snort-2.9.2/doc/signatures/2676.txt --- snort-2.8.5.2/doc/signatures/2676.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2676.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2676 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure drop_site_instantiation -. This procedure is included in -dbms_repcat_rgt. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2677.txt snort-2.9.2/doc/signatures/2677.txt --- snort-2.8.5.2/doc/signatures/2677.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2677.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2677 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure instantiate_online -. This procedure is included in -dbms_repcat_rgt. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2678.txt snort-2.9.2/doc/signatures/2678.txt --- snort-2.8.5.2/doc/signatures/2678.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2678.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2678 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure start_log -. This procedure is included in -ctx_output. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2679.txt snort-2.9.2/doc/signatures/2679.txt --- snort-2.8.5.2/doc/signatures/2679.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2679.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2679 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure ksdwrt -. This procedure is included in -sys.dbms_system. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/267.txt snort-2.9.2/doc/signatures/267.txt --- snort-2.8.5.2/doc/signatures/267.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/267.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,58 +0,0 @@ -Rule: - --- -Sid: -267 - --- -Summary: -This event is generated when spurious DNS traffic is detected on the network. - --- -Impact: -Ranges from harmless to severe. A successful corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile host). - --- -Detailed Information: -This event indicates that abnormal DNS traffic has been detected. The implications are varied and careful investigation of the source and destination should be undertaken. - -This may be the result of an improperly configured DNS server or it may be an indication that an attack against the DNS server is underway. - --- -Affected Systems: -Any DNS server. - --- -Attack Scenarios: -An attacker can spoof a DNS response to misrepresent an IP to host/name pairing. The forged host name can direct a user to a potentially hostile host. - --- -Ease of Attack: -Simple to Difficult depending on the DNS implementation. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Consider using DNSSEC where appropriate. - -Keep all DNS software up to date and correctly configured. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Nigel Houghton -Judy Novak - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/2680.txt snort-2.9.2/doc/signatures/2680.txt --- snort-2.8.5.2/doc/signatures/2680.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2680.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2680 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure subindexpopulate -. This procedure is included in -ctxsys.driddlr. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2681.txt snort-2.9.2/doc/signatures/2681.txt --- snort-2.8.5.2/doc/signatures/2681.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2681.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2681 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure sdo_code_size -. This procedure is included in -mdsys.sdo_admin. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2682.txt snort-2.9.2/doc/signatures/2682.txt --- snort-2.8.5.2/doc/signatures/2682.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2682.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2682 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure validate_geom -. This procedure is included in -mdsys.md2. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2683.txt snort-2.9.2/doc/signatures/2683.txt --- snort-2.8.5.2/doc/signatures/2683.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2683.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2683 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure sdo_code_size -. This procedure is included in -mdsys.md2. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2684.txt snort-2.9.2/doc/signatures/2684.txt --- snort-2.8.5.2/doc/signatures/2684.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2684.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2684 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure pushdeferredtxns -. This procedure is included in -sys.ltutil. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2685.txt snort-2.9.2/doc/signatures/2685.txt --- snort-2.8.5.2/doc/signatures/2685.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2685.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2685 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure add_column -. This procedure is included in -sys.dbms_repcat_rq. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2686.txt snort-2.9.2/doc/signatures/2686.txt --- snort-2.8.5.2/doc/signatures/2686.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2686.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2686 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure differences -. This procedure is included in -sys.dbms_rectifier_diff. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2687.txt snort-2.9.2/doc/signatures/2687.txt --- snort-2.8.5.2/doc/signatures/2687.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2687.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2687 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure validate -. This procedure is included in -sys.dbms_internal_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2688.txt snort-2.9.2/doc/signatures/2688.txt --- snort-2.8.5.2/doc/signatures/2688.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2688.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2688 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure enable_receiver_trace -. This procedure is included in -sys.dbms_internal_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2689.txt snort-2.9.2/doc/signatures/2689.txt --- snort-2.8.5.2/doc/signatures/2689.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2689.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2689 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure disable_receiver_trace -. This procedure is included in -sys.dbms_internal_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/268.txt snort-2.9.2/doc/signatures/268.txt --- snort-2.8.5.2/doc/signatures/268.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/268.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: -268 - --- -Summary: -This event is generated when a remote attacker attempts to send large, fragmented IP packets to the internal network, indicating a Jolt Denial of Service (DoS) attack. - --- -Impact: -Denial of service. - --- -Detailed Information: -Jolt is a DoS attack characterized by large, fragmented IP packets that, when launched at a Windows system, can hang or crash the computer. - --- -Affected Systems: -Windows 95 -Windows 98 -Windows NT -Windows 2000 - --- -Attack Scenarios: -An attacker sends oversized, fragmented IP packets to a target computer. If the computer is running an unpatched version of Windows, it may crash. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Install the latest patches available for your operating system. - -Implement a packet-filtering firewall to block inappropriate traffic to the network. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Sourcefire Technical Publications Team -Jen Harvey - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/2690.txt snort-2.9.2/doc/signatures/2690.txt --- snort-2.8.5.2/doc/signatures/2690.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2690.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2690 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure enable_propagation_to_dblink -. This procedure is included in -sys.dbms_defer_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2691.txt snort-2.9.2/doc/signatures/2691.txt --- snort-2.8.5.2/doc/signatures/2691.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2691.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2691 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure parallel_push_recovery -. This procedure is included in -sys.dbms_defer_internal_sys. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2692.txt snort-2.9.2/doc/signatures/2692.txt --- snort-2.8.5.2/doc/signatures/2692.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2692.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2692 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure verify_queue_types -. This procedure is included in -sys.dbms_aqadm_sys. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2693.txt snort-2.9.2/doc/signatures/2693.txt --- snort-2.8.5.2/doc/signatures/2693.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2693.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2693 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure verify_queue_types_no_queue -. This procedure is included in -sys.dbms_aqadm. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2694.txt snort-2.9.2/doc/signatures/2694.txt --- snort-2.8.5.2/doc/signatures/2694.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2694.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2694 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure verify_queue_types_get_nrp -. This procedure is included in -sys.dbms_aqadm. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2695.txt snort-2.9.2/doc/signatures/2695.txt --- snort-2.8.5.2/doc/signatures/2695.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2695.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2695 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure aq_table_defn_update -. This procedure is included in -sys.dbms_aq_import_internal. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2696.txt snort-2.9.2/doc/signatures/2696.txt --- snort-2.8.5.2/doc/signatures/2696.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2696.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2696 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure is_master -. This procedure is included in -sys.dbms_repcat_utl. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2697.txt snort-2.9.2/doc/signatures/2697.txt --- snort-2.8.5.2/doc/signatures/2697.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2697.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -2697 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure alter file. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2698.txt snort-2.9.2/doc/signatures/2698.txt --- snort-2.8.5.2/doc/signatures/2698.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2698.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -2698 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure create file. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2699.txt snort-2.9.2/doc/signatures/2699.txt --- snort-2.8.5.2/doc/signatures/2699.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2699.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -2699 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure TO_CHAR. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/269.txt snort-2.9.2/doc/signatures/269.txt --- snort-2.8.5.2/doc/signatures/269.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/269.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,75 +0,0 @@ -Rule: --- -Sid: -269 - --- -Summary: -A denial of service attack known as Land has been launched. Some TCP/IP -stacks crash or hang when sent a spoofed TCP SYN packet with the same -source and destination host and the same source and destination port. - --- -Impact: -Denial of service against a target host. - --- -Detailed Information: -The Land denial of service attack attempts to crash or disable a target -host by sending a spoofed TCP SYN packet with an identical source and -destination IP and identical source and destination port. Some target -hosts will crash others will be temporarily disabled. - --- -Affected Systems: - Windows 95 - Windows NT Any unpatched version - SCO CMW+ 3.0 - SCO Open Desktop/Open Server 3.0 - SCO Open Server 5.0 - SCO UnixWare 2.1.0 - Gauntlet 3.2/HP-UX 10.10 and Gauntlet 4.1/HP-UX 10.20 - --- -Attack Scenarios: -A malicious user crafts a packet to cause a Denial of Service against a -target host. - --- -Ease of Attack: -Simple to craft such a packet using any number of packet crafting tools -such as nmap and hping. - - --- -False Positives: -None known. This should have a very low likelihood of false positives. - --- -False Negatives: -The exploit code has an IP identification number and TCP sequence number -of 3868. If a user changes the source code to have a different IP -identification or TCP sequence number, the rule will not fire. - --- -Corrective Action: -Malicious outside attacks can be prevented by configuring your -packet-filtering device to block packets from entering your network that -have source IP's from your network address space. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Judy Novak - --- -Additional References: - -CVE: -CAN-1999-0016 - -CERT: -CA-1997-28 - --- diff -Nru snort-2.8.5.2/doc/signatures/2700.txt snort-2.9.2/doc/signatures/2700.txt --- snort-2.8.5.2/doc/signatures/2700.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2700.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -2700 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure numtoyminterval. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2701.txt snort-2.9.2/doc/signatures/2701.txt --- snort-2.8.5.2/doc/signatures/2701.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2701.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2701 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - --- -Affected Systems: - Oracle iSQLPlus - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2702.txt snort-2.9.2/doc/signatures/2702.txt --- snort-2.8.5.2/doc/signatures/2702.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2702.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2702 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - --- -Affected Systems: - Oracle iSQLPlus - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2703.txt snort-2.9.2/doc/signatures/2703.txt --- snort-2.8.5.2/doc/signatures/2703.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2703.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2703 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - --- -Affected Systems: - Oracle iSQLPlus - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2704.txt snort-2.9.2/doc/signatures/2704.txt --- snort-2.8.5.2/doc/signatures/2704.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2704.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2704 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - --- -Affected Systems: - Oracle iSQLPlus - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2705.txt snort-2.9.2/doc/signatures/2705.txt --- snort-2.8.5.2/doc/signatures/2705.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2705.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-2705
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft GDI using a malformed JPEG image.
-
---
-
-Impact:
-Serious. Execution of arbitrary code is possible. Denial of Service
-(DoS),
-
---
-Detailed Information:
-The Microsoft Graphics Device Interface contains a programming error
-in the handling of Joint Photographics Experts Group (JPEG) files. This
-error may allow an attacker to execute code of their choosing on a
-vulnerable system.
-
-Due to the popularity of jpeg files, and in order to provide accurate
-detection for the GDI JPEG vulnerability, sid 2705 may generate false
-positive events in certain situations. Since this rule may generate
-a number of false positives it is disabled by default.
-
-In order to avoid potential evasion techniques, http_inspect should be
-configured with "flow_depth 0" so that all HTTP server response traffic is
-inspected.
-
-WARNING
-Setting flow_depth 0 will cause performance problems in some situations.
-WARNING
-
---
-Affected Systems:
- All Microsoft systems including multiple Microsoft products
-
---
-Attack Scenarios:
-An attacker would need to supply a malformed jpeg image to a victim and
-have the use attempt to view the file.
-
---
-Ease of Attack:
-Medium.
-
---
-
-False Positives:
-False positive events are known to occur with this rule, the incidence
-is low but may be an inconvenience in some installations.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2706.txt snort-2.9.2/doc/signatures/2706.txt
--- snort-2.8.5.2/doc/signatures/2706.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2706.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,78 +0,0 @@
-Rule:
-
---
-Sid:
-2706
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft GDI using a malformed JPEG image.
-
-This rule does not generate an event, however, Sid 2707 depends
-on this rule to function properly.
-
---
-
-Impact:
-Serious. Execution of arbitrary code is possible. Denial of Service
-(DoS),
-
---
-Detailed Information:
-The Microsoft Graphics Device Interface contains a programming error
-in the handling of Joint Photographics Experts Group (JPEG) files. This
-error may allow an attacker to execute code of their choosing on a
-vulnerable system.
-
-Due to the popularity of jpeg files, and in order to provide accurate
-detection for the GDI JPEG vulnerability, sid 2705 may generate false
-positive events in certain situations. Since this rule may generate
-a number of false positives it is disabled by default.
-
-In order to avoid potential evasion techniques, http_inspect should be
-configured with "flow_depth 0" so that all HTTP server response traffic is
-inspected.
-
-WARNING
-Setting flow_depth 0 will cause performance problems in some situations.
-WARNING
-
---
-Affected Systems:
- All Microsoft systems including multiple Microsoft products
-
---
-Attack Scenarios:
-An attacker would need to supply a malformed jpeg image to a victim and
-have the use attempt to view the file.
-
---
-Ease of Attack:
-Medium.
-
---
-
-False Positives:
-False positive events are known to occur with this rule, the incidence
-is low but may be an inconvenience in some installations.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2707.txt snort-2.9.2/doc/signatures/2707.txt
--- snort-2.8.5.2/doc/signatures/2707.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2707.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-2707
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft GDI using a malformed JPEG image.
-
---
-
-Impact:
-Serious. Execution of arbitrary code is possible. Denial of Service
-(DoS),
-
---
-Detailed Information:
-The Microsoft Graphics Device Interface contains a programming error
-in the handling of Joint Photographics Experts Group (JPEG) files. This
-error may allow an attacker to execute code of their choosing on a
-vulnerable system.
-
-Due to the popularity of jpeg files, and in order to provide accurate
-detection for the GDI JPEG vulnerability, sid 2705 may generate false
-positive events in certain situations. Since this rule may generate
-a number of false positives it is disabled by default.
-
-In order to avoid potential evasion techniques, http_inspect should be
-configured with "flow_depth 0" so that all HTTP server response traffic is
-inspected.
-
-WARNING
-Setting flow_depth 0 will cause performance problems in some situations.
-WARNING
-
---
-Affected Systems:
- All Microsoft systems including multiple Microsoft products
-
---
-Attack Scenarios:
-An attacker would need to supply a malformed jpeg image to a victim and
-have the use attempt to view the file.
-
---
-Ease of Attack:
-Medium.
-
---
-
-False Positives:
-False positive events are known to occur with this rule, the incidence
-is low but may be an inconvenience in some installations.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2708.txt snort-2.9.2/doc/signatures/2708.txt
--- snort-2.8.5.2/doc/signatures/2708.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2708.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2708
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure begin_flavor_change
-. This procedure is included in
-dbms_offline_og.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2709.txt snort-2.9.2/doc/signatures/2709.txt
--- snort-2.8.5.2/doc/signatures/2709.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2709.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2709
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure begin_instantiation
-. This procedure is included in
-dbms_offline_og.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/270.txt snort-2.9.2/doc/signatures/270.txt
--- snort-2.8.5.2/doc/signatures/270.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/270.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,77 +0,0 @@
-Rule:
-
---
-Sid:
-270
-
---
-Summary:
-This event is generated when an attempt is made to issue a Teardrop
-Denial of Service (DoS) attack.
-
---
-Impact:
-Denial of Service.
-
---
-Detailed Information:
-Teardrop exploits a vulnerability in some TCP/IP stack implementations.
-
-The program sends a specially crafted fragmented packet where the first
-fragment has offset 0 and data length N and the second fragment has an
-offset less than N (The fragments overlap). The resulting packet cannot
-be properly assembled.
-
-Systems may hang or crash.
-
---
-Affected Systems:
- Windows 95
- Windows NT 4.0 SP3 and earlier
- HP HPUX 10.34 and earlier
- Linux kernels 2.0.31 and earlier
- FreeBSD 3.0 prior to October 27, 1998
-
---
-Attack Scenarios:
-The can be done remotely against any open UDP port using a spoofed
-address.
-
---
-Ease of Attack:
-Simple. Tools are readily available and require little knowledge on the
-part of the attacker.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Patches are available from all affected vendors. Newer versions from
-each vendor are not vulnerable.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Steven Alexander
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/124
-
-CERT:
-http://www.cert.org/advisories/CA-1997-28.html
-
-FreeBSD:
-ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-98:08.fragment.asc
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2710.txt snort-2.9.2/doc/signatures/2710.txt
--- snort-2.8.5.2/doc/signatures/2710.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2710.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2710
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure begin_load
-. This procedure is included in
-dbms_offline_og.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2711.txt snort-2.9.2/doc/signatures/2711.txt
--- snort-2.8.5.2/doc/signatures/2711.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2711.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2711
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure end_flavor_change
-. This procedure is included in
-dbms_offline_og.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2712.txt snort-2.9.2/doc/signatures/2712.txt
--- snort-2.8.5.2/doc/signatures/2712.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2712.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2712
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure end_instantiation
-. This procedure is included in
-dbms_offline_og.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2713.txt snort-2.9.2/doc/signatures/2713.txt
--- snort-2.8.5.2/doc/signatures/2713.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2713.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2713
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure end_load
-. This procedure is included in
-dbms_offline_og.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2714.txt snort-2.9.2/doc/signatures/2714.txt
--- snort-2.8.5.2/doc/signatures/2714.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2714.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2714
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure resume_subset_of_masters
-. This procedure is included in
-dbms_offline_og.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2715.txt snort-2.9.2/doc/signatures/2715.txt
--- snort-2.8.5.2/doc/signatures/2715.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2715.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2715
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure begin_load
-. This procedure is included in
-dbms_offline_snapshot.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2716.txt snort-2.9.2/doc/signatures/2716.txt
--- snort-2.8.5.2/doc/signatures/2716.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2716.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2716
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure end_load
-. This procedure is included in
-dbms_offline_snapshot.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2717.txt snort-2.9.2/doc/signatures/2717.txt
--- snort-2.8.5.2/doc/signatures/2717.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2717.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2717
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure differences
-. This procedure is included in
-dbms_rectifier_diff.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2718.txt snort-2.9.2/doc/signatures/2718.txt
--- snort-2.8.5.2/doc/signatures/2718.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2718.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2718
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure rectify
-. This procedure is included in
-dbms_rectifier_diff.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2719.txt snort-2.9.2/doc/signatures/2719.txt
--- snort-2.8.5.2/doc/signatures/2719.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2719.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2719
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure abort_flavor_definition
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/271.txt snort-2.9.2/doc/signatures/271.txt
--- snort-2.8.5.2/doc/signatures/271.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/271.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
---
-Sid:
-271
-
---
-Summary:
-This event is generated when an attempt is made to issue a Denial of
-Service attack against a host or network by generating traffic between
-your udp echo port and their udp chargen port.
-
---
-Impact:
-Potential Denial of service (DoS) condition for the target host, hosts
-between the target host and the attacker, and more.
-
---
-Detailed Information:
-Traffic was detected between the udp echo port on a host on the
-protected network and the udp chargen (character generator) service.
-Due to the connectionless nature of udp, a single packet from the udp chargen
-service to a listening udp echo service will result in mass quantities
-of traffic back and forth between the two services.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker will find a host that still provides the udp chargen service
-and generate traffic between it and the udp echo service on a machine.
-If proper ingress/egress filtering is not in place, this traffic can be
-trivially spoofed provided the attacker has elevated privledges on the
-attacking/initiating machine (the source port being less than 1024).
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disable the chargen service unless it is absolutely needed, and apply
-ingress and egress filtering.
-
-Additionally, disable the udp echo service.
-
---
-Contributors:
-Original rule writer unknown
-Snort documentation contributed by Jon Hart
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2720.txt snort-2.9.2/doc/signatures/2720.txt
--- snort-2.8.5.2/doc/signatures/2720.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2720.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2720
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_column_group_to_flavor
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2721.txt snort-2.9.2/doc/signatures/2721.txt
--- snort-2.8.5.2/doc/signatures/2721.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2721.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2721
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_columns_to_flavor
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2722.txt snort-2.9.2/doc/signatures/2722.txt
--- snort-2.8.5.2/doc/signatures/2722.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2722.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2722
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_object_to_flavor
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2723.txt snort-2.9.2/doc/signatures/2723.txt
--- snort-2.8.5.2/doc/signatures/2723.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2723.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2723
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_priority_char
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2724.txt snort-2.9.2/doc/signatures/2724.txt
--- snort-2.8.5.2/doc/signatures/2724.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2724.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2724
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_priority_date
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2725.txt snort-2.9.2/doc/signatures/2725.txt
--- snort-2.8.5.2/doc/signatures/2725.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2725.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2725
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_priority_nchar
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2726.txt snort-2.9.2/doc/signatures/2726.txt
--- snort-2.8.5.2/doc/signatures/2726.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2726.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2726
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_priority_number
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2727.txt snort-2.9.2/doc/signatures/2727.txt
--- snort-2.8.5.2/doc/signatures/2727.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2727.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2727
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_priority_nvarchar2
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2728.txt snort-2.9.2/doc/signatures/2728.txt
--- snort-2.8.5.2/doc/signatures/2728.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2728.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2728
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_priority_raw
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2729.txt snort-2.9.2/doc/signatures/2729.txt
--- snort-2.8.5.2/doc/signatures/2729.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2729.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2729
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_priority_varchar2
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/272.txt snort-2.9.2/doc/signatures/272.txt
--- snort-2.8.5.2/doc/signatures/272.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/272.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-272
-
---
-Summary:
-This event is generated when a remote attacker transmits fragmented IGMP packets with malformed headers to the internal network, indicating an IGMP Denial of Service (DoS) attack.
-
---
-Impact:
-Denial of service.
-
---
-Detailed Information:
-If an IGMP packet with a malformed header is transmitted to an unpatched Microsoft Windows computer, the computer may crash when it attempts to process the packet.
-
---
-Affected Systems:
-Microsoft Windows 95
-Microsoft Windows 98
-Microsoft Windows 98 SE
-Microsoft Windows NT 4
-
---
-Attack Scenarios:
-An attacker sends fragmented IGMP packets with malformed headers to a target computer. If the computer is running an unpatched version of Windows, it may crash.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Install the latest patches available for your operating system. See http://www.microsoft.com/technet/security/bulletin/ms99-034.asp for more information.
-
-Implement a packet-filtering firewall to block inappropriate traffic to the network.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-
-Bugtraq
-http://www.securityfocus.com/bid/514
-
-Microsoft
-http://www.microsoft.com/technet/security/bulletin/ms99-034.asp
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2730.txt snort-2.9.2/doc/signatures/2730.txt
--- snort-2.8.5.2/doc/signatures/2730.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2730.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2730
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_site_priority_site
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2731.txt snort-2.9.2/doc/signatures/2731.txt
--- snort-2.8.5.2/doc/signatures/2731.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2731.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2731
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_unique_resolution
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2732.txt snort-2.9.2/doc/signatures/2732.txt
--- snort-2.8.5.2/doc/signatures/2732.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2732.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2732
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_update_resolution
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2733.txt snort-2.9.2/doc/signatures/2733.txt
--- snort-2.8.5.2/doc/signatures/2733.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2733.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2733
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_master_propagation
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2734.txt snort-2.9.2/doc/signatures/2734.txt
--- snort-2.8.5.2/doc/signatures/2734.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2734.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2734
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_mview_propagation
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2735.txt snort-2.9.2/doc/signatures/2735.txt
--- snort-2.8.5.2/doc/signatures/2735.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2735.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2735
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_priority_char
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2736.txt snort-2.9.2/doc/signatures/2736.txt
--- snort-2.8.5.2/doc/signatures/2736.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2736.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2736
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_priority_date
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2737.txt snort-2.9.2/doc/signatures/2737.txt
--- snort-2.8.5.2/doc/signatures/2737.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2737.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2737
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_priority_nchar
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2738.txt snort-2.9.2/doc/signatures/2738.txt
--- snort-2.8.5.2/doc/signatures/2738.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2738.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2738
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_priority_number
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2739.txt snort-2.9.2/doc/signatures/2739.txt
--- snort-2.8.5.2/doc/signatures/2739.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2739.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2739
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_priority_nvarchar2
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/273.txt snort-2.9.2/doc/signatures/273.txt
--- snort-2.8.5.2/doc/signatures/273.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/273.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-273
-
---
-Summary:
-This event is generated when a remote attacker transmits fragmented IGMP packets with malformed headers to the internal network, indicating an IGMP Denial of Service (DoS) attack.
-
---
-Impact:
-Denial of service.
-
---
-Detailed Information:
-If an IGMP packet with a malformed header is transmitted to an unpatched Microsoft Windows computer, the computer may crash when it attempts to process the packet.
-
---
-Affected Systems:
-Microsoft Windows 95
-Microsoft Windows 98
-Microsoft Windows 98 SE
-Microsoft Windows NT 4
-
---
-Attack Scenarios:
-An attacker sends fragmented IGMP packets with malformed headers to a target computer. If the computer is running an unpatched version of Windows, it may crash.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Install the latest patches available for your operating system. See http://www.microsoft.com/technet/security/bulletin/ms99-034.asp for more information.
-
-Implement a packet-filtering firewall to block inappropriate traffic to the network.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-
-Bugtraq
-http://www.securityfocus.com/bid/514
-
-Microsoft
-http://www.microsoft.com/technet/security/bulletin/ms99-034.asp
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2740.txt snort-2.9.2/doc/signatures/2740.txt
--- snort-2.8.5.2/doc/signatures/2740.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2740.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2740
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_priority_raw
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2741.txt snort-2.9.2/doc/signatures/2741.txt
--- snort-2.8.5.2/doc/signatures/2741.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2741.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2741
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_priority
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2742.txt snort-2.9.2/doc/signatures/2742.txt
--- snort-2.8.5.2/doc/signatures/2742.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2742.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2742
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_priority_varchar2
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2743.txt snort-2.9.2/doc/signatures/2743.txt
--- snort-2.8.5.2/doc/signatures/2743.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2743.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2743
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_site_priority_site
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2744.txt snort-2.9.2/doc/signatures/2744.txt
--- snort-2.8.5.2/doc/signatures/2744.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2744.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2744
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_site_priority
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2745.txt snort-2.9.2/doc/signatures/2745.txt
--- snort-2.8.5.2/doc/signatures/2745.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2745.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2745
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_snapshot_propagation
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2746.txt snort-2.9.2/doc/signatures/2746.txt
--- snort-2.8.5.2/doc/signatures/2746.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2746.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2746
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure revoke_surrogate_repcat
-. This procedure is included in
-dbms_repcat_auth.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2747.txt snort-2.9.2/doc/signatures/2747.txt
--- snort-2.8.5.2/doc/signatures/2747.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2747.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2747
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure begin_flavor_definition
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2748.txt snort-2.9.2/doc/signatures/2748.txt
--- snort-2.8.5.2/doc/signatures/2748.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2748.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2748
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure comment_on_column_group
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2749.txt snort-2.9.2/doc/signatures/2749.txt
--- snort-2.8.5.2/doc/signatures/2749.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2749.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2749
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure comment_on_delete_resolution
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/274.txt snort-2.9.2/doc/signatures/274.txt
--- snort-2.8.5.2/doc/signatures/274.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/274.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-274
-
---
-Summary:
-This event is generated when an attempt is made to issue a Denial of Service attack that works against some modems.
-
---
-Impact:
-The system may be disconnected from it's dial-up connection.
-
---
-Detailed Information:
-An ICMP Echo Request is sent to a target system with a payload that
-includes "+++ath". The "+++" is an attention sequence that allows a
-user to enter commands to the modem. "ath" is the modem hangup command.
-An ICMP Echo Reply includes the same payload as the associated request.
-On some modems, when the machine tries to reply to this packet, "+++ath"
-will be interpreted as a command and the modem will hangup. The remote
-address can be spoofed.
-
---
-Affected Systems:
-unknown
-
---
-Attack Scenarios:
-A user can remotely cause a modem to disconnect.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Set a guard time on the modem. Contact the modem manufacturer for
-details. A guard time will cause the modem to wait after receiving
-"+++". Any further input during this wait, including "ath", will be
-disregarded.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Steven Alexander
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS264
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-1999-1228
-
-Security Focus:
-http://www.securityfocus.com/archive/1/10706
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2750.txt snort-2.9.2/doc/signatures/2750.txt
--- snort-2.8.5.2/doc/signatures/2750.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2750.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2750
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure comment_on_mview_repsites
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2751.txt snort-2.9.2/doc/signatures/2751.txt
--- snort-2.8.5.2/doc/signatures/2751.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2751.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2751
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure comment_on_priority_group
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2752.txt snort-2.9.2/doc/signatures/2752.txt
--- snort-2.8.5.2/doc/signatures/2752.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2752.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2752
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure comment_on_repgroup
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2753.txt snort-2.9.2/doc/signatures/2753.txt
--- snort-2.8.5.2/doc/signatures/2753.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2753.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2753
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure comment_on_repsites
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2754.txt snort-2.9.2/doc/signatures/2754.txt
--- snort-2.8.5.2/doc/signatures/2754.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2754.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2754
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure comment_on_site_priority
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2755.txt snort-2.9.2/doc/signatures/2755.txt
--- snort-2.8.5.2/doc/signatures/2755.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2755.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2755
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure comment_on_unique_resolution
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2756.txt snort-2.9.2/doc/signatures/2756.txt
--- snort-2.8.5.2/doc/signatures/2756.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2756.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2756
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure comment_on_update_resolution
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2757.txt snort-2.9.2/doc/signatures/2757.txt
--- snort-2.8.5.2/doc/signatures/2757.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2757.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2757
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure create_master_repgroup
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2758.txt snort-2.9.2/doc/signatures/2758.txt
--- snort-2.8.5.2/doc/signatures/2758.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2758.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2758
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure create_master_repobject
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2759.txt snort-2.9.2/doc/signatures/2759.txt
--- snort-2.8.5.2/doc/signatures/2759.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2759.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2759
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure create_snapshot_repgroup
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/275.txt snort-2.9.2/doc/signatures/275.txt
--- snort-2.8.5.2/doc/signatures/275.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/275.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-275
-
---
-Summary:
-This event is generated when a remote attacker transmits a malformed TCP packet to an internal server. This may indicate a "NAPTHA" Denial of Service (DoS) attack.
-
---
-Impact:
-Denial of service.
-
---
-Detailed Information:
-An attacker can craft a TCP packet that, when transmitted to the target server, maintains the TCP session on the target server in an unresolved state. This consumes system resources and overwhelms the target server, causing the server to stop responding to other network requests. In some cases, this type of attack can crash the target server.
-
---
-Affected Systems:
-Microsoft Windows 95
-Microsoft Windows 98
-Microsoft Windows 98SE
-Microsoft Windows Millennium
-Windows NT 4.0
-HP-UX 11
-IBM AIX 4.3
-Sun Solaris 7-8
-FreeBSD 4.0-REL
-Redhat Linux 6.1 - 7.0
-Other Linux operating systems based on the Linux 2.0 kernel
-
-
---
-Attack Scenarios:
-An attacker sends a number of malformed TCP packets to a target computer. The computer attempts to maintain all incoming connections, causing it to slow down or stop responding to legitimate network requests.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Install the latest patches available for your operating system. Patches and workarounds for Microsoft are available at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-091.asp.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2760.txt snort-2.9.2/doc/signatures/2760.txt
--- snort-2.8.5.2/doc/signatures/2760.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2760.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2760
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure define_column_group
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2761.txt snort-2.9.2/doc/signatures/2761.txt
--- snort-2.8.5.2/doc/signatures/2761.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2761.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2761
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure define_priority_group
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2762.txt snort-2.9.2/doc/signatures/2762.txt
--- snort-2.8.5.2/doc/signatures/2762.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2762.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2762
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure define_site_priority
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2763.txt snort-2.9.2/doc/signatures/2763.txt
--- snort-2.8.5.2/doc/signatures/2763.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2763.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2763
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure do_deferred_repcat_admin
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2764.txt snort-2.9.2/doc/signatures/2764.txt
--- snort-2.8.5.2/doc/signatures/2764.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2764.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2764
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_column_group_from_flavor
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2765.txt snort-2.9.2/doc/signatures/2765.txt
--- snort-2.8.5.2/doc/signatures/2765.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2765.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2765
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_column_group
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2766.txt snort-2.9.2/doc/signatures/2766.txt
--- snort-2.8.5.2/doc/signatures/2766.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2766.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2766
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_columns_from_flavor
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2767.txt snort-2.9.2/doc/signatures/2767.txt
--- snort-2.8.5.2/doc/signatures/2767.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2767.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2767
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_delete_resolution
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2768.txt snort-2.9.2/doc/signatures/2768.txt
--- snort-2.8.5.2/doc/signatures/2768.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2768.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2768
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_grouped_column
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2769.txt snort-2.9.2/doc/signatures/2769.txt
--- snort-2.8.5.2/doc/signatures/2769.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2769.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2769
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_mview_repobject
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/276.txt snort-2.9.2/doc/signatures/276.txt
--- snort-2.8.5.2/doc/signatures/276.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/276.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-276
-
---
-Summary:
-This event is generated when a remote attacker transmits a malformed
-request for a page on a RealNetworks RealServer port, which can indicate
-a Denial of Service (DoS) attack on the RealServer.
-
---
-Impact:
-The RealNetworks RealServer service will crash.
-
---
-Detailed Information:
-RealNetworks RealServer is a server application that serves streaming
-audio to clients. When an attacker sends a request for a template file
-in the /viewsource/ directory with an empty variable value, RealServer
-crashes.
-
---
-Affected Systems:
-Systems running RealNetworks RealServer 7.0 with View Source
-functionality enabled.
-
---
-Attack Scenarios:
-An attacker sends an HTTP request for /viewsource/template.html? on a
-RealServer audio server. RealServer crashes, stopping audio
-transmission.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest version of the software or disable the View Source
-functionality. The vendor has issued an advisory, workarounds, and
-downloadable patches at http://service.real.com/help/faq/servgviewsrc.html.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-
-RealNetworks
-http://service.real.com/help/faq/servgviewsrc.html
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2770.txt snort-2.9.2/doc/signatures/2770.txt
--- snort-2.8.5.2/doc/signatures/2770.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2770.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2770
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_object_from_flavor
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2771.txt snort-2.9.2/doc/signatures/2771.txt
--- snort-2.8.5.2/doc/signatures/2771.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2771.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2771
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_char
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2772.txt snort-2.9.2/doc/signatures/2772.txt
--- snort-2.8.5.2/doc/signatures/2772.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2772.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2772
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_date
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2773.txt snort-2.9.2/doc/signatures/2773.txt
--- snort-2.8.5.2/doc/signatures/2773.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2773.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2773
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_nchar
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2774.txt snort-2.9.2/doc/signatures/2774.txt
--- snort-2.8.5.2/doc/signatures/2774.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2774.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2774
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_number
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2775.txt snort-2.9.2/doc/signatures/2775.txt
--- snort-2.8.5.2/doc/signatures/2775.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2775.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2775
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_nvarchar2
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2776.txt snort-2.9.2/doc/signatures/2776.txt
--- snort-2.8.5.2/doc/signatures/2776.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2776.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2776
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_raw
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2777.txt snort-2.9.2/doc/signatures/2777.txt
--- snort-2.8.5.2/doc/signatures/2777.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2777.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2777
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2778.txt snort-2.9.2/doc/signatures/2778.txt
--- snort-2.8.5.2/doc/signatures/2778.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2778.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2778
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_varchar2
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2779.txt snort-2.9.2/doc/signatures/2779.txt
--- snort-2.8.5.2/doc/signatures/2779.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2779.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2779
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_site_priority_site
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/277.txt snort-2.9.2/doc/signatures/277.txt
--- snort-2.8.5.2/doc/signatures/277.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/277.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-277
-
---
-Summary:
-This event is generated when a remote attacker transmits a malformed request for a page on a RealNetworks RealServer port, which can indicate a Denial of Service (DoS) attack on the RealServer.
-
---
-Impact:
-The RealNetworks RealServer service will crash.
-
---
-Detailed Information:
-RealNetworks RealServer is a server application that serves streaming audio to clients. When an attacker sends a request for a template file in the /viewsource/ directory with an empty variable value, RealServer crashes.
-
---
-Affected Systems:
-Systems running RealNetworks RealServer 7.0 with View Source functionality enabled.
-
---
-Attack Scenarios:
-An attacker sends an HTTP request for /viewsource/template.html? on a RealServer audio server. RealServer crashes, stopping audio transmission.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-If a legitimate remote user attempts to use the View Source function on the RealServer, this rule may generate an event.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest version of the software or disable the View Source functionality. The vendor has issued an advisory, workarounds, and downloadable patches at http://service.real.com/help/faq/servgviewsrc.html.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-
-RealNetworks
-http://service.real.com/help/faq/servgviewsrc.html
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2780.txt snort-2.9.2/doc/signatures/2780.txt
--- snort-2.8.5.2/doc/signatures/2780.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2780.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2780
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_site_priority
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2781.txt snort-2.9.2/doc/signatures/2781.txt
--- snort-2.8.5.2/doc/signatures/2781.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2781.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2781
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_snapshot_repgroup
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2782.txt snort-2.9.2/doc/signatures/2782.txt
--- snort-2.8.5.2/doc/signatures/2782.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2782.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2782
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_snapshot_repobject
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2783.txt snort-2.9.2/doc/signatures/2783.txt
--- snort-2.8.5.2/doc/signatures/2783.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2783.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2783
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_unique_resolution
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2784.txt snort-2.9.2/doc/signatures/2784.txt
--- snort-2.8.5.2/doc/signatures/2784.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2784.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2784
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_update_resolution
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2785.txt snort-2.9.2/doc/signatures/2785.txt
--- snort-2.8.5.2/doc/signatures/2785.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2785.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2785
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure execute_ddl
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2786.txt snort-2.9.2/doc/signatures/2786.txt
--- snort-2.8.5.2/doc/signatures/2786.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2786.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2786
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure generate_replication_package
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2787.txt snort-2.9.2/doc/signatures/2787.txt
--- snort-2.8.5.2/doc/signatures/2787.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2787.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2787 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure instantiate_online -. This procedure is included in -dbms_repcat_instantiate. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2788.txt snort-2.9.2/doc/signatures/2788.txt --- snort-2.8.5.2/doc/signatures/2788.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2788.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2788 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure make_column_group -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2789.txt snort-2.9.2/doc/signatures/2789.txt --- snort-2.8.5.2/doc/signatures/2789.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2789.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2789 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure obsolete_flavor_definition -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/278.txt snort-2.9.2/doc/signatures/278.txt --- snort-2.8.5.2/doc/signatures/278.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/278.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,57 +0,0 @@ -Rule: - --- -Sid: -278 - --- -Summary: -This event is generated when a remote attacker transmits a malformed request for a page on a web server port, which can indicate a Denial of Service (DoS) attack on a RealNetworks RealServer. - --- -Impact: -The RealNetworks RealServer service will crash. - --- -Detailed Information: -RealNetworks RealServer is a server application that serves streaming audio to clients. When an attacker sends a request for a template file in the /viewsource/ directory with an empty variable value, RealServer crashes. - --- -Affected Systems: -Systems running RealNetworks RealServer 7.0 with View Source functionality enabled. - --- -Attack Scenarios: -An attacker sends an HTTP request for /viewsource/template.html? on a RealServer audio server. RealServer crashes, stopping audio transmission. - --- -Ease of Attack: -Simple. - --- -False Positives: -If a legitimate remote user attempts to use the View Source function on RealServer, this rule may generate an event. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest version of the software or disable the View Source functionality. The vendor has issued an advisory, workarounds, and downloadable patches at http://service.real.com/help/faq/servgviewsrc.html. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Sourcefire Technical Publications Team -Jen Harvey - --- -Additional References: - -RealNetworks -http://service.real.com/help/faq/servgviewsrc.html - - --- diff -Nru snort-2.8.5.2/doc/signatures/2790.txt snort-2.9.2/doc/signatures/2790.txt --- snort-2.8.5.2/doc/signatures/2790.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2790.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2790 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure publish_flavor_definition -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2791.txt snort-2.9.2/doc/signatures/2791.txt --- snort-2.8.5.2/doc/signatures/2791.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2791.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2791 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure purge_flavor_definition -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2792.txt snort-2.9.2/doc/signatures/2792.txt --- snort-2.8.5.2/doc/signatures/2792.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2792.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2792 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure purge_master_log -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2793.txt snort-2.9.2/doc/signatures/2793.txt --- snort-2.8.5.2/doc/signatures/2793.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2793.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2793 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure purge_statistics -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2794.txt snort-2.9.2/doc/signatures/2794.txt --- snort-2.8.5.2/doc/signatures/2794.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2794.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2794 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure refresh_mview_repgroup -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2795.txt snort-2.9.2/doc/signatures/2795.txt --- snort-2.8.5.2/doc/signatures/2795.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2795.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2795 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure refresh_snapshot_repgroup -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2796.txt snort-2.9.2/doc/signatures/2796.txt --- snort-2.8.5.2/doc/signatures/2796.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2796.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2796 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure register_mview_repgroup -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2797.txt snort-2.9.2/doc/signatures/2797.txt --- snort-2.8.5.2/doc/signatures/2797.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2797.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2797 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure register_snapshot_repgroup -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2798.txt snort-2.9.2/doc/signatures/2798.txt --- snort-2.8.5.2/doc/signatures/2798.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2798.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2798 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure register_statistics -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2799.txt snort-2.9.2/doc/signatures/2799.txt --- snort-2.8.5.2/doc/signatures/2799.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2799.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2799 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure relocate_masterdef -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/279.txt snort-2.9.2/doc/signatures/279.txt --- snort-2.8.5.2/doc/signatures/279.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/279.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: -279 - --- -Summary: -This event is generated when an attempt is made to issue a Denial of -Service attack that causes Bay/Nortel Nautical Marlin bridges to crash. - --- -Impact: -Denial of Service. Network traffic can be disrupted. - --- -Detailed Information: -Nautica Marlin bridges will crash if a UDP packet is received on the -SNMP port (161) which has a data length of 0. - --- -Affected Systems: - Bay/Nortel Nautica Marlin Bridges - --- -Attack Scenarios: -The bridges can be crashed remotely. The offending packet uses UDP -(which is not connection oriented) and can be easily spoofed. - --- -Ease of Attack: -Simple. Tools are available that can exploit this vulnerability. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Block connections to port 161 from unauthorized hosts using firewall or -router ACLs. The release notes for the only available upgrade for this -product do not mention this vulnerability. The product has been -discontinued. - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Steven Alexander - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2800.txt snort-2.9.2/doc/signatures/2800.txt --- snort-2.8.5.2/doc/signatures/2800.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2800.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2800 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure rename_shadow_column_group -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2801.txt snort-2.9.2/doc/signatures/2801.txt --- snort-2.8.5.2/doc/signatures/2801.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2801.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2801 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure resume_master_activity -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2802.txt snort-2.9.2/doc/signatures/2802.txt --- snort-2.8.5.2/doc/signatures/2802.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2802.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2802 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure check_ddl_text -. This procedure is included in -dbms_repcat_rgt. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2803.txt snort-2.9.2/doc/signatures/2803.txt --- snort-2.8.5.2/doc/signatures/2803.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2803.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2803 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure drop_site_instantiation -. This procedure is included in -dbms_repcat_rgt. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2804.txt snort-2.9.2/doc/signatures/2804.txt --- snort-2.8.5.2/doc/signatures/2804.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2804.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2804
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure send_and_compare_old_values
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2805.txt snort-2.9.2/doc/signatures/2805.txt
--- snort-2.8.5.2/doc/signatures/2805.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2805.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2805
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure set_columns
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2806.txt snort-2.9.2/doc/signatures/2806.txt
--- snort-2.8.5.2/doc/signatures/2806.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2806.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2806
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure set_local_flavor
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2807.txt snort-2.9.2/doc/signatures/2807.txt
--- snort-2.8.5.2/doc/signatures/2807.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2807.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2807
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure specify_new_masters
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2808.txt snort-2.9.2/doc/signatures/2808.txt
--- snort-2.8.5.2/doc/signatures/2808.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2808.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2808
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure suspend_master_activity
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2809.txt snort-2.9.2/doc/signatures/2809.txt
--- snort-2.8.5.2/doc/signatures/2809.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2809.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2809
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure unregister_mview_repgroup
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2810.txt snort-2.9.2/doc/signatures/2810.txt
--- snort-2.8.5.2/doc/signatures/2810.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2810.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2810
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure unregister_snapshot_repgroup
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2811.txt snort-2.9.2/doc/signatures/2811.txt
--- snort-2.8.5.2/doc/signatures/2811.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2811.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2811
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure validate_flavor_definition
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2812.txt snort-2.9.2/doc/signatures/2812.txt
--- snort-2.8.5.2/doc/signatures/2812.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2812.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2812
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure validate_for_local_flavor
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2813.txt snort-2.9.2/doc/signatures/2813.txt
--- snort-2.8.5.2/doc/signatures/2813.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2813.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2813
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure abort_flavor_definition
-. This procedure is included in
-sys.dbms_repcat_fla.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2814.txt snort-2.9.2/doc/signatures/2814.txt
--- snort-2.8.5.2/doc/signatures/2814.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2814.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2814
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_object_to_flavor
-. This procedure is included in
-sys.dbms_repcat_fla.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2815.txt snort-2.9.2/doc/signatures/2815.txt
--- snort-2.8.5.2/doc/signatures/2815.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2815.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2815
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure begin_flavor_definition
-. This procedure is included in
-sys.dbms_repcat_fla.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2816.txt snort-2.9.2/doc/signatures/2816.txt
--- snort-2.8.5.2/doc/signatures/2816.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2816.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2816
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_object_from_flavor
-. This procedure is included in
-sys.dbms_repcat_fla.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2817.txt snort-2.9.2/doc/signatures/2817.txt
--- snort-2.8.5.2/doc/signatures/2817.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2817.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2817
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_column_group_to_flavor
-. This procedure is included in
-sys.dbms_repcat_fla_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2818.txt snort-2.9.2/doc/signatures/2818.txt
--- snort-2.8.5.2/doc/signatures/2818.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2818.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2818
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_columns_to_flavor
-. This procedure is included in
-sys.dbms_repcat_fla_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2819.txt snort-2.9.2/doc/signatures/2819.txt
--- snort-2.8.5.2/doc/signatures/2819.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2819.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2819
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_column_group_from_flavor
-. This procedure is included in
-sys.dbms_repcat_fla_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/281.txt snort-2.9.2/doc/signatures/281.txt
--- snort-2.8.5.2/doc/signatures/281.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/281.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-281
-
---
-Summary:
-This event is generated when an attempt is made to issue a Denial of
-Service (DoS) attack that causes some Ascend routers to reboot.
-
---
-Impact:
-Denial of Service. Traffic between network segments or between internal
-and external networks can be disrupted.
-
---
-Detailed Information:
-Some Ascend routers run configuration software that is able to locate
-other Ascend routers by broadcasting on UDP port 9 (discard). This port
-is listened on by the Java Configurator tool. A packet with a specially
-crafted payload can cause the routers to reboot.
-
---
-Affected Systems:
- Lucent Ascend MAX Router 5.0 and previous
- Lucent Ascend Pipeline Router 6.0 and previous
- Lucent Ascend Pipeline Router 6.0 and previous
-
-
---
-Attack Scenarios:
-Ascend routers can be forced to reboot remotely without authorization.
-Since the offending packet is UDP (which is not connection oriented),
-the sending address can be easily spoofed.
-
---
-Ease of Attack:
-Simple. An exploit is available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-An upgrade is available from the manufacturer. Filtering traffic to
-port 9 will also prevent this exploit.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Steven Alexander
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS262
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0060
-
-Bugtraq:
-http://www.securityfocus.com/bid/714
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2820.txt snort-2.9.2/doc/signatures/2820.txt
--- snort-2.8.5.2/doc/signatures/2820.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2820.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2820
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_columns_from_flavor
-. This procedure is included in
-sys.dbms_repcat_fla_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2821.txt snort-2.9.2/doc/signatures/2821.txt
--- snort-2.8.5.2/doc/signatures/2821.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2821.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2821
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure obsolete_flavor_definition
-. This procedure is included in
-sys.dbms_repcat_fla_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2822.txt snort-2.9.2/doc/signatures/2822.txt
--- snort-2.8.5.2/doc/signatures/2822.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2822.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2822
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure publish_flavor_definition
-. This procedure is included in
-sys.dbms_repcat_fla_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2823.txt snort-2.9.2/doc/signatures/2823.txt
--- snort-2.8.5.2/doc/signatures/2823.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2823.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2823
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure purge_flavor_definition
-. This procedure is included in
-sys.dbms_repcat_fla_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2824.txt snort-2.9.2/doc/signatures/2824.txt
--- snort-2.8.5.2/doc/signatures/2824.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2824.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2824
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure set_local_flavor
-. This procedure is included in
-sys.dbms_repcat_fla.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2825.txt snort-2.9.2/doc/signatures/2825.txt
--- snort-2.8.5.2/doc/signatures/2825.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2825.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2825
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure validate_flavor_definition
-. This procedure is included in
-sys.dbms_repcat_fla.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2826.txt snort-2.9.2/doc/signatures/2826.txt
--- snort-2.8.5.2/doc/signatures/2826.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2826.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2826
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure validate_for_local_flavor
-. This procedure is included in
-sys.dbms_repcat_fla.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2827.txt snort-2.9.2/doc/signatures/2827.txt
--- snort-2.8.5.2/doc/signatures/2827.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2827.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2827
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_master_repobject
-. This procedure is included in
-sys.dbms_repcat_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2828.txt snort-2.9.2/doc/signatures/2828.txt
--- snort-2.8.5.2/doc/signatures/2828.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2828.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2828
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure comment_on_repgroup
-. This procedure is included in
-sys.dbms_repcat_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2829.txt snort-2.9.2/doc/signatures/2829.txt
--- snort-2.8.5.2/doc/signatures/2829.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2829.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2829
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure comment_on_repobject
-. This procedure is included in
-sys.dbms_repcat_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/282.txt snort-2.9.2/doc/signatures/282.txt
--- snort-2.8.5.2/doc/signatures/282.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/282.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-
-282
-
---
-Summary:
-This event is generated when an attempt is made to issue a Denial of
-Service (DoS) attack against a host running Arkiea backup software.
-
---
-Impact:
-Denial of Service
-
---
-Detailed Information:
-
-Arkiea package is a backup application that is used to manage backups
-for a number of systems. A Denial of Service (DoS) vulnerability
-exists in nlservd program, if fed with large inputs, will cause a
-program to crash.
-
-A vulnerability in the nlservd from the Arkiea backup application allows
-remote users to shut it down by sending it large amounts of input over
-the network.
-
---
-Affected Systems:
-
- Arkeia 4.0
- Arkeia 4.1
-
---
-Attack Scenarios:
-
-An attacker sends a overly large strings to a nlservd daemon, the
-service will crash immediately.
-
---
-Ease of Attack:
-
-Simple.
-
---
-False Positives:
-
-None known
-
---
-False Negatives:
-
-None known
-
---
-Corrective Action:
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Original Rule Writer Paul Bobby paul.bobby@lmco.com
-Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/662
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2830.txt snort-2.9.2/doc/signatures/2830.txt
--- snort-2.8.5.2/doc/signatures/2830.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2830.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2830
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure create_master_repgroup
-. This procedure is included in
-sys.dbms_repcat_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2831.txt snort-2.9.2/doc/signatures/2831.txt
--- snort-2.8.5.2/doc/signatures/2831.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2831.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2831
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure create_master_repobject
-. This procedure is included in
-sys.dbms_repcat_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2832.txt snort-2.9.2/doc/signatures/2832.txt
--- snort-2.8.5.2/doc/signatures/2832.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2832.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2832
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure do_deferred_repcat_admin
-. This procedure is included in
-sys.dbms_repcat_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2833.txt snort-2.9.2/doc/signatures/2833.txt
--- snort-2.8.5.2/doc/signatures/2833.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2833.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2833
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_master_repgroup
-. This procedure is included in
-sys.dbms_repcat_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2834.txt snort-2.9.2/doc/signatures/2834.txt
--- snort-2.8.5.2/doc/signatures/2834.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2834.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2834
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure generate_replication_package
-. This procedure is included in
-sys.dbms_repcat_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2835.txt snort-2.9.2/doc/signatures/2835.txt
--- snort-2.8.5.2/doc/signatures/2835.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2835.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2835
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure purge_master_log
-. This procedure is included in
-sys.dbms_repcat_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2836.txt snort-2.9.2/doc/signatures/2836.txt
--- snort-2.8.5.2/doc/signatures/2836.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2836.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2836
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure relocate_masterdef
-. This procedure is included in
-sys.dbms_repcat_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2837.txt snort-2.9.2/doc/signatures/2837.txt
--- snort-2.8.5.2/doc/signatures/2837.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2837.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2837
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure rename_shadow_column_group
-. This procedure is included in
-sys.dbms_repcat_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2838.txt snort-2.9.2/doc/signatures/2838.txt
--- snort-2.8.5.2/doc/signatures/2838.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2838.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2838
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure resume_master_activity
-. This procedure is included in
-sys.dbms_repcat_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2839.txt snort-2.9.2/doc/signatures/2839.txt
--- snort-2.8.5.2/doc/signatures/2839.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2839.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2839
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure suspend_master_activity
-. This procedure is included in
-sys.dbms_repcat_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/283.txt snort-2.9.2/doc/signatures/283.txt
--- snort-2.8.5.2/doc/signatures/283.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/283.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid: 283
-
---
-Summary:
-Versions of the Netscape browser including and prior to 4.75 are vulnerable to a buffer overflow that may lead to a root shell listening on port 6968. This event is generated when a request is made to a web site exploiting this vulnerability.
-
---
-Impact:
-System compromize presenting the attacker with the opportunity to
-gain remote access to the victim host.
-
---
-Detailed Information:
-A buffer overflow condition exists in the HTML parser on some versions of Netscape Navigator. It is possible for a remote attacker to gain a root shell on the victim host.
-
-A long password value in a form field may result in an attacker being able to execute arbitrary commands.
-
-Affected Systems:
- Netscape Navigator 4.75 and prior
-
---
-Attack Scenarios:
-The attacker would need to supply a link on a web page or HTML email that triggers the overflow.
-
-Exploit scripts are available
-
---
-Ease of Attack:
-Simple. Exploits are available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Max Vision
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1189
-
-Arachnids:
-http://www.whitehats.com/info/IDS215
-
-Bugtraq:
-http://www.securityfocus.com/bid/822
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2840.txt snort-2.9.2/doc/signatures/2840.txt
--- snort-2.8.5.2/doc/signatures/2840.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2840.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2840
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_snapshot_propagation
-. This procedure is included in
-sys.dbms_repcat_sna_utl.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2841.txt snort-2.9.2/doc/signatures/2841.txt
--- snort-2.8.5.2/doc/signatures/2841.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2841.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2841
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure create_snapshot_repgroup
-. This procedure is included in
-sys.dbms_repcat_sna_utl.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2842.txt snort-2.9.2/doc/signatures/2842.txt
--- snort-2.8.5.2/doc/signatures/2842.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2842.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2842
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_snapshot_repgroup
-. This procedure is included in
-sys.dbms_repcat_sna_utl.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2843.txt snort-2.9.2/doc/signatures/2843.txt
--- snort-2.8.5.2/doc/signatures/2843.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2843.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2843
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_snapshot_repobject
-. This procedure is included in
-sys.dbms_repcat_sna_utl.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2844.txt snort-2.9.2/doc/signatures/2844.txt
--- snort-2.8.5.2/doc/signatures/2844.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2844.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2844
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure refresh_snapshot_repgroup
-. This procedure is included in
-sys.dbms_repcat_sna_utl.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2845.txt snort-2.9.2/doc/signatures/2845.txt
--- snort-2.8.5.2/doc/signatures/2845.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2845.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2845
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure register_snapshot_repgroup
-. This procedure is included in
-sys.dbms_repcat_sna_utl.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2846.txt snort-2.9.2/doc/signatures/2846.txt
--- snort-2.8.5.2/doc/signatures/2846.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2846.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2846
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure repcat_import_check
-. This procedure is included in
-sys.dbms_repcat_sna_utl.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2847.txt snort-2.9.2/doc/signatures/2847.txt
--- snort-2.8.5.2/doc/signatures/2847.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2847.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2847
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure unregister_snapshot_repgroup
-. This procedure is included in
-sys.dbms_repcat_sna_utl.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2848.txt snort-2.9.2/doc/signatures/2848.txt
--- snort-2.8.5.2/doc/signatures/2848.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2848.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2848
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_master_repobject
-. This procedure is included in
-sys.dbms_repcat_utl4.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2849.txt snort-2.9.2/doc/signatures/2849.txt
--- snort-2.8.5.2/doc/signatures/2849.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2849.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2849
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_an_object
-. This procedure is included in
-sys.dbms_repcat_utl.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/284.txt snort-2.9.2/doc/signatures/284.txt
--- snort-2.8.5.2/doc/signatures/284.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/284.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-284
-
---
-Summary:
-This event generated when an attempt is made to exploit a buffer overflow in the pop2 service.
-
---
-Impact:
-Remote access. This attack may permit the execution of arbitrary commands on the vulnerable host with the privileges of the user "nobody".
-
---
-Detailed Information:
-Access to the user "nobody" can be obtained with pop2 or pop3 servers that support "anonymous proxy". "Anonymous proxy" permits the use of a proxy pop server to access mail on another pop server where the user has a valid account. This access to the proxy server as user "nobody". A buffer overflow exists because of improper user input filtering, allowing the attacker to enter an overly long argment to the FOLD command. This may permit the execution of arbitrary commands on the vulernable server with the privileges of the user "nobody".
-
---
-Affected Systems:
-Debian Linux 2.1
-Redhat Linux 4.2, 5.0, 5.1, and 5.2
-University of Washington imap 4.4
-University of Washington pop2d 4.4
-
---
-Attack Scenarios:
-An attacker may attempt to exploit a vulnerable pop2 server, permitting the execution of arbitrary commands with the privilege of user "nobody".
-
---
-Ease of Attack:
-Simple. Exploit scripts are freely available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the pop2d version 4.51 or later.
-
-Compile pop2d to not support anonymous proxing.
-
---
-Contributors:
-Original rule writer unknown
-Documented by Steven Alexander
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq
-http://www.securityfocus.com/bid/283
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2850.txt snort-2.9.2/doc/signatures/2850.txt
--- snort-2.8.5.2/doc/signatures/2850.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2850.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2850
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure create_mview_repobject
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2851.txt snort-2.9.2/doc/signatures/2851.txt
--- snort-2.8.5.2/doc/signatures/2851.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2851.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2851
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure create_snapshot_repobject
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2852.txt snort-2.9.2/doc/signatures/2852.txt
--- snort-2.8.5.2/doc/signatures/2852.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2852.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2852
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure generate_mview_support
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2853.txt snort-2.9.2/doc/signatures/2853.txt
--- snort-2.8.5.2/doc/signatures/2853.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2853.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2853
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure generate_replication_trigger
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2854.txt snort-2.9.2/doc/signatures/2854.txt
--- snort-2.8.5.2/doc/signatures/2854.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2854.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2854
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure generate_snapshot_support
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2855.txt snort-2.9.2/doc/signatures/2855.txt
--- snort-2.8.5.2/doc/signatures/2855.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2855.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2855
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure remove_master_databases
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2856.txt snort-2.9.2/doc/signatures/2856.txt
--- snort-2.8.5.2/doc/signatures/2856.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2856.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2856
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure switch_mview_master
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2857.txt snort-2.9.2/doc/signatures/2857.txt
--- snort-2.8.5.2/doc/signatures/2857.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2857.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2857
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure switch_snapshot_master
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2858.txt snort-2.9.2/doc/signatures/2858.txt
--- snort-2.8.5.2/doc/signatures/2858.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2858.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2858
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_delete_resolution
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2859.txt snort-2.9.2/doc/signatures/2859.txt
--- snort-2.8.5.2/doc/signatures/2859.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2859.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2859
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_priority_char
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/285.txt snort-2.9.2/doc/signatures/285.txt
--- snort-2.8.5.2/doc/signatures/285.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/285.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-285
-
---
-Summary:
-This event generated when an attempt is made to exploit a buffer overflow in the pop2 service.
-
---
-Impact:
-Remote access. This attack may permit the execution of arbitrary commands on the vulnerable host with the privileges of the user "nobody".
-
---
-Detailed Information:
-Access to the user "nobody" can be obtained with pop2 or pop3 servers that support "anonymous proxy". "Anonymous proxy" permits the use of a proxy pop server to access mail on another pop server where the user has a valid account. This access to the proxy server as user "nobody". A buffer overflow exists because of improper user input filtering, allowing the attacker to enter an overly long argment to the FOLD command. This may permit the execution of arbitrary commands on the vulernable server with the privileges of the user "nobody".
-
---
-Affected Systems:
-Debian Linux 2.1
-Redhat Linux 4.2, 5.0, 5.1, and 5.2
-University of Washington imap 4.4
-University of Washington pop2d 4.4
-
---
-Attack Scenarios:
-An attacker may attempt to exploit a vulnerable pop2 server, permitting the execution of arbitrary commands with the privilege of user "nobody".
-
---
-Ease of Attack:
-Simple. Exploit scripts are freely available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the pop2d version 4.51 or later.
-
-Compile pop2d to not support anonymous proxing.
-
---
-Contributors:
-Original rule writer unknown
-Documented by Steven Alexander
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq
-http://www.securityfocus.com/bid/283
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2860.txt snort-2.9.2/doc/signatures/2860.txt
--- snort-2.8.5.2/doc/signatures/2860.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2860.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2860
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_priority_date
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2861.txt snort-2.9.2/doc/signatures/2861.txt
--- snort-2.8.5.2/doc/signatures/2861.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2861.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2861
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_priority_nchar
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2862.txt snort-2.9.2/doc/signatures/2862.txt
--- snort-2.8.5.2/doc/signatures/2862.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2862.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2862
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_priority_number
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2863.txt snort-2.9.2/doc/signatures/2863.txt
--- snort-2.8.5.2/doc/signatures/2863.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2863.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2863
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_priority_nvarchar2
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2864.txt snort-2.9.2/doc/signatures/2864.txt
--- snort-2.8.5.2/doc/signatures/2864.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2864.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2864
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_priority_raw
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2865.txt snort-2.9.2/doc/signatures/2865.txt
--- snort-2.8.5.2/doc/signatures/2865.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2865.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2865
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_priority_varchar2
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2866.txt snort-2.9.2/doc/signatures/2866.txt
--- snort-2.8.5.2/doc/signatures/2866.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2866.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2866
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_site_priority_site
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2867.txt snort-2.9.2/doc/signatures/2867.txt
--- snort-2.8.5.2/doc/signatures/2867.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2867.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2867
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_unique_resolution
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2868.txt snort-2.9.2/doc/signatures/2868.txt
--- snort-2.8.5.2/doc/signatures/2868.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2868.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2868
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_update_resolution
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2869.txt snort-2.9.2/doc/signatures/2869.txt
--- snort-2.8.5.2/doc/signatures/2869.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2869.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2869
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_priority_char
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/286.txt snort-2.9.2/doc/signatures/286.txt
--- snort-2.8.5.2/doc/signatures/286.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/286.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-286
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow in the POP3 qpopper service on BSD systems.
-
---
-Impact:
-An attacker can gain access to a shell running with root privileges.
-
---
-Detailed Information:
-This rule looks for a piece of shell code (executable code) that is
-used to exploit a known vulnerability in an older version of the Qualcom
-based POP3 daemon distributed with BSD Unixes.
-
---
-Affected Systems:
-*BSD systems using Qualcomm Qpopper 2.4
-
---
-Attack Scenarios:
-The attack is done remotely and gives the attacker a command shell
-running with root privileges.
-
---
-Ease of Attack:
-Simple. An exploit is readily available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Install the available security patches from your vendor.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Steven Alexander
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/133
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-1999-0006
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2870.txt snort-2.9.2/doc/signatures/2870.txt
--- snort-2.8.5.2/doc/signatures/2870.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2870.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2870 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure alter_priority_date -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2871.txt snort-2.9.2/doc/signatures/2871.txt --- snort-2.8.5.2/doc/signatures/2871.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2871.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2871 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure alter_priority_nchar -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2872.txt snort-2.9.2/doc/signatures/2872.txt --- snort-2.8.5.2/doc/signatures/2872.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2872.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2872 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure alter_priority_number -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2873.txt snort-2.9.2/doc/signatures/2873.txt --- snort-2.8.5.2/doc/signatures/2873.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2873.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2873 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure alter_priority_nvarchar2 -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2874.txt snort-2.9.2/doc/signatures/2874.txt --- snort-2.8.5.2/doc/signatures/2874.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2874.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2874 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure alter_priority_raw -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2875.txt snort-2.9.2/doc/signatures/2875.txt --- snort-2.8.5.2/doc/signatures/2875.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2875.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2875 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure alter_priority -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2876.txt snort-2.9.2/doc/signatures/2876.txt --- snort-2.8.5.2/doc/signatures/2876.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2876.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2876 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure alter_priority_varchar2 -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2877.txt snort-2.9.2/doc/signatures/2877.txt --- snort-2.8.5.2/doc/signatures/2877.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2877.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2877 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure alter_site_priority_site -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2878.txt snort-2.9.2/doc/signatures/2878.txt --- snort-2.8.5.2/doc/signatures/2878.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2878.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2878 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure alter_site_priority -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2879.txt snort-2.9.2/doc/signatures/2879.txt --- snort-2.8.5.2/doc/signatures/2879.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2879.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2879 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure cancel_statistics -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/287.txt snort-2.9.2/doc/signatures/287.txt --- snort-2.8.5.2/doc/signatures/287.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/287.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -287 - --- -Summary: -This event is generated when a remote attacker attempts to exploit a -QUALCOMM Qpopper POP3 buffer overflow vulnerability in BSD operating -systems. - --- -Impact: -Remote execution of arbitrary code leading to remote root compromise. - --- -Detailed Information: -An exploit is available that takes advantage of a buffer overflow -vulnerability in QUALCOMM Qpopper POP3 mail server version 2.53 or -earlier. This exploit can be used to obtain root access to the -compromised server. - --- -Affected Systems: -BSD distributions that ship QUALCOMM Qpopper POP3 server version 2.53 or -earlier. - --- -Attack Scenarios: -An attacker executes exploit code against a vulnerable server and -obtains root privileges on the compromised computer. - --- -Ease of Attack: -Simple. An exploit exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest version of QUALCOMM Qpopper appropriate for your -BSD distribution. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Sourcefire Technical Publications Team -Jen Harvey - --- -Additional References: - -CERT -http://www.cert.org/advisories/CA-1998-08.html - --- diff -Nru snort-2.8.5.2/doc/signatures/2880.txt snort-2.9.2/doc/signatures/2880.txt --- snort-2.8.5.2/doc/signatures/2880.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2880.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2880 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure comment_on_delete_resolution -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2881.txt snort-2.9.2/doc/signatures/2881.txt --- snort-2.8.5.2/doc/signatures/2881.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2881.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2881 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure comment_on_priority_group -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2882.txt snort-2.9.2/doc/signatures/2882.txt --- snort-2.8.5.2/doc/signatures/2882.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2882.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2882 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure comment_on_site_priority -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2883.txt snort-2.9.2/doc/signatures/2883.txt --- snort-2.8.5.2/doc/signatures/2883.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2883.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2883 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure comment_on_unique_resolution -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2884.txt snort-2.9.2/doc/signatures/2884.txt --- snort-2.8.5.2/doc/signatures/2884.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2884.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2884 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure comment_on_update_resolution -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2885.txt snort-2.9.2/doc/signatures/2885.txt --- snort-2.8.5.2/doc/signatures/2885.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2885.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2885 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure define_priority_group -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2886.txt snort-2.9.2/doc/signatures/2886.txt --- snort-2.8.5.2/doc/signatures/2886.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2886.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2886 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure define_site_priority -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2887.txt snort-2.9.2/doc/signatures/2887.txt --- snort-2.8.5.2/doc/signatures/2887.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2887.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2887
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_delete_resolution
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2888.txt snort-2.9.2/doc/signatures/2888.txt
--- snort-2.8.5.2/doc/signatures/2888.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2888.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2888
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_char
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2889.txt snort-2.9.2/doc/signatures/2889.txt
--- snort-2.8.5.2/doc/signatures/2889.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2889.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2889
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_date
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/288.txt snort-2.9.2/doc/signatures/288.txt
--- snort-2.8.5.2/doc/signatures/288.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/288.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-288
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow in the POP3 service on Linux systems.
-
---
-Impact:
-An attacker can gain access to a shell running with root privileges.
-
---
-Detailed Information:
-This rule looks for a piece of shell code (executable code) that is
-used to exploit a known vulnerability in an older version of the POP3
-daemon distributed in Linux systems.
-
---
-Affected Systems:
-Various Linux versions.
-
---
-Attack Scenarios:
-The attack is done remotely and gives the attacker a command shell
-running with root privileges.
-
---
-Ease of Attack:
-Simple. An exploit is readily available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Install the available security patches from your linux vendor.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Steven Alexander
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2890.txt snort-2.9.2/doc/signatures/2890.txt
--- snort-2.8.5.2/doc/signatures/2890.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2890.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2890
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_nchar
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2891.txt snort-2.9.2/doc/signatures/2891.txt
--- snort-2.8.5.2/doc/signatures/2891.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2891.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2891
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_number
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2892.txt snort-2.9.2/doc/signatures/2892.txt
--- snort-2.8.5.2/doc/signatures/2892.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2892.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2892
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_nvarchar2
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2893.txt snort-2.9.2/doc/signatures/2893.txt
--- snort-2.8.5.2/doc/signatures/2893.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2893.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2893
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_raw
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2894.txt snort-2.9.2/doc/signatures/2894.txt
--- snort-2.8.5.2/doc/signatures/2894.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2894.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2894
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2895.txt snort-2.9.2/doc/signatures/2895.txt
--- snort-2.8.5.2/doc/signatures/2895.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2895.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2895
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_varchar2
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2896.txt snort-2.9.2/doc/signatures/2896.txt
--- snort-2.8.5.2/doc/signatures/2896.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2896.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2896
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_site_priority_site
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2897.txt snort-2.9.2/doc/signatures/2897.txt
--- snort-2.8.5.2/doc/signatures/2897.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2897.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2897
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_site_priority
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2898.txt snort-2.9.2/doc/signatures/2898.txt
--- snort-2.8.5.2/doc/signatures/2898.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2898.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2898
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_unique_resolution
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2899.txt snort-2.9.2/doc/signatures/2899.txt
--- snort-2.8.5.2/doc/signatures/2899.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2899.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2899
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_update_resolution
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/289.txt snort-2.9.2/doc/signatures/289.txt
--- snort-2.8.5.2/doc/signatures/289.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/289.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -289 - --- -Summary: -This event is generated when a remote attacker attempts to exploit a -QUALCOMM Qpopper POP3 buffer overflow vulnerability in SCO OpenServer -systems. - --- -Impact: -Remote execution of arbitrary code leading to remote root compromise. - --- -Detailed Information: -An exploit is available that takes advantage of a buffer overflow -vulnerability in QUALCOMM Qpopper POP3 mail server version 2.53 or -earlier. This exploit can be used to obtain root access to the -compromised server. - --- -Affected Systems: -SCO servers that ship QUALCOMM Qpopper POP3 server version 2.53 or -earlier: - -SCO OpenServer Enterprise System Release 5.0.5, 5.0.6, 5.0.6a - -SCO OpenServer Host System Release 5.0.5, 5.0.6, 5.0.6a - -SCO OpenServer Desktop System Release 5.0.5, 5.0.6, 5.0.6a - -SCO OpenServer Enterprise System Release 5.0.4 - -SCO OpenServer Host System Release 5.0.4 - -SCO OpenServer Desktop System Release 5.0.4 - --- -Attack Scenarios: -An attacker executes exploit code against a vulnerable server and -obtains root privileges on the compromised computer. - --- -Ease of Attack: -Simple. An exploit exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade QUALCOMM Qpopper. See ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.8/ for patched binaries for SCO OpenServer and an advisory with installation instructions. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Sourcefire Technical Publications Team -Jen Harvey - --- -Additional References: - -CERT -http://www.cert.org/advisories/CA-1998-08.html - --- diff -Nru snort-2.8.5.2/doc/signatures/2900.txt snort-2.9.2/doc/signatures/2900.txt --- snort-2.8.5.2/doc/signatures/2900.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2900.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2900
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure purge_statistics
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2901.txt snort-2.9.2/doc/signatures/2901.txt
--- snort-2.8.5.2/doc/signatures/2901.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2901.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2901
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure register_statistics
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2902.txt snort-2.9.2/doc/signatures/2902.txt
--- snort-2.8.5.2/doc/signatures/2902.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2902.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2902
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_snapshot_propagation
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2903.txt snort-2.9.2/doc/signatures/2903.txt
--- snort-2.8.5.2/doc/signatures/2903.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2903.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2903
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure create_snapshot_repgroup
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2904.txt snort-2.9.2/doc/signatures/2904.txt
--- snort-2.8.5.2/doc/signatures/2904.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2904.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2904
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure create_snapshot_repobject
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2905.txt snort-2.9.2/doc/signatures/2905.txt
--- snort-2.8.5.2/doc/signatures/2905.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2905.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2905
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure create_snapshot_repschema
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2906.txt snort-2.9.2/doc/signatures/2906.txt
--- snort-2.8.5.2/doc/signatures/2906.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2906.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2906
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_snapshot_repgroup
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2907.txt snort-2.9.2/doc/signatures/2907.txt
--- snort-2.8.5.2/doc/signatures/2907.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2907.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2907
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_snapshot_repobject
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2908.txt snort-2.9.2/doc/signatures/2908.txt
--- snort-2.8.5.2/doc/signatures/2908.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2908.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2908
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_snapshot_repschema
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2909.txt snort-2.9.2/doc/signatures/2909.txt
--- snort-2.8.5.2/doc/signatures/2909.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2909.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2909
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure generate_snapshot_support
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/290.txt snort-2.9.2/doc/signatures/290.txt
--- snort-2.8.5.2/doc/signatures/290.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/290.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-290
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow in Qualcomm qpopper.
-
---
-Impact:
-Remote access. This attack may permit the execution of arbitrary commands with the privileges of root on the vulernable server.
-
---
-Detailed Information:
-A buffer overflow exploit exists in version 3.x of Qualcomm qpopper daemon, permitting the execution of arbitrary commands with the privileges of root. The buffer overflow vulnerability is present because of improper bounds checking associated with vsprintf() and sprintf() calls in pop_msg.c.
-
---
-Affected Systems:
-Qualcomm qpopper 3.0 b20
-Qualcomm qpopper 3.0
-
---
-Attack Scenarios:
-An attacker may exploit the qpopper buffer overflow vulnerability, permitting the execution of arbitrary commands with the privileges of root on the vulnerable server.
-
---
-Ease of Attack:
-Simple. Exploit code is freely available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
---
-Corrective Action:
-Upgrade to qpopper3.0b22
-
---
-Contributors:
-Original rule writer unknown.
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0822
-
-Bugtraq
-http://www.securityfocus.com/bid/830
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2910.txt snort-2.9.2/doc/signatures/2910.txt
--- snort-2.8.5.2/doc/signatures/2910.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2910.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2910
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure refresh_snapshot_repgroup
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2911.txt snort-2.9.2/doc/signatures/2911.txt
--- snort-2.8.5.2/doc/signatures/2911.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2911.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2911
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure refresh_snapshot_repschema
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2912.txt snort-2.9.2/doc/signatures/2912.txt
--- snort-2.8.5.2/doc/signatures/2912.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2912.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2912
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure register_snapshot_repgroup
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2913.txt snort-2.9.2/doc/signatures/2913.txt
--- snort-2.8.5.2/doc/signatures/2913.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2913.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2913
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure repcat_import_check
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2914.txt snort-2.9.2/doc/signatures/2914.txt
--- snort-2.8.5.2/doc/signatures/2914.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2914.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2914
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure set_local_flavor
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2915.txt snort-2.9.2/doc/signatures/2915.txt
--- snort-2.8.5.2/doc/signatures/2915.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2915.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2915
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure switch_snapshot_master
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2916.txt snort-2.9.2/doc/signatures/2916.txt
--- snort-2.8.5.2/doc/signatures/2916.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2916.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2916
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure unregister_snapshot_repgroup
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2917.txt snort-2.9.2/doc/signatures/2917.txt
--- snort-2.8.5.2/doc/signatures/2917.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2917.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2917
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure switch_snapshot_master
-. This procedure is included in
-sys.dbms_repcat_sna_utl.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2918.txt snort-2.9.2/doc/signatures/2918.txt
--- snort-2.8.5.2/doc/signatures/2918.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2918.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2918
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure validate_for_local_flavor
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2919.txt snort-2.9.2/doc/signatures/2919.txt
--- snort-2.8.5.2/doc/signatures/2919.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2919.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2919
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure register_snapshot_repgroup
-. This procedure is included in
-sys.dbms_repcat_untrusted.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/291.txt snort-2.9.2/doc/signatures/291.txt
--- snort-2.8.5.2/doc/signatures/291.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/291.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-291
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow in the Cassandra NNTP service.
-
---
-Impact:
-Denial of Service.
-
---
-Detailed Information:
-The denial of service is caused by providing an unusually long login
-name. The rule looks for a data payload of over 512 characters.
-
---
-Affected Systems:
- Cassandra NNTP server v1.10
-
---
-Attack Scenarios:
-The attack is done remotely and causes denial of service.
-
---
-Ease of Attack:
-Simple. An exploit is readily available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Install the available security patches from your vendor.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Steven Alexander
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS274
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2000-0341
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2921.txt snort-2.9.2/doc/signatures/2921.txt
--- snort-2.8.5.2/doc/signatures/2921.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2921.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-2921
-
---
-Summary:
-This event is generated when an inverse query attempt is made using UDP.
-
---
-
-Impact:
-Possible execution of arbitrary code.
-
---
-Detailed Information:
-Bind 8 contains a programming error that may present an attacker with
-the opportunity to execute code of their choosing on an affected server.
-
-The error occurs in the handling of malformed transactions. When using
-UDP this can result in the attacker causing a stack overflow in named.
-
---
-Affected Systems:
- Bind 8.
-
---
-Attack Scenarios:
-An attacker needs to send a specially crafted and malformed query to an
-affected server.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2922.txt snort-2.9.2/doc/signatures/2922.txt
--- snort-2.8.5.2/doc/signatures/2922.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2922.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-2922
-
---
-Summary:
-This event is generated when an inverse query attempt is made using TCP.
-
---
-
-Impact:
-Possible execution of arbitrary code.
-
---
-Detailed Information:
-Bind 8 contains a programming error that may present an attacker with
-the opportunity to execute code of their choosing on an affected server.
-
-The error occurs in the handling of malformed transactions. When using
-TCP this can result in the attacker causing a heap overflow.
-
---
-Affected Systems:
- Bind 8.
-
---
-Attack Scenarios:
-An attacker needs to send a specially crafted and malformed query to an
-affected server.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2923.txt snort-2.9.2/doc/signatures/2923.txt
--- snort-2.8.5.2/doc/signatures/2923.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2923.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-2923
-
---
-Summary:
-This event is generated when repeated failed attempts are made to access
-an SMB share.
-
---
-Impact:
-Unknown. Possible information disclosure and loss of data.
-
---
-Detailed Information:
-This event indicates that multiple failed attempts have been made to
-access an SMB network share. This may indicate a determined effort by an
-unauthorized user to access information and data on a network share.
-
---
-Affected Systems:
- All systems sharing resources using SMB
-
---
-Attack Scenarios:
-An attacker can make repeated attempts to access network shares in an
-attempt to gain information.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply strict access control to all networked resources.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2924.txt snort-2.9.2/doc/signatures/2924.txt
--- snort-2.8.5.2/doc/signatures/2924.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2924.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-2924
-
---
-Summary:
-This event is generated when repeated failed attempts are made to access
-an SMB share.
-
---
-Impact:
-Unknown. Possible information disclosure and loss of data.
-
---
-Detailed Information:
-This event indicates that multiple failed attempts have been made to
-access an SMB network share. This may indicate a determined effort by an
-unauthorized user to access information and data on a network share.
-
---
-Affected Systems:
- All systems sharing resources using SMB
-
---
-Attack Scenarios:
-An attacker can make repeated attempts to access network shares in an
-attempt to gain information.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply strict access control to all networked resources.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2925.txt snort-2.9.2/doc/signatures/2925.txt
--- snort-2.8.5.2/doc/signatures/2925.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2925.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2925
-
---
-Summary:
-This event is generated when an image fitting the profile of a web bug
-has been detected in network traffic.
-
---
-
-Impact:
-Information disclosure.
-
---
-Detailed Information:
-Web bugs are 1x1 pixel image files that are found in web pages or HTML
-email. These are often used to monitor and track a users activity on the
-web. Information such as the browsers IP address, cookie information,
-time, browser version and other user identifiable charateristics can be
-collected using web bugs.
-
-This rule identifies an image that conforms to the usual size and format
-of a web bug.
-
---
-Affected Systems:
- All.
-
---
-Attack Scenarios:
-An attacker can use this type of image in an HTML email or on a web
-page to gather information about the host and user. Since these images
-can be not only small but transparent, they are almost undetectable in
-HTML pages.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow the use of HTML email
-
-Use a web proxy server to strip all web bug images from server
-responses.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2926.txt snort-2.9.2/doc/signatures/2926.txt
--- snort-2.8.5.2/doc/signatures/2926.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2926.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2926
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application PhpGedView.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-PhpGedView contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the PGV_BASE_DIRECTORY
-parameter when making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root.
-
---
-Affected Systems:
- PhpGedView 2.65.1 and earlier
-
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path to the PGV_BASE_DIRECTORY variable.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2927.txt snort-2.9.2/doc/signatures/2927.txt
--- snort-2.8.5.2/doc/signatures/2927.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2927.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-2927
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft implementation of the Network News Transport
-Protocol (NNTP) for Internet Information Server (IIS).
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-The Microsoft implementation of NNTP for IIS contains a programming
-error in the processing of user supplied input that may present an
-attacker with multiple opportunites to execute code of their choosing on
-an affected system.
-
---
-Affected Systems:
-. Microsoft Windows NT Server 4.0 NNTP component
-. Microsoft Windows 2000 Server NNTP component
-. Microsoft Windows Server 2003 NNTP Component
-. Microsoft Windows Server 2003 64-Bit Edition NNTP Component
-
---
-Attack Scenarios:
-An attacker must supply specially crafted input to a vulnerable system
-to cause the overflow to occur.
-
---
-Ease of Attack:
-Moderate. Example code exists.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-CORE Technologies:
-http://www.coresecurity.com/common/showdoc.php?idx=420&idxseccion=10
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2928.txt snort-2.9.2/doc/signatures/2928.txt
--- snort-2.8.5.2/doc/signatures/2928.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2928.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2928
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2929.txt snort-2.9.2/doc/signatures/2929.txt
--- snort-2.8.5.2/doc/signatures/2929.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2929.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2929
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.8.5.2/doc/signatures/292.txt snort-2.9.2/doc/signatures/292.txt
--- snort-2.8.5.2/doc/signatures/292.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/292.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid: 292
-
---
-Summary:
-Versions of the file sharing software Samba 1.9.19 and prior contain a buffer overflow condition that can be exploited by supplying an overly long password to the Samba server.
-
---
-Impact:
-System compromize presenting the attacker with the opportunity to
-gain remote access to the victim host or execute arbitrary code with the privileges of the user running the Samba server.
-
---
-Detailed Information:
-Samba is used to share files and printers between hosts on a network. A buffer overflow in the handling of passwords exists such that an overly long password can trigger the vulnerability presenting the attacker with an opportunity to remotely compromise the server running the Samba software.
-
-Affected Systems:
- Samba 1.9.19 and prior
-
---
-Attack Scenarios:
-The attacker would need to supply an excessively long password.
-
-Exploit scripts are available
-
---
-Ease of Attack:
-Simple. Exploits are available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to the latest version of Samba.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0182
-
-Bugtraq:
-http://www.securityfocus.com/bid/1816
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2930.txt snort-2.9.2/doc/signatures/2930.txt
--- snort-2.8.5.2/doc/signatures/2930.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2930.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2930
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2931.txt snort-2.9.2/doc/signatures/2931.txt
--- snort-2.8.5.2/doc/signatures/2931.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2931.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2931
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2932.txt snort-2.9.2/doc/signatures/2932.txt
--- snort-2.8.5.2/doc/signatures/2932.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2932.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2932
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2933.txt snort-2.9.2/doc/signatures/2933.txt
--- snort-2.8.5.2/doc/signatures/2933.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2933.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2933
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2934.txt snort-2.9.2/doc/signatures/2934.txt
--- snort-2.8.5.2/doc/signatures/2934.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2934.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2934
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2935.txt snort-2.9.2/doc/signatures/2935.txt
--- snort-2.8.5.2/doc/signatures/2935.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2935.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2935
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2936.txt snort-2.9.2/doc/signatures/2936.txt
--- snort-2.8.5.2/doc/signatures/2936.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2936.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2936
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2937.txt snort-2.9.2/doc/signatures/2937.txt
--- snort-2.8.5.2/doc/signatures/2937.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2937.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2937
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2938.txt snort-2.9.2/doc/signatures/2938.txt
--- snort-2.8.5.2/doc/signatures/2938.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2938.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2938
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2939.txt snort-2.9.2/doc/signatures/2939.txt
--- snort-2.8.5.2/doc/signatures/2939.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2939.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2939
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.8.5.2/doc/signatures/2940.txt snort-2.9.2/doc/signatures/2940.txt
--- snort-2.8.5.2/doc/signatures/2940.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/2940.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -2940 - --- -Summary: -This event is generated when an attempt is made to bind to the Windows -registry service via SMB. - --- -Impact: -Serious. Remote administration of the Windows reqistry may be possible. - --- -Detailed Information: -This event indicates that an attempt was made to bind to the Windows -registry service via SMB across the network. - -It may be possible for an attacker to manipulate the Windows registry -from a remote location. This could give the attacker administrative -privileges on the target host as well as the opportunity to execute code -of their choosing. - --- -Affected Systems: - Microsoft Windows systems. - --- -Attack Scenarios: -If the Windows registry is accessible via SMB the attacker can -manipulate the operating system registry settings. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the host for signs of system compromise. - -Turn off file and print sharing on the target host. - -Use a packet filtering firewall to disallow SMB access to the host from -sources external to the protected network. - -Disallow remote registry manipulation. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2941.txt snort-2.9.2/doc/signatures/2941.txt --- snort-2.8.5.2/doc/signatures/2941.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2941.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -2941 - --- -Summary: -This event is generated when an attempt is made to bind to the Windows -registry service via SMB. - --- -Impact: -Serious. Remote administration of the Windows reqistry may be possible. - --- -Detailed Information: -This event indicates that an attempt was made to bind to the Windows -registry service via SMB across the network. - -It may be possible for an attacker to manipulate the Windows registry -from a remote location. This could give the attacker administrative -privileges on the target host as well as the opportunity to execute code -of their choosing. - --- -Affected Systems: - Microsoft Windows systems. - --- -Attack Scenarios: -If the Windows registry is accessible via SMB the attacker can -manipulate the operating system registry settings. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the host for signs of system compromise. - -Turn off file and print sharing on the target host. - -Use a packet filtering firewall to disallow SMB access to the host from -sources external to the protected network. - -Disallow remote registry manipulation. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2942.txt snort-2.9.2/doc/signatures/2942.txt --- snort-2.8.5.2/doc/signatures/2942.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2942.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,66 +0,0 @@ -Rule: - --- -Sid: -2942 - --- -Summary: -This event is generated when an attempt is made to shutdown a Windows -system via SMB. - --- -Impact: -Serious. - --- -Detailed Information: -This event indicates that an attempt was made to shutdown a Windows -system via SMB across the network. - -It may be possible for an attacker to manipulate a Windows system -from a remote location. Shutting down a system may lead to a Denial of -Service for the target host. - --- -Affected Systems: - Microsoft Windows systems. - --- -Attack Scenarios: -An attacker may be able to manipulate a target system using SMB. The -attacker may gain complete control over the affected system. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the host for signs of system compromise. - -Turn off file and print sharing on the target host. - -Use a packet filtering firewall to disallow SMB access to the host from -sources external to the protected network. - -Disallow remote registry manipulation. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2943.txt snort-2.9.2/doc/signatures/2943.txt --- snort-2.8.5.2/doc/signatures/2943.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2943.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,66 +0,0 @@ -Rule: - --- -Sid: -2943 - --- -Summary: -This event is generated when an attempt is made to shutdown a Windows -system via SMB. - --- -Impact: -Serious. - --- -Detailed Information: -This event indicates that an attempt was made to shutdown a Windows -system via SMB across the network. - -It may be possible for an attacker to manipulate a Windows system -from a remote location. Shutting down a system may lead to a Denial of -Service for the target host. - --- -Affected Systems: - Microsoft Windows systems. - --- -Attack Scenarios: -An attacker may be able to manipulate a target system using SMB. The -attacker may gain complete control over the affected system. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the host for signs of system compromise. - -Turn off file and print sharing on the target host. - -Use a packet filtering firewall to disallow SMB access to the host from -sources external to the protected network. - -Disallow remote registry manipulation. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2944.txt snort-2.9.2/doc/signatures/2944.txt --- snort-2.8.5.2/doc/signatures/2944.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2944.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,66 +0,0 @@ -Rule: - --- -Sid: -2944 - --- -Summary: -This event is generated when an attempt is made to shutdown a Windows -system via SMB. - --- -Impact: -Serious. - --- -Detailed Information: -This event indicates that an attempt was made to shutdown a Windows -system via SMB across the network. - -It may be possible for an attacker to manipulate a Windows system -from a remote location. Shutting down a system may lead to a Denial of -Service for the target host. - --- -Affected Systems: - Microsoft Windows systems. - --- -Attack Scenarios: -An attacker may be able to manipulate a target system using SMB. The -attacker may gain complete control over the affected system. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the host for signs of system compromise. - -Turn off file and print sharing on the target host. - -Use a packet filtering firewall to disallow SMB access to the host from -sources external to the protected network. - -Disallow remote registry manipulation. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2945.txt snort-2.9.2/doc/signatures/2945.txt --- snort-2.8.5.2/doc/signatures/2945.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2945.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,66 +0,0 @@ -Rule: - --- -Sid: -2945 - --- -Summary: -This event is generated when an attempt is made to shutdown a Windows -system via SMB. - --- -Impact: -Serious. - --- -Detailed Information: -This event indicates that an attempt was made to shutdown a Windows -system via SMB across the network. - -It may be possible for an attacker to manipulate a Windows system -from a remote location. Shutting down a system may lead to a Denial of -Service for the target host. - --- -Affected Systems: - Microsoft Windows systems. - --- -Attack Scenarios: -An attacker may be able to manipulate a target system using SMB. The -attacker may gain complete control over the affected system. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the host for signs of system compromise. - -Turn off file and print sharing on the target host. - -Use a packet filtering firewall to disallow SMB access to the host from -sources external to the protected network. - -Disallow remote registry manipulation. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2946.txt snort-2.9.2/doc/signatures/2946.txt --- snort-2.8.5.2/doc/signatures/2946.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2946.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2946 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE) -services. - --- -Impact: -Serious. Execution of arbitrary code with system level privileges - --- -Detailed Information: -A vulnerability exists in Microsoft NetDDE that may allow an attacker to -run code of their choosing with system level privileges. A programming -error in the handling of network messages may give an attacker the -opportunity to overflow a fixed length buffer by using a specially -crafted NetDDE message. - -This service is not started by default on Microsoft Windows systems, but -this issue can also be exploited locally in an attempt to escalate -privileges after a successful attack from an alternate vector. - --- -Affected Systems: - Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems. - --- -Attack Scenarios: -An attacker needs to craft a special NetDDE message in order to overflow -the affected buffer. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Disable the NetDDE service. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft Security Bulletin MS04-031: -http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx - --- diff -Nru snort-2.8.5.2/doc/signatures/2947.txt snort-2.9.2/doc/signatures/2947.txt --- snort-2.8.5.2/doc/signatures/2947.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2947.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2947 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE) -services. - --- -Impact: -Serious. Execution of arbitrary code with system level privileges - --- -Detailed Information: -A vulnerability exists in Microsoft NetDDE that may allow an attacker to -run code of their choosing with system level privileges. A programming -error in the handling of network messages may give an attacker the -opportunity to overflow a fixed length buffer by using a specially -crafted NetDDE message. - -This service is not started by default on Microsoft Windows systems, but -this issue can also be exploited locally in an attempt to escalate -privileges after a successful attack from an alternate vector. - --- -Affected Systems: - Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems. - --- -Attack Scenarios: -An attacker needs to craft a special NetDDE message in order to overflow -the affected buffer. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Disable the NetDDE service. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft Security Bulletin MS04-031: -http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx - --- diff -Nru snort-2.8.5.2/doc/signatures/2948.txt snort-2.9.2/doc/signatures/2948.txt --- snort-2.8.5.2/doc/signatures/2948.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2948.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2948 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE) -services. - --- -Impact: -Serious. Execution of arbitrary code with system level privileges - --- -Detailed Information: -A vulnerability exists in Microsoft NetDDE that may allow an attacker to -run code of their choosing with system level privileges. A programming -error in the handling of network messages may give an attacker the -opportunity to overflow a fixed length buffer by using a specially -crafted NetDDE message. - -This service is not started by default on Microsoft Windows systems, but -this issue can also be exploited locally in an attempt to escalate -privileges after a successful attack from an alternate vector. - --- -Affected Systems: - Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems. - --- -Attack Scenarios: -An attacker needs to craft a special NetDDE message in order to overflow -the affected buffer. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Disable the NetDDE service. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft Security Bulletin MS04-031: -http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx - --- diff -Nru snort-2.8.5.2/doc/signatures/2949.txt snort-2.9.2/doc/signatures/2949.txt --- snort-2.8.5.2/doc/signatures/2949.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2949.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2949 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE) -services. - --- -Impact: -Serious. Execution of arbitrary code with system level privileges - --- -Detailed Information: -A vulnerability exists in Microsoft NetDDE that may allow an attacker to -run code of their choosing with system level privileges. A programming -error in the handling of network messages may give an attacker the -opportunity to overflow a fixed length buffer by using a specially -crafted NetDDE message. - -This service is not started by default on Microsoft Windows systems, but -this issue can also be exploited locally in an attempt to escalate -privileges after a successful attack from an alternate vector. - --- -Affected Systems: - Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems. - --- -Attack Scenarios: -An attacker needs to craft a special NetDDE message in order to overflow -the affected buffer. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Disable the NetDDE service. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft Security Bulletin MS04-031: -http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx - --- diff -Nru snort-2.8.5.2/doc/signatures/2950.txt snort-2.9.2/doc/signatures/2950.txt --- snort-2.8.5.2/doc/signatures/2950.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2950.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: -2950 - --- -Summary: -This event is generated when multiple stacked SMB requests are made. - --- -Impact: -Possible IDS evasion. - --- -Detailed Information: -This event is generated when multiple stacked SMB requests are detected. -This behavior does not occur on a regular basis in normal network -traffic. This event may indicate an attempt to evade an IDS. - --- -Affected Systems: - All systems using SMB. - --- -Attack Scenarios: -An attacker might create multiple stacked SMB requests in an attempt to -bypass an IDS. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -If the second and third stacked requests are of a combined length that -is less than 37 bytes this rule will not generate an event. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Disallow the use of SMB. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/2951.txt snort-2.9.2/doc/signatures/2951.txt --- snort-2.8.5.2/doc/signatures/2951.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2951.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: -2951 - --- -Summary: -This event is generated when multiple stacked SMB requests are made. - --- -Impact: -Possible IDS evasion. - --- -Detailed Information: -This event is generated when multiple stacked SMB requests are detected. -This behavior does not occur on a regular basis in normal network -traffic. This event may indicate an attempt to evade an IDS. - --- -Affected Systems: - All systems using SMB. - --- -Attack Scenarios: -An attacker might create multiple stacked SMB requests in an attempt to -bypass an IDS. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -If the second and third stacked requests are of a combined length that -is less than 37 bytes this rule will not generate an event. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Disallow the use of SMB. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/2952.txt snort-2.9.2/doc/signatures/2952.txt --- snort-2.8.5.2/doc/signatures/2952.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2952.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2952 - --- -Summary: -This event is generated when an attempt is made to gain access to -private resources using Samba. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server. - --- -Detailed Information: -This event is generated when an attempt is made to use Samba to gain -access to private or administrative shares on a host. - --- -Affected Systems: - All systems using Samba for file sharing. - All systems using file and print sharing for Windows. - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -direct access to Windows adminsitrative shares. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. - --- -Contributors: -Original Rule Writer Max Vision -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2953.txt snort-2.9.2/doc/signatures/2953.txt --- snort-2.8.5.2/doc/signatures/2953.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2953.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2953 - --- -Summary: -This event is generated when an attempt is made to gain access to -private resources using Samba. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server. - --- -Detailed Information: -This event is generated when an attempt is made to use Samba to gain -access to private or administrative shares on a host. - --- -Affected Systems: - All systems using Samba for file sharing. - All systems using file and print sharing for Windows. - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -direct access to Windows adminsitrative shares. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. - --- -Contributors: -Original Rule Writer Max Vision -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2954.txt snort-2.9.2/doc/signatures/2954.txt --- snort-2.8.5.2/doc/signatures/2954.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2954.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2954 - --- -Summary: -This event is generated when an attempt is made to gain access to -private resources using Samba. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server. - --- -Detailed Information: -This event is generated when an attempt is made to use Samba to gain -access to private or administrative shares on a host. - --- -Affected Systems: - All systems using Samba for file sharing. - All systems using file and print sharing for Windows. - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -direct access to Windows adminsitrative shares. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2955.txt snort-2.9.2/doc/signatures/2955.txt --- snort-2.8.5.2/doc/signatures/2955.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2955.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2955 - --- -Summary: -This event is generated when an attempt is made to gain access to -private resources using Samba. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server. - --- -Detailed Information: -This event is generated when an attempt is made to use Samba to gain -access to private or administrative shares on a host. - --- -Affected Systems: - All systems using Samba for file sharing. - All systems using file and print sharing for Windows. - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -direct access to Windows adminsitrative shares. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2956.txt snort-2.9.2/doc/signatures/2956.txt --- snort-2.8.5.2/doc/signatures/2956.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2956.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2956 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE) -services. - --- -Impact: -Serious. Execution of arbitrary code with system level privileges - --- -Detailed Information: -A vulnerability exists in Microsoft NetDDE that may allow an attacker to -run code of their choosing with system level privileges. A programming -error in the handling of network messages may give an attacker the -opportunity to overflow a fixed length buffer by using a specially -crafted NetDDE message. - -This service is not started by default on Microsoft Windows systems, but -this issue can also be exploited locally in an attempt to escalate -privileges after a successful attack from an alternate vector. - --- -Affected Systems: - Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems. - --- -Attack Scenarios: -An attacker needs to craft a special NetDDE message in order to overflow -the affected buffer. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Disable the NetDDE service. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft Security Bulletin MS04-031: -http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx - --- diff -Nru snort-2.8.5.2/doc/signatures/2957.txt snort-2.9.2/doc/signatures/2957.txt --- snort-2.8.5.2/doc/signatures/2957.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2957.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2957 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE) -services. - --- -Impact: -Serious. Execution of arbitrary code with system level privileges - --- -Detailed Information: -A vulnerability exists in Microsoft NetDDE that may allow an attacker to -run code of their choosing with system level privileges. A programming -error in the handling of network messages may give an attacker the -opportunity to overflow a fixed length buffer by using a specially -crafted NetDDE message. - -This service is not started by default on Microsoft Windows systems, but -this issue can also be exploited locally in an attempt to escalate -privileges after a successful attack from an alternate vector. - --- -Affected Systems: - Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems. - --- -Attack Scenarios: -An attacker needs to craft a special NetDDE message in order to overflow -the affected buffer. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Disable the NetDDE service. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft Security Bulletin MS04-031: -http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx - --- diff -Nru snort-2.8.5.2/doc/signatures/2958.txt snort-2.9.2/doc/signatures/2958.txt --- snort-2.8.5.2/doc/signatures/2958.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2958.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2958 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE) -services. - --- -Impact: -Serious. Execution of arbitrary code with system level privileges - --- -Detailed Information: -A vulnerability exists in Microsoft NetDDE that may allow an attacker to -run code of their choosing with system level privileges. A programming -error in the handling of network messages may give an attacker the -opportunity to overflow a fixed length buffer by using a specially -crafted NetDDE message. - -This service is not started by default on Microsoft Windows systems, but -this issue can also be exploited locally in an attempt to escalate -privileges after a successful attack from an alternate vector. - --- -Affected Systems: - Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems. - --- -Attack Scenarios: -An attacker needs to craft a special NetDDE message in order to overflow -the affected buffer. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Disable the NetDDE service. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft Security Bulletin MS04-031: -http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx - --- diff -Nru snort-2.8.5.2/doc/signatures/2959.txt snort-2.9.2/doc/signatures/2959.txt --- snort-2.8.5.2/doc/signatures/2959.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2959.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2959 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE) -services. - --- -Impact: -Serious. Execution of arbitrary code with system level privileges - --- -Detailed Information: -A vulnerability exists in Microsoft NetDDE that may allow an attacker to -run code of their choosing with system level privileges. A programming -error in the handling of network messages may give an attacker the -opportunity to overflow a fixed length buffer by using a specially -crafted NetDDE message. - -This service is not started by default on Microsoft Windows systems, but -this issue can also be exploited locally in an attempt to escalate -privileges after a successful attack from an alternate vector. - --- -Affected Systems: - Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems. - --- -Attack Scenarios: -An attacker needs to craft a special NetDDE message in order to overflow -the affected buffer. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Disable the NetDDE service. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft Security Bulletin MS04-031: -http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx - --- diff -Nru snort-2.8.5.2/doc/signatures/295.txt snort-2.9.2/doc/signatures/295.txt --- snort-2.8.5.2/doc/signatures/295.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/295.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@ -SID: -295 --- - -Rule: --- - -Summary: -This event is triggered when an attempt is made to overflow an imapd -server. --- - -Impact: -Commands may be run on the IMAP server as the root user, This can lead -to a complete compromise of the targeted system --- - -Detailed Information: -Failure to check the size of the value passed to the 'AUTHENTICATE' -command on certain IMAPD implementations can lead to a buffer overflow. -This in turn can allow arbitrary commands to be executed on the server. --- - -Affected Systems: - Netscape Messaging Server 3.55 - University of Washington imapd 10.234 --- - -Attack Scenarios: -An attacker may attempt to exploit a vulnerable imapd server, permitting -the execution of arbitrary commands possibly with the privilege of user -"root". --- - -Ease of Attack: -simple. Sample exploit code is available. --- - -False Positives: -None known --- - -False Negatives: -None known --- - -Corrective Action: -Vendors have provided updated versions, upgrading will resolve this -problem --- - -Contributors: -Snort documentation contributed by matthew harvey -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2960.txt snort-2.9.2/doc/signatures/2960.txt --- snort-2.8.5.2/doc/signatures/2960.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2960.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2960 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE) -services. - --- -Impact: -Serious. Execution of arbitrary code with system level privileges - --- -Detailed Information: -A vulnerability exists in Microsoft NetDDE that may allow an attacker to -run code of their choosing with system level privileges. A programming -error in the handling of network messages may give an attacker the -opportunity to overflow a fixed length buffer by using a specially -crafted NetDDE message. - -This service is not started by default on Microsoft Windows systems, but -this issue can also be exploited locally in an attempt to escalate -privileges after a successful attack from an alternate vector. - --- -Affected Systems: - Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems. - --- -Attack Scenarios: -An attacker needs to craft a special NetDDE message in order to overflow -the affected buffer. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Disable the NetDDE service. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft Security Bulletin MS04-031: -http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx - --- diff -Nru snort-2.8.5.2/doc/signatures/2961.txt snort-2.9.2/doc/signatures/2961.txt --- snort-2.8.5.2/doc/signatures/2961.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2961.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2961 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE) -services. - --- -Impact: -Serious. Execution of arbitrary code with system level privileges - --- -Detailed Information: -A vulnerability exists in Microsoft NetDDE that may allow an attacker to -run code of their choosing with system level privileges. A programming -error in the handling of network messages may give an attacker the -opportunity to overflow a fixed length buffer by using a specially -crafted NetDDE message. - -This service is not started by default on Microsoft Windows systems, but -this issue can also be exploited locally in an attempt to escalate -privileges after a successful attack from an alternate vector. - --- -Affected Systems: - Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems. - --- -Attack Scenarios: -An attacker needs to craft a special NetDDE message in order to overflow -the affected buffer. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Disable the NetDDE service. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft Security Bulletin MS04-031: -http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx - --- diff -Nru snort-2.8.5.2/doc/signatures/2962.txt snort-2.9.2/doc/signatures/2962.txt --- snort-2.8.5.2/doc/signatures/2962.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2962.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2962 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE) -services. - --- -Impact: -Serious. Execution of arbitrary code with system level privileges - --- -Detailed Information: -A vulnerability exists in Microsoft NetDDE that may allow an attacker to -run code of their choosing with system level privileges. A programming -error in the handling of network messages may give an attacker the -opportunity to overflow a fixed length buffer by using a specially -crafted NetDDE message. - -This service is not started by default on Microsoft Windows systems, but -this issue can also be exploited locally in an attempt to escalate -privileges after a successful attack from an alternate vector. - --- -Affected Systems: - Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems. - --- -Attack Scenarios: -An attacker needs to craft a special NetDDE message in order to overflow -the affected buffer. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Disable the NetDDE service. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft Security Bulletin MS04-031: -http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx - --- diff -Nru snort-2.8.5.2/doc/signatures/2963.txt snort-2.9.2/doc/signatures/2963.txt --- snort-2.8.5.2/doc/signatures/2963.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2963.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2963 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE) -services. - --- -Impact: -Serious. Execution of arbitrary code with system level privileges - --- -Detailed Information: -A vulnerability exists in Microsoft NetDDE that may allow an attacker to -run code of their choosing with system level privileges. A programming -error in the handling of network messages may give an attacker the -opportunity to overflow a fixed length buffer by using a specially -crafted NetDDE message. - -This service is not started by default on Microsoft Windows systems, but -this issue can also be exploited locally in an attempt to escalate -privileges after a successful attack from an alternate vector. - --- -Affected Systems: - Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems. - --- -Attack Scenarios: -An attacker needs to craft a special NetDDE message in order to overflow -the affected buffer. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Disable the NetDDE service. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft Security Bulletin MS04-031: -http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx - --- diff -Nru snort-2.8.5.2/doc/signatures/2964.txt snort-2.9.2/doc/signatures/2964.txt --- snort-2.8.5.2/doc/signatures/2964.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2964.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2964 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE) -services. - --- -Impact: -Serious. Execution of arbitrary code with system level privileges - --- -Detailed Information: -A vulnerability exists in Microsoft NetDDE that may allow an attacker to -run code of their choosing with system level privileges. A programming -error in the handling of network messages may give an attacker the -opportunity to overflow a fixed length buffer by using a specially -crafted NetDDE message. - -This service is not started by default on Microsoft Windows systems, but -this issue can also be exploited locally in an attempt to escalate -privileges after a successful attack from an alternate vector. - --- -Affected Systems: - Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems. - --- -Attack Scenarios: -An attacker needs to craft a special NetDDE message in order to overflow -the affected buffer. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Disable the NetDDE service. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft Security Bulletin MS04-031: -http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx - --- diff -Nru snort-2.8.5.2/doc/signatures/2965.txt snort-2.9.2/doc/signatures/2965.txt --- snort-2.8.5.2/doc/signatures/2965.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2965.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2965 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE) -services. - --- -Impact: -Serious. Execution of arbitrary code with system level privileges - --- -Detailed Information: -A vulnerability exists in Microsoft NetDDE that may allow an attacker to -run code of their choosing with system level privileges. A programming -error in the handling of network messages may give an attacker the -opportunity to overflow a fixed length buffer by using a specially -crafted NetDDE message. - -This service is not started by default on Microsoft Windows systems, but -this issue can also be exploited locally in an attempt to escalate -privileges after a successful attack from an alternate vector. - --- -Affected Systems: - Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems. - --- -Attack Scenarios: -An attacker needs to craft a special NetDDE message in order to overflow -the affected buffer. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Disable the NetDDE service. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft Security Bulletin MS04-031: -http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx - --- diff -Nru snort-2.8.5.2/doc/signatures/2966.txt snort-2.9.2/doc/signatures/2966.txt --- snort-2.8.5.2/doc/signatures/2966.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2966.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2966 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE) -services. - --- -Impact: -Serious. Execution of arbitrary code with system level privileges - --- -Detailed Information: -A vulnerability exists in Microsoft NetDDE that may allow an attacker to -run code of their choosing with system level privileges. A programming -error in the handling of network messages may give an attacker the -opportunity to overflow a fixed length buffer by using a specially -crafted NetDDE message. - -This service is not started by default on Microsoft Windows systems, but -this issue can also be exploited locally in an attempt to escalate -privileges after a successful attack from an alternate vector. - --- -Affected Systems: - Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems. - --- -Attack Scenarios: -An attacker needs to craft a special NetDDE message in order to overflow -the affected buffer. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Disable the NetDDE service. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft Security Bulletin MS04-031: -http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx - --- diff -Nru snort-2.8.5.2/doc/signatures/2967.txt snort-2.9.2/doc/signatures/2967.txt --- snort-2.8.5.2/doc/signatures/2967.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2967.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2967 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE) -services. - --- -Impact: -Serious. Execution of arbitrary code with system level privileges - --- -Detailed Information: -A vulnerability exists in Microsoft NetDDE that may allow an attacker to -run code of their choosing with system level privileges. A programming -error in the handling of network messages may give an attacker the -opportunity to overflow a fixed length buffer by using a specially -crafted NetDDE message. - -This service is not started by default on Microsoft Windows systems, but -this issue can also be exploited locally in an attempt to escalate -privileges after a successful attack from an alternate vector. - --- -Affected Systems: - Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems. - --- -Attack Scenarios: -An attacker needs to craft a special NetDDE message in order to overflow -the affected buffer. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Disable the NetDDE service. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft Security Bulletin MS04-031: -http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx - --- diff -Nru snort-2.8.5.2/doc/signatures/2968.txt snort-2.9.2/doc/signatures/2968.txt --- snort-2.8.5.2/doc/signatures/2968.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2968.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2968 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE) -services. - --- -Impact: -Serious. Execution of arbitrary code with system level privileges - --- -Detailed Information: -A vulnerability exists in Microsoft NetDDE that may allow an attacker to -run code of their choosing with system level privileges. A programming -error in the handling of network messages may give an attacker the -opportunity to overflow a fixed length buffer by using a specially -crafted NetDDE message. - -This service is not started by default on Microsoft Windows systems, but -this issue can also be exploited locally in an attempt to escalate -privileges after a successful attack from an alternate vector. - --- -Affected Systems: - Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems. - --- -Attack Scenarios: -An attacker needs to craft a special NetDDE message in order to overflow -the affected buffer. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Disable the NetDDE service. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft Security Bulletin MS04-031: -http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx - --- diff -Nru snort-2.8.5.2/doc/signatures/2969.txt snort-2.9.2/doc/signatures/2969.txt --- snort-2.8.5.2/doc/signatures/2969.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2969.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2969 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE) -services. - --- -Impact: -Serious. Execution of arbitrary code with system level privileges - --- -Detailed Information: -A vulnerability exists in Microsoft NetDDE that may allow an attacker to -run code of their choosing with system level privileges. A programming -error in the handling of network messages may give an attacker the -opportunity to overflow a fixed length buffer by using a specially -crafted NetDDE message. - -This service is not started by default on Microsoft Windows systems, but -this issue can also be exploited locally in an attempt to escalate -privileges after a successful attack from an alternate vector. - --- -Affected Systems: - Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems. - --- -Attack Scenarios: -An attacker needs to craft a special NetDDE message in order to overflow -the affected buffer. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Disable the NetDDE service. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft Security Bulletin MS04-031: -http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx - --- diff -Nru snort-2.8.5.2/doc/signatures/296.txt snort-2.9.2/doc/signatures/296.txt --- snort-2.8.5.2/doc/signatures/296.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/296.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@ -SID: -296 --- - -Rule: --- - -Summary: -This event is triggered when an attempt is made to overflow an imapd -server. --- - -Impact: -Commands may be run on the IMAP server as the root user, This can lead -to a complete compromise of the targeted system --- - -Detailed Information: -Failure to check the size of the value passed to the 'AUTHENTICATE' -command on certain IMAPD implementations can lead to a buffer overflow. -This in turn can allow arbitrary commands to be executed on the server. --- - -Affected Systems: - Netscape Messaging Server 3.55, - University of Washington imapd 10.234 --- - -Attack Scenarios: -An attacker may attempt to exploit a vulnerable imapd server, permitting -the execution of arbitrary commands possibly with the privilege of user -"root". --- - -Ease of Attack: -Simple. Sample exploit code is available. --- - -False Positives: -None known --- - -False Negatives: -None known --- - -Corrective Action: -Vendors have provided updated versions, upgrading will resolve this -problem --- - -Contributors: -Snort documentation contributed by matthew harvey -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2970.txt snort-2.9.2/doc/signatures/2970.txt --- snort-2.8.5.2/doc/signatures/2970.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2970.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2970 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE) -services. - --- -Impact: -Serious. Execution of arbitrary code with system level privileges - --- -Detailed Information: -A vulnerability exists in Microsoft NetDDE that may allow an attacker to -run code of their choosing with system level privileges. A programming -error in the handling of network messages may give an attacker the -opportunity to overflow a fixed length buffer by using a specially -crafted NetDDE message. - -This service is not started by default on Microsoft Windows systems, but -this issue can also be exploited locally in an attempt to escalate -privileges after a successful attack from an alternate vector. - --- -Affected Systems: - Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems. - --- -Attack Scenarios: -An attacker needs to craft a special NetDDE message in order to overflow -the affected buffer. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Disable the NetDDE service. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft Security Bulletin MS04-031: -http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx - --- diff -Nru snort-2.8.5.2/doc/signatures/2971.txt snort-2.9.2/doc/signatures/2971.txt --- snort-2.8.5.2/doc/signatures/2971.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2971.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2971 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE) -services. - --- -Impact: -Serious. Execution of arbitrary code with system level privileges - --- -Detailed Information: -A vulnerability exists in Microsoft NetDDE that may allow an attacker to -run code of their choosing with system level privileges. A programming -error in the handling of network messages may give an attacker the -opportunity to overflow a fixed length buffer by using a specially -crafted NetDDE message. - -This service is not started by default on Microsoft Windows systems, but -this issue can also be exploited locally in an attempt to escalate -privileges after a successful attack from an alternate vector. - --- -Affected Systems: - Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems. - --- -Attack Scenarios: -An attacker needs to craft a special NetDDE message in order to overflow -the affected buffer. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Disable the NetDDE service. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft Security Bulletin MS04-031: -http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx - --- diff -Nru snort-2.8.5.2/doc/signatures/2972.txt snort-2.9.2/doc/signatures/2972.txt --- snort-2.8.5.2/doc/signatures/2972.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2972.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -536 - --- -Summary: -This event is generated when an attempt is made to gain access to -private resources using Samba. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server. - --- -Detailed Information: -This event is generated when an attempt is made to use Samba to gain -access to private or administrative shares on a host. - --- -Affected Systems: - All systems using Samba for file sharing. - All systems using file and print sharing for Windows. - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -direct access to Windows adminsitrative shares. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. - --- -Contributors: -Original Rule Writer Max Vision -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2973.txt snort-2.9.2/doc/signatures/2973.txt --- snort-2.8.5.2/doc/signatures/2973.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2973.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2973 - --- -Summary: -This event is generated when an attempt is made to gain access to -private resources using Samba. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server. - --- -Detailed Information: -This event is generated when an attempt is made to use Samba to gain -access to private or administrative shares on a host. - --- -Affected Systems: - All systems using Samba for file sharing. - All systems using file and print sharing for Windows. - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -direct access to Windows adminsitrative shares. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2974.txt snort-2.9.2/doc/signatures/2974.txt --- snort-2.8.5.2/doc/signatures/2974.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2974.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2974 - --- -Summary: -This event is generated when an attempt is made to gain access to -private resources using Samba. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server. - --- -Detailed Information: -This event is generated when an attempt is made to use Samba to gain -access to private or administrative shares on a host. - --- -Affected Systems: - All systems using Samba for file sharing. - All systems using file and print sharing for Windows. - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -direct access to Windows adminsitrative shares. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2975.txt snort-2.9.2/doc/signatures/2975.txt --- snort-2.8.5.2/doc/signatures/2975.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2975.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2975 - --- -Summary: -This event is generated when an attempt is made to gain access to -private resources using Samba. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server. - --- -Detailed Information: -This event is generated when an attempt is made to use Samba to gain -access to private or administrative shares on a host. - --- -Affected Systems: - All systems using Samba for file sharing. - All systems using file and print sharing for Windows. - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -direct access to Windows adminsitrative shares. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2976.txt snort-2.9.2/doc/signatures/2976.txt --- snort-2.8.5.2/doc/signatures/2976.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2976.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -533 - --- -Summary: -This event is generated when an attempt is made to access the C$ default -administrative share of a Windows host. - --- -Impact: -Serious. Possible administrator access to the host. Information -disclosure. - --- -Detailed Information: -By default, Windows hosts have default administrative shares of the -local hard drives using the format %DRIVE_LETTER% + $. Anybody with -administrative rights can remotely access the share. - --- -Affected Systems: - Windows hosts. - --- -Attack Scenarios: -An attacker may be attempting to access files located on the C drive of -the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disallow Netbios access from external networks (tcp port 139). - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Josh Sakofsky - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS339 - -Microsoft: -http://support.microsoft.com/default.aspx?scid=kb;en-us;100517 - --- diff -Nru snort-2.8.5.2/doc/signatures/2977.txt snort-2.9.2/doc/signatures/2977.txt --- snort-2.8.5.2/doc/signatures/2977.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2977.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2977 - --- -Summary: -This event is generated when an attempt is made to access the C$ default -administrative share of a Windows host. - --- -Impact: -Serious. Possible administrator access to the host. Information -disclosure. - --- -Detailed Information: -By default, Windows hosts have default administrative shares of the -local hard drives using the format %DRIVE_LETTER% + $. Anybody with -administrative rights can remotely access the share. - --- -Affected Systems: - Windows hosts. - --- -Attack Scenarios: -An attacker may be attempting to access files located on the C drive of -the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disallow Netbios access from external networks (tcp port 139). - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Josh Sakofsky - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS339 - -Microsoft: -http://support.microsoft.com/default.aspx?scid=kb;en-us;100517 - --- diff -Nru snort-2.8.5.2/doc/signatures/2978.txt snort-2.9.2/doc/signatures/2978.txt --- snort-2.8.5.2/doc/signatures/2978.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2978.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2978 - --- -Summary: -This event is generated when an attempt is made to access the C$ default -administrative share of a Windows host. - --- -Impact: -Serious. Possible administrator access to the host. Information -disclosure. - --- -Detailed Information: -By default, Windows hosts have default administrative shares of the -local hard drives using the format %DRIVE_LETTER% + $. Anybody with -administrative rights can remotely access the share. - --- -Affected Systems: - Windows hosts. - --- -Attack Scenarios: -An attacker may be attempting to access files located on the C drive of -the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disallow Netbios access from external networks (tcp port 139). - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Josh Sakofsky - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS339 - -Microsoft: -http://support.microsoft.com/default.aspx?scid=kb;en-us;100517 - --- diff -Nru snort-2.8.5.2/doc/signatures/2979.txt snort-2.9.2/doc/signatures/2979.txt --- snort-2.8.5.2/doc/signatures/2979.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2979.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2979 - --- -Summary: -This event is generated when an attempt is made to access the C$ default -administrative share of a Windows host. - --- -Impact: -Serious. Possible administrator access to the host. Information -disclosure. - --- -Detailed Information: -By default, Windows hosts have default administrative shares of the -local hard drives using the format %DRIVE_LETTER% + $. Anybody with -administrative rights can remotely access the share. - --- -Affected Systems: - Windows hosts. - --- -Attack Scenarios: -An attacker may be attempting to access files located on the C drive of -the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disallow Netbios access from external networks (tcp port 139). - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Josh Sakofsky - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS339 - -Microsoft: -http://support.microsoft.com/default.aspx?scid=kb;en-us;100517 - --- diff -Nru snort-2.8.5.2/doc/signatures/297.txt snort-2.9.2/doc/signatures/297.txt --- snort-2.8.5.2/doc/signatures/297.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/297.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,59 +0,0 @@ -SID: -297 --- - -Rule: --- - -Summary: -This event is triggered when an attempt is made to overflow an imapd -server. --- - -Impact: -Commands may be run on the IMAP server as the root user, This can lead -to a complete compromise of the targeted system --- - -Detailed Information: -Failure to check the size of the value passed to the 'AUTHENTICATE' -command on certain IMAPD implementations can lead to a buffer overflow. -This in turn can allow arbitrary commands to be executed on the server. --- - -Affected Systems: - Netscape Messaging Server 3.55, University of Washington imapd 10.234 --- - -Attack Scenarios: -An attacker may attempt to exploit a vulnerable imapd server, permitting -the execution of arbitrary commands possibly with the privilege of user -"root". --- - -Ease of Attack: -Simple. Sample exploit code is available. --- - -False Positives: -None known --- - -False Negatives: -None known --- - -Corrective Action: -Vendors have provided updated versions, upgrading will resolve this problem --- - -Contributors: -Snort documentation contributed by matthew harvey -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2980.txt snort-2.9.2/doc/signatures/2980.txt --- snort-2.8.5.2/doc/signatures/2980.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2980.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: -532 - --- -Summary: -This event is generated when an attempt is made to access an administrative share on a Windows machine. - --- -Impact: -Serious. Possible administrator access on the victim machine. - --- -Detailed Information: -This rule generates an event when the hidden Netbios share Admin$, which is the Winnt directory, is accessed via SMB. - -This is a poor security practice or an indication that a machine is being accessed remotely. - --- -Affected Systems: - Windows 9x - Windows 2000 - Windows XP - --- -Attack Scenario: -This can be accessed from GUI "map network drive" remotely - --- -Ease of Attack: -Simple - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Use a packet filtering firewall to disallow Netbios access from the unprotected network. - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Jake Babbin - --- -References: - -arachnids 340 - --- diff -Nru snort-2.8.5.2/doc/signatures/2981.txt snort-2.9.2/doc/signatures/2981.txt --- snort-2.8.5.2/doc/signatures/2981.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2981.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2981 - --- -Summary: -This event is generated when an attempt is made to access the ADMIN$ -administrative share of a Windows host. - --- -Impact: -Serious. Possible administrator access to the host. Information -disclosure. - --- -Detailed Information: -By default, Windows hosts have default administrative shares of the -local hard drives using the format %DRIVE_LETTER% + $. Anybody with -administrative rights can remotely access the share. - --- -Affected Systems: - Windows hosts. - --- -Attack Scenarios: -An attacker may be attempting to access files located on the C drive of -the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disallow Netbios access from external networks (tcp port 139). - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Josh Sakofsky - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS339 - -Microsoft: -http://support.microsoft.com/default.aspx?scid=kb;en-us;100517 - --- diff -Nru snort-2.8.5.2/doc/signatures/2982.txt snort-2.9.2/doc/signatures/2982.txt --- snort-2.8.5.2/doc/signatures/2982.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2982.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2982 - --- -Summary: -This event is generated when an attempt is made to access the ADMIN$ -administrative share of a Windows host. - --- -Impact: -Serious. Possible administrator access to the host. Information -disclosure. - --- -Detailed Information: -By default, Windows hosts have default administrative shares of the -local hard drives using the format %DRIVE_LETTER% + $. Anybody with -administrative rights can remotely access the share. - --- -Affected Systems: - Windows hosts. - --- -Attack Scenarios: -An attacker may be attempting to access files located on the C drive of -the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disallow Netbios access from external networks (tcp port 139). - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Josh Sakofsky - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS339 - -Microsoft: -http://support.microsoft.com/default.aspx?scid=kb;en-us;100517 - --- diff -Nru snort-2.8.5.2/doc/signatures/2983.txt snort-2.9.2/doc/signatures/2983.txt --- snort-2.8.5.2/doc/signatures/2983.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2983.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2983 - --- -Summary: -This event is generated when an attempt is made to access the ADMIN$ -administrative share of a Windows host. - --- -Impact: -Serious. Possible administrator access to the host. Information -disclosure. - --- -Detailed Information: -By default, Windows hosts have default administrative shares of the -local hard drives using the format %DRIVE_LETTER% + $. Anybody with -administrative rights can remotely access the share. - --- -Affected Systems: - Windows hosts. - --- -Attack Scenarios: -An attacker may be attempting to access files located on the C drive of -the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disallow Netbios access from external networks (tcp port 139). - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Josh Sakofsky - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS339 - -Microsoft: -http://support.microsoft.com/default.aspx?scid=kb;en-us;100517 - --- diff -Nru snort-2.8.5.2/doc/signatures/2984.txt snort-2.9.2/doc/signatures/2984.txt --- snort-2.8.5.2/doc/signatures/2984.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2984.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -2176 - --- -Summary: -This event is generated when an attempt is made to access a system -file via SMB. - --- -Impact: -Serious. This file contains important operating system information. - --- -Detailed Information: -This event indicates that an attempt was made to access a file -containing important operating system information using SMB across the -network. - --- -Affected Systems: -Microsoft Windows systems. - --- -Attack Scenarios: -If this file is accessible via SMB the attacker can manipulate the -operating system registry settings. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the host for signs of system compromise. - -Turn off file and print sharing on the target host. - -Use a packet filtering firewall to disallow SMB access to the host from -sources external to the protected network. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: -Microsoft Technet -http://support.microsoft.com/support/kb/articles/q153/1/83.asp -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562 -Winreg -http://www.rutherfurd.net/python/winreg/ - --- diff -Nru snort-2.8.5.2/doc/signatures/2985.txt snort-2.9.2/doc/signatures/2985.txt --- snort-2.8.5.2/doc/signatures/2985.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2985.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -2176 - --- -Summary: -This event is generated when an attempt is made to access a system -file via SMB. - --- -Impact: -Serious. This file contains important operating system information. - --- -Detailed Information: -This event indicates that an attempt was made to access a file -containing important operating system information using SMB across the -network. - --- -Affected Systems: -Microsoft Windows systems. - --- -Attack Scenarios: -If this file is accessible via SMB the attacker can manipulate the -operating system registry settings. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the host for signs of system compromise. - -Turn off file and print sharing on the target host. - -Use a packet filtering firewall to disallow SMB access to the host from -sources external to the protected network. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: -Microsoft Technet -http://support.microsoft.com/support/kb/articles/q153/1/83.asp -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562 -Winreg -http://www.rutherfurd.net/python/winreg/ - --- diff -Nru snort-2.8.5.2/doc/signatures/2986.txt snort-2.9.2/doc/signatures/2986.txt --- snort-2.8.5.2/doc/signatures/2986.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2986.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -2986 - --- -Summary: -This event is generated when an attempt is made to create an AndX entry -via SMB. - --- -Impact: -Unknown. - --- -Detailed Information: -This event is generated when an attempt is made to create an AndX entry -via SMB. - --- -Affected Systems: - Windows systems - --- -Attack Scenarios: -An attacker may attempt to bind to the service to manipulate host -settings then create an entry in the winreg service. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: -Microsoft Technet -http://support.microsoft.com/support/kb/articles/q153/1/83.asp -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562 -Winreg -http://www.rutherfurd.net/python/winreg/ - --- diff -Nru snort-2.8.5.2/doc/signatures/2987.txt snort-2.9.2/doc/signatures/2987.txt --- snort-2.8.5.2/doc/signatures/2987.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2987.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -2987 - --- -Summary: -This event is generated when an attempt is made to create an AndX entry -via SMB. - --- -Impact: -Unknown. - --- -Detailed Information: -This event is generated when an attempt is made to create an AndX entry -via SMB. - --- -Affected Systems: - Windows systems - --- -Attack Scenarios: -An attacker may attempt to bind to the service to manipulate host -settings then create an entry in the winreg service. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: -Microsoft Technet -http://support.microsoft.com/support/kb/articles/q153/1/83.asp -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562 -Winreg -http://www.rutherfurd.net/python/winreg/ - --- diff -Nru snort-2.8.5.2/doc/signatures/2988.txt snort-2.9.2/doc/signatures/2988.txt --- snort-2.8.5.2/doc/signatures/2988.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2988.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -2988 - --- -Summary: -This event is generated when an attempt is made to bind to the Windows -registry service via SMB. - --- -Impact: -Serious. Remote administration of the Windows reqistry may be possible. - --- -Detailed Information: -This event indicates that an attempt was made to bind to the Windows -registry service via SMB across the network. - -It may be possible for an attacker to manipulate the Windows registry -from a remote location. This could give the attacker administrative -privileges on the target host as well as the opportunity to execute code -of their choosing. - --- -Affected Systems: - Microsoft Windows systems. - --- -Attack Scenarios: -If the Windows registry is accessible via SMB the attacker can -manipulate the operating system registry settings. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the host for signs of system compromise. - -Turn off file and print sharing on the target host. - -Use a packet filtering firewall to disallow SMB access to the host from -sources external to the protected network. - -Disallow remote registry manipulation. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2989.txt snort-2.9.2/doc/signatures/2989.txt --- snort-2.8.5.2/doc/signatures/2989.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2989.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -2989 - --- -Summary: -This event is generated when an attempt is made to bind to the Windows -registry service via SMB. - --- -Impact: -Serious. Remote administration of the Windows reqistry may be possible. - --- -Detailed Information: -This event indicates that an attempt was made to bind to the Windows -registry service via SMB across the network. - -It may be possible for an attacker to manipulate the Windows registry -from a remote location. This could give the attacker administrative -privileges on the target host as well as the opportunity to execute code -of their choosing. - --- -Affected Systems: - Microsoft Windows systems. - --- -Attack Scenarios: -If the Windows registry is accessible via SMB the attacker can -manipulate the operating system registry settings. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the host for signs of system compromise. - -Turn off file and print sharing on the target host. - -Use a packet filtering firewall to disallow SMB access to the host from -sources external to the protected network. - -Disallow remote registry manipulation. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/298.txt snort-2.9.2/doc/signatures/298.txt --- snort-2.8.5.2/doc/signatures/298.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/298.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -SID: -298 --- - -Rule: --- - -Summary: -This event is triggered when an attempt is made to overflow an imapd server. --- - -Impact: -Commands may be run on the IMAP server as the root user, This can lead to a complete compromise of the targeted system --- - -Detailed Information: -Failure to check the size of the value passed to the 'AUTHENTICATE' -command on certain IMAPD implementations can lead to a buffer overflow. -This in turn can allow arbitrary commands to be executed on the server. --- - -Affected Systems: - Netscape Messaging Server 3.55, University of Washington imapd 10.234 --- - -Attack Scenarios: -An attacker may attempt to exploit a vulnerable imapd server, permitting -the execution of arbitrary commands possibly with the privilege of user -"root". --- - -Ease of Attack: -Simple. Sample exploit code is available. --- - -False Positives: -None known --- - -False Negatives: -None known - --- - -Corrective Action: -Vendors have provided updated versions, upgrading will resolve this -problem - --- - -Contributors: -Snort documentation contributed by matthew harvey -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2990.txt snort-2.9.2/doc/signatures/2990.txt --- snort-2.8.5.2/doc/signatures/2990.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2990.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -2990 - --- -Summary: -This event is generated when an attempt is made to bind to the winreg -service. - --- -Impact: -Unknown. - --- -Detailed Information: -This event is generated when an attempt is made to bind to the RPC -service for winreg. - --- -Affected Systems: - Windows systems - --- -Attack Scenarios: -An attacker may attempt to bind to the service to manipulate host -settings. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: -Microsoft Technet -http://support.microsoft.com/support/kb/articles/q153/1/83.asp -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562 -Winreg -http://www.rutherfurd.net/python/winreg/ - --- diff -Nru snort-2.8.5.2/doc/signatures/2991.txt snort-2.9.2/doc/signatures/2991.txt --- snort-2.8.5.2/doc/signatures/2991.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2991.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -2991 - --- -Summary: -This event is generated when an attempt is made to bind to the winreg -service. - --- -Impact: -Unknown. - --- -Detailed Information: -This event is generated when an attempt is made to bind to the RPC -service for winreg. - --- -Affected Systems: - Windows systems - --- -Attack Scenarios: -An attacker may attempt to bind to the service to manipulate host -settings. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: -Microsoft Technet -http://support.microsoft.com/support/kb/articles/q153/1/83.asp -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562 -Winreg -http://www.rutherfurd.net/python/winreg/ - --- diff -Nru snort-2.8.5.2/doc/signatures/2992.txt snort-2.9.2/doc/signatures/2992.txt --- snort-2.8.5.2/doc/signatures/2992.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2992.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,66 +0,0 @@ -Rule: - --- -Sid: -2992 - --- -Summary: -This event is generated when an attempt is made to shutdown a Windows -system via SMB. - --- -Impact: -Serious. - --- -Detailed Information: -This event indicates that an attempt was made to shutdown a Windows -system via SMB across the network. - -It may be possible for an attacker to manipulate a Windows system -from a remote location. Shutting down a system may lead to a Denial of -Service for the target host. - --- -Affected Systems: - Microsoft Windows systems. - --- -Attack Scenarios: -An attacker may be able to manipulate a target system using SMB. The -attacker may gain complete control over the affected system. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the host for signs of system compromise. - -Turn off file and print sharing on the target host. - -Use a packet filtering firewall to disallow SMB access to the host from -sources external to the protected network. - -Disallow remote registry manipulation. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2993.txt snort-2.9.2/doc/signatures/2993.txt --- snort-2.8.5.2/doc/signatures/2993.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2993.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,66 +0,0 @@ -Rule: - --- -Sid: -2993 - --- -Summary: -This event is generated when an attempt is made to shutdown a Windows -system via SMB. - --- -Impact: -Serious. - --- -Detailed Information: -This event indicates that an attempt was made to shutdown a Windows -system via SMB across the network. - -It may be possible for an attacker to manipulate a Windows system -from a remote location. Shutting down a system may lead to a Denial of -Service for the target host. - --- -Affected Systems: - Microsoft Windows systems. - --- -Attack Scenarios: -An attacker may be able to manipulate a target system using SMB. The -attacker may gain complete control over the affected system. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the host for signs of system compromise. - -Turn off file and print sharing on the target host. - -Use a packet filtering firewall to disallow SMB access to the host from -sources external to the protected network. - -Disallow remote registry manipulation. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2994.txt snort-2.9.2/doc/signatures/2994.txt --- snort-2.8.5.2/doc/signatures/2994.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2994.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,66 +0,0 @@ -Rule: - --- -Sid: -2994 - --- -Summary: -This event is generated when an attempt is made to shutdown a Windows -system via SMB. - --- -Impact: -Serious. - --- -Detailed Information: -This event indicates that an attempt was made to shutdown a Windows -system via SMB across the network. - -It may be possible for an attacker to manipulate a Windows system -from a remote location. Shutting down a system may lead to a Denial of -Service for the target host. - --- -Affected Systems: - Microsoft Windows systems. - --- -Attack Scenarios: -An attacker may be able to manipulate a target system using SMB. The -attacker may gain complete control over the affected system. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the host for signs of system compromise. - -Turn off file and print sharing on the target host. - -Use a packet filtering firewall to disallow SMB access to the host from -sources external to the protected network. - -Disallow remote registry manipulation. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2995.txt snort-2.9.2/doc/signatures/2995.txt --- snort-2.8.5.2/doc/signatures/2995.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2995.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,66 +0,0 @@ -Rule: - --- -Sid: -2995 - --- -Summary: -This event is generated when an attempt is made to shutdown a Windows -system via SMB. - --- -Impact: -Serious. - --- -Detailed Information: -This event indicates that an attempt was made to shutdown a Windows -system via SMB across the network. - -It may be possible for an attacker to manipulate a Windows system -from a remote location. Shutting down a system may lead to a Denial of -Service for the target host. - --- -Affected Systems: - Microsoft Windows systems. - --- -Attack Scenarios: -An attacker may be able to manipulate a target system using SMB. The -attacker may gain complete control over the affected system. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the host for signs of system compromise. - -Turn off file and print sharing on the target host. - -Use a packet filtering firewall to disallow SMB access to the host from -sources external to the protected network. - -Disallow remote registry manipulation. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2996.txt snort-2.9.2/doc/signatures/2996.txt --- snort-2.8.5.2/doc/signatures/2996.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2996.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,66 +0,0 @@ -Rule: - --- -Sid: -2996 - --- -Summary: -This event is generated when an attempt is made to shutdown a Windows -system via SMB. - --- -Impact: -Serious. - --- -Detailed Information: -This event indicates that an attempt was made to shutdown a Windows -system via SMB across the network. - -It may be possible for an attacker to manipulate a Windows system -from a remote location. Shutting down a system may lead to a Denial of -Service for the target host. - --- -Affected Systems: - Microsoft Windows systems. - --- -Attack Scenarios: -An attacker may be able to manipulate a target system using SMB. The -attacker may gain complete control over the affected system. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the host for signs of system compromise. - -Turn off file and print sharing on the target host. - -Use a packet filtering firewall to disallow SMB access to the host from -sources external to the protected network. - -Disallow remote registry manipulation. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2997.txt snort-2.9.2/doc/signatures/2997.txt --- snort-2.8.5.2/doc/signatures/2997.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2997.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,66 +0,0 @@ -Rule: - --- -Sid: -2997 - --- -Summary: -This event is generated when an attempt is made to shutdown a Windows -system via SMB. - --- -Impact: -Serious. - --- -Detailed Information: -This event indicates that an attempt was made to shutdown a Windows -system via SMB across the network. - -It may be possible for an attacker to manipulate a Windows system -from a remote location. Shutting down a system may lead to a Denial of -Service for the target host. - --- -Affected Systems: - Microsoft Windows systems. - --- -Attack Scenarios: -An attacker may be able to manipulate a target system using SMB. The -attacker may gain complete control over the affected system. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the host for signs of system compromise. - -Turn off file and print sharing on the target host. - -Use a packet filtering firewall to disallow SMB access to the host from -sources external to the protected network. - -Disallow remote registry manipulation. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2998.txt snort-2.9.2/doc/signatures/2998.txt --- snort-2.8.5.2/doc/signatures/2998.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2998.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,66 +0,0 @@ -Rule: - --- -Sid: -2998 - --- -Summary: -This event is generated when an attempt is made to shutdown a Windows -system via SMB. - --- -Impact: -Serious. - --- -Detailed Information: -This event indicates that an attempt was made to shutdown a Windows -system via SMB across the network. - -It may be possible for an attacker to manipulate a Windows system -from a remote location. Shutting down a system may lead to a Denial of -Service for the target host. - --- -Affected Systems: - Microsoft Windows systems. - --- -Attack Scenarios: -An attacker may be able to manipulate a target system using SMB. The -attacker may gain complete control over the affected system. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the host for signs of system compromise. - -Turn off file and print sharing on the target host. - -Use a packet filtering firewall to disallow SMB access to the host from -sources external to the protected network. - -Disallow remote registry manipulation. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/2999.txt snort-2.9.2/doc/signatures/2999.txt --- snort-2.8.5.2/doc/signatures/2999.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/2999.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,66 +0,0 @@ -Rule: - --- -Sid: -2999 - --- -Summary: -This event is generated when an attempt is made to shutdown a Windows -system via SMB. - --- -Impact: -Serious. - --- -Detailed Information: -This event indicates that an attempt was made to shutdown a Windows -system via SMB across the network. - -It may be possible for an attacker to manipulate a Windows system -from a remote location. Shutting down a system may lead to a Denial of -Service for the target host. - --- -Affected Systems: - Microsoft Windows systems. - --- -Attack Scenarios: -An attacker may be able to manipulate a target system using SMB. The -attacker may gain complete control over the affected system. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the host for signs of system compromise. - -Turn off file and print sharing on the target host. - -Use a packet filtering firewall to disallow SMB access to the host from -sources external to the protected network. - -Disallow remote registry manipulation. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/299.txt snort-2.9.2/doc/signatures/299.txt --- snort-2.8.5.2/doc/signatures/299.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/299.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -SID: -299 --- - -Rule: --- - -Summary: -This event is triggered when an attempt is made to overflow an imapd -server. --- - -Impact: -Commands may be run on the IMAP server as the root user, This can lead -to a complete compromise of the targeted system --- - -Detailed Information: -Failure to check the size of the value passed to the 'AUTHENTICATE' -command on certain IMAPD implementations can lead to a buffer overflow. -This in turn can allow arbitrary commands to be executed on the server. --- - -Affected Systems: - Netscape Messaging Server 3.55, University of Washington imapd 10.234 --- - -Attack Scenarios: -An attacker may attempt to exploit a vulnerable imapd server, permitting -the execution of arbitrary commands possibly with the privilege of user -"root". --- - -Ease of Attack: -Simple. Sample exploit code is available. --- - -False Positives: -None known --- - -False Negatives: -None known --- - -Corrective Action: -Vendors have provided updated versions, upgrading will resolve this -problem --- - -Contributors: -Snort documentation contributed by matthew harvey -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3000.txt snort-2.9.2/doc/signatures/3000.txt --- snort-2.8.5.2/doc/signatures/3000.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3000.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3000 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Microsoft implementation of the ASN.1 Library. - --- -Impact: -Serious. Execution of arbitrary code, DoS. - --- -Detailed Information: -A buffer overflow condition in the Microsoft implementation of the ASN.1 -Library. It may be possible for an attacker to exploit this condition by -sending specially crafted authentication packets to a host running a -vulnerable operating system. - -When the taget system decodes the ASN.1 data, exploit code may be included -in the data that may be excuted on the host with system level privileges. -Alternatively, the malformed data may cause the service to become -unresponsive thus causing the DoS condition to occur. - --- -Affected Systems: - Microsoft Windows NT - Microsoft Windows NT Terminal Server Edition - Microsoft Windows 2000 - Microsoft Windows XP - Microsoft Windows 2003 - --- -Ease of Attack: -Simple. Exploit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -References: - -CVE -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818 - -US-CERT -http://www.us-cert.gov/cas/techalerts/TA04-041A.html - -Microsoft -http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp - --- diff -Nru snort-2.8.5.2/doc/signatures/3001.txt snort-2.9.2/doc/signatures/3001.txt --- snort-2.8.5.2/doc/signatures/3001.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3001.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3001 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Microsoft implementation of the ASN.1 Library. - --- -Impact: -Serious. Execution of arbitrary code, DoS. - --- -Detailed Information: -A buffer overflow condition in the Microsoft implementation of the ASN.1 -Library. It may be possible for an attacker to exploit this condition by -sending specially crafted authentication packets to a host running a -vulnerable operating system. - -When the taget system decodes the ASN.1 data, exploit code may be included -in the data that may be excuted on the host with system level privileges. -Alternatively, the malformed data may cause the service to become -unresponsive thus causing the DoS condition to occur. - --- -Affected Systems: - Microsoft Windows NT - Microsoft Windows NT Terminal Server Edition - Microsoft Windows 2000 - Microsoft Windows XP - Microsoft Windows 2003 - --- -Ease of Attack: -Simple. Exploit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -References: - -CVE -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818 - -US-CERT -http://www.us-cert.gov/cas/techalerts/TA04-041A.html - -Microsoft -http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp - --- diff -Nru snort-2.8.5.2/doc/signatures/3002.txt snort-2.9.2/doc/signatures/3002.txt --- snort-2.8.5.2/doc/signatures/3002.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3002.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3002 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Microsoft implementation of the ASN.1 Library. - --- -Impact: -Serious. Execution of arbitrary code, DoS. - --- -Detailed Information: -A buffer overflow condition in the Microsoft implementation of the ASN.1 -Library. It may be possible for an attacker to exploit this condition by -sending specially crafted authentication packets to a host running a -vulnerable operating system. - -When the taget system decodes the ASN.1 data, exploit code may be included -in the data that may be excuted on the host with system level privileges. -Alternatively, the malformed data may cause the service to become -unresponsive thus causing the DoS condition to occur. - --- -Affected Systems: - Microsoft Windows NT - Microsoft Windows NT Terminal Server Edition - Microsoft Windows 2000 - Microsoft Windows XP - Microsoft Windows 2003 - --- -Ease of Attack: -Simple. Exploit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -References: - -CVE -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818 - -US-CERT -http://www.us-cert.gov/cas/techalerts/TA04-041A.html - -Microsoft -http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp - --- diff -Nru snort-2.8.5.2/doc/signatures/3003.txt snort-2.9.2/doc/signatures/3003.txt --- snort-2.8.5.2/doc/signatures/3003.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3003.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3003 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Microsoft implementation of the ASN.1 Library. - --- -Impact: -Serious. Execution of arbitrary code, DoS. - --- -Detailed Information: -A buffer overflow condition exists in the Microsoft implementation of -the ASN.1 Library. It may be possible for an attacker to exploit this -condition by sending specially crafted authentication packets to a host -running a vulnerable operating system. - -When the taget system decodes the ASN.1 data, exploit code may be included -in the data that may be excuted on the host with system level privileges. -Alternatively, the malformed data may cause the service to become -unresponsive thus causing the DoS condition to occur. - --- -Affected Systems: - Microsoft Windows NT - Microsoft Windows NT Terminal Server Edition - Microsoft Windows 2000 - Microsoft Windows XP - Microsoft Windows 2003 - --- -Ease of Attack: -Simple. Exploit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -References: - -US-CERT -http://www.us-cert.gov/cas/techalerts/TA04-041A.html - -Microsoft -http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp - --- diff -Nru snort-2.8.5.2/doc/signatures/3004.txt snort-2.9.2/doc/signatures/3004.txt --- snort-2.8.5.2/doc/signatures/3004.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3004.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3004 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Microsoft implementation of the ASN.1 Library. - --- -Impact: -Serious. Execution of arbitrary code, DoS. - --- -Detailed Information: -A buffer overflow condition in the Microsoft implementation of the ASN.1 -Library. It may be possible for an attacker to exploit this condition by -sending specially crafted authentication packets to a host running a -vulnerable operating system. - -When the taget system decodes the ASN.1 data, exploit code may be included -in the data that may be excuted on the host with system level privileges. -Alternatively, the malformed data may cause the service to become -unresponsive thus causing the DoS condition to occur. - --- -Affected Systems: - Microsoft Windows NT - Microsoft Windows NT Terminal Server Edition - Microsoft Windows 2000 - Microsoft Windows XP - Microsoft Windows 2003 - --- -Ease of Attack: -Simple. Exploit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -References: - -CVE -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818 - -US-CERT -http://www.us-cert.gov/cas/techalerts/TA04-041A.html - -Microsoft -http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp - --- diff -Nru snort-2.8.5.2/doc/signatures/3005.txt snort-2.9.2/doc/signatures/3005.txt --- snort-2.8.5.2/doc/signatures/3005.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3005.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3005 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Microsoft implementation of the ASN.1 Library. - --- -Impact: -Serious. Execution of arbitrary code, DoS. - --- -Detailed Information: -A buffer overflow condition in the Microsoft implementation of the ASN.1 -Library. It may be possible for an attacker to exploit this condition by -sending specially crafted authentication packets to a host running a -vulnerable operating system. - -When the taget system decodes the ASN.1 data, exploit code may be included -in the data that may be excuted on the host with system level privileges. -Alternatively, the malformed data may cause the service to become -unresponsive thus causing the DoS condition to occur. - --- -Affected Systems: - Microsoft Windows NT - Microsoft Windows NT Terminal Server Edition - Microsoft Windows 2000 - Microsoft Windows XP - Microsoft Windows 2003 - --- -Ease of Attack: -Simple. Exploit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -References: - -CVE -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818 - -US-CERT -http://www.us-cert.gov/cas/techalerts/TA04-041A.html - -Microsoft -http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp - --- diff -Nru snort-2.8.5.2/doc/signatures/3006.txt snort-2.9.2/doc/signatures/3006.txt --- snort-2.8.5.2/doc/signatures/3006.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3006.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -3006 - --- -Summary: -This event is generated when an attempt is made to exploit a -vulnerability in Freespace 2. - --- -Impact: -A successful attack may present an attacker with the opportunity to -execute arbitrary code on a vulnerable system. - --- -Detailed Information: -A vulnerability exists in in Freespace 2 that may allow an attacker to -execute code of their choosing on a vulnerable system. - -The problem lies in the handling of data by the client application when -processing server responses. Proper checks are not performed by the -client application and large amounts of data in a server response may -trigger a buffer overflow condition to occur, thus presenting the -attacker with the opportunity to execute code. - --- -Affected Systems: - Freespace 2 - --- -Attack Scenarios: -An attacker may supply a large amount of data containing code of their -choosing in a server response to client requests. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3007.txt snort-2.9.2/doc/signatures/3007.txt --- snort-2.8.5.2/doc/signatures/3007.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3007.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,57 +0,0 @@ -Rule: - --- -Sid: -3007 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with the DELETE command of the IPSwitch IMail IMAP service. - --- -Impact: -A successful attack may cause a denial of service or a buffer overflow and the -subsequent execution of arbitrary code on a vulnerable server. - --- -Detailed Information: -A vulnerability exists in the way that the IPSwitch IMail IMAP service -handles a DELETE command. An excessively long user-supplied mailbox name -to be deleted can trigger a denial of service or a buffer overflow and the -subsequent execution of arbitrary code on a vulnerable server. - --- -Affected Systems: - IPSwitch IMail IMAP4 server 8.13 - --- -Attack Scenarios: -An attacker can supply an overly long mailbox name for deletion, possibly causing -denial of service or a buffer overflow. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3008.txt snort-2.9.2/doc/signatures/3008.txt --- snort-2.8.5.2/doc/signatures/3008.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3008.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,57 +0,0 @@ -Rule: - --- -Sid: -3008 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with the DELETE command of the IPSwitch IMail IMAP service. - --- -Impact: -A successful attack may cause a denial of service or a buffer overflow and the -subsequent execution of arbitrary code on a vulnerable server. - --- -Detailed Information: -A vulnerability exists in the way that the IPSwitch IMail IMAP service -handles a DELETE command. An excessively long user-supplied mailbox name -to be deleted can trigger a denial of service or a buffer overflow and the -subsequent execution of arbitrary code on a vulnerable server. - --- -Affected Systems: - IPSwitch IMail IMAP4 server 8.13 - --- -Attack Scenarios: -An attacker can supply an overly long mailbox name for deletion, possibly causing -denial of service or a buffer overflow. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3009.txt snort-2.9.2/doc/signatures/3009.txt --- snort-2.8.5.2/doc/signatures/3009.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3009.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,115 +0,0 @@ -Rule: - --- -Sid: -3009 - --- -Summary: -This event is generated when an attempt is made to request a connection -using the NetBus Pro 2.0 Trojan. - --- -Impact: -If connected, the attacker could execute files remotely on your computer, -capture an image of your desktop, send messages, steal your passwords, -open and close your CD-ROM, play sounds, print documents, and even -shutdown or reboot your computer, among many other things. The attacker -will have almost total control of the PC should he connect successfully. - --- -Detailed Information: -NetBus Pro 2.0 incorporates its own protocol. It uses port 20034 by -default, but it can be changed by the attacker. - -Its packets included a ten byte header followed by the packet's encrypted -data. The first two bytes of the header are static: 42 4E. The next two -bytes indicate the size of the packet, followed by two bytes -for the version number, followed by two random bytes, and the final ninth -and tenth byte make up the command code. To look for an attack from one of -these functions, the header of the suspicious packet will look like: - - 42 4E S1 S2 V1 V2 R1 R2 C1 C2 - -NOTE: S1 and S2 are size byte one and size byte two. V1 and V2 are version -number byte one and version number byte two. R1 and R2 are random bytes -one and two. C1 and C2 are the command code bytes. 
- -The following is a list of the command codes for many of Net Bus Pro 2.0's -functions: - - Capture Desktop Image: 41 01 - CD-ROM Open and Close: 60 01 - Client Chat: 08 00 - Execute File: 30 01 - Reading Directory Listing: 50 00 - Directory Traversal: 51 00 - Go To URL: 33 01 - Keyboard Tricks: 61 01 - Keylogger: 40 01 - Mouse Tricks: 65 01 - Open Document: 33 01 - Play Sound: 31 01 - Plugin Manager: 90 00 - Print Document: 34 01 - Record Sound: 43 01 - Redirect Application: 10 01 - Redirect Port: 00 01 - Registry Manager: 70 00 - Remote Control: 73 01 and 72 01 - Send Message: 40 00 - Send Text: 64 01 - Show Image: 32 01 - Sound System: 80 00 - System Administrator: 21 00 - System Information: 30 00 - Windows Manager: 60 00 - Any Windows Exit Function(Shutdown, Reboot, etc.): 50 01 - --- -Affected Systems: -Windows 95/98/ME/NT/2000 - --- -Attack Scenarios: -The victim must first install the server. Be wary of suspicious files -because they often can be backdoor programs in disguise. - -Once the victim mistakenly installs the server program, the attacker -will usually employ an IP scanner program to find the IP addresses of -victims that have installed the program. The attacker then enters the IP -address, port number (which is assigned to the server program by the -attacker: default is 20034), and presses the connect button to gain access -to the targeted system. - --- -Ease of Attack: -Simple. Trojan Horse programs are widely available. - --- -False Positives: -None known - --- -False Negatives: -None known - --- -Corrective Action: -In order to get rid of it, you will have to uninstall the program, -deleting the folder and its contents or uninstalling it from the -Add/Remove Programs option under the control panel. The Trojan usually -does not attempt to hide itself, making the process of finding it much easier. 
- --- -Contributors: -Sourcefire Research Team -Ricky Macatee - --- -Additional References: - -Dark-E: -http://www.dark-e.com/archive/trojans/netbus/200/index.shtml - --- diff -Nru snort-2.8.5.2/doc/signatures/300.txt snort-2.9.2/doc/signatures/300.txt --- snort-2.8.5.2/doc/signatures/300.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/300.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,56 +0,0 @@ -Rule: - --- -Sid: 300 - --- -Summary: -This event is generated when a buffer overflow attempt is made against a host running Solaris x86. - --- -Impact: -System compromize presenting the attacker with the opportunity to -execute arbitrary code or gain remote access to the victim host. - --- -Detailed Information: -A buffer overflow condition exists in the nlps_server daemon on certain versions of Solaris for x86 architecture. - -nlps_server is a network listener used for printing services. The buffer overflow can be generated by sending an excessively long string of characters to the daemon on port 2766 followed by the command to be executed. - -Affected Systems: - Solaris 2.4, 2.5 and 2.51 for x86 - --- -Attack Scenarios: -Exploit scripts are available - --- -Ease of Attack: -Simple. Exploits are available. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -Bugtraq: -http://www.securityfocus.com/bid/2319 - --- diff -Nru snort-2.8.5.2/doc/signatures/3010.txt snort-2.9.2/doc/signatures/3010.txt --- snort-2.8.5.2/doc/signatures/3010.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3010.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -3010 - --- -Summary: -This event is generated when an attacker attempts to find the victim's -Windows directory with the RUX the Tick trojan. - --- -Impact: -If successful, the attacker would gain unauthorized access to your -system, enabling him to upload and execute file on your computer. The -attacker can use this function to upload additional backdoors to the -victim's sytem and execute them. - --- -Detailed Information: -When executed, RUX the Tick opens up its assigned port (default is -22222) for communication with the attacker. RUX the Tick has three -functions: Get Windows Directory, Get System Directory, and Upload And -Execute File. Get Windows Directory and Get System Directory are used -for reconnaissance. Upload And Execute File is mainly used to upload and -run other backdoors onto the victim's computer. - --- -Affected Systems: - Windows 95/98/ME/NT/2000 - --- -Attack Scenarios: -The victim must first install the server. Be wary of suspicious files -because they often can be backdoors in disguise. Once the victim -mistakenly installs the server program, the attacker usually will employ -an IP scanner program to find the IP addresses of victims that have -installed the program. Then the attacker enters the IP address, port -number (which is assigned to the server program by the attacker: -default is 22222), and presses the connect button and he has access to -your computer. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known - --- -False Negatives: -None known - --- -Corrective Action: -Using Windows Task Manager, kill these processes: ruxserver.exe and -server.exe. Use Windows Explorer to find ruxserver.exe and delete the file. - -Keep your anti-virus programs updated with the latest definitions. 
- --- -Contributors: -Sourcefire Vulnerability Research Team -Ricky Macatee - --- -Additional References: - -PestPatrol: -http://www.pestpatrol.com/PestInfo/R/RUX.ASP - --- diff -Nru snort-2.8.5.2/doc/signatures/3011.txt snort-2.9.2/doc/signatures/3011.txt --- snort-2.8.5.2/doc/signatures/3011.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3011.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -3011 --- -Summary: -This event is generated when an attempt is made to find the System -directory on a target host with the RUX the Tick Trojan. - --- -Impact: -If successful, the attacker would gain unauthorized access to the system, -to upload and execute file on the target system. The attacker can use -this function to upload additional backdoors to the victim's system and -execute them. - --- -Detailed Information: -When executed, RUX the Tick opens up its assigned port (default is -22222) for communication with the attacker. RUX the Tick has three -functions: Get Windows Directory, Get System Directory, and Upload And -Execute File. Get Windows Directory and Get System Directory are used -for reconnaissance. Upload And Execute File is mainly used to upload and -run other backdoors onto the victim's computer. - --- -Affected Systems: - Windows 95/98/ME/NT/2000 - --- -Attack Scenarios: -The victim must first install the server. Be wary of suspicious files -because they often can be backdoors in disguise. Once the victim -mistakenly installs the server program, the attacker usually will employ -an IP scanner program to find the IP addresses of victims that have -installed the program. Then the attacker enters the IP address, port -number (which is assigned to the server program by the attacker: -default is 22222), and presses the connect button and he has access to -the computer. - --- - -Ease of Attack: -Simple. - --- -False Positives: -None known - --- -False Negatives: -None known - --- -Corrective Action: -Using Windows Task Manager, kill these processes: ruxserver.exe and server.exe. -Use Windows Explorer to find ruxserver.exe and delete the file. - -Keep anti-virus programs updated with the latest definitions. 
- --- -Contributors: -Sourcefire Research Team -Ricky Macatee - --- -Additional References: - -PestPatrol: -http://www.pestpatrol.com/PestInfo/R/RUX.ASP - --- diff -Nru snort-2.8.5.2/doc/signatures/3012.txt snort-2.9.2/doc/signatures/3012.txt --- snort-2.8.5.2/doc/signatures/3012.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3012.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,79 +0,0 @@ -Rule: - --- -Sid: -3012 --- -Summary: -This event is generated when an attacker attempts to remotely upload and -execute a file with the RUX the Tick trojan. - --- -Impact: -If successful, the attacker would gain unauthorized access to an -affected system, enabling him to upload and execute file on the machine. -The attacker can use this function to upload additional backdoors to the -victim's sytem and execute them. - --- -Detailed Information: -When executed, RUX the Tick opens up its assigned port (default is -22222) for communication with the attacker. RUX the Tick has three -functions: Get Windows Directory, Get System Directory, and Upload And -Execute File. - -Get Windows Directory and Get System Directory are used for -reconnaissance. Upload And Execute File is mainly used to upload and run -other backdoors onto the victim's computer. - --- -Affected Systems: - Windows 95/98/ME/NT/2000 - --- -Attack Scenarios: -The victim must first install the server. Be wary of suspicious files -because they often can be backdoors in disguise. Once the victim -mistakenly installs the server program, the attacker usually will employ -an IP scanner program to find the IP addresses of victims that have -installed the program. Then the attacker enters the IP address, port -number (which is assigned to the server program by the attacker: -default is 22222), and presses the connect button and he has access to -the computer. - --- -Ease of Attack: -Simple. - - --- -False Positives: -None known - --- -False Negatives: -None known - --- - -Corrective Action: -Using Windows Task Manager, kill these processes: ruxserver.exe and server.exe -Use Windows Explorer to find ruxserver.exe and delete the file. - -This program may hide itself in the process list and can use different -names and can exist in many locations on an infected machine. - -Keep anti-virus programs updated with the latest definitions. 
- --- -Contributors: -Sourcefire Research Team -Ricky Macatee - --- -Additional References: - -PestPatrol: -http://www.pestpatrol.com/PestInfo/R/RUX.ASP - --- diff -Nru snort-2.8.5.2/doc/signatures/3013.txt snort-2.9.2/doc/signatures/3013.txt --- snort-2.8.5.2/doc/signatures/3013.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3013.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,85 +0,0 @@ -Rule: - --- -Sid: -3013 --- -Summary: -This event is generated when an attacker attempts to connect to the -victim using the Asylum 0.1 trojan. - --- -Impact: -If successful, the attacker would gain unauthorized access to the -system, enabling him to upload and execute files on the computer and -reboot it at will, resulting in a full compromise of the victim's computer. - --- -Detailed Information: -When executed, Asylum 0.1 opens up its assigned port (default is 23432) -for communication with the attacker. Asylum 0.1 has four functions: -Upload File, Open File, Reboot Computer, and Remove Server. - -Upload File: Look for traffic on port 23432 containing UPL followed by a file location. -Open File: Look for traffic on port 23432 containing RUN followed by a file location. -Reboot: Look for the string "RBT" on port 23432. -Remove Server: Look for the string "DIE" on port 23432. - --- -Affected Systems: -Windows 95/98/ME/NT/2000 - --- -Attack Scenarios: -The victim must first install the server. Be wary of suspicious files -because they often can be backdoors in disguise. Once the victim -mistakenly installs the server program, the attacker usually will employ -an IP scanner program to find the IP addresses of victims that have -installed the program. Then the attacker enters the IP address, port -number (which is assigned to the server program by the attacker: -default is 23432), and presses the connect button and he has access to -the computer. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known - --- -False Negatives: -None known - --- -Corrective Action: - -Delete the System Administration key (if found) in -HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or -HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices or -HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. 
- -Open the system.ini and (if found) replace shell=Explore.exe win32cmp.exe to shell=explore.exe - -Open the win.ini and (if found) delete load=c:\windows\wincmp32.exe or run=c:\windows\wincmp32.exe - -Find and delete the Asylum 0.1 trojan server file, usually called wincmp32.exe. - -Keep anti-virus programs updated with the latest definitions. - --- -Contributors: -Sourcefire Research Team -Ricky Macatee - --- -Additional References: - -PestPatrol: -http://www.pestpatrol.com/PestInfo/A/Asylum.asp - -Dark-E: -http://www.dark-e.com/archive/trojans/asylum/01/index.shtml - --- diff -Nru snort-2.8.5.2/doc/signatures/3014.txt snort-2.9.2/doc/signatures/3014.txt --- snort-2.8.5.2/doc/signatures/3014.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3014.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,81 +0,0 @@ -Rule: - --- -Sid: -3014 - --- -Summary: -This event is generated when a victim host attempts to send a connection -confirmation to an attacker using the Asylum 0.1 trojan. - --- -Impact: -If successful, the attacker would gain unauthorized access to your system, enabling him to upload and execute files on your -computer and reboot it at will, resulting in a full compromise of the victim's computer. - --- -Detailed Information: -When executed, Asylum 0.1 opens up its assigned port (default is 23432) for communication with the attacker. -Asylum 0.1 has four functions: Upload File, Open File, Reboot Computer, and Remove Server. - -Upload File: Look for traffic on port 23432 containing UPL followed by a file location. -Open File: Look for traffic on port 23432 containing RUN followed by a file location. -Reboot: Look for the string "RBT" on port 23432. -Remove Server: Look for the string "DIE" on port 23432. - --- -Affected Systems: -Windows 95/98/ME/NT/2000 - --- - -Attack Scenarios: -The victim must first install the server. Be wary of suspicious files because they often can be backdoors in disguise. -Once the victim mistakenly installs the server program, the attacker usually will employ an IP scanner program -to find the IP addresses of victims that have installed the program. Then the attacker enters the IP address, port number (which -is assigned to the server program by the attacker: default is 23432), and presses the connect button and he has access to your computer. - --- - -Ease of Attack: -Easy. Simply a matter of pressing the connect button once the victim has installed the server. 
- - --- - -False Positives: -None known - --- -False Negatives: -None known - --- - -Corrective Action: -Delete the System Administration key (if found) in -HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or -HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices or -HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. - -Open the system.ini and (if found) replace shell=Explore.exe win32cmp.exe to shell=explore.exe - -Open the win.ini and (if found) delete load=c:\windows\wincmp32.exe or run=c:\windows\wincmp32.exe - -Find and delete the Asylum 0.1 trojan server file, usually called wincmp32.exe. - -Keep your anti-virus programs updated with the latest definitions. - --- -Contributors: -Original Rule Writer: Ricky Macatee -Sourcefire Research Team - --- -Additional References: -http://www.pestpatrol.com/PestInfo/A/Asylum.asp -http://www.dark-e.com/archive/trojans/asylum/01/index.shtml - - --- diff -Nru snort-2.8.5.2/doc/signatures/3015.txt snort-2.9.2/doc/signatures/3015.txt --- snort-2.8.5.2/doc/signatures/3015.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3015.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,90 +0,0 @@ -Rule: - --- -Sid: -3015 --- -Summary: -This event is generated when an attempt is made to request a connection on port 2000 using the Insane Network 4.0 trojan. - --- - -Impact: -If connected, the attacker could remotetly execute a multitude of functions resulting in a full compromise of the victim's machine. - --- -Detailed Information: -Insane Network 4.0 uses port 2000 as its default, but -2000, or port 63536, incarnations also exist. -Insane Network 4.0 has a number of functions. The following strings are indicative of a particular Insane Network 4.0 attack. -Be aware that some versions of Insane Network 4.0 will send their attack strings one letter at a time. For example, -to send the bomb command, some versions will send only one letter per packet, resulting in bomb being spelled out in multiple packets. - -Format: Name of function (Description of what it does *only if necessary*) - string to look for - -Bomb ("Bombs" monitor) - bomb -Snow (Makes monitor snowy) - snow -Melt ("Melts" the screen) - melt -Reverse (Reverses screen) - reverse -Copy File - cp followed by a file name and the destination path -Ctrl-Alt-Del (Enable/Disable Ctrl-Alt-Del) - cad -e (for enable) cad -d (for disable) -Delete File - rm followed by a file name, including path -File List - ls followed by directory -File Sharing (Gets shared file password information) - share -Dial-Up Passwords (Get Dial-up password information) - passwd -Make Text File - mktext -Popup Message - popup -Read File - cat followed by a file name, including path -Reboot - reboot -Registry Edit - regrun -Rename File - ren followed by a file and its new name -Run File - exec followed by a file name, including path -Shutdown - shutdown -Taskbar (Enable/Disable Task Bar) - task -e (for enable) tast -d (for disable) -Telnet - telnet - --- -Affected Systems: -Windows 95/98/ME/NT/2000 - --- - -Attack Scenarios: -The victim must first install the server. 
Be wary of suspicious files because they often can be backdoors in disguise. -Once the victim mistakenly installs the server program, the attacker usually will employ an IP scanner program -to find the IP addresses of victims that have installed the program. Then the attacker enters the IP address, port number (which -is assigned to the server program by the attacker: default is 2000), and presses the connect button and he has access to your computer. - --- - -Ease of Attack: -Easy. Simply a matter of pressing the connect button once the victim has installed the server. - - --- - -False Positives: -None known - --- -False Negatives: -None known - --- - -Corrective Action: -Remove insane network.exe and commands.txt -Kill insane network.exe in the process list - -Keep your anti-virus software updated with the latest virus definitions. - --- -Contributors: -Original Rule Writer: Ricky Macatee -Sourcefire Research Team - --- -Additional References: -http://www.pestpatrol.com/PestInfo/i/insane_network.asp - - --- diff -Nru snort-2.8.5.2/doc/signatures/3016.txt snort-2.9.2/doc/signatures/3016.txt --- snort-2.8.5.2/doc/signatures/3016.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3016.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,90 +0,0 @@ -Rule: - --- -Sid: -3016 --- -Summary: -This event is generated when an attempt is made to request a connection on port 63536 using the Insane Network 4.0 trojan. - --- - -Impact: -If connected, the attacker could remotetly execute a multitude of functions resulting in a full compromise of the victim's machine. - --- -Detailed Information: -Insane Network 4.0 uses port 2000 as its default, but -2000, or port 63536, incarnations also exist. -Insane Network 4.0 has a number of functions. The following strings are indicative of a particular Insane Network 4.0 attack. -Be aware that some versions of Insane Network 4.0 will send their attack strings one letter at a time. For example, -to send the bomb command, some versions will send only one letter per packet, resulting in bomb being spelled out in multiple packets. - -Format: Name of function (Description of what it does *only if necessary*) - string to look for - -Bomb ("Bombs" monitor) - bomb -Snow (Makes monitor snowy) - snow -Melt ("Melts" the screen) - melt -Reverse (Reverses screen) - reverse -Copy File - cp followed by a file name and the destination path -Ctrl-Alt-Del (Enable/Disable Ctrl-Alt-Del) - cad -e (for enable) cad -d (for disable) -Delete File - rm followed by a file name, including path -File List - ls followed by directory -File Sharing (Gets shared file password information) - share -Dial-Up Passwords (Get Dial-up password information) - passwd -Make Text File - mktext -Popup Message - popup -Read File - cat followed by a file name, including path -Reboot - reboot -Registry Edit - regrun -Rename File - ren followed by a file and its new name -Run File - exec followed by a file name, including path -Shutdown - shutdown -Taskbar (Enable/Disable Task Bar) - task -e (for enable) tast -d (for disable) -Telnet - telnet - --- -Affected Systems: -Windows 95/98/ME/NT/2000 - --- - -Attack Scenarios: -The victim must first install the server. 
Be wary of suspicious files because they often can be backdoors in disguise. -Once the victim mistakenly installs the server program, the attacker usually will employ an IP scanner program -to find the IP addresses of victims that have installed the program. Then the attacker enters the IP address, port number (which -is assigned to the server program by the attacker: default is 2000), and presses the connect button and he has access to your computer. - --- - -Ease of Attack: -Easy. Simply a matter of pressing the connect button once the victim has installed the server. - - --- - -False Positives: -None known - --- -False Negatives: -None known - --- - -Corrective Action: -Remove insane network.exe and commands.txt -Kill insane network.exe in the process list - -Keep your anti-virus software updated with the latest virus definitions. - --- -Contributors: -Original Rule Writer: Ricky Macatee -Sourcefire Research Team - --- -Additional References: -http://www.pestpatrol.com/PestInfo/i/insane_network.asp - - --- diff -Nru snort-2.8.5.2/doc/signatures/3017.txt snort-2.9.2/doc/signatures/3017.txt --- snort-2.8.5.2/doc/signatures/3017.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3017.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -3017 - --- -Summary: -An oversized request was sent to a WINS server. - --- -Impact: -Client-supplied data is written to client-specified locations in memory, -allowing for arbitrary code execution. Since WINS servers run with -administrative privileges, this allows an attacker to gain -administrative access remotely without any prior authentication. - --- -Detailed Information: -Vulnerable WINS servers write client-supplied data to a client-supplied -memory address. This allows clients to supply arbitrary code for -execution with administrative privileges. This attack does not require authentication. - -In order to reduce false positives, the rule looks for requests that are -greater than 204 bytes. As the maximum length of a hostname is 192 -bytes, and a standard request has 12 bytes of headers, no standard -request should exceed this length. Additionally, this rule checks to see -if particular flags that are required to exploit this vulnerability are -set in the client request. - --- -Affected Systems: -Microsoft Windows servers running the WINS service. - --- -Attack Scenarios: -Since WINS clients are programmed to not exceed the maximum length for a -request, an attacker would need to use a script which generated -malformed WINS requests. - --- -Ease of Attack: -Simple; exploits exist. - --- -False Positives: -This rule will generate false positives when replication occurs. -Additionally, there may be unknown scenarios which generate false positives. - --- -False Negatives: -None known. - --- -Corrective Action: -See the Microsoft Knowledge Base article referenced below. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk - --- -Additional References: -http://support.microsoft.com/kb/890710 - --- diff -Nru snort-2.8.5.2/doc/signatures/3018.txt snort-2.9.2/doc/signatures/3018.txt --- snort-2.8.5.2/doc/signatures/3018.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3018.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3018 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3019.txt snort-2.9.2/doc/signatures/3019.txt --- snort-2.8.5.2/doc/signatures/3019.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3019.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3019 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/301.txt snort-2.9.2/doc/signatures/301.txt --- snort-2.8.5.2/doc/signatures/301.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/301.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,57 +0,0 @@ -Rule: - --- -Sid: 301 - --- -Summary: -This event is generated when an attempt is made to escalate privileges remotely using a vulnerability in LPRng. - --- -Impact: -System compromize presenting the attacker with escalated system privileges . - --- -Detailed Information: -LPRng is an implementation of the Berkeley lpr print spooling protocol. Some versions are vulnerable to a format-string attack that takes advantage of a bug in the syslog() wrapper. Successfull exploitation may present a remote attacker with the ability to execute arbitrary code using the privileges of the LPD daemon owner (typically root). - -Arbitrary addresses in the lpd process address space can be overwritten by sending specially crafted packets to the LPRng daemon listening on port 515 to execute arbitrary code or generate a segmentation violation. - --- -Attack Scenarios: -Exploit scripts are available - --- -Ease of Attack: -Simple. Exploits are available. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - -Disallow access to LPRng port 515 from external sources using a packet filtering firewall. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -Bugtraq: -http://www.securityfocus.com/bid/1712 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0917 - --- diff -Nru snort-2.8.5.2/doc/signatures/3020.txt snort-2.9.2/doc/signatures/3020.txt --- snort-2.8.5.2/doc/signatures/3020.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3020.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3020 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3021.txt snort-2.9.2/doc/signatures/3021.txt --- snort-2.8.5.2/doc/signatures/3021.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3021.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3021 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3022.txt snort-2.9.2/doc/signatures/3022.txt --- snort-2.8.5.2/doc/signatures/3022.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3022.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3022 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3023.txt snort-2.9.2/doc/signatures/3023.txt --- snort-2.8.5.2/doc/signatures/3023.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3023.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3023 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3024.txt snort-2.9.2/doc/signatures/3024.txt --- snort-2.8.5.2/doc/signatures/3024.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3024.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3024 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3025.txt snort-2.9.2/doc/signatures/3025.txt --- snort-2.8.5.2/doc/signatures/3025.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3025.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3025 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3026.txt snort-2.9.2/doc/signatures/3026.txt --- snort-2.8.5.2/doc/signatures/3026.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3026.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3026 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3027.txt snort-2.9.2/doc/signatures/3027.txt --- snort-2.8.5.2/doc/signatures/3027.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3027.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3027 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3028.txt snort-2.9.2/doc/signatures/3028.txt --- snort-2.8.5.2/doc/signatures/3028.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3028.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3028 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3029.txt snort-2.9.2/doc/signatures/3029.txt --- snort-2.8.5.2/doc/signatures/3029.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3029.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3029 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/302.txt snort-2.9.2/doc/signatures/302.txt --- snort-2.8.5.2/doc/signatures/302.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/302.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid: 301
-
---
-Summary:
-This event is generated when an attempt is made to escalate privileges remotely using a vulnerability in LPRng on RedHat systems.
-
---
-Impact:
-System compromize presenting the attacker with escalated system privileges .
-
---
-Detailed Information:
-LPRng is an implementation of the Berkeley lpr print spooling protocol. Some versions are vulnerable to a format-string attack that takes advantage of a bug in the syslog() wrapper. Successfull exploitation may present a remote attacker with the ability to execute arbitrary code using the privileges of the LPD daemon owner (typically root).
-
-Arbitrary addresses in the lpd process address space can be overwritten by sending specially crafted packets to the LPRng daemon listening on port 515 to execute arbitrary code or generate a segmentation violation.
-
---
-Attack Scenarios:
-Exploit scripts are available
-
---
-Ease of Attack:
-Simple. Exploits are available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Disallow access to LPRng port 515 from external sources using a packet filtering firewall.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/1712
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0917
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3030.txt snort-2.9.2/doc/signatures/3030.txt
--- snort-2.8.5.2/doc/signatures/3030.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3030.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3030
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Samba implementation.
-
---
-Impact:
-Serious. Possible execution of arbitrary code.
-
---
-Detailed Information:
-Samba is a file and print serving system for heterogenous networks. It
-is available for use as a service and client on UNIX/Linux systems and as
-a client for Microsoft Windows systems.
-
-Samba uses the SMB/CIFS protocols to allow communication between client
-and server. The SMB protocol contains many commands and is commonly used
-to control network devices and systems from a remote location. A
-vulnerability exists in the way the smb daemon processes commands sent by
-a client system when accessing resources on the remote server.The problem
-exists in the allocation of memory which can be exploited by an attacker
-to cause an integer overflow, possibly leading to the execution of
-arbitrary code on the affected system with the privileges of the user
-running the smbd process.
-
---
-Affected Systems:
- Samba 3.0.8 and prior
-
---
-Attack Scenarios:
-An attacker needs to supply specially crafted data to the smb daemon to
-overflow a buffer containing the information for the access control lists
-to be applied to files in the smb query.
-
---
-Ease of Attack:
-Difficult.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3031.txt snort-2.9.2/doc/signatures/3031.txt
--- snort-2.8.5.2/doc/signatures/3031.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3031.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3031
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Samba implementation.
-
---
-Impact:
-Serious. Possible execution of arbitrary code.
-
---
-Detailed Information:
-Samba is a file and print serving system for heterogenous networks. It
-is available for use as a service and client on UNIX/Linux systems and as
-a client for Microsoft Windows systems.
-
-Samba uses the SMB/CIFS protocols to allow communication between client
-and server. The SMB protocol contains many commands and is commonly used
-to control network devices and systems from a remote location. A
-vulnerability exists in the way the smb daemon processes commands sent by
-a client system when accessing resources on the remote server.The problem
-exists in the allocation of memory which can be exploited by an attacker
-to cause an integer overflow, possibly leading to the execution of
-arbitrary code on the affected system with the privileges of the user
-running the smbd process.
-
---
-Affected Systems:
- Samba 3.0.8 and prior
-
---
-Attack Scenarios:
-An attacker needs to supply specially crafted data to the smb daemon to
-overflow a buffer containing the information for the access control lists
-to be applied to files in the smb query.
-
---
-Ease of Attack:
-Difficult.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3032.txt snort-2.9.2/doc/signatures/3032.txt
--- snort-2.8.5.2/doc/signatures/3032.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3032.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3032
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Samba implementation.
-
---
-Impact:
-Serious. Possible execution of arbitrary code.
-
---
-Detailed Information:
-Samba is a file and print serving system for heterogenous networks. It
-is available for use as a service and client on UNIX/Linux systems and as
-a client for Microsoft Windows systems.
-
-Samba uses the SMB/CIFS protocols to allow communication between client
-and server. The SMB protocol contains many commands and is commonly used
-to control network devices and systems from a remote location. A
-vulnerability exists in the way the smb daemon processes commands sent by
-a client system when accessing resources on the remote server.The problem
-exists in the allocation of memory which can be exploited by an attacker
-to cause an integer overflow, possibly leading to the execution of
-arbitrary code on the affected system with the privileges of the user
-running the smbd process.
-
---
-Affected Systems:
- Samba 3.0.8 and prior
-
---
-Attack Scenarios:
-An attacker needs to supply specially crafted data to the smb daemon to
-overflow a buffer containing the information for the access control lists
-to be applied to files in the smb query.
-
---
-Ease of Attack:
-Difficult.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3033.txt snort-2.9.2/doc/signatures/3033.txt
--- snort-2.8.5.2/doc/signatures/3033.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3033.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3033
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Samba implementation.
-
---
-Impact:
-Serious. Possible execution of arbitrary code.
-
---
-Detailed Information:
-Samba is a file and print serving system for heterogenous networks. It
-is available for use as a service and client on UNIX/Linux systems and as
-a client for Microsoft Windows systems.
-
-Samba uses the SMB/CIFS protocols to allow communication between client
-and server. The SMB protocol contains many commands and is commonly used
-to control network devices and systems from a remote location. A
-vulnerability exists in the way the smb daemon processes commands sent by
-a client system when accessing resources on the remote server.The problem
-exists in the allocation of memory which can be exploited by an attacker
-to cause an integer overflow, possibly leading to the execution of
-arbitrary code on the affected system with the privileges of the user
-running the smbd process.
-
---
-Affected Systems:
- Samba 3.0.8 and prior
-
---
-Attack Scenarios:
-An attacker needs to supply specially crafted data to the smb daemon to
-overflow a buffer containing the information for the access control lists
-to be applied to files in the smb query.
-
---
-Ease of Attack:
-Difficult.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3034.txt snort-2.9.2/doc/signatures/3034.txt
--- snort-2.8.5.2/doc/signatures/3034.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3034.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3034
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Samba implementation.
-
---
-Impact:
-Serious. Possible execution of arbitrary code.
-
---
-Detailed Information:
-Samba is a file and print serving system for heterogenous networks. It
-is available for use as a service and client on UNIX/Linux systems and as
-a client for Microsoft Windows systems.
-
-Samba uses the SMB/CIFS protocols to allow communication between client
-and server. The SMB protocol contains many commands and is commonly used
-to control network devices and systems from a remote location. A
-vulnerability exists in the way the smb daemon processes commands sent by
-a client system when accessing resources on the remote server.The problem
-exists in the allocation of memory which can be exploited by an attacker
-to cause an integer overflow, possibly leading to the execution of
-arbitrary code on the affected system with the privileges of the user
-running the smbd process.
-
---
-Affected Systems:
- Samba 3.0.8 and prior
-
---
-Attack Scenarios:
-An attacker needs to supply specially crafted data to the smb daemon to
-overflow a buffer containing the information for the access control lists
-to be applied to files in the smb query.
-
---
-Ease of Attack:
-Difficult.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3035.txt snort-2.9.2/doc/signatures/3035.txt
--- snort-2.8.5.2/doc/signatures/3035.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3035.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3035
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Samba implementation.
-
---
-Impact:
-Serious. Possible execution of arbitrary code.
-
---
-Detailed Information:
-Samba is a file and print serving system for heterogenous networks. It
-is available for use as a service and client on UNIX/Linux systems and as
-a client for Microsoft Windows systems.
-
-Samba uses the SMB/CIFS protocols to allow communication between client
-and server. The SMB protocol contains many commands and is commonly used
-to control network devices and systems from a remote location. A
-vulnerability exists in the way the smb daemon processes commands sent by
-a client system when accessing resources on the remote server.The problem
-exists in the allocation of memory which can be exploited by an attacker
-to cause an integer overflow, possibly leading to the execution of
-arbitrary code on the affected system with the privileges of the user
-running the smbd process.
-
---
-Affected Systems:
- Samba 3.0.8 and prior
-
---
-Attack Scenarios:
-An attacker needs to supply specially crafted data to the smb daemon to
-overflow a buffer containing the information for the access control lists
-to be applied to files in the smb query.
-
---
-Ease of Attack:
-Difficult.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3036.txt snort-2.9.2/doc/signatures/3036.txt
--- snort-2.8.5.2/doc/signatures/3036.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3036.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3036
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Samba implementation.
-
---
-Impact:
-Serious. Possible execution of arbitrary code.
-
---
-Detailed Information:
-Samba is a file and print serving system for heterogenous networks. It
-is available for use as a service and client on UNIX/Linux systems and as
-a client for Microsoft Windows systems.
-
-Samba uses the SMB/CIFS protocols to allow communication between client
-and server. The SMB protocol contains many commands and is commonly used
-to control network devices and systems from a remote location. A
-vulnerability exists in the way the smb daemon processes commands sent by
-a client system when accessing resources on the remote server.The problem
-exists in the allocation of memory which can be exploited by an attacker
-to cause an integer overflow, possibly leading to the execution of
-arbitrary code on the affected system with the privileges of the user
-running the smbd process.
-
---
-Affected Systems:
- Samba 3.0.8 and prior
-
---
-Attack Scenarios:
-An attacker needs to supply specially crafted data to the smb daemon to
-overflow a buffer containing the information for the access control lists
-to be applied to files in the smb query.
-
---
-Ease of Attack:
-Difficult.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3037.txt snort-2.9.2/doc/signatures/3037.txt
--- snort-2.8.5.2/doc/signatures/3037.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3037.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3037
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Samba implementation.
-
---
-Impact:
-Serious. Possible execution of arbitrary code.
-
---
-Detailed Information:
-Samba is a file and print serving system for heterogenous networks. It
-is available for use as a service and client on UNIX/Linux systems and as
-a client for Microsoft Windows systems.
-
-Samba uses the SMB/CIFS protocols to allow communication between client
-and server. The SMB protocol contains many commands and is commonly used
-to control network devices and systems from a remote location. A
-vulnerability exists in the way the smb daemon processes commands sent by
-a client system when accessing resources on the remote server.The problem
-exists in the allocation of memory which can be exploited by an attacker
-to cause an integer overflow, possibly leading to the execution of
-arbitrary code on the affected system with the privileges of the user
-running the smbd process.
-
---
-Affected Systems:
- Samba 3.0.8 and prior
-
---
-Attack Scenarios:
-An attacker needs to supply specially crafted data to the smb daemon to
-overflow a buffer containing the information for the access control lists
-to be applied to files in the smb query.
-
---
-Ease of Attack:
-Difficult.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3038.txt snort-2.9.2/doc/signatures/3038.txt
--- snort-2.8.5.2/doc/signatures/3038.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3038.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3038
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Samba implementation.
-
---
-Impact:
-Serious. Possible execution of arbitrary code.
-
---
-Detailed Information:
-Samba is a file and print serving system for heterogenous networks. It
-is available for use as a service and client on UNIX/Linux systems and as
-a client for Microsoft Windows systems.
-
-Samba uses the SMB/CIFS protocols to allow communication between client
-and server. The SMB protocol contains many commands and is commonly used
-to control network devices and systems from a remote location. A
-vulnerability exists in the way the smb daemon processes commands sent by
-a client system when accessing resources on the remote server.The problem
-exists in the allocation of memory which can be exploited by an attacker
-to cause an integer overflow, possibly leading to the execution of
-arbitrary code on the affected system with the privileges of the user
-running the smbd process.
-
---
-Affected Systems:
- Samba 3.0.8 and prior
-
---
-Attack Scenarios:
-An attacker needs to supply specially crafted data to the smb daemon to
-overflow a buffer containing the information for the access control lists
-to be applied to files in the smb query.
-
---
-Ease of Attack:
-Difficult.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3039.txt snort-2.9.2/doc/signatures/3039.txt
--- snort-2.8.5.2/doc/signatures/3039.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3039.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3039
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Samba implementation.
-
---
-Impact:
-Serious. Possible execution of arbitrary code.
-
---
-Detailed Information:
-Samba is a file and print serving system for heterogenous networks. It
-is available for use as a service and client on UNIX/Linux systems and as
-a client for Microsoft Windows systems.
-
-Samba uses the SMB/CIFS protocols to allow communication between client
-and server. The SMB protocol contains many commands and is commonly used
-to control network devices and systems from a remote location. A
-vulnerability exists in the way the smb daemon processes commands sent by
-a client system when accessing resources on the remote server.The problem
-exists in the allocation of memory which can be exploited by an attacker
-to cause an integer overflow, possibly leading to the execution of
-arbitrary code on the affected system with the privileges of the user
-running the smbd process.
-
---
-Affected Systems:
- Samba 3.0.8 and prior
-
---
-Attack Scenarios:
-An attacker needs to supply specially crafted data to the smb daemon to
-overflow a buffer containing the information for the access control lists
-to be applied to files in the smb query.
-
---
-Ease of Attack:
-Difficult.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/303.txt snort-2.9.2/doc/signatures/303.txt
--- snort-2.8.5.2/doc/signatures/303.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/303.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,79 +0,0 @@
-Rule:
---
-Sid:
-303
-
---
-Summary:
-A specific inverse query has been performed against your DNS server as a
-precursor to a possible transaction signature (TSIG) buffer overflow
-attack.
-
---
-Impact:
-attempt to gain access to information required for the TSIG exploit. A
-TSIG buffer overflow exploit attempt will usually follow if there is a
-response to the inverse query.
-
-
---
-Detailed Information:
-This is an attempt to perform a specific DNS inverse query against your
-DNS server. While this specific action is not harmful itself, it
-signals a precusor to a possible buffer overflow attack for a TSIG
-vulernability. The inverse query is performed for reconnaissance for
-the TSIG attack.
-
---
-Affected Systems:
-BIND Versions 4 and through 8.2 are susceptible to the inverse query
-information leak.
-
-
---
-Attack Scenarios:
-The envisioned scenario is that if a DNS server responds to the inverse
-query and leaks information required in the actual attack, the exploit
-code then attacks the TSIG buffer overflow vulnerability. If this is
-successful, the attacker gains access to the DNS server at the privilege
-of the DNS daemon, named (potentially root).
-
-
---
-Ease of Attack:
-Code is available to exploit the vulnerability.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-A user could change the exploit code. For instance, a user could change
-the DNS identification number in the code to be something other than
-0xABCD and the rule would not fire.
-
---
-Corrective Action:
-Update to BIND versions greater than 8.2 to prevent the information
-leak.
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/2302
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0010
-
-Arachnids:
-http://www.whitehats.com/info/IDS482
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3040.txt snort-2.9.2/doc/signatures/3040.txt
--- snort-2.8.5.2/doc/signatures/3040.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3040.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3040
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Samba implementation.
-
---
-Impact:
-Serious. Possible execution of arbitrary code.
-
---
-Detailed Information:
-Samba is a file and print serving system for heterogenous networks. It
-is available for use as a service and client on UNIX/Linux systems and as
-a client for Microsoft Windows systems.
-
-Samba uses the SMB/CIFS protocols to allow communication between client
-and server. The SMB protocol contains many commands and is commonly used
-to control network devices and systems from a remote location. A
-vulnerability exists in the way the smb daemon processes commands sent by
-a client system when accessing resources on the remote server.The problem
-exists in the allocation of memory which can be exploited by an attacker
-to cause an integer overflow, possibly leading to the execution of
-arbitrary code on the affected system with the privileges of the user
-running the smbd process.
-
---
-Affected Systems:
- Samba 3.0.8 and prior
-
---
-Attack Scenarios:
-An attacker needs to supply specially crafted data to the smb daemon to
-overflow a buffer containing the information for the access control lists
-to be applied to files in the smb query.
-
---
-Ease of Attack:
-Difficult.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3041.txt snort-2.9.2/doc/signatures/3041.txt
--- snort-2.8.5.2/doc/signatures/3041.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3041.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3041
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Samba implementation.
-
---
-Impact:
-Serious. Possible execution of arbitrary code.
-
---
-Detailed Information:
-Samba is a file and print serving system for heterogenous networks. It
-is available for use as a service and client on UNIX/Linux systems and as
-a client for Microsoft Windows systems.
-
-Samba uses the SMB/CIFS protocols to allow communication between client
-and server. The SMB protocol contains many commands and is commonly used
-to control network devices and systems from a remote location. A
-vulnerability exists in the way the smb daemon processes commands sent by
-a client system when accessing resources on the remote server.The problem
-exists in the allocation of memory which can be exploited by an attacker
-to cause an integer overflow, possibly leading to the execution of
-arbitrary code on the affected system with the privileges of the user
-running the smbd process.
-
---
-Affected Systems:
- Samba 3.0.8 and prior
-
---
-Attack Scenarios:
-An attacker needs to supply specially crafted data to the smb daemon to
-overflow a buffer containing the information for the access control lists
-to be applied to files in the smb query.
-
---
-Ease of Attack:
-Difficult.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3042.txt snort-2.9.2/doc/signatures/3042.txt
--- snort-2.8.5.2/doc/signatures/3042.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3042.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-3042
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Ethereal.
-
---
-Impact:
-Serious. Denial of Service (DoS).
-
---
-Detailed Information:
-Ethereal is a multi-platform network protocol analyser capable of
-displaying network data to the user in a graphical user interface.
-
-An error in the processing of access control lists (ACLs) concerning the
-size of the access control entries (ACEs) may lead to a Denial of Service
-(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
-the ACE given in the packet during processing. If a sufficiently large ACL
-structure is supplied combined with a specified ACE size of 0, it is
-possible to cause the DoS condition to occur.
-
---
-Affected Systems:
- Ethereal 0.10.7 and prior
-
---
-Attack Scenarios:
-An attacker needs to craft packet data containing large NT ACLs, the
-attacker then needs to specify one of the ACEs as having a size of 0.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3043.txt snort-2.9.2/doc/signatures/3043.txt
--- snort-2.8.5.2/doc/signatures/3043.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3043.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-3043
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Ethereal.
-
---
-Impact:
-Serious. Denial of Service (DoS).
-
---
-Detailed Information:
-Ethereal is a multi-platform network protocol analyser capable of
-displaying network data to the user in a graphical user interface.
-
-An error in the processing of access control lists (ACLs) concerning the
-size of the access control entries (ACEs) may lead to a Denial of Service
-(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
-the ACE given in the packet during processing. If a sufficiently large ACL
-structure is supplied combined with a specified ACE size of 0, it is
-possible to cause the DoS condition to occur.
-
---
-Affected Systems:
- Ethereal 0.10.7 and prior
-
---
-Attack Scenarios:
-An attacker needs to craft packet data containing large NT ACLs, the
-attacker then needs to specify one of the ACEs as having a size of 0.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3044.txt snort-2.9.2/doc/signatures/3044.txt
--- snort-2.8.5.2/doc/signatures/3044.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3044.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-3044
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Ethereal.
-
---
-Impact:
-Serious. Denial of Service (DoS).
-
---
-Detailed Information:
-Ethereal is a multi-platform network protocol analyser capable of
-displaying network data to the user in a graphical user interface.
-
-An error in the processing of access control lists (ACLs) concerning the
-size of the access control entries (ACEs) may lead to a Denial of Service
-(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
-the ACE given in the packet during processing. If a sufficiently large ACL
-structure is supplied combined with a specified ACE size of 0, it is
-possible to cause the DoS condition to occur.
-
---
-Affected Systems:
- Ethereal 0.10.7 and prior
-
---
-Attack Scenarios:
-An attacker needs to craft packet data containing large NT ACLs, the
-attacker then needs to specify one of the ACEs as having a size of 0.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3045.txt snort-2.9.2/doc/signatures/3045.txt
--- snort-2.8.5.2/doc/signatures/3045.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3045.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-3045
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Ethereal.
-
---
-Impact:
-Serious. Denial of Service (DoS).
-
---
-Detailed Information:
-Ethereal is a multi-platform network protocol analyser capable of
-displaying network data to the user in a graphical user interface.
-
-An error in the processing of access control lists (ACLs) concerning the
-size of the access control entries (ACEs) may lead to a Denial of Service
-(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
-the ACE given in the packet during processing. If a sufficiently large ACL
-structure is supplied combined with a specified ACE size of 0, it is
-possible to cause the DoS condition to occur.
-
---
-Affected Systems:
- Ethereal 0.10.7 and prior
-
---
-Attack Scenarios:
-An attacker needs to craft packet data containing large NT ACLs, the
-attacker then needs to specify one of the ACEs as having a size of 0.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3046.txt snort-2.9.2/doc/signatures/3046.txt
--- snort-2.8.5.2/doc/signatures/3046.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3046.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -3046 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Ethereal. - --- -Impact: -Serious. Denial of Service (DoS). - --- -Detailed Information: -Ethereal is a multi-platform network protocol analyser capable of -displaying network data to the user in a graphical user interface. - -An error in the processing of access control lists (ACLs) concerning the -size of the access control entries (ACEs) may lead to a Denial of Service -(DoS) condition in Ethereal. The ACL parsing routine trusts the size of -the ACE given in the packet during processing. If a sufficiently large ACL -structure is supplied combined with a specified ACE size of 0, it is -possible to cause the DoS condition to occur. - --- -Affected Systems: - Ethereal 0.10.7 and prior - --- -Attack Scenarios: -An attacker needs to craft packet data containing large NT ACLs, the -attacker then needs to specify one of the ACEs as having a size of 0. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3047.txt snort-2.9.2/doc/signatures/3047.txt --- snort-2.8.5.2/doc/signatures/3047.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3047.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -3047 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Ethereal. - --- -Impact: -Serious. Denial of Service (DoS). - --- -Detailed Information: -Ethereal is a multi-platform network protocol analyser capable of -displaying network data to the user in a graphical user interface. - -An error in the processing of access control lists (ACLs) concerning the -size of the access control entries (ACEs) may lead to a Denial of Service -(DoS) condition in Ethereal. The ACL parsing routine trusts the size of -the ACE given in the packet during processing. If a sufficiently large ACL -structure is supplied combined with a specified ACE size of 0, it is -possible to cause the DoS condition to occur. - --- -Affected Systems: - Ethereal 0.10.7 and prior - --- -Attack Scenarios: -An attacker needs to craft packet data containing large NT ACLs, the -attacker then needs to specify one of the ACEs as having a size of 0. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3048.txt snort-2.9.2/doc/signatures/3048.txt --- snort-2.8.5.2/doc/signatures/3048.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3048.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -3048 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Ethereal. - --- -Impact: -Serious. Denial of Service (DoS). - --- -Detailed Information: -Ethereal is a multi-platform network protocol analyser capable of -displaying network data to the user in a graphical user interface. - -An error in the processing of access control lists (ACLs) concerning the -size of the access control entries (ACEs) may lead to a Denial of Service -(DoS) condition in Ethereal. The ACL parsing routine trusts the size of -the ACE given in the packet during processing. If a sufficiently large ACL -structure is supplied combined with a specified ACE size of 0, it is -possible to cause the DoS condition to occur. - --- -Affected Systems: - Ethereal 0.10.7 and prior - --- -Attack Scenarios: -An attacker needs to craft packet data containing large NT ACLs, the -attacker then needs to specify one of the ACEs as having a size of 0. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3049.txt snort-2.9.2/doc/signatures/3049.txt --- snort-2.8.5.2/doc/signatures/3049.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3049.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -3049 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Ethereal. - --- -Impact: -Serious. Denial of Service (DoS). - --- -Detailed Information: -Ethereal is a multi-platform network protocol analyser capable of -displaying network data to the user in a graphical user interface. - -An error in the processing of access control lists (ACLs) concerning the -size of the access control entries (ACEs) may lead to a Denial of Service -(DoS) condition in Ethereal. The ACL parsing routine trusts the size of -the ACE given in the packet during processing. If a sufficiently large ACL -structure is supplied combined with a specified ACE size of 0, it is -possible to cause the DoS condition to occur. - --- -Affected Systems: - Ethereal 0.10.7 and prior - --- -Attack Scenarios: -An attacker needs to craft packet data containing large NT ACLs, the -attacker then needs to specify one of the ACEs as having a size of 0. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/304.txt snort-2.9.2/doc/signatures/304.txt --- snort-2.8.5.2/doc/signatures/304.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/304.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: 304 - --- -Summary: -This event is genereated when an attempt to overflow the buffer of a SCO server is attempted. - --- -Impact: -Serious. System compromize presenting the attacker with the opportunity to gain remote access to the victim host or execute arbitrary code with the privileges of the superuser account. - --- -Detailed Information: -Some versions of SCO UNIX Calserver are vulnerable to a buffer overflow condition which can present the attacker with a root shell. - -Affected Systems: - SCO Internet faststart 1.0, 1.1 - SCO Open Server 5.0, 5.0.2, 5.0.3 and 5.0.4 - --- -Attack Scenarios: -Exploit scripts are available - --- -Ease of Attack: -Simple. Exploits are available. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - -Apply vendor supplied patches. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0306 - -Bugtraq: -http://www.securityfocus.com/bid/2353 - --- diff -Nru snort-2.8.5.2/doc/signatures/3050.txt snort-2.9.2/doc/signatures/3050.txt --- snort-2.8.5.2/doc/signatures/3050.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3050.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -3050 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Ethereal. - --- -Impact: -Serious. Denial of Service (DoS). - --- -Detailed Information: -Ethereal is a multi-platform network protocol analyser capable of -displaying network data to the user in a graphical user interface. - -An error in the processing of access control lists (ACLs) concerning the -size of the access control entries (ACEs) may lead to a Denial of Service -(DoS) condition in Ethereal. The ACL parsing routine trusts the size of -the ACE given in the packet during processing. If a sufficiently large ACL -structure is supplied combined with a specified ACE size of 0, it is -possible to cause the DoS condition to occur. - --- -Affected Systems: - Ethereal 0.10.7 and prior - --- -Attack Scenarios: -An attacker needs to craft packet data containing large NT ACLs, the -attacker then needs to specify one of the ACEs as having a size of 0. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3051.txt snort-2.9.2/doc/signatures/3051.txt --- snort-2.8.5.2/doc/signatures/3051.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3051.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -3051 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Ethereal. - --- -Impact: -Serious. Denial of Service (DoS). - --- -Detailed Information: -Ethereal is a multi-platform network protocol analyser capable of -displaying network data to the user in a graphical user interface. - -An error in the processing of access control lists (ACLs) concerning the -size of the access control entries (ACEs) may lead to a Denial of Service -(DoS) condition in Ethereal. The ACL parsing routine trusts the size of -the ACE given in the packet during processing. If a sufficiently large ACL -structure is supplied combined with a specified ACE size of 0, it is -possible to cause the DoS condition to occur. - --- -Affected Systems: - Ethereal 0.10.7 and prior - --- -Attack Scenarios: -An attacker needs to craft packet data containing large NT ACLs, the -attacker then needs to specify one of the ACEs as having a size of 0. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3052.txt snort-2.9.2/doc/signatures/3052.txt --- snort-2.8.5.2/doc/signatures/3052.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3052.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -3052 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Ethereal. - --- -Impact: -Serious. Denial of Service (DoS). - --- -Detailed Information: -Ethereal is a multi-platform network protocol analyser capable of -displaying network data to the user in a graphical user interface. - -An error in the processing of access control lists (ACLs) concerning the -size of the access control entries (ACEs) may lead to a Denial of Service -(DoS) condition in Ethereal. The ACL parsing routine trusts the size of -the ACE given in the packet during processing. If a sufficiently large ACL -structure is supplied combined with a specified ACE size of 0, it is -possible to cause the DoS condition to occur. - --- -Affected Systems: - Ethereal 0.10.7 and prior - --- -Attack Scenarios: -An attacker needs to craft packet data containing large NT ACLs, the -attacker then needs to specify one of the ACEs as having a size of 0. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3053.txt snort-2.9.2/doc/signatures/3053.txt --- snort-2.8.5.2/doc/signatures/3053.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3053.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -3053 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Ethereal. - --- -Impact: -Serious. Denial of Service (DoS). - --- -Detailed Information: -Ethereal is a multi-platform network protocol analyser capable of -displaying network data to the user in a graphical user interface. - -An error in the processing of access control lists (ACLs) concerning the -size of the access control entries (ACEs) may lead to a Denial of Service -(DoS) condition in Ethereal. The ACL parsing routine trusts the size of -the ACE given in the packet during processing. If a sufficiently large ACL -structure is supplied combined with a specified ACE size of 0, it is -possible to cause the DoS condition to occur. - --- -Affected Systems: - Ethereal 0.10.7 and prior - --- -Attack Scenarios: -An attacker needs to craft packet data containing large NT ACLs, the -attacker then needs to specify one of the ACEs as having a size of 0. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3054.txt snort-2.9.2/doc/signatures/3054.txt --- snort-2.8.5.2/doc/signatures/3054.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3054.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -3054 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Ethereal. - --- -Impact: -Serious. Denial of Service (DoS). - --- -Detailed Information: -Ethereal is a multi-platform network protocol analyser capable of -displaying network data to the user in a graphical user interface. - -An error in the processing of access control lists (ACLs) concerning the -size of the access control entries (ACEs) may lead to a Denial of Service -(DoS) condition in Ethereal. The ACL parsing routine trusts the size of -the ACE given in the packet during processing. If a sufficiently large ACL -structure is supplied combined with a specified ACE size of 0, it is -possible to cause the DoS condition to occur. - --- -Affected Systems: - Ethereal 0.10.7 and prior - --- -Attack Scenarios: -An attacker needs to craft packet data containing large NT ACLs, the -attacker then needs to specify one of the ACEs as having a size of 0. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3055.txt snort-2.9.2/doc/signatures/3055.txt --- snort-2.8.5.2/doc/signatures/3055.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3055.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -3055 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Ethereal. - --- -Impact: -Serious. Denial of Service (DoS). - --- -Detailed Information: -Ethereal is a multi-platform network protocol analyser capable of -displaying network data to the user in a graphical user interface. - -An error in the processing of access control lists (ACLs) concerning the -size of the access control entries (ACEs) may lead to a Denial of Service -(DoS) condition in Ethereal. The ACL parsing routine trusts the size of -the ACE given in the packet during processing. If a sufficiently large ACL -structure is supplied combined with a specified ACE size of 0, it is -possible to cause the DoS condition to occur. - --- -Affected Systems: - Ethereal 0.10.7 and prior - --- -Attack Scenarios: -An attacker needs to craft packet data containing large NT ACLs, the -attacker then needs to specify one of the ACEs as having a size of 0. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3056.txt snort-2.9.2/doc/signatures/3056.txt --- snort-2.8.5.2/doc/signatures/3056.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3056.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -3056 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Ethereal. - --- -Impact: -Serious. Denial of Service (DoS). - --- -Detailed Information: -Ethereal is a multi-platform network protocol analyser capable of -displaying network data to the user in a graphical user interface. - -An error in the processing of access control lists (ACLs) concerning the -size of the access control entries (ACEs) may lead to a Denial of Service -(DoS) condition in Ethereal. The ACL parsing routine trusts the size of -the ACE given in the packet during processing. If a sufficiently large ACL -structure is supplied combined with a specified ACE size of 0, it is -possible to cause the DoS condition to occur. - --- -Affected Systems: - Ethereal 0.10.7 and prior - --- -Attack Scenarios: -An attacker needs to craft packet data containing large NT ACLs, the -attacker then needs to specify one of the ACEs as having a size of 0. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3057.txt snort-2.9.2/doc/signatures/3057.txt --- snort-2.8.5.2/doc/signatures/3057.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3057.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -3057 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Ethereal. - --- -Impact: -Serious. Denial of Service (DoS). - --- -Detailed Information: -Ethereal is a multi-platform network protocol analyser capable of -displaying network data to the user in a graphical user interface. - -An error in the processing of access control lists (ACLs) concerning the -size of the access control entries (ACEs) may lead to a Denial of Service -(DoS) condition in Ethereal. The ACL parsing routine trusts the size of -the ACE given in the packet during processing. If a sufficiently large ACL -structure is supplied combined with a specified ACE size of 0, it is -possible to cause the DoS condition to occur. - --- -Affected Systems: - Ethereal 0.10.7 and prior - --- -Attack Scenarios: -An attacker needs to craft packet data containing large NT ACLs, the -attacker then needs to specify one of the ACEs as having a size of 0. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3058.txt snort-2.9.2/doc/signatures/3058.txt --- snort-2.8.5.2/doc/signatures/3058.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3058.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: -3058 - --- -Summary: -This event is generated when a remote user sends an overly long string -to an IMAP server via the command COPY. This may indicate an attempt to -exploit a buffer overflow condition. - --- -Impact: -Serious. Possible remote execution of arbitrary code, which may lead to -a remote root compromise. - --- -Detailed Information: -When a large amount of data is sent to a vulnerable IMAP server in the -COPY command, a buffer overflow condition may occur. This can allow the -attacker to execute arbitrary code, which may allow the attacker to gain -root access to the compromised server. - -The attacker must use a valid IMAP account to exploit this condition. - --- -Affected Systems: - IMAP servers - --- -Attack Scenarios: -An attacker can send a sufficiently long COPY command to the IMAP -server, creating a buffer overflow condition. This can then allow the -attacker to execute code of their choosing and possibly gain root access -to the compromised server. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate patches for your operating system. - -Check the host for signs of compromise. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3059.txt snort-2.9.2/doc/signatures/3059.txt --- snort-2.8.5.2/doc/signatures/3059.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3059.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,54 +0,0 @@ -Rule: - --- -Sid: -3059 - --- -Summary: -This event is generated when an attempt is made to initiate a TLS -connection via SSL version 2. - --- -Impact: -Unknown. - --- -Detailed Information: -This rule indicates that an attempt has been made to initiate a TLS -connection via SSL v2. This rule should not generate an event. - --- -Affected Systems: - All implementations using SSL. - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/305.txt snort-2.9.2/doc/signatures/305.txt --- snort-2.8.5.2/doc/signatures/305.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/305.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,57 +0,0 @@ -Rule: - --- -Sid: 305 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow condition in ElectroTechnical Laboratories Delegate proxy server. - --- -Impact: -Serious. System compromize presenting the attacker with the opportunity to gain remote access to the victim host with the privileges of the root user. - --- -Detailed Information: -Numerous buffer overflow conditions exist in ElectroTechnical Laboratories Delegate proxy server. It is possible for a remote attacker to gain a root shell on the victim host. - -Affected Systems: - ETL Delegate 5.9.x - ETL Delegate 6.0.x - --- -Attack Scenarios: -Exploit scripts are available - --- -Ease of Attack: -Simple. Exploits are available. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Original rule writer unkown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0165 - -Bugtraq: -http://www.securityfocus.com/bid/808 - --- diff -Nru snort-2.8.5.2/doc/signatures/3060.txt snort-2.9.2/doc/signatures/3060.txt --- snort-2.8.5.2/doc/signatures/3060.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3060.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,54 +0,0 @@ -Rule: - --- -Sid: -3060 - --- -Summary: -This event is generated when an attempt is made to initiate a TLS -connection via SSL version 2. - --- -Impact: -Unknown. - --- -Detailed Information: -This rule indicates that an attempt has been made to initiate a TLS -connection via SSL v2. This rule should not generate an event. - --- -Affected Systems: - All implementations using SSL. - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3061.txt snort-2.9.2/doc/signatures/3061.txt --- snort-2.8.5.2/doc/signatures/3061.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3061.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -3061 - --- -Summary: -This event is generated when an attempt is made to connect to the distcc -daemon. - --- -Impact: -Serious. Execution of arbitrary commands may be possible. - --- -Detailed Information: -Distcc is an open source distributed C/C++ compiler that can be used -to compile code on remote hosts that run the distcc daemon. A vulnerability -exists in the handling of commands that are generated via a distcc client. The -server does not ensure that compile commands only are sent to it. A command -sequence can be created that executes commands on a vulnerable server. No -authentication is required to execute a command on a distcc server. - --- -Affected Systems: - 2.18.3 and prior - --- -Attack Scenarios: -An attacker can generated a valid distcc command sequence that executes -a command other than a compile on a vulnerable distcc server. - --- -Ease of Attack: -Simple. - --- -False Positives: -This is a policy rule and requires proper customization for the -variable $EXTERNAL_NET for sites that allow distcc traffic from -remote hosts. The $EXTERNAL_NET variable should be replaced with -the IP address(es) of unauthorized client hosts only. - --- -False Negatives: -None known. - --- -Corrective Action: -Use the --allow option when starting the distcc daemon -to specify authorized client hosts. - --- -Contributors: -Sourcefire Vulnerability Research Team -Judy Novak - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3062.txt snort-2.9.2/doc/signatures/3062.txt --- snort-2.8.5.2/doc/signatures/3062.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3062.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,58 +0,0 @@ -Rule: - --- -Sid: -3062 - --- -Summary: -This event is generated when an attempt is made to access the -delhomepage.cgi script which contains known vulnerabilities and -is resident on Netscreen SA 5000 devices. - --- -Impact: -Information gathering and possible cross site scripting attack. - --- -Detailed Information: -This event is generated when an attempt is made to access the -delhomepage.cgi script which is known to be vulnerable to a cross site -scripting attack - --- -Affected Systems: - Netscreen SA 5000 - --- -Attack Scenarios: -An attacker can supply code of their choosing to a client system by -using the cgi script as part of a cross site scripting attack. - --- -Ease of Attack: -Simple. No exploit software required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3063.txt snort-2.9.2/doc/signatures/3063.txt --- snort-2.8.5.2/doc/signatures/3063.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3063.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,133 +0,0 @@ -Rule: - --- -Sid: -3063 - --- -Summary: -This event is generated when an attempt is made to request a connection using -the Vampire 1.2 trojan. - --- -Impact: -If connected, the attacker could execute a multitude of functions resulting in a -complete compromise of the victim's machine. - --- -Detailed Information: -Vampire 1.2 uses port 1020 by default. This port cannot be changed by the attacker. - -The following is a list of the commands for many of Vampier 1.2's functions -(Command Name: Command String): - -Chat With Victim: chat -Clear Recent Folder: cleardoc -Close Windows: endwin -Corrupt File: currfile -Crazy Mouse: crazy -Delete Directory: deletedir -Delete File: delete -Disk Space Left: space -Disable CTRL-ALT-DEL: ctrldisable -Enable CTRL-ALT-DEL: ctrlenable -Fill Hard Drive: fillhd -Find File: findfiles -Format: format -Get Active Windows: getact -Get ICQ Number: geticq -Get Local Time: gettime -Get Operating System: getos -Get Server Path: getpath -Get System Owner: getowner -Get Temp Directory: gettemp -Get Windows Directory: getwin -Get Current User: getname -Get Disk Serial Number: getserial -Get Hard Drive: gethd -Get Organization: getorg -Hang Up Modem: hangup -ISP Account Info: ispinfo -Kill Window: killtask\ -Logoff: logoff -Make Directory: makedir -Monitor Off: monitoroff -Monitor On: monitoron -Hide Mouse: hidemouse -Show Mouse: showmouse -Open Control Panel: panel -Open Date And Time: date -Open CD-ROM: cdopen -Close CD-ROM: cdclose -Open URL: www\ -Ping: ping -Read A Drive: reada -Reboot: reboot -Kill Registry: regfuck -Run Program: run -Screenshot: screenshot -Send Keys: text -Send Message: sndmsg -Set Computer Name: pcname -Set Volume Label: setvolumelabel -Shutdown: shutdown -Hide Task Bar: hidetask -Show Task Bar: showtask -Wacky CR-ROM: wackycd --- -Affected Systems: -Windows 95/98/ME - --- - -Attack Scenarios: -The victim must first install the server. 
Be wary of suspicious files because -they often can be backdoors in disguise. -Once the victim mistakenly installs the server program, the attacker usually -will employ an IP scanner program -to find the IP addresses of victims that have installed the program. Then the -attacker enters the IP address and -presses the connect button and he has access to your computer. - --- - -Ease of Attack: -Easy. Simply a matter of pressing the connect button once the victim has -installed the server. - - --- - -False Positives: -None known - --- -False Negatives: -None known - --- - -Corrective Action: -In order to get rid of it, you must kill the following processes: -vampire.exe or (if not there) server.exe - -You must delete the following files from your hard drive: -vampire.exe or (if not there) server.exe - -Keep your anti-virus software updated. - --- -Contributors: -Original Rule Writer: Ricky Macatee -Sourcefire Research Team - --- -Additional References: - -Pestpatrol: -http://www.pestpatrol.com/pestinfo/v/vampire_1_2.asp - -Dark-E: -http://www.dark-e.com/archive/trojans/vampire/index.shtml - --- diff -Nru snort-2.8.5.2/doc/signatures/3064.txt snort-2.9.2/doc/signatures/3064.txt --- snort-2.8.5.2/doc/signatures/3064.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3064.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,158 +0,0 @@ -Rule: - --- -Sid: -3064 - --- -Summary: -This event is generated when an attempt is made by the victim to send a -connection confirmation to the attacker using the CrazzyNet trojan. - --- -Impact: -If connected, the attacker could remotetly execute a multitude of functions -resulting in a full compromise of the victim's machine. - --- -Detailed Information: -CrazzyNet uses port 17499. CrazzyNet has a number of functions. Each function is -associated with an attack signal string -that is sent to the victim. Be suspicious of the following strings: - -Format: Function Name - String To Look For - -Add Line To File - addlin -Overwrite File With Added Line - ovwlin -Add Icon To Desktop - addico -Beep Sound - sndbep -Change Windows Control Text - chgawc -Change Resolution - chgres -Chat - chatwy -Get Clipboard Text - clpget -Crazy Mouse On - crazym;1 -Crazy Mouse Off - crazym;0 -Delete File/Directory - delete -Remove Windows Functions - remwma;0 -Download File - getfil -Disable Ctl-Alt-Del - discad;0 -Enable Ctl-Alt-Del - discad;1 -Disable Windows Startup - wndsas;0 -Enable Windows Startup - wndsas;1 -Find Files - findfi -Format - format -Get Colors - getcol -Get Computer Name - getcon -Set Computer Name - setcon -Get Date - gettad -Set Date - settad -Get Internet Explorer Start Page - geties -Set Internet Explorer Start Page - chgies -Get Mouse Position - getpos -Set Mouse Position - setmse -Get Clients Connected - geticc -Get Computer Information - getinf -Hide Picture - hidpic -List Installed Programs - asplst -Keylogger - keylog;1 -Kill Mouse - kilmse -List Files And Directories - nextdr -List ICQ - icqlst -List Of Apps - lstapp -Make Directory - makdir -Monitor On - onmoni -Monitor Off - ofmoni -Get Mouse Double Click Time - getdcl -Set Mouse Double Click Time - setdcl -Open CD - opencd -Close CD - closcd -Ping - *ICMP Packet* Echo this string of data -Play Sound - playsd -Print Text - printt -Refresh File Listing - refdir -Run File - runfil 
-Screen Dump - screen -Get Screensaver - getfon -Set Screensaver - setscr -Enable Scrolling Text - scroll -Disable Scrolling Text - sscrol -Send To URL - senurl -Send Key - runkey -Send Message - msgbox -Set Clipboard Text - clpset -Set Desktop Image - chgdes -Show Clock - sclock;1 -Hide Clock - sclock;0 -Show Desktop Icons - deskic;1 -Hide Desktop Icons - deskic;0 -Show Start Bar - startb;1 -Hide Start Bar - startb;0 -Show Task Bar - sotask -Hide Task Bar - hitask -Show Task Bar Icons - staskb;1 -Hide Task Bar Icons - staskb;0 -Show Picture - shopic -Start CD loop - cdloop;1 -Stop CD loop - cdloop;0 -Steal Passwords - geticp -Swap Mouse Buttons On - swpmse;1 -Swap Mouse Buttons Off - swpmse;0 -Terminate Application - terapp -Get Text Box Cursor Blink Rate - getret -Set Text Box Cursor Blink Rate - setret -Upload File - uplfil -Change Volume - volume -Warp On - warpon -Warp Off - warpof -List Windows - wndlst - -- -Affected Systems: -Windows 95/98/ME/NT/2000 - --- - -Attack Scenarios: -The victim must first install the server. Be wary of suspicious files because -they often can be backdoors in disguise. -Once the victim has unknowingly installed the server, the attacker will usually -employ an IP scanner tool to find vulnerable -systems. Once an IP is found, the attacker simply has to make the connection. --- - -Ease of Attack: -Easy. Simply a matter of pressing the connect button once the victim has -installed the server. - - --- - -False Positives: -None known - --- -False Negatives: -None known - --- - -Corrective Action: -CrazzyNet copies itself to C:\WINDOWS\Registry32.exe -Delete the registry key Reg32=Registry32.exe found in -HKCUU\Software\Microsoft\Windows\CurrentVersion\Run -Delete Registry32.exe from Win.ini and System.ini -If found, delete Registry32.exe and server.exe -Make sure to keep your virus definitions updated on your anti-virus software. 
-
---
-Contributors:
-Original Rule Writer: Ricky Macatee
-Sourcefire Research Team
-
---
-Additional References:
-
-Pestpatrol:
-http://www.pestpatrol.com/PestInfo/C/CrazzyNet.asp
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3065.txt snort-2.9.2/doc/signatures/3065.txt
--- snort-2.8.5.2/doc/signatures/3065.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3065.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3065
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow associated with the several commands of an IMAP service. This
-event is concerned with data supplied as a parameter to the
-"append" command.
-
---
-Impact:
-A successful attack may cause a denial of service or a buffer overflow
-and the subsequent execution of arbitrary code on a vulnerable server.
-
---
-Detailed Information:
-This event is generated when excess data is detected in an IMAP command.
-Some IMAP implementations exhibit programming errors that can lead to a
-buffer overflow condition when excess data is supplied to a static
-buffer.
-
-A vulnerability exists in the way that the Mercury Mail IMAP service
-handles several commands. An excessively long command argument can
-trigger a denial of service or a buffer overflow and the subsequent
-execution of arbitrary code on a vulnerable server.
-
---
-Affected Systems:
- Pegasus Mail Mercury Mail Transport System 3.32
- Pegasus Mail Mercury Mail Transport System 4.01a
-
---
-Attack Scenarios:
-An attacker can supplied an overly long command, causing denial of
-service or a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3066.txt snort-2.9.2/doc/signatures/3066.txt
--- snort-2.8.5.2/doc/signatures/3066.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3066.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3066
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow associated with the several commands of an IMAP service. This
-event is concerned with data supplied as a parameter to the
-"append" command.
-
---
-Impact:
-A successful attack may cause a denial of service or a buffer overflow
-and the subsequent execution of arbitrary code on a vulnerable server.
-
---
-Detailed Information:
-This event is generated when excess data is detected in an IMAP command.
-Some IMAP implementations exhibit programming errors that can lead to a
-buffer overflow condition when excess data is supplied to a static
-buffer.
-
-A vulnerability exists in the way that the Mercury Mail IMAP service
-handles several commands. An excessively long command argument can
-trigger a denial of service or a buffer overflow and the subsequent
-execution of arbitrary code on a vulnerable server.
-
---
-Affected Systems:
- Pegasus Mail Mercury Mail Transport System 3.32
- Pegasus Mail Mercury Mail Transport System 4.01a
-
---
-Attack Scenarios:
-An attacker can supplied an overly long command, causing denial of
-service or a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3067.txt snort-2.9.2/doc/signatures/3067.txt
--- snort-2.8.5.2/doc/signatures/3067.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3067.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-3067
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow associated with the several commands of an IMAP service. This
-event is concerned with data supplied as a parameter to the
-"examine" command.
-
---
-Impact:
-A successful attack may cause a denial of service or a buffer overflow
-and the subsequent execution of arbitrary code on a vulnerable server.
-
---
-Detailed Information:
-This event is generated when excess data is detected in an IMAP command.
-Some IMAP implementations exhibit programming errors that can lead to a
-buffer overflow condition when excess data is supplied to a static
-buffer.
-
-A vulnerability exists in the way that the Mercury Mail IMAP service
-handles several commands. An excessively long command argument can
-trigger a denial of service or a buffer overflow and the subsequent
-execution of arbitrary code on a vulnerable server.
-
-In the case of Ipswitch IMail, an overly long mailbox name supplied as a
-parameter to the examine command may be a trigger condition of a buffer
-overflow. A name of 259 bytes or more may cause this to occur.
-
---
-Affected Systems:
- Pegasus Mail Mercury Mail Transport System 3.32
- Pegasus Mail Mercury Mail Transport System 4.01a
- Ipswitch IMail 8.1.3
-
---
-Attack Scenarios:
-An attacker can supplied an overly long command, causing denial of
-service or a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3068.txt snort-2.9.2/doc/signatures/3068.txt
--- snort-2.8.5.2/doc/signatures/3068.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3068.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-3068
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow associated with the several commands of an IMAP service. This
-event is concerned with data supplied as a parameter to the
-"examine" command.
-
---
-Impact:
-A successful attack may cause a denial of service or a buffer overflow
-and the subsequent execution of arbitrary code on a vulnerable server.
-
---
-Detailed Information:
-This event is generated when excess data is detected in an IMAP command.
-Some IMAP implementations exhibit programming errors that can lead to a
-buffer overflow condition when excess data is supplied to a static
-buffer.
-
-A vulnerability exists in the way that the Mercury Mail IMAP service
-handles several commands. An excessively long command argument can
-trigger a denial of service or a buffer overflow and the subsequent
-execution of arbitrary code on a vulnerable server.
-
-In the case of Ipswitch IMail, an overly long mailbox name supplied as a
-parameter to the examine command may be a trigger condition of a buffer
-overflow. A name of 259 bytes or more may cause this to occur.
-
---
-Affected Systems:
- Pegasus Mail Mercury Mail Transport System 3.32
- Pegasus Mail Mercury Mail Transport System 4.01a
- Ipswitch IMail 8.1.3
-
---
-Attack Scenarios:
-An attacker can supplied an overly long command, causing denial of
-service or a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3069.txt snort-2.9.2/doc/signatures/3069.txt
--- snort-2.8.5.2/doc/signatures/3069.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3069.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3069
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow associated with the several commands of an IMAP service. This
-event is concerned with data supplied as a parameter to the
-"fetch" command.
-
---
-Impact:
-A successful attack may cause a denial of service or a buffer overflow
-and the subsequent execution of arbitrary code on a vulnerable server.
-
---
-Detailed Information:
-This event is generated when excess data is detected in an IMAP command.
-Some IMAP implementations exhibit programming errors that can lead to a
-buffer overflow condition when excess data is supplied to a static
-buffer.
-
-A vulnerability exists in the way that the Mercury Mail IMAP service
-handles several commands. An excessively long command argument can
-trigger a denial of service or a buffer overflow and the subsequent
-execution of arbitrary code on a vulnerable server.
-
---
-Affected Systems:
- Pegasus Mail Mercury Mail Transport System 3.32
- Pegasus Mail Mercury Mail Transport System 4.01a
-
---
-Attack Scenarios:
-An attacker can supplied an overly long command, causing denial of
-service or a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/306.txt snort-2.9.2/doc/signatures/306.txt
--- snort-2.8.5.2/doc/signatures/306.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/306.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid: 306
-
---
-Summary:
-This event is generated when an attempt is made to exploit a vulnerability in VQ Server to cause a Denial of Service (DoS).
-
---
-Impact:
-Serious. A Denial of Service on the target server is possible.
-
---
-Detailed Information:
-vqServer is a personal web server that runs on Microsoft Windows, Linux and Solaris. Version 1.4.49 suffers from a DoS condition if a long GET request is issued to the server.
-
-Affected Systems:
- vqServer 1.4.49
-
---
-Attack Scenarios:
-Exploit scripts are available
-
---
-Ease of Attack:
-Simple. Exploits are available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/1610
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0766
-
-vqSoft:
-http://www.vqsoft.com/
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3070.txt snort-2.9.2/doc/signatures/3070.txt
--- snort-2.8.5.2/doc/signatures/3070.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3070.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3070
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow associated with the several commands of an IMAP service. This
-event is concerned with data supplied as a parameter to the
-"fetch" command.
-
---
-Impact:
-A successful attack may cause a denial of service or a buffer overflow
-and the subsequent execution of arbitrary code on a vulnerable server.
-
---
-Detailed Information:
-This event is generated when excess data is detected in an IMAP command.
-Some IMAP implementations exhibit programming errors that can lead to a
-buffer overflow condition when excess data is supplied to a static
-buffer.
-
-A vulnerability exists in the way that the Mercury Mail IMAP service
-handles several commands. An excessively long command argument can
-trigger a denial of service or a buffer overflow and the subsequent
-execution of arbitrary code on a vulnerable server.
-
---
-Affected Systems:
- Pegasus Mail Mercury Mail Transport System 3.32
- Pegasus Mail Mercury Mail Transport System 4.01a
-
---
-Attack Scenarios:
-An attacker can supplied an overly long command, causing denial of
-service or a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3071.txt snort-2.9.2/doc/signatures/3071.txt
--- snort-2.8.5.2/doc/signatures/3071.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3071.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3071
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow associated with the several commands of an IMAP service. This
-event is concerned with data supplied as a parameter to the
-"status" command.
-
---
-Impact:
-A successful attack may cause a denial of service or a buffer overflow
-and the subsequent execution of arbitrary code on a vulnerable server.
-
---
-Detailed Information:
-This event is generated when excess data is detected in an IMAP command.
-Some IMAP implementations exhibit programming errors that can lead to a
-buffer overflow condition when excess data is supplied to a static
-buffer.
-
-A vulnerability exists in the way that the Mercury Mail IMAP service
-handles several commands. An excessively long command argument can
-trigger a denial of service or a buffer overflow and the subsequent
-execution of arbitrary code on a vulnerable server.
-
---
-Affected Systems:
- Pegasus Mail Mercury Mail Transport System 3.32
- Pegasus Mail Mercury Mail Transport System 4.01a
-
---
-Attack Scenarios:
-An attacker can supplied an overly long command, causing denial of
-service or a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3072.txt snort-2.9.2/doc/signatures/3072.txt
--- snort-2.8.5.2/doc/signatures/3072.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3072.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3072
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow associated with the several commands of an IMAP service. This
-event is concerned with data supplied as a parameter to the
-"status" command.
-
---
-Impact:
-A successful attack may cause a denial of service or a buffer overflow
-and the subsequent execution of arbitrary code on a vulnerable server.
-
---
-Detailed Information:
-This event is generated when excess data is detected in an IMAP command.
-Some IMAP implementations exhibit programming errors that can lead to a
-buffer overflow condition when excess data is supplied to a static
-buffer.
-
-A vulnerability exists in the way that the Mercury Mail IMAP service
-handles several commands. An excessively long command argument can
-trigger a denial of service or a buffer overflow and the subsequent
-execution of arbitrary code on a vulnerable server.
-
---
-Affected Systems:
- Pegasus Mail Mercury Mail Transport System 3.32
- Pegasus Mail Mercury Mail Transport System 4.01a
-
---
-Attack Scenarios:
-An attacker can supplied an overly long command, causing denial of
-service or a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3073.txt snort-2.9.2/doc/signatures/3073.txt
--- snort-2.8.5.2/doc/signatures/3073.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3073.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3073
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow associated with the several commands of an IMAP service. This
-event is concerned with data supplied as a parameter to the
-"subscribe" command.
-
---
-Impact:
-A successful attack may cause a denial of service or a buffer overflow
-and the subsequent execution of arbitrary code on a vulnerable server.
-
---
-Detailed Information:
-This event is generated when excess data is detected in an IMAP command.
-Some IMAP implementations exhibit programming errors that can lead to a
-buffer overflow condition when excess data is supplied to a static
-buffer.
-
-A vulnerability exists in the way that the Mercury Mail IMAP service
-handles several commands. An excessively long command argument can
-trigger a denial of service or a buffer overflow and the subsequent
-execution of arbitrary code on a vulnerable server.
-
---
-Affected Systems:
- Pegasus Mail Mercury Mail Transport System 3.32
- Pegasus Mail Mercury Mail Transport System 4.01a
-
---
-Attack Scenarios:
-An attacker can supplied an overly long command, causing denial of
-service or a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3074.txt snort-2.9.2/doc/signatures/3074.txt
--- snort-2.8.5.2/doc/signatures/3074.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3074.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3074
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow associated with the several commands of an IMAP service. This
-event is concerned with data supplied as a parameter to the
-"subscribe" command.
-
---
-Impact:
-A successful attack may cause a denial of service or a buffer overflow
-and the subsequent execution of arbitrary code on a vulnerable server.
-
---
-Detailed Information:
-This event is generated when excess data is detected in an IMAP command.
-Some IMAP implementations exhibit programming errors that can lead to a
-buffer overflow condition when excess data is supplied to a static
-buffer.
-
-A vulnerability exists in the way that the Mercury Mail IMAP service
-handles several commands. An excessively long command argument can
-trigger a denial of service or a buffer overflow and the subsequent
-execution of arbitrary code on a vulnerable server.
-
---
-Affected Systems:
- Pegasus Mail Mercury Mail Transport System 3.32
- Pegasus Mail Mercury Mail Transport System 4.01a
-
---
-Attack Scenarios:
-An attacker can supplied an overly long command, causing denial of
-service or a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3075.txt snort-2.9.2/doc/signatures/3075.txt
--- snort-2.8.5.2/doc/signatures/3075.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3075.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3075
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow associated with the several commands of an IMAP service. This
-event is concerned with data supplied as a parameter to the
-"unsubscribe" command.
-
---
-Impact:
-A successful attack may cause a denial of service or a buffer overflow
-and the subsequent execution of arbitrary code on a vulnerable server.
-
---
-Detailed Information:
-This event is generated when excess data is detected in an IMAP command.
-Some IMAP implementations exhibit programming errors that can lead to a
-buffer overflow condition when excess data is supplied to a static
-buffer.
-
-A vulnerability exists in the way that the Mercury Mail IMAP service
-handles several commands. An excessively long command argument can
-trigger a denial of service or a buffer overflow and the subsequent
-execution of arbitrary code on a vulnerable server.
-
---
-Affected Systems:
- Pegasus Mail Mercury Mail Transport System 3.32
- Pegasus Mail Mercury Mail Transport System 4.01a
-
---
-Attack Scenarios:
-An attacker can supplied an overly long command, causing denial of
-service or a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3076.txt snort-2.9.2/doc/signatures/3076.txt
--- snort-2.8.5.2/doc/signatures/3076.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3076.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3076
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow associated with the several commands of an IMAP service. This
-event is concerned with data supplied as a parameter to the
-"unsubscribe" command.
-
---
-Impact:
-A successful attack may cause a denial of service or a buffer overflow
-and the subsequent execution of arbitrary code on a vulnerable server.
-
---
-Detailed Information:
-This event is generated when excess data is detected in an IMAP command.
-Some IMAP implementations exhibit programming errors that can lead to a
-buffer overflow condition when excess data is supplied to a static
-buffer.
-
-A vulnerability exists in the way that the Mercury Mail IMAP service
-handles several commands. An excessively long command argument can
-trigger a denial of service or a buffer overflow and the subsequent
-execution of arbitrary code on a vulnerable server.
-
---
-Affected Systems:
- Pegasus Mail Mercury Mail Transport System 3.32
- Pegasus Mail Mercury Mail Transport System 4.01a
-
---
-Attack Scenarios:
-An attacker can supplied an overly long command, causing denial of
-service or a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3077.txt snort-2.9.2/doc/signatures/3077.txt
--- snort-2.8.5.2/doc/signatures/3077.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3077.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-3077
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow associated with the RNFR command of the IPSwitch WS_FTP server.
-
---
-Impact:
-A successful attack may cause a denial of service or a buffer overflow
-and the subsequent execution of arbitrary code on a vulnerable server.
-
---
-Detailed Information:
-A vulnerability exists in the way that the IPSwitch WS_FTP service
-handles the RNFR command. An excessively long parameter supplied to the
-command can trigger a denial of service or a buffer overflow and the
-subsequent execution of arbitrary code on a vulnerable server.
-
---
-Affected Systems:
- IPSwitch WS_FTP 4.x, 5.x
-
---
-Attack Scenarios:
-An attacker can supplied an overly long parameter with the RNFR command,
-possibly causing denial of service or a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Secunia:
-http://secunia.com/advisories/13334
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3078.txt snort-2.9.2/doc/signatures/3078.txt
--- snort-2.8.5.2/doc/signatures/3078.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3078.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-3078
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft implementation of the Network News Transport
-Protocol (NNTP) for Internet Information Server (IIS).
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-The Microsoft implementation of NNTP for IIS contains a programming
-error in the processing of user supplied input that may present an
-attacker with multiple opportunites to execute code of their choosing on
-an affected system.
-
---
-Affected Systems:
-. Microsoft Windows NT Server 4.0 NNTP component
-. Microsoft Windows 2000 Server NNTP component
-. Microsoft Windows Server 2003 NNTP Component
-. Microsoft Windows Server 2003 64-Bit Edition NNTP Component
-
---
-Attack Scenarios:
-An attacker must supply specially crafted input to a vulnerable system
-to cause the overflow to occur.
-
---
-Ease of Attack:
-Moderate. Example code exists.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-CORE Technologies:
-http://www.coresecurity.com/common/showdoc.php?idx=420&idxseccion=10
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3079.txt snort-2.9.2/doc/signatures/3079.txt
--- snort-2.8.5.2/doc/signatures/3079.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3079.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3079
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow associated with Microsoft's processing of an animated cursor
-file.
-
---
-Impact:
-A successful attack may permit a buffer overflow that allows the execution
-of arbitrary code at the privilege level of the user downloading the
-malicious file.
-
---
-Detailed Information:
-A vulnerability exists in the way the Microsoft Windows LoadImage API validates
-animated cursor (ANI) files. An invalid length associated with a structure
-supporting the properties of the animated cursor can cause a buffer overflow
-and the subsequent execution of arbirary code in the context of the current user.
-
---
-Affected Systems:
- Windows 98, ME, NT, 2000, XP (not SP2), and Server 2003
-
---
-Attack Scenarios:
-An attacker can entice a user to download a malicious animated cursor
-file, causing a buffer overflow and the subsequent execution of arbitrary
-code on the vulnerable client.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-In order to avoid potential evasion techniques, http_inspect should be
-configured with "flow_depth 0" so that all HTTP server response traffic is
-inspected.
-
-WARNING
-Setting flow_depth 0 will cause performance problems in some situations.
-WARNING
-
---
-Corrective Action:
-Apply the patch(s) discussed in Microsoft bulletin MS05-002.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
-Microsoft Technet:
-http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx
-
---
diff -Nru snort-2.8.5.2/doc/signatures/307.txt snort-2.9.2/doc/signatures/307.txt
--- snort-2.8.5.2/doc/signatures/307.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/307.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid: 307
-
---
-Summary:
-This event is generated when an attempt is made to exploit
-vulnerable versions of the Chocoa IRC client.
-
---
-Impact:
-Serious. System compromize presenting the attacker with the opportunity to execute arbitrary code on the client.
-
---
-Detailed Information:
-It is possible for a malicious attacker to exploit a vulnerability in the Chocoa IRC client by setting an IRC channel topic specially designed to cause a buffer overflow.
-
-Affected Systems:
- Fujitsu Chocoa 1.0 beta 7r for Windows 9x and NT.
-
-
---
-Attack Scenarios:
-The attacker would need to set a specially crafted IRC channel topic to cause the overflow.
-
-Exploit scripts are available
-
---
-Ease of Attack:
-Simple. Exploits are available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0672
-
-Bugtraq:
-http://www.securityfocus.com/bid/573
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3080.txt snort-2.9.2/doc/signatures/3080.txt
--- snort-2.8.5.2/doc/signatures/3080.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3080.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-3080
-
---
-Summary:
-This event is generated when a remote attacker sends an overly long "secure"
-query to a host acting as an Unreal engine server. This may
-indicate an attempt to exploit a buffer overflow vulnerability.
-
---
-Impact:
-Serious. A successful buffer overflow can permit the execution of arbitrary
-code on a vulnerable system.
-
---
-Detailed Information:
-Unreal Tournament 2003 and 2004 are popular games developed by EpicGames and
-available for Linux, Windows and Macintosh platforms. The Unreal engine is
-used for both client and server functionality. An overly long "secure"
-query can be sent to the game server, causing a buffer overflow and the
-subsequent execution of arbitrary code.
-
---
-Affected Systems:
- Multiple versions of the Unreal Engine running on Linux, Microsoft
- Windows and Macintosh platforms.
-
---
-Attack Scenarios:
-An attacker can send an overly long "secure" query to a vulnerable host, causing
-a buffer overflow and the subsequent execution of arbitrary code.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-Unreal servers can be configured to run on arbitrary ports.
-Administrators should either change the port used in the rule or create
-a variable for the ports to be used in the rule.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the most current nonaffected version of the software.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Judy Novak
-
---
-Additional References:
-
-OSVDB
-http://www.osvdb.org/displayvuln.php?osvdb_id=7217&Lookup=Lookup
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3081.txt snort-2.9.2/doc/signatures/3081.txt
--- snort-2.8.5.2/doc/signatures/3081.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3081.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,145 +0,0 @@
-Rule:
-
---
-Sid:
-3081
---
-Summary:
-This event is generated when a Y3KRAT 1.5 server attempts to respond to a client's connect request.
-
---
-Impact:
-If connected, the attacker could execute a multitude of functions resulting in a complete compromise of the victim's machine.
-
---
-Detailed Information:
-Y3KRAT 1.5 uses port 5880 by default. This port can be changed by the attacker.
-
-The following is a list of the commands for many of Y3KRAT 1.5's functions (Command Name: Command String):
-
-AIM Passwords: aolpwd
-AIM Spy: aolspy
-Change Internet Explorer Caption: changeiecaptest
-Chat With Server: chatsrvY3K Rat user
-Clipboard: pastefromclip
-Change Desktop Color Scheme: clsys
-Change Recycle Bin Name: nrbin
-Change System Name: sysname
-Change Time: time
-Video List: getvideolist
-Dialup: autoconnect
-Access Directories: getclientgetpaths
-Get Directory Paths: getpaths
-Disable Mouse Buttons: dbuttons
-Disable Num Lock: dnumlock
-Disable System Keys: dsyskeys
-Disable All Keys: dkeys{all}
-DOS Commands: doscommands
-Fast Mouse: fastmouseon
-Find File: findfile
-Flip Screen: flip1hor
-FTP: openftp21
-Go To URL: gotourl
-Hide Taskbar: hidetask
-Hide Clock: hideclock
-Hide Desktop Icons: hidedeskicons
-Hide Start Button: hidestart
-Hide System Tray: hidesystray
-ICQ Information: getclienticqinfo
-ICQ Passwords: geticqpass
-ICQ Spy: icqspy
-Internet Explorer Spy: iespy
-General Information: general
-Lights On: lightson
-Lights Off: lightsoff
-Live Shot: cap
-Logged Passwords: getpasses
-Logoff: boot41
-Make File: makefile
-Matrix Chat: matrix
-Modify File (Read System File): readsysfiles
-Modify File (Write System File): writesysfiles
-Monitor Off: enablestandby
-Mouse Settings (Set Position): setpos
-Mouse Settings (Freeze Mouse Position): freezepos
-Mouse Settings (Speed Up Cursor): speedcursor
-MSN Spy: msnspy
-Napster Spy: napsterspy
-Net Get: netget
-NetStat (Read): netstatread
-NetStat (Kill): netstatkill
-CD-ROM open: cdopen
-CD-ROM 
close: cdclose
-Open File: getfiles
-Overclock: upmhz
-Play Sound: snd (*followed by the sound, for example, err for the error sound*)
-Power Off: boot31
-Print: print
-Ras Passwords: getras
-Remove Server: killserver
-Change Resolution: setdevmode
-Restart: boot21
-Safe Mode: safemode
-Screenshot: cap
-Send Keys: sendtextf
-Send Message: messText
-Show Windows With Text: showwin
-Shutdown: boot11
-Swap Mouse Buttons: swapbuttons
-Write System Error: writesystem
-Yahoo Spy: yahoospy
-
-
---
-Affected Systems:
- Windows 95, 98, ME, NT, 2000
-
---
-
-Attack Scenarios:
-The victim must first install the server. Be wary of suspicious files because they often can be backdoors in disguise.
-Once the victim mistakenly installs the server program, the attacker usually will employ an IP scanner program
-to find the IP addresses of victims that have installed the program. Then the attacker enters the IP address and
-presses the connect button and he has access to your computer.
-
---
-
-Ease of Attack:
-Easy. Simply a matter of pressing the connect button once the victim has installed the server.
-
-
---
-
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-
-Corrective Action:
-Remove the Dcomcnofg key located at the following places in the registry:
-HKEY_LOCAL_MACHINES\Software\Microsoft\Windows\CurrentVersion\Run
-HKEY_LOCAL_MACHINES\Software\Microsoft\Windows\CurrentVersion\RunServices
-HKEY_USERS\Default\Software\Microsoft\Windows\CurrentVersion\Run
-
-Reboot the computer or close Dcomcnofg.exe.
-
-Delete Dcomcnofg.exe from the windows system directory.
-
-If found, delete server.exe and kill the process called server.exe.
-
---
-Contributors:
-Sourcefire Research Team
-Ricky Macatee
-
---
-Additional References:
-
-Dark-E:
-http://www.dark-e.com/archive/trojans/y3krat/15/index.shtml
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3082.txt snort-2.9.2/doc/signatures/3082.txt
--- snort-2.8.5.2/doc/signatures/3082.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3082.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,145 +0,0 @@
-Rule:
-
---
-Sid:
-3082
---
-Summary:
-This event is generated when a Y3KRAT 1.5 client attempts to respond to the Y3KRAT 1.5 server.
-
---
-Impact:
-If connected, the attacker could execute a multitude of functions resulting in a complete compromise of the victim's machine.
-
---
-Detailed Information:
-Y3KRAT 1.5 uses port 5880 by default. This port can be changed by the attacker.
-
-The following is a list of the commands for many of Y3KRAT 1.5's functions (Command Name: Command String):
-
-AIM Passwords: aolpwd
-AIM Spy: aolspy
-Change Internet Explorer Caption: changeiecaptest
-Chat With Server: chatsrvY3K Rat user
-Clipboard: pastefromclip
-Change Desktop Color Scheme: clsys
-Change Recycle Bin Name: nrbin
-Change System Name: sysname
-Change Time: time
-Video List: getvideolist
-Dialup: autoconnect
-Access Directories: getclientgetpaths
-Get Directory Paths: getpaths
-Disable Mouse Buttons: dbuttons
-Disable Num Lock: dnumlock
-Disable System Keys: dsyskeys
-Disable All Keys: dkeys{all}
-DOS Commands: doscommands
-Fast Mouse: fastmouseon
-Find File: findfile
-Flip Screen: flip1hor
-FTP: openftp21
-Go To URL: gotourl
-Hide Taskbar: hidetask
-Hide Clock: hideclock
-Hide Desktop Icons: hidedeskicons
-Hide Start Button: hidestart
-Hide System Tray: hidesystray
-ICQ Information: getclienticqinfo
-ICQ Passwords: geticqpass
-ICQ Spy: icqspy
-Internet Explorer Spy: iespy
-General Information: general
-Lights On: lightson
-Lights Off: lightsoff
-Live Shot: cap
-Logged Passwords: getpasses
-Logoff: boot41
-Make File: makefile
-Matrix Chat: matrix
-Modify File (Read System File): readsysfiles
-Modify File (Write System File): writesysfiles
-Monitor Off: enablestandby
-Mouse Settings (Set Position): setpos
-Mouse Settings (Freeze Mouse Position): freezepos
-Mouse Settings (Speed Up Cursor): speedcursor
-MSN Spy: msnspy
-Napster Spy: napsterspy
-Net Get: netget
-NetStat (Read): netstatread
-NetStat (Kill): netstatkill
-CD-ROM open: cdopen
-CD-ROM 
close: cdclose
-Open File: getfiles
-Overclock: upmhz
-Play Sound: snd (*followed by the sound, for example, err for the error sound*)
-Power Off: boot31
-Print: print
-Ras Passwords: getras
-Remove Server: killserver
-Change Resolution: setdevmode
-Restart: boot21
-Safe Mode: safemode
-Screenshot: cap
-Send Keys: sendtextf
-Send Message: messText
-Show Windows With Text: showwin
-Shutdown: boot11
-Swap Mouse Buttons: swapbuttons
-Write System Error: writesystem
-Yahoo Spy: yahoospy
-
-
---
-Affected Systems:
- Windows 95, 98, ME, NT, 2000
-
---
-
-Attack Scenarios:
-The victim must first install the server. Be wary of suspicious files because they often can be backdoors in disguise.
-Once the victim mistakenly installs the server program, the attacker usually will employ an IP scanner program
-to find the IP addresses of victims that have installed the program. Then the attacker enters the IP address and
-presses the connect button and he has access to your computer.
-
---
-
-Ease of Attack:
-Easy. Simply a matter of pressing the connect button once the victim has installed the server.
-
-
---
-
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-
-Corrective Action:
-Remove the Dcomcnofg key located at the following places in the registry:
-HKEY_LOCAL_MACHINES\Software\Microsoft\Windows\CurrentVersion\Run
-HKEY_LOCAL_MACHINES\Software\Microsoft\Windows\CurrentVersion\RunServices
-HKEY_USERS\Default\Software\Microsoft\Windows\CurrentVersion\Run
-
-Reboot the computer or close Dcomcnofg.exe.
-
-Delete Dcomcnofg.exe from the windows system directory.
-
-If found, delete server.exe and kill the process called server.exe.
-
---
-Contributors:
-Sourcefire Research Team
-Ricky Macatee
-
---
-Additional References:
-
-Dark-E:
-http://www.dark-e.com/archive/trojans/y3krat/15/index.shtml
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3083.txt snort-2.9.2/doc/signatures/3083.txt
--- snort-2.8.5.2/doc/signatures/3083.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3083.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,141 +0,0 @@
-Rule:
-
---
-Sid:
-3083
---
-Summary:
-This event is generated when a Y3KRAT 1.5 server attempts to confirm the client's response.
-
---
-Impact:
-If connected, the attacker could execute a multitude of functions resulting in a complete compromise of the victim's machine.
-
---
-Detailed Information:
-Y3KRAT 1.5 uses port 5880 by default. This port can be changed by the attacker.
-
-The following is a list of the commands for many of Y3KRAT 1.5's functions (Command Name: Command String):
-
-AIM Passwords: aolpwd
-AIM Spy: aolspy
-Change Internet Explorer Caption: changeiecaptest
-Chat With Server: chatsrvY3K Rat user
-Clipboard: pastefromclip
-Change Desktop Color Scheme: clsys
-Change Recycle Bin Name: nrbin
-Change System Name: sysname
-Change Time: time
-Video List: getvideolist
-Dialup: autoconnect
-Access Directories: getclientgetpaths
-Get Directory Paths: getpaths
-Disable Mouse Buttons: dbuttons
-Disable Num Lock: dnumlock
-Disable System Keys: dsyskeys
-Disable All Keys: dkeys{all}
-DOS Commands: doscommands
-Fast Mouse: fastmouseon
-Find File: findfile
-Flip Screen: flip1hor
-FTP: openftp21
-Go To URL: gotourl
-Hide Taskbar: hidetask
-Hide Clock: hideclock
-Hide Desktop Icons: hidedeskicons
-Hide Start Button: hidestart
-Hide System Tray: hidesystray
-ICQ Information: getclienticqinfo
-ICQ Passwords: geticqpass
-ICQ Spy: icqspy
-Internet Explorer Spy: iespy
-General Information: general
-Lights On: lightson
-Lights Off: lightsoff
-Live Shot: cap
-Logged Passwords: getpasses
-Logoff: boot41
-Make File: makefile
-Matrix Chat: matrix
-Modify File (Read System File): readsysfiles
-Modify File (Write System File): writesysfiles
-Monitor Off: enablestandby
-Mouse Settings (Set Position): setpos
-Mouse Settings (Freeze Mouse Position): freezepos
-Mouse Settings (Speed Up Cursor): speedcursor
-MSN Spy: msnspy
-Napster Spy: napsterspy
-Net Get: netget
-NetStat (Read): netstatread
-NetStat (Kill): netstatkill
-CD-ROM open: cdopen
-CD-ROM close: 
cdclose
-Open File: getfiles
-Overclock: upmhz
-Play Sound: snd (*followed by the sound, for example, err for the error sound*)
-Power Off: boot31
-Print: print
-Ras Passwords: getras
-Remove Server: killserver
-Change Resolution: setdevmode
-Restart: boot21
-Safe Mode: safemode
-Screenshot: cap
-Send Keys: sendtextf
-Send Message: messText
-Show Windows With Text: showwin
-Shutdown: boot11
-Swap Mouse Buttons: swapbuttons
-Write System Error: writesystem
-Yahoo Spy: yahoospy
-
-
---
-Affected Systems:
- Windows 95, 98, ME, NT, 2000
-
---
-Attack Scenarios:
-The victim must first install the server. Be wary of suspicious files because they often can be backdoors in disguise.
-Once the victim mistakenly installs the server program, the attacker usually will employ an IP scanner program
-to find the IP addresses of victims that have installed the program. Then the attacker enters the IP address and
-presses the connect button and he has access to your computer.
-
---
-
-Ease of Attack:
-Simple
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Remove the Dcomcnofg key located at the following places in the registry:
-HKEY_LOCAL_MACHINES\Software\Microsoft\Windows\CurrentVersion\Run
-HKEY_LOCAL_MACHINES\Software\Microsoft\Windows\CurrentVersion\RunServices
-HKEY_USERS\Default\Software\Microsoft\Windows\CurrentVersion\Run
-
-Reboot the computer or close Dcomcnofg.exe.
-
-Delete Dcomcnofg.exe from the windows system directory.
-
-If found, delete server.exe and kill the process called server.exe.
-
---
-Contributors:
-Sourcefire Research Team
-Ricky Macatee
-
---
-Additional References:
-
-Dark-E:
-http://www.dark-e.com/archive/trojans/y3krat/15/index.shtml
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3084.txt snort-2.9.2/doc/signatures/3084.txt
--- snort-2.8.5.2/doc/signatures/3084.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3084.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-3084
-
---
-Summary:
-This event is generated when an attempt is made to exploit a vulnerability
-associated with the Veritas Back Exec Agent Browser.
-
---
-Impact:
-Serious. Execution of arbitrary commands may be possible.
-
---
-Detailed Information:
-
-The Veritas Backup Agent Browser is the server component of the Backup
-Exec software employed to provide a backup solution. Client agents
-communicate with the Backup Agent Browser. A registration request from
-a client that contains an overly long hostname value can cause a buffer
-overflow and the subsequent execution of arbitrary code on a vulnerable
-server.
-
---
-Affected Systems:
-Veritas Software Backup Exec 8.0, 8.5, 8.6, 9.0, 9.1
-
---
-Attack Scenarios:
-An attacker can craft a registration request that contains an overly
-long hostname, causing a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the most current nonaffected version of the software.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Judy Novak
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3085.txt snort-2.9.2/doc/signatures/3085.txt
--- snort-2.8.5.2/doc/signatures/3085.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3085.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rules:
-
---
-Sid:
-3085
-
---
-Summary:
-This event is generated when an attempt is made to exploit a vulnerability
-associated with AOL Instant Messenger (AIM) goaway message.
-
---
-Impact:
-Serious. Execution of arbitrary commands may be possible.
-
---
-Detailed Information:
-AIM is instant messaging software supplied by AOL Time Warner. A malicious
-URL offered in an AIM message or web page that sends an AIM client an overly
-long AIM "Away" message can cause a buffer overflow on a vulnerable client.
-This can permit the execution of arbitrary code on the client host.
-
---
-Affected Systems:
-AOL Instant Messenger 5.5, 5.5.3415 Beta, 5.5.3595
-
---
-Attack Scenarios:
-An attacker can send an overly long AIM "Away" message or a user could be
-enticed to view a site that embeds such a message.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-A Metasploit attack that exploits this vulnerability uses an HTTP port of
-8080. Other HTTP ports can be used for this attack as well.
-
---
-Corrective Action:
-Upgrade to the most current nonaffected version of the software.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Judy Novak
-
---
-Additional References:
-
-iDefense:
-http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities
---
diff -Nru snort-2.8.5.2/doc/signatures/3086.txt snort-2.9.2/doc/signatures/3086.txt
--- snort-2.8.5.2/doc/signatures/3086.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3086.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-3086
-
---
-Summary:
-This event is generated when an attempt is made to access the file
-spp_sta.stm on a 3com wireless router.
-
---
-
-Impact:
-Intelligence gathering activity.
-
---
-Detailed Information:
-The 3Com ADSL wireless router 3CRADSL72 is prone to an authentication
-bypass issue that may allow a malicious third party to gain information
-on the device and the networks it serves. It may also be possible for an
-attacker to gain administrative privileges on the device.
-
---
-Affected Systems:
- 3Com 3CRADSL72 ADSL wireless router
-
---
-
-Attack Scenarios:
-An attacker with access to the page can gain information on the networks
-being served by the router and use the knowledge gained in further
-attacks on the system. The attacker may also be able to gain
-administrative access to the router.
-
---
-Ease of Attack:
-Simple. No exploit software is required.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-The address of the router should be added to the $HTTP_SERVERS variable
-if the rule is used in the default form. Otherwise a $WIRELESS_ROUTERS
-variable could be used in both the snort.conf and the rule to eliminate
-any possible false positives.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3087.txt snort-2.9.2/doc/signatures/3087.txt
--- snort-2.8.5.2/doc/signatures/3087.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3087.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-3087
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow in Microsoft Browser Client Context Tool (W3Who.dll).
-
---
-Impact:
-Denial of service or remote access. If the exploit is successful,
-an attacker can gain remote access to the host with system privileges.
-
---
-Detailed Information:
-W3Who is an Internet Server Application Programming Interface (ISAPI)
-application dynamic-link library (DLL) that works within a Web page to
-display information about the calling context of the client browser and
-the configuration of the host server. W3Who is included in the Windows
-2000 Server Resource Kit.
-
-A boundary error within the processing of parameters can be exploited
-to cause a buffer overflow by passing an overly long parameter.
-
---
-Affected Systems:
-Microsoft IIS with W3Who.dll. (W3Who.dll is not automatically installed
-with IIS.)
-
---
-Attack Scenarios:
-An attacker can send a malformed HTTP request with an overly long
-parameter to W3Who DLL, subsequently causing a buffer overflow.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-Any overly large request URI with a reference to w3who.dll will be
-detected.
-
---
-False Negatives:
-This rule only detects the attack when the parameters are passed
-as part of the URI (GET method).
-
---
-Corrective Action:
-Disable the W3Who.dll ISAPI extension.
-
---
-Contributors:
-nnposter@users.sourceforge.net
-
---
-Additional References:
-
-Microsoft:
-http://support.microsoft.com/default.aspx?scid=kb;en-us;Q323640
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3088.txt snort-2.9.2/doc/signatures/3088.txt
--- snort-2.8.5.2/doc/signatures/3088.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3088.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-3088
-
---
-Summary:
-This event is generated when an attempt is made to exploit a client buffer
-overflow associated with Winamp's processing of a filename with an
-extension of .cda.
-
---
-Impact:
-A successful attack may permit a buffer overflow that allows the execution
-of arbitrary code at the privilege level of the user running Winamp.
-
---
-Detailed Information:
-Winamp is a media file player for Windows developed by Nullsoft. A buffer
-overflow exists because of insufficient bounds checking while handling the
-name of a CD audio format file (.cda extension) or a playlist that contains
-a filename with a .cda extension. An overly long name may cause the buffer
-overflow permitting the execution of arbitrary code at the privilege level
-of the user running Winamp.
-
---
-Affected Systems:
- Winamp 3.x, and 5.x
-
---
-Attack Scenarios:
-An attacker can create and send a malformed .cda filename that may cause
-a buffer overflow and the subsequent execution of arbitrary code on the
-vulnerable host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3089.txt snort-2.9.2/doc/signatures/3089.txt
--- snort-2.8.5.2/doc/signatures/3089.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3089.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-3089
-
---
-Summary:
-This event is generated when an attempt is made to exploit a denial of
-service associated with Squid Web Cache Communication Protocol (WCCP).
-
---
-Impact:
-A successful attack can cause the Squid web cache server process to
-terminate.
-
---
-Detailed Information:
-A vulnerability exists in the way that a Squid server handles a WCCP
-message. A WCCP I_SEE_YOU message that contains an invalid number of
-web cache entries can create an out-of-bounds array reference. This may
-result in a read access violation of memory, causing a denial of service.
-
---
-Affected Systems:
- Squid Web Proxy Cache 2.5 STABLE7 and prior versions
-
---
-Attack Scenarios:
-An attacker can craft a WCCP I_SEE_YOU message with an invalid number of
-web cache entries, causing the web cache server process to terminate.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the most current non-affected version of the product.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
---
diff -Nru snort-2.8.5.2/doc/signatures/308.txt snort-2.9.2/doc/signatures/308.txt
--- snort-2.8.5.2/doc/signatures/308.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/308.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-Rule:
-
---
-Sid: 308
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow condition in certain versions of NextFTP for Windows.
-
---
-Impact:
-Serious. System compromize presenting the attacker with the opportunity to execute arbitrary code.
-
---
-Detailed Information:
-Certain versions of the NextFTP client from ToxSoft contain a programming error that allows an FTP server to issue commands on the client via exploit code in the server reply.
-
---
-Attack Scenarios:
-Exploit scripts are available
-
---
-Ease of Attack:
-Simple. Exploits are available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Use Secure Shell (ssh) for file transfer as opposed to FTP.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0671
-
-Bugtraq:
-http://www.securityfocus.com/bid/572
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3090.txt snort-2.9.2/doc/signatures/3090.txt
--- snort-2.8.5.2/doc/signatures/3090.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3090.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3090
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3091.txt snort-2.9.2/doc/signatures/3091.txt
--- snort-2.8.5.2/doc/signatures/3091.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3091.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3091
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3092.txt snort-2.9.2/doc/signatures/3092.txt
--- snort-2.8.5.2/doc/signatures/3092.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3092.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3092
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3093.txt snort-2.9.2/doc/signatures/3093.txt
--- snort-2.8.5.2/doc/signatures/3093.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3093.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3093
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3094.txt snort-2.9.2/doc/signatures/3094.txt
--- snort-2.8.5.2/doc/signatures/3094.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3094.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3094
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3095.txt snort-2.9.2/doc/signatures/3095.txt
--- snort-2.8.5.2/doc/signatures/3095.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3095.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3095
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3096.txt snort-2.9.2/doc/signatures/3096.txt
--- snort-2.8.5.2/doc/signatures/3096.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3096.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3096
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3097.txt snort-2.9.2/doc/signatures/3097.txt
--- snort-2.8.5.2/doc/signatures/3097.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3097.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3097
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3098.txt snort-2.9.2/doc/signatures/3098.txt
--- snort-2.8.5.2/doc/signatures/3098.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3098.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3098
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3099.txt snort-2.9.2/doc/signatures/3099.txt
--- snort-2.8.5.2/doc/signatures/3099.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3099.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3099
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/309.txt snort-2.9.2/doc/signatures/309.txt
--- snort-2.8.5.2/doc/signatures/309.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/309.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid: 309
-
---
-Summary:
-This event is generated when an attempt to overflow the buffer of a UNIX or Linux system via Sniffit is made.
-
---
-Impact:
-Serious. System compromize presenting the attacker with the opportunity to gain remote access to the victim host or execute arbitrary code with the privileges of the superuser account.
-
---
-Detailed Information:
-Sniffit is a network monitoring tool that can also be configured to log emails. If this is the case, some versions of the tool contain a vulnerability such that a stack overflow via this logging mechanism is possible by a remote attacker.
-
---
-Attack Scenarios:
-Exploit scripts are available
-
---
-Ease of Attack:
-Simple. Exploits are available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply vendor supplied patches.
-
-Use alternate tools such as Snort.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0306
-
-Bugtraq:
-http://www.securityfocus.com/bid/2353
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3100.txt snort-2.9.2/doc/signatures/3100.txt
--- snort-2.8.5.2/doc/signatures/3100.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3100.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3100
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3101.txt snort-2.9.2/doc/signatures/3101.txt
--- snort-2.8.5.2/doc/signatures/3101.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3101.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3101
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3102.txt snort-2.9.2/doc/signatures/3102.txt
--- snort-2.8.5.2/doc/signatures/3102.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3102.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3102
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3103.txt snort-2.9.2/doc/signatures/3103.txt
--- snort-2.8.5.2/doc/signatures/3103.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3103.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3103
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3104.txt snort-2.9.2/doc/signatures/3104.txt
--- snort-2.8.5.2/doc/signatures/3104.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3104.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3104
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3105.txt snort-2.9.2/doc/signatures/3105.txt
--- snort-2.8.5.2/doc/signatures/3105.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3105.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3105
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3106.txt snort-2.9.2/doc/signatures/3106.txt
--- snort-2.8.5.2/doc/signatures/3106.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3106.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3106
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3107.txt snort-2.9.2/doc/signatures/3107.txt
--- snort-2.8.5.2/doc/signatures/3107.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3107.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3107
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3108.txt snort-2.9.2/doc/signatures/3108.txt
--- snort-2.8.5.2/doc/signatures/3108.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3108.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3108
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3109.txt snort-2.9.2/doc/signatures/3109.txt
--- snort-2.8.5.2/doc/signatures/3109.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3109.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3109
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/310.txt snort-2.9.2/doc/signatures/310.txt
--- snort-2.8.5.2/doc/signatures/310.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/310.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid: 310
-
---
-Summary:
-This event is generated when an attempt is made to exploit a vulnerability in SmartMax MailMax mailserver.
-
---
-Impact:
-Serious. Execution of arbitrary code on the target server is possible.
-
---
-Detailed Information:
-MailMax is an email server for Windows platforms. Certain versions of the software contain a vulnerability that can allow execution of arbitrary code on the server with the privileges of the user running MailMax.
-
-Affected Versions:
- MailMax 1.0
-
---
-Attack Scenarios:
-Exploit scripts are available
-
---
-Ease of Attack:
-Simple. Exploits are available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/2312
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0404
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3110.txt snort-2.9.2/doc/signatures/3110.txt
--- snort-2.8.5.2/doc/signatures/3110.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3110.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3110
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3111.txt snort-2.9.2/doc/signatures/3111.txt
--- snort-2.8.5.2/doc/signatures/3111.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3111.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3111
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3112.txt snort-2.9.2/doc/signatures/3112.txt
--- snort-2.8.5.2/doc/signatures/3112.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3112.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3112
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3113.txt snort-2.9.2/doc/signatures/3113.txt
--- snort-2.8.5.2/doc/signatures/3113.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3113.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3113
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3114.txt snort-2.9.2/doc/signatures/3114.txt
--- snort-2.8.5.2/doc/signatures/3114.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3114.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3114
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3115.txt snort-2.9.2/doc/signatures/3115.txt
--- snort-2.8.5.2/doc/signatures/3115.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3115.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3115
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3116.txt snort-2.9.2/doc/signatures/3116.txt
--- snort-2.8.5.2/doc/signatures/3116.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3116.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3116
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3117.txt snort-2.9.2/doc/signatures/3117.txt
--- snort-2.8.5.2/doc/signatures/3117.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3117.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3117
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3118.txt snort-2.9.2/doc/signatures/3118.txt
--- snort-2.8.5.2/doc/signatures/3118.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3118.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3118
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3119.txt snort-2.9.2/doc/signatures/3119.txt
--- snort-2.8.5.2/doc/signatures/3119.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3119.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3119
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/311.txt snort-2.9.2/doc/signatures/311.txt
--- snort-2.8.5.2/doc/signatures/311.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/311.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid: 311
-
---
-Summary:
-Versions of the Netscape browser including and prior to 4.75 are vulnerable to a buffer overflow that may lead to arbitrary code execution on the victim host. It is also possible to open a root shell listening on a high port on the victim host. This event is generated when a request is made to a web site exploiting this vulnerability.
-
---
-Impact:
-System compromize presenting the attacker with the opportunity to
-execute arbitrary code on the victim host.
-
---
-Detailed Information:
-A buffer overflow condition exists in the HTML parser on some versions of Netscape Navigator. It is possible for a remote attacker to execute arbitrary code on the victim host.
-
-It is possible to crash Netscape Communicator if a large number of characters is supplied in a command from an interactive web page.
-
-Affected Systems:
- Netscape Navigator 4.75 and prior
-
---
-Attack Scenarios:
-The attacker would need to supply a link on a web page or HTML email that triggers the overflow. It is also possible to cause the overflow via HTML email.
-
-Exploit scripts are available
-
---
-Ease of Attack:
-Simple. Exploits are available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Max Vision
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1187
-
-Bugtraq:
-http://www.securityfocus.com/bid/822
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3120.txt snort-2.9.2/doc/signatures/3120.txt
--- snort-2.8.5.2/doc/signatures/3120.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3120.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3120
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3121.txt snort-2.9.2/doc/signatures/3121.txt
--- snort-2.8.5.2/doc/signatures/3121.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3121.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3121
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3122.txt snort-2.9.2/doc/signatures/3122.txt
--- snort-2.8.5.2/doc/signatures/3122.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3122.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3122
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3123.txt snort-2.9.2/doc/signatures/3123.txt
--- snort-2.8.5.2/doc/signatures/3123.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3123.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3123
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3124.txt snort-2.9.2/doc/signatures/3124.txt
--- snort-2.8.5.2/doc/signatures/3124.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3124.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3124
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3125.txt snort-2.9.2/doc/signatures/3125.txt
--- snort-2.8.5.2/doc/signatures/3125.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3125.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3125
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3126.txt snort-2.9.2/doc/signatures/3126.txt
--- snort-2.8.5.2/doc/signatures/3126.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3126.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3126
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3127.txt snort-2.9.2/doc/signatures/3127.txt
--- snort-2.8.5.2/doc/signatures/3127.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3127.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3127
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3128.txt snort-2.9.2/doc/signatures/3128.txt
--- snort-2.8.5.2/doc/signatures/3128.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3128.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3128
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3129.txt snort-2.9.2/doc/signatures/3129.txt
--- snort-2.8.5.2/doc/signatures/3129.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3129.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -3129 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft License Logging Service. - --- -Impact: -Serious. Execution of arbitrary code leading to unauthorized -administrative access to the target host. Denial of Service (DoS) is -also possible. - --- -Detailed Information: -Microsoft License Logging Service is used to manage licenses for -Microsoft server products. - -A vulnerability in the service exists due to a programming error such -that an unchecked buffer may present an attacker with the opportunity to -exploit the service and run code of their choosing on an affected -system. The attacker may then cause a DoS condition in the service or -possibly gain administrative access to the target host. - -The unchecked buffer exists when processing the length of messages sent -to the logging service. - --- -Affected Systems: - Microsoft Windows Server 2003 - Microsoft Windows Server 2000 - Microsoft Windows NT Server - --- -Attack Scenarios: -An attacker can supply extra data in the message to the service -containing code of their choosing to be run on the server. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- - -Corrective Action: -Apply the appropriate vendor supplied patches. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/312.txt snort-2.9.2/doc/signatures/312.txt --- snort-2.8.5.2/doc/signatures/312.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/312.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: 312 - --- -Summary: -This event is generated when an attempt to exploit a buffer overflow condition in ntpd is made. - --- -Impact: -Serious. System compromize presenting the attacker with the opportunity to gain remote access to the victim host or execute arbitrary code with the privileges of the superuser account. - --- -Detailed Information: -Some versions of the Network Time Protocol Daemon (ntpd) are vulnerable to a buffer overflow condition which can present the attacker with a root shell. - -Ntp is used to synchronize system time with a time server. This may also be used on various network devices. - -Affected Versions: - ntpd versions prior to an including 4.0.99k - xntpd and xntp3 - --- -Attack Scenarios: -Exploit scripts are available - --- -Ease of Attack: -Simple. Exploits are available. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - -Apply vendor supplied patches. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0414 - -Bugtraq: -http://www.securityfocus.com/bid/2540 - --- diff -Nru snort-2.8.5.2/doc/signatures/3130.txt snort-2.9.2/doc/signatures/3130.txt --- snort-2.8.5.2/doc/signatures/3130.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3130.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3130 - --- -Summary: -This alert is generated when a malicious PNG file is sent to an MSN Messenger -client. Vulnerable clients which receive such a file are vulnerable to remote -code execution attacks. - --- -Impact: -Arbitrary code may be executed in the context of the user running MSN Messenger. -Their messenger client may or may not crash, depending upon the way the PNG file -is written. - --- -Detailed Information: -This vulnerability is due to a buffer overflow in the processing of tRNS chunks -of PNG files. In order to trigger the overflow, the color type field of the IHDR -chunk must be set to 0x03, and the length of the tRNS chunk must be greater than -256. - --- -Affected Systems: - MSN Messenger 6.1 - MSN Messenger 6.2 - --- -Attack Scenarios: -An attacker may send a malicious PNG through a direct file transfer, as a -thumbnail for a file transfer, as a custom emoticon, or by setting their buddy -icon to be the malicious PNG. In all cases, the PNG is sent via an MSN file -transfer. - --- -Ease of Attack: -Very simple. Example PNGs with shellcode are available on the web, and attacking -via all but the file transfer thumbnail vector is accomplished with simple, -everyday MSN Messenger tasks. - --- -False Positives: -None Known. - --- -False Negatives: -Thumbnails of image transfers are sent in an encoded format. As a result, they -cannot be detected. However, making the thumbnail contain malicious data is -exponentially more difficult than any of the other attack vectors, as an -attacker cannot manually specify the thumbnail to be sent. - --- -Corrective Action: -Apply the appropriate vendor supplied patch. 
- --- -Contributors: -Sourcefire Research Team -Alex Kirk - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3131.txt snort-2.9.2/doc/signatures/3131.txt --- snort-2.8.5.2/doc/signatures/3131.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3131.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,60 +0,0 @@ -Rule: - --- -Sid: -3131 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in GNU Mailman. - --- -Impact: -Information disclosure. - --- -Detailed Information: -GNU Mailman is used to manage mailing lists. It is written in Python and -is available on a variety of platforms. - -GNU Mailman when used with webservers that do not remove extra slashes -from URLs, is prone to a directory traversal attack that may allow an -attacker access to sensitive files on an affected system. - --- -Affected Systems: - GNU Mailman in conjunction with Apache 1.3.x - --- -Attack Scenarios: -An attacker can supply extra slashes and dots (....///) to a URL to -escape the web root and access other parts of the host filesystem. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- - -Corrective Action: -Apply the appropriate vendor supplied patches. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3132.txt snort-2.9.2/doc/signatures/3132.txt --- snort-2.8.5.2/doc/signatures/3132.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3132.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -3132 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with the processing of a Portable Network Graphics (PNG) file by -the GD Graphics Library. - --- -Impact: -A successful attack may cause a denial of service or a buffer overflow and the -subsequent execution of arbitrary code on a vulnerable server. - --- -Detailed Information: -A vulnerability exists in the way that software that handles PNG files, -libpng, allocates memory for PNG images. A maliciously formatted PNG -image sent to a vulnerable server may cause a buffer overflow and the -subsequent execution of arbitrary code on a vulnerable server. A -PNG file with an excessively large image height, width, or depth, or -combination of these can cause a buffer overflow. - --- -Affected Systems: - GD Graphics Library 2.0.28 and earlier - --- -Attack Scenarios: -An attacker can create a malformed PNG file and upload it to a web server, -possibly causing a buffer overflow. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - -Apply the appropriate vendor supplied patches. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3133.txt snort-2.9.2/doc/signatures/3133.txt --- snort-2.8.5.2/doc/signatures/3133.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3133.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -3133 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with the processing of a Portable Network Graphics (PNG) file by -the GD Graphics Library. - --- -Impact: -A successful attack may cause a denial of service or a buffer overflow and the -subsequent execution of arbitrary code on a vulnerable server. - --- -Detailed Information: -A vulnerability exists in the way that software that handles PNG files, -libpng, allocates memory for PNG images. A maliciously formatted PNG -image sent to a vulnerable server may cause a buffer overflow and the -subsequent execution of arbitrary code on a vulnerable server. A -PNG file with an excessively large image height, width, or depth, or -combination of these can cause a buffer overflow. - --- -Affected Systems: - GD Graphics Library 2.0.28 and earlier - --- -Attack Scenarios: -An attacker can create a malformed PNG file and upload it to a web server, -possibly causing a buffer overflow. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - -Apply the appropriate vendor supplied patches. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3134.txt snort-2.9.2/doc/signatures/3134.txt --- snort-2.8.5.2/doc/signatures/3134.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3134.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -3134 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with the processing of a Portable Network Graphics (PNG) file by -the GD Graphics Library. - --- -Impact: -A successful attack may cause a denial of service or a buffer overflow and the -subsequent execution of arbitrary code on a vulnerable server. - --- -Detailed Information: -A vulnerability exists in the way that software that handles PNG files, -libpng, allocates memory for PNG images. A maliciously formatted PNG -image sent to a vulnerable server may cause a buffer overflow and the -subsequent execution of arbitrary code on a vulnerable server. A -PNG file with an excessively large image height, width, or depth, or -combination of these can cause a buffer overflow. - --- -Affected Systems: - GD Graphics Library 2.0.28 and earlier - --- -Attack Scenarios: -An attacker can create a malformed PNG file and upload it to a web server, -possibly causing a buffer overflow. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - -Apply the appropriate vendor supplied patches. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3135.txt snort-2.9.2/doc/signatures/3135.txt --- snort-2.8.5.2/doc/signatures/3135.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3135.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,77 +0,0 @@ -Rule: - --- -Sid: -3135 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft systems using Server Message Block (SMB). - --- -Impact: -Serious. Execution of arbitrary code leading to unauthorized -administrative access to the target host. Denial of Service (DoS) is -also possible. - --- -Detailed Information: -SMB is a client - server protocol used in sharing resources such as -files, printers, ports, named pipes and other things, between machines -on a network. - -A vulnerability in the Microsoft implementation of SMB exists due to a -programming error which may present an attacker with the opportunity to -exploit the service and run code of their choosing on an affected -system. The attacker may then cause a DoS condition in the service or -possibly gain unauthorized access to the target host. - -A malicious attacker can exploit the vulnerability by sending a -malicious response from a server in response to a client request using -SMB. - --- -Affected Systems: - Microsoft Windows 2003 - Microsoft Windows 2000 - Microsoft Windows XP - --- -Attack Scenarios: -An attacker can supply extra data in the message from the server -containing code of their choosing to be run on the client. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Turn off windows file and print services. - -Use Samba as an alternative. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -eEye: -http://www.eeye.com/html/research/advisories/AD20050208.html - --- diff -Nru snort-2.8.5.2/doc/signatures/3136.txt snort-2.9.2/doc/signatures/3136.txt --- snort-2.8.5.2/doc/signatures/3136.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3136.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,77 +0,0 @@ -Rule: - --- -Sid: -3136 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft systems using Server Message Block (SMB). - --- -Impact: -Serious. Execution of arbitrary code leading to unauthorized -administrative access to the target host. Denial of Service (DoS) is -also possible. - --- -Detailed Information: -SMB is a client - server protocol used in sharing resources such as -files, printers, ports, named pipes and other things, between machines -on a network. - -A vulnerability in the Microsoft implementation of SMB exists due to a -programming error which may present an attacker with the opportunity to -exploit the service and run code of their choosing on an affected -system. The attacker may then cause a DoS condition in the service or -possibly gain unauthorized access to the target host. - -A malicious attacker can exploit the vulnerability by sending a -malicious response from a server in response to a client request using -SMB. - --- -Affected Systems: - Microsoft Windows 2003 - Microsoft Windows 2000 - Microsoft Windows XP - --- -Attack Scenarios: -An attacker can supply extra data in the message from the server -containing code of their choosing to be run on the client. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Turn off windows file and print services. - -Use Samba as an alternative. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -eEye: -http://www.eeye.com/html/research/advisories/AD20050208.html - --- diff -Nru snort-2.8.5.2/doc/signatures/3137.txt snort-2.9.2/doc/signatures/3137.txt --- snort-2.8.5.2/doc/signatures/3137.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3137.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,77 +0,0 @@ -Rule: - --- -Sid: -3137 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft systems using Server Message Block (SMB). - --- -Impact: -Serious. Execution of arbitrary code leading to unauthorized -administrative access to the target host. Denial of Service (DoS) is -also possible. - --- -Detailed Information: -SMB is a client - server protocol used in sharing resources such as -files, printers, ports, named pipes and other things, between machines -on a network. - -A vulnerability in the Microsoft implementation of SMB exists due to a -programming error which may present an attacker with the opportunity to -exploit the service and run code of their choosing on an affected -system. The attacker may then cause a DoS condition in the service or -possibly gain unauthorized access to the target host. - -A malicious attacker can exploit the vulnerability by sending a -malicious response from a server in response to a client request using -SMB. - --- -Affected Systems: - Microsoft Windows 2003 - Microsoft Windows 2000 - Microsoft Windows XP - --- -Attack Scenarios: -An attacker can supply extra data in the message from the server -containing code of their choosing to be run on the client. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Turn off windows file and print services. - -Use Samba as an alternative. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -eEye: -http://www.eeye.com/html/research/advisories/AD20050208.html - --- diff -Nru snort-2.8.5.2/doc/signatures/3138.txt snort-2.9.2/doc/signatures/3138.txt --- snort-2.8.5.2/doc/signatures/3138.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3138.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,77 +0,0 @@ -Rule: - --- -Sid: -3138 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft systems using Server Message Block (SMB). - --- -Impact: -Serious. Execution of arbitrary code leading to unauthorized -administrative access to the target host. Denial of Service (DoS) is -also possible. - --- -Detailed Information: -SMB is a client - server protocol used in sharing resources such as -files, printers, ports, named pipes and other things, between machines -on a network. - -A vulnerability in the Microsoft implementation of SMB exists due to a -programming error which may present an attacker with the opportunity to -exploit the service and run code of their choosing on an affected -system. The attacker may then cause a DoS condition in the service or -possibly gain unauthorized access to the target host. - -A malicious attacker can exploit the vulnerability by sending a -malicious response from a server in response to a client request using -SMB. - --- -Affected Systems: - Microsoft Windows 2003 - Microsoft Windows 2000 - Microsoft Windows XP - --- -Attack Scenarios: -An attacker can supply extra data in the message from the server -containing code of their choosing to be run on the client. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Turn off windows file and print services. - -Use Samba as an alternative. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -eEye: -http://www.eeye.com/html/research/advisories/AD20050208.html - --- diff -Nru snort-2.8.5.2/doc/signatures/3139.txt snort-2.9.2/doc/signatures/3139.txt --- snort-2.8.5.2/doc/signatures/3139.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3139.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,77 +0,0 @@ -Rule: - --- -Sid: -3139 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft systems using Server Message Block (SMB). - --- -Impact: -Serious. Execution of arbitrary code leading to unauthorized -administrative access to the target host. Denial of Service (DoS) is -also possible. - --- -Detailed Information: -SMB is a client - server protocol used in sharing resources such as -files, printers, ports, named pipes and other things, between machines -on a network. - -A vulnerability in the Microsoft implementation of SMB exists due to a -programming error which may present an attacker with the opportunity to -exploit the service and run code of their choosing on an affected -system. The attacker may then cause a DoS condition in the service or -possibly gain unauthorized access to the target host. - -A malicious attacker can exploit the vulnerability by sending a -malicious response from a server in response to a client request using -SMB. - --- -Affected Systems: - Microsoft Windows 2003 - Microsoft Windows 2000 - Microsoft Windows XP - --- -Attack Scenarios: -An attacker can supply extra data in the message from the server -containing code of their choosing to be run on the client. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Turn off windows file and print services. - -Use Samba as an alternative. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -eEye: -http://www.eeye.com/html/research/advisories/AD20050208.html - --- diff -Nru snort-2.8.5.2/doc/signatures/313.txt snort-2.9.2/doc/signatures/313.txt --- snort-2.8.5.2/doc/signatures/313.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/313.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,57 +0,0 @@ -Rule: - --- -Sid: 313 - --- -Summary: -This event is generated when an attempt to exploit a buffer overflow condition in ntalkd is made. - --- -Impact: -Serious. System compromize presenting the attacker with the opportunity to gain remote access to the victim host or execute arbitrary code with the privileges of the superuser account. - --- -Detailed Information: -Some versions of the Network Talk Daemon (ntalkd) are vulnerable to a buffer overflow condition which can present the attacker with a root shell. - -Talk is used to communicate between users of UNIX based operating systems. A vulnerability exists such that a buffer overflow condition in talk can be exploited by a malicious user. This may then present the attacker with the opportunity to gain root access to the target system. - -Affected Versions: - Multiple vendors - --- -Attack Scenarios: -Once the overflow has been created, the attacker is able to supply incorrect hostname information to the target system and gain root access. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - -Apply vendor supplied patches. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -Bugtraq: -http://www.securityfocus.com/bid/210 - --- diff -Nru snort-2.8.5.2/doc/signatures/3140.txt snort-2.9.2/doc/signatures/3140.txt --- snort-2.8.5.2/doc/signatures/3140.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3140.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,77 +0,0 @@ -Rule: - --- -Sid: -3140 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft systems using Server Message Block (SMB). - --- -Impact: -Serious. Execution of arbitrary code leading to unauthorized -administrative access to the target host. Denial of Service (DoS) is -also possible. - --- -Detailed Information: -SMB is a client - server protocol used in sharing resources such as -files, printers, ports, named pipes and other things, between machines -on a network. - -A vulnerability in the Microsoft implementation of SMB exists due to a -programming error which may present an attacker with the opportunity to -exploit the service and run code of their choosing on an affected -system. The attacker may then cause a DoS condition in the service or -possibly gain unauthorized access to the target host. - -A malicious attacker can exploit the vulnerability by sending a -malicious response from a server in response to a client request using -SMB. - --- -Affected Systems: - Microsoft Windows 2003 - Microsoft Windows 2000 - Microsoft Windows XP - --- -Attack Scenarios: -An attacker can supply extra data in the message from the server -containing code of their choosing to be run on the client. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Turn off windows file and print services. - -Use Samba as an alternative. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -eEye: -http://www.eeye.com/html/research/advisories/AD20050208.html - --- diff -Nru snort-2.8.5.2/doc/signatures/3141.txt snort-2.9.2/doc/signatures/3141.txt --- snort-2.8.5.2/doc/signatures/3141.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3141.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,77 +0,0 @@ -Rule: - --- -Sid: -3141 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft systems using Server Message Block (SMB). - --- -Impact: -Serious. Execution of arbitrary code leading to unauthorized -administrative access to the target host. Denial of Service (DoS) is -also possible. - --- -Detailed Information: -SMB is a client - server protocol used in sharing resources such as -files, printers, ports, named pipes and other things, between machines -on a network. - -A vulnerability in the Microsoft implementation of SMB exists due to a -programming error which may present an attacker with the opportunity to -exploit the service and run code of their choosing on an affected -system. The attacker may then cause a DoS condition in the service or -possibly gain unauthorized access to the target host. - -A malicious attacker can exploit the vulnerability by sending a -malicious response from a server in response to a client request using -SMB. - --- -Affected Systems: - Microsoft Windows 2003 - Microsoft Windows 2000 - Microsoft Windows XP - --- -Attack Scenarios: -An attacker can supply extra data in the message from the server -containing code of their choosing to be run on the client. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Turn off windows file and print services. - -Use Samba as an alternative. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -eEye: -http://www.eeye.com/html/research/advisories/AD20050208.html - --- diff -Nru snort-2.8.5.2/doc/signatures/3142.txt snort-2.9.2/doc/signatures/3142.txt --- snort-2.8.5.2/doc/signatures/3142.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3142.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,77 +0,0 @@ -Rule: - --- -Sid: -3142 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft systems using Server Message Block (SMB). - --- -Impact: -Serious. Execution of arbitrary code leading to unauthorized -administrative access to the target host. Denial of Service (DoS) is -also possible. - --- -Detailed Information: -SMB is a client - server protocol used in sharing resources such as -files, printers, ports, named pipes and other things, between machines -on a network. - -A vulnerability in the Microsoft implementation of SMB exists due to a -programming error which may present an attacker with the opportunity to -exploit the service and run code of their choosing on an affected -system. The attacker may then cause a DoS condition in the service or -possibly gain unauthorized access to the target host. - -A malicious attacker can exploit the vulnerability by sending a -malicious response from a server in response to a client request using -SMB. - --- -Affected Systems: - Microsoft Windows 2003 - Microsoft Windows 2000 - Microsoft Windows XP - --- -Attack Scenarios: -An attacker can supply extra data in the message from the server -containing code of their choosing to be run on the client. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Turn off windows file and print services. - -Use Samba as an alternative. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -eEye: -http://www.eeye.com/html/research/advisories/AD20050208.html - --- diff -Nru snort-2.8.5.2/doc/signatures/3143.txt snort-2.9.2/doc/signatures/3143.txt --- snort-2.8.5.2/doc/signatures/3143.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3143.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,77 +0,0 @@ -Rule: - --- -Sid: -3143 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft systems using Server Message Block (SMB). - --- -Impact: -Serious. Execution of arbitrary code leading to unauthorized -administrative access to the target host. Denial of Service (DoS) is -also possible. - --- -Detailed Information: -SMB is a client - server protocol used in sharing resources such as -files, printers, ports, named pipes and other things, between machines -on a network. - -A vulnerability in the Microsoft implementation of SMB exists due to a -programming error which may present an attacker with the opportunity to -exploit the service and run code of their choosing on an affected -system. The attacker may then cause a DoS condition in the service or -possibly gain unauthorized access to the target host. - -A malicious attacker can exploit the vulnerability by sending a -malicious response from a server in response to a client request using -SMB. - --- -Affected Systems: - Microsoft Windows 2003 - Microsoft Windows 2000 - Microsoft Windows XP - --- -Attack Scenarios: -An attacker can supply extra data in the message from the server -containing code of their choosing to be run on the client. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Turn off windows file and print services. - -Use Samba as an alternative. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -eEye: -http://www.eeye.com/html/research/advisories/AD20050208.html - --- diff -Nru snort-2.8.5.2/doc/signatures/3144.txt snort-2.9.2/doc/signatures/3144.txt --- snort-2.8.5.2/doc/signatures/3144.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3144.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,77 +0,0 @@ -Rule: - --- -Sid: -3144 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft systems using Server Message Block (SMB). - --- -Impact: -Serious. Execution of arbitrary code leading to unauthorized -administrative access to the target host. Denial of Service (DoS) is -also possible. - --- -Detailed Information: -SMB is a client - server protocol used in sharing resources such as -files, printers, ports, named pipes and other things, between machines -on a network. - -A vulnerability in the Microsoft implementation of SMB exists due to a -programming error which may present an attacker with the opportunity to -exploit the service and run code of their choosing on an affected -system. The attacker may then cause a DoS condition in the service or -possibly gain unauthorized access to the target host. - -A malicious attacker can exploit the vulnerability by sending a -malicious response from a server in response to a client request using -SMB. - --- -Affected Systems: - Microsoft Windows 2003 - Microsoft Windows 2000 - Microsoft Windows XP - --- -Attack Scenarios: -An attacker can supply extra data in the message from the server -containing code of their choosing to be run on the client. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Turn off windows file and print services. - -Use Samba as an alternative. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -eEye: -http://www.eeye.com/html/research/advisories/AD20050208.html - --- diff -Nru snort-2.8.5.2/doc/signatures/3145.txt snort-2.9.2/doc/signatures/3145.txt --- snort-2.8.5.2/doc/signatures/3145.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3145.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,77 +0,0 @@
-Rule:
-
---
-Sid:
-3145
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft systems using Server Message Block (SMB).
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-SMB is a client - server protocol used in sharing resources such as
-files, printers, ports, named pipes and other things, between machines
-on a network.
-
-A vulnerability in the Microsoft implementation of SMB exists due to a
-programming error which may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain unauthorized access to the target host.
-
-A malicious attacker can exploit the vulnerability by sending a
-malicious response from a server in response to a client request using
-SMB.
-
---
-Affected Systems:
- Microsoft Windows 2003
- Microsoft Windows 2000
- Microsoft Windows XP
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message from the server
-containing code of their choosing to be run on the client.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Turn off windows file and print services.
-
-Use Samba as an alternative.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-eEye:
-http://www.eeye.com/html/research/advisories/AD20050208.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3146.txt snort-2.9.2/doc/signatures/3146.txt
--- snort-2.8.5.2/doc/signatures/3146.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3146.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,77 +0,0 @@
-Rule:
-
---
-Sid:
-3146
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft systems using Server Message Block (SMB).
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-SMB is a client - server protocol used in sharing resources such as
-files, printers, ports, named pipes and other things, between machines
-on a network.
-
-A vulnerability in the Microsoft implementation of SMB exists due to a
-programming error which may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain unauthorized access to the target host.
-
-A malicious attacker can exploit the vulnerability by sending a
-malicious response from a server in response to a client request using
-SMB.
-
---
-Affected Systems:
- Microsoft Windows 2003
- Microsoft Windows 2000
- Microsoft Windows XP
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message from the server
-containing code of their choosing to be run on the client.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Turn off windows file and print services.
-
-Use Samba as an alternative.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-eEye:
-http://www.eeye.com/html/research/advisories/AD20050208.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3147.txt snort-2.9.2/doc/signatures/3147.txt
--- snort-2.8.5.2/doc/signatures/3147.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3147.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-3147
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-buffer overflow vulnerability affecting "login" via Telnet.
-
---
-Impact:
-Serious. Unauthorized administrative access to the target host.
-
---
-Detailed Information:
-The login binary is used when establishing an interactive session on a
-system. It is used locally and by protocols that allow remote access. A
-buffer overflow condition exists in some versions of login that can be
-triggered by the manipulation of environment variables.
-
-This event is generated when an attempt is made to overflow login via
-telnet by manipulating the TTYPROMPT environment variable.
-
---
-Affected Systems:
- Systems using Sys V derived login
-
---
-Attack Scenarios:
-An attacker can overflow a buffer by inserting 6 bytes of data followed
-by 65 characters and a newline into the TTYPROMPT variable.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3148.txt snort-2.9.2/doc/signatures/3148.txt
--- snort-2.8.5.2/doc/signatures/3148.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3148.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-3148
-
---
-Summary:
-This event is generated when an attempt is made to exploit a
-vulnerability in Microsoft Windows Help.
-
---
-Impact:
-Serious. Code execution is possible leading to unauthorized
-administrative access to the target host.
-
---
-Detailed Information:
-Microsoft Windows Help can use ActiveX controls when dealing with
-Windows Help files.
-
-A programming error in the processing of a buffer that handles the
-"item" parameter of a help file can lead to the exposure of a buffer
-overflow condition. An attacker may be able to overflow this buffer and
-supply code of their choosing to be executed on the system with the
-privileges of the administrative account.
-
-In addition, applications may treat Windows Help as a trusted program
-and further exploitation and host firewall bypass may be possible.
-
---
-Affected Systems:
- Systems using Microsoft Windows
-
---
-Attack Scenarios:
-An attacker can overflow a buffer by inserting extra data into the input
-parameter of a malicious help file. The attacker may then insert code of
-their choosing to either run commands on the system or execute the code
-with the privileges of the administrative account.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3149.txt snort-2.9.2/doc/signatures/3149.txt
--- snort-2.8.5.2/doc/signatures/3149.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3149.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3149
-
---
-Summary:
-This event is generated when an attempt is made to exploit a
-vulnerability in Microsoft Internet Explorer.
-
---
-Impact:
-Serious. Code execution is possible leading to unauthorized
-administrative access to the target host.
-
---
-Detailed Information:
-Microsoft Internet Explorer uses the Object tag to identify ActiveX
-controls sometimes used in web content.
-
-A programming error in the processing of a buffer that handles the
-"item" parameter of an object tag can lead to the exposure of a buffer
-overflow condition. An attacker may be able to overflow this buffer and
-supply code of their choosing to be executed on the system with the
-privileges of the administrative account.
-
-The procedure that checks the length of a buffer that handles the item
-parameter may be bypassed by using the slash character either directly
-or via encoding methods. This vulnerability may be exploited whenever
-Internet Explorer is used to read HTML files.
-
---
-Affected Systems:
- Systems using Microsoft Windows
-
---
-Attack Scenarios:
-An attacker can overflow a buffer by inserting extra data into the input
-parameter of a malicious html file. The attacker may then insert code of
-their choosing to either run commands on the system or execute the code
-with the privileges of the administrative account.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/314.txt snort-2.9.2/doc/signatures/314.txt
--- snort-2.8.5.2/doc/signatures/314.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/314.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
---
-Sid:
-303
-
---
-Summary:
-This event is generated when a specific inverse query is performed against your DNS server as a precursor to a possible TSIG (transaction signature) buffer overflow attack.
-
---
-Impact:
-Intelligence gathering. This event generates as a result of an inverse query of the DNS server in an attempt to gain access to information required for the TSIG exploit. An attacker will usually attempt a buffer overflow exploit if there is a response to the inverse query.
-
---
-Detailed Information:
-This is an attempt to perform a specific DNS inverse query against your DNS server. While this specific action is not harmful itself, it signals a precusor to a possible buffer overflow attack for a TSIG vulernability. The inverse query is performed as a reconnaissance for the TSIG attack.
-
---
-Affected Systems:
-BIND Versions 4 and Versions 8 through 8.2 are susceptible to the inverse query information leak.
-
---
-Attack Scenarios:
-If a DNS server responds to the inverse query and leaks information required for the actual attack, the attacker exploitsthe TSIG buffer overflow vulnerability. If this is successful, the attacker gains access to the DNS server at the privilege of the "named" daemon.
-
---
-Ease of Attack:
-Easy. Code is available to exploit the vulnerability.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-An attacker could change the exploit code. For instance, an attacker could change the DNS identification number in the code to be something other than 0xABCD and the rule would not fire.
-
---
-Corrective Action:
-Update to BIND versions greater than 8.2 to prevent the information leak.
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/2302
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0010
-
-Arachnids:
-http://www.whitehats.com/info/IDS482
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3150.txt snort-2.9.2/doc/signatures/3150.txt
--- snort-2.8.5.2/doc/signatures/3150.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3150.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-3150
-
---
-Summary:
-This event is generated when an attempt is made to exploit a
-vulnerability in Microsoft Windows SQL Server.
-
---
-Impact:
-Serious. Code execution is possible leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft Windows SQL Server 2000 uses the SQLXML component to process
-database queries via XML.
-
-Due to a programming error a buffer overrun condition is present in the
-SQLXML ISAPI component that processes the XML queries via HTTP. The
-overrun condition can be exploited by manipulating the contenttype
-variable used to control the Content-Type header. The ISAPI extension
-does not correctly check the length of the contenttype parameter. It may
-be possible for an attacker with user privileges on the target host to
-exploit the condition by supplying extra data in the affected parameter.
-
---
-Affected Systems:
- Microsoft SQL Server 2000
-
---
-Attack Scenarios:
-An attacker can overflow a buffer by inserting extra data into the
-contenttype parameter of a malicious XML query. The attacker may then
-insert code of their choosing to either run commands on the system or
-execute the code with the privileges of the administrative account.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3151.txt snort-2.9.2/doc/signatures/3151.txt
--- snort-2.8.5.2/doc/signatures/3151.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3151.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3151
-
---
-Summary:
-This event is generated when an attempt is made to access the host
-filestem via fingerd.
-
---
-Impact:
-Information gathering.
-
---
-Detailed Information:
-This event is generated when a specific attack against a vulnerable
-version of the finger daemon is detected.
-
-The Finger daemon is used to provide information about users on a UNIX
-system. A certain version of fingerd shipped with one release of FreeBSD
-4.1.1 contained an added feature that allows a remote user to request
-some files via the use of finger. This event indicates that such a
-request has been made.
-
-The feature also allowed any file or directory structure on the host
-readable by the "nobody" user to also be accessed, leading to
-unauthorized information disclosure.
-
---
-Affected Systems:
- FreeBSD 4.1.1 Release
-
---
-Attack Scenarios:
-An attacker can use finger to read a directory structure or file by
-making a request via finger.
-
---
-Ease of Attack:
-Simple, no exploit software is required, just a specially formatted
-finger query.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disable the finger daemon or limit the addresses that can access the
-service via a firewall or TCP wrappers.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3152.txt snort-2.9.2/doc/signatures/3152.txt
--- snort-2.8.5.2/doc/signatures/3152.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3152.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3152
-
---
-Summary:
-This event is generated when an attempt is made to access a host running
-Microsoft SQL Server or utilizing MSDE via the default "sa" account.
-
---
-Impact:
-Information disclosure. Unauthorized access to the host.
-
---
-Detailed Information:
-This event is generated when an attempt is made to access a host via the
-"sa" account using brute force techniques to guess a password.
-
-Microsoft SQL server and MSDE components use a default "sa" account with
-a default password as the administrative user for the database
-installation. This event indicates that numerous failed attempts have
-been made to access the target host using this account.
-
---
-Affected Systems:
- Microsoft SQL Server 2000
- Microsoft SQL Server 7.0
- Systems using Microsoft MSDE components
-
---
-Attack Scenarios:
-An attacker can use an automated script to gain access to a host and the
-database contents as an administrator by repeatly attempting to login
-using the "sa" account and different passwords.
-
-Some worms also try to brute force entry using this methodology.
-
---
-Ease of Attack:
-Simple,
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Change the default "sa" password
-
-Disable the "sa" account.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3153.txt snort-2.9.2/doc/signatures/3153.txt
--- snort-2.8.5.2/doc/signatures/3153.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3153.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-3153
-
---
-Summary:
-This event is generated when an inverse query attempt is made using TCP.
-
---
-
-Impact:
-Possible execution of arbitrary code.
-
---
-Detailed Information:
-Bind 8 contains a programming error that may present an attacker with
-the opportunity to execute code of their choosing on an affected server.
-
-The error occurs in the handling of malformed transactions. When using
-TCP this can result in the attacker causing a heap overflow.
-
---
-Affected Systems:
- Bind 8.
-
---
-Attack Scenarios:
-An attacker needs to send a specially crafted and malformed query to an
-affected server.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3154.txt snort-2.9.2/doc/signatures/3154.txt
--- snort-2.8.5.2/doc/signatures/3154.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3154.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-2922
-
---
-Summary:
-This event is generated when an inverse query attempt is made using UDP.
-
---
-
-Impact:
-Possible execution of arbitrary code.
-
---
-Detailed Information:
-Bind 8 contains a programming error that may present an attacker with
-the opportunity to execute code of their choosing on an affected server.
-
-The error occurs in the handling of malformed transactions. When using
-UDP this can result in the attacker causing a heap overflow.
-
---
-Affected Systems:
- Bind 8.
-
---
-Attack Scenarios:
-An attacker needs to send a specially crafted and malformed query to an
-affected server.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3155.txt snort-2.9.2/doc/signatures/3155.txt
--- snort-2.8.5.2/doc/signatures/3155.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3155.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,92 +0,0 @@
-Rule:
-
---
-Sid:
-3155
-
---
-Summary:
-BackOrifice is a Trojan Horse.
-
-Server Port: 31337 although in later versions this port can be changed
-to a value between 1 and 65535 Protocol: UDP although in later versions
-TCP can also be used
-
---
-Impact:
-Possible theft of data and control of the targeted machine leading to a
-compromise of all resources the machine is connected to. This Trojan
-also has the ability to delete data, steal passwords and disable the
-machine.
-
---
-Detailed Information:
-The Trojan changes system registry settings to add the BackOrifice sever
-to programs normally started on boot. Due to the nature of this Trojan
-it is unlikely that the attacker's client IP address has been spoofed.
-
-The default name of the server application is UMGR32, which can be
-changed on first use. The new application may be installed in the system
-or system32 direcory and the original may also be deleted.
-
---
-Affected Systems:
- Windows 95
- Windows 98
- Windows ME
- Windows NT
-
---
-Attack Scenarios:
-This Trojan may be delivered to the target in a number of ways. This
-event is indicative of an existing infection being activated. Initial
-compromise can be in the form of a Win32 installation program that may
-use the extension ".jpg" or ".bmp" when delivered via e-mail for
-example.
-
---
-Ease of Attack:
-This is Trojan activity, the target machine may already be compromised.
-Updated virus definition files are essential in detecting this Trojan.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-
-Edit the system registry to remove the extra keys or restore a
-previously known good copy of the registry.
-
-Affected registry keys are:
-
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
-
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
-
-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
-
-Registry keys added may vary, look for spurious entries in the above
-locations.
-
-BackOrifice may hide the process from viewing inthe Windows task
-manager. A reboot of the infected machine is recommended.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Symantec Security Response
-http://www.symantec.com/avcenter/venc/data/back.orifice2000.trojan.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3156.txt snort-2.9.2/doc/signatures/3156.txt
--- snort-2.8.5.2/doc/signatures/3156.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3156.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3156
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3157.txt snort-2.9.2/doc/signatures/3157.txt
--- snort-2.8.5.2/doc/signatures/3157.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3157.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3157
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3158.txt snort-2.9.2/doc/signatures/3158.txt
--- snort-2.8.5.2/doc/signatures/3158.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3158.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3158
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3159.txt snort-2.9.2/doc/signatures/3159.txt
--- snort-2.8.5.2/doc/signatures/3159.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3159.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3159
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/315.txt snort-2.9.2/doc/signatures/315.txt
--- snort-2.8.5.2/doc/signatures/315.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/315.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid: 315
-
---
-Summary:
-This event is generated when an attempt is made to escalate privileges remotely using a vulnerability in mountd.
-
---
-Impact:
-System compromize presenting the attacker with escalated system privileges .
-
---
-Detailed Information:
-Some implementations of the Network File System (NFS) on Linux systems use a vulnerable version of mountd that is subject to a buffer overflow condition in the logging subsystem.
-
-The mountd logging facility also logs failed attempts to mount shared resources, even if NFS is not enabled on the system. This means that exploitation of this issue is possible wether or not NFS is being used.
-
-Affected Systems:
- Caldera OpenLinux Standard 1.2
- RedHat Linux 2.0, 2.1, 3.0.3, 4.0, 4.1, 4.2, 5.0, 5.1
-
---
-Attack Scenarios:
-Exploit scripts are available
-
---
-Ease of Attack:
-Simple. Exploits are available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/121
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0917
-
-CERT:
-http://www.cert.org/advisories/CA-1998-12.html
-http://www.cert.org/summaries/CS-98-08.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3160.txt snort-2.9.2/doc/signatures/3160.txt
--- snort-2.8.5.2/doc/signatures/3160.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3160.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3160
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3161.txt snort-2.9.2/doc/signatures/3161.txt
--- snort-2.8.5.2/doc/signatures/3161.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3161.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3161 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3162.txt snort-2.9.2/doc/signatures/3162.txt --- snort-2.8.5.2/doc/signatures/3162.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3162.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3162 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3163.txt snort-2.9.2/doc/signatures/3163.txt --- snort-2.8.5.2/doc/signatures/3163.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3163.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3163 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3164.txt snort-2.9.2/doc/signatures/3164.txt --- snort-2.8.5.2/doc/signatures/3164.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3164.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3164 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3165.txt snort-2.9.2/doc/signatures/3165.txt --- snort-2.8.5.2/doc/signatures/3165.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3165.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3165 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3166.txt snort-2.9.2/doc/signatures/3166.txt --- snort-2.8.5.2/doc/signatures/3166.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3166.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3166 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3167.txt snort-2.9.2/doc/signatures/3167.txt --- snort-2.8.5.2/doc/signatures/3167.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3167.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3167 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3168.txt snort-2.9.2/doc/signatures/3168.txt --- snort-2.8.5.2/doc/signatures/3168.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3168.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3168 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3169.txt snort-2.9.2/doc/signatures/3169.txt --- snort-2.8.5.2/doc/signatures/3169.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3169.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3169 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/316.txt snort-2.9.2/doc/signatures/316.txt --- snort-2.8.5.2/doc/signatures/316.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/316.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: 316 - --- -Summary: -This event is generated when an attempt is made to escalate privileges remotely using a vulnerability in mountd. - --- -Impact: -System compromize presenting the attacker with escalated system privileges . - --- -Detailed Information: -Some implementations of the Network File System (NFS) on Linux systems use a vulnerable version of mountd that is subject to a buffer overflow condition in the logging subsystem. - -The mountd logging facility also logs failed attempts to mount shared resources, even if NFS is not enabled on the system. This means that exploitation of this issue is possible wether or not NFS is being used. - -Affected Systems: - Caldera OpenLinux Standard 1.2 - RedHat Linux 2.0, 2.1, 3.0.3, 4.0, 4.1, 4.2, 5.0, 5.1 - --- -Attack Scenarios: -Exploit scripts are available - --- -Ease of Attack: -Simple. Exploits are available. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - -Apply the appropriate vendor supplied patches. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -Bugtraq: -http://www.securityfocus.com/bid/121 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0917 - -CERT: -http://www.cert.org/advisories/CA-1998-12.html -http://www.cert.org/summaries/CS-98-08.html - --- diff -Nru snort-2.8.5.2/doc/signatures/3170.txt snort-2.9.2/doc/signatures/3170.txt --- snort-2.8.5.2/doc/signatures/3170.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3170.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3170 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3171.txt snort-2.9.2/doc/signatures/3171.txt --- snort-2.8.5.2/doc/signatures/3171.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3171.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3171 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3172.txt snort-2.9.2/doc/signatures/3172.txt --- snort-2.8.5.2/doc/signatures/3172.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3172.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3172 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3173.txt snort-2.9.2/doc/signatures/3173.txt --- snort-2.8.5.2/doc/signatures/3173.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3173.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3173 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3174.txt snort-2.9.2/doc/signatures/3174.txt --- snort-2.8.5.2/doc/signatures/3174.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3174.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3174 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3175.txt snort-2.9.2/doc/signatures/3175.txt --- snort-2.8.5.2/doc/signatures/3175.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3175.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3175 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3176.txt snort-2.9.2/doc/signatures/3176.txt --- snort-2.8.5.2/doc/signatures/3176.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3176.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3176 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3177.txt snort-2.9.2/doc/signatures/3177.txt --- snort-2.8.5.2/doc/signatures/3177.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3177.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3177 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3178.txt snort-2.9.2/doc/signatures/3178.txt --- snort-2.8.5.2/doc/signatures/3178.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3178.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3178 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3179.txt snort-2.9.2/doc/signatures/3179.txt --- snort-2.8.5.2/doc/signatures/3179.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3179.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3179
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/317.txt snort-2.9.2/doc/signatures/317.txt
--- snort-2.8.5.2/doc/signatures/317.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/317.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid: 317
-
---
-Summary:
-This event is generated when an attempt is made to escalate privileges remotely using a vulnerability in mountd.
-
---
-Impact:
-System compromize presenting the attacker with escalated system privileges .
-
---
-Detailed Information:
-Some implementations of the Network File System (NFS) on Linux systems use a vulnerable version of mountd that is subject to a buffer overflow condition in the logging subsystem.
-
-The mountd logging facility also logs failed attempts to mount shared resources, even if NFS is not enabled on the system. This means that exploitation of this issue is possible wether or not NFS is being used.
-
-Affected Systems:
- Caldera OpenLinux Standard 1.2
- RedHat Linux 2.0, 2.1, 3.0.3, 4.0, 4.1, 4.2, 5.0, 5.1
-
---
-Attack Scenarios:
-Exploit scripts are available
-
---
-Ease of Attack:
-Simple. Exploits are available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/121
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0917
-
-CERT:
-http://www.cert.org/advisories/CA-1998-12.html
-http://www.cert.org/summaries/CS-98-08.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3180.txt snort-2.9.2/doc/signatures/3180.txt
--- snort-2.8.5.2/doc/signatures/3180.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3180.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3180
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3181.txt snort-2.9.2/doc/signatures/3181.txt
--- snort-2.8.5.2/doc/signatures/3181.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3181.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3181
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3182.txt snort-2.9.2/doc/signatures/3182.txt
--- snort-2.8.5.2/doc/signatures/3182.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3182.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3182
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3183.txt snort-2.9.2/doc/signatures/3183.txt
--- snort-2.8.5.2/doc/signatures/3183.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3183.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3183
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3184.txt snort-2.9.2/doc/signatures/3184.txt
--- snort-2.8.5.2/doc/signatures/3184.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3184.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3184
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3185.txt snort-2.9.2/doc/signatures/3185.txt
--- snort-2.8.5.2/doc/signatures/3185.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3185.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3185
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3186.txt snort-2.9.2/doc/signatures/3186.txt
--- snort-2.8.5.2/doc/signatures/3186.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3186.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3186
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3187.txt snort-2.9.2/doc/signatures/3187.txt
--- snort-2.8.5.2/doc/signatures/3187.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3187.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3187
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3188.txt snort-2.9.2/doc/signatures/3188.txt
--- snort-2.8.5.2/doc/signatures/3188.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3188.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3188
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3189.txt snort-2.9.2/doc/signatures/3189.txt
--- snort-2.8.5.2/doc/signatures/3189.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3189.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3189
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/318.txt snort-2.9.2/doc/signatures/318.txt
--- snort-2.8.5.2/doc/signatures/318.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/318.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-SID:
-318
---
-
-Rule:
---
-
-Summary:
-This event is generated when an attempt is made to exploit a vulnerable
-version of bootpd
---
-
-Impact:
-If attack is successful, total system compromise from a remote attacker
---
-
-Detailed Information:
-Due to improper handling of bounds checking in bootp request packets
-Bootpd version 2.4.3(and earlier) is susceptible to several types of
-buffer overflows. A successful exploit will result in complete
-compromise of the attacked system. Any system running Bootpd version
-Stanford University bootpd 2.4.3 should consider themselves vulnerable
---
-
-Affected Systems:
- Debian Linux 1.1
- Debian Linux 1.2
- Debian Linux 1.3
- Debian Linux 1.3.1
- Debian Linux 2.0
- Stanford University bootpd 2.4.3
---
-
-Attack Scenarios:
-An attacker can exploit vulnerable bootpd servers and modify system
-files as the root user or create a shell with root privileges
---
-
-Ease of Attack:
-Simple, Sample code exists
---
-
-False Positives:
-none
---
-
-False Negatives:
-none
---
-
-Corrective Action:
-Vendors have supplied patched versions of bootpd, upgrade
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3190.txt snort-2.9.2/doc/signatures/3190.txt
--- snort-2.8.5.2/doc/signatures/3190.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3190.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3190
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3191.txt snort-2.9.2/doc/signatures/3191.txt
--- snort-2.8.5.2/doc/signatures/3191.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3191.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3191
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3192.txt snort-2.9.2/doc/signatures/3192.txt
--- snort-2.8.5.2/doc/signatures/3192.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3192.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-3192
-
---
-Summary:
-This event is generated when an attempt is made to exploit a host via a
-vulnerability in Windows Media Player.
-
---
-Impact:
-Serious. Code execution leading to unauthorized administrative access
-to the target host.
-
---
-Detailed Information:
-A directory traversal vulnerability in Windows Media Player can be
-exploited via a malicious skin file downloaded from a remote machine.
-This may allow an attacker to execute code of their choosing on an
-affected host and gain administrative access to that host.
-
---
-Affected Systems:
- Microsoft Windows Media Player 7.1
- Windows Media Player for Windows XP
-
---
-Attack Scenarios:
-An attacker can create a malformed skin file and make it available for
-automatic download and installation by a user.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-Brian Caswell
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3193.txt snort-2.9.2/doc/signatures/3193.txt
--- snort-2.8.5.2/doc/signatures/3193.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3193.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-3193
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Internet Information Server.
-
---
-Impact:
-Serious. Code execution leading to unauthorized administrative access
-on the target host.
-
---
-Detailed Information:
-Microsoft IIS contains a programming error that may allow an attacker to
-execute commands of their choosing on a vulnerable system. If a valid
-request for an executable file on the system is made, the server will
-honor the request and execute any commands sent to the system. It may be
-possible for an attacker to execute system commands sent to cmd.exe or
-an executable batch file (.bat) for example.
-
---
-Affected Systems:
- Microsoft IIS 4.0
- Microsoft IIS 5.0
-
---
-Attack Scenarios:
-An attacker can send a request to an executable file on the system and
-supply command arguments of their choice to the file. The server will
-honor the request and execute the attackers commands.
-
-For example, http://www.target.com/scripts/cmd.bat"+&+somecommand
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3194.txt snort-2.9.2/doc/signatures/3194.txt
--- snort-2.8.5.2/doc/signatures/3194.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3194.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-3194
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Internet Information Server.
-
---
-Impact:
-Serious. Code execution leading to unauthorized administrative access
-on the target host.
-
---
-Detailed Information:
-Microsoft IIS contains a programming error that may allow an attacker to
-execute commands of their choosing on a vulnerable system. If a valid
-request for an executable file on the system is made, the server will
-honor the request and execute any commands sent to the system. It may be
-possible for an attacker to execute system commands sent to cmd.exe or
-an executable batch file (.bat) for example.
-
---
-Affected Systems:
- Microsoft IIS 4.0
- Microsoft IIS 5.0
-
---
-Attack Scenarios:
-An attacker can send a request to an executable file on the system and
-supply command arguments of their choice to the file. The server will
-honor the request and execute the attackers commands.
-
-For example, http://www.target.com/scripts/cmd.bat"+&+somecommand
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3195.txt snort-2.9.2/doc/signatures/3195.txt
--- snort-2.8.5.2/doc/signatures/3195.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3195.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-3195
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft WINS.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft WINS such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker would need to send multiple malformed request to the WINS
-service running on a host.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Uninstall the WINS service.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3196.txt snort-2.9.2/doc/signatures/3196.txt
--- snort-2.8.5.2/doc/signatures/3196.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3196.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -3196 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft WINS. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft WINS such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows Server 2003 - --- -Attack Scenarios: -An attacker would need to send multiple malformed request to the WINS -service running on a host. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Uninstall the WINS service. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3197.txt snort-2.9.2/doc/signatures/3197.txt --- snort-2.8.5.2/doc/signatures/3197.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3197.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,84 +0,0 @@ -Rule: - --- -Sid: -3197 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - -This event indicates that an attempt to exploit this vulnerability via -the ISystemActivator component has been made. - -This vulnerability is also exploited by the Billy/Blaster worm. The worm -also uses the Trivial File Transfer Protocol (TFTP) to propagate. A -number of events generated by this rule may indicate worm activity. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. This is also exploited by a worm. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - -Block access to port 69 used by the worm to propogate. - -Block access to port 4444 used by the worm. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Symantec: -http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html - --- diff -Nru snort-2.8.5.2/doc/signatures/3198.txt snort-2.9.2/doc/signatures/3198.txt --- snort-2.8.5.2/doc/signatures/3198.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3198.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,84 +0,0 @@ -Rule: - --- -Sid: -3198 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - -This event indicates that an attempt to exploit this vulnerability via -the ISystemActivator component has been made. - -This vulnerability is also exploited by the Billy/Blaster worm. The worm -also uses the Trivial File Transfer Protocol (TFTP) to propagate. A -number of events generated by this rule may indicate worm activity. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. This is also exploited by a worm. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - -Block access to port 69 used by the worm to propogate. - -Block access to port 4444 used by the worm. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Symantec: -http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html - --- diff -Nru snort-2.8.5.2/doc/signatures/3199.txt snort-2.9.2/doc/signatures/3199.txt --- snort-2.8.5.2/doc/signatures/3199.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3199.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,62 +0,0 @@ -Rule: - --- -Sid: -3199 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft WINS. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft WINS such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows Server 2003 - --- -Attack Scenarios: -An attacker would need to send multiple malformed request to the WINS -service running on a host. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Uninstall the WINS service. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/319.txt snort-2.9.2/doc/signatures/319.txt --- snort-2.8.5.2/doc/signatures/319.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/319.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -SID: -319 --- - -Rule: --- - -Summary: -This event is generated when an attempt is made to exploit a vulnerable -version of bootpd --- - -Impact: -If attack is successful, total system compromise from a remote attacker --- - -Detailed Information: -Due to improper handling of bounds checking in bootp request packets -Bootpd version 2.4.3(and earlier) is susceptible to several types of -buffer overflows. A successful exploit will result in complete -compromise of the attacked system. Any system running Bootpd version -Stanford University bootpd 2.4.3 should consider themselves vulnerable --- - -Affected Systems: - Debian Linux 1.1 - Debian Linux 1.2 - Debian Linux 1.3 - Debian Linux 1.3.1 - Debian Linux 2.0 - Stanford University bootpd 2.4.3 --- - -Attack Scenarios: -An attacker can exploit vulnerable bootpd servers and modify system -files as the root user or create a shell with root privileges --- - -Ease of Attack: -Simple, Sample code exists --- - -False Positives: -None known --- - -False Negatives: -None known --- - -Corrective Action: -Vendors have supplied patched versions of bootpd, upgrade --- - -Contributors: -Snort documentation contributed by matthew harvey -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3200.txt snort-2.9.2/doc/signatures/3200.txt --- snort-2.8.5.2/doc/signatures/3200.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3200.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -3200 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft WINS. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft WINS such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows Server 2003 - --- -Attack Scenarios: -An attacker would need to send multiple malformed request to the WINS -service running on a host. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Uninstall the WINS service. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3201.txt snort-2.9.2/doc/signatures/3201.txt --- snort-2.8.5.2/doc/signatures/3201.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3201.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -3201 - --- -Summary: -This event is generated when an attempt is made to access the file -httpodbc.dll. - --- -Impact: -Serious. Remote code execution is possible. - --- -Detailed Information: -Versions of Microsoft Internet Information Server (IIS) and Microsoft -Personal Web Server (PWS) are vulnerable to a directory traversal attack -that may lead to access of certain sensitive system files. - -This event is generated when an attempt is made to access the file -httpodbc.dll. This may indicate nimda worm activity. - --- -Affected Systems: - Microsoft IIS 3.0 - Microsoft IIS 4.0 - Microsoft PWS - --- -Attack Scenarios: -This may indicate worm activity. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3202.txt snort-2.9.2/doc/signatures/3202.txt --- snort-2.8.5.2/doc/signatures/3202.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3202.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3202 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3203.txt snort-2.9.2/doc/signatures/3203.txt --- snort-2.8.5.2/doc/signatures/3203.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3203.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3203 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3204.txt snort-2.9.2/doc/signatures/3204.txt --- snort-2.8.5.2/doc/signatures/3204.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3204.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3204 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3205.txt snort-2.9.2/doc/signatures/3205.txt --- snort-2.8.5.2/doc/signatures/3205.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3205.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3205 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3206.txt snort-2.9.2/doc/signatures/3206.txt --- snort-2.8.5.2/doc/signatures/3206.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3206.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3206 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3207.txt snort-2.9.2/doc/signatures/3207.txt --- snort-2.8.5.2/doc/signatures/3207.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3207.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3207 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3208.txt snort-2.9.2/doc/signatures/3208.txt --- snort-2.8.5.2/doc/signatures/3208.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3208.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3208 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3209.txt snort-2.9.2/doc/signatures/3209.txt --- snort-2.8.5.2/doc/signatures/3209.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3209.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3209 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/320.txt snort-2.9.2/doc/signatures/320.txt --- snort-2.8.5.2/doc/signatures/320.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/320.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: 320 - --- -Summary: -This event is generated when access to a known UNIX backdoor deployed by attackers is attempted. In this case it may be a connection to a Trojaned version of fingerd. - --- - -Impact: -Remote system compromise leading to a compromise of all resources the host is connected to. - --- -Detailed Information: -The rule generates an event when access to a "fingerd" backdoor is attempted, this was often found on compromised UNIX machines in the late 1990s. The Trojan finger daemon runs as "root" and is started by inetd with parameters from inetd.conf file unlike the regular finger daemon which runs as "nobody" and replaces the regular "fingerd" binary. It allows its owner to execute several commands remotely by sending a finger request to a specific user. Particularly, the finger request for the user "cmd_rootsh" spawns a root shell bound to the finger port and allows remote command execution. - --- - -Attack Scenarios: -An attacker gains access to a UNIX machine via a remote exploit, then downloads and deploys the "fingerd" trojan. Next, the attacker only needs to send a finger request to gain root access with no password. - --- - -Ease of Attack: -The victim host is most likely already compromised. - --- - -False Positives: -None known - --- -False Negatives: -None known - --- - -Corrective Action: - -Restore the system from a known good backup. - -Reinstall the operating system. 
- --- -Contributors: -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -Nessus: -http://cgi.nessus.org/plugins/dump.php3?id=10070 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0660 - -SANS: -http://www.sans.org/y2k/TFN_toolkit.htm -http://www.sans.org/y2k/fingerd.htm - --- diff -Nru snort-2.8.5.2/doc/signatures/3210.txt snort-2.9.2/doc/signatures/3210.txt --- snort-2.8.5.2/doc/signatures/3210.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3210.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3210 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3211.txt snort-2.9.2/doc/signatures/3211.txt --- snort-2.8.5.2/doc/signatures/3211.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3211.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3211 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3212.txt snort-2.9.2/doc/signatures/3212.txt --- snort-2.8.5.2/doc/signatures/3212.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3212.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3212 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3213.txt snort-2.9.2/doc/signatures/3213.txt --- snort-2.8.5.2/doc/signatures/3213.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3213.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3213
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3214.txt snort-2.9.2/doc/signatures/3214.txt
--- snort-2.8.5.2/doc/signatures/3214.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3214.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3214
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3215.txt snort-2.9.2/doc/signatures/3215.txt
--- snort-2.8.5.2/doc/signatures/3215.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3215.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3215
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3216.txt snort-2.9.2/doc/signatures/3216.txt
--- snort-2.8.5.2/doc/signatures/3216.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3216.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3216
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3217.txt snort-2.9.2/doc/signatures/3217.txt
--- snort-2.8.5.2/doc/signatures/3217.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3217.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3217
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3218.txt snort-2.9.2/doc/signatures/3218.txt
--- snort-2.8.5.2/doc/signatures/3218.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3218.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3218
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3219.txt snort-2.9.2/doc/signatures/3219.txt
--- snort-2.8.5.2/doc/signatures/3219.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3219.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3219
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/321.txt snort-2.9.2/doc/signatures/321.txt
--- snort-2.8.5.2/doc/signatures/321.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/321.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid: 321
-
---
-Summary:
-An information leak exploit against the old Solaris finger daemon
-
---
-Impact:
-Intelligence gathering activity. The attacker may be trying to obtain a list of accounts on the victim host.
-
---
-Detailed Information:
-The rule generates an event when an attempt is made to exploit a bug in the Solaris "fingerd" daemon. The bug allows the attacker to obtain the lists of accounts existing on the Sun system by issuing a specially crafted finger request.
-
-Obtaining a list of accounts may precipitate a password guessing attack, an email attack or other abuses against those accounts.
-
---
-Attack Scenarios:
-An attacker may learn that a "guest" account exists on the system and has never been used. He might then guesse the password for this account and is now able to log in to the system remotely using telnet or ssh for example. This might then lead to further system compromise and escalated privileges for the attacker.
-
---
-Ease of Attack:
-Simple
-No exploit software required
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Look for other IDS events involving the same IP addresses
-
-Check system logs for suspicious logins to the affected system,
-
-Disable the fingerd daemon
-
-Apply a vendor patch that removes the vulnerability
-
---
-Contributors:
-Original rule writer unknown
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Nessus
-http://cgi.nessus.org/plugins/dump.php3?id=10788
-
-Securiteam
-http://www.securiteam.com/unixfocus/6B00M0U2UW.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3220.txt snort-2.9.2/doc/signatures/3220.txt
--- snort-2.8.5.2/doc/signatures/3220.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3220.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3220
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3221.txt snort-2.9.2/doc/signatures/3221.txt
--- snort-2.8.5.2/doc/signatures/3221.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3221.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3221
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3222.txt snort-2.9.2/doc/signatures/3222.txt
--- snort-2.8.5.2/doc/signatures/3222.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3222.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3222
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3223.txt snort-2.9.2/doc/signatures/3223.txt
--- snort-2.8.5.2/doc/signatures/3223.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3223.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3223
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3224.txt snort-2.9.2/doc/signatures/3224.txt
--- snort-2.8.5.2/doc/signatures/3224.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3224.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3224
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3225.txt snort-2.9.2/doc/signatures/3225.txt
--- snort-2.8.5.2/doc/signatures/3225.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3225.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3225
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3226.txt snort-2.9.2/doc/signatures/3226.txt
--- snort-2.8.5.2/doc/signatures/3226.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3226.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3226
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3227.txt snort-2.9.2/doc/signatures/3227.txt
--- snort-2.8.5.2/doc/signatures/3227.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3227.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3227
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3228.txt snort-2.9.2/doc/signatures/3228.txt
--- snort-2.8.5.2/doc/signatures/3228.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3228.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3228
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3229.txt snort-2.9.2/doc/signatures/3229.txt
--- snort-2.8.5.2/doc/signatures/3229.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3229.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3229
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/322.txt snort-2.9.2/doc/signatures/322.txt
--- snort-2.8.5.2/doc/signatures/322.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/322.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid: 322
-
---
-Summary:
-This event is genrated when an attempt is made to query the finger daemon to ascertain a list of usernames on a system.
-
---
-
-Impact:
-Information gatthering, the attacker may obtain the list of some accounts existing on the victim system as a prelude to further compromize.
-
---
-Detailed Information:
-
-The rule is triggerred when an attempt to use a search feature in
-"cfingerd" version of a finger daemon is attempted. The search feature
-allows the attacker to obtain the lists of accounts existing on the
-target system by issuing a specially crafted finger request to
-"search" for information. Knowing the list of accounts might
-facilitate a password guessing attacks, email attacks or other abuse.
-
---
-
-Attack Scenarios: an attacker learns that "guest" account exists and
-has never been used. He then guesses that the password for this
-account and logs in to the system remotely using telnet.
-
---
-
-Ease of Attack:
-Simple, no exploit software required
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Look for other IDS events involving the same IP addresses.
-
-Look for suspicious logins to the affected system.
-
-Disable the finger daemon or apply a vendor patch that removes the vulnerability
-
---
-Contributors:
-Original rule writer Max Vision
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS375
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0259
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3230.txt snort-2.9.2/doc/signatures/3230.txt
--- snort-2.8.5.2/doc/signatures/3230.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3230.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3230
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3231.txt snort-2.9.2/doc/signatures/3231.txt
--- snort-2.8.5.2/doc/signatures/3231.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3231.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3231
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3232.txt snort-2.9.2/doc/signatures/3232.txt
--- snort-2.8.5.2/doc/signatures/3232.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3232.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3232
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3233.txt snort-2.9.2/doc/signatures/3233.txt
--- snort-2.8.5.2/doc/signatures/3233.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3233.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3233
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3234.txt snort-2.9.2/doc/signatures/3234.txt
--- snort-2.8.5.2/doc/signatures/3234.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3234.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3234
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3235.txt snort-2.9.2/doc/signatures/3235.txt
--- snort-2.8.5.2/doc/signatures/3235.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3235.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3235
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3236.txt snort-2.9.2/doc/signatures/3236.txt
--- snort-2.8.5.2/doc/signatures/3236.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3236.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3236
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3237.txt snort-2.9.2/doc/signatures/3237.txt
--- snort-2.8.5.2/doc/signatures/3237.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3237.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3237
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3238.txt snort-2.9.2/doc/signatures/3238.txt
--- snort-2.8.5.2/doc/signatures/3238.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3238.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3238
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3239.txt snort-2.9.2/doc/signatures/3239.txt
--- snort-2.8.5.2/doc/signatures/3239.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3239.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3239
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/323.txt snort-2.9.2/doc/signatures/323.txt
--- snort-2.8.5.2/doc/signatures/323.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/323.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid: 323
-
---
-
-Summary:
-This is an intelligence gathering activity.
-
---
-
-Impact:
-The attacker may obtain detailed information about the administrative super user account.
-
---
-Detailed Information:
-This event is generated when an attempt to access information about the administrative account "root" on a UNIX system is made via the finger service.
-
-The information that can be collected includes time and source address of the last login and/or current login sessions, type of shell, path to home directory, mail forwarding address (often reflecting the name of the person administrering the system) and the time when "root" email was last read. This information can be used in planning further attacks against the host.
-
---
-
-Attack Scenarios:
-The attacker learns that "root" has not logged in for a long time. He hypothesizes that the system is not often used and thus not likely to be patched or secured and may therefore, be vulnerable to a number of other attacks.
-
---
-
-Ease of Attack:
-Simple, no exploit software required
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disable the finger daemon or limit the addresses that can access the service via firewall or TCP wrappers.
-
---
-Contributors:
-Original rule written by Max Vision
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS376
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3240.txt snort-2.9.2/doc/signatures/3240.txt
--- snort-2.8.5.2/doc/signatures/3240.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3240.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3240
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3241.txt snort-2.9.2/doc/signatures/3241.txt
--- snort-2.8.5.2/doc/signatures/3241.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3241.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3241
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3242.txt snort-2.9.2/doc/signatures/3242.txt
--- snort-2.8.5.2/doc/signatures/3242.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3242.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3242
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3243.txt snort-2.9.2/doc/signatures/3243.txt
--- snort-2.8.5.2/doc/signatures/3243.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3243.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3243
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3244.txt snort-2.9.2/doc/signatures/3244.txt
--- snort-2.8.5.2/doc/signatures/3244.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3244.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3244
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3245.txt snort-2.9.2/doc/signatures/3245.txt
--- snort-2.8.5.2/doc/signatures/3245.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3245.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3245
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3246.txt snort-2.9.2/doc/signatures/3246.txt
--- snort-2.8.5.2/doc/signatures/3246.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3246.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3246
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3247.txt snort-2.9.2/doc/signatures/3247.txt
--- snort-2.8.5.2/doc/signatures/3247.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3247.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3247
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3248.txt snort-2.9.2/doc/signatures/3248.txt
--- snort-2.8.5.2/doc/signatures/3248.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3248.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3248
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3249.txt snort-2.9.2/doc/signatures/3249.txt
--- snort-2.8.5.2/doc/signatures/3249.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3249.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3249
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/324.txt snort-2.9.2/doc/signatures/324.txt
--- snort-2.8.5.2/doc/signatures/324.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/324.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-
-324
-
---
-Summary:
-This event is generated when a null character in a Finger request is
-detected.
-
---
-Impact:
-Some systems will respond to a null finger request by supplying a list
-of usernames present on the host.
-
-Disclosure of usernames is an Information Gathering risk. The remote
-user can use this information in other exploits that require knowing
-user names, or as a basis for social engineering.
-
---
-Detailed Information:
-A packet is transmitted to server port 79 (Finger) with a null character
-in the data. Some Unix finger commands will respond with a full list of
-usernames. A remote attacker could use this information for other
-exploits, including dictionary-based password attacks and social
-engineering attempts.
-
---
-Affected Systems:
- Some UNIX based systems
-
---
-Attack Scenarios:
-See detailed information section above.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Disable the finger daemon in inetd.conf, or block untrusted access to
-port 79 using a packet filtering firewall.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Darryl Davidson
-
---
-Additional References: CVE-1999-0612,
-
-Arachnids:
-http://www.whitehats.com/info/IDS377 (Arachnids,377)
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3250.txt snort-2.9.2/doc/signatures/3250.txt
--- snort-2.8.5.2/doc/signatures/3250.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3250.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3250
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3251.txt snort-2.9.2/doc/signatures/3251.txt
--- snort-2.8.5.2/doc/signatures/3251.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3251.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3251
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3252.txt snort-2.9.2/doc/signatures/3252.txt
--- snort-2.8.5.2/doc/signatures/3252.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3252.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3252
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3253.txt snort-2.9.2/doc/signatures/3253.txt
--- snort-2.8.5.2/doc/signatures/3253.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3253.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3253
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3254.txt snort-2.9.2/doc/signatures/3254.txt
--- snort-2.8.5.2/doc/signatures/3254.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3254.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3254
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3255.txt snort-2.9.2/doc/signatures/3255.txt
--- snort-2.8.5.2/doc/signatures/3255.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3255.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3255
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3256.txt snort-2.9.2/doc/signatures/3256.txt
--- snort-2.8.5.2/doc/signatures/3256.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3256.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3256
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3257.txt snort-2.9.2/doc/signatures/3257.txt
--- snort-2.8.5.2/doc/signatures/3257.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3257.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3257
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3258.txt snort-2.9.2/doc/signatures/3258.txt
--- snort-2.8.5.2/doc/signatures/3258.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3258.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3258
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3259.txt snort-2.9.2/doc/signatures/3259.txt
--- snort-2.8.5.2/doc/signatures/3259.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3259.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3259
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/325.txt snort-2.9.2/doc/signatures/325.txt
--- snort-2.8.5.2/doc/signatures/325.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/325.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid: 325
-
---
-
-Summary:
-This is an intelligence gathering activity.
-
---
-
-Impact:
-The attacker may obtain a list of accounts existing on the target host.
-
---
-Detailed Information:
-This event is generated when an attempt is made to use a finger command against a host with a username of "0". A finger query against a vulnerable finger daemon may allow the attacker to obtain a list of accounts on the target system with some details for each account where present (such as time and source of the last login).
-
-Obtaining a list of accounts might precipitate further attacks such as password guessing, email attacks and other abuse.
-
---
-
-Attack Scenarios:
-An attacker learns that the "sys" account exists on the system. He then proceeds to guess the password and is then able to gain remote access to the system.
-
---
-
-Ease of Attack:
-Simple, no exploit software required
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disable the finger daemon or limit the addresses that can access the service via firewall or TCP wrappers.
-
---
-Contributors:
-Original rule written by Max Vision
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS378
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0197
-
-Nessus:
-http://cgi.nessus.org/plugins/dump.php3?id=10069%20(Finger%20zero%20at%20host
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3260.txt snort-2.9.2/doc/signatures/3260.txt
--- snort-2.8.5.2/doc/signatures/3260.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3260.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3260
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3261.txt snort-2.9.2/doc/signatures/3261.txt
--- snort-2.8.5.2/doc/signatures/3261.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3261.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3261
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3262.txt snort-2.9.2/doc/signatures/3262.txt
--- snort-2.8.5.2/doc/signatures/3262.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3262.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3262
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3263.txt snort-2.9.2/doc/signatures/3263.txt
--- snort-2.8.5.2/doc/signatures/3263.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3263.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3263
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3264.txt snort-2.9.2/doc/signatures/3264.txt
--- snort-2.8.5.2/doc/signatures/3264.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3264.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3264
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3265.txt snort-2.9.2/doc/signatures/3265.txt
--- snort-2.8.5.2/doc/signatures/3265.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3265.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3265 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3266.txt snort-2.9.2/doc/signatures/3266.txt --- snort-2.8.5.2/doc/signatures/3266.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3266.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3266 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3267.txt snort-2.9.2/doc/signatures/3267.txt --- snort-2.8.5.2/doc/signatures/3267.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3267.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3267 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3268.txt snort-2.9.2/doc/signatures/3268.txt --- snort-2.8.5.2/doc/signatures/3268.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3268.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3268 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3269.txt snort-2.9.2/doc/signatures/3269.txt --- snort-2.8.5.2/doc/signatures/3269.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3269.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3269 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/326.txt snort-2.9.2/doc/signatures/326.txt --- snort-2.8.5.2/doc/signatures/326.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/326.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,72 +0,0 @@ -Rule: - --- -Sid: 326 - --- - -Summary: -This event is generated when a remote command execution exploit against -a finger daemon is attempted. - --- -Impact: -Serious. The attacker may be presented with the opportunity to run a -command of his choice on the target UNIX system - --- -Detailed Information: -This event is generated when a specific attack against a vulnerable -version of finger daemon is detected. - -The Finger daemon is used to provide information about users on a UNIX -system. It used to be installed and enabled by default on most -UNIX/Linux systems. The attack may allow an attacker to execute a -command remotely on a target system with the privileges of the user -running the "finger" daemon. The user is usually defined in the -/etc/inetd.conf file and is commonly designated as "nobody". - --- -Attack Scenarios: -An attacker may try the attack and then executes a command to download a -backdoor to the target system. He then connects to the system and may -attempt to escalate his privileges by exploiting a local SUID -application to gain "root" privileges. - --- -Ease of Attack: -Simple, no exploit software is required, just a specially formatted finger query - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disable the finger daemon or limit the addresses that can access the -service via firewall or TCP wrappers. 
- --- -Contributors: -Original rule written by Max Vision -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS379 - -Bugtraq: -http://online.securityfocus.com/bid/974 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0150 - --- diff -Nru snort-2.8.5.2/doc/signatures/3270.txt snort-2.9.2/doc/signatures/3270.txt --- snort-2.8.5.2/doc/signatures/3270.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3270.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3270 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3271.txt snort-2.9.2/doc/signatures/3271.txt --- snort-2.8.5.2/doc/signatures/3271.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3271.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3271 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3273.txt snort-2.9.2/doc/signatures/3273.txt --- snort-2.8.5.2/doc/signatures/3273.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3273.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -3152 - --- -Summary: -This event is generated when an attempt is made to access a host running -Microsoft SQL Server or utilizing MSDE via the default "sa" account. - --- -Impact: -Information disclosure. Unauthorized access to the host. - --- -Detailed Information: -This event is generated when an attempt is made to access a host via the -"sa" account using brute force techniques to guess a password. - -Microsoft SQL server and MSDE components use a default "sa" account with -a default password as the administrative user for the database -installation. This event indicates that numerous failed attempts have -been made to access the target host using this account. - --- -Affected Systems: - Microsoft SQL Server 2000 - Microsoft SQL Server 7.0 - Systems using Microsoft MSDE components - --- -Attack Scenarios: -An attacker can use an automated script to gain access to a host and the -database contents as an administrator by repeatly attempting to login -using the "sa" account and different passwords. - -Some worms also try to brute force entry using this methodology. - --- -Ease of Attack: -Simple, - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Change the default "sa" password - -Disable the "sa" account. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3274.txt snort-2.9.2/doc/signatures/3274.txt --- snort-2.8.5.2/doc/signatures/3274.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3274.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -3274 - --- -Summary: -This event is generated when an attempt is made to exploit a known -buffer overflow vulnerability affecting "login" via Telnet. - --- -Impact: -Serious. Unauthorized administrative access to the target host. - --- -Detailed Information: -The login binary is used when establishing an interactive session on a -system. It is used locally and by protocols that allow remote access. A -buffer overflow condition exists in some versions of login that can be -triggered by the manipulation of environment variables. - -This event is generated when an attempt is made to overflow login via -telnet by manipulating the TTYPROMPT environment variable. - --- -Affected Systems: - Systems using Sys V derived login - --- -Attack Scenarios: -An attacker can overflow a buffer by inserting 6 bytes of data followed -by 65 characters and a newline into the TTYPROMPT variable. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3275.txt snort-2.9.2/doc/signatures/3275.txt --- snort-2.8.5.2/doc/signatures/3275.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3275.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3275 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3276.txt snort-2.9.2/doc/signatures/3276.txt --- snort-2.8.5.2/doc/signatures/3276.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3276.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3276 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3277.txt snort-2.9.2/doc/signatures/3277.txt --- snort-2.8.5.2/doc/signatures/3277.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3277.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3277 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3278.txt snort-2.9.2/doc/signatures/3278.txt --- snort-2.8.5.2/doc/signatures/3278.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3278.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3278 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3279.txt snort-2.9.2/doc/signatures/3279.txt --- snort-2.8.5.2/doc/signatures/3279.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3279.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3279 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/327.txt snort-2.9.2/doc/signatures/327.txt --- snort-2.8.5.2/doc/signatures/327.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/327.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: 327 - --- - -Summary: -This event is generated when a remote command execution exploit against a finger daemon is attempted. - --- - -Impact: -Serious. The attacker may be presented with the opportunity to run a command of his choice on the target UNIX system - --- -Detailed Information: -This event is generated when a specific attack against a vulnerable version of the finger daemon is detected. - -The Finger daemon is used to provide information about users on a UNIX system. It used to be installed and enabled by default on most UNIX/Linux systems. The attack may allow an attacker to execute a command remotely on a target system with the privileges of the user running the "finger" daemon. The user is usually defined in the /etc/inetd.conf file and is commonly designated as "nobody". - --- -Attack Scenarios: -An attacker may try the attack and then executes a command to download a backdoor to the target system. He then connects to the system and may attempt to escalate his privileges by exploiting a local SUID application to gain "root" privileges. - --- - -Ease of Attack: -Simple, no exploit software is required, just a specially formatted finger query - --- - -False Positives: -None Known - --- -False Negatives: -None Known - --- - -Corrective Action: -Disable the finger daemon or limit the addresses that can access the service via firewall or TCP wrappers. 
- --- -Contributors: -Original rule written by Max Vision -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0152 - -Arachnids: -http://www.whitehats.com/info/IDS380 - -Bugtraq: -http://online.securityfocus.com/bid/2220 - --- diff -Nru snort-2.8.5.2/doc/signatures/3280.txt snort-2.9.2/doc/signatures/3280.txt --- snort-2.8.5.2/doc/signatures/3280.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3280.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3280 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3281.txt snort-2.9.2/doc/signatures/3281.txt --- snort-2.8.5.2/doc/signatures/3281.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3281.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3281 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3282.txt snort-2.9.2/doc/signatures/3282.txt --- snort-2.8.5.2/doc/signatures/3282.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3282.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3282 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3283.txt snort-2.9.2/doc/signatures/3283.txt --- snort-2.8.5.2/doc/signatures/3283.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3283.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3283
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3284.txt snort-2.9.2/doc/signatures/3284.txt
--- snort-2.8.5.2/doc/signatures/3284.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3284.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3284
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3285.txt snort-2.9.2/doc/signatures/3285.txt
--- snort-2.8.5.2/doc/signatures/3285.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3285.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3285
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3286.txt snort-2.9.2/doc/signatures/3286.txt
--- snort-2.8.5.2/doc/signatures/3286.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3286.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3286
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3287.txt snort-2.9.2/doc/signatures/3287.txt
--- snort-2.8.5.2/doc/signatures/3287.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3287.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3287
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3288.txt snort-2.9.2/doc/signatures/3288.txt
--- snort-2.8.5.2/doc/signatures/3288.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3288.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3288
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3289.txt snort-2.9.2/doc/signatures/3289.txt
--- snort-2.8.5.2/doc/signatures/3289.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3289.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3289
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/328.txt snort-2.9.2/doc/signatures/328.txt
--- snort-2.8.5.2/doc/signatures/328.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/328.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid: 328
-
---
-
-Summary:
-This event is generated when a Denial-of-Service (DoS) attack against a finger daemon is attempted.
-
---
-
-Impact:
-The attacker may overload the target machine or crash the finger daemon
-
---
-Detailed Information:
-This event is generated when a specially crafted finger query is directed at a target UNIX host.
-
-The Finger daemon is used to provide information about users on a UNIX system. It used to be installed and enabled by default on most UNIX/Linux systems. The attack will crash or overload the vulnerable machines.
-
---
-
-Attack Scenarios:
-The attacker needs to send specially crafted packets to the finger daemon on a host.
-
---
-
-Ease of Attack:
-Moderate, no exploit software is required, just a specially formatted finger query
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disable the finger daemon or limit the addresses that can access the service via firewall or TCP wrappers.
-
---
-Contributors:
-Original rule written by Max Vision
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0106
-
-Arachnids:
-http://www.whitehats.com/info/IDS381
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3290.txt snort-2.9.2/doc/signatures/3290.txt
--- snort-2.8.5.2/doc/signatures/3290.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3290.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3290
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3291.txt snort-2.9.2/doc/signatures/3291.txt
--- snort-2.8.5.2/doc/signatures/3291.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3291.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3291
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3292.txt snort-2.9.2/doc/signatures/3292.txt
--- snort-2.8.5.2/doc/signatures/3292.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3292.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3292
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3293.txt snort-2.9.2/doc/signatures/3293.txt
--- snort-2.8.5.2/doc/signatures/3293.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3293.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3293
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3294.txt snort-2.9.2/doc/signatures/3294.txt
--- snort-2.8.5.2/doc/signatures/3294.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3294.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3294
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3295.txt snort-2.9.2/doc/signatures/3295.txt
--- snort-2.8.5.2/doc/signatures/3295.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3295.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3295
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3296.txt snort-2.9.2/doc/signatures/3296.txt
--- snort-2.8.5.2/doc/signatures/3296.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3296.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3296
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3297.txt snort-2.9.2/doc/signatures/3297.txt
--- snort-2.8.5.2/doc/signatures/3297.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3297.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3297
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3298.txt snort-2.9.2/doc/signatures/3298.txt
--- snort-2.8.5.2/doc/signatures/3298.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3298.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3298
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3299.txt snort-2.9.2/doc/signatures/3299.txt
--- snort-2.8.5.2/doc/signatures/3299.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3299.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3299
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/329.txt snort-2.9.2/doc/signatures/329.txt
--- snort-2.8.5.2/doc/signatures/329.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/329.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid: 329
-
---
-Summary:
-This is an intelligence gathering activity. This event is indicative of a connection laundering attack against the finger daemon
-
---
-Impact:
-The attacker may obtain information about a third party host without making a direct connection to that host.
-
---
-Detailed Information:
-The event is generated when an attempt to use a machine to run
-finger queries against a third party UNIX system is attempted by the
-Cybercop vulnerability scanner.
-
-The attack utilizes "finger forwarding" functionality, normally used to forward queries to a third party machine. The information is obtained without a direct connection to the said third party, since the target system performs a connection to the third party host for the attacker.
-
-The Finger daemon is used to provide information about users on a UNIX system. It used to be installed and enabled by default on most UNIX/Linux systems. The attack if successful, will confirm that the target host will try to forward queries.
-
---
-
-Attack Scenarios:
-An attacker uses the Cybercop vulnerability scanner to test for this weakness.
-
---
-
-Ease of Attack:
-Simple, performed by a scanner
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disable the finger daemon or upgrade to a daemon without finger forwarding functionality
-
-
---
-Contributors:
-Original rule written by Max Vision
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0105
-
-Arachnids:
-http://www.whitehats.com/info/IDS11
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3300.txt snort-2.9.2/doc/signatures/3300.txt
--- snort-2.8.5.2/doc/signatures/3300.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3300.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3300
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3301.txt snort-2.9.2/doc/signatures/3301.txt
--- snort-2.8.5.2/doc/signatures/3301.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3301.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3301
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3302.txt snort-2.9.2/doc/signatures/3302.txt
--- snort-2.8.5.2/doc/signatures/3302.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3302.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3302
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3303.txt snort-2.9.2/doc/signatures/3303.txt
--- snort-2.8.5.2/doc/signatures/3303.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3303.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3303
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3304.txt snort-2.9.2/doc/signatures/3304.txt
--- snort-2.8.5.2/doc/signatures/3304.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3304.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3304
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3305.txt snort-2.9.2/doc/signatures/3305.txt
--- snort-2.8.5.2/doc/signatures/3305.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3305.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3305
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3306.txt snort-2.9.2/doc/signatures/3306.txt
--- snort-2.8.5.2/doc/signatures/3306.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3306.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3306
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3307.txt snort-2.9.2/doc/signatures/3307.txt
--- snort-2.8.5.2/doc/signatures/3307.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3307.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3307
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3308.txt snort-2.9.2/doc/signatures/3308.txt
--- snort-2.8.5.2/doc/signatures/3308.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3308.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3308
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3309.txt snort-2.9.2/doc/signatures/3309.txt
--- snort-2.8.5.2/doc/signatures/3309.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3309.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3309
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/330.txt snort-2.9.2/doc/signatures/330.txt
--- snort-2.8.5.2/doc/signatures/330.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/330.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid: 330
-
---
-Summary:
-This is an intelligence gathering activity. This event is indicative of a connection laundering attack against the finger daemon
-
---
-Impact:
-The attacker may obtain information about a third party host without making a direct connection to that host.
-
---
-Detailed Information:
-The event is generated when an attempt to use a machine to run
-finger queries against a third party UNIX system is attempted.
-
-The attack utilizes "finger forwarding" functionality, normally used to forward queries to a third party machine. The information is obtained without a direct connection to the said third party, since the target system performs a connection to the third party host for the attacker.
-
-The Finger daemon is used to provide information about users on a UNIX system. It used to be installed and enabled by default on most UNIX/Linux systems. The attack if successful, will confirm that the target host will try to forward queries.
-
---
-Attack Scenarios:
-An attacker runs a finger query and obtains information about the root account. He then proceeds to compromise the system using the obtained data as a basis for the compromise.
-
---
-Ease of Attack:
-Simple, no exploit software required
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disable the finger daemon or upgrade to a daemon without finger forwarding functionality
-
-
---
-Contributors:
-Original rule written by Max Vision
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Nessus:
-http://cgi.nessus.org/plugins/dump.php3?id=10073
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0105
-
-Arachnids:
-http://www.whitehats.com/info/IDS251
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3310.txt snort-2.9.2/doc/signatures/3310.txt
--- snort-2.8.5.2/doc/signatures/3310.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3310.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3310
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3311.txt snort-2.9.2/doc/signatures/3311.txt
--- snort-2.8.5.2/doc/signatures/3311.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3311.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3311
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3312.txt snort-2.9.2/doc/signatures/3312.txt
--- snort-2.8.5.2/doc/signatures/3312.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3312.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3312
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3313.txt snort-2.9.2/doc/signatures/3313.txt
--- snort-2.8.5.2/doc/signatures/3313.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3313.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3313
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3314.txt snort-2.9.2/doc/signatures/3314.txt
--- snort-2.8.5.2/doc/signatures/3314.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3314.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3314
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3315.txt snort-2.9.2/doc/signatures/3315.txt
--- snort-2.8.5.2/doc/signatures/3315.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3315.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3315
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3316.txt snort-2.9.2/doc/signatures/3316.txt
--- snort-2.8.5.2/doc/signatures/3316.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3316.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3316
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3317.txt snort-2.9.2/doc/signatures/3317.txt
--- snort-2.8.5.2/doc/signatures/3317.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3317.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3317
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3318.txt snort-2.9.2/doc/signatures/3318.txt
--- snort-2.8.5.2/doc/signatures/3318.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3318.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3318
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3319.txt snort-2.9.2/doc/signatures/3319.txt
--- snort-2.8.5.2/doc/signatures/3319.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3319.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3319
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/331.txt snort-2.9.2/doc/signatures/331.txt
--- snort-2.8.5.2/doc/signatures/331.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/331.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-reference:arachnids,132; reference:cve,CVE-1999-0612;
-classtype:attempted-recon; sid:331; rev:6;)
-
---
-Sid: 331
-
---
-
-Summary:
-This is an intelligence gathering activity. This event is indicative of an information leak attempt against a finger daemon performed by a vulnerability scanner
-
---
-
-Impact:
-The attacker may obtain information about user accounts on the target system.
-
---
-Detailed Information:
-This event is generated when an attempt to query the finger daemon is attempted by the Cybercop vulnerability scanner.
-
-The Finger daemon is used to provide information about users on a UNIX system. It used to be installed and enabled by default on most UNIX/Linux systems. The scan will confirm that the target host will respond to finger queries.
-
---
-
-Attack Scenarios:
-An attacker uses the Cybercop vulnerability scanner to test for this weakness.
-
---
-
-Ease of Attack:
-Simple, performed by a scanner
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disable the finger daemon or limit the addresses that can access the service via a firewall or TCP wrappers.
-
-
---
-Contributors:
-Original rule written by Max Vision
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS132
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0612
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3320.txt snort-2.9.2/doc/signatures/3320.txt
--- snort-2.8.5.2/doc/signatures/3320.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3320.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3320
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3321.txt snort-2.9.2/doc/signatures/3321.txt
--- snort-2.8.5.2/doc/signatures/3321.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3321.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3321
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3322.txt snort-2.9.2/doc/signatures/3322.txt
--- snort-2.8.5.2/doc/signatures/3322.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3322.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3322
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3323.txt snort-2.9.2/doc/signatures/3323.txt
--- snort-2.8.5.2/doc/signatures/3323.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3323.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3323
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3324.txt snort-2.9.2/doc/signatures/3324.txt
--- snort-2.8.5.2/doc/signatures/3324.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3324.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3324
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3325.txt snort-2.9.2/doc/signatures/3325.txt
--- snort-2.8.5.2/doc/signatures/3325.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3325.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3325
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3326.txt snort-2.9.2/doc/signatures/3326.txt
--- snort-2.8.5.2/doc/signatures/3326.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3326.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3326
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3327.txt snort-2.9.2/doc/signatures/3327.txt
--- snort-2.8.5.2/doc/signatures/3327.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3327.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3327
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3328.txt snort-2.9.2/doc/signatures/3328.txt
--- snort-2.8.5.2/doc/signatures/3328.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3328.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3328
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3329.txt snort-2.9.2/doc/signatures/3329.txt
--- snort-2.8.5.2/doc/signatures/3329.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3329.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3329
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/332.txt snort-2.9.2/doc/signatures/332.txt
--- snort-2.8.5.2/doc/signatures/332.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/332.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid: 332
-
---
-
-Summary:
-An intelligence gathering attack against the finger daemon
-
---
-
-Impact:
-The attacker may obtain information about user accounts on the target system.
-
---
-Detailed Information:
-This event is generated when an attempt is made to use a finger command against a host with a username of "0". A finger query against a vulnerable finger daemon may allow the attacker to obtain a list of accounts on the target system with some details for each account where present (such as time and source of the last login).
-
-Obtaining a list of accounts might precipitate further attacks such as password guessing, email attacks and other abuse.
-
---
-
-Attack Scenarios:
-An attacker learns that the "sys" account exists on the system. He then proceeds to guess the password and is then able to gain remote access to the system.
-
---
-
-Ease of Attack:
-Simple, no exploit software required
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disable the finger daemon or limit the addresses that can access the service via firewall or TCP wrappers.
-
---
-Contributors:
-Original rule written by Max Vision
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS378
-http://www.whitehats.com/info/IDS131
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0197
-
-Nessus:
-http://cgi.nessus.org/plugins/dump.php3?id=10069%20(Finger%20zero%20at%20host
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3330.txt snort-2.9.2/doc/signatures/3330.txt
--- snort-2.8.5.2/doc/signatures/3330.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3330.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3330
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3331.txt snort-2.9.2/doc/signatures/3331.txt
--- snort-2.8.5.2/doc/signatures/3331.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3331.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3331
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3332.txt snort-2.9.2/doc/signatures/3332.txt
--- snort-2.8.5.2/doc/signatures/3332.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3332.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3332
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3333.txt snort-2.9.2/doc/signatures/3333.txt
--- snort-2.8.5.2/doc/signatures/3333.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3333.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3333
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3334.txt snort-2.9.2/doc/signatures/3334.txt
--- snort-2.8.5.2/doc/signatures/3334.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3334.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3334 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3335.txt snort-2.9.2/doc/signatures/3335.txt --- snort-2.8.5.2/doc/signatures/3335.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3335.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3335 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3336.txt snort-2.9.2/doc/signatures/3336.txt --- snort-2.8.5.2/doc/signatures/3336.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3336.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3336 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3337.txt snort-2.9.2/doc/signatures/3337.txt --- snort-2.8.5.2/doc/signatures/3337.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3337.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3337 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3338.txt snort-2.9.2/doc/signatures/3338.txt --- snort-2.8.5.2/doc/signatures/3338.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3338.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3338 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3339.txt snort-2.9.2/doc/signatures/3339.txt --- snort-2.8.5.2/doc/signatures/3339.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3339.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3339 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/333.txt snort-2.9.2/doc/signatures/333.txt --- snort-2.8.5.2/doc/signatures/333.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/333.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,53 +0,0 @@ -Rule: - --- -Sid: -333 - --- -Summary: -This event is generated when a remote user sends a finger request to .@hostname. This may indicate an attempt to discover information about users on the system. - --- -Impact: -Information gathering. - --- -Detailed Information: -Finger is a directory service on UNIX and Linux operating systems that allows users to obtain basic information about other users, including account name, home directory, and login status. A malicious user could use the string "finger .@hostname" to obtain a list of each user on the system. This may enable the attacker to view unused or inactive accounts, which are more likely to have default passwords that are relatively easy to guess or susceptible to brute force password attempts. - --- -Affected Systems: -Any UNIX/Linux distribution with older versions of finger enabled. - --- -Attack Scenarios: -An attacker issues a finger .@host to the vulnerable server and views a list of users. The attacker then attempts to guess passwords for users with the "Never logged in" status. - --- -Ease of Attack: -Simple. - --- -False Positives: -A non-malicious user using finger to obtain a user list will cause this rule to trigger. - --- -False Negatives: -None known. - --- -Corrective Action: -Disable finger support on your servers or upgrade to a more recent version of the finger daemon. - --- -Contributors: -Original rule written by Max Vision -Sourcefire Research Team -Sourcefire Technical Publications Team -Jen Harvey - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3340.txt snort-2.9.2/doc/signatures/3340.txt --- snort-2.8.5.2/doc/signatures/3340.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3340.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3340 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3341.txt snort-2.9.2/doc/signatures/3341.txt --- snort-2.8.5.2/doc/signatures/3341.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3341.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3341 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3342.txt snort-2.9.2/doc/signatures/3342.txt --- snort-2.8.5.2/doc/signatures/3342.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3342.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3342 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3343.txt snort-2.9.2/doc/signatures/3343.txt --- snort-2.8.5.2/doc/signatures/3343.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3343.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3343 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3344.txt snort-2.9.2/doc/signatures/3344.txt --- snort-2.8.5.2/doc/signatures/3344.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3344.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3344 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3345.txt snort-2.9.2/doc/signatures/3345.txt --- snort-2.8.5.2/doc/signatures/3345.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3345.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3345 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3346.txt snort-2.9.2/doc/signatures/3346.txt --- snort-2.8.5.2/doc/signatures/3346.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3346.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3346 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3347.txt snort-2.9.2/doc/signatures/3347.txt --- snort-2.8.5.2/doc/signatures/3347.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3347.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3347 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3348.txt snort-2.9.2/doc/signatures/3348.txt --- snort-2.8.5.2/doc/signatures/3348.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3348.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3348 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3349.txt snort-2.9.2/doc/signatures/3349.txt --- snort-2.8.5.2/doc/signatures/3349.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3349.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3349 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/334.txt snort-2.9.2/doc/signatures/334.txt --- snort-2.8.5.2/doc/signatures/334.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/334.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: 334 - --- -Summary: -This event is generated when an attempt to copy a specific file to an FTP server is made. - --- - -Impact: -Serious. The attacker might gain the ability to execute commands remotely with the privileges of the affected user. - --- -Detailed Information: -This event is generated when an attempt to copy a ".forward" file to a victim host is made. A ".forward"file is used to configure email forwarding on UNIX systems. Usually it contains the email addresses where incoming email is forwarded. However, ".forward" file can also be used to forward email to programs (for example, "|IFS=' ' && exec /usr/bin/procmail -f- || exit 75 anton") and thus cause program execution triggered by arriving email messages. - -This functionality can be used to activate a backdoor or start a daemon that listens for connections on a high port, launch a terminal session on the attacker's machine or initiate a reverse shell session. - -This attack requires an established FTP session. - --- - -Attack Scenarios: -The attacker uploads a ".forward" file with commands to launch an "xterm" window on his machine into the user's home directory. Then he sends an email to the user whose ".forward" file was modified. That triggers the command in ".forward" and causes the xterm windows to be opened, providing shell access to a system with the privileges assigned to that user. - --- - -Ease of Attack: -The attack requires an access to a users home directory via FTP. This means that anonymous FTP access cannot be used for such an attack and a valid username and password is required. Additionally, the ability to upload files via FTP is required for a successful attack. - --- - -False Positives: -If the string ".forward" is contained within the filename that is being uploaded to a server or within other FTP client responses, the rule will generate an event. 
- --- -False Negatives: -None Known - --- - -Corrective Action: -Locate the uploaded ".forward" file and check it for signs of suspicious entries. - -Check the server logs for other suspicious events that might have occurred within the same FTP session - -Disallow uploading of files via FTP and use Secure Shell (SSH) for transferring files by users. - --- -Contributors: -Original rule writer Max Vision -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS319 - --- diff -Nru snort-2.8.5.2/doc/signatures/3350.txt snort-2.9.2/doc/signatures/3350.txt --- snort-2.8.5.2/doc/signatures/3350.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3350.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3350 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3351.txt snort-2.9.2/doc/signatures/3351.txt --- snort-2.8.5.2/doc/signatures/3351.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3351.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3351 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3352.txt snort-2.9.2/doc/signatures/3352.txt --- snort-2.8.5.2/doc/signatures/3352.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3352.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3352 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3353.txt snort-2.9.2/doc/signatures/3353.txt --- snort-2.8.5.2/doc/signatures/3353.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3353.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3353 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3354.txt snort-2.9.2/doc/signatures/3354.txt --- snort-2.8.5.2/doc/signatures/3354.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3354.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3354 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3355.txt snort-2.9.2/doc/signatures/3355.txt --- snort-2.8.5.2/doc/signatures/3355.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3355.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3355 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3356.txt snort-2.9.2/doc/signatures/3356.txt --- snort-2.8.5.2/doc/signatures/3356.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3356.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3356 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3357.txt snort-2.9.2/doc/signatures/3357.txt --- snort-2.8.5.2/doc/signatures/3357.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3357.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3357 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3358.txt snort-2.9.2/doc/signatures/3358.txt --- snort-2.8.5.2/doc/signatures/3358.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3358.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3358 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3359.txt snort-2.9.2/doc/signatures/3359.txt --- snort-2.8.5.2/doc/signatures/3359.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3359.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3359 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/335.txt snort-2.9.2/doc/signatures/335.txt --- snort-2.8.5.2/doc/signatures/335.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/335.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,66 +0,0 @@ -Rule: - --- -Sid: 335 - --- -Summary: -This event is generated when an attempt to copy a specific file to an FTP server is made. - --- - -Impact: -Serious. An attacker might gain the ability to remotely connect to a server via r-commands without using a password. - --- -Detailed Information: -This event is generated when an attempt to copy an ".rhosts" file to a server. An ".rhosts" file is used to configure remote access via r-commands (rlogin, rsh, rcp, rexec). - -Specifically, the file might contain IP addresses (hostnames) or usernames that are allowed to connect to a server in the following format: "hostname [username]", where either can be a "+" character, indicating all hostnames or usernames. - -The file might also contain a string "+ +" that indicates that everybody from any IP address is allowed to connect to server without using a password. The file is located in user's home directory. - --- - -Attack Scenarios: -An attacker uploads a ".hosts" file with "+ +" in it in the user's directory on the machine. He is then able to connect to a host via an "rlogin" command without entering a password, resulting in a shell session. If this is done in roots home driectory the attacker will have control of the victim host. - --- - -Ease of Attack: -The attack requires an access to any user's home directory via FTP. This means that anonymous FTP access cannot be used for such an attack and a valid username and password is required. Additionally, the ability to upload files via FTP is required for a successful attack. - --- - -False Positives: -If the string ".rhosts" is contained within the filename that is being uploaded to a server or within other FTP client responses, the rule will generate an event. - --- -False Negatives: -None Known - --- - -Corrective Action: -Locate the uploaded ".rhosts" file and check it for signs of suspicious entries. 
- -Check the server logs for other suspicious events that might have occurred within the same FTP session - -Disallow uploading of files via FTP and use Secure Shell (SSH) for transferring files by users. - -Disallow the use of r-commands for file transfer and login procedures. - --- -Contributors: -Original rule writer Max Vision -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS328 - --- diff -Nru snort-2.8.5.2/doc/signatures/3360.txt snort-2.9.2/doc/signatures/3360.txt --- snort-2.8.5.2/doc/signatures/3360.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3360.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3360 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3361.txt snort-2.9.2/doc/signatures/3361.txt --- snort-2.8.5.2/doc/signatures/3361.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3361.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3361 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3362.txt snort-2.9.2/doc/signatures/3362.txt --- snort-2.8.5.2/doc/signatures/3362.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3362.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3362 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3363.txt snort-2.9.2/doc/signatures/3363.txt --- snort-2.8.5.2/doc/signatures/3363.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3363.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3363 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3364.txt snort-2.9.2/doc/signatures/3364.txt --- snort-2.8.5.2/doc/signatures/3364.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3364.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3364 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3365.txt snort-2.9.2/doc/signatures/3365.txt --- snort-2.8.5.2/doc/signatures/3365.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3365.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3365 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3366.txt snort-2.9.2/doc/signatures/3366.txt --- snort-2.8.5.2/doc/signatures/3366.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3366.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3366 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3367.txt snort-2.9.2/doc/signatures/3367.txt --- snort-2.8.5.2/doc/signatures/3367.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3367.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3367 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3368.txt snort-2.9.2/doc/signatures/3368.txt --- snort-2.8.5.2/doc/signatures/3368.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3368.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3368 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3369.txt snort-2.9.2/doc/signatures/3369.txt --- snort-2.8.5.2/doc/signatures/3369.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3369.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3369 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/336.txt snort-2.9.2/doc/signatures/336.txt --- snort-2.8.5.2/doc/signatures/336.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/336.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: -Sid: -336 --- -Summary: -This event is generated when an attempt is made to access roots home -directory in an ftp session. - --- -Impact: -Serious. Information disclosure. - --- -Detailed Information: -An ftp command to change directories to root's home directory has been -made. If roots home directory is world readable and is within the ftp -root, the contents may be viewed or downloaded in an ftp session. - -Under normal ftp usage (by non-root users), this should never occur. - --- -Affected Systems: - --- -Attack Scenarios: -Scenario A: -1. Remote attacker has gained root password/access, or is able to access root's home directory. -2. Attacker will be able to replace important system files at their will, possibly gaining shell access as root. - -Scenario B: -1. System administrator (root) connects to the system via un-encrypted ftp. -2. An attacker, listening in on the tcp/ip traffic, gains root's password since it was transmitted in 'clear-text'. -3. The attacker can now log in as root. - -Scenario C: -1. The ~root directory is world readable. -2. Sensitive files that may exist in this directory can now be accessed by anyone. --- -Ease of Attack: -Scenario A: depends on how the attacker gained root's password -Scenario B: trivial for someone on the same network or on the route to the comprimiseable system. -Scenario C: easy. --- -False Positives: -None Known -The administrator has legitimately logged into this machine from a remote location. -Note: this still has the potential for a security breach (see Scenario B). --- -False Negatives: -None Known -Accessing other system critical directories other than ~root (for example, /etc, where passwd/shadow files are kept) could indicate the same comprimise. --- -Corrective Action: - - Dissallow ftp login for root, consider using something more secure than ftp for root file transfers. - - Make sure root's home directory is NOT world readable. 
- - Root's password may have been discovered, take apropriate action. --- -Contributors: -Original rule writer unknown -Original document author unkown -Sourcefire Vulnerability Research Team -Nigel Houghton -Snort documentation contributed by Jeremy Stashewsky - --- -Additional References: -CVE CVE-1999-0082 -RFC 959: File Transfer Protocol http://www.ietf.org/rfc/rfc959.txt - --- diff -Nru snort-2.8.5.2/doc/signatures/3370.txt snort-2.9.2/doc/signatures/3370.txt --- snort-2.8.5.2/doc/signatures/3370.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3370.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3370 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3371.txt snort-2.9.2/doc/signatures/3371.txt --- snort-2.8.5.2/doc/signatures/3371.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3371.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3371 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3372.txt snort-2.9.2/doc/signatures/3372.txt --- snort-2.8.5.2/doc/signatures/3372.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3372.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3372 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3373.txt snort-2.9.2/doc/signatures/3373.txt --- snort-2.8.5.2/doc/signatures/3373.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3373.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3373 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3374.txt snort-2.9.2/doc/signatures/3374.txt --- snort-2.8.5.2/doc/signatures/3374.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3374.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3374 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3375.txt snort-2.9.2/doc/signatures/3375.txt --- snort-2.8.5.2/doc/signatures/3375.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3375.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3375 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3376.txt snort-2.9.2/doc/signatures/3376.txt --- snort-2.8.5.2/doc/signatures/3376.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3376.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3376 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3377.txt snort-2.9.2/doc/signatures/3377.txt --- snort-2.8.5.2/doc/signatures/3377.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3377.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3377 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3378.txt snort-2.9.2/doc/signatures/3378.txt --- snort-2.8.5.2/doc/signatures/3378.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3378.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3378 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3379.txt snort-2.9.2/doc/signatures/3379.txt --- snort-2.8.5.2/doc/signatures/3379.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3379.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3379 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/337.txt snort-2.9.2/doc/signatures/337.txt --- snort-2.8.5.2/doc/signatures/337.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/337.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,56 +0,0 @@ -Rule: - --- -Sid: -337 - --- -Summary: -This event is generated when a remote attacker attempts to exploit a buffer overflow vulnerability in the IBM AIX FTP daemon. - --- -Impact: -Remote execution of arbitrary code leading to remote root compromise. - --- -Detailed Information: -The IBM AIX 4.3.x FTP daemon contains a buffer overflow vulnerability. An attacker can send an overly long string in the CEL command, causing a buffer overflow condition and allowing the attacker to execute arbitrary code. - --- -Affected Systems: -IBM AIX 4.3.x - --- -Attack Scenarios: -An attacker sends a suspiciously large amount of data to the FTP server in the CEL command, causing a buffer overflow condition. The attacker can then execute arbitrary code to obtain root privileges. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Install the patch provided by IBM. See http://www-1.ibm.com/services/continuity/recover1.nsf/MSS/ERS-SVA-E01-1999.004.1/$file/sva004.txt for an advisory and information about obtaining the patch. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Sourcefire Technical Publications Team -Jen Harvey - --- -Additional References: - -IBM -http://www-1.ibm.com/services/continuity/recover1.nsf/MSS/ERS-SVA-E01-1999.004.1/$file/sva004.txt - --- diff -Nru snort-2.8.5.2/doc/signatures/3380.txt snort-2.9.2/doc/signatures/3380.txt --- snort-2.8.5.2/doc/signatures/3380.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3380.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3380 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3381.txt snort-2.9.2/doc/signatures/3381.txt --- snort-2.8.5.2/doc/signatures/3381.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3381.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3381 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3382.txt snort-2.9.2/doc/signatures/3382.txt --- snort-2.8.5.2/doc/signatures/3382.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3382.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3382 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3383.txt snort-2.9.2/doc/signatures/3383.txt --- snort-2.8.5.2/doc/signatures/3383.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3383.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3383
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3384.txt snort-2.9.2/doc/signatures/3384.txt
--- snort-2.8.5.2/doc/signatures/3384.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3384.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3384
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3385.txt snort-2.9.2/doc/signatures/3385.txt
--- snort-2.8.5.2/doc/signatures/3385.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3385.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3385
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3386.txt snort-2.9.2/doc/signatures/3386.txt
--- snort-2.8.5.2/doc/signatures/3386.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3386.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3386
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3387.txt snort-2.9.2/doc/signatures/3387.txt
--- snort-2.8.5.2/doc/signatures/3387.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3387.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3387
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3388.txt snort-2.9.2/doc/signatures/3388.txt
--- snort-2.8.5.2/doc/signatures/3388.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3388.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3388
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3389.txt snort-2.9.2/doc/signatures/3389.txt
--- snort-2.8.5.2/doc/signatures/3389.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3389.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3389
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/338.txt snort-2.9.2/doc/signatures/338.txt
--- snort-2.8.5.2/doc/signatures/338.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/338.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-SID:
-338
---
-
-Rule:
---
-
-Summary:
-This event is generated when an attack attempt is made against an ftp
-server possibly running a vulnerable ftpd
---
-
-Impact:
-Possible remote execution of commands on the affected server as the root user
---
-
-Detailed Information:
-The Washington University ftp daemon (wu-ftpd) does not perform proper
-checking in its SITE EXEC implementation, and allows user input to be
-sent directly to printf. This allows an attacker to overwrite data and
-eventually execute code on the server.
-
---
-
-Affected Systems:
-Any system running wu-ftpd 2.6 .0 or below
---
-
-Attack Scenarios:
-A remote attacker will attempt to execute commands on the ftp server
-with root user privileges, over writing or modifying system files. This
-can be done with anonymous and real user logins.
---
-
-Ease of Attack:
-Simple, Exploits exist
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Upgrade to latest version which has fixes for this problem. Maybe even get rid of wu-ftp with something more secure
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3390.txt snort-2.9.2/doc/signatures/3390.txt
--- snort-2.8.5.2/doc/signatures/3390.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3390.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3390
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3391.txt snort-2.9.2/doc/signatures/3391.txt
--- snort-2.8.5.2/doc/signatures/3391.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3391.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3391
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3392.txt snort-2.9.2/doc/signatures/3392.txt
--- snort-2.8.5.2/doc/signatures/3392.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3392.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3392
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3393.txt snort-2.9.2/doc/signatures/3393.txt
--- snort-2.8.5.2/doc/signatures/3393.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3393.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3393
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3394.txt snort-2.9.2/doc/signatures/3394.txt
--- snort-2.8.5.2/doc/signatures/3394.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3394.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3394
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3395.txt snort-2.9.2/doc/signatures/3395.txt
--- snort-2.8.5.2/doc/signatures/3395.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3395.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3395
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3396.txt snort-2.9.2/doc/signatures/3396.txt
--- snort-2.8.5.2/doc/signatures/3396.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3396.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3396
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3397.txt snort-2.9.2/doc/signatures/3397.txt
--- snort-2.8.5.2/doc/signatures/3397.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3397.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3397
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3398.txt snort-2.9.2/doc/signatures/3398.txt
--- snort-2.8.5.2/doc/signatures/3398.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3398.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3398
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3399.txt snort-2.9.2/doc/signatures/3399.txt
--- snort-2.8.5.2/doc/signatures/3399.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3399.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3399
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/339.txt snort-2.9.2/doc/signatures/339.txt
--- snort-2.8.5.2/doc/signatures/339.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/339.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,95 +0,0 @@
-Rule:
-
---
-Sid:
-339
-
---
-Summary:
-
---
-Impact:
-Severe; This is a remote exploit that could result in a root compromise.
-
---
-Detailed Information:
-There is an off-by-one error in the replydirname() function in the BSD FTP deamon which is also present in many derivitave works. This vulnerability allows an attacker to overflow the buffer by one byte, overwriting the first byte of the return pointer on the stack.
-
---
-Affected Systems:
- BSD ftpd 0.3.2
- + Progeny Debian 1.0
- David A. Holland linux-ftpd 0.17
- + Progeny Debian 1.0
- David Madore ftpd-BSD 0.2.3
- - Caldera OpenLinux 2.2
- - Caldera OpenLinux 2.3
- - Caldera OpenLinux 2.4
- - Debian Linux 2.0
- - Debian Linux 2.1
- - Debian Linux 2.2
- - Debian Linux 2.3
- - MandrakeSoft Linux Mandrake 6.0
- - MandrakeSoft Linux Mandrake 6.1
- - MandrakeSoft Linux Mandrake 7.0
- - MandrakeSoft Linux Mandrake 7.1
- - MandrakeSoft Linux Mandrake 7.2
- - RedHat Linux 5.0
- - RedHat Linux 6.0 x
- - RedHat Linux 7.0
- - Slackware Linux 4.0
- - Slackware Linux 7.0
- - Slackware Linux 7.1
- NetBSD NetBSD 1.4
- NetBSD NetBSD 1.4.1
- NetBSD NetBSD 1.4.2
- NetBSD NetBSD 1.5
- OpenBSD 2.4
- OpenBSD 2.5
- OpenBSD 2.6
- OpenBSD 2.7
- OpenBSD 2.8
-Note: OpenBSD ships with the FTP daemon turned off, so this is not on by default.
-
---
-Attack Scenarios:
-The attacker could log into a vulnerable OpenBSD anonymous FTP server, calculate the buffer size, fill the buffer and over write the lowest byte on the base pointer with a null byte. This would result in the attacker controling that space on the stack, with full access to control the host at will.
-
---
-Ease of Attack:
-Simple; there are script versions of this exploit in the wild.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Update your machine to the latest version of OpenBSD.
If you are running OpenBSD 2.8, use the following patch: http://www.securityfocus.com/data/vulnerabilities/patches/005_ftpd.patch
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Mike Poor
-
---
-Additional References:
-
-Arachnids
-http://www.whitehats.com/info/IDS446
-
-Bugtraq
-http://www.securityfocus.com/bid/2124
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0053
-
-OpenBSD
-http://www.openbsd.org/errata28.html#ftpd
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3400.txt snort-2.9.2/doc/signatures/3400.txt
--- snort-2.8.5.2/doc/signatures/3400.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3400.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3400
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3401.txt snort-2.9.2/doc/signatures/3401.txt
--- snort-2.8.5.2/doc/signatures/3401.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3401.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3401
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3402.txt snort-2.9.2/doc/signatures/3402.txt
--- snort-2.8.5.2/doc/signatures/3402.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3402.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3402
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3403.txt snort-2.9.2/doc/signatures/3403.txt
--- snort-2.8.5.2/doc/signatures/3403.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3403.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3403
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3404.txt snort-2.9.2/doc/signatures/3404.txt
--- snort-2.8.5.2/doc/signatures/3404.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3404.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3404
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3405.txt snort-2.9.2/doc/signatures/3405.txt
--- snort-2.8.5.2/doc/signatures/3405.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3405.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3405
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3406.txt snort-2.9.2/doc/signatures/3406.txt
--- snort-2.8.5.2/doc/signatures/3406.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3406.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3406
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3407.txt snort-2.9.2/doc/signatures/3407.txt
--- snort-2.8.5.2/doc/signatures/3407.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3407.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3407
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3408.txt snort-2.9.2/doc/signatures/3408.txt
--- snort-2.8.5.2/doc/signatures/3408.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3408.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3408
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3409.txt snort-2.9.2/doc/signatures/3409.txt
--- snort-2.8.5.2/doc/signatures/3409.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3409.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3409
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3410.txt snort-2.9.2/doc/signatures/3410.txt
--- snort-2.8.5.2/doc/signatures/3410.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3410.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3410
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3411.txt snort-2.9.2/doc/signatures/3411.txt
--- snort-2.8.5.2/doc/signatures/3411.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3411.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3411
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3412.txt snort-2.9.2/doc/signatures/3412.txt
--- snort-2.8.5.2/doc/signatures/3412.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3412.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3412
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3413.txt snort-2.9.2/doc/signatures/3413.txt
--- snort-2.8.5.2/doc/signatures/3413.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3413.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3413
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3414.txt snort-2.9.2/doc/signatures/3414.txt
--- snort-2.8.5.2/doc/signatures/3414.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3414.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3414
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3415.txt snort-2.9.2/doc/signatures/3415.txt
--- snort-2.8.5.2/doc/signatures/3415.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3415.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3415
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3416.txt snort-2.9.2/doc/signatures/3416.txt
--- snort-2.8.5.2/doc/signatures/3416.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3416.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3416
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3417.txt snort-2.9.2/doc/signatures/3417.txt
--- snort-2.8.5.2/doc/signatures/3417.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3417.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3417
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3418.txt snort-2.9.2/doc/signatures/3418.txt
--- snort-2.8.5.2/doc/signatures/3418.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3418.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3418
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3419.txt snort-2.9.2/doc/signatures/3419.txt
--- snort-2.8.5.2/doc/signatures/3419.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3419.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3419
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3420.txt snort-2.9.2/doc/signatures/3420.txt
--- snort-2.8.5.2/doc/signatures/3420.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3420.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3420
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3421.txt snort-2.9.2/doc/signatures/3421.txt
--- snort-2.8.5.2/doc/signatures/3421.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3421.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3421
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3422.txt snort-2.9.2/doc/signatures/3422.txt
--- snort-2.8.5.2/doc/signatures/3422.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3422.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3422
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3423.txt snort-2.9.2/doc/signatures/3423.txt
--- snort-2.8.5.2/doc/signatures/3423.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3423.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3423
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3424.txt snort-2.9.2/doc/signatures/3424.txt
--- snort-2.8.5.2/doc/signatures/3424.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3424.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3424
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3425.txt snort-2.9.2/doc/signatures/3425.txt
--- snort-2.8.5.2/doc/signatures/3425.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3425.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3425
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3426.txt snort-2.9.2/doc/signatures/3426.txt
--- snort-2.8.5.2/doc/signatures/3426.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3426.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3426
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3427.txt snort-2.9.2/doc/signatures/3427.txt
--- snort-2.8.5.2/doc/signatures/3427.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3427.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3427
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3428.txt snort-2.9.2/doc/signatures/3428.txt
--- snort-2.8.5.2/doc/signatures/3428.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3428.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3428
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3429.txt snort-2.9.2/doc/signatures/3429.txt
--- snort-2.8.5.2/doc/signatures/3429.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3429.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3429
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/342.txt snort-2.9.2/doc/signatures/342.txt
--- snort-2.8.5.2/doc/signatures/342.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/342.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-SID:
-342
---
-
-Rule:
---
-
-Summary:
-This event is generated when an attack attempt is made against an ftp
-server possibly running a vulnerable ftpd on Solaris 8
-
---
-
-Impact:
-Possible remote execution of commands on the affected server as the root user
---
-
-Detailed Information:
-The Washington University ftp daemon (wu-ftpd) does not perform proper
-checking in its SITE EXEC implementation, and allows user input to be
-sent directly to printf. This allows an attacker to overwrite data and
-eventually execute code on the server.
-
---
-
-Affected Systems:
-Any system running wu-ftpd 2.6 .0 or below
---
-
-Attack Scenarios:
-A remote attacker will attempt to execute commands on the ftp server
-with root user privileges, over writing or modifying system files. This
-can be done with anonymous and real user logins.
---
-
-Ease of Attack:
-Simple, Exploit code exists
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Upgrade to latest version which has fixes for this problem. Maybe even get rid of wu-ftp with something more secure.
-Restrict access to ftp at the firewall to known hosts only
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3430.txt snort-2.9.2/doc/signatures/3430.txt
--- snort-2.8.5.2/doc/signatures/3430.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3430.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3430
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3431.txt snort-2.9.2/doc/signatures/3431.txt
--- snort-2.8.5.2/doc/signatures/3431.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3431.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3431
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3432.txt snort-2.9.2/doc/signatures/3432.txt
--- snort-2.8.5.2/doc/signatures/3432.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3432.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3432
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3433.txt snort-2.9.2/doc/signatures/3433.txt
--- snort-2.8.5.2/doc/signatures/3433.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3433.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3433
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3434.txt snort-2.9.2/doc/signatures/3434.txt
--- snort-2.8.5.2/doc/signatures/3434.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3434.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3434
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3435.txt snort-2.9.2/doc/signatures/3435.txt
--- snort-2.8.5.2/doc/signatures/3435.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3435.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3435 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3436.txt snort-2.9.2/doc/signatures/3436.txt --- snort-2.8.5.2/doc/signatures/3436.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3436.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3436 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3437.txt snort-2.9.2/doc/signatures/3437.txt --- snort-2.8.5.2/doc/signatures/3437.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3437.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3437 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3438.txt snort-2.9.2/doc/signatures/3438.txt --- snort-2.8.5.2/doc/signatures/3438.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3438.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3438 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3439.txt snort-2.9.2/doc/signatures/3439.txt --- snort-2.8.5.2/doc/signatures/3439.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3439.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3439 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/343.txt snort-2.9.2/doc/signatures/343.txt --- snort-2.8.5.2/doc/signatures/343.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/343.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -SID: -343 --- - -Rule: --- - -Summary: -This event is generated when an attack attempt is made against an ftp -server possibly running a vulnerable ftpd running on FreeBSD --- - -Impact: -Possible remote execution of commands on the affected server as the root user --- - -Detailed Information: -The Washington University ftp daemon (wu-ftpd) does not perform proper -checking in its SITE EXEC implementation, and allows user input to be -sent directly to printf. This allows an attacker to overwrite data and -eventually execute code on the server. - --- - -Affected Systems: -Any system running wu-ftpd 2.6 .0 or below --- - -Attack Scenarios: -A remote attacker will attempt to execute commands on the ftp server -with root user privileges, over writing or modifying system files. This -can be done with anonymous and real user logins. --- - -Ease of Attack: -Simple, Exploits exist --- - -False Positives: -None known --- - -False Negatives: -None known --- - -Corrective Action: -Upgrade to latest version which has fixes for this problem. Maybe even get rid of wu-ftp with something more secure --- - -Contributors: -Snort documentation contributed by matthew harvey -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3440.txt snort-2.9.2/doc/signatures/3440.txt --- snort-2.8.5.2/doc/signatures/3440.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3440.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3440 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3441.txt snort-2.9.2/doc/signatures/3441.txt --- snort-2.8.5.2/doc/signatures/3441.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3441.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: -3441 - --- -Summary: -This event is generated when an attempt is made to use the PORT command -in an FTP session. - --- -Impact: -Serious. Unauthorized access to the target host. Information disclosure. - --- -Detailed Information: -The PORT command can be used in an FTP PORT bounce attack to establish -a connection between the FTP server and another machine listening on -an alternative port. - -This may lead to unauthorized access to a target host listening on a -port not available from outside the protected network. - --- -Affected Systems: - Systems using FTP - --- -Attack Scenarios: -An attacker can issue a PORT command from an FTP session to connect to -another machine listening on an alternate port. For example, from an -FTP session an attacker could connect to an internal host listening on -an alternate web port meant only for internal sessions. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -CERT: -http://www.cert.org/tech_tips/ftp_port_attacks.html - --- diff -Nru snort-2.8.5.2/doc/signatures/3442.txt snort-2.9.2/doc/signatures/3442.txt --- snort-2.8.5.2/doc/signatures/3442.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3442.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -3442 - --- -Summary: -This event is generated when an attempt is made exploit a known -vulnerability in Microsoft Windows TCP/IP print services. - --- -Impact: -Serious. Denial of Service (DoS). - --- -Detailed Information: -Microsoft Windows TCP/IP print services are used to share printers -attached to Windows based machines with other UNIX based hosts. - -Microsoft Windows TCP/IP print services are vulnerable to a DoS when -processing malformed print requests. Other services may also be affected -and may need to be restarted to regain functionality should this attack -be sucessful. - --- -Affected Systems: - Microsoft Windows TCP/IP print services for Windows NT - Microsoft Windows TCP/IP print services for Windows 2000 - --- -Attack Scenarios: -An attacker can send a malformed print request to port 515 on the server -hosting the print services and cause the DoS condition. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3443.txt snort-2.9.2/doc/signatures/3443.txt --- snort-2.8.5.2/doc/signatures/3443.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3443.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,54 +0,0 @@ -Rule: - --- -Sid: -3443 - --- -Summary: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Impact: -Unknown. - --- -Detailed Information: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Affected Systems: - NA - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3444.txt snort-2.9.2/doc/signatures/3444.txt --- snort-2.8.5.2/doc/signatures/3444.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3444.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,54 +0,0 @@ -Rule: - --- -Sid: -3444 - --- -Summary: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Impact: -Unknown. - --- -Detailed Information: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Affected Systems: - NA - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3445.txt snort-2.9.2/doc/signatures/3445.txt --- snort-2.8.5.2/doc/signatures/3445.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3445.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,54 +0,0 @@ -Rule: - --- -Sid: -3445 - --- -Summary: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Impact: -Unknown. - --- -Detailed Information: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Affected Systems: - NA - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3446.txt snort-2.9.2/doc/signatures/3446.txt --- snort-2.8.5.2/doc/signatures/3446.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3446.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,54 +0,0 @@ -Rule: - --- -Sid: -3446 - --- -Summary: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Impact: -Unknown. - --- -Detailed Information: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Affected Systems: - NA - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3447.txt snort-2.9.2/doc/signatures/3447.txt --- snort-2.8.5.2/doc/signatures/3447.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3447.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,54 +0,0 @@ -Rule: - --- -Sid: -3447 - --- -Summary: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Impact: -Unknown. - --- -Detailed Information: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Affected Systems: - NA - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3448.txt snort-2.9.2/doc/signatures/3448.txt --- snort-2.8.5.2/doc/signatures/3448.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3448.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,54 +0,0 @@ -Rule: - --- -Sid: -3448 - --- -Summary: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Impact: -Unknown. - --- -Detailed Information: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Affected Systems: - NA - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3449.txt snort-2.9.2/doc/signatures/3449.txt --- snort-2.8.5.2/doc/signatures/3449.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3449.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,54 +0,0 @@ -Rule: - --- -Sid: -3449 - --- -Summary: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Impact: -Unknown. - --- -Detailed Information: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Affected Systems: - NA - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/344.txt snort-2.9.2/doc/signatures/344.txt --- snort-2.8.5.2/doc/signatures/344.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/344.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: - -344 - --- -Summary: -This event is generated when an attempt is made to exploit a -vulnerability in Wu-ftpd. - --- -Impact: - -Serious. Full system compromise is possible. - --- -Detailed Information: -Some versions of Wu-ftpd contain an exploitable vulnerability in SITE -EXEC command, which can trigger a buffer overflow enabling an attacker -to gain root privileges. Anonymous access is enough for this exploit to -work. - --- -Affected Systems: - - Any version of Linux running wu-ftpd 2.6.0 and lower - --- -Attack Scenarios: -An attacker tries to connect to the server on port 21 anonymously. Then -he creates special directories using the MKD (make directory) command, -and then change its current FTP path into them using the CWD (change -current directory) command followed by a SITE EXEC on that directory. - - --- -Ease of Attack: - -Simple. Exploit scripts are available. - --- -False Positives: - -None known. - --- -False Negatives: - -None known. - --- -Corrective Action: -Disable anonymous FTP access to your site. - -Apply the appropriate vendor supplied patches. - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Original Rule Writer Unknown -Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com) -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -CERT: -http://www.cert.org/advisories/CA-2000-13.html - --- diff -Nru snort-2.8.5.2/doc/signatures/3450.txt snort-2.9.2/doc/signatures/3450.txt --- snort-2.8.5.2/doc/signatures/3450.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3450.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,54 +0,0 @@ -Rule: - --- -Sid: -3450 - --- -Summary: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Impact: -Unknown. - --- -Detailed Information: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Affected Systems: - NA - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3451.txt snort-2.9.2/doc/signatures/3451.txt --- snort-2.8.5.2/doc/signatures/3451.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3451.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,54 +0,0 @@ -Rule: - --- -Sid: -3451 - --- -Summary: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Impact: -Unknown. - --- -Detailed Information: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Affected Systems: - NA - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3452.txt snort-2.9.2/doc/signatures/3452.txt --- snort-2.8.5.2/doc/signatures/3452.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3452.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,54 +0,0 @@ -Rule: - --- -Sid: -3452 - --- -Summary: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Impact: -Unknown. - --- -Detailed Information: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Affected Systems: - NA - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3453.txt snort-2.9.2/doc/signatures/3453.txt --- snort-2.8.5.2/doc/signatures/3453.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3453.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -3453 - --- -Summary: -This event is generated when an attempt is made to probe for -information on a host running Arkeia Client Backup server. - --- -Impact: -This may be reconnaissance to find version or operating -system information about the Arkeia Client Backup server -to later run an appropriate exploit. - --- -Detailed Information: -By default, Arkeia Client Backup servers do not require any -authentication for informational requests. An attacker who -may be planning to exploit a vulnerable version of the software -may attempt to request file or system information. - --- -Affected Systems: - Arkeia version 5.3 and prior. - --- -Attack Scenarios: -An attacker can attempt to query an Arkeia Client Backup -server for system or file information. - --- -Ease of Attack: -Simple. Exploits are publicly available. - --- -False Positives: -None known. If you run Arkeia Client Backup on your network, -make sure that your the variable $EXTERNAL_NET is configured -to reflect IP addresses outside of your network. Otherwise, -this rule will alert on valid internal traffic. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the most current non-affected version of the product. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References - -Metasploit: -http://metasploit.com/research/arkeia_agent - --- diff -Nru snort-2.8.5.2/doc/signatures/3454.txt snort-2.9.2/doc/signatures/3454.txt --- snort-2.8.5.2/doc/signatures/3454.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3454.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -3454 - --- -Summary: -This event is generated when an attempt is made to probe for -information on a host running Arkeia Client Backup server. - --- -Impact: -This may be reconnaissance to find version or operating -system information about the Arkeia Client Backup server -to later run an appropriate exploit. - --- -Detailed Information: -By default, Arkeia Client Backup servers do not require any -authentication for informational requests. An attacker who -may be planning to exploit a vulnerable version of the software -may attempt to request file or system information. - --- -Affected Systems: - Arkeia version 5.3 and prior. - --- -Attack Scenarios: -An attacker can attempt to query an Arkeia Client Backup -server for system or file information. - --- -Ease of Attack: -Simple. Exploits are publicly available. - --- -False Positives: -None known. If you run Arkeia Client Backup on your network, -make sure that your the variable $EXTERNAL_NET is configured -to reflect IP addresses outside of your network. Otherwise, -this rule will alert on valid internal traffic. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the most current non-affected version of the product. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References - -Metasploit: -http://metasploit.com/research/arkeia_agent - --- diff -Nru snort-2.8.5.2/doc/signatures/3455.txt snort-2.9.2/doc/signatures/3455.txt --- snort-2.8.5.2/doc/signatures/3455.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3455.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,57 +0,0 @@ -Rule: - --- -Sid: -3455 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Bontago Game Server. - --- -Impact: -Serious. Code execution and Denial of Service (DoS) are possible. - --- -Detailed Information: -The Bontago game server does not properly sanitize user nicknames. -Sucessful exploitation of this error may present an attacker with the -opportunity to overflow a buffer which may then lead to remote code -execution and possible DoS. - --- -Affected Systems: - Bontago Game Server 1.1 and prior - --- -Attack Scenarios: -An attacker can supply a nickname to the server that exceeds the static -buffer length assigned to handle this value. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3456.txt snort-2.9.2/doc/signatures/3456.txt --- snort-2.8.5.2/doc/signatures/3456.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3456.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: -3456 - --- - -Summary: -This event is generated when the user "root" logs in to a MySQL database from an external source. - --- -Impact: -Serious. An attacker may have gained superuser access to the system. - --- -Detailed Information: -This event is generated when someone using the name "root" logs in to a MySQL database. - -The 'root' user may have access to all databases on the system, with full privileges to add users, delete data, add information, etc. - -This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. - --- - -Attack Scenarios: -Simple. The user logs in with the username 'root', full access is then granted to that user for all databases served by the MySQL daemon. The attacker may then continue to gain sensitive information from any database in the system. - --- - -Ease of Attack: -Simple. This may be post-attack behavior and can be indicative of the successful exploitation of a vulnerable system. - --- - -False Positives: -This event may be generated by a database administrator logging in as the root user from a location outside the protected network. - --- -False Negatives: -None Known - --- - -Corrective Action: -Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise - -Look for other events generated by the same IP addresses. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/3457.txt snort-2.9.2/doc/signatures/3457.txt --- snort-2.8.5.2/doc/signatures/3457.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/3457.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-3457
-
---
-Summary:
-This event is generated when an attempt is made to exploit
-a buffer overflow associated with the Arkeia Client Backup
-server.
-
---
-Impact:
-A successful attack may cause a buffer overflow and the
-subsequent execution of arbitrary code at the privilege
-level of the vulnerable service.
-
---
-Detailed Information:
-A vulnerability exists in the Arkeia Client Backup server
-software for a type 77 request. This may cause a buffer
-overflow and the subsequent execution of arbitrary code
-on a vulnerable server. The vulnerability is caused by
-an overly long message length.
-
---
-Affected Systems:
- Arkeia version 5.3 and prior.
-
---
-Attack Scenarios:
-An attacker craft a malicious type 77 request and send
-it to a vulnerable server.
-
---
-Ease of Attack:
-Simple. Exploits are publicly available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-There can be multiple messages in one transfer. The event is generated
-on the first message only.
-
---
-Corrective Action:
-Upgrade to the most current non-affected version of the product.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
-Metasploit:
-http://metasploit.com/research/arkeia_agent
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3458.txt snort-2.9.2/doc/signatures/3458.txt
--- snort-2.8.5.2/doc/signatures/3458.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3458.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-3458
-
---
-Summary:
-This event is generated when an attempt is made to exploit
-a buffer overflow associated with the Arkeia Client Backup
-server.
-
---
-Impact:
-A successful attack may cause a buffer overflow and the
-subsequent execution of arbitrary code at the privilege
-level of the vulnerable service.
-
---
-Detailed Information:
-A vulnerability exists in the Arkeia Client Backup server
-software for a type 84 request. This may cause a buffer
-overflow and the subsequent execution of arbitrary code
-on a vulnerable server. The vulnerability is caused by
-an overly long message length.
-
---
-Affected Systems:
- Arkeia version 5.3 and prior.
-
---
-Attack Scenarios:
-An attacker craft a malicious type 84 request and send
-it to a vulnerable server.
-
---
-Ease of Attack:
-Simple. Exploits are publicly available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-There can be multiple messages in one transfer. The event is generated
-on the first message only.
-
---
-Corrective Action:
-Upgrade to the most current non-affected version of the product.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
-Metasploit:
-http://metasploit.com/research/arkeia_agent
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3459.txt snort-2.9.2/doc/signatures/3459.txt
--- snort-2.8.5.2/doc/signatures/3459.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3459.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-3459
-
---
-Summary:
-This event is generated when activity by Peer-to-Peer (p2p) clients is detected.
-
---
-Impact:
-Informational event. Unauthorized use of a p2p client may be in progress.
-
---
-Detailed Information:
-This event indicates that use of a p2p client has been detected. This
-may be against corporate policy. p2p clients connect to other p2p
-clients to share files, commonly music and video files but can be
-configured to share any file on the local machine.
-
-This activity may not only use bandwidth but may also be used to
-transfer company confidential information to unauthorized hosts external
-to the protected network bypassing other security measures in place.
-
-This rule detects activity from Manolito p2p client applications.
-
---
-Affected Systems:
- Any host using a Manolito p2p client.
-
---
-Attack Scenarios:
-This is indicative of the use of a p2p client.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Check the host and uninstall any p2p client found.
-
---
-Contributors:
-Sourcefire Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/345.txt snort-2.9.2/doc/signatures/345.txt
--- snort-2.8.5.2/doc/signatures/345.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/345.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-SID:
-345
---
-
-Rule:
---
-
-Summary:
-This event is generated when an attack attempt is made against an ftp
-server possibly running a vulnerable ftpd
---
-
-Impact:
-Possible remote execution of commands on the affected server as the root user
---
-
-Detailed Information:
-The Washington University ftp daemon (wu-ftpd) does not perform proper
-checking in its SITE EXEC implementation, and allows user input to be
-sent directly to printf. This allows an attacker to overwrite data and
-eventually execute code on the server.
-
---
-
-Affected Systems:
-Any system running wu-ftpd 2.6 .0 or below
---
-
-Attack Scenarios:
-A remote attacker will attempt to execute commands on the ftp server
-with root user privileges, over writing or modifying system files. This
-can be done with anonymous and real user logins.
---
-
-Ease of Attack:
-Simple, Exploits exist
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Upgrade to latest version which has fixes for this problem. Maybe even get rid of wu-ftp with something more secure
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3460.txt snort-2.9.2/doc/signatures/3460.txt
--- snort-2.8.5.2/doc/signatures/3460.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3460.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-3460
-
---
-Summary:
-This event is generated when a numeric argument to the REST command is
-detected.
-
---
-Impact:
-Information disclosure.
-
---
-Detailed Information:
-FTP is used to transfer files between hosts. This event is generated
-when a numeric argument to the REST command is detected.
-
-If a numeric argument is supplied to the REST command on an affected
-HP-UX system, it may be possible for an attacker to discover the
-contents of a particular memory location identified by the argument.
-This may in turn lead to the disclosure of sensitive information on the
-host.
-
---
-Affected Systems:
- HP-UX 11.0 utilizing HP-UX ftpd 1.1.214 .4
-
---
-Attack Scenarios:
-
---
-Ease of Attack:
-Simple. Exploit code is not needed but code does exist.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disallow access to FTP resources from hosts external to the protected network.
-
-Use secure shell (ssh) to transfer files as a replacement for FTP.
-
---
-Contributors:
-Sourcefire Research Team
-Alex Kirk
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3461.txt snort-2.9.2/doc/signatures/3461.txt
--- snort-2.8.5.2/doc/signatures/3461.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3461.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-3461
-
---
-Summary:
-This event is generated when an attempt is made to overflow a buffer
-using the Content-Type parameter.
-
---
-Impact:
-Serious. Code execution is possible.
-
---
-Detailed Information:
-Internet Explorer does not correctly handle Content-Type or
-Content-Encoding headers returned from a server. It is possible to
-overflow a static buffer in urlmon.dll by supplying more than 300 bytes
-of data in the parameter for those headers.
-
-Specifically the error occurs when an image tag is used to pass
-the excess data to both those header fields in a server response. Since
-some email clients use Internet Explorer to process HTML email messages,
-it is also possible to cause this overflow to occur via email.
-
---
-Affected Systems:
- Microsoft Windows systems
-
---
-Attack Scenarios:
-An attacker can supply a malicious HTML file to a mail client containing
-excess data in the Content-Type and Content-Encoding headers that will
-overflow the buffer presenting them with the opportunity to write to
-various parts of memory and possibly execute code of their choosing.
-
---
-Ease of Attack:
-Simple. Exploit code is publicly available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3462.txt snort-2.9.2/doc/signatures/3462.txt
--- snort-2.8.5.2/doc/signatures/3462.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3462.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-3462
-
---
-Summary:
-This event is generated when an attempt is made to overflow a buffer
-using the Content-Encoding parameter.
-
---
-Impact:
-Serious. Code execution is possible.
-
---
-Detailed Information:
-Internet Explorer does not correctly handle Content-Type or
-Content-Encoding headers returned from a server. It is possible to
-overflow a static buffer in urlmon.dll by supplying more than 300 bytes
-of data in the parameter for those headers.
-
-Specifically the error occurs when an image tag is used to pass
-the excess data to both those header fields in a server response. Since
-some email clients use Internet Explorer to process HTML email messages,
-it is also possible to cause this overflow to occur via email.
-
---
-Affected Systems:
- Microsoft Windows systems
-
---
-Attack Scenarios:
-An attacker can supply a malicious HTML file to a mail client containing
-excess data in the Content-Type and Content-Encoding headers that will
-overflow the buffer presenting them with the opportunity to write to
-various parts of memory and possibly execute code of their choosing.
-
---
-Ease of Attack:
-Simple. Exploit code is publicly available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3463.txt snort-2.9.2/doc/signatures/3463.txt
--- snort-2.8.5.2/doc/signatures/3463.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3463.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-3463
-
---
-Summary:
-This event is generated when an attempt is made to access the cgi script
-awstats.pl.
-
---
-Impact:
-Possible execution of system commands.
-
---
-Detailed Information:
-Adavanced Web Statistics (awstats) is used to process web server log
-files and produces reports of web server usage.
-
-Some versions of awstats do not correctly sanitize user input. This may
-present an attacker with the opportunity to supply system commands via
-the "logfile" parameter. For the attack to be sucessful the "update"
-parameter must also have the value set to "1". This event indicates that
-an attempt has been made to access the awstats.pl cgi script.
-
---
-Affected Systems:
- Awstats 6.1 and prior
-
---
-Attack Scenarios:
-An attacker can supply commands of their choosing as a value for the
-logfile parameter by enclosing the commands in pipe charecters. For
-example:
-
- http://www.foo.com/cgi-bin/awstats.pl?update=1&logfile=||
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software.
-
-Disallow access to awstats.pl as a CGI script.
-
---
-Contributors:
-Sourcefire Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3464.txt snort-2.9.2/doc/signatures/3464.txt
--- snort-2.8.5.2/doc/signatures/3464.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3464.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3464
-
---
-Summary:
-This event is generated when an attempt is made to execute system
-commands via the cgi script awstats.pl.
-
---
-Impact:
-Possible execution of system commands.
-
---
-Detailed Information:
-Adavanced Web Statistics (awstats) is used to process web server log
-files and produces reports of web server usage.
-
-Some versions of awstats do not correctly sanitize user input. This may
-present an attacker with the opportunity to supply system commands via
-the "logfile" parameter. For the attack to be sucessful the "update"
-parameter must also have the value set to "1". This event indicates that
-an attempt has been made to pass a system command as a value to the
-"logfile" parameter the awstats.pl cgi script.
-
---
-Affected Systems:
- Awstats 6.1 and prior
-
---
-Attack Scenarios:
-An attacker can supply commands of their choosing as a value for the
-logfile parameter by enclosing the commands in pipe charecters. For
-example:
-
- http://www.foo.com/cgi-bin/awstats.pl?update=1&logfile=||
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software.
-
-Disallow access to awstats.pl as a CGI script.
-
---
-Contributors:
-Sourcefire Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/3465.txt snort-2.9.2/doc/signatures/3465.txt
--- snort-2.8.5.2/doc/signatures/3465.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/3465.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-3465
-
---
-Summary:
-This event is generated when an attempt is made to access the cgi script
-show.pl.
-
---
-Impact:
-Use of script as an open proxy.
-
---
-Detailed Information:
-RiSearch is a collection of cgi scripts written in Perl to facilitate
-web site search functionality. Some versions of the script show.pl do
-not correctly sanitize user input. This may present an attacker with the
-opportunity to use the script as an open proxy server, possibly in
-attempts to execute web attacks against other systems anonymously.
-
-Specifically, it may be possible for an attacker to supply their own
-input to the "uri" parameter.
-
---
-Affected Systems:
- RiSearch 0.99.8 and prior
- RiSearch Pro 3.2.6
-
---
-Attack Scenarios:
-An attacker can supply a URI of their choosing as a value for the
-uri parameter
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/348.txt snort-2.9.2/doc/signatures/348.txt
--- snort-2.8.5.2/doc/signatures/348.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/348.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-SID:
-348
---
-
-Rule:
---
-
-Summary:
-This event is generated when an attack attempt is made against an ftp
-server possibly running a vulnerable ftpd
---
-
-Impact:
-Possible remote execution of commands on the affected server as the root user
---
-
-Detailed Information:
-The Washington University ftp daemon (wu-ftpd) does not perform proper
-checking in its SITE EXEC implementation, and allows user input to be
-sent directly to printf. This allows an attacker to overwrite data and
-eventually execute code on the server.
-
-This rule detects code from a published exploit called bobek.c
---
-
-Affected Systems:
-Any system running wu-ftpd 2.6 .0 or below
---
-
-Attack Scenarios:
-A remote attacker will attempt to execute commands on the ftp server
-with root user privileges, over writing or modifying system files. This
-can be done with anonymous and real user logins.
---
-
-Ease of Attack:
-Simple, Exploits exist
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Upgrade to latest version which has fixes for this problem. Maybe even get rid of wu-ftp with something more secure
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/349.txt snort-2.9.2/doc/signatures/349.txt
--- snort-2.8.5.2/doc/signatures/349.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/349.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-SID:
-349
---
-
-Rule:
---
-
-Summary:
-This event is generated when an attack attempt is made against an ftp
-server possibly running a vulnerable ftpd
---
-
-Impact:
-Possible execution of commands on the affected server as with elevated user privileges
---
-
-Detailed Information:
-The Washington University ftp daemon (wu-ftpd) has a problem with very
-log directory names. There is insufficent checking on directories
-created by users allowing possible insertion of data into the stack.This
-can lead to execution of code with root / elevated user privileges.
---
-
-Affected Systems:
-NcFTP Software NcFTPD 2.3.5
-Washington University wu-ftpd 2.4.2 (beta 18) VR10
-RedHat wu-ftpd 2.4.2 b18-2
-Washington University wu-ftpd 2.4.2 academ[BETA-18]
-Probably others as well, susspect anything under Washington University wu-ftpd 2.6.0 for this particular exploit.
---
-
-Attack Scenarios:
-A local attacker will attempt to create long named directories on the
-ftp server wich are not checked correctly in the server code. This can
-allow commands to be executed with elevated user privileges
---
-
-Ease of Attack:
-simple
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Upgrade to newest version of wuftpd, or replace with something more secure.
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/350.txt snort-2.9.2/doc/signatures/350.txt
--- snort-2.8.5.2/doc/signatures/350.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/350.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-SID:
-350
---
-
-Rule:
---
-
-Summary:
-This event is generated when an attack attempt is made against an ftp
-server possibly running a vulnerable ftpd
---
-
-Impact:
-Possible execution of commands on the affected server as with elevated user privileges
---
-
-Detailed Information:
-The Washington University ftp daemon (wu-ftpd) has a problem with very
-log directory names. There is insufficent checking on directories
-created by users allowing possible insertion of data into the stack.This
-can lead to execution of code with root / elevated user privileges.
---
-
-Affected Systems:
-NcFTP Software NcFTPD 2.3.5
-Washington University wu-ftpd 2.4.2 (beta 18) VR10
-RedHat wu-ftpd 2.4.2 b18-2
-Washington University wu-ftpd 2.4.2 academ[BETA-18]
-Probably others as well, susspect anything under Washington University wu-ftpd 2.6.0 for this particular exploit.
---
-
-Attack Scenarios:
-A local attacker will attempt to create long named directories on the
-ftp server wich are not checked correctly in the server code. This can
-allow commands to be executed with elevated user privileges
---
-
-Ease of Attack:
-simple, Exploit code exists
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Upgrade to newest version of wuftpd, or replace with something more secure.
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/351.txt snort-2.9.2/doc/signatures/351.txt
--- snort-2.8.5.2/doc/signatures/351.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/351.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-SID:
-351
---
-
-Rule:
---
-
-Summary:
-This event is generated when an attack attempt is made against an ftp
-server possibly running a vulnerable ftpd
---
-
-Impact:
-Possible execution of commands on the affected server as with elevated
-user privileges
---
-
-Detailed Information:
-The Washington University ftp daemon (wu-ftpd) has a problem with very
-log directory names. There is insufficent checking on directories
-created by users allowing possible insertion of data into the stack.This
-can lead to execution of code with root / elevated user privileges.
---
-
-Affected Systems:
-NcFTP Software NcFTPD 2.3.5
-Washington University wu-ftpd 2.4.2 (beta 18) VR10
-RedHat wu-ftpd 2.4.2 b18-2
-Washington University wu-ftpd 2.4.2 academ[BETA-18]
-Probably others as well, susspect anything under Washington University wu-ftpd 2.6.0 for this particular exploit.
---
-
-Attack Scenarios:
-A local attacker will attempt to create long named directories on the
-ftp server wich are not checked correctly in the server code. This can
-allow commands to be executed with elevated user privileges
---
-
-Ease of Attack:
-simple, Exploit code exists
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Upgrade to newest version of wuftpd, or replace with something more secure.
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/352.txt snort-2.9.2/doc/signatures/352.txt
--- snort-2.8.5.2/doc/signatures/352.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/352.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-SID:
-352
---
-
-Rule:
---
-
-Summary:
-This event is generated when an attack attempt is made against an ftp
-server possibly running a vulnerable ftpd
---
-
-Impact:
-Possible execution of commands on the affected server as with elevated
-user privileges
---
-
-Detailed Information:
-The Washington University ftp daemon (wu-ftpd) has a problem with very
-log directory names. There is insufficent checking on directories
-created by users allowing possible insertion of data into the stack.This
-can lead to execution of code with root / elevated user privileges.
---
-
-Affected Systems:
- NcFTP Software NcFTPD 2.3.5
- Washington University wu-ftpd 2.4.2 (beta 18) VR10 RedHat wu-ftpd 2.4.2 b18-2
- Washington University wu-ftpd 2.4.2 academ[BETA-18]
- Probably others as well, suspect anything under
- Washington University wu-ftpd 2.6.0 for this particular exploit.
---
-
-Attack Scenarios:
-A local attacker will attempt to create long named directories on the
-ftp server wich are not checked correctly in the server code. This can
-allow commands to be executed with elevated user privileges
---
-
-Ease of Attack:
-simple, Exploit code exists
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Upgrade to newest version of wuftpd, or replace with something more secure.
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/353.txt snort-2.9.2/doc/signatures/353.txt
--- snort-2.8.5.2/doc/signatures/353.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/353.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,53 +0,0 @@
-Rule:
-
---
-Sid:
-353
-
---
-Summary:
-This event is generated when a remote user attempts to anonymously log into an internal FTP server with a suspicious password, indicating that an attacker may be scanning the FTP server for vulnerabilities using the ADMhack scanning tool.
-
---
-Impact:
-Information gathering, possible unauthorized access.
-
---
-Detailed Information:
-ADMhack is a security scanner that scans for exploitable network vulnerabilities. When the scanner encounters an FTP server, it attempts to log in using "ddd@ " as a password.
-
---
-Affected Systems:
-Computers running anonymous FTP servers.
-
---
-Attack Scenarios:
-An attacker scans the network for vulnerable FTP servers using ADMhack scanner. When an FTP server is found, the tool attempts to log into the server. If vulnerabilities exist on the server, this may allow the attacker access to the FTP server in order to exploit them.
-
---
-Ease of Attack:
-Simple. ADMhack is freely available on the Internet.
-
---
-False Positives:
-If a legitimate remote anonymous user uses the same password, this rule may generate an event.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disable anonymous FTP access.
-
---
-Contributors:
-Original rule writer unknown.
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/354.txt snort-2.9.2/doc/signatures/354.txt
--- snort-2.8.5.2/doc/signatures/354.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/354.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,76 +0,0 @@
-Rule:
-
---
-
-Rule:
---
-Sid:
-354
-
---
-
-Summary:
-This event is generated when an attempt is made to login anonymously
-into an ftp server using a suspicious password (-iss@iss)
-
---
-
-Impact:
-Possible unauthorized access. Information gathering.
-
---
-
-Detailed Information:
-ISS Scanner is a security scanner which checks for common
-vulnerabilities. When it detects an open ftp server, it tries to log in
-anonymously using the password '-iss@iss'
-
---
-
-Affected Systems:
-Machines running anonymous ftp servers.
-
---
-
-Attack Scenarios:
-An attacker scans a range of IPs using the ISS Scanner, checking for
-known vulnerabilities. If the scanner encounters a ftp server, it tries
-to log in .
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-A user may be using that same password for a legitimate
-anonymous login.
-
---
-
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Disable anonymous FTP access.
-
---
-
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Chaos
-
---
-
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS331
-
---
diff -Nru snort-2.8.5.2/doc/signatures/355.txt snort-2.9.2/doc/signatures/355.txt
--- snort-2.8.5.2/doc/signatures/355.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/355.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-355
-
---
-Summary:
-This event is generated when a password of "wh00t" is used to login to an File Transfer Protocol (FTP) server.
-
---
-Impact:
-Remote root access. The attack may indicate that the FTP server has been compromised.
-
---
-Detailed Information:
-The password "wh00t" is a common backdoor password associated with a compromised root account. If this password is observed, it may indicate that the FTP server has been compromised and a backdoor root account with a password of "wh00t" has been created. Alternately, this may indicate a failed attempt of an attacker attempting to locate FTP servers compromised by others.
-
---
-Affected Systems:
-FTP servers.
-
---
-Attack Scenarios:
-An attacker may compromise a host and create a backdoor account. An attacker may attempt to locate FTP servers with a backdoor account.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-It is very remotely possible that a legitimate password of "wh00t" exists.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Examine the suspected compromised host for unauthorized changes.
-
-Make sure that the suspected compromised host has all security patches applied.
-
-Log activity to and from the suspected compromised host.
-
-Examine other systems on the network for evidence of compromise.
-
-If a compromised is discovered, reinstall the operating system.
-
---
-Contributors:
-Orignal rule written by Ron Gula
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS324
-
---
diff -Nru snort-2.8.5.2/doc/signatures/356.txt snort-2.9.2/doc/signatures/356.txt
--- snort-2.8.5.2/doc/signatures/356.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/356.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid: 356
-
---
-
-Summary:
-This event is generated when an attempt to retrieve a specific file, in this case the systems user database from an FTP server is made.
-
---
-Impact:
-Serious. The attacker may obtain a valid list of user names and/or encrypted passwords from the server.
-
---
-Detailed Information:
-This event is generated when an attempt to download a copy of the "passwd" file from the server is made.
-
-The UNIX "passwd" file (typically located in "/etc/" directory) is used to hold the authentication information for system logins. This file needs to be readable by all system users.
-
-Where shadow passwords are used, the actual encrypted passwords are stored in a separate file, only readable by root. It is possible to use various password cracking tools to obtain unencrypted passwords either by trying random character combinations, a predefined word list or a combination of public user information. The attacker may use the information contained in the passwd file to launch a dictionary attack against the victim host or other hosts the same users may have access to.
-
---
-Attack Scenarios:
-The attacker downloads a "passwd" file from a machine that does not use shadowed passwords and uses a tool like John-the-Ripper to crack the passwords used for several accounts. He then proceeds to login to the system remotely and possibly gain escalated privileges via a local exploit on the system.
-
---
-
-Ease of Attack:
-Simple. The attack usually requires FTP access to the /etc/ directory either by system misconfiguration or via a directory traversal technique. Also, in the rare circumstances the system administrator may have accidentally left a copy of a "passwd" file in a directory accessible for anonymous or other FTP users, which presents a high security risk and simplifies the attack.
-
---
-
-False Positives:
-If the string "passwd" is contained within an otherwise innocuous filename being retrieved from a server, the rule will generate an event.
-
-Also, the anonymous FTP account often has a separate password file within the chrooted anonymous FTP directory (e.g. /var/ftp/etc/passwd). This file does not usually contain valid system usernames and passwords. While technically not a false positive, this may be considered a false alarm.
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Identify the downloaded file and confirm that it indeed a valid system password file. Change the user passwords on the system and notify the users.
-
-Ensure that FTP access to sensitive system files is not allowed.
-
---
-Contributors:
-Original rule writer Max Vision
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS319
-
---
diff -Nru snort-2.8.5.2/doc/signatures/357.txt snort-2.9.2/doc/signatures/357.txt
--- snort-2.8.5.2/doc/signatures/357.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/357.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,54 +0,0 @@
-Rule:
-
---
-Sid:
-357
-
---
-Summary:
-This event is generated when activity relating to spurious ftp traffic is detected on the network.
-
---
-Impact:
-Varies from information gathering to a serious compromise of an ftp server.
-
---
-Detailed Information:
-FTP is used to transfer files between hosts. This event is indicative of spurious activity in FTP traffic between hosts.
-
-The event may be the result of a transfer of a known protected file or it could be an attempt to compromise the FTP server by overflowing a buffer in the FTP daemon or service.
-
---
-Attack Scenarios:
-A user may transfer sensitive company information to an external party using FTP.
-
-An attacker might utilize a vulnerability in an FTP daemon to gain access to a host, then upload a Trojan Horse program to gain control of that host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disallow access to FTP resources from hosts external to the protected network.
-
-Use secure shell (ssh) to transfer files as a replacement for FTP.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/358.txt snort-2.9.2/doc/signatures/358.txt
--- snort-2.8.5.2/doc/signatures/358.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/358.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-358
-
---
-
-Summary:
-This event is generated when an attempt is made to login anonymously
-into an ftp server using a suspicious password (-saint)
-
---
-
-Impact:
-Possible unauthorized access. Information gathering.
-
---
-
-Detailed Information:
-Saint is an open-source security scanner which checks for common
-vulnerabilities. When it detects an open ftp server, it tries to log in
-anonymously using the password '-saint'
-
---
-
-Affected Systems:
-Machines running anonymous ftp servers.
-
---
-
-Attack Scenarios:
-An attacker scans a range of IPs using the Saint Scanner, checking for
-known vulnerabilities. If the scanner encounters a ftp server, it tries
-to log in .
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-A user may be using that same password for a legitimate
-anonymous login.
-
---
-
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Disable anonymous FTP access.
-
---
-
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Chaos
-
---
-
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS330
-
---
diff -Nru snort-2.8.5.2/doc/signatures/359.txt snort-2.9.2/doc/signatures/359.txt
--- snort-2.8.5.2/doc/signatures/359.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/359.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-359
-
---
-
-Summary:
-This event is generated when an attempt is made to login anonymously
-into an ftp server using a suspicious password (-satan)
-
---
-
-Impact:
-Possible unauthorized access. Information gathering.
-
---
-
-Detailed Information:
-Satan is an open-source security scanner,a predecessor to Saint, which
-checks for common vulnerabilities. When it detects an open ftp server,
-it tries to log in anonymously using the password '-satan'
-
---
-
-Affected Systems:
-Machines running anonymous ftp servers.
-
---
-
-Attack Scenarios:
-An attacker scans a range of IPs using the Satan Scanner, checking for
-known vulnerabilities. If the scanner encounters a ftp server, it tries
-to log in .
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-A user may be using that same password for a legitimate
-anonymous login.
-
---
-
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Disable anonymous FTP access.
-
---
-
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Chaos
-
---
-
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS329
-
---
diff -Nru snort-2.8.5.2/doc/signatures/360.txt snort-2.9.2/doc/signatures/360.txt
--- snort-2.8.5.2/doc/signatures/360.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/360.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-360
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known vulnerability in Serv-U FTP from CatSoft.
-
---
-Impact:
-Possible theft of data and control of the targeted machine leading to a
-compromise of all resources the machine is connected to.
-
---
-Detailed Information:
-Serv-U FTP from CatSoft is an FTP server for Windows 2000, NT and 9x systems.
-
-An attacker can download and upload files on the same partition as the ftp root. The attacker can use a standard user account with write and read access to a home folder.
-
-The vulnerability appears in Catsoft Serv-U FTP Server version 2.5a-h. A Unicode support implementation error was made, which allows an attacker to submit %20..%20.. to receive a "..", which allows an attacker to traverse the directory structure of the server.
-
---
-Affected Systems:
-CatSoft Serv-U 2.4
-CatSoft Serv-U 2.5
-Note: CatSoft Serv-U 2.5i is not affected.
-
---
-Attack Scenarios:
-Any standard user can break into the system root and access any file. An attacker could also guess a login and weak password, login and use the directory traversal to gain the Serv-U FTP Server's configuration file. The configuration file can be modified to give "execute" rights, uploaded using %20. directory traversal and trojans can be installed.
-
---
-Ease of Attack:
-Simple. No exploit code is required.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Check FTP log files for signs of compromise.
-
---
-Contributors:
-Original Rule Writer Unknown
-Snort documentation contributed by Ueli Kistler,
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/361.txt snort-2.9.2/doc/signatures/361.txt
--- snort-2.8.5.2/doc/signatures/361.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/361.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-361
-
---
-Summary:
-This event is generated when a remote user executes the SITE EXEC command in a session with an internal FTP server. This may indicate an attempt to exploit a vulnerability in the SITE EXEC command in wu-ftpd version 2.4.1.
-
---
-Impact:
-Arbitrary code execution, leading to remote root compromise. The attacker must have a valid, non-anonymous FTP account on the server to attempt this exploit.
-
---
-Detailed Information:
-A misconfiguration in the pathnames.h configuration file in wu-ftpd 2.4.1 allows users to execute commands from /bin instead of ~username/bin. An attacker with a valid FTP account on the server can exploit this vulnerability to execute arbitrary shell code using the SITE EXEC command.
-
---
-Affected Systems:
-Servers running Washington University wu-ftpd version 2.4.1 or earlier.
-
---
-Attack Scenarios:
-An attacker logs into the system using a valid FTP account, and then executes arbitrary shell code to obtain root access to the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-If a legitimate remote user uses the SITE EXEC command, this rule may generate an event.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to a later version of the wu-ftp daemon.
-
---
-Contributors:
-Original rule writer unknown.
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0080
-
-CERT
-http://www.cert.org/advisories/CA-1995-16.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/362.txt snort-2.9.2/doc/signatures/362.txt
--- snort-2.8.5.2/doc/signatures/362.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/362.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid: 362
-
---
-
-Summary:
-This event is generated when an attempt to abuse an FTP servers functionality and configuration weaknesses is attempted.
-
---
-Impact:
-Serious. The attacker may have the ability to execute commands remotely within an FTP session.
-
---
-Detailed Information:
-This event is generated when an attempt to abuse the built-in archive decompression functionality of the FTP server is attempted.
-
-Some FTP servers allow the user to compress/archive files on the fly whilst they are being uploaded or downloaded. For example, the user may be able to "tar" and download an entire directory in one command simply by requesting the "directory_name.tar". Additionally, the user may be able to specify the command the "tar" archiver will use for compression (normally, "gzip", "bzip2", etc) and have an FTP server erroneously accept this command.
-
-If this command is a shell, an interactive session will be started. The string " --use-compress-program" is an indicator that such a parameter is being given to "tar" utility. The attack requires an established FTP session.
-
---
-
-Attack Scenarios:
-An FTP-only user with no shell access can connect to a server and execute a "/bin/bash" shell via this exploit. This will present the attacker with interactive access to a system.
-
---
-
-Ease of Attack:
-Simple. The attack requires an access via FTP to the target server. In the case of an anonymous FTP connection, the attack will only permit execution of software from within the chrooted anonymous FTP home.
-
-If the session is that of a regular FTP user, any binary or executable file can be executed. No special exploit software is required.
-
---
-
-False Positives:
-Highly unlikely, but the legitimate use of this functionality might trigger a false alarm
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Upgrade the FTP server software to a non-vulnerable version
-
-Restrict access to the FTP server to trusted users/IP addresses,
-
-Disallow automatic file archival
-
-Disable FTP server and use secure shell (SSH) for transferring files.
-
---
-Contributors:
-Original rule writer Max Vision
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS134
-
-Bugtraq:
-http://online.securityfocus.com/bid/2240
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0202
-
---
diff -Nru snort-2.8.5.2/doc/signatures/363.txt snort-2.9.2/doc/signatures/363.txt
--- snort-2.8.5.2/doc/signatures/363.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/363.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,78 +0,0 @@
-Rule:
-
---
-Sid:
-363
-
---
-Summary:
-This event is generated when an external server sends an ICMP IRDP router advertisement message to an internal server. This may indicate an attempt to cause a denial of service by adding spoofed router information to an IRDP-enabled host's routing table.
-
---
-Impact:
-Denial of service.
-
---
-Detailed Information:
-The ICMP Router Discovery Protocol (IRDP) is enabled by default on some Microsoft Windows and Sun Solaris operating systems. IRDP messages broadcast network routing information, and computers with IRDP enabled will store this routing information in their default routing tables. There is no way to determine whether the IRDP broadcast is authentic or spoofed, and some hosts will use the routes that appear in their local routing tables before using routes discovered via DHCP.
-
-An attacker can exploit this behavior by broadcasting IRDP messages with erroneous routing information to a target network. This will cause some IRDP-enabled hosts on that network to route traffic through the route advertised in the spoofed IRDP message. If the spoofed IRDP message contains nonexistent/inaccessible routing addresses, the target will not be able to connect to external networks, causing a denial of service. This may also facilitate man-in-the-middle attacks or interception of data by an attacker.
-
-Note that if an attacker is on the internal network, he/she can use valid routing addresses in the spoofed IRDP messages to passively monitor other machines or to perform "man-in-the-middle" attacks.
-
---
-Affected Systems:
-Microsoft Windows 95
-Microsoft Windows 98
-Microsoft Windows 98SE
-Sun Solaris 2.6
-
---
-Attack Scenarios:
-An attacker crafts spoofed IRDP broadcast messages and forwards them to a target network. If the messages are not filtered by the firewall and are broadcast to the internal network, some IRDP-enabled hosts begin routing traffic through the routes advertised in the IRDP broadcast message, which can cause a denial of service condition.
-
---
-Ease of Attack:
-Simple. A proof-of-concept exists.
-
---
-False Positives:
-This rule may generate an alert if legitimate ICMP traffic of type 9 is sent from an external server to an internal server.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-For vulnerable Windows computers, disable IRDP on the system (see http://support.microsoft.com/support/kb/articles/q216/1/41.asp).
-
-For vulnerable Solaris 2.6 computers, install the patch provided by Sun (see http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access).
-
-Use a packet filtering firewall to block ICMP type 9 packets from entering the internal network.
-
---
-Contributors:
-Original rule written by Max Vision .
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-Additional information from Anton Chuvakin
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0875
-
-Arachnids:
-http://www.whitehats.com/info/IDS174
-
-Bugtraq:
-http://www.securityfocus.com/bid/578
-
-RFC:
-http://www.cotse.com/CIE/RFC/Orig/rfc1256.txt
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/364.txt snort-2.9.2/doc/signatures/364.txt
--- snort-2.8.5.2/doc/signatures/364.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/364.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,77 +0,0 @@
-Rule:
-
---
-Sid:
-364
-
---
-Summary:
-This event is generated when an external server sends an ICMP IRDP router advertisement message to an internal server. This may indicate an attempt to cause a denial of service by adding spoofed router information to an IRDP-enabled host's routing table.
-
---
-Impact:
-Denial of service.
-
---
-Detailed Information:
-The ICMP Router Discovery Protocol (IRDP) is enabled by default on some Microsoft Windows and Sun Solaris operating systems. IRDP messages broadcast network routing information, and computers with IRDP enabled will store this routing information in their default routing tables. There is no way to determine whether the IRDP broadcast is authentic or spoofed, and some hosts will use the routes that appear in their local routing tables before using routes discovered via DHCP.
-
-An attacker can exploit this behavior by broadcasting IRDP messages with erroneous routing information to a target network. This will cause some IRDP-enabled hosts on that network to route traffic through the route advertised in the spoofed IRDP message. If the spoofed IRDP message contains nonexistent/inaccessible routing addresses, the target will not be able to connect to external networks, causing a denial of service. This may also facilitate man-in-the-middle attacks or interception of data by an attacker.
-
-Note that if an attacker is on the internal network, he/she can use valid routing addresses in the spoofed IRDP messages to passively monitor other machines or to perform "man-in-the-middle" attacks.
-
---
-Affected Systems:
-Microsoft Windows 95
-Microsoft Windows 98
-Microsoft Windows 98SE
-Sun Solaris 2.6
-
---
-Attack Scenarios:
-An attacker crafts spoofed IRDP broadcast messages and forwards them to a target network. If the messages are not filtered by the firewall and are broadcast to the internal network, some IRDP-enabled hosts begin routing traffic through the routes advertised in the IRDP broadcast message, which can cause a denial of service condition.
-
---
-Ease of Attack:
-Simple. A proof-of-concept exists.
-
---
-False Positives:
-This rule may generate an alert if legitimate ICMP traffic of type 10 is sent from an external server to an internal server.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-For vulnerable Windows computers, disable IRDP on the vulnerable system (see http://support.microsoft.com/support/kb/articles/q216/1/41.asp).
-
-For vulnerable Solaris 2.6 computers, install the patch provided by Sun (see http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access).
-
-Use a packet filtering firewall to block ICMP type 9 packets from entering the internal network.
-
---
-Contributors:
-Original rule written by Max Vision .
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-Additional information from Anton Chuvakin
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0875
-
-Arachnids:
-http://www.whitehats.com/info/IDS174
-
-Bugtraq:
-http://www.securityfocus.com/bid/578
-
-RFC:
-http://www.cotse.com/CIE/RFC/Orig/rfc1256.txt
-
---
diff -Nru snort-2.8.5.2/doc/signatures/365.txt snort-2.9.2/doc/signatures/365.txt
--- snort-2.8.5.2/doc/signatures/365.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/365.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,54 +0,0 @@
-Rule:
-
---
-Sid:
-365
-
---
-Summary:
-This event is generated when an external user pings an internal server using an echo request ICMP type. This may indicate an attempt to scan the network or cause a denial of service using a "ping flood."
-
---
-Impact:
-Possible information gathering or denial of service attempt.
-
---
-Detailed Information:
-An ICMP ping may indicate a scanning attempt, a ping flood, or a remote user attempting to see if the network responds.
-
---
-Affected Systems:
-Any system that responds to a ping request.
-
---
-Attack Scenarios:
-An attacker can use a scanner that pings a system to find out more information about the network, or the attacker can use a tool to send a large number of pings in an attempt to "flood" the network and create a denial of service condition.
-
---
-Ease of Attack:
-Simple. Scanning and ping-based DoS tools are freely available.
-
---
-False Positives:
-This rule will generate an alert if a legitimate remote user pings an internal server.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Use a packet filtering firewall to block ICMP ping packets with an ICMP type value of 8.
-
---
-Contributors:
-Original rule writer unknown.
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/366.txt snort-2.9.2/doc/signatures/366.txt
--- snort-2.8.5.2/doc/signatures/366.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/366.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-366
-
---
-Summary:
-ping is a standard networking utility that determines if a target host
-is up. This rule indicates that the ping originated from a host running
-Unix.
-
---
-Impact:
-Information Disclosure. Ping can be used as a reconnaissance tool.
-
---
-Detailed Information:
-ping sends an ICMP Echo Request packet to an IP address. If a host is
-up at that address it will reply with an ICMP Echo Reply. The reply
-includes the data portion of the echo packet. The data included in the
-Echo Request varies across different operating system implementations.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker will often ping a machine to make sure it is up before
-attacking.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-This program is also used legitimately by users and/or network
-administrators to troubleshoot problems. It is possible to emulate this
-ping signature using another ping utility.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-ICMP packets can be blocked with a packet filtering firewall.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Steven Alexander
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/368.txt snort-2.9.2/doc/signatures/368.txt
--- snort-2.8.5.2/doc/signatures/368.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/368.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-368
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a Berkeley Systems Development (BSD) host.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a host running a BSD TCP/IP networking stack such as FreeBSD, NetBSD, or OpenBSD, will contain a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS152
-
---
diff -Nru snort-2.8.5.2/doc/signatures/369.txt snort-2.9.2/doc/signatures/369.txt
--- snort-2.8.5.2/doc/signatures/369.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/369.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-369
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a BayRS Router.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a BayRS router contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-
-Original rule written by Doug@Minderhout.com
-Modified by Brian Caswell
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq
-http://www.whitehats.com/info/IDS444
-
---
diff -Nru snort-2.8.5.2/doc/signatures/370.txt snort-2.9.2/doc/signatures/370.txt
--- snort-2.8.5.2/doc/signatures/370.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/370.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-370
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a host running BeOS4.x.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a host running BeOS4.x contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS151
-
---
diff -Nru snort-2.8.5.2/doc/signatures/371.txt snort-2.9.2/doc/signatures/371.txt
--- snort-2.8.5.2/doc/signatures/371.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/371.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-Rule:
---
-Sid:
-371
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a Cisco IOS 9.x system.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a system running Cisco IOS 9.x contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS153
-
---
diff -Nru snort-2.8.5.2/doc/signatures/372.txt snort-2.9.2/doc/signatures/372.txt
--- snort-2.8.5.2/doc/signatures/372.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/372.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-372
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a Windows host running Delphi software.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows host running Delphi software contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS155
-
---
diff -Nru snort-2.8.5.2/doc/signatures/373.txt snort-2.9.2/doc/signatures/373.txt
--- snort-2.8.5.2/doc/signatures/373.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/373.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-373
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a Flowpoint 2200 DSL router.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Flowpoint 2200 DSL router contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS156
-
---
diff -Nru snort-2.8.5.2/doc/signatures/374.txt snort-2.9.2/doc/signatures/374.txt
--- snort-2.8.5.2/doc/signatures/374.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/374.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-374
-
---
-
-Summary:
-This event is generated when an ICMP echo request is made from a MacIntosh host running IPNetMonitor.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a MacIntosh host running IPNetMonitor contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS157
-
---
diff -Nru snort-2.8.5.2/doc/signatures/375.txt snort-2.9.2/doc/signatures/375.txt
--- snort-2.8.5.2/doc/signatures/375.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/375.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-375
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a Linux or Berkeley Systems Development (BSD) host running the reconnaissance tool SING.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a host running Linux or BSD using the SING reconnaissance tool contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Ofir Arkin < ofir@sys-security.com>
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS447
-
---
diff -Nru snort-2.8.5.2/doc/signatures/376.txt snort-2.9.2/doc/signatures/376.txt
--- snort-2.8.5.2/doc/signatures/376.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/376.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-Rule:
---
-
-Sid:
-376
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a Windows host.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows host contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS159
-
---
diff -Nru snort-2.8.5.2/doc/signatures/377.txt snort-2.9.2/doc/signatures/377.txt
--- snort-2.8.5.2/doc/signatures/377.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/377.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-377
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a Windows host running Network Toolbox 3 software.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows host running Network Toolbox 3 software contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS161
-
---
diff -Nru snort-2.8.5.2/doc/signatures/378.txt snort-2.9.2/doc/signatures/378.txt
--- snort-2.8.5.2/doc/signatures/378.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/378.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-378
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a Windows host running Ping-O-Meter software.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows host running Ping-O-Meter software contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS164
-
---
diff -Nru snort-2.8.5.2/doc/signatures/379.txt snort-2.9.2/doc/signatures/379.txt
--- snort-2.8.5.2/doc/signatures/379.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/379.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-379
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a Windows host running "pinger" software.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows host running "pinger" software contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS165
-
---
diff -Nru snort-2.8.5.2/doc/signatures/380.txt snort-2.9.2/doc/signatures/380.txt
--- snort-2.8.5.2/doc/signatures/380.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/380.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-Rule:
-
---
-Sid:
-380
-
-Summary:
-This event is generated when an ICMP echo request is made from a Windows host running "Seer" software.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows host running "Seer" software contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS166
-
---
diff -Nru snort-2.8.5.2/doc/signatures/381.txt snort-2.9.2/doc/signatures/381.txt
--- snort-2.8.5.2/doc/signatures/381.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/381.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-381
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a Solaris host running SING software.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Solaris host running SING software contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS448
-
---
diff -Nru snort-2.8.5.2/doc/signatures/382.txt snort-2.9.2/doc/signatures/382.txt
--- snort-2.8.5.2/doc/signatures/382.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/382.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-382
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a Windows 9x or 2000 host.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows 9x or 2000 host contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS169
-
---
diff -Nru snort-2.8.5.2/doc/signatures/384.txt snort-2.9.2/doc/signatures/384.txt
--- snort-2.8.5.2/doc/signatures/384.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/384.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,53 +0,0 @@
-Rule:
-
---
-Sid:
-384
-
---
-Summary:
-This event is generated when an generic ICMP echo request is made.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. This rule alerts on a generic ICMP request where no payload is included in the message or the payload does not match more specific rules.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/385.txt snort-2.9.2/doc/signatures/385.txt
--- snort-2.8.5.2/doc/signatures/385.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/385.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-385
-
---
-Summary:
-This event is generated when a Windows traceroute (tracert) is detected.
-
---
-Impact:
-Information gathering. A traceroute can be used to discover live hosts and network topologies.
-
---
-Detailed Information:
-A Windows traceroute command uses an ICMP echo request with a lower than normal Time to Live (TTL) value to identify live hosts and network topolgies. The TTL value is manipulated by the sending host to discover all routers traversed from the source host to the destination host. Eventually, a TTL value of 1 is observed, which elicits an ICMP error message of time exceeded in-transit. A router sends this ICMP error message to the host running traceroute. The traceroute host will record this as a router and continue to incrementally manipulate the TTL until the destination host is reached.
-
-Additionally There are at least three different implementations of
-traceroute. In one implementation traceroute works by sending an ICMP
-Echo Request packet to a destination host with a TTL value of 1. If the
-host is more than one hop away, the first route that receives the back
-will send back an ICMP packet indicating that the TTL was exceeded. The
-address of this router is then listed as the first hop. The packet is
-then sent out again with a TTL of 2. This continues until the
-destination host is able to reply or some maximum TTL value is reached.
-
-The other two implementations use the same TTL-based concept with an
-ICMP type of 30(traceroute) or with an UDP packet destined for an
-ephemeral port.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may use a traceroute to discover live hosts and routers on a target network in preparation for an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-The traceroute command may be used to legitimately troubleshoot networking problems.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Judy Novak
-Nigel Houghton
-Snort documentation contributed by by Steven Alexander
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS118
-
---
diff -Nru snort-2.8.5.2/doc/signatures/386.txt snort-2.9.2/doc/signatures/386.txt
--- snort-2.8.5.2/doc/signatures/386.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/386.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-386
-
---
-Summary:
-This event is generated when an internal server replies to an external request for network subnet mask information, which may allow an attacker to learn information about the network for use in later attacks.
-
---
-Impact:
-Information gathering.
-
---
-Detailed Information:
-If an attacker sends an ICMP request to an internal server for address mask information (SID 388 should trigger when this activity is seen), an internal server may reply with subnet mask information. This can provide an attacker with information about subnet mask configuration that can be useful for future attacks.
-
---
-Affected Systems:
-Any system that responds to ICMP address mask requests.
-
---
-Attack Scenarios:
-An attacker can send an ICMP request for subnet mask information to the internal network. The server replies, providing the attacker with information about network subnet configuration.
-
---
-Ease of Attack:
-Simple. Tools that use this method of information gathering are freely available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Use a packet filtering firewall that restricts ICMP type 17 (address mask requests) from entering the protected network, and restricts ICMP type 18 packets (address mask replies) from exiting the protected network.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0524
-
-ArachNIDS
-http://www.whitehats.com/cgi/arachNIDS/Show?_id=ids216
-
---
diff -Nru snort-2.8.5.2/doc/signatures/387.txt snort-2.9.2/doc/signatures/387.txt
--- snort-2.8.5.2/doc/signatures/387.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/387.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-387
-
---
-Summary:
-This event is generated when an internal server replies to an external request for network subnet mask information, which may allow an attacker to learn information about the network for use in later attacks.
-
---
-Impact:
-Information gathering.
-
---
-Detailed Information:
-If an attacker sends an ICMP request to an internal server for address mask information (SID 389 should trigger when this activity is seen), an internal server may reply with subnet mask information. This can provide an attacker with information about subnet mask configuration that can be useful for future attacks.
-
---
-Affected Systems:
-Any system that responds to ICMP address mask requests.
-
---
-Attack Scenarios:
-An attacker can send an ICMP request for subnet mask information to the internal network. The server replies, providing the attacker with information about network subnet configuration.
-
---
-Ease of Attack:
-Simple. Tools that use this method of information gathering are freely available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Use a packet filtering firewall that restricts ICMP type 17 (address mask requests) from entering the protected network, and restricts ICMP type 18 packets (address mask replies) from exiting the protected network.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0524
-
-ArachNIDS
-http://www.whitehats.com/cgi/arachNIDS/Show?_id=ids216
-
---
diff -Nru snort-2.8.5.2/doc/signatures/388.txt snort-2.9.2/doc/signatures/388.txt
--- snort-2.8.5.2/doc/signatures/388.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/388.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-Rule:
-
---
-
-Sid:
-388
-
---
-
-Summary:
-This event is generated when an ICMP Address Mask Request message is found on the network. ICMP Address Mask Requests are used for automatically determining the 32-bit subnet mask for the network.
-
---
-
-Impact:
-Attacks may use an ICMP address Mask Request to determine the subnet mask of the network. This information can be used to help develope a network diagram in lue of more focused attacks.
---
-
-Detailed Information:
-ICMP Address Mask Requests are defined in RFC 950 as the third method hosts may support for determing the address mask correspoding to its IP address. In most implementations this method is not supported, and should not be normal traffic on most networks.
-
---
-
-Attack Scenarios:
-Attackers may use this ICMP Type to gather information about the subnet masks of a given network.
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate ICMP Address Mask Requests.
---
-
-False Positives:
-Legitimate uses of ICMP Address Mask Requests exist. Some hosts my implement this method as the final fall back option after static configuration and dynamic address mask configuration has failed.
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-ICMP Type 17 should be blocked at the upstream firewall. This type of ICMP request should never originate from a host outside of the protected network.
---
-
-Contributors:
-Original Rule wirter unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/389.txt snort-2.9.2/doc/signatures/389.txt
--- snort-2.8.5.2/doc/signatures/389.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/389.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-Rule:
-
---
-
-Sid:
-389
-
---
-
-Summary:
-This event is generated when an ICMP Address Mask Request message is found on the network with an invalid ICMP Code. ICMP Address Mask Requests are used for automatically determining the 32-bit subnet mask for the network. RFC 950 definesthe Code for ICMP Type 17 datagram to be 0, if this field is not 0 it could be an indication of an attack attempt.
-
---
-
-Impact:
-Attacks may use an ICMP address Mask Request to determine the subnet mask of the network. This information can be used to help develope a network diagram in lue of more focused attacks.
---
-
-Detailed Information:
-ICMP Address Mask Requests are defined in RFC 950 as the third method hosts may support for determing the address mask correspoding to its IP address. In most implementations this method is not supported, and should not be normal traffic on most networks.
-
---
-
-Attack Scenarios:
-Attackers may use this ICMP Type to gather information about the subnet masks of a given network subnet.
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate ICMP Address Mask Requests.
---
-
-False Positives:
-None known. ICMP Type 17 datagrams should never be generated with a code other than 0.
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-ICMP Type 17 should be blocked at the upstream firewall. This type of ICMP request should never originate from a host outside of the protected network.
---
-
-Contributors:
-Original Rule wirter unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/390.txt snort-2.9.2/doc/signatures/390.txt
--- snort-2.8.5.2/doc/signatures/390.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/390.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-390
-
---
-
-Summary:
-This event is generated when an ICMP Alternate Host Address datagram is detected on the network. This ICMP Type is not documented in an RFC, but may be implemented by routing equipment to direct hosts to the correct IP address or neighboring hosts.
-
---
-
-Impact:
-This ICMP Type is not implemented in most standard operating systems and is a potential indication of information gathering activities.
-
---
-
-Detailed Information:
-ICMP Type 6 (Alternate Host Address) is not defined in an RFC and should not be considered legitimate network traffic.
-
---
-
-Attack Scenarios:
-Attackers may use this ICMP Type to gather information about the network.
---
-
-Ease of Attack:
-Numerous tools and scripts can generate ICMP Alternate Host Address datagrams.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
-
---
-
-Corrective Action:
-ICMP Type 6 datagrams should be blocked at the firewall.
-
---
-
-Contributors:
-Original Rule wirter unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/391.txt snort-2.9.2/doc/signatures/391.txt
--- snort-2.8.5.2/doc/signatures/391.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/391.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-391
-
---
-
-Summary:
-This event is generated when an ICMP Alternate Host Address datagram is detected on the network with an invalid ICMP code. This ICMP Type is not documented in an RFC, but may be implemented by routing equipment to direct hosts to the correct IP address of neighboring hosts.
-
---
-
-Impact:
-This ICMP Type is not implemented in most standard operating systems and is a potential indication of information gathering activities.
-
---
-
-Detailed Information:
-ICMP Type 6 (Alternate Host Address) is not defined in an RFC and should not be considered legitimate network traffic.
-
---
-
-Attack Scenarios:
-Attackers may use this ICMP Type to gather information about the network.
---
-
-Ease of Attack:
-Numerous tools and scripts can generate ICMP Alternate Host Address datagrams with invalid ICMP codes.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
-
---
-
-Corrective Action:
-ICMP Type 6 datagrams should be blocked at the firewall.
-
---
-
-Contributors:
-Original Rule wirter unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/392.txt snort-2.9.2/doc/signatures/392.txt
--- snort-2.8.5.2/doc/signatures/392.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/392.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-392
-
---
-
-Summary:
-This event is generated when an ICMP Datagram Conversion Error message is detected on the network. ICMP Datagram Conversion Error messages were developed with the introduction of IPv6 to give information about invalid datagram conversions between IPv4 and IPv6.
-
---
-
-Impact:
-No known attack vectors are known that use ICMP type 31 datagrams. This is purely an informational message that detects errors on the network.
-
---
-
-Detailed Information:
-ICMP Type 31 was developed to return information about datagram conversion errors between IPv4 and IPv6 as data is converted between them.
-
---
-
-Attack Scenarios:
-None known
---
-
-Ease of Attack:
-Numerous tools and scripts can generate ICMP Datagram Conversion Error messages.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
-
---
-
-Corrective Action:
-ICMP Type 31 datagrams should be blocked at the firewall.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/393.txt snort-2.9.2/doc/signatures/393.txt
--- snort-2.8.5.2/doc/signatures/393.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/393.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-393
-
---
-
-Summary:
-This event is generated when an ICMP Datagram Conversion Error message is detected on the network with an invalid ICMP code. ICMP Datagram Conversion Error messages were developed with the introduction of IPv6 to give information about invalid datagram conversions between IPv4 and IPv6.
-
---
-
-Impact:
-No known attack vectors are known that use ICMP type 31 datagrams. This is purely an informational message that detects errors on the network. Only ICMP Codes 0 through 11 have been defined by IANA, ICMP Type 31 datagrams with ICMP Codes other than these values are invalid.
-
---
-
-Detailed Information:
-ICMP Type 31 was developed to return information about datagram conversion errors between IPv4 and IPv6 as data is converted between them.
-
---
-
-Attack Scenarios:
-None known
---
-
-Ease of Attack:
-Numerous tools and scripts can generate ICMP Datagram Conversion Error messages.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
-
---
-
-Corrective Action:
-ICMP Type 31 datagrams should be blocked at the firewall.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/394.txt snort-2.9.2/doc/signatures/394.txt
--- snort-2.8.5.2/doc/signatures/394.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/394.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-394
-
---
-
-Summary:
-This event is generated when an ICMP Destination Host Unknown datagram is detected on the network. Gateway devices normally generate these ICMP messages when the destination's IP address is unreachable.
-
---
-
-Impact:
-This rule generates informational events about the network. Large numbers of these messages on the network could indication routing problems or faulty routing devices.
-
---
-
-Detailed Information:
-This ICMP message will be generated when the destination host specified in the datagram is unreachable.
-
---
-
-Attack Scenarios:
-None Known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagrams.
-
---
-
-False Positives:
-None Known
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-This rule detects informational network information, no correct action is necessary.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/395.txt snort-2.9.2/doc/signatures/395.txt
--- snort-2.8.5.2/doc/signatures/395.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/395.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-
-Sid:
-395
-
---
-
-Summary:
-This event is generated when an ICMP Destination Network Unknown datagram is detected on the network. Gateway devices normally generate these ICMP messages when the destination network is unreachable.
-
---
-
-Impact:
-This ICMP message will be generated when the destination network specified in the datagram is unreachable.
-
---
-
-Detailed Information:
-This rule generates informational events about the network. Large numbers of these messages on the network could indication routing problems or faulty routing
-devices.
-
---
-
-Attack Scenarios:
-None Known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate these types of ICMP datagrams.
-
---
-
-False Positives:
-None Known
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-This rule detects informational network information, no correct action is necessary.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/396.txt snort-2.9.2/doc/signatures/396.txt
--- snort-2.8.5.2/doc/signatures/396.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/396.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-396
-
---
-
-Summary:
-This event is generated when an ICMP Destination Unreachable Fragmentation Needed datagram is detected on the network. Gateway devices normally generate these ICMP messages when the destination network requires fragmentation before the datagram can be forwarded by a gateway.
-
---
-
-Impact:
-This ICMP message will be generated when the destination network specified in the datagram requires fragmentation and the DF bit is set on the datagram. This could be an indication of improperly configured network hosts.
-
---
-
-Detailed Information:
-This rule generates informational events about the network. Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
-
---
-
-Attack Scenarios:
-None Known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate these types of ICMP datagrams.
-
---
-
-False Positives:
-None Known
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-This rule detects informational network information, no corrective action is necessary.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/397.txt snort-2.9.2/doc/signatures/397.txt
--- snort-2.8.5.2/doc/signatures/397.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/397.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-397
-
---
-
-Summary:
-This event is generated when An ICMP Host Precedence Violation is sent by the first hop router to a host to indicate that a requested precedence is not permitted for the particular combination of source and destination host, network destination, upper layer protocol, or source/destination port.
-
---
-
-Impact:
-Routers will generate this message when the requested precedent is not permitted to transverse the network. This could be an indication of an improperly configured routing device or a improperly configured host on the network.
-
---
-
-Detailed Information:
-This rule generates informational events about the network. Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
-
---
-
-Attack Scenarios:
-None Known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate these types of ICMP datagrams.
-
---
-
-False Positives:
-None Known
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-This rule detects informational network information, no corrective action is necessary.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/398.txt snort-2.9.2/doc/signatures/398.txt
--- snort-2.8.5.2/doc/signatures/398.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/398.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-398
-
---
-
-Summary:
-This event is generated when An ICMP Host Unreachable for Type of Server datagram is detected on the network.
-
---
-
-Impact:
-Routers will generate this message when the requested TOS (Type of Service) is not permitted to transverse the network. This could be an indication of an improperly configured routing device or a improperly configured host on the network.
-
---
-
-Detailed Information:
-This rule generates informational events about the network. Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
-
---
-
-Attack Scenarios:
-None Known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate these types of ICMP datagrams.
-
---
-
-False Positives:
-None Known
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-This rule detects informational network information, no corrective action is necessary.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/399.txt snort-2.9.2/doc/signatures/399.txt
--- snort-2.8.5.2/doc/signatures/399.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/399.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-399
-
---
-
-Summary:
-This event is generated when An ICMP Host Unreachable datagram is detected on the network.
-
---
-
-Impact:
-Routers will generate this message when the route to the destination host on a directly connected network is not available. This occurs when no ARP response is received from the destination network.
-
---
-
-Detailed Information:
-This rule generates informational events about the network. Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
-
---
-
-Attack Scenarios:
-None Known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate these types of ICMP datagrams.
-
---
-
-False Positives:
-None Known
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-This rule detects informational network information, no corrective action is necessary.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/400.txt snort-2.9.2/doc/signatures/400.txt
--- snort-2.8.5.2/doc/signatures/400.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/400.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-400
-
---
-
-Summary:
-This event is generated when An ICMP Network Unreachable For Type Of Service datagram is detected on the network.
-
---
-
-Impact:
-Routers will generate this message when the route to the destination network does not support the Type of Service requested in the datagram or the default TOS. This could be an indication or routing problems or excessive packet loss.
-
---
-
-Detailed Information:
-This rule generates informational events about the network. Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
-
---
-
-Attack Scenarios:
-None Known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate these types of ICMP datagrams.
-
---
-
-False Positives:
-None Known
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-This rule detects informational network information, no corrective action is necessary.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/401.txt snort-2.9.2/doc/signatures/401.txt
--- snort-2.8.5.2/doc/signatures/401.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/401.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-401
-
---
-
-Summary:
-This event is generated when An ICMP Network Unreachable datagram is detected on the network.
-
---
-
-Impact:
-Routers will generate this message when the route to the destination network is not available. This could be an indication of routing problems on the network.
-
---
-
-Detailed Information:
-This rule generates informational events about the network. Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
-
---
-
-Attack Scenarios:
-None Known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate these types of ICMP datagrams.
-
---
-
-False Positives:
-None Known
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-This rule detects informational network information, no corrective action is necessary.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/402.txt snort-2.9.2/doc/signatures/402.txt
--- snort-2.8.5.2/doc/signatures/402.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/402.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-402
-
---
-Summary:
-This event is generated when an ICMP Port Unreachable message was detected.
-
---
-Impact:
-Unknown.
-
---
-Detailed Information:
-An ICMP Port Unreachable is not an attack, but may indicate that the source
-of the packet was the target of a scan or other malicious activity.
-
-An ICMP Port Unreachable (ICMP type 3 code 3) indicates that someone or
-something tried to connect to a port on a system that was not available
-(i.e., no service was running on that port).
-
-This is analagous to RST packets in TCP. Since UDP does not have an
-equivalent, it relies upon ICMP Port Unreachable for this. This often
-indicates someone was scanning for UDP services.
-
---
-Affected Systems:
- All systems
-
---
-Attack Scenarios:
-An attacker may use a port scanner to determine possible attack vectors
-as a prelude to a directed attack against a system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-This kind of packet is common on networks, and may be generated by simple
-misconfigurations on either the source or destination, or service outage.
-
---
-False Negatives:
-Not all operating systems will respond with ICMP Port Unreachable
-messages when no service is running.
-
---
-Corrective Action:
-Examine the activity of the recipient of this packet to see if the
-recipient was responsible for scanning or other behavior.
-
---
-Contributors:
-Original rule writer unknown
-Original document author unkown
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-References:
-
-RFC 792:
-http://www.faqs.org/rfcs/rfc792.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/403.txt snort-2.9.2/doc/signatures/403.txt
--- snort-2.8.5.2/doc/signatures/403.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/403.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-403
-
---
-
-Summary:
-This event is generated when An ICMP Precedence Cutoff In Effect datagram is detected on the network.
-
---
-
-Impact:
-Routers will generate this message when a minimum precedence level has been configured for the network. This could be an indication of improperly configured routing equipment or network host.
-
---
-
-Detailed Information:
-This rule generates informational events about the network. Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
-
---
-
-Attack Scenarios:
-None Known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate these types of ICMP datagrams.
-
---
-
-False Positives:
-None Known
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-This rule detects informational network information, no corrective action is necessary.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/404.txt snort-2.9.2/doc/signatures/404.txt
--- snort-2.8.5.2/doc/signatures/404.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/404.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-404
-
---
-
-Summary:
-This event is generated when An ICMP Protocol Unreachable datagram is detected on the network.
-
---
-
-Impact:
-This could be an indication of improperly configured routing equipment or network host.
-
---
-
-Detailed Information:
-This rule generates informational events about the network. Routers will generate this message when the transport protocol designated in the datagram is not supported in the transport layer of the final destination. Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
-
---
-
-Attack Scenarios:
-None Known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate these types of ICMP datagrams.
-
---
-
-False Positives:
-None Known
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-This rule detects informational network information, no corrective action is necessary.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/405.txt snort-2.9.2/doc/signatures/405.txt
--- snort-2.8.5.2/doc/signatures/405.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/405.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-405
-
---
-
-Summary:
-This event is generated when An ICMP Source Host Isolated datagram is detected on the network.
-
---
-
-Impact:
-This is an indication of improperly configured routing equipment or network host. RFC 1812 indicates that ICMP Type 3 ICMP Code 8 messages should never be generated.
-
---
-
-Detailed Information:
-This rule generates informational events about the network. Routers should never generate ICMP Type 11 Code 8 as they are in violation of RFC1812. Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
-
---
-
-Attack Scenarios:
-None Known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate these types of ICMP datagrams.
-
---
-
-False Positives:
-None Known
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-This rule detects informational network information, no corrective action is necessary.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/406.txt snort-2.9.2/doc/signatures/406.txt
--- snort-2.8.5.2/doc/signatures/406.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/406.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-406
-
---
-
-Summary:
-This event is generated when An ICMP Source Route Failed datagram is detected on the network.
-
---
-
-Impact:
-The datagram that generated with ICMP datagram failed to transverse the network. This could be an indication of routing or network problems.
-
---
-
-Detailed Information:
-This rule generates informational events about the network. Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
-
---
-
-Attack Scenarios:
-None Known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate these types of ICMP datagrams.
-
---
-
-False Positives:
-None Known
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-This rule detects informational network information, no corrective action is necessary.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/407.txt snort-2.9.2/doc/signatures/407.txt
--- snort-2.8.5.2/doc/signatures/407.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/407.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-407
-
---
-
-Summary:
-This event is generated when An ICMP Destination Unreachable datagram is detected on the network with an undefined ICMP Code.
-
---
-
-Impact:
-ICMP Codes for Destination Unreachable datagrams are defined in RFC 792 and RFC 1812. The datagram that generated this event is not defined in either of these RFCs. This could be an indication of a DoS (Denial of Service) attempt against the network.
-
---
-
-Detailed Information:
-This rule generates informational events about the network. Large numbers of these messages on the network could indication routing problems, faulty routing devices, improperly configured hosts, or an attempted DoS.
-
---
-
-Attack Scenarios:
-Invalid or undefined ICMP codes should never be seen in normal network conditions. A remote attacker could be generating these packets in an attempt to cause an DoS.
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate these types of ICMP datagrams.
-
---
-
-False Positives:
-None Known
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-This rule detects informational network information, no corrective action is necessary.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/408.txt snort-2.9.2/doc/signatures/408.txt
--- snort-2.8.5.2/doc/signatures/408.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/408.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-408
-
---
-
-Summary:
-This event is generated when a network host generates an ICMP Echo Reply in response to an ICMP Echo Request message.
-
---
-
-Impact:
-Information-gathering. An ICMP Echo Reply message is sent in response to an ICMP REcho Request message. If the ICMP Echo Reply message reaches the requesting host it indicates that the replying host is alive.
-
---
-
-Detailed Information:
-ICMP Type 0 Code 0 is the RFC defined messaging type for ICMP Echo Reply datagrams. This type of message is used to determine if a host is active on the network.
-
---
-
-Attack Scenarios:
-A remote attacker may use ICMP Echo Request datagrams to determine active hosts on the network in prelude of further attacks.
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Use ingress filtering to prevent ICMP Type 0 Code 8 messages from entering the network.
-
---
-
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/409.txt snort-2.9.2/doc/signatures/409.txt
--- snort-2.8.5.2/doc/signatures/409.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/409.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-409
-
---
-
-Summary:
-This event is generated when a network host generates an ICMP Echo Reply with an invalid or undefined ICMP Code.
-
---
-
-Impact:
-Information-gathering. An ICMP Echo Reply message is sent in response to an ICMP Echo Request message. If the ICMP Echo Reply message reaches the requesting host it indicates that the replying host is alive. Most OS's (operating systems) will accept an ICMP Echo Reply message with an invalid or undefined ICMP code set as a valid ICMP Echo Reply.
-
---
-
-Detailed Information:
-ICMP Type 0 Code 0 is the RFC defined messaging type for ICMP Echo Reply datagrams. This type of message is used to determine if a host is active on the network.
-
---
-
-Attack Scenarios:
-Remote attackers my generate ICMP Echo Reply datagrams with invalid ICMP Codes in an attempt to cause faults in the applications or hosts generating ICMP Echo Requests.
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Use ingress filtering to prevent ICMP Type 0 messages from entering the network.
-
---
-
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/410.txt snort-2.9.2/doc/signatures/410.txt
--- snort-2.8.5.2/doc/signatures/410.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/410.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-410
-
---
-
-Summary:
-This event is generated when a network host generates an ICMP Fragment Reassembly Time Exceeded message.
-
---
-
-Impact:
-This could be an indication of an improperly configured routing device or networked host.
-
---
-
-Detailed Information:
-ICMP Type 11 Code 1 is the RFC defined messaging type for ICMP Fragment Reassembly Time exceeded datagrams. If a host fails to reassemble a fragmented datagram before the TTL of the datagram is expires an ICMP Fragment Reassembly Time Exceeded datagram is generated.
-
---
-
-Attack Scenarios:
-None known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Fragment reassembly Time Exceeded messages are normally and indication of improperly configured hosts or routing equipment. The configurations of the devices causing these ICMP datagrams to be created should be checked for errors.
-
---
-
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/411.txt snort-2.9.2/doc/signatures/411.txt
--- snort-2.8.5.2/doc/signatures/411.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/411.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-411
-
---
-
-Summary:
-This event is generated when a network host generates an ICMP IPV6 I-Am-Here datagram.
-
---
-
-Impact:
-ICMP Type 34 datagrams are not expected network traffic. Hosts generating ICMP Type 34 datagrams should be investigated for hostile activity.
-
---
-
-Detailed Information:
-ICMP Type 34 is an undocumented extension to RFC 1812 and RFC 792. Its current use it not defined by an approved RFC.
-
---
-
-Attack Scenarios:
-None known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Hosts generating ICMP Type 34 datagrams should be investigated for hostile activity.
-
---
-
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/412.txt snort-2.9.2/doc/signatures/412.txt
--- snort-2.8.5.2/doc/signatures/412.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/412.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-412
-
---
-
-Summary:
-This event is generated when a network host generates an ICMP IPV6 I-Am-Here datagram with an undefined ICMP code.
-
---
-
-Impact:
-ICMP Type 34 datagrams are not expected network traffic. Hosts generating ICMP Type 34 datagrams should be investigated for hostile activity.
-
---
-
-Detailed Information:
-ICMP Type 34 is an undocumented extension to RFC 1812 and RFC 792. Its current use it not defined by an approved RFC.
-
---
-
-Attack Scenarios:
-None known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Hosts generating ICMP Type 34 datagrams should be investigated for hostile activity.
-
---
-
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/413.txt snort-2.9.2/doc/signatures/413.txt
--- snort-2.8.5.2/doc/signatures/413.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/413.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-413
-
---
-
-Summary:
-This event is generated when a network host generates an ICMP IPV6 Where-Are-You datagram.
-
---
-
-Impact:
-ICMP Type 33 datagrams are not expected network traffic. Hosts generating ICMP Type 33 datagrams should be investigated for hostile activity.
-
---
-
-Detailed Information:
-ICMP Type 33 is an undocumented extension to RFC 1812 and RFC 792. Its current use it not defined by an approved RFC.
-
---
-
-Attack Scenarios:
-None known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Hosts generating ICMP Type 33 datagrams should be investigated for hostile activity.
-
---
-
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/414.txt snort-2.9.2/doc/signatures/414.txt
--- snort-2.8.5.2/doc/signatures/414.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/414.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-414
-
---
-
-Summary:
-This event is generated when a network host generates an ICMP IPV6 Where-Are-You datagram with an undefined ICMP Code.
-
---
-
-Impact:
-ICMP Type 33 datagrams are not expected network traffic. Hosts generating ICMP Type 33 datagrams should be investigated for hostile activity.
-
---
-
-Detailed Information:
-ICMP Type 33 is an undocumented extension to RFC 1812 and RFC 792. Its current use it not defined by an approved RFC.
-
---
-
-Attack Scenarios:
-None known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Hosts generating ICMP Type 33 datagrams should be investigated for hostile activity.
-
---
-
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/415.txt snort-2.9.2/doc/signatures/415.txt
--- snort-2.8.5.2/doc/signatures/415.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/415.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-415
-
---
-
-Summary:
-This event is generated when a network host generates an ICMP Information Reply datagram.
-
---
-
-Impact:
-ICMP Information Reply datagrams contain the network number of the network segment the datagram was generated on. This could be an indication of an improperly configured host attempting to locate the network number of the subnet it is located in.
-
---
-
-Detailed Information:
-This message is generated in response to an ICMP Information Request Message. Hosts that generated ICMP Information Request Messages are attempting to obtain the network number of subnet it is on.
-
---
-
-Attack Scenarios:
-None known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-ICMP Type 16 datagrams are not normal network activity. Hosts generating ICMP Information Request messages or Information Reply Messages should be checked for configuration errors.
-
---
-
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/416.txt snort-2.9.2/doc/signatures/416.txt
--- snort-2.8.5.2/doc/signatures/416.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/416.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-
-Sid:
-416
-
---
-
-Summary:
-This event is generated when a network host generates an ICMP Information Reply datagram with an undefined ICMP Code.
-
---
-
-Impact:
-ICMP Information Reply datagrams contain the network number of the network segment the datagram was generated on. This could be an indication of an improperly configured host attempting to locate the network number of the subnet it is located in.
-
-Undefined ICMP Code values should never been seen on the network. This could be an indication of nefarious activity on the network.
-
---
-
-Detailed Information:
-This message is generated in response to an ICMP Information Request Message. Hosts that generated ICMP Information Request Messages are attempting to obtain the network number of subnet it is on. In normal situations the ICMP Code should be set to 0, values other than 0 are undefined and should never be used.
-
---
-
-Attack Scenarios:
-None known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-ICMP Type 16 datagrams are not normal network activity. Hosts generating ICMP Information Request messages or Information Reply Messages should be checked for configuration errors.
-
---
-
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/417.txt snort-2.9.2/doc/signatures/417.txt
--- snort-2.8.5.2/doc/signatures/417.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/417.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-417
-
---
-
-Summary:
-This event is generated when a network host generates an ICMP Information Request datagram.
-
---
-
-Impact:
-ICMP Information Request datagrams attempt to locate the network number of the network segment the datagram was generated on. This could be an indication of an improperly configured host attempting to locate the network number of the subnet it is located in.
-
---
-
-Detailed Information:
-This message is generated when a host attempts to locate the network number of the network segment it is located on.. Hosts that generated ICMP Information Request Messages are attempting to obtain the network number of subnet it is on. In normal situations the ICMP Code should be set to 0, values other than 0 are undefined and should never be used.
-
---
-
-Attack Scenarios:
-None known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-ICMP Type 15 datagrams are not normal network activity. Hosts generating ICMP Information Request messages or Information Reply Messages should be checked for configuration errors.
-
---
-
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/418.txt snort-2.9.2/doc/signatures/418.txt
--- snort-2.8.5.2/doc/signatures/418.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/418.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-
-Sid:
-418
-
---
-
-Summary:
-This event is generated when a network host generates an ICMP Information Request datagram with an undefined ICMP code.
-
---
-
-Impact:
-ICMP Information Request datagrams attempt to locate the network number of the network segment the datagram was generated on. This could be an indication of an improperly configured host attempting to locate the network number of the subnet it is located in.
-
-Undefined ICMP Code values should never be seen on the network. This could be an indication of nefarious activity on the network.
-
---
-
-Detailed Information:
-This message is generated when a host attempts to locate the network number of the network segment it is located on.. Hosts that generated ICMP Information Request Messages are attempting to obtain the network number of subnet it is on. In normal situations the ICMP Code should be set to 0, values other than 0 are undefined and should never be used.
-
---
-
-Attack Scenarios:
-None known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-ICMP Type 15 datagrams are not normal network activity. Hosts generating ICMP Information Request messages or Information Reply Messages should be checked for configuration errors.
-
---
-
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/419.txt snort-2.9.2/doc/signatures/419.txt
--- snort-2.8.5.2/doc/signatures/419.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/419.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-
-Sid:
-419
-
---
-
-Summary:
-This event is generated when a network host generates an ICMP Mobile Host Redirect datagram.
-
---
-
-Impact:
-ICMP Mobile Host Redirect Messages alert base-stations to the movements of IP based mobile hosts, such as notebooks and palmtop computers.
-
---
-
-Detailed Information:
-The Transparent Internet Routing for IP Mobile Hosts IETF draft defines ICMP Type 32 Code 0 as an ICMP Mobile Host Redirect Message. This message was intended to be used by mobile computers to inform base-stations of their location on the network as they move from base-station to base-station.
-
-This IETF draft was never ratified, and no hardware is known to exist that generates this type of ICMP datagram
-
---
-
-Attack Scenarios:
-None known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-ICMP Type 32 datagrams are not normal network activity. Hosts generating these types of datagrams should be investigated for nefarious activity
-
---
-
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/420.txt snort-2.9.2/doc/signatures/420.txt
--- snort-2.8.5.2/doc/signatures/420.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/420.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-
-Sid:
-420
-
---
-
-Summary:
-This event is generated when a network host generates an ICMP Mobile Host Redirect datagram with an undefined ICMP code.
-
---
-
-Impact:
-
-Undefined ICMP Code values should never be seen on the network. This could be an indication of nefarious activity on the network.
-
---
-
-Detailed Information:
-The Transparent Internet Routing for IP Mobile Hosts IETF draft defines ICMP Type 32 Code 0 as an ICMP Mobile Host Redirect Message. This message was intended to be used by mobile computers to inform base-stations of their location on the network as they move from base-station to base-station. In normal situations the ICMP Code should be set to 0, values other than 0 are undefined and should never be used.
-
-This IETF draft was never ratified, and no hardware is known to exist that generates this type of ICMP datagram
-
---
-
-Attack Scenarios:
-None known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-ICMP Type 32 datagrams are not normal network activity. Hosts generating these types of datagrams should be investigated for nefarious activity
-
---
-
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/421.txt snort-2.9.2/doc/signatures/421.txt
--- snort-2.8.5.2/doc/signatures/421.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/421.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@ -Rule: - --- - -Sid: -421 - --- - -Summary: -This event is generated when a network host generates an ICMP Mobile Registration Reply datagram. - --- - -Impact: -ICMP Mobile Registration Reply were never implemented and have been replaced by UDP and TCP versions of the message. ICMP Type 36 datagrams should never be seen in normal network conditions. - --- - -Detailed Information: -ICMP Mobile Registration Reply datagrams were developed before the approval of RFC3344 (IP Mobility Support for IPv4). Therefore these types of ICMP datagrams should never be seen in normal networking conditions. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -ICMP Type 36 datagrams are not normal network activity. Hosts generating these types of datagrams should be investigated for nefarious activity - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.8.5.2/doc/signatures/422.txt snort-2.9.2/doc/signatures/422.txt --- snort-2.8.5.2/doc/signatures/422.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/422.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- - -Sid: -422 - --- - -Summary: -This event is generated when a network host generates an ICMP Mobile Registration Reply datagram with an undefined ICMP Code. - --- - -Impact: -ICMP Mobile Registration Reply were never implemented and have been replaced by UDP and TCP versions of the message. ICMP Type 36 datagrams with an ICMP Code other than 0, should never be seen in normal network conditions. - --- - -Detailed Information: -ICMP Mobile Registration Reply datagrams were developed before the approval of RFC3344 (IP Mobility Support for IPv4). Therefore these types of ICMP datagrams should never be seen in normal networking conditions. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -ICMP Type 36 datagrams with undefined ICMP Codes are not normal network activity. Hosts generating these types of datagrams should be investigated for nefarious activity - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.8.5.2/doc/signatures/423.txt snort-2.9.2/doc/signatures/423.txt --- snort-2.8.5.2/doc/signatures/423.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/423.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- - -Sid: -423 - --- - -Summary: -This event is generated when a network host generates an ICMP Mobile Registration Request datagram. - --- - -Impact: -ICMP Mobile Registration Requests were never implemented and have been replaced by UDP and TCP versions of the message. ICMP Type 35 datagrams should never be seen in normal network conditions. - --- - -Detailed Information: -ICMP Mobile Registration Request datagrams were developed before the development of RFC3344 (IP Mobility Support for IPv4). Therefore these types of ICMP datagrams should never be seen in normal networking conditions. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -ICMP Type 35 datagrams are not normal network activity. Hosts generating these types of datagrams should be investigated for nefarious activity - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.8.5.2/doc/signatures/424.txt snort-2.9.2/doc/signatures/424.txt --- snort-2.8.5.2/doc/signatures/424.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/424.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- - -Sid: -424 - --- - -Summary: -This event is generated when a network host generates an ICMP Mobile Registration Request datagram with an undefined ICMP Code. - --- - -Impact: -ICMP Mobile Registration Requests were never implemented and have been replaced by UDP and TCP versions of the message. ICMP Type 35 datagrams should never be seen in normal network conditions. - --- - -Detailed Information: -ICMP Mobile Registration Request datagrams were developed before the development of RFC3344 (IP Mobility Support for IPv4). Therefore these types of ICMP datagrams should never be seen in normal networking conditions. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -ICMP Type 35 datagrams are not normal network activity. Hosts generating these types of datagrams should be investigated for nefarious activity - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.8.5.2/doc/signatures/425.txt snort-2.9.2/doc/signatures/425.txt --- snort-2.8.5.2/doc/signatures/425.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/425.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@ -Rule: - --- - -Sid: -425 - --- - -Summary: -This event is generated when a router generates and ICMP Parameter Problem Bad Length datagram. - --- - -Impact: -This could be an indication of a protocol error by a previous hop router. Normally this datagram would only be generated with the datagram was truncated before it reached its final destination. - --- - -Detailed Information: -A router generates a Parameter Problem message for any error not specifically covered by another ICMP message. An ICMP Parameter Problem Bad Length datagram indicates that the datagram was truncated before it reached its final destination. This could be an indication of routing problems on the network, or malfunctioning routing hardware. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known - --- - -Corrective Action: -ICMP Type 12 Code 2 datagrams are not normal network activity. Hosts generating these types of datagrams should be investigated for configuration errors or nefarious activity. - --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.8.5.2/doc/signatures/426.txt snort-2.9.2/doc/signatures/426.txt --- snort-2.8.5.2/doc/signatures/426.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/426.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@ -Rule: - --- - -Sid: -426 - --- - -Summary: -This event is generated when a router generates and ICMP Parameter Problem Required Option Missing datagram. - --- - -Impact: -This could be an indication of a protocol error by a previous hop router. Normally this datagram would only be generated when the IP datagram is truncated or damaged before it reaches its final destination. - --- - -Detailed Information: -A router generates a Parameter Problem message for any error not specifically covered by another ICMP message. An ICMP Parameter Problem Required Option Missing datagram indicates that the IP datagram is invalid or contains invalid IP options. This could be an indication of routing problems on the network, or malfunctioning routing hardware. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known - --- - -Corrective Action: -ICMP Type 12 Code 1 datagrams are not normal network activity. Hosts generating these types of datagrams should be investigated for configuration errors or nefarious activity. - --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.8.5.2/doc/signatures/427.txt snort-2.9.2/doc/signatures/427.txt --- snort-2.8.5.2/doc/signatures/427.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/427.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@ -Rule: - --- - -Sid: -427 - --- - -Summary: -This event is generated when a router generates and ICMP Parameter Problem Unspecified Error datagram. - --- - -Impact: -This could be an indication of a protocol error by a previous hop router. Normally this datagram would only be generated with the datagram was truncated or damaged before it reached its final destination. - --- - -Detailed Information: -A router generates a Parameter Problem message for any error not specifically covered by another ICMP message. This could be an indication of routing problems on the network, or malfunctioning routing hardware. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known - --- - -Corrective Action: -ICMP Type 12 Code 0 datagrams are not normal network activity. Hosts generating these types of datagrams should be investigated for configuration errors or nefarious activity. - --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.8.5.2/doc/signatures/428.txt snort-2.9.2/doc/signatures/428.txt --- snort-2.8.5.2/doc/signatures/428.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/428.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@ -Rule: - --- - -Sid: -428 - --- - -Summary: -This event is generated when a host generates and ICMP Parameter Problem datagram with an undefined ICMP Code. - --- - -Impact: -ICMP datagrams should never contain undefined ICMP Codes. This is normally an indication of nefarious activity occurring on the network. - --- - -Detailed Information: -A router generates a Parameter Problem message for any error not specifically covered by another ICMP message. This could be an indication of routing problems on the network, or malfunctioning routing hardware. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known - --- - -Corrective Action: -ICMP Type 12 datagrams with undefined ICMP Codes are not normal network activity. Hosts generating these types of datagrams should be investigated for configuration errors or nefarious activity. - --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.8.5.2/doc/signatures/429.txt snort-2.9.2/doc/signatures/429.txt --- snort-2.8.5.2/doc/signatures/429.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/429.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@ -Rule: - --- - -Sid: -429 - --- - -Summary: -This event is generated when a host generates and ICMP Bad SPI datagram. - --- - -Impact: -ICMP Type 40 Code 0 datagrams are an indication that a received datagram has an invalid SPI that is invalid or has expired. Normally this is an indication that hosts using IP Security Protocols such as AH or ESP have been configured incorrectly or are failing to establish a session with another host. - --- - -Detailed Information: -Hosts using IP Security Protocols such as AH or ESP generate ICMP Type 40 datagrams when a failure condition occurs. ICMP Type 40 Code 0 datagrams are generated when a received datagram includes a SPI (Security Parameters Index) that is invalid or has expired. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known - --- - -Corrective Action: -ICMP Type 40 datagrams not normally seen on the network. Currently Sourcefire is unaware of any hardware that has implemented these types of ICMP datagrams. Hosts generating these types of ICMP datagrams should be investigated for nefarious activity or configuration errors. - --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -RFC2521 - - --- diff -Nru snort-2.8.5.2/doc/signatures/430.txt snort-2.9.2/doc/signatures/430.txt --- snort-2.8.5.2/doc/signatures/430.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/430.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@ -Rule: - --- - -Sid: -430 - --- - -Summary: -This event is generated when a host generates and ICMP Type 40 Code 1 Authentication Failed datagram. - --- - -Impact: -ICMP Type 40 Code 1 datagrams are an indication that a received datagram failed the authenticity or integrity check for a given SPI. Normally this is an indication that hosts using IP Security Protocols such as AH or ESP have been configured incorrectly or are failing to establish a session with another host. - --- - -Detailed Information: -Hosts using IP Security Protocols such as AH or ESP generate ICMP Type 40 datagrams when a failure condition occurs. ICMP Type 40 Code 1 datagrams are generated when a received datagram failed the authenticity or integrity check for a given SPI (Security Parameters Index). In some situations this may be an indication that an outer Encapsulation Security Protocol is in use, and the Authentication Header SPI is hidden inside the encapsulation. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known - --- - -Corrective Action: -ICMP Type 40 datagrams not normally seen on the network. Currently Sourcefire is unaware of any hardware that has implemented these types of ICMP datagrams. Hosts generating these types of ICMP datagrams should be investigated for nefarious activity or configuration errors. - --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -RFC2521 - - --- diff -Nru snort-2.8.5.2/doc/signatures/431.txt snort-2.9.2/doc/signatures/431.txt --- snort-2.8.5.2/doc/signatures/431.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/431.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@ -Rule: - --- - -Sid: -431 - --- - -Summary: -This event is generated when a host generates and ICMP Type 40 Code 2 Decompression Failed datagram. - --- - -Impact: -ICMP Type 40 Code 2 datagrams are an indication that a received datagram failed a decompression check for a given SPI. Normally this is an indication that hosts using IP Security Protocols such as AH or ESP have been configured incorrectly or are failing to establish a session with another host. - --- - -Detailed Information: -Hosts using IP Security Protocols such as AH or ESP generate ICMP Type 40 datagrams when a failure condition occurs. ICMP Type 40 Code 2 datagrams are generated when a received datagram fails the decompression check for a given SPI (Security Parameters Index). - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known - --- - -Corrective Action: -ICMP Type 40 datagrams not normally seen on the network. Currently Sourcefire is unaware of any hardware that has implemented these types of ICMP datagrams. Hosts generating these types of ICMP datagrams should be investigated for nefarious activity or configuration errors. - --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -RFC2521 - - --- diff -Nru snort-2.8.5.2/doc/signatures/432.txt snort-2.9.2/doc/signatures/432.txt --- snort-2.8.5.2/doc/signatures/432.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/432.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@ -Rule: - --- - -Sid: -432 - --- - -Summary: -This event is generated when a host generates and ICMP Type 40 Code 3 Decryption Failed datagram. - --- - -Impact: -ICMP Type 40 Code 3 datagrams are an indication that a received datagram failed a decryption check for a given SPI. Normally this is an indication that hosts using IP Security Protocols such as AH or ESP have been configured incorrectly or are failing to establish a session with another host. - --- - -Detailed Information: -Hosts using IP Security Protocols such as AH or ESP generate ICMP Type 40 datagrams when a failure condition occurs. ICMP Type 40 Code 3 datagrams are generated when a received datagram fails the decryption check for a given SPI (Security Parameters Index). - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known - --- - -Corrective Action: -ICMP Type 40 datagrams not normally seen on the network. Currently Sourcefire is unaware of any hardware that has implemented these types of ICMP datagrams. Hosts generating these types of ICMP datagrams should be investigated for nefarious activity or configuration errors. - --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -RFC2521 - - --- diff -Nru snort-2.8.5.2/doc/signatures/433.txt snort-2.9.2/doc/signatures/433.txt --- snort-2.8.5.2/doc/signatures/433.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/433.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@ -Rule: - --- - -Sid: -433 - --- - -Summary: -This event is generated when a host generates and ICMP Type 40 datagram with an undefined ICMP Code. - --- - -Impact: -ICMP Type 40 datagrams are an indication that a received datagram failed a integrity check for a given SPI. Normally this is an indication that hosts using IP Security Protocols such as AH or ESP have been configured incorrectly or are failing to establish a session with another host. - --- - -Detailed Information: -Hosts using IP Security Protocols such as AH or ESP generate ICMP Type 40 datagrams when a failure condition occurs. ICMP Type 40 datagrams are generated when a received datagram fails an integrity check for a given SPI (Security Parameters Index). ICMP Type 40 datagrams should never be generated with an undefined ICMP Code, this could be an indication of nefarious network activity. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known - --- - -Corrective Action: -ICMP Type 40 datagrams not normally seen on the network. Currently Sourcefire is unaware of any hardware that has implemented these types of ICMP datagrams. Hosts generating these types of ICMP datagrams should be investigated for nefarious activity or configuration errors. - --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -RFC2521 - - --- diff -Nru snort-2.8.5.2/doc/signatures/436.txt snort-2.9.2/doc/signatures/436.txt --- snort-2.8.5.2/doc/signatures/436.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/436.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- - -Sid: -436 - --- - -Summary: -This event is generated when a network host generates an ICMP Redirect for the Type of Service and Host datagram. - --- - -Impact: -Redirect messages are normally an indication that a shorter route to a particular destination exists. - --- - -Detailed Information: -ICMP Redirect messages are generated by gateway devices when a shorter route to the destination exists. When a gateway device receives an Internet datagram from a host on the same network a check is performed to determine the address of the next hop (gateway) in the route to the datagrams destination. The datagram is then forward to the next hop on the route. If this gateway device is also on the same network, the gateway device generates an ICMP Redirect message and sends it back to the host that originally generated the traffic. The ICMP redirect message informs the original host that a shorter route exists and any additional traffic should be forwarded directly to the closer gateway device. - --- - -Attack Scenarios: -Attackers on the local subnet could potentially use ICMP Redirect messages to force hosts to use compromised gateway devices. - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -ICMP Redirect datagrams are legitimate Internet traffic if a shorter route to a destination actually exists. - --- - -False Negatives: -None known --- - -Corrective Action: -Ingress filtering should be utilized to block incoming ICMP Type 5 datagrams - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -RFC792 - - --- diff -Nru snort-2.8.5.2/doc/signatures/437.txt snort-2.9.2/doc/signatures/437.txt --- snort-2.8.5.2/doc/signatures/437.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/437.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- - -Sid: -437 - --- - -Summary: -This event is generated when a network host generates an ICMP Redirect for the Type of Service and Network datagram. - --- - -Impact: -Redirect messages are normally an indication that a shorter route to a particular destination exists. - --- - -Detailed Information: -ICMP Redirect messages are generated by gateway devices when a shorter route to the destination exists. When a gateway device receives an Internet datagram from a host on the same network a check is performed to determine the address of the next hop (gateway) in the route to the datagrams destination. The datagram is then forward to the next hop on the route. If this gateway device is also on the same network, the gateway device generates an ICMP Redirect message and sends it back to the host that originally generated the traffic. The ICMP redirect message informs the original host that a shorter route exists and any additional traffic should be forwarded directly to the closer gateway device. - --- - -Attack Scenarios: -Attackers on the local subnet could potentially use ICMP Redirect messages to force hosts to use compromised gateway devices. - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -ICMP Redirect datagrams are legitimate Internet traffic if a shorter route to a destination actually exists. - --- - -False Negatives: -None known --- - -Corrective Action: -Ingress filtering should be utilized to block incoming ICMP Type 5 datagrams - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -RFC792 - - --- diff -Nru snort-2.8.5.2/doc/signatures/438.txt snort-2.9.2/doc/signatures/438.txt --- snort-2.8.5.2/doc/signatures/438.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/438.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- - -Sid: -438 - --- - -Summary: -This event is generated when a network host generates an ICMP Redirect with an undefined ICMP code. - --- - -Impact: -Redirect messages are normally an indication that a shorter route to a particular destination exists. - --- - -Detailed Information: -ICMP Redirect messages are generated by gateway devices when a shorter route to the destination exists. When a gateway device receives an Internet datagram from a host on the same network a check is performed to determine the address of the next hop (gateway) in the route to the datagrams destination. The datagram is then forward to the next hop on the route. If this gateway device is also on the same network, the gateway device generates an ICMP Redirect message and sends it back to the host that originally generated the traffic. The ICMP redirect message informs the original host that a shorter route exists and any additional traffic should be forwarded directly to the closer gateway device. - -ICMP datagrams with undefined codes should never be seen on the network. This could be an indication of nefarious activity on the network. - --- - -Attack Scenarios: -Attackers on the local subnet could potentially use ICMP Redirect messages to force hosts to use compromised gateway devices. - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -ICMP Redirect datagrams are legitimate Internet traffic if a shorter route to a destination actually exists. - --- - -False Negatives: -None known --- - -Corrective Action: -Ingress filtering should be utilized to block incoming ICMP Type 5 datagrams. 
- --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -RFC792 - - --- diff -Nru snort-2.8.5.2/doc/signatures/439.txt snort-2.9.2/doc/signatures/439.txt --- snort-2.8.5.2/doc/signatures/439.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/439.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,59 +0,0 @@ -Rule: - --- - -Sid: -439 - --- - -Summary: -This event is generated when an ICMP Type 19 Code 0 (ICMP Reserved for Security) datagram is detected on the network. - --- - -Impact: -ICMP Type 19 datagrams are not currently used by any known devices. - --- - -Detailed Information: -ICMP Type 19 is not defined for use and is not expected network activity. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -Ingress filtering should be utilized to block incoming ICMP Type 19 datagrams --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.8.5.2/doc/signatures/440.txt snort-2.9.2/doc/signatures/440.txt --- snort-2.8.5.2/doc/signatures/440.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/440.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,59 +0,0 @@ -Rule: - --- - -Sid: -440 - --- - -Summary: -This event is generated when an ICMP Type 19 datagram with an undefined ICMP Code is detected on the network. - --- - -Impact: -ICMP Type 19 datagrams are not currently used by any known devices. - --- - -Detailed Information: -ICMP Type 19 is not defined for use and is not expected network activity. Any ICMP datagram with an undefined ICMP Code should be investigated. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -Ingress filtering should be utilized to block incoming ICMP Type 19 datagrams --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.8.5.2/doc/signatures/441.txt snort-2.9.2/doc/signatures/441.txt --- snort-2.8.5.2/doc/signatures/441.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/441.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,66 +0,0 @@ -Rule: - --- - -Sid: -441 - --- - -Summary: -This event is generated when an ICMP Router Advertisement message is found on the network. - --- - -Impact: - --- - -Detailed Information: -Routers may use ICMP protocol 9 to advertise their information and presence on a network. Clients normally recieve this information from DNS if they use DHCP. Clients with statically assigned addresses do not need this information from an external source. - -It may be possible for an attacker to craft a packet of this type in such a way as to change the routing information on a DHCP enabled client. - --- - -Affected Systems: - Microsoft Windows 98 - Sun Solaris 2.6, Sun OS 5. - --- - -Attack Scenarios: - --- - -Ease of Attack: -Numerous tools and scripts can generate ICMP Address Mask Requests. - --- - -False Positives: -Legitimate uses of ICMP type 9 messages are common. - --- - -False Negatives: -None known --- - -Corrective Action: -ICMP Type 9 should be blocked at the upstream firewall. This type of ICMP request should never originate from a host outside of the protected network. - --- - -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- - -Additional References: -None - - --- diff -Nru snort-2.8.5.2/doc/signatures/443.txt snort-2.9.2/doc/signatures/443.txt --- snort-2.8.5.2/doc/signatures/443.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/443.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,56 +0,0 @@ -Rule: - --- - -Sid: -443 - --- - -Summary: -This event is generated when an ICMP Router Selection message is found on the network. - --- - -Impact: - --- - -Detailed Information: -ICMP Address Mask Requests are defined in RFC 950 as the third method hosts may support for determing the address mask correspoding to its IP address. In most implementations this method is not supported, and should not be normal traffic on most networks. - --- - -Attack Scenarios: -Attackers may use this ICMP Type to gather information about the subnet masks of a given network. - --- - -Ease of Attack: -Numerous tools and scripts can generate ICMP Address Mask Requests. --- - -False Positives: -Legitimate uses of ICMP Address Mask Requests exist. Some hosts my implement this method as the final fall back option after static configuration and dynamic address mask configuration has failed. --- - -False Negatives: -None known --- - -Corrective Action: -ICMP Type 17 should be blocked at the upstream firewall. This type of ICMP request should never originate from a host outside of the protected network. --- - -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- - -Additional References: -None - - --- diff -Nru snort-2.8.5.2/doc/signatures/445.txt snort-2.9.2/doc/signatures/445.txt --- snort-2.8.5.2/doc/signatures/445.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/445.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,52 +0,0 @@ -Rule: - --- -Sid: -445 - --- -Summary: -This event is generated when an ICMP "SKIP" message is generated. - --- -Impact: -Informational. This indicates that an error condition was encountered when requesting the Simple Key Management Protocol for IP (SKIP) protocol to provide keying material. - --- -Detailed Information: -An ICMP "SKIP" message is issued when a SKIP request to provide keying material fails. This may occur when the sender makes a request via a SKIP packet for some kind of algorithm, such as encryption, that is not supported by the receiver. The receiver responds with this ICMP message to indicate that the requested algorithm is not supported. - --- -Affected Systems: -This traffic should have no adverse impact. - --- -Attack Scenarios: -This is not an attack unless these messages are sent in volume for an attempted denial of service. - --- -Ease of Attack: -Simple. There are many packages available to generate ICMP messages. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -None. - --- -Contributors: -Original rule writer unknown. -Sourcefire Research Team -Judy Novak - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/446.txt snort-2.9.2/doc/signatures/446.txt --- snort-2.8.5.2/doc/signatures/446.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/446.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,53 +0,0 @@ -Rule: - --- -Sid: -446 - --- -Summary: -This event is generated when an ICMP "SKIP" message is generated with a non-zero ICMP code. - --- -Impact: -Informational. This may indicate that the ICMP message has been crafted. - --- -Detailed Information: -An ICMP "SKIP" message is issued when a SKIP request to provide keying material fails. The ICMP code value for this message should be 0. If a non-zero code for the ICMP code is observed, it may be an indication that the packet was crafted with an invalid value. - - --- -Affected Systems: -This traffic should have no adverse impact. - --- -Attack Scenarios: -An attacker may craft an ICMP "SKIP" message with an invalid ICMP code. A single packet itself is not harmful, but the unusual ICMP code may indicate that this packet was abnormally generated. - --- -Ease of Attack: -Simple. There are many packages available to generate ICMP messages. - --- -False Positives: -Although it should be rare, it is possible to observe an ICMP "SKIP" message with an ICMP code greater than 0 if it is generated by software that does not conform to standards. - --- -False Negatives: -None Known. - --- -Corrective Action: -None. - --- -Contributors: -Original rule writer unknown. -Sourcefire Research Team -Judy Novak - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/448.txt snort-2.9.2/doc/signatures/448.txt --- snort-2.8.5.2/doc/signatures/448.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/448.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -448 - --- -Summary: -This event is generated when an ICMP "Source Quench" message is -generated that has a non-zero ICMP code. - --- -Impact: -Informational. This may indicate that the ICMP message has been -crafted. - --- -Detailed Information: -An ICMP "Source Quench" message is issued by a network device that -cannot handle the current volume of traffic. The ICMP code value for -this message should be 0. If a non-zero ICMP code is observed, it may -be an indication that the packet was crafted with an invalid value. - -ICMP Source Quench messages may be normally sent by either a gateway or -a host as a congestion control mechanism. A gateway would send them if -it is running out of buffer space (needed to queue datagrams for output -to the next hop) or by a host that is receiving datagrams too fast to -process. Maliciously crafted ICMP Source Quench Messages may be used to -force a remote host to slow down its transmission rate and causing a -Denial of Service. - --- -Affected Systems: -This traffic should have no adverse impact. - --- -Attack Scenarios: -An attacker may craft an ICMP "Source Quench" message with an invalid -ICMP code. A single packet itself is not harmful, but the unusual ICMP -code my indicate that this packet was abnormally generated. - --- -Ease of Attack: -Simple. There are many packages available to generate ICMP messages. - --- -False Positives: -Although rare, it is possible to observe an ICMP "Source Quench" message -with a non-zero type code generated by software that does not conform to standards. - --- -False Negatives: -None Known. - --- -Corrective Action: -If a routing device in your network is generating this message, investigate why it does not have a standard ICMP code of 0. - --- -Contributors: -Original rule writer unknown. 
-Sourcefire Research Team -Judy Novak -Additional information by Jose Hernandez - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/449.txt snort-2.9.2/doc/signatures/449.txt --- snort-2.8.5.2/doc/signatures/449.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/449.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,52 +0,0 @@ -Rule: - --- -Sid: -449 - --- -Summary: -This event is generated when a routing device detects that a packet has exceeded the maximum number of allowable hops. - --- -Impact: -Informational. This indicates that a packet has been expired by an internal router. This may be an indication of an attacker attempting a traceroute of a host in your network. - --- -Detailed Information: -Each packet is assigned an initial Time To Live (TTL) value before being sent. This value is usually determined by the operating system of the given TCP/IP stack. The TTL value represents the maximum number of hops a packet may take before being expired by a routing device. This is done to banish lost or misguided packets from the network. The traceroute utility assigns its own TTL values to dictate the number of hops a packet takes, to discover all the routing devices that are traversed by a packet. During the process, an ICMP "Time Exceeded in Transit" message may be observed. If a router in your network sends this message, it may be an indication that an attacker is attempting a traceroute of a host in your network. - --- -Affected Systems: -Any device that expires a packet will generate this ICMP message. - --- -Attack Scenarios: -An attacker may attempt a traceroute to discover your routing devices and network topology. - --- -Ease of Attack: -Simple. The UNIX traceroute and Windows tracert are provided utilities. - --- -False Positives: -It is possible to observe an ICMP "Time Exceeded in Transit" message sent outbound if any inbound packet has exceeded the maximum allowable hops. This may be a indication of a lost packet or routing problems such as a routing loop. - --- -False Negatives: -None Known. - --- -Corrective Action: -Sites may elect to disable this ICMP message on the outbound interface to prevent releasing potentially value reconnaissance about the network topology. - --- -Contributors: -Original rule writer unknown. 
-Sourcefire Research Team -Judy Novak - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/450.txt snort-2.9.2/doc/signatures/450.txt --- snort-2.8.5.2/doc/signatures/450.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/450.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,52 +0,0 @@ -Rule: - --- -Sid: -450 - --- -Summary: -This event is generated when an ICMP "Time Exceeded" message is generated that has an invalid ICMP code. - --- -Impact: -Informational. This may indicate that the ICMP message has been crafted. - --- -Detailed Information: -An ICMP "Time Exceeded" message is issued when either the maximum number of hops has been exceeded or a timer has expired before all fragments have been received. The ICMP code value for this message should be 0 or 1. If a value of greater than 1 for the ICMP code is observed, it may be an indication that the packet was crafted with an invalid value. - --- -Affected Systems: -This traffic should have no adverse impact. - --- -Attack Scenarios: -An attacker may craft an ICMP "Time Exceeded" message with an invalid ICMP code. A single packet itself is not harmful, but the unusual ICMP code may indicate that this packet was abnormally generated. - --- -Ease of Attack: -Simple. There are many packages available to generate ICMP messages. - --- -False Positives: -Although rare, it is possible to observe an ICMP "Time Exceeded" message with an ICMP code greater than 1 if it is generated by software that does not conform to standards. - --- -False Negatives: -None Known. - --- -Corrective Action: -If a host or device in your network is generating this message, investigate why it does not have a standard ICMP code. - --- -Contributors: -Original rule writer unknown. -Sourcefire Research Team -Judy Novak - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/451.txt snort-2.9.2/doc/signatures/451.txt --- snort-2.8.5.2/doc/signatures/451.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/451.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Rule: - --- - -Sid: -408 - --- - -Summary: -This event is generated when a network host generates an ICMP Timestamp Reply in response to an ICMP Timestamp Request message. - --- - -Impact: -Information-gathering. An ICMP Timestamp Reply message is sent in response to an ICMP RTimestamp Request message. If the ICMP Timestamp Reply message reaches the requesting host it indicates that the replying host is alive. - --- - -Detailed Information: -ICMP Type 0 Code 0 is the RFC defined messaging type for ICMP Timestamp Reply datagrams. This type of message is used to determine if a host is active on the network. - -If ICMP type 8 (echo) traffic is filtered at a firewall, an attacker may try to use type 14 (timestamp) as an alternative. - --- - -Attack Scenarios: -A remote attacker may use ICMP Timestamp Request datagrams to determine active hosts on the network in prelude of further attacks. - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -Use ingress filtering to prevent ICMP Type 0 Code 8 messages from entering the network. - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) -Nigel Houghton - --- - -Additional References: -None - - --- diff -Nru snort-2.8.5.2/doc/signatures/452.txt snort-2.9.2/doc/signatures/452.txt --- snort-2.8.5.2/doc/signatures/452.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/452.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Rule: - --- - -Sid: -452 - --- - -Summary: -This event is generated when a network host generates an ICMP Timestamp Reply with an invalid or undefined ICMP Code. - --- - -Impact: -Information-gathering. An ICMP Timestamp Reply message is sent in response to an ICMP Timestamp Request message. If the ICMP Timestamp Reply message reaches the requesting host it indicates that the replying host is alive. Most OS's (operating systems) will accept an ICMP Timestamp Reply message with an invalid or undefined ICMP code set as a valid ICMP Timestamp Reply. - --- - -Detailed Information: -ICMP Type 0 Code 0 is the RFC defined messaging type for ICMP Timestamp Reply datagrams. This type of message is used to determine if a host is active on the network. - -If ICMP type 8 (echo) traffic is filtered at a firewall, an attacker may try to use type 14 (timestamp) as an alternative. - --- - -Attack Scenarios: -Remote attackers my generate ICMP Timestamp Reply datagrams with invalid ICMP Codes in an attempt to cause faults in the applications or hosts generating ICMP Timestamp Requests. - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -Use ingress filtering to prevent ICMP Type 0 messages from entering the network. - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) -Nigel Houghton - --- - -Additional References: -None - - --- diff -Nru snort-2.8.5.2/doc/signatures/453.txt snort-2.9.2/doc/signatures/453.txt --- snort-2.8.5.2/doc/signatures/453.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/453.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,57 +0,0 @@ -Rule: - --- -Sid: -453 - --- -Summary: -This event is generated when an ICMP Timestamp request is made. - --- -Impact: -Information gathering. An ICMP Timestamp request can determine if a host is active. - --- -Detailed Information: -An ICMP Timestamp request is used by the ping command to elicit an ICMP Timestamp reply from a listening live host. This rule alerts on a generic ICMP request where no payload is included in the message or the payload does not match more specific rules. - -If ICMP type 8 (echo) traffic is filtered at a firewall, and attacker may try to use type 13 (timestamp) as an alternative. - --- -Affected Systems: -All - --- -Attack Scenarios: -An attacker may attempt to determine live hosts in a network prior to launching an attack. - --- -Ease of Attack: -Simple - --- -False Positives: -An ICMP Timestamp request may be used to legitimately troubleshoot networking problems. - --- -False Negatives: -None known. - --- -Corrective Action: -Block inbound ICMP Timestamp requests. - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Judy Novak -Additional information by Steven Alexander - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/454.txt snort-2.9.2/doc/signatures/454.txt --- snort-2.8.5.2/doc/signatures/454.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/454.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,57 +0,0 @@ -Rule: - --- -Sid: -454 - --- -Summary: -This event is generated when an ICMP Timestamp request is made with an invalid or undefined ICMP Code. - --- -Impact: -Information gathering. An ICMP Timestamp request can determine if a host is active. - --- -Detailed Information: -An ICMP Timestamp request is used by the ping command to elicit an ICMP Timestamp reply from a listening live host. This rule alerts on a generic ICMP request where no payload is included in the message or the payload does not match more specific rules. - -If ICMP type 8 (echo) traffic is filtered at a firewall, an attacker may try to use type 13 (timestamp) as an alternative. - --- -Affected Systems: -All - --- -Attack Scenarios: -An attacker may attempt to determine live hosts in a network prior to launching an attack. - --- -Ease of Attack: -Simple - --- -False Positives: -An ICMP Timestamp request may be used to legitimately troubleshoot networking problems. - --- -False Negatives: -None known. - --- -Corrective Action: -Block inbound ICMP Timestamp requests. - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Judy Novak -Additional information by Steven Alexander - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/456.txt snort-2.9.2/doc/signatures/456.txt --- snort-2.8.5.2/doc/signatures/456.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/456.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,75 +0,0 @@ -Rule: - --- -Sid: -456 - --- -Summary: -This event is generated when an attempt is made to use ICMP as a -reconnaisance tool. - --- -Impact: -Can be used as a reconnaissance tool. Traceroute reveals information -about the layout of a network. - --- -Detailed Information: -There are at least three different implementations of traceroute. In -one implementation traceroute works by sending an ICMP Echo Request -packet to a destination host with a TTL value of 1. If the host is more -than one hop away, the first route that receives the back will send back -an ICMP packet indicating that the TTL was exceeded. The address of -this router is then listed as the first hop. The packet is then sent -out again with a TTL of 2. This continues until the destination host is -able to reply or some maximum TTL value is reached. - -The other two implementations use the same TTL-based concept with an -ICMP type of 30(traceroute) or with an UDP packet destined for an -ephemeral port. - --- -Affected Systems: -All - --- -Attack Scenarios: - -Traceroute is often used against machines on a network prior to an -attack. - --- -Ease of Attack: -Simple - --- -False Positives: - --- -False Negatives: -None known. - --- -Corrective Action: -Block inbound ICMP type 30 messages. - --- -Contributors: -Original Rule Writer Max Vision -Sourcefire Research Team -Judy Novak -Nigel Houghton -Snort documentation contributed by by Steven Alexander - --- -Additional References: - -Miscellaneous -http://www.faqs.org/rfcs/rfc1393.html - - - - - --- diff -Nru snort-2.8.5.2/doc/signatures/457.txt snort-2.9.2/doc/signatures/457.txt --- snort-2.8.5.2/doc/signatures/457.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/457.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,77 +0,0 @@ -Rule: - --- -Sid: -457 - --- -Summary: -This event is generated when an ICMP type 14 is detected that does not -include the necessary code in the packet. - - --- -Impact: - -Can be used as a reconnaissance tool. Traceroute reveals information -about the layout of a network. - --- -Detailed Information: -There are at least three different implementations of traceroute. In -one implementation traceroute works by sending an ICMP Echo Request -packet to a destination host with a TTL value of 1. If the host is more -than one hop away, the first route that receives the back will send back -an ICMP packet indicating that the TTL was exceeded. The address of -this router is then listed as the first hop. The packet is then sent -out again with a TTL of 2. This continues until the destination host is -able to reply or some maximum TTL value is reached. - -The other two implementations use the same TTL-based concept with an -ICMP type of 30(traceroute) or with an UDP packet destined for an -ephemeral port. - --- -Affected Systems: -All - --- -Attack Scenarios: - -Traceroute is often used against machines on a network prior to an -attack. - --- -Ease of Attack: -Simple - --- -False Positives: - --- -False Negatives: -None known. - --- -Corrective Action: -Block inbound ICMP type 30 messages. - --- -Contributors: -Original Rule Writer Max Vision -Sourcefire Research Team -Judy Novak -Nigel Houghton -Snort documentation contributed by by Steven Alexander - --- -Additional References: - -Miscellaneous -http://www.faqs.org/rfcs/rfc1393.html - - - - - --- diff -Nru snort-2.8.5.2/doc/signatures/458.txt snort-2.9.2/doc/signatures/458.txt --- snort-2.8.5.2/doc/signatures/458.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/458.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- - -Sid: -458 - --- - -Summary: -This event is generated when an ICMP Type 1 datagram with an undefined ICMP Code is detected on the network. - --- - -Impact: -ICMP Type 1 datagrams are not currently used by any known devices. - --- - -Detailed Information: -ICMP Type 1 is not defined for use and is not expected network activity. Any ICMP datagram with an undefined ICMP Code should be investigated. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -Ingress filtering should be utilized to block incoming ICMP Type 1 datagrams --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) -Nigel Houghton - --- - -Additional References: -None - - --- diff -Nru snort-2.8.5.2/doc/signatures/459.txt snort-2.9.2/doc/signatures/459.txt --- snort-2.8.5.2/doc/signatures/459.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/459.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- - -Sid: -459 - --- - -Summary: -This event is generated when an ICMP Type 1 datagram with an undefined ICMP Code is detected on the network. - --- - -Impact: -ICMP Type 1 datagrams are not currently used by any known devices. - --- - -Detailed Information: -ICMP Type 1 is not defined for use and is not expected network activity. Any ICMP datagram with an undefined ICMP Code should be investigated. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -Ingress filtering should be utilized to block incoming ICMP Type 1 datagrams --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) -Nigel Houghton - --- - -Additional References: -None - - --- diff -Nru snort-2.8.5.2/doc/signatures/460.txt snort-2.9.2/doc/signatures/460.txt --- snort-2.8.5.2/doc/signatures/460.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/460.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- - -Sid: -460 - --- - -Summary: -This event is generated when an ICMP Type 2 datagram with an undefined ICMP Code is detected on the network. - --- - -Impact: -ICMP Type 2 datagrams are not currently used by any known devices. - --- - -Detailed Information: -ICMP Type 2 is not defined for use and is not expected network activity. Any ICMP datagram with an undefined ICMP Code should be investigated. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -Ingress filtering should be utilized to block incoming ICMP Type 2 datagrams --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) -Nigel Houghton - --- - -Additional References: -None - - --- diff -Nru snort-2.8.5.2/doc/signatures/461.txt snort-2.9.2/doc/signatures/461.txt --- snort-2.8.5.2/doc/signatures/461.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/461.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- - -Sid: -461 - --- - -Summary: -This event is generated when an ICMP Type 2 datagram with an undefined ICMP Code is detected on the network. - --- - -Impact: -ICMP Type 2 datagrams are not currently used by any known devices. - --- - -Detailed Information: -ICMP Type 2 is not defined for use and is not expected network activity. Any ICMP datagram with an undefined ICMP Code should be investigated. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -Ingress filtering should be utilized to block incoming ICMP Type 2 datagrams --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) -Nigel Houghton - --- - -Additional References: -None - - --- diff -Nru snort-2.8.5.2/doc/signatures/462.txt snort-2.9.2/doc/signatures/462.txt --- snort-2.8.5.2/doc/signatures/462.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/462.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- - -Sid: -462 - --- - -Summary: -This event is generated when an ICMP Type 7 datagram with an undefined ICMP Code is detected on the network. - --- - -Impact: -ICMP Type 7 datagrams are not currently used by any known devices. - --- - -Detailed Information: -ICMP Type 7 is not defined for use and is not expected network activity. Any ICMP datagram with an undefined ICMP Code should be investigated. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -Ingress filtering should be utilized to block incoming ICMP Type 7 datagrams --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) -Nigel Houghton - --- - -Additional References: -None - - --- diff -Nru snort-2.8.5.2/doc/signatures/463.txt snort-2.9.2/doc/signatures/463.txt --- snort-2.8.5.2/doc/signatures/463.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/463.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- - -Sid: -463 - --- - -Summary: -This event is generated when an ICMP Type 7 datagram with an undefined ICMP Code is detected on the network. - --- - -Impact: -ICMP Type 7 datagrams are not currently used by any known devices. - --- - -Detailed Information: -ICMP Type 7 is not defined for use and is not expected network activity. Any ICMP datagram with an undefined ICMP Code should be investigated. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -Ingress filtering should be utilized to block incoming ICMP Type 7 datagrams --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) -Nigel Houghton - --- - -Additional References: -None - - --- diff -Nru snort-2.8.5.2/doc/signatures/465.txt snort-2.9.2/doc/signatures/465.txt --- snort-2.8.5.2/doc/signatures/465.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/465.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,54 +0,0 @@ -Rule: - --- -Sid: -465 - --- -Summary: -This event is generated when an ICMP echo request is made from a host running the Internet Security Scanner tool. - --- -Impact: -Information gathering. An ICMP echo request can determine if a host is active. - --- -Detailed Information: -An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a host running Internet Security Scanner "pinger" software contains a unique payload in the message request. - --- -Affected Systems: -All - --- -Attack Scenarios: -An attacker may attempt to determine live hosts in a network prior to launching an attack. - --- -Ease of Attack: -Simple - --- -False Positives: -An ICMP echo request may be used to legimately troubleshoot networking problems. - --- -False Negatives: -None known. - --- -Corrective Action: -Block inbound ICMP echo requests. - --- -Contributors: -Original rule written by Max Vision -Documented by Steven Alexander -Sourcefire Research Team -Judy Novak - --- -Additional References: -http://www.whitehats.com/info/IDS158 - --- diff -Nru snort-2.8.5.2/doc/signatures/466.txt snort-2.9.2/doc/signatures/466.txt --- snort-2.8.5.2/doc/signatures/466.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/466.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,54 +0,0 @@ -Rule: - --- -Sid: -466 - --- -Summary: -This event is generated when an ICMP echo request is made from a host running the L3 "Retriever 1.5" security scanner. - --- -Impact: -Information gathering. An ICMP echo request can determine if a host is active. - --- -Detailed Information: -An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a host running the L3 "Retriever 1.5" security scanner contains a unique payload in the message request. - --- -Affected Systems: -All - --- -Attack Scenarios: -An attacker may attempt to determine live hosts in a network prior to launching an attack. - --- -Ease of Attack: -Simple - --- -False Positives: -An ICMP echo request may be used to legimately troubleshoot networking problems. - --- -False Negatives: -None known. - --- -Corrective Action: -Block inbound ICMP echo requests. - --- -Contributors: -Original rule written by Max Vision -Documented by Steven Alexander -Sourcefire Research Team -Judy Novak - --- -Additional References: -http://www.whitehats.com/info/IDS311 - --- diff -Nru snort-2.8.5.2/doc/signatures/467.txt snort-2.9.2/doc/signatures/467.txt --- snort-2.8.5.2/doc/signatures/467.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/467.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,54 +0,0 @@ -Rule: - --- -Sid: -467 - --- -Summary: -This event is generated when an ICMP echo request is made from a host running Nemesis v1.1 software. - --- -Impact: -Information gathering. An ICMP echo request can determine if a host is active. - --- -Detailed Information: -An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a host running Nemesis v1.1 software contains a unique payload in the message request. - --- -Affected Systems: -All - --- -Attack Scenarios: -An attacker may attempt to determine live hosts in a network prior to launching an attack. - --- -Ease of Attack: -Simple - --- -False Positives: -An ICMP echo request may be used to legimately troubleshoot networking problems. - --- -False Negatives: -None known. - --- -Corrective Action: -Block inbound ICMP echo requests. - --- -Contributors: -Original rule written by Max Vision -Documented by Steven Alexander -Sourcefire Research Team -Judy Novak - --- -Additional References: -http://www.whitehats.com/info/IDS449 - --- diff -Nru snort-2.8.5.2/doc/signatures/469.txt snort-2.9.2/doc/signatures/469.txt --- snort-2.8.5.2/doc/signatures/469.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/469.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,84 +0,0 @@ --- -Rule: - --- -Sid: -469 - --- -Summary: -This event is generated when an ICMP ping typically generated by nmap is detected. - --- -Impact: -This could indicate a full scan by nmap which is sometimes indicative of -potentially malicious behavior. - --- -Detailed Information: -Nmap's ICMP ping, by default, sends zero data as part of the ping. -Nmap typically pings the host via icmp if the user has root -privileges, and uses a tcp-ping otherwise. - --- -Attack Scenarios: -As part of an information gathering attempt, an attacker may use nmap -to see what hosts are alive on a given network. If nmap is used for -portscanning as root, the icmp ping will occur by default unless the -user specifies otherwise (via '-P0'). - --- -Ease of Attack: -Trivial. Nmap requires little or no skill to operate. - --- -False Positives: -Possible. The only current identifying feature of nmap's ICMP ping is -that the data size is 0. It is entirely possible that other tools may -send icmp pings with zero data. - -Kontiki delivery manager used on windows platforms to download -multimedia files is known to produce ICMP pings that can cause this -rule to generate many events. - -avast! antivirus update feature is reported to produce ICMP pings with -zero data when connecting to the avast servers. This can occur every 40 -seconds if no reply is received by the client. - -The avast! client attempts to ping one of the following servers: - -URL: http://www.asw.cz/iavs4pro -IP: 195.70.130.34 - -URL: http://www.avast.com/iavs4pro -IP: 66.98.166.72 - -URL: http://www.iavs.net/iavs4pro -IP: 207.44.156.15 - -URL: http://www.iavs.cz/iavs4pro -IP: 62.168.45.69 - --- -False Negatives: -None currently. - --- -Corrective Action: -If you detect other suspicous traffic from this host (i.e., a -portscan), follow standard procedure to assess what threat this may -pose. If you only detect the icmp ping, this may have simply been a -'ping sweep' and may be ignored. 
- --- -Contributors: -warchild@spoofed.org -Sourcefire Research Team -Nigel Houghton - --- -Additional References: -www.insecure.org - - --- diff -Nru snort-2.8.5.2/doc/signatures/471.txt snort-2.9.2/doc/signatures/471.txt --- snort-2.8.5.2/doc/signatures/471.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/471.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,68 +0,0 @@ -Rule: - --- - -Sid: -471 - --- - -Summary: -This event is generated when Icmpenum v1.1.1 generates an ICMP datagram. - --- - -Impact: -ICMP echo requests are used to determine if a host is running at a -specific IP address. A remote attacker can scan a large range of hosts -using ICMP echo requests to determine what hosts are operational on the -network. - --- - -Detailed Information: -Icmpenum v1.1.1 generates an ICMP Type 0 datagram with an ICMP ID of 666, an ICMP -sequence number of 0, and an ICMP datagram size of 0. - --- - -Attack Scenarios: -A remote attacker might scan a large range of hosts using ICMP echo -requests to determine what hosts are operational on the network. - --- - -Ease of Attack: -Simple. Packet generation tools can generate this type of ICMP packet - --- - -False Positives: -None known - --- - -False Negatives: -Packet generation tools can generate ICMP Echo requests with -user-defined payloads that emulate this application. - --- - -Corrective Action: -To prevent information gathering, use ingress filtering to block -incoming ICMP Type 8 Code 0 traffic. - --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -http://www.whitehats.com/info/IDS450 - - --- diff -Nru snort-2.8.5.2/doc/signatures/472.txt snort-2.9.2/doc/signatures/472.txt --- snort-2.8.5.2/doc/signatures/472.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/472.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- - -Sid: -472 - --- - -Summary: -This event is generated when a network host generates an ICMP Redirect for Host datagram. - --- - -Impact: -Redirect messages are normally an indication that a shorter route to a particular destination exists. - --- - -Detailed Information: -ICMP Redirect messages are generated by gateway devices when a shorter route to the destination exists. When a gateway device receives an Internet datagram from a host on the same network a check is performed to determine the address of the next hop (gateway) in the route to the datagrams destination. The datagram is then forward to the next hop on the route. If this gateway device is also on the same network, the gateway device generates an ICMP Redirect message and sends it back to the host that originally generated the traffic. The ICMP redirect message informs the original host that a shorter route exists and any additional traffic should be forwarded directly to the closer gateway device. - --- - -Attack Scenarios: -Attackers on the local subnet could potentially use ICMP Redirect messages to force hosts to use compromised gateway devices. - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -ICMP Redirect datagrams are legitimate Internet traffic if a shorter route to a destination actually exists. - --- - -False Negatives: -None known --- - -Corrective Action: -Ingress filtering should be utilized to block incoming ICMP Type 5 datagrams - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -RFC792 - - --- diff -Nru snort-2.8.5.2/doc/signatures/473.txt snort-2.9.2/doc/signatures/473.txt --- snort-2.8.5.2/doc/signatures/473.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/473.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,77 +0,0 @@ -Rule: - --- -Sid: -473 - --- -Summary: -This event is generated when an ICMP Redirect Network message was -detected in network traffic. - --- -Impact: -Unknown. Possible system crash, Denial of Service (DoS) for some -embedded operating systems. - --- -Detailed Information: -Several susceptible IP Stack implementations may result in the system -hanging or crashing when malformed or corrupted ICMP Redirect Network -(Type 5, Code 0) packets are sent to them. This vulnerability was first -discovered in 1997. - -Under normal network conditions ICMP Redirect Network packets will occur -in a number of situations. One such situation is when a host is on a -subnet with more than one router. The host can only have one default -gateway, and forwards all traffic for networks outside its own subnet to -this gateway. If the default gateway detects that the gateway for this -route is on the same subnet as the originating host, the default gateway -forwards the packet onto this gateway and sends an ICMP Redirect Network -to the originating host. - -This funtionality exists primarily to save network administrators from -having to keep extensive routing tables on hosts, the host will remember -the route learned from the ICMP Redirect Network message for a period of -time, and will forward any traffic directly while it has the route in -its cache. - --- -Affected Systems: - All systems - --- -Attack Scenarios: -A malicious user may send corrupted ICMP Redirect Net messages to -networks in an attempt to crash a system. - --- -Ease of Attack: -Simple. - --- -False Positives: -Any ICMP Network Redirect will generate an event. - --- -False Negatives: -None Known - --- -Corrective Action: -Patches for Microsoft Windows NT 4.0 were included in SP4, and also -release as a post SP3 fix - teardrop2-fix. Fixes are also available for -Windows 95 and various embedded systems. 
- --- -Contributors: -Original rule writer unknown -Original document author unkown -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - -Microsoft KB, Q154174 --- diff -Nru snort-2.8.5.2/doc/signatures/474.txt snort-2.9.2/doc/signatures/474.txt --- snort-2.8.5.2/doc/signatures/474.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/474.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,65 +0,0 @@ -Rule: --- -Sid: -474 - --- -Summary: -This event is generated when an ICMP Echo Request from the Windows based -scanner SuperScan is detected. - --- -Impact: -Information gathering. - --- -Detailed Information: -SuperScan is a freely available Windows based scanner from Foundstone. -The scanners default behavior is to send an ICMP Echo Request before -starting the scan. This ICMP packet has a special payload of eight (8) bytes, -consisting of the number zero (0). - -This scanner is fairly popular among Windows users. - --- -Affected Systems: - All - --- -Attack Scenarios: -SuperScan may be used as an information gathering tool to detect active hosts -on a network by sending icmp echo requests. - --- -Ease of Attack: -Simple. SuperScan is widely available. - --- -False Positives: -Tools other than SuperScan may generate echo requests with the same content. - --- -False Negatives: -None Known - --- -Corrective Action: - --- -Contributors: -Original rule writer unknown -Snort documentation contributed by Johan Augustsson - and Josh Gray -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - -Foundstone -http://www.foundstone.com/ - -McAfee: -http://vil.nai.com/vil/content/v_103727.htm - --- diff -Nru snort-2.8.5.2/doc/signatures/475.txt snort-2.9.2/doc/signatures/475.txt --- snort-2.8.5.2/doc/signatures/475.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/475.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,66 +0,0 @@ -Rule: - --- - -Sid: -475 - --- - -Summary: -This event is generated when a network host generates an ICMP datagram -with Record Route IP options. - --- - -Impact: -Packets containing IP Record Route options are used to emulate the functionality -of traceroute. - --- - -Detailed Information: -The Record Route IP option is used to store routing information about the -path a datagram takes to its destination. ICMP ECHO packets with an IP header -utilizing the Record Route option are used to emulate the functionality of -traceroute. - --- - -Attack Scenarios: -A remote attacker may attempt to use the Record Route IP option to determine -routing information if traceroute fails. - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of datagram. - --- - -False Positives: -Network diagnostic tools may generate these types of datagrams. - --- - -False Negatives: -None known --- - -Corrective Action: -Use ingress filtering to block incoming datagrams with the IP Record Route option. - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -http://www.whitehats.com/info/IDS238 - - --- diff -Nru snort-2.8.5.2/doc/signatures/476.txt snort-2.9.2/doc/signatures/476.txt --- snort-2.8.5.2/doc/signatures/476.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/476.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,76 +0,0 @@ -Rule: - --- - -Sid: -476 - --- - -Summary: -This event is generated when Webtrends Security Scanner generates an ICMP echo -request message. - --- - -Impact: -ICMP echo requests are used to determine if a host is running at a -specific IP address. A remote attacker can scan a large range of hosts -using ICMP echo requests to determine what hosts are operational on the -network. - --- - -Detailed Information: -Webtrends Ecurity Scanner generates a ICMP Echo Request message containing the -following hex signature: - -|00000000454545454545454545454545| - -By searching for this string in a packet, it is possible to determine -the type of host that generated the request. - --- - -Attack Scenarios: -A remote attacker might scan a large range of hosts using ICMP echo -requests to determine what hosts are operational on the network. - --- - -Ease of Attack: -Simple. The "ping" utility found on most operating systems can generate -these types of ICMP messages. - --- - -False Positives: -None known - --- - -False Negatives: -Packet generation tools can generate ICMP Echo requests with -user-defined payloads. This could allow attackers to replace this -signature with binary values and conceal their operating system. - --- - -Corrective Action: -To prevent information gathering, use a firewall to block incoming ICMP -Type 8 Code 0 traffic. - --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -http://www.whitehats.com/info/IDS307 - - --- diff -Nru snort-2.8.5.2/doc/signatures/477.txt snort-2.9.2/doc/signatures/477.txt --- snort-2.8.5.2/doc/signatures/477.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/477.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- - -Sid: -477 - --- - -Summary: -This event is generated when a network host generates an ICMP source quench -datagram. - --- - -Impact: -ICMP source quench message are generated by gateway devices that no longer -have the buffer space needed to queue datagrams for output to the next route. -This could be an indication of a routing problem, network capacity problem, -or on going Denial of Service attack. - --- - -Detailed Information: -ICMP source quench messasges are generated when a gateway device runs out -of buffer space to process incoming network traffic. This is an informational -message that is generated in an attempt to inform the remote host generating -the traffic to limit the speed at which it is sending network traffic to -the remote host. - --- - -Attack Scenarios: -Denial of Service. Attackers could potenially use ICMP source quench datagrams -to rate limit a remote host that listens to unsolicited ICMP source quench -datagrams. - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of datagram. - --- - -False Positives: -Legitimate source quench datagrams will trigger this rule. - --- - -False Negatives: -None known --- - -Corrective Action: -Use ingress filtering to block incoming ICMP source quench datagrams. - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -http://www.whitehats.com/info/IDS238 - - --- diff -Nru snort-2.8.5.2/doc/signatures/478.txt snort-2.9.2/doc/signatures/478.txt --- snort-2.8.5.2/doc/signatures/478.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/478.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- - -Sid: -478 - --- - -Summary: -This event is generated when Broadscan Smurf Scanner generates an ICMP echo -request message. - --- - -Impact: -ICMP echo requests are used to determine if a host is running at a -specific IP address. A remote attacker can scan a large range of hosts -using ICMP echo requests to determine what hosts are operational on the -network. - --- - -Detailed Information: -The Broadscan Smurf Scanner generates an ICMP echo packet with a specific -datagram signature. - --- - -Attack Scenarios: -A remote attacker might scan a large range of hosts using ICMP echo -requests to determine what hosts are operational on the network. - --- - -Ease of Attack: -Simple. Packet generation tools can generate this type of ICMP packet - --- - -False Positives: -None known - --- - -False Negatives: -Packet generation tools can generate ICMP echo requests with -user-defined payloads. This could allow attackers to replace this -signature with binary values and conceal their operating system. - --- - -Corrective Action: -To prevent information gathering, use a firewall to block incoming ICMP -Type 8 Code 0 traffic. - --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/480.txt snort-2.9.2/doc/signatures/480.txt --- snort-2.8.5.2/doc/signatures/480.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/480.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -480 - --- -Summary: -This event is generated when a benevolent ping used by SpeedEra.net to -find the closest cache to a host is detected. - --- -Impact: -Unknown. - --- -Detailed Information: -After visiting certain speedera.net sites, several pings will be -received by the host. These pings are sent so that speedera can find the -closest cache to the host. This rule is intended to distinguish the -usually benevolent speedera pings from normal, possibly malevolent pings. - --- -Affected Systems: - All systems - --- -Attack Scenarios: -This is not really an attack. However an attacker could disguise their -pings as speedera pings, but this is unlikely. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -None required. - --- -Contributors: -Original rule writer unknown -Snort documentation contributed by Drew Hintz ( http://guh.nu ) -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - -Linux Security: -http://www.linuxsecurity.com/articles/firewalls_article-2064.html - --- diff -Nru snort-2.8.5.2/doc/signatures/481.txt snort-2.9.2/doc/signatures/481.txt --- snort-2.8.5.2/doc/signatures/481.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/481.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,56 +0,0 @@ -Rule: - --- -Sid: -481 - --- -Summary: -This event is generated when an ICMP echo request is made from a Windows host running TJPingPro 1.1 Build 2 software. - --- -Impact: -Information gathering. An ICMP echo request can determine if a host is active. - --- -Detailed Information: -An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows host running TJPingPro 1.1 Build 2 software contains a unique payload in the message request. - --- -Affected Systems: -All - --- -Attack Scenarios: -An attacker may attempt to determine live hosts in a network prior to launching an attack. - --- -Ease of Attack: -Simple - --- -False Positives: -An ICMP echo request may be used to legimately troubleshoot networking problems. - --- -False Negatives: -None known. - --- -Corrective Action: -Block inbound ICMP echo requests. - --- -Contributors: -Original rule written by Max Vision -Documented by Steven Alexander -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS167 - --- diff -Nru snort-2.8.5.2/doc/signatures/482.txt snort-2.9.2/doc/signatures/482.txt --- snort-2.8.5.2/doc/signatures/482.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/482.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,56 +0,0 @@ -Rule: - --- -Sid: -482 - --- -Summary: -This event is generated when an ICMP echo request is made from a Windows host running Whatsup Gold software. - --- -Impact: -Information gathering. An ICMP echo request can determine if a host is active. - --- -Detailed Information: -An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows host running Whatsup Gold software contains a unique payload in the message request. - --- -Affected Systems: -All - --- -Attack Scenarios: -An attacker may attempt to determine live hosts in a network prior to launching an attack. - --- -Ease of Attack: -Simple - --- -False Positives: -An ICMP echo request may be used to legimately troubleshoot networking problems. - --- -False Negatives: -None known. - --- -Corrective Action: -Block inbound ICMP echo requests. - --- -Contributors: -Original rule written by Max Vision -Documented by Steven Alexander -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS168 - --- diff -Nru snort-2.8.5.2/doc/signatures/483.txt snort-2.9.2/doc/signatures/483.txt --- snort-2.8.5.2/doc/signatures/483.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/483.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,54 +0,0 @@ -Rule: - --- -Sid: -483 - --- -Summary: -This event is generated when an ICMP echo request is made from a Windows host running CyberKit 2.2 software. - --- -Impact: -Information gathering. An ICMP echo request can determine if a host is active. - --- -Detailed Information: -An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows host running CyberKit 2.2 software contains a unique payload in the message request. - --- -Affected Systems: -All - --- -Attack Scenarios: -An attacker may attempt to determine live hosts in a network prior to launching an attack. - --- -Ease of Attack: -Simple - --- -False Positives: -An ICMP echo request may be used to legimately troubleshoot networking problems. - --- -False Negatives: -None known. - --- -Corrective Action: -Block inbound ICMP echo requests. - --- -Contributors: -Original rule written by Max Vision -Documented by Steven Alexander -Sourcefire Research Team -Judy Novak - --- -Additional References: -http://www.whitehats.com/info/IDS154 - --- diff -Nru snort-2.8.5.2/doc/signatures/484.txt snort-2.9.2/doc/signatures/484.txt --- snort-2.8.5.2/doc/signatures/484.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/484.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,51 +0,0 @@ -Rule: --- -Sid: -484 - --- -Summary: -This event is generated when an ICMP echo request is made from a host running Sniffer Pro/NetXRay software. - --- -Impact: -Information gathering. An ICMP echo request can determine if a host is active. - --- -Detailed Information: -An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows host running Sniffer Pro/NetXRay software contains a unique payload in the message request. - --- -Affected Systems: -All - --- -Attack Scenarios: -An attacker may attempt to determine live hosts in a network prior to launching an attack. - --- -Ease of Attack: -Simple - --- -False Positives: -An ICMP echo request may be used to legimately troubleshoot networking problems. - --- -False Negatives: -None known. - --- -Corrective Action: -Block inbound ICMP echo requests. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Judy Novak - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/485.txt snort-2.9.2/doc/signatures/485.txt --- snort-2.8.5.2/doc/signatures/485.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/485.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -485 - --- -Summary: -This event is generated when a router was unable to forward a packet due -to filtering and used the Internet Control Message Protocol to alert -involved hosts. - --- -Impact: -Unknown. This particular message is meant only to be informative but can be -indicative of malicious activity (spoofed traffic, DoS). - --- -Detailed Information: -A packet sent between two points on a network was administratively -prohibited via filtering of some sort. The host or device performing the -filtering returned an ICMP message informing the apparent source host -that filtering had been done. - --- -Affected Systems: - All systems. - --- -Attack Scenarios: -In a DoS attack it is common to to use spoofed source addresses. If -and when the traffic gets filtered and an ICMP message is returned, -the spoofed source address will be the recipient of the ICMP message. -A similar situation may occur when a large portscan is occuring and an -attempt is made to mask the true source of the scan by using spoofed -source addresses. - --- -Ease of Attack: -Simple. Tools are readily available that can craft arbitrary ICMP -packets. It is also possible to spoof packets using arbitrary -addresses potentially causing intermediary routers to generate ICMP -messages. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -None needed unless messages become excessive or appear to be invalid. - -Determine what traffic caused this particular ICMP message to be -generated and act accordingly. 
- --- -Contributors: -Original rule writer unknown -Snort documentation contributed by Jon Hart -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - -RFC 1812: -ftp://ftp.isi.edu/in-notes/rfc1812.txt - --- diff -Nru snort-2.8.5.2/doc/signatures/486.txt snort-2.9.2/doc/signatures/486.txt --- snort-2.8.5.2/doc/signatures/486.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/486.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,67 +0,0 @@ -Rule: - --- - -Sid: -486 - --- - -Summary: -This event is generated when an ICMP destination unreachable -(Communication with Destination Host is Administratively Prohibited) -datagram is detected on the network. - --- - -Impact: -This message is generated when a datagram failed to traverse the -network. This could be an indication of routing or network problems. - --- - -Detailed Information: -This rule generates informational events about the network. Large -numbers of these messages on the network could indication routing -problems, faulty routing devices, or improperly configured hosts. - --- - -Attack Scenarios: -None known. - --- - -Ease of Attack: -Numerous tools and scripts can generate these types of ICMP datagrams. - --- - -False Positives: -None known. - --- - -False Negatives: -None known. - --- - -Corrective Action: -This rule detects informational network information, so no corrective -action is necessary. - --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None. - - --- diff -Nru snort-2.8.5.2/doc/signatures/487.txt snort-2.9.2/doc/signatures/487.txt --- snort-2.8.5.2/doc/signatures/487.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/487.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- - -Sid: -486 - --- - -Summary: -This event is generated when an ICMP destination unreachable -(Communication with Destination Host is Administratively Prohibited) -datagram is detected on the network. - --- - -Impact: -This message is generated when a datagram failed to traverse the -network. This could be an indication of routing or network problems. - --- - -Detailed Information: -This rule generates informational events about the network. Large -numbers of these messages on the network could indication routing -problems, faulty routing devices, or improperly configured hosts. - --- - -Attack Scenarios: -None known. - --- - -Ease of Attack: -Numerous tools and scripts can generate these types of ICMP datagrams. - --- - -False Positives: -None known. - --- - -False Negatives: -None known. - --- - -Corrective Action: -This rule detects informational network information, so no corrective -action is necessary. - --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None. - - --- diff -Nru snort-2.8.5.2/doc/signatures/488.txt snort-2.9.2/doc/signatures/488.txt --- snort-2.8.5.2/doc/signatures/488.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/488.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -488 - --- -Summary: -This event is generated when a connection is closed from a resource -external to the protected network. - --- -Impact: -Unknown. - --- -Detailed Information: -This event indicates that an established connection has been closed -from a source external to the protected network. Since the external -connection port is 80, this is unusual behavior. It may be that an -attacker is using port 80 on the external machine to initiate a -connection to a machine on the protected network in an attempt to bypass -firewall protection. When this connection is terminated, this rule will -generate an event. - --- -Affected Systems: - All systems - --- -Attack Scenarios: -An attacker can use port 80 from a compromised machine to connect to -another compromised host in an attempt to bypass firewall restrictions -by imitating normal web traffic. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known - --- -False Negatives: -None known - --- -Corrective Action: -Investigate the host for signs of system compromise. - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/489.txt snort-2.9.2/doc/signatures/489.txt --- snort-2.8.5.2/doc/signatures/489.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/489.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,75 +0,0 @@ -Rule: - --- - -Rule: --- -Sid: -489 - --- - -Summary: -This event is generated when an attempt is made to log into an ftp -server with an empty password. - --- - -Impact: -Possible unauthorized access, invalid login attempt. - --- - -Detailed Information: -An attempt was made to log into an ftp server with an empty password. -This is an unusual behavior as every ftp login usually has a password, -even anonymous ones. An empty password might mean the system was already -compromised and a username exists with no password. - --- - -Affected Systems: -Machines running ftp servers. - --- - -Attack Scenarios: -An attacker gains access to the system via a vulnerability, creates a -login without a password and then tries to ftp to the system with that -login. - --- - -Ease of Attack: -Simple, no exploit software required. - --- - -False Positives: -There might be legitimate users on the system with empty passwords, but -not very likely. - --- - -False Negatives: -None known. - --- - -Corrective Action: -Check all the usernames on the system for empty passwords. - --- - -Contributors: -Original Rule Writer Max Vision -Snort documentation contributed by Chaos - --- - -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS322 - --- diff -Nru snort-2.8.5.2/doc/signatures/490.txt snort-2.9.2/doc/signatures/490.txt --- snort-2.8.5.2/doc/signatures/490.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/490.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -490 - --- - -Summary: -This event is generated when network traffic containing the string -BattleMail is observed. - --- - -Impact: -Unknown - --- - -Detailed Information: -Email communications containing the string "BattleMail" has been -detected in network traffic going to a mail server on the protected -network. This may indicate participation in an email gaming system by -the recipient. - --- - -Affected Systems: - All email servers - --- - -Attack Scenarios: -Not applicable - --- - -Ease of Attack: -Simple, no exploit software required. - --- - -False Positives: -None known - --- - -False Negatives: -None known. - --- - -Corrective Action: -Not applicable - --- - -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- - -Additional References: - -Battlemail: -http://www.thaicybersoft.com/download/internet/e-mail/BattleMail/ - --- diff -Nru snort-2.8.5.2/doc/signatures/491.txt snort-2.9.2/doc/signatures/491.txt --- snort-2.8.5.2/doc/signatures/491.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/491.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Rule: --- -Sid: -491 - --- -Summary: -This event is generated when a failed attempt to login to an FTP server -is detected. - --- -Impact: -Unknown. Multiple events may indicate an attempt to enumerate accounts -and passwords using brute force methodology. - --- -Detailed Information: -This event is generated when a failed attempt to login to an FTP server -is detected. - -Multiple events may indicate an attempt to enumerate accounts -and passwords using brute force methodology. - --- -Affected Systems: - All FTP Servers - --- -Attack Scenarios: - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Check FTP logs for access attempts. - -Disallow FTP access from sources external to the protected network. - -Consider using Secure Shell as a replacement for FTP services. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -RFC: -http://www.faqs.org/rfcs/rfc959.html - --- diff -Nru snort-2.8.5.2/doc/signatures/492.txt snort-2.9.2/doc/signatures/492.txt --- snort-2.8.5.2/doc/signatures/492.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/492.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,102 +0,0 @@ -Rule: - --- - -Rule: --- -Sid: -492 - --- - -Summary: -This event is generated when an unsuccessful login attempt was made via telnet. - --- - -Impact: -Possible unauthorized access via password brute-forcing - -An attacker may have attempted to gain access to a valid user's account -via the telnet service, but did not succeed. The telnet service is -running, which uses insecure authentication mechanisms. - --- - -Detailed Information: -A user tried to log on to a system via telnet, but has been rejected, -either due to invalid username, password, or both. This could mean -someone is trying to log on without proper password (if there are -multiple unsuccessful logins) or they may have just mistyped the -username or the password. - -The telnet server typically runs on TCP port 23. Upon access to the -server, account access is granted based on an unencrypted user name and -password. Upon a failed login (resulting from either an invalid account -or an incorrect password), a login failure message will be returned. -This rule matches the common text "Login failed". - --- - -Affected Systems: -Any system running a telnet server. - --- - -Attack Scenarios: -Attackers can, particularly when armed with a valid account name, -attempt to use guessing attacks or brute-force means to gain access via -the telnet service. Many successive events of this type would likely be -indicative of such an attack. - -The use of a telnet server allows the passive attack of traffic -sniffing, which can extract a username and password from any valid -login. - --- - -Ease of Attack: -Simple. - -This event indicates it is possible to perform a brute-force attack; the -ease of such an attack is dependent upon the strength of passwords, and -rate-limiting techniques employed by the telnet server in question. - --- - -False Positives: -This event will match any badly-typed or -remembered password, and will -therefore generate a false positive. Look for rapid successive events. 
- --- - -False Negatives: -If a password is correctly guessed, no failure will be noted. - --- - -Corrective Action: -Check how many invalid attempts occurred, change the password of the -user that tried to log in. - -It is best to avoid using telnet whenever possible; its authentication -system is lacking, and encryption is generally unavailable. If your -telnet server can be configured to temporarily disable access after -rapid successive failures, it as advised that you do so. - --- - -Contributors: -Original Rule Writer Unknown -Snort documentation contributed by Chaos and Nick Black, Reflex Security -Sourcefire Research Team -Nigel Houghton - --- - -Additional References: - -Telnet RFC: -http://www.faqs.org/rfcs/rfc854.html - --- diff -Nru snort-2.8.5.2/doc/signatures/493.txt snort-2.9.2/doc/signatures/493.txt --- snort-2.8.5.2/doc/signatures/493.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/493.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,66 +0,0 @@ -Rule: - --- -Sid: 493 - --- -Summary: -This event is generated when an attempt is made to access the psyBNC IRC -"bouncer". - --- -Impact: - - --- -Detailed Information: -The psyBNC IRC bouncer was designed to hold a connection to an IRC server. As part -of the connection process, a psyBNC server will respond with -"Welcome!psyBNC@lam3rz.de". - --- -Affected Systems: - All systems using psyBNC. - --- -Attack Scenarios: -The psyBNC server itself is not necessarily a risk in itself, but this may be a -violation of corporate policy. Furthermore, psyBNC has found it's way into a large number -of rootkits, both as an IRC bouncer and as remote control agent for dDOS networks. - --- -Ease of Attack: -Simple. Any user can install psyBNC. - --- -False Positives: -None Known - --- -False Negatives: -A modified psyBNC server will not respond with "Welcome!psyBNC@lam3rz.de" and could -easily evade this rule. - -SSL encryption between client and server is possible. - --- -Corrective Action: -Check the originating host IP and source port and investigate the possibility of a -listening psyBNC server and possible system comprimise. - --- -Contributors: -Original rule writer unknown -Original document author unkown -Sourcefire Vulnerability Research Team -Nigel Houghton -Jon Hart - --- -Additional References: - -psyBNC: -http://www.psychoid.lam3rz.de/ -http://www.psychoid.net/ - --- diff -Nru snort-2.8.5.2/doc/signatures/494.txt snort-2.9.2/doc/signatures/494.txt --- snort-2.8.5.2/doc/signatures/494.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/494.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,58 +0,0 @@ -Rule: - --- -Sid: 494 - --- -Summary: -This event is generated by a successful attempt to execute a command. This may be indicative of post-compromise behavior indicating the use of a Windows command shell. - --- - -Impact: -Serious. An attacker may have the ability to execute commands remotely - --- -Detailed Information: -This event is generated by an unsuccessful attempt to execute a Windows command which generates the response "The command completed successfully". For example, it is generated in Windows 2000/XP after the "net" command (such as "net use") is used. The net commands are used for a wide variety of system tasks of interest to attackers and can be started from the windows shell (cmd.exe, command.com). - -Seeing this response in HTTP traffic indicates that an attacker may have been able to spawn a shell bound to a web port and has sucessfully executed a command. Note that the source address of this event is actually the victim and not that of the attacker. - --- - -Attack Scenarios: -An attacker gains an access to a Windows web server via IIS vulnerability and manages to start a cmd.exe shell. He then proceeds to map the DMZ network via "net use" commands. - --- - -Ease of Attack: -Simple. This post-attack behavior can accompany different attacks. - --- - -False Positives: -This rule will generate an event if the string "Command completed" appears in the content distributed by the web server, in which case the rule should be tuned. - --- -False Negatives: -None Known - --- -Corrective Action: -Investigate the web server for signs of compromise. - -Look for other IDS events involving the same IP addresses. 
- --- -Original rule writer unknown -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -Microsoft Technet: -http://www.microsoft.com/technet/prodtechnol/windows2000serv/support/FAQW2KCP.asp - --- diff -Nru snort-2.8.5.2/doc/signatures/495.txt snort-2.9.2/doc/signatures/495.txt --- snort-2.8.5.2/doc/signatures/495.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/495.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: 495 - --- - -Summary: -This event is generated by an unsuccessful attempt to execute a command. This may be indicative of post-compromise behavior indicating the use of a Windows command shell. - --- - -Impact: -Serious. An attacker may have the ability to execute commands remotely - --- -Detailed Information: -This event is generated by an unsuccessful attempt to execute a Windows command which generates the response "Bad command or filename". For example, it is generated by the Windows operating system if the executable file to be run from the command line is not found. - -Seeing this response in HTTP traffic indicates that an attacker may have been able to spawn a shell bound to a web port and has tried to execute a command. Note that the source address of this event is actually -the victim and not that of the attacker. - --- - -Attack Scenarios: -An attacker gains an access to a Windows web server via IIS vulnerability and manages to start a cmd.exe shell. He then tries to run other commands on the machine. - --- - -Ease of Attack: -Simple. This post-attack behavior can accompany different attacks. - --- - -False Positives: -This rule will generate an event if the string "Bad command -or filename" appears in the content distributed by a web server, in -which case the rule should be tuned. - --- -False Negatives: -None Known - --- -Corrective Action: -Investigate the web server for signs of compromise. - -Look for other IDS events involving the same IP addresses. - --- -Original rule writer unknown -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/496.txt snort-2.9.2/doc/signatures/496.txt --- snort-2.8.5.2/doc/signatures/496.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/496.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,57 +0,0 @@ -Rule: - --- -Sid: 496 - --- -Summary: -This event is generated by the successful completion of a directory listing operation. This may be indicative of post-compromise behavior indicating the use of a Windows command shell for listing directory contents. - --- -Impact: -Serious. An attacker may have the ability to execute commands remotely - --- -Detailed Information: -This event is generated when a standard Windows command for listing directories is executed. The string "Directory of" is typically shown in front of the directory listing on Windows NT/2000/XP. - -Seeing this response in HTTP traffic indicates that an attacker may have been able to spawn a shell bound to a web port and has successfully executed at least one command to list the contents of a directory directory. Note that the source address of this event is actually -the victim and not that of the attacker. - --- - -Attack Scenarios: -An attacker gains an access to a Windows web server via IIS vulnerability and manages to start a cmd.exe shell. He then proceeds to look for interesting files on the compromised server via the "dir" command. - --- - -Ease of Attack: -Simple. This post-attack behavior can accompany different attacks. - --- - -False Positives: -This rule will generate an event if the string "Directory of" appears in the content distributed by a web server, in which case the rule should be tuned. - --- -False Negatives: -None Known - --- - -Corrective Action: -Investigate the web server for signs of compromise. - -Look for other IDS events involving the same IP addresses. 
- --- -Contributors: -Original rule writer unknown -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/497.txt snort-2.9.2/doc/signatures/497.txt --- snort-2.8.5.2/doc/signatures/497.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/497.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,56 +0,0 @@ -Rule: - --- -Sid: 497 - --- -Summary: -This event is generated by the successful completion of a file transfer operation. This may be indicative of post-compromise behavior indicating the use of a Windows command shell for copying files. - --- -Impact: -Serious. An attacker may have the ability to transfer files from the victim host. - --- -Detailed Information: -This event indicates that a file was successfully copied using Windows command line shell. The string "1 file(s) copied" is shown after the successful completion of a Windows "copy" command. - -Seeing this response in HTTP traffic indicates that an attacker may have been able to spawn a shell bound to a web port and has successfully executed the copy command. Note that the source address of this event is actually the victim and not that of the attacker. - --- - -Attack Scenarios: -An attacker gains an access to a Windows web server via an IIS vulnerability and then copies "cmd.exe" into the directory accessible by the web server, thus creating a backdoor to access the system. - --- - -Ease of Attack: -Simple. This may be post-attack behavior and can be indicative of the successful exploitation of a vulnerable system. - --- - -False Positives: -None Known - --- -False Negatives: -None Known - --- - -Corrective Action: -Investigate the web server for other signs of compromise - -Look for other events generated by the same IP addresses. - --- -Contributors: -Original rule writer unknown -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/498.txt snort-2.9.2/doc/signatures/498.txt --- snort-2.8.5.2/doc/signatures/498.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/498.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,82 +0,0 @@ -Rule: - --- -Sid: -498 - --- - -Summary: -This event is generated by the use of a UNIX "id" command. This may be -indicative of post-compromise behavior where the attacker is checking -for super user privileges gained by a sucessful exploit against a -vulnerable system. - --- -Impact: -Serious. An attacker may have gained super user access to the system. - --- -Detailed Information: -This event is generated when a UNIX "id" command is used to confirm the -user name of the currenly logged in user over an unencrypted connection. -This connection can either be a legitimate telnet connection or the -result of spawning a remote shell as a consequence of a successful -network exploit. - -The string "uid=0(root)" is an output of an "id" command indicating that -the user has "root" privileges. Seeing such a response indicates that -some user, connected over the network to a target server, has root privileges. - --- - -Attack Scenarios: -A buffer overflow exploit against an FTP server results in "/bin/sh" -being executed. An automated script performing an attack, checks for the -success of the exploit via an "id" command. - --- - -Ease of Attack: -Simple. This may be post-attack behavior and can be indicative of the -successful exploitation of a vulnerable system. - --- - -False Positives: -This rule will generate an event if a legitimate system administrator -executes the "id" command over an unencrypted connection to verify the -privilege level available to him. - -This rule may also generate event by viewing the documentation on -snort.org or any other security related web site which may contain -details on this issue. - -The web site www.bugtraq.org serves a non-standard HTTP header of the -form "X-Mandatory-Snort-Alert: *GOBBLE* uid=65534(nobody) uid=0(root)" -browsing this site will generate an event. 
- --- -False Negatives: -None Known - --- - -Corrective Action: -Ensure that this event was not generated by a legitimate session then -investigate the server for signs of compromise - -Look for other events generated by the same IP addresses. - --- -Contributors: -Original rule writer unknown -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Nigel Houghton -Additional false positive information contributed by Arnd Fischer - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/499.txt snort-2.9.2/doc/signatures/499.txt --- snort-2.8.5.2/doc/signatures/499.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/499.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,74 +0,0 @@ -Rule: --- - -Sid: -499 - --- - -Summary: -This event is generated when a large ICMP packet is detected. Also known -as the "Ping of Death". - --- -Impact: -Denial of Service (DoS) by system crash or bandwidth utilisation. - --- -Detailed Information: -Some implementations of the IP stack may result in a system crash -or may hang when a large ICMP packet is sent to them. Alternatively -a large number of these packets may result in link saturation, -especially where bandwidth is limited. - -This attack was prevalent a number of years ago when the TCP/IP stack of -a number of operating systems could not handle large packet payloads. - --- -Affected Systems: - Multiple older systems. - --- -Attack Scenarios: -A malicious individual may send a series of large ICMP packets -to a host with the intention of either crashing or hanging the host, -or to saturate the available bandwidth. - --- -Ease of Attack: -Simple. - --- -False Positives: -A number of load balancing applications use 1500 byte ICMP packets to -determine the most efficent route to a host by measuring the latency -of multiple paths. - -HP-UX systems configured with PMTU discovery will send echo requests -in response to several types of network connections. PMTU Discovery -is enabled in HP-UX 10.30 and 11.0x by default. - -Windows 2000 uses large ICMP payloads to determine the speed of a link -when utilizing a Windows domain controller. - --- -False Negatives: -None Known - --- -Corrective Action: - --- -Contributors: -Original rule writer unknown -Original document author unkown -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - -ICMP Traffic - Seth Stein -http://www.wfu.edu/~steinsj5/work/icmp.html - --- diff -Nru snort-2.8.5.2/doc/signatures/500.txt snort-2.9.2/doc/signatures/500.txt --- snort-2.8.5.2/doc/signatures/500.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/500.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -500 --- -Summary: -This event is generated when an IPv4 packet has the loose source record -route IP option set. --- -Impact: -Information could be gathered about network topology, and machines -routing packets onto trusted links could be abused. --- -Detailed Information: -Loose source record routing specifies a series of machines which must be -used in the routing of a datagram. This can be useful to map out routes -using the traceroute program by adding discovered intermediary routers -one at a time. Furthermore, while a machine may normally be unreachable -due to default gateways, a compliant router can be forced to hand off -source routed packets to an intermediary capable of speaking both to the -outside world and target machines; the packet may then be forwarded on -to its destination. --- -Affected Systems: -Any machine fully implementing RFC 791 set up as a router. --- -Attack Scenarios: -By incrementing the TTL of successive packets, the topology of routes to -a host can be determined. Each compliant node along the way will reply -with an ICMP Time Exceeded bearing their address and the recorded route. --- -Ease of Attack: -Tools are readily available to employ source routing for the purpose of -network discovery; the bounce attack described is unlikely to surface in -a properly configured network. --- -False Positives: -None known. --- -False Negatives: -Network discovery can be done using other means than source routing. --- -Corrective Action: -Redesign network topologies so that routers are kept to a minimum; -disable routing by other machines. To prevent network mapping, don't -allow source-routed packets at all. 
--- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Nick Black, Reflex Security --- -Additional References: - -IP RFC: -http://www.faqs.org/rfcs/rfc791.html - --- diff -Nru snort-2.8.5.2/doc/signatures/501.txt snort-2.9.2/doc/signatures/501.txt --- snort-2.8.5.2/doc/signatures/501.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/501.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -501 - --- -Summary: -This event is generated when a packet is discovered with loose source routing set in the IP options. - --- -Impact: -Loose source routing permits the dictation of a route to and from the destination rather than relying on standard dynamic routing. - --- -Detailed Information: -Loose source routing instructs the packet to traverse identified routers in transit to and from the desired destination. Normal routing sends a packet one hop at a time allowing each interim router to determine the next hop. This may permit an attacker to spoof a source IP yet receive the response by sniffing from a network associated with an identified loose source router. A vulnerability exist in Windows 95, 98, and NT hosts that permits a vulernable destination host to accept a specially crafted source routed packet even though the host has a registry setting to drop it. - --- -Affected Systems: -Unless loose source routing is disabled, all hosts can accept them. - --- -Attack Scenarios: -An attacker can craft a special source routed packet to cause Windows 95, 98, and NT hosts to accept them even though a registry setting exists to drop source routed packets. - --- -Ease of Attack: -Simple. - --- -False Positives: -This even will trigger if you allow loose source routed packets into your network. - --- -False Negatives: -None Known. - --- -Corrective Action: -Block all source routed (loose or strict) packets from entering your network. 
- --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Bugtraq -http://www.securityfocus.com/bid/646 - -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0909 - -Whitehats -www.whitehats.com/info/IDS470 - --- diff -Nru snort-2.8.5.2/doc/signatures/502.txt snort-2.9.2/doc/signatures/502.txt --- snort-2.8.5.2/doc/signatures/502.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/502.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,71 +0,0 @@ -Rule: - --- -Sid: -502 - --- -Summary: -This event is generated when an IPv4 packet set the strict source record -route IP option. - --- -Impact: -Information could be gathered about network topology, and machines -routing packets onto trusted links could be abused. - --- -Detailed Information: -Strict source record routing specifies a series of machines which must -be exclusively used in the routing of a datagram. This can be useful to -map out routes ala the traceroute program by adding discovered -intermediary routers one at a time. Furthermore, while a machine may -normally be unreachable due to default gateways, a compliant router can -be forced to hand off source routed packets to an intermediary capable -of speaking both to the outside world and target machines; the packet -may then be forwarded on to its destination. - --- -Affected Systems: -Any machine fully implementing RFC 791 set up as a router. - --- -Attack Scenarios: -By incrementing the TTL of successive packets, the topology of routes to -a host can be determined. Each compliant node along the way will reply -with an ICMP Time Exceeded bearing their address and the recorded route. - --- -Ease of Attack: -Tools are readily available to employ source routing for the purpose of -network discovery; the bounce attack described is unlikely to surface in -a properly configured network. - --- -False Positives: -None - --- -False Negatives: -Network discovery can be done using other means than source routing. - --- -Corrective Action: -Redesign network topologies so that routers are kept to a minimum; -disable routing by other machines. To prevent network mapping, don't -allow source-routed packets at all. 
- --- -Contributors: -Snort documentation contributed by by Nick Black, Reflex Security -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -IP RFC: -www.faqs.org/rfcs/rfc791.html - --- diff -Nru snort-2.8.5.2/doc/signatures/503.txt snort-2.9.2/doc/signatures/503.txt --- snort-2.8.5.2/doc/signatures/503.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/503.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -503 - --- -Summary: -This event is generated when possible non-legitimate traffic is detected -that should not be allowed through a firewall. - --- -Impact: -This can be used to pass through a poorly configured firewall. - --- -Detailed Information: -Traffic from port 20 is normally FTP traffic. Commands are passed to an -FTP server over port 21. In order to download files, a client tells the -FTP server to connect to the client on port 'X' where 'X' is a port -above 1023. The FTP server then connects to the client on the given -port using the source port of 20. Ports below 1024 are privileged, a -legitimate connection from an ftp server should always be to a port -above 1023. Some misconfigured firewalls may blindly allow connections -to any port from a source port of 20. - --- -Affected Systems: - -All - --- -Attack Scenarios: -An attacker could use a source port of 20 for TCP connections to bypass -a poorly configured firewall. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Connections from port 20 should only be allowed to ports >=1024. A -better solution would be block this traffic entirely and force FTP -clients inside the firewall to use PASV mode. - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Steven Alexander --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS06 - --- diff -Nru snort-2.8.5.2/doc/signatures/504.txt snort-2.9.2/doc/signatures/504.txt --- snort-2.8.5.2/doc/signatures/504.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/504.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -504 - --- -Summary: -This event is generated when possible non-legitimate traffic is detected -that should not be allowed through a firewall. - --- -Impact: -This can be used to pass through a poorly configured firewall. - --- -Detailed Information: - -Traffic from TCP port 53 is used by DNS servers for zone transfers. -Normal DNS traffic uses the UDP protocol. An attacker could use a TCP -source port of 53 to pass through a poorly configured firewall. DNS -traffic from port 53 using either UDP or TCP should be to a port above -1023. Ports 1023 and below are privileged. - --- -Affected Systems: - -All - --- -Attack Scenarios: -An attacker could use a source port of 53 for TCP connections to bypass -a poorly configured firewall. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Incoming connections from TCP port 53 should only be allowed to machines -that need the ability to do zone tranfers. - -Connections from TCP port 53 should only be allowed to ports >=1024 on -these machines. - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Steven Alexander --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS07 - --- diff -Nru snort-2.8.5.2/doc/signatures/505.txt snort-2.9.2/doc/signatures/505.txt --- snort-2.8.5.2/doc/signatures/505.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/505.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@ -Rule: - --- -SID: -505 - --- -Summary: -This event is generated when an attempt is made to login to a Timbuktu server using an unencrypted link. - --- -Impact: -Serious. Unauthorized access to the server. - --- -Detailed information: -Looks at the initial hex code of a Timbuktu client login and captures the login and password combination. - -This is a poor security practice over the open internet and on untrusted network links. This is a Timbuktu login going over plaintext to the Timbuktu server. - -That means that anyone sniffing the wire can now use the login and password used to gain access to the Timbuktu server. - --- -Affected Systems: - Windows all versions - Mac OS 7.5.3 and later - --- -Attack Scenario: -An attacker can use a sniffer to gain the user login credentials and use the information to gain unauthorized access to the machine. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known - --- -False Negatives: -Timbuktu may use a port other than 1417 - --- -Corrective Action: -Use Timbuktu over encrypted links or only on local LANs - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Jake Babbin - --- -References: - -Arachnids: -arachnids 229 - --- diff -Nru snort-2.8.5.2/doc/signatures/506.txt snort-2.9.2/doc/signatures/506.txt --- snort-2.8.5.2/doc/signatures/506.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/506.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -506 - --- -Summary: -This event is generated when the Ramen worm attempts to retrieve a copy of the worm from a host. - --- -Impact: -Severe. The Ramen worm is already on the host and is currently propagating from the source ip address. - --- -Detailed Information: -The Ramen worm is a set of exploits that uses synscan to grab banners before exploiting new hosts. - -It scans automatically for random class B IP addresses and attacks them if possible. Another feature is the automatic defacement of index(.htm/html) files. The exploits are used to attack vulnerable WuFTPd servers, vulnerable RPC services (statd format string exploit) or vulnerable LPRng services. The RPC statd exploit binds suid shell on port 39168 which is used for further host compromise. - --- -Affected Systems: -Various Linux systems - --- -Attack Scenarios: -The RPC, WuFTP or LPRng printer spooler service was vulnerable and attacked by Ramen worm. The host is then back-doored on port 39168 and propagates to other vulnerable hosts in a class B/C network. - --- -Ease of Attack: -Simple. 
This is Worm activity - --- -False Positives: -None known - --- -False Negatives: -None known - --- -Corrective Action: -- rm -rf /usr/src/.poop (it contains the worm files) -- rm -rf /tmp/ramen.tar.gz (Ramen worm files with exploits and shellscripts) -- Delete line "/user/src/.poop/start*.sh" in /etc/rc.d/rc.sysinit -- ps -Af | grep "asp" (Search PID of asp service port webserver) -- kill -9 %PID_you_just_saw% -- rm /sbin/asp (backdoor webserver, which binds to 27374) -- Service startup: - - Using Inetd (Redhat 6): remove line "asp stream tcp nowait root" form /etc/inetd.conf and restart inetd service - - Using XInet.d (Redhat 7): rm -rf /etc/xinet.d/asp -- Update /etc/hosts.deny because Ramen worm deletes the file or modifies it -- Check index(.htm/html) files since they may be modified by the worm -- Update WuFTPd server, NFS service, LPRng service -- Reboot the host - --- -Contributors: -Snort documentation contributed by Ueli Kistler, -Original Rule Writer Max Vision -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/507.txt snort-2.9.2/doc/signatures/507.txt --- snort-2.8.5.2/doc/signatures/507.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/507.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,78 +0,0 @@ -Rule: - --- -Sid: -507 - --- -Summary: -This event is generated when an attempt is made to gain administrative -rights to a PC running pcAnywhere - --- -Impact: -Serious. By the very nature of pcAnywhere, without a strong administrative -password, a successful attack will allow the attacker to gain total -control of the machine. - --- -Detailed Information: -pcAnywhere is a remote control administrative software package produced -by Symantec (http://www.symantec.com/pcanywhere/Consumer/features.html) -it allows control of a system via network or RAS connection. - --- -Affected Systems: - Windows XP Home and Professional - Windows 2000 Professional/Server - Windows NT Workstation and Server 4.0 - Windows 98/Me - --- -Attack Scenarios: -With a copy of pcAnywhere, and attacker can scan a network (port 22) or -war-dial a series of modems, looking for pcAnywhere signatures. - --- -Ease of Attack: -Simple. All that is required is an install of pcAnywhere and a host -to connect to. - --- -False Positives: -Since pcAnywhere uses the same port as SSH (22) a simple open port scan -can show hosts that my not have pcAnywhere installed - --- -False Negatives: -None Known - --- -Corrective Action: -Make sure only servers and workstations that require remote control have -pcAnywhere installed. -Make sure that a strong password is required for any level of access, -this ideally should be coupled with some for of alternate -authentication, such as SecurID, modem callback or be blocked at the -external firewall so that the remote control functionality is only -available on the protected network. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton -Snort documentation contributed by Mike Rivett ebiz@rivett.org - --- -Additional References: -Symantec PC Anywhere Home Page -http://www.symantec.com/pcanywhere/Consumer/ - -RSA: -RSA SecurID (www.rsasecurity.com/products/securid/) - -Arachnids: -http://www.whitehats.com/info/IDS240 - --- diff -Nru snort-2.8.5.2/doc/signatures/508.txt snort-2.9.2/doc/signatures/508.txt --- snort-2.8.5.2/doc/signatures/508.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/508.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ -Rule: - --- -Sid: -508 - --- -Summary: -This event is generated when a Gopher server is used as a proxy to connect to an FTP server. - --- -Impact: -This allows a user to assume the source IP of the Gopher server when connecting to an FTP server. - --- -Detailed Information: -A Gopher server may support proxy connections to FTP servers. This allows a user to assume the source IP of the Gopher server when connecting to an FTP server. This may be used to bypass FTP access restrictions based on source IP's. - --- -Affected Systems: -Any Gopher server that supports proxy connections to FTP servers. - --- -Attack Scenarios: -A user who is normally restricted access to an FTP server based on the originating IP may attempt to circumvent this by attempting access from a Gopher server that supports proxy connections to FTP servers. - --- -Ease of Attack: -Simple. - --- -False Positives: -This even will trigger if a Gopher server suuports proxy connections to FTP servers. - --- -False Negatives: -None Known. - --- -Corrective Action: -Disable the use of Gopher server. - --- -Contributors: -Original rule written by Max Vision -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Whitehats -www.whitehats.com/info/IDS409 - --- diff -Nru snort-2.8.5.2/doc/signatures/509.txt snort-2.9.2/doc/signatures/509.txt --- snort-2.8.5.2/doc/signatures/509.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/509.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -509 - --- -Summary: -This event is generated when an attempt is made to exploit an -authentication vulnerability in a web server or an application running -on that server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a web server or an application running ona web server. Some -applications do not perform stringent checks when validating the -credentials of a client host connecting to the services offered on a -host server. This can lead to unauthorized access and possibly escalated -privileges to that of the administrator. Data stored on the machine can -be compromised and trust relationships between the victim server and -other hosts can be exploited by the attacker. - --- -Affected Systems: - --- -Attack Scenarios: -An attacker can access the authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Disallow administrative access from sources external to the protected -network. - -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/510.txt snort-2.9.2/doc/signatures/510.txt --- snort-2.8.5.2/doc/signatures/510.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/510.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-510
-
---
-Summary:
-This event is generated when an attempt is made to change the message on
-the LCD display on a JetDirect enabled HP printer.
-
---
-Impact:
-User confusion and comedy, mostly.
-
---
-Detailed Information:
-HP JetDirect printers allow remote machines to change the message that
-is displayed on the LCD panel via the PJL command. This event indicates
-that this command has been used in network traffic.
-
---
-Affected Systems:
- HP JetDirect enabled printers
-
---
-Attack Scenarios:
-As part of an attempt to confuse and annoy users, an attacker may
-attempt to change the message displayed on the printers LCD screen.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Update to the latest JetDirect, and investigate the possibility of
-restricting access to a central print-server using the "allow:
-" directive in a printer config file.
-
-Disallow printer use from hosts outside the protected network.
-
---
-Contributors:
-Original rule writer unknown
-Snort documentation contributed by Jon Hart
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/511.txt snort-2.9.2/doc/signatures/511.txt
--- snort-2.8.5.2/doc/signatures/511.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/511.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,76 +0,0 @@
-Rule:
-
---
-Sid:
-511
-
---
-Summary:
-This event is generated when an attempt is made to gain access to a PC
-running pcAnywhere
-
---
-Impact:
-Serious. By the very nature of pcAnywhere, without a strong administrative
-password, a successful attack will allow the attacker to gain total
-control of the machine.
-
---
-Detailed Information:
-pcAnywhere is a remote control administrative software package produced
-by Symantec (http://www.symantec.com/pcanywhere/Consumer/features.html)
-it allows control of a system via network or RAS connection.
-
---
-Affected Systems:
- Windows XP Home and Professional
- Windows 2000 Professional/Server
- Windows NT Workstation and Server 4.0
- Windows 98/Me
-
---
-Attack Scenarios:
-With a copy of pcAnywhere, and attacker can scan a network (port 22) or
-war-dial a series of modems, looking for pcAnywhere signatures.
-
---
-Ease of Attack:
-Simple. All that is required is an install of pcAnywhere and a host
-to connect to.
-
---
-False Positives:
-Since pcAnywhere uses the same port as SSH (22) a simple open port scan
-can show hosts that my not have pcAnywhere installed
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Make sure only servers and workstations that require remote control have
-pcAnywhere installed.
-Make sure that a strong password is required for any level of access,
-this ideally should be coupled with some for of alternate
-authentication, such as SecurID, modem callback or be blocked at the
-external firewall so that the remote control functionality is only
-available on the protected network.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-Snort documentation contributed by Mike Rivett ebiz@rivett.org
-
---
-Additional References:
-
-RSA:
-RSA SecurID (www.rsasecurity.com/products/securid/)
-
-Arachnids:
-http://www.whitehats.com/info/IDS240
-
---
diff -Nru snort-2.8.5.2/doc/signatures/512.txt snort-2.9.2/doc/signatures/512.txt
--- snort-2.8.5.2/doc/signatures/512.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/512.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,78 +0,0 @@
-Rule:
-
---
-Sid:
-512
-
---
-Summary:
-This event is generated when an attempt is made to gain access to a PC
-running pcAnywhere
-
---
-Impact:
-Serious. By the very nature of pcAnywhere, without a strong administrative
-password, a successful attack will allow the attacker to gain total
-control of the machine.
-
---
-Detailed Information:
-pcAnywhere is a remote control administrative software package produced
-by Symantec (http://www.symantec.com/pcanywhere/Consumer/features.html)
-it allows control of a system via network or RAS connection.
-
---
-Affected Systems:
- Windows XP Home and Professional
- Windows 2000 Professional/Server
- Windows NT Workstation and Server 4.0
- Windows 98/Me
-
---
-Attack Scenarios:
-With a copy of pcAnywhere, and attacker can scan a network (port 22) or
-war-dial a series of modems, looking for pcAnywhere signatures.
-
---
-Ease of Attack:
-Simple. All that is required is an install of pcAnywhere and a host
-to connect to.
-
---
-False Positives:
-Since pcAnywhere uses the same port as SSH (22) a simple open port scan
-can show hosts that my not have pcAnywhere installed
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Make sure only servers and workstations that require remote control have
-pcAnywhere installed.
-Make sure that a strong password is required for any level of access,
-this ideally should be coupled with some for of alternate
-authentication, such as SecurID, modem callback or be blocked at the
-external firewall so that the remote control functionality is only
-available on the protected network.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-Snort documentation contributed by Mike Rivett ebiz@rivett.org
-
---
-Additional References:
-Symantec PC Anywhere Home Page
-http://www.symantec.com/pcanywhere/Consumer/
-
-RSA:
-RSA SecurID (www.rsasecurity.com/products/securid/)
-
-Arachnids:
-http://www.whitehats.com/info/IDS240
-
---
diff -Nru snort-2.8.5.2/doc/signatures/513.txt snort-2.9.2/doc/signatures/513.txt
--- snort-2.8.5.2/doc/signatures/513.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/513.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-513
-
---
-Summary:
-This event is generated when a Cisco Catalyst switch responds to an external connection that it is listening on the remote management port.
-
---
-Impact:
-Denial of service. A successful connection to the remote management port may allow an attacker access to the switch.
-
---
-Detailed Information:
-TCP port 7161 is the remote management port for Cisco Catalyst switches. A vulnerability exists that may allow a user to connect to this port on an affected switch and cause the supervisor module to reload, disabling service while in progress.
-
-
---
-Affected Systems:
-Cisco switches:
-
- The Catalyst 12xx family, running supervisor software versions up to and including 4.29.
-
- The Catalyst 29xx family (but not the Catalyst 2900XL), running supervisor software versions up to and including 2.1(5), 2.1(501), and 2.1(502).
-
- The Catalyst 5xxx series (including the Catalyst 55xx family), running supervisor software versions up to and including 2.1(5), 2.1(501), and 2.1(502).
-
---
-Attack Scenarios:
-An attacker can exploit a vulnerability associated with the remote management port of Cisco switches, causing a denial of service.
-
---
-Ease of Attack:
-Unknown.
-
---
-False Positives:
-This event is generated if any host on the internal network is listening on TCP port 7161 and responds to an external connection request.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Disable external access to the Cisco switch remote management port.
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Whitehats
-www.whitehats.com/info/IDS129
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0430
-
---
diff -Nru snort-2.8.5.2/doc/signatures/514.txt snort-2.9.2/doc/signatures/514.txt
--- snort-2.8.5.2/doc/signatures/514.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/514.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-514
-
---
-Summary:
-This activity is a sign of a host that has been compromised by the ramen worm, which is attempting to retrieve the worm binaries from a remote system.
-
---
-Impact:
-Severe; this host issued a request to a malicious web server to download the ramen worm binaries. After the binaries are downloaded, the compromised host acts as a scanner and could be used to attack other hosts.
-
---
-Detailed Information:
-This rule looks for GET requests to a compromised webserver running on TCP port 27374. The compromised webserver serves up the ramen binaries required to continue the propagation of the malicious code. After the host is compromised, a random number generator selects IP address ranges to scan for other vulnerable hosts. The ramen worm is wide spread, and affects vulnerable Red Hat Linux 6.2 and 7.0 machines. The worm exploited well-known vulnerabilities in LPRng, rpc.statd, and wu-ftpd.
-
---
-Attack Scenarios:
-This is a worm; after it is released, it self-propagates. Once a vulnerable machine is found, worm binaries are downloaded and the newly compromised machine becomes a scanning agent to further the worm's propagation.
-
---
-Ease of Attack:
-Simple execution of worm code.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-If the worm code is changed to contact a port other than 27374 tcp, then this rule would not catch the activity.
-
---
-Corrective Action:
-
---
-Contributors:
-Original rule writer Max Vision
-Sourcefire Research Team
-Mike Poor
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS461
-
-CIAC:
-http://www.ciac.org/ciac/bulletins/l-040.shtml
-
-SANS:
-http://www.sans.org/y2k/ramen.htm
-
---
diff -Nru snort-2.8.5.2/doc/signatures/516.txt snort-2.9.2/doc/signatures/516.txt
--- snort-2.8.5.2/doc/signatures/516.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/516.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Nigel - added new references to the rule and bumped up revision number.
-Rule:
-
---
-Sid:
-516
-
---
-Summary:
-This event is generated when an attempt is made by Simple Network Management Protocol (SNMP) to enumerate Server Message Block (SMB) users on the host.
-
---
-Impact:
-Reconnaissance. An attacker may obtain SMB usernames of the remote host.
-
---
-Detailed Information:
-Server Message Block is a network file sharing protocol used between Windows hosts and Unix and between Windows hosts that communicate via Samba. SNMP can be used to query a remote host that listens for SNMP requests and supports SMB, to list the SMB usernames. This provides reconnaissance of valid usernames and may be followed by a brute force attack to guess passwords.
-
---
-Affected Systems:
-Hosts that run SMB and listen for SNMP requests.
-
---
-Attack Scenarios:
-An attacker may obtain a list of current usernames on the remote host as a precursor of attempting a brute force attack to guess passwords of those users.
-
---
-Ease of Attack:
-A Nessus script exists to list current SMB users.
-
---
-False Positives:
-None.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Block inbound SNMP traffic.
-
-Disable SNMP as a listening service on the remote host unless it is required.
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS333
-
-Nessus:
-http://cgi.nessus.org/plugins/dump.php3?id=10546
-
---
diff -Nru snort-2.8.5.2/doc/signatures/517.txt snort-2.9.2/doc/signatures/517.txt
--- snort-2.8.5.2/doc/signatures/517.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/517.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-517
-
---
-Summary:
-This event is generated when an attempt is made to query the XDMCP
-service.
-
---
-Impact:
-Serious. Information disclosure. Unauthorized access to the system.
-
---
-Detailed Information:
-An XDMCP query can provide a wealth of information about a host such as
-a login screen, a list of users on the host, and to bypass access
-control restrictions used by tcpwrapper and to bypass the restriction of
-login by user "root" on the box.
-
---
-Affected Systems:
- Any UNIX based server running XDMCP.
-
---
-Attack Scenarios:
-An attacker can use this to find out information about the machine and
-then either launch a specific attack or connect to the X windows server
-using XDMCP.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disable XDMCP if not needed.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Josh Sakofsky
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS476
-
---
diff -Nru snort-2.8.5.2/doc/signatures/518.txt snort-2.9.2/doc/signatures/518.txt
--- snort-2.8.5.2/doc/signatures/518.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/518.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-
-Sid:
-518
-
---
-
-Summary:
-This event is generated when a TFTP PUT request is made. This is an indication that someone is attempting to create or place a file on the server.
-
---
-
-Impact:
-A TFTP PUT requests allows a remote attacker to create, modify, or replace files on the server running TFTP. If the TFTP server allows anonymous TFTP PUT requests it could be possible to upload malicious files and payloads to the server.
-
---
-
-Detailed Information:
-This rule will generate an event on in-bound TFTP PUT requests. Attackers my use TFTP to upload and download files from a server that is properly or improperly configured. This could result in malicious payload being uploaded to the server or sensitive files being downloaded.
-
---
-
-Attack Scenarios:
-Attackers may use TFTP to upload and download files from server that are properly or improperly configured. Normally attackers attempt to locate TFTP servers using automated scanners and tools. Once a TFTP server is located an attempt to write files and get files from the TFTP server is made. Depending on the results of those tests attackers may attempt to further exploit that system, by overwriting system files or downloading password files to access the system.
-
---
-
-Ease of Attack:
-Simple: Numerous tools and automated scripts exist for scanning large subnets for improperly configured TFTP servers.
-
---
-
-False Positives:
-Legitimate TFTP PUT requests for updating routers or other access devices may trigger this rule.
-
---
-
-False Negatives:
-None known
-
---
-
-Corrective Action:
-The TFTP server should be configured to only allow PUT requests from trusted locations.
-
---
-
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski Matt.Watchinski@sourcefire.com
-
---
-
-Additional References
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0183
-http://www.whitehats.com/info/IDS148
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/519.txt snort-2.9.2/doc/signatures/519.txt
--- snort-2.8.5.2/doc/signatures/519.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/519.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,54 +0,0 @@
-Rule:
-
---
-Sid:
-519
-
---
-Summary:
-This event is generated when a TFTP request is made with a parent directory designation of "..". This may be an indication of an attempt to request or place files on the TFTP server outside the root directory configured for the TFTP server.
-
---
-Impact:
-TFTP servers that allow files to be placed outside the configured root directory for the server may allow remote attackers to execute arbitrary commands on the system. Additionally if the TFTP server allows directory transversal using the ".." designator it may be possible to retrieve files from other directories on the system.
-
---
-Detailed Information:
-This rule searches for ".." payload in TFTP requests. Vulnerable TFTP servers may allow remote attackers to transfer files to directories outside the normal root directory configured for the TFTP server. This could result in sensitive files being transfered off the system or arbitrary files being upload to the system.
-
---
-Attack Scenarios:
-Using the ".." designator it may be possible to fool vulnerable TFTP server into placing files or retrieving files from outside the TFTP configured root directory. Normally an attacker will attempt to retrieve sensitive system files such as "../../etc/passwd" or "../../shadow" after determining if this attack vector is successful.
-
---
-Ease of Attack:
-Simple: Numerous tools and automated scripts exist for scanning large subnets for improperly configured TFTP servers.
-
---
-False Positives:
-None Known
-
---
-False Negatives
-None Known
-
---
-Corrective Action:
-Upgrade to the current version of your TFTP server solutation, or contact the product vendor for patch information.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski Matt.Watchinski@sourcefire.com
-
---
-Additional References
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0183
-
-Arachnids:
-http://www.whitehats.com/info/IDS137
-
---
diff -Nru snort-2.8.5.2/doc/signatures/520.txt snort-2.9.2/doc/signatures/520.txt
--- snort-2.8.5.2/doc/signatures/520.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/520.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,52 +0,0 @@
-Rule:
-
---
-Sid:
-520
-
---
-Summary:
-This event is generated when a TFTP request is made with a directory designation of "/". This may be an indication of an attempt to request or place files on the TFTP server outside the root directory configured for the TFTP server.
-
---
-Impact:
-TFTP servers that allow files to be placed outside the configured root directory for the server may allow remote attackers to execute arbitrary commands on the system. Additionally if the TFTP server allows directory transversal using the "/" designator it may be possible to retrieve files from other directories on the system.
-
---
-Detailed Information:
-This rule searches for a "/" payload in TFTP requests. Vulnerable TFTP servers may allow remote attackers to transfer files to directories outside the normal root directory configured for the TFTP server. This could result in sensitive files being transfered off the system or arbitrary files being upload to the system.
-
---
-Attack Scenarios:
-Using the "/" designator it may be possible to fool vulnerable TFTP server into placing files or retrieving files from outside the TFTP configured root directory. Normally an attacker will attempt to retrieve sensitive system files such as "/etc/passwd" or "/etc/shadow" after determining if this attack vector is successful.
-
---
-Ease of Attack:
-Simple: Numerous tools and automated scripts exist for scanning large subnets for improperly configured TFTP servers.
-
---
-False Positives:
-None Known
-
---
-False Negatives
-None Known
-
---
-Corrective Action:
-Upgrade to the current version of your TFTP server solution, or contact the product vendor for patch information.
-
-Contributers:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski Matt.Watchinski@sourcefire.com
-
-Additional References
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0183
-
-Arachnids:
-http://www.whitehats.com/info/IDS138
-
---
diff -Nru snort-2.8.5.2/doc/signatures/521.txt snort-2.9.2/doc/signatures/521.txt
--- snort-2.8.5.2/doc/signatures/521.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/521.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,54 +0,0 @@
-Rule:
---
-Sid:
-521
-
---
-Summary:
-This event is generated when an overly large UDP packet is observed.
-
---
-Impact:
-Possible denial of service. UDP packet payloads are typically smaller than 4000 bytes. One possible explanation of a payload of greater than 4000 bytes is an attempted denial of service.
-
---
-Detailed Information:
-UDP payloads are typically smaller than 4000 bytes since the UDP protocol is intended to be used for the transmission of smaller payloads. When a large payload is observed, it may be a sign or anomalous activity, perhaps an attempted denial of service against the remote host.
-
---
-Affected Systems:
-Any system that listens for a UDP service.
-
---
-Attack Scenarios:
-An attacker may craft large UDP payloads in an attempt to cause a denial of service against a remote host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-There may be UDP services offered that naturally support large payload sizes.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Allow only known UDP protocols inbound.
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS521
-
---
diff -Nru snort-2.8.5.2/doc/signatures/522.txt snort-2.9.2/doc/signatures/522.txt
--- snort-2.8.5.2/doc/signatures/522.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/522.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,86 +0,0 @@
-Rule:
-
---
-Sid:
-522
-
---
-Summary:
-This event is generated when an IPv4 fragment of dubiously small nature
-was detected.
-
---
-Impact:
-Many IDSes are known to have issues regarding the reassembly of IP
-fragments, and could miss an attack carried over such means. Firewalls
-suffer from the same issues, and can be tricked into allowing packets
-through that should normally be rejected. Furthermore, there is a small
-history of OS issues related to unorthodox fragmentation.
-
---
-Detailed Information:
-IPv4 manages to adapt to various link layer protocols on a route via the
-fragmentation mechanism outlined in its RFC. A router connecting two
-carrying media of varying MTU (Maximum Transmission Unit) can fragment
-packets of size too large to transmit on one wire before dispatch. When
-datagrams stay within one MTU, the maximum packet sizes possible can be
-used without fragmentation, thus pairing flexibility with efficiency.
-
-Historically, handling of fragmentation has been less than stellar in
-both IP stacks and the IDS systems designed to protect them. While the
-limited number of attacks based on fragmentation are easily picked up by
-anomaly- or signature-based system, IDSes which fail to properly
-reassemble fragments can miss any attack which is so fragmented.
-Firewalls have often proved susceptible to fragmented TCP or UDP
-headers, allowing traffic which should have been filtered to pass
-through.
-
---
-Affected Systems:
-Any IDS/firewall lacking proper IPv4 fragment reassembly.
-
---
-Attack Scenarios:
-An attacker may pass a fragment containing a TCP/UDP header which is
-allowed to pass through a firewall, then follow this up with a fragment
-which overwrites the previous headers, but is allowed due to poor
-connection tracking.
-
-An attacker may fragment an exploit, so that it is not detected by IPS
-nor filtered by IPS products.
-
---
-Ease of Attack:
-Tools have been written to trivially fragment traffic; Dug Song's
-fragrouter program is a well-known example.
-
---
-False Positives:
-It is unlikely that such a fragment would be seen in standard use of
-IPv4; while the last fragment in a series is typically smaller than the
-others, this signature explicilty matches the More Fragments bit.
-Nonetheless, a pedantic reading of the IPv4 RFC allows this, so long as
-the data length is a multiple of 8.
-
---
-False Negatives:
-Attacks may still be fragmented into larger chunks.
-
---
-Corrective Action:
-None
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Nick Black, Reflex Security
-
---
-Additional References:
-
-IPv4 RFC:
-http://www.faqs.org/rfcs/rfc791.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/523.txt snort-2.9.2/doc/signatures/523.txt
--- snort-2.8.5.2/doc/signatures/523.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/523.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid: 523
-
---
-Summary:
-This event is generated when packets on the network have the reserved
-bit set.
-
---
-Impact:
-Possible prelude to system compromise.
-
---
-Detailed Information:
-Under normal circumstances IP packets do not use the reserved bit.
-
-This may be an indicator of the use of the reserved bit by a malicious
-user to instigate covert channel communications.
-
-an indicator of unauthorized network use, reconnaisance activity or
-system compromise. These rules may also generate an event due to
-improperly configured network devices.
-
---
-Affected Systems:
- All
-
---
-Attack Scenarios:
-The attacker may send specially crafted packets with the reserved bit
-set.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Use a packet filtering device to reject packets with this bit set.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/524.txt snort-2.9.2/doc/signatures/524.txt
--- snort-2.8.5.2/doc/signatures/524.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/524.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid: 524
-
---
-Summary:
-This event is generated when TCP traffic to port 0 is detected. This
-should not be seen in normal TCP communications.
-
---
-Impact:
-Possible reconnaisance. This may be an attempt to verify the existance
-of a host or hosts at a particular address or address range.
-
---
-Detailed Information:
-TCP traffic to port 0 is not valid under normal circumstances.
-
-an indicator of unauthorized network use, reconnaisance activity or
-system compromise. These rules may also generate an event due to
-improperly configured network devices.
-
---
-Affected Systems:
- Any
-
---
-Attack Scenarios:
-The attacker could send packets to a host with a destination port of 0.
-The attacker might also be using hping to verify the existance of a host
-as a prelude to an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disallow TCP traffic to port 0.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/525.txt snort-2.9.2/doc/signatures/525.txt
--- snort-2.8.5.2/doc/signatures/525.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/525.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid: 525
-
---
-Summary:
-This event is generated when UDP traffic to port 0 is detected. This
-should not be seen in normal UDP communications.
-
---
-Impact:
-Denial of Service against Checkpoint Firewall 1 devices. Possible
-reconnaisance. This may be an attempt to verify the existance
-of a host or hosts at a particular address or address range.
-
---
-Detailed Information:
-UDP traffic to port 0 is not valid under normal circumstances.
-
-Certain versions of Checkpoints Firewall 1 are subject to a Denial of
-Service attack when UDP packets to port 0 are sent via VPN-1.
-
-an indicator of unauthorized network use, reconnaisance activity or
-system compromise. These rules may also generate an event due to
-improperly configured network devices.
-
---
-Affected Systems:
- Any
-
---
-Attack Scenarios:
-The attacker could send packets to a host with a destination port of 0.
-The attacker might also be using hping to verify the existance of a host
-as a prelude to an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disallow UDP traffic to port 0.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0675
-
---
diff -Nru snort-2.8.5.2/doc/signatures/526.txt snort-2.9.2/doc/signatures/526.txt
--- snort-2.8.5.2/doc/signatures/526.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/526.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid: 526
-
---
-Summary:
-This event is generated when SYN packets contain data greater than what
-is normally expected.
-
---
-Impact:
-Possible Denial of Service attack (DoS) or IDS evasion.
-
---
-Detailed Information:
-Under normal circumstances TCP SYN packets are exchanged between hosts
-to synchronize the TCP sequence numbers in a transaction. A SYN packet
-with a datagram size larger than 6 bytes may be an indication of a
-Denial of Service attack or an attempt to evade IDS.
-
-an indicator of unauthorized network use, reconnaisance activity or
-system compromise. These rules may also generate an event due to
-improperly configured network devices.
-
---
-Affected Systems:
- Any
-
---
-Attack Scenarios:
-The attacker would need to send specially crafted packets with the SYN
-flag set with a datagram size larger than 6 bytes. This may be achieved
-using a script or tool.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CERT:
-http://www.cert.org/incident_notes/IN-99-07.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/527.txt snort-2.9.2/doc/signatures/527.txt
--- snort-2.8.5.2/doc/signatures/527.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/527.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,80 +0,0 @@
-Rule:
-
---
-Sid: 527
-
---
-Summary:
-This event is generated when traffic on the network is using the same
-source and destination IP address.
-
---
-Impact:
-Possible Denial of Service.
-
---
-Detailed Information:
-Under normal circumstances traffic to and from the same IP address
-should not be seen on the network. This may be an indicator for the Land
-attack tool.
-
-Some TCP/IP stacks hang or even crash when presented with a TCP SYN
-packet containing the same source and destination IP address. Some
-target hosts will crash others will be temporarily disabled.
-
-an indicator of unauthorized network use, reconnaisance activity or
-system compromise. These rules may also generate an event due to
-improperly configured network devices.
-
-A packet that has the same source and destination IP addresses directed to TCP
-port 7007 or 7778 can cause a denial of service for Windows Media Station or
-Windows Media Monitor on Windows 2000 hosts SP2, SP3, SP4 running Windows Media
-services 4.0 or 4.1 will also generate an event from this rule.
-
---
-Affected Systems:
- Multiple systems from multiple vendors.
-
---
-Attack Scenarios:
-The attacker may send traffic from a spoofed source address, in this
-case the victims IP address.
-
-The attacker may be using the Land attack tool.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Employ egress filtering at the border router or firewall.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-SANS:
-http://www.sans.org/rr/firewall/egress.php
-
-CERT:
-http://www.cert.org/advisories/CA-1997-28.html
-
-Bugtraq:
-http://www.securityfocus.com/bid/9825
-
---
diff -Nru snort-2.8.5.2/doc/signatures/528.txt snort-2.9.2/doc/signatures/528.txt
--- snort-2.8.5.2/doc/signatures/528.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/528.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid: 528
-
---
-Summary:
-This event is generated when loopback traffic is seen on the network.
-
---
-Impact:
-Possible reconnaisance.
-
---
-Detailed Information:
-Under normal circumstances traffic to the localhost (127.0.0.0/8) should
-only be seen on the loopback interface (lo0).
-
-an indicator of unauthorized network use, reconnaisance activity or
-system compromise. These rules may also generate an event due to
-improperly configured network devices.
-
---
-Affected Systems:
- Any
-
---
-Attack Scenarios:
-The attacker may send traffic from a spoofed source address, in this
-case the localhost.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Employ egress filtering at the firewall.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-SANS:
-http://www.sans.org/rr/firewall/egress.php
-
---
diff -Nru snort-2.8.5.2/doc/signatures/529.txt snort-2.9.2/doc/signatures/529.txt
--- snort-2.8.5.2/doc/signatures/529.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/529.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -529 - --- -Summary: -This event is generated when an attempt is made to issue a Denial of -Service (DoS) attack against a host using the RFPoison tool. - --- -Impact: -Serious. Denial of Service. - --- -Detailed Information: -The Microsoft Local Security Authority (LSA) service does not handle -certain malformed requests correctly. This service allows for the -manipulation of user privileges on the host. A specially crafted -malformed request sent to the LSA service will cause the system to -become unresponsive. - --- -Affected Systems: - Microsoft Windows NT Workstation - Microsoft Windows NT Server - Microsoft Windows NT Terminal Server - --- -Attack Scenarios: -An attacker can use the RFPoison tool against a host to generate the -request necessary to cause the DoS. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -RFP: -http://www.wiretrip.net/rfp/txt/rfp9906.txt - -Microsoft: -http://support.microsoft.com/support/kb/articles/Q231/4/57.asp - --- diff -Nru snort-2.8.5.2/doc/signatures/530.txt snort-2.9.2/doc/signatures/530.txt --- snort-2.8.5.2/doc/signatures/530.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/530.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -530 - --- -Summary: -This event is generated when an attacker sends a blank username and blank password in an attempt to connect to the IPC$ (Interprocess Communication) pipe. - --- -Impact: -Information gathering. This attack can permit the disclosure of sensitive information about the target host. - --- -Detailed Information: -Null sessions allow browsing of Windows hosts by the "Network Neighborhood" and other functions. A Null session permits access to a host using a blank user name and password. At attacker may attempt to perform a Null session connection, disclosing sensitive information about the target host such as available shares and user names. - --- -Affected Systems: -Microsoft Windows hosts - --- - -Attack Scenarios: -An attacker can send a blank username and blank password to try to connect to the IPC$ hidden share on the target computer. - --- -Ease of Attack: -Simple. - --- -False Positives: -Null sessions may be used by legitimate processes in the same Windows domain. - --- -False Negatives: -None Known - --- -Corrective Action: -On Windows NT, 2000, XP set the registry key /System/CurrentControlSet/Control/LSA/RestrictAnonymous value to 1. - --- -Contributors: -Original rule written by Ian Viket -Documented by Nawapong Nakjang -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Arachnids -http://www.whitehats.com/info/IDS204 - -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0519 - --- diff -Nru snort-2.8.5.2/doc/signatures/532.txt snort-2.9.2/doc/signatures/532.txt --- snort-2.8.5.2/doc/signatures/532.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/532.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: -532 - --- -Summary: -This event is generated when an attempt is made to access an administrative share on a Windows machine. - --- -Impact: -Serious. Possible administrator access on the victim machine. - --- -Detailed Information: -This rule generates an event when the hidden Netbios share Admin$, which is the Winnt directory, is accessed via SMB. - -This is a poor security practice or an indication that a machine is being accessed remotely. - --- -Affected Systems: - Windows 9x - Windows 2000 - Windows XP - --- -Attack Scenario: -This can be accessed from GUI "map network drive" remotely - --- -Ease of Attack: -Simple - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Use a packet filtering firewall to disallow Netbios access from the unprotected network. - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Jake Babbin - --- -References: - -arachnids 340 - --- diff -Nru snort-2.8.5.2/doc/signatures/533.txt snort-2.9.2/doc/signatures/533.txt --- snort-2.8.5.2/doc/signatures/533.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/533.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -533 - --- -Summary: -This event is generated when an attempt is made to access the C$ default -administrative share of a Windows host. - --- -Impact: -Serious. Possible administrator access to the host. Information -disclosure. - --- -Detailed Information: -By default, Windows hosts have default administrative shares of the -local hard drives using the format %DRIVE_LETTER% + $. Anybody with -administrative rights can remotely access the share. - --- -Affected Systems: - Windows hosts. - --- -Attack Scenarios: -An attacker may be attempting to access files located on the C drive of -the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disallow Netbios access from external networks (tcp port 139). - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Josh Sakofsky - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS339 - -Microsoft: -http://support.microsoft.com/default.aspx?scid=kb;en-us;100517 - --- diff -Nru snort-2.8.5.2/doc/signatures/534.txt snort-2.9.2/doc/signatures/534.txt --- snort-2.8.5.2/doc/signatures/534.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/534.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -534 - --- -Summary: -This event is generated when an attempt is made to gain access to -private resources using Samba. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server. - --- -Detailed Information: -This event is generated when an attempt is made to use Samba to gain -access to private or administrative shares on a host. - --- -Affected Systems: - All systems using Samba for file sharing. - All systems using file and print sharing for Windows. - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -direct access to Windows adminsitrative shares. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. - --- -Contributors: -Original Rule Writer Max Vision -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/535.txt snort-2.9.2/doc/signatures/535.txt --- snort-2.8.5.2/doc/signatures/535.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/535.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -535 - --- -Summary: -This event is generated when an attempt is made to gain access to -private resources using Samba. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server. - --- -Detailed Information: -This event is generated when an attempt is made to use Samba to gain -access to private or administrative shares on a host. - --- -Affected Systems: - All systems using Samba for file sharing. - All systems using file and print sharing for Windows. - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -direct access to Windows adminsitrative shares. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. - --- -Contributors: -Original Rule Writer Max Vision -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/536.txt snort-2.9.2/doc/signatures/536.txt --- snort-2.8.5.2/doc/signatures/536.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/536.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -536 - --- -Summary: -This event is generated when an attempt is made to gain access to -private resources using Samba. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server. - --- -Detailed Information: -This event is generated when an attempt is made to use Samba to gain -access to private or administrative shares on a host. - --- -Affected Systems: - All systems using Samba for file sharing. - All systems using file and print sharing for Windows. - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -direct access to Windows adminsitrative shares. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. - --- -Contributors: -Original Rule Writer Max Vision -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/537.txt snort-2.9.2/doc/signatures/537.txt --- snort-2.8.5.2/doc/signatures/537.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/537.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -537 - --- -Summary: -This event is generated when an attempt is made to gain access to -private resources using Samba. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server. - --- -Detailed Information: -This event is generated when an attempt is made to use Samba to gain -access to private or administrative shares on a host. - --- -Affected Systems: - All systems using Samba for file sharing. - All systems using file and print sharing for Windows. - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -direct access to Windows adminsitrative shares. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. - --- -Contributors: -Original Rule Writer Max Vision -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/538.txt snort-2.9.2/doc/signatures/538.txt --- snort-2.8.5.2/doc/signatures/538.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/538.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -538 - --- -Summary: -This event is generated when an attempt is made to gain access to -private resources using Samba. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server. - --- -Detailed Information: -This event is generated when an attempt is made to use Samba to gain -access to private or administrative shares on a host. - --- -Affected Systems: - All systems using Samba for file sharing. - All systems using file and print sharing for Windows. - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -direct access to Windows adminsitrative shares. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. - --- -Contributors: -Original Rule Writer Max Vision -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/539.txt snort-2.9.2/doc/signatures/539.txt --- snort-2.8.5.2/doc/signatures/539.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/539.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -539 - --- -Summary: -This event is generated when an attempt is made to gain access to -private resources using Samba. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server. - --- -Detailed Information: -This event is generated when an attempt is made to use Samba to gain -access to private or administrative shares on a host. - --- -Affected Systems: - All systems using Samba for file sharing. - All systems using file and print sharing for Windows. - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -direct access to Windows adminsitrative shares. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. - --- -Contributors: -Original Rule Writer Max Vision -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/540.txt snort-2.9.2/doc/signatures/540.txt --- snort-2.8.5.2/doc/signatures/540.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/540.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,57 +0,0 @@ -Rule: - --- -Sid: 540 - --- -Summary: -This event is generated when activity relating to network chat clients is detected. - --- -Impact: -Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations. - --- -Detailed Information: -Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall. - -Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host. - --- -Attack Scenarios: -A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client. - -An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: -MSN Protocol -http://www.hypothetic.org/docs/msn/ -Devarticles -http://www.devarticles.com/index2.php?option=content&task=view&id=225&pop=1&hide_ads=1&page=1 -MSN Messenger Protocol -http://www.venkydude.com/articles/msn.htm - --- diff -Nru snort-2.8.5.2/doc/signatures/541.txt snort-2.9.2/doc/signatures/541.txt --- snort-2.8.5.2/doc/signatures/541.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/541.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,51 +0,0 @@ -Rule: - --- -Sid: 541 - --- -Summary: -This event is generated when activity relating to network chat clients is detected. - --- -Impact: -Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations. - --- -Detailed Information: -Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall. - -Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host. - --- -Attack Scenarios: -A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client. - -An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/542.txt snort-2.9.2/doc/signatures/542.txt --- snort-2.8.5.2/doc/signatures/542.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/542.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -542 - --- -Summary: -This event is generated when activity relating to network chat clients -is detected. - --- -Impact: -Policy Violation. Use of chat clients to communicate with unkown -external sources may be against the policy of many organizations. - --- -Detailed Information: -Instant Messaging (IM) and other chat related client software can allow -users to transfer files directly between hosts. This can allow malicious -users to circumvent the protection offered by a network firewall. - -Vulnerabilities in these clients may also allow remote attackers to gain -unauthorized access to a host. - -This event indicates that an IRC nickname change has been made from a -client originating from the protected network to an IRC server external -to the protected network. - --- -Attack Scenarios: -A user may transfer sensitive company information to an external party -using the file transfer capabilities of an IM client. - -An attacker might utilize a vulnerability in an IM client to gain access -to a host, then upload a Trojan Horse program to gain control of that -host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disallow the use of IM clients on the protected network and enforce or -implement an organization wide policy on the use of IM clients. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -IRC Protocol: -http://www.irchelp.org/irchelp/rfc/ - --- diff -Nru snort-2.8.5.2/doc/signatures/543.txt snort-2.9.2/doc/signatures/543.txt --- snort-2.8.5.2/doc/signatures/543.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/543.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -543 - --- -Summary: -This event is generated when an attempt is made to store a file named -"1mb" on an ftp server. - --- -Impact: -Possible abuse ftp behavior by hordes of warez sites, and the -existance of (potentially) illegal files/software on an ftp server. - --- -Detailed Information: -Warez sites have been known to name "warez" files by their size. Large -files are split into smaller, more manageable chunks, and allow warez -sites to store large files on ftp sites in a semi-organized manner. - --- -Affected Systems: - All FTP servers - --- -Attack Scenarios: -As part of an attempt to store elite warez on an ftp server, an -attacker named the file "1mb" to indicate it's size. This file is -likely part of an archive that represents a larger, most likely -illegal copy of media. - --- -Ease of Attack: -Simple. Exploit software is not required - --- -False Positives: -If a legitimate user has a legitimate file named "1mb", this rule may -generate an event. - --- -False Negatives: -This will detect only files named 1mb. If a warez site decides to -start naming their files in a different way this rule will not generate -an event. - --- -Corrective Action: -Inspect the ftp server for a file named 1mb. If it exists, determine -if the file is legitimate, or if it was deposited by someone attempting -to use the server to distribute non-legitimate files. - -Furthermore, evaluate the need for ftp write access. - --- -Contributors: -Original rule writer unknown -Snort documentation contributed by Jon Hart -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/544.txt snort-2.9.2/doc/signatures/544.txt --- snort-2.8.5.2/doc/signatures/544.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/544.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -544 - --- -Summary: -This event is generated when an attempt is made to retrieve a file named -"1mb" from an ftp server. - --- -Impact: -Possible abuse ftp behavior by hordes of warez sites, and the -existance of (potentially) illegal files/software on an ftp server. - --- -Detailed Information: -Warez sites have been known to name "warez" files by their size. Large -files are split into smaller, more manageable chunks, and allow warez -sites to store large files on ftp sites in a semi-organized manner. -Once these files are uploaded, it is common practice for other warez -users to attempt to retrieve them. - --- -Affected Systems: - All FTP servers - --- -Attack Scenarios: -As part of an attempt to store elite warez on an ftp server, an -attacker named the file "1mb" to indicate it's size. This file is -likely part of an archive that represents a larger, most likely -illegal copy of media. - --- -Ease of Attack: -Simple. Exploit software is not required - --- -False Positives: -If a legitimate user has a legitimate file named "1mb", this rule may -generate an event. - --- -False Negatives: -This will detect only files named 1mb. If a warez site decides to -start naming their files in a different way this rule will not generate -an event. - --- -Corrective Action: -Inspect the ftp server for a file named 1mb. If it exists, determine -if the file is legitimate, or if it was deposited by someone attempting -to use the server to distribute non-legitimate files. - -Furthermore, evaluate the need for ftp write access. - --- -Contributors: -Original rule writer unknown -Snort documentation contributed by Jon Hart -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/545.txt snort-2.9.2/doc/signatures/545.txt --- snort-2.8.5.2/doc/signatures/545.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/545.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,57 +0,0 @@ -Rule: - --- -Sid: -545 - --- -Summary: -This event is generated when an attempt is made to navigate in an FTP sessions to a hidden directory named "/ ". - --- -Impact: -Unauthorized file storage. An attacker may attempt to navigate on an FTP server to the "/ " directory to list or store unauthorized files such as unlicensed software. - --- -Detailed Information: -An attacker may attempt to hide unauthorized files in a hidden directory named "/ ". This hidden directory is hard to discover, permitting attackers to store unauthorized "warez" files, such as unlicensed or pirated software. - --- -Affected Systems: -FTP servers - --- -Attack Scenarios: -An attacker may navigate to the hidden directory named "/ " to list or store unauthorized files. - --- -Ease of Attack: -Simple. - --- -False Positives: -It is remotely possible that an authorized directory exists named "/ ". - --- -False Negatives: -Hidden directories other than those named "/ " may be used to store "warez" files. - --- -Corrective Action: -Assign restrictive permissions to all directories so unauthorized users cannot navigate or write to them. - -Regularly monitor directories for sudden or drastic increased use of space. - --- -Contributors: -Original rule writer unknown -Modified by Brian Caswell -Snort documentation contributed by Chaos -Sourcefire Research Team -Judy Novak - - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/546.txt snort-2.9.2/doc/signatures/546.txt --- snort-2.8.5.2/doc/signatures/546.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/546.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,56 +0,0 @@ -Rule: - --- -Sid: -546 - --- -Summary: -This event is generated when an attempt is made to navigate in an FTP session to a hidden directory name that begins with a space. - --- -Impact: -Unauthorized file storage. An attacker may attempt to navigate on an FTP server to a directory name that begins with a space to list or store unauthorized files such as unlicensed software. - --- -Detailed Information: -An attacker may attempt to hide unauthorized files in a hidden directory name that begins with a space. This hidden directory is hard to discover, permitting attackers to store unauthorized "warez" files, such as unlicensed or pirated software. - --- -Affected Systems: -FTP servers - --- -Attack Scenarios: -An attacker may navigate to the hidden directory name that begins with a space to list or store unauthorized files. - --- -Ease of Attack: -Simple - --- -False Positives: -It is remotely possible that an authorized directory exists with a name that begins with a space. - --- -False Negatives: -Hidden directories other than those with names that begin with a space may be used to store "warez" files. - --- -Corrective Action: -Assign restrictive permissions to all directories so unauthorized users cannot navigate or write to them. - -Regularly monitor directories for sudden or drastic increased use of space. - --- -Contributors: -Original rule writer unknown -Modified by Brian Caswell -Snort documentation contributed by Chaos -Sourcefire Research Team -Judy Novak - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/547.txt snort-2.9.2/doc/signatures/547.txt --- snort-2.8.5.2/doc/signatures/547.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/547.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,58 +0,0 @@ -Rule: - --- -Sid: -547 - --- -Summary: -This event is generated when an attempt is made to create a directory name that begins with a space on an FTP server. - --- -Impact: -Unauthorized file storage. An attacker may attempt to create a directory name that begins with a space on an FTP server, possibly in preparation to store unauthorized files. - - --- -Detailed Information: -An attacker may attempt to create a hidden directory name that begins with a space on an FTP server . This hidden directory is hard to discover, permitting attackers to store unauthorized "warez" files, such as unlicensed or pirated software. - - --- -Affected Systems: -FTP servers - --- -Attack Scenarios: -An attacker may attempt to create a hidden directory name that begins with a space to store unauthorized files. - --- -Ease of Attack: -Simple - --- -False Positives: -None Known. - --- -False Negatives: -Hidden directories other than those with a name that begins with a space may be created to store "warez" files. - --- -Corrective Action: -Assign restrictive permissions to all directories so unauthorized users cannot navigate or write to them. - -Regularly monitor directories for sudden or drastic increased use of space. - --- -Contributors: -Original rule writer unknown -Modified by Brian Caswell -Snort documentation contributed by Chaos -Sourcefire Research Team -Judy Novak - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/548.txt snort-2.9.2/doc/signatures/548.txt --- snort-2.8.5.2/doc/signatures/548.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/548.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,57 +0,0 @@ -Rule: - --- -Sid: -547 - --- -Summary: -This event is generated when an attempt is made to create a directory name that begins with a period on an FTP server. - --- -Impact: -Unauthorized file storage. An attacker may attempt to create a directory name that begins with a period on an FTP server, possibly in preparation to store unauthorized files. - - --- -Detailed Information: -An attacker may attempt to create a hidden directory name that begins with a period on an FTP server . This hidden directory is hard to discover, permitting attackers to store unauthorized "warez" files, such as unlicensed or pirated software. - --- -Affected Systems: -FTP servers - --- -Attack Scenarios: -An attacker may attempt to create a hidden directory name that begins with a period to store unauthorized files. - --- -Ease of Attack: -Simple - --- -False Positives: -It is remotely possible that an authorized directory exists with a name that begins with a period. - --- -False Negatives: -Hidden directories other than those with a name that begins with a period may be created to store "warez" files. - --- -Corrective Action: -Assign restrictive permissions to all directories so unauthorized users cannot navigate or write to them. - -Regularly monitor directories for sudden or drastic increased use of space. - --- -Contributors: -Original rule writer unknown -Modified by Brian Caswell -Snort documentation contributed by Chaos -Sourcefire Research Team -Judy Novak - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/549.txt snort-2.9.2/doc/signatures/549.txt --- snort-2.8.5.2/doc/signatures/549.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/549.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,57 +0,0 @@ -Rule: - --- -Sid: -549 - --- -Summary: -This event is generated when activity by Peer-to-Peer (p2p) clients is detected. - --- -Impact: -Informational event. Unauthorized use of a p2p client may be in progress. - --- -Detailed Information: -This event indicates that use of a p2p client has been detected. This may be against corporate policy. p2p clients connect to other p2p clients to share files, commonly music and video files but can be configured to share any file on the local machine. - -This activity may not only use bandwidth but may also be used to transfer company confidential information to unauthorized hosts external to the protected network bypassing other security measures in place. - --- -Affected Systems: -Any host using a p2p client. - --- -Attack Scenarios: -This is indicative of the use of a p2p client. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Check the host and uninstall any p2p client found. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: -OpenNap Specification -http://opennap.sourceforge.net/napster.txt - - --- diff -Nru snort-2.8.5.2/doc/signatures/550.txt snort-2.9.2/doc/signatures/550.txt --- snort-2.8.5.2/doc/signatures/550.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/550.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,57 +0,0 @@ -Rule: - --- -Sid: -550 - --- -Summary: -This event is generated when activity by Peer-to-Peer (p2p) clients is detected. - --- -Impact: -Informational event. Unauthorized use of a p2p client may be in progress. - --- -Detailed Information: -This event indicates that use of a p2p client has been detected. This may be against corporate policy. p2p clients connect to other p2p clients to share files, commonly music and video files but can be configured to share any file on the local machine. - -This activity may not only use bandwidth but may also be used to transfer company confidential information to unauthorized hosts external to the protected network bypassing other security measures in place. - --- -Affected Systems: -Any host using a p2p client. - --- -Attack Scenarios: -This is indicative of the use of a p2p client. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Check the host and uninstall any p2p client found. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: -OpenNap Specification -http://opennap.sourceforge.net/napster.txt - - --- diff -Nru snort-2.8.5.2/doc/signatures/551.txt snort-2.9.2/doc/signatures/551.txt --- snort-2.8.5.2/doc/signatures/551.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/551.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-551
-
---
-Summary:
-This event is generated when activity by Peer-to-Peer (p2p) clients is detected.
-
---
-Impact:
-Informational event. Unauthorized use of a p2p client may be in progress.
-
---
-Detailed Information:
-This event indicates that use of a p2p client has been detected. This may be against corporate policy. p2p clients connect to other p2p clients to share files, commonly music and video files but can be configured to share any file on the local machine.
-
-This activity may not only use bandwidth but may also be used to transfer company confidential information to unauthorized hosts external to the protected network bypassing other security measures in place.
-
---
-Affected Systems:
-Any host using a p2p client.
-
---
-Attack Scenarios:
-This is indicative of the use of a p2p client.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Check the host and uninstall any p2p client found.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-OpenNap Specification
-http://opennap.sourceforge.net/napster.txt
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/552.txt snort-2.9.2/doc/signatures/552.txt
--- snort-2.8.5.2/doc/signatures/552.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/552.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-552
-
---
-Summary:
-This event is generated when activity by Peer-to-Peer (p2p) clients is detected.
-
---
-Impact:
-Informational event. Unauthorized use of a p2p client may be in progress.
-
---
-Detailed Information:
-This event indicates that use of a p2p client has been detected. This may be against corporate policy. p2p clients connect to other p2p clients to share files, commonly music and video files but can be configured to share any file on the local machine.
-
-This activity may not only use bandwidth but may also be used to transfer company confidential information to unauthorized hosts external to the protected network bypassing other security measures in place.
-
---
-Affected Systems:
-Any host using a p2p client.
-
---
-Attack Scenarios:
-This is indicative of the use of a p2p client.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Check the host and uninstall any p2p client found.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-OpenNap Specification
-http://opennap.sourceforge.net/napster.txt
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/553.txt snort-2.9.2/doc/signatures/553.txt
--- snort-2.8.5.2/doc/signatures/553.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/553.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,54 +0,0 @@
-Rule:
-
---
-Sid:
-553
-
---
-Summary:
-The event is generated when an attempt is made to log on to an FTP server with the username of "anonymous".
-
---
-Impact:
-Information gathering or remote access. This activity may be a precursor to navigating through the accessible directories on the anonymous FTP server to do reconnaissance of the server. Alternately, this may be a precursor of attempting an exploit, such as a buffer overflow, that may permit remote access to the vulnerable FTP server.
-
---
-Detailed Information:
-FTP servers may permit anonymous user access to share authorized public files. FTP servers must have tighly restricted permissions to prevent anonymous users from navigating or writing to unauthorized directories. If permissions are incorrectly assigned, an attacker may attempt to store unauthorized "warez" files of pirated software. Alternately, anonymous access to a vulnerable FTP server may permit an attacker to exploit a buffer overflow, permitting execution of arbitrary commands on the host.
-
---
-Affected Systems:
-FTP servers allowing anonymous user access
-
---
-Attack Scenarios:
-An attacker may employ anonymous user access to do reconnaissance, store unauthorized files, or attempt an exploit on a vulnerable FTP server.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-If anonymous user access is knowingly permitted, this rule may fire. Consider disabling this rule to anonymous FTP server.
-
---
-False Negatives:
-An attacker may use the username "ftp" instead of "anonymous" to gain anonymous access.
-
---
-Corrective Action:
-Disable anonymous access on the FTP server if it is not required.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Snort documentation contributed by Chaos
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/554.txt snort-2.9.2/doc/signatures/554.txt
--- snort-2.8.5.2/doc/signatures/554.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/554.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-554
-
---
-Summary:
-This event is generated when an attempt is made to create a directory name that begins with a "/ " on an FTP server.
-
-
---
-Impact:
-Unauthorized file storage. An attacker may attempt to create a directory name that begins with "/ " on an FTP server, possibly in preparation to store unauthorized files.
-
---
-Detailed Information:
-An attacker may attempt to create a hidden directory name that begins with "/ " on an FTP server . This hidden directory is hard to discover, permitting attackers to store unauthorized "warez" files, such as unlicensed or pirated software.
-
---
-Affected Systems:
-FTP servers
-
---
-Attack Scenarios:
-An attacker may attempt to create a hidden directory name that begins with "/ " to store unauthorized files.
-
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-Hidden directories other than those with a name that begins with a "/ " may be created to store "warez" files.
-
---
-Corrective Action:
-Assign restrictive permissions to all directories so unauthorized users cannot navigate or write to them.
-
-Regularly monitor directories for sudden or drastic increased use of space.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Snort documentation contributed by Chaos
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/555.txt snort-2.9.2/doc/signatures/555.txt
--- snort-2.8.5.2/doc/signatures/555.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/555.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-Rule:
-
---
-Sid:
-555
-
---
-Summary:
-This event is generated when activity by Peer-to-Peer (p2p) clients is detected.
-
---
-Impact:
-Informational event. Unauthorized use of a p2p client may be in progress.
-
---
-Detailed Information:
-This event indicates that use of a p2p client has been detected. This may be against corporate policy. p2p clients connect to other p2p clients to share files, commonly music and video files but can be configured to share any file on the local machine.
-
-This activity may not only use bandwidth but may also be used to transfer company confidential information to unauthorized hosts external to the protected network bypassing other security measures in place.
-
---
-Affected Systems:
-Any host using a p2p client.
-
---
-Attack Scenarios:
-This is indicative of the use of a p2p client.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Check the host and uninstall any p2p client found.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/556.txt snort-2.9.2/doc/signatures/556.txt
--- snort-2.8.5.2/doc/signatures/556.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/556.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,93 +0,0 @@
-Rule:
-
---
-
-Sid:
-
-556
-
---
-
-Summary:
-
-A network-internal client has connected to an external GNUTella server
-and issued a connect attempt to begin communications.
-
---
-
-Impact:
-
-Possible policy violation.
-
---
-
-Detailed Information:
-
-GNUTella is a P2P (Peer-to-Peer) protocol for exchanging arbitrary
-files. Depending on your site's policies, using it may be a policy
-violation.
-
-If not properly configured, GNUTella clients may accidentally share out
-confidential files. GNUTella worms (which use deceptive names to
-encourage download) and viruses may also be accidentally downloaded by a
-client.
-
-This rule being triggered means that a GNUTella client has been detected
-on your network.
-
---
-
-Affected Systems:
-
-Any system with a GNUTella client installed (available for most
-platforms)
-
---
-
-Attack Scenarios:
-It is possible for an inside attack to take place by using peer-to-peer
-clients to transfer corporate data from an internal resource to an
-external third party.
-
---
-
-Ease of Attack:
-Simple. This is peer-to-peer activity.
-
---
-
-False Positives:
-
-This rule detects the term "GNUTELLA CONNECT" on all ports. As a
-result, any email, web page, or other network content that discusses the
-protocol and its messages will trigger this alert.
-
---
-
-False Negatives:
-
-None known.
-
---
-
-Corrective Action:
-
-Depends on acceptable use policies.
-
---
-
-Contributors:
-Original Rule Writer Unknown
-Snort documentation contributed by Gene R Gomez (gene!AT!gomezbrothers!DOT!com)
-
---
-
-Additional References:
-
-GNUTella
-http://www.gnutella.com
-
-Gnutella Protocol
-http://rfc-gnutella.sourceforge.net/developer/testing/
-
---
diff -Nru snort-2.8.5.2/doc/signatures/557.txt snort-2.9.2/doc/signatures/557.txt
--- snort-2.8.5.2/doc/signatures/557.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/557.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,93 +0,0 @@
-Rule:
-
---
-
-Sid:
-
-557
-
---
-
-Summary:
-
-A network-internal server has authenticated an external GNUTella client
-connection attempt and they have begun communications.
-
---
-
-Impact:
-
-Possible policy violation.
-
---
-
-Detailed Information:
-
-GNUTella is a P2P (Peer-to-Peer) protocol for exchanging arbitrary
-files. Depending on your site's policies, using it may be a policy
-violation.
-
-If not properly configured, GNUTella clients may accidentally share out
-confidential files. GNUTella worms (which use deceptive names to
-encourage download) and viruses may also be accidentally downloaded by a
-client.
-
-This rule being triggered means that a GNUTella server has been detected
-on the protected network.
-
---
-
-Affected Systems:
-
-Any system with a GNUTella server installed (available for most
-platforms)
-
---
-
-Attack Scenarios:
-It is possible for an inside attack to take place by using peer-to-peer
-clients to transfer corporate data from an internal resource to an
-external third party.
-
---
-
-Ease of Attack:
-Simple. This is peer-to-peer activity.
-
---
-
-False Positives:
-
-This rule detects the term "GNUTELLA OK" on all ports. As a result, any
-email, web page, or other network content that discusses the protocol
-and its messages will trigger this alert.
-
---
-
-False Negatives:
-
-None known.
-
---
-
-Corrective Action:
-
-Depends on acceptable use policies.
-
---
-
-Contributors:
-Original Rule Writer Unknown
-Snort documentation contributed by Gene R Gomez (gene!AT!gomezbrothers!DOT!com)
-
---
-
-Additional References:
-
-GNUTella
-http://www.gnutella.com
-
-Gnutella Protocol
-http://rfc-gnutella.sourceforge.net/developer/testing/
-
---
diff -Nru snort-2.8.5.2/doc/signatures/558.txt snort-2.9.2/doc/signatures/558.txt
--- snort-2.8.5.2/doc/signatures/558.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/558.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,90 +0,0 @@
-Rule:
-
---
-
-Sid:
-
-558
-
---
-
-Summary:
-
-A network-external server has authenticated an internal GNUTella client
-connection attempt and they have begun communications.
-
---
-
-Impact:
-
-Possible policy violation.
-
---
-
-Detailed Information:
-
-GNUTella is a P2P (Peer-to-Peer) protocol for exchanging arbitrary
-files. Depending on your site's policies, using it may be a policy
-violation.
-
-If not properly configured, GNUTella clients may accidentally share out
-confidential files. GNUTella worms (which use deceptive names to
-encourage download) and viruses may also be accidentally downloaded by a
-client.
-
-This rule being triggered means that a GNUTella client has been detected
-on the protected network.
-
---
-
-Affected Systems:
-
-Any system with a GNUTella client installed (available for most
-platforms)
-
---
-
-Attack Scenarios:
-
-N/A
-
---
-
-Ease of Attack:
-
-N/A
-
---
-
-False Positives:
-
-This rule detects the term "GNUTELLA OK" on all ports. As a result, any
-email, web page, or other network content that discusses the protocol
-and its messages will trigger this alert.
-
---
-
-False Negatives:
-
-None known.
-
---
-
-Corrective Action:
-
-Depends on acceptable use policies.
-
---
-
-Contributors:
-Original Rule Writer Unknown
-Snort documentation contributed by Gene R Gomez (gene!AT!gomezbrothers!DOT!com)
-
---
-
-Additional References:
-
-GNUTella
-http://www.gnutella.com
-
---
diff -Nru snort-2.8.5.2/doc/signatures/559.txt snort-2.9.2/doc/signatures/559.txt
--- snort-2.8.5.2/doc/signatures/559.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/559.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,91 +0,0 @@
-Rule:
-
---
-
-Sid:
-
-559
-
---
-
-Summary:
-
-A network-external client has connected to an internal GNUTella server
-and issued a connect attempt to begin communications.
-
---
-
-Impact:
-
-Possible policy violation; possible excess network load.
-
---
-
-Detailed Information:
-
-GNUTella is a P2P (Peer-to-Peer) protocol for exchanging arbitrary
-files. Depending on your site's policies, using it may be a policy
-violation.
-
-If not properly configured, GNUTella clients may accidentally share out
-confidential files. GNUTella worms (which use deceptive names to
-encourage download) and viruses may also be accidentally downloaded by a
-client.
-
-This rule being triggered means that a GNUTella server has been detected
-on the protected network.
-
---
-
-Affected Systems:
-
-Any system with a GNUTella client installed (available for most
-platforms)
-
---
-
-Attack Scenarios:
-
-N/A
-
---
-
-Ease of Attack:
-
-N/A
-
---
-
-False Positives:
-
-This rule detects the term "GNUTELLA CONNECT" on all ports. As a
-result, any email, web page, or other network content that discusses the
-protocol and its messages will trigger this alert.
-
---
-
-False Negatives:
-
-None known.
-
---
-
-Corrective Action:
-
-Depends on acceptable use policies.
-
---
-
-Contributors:
-Original Rule Writer Unknown
-Snort documentation contributed by Gene R Gomez (gene!AT!gomezbrothers!DOT!com)
-
---
-
-Additional References:
-
-GNUTella
-http://www.gnutella.com
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/560.txt snort-2.9.2/doc/signatures/560.txt
--- snort-2.8.5.2/doc/signatures/560.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/560.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-560
-
---
-Summary:
-This event is generated when network traffic indicating the use of an
-application or service that may violate a corporate security policy.
-
---
-Impact:
-This may be a violation of corporate policy since some applications can
-be used to bypass security measures designed to restrict the flow of
-corporate information to destinations external to the corporation. In
-some instances this event may indicate behavior contrary to best
-security practices.
-
-In this case the event is generated when a VNC server response is
-detected. This traffic indicates that a VNC client has made an attempt
-to connect to a VNC server.
-
-Virtual Network Computing (VNC) allows users to connect machines across
-a network. It allows full control of the connected machine to take
-place, the user can access all resources on the machine and any other
-resources that machine is connected to.
-
---
-Detailed Information:
-This event may indicate a violation of corporate policy. It may also
-indicate the use of services or applications that may be the antithesis
-of best security practices.
-
---
-Affected Systems:
- All systems
-
---
-Attack Scenarios:
-Violation of corporate security policy can manifest serious risk to
-company assets.
-
---
-Ease of Attack:
-Not applicable
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure adherence to best security practices and strict adherence to
-corporate policy
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/561.txt snort-2.9.2/doc/signatures/561.txt
--- snort-2.8.5.2/doc/signatures/561.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/561.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-561
-
---
-Summary:
-This event is generated when a known response to a sucessful attack is
-detected.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when a known response to a sucessful attack is
-detected. Some applications do not perform stringent checks when validating
-the credentials of a client host connecting to the services offered on a
-host server. This can lead to unauthorized access and possibly escalated
-privileges to that of the administrator. Data stored on the machine can be
-compromised and trust relationships between the victim server and other
-hosts can be exploited by the attacker.
-
-Events generated by rules in attack-responses.rules may indicate that an
-attack against a host has been sucessful.
-
---
-Affected Systems:
- Any vulnerable host.
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. An attacker might also exploit a
-weakness in a particular application or piece of software that will
-present the opportunity to gain access to the host.
-
---
-Ease of Attack:
-Simple. Many exploits exist for various systems and software.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Care should be taken to investigate the source of the event. Check for
-signs of system compromise in log files. Check for listening services on
-high ports.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-OpenNap Specification
-http://opennap.sourceforge.net/napster.txt
-
---
diff -Nru snort-2.8.5.2/doc/signatures/562.txt snort-2.9.2/doc/signatures/562.txt
--- snort-2.8.5.2/doc/signatures/562.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/562.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-562
-
---
-Summary:
-This event is generated when a known response to a sucessful attack is
-detected.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when a known response to a sucessful attack is
-detected. Some applications do not perform stringent checks when validating
-the credentials of a client host connecting to the services offered on a
-host server. This can lead to unauthorized access and possibly escalated
-privileges to that of the administrator. Data stored on the machine can be
-compromised and trust relationships between the victim server and other
-hosts can be exploited by the attacker.
-
-Events generated by rules in attack-responses.rules may indicate that an
-attack against a host has been sucessful.
-
---
-Affected Systems:
- Any vulnerable host.
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. An attacker might also exploit a
-weakness in a particular application or piece of software that will
-present the opportunity to gain access to the host.
-
---
-Ease of Attack:
-Simple. Many exploits exist for various systems and software.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Care should be taken to investigate the source of the event. Check for
-signs of system compromise in log files. Check for listening services on
-high ports.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-OpenNap Specification
-http://opennap.sourceforge.net/napster.txt
-
---
diff -Nru snort-2.8.5.2/doc/signatures/563.txt snort-2.9.2/doc/signatures/563.txt
--- snort-2.8.5.2/doc/signatures/563.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/563.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-563
-
---
-Summary:
-This event is generated when a known response to a sucessful attack is
-detected.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when a known response to a sucessful attack is
-detected. Some applications do not perform stringent checks when validating
-the credentials of a client host connecting to the services offered on a
-host server. This can lead to unauthorized access and possibly escalated
-privileges to that of the administrator. Data stored on the machine can be
-compromised and trust relationships between the victim server and other
-hosts can be exploited by the attacker.
-
-Events generated by rules in attack-responses.rules may indicate that an
-attack against a host has been sucessful.
-
---
-Affected Systems:
- Any vulnerable host.
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. An attacker might also exploit a
-weakness in a particular application or piece of software that will
-present the opportunity to gain access to the host.
-
---
-Ease of Attack:
-Simple. Many exploits exist for various systems and software.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Care should be taken to investigate the source of the event. Check for
-signs of system compromise in log files. Check for listening services on
-high ports.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-OpenNap Specification
-http://opennap.sourceforge.net/napster.txt
-
---
diff -Nru snort-2.8.5.2/doc/signatures/564.txt snort-2.9.2/doc/signatures/564.txt
--- snort-2.8.5.2/doc/signatures/564.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/564.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-564
-
---
-Summary:
-This event is generated when a known response to a sucessful attack is
-detected.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when a known response to a sucessful attack is
-detected. Some applications do not perform stringent checks when validating
-the credentials of a client host connecting to the services offered on a
-host server. This can lead to unauthorized access and possibly escalated
-privileges to that of the administrator. Data stored on the machine can be
-compromised and trust relationships between the victim server and other
-hosts can be exploited by the attacker.
-
-Events generated by rules in attack-responses.rules may indicate that an
-attack against a host has been sucessful.
-
---
-Affected Systems:
- Any vulnerable host.
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. An attacker might also exploit a
-weakness in a particular application or piece of software that will
-present the opportunity to gain access to the host.
-
---
-Ease of Attack:
-Simple. Many exploits exist for various systems and software.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Care should be taken to investigate the source of the event. Check for
-signs of system compromise in log files. Check for listening services on
-high ports.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-OpenNap Specification
-http://opennap.sourceforge.net/napster.txt
-
---
diff -Nru snort-2.8.5.2/doc/signatures/565.txt snort-2.9.2/doc/signatures/565.txt
--- snort-2.8.5.2/doc/signatures/565.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/565.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-565
-
---
-Summary:
-This event is generated when a known response to a sucessful attack is
-detected.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when a known response to a sucessful attack is
-detected. Some applications do not perform stringent checks when validating
-the credentials of a client host connecting to the services offered on a
-host server. This can lead to unauthorized access and possibly escalated
-privileges to that of the administrator. Data stored on the machine can be
-compromised and trust relationships between the victim server and other
-hosts can be exploited by the attacker.
-
-Events generated by rules in attack-responses.rules may indicate that an
-attack against a host has been sucessful.
-
---
-Affected Systems:
- Any vulnerable host.
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. An attacker might also exploit a
-weakness in a particular application or piece of software that will
-present the opportunity to gain access to the host.
-
---
-Ease of Attack:
-Simple. Many exploits exist for various systems and software.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Care should be taken to investigate the source of the event. Check for
-signs of system compromise in log files. Check for listening services on
-high ports.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-OpenNap Specification
-http://opennap.sourceforge.net/napster.txt
-
---
diff -Nru snort-2.8.5.2/doc/signatures/566.txt snort-2.9.2/doc/signatures/566.txt
--- snort-2.8.5.2/doc/signatures/566.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/566.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-566
-
---
-Summary:
-This event is generated when network traffic indicating the use of an
-application or service that may violate a corporate security policy.
-
---
-Impact:
-This may be a violation of corporate policy since some applications can
-be used to bypass security measures designed to restrict the flow of
-corporate information to destinations external to the corporation. In
-some instances this event may indicate behavior contrary to best
-security practices.
-
---
-Detailed Information:
-This event may indicate a violation of corporate policy. It may also
-indicate the use of services or applications that may be the antithesis
-of best security practices.
-
---
-Affected Systems:
- All systems
-
---
-Attack Scenarios:
-Violation of corporate security policy can manifest serious risk to
-company assets.
-
---
-Ease of Attack:
-Not applicable
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure adherence to best security practices and strict adherence to
-corporate policy
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-Symantec PC Anywhere Home Page
-http://www.symantec.com/pcanywhere/Consumer/
-
---
diff -Nru snort-2.8.5.2/doc/signatures/567.txt snort-2.9.2/doc/signatures/567.txt
--- snort-2.8.5.2/doc/signatures/567.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/567.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-567
-
---
-Summary:
-This event is generated when a failed attempt is made to use a Simple Mail Transfer Protocol (SMTP) server to relay mail to a third party.
-
---
-Impact:
-Rejected of unauthorized use. This event indicates that an SMTP server is properly configured to reject mail relay attempts.
-
-
---
-Detailed Information:
-An attacker may attempt to use an improperly configured SMTP server to relay mail, reflecting the origin of the mail to be the relay SMTP server instead of the actual sender. A poorly configured SMTP server may be used to relay spam and other undesirable mail. If an SMTP server rejects relay attempts, it will return an error message indicating the failure.
-
---
-Affected Systems:
-SMTP servers
-
---
-Attack Scenarios:
-An attacker may attempt to relay mail through an improperly configured SMTP server.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-An SMTP server may reject mail using other errors.
-
---
-Corrective Action:
-Configure an SMTP server to reject relayed mail.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Snort documentation contributed by Chaos
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids
-http://www.whitehats.com/info/IDS249
-
-Miscellaneous
-http://mail-abuse.org/tsi/ar-fix.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/568.txt snort-2.9.2/doc/signatures/568.txt
--- snort-2.8.5.2/doc/signatures/568.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/568.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-568
-
---
-Summary:
-This event is generated when an attempt is made to change the message on
-the LCD display on a JetDirect enabled HP printer.
-
---
-Impact:
-User confusion and comedy, mostly.
-
---
-Detailed Information:
-HP JetDirect printers allow remote machines to change the message that
-is displayed on the LCD panel via the PJL command. This event indicates
-that this command has been used in network traffic.
-
---
-Affected Systems:
- HP JetDirect enabled printers
-
---
-Attack Scenarios:
-As part of an attempt to confuse and annoy users, an attacker may
-attempt to change the message displayed on the printers LCD screen.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Update to the latest JetDirect, and investigate the possibility of
-restricting access to a central print-server using the "allow:
-" directive in a printer config file.
-
-Disallow printer use from hosts outside the protected network.
-
---
-Contributors:
-Original rule writer unknown
-Snort documentation contributed by Jon Hart
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/569.txt snort-2.9.2/doc/signatures/569.txt
--- snort-2.8.5.2/doc/signatures/569.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/569.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,94 +0,0 @@ -Rule: - --- -Sid: -569 - --- -Summary: -The snmpXdmi daemon is used on Sun Solaris systems to map Simple Network -Management Protocol (SNMP) management requests to and from the Desktop -Management Interface (DMI). - -This daemon contains a boundary condition error that could result in a -buffer overflow that will present the attacker with super user access to -the target host. - --- -Impact: -Complete control of the target machine. - --- -Detailed Information: -The snmpXdmi daemon is installed and enabled by default on the affected -systems below. - -DMI is used to manage components on client machines across a network. It -can be used in conjunction with SNMP via a daemon such as snmpXdmi. - -A number of exploits for this vulnerability exist and are in use. The result of a sucessful attack is a complete root compromise of the victim host. - -Compromised systems are reported to display a number of commonalities such as: - - A core file for snmpXdmi on / - Two instances of inetd running - Telnet and SSH backdoors running on high ports - An instance of an IRC proxy - System binaries replaced by rootkit versions - Network sniffers installed - Log files changed - -The system binaries 'ps' and 'netstat' cannot be trusted to show all -running processes since they may have been replaced by rootkit versions -specially modified so as to hide evidence of the compromise. - --- -Affected Systems: -Sun Solaris 2.6, 7.0, 8.0 for SPARC and Intel architectures - --- -Attack Scenarios: -The attacker must send specially crafted packets to the snmpXdmi daemon -or use one of the widely available exploits. - --- -Ease of Attack: -Simple - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disable the snmpXdmi service. - -Apply the appropriate patches for each affected system. - -Disallow all RPC requests from external sources and use a firewall to -block access to RPC ports from outside the LAN. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Bugtraq: -http://www.securityfocus.com/bid/2417 - -CERT: -http://www.cert.org/advisories/CA-2001-05.html -http://www.kb.cert.org/vuls/id/648304 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0236 - --- diff -Nru snort-2.8.5.2/doc/signatures/570.txt snort-2.9.2/doc/signatures/570.txt --- snort-2.8.5.2/doc/signatures/570.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/570.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,71 +0,0 @@ -SID: -570 --- - -Rule: --- - -Summary: -This event indicates an attempt to exploit the tool talk RPC database -service --- - -Impact: -Possible unauthorized administrative access to the server or application -or a denial of service to the affected application --- - -Detailed Information: -ToolTalk RPC database service (rpc.ttdbserverd) does not perform -adequate input validation or provide a format string specifier argument -when writing to syslog. This means a specifically crafted RPC request to -the ToolTalk RPC database service overwriting specific locations in -memory and therefore allowing execution of code with the same permission -level as the user running ttdbserverd, usually root. --- - -Affected Systems: - HP-UX 10.10 - 11.0 - AIX 4.1 - 4.3 - IRIX 5.2 - 6.4 - Solaris 1.1 - 2.6 - TriTeal TED CDE 4.3 - Xi Graphics Maximum CDE 1.2.3 - -Possibly other vendors, if you are running Tool Talk (rpc.ttdbserverd) check with your vendor. --- - -Attack Scenarios: -An attacker will send a specially crafted RPC call to the -rpc.ttdbserverd daemon running on an affected system. A sucessful -attack will then run code on the server with the access level of the -root user. --- - -Ease of Attack: -Simple, Exploit code is available. --- - -False Positives: -None known --- - -False Negatives: -None known --- - -Corrective Action: -Updates packages and patches are available from vendors, install them or -disable the service if not needed. --- - -Contributors: -Snort documentation contributed by matthew harvey -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -References: - --- diff -Nru snort-2.8.5.2/doc/signatures/571.txt snort-2.9.2/doc/signatures/571.txt --- snort-2.8.5.2/doc/signatures/571.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/571.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,66 +0,0 @@ -SID: -571 --- - -Rule: --- - -Summary: -This event indicates an attempt to exploit the tool talk RPC database -service --- - -Impact: -Possible unauthorized administrative access to the server or application -or a denial of service to the affected application running on a Solaris -system --- - -Detailed Information: -ToolTalk RPC database service (rpc.ttdbserverd) does not perform -adequate input validation or provide a format string specifier argument -when writing to syslog. This means a specifically crafted RPC request to -the ToolTalk RPC database service overwriting specific locations in -memory and therefore allowing execution of code with the same permission -level as the user running ttdbserverd, usually root. --- - -Affected Systems: - Solaris 1.1 - 2.6 -Possibly other vendors, if you are running Tool Talk (rpc.ttdbserverd) check with your vendor. --- - -Attack Scenarios: -An attacker will send a specially crafted RPC call to the -rpc.ttdbserverd daemon running on an affected system. A sucessful -attack will then run code on the server with the access level of the -root user. --- - -Ease of Attack: -Simple, Exploit code is available. --- - -False Positives: -None known --- - -False Negatives: -None known --- - -Corrective Action: -Updates packages and patches are available from vendors, install them or -disable the service if not needed. --- - -Contributors: -Snort documentation contributed by matthew harvey -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -References: - --- diff -Nru snort-2.8.5.2/doc/signatures/572.txt snort-2.9.2/doc/signatures/572.txt --- snort-2.8.5.2/doc/signatures/572.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/572.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -572 - --- -Summary: -This event is generated when an attempt is made to disable the rpc.ttdbservd service. - --- -Impact: -Denial of service. A successful attack may kill the ToolTalk database server. - --- -Detailed Information: -The ttdbserverd RPC service, more commonly known as the ToolTalk database server, allows applications to communicate in the Common Desktop Environment (CDE). The ToolTalk service receives ToolTalk messages created and sent by applications and delivers them to the appropriate recipient applications. The ToolTalk database server is enabled by default on hosts with CDE. Due to an implementation fault in rpc.ttdbserverd, it is possible for a malicious remote client to formulate an RPC message that will cause the server to crash. - --- -Affected Systems: -HP HP-UX 10.10, 10.20, 10.30, 11.0 -IBM AIX 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.2, 4.2.1, 4.3 -SGI IRIX 5.2, 5.3, 6.0, 6.0.1, 6.2, 6.3, 6.4 -Sun Solaris 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2, 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.5.1, 2.6 - --- -Attack Scenarios: -An attacker can attempt a denial of service attack by causing a vulnerable ToolTalk database server to crash. - --- -Ease of Attack: -Easy. Exploit scripts are freely available. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Limit remote access to RPC services. - -Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. - -Disable unneeded RPC services. 
- --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0003 - -Bugtraq -http://www.securityfocus.com/bid/122 - -Arachnids: -http://www.whitehats.com/info/IDS241 - --- diff -Nru snort-2.8.5.2/doc/signatures/574.txt snort-2.9.2/doc/signatures/574.txt --- snort-2.8.5.2/doc/signatures/574.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/574.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,58 +0,0 @@ -Rule: - --- -Sid: -574 - --- -Summary: -This event is generated when a request is made to Network File System (NFS) to list all exported file systems and which clients are permitted to mount each file system. - --- -Impact: -Information disclosure. This can allow an attacker to discover exported NFS file systems and client mount permissions. - --- -Detailed Information: -The mountd Remote Procedure Call (RPC) implements the NFS mount protocol. When an NFS client requests a mount of an NFS file system, mountd examines the list of exported file systems. If the NFS client is permitted access to the requested file system, mountd returns a file handle for the requested directory. An attacker or legitimate NFS client may request a list of exported file systems and client mount permissions. - --- -Affected Systems: -All systems running NFS. - --- -Attack Scenarios: -An attacker may attempt to list the exported NFS file systems as a precursor to mounting them to read or change a specific file. - --- -Ease of Attack: -Simple. - --- -False Positives: -If a legitimate remote user is allowed to list exported NFS file systems, this rule may trigger. - --- -False Negatives: -None Known. - --- -Corrective Action: -Limit remote access to RPC services. - -Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. - -Disable unneeded RPC services. - --- -Contributors: -Original rule written by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: -http://www.whitehats.com/info/IDS26 - - --- diff -Nru snort-2.8.5.2/doc/signatures/575.txt snort-2.9.2/doc/signatures/575.txt --- snort-2.8.5.2/doc/signatures/575.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/575.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -575 - --- -Summary: -This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) admind is listening. - --- -Impact: -Information disclosure. This request is used to discover which port admind is using. Attackers can also learn what versions of the admind protocol are accepted by admind. - --- -Detailed Information: -The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as admind run. The admind RPC service is used by some UNIX hosts to perform remote distributed system administration tasks such as adding new users. If weak authentication is used, it may be possible for a malicious user to perform remote administration. - --- -Affected Systems: -Any host running admind with weak authentication. - --- -Attack Scenarios: -An attacker can query the portmapper to discover the port where admind runs. This may be a precursor to accessing admind. - --- -Ease of Attack: -Simple. - --- -False Positives: -If a legitimate remote user is allowed to access admind, this rule may trigger. - --- -False Negatives: -This rule detects probes of the portmapper service for admind, not probes of the admind service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the admind service itself. An attacker may attempt to go directly to the admind port without querying the portmapper service, which would not trigger the rule. - --- -Corrective Action: -Limit remote access to RPC services. - -Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. - -Disable unneeded RPC services. 
- --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Arachnids -http://www.whitehats.com/info/IDS18 - - --- diff -Nru snort-2.8.5.2/doc/signatures/576.txt snort-2.9.2/doc/signatures/576.txt --- snort-2.8.5.2/doc/signatures/576.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/576.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: -576 - --- -Summary: -This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) amountd (also known as autofsd) is listening. - - --- -Impact: -Information disclosure. This request is used to discover which port amountd is using. Attackers can also learn what versions of the amountd protocol are accepted by amountd. - --- -Detailed Information: -The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as amountd run. The amountd RPC service is used by UNIX hosts to automatically mount and unmount autofs files. It can use name service maps to find file systems to be mounted. A vulnerability is present in autofsd that allows an attacker to execute arbitrary commands. The attacker requests a map name that is executable, followed by a malformed client key and commands to be executed. The server improperly interprets the input and executes the commands. - --- -Affected Systems: -IBM AIX 4.3, SGI IRIX 6.2, 6.3, 6.4, 6.5, and 6.5.1. - --- -Attack Scenarios: -An attacker can craft an amountd request that executes arbitrary commands on the remote file system. - --- -Ease of Attack: -Easy. Exploit code is widely available. - --- -False Positives: -If a legitimate remote user is allowed to access amountd, this rule may trigger. - --- -False Negatives: -This rule detects probes of the portmapper service for amountd, not probes of the amountd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the amountd service itself. An attacker may attempt to go directly to the amountd port without querying the portmapper service, which would not trigger the rule. - --- -Corrective Action: -Limit remote access to RPC services. - -Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
- -Disable unneeded RPC services. - --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Bugtraq: -http://www.securityfocus.com/bid/332/info/ - -Arachnids: -http://www.whitehats.com/info/IDS19 - - --- diff -Nru snort-2.8.5.2/doc/signatures/577.txt snort-2.9.2/doc/signatures/577.txt --- snort-2.8.5.2/doc/signatures/577.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/577.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -577 - --- -Summary: -This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) bootparam is listening. - --- -Impact: -Information disclosure. This request is used to discover which port bootparam is using. Attackers can also learn what versions of the bootparam protocol are accepted by bootparam. - --- -Detailed Information: -The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as bootparam run. The bootparam RPC service is used by some diskless workstations to query a server to discover the information required to boot. The client will issue a bootparam whoami request to the server. The server response will include the Network Information Systems (NIS) domain name. If no authentication is used, an attacker can send a bootparam request. The domain name provides valuable information that can be used to break into an NIS environment. - --- -Affected Systems: -Any host running bootparam with no authentication. - --- -Attack Scenarios: -An attacker can query the portmapper to discover the port where bootparam runs. This may be a precursor to accessing bootparam. - --- -Ease of Attack: -Simple. - --- -False Positives: -If a legitimate remote user is allowed to access bootparam, this rule may trigger. - --- -False Negatives: -This rule detects probes of the portmapper service for bootparam, not probes of the bootparam service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the bootparam service itself. An attacker may attempt to go directly to the bootparam port without querying the portmapper service, which would not trigger the rule. - --- -Corrective Action: -Limit remote access to RPC services. - -Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
- -Disable unneeded RPC services. - --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0647 - -Arachnids -http://www.whitehats.com/info/IDS16 - - --- diff -Nru snort-2.8.5.2/doc/signatures/578.txt snort-2.9.2/doc/signatures/578.txt --- snort-2.8.5.2/doc/signatures/578.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/578.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - -Sid: -578 - --- -Summary: -This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) cmsd is listening. - --- -Impact: -Information disclosure. This request is used to discover which port cmsd is using. Attackers can also learn what versions of the cmsd protocol are accepted by cmsd. - --- -Detailed Information: -The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as cmsd run. The cmsd RPC service implements the Calendar Manager Service daemon that is often distributed with the Common Desktop Environment (CDE) and OpenWindows. Several buffer overflow vulnerabilities have been associated with cmsd. - --- -Affected Systems: -Any host running the RPC service cmsd. - --- -Attack Scenarios: -An attacker can query the portmapper to discover the port where cmsd runs. This may be a precursor to accessing cmsd. - --- -Ease of Attack: -Simple. - --- -False Positives: -If a legitimate remote user is allowed to access cmsd, this rule may trigger. - --- -False Negatives: -This rule detects probes of the portmapper service for cmsd, not probes of the cmsd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the cmsd service itself. An attacker may attempt to go directly to the cmsd port without querying the portmapper service, which would not trigger the rule. - --- -Corrective Action: -Limit remote access to RPC services. - -Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. - -Disable unneeded RPC services. 
- --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Arachnids -http://www.whitehats.com/info/IDS17 - - --- diff -Nru snort-2.8.5.2/doc/signatures/579.txt snort-2.9.2/doc/signatures/579.txt --- snort-2.8.5.2/doc/signatures/579.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/579.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -579 - --- -Summary: -This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) mountd is listening. - --- -Impact: -Information disclosure. This request is used to discover which port mountd is using. Attackers can also learn what versions of the mountd protocol are accepted by mountd. - --- -Detailed Information: -The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as mountd run. The mountd RPC service allows remote file system access through Network File System (NFS). A vulnerability exists in the code that logs NFS mount activity that can cause a buffer overflow, allowing the execution of arbitrary code with root privileges. - --- -Affected Systems: -Caldera OpenLinux Standard 1.2 -RedHat Linux 2.0, 2.1, 3.0.3, 4.0, 4.1, 4.2, 5.0, 5.1 - --- -Attack Scenarios: -An attacker can query the portmapper to discover the port where mountd runs. This may be a precursor to accessing mountd. - --- -Ease of Attack: -Simple. - --- -False Positives: -If a legitimate remote user is allowed to access mountd, this rule may trigger. - --- -False Negatives: -This rule detects probes of the portmapper service for mountd, not probes of the mountd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the mountd service itself. An attacker may attempt to go directly to the mountd port without querying the portmapper service, which would not trigger the rule. - --- -Corrective Action: -Limit remote access to RPC services. - -Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. - -Disable unneeded RPC services. 
- --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Bugtraq -http://www.securityfocus.com/bid/121 - -CERT -http://www.cert.org/advisories/CA-1998-12.html - -Arachnids -http://www.whitehats.com/info/IDS13 - - --- diff -Nru snort-2.8.5.2/doc/signatures/580.txt snort-2.9.2/doc/signatures/580.txt --- snort-2.8.5.2/doc/signatures/580.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/580.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -580 - --- -Summary: -This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) nisd is listening. - --- -Impact: -Information disclosure. This request is used to discover which port nisd is using. Attackers can also learn what versions of the nisd protocol are accepted by nisd. - --- -Detailed Information: -The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as nisd run. The nisd RPC service implements Network Information Systems (NIS and NIS+). NIS and NIS+ provide centralized management and distribution of information about resources, such as users and hosts, in a network domain. A buffer overflow exists because of improper bounds checking, which can lead to execution of arbitrary commands on the host. - --- -Affected Systems: -Solaris 2.3 - 2.6 hosts running NIS+. - --- -Attack Scenarios: -An attacker can query the portmapper to discover the port where nisd runs. This may be a precursor to accessing nisd. - --- -Ease of Attack: -Simple. - --- -False Positives: -If a legitimate remote user is allowed to access nisd, this rule may trigger. - --- -False Negatives: -This rule detects probes of the portmapper service for nisd, not probes of the nisd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the nisd service itself. An attacker may attempt to go directly to the nisd port without querying the portmapper service, which would not trigger the rule. - --- -Corrective Action: -Limit remote access to RPC services. - -Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. - -Disable unneeded RPC services. 
- --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Bugtraq -http://www.securityfocus.com/bid/677 - -CERT -http://www.cert.org/advisories/CA-98.06.nisd.html - -Arachnids -http://www.whitehats.com/info/IDS21 - - --- diff -Nru snort-2.8.5.2/doc/signatures/581.txt snort-2.9.2/doc/signatures/581.txt --- snort-2.8.5.2/doc/signatures/581.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/581.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: -581 - --- -Summary: -This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) pcnfsd is listening. - --- -Impact: -Information disclosure. This request is used to discover which port pcnfsd is using. Attackers can also learn what versions of the pcnfsd protocol are accepted by pcnfsd. - --- -Detailed Information: -The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as pcnfsd run. The pcnfsd RPC service handles printing and authentication over the network. A vulnerability exists because of improper argument checking that allows execution of arbitrary commands with root privileges. - --- -Affected Systems: -BSDI BSD/OS 2.1 -HP HP-UX 10.1, 10.10, 10.20, 11.0 -IBM AIX 3.2, 4.0, 4.1, 4.2 -SCO Open Server 5.0 -SCO Unixware 2.0, 2.0.3, 2.1 -SGI IRIX 6.5, 6.5.1 - 6.5.16 -Sun Solaris 2.4, 2.5 -Sun SunOS 4.1, 4.1.1 - 4.1.4 - --- -Attack Scenarios: -An attacker can query the portmapper to discover the port where pcnfsd runs. This may be a precursor to accessing pcnfsd. - --- -Ease of Attack: -Simple. - --- -False Positives: -If a legitimate remote user is allowed to access pcnfsd, this rule may trigger. - --- -False Negatives: -This rule detects probes of the portmapper service for pcnfsd, not probes of the pcnfsd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the pcnfsd service itself. An attacker may attempt to go directly to the pcnfsd port without querying the portmapper service, which would not trigger the rule. - --- -Corrective Action: -Limit remote access to RPC services. - -Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. - -Disable unneeded RPC services. 
- --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Bugtraq -http://www.securityfocus.com/bid/5378 - -CERT -http://www.cert.org/advisories/CA-1996-08.html - -Arachnids -http://www.whitehats.com/info/IDS22 - - --- diff -Nru snort-2.8.5.2/doc/signatures/582.txt snort-2.9.2/doc/signatures/582.txt --- snort-2.8.5.2/doc/signatures/582.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/582.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,76 +0,0 @@ -Rule: - --- -Sid: -582 - --- -Summary: -This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) rexd is listening. - --- -Impact: -Information disclosure. This request is used to discover which port rexd is using. Attackers can also learn what versions of the rexd protocol are accepted by rexd. - --- -Detailed Information: -The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as rexd run. The rexd RPC service allows remote program execution. If weak authentication is used, an attacker may run arbitrary commands as a user other than root. - --- -Affected Systems: -AIX 4.0 -Compaq Tru64 UNIX (Any version) -HP-UX 10.20 -HP-UX 11 -Red Hat Linux 6.0 -Red Hat Linux 7.x -Solaris 2.5.1 -Solaris 2.6 -Solaris 7 -Solaris 8 - --- -Attack Scenarios: -An attacker can query the portmapper to discover the port where rexd runs. This may be a precursor to accessing rexd. - --- -Ease of Attack: -Simple. - --- -False Positives: -If a legitimate remote user is allowed to access rexd, this rule may trigger. - --- -False Negatives: -This rule detects probes of the portmapper service for rexd, not probes of the rexd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the rexd service itself. An attacker may attempt to go directly to the rexd port without querying the portmapper service which, would not trigger the rule. - --- -Corrective Action: -Limit remote access to RPC services. - -Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. - -Disable unneeded RPC services. 
- --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Bugtraq -http://www.securityfocus.com/bid/37 - -CERT -http://www.cert.org/advisories/CA-1992-05.html - -Arachnids -http://www.whitehats.com/info/IDS23 - - --- diff -Nru snort-2.8.5.2/doc/signatures/583.txt snort-2.9.2/doc/signatures/583.txt --- snort-2.8.5.2/doc/signatures/583.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/583.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -583 - --- -Summary: -This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) rstatd is listening. - - --- -Impact: -Information disclosure. This request is used to discover which port rstatd is using. Attackers can also learn what versions of the rstatd protocol are accepted by rstatd. - --- -Detailed Information: -The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as rstatd run. The rstatd RPC service can be queried for performance statistics obtained from the kernel including network, disk, and CPU. This can provide valuable information to determine which host may make a suitable target to participate in a particular attack. - --- -Affected Systems: -All hosts running the UNIX portmapper. - --- -Attack Scenarios: -An attacker can query the portmapper to discover the port where rstatd runs. This may be a precursor to querying rstatd for usage statistics. - --- -Ease of Attack: -Easy. - --- -False Positives: -If a legitimate remote user is allowed to access rstatd, this rule may trigger. - --- -False Negatives: -This rule detects probes of the portmapper service for rstatd, not probes of the rstatd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the rstatd service itself. An attacker may attempt to go directly to the rstatd port without querying the portmapper service, which would not trigger the rule. - --- -Corrective Action: -Limit remote access to RPC services. - -Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. - -Disable unneeded RPC services. 
- --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS10 - - --- diff -Nru snort-2.8.5.2/doc/signatures/584.txt snort-2.9.2/doc/signatures/584.txt --- snort-2.8.5.2/doc/signatures/584.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/584.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,61 +0,0 @@ -Rule: - --- -Sid: -584 - --- -Summary: -This event is generated when an attempt is made to probe a host for the -rusers RPC service. - --- -Impact: -Information gathering. - --- -Detailed Information: -The rusers RPC service is used to remotely list all logged in users on a -machine. This information may be useful to an attacker when targeting a -remote host. - --- -Affected Systems: - All systems running the rusers RPC service - --- -Attack Scenarios: -An attacker runs a vulnerability assessment tool, or the standard Unix -rusers command. The attacker may use information gleaned from this to -better target his attacks. - --- -Ease of Attack: -Simple. Tools to probe the rusers service come standard with most Unix variants. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disable the rusers service. - -Disallow access to RPC services from hosts external to the protected -network - --- -Contributors: -Original rule writer unknown -Original document author unkown -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/585.txt snort-2.9.2/doc/signatures/585.txt --- snort-2.8.5.2/doc/signatures/585.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/585.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-585
-
---
-Summary:
-This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) sadmind is listening.
-
-
---
-Impact:
-Information disclosure. This request is used to discover which port sadmind is using. Attackers can also learn what versions of the sadmind protocol are accepted by sadmind.
-
---
-Detailed Information:
-The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as sadmind run. The sadmind RPC service is used by Solaris hosts to remotely perform distributed system administration tasks such as adding new users. There is a vulnerability associated with sadmind that may cause a buffer overflow, allowing an attacker to execute abitrary code with the privileges of sadmind, possibly root.
-
---
-Affected Systems:
-Solaris 2.3, 2.4, 2.5, 2.5.1, 2.6, and 7.
-
---
-Attack Scenarios:
-An attacker can query the portmapper to discover the port where sadmind runs. This may be a precursor to an attack to exploit the sadmind buffer overflow.
-
---
-Ease of Attack:
-Simple. Exploit scripts are freely available. A worm was observed in 2001 that used the sadmind exploit (and an IIS vulnerability) to compromise systems and deface web pages.
-
---
-False Positives:
-If a legitimate remote user is allowed to access sadmind, this rule may trigger.
-
---
-False Negatives:
-This rule detects probes of the portmapper service for sadmind, not probes of the sadmind service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the sadmind service itself. An attacker may attempt to go directly to the sadmind port without querying the portmapper service which, would not trigger the rule.
-
---
-Corrective Action:
-Limit remote access to RPC services.
-
-Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
-
-Disable unneeded RPC services.
-
---
-Contributors:
-Original rule written by Max Vision
-Original rule modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/866
-
-CERT:
-http://www.cert.org/advisories/CA-1999-16.html
-
-Arachnids:
-http://www.whitehats.com/info/IDS20
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/586.txt snort-2.9.2/doc/signatures/586.txt
--- snort-2.8.5.2/doc/signatures/586.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/586.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-586
-
---
-Summary:
-This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) selection_svc is listening.
-
---
-Impact:
-Information disclosure. This request is used to discover which port selection_svc is using. Attackers can also learn what versions of the selection_svc protocol are accepted by selection_svc.
-
---
-Detailed Information:
-The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as selection_svc run. The selection_svc RPC service is used by SunView, an old windowing system from Sun. A vulnerability exists in selection_svc that allows a remote user to read files that are readable by SunView.
-
---
-Affected Systems:
-Sun SunOS 3.5
-Sun SunOS 4.0
-Sun SunOS 4.0.1
-Sun SunOS 4.0.2
-Sun SunOS 4.0.3
-Sun SunOS 4.1
-Sun SunOS 4.1.1
-
---
-Attack Scenarios:
-An attacker can query the portmapper to discover the port where selection_svc runs. This may be a precursor to accessing selection_svc.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-If a legitimate remote user is allowed to access selection_svc, this rule may trigger.
-
---
-False Negatives:
-This rule detects probes of the portmapper service for selection_svc, not probes of the selection_svc service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the selection_svc service itself. An attacker may attempt to go directly to the selection_svc port without querying the portmapper service which, would not trigger the rule.
-
---
-Corrective Action:
-Limit remote access to RPC services.
-
-Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
-
-Disable unneeded RPC services.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq
-http://www.securityfocus.com/bid/8
-
-CERT
-http://www.cert.org/advisories/CA-1990-05.html
-
-Arachnids
-http://www.whitehats.com/info/IDS25
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/587.txt snort-2.9.2/doc/signatures/587.txt
--- snort-2.8.5.2/doc/signatures/587.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/587.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
-Sid:
-587
-
---
-Summary:
-This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) statd is listening.
-
---
-Impact:
-Information disclosure. This request is used to discover which port statd is using. Attackers can also learn what versions of the statd protocol are accepted by statd.
-
---
-Detailed Information:
-The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as statd run. The statd RPC service manages Network File System (NFS) locks for exclusive access to a remote file. Multiple vulnerabilities that have allowed execution of arbitrary commands as root have been associated with statd.
-
---
-Affected Systems:
-Multiple; refer to your vendor for specific information.
-
---
-Attack Scenarios:
-An attacker can query the portmapper to discover the port where statd runs. This may be a precursor to accessing statd.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-If a legitimate remote user is allowed to access statd, this rule may trigger.
-
---
-False Negatives:
-This rule detects probes of the portmapper service for statd, not probes of the statd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the statd service itself. An attacker may attempt to go directly to the statd port without querying the portmapper service, which would not trigger the rule.
-
---
-Corrective Action:
-Limit remote access to RPC services.
-
-Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
-
-Disable unneeded RPC services.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids
-http://www.whitehats.com/info/IDS15
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/588.txt snort-2.9.2/doc/signatures/588.txt
--- snort-2.8.5.2/doc/signatures/588.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/588.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-588
-
---
-Summary:
-This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) ttdbserverd is listening.
-
-
---
-Impact:
-Information disclosure. This request is used to discover which port ttdbserverd is using. Attackers can also learn what versions of the ttdbserverd protocol are accepted by ttdbserverd.
-
---
-Detailed Information:
-The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as ttdbserverd run. The ttdbserverd RPC service, more commonly known as the ToolTalk database server, allows applications used in Common Desktop Environment (CDE) to communicate. The ToolTalk service receives ToolTalk messages created and sent by applications and delivers them to the appropriate recipient applications. The ToolTalk database server comes enabled on hosts with CDE. Multiple vulernabilities have been associated with the ToolTalk database server.
-
---
-Affected Systems:
-All hosts running the UNIX portmapper.
-
---
-Attack Scenarios:
-An attacker can query the portmapper to discover the port where ttdbserverd runs. This may be a precursor to accessing ttdbserverd.
-
---
-Ease of Attack:
-Easy.
-
---
-False Positives:
-If a legitimate remote user is allowed to access ttdbserverd, this rule may trigger.
-
---
-False Negatives:
-This rule detects probes of the portmapper service for ttdbserverd, not probes of the ttdbserverd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the ttdbserverd service itself. An attacker may attempt to go directly to the ttdbserverd port without querying the portmapper service, which would not trigger the rule.
-
---
-Corrective Action:
-Limit remote access to RPC services.
-
-Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
-
-Disable unneeded RPC services.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0717
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0003
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0687
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1075
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/589.txt snort-2.9.2/doc/signatures/589.txt
--- snort-2.8.5.2/doc/signatures/589.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/589.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-589
-
---
-Summary:
-This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) yppasswd is listening.
-
-
---
-Impact:
-Information disclosure. This request is used to discover which port yppasswd is using. Attackers can also learn what versions of the yppasswd protocol are accepted by yppasswd.
-
---
-Detailed Information:
-The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as yppasswd run. The yppasswd RPC service handles password change requests from the yppasswd client program. This client program is used to change a user password in Network Information Service (NIS) environments where a centralized database exists to distribute passwords throughout a network. Multiple vulnerabilities are associated with the yppasswd RPC service.
-
---
-Affected Systems:
-All hosts running the UNIX portmapper.
-
---
-Attack Scenarios:
-An attacker can query the portmapper to discover the port where yppasswd runs. This may be a precursor to querying yppasswd for usage statistics.
-
---
-Ease of Attack:
-Easy.
-
---
-False Positives:
-If a legitimate remote user is allowed to access yppasswd, this rule may trigger.
-
---
-False Negatives:
-This rule detects probes of the portmapper service for yppasswd, not probes of the yppasswd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the yppasswd service itself. An attacker may attempt to go directly to the yppasswd port without querying the portmapper service, which would not trigger the rule.
-
---
-Corrective Action:
-Limit remote access to RPC services.
-
-Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
-
-Disable unneeded RPC services.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS14
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/590.txt snort-2.9.2/doc/signatures/590.txt
--- snort-2.8.5.2/doc/signatures/590.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/590.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-590
-
---
-Summary:
-This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) ypserv is listening.
-
-
---
-Impact:
-Information disclosure. This request is used to discover which port ypserv is using. Attackers can also learn what versions of the ypserv protocol are accepted by ypserv.
-
---
-Detailed Information:
-The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as ypserv run. The ypserv RPC service looks up information in the local Network Information Service (NIS) maps. The ypserv program provides the server function for Yellow Pages (YP) by providing clients information from NIS maps. Multiple vulnerabilities are associated with the ypserv RPC program.
-
---
-Affected Systems:
-All hosts running the UNIX portmapper.
-
---
-Attack Scenarios:
-An attacker can query the portmapper to discover the port where ypserv runs. This may be a precursor to accessing ypserv.
-
---
-Ease of Attack:
-Easy.
-
---
-False Positives:
-If a legitimate remote user is allowed to access ypserv, this rule may trigger.
-
---
-False Negatives:
-This rule detects probes of the portmapper service for ypserv, not probes of the ypserv service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the ypserv service itself. An attacker may attempt to go directly to the ypserv port without querying the portmapper service, which would not trigger the rule.
-
---
-Corrective Action:
-Limit remote access to RPC services.
-
-Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
-
-Disable unneeded RPC services.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq
-http://www.securityfocus.com/bid/6016
-http://www.securityfocus.com/bid/5914
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1232
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1042
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1043
-
-Arachnids:
-http://www.whitehats.com/info/IDS12
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/591.txt snort-2.9.2/doc/signatures/591.txt
--- snort-2.8.5.2/doc/signatures/591.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/591.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-591
-
---
-Summary:
-This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) ypupdated is listening.
-
---
-Impact:
-Information disclosure. This request is used to discover which port ypupdated is using. Attackers can also learn what versions of the ypupdated protocol are accepted by ypupdated.
-
---
-Detailed Information:
-The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as ypupdated run. The ypupdated RPC service allows clients to update maps for Network Information Service (NIS), formerly known as Sun Yellow Pages. A vulnerability exists with improper validation associated with the 'make' command used to update changes, allowing the execution of arbitrary commands as root.
-
---
-Affected Systems:
-HP HP-UX 10.1, 10.10, 10.20
-IBM AIX 3.2, 4.1
-NEC EWS-UX/V, UP-UX/V
-SGI IRIX 3.2, 3.3, 3.3.1, 3.3.2, 3.3.3, 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 5.0, 5.0.1, 5.1, 5.1.1, 5.2, 5.3, 6.0.1
-Sun SunOS 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4
-
---
-Attack Scenarios:
-An attacker can query the portmapper to discover the port where ypupdated runs. This may be a precursor to accessing ypupdated.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-If a legitimate remote user is allowed to access ypupdated, this rule may trigger.
-
---
-False Negatives:
-This rule detects probes of the portmapper service for ypupdated, not probes of the ypupdated service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the ypupdated service itself. An attacker may attempt to go directly to the ypupdated port without querying the portmapper service, which would not trigger the rule.
-
---
-Corrective Action:
-Limit remote access to RPC services.
-
-Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
-
-Disable unneeded RPC services.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq
-http://www.securityfocus.com/bid/1749
-
-CERT
-http://www.cert.org/advisories/CA-1995-17.html
-
-Arachnids
-http://www.whitehats.com/info/IDS125
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/593.txt snort-2.9.2/doc/signatures/593.txt
--- snort-2.8.5.2/doc/signatures/593.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/593.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-593
-
---
-Summary:
-This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) snmpXdmi is listening.
-
---
-Impact:
-Information disclosure. This request is used to discover which port snmpXdmi is using. Attackers can also learn what versions of the snmpXdmi protocol are accepted by snmpXdmi.
-
---
-Detailed Information:
-The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as snmpXdmi run. Simple Network Management Protocol (SNMP) and Desktop Management Interface (DMI) are remote management protocols. The snmpXdmi RPC service translates between SNMP and DMI, allowing the use of either or both. There is a buffer overflow when translating DMI to SNMP that allows access with the privilege level of snmpXdmi.
-
---
-Affected Systems:
-Sun Solaris 2.6, 7.0, and 8.0.
-
---
-Attack Scenarios:
-An attacker can query the portmapper to discover the port where snmpXdmi runs. This may be a precursor to accessing snmpXdmi.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-If a legitimate remote user is allowed to access snmpXdmi, this rule may trigger.
-
---
-False Negatives:
-This rule detects probes of the portmapper service for snmpXdmi, not probes of the snmpXdmi service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the snmpXdmi service itself. An attacker may attempt to go directly to the snmpXdmi port without querying the portmapper service, which would not trigger the rule.
-
---
-Corrective Action:
-Limit remote access to RPC services.
-
-Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
-
-Disable unneeded RPC services.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0236
-
-CERT
-http://www.cert.org/advisories/CA-2001-05.html
-
-Bugtraq
-http://www.securityfocus.com/bid/2417
-
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/595.txt snort-2.9.2/doc/signatures/595.txt
--- snort-2.8.5.2/doc/signatures/595.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/595.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-595
-
---
-Summary:
-Embedded Support Partner (ESP) is an integral part of the SGI IRIX
-operating system to enable remote support for the operating system
-
-A vulnerability exists in the Embedded Support Partner Daemon (ESP) that
-could lead to arbitrary commands being executed on a target host.
-
---
-Impact:
-Remote super user access leading to a compromise of the target machine
-along with any network resources that machine is connected to.
-
---
-Detailed Information:
-The ESP daemon is an RPC (Remote Procedure Call) resource used on SGI
-IRIX systems. The ESP daemon runs with the privileges of the root user.
-IRIX version 6.5.8 and prior are susceptible to a buffer overflow of the
-ESP daemon leading to a remote root compromise of the affected host.
-
---
-Affected Systems:
-SGI IRIX 6.5.8 and earlier.
-
---
-Attack Scenarios:
-The attacker would need to craft a packet that would lead to the buffer
-overflow. No current exploits are available.
-
---
-Ease of Attack:
-Difficult
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-All systems running vulnerable versions of rpc.espd should have the appropriate patch applied.
-
-Additionally, the ESP daemon should be disabled where not needed by
-commenting out the appropriate line in inetd.conf. The daemon itself can
-be made non-executable by removal of the x bit (chmod -x rpc.espd).
-
-RPC services should not be available outside the local area network,
-filter RPC ports at the firewall to ensure access is denied to RPC
-enabled machines.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0331
-
-Bugtraq:
-http://www.securityfocus.com/bid/2714
-
---
diff -Nru snort-2.8.5.2/doc/signatures/598.txt snort-2.9.2/doc/signatures/598.txt
--- snort-2.8.5.2/doc/signatures/598.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/598.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-598
-
---
-Summary:
-This event is generated when an attempt is made dump entries from the portmapper.
-
---
-Impact:
-Information disclosure. This request can discover what Remote Procedure Call (RPC) services are offered and on which ports they listen.
-
---
-Detailed Information:
-The portmapper service registers all RPC services on UNIX hosts. It can be queried for all RPC services running, the RPC program name and version, the protocol (TCP or UDP), and the port where the service listens. This can provide an attacker with valuable information about what RPC services are offered and on which ports.
-
---
-Affected Systems:
-All hosts running portmapper.
-
---
-Attack Scenarios:
-An attacker can query the portmapper to discover RPC services and their associated listening ports.
-
---
-Ease of Attack:
-Simple. Execute 'rpcinfo -p hostname/IP'.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Limit remote access to RPC services.
-
-Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
-
-Disable unneeded RPC services.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS429
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/599.txt snort-2.9.2/doc/signatures/599.txt
--- snort-2.8.5.2/doc/signatures/599.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/599.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-599
-
---
-Summary:
-This event is generated when an attempt is made dump entries from the portmapper on a Solaris host.
-
---
-Impact:
-Information disclosure. This request can discover what Remote Procedure Call (RPC) services are offered and on which ports they listen.
-
---
-Detailed Information:
-The portmapper service registers all RPC services on UNIX hosts. It can be queried for all RPC services running, the RPC program name and version, the protocol (TCP or UDP), and the port where the service listens. This can provide an attacker with valuable information about what RPC services are offered and on which ports.
-
---
-Affected Systems:
-All Solaris hosts running portmapper.
-
---
-Attack Scenarios:
-An attacker can query the portmapper to discover RPC services and their associated listening ports.
-
---
-Ease of Attack:
-Simple. Execute 'rpcinfo -p hostname/IP'.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Limit remote access to RPC services.
-
-Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
-
-Disable unneeded RPC service.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS429
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/601.txt snort-2.9.2/doc/signatures/601.txt
--- snort-2.8.5.2/doc/signatures/601.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/601.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,54 +0,0 @@
-Rule:
-
---
-Sid:
-601
-
---
-Summary:
-This event is generated when an attempt is made to exploit a
-machine using Network Information Services (NIS).
-
---
-Impact:
-Unknown. This is traffic that should not be seen when using NIS and
-remote login services.
-
---
-Detailed Information:
-This event is generated when spurious data is sent to the rlogin service
-running on a machine that is using NIS.
-
---
-Attack Scenarios:
-An attacker needs to generate this traffic and send it directly to a
-machine. This is not normal network behavior.
-
---
-Ease of Attack:
-Simple, no exploit software required
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Investigate logs on the target host for further details and more signs of suspicious activity
-
-Use ssh for remote access instead of rlogin.
-
---
-Contributors:
-Original rule by Max Vision modified from a signature written by Ron Gula
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/602.txt snort-2.9.2/doc/signatures/602.txt
--- snort-2.8.5.2/doc/signatures/602.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/602.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid: 602
-
---
-Summary:
-This event is generated when an attempt to login using the "bin" account is made.
-
---
-Impact:
-An attacker may have gained the ability to initiate a remote interactive session on the server.
-
---
-Detailed Information:
-This event is generated when a connection using the "bin" account via "rsh" is attempted.
-
-This activity is indicative of attempts to abuse hosts using a default configuration.
-
-Some UNIX systems used to ship with "bin" account enabled and no password required. Similarly, the "rshd" service was also enabled. This allowed an attacker to connect to the machine and establish an interactive session using the "bin" account.
-
---
-Attack Scenarios:
-An attacker finds a machine with default account "bin" and "rshd" service running and connects to it, then escalates his privileges to "root"
-
---
-Ease of Attack:
-Simple, no exploit software required
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-If a local username is not the same as the remote one ("bin"), the rule will not generate an event.
-
---
-Corrective Action:
-Investigate logs on the target host for further details and more signs of suspicious activity
-
-Use ssh for remote access instead of rlogin.
-
---
-Contributors:
-Original rule by Max Vision modified from a signature written by Ron Gula
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-http://www.whitehats.com/info/IDS384
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0651
-
---
diff -Nru snort-2.8.5.2/doc/signatures/603.txt snort-2.9.2/doc/signatures/603.txt
--- snort-2.8.5.2/doc/signatures/603.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/603.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid: 603
-
---
-Summary:
-This event is generated when an attempt to modify access control permissions for remote shell logins is attempted.
-
---
-Impact:
-An attacker may have modified remote login permissions such that any host is allowed to initiate a remote session on the target host.
-
---
-Detailed Information:
-The rule generates an event when system reconfiguration is attempted via "rsh".
-
-The command "echo + +" is used to relax access control permissions for r-services to allow access from any site without the need for password authentication.
-
-This activity is indicative of attempts to abuse hosts using a default configuration.
-
-Some UNIX systems use the "rsh" service to allow a connection to the machine for establishing an interactive session.
-
---
-Attack Scenarios:
-An attacker finds a machine with "rsh" enabled and reconfigures it to allow access from any location
-
---
-Ease of Attack:
-Simple, no exploit software required
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Investigate logs on the target host for further details and more signs of suspicious activity
-
-Use ssh for remote access instead of rlogin.
-
---
-Contributors:
-Original rule by Max Vision modified from a signature written by Ron Gula
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS385
-
---
diff -Nru snort-2.8.5.2/doc/signatures/604.txt snort-2.9.2/doc/signatures/604.txt
--- snort-2.8.5.2/doc/signatures/604.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/604.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid: 604
-
---
-Summary:
-This event is generated due to the use of a suspicious login attempt
-
---
-Impact:
-Serious. If successful the attacker may have gained superuser access to the host.
-
---
-Detailed Information:
-This rule generates an event when a connection is made using "rsh" whilst passing the parameter "-froot".
-
-A bug in some implementations of the "rsh" daemon software allowed remote root access using the "-froot" parameter for the "rsh command"
-
---
-Attack Scenarios:
-If a UNIX machine has the "rsh" service running and is vulnerable to this bug, in can be exploited simply by running the "rsh" command with "-froot" flag. For example, rlogin host.foo.com -l -froot
-
---
-Ease of Attack:
-Simple, no exploit software required
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Investigate logs on the target host for further details and more signs of suspicious activity
-
-Use ssh for remote access instead of rlogin.
-
-Disable the "rsh" service if not used, apply a patch if appropriate.
-
---
-Contributors:
-Original rule by Max Vision modified from a signature written by Ron Gula
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0113
-
-Arachnids:
-http://www.whitehats.com/info/IDS387
-
---
diff -Nru snort-2.8.5.2/doc/signatures/605.txt snort-2.9.2/doc/signatures/605.txt
--- snort-2.8.5.2/doc/signatures/605.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/605.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid: 605
-
---
-Summary:
-This event is generated when a remote login attempt using rlogin fails.
-
---
-Impact:
-Someone has tried to login using rlogin and failed
-
---
-Detailed Information:
-This rule generates an event when a login failure message generated by rlogind is seen. rlogin is used on UNIX systems for remote connectivity and remote command execution.
-
-Multiple events may indicate that an attacker is attempting a brute force password guessing attack.
-
---
-Attack Scenarios:
-An attacker finds a machine with rlogin service running and proceeds to guess the password remotely by connecting multiple times.
-
---
-Ease of Attack:
-Simple, no exploit software required
-
---
-False Positives:
-A legitimate user may generate an event by entering an incorrect password.
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Investigate logs on the target host for further details and more signs of suspicious activity
-
-Use ssh for remote access instead of rlogin.
-
---
-Contributors:
-Original rule by Max Vision modified from a signature written by Ron Gula
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0651
-
-Arachnids:
-http://www.whitehats.com/info/IDS393
-
---
diff -Nru snort-2.8.5.2/doc/signatures/606.txt snort-2.9.2/doc/signatures/606.txt
--- snort-2.8.5.2/doc/signatures/606.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/606.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid: 606
-
---
-Summary:
-This event is generated when an attempt to login as the superuser is attempted using rlogin.
-
---
-Impact:
-Serious. If successful the attacker may have gained superuser access to the host.
-
---
-Detailed Information:
-This rule generates an event when a connection is made using "rlogin" with the username "root". Such activity is indicative of attempts to abuse insecure machines with a known default configuration.
-
-Some UNIX systems use the "rlogin" daemon which permits remote "root" logins. This may allow an attacker to connect to the machine and establish an interactive session.
-
---
-Attack Scenarios:
-An attacker finds a machine with the "rlogin" service running and connects to it, then proceeds to guess the "root" password
-
---
-Ease of Attack:
-Simple, no exploit software required
-
---
-False Positives:
-A system administrator may be logging in to a host using the username "root"
-
---
-False Negatives:
-If a local username is not the same as the remote one ("root"), the rule will not generate an event.
-
---
-Corrective Action:
-Investigate logs on the target host for further details and more signs of suspicious activity
-
-Use ssh for remote access instead of rlogin.
-
-Deny remote root logins to the host, use a normal user and "sudo" or give the user the ability to "su" to root where appropriate.
-
---
-Contributors:
-Original rule by Max Vision modified from a signature written by Ron Gula
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS389
-
---
diff -Nru snort-2.8.5.2/doc/signatures/607.txt snort-2.9.2/doc/signatures/607.txt
--- snort-2.8.5.2/doc/signatures/607.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/607.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid: 607
-
---
-Summary:
-This event is generated when an attempt to login using the "bin" account is made.
-
---
-Impact:
-An attacker may have gained the ability to initiate a remote interactive session on the server.
-
---
-Detailed Information:
-This event is generated when a connection using the "bin" account via "rsh" is attempted.
-
-This activity is indicative of attempts to abuse hosts using a default configuration.
-
-Some UNIX systems used to ship with "bin" account enabled and no password required. Similarly, the "rshd" service was also enabled. This allowed an attacker to connect to the machine and establish an interactive session using the "bin" account.
-
---
-Attack Scenarios:
-An attacker finds a machine with default account "bin" and "rshd" service running and connects to it, then escalates his privileges to "root"
-
---
-Ease of Attack:
-Simple, no exploit software required
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-If a local username is not the same as the remote one ("bin"), the rule will not generate an event.
-
---
-Corrective Action:
-Investigate logs on the target host for further details and more signs of suspicious activity
-
-Use ssh for remote access instead of rlogin.
-
---
-Contributors:
-Original rule by Max Vision modified from a signature written by Ron Gula
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS384
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0651
-
---
diff -Nru snort-2.8.5.2/doc/signatures/608.txt snort-2.9.2/doc/signatures/608.txt
--- snort-2.8.5.2/doc/signatures/608.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/608.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid: 608
-
---
-Summary:
-This event is generated when an attempt to modify access control permissions for remote shell logins is attempted.
-
---
-Impact:
-An attacker may have modified remote login permissions such that any host is allowed to initiate a remote session on the target host.
-
---
-Detailed Information:
-The rule generates an event when system reconfiguration is attempted via "rsh".
-
-The command "echo + +" is used to relax access control permissions for r-services to allow access from any site without the need for password authentication.
-
-This activity is indicative of attempts to abuse hosts using a default configuration.
-
-Some UNIX systems use the "rsh" service to allow a connection to the machine for establishing an interactive session.
-
---
-Attack Scenarios:
-An attacker finds a machine with "rsh" enabled and reconfigures it to allow access from any location
-
---
-Ease of Attack:
-Simple, no exploit software required
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Investigate logs on the target host for further details and more signs of suspicious activity
-
-Use ssh for remote access instead of rlogin.
-
---
-Contributors:
-Original rule by Max Vision modified from a signature written by Ron Gula
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-http://www.whitehats.com/info/IDS388
-
---
diff -Nru snort-2.8.5.2/doc/signatures/609.txt snort-2.9.2/doc/signatures/609.txt
--- snort-2.8.5.2/doc/signatures/609.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/609.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: 609 - --- -Summary: -This event is generated due to the use of a suspicious login attempt - --- -Impact: -Serious. If successful the attacker may have gained superuser access to the host. - --- -Detailed Information: -This rule generates an event when a connection is made using "rsh" whilst passing the parameter "-froot". - -A bug in some implementations of the "rsh" daemon software allowed remote root access using the "-froot" parameter for the "rsh command" - --- -Attack Scenarios: -If a UNIX machine has the "rsh" service running and is vulnerable to this bug, in can be exploited simply by running the "rsh" command with "-froot" flag. For example, rlogin host.foo.com -l -froot - --- -Ease of Attack: -Simple, no exploit software required - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Investigate logs on the target host for further details and more signs of suspicious activity - -Use ssh for remote access instead of rlogin. - -Disable the "rsh" service if not used, apply a patch if appropriate. - --- -Contributors: -Original rule by Max Vision modified from a signature written by Ron Gula -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0113 - -Arachnids: -http://www.whitehats.com/info/IDS387 - --- diff -Nru snort-2.8.5.2/doc/signatures/610.txt snort-2.9.2/doc/signatures/610.txt --- snort-2.8.5.2/doc/signatures/610.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/610.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid: 610
-
---
-Summary:
-This event is generated when an attempt to login as the superuser is attempted using rsh.
-
---
-Impact:
-Serious. If successful the attacker may have gained superuser access to the host.
-
---
-Detailed Information:
-This rule generates an event when a connection is made using "rsh" with the username "root". Such activity is indicative of attempts to abuse insecure machines with a known default configuration.
-
-Some UNIX systems use the "rsh" daemon which permits remote "root" logins. This may allow an attacker to connect to the machine and establish an interactive session.
-
---
-Attack Scenarios:
-An attacker finds a machine with the "rsh" service running and connects to it, then proceeds to guess the "root" password
-
---
-Ease of Attack:
-Simple, no exploit software required
-
---
-False Positives:
-A system administrator may be logging in to a host using the username "root"
-
---
-False Negatives:
-If a local username is not the same as the remote one ("root"), the rule will not generate an event.
-
---
-Corrective Action:
-Investigate logs on the target host for further details and more signs of suspicious activity
-
-Use ssh for remote access instead of rsh.
-
-Deny remote root logins to the host, use a normal user and "sudo" or give the user the ability to "su" to root where appropriate.
-
---
-Contributors:
-Original rule by Max Vision modified from a signature written by Ron Gula
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS391
-
---
diff -Nru snort-2.8.5.2/doc/signatures/611.txt snort-2.9.2/doc/signatures/611.txt
--- snort-2.8.5.2/doc/signatures/611.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/611.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid: 611
-
---
-Summary:
-This event is generated when a remote login attempt using rlogin fails.
-
---
-Impact:
-Someone has tried to login using rlogin and failed
-
---
-Detailed Information:
-This rule generates an event when a login failure message generated by rlogind is seen. rlogin is used on UNIX systems for remote connectivity and remote command execution.
-
-Multiple events may indicate that an attacker is attempting a brute force password guessing attack.
-
---
-Attack Scenarios:
-An attacker finds a machine with rlogin service running and proceeds to guess the password remotely by connecting multiple times.
-
---
-Ease of Attack:
-Simple, no exploit software required
-
---
-False Positives:
-A legitimate user may generate an event by entering an incorrect password.
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Investigate logs on the target host for further details and more signs of suspicious activity
-
-Use ssh for remote access instead of rlogin.
-
---
-Contributors:
-Original rule by Max Vision modified from a signature written by Ron Gula
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0651
-
-Arachnids:
-http://www.whitehats.com/info/IDS392
-
---
diff -Nru snort-2.8.5.2/doc/signatures/612.txt snort-2.9.2/doc/signatures/612.txt
--- snort-2.8.5.2/doc/signatures/612.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/612.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-612
-
---
-Summary:
-This event is generated when a request is made via Remote Procedure Call (RPC) to list the logged in users.
-
---
-Impact:
-Reconnaissance. A response to this request provides valid user names that can connect to the host.
-
---
-Detailed Information:
-The rusers RPC query is used to discover the users currently logged on to the host. A response to this request provides valid user names that can connect to the host. This information can be used to attempt a brute force guessing of associated passwords.
-
---
-Affected Systems:
-All systems running rusers.
-
---
-Attack Scenarios:
-An attacker may attempt to list all logged in users to gather information for a future brute force password attack.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-If a legitimate remote user is allowed to list users, this will generate a false positive.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Limit remote access to RPC services.
-
-Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
-
-Disable unneeded RPC services.
-
---
-Contributors:
-Original rule written by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0626
-
---
diff -Nru snort-2.8.5.2/doc/signatures/613.txt snort-2.9.2/doc/signatures/613.txt
--- snort-2.8.5.2/doc/signatures/613.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/613.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-613
-
---
-Summary:
-This event is generated when a scan is detected.
-
---
-Impact:
-Information gathering.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to scan a host.
-
-This may be the prelude to an attack. Scanners are used to ascertain
-which ports a host may be listening on, whether or not the ports are
-filtered by a firewall and if the host is vulnerable to a particular
-exploit.
-
---
-Affected Systems:
-Any host.
-
---
-Attack Scenarios:
-An attacker can determine if ports 21 and 20 are being used for FTP.
-Then the attacker might find out that the FTP service is vulnerable to a
-particular attack and is then able to compromise the host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-A scanner may be used in a security audit.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Determine whether or not the scan was legitimate then look for other
-events concerning the attacking IP address.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/614.txt snort-2.9.2/doc/signatures/614.txt
--- snort-2.8.5.2/doc/signatures/614.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/614.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,94 +0,0 @@ -Rule: - --- -Sid: -614 - --- -Summary: -hack-a-tack is a Trojan Horse. - --- -Impact: -Possible theft of data via download, upload of files, execution of files and reboot the targeted machine. - --- -Detailed Information: -This Trojan affects the following operating systems: - - Windows 95 - Windows 98 - Windows ME - Windows NT - Windows 2000 - Windows XP - -The Trojan changes system registry settings to add the hack-a-tack server to programs normally started on boot. Due to the nature of this Trojan it is unlikely that the attacker's client IP address has been spoofed. - - SID Message - --- ------- - 141 HackAttack 1.20 Connect - 614 hack-a-tack attempt - -This Trojan is commonly used to install other Trojan programs. - -The server portion opens TCP ports 31785 and 31787 and UDP ports 31789 and 31791 by default to establish a connection between client and server. The ports may then be configured by the attacker to use something other than these defaults. - --- -Attack Scenarios: -This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example. - --- -Ease of Attack: -This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan. - -The Trojan server is located at :\WINDOWS\Expl32.exe. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: - -Edit the system registry to remove the extra keys or restore a previously known good copy of the registry. - -Affected registry keys are: - - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ - -Registry keys added are: - - Explorer32 =":\windows\Expl32.exe" - Configuration Wizard = ":\windows=cfgwiz32.exe" - -Removal of this entry is required. 
- -Delete the file(s) :\WINDOWS\Expl32.exe and :\windows=cfgwiz32.exe - -Ending the Trojan process is also necessary. A reboot of the infected machine is recommended. - --- -Contributors: -Original Rule Writer Max Vision -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -Whitehats arachNIDS -http://www.whitehats.com/info/IDS314 -http://www.whitehats.com/info/IDS504 - -Hackfix.org -http://www.hackfix.org/miscfix/hackatack.shtml - -Commodon Communications -http://www.commodon.com/threat/threat-hack.htm - --- diff -Nru snort-2.8.5.2/doc/signatures/615.txt snort-2.9.2/doc/signatures/615.txt --- snort-2.8.5.2/doc/signatures/615.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/615.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,94 +0,0 @@ -Rule: - --- - -Sid: - -615 - --- - -Summary: - -An external host has requested to start communications with your host on -port 1080. - --- - -Impact: - -Network reconnaissance. - --- - -Detailed Information: - -Improperly-configured SOCKS proxies can be abused to allow a hostile -user to launch attacks and make them appear to come from your site. - -Additionally, if the proxy is behind a firewall or is a trusted host, it -can be used to gain further access into your network and other hosts. - --- - -Affected Systems: - -Any system with a SOCKS proxy server installed. - --- - -Attack Scenarios: - -Attacker utilizes your misconfigured proxy to anonymize their other -illegitimate activities or gain further access to your network. - --- - -Ease of Attack: - -Trivial or extremely difficult, depending on proxy configuration. - --- - -False Positives: -Non-proxy applications running on port 1080, regardless of purpose, will -trigger this alert every time any session begins. - -Ftp clients open a source tcp port greater than 1023 (an 'ephemeral' port). If the -client opens port 1080 for the data connection, this rule will be triggered by return -packets from the ftp server. One way to cut down on these false -positives for this rule might be to preceed it with a pass rule for -'established' connections to 1080. This would only work with passive ftp -transactions, where the client initiates both control and data sessions. Normal ftp -requires the server to initiate a connection to the client for data transfers after the client -sets up a control session. - --- - -False Negatives: -None known. - --- - -Corrective Action: -Allow only internal users to connect to the proxy, or configure strong -access control. 
- --- - -Contributors: -Snort documentation contributed by Gene R Gomez (gene!AT!gomezbrothers!DOT!com) -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -False positive information contributed by jaffeld@duwamish.net - --- - -Additional References: - -UnderNet: -http://help.undernet.org/proxyscan/ - - --- diff -Nru snort-2.8.5.2/doc/signatures/616.txt snort-2.9.2/doc/signatures/616.txt --- snort-2.8.5.2/doc/signatures/616.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/616.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,63 +0,0 @@ -Rule: - --- -Sid: -616 - --- -Summary: -This event is generated when a scan is detected. - --- -Impact: -Information gathering. - --- -Detailed Information: -This event indicates that an attempt has been made to scan a host. - -This may be the prelude to an attack. Scanners are used to ascertain -which ports a host may be listening on, whether or not the ports are -filtered by a firewall and if the host is vulnerable to a particular -exploit. - --- -Affected Systems: -Any host. - --- -Attack Scenarios: -An attacker can determine if ports 21 and 20 are being used for FTP. -Then the attacker might find out that the FTP service is vulnerable to a -particular attack and is then able to compromise the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -A scanner may be used in a security audit. - --- -False Negatives: -None Known. - --- -Corrective Action: -Determine whether or not the scan was legitimate then look for other -events concerning the attacking IP address. - -Check the host for signs of compromise. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/618.txt snort-2.9.2/doc/signatures/618.txt --- snort-2.8.5.2/doc/signatures/618.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/618.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-618
-
---
-Summary:
-This event is generated when a scan is detected.
-
---
-Impact:
-Information gathering.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to scan a host.
-
-This may be the prelude to an attack. Scanners are used to ascertain which ports a host may be listening on, whether or not the ports are filtered by a firewall and if the host is vulnerable to a particular exploit.
-
---
-Affected Systems:
-Any host.
-
---
-Attack Scenarios:
-An attacker can determine if ports 21 and 20 are being used for FTP. Then the attacker might find out that the FTP service is vulnerable to a particular attack and is then able to compromise the host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-A scanner may be used in a security audit.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Determine whether or not the scan was legitimate then look for other events concerning the attacking IP address.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/619.txt snort-2.9.2/doc/signatures/619.txt
--- snort-2.8.5.2/doc/signatures/619.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/619.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -619 - --- -Summary: -This event is generated when a scan is detected. - --- -Impact: -Information gathering. - --- -Detailed Information: -This event indicates that an attempt has been made to scan a host. - -This may be the prelude to an attack. Scanners are used to ascertain -which ports a host may be listening on, whether or not the ports are -filtered by a firewall and if the host is vulnerable to a particular -exploit. - --- -Affected Systems: -Any host. - --- -Attack Scenarios: -An attacker can determine if ports 21 and 20 are being used for FTP. -Then the attacker might find out that the FTP service is vulnerable to a -particular attack and is then able to compromise the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -A scanner may be used in a security audit. - --- -False Negatives: -None Known. - --- -Corrective Action: -Determine whether or not the scan was legitimate then look for other -events concerning the attacking IP address. - -Check the host for signs of compromise. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/620.txt snort-2.9.2/doc/signatures/620.txt --- snort-2.8.5.2/doc/signatures/620.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/620.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -620 - --- -Summary: -This event is generated when a scan is detected. - --- -Impact: -Information gathering. - --- -Detailed Information: -This event indicates that an attempt has been made to scan a host. - -This may be the prelude to an attack. Scanners are used to ascertain -which ports a host may be listening on, whether or not the ports are -filtered by a firewall and if the host is vulnerable to a particular -exploit. - --- -Affected Systems: -Any host. - --- -Attack Scenarios: -An attacker can determine if ports 21 and 20 are being used for FTP. -Then the attacker might find out that the FTP service is vulnerable to a -particular attack and is then able to compromise the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -A scanner may be used in a security audit. - --- -False Negatives: -None Known. - --- -Corrective Action: -Determine whether or not the scan was legitimate then look for other -events concerning the attacking IP address. - -Check the host for signs of compromise. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/621.txt snort-2.9.2/doc/signatures/621.txt --- snort-2.8.5.2/doc/signatures/621.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/621.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,66 +0,0 @@ -Rule: --- -Sid: -621 --- -Summary: -A tcp packet with only it's FIN flag set was detected. - --- -Impact: -Information regarding firewall rulesets, open/closed ports, ACLs, and -possibly even OS type may be disclosed. This technique can also be -used to bypass certain firewalls or traffic filtering/shaping devices. - --- -Detailed Information: -A tcp packet with only it's FIN flag set was detected. Most Windows -machines will respond with an ACK-RST regardless of whether or not the -port is open. Most *nix systems will respond with an ACK-RST if the -port is closed and will not respond at all if the port is open. -Actual responses may vary. - --- -Affected Systems: - --- -Attack Scenarios: -As part of information gathering leading up to another (more directed) -attack, an attacker may attempt to figure out what ports are -open/closed on a remote machine. - --- -Ease of Attack: -Intermediate. To initiate an attack of this type, an attacker either -needs a tool that can send packets with only the FIN flag set or -the ability to craft their own packets. The former is easy, the later -requires a more advanced skillset. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Determine if this particular port would have responded as being open -or closed. If open, watch for more attacks on this particular service -or from the remote machine that sent the packet. If closed, simply -watch for more traffic from this host. Consider filtering this type -of traffic at the ingress points of your network. - --- -Contributors: -Original rule writer unknown -Original document author unkown -Sourcefire Vulnerability Research Team -Nigel Houghton -Jon Hart - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/622.txt snort-2.9.2/doc/signatures/622.txt --- snort-2.8.5.2/doc/signatures/622.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/622.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -622 - --- -Summary: -This event is generated when a scan is detected. - --- -Impact: -Information gathering. - --- -Detailed Information: -This event indicates that an attempt has been made to scan a host. - -This may be the prelude to an attack. Scanners are used to ascertain -which ports a host may be listening on, whether or not the ports are -filtered by a firewall and if the host is vulnerable to a particular -exploit. - --- -Affected Systems: -Any host. - --- -Attack Scenarios: -An attacker can determine if ports 21 and 20 are being used for FTP. -Then the attacker might find out that the FTP service is vulnerable to a -particular attack and is then able to compromise the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -A scanner may be used in a security audit. - --- -False Negatives: -None Known. - --- -Corrective Action: -Determine whether or not the scan was legitimate then look for other -events concerning the attacking IP address. - -Check the host for signs of compromise. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/623.txt snort-2.9.2/doc/signatures/623.txt --- snort-2.8.5.2/doc/signatures/623.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/623.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: --- -Sid: -623 --- -Summary: -A tcp packet with none of it's control bits set was detected. - --- -Impact: -Information regarding firewall rulesets, open/closed ports, ACLs, and -possibly even OS type is possible. This technique can also be used to -bypass certain firewalls or traffic filtering/shaping devices. - --- -Detailed Information: -A tcp packet with none of it's control bits (URG, ACK, PSH, RST, SYN, -FIN) was detected. Additionally, both the sequence number and -acknowledgement number were set to 0. An open port will generally not -respond at all, whereas a closed port will generally respond with an -ACK RST. The particular response varies between operating systems, -and is also governed by any filtering that may be done between the two -hosts. - --- -Affected Systems: - --- -Attack Scenarios: -As part of information gathering leading up to another (more directed) -attack, an attacker may attempt to figure out what ports are -open/closed on a remote machine. - --- -Ease of Attack: -Intermediate. To initiate an attack of this type, an attacker either -needs a tool that can send tcp packets with no control bits set or -the ability to craft their own packets. The former is easy, the later -requires a more advanced skillset. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Determine if this particular port would have responded as being open -or closed. If open, watch for more attacks on this particular service -or from the remote machine that sent the packet. If closed, simply -watch for more traffic from this host. 
- --- -Contributors: -Original rule writer unknown -Original document author unkown -Sourcefire Vulnerability Research Team -Nigel Houghton -Jon Hart - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/624.txt snort-2.9.2/doc/signatures/624.txt --- snort-2.8.5.2/doc/signatures/624.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/624.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: --- -Sid: -624 - --- -Summary: -A tcp packet with it's SYN and FIN flags set was detected. - --- -Impact: -Information regarding firewall rulesets, open/closed ports, ACLs, and -possibly even OS type is possible. This technique can also be used to -bypass certain firewalls or traffic filtering/shaping devices. - --- -Detailed Information: -A tcp packet with it's SYN and FIN flags set was detected. Most -stacks will respond with an ACK SYN indicating that the port was open, -whereas a closed port will illicit an ACK RST. - --- -Affected Systems: - --- -Attack Scenarios: -As part of information gathering leading up to another (more directed) -attack, an attacker may attempt to figure out what ports are -open/closed on a remote machine. - --- -Ease of Attack: -Intermediate. To initiate an attack of this type, an attacker either -needs a tool that can send packets with the SYN and FIN flags set or -the ability to craft their own packets. The former is easy, the later -requires a more advanced skillset. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Determine if this particular port would have responded as being open -or closed. If open, watch for more attacks on this particular service -or from the remote machine that sent the packet. If closed, simply -watch for more traffic from this host. - --- -Contributors: -Original rule writer unknown -Original document author unkown -Sourcefire Vulnerability Research Team -Nigel Houghton -Jon Hart - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/625.txt snort-2.9.2/doc/signatures/625.txt --- snort-2.8.5.2/doc/signatures/625.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/625.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,65 +0,0 @@ -Rule: --- -Sid: -625 - -Summary: --- -A TCP packet with all of the (unreserved) control bits set was -detected as being destined for your machine. - --- -Impact: -System recon. Different operating-systems will respond in different -ways depending on their particular stack implementation. This allows -attackers to determine things such as open/closed ports, ACLs, and the -like. - --- -Detailed Information: -The ACK, FIN, PSH, RST, SYN, and URG control bits were set in a TCP -packet. - --- -Affected Systems: - --- -Attack Scenarios: -As part of a recon mission that may be an indicator to upcoming -attacks, an attacker may attempt to determine what ports are listening -on a given machine by sending a TCP packet with all of its control -bits "lit up", hence the name XMAS scan -- its "lit up like a -christmas tree." -__ -Ease of Attack: -Trivial. Many of the popular portscanners/vulnerability testers, most -notably nmap, allow anyone to inititiate an XMAS scan. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Determine what information an attacker may have gleaned from this -attack. Would your ports show as open or closed? Consider -implementing a stateful firewall on the victim machine, or at ingress -points on your network. - --- -Contributors: -Original rule writer unknown -Original document author unkown -Sourcefire Vulnerability Research Team -Nigel Houghton -Jon Hart - --- -Additional References: -http://rr.sans.org/firewall/egress.php - --- diff -Nru snort-2.8.5.2/doc/signatures/626.txt snort-2.9.2/doc/signatures/626.txt --- snort-2.8.5.2/doc/signatures/626.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/626.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,79 +0,0 @@ -Rule: - --- -Sid: - -626 - --- -Summary: -This event is generated when the Cybercop vulnerability scanner is used -against a host. - --- -Impact: -Cybercop can be used to identify vulnerabilities on host systems. - --- -Detailed Information: -This particular packet is a part of Cybercop's OS identification. -Specially crafted packets are able to elicit different responses from -different operating systems. This packet is likely to be part of a full -Cybercop scan rather than an isolated event. Having PUSH, ACK and -reserve bits 1 and 2 set at the same time is unusual. While this rule -performs content as well as header checking to avoid false positives, -this flag combination in the TCP header is possible is possible in a -legitimate situation because of the addition of Explicit Congestion -Notification (ECN). - --- -Affected Systems: -All - --- -Attack Scenarios: -Cybercop can be used by attackers to determine vulnerabilities present -on a host or network of hosts that could be used as attack vectors. - --- -Ease of Attack: -Simple - --- -False Positives: -This tool can be used legitimately by a system and network -administrators. - -False positives from ECN enabled systems are possible. - --- -False Negatives: -None known. - --- -Corrective Action: -TCP packets with PUSH, ACK and reserved bits 1 and 2 set at the same -time are unusual but possible with Explicit Congestion Notification -(ECN). It is advisable to block TCP packets with these flags set that -do not have the ECT bit (TOS bit 6) set in the IP header. 
- --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Steven Alexander - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS149 - -Security Focus: -http://www.securityfocus.com/infocus/1205 - -RFC: -http://www.ietf.org/rfc/rfc2481.txt?number=2481 - --- diff -Nru snort-2.8.5.2/doc/signatures/627.txt snort-2.9.2/doc/signatures/627.txt --- snort-2.8.5.2/doc/signatures/627.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/627.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -627 - --- -Summary: -This event is generated when the Cybercop vulnerability scanner is used -against a host. - --- -Impact: -Cybercop can be used to identify vulnerabilities on host systems. - --- -Detailed Information: -This particular packet is a part of Cybercop's OS identification. -Specially crafted packets are able to elicit different responses from -different operating systems. This packet is likely to be part of a full -Cybercop scan rather than an isolated event. Having SYN, FIN, URG and -reserve bits 1 and 2 set at the same time is abnormal. - --- -Affected Systems: -All - --- -Attack Scenarios: -Cybercop can be used by attackers to determine vulnerabilities present -on a host or network of hosts that could be used as attack vectors. - --- -Ease of Attack: -Simple - --- -False Positives: -This tool can be used legitimately by system and network administrators. -Other vulnerability scanners may display the same behavior. - --- -False Negatives: -None known. - --- -Corrective Action: -TCP packets with SYN, FIN, URG and reserved bits 1 and 2 set at the same -time are abnormal, use a packet filtering firewall to block them. - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Steven Alexander - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS150 - --- diff -Nru snort-2.8.5.2/doc/signatures/628.txt snort-2.9.2/doc/signatures/628.txt --- snort-2.8.5.2/doc/signatures/628.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/628.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,72 +0,0 @@ -Rule: - --- -Sid: -628 - --- -Summary: -This event is generated when the nmap port scanner and reconnaissance -tool is used against a host. - --- -Impact: -This could be part of a full scan by nmap and could indicate -potential malicious reconnaissance of the targeted network or host. - --- -Detailed Information: -Some versions of Nmap's TCP ping, if selected, sends a TCP ACK with an -ACK number = 0. - -Nmap can use TCP ping as a second alternative to ICMP Ping. - --- -Affected Systems: -All systems not protected by a stateful firewall are affected. The TCP -Ping targeted port does not need to be open on the host being probed to -determine if the machine is alive or not. - --- -Attack Scenarios: -The first thing an attacker does is to gather some information about its -target, he may use Nmap to see if the potential target is alive on -certain network. Included as part of the "pinging" technique used by -Nmap, a TCP ping can be used on certain networks that don't allow the -ICMP Protocol. - --- -Ease of Attack: -Simple. Nmap requires no specialized experience to use it. - --- -False Positives: -This particular Nmap TCP Ping uses a TCP ACK with an ACK Number = 0. It -is possible that other tools may also send a TCP ACK with an ACK number -of Zero. - --- -False Negatives: -None known. - --- -Corrective Action: -Any stateful firewall should be enough to protect a host from being "TCP -ACK probed". If you have more suspicious/malicious activity from the -host doing the portscan, follow your standard procedure to asess the -potential threat. If you only detect TCP Pings, that may be just a TCP -Ping Sweep and it is not a real threat. 
- --- -Contributors: -Original Rule Writer Unknown (prime suspect is Marty Roesch) -Snort documentation contributed by Jose Hernandez -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: -arachnids: ids28 - --- diff -Nru snort-2.8.5.2/doc/signatures/629.txt snort-2.9.2/doc/signatures/629.txt --- snort-2.8.5.2/doc/signatures/629.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/629.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,72 +0,0 @@ -Rule: - --- -Sid: -629 - --- -Summary: -This event is generated when the nmap port scanner and reconnaissance -tool is used against a host. - -When run with the '-O' option, it attempts to identify the remote -operating system. - --- -Impact: -Can provide useful reconnaissance information to an attacker. Has been -known to cause a denial of service on some older hosts. - --- -Detailed Information: -nmap attempts to identify the remote operating system by looking for -different services that are common or specific to particular operating -systems. It also sends a variety of abnormal packets that are often -handled differently by different operating systems so that it can -differentiate between them based on the responses. - --- -Affected Systems: -All - --- -Attack Scenarios: -nmap is often used before an attempt to gain access to a system. - --- -Ease of Attack: -Simple - --- -False Positives: -None known. The signature may be produced by other scanners but is -unlikely to be used for legitimate activity. - --- -False Negatives: -None known. - --- -Corrective Action: -Block any TCP packets that have the SYN, FIN, PUSH and URGENT flags set -using a firewall. Block only packets that have all four of the flags -set as they are individually and in other combinations necessary for -normal TCP traffic. If you block them individually or in other -combinations your network will not function correctly. - --- -Contributors: -Original Rule Writer Unknown (prime suspect is Marty Roesch) -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Steven Alexander --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS05 - -Nmap scanner: -http://www.insecure.org - --- diff -Nru snort-2.8.5.2/doc/signatures/630.txt snort-2.9.2/doc/signatures/630.txt --- snort-2.8.5.2/doc/signatures/630.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/630.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,51 +0,0 @@ -Rule: - --- -Sid:630 - --- -Summary: -A host has scanned the network looking for vulnerable servers. - --- -Impact: -Information leak, reconnaisance, preperation for automated attack such as worm propagation - - --- -Detailed Information: -Synscan is the scanning and vulnerability testing engines for ramen, canserserver and is included in some versions of the t0rn root kit as t0rnscan. It is a very fast syn scanner. - --- -Attack Scenarios: -This is a scanning tool that is often the precursor to a worm infection. - - --- -Ease of Attack: -This scanner is fast and easy to use. It is readily available and was included with several worms. - - --- -False Positives: -sscan, mscan, and several other tools used ID=39426 but the use of SYNFIN is unique to synscan [1.5|1.6] - --- -False Negatives: -This rule will not generate an event if recent versions of synScan, such as 1.6a, are used because synScan now uses random IP IDs. - --- -Corrective Action: -Run flexresp with synscan kill. - --- -Contributors: -Don Smith Initial Research -Josh Gray Edits - --- -Additional References: - - - --- diff -Nru snort-2.8.5.2/doc/signatures/631.txt snort-2.9.2/doc/signatures/631.txt --- snort-2.8.5.2/doc/signatures/631.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/631.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -631 - --- -Summary: -This event is generated when an external user scans an internal SMTP -server using Network Associates' Cybercop vulnerability scanner. - --- -Impact: -Information gathering. - --- -Detailed Information: -Cybercop Scanner is scanning software that searches for system -vulnerabilities. As one of its scanning procedures, it sends an EHLO -command to SMTP server ports to determine if the SMTP server will return -a list of remote commands that it accepts. - --- -Affected Systems: -Any SMTP server that returns a list of acceptable commands for remote mailers. - --- -Attack Scenarios: -An attacker may run Cybercop Scanner against SMTP servers in order to -determine vulnerabilities that can later be exploited. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure that your SMTP server does not provide more information than is -necessary when it receives an EHLO request. - --- -Contributors: -Original rule writer unknown -Modified by Brian Caswell -Sourcefire Research Team -Sourcefire Technical Publications Team -Jen Harvey - --- -Additional References: - -General Cybercop information: -http://www.securityfocus.com/products/126 - --- diff -Nru snort-2.8.5.2/doc/signatures/632.txt snort-2.9.2/doc/signatures/632.txt --- snort-2.8.5.2/doc/signatures/632.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/632.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ -Rule: - --- -Sid: -632 - --- -Summary: -This event is generated when an external user scans an internal SMTP server using Network Associates' Cybercop vulnerability scanner. - --- -Impact: -Information gathering. - --- -Detailed Information: -Cybercop Scanner is scanning software that searches for system vulnerabilities. As one of its scanning procedures, it sends an expn command to SMTP server ports to determine if the SMTP server will return a list of email addresses, aliases, and distribution lists. - --- -Affected Systems: -Any SMTP server that returns a list of email addresses, aliases, and distribution lists when queried with the expn command. - --- -Attack Scenarios: -An attacker may run Cybercop Scanner against SMTP servers in order to determine vulnerabilities that can later be exploited. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Disable expn on your mail server. - --- -Contributors: -Original rule writer unknown -Modified by Brian Caswell -Sourcefire Research Team -Sourcefire Technical Publications Team -Jen Harvey - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/634.txt snort-2.9.2/doc/signatures/634.txt --- snort-2.8.5.2/doc/signatures/634.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/634.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,57 +0,0 @@ -Rule: - --- -Sid: -634 - --- -Summary: -This event is generated when a scan is detected. - --- -Impact: -Information gathering. - --- -Detailed Information: -This event indicates that an attempt has been made to scan a host. - -This may be the prelude to an attack. Scanners are used to ascertain which ports a host may be listening on, whether or not the ports are filtered by a firewall and if the host is vulnerable to a particular exploit. - --- -Affected Systems: -Any host. - --- -Attack Scenarios: -An attacker can determine if ports 21 and 20 are being used for FTP. Then the attacker might find out that the FTP service is vulnerable to a particular attack and is then able to compromise the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -A scanner may be used in a security audit. - --- -False Negatives: -None Known. - --- -Corrective Action: -Determine whether or not the scan was legitimate then look for other events concerning the attacking IP address. - -Check the host for signs of compromise. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/635.txt snort-2.9.2/doc/signatures/635.txt --- snort-2.8.5.2/doc/signatures/635.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/635.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -635 - --- -Summary: -This event is generated when a scan is detected. - --- -Impact: -Information gathering. - --- -Detailed Information: -This event indicates that an attempt has been made to scan a host. - -This may be the prelude to an attack. Scanners are used to ascertain -which ports a host may be listening on, whether or not the ports are -filtered by a firewall and if the host is vulnerable to a particular -exploit. - --- -Affected Systems: -Any host. - --- -Attack Scenarios: -An attacker can determine if ports 21 and 20 are being used for FTP. -Then the attacker might find out that the FTP service is vulnerable to a -particular attack and is then able to compromise the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -A scanner may be used in a security audit. - --- -False Negatives: -None Known. - --- -Corrective Action: -Determine whether or not the scan was legitimate then look for other -events concerning the attacking IP address. - -Check the host for signs of compromise. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/636.txt snort-2.9.2/doc/signatures/636.txt --- snort-2.8.5.2/doc/signatures/636.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/636.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -636 - --- -Summary: -This event is generated when a scan is detected. - --- -Impact: -Information gathering. - --- -Detailed Information: -This event indicates that an attempt has been made to scan a host. - -This may be the prelude to an attack. Scanners are used to ascertain -which ports a host may be listening on, whether or not the ports are -filtered by a firewall and if the host is vulnerable to a particular -exploit. - --- -Affected Systems: -Any host. - --- -Attack Scenarios: -An attacker can determine if ports 21 and 20 are being used for FTP. -Then the attacker might find out that the FTP service is vulnerable to a -particular attack and is then able to compromise the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -A scanner may be used in a security audit. - --- -False Negatives: -None Known. - --- -Corrective Action: -Determine whether or not the scan was legitimate then look for other -events concerning the attacking IP address. - -Check the host for signs of compromise. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/637.txt snort-2.9.2/doc/signatures/637.txt --- snort-2.8.5.2/doc/signatures/637.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/637.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -637 - --- -Summary: -This event is generated when a scan is detected. - --- -Impact: -Information gathering. - --- -Detailed Information: -This event indicates that an attempt has been made to scan a host. - -This may be the prelude to an attack. Scanners are used to ascertain -which ports a host may be listening on, whether or not the ports are -filtered by a firewall and if the host is vulnerable to a particular -exploit. - --- -Affected Systems: -Any host. - --- -Attack Scenarios: -An attacker can determine if ports 21 and 20 are being used for FTP. -Then the attacker might find out that the FTP service is vulnerable to a -particular attack and is then able to compromise the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -A scanner may be used in a security audit. - --- -False Negatives: -None Known. - --- -Corrective Action: -Determine whether or not the scan was legitimate then look for other -events concerning the attacking IP address. - -Check the host for signs of compromise. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/638.txt snort-2.9.2/doc/signatures/638.txt --- snort-2.8.5.2/doc/signatures/638.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/638.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: 638 - --- -Summary: -This event is generated when a buffer overflow attack is attempted against a target machine. - --- -Impact: -Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user. - - --- -Detailed Information: -This rule tracks the bit combination which may occur in network packets aimed at overflowing IRIX MIPS network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system. - -A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule. - --- -Attack Scenarios: -An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target. - --- -Ease of Attack: -Simple - - --- -False Positives: -This event may be generated by legitimate traffic to the specified port. - - --- -False Negatives: -This event is specific to the shell code defined in the rule. -Other shell code sequences may not be detected. - --- -Corrective Action: -Check the target host for other signs of compromise. - -Look for other events concerning the target host. - -Apply vendor supplied patches and keep the operating system up to date. 
- --- -Contributors: -Original Rule Writer Unkown -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS356 - -Phrack.com: -http://www.phrack.com/show.php?p=56&a=15 - --- diff -Nru snort-2.8.5.2/doc/signatures/639.txt snort-2.9.2/doc/signatures/639.txt --- snort-2.8.5.2/doc/signatures/639.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/639.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: 639 - --- -Summary: -This event is generated when a buffer overflow attack is attempted against a target machine. - --- -Impact: -Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user. - - --- -Detailed Information: -This rule tracks the bit combination which may occur in network packets aimed at overflowing IRIX MIPS network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system. - may occur in network packets aimed at overflowing IRIX MIPS network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system. - may occur in network packets aimed at overflowing IRIX MIPS network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system. - -A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule. - --- -Attack Scenarios: -An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target. - --- -Ease of Attack: -Simple - - --- -False Positives: -This event may be generated by legitimate traffic to the specified port. - - --- -False Negatives: -This event is specific to the shell code defined in the rule. -Other shell code sequences may not be detected. - --- -Corrective Action: -Check the target host for other signs of compromise. - -Look for other events concerning the target host. 
- -Apply vendor supplied patches and keep the operating system up to date. - --- -Contributors: -Original Rule Writer Unkown -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS357 - --- diff -Nru snort-2.8.5.2/doc/signatures/640.txt snort-2.9.2/doc/signatures/640.txt --- snort-2.8.5.2/doc/signatures/640.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/640.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: 640 - --- -Summary: -This event is generated when a buffer overflow attack is attempted against a target machine. - --- -Impact: -Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user. - - --- -Detailed Information: -This rule tracks the bit combination which may occur in network packets aimed at overflowing IRIX MIPS network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system. - -A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule. - --- -Attack Scenarios: -An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target. - --- -Ease of Attack: -Simple - - --- -False Positives: -This event may be generated by legitimate traffic to the specified port. - - --- -False Negatives: -This event is specific to the shell code defined in the rule. -Other shell code sequences may not be detected. - --- -Corrective Action: -Check the target host for other signs of compromise. - -Look for other events concerning the target host. - -Apply vendor supplied patches and keep the operating system up to date. - --- -Contributors: -Original Rule Writer Unkown -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/641.txt snort-2.9.2/doc/signatures/641.txt --- snort-2.8.5.2/doc/signatures/641.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/641.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: 641 - --- -Summary: -This event is generated when a buffer overflow attack is attempted against a target machine. - --- -Impact: -Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user. - - --- -Detailed Information: -This rule tracks the bit combination which may occur in network packets aimed at overflowing Digital UNIX network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system. - -A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule. - --- -Attack Scenarios: -An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target. - --- -Ease of Attack: -Simple - - --- -False Positives: -This event may be generated by legitimate traffic to the specified port. - - --- -False Negatives: -This event is specific to the shell code defined in the rule. -Other shell code sequences may not be detected. - --- -Corrective Action: -Check the target host for other signs of compromise. - -Look for other events concerning the target host. - -Apply vendor supplied patches and keep the operating system up to date. - --- -Contributors: -Original Rule Writer Unkown -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS352 - --- diff -Nru snort-2.8.5.2/doc/signatures/642.txt snort-2.9.2/doc/signatures/642.txt --- snort-2.8.5.2/doc/signatures/642.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/642.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: 642 - --- -Summary: -This event is generated when a buffer overflow attack is attempted against a target machine. - --- -Impact: -Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user. - - --- -Detailed Information: -This rule tracks the bit combination which may occur in network packets aimed at overflowing HP-UX UNIX network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system. - -A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule. - --- -Attack Scenarios: -An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target. - --- -Ease of Attack: -Simple - - --- -False Positives: -This event may be generated by legitimate traffic to the specified port. - - --- -False Negatives: -This event is specific to the shell code defined in the rule. -Other shell code sequences may not be detected. - --- -Corrective Action: -Check the target host for other signs of compromise. - -Look for other events concerning the target host. - -Apply vendor supplied patches and keep the operating system up to date. - --- -Contributors: -Original Rule Writer Unkown -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS358 - --- diff -Nru snort-2.8.5.2/doc/signatures/643.txt snort-2.9.2/doc/signatures/643.txt --- snort-2.8.5.2/doc/signatures/643.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/643.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: 643 - --- -Summary: -This event is generated when a buffer overflow attack is attempted against a target machine. - --- -Impact: -Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user. - - --- -Detailed Information: -This rule tracks the bit combination which may occur in network packets aimed at overflowing HP-UX UNIX network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system. - --- -Attack Scenarios: -An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target. - --- -Ease of Attack: -Simple - - --- -False Positives: -This event may be generated by legitimate traffic to the specified port. - - --- -False Negatives: -This event is specific to the shell code defined in the rule. -Other shell code sequences may not be detected. - --- -Corrective Action: -Check the target host for other signs of compromise. - -Look for other events concerning the target host. - -Apply vendor supplied patches and keep the operating system up to date. - --- -Contributors: -Original Rule Writer Unkown -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS359 - --- diff -Nru snort-2.8.5.2/doc/signatures/644.txt snort-2.9.2/doc/signatures/644.txt --- snort-2.8.5.2/doc/signatures/644.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/644.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: 644 - --- -Summary: -This event is generated when a buffer overflow attack is attempted against a target machine. - --- -Impact: -Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user. - - --- -Detailed Information: -This rule tracks the bit combination which may occur in network packets aimed at overflowing Sparc Solaris/SunOS network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system. - -A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule. - --- -Attack Scenarios: -An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target. - --- -Ease of Attack: -Simple - - --- -False Positives: -This event may be generated by legitimate traffic to the specified port. - - --- -False Negatives: -This event is specific to the shell code defined in the rule. -Other shell code sequences may not be detected. - --- -Corrective Action: -Check the target host for other signs of compromise. - -Look for other events concerning the target host. - -Apply vendor supplied patches and keep the operating system up to date. - --- -Contributors: -Original Rule Writer Unkown -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS345 - --- diff -Nru snort-2.8.5.2/doc/signatures/645.txt snort-2.9.2/doc/signatures/645.txt --- snort-2.8.5.2/doc/signatures/645.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/645.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: 645 - --- -Summary: -This event is generated when a buffer overflow attack is attempted against a target machine. - --- -Impact: -Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user. - - --- -Detailed Information: -This rule tracks the bit combination which may occur in network packets aimed at overflowing Sparc Solaris/SunOS network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system. - -A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule. - --- -Attack Scenarios: -An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target. - --- -Ease of Attack: -Simple - - --- -False Positives: -This event may be generated by legitimate traffic to the specified port. - - --- -False Negatives: -This event is specific to the shell code defined in the rule. -Other shell code sequences may not be detected. - --- -Corrective Action: -Check the target host for other signs of compromise. - -Look for other events concerning the target host. - -Apply vendor supplied patches and keep the operating system up to date. - --- -Contributors: -Original Rule Writer Unkown -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS353 - --- diff -Nru snort-2.8.5.2/doc/signatures/646.txt snort-2.9.2/doc/signatures/646.txt --- snort-2.8.5.2/doc/signatures/646.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/646.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: 646 - --- -Summary: -This event is generated when a buffer overflow attack is attempted against a target machine. - --- -Impact: -Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user. - - --- -Detailed Information: -This rule tracks the bit combination which may occur in network packets aimed at overflowing Sparc Solaris/SunOS network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system. - -A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule. - --- -Attack Scenarios: -An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target. - --- -Ease of Attack: -Simple - - --- -False Positives: -This event may be generated by legitimate traffic to the specified port. - - --- -False Negatives: -This event is specific to the shell code defined in the rule. -Other shell code sequences may not be detected. - --- -Corrective Action: -Check the target host for other signs of compromise. - -Look for other events concerning the target host. - -Apply vendor supplied patches and keep the operating system up to date. - --- -Contributors: -Original Rule Writer Unkown -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS355 - --- diff -Nru snort-2.8.5.2/doc/signatures/647.txt snort-2.9.2/doc/signatures/647.txt --- snort-2.8.5.2/doc/signatures/647.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/647.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -647 - --- -Summary: -This event is generated when suspicious shell code is detected in -network traffic. - --- -Impact: -Denial of Service (DoS) possible execution of arbitrary code. - --- -Detailed Information: -This event is generated when suspicious shell code is detected. Many -buffer overflow attacks contain large numbers of NOOP instrucions to pad -out the request. Other attacks contain specific shell code sequences -directed at certain applications or services. - -The shellcode in question may also use Unicode encoding. - --- -Affected Systems: - Any software running on x86 architecture. - --- -Attack Scenarios: -An attacker may exploit a DCERPC service by sending shellcode in the RPC -data stream. Sending large amounts of data to the Microsoft Workstation -service can cause a buffer overflow condition in the logging function -thus presenting an attacker with the opportunity to issue a DoS attack -or in some cases, to execute code of their choosing. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -False positives may be generated by binary file transfers. - --- -False Negatives: -None known - --- -Corrective Action: -Make sure the target host has all current patches applied and has the -latest software versions installed. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/648.txt snort-2.9.2/doc/signatures/648.txt --- snort-2.8.5.2/doc/signatures/648.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/648.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,77 +0,0 @@ -Rule: --- -Sid: -648 - --- -Summary: -A series of NOP instructions for Intel's x86 architecure was detected. - --- -Impact: -As part of an attack on a remote service, an attacker may attempt to -take advantage of insecure coding practices in hopes of executing -arbitrary code. This procedure generally makes use of NOPs. - --- -Detailed Information: -The NOP allows an attacker to fill an address space with a large -number of NOPs followed by his or her code of choice. This allows -"sledding" into the attackers shellcode. - --- -Affected Systems: - All x86 based systems - --- -Attack Scenarios: -If a particular service was written using unsafe functions without -bounds checking (strcpy(), strcat(), sprintf() etc...), it is possible -to write arbitrary data to the address space of the service. -Normally, this may just cause the program to die a horrible death. -However, if you can get the return address to point to the beginning -of the newly written data, it is possible to execute code of your -choice. This requires that the newly written data is actual -executable data. Since calculating exactly where the return address -may point to is no small task, a popular technique is to pad the space -leading up to your shellcode with NOPs. This way, if the return -address points anywhere in the series of NOPS, execution will slide -down into your shellcode. - --- -Ease of Attack: -Not-so trivial. This particular technique requires a knowledge of x86 -assembly coding, memory, and usually an intimate understanding of the -code that one is attempting to exploit. Unfortunately, there are -hundreds upon hundreds of canned exploits that nearly anyone with the -ability point-and-click can use and wreak havok with. - --- -False Positives: -The x86 NOP can frequently be found in day-to-day traffic, -particularly when transfering large files. - --- -False Negatives: -There are other techniques to emulate a NOP. 
Additionally, if -the attackers NOP sled is small enough (< 15), this particular attack -may slip by. Fortunately, NOP sleds are generally quite large. - --- -Corrective Action: -Determine if this NOP was part of an attack or simply part of an -innocent stream of data. - --- -Contributors: -Original rule writer unknown -Original document author unkown -Sourcefire Vulnerability Research Team -Nigel Houghton -Jon Hart - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/649.txt snort-2.9.2/doc/signatures/649.txt --- snort-2.8.5.2/doc/signatures/649.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/649.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,78 +0,0 @@ -Rule: --- -Sid: -649 --- -Summary: -Shellcode to set the group identity to 0 (root) was detected. - --- -Impact: -If this code is executed successfully, it is possible for the current -process to inherity root group privledges. - - --- -Detailed Information: -Snort detected data resembling the x86 assembly code to change the -group identity to 0. - - --- -Affected Systems: - --- -Attack Scenarios: -As part of an attack on a remote service, an attacker may attempt to -take advantage of insecure coding practices and execute code of his or -her choosing through techniques known as 'buffer-overflows', -'format-strings' and others. Such attacks may contain code to change -the identity of the current group to that of the root group (setgid -0). - --- -Ease of Attack: -Non-trivial. Shellcode (and just x86 assembly code in general) -requires a fairly intimate knowledge of computer architecture, memory -structures, and many concepts that are part of the more arcane areas -of computing. Furthermore, if this was in fact an attack, the -attacker needs to have a good idea of the design of the both the -program and the system that he or she is attacking. The x86 setgid -call itself is not particularly difficult, and by itself is not -harmful. However, combined with other carefuly aimed shellcode, it -can be quite lethal. - --- -False Positives: -Fairly high. Large binary transfers, certain web traffic, and even -mail traffic can trigger this rule, but are not necessarily indicative -of actual setgid code. - --- -False Negatives: -None Known - --- -Corrective Action: -Determine what stream of traffic generated this particular alert. If -you only have the alert but not the entire packet, examine system for -pecularities. 
If you are smart and have the entire packet (or better -yet, all your traffic for the past n hours), attempt to determine if -this particular sequence of characters was part of an innocent stream -of data (large binary transfers, for example) or part of a malicious -act against your machine. In either case, check for other activity -from the host in question -- both currently collected traffic and -traffic in the future. - --- -Contributors: -Original rule writer unknown -Original document author unkown -Sourcefire Vulnerability Research Team -Nigel Houghton -Jon Hart - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/650.txt snort-2.9.2/doc/signatures/650.txt --- snort-2.8.5.2/doc/signatures/650.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/650.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,82 +0,0 @@ -Rule: --- -Sid: -650 - --- -Summary: -Shellcode to set the user identity to 0 (root) was detected. - --- -Impact: -If this code is executed successfully, it is possible for the current -process to inherity root privledges. However, setuid(2) requires root -privledges to be executed in the first place if the current uid is -attempting to get a higher priviledge level. - --- -Detailed Information: -Snort detected data resembling the x86 assembly code to change the -user identity to 0. - - --- -Affected Systems: - --- -Attack Scenarios: -As part of an attack on a remote service, an attacker may attempt to -take advantage of insecure coding practices and execute code of his or -her choosing through techniques known as 'buffer-overflows', -'format-strings' and others. Such attacks may contain code to change -the identity of the current user to that of the root account (setuid -0). - --- -Ease of Attack: -Non-trivial. Shellcode (and just x86 assembly code in general) -requires a fairly intimate knowledge of computer architecture, memory -structures, and many concepts that are part of the more arcane areas -of computing. Furthermore, if this was in fact an attack, the -attacker needs to have a good idea of the design of the both the -program and the system that he or she is attacking. The x86 setuid -call itself is not particularly difficult, and by itself is not -harmful. However, combined with other carefuly aimed shellcode, it -can be quite lethal. - --- -False Positives: -None Known -Fairly high. Large binary transfers, certain web traffic, and even -mail traffic can trigger this rule, but are not necessarily indicative -of actualy setuid code. - --- -False Negatives: -None Known -Unknown, but probably possible. - --- -Corrective Action: -Determine what stream of traffic generated this particular alert. If -you only have the alert but not the entire packet, examine system for -pecularities. 
If you are smart and have the entire packet (or better -yet, all your traffic for the past n hours), attempt to determine if -this particular sequence of characters was part of an innocent stream -of data (large binary transfers, for example) or part of a malicious -act against your machine. In either case, check for other activity -from the host in question -- both currently collected traffic and -traffic in the future. - --- -Contributors: -Original rule writer unknown -Original document author unkown -Sourcefire Vulnerability Research Team -Nigel Houghton -Jon Hart - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/651.txt snort-2.9.2/doc/signatures/651.txt --- snort-2.8.5.2/doc/signatures/651.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/651.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ -Rule: --- -Sid: -651 - --- -Summary: -Binary data in the packet matched one kind of byte sequence used as filler in buffer overflow attacks. - --- -Impact: -It is possible someone was attempting a buffer overflow to gain unauthorized access to one of your servers. - --- -Detailed Information: -This rule triggers when a binary pattern appears in the packet contents which matches one form of filler-bytes used in buffer overflow attacks. Buffer overflows allow execution of arbitrary code with the privlege level of the affected server process. A very detailed discussion of how basic buffer overflows work can be found in the text of "Smashing the stack for fun and profit" by Aleph One in Phrack #49. - --- -Affected Systems: - --- -Attack Scenarios: -If the attacker suspects you have a server which is vulnerable to buffer overflow, they will attempt to exploit this vulnerability to gain access. - - --- -Ease of Attack: -Tools that use buffer overflows with stealth nop are widely available. - --- -False Positives: -This byte pattern can naturally occur in almost any binary data, so file downloads, streaming media, etc can cause this to false positive. If this traffic appears to be coming from a web or ftp server outside your network to one of your client machines, it is likely a false alert caused by someone downloading a binary file. If this was directed at a port on one of your machines which is running a server process, you may want to check to see if it has been exploited. 
- --- -False Negatives: -None Known - --- -Corrective Action: - --- -Contributors: -Original rule writer unknown -Original document author unkown -Sourcefire Vulnerability Research Team -Nigel Houghton -Matt Kettler mkettler@evi-inc.com Initial Research -Josh Gray Edits - --- -Additional References: -http://online.securityfocus.com/library/14 - - --- diff -Nru snort-2.8.5.2/doc/signatures/652.txt snort-2.9.2/doc/signatures/652.txt --- snort-2.8.5.2/doc/signatures/652.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/652.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -652 - --- -Summary: -This event is generated when suspicious shell code is detected in -network traffic. - --- -Impact: -Denial of Service (DoS) possible execution of arbitrary code. - --- -Detailed Information: -This event is generated when suspicious shell code is detected. Many -buffer overflow attacks contain large numbers of NOOP instrucions to pad -out the request. Other attacks contain specific shell code sequences -directed at certain applications or services. - -The shellcode in question may also use Unicode encoding. - --- -Affected Systems: - Any software running on x86 architecture. - --- -Attack Scenarios: -An attacker may exploit a DCERPC service by sending shellcode in the RPC -data stream. Sending large amounts of data to the Microsoft Workstation -service can cause a buffer overflow condition in the logging function -thus presenting an attacker with the opportunity to issue a DoS attack -or in some cases, to execute code of their choosing. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -False positives may be generated by binary file transfers. - --- -False Negatives: -None known - --- -Corrective Action: -Make sure the target host has all current patches applied and has the -latest software versions installed. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/653.txt snort-2.9.2/doc/signatures/653.txt --- snort-2.8.5.2/doc/signatures/653.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/653.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -653 - --- -Summary: -This event is generated when suspicious shell code is detected in -network traffic. - --- -Impact: -Denial of Service (DoS) possible execution of arbitrary code. - --- -Detailed Information: -This event is generated when suspicious shell code is detected. Many -buffer overflow attacks contain large numbers of NOOP instrucions to pad -out the request. Other attacks contain specific shell code sequences -directed at certain applications or services. - -The shellcode in question may also use Unicode encoding. - --- -Affected Systems: - Any software running on x86 architecture. - --- -Attack Scenarios: -An attacker may exploit a DCERPC service by sending shellcode in the RPC -data stream. Sending large amounts of data to the Microsoft Workstation -service can cause a buffer overflow condition in the logging function -thus presenting an attacker with the opportunity to issue a DoS attack -or in some cases, to execute code of their choosing. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -False positives may be generated by binary file transfers. - --- -False Negatives: -None known - --- -Corrective Action: -Make sure the target host has all current patches applied and has the -latest software versions installed. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/654.txt snort-2.9.2/doc/signatures/654.txt --- snort-2.8.5.2/doc/signatures/654.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/654.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@ -Rule: --- -Sid: -654 - --- -Summary: -When connecting to port 25 (SMTP) on a computer running a vunarable SMTP server it is possible to perform a DoS attack. In some cases it might be possible to perform a security breach as well. - --- -Impact: -Depending on the vunerable software you may need to restart the SMTP server or perform some level of incident response. - --- -Detailed Information: -Vulnerable systems: - Avirt Mail 4.0 (build 4124) - Avirt Mail 4.2 (build 4807) - PakMail SMTP/POP3 - Netscape Messaging Server 3.54/3.55/3.6 - -More details can be found on the various sites listed below as the impact and details vary from system to system. - --- -Affected Systems: - --- -Attack Scenarios: -Supply a large amount of data after the RCPT TO: header in your SMTP flow. - --- -Ease of Attack: -DoS: rather easy -Security breach: probably hard - --- -False Positives: -These will occur rather frequently with the given rule. They are most common when subscribed to mailinglists. - --- -False Negatives: -None Known - - --- -Corrective Action: -Upgrade software according to the instructions of your software manufacturer. - --- -Contributors: -Original rule writer unknown -Original document author unkown -Sourcefire Vulnerability Research Team -Nigel Houghton -Hugo van der Kooij -Josh Gray Edits - --- -Additional References: -http://www.securiteam.com/exploits/6C00O1F00Y.html -http://www.synnergy.net/downloads/advisories/SLA-2000-01.pakmail.txt -http://online.securityfocus.com/bid/748 - --- diff -Nru snort-2.8.5.2/doc/signatures/655.txt snort-2.9.2/doc/signatures/655.txt --- snort-2.8.5.2/doc/signatures/655.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/655.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,57 +0,0 @@ -Rule: - --- -Sid: -655 - --- -Summary: -This event is generated when a buffer overflow is attempted on a Sendmail 8.6.9 server. - --- -Impact: -Attempted administrator access. A successful buffer overflow attack can allow a remote attacker access to the Sendmail server at the privilege level of the user ID associated with Sendmail. - --- -Detailed Information: -A vulnerability exists in Sendmail version 8.6.9 that can be exploited by a buffer overflow attack. This allows the attacker access to the Sendmail server at the privilege level of the user ID associated with Sendmail. This attack can occur when a Sendmail server connects back to the ident service of the client requesting the Sendmail connection. Because it is improperly validated by the Sendmail server, a malicious response can cause a buffer overflow. - --- -Affected Systems: -Sendmail version 8.6.9. - --- -Attack Scenarios: -An attacker can request a connection to a Sendmail server, listen for the request for the ident service, and respond with a malicious payload to exploit the vulnerability. - --- -Ease of Attack: -Easy. Exploit code is available. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Apply the appropriate patch or upgrade to a Sendmail version greater than 8.6.9. - --- -Contributors: -Original rule written by Max Vision -Rule updated by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0204 - - --- diff -Nru snort-2.8.5.2/doc/signatures/657.txt snort-2.9.2/doc/signatures/657.txt --- snort-2.8.5.2/doc/signatures/657.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/657.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ -Rule: - --- -Sid: -657 - --- -Summary: -This event is generated when an external user sends a HELP command with specific syntax to an internal SMTP server, which may indicate an attempt to exploit a buffer overflow vulnerability in NetManage Chameleon SMTP server. - --- -Impact: -Severe. Remote execution of arbitrary code, leading to remote root compromise. - --- -Detailed Information: -NetManage Chameleon SMTP server contains a buffer overflow vulnerability in the HELP command. If the HELP command is used with an argument longer than 514 characters, a buffer overflow condition occurs, allowing the execution of arbitrary code. - --- -Affected Systems: -Systems running NetManage Chameleon Unix 97 or NetManage Chameleon 4.5. - --- -Attack Scenarios: -An attacker sends an overly long string to a vulnerable NetManage Chameleon SMTP server in the HELP command. This causes a buffer overflow condition, allowing the attacker to execute arbitrary code on the server and obtain root privileges on the mail server. - --- -Ease of Attack: -Simple. - --- -alse Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest version of NetManage Chameleon SMTP server. - --- -Contributors: -Original rule writer unknown -Modified by Brian Caswell -Sourcefire Research Team -Sourcefire Technical Publications Team -Jen Harvey - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/658.txt snort-2.9.2/doc/signatures/658.txt --- snort-2.8.5.2/doc/signatures/658.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/658.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: -658 - --- -Summary: -This event is generated when a denial of service is attempted on a Microsoft Exchange mail server. - --- -Impact: -Denial of service. This will cause the Exchange server to fail. - --- -Detailed Information: -A vulnerability exists in Microsoft Exchange 5.5 that causes a denial of service if a MIME header contains the string 'charset = ""'. The Exchange server does not properly handle this MIME header string, causing it to crash. - --- -Affected Systems: -Microsoft Exchange server 5.5 - --- -Attack Scenarios: -An attacker can supply a malicious string in the MIME header causing the Exchange server to fail. - --- -Ease of Attack: -Easy. An attacker can telnet to port 25 of the Exchange server, start a dialogue with the server, and supply the malicious string in the MIME header. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Apply the appropriate patch or upgrade to Exchange 5.5 service Pack 4. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Microsoft: -http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-082.asp - -Miscellaneous: -http://packetstormsecurity.nl/0011-exploits/exchange.dos.txt - - --- diff -Nru snort-2.8.5.2/doc/signatures/659.txt snort-2.9.2/doc/signatures/659.txt --- snort-2.8.5.2/doc/signatures/659.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/659.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,54 +0,0 @@ -Rule: --- -Sid: -659 - --- -Summary: -This event is generated when a probe is sent to an SMTP server to determine if the decode alias is supported. - --- -Impact: -Intelligence gathering activity. This event could be an indication of reconnaissance or an actual attempt to overwrite a sensitive file. If the decode alias is present on the SMTP server, an attacker may use it to overwrite files. - --- -Detailed Information: -The decode alias was included to allow email to be sent to a username of decode to process the email content through the uudecode program. A malicious user could attempt to email a uuencoded file that would overwrite an existing sensitive file. - --- -Affected Systems: -Older UNIX Sendmail versions (~1990-1996) - --- -Attack Scenarios: -An attacker can email a uuencoded file to the decode username to overwrite an existing sensitive file. - --- -Ease of Attack: -Simple. Send email containing a uuencoded file to the username decode to overwrite an existing sensitive file. --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Remove decode in /etc/aliases. - --- -Contributors: -Original rule written by Max Vision -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS32 - - --- diff -Nru snort-2.8.5.2/doc/signatures/660.txt snort-2.9.2/doc/signatures/660.txt --- snort-2.8.5.2/doc/signatures/660.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/660.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ - --- -Sid: -660 - --- -Summary: -This event is generated when an attempt is made to expand the alias of root on a Sendmail server. - --- -Impact: -Reconnaissance. This is an attempt to discover email addresses associated with the alias of root for a Sendmail server. - --- -Detailed Information: -An attacker may probe for email addresses associated with the alias of root on a Sendmail server. The "expn" command expands the alias into a list of actual recipients associated with the alias. This command can be used to determine who reads the mail sent to the administrator. It may be used by spammers to get valid email accounts or may be used to discover valid accounts on the Sendmail server. - --- -Affected Systems: -Versions of Sendmail that do not disable expn. - --- -Attack Scenarios: -An attacker can telnet to the Sendmail server and issue the command "expn root" to gather email addresses associated with the alias of root. - --- -Ease of Attack: -Easy. Telnet to the Sendmail server and issue the command "expn root". - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Edit the /etc/sendmail.cf file to disable expn by setting PrivacyOptions=noexpn. - --- -Contributors: -Original rule written by Max Vision -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS31 - - --- diff -Nru snort-2.8.5.2/doc/signatures/661.txt snort-2.9.2/doc/signatures/661.txt --- snort-2.8.5.2/doc/signatures/661.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/661.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -661 - --- -Summary: -This event is generated when an attempt is made to exploit a problem with Majordomo software that allows arbitrary commands to be executed on the server. - --- -Impact: -Attempted administrator access. This is an attempt to execute a command on a server where Majordomo is installed. - --- -Detailed Information: -Majordomo is an application that automates mailing list management. An input validation error allows attackers to use a malformed email header as a command that will be executed on the host. To be vulnerable, the server must use a list or a hidden list and the configuration file must specify an advertise or noadvertise option. This has been documented as either a local or remote attack on the host. - --- -Affected Systems: -Majordomo versions up to and including 1.94.4. - --- -Attack Scenarios: -An attacker can send a malformed e-mail header to the Majordomo host. The host executes a command that facilitates access to the host. - - --- -Ease of Attack: -Simple. Use an appropriate malformed header and supply a command that enables access to the host. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Upgrade to Majordomo version 1.94.5 or higher. --- -Contributors: -Original rule written by Max Vision -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Bugtraq: -http://www.securityfocus.com/bid/2310 - -Arachnids: -http://www.whitehats.com/info/IDS143 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0207 - - --- diff -Nru snort-2.8.5.2/doc/signatures/662.txt snort-2.9.2/doc/signatures/662.txt --- snort-2.8.5.2/doc/signatures/662.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/662.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -662 - --- -Summary: -This event is generated when maliciously formatted "mail from" text is supplied. - --- -Impact: -Attempted administrator access. A successful attack can allow remote execution of commands with root privileges. - --- -Detailed Information: -A vulnerability exists in older versions of Sendmail that incorrectly parses message headers. This vulnerability can allow anattacker to execute arbitrary commands as root. - --- -Affected Systems: -Sendmail versions prior to 8.6.10 and any version based on 5.x. - --- -Attack Scenarios: -An attacker can craft a malicious mail header that executes a command. - --- -Ease of Attack: -Easy. Use a maliciously formatted header. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Upgrade to version 8.6.10 or higher of Sendmail. - --- -Contributors: -Original rule written by Max Vision -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Bugtraq: -http://www.securityfocus.com/bid/2308 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0203 - -Arachnids: -http://www.whitehats.com/info/IDS119 - - --- diff -Nru snort-2.8.5.2/doc/signatures/663.txt snort-2.9.2/doc/signatures/663.txt --- snort-2.8.5.2/doc/signatures/663.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/663.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-663
-
---
-Summary:
-This event is generated when the string "|sed -e '1,/^$/'" is found in the payload of a packet sent to a Sendmail server. This may be an attempt to exploit a problem in older versions of Sendmail.
-
---
-Impact:
-Attempted administrator access. A successful attack can allow remote execution of commands at the privilege level of Sendmail, usually root.
-
---
-Detailed Information:
-A vulnerability exists in older versions of Sendmail associated with the debug mode. Malformed text specifying the recipient could be a command that would execute at the privilege level of Sendmail, often times root. The "sed" command is used to strip off the mail headers before executing the supplied command. This vulnerability was exploited by the Morris worm.
-
---
-Affected Systems:
-Sendmail versions prior to 5.5.9.
-
---
-Attack Scenarios:
-An attacker can craft a recipient name that is a command. This command executes arbitrary code on the server.
-
---
-Ease of Attack:
-Easy. An attacker can telnet to port 25 of a vulnerable server, enter debug mode, and craft a malicious recipient containing a command to be executed.
-
---
-False Positives:
-It is possible that this event may be generated by text in the DATA section of a pipelined SMTP transaction.
-
---
-False Negatives:
-This rule generates an event based on a specific string in the packet payload. An attacker could craft payloads with other malicious commands.
-
---
-Corrective Action:
-Upgrade to Sendmail version 5.5.9 or higher.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/1
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0095
-
-Arachnids:
-http://www.whitehats.com/info/IDS172
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/664.txt snort-2.9.2/doc/signatures/664.txt
--- snort-2.8.5.2/doc/signatures/664.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/664.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-664
-
---
-Summary:
-This event is generated when maliciously formatted "rcpt to" text is supplied to Sendmail.
-
---
-Impact:
-Attempted administrator access. A successful attack can allow remote execution of commands with root privleges.
-
---
-Detailed Information:
-A vulnerability exists in older versions of Sendmail that incorrectly parses message headers. This can allow a malicious user to execute arbitrary commands as root.
-
---
-Affected Systems:
-Sendmail versions prior to 8.6.10 and any version based on 5.x.
-
---
-Attack Scenarios:
-An attacker can craft a malicious mail header that executes a command.
-
---
-Ease of Attack:
-Easy. Use a maliciously formatted header.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to version 8.6.10 or higher of Sendmail.
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/2308
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0203
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/665.txt snort-2.9.2/doc/signatures/665.txt
--- snort-2.8.5.2/doc/signatures/665.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/665.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-665
-
---
-Summary:
-This event is generated when a remote user attempts to exploit a Sendmail vulnerability where a remote user can execute arbitrary code on an server running older versions of Sendmail.
-
---
-Impact:
-Severe. Remote execution of arbitrary code, leading to remote root compromise.
-
---
-Detailed Information:
-Earlier versions of Sendmail contain a vulnerability in message header parsing. This vulnerability can be exploited by a remote user who sends an email message with a malformed MAIL FROM value to a vulnerable Sendmail implementation. The server then executes any arbitrary shell code included in the text of the email.
-
---
-Affected Systems:
-Systems running Sendmail versions lower than 8.6.10.
-
---
-Attack Scenarios:
-An attacker sends an email using |usr/bin/tail|usr/bin/sh as the MAIL FROM value. Arbitrary shell code placed in the text of the email message is executed by the mail server with the security context of Sendmail.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to Sendmail version 8.6.10 or higher.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0203
-
-Bugtraq
-http://www.securityfocus.com/bid/2308
-
-CERT
-http://www.cert.org/advisories/CA-1995-08.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/667.txt snort-2.9.2/doc/signatures/667.txt
--- snort-2.8.5.2/doc/signatures/667.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/667.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-667
-
---
-Summary:
-This event is generated when an external attacker attempts to exploit a vulnerability in Sendmail where newline characters in ident messages are not properly parsed.
-
---
-Impact:
-Severe. Remote execution of arbitrary code, leading to remote root compromise.
-
---
-Detailed Information:
-Sendmail 8.6.10 and earlier versions contain a vulnerability related to the parsing of newline characters (\n) in commands passed from ident to Sendmail. An attacker can use a specially crafted command with newlines in an ident response to Sendmail. The message is not properly parsed and Sendmail forwards the response, with included commands, to its queue. The commands are then executed while the message awaits delivery in the Sendmail queue, causing the included arbitrary code to be executed on the server in the security context of Sendmail.
-
---
-Affected Systems:
-Systems running unpatched versions of Sendmail 8.6.10 or earlier.
-
---
-Attack Scenarios:
-An attacker sends an email with newline characters and includes a path variable of P=/bin/sh. Directives included in the transmission are executed while the message remains in the Sendmail queue.
-
---
-Ease of Attack:
-Moderate. Multiple exploits exist, but the window of opportunity is small; the vulnerability must be exploited while the message is queued for delivery and must have sufficient time (the mail server must be busy/slow) to execute the commands.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest version of Sendmail.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0204
-
-Bugtraq
-http://www.securityfocus.com/bid/2311
-
---
diff -Nru snort-2.8.5.2/doc/signatures/668.txt snort-2.9.2/doc/signatures/668.txt
--- snort-2.8.5.2/doc/signatures/668.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/668.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-668
-
---
-Summary:
-This event is generated when an external attacker attempts to exploit a vulnerability in Sendmail, where tab characters in ident messages are not properly parsed.
-
---
-Impact:
-Severe. Remote execution of arbitrary code, leading to remote root compromise.
-
---
-Detailed Information:
-Sendmail 8.6.10 and earlier versions contain a vulnerability related to the parsing of tab characters in commands passed from ident to Sendmail. An attacker can use a specially crafted command with tabs in an ident response to Sendmail. The message is not properly parsed and Sendmail forwards the response, with included commands, to its queue. The commands are then executed while the message awaits delivery in the Sendmail queue, causing the included arbitrary code to be executed on the server in the security context of Sendmail.
-
---
-Affected Systems:
-Systems running unpatched versions of Sendmail 8.6.10 or earlier.
-
---
-Attack Scenarios:
-An attacker sends an email with tab characters and includes a path variable of P=/bin/sh. Directives included in the transmission are executed while the message remains in the Sendmail queue.
-
---
-Ease of Attack:
-Moderate. Multiple exploits exist, but the window of opportunity is small; the vulnerability must be exploited while the message is queued for delivery and must have sufficient time (the mail server must be busy/slow) to execute the commands.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest version of Sendmail.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0203
-
-Bugtraq
-http://www.securityfocus.com/bid/2311
-
---
diff -Nru snort-2.8.5.2/doc/signatures/669.txt snort-2.9.2/doc/signatures/669.txt
--- snort-2.8.5.2/doc/signatures/669.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/669.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-669
-
---
-Summary:
-This event is generated when an external attacker attempts to exploit a vulnerability in Sendmail, where linefeed characters in ident messages are not properly parsed.
-
---
-Impact:
-Severe. Remote execution of arbitrary code, leading to remote root compromise.
-
---
-Detailed Information:
-Sendmail 8.6.10 and earlier versions contain a vulnerability related to the parsing of linefeed characters in commands passed from ident to Sendmail. An attacker can use a specially crafted command with linefeeds in an ident response to Sendmail. The message is not properly parsed and Sendmail forwards the response, with included commands, to its queue. The commands are then executed while the message awaits delivery in the Sendmail queue, causing the included arbitrary code to be executed on the server in the security context of Sendmail.
-
---
-Affected Systems:
-Systems running unpatched versions of Sendmail 8.6.10 or earlier.
-
---
-Attack Scenarios:
-An attacker sends an email with linefeed characters and includes a path variable of P=/bin/sh. Directives included in the transmission are executed while the message remains in the Sendmail queue.
-
---
-Ease of Attack:
-Moderate. Multiple exploits exist, but the window of opportunity is small; the vulnerability must be exploited while the message is queued for delivery and must have sufficient time (the mail server must be busy/slow) to execute the commands.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest version of Sendmail.
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0204
-
-Bugtraq
-http://www.securityfocus.com/bid/2311
-
---
diff -Nru snort-2.8.5.2/doc/signatures/670.txt snort-2.9.2/doc/signatures/670.txt
--- snort-2.8.5.2/doc/signatures/670.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/670.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-670
-
---
-Summary:
-This event is generated when an external attacker attempts to use a specific exploit against Sendmail that allows the attacker to execute remote commands on the server, and to email files from the server to a remote email account.
-
---
-Impact:
-Severe. Remote execution of arbitrary code, possibly leading to remote root compromise, or at the very least, information disclosure.
-
---
-Detailed Information:
-Sendmail 8.6.9 and earlier contain a vulnerability related to the parsing of commands passed from ident to Sendmail. An attacker can use a specific exploit to send a message through the mail server. The message is not properly parsed and Sendmail forwards the response, with included commands, to its queue. The commands are then executed while the message awaits delivery in the Sendmail queue, causing the included arbitrary code to be executed on the server in the security context of Sendmail. The exploit in question allows the attacker to execute commands to email files from the server to a remote email account.
-
---
-Affected Systems:
-Systems running unpatched versions of Sendmail 8.6.9 or earlier.
-
---
-Attack Scenarios:
-An attacker sends an email generated by the exploit, and customizes it to mail the server's password file to a remote email account. The attacker then cracks the passwords in the password file and is able to access the server directly.
-
---
-Ease of Attack:
-Simple. An exploit exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to Sendmail 8.6.10 or higher.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0204
-
-Bugtraq
-http://www.securityfocus.com/bid/2311
-
---
diff -Nru snort-2.8.5.2/doc/signatures/671.txt snort-2.9.2/doc/signatures/671.txt
--- snort-2.8.5.2/doc/signatures/671.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/671.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-671
-
---
-Summary:
-This event is generated when an external attacker attempts to exploit a vulnerability in Sendmail, where unexpected characters in ident messages are not properly parsed.
-
---
-Impact:
-Severe. Remote execution of arbitrary code, leading to remote root compromise.
-
---
-Detailed Information:
-Sendmail 8.6.10 and earlier versions contain a vulnerability related to the parsing of unexpected characters (in this case, newline characters and a carriage return) in commands passed from ident to Sendmail. An attacker can use a specially crafted command with unexpected characters in an ident response to Sendmail. The message is not properly parsed and Sendmail forwards the response, with included commands, to its queue. The commands are then executed while the message awaits delivery in the Sendmail queue, causing the included arbitrary code to be executed on the server in the security context of Sendmail.
-
---
-Affected Systems:
-Systems running unpatched versions of Sendmail 8.6.10 or earlier.
-
---
-Attack Scenarios:
-An attacker sends an email with newline characters and a carriage return, including a path variable of P=/bin/sh. Directives included in the transmission are executed while the message remains in the Sendmail queue.
-
---
-Ease of Attack:
-Moderate. Multiple exploits exist, but the window of opportunity is small; the vulnerability must be exploited while the message is queued for delivery and must have sufficient time (the mail server must be busy/slow) to execute the commands.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest version of Sendmail.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0204
-
-Bugtraq
-http://www.securityfocus.com/bid/2311
-
---
diff -Nru snort-2.8.5.2/doc/signatures/672.txt snort-2.9.2/doc/signatures/672.txt
--- snort-2.8.5.2/doc/signatures/672.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/672.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-672
-
---
-Summary:
-This event is generated when a remote user attempts to scan for a vulnerability in the VRFY command on internal SMTP servers.
-
---
-Impact:
-Information gathering, possibly leading to a future attack and system compromise.
-
---
-Detailed Information:
-If the decode alias on the Sendmail server is enabled, an attacker may be able to send messages to the decode alias email address, creating or overwriting files on the server. Vulnerability scanners use the "vrfy decode" command to verify that a decode alias is enabled.
-
---
-Affected Systems:
-Systems running Sendmail.
-
---
-Attack Scenarios:
-An attacker scans the server to determine that the decode alias exists. The attacker then sends an email address to the decode alias on the server, with directives to overwrite or create files on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disable the decode alias by commenting out the "decode |/usr/bin/uudecode" line in your Sendmail aliases file.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0096
-
---
diff -Nru snort-2.8.5.2/doc/signatures/673.txt snort-2.9.2/doc/signatures/673.txt
--- snort-2.8.5.2/doc/signatures/673.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/673.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database
-server that may result in a serious compromise of the data stored on
-that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an
-SQL database that may result in a serious compromise of all data stored
-on that system.
-
-Such commands may be used to gain access to a system with the privileges
-of an administrator, delete data, add data, add users, delete users,
-return sensitive information or gain intelligence on the server software
-for further system compromise.
-
-This connection can either be a legitimate telnet connection or the
-result of spawning a remote shell as a consequence of a successful
-network exploit.
-
---
-
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and
-issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the
-protected network.
-
-Ensure that this event was not generated by a legitimate session then
-investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-NGSSoftware Advisory:
-http://www.nextgenss.com/advisories/mssql-jobs2.txt
-
---
diff -Nru snort-2.8.5.2/doc/signatures/674.txt snort-2.9.2/doc/signatures/674.txt
--- snort-2.8.5.2/doc/signatures/674.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/674.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-674
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft SQL.
-
---
-Impact:
-Information gathering and data integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to an implementation of Microsoft SQL server or client. This can
-lead to unauthorized access and possibly escalated privileges to that of
-the administrator. Data stored on the machine can be compromised and
-trust relationships between the victim server and other hosts can be
-exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/675.txt snort-2.9.2/doc/signatures/675.txt
--- snort-2.8.5.2/doc/signatures/675.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/675.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-675
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft SQL.
-
---
-Impact:
-Information gathering and data integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to an implementation of Microsoft SQL server or client. This can
-lead to unauthorized access and possibly escalated privileges to that of
-the administrator. Data stored on the machine can be compromised and
-trust relationships between the victim server and other hosts can be
-exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/676.txt snort-2.9.2/doc/signatures/676.txt
--- snort-2.8.5.2/doc/signatures/676.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/676.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database
-server that may result in a serious compromise of the data stored on
-that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an
-SQL database that may result in a serious compromise of all data stored
-on that system.
-
-Such commands may be used to gain access to a system with the privileges
-of an administrator, delete data, add data, add users, delete users,
-return sensitive information or gain intelligence on the server software
-for further system compromise.
-
-This connection can either be a legitimate telnet connection or the
-result of spawning a remote shell as a consequence of a successful
-network exploit.
-
---
-
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and
-issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the
-protected network.
-
-Ensure that this event was not generated by a legitimate session then
-investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-NGSSoftware Advisory:
-http://www.nextgenss.com/advisories/mssql-jobs2.txt
-
---
diff -Nru snort-2.8.5.2/doc/signatures/677.txt snort-2.9.2/doc/signatures/677.txt
--- snort-2.8.5.2/doc/signatures/677.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/677.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,76 +0,0 @@
-Rule:
-
---
-Sid:
-677
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database
-server that may result in a serious compromise of the data stored on
-that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an
-SQL database that may result in a serious compromise of all data stored
-on that system.
-
-Such commands may be used to gain access to a system with the privileges
-of an administrator, delete data, add data, add users, delete users,
-return sensitive information or gain intelligence on the server software
-for further system compromise.
-
-This connection can either be a legitimate telnet connection or the
-result of spawning a remote shell as a consequence of a successful
-network exploit.
-
---
-
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and
-issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the
-protected network.
-
-Ensure that this event was not generated by a legitimate session then
-investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft MSDN:
-http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_sp_pa-pz_5x44.asp
-
---
diff -Nru snort-2.8.5.2/doc/signatures/678.txt snort-2.9.2/doc/signatures/678.txt
--- snort-2.8.5.2/doc/signatures/678.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/678.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,79 +0,0 @@
-Rule:
-
---
-Sid:
-678
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database
-server that may result in a serious compromise of the data stored on
-that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an
-SQL database that may result in a serious compromise of all data stored
-on that system.
-
-Such commands may be used to gain access to a system with the privileges
-of an administrator, delete data, add data, add users, delete users,
-return sensitive information or gain intelligence on the server software
-for further system compromise.
-
-This connection can either be a legitimate telnet connection or the
-result of spawning a remote shell as a consequence of a successful
-network exploit.
-
---
-Affected Systems:
- Microsoft SQL Servers
-
---
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and
-issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the
-protected network.
-
-Ensure that this event was not generated by a legitimate session then
-investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft MSDN:
-http://msdn.microsoft.com/library/en-us/tsqlref/ts_sp_da-di_8nas.asp
-
---
diff -Nru snort-2.8.5.2/doc/signatures/679.txt snort-2.9.2/doc/signatures/679.txt
--- snort-2.8.5.2/doc/signatures/679.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/679.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,78 +0,0 @@
-Rule:
-
---
-Sid:
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database
-server that may result in a serious compromise of the data stored on
-that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an
-SQL database that may result in a serious compromise of all data stored
-on that system.
-
-Such commands may be used to gain access to a system with the privileges
-of an administrator, delete data, add data, add users, delete users,
-return sensitive information or gain intelligence on the server software
-for further system compromise.
-
-This connection can either be a legitimate telnet connection or the
-result of spawning a remote shell as a consequence of a successful
-network exploit.
-
---
-Affected Systems:
- Microsoft SQL Servers
-
---
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and
-issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the
-protected network.
-
-Ensure that this event was not generated by a legitimate session then
-investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft MSDN:
-http://msdn.microsoft.com/library/en-us/tsqlref/ts_sp_addp_0awi.asp
-
---
diff -Nru snort-2.8.5.2/doc/signatures/680.txt snort-2.9.2/doc/signatures/680.txt
--- snort-2.8.5.2/doc/signatures/680.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/680.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system.
-
-Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
-
-This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
-
---
-
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the protected network.
-
-Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/681.txt snort-2.9.2/doc/signatures/681.txt
--- snort-2.8.5.2/doc/signatures/681.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/681.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,80 +0,0 @@
-Rule:
-
---
-Sid:
-681
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database
-server that may result in a serious compromise of the data stored on
-that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an
-SQL database that may result in a serious compromise of all data stored
-on that system.
-
-Such commands may be used to gain access to a system with the privileges
-of an administrator, delete data, add data, add users, delete users,
-return sensitive information or gain intelligence on the server software
-for further system compromise.
-
-This connection can either be a legitimate telnet connection or the
-result of spawning a remote shell as a consequence of a successful
-network exploit.
-
---
-Affected Systems:
- Microsoft SQL Servers
-
---
-
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and
-issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the
-protected network.
-
-Ensure that this event was not generated by a legitimate session then
-investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft MSDN:
-http://msdn.microsoft.com/library/en-us/tsqlref/ts_xp_aa-sz_4jxo.asp
-
---
diff -Nru snort-2.8.5.2/doc/signatures/682.txt snort-2.9.2/doc/signatures/682.txt
--- snort-2.8.5.2/doc/signatures/682.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/682.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system.
-
-Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
-
-This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
-
---
-
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the protected network.
-
-Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/683.txt snort-2.9.2/doc/signatures/683.txt
--- snort-2.8.5.2/doc/signatures/683.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/683.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,76 +0,0 @@
-Rule:
-
---
-Sid:
-683
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database
-server that may result in a serious compromise of the data stored on
-that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an
-SQL database that may result in a serious compromise of all data stored
-on that system.
-
-Such commands may be used to gain access to a system with the privileges
-of an administrator, delete data, add data, add users, delete users,
-return sensitive information or gain intelligence on the server software
-for further system compromise.
-
-This connection can either be a legitimate telnet connection or the
-result of spawning a remote shell as a consequence of a successful
-network exploit.
-
---
-
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and
-issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the
-protected network.
-
-Ensure that this event was not generated by a legitimate session then
-investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft MSDN:
-http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_sp_pa-pz_5x44.asp
-
---
diff -Nru snort-2.8.5.2/doc/signatures/684.txt snort-2.9.2/doc/signatures/684.txt
--- snort-2.8.5.2/doc/signatures/684.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/684.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,76 +0,0 @@
-Rule:
-
---
-Sid:
-684
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database
-server that may result in a serious compromise of the data stored on
-that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an
-SQL database that may result in a serious compromise of all data stored
-on that system.
-
-Such commands may be used to gain access to a system with the privileges
-of an administrator, delete data, add data, add users, delete users,
-return sensitive information or gain intelligence on the server software
-for further system compromise.
-
-This connection can either be a legitimate telnet connection or the
-result of spawning a remote shell as a consequence of a successful
-network exploit.
-
---
-
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and
-issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the
-protected network.
-
-Ensure that this event was not generated by a legitimate session then
-investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft SQL Command summary:
-http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_sp_da-di_8nas.asp
-
---
diff -Nru snort-2.8.5.2/doc/signatures/685.txt snort-2.9.2/doc/signatures/685.txt
--- snort-2.8.5.2/doc/signatures/685.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/685.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,80 +0,0 @@
-Rule:
-
---
-Sid:
-685
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database
-server that may result in a serious compromise of the data stored on
-that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an
-SQL database that may result in a serious compromise of all data stored
-on that system.
-
-Such commands may be used to gain access to a system with the privileges
-of an administrator, delete data, add data, add users, delete users,
-return sensitive information or gain intelligence on the server software
-for further system compromise.
-
-This connection can either be a legitimate telnet connection or the
-result of spawning a remote shell as a consequence of a successful
-network exploit.
-
---
-Affected Systems:
- Microsoft SQL Servers
-
---
-
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and
-issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the
-protected network.
-
-Ensure that this event was not generated by a legitimate session then
-investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft MSDN:
-http://msdn.microsoft.com/library/en-us/tsqlref/ts_sp_addp_0awi.asp
-
---
diff -Nru snort-2.8.5.2/doc/signatures/686.txt snort-2.9.2/doc/signatures/686.txt
--- snort-2.8.5.2/doc/signatures/686.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/686.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system.
-
-Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
-
-This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
-
---
-
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the protected network.
-
-Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/687.txt snort-2.9.2/doc/signatures/687.txt
--- snort-2.8.5.2/doc/signatures/687.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/687.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database
-server that may result in a serious compromise of the data stored on
-that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an
-SQL database that may result in a serious compromise of all data stored
-on that system.
-
-Such commands may be used to gain access to a system with the privileges
-of an administrator, delete data, add data, add users, delete users,
-return sensitive information or gain intelligence on the server software
-for further system compromise.
-
-This connection can either be a legitimate telnet connection or the
-result of spawning a remote shell as a consequence of a successful
-network exploit.
-
---
-
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and
-issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the
-protected network.
-
-Ensure that this event was not generated by a legitimate session then
-investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CERT:
-http://www.cert.org/incident_notes/IN-2002-04.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/688.txt snort-2.9.2/doc/signatures/688.txt
--- snort-2.8.5.2/doc/signatures/688.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/688.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system.
-
-Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
-
-This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
-
---
-
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the protected network.
-
-Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/689.txt snort-2.9.2/doc/signatures/689.txt
--- snort-2.8.5.2/doc/signatures/689.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/689.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system.
-
-Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
-
-This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
-
---
-
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the protected network.
-
-Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/690.txt snort-2.9.2/doc/signatures/690.txt
--- snort-2.8.5.2/doc/signatures/690.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/690.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-690
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft SQL.
-
---
-Impact:
-Information gathering and data integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to an implementation of Microsoft SQL server or client. This can
-lead to unauthorized access and possibly escalated privileges to that of
-the administrator. Data stored on the machine can be compromised and
-trust relationships between the victim server and other hosts can be
-exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/691.txt snort-2.9.2/doc/signatures/691.txt
--- snort-2.8.5.2/doc/signatures/691.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/691.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system.
-
-Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
-
-This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
-
---
-
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the protected network.
-
-Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/692.txt snort-2.9.2/doc/signatures/692.txt
--- snort-2.8.5.2/doc/signatures/692.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/692.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system.
-
-Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
-
-This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
-
---
-
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the protected network.
-
-Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/693.txt snort-2.9.2/doc/signatures/693.txt
--- snort-2.8.5.2/doc/signatures/693.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/693.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system.
-
-Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
-
-This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
-
---
-
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the protected network.
-
-Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/694.txt snort-2.9.2/doc/signatures/694.txt
--- snort-2.8.5.2/doc/signatures/694.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/694.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system.
-
-Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
-
-This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
-
---
-
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the protected network.
-
-Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/695.txt snort-2.9.2/doc/signatures/695.txt
--- snort-2.8.5.2/doc/signatures/695.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/695.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-695
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft SQL.
-
---
-Impact:
-Information gathering and data integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to an implementation of Microsoft SQL server or client. This can
-lead to unauthorized access and possibly escalated privileges to that of
-the administrator. Data stored on the machine can be compromised and
-trust relationships between the victim server and other hosts can be
-exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/696.txt snort-2.9.2/doc/signatures/696.txt
--- snort-2.8.5.2/doc/signatures/696.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/696.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-696
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft SQL.
-
---
-Impact:
-Information gathering and data integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to an implementation of Microsoft SQL server or client. This can
-lead to unauthorized access and possibly escalated privileges to that of
-the administrator. Data stored on the machine can be compromised and
-trust relationships between the victim server and other hosts can be
-exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/697.txt snort-2.9.2/doc/signatures/697.txt
--- snort-2.8.5.2/doc/signatures/697.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/697.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-697
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft SQL.
-
---
-Impact:
-Information gathering and data integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to an implementation of Microsoft SQL server or client. This can
-lead to unauthorized access and possibly escalated privileges to that of
-the administrator. Data stored on the machine can be compromised and
-trust relationships between the victim server and other hosts can be
-exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/698.txt snort-2.9.2/doc/signatures/698.txt
--- snort-2.8.5.2/doc/signatures/698.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/698.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-698
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft SQL.
-
---
-Impact:
-Information gathering and data integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to an implementation of Microsoft SQL server or client. This can
-lead to unauthorized access and possibly escalated privileges to that of
-the administrator. Data stored on the machine can be compromised and
-trust relationships between the victim server and other hosts can be
-exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/699.txt snort-2.9.2/doc/signatures/699.txt
--- snort-2.8.5.2/doc/signatures/699.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/699.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-699
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft SQL.
-
---
-Impact:
-Information gathering and data integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to an implementation of Microsoft SQL server or client. This can
-lead to unauthorized access and possibly escalated privileges to that of
-the administrator. Data stored on the machine can be compromised and
-trust relationships between the victim server and other hosts can be
-exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/700.txt snort-2.9.2/doc/signatures/700.txt
--- snort-2.8.5.2/doc/signatures/700.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/700.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-700
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft SQL.
-
---
-Impact:
-Information gathering and data integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to an implementation of Microsoft SQL server or client. This can
-lead to unauthorized access and possibly escalated privileges to that of
-the administrator. Data stored on the machine can be compromised and
-trust relationships between the victim server and other hosts can be
-exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/701.txt snort-2.9.2/doc/signatures/701.txt
--- snort-2.8.5.2/doc/signatures/701.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/701.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-701
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft SQL.
-
---
-Impact:
-Information gathering and data integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to an implementation of Microsoft SQL server or client. This can
-lead to unauthorized access and possibly escalated privileges to that of
-the administrator. Data stored on the machine can be compromised and
-trust relationships between the victim server and other hosts can be
-exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/702.txt snort-2.9.2/doc/signatures/702.txt
--- snort-2.8.5.2/doc/signatures/702.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/702.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-702
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft SQL.
-
---
-Impact:
-Information gathering and data integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to an implementation of Microsoft SQL server or client. This can
-lead to unauthorized access and possibly escalated privileges to that of
-the administrator. Data stored on the machine can be compromised and
-trust relationships between the victim server and other hosts can be
-exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/703.txt snort-2.9.2/doc/signatures/703.txt
--- snort-2.8.5.2/doc/signatures/703.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/703.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-703
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft SQL.
-
---
-Impact:
-Information gathering and data integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to an implementation of Microsoft SQL server or client. This can
-lead to unauthorized access and possibly escalated privileges to that of
-the administrator. Data stored on the machine can be compromised and
-trust relationships between the victim server and other hosts can be
-exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/704.txt snort-2.9.2/doc/signatures/704.txt
--- snort-2.8.5.2/doc/signatures/704.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/704.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-704
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft SQL.
-
---
-Impact:
-Information gathering and data integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to an implementation of Microsoft SQL server or client. This can
-lead to unauthorized access and possibly escalated privileges to that of
-the administrator. Data stored on the machine can be compromised and
-trust relationships between the victim server and other hosts can be
-exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/705.txt snort-2.9.2/doc/signatures/705.txt
--- snort-2.8.5.2/doc/signatures/705.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/705.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-705
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft SQL.
-
---
-Impact:
-Information gathering and data integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to an implementation of Microsoft SQL server or client. This can
-lead to unauthorized access and possibly escalated privileges to that of
-the administrator. Data stored on the machine can be compromised and
-trust relationships between the victim server and other hosts can be
-exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/706.txt snort-2.9.2/doc/signatures/706.txt
--- snort-2.8.5.2/doc/signatures/706.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/706.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,79 +0,0 @@
-Rule:
-
---
-Sid:
-
-706
-
---
-Summary:
-This event is generated when an attempt is made to exploit a
-vulnerability in Microsoft SQL Server and Data Engine.
-
---
-Impact:
-Serious. Full system compromise is possible.
-
---
-Detailed Information:
-A buffer overflow condition in the xp_peekqueue variable exists which
-may allow the execution of an arbitary command with administrative
-priviledge.
-
-The vulnerability occurs in API Srv_paraminfo(), which is implemented by
-Extended Stored Procedures (XPs) in Microsoft SQL Server and Data
-Engine. It may also be possible for attackers to execute arbitrary code
-on the host running SQL Server.
-
-
---
-Affected Systems:
-
- Microsoft SQL Server 7.0
- Microsoft SQL Server 2000
- Microsoft Data Engine 1.0
- Microsoft Data Engine 2000
-
-
---
-Attack Scenarios:
-
-An attacker can pass an overly long string to the XP xp_peekqueue,
-a buffer overflow can occur due to an unsafe memory copy. This can cause
-SQL Server to crash.
-
-
---
-Ease of Attack:
-
-Simple. Exploit scripts are available.
-
---
-False Positives:
-
-None known
-
---
-False Negatives:
-
-None known
-
---
-Corrective Action:
-
-Apply the appropriate vendor supplied patch
-(Microsoft Patch Q280380 , Microsoft Patch Q280380)
-
---
-Contributors:
-Original Rule Writer Unknown
-Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/2040/
---
diff -Nru snort-2.8.5.2/doc/signatures/707.txt snort-2.9.2/doc/signatures/707.txt
--- snort-2.8.5.2/doc/signatures/707.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/707.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-707
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft SQL.
-
---
-Impact:
-Information gathering and data integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to an implementation of Microsoft SQL server or client. This can
-lead to unauthorized access and possibly escalated privileges to that of
-the administrator. Data stored on the machine can be compromised and
-trust relationships between the victim server and other hosts can be
-exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/708.txt snort-2.9.2/doc/signatures/708.txt
--- snort-2.8.5.2/doc/signatures/708.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/708.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid: 708
-
---
-
-Summary:
-This event is generated when an attempt is made to overflow a buffer in the Microsoft SQL Server and Data Engine.
-
---
-Impact:
-Serious. A Denial of Service condition or execution of arbitrary code is possible.
-
---
-Detailed Information:
-A buffer overflow condition exists in some versions of Microsoft SQL Server and Data Engine that may allow an attacker to execute arbitrary code with system privileges or crash the SQL Server.
-
-The attacker must gain access to the SQL Server to exploit this vulnerability.
-
---
-
-Attack Scenarios:
-Exploit code exists.
-
---
-
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Disallow direct access to the SQL server from sources external to the protected network.
-
-Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1082
-
-Bugtraq:
-http://www.securityfocus.com/bid/2031
-
-Microsoft:
-http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
-
---
diff -Nru snort-2.8.5.2/doc/signatures/709.txt snort-2.9.2/doc/signatures/709.txt
--- snort-2.8.5.2/doc/signatures/709.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/709.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-709
-
---
-Summary:
-This event is generated after an attempted login to a telnet server
-using the username 4Dgifts.
-
---
-Impact:
-Unauthorized remote access.
-
---
-Detailed Information:
-This event is generated when an attempt is made to login to a server
-using the username 4Dgifts via Telnet. This is a default account on some
-SGI based machines. The password may also be 4Dgifts or it may not have
-a password assigned.
-
-Repeated events from this rule may indicate a determined effort to guess
-the password for this account.
-
---
-Affected Systems:
- SGI Telnet servers.
-
---
-Attack Scenarios:
-An attacker may attempt to connect to a telnet server using the username
-4Dgifts.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disable the 4Dgifts account.
-
-Use ssh as an alternative to Telnet
-
-Block inbound telnet access if it is not required.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/710.txt snort-2.9.2/doc/signatures/710.txt
--- snort-2.8.5.2/doc/signatures/710.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/710.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-710
-
---
-Summary:
-This event is generated after an attempted login to a telnet server
-using the username OutOfBox.
-
---
-Impact:
-Unauthorized remote access.
-
---
-Detailed Information:
-Some SGI machines are shipped with an easy setup group of scripts to
-assist the user when setting up the host. This group of programs is
-called EZsetup and may install some passwordless default accounts on the
-machine.
-
-This event is generated when an attempt is made to login to a server
-using the username OutOfBox via Telnet. This is a default account on some
-SGI based machines. The password may also be OutOfBox or it may not have
-a password assigned.
-
-Repeated events from this rule may indicate a determined effort to guess
-the password for this account.
-
---
-Affected Systems:
- SGI Telnet servers.
-
---
-Attack Scenarios:
-An attacker may attempt to connect to a telnet server using the username
-OutOfBox.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disable the OutOfBox account.
-
-Choose the most secure options when using EZsetup.
-
-Use ssh as an alternative to Telnet
-
-Block inbound telnet access if it is not required.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/711.txt snort-2.9.2/doc/signatures/711.txt
--- snort-2.8.5.2/doc/signatures/711.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/711.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-711
-
---
-Summary:
-This event is generated when an attempt is made to exploit a flaw in SGI IRIX's telnetd.
-
---
-Impact:
-Serious. Arbitrary code execution. Possible remote root compromise of
-the host.
-
---
-Detailed Information:
-When setting one of the _RDL environment variables, IRIX's telnetd logs
-the information via syslog. When telnetd calls syslog, it is possible to
-manipulate the variable to overwrite values on the stack so that code
-given is executed as the user telnetd is run as, typically root.
-
---
-Affected Systems:
- SGI IRIX versions 6.2 to 6.5.8
- SGI IRIX versions 5.2 to 6.1 with patches 1010 and 1020.
-
---
-Attack Scenarios:
-An attacker can gain a root shell with this attack.
-
---
-Ease of Attack:
-Simple. Exploit code exisits and is readily available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply patch from SGI.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Josh Sakofsky
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS304
-
-Bugtraq:
-http://www.securityfocus.com/bid/1572
-
---
diff -Nru snort-2.8.5.2/doc/signatures/712.txt snort-2.9.2/doc/signatures/712.txt
--- snort-2.8.5.2/doc/signatures/712.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/712.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-712
-
---
-Summary:
-This event is generated when an attempt is made to set an environment
-variable in a Telnet session to a server.
-
---
-Impact:
-Unauthorized superuser access.
-
---
-Detailed Information:
-This event is generated when an attempt is made to use the environment
-variable ld_library_path in a Telnet session.
-
---
-Affected Systems:
- Telnet servers.
-
---
-Attack Scenarios:
-An attacker can attempt to set the environment variable ld_library_path
-and then attempt to exploit a known vulnerability in some SunOS based
-systems.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Use ssh as an alternative to Telnet
-
-Block inbound telnet access if it is not required.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/43
-
---
diff -Nru snort-2.8.5.2/doc/signatures/713.txt snort-2.9.2/doc/signatures/713.txt
--- snort-2.8.5.2/doc/signatures/713.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/713.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
---
-Sid:
-713
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Lucent/Livingston Portmaster router.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-This event is generated when an attempt is made to issue a Denial of
-Service (DoS) attack against a Livingston/Lucent router. In some
-situations malformed data sent to the Telnet service on the router can
-cause the DoS to occur.
-
-Lucent Portmaster routers were previously known as Livingston Portmaster
-from Livingston Technologies.
-
---
-Affected Systems:
- Lucent Portmaster 1.0
- Lucent Portmaster 2.0
- Lucent Portmaster 3.0
-
---
-Attack Scenarios:
-The attacker can use one of the publicly available exploit scripts.
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-The Portmaster series of routers is no longer available.
-
-Disable the Telnet service if possible.
-
-Reboot the router to regain the service
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/2225
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0218
-
---
diff -Nru snort-2.8.5.2/doc/signatures/714.txt snort-2.9.2/doc/signatures/714.txt
--- snort-2.8.5.2/doc/signatures/714.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/714.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,90 +0,0 @@
-Rule:
-resolv_host_conf"; flow:to_server,established;
-content:"resolv_host_conf"; reference:arachnids,369;
-reference:url,www.securityfocus.com/bid/2181; classtype:attempted-admin;
-sid:714; rev:4;)
-
---
-
-Sid:
-
-714
-
---
-
-Summary:
-
-The RESOLV_HOST_CONF variable is being manipulated on your Telnet host.
-
---
-
-Impact:
-
-Elevated priviledges (file reads).
-
---
-
-Detailed Information:
-
-The RESOLV_HOST_CONF variable, used by suid and sgid applications, isn't
-properly validated in some versions of glibc. As a result, an attacker
-can use an suid or sgid root program to gain access to files they're not
-supposed to have.
-
---
-
-Affected Systems:
-
-UNIX systems with unpatched glibc 2.1.x or 2.2.x implementations.
-
---
-
-Attack Scenarios:
-
-Attacker sets the RESOLVE_HOST_CONF variable to the filename of any
-protected file (for example, /etc/shadow), and then runs an suid or sgid
-root program. The contents of the protected file are then echoed to the
-console in a series of error messages.
-
---
-
-Ease of Attack:
-
-Simple.
-
---
-
-False Positives:
-
-None known.
-
---
-
-False Negatives:
-
-None known.
-
---
-
-Corrective Action:
-
-Install the latest vendor-supplied glibc implementation.
-
---
-
-Contributors:
-Original Rule Writer Unknown
-Snort documentation contributed by Gene R Gomez (gene!AT!gomezbrothers!DOT!com)
-
---
-
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS369
-
-Bugtraq:
-http://www.securityfocus.com/bid/2181
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/715.txt snort-2.9.2/doc/signatures/715.txt
--- snort-2.8.5.2/doc/signatures/715.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/715.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-715
-
---
-Summary:
-This event is generated when a telnet server sends an error message regarding a failed user attempt to issue the 'su' command to get root privileges.
-
---
-Impact:
-Failed root access. This attack occurs when a user attempts to get root privileges using the su command.
-
---
-Detailed Information:
-An attacker may attempt to gain root privileges by issuing the su command. This implies that the attacker has successfully connected to the telnet server with an account other than root. A failed attempt will cause an error message to be generated indicating that the user is not a member of an authorized group to obtain root privileges.
-
---
-Affected Systems:
-All telnet servers.
-
---
-Attack Scenarios:
-At attacker may attempt to gain root privileges on a telnet server.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-It is remotely possible that a legitimate user with multiple user accounts may attempt to issue su command from the wrong account.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Use ssh instead of telnet to prevent su passwords from being sniffed.
-
-Tightly restric su access to authorized users.
-
-Block inbound telnet access if it is not required.
-
---
-Contributors:
-Original rule writer unknown
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/716.txt snort-2.9.2/doc/signatures/716.txt
--- snort-2.8.5.2/doc/signatures/716.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/716.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-716
-
---
-Summary:
-This event is generated when a remote user successfully connects to a telnet server.
-
---
-Impact:
-Remote access. This event may be an indication of a successful telnet connection by an authorized or unauthorized user.
-
---
-Detailed Information:
-A message is generated by a telnet server after a successful connection. This particular event occurs when a remote user who does not belong to the internal network successfully connects to a telnet server. This may be a legimate connection by an authorized user or a undesired connection by an unauthorized user. Since telnet connections are not encrypted, it is possible that user accounts and passwords may be sniffed and used by attackers. Telnet connections are not considered to be secure especially over the Internet. Secure shell is the recommended service for remote connectivity since it uses encrypted sessions.
-
---
-Affected Systems:
-Telnet servers.
-
---
-Attack Scenarios:
-An attacker may attempt to connect to a telnet server after sniffing a username and password.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-If authorized users are allowed to connect remotely using telnet, disable this rule.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-
-Consider using Secure Shell instead of telnet.
-
-Block inbound telnet connections if it is not required.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0619
-
-Arachnids:
-http://www.whitehats.com/info/IDS08
-
---
diff -Nru snort-2.8.5.2/doc/signatures/717.txt snort-2.9.2/doc/signatures/717.txt
--- snort-2.8.5.2/doc/signatures/717.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/717.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-717
-
---
-Summary:
-This event is generated when a failed remote telnet connection occurs using the root account.
-
---
-Impact:
-Failed root access. This event indicates that an attacker tried an failed to connect to a telnet server using the root account.
-
-
---
-Detailed Information:
-Telnet servers can be configured to disallow connections using the root account. If root privileges are required, the root user must log on to the telnet server's console directly. A failed telnet connection using the root account will generate an error message.
-
---
-Affected Systems:
-Telnet servers.
-
---
-Attack Scenarios:
-An attacker may attempt to log on to a telnet server using the root account.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-
-Disable root logins using telnet.
-
-Consider using Secure Shell instead of telnet.
-
-Block inbound telnet access if it is not required.
-
---
-Contributors:
-Original rule written by Ron Gula
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS365
-
---
diff -Nru snort-2.8.5.2/doc/signatures/718.txt snort-2.9.2/doc/signatures/718.txt
--- snort-2.8.5.2/doc/signatures/718.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/718.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-718
-
---
-Summary:
-This event is generated when an attempted telnet login fails from a remote user.
-
---
-Impact:
-Attempted remote access. This event may indicate that an attacker is attempting to guess username and password combinations. Alternately, it may indicate that an authorized user has entered an incorrect username and password combination.
-
---
-Detailed Information:
-A telnet server will issue an error message after a failed login attempt. This may be an indication of an attacker attempting brute force guessing of username and password combinations. It is also possible that an authorized user has incorrectly entered a legitimate username and password combination. Telnet traffic is passed in clear text so it is not recommended for remote connections. Secure Shell is considered to be a more secure alternative.
-
---
-Affected Systems:
-Telnet servers.
-
---
-Attack Scenarios:
-An attacker may attempt to guess username and password combinations.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-This event may be triggered by a failed telnet login attempt from a remote user.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Consider using Secure Shell instead of telnet.
-
-Block inbound telnet access if it is not required.
-
---
-Contributors:
-Original rule writer Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS127
-
---
diff -Nru snort-2.8.5.2/doc/signatures/719.txt snort-2.9.2/doc/signatures/719.txt
--- snort-2.8.5.2/doc/signatures/719.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/719.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-719
-
---
-Summary:
-This event is generated after an attempted login to a telnet server
-using the username root.
-
---
-Impact:
-Remote root access. This may or may not indicate a successful root
-login to a telnet server.
-
---
-Detailed Information:
-This event is generated after a telnet server observes an attempted
-login with the username root. It is not possible to tell from this
-event alone whether or not the attempt was successful. If this is
-followed by a login failure event, the root login did not succeeed.
-However, if no failure message is observed and the rule with SID 718 is
-enabled, this may indicate that the root login succeeded.
-
---
-Affected Systems:
-Telnet servers.
-
---
-Attack Scenarios:
-An attacker may attempt to connect to a telnet server using the username
-of root.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Consider using Secure Shell instead of telnet.
-
-Disable root logins to telnet.
-
-
-Block inbound telnet access if it is not required.
-
---
-Contributors:
-Original rule writer unknown.
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/720.txt snort-2.9.2/doc/signatures/720.txt
--- snort-2.8.5.2/doc/signatures/720.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/720.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-720
-
---
-Summary:
-This event is generated when email is received from a Post Office Protocol (POP) server that may contain an attachment with the Snow White worm.
-
---
-Impact:
-Possible system compromise. The worm can alter system files and registry key settings.
-
---
-Detailed Information:
-The Snow White worm, also known as Hybris, may contain text with a unique misspelling of "Suddlently". This worm attempts to write to the wsock32.dll library. It may also attempt to alter registry key settings.
-
---
-Affected Systems:
-Microsoft Win32 systems.
-
---
-Attack Scenarios:
-The worm is spread by e-mail and attempts to infect other hosts when a user opens the e-mail attachment.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-This event is triggered when an e-mail is received from a POP server that contains the misspelled word "Suddlently".
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Make sure that the suspected infected host has the most current anti-virus software.
-
-Run a virus scan on the suspected infected host.
-
---
-Contributors:
-Original rule writer unknown.
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-F-Secure:
-http://www.f-secure.com/v-descs/hybris.shtml
-
---
diff -Nru snort-2.8.5.2/doc/signatures/721.txt snort-2.9.2/doc/signatures/721.txt
--- snort-2.8.5.2/doc/signatures/721.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/721.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-721
-
---
-Summary:
-This event is generated when network activity indicating possible virus
-infection is detected.
-
---
-Impact:
-Malicious code infection. This event may indicate that an internal host
-may be infected with some kind of malicious code.
-
---
-Detailed Information:
-This event may indicate a possible virus infection of a host on the
-protected network.
-
---
-Affected Systems:
- Various systems
-
---
-Attack Scenarios:
-Viruses may propogate in many different ways. Many arrive in the form of
-email attachments that an unsuspecting user may trigger by opening the
-attachment. Once infected, many viruses have the ability to use the
-infected host as a means of spreading copies of itself to other machines
-on the protected and external networks.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Use antivirus software on hosts to terminate infectors.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/724.txt snort-2.9.2/doc/signatures/724.txt
--- snort-2.8.5.2/doc/signatures/724.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/724.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,90 +0,0 @@
-Rule:
-
---
-Sid:
-724
-
---
-Summary:
-This event is generated when worm activity is detected. More specifcally
-this event indicates possible "My Romeo" propogation.
-
---
-Impact:
-Serious. The victim host may be infected with a worm.
-
---
-Detailed Information:
-This worm propogates via electronic mail and exploits a known
-vulnerability in the way that versions of Microsoft Outlook and Internet
-Explorer handle trusted HTML pages. The worm is launched via a compiled
-HTML file (.chm) which is used by Microsoft WIndows Help.
-
-The executable part of the worm is called from within the trusted
-compiled HTML file. The worm attempts to propagate using hard coded
-addresses of SMTP servers.
-
-This worm is also Known As: Romeo and Juliet, W32/Verona, TrojBlebla.A
-
---
-Affected Systems:
- Microsoft Windows 9x
- Microsoft Windows 2000
-
---
-Attack Scenarios:
-Symantec Anti-Virus center states that the worm arrives as an email
-message that has an HTML body and two attachments named Myjuliet.chm
-and Myromeo.exe. The subject of the email is selected at random from
-the following set:
-
-Romeo&Juliet
-hello world
-subject
-ble bla, bee
-I Love You ;)
-sorry...
-Hey you !
-Matrix has you...
-my picture
-from shake-beer
-
---
-Ease of Attack:
-Simple. This is worm activity.
-
---
-False Positives:
-Legitimate electronic mail containing the known subject lines used by
-MyRomeo may cause this rule to generate an event.
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches and service packs.
-
-Use Anti-Virus software to detect and delete virus laden email.
-
-This worm makes changes to the system registry, removal of the affected
-registry keys should be done using an appropriate virus removal tool or
-by an experienced Windows administrator.
-
---
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-McAfee
-http://vil.nai.com/vil/content/v_98894.htm
-
-Symantec Security Response
-http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/725.txt snort-2.9.2/doc/signatures/725.txt
--- snort-2.8.5.2/doc/signatures/725.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/725.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,91 +0,0 @@
-Rule:
-
---
-Sid:
-725
-
-
---
-Summary:
-This event is generated when worm activity is detected. More specifcally
-this event indicates possible "My Romeo" propogation.
-
---
-Impact:
-Serious. The victim host may be infected with a worm.
-
---
-Detailed Information:
-This worm propogates via electronic mail and exploits a known
-vulnerability in the way that versions of Microsoft Outlook and Internet
-Explorer handle trusted HTML pages. The worm is launched via a compiled
-HTML file (.chm) which is used by Microsoft WIndows Help.
-
-The executable part of the worm is called from within the trusted
-compiled HTML file. The worm attempts to propagate using hard coded
-addresses of SMTP servers.
-
-This worm is also Known As: Romeo and Juliet, W32/Verona, TrojBlebla.A
-
---
-Affected Systems:
- Microsoft Windows 9x
- Microsoft Windows 2000
-
---
-Attack Scenarios:
-Symantec Anti-Virus center states that the worm arrives as an email
-message that has an HTML body and two attachments named Myjuliet.chm
-and Myromeo.exe. The subject of the email is selected at random from
-the following set:
-
-Romeo&Juliet
-hello world
-subject
-ble bla, bee
-I Love You ;)
-sorry...
-Hey you !
-Matrix has you...
-my picture
-from shake-beer
-
---
-Ease of Attack:
-Simple. This is worm activity.
-
---
-False Positives:
-Legitimate electronic mail containing the known subject lines used by
-MyRomeo may cause this rule to generate an event.
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches and service packs.
-
-Use Anti-Virus software to detect and delete virus laden email.
-
-This worm makes changes to the system registry, removal of the affected
-registry keys should be done using an appropriate virus removal tool or
-by an experienced Windows administrator.
-
---
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-McAfee
-http://vil.nai.com/vil/content/v_98894.htm
-
-Symantec Security Response
-http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/726.txt snort-2.9.2/doc/signatures/726.txt
--- snort-2.8.5.2/doc/signatures/726.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/726.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,91 +0,0 @@
-Rule:
-
---
-Sid:
-726
-
-
---
-Summary:
-This event is generated when worm activity is detected. More specifcally
-this event indicates possible "My Romeo" propogation.
-
---
-Impact:
-Serious. The victim host may be infected with a worm.
-
---
-Detailed Information:
-This worm propogates via electronic mail and exploits a known
-vulnerability in the way that versions of Microsoft Outlook and Internet
-Explorer handle trusted HTML pages. The worm is launched via a compiled
-HTML file (.chm) which is used by Microsoft WIndows Help.
-
-The executable part of the worm is called from within the trusted
-compiled HTML file. The worm attempts to propagate using hard coded
-addresses of SMTP servers.
-
-This worm is also Known As: Romeo and Juliet, W32/Verona, TrojBlebla.A
-
---
-Affected Systems:
- Microsoft Windows 9x
- Microsoft Windows 2000
-
---
-Attack Scenarios:
-Symantec Anti-Virus center states that the worm arrives as an email
-message that has an HTML body and two attachments named Myjuliet.chm
-and Myromeo.exe. The subject of the email is selected at random from
-the following set:
-
-Romeo&Juliet
-hello world
-subject
-ble bla, bee
-I Love You ;)
-sorry...
-Hey you !
-Matrix has you...
-my picture
-from shake-beer
-
---
-Ease of Attack:
-Simple. This is worm activity.
-
---
-False Positives:
-Legitimate electronic mail containing the known subject lines used by
-MyRomeo may cause this rule to generate an event.
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches and service packs.
-
-Use Anti-Virus software to detect and delete virus laden email.
-
-This worm makes changes to the system registry, removal of the affected
-registry keys should be done using an appropriate virus removal tool or
-by an experienced Windows administrator.
-
---
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-McAfee
-http://vil.nai.com/vil/content/v_98894.htm
-
-Symantec Security Response
-http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/727.txt snort-2.9.2/doc/signatures/727.txt
--- snort-2.8.5.2/doc/signatures/727.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/727.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,91 +0,0 @@
-Rule:
-
---
-Sid:
-727
-
-
---
-Summary:
-This event is generated when worm activity is detected. More specifcally
-this event indicates possible "My Romeo" propogation.
-
---
-Impact:
-Serious. The victim host may be infected with a worm.
-
---
-Detailed Information:
-This worm propogates via electronic mail and exploits a known
-vulnerability in the way that versions of Microsoft Outlook and Internet
-Explorer handle trusted HTML pages. The worm is launched via a compiled
-HTML file (.chm) which is used by Microsoft WIndows Help.
-
-The executable part of the worm is called from within the trusted
-compiled HTML file. The worm attempts to propagate using hard coded
-addresses of SMTP servers.
-
-This worm is also Known As: Romeo and Juliet, W32/Verona, TrojBlebla.A
-
---
-Affected Systems:
- Microsoft Windows 9x
- Microsoft Windows 2000
-
---
-Attack Scenarios:
-Symantec Anti-Virus center states that the worm arrives as an email
-message that has an HTML body and two attachments named Myjuliet.chm
-and Myromeo.exe. The subject of the email is selected at random from
-the following set:
-
-Romeo&Juliet
-hello world
-subject
-ble bla, bee
-I Love You ;)
-sorry...
-Hey you !
-Matrix has you...
-my picture
-from shake-beer
-
---
-Ease of Attack:
-Simple. This is worm activity.
-
---
-False Positives:
-Legitimate electronic mail containing the known subject lines used by
-MyRomeo may cause this rule to generate an event.
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches and service packs.
-
-Use Anti-Virus software to detect and delete virus laden email.
-
-This worm makes changes to the system registry, removal of the affected
-registry keys should be done using an appropriate virus removal tool or
-by an experienced Windows administrator.
-
---
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-McAfee
-http://vil.nai.com/vil/content/v_98894.htm
-
-Symantec Security Response
-http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/728.txt snort-2.9.2/doc/signatures/728.txt
--- snort-2.8.5.2/doc/signatures/728.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/728.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,91 +0,0 @@
-Rule:
-
---
-Sid:
-728
-
-
---
-Summary:
-This event is generated when worm activity is detected. More specifcally
-this event indicates possible "My Romeo" propogation.
-
---
-Impact:
-Serious. The victim host may be infected with a worm.
-
---
-Detailed Information:
-This worm propogates via electronic mail and exploits a known
-vulnerability in the way that versions of Microsoft Outlook and Internet
-Explorer handle trusted HTML pages. The worm is launched via a compiled
-HTML file (.chm) which is used by Microsoft WIndows Help.
-
-The executable part of the worm is called from within the trusted
-compiled HTML file. The worm attempts to propagate using hard coded
-addresses of SMTP servers.
-
-This worm is also Known As: Romeo and Juliet, W32/Verona, TrojBlebla.A
-
---
-Affected Systems:
- Microsoft Windows 9x
- Microsoft Windows 2000
-
---
-Attack Scenarios:
-Symantec Anti-Virus center states that the worm arrives as an email
-message that has an HTML body and two attachments named Myjuliet.chm
-and Myromeo.exe. The subject of the email is selected at random from
-the following set:
-
-Romeo&Juliet
-hello world
-subject
-ble bla, bee
-I Love You ;)
-sorry...
-Hey you !
-Matrix has you...
-my picture
-from shake-beer
-
---
-Ease of Attack:
-Simple. This is worm activity.
-
---
-False Positives:
-Legitimate electronic mail containing the known subject lines used by
-MyRomeo may cause this rule to generate an event.
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches and service packs.
-
-Use Anti-Virus software to detect and delete virus laden email.
-
-This worm makes changes to the system registry, removal of the affected
-registry keys should be done using an appropriate virus removal tool or
-by an experienced Windows administrator.
-
---
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-McAfee
-http://vil.nai.com/vil/content/v_98894.htm
-
-Symantec Security Response
-http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/729.txt snort-2.9.2/doc/signatures/729.txt
--- snort-2.8.5.2/doc/signatures/729.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/729.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-729
-
---
-Summary:
-This event is generated when network traffic indicating the use of a
-multimedia application is detected.
-
---
-Impact:
-This may be a violation of corporate policy since these applications can
-be used to bypass security measures designed to restrict the flow of
-corporate information to destinations external to the corporation.
-
---
-Detailed Information:
-Multimedia client applications can be used to view movies and listen to
-music files. Some also include file sharing facilities. Use of these
-programs may constitute a violation of company policy.
-
-Clients may also contain vulnerabilities that can give an attacker an
-attack vector for delivering Trojan horse programs and viruses.
-
---
-Affected Systems:
- All systems running multimedia applications
-
---
-Attack Scenarios:
-A user can download files from a source external to the protected
-network that may contain malicious code hidden in the file giving an
-attacker the opportunity to gain access to a host inside the protected
-network.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/730.txt snort-2.9.2/doc/signatures/730.txt
--- snort-2.8.5.2/doc/signatures/730.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/730.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-730
-
---
-Summary:
-This event is generated when network traffic indicating the use of a
-multimedia application is detected.
-
---
-Impact:
-This may be a violation of corporate policy since these applications can
-be used to bypass security measures designed to restrict the flow of
-corporate information to destinations external to the corporation.
-
---
-Detailed Information:
-Multimedia client applications can be used to view movies and listen to
-music files. Some also include file sharing facilities. Use of these
-programs may constitute a violation of company policy.
-
-Clients may also contain vulnerabilities that can give an attacker an
-attack vector for delivering Trojan horse programs and viruses.
-
---
-Affected Systems:
- All systems running multimedia applications
-
---
-Attack Scenarios:
-A user can download files from a source external to the protected
-network that may contain malicious code hidden in the file giving an
-attacker the opportunity to gain access to a host inside the protected
-network.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/731.txt snort-2.9.2/doc/signatures/731.txt
--- snort-2.8.5.2/doc/signatures/731.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/731.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,97 +0,0 @@
-Rule:
-
---
-Sid:
-731
-
---
-Summary:
-QAZ is a Trojan Horse.
-
---
-Impact:
-Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to.
-
---
-Detailed Information:
-This Trojan affects the following operating systems:
-
- Windows 95
- Windows 98
- Windows ME
- Windows NT
- Windows 2000
- Windows XP
-
-No other systems are affected. This is a windows exceutable that makes changes to the system registry.
-
-The Trojan changes system startup files and registry settings to add the QAZ sever to programs normally started on boot.
-
- SID Message
- --- -------
- 108 QAZ Worm Client Login access
- 731 Virus - Possible QAZ Worm (Indicates worm activity)
- 775 Virus - Possible QAZ Worm Infection (Indicates worm activity)
- 733 Virus - Possible QAZ Worm Calling Home (Indicates the worm is trying to send mail)
-
---
-Attack Scenarios:
-This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
-
---
-Ease of Attack:
-This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-
-This is a particularly difficult Trojan to remove and should only be attempted by an experienced Windows Administrator.
-
-Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
-
-Affected registry keys are:
-
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run
-
-Registry keys added are:
-
- StartIE=C:\WINDOWS\notepad.exe qazwsx.hsq
-
-This will start the Trojan each time notepad is executed.
-
-Look for the existence of the file note.com. The file notepad.exe may have been replaced with a Trojaned version that is approximately 120 kb in size (the original is 52 kb).
-
-A machine reboot is required to clear the existing process from running in memory.
-
---
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Whitehats arachNIDS
-http://www.whitehats.com/info/IDS501
-http://www.whitehats.com/info/IDS498
-http://www.whitehats.com/info/IDS499
-
-McAfee
-http://vil.nai.com/vil/content/v_98775.htm
-
-Symantec Security Response
-http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.qaz.a.html
-
-Diamond Computer Systems Security Advisory
-http://www.diamondcs.com.au/web/alerts/qaz.htm
-
---
diff -Nru snort-2.8.5.2/doc/signatures/732.txt snort-2.9.2/doc/signatures/732.txt
--- snort-2.8.5.2/doc/signatures/732.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/732.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-732
-
---
-Summary:
-This event is generated when network traffic indicating the use of a
-multimedia application is detected.
-
---
-Impact:
-This may be a violation of corporate policy since these applications can
-be used to bypass security measures designed to restrict the flow of
-corporate information to destinations external to the corporation.
-
---
-Detailed Information:
-Multimedia client applications can be used to view movies and listen to
-music files. Some also include file sharing facilities. Use of these
-programs may constitute a violation of company policy.
-
-Clients may also contain vulnerabilities that can give an attacker an
-attack vector for delivering Trojan horse programs and viruses.
-
---
-Affected Systems:
- All systems running multimedia applications
-
---
-Attack Scenarios:
-A user can download files from a source external to the protected
-network that may contain malicious code hidden in the file giving an
-attacker the opportunity to gain access to a host inside the protected
-network.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/733.txt snort-2.9.2/doc/signatures/733.txt
--- snort-2.8.5.2/doc/signatures/733.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/733.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,97 +0,0 @@
-Rule:
-
---
-Sid:
-733
-
---
-Summary:
-QAZ is a Trojan Horse.
-
---
-Impact:
-Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to.
-
---
-Detailed Information:
-This Trojan affects the following operating systems:
-
- Windows 95
- Windows 98
- Windows ME
- Windows NT
- Windows 2000
- Windows XP
-
-No other systems are affected. This is a windows exceutable that makes changes to the system registry.
-
-The Trojan changes system startup files and registry settings to add the QAZ sever to programs normally started on boot.
-
- SID Message
- --- -------
- 108 QAZ Worm Client Login access
- 731 Virus - Possible QAZ Worm (Indicates worm activity)
- 775 Virus - Possible QAZ Worm Infection (Indicates worm activity)
- 733 Virus - Possible QAZ Worm Calling Home (Indicates the worm is trying to send mail)
-
---
-Attack Scenarios:
-This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
-
---
-Ease of Attack:
-This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-
-This is a particularly difficult Trojan to remove and should only be attempted by an experienced Windows Administrator.
-
-Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
-
-Affected registry keys are:
-
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run
-
-Registry keys added are:
-
- StartIE=C:\WINDOWS\notepad.exe qazwsx.hsq
-
-This will start the Trojan each time notepad is executed.
-
-Look for the existence of the file note.com. The file notepad.exe may have been replaced with a Trojaned version that is approximately 120 kb in size (the original is 52 kb).
-
-A machine reboot is required to clear the existing process from running in memory.
-
---
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Whitehats arachNIDS
-http://www.whitehats.com/info/IDS501
-http://www.whitehats.com/info/IDS498
-http://www.whitehats.com/info/IDS499
-
-McAfee
-http://vil.nai.com/vil/content/v_98775.htm
-
-Symantec Security Response
-http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.qaz.a.html
-
-Diamond Computer Systems Security Advisory
-http://www.diamondcs.com.au/web/alerts/qaz.htm
-
---
diff -Nru snort-2.8.5.2/doc/signatures/734.txt snort-2.9.2/doc/signatures/734.txt
--- snort-2.8.5.2/doc/signatures/734.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/734.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,54 +0,0 @@
-Rule:
-
---
-Sid:
-734
-
---
-Summary:
-This event is generated when Matrix worm activity is detected.
-
---
-Impact:
-Severe - Windows system files can be deleted/replaced/infected
-(Wsock32.dll, Explorer.exe and Rundll32.exe).
-
-The virus propagation is done when a user sends e-mail, but variants may
-exist that display other characteristics.
-
---
-Detailed Information:
-Matrix worm is distributed via e-mail when a user sends some e-mail to a recipient. The attachement name is random. File suffixes can be .exe, .com, .bat, .pif, .scr, .jpg.pif.. etc. The worm code uses plugins which can make the virus really dangerous (e.x. installing backdoors). Removal could be difficult, but free removal tools exist (see below).
-
---
-Attack Scenarios:
-An attacker sends the Matrix worm using a MIME exploit which executes the virus code automatically. The worm can now distribute itself using the mail client of the user and can install backdoors and infect EXE files.
-
---
-Ease of Attack:
-Simple. The worm does all the distribution work.
-
---
-False Positives:
-E-Mail that contains the body "Software provide by [MATRiX]"
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Symantec W95.MTX removal tool: http://www.sarc.com/avcenter/venc/data/w95.mtx.fix.tool.html
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Ueli Kistler,
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/735.txt snort-2.9.2/doc/signatures/735.txt
--- snort-2.8.5.2/doc/signatures/735.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/735.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,91 +0,0 @@
-Rule:
-
---
-Sid:
-735
-
-
---
-Summary:
-This event is generated when worm activity is detected. More specifcally
-this event indicates possible "My Romeo" propogation.
-
---
-Impact:
-Serious. The victim host may be infected with a worm.
-
---
-Detailed Information:
-This worm propogates via electronic mail and exploits a known
-vulnerability in the way that versions of Microsoft Outlook and Internet
-Explorer handle trusted HTML pages. The worm is launched via a compiled
-HTML file (.chm) which is used by Microsoft WIndows Help.
-
-The executable part of the worm is called from within the trusted
-compiled HTML file. The worm attempts to propagate using hard coded
-addresses of SMTP servers.
-
-This worm is also Known As: Romeo and Juliet, W32/Verona, TrojBlebla.A
-
---
-Affected Systems:
- Microsoft Windows 9x
- Microsoft Windows 2000
-
---
-Attack Scenarios:
-Symantec Anti-Virus center states that the worm arrives as an email
-message that has an HTML body and two attachments named Myjuliet.chm
-and Myromeo.exe. The subject of the email is selected at random from
-the following set:
-
-Romeo&Juliet
-hello world
-subject
-ble bla, bee
-I Love You ;)
-sorry...
-Hey you !
-Matrix has you...
-my picture
-from shake-beer
-
---
-Ease of Attack:
-Simple. This is worm activity.
-
---
-False Positives:
-Legitimate electronic mail containing the known subject lines used by
-MyRomeo may cause this rule to generate an event.
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches and service packs.
-
-Use Anti-Virus software to detect and delete virus laden email.
-
-This worm makes changes to the system registry, removal of the affected
-registry keys should be done using an appropriate virus removal tool or
-by an experienced Windows administrator.
-
---
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-McAfee
-http://vil.nai.com/vil/content/v_98894.htm
-
-Symantec Security Response
-http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/772.txt snort-2.9.2/doc/signatures/772.txt
--- snort-2.8.5.2/doc/signatures/772.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/772.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-
-772
-
---
-Summary:
-This event is generated when the PrettyPark virus attempts to spread.
-
---
-Impact:
-Possible virus infection. Attempt to spread a virus/trojan.
-
---
-Detailed Information:
-Prettypark is a Win32 based Internet worm. This spreads through the Internet by attaching itself to email messages.
-
-When the attached file is executed, it checks for the existence of Prettypark in memory, if it is not present it then installs Prettypark. After infecting it sends messages to all the email addresses listed in the address book with an attachment containing the virus.
-
-Prettypark is capable of revealing passwords and connects to IRC channels. System access is possible.
-
---
-Affected Systems:
-Windows 95, 98 and NT
-
---
-Attack Scenarios:
-This is virus propogation activity.
-
---
-Ease of Attack:
-
-Simple.
-
---
-False Positives:
-
-Possible in certain mail content
-
---
-False Negatives:
-
-None known
-
---
-Corrective Action:
-
-Use an Anti-Virus tool to remove it.
-
---
-Contributors:
-Original Rule Writer Unknown
-Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-http://www.nwinternet.com/~pchelp/bo/prettypark.htm
---
diff -Nru snort-2.8.5.2/doc/signatures/775.txt snort-2.9.2/doc/signatures/775.txt
--- snort-2.8.5.2/doc/signatures/775.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/775.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,97 +0,0 @@
-Rule:
-
---
-Sid:
-775
-
---
-Summary:
-QAZ is a Trojan Horse.
-
---
-Impact:
-Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to.
-
---
-Detailed Information:
-This Trojan affects the following operating systems:
-
- Windows 95
- Windows 98
- Windows ME
- Windows NT
- Windows 2000
- Windows XP
-
-No other systems are affected. This is a windows exceutable that makes changes to the system registry.
-
-The Trojan changes system startup files and registry settings to add the QAZ sever to programs normally started on boot.
-
- SID Message
- --- -------
- 108 QAZ Worm Client Login access
- 731 Virus - Possible QAZ Worm (Indicates worm activity)
- 775 Virus - Possible QAZ Worm Infection (Indicates worm activity)
- 733 Virus - Possible QAZ Worm Calling Home (Indicates the worm is trying to send mail)
-
---
-Attack Scenarios:
-This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
-
---
-Ease of Attack:
-This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-
-This is a particularly difficult Trojan to remove and should only be attempted by an experienced Windows Administrator.
-
-Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
-
-Affected registry keys are:
-
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run
-
-Registry keys added are:
-
- StartIE=C:\WINDOWS\notepad.exe qazwsx.hsq
-
-This will start the Trojan each time notepad is executed.
-
-Look for the existence of the file note.com.
The file notepad.exe may have been replaced with a Trojaned version that is approximately 120 kb in size (the original is 52 kb).
-
-A machine reboot is required to clear the existing process from running in memory.
-
---
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Whitehats arachNIDS
-http://www.whitehats.com/info/IDS501
-http://www.whitehats.com/info/IDS498
-http://www.whitehats.com/info/IDS499
-
-McAfee
-http://vil.nai.com/vil/content/v_98775.htm
-
-Symantec Security Response
-http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.qaz.a.html
-
-Diamond Computer Systems Security Advisory
-http://www.diamondcs.com.au/web/alerts/qaz.htm
-
---
diff -Nru snort-2.8.5.2/doc/signatures/793.txt snort-2.9.2/doc/signatures/793.txt
--- snort-2.8.5.2/doc/signatures/793.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/793.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-793
-
---
-Summary:
-This event is generated when an internal mail server sends an e-mail out of the network that may contain a Visual Basic Script (VBS) attachment.
-
---
-Impact:
-Malicious code infection. This event may indicate that an internal host may be infected with some kind of malicious code.
-
---
-Detailed Information:
-An outbound e-mail message that contains an attachment with a file name ending in ".vbs" may indicate that an internal host has been infected by some kind of malicious code. A ".vbs" extension typically means that an attachment file is a Visual Basic Script. A VBS attachment may contain executable code for a worm, virus, or trojan.
-
---
-Affected Systems:
-Microsoft Windows hosts.
-
---
-Attack Scenarios:
-Malicious code may be spread by e-mail containing attachments with files ending in ".vbs".
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-This alert will be triggered if e-mail is sent containing a legitimate VBS attachment.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Make sure that the suspected infected host has the most current anti-virus software.
-
-Run a virus scan on the suspected infected host.
-
-Configure your mail server to block attachments that contain executable code, such as those with extensions of ".vbs", ".exe", etc.
-
---
-Contributors:
-Original rule writer unknown.
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/795.txt snort-2.9.2/doc/signatures/795.txt
--- snort-2.8.5.2/doc/signatures/795.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/795.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-
-Rule:
-
---
-Sid:
-795
-
---
-Summary:
-This rule has been placed in deleted.rules. It has been superceded by
-sid 721.
-
---
-Impact:
-Mail worms may spread rapidly because users execute them.
-
---
-Detailed Information:
-Windows systems are often configured not to display file extensions.
-By adding a second extension, users get confused and think that an
-executable is a text - e.g. loveletter.txt.vbs gets displayed as
-loveletter.txt but is a visual basic script and not a plain text.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-Famous worms (ILOVEYOU, KOURNIKOVA) are based on this method.
-
---
-Ease of Attack:
-Very easy. One needs to attach a file and hope that it gets executed.
-
---
-False Positives:
-None Known
-Could be an error on sender's side.
-
---
-False Negatives:
-None Known
--
-
---
-Corrective Action:
-Use antivirus software. Configure mail clients securely, especially when
-using windows desktops. Educate your mail users. Deny all attachments at
-the gateway if you can.
-
---
-Contributors:
-Original rule writer unknown
-Snort documentation contributed by tobias.haecker@to.com
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-See websites of antivirus companies.
-
---
diff -Nru snort-2.8.5.2/doc/signatures/796.txt snort-2.9.2/doc/signatures/796.txt
--- snort-2.8.5.2/doc/signatures/796.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/796.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-
-Rule:
-
---
-Sid:
-796
-
---
-Summary:
-This rule has been placed in deleted.rules. It has been superceded by
-sid 721.
-
---
-Impact:
-Mail worms may spread rapidly because users execute them.
-
---
-Detailed Information:
-Windows systems are often configured not to display file extensions.
-By adding a second extension, users get confused and think that an
-executable is an EXCEL spreadsheet - e.g. businnesplan.xls.vbs gets displayed as
-businessplan.xls but is a visual basic script and not an EXCEL spreadsheet.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-Famous worms (ILOVEYOU, KOURNIKOVA) are based on this method. Warning:
-An EXCEL spreadsheet is in now way more secure than a visual basic script.
-Wrongly configured antivirus software my ignore this files and
-let a macro virus pass.
-
---
-Ease of Attack:
-Very easy. One needs to attach a file and hope that it gets executed.
-
---
-False Positives:
-None Known
-Could be an error on sender's side.
-
---
-False Negatives:
-None Known
--
-
---
-Corrective Action:
-Use antivirus software. Configure mail clients securely, especially when
-using windows desktops. Educate your mail users. Deny all attachments at
-the gateway if you can.
-
---
-Contributors:
-Original rule writer unknown
-Snort documentation contributed by tobias.haecker@to.com
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-See websites of antivirus companies.
-
---
diff -Nru snort-2.8.5.2/doc/signatures/797.txt snort-2.9.2/doc/signatures/797.txt
--- snort-2.8.5.2/doc/signatures/797.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/797.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-
-Rule:
-
---
-Sid:
-797
-
---
-Summary:
-This rule has been placed in deleted.rules. It has been superceded by
-sid 721.
-
---
-Impact:
-Mail worms may spread rapidly because users execute them.
-
---
-Detailed Information:
-Windows systems are often configured not to display file extensions.
-By adding a second extension, users get confused and think that an
-executable is a picture - e.g. niceboy.jpg.vbs gets displayed as
-nicegboy.jpg but is a visual basic script and not a picture.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-Famous worms (ILOVEYOU, KOURNIKOVA) are based on this method.
-
---
-Ease of Attack:
-Very easy. One needs to attach a file and hope that it gets executed.
-
---
-False Positives:
-None Known
-Could be an error on sender's side.
-
---
-False Negatives:
-None Known
--
-
---
-Corrective Action:
-Use antivirus software. Configure mail clients securely, especially when
-using windows desktops. Educate your mail users. Deny all attachments at
-the gateway if you can.
-
---
-Contributors:
-Original rule writer unknown
-Snort documentation contributed by tobias.haecker@to.com
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-See websites of antivirus companies.
-
---
diff -Nru snort-2.8.5.2/doc/signatures/798.txt snort-2.9.2/doc/signatures/798.txt
--- snort-2.8.5.2/doc/signatures/798.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/798.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-
-Rule:
-
---
-Sid:
-798
-
---
-Summary:
-This rule has been placed in deleted.rules. It has been superceded by
-sid 721.
-
---
-Impact:
-Mail worms may spread rapidly because users execute them.
-
---
-Detailed Information:
-Windows systems are often configured not to display file extensions.
-By adding a second extension, users get confused and think that an
-executable is a picture - e.g. nicegirl.gif.vbs gets displayed as
-nicegirl.gif but is a visual basic script and not a picture.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-Famous worms (ILOVEYOU, KOURNIKOVA) are based on this method.
-
---
-Ease of Attack:
-Very easy. One needs to attach a file and hope that it gets executed.
-
---
-False Positives:
-None Known
-Could be an error on sender's side.
-
---
-False Negatives:
-None Known
--
-
---
-Corrective Action:
-Use antivirus software. Configure mail clients securely, especially when
-using windows desktops. Educate your mail users. Deny all attachments at
-the gateway if you can.
-
---
-Contributors:
-Original rule writer unknown
-Snort documentation contributed by tobias.haecker@to.com
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-See websites of antivirus companies.
-
---
diff -Nru snort-2.8.5.2/doc/signatures/801.txt snort-2.9.2/doc/signatures/801.txt
--- snort-2.8.5.2/doc/signatures/801.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/801.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-801
-
---
-Summary:
-This rule has been placed in deleted.rules. It has been superceded by
-sid 721.
-
---
-Impact:
-Mail worms may spread rapidly because users execute them.
-
---
-Detailed Information:
-Windows systems are often configured not to display file extensions.
-By adding a second extension, users get confused and think that an
-executable is a WORD document - e.g. resume.doc.vbs gets displayed as
-resume.doc but is a visual basic script and not a WORD document.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-Famous worms (ILOVEYOU, KOURNIKOVA) are based on this method. Warning:
-A WORD document is in now way more secure than a visual basic script.
-Wrongly configured antivirus software my ignore this files and
-let a macro virus pass.
-
---
-Ease of Attack:
-Very easy. One needs to attach a file and hope that it gets executed.
-
---
-False Positives:
-Could be an error on sender's side.
-
---
-False Negatives:
-None Known
--
-
---
-Corrective Action:
-Use antivirus software. Configure mail clients securely, especially when
-using windows desktops. Educate your mail users. Deny all attachments at
-the gateway if you can.
-
---
-Contributors:
-Original rule writer unknown
-Snort documentation contributed by tobias.haecker@to.com
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/803.txt snort-2.9.2/doc/signatures/803.txt
--- snort-2.8.5.2/doc/signatures/803.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/803.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-803
-
---
-Summary:
-This event is generated when an attempt is made to access hsx.cgi and
-then utilize a directory traversal technique to read files outside the
-root directory of the web server. This indicates an attempt to exploit a
-vulnerability in the Hyperseek 2000 search engine that allows
-read-access to directory listings and files.
-
-
---
-Impact:
-Information gathering.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a directory traversal vulnerability in HyperSeek 2000. When directory traversal techniques such as ../../ are used as arguments to hsx.cgi, an unauthorized user can navigate to directories and access files that are normally hidden.
-
---
-Affected Systems:
-Web servers running iWeb Systems HyperSeek 2000 are vulnerable.
-
---
-Attack Scenarios:
-An attacker can use a directory traversal technique when executing hsx.cgi to view hidden directories and files on the web server.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Uprade to the latest non-affected version of the software.
-
---
-Contributors:
-Original rule writer unknown
-Rule modified by Brian Caswell
-Nigel Houghton
-Sourcefire Technical Publications Team
-
---
-Additional References:
-
-Bugtraq
-http://www.securityfocus.com/bid/2314
-
-CERT/CC
-http://www.kb.cert.org/vuls/id/146704
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0253
-
-Nessus
-http://cgi.nessus.org/plugins/dump.php3?id=10602
-
---
diff -Nru snort-2.8.5.2/doc/signatures/804.txt snort-2.9.2/doc/signatures/804.txt
--- snort-2.8.5.2/doc/signatures/804.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/804.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-804
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow vulnerability in SWSoft ASPSeek search engine software.
-
---
-Impact:
-Arbitrary code execution.
-
---
-Detailed Information:
-SWSoft ASPSeek search engine software contains a buffer overflow
-vulnerability where, if a sufficiently long string is sent to the s.cgi
-script using the template (tmpl) variable, a buffer overflow condition
-can occur. This may allow the execution of arbitrary code.
-
---
-Affected Systems:
-All Apache web servers running SWSoft ASPSeek 1.0.3 and earlier are
-vulnerable.
-
---
-Attack Scenarios:
-An attacker can send a crafted query to the s.cgi script, creating a
-buffer overflow condition. This could then allow the attacker to execute
-arbitrary code from the system's command shell.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-If a legitimate remote user accesses s.cgi where the "tmpl" variable is
-invoked, this rule may generate an event.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to SWSoft ASPSeek 1.04 or later.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-
---
-Additional References:
-
-Bugtraq
-http://www.securityfocus.com/bid/2492
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0476
-
---
diff -Nru snort-2.8.5.2/doc/signatures/805.txt snort-2.9.2/doc/signatures/805.txt
--- snort-2.8.5.2/doc/signatures/805.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/805.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,80 +0,0 @@
-Rule:
-
---
-Sid:
-805
-
---
-Summary:
-This event is generated when an attempt is made to exploit an
-authentication vulnerability in the WebSpeed WSIS Messenger
-Administration Utility.
-
---
-Impact:
-Information gathering and system integrity. Unauthorized administrative
-access to the to the WebSpeed configuration utility can allow an
-attacker to view and change WebSpeed configuration, and possibly stop
-WebSpeed services.
-
---
-Detailed Information:
-The WSIS Messenger Administration Utility is a web-based administration
-utility provided with the Progress WebSpeed 3.0 development environment
-and transaction server. It allows WebSpeed administrators to remotely
-manage the WebSpeed system. The configuration utility has a
-vulnerability that allows unauthenticated users to configure services
-when the WSMAdmin function is invoked using wsisa.dll.
-
---
-Affected Systems:
-Any system running Progress WebSpeed 3.0 WSIS Messenger Administration
-Utility.
-
---
-Attack Scenarios:
-An attacker can access the WSIS Messenger Administration Utility, which
-can then be used to view and change WebSpeed configuration. The attacker
-can potentially stop WebSpeed services.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-If a legitimate remote user accesses the web-based administration
-utility, this rule may generate an event.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disable the WSIS Messenger Administration Utility.
-
-Install the appropriate patch. Patches can be found at
-http://www.progress.com/patches/patchlst/availpatche.html.
-
-Disallow access to the WSIS Messenger Administration Utilility from
-sources external to the protected network.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Nigel Houghton
-
---
-Additional References:
-
-Bugtraq
-http://www.securityfocus.com/bid/969
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0127
-
---
diff -Nru snort-2.8.5.2/doc/signatures/806.txt snort-2.9.2/doc/signatures/806.txt
--- snort-2.8.5.2/doc/signatures/806.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/806.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-
-806
-
---
-Summary:
-This event is generated when an attempt is made to access a file outside the root directory of a webserver running YaBB.cgi.
-
-
---
-Impact:
-
-Information disclosure.
-
---
-Detailed Information:
-
-YaBB.cgi is widely used web-based BBS script. Due to input validation problems in YaBB, a remote attacker can traverse the directory structure and view any files and view any file that a webserver has access to.
-
-This event indicates that a remote attacker has attempted to view a file outside the webservers root directory.
-
---
-Affected Systems:
-
-YaBB YaBB 9.1.2000
-
---
-Attack Scenarios:
-
-An attacker issues the following command on port 80 of the webserver:
-
-GET http://target/cgi-bin/YaBB.pl?board=news&action=display&num=../../../../../../../../etc/passwd%00 HTTP/1.0
-
---
-Ease of Attack:
-
-Simple. No exploit software required.
-
---
-False Positives:
-
-None known.
-
---
-False Negatives:
-
-None known.
-
---
-Corrective Action:
-
-Update to the latest non-affected version of the software.
-
---
-Contributors:
-Original Rule Writer Unknown
-Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/807.txt snort-2.9.2/doc/signatures/807.txt
--- snort-2.8.5.2/doc/signatures/807.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/807.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
-Sid:
-807
-
---
-
-Summary:
-This event is generated when an attempt is made to download the wwwboard password file
-
---
-Impact:
-Information disclosure.
-An attacker could crack the encrypted password and gain access to the wwwboard
-administrator account
-
---
-Detailed Information:
-Releases of WWWBoard (Matt Wright's CGI webboard application) before
-version 2.0 Alpha 2.1 place the encrypted password for the web
-application's administrator in a file called "passwd.txt" accessible
-from the web root.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-Attacker downloads the passwd.txt file and then launches a password
-cracker to brute force the password (the password is encypted via
-crypt(3), and password crackers for this format are ubiquitous). If
-the password is successfully cracked (due to weak passwords or
-significant cracking resources), the attacker will have administrative
-access to the wwwboard web application.
-
---
-Ease of Attack:
-Simple. Exploit software is not required.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Inspect packet to insure that it was an attempt to download the
-password file and not just a webpage discussing WWWBoard.
-Insure that local installations of WWWBoard are current and properly
-configured to not save the password file into a publically-accessible
-area.
-
---
-Contributors:
-Original rule writer unknown
-Original document author unkown
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-CVE: CVE-1999-0953
-Bugtraq: BID 649
-Arachnids: 463
-
---
diff -Nru snort-2.8.5.2/doc/signatures/808.txt snort-2.9.2/doc/signatures/808.txt
--- snort-2.8.5.2/doc/signatures/808.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/808.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-808
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/809.txt snort-2.9.2/doc/signatures/809.txt
--- snort-2.8.5.2/doc/signatures/809.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/809.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-809
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/810.txt snort-2.9.2/doc/signatures/810.txt
--- snort-2.8.5.2/doc/signatures/810.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/810.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-810
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/811.txt snort-2.9.2/doc/signatures/811.txt
--- snort-2.8.5.2/doc/signatures/811.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/811.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-811
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/812.txt snort-2.9.2/doc/signatures/812.txt
--- snort-2.8.5.2/doc/signatures/812.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/812.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-812
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/813.txt snort-2.9.2/doc/signatures/813.txt
--- snort-2.8.5.2/doc/signatures/813.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/813.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-813
-
---
-Summary:
-This event is generated when an attempt is made to execute a directory
-traversal attack.
-
---
-Impact:
-Information disclosure. This is a directory traversal attempt which can
-lead to information disclosure and possible exposure of sensitive
-system information.
-
---
-Detailed Information:
-Directory traversal attacks usually target web, web applications and ftp
-servers that do not correctly check the path to a file when requested by
-the client.
-
-This can lead to the disclosure of sensitive system information which may
-be used by an attacker to further compromise the system.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An authorized user or anonymous user can use the directory traversal
-technique, to browse folders outside the ftp root directory. Information
-gathered may be used in further attacks against the host.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade the software to the latest non-affected version.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/815.txt snort-2.9.2/doc/signatures/815.txt
--- snort-2.8.5.2/doc/signatures/815.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/815.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-815
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/817.txt snort-2.9.2/doc/signatures/817.txt
--- snort-2.8.5.2/doc/signatures/817.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/817.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-817
-
---
-Summary:
-This event is generated when an attempt is made to exploit an
-authentication vulnerability in a web server or an application running
-on that server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a web server or an application running ona web server. Some
-applications do not perform stringent checks when validating the
-credentials of a client host connecting to the services offered on a
-host server. This can lead to unauthorized access and possibly escalated
-privileges to that of the administrator. Data stored on the machine can
-be compromised and trust relationships between the victim server and
-other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/818.txt snort-2.9.2/doc/signatures/818.txt
--- snort-2.8.5.2/doc/signatures/818.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/818.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-818
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/819.txt snort-2.9.2/doc/signatures/819.txt
--- snort-2.8.5.2/doc/signatures/819.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/819.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-819
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/820.txt snort-2.9.2/doc/signatures/820.txt
--- snort-2.8.5.2/doc/signatures/820.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/820.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-820
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/821.txt snort-2.9.2/doc/signatures/821.txt
--- snort-2.8.5.2/doc/signatures/821.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/821.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-821
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/823.txt snort-2.9.2/doc/signatures/823.txt
--- snort-2.8.5.2/doc/signatures/823.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/823.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-823
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/824.txt snort-2.9.2/doc/signatures/824.txt
--- snort-2.8.5.2/doc/signatures/824.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/824.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-824
-
---
-Summary:
-A remote user has tried access the php.cgi script. Some versions
-of this script can allow access to any file the
-server can read.
-
---
-Impact:
-Information disclosure.
-
---
-Detailed Information:
-Because of a design problem in this version of PHP/FI, remote users are
-able to access any file that the UID of the http process has access to.
-The exploit is a simple web request for the file and can be used with
-malicious intent.
-
---
-Affected Systems:
- PHP/FI 2.0
-
---
-Attack Scenarios:
-An attacker can simply pass a file name to the script
-and be able to view the file if the web server has access
-to it. This can be used to obtain passwords or other sensitive
-information.
-
-Example: http://somewebserver/php.cgi?/path/to/desired/file
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade or remove the file php.cgix
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Josh Sakofsky
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS232
-
-Bugraq:
-http://www.securityfocus.com/bid/2250
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0238
-
---
diff -Nru snort-2.8.5.2/doc/signatures/825.txt snort-2.9.2/doc/signatures/825.txt
--- snort-2.8.5.2/doc/signatures/825.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/825.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-825
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/826.txt snort-2.9.2/doc/signatures/826.txt
--- snort-2.8.5.2/doc/signatures/826.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/826.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-826
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/827.txt snort-2.9.2/doc/signatures/827.txt
--- snort-2.8.5.2/doc/signatures/827.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/827.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-827
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/828.txt snort-2.9.2/doc/signatures/828.txt
--- snort-2.8.5.2/doc/signatures/828.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/828.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-828
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/829.txt snort-2.9.2/doc/signatures/829.txt
--- snort-2.8.5.2/doc/signatures/829.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/829.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-829
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/830.txt snort-2.9.2/doc/signatures/830.txt
--- snort-2.8.5.2/doc/signatures/830.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/830.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-830
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/832.txt snort-2.9.2/doc/signatures/832.txt
--- snort-2.8.5.2/doc/signatures/832.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/832.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-832
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/833.txt snort-2.9.2/doc/signatures/833.txt
--- snort-2.8.5.2/doc/signatures/833.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/833.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-833
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/834.txt snort-2.9.2/doc/signatures/834.txt
--- snort-2.8.5.2/doc/signatures/834.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/834.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-834
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/835.txt snort-2.9.2/doc/signatures/835.txt
--- snort-2.8.5.2/doc/signatures/835.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/835.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,66 +0,0 @@
-Rule:
---
-Sid:
-835
-
---
-Summary:
-This event is generated when an attempt is made to
-access to the cgi script test-cgi.
-
---
-Impact:
-Information disclosure.
-
---
-Detailed Information:
-The test-cgi script is provided as part of the Apache web server to
-test that cgi scripts are working. It can provide vital information
-about the configuration of your webserver that may be invaluable to a
-potential attacker.
-
---
-Affected Systems:
- All versions of Apache.
-
---
-Attack Scenarios:
-A standard web request using a browser.
-
-lynx http://victim/cgi-bin/test-cgi
-
-$ telnet victim 80
-Trying 192.168.0.2...
-Connected to victim.
-Escape character is '^]'.
-GET /cgi-bin/test-cgi HTTP/1.0
-
---
-Ease of Attack:
-Simple. Exploit software is not required.
-
---
-False Positives:
-This may trigger on urls containing test-cgi, but are not necessarily
-indicative of an attack. For example,
-http://myhost.org/home/foobar/test-cgi.txt would trigger this rule.
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Determine the need for this script, and remove it if there is no need.
-
---
-Contributors:
-Original rule writer unknown
-Snort documentation contributed by Jon Hart
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/836.txt snort-2.9.2/doc/signatures/836.txt
--- snort-2.8.5.2/doc/signatures/836.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/836.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-836
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/837.txt snort-2.9.2/doc/signatures/837.txt
--- snort-2.8.5.2/doc/signatures/837.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/837.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-837
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/838.txt snort-2.9.2/doc/signatures/838.txt
--- snort-2.8.5.2/doc/signatures/838.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/838.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-838
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/839.txt snort-2.9.2/doc/signatures/839.txt
--- snort-2.8.5.2/doc/signatures/839.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/839.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-839
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running on a web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/840.txt snort-2.9.2/doc/signatures/840.txt
--- snort-2.8.5.2/doc/signatures/840.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/840.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-840
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/841.txt snort-2.9.2/doc/signatures/841.txt
--- snort-2.8.5.2/doc/signatures/841.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/841.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-841
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/842.txt snort-2.9.2/doc/signatures/842.txt
--- snort-2.8.5.2/doc/signatures/842.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/842.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-842
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/843.txt snort-2.9.2/doc/signatures/843.txt
--- snort-2.8.5.2/doc/signatures/843.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/843.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-843
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/844.txt snort-2.9.2/doc/signatures/844.txt
--- snort-2.8.5.2/doc/signatures/844.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/844.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-844
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/845.txt snort-2.9.2/doc/signatures/845.txt
--- snort-2.8.5.2/doc/signatures/845.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/845.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-845
-
---
-Summary:
-This event is generated when an attempt is made to exploit an
-authentication vulnerability in a web server or an application running
-on that server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a web server or an application running ona web server. Some
-applications do not perform stringent checks when validating the
-credentials of a client host connecting to the services offered on a
-host server. This can lead to unauthorized access and possibly escalated
-privileges to that of the administrator. Data stored on the machine can
-be compromised and trust relationships between the victim server and
-other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/846.txt snort-2.9.2/doc/signatures/846.txt
--- snort-2.8.5.2/doc/signatures/846.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/846.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-846
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/847.txt snort-2.9.2/doc/signatures/847.txt
--- snort-2.8.5.2/doc/signatures/847.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/847.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-847
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/848.txt snort-2.9.2/doc/signatures/848.txt
--- snort-2.8.5.2/doc/signatures/848.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/848.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-848
-
---
-Summary:
-This event is generated when an attempt is made to execute a directory
-traversal attack.
-
---
-Impact:
-Information disclosure. This is a directory traversal attempt which can
-lead to information disclosure and possible exposure of sensitive
-system information.
-
---
-Detailed Information:
-Directory traversal attacks usually target web, web applications and ftp
-servers that do not correctly check the path to a file when requested by
-the client.
-
-This can lead to the disclosure of sensitive system information which may
-be used by an attacker to further compromise the system.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An authorized user or anonymous user can use the directory traversal
-technique, to browse folders outside the ftp root directory. Information
-gathered may be used in further attacks against the host.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade the software to the latest non-affected version.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/849.txt snort-2.9.2/doc/signatures/849.txt
--- snort-2.8.5.2/doc/signatures/849.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/849.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-849
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/850.txt snort-2.9.2/doc/signatures/850.txt
--- snort-2.8.5.2/doc/signatures/850.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/850.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-850
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/851.txt snort-2.9.2/doc/signatures/851.txt
--- snort-2.8.5.2/doc/signatures/851.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/851.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-851
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/852.txt snort-2.9.2/doc/signatures/852.txt
--- snort-2.8.5.2/doc/signatures/852.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/852.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-852
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/853.txt snort-2.9.2/doc/signatures/853.txt
--- snort-2.8.5.2/doc/signatures/853.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/853.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-853
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/854.txt snort-2.9.2/doc/signatures/854.txt
--- snort-2.8.5.2/doc/signatures/854.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/854.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-854
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/856.txt snort-2.9.2/doc/signatures/856.txt
--- snort-2.8.5.2/doc/signatures/856.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/856.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-856
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/857.txt snort-2.9.2/doc/signatures/857.txt
--- snort-2.8.5.2/doc/signatures/857.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/857.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-857
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/858.txt snort-2.9.2/doc/signatures/858.txt
--- snort-2.8.5.2/doc/signatures/858.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/858.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-858
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/859.txt snort-2.9.2/doc/signatures/859.txt
--- snort-2.8.5.2/doc/signatures/859.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/859.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-859
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/860.txt snort-2.9.2/doc/signatures/860.txt
--- snort-2.8.5.2/doc/signatures/860.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/860.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-860
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/861.txt snort-2.9.2/doc/signatures/861.txt
--- snort-2.8.5.2/doc/signatures/861.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/861.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-861
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/862.txt snort-2.9.2/doc/signatures/862.txt
--- snort-2.8.5.2/doc/signatures/862.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/862.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -862 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/863.txt snort-2.9.2/doc/signatures/863.txt --- snort-2.8.5.2/doc/signatures/863.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/863.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -863 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/864.txt snort-2.9.2/doc/signatures/864.txt --- snort-2.8.5.2/doc/signatures/864.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/864.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -864 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/865.txt snort-2.9.2/doc/signatures/865.txt --- snort-2.8.5.2/doc/signatures/865.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/865.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -865 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/866.txt snort-2.9.2/doc/signatures/866.txt --- snort-2.8.5.2/doc/signatures/866.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/866.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -866 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/867.txt snort-2.9.2/doc/signatures/867.txt --- snort-2.8.5.2/doc/signatures/867.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/867.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -867 - --- -Summary: -This event is generated when an attempt is made to exploit an -authentication vulnerability in a web server or an application running -on that server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a web server or an application running ona web server. Some -applications do not perform stringent checks when validating the -credentials of a client host connecting to the services offered on a -host server. This can lead to unauthorized access and possibly escalated -privileges to that of the administrator. Data stored on the machine can -be compromised and trust relationships between the victim server and -other hosts can be exploited by the attacker. - --- -Affected Systems: - --- -Attack Scenarios: -An attacker can access the authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Disallow administrative access from sources external to the protected -network. - -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/868.txt snort-2.9.2/doc/signatures/868.txt --- snort-2.8.5.2/doc/signatures/868.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/868.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -868 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/869.txt snort-2.9.2/doc/signatures/869.txt --- snort-2.8.5.2/doc/signatures/869.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/869.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -869 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/870.txt snort-2.9.2/doc/signatures/870.txt --- snort-2.8.5.2/doc/signatures/870.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/870.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -870 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/871.txt snort-2.9.2/doc/signatures/871.txt --- snort-2.8.5.2/doc/signatures/871.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/871.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -871 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/872.txt snort-2.9.2/doc/signatures/872.txt --- snort-2.8.5.2/doc/signatures/872.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/872.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -872 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/873.txt snort-2.9.2/doc/signatures/873.txt --- snort-2.8.5.2/doc/signatures/873.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/873.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -873 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/875.txt snort-2.9.2/doc/signatures/875.txt --- snort-2.8.5.2/doc/signatures/875.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/875.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -875 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/877.txt snort-2.9.2/doc/signatures/877.txt --- snort-2.8.5.2/doc/signatures/877.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/877.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -877 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/878.txt snort-2.9.2/doc/signatures/878.txt --- snort-2.8.5.2/doc/signatures/878.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/878.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -878 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/879.txt snort-2.9.2/doc/signatures/879.txt --- snort-2.8.5.2/doc/signatures/879.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/879.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -879 - --- -Summary: -This event is generated when an attempt is made to exploit an -authentication vulnerability in a web server or an application running -on that server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a web server or an application running ona web server. Some -applications do not perform stringent checks when validating the -credentials of a client host connecting to the services offered on a -host server. This can lead to unauthorized access and possibly escalated -privileges to that of the administrator. Data stored on the machine can -be compromised and trust relationships between the victim server and -other hosts can be exploited by the attacker. - --- -Affected Systems: - --- -Attack Scenarios: -An attacker can access the authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Disallow administrative access from sources external to the protected -network. - -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/880.txt snort-2.9.2/doc/signatures/880.txt --- snort-2.8.5.2/doc/signatures/880.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/880.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -880 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/881.txt snort-2.9.2/doc/signatures/881.txt --- snort-2.8.5.2/doc/signatures/881.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/881.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,72 +0,0 @@ -Rule: - --- -Sid: -881 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Guide to network resource tools: -http://www.acad.bg/beginner/gnrt/specialist/archie.html - --- diff -Nru snort-2.8.5.2/doc/signatures/882.txt snort-2.9.2/doc/signatures/882.txt --- snort-2.8.5.2/doc/signatures/882.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/882.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -882 - --- -Summary: -This event is generated when an attempt is made to access a web -application that may lead to exploitation of the application. - --- -Impact: -Potentially harmful execution of binaries through perl open() - --- -Detailed Information: -An open source calendar perl script by Matt Kruse, Allows commands to be executed without input verification using the perl open() function. ie /cgi-bin/calendar_admin.pl place the string "|ping 127.0.0.1|" in the configuration file field, this executes the command "ping 127.0.0.1" - --- -Affected Systems: -Any web server running the application. - --- -Attack Scenarios: -An unauthenticated user can execute arbitrary programs on the server by accessing calendar_admin.pl and inputting commands such as "|mail /etc/passwd|" into the configuration file field. - --- -Ease of Attack: -Simple. No exploit software required. - --- -False Positives: -If your webserver has pages by the name of calendar* this rule will -fire often. Many sites now use calendar applications and this rule may -generate a large number of false positives, it does not distinguish -between perl cgi applications and php scripts. Consider tuning this rule -for your site if it is generating a large number of false positives. If -you use a calendar application, consider changing the name of the script -to something other than "calendar". - --- -False Negatives: -None known. 
- --- -Corrective Action: -Download a newer version of the cgi - --- -Contributors: -Original Rule Writer Unknown -Snort documentation contributed by Aaron Navratil (Initial Research) -Snort documentation contributed by Josh Gray (Edits) -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0432 - -Bugtraq: -http://online.securityfocus.com/bid/1215 - --- diff -Nru snort-2.8.5.2/doc/signatures/883.txt snort-2.9.2/doc/signatures/883.txt --- snort-2.8.5.2/doc/signatures/883.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/883.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -883 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/884.txt snort-2.9.2/doc/signatures/884.txt --- snort-2.8.5.2/doc/signatures/884.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/884.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -884 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the CGI web application Formmail running on a server. - --- -Impact: -Several vulnerabilities include server access, information -disclosure, spam relaying and mail anonymizing. - --- -Detailed Information: -This event is generated when an attempt is made to access the perl cgi -script Formmail. Early versions (1.6 and prior) had several vulnerabilities -(Spam engine, ability to run commands under server id and set -environment variables) and should be upgraded immediately. Newer -versions can still be used by spammers for anonymizing email and -defeating email relay controls. - --- -Affected Systems: - All systems running Formmail - --- -Attack Scenarios: -Information can be appended to the URL to use your -mail gateway avoiding SMTP relay controls. HTTP header information can -be manipulated to avoid access control methods in script. Allows SMTP -exploits that are normally available only to trusted (local) users such -as Sendmail % hack. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -Legitimate use of the script can cause alerts. Verify -packet payload and watch web/mailserver logfiles. - --- -False Negatives: -If the name of the script has been changed this rule will not generate -an event. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton -Snort documentation contributed by Kevin Binsfield (IDS@Safedge.com) - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/885.txt snort-2.9.2/doc/signatures/885.txt --- snort-2.8.5.2/doc/signatures/885.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/885.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -885 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/886.txt snort-2.9.2/doc/signatures/886.txt --- snort-2.8.5.2/doc/signatures/886.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/886.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -886 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/887.txt snort-2.9.2/doc/signatures/887.txt --- snort-2.8.5.2/doc/signatures/887.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/887.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,72 +0,0 @@ -Rule: - --- -Sid: -887 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -WWW-SQL: -http://grox.net/doc/web/www-sql.html - --- diff -Nru snort-2.8.5.2/doc/signatures/888.txt snort-2.9.2/doc/signatures/888.txt --- snort-2.8.5.2/doc/signatures/888.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/888.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -888 - --- -Summary: -This event is generated when an attempt is made to exploit an -authentication vulnerability in a web server or an application running -on that server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a web server or an application running ona web server. Some -applications do not perform stringent checks when validating the -credentials of a client host connecting to the services offered on a -host server. This can lead to unauthorized access and possibly escalated -privileges to that of the administrator. Data stored on the machine can -be compromised and trust relationships between the victim server and -other hosts can be exploited by the attacker. - --- -Affected Systems: - --- -Attack Scenarios: -An attacker can access the authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Disallow administrative access from sources external to the protected -network. - -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/889.txt snort-2.9.2/doc/signatures/889.txt --- snort-2.8.5.2/doc/signatures/889.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/889.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -889 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/890.txt snort-2.9.2/doc/signatures/890.txt --- snort-2.8.5.2/doc/signatures/890.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/890.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -890 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running on a web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/891.txt snort-2.9.2/doc/signatures/891.txt --- snort-2.8.5.2/doc/signatures/891.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/891.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,76 +0,0 @@ -Rule: - --- -Sid: -891 - --- -Summary: -This event is generated when an attempt is made to access the file -upload.pl via a web browser. - --- -Impact: -Information gathering. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited -by the attacker. - -This event indicates an attempt to access the CGI application upload.pl, -this perl script can be used to upload files to a system and may be used -by an attacker to place files of their choosing onto a server for -further use. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Ensure that access controls are in place to limit access to the -application to authorized users only. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/892.txt snort-2.9.2/doc/signatures/892.txt --- snort-2.8.5.2/doc/signatures/892.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/892.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -892 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/893.txt snort-2.9.2/doc/signatures/893.txt --- snort-2.8.5.2/doc/signatures/893.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/893.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,78 +0,0 @@ -Rule: - --- -Sid: -893 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the CGI web application webdist.cgi running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited -by the attacker. - -In particular this event is generated when an attempt is made to access -"MachineInfo" using the CGI application webdist.cgi, distributed with -IRIX operating systems using the package IRIX Mindshare OutBox. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - IRIX 5.x - IRIX 6.x - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -CERT: -http://www.cert.org/advisories/CA-1997-12.html - --- diff -Nru snort-2.8.5.2/doc/signatures/894.txt snort-2.9.2/doc/signatures/894.txt --- snort-2.8.5.2/doc/signatures/894.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/894.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,52 +0,0 @@ -Rule: --- -Sid: -894 - --- -Summary: -This event is generated when an attempt is made to display historical -information from a Big Brother system monitor host. - --- -Impact: -Information Disclosure. - --- -Detailed Information: -Big Brother is a monitoring system used by many organisations. It records both current and historical information about monitored hosts on a network. Access to the system status is via a series of web pages and CGI scripts. Version 1.09b & 1.09c contained a bug in bb-hist.sh that could be made to display files accessible by the user under which the CGI script is run. - --- -Attack Scenarios: -A malicious user could use this vulnerability to gain more information about the Big Brother host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known - --- -Corrective Action: -Upgrade to a later version of Big Brother at least 1.09d - --- -Contributors: -Original rule writer unknown -Original document author unkown -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: -url,http://bb4.com/ -cve,CAN-1999-1462 - - --- diff -Nru snort-2.8.5.2/doc/signatures/895.txt snort-2.9.2/doc/signatures/895.txt --- snort-2.8.5.2/doc/signatures/895.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/895.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-895
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/896.txt snort-2.9.2/doc/signatures/896.txt
--- snort-2.8.5.2/doc/signatures/896.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/896.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-896
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/897.txt snort-2.9.2/doc/signatures/897.txt
--- snort-2.8.5.2/doc/signatures/897.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/897.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-897
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/898.txt snort-2.9.2/doc/signatures/898.txt
--- snort-2.8.5.2/doc/signatures/898.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/898.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-898
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/899.txt snort-2.9.2/doc/signatures/899.txt
--- snort-2.8.5.2/doc/signatures/899.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/899.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-899
-
---
-Summary:
-This event is generated when an attempt is made to execute a directory
-traversal attack.
-
---
-Impact:
-Information disclosure. This is a directory traversal attempt which can
-lead to information disclosure and possible exposure of sensitive
-system information.
-
---
-Detailed Information:
-Directory traversal attacks usually target web, web applications and ftp
-servers that do not correctly check the path to a file when requested by
-the client.
-
-This can lead to the disclosure of sensitive system information which may
-be used by an attacker to further compromise the system.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An authorized user or anonymous user can use the directory traversal
-technique, to browse folders outside the ftp root directory. Information
-gathered may be used in further attacks against the host.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade the software to the latest non-affected version.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/900.txt snort-2.9.2/doc/signatures/900.txt
--- snort-2.8.5.2/doc/signatures/900.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/900.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-900
-
---
-Summary:
-This event is generated when an attempt is made to execute a directory
-traversal attack.
-
---
-Impact:
-Information disclosure. This is a directory traversal attempt which can
-lead to information disclosure and possible exposure of sensitive
-system information.
-
---
-Detailed Information:
-Directory traversal attacks usually target web, web applications and ftp
-servers that do not correctly check the path to a file when requested by
-the client.
-
-This can lead to the disclosure of sensitive system information which may
-be used by an attacker to further compromise the system.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An authorized user or anonymous user can use the directory traversal
-technique, to browse folders outside the ftp root directory. Information
-gathered may be used in further attacks against the host.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade the software to the latest non-affected version.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/901.txt snort-2.9.2/doc/signatures/901.txt
--- snort-2.8.5.2/doc/signatures/901.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/901.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-901
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/902.txt snort-2.9.2/doc/signatures/902.txt
--- snort-2.8.5.2/doc/signatures/902.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/902.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-902
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/903.txt snort-2.9.2/doc/signatures/903.txt
--- snort-2.8.5.2/doc/signatures/903.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/903.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-903
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a ColdFusion web server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Coldfusion. Many known vulnerabilities exist for this platform and
-the attack scenarios are legion.
-
---
-Affected Systems:
- All systems running ColdFusion
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/904.txt snort-2.9.2/doc/signatures/904.txt
--- snort-2.8.5.2/doc/signatures/904.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/904.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-904
-
---
-Summary:
-This event is generated when an attempt is made to access an Example
-application on a Coldfusion 4.x server.
-
---
-Impact:
-Serious. The vulnerability is not limited to files in the webspace, so
-system files or additional unexecuted code files could be retrieved and
-examined for vulnerabilities.
-
---
-Detailed Information:
-ColdFusion (Macromedia, formerly Allaire) web servers have several
-default Example applications installed that have vulnerabilities. The
-email application can be exploited to allow remote viewing of arbitrary
-files.
-
---
-Affected Systems:
-ColdFusion versions 4.0 thru 4.5 (4.5.1 is not vulnerable), on all
-supported platforms
-
---
-Attack Scenarios:
-The file at cfdocs/exampleapp/email/application.cfm includes a page,
-cfdocs/exampleapp/email/getfile.cfm, that can accept URL-mangled
-requests like:
-
-http://www.server.com/cfdocs/exampleapp/email/getfile.cfm?filename=c:\boot.ini
-
-This allows trivial remote retrieval of any file on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-If ColdFusion 4.x's example code is being used, This rule will generate
-an event.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Delete all example code. This is one of several significant
-vulnerabilities that are exploitable if the example code is left on a
-production server.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Darryl Davidson
-
---
-Additional References: CAN-2001-0535
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0535
-
---
diff -Nru snort-2.8.5.2/doc/signatures/905.txt snort-2.9.2/doc/signatures/905.txt
--- snort-2.8.5.2/doc/signatures/905.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/905.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,78 +0,0 @@
-Rule:
-
---
-Sid:
-905
-
---
-Summary:
-This event is generated when an attempt is made to access an Example
-application on a Coldfusion 4.x server.
-
-This 'Web Publish Example Script' can be exploited to allow the attacker
-to upload arbitrary files to the server.
-
---
-Impact:
-Serious: The vulnerability allows custom code to be uploaded to the
-server.
-
---
-Detailed Information:
-ColdFusion (Macromedia, formerly Allaire) web servers have several
-default Example applications installed that have vulnerabilities. The
-'Web Publish Example script' application can be exploited to allow the
-uploading of arbitrary files.
-
-See Macromedia Security Bulletin (MPSB01-08) for complete information.
-
-
---
-Affected Systems:
- ColdFusion versions 2.x, 3.x, 4.x for Windows
- ColdFusion versions 4.x for Solaris, HP-UX
- ColdFusion versions 4.5.x for Linux
- Expression Evaluator Patch (ASB99-01)
-
---
-Attack Scenarios:
-The web application allows file uploading via a URL like this:
-
-http://www.target.com/CFDOCS/exampleapps/publish/admin/application.cfm
-
-Once the file has been uploaded, it can be executed by crafting a 2nd
-URL to the uploaded file.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-If ColdFusion 4.x's example code is being used, This rule will generate
-an event.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Delete all example code. This is one of several significant
-vulnerabilities that are exploitable if the example code is left on a
-production server.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Darryl Davidson
-
---
-Additional References:
-
-Macromedia Security Bulletin (MPSB01-08)
-http://www.macromedia.com/devnet/security/security_zone/mpsb01-08.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/906.txt snort-2.9.2/doc/signatures/906.txt
--- snort-2.8.5.2/doc/signatures/906.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/906.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,76 +0,0 @@
-Rule:
-
---
-Sid:
-906
-
---
-Summary:
-This event is generated when an attempt is made to access an Example
-application on a Coldfusion 4.x server.
-
---
-Impact:
-Serious. The vulnerability is not limited to files in the webspace, so
-system files or additional unexecuted code files could be retrieved and
-examined for vulnerabilities.
-
---
-Detailed Information:
-ColdFusion (Macromedia, formerly Allaire) web servers have several
-default Example applications installed that have vulnerabilities. The
-email application can be exploited to allow remote viewing of arbitrary
-files.
-
-
---
-Affected Systems:
- ColdFusion versions 2.x, 3.x, 4.x for Windows
- ColdFusion versions 4.x for Solaris, HP-UX
- ColdFusion versions 4.5.x for Linux
-
---
-Attack Scenarios:
-The example application file cfdocs/exampleapp/email/getfile.cfm can
-accept URL-mangled requests like:
-
-http://www.server.com/cfdocs/exampleapp/email/getfile.cfm?filename=c:\boot.ini
-
-This allows trivial remote retrieval of any file on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-If ColdFusion 4.x's example code is being used, This rule will generate
-an event.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Delete all example code. This is one of several significant
-vulnerabilities that are exploitable if the example code is left on a
-production server.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Darryl Davidson
-
---
-Additional References:
-
-CAN-2001-0535
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0535
-
-Macromedia Security Bulletin (MPSB01-08)
-http://www.macromedia.com/devnet/security/security_zone/mpsb01-08.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/907.txt snort-2.9.2/doc/signatures/907.txt
--- snort-2.8.5.2/doc/signatures/907.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/907.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,79 +0,0 @@
-Rule:
-
---
-Sid:
-907
-
---
-Summary:
-This event is generated when an attempt is made to access an Example
-application on a Coldfusion 4.x server. The 'Web Publish Example Script'
-can be exploited to allow the attacker to upload an arbitrary file to
-the server.
-
---
-Impact:
-Serious. The vulnerability allows custom code to be uploaded to the
-server.
-
---
-Detailed Information:
-ColdFusion (Macromedia, formerly Allaire) web servers have several
-default Example applications installed that have vulnerabilities. The
-'Web Publish Example script' application can be exploited to allow the
-uploading of arbitrary files.
-
-See Macromedia Security Bulletin (MPSB01-08) for complete information.
-
---
-Affected Systems:
- ColdFusion versions 2.x, 3.x, 4.x for Windows
- ColdFusion versions 4.x for Solaris, HP-UX
- ColdFusion versions 4.5.x for Linux
- Expression Evaluator Patch (ASB99-01)
-
---
-Attack Scenarios:
-The web application allows file uploading via a URL like this:
-
-http://www.target.com/CFDOCS/exampleapps/publish/admin/addcontent.cfm
-
-Once the file has been uploaded, it can be executed by crafting a 2nd
-URL to the uploaded file.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-If ColdFusion 4.x's example code is being used, This rule will generate
-an event.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Delete all example code. This is one of several significant
-vulnerabilities that are exploitable if the example code is left on a
-production server.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Darryl Davidson
-
---
-Additional References:
-
-Macromedia Security Bulletin (MPSB01-08)
-http://www.macromedia.com/devnet/security/security_zone/mpsb01-08.html
-
-CAN-2001-0535
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0535
-
---
diff -Nru snort-2.8.5.2/doc/signatures/908.txt snort-2.9.2/doc/signatures/908.txt
--- snort-2.8.5.2/doc/signatures/908.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/908.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,81 +0,0 @@
-Rule:
-
---
-Sid:
-908
-
---
-Summary:
-This event is generated when an attempt is made to access the
-administrator screens for Coldfusion server. A long password can cause
-a Denial-of-Service.
-
---
-Impact:
-Denial of Service (DoS). While the risk as a target for password attacks is minor, the administrator login mechanism can be jammed by long passwords, leading to a DoS for the server.
-
---
-Detailed Information:
-ColdFusion's administrator interface is reachable via:
-
-http://www.target.com/CFIDE/administrator/index.cfm
-
-It is recommended that access to these pages be restricted to trusted
-IP addresses to prevent them being targets for password attacks.
-
-Further, long passwords create a Denial-of-Service state in the server
-temporarily.
-
-See Macromedia Security Bulletin (MPSB01-08) for complete information.
-
---
-Affected Systems:
-ColdFusion versions 4.x for Windows, Solaris, HP-UX, Linux
-
---
-Attack Scenarios:
-The attacker can access the administration interface for the server and
-gain control of the application.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-At minimum, restrict access to the administrator mechanism from within
-the ColdFusion administrator screens. Only internal, trusted users
-should be allowed access. For further protections, use the security
-capabilities of the webserver or the OS to restrict access to the
-CFIDE/administrator directory when not needed, or copy/remove the
-CFIDE/administrator directory completely off the server when not in use
-(it will be necessary to reload the directory before accessing admin
-functions, of course).
-
-http://www.macromedia.com/support/coldfusion/ts/documents/tn17254.htm
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Darryl Davidson
-
---
-Additional References:
-
-Allaire Security Bulletin (ASB00-14)
-http://www.macromedia.com/devnet/security/security_zone/asb00-14.html
-
-CVE-2000-0538
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0538
-
---
diff -Nru snort-2.8.5.2/doc/signatures/909.txt snort-2.9.2/doc/signatures/909.txt
--- snort-2.8.5.2/doc/signatures/909.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/909.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-SID:
-909
---
-
-Rule:
---
-
-Summary:
-This even indicates an attempt to exploit undocumented CFML tags on a
-Allaire ColdFusion Server
---
-
-Impact:
-Extensive server data retrieval including settings and passwords
---
-
-Detailed Information:
-Undocumented CFML tags allow reading and decryption of sensitive data
-contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This
-data can be accesses by constructing a hosted application that accesses
-these undocumented tags with the possibility of changing values on the
-server and reading admin and studio passwords
---
-
-Affected Systems:
- Allaire ColdFusion Server 2.0 - 4.0.1
---
-
-Attack Scenarios:
-A user with permission to create pages on the server installs an
-application that accesses the undocumented CFML tags, accessing this
-application would allow viewing and possible modifications of these
-settings
---
-
-Ease of Attack:
-Medium, Attackers need the ability to add files to the server. No "In
-the Wild" exploits were available at type of writing
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Patches are available from Allaire, install them.
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/910.txt snort-2.9.2/doc/signatures/910.txt
--- snort-2.8.5.2/doc/signatures/910.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/910.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-910
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a ColdFusion web server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Coldfusion. Many known vulnerabilities exist for this platform and
-the attack scenarios are legion.
-
---
-Affected Systems:
- All systems running ColdFusion
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/911.txt snort-2.9.2/doc/signatures/911.txt
--- snort-2.8.5.2/doc/signatures/911.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/911.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-911
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a ColdFusion web server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Coldfusion. Many known vulnerabilities exist for this platform and
-the attack scenarios are legion.
-
---
-Affected Systems:
- All systems running ColdFusion
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/912.txt snort-2.9.2/doc/signatures/912.txt
--- snort-2.8.5.2/doc/signatures/912.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/912.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-912
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a ColdFusion web server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Coldfusion. Many known vulnerabilities exist for this platform and
-the attack scenarios are legion.
-
---
-Affected Systems:
- All systems running ColdFusion
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/913.txt snort-2.9.2/doc/signatures/913.txt
--- snort-2.8.5.2/doc/signatures/913.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/913.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-913
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a ColdFusion web server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Coldfusion. Many known vulnerabilities exist for this platform and
-the attack scenarios are legion.
-
---
-Affected Systems:
- All systems running ColdFusion
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/914.txt snort-2.9.2/doc/signatures/914.txt
--- snort-2.8.5.2/doc/signatures/914.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/914.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-914
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a ColdFusion web server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Coldfusion. Many known vulnerabilities exist for this platform and
-the attack scenarios are legion.
-
---
-Affected Systems:
- All systems running ColdFusion
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/915.txt snort-2.9.2/doc/signatures/915.txt
--- snort-2.8.5.2/doc/signatures/915.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/915.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-915
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a ColdFusion web server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Coldfusion. Many known vulnerabilities exist for this platform and
-the attack scenarios are legion.
-
---
-Affected Systems:
- All systems running ColdFusion
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/916.txt snort-2.9.2/doc/signatures/916.txt
--- snort-2.8.5.2/doc/signatures/916.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/916.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-SID:
-916
---
-
-Rule:
---
-
-Summary:
-This even indicates an attempt to exploit undocumented CFML tags on a
-Allaire ColdFusion Server
---
-
-Impact:
-Extensive server data retrieval including settings and passwords
---
-
-Detailed Information:
-Undocumented CFML tags allow reading and decryption of sensitive data
-contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This
-data can be accesses by constructing a hosted application that accesses
-these undocumented tags with the possibility of changing values on the
-server and reading admin and studio passwords
---
-
-Affected Systems:
- Allaire ColdFusion Server 2.0 - 4.0.1
---
-
-Attack Scenarios:
-A user with permission to create pages on the server installs an
-application that accesses the undocumented CFML tags, accessing this
-application would allow viewing and possible modifications of these
-settings
---
-
-Ease of Attack:
-Medium, Attackers need the ability to add files to the server. No "In
-the Wild" exploits were available at type of writing
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Patches are available from Allaire, install them.
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/917.txt snort-2.9.2/doc/signatures/917.txt
--- snort-2.8.5.2/doc/signatures/917.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/917.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-SID:
-917
---
-
-Rule:
---
-
-Summary:
-This even indicates an attempt to exploit undocumented CFML tags on a
-Allaire ColdFusion Server
---
-
-Impact:
-Extensive server data retrieval including settings and passwords
---
-
-Detailed Information:
-Undocumented CFML tags allow reading and decryption of sensitive data
-contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This
-data can be accesses by constructing a hosted application that accesses
-these undocumented tags with the possibility of changing values on the
-server and reading admin and studio passwords
---
-
-Affected Systems:
- Allaire ColdFusion Server 2.0 - 4.0.1
---
-
-Attack Scenarios:
-A user with permission to create pages on the server installs an
-application that accesses the undocumented CFML tags, accessing this
-application would allow viewing and possible modifications of these
-settings
---
-
-Ease of Attack:
-Medium, Attackers need the ability to add files to the server. No "In
-the Wild" exploits were available at type of writing
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Patches are available from Allaire, install them.
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/918.txt snort-2.9.2/doc/signatures/918.txt
--- snort-2.8.5.2/doc/signatures/918.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/918.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-SID:
-918
---
-
-Rule:
---
-
-Summary:
-This even indicates an attempt to exploit undocumented CFML tags on a
-Allaire ColdFusion Server
---
-
-Impact:
-Extensive server data retrieval including settings and passwords
---
-
-Detailed Information:
-Undocumented CFML tags allow reading and decryption of sensitive data
-contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This
-data can be accesses by constructing a hosted application that accesses
-these undocumented tags with the possibility of changing values on the
-server and reading admin and studio passwords
---
-
-Affected Systems:
- Allaire ColdFusion Server 2.0 - 4.0.1
---
-
-Attack Scenarios:
-A user with permission to create pages on the server installs an
-application that accesses the undocumented CFML tags, accessing this
-application would allow viewing and possible modifications of these
-settings
---
-
-Ease of Attack:
-Medium, Attackers need the ability to add files to the server. No "In
-the Wild" exploits were available at type of writing
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Patches are available from Allaire, install them.
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/919.txt snort-2.9.2/doc/signatures/919.txt
--- snort-2.8.5.2/doc/signatures/919.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/919.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-SID:
-919
---
-
-Rule:
---
-
-Summary:
-This even indicates an attempt to exploit undocumented CFML tags on a
-Allaire ColdFusion Server
---
-
-Impact:
-Extensive server data retrieval including settings and passwords
---
-
-Detailed Information:
-Undocumented CFML tags allow reading and decryption of sensitive data
-contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This
-data can be accesses by constructing a hosted application that accesses
-these undocumented tags with the possibility of changing values on the
-server and reading admin and studio passwords
---
-
-Affected Systems:
- Allaire ColdFusion Server 2.0 - 4.0.1
---
-
-Attack Scenarios:
-A user with permission to create pages on the server installs an
-application that accesses the undocumented CFML tags, accessing this
-application would allow viewing and possible modifications of these
-settings
---
-
-Ease of Attack:
-Medium, Attackers need the ability to add files to the server. No "In
-the Wild" exploits were available at type of writing
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Patches are available from Allaire, install them.
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/920.txt snort-2.9.2/doc/signatures/920.txt
--- snort-2.8.5.2/doc/signatures/920.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/920.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-SID:
-920
---
-
-Rule:
---
-
-Summary:
-This even indicates an attempt to exploit undocumented CFML tags on a
-Allaire ColdFusion Server
---
-
-Impact:
-Extensive server data retrieval including settings and passwords
---
-
-Detailed Information:
-Undocumented CFML tags allow reading and decryption of sensitive data
-contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This
-data can be accesses by constructing a hosted application that accesses
-these undocumented tags with the possibility of changing values on the
-server and reading admin and studio passwords
---
-
-Affected Systems:
- Allaire ColdFusion Server 2.0 - 4.0.1
---
-
-Attack Scenarios:
-A user with permission to create pages on the server installs an
-application that accesses the undocumented CFML tags, accessing this
-application would allow viewing and possible modifications of these
-settings
---
-
-Ease of Attack:
-Medium, Attackers need the ability to add files to the server. No "In
-the Wild" exploits were available at type of writing
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Patches are available from Allaire, install them.
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/921.txt snort-2.9.2/doc/signatures/921.txt
--- snort-2.8.5.2/doc/signatures/921.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/921.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-921
-
---
-Summary:
-This event is generated when an attempt is made to exploit an
-authentication vulnerability in a web server or an application running
-on that server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a web server or an application running ona web server. Some
-applications do not perform stringent checks when validating the
-credentials of a client host connecting to the services offered on a
-host server. This can lead to unauthorized access and possibly escalated
-privileges to that of the administrator. Data stored on the machine can
-be compromised and trust relationships between the victim server and
-other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/922.txt snort-2.9.2/doc/signatures/922.txt
--- snort-2.8.5.2/doc/signatures/922.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/922.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-SID:
-922
---
-
-Rule:
---
-
-Summary:
-This even indicates an attempt to exploit undocumented CFML tags on a
-Allaire ColdFusion Server
---
-
-Impact:
-Extensive server data retrieval including settings and passwords
---
-
-Detailed Information:
-Undocumented CFML tags allow reading and decryption of sensitive data
-contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This
-data can be accesses by constructing a hosted application that accesses
-these undocumented tags with the possibility of changing values on the
-server and reading admin and studio passwords
---
-
-Affected Systems:
- Allaire ColdFusion Server 2.0 - 4.0.1
---
-
-Attack Scenarios:
-A user with permission to create pages on the server installs an
-application that accesses the undocumented CFML tags, accessing this
-application would allow viewing and possible modifications of these
-settings
---
-
-Ease of Attack:
-Medium, Attackers need the ability to add files to the server. No "In
-the Wild" exploits were available at type of writing
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Patches are available from Allaire, install them.
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/923.txt snort-2.9.2/doc/signatures/923.txt
--- snort-2.8.5.2/doc/signatures/923.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/923.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-SID:
-923
---
-
-Rule:
---
-
-Summary:
-This even indicates an attempt to exploit undocumented CFML tags on a
-Allaire ColdFusion Server
---
-
-Impact:
-Extensive server data retrieval including settings and passwords
---
-
-Detailed Information:
-Undocumented CFML tags allow reading and decryption of sensitive data
-contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This
-data can be accesses by constructing a hosted application that accesses
-these undocumented tags with the possibility of changing values on the
-server and reading admin and studio passwords
---
-
-Affected Systems:
- Allaire ColdFusion Server 2.0 - 4.0.1
---
-
-Attack Scenarios:
-A user with permission to create pages on the server installs an
-application that accesses the undocumented CFML tags, accessing this
-application would allow viewing and possible modifications of these
-settings
---
-
-Ease of Attack:
-Medium, Attackers need the ability to add files to the server. No "In
-the Wild" exploits were available at type of writing
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Patches are available from Allaire, install them.
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/924.txt snort-2.9.2/doc/signatures/924.txt
--- snort-2.8.5.2/doc/signatures/924.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/924.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-924
-
---
-Summary:
-This event is generated when an attempt is made to exploit an
-authentication vulnerability in a web server or an application running
-on that server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a web server or an application running ona web server. Some
-applications do not perform stringent checks when validating the
-credentials of a client host connecting to the services offered on a
-host server. This can lead to unauthorized access and possibly escalated
-privileges to that of the administrator. Data stored on the machine can
-be compromised and trust relationships between the victim server and
-other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/925.txt snort-2.9.2/doc/signatures/925.txt
--- snort-2.8.5.2/doc/signatures/925.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/925.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-925
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a ColdFusion web server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Coldfusion. Many known vulnerabilities exist for this platform and
-the attack scenarios are legion.
-
---
-Affected Systems:
- All systems running ColdFusion
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/926.txt snort-2.9.2/doc/signatures/926.txt
--- snort-2.8.5.2/doc/signatures/926.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/926.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-SID:
-926
---
-
-Rule:
---
-
-Summary:
-This even indicates an attempt to exploit undocumented CFML tags on a
-Allaire ColdFusion Server
---
-
-Impact:
-Extensive server data retrieval including settings and passwords
---
-
-Detailed Information:
-Undocumented CFML tags allow reading and decryption of sensitive data
-contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This
-data can be accesses by constructing a hosted application that accesses
-these undocumented tags with the possibility of changing values on the
-server and reading admin and studio passwords
---
-
-Affected Systems:
- Allaire ColdFusion Server 2.0 - 4.0.1
---
-
-Attack Scenarios:
-A user with permission to create pages on the server installs an
-application that accesses the undocumented CFML tags, accessing this
-application would allow viewing and possible modifications of these
-settings
---
-
-Ease of Attack:
-Medium, Attackers need the ability to add files to the server. No "In
-the Wild" exploits were available at type of writing
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Patches are available from Allaire, install them.
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/927.txt snort-2.9.2/doc/signatures/927.txt
--- snort-2.8.5.2/doc/signatures/927.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/927.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-SID:
-927
---
-
-Rule:
---
-
-Summary:
-This even indicates an attempt to exploit undocumented CFML tags on a
-Allaire ColdFusion Server
---
-
-Impact:
-Extensive server data retrieval including settings and passwords
---
-
-Detailed Information:
-Undocumented CFML tags allow reading and decryption of sensitive data
-contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This
-data can be accesses by constructing a hosted application that accesses
-these undocumented tags with the possibility of changing values on the
-server and reading admin and studio passwords
---
-
-Affected Systems:
- Allaire ColdFusion Server 2.0 - 4.0.1
---
-
-Attack Scenarios:
-A user with permission to create pages on the server installs an
-application that accesses the undocumented CFML tags, accessing this
-application would allow viewing and possible modifications of these
-settings
---
-
-Ease of Attack:
-Medium, Attackers need the ability to add files to the server. No "In
-the Wild" exploits were available at type of writing
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Patches are available from Allaire, install them.
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/928.txt snort-2.9.2/doc/signatures/928.txt
--- snort-2.8.5.2/doc/signatures/928.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/928.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-928
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a ColdFusion web server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Coldfusion. Many known vulnerabilities exist for this platform and
-the attack scenarios are legion.
-
---
-Affected Systems:
- All systems running ColdFusion
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/929.txt snort-2.9.2/doc/signatures/929.txt
--- snort-2.8.5.2/doc/signatures/929.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/929.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-SID:
-929
---
-
-Rule:
---
-
-Summary:
-This even indicates an attempt to exploit undocumented CFML tags on a
-Allaire ColdFusion Server
---
-
-Impact:
-Extensive server data retrieval including settings and passwords
---
-
-Detailed Information:
-Undocumented CFML tags allow reading and decryption of sensitive data
-contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This
-data can be accesses by constructing a hosted application that accesses
-these undocumented tags with the possibility of changing values on the
-server and reading admin and studio passwords
---
-
-Affected Systems:
- Allaire ColdFusion Server 2.0 - 4.0.1
---
-
-Attack Scenarios:
-A user with permission to create pages on the server installs an
-application that accesses the undocumented CFML tags, accessing this
-application would allow viewing and possible modifications of these
-settings
---
-
-Ease of Attack:
-Medium, Attackers need the ability to add files to the server. No "In
-the Wild" exploits were available at type of writing
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Patches are available from Allaire, install them.
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/930.txt snort-2.9.2/doc/signatures/930.txt
--- snort-2.8.5.2/doc/signatures/930.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/930.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-930
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a ColdFusion web server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Coldfusion. Many known vulnerabilities exist for this platform and
-the attack scenarios are legion.
-
---
-Affected Systems:
- All systems running ColdFusion
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/931.txt snort-2.9.2/doc/signatures/931.txt
--- snort-2.8.5.2/doc/signatures/931.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/931.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-931
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a ColdFusion web server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Coldfusion. Many known vulnerabilities exist for this platform and
-the attack scenarios are legion.
-
---
-Affected Systems:
- All systems running ColdFusion
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/932.txt snort-2.9.2/doc/signatures/932.txt
--- snort-2.8.5.2/doc/signatures/932.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/932.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-932
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a ColdFusion web server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Coldfusion. Many known vulnerabilities exist for this platform and
-the attack scenarios are legion.
-
---
-Affected Systems:
- All systems running ColdFusion
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/933.txt snort-2.9.2/doc/signatures/933.txt
--- snort-2.8.5.2/doc/signatures/933.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/933.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-933
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a ColdFusion web server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Coldfusion. Many known vulnerabilities exist for this platform and
-the attack scenarios are legion.
-
---
-Affected Systems:
- All systems running ColdFusion
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/935.txt snort-2.9.2/doc/signatures/935.txt
--- snort-2.8.5.2/doc/signatures/935.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/935.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-935
-
---
-Summary:
-This event is generated when an attempt is made to exploit an
-authentication vulnerability in a web server or an application running
-on that server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a web server or an application running ona web server. Some
-applications do not perform stringent checks when validating the
-credentials of a client host connecting to the services offered on a
-host server. This can lead to unauthorized access and possibly escalated
-privileges to that of the administrator. Data stored on the machine can
-be compromised and trust relationships between the victim server and
-other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/936.txt snort-2.9.2/doc/signatures/936.txt
--- snort-2.8.5.2/doc/signatures/936.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/936.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-936
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a ColdFusion web server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Coldfusion. Many known vulnerabilities exist for this platform and
-the attack scenarios are legion.
-
---
-Affected Systems:
- All systems running ColdFusion
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/937.txt snort-2.9.2/doc/signatures/937.txt
--- snort-2.8.5.2/doc/signatures/937.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/937.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-937
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
---
-Affected Systems:
- All systems running Microsoft FrontPage Server Extensions
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/939.txt snort-2.9.2/doc/signatures/939.txt
--- snort-2.8.5.2/doc/signatures/939.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/939.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,78 +0,0 @@
-Rule:
-
---
-Sid:
-939
-
---
-
-Summary:
-This event is generated when an attempt is made to use a Frontpage
-client to connect and/or publish content to a Frontpage Server
-Extensions-enabled IIS web server.
-
---
-
-Impact:
-An attacker can modify your web content, access privileged files or
-modify other users' privileges on the Frontpage-enabled virtual host.
-
---
-
-Detailed Information:
-Microsoft Frontpage is a web-content managing and publishing
-application, which also comes with server extensions for Microsoft IIS
-and Apache web servers. The extensions enable the servers to display
-dynamic content, as well as perform certain levels of web-server
-administration.
-
---
-
-Affected Systems:
-All systems running FPSE on IIS.
-
---
-
-Attack Scenarios:
-An attacker can gain the FPSE username and password via sniffing, social
-engineering or brute force guessing. After successfully logging on to
-the system, the attacker can alter web contents, modify login
-information for other users and generally control the web server.
-
---
-
-Ease of Attack:
-After gaining the login credentials the attack is trivial.
-
---
-
-False Positives:
-If FrontPage authoring is allowed from resources external to the
-protected network this rule will generate an event.
-
---
-
-False Negatives:
-not known.
-
---
-
-Corrective Action:
-Disable FPSE if it is not needed for web-content management.
-
---
-
-Contributors:
-Original Rule Writer Unknown
-Snort documentation contributed by Chaos
-Sourcefire Research Team
-Nigel Houghton
-
---
-
-Additional References:
-
-eEye Digital Security:
-http://www.eeye.com/html/research/advisories/AD20001222.html
-
---
diff -Nru snort-2.8.5.2/doc/signatures/940.txt snort-2.9.2/doc/signatures/940.txt
--- snort-2.8.5.2/doc/signatures/940.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/940.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-940
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
---
-Affected Systems:
- All systems running Microsoft FrontPage Server Extensions
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/941.txt snort-2.9.2/doc/signatures/941.txt
--- snort-2.8.5.2/doc/signatures/941.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/941.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-941
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
---
-Affected Systems:
- All systems running Microsoft FrontPage Server Extensions
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/942.txt snort-2.9.2/doc/signatures/942.txt
--- snort-2.8.5.2/doc/signatures/942.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/942.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-942
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
---
-Affected Systems:
- All systems running Microsoft FrontPage Server Extensions
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/943.txt snort-2.9.2/doc/signatures/943.txt
--- snort-2.8.5.2/doc/signatures/943.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/943.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-943
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
-In this case an attempt is being made to access the executable file
-fpsvradm.exe from resources external to the protected network.
-
---
-Affected Systems:
- All systems running Microsoft FrontPage Server Extensions
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft:
-http://www.microsoft.com/resources/documentation/office/2000/all/reskit/en-us/75t4_3.mspx
-
---
diff -Nru snort-2.8.5.2/doc/signatures/944.txt snort-2.9.2/doc/signatures/944.txt
--- snort-2.8.5.2/doc/signatures/944.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/944.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-944
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
-In this case an attempt is being made to access the executable file
-fpremadm.exe from resources external to the protected network.
-
---
-Affected Systems:
- All systems running Microsoft FrontPage Server Extensions
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft:
-http://www.microsoft.com/resources/documentation/office/2000/all/reskit/en-us/75t4_5.mspx
-
---
diff -Nru snort-2.8.5.2/doc/signatures/945.txt snort-2.9.2/doc/signatures/945.txt
--- snort-2.8.5.2/doc/signatures/945.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/945.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-945
-
---
-Summary:
-This event is generated when an attempt is made to exploit an
-authentication vulnerability in a web server or an application running
-on that server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a web server or an application running ona web server. Some
-applications do not perform stringent checks when validating the
-credentials of a client host connecting to the services offered on a
-host server. This can lead to unauthorized access and possibly escalated
-privileges to that of the administrator. Data stored on the machine can
-be compromised and trust relationships between the victim server and
-other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/946.txt snort-2.9.2/doc/signatures/946.txt
--- snort-2.8.5.2/doc/signatures/946.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/946.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-946
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
---
-Affected Systems:
- All systems running Microsoft FrontPage Server Extensions
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/947.txt snort-2.9.2/doc/signatures/947.txt
--- snort-2.8.5.2/doc/signatures/947.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/947.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-947
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
---
-Affected Systems:
- All systems running Microsoft FrontPage Server Extensions
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/948.txt snort-2.9.2/doc/signatures/948.txt
--- snort-2.8.5.2/doc/signatures/948.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/948.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-948
-
---
-
-Summary:
-This event is generated when an attempt is made to access a file with
-Microsoft Frontpage form results.
-
---
-
-Impact:
-If successful, the attacker can read sensitive data users have posted
-via forms within the Frontpage web.
-
---
-
-Detailed Information:
-On systems running Microsoft Frontpage Extensions on IIS or Apache web
-servers users can insert forms into web pages and have their data saved
-into a text file (/_private/form_results.txt) which can later be read or
-emailed to the user. If direct access to the file is possible, the
-attacker may read the sensitive data posted from the form.
-
---
-
-Affected Systems:
-All systems running FPSE.
-
---
-
-Attack Scenarios:
-An attacker can request the file from its standard location, entering
-the exact URL.
-
---
-
-Ease of Attack:
-Simple. No exploit software required.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Disable direct access to the file /_private/form_results.txt
-
-Restrict access to the file using password protection.
-
---
-
-Contributors:
-Original Rule Writer Unknown
-Snort documentation contributed by Chaos
-
---
-
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/949.txt snort-2.9.2/doc/signatures/949.txt
--- snort-2.8.5.2/doc/signatures/949.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/949.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-949
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
---
-Affected Systems:
- All systems running Microsoft FrontPage Server Extensions
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/950.txt snort-2.9.2/doc/signatures/950.txt
--- snort-2.8.5.2/doc/signatures/950.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/950.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-950
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
---
-Affected Systems:
- All systems running Microsoft FrontPage Server Extensions
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/951.txt snort-2.9.2/doc/signatures/951.txt
--- snort-2.8.5.2/doc/signatures/951.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/951.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,83 +0,0 @@ -Rule: - --- -Sid: -951 - --- - -Summary: -This event is generated when an attempt is made to access a file with -Microsoft Personal Web Server login information. - --- - -Impact: -If successful, the attacker can log into the system and modify web -content. - --- - -Detailed Information: -On systems running Microsoft Personal Web Server the file authors.pwd -contains usernames and encrypted passwords for users who can author the -contents on this server. The attacker can guess the exact URL of this -file and request it, hence gaining insecure information. - --- - -Affected Systems: -Certain versions of Microsoft Windows 95 or Windows 98 running Personal -Web Server 4.0. Windows NT installations are not affected. - --- - -Attack Scenarios: -An attacker can request the file from its standard location, entering -the exact URL, and gain access to the system after cracking the -passwords found in the file. - --- - -Ease of Attack: -Simple. - --- - -False Positives: -None known. - --- - -False Negatives: -None known. - --- - -Corrective Action: -Apply the appropriate vendor supplied patch. - --- - -Contributors: -Original Rule Writer Unknown -Snort documentation contributed by Chaos - --- - -Additional References: - -Official fix: -http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS99-010.asp - - -Nessus: -http://cgi.nessus.org/plugins/dump.php3?id=10078 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0386 - - - - --- diff -Nru snort-2.8.5.2/doc/signatures/952.txt snort-2.9.2/doc/signatures/952.txt --- snort-2.8.5.2/doc/signatures/952.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/952.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,78 +0,0 @@
-Rule:
-
---
-Sid:
-952
-
---
-
-Summary:
-This event is generated when an attempt is made to use a Frontpage
-client to connect and/or publish content to a web server with Frontpage
-Server Extensions-enabled.
-
---
-
-Impact:
-An attacker can modify web content, access privileged files or modify
-other users' privileges on the Frontpage-enabled virtual host.
-
---
-
-Detailed Information:
-Microsoft Frontpage is a web-content managing and publishing
-application, which also comes with server extensions for Microsoft IIS
-and Apache web servers. The extensions enable the servers to display
-dynamic content, as well as perform certain levels of web-server
-administration.
-
---
-
-Affected Systems:
-All systems running FPSE.
-
---
-
-Attack Scenarios:
-An attacker can gain the FPSE username and password via sniffing, social
-engineering or brute force guessing. After successfully logging on to
-the system, the attacker can alter web contents, modify login
-information for other users and generally control the web server.
-
---
-
-Ease of Attack:
-After gaining the login credentials the attack is trivial.
-
---
-
-False Positives:
-If FrontPage authoring is allowed from resources external to the
-protected network this rule will generate an event.
-
---
-
-False Negatives:
-Not known.
-
---
-
-Corrective Action:
-Disable FPSE if it is not needed for web-content management.
-
---
-
-Contributors:
-Original Rule Writer Unknown
-Snort documentation contributed by Chaos
-Sourcefire Research Team
-Nigel Houghton
-
---
-
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/2144
-
---
diff -Nru snort-2.8.5.2/doc/signatures/953.txt snort-2.9.2/doc/signatures/953.txt
--- snort-2.8.5.2/doc/signatures/953.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/953.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,80 +0,0 @@
-Rule:
-
---
-Sid:
-953
-
---
-
-Summary:
-This event is generated when an attempt is made to access a file with
-Microsoft Personal Server administration information.
-
---
-
-Impact:
-If successful, the attacker can log into the system and modify web
-content, as well as modify other users' credentials.
-
---
-
-Detailed Information:
-On systems running Microsoft Personal Web Server the file
-administrators.pwd contains usernames and encrypted passwords for users
-who can author contents and administer this server. The attacker can
-guess the exact URL of this file and request it, hence gaining this
-information.
-
---
-
-Affected Systems:
-Certain versions of Microsoft Windows 95 or Windows 98 running Frontpage
-1.1 or Frontpage 98 Server Extensions. Windows NT installations are not
-affected.
-
---
-
-Attack Scenarios:
-An attacker can request the file from its standard location, entering
-the exact URL, and gain access to the system after cracking the
-passwords found in the file.
-
---
-
-Ease of Attack:
-Simple. No exploit software required.
-
---
-
-False Positives:
-None known.
-
---
-
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Disable the Personal Web Server.
-
---
-
-Contributors:
-Original Rule Writer Unknown
-Snort documentation contributed by Chaos
-Sourcefire Research Team
-Nigel Houghton
-
---
-
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/1205/info/
-
-
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/954.txt snort-2.9.2/doc/signatures/954.txt
--- snort-2.8.5.2/doc/signatures/954.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/954.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-954
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
---
-Affected Systems:
- All systems running Microsoft FrontPage Server Extensions
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/955.txt snort-2.9.2/doc/signatures/955.txt
--- snort-2.8.5.2/doc/signatures/955.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/955.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-955
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
---
-Affected Systems:
- Systems using Microsoft FrontPage Server Extensions 98
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft:
-http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q188/2/57.ASP&NoWebContent=1&NoWebContent=1
-
---
diff -Nru snort-2.8.5.2/doc/signatures/956.txt snort-2.9.2/doc/signatures/956.txt
--- snort-2.8.5.2/doc/signatures/956.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/956.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-956
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
---
-Affected Systems:
- All systems running Microsoft FrontPage Server Extensions
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/957.txt snort-2.9.2/doc/signatures/957.txt
--- snort-2.8.5.2/doc/signatures/957.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/957.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-957
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
---
-Affected Systems:
- All systems running Microsoft FrontPage Server Extensions
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/958.txt snort-2.9.2/doc/signatures/958.txt
--- snort-2.8.5.2/doc/signatures/958.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/958.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,76 +0,0 @@
-Rule:
---
-Sid:
-958
-
---
-
-Summary:
-This event is generated when an attempt is made to access a file with
-sensitive information on a webserver with Microsoft Frontpage extensions
-enabled.
-
---
-
-Impact:
-If successful, the attacker can read sensitive data about the Frontpage web.
-
---
-
-Detailed Information:
-On systems running Microsoft Frontpage Extensions on IIS or Apache web
-servers the file _vti_pvt/service.cnf exists which may contain sensitive
-information about the web server. This file is meant to be only used
-internally by FPSE and never directly by the user.
-
---
-
-Affected Systems:
- Systems using Microsoft FrontPage Server Extensions 98
-
---
-
-Attack Scenarios:
-An attacker can request the file from its standard location, entering the exact URL.
-
---
-
-Ease of Attack:
-Simple. No exploit software required.
-
---
-
-False Positives:
-None known.
-
---
-
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Disable direct access to the file /_vti_pvt/service.cnf.
-
---
-
-Contributors:
-Original Rule Writer Unknown
-Snort documentation contributed by Chaos
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-
-Additional References:
-
-Microsoft:
-http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q188/2/57.ASP&NoWebContent=1&NoWebContent=1
-
-
-
-
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/959.txt snort-2.9.2/doc/signatures/959.txt
--- snort-2.8.5.2/doc/signatures/959.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/959.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-959
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
---
-Affected Systems:
- All systems running Microsoft FrontPage Server Extensions
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/960.txt snort-2.9.2/doc/signatures/960.txt
--- snort-2.8.5.2/doc/signatures/960.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/960.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-960
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
-This event is generated when an attempt is made to retrieve the file
-service.stp. This file contains sensitive information concerning the
-location of other sensitive files that contain group and password
-information.
-
---
-Affected Systems:
- CERN and NCSA servers using Microsoft FrontPage Server Extensions
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Special FrontPage directories and Storage Locations:
-http://www.rtr.com/fpsupport/serk4.0/apndx05.htm
-
---
diff -Nru snort-2.8.5.2/doc/signatures/961.txt snort-2.9.2/doc/signatures/961.txt
--- snort-2.8.5.2/doc/signatures/961.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/961.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-961
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
---
-Affected Systems:
- Systems using Microsoft FrontPage Server Extensions 98
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft:
-http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q188/2/57.ASP&NoWebContent=1&NoWebContent=1
-
---
diff -Nru snort-2.8.5.2/doc/signatures/962.txt snort-2.9.2/doc/signatures/962.txt
--- snort-2.8.5.2/doc/signatures/962.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/962.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-962
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
---
-Affected Systems:
- All systems running Microsoft FrontPage Server Extensions
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/963.txt snort-2.9.2/doc/signatures/963.txt
--- snort-2.8.5.2/doc/signatures/963.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/963.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-963
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
-This event indicates that an attempt has been made to access the file
-svcacl.cnf which may contain sensitive information about the host and
-applications using the FrontPage extensions.
-
-Svcacl.cnf contains data about permissions and IP address restrictions
-on all of the sub-webs. This information would be very valuable to a
-hacker and could be used to plan future attacks.
-
---
-Affected Systems:
- Systems using Microsoft FrontPage Server Extensions 98
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-Ricky McAtee
-
---
-Additional References:
-
-Microsoft:
-http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q188/2/57.ASP&NoWebContent=1&NoWebContent=1
-
---
diff -Nru snort-2.8.5.2/doc/signatures/964.txt snort-2.9.2/doc/signatures/964.txt
--- snort-2.8.5.2/doc/signatures/964.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/964.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-964
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
-This event is generated when an attempt is made to retrieve the file
-users.pwd. This file contains user password information.
-
---
-Affected Systems:
- Windows 98 using Microsoft FrontPage Server Extensions
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft:
-http://support.microsoft.com/default.aspx?scid=kb;en-us;144190
-
---
diff -Nru snort-2.8.5.2/doc/signatures/965.txt snort-2.9.2/doc/signatures/965.txt
--- snort-2.8.5.2/doc/signatures/965.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/965.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-965
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
---
-Affected Systems:
- Systems using Microsoft FrontPage Server Extensions 98
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft:
-http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q188/2/57.ASP&NoWebContent=1&NoWebContent=1
-
---
diff -Nru snort-2.8.5.2/doc/signatures/966.txt snort-2.9.2/doc/signatures/966.txt
--- snort-2.8.5.2/doc/signatures/966.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/966.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-966
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
---
-Affected Systems:
- All systems running Microsoft FrontPage Server Extensions
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.8.5.2/doc/signatures/967.txt snort-2.9.2/doc/signatures/967.txt
--- snort-2.8.5.2/doc/signatures/967.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/967.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-Rule:
---
-Sid:
-967
-
---
-Summary:
-dvwssr.dll is a component installed with Windows NT Option Pack 4.0,
-Personal Web Server for Windows 95 and 98 and Front Page 98 Server
-Extensions. This component is vulnerable to a buffer overflow which
-may allow for the execution of arbitrary code that would run in the
-context of the system account.
-
---
-Impact:
-Serious. Execution of arbitrary code and Denial of Service (DoS).
-
---
-Detailed Information:
-As with an abundance of other exploits related to Microsoft's Internet
-Information Services and web server based implementations, it is
-possible for an attacker to run code of choice against the vulnerable
-web server. It is also possible to use this exploit to stop the remote
-server from responding which would result in a DoS.
-
---
-Attack Scenarios:
-
-
---
-Ease of Attack:
-This attack would require for both the dvwssr.dll file to reside on the
-web server and for the correct permissions to be in place in order for
-the attack to be successful. Using a script to send continued requests
-for the file dvwssr.dll would make a denial of service attack fairly
-easy.
-
---
-False Positives:
-Web requests or web based applications which use dvwssr.dll in a context
-which in not malicious in nature.
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Remove dvwssr.dll from the web server and test all necessary
-functionality. See additional references for more information.
-
---
-Contributors:
-Original rule writer unknown
-Snort documentation contributed by Chris Arsenault and Josh Gray
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
-
---
-Additional References:
-
-Security Focus BugTraq ID
-http://www.securityfocus.com/bid/1109
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0260
-
-Microsoft ms00-025
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-025.asp
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/968.txt snort-2.9.2/doc/signatures/968.txt
--- snort-2.8.5.2/doc/signatures/968.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/968.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-968
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
---
-Affected Systems:
- All systems running Microsoft FrontPage Server Extensions 98
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft:
-http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q188/2/57.ASP&NoWebContent=1
-
---
diff -Nru snort-2.8.5.2/doc/signatures/969.txt snort-2.9.2/doc/signatures/969.txt
--- snort-2.8.5.2/doc/signatures/969.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/969.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-969
-
---
-Summary:
-This event is generated when an attempt is made to request a file by the HTTP LOCK method.
-
---
-Impact:
-Denial of service. Repeated successful attempts can consume all CPU resources subsequently crashing the victim server.
-
---
-Detailed Information:
-The WebDAV (Web Distributed Authoring and Versioning) component of Microsoft's Internet Information Services (IIS) provides extensions to the HTTP protocol allowing users to edit and manage files on the remote web server. A specially crafted request processed by WebDAV can consume CPU resources on the web server host causing it to crash.
-
---
-Affected Systems:
-Windows 2000 systems running IIS 5.0.
-
---
-Attack Scenarios:
-An attacker can craft an HTTP request processed by WebDAV that exhausts CPU resources and causes the system to crash.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Consider using the IIS Lockdown Tool to disable WebDAV if it is not necessary.
-
-Download and install the appropriate patch mentioned in the Microsoft bulletin.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq
-http://www.securityfocus.com/bid/2736
-
-Microsoft
-http://www.microsoft.com/technet/security/bulletin/ms01-016.asp
-
---
diff -Nru snort-2.8.5.2/doc/signatures/970.txt snort-2.9.2/doc/signatures/970.txt
--- snort-2.8.5.2/doc/signatures/970.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/970.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-1283
-
---
-Summary:
-This event is generated when an attempt is made to cause a denial of service of WWW Publishing Service and IIS Administration software.
-
---
-Impact:
-Denial of service. This attack may cause a vulnerable server to stop.
-
---
-Detailed Information:
-Outlook Web Access (OWA) is an optional feature of Microsoft Exchange Server that allows a user to access mail through a web interface supported by Internet Information Services (IIS). A denial of service of the support software WWW Publishing service and IIS Administration can occur when a user enters a long string of '%' characters in the Log On field in OWA and enters these characcters in the username and password field received in the NT challenge dialog.
-
---
-Affected Systems:
-Microsoft Exchange Server 5.5 and Microsoft Exchange Server 5.5 SP1, SP2, SP3, SP4
-
---
-Attack Scenarios:
-An attacker can enter a long string of '%' characters in OWA Log On and challenge fields to cause a denial of service against a vulnerable server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to the most current version of Microsoft Exchange Server.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq
-http://www.securityfocus.com/bid/3223
-
---
diff -Nru snort-2.8.5.2/doc/signatures/971.txt snort-2.9.2/doc/signatures/971.txt
--- snort-2.8.5.2/doc/signatures/971.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/971.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,62 +0,0 @@
-Rule:
---
-Sid:
-971
-
---
-
-Summary:
-This event is generated when an attempt is made to compromise a web
-server running IIS 5.0 by exploiting the ".printer" bug.
-
---
-Impact:
-Serious. Remote unauthorized administrative access.
-
---
-Detailed Information:
-With the increasing pervasion of the Internet, vendors are adding
-features into their software to support the networked world.
-Microsoft's initial implementation of one such feature were the
-".printer" extensions on IIS 5.0 that first shipped with Windows 2000.
-
-A bug exsisted in the initial release that could result in remote system
-level access to the web server. A patch has been released that fixes
-this bug.
-
---
-Attack Scenarios:
-A hacker could use this vulnerability to get a remote, system level
-command prompt on the server.
-
---
-Ease of Attack:
-Simple. Exploit software exists.
-
---
-False Positives:
-There are legitimate uses of the ".printer" feature, though it is
-unknown how widely it is used. You should know if this feature is
-implemented on your web servers.
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Install latest patches from the vendor, or disable the ".printer" extensions using the IIS administration tool.
-
---
-Contributors:
-Original rule writer unknown
-Original document author unkown
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-Vendor Security Bulletin: MS01-023
-Bugtraq Archive: url,http://www.securityfocus.com/archive/1/181937
-
---
diff -Nru snort-2.8.5.2/doc/signatures/972.txt snort-2.9.2/doc/signatures/972.txt
--- snort-2.8.5.2/doc/signatures/972.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/972.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-Will be obsolete when httpinspect is used
-Rule:
-
---
-Sid:
-972
-
---
-Summary:
-This event is generated when an attempt is made to access an Active Server Page (ASP) .asp file when the period is hex encoded as "%2e".
-
---
-Impact:
-Intelligence gathering activity. A vulnerability exists that discloses the .asp file contents when it is reference using the "%2e" hex encoding.
-
---
-Detailed Information:
-Microsoft Internet Information Service (IIS) uses Active Server Page to supply HTML and server-side scripting. ASP files use a .asp extension. When the period of the .asp is hex-encoded with a "%2e" to reference an ASP file, the contents of the file are disclosed.
-
---
-Affected Systems:
-Hosts running IIS 3.0
-
---
-Attack Scenarios:
-An attacker can attempt use the hex-encoded reference to the .asp file to see the contents of the file. Sensitive information may by disclosed depending on the selected file.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to a more current version of IIS.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0253
-
-Bugtraq:
-http://www.securityfocus.com/bid/1814
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/973.txt snort-2.9.2/doc/signatures/973.txt
--- snort-2.8.5.2/doc/signatures/973.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/973.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-973
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow associated with a file with a .idc extension.
-
---
-Impact:
-Remote access. This attack may permit the execution of arbitrary commands on the victim server.
-
---
-Detailed Information:
-Microsoft Internet Information Service (IIS) supports files extensions including .idc that call the ISM.DLL. A buffer overflow vulnerability exists in ISM.DLL code when it receives a malformed request, permitting the execution of arbitrary code.
-
---
-Affected Systems:
-IIS 4.0 hosts
-
---
-Attack Scenarios:
-An attacker can send a malformed request of a .idc file that causes a buffer overflow.
-
---
-Ease of Attack:
-Simple. Exploit code is freely available.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to a more current version of IIS.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0874
-
-Bugtraq:
-http://www.securityfocus.com/bid/307
-
---
diff -Nru snort-2.8.5.2/doc/signatures/974.txt snort-2.9.2/doc/signatures/974.txt
--- snort-2.8.5.2/doc/signatures/974.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/974.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@ -Comment - move to deleted rules - applies to IIS 1.0 and decode/inspect should now find this. -Rule: - - --- -Sid: -974 - --- -Summary: -This event is generated when an attempt is made to peform a denial of service against Internet Information Service (IIS) 1.0 hosts. - --- -Impact: -Denial of service. This attack may cause an IIS 1.0 server to crash. - --- -Detailed Information: -IIS 1.0 servers are vulnerable to a denial of service attack when a malformed request containing "..\.." is sent to the server. The service must be restarted to restore functionality. - --- -Affected Systems: -IIS 1.0 Servers - --- -Attack Scenarios: -An attacker can send a malformed request to a vulnerable IIS server to cause a denial of service. - --- -Ease of Attack: -Simple. Send a request similar to this: GET ..\.. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Upgrade to a more current version of IIS. - --- -Contributors: -Original rule writer unknown -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0229 - -Bugtraq: -http://www.securityfocus.com/bid/2218 - --- diff -Nru snort-2.8.5.2/doc/signatures/975.txt snort-2.9.2/doc/signatures/975.txt --- snort-2.8.5.2/doc/signatures/975.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/975.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,66 +0,0 @@ -Should be obsolete when httpinspect is used -Rule: - --- -Sid: -975 - --- -Summary: -This event is generated when an attempt is made to access an Active Server Page (ASP) .asp file to disclose its contents. - --- -Impact: -Intelligence gathering activity. A vulnerability exists that discloses the .asp file contents when the file name is appended with "::$DATA". - --- -Detailed Information: -Microsoft Internet Information Service (IIS) uses Active Server Page to supply HTML and server-side scripting. ASP files use a .asp extension. When the file name is appended with "::$DATA", the contents of the file are disclosed instead of executing the .asp file. - --- -Affected Systems: -Hosts running IIS 3.0, IIS 4.0 - --- -Attack Scenarios: -An attacker can attempt to reference a .asp file appended with "::$DATA" to see the contents of the file. Sensitive information may by disclosed depending on the selected file. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Upgrade to a more current version of IIS. - --- -Contributors: -Original rule writer unknown -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Microsoft -http://support.microsoft.com/default.aspx?scid=kb;EN-US;q188806 - -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0278 - -Bugtraq -http://www.securityfocus.com/bid/149 - -Nessus -http://cgi.nessus.org/plugins/dump.php3?id=10362 - --- diff -Nru snort-2.8.5.2/doc/signatures/976.txt snort-2.9.2/doc/signatures/976.txt --- snort-2.8.5.2/doc/signatures/976.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/976.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,66 +0,0 @@ -Rule: - --- -Sid: -976 - --- -Summary: -This event is generated when an attempt is made to reference a .bat file to execute arbitrary commands on an Internet Information Services (IIS) server. - --- -Impact: -Remote access. This attack can execute arbitrary commands on the IIS server with the privileges of the user running IIS. - --- -Detailed Information: -Microsoft Internet Information Service (IIS) uses .bat and .cmd to execute code using the Common Gateway Interface (CGI). A .bat file or .cmd file can be passed a malicious command to be executed on the server. This is accomplished by preceding the malicious command with an ampersand. This allows execution of arbitrary commands with the privileges of the user running IIS. - --- -Affected Systems: -Hosts running IIS 1.0 - --- -Attack Scenarios: -An attacker can pass a .bat or .cmd file a malicious command to be executed. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Upgrade to a more current version of IIS. - --- -Contributors: -Original rule writer unknown -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Microsoft -http://support.microsoft.com/support/kb/articles/Q148/1/88.asp -http://support.microsoft.com/support/kb/articles/Q155/0/56.asp - -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0233 - -Bugtraq -http://www.securityfocus.com/bid/2023 - -Nessus -http://cgi.nessus.org/plugins/dump.php3?id=10362 - --- diff -Nru snort-2.8.5.2/doc/signatures/977.txt snort-2.9.2/doc/signatures/977.txt --- snort-2.8.5.2/doc/signatures/977.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/977.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: 977 - - --- -Summary: -This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). - --- -Impact: -Information gathering possible administrator access. - --- -Detailed Information: -This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS. - -The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information. - -The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information. - -Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources. - --- -Affected Systems: -Any host using IIS. - --- -Attack Scenarios: -An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files. - -Ensure that the IIS implementation is fully patched. - -Ensure that the underlying operating system is fully patched. - -Employ strategies to harden the IIS implementation and operating system. - -Check the host for signs of compromise. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/978.txt snort-2.9.2/doc/signatures/978.txt --- snort-2.8.5.2/doc/signatures/978.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/978.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Will %20 disappear with httpinspect? -Rule: - --- -Sid: -978 - --- -Summary: -This event is generated when an attempt is made to disclose the contents of a file on an Internet Information Service (IIS) host. - --- -Impact: -Intelligence gathering activity. This attack can display the contents of an Activer Server Page (ASP) file or other files located on the server. - --- -Detailed Information: -A vulnerability exists in Windows NT 4.0 Option Pack and Windows 2000 Index Server. The Index Server is a search engine used by IIS that allows a user's browser to search for text in HTML and other documents. The Index Server has a Hit-Hightlighting component that highlights the text that satisifies the user's query. A vulnerability exists in the webhits.dll file that allows disclosure of file contents when a URL is crafted to contain a hex-encoded space "%20" after the file name passed to webhits.dll and setting 'CiHiliteType' to 'Full' and 'CiRestriction' to 'none' - --- -Affected Systems: -Hosts running Microsoft Index Server 2.0 - --- -Attack Scenarios: -An attacker can attempt to disclose the contents of a file by crafting a special URL to access the Hit-Highlighting component of the Index Server. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Apply the patch discussed in the referenced Microsoft Bulletin. 
- --- -Contributors: -Original rule writer unknown -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Bugtraq -http://www.securityfocus.com/bid/1084 - -CVE -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0302 - -Microsoft -http://www.microsoft.com/technet/security/bulletin/ms00-006.asp - --- diff -Nru snort-2.8.5.2/doc/signatures/979.txt snort-2.9.2/doc/signatures/979.txt --- snort-2.8.5.2/doc/signatures/979.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/979.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: -979 - --- -Summary: -This event is generated when an attempt is made to exploit a cross-site scripting vulnerability associated with a file having a .htw extension. - --- -Impact: -Cross-site scripting. This attack may allow the execution of arbitrary commands on a victim host that visits a vulnerable server. - --- -Detailed Information: -The Microsoft Indexing Service is vulnerable to a cross-site scripting exploit because of a failure to properly filter user input associated with files with a .htw extension. This vulnerability is associated with Indexing Service component (CiWebHitsFile). This may allow an attacker to execute abitrary code on the victim host that visits the vulnerable server. - --- - -Affected Systems: -Microsoft Indexing Services for Windows NT 4.0 and Windows 2000 - - --- -Attack Scenarios: -An attacker can inject malicious code in a vulernable server. This may allow execution of arbitrary code on the victim host that visits the vulnerable server. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Apply the patch discussed in the referenced Microsoft Bulletin. - - --- -Contributors: -Original rule writer unknown -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Bugtraq -http://www.securityfocus.com/bid/1861 - -CVE -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0942 - -Microsoft -http://www.microsoft.com/technet/security/bulletin/ms00-084.asp - --- diff -Nru snort-2.8.5.2/doc/signatures/980.txt snort-2.9.2/doc/signatures/980.txt --- snort-2.8.5.2/doc/signatures/980.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/980.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Rule: - - --- -Sid: -980 - --- -Summary: -This event is generated when an attempt is made to disclose the contents of a file on an host running Stalkerlab's CGIMail server. - --- -Impact: -Intelligence gathering activity. This attack can display the contents of a file on the server. - --- -Detailed Information: - -Stalkerlab's CGIMail is a CGI program that permits an HTTP server to send SMTP mail using the data from the HTLM form. A vulnerability exits in the CGImail.exe program that can disclose the contents of files on the web server. This can be accomplished by locally modifying the Web page that sends data to the SMTP server. The modifications would include setting specific variable values to file names that the attacker wishes to examine. - - --- -Affected Systems: -Hosts running Stalkerlab CGIMail 1.1.2 - --- -Attack Scenarios: -An attacker can modify an HTML form used by Stalkerlab CGIMail that passes data to the SMTP server. This can permit disclosure of file contents on the server. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -No known remedy or patch is available. - - --- -Contributors: -Original rule writer unknown -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Bugtraq -http://www.securityfocus.com/bid/1623 - -CVE -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0726 - --- diff -Nru snort-2.8.5.2/doc/signatures/981.txt snort-2.9.2/doc/signatures/981.txt --- snort-2.8.5.2/doc/signatures/981.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/981.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -981 - --- -Summary: -This event is generated when an attempt is made use a unicode encoded representaion of a "/" in a URL request. This may permit an attacker to navigate to files and directories outside the web root of a vulnerable Internet Information Services (IIS) server. - --- -Impact: -Remote access. This attack can allow an attacker to execute commands a vulnerable IIS server. - --- -Detailed Information: -User access should be restricted to an assigned web root directory and subdirectories when interacting with a web server. Attackers who attempt to perform directory traversals outside the web root should be denied access. A vulnerability exists in IIS web servers that allows directory traversal outside the web root directory when unicode encoding of specific characters is used. This particular attack uses the unicode encoding of the "/" to escape the web root. This may permit an attacker to execute commands on the vulnerable server. - --- -Affected Systems: -IIS 4.0, 5.0 servers - --- -Attack Scenarios: -An attacker can unicode encode a directory traversal character permitting execution of commands on the IIS server. - --- -Ease of Attack: -Simple. -GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Apply the patch referenced in the Microsoft link. - --- -Contributors: -Original rule writer unknown -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -CVE -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0084 - -Microsoft -http://www.microsoft.com/technet/security/bulletin/ms00-078.asp - --- diff -Nru snort-2.8.5.2/doc/signatures/982.txt snort-2.9.2/doc/signatures/982.txt --- snort-2.8.5.2/doc/signatures/982.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/982.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -982 - --- -Summary: -This event is generated when an attempt is made use a unicode encoded representaion of a "\" in a URL request. This may permit an attacker to navigate to files and directories outside the web root of a vulnerable Internet Information Services (IIS) server. - --- -Impact: -Remote access. This attack can allow an attacker to execute commands a vulnerable IIS server. - --- -Detailed Information: -User access should be restricted to an assigned web root directory and subdirectories when interacting with a web server. Attackers who attempt to perform directory traversals outside the web root should be denied access. A vulnerability exists in IIS web servers that allows directory traversal outside the web root directory when unicode encoding of specific characters is used. This particular attack uses the unicode encoding of the "\" to escape the web root. This may permit an attacker to execute commands on the vulnerable server. - --- -Affected Systems: -IIS 4.0, 5.0 servers - --- -Attack Scenarios: -An attacker can unicode encode a directory traversal character permitting execution of commands on the IIS server. - --- -Ease of Attack: -Simple. -GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Apply the patch referenced in the Microsoft link. - --- -Contributors: -Original rule writer unknown -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -CVE -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0084 - -Microsoft -http://www.microsoft.com/technet/security/bulletin/ms00-078.asp - --- diff -Nru snort-2.8.5.2/doc/signatures/983.txt snort-2.9.2/doc/signatures/983.txt --- snort-2.8.5.2/doc/signatures/983.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/983.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -983 - --- -Summary: -This event is generated when an attempt is made use a unicode encoded representaion of a "\" in a URL request. This may permit an attacker to navigate to files and directories outside the web root of a vulnerable Internet Information Services (IIS) server. - --- -Impact: -Remote access. This attack can allow an attacker to execute commands a vulnerable IIS server. - --- -Detailed Information: -User access should be restricted to an assigned web root directory and subdirectories when interacting with a web server. Attackers who attempt to perform directory traversals outside the web root should be denied access. A vulnerability exists in IIS web servers that allows directory traversal outside the web root directory when unicode encoding of specific characters is used. This particular attack uses the unicode encoding of the "\" to escape the web root. This may permit an attacker to execute commands on the vulnerable server. - --- -Affected Systems: -IIS 4.0, 5.0 servers - --- -Attack Scenarios: -An attacker can unicode encode a directory traversal character permitting execution of commands on the IIS server. - --- -Ease of Attack: -Simple. -GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Apply the patch referenced in the Microsoft link. - --- -Contributors: -Original rule writer unknown -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -CVE -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0084 - -Microsoft -http://www.microsoft.com/technet/security/bulletin/ms00-078.asp - --- diff -Nru snort-2.8.5.2/doc/signatures/984.txt snort-2.9.2/doc/signatures/984.txt --- snort-2.8.5.2/doc/signatures/984.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/984.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -984 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a web server running Microsoft Internet Information -Server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Microsoft Internet Information Server (IIS). Many known -vulnerabilities exist for this platform and the attack scenarios are -legion. - --- -Affected Systems: - All systems running Microsoft IIS - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/985.txt snort-2.9.2/doc/signatures/985.txt --- snort-2.8.5.2/doc/signatures/985.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/985.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -985 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a web server running Microsoft Internet Information -Server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Microsoft Internet Information Server (IIS). Many known -vulnerabilities exist for this platform and the attack scenarios are -legion. - --- -Affected Systems: - All systems running Microsoft IIS - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/986.txt snort-2.9.2/doc/signatures/986.txt --- snort-2.8.5.2/doc/signatures/986.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/986.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: 986 - - --- -Summary: -This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). - --- -Impact: -Information gathering possible administrator access. - --- -Detailed Information: -This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS. - -The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information. - -The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information. - -Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources. - --- -Affected Systems: -Any host using IIS. - --- -Attack Scenarios: -An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files. - -Ensure that the IIS implementation is fully patched. - -Ensure that the underlying operating system is fully patched. - -Employ strategies to harden the IIS implementation and operating system. - -Check the host for signs of compromise. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.8.5.2/doc/signatures/987.txt snort-2.9.2/doc/signatures/987.txt --- snort-2.8.5.2/doc/signatures/987.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/987.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: -987 - --- -Summary: -This event is generated when an attempt is made to disclose the contents of an Active Server Page (ASP) using a malformed HTR request. - --- -Impact: -Information gathering. Fragments of the source code of an ASP may be returned possibly disclosing sensitive information. - --- -Detailed Information: -HTR is an older scripting language still supported by Internet Information Service (IIS). HTR requests are preocessed by ISM.DLL that improperly evaluates malformed HTR requests. This may disclose parts of the source code associated with a .asp file referenced in the request. - --- -Affected Systems: - -Microsoft IIS 4.0, 5.0 - --- -Attack Scenarios: -An attacker can craft a malformed request to disclose source code possibly revealing sensitive information. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Apply the patch referenced in the Microsoft link. - -Consider running the IIS Lockdown Tool to disable HTR functionality. - --- -Contributors: -Original rule writer unknown -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -CVE -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0063 - -Bugtraq -http://www.securityfocus.com/bid/1488 - -Microsoft -http://www.microsoft.com/technet/security/bulletin/ms00-031.asp - --- diff -Nru snort-2.8.5.2/doc/signatures/988.txt snort-2.9.2/doc/signatures/988.txt --- snort-2.8.5.2/doc/signatures/988.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/988.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -988 --- -Summary: -This event is generated when an attempt is made to access the Windows Security Accounts Manager (SAM) password file via a web request. - --- -Impact: -Information gathering - An attacker tried to get the Windows password file - --- -Detailed Information: -The SAM password file contains Windows logins which are NTLM or LANMAN hashes on Windows NT/2K/XP hosts. - -The hash algorithms are weak and can be cracked within few minutes/hours if passwords are weak. - --- -Affected Systems: -Windows NT 3.x and 4.0 - --- -Attack Scenarios: -If an attacker can get the real SAM file and is able to gain clear text passwords, the host can be compromised using the Administrator's login. - --- -Ease of Attack: -Simple. Exploit scripts are available. The host may be already compromised depending on the password strength used on the server. - --- -False Positives: -None Known - --- -False Negatives: -None known - --- -Corrective Action: -Change all Windows passwords. - -Apply appropriate vendor supplied patches. - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Original Rule Writer Unknown -Snort documentation contributed by Ueli Kistler, -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - - - --- diff -Nru snort-2.8.5.2/doc/signatures/989.txt snort-2.9.2/doc/signatures/989.txt --- snort-2.8.5.2/doc/signatures/989.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/989.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Changed message since it really didn't reflect what was happening -Rule: - --- -Sid: -989 - --- -Summary: -This event is generated when an attempt is made to access the sensepost.exe file. - --- -Impact: -Remote access. This attack may permit the execution of arbitrary commands on the vulnerable server. - --- -Detailed Information: -A vulnerability associated Microsoft Internet Information Services (IIS) servers allows an attacker to escape the web root directory (inetpub) permitting navigation to unauthorized directories. This vulnerability is exploitable by encoding characters in unicode because unauthorized directory traversal is not examined after the unicode decoding. A widely available script exploits this vulnerability and copies the \winnt\system32\cmd.exe file to \inetpub\scripts\sensepost.exe, essentially allowing an attacker to execute arbitrary commands on the vulnerable host even after the patch has been applied. - --- -Affected Systems: -Microsoft IIS 4.0, 5.0 - --- -Attack Scenarios: -An attacker can attempt to access the sensepost.exe file to execute arbitrary commands on the exploited server. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Apply the patch referenced in the Microsoft link. - --- -Contributors: -Original rule writer unknown -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -CVE -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884 - -Bugtraq -http://www.securityfocus.com/bid/1806 - -Microsoft -http://www.microsoft.com/technet/security/bulletin/ms00-078.asp - --- diff -Nru snort-2.8.5.2/doc/signatures/990.txt snort-2.9.2/doc/signatures/990.txt --- snort-2.8.5.2/doc/signatures/990.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/990.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,54 +0,0 @@ -Can't find affected system versions -Rule: - --- -Sid: -990 - --- -Summary: -This event is generated when an attempt is made to access a file with '_vti_inf' in the name. - --- -Impact: -Information gathering. This attack can leak the version number and scripting paths of Microsoft FrontPage. - --- -Detailed Information: -Microsoft FrontPage provides software for web designers to generate and administer web pages. The file '_vti_inf.html' contains FrontPage configuration information of version number and scripting paths that is normally used by a FrontPage client to communicate with the server. An attacker can craft a URL to access this file to disclose the version number and scripting paths. - --- -Affected Systems: -??? - --- -Attack Scenarios: -An attacker can craft a URL to access the '_vti_inf' file to learn the version and scripting paths of FrontPage. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Apply patches and upgrade to most current version of FrontPage. - --- -Contributors: -Original rule writer unknown -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - --- diff -Nru snort-2.8.5.2/doc/signatures/991.txt snort-2.9.2/doc/signatures/991.txt --- snort-2.8.5.2/doc/signatures/991.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/991.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -991 - - --- -Summary: -This event is generated when an attempt is made to request an HTTP-based password change. - --- -Impact: -Information gathering/remote access. Error messages from failed password changes can indicate whether a given account exists on the server. Successful password changes can allow remote access to the server. - --- -Detailed Information: -Microsoft Internet Information Services (IIS) Version 4 supplies a feature to allow users to make remote password changes. The iisadmpwd directory has several .HTR files that are used to implement the password changes. An attacker can request a change and use a returned form to supply an account name, existing password, and new password either to brute force changes or discover whether a specific account name exist. - --- -Affected Systems: - -Microsoft IIS 4.0 - --- -Attack Scenarios: -An attacker can request password changes to discover existing accounts or brute force password changes. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Remove the IISADMPWD virtual directory to disable remote password changes. - -Consider running the IIS Lockdown Tool to disable HTR functionality. - --- -Contributors: -Original rule writer unknown -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -CVE -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0407 - -Bugtraq -http://www.securityfocus.com/bid/2110 - --- diff -Nru snort-2.8.5.2/doc/signatures/992.txt snort-2.9.2/doc/signatures/992.txt --- snort-2.8.5.2/doc/signatures/992.txt 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/doc/signatures/992.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid: 992
-
-
---
-Summary:
-This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
-
---
-Impact:
-Information gathering possible administrator access.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
-
-The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
-
-The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
-
-Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
-
---
-Affected Systems:
-Any host using IIS.
-
---
-Attack Scenarios:
-An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
-
-Ensure that the IIS implementation is fully patched.
-
-Ensure that the underlying operating system is fully patched.
-
-Employ strategies to harden the IIS implementation and operating system.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/993.txt snort-2.9.2/doc/signatures/993.txt
--- snort-2.8.5.2/doc/signatures/993.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/993.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid: 993
-
-
---
-Summary:
-This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
-
---
-Impact:
-Information gathering possible administrator access.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
-
-The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
-
-The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
-
-Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
-
---
-Affected Systems:
-Any host using IIS.
-
---
-Attack Scenarios:
-An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
-
-Ensure that the IIS implementation is fully patched.
-
-Ensure that the underlying operating system is fully patched.
-
-Employ strategies to harden the IIS implementation and operating system.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/994.txt snort-2.9.2/doc/signatures/994.txt
--- snort-2.8.5.2/doc/signatures/994.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/994.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid: 994
-
-
---
-Summary:
-This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
-
---
-Impact:
-Information gathering possible administrator access.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
-
-The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
-
-The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
-
-Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
-
---
-Affected Systems:
-Any host using IIS.
-
---
-Attack Scenarios:
-An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
-
-Ensure that the IIS implementation is fully patched.
-
-Ensure that the underlying operating system is fully patched.
-
-Employ strategies to harden the IIS implementation and operating system.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/995.txt snort-2.9.2/doc/signatures/995.txt
--- snort-2.8.5.2/doc/signatures/995.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/995.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule
-
---
-Sid:
-995
-
-
---
-Summary:
-This event is generated when an attempt is made to request an HTTP-based password change.
-
---
-Impact:
-Information gathering/remote access. Error messages from failed password changes can indicate whether a given account exists on the server. Successful password changes can allow remote access to the server.
-
---
-Detailed Information:
-Microsoft Internet Information Services (IIS) Version 4 servers that were upgraded from IIS 2 or 3 have a legacy ism.dll file that allows web-based administration. Upon sending a request to ism.dll, the user will be prompted for a userid and password. An attacker can attempt to brute force guess a password, allowing remote access to the server.
-
---
-Affected Systems:
-
-Microsoft IIS 4.0 servers upgraded from IIS 2.0 or 3.0
-
---
-Attack Scenarios:
-An attacker can request password changes to discover existing accounts or brute force password changes.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to a more current version of ISS.
-
-Consider running the IIS Lockdown Tool to disable unnecessary functionality.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1538
-
-Bugtraq
-http://www.securityfocus.com/bid/189
-
---
diff -Nru snort-2.8.5.2/doc/signatures/996.txt snort-2.9.2/doc/signatures/996.txt
--- snort-2.8.5.2/doc/signatures/996.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/996.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-996
-
-
---
-Summary:
-This event is generated when an attempt is made to request an HTTP-based password change.
-
---
-Impact:
-Information gathering/remote access. Error messages from failed password changes can indicate whether a given account exists on the server. Successful password changes can allow remote access to the server.
-
---
-Detailed Information:
-Microsoft Internet Information Services (IIS) Version 4 supplies a feature to allow users to make remote password changes. The iisadmpwd directory has several .HTR files that are used to implement the password changes. An attacker can request a change and use a returned form to supply an account name, existing password, and new password either to brute force changes or discover whether a specific account name exist.
-
---
-Affected Systems:
-
-Microsoft IIS 4.0
-
---
-Attack Scenarios:
-An attacker can request password changes to discover existing accounts or brute force password changes.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Remove the IISADMPWD virtual directory to disable remote password changes.
-
-Consider running the IIS Lockdown Tool to disable HTR functionality.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0407
-
-Bugtraq
-http://www.securityfocus.com/bid/2110
-
---
diff -Nru snort-2.8.5.2/doc/signatures/997.txt snort-2.9.2/doc/signatures/997.txt
--- snort-2.8.5.2/doc/signatures/997.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/997.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid: 997
-
-
---
-Summary:
-This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
-
---
-Impact:
-Information gathering possible administrator access.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
-
-The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
-
-The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
-
-Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
-
---
-Affected Systems:
-Any host using IIS.
-
---
-Attack Scenarios:
-An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
-
-Ensure that the IIS implementation is fully patched.
-
-Ensure that the underlying operating system is fully patched.
-
-Employ strategies to harden the IIS implementation and operating system.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/998.txt snort-2.9.2/doc/signatures/998.txt
--- snort-2.8.5.2/doc/signatures/998.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/998.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid: 998
-
-
---
-Summary:
-This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
-
---
-Impact:
-Information gathering possible administrator access.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
-
-The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
-
-The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
-
-Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
-
---
-Affected Systems:
-Any host using IIS.
-
---
-Attack Scenarios:
-An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
-
-Ensure that the IIS implementation is fully patched.
-
-Ensure that the underlying operating system is fully patched.
-
-Employ strategies to harden the IIS implementation and operating system.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/999.txt snort-2.9.2/doc/signatures/999.txt
--- snort-2.8.5.2/doc/signatures/999.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/999.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid: 999
-
-
---
-Summary:
-This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
-
---
-Impact:
-Information gathering possible administrator access.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
-
-The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
-
-The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
-
-Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
-
---
-Affected Systems:
-Any host using IIS.
-
---
-Attack Scenarios:
-An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
-
-Ensure that the IIS implementation is fully patched.
-
-Ensure that the underlying operating system is fully patched.
-
-Employ strategies to harden the IIS implementation and operating system.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.8.5.2/doc/signatures/snort-sid-template.txt snort-2.9.2/doc/signatures/snort-sid-template.txt
--- snort-2.8.5.2/doc/signatures/snort-sid-template.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/signatures/snort-sid-template.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,48 +0,0 @@
-# This is a template for submitting snort signature descriptions to
-# the snort.org website
-#
-# Ensure that your descriptions are your own
-# and not the work of others. References in the rules themselves
-# should be used for linking to other's work.
-#
-# If you are unsure of some part of a rule, use that as a commentary
-# and someone else perhaps will be able to fix it.
-#
-# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
-#
-#
-
-Rule:
-
---
-Sid:
-
---
-Summary:
-
---
-Impact:
-
---
-Detailed Information:
-
---
-Attack Scenarios:
-
---
-Ease of Attack:
-
---
-False Positives:
-
---
-False Negatives:
-
---
-Corrective Action:
-
---
-Contributors:
-
---
-Additional References:
Binary files /tmp/V0Dipj1n0e/snort-2.8.5.2/doc/snort_manual.pdf and /tmp/F5HiNrDXpo/snort-2.9.2/doc/snort_manual.pdf differ
diff -Nru snort-2.8.5.2/doc/snort_manual.tex snort-2.9.2/doc/snort_manual.tex
--- snort-2.8.5.2/doc/snort_manual.tex 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/doc/snort_manual.tex 2011-12-07 19:24:50.000000000 +0000
@@ -16,7 +16,7 @@ %\IfFileExists{url.sty}{\usepackage{url}} % {\newcommand{\url}{\texttt}} -\usepackage{hyperref} +\usepackage{html} % \makeatletter @@ -71,18 +71,18 @@ } %\end{latexonly} -%\begin{htmlonly} -%\newenvironment{note}{ -% \begin{rawhtml} -%

-% Note:   -% \end{rawhtml} -%}{ -% \begin{rawhtml} -%

-% \end{rawhtml} -%} -%\end{htmlonly} +\begin{htmlonly} +\newenvironment{note}{ + \begin{rawhtml} +

+ Note:   + \end{rawhtml} +}{ + \begin{rawhtml} +

+ \end{rawhtml} +} +\end{htmlonly} \usepackage{babel} @@ -101,7 +101,7 @@ \begin{document} -\title{SNORT\textsuperscript{\textregistered} Users Manual\\2.8.5} +\title{SNORT\textsuperscript{\textregistered} Users Manual\\2.9.2} \author{The Snort Project} @@ -113,7 +113,7 @@ Copyright \copyright 2001-2003 Chris Green -Copyright \copyright 2003-2009 Sourcefire, Inc. +Copyright \copyright 2003-2011 Sourcefire, Inc. \tableofcontents{} @@ -149,10 +149,6 @@ for matches against a user-defined rule set and performs several actions based upon what it sees. -\item {\em Inline mode,} which obtains packets from iptables instead of from -libpcap and then causes iptables to drop or pass packets based on Snort rules -that use inline-specific rule types. - \end{itemize} \section{Sniffer Mode} @@ -281,9 +277,9 @@ ./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf \end{verbatim} -where \texttt{snort.conf} is the name of your rules file. This will apply the -rules configured in the \verb!snort.conf! file to each packet to decide if an -action based upon the rule type in the file should be taken. If you don't +where \texttt{snort.conf} is the name of your snort configuration file. This will +apply the rules configured in the \verb!snort.conf! file to each packet to decide +if an action based upon the rule type in the file should be taken. If you don't specify an output directory for the program, it will default to \verb!/var/log/snort!. @@ -377,7 +373,7 @@ To send alerts to syslog, use the -s switch. The default facilities for the syslog alerting mechanism are LOG\_AUTHPRIV and LOG\_ALERT. If you want to configure other facilities for syslog output, use the output plugin directives -in the rules files. See Section \ref{alert syslog lable} for more details on +in snort.conf. See Section \ref{alert syslog label} for more details on configuring syslog output. For example, use the following command line to log to default (decoded ASCII) 
@@ -424,7 +420,7 @@ possible while another program performs the slow actions, such as writing to a database. -If you want a text file that's easily parsable, but still somewhat fast, try +If you want a text file that's easily parsed, but still somewhat fast, try using binary logging with the ``fast'' output mechanism. This will log packets in tcpdump format and produce minimal alerts. For @@ -455,9 +451,10 @@ \item \texttt{--alert-before-pass} option forces alert rules to take affect in favor of a pass rule. -\item \texttt{--treat-drop-as-alert} causes drop, sdrop, and reject -rules and any associated alerts to be logged as alerts, rather then the -normal action. This allows use of an inline policy with passive/IDS mode. +\item \texttt{--treat-drop-as-alert} causes drop and reject rules and +any associated alerts to be logged as alerts, rather then the normal +action. This allows use of an inline policy with passive/IDS mode. +The sdrop rules are not loaded. \item \texttt{--process-all-events} option causes Snort to process every event associated with a packet, while taking the actions based 
@@ -474,284 +471,310 @@ \end{note} -\section{Inline Mode} -\label{Snort Inline} +\section{Packet Acquisition} -Snort 2.3.0 RC1 integrated the intrusion prevention system (IPS) capability of -\texttt{Snort Inline} into the official Snort project. \texttt{Snort Inline} -obtains packets from iptables instead of libpcap and then uses new rule types -to help iptables pass or drop packets based on Snort rules. +Snort 2.9 introduces the DAQ, or Data Acquisition library, for packet I/O. The +DAQ replaces direct calls to PCAP functions with an abstraction layer that +facilitates operation on a variety of hardware and software interfaces without +requiring changes to Snort. It is possible to select the DAQ type and mode +when invoking Snort to perform PCAP readback or inline operation, etc. -In order for \texttt{Snort Inline} to work properly, you must download and -compile the iptables code to include ``make install-devel'' -(\url{http://www.iptables.org}). This will install the \texttt{libipq} library -that allows \texttt{Snort Inline} to interface with iptables. Also, you must -build and install LibNet, which is available from -\url{http://www.packetfactory.net}. +\begin{note} -There are three rule types you can use when running Snort with \texttt{Snort Inline}: +Some network cards have features named "Large Receive Offload" (lro) and "Generic +Receieve Offload" (gro). With these features enabled, the network card performs +packet reassembly before they're processed by the kernel. -\begin{itemize} +By default, Snort will truncate packets larger than the default snaplen of 1518 +bytes. In addition, LRO and GRO may cause issues with Stream5 target-based +reassembly. We recommend that you turn off LRO and GRO. On linux systems, you can run: -\item \textbf{drop} - The drop rule type will tell iptables to drop the packet -and log it via usual Snort means. 
+\begin{verbatim} + $ ethtool -K eth1 gro off + $ ethtool -K eth1 lro off +\end{verbatim} -\item \textbf{reject} - The reject rule type will tell iptables to drop the -packet, log it via usual Snort means, and send a TCP reset if the protocol is -TCP or an icmp port unreachable if the protocol is UDP. +\end{note} -\item \textbf{sdrop} - The sdrop rule type will tell iptables to drop the -packet. Nothing is logged. +\subsection{Configuration} -\end{itemize} +Assuming that you did not disable static modules or change the default DAQ +type, you can run Snort just as you always did for file readback or sniffing an +interface. However, you can select and configure the DAQ when Snort is invoked +as follows: -\begin{note} +\begin{verbatim} + ./snort \ + [--daq ] \ + [--daq-mode ] \ + [--daq-dir ] \ + [--daq-var ] -You can also replace sections of the packet payload when using \texttt{Snort -Inline}. See Section \ref{ReplaceInline} for more information. + config daq: + config daq_dir: + config daq_var: + config daq_mode: -\end{note} + ::= pcap | afpacket | dump | nfq | ipq | ipfw + ::= read-file | passive | inline + ::= arbitrary = passed to DAQ + ::= path where to look for DAQ module so's +\end{verbatim} -When using a \texttt{reject} rule, there are two options you can use to send -TCP resets: +The DAQ type, mode, variable, and directory may be specified either via the +command line or in the conf file. You may include as many variables and +directories as needed by repeating the arg / config. DAQ type may be specified +at most once in the conf and once on the command line; if configured in both +places, the command line overrides the conf. -\begin{itemize} -\item You can use a RAW socket (the default behavior for \texttt{Snort -Inline}), in which case you must have an interface that has an IP address -assigned to it. 
If there is not an interface with an IP address assigned with -access to the source of the packet, the packet will be logged and the reset -packet will never make it onto the network. +If the mode is not set explicitly, -Q will force it to inline, and if that +hasn't been set, -r will force it to read-file, and if that hasn't been set, +the mode defaults to passive. Also, -Q and --daq-mode inline are allowed, +since there is no conflict, but -Q and any other DAQ mode will cause a fatal +error at start-up. -\item You can also now perform resets via a physical device when using -iptables. We take the indev name from ip\_queue and use this as the interface -on which to send resets. We no longer need an IP loaded on the bridge, and can -remain pretty stealthy as the \texttt{config layer2\_resets} in -snort.conf takes a source MAC address which we substitue for the MAC of -the bridge. For example: +Note that if Snort finds multiple versions of a given library, the most recent +version is selected. This applies to static and dynamic versions of the same +library. \begin{verbatim} - config layer2resets + ./snort [--daq-list ] \end{verbatim} -tells \texttt{Snort Inline} to use layer2 resets and uses the MAC address of -the bridge as the source MAC in the packet, and: +The above command searches the specified directory for DAQ modules and prints +type, version, and attributes of each. This feature is not available in the +conf. + +\subsection{PCAP} + +pcap is the default DAQ. if snort is run w/o any DAQ arguments, it will +operate as it always did using this module. These are equivalent: \begin{verbatim} - config layer2resets: 00:06:76:DD:5F:E3 + ./snort -i + ./snort -r + + ./snort --daq pcap --daq-mode passive -i + ./snort --daq pcap --daq-mode read-file -r \end{verbatim} -will tell Snort Inline to use layer2 resets and uses the source MAC of -00:06:76:DD:5F:E3 in the reset packet. 
+You can specify the buffer size pcap uses with: -\item The command-line option \texttt{--disable-inline-initialization} can be -used to not initialize IPTables when in inline mode. It should be used with -command-line option \texttt{-T} to test for a valid configuration without -requiring opening inline devices and adversely affecting traffic flow. +\begin{verbatim} + ./snort --daq pcap --daq-var buffer_size=<#bytes> +\end{verbatim} -\end{itemize} +Note that the pcap DAQ does not count filtered packets. -\subsection{Snort Inline Rule Application Order} -\label{InlineRuleOrder} +\subsubsection{MMAPed pcap} -The current rule application order is: +On Linux, a modified version of libpcap is available that implements a shared +memory ring buffer. Phil Woods (cpw@lanl.gov) is the current maintainer of the +libpcap implementation of the shared memory ring buffer. The shared memory +ring buffer libpcap can be downloaded from his website at +\url{http://public.lanl.gov/cpw/}. -\begin{verbatim} - ->activation->dynamic->pass->drop->sdrop->reject->alert->log -\end{verbatim} +Instead of the normal mechanism of copying the packets from kernel memory into +userland memory, by using a shared memory ring buffer, libpcap is able to queue +packets into a shared buffer that Snort is able to read directly. This change +speeds up Snort by limiting the number of times the packet is copied before +Snort gets to perform its detection upon it. -This will ensure that a drop rule has precedence over an alert or log rule. +Once Snort linked against the shared memory libpcap, enabling the ring buffer +is done via setting the environment variable \emph{PCAP\_FRAMES}. +\emph{PCAP\_FRAMES} is the size of the ring buffer. According to Phil, the +maximum size is 32768, as this appears to be the maximum number of iovecs the +kernel can handle. By using \emph{PCAP\_FRAMES=max}, libpcap will +automatically use the most frames possible. 
On Ethernet, this ends up being +1530 bytes per frame, for a total of around 52 Mbytes of memory for the ring +buffer alone. -\subsection{Replacing Packets with Snort Inline} -\label{ReplaceInline} +\subsection{AFPACKET} -Additionally, Jed Haile's content replace code allows you to modify packets -before they leave the network. For example: +afpacket functions similar to the memory mapped pcap DAQ but no external +library is required: \begin{verbatim} - alert tcp any any <> any 80 ( \ - msg: "tcp replace"; content:"GET"; replace:"BET";) - - alert udp any any <> any 53 ( \ - msg: "udp replace"; content: "yahoo"; replace: "xxxxx";) + ./snort --daq afpacket -i + [--daq-var buffer_size_mb=<#MB>] + [--daq-var debug] \end{verbatim} -These rules will comb TCP port 80 traffic looking for GET, and UDP port 53 -traffic looking for yahoo. Once they are found, they are replaced with BET and -xxxxx, respectively. The only catch is that the replace must be the same -length as the content. +If you want to run afpacket in inline mode, you must set device to one or more +interface pairs, where each member of a pair is separated by a single colon and +each pair is separated by a double colon like this: -\subsection{Installing Snort Inline} -\label{InlineInstall} -To install Snort inline, use the following command: \begin{verbatim} - ./configure --enable-inline - make - make install -\end{verbatim} - -\subsection{Running Snort Inline} + eth0:eth1 +\end{verbatim} -First, you need to ensure that the ip\_queue module is loaded. Then, you need -to send traffic to Snort Inline using the QUEUE target. For example: +or this: \begin{verbatim} - iptables -A OUTPUT -p tcp --dport 80 -j QUEUE + eth0:eth1::eth2:eth3 \end{verbatim} -sends all TCP traffic leaving the firewall going to port 80 to the QUEUE -target. This is what sends the packet from kernel space to user space -(\texttt{Snort Inline}). 
A quick way to get all outbound traffic going to the -QUEUE is to use the rc.firewall script created and maintained by the Honeynet -Project (\url{http://www.honeynet.org/papers/honeynet/tools/}) This script is -well-documented and allows you to direct packets to \texttt{Snort Inline} by -simply changing the QUEUE variable to yes. - -Finally, start Snort Inline: +By default, the afpacket DAQ allocates 128MB for packet memory. You can change +this with: \begin{verbatim} - snort -QDc ../etc/drop.conf -l /var/log/snort + --daq-var buffer_size_mb=<#MB> \end{verbatim} -You can use the following command line options: +Note that the total allocated is actually higher, here's why. Assuming the +default packet memory with a snaplen of 1518, the numbers break down like this: -\begin{itemize} +\begin{slist} +\item +The frame size is 1518 (snaplen) + the size of the AFPacket header (66 +bytes) = 1584 bytes. + +\item +The number of frames is 128 MB / 1518 = 84733. + +\item +The smallest block size that can fit at least one frame is 4 KB = 4096 bytes + @ 2 frames per block. -\item \texttt{-Q} - Gets packets from iptables. +\item +As a result, we need 84733 / 2 = 42366 blocks. -\item \texttt{-D} - Runs \texttt{Snort Inline} in daemon mode. The process ID -is stored at \texttt{/var/run/snort.pid} +\item +Actual memory allocated is 42366 * 4 KB = 165.5 MB. +\end{slist} -\item \texttt{-c} - Reads the following configuration file. +\subsection{NFQ} -\item \texttt{-l} - Logs to the following directory. +NFQ is the new and improved way to process iptables packets: -\end{itemize} +\begin{verbatim} + ./snort --daq nfq \ + [--daq-var device=] \ + [--daq-var proto=] \ + [--daq-var queue=] \ + [--daq-var queue_len=] -Ideally, Snort Inline will be run using only its own drop.rules. If you want -to use Snort for just alerting, a separate process should be running with its -own rule set. 
+ ::= ip | eth0, etc; default is IP injection + ::= ip4 | ip6 | ip*; default is ip4 + ::= 0..65535; default is 0 + ::= 0..65535; default is 0 +\end{verbatim} -\subsection{Using the Honeynet Snort Inline Toolkit} +Notes on iptables are given below. -The Honeynet Snort Inline Toolkit is a statically compiled \texttt{Snort -Inline} binary put together by the Honeynet Project for the Linux operating -system. It comes with a set of drop.rules, the \texttt{Snort Inline} binary, a -snort-inline rotation shell script, and a good README. It can be found at: +\subsection{IPQ} -\url{http://www.honeynet.org/papers/honeynet/tools/} +IPQ is the old way to process iptables packets. It replaces the inline version +available in pre-2.9 versions built with this: -\subsection{Troubleshooting Snort Inline} +\begin{verbatim} + ./configure --enable-inline / -DGIDS +\end{verbatim} -If you run Snort Inline and see something like this: +Start the IPQ DAQ as follows: \begin{verbatim} - Initializing Output Plugins! - Reading from iptables - Log directory = /var/log/snort - Initializing Inline mode - InlineInit: : Failed to send netlink message: Connection refused + ./snort --daq ipq \ + [--daq-var device=] \ + [--daq-var proto=] \ + + ::= ip | eth0, etc; default is IP injection + ::= ip4 | ip6; default is ip4 \end{verbatim} -More than likely, the ip\_queue module is not loaded or ip\_queue support is -not compiled into your kernel. Either recompile your kernel to support -ip\_queue, or load the module. +Notes on iptables are given below. + +\subsection{IPFW} -The ip\_queue module is loaded by executing: +IPFW is available for BSD systems. 
It replaces the inline version available in +pre-2.9 versions built with this: \begin{verbatim} - insmod ip_queue + ./configure --enable-ipfw / -DGIDS -DIPFW \end{verbatim} -Also, if you want to ensure Snort Inline is getting packets, you can start it -in the following manner: +This command line argument is no longer supported: \begin{verbatim} - snort -Qvc + ./snort -J \end{verbatim} -This will display the header of every packet that Snort Inline sees. - -\section{Miscellaneous} - -\subsection{Running Snort as a Daemon} - -If you want to run Snort as a daemon, you can the add -D switch to any -combination described in the previous sections. Please notice that if you want -to be able to restart Snort by sending a SIGHUP signal to the daemon, you {\em -must} specify the full path to the Snort binary when you start it, for example: +Instead, start Snort like this: \begin{verbatim} - /usr/local/bin/snort -d -h 192.168.1.0/24 \ - -l /var/log/snortlogs -c /usr/local/etc/snort.conf -s -D -\end{verbatim} - -Relative paths are not supported due to security concerns. + ./snort --daq ipfw [--daq-var port=] -\subsubsection{Snort PID File} + ::= 1..65535; default is 8000 +\end{verbatim} -When Snort is run as a daemon , the daemon creates a PID file in the log -directory. In Snort 2.6, the \texttt{--pid-path} command line switch causes -Snort to write the PID file in the directory specified. +* IPFW only supports ip4 traffic. -Additionally, the \texttt{--create-pidfile} switch can be used to force -creation of a PID file even when not running in daemon mode. +\subsection{Dump} -The PID file will be locked so that other snort processes cannot start. Use -the \texttt{--nolock-pidfile} switch to not lock the PID file. +The dump DAQ allows you to test the various inline mode features available in +2.9 Snort like injection and normalization. 
-\subsection{Running in Rule Stub Creation Mode} +\begin{verbatim} + ./snort -i --daq dump + ./snort -r --daq dump +\end{verbatim} -If you need to dump the shared object rules stub to a directory, you might need to use the --dump-dynamic-rules option. These rule stub files are used in conjunction with the shared object rules. The path can be relative or absolute. +By default a file named inline-out.pcap will be created containing all packets +that passed through or were generated by snort. You can optionally specify a +different name. \begin{verbatim} - /usr/local/bin/snort -c /usr/local/etc/snort.conf \ - --dump-dynamic-rules=/tmp + ./snort --daq dump --daq-var file= \end{verbatim} -This path can also be configured in the snort.conf using the config option dump-dynamic-rules-path as follows: +dump uses the pcap daq for packet acquisition. It therefore does not count +filtered packets. + +Note that the dump DAQ inline mode is not an actual inline mode. Furthermore, +you will probably want to have the pcap DAQ acquire in another mode like this: \begin{verbatim} - config dump-dynamic-rules-path: /tmp/sorules + ./snort -r -Q --daq dump --daq-var load-mode=read-file + ./snort -i -Q --daq dump --daq-var load-mode=passive \end{verbatim} -The path configured by command line has precedence over the one configured using dump-dynamic-rules-path. +\subsection{Statistics Changes} -\begin{verbatim} - /usr/local/bin/snort -c /usr/local/etc/snort.conf \ - --dump-dynamic-rules +The Packet Wire Totals and Action Stats sections of Snort's output include +additional fields: - snort.conf: - config dump-dynamic-rules-path: /tmp/sorules -\end{verbatim} +\begin{itemize} +\item \texttt{Filtered} +count of packets filtered out and not handed to Snort for analysis. -In the above mentioned scenario the dump path is set to /tmp/sorules. +\item \texttt{Injected} +packets Snort generated and sent, eg TCP resets. 
-\subsection{Obfuscating IP Address Printouts} +\item \texttt{Allow} +packets Snort analyzed and did not take action on. -If you need to post packet logs to public mailing lists, you might want to use -the -O switch. This switch obfuscates your IP addresses in packet printouts. -This is handy if you don't want people on the mailing list to know the IP -addresses involved. You can also combine the -O switch with the -h switch to -only obfuscate the IP addresses of hosts on the home network. This is useful -if you don't care who sees the address of the attacking host. For example, you -could use the following command to read the packets from a log file and dump -them to the screen, obfuscating only the addresses from the 192.168.1.0/24 -class C network: - -\begin{verbatim} - ./snort -d -v -r snort.log -O -h 192.168.1.0/24 -\end{verbatim} +\item \texttt{Block} +packets Snort did not forward, eg due to a block rule. -\subsection{Specifying Multiple-Instance Identifiers} +\item \texttt{Replace} +packets Snort modified. -In Snort v2.4, the \texttt{-G} command line option was added that specifies an -instance identifier for the event logs. This option can be used when running -multiple instances of snort, either on different CPUs, or on the same CPU but a -different interface. Each Snort instance will use the value specified to -generate unique event IDs. Users can specify either a decimal value -(\texttt{-G 1}) or hex value preceded by 0x (\texttt{-G 0x11}). This is also -supported via a long option \texttt{--logid}. +\item \texttt{Whitelist} +packets that caused Snort to allow a flow to pass w/o inspection by any +analysis program. + +\item \texttt{Blacklist} +packets that caused Snort to block a flow from passing. + +\item \texttt{Ignore} +packets that caused Snort to allow a flow to pass w/o inspection by this +instance of Snort. 
+\end{itemize} + +The action stats show "blocked" packets instead of "dropped" packets to avoid +confusion between dropped packets (those Snort didn't actually see) and blocked +packets (those Snort did not allow to pass). \section{Reading Pcaps} @@ -786,7 +809,7 @@ \hline \texttt{--pcap-file=} & -File that contains a list of pcaps to read. Can specifiy path to pcap or +File that contains a list of pcaps to read. Can specify path to pcap or directory to recurse to get pcaps. \\ \hline @@ -797,7 +820,7 @@ \hline \texttt{--pcap-dir=} & -A directory to recurse to look for pcaps. Sorted in ascii order. \\ +A directory to recurse to look for pcaps. Sorted in ASCII order. \\ \hline \texttt{--pcap-filter=} & @@ -805,7 +828,7 @@ Shell style filter to apply when getting pcaps from file or directory. This filter will apply to any \texttt{--pcap-file} or \texttt{--pcap-dir} arguments following. Use \texttt{--pcap-no-filter} to delete filter for following -\texttt{--pcap-file} or \texttt{--pcap-dir} arguments or specifiy +\texttt{--pcap-file} or \texttt{--pcap-dir} arguments or specify \texttt{--pcap-filter} again to forget previous filter and to apply to following \texttt{--pcap-file} or \texttt{--pcap-dir} arguments. \\ 
@@ -940,6 +963,218 @@ The above example will read all of the files under /home/foo/pcaps and will print a line indicating which pcap is currently being read. +\section{Basic Output} + +Snort does a lot of work and outputs some useful statistics when it is done. +Many of these are self-explanatory. The others are summarized below. This +does not include all possible output data, just the basics. + +\subsection{Timing Statistics} + +This section provides basic timing statistics. It includes total seconds and +packets as well as packet processing rates. The rates are based on whole +seconds, minutes, etc. and only shown when non-zero. + +Example: + +\begin{verbatim} +=============================================================================== +Run time for packet processing was 175.856509 seconds +Snort processed 3716022 packets. +Snort ran for 0 days 0 hours 2 minutes 55 seconds + Pkts/min: 1858011 + Pkts/sec: 21234 +=============================================================================== +\end{verbatim} + +\subsection{Packet I/O Totals} + +This section shows basic packet acquisition and injection peg counts obtained +from the DAQ. If you are reading pcaps, the totals are for all pcaps combined, +unless you use --pcap-reset, in which case it is shown per pcap. + +\begin{itemize} +\item Outstanding indicates how many packets are buffered awaiting processing. +The way this is counted varies per DAQ so the DAQ documentation should be +consulted for more info. + +\item Filtered packets are not shown for pcap DAQs. + +\item Injected packets are the result of active response which can be +configured for inline or passive modes. 
+\end{itemize} + +Example: + +\begin{verbatim} +=============================================================================== +Packet I/O Totals: + Received: 3716022 + Analyzed: 3716022 (100.000%) + Dropped: 0 ( 0.000%) + Filtered: 0 ( 0.000%) +Outstanding: 0 ( 0.000%) + Injected: 0 +=============================================================================== +\end{verbatim} + + +\subsection{Protocol Statistics} + +Traffic for all the protocols decoded by Snort is summarized in the breakdown +section. This traffic includes internal "pseudo-packets" if preprocessors such +as frag3 and stream5 are enabled so the total may be greater than the number of +analyzed packets in the packet I/O section. + +\begin{itemize} +\item Disc counts are discards due to basic encoding integrity flaws that +prevents Snort from decoding the packet. + +\item Other includes packets that contained an encapsulation that Snort doesn't +decode. + +\item S5 G 1/2 is the number of client/server sessions stream5 flushed due to +cache limit, session timeout, session reset. 
+\end{itemize} + +Example: + +\begin{verbatim} +=============================================================================== +Breakdown by protocol (includes rebuilt packets): + Eth: 3722347 (100.000%) + VLAN: 0 ( 0.000%) + IP4: 1782394 ( 47.884%) + Frag: 3839 ( 0.103%) + ICMP: 38860 ( 1.044%) + UDP: 137162 ( 3.685%) + TCP: 1619621 ( 43.511%) + IP6: 1781159 ( 47.850%) + IP6 Ext: 1787327 ( 48.016%) + IP6 Opts: 6168 ( 0.166%) + Frag6: 3839 ( 0.103%) + ICMP6: 1650 ( 0.044%) + UDP6: 140446 ( 3.773%) + TCP6: 1619633 ( 43.511%) + Teredo: 18 ( 0.000%) + ICMP-IP: 0 ( 0.000%) + EAPOL: 0 ( 0.000%) + IP4/IP4: 0 ( 0.000%) + IP4/IP6: 0 ( 0.000%) + IP6/IP4: 0 ( 0.000%) + IP6/IP6: 0 ( 0.000%) + GRE: 202 ( 0.005%) + GRE Eth: 0 ( 0.000%) + GRE VLAN: 0 ( 0.000%) + GRE IP4: 0 ( 0.000%) + GRE IP6: 0 ( 0.000%) +GRE IP6 Ext: 0 ( 0.000%) + GRE PPTP: 202 ( 0.005%) + GRE ARP: 0 ( 0.000%) + GRE IPX: 0 ( 0.000%) + GRE Loop: 0 ( 0.000%) + MPLS: 0 ( 0.000%) + ARP: 104840 ( 2.817%) + IPX: 60 ( 0.002%) + Eth Loop: 0 ( 0.000%) + Eth Disc: 0 ( 0.000%) + IP4 Disc: 0 ( 0.000%) + IP6 Disc: 0 ( 0.000%) + TCP Disc: 0 ( 0.000%) + UDP Disc: 1385 ( 0.037%) + ICMP Disc: 0 ( 0.000%) +All Discard: 1385 ( 0.037%) + Other: 57876 ( 1.555%) +Bad Chk Sum: 32135 ( 0.863%) + Bad TTL: 0 ( 0.000%) + S5 G 1: 1494 ( 0.040%) + S5 G 2: 1654 ( 0.044%) + Total: 3722347 +=============================================================================== +\end{verbatim} + +\subsection{Actions, Limits, and Verdicts} + +Action and verdict counts show what Snort did with the packets it analyzed. +This information is only output in IDS mode (when snort is run with the +\texttt{-c } option). + +\begin{itemize} +\item Alerts is the number of activate, alert, and block actions processed as +determined by the rule actions. Here block includes block, drop, and reject +actions. +\end{itemize} + +Limits arise due to real world constraints on processing time and available +memory. 
These indicate potential actions that did not happen: + +\begin{itemize} +\item Match Limit counts rule matches were not processed due to the +\texttt{config detection: max\_queue\_events} setting. The default is 5. + +\item Queue Limit counts events couldn't be stored in the event queue +due to the \texttt{config event\_queue: max\_queue} setting. The default is 8. + +\item Log Limit counts events were not alerted due to the +\texttt{config event\_queue: log} setting. The default is 3. + +\item Event Limit counts events not alerted due to +\texttt{event\_filter} limits. + +\item Alert Limit counts events were not alerted because they already +were triggered on the session. +\end{itemize} + +Verdicts are rendered by Snort on each packet: + +\begin{itemize} +\item Allow = packets Snort analyzed and did not take action on. + +\item Block = packets Snort did not forward, eg due to a block rule. "Block" +is used instead of "Drop" to avoid confusion between dropped packets (those +Snort didn't actually see) and blocked packets (those Snort did not allow to +pass). + +\item Replace = packets Snort modified, for example, due to normalization or +replace rules. This can only happen in inline mode with a compatible DAQ. + +\item Whitelist = packets that caused Snort to allow a flow to pass w/o +inspection by any analysis program. Like blacklist, this is done by the DAQ or +by Snort on subsequent packets. + +\item Blacklist = packets that caused Snort to block a flow from passing. This +is the case when a block TCP rule fires. If the DAQ supports this in hardware, +no further packets will be seen by Snort for that session. If not, snort will +block each packet and this count will be higher. + +\item Ignore = packets that caused Snort to allow a flow to pass w/o inspection +by this instance of Snort. Like blacklist, this is done by the DAQ or by Snort +on subsequent packets. 
+\end{itemize} + +Example: + +\begin{verbatim} +=============================================================================== +Action Stats: + Alerts: 0 ( 0.000%) + Logged: 0 ( 0.000%) + Passed: 0 ( 0.000%) +Limits: + Match: 0 + Queue: 0 + Log: 0 + Event: 0 + Alert: 0 +Verdicts: + Allow: 3716022 (100.000%) + Block: 0 ( 0.000%) + Replace: 0 ( 0.000%) + Whitelist: 0 ( 0.000%) + Blacklist: 0 ( 0.000%) + Ignore: 0 ( 0.000%) +=============================================================================== +\end{verbatim} \section{Tunneling Protocol Support} 
@@ -1005,74 +1240,353 @@ \end{note} -\section{More Information} +\section{Miscellaneous} -Chapter \ref{Configuring Snort} contains much information about many -configuration options available in the configuration file. The Snort manual -page and the output of \texttt{snort -?} or \texttt{snort --help} contain -information that can help you get Snort running in several different modes. +\subsection{Running Snort as a Daemon} -\begin{note} +If you want to run Snort as a daemon, you can the add -D switch to any +combination described in the previous sections. Please notice that if you want +to be able to restart Snort by sending a SIGHUP signal to the daemon, you {\em +must} specify the full path to the Snort binary when you start it, for example: -In many shells, a backslash (\textbackslash{}) is needed to escape the ?, so -you may have to type \texttt{snort -\textbackslash{}?} instead of \texttt{snort --?} for a list of Snort command line options. +\begin{verbatim} + /usr/local/bin/snort -d -h 192.168.1.0/24 \ + -l /var/log/snortlogs -c /usr/local/etc/snort.conf -s -D +\end{verbatim} -\end{note} +Relative paths are not supported due to security concerns. -The Snort web page (\url{http://www.snort.org}) and the Snort Users mailing -list: +\subsubsection{Snort PID File} -\url{http://marc.theaimsgroup.com/?l=snort-users} +When Snort is run as a daemon , the daemon creates a PID file in the log +directory. In Snort 2.6, the \texttt{--pid-path} command line switch causes +Snort to write the PID file in the directory specified. -at \verb?snort-users@lists.sourceforge.net? provide informative announcements -as well as a venue for community discussion and support. There's a lot to -Snort, so sit back with a beverage of your choosing and read the documentation -and mailing list archives. +Additionally, the \texttt{--create-pidfile} switch can be used to force +creation of a PID file even when not running in daemon mode. 
-\chapter{Configuring Snort} -\label{Configuring Snort} +The PID file will be locked so that other snort processes cannot start. Use +the \texttt{--nolock-pidfile} switch to not lock the PID file. -\section{Includes} +\subsection{Running in Rule Stub Creation Mode} -The {\tt include} keyword allows other rules files to be included within the -rules file indicated on the Snort command line. It works much like an \#include -from the C programming language, reading the contents of the named file and -adding the contents in the place where the include statement appears in the -file. +If you need to dump the shared object rules stub to a directory, you must use the --dump-dynamic-rules command line option. These rule stub files are used in conjunction with the shared object rules. The path can be relative or absolute. -\subsection{Format} \begin{verbatim} - include + /usr/local/bin/snort -c /usr/local/etc/snort.conf \ + --dump-dynamic-rules=/tmp \end{verbatim} -\begin{note} - -Note that there is no semicolon at the end of this line. - -\end{note} - -Included files will substitute any predefined variable values into their own -variable references. See Section \ref{variables} for more information on -defining and using variables in Snort rules files. +This path can also be configured in the snort.conf using the config option dump-dynamic-rules-path as follows: -\subsection{Variables} -\label{variables} +\begin{verbatim} + config dump-dynamic-rules-path: /tmp/sorules +\end{verbatim} -Three types of variables may be defined in Snort: +The path configured by command line has precedence over the one configured using dump-dynamic-rules-path. -\begin{itemize} -\item var -\item portvar -\item ipvar -\end{itemize} +\begin{verbatim} + /usr/local/bin/snort -c /usr/local/etc/snort.conf \ + --dump-dynamic-rules -\begin{note} + snort.conf: + config dump-dynamic-rules-path: /tmp/sorules +\end{verbatim} -Note: 'ipvar's are only enabled with IPv6 support. 
Without IPv6 support, use a -regular 'var'. +In the above mentioned scenario the dump path is set to /tmp/sorules. -\end{note} +\subsection{Obfuscating IP Address Printouts} + +If you need to post packet logs to public mailing lists, you might want to use +the -O switch. This switch obfuscates your IP addresses in packet printouts. +This is handy if you don't want people on the mailing list to know the IP +addresses involved. You can also combine the -O switch with the -h switch to +only obfuscate the IP addresses of hosts on the home network. This is useful +if you don't care who sees the address of the attacking host. For example, you +could use the following command to read the packets from a log file and dump +them to the screen, obfuscating only the addresses from the 192.168.1.0/24 +class C network: + +\begin{verbatim} + ./snort -d -v -r snort.log -O -h 192.168.1.0/24 +\end{verbatim} + +\subsection{Specifying Multiple-Instance Identifiers} + +In Snort v2.4, the \texttt{-G} command line option was added that specifies an +instance identifier for the event logs. This option can be used when running +multiple instances of snort, either on different CPUs, or on the same CPU but a +different interface. Each Snort instance will use the value specified to +generate unique event IDs. Users can specify either a decimal value +(\texttt{-G 1}) or hex value preceded by 0x (\texttt{-G 0x11}). This is also +supported via a long option \texttt{--logid}. + +\subsection{Snort Modes} + +Snort can operate in three different modes namely tap (passive), inline, and inline-test. +Snort policies can be configured in these three modes too. + +\subsubsection{Explanation of Modes} + +\begin{itemize} + +\item \texttt{Inline} + +When Snort is in Inline mode, it acts as an IPS allowing drop rules to trigger. 
Snort can be +configured to run in inline mode using the command line argument -Q and snort config option +\texttt{policy\_mode} as follows: + +\begin{verbatim} + snort -Q + config policy_mode:inline +\end{verbatim} + +\item \texttt{Passive} + +When Snort is in Passive mode, it acts as a IDS. Drop rules are not loaded (without --treat-drop-as-alert). +Snort can be configured to passive mode using the snort config option \texttt{policy\_mode} as follows: + +\begin{verbatim} + config policy_mode:tap +\end{verbatim} + + +\item \texttt{Inline-Test} + +Inline-Test mode simulates the inline mode of snort, allowing evaluation of inline behavior without affecting +traffic. The drop rules will be loaded and will be triggered as a Wdrop (Would Drop) alert. Snort can be +configured to run in inline-test mode using the command line option (--enable-inline-test) or using the +snort config option \texttt{policy\_mode} as follows: + +\begin{verbatim} + snort --enable-inline-test + config policy_mode:inline_test +\end{verbatim} + +\begin{note} + +Please note --enable-inline-test cannot be used in conjunction with -Q. 
+ +\end{note} + +\end{itemize} + +\texttt{Behavior of different modes with rule options} + + +\begin{tabular}{|l|c|c|p{6cm}|} +\hline +Rule Option & Inline Mode & Passive Mode & Inline-Test Mode\\ +\hline +\hline +\texttt{reject} & Drop + Response & Alert + Response & Wdrop + Response\\ +\hline +\texttt{react} & Blocks and send notice & Blocks and send notice & Blocks and send notice\\ +\hline +\texttt{normalize} & Normalizes packet & Doesn't normalize & Doesn't normalize\\ +\hline +\texttt{replace} & replace content & Doesn't replace & Doesn't replace\\ +\hline +\texttt{respond} & close session & close session & close session\\ +\hline +\end{tabular} + + +\texttt{Behavior of different modes with rules actions} + + +\begin{tabular}{|l|c|c|c|} +\hline +Adapter Mode & Snort args & config policy\_mode & Drop Rule Handling\\ +\hline +\hline +Passive & \texttt{ --treat-drop-as-alert} & tap & Alert\\ +\hline +Passive & \texttt{ no args} & tap & Not Loaded\\ +\hline +Passive & \texttt{ --treat-drop-as-alert} & inline\_test & Alert\\ +\hline +Passive & \texttt{ no args} & inline\_test & Would Drop\\ +\hline +Passive & \texttt{ --treat-drop-as-alert} & inline & Alert\\ +\hline +Passive & \texttt{no args} & inline & Not loaded + warning\\ +\hline +Inline Test & \texttt{ --enable-inline-test --treat-drop-as-alert} & tap & Alert\\ +\hline +Inline Test & \texttt{ --enable-inline-test} & tap & Would Drop\\ +\hline +Inline Test & \texttt{ --enable-inline-test --treat-drop-as-alert} & inline\_test & Alert\\ +\hline +Inline Test & \texttt{ --enable-inline-test} & inline\_test & Would Drop\\ +\hline +Inline Test & \texttt{ --enable-inline-test --treat-drop-as-alert} & inline & Alert\\ +\hline +Inline Test & \texttt{ --enable-inline-test} & inline & Would Drop\\ +\hline +Inline & \texttt{ -Q --treat-drop-as-alert} & tap & Alert\\ +\hline +Inline & \texttt{ -Q} & tap & Alert\\ +\hline +Inline & \texttt{ -Q --treat-drop-as-alert} & inline\_test & Alert\\ +\hline +Inline & \texttt{ -Q} 
& inline\_test & Would Drop\\ +\hline +Inline & \texttt{ -Q --treat-drop-as-alert} & inline & Alert\\ +\hline +Inline & \texttt{ -Q} & inline & Drop\\ +\hline +\end{tabular} + +\section{Control socket} +\label{control_socket} +Snort can be configured to provide a Unix socket that can be used to issue commands +to the running process. You must build snort with the +\texttt{--enable-control-socket} option. The control socket +functionality is supported on Linux only.\\ + +Snort can be configured to use control socket using the command line argument \texttt{--cs-dir } + and snort config option \texttt{cs\_dir} as follows: + +\begin{verbatim} + snort --cs-dir + config cs_dir: +\end{verbatim} + +\texttt{} specifies the directory for snort to creat the socket. If relative path is used, +the path is relative to pid path specified. If there is no pid path specified, it is relative to +current working directory. + +A command \texttt{snort\_control} is made and installed along with snort in the same +bin directory when configured with the \texttt{--enable-control-socket} option. + +\section{Configure signal value} +\label{configure_signal} +On some systems, signal used by snort might be used by other functions. To avoid conflicts, +users can change the default signal value through \texttt{./configure} options for non-Windows system. + +These signals can be changed: +\begin{itemize} +\item \texttt{SIGNAL\_SNORT\_RELOAD} +\item \texttt{SIGNAL\_SNORT\_DUMP\_STATS} +\item \texttt{SIGNAL\_SNORT\_ROTATE\_STATS} +\item \texttt{SIGNAL\_SNORT\_READ\_ATTR\_TBL} +\end{itemize} + +Syntax: + +\begin{verbatim} + ./configure SIGNAL_SNORT_RELOAD= SIGNAL_SNORT_DUMP_STATS=\ + SIGNAL_SNORT_READ_ATTR_TBL= SIGNAL_SNORT_ROTATE_STATS= +\end{verbatim} + +You can set those signals to user defined values or known signal names in the system. 
+The following example changes the rotate stats signal to 31 and reload attribute table to +signal SIGUSR2 : + +\begin{verbatim} + ./configure SIGNAL_SNORT_ROTATE_STATS=31 SIGNAL_SNORT_READ_ATTR_TBL=SIGUSR2 +\end{verbatim} + +If the same signal is assigned more than once a warning will be logged +during snort initialization. If a signal handler cannot be installed a warning +will be logged and that has to be fixed, otherwise the functionality will be lost. + +\texttt{Signals used in snort} + +\begin{tabular}{|l|l|l|} +\hline +Signal name & Default value & Action \\ +\hline +\hline +SIGTERM & SIGTERM & exit \\ +\hline +SIGINT & SIGINT & exit \\ +\hline +SIGQUIT & SIGQUIT & exit \\ +\hline +SIGPIPE & SIGPIPE & ignore \\ +\hline +SIGNAL\_SNORT\_RELOAD & SIGHUP & reload snort \\ +\hline +SIGNAL\_SNORT\_DUMP\_STATS & SIGUSR1 & dump stats \\ +\hline +SIGNAL\_SNORT\_ROTATE\_STATS & SIGUSR2 & rotate stats \\ +\hline +SIGNAL\_SNORT\_READ\_ATTR\_TBL & SIGURG & reload attribute table \\ +\hline +SIGNAL\_SNORT\_CHILD\_READY & SIGCHLD & internal use in daemon mode \\ +\hline +\end{tabular} + +\section{More Information} + +Chapter \ref{Configuring Snort} contains much information about many +configuration options available in the configuration file. The Snort manual +page and the output of \texttt{snort -?} or \texttt{snort --help} contain +information that can help you get Snort running in several different modes. + +\begin{note} + +In many shells, a backslash (\textbackslash{}) is needed to escape the ?, so +you may have to type \texttt{snort -\textbackslash{}?} instead of \texttt{snort +-?} for a list of Snort command line options. + +\end{note} + +The Snort web page (\url{http://www.snort.org}) and the Snort Users mailing +list: + +\url{http://marc.theaimsgroup.com/?l=snort-users} + +at \verb?snort-users@lists.sourceforge.net? provide informative announcements +as well as a venue for community discussion and support. 
There's a lot to +Snort, so sit back with a beverage of your choosing and read the documentation +and mailing list archives. + +\chapter{Configuring Snort} +\label{Configuring Snort} + +\section{Includes} + +The {\tt include} keyword allows other snort config files to be included within the +snort.conf indicated on the Snort command line. It works much like an \#include +from the C programming language, reading the contents of the named file and +adding the contents in the place where the include statement appears in the +file. + +\subsection{Format} +\begin{verbatim} + include +\end{verbatim} + +\begin{note} + +Note that there is no semicolon at the end of this line. + +\end{note} + +Included files will substitute any predefined variable values into their own +variable references. See Section \ref{variables} for more information on +defining and using variables in Snort config files. + +\subsection{Variables} +\label{variables} + +Three types of variables may be defined in Snort: + +\begin{itemize} +\item var +\item portvar +\item ipvar +\end{itemize} + +\begin{note} + +Note: 'ipvar's are only enabled with IPv6 support. Without IPv6 support, use a +regular 'var'. + +\end{note} These are simple substitution variables set with the {\tt var}, {\tt ipvar}, or {\tt portvar} keywords as follows: @@ -1367,6 +1881,11 @@ \ref{Snort Default Classifications} for a list of classifications.\\ \hline +\texttt{config cs\_dir: } & configure snort to provide a Unix socket in the path +that can be used to issue commands to the running process. See Section +\ref{control_socket} for more details.\\ + +\hline \texttt{config daemon} & Forks as a daemon (\texttt{snort -D}). \\ \hline 
@@ -1380,39 +1899,181 @@ loading rules. \\ \hline -\texttt{config detection: [lowmem] [no\_stream\_inserts] -[max\_queue\_events ]} & Makes changes to the detection engine. The following -options can be used: - -\begin{itemize} -\item \texttt{search-method $<$ac $|$ ac-std -$|$ ac-bnfa $|$ acs $|$ ac-banded $|$ ac-sparsebands $|$ lowmem $>$} +\texttt{config daq: } & Selects the type of DAQ to instantiate. The +DAQ with the highest version of the given type is selected if there are +multiple of the same type (this includes any built-in DAQs).\\ -\begin{itemize} - -\item \texttt{ac} Aho-Corasick Full (high memory, best performance) - -\item \texttt{ac-std} Aho-Corasick Standard (moderate memory, high performance) +\hline +\texttt{config daq\_mode: } & Select the DAQ mode: passive, inline, or +read-file. Not all DAQs support modes. See the DAQ distro README for +possible DAQ modes or list DAQ capabilities for a brief summary. \\ -\item \texttt{ac-bnfa} Aho-Corasick NFA (low memory, high performance) +\hline +\texttt{config daq\_var: } & Set a DAQ specific variable. Snort +just passes this information down to the DAQ. See the DAQ distro README for +possible DAQ variables. \\ -\item \texttt{acs} Aho-Corasick Sparse (small memory, moderate performance) +\hline +\texttt{config daq\_dir: } & Tell Snort where to look for available +dynamic DAQ modules. This can be repeated. The selected DAQ will be the +one with the latest version. \\ -\item \texttt{ac-banded} Aho-Corasick Banded (small memory, moderate -performance) +\hline \texttt{config daq\_list: []} & Tell Snort to dump basic DAQ +capabilities and exit. You can optionally specify a directory to include any +dynamic DAQs from that directory. You can also preceed this option with extra +DAQ directory options to look in multiple directories. 
\\ -\item \texttt{ac-sparsebands} Aho-Corasick Sparse-Banded (small memory, high -performance) +\hline +\texttt{config decode\_esp: [enable | disable]} & Enable or disable the decoding of +Encapsulated Security Protocol (ESP). This is disabled by default. +Some networks use ESP for authentication without encryption, allowing their +content to be inspected. Encrypted ESP may cause some false positives if this +option is enabled.\\ -\item \texttt{lowmem} Low Memory Keyword Trie (small memory, low performance) +\hline +\texttt{config detection: [search-method ]} & Select type of fast pattern +matcher algorithm to use. +\begin{itemize} +\item \texttt{search-method } +\begin{itemize} +\item Queued match search methods - Matches are queued until the fast pattern +matcher is finished with the payload, then evaluated. This was found to generally +increase performance through fewer cache misses (evaluating each rule would +generally blow away the fast pattern matcher +state in the cache). +\begin{itemize} +\item \texttt{ac} and \texttt{ac-q} - Aho-Corasick Full (high memory, best performance). +\item \texttt{ac-bnfa} and \texttt{ac-bnfa-q} - Aho-Corasick Binary NFA (low memory, high performance) +\item \texttt{lowmem} and \texttt{lowmem-q} - Low Memory Keyword Trie (low memory, moderate performance) +\item \texttt{ac-split} - Aho-Corasick Full with ANY-ANY port group evaluated separately (low memory, high performance). Note this is shorthand for \texttt{search-method ac, split-any-any} +\item \texttt{intel-cpm} - Intel CPM library (must have compiled Snort with location of libraries to enable this) +\end{itemize} +\end{itemize} +\begin{itemize} +\item No queue search methods - The "nq" option specifies that matches should not +be queued and evaluated as they are found. +\begin{itemize} +\item \texttt{ac-nq} - Aho-Corasick Full (high memory, best performance). +\item \texttt{ac-bnfa-nq} - Aho-Corasick Binary NFA (low memory, high performance). 
+This is the default search method if none is specified. +\item \texttt{lowmem-nq} - Low Memory Keyword Trie (low memory, moderate performance) +\end{itemize} +\end{itemize} +\begin{itemize} +\item Other search methods (the above are considered superior to these) +\begin{itemize} +\item \texttt{ac-std} - Aho-Corasick Standard (high memory, high performance) +\item \texttt{acs} - Aho-Corasick Sparse (high memory, moderate performance) +\item \texttt{ac-banded} - Aho-Corasick Banded (high memory, moderate performance) +\item \texttt{ac-sparsebands} - Aho-Corasick Sparse-Banded (high memory, moderate performance) +\end{itemize} +\end{itemize} +\end{itemize} \\ +\hline +\texttt{config detection: [split-any-any] [search-optimize] [max-pattern-len ]} & Other options +that affect fast pattern matching. +\begin{itemize} +\item \texttt{split-any-any} +\begin{itemize} +\item A memory/performance tradeoff. By default, ANY-ANY port rules are added to +every non ANY-ANY port group so that only one port group rule evaluation needs to +be done per packet. Not putting the ANY-ANY port rule group into every other +port group can significantly reduce the memory footprint of the fast pattern +matchers if there are many ANY-ANY port rules. But doing so may require two +port group evaluations per packet - one for the specific port group and one for +the ANY-ANY port group, thus potentially reducing performance. This option is +generic and can be used with any \texttt{search-method} but was specifically +intended for use with the \texttt{ac} \texttt{search-method} where the memory +footprint is significantly reduced though overall fast pattern performance is +better than \texttt{ac-bnfa}. Of note is that the lower memory footprint can +also increase performance through fewer cache misses. Default is not to split +the ANY-ANY port group. 
+\end{itemize} +\item \texttt{search-optimize} +\begin{itemize} +\item Optimizes fast pattern memory when used with \texttt{search-method} +\texttt{ac} or \texttt{ac-split} by dynamically determining the size of a +state based on the total number of states. When used with \texttt{ac-bnfa}, some +fail-state resolution will be attempted, potentially increasing performance. +Default is not to optimize. +\end{itemize} +\item \texttt{max-pattern-len } +\begin{itemize} +\item This is a memory optimization that specifies the maximum length of a pattern +that will be put in the fast pattern matcher. Patterns longer than this length +will be truncated to this length before inserting into the pattern matcher. Useful +when there are very long contents being used and truncating the pattern won't diminish +the uniqueness of the patterns. Note that this may cause more false positive rule +evaluations, i.e. rules that will be evaluated because a fast pattern was matched, +but eventually fail, however CPU cache can play a part in performance so a smaller memory +footprint of the fast pattern matcher can potentially increase performance. Default +is to not set a maximum pattern length. \end{itemize} +\end{itemize} \\ +\hline +\texttt{config detection: [no\_stream\_inserts] [max\_queue\_events ] [enable-single-rule-group] [bleedover-port-limit]} & Other detection engine options. +\begin{itemize} \item \texttt{no\_stream\_inserts} +\begin{itemize} +\item Specifies that stream inserted packets should not be evaluated against the detection engine. +This is a potential performance improvement with the idea that the stream rebuilt packet will +contain the payload in the inserted one so the stream inserted packet doesn't need to be +evaluated. Default is to inspect stream inserts. +\end{itemize} +\item \texttt{max\_queue\_events } +\begin{itemize} +\item Specifies the maximum number of matching fast-pattern states to queue per packet. +Default is 5 events. 
+\end{itemize} +\item \texttt{enable-single-rule-group} +\begin{itemize} +\item Put all rules into one port group. Not recommended. Default is not to +do this. +\end{itemize} +\item \texttt{bleedover-port-limit} +\begin{itemize} +\item The maximum number of source or destination ports designated in a rule +before the rule is considered an ANY-ANY port group rule. Default is 1024. +\end{itemize} +\end{itemize} \\ -\item \texttt{max\_queue\_events$<$integer$>$} - -\end{itemize}\\ +\hline +\texttt{config detection: [debug] [debug-print-nocontent-rule-tests] [debug-print-rule-group-build-details] [debug-print-rule-groups-uncompiled] [debug-print-rule-groups-compiled] [debug-print-fast-pattern] [bleedover-warnings-enabled]} & Options for detection engine debugging. +\begin{itemize} +\item \texttt{debug} +\begin{itemize} +\item Prints fast pattern information for a particular port group. +\end{itemize} +\item \texttt{debug-print-nocontent-rule-tests} +\begin{itemize} +\item Prints port group information during packet evaluation. +\end{itemize} +\item \texttt{debug-print-rule-group-build-details} +\begin{itemize} +\item Prints port group information during port group compilation. +\end{itemize} +\item \texttt{debug-print-rule-groups-uncompiled} +\begin{itemize} +\item Prints uncompiled port group information. +\end{itemize} +\item \texttt{debug-print-rule-groups-compiled} +\begin{itemize} +\item Prints compiled port group information. +\end{itemize} +\item \texttt{debug-print-fast-pattern} +\begin{itemize} +\item For each rule with fast pattern content, prints information about the content +being used for the fast pattern matcher. +\end{itemize} +\item \texttt{bleedover-warnings-enabled} +\begin{itemize} +\item Prints a warning if the number of source or destination ports used in a +rule exceed the \texttt{bleedover-port-limit} forcing the rule to be moved into +the ANY-ANY port group. 
+\end{itemize} +\end{itemize} \\ \hline \texttt{config disable\_decode\_alerts} & Turns off the alerts generated by the @@ -1476,6 +2137,11 @@ effective (only applicable in inline mode). \\ \hline +\texttt{config enable\_deep\_teredo\_inspection} & Snort's packet decoder only +decodes Teredo (IPv6 over UDP over IPv4) traffic on UDP port 3544. This option +makes Snort decode Teredo traffic on all UDP ports. \\ + +\hline \texttt{config enable\_ipopt\_drops} & Enables the dropping of bad packets with bad/truncated IP options (only applicable in inline mode).\\ @@ -1509,11 +2175,11 @@ mode).\\ \hline -\texttt{enable\_tcpopt\_ttcp\_drops} & Enables the dropping of bad packets with +\texttt{config enable\_tcpopt\_ttcp\_drops} & Enables the dropping of bad packets with T/TCP option. (only applicable in inline mode).\\ \hline -\texttt{enable\_ttcp\_drops} & Enables the dropping of bad packets with T/TCP +\texttt{config enable\_ttcp\_drops} & Enables the dropping of bad packets with T/TCP option. (only applicable in inline mode).\\ \hline 
@@ -1534,31 +2200,9 @@ See Section \ref{eventqueue} for more information and examples.\\ \hline -\texttt{config flexresp2\_attempts: } & Specify the number of TCP -reset packets to send to the source of the attack. Valid values are 0 to 20, -however values less than 4 will default to 4. The default value without this -option is 4. (Snort must be compiled with --enable-flexresp2) \\ - -\hline -\texttt{config flexresp2\_interface: } & Specify the response interface to -use. In Windows this can also be the interface number. (Snort must be -compiled with --enable-flexresp2) \\ - -\hline -\texttt{config flexresp2\_memcap: } & Specify the memcap for the hash -table used to track the time of responses. The times (hashed on a socket pair -plus protocol) are used to limit sending a response to the same half of a -socket pair every couple of seconds. Default is 1048576 bytes. (Snort must be -compiled with --enable-flexresp2) \\ - -\hline -\texttt{config flexresp2\_rows: } & Specify the number of rows for the -hash table used to track the time of responses. Default is 1024 rows. (Snort -must be compiled with --enable-flexresp2) \\ - -\hline -\texttt{config flowbits\_size: } & Specifies the maximum number of -flowbit tags that can be used within a rule set.\\ +\texttt{config flowbits\_size: } & Specifies the maximum number of +flowbit tags that can be used within a rule set. The default is 1024 bits +and maximum is 2096. \\ \hline \texttt{config ignore\_ports: } & Specifies ports to ignore 
@@ -1591,14 +2235,14 @@ \end{itemize} \\ \hline -\texttt{config layer2resets: } & This option is only available -when running in inline mode. See Section \ref{Snort Inline}.\\ - -\hline \texttt{config logdir: } & Sets the logdir (\texttt{snort -l}). \\ \hline +\texttt{config log\_ipv6\_extra\_data} & Set Snort to log IPv6 source and destination +addresses as unified2 extra data events. \\ + +\hline \texttt{config max\_attribute\_hosts: } & Sets a limit on the maximum number of hosts to read from the attribute table. Minimum value is 32 and the maximum is 524288 (512k). The default is 10000. If the number of hosts in the @@ -1675,6 +2319,11 @@ \hline \texttt{config quiet}& Disables banner and status reports (\texttt{snort -q}). +NOTE: The command line switch \texttt{-q} takes effect immediately after +processing the command line parameters, whereas using \texttt{config quiet} +in snort.conf takes effect when the configuration line in snort.conf is parsed. +That may occur after other configuration settings that result in output to +console or syslog. \\ \hline 
@@ -1689,16 +2338,21 @@ \texttt{config reference\_net } & For IP obfuscation, the obfuscated net will be used if the packet contains an IP address in the reference net. Also used to determine how to set up the logging directory structure for the -\texttt{session} post detection rule option and ascii output plugin - an +\texttt{session} post detection rule option and ASCII output plugin - an attempt is made to name the log directories after the IP address that is not in the reference net. \\ +\hline \texttt{config response: [attempts ] [, device ]} & Set the +number of strafing attempts per injected response and/or the device, such as +eth0, from which to send responses. These options may appear in any order but +must be comma separated. The are intended for passive mode. \\ + \hline \texttt{config set\_gid: } & Changes GID to specified GID (\texttt{snort -g}). \\ \hline -\texttt{set\_uid: } & Sets UID to $<$id$>$ (\texttt{snort -u}). \\ +\texttt{config set\_uid: } & Sets UID to $<$id$>$ (\texttt{snort -u}). \\ \hline \texttt{config show\_year} & Shows year in timestamps (\texttt{snort -y}). \\ @@ -1708,6 +2362,13 @@ \texttt{-P $<$snaplen$>$} or \texttt{--snaplen $<$snaplen$>$} options.\\ \hline +\texttt{config so\_rule\_memcap: } & Set global memcap in bytes for +so rules that dynamically allocate memory for storing session data in the +stream preprocessor. A value of 0 disables the memcap. Default is 0. +Maximum value is the maximum value an unsigned 32 bit integer can hold +which is 4294967295 or 4GB.\\ + +\hline \texttt{config stateful} & Sets assurance mode for stream (stream is established). \\ 
@@ -1745,6 +2406,12 @@ \\ \hline +\texttt{config vlan\_agnostic} & Causes Snort to ignore vlan headers for the purposes of connection tracking. This option is only valid in the base configuration when using multiple configurations, and the default is off. \\ + +\hline +\texttt{config policy\_mode: tap|inline|inline\_test} & Sets the policy mode to either \texttt{passive}, \texttt{inline} or \texttt{inline\_test}. \\ + +\hline \end{longtable} \end{center} @@ -1757,7 +2424,7 @@ can be modified or analyzed in an out-of-band manner using this mechanism. Preprocessors are loaded and configured using the {\tt preprocessor} keyword. -The format of the preprocessor directive in the Snort rules file is: +The format of the preprocessor directive in the Snort config file is: \begin{verbatim} preprocessor : 
@@ -1767,23 +2434,17 @@ \label{frag3 section} The frag3 preprocessor is a target-based IP defragmentation module for Snort. -Frag3 is intended as a replacement for the frag2 defragmentation module and was -designed with the following goals: +Frag3 is designed with the following goals: \begin{slist} -\item Faster execution than frag2 with less complex data management. +\item Fast execution with less complex data management. \item Target-based host modeling anti-evasion techniques. \end{slist} -The frag2 preprocessor used splay trees extensively for managing the data -structures associated with defragmenting packets. Splay trees are excellent -data structures to use when you have some assurance of locality of reference -for the data that you are handling but in high speed, heavily fragmented -environments the nature of the splay trees worked against the system and -actually hindered performance. Frag3 uses the sfxhash data structure and -linked lists for data handling internally which allows it to have much more -predictable and deterministic performance in any environment which should aid -us in managing heavily fragmented environments. +Frag3 uses the sfxhash data structure and linked lists for data handling +internally which allows it to have much more predictable and deterministic +performance in any environment which should aid us in managing heavily +fragmented environments. Target-based analysis is a relatively new concept in network-based intrusion detection. The idea of a target-based system is to model the actual targets on 
@@ -1792,7 +2453,7 @@ are usually implemented by people who read the RFCs and then write their interpretation of what the RFC outlines into code. Unfortunately, there are ambiguities in the way that the RFCs define some of the edge conditions that -may occurr and when this happens different people implement certain aspects of +may occur and when this happens different people implement certain aspects of their IP stacks differently. For an IDS this is a big problem. In an environment where the attacker can determine what style of IP @@ -1825,11 +2486,10 @@ \subsubsection{Frag 3 Configuration} -Frag3 configuration is somewhat more complex than frag2. There are at least -two preprocessor directives required to activate frag3, a global configuration -directive and an engine instantiation. There can be an arbitrary number of -engines defined at startup with their own configuration, but only one global -configuration. +There are at least two preprocessor directives required to activate frag3, +a global configuration directive and an engine instantiation. There can +be an arbitrary number of engines defined at startup with their own +configuration, but only one global configuration. \textbf{Global Configuration} 
@@ -1848,8 +2508,21 @@ \item \texttt{memcap $<$bytes$>$} - Memory cap for self preservation. Default is 4MB. -\item \texttt{prealloc\_frags $<$number$>$} - Alternate memory management mode. -Use preallocated fragment nodes (faster in some situations). +\item \texttt{prealloc\_memcap $<$bytes$>$} - alternate memory management mode, +use preallocated fragment nodes based on a memory cap (faster in some +situations). + +\item \texttt{prealloc\_frags $<$number$>$} - Alternate memory management mode, +use preallocated fragment nodes (faster in some situations). + +\item \texttt{disabled} - This optional keyword is allowed with any +policy to avoid packet processing. This option disables the preprocessor +for this config, but not for other instances of multiple configurations. +Use the disable keyword in the base configuration to specify values for the +options \texttt{memcap}, \texttt{prealloc\_memcap}, and \texttt{prealloc\_frags} +without having the preprocessor inspect traffic for traffic applying to the base +configuration. The other options are parsed but not used. Any valid +configuration may have "disabled" added to it. \end{itemize} \end{itemize} @@ -1870,7 +2543,7 @@ 60 seconds. \item \texttt{min\_ttl $<$value$>$} - Minimum acceptable TTL value for a -fragment packet. Default is 1. +fragment packet. Default is 1. The accepted range for this option is 1 - 255. \item \texttt{detect\_anomalies} - Detect fragment anomalies. 
@@ -1879,19 +2552,20 @@ the IP List. Default value is \texttt{all}. \item \texttt{overlap\_limit } - Limits the number of overlapping -fragments per packet. The default is "0" (unlimited), the minimum is "0", and -the maximum is "255". This is an optional parameter. detect\_anomalies option -must be configured for this option to take effect. +fragments per packet. The default is "0" (unlimited). This config option takes +values equal to or greater than zero. This is an optional parameter. +detect\_anomalies option must be configured for this option to take effect. \item \texttt{min\_fragment\_length } - Defines smallest fragment size (payload size) that should be considered valid. Fragments smaller than or equal to this limit are considered malicious and an event is raised, if detect\_anomalies is also configured. The default is "0" (unlimited), the -minimum is "0", and the maximum is "255". This is an optional parameter. -detect\_anomalies option must be configured for this option to take effect. +minimum is "0". This is an optional parameter. detect\_anomalies option +must be configured for this option to take effect. \item \texttt{policy $<$type$>$} - Select a target-based defragmentation mode. -Available types are first, last, bsd, bsd-right, linux. Default type is bsd. +Available types are first, last, bsd, bsd-right, linux, windows and solaris. +Default type is bsd. The Paxson Active Mapping paper introduced the terminology frag3 is using to describe policy types. The known mappings are as follows. Anyone who develops @@ -1965,7 +2639,7 @@ \hline Vax/VMS & BSD \\ \hline - Windows (95/98/NT4/W2K/XP) & First\\ + Windows (95/98/NT4/W2K/XP) & Windows\\ \hline \end{tabular} 
@@ -2044,6 +2718,21 @@ For example, a few operating systems allow data in TCP SYN packets, while others do not. +\subsubsection{Protocol Aware Flushing} + +Protocol aware flushing of HTTP, SMB and DCE/RPC can be enabled with this option: + +\begin{verbatim} +config paf_max: +\end{verbatim} + +where \texttt{} is between zero (off) and 63780. This allows Snort to +statefully scan a stream and reassemble a complete PDU regardless of +segmentation. For example, multiple PDUs within a single TCP segment, as well +as one PDU spanning multiple TCP segments will be reassembled into one PDU per +packet for each PDU. PDUs larger than the configured maximum will be split +into multiple packets. + \subsubsection{Stream5 Global Configuration} Global settings for the Stream5 preprocessor. @@ -2054,8 +2743,9 @@ [memcap ], \ [track_udp ], [max_udp ], \ [track_icmp ], [max_icmp ], \ + [track_ip ], [max_ip ], \ [flush_on_alert], [show_rebuilt_packets], \ - [prune_log_max ] + [prune_log_max ], [disabled] \end{verbatim} \begin{center} @@ -2073,8 +2763,8 @@ \hline \texttt{max\_tcp } & -Maximum simultaneous TCP sessions tracked. The default is "256000", maximum is -"1052672", minimum is "1".\\ +Maximum simultaneous TCP sessions tracked. The default is "262144", maximum is +"1048576", minimum is "1".\\ \hline \texttt{memcap } & 
@@ -2090,24 +2780,43 @@ \hline \texttt{max\_udp } & -Maximum simultaneous UDP sessions tracked. The default is "128000", maximum is -"1052672", minimum is "1".\\ +Maximum simultaneous UDP sessions tracked. The default is "131072", maximum is +"1048576", minimum is "1".\\ \hline \texttt{track\_icmp } & -Track sessions for ICMP. The default is "yes".\\ +Track sessions for ICMP. The default is "no".\\ \hline \texttt{max\_icmp } & -Maximum simultaneous ICMP sessions tracked. The default is "64000", maximum is -"1052672", minimum is "1".\\ +Maximum simultaneous ICMP sessions tracked. The default is "65536", maximum is +"1048576", minimum is "1".\\ + +\hline +\texttt{track\_ip } & + +Track sessions for IP. The default is "no". Note that "IP" includes all +non-TCP/UDP traffic over IP including ICMP if ICMP not otherwise configured.\\ + +\hline +\texttt{max\_ip } & + +Maximum simultaneous IP sessions tracked. The default is "16384", maximum is +"1048576", minimum is "1".\\ + +\hline +\texttt{disabled} & + +Option to disable the stream5 tracking. By default this option is turned off. +When the preprocessor is disabled only the options memcap, max\_tcp, max\_udp +and max\_icmp are applied when specified with the configuration.\\ \hline \texttt{flush\_on\_alert} & -Backwards compatibilty. Flush a TCP stream when an alert is generated on that +Backwards compatibility. Flush a TCP stream when an alert is generated on that stream. The default is set to off.\\ \hline @@ -2120,8 +2829,8 @@ \texttt{prune\_log\_max } & Print a message when a session terminates that was consuming more than the -specified number of bytes. The default is "1048576" (1MB), minimum is "0" -(unlimited), maximum is not bounded, other than by the memcap.\\ +specified number of bytes. The default is "1048576" (1MB), minimum can be either "0" +(disabled) or if not disabled the minimum is "1024" and maximum is "1073741824".\\ \hline \end{tabular} 
@@ -2130,21 +2839,23 @@ \subsubsection{Stream5 TCP Configuration} Provides a means on a per IP address target to configure TCP policy. This can -have multiple occurances, per policy that is bound to an IP address or network. +have multiple occurrences, per policy that is bound to an IP address or network. One default policy must be specified, and that policy is not bound to an IP address or network. \begin{verbatim} preprocessor stream5_tcp: \ - [bind_to ], [timeout ], \ - [policy ], [min_ttl ], \ + [bind_to ], \ + [timeout ], [policy ], \ [overlap_limit ], [max_window ], \ [require_3whs []], [detect_anomalies], \ [check_session_hijacking], [use_static_footprint_sizes], \ [dont_store_large_packets], [dont_reassemble_async], \ [max_queued_bytes ], [max_queued_segs ], \ + [small_segments bytes [ignore_ports number [number]*]], \ [ports ], \ - [ignore_any_rules] + [protocol ], \ + [ignore_any_rules], [flush_factor ] \end{verbatim} \begin{longtable}[h]{| p{2in} | p{4in} |} @@ -2220,12 +2931,6 @@ \end{tabular}\\ \hline -\texttt{min\_ttl } & - -Minimum TTL. The default is "1", the minimum is "1" and the maximum is "255". -\\ - -\hline \texttt{overlap\_limit } & Limits the number of overlapping packets per session. The default is "0" @@ -2303,6 +3008,18 @@ enforced.\\ \hline +\texttt{small\_segments bytes [ignore\_ports ]} & + +Configure the maximum small segments queued. This feature requires that +detect\_anomalies be enabled. The first number is the number of consecutive segments +that will trigger the detection rule. The default value is "0" (disabled), with a +maximum of "2048". The second number is the minimum bytes for a segment to be +considered "small". The default value is "0" (disabled), with a maximum of "2048". +ignore\_ports is optional, defines the list of ports in which will be ignored for +this rule. The number of ports can be up to "65535". A message is written to +console/syslog when this limit is enforced.\\ + +\hline \texttt{ports } & 
@@ -2313,6 +3030,18 @@ maximum allowed is "65535".\\ \hline +\texttt{protocol } & + + +Specify the client, server, or both and list of services in which to perform +reassembly. This can appear more than once in a given config. The default +settings are \texttt{ports client ftp telnet smtp nameserver dns http pop3 +sunrpc dcerpc netbios-ssn imap login shell mssql oracle cvs mysql}. The +service names can be any of those used in the host attribute table (see +\ref{targetbased}), including any of the internal defaults (see +\ref{attribute:service names}) or others specific to the network.\\ + +\hline \texttt{ignore\_any\_rules} & Don't process any \texttt{->} any (ports) rules for TCP that attempt to match @@ -2324,6 +3053,13 @@ policy.\\ \hline +\texttt{flush\_factor} & + +Useful in ips mode to flush upon seeing a drop in segment size after N +segments of non-decreasing size. The drop in size often indicates an +end of request or response.\\ + +\hline \end{longtable} \begin{note} @@ -2337,7 +3073,7 @@ \subsubsection{Stream5 UDP Configuration} Configuration for UDP session tracking. Since there is no target based -binding, there should be only one occurance of the UDP configuration. +binding, there should be only one occurrence of the UDP configuration. \begin{verbatim} preprocessor stream5_udp: [timeout ], [ignore_any_rules] @@ -2393,7 +3129,7 @@ \subsubsection{Stream5 ICMP Configuration} Configuration for ICMP session tracking. Since there is no target based -binding, there should be only one occurance of the ICMP configuration. +binding, there should be only one occurrence of the ICMP configuration. \begin{note} 
@@ -2423,6 +3159,39 @@ \end{tabular} \end{center} +\subsubsection{Stream5 IP Configuration} + +Configuration for IP session tracking. Since there is no target based +binding, there should be only one occurrence of the IP configuration. + +\begin{note} + +"IP" includes all non-TCP/UDP traffic over IP including ICMP if ICMP +not otherwise configured. It is not turned on by default. + +\end{note} + +\begin{verbatim} + preprocessor stream5_ip: [timeout ] +\end{verbatim} + +\begin{center} +\begin{tabular}{| l | p{4.5in} |} + +\hline +\textbf{Option} & \textbf{Description}\\ +\hline + +\hline +\texttt{timeout } & + +Session timeout. The default is "30", the minimum is "1", and the maximum is +"86400" (approximately 1 day).\\ + +\hline +\end{tabular} +\end{center} + \subsubsection{Example Configurations} \begin{enumerate} @@ -2458,25 +3227,6 @@ \end{enumerate} -\subsubsection{Alerts} - -Stream5 uses generator ID 129. It is capable of alerting on 8 (eight) -anomalies, all of which relate to TCP anomalies. There are no anomalies -detected relating to UDP or ICMP. - -The list of SIDs is as follows: - -\begin{enumerate} -\item{SYN on established session} -\item{Data on SYN packet} -\item{Data sent on stream not accepting data} -\item{TCP Timestamp is outside of PAWS window} -\item{Bad segment, overlap adjusted size less than/equal 0} -\item{Window size (after scaling) larger than policy allows} -\item{Limit on number of overlapping TCP packets reached} -\item{Data after Reset packet} -\end{enumerate} - \subsection{sfPortscan} The sfPortscan module, developed by Sourcefire, is designed to detect the first 
@@ -2597,7 +3347,7 @@ time window (more on windows below). On TCP scan alerts, sfPortscan will also display any open ports that were scanned. On TCP sweep alerts however, sfPortscan will only track open ports after the alert has been triggered. Open -port events are not individual alerts, but tags based on the orginal scan +port events are not individual alerts, but tags based on the original scan alert. \subsubsection{sfPortscan Configuration} @@ -2642,9 +3392,9 @@ \item \texttt{low} - ``Low'' alerts are only generated on error packets sent from the target host, and because of the nature of error responses, this -setting should see very few false postives. However, this setting will never +setting should see very few false positives. However, this setting will never trigger a Filtered Scan alert because of a lack of error responses. This -setting is based on a static time window of 60 seconds, afterwhich this window +setting is based on a static time window of 60 seconds, after which this window is reset. \item \texttt{medium} - ``Medium'' alerts track connection counts, and so will @@ -2697,6 +3447,14 @@ alerts, especially under heavy load with dropped packets; which is why the option is off by default. +\item \textbf{disabled} + +This optional keyword is allowed with any policy to avoid packet processing. +This option disables the preprocessor. When the preprocessor is disabled +only the memcap option is applied when specified with the configuration. +The other options are parsed but not used. Any valid configuration may have +"disabled" added to it. + \end{slist} \subsubsection{Format} @@ -2708,7 +3466,8 @@ watch_ip \ ignore_scanners \ ignore_scanned \ - logfile + logfile \ + disabled \end{verbatim} \subsubsection{Example} 
@@ -2830,7 +3589,7 @@ \item \textbf{Use the watch\_ip, ignore\_scanners, and ignore\_scanned options.} It's important to correctly set these options. The \texttt{watch\_ip} option -is easy to understand. The analyst should set this option to the list of Cidr +is easy to understand. The analyst should set this option to the list of CIDR blocks and IPs that they want to watch. If no \texttt{watch\_ip} is defined, sfPortscan will watch all network traffic. @@ -2862,7 +3621,7 @@ of this analysis in assigning a scope level and confidence level, but for now the user must manually do this. The easiest way to determine false positives is through simple ratio estimations. The following is a list of ratios to -estimate and the associated values that indicate a legimite scan and not a +estimate and the associated values that indicate a legitimate scan and not a false positive. \textbf{Connection Count / IP Count:} This ratio indicates an estimated @@ -3038,6 +3797,9 @@ \item KPkts/Sec (combined) \end{itemize} +There are over 100 individual statistics included. A header line is output at startup and +rollover that labels each column. + The following options can be used with the performance monitor: \begin{itemize} 
@@ -3047,10 +3809,19 @@ amounts of output. \item \texttt{events} - Turns on event reporting. This prints out statistics -as to the number of signatures that were matched by the setwise pattern matcher -(\textit{non-qualified events}) and the number of those matches that were -verified with the signature flags (\textit{qualified events}). This shows the -user if there is a problem with the rule set that they are running. +as to the number of rules that were evaluated and didn't match +(\textit{non-qualified events}) vs. the number of rules that were evaluated and +matched (\textit{qualified events}). A high \textit{non-qualified event} to +\textit{qualified event} ratio can indicate there are many rules with either +minimal content or no content that are being evaluated without success. The +fast pattern matcher is used to select a set of rules for evaluation based on +the longest \texttt{content} or a \texttt{content} modified with the +\texttt{fast\_pattern} rule option in a rule. Rules with short, generic +contents are more likely to be selected for evaluation than those with +longer, more unique contents. Rules without \texttt{content} are not +filtered via the fast pattern matcher and are always evaluated, so if +possible, adding a \texttt{content} rule option to those rules can decrease the +number of times they need to be evaluated and improve performance. \item \texttt{max} - Turns on the theoretical maximum performance that Snort calculates given the processor speed and current performance. This is only 
@@ -3063,7 +3834,9 @@ that is specified. Not all statistics are output to this file. You may also use \texttt{snortfile} which will output into your defined Snort log directory. Both of these directives can be overridden on the command line with the -\texttt{-Z} or \texttt{--perfmon-file} options. +\texttt{-Z} or \texttt{--perfmon-file} options. At startup, Snort will log +a distinctive line to this file with a timestamp to all readers to easily identify +gaps in the stats caused by Snort not running. \item \texttt{pktcnt} - Adjusts the number of packets to process before checking for the time sample. This boosts performance, since checking the time 
@@ -3080,10 +3853,58 @@ \item \texttt{max\_file\_size} - Defines the maximum size of the comma-delimited file. Before the file exceeds this size, it will be rolled into a new date stamped file of the format YYYY-MM-DD, followed by -YYYY-MM-DD.x, where x will be incremented each time the comma delimiated file +YYYY-MM-DD.x, where x will be incremented each time the comma delimited file is rolled over. The minimum is 4096 bytes and the maximum is 2147483648 bytes (2GB). The default is the same as the maximum. +\item \texttt{flow-ip} - Collects IP traffic distribution statistics based on +host pairs. For each pair of hosts for which IP traffic has been seen, the +following statistics are collected for both directions (A to B and B to A): +\begin{itemize} +\item TCP Packets +\item TCP Traffic in Bytes +\item TCP Sessions Established +\item TCP Sessions Closed +\item UDP Packets +\item UDP Traffic in Bytes +\item UDP Sessions Created +\item Other IP Packets +\item Other IP Traffic in Bytes +\end{itemize} +These statistics are printed and reset at the end of each interval. + +\item \texttt{flow-ip-file} - Prints the flow IP statistics in a +comma-delimited format to the file that is specified. All of the statistics +mentioned above, as well as the IP addresses of the host pairs in +human-readable format, are included. 
+ +Each line in the file will have its values correspond (in order) to those below: +\begin{itemize} +\item IP Address A (String) +\item IP Address B (String) +\item TCP Packets from A to B +\item TCP Traffic in Bytes from A to B +\item TCP Packets from B to A +\item TCP Traffic in Bytes from B to A +\item UDP Packets from A to B +\item UDP Traffic in Bytes from A to B +\item UDP Packets from B to A +\item UDP Traffic in Bytes from B to A +\item Other IP Packets from A to B +\item Other IP Traffic in Bytes from A to B +\item Other IP Packets from B to A +\item Other IP Traffic in Bytes from B to A +\item TCP Sessions Established +\item TCP Sessions Closed +\item UDP Sessions Created +\end{itemize} + +\item \texttt{flow-ip-memcap} - Sets the memory cap on the hash table used to +store IP traffic statistics for host pairs. Once the cap has been reached, the +table will start to prune the statistics for the least recently seen host pairs +to free memory. This value is in bytes and the default value is +52428800 (50MB). + \end{itemize} \subsubsection{Examples} @@ -3093,6 +3914,9 @@ preprocessor perfmonitor: \ time 300 file /var/tmp/snortstat pktcnt 10000 + + preprocessor perfmonitor: \ + time 30 flow-ip flow-ip-file flow-ip-stats.csv pktcnt 1000 \end{verbatim} \subsection{HTTP Inspect} @@ -3127,7 +3951,11 @@ iis_unicode_map \ codemap \ [detect_anomalous_servers] \ - [proxy_alert] + [proxy_alert] \ + [max_gzip_mem ] \ + [compress_depth ] [decompress_depth ] \ + [memcap ] \ + disabled \end{verbatim} You can only have a single global configuration, you'll get an error if you try @@ -3166,7 +3994,7 @@ this on if you don't have a default server configuration that encompasses all of the HTTP server ports that your users might access. In the future, we want to limit this to specific networks so it's more useful, but for right now, this -inspects all network traffic. +inspects all network traffic. This option is turned off by default. \item \texttt{proxy\_alert} 
@@ -3179,6 +4007,82 @@ may get a lot of proxy alerts. So, please only use this feature with traditional proxy environments. Blind firewall proxies don't count. +\item \texttt{compress\_depth $<$integer$>$} +This option specifies the maximum amount of packet payload to decompress. This +value can be set from 1 to 65535. The default for this option is 1460. + +\begin{note} + +Please note, in case of multiple policies, the value specified in the default policy +is used and this value overwrites the values specified in the other policies. In case +of \texttt{unlimited\_decompress} this should be set to its max value. This value should +be specified in the default policy even when the HTTP inspect preprocessor is turned off +using the \texttt{disabled} keyword. + +\end{note} + +\item \texttt{decompress\_depth $<$integer$>$} +This option specifies the maximum amount of decompressed data to obtain from the +compressed packet payload. This value can be set from 1 to 65535. The default for +this option is 2920. + +\begin{note} + +Please note, in case of multiple policies, the value specified in the default policy +is used and this value overwrites the values specified in the other policies. In case +of \texttt{unlimited\_decompress} this should be set to its max value. This value should +be specified in the default policy even when the HTTP inspect preprocessor is turned off +using the \texttt{disabled} keyword. + +\end{note} + +\item \texttt{max\_gzip\_mem $<$integer$>$} + +This option determines (in bytes) the maximum amount of memory the HTTP Inspect +preprocessor will use for decompression. This value can be set from 3276 bytes +to 100MB. This option along with \texttt{compress\_depth} and \texttt{decompress\_depth} +determines the gzip sessions that will be decompressed at any given instant. The default +value for this option is 838860. 
+ +\begin{note} + +This value should be specified in the default policy even when the HTTP inspect preprocessor +is turned off using the \texttt{disabled} keyword. It is suggested to set this value such that +the max gzip session calculated as follows is at least 1. + +max gzip session = \texttt{max\_gzip\_mem} /(\texttt{decompress\_depth} + \texttt{compress\_depth}) + +\end{note} + +\item \texttt{memcap $<$integer$>$} + +This option determines (in bytes) the maximum amount of memory the HTTP Inspect preprocessor +will use for logging the URI and Hostname data. This value can be set from 2304 to 603979776 (576 MB). +This option along with the maximum uri and hostname logging size (which is defined in snort) will +determine the maximum HTTP sessions that will log the URI and hostname data at any given instant. The +maximum size for logging URI data is 2048 and for hostname is 256. The default value for this +option is 150994944 (144 MB). + +\begin {note} + +This value should be specified in the default policy even when the HTTP inspect preprocessor is turned off +using the \texttt{disabled} keyword. In case of multiple policies, the value specified in the +default policy will overwrite the value specified in other policies. + +max http sessions logged = memcap /( max uri logging size + max hostname logging size ) +max uri logging size defined in snort : 2048 +max hostname logging size defined in snort : 256 + +\end{note} + +\item \texttt{disabled} + +This optional keyword is allowed with any policy to avoid packet processing. +This option disables the preprocessor. When the preprocessor is disabled +only the "memcap", "max\_gzip\_mem", "compress\_depth" and "decompress\_depth" +options are applied when specified with the configuration. Other options are +parsed but not used. Any valid configuration may have "disabled" added to it. + \end{slist} \subsubsection{Example Global Configuration} 
@@ -3279,7 +4183,7 @@ \hline iis\_unicode\_map & codepoint map in the global configuration \\ \hline -ascii decoding & on, alert off \\ +ASCII decoding & on, alert off \\ \hline multiple slash & on, alert off \\ \hline @@ -3307,6 +4211,8 @@ \hline max\_header\_length & 0, header length not checked\\ \hline +max\_spaces & 200 \\ +\hline max\_headers & 0, number of headers not checked\\ \hline @@ -3341,7 +4247,7 @@ \hline chunk encoding & alert on chunks larger than 500000 bytes \\ \hline -ascii decoding & on, alert off \\ +ASCII decoding & on, alert off \\ \hline multiple slash & on, alert off \\ \hline @@ -3359,6 +4265,8 @@ \hline max\_header\_length & 0, header length not checked\\ \hline +max\_spaces & 200 \\ +\hline max\_headers & 0, number of headers not checked\\ \hline @@ -3389,13 +4297,13 @@ \hline client\_flow\_depth & 300 \\ \hline -post\_depth & 0 \\ +post\_depth & -1 \\ \hline chunk encoding & alert on chunks larger than 500000 bytes\\ \hline iis\_unicode\_map & codepoint map in the global configuration \\ \hline -ascii decoding & on, alert off \\ +ASCII decoding & on, alert off \\ \hline multiple slash & on, alert off \\ \hline @@ -3421,6 +4329,8 @@ \hline max\_header\_length & 0, header length not checked\\ \hline +max\_spaces & 200 \\ +\hline max\_headers & 0, number of headers not checked\\ \hline @@ -3456,12 +4366,12 @@ server\_flow\_depth & 300 \\ \hline client\_flow\_depth & 300 \\ -post\_depth & 0 \\ \hline +post\_depth & -1 \\ \hline chunk encoding & alert on chunks larger than 500000 bytes\\ \hline -ascii decoding & on, alert off \\ +ASCII decoding & on, alert off \\ \hline utf\_8 encoding & on, alert off\\ \hline @@ -3481,8 +4391,9 @@ \hline max\_header\_length & 0, header length not checked\\ \hline -max\_headers & 0, number of headers not checked\\ +max\_spaces & 200 \\ \hline +max\_headers & 0, number of headers not checked\\ \hline \end{tabular} \end{center} 
@@ -3503,8 +4414,21 @@ \item \texttt{oversize\_dir\_length} \item \texttt{normalize\_headers} \item \texttt{normalize\_cookies} +\item \texttt{normalize\_utf} \item \texttt{max\_header\_length} +\item \texttt{max\_spaces} \item \texttt{max\_headers} +\item \texttt{extended\_response\_inspection} +\item \texttt{enable\_cookie} +\item \texttt{inspect\_gzip} +\item \texttt{unlimited\_decompress} +\item \texttt{normalize\_javascript} +\item \texttt{max\_javascript\_whitespaces} +\item \texttt{enable\_xff} +\item \texttt{http\_methods} +\item \texttt{log\_uri} +\item \texttt{log\_hostname} +\item \texttt{small\_chunk\_length} \end{itemize} These options must be specified after the \texttt{profile} option. 
@@ -3540,23 +4464,193 @@ correct code page by looking at the available code pages that the ms\_unicode\_generator outputs. +\item \texttt{extended\_response\_inspection} + +This enables the extended HTTP response inspection. The default http response +inspection does not inspect the various fields of a HTTP response. By turning +this option the HTTP response will be thoroughly inspected. The different fields +of a HTTP response such as status code, status message, headers, cookie (when +enable\_cookie is configured) and body are extracted and saved into buffers. +Different rule options are provided to inspect these buffers. + +\begin{note} + +When this option is turned on, if the HTTP response packet has a body then any +content pattern matches ( without http modifiers ) will search the response body +((decompressed in case of gzip) and not the entire packet payload. To search for +patterns in the header of the response, one should use the http modifiers with +content such as \texttt{http\_header}, \texttt{http\_stat\_code}, \texttt{http\_stat\_msg} +and \texttt{http\_cookie}. + +\end{note} + +\item \texttt{enable\_cookie} + +This options turns on the cookie extraction from HTTP requests and HTTP response. +By default the cookie inspection and extraction will be turned off. The cookie from +the \texttt{Cookie} header line is extracted and stored in HTTP Cookie buffer for +HTTP requests and cookie from the \texttt{Set-Cookie} is extracted and stored in +HTTP Cookie buffer for HTTP responses. The \texttt{Cookie:} and \texttt{Set-Cookie:} +header names itself along with leading spaces and the CRLF terminating the header +line are stored in the HTTP header buffer and are not stored in the HTTP cookie buffer. + +\begin{verbatim} +Ex: Set-Cookie: mycookie \r\n + +In this case, Set-Cookie: \r\n will be in the HTTP header buffer and the pattern +mycookie will be in the HTTP cookie buffer. 
+ +\end{verbatim} + +\item \texttt{inspect\_gzip} + +This option specifies the HTTP inspect module to uncompress the compressed +data(gzip/deflate) in HTTP response. You should select the config option +"extended\_response\_inspection" before configuring this option. Decompression +is done across packets. So the decompression will end when either the +'compress\_depth' or 'decompress\_depth' is reached or when the compressed data ends. +When the compressed data is spanned across multiple packets, the state of the last +decompressed packet is used to decompressed the data of the next packet. +But the decompressed data are individually inspected. (i.e. the +decompressed data from different packets are not combined while inspecting). +Also the amount of decompressed data that will be inspected depends on the +'server\_flow\_depth' configured. + +Http Inspect generates a preprocessor alert with gid 120 and sid 6 when the decompression +fails. When the decompression fails due to a CRC error encountered by zlib, HTTP Inspect +will also provide the detection module with the data that was decompressed by zlib. + +\begin{note} + +To enable compression of HTTP server response, Snort should be configured +with the --enable-zlib flag. + +\end{note} + +\item \texttt{unlimited\_decompress} + +This option enables the user to decompress unlimited gzip data (across multiple +packets).Decompression will stop when the compressed data ends or when a out of +sequence packet is received. To ensure unlimited decompression, user should set +the 'compress\_depth' and 'decompress\_depth' to its maximum values in the default +policy. The decompression in a single packet is still limited by the 'compress\_depth' +and 'decompress\_depth'. + +\item \texttt{normalize\_javascript} +This option enables the normalization of Javascript within the HTTP response body. +You should select the config option \texttt{extended\_response\_inspection} before configuring +this option. 
When this option is turned on, Http Inspect searches for a Javascript within the +HTTP response body by searching for the + + + +\end{verbatim} + +The above javascript will generate the preprocessor alert with SID 9 and GIDF 120 when \texttt{normalize\_javascript} +is turned on. + +Http Inspect will also generate a preprocessor alert with GID 120 and SID 11 when there are more than one type +of encodings within the escaped/encoded data. + +\begin{verbatim} + +For example: + +unescape("%48\x65%6C%6C%6F%2C%20%73%6E%6F%72%74%20%74%65%61%6D%21"); +String.fromCharCode(0x48, 0x65, 0x6c, 0x6c, 111, 44, 32, 115, 110, 111, 114, 116, 32, 116, 101, 97, 109, 33) + +\\end{verbatim} + +The above obfuscation will generate the preprocessor alert with GID 120 and SID 11. + +This option is turned off by default in HTTP Inspect. + +\item \texttt{max\_javascript\_whitespaces $<$positive integer up to 65535$>$} +This option takes an integer as an argument. The integer determines the maximum number +of consecutive whitespaces allowed within the Javascript obfuscated data in a HTTP +response body. The config option \texttt{normalize\_javascript} should be turned on before configuring + this config option. When the whitespaces in the javascript obfuscated data is equal to or more +than this value a preprocessor alert with GID 120 and SID 10 is generated. The default value for +this option is 200. To enable, specify an integer argument to \texttt{max\_javascript\_spaces} of 1 to 65535. +Specifying a value of 0 is treated as disabling the alert. + +\item \texttt{enable\_xff} + +This option enables Snort to parse and log the original client IP present in the +X-Forwarded-For or True-Client-IP HTTP request headers along with the generated +events. The XFF/True-Client-IP Original client IP address is logged only with +unified2 output and is not logged with console (-A cmg) output. 
+ +\begin{note} + +The original client IP from XFF/True-Client-IP in unified2 logs can be viewed using +the tool u2spewfoo. This tool is present in the tools/u2spewfoo directory of snort +source tree. + +\end{note} + \item \texttt{server\_flow\_depth $<$integer$>$} -This specifies the amount of server response payload to inspect. This option -significantly increases IDS performance because we are ignoring a large part of -the network traffic (HTTP server response payloads). A small percentage of -Snort rules are targeted at this traffic and a small flow\_depth value may -cause false negatives in some of these rules. Most of these rules target -either the HTTP header, or the content that is likely to be in the first -hundred or so bytes of non-header data. Headers are usually under 300 bytes -long, but your mileage may vary. - -This value can be set from -1 to 1460. A value of -1 causes Snort to ignore all -server side traffic for ports defined in \texttt{ports}. Inversely, a value of -0 causes Snort to inspect all HTTP server payloads defined in \texttt{ports} -(note that this will likely slow down IDS performance). Values above 0 tell -Snort the number of bytes to inspect in the first packet of the server -response. +This specifies the amount of server response payload to inspect. When +\texttt{extended\_response\_inspection} is turned on, it is applied to the HTTP response +body (decompressed data when \texttt{inspect\_gzip} is turned on) and not the HTTP headers. +When \texttt{extended\_response\_inspection} is turned off the \texttt{server\_flow\_depth} +is applied to the entire HTTP response (including headers). Unlike \texttt{client\_flow\_depth} +this option is applied per TCP session. This option can be used to balance the needs of +IDS performance and level of inspection of HTTP server response data. Snort rules are +targeted at HTTP server response traffic and when used with a small flow\_depth value +may cause false negatives. 
Most of these rules target either the HTTP header, or +the content that is likely to be in the first hundred or so bytes of non-header data. +Headers are usually under 300 bytes long, but your mileage may vary. +It is suggested to set the \texttt{server\_flow\_depth} to its maximum value. + +This value can be set from -1 to 65535. A value of -1 causes Snort +to ignore all server side traffic for ports defined in \texttt{ports} when +\texttt{extended\_response\_inspection} is turned off. When the \texttt{extended\_response\_inspection} + is turned on, value of -1 causes Snort to ignore the HTTP response body data and + not the HTTP headers. Inversely, a value of 0 causes Snort to inspect all HTTP server +payloads defined in "ports" (note that this will likely slow down IDS +performance). Values above 0 tell Snort the number of bytes to +inspect of the server response (excluding the HTTP headers when \texttt{extended\_response\_inspection} +is turned on) in a given HTTP session. Only packets payloads starting with 'HTTP' will +be considered as the first packet of a server response. If less than flow\_depth bytes +are in the payload of the HTTP response packets in a given session, the entire payload will be +inspected. If more than flow\_depth bytes are in the payload of the HTTP response packet in a session +only flow\_depth bytes of the payload will be inspected for that session. Rules that are meant to +inspect data in the payload of the HTTP response packets in a session beyond 65535 bytes will be +ineffective unless flow\_depth is set to 0. The default value for \texttt{server\_flow\_depth} is 300. +Note that the 65535 byte maximum flow\_depth applies to stream reassembled packets as well. +It is suggested to set the \texttt{server\_flow\_depth} to its maximum value. \begin{note} 
@@ -3567,16 +4661,32 @@ \item \texttt{client\_flow\_depth $<$integer$>$} -This specifies the amount of raw client request payload to inspect. It is -similar to \texttt{server\_flow\_depth} (above), and has a default value of -300. It primarily eliminates Snort fro inspecting larger HTTP Cookies that -appear at the end of many client request Headers. +This specifies the amount of raw client request payload to inspect. This +value can be set from -1 to 1460. Unlike \texttt{server\_flow\_depth} this value is applied +to the first packet of the HTTP request. It is not a session based flow depth. +It has a default value of 300. It primarily eliminates Snort from inspecting +larger HTTP Cookies that appear at the end of many client request Headers. + +A value of -1 causes Snort to ignore all client side traffic for ports +defined in "ports." Inversely, a value of 0 causes Snort to inspect all HTTP client + side traffic defined in "ports" (note that this will likely slow down IDS +performance). Values above 0 tell Snort the number of bytes to +inspect in the first packet of the client request. If less than flow\_depth bytes +are in the TCP payload (HTTP request) of the first packet, the entire payload will be inspected. +If more than flow\_depth bytes are in the payload of the first packet only flow\_depth +bytes of the payload will be inspected. Rules that are meant to +inspect data in the payload of the first packet of a client request beyond 1460 bytes +will be ineffective unless flow\_depth is set to 0. Note that the 1460 byte +maximum flow\_depth applies to stream reassembled packets as well. It is +suggested to set the \texttt{client\_flow\_depth} to its maximum value. \item \texttt{post\_depth $<$integer$>$} -This specifies the amount of data to inspect in a client post message. The -value can be set from 0 to 65495. The default value is 0. This increases the -perfomance by inspecting only specified bytes in the post message. 
+This specifies the amount of data to inspect in a client post message. The +value can be set from -1 to 65495. The default value is -1. A value of -1 +causes Snort to ignore all the data in the post message. Inversely, a value +of 0 causes Snort to inspect all the client post message. This increases +the performance by inspecting only specified bytes in the post message. \item \texttt{ascii $<$yes$|$no$>$} @@ -3585,6 +4695,12 @@ in URLs, so it is recommended that you disable HTTP Inspect alerting for this option. +\item \texttt{extended\_ascii\_uri} + +This option enables the support for extended ASCII codes in the HTTP request +URI. This option is turned off by default and is not supported with any of +the profiles. + \item \texttt{utf\_8 $<$yes$|$no$>$} The \texttt{utf-8} decode option tells HTTP Inspect to decode standard UTF-8 @@ -3620,18 +4736,6 @@ The alert on this decoding should be enabled, because there are no legitimate clients that encode UTF-8 this way since it is non-standard. -\item \texttt{base36 $<$yes$|$no$>$} - -This is an option to decode base36 encoded chars. This option is based on -info from: - -\url{http://www.yk.rim.or.jp/~shikap/patch/spp\_http\_decode.patch}. - -If \%u encoding is enabled, this option will not work. You have to use the -\texttt{base36} option with the \texttt{utf\_8} option. Don't use the \%u -option, because base36 won't work. When \texttt{base36} is enabled, ASCII -encoding is also enabled to enforce correct behavior. - \item \texttt{iis\_unicode $<$yes$|$no$>$} The \texttt{iis\_unicode} option turns on the Unicode codepoint mapping. If 
@@ -3650,8 +4754,8 @@ The \texttt{double\_decode} option is once again IIS-specific and emulates IIS functionality. How this works is that IIS does two passes through the request URI, doing decodes in each one. In the first pass, it seems that all types of -iis encoding is done: utf-8 unicode, ascii, bare byte, and \%u. In the second -pass, the following encodings are done: ascii, bare byte, and \%u. We leave +iis encoding is done: utf-8 unicode, ASCII, bare byte, and \%u. In the second +pass, the following encodings are done: ASCII, bare byte, and \%u. We leave out utf-8 because I think how this works is that the \% encoded utf-8 is decoded to the Unicode byte in the first pass, and then UTF-8 is decoded in the second stage. Anyway, this is really complex and adds tons of different @@ -3730,6 +4834,23 @@ picks up the Apache chunk encoding exploits, and may also alert on HTTP tunneling that uses chunk encoding. +\item \texttt{small\_chunk\_length \{ $<$chunk size$>$ $<$consecutive chunks$>$ \} } + +This option is an evasion detector for consecutive small chunk sizes when +either the client or server use \texttt{Transfer-Encoding: chunked}. +$<$chunk size$>$ specifies the maximum chunk size for which a chunk will be +considered small. $<$consecutive chunks$>$ specifies the number of consecutive +small chunks $<$= $<$chunk size$>$ before an event will be generated. This option +is turned off by default. Maximum values for each are 255 and a $<$chunk size$>$ of 0 +disables. Events generated are gid:119, sid:26 for client small +chunks and gid:120, sid:7 for server small chunks. + +Example: +\begin{verbatim} +small_chunk_length { 10 5 } +\end{verbatim} +Meaning alert if we see 5 consecutive chunk sizes of 10 or less. + \item \texttt{no\_pipeline\_req} This option turns HTTP pipeline decoding off, and is a performance enhancement 
@@ -3802,6 +4923,16 @@ enable, specify an integer argument to max\_header\_length of 1 to 65535. Specifying a value of 0 is treated as disabling the alert. +\item \texttt{max\_spaces $<$positive integer up to 65535$>$} + +This option takes an integer as an argument. The integer determines the maximum number +of whitespaces allowed with HTTP client request line folding. Requests headers +folded with whitespaces equal to or more than this value will cause a +"Space Saturation" alert with SID 26 and GID 119. The default value for this +option is 200. To enable, specify an integer argument to \texttt{max\_spaces} of 1 to 65535. +Specifying a value of 0 is treated as disabling the alert. + + \item \texttt{webroot $<$yes$|$no$>$} This option generates an alert when a directory traversal traverses past the 
@@ -3832,14 +4963,71 @@ configuration parameters as the URI normalization (ie, multi-slash, directory, etc.). It is useful for normalizing data in HTTP Cookies that may be encoded. +\item \texttt{normalize\_utf} + +This option turns on normalization of HTTP response bodies where the Content-Type +header lists the character set as "utf-16le", "utf-16be", "utf-32le", or +"utf-32be". HTTP Inspect will attempt to normalize these back into 8-bit encoding, +generating an alert if the extra bytes are non-zero. + \item \texttt{max\_headers $<$positive integer up to 1024$>$} This option takes an integer as an argument. The integer is the maximum number of HTTP client request header fields. Requests that contain more HTTP Headers than this value will cause a "Max Header" alert. The alert is off by default. -To enable, specify an integer argumnet to max\_headers of 1 to 1024. +To enable, specify an integer argument to max\_headers of 1 to 1024. Specifying a value of 0 is treated as disabling the alert. +\item \texttt{http\_methods $\{ cmd [cmd] \}$ } +This specifies additional HTTP Request Methods outside of those checked by +default within the preprocessor (GET and POST). The list should be enclosed +within braces and delimited by spaces, tabs, line feed or carriage return. +The config option, braces and methods also needs to be separated by braces. + +\begin{verbatim} + http_methods { PUT CONNECT } +\end{verbatim} + +\begin{note} + +Please note the maximum length for a method name is 256. + +\end{note} + +\item \texttt{log\_uri} + +This option enables HTTP Inspect preprocessor to parse the URI data from the +HTTP request and log it along with all the generated events for that session. +Stream5 reassembly needs to be turned on HTTP ports to enable the logging. +If there are multiple HTTP requests in the session, the URI data of the most recent +HTTP request during the alert will be logged. The maximum URI logged is 2048. 
+ +\begin{note} + +Please note, this is logged only with the unified2 output and is not logged +with console output (-A cmg). \texttt{u2spewfoo} can be used to read this data from +the unified2. + +\end{note} + +\item \texttt{log\_hostname} + +This option enables HTTP Inspect preprocessor to parse the hostname data from the +"Host" header of the HTTP request and log it along with all the generated events +for that session. Stream5 reassembly needs to be turned on HTTP ports to enable +the logging. If there are multiple HTTP requests in the session, the Hostname data +of the most recent HTTP request during the alert will be logged. In case of +multiple "Host" headers within one HTTP request, a preprocessor alert with sid 24 is +generated. The maximum hostname length logged is 256. + +\begin{note} + +Please note, this is logged only with the unified2 output and is not logged +with console output (-A cmg). \texttt{u2spewfoo} can be used to read this data from +the unified2. + +\end{note} + \end{slist} \subsubsection{Examples} 
@@ -3993,51 +5181,615 @@ List all commands understood by the preprocessor. This not normally printed out with the configuration because it can print so much data. -\end{slist} +\item \texttt{disabled} -\subsubsection{Example} +Disables the SMTP preprocessor in a config. This is useful when specifying +the decoding depths such as \texttt{b64\_decode\_depth}, \texttt{qp\_decode\_depth}, +\texttt{uu\_decode\_depth}, \texttt{bitenc\_decode\_depth} or the memcap used for +decoding \texttt{max\_mime\_mem} in default config without turning on the SMTP preprocessor. -\begin{verbatim} - preprocessor SMTP: \ - ports { 25 } \ - inspection_type stateful \ - normalize cmds \ - normalize_cmds { EXPN VRFY RCPT } \ - ignore_data \ - ignore_tls_data \ - max_command_line_len 512 \ - max_header_line_len 1024 \ - max_response_line_len 512 \ - no_alerts \ - alt_max_command_line_len 300 { RCPT } \ - invalid_cmds { } \ - valid_cmds { } \ - xlink2state { disable } \ - print_cmds -\end{verbatim} +\item \texttt{b64\_decode\_depth} -\subsubsection{Default} +This config option is used to turn off/on or set the base64 decoding depth used to +decode the base64 encoded MIME attachments. The value ranges from -1 to 65535. +A value of -1 turns off the base64 decoding of MIME attachments. The value of 0 +sets the decoding of base64 encoded MIME attachments to unlimited. A value other +than 0 or -1 restricts the decoding of base64 MIME attachments. A SMTP preprocessor +alert with sid 10 is generated (if enabled) when the decoding fails or when this +decode depth is exceeded. -\begin{verbatim} - preprocessor SMTP: \ - ports { 25 } \ - inspection_type stateful \ - normalize cmds \ - normalize_cmds { EXPN VRFY RCPT } \ - alt_max_command_line_len 260 { MAIL } \ - alt_max_command_line_len 300 { RCPT } \ - alt_max_command_line_len 500 { HELP HELO ETRN } \ - alt_max_command_line_len 255 { EXPN VRFY } -\end{verbatim} +Multiple MIME attachments/data in one packet are pipelined. 
When stateful inspection +is turned on the base64 encoded MIME attachments/data across multiple packets are decoded too. -\subsubsection{Note} +The decoded data is available for detection using the rule option \texttt{file\_data}. +See \ref{sub:file_data} rule option for more details. -\texttt{RCPT TO:} and \texttt{MAIL FROM:} are SMTP commands. For the -preprocessor configuration, they are referred to as RCPT and MAIL, -respectively. Within the code, the preprocessor actually maps RCPT and MAIL to -the correct command name. +This option replaces the deprecated options, \texttt{enable\_mime\_decoding} and +\texttt{max\_mime\_depth}. It is recommended that user inputs a value that is a +multiple of 4. When the value specified is not a multiple of 4, the SMTP preprocessor +will round it up to the next multiple of 4. -\subsection{FTP/Telnet Preprocessor} +In case of multiple configs, the value specified in the non-default config cannot +exceed the value specified in the default config. + +\item \texttt{qp\_decode\_depth} + +This config option is used to turn off/on or set the Quoted-Printable decoding depth +used to decode the Quoted-Printable(QP) encoded MIME attachments. The value ranges +from -1 to 65535. A value of -1 turns off the QP decoding of MIME attachments. +The value of 0 sets the decoding of QP encoded MIME attachments to unlimited. A +value other than 0 or -1 restricts the decoding of QP MIME attachments. A SMTP +preprocessor alert with sid 11 is generated (if enabled) when the decoding fails +or when this decode depth is exceeded. + +Multiple MIME attachments/data in one packet are pipelined. When stateful inspection +is turned on the QP encoded MIME attachments/data across multiple packets are decoded too. + +The decoded data is available for detection using the rule option \texttt{file\_data}. +See \ref{sub:file_data} rule option for more details. 
+ +In case of multiple configs, the value specified in the non-default config cannot exceed +the value specified in the default config. + +\item \texttt{bitenc\_decode\_depth} + +This config option is used to turn off/on or set the 7bit/8bit/binary/text extraction +depth used to extract the 7bit/8bit/binary encoded or plain text MIME attachments. The +value ranges from -1 to 65535. A value of -1 turns off the extraction of these MIME +attachments. The value of 0 sets the extraction of these MIME attachments to unlimited. +A value other than 0 or -1 restricts the extraction of these MIME attachments. A SMTP +preprocessor alert with sid 12 is generated (if enabled) when this extraction depth is exceeded. + +Multiple MIME attachments/data in one packet are pipelined. When stateful inspection +is turned on the 7bit/8bit/binary/text MIME attachments/data across multiple packets are extracted too. + +The extracted data is available for detection using the rule option \texttt{file\_data}. +See \ref{sub:file_data} rule option for more details. + +In case of multiple configs, the value specified in the non-default config cannot exceed +the value specified in the default config. + +\item \texttt{uu\_decode\_depth} + +This config option is used to turn off/on or set the Unix-to-Unix decoding depth +used to decode the Unix-to-Unix(UU) encoded attachments. The value ranges +from -1 to 65535. A value of -1 turns off the UU decoding of SMTP attachments. +The value of 0 sets the decoding of UU encoded SMTP attachments to unlimited. A +value other than 0 or -1 restricts the decoding of UU SMTP attachments. A SMTP +preprocessor alert with sid 13 is generated (if enabled) when the decoding fails +or when this decode depth is exceeded. + +Multiple UU attachments/data in one packet are pipelined. When stateful inspection +is turned on the UU encoded SMTP attachments/data across multiple packets are decoded too. 
+ +The decoded data is available for detection using the rule option \texttt{file\_data}. +See \ref{sub:file_data} rule option for more details. + +In case of multiple configs, the value specified in the non-default config cannot exceed +the value specified in the default config. + +\item \texttt{enable\_mime\_decoding} + +Enables Base64 decoding of Mime attachments/data. Multiple base64 encoded MIME +attachments/data in one packet are pipelined. When stateful inspection is turned +on the base64 encoded MIME attachments/data across multiple packets are decoded too. +The decoding of base64 encoded attachments/data ends when either the +\texttt{max\_mime\_depth} or maximum MIME sessions (calculated using +\texttt{max\_mime\_depth} and \texttt{max\_mime\_mem}) is reached or when the +encoded data ends. The decoded data is available for detection using the rule option +\texttt{file\_data}. See \ref{sub:file_data} rule option for more details. + +This option is deprecated. Use the option \texttt{b64\_decode\_depth} to turn off +or on the base64 decoding instead. + +\item \texttt{max\_mime\_depth } + +Specifies the maximum number of base64 encoded data to decode per SMTP session. +The option take values ranging from 4 to 20480 bytes. The default value for this +in snort in 1460 bytes. + +It is recommended that user inputs a value that is a multiple of 4. When the value +specified is not a multiple of 4, the SMTP preprocessor will round it up to the next +multiple of 4. + +This option is deprecated. Use the option \texttt{b64\_decode\_depth} to turn off +or on the base64 decoding instead. + +\item \texttt{max\_mime\_mem } + +This option determines (in bytes) the maximum amount of memory the SMTP preprocessor +will use for decoding base64 encoded/quoted-printable/7bit/8bit/binary MIME attachments/data +or Unix-to-Unix encoded attachments. This value can be set from 3276 bytes to 100MB. 
+ +This option along with the maximum of the decoding depths will determine the SMTP +sessions that will be decoded at any given instant. The default value for this option +is 838860. + +Note: It is suggested to set this value such that the max smtp session calculated as +follows is atleast 1. + +max smtp session = \texttt{max\_mime\_mem} /(2 * max of (\texttt{b64\_decode\_depth}, + \texttt{uu\_decode\_depth}, \texttt{qp\_decode\_depth} + or \texttt{bitenc\_decode\_depth})) + +For example, if \texttt{b64\_decode\_depth} is 0 (indicates unlimited decoding) and +\texttt{qp\_decode\_depth} is 100, then + +max smtp session = \texttt{max\_mime\_mem}/2*65535 (max value for \texttt{b64\_decode\_depth}) + +In case of multiple configs, the \texttt{max\_mime\_mem} of the non-default configs will be overwritten by the +default config's value. Hence user needs to define it in the default config with the new keyword +disabled (used to disable SMTP preprocessor in a config). + +When the memcap for decoding (\texttt{max\_mime\_mem}) is exceeded the SMTP preprocessor alert with sid 9 is +generated (when enabled) + +\item \texttt{log\_mailfrom} +This option enables SMTP preprocessor to parse and log the sender's email address extracted +from the "MAIL FROM" command along with all the generated events for that session. The maximum +number of bytes logged for this option is 1024. + +Please note, this is logged only with the unified2 output and is not logged with console output (-A cmg). +u2spewfoo can be used to read this data from the unified2. + +\item \texttt{log\_rcptto} +This option enables SMTP preprocessor to parse and log the recipient's email addresses +extracted from the "RCPT TO" command along with all the generated events for that session. +Multiple recipients are appended with commas. The maximum number of bytes logged for this option is 1024. + +Please note, this is logged only with the unified2 output and is not logged with console output (-A cmg). 
+ u2spewfoo can be used to read this data from the unified2. + +\item \texttt{log\_filename} +This option enables SMTP preprocessor to parse and log the MIME attachment filenames extracted +from the Content-Disposition header within the MIME body along with all the generated events +for that session. Multiple filenames are appended with commas. The maximum number of bytes logged +for this option is 1024. + +Please note, this is logged only with the unified2 output and is not logged with the +console output (-A cmg). u2spewfoo can be used to read this data from the unified2. + +\item \texttt{log\_email\_hdrs} +This option enables SMTP preprocessor to parse and log the SMTP email headers extracted from +SMTP data along with all generated events for that session. The number of bytes extracted and +logged depends upon the \texttt{email\_hdrs\_log\_depth}. + +Please note, this is logged only with the unified2 output and is not logged with the console output (-A cmg). +u2spewfoo can be used to read this data from the unified2. + +\item \texttt{email\_hdrs\_log\_depth } +This option specifies the depth for logging email headers. The allowed range for this option is +0 - 20480. A value of 0 will disable email headers logging. The default value for this option is 1464. + +Please note, in case of multiple policies, the value specified in the default policy is used and the values +specified in the targeted policies are overwritten by the default value. +This option must be configured in the default policy even if the SMTP configuration is disabled. + +\item \texttt{memcap } +This option determines in bytes the maximum amount of memory the SMTP preprocessor will +use for logging of filename, MAIL FROM addresses, RCPT TO addresses and email headers. This value +along with the buffer size used to log MAIL FROM, RCPT TO, filenames and \texttt{email\_hdrs\_log\_depth} +will determine the maximum SMTP sessions that will log the email headers at any given time. 
When this memcap +is reached SMTP will stop logging the filename, MAIL FROM address, RCPT TO addresses and email headers +until memory becomes available. + +Max SMTP sessions logging email headers at any given time + = memcap/(1024 + 1024 + 1024 + \texttt{email\_hdrs\_log\_depth}) + +The size 1024 is the maximum buffer size used for logging filename, RCPTTO and MAIL FROM addresses. + +Default value for this option is 838860. The allowed range for this option is 3276 to 104857600. +The value specified in the default config is used when this option is specified in multiple configs. +This option must be configured in the default config even if the SMTP configuration is disabled. + +Please note, in case of multiple policies, the value specified in the default policy is used and the values +specified in the targeted policies are overwritten by the default value. +This option must be configured in the default policy even if the SMTP configuration is disabled. + +\end{slist} + +\subsubsection{Example} + +\begin{verbatim} + preprocessor SMTP: \ + ports { 25 } \ + inspection_type stateful \ + normalize cmds \ + normalize_cmds { EXPN VRFY RCPT } \ + ignore_data \ + ignore_tls_data \ + max_command_line_len 512 \ + max_header_line_len 1024 \ + max_response_line_len 512 \ + no_alerts \ + alt_max_command_line_len 300 { RCPT } \ + invalid_cmds { } \ + valid_cmds { } \ + xlink2state { disable } \ + print_cmds \ + log_filename \ + log_email_hdrs \ + log_mailfrom \ + log_rcptto \ + email_hdrs_log_depth 2920 \ + memcap 6000 + + preprocessor SMTP: \ + b64_decode_depth 0\ + max_mime_mem 4000 \ + memcap 6000 \ + email_hdrs_log_depth 2920 \ + disabled +\end{verbatim} + +\subsubsection{Default} + +\begin{verbatim} + preprocessor SMTP: \ + ports { 25 } \ + inspection_type stateful \ + normalize cmds \ + normalize_cmds { EXPN VRFY RCPT } \ + alt_max_command_line_len 260 { MAIL } \ + alt_max_command_line_len 300 { RCPT } \ + alt_max_command_line_len 500 { HELP HELO ETRN } \ + 
alt_max_command_line_len 255 { EXPN VRFY } +\end{verbatim} + +\subsubsection{Note} + +\texttt{RCPT TO:} and \texttt{MAIL FROM:} are SMTP commands. For the +preprocessor configuration, they are referred to as RCPT and MAIL, +respectively. Within the code, the preprocessor actually maps RCPT and MAIL to +the correct command name. + +\subsection{POP Preprocessor} +\label{POP} + +POP is an POP3 decoder for user applications. Given a data buffer, +POP will decode the buffer and find POP3 commands and responses. +It will also mark the command, data header data body sections and +extract the POP3 attachments and decode it appropriately. + +POP will handle stateful processing. It saves state between individual +packets. However maintaining correct state is dependent on the resassembly +of the server side of the stream (ie, a loss of coherent stream data results +in a loss of state). + +Stream5 should be turned on for POP. Please ensure that the POP ports are added + to the stream5 ports for proper reassembly. + +The POP preprocessor uses GID 142 to register events. + +\subsubsection{Configuration} + +The configuration options are described below: + +\begin{slist} + +\item \texttt{ports \{ [] ... \}} + +This specifies on what ports to check for POP data. Typically, this will +include 110. Default ports if none are specified are 110 . + +\item \texttt{disabled} + +Disables the POP preprocessor in a config. This is useful when specifying +the decoding depths such as \texttt{b64\_decode\_depth}, \texttt{qp\_decode\_depth}, +\texttt{uu\_decode\_depth}, \texttt{bitenc\_decode\_depth} or the memcap used for +decoding \texttt{memcap} in default config without turning on the POP preprocessor. + +\item \texttt{b64\_decode\_depth} + +This config option is used to turn off/on or set the base64 decoding depth used to +decode the base64 encoded MIME attachments. The value ranges from -1 to 65535. +A value of -1 turns off the base64 decoding of MIME attachments. 
The value of 0 +sets the decoding of base64 encoded MIME attachments to unlimited. A value other +than 0 or -1 restricts the decoding of base64 MIME attachments. A POP preprocessor +alert with sid 4 is generated (if enabled) when the decoding fails or when this +decode depth is exceeded. + +Multiple MIME attachments/data in one packet are pipelined. When stateful inspection +is turned on the base64 encoded MIME attachments/data across multiple packets are decoded too. + +The decoded data is available for detection using the rule option \texttt{file\_data}. +See \ref{sub:file_data} rule option for more details. + +It is recommended that user inputs a value that is a multiple of 4. When the value specified +is not a multiple of 4, the POP preprocessor will round it up to the next multiple of 4. + +In case of multiple configs, the value specified in the non-default config cannot +exceed the value specified in the default config. + +\item \texttt{qp\_decode\_depth} + +This config option is used to turn off/on or set the Quoted-Printable decoding depth +used to decode the Quoted-Printable(QP) encoded MIME attachments. The value ranges +from -1 to 65535. A value of -1 turns off the QP decoding of MIME attachments. +The value of 0 sets the decoding of QP encoded MIME attachments to unlimited. A +value other than 0 or -1 restricts the decoding of QP MIME attachments. A POP +preprocessor alert with sid 5 is generated (if enabled) when the decoding fails +or when this decode depth is exceeded. + +Multiple MIME attachments/data in one packet are pipelined. When stateful inspection +is turned on the QP encoded MIME attachments/data across multiple packets are decoded too. + +The decoded data is available for detection using the rule option \texttt{file\_data}. +See \ref{sub:file_data} rule option for more details. + +In case of multiple configs, the value specified in the non-default config cannot exceed +the value specified in the default config. 
+ +\item \texttt{bitenc\_decode\_depth} + +This config option is used to turn off/on or set the 7bit/8bit/binary extraction +depth used to extract the 7bit/8bit/binary encoded MIME attachments. The +value ranges from -1 to 65535. A value of -1 turns off the extraction of these MIME +attachments. The value of 0 sets the extraction of these MIME attachments to unlimited. +A value other than 0 or -1 restricts the extraction of these MIME attachments. A POP +preprocessor alert with sid 6 is generated (if enabled) when this extraction depth is exceeded. + +Multiple MIME attachments/data in one packet are pipelined. When stateful inspection +is turned on the 7bit/8bit/binary MIME attachments/data across multiple packets are extracted too. + +The extracted data is available for detection using the rule option \texttt{file\_data}. +See \ref{sub:file_data} rule option for more details. + +In case of multiple configs, the value specified in the non-default config cannot exceed +the value specified in the default config. + +\item \texttt{uu\_decode\_depth} + +This config option is used to turn off/on or set the Unix-to-Unix decoding depth +used to decode the Unix-to-Unix(UU) encoded attachments. The value ranges +from -1 to 65535. A value of -1 turns off the UU decoding of POP attachments. +The value of 0 sets the decoding of UU encoded POP attachments to unlimited. A +value other than 0 or -1 restricts the decoding of UU POP attachments. A POP +preprocessor alert with sid 7 is generated (if enabled) when the decoding fails +or when this decode depth is exceeded. + +Multiple UU attachments/data in one packet are pipelined. When stateful inspection +is turned on the UU encoded POP attachments/data across multiple packets are decoded too. + +The decoded data is available for detection using the rule option \texttt{file\_data}. +See \ref{sub:file_data} rule option for more details. 
+ +In case of multiple configs, the value specified in the non-default config cannot exceed +the value specified in the default config. + +\item \texttt{memcap } + +This option determines (in bytes) the maximum amount of memory the POP preprocessor +will use for decoding base64 encoded/quoted-printable/7bit/8bit/binary MIME attachments/data +or Unix-to-Unix encoded attachments. This value can be set from 3276 bytes to 100MB. + +This option along with the maximum of the decoding depths will determine the POP +sessions that will be decoded at any given instant. The default value for this option +is 838860. + +Note: It is suggested to set this value such that the max pop session calculated as +follows is atleast 1. + +max pop session = \texttt{memcap} /(2 * max of (\texttt{b64\_decode\_depth}, + \texttt{uu\_decode\_depth}, \texttt{qp\_decode\_depth} + or \texttt{bitenc\_decode\_depth})) + +For example, if \texttt{b64\_decode\_depth} is 0 (indicates unlimited decoding) and +\texttt{qp\_decode\_depth} is 100, then + +max pop session = \texttt{memcap}/2*65535 (max value for \texttt{b64\_decode\_depth}) + +In case of multiple configs, the \texttt{memcap} of the non-default configs will be overwritten by the +default config's value. Hence user needs to define it in the default config with the new keyword +disabled (used to disable POP preprocessor in a config). + +When the memcap for decoding (\texttt{memcap}) is exceeded the POP preprocessor alert with sid 3 is +generated (when enabled). 
+ +\end{slist} + +\subsubsection{Example} + +\begin{verbatim} + preprocessor pop: \ + ports { 110 } \ + memcap 1310700 \ + qp_decode_depth -1 \ + b64_decode_depth 0 \ + bitenc_decode_depth 100 + + + preprocessor pop: \ + memcap 1310700 \ + qp_decode_depth 0 \ + disabled +\end{verbatim} + +\subsubsection{Default} + +\begin{verbatim} + preprocessor pop: \ + ports { 110 } \ + b64_decode_depth 1460 \ + qp_decode_depth 1460 \ + bitenc_decode_depth 1460 \ + uu_decode_depth 1460 +\end{verbatim} + +\subsection{IMAP Preprocessor} +\label{IMAP} + +IMAP is an IMAP4 decoder for user applications. Given a data buffer, +IMAP will decode the buffer and find IMAP4 commands and responses. +It will also mark the command, data header data body sections and +extract the IMAP4 attachments and decode it appropriately. + +IMAP will handle stateful processing. It saves state between individual +packets. However maintaining correct state is dependent on the resassembly +of the server side of the stream (ie, a loss of coherent stream data results +in a loss of state). + +Stream5 should be turned on for IMAP. Please ensure that the IMAP ports are added + to the stream5 ports for proper reassembly. + +The IMAP preprocessor uses GID 141 to register events. + +\subsubsection{Configuration} + +The configuration options are described below: + +\begin{slist} + +\item \texttt{ports \{ [] ... \}} + +This specifies on what ports to check for IMAP data. Typically, this will +include 143. Default ports if none are specified are 143 . + +\item \texttt{disabled} + +Disables the IMAP preprocessor in a config. This is useful when specifying +the decoding depths such as \texttt{b64\_decode\_depth}, \texttt{qp\_decode\_depth}, +\texttt{uu\_decode\_depth}, \texttt{bitenc\_decode\_depth} or the memcap used for +decoding \texttt{memcap} in default config without turning on the IMAP preprocessor. 
+ +\item \texttt{b64\_decode\_depth} + +This config option is used to turn off/on or set the base64 decoding depth used to +decode the base64 encoded MIME attachments. The value ranges from -1 to 65535. +A value of -1 turns off the base64 decoding of MIME attachments. The value of 0 +sets the decoding of base64 encoded MIME attachments to unlimited. A value other +than 0 or -1 restricts the decoding of base64 MIME attachments. A IMAP preprocessor +alert with sid 4 is generated (if enabled) when the decoding fails or when this +decode depth is exceeded. + +Multiple MIME attachments/data in one packet are pipelined. When stateful inspection +is turned on the base64 encoded MIME attachments/data across multiple packets are decoded too. + +The decoded data is available for detection using the rule option \texttt{file\_data}. +See \ref{sub:file_data} rule option for more details. + +It is recommended that user inputs a value that is a multiple of 4. When the value specified +is not a multiple of 4, the IMAP preprocessor will round it up to the next multiple of 4. + +In case of multiple configs, the value specified in the non-default config cannot +exceed the value specified in the default config. + +\item \texttt{qp\_decode\_depth} + +This config option is used to turn off/on or set the Quoted-Printable decoding depth +used to decode the Quoted-Printable(QP) encoded MIME attachments. The value ranges +from -1 to 65535. A value of -1 turns off the QP decoding of MIME attachments. +The value of 0 sets the decoding of QP encoded MIME attachments to unlimited. A +value other than 0 or -1 restricts the decoding of QP MIME attachments. A IMAP +preprocessor alert with sid 5 is generated (if enabled) when the decoding fails +or when this decode depth is exceeded. + +Multiple MIME attachments/data in one packet are pipelined. When stateful inspection +is turned on the QP encoded MIME attachments/data across multiple packets are decoded too. 
+ +The decoded data is available for detection using the rule option \texttt{file\_data}. +See \ref{sub:file_data} rule option for more details. + +In case of multiple configs, the value specified in the non-default config cannot exceed +the value specified in the default config. + +\item \texttt{bitenc\_decode\_depth} + +This config option is used to turn off/on or set the 7bit/8bit/binary extraction +depth used to extract the 7bit/8bit/binary encoded MIME attachments. The +value ranges from -1 to 65535. A value of -1 turns off the extraction of these MIME +attachments. The value of 0 sets the extraction of these MIME attachments to unlimited. +A value other than 0 or -1 restricts the extraction of these MIME attachments. A IMAP +preprocessor alert with sid 6 is generated (if enabled) when this extraction depth is exceeded. + +Multiple MIME attachments/data in one packet are pipelined. When stateful inspection +is turned on the 7bit/8bit/binary MIME attachments/data across multiple packets are extracted too. + +The extracted data is available for detection using the rule option \texttt{file\_data}. +See \ref{sub:file_data} rule option for more details. + +In case of multiple configs, the value specified in the non-default config cannot exceed +the value specified in the default config. + +\item \texttt{uu\_decode\_depth} + +This config option is used to turn off/on or set the Unix-to-Unix decoding depth +used to decode the Unix-to-Unix(UU) encoded attachments. The value ranges +from -1 to 65535. A value of -1 turns off the UU decoding of IMAP attachments. +The value of 0 sets the decoding of UU encoded IMAP attachments to unlimited. A +value other than 0 or -1 restricts the decoding of UU IMAP attachments. A IMAP +preprocessor alert with sid 7 is generated (if enabled) when the decoding fails +or when this decode depth is exceeded. + +Multiple UU attachments/data in one packet are pipelined. 
When stateful inspection +is turned on the UU encoded IMAP attachments/data across multiple packets are decoded too. + +The decoded data is available for detection using the rule option \texttt{file\_data}. +See \ref{sub:file_data} rule option for more details. + +In case of multiple configs, the value specified in the non-default config cannot exceed +the value specified in the default config. + +\item \texttt{memcap } + +This option determines (in bytes) the maximum amount of memory the IMAP preprocessor +will use for decoding base64 encoded/quoted-printable/7bit/8bit/binary MIME attachments/data +or Unix-to-Unix encoded attachments. This value can be set from 3276 bytes to 100MB. + +This option along with the maximum of the decoding depths will determine the IMAP +sessions that will be decoded at any given instant. The default value for this option +is 838860. + +Note: It is suggested to set this value such that the max imap session calculated as +follows is atleast 1. + +max imap session = \texttt{memcap} /(2 * max of (\texttt{b64\_decode\_depth}, + \texttt{uu\_decode\_depth}, \texttt{qp\_decode\_depth} + or \texttt{bitenc\_decode\_depth})) + +For example, if \texttt{b64\_decode\_depth} is 0 (indicates unlimited decoding) and +\texttt{qp\_decode\_depth} is 100, then + +max imap session = \texttt{memcap}/2*65535 (max value for \texttt{b64\_decode\_depth}) + +In case of multiple configs, the \texttt{memcap} of the non-default configs will be overwritten by the +default config's value. Hence user needs to define it in the default config with the new keyword +disabled (used to disable IMAP preprocessor in a config). + +When the memcap for decoding (\texttt{memcap}) is exceeded the IMAP preprocessor alert with sid 3 is +generated (when enabled). 
+ +\end{slist} + +\subsubsection{Example} + +\begin{verbatim} + preprocessor imap: \ + ports { 110 } \ + memcap 1310700 \ + qp_decode_depth -1 \ + b64_decode_depth 0 \ + bitenc_decode_depth 100 + + + preprocessor imap: \ + memcap 1310700 \ + qp_decode_depth 0 \ + disabled +\end{verbatim} + +\subsubsection{Default} + +\begin{verbatim} + preprocessor imap: \ + ports { 110 } \ + b64_decode_depth 1460 \ + qp_decode_depth 1460 \ + bitenc_decode_depth 1460 \ + uu_decode_depth 1460 +\end{verbatim} + +\subsection{FTP/Telnet Preprocessor} \label{sub:ftptelnet} FTP/Telnet is an improvement to the Telnet decoder and provides stateful @@ -4049,7 +5801,7 @@ FTP/Telnet has the capability to handle stateless processing, meaning it only looks for information on a packet-by-packet basis. -The default is to run FTP/Telent in stateful inspection mode, meaning it looks +The default is to run FTP/Telnet in stateful inspection mode, meaning it looks for information and handles reassembled data correctly. FTP/Telnet has a very ``rich'' user configuration, similar to that of HTTP @@ -4109,7 +5861,7 @@ \item \texttt{check\_encrypted} -Instructs the the preprocessor to continue to check an encrypted session for a +Instructs the preprocessor to continue to check an encrypted session for a subsequent command to cease encryption. \end{slist} @@ -4154,7 +5906,7 @@ This option tells the preprocessor to normalize the telnet traffic by eliminating the telnet escape sequences. It functions similarly to its predecessor, the telnet\_decode preprocessor. Rules written with 'raw' content -options will ignore the normailzed buffer that is created when this option is +options will ignore the normalized buffer that is created when this option is in use. \item \texttt{ayt\_attack\_thresh $<$ number $>$} 
@@ -4168,7 +5920,7 @@ In order to support certain options, Telnet supports subnegotiation. Per the Telnet RFC, subnegotiation begins with SB (subnegotiation begin) and must end with an SE (subnegotiation end). However, certain implementations of Telnet -servers will ignore the SB without a cooresponding SE. This is anomalous +servers will ignore the SB without a corresponding SE. This is anomalous behavior which could be an evasion case. Being that FTP uses the Telnet protocol on the control connection, it is also susceptible to this behavior. The \texttt{detect\_anomalies} option enables alerting on Telnet SB without the @@ -4493,6 +6245,17 @@ bounce_to { 192.168.1.1,20020 192.168.1.2,20030 } \end{verbatim} +\item Allows bounces to IPv6 address fe8::5 port 59340. + +\begin{note} +IPv6 support must be enabled. +\end{note} + +\begin{verbatim} + bounce_to { fe8::5,59340 } +\end{verbatim} + + \end{itemize} \item \texttt{telnet\_cmds $<$yes|no$>$} 
@@ -4581,18 +6344,21 @@ The number of encrypted packets that Snort will inspect before ignoring a given SSH session. The SSH vulnerabilities that Snort can detect all happen at the very beginning of an SSH session. Once max\_encrypted\_packets packets have been -seen, Snort ignores the session to increase performance. +seen, Snort ignores the session to increase performance. The default is set to 25. +This value can be set from 0 to 65535. \item \texttt{max\_client\_bytes $<$ number $>$} The number of unanswered bytes allowed to be transferred before alerting on Challenge-Response Overflow or CRC 32. This number must be hit before max\_encrypted\_packets packets are sent, or else Snort will ignore the traffic. +The default is set to 19600. This value can be set from 0 to 65535. \item \texttt{max\_server\_version\_len $<$ number $>$} The maximum number of bytes allowed in the SSH server version string before -alerting on the Secure CRT server version string overflow. +alerting on the Secure CRT server version string overflow. The default is set to +80. This value can be set from 0 to 255. \item \texttt{autodetect} @@ -4632,7 +6398,7 @@ The SSH preprocessor should work by default. After max\_encrypted\_packets is reached, the preprocessor will stop processing traffic for a given session. If -Challenge-Respone Overflow or CRC 32 false positive, try increasing the number +Challenge-Response Overflow or CRC 32 false positive, try increasing the number of required client bytes with max\_client\_bytes. \subsubsection{Example Configuration from snort.conf} 
@@ -4649,228 +6415,63 @@ enable_ssh1crc32 \end{verbatim} -\subsection{DCE/RPC} -\label{sub:dcerpc} +\subsection{DNS} +\label{sub:dns} -The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic. It is -primarily interested in DCE/RPC requests, and only decodes SMB to get to the -potential DCE/RPC requests carried by SMB. - -Currently, the preprocessor only handles desegmentation (at SMB and TCP layers) -and defragmentation of DCE/RPC. Snort rules can be evaded by using both types -of fragmentation. With the preprocessor enabled, the rules are given -reassembled DCE/RPC data to examine. - -At the SMB layer, only segmentation using WriteAndX is currently reassembled. -Other methods will be handled in future versions of the preprocessor. - -Autodetection of SMB is done by looking for "\verb!\xFFSMB!" at the start of -the SMB data, as well as checking the NetBIOS header (which is always present -for SMB) for the type "Session Message". - -Autodetection of DCE/RPC is not as reliable. Currently, two bytes are checked -in the packet. Assuming that the data is a DCE/RPC header, one byte is checked -for DCE/RPC version 5 and another for a DCE/RPC PDU type of Request. If both -match, the preprocessor proceeds with the assumption that it is looking at -DCE/RPC data. If subsequent checks are nonsensical, it ends processing. +The DNS preprocessor decodes DNS Responses and can detect the following +exploits: DNS Client RData Overflow, Obsolete Record Types, and Experimental +Record Types. -\subsubsection{Configuration} +DNS looks at DNS Response traffic over UDP and TCP and it requires Stream +preprocessor to be enabled for TCP decoding. -The proprocessor has several optional configuration options. They are -described below: +\subsubsection{Configuration} -\begin{itemize} +By default, all alerts are disabled and the preprocessor checks traffic on port +53. -\item \texttt{autodetect} -\newline +The available configuration options are described below. 
-In addition to configured ports, try to autodetect DCE/RPC sessions. Note that -DCE/RPC can run on practically any port in addition to the more common ports. -This option is not configured by default. +\begin{slist} -\item \texttt{ports smb \{ $<$port$>$ [<$port$> <...>] \}} -\newline +\item \texttt{ports $\{ <$port$> [<$port$> <...>] \}$} -Ports that the preprocessor monitors for SMB traffic. Default are ports 139 -and 445. +This option specifies the source ports that the DNS preprocessor should inspect +traffic. -\item \texttt{ports dcerpc \{ $<$port$>$ [<$port$> <...>] \}} -\newline +\item \texttt{enable\_obsolete\_types} -Ports that the preprocessor monitors for DCE/RPC over TCP traffic. Default is -port 135. +Alert on Obsolete (per RFC 1035) Record Types -\item \texttt{disable\_smb\_frag} -\newline +\item \texttt{enable\_experimental\_types} -Do not do SMB desegmentation. Unless you are experiencing severe performance -issues, this option should not be configured as SMB segmentation provides for -an easy evasion opportunity. This option is not configured by default. +Alert on Experimental (per RFC 1035) Record Types -\item \texttt{disable\_dcerpc\_frag} -\newline +\item \texttt{enable\_rdata\_overflow} -Do not do DCE/RPC defragmentation. Unless you are experiencing severe -performance issues, this option should not be configured as DCE/RPC -fragmentation provides for an easy evasion opportunity. This option is not -configured by default. +Check for DNS Client RData TXT Overflow -\item \texttt{max\_frag\_size $<$number$>$} -\newline +\end{slist} -Maximum DCE/RPC fragment size to put in defragmentation buffer, in bytes. -Default is 3000 bytes. +The DNS preprocessor does nothing if none of the 3 vulnerabilities it checks +for are enabled. It will not operate on TCP sessions picked up midstream, and +it will cease operation on a session if it loses state because of missing data +(dropped packets). 
-\item \texttt{memcap $<$number$>$} -\newline +\subsubsection{Examples/Default Configuration from snort.conf} -Maximum amount of memory available to the DCE/RPC preprocessor for -desegmentation and defragmentation, in kilobytes. Default is 100000 kilobytes. +Looks for traffic on DNS server port 53. Check for the DNS Client RData +overflow vulnerability. Do not alert on obsolete or experimental RData record +types. -\item \texttt{alert\_memcap} -\newline +\begin{verbatim} + preprocessor dns: \ + ports { 53 } \ + enable_rdata_overflow +\end{verbatim} -Alert if memcap is exceeded. This option is not configured by default. - -\item \texttt{reassemble\_increment $<$number$>$} -\newline - -This option specifies how often the preprocessor should create a reassembled -packet to send to the detection engine with the data that's been accrued in the -segmentation and fragmentation reassembly buffers, before the final -desegmentation or defragmentation of the DCE/RPC request takes place. This -will potentially catch an attack earlier and is useful if in inline mode. -Since the preprocessor looks at TCP reassembled packets (to avoid TCP overlaps -and segmentation evasions), the last packet of an attack using DCE/RPC -segmented/fragmented evasion techniques may have already gone through before -the preprocessor looks at it, so looking at the data early will likely catch -the attack before all of the exploit data has gone through. Note, however, -that in using this option, Snort will potentially take a performance hit. Not -recommended if Snort is running in passive mode as it's not really needed. The -argument to the option specifies how often the preprocessor should create a -reassembled packet if there is data in the segmentation/fragmentation buffers. -If not specified, this option is disabled. A value of 0 will in effect disable -this option as well. 
- -\end{itemize} - -\subsubsection{Configuration Examples} - -In addition to defaults, autodetect SMB and DCE/RPC sessions on non-configured -ports. Don't do desegmentation on SMB writes. Truncate DCE/RPC fragment if -greater than 4000 bytes. - -\begin{verbatim} - preprocessor dcerpc: \ - autodetect \ - disable_smb_frag \ - max_frag_size 4000 -\end{verbatim} - -In addition to defaults, don't do DCE/RPC defragmentation. Set memory cap for -desegmentation/defragmentation to 50,000 kilobytes. (Since no DCE/RPC -defragmentation will be done the memory cap will only apply to desegmentation.) - -\begin{verbatim} - preprocessor dcerpc: \ - disable_dcerpc_frag \ - memcap 50000 -\end{verbatim} - -In addition to the defaults, detect on DCE/RPC (or TCP) ports 135 and 2103 -(overrides default). Set memory cap for desegmentation/defragmentation to -200,000 kilobytes. Create a reassembly packet every time through the -preprocessor if there is data in the desegmentation/defragmentation buffers. - -\begin{verbatim} - preprocessor dcerpc: \ - ports dcerpc { 135 2103 } \ - memcap 200000 \ - reassemble_increment 1 -\end{verbatim} - -\subsubsection{Default Configuration} - -If no options are given to the preprocessor, the default configuration will -look like: - -\begin{verbatim} - preprocessor dcerpc: \ - ports smb { 139 445 } \ - ports dcerpc { 135 } \ - max_frag_size 3000 \ - memcap 100000 \ - reassemble_increment 0 -\end{verbatim} - -\subsubsection{Preprocessor Events} - -There is currently only one alert, which is triggered when the preprocessor has -reached the \texttt{memcap} limit for memory allocation. The alert is gid 130, -sid 1. - -\subsubsection{Note} - -At the current time, there is not much to do with the dcerpc preprocessor other -than turn it on and let it reassemble fragmented DCE/RPC packets. 
- -\subsection{DNS} -\label{sub:dns} - -The DNS preprocessor decodes DNS Responses and can detect the following -exploits: DNS Client RData Overflow, Obsolete Record Types, and Experimental -Record Types. - -DNS looks at DNS Response traffic over UDP and TCP and it requires Stream -preprocessor to be enabled for TCP decoding. - -\subsubsection{Configuration} - -By default, all alerts are disabled and the preprocessor checks traffic on port -53. - -The available configuration options are described below. - -\begin{slist} - -\item \texttt{ports $\{ <$port$> [<$port$> <...>] \}$} - -This option specifies the source ports that the DNS preprocessor should inspect -traffic. - -\item \texttt{enable\_obsolete\_types} - -Alert on Obsolete (per RFC 1035) Record Types - -\item \texttt{enable\_experimental\_types} - -Alert on Experimental (per RFC 1035) Record Types - -\item \texttt{enable\_rdata\_overflow} - -Check for DNS Client RData TXT Overflow - -\end{slist} - -The DNS preprocessor does nothing if none of the 3 vulnerabilities it checks -for are enabled. It will not operate on TCP sessions picked up midstream, and -it will cease operation on a session if it loses state because of missing data -(dropped packets). - -\subsubsection{Examples/Default Configuration from snort.conf} - -Looks for traffic on DNS server port 53. Check for the DNS Client RData -overflow vulnerability. Do not alert on obsolete or experimental RData record -types. - -\begin{verbatim} - preprocessor dns: \ - ports { 53 } \ - enable_rdata_overflow -\end{verbatim} - -\subsection{SSL/TLS} -\label{sub:SSL/TLS} +\subsection{SSL/TLS} +\label{sub:SSL/TLS} Encrypted traffic should be ignored by Snort for both performance reasons and to reduce false positives. The SSL Dynamic Preprocessor (SSLPP) decodes SSL 
@@ -4937,6 +6538,80 @@ preprocessor ssl: noinspect_encrypted \end{verbatim} +\subsubsection{Rule Options} + +The following rule options are supported by enabling the \texttt{ssl} preprocessor: + +\begin{itemize} +\item[] +\begin{verbatim} + ssl_version + ssl_state +\end{verbatim} +\end{itemize} + +\texttt{ssl\_version} +\label{ssl:ssl_version} +\begin{itemize} + +\item[] The \texttt{ssl\_version} rule option tracks the version negotiated between +the endpoints of the SSL encryption. The list of version identifiers are below, and +more than one identifier can be specified, via a comma separated list. Lists of +identifiers are OR'ed together. + +The option will match if any one of the OR'ed versions are used in the SSL +connection. To check for two or more SSL versions in use simultaneously, multiple +\texttt{ssl\_version} rule options should be used. + +\textit{Syntax} +\footnotesize +\begin{verbatim} + ssl_version: + + version-list = version | version , version-list + version = ["!"] "sslv2" | "sslv3" | "tls1.0" | "tls1.1" | "tls1.2" +\end{verbatim} + +\textit{Examples} +\begin{verbatim} + ssl_version:sslv3; + ssl_version:tls1.0,tls1.1,tls1.2; + ssl_version:!sslv2; +\end{verbatim} + +\end{itemize} + +\texttt{ssl\_state} +\label{ssl:ssl_state} +\begin{itemize} + +\item[] The \texttt{ssl\_state} rule option tracks the state of the SSL encryption +during the process of hello and key exchange. The list of states are below. More than +one state can be specified, via a comma separated list, and are OR'ed together. + +The option will match if the connection is currently in any one of the OR'ed states. +To ensure the connection has reached each of a set of states, multiple rules using +the \texttt{ssl\_state} rule option should be used. 
+ +\textit{Syntax} +\footnotesize +\begin{verbatim} + ssl_state: + + state-list = state | state , state-list + state = ["!"] "client_hello" | "server_hello" | "client_keyx" | "server_keyx" | "unknown" +\end{verbatim} + + +\textit{Examples} +\begin{verbatim} + ssl_state:client_hello; + ssl_state:client_keyx,server_keyx; + ssl_state:!server_hello; +\end{verbatim} + +\end{itemize} + \subsection{ARP Spoof Preprocessor} \label{sub:arpspoof} @@ -4986,7 +6661,7 @@ \subsubsection{Example Configuration} The first example configuration does neither unicast detection nor ARP mapping -monitoring. The preprosessor merely looks for Ethernet address inconsistencies. +monitoring. The preprocessor merely looks for Ethernet address inconsistencies. \begin{verbatim} preprocessor arpspoof @@ -5029,9 +6704,6 @@ \begin{itemize} -\item The \texttt{dcerpc} preprocessor (the initial iteration) must be -disabled. - \item Stream session tracking must be enabled, i.e. \texttt{stream5}. The preprocessor requires a session tracker to keep its data. @@ -5187,7 +6859,7 @@ \end{itemize} \end{itemize} -\textit{Multliple Bind requests} +\textit{Multiple Bind Requests} \begin{itemize} \item[] A \texttt{Bind} request is the first request that must be made in a @@ -5329,10 +7001,12 @@ \hline \texttt{max\_frag\_len} & \texttt{} & NO & OFF\\ \hline -\texttt{events} & \texttt{} & NO & \texttt{events [smb, co, cl]}\\ +\texttt{events} & \texttt{} & NO & OFF\\ \hline \texttt{reassemble\_threshold} & \texttt{} & NO & OFF\\ \hline +\texttt{disabled} & NONE & NO & OFF\\ +\hline \end{tabular} \end{itemize} @@ -5359,6 +7033,15 @@ \end{itemize} +\item[] \texttt{disabled} +\begin{itemize} + +\item[] Disables the preprocessor. By default this value is turned off. When the +preprocessor is disabled only the memcap option is applied when specified +with the configuration. + +\end{itemize} + \item[] \texttt{disable\_defrag} \begin{itemize} 
@@ -5374,7 +7057,8 @@ \item[] Specifies the maximum fragment size that will be added to the defragmention module. If a fragment is greater than this size, it is truncated -before being added to the defragmentation module. Default is not set. +before being added to the defragmentation module. Default is set to -1. The +allowed range for this option is 1514 - 65535. \end{itemize} @@ -5412,8 +7096,7 @@ \begin{itemize} \item[] Stands for connectionless DCE/RPC. Alert on events related to -connectionless DCE/RPC processing. Defaults are \texttt{smb}, \texttt{co} and -\texttt{cl}. +connectionless DCE/RPC processing. \end{itemize} \end{itemize} @@ -5463,7 +7146,7 @@ \textit{Default global configuration} \footnotesize \begin{verbatim} - preprocessor dcerpc2: memcap 102400, events [smb, co, cl] + preprocessor dcerpc2: memcap 102400 \end{verbatim} \normalsize @@ -5555,8 +7238,8 @@ shares = share | '[' share-list ']' share-list = share | share ',' share-list share = word | '"' word '"' | '"' var-word '"' - word = graphical ascii characters except ',' '"' ']' '[' '$' - var-word = graphical ascii characters except ',' '"' ']' '[' + word = graphical ASCII characters except ',' '"' ']' '[' '$' + var-word = graphical ASCII characters except ',' '"' ']' '[' max-chain = 0-255 \end{verbatim} \normalsize @@ -5653,7 +7336,7 @@ \item[] Specifies the maximum amount of AndX command chaining that is allowed before an alert is generated. Default maximum is 3 chained commands. A value -of 0 disables this option. +of 0 disables this option. This value can be set from 0 to 255. \end{itemize} \end{itemize} @@ -5742,8 +7425,7 @@ \underline{Complete \texttt{dcerpc2} default configuration} \footnotesize \begin{verbatim} - preprocessor dcerpc2: \ - memcap 102400, events [smb, co, cl] + preprocessor dcerpc2: memcap 102400 preprocessor dcerpc2_server: \ default, policy WinXP, \ 
@@ -6003,8 +7685,8 @@ 40 & The preprocessor will alert if the connectionless DCE/RPC major version is not equal to 4.\\ \hline - 41 & The preprocessor will alert if the connectionless DCE/RPC pdu type is - not a valid pdu type.\\ + 41 & The preprocessor will alert if the connectionless DCE/RPC PDU type is + not a valid PDU type.\\ \hline 42 & The preprocessor will alert if the packet data length is less than the size of the connectionless header.\\ @@ -6036,8 +7718,8 @@ \begin{itemize} \item[] \begin{verbatim} - byte_test: dce - byte_jump: dce + byte_test:dce + byte_jump:dce \end{verbatim} \end{itemize} @@ -6084,7 +7766,7 @@ \textit{Syntax} \footnotesize \begin{verbatim} - [ ',' ] [ ',' "any_frag" ] + dce_iface:[, ][, any_frag]; uuid = hexlong '-' hexshort '-' hexshort '-' 2hexbyte '-' 6hexbyte hexlong = 4hexbyte @@ -6097,10 +7779,10 @@ \textit{Examples} \footnotesize \begin{verbatim} - dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188; - dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188,<2; - dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188,any_frag; - dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188,=1,any_frag; + dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; + dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188, <2; + dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188, any_frag; + dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188, =1, any_frag; \end{verbatim} \normalsize 
@@ -6157,6 +7839,20 @@ supplied in which case only the interface UUID and version need match. Note that a defragmented DCE/RPC request will be considered a full request. +\begin{note} +Using this rule option will automatically insert fast pattern contents into +the fast pattern matcher. For UDP rules, the interface UUID, in both big and +little endian format will be inserted into the fast pattern matcher. For TCP +rules, (1) if the rule option \texttt{flow:to\_server|from\_client} is used, $|$05 00 00$|$ +will be inserted into the fast pattern matcher, (2) if the rule option +\texttt{flow:from\_server|to\_client} is used, $|$05 00 02$|$ will be inserted into the +fast pattern matcher and (3) if the flow isn't known, $|$05 00$|$ will be inserted +into the fast pattern matcher. Note that if the rule already has content rule +options in it, the best (meaning longest) pattern will be used. If a content +in the rule uses the \texttt{fast\_pattern} rule option, it will unequivocally be used +over the above mentioned patterns. +\end{note} + \end{itemize} \texttt{dce\_opnum} @@ -6172,7 +7868,7 @@ \textit{Syntax} \footnotesize \begin{verbatim} - + dce_opnum:; opnum-list = opnum-item | opnum-item ',' opnum-list opnum-item = opnum | opnum-range @@ -6183,10 +7879,10 @@ \textit{Examples} \footnotesize \begin{verbatim} - dce_opnum: 15; - dce_opnum: 15-18; - dce_opnum: 15,18-20; - dce_opnum: 15,17,20-22; + dce_opnum:15; + dce_opnum:15-18; + dce_opnum:15, 18-20; + dce_opnum:15, 17, 20-22; \end{verbatim} \normalsize @@ -6223,7 +7919,7 @@ matches if there is DCE/RPC stub data. \end{itemize} -\texttt{byte\_test} and \texttt{byte\_jump}\label{dcerpc2:byte_test_jump} +\texttt{byte\_test} and \texttt{byte\_jump} with \texttt{dce}\label{dcerpc2:byte_test_jump} \begin{itemize} \item[] A DCE/RPC request can specify whether numbers are represented in big or 
@@ -6238,12 +7934,11 @@ \item[] \textit{Syntax} \footnotesize \begin{verbatim} - ',' [ '!' ] ',' [ ',' [ ',' "relative" ]] \ - ',' "dce" + byte_test:, [!], , [, relative], dce; - convert = 1 | 2 | 4 + convert = 1 | 2 | 4 (only with option "dce") operator = '<' | '=' | '>' | '&' | '^' - value = 0-4294967295 + value = 0 - 4294967295 offset = -65535 to 65535 \end{verbatim} \normalsize @@ -6251,8 +7946,8 @@ \textit{Examples} \footnotesize \begin{verbatim} - byte_test: 4,>,35000,0,relative,dce; - byte_test: 2,!=,2280,-10,relative,dce; + byte_test:4, >, 35000, 0, relative, dce; + byte_test:2, !=, 2280, -10, relative, dce; \end{verbatim} \normalsize @@ -6266,13 +7961,13 @@ \item[] \textit{Syntax} \footnotesize \begin{verbatim} - ',' [ ',' "relative" ] [ ',' "multiplier" ] \ - [ ',' "align" ] [ ',' "post_offet" ] ',' "dce" + byte_jump:, [, relative][, multiplier ] \ + [, align][, post_offet ], dce; - convert = 1 | 2 | 4 + convert = 1 | 2 | 4 (only with option "dce") offset = -65535 to 65535 - mult-value = 0-65535 - adjustment-value = -65535 to 65535 + mult_value = 0 - 65535 + adjustment_value = -65535 to 65535 \end{verbatim} \normalsize 
@@ -6316,122 +8011,2811 @@ \normalsize \end{itemize} +\subsection{Sensitive Data Preprocessor} +\label{sub:sensitive_data} -\section{Decoder and Preprocessor Rules} +The Sensitive Data preprocessor is a Snort module that performs detection and +filtering of Personally Identifiable Information (PII). This information +includes credit card numbers, U.S. Social Security numbers, and email addresses. +A limited regular expression syntax is also included for defining your own PII. -Decoder and preprocessor rules allow one to enable and disable decoder and -preprocessor events on a rule by rule basis. They also allow one to specify -the rule type or action of a decoder or preprocessor event on a rule by rule -basis. +\subsubsection{Dependencies} -Decoder config options will still determine whether or not to generate decoder -events. For example, if \texttt{config disable\_decode\_alerts} is in -\texttt{snort.conf}, decoder events will not be generated regardless of whether -or not there are corresponding rules for the event. Also note that if the -decoder is configured to enable drops, e.g. \texttt{config -enable\_decode\_drops}, these options will take precedence over the event type -of the rule. A packet will be dropped if either a decoder config drop option -is in \texttt{snort.conf} or the decoder or preprocessor rule type is -\texttt{drop}. Of course, the drop cases only apply if Snort is running -inline. See \texttt{doc/README.decode} for config options that control decoder -events. +The Stream5 preprocessor must be enabled for the Sensitive Data preprocessor +to work. -\subsection{Configuring} +\subsubsection{Preprocessor Configuration} -The following options to configure will enable decoder and preprocessor rules: +Sensitive Data configuration is split into two parts: the preprocessor config, +and the rule options. 
The preprocessor config starts with: \begin{verbatim} - $ ./configure --enable-decoder-preprocessor-rules +preprocessor sensitive_data: \end{verbatim} -The decoder and preprocessor rules are located in the \texttt{preproc\_rules/} -directory in the top level source tree, and have the names -\texttt{decoder.rules} and \texttt{preprocessor.rules} respectively. These -files are updated as new decoder and preprocessor events are added to Snort. +\textit{Option syntax} +\begin{itemize} -To enable these rules in \texttt{snort.conf}, define the path to where the -rules are located and uncomment the \texttt{include} lines in -\texttt{snort.conf} that reference the rules files. +\item[] +\begin{tabular}{|l|c|c|p{6cm}|} +\hline +Option & Argument & Required & Default\\ +\hline +\hline +\texttt{alert\_threshold} & \texttt{} & NO & \texttt{alert\_threshold 25}\\ +\hline +\texttt{mask\_output} & NONE & NO & OFF\\ +\hline +\texttt{ssn\_file} & \texttt{} & NO & OFF\\ +\hline +\end{tabular} +\end{itemize} +\footnotesize \begin{verbatim} - var PREPROC_RULE_PATH /path/to/preproc_rules - ... - include $PREPROC_RULE_PATH/preprocessor.rules - include $PREPROC_RULE_PATH/decoder.rules + alert_threshold = 1 - 65535 \end{verbatim} +\normalsize -To disable any rule, just comment it with a \texttt{\#} or remove the rule -completely from the file (commenting is recommended). +\textit{Option explanations} +\begin{itemize} +\item[] \texttt{alert\_threshold} +\begin{itemize} -To change the rule type or action of a decoder/preprocessor rule, just replace -\texttt{alert} with the desired rule type. Any one of the following rule types -can be used: +\item[] The preprocessor will alert when any combination of PII are detected +in a session. This option specifies how many need to be detected before +alerting. +This should be set higher than the highest individual count in your +"sd\_pattern" rules. 
-\begin{verbatim} - alert - log - pass - drop - sdrop - reject -\end{verbatim} +\end{itemize} -For example one can change: +\item[] \texttt{mask\_output} +\begin{itemize} -\begin{verbatim} - alert ( msg: "DECODE_NOT_IPV4_DGRAM"; sid: 1; gid: 116; rev: 1; \ - metadata: rule-type decode ; classtype:protocol-command-decode;) -\end{verbatim} +\item[] This option replaces all but the last 4 digits of a detected PII with +"X"s. This is only done on credit card \& Social Security numbers, where +an organization's regulations may prevent them from seeing unencrypted +numbers. -to +\end{itemize} + +\item[] \texttt{ssn\_file} +\begin{itemize} + +\item[] A Social Security number is broken up into 3 sections: +Area (3 digits), Group (2 digits), and Serial (4 digits). +On a monthly basis, the Social Security Administration publishes a list +of which Group numbers are in use for each Area. +These numbers can be updated in Snort by supplying a CSV file with the +new maximum Group numbers to use. +By default, Snort recognizes Social Security numbers issued up through +November 2009. + +\end{itemize} +\end{itemize} +\textit{Example preprocessor config} \begin{verbatim} - drop ( msg: "DECODE_NOT_IPV4_DGRAM"; sid: 1; gid: 116; rev: 1; \ - metadata: rule-type decode ; classtype:protocol-command-decode;) +preprocessor sensitive_data: alert_threshold 25 \ + mask_output \ + ssn_file ssn_groups_Jan10.csv \end{verbatim} -to drop (as well as alert on) packets where the Ethernet protocol is IPv4 but -version field in IPv4 header has a value other than 4. +\subsubsection{Rule Options} -See \texttt{README.decode}, \texttt{README.gre} and the various preprocessor -READMEs for descriptions of the rules in \texttt{decoder.rules} and -\texttt{preprocessor.rules}. +Snort rules are used to specify which PII the preprocessor should look for. 
+A new rule option is provided by the preprocessor: -\subsection{Reverting to original behavior} +\begin{verbatim} +sd_pattern +\end{verbatim} -If you have configured snort to use decoder and preprocessor rules, the -following config option in \texttt{snort.conf} will make Snort revert to the -old behavior: +This rule option specifies what type of PII a rule should detect. +\textit{Syntax} \begin{verbatim} - config autogenerate_preprocessor_decoder_rules + sd_pattern:, ; \end{verbatim} +\footnotesize +\begin{verbatim} -Note that if you want to revert to the old behavior, you also have to remove -the decoder and preprocessor rules and any reference to them from -\texttt{snort.conf}, otherwise they will be loaded. This option applies to -rules not specified and the default behavior is to alert. + count = 1 - 255 + pattern = any string +\end{verbatim} +\normalsize -\section{Event Processing} +\textit{Option Explanations} -Snort provides a variety of mechanisms to tune event processing to suit your -needs: +\begin{itemize} +\item[] \texttt{count} -\begin{itemize} -\item \texttt{Detection Filters} +\begin{itemize} +\item[] This dictates how many times a PII pattern must be matched for an alert +to be generated. The count is tracked across all packets in a session. +\end{itemize} -You can use detection filters to specifiy a threshold that must be exceeded -before a rule generates an event. This is covered in section -\ref{detection_filter}. +\item[] \texttt{pattern} -\item \texttt{Rate Filters} +\begin{itemize} +\item[] This is where the pattern of the PII gets specified. There are a few +built-in patterns to choose from: -You can use rate filters to change a rule action when the number or rate of -events indicates a possible attack. +\begin{itemize} +\item[] \texttt{credit\_card} -\item \texttt{Event Filters} +\begin{itemize} +\item[] The "credit\_card" pattern matches 15- and 16-digit credit card +numbers. 
These numbers may have spaces, dashes, or nothing in +between groups. This covers Visa, Mastercard, Discover, and +American Express. +Credit card numbers matched this way have their check digits +verified using the Luhn algorithm. +\end{itemize} -You can use event filters to reduce the number of logged events for noisy +\item[] \texttt{us\_social} + +\begin{itemize} +\item[] This pattern matches against 9-digit U.S. Social Security numbers. +The SSNs are expected to have dashes between the Area, Group, and +Serial sections. + +SSNs have no check digits, but the preprocessor will check matches +against the list of currently allocated group numbers. +\end{itemize} + +\item[] \texttt{us\_social\_nodashes} + +\begin{itemize} +\item[] This pattern matches U.S. Social Security numbers without dashes +separating the Area, Group, and Serial sections. +\end{itemize} + +\item[] \texttt{email} + +\begin{itemize} +\item[] This pattern matches against email addresses. +\end{itemize} +\end{itemize} + +\item[] If the pattern specified is not one of the above built-in patterns, +then it is the definition of a custom PII pattern. Custom PII types +are defined using a limited regex-style syntax. The following +special characters and escape sequences are supported: + +\item[] +\begin{tabular}{|c|p{10cm}|} + +\hline +\texttt{\textbackslash d} & matches any digit\\ +\hline +\texttt{\textbackslash D} & matches any non-digit\\ +\hline +\texttt{\textbackslash l} & matches any letter\\ +\hline +\texttt{\textbackslash L} & matches any non-letter\\ +\hline +\texttt{\textbackslash w} & matches any alphanumeric character\\ +\hline +\texttt{\textbackslash W} & matches any non-alphanumeric character\\ +\hline +\texttt{\{num\}} & used to repeat a character or escape sequence "num" times. +example: "\d\{3\}" matches 3 digits.\\ +\hline +\texttt{?} & makes the previous character or escape sequence optional. +example: " ?" matches an optional space. 
+This behaves in a greedy manner.\\ +\hline +\texttt{\textbackslash\textbackslash} & matches a backslash\\ +\hline +\textbackslash \{, \textbackslash \} & matches \{ and \}\\ +\hline +\textbackslash ? & matches a question mark.\\ +\hline +\end{tabular} + +\item[] Other characters in the pattern will be matched literally. + +\begin{note} +Unlike PCRE, \texttt{\textbackslash w} in this rule option does NOT match underscores. +\end{note} +\end{itemize} + +\item[] \textit{Examples} +\begin{verbatim} + sd_pattern: 2,us_social; +\end{verbatim} + Alerts when 2 social security numbers (with dashes) appear in a session. + +\begin{verbatim} + sd_pattern: 5,(\d{3})\d{3}-\d{4}; +\end{verbatim} + Alerts on 5 U.S. phone numbers, following the format (123)456-7890 + + Whole rule example: + +\begin{verbatim} + alert tcp $HOME_NET $HIGH_PORTS -> $EXTERNAL_NET $SMTP_PORTS \ + (msg:"Credit Card numbers sent over email"; gid:138; sid:1000; rev:1; \ + sd_pattern:4,credit_card; metadata:service smtp;) +\end{verbatim} + + +\item[] \textit{Caveats} +\begin{itemize} +\item[] \texttt{sd\_pattern} is not compatible with other rule options. Trying to use +other rule options with \texttt{sd\_pattern} will result in an error message. + +Rules using \texttt{sd\_pattern} must use GID 138. +\end{itemize} +\end{itemize} + +\subsection{Normalizer} + +When operating Snort in inline mode, it is helpful to normalize packets to help +minimize the chances of evasion. + +To enable the normalizer, use the following when configuring Snort: + +\begin{verbatim} + ./configure --enable-normalizer +\end{verbatim} + +The normalize preprocessor is activated via the conf as outlined below. There +are also many new preprocessor and decoder rules to alert on or drop packets +with "abnormal" encodings. + +Note that in the following, fields are cleared only if they are non-zero. +Also, normalizations will only be enabled if the selected DAQ supports packet +replacement and is operating in inline mode. 
+ +If a policy is configured for \texttt{inline\_test} or passive mode, any +normalization statements in the policy config are ignored. + +\subsubsection{IP4 Normalizations} + +IP4 normalizations are enabled with: + +\begin{verbatim} + preprocessor normalize_ip4: [df], [rf], [tos], [trim] +\end{verbatim} + +Base normalizations enabled with "preprocessor \texttt{normalize\_ip4}" include: + +\begin{itemize} +\item +Truncate packets with excess payload to the datagram length specified in the +IP header. + +\item +TTL normalization if enabled (explained below). + +\item +Clear the differentiated services field (formerly TOS). + +\item +NOP all options octets. +\end{itemize} + +Optional normalizations include: + +\begin{itemize} +\item \texttt{df} +don't fragment: clear this bit on incoming packets. + +\item \texttt{rf} +reserved flag: clear this bit on incoming packets. + +\item \texttt{tos} +type of service (differentiated services): clear this byte. + +\item \texttt{trim} +truncate packets with excess payload to the datagram length specified in the +IP header + the layer 2 header (eg ethernet), but don't truncate below minimum +frame length. This is automatically disabled if the DAQ can't inject packets. +\end{itemize} + +\subsubsection{IP6 Normalizations} + +IP6 normalizations are enabled with: + +\begin{verbatim} + preprocessor normalize_ip6 +\end{verbatim} + +Base normalizations enabled with "preprocessor \texttt{normalize\_ip6}" include: + +\begin{itemize} +\item +Hop limit normalizaton if enabled (explained below). + +\item +NOP all options octets in hop-by-hop and destination options extension headers. +\end{itemize} + + +\subsubsection{ICMP4/6 Normalizations} + +ICMP4 and ICMP6 normalizations are enabled with: + +\begin{verbatim} + preprocessor normalize_icmp4 + preprocessor normalize_icmp6 +\end{verbatim} + +Base normalizations enabled with the above include: + +\begin{itemize} +\item +Clear the code field in echo requests and replies. 
+\end{itemize} + + +\subsubsection{TCP Normalizations} + +TCP normalizations are enabled with: + +\begin{verbatim} + preprocessor normalize_tcp: \ + [ips], [urp], [trim], \ + [ecn ], \ + [opts [allow +]] + + ::= stream | packet + + ::= \ + sack | echo | partial_order | conn_count | alt_checksum | md5 | + + ::= { 4, 5 } + ::= { 6, 7 } + ::= { 9, 10 } + ::= { 11, 12, 13 } + ::= { 14, 15 } + ::= { 19 } + ::= (3..255) +\end{verbatim} + +Base normalizations enabled with "preprocessor \texttt{normalize\_tcp}" include: + +\begin{itemize} +\item +Remove data on SYN. + +\item +Clear the reserved bits in the TCP header. + +\item +Clear the urgent pointer if the urgent flag is not set. + +\item +Clear the urgent pointer and the urgent flag if there is no payload. + +\item +Set the urgent pointer to the payload length if it is greater than the +payload length. + +\item +Clear the urgent flag if the urgent pointer is not set. + +\item +Clear any option padding bytes. + +\item +Remove any data from RST packet. + +\item +Trim data to window. + +\item +Trim data to MSS. +\end{itemize} + +Optional normalizations include: + +\begin{itemize} +\item \texttt{ips} + +ensure consistency in retransmitted data (also forces reassembly policy to +"first"). Any segments that can't be properly reassembled will be dropped. + +\item \texttt{urp} + +urgent pointer: don't adjust the urgent pointer if it is greater than payload +length. + +\item \texttt{trim} +remove data on SYN. + +\item \texttt{trim} +remove any data from RST packet. + +\item \texttt{trim} +trim data to window. + +\item \texttt{trim} +trim data to MSS. + +\item \texttt{ecn packet} + +clear ECN flags on a per packet basis (regardless of negotiation). + +\item \texttt{ecn stream} + +clear ECN flags if usage wasn't negotiated. Should also enable \texttt{require\_3whs}. + +\item \texttt{opts} + +NOP all option bytes other than maximum segment size, window scaling, +timestamp, and any explicitly allowed with the allow keyword. 
You can allow +options to pass by name or number. + +\item \texttt{opts} + +if timestamp is present but invalid, or valid but not negotiated, NOP the +timestamp octets. + +\item \texttt{opts} + +if timestamp was negotiated but not present, block the packet. + +\item \texttt{opts} + +clear TS ECR if ACK flag is not set. + +\item \texttt{opts} + +MSS and window scale options are NOP'd if SYN flag is not set. + +\end{itemize} + +\subsubsection{TTL Normalization} + +TTL normalization pertains to both IP4 TTL (time-to-live) and IP6 (hop limit) +and is only performed if both the relevant base normalization is enabled (as +described above) and the minimum and new TTL values are configured, as follows: + +\begin{verbatim} + config min_ttl: + config new_ttl: + + ::= (1..255) + ::= (+1..255) +\end{verbatim} + +If \texttt{new\_ttl }> \texttt{min\_ttl}, then if a packet is received with a +TTL < \texttt{min\_ttl}, the TTL will be set to \texttt{new\_ttl}. + +Note that this configuration item was deprecated in 2.8.6: + +\begin{verbatim} + preprocessor stream5_tcp: min_ttl <#> +\end{verbatim} + +By default \texttt{min\_ttl} = 1 (TTL normalization is disabled). +When TTL normalization is turned on the \texttt{new\_ttl} is set +to 5 by default. + +\subsection{SIP Preprocessor} +\label{sub:sip} +Session Initiation Protocol (SIP) is an application-layer control (signaling) +protocol for creating, modifying, and terminating sessions with one or more +participants. These sessions include Internet telephone calls, multimedia +distribution, and multimedia conferences. SIP Preprocessor provides ways to +tackle Common Vulnerabilities and Exposures (CVEs) related with SIP found over +the past few years. It also makes detecting new attacks easier. + +\subsubsection{Dependency Requirements} + +For proper functioning of the preprocessor: + +\begin{itemize} + +\item Stream session tracking must be enabled, i.e. stream5. Both TCP and UDP must be + enabled in stream5. 
The preprocessor requires a session tracker to keep its + data. In addition, Stream API is able to provide correct support for ignoring + audio/video data channel. + +\item IP defragmentation should be enabled, i.e. the frag3 preprocessor should be + enabled and configured. + +\end{itemize} + +\subsubsection{Configuration} +The preprocessor configuration name is \texttt{sip}.\\ +\begin{verbatim} + preprocessor sip +\end{verbatim} +\textit{Option syntax} +\begin{itemize} + +\item[] +\begin{tabular}{|l|c|c|p{6cm}|} +\hline +Option & Argument & Required & Default\\ +\hline +\hline +\texttt{disabled} & NONE & NO & OFF\\ +\hline +\texttt{max\_sessions} & \texttt{} & NO & \texttt{max\_sessions 10000}\\ +\hline +\texttt{ports} & \texttt{} & NO & \texttt{ports \{ 5060 5061 \} }\\ +\hline +\texttt{methods} & \texttt{} & NO & \texttt{methods \{ invite cancel ack bye + register options \} }\\ +\hline +\texttt{max\_uri\_len} & \texttt{} & NO & \texttt{max\_uri\_len 256 }\\ +\hline +\texttt{max\_call\_id\_len} & \texttt{} & NO & \texttt{max\_call\_id\_len 256 }\\ +\hline +\texttt{max\_requestName\_len} & \texttt{} & NO & \texttt{max\_requestName\_len 20 }\\ +\hline +\texttt{max\_from\_len} & \texttt{} & NO & \texttt{max\_from\_len 256 }\\ +\hline +\texttt{max\_to\_len} & \texttt{} & NO & \texttt{max\_to\_len 256 }\\ +\hline +\texttt{max\_via\_len} & \texttt{} & NO & \texttt{max\_via\_len 1024 }\\ +\hline +\texttt{max\_contact\_len} & \texttt{} & NO & \texttt{max\_contact\_len 256 }\\ +\hline +\texttt{max\_content\_len} & \texttt{} & NO & \texttt{max\_content\_len 1024 }\\ +\hline +\texttt{ignore\_call\_channel} & NONE & NO & OFF\\ +\hline +\end{tabular} +\end{itemize} +\footnotesize +\begin{verbatim} + max_sessions = 1024-4194303 + methods = "invite"|"cancel"|"ack"|"bye"|"register"| "options"\ + |"refer" |"subscribe"|"update"|"join"|"info"|"message"\ + |"notify"|"prack" + max_uri_len = 0-65535 + max_call_id_len = 0-65535 + max_requestName_len = 0-65535 + max_from_len = 0-65535 
+ max_to_len = 0-65535 + max_via_len = 0-65535 + max_contact_len = 0-65535 + max_content_len = 0-65535 +\end{verbatim} +\normalsize +\textit{Option explanations} +\begin{itemize} +\item[] \texttt{disabled} +\begin{itemize} +\item[] SIP dynamic preprocessor can be enabled/disabled through configuration. + By default this value is turned off. When the preprocessor is disabled, + only the max\_sessions option is applied when specified with the configuration. +\end{itemize} +\item[] \texttt{max\_sessions} +\begin{itemize} +\item[] This specifies the maximum number of sessions that can be allocated. + Those sessions are stream sessions, so they are bounded by maximum number of + stream sessions. Default is 10000. +\end{itemize} +\item[] \texttt{ports} +\begin{itemize} +\item[] This specifies on what ports to check for SIP messages. Typically, this will + include 5060, 5061. +\item[] \textit{Syntax} +\begin{verbatim} + ports { [< ... >] } +\end{verbatim} +\item[] \textit{Examples} +\begin{verbatim} + ports { 5060 5061 } +\end{verbatim} +\item[] Note: there are spaces before and after `\{' and `\}'. +\end{itemize} + \item[] \texttt{methods} +\begin{itemize} + \item[] This specifies on what methods to check for SIP messages: (1) invite, + (2) cancel, (3) ack, (4) bye, (5) register, (6) options, (7) refer, + (8) subscribe, (9) update (10) join (11) info (12) message (13) notify + (14) prack. + Note: those 14 methods are up to date list (Feb. 2011). New methods can be + added to the list. Up to 32 methods supported. 
+ +\item[] \textit{Syntax} +\begin{verbatim} + methods { } + method-list = method|method method-list + methods = "invite"|"cancel"|"ack"|"bye"|"register"| "options"\ + |"refer"|"subscribe"|"update"|"join"|"info"|"message"\ + |"notify"|"prack" +\end{verbatim} +\item[] \textit{Examples} +\begin{verbatim} + methods { invite cancel ack bye register options } + methods { invite cancel ack bye register options information } +\end{verbatim} +\item[] Note: there are spaces before and after `\{' and `\}'. +\end{itemize} +\item[] \texttt{max\_uri\_len} +\begin{itemize} + \item[] This specifies the maximum Request URI field size. If the Request URI field + is greater than this size, an alert is generated. Default is set to 256. + The allowed range for this option is 0 - 65535. ``0'' means never alert. +\end{itemize} + +\item[] \texttt{max\_call\_id\_len} +\begin{itemize} + \item[] This specifies the maximum Call-ID field size. If the Call-ID field is + greater than this size, an alert is generated. Default is set to 256. + The allowed range for this option is 0 - 65535. ``0'' means never alert. +\end{itemize} + +\item[] \texttt{max\_requestName\_len} +\begin{itemize} + \item[] This specifies the maximum request name size that is part of the CSeq ID. + If the request name is greater than this size, an alert is generated. + Default is set to 20. The allowed range for this option is 0 - 65535. + ``0'' means never alert. +\end{itemize} + +\item[] \texttt{max\_from\_len} +\begin{itemize} + \item[] This specifies the maximum From field size. If the From field is greater + than this size, an alert is generated. Default is set to 256. The allowed + range for this option is 0 - 65535. ``0'' means never alert. +\end{itemize} + +\item[] \texttt{max\_to\_len} +\begin{itemize} + \item[] This specifies the maximum To field size. If the To field is greater than + this size, an alert is generated. Default is set to 256. The allowed range + for this option is 0 - 65535. 
``0'' means never alert. +\end{itemize} + +\item[] \texttt{max\_via\_len} +\begin{itemize} + \item[] This specifies the maximum Via field size. If the Via field is greater than + this size, an alert is generated. Default is set to 1024. The allowed range + for this option is 0 - 65535. ``0'' means never alert. +\end{itemize} +\item[] \texttt{max\_contact\_len} +\begin{itemize} + \item[] This specifies the maximum Contact field size. If the Contact field is + greater than this size, an alert is generated. Default is set to 256. + The allowed range for this option is 0 - 65535. ``0'' means never alert. +\end{itemize} +\item[] \texttt{max\_content\_len} +\begin{itemize} + \item[] This specifies the maximum content length of the message body. If the + content length is greater than this number, an alert is generated. + Default is set to 1024. The allowed range for this option is 0 - 65535. + ``0'' means never alert. +\end{itemize} +\item[] \texttt{ignore\_call\_channel} +\begin{itemize} + \item[] This enables the support for ignoring audio/video data channel + (through Stream API). By default, this is disabled. 
+\end{itemize} + +\end{itemize} +\textit{Option examples} +\footnotesize +\begin{verbatim} + max_sessions 30000 + disabled + ports { 5060 5061 } + methods { invite cancel ack bye register options } + methods { invite cancel ack bye register options information } + max_uri_len 1024 + max_call_id_len 1024 + max_requestName_len 10 + max_from_len 1024 + max_to_len 1024 + max_via_len 1024 + max_contact_len 1024 + max_content_len 1024 + max_content_len + ignore_call_channel +\end{verbatim} +\normalsize + +\textit{Configuration examples} +\footnotesize +\begin{verbatim} + preprocessor sip + preprocessor sip: max_sessions 500000 + preprocessor sip: max_contact_len 512, max_sessions 300000, methods { invite \ + cancel ack bye register options } , ignore_call_channel + preprocessor sip: ports { 5060 49848 36780 10270 }, max_call_id_len 200, \ + max_from_len 100, max_to_len 200, max_via_len 1000, \ + max_requestName_len 50, max_uri_len 100, ignore_call_channel,\ + max_content_len 1000 + preprocessor sip: disabled + preprocessor sip: ignore_call_channel +\end{verbatim} +\normalsize + +\textit{Default configuration} +\footnotesize +\begin{verbatim} + preprocessor sip +\end{verbatim} +\normalsize +\subsubsection{Events} +The preprocessor uses GID 140 to register events. +\begin{longtable}{|r|p{13.5cm}|} + +\hline +SID & Description\\ +\hline + 1 & If the memory cap is reached and the preprocessor is configured to alert, + this alert will be created. \\ +\hline + 2 & Request URI is required. When Request URI is empty, this alert will be created. 
\\ +\hline + 3 & The Request URI is larger than the defined length in configuration.\\ +\hline + 4 & When Call-ID is empty, this alert will be created.\\ +\hline + 5 & The Call-ID is larger than the defined length in configuration.\\ +\hline + 6 & The sequence e number value MUST be expressible as a 32-bit unsigned integer + and MUST be less than $2^{31}$.\\ +\hline + 7 & The request name in the CSeq is larger than the defined length in configuration.\\ +\hline + 8 & From field is empty.\\ +\hline + 9 & From field is larger than the defined length in configuration.\\ +\hline + 10 & To field is empty.\\ +\hline + 11 & To field is larger than the defined length in configuration.\\ +\hline + 12 & Via filed is empty.\\ +\hline + 13 & Via filed is larger than the defined length in configuration.\\ +\hline + 14 & Contact is empty, but it is required non-empty for the message.\\ +\hline + 15 & The Contact is larger than the defined length in configuration. \\ +\hline + 16 & The content length is larger than the defined length in configuration or is negative. \\ +\hline + 17 & There are multiple requests in a single packet. Old SIP protocol supports + multiple sip messages within one packet.\\ +\hline + 18 & There are inconsistencies between Content-Length in SIP header and + actual body data.\\ +\hline + 19 & Request name is invalid in response.\\ +\hline + 20 & Authenticated invite message received, but no challenge from server received. + This is the case of InviteReplay billing attack.\\ +\hline + 21 & Authenticated invite message received, but session information has been changed. + This is different from re-INVITE, where the dialog has been established. + and authenticated. 
This is can prevent FakeBusy billing attack.\\ +\hline + 22 & Response status code is not a 3 digit number.\\ +\hline + 23 & Content type header field is required if the message body is not empty.\\ +\hline + 24 & SIP version other than 2.0, 1.0, and 1.1 is invalid \\ +\hline + 25 & Mismatch in Method of request and the CSEQ header\\ +\hline + 26 & The method is unknown \\ +\hline +\end{longtable} +\subsubsection{Rule Options} +New rule options are supported by enabling the \texttt{sip} preprocessor: +\begin{itemize} +\item[] +\begin{verbatim} + sip_method + sip_stat_code + sip_header + sip_body +\end{verbatim} +\end{itemize} +Overload modifiers to existing \texttt{pcre} rule options: +\begin{itemize} +\item[] H: Match SIP request or SIP response header, Similar to \texttt{sip\_header}. +\item[] P: Match SIP request or SIP response body, Similar to \texttt{sip\_body}. +\end{itemize} +\texttt{sip\_method} +\label{sip:sip_method} +\begin{itemize} + \item[] The \texttt{sip\_method} keyword is used to check for specific SIP request methods. + The list of methods is: invite, cancel, ack, bye, register, options, refer, + subscribe, update, join, info, message, notify, prack. More than one method + can be specified, via a comma separated list, and are OR'ed together. + It will be applied in fast pattern match if available. If the method used in + this rule is not listed in the preprocessor configuration, it will be added + to the preprocessor configuration for the associated policy.\\ + +\textit{Syntax} +\footnotesize +\begin{verbatim} + sip_method:; + method-list = method|method, method-list + method = ["!"] "invite"|"cancel"|"ack"|"bye"|"register"| "options"\ + |"refer"|"subscribe"|"update"|"join"|"info"|"message"\ + |"notify"|"prack" + Note: if "!" is used, only one method is allowed in sip_method. 
+\end{verbatim} +\normalsize +\textit{Examples} +\footnotesize +\begin{verbatim} + sip_method:invite, cancel + sip_method:!invite + + Note: If a user wants to use "and", they can use something like this: + sip_method:!invite; sip_method:!bye +\end{verbatim} +\normalsize +\end{itemize} + +\texttt{sip\_stat\_code} +\label{sip:sip_stat_code} +\begin{itemize} + \item[] The \texttt{sip\_stat\_code} is used to check the SIP response status code. This option + matches if any one of the state codes specified matches the status codes of + the SIP response.\\ + +\textit{Syntax} +\footnotesize +\begin{verbatim} + sip_stat_code: ; + code_list = state_code|state_code, code_list + code = "100-999"|"1-9" +\end{verbatim} + \item[] Note: 1,2,3,4,5,6... mean to check for "1xx", "2xx", '3xx', '4xx', '5xx', + '6xx'... reponses. \\ +\normalsize + +\textit{Examples} +\footnotesize +\begin{verbatim} + sip_stat_code:200 + sip_stat_code: 2 + sip_stat_code: 200, 180 +\end{verbatim} +\normalsize +\end{itemize} + +\texttt{sip\_header} +\label{sip:sip_header} +\begin{itemize} + \item[] The \texttt{sip\_header} keyword restricts the search to the extracted Header fields of + a SIP message request or a response. This works similar to \texttt{file\_data}. \\ + +\textit{Syntax} +\footnotesize +\begin{verbatim} + sip_header; +\end{verbatim} +\normalsize + +\textit{Examples} +\footnotesize +\begin{verbatim} + alert udp any any -> any 5060 (sip_header; content:"CSeq"; ) +\end{verbatim} +\normalsize +\end{itemize} + +\texttt{sip\_body} +\label{sip:sip_body} +\begin{itemize} + \item[] The \texttt{sip\_body} keyword places the cursor at the beginning of the Body fields + of a SIP message. This works similar to \texttt{file\_data} and \texttt{dce\_stub\_data}. 
The message + body includes channel information using SDP protocol (Session Description Protocol).\\ + +\textit{Syntax} +\footnotesize +\begin{verbatim} + sip_body; +\end{verbatim} +\normalsize + +\textit{Examples} +\footnotesize +\begin{verbatim} + alert udp any any -> any 5060 (sip_body; content:"C=IN 0.0.0.0"; within 100;) +\end{verbatim} +\normalsize +\end{itemize} +\texttt{pcre} +\label{sip:pcre} +\begin{itemize} + \item[] SIP overloads two options for \texttt{pcre}:\\ +\begin{itemize} +\item H: Match SIP header for request or response , Similar to \texttt{sip\_header}.\\ +\item P: Match SIP body for request or response , Similar to \texttt{sip\_body}.\\ +\end{itemize} +\textit{Examples} +\footnotesize +\begin{verbatim} + alert udp any any -> any 5060 (pcre:"/INVITE/H"; sid:1000000;) + alert udp any any -> any 5060 (pcre:"/m=/P"; sid:2000000;) +\end{verbatim} +\normalsize +\end{itemize} + +\subsection{Reputation Preprocessor} +\label{sub:reputation} +Reputation preprocessor provides basic IP blacklist/whitelist capabilities, to +block/drop/pass traffic from IP addresses listed. In the past, we use standard +Snort rules to implement Reputation-based IP blocking. This preprocessor will +address the performance issue and make the IP reputation management easier. +This preprocessor runs before other preprossors. 
+\subsubsection{Configuration} +The preprocessor configuration name is \texttt{repuation}.\\ + +\begin{verbatim} + preprocessor reputation +\end{verbatim} +\textit{Option syntax} +\begin{itemize} + +\item[] +\begin{tabular}{|l|c|c|p{6cm}|} +\hline +Option & Argument & Required & Default\\ +\hline +\hline +\texttt{memcap} & \texttt{} & NO & \texttt{memcap 500}\\ +\hline +\texttt{scan\_local} & NONE & NO & OFF\\ +\hline +\texttt{blacklist} & \texttt{} & NO & NONE\\ +\hline +\texttt{whitelist} & \texttt{} & NO & NONE\\ +\hline +\texttt{priority} & [blacklist whitelist] & NO & \texttt{priority whitelist}\\ +\hline +\texttt{nested\_ip} & [inner outer both] & NO & \texttt{nested\_ip inner}\\ +\hline +\end{tabular} +\end{itemize} +\footnotesize +\begin{verbatim} + memcap = 1-4095 Mbytes +\end{verbatim} +\normalsize +\textit{Option explanations} +\begin{itemize} + +\item[] \texttt{memcap} +\begin{itemize} +\item[] Maximum total memory supported. It can be set up to 4095 Mbytes. +\end{itemize} + +\item[] \texttt{scan\_local} +\begin{itemize} +\item[] Enable to inspect local address defined in RFC 1918: +\begin{itemize} + \item[] 10.0.0.0 - 10.255.255.255 (10/8 prefix) + \item[] 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) + \item[] 192.168.0.0 - 192.168.255.255 (192.168/16 prefix) +\end{itemize} +\end{itemize} + +\item[] \texttt{blacklist/whitelist} +\begin{itemize} +\item[] The IP lists are loaded from external files. It supports relative + paths for inclusion and \$variables for path. Multiple blacklists or + whitelists are supported. + + \item[] Note: if the same IP is redefined later, it will overwrite the + previous one. In other words, IP lists always favors the last file or + entry processed. +\end{itemize} + +\item[] \texttt{priority} +\begin{itemize} +\item[] Specify either blacklist or whitelist has higher priority when + source/destination is on blacklist while destination/source is on + whitelist. By default, whitelist has higher priority. 
In other words, + the packet will be passed when either source or destination is + whitelisted. + +\item[] Note: this only defines priority when there is a decision conflict, + during run-time. During initialization time, if the same IP address + is defined in whitelist and blacklist, whoever the last one defined + will be the final one. Priority does not work on this case. +\end{itemize} + +\item[] \texttt{nested\_ip} +\begin{itemize} +\item[] Specify which IP address to be used when there is IP + encapsulation. +\end{itemize} + +\end{itemize} + +\textit{Configuration examples} +\footnotesize +\begin{verbatim} + preprocessor reputation:\ + blacklist /etc/snort/default.blacklist, \ + whitelist /etc/snort/default.whitelist + + preprocessor reputation: \ + nested_ip both, \ + blacklist /etc/snort/default.blacklist, \ + whitelist /etc/snort/default.whitelist + + preprocessor reputation: \ + memcap 4095, scan_local, nested_ip both, \ + priority whitelist, \ + blacklist /etc/snort/default.blacklist, \ + whitelist /etc/snort/default.whitelist + + $REP_BLACK_FILE1 = ../dshield.list + $REP_BLACK_FILE2 = ../snort.org.list + preprocessor reputation: \ + blacklist $REP_BLACK_FILE1,\ + blacklist $REP_BLACK_FILE2 + +\end{verbatim} +\normalsize +\textit{IP List File Format} +\begin{itemize} + +\item[] \texttt{Syntax} +\begin{itemize} +\item[] The IP list file has 1 entry per line. The entry can be either IP entry or + comment. +\end{itemize} + +\begin{itemize} +\item[] \texttt{IP Entry} +\begin{itemize} +\item[] CIDR notation $<$comments$>$ line break. 
+\item[] Example: +\footnotesize +\begin{verbatim} + 172.16.42.32/32 + 172.33.42.32/16 +\end{verbatim} +\normalsize +\end{itemize} + +\item[] \texttt{Comment} +\begin{itemize} +\item[] The comment start with \# +\item[] \# $<$comments$>$ +\item[] Example +\footnotesize +\begin{verbatim} + # This is a full line comment + 172.33.42.32/16 # This is a in-line comment +\end{verbatim} +\normalsize +\end{itemize} + +\end{itemize} + +\item[] \texttt{IP List File Example} +\begin{itemize} + +\item[] +\footnotesize +\begin{verbatim} + # This is a full line comment + 172.16.42.32/32 # This is an inline comment, line with single CIDR block + 172.33.42.32/16 +\end{verbatim} +\normalsize +\end{itemize} +\end{itemize} + +\textit{Use case} +\begin{itemize} + \item[] A user wants to protect his/her network from unwanted/unknown IPs, only allowing + some trusted IPs. Here is the configuration: +\item[] \footnotesize +\begin{verbatim} + preprocessor reputation: \ + blacklist /etc/snort/default.blacklist + whitelist /etc/snort/default.whitelist + + In file "default.blacklist" + # These two entries will match all ipv4 addresses + 1.0.0.0/1 + 128.0.0.0/1 + + In file "default.whitelist" + 68.177.102.22 # sourcefire.com + 74.125.93.104 # google.com +\end{verbatim} +\end{itemize} +\normalsize + +\subsubsection{Events} +Reputation preprocessor uses GID 136 to register events. +\begin{longtable}{|r|p{13.5cm}|} + +\hline +SID & Description\\ +\hline + 1 & Packet is blacklisted. \\ +\hline + 2 & Packet is whitelisted. \\ +\hline +\end{longtable} +\subsubsection{Shared memory support} + +\begin{itemize} + \item[] + In order to minimize memory consumption when multiple Snort instances are + running concurrently, we introduce the support of shared memory. After + configured, all the snort instances share the same IP tables in shared memory. + + \item[]\textit{System requirement} +\begin{itemize} + \item[]This feature is supported only in Linux. 
+\end{itemize} + + \item[]\textit{Build configuration} + + \begin{itemize} \item[]A new option, \texttt{--enable-shared-rep} is introduced to + \texttt{./configure} command. + This option enables the support for shared memory. +\end{itemize} + \item[]\textit{Configuration} + +\begin{itemize} + + \item[]\texttt{shared\_mem} +\begin{itemize} + + \item[] If the build supports shared memory, this configuration will enable shared + memory. If this option isn't set, standard memory is used. This option must + specify a path or directory where IP lists will be loaded in shared memory. + One snort instance will create and maintain the shared IP lists. + We use instance ID 1, specified in the snort \texttt{-G} option to be the master snort. + All the other snort instances are clients (readers). + + \item[] \textit{Syntax} + \begin{verbatim} + shared_mem: path + \end{verbatim} + \item[] \textit{Examples} + \begin{verbatim} + shared_mem /user/reputation/iplists + \end{verbatim} +\end{itemize} + \item[]\texttt{shared\_refresh} + +\begin{itemize} + \item[]This option changes the period of checking new shared memory segment, in the unit of second. + By default, the refresh rate is $60$ seconds. + + \item[]\textit{Syntax} + \begin{verbatim} + shared_refresh + period = "1 - 4294967295" + \end{verbatim} + \item[]\textit{Examples} + \begin{verbatim} + shared_refresh 60 + \end{verbatim} +\end{itemize} +\end{itemize} + + \item[]\textit{Steps to configure shared memory} + +\begin{itemize} + + \item When building Snort, add option \texttt{--enable-shared-rep} to \texttt{./configure}\\ + For example: + \begin{verbatim} + ./configure --enable-gre --enable-sourcefire --enable-flexresp3 + --enable-dynamicplugin --enable-pthread --enable-linux-smp-stats + --enable-targetbased --enable-shared-rep --enable-control-socket + \end{verbatim} + \item Put your IP list file into a directory, where snort has full access. 
\\ + For example: + + \begin{verbatim} + /user/reputation/iplists + \end{verbatim} + + In order to separate whitelist with blacklist, you need to specify + whitelist with \texttt{.wlf} extension and blacklist with \texttt{.blf} extension. + \item In snort config file, specify shared memory support with the path to IP files.\\ + For example: + + \begin{verbatim} + shared_mem /user/reputation/iplists + \end{verbatim} + + If you want to change the period of checking new IP lists, add refresh period.\\ + For example: + + \begin{verbatim} + shared_refresh 300 + \end{verbatim} + + \item Start shared memory master(writer) with \texttt{-G} 1 option. Note: only one master + should be enabled. + \item Start shared memory clients (readers) with \texttt{-G} 2 or other IDs. Note: for + one ID, only one snort instance should be enabled. + \item You will see the IP lists got loaded and shared across snort instances! +\end{itemize} + + \item[]\textit{Reload IP lists using control socket} +\begin{itemize} + \item Run snort using command line with option \texttt{--cs-dir } + or configure snort with: + \begin{verbatim} + config cs_dir: + \end{verbatim} + \item (Optional) you can create a version file named ``IPRVersion.dat'' in the IP list + directory. This file helps managing reloading IP lists, by specifying a version. + When the version isn't changed, IP lists will not be reloaded if they are + already in shared memory. \\ + For example: + \begin{verbatim} + VERSION=1 + \end{verbatim} + \item In the \texttt{/src/tools/control} directory, you will find \texttt{snort\_control} command if + built with \texttt{--enable-control-socket} option. + \item Type the following command to reload IP lists. Before typing this command, + make sure to update version file if you are using version file. 
+ The \texttt{} is the same path in first step.\\ + \begin{verbatim} + /src/tools/control 1361 + \end{verbatim} +\end{itemize} +\end{itemize} +\subsection{GTP Decoder and Preprocessor} +\label{sub:gtp} +GTP (GPRS Tunneling Protocol) is used in core communication networks to establish +a channel between GSNs (GPRS Serving Node). GTP decoding preprocessor provides +ways to tackle intrusion attempts to those networks through GTP. It also makes +detecting new attacks easier. + +Two components are developed: GTP decoder and GTP preprocessor. +\begin{itemize} +\item GTP decoder extracts payload inside GTP PDU; +\item GTP preprocessor inspects all the signaling messages and provide keywords for +further inspection +\end{itemize} + +\subsubsection{Dependency Requirements} + +For proper functioning of the preprocessor: +\begin{itemize} + +\item Stream session tracking must be enabled, i.e. stream5. UDP must be + enabled in stream5. The preprocessor requires a session tracker to keep its + data. + +\item IP defragmentation should be enabled, i.e. the frag3 preprocessor should be + enabled and configured. + +\end{itemize} + +\subsubsection{GTP Data Channel Decoder Configuration} +GTP decoder extracts payload from GTP PDU. The following configuration sets +GTP decoding: +\begin{verbatim} +config enable_gtp +\end{verbatim} +By default, GTP decoder uses port number $2152$ (GTPv1) and $3386$ (GTPv0). +If users want to change those values, they can use \texttt{portvar GTP\_PORTS}: + +\begin{verbatim} +portvar GTP_PORTS [2152,3386] +\end{verbatim} + +\subsubsection{GTP Control Channel Preprocessor Configuration} + +Different from GTP decoder, GTP preprocessor examines all signaling messages. +The preprocessor configuration name is \texttt{gtp}. 
+\begin{verbatim} +preprocessor sip +\end{verbatim} +\textit{Option syntax} +\begin{itemize} +\item[] +\begin{tabular}{|l|c|c|p{6cm}|} +\hline +Option & Argument & Required & Default\\ +\hline +\hline +\texttt{ports} & \texttt{} & NO & \texttt{ports \{ 2123 3386 \} }\\ +\hline +\end{tabular} +\end{itemize} +\normalsize +\textit{Option explanations} +\begin{itemize} +\item[] \texttt{ports} +\begin{itemize} +\item[] This specifies on what ports to check for SIP messages. Typically, + this will include 5060, 5061. +\item[] \textit{Syntax} +\begin{verbatim} + ports { [< ... >] } +\end{verbatim} +\item[] \textit{Examples} +\begin{verbatim} + ports { 2123 3386 2152 } +\end{verbatim} +\item[] Note: there are spaces before and after `\{' and `\}'. +\end{itemize} +\end{itemize} +\normalsize + +\textit{Default configuration} +\footnotesize +\begin{verbatim} + preprocessor gtp +\end{verbatim} +\normalsize +\subsubsection{GTP Decoder Events} +\begin{longtable}{|r|p{13.5cm}|} +\hline +SID & Description\\ +\hline + 297 & Two or more GTP encapsulation layers present \\ +\hline + 298 & GTP header length is invalid \\ +\hline +\end{longtable} + +\subsubsection{GTP Preprocessor Events} +\begin{longtable}{|r|p{13.5cm}|} +\hline +SID & Description\\ +\hline + 1 & Message length is invalid. \\ +\hline + 2 & Information element length is invalid. \\ +\hline + 3 & Information elements are out of order. \\ +\hline +\end{longtable} +\subsubsection{Rule Options} +New rule options are supported by enabling the \texttt{gtp} preprocessor: +\begin{itemize} +\item[] +\begin{verbatim} + gtp_type + gtp_info + gtp_version +\end{verbatim} +\end{itemize} + +\texttt{gtp\_type} +\label{gtp:gtp_method} +\begin{itemize} + \item[] The \texttt{gtp\_type} keyword is used to check for specific GTP types. + User can input message type value, an integer in [0, 255], or a string defined + in the Table below. More than one type can be specified, via a comma separated + list, and are OR'ed together. 
If the type used in a rule is not listed in the + preprocessor configuration, an error will be thrown. + + \item[] A message type can have different type value in different GTP + versions. For example, \texttt{sgsn\_\-context\_\-request} has message type + value $50$ in GTPv0 and GTPv1, but $130$ in GTPv2. \texttt{gtp\_type} will + match to a different value depending on the version number in the packet. + In this example, evaluating a GTPv0 or GTPv1 packet will check whether the + message type value is $50$; evaluating a GTPv2 packet will check whether the + message type value is $130$. When a message type is not defined in a version, + any packet in that version will always return ``No match''. + + \item[] If an integer is used to specify message type, every GTP packet is + evaluated, no matter what version the packet is. If the message type matches + the value in packet, it will return ``Match''. \\ + +\textit{Syntax} +\footnotesize +\begin{verbatim} + gtp_type:; + type-list = type|type, type-list + type = "0-255"| + | "echo_request" | "echo_response" ... 
+\end{verbatim} +\normalsize +\textit{Examples} +\footnotesize +\begin{verbatim} + gtp_type:10, 11, echo_request; +\end{verbatim} +\normalsize + +\textit{GTP message types} +\small +\begin{longtable}{|r|c|c|c|p{13.5cm}|} +\hline +Type & GTPv0 & GTPv1 & GTPv2\\ +\hline +0 & N/A & N/A & N/A\\ +\hline +1 & echo\_request & echo\_request & echo\_request\\ +\hline +2 & echo\_response & echo\_response & echo\_response\\ +\hline +3 & version\_not\_supported & version\_not\_supported & version\_not\_supported\\ +\hline +4 & node\_alive\_request & node\_alive\_request & N/A\\ +\hline +5 & node\_alive\_response & node\_alive\_response & N/A\\ +\hline +6 & redirection\_request & redirection\_request & N/A\\ +\hline +7 & redirection\_response & redirection\_response & N/A \\ +\hline +16 & create\_pdp\_context\_request & create\_pdp\_context\_request & N/A\\ +\hline +17 & create\_pdp\_context\_response & create\_pdp\_context\_response & N/A \\ +\hline +18 & update\_pdp\_context\_request & update\_pdp\_context\_request & N/A\\ +\hline +19 & update\_pdp\_context\_response & update\_pdp\_context\_response & N/A\\ +\hline +20 & delete\_pdp\_context\_request & delete\_pdp\_context\_request & N/A\\ +\hline +21 & delete\_pdp\_context\_response & delete\_pdp\_context\_response & N/A\\ +\hline +22 & create\_aa\_pdp\_context\_request & init\_pdp\_context\_activation\_request & N/A\\ +\hline +23 & create\_aa\_pdp\_context\_response & init\_pdp\_context\_activation\_response & N/A\\ +\hline +24 & delete\_aa\_pdp\_context\_request & N/A & N/A\\ +\hline +25 & delete\_aa\_pdp\_context\_response & N/A & N/A\\ +\hline +26 & error\_indication & error\_indication & N/A\\ +\hline +27 & pdu\_notification\_request & pdu\_notification\_request & N/A\\ +\hline +28 & pdu\_notification\_response & pdu\_notification\_response & N/A\\ +\hline +29 & pdu\_notification\_reject\_request & pdu\_notification\_reject\_request & N/A\\ +\hline +30 & pdu\_notification\_reject\_response & 
pdu\_notification\_reject\_response & N/A\\ +\hline +31 & N/A & supported\_ext\_header\_notification & N/A \\ +\hline +32 & send\_routing\_info\_request & send\_routing\_info\_request & create\_session\_request \\ +\hline +33 & send\_routing\_info\_response & send\_routing\_info\_response & create\_session\_response \\ +\hline +34 & failure\_report\_request & failure\_report\_request & modify\_bearer\_request \\ +\hline +35 & failure\_report\_response & failure\_report\_response & modify\_bearer\_response \\ +\hline +36 & note\_ms\_present\_request & note\_ms\_present\_request & delete\_session\_request \\ +\hline +37 & note\_ms\_present\_response & note\_ms\_present\_response & delete\_session\_response \\ +\hline +38 & N/A & N/A & change\_notification\_request \\ +\hline +39 & N/A & N/A & change\_notification\_response \\ +\hline +48 & identification\_request & identification\_request & N/A \\ +\hline +49 & identification\_response & identification\_response & N/A \\ +\hline +50 & sgsn\_context\_request & sgsn\_context\_request & N/A \\ +\hline +51 & sgsn\_context\_response & sgsn\_context\_response & N/A \\ +\hline +52 & sgsn\_context\_ack & sgsn\_context\_ack & N/A \\ +\hline +53 & N/A & forward\_relocation\_request & N/A \\ +\hline +54 & N/A & forward\_relocation\_response & N/A \\ +\hline +55 & N/A & forward\_relocation\_complete & N/A \\ +\hline +56 & N/A & relocation\_cancel\_request & N/A \\ +\hline +57 & N/A & relocation\_cancel\_response & N/A \\ +\hline +58 & N/A & forward\_srns\_contex & N/A \\ +\hline +59 & N/A & forward\_relocation\_complete\_ack & N/A \\ +\hline +60 & N/A & forward\_srns\_contex\_ack & N/A \\ +\hline +64 & N/A & N/A & modify\_bearer\_command \\ +\hline +65 & N/A & N/A & modify\_bearer\_failure\_indication \\ +\hline +66 & N/A & N/A & delete\_bearer\_command \\ +\hline +67 & N/A & N/A & delete\_bearer\_failure\_indication \\ +\hline +68 & N/A & N/A & bearer\_resource\_command \\ +\hline +69 & N/A & N/A & 
bearer\_resource\_failure\_indication \\ +\hline +70 & N/A & ran\_info\_relay & downlink\_failure\_indication \\ +\hline +71 & N/A & N/A & trace\_session\_activation \\ +\hline +72 & N/A & N/A & trace\_session\_deactivation \\ +\hline +73 & N/A & N/A & stop\_paging\_indication \\ +\hline +95 & N/A & N/A & create\_bearer\_request \\ +\hline +96 & N/A & mbms\_notification\_request & create\_bearer\_response \\ +\hline +97 & N/A & mbms\_notification\_response & update\_bearer\_request \\ +\hline +98 & N/A & mbms\_notification\_reject\_request & update\_bearer\_response \\ +\hline +99 & N/A & mbms\_notification\_reject\_response & delete\_bearer\_request \\ +\hline +100 & N/A & create\_mbms\_context\_request & delete\_bearer\_response \\ +\hline +101 & N/A & create\_mbms\_context\_response & delete\_pdn\_request \\ +\hline +102 & N/A & update\_mbms\_context\_request & delete\_pdn\_response \\ +\hline +103 & N/A & update\_mbms\_context\_response & N/A \\ +\hline +104 & N/A & delete\_mbms\_context\_request & N/A \\ +\hline +105 & N/A & delete\_mbms\_context\_response & N/A \\ +\hline +112 & N/A & mbms\_register\_request & N/A \\ +\hline +113 & N/A & mbms\_register\_response & N/A \\ +\hline +114 & N/A & mbms\_deregister\_request & N/A \\ +\hline +115 & N/A & mbms\_deregister\_response & N/A \\ +\hline +116 & N/A & mbms\_session\_start\_request & N/A \\ +\hline +117 & N/A & mbms\_session\_start\_response & N/A \\ +\hline +118 & N/A & mbms\_session\_stop\_request & N/A \\ +\hline +119 & N/A & mbms\_session\_stop\_response & N/A \\ +\hline +120 & N/A & mbms\_session\_update\_request & N/A \\ +\hline +121 & N/A & mbms\_session\_update\_response & N/A \\ +\hline +128 & N/A & ms\_info\_change\_request & identification\_request \\ +\hline +129 & N/A & ms\_info\_change\_response & identification\_response \\ +\hline +130 & N/A & N/A & sgsn\_context\_request \\ +\hline +131 & N/A & N/A & sgsn\_context\_response \\ +\hline +132 & N/A & N/A & sgsn\_context\_ack \\ +\hline +133 & 
N/A & N/A & forward\_relocation\_request \\ +\hline +134 & N/A & N/A & forward\_relocation\_response \\ +\hline +135 & N/A & N/A & forward\_relocation\_complete \\ +\hline +136 & N/A & N/A & forward\_relocation\_complete\_ack \\ +\hline +137 & N/A & N/A & forward\_access \\ +\hline +138 & N/A & N/A & forward\_access\_ack \\ +\hline +139 & N/A & N/A & relocation\_cancel\_request \\ +\hline +140 & N/A & N/A & relocation\_cancel\_response \\ +\hline +141 & N/A & N/A & configuration\_transfer\_tunnel \\ +\hline +149 & N/A & N/A & detach \\ +\hline +150 & N/A & N/A & detach\_ack \\ +\hline +151 & N/A & N/A & cs\_paging \\ +\hline +152 & N/A & N/A & ran\_info\_relay \\ +\hline +153 & N/A & N/A & alert\_mme \\ +\hline +154 & N/A & N/A & alert\_mme\_ack \\ +\hline +155 & N/A & N/A & ue\_activity \\ +\hline +156 & N/A & N/A & ue\_activity\_ack \\ +\hline +160 & N/A & N/A & create\_forward\_tunnel\_request \\ +\hline +161 & N/A & N/A & create\_forward\_tunnel\_response \\ +\hline +162 & N/A & N/A & suspend \\ +\hline +163 & N/A & N/A & suspend\_ack \\ +\hline +164 & N/A & N/A & resume \\ +\hline +165 & N/A & N/A & resume\_ack \\ +\hline +166 & N/A & N/A & create\_indirect\_forward\_tunnel\_request \\ +\hline +167 & N/A & N/A & create\_indirect\_forward\_tunnel\_response \\ +\hline +168 & N/A & N/A & delete\_indirect\_forward\_tunnel\_request \\ +\hline +169 & N/A & N/A & delete\_indirect\_forward\_tunnel\_response \\ +\hline +170 & N/A & N/A & release\_access\_bearer\_request \\ +\hline +171 & N/A & N/A & release\_access\_bearer\_response \\ +\hline +176 & N/A & N/A & downlink\_data \\ +\hline +177 & N/A & N/A & downlink\_data\_ack \\ +\hline +178 & N/A & N/A & N/A \\ +\hline +179 & N/A & N/A & pgw\_restart \\ +\hline +199 & N/A & N/A & pgw\_restart\_ack \\ +\hline +200 & N/A & N/A & update\_pdn\_request \\ +\hline +201 & N/A & N/A & update\_pdn\_response \\ +\hline +211 & N/A & N/A & modify\_access\_bearer\_request \\ +\hline +212 & N/A & N/A & 
modify\_access\_bearer\_response \\ +\hline +231 & N/A & N/A & mbms\_session\_start\_request \\ +\hline +232 & N/A & N/A & mbms\_session\_start\_response \\ +\hline +233 & N/A & N/A & mbms\_session\_update\_request \\ +\hline +234 & N/A & N/A & mbms\_session\_update\_response \\ +\hline +235 & N/A & N/A & mbms\_session\_stop\_request \\ +\hline +236 & N/A & N/A & mbms\_session\_stop\_response \\ +\hline +240 & data\_record\_transfer\_request & data\_record\_transfer\_request & N/A \\ +\hline +241 & data\_record\_transfer\_response & data\_record\_transfer\_response & N/A \\ +\hline +254 & N/A & end\_marker & N/A \\ +\hline +255 & pdu & pdu & N/A \\ +\hline +\end{longtable} +\end{itemize} + +\texttt{gtp\_info} +\label{gtp:gtp_info} +\begin{itemize} +\item[] The \texttt{gtp\_info} keyword is used to check for specific GTP + information element. This keyword restricts the search to the information + element field. User can input information element value, an integer in + $[0, 255]$, or a string defined in the Table below. If the information + element used in this rule is not listed in the preprocessor configuration, + an error will be thrown. + +\item[] When there are several information elements with the same type in the + message, this keyword restricts the search to the total consecutive buffer. + Because the standard requires same types group together, this feature will be + available for all valid messages. In the case of ``out of order information + elements'', this keyword restricts the search to the last buffer. + +\item[] Similar to message type, same information element might have different + information element value in different GTP versions. For example, + \texttt{cause} has value $1$ in GTPv0 and GTPv1, but $2$ in GTPv2. + \texttt{gtp\_info} will match to a different + value depending on the version number in the packet. When an information + element is not defined in a version, any packet in that version will always + return ``No match''. 
+ + If an integer is used to specify information element type, every GTP packet + is evaluated, no matter what version the packet is. If the message type + matches the value in packet, it will return ``Match''.\\ + +\textit{Syntax} +\footnotesize +\begin{verbatim} + gtp_info:; + ie = "0-255"| + "rai" | "tmsi"... +\end{verbatim} +\normalsize +\textit{Examples} +\footnotesize +\begin{verbatim} + gtp_info: 16; + gtp_info: tmsi +\end{verbatim} +\normalsize +\textit{GTP information elements} +\small +\begin{longtable}{|r|c|c|c|p{13.5cm}|} +\hline +Type & GTPv0 & GTPv1 & GTPv2\\ +\hline +0 & N/A & N/A & N/A \\ +\hline +1 & cause & cause & imsi\\ +\hline +2 & imsi & imsi & cause \\ +\hline +3 & rai & rai & recovery\\ +\hline +4 & tlli & tlli & N/A\\ +\hline +5 & p\_tmsi & p\_tmsi & N/A\\ +\hline +6 & qos & N/A & N/A\\ +\hline +7 & N/A & N/A & N/A \\ +\hline +8 & recording\_required & recording\_required & N/A\\ +\hline +9 & authentication & authentication & N/A\\ +\hline +10 & N/A & N/A & N/A\\ +\hline +11 & map\_cause & map\_cause & N/A\\ +\hline +12 & p\_tmsi\_sig & p\_tmsi\_sig & N/A\\ +\hline +13 & ms\_validated & ms\_validated & N/A\\ +\hline +14 & recovery & recovery & N/A\\ +\hline +15 & selection\_mode & selection\_mode & N/A\\ +\hline +16 & flow\_label\_data\_1 & teid\_1 & N/A\\ +\hline +17 & flow\_label\_signalling & teid\_control & N/A\\ +\hline +18 & flow\_label\_data\_2 & teid\_2 & N/A\\ +\hline +19 & ms\_unreachable & teardown\_ind & N/A\\ +\hline +20 & N/A & nsapi & N/A\\ +\hline +21 & N/A & ranap & N/A\\ +\hline +22 & N/A & rab\_context & N/A\\ +\hline +23 & N/A & radio\_priority\_sms & N/A\\ +\hline +24 & N/A & radio\_priority & N/A\\ +\hline +25 & N/A & packet\_flow\_id & N/A\\ +\hline +26 & N/A & charging\_char & N/A\\ +\hline +27 & N/A & trace\_ref & N/A\\ +\hline +28 & N/A & trace\_type & N/A\\ +\hline +29 & N/A & ms\_unreachable & N/A\\ +\hline +71 & N/A & N/A & apn\\ +\hline +72 & N/A & N/A & ambr\\ +\hline +73 & N/A & N/A & ebi\\ +\hline +74 & N/A 
& N/A & ip\_addr\\ +\hline +75 & N/A & N/A & mei\\ +\hline +76 & N/A & N/A & msisdn\\ +\hline +77 & N/A & N/A & indication\\ +\hline +78 & N/A & N/A & pco\\ +\hline +79 & N/A & N/A & paa\\ +\hline +80 & N/A & N/A & bearer\_qos\\ +\hline +81 & N/A & N/A & flow\_qos\\ +\hline +82 & N/A & N/A & rat\_type\\ +\hline +83 & N/A & N/A & serving\_network\\ +\hline +84 & N/A & N/A & bearer\_tft\\ +\hline +85 & N/A & N/A & tad\\ +\hline +86 & N/A & N/A & uli\\ +\hline +87 & N/A & N/A & f\_teid\\ +\hline +88 & N/A & N/A & tmsi\\ +\hline +89 & N/A & N/A & cn\_id\\ +\hline +90 & N/A & N/A & s103pdf\\ +\hline +91 & N/A & N/A & s1udf\\ +\hline +92 & N/A & N/A & delay\_value\\ +\hline +93 & N/A & N/A & bearer\_context\\ +\hline +94 & N/A & N/A & charging\_id\\ +\hline +95 & N/A & N/A & charging\_char\\ +\hline +96 & N/A & N/A & trace\_info\\ +\hline +97 & N/A & N/A & bearer\_flag\\ +\hline +98 & N/A & N/A & N/A\\ +\hline +99 & N/A & N/A & pdn\_type\\ +\hline +100 & N/A & N/A & pti\\ +\hline +101 & N/A & N/A & drx\_parameter\\ +\hline +102 & N/A & N/A & N/A\\ +\hline +103 & N/A & N/A & gsm\_key\_tri\\ +\hline +104 & N/A & N/A & umts\_key\_cipher\_quin\\ +\hline +105 & N/A & N/A & gsm\_key\_cipher\_quin\\ +\hline +106 & N/A & N/A & umts\_key\_quin\\ +\hline +107 & N/A & N/A & eps\_quad\\ +\hline +108 & N/A & N/A & umts\_key\_quad\_quin\\ +\hline +109 & N/A & N/A & pdn\_connection\\ +\hline +110 & N/A & N/A & pdn\_number\\ +\hline +111 & N/A & N/A & p\_tmsi\\ +\hline +112 & N/A & N/A & p\_tmsi\_sig\\ +\hline +113 & N/A & N/A & hop\_counter\\ +\hline +114 & N/A & N/A & ue\_time\_zone\\ +\hline +115 & N/A & N/A & trace\_ref\\ +\hline +116 & N/A & N/A & complete\_request\_msg\\ +\hline +117 & N/A & N/A & guti\\ +\hline +118 & N/A & N/A & f\_container\\ +\hline +119 & N/A & N/A & f\_cause\\ +\hline +120 & N/A & N/A & plmn\_id\\ +\hline +121 & N/A & N/A & target\_id\\ +\hline +122 & N/A & N/A & N/A\\ +\hline +123 & N/A & N/A & packet\_flow\_id\\ +\hline +124 & N/A & N/A & rab\_contex\\ 
+\hline +125 & N/A & N/A & src\_rnc\_pdcp\\ +\hline +126 & N/A & N/A & udp\_src\_port\\ +\hline +127 & charge\_id & charge\_id & apn\_restriction\\ +\hline +128 & end\_user\_address & end\_user\_address & selection\_mode\\ +\hline +129 & mm\_context & mm\_context & src\_id\\ +\hline +130 & pdp\_context & pdp\_context & N/A\\ +\hline +131 & apn & apn & change\_report\_action\\ +\hline +132 & protocol\_config & protocol\_config & fq\_csid\\ +\hline +133 & gsn & gsn & channel\\ +\hline +134 & msisdn & msisdn & emlpp\_pri\\ +\hline +135 & N/A & qos & node\_type\\ +\hline +136 & N/A & authentication\_qu & fqdn\\ +\hline +137 & N/A & tft & ti\\ +\hline +138 & N/A & target\_id & mbms\_session\_duration\\ +\hline +139 & N/A & utran\_trans & mbms\_service\_area\\ +\hline +140 & N/A & rab\_setup & mbms\_session\_id\\ +\hline +141 & N/A & ext\_header & mbms\_flow\_id\\ +\hline +142 & N/A & trigger\_id & mbms\_ip\_multicast\\ +\hline +143 & N/A & omc\_id & mbms\_distribution\_ack\\ +\hline +144 & N/A & ran\_trans & rfsp\_index\\ +\hline +145 & N/A & pdp\_context\_pri & uci\\ +\hline +146 & N/A & addi\_rab\_setup & csg\_info\\ +\hline +147 & N/A & sgsn\_number & csg\_id\\ +\hline +148 & N/A & common\_flag & cmi\\ +\hline +149 & N/A & apn\_restriction & service\_indicator\\ +\hline +150 & N/A & radio\_priority\_lcs & detach\_type\\ +\hline +151 & N/A & rat\_type & ldn\\ +\hline +152 & N/A & user\_loc\_info & node\_feature\\ +\hline +153 & N/A & ms\_time\_zone & mbms\_time\_to\_transfer\\ +\hline +154 & N/A & imei\_sv & throttling\\ +\hline +155 & N/A & camel & arp\\ +\hline +156 & N/A & mbms\_ue\_context & epc\_timer\\ +\hline +157 & N/A & tmp\_mobile\_group\_id & signalling\_priority\_indication\\ +\hline +158 & N/A & rim\_routing\_addr & tmgi\\ +\hline +159 & N/A & mbms\_config & mm\_srvcc\\ +\hline +160 & N/A & mbms\_service\_area & flags\_srvcc\\ +\hline +161 & N/A & src\_rnc\_pdcp & mmbr\\ +\hline +162 & N/A & addi\_trace\_info & N/A\\ +\hline +163 & N/A & hop\_counter & 
N/A\\ +\hline +164 & N/A & plmn\_id & N/A\\ +\hline +165 & N/A & mbms\_session\_id & N/A\\ +\hline +166 & N/A & mbms\_2g3g\_indicator & N/A\\ +\hline +167 & N/A & enhanced\_nsapi & N/A\\ +\hline +168 & N/A & mbms\_session\_duration & N/A\\ +\hline +169 & N/A & addi\_mbms\_trace\_info & N/A\\ +\hline +170 & N/A & mbms\_session\_repetition\_num & N/A\\ +\hline +171 & N/A & mbms\_time\_to\_data & N/A\\ +\hline +173 & N/A & bss & N/A\\ +\hline +174 & N/A & cell\_id & N/A\\ +\hline +175 & N/A & pdu\_num & N/A\\ +\hline +176 & N/A & N/A & N/A\\ +\hline +177 & N/A & mbms\_bearer\_capab & N/A\\ +\hline +178 & N/A & rim\_routing\_disc & N/A\\ +\hline +179 & N/A & list\_pfc & N/A\\ +\hline +180 & N/A & ps\_xid & N/A\\ +\hline +181 & N/A & ms\_info\_change\_report & N/A\\ +\hline +182 & N/A & direct\_tunnel\_flags & N/A\\ +\hline +183 & N/A & correlation\_id & N/A\\ +\hline +184 & N/A & bearer\_control\_mode & N/A\\ +\hline +185 & N/A & mbms\_flow\_id & N/A\\ +\hline +186 & N/A & mbms\_ip\_multicast & N/A\\ +\hline +187 & N/A & mbms\_distribution\_ack & N/A\\ +\hline +188 & N/A & reliable\_inter\_rat\_handover & N/A\\ +\hline +189 & N/A & rfsp\_index & N/A\\ +\hline +190 & N/A & fqdn & N/A\\ +\hline +191 & N/A & evolved\_allocation1 & N/A\\ +\hline +192 & N/A & evolved\_allocation2 & N/A\\ +\hline +193 & N/A & extended\_flags & N/A\\ +\hline +194 & N/A & uci & N/A\\ +\hline +195 & N/A & csg\_info & N/A\\ +\hline +196 & N/A & csg\_id & N/A\\ +\hline +197 & N/A & cmi & N/A\\ +\hline +198 & N/A & apn\_ambr & N/A\\ +\hline +199 & N/A & ue\_network & N/A\\ +\hline +200 & N/A & ue\_ambr & N/A\\ +\hline +201 & N/A & apn\_ambr\_nsapi & N/A\\ +\hline +202 & N/A & ggsn\_backoff\_timer & N/A\\ +\hline +203 & N/A & signalling\_priority\_indication & N/A\\ +\hline +204 & N/A & signalling\_priority\_indication\_nsapi & N/A\\ +\hline +205 & N/A & high\_bitrate & N/A\\ +\hline +206 & N/A & max\_mbr & N/A\\ +\hline +250 & N/A & N/A & N/A\\ +\hline + & N/A & N/A & N/A\\ +\hline +251 & 
charging\_gateway\_addr & charging\_gateway\_addr & N/A\\
+\hline
+255 & private\_extension & private\_extension & private\_extension\\
+\hline
+\end{longtable}
+\end{itemize}
+\texttt{gtp\_version}
+\label{gtp:gtp_version}
+\begin{itemize}
+ \item[] The \texttt{gtp\_version} keyword is used to check for specific
+GTP version.
+ \item[] Because different GTP version defines different message types and
+ information elements, this keyword should combine with \texttt{gtp\_type}
+and \texttt{gtp\_info.}\\
+
+\textit{Syntax}
+\footnotesize
+\begin{verbatim}
+ gtp_version:;
+ version = "0, 1, 2'
+\end{verbatim}
+\normalsize
+\textit{Examples}
+\footnotesize
+\begin{verbatim}
+ gtp_version: 1;
+\end{verbatim}
+\normalsize
+\end{itemize}
+
+\subsection{Modbus Preprocessor}
+\label{sub:modbus}
+The Modbus preprocessor is a Snort module that decodes the Modbus protocol.
+It also provides rule options to access certain protocol fields.
+This allows a user to write rules for Modbus packets without decoding the protocol
+with a series of "content" and "byte\_test" options.
+
+Modbus is a protocol used in SCADA networks. If your network does not contain any
+Modbus-enabled devices, we recommend leaving this preprocessor turned off.
+
+\subsubsection{Dependency Requirements}
+
+For proper functioning of the preprocessor:
+\begin{itemize}
+
+\item Stream session tracking must be enabled, i.e. stream5. TCP must be
+ enabled in stream5. The preprocessor requires a session tracker to keep its
+ data.
+
+\item Protocol Aware Flushing (PAF) must be enabled.
+
+\item IP defragmentation should be enabled, i.e. the frag3 preprocessor should be
+ enabled and configured.
+
+\end{itemize}
+
+\subsubsection{Preprocessor Configuration}
+To get started, the Modbus preprocessor must be enabled.
+The preprocessor name is \texttt{modbus}.
+\begin{verbatim}
+preprocessor modbus
+\end{verbatim}
+\textit{Option syntax}
+\begin{itemize}
+\item[]
+\begin{tabular}{|l|c|c|p{6cm}|}
+\hline
+Option & Argument & Required & Default\\
+\hline
+\hline
+\texttt{ports} & \texttt{} & NO & \texttt{ports \{ 502 \} }\\
+\hline
+\end{tabular}
+\end{itemize}
+\normalsize
+\textit{Option explanations}
+\begin{itemize}
+\item[] \texttt{ports}
+\begin{itemize}
+\item[] This specifies on what ports to check for Modbus messages. Typically,
+ this will include 502.
+\item[] \textit{Syntax}
+\begin{verbatim}
+ ports { [< ... >] }
+\end{verbatim}
+\item[] \textit{Examples}
+\begin{verbatim}
+ ports { 1237 3945 5067 }
+\end{verbatim}
+\item[] Note: there are spaces before and after `\{' and `\}'.
+\end{itemize}
+\end{itemize}
+\normalsize
+
+\textit{Default configuration}
+\footnotesize
+\begin{verbatim}
+ preprocessor modbus
+\end{verbatim}
+\normalsize
+
+\subsubsection{Rule Options}
+The Modbus preprocessor adds 3 new rule options. These rule options match on
+various pieces of the Modbus headers:
+
+\begin{itemize}
+\item[]
+\begin{verbatim}
+ modbus_func
+ modbus_unit
+ modbus_data
+\end{verbatim}
+\end{itemize}
+
+The preprocessor must be enabled for these rule option to work.
+
+\texttt{modbus\_func}
+\label{modbus:modbus_func}
+\begin{itemize}
+ \item[] This option matches against the Function Code inside of a Modbus
+ header. The code may be a number (in decimal format), or a string from the
+ list provided below.
+\end{itemize}
+
+\textit{Syntax}
+\footnotesize
+\begin{verbatim}
+ modbus_func:
+
+ code = 0-255 |
+ "read_coils" |
+ "read_discrete_inputs" |
+ "read_holding_registers" |
+ "read_input_registers" |
+ "write_single_coil" |
+ "write_single_register" |
+ "read_exception_status" |
+ "diagnostics" |
+ "get_comm_event_counter" |
+ "get_comm_event_log" |
+ "write_multiple_coils" |
+ "write_multiple_registers" |
+ "report_slave_id" |
+ "read_file_record" |
+ "write_file_record" |
+ "mask_write_register" |
+ "read_write_multiple_registers" |
+ "read_fifo_queue" |
+ "encapsulated_interface_transport"
+\end{verbatim}
+\normalsize
+\textit{Examples}
+\footnotesize
+\begin{verbatim}
+ modbus_func:1;
+ modbus_func:write_multiple_coils;
+\end{verbatim}
+\normalsize
+
+\texttt{modbus\_unit}
+\label{modbus:modbus_unit}
+\begin{itemize}
+ \item[] This option matches against the Unit ID field in a Modbus header.
+\end{itemize}
+
+\textit{Syntax}
+\footnotesize
+\begin{verbatim}
+ modbus_unit:
+
+ unit = 0-255
+\end{verbatim}
+\normalsize
+\textit{Examples}
+\footnotesize
+\begin{verbatim}
+ modbus_unit:1;
+\end{verbatim}
+\normalsize
+
+\texttt{modbus\_data}
+\label{modbus:modbus_data}
+\begin{itemize}
+ \item[] This rule option sets the cursor at the beginning of the Data field
+ in a Modbus request/response.
+\end{itemize}
+
+\textit{Syntax}
+\footnotesize
+\begin{verbatim}
+ modbus_data;
+\end{verbatim}
+\normalsize
+
+\textit{Examples}
+\footnotesize
+\begin{verbatim}
+ modbus_data; content:"badstuff";
+\end{verbatim}
+\normalsize
+
+\subsubsection{Preprocessor Events}
+The Modbus preprocessor uses GID 144 for its preprocessor events.
+\begin{longtable}{|r|p{13.5cm}|}
+
+\hline
+SID & Description\\
+\hline
+ 1 & The length in the Modbus header does not match the length needed \\
+ & by the Modbus function code. \\
+&\\
+ & Each Modbus function has an expected format for requests and responses.
\\
+ & If the length of the message does not match the expected format, this \\
+ & alert is generated. \\
+\hline
+ 2 & Modbus protocol ID is non-zero. \\
+&\\
+ & The protocol ID field is used for multiplexing other protocols with \\
+ & Modbus. Since the preprocessor cannot handle these other protocols, \\
+ & this alert is generated instead. \\
+\hline
+ 3 & Reserved Modbus function code in use. \\
+\hline
+\end{longtable}
+
+\subsection{DNP3 Preprocessor}
+\label{sub:dnp3}
+The DNP3 preprocessor is a Snort module that decodes the DNP3 protocol.
+It also provides rule options to access certain protocol fields.
+This allows a user to write rules for DNP3 packets without decoding the protocol
+with a series of "content" and "byte\_test" options.
+
+DNP3 is a protocol used in SCADA networks. If your network does not contain any
+DNP3-enabled devices, we recommend leaving this preprocessor turned off.
+
+\subsubsection{Dependency Requirements}
+
+For proper functioning of the preprocessor:
+\begin{itemize}
+
+\item Stream session tracking must be enabled, i.e. stream5. TCP or UDP must be
+ enabled in stream5. The preprocessor requires a session tracker to keep its
+ data.
+
+\item Protocol Aware Flushing (PAF) must be enabled.
+
+\item IP defragmentation should be enabled, i.e. the frag3 preprocessor should be
+ enabled and configured.
+
+\end{itemize}
+
+\subsubsection{Preprocessor Configuration}
+To get started, the DNP3 preprocessor must be enabled.
+The preprocessor name is \texttt{dnp3}.
+\begin{verbatim}
+preprocessor dnp3
+\end{verbatim}
+\textit{Option syntax}
+\begin{itemize}
+\item[]
+\begin{tabular}{|l|c|c|p{6cm}|}
+\hline
+Option & Argument & Required & Default\\
+\hline
+\hline
+\texttt{ports} & \texttt{} & NO & \texttt{ports \{ 20000 \} }\\
+\texttt{memcap} & \texttt{ [< ... >] }
+\end{verbatim}
+\item[] \textit{Examples}
+\begin{verbatim}
+ ports { 1237 3945 5067 }
+\end{verbatim}
+\item[] Note: there are spaces before and after `\{' and `\}'.
+\end{itemize}
+
+\item[] \texttt{memcap}
+\begin{itemize}
+\item[] This sets a maximum to the amount of memory allocated to the DNP3
+ preprocessor for session-tracking purposes. The argument is given
+ in bytes.
+ Each session requires about 4 KB to track, and the default is 256 kB.
+ This gives the preprocessor the ability to track 63 DNP3 sessions
+ simultaneously.
+ Setting the memcap below 4144 bytes will cause a fatal error.
+ When multiple configs are used, the memcap in the non-default configs
+ will be overwritten by the memcap in the default config. If the default
+ config isn't intended to inspect DNP3 traffic, use the "disabled"
+ keyword.
+\end{itemize}
+
+\item[] \texttt{check\_crc}
+\begin{itemize}
+\item[] This option makes the preprocessor validate the checksums contained in
+ DNP3 Link-Layer Frames. Frames with invalid checksums will be ignored.
+ If the corresponding preprocessor rule is enabled, invalid checksums
+ will generate alerts.
+ The corresponding rule is GID 145, SID 1.
+\end{itemize}
+
+\item[] \texttt{disabled}
+\begin{itemize}
+\item[] This option is used for loading the preprocessor without inspecting
+ any DNP3 traffic. The \texttt{disabled} keyword is only useful when the DNP3
+ preprocessor is turned on in a separate policy.
+\end{itemize}
+\end{itemize}
+\normalsize
+
+\textit{Default configuration}
+\footnotesize
+\begin{verbatim}
+ preprocessor dnp3
+\end{verbatim}
+\normalsize
+
+\subsubsection{Rule Options}
+The DNP3 preprocessor adds 4 new rule options. These rule options match on
+various pieces of the DNP3 headers:
+
+\begin{itemize}
+\item[]
+\begin{verbatim}
+ dnp3_func
+ dnp3_obj
+ dnp3_ind
+ dnp3_data
+\end{verbatim}
+\end{itemize}
+
+The preprocessor must be enabled for these rule option to work.
+
+\texttt{dnp3\_func}
+\label{dnp3:dnp3_func}
+\begin{itemize}
+ \item[] This option matches against the Function Code inside of a DNP3
+ Application-Layer request/response header.
The code may be a number
+ (in decimal format), or a string from the list provided below.
+\end{itemize}
+
+\textit{Syntax}
+\footnotesize
+\begin{verbatim}
+ dnp3_func:
+
+ code = 0-255 |
+ "confirm" |
+ "read" |
+ "write" |
+ "select" |
+ "operate" |
+ "direct_operate" |
+ "direct_operate_nr" |
+ "immed_freeze" |
+ "immed_freeze_nr" |
+ "freeze_clear" |
+ "freeze_clear_nr" |
+ "freeze_at_time" |
+ "freeze_at_time_nr" |
+ "cold_restart" |
+ "warm_restart" |
+ "initialize_data" |
+ "initialize_appl" |
+ "start_appl" |
+ "stop_appl" |
+ "save_config" |
+ "enable_unsolicited" |
+ "disable_unsolicited" |
+ "assign_class" |
+ "delay_measure" |
+ "record_current_time" |
+ "open_file" |
+ "close_file" |
+ "delete_file" |
+ "get_file_info" |
+ "authenticate_file" |
+ "abort_file" |
+ "activate_config" |
+ "authenticate_req" |
+ "authenticate_err" |
+ "response" |
+ "unsolicited_response" |
+ "authenticate_resp"
+
+\end{verbatim}
+\normalsize
+\textit{Examples}
+\footnotesize
+\begin{verbatim}
+ dnp3_func:1;
+ dnp3_func:delete_file;
+\end{verbatim}
+\normalsize
+
+\texttt{dnp3\_ind}
+\label{dnp3:dnp3_ind}
+\begin{itemize}
+ \item[] This option matches on the Internal Indicators flags present in a
+ DNP3 Application Response Header. Much like the TCP flags rule option,
+ providing multiple flags in one option will cause the rule to fire if \emph{ANY}
+ one of the flags is set. To alert on a combination of flags, use multiple rule
+ options.
+\end{itemize}
+
+\textit{Syntax}
+\footnotesize
+\begin{verbatim}
+ dnp3_ind:{,...]
+
+ flag = "all_stations"
+ "class_1_events"
+ "class_2_events"
+ "class_3_events"
+ "need_time"
+ "local_control"
+ "defice_trouble"
+ "device_restart"
+ "no_func_code_support"
+ "object_unknown"
+ "parameter_error"
+ "event_buffer_overflow"
+ "already_executing"
+ "config_corrupt"
+ "reserved_2"
+ "reserved_1"
+\end{verbatim}
+\normalsize
+\textit{Examples}
+\footnotesize
+\begin{verbatim}
+ # Alert on reserved_1 OR reserved_2
+ dnp3_ind:reserved_1,reserved_2;
+
+ # Alert on class_1 AND class_2 AND class_3 events
+ dnp3_ind:class_1_events; dnp3_ind:class_2_events; dnp3_ind:class_3_events;
+\end{verbatim}
+\normalsize
+
+\texttt{dnp3\_obj}
+\label{dnp3:dnp3_obj}
+\begin{itemize}
+ \item[] This option matches on DNP3 object headers present in a request or response.
+\end{itemize}
+
+\textit{Syntax}
+\footnotesize
+\begin{verbatim}
+ dnp3_obj:,
+
+ group = 0 - 255
+ var = 0 - 255
+\end{verbatim}
+\normalsize
+\textit{Examples}
+\footnotesize
+\begin{verbatim}
+ # Alert on DNP3 "Date and Time" object
+ dnp3_obj:50,1;
+\end{verbatim}
+\normalsize
+
+\texttt{dnp3\_data}
+\label{dnp3:dnp3_data}
+\begin{itemize}
+ \item[] As Snort processes DNP3 packets, the DNP3 preprocessor collects
+ Link-Layer Frames and reassembles them back into Application-Layer Fragments.
+ This rule option sets the cursor to the beginning of an Application-Layer
+ Fragment, so that other rule options can work on the reassembled data.
+
+ With the dnp3\_data rule option, you can write rules based on the data within
+ Fragments without splitting up the data and adding CRCs every 16 bytes.
+\end{itemize}
+
+\textit{Syntax}
+\footnotesize
+\begin{verbatim}
+ dnp3_data;
+\end{verbatim}
+\normalsize
+
+\textit{Examples}
+\footnotesize
+\begin{verbatim}
+ dnp3_data; content:"badstuff_longer_than_16chars";
+\end{verbatim}
+\normalsize
+
+\subsubsection{Preprocessor Events}
+The DNP3 preprocessor uses GID 145 for its preprocessor events.
+\begin{longtable}{|r|p{13.5cm}|}
+
+\hline
+SID & Description\\
+\hline
+ 1 & A Link-Layer Frame contained an invalid CRC. \\
+ & (Enable \texttt{check\_crc} in the preprocessor config to get this alert.) \\
+\hline
+ 2 & A DNP3 Link-Layer Frame was dropped, due to an invalid length. \\
+\hline
+ 3 & A Transport-Layer Segment was dropped during reassembly. \\
+ & This happens when segments have invalid sequence numbers. \\
+\hline
+ 4 & The DNP3 Reassembly buffer was cleared before a complete fragment could \\
+ & be reassembled. \\
+ & This happens when a segment carrying the "FIR" flag appears after some \\
+ & other segments have been queued. \\
+\hline
+ 5 & A DNP3 Link-Layer Frame is larger than 260 bytes. \\
+\hline
+ 6 & A DNP3 Link-Layer Frame uses an address that is reserved. \\
+\hline
+ 7 & A DNP3 request or response uses a reserved function code. \\
+\hline
+\end{longtable}
+
+
+
+
+\section{Decoder and Preprocessor Rules}
+
+Decoder and preprocessor rules allow one to enable and disable decoder and
+preprocessor events on a rule by rule basis. They also allow one to specify
+the rule type or action of a decoder or preprocessor event on a rule by rule
+basis.
+
+Decoder config options will still determine whether or not to generate decoder
+events. For example, if \texttt{config disable\_decode\_alerts} is in
+\texttt{snort.conf}, decoder events will not be generated regardless of whether
+or not there are corresponding rules for the event. Also note that if the
+decoder is configured to enable drops, e.g. \texttt{config
+enable\_decode\_drops}, these options will take precedence over the event type
+of the rule. A packet will be dropped if either a decoder config drop option
+is in \texttt{snort.conf} or the decoder or preprocessor rule type is
+\texttt{drop}. Of course, the drop cases only apply if Snort is running
+inline. See \texttt{doc/README.decode} for config options that control decoder
+events.
+ +\subsection{Configuring} + +The following options to configure will enable decoder and preprocessor rules: + +\begin{verbatim} + $ ./configure --enable-decoder-preprocessor-rules +\end{verbatim} + +The decoder and preprocessor rules are located in the \texttt{preproc\_rules/} +directory in the top level source tree, and have the names +\texttt{decoder.rules} and \texttt{preprocessor.rules} respectively. These +files are updated as new decoder and preprocessor events are added to Snort. +The \texttt{gen-msg.map} under \texttt{etc} directory is also updated with +new decoder and preprocessor rules. + +To enable these rules in \texttt{snort.conf}, define the path to where the +rules are located and uncomment the \texttt{include} lines in +\texttt{snort.conf} that reference the rules files. + +\begin{verbatim} + var PREPROC_RULE_PATH /path/to/preproc_rules + ... + include $PREPROC_RULE_PATH/preprocessor.rules + include $PREPROC_RULE_PATH/decoder.rules +\end{verbatim} + +To disable any rule, just comment it with a \texttt{\#} or remove the rule +completely from the file (commenting is recommended). + +To change the rule type or action of a decoder/preprocessor rule, just replace +\texttt{alert} with the desired rule type. Any one of the following rule types +can be used: + +\begin{verbatim} + alert + log + pass + drop + sdrop + reject +\end{verbatim} + +For example one can change: + +\begin{verbatim} + alert ( msg: "DECODE_NOT_IPV4_DGRAM"; sid: 1; gid: 116; rev: 1; \ + metadata: rule-type decode ; classtype:protocol-command-decode;) +\end{verbatim} + +to + +\begin{verbatim} + drop ( msg: "DECODE_NOT_IPV4_DGRAM"; sid: 1; gid: 116; rev: 1; \ + metadata: rule-type decode ; classtype:protocol-command-decode;) +\end{verbatim} + +to drop (as well as alert on) packets where the Ethernet protocol is IPv4 but +version field in IPv4 header has a value other than 4. 
+ +See \texttt{README.decode}, \texttt{README.gre} and the various preprocessor +READMEs for descriptions of the rules in \texttt{decoder.rules} and +\texttt{preprocessor.rules}. + +The generator ids ( gid ) for different preprocessors and the decoder are as follows: + +\begin{table}[h] +\begin{center} +\begin{tabular}{| l | l |} + +\hline +\textbf{Generator Id} & \textbf{Module}\\ +\hline + +\hline +\texttt{105} & Back Orifice preprocessor \\ + +\hline +\texttt{106} & RPC Decode preprocessor \\ + +\hline +\texttt{112} & Arpspoof preprocessor \\ + +\hline +\texttt{116} & Snort Decoder \\ + +\hline +\texttt{119} & HTTP Inspect preprocessor ( Client ) \\ + +\hline +\texttt{120} & HTTP Inspect preprocessor ( Server ) \\ + +\hline +\texttt{122} & Portscan preprocessor \\ + +\hline +\texttt{123} & Frag3 preprocessor \\ + +\hline +\texttt{124} & SMTP preprocessor \\ + +\hline +\texttt{125} & FTP (FTP) preprocessor \\ + +\hline +\texttt{126} & FTP (Telnet) preprocessor \\ + +\hline +\texttt{127} & ISAKMP preprocessor \\ + +\hline +\texttt{128} & SSH preprocessor \\ + +\hline +\texttt{129} & Stream5 preprocessor \\ + +\hline +\texttt{131} & DNS preprocessor \\ + +\hline +\texttt{132} & Skype preprocessor \\ + +\hline +\texttt{133} & DceRpc2 preprocessor \\ + +\hline +\texttt{134} & PPM preprocessor \\ + +\hline +\texttt{136} & Reputation preprocessor \\ + +\hline +\texttt{137} & SSL preprocessor \\ + +\hline +\texttt{139} & SDF preprocessor \\ + +\hline +\texttt{140} & SIP preprocessor \\ + +\hline +\texttt{141} & IMAP preprocessor \\ + +\hline +\texttt{142} & POP preprocessor \\ + +\hline +\texttt{143} & GTP preprocessor \\ +\hline +\end{tabular} +\end{center} +\end{table} + + +\subsection{Reverting to original behavior} + +If you have configured snort to use decoder and preprocessor rules, the +following config option in \texttt{snort.conf} will make Snort revert to the +old behavior: + +\begin{verbatim} + config autogenerate_preprocessor_decoder_rules +\end{verbatim} + 
+Note that if you want to revert to the old behavior, you also have to remove +the decoder and preprocessor rules and any reference to them from +\texttt{snort.conf}, otherwise they will be loaded. This option applies to +rules not specified and the default behavior is to alert. + +\section{Event Processing} + +Snort provides a variety of mechanisms to tune event processing to suit your +needs: + +\begin{itemize} +\item \texttt{Detection Filters} + +You can use detection filters to specify a threshold that must be exceeded +before a rule generates an event. This is covered in section +\ref{detection_filter}. + +\item \texttt{Rate Filters} + +You can use rate filters to change a rule action when the number or rate of +events indicates a possible attack. + +\item \texttt{Event Filters} + +You can use event filters to reduce the number of logged events for noisy rules. This can be tuned to significantly reduce false alarms. \item \texttt{Event Suppression} @@ -6921,8 +11305,13 @@ require only a simple \texttt{config} option to \texttt{snort.conf} and Snort will print statistics on the worst (or all) performers on exit. When a file name is provided in \texttt{profile\_rules} or \texttt{profile\_preprocs}, the -statistics will be saved in these files. If the \texttt{append} option is not -present, previous data in these files will be overwritten. +statistics will be saved in these files. If \texttt{append} is not specified, +a new file will be created each time Snort is run. The filenames will have +timestamps appended to them. These files will be found in the logging +directory. + +To use this feature, you must build snort with the \texttt{--enable-perfprofiling} +option to the configure script. \subsection{Rule Profiling} \label{rule profiling} 
@@ -6962,7 +11351,7 @@ \subitem \texttt{config profile\_rules} \item Print all rules, sort by avg\_ticks, and append to file \texttt{rules\_stats.txt} -\subitem \texttt{config profile\_rules filename \texttt{rules\_stats.txt} append} +\subitem \texttt{config profile\_rules: filename \texttt{rules\_stats.txt} append} \item Print the top 10 rules, based on highest average time \subitem \texttt{config profile\_rules: print 10, sort avg\_ticks} @@ -7070,7 +11459,7 @@ \item Print all preprocessors, sort by avg\_ticks, and append to file \texttt{preprocs\_stats.txt} -\subitem \texttt{config profile\_preprocs, filename \texttt{preprocs\_stats.txt} append} +\subitem \texttt{config profile\_preprocs: filename \texttt{preprocs\_stats.txt} append} \item Print the top 10 preprocessors, based on highest average time \subitem \texttt{config profile\_preprocs: print 10, sort avg\_ticks} 
@@ -7087,57 +11476,46 @@ \begin{figure} \footnotesize{ \begin{verbatim} -Preprocessor Profile Statistics (all) +Preprocessor Profile Statistics (worst 10) ========================================================== Num Preprocessor Layer Checks Exits Microsecs Avg/Check Pct of Caller Pct of Total === ============ ===== ====== ===== ========= ========= ============= ============ - 1 ftptelnet_ftp 0 2697 2697 135720 50.32 0.20 0.20 - 2 detect 0 930237 930237 31645670 34.02 47.20 47.20 - 1 rule eval 1 1347969 1347969 26758596 19.85 84.56 39.91 - 1 rule tree eval 2 1669390 1669390 26605086 15.94 99.43 39.68 - 1 pcre 3 488652 488652 18994719 38.87 71.40 28.33 - 2 asn1 3 1 1 8 8.56 0.00 0.00 - 3 uricontent 3 647122 647122 2638614 4.08 9.92 3.94 - 4 content 3 1043099 1043099 3154396 3.02 11.86 4.70 - 5 ftpbounce 3 23 23 19 0.87 0.00 0.00 - 6 byte_jump 3 9007 9007 3321 0.37 0.01 0.00 - 7 byte_test 3 239015 239015 64401 0.27 0.24 0.10 - 8 icmp_seq 3 2 2 0 0.16 0.00 0.00 - 9 fragbits 3 65259 65259 10168 0.16 0.04 0.02 - 10 isdataat 3 5085 5085 757 0.15 0.00 0.00 - 11 flags 3 4147 4147 517 0.12 0.00 0.00 - 12 flowbits 3 2002630 2002630 212231 0.11 0.80 0.32 - 13 ack 3 4042 4042 261 0.06 0.00 0.00 - 14 flow 3 1347822 1347822 79002 0.06 0.30 0.12 - 15 icode 3 75538 75538 4280 0.06 0.02 0.01 - 16 itype 3 27009 27009 1524 0.06 0.01 0.00 - 17 icmp_id 3 41150 41150 1618 0.04 0.01 0.00 - 18 ip_proto 3 142625 142625 5004 0.04 0.02 0.01 - 19 ipopts 3 13690 13690 457 0.03 0.00 0.00 - 2 rtn eval 2 55836 55836 22763 0.41 0.09 0.03 - 2 mpse 1 492836 492836 4135697 8.39 13.07 6.17 - 3 frag3 0 76925 76925 1683797 21.89 2.51 2.51 - 1 frag3insert 1 70885 70885 434980 6.14 25.83 0.65 - 2 frag3rebuild 1 5419 5419 6280 1.16 0.37 0.01 - 4 dcerpc 0 127332 127332 2426830 19.06 3.62 3.62 - 5 s5 0 809682 809682 14195602 17.53 21.17 21.17 - 1 s5tcp 1 765281 765281 14128577 18.46 99.53 21.07 - 1 s5TcpState 2 742464 742464 13223585 17.81 93.59 19.72 - 1 s5TcpFlush 3 51987 51987 92918 1.79 0.70 0.14 - 1 
s5TcpProcessRebuilt 4 47355 47355 14548497 307.22 15657.23 21.70 - 2 s5TcpBuildPacket 4 47360 47360 41711 0.88 44.89 0.06 - 2 s5TcpData 3 250035 250035 141490 0.57 1.07 0.21 - 1 s5TcpPktInsert 4 88173 88173 110136 1.25 77.84 0.16 - 2 s5TcpNewSess 2 60880 60880 81779 1.34 0.58 0.12 - 6 eventq 0 2089428 2089428 26690209 12.77 39.81 39.81 - 7 httpinspect 0 296030 296030 1862359 6.29 2.78 2.78 - 8 smtp 0 137653 137653 227982 1.66 0.34 0.34 - 9 decode 0 1057635 1057635 1162456 1.10 1.73 1.73 - 10 ftptelnet_telnet 0 175 175 175 1.00 0.00 0.00 - 11 sfportscan 0 881153 881153 518655 0.59 0.77 0.77 - 12 backorifice 0 35369 35369 4875 0.14 0.01 0.01 - 13 dns 0 16639 16639 1346 0.08 0.00 0.00 - total total 0 1018323 1018323 67046412 65.84 0.00 0.00 + 1 detect 0 338181 338181 9054573 26.77 64.62 64.62 + 1 rule eval 1 256978 256978 2570596 10.00 28.39 18.35 + 1 rule tree eval 2 399860 399860 2520629 6.30 98.06 17.99 + 1 pcre 3 51328 51328 505636 9.85 20.06 3.61 + 2 byte_jump 3 6 6 7 1.30 0.00 0.00 + 3 content 3 1077588 1077588 1123373 1.04 44.57 8.02 + 4 uricontent 3 106498 106498 79685 0.75 3.16 0.57 + 5 byte_test 3 9951 9951 5709 0.57 0.23 0.04 + 6 isdataat 3 8486 8486 3192 0.38 0.13 0.02 + 7 flowbits 3 135739 135739 35365 0.26 1.40 0.25 + 8 flags 3 2 2 0 0.20 0.00 0.00 + 9 preproc_rule_options 3 15499 15499 1939 0.13 0.08 0.01 + 10 flow 3 394817 394817 36420 0.09 1.44 0.26 + 11 file_data 3 15957 15957 1264 0.08 0.05 0.01 + 12 ack 3 4 4 0 0.07 0.00 0.00 + 2 rtn eval 2 36928 36928 17500 0.47 0.68 0.12 + 2 mpse 1 646528 646528 5840244 9.03 64.50 41.68 + 2 s5 0 310080 310080 3270702 10.55 23.34 23.34 + 1 s5tcp 1 310080 310080 2993020 9.65 91.51 21.36 + 1 s5TcpState 2 304484 304484 2559085 8.40 85.50 18.26 + 1 s5TcpFlush 3 22148 22148 70681 3.19 2.76 0.50 + 1 s5TcpProcessRebuilt 4 22132 22132 2018748 91.21 2856.11 14.41 + 2 s5TcpBuildPacket 4 22132 22132 34965 1.58 49.47 0.25 + 2 s5TcpData 3 184186 184186 120794 0.66 4.72 0.86 + 1 s5TcpPktInsert 4 46249 46249 89299 1.93 73.93 
0.64 + 2 s5TcpNewSess 2 5777 5777 37958 6.57 1.27 0.27 + 3 httpinspect 0 204751 204751 1814731 8.86 12.95 12.95 + 4 ssl 0 10780 10780 16283 1.51 0.12 0.12 + 5 decode 0 312638 312638 437860 1.40 3.12 3.12 + 6 DceRpcMain 0 155358 155358 186061 1.20 1.33 1.33 + 1 DceRpcSession 1 155358 155358 156193 1.01 83.95 1.11 + 7 backorifice 0 77 77 42 0.55 0.00 0.00 + 8 smtp 0 45197 45197 17126 0.38 0.12 0.12 + 9 ssh 0 26453 26453 7195 0.27 0.05 0.05 + 10 dns 0 28 28 5 0.18 0.00 0.00 + total total 0 311202 311202 14011946 45.03 0.00 0.00 \end{verbatim} } \caption{Preprocessor Profiling Example Output} @@ -7147,8 +11525,8 @@ Configuration line used to print the above table: \begin{verbatim} - config profile_rules: \ - print 3, sort total_ticks + config profile_preprocs: \ + print 10, sort total_ticks \end{verbatim} The columns represent: @@ -7267,7 +11645,7 @@ \texttt{threshold } \begin{itemize} -\item sets the number of consecutive rule time excesses before disabling +\item sets the number of cumulative rule time excesses before disabling a rule \item default is 5 \end{itemize} @@ -7422,7 +11800,7 @@ flexible in the formatting and presentation of output to its users. The output modules are run when the alert or logging subsystems of Snort are called, after the preprocessors and detection engine. The format of the directives in the -rules file is very similar to that of the preprocessors. +config file is very similar to that of the preprocessors. Multiple output plugins may be specified in the Snort configuration file. When multiple plugins of the same type (log, alert) are specified, they are stacked @@ -7431,7 +11809,7 @@ or to a user directed directory (using the -l command line switch). Output modules are loaded at runtime by specifying the output keyword in the -rules file: +config file: \begin{verbatim} output : 
@@ -7442,11 +11820,11 @@ \end{verbatim} \subsection{alert\_syslog} -\label{alert syslog lable} +\label{alert syslog label} This module sends alerts to the syslog facility (much like the -s command line switch). This module also allows the user to specify the logging facility and -priority within the Snort rules file, giving users greater flexibility in +priority within the Snort config file, giving users greater flexibility in logging alerts. \subsubsection{Available Keywords} @@ -7514,7 +11892,7 @@ \subsubsection{Example} \begin{verbatim} - output alert_syslog: 10.1.1.1:514, + output alert_syslog: host=10.1.1.1:514, \end{verbatim} \subsection{alert\_fast} @@ -7633,6 +12011,12 @@ \subsection{database} \label{database section} +\begin{note} +The database output plugins are considered deprecated as of Snort 2.9.2 and +will be removed in Snort 2.9.3. +The recommended approach to logging is to use unified2 with barnyard2 or similar. +\end{note} + This module from Jed Pickel sends Snort data to a variety of SQL databases. More information on installing and configuring this module can be found on the {[}91{]}incident.org web page. The arguments to this plugin are the name of the @@ -7835,7 +12219,7 @@ different files, an \emph{alert} file, and a \emph{log} file. The alert file contains the high-level details of an event (eg: IPs, protocol, port, message id). The log file contains the detailed packet information (a packet dump with -the associated event ID). Both file types are written in a bimary format +the associated event ID). Both file types are written in a binary format described in \emph{spo\_unified.h}. \begin{note} 
@@ -7908,6 +12292,11 @@ \subsection{alert\_prelude} \begin{note} +The \texttt{alert\_prelude} output plugin is considered deprecated as of Snort 2.9.2 and +will be removed in Snort 2.9.3. +\end{note} + +\begin{note} support to use alert\_prelude is not built in by default. To use alert\_prelude, snort must be built with the --enable-prelude argument passed @@ -7962,6 +12351,11 @@ \subsection{alert\_aruba\_action} \begin{note} +The \texttt{alert\_aruba\_action} output plugin is considered deprecated as of Snort 2.9.2 and +will be removed in Snort 2.9.3. +\end{note} + +\begin{note} Support to use alert\_aruba\_action is not built in by default. To use alert\_aruba\_action, snort must be built with the --enable-aruba argument @@ -8125,7 +12519,7 @@ 100 - OpenSSH + OpenSSH 100 3.9p1 @@ -8135,7 +12529,7 @@ - 23 + 2300 100 @@ -8159,11 +12553,11 @@ 100 - http + http 91 - IE Http Browser + IE Http Browser 90 6.0 
@@ -8177,18 +12571,154 @@ \end{verbatim} -\begin{note} +\begin{note} + +With Snort 2.8.1, for a given host entry, the stream and IP frag information +are both used. Of the service attributes, only the IP protocol (tcp, udp, +etc), port, and protocol (http, ssh, etc) are used. The application and +version for a given service attribute, and any client attributes are ignored. +They will be used in a future release. + +\end{note} + +A DTD for verification of the Host Attribute Table XML file is provided with +the snort packages. + +The confidence metric may be used to indicate the validity of a given service +or client application and its respective elements. That field is not +currently used by Snort, but may be in future releases. + +\subsection{Attribute Table Example} + +In the example above, a host running Red Hat 2.6 is described. This host has +an IP address of 192.168.1.234. On that host, TCP port 22 is ssh (running +Open SSH), and TCP port 2300 is telnet. + +The IP stack fragmentation and stream reassembly is mimicked by the "linux" +configuration (see sections \ref{frag3 section} and \ref{stream5 section}). + +\subsubsection{Attribute Table Affect on preprocessors} + +\begin{itemize} +\item{Network Layer Preprocessors} + +Each of the network layer preprocessors (frag3 and stream5) make use of the +respective \texttt{FRAG\_POLICY} and \texttt{STREAM\_POLICY} in terms of +how data is handled for reassembly for packets being received by that host. + +\item{Application Layer Preprocessors} + +The application layer preprocessors (HTTP, SMTP, FTP, Telnet, etc) make +use of the \texttt{SERVICE} information for connections destined to that +host on that port. + +For example, even if the telnet portion of the FTP/Telnet preprocessor is +only configured to inspect port 23, Snort will inspect packets for a connection +to 192.168.1.234 port 2300 as telnet. 
+ +Conversely, if, for example, HTTP Inspect is configured to inspect traffic +on port 2300, HTTP Inspect will NOT process the packets on a connection +to 192.168.1.234 port 2300 because it is identified as telnet. + +Below is a list of the common services used by Snort's application layer +preprocessors and Snort rules (see below). + +\begin{table}[h] +\label{attribute:service names} +\begin{center} +\begin{tabular}{| l | l | l | l | l | l | l |} +\hline +http & ftp & ftp-data & telnet & smtp & ssh & tftp \\ +\hline +dcerpc & netbios-dgm & netbios-ns & netbios-ssn & nntp & finger & sunrpc \\ +\hline +dns & isakmp & mysql & oracle & cvs & shell & x11 \\ +\hline +imap & pop2 & pop3 & snmp & & & \\ +\hline +\end{tabular} +\end{center} +\end{table} +\end{itemize} + +\subsubsection{Attribute Table Affect on rules} + +Similar to the application layer preprocessors, rules configured for specific +ports that have a service metadata will be processed based on the service +identified by the attribute table. + +When both service metadata is present in the rule and in the connection, Snort uses +the service rather than the port. If there are rules that use the service +and other rules that do not but the port matches, Snort will ONLY inspect the rules +that have the service that matches the connection. + +The following few scenarios identify whether a rule will be inspected or not. + +\begin{itemize} +\item{Alert: Rule Has Service Metadata, Connection Service Matches} + +The following rule will be inspected and alert on traffic to host 192.168.1.234 +port 2300 because it is identified as telnet. + +\begin{verbatim} +alert tcp any any -> any 23 (msg:"Telnet traffic"; flow:to_server,established; +sid:10000001; metadata: service telnet;) +\end{verbatim} + +\item{Alert: Rule Has Multiple Service Metadata, Connection Service Matches One of them} + +The following rule will be inspected and alert on traffic to host 192.168.1.234 +port 2300 because it is identified as telnet. 
+ +\begin{verbatim} +alert tcp any any -> any 23 (msg:"Telnet traffic"; flow:to_server,established; +sid:10000002; metadata: service telnet, service smtp;) +\end{verbatim} + +\item{No Alert: Rule Has Service Metadata, Connection Service Does Not Match, Port Matches} -With Snort 2.8.1, for a given host entry, the stream and IP frag information -are both used. Of the service attributes, only the IP protocol (tcp, udp, -etc), port, and protocol (http, ssh, etc) are used. The application and -version for a given service attribute, and any client attributes are ignored. -They will be used in a future release. +The following rule will NOT be inspected and NOT alert on traffic to host 192.168.1.234 +port 2300 because that traffic is identified as telnet, but the service is ssh. -\end{note} +\begin{verbatim} +alert tcp any any -> any 2300 (msg:"SSH traffic"; flow:to_server,established; +sid:10000003; metadata: service ssh;) +\end{verbatim} -A DTD for verification of the Host Attribute Table XML file is provided with -the snort packages. +\item{Alert: Rule Has No Service Metadata, Port Matches} + +The following rule will be inspected and alert on traffic to host 192.168.1.234 +port 2300 because the port matches. + +\begin{verbatim} +alert tcp any any -> any 2300 (msg:"Port 2300 traffic"; flow:to_server,established; +sid:10000004;) +\end{verbatim} + +\item{Alert: Rule Has No Service Metadata, Packet has service + other rules with service} + +The first rule will NOT be inspected and NOT alert on traffic to host 192.168.1.234 +port 2300 because the service is identified as telnet and there are other rules with +that service. 
+ +\begin{verbatim} +alert tcp any any -> any 2300 (msg:"Port 2300 traffic"; flow:to_server,established; +sid:10000005;) +alert tcp any any -> any 2300 (msg:"Port 2300 traffic"; flow:to_server,established; +sid:10000006; metadata: service telnet;) +\end{verbatim} + +\item{No Alert: Rule Has No Service Metadata, Port Does Not Match} + +The following rule will NOT be inspected and NOT alert on traffic to host 192.168.1.234 +port 2300 because the port does not match. + +\begin{verbatim} +alert tcp any any -> any 23 (msg:"Port 23 traffic"; flow:to_server,established; +sid:10000007;) +\end{verbatim} + +\end{itemize} \section{Dynamic Modules} @@ -8284,6 +12814,9 @@ \begin{note} This functionality is not currently supported in Windows. + +Caveat : When Snort is run on the primary network interface of an OpenBSD system, the reload and failopen operations may not function as expected. + \end{note} @@ -8341,10 +12874,6 @@ config chroot config daemon config detection_filter -config flexresp2_attempts -config flexresp2_interface -config flexresp2_memcap -config flexresp2_rows config flowbits_size config interface config logdir @@ -8354,6 +12883,7 @@ config pkt_count config rate_filter config read_bin_file +config response config set_gid config set_uid config snaplen @@ -8386,12 +12916,14 @@ memcap prealloc_frags prealloc_memcap + disabled preprocessor perfmonitor file snortfile preprocessor sfportscan memcap logfile + disabled preprocessor stream5_global memcap max_tcp @@ -8434,7 +12966,8 @@ Ids and alphanumeric are not supported. \item [\texttt{ipList}] - Refers to ip subnets. Subnets can be CIDR blocks for -IPV6 or IPv4. +IPV6 or IPv4. A maximum of 512 individual IPv4 or IPv6 addresses or CIDRs can be +specified. \end{description} 
@@ -8562,6 +13095,195 @@ In this case, snort will use the first configuration in the order of definition, that can be applied to the packet. +\section{Active Response} + +Snort 2.9 includes a number of changes to better handle inline operation, +including: + +\begin{itemize} +\item a single mechanism for all responses +\item fully encoded reset or icmp unreachable packets +\item updated flexible response rule option +\item updated react rule option +\item added block and sblock rule actions +\end{itemize} + +These changes are outlined below. + +\subsection{Enabling Active Response} + +This enables active responses (snort will send TCP RST or ICMP +unreachable/port) when dropping a session. + +\begin{verbatim} + ./configure --enable-active-response / -DACTIVE_RESPONSE + + preprocessor stream5_global: \ + max_active_responses , \ + min_response_seconds + + ::= (0..25) + ::= (1..300) +\end{verbatim} + +Active responses will be encoded based on the triggering packet. TTL will be +set to the value captured at session pickup. + +\subsection{Configure Sniping} + +Configure the number of attempts to land a TCP RST within the session's current +window (so that it is accepted by the receiving TCP). This sequence "strafing" +is really only useful in passive mode. In inline mode the reset is put +straight into the stream in lieu of the triggering packet so strafing is not +necessary. + +Each attempt (sent in rapid succession) has a different sequence number. Each +active response will actually cause this number of TCP resets to be sent. TCP +data (sent for react) is multiplied similarly. At most 1 ICMP unreachable is +sent, if and only if attempts > 0. + +\begin{verbatim} + ./configure --enable-active-response + + config response: [device ] [dst_mac ] attempts + + ::= ip | eth0 | etc. + ::= (1..20) + ::= nn:nn:nn:nn:nn:nn + (n is a hex number from 0-F) +\end{verbatim} + +device ip will perform network layer injection. 
It is probably a better choice +to specify an interface and avoid kernel routing tables, etc. + +dst\_mac will change response destination MAC address, if the device is eth0, eth1, eth2 etc. +Otherwise, response destination MAC address is derived from packet. +Example: +\begin{verbatim} + config response: device eth0 dst_mac 00:06:76:DD:5F:E3 attempts 2 +\end{verbatim} + +\subsection{Flexresp} +\label{resp section} + +Flexresp and flexresp2 are replaced with flexresp3. + +* Flexresp is deleted; these features are no longer avaliable: + +\begin{verbatim} + ./configure --enable-flexresp / -DENABLE_RESPOND -DENABLE_RESPONSE + config flexresp: attempts 1 +\end{verbatim} + +* Flexresp2 is deleted; these features are deprecated, non-functional, and will + be deleted in a future release: + +\begin{verbatim} + ./configure --enable-flexresp2 / -DENABLE_RESPOND -DENABLE_RESPONSE2 + + config flexresp2_interface: eth0 + config flexresp2_attempts: 4 + config flexresp2_memcap: 1000000 + config flexresp2_rows: 1000 +\end{verbatim} + +* Flexresp3 is new: the resp rule option keyword is used to configure active + responses for rules that fire. + +\begin{verbatim} + ./configure --enable-flexresp3 / -DENABLE_RESPOND -DENABLE_RESPONSE3 + + alert tcp any any -> any 80 (content:"a"; resp:; sid:1;) +\end{verbatim} + +* \texttt{resp\_t} includes all flexresp and flexresp2 options: + +\begin{verbatim} + ::= \ + rst_snd | rst_rcv | rst_all | \ + reset_source | reset_dest | reset_both | icmp_net | \ + icmp_host | icmp_port | icmp_all +\end{verbatim} + +\subsection{React} +\label{react section} + +react is a rule option keyword that enables sending an HTML page on a session +and then resetting it. 
This is built with: + +\begin{verbatim} + ./configure --enable-react / -DENABLE_REACT +\end{verbatim} + +The page to be sent can be read from a file: + +\begin{verbatim} + config react: +\end{verbatim} + +or else the default is used: + +\begin{verbatim} + ::= \ + "HTTP/1.1 403 Forbidden\r\n" + "Connection: close\r\n" + "Content-Type: text/html; charset=utf-8\r\n" + "\r\n" + "\r\n" \ + "\r\n" \ + "\r\n" \ + "\r\n" \ + "Access Denied\r\n" \ + "\r\n" \ + "\r\n" \ + "

Access Denied

\r\n" \ + "

%s

\r\n" \ + "\r\n" \ + "\r\n"; +\end{verbatim} + +Note that the file must contain the entire response, including any HTTP headers. +In fact, the response isn't strictly limited to HTTP. You could craft a binary +payload of arbitrary content. + +When the rule is configured, the page is loaded and the %s is replaced with the +selected message, which defaults to: + +\begin{verbatim} + ::= \ + "You are attempting to access a forbidden site.
" \ + "Consult your system administrator for details."; +\end{verbatim} + +This is an example rule: + +\begin{verbatim} + drop tcp any any -> any $HTTP_PORTS ( \ + content: "d"; msg:"Unauthorized Access Prohibited!"; \ + react: ; sid:4;) + + ::= [msg] [, ] +\end{verbatim} + +These options are deprecated: + +\begin{verbatim} + ::= [block|warn], [proxy ] +\end{verbatim} + +The original version sent the web page to one end of the session only if the +other end of the session was port 80 or the optional proxy port. The new +version always sends the page to the client. If no page should be sent, a resp +option can be used instead. The deprecated options are ignored. + +\subsection{Rule Actions} + +The block and sblock actions have been introduced as synonyms for drop and +sdrop to help avoid confusion between packets dropped due to load (eg lack of +available buffers for incoming packets) and packets blocked due to Snort's +analysis. + \chapter{Writing Snort Rules} \label{Writing Snort Rules} @@ -8643,13 +13365,13 @@ \item dynamic - remain idle until activated by an activate rule , then act as a log rule -\item drop - make iptables drop the packet and log the packet +\item drop - block and log the packet -\item reject - make iptables drop the packet, log it, and then send a TCP reset +\item reject - block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP. -\item sdrop - make iptables drop the packet but do not log it. +\item sdrop - block the packet but do not log it. \end{enumerate} 
@@ -8689,7 +13411,7 @@ The next portion of the rule header deals with the IP address and port information for a given rule. The keyword any may be used to define any address. Snort does not have a mechanism to provide host name lookup for the IP -address fields in the rules file. The addresses are formed by a straight +address fields in the config file. The addresses are formed by a straight numeric IP address and a CIDR\cite{cidrnotation} block. The CIDR block indicates the netmask that should be applied to the rule's address and any incoming packets that are tested against the rule. A CIDR block mask of /24 @@ -8716,7 +13438,7 @@ \begin{figure} \begin{verbatim} alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 \ - (content: "|00 01 86 a5|"; msg: "external mountd access";) + (content:"|00 01 86 a5|"; msg:"external mountd access";) \end{verbatim} \caption{\label{Example Negation} Example IP Address Negation Rule} @@ -8737,8 +13459,8 @@ \begin{figure} \begin{verbatim} alert tcp ![192.168.1.0/24,10.1.1.0/24] any -> \ - [192.168.1.0/24,10.1.1.0/24] 111 (content: "|00 01 86 a5|"; \ - msg: "external mountd access";) + [192.168.1.0/24,10.1.1.0/24] 111 (content:"|00 01 86 a5|"; \ + msg:"external mountd access";) \end{verbatim} \caption{\label{IP list usage}IP Address Lists} @@ -8758,10 +13480,10 @@ \begin{center} \begin{figure} \begin{verbatim} - log udp any any -> 192.168.1.0/24 1:1024 log udp + log udp any any -> 192.168.1.0/24 1:1024 \end{verbatim} -traffic coming from any port and destination ports ranging from 1 to 1024 +log udp traffic coming from any port and destination ports ranging from 1 to 1024 \begin{verbatim} log tcp any any -> 192.168.1.0/24 :6000 
@@ -8847,10 +13569,10 @@ \begin{figure} \begin{verbatim} - activate tcp !$HOME_NET any -> $HOME_NET 143 (flags: PA; \ - content: "|E8C0FFFFFF|/bin"; activates: 1; \ - msg: "IMAP buffer overflow!";) - dynamic tcp !$HOME_NET any -> $HOME_NET 143 (activated_by: 1; count: 50;) + activate tcp !$HOME_NET any -> $HOME_NET 143 (flags:PA; \ + content:"|E8C0FFFFFF|/bin"; activates:1; \ + msg:"IMAP buffer overflow!";) + dynamic tcp !$HOME_NET any -> $HOME_NET 143 (activated_by:1; count:50;) \end{verbatim} \caption{Activate/Dynamic Rule Example} @@ -8901,7 +13623,7 @@ \subsubsection{Format} \begin{verbatim} - msg: ""; + msg:""; \end{verbatim} \subsection{reference} @@ -8945,7 +13667,11 @@ \hline mcafee& -http://vil.nai.com/vil/dispVirus.asp?virus\_k=\\ +http://vil.nai.com/vil/content/v\_\\ + +\hline +osvdb& +http://osvdb.org/show/osvdb/\\ \hline url& @@ -8959,7 +13685,7 @@ \subsubsection{Format} \begin{verbatim} - reference: ,; [reference: ,;] + reference:, ; [reference:, ;] \end{verbatim} \subsubsection{Examples} @@ -8985,7 +13711,7 @@ optional and if it is not specified in a rule, it will default to 1 and the rule will be part of the general rule subsystem. To avoid potential conflict with gids defined in Snort (that for some reason aren't noted it -etc/generators), it is recommended that a value greater than 1,000,000 be used. +etc/generators), it is recommended that values starting at 1,000,000 be used. For general rule writing, it is not recommended that the \texttt{gid} keyword be used. This option should be used with the \texttt{sid} keyword. (See section \ref{keyword sid}) @@ -8996,7 +13722,7 @@ \subsubsection{Format} \begin{verbatim} - gid: ; + gid:; \end{verbatim} \subsubsection{Example} 
@@ -9016,8 +13742,8 @@ \begin{itemize} \item $<$100 Reserved for future use -\item 100-1,000,000 Rules included with the Snort distribution -\item $>$1,000,000 Used for local rules +\item 100-999,999 Rules included with the Snort distribution +\item $>=$1,000,000 Used for local rules \end{itemize} The file sid-msg.map contains a mapping of alert messages to Snort rule IDs. @@ -9027,7 +13753,7 @@ \subsubsection{Format} \begin{verbatim} - sid: ; + sid:; \end{verbatim} \subsubsection{Example} @@ -9049,7 +13775,7 @@ \subsubsection{Format} \begin{verbatim} - rev: ; + rev:; \end{verbatim} \subsubsection{Example} @@ -9071,7 +13797,7 @@ \subsubsection{Format} \begin{verbatim} - classtype: ; + classtype:; \end{verbatim} \subsubsection{Example} @@ -9089,8 +13815,8 @@ \end{verbatim} These attack classifications are listed in Table \ref{Snort Default -Classifications}. They are currently ordered with 3 default priorities. A -priority of 1 (high) is the most severe and 3 (low) is the least severe. +Classifications}. They are currently ordered with 4 default priorities. A +priority of 1 (high) is the most severe and 4 (very low) is the least severe. \begin{center} \begin{longtable}[h]{|p{2in}|p{2.5in}|c|} @@ -9106,8 +13832,8 @@ attempted-user& Attempted User Privilege Gain & high\\ \hline -kickass-porn& -SCORE! Get the lotion! & high\\ +inappropriate-content& +Inappropriate Content was Detected & high\\ \hline policy-violation& Potential Corporate Privacy Violation & high\\ 
@@ -9222,17 +13948,17 @@ \subsubsection{Format} \begin{verbatim} - priority: ; + priority:; \end{verbatim} \subsubsection{Examples} \begin{verbatim} - alert TCP any any -> any 80 (msg: "WEB-MISC phf attempt"; flags:A+; \ - content: "/cgi-bin/phf"; priority:10;) + alert tcp any any -> any 80 (msg:"WEB-MISC phf attempt"; flags:A+; \ + content:"/cgi-bin/phf"; priority:10;) alert tcp any any -> any 80 (msg:"EXPLOIT ntpdx overflow"; \ - dsize: >128; classtype:attempted-admin; priority:10 ); + dsize:>128; classtype:attempted-admin; priority:10 ); \end{verbatim} \subsection{metadata} @@ -9288,20 +14014,20 @@ keys separated by commas. \begin{verbatim} - metadata: key1 value1; - metadata: key1 value1, key2 value2; + metadata:key1 value1; + metadata:key1 value1, key2 value2; \end{verbatim} \subsubsection{Examples} \begin{verbatim} - alert tcp any any -> any 80 (msg: "Shared Library Rule Example"; \ + alert tcp any any -> any 80 (msg:"Shared Library Rule Example"; \ metadata:engine shared; metadata:soid 3|12345;) - alert tcp any any -> any 80 (msg: "Shared Library Rule Example"; \ + alert tcp any any -> any 80 (msg:"Shared Library Rule Example"; \ metadata:engine shared, soid 3|12345;) - alert tcp any any -> any 80 (msg: "HTTP Service Rule Example"; \ + alert tcp any any -> any 80 (msg:"HTTP Service Rule Example"; \ metadata:service http;) \end{verbatim} @@ -9396,14 +14122,14 @@ Also note that the following characters must be escaped inside a content rule: \begin{verbatim} - : ; \ " + ; \ " \end{verbatim} \end{note} \subsubsection{Format} \begin{verbatim} - content: [!] ""; + content:[!]""; \end{verbatim} \subsubsection{Examples} 
@@ -9466,15 +14192,30 @@ \hline http\_cookie & \ref{sub:HttpCookie} \\ +\hline +http\_raw\_cookie & \ref{sub:RawHttpCookie} \\ + \hline http\_header & \ref{sub:HttpHeader} \\ \hline +http\_raw\_header & \ref{sub:RawHttpHeader} \\ + +\hline http\_method & \ref{sub:HttpMethod} \\ \hline http\_uri & \ref{sub:HttpUri} \\ +\hline +http\_raw\_uri & \ref{sub:RawHttpUri} \\ + +\hline +http\_stat\_code & \ref{sub:HttpStatCode} \\ + +\hline +http\_stat\_msg & \ref{sub:HttpStatMsg} \\ + \hline fast\_pattern & \ref{sub:FastPattern} \\ @@ -9488,7 +14229,7 @@ The nocase keyword allows the rule writer to specify that the Snort should look for the specific pattern, ignoring case. nocase modifies the previous -'content' keyword in the rule. +\texttt{content} keyword in the rule. \subsubsection{Format} @@ -9509,6 +14250,13 @@ decoding that was done by preprocessors. This acts as a modifier to the previous content \ref{sub:content} option. +Several preprocessors, such as Telnet, RPC, and SMTP, use decoded/normalized data for +content match by default, if \texttt{rawbytes} is not specified explicitly. Therefore, +\texttt{rawbytes} should be specified in order to inspect raw data for those traffic. + +HTTP Inspect has a set of keywords to use raw data, such as +\texttt{http\_raw\_cookie}, \texttt{http\_raw\_header}, \texttt{http\_raw\_uri} etc. + \subsubsection{format} \begin{verbatim} @@ -9521,7 +14269,7 @@ instead of the decoded traffic provided by the Telnet decoder. \begin{verbatim} - alert tcp any any -> any 21 (msg: "Telnet NOP"; content: "|FF F1|"; rawbytes;) + alert tcp any any -> any 21 (msg:"Telnet NOP"; content:"|FF F1|"; rawbytes;) \end{verbatim} \subsection{depth} 
@@ -9534,13 +14282,20 @@ A depth of 5 would tell Snort to only look for the specified pattern within the first 5 bytes of the payload. -As the depth keyword is a modifier to the previous `content' keyword, there -must be a content in the rule before `depth' is specified. +As the depth keyword is a modifier to the previous \texttt{content} keyword, there +must be a content in the rule before \texttt{depth} is specified. + +This keyword allows values greater than or equal to the pattern length being +searched. The minimum allowed value is 1. The maximum allowed value for this +keyword is 65535. + +The value can also be set to a string value referencing a variable extracted by the +\texttt{byte\_extract} keyword in the same rule. \subsubsection{Format} \begin{verbatim} - depth: ; + depth:[|]; \end{verbatim} \subsection{offset} @@ -9553,13 +14308,18 @@ An offset of 5 would tell Snort to start looking for the specified pattern after the first 5 bytes of the payload. -As this keyword is a modifier to the previous 'content' keyword, there must be -a content in the rule before 'offset' is specified. +As this keyword is a modifier to the previous \texttt{content} keyword, there must be +a content in the rule before \texttt{offset} is specified. + +This keyword allows values from -65535 to 65535. + +The value can also be set to a string value referencing a variable extracted by the +\texttt{byte\_extract} keyword in the same rule. \subsubsection{Format} \begin{verbatim} - offset: ; + offset:[|]; \end{verbatim} \subsubsection{Example} @@ -9568,7 +14328,7 @@ rule. \begin{verbatim} - alert tcp any any -> any 80 (content: "cgi-bin/phf"; offset:4; depth:20;) + alert tcp any any -> any 80 (content:"cgi-bin/phf"; offset:4; depth:20;) \end{verbatim} \subsection{distance} 
@@ -9582,10 +14342,15 @@ \ref{sub:offset}), except it is relative to the end of the last pattern match instead of the beginning of the packet. +This keyword allows values from -65535 to 65535. + +The value can also be set to a string value referencing a variable extracted by the +\texttt{byte\_extract} keyword in the same rule. + \subsubsection{Format} \begin{verbatim} - distance: ; + distance:[|]; \end{verbatim} \subsubsection{Example} @@ -9593,7 +14358,7 @@ The rule below maps to a regular expression of /ABC.\{1\}DEF/. \begin{verbatim} - alert tcp any any -> any any (content:"ABC"; content: "DEF"; distance:1;) + alert tcp any any -> any any (content:"ABC"; content:"DEF"; distance:1;) \end{verbatim} \subsection{within} @@ -9604,10 +14369,16 @@ \ref{sub:content} ). It's designed to be used in conjunction with the distance (Section \ref{sub:Distance}) rule option. +This keyword allows values greater than or equal to pattern length being searched. +The maximum allowed value for this keyword is 65535. + +The value can also be set to a string value referencing a variable extracted by the +\texttt{byte\_extract} keyword in the same rule. + \subsubsection{Format} \begin{verbatim} - within: ; + within:[|]; \end{verbatim} \subsubsection{Examples} 
@@ -9615,17 +14386,21 @@ This rule constrains the search of EFG to not go past 10 bytes past the ABC match. \begin{verbatim} - alert tcp any any -> any any (content:"ABC"; content: "EFG"; within:10;) + alert tcp any any -> any any (content:"ABC"; content:"EFG"; within:10;) \end{verbatim} \subsection{http\_client\_body} \label{sub:HttpClientBody} The http\_client\_body keyword is a content modifier that restricts the search -to the NORMALIZED body of an HTTP client request. +to the body of an HTTP client request. -As this keyword is a modifier to the previous 'content' keyword, there must be -a content in the rule before 'http\_client\_body' is specified. +As this keyword is a modifier to the previous \texttt{content} keyword, there must be +a content in the rule before 'http\_client\_body' is specified. + +The amount of data that is inspected with this option depends on the \texttt{post\_depth} +config option of HttpInspect. Pattern matches with this keyword wont work when + \texttt{post\_depth} is set to -1. \subsubsection{Format} @@ -9635,11 +14410,11 @@ \subsubsection{Examples} -This rule constrains the search for the pattern "EFG" to the NORMALIZED body of +This rule constrains the search for the pattern "EFG" to the raw body of an HTTP client request. \begin{verbatim} - alert tcp any any -> any 80 (content:"ABC"; content: "EFG"; http_client_body;) + alert tcp any any -> any 80 (content:"ABC"; content:"EFG"; http_client_body;) \end{verbatim} \begin{note} 
@@ -9651,10 +14426,19 @@ \label{sub:HttpCookie} The http\_cookie keyword is a content modifier that restricts the search to the -extracted Cookie Header field of an HTTP client request. - -As this keyword is a modifier to the previous 'content' keyword, there must be -a content in the rule before 'http\_cookie' is specified. +extracted Cookie Header field (excluding the header name itself and the CRLF terminating +the header line) of a HTTP client request or a HTTP server response (per the configuration +of HttpInspect \ref{sub:http-inspect}). The Cookie buffer does not include the header +names (\texttt{Cookie:} for HTTP requests or \texttt{Set-Cookie:} for HTTP responses) +or leading spaces and the CRLF terminating the header line. These are included in the HTTP +header buffer. + +As this keyword is a modifier to the previous \texttt{content} keyword, there must be +a content in the rule before \texttt{http\_cookie} is specified. This keyword is dependent +on the \texttt{enable\_cookie} config option. The Cookie Header field will be extracted only +when this option is configured. If \texttt{enable\_cookie} is not specified, the cookie +still ends up in HTTP header. When \texttt{enable\_cookie} is not specified, using +\texttt{http\_cookie} is the same as using \texttt{http\_header}. The extracted Cookie Header field may be NORMALIZED, per the configuration of HttpInspect (see \ref{sub:http-inspect}). @@ -9668,10 +14452,10 @@ \subsubsection{Examples} This rule constrains the search for the pattern "EFG" to the extracted Cookie -Header field of an HTTP client request. +Header field of a HTTP client request. \begin{verbatim} - alert tcp any any -> any 80 (content:"ABC"; content: "EFG"; http_cookie;) + alert tcp any any -> any 80 (content:"ABC"; content:"EFG"; http_cookie;) \end{verbatim} \begin{note} 
@@ -9681,14 +14465,50 @@ \end{note} +\subsection{http\_raw\_cookie} +\label{sub:RawHttpCookie} + +The http\_raw\_cookie keyword is a content modifier that restricts the search to the +extracted UNNORMALIZED Cookie Header field of a HTTP client request or a HTTP server +response (per the configuration of HttpInspect \ref{sub:http-inspect}). + +As this keyword is a modifier to the previous \texttt{content} keyword, there must be +a content in the rule before \texttt{http\_raw\_cookie} is specified. This keyword is dependent +on the \texttt{enable\_cookie} config option. The Cookie Header field will be extracted only +when this option is configured. + +\subsubsection{Format} + +\begin{verbatim} + http_raw_cookie; +\end{verbatim} + +\subsubsection{Examples} + +This rule constrains the search for the pattern "EFG" to the extracted Unnormalized +Cookie Header field of a HTTP client request. + +\begin{verbatim} + alert tcp any any -> any 80 (content:"ABC"; content:"EFG"; http_raw_cookie;) +\end{verbatim} + +\begin{note} + +The \texttt{http\_raw\_cookie} modifier is not allowed to be used with the +\texttt{rawbytes}, \texttt{http\_cookie} or \texttt{fast\_pattern} modifiers for the same +content. + +\end{note} + \subsection{http\_header} \label{sub:HttpHeader} The http\_header keyword is a content modifier that restricts the search to the -extracted Header fields of an HTTP client request. +extracted Header fields of a HTTP client request or a HTTP server response (per the +configuration of HttpInspect \ref{sub:http-inspect}). -As this keyword is a modifier to the previous 'content' keyword, there must be -a content in the rule before 'http\_header' is specified. +As this keyword is a modifier to the previous \texttt{content} keyword, there must be +a content in the rule before \texttt{http\_header} is specified. The extracted Header fields may be NORMALIZED, per the configuration of HttpInspect (see \ref{sub:http-inspect}). 
@@ -9702,10 +14522,10 @@ \subsubsection{Examples} This rule constrains the search for the pattern "EFG" to the extracted Header -fields of an HTTP client request. +fields of a HTTP client request or a HTTP server response. \begin{verbatim} - alert tcp any any -> any 80 (content:"ABC"; content: "EFG"; http_header;) + alert tcp any any -> any 80 (content:"ABC"; content:"EFG"; http_header;) \end{verbatim} \begin{note} 
@@ -9715,14 +14535,47 @@ \end{note} +\subsection{http\_raw\_header} +\label{sub:RawHttpHeader} + +The http\_raw\_header keyword is a content modifier that restricts the search to the +extracted UNNORMALIZED Header fields of a HTTP client request or a HTTP server +response (per the configuration of HttpInspect \ref{sub:http-inspect}). + +As this keyword is a modifier to the previous \texttt{content} keyword, there must be +a content in the rule before \texttt{http\_raw\_header} is specified. + +\subsubsection{Format} + +\begin{verbatim} + http_raw_header; +\end{verbatim} + +\subsubsection{Examples} + +This rule constrains the search for the pattern "EFG" to the extracted Header fields +of a HTTP client request or a HTTP server response. + +\begin{verbatim} + alert tcp any any -> any 80 (content:"ABC"; content:"EFG"; http_raw_header;) +\end{verbatim} + +\begin{note} + +The \texttt{http\_raw\_header} modifier is not allowed to be used with the +\texttt{rawbytes}, \texttt{http\_header} or \texttt{fast\_pattern} modifiers for the same +content. + +\end{note} + \subsection{http\_method} \label{sub:HttpMethod} The http\_method keyword is a content modifier that restricts the search to the -extracted Method from an HTTP client request. +extracted Method from a HTTP client request. -As this keyword is a modifier to the previous 'content' keyword, there must be -a content in the rule before 'http\_method' is specified. +As this keyword is a modifier to the previous \texttt{content} keyword, there must be +a content in the rule before \texttt{http\_method} is specified. \subsubsection{Format} 
@@ -9733,95 +14586,322 @@ \subsubsection{Examples} This rule constrains the search for the pattern "GET" to the extracted Method -from an HTTP client request. +from a HTTP client request. \begin{verbatim} - alert tcp any any -> any 80 (content:"ABC"; content: "GET"; http_method;) + alert tcp any any -> any 80 (content:"ABC"; content:"GET"; http_method;) \end{verbatim} \begin{note} The \texttt{http\_method} modifier is not allowed to be used with the +\texttt{rawbytes} or \texttt{fast\_pattern} modifiers for the same content. + +\end{note} + +\subsection{http\_uri} +\label{sub:HttpUri} + +The http\_uri keyword is a content modifier that restricts the search to the +NORMALIZED request \textsc{URI} field . Using a content rule option followed +by a http\_uri modifier is the same as using a uricontent by itself (see: +\ref{sub:UriContent}). + +As this keyword is a modifier to the previous \texttt{content} keyword, there must be +a content in the rule before \texttt{http\_uri} is specified. + +\subsubsection{Format} + +\begin{verbatim} + http_uri; +\end{verbatim} + +\subsubsection{Examples} + +This rule constrains the search for the pattern "EFG" to the NORMALIZED URI. + +\begin{verbatim} + alert tcp any any -> any 80 (content:"ABC"; content:"EFG"; http_uri;) +\end{verbatim} + +\begin{note} + +The \texttt{http\_uri} modifier is not allowed to be used with the \texttt{rawbytes} modifier for the same content. \end{note} -\subsection{http\_uri} -\label{sub:HttpUri} +\subsection{http\_raw\_uri} +\label{sub:RawHttpUri} +The http\_raw\_uri keyword is a content modifier that restricts the search to the +UNNORMALIZED request \textsc{URI} field . + +As this keyword is a modifier to the previous \texttt{content} keyword, there must be +a content in the rule before \texttt{http\_raw\_uri} is specified. 
+ +\subsubsection{Format} + +\begin{verbatim} + http_raw_uri; +\end{verbatim} + +\subsubsection{Examples} + +This rule constrains the search for the pattern "EFG" to the UNNORMALIZED URI. + +\begin{verbatim} + alert tcp any any -> any 80 (content:"ABC"; content:"EFG"; http_raw_uri;) +\end{verbatim} +\begin{note} + +The \texttt{http\_raw\_uri} modifier is not allowed to be used with the +\texttt{rawbytes}, \texttt{http\_uri} or \texttt{fast\_pattern} modifiers for the same +content. + +\end{note} + +\subsection{http\_stat\_code} +\label{sub:HttpStatCode} + +The http\_stat\_code keyword is a content modifier that restricts the search to the +extracted Status code field from a HTTP server response. + +As this keyword is a modifier to the previous \texttt{content} keyword, there must be +a content in the rule before \texttt{http\_stat\_code} is specified. + +The Status Code field will be extracted only if the extended\_reponse\_inspection is +configured for the HttpInspect (see \ref{sub:http-inspect}). + +\subsubsection{Format} + +\begin{verbatim} + http_stat_code; +\end{verbatim} + +\subsubsection{Examples} + +This rule constrains the search for the pattern "200" to the extracted Status Code field +of a HTTP server response. + +\begin{verbatim} + alert tcp any any -> any 80 (content:"ABC"; content:"200"; http_stat_code;) +\end{verbatim} + +\begin{note} + +The \texttt{http\_stat\_code} modifier is not allowed to be used with the +\texttt{rawbytes} or \texttt{fast\_pattern} modifiers for the same content. + +\end{note} + +\subsection{http\_stat\_msg} +\label{sub:HttpStatMsg} + +The http\_stat\_msg keyword is a content modifier that restricts the search to the +extracted Status Message field from a HTTP server response. + +As this keyword is a modifier to the previous \texttt{content} keyword, there must be +a content in the rule before \texttt{http\_stat\_msg} is specified. 
+ +The Status Message field will be extracted only if the extended\_reponse\_inspection is +configured for the HttpInspect (see \ref{sub:http-inspect}). + +\subsubsection{Format} + +\begin{verbatim} + http_stat_msg; +\end{verbatim} + +\subsubsection{Examples} + +This rule constrains the search for the pattern "Not Found" to the extracted Status +Message field of a HTTP server response. + +\begin{verbatim} + alert tcp any any -> any 80 (content:"ABC"; content:"Not Found"; http_stat_msg;) +\end{verbatim} + +\begin{note} + +The \texttt{http\_stat\_msg} modifier is not allowed to be used with the +\texttt{rawbytes} or \texttt{fast\_pattern} modifiers for the same content. + +\end{note} + +\subsection{http\_encode} +\label{sub:HttpEncode} -The http\_uri keyword is a content modifier that restricts the search to the -NORMALIZED request \textsc{URI} field . Using a content rule option followed -by a http\_uri modifier is the same as using a uricontent by itself (see: -\ref{sub:UriContent}). +The \texttt{http\_encode} keyword will enable alerting based on encoding type present +in a HTTP client request or a HTTP server response (per the configuration of +HttpInspect \ref{sub:http-inspect}). + +There are several keywords associated with \texttt{http\_encode}. The keywords +'uri', 'header' and 'cookie' determine the HTTP fields used to search for a +particular encoding type. The keywords 'utf8', 'double\_encode', 'non\_ascii', +'uencode', 'iis\_encode', 'ascii' and 'bare\_byte' determine the encoding +type which would trigger the alert. These keywords can be combined using a OR operation. +Negation is allowed on these keywords. + +The config option 'normalize\_headers' needs to be turned on for rules to work +with the keyword 'header'. The keyword 'cookie' is dependent on config options +'enable\_cookie' and 'normalize\_cookies' (see \ref{sub:http-inspect}). This +rule option will not be able to detect encodings if the specified HTTP fields +are not NORMALIZED. 
-As this keyword is a modifier to the previous 'content' keyword, there must be -a content in the rule before 'http\_uri' is specified. +\begin{tabular}{| l | p{4.5in} |} +\hline +{\bf Option} & {\bf Description}\\ +\hline +\hline +\texttt{uri} & Check for the specified encoding type in HTTP client request URI field.\\ +\hline +\texttt{header} & Check for the specified encoding type in HTTP request or HTTP response header fields +(depending on the packet flow)\\ +\hline +\texttt{cookie} & Check for the specified encoding type in HTTP request or HTTP response cookie +header fields (depending on the packet flow)\\ +\hline +\texttt{utf8} & Check for utf8 encoding in the specified buffer\\ +\hline +\texttt{double\_encode} & Check for double encoding in the specified buffer\\ +\hline +\texttt{non\_ascii} & Check for non-ASCII encoding in the specified buffer\\ +\hline +\texttt{uencode} & Check for u-encoding in the specified buffer\\ +\hline +\texttt{bare\_byte} & Check for bare byte encoding in the specified buffer\\ +\hline +\texttt{ascii} & Check for ascii encoding in the specified buffer\\ +\hline +\texttt{iis\_encode} & Check for IIS Unicode encoding in the specified buffer\\ +\hline +\end{tabular} \subsubsection{Format} \begin{verbatim} - http_uri; + http_encode:, [!] + http_encode:[uri|header|cookie], [!][]; \end{verbatim} \subsubsection{Examples} - -This rule constrains the search for the pattern "EFG" to the NORMALIZED URI. - \begin{verbatim} - alert tcp any any -> any 80 (content:"ABC"; content: "EFG"; http_uri;) + alert tcp any any -> any any (msg:"UTF8/UEncode Encoding present"; http_encode:uri,utf8|uencode;) + alert tcp any any -> any any (msg:"No UTF8"; http_encode:uri,!utf8;) \end{verbatim} + \begin{note} -The \texttt{http\_uri} modifier is not allowed to be used with the -\texttt{rawbytes} modifier for the same content. +Negation(!) and OR({\tt |}) operations cannot be used in conjunction with each other for the +\texttt{http\_encode} keyword. 
The OR and negation operations work only on the encoding type +field and not on http buffer type field. \end{note} \subsection{fast\_pattern} \label{sub:FastPattern} -The fast\_pattern keyword is a content modifier that sets the content within a -rule to be used with the Fast Pattern Matcher. It overrides the default of -using the longest content within the rule. +The \texttt{fast\_pattern} keyword is a content modifier that sets the content +within a rule to be used with the fast pattern matcher. Since the default +behavior of fast pattern determination is to use the longest content in the +rule, it is useful if a shorter content is more "unique" than the longer content, +meaning the shorter content is less likely to be found in a packet than the +longer content. + +The fast pattern matcher is used to select only those rules that have a +chance of matching by using a content in the rule for selection and only +evaluating that rule if the content is found in the payload. Though this +may seem to be overhead, it can significantly reduce the number of rules +that need to be evaluated and thus increases performance. The better the +content used for the fast pattern matcher, the less likely the rule will +needlessly be evaluated. + +As this keyword is a modifier to the previous \texttt{content} keyword, there must be +a \texttt{content} rule option in the rule before \texttt{fast\_pattern} is specified. +The \texttt{fast\_pattern} option may be specified only once per rule. -fast\_pattern may be specified at most once for each of the buffer modifiers -(excluding the http\_cookie modifier). +\begin{note} +The \texttt{fast\_pattern} modifier cannot be used with the following http +content modifiers: \texttt{http\_cookie}, \texttt{http\_raw\_uri}, +\texttt{http\_raw\_header}, \texttt{http\_raw\_cookie}, \texttt{http\_method}, +\texttt{http\_stat\_code}, \texttt{http\_stat\_msg}. 
+\end{note} -As this keyword is a modifier to the previous 'content' keyword, there must be -a content in the rule before 'fast\_pattern' is specified. +\begin{note} +The \texttt{fast\_pattern} modifier can be used with negated contents only if +those contents are not modified with \texttt{offset}, \texttt{depth}, +\texttt{distance} or \texttt{within}. +\end{note} \subsubsection{Format} +The \texttt{fast\_pattern} option can be used alone or optionally take arguments. +When used alone, the meaning is simply to use the specified content as the +fast pattern content for the rule. \begin{verbatim} - fast_pattern; +fast_pattern; \end{verbatim} -\subsubsection{Examples} - -This rule causes the pattern "EFG" to be used with the Fast Pattern Matcher, -even though it is shorter than the earlier pattern "ABCD". +The optional argument \texttt{only} can be used to specify that the content +should only be used for the fast pattern matcher and should not be evaluated +as a rule option. This is useful, for example, if a known content must be +located in the payload independent of location in the payload, as it saves +the time necessary to evaluate the rule option. +Note that (1) the modified content must be case insensitive since +patterns are inserted into the pattern matcher in a case insensitive manner, +(2) negated contents cannot be used and (3) contents cannot have any positional +modifiers such as \texttt{offset}, \texttt{depth}, \texttt{distance} +or \texttt{within}. +\begin{verbatim} +fast_pattern:only; +\end{verbatim} +The optional argument \texttt{,} can be used to specify that +only a portion of the content should be used for the fast pattern matcher. +This is useful if the pattern is very long and only a portion of the pattern +is necessary to satisfy "uniqueness" thus reducing the memory required to +store the entire pattern in the fast pattern matcher. 
\begin{verbatim} - alert tcp any any -> any 80 (content:"ABCD"; content: "EFG"; fast_pattern;) +fast_pattern:,; \end{verbatim} \begin{note} +The optional arguments \texttt{only} and \texttt{,} are +mutually exclusive. +\end{note} -The \texttt{fast\_pattern} modifier is not allowed to be used with the -\texttt{http\_cookie} modifier for the same content, nor with a content that is -negated with a \texttt{!}. +\subsubsection{Examples} -\end{note} +This rule causes the pattern "IJKLMNO" to be used with the fast pattern matcher, +even though it is shorter than the earlier pattern "ABCDEFGH". + +\begin{verbatim} +alert tcp any any -> any 80 (content:"ABCDEFGH"; content:"IJKLMNO"; fast_pattern;) +\end{verbatim} + +This rule says to use the content "IJKLMNO" for the fast pattern matcher and that +the content should only be used for the fast pattern matcher and not evaluated +as a \texttt{content} rule option. +\begin{verbatim} +alert tcp any any -> any 80 (content:"ABCDEFGH"; content:"IJKLMNO"; nocase; fast_pattern:only;) +\end{verbatim} + +This rule says to use "JKLMN" as the fast pattern content, but still evaluate +the \texttt{content} rule option as "IJKLMNO". +\begin{verbatim} +alert tcp any any -> any 80 (content:"ABCDEFGH"; content:"IJKLMNO"; fast_pattern:1,5;) +\end{verbatim} \subsection{uricontent} \label{sub:UriContent} The \texttt{uricontent} keyword in the Snort rule language searches the -NORMALIZED request \textsc{URI} field. This means that if you are writing -rules that include things that are normalized, such as \%2f or directory -traversals, these rules will not alert. The reason is that the things you are -looking for are normalized out of the URI buffer. +NORMALIZED request \textsc{URI} field. This is equivalent to using the +\texttt{http\_uri} modifier to a \texttt{content} keyword. As such if you +are writing rules that include things that are normalized, such as \%2f or +directory traversals, these rules will not alert. 
The reason is that the +things you are looking for are normalized out of the URI buffer. For example, the URI: @@ -9854,8 +14934,42 @@ You can write rules that look for the non-normalized content by using the content option. (See Section \ref{sub:content}) -For a description of the parameters to this function, see the content rule -options in Section \ref{sub:content}. +\texttt{uricontent} can be used with several of the modifiers available to the +\texttt{content} keyword. These include: + +\begin{table}[h] +\begin{center} +\caption{Uricontent Modifiers} +\label{Uricontent Modifiers} +\begin{tabular}{|p{1in}|p{1in}|} + +\hline +Modifier & Section \\ +\hline + +\hline +nocase & \ref{sub:nocase} \\ + +\hline +depth & \ref{sub:depth} \\ + +\hline +offset & \ref{sub:offset} \\ + +\hline +distance & \ref{sub:Distance} \\ + +\hline +within & \ref{sub:Within} \\ + +\hline +fast\_pattern & \ref{sub:FastPattern} \\ + +\hline +\end{tabular} +\end{center} +\end{table} + This option works in conjunction with the HTTP Inspect preprocessor specified in Section \ref{sub:http-inspect}. @@ -9863,12 +14977,15 @@ \subsubsection{Format} \begin{verbatim} - uricontent:[!]; + uricontent:[!]""; \end{verbatim} \begin{note} -\texttt{uricontent} cannot be modified by a \texttt{rawbytes} modifier. +\texttt{uricontent} cannot be modified by a \texttt{rawbytes} modifier or any +of the other HTTP modifiers. If you wish to search the UNNORMALIZED +request \textsc{URI} field, use the \texttt{http\_raw\_uri} modifier with a +\texttt{content} option. \end{note} 
@@ -9876,32 +14993,50 @@ The \texttt{urilen} keyword in the Snort rule language specifies the exact length, the minimum length, the maximum length, or range of URI lengths to -match. +match. By default the raw uri buffer will be used. With the optional +\texttt{} argument, you can specify whether the raw or normalized +buffer are used. \subsubsection{Format} \begin{verbatim} - urilen: int<>int; - urilen: [<,>] ; + urilen:min<>max[,]; + urilen:[<|>][,]; + + : "norm" | "raw" \end{verbatim} The following example will match URIs that are 5 bytes long: \begin{verbatim} - urilen: 5 + urilen:5; \end{verbatim} The following example will match URIs that are shorter than 5 bytes: \begin{verbatim} - urilen: < 5 + urilen:<5; \end{verbatim} The following example will match URIs that are greater than 5 bytes and less than 10 bytes: \begin{verbatim} - urilen: 5<>10 + urilen:5<>10; +\end{verbatim} + +The following example will match URIs that are greater than 500 bytes using the +normalized URI buffer: + +\begin{verbatim} + urilen:>500,norm; +\end{verbatim} + +The following example will match URIs that are greater than 500 bytes explicitly +stating to use the raw URI buffer: + +\begin{verbatim} + urilen:>500,raw; \end{verbatim} This option works in conjunction with the HTTP Inspect preprocessor specified @@ -9915,7 +15050,7 @@ \subsubsection{Format} \begin{verbatim} - isdataat:[,relative]; + isdataat:[!][, relative|rawbytes]; \end{verbatim} \subsubsection{Example} 
@@ -9929,6 +15064,16 @@ is at least 50 bytes after the end of the string PASS, then verifies that there is not a newline character within 50 bytes of the end of the PASS string. +When the \texttt{rawbytes} modifier is specified with \texttt{isdataat}, it +looks at the raw packet data, ignoring any decoding that was done by the +preprocessors. This modifier will work with the \texttt{relative} modifier +as long as the previous content match was in the raw packet data. + +A \texttt{!} modifier negates the results of the isdataat test. It will alert +if a certain amount of data is not present within the payload. For example, +the rule with modifiers \texttt{content:"foo"; isdataat:!10,relative;} would +alert if there were not 10 bytes after "foo" before the payload ended. + \subsection{pcre} \label{pcre} @@ -9939,12 +15084,12 @@ \subsubsection{Format} \begin{verbatim} - pcre:[!]"(//|m)[ismxAEGRUBPHMCO]"; + pcre:[!]"(//|m)[ismxAEGRUBPHMCOIDKYS]"; \end{verbatim} -The post-re modifiers set compile time flags for the regular expression. See tables -\ref{pcre-mod_perl}, \ref{pcre-mod_pcre}, and \ref{pcre-mod_snort} for descriptions -of each modifier. +The post-re modifiers set compile time flags for the regular expression. See +tables \ref{pcre-mod_perl}, \ref{pcre-mod_pcre}, and \ref{pcre-mod_snort} for +descriptions of each modifier. \begin{table}[ht] \begin{center} 
@@ -10018,15 +15163,34 @@ \hline U & -Match the decoded URI buffers (Similar to \texttt{uricontent} and \texttt{http\_uri}) \\ +Match the decoded URI buffers (Similar to \texttt{uricontent} and \texttt{http\_uri}). +This modifier is not allowed with the unnormalized HTTP request uri buffer modifier(I) +for the same content. \\ + +\hline +I & +Match the unnormalized HTTP request uri buffer (Similar to \texttt{http\_raw\_uri}). +This modifier is not allowed with the HTTP request uri buffer modifier(U) for the +same content. \\ \hline P & -Match normalized HTTP request body (Similar to \texttt{http\_client\_body}) \\ +Match unnormalized HTTP request body (Similar to \texttt{http\_client\_body}).\\ + + & For SIP message, match SIP body for request or response (Similar to \texttt{sip\_body}). \\ \hline H & -Match normalized HTTP request header (Similar to \texttt{http\_header}) \\ +Match normalized HTTP request or HTTP response header (Similar to \texttt{http\_header}). +This modifier is not allowed with the unnormalized HTTP request or HTTP response header +modifier(D) for the same content. \\ + & For SIP message, match SIP header for request or response (Similar to \texttt{sip\_header}). \\ + +\hline +D & +Match unnormalized HTTP request or HTTP response header (Similar to \texttt{http\_raw\_header}). +This modifier is not allowed with the normalized HTTP request or HTTP response header +modifier(H) for the same content. \\ \hline M & 
@@ -10034,7 +15198,23 @@ \hline C & -Match normalized HTTP request cookie (Similar to \texttt{http\_cookie}) \\ +Match normalized HTTP request or HTTP response cookie (Similar to \texttt{http\_cookie}). +This modifier is not allowed with the unnormalized HTTP request or HTTP response cookie +modifier(K) for the same content. \\ + +\hline +K & +Match unnormalized HTTP request or HTTP response cookie (Similar to \texttt{http\_raw\_cookie}). +This modifier is not allowed with the normalized HTTP request or HTTP response cookie +modifier(C) for the same content. \\ + +\hline +S & +Match HTTP response status code (Similar to \texttt{http\_stat\_code}) \\ + +\hline +Y & +Match HTTP response status message (Similar to \texttt{http\_stat\_msg}) \\ \hline B & @@ -10042,7 +15222,9 @@ \hline O & -Override the configured pcre match limit for this expression (See section \ref{Config}) \\ +Override the configured pcre match limit and pcre match limit recursion for +this expression (See section \ref{Config}). It completely ignores the limits +while evaluating the pcre pattern specified. \\ \hline \end{tabular} @@ -10050,7 +15232,8 @@ \end{table} \begin{note} -The modifiers R and B should not be used together. +The modifiers R (relative) and B (rawbytes) are not allowed with any of the HTTP modifiers such as U, I, +P, H, D, M, C, K, S and Y. \end{note} \subsubsection{Example} 
@@ -10069,6 +15252,183 @@ \end{note} +\subsection{pkt\_data} +\label{sub:pkt_data} +This option sets the cursor used for detection to the raw transport payload. + +Any relative or absolute content matches (without HTTP modifiers or rawbytes) and other +payload detecting rule options that follow \texttt{pkt\_data} in a rule will apply to the +raw TCP/UDP payload or the normalized buffers (in case of telnet, smtp normalization) until +the cursor (used for detection) is set again. + +This rule option can be used several times in a rule. + +\subsubsection{Format} + +\begin{verbatim} + pkt_data; +\end{verbatim} + +\subsubsection{Example} + +\begin{verbatim} + + alert tcp any any -> any any(msg:"Absolute Match"; pkt_data; content:"BLAH"; offset:0; depth:10;) + alert tcp any any -> any any(msg:"PKT DATA"; pkt_data; content:"foo"; within:10;) + alert tcp any any -> any any(msg:"PKT DATA"; pkt_data; content:"foo";) + alert tcp any any -> any any(msg:"PKT DATA"; pkt_data; pcre:"/foo/i";) + +\end{verbatim} + +\subsection{file\_data} +\label{sub:file_data} +This option sets the cursor used for detection to one of the following buffers: +1. When the traffic being detected is HTTP it sets the buffer to, + a. HTTP response body (without chunking/compression/normalization) + b. HTTP de-chunked response body + c. HTTP decompressed response body (when \texttt{inspect\_gzip} is turned on) + d. HTTP normalized response body (when \texttt{normalized\_javascript} is turned on) + e. HTTP UTF normalized response body (when \texttt{normalize\_utf} is turned on) + f. All of the above +2. When the traffic being detected is SMTP/POP/IMAP it sets the buffer to, + a. SMTP/POP/IMAP data body (including Email headers and MIME when decoding + is turned off) + b. Base64 decoded MIME attachment (when \texttt{b64\_decode\_depth} is greater than -1) + c. 7bit/8bit/binary/text MIME attachment (when \texttt{bitenc\_decode\_depth} is greater than -1) + d. 
Quoted-Printable decoded MIME attachment (when \texttt{qp\_decode\_depth} is greater than -1) + e. Unix-to-Unix decoded attachment (when \texttt{uu\_decode\_depth} is greater than -1) + +Any relative or absolute content matches (without HTTP modifiers or rawbytes) and payload detecting +rule options that follow \texttt{file\_data} in a rule will apply to this buffer until explicitly reset +by other rule options. + +This rule option can be used several time in a rule. + +The argument \texttt{mime} to \texttt{file\_data} is deprecated. The rule options \texttt{file\_data} will +itself point to the decoded MIME attachment. + +\subsubsection{Format} + +\begin{verbatim} + file_data; +\end{verbatim} + +\subsubsection{Example} + +\begin{verbatim} + alert tcp any any -> any any(msg:"Absolute Match"; file_data; content:"BLAH"; offset:0; depth:10;) + alert tcp any any -> any any(msg:"FILE DATA"; file_data; content:"foo"; within:10;) + alert tcp any any -> any any(msg:"FILE DATA"; file_data; content:"foo";) + alert tcp any any -> any any(msg:"FILE DATA"; file_data; pcre:"/foo/i";) + + The following rule searches for content "foo" within the file_data buffer and content "bar" within the + entire packet payload. The rule option pkt_data will reset the cursor used for detection to the + TCP payload. + alert tcp any any -> any any(msg:"FILE DATA"; file_data; content:"foo"; pkt_data; content:"bar";) + +\end{verbatim} + + +\subsection{base64\_decode} +\label{sub:base64_decode} + +This option is used to decode the base64 encoded data. This option is particularly useful +in case of HTTP headers such as HTTP authorization headers. This option unfolds the data +before decoding it. + +\subsubsection{Format} + +\begin{verbatim} + base64_decode[:[bytes ][, ][offset [, relative]]]; +\end{verbatim} + +\begin{tabular}{| l | p{4.5in} |} +\hline +{\bf Option} & {\bf Description}\\ +\hline +\hline +\texttt{bytes} & + +Number of base64 encoded bytes to decode. 
This argument takes positive and +non-zero values only. When this option is not specified we look for base64 +encoded data till either the end of header line is reached or end of packet +payload is reached.\\ +\hline +\texttt{offset} & + +Determines the offset relative to the doe\_ptr when the option \texttt{relative} +is specified or relative to the start of the packet payload to begin inspection +of base64 encoded data. This argument takes positive and non-zero values only.\\ +\hline +\texttt{relative} & + +Specifies the inspection for base64 encoded data is relative to the doe\_ptr.\\ + +\hline +\end{tabular} + +The above arguments to \texttt{base64\_decode} are optional. + +\begin{note} + +This option can be extended to protocols with folding similar to HTTP. If folding is not +present the search for base64 encoded data will end when we see a carriage return or line feed +or both without a following space or tab. + +This option needs to be used in conjunction with \texttt{base64\_data} for any other +payload detecting rule options to work on base64 decoded buffer. +\end{note} + +\subsubsection{Examples} + +\begin{verbatim} + alert tcp $EXTERNAL_NET any -> $HOME_NET any \ + (msg:"Base64 Encoded Data"; base64_decode; base64_data; \ + content:"foo bar"; within:20;) + + alert tcp $EXTERNAL_NET any -> $HOME_NET any \ + (msg:"Authorization NTLM"; content:"Authorization: NTLM"; + base64_decode:relative; base64_data; content:"NTLMSSP"; ) + + alert tcp any any -> any any (msg:"Authorization NTLM"; \ + content:"Authorization:"; http_header; \ + base64_decode:bytes 12, offset 6, relative; base64_data; \ + content:"NTLMSSP"; within:8;) +\end{verbatim} + +\subsection{base64\_data} +\label{sub:base64_data} +This option is similar to the rule option \texttt{file\_data} and is used +to set the corsor used for detection to the beginning of the base64 decoded +buffer if present. + +This option does not take any arguments. 
The rule option \texttt{base64\_decode} +needs to be specified before the \texttt{base64\_data} option. + +\subsubsection{Format} + +\begin{verbatim} + base64_data; +\end{verbatim} + +This option matches if there is base64 decoded buffer. + +\begin{note} + +Fast pattern content matches are not allowed with this buffer. +\end{note} + + +\subsubsection{Example} + +\begin{verbatim} + alert tcp any any -> any any (msg:"Authorization NTLM"; \ + content:"Authorization:"; http_header; \ + base64_decode:bytes 12, offset 6, relative; base64_data; \ + content:"NTLMSSP"; within:8;) +\end{verbatim} + + \subsection{byte\_test} \label{sub:byte_test} @@ -10081,9 +15441,15 @@ \subsubsection{Format} +\footnotesize \begin{verbatim} - byte_test: , [!], , \ - [,relative] [,] [,, string]; + byte_test:, [!], , \ + [, relative][, ][, string, ][, dce]; + + bytes = 1 - 10 + operator = '<' | '=' | '>' | '&' | '^' + value = 0 - 4294967295 + offset = -65535 to 65535 \end{verbatim} \begin{tabular}{| l | p{4.5in} |} @@ -10091,14 +15457,17 @@ {\bf Option} & {\bf Description}\\ \hline \hline -\texttt{bytes\_to\_convert} & Number of bytes to pick up from the packet\\ +\texttt{bytes\_to\_convert} & + +Number of bytes to pick up from the packet. The allowed values are 1 to 10 when +used without \texttt{dce}. If used with \texttt{dce} allowed values are 1, 2 and 4.\\ + \hline \texttt{operator} & Operation to perform to test the value: \begin{itemize} \item \textless{} - less than \item \textgreater{} - greater than \item = - equal -\item ! - not \item \& - bitwise AND \item \textasciicircum{} - bitwise OR \end{itemize}\\ 
@@ -10150,36 +15519,36 @@ \begin{verbatim} alert udp $EXTERNAL_NET any -> $HOME_NET any \ - (msg:"AMD procedure 7 plog overflow "; \ - content: "|00 04 93 F3|"; \ - content: "|00 00 00 07|"; distance: 4; within: 4; \ - byte_test: 4,>, 1000, 20, relative;) + (msg:"AMD procedure 7 plog overflow"; \ + content:"|00 04 93 F3|"; \ + content:"|00 00 00 07|"; distance:4; within:4; \ + byte_test:4, >, 1000, 20, relative;) alert tcp $EXTERNAL_NET any -> $HOME_NET any \ - (msg:"AMD procedure 7 plog overflow "; \ - content: "|00 04 93 F3|"; \ - content: "|00 00 00 07|"; distance: 4; within: 4; \ - byte_test: 4, >,1000, 20, relative;) + (msg:"AMD procedure 7 plog overflow"; \ + content:"|00 04 93 F3|"; \ + content:"|00 00 00 07|"; distance:4; within:4; \ + byte_test:4, >, 1000, 20, relative;) alert udp any any -> any 1234 \ - (byte_test: 4, =, 1234, 0, string, dec; \ - msg: "got 1234!";) + (byte_test:4, =, 1234, 0, string, dec; \ + msg:"got 1234!";) alert udp any any -> any 1235 \ - (byte_test: 3, =, 123, 0, string, dec; \ - msg: "got 123!";) + (byte_test:3, =, 123, 0, string, dec; \ + msg:"got 123!";) alert udp any any -> any 1236 \ - (byte_test: 2, =, 12, 0, string, dec; \ - msg: "got 12!";) + (byte_test:2, =, 12, 0, string, dec; \ + msg:"got 12!";) alert udp any any -> any 1237 \ - (byte_test: 10, =, 1234567890, 0, string, dec; \ - msg: "got 1234567890!";) + (byte_test:10, =, 1234567890, 0, string, dec; \ + msg:"got 1234567890!";) alert udp any any -> any 1238 \ - (byte_test: 8, =, 0xdeadbeef, 0, string, hex; \ - msg: "got DEADBEEF!";) + (byte_test:8, =, 0xdeadbeef, 0, string, hex; \ + msg:"got DEADBEEF!";) \end{verbatim} \subsection{byte\_jump} 
@@ -10202,9 +15571,15 @@ \subsubsection{Format} \begin{verbatim} - byte_jump: , \ - [,relative] [,multiplier ] [,big] [,little][,string]\ - [,hex] [,dec] [,oct] [,align] [,from_beginning] [,post_offset ]; + byte_jump:, \ + [, relative][, multiplier ][, ][, string, ]\ + [, align][, from_beginning][, post_offset ][, dce]; + + bytes = 1 - 10 + offset = -65535 to 65535 + mult_value = 0 - 65535 + post_offset = -65535 to 65535 + \end{verbatim} \begin{tabular}{| l | p{4.5in} |} @@ -10212,7 +15587,11 @@ {\bf Option} & {\bf Description}\\ \hline \hline -\texttt{bytes\_to\_convert} & Number of bytes to pick up from the packet\\ +\texttt{bytes\_to\_convert} & + +Number of bytes to pick up from the packet. The allowed values are 1 to 10 when +used without \texttt{dce}. If used with \texttt{dce} allowed values are 1, 2 and 4.\\ + \hline \texttt{offset} & Number of bytes into the payload to start processing\\ \hline 
@@ -10233,28 +15612,127 @@ \hline \texttt{oct} & Converted string data is represented in octal\\ \hline -\texttt{align} & Round the number of converted bytes up to the next 32-bit boundary\\ +\texttt{align} & Round the number of converted bytes up to the next 32-bit boundary\\ +\hline +\texttt{from\_beginning} & Skip forward from the beginning of the packet +payload instead of from the current position in the packet.\\ +\hline +\texttt{post\_offset $<$value$>$} & Skip forward or backwards (positive of +negative value) \texttt{by $<$value$>$} number of bytes after the other jump +options have been applied.\\ +\hline +\texttt{dce} & Let the DCE/RPC 2 preprocessor determine the byte order of the +value to be converted. See section \ref{sub:dcerpc2} for a description and +examples (\ref{dcerpc2:byte_test_jump} for quick reference).\\ \hline +\end{tabular} + +\subsubsection{Example} + +\begin{verbatim} + alert udp any any -> any 32770:34000 (content:"|00 01 86 B8|"; \ + content:"|00 00 00 01|"; distance:4; within:4; \ + byte_jump:4, 12, relative, align; \ + byte_test:4, >, 900, 20, relative; \ + msg:"statd format string buffer overflow";) +\end{verbatim} + +\subsection{byte\_extract} +\label{byte_extract} + +The \texttt{byte\_extract} keyword is another useful option for writing rules +against length-encoded protocols. It reads in some number of bytes from the +packet payload and saves it to a variable. These variables can be referenced +later in the rule, instead of using hard-coded values. + +\begin{note} + +Only two \texttt{byte\_extract} variables may be created per rule. They can be +re-used in the same rule any number of times. 
+ +\end{note} + +\subsubsection{Format} + +\begin{verbatim} + byte_extract:, , \ + [, relative][, multiplier ][, ]\ + [, string][, hex][, dec][, oct][, align ][, dce] +\end{verbatim} + +\begin{tabular}{| l | p{4.5in} |} +\hline +{\bf Option} & {\bf Description}\\ +\hline +\hline +\texttt{bytes\_to\_convert} & Number of bytes to pick up from the packet\\ +\hline +\texttt{offset} & Number of bytes into the payload to start processing\\ +\hline +\texttt{name} & Name of the variable. This will be used to reference the +variable in other rule options.\\ +\hline +\texttt{relative} & Use an offset relative to last pattern match\\ +\hline +\texttt{multiplier $<$value$>$} & Multiply the bytes read from the packet by +\texttt{$<$value$>$} and save that number into the variable.\\ +\hline +\texttt{big} & Process data as big endian (default)\\ +\hline +\texttt{little} & Process data as little endian\\ +\hline +\texttt{dce} & Use the DCE/RPC 2 preprocessor to determine the byte-ordering. +The DCE/RPC 2 preprocessor must be enabled for this option to work.\\ +\hline +\texttt{string} & Data is stored in string format in packet\\ +\hline +\texttt{hex} & Converted string data is represented in hexadecimal\\ +\hline +\texttt{dec} & Converted string data is represented in decimal\\ +\hline +\texttt{oct} & Converted string data is represented in octal\\ +\hline +\texttt{align $<$value$>$} & Round the number of converted bytes up to the next +\texttt{$<$value$>$-byte} boundary. \texttt{$<$value$>$} may be \texttt{2} or +\texttt{4}.\\ \hline -\texttt{from\_beginning} & Skip forward from the beginning of the packet -payload instead of from the current position in the packet.\\ +\end{tabular} + +\subsubsection{Other options which use byte\_extract variables} + +A \texttt{byte\_extract} rule option detects nothing by itself. Its use is in +extracting packet data for use in other rule options. 
Here is a list of places +where \texttt{byte\_extract} variables can be used: + +\begin{tabular}{| l | p{4.5in} |} \hline -\texttt{post\_offset $<$value$>$} & Skip forward or backwards (positive of -negative value) \texttt{by $<$value$>$} number of bytes after the other jump -options have been applied.\\ +{\bf Rule Option} & {\bf Arguments that Take Variables}\\ +\hline +\hline +\texttt{content}/\texttt{uricontent} & \texttt{offset}, \texttt{depth}, +\texttt{distance}, \texttt{within}\\ +\hline +\texttt{byte\_test} & \texttt{offset}, \texttt{value}\\ +\hline +\texttt{byte\_jump} & \texttt{offset}\\ +\hline +\texttt{isdataat} & \texttt{offset}\\ \hline -\texttt{dce} & Let the DCE/RPC 2 preprocessor determine the byte order of the -value to be converted. See section \ref{sub:dcerpc2} for a description and -examples (\ref{dcerpc2:byte_test_jump} for quick reference).\\ \hline \end{tabular} -\subsubsection{Example} +\subsubsection{Examples} + +This example uses two variables to: +\begin{itemize} +\item Read the offset of a string from a byte at offset 0. +\item Read the depth of a string from a byte at offset 1. +\item Use these values to constrain a pattern match to a smaller area. +\end{itemize} \begin{verbatim} - alert udp any any -> any 32770:34000 (content: "|00 01 86 B8|"; \ - content: "|00 00 00 01|"; distance: 4; within: 4; \ - byte_jump: 4, 12, relative, align; \ - byte_test: 4, >, 900, 20, relative; \ - msg: "statd format string buffer overflow";) + alert tcp any any -> any any (byte_extract:1, 0, str_offset; \ + byte_extract:1, 1, str_depth; \ + content:"bad stuff"; offset:str_offset; depth:str_depth; \ + msg:"Bad Stuff detected within field";) \end{verbatim} \subsection{ftpbounce} @@ -10293,7 +15771,7 @@ \subsubsection{Format} \begin{verbatim} - asn1: option[ argument][, option[ argument]] . . . + asn1:[bitstring_overflow][, double_overflow][, oversize_length ][, absolute_offset |relative_offset ]; \end{verbatim} \begin{tabular}{| l | p{4.5in} |} 
@@ -10336,7 +15814,7 @@ This is the relative offset from the last content match or byte\_test/jump. \texttt{relative\_offset} has one argument, the offset number. So if you wanted to start decoding and ASN.1 sequence right after the content ``foo'', -you would specify \verb!'content:"foo"; asn1: bitstring_overflow, relative_offset 0'!. +you would specify \verb!'content:"foo"; asn1:bitstring_overflow, relative_offset 0'!. Offset values may be positive or negative. \\ \hline @@ -10346,10 +15824,10 @@ \begin{verbatim} alert udp any any -> any 161 (msg:"Oversize SNMP Length"; \ - asn1: oversize_length 10000, absolute_offset 0;) + asn1:oversize_length 10000, absolute_offset 0;) alert tcp any any -> any 80 (msg:"ASN1 Relative Foo"; content:"foo"; \ - asn1: bitstring_overflow, relative_offset 0;) + asn1:bitstring_overflow, relative_offset 0;) \end{verbatim} \subsection{cvs} 
@@ -10409,6 +15887,41 @@ See the DCE/RPC 2 Preprocessor section \ref{sub:dcerpc2} for a description and examples of using this rule option. +\subsection{sip\_method} + +See the SIP Preprocessor section \ref{sub:sip} for a description and +examples of using this rule option. + +\subsection{sip\_stat\_code} + +See the SIP Preprocessor section \ref{sub:sip} for a description and +examples of using this rule option. + +\subsection{sip\_header} + +See the SIP Preprocessor section \ref{sub:sip} for a description and +examples of using this rule option. + +\subsection{sip\_body} + +See the SIP Preprocessor section \ref{sub:sip} for a description and +examples of using this rule option. + +\subsection{gtp\_type} + +See the GTP Preprocessor section \ref{sub:gtp} for a description and +examples of using this rule option. + +\subsection{gtp\_info} + +See the GTP Preprocessor section \ref{sub:gtp} for a description and +examples of using this rule option. + +\subsection{gtp\_version} + +See the GTP Preprocessor section \ref{sub:gtp} for a description and +examples of using this rule option. + %\subsection{content-list} % %The content-list keyword is broken and should not be used. @@ -10424,11 +15937,6 @@ %\begin{figure} %\begin{verbatim} %# adult sites -%"porn" -%"porn" -%"adults" -%"hard core" -%"www.pornsite.com" %\end{verbatim} %\caption{\label{content-list example}Content-list adults %file example} @@ -10441,6 +15949,16 @@ %content-list: ; %\end{verbatim} +\subsection{ssl\_version} + +See the SSL/TLS Preprocessor section \ref{sub:SSL/TLS} for a description and examples of +using this rule option. + +\subsection{ssl\_state} + +See the SSL/TLS Preprocessor section \ref{sub:SSL/TLS} for a description and examples of +using this rule option. + \subsection{Payload Detection Quick Reference} \begin{center} \begin{longtable}[h]{| p{1in} | p{4.5in} |} 
@@ -10553,6 +16071,41 @@ See the DCE/RPC 2 Preprocessor section \ref{dcerpc2:dce_stub_data}. \\ \hline +\texttt{sip\_method} & + +See the SIP Preprocessor section \ref{sub:sip}. \\ + +\hline +\texttt{sip\_stat\_code} & + +See the SIP Preprocessor section \ref{sub:sip}.\\ + +\hline +\texttt{sip\_header} & + +See the SIP Preprocessor section \ref{sub:sip}.\\ + +\hline +\texttt{sip\_body} & + +See the SIP Preprocessor section \ref{sub:sip}.\\ + +\hline +\texttt{gtp\_type} & + +See the GTP Preprocessor section \ref{sub:gtp}.\\ + +\hline +\texttt{gtp\_info} & + +See the GTP Preprocessor section \ref{sub:gtp}.\\ + +\hline +\texttt{gtp\_version} & + +See the GTP Preprocessor section \ref{sub:gtp}.\\ + +\hline \end{longtable} \end{center} @@ -10568,25 +16121,27 @@ \subsubsection{Format} \begin{verbatim} - fragoffset:[<|>]; + fragoffset:[!|<|>]; \end{verbatim} \subsubsection{Example} \begin{verbatim} alert ip any any -> any any \ - (msg: "First Fragment"; fragbits: M; fragoffset: 0;) + (msg:"First Fragment"; fragbits:M; fragoffset:0;) \end{verbatim} \subsection{ttl} The ttl keyword is used to check the IP time-to-live value. This option -keyword was intended for use in the detection of traceroute attempts. +keyword was intended for use in the detection of traceroute attempts. This + keyword takes numbers from 0 to 255. \subsubsection{Format} \begin{verbatim} - ttl:[[-]><=]; + ttl:[<, >, =, <=, >=]; + ttl:[]-[]; \end{verbatim} \subsubsection{Example} 
@@ -10603,6 +16158,36 @@ ttl:3-5; \end{verbatim} +This example checks for a time-to-live value that between 0 and 5. + +\begin{verbatim} + ttl:-5; +\end{verbatim} + +This example checks for a time-to-live value that between 5 and 255. + +\begin{verbatim} + ttl:5-; +\end{verbatim} + +Few other examples are as follows: + +\begin{verbatim} + ttl:<=5; + ttl:>=5; + ttl:=5; +\end{verbatim} + +The following examples are NOT allowed by ttl keyword: + +\begin{verbatim} + ttl:=>5; + ttl:=<5; + ttl:5-3; +\end{verbatim} + + + \subsection{tos} The tos keyword is used to check the IP TOS field for a specific value. @@ -10655,7 +16240,8 @@ \item [ts] - Time Stamp \item [sec] - IP Security \item [esec] - IP Extended Security -\item [lsrr] - Loose Source Routing +\item [lsrr] - Loose Source Routing +\item [lsrre] - Loose Source Routing (For MS99-038 and CVE-1999-0909) \item [ssrr] - Strict Source Routing \item [satid] - Stream identifier \item [any] - any IP options are set @@ -10667,7 +16253,7 @@ \subsubsection{Format} \begin{verbatim} - ipopts:; + ipopts:; \end{verbatim} \subsubsection{Example} @@ -10721,13 +16307,13 @@ \subsection{dsize} The dsize keyword is used to test the packet payload size. This may be used to -check for abnormally sized packets. In many cases, it is useful for detecting -buffer overflows. +check for abnormally sized packets that might cause buffer overflows. \subsubsection{Format} \begin{verbatim} - dsize: [<>][<>]; + dsize:min<>max; + dsize:[<|>]; \end{verbatim} \subsubsection{Example} @@ -10740,8 +16326,10 @@ \subsubsection{Warning} -dsize will fail on stream rebuilt packets, regardless of the size of the -payload. +Note that segmentation makes dsize less reliable for TCP based protocols such +as HTTP. Furthermore, dsize will fail on stream rebuilt packets, regardless of +the size of the payload, unless protocol aware flushing (PAF) marks this packet +as the start of a message. \subsection{flags} 
@@ -10750,14 +16338,14 @@ The following bits may be checked: \begin{description} -\item [F] - FIN (LSB in TCP Flags byte) -\item [S] - SYN -\item [R] - RST -\item [P] - PSH -\item [A] - ACK -\item [U] - URG -\item [1] - Reserved bit 1 (MSB in TCP Flags byte) -\item [2] - Reserved bit 2 +\item [F] - FIN - Finish (LSB in TCP Flags byte) +\item [S] - SYN - Synchronize sequence numbers +\item [R] - RST - Reset +\item [P] - PSH - Push +\item [A] - ACK - Acknowledgment +\item [U] - URG - Urgent +\item [C] - CWR - Congestion Window Reduced (MSB in TCP Flags byte) +\item [E] - ECE - ECN-Echo (If SYN, then ECN capable. Else, CE flag in IP header is set) \item [0] - No TCP Flags Set \end{description} 
@@ -10770,26 +16358,34 @@ \end{description} To handle writing rules for session initiation packets such as ECN where a SYN -packet is sent with the previously reserved bits 1 and 2 set, an option mask -may be specified. A rule could check for a flags value of S,12 if one wishes to +packet is sent with CWR and ECE set, an option mask +may be specified. A rule could check for a flags value of S,CE if one wishes to find packets with just the syn bit, regardless of the values of the reserved bits. \subsubsection{Format} \begin{verbatim} - flags:[!|*|+][,]; + flags:[!|*|+][,]; \end{verbatim} \subsubsection{Example} -This example checks if just the SYN and the FIN bits are set, ignoring reserved -bit 1 and reserved bit 2. +This example checks if just the SYN and the FIN bits are set, ignoring CWR (reserved +bit 1) and ECN (reserved bit 2). \begin{verbatim} - alert tcp any any -> any any (flags:SF,12;) + alert tcp any any -> any any (flags:SF,CE;) \end{verbatim} + +\begin{note} +The reserved bits '1' and '2' have been replaced with 'C' and 'E', respectively, +to match RFC 3168, "The Addition of Explicit Congestion Notification (ECN) to IP". +The old values of '1' and '2' are still valid for the \texttt{flag} keyword, but +are now deprecated. + +\end{note} \subsection{flow} \label{flow section} @@ -10801,7 +16397,7 @@ related to \$HOME\_NET clients viewing web pages to be distinguished from servers running in the \$HOME\_NET. -The established keyword will replace the \texttt{flags: A+} used in many places +The established keyword will replace the \texttt{flags:+A} used in many places to show established TCP connections. \subsubsection*{Options} 
@@ -10821,6 +16417,8 @@ \hline \texttt{established} & Trigger only on established TCP connections\\ \hline +\texttt{not\_established} & Trigger only when no TCP connection is established\\ +\hline \texttt{stateless} & Trigger regardless of the state of the stream processor (useful for packets that are designed to cause machines to crash)\\ \hline @@ -10830,14 +16428,19 @@ \texttt{only\_stream} & Only trigger on rebuilt stream packets\\ \hline +\texttt{no\_frag} & Do not trigger on rebuilt frag packets\\ +\hline +\texttt{only\_frag} & Only trigger on rebuilt frag packets\\ +\hline \end{tabular} \subsubsection{Format} \begin{verbatim} - flow: [(established|stateless)] + flow:[(established|not_established|stateless)] [,(to_client|to_server|from_client|from_server)] - [,(no_stream|only_stream)]; + [,(no_stream|only_stream)] + [,(no_frag|only_frag)]; \end{verbatim} \subsubsection{Examples} @@ -10846,7 +16449,7 @@ alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"cd incoming detected"; \ flow:from_client; content:"CWD incoming"; nocase;) - alert tcp !$HOME_NET 0 -> $HOME_NET 0 (msg: "Port 0 TCP traffic"; \ + alert tcp !$HOME_NET 0 -> $HOME_NET 0 (msg:"Port 0 TCP traffic"; \ flow:stateless;) \end{verbatim} 
@@ -10855,26 +16458,32 @@ The \texttt{flowbits} keyword is used in conjunction with conversation tracking from the Stream preprocessor (see Section\ref{stream5 section}). It allows -rules to track states across transport protocol sessions. The flowbits option +rules to track states during a transport protocol session. The flowbits option is most useful for TCP sessions, as it allows rules to generically track the state of an application protocol. -There are seven keywords associated with flowbits. Most of the options need a +There are eight keywords associated with flowbits. Most of the options need a user-defined name for the specific state that is being checked. This string should be limited to any alphanumeric string including periods, dashes, and -underscores. +underscores. The keywords set and toggle take an optional argument which specifies +the group to which the keywords will belong. When no group name is specified the +flowbits will belong to a default group. All the flowbits in a particular group +(with an exception of default group) are mutually exclusive. A particular flow +cannot belong to more than one group. \begin{tabular}{| l | p{4.5in} |} \hline {\bf Option} & {\bf Description}\\ \hline \hline -\texttt{set} & Sets the specified state for the current flow.\\ +\texttt{set} & Sets the specified state for the current flow and unsets all the other +flowbits in a group when a GROUP\_NAME is specified.\\ \hline \texttt{unset} & Unsets the specified state for the current flow.\\ \hline -\texttt{toggle} & Sets the specified state if the state is unset, otherwise unsets the -state if the state is set.\\ +\texttt{toggle} & Sets the specified state if the state is unset and unsets all the +other flowbits in a group when a GROUP\_NAME is specified, otherwise unsets the state +if the state is set.\\ \hline \texttt{isset} & Checks if the specified state is set.\\ \hline 
@@ -10882,12 +16491,14 @@ \hline \texttt{noalert} & Cause the rule to not generate an alert, regardless of the rest of the detection options.\\ \hline +\texttt{reset} & Reset all states on a given flow.\\ +\hline \end{tabular} \subsubsection{Format} \begin{verbatim} - flowbits: [set|unset|toggle|isset|reset|noalert][,]; + flowbits:[set|unset|toggle|isset|isnotset|noalert|reset][, ][, ]; \end{verbatim} \subsubsection{Examples} @@ -10899,6 +16510,7 @@ alert tcp any any -> any 143 (msg:"IMAP LIST"; content:"LIST"; flowbits:isset,logged_in;) + \end{verbatim} \subsection{seq} @@ -10926,7 +16538,7 @@ \subsubsection{Format} \begin{verbatim} - ack: ; + ack:; \end{verbatim} \subsubsection{Example} @@ -10962,7 +16574,8 @@ \subsubsection{Format} \begin{verbatim} - itype:[<|>][<>]; + itype:min<>max; + itype:[<|>]; \end{verbatim} \subsubsection{Example} @@ -10980,7 +16593,8 @@ \subsubsection{Format} \begin{verbatim} - icode: [<|>][<>]; + icode:min<>max; + icode:[<|>]; \end{verbatim} \subsubsection{Example} @@ -10988,7 +16602,7 @@ This example looks for an ICMP code greater than 30. \begin{verbatim} - code:>30; + icode:>30; \end{verbatim} \subsection{icmp\_id} @@ -11045,7 +16659,7 @@ \subsubsection{Format} \begin{verbatim} - rpc: , [|*], [|*]>; + rpc:, [|*], [|*]>; \end{verbatim} \subsubsection{Example} @@ -11053,7 +16667,7 @@ The following example looks for an RPC portmap GETPORT request. \begin{verbatim} - alert tcp any any -> any 111 (rpc: 100000,*,3;); + alert tcp any any -> any 111 (rpc:100000, *, 3;); \end{verbatim} \subsubsection{Warning} 
@@ -11100,6 +16714,41 @@ alert ip any any -> any any (sameip;) \end{verbatim} +\subsection{stream\_reassemble} + +The stream\_reassemble keyword allows a rule to enable or disable TCP stream reassembly +on matching traffic. + +\begin{note} + +The stream\_reassemble option is only available when the Stream5 preprocessor is +enabled. + +\end{note} + +\subsubsection{Format} + +\begin{verbatim} + stream_reassemble:, [, noalert][, fastpath]; +\end{verbatim} + +\begin{itemize} +\item The optional \texttt{noalert} parameter causes the rule to not generate +an alert when it matches. +\item The optional \texttt{fastpath} parameter causes Snort to ignore the rest of the +connection. +\end{itemize} + +\subsubsection{Example} + +For example, to disable TCP reassembly for client traffic when we see a +HTTP 200 Ok Response message, use: + +\begin{verbatim} + alert tcp any 80 -> any any (flow:to_client, established; content:"200 OK"; + stream_reassemble:disable,client,noalert;) +\end{verbatim} + \subsection{stream\_size} The stream\_size keyword allows a rule to match traffic according to the number @@ -11115,7 +16764,7 @@ \subsubsection{Format} \begin{verbatim} - stream_size:,, + stream_size:, , ; \end{verbatim} Where the operator is one of the following: @@ -11124,7 +16773,7 @@ \item $<$ - less than \item $>$ - greater than \item = - equal -\item != - not +\item != - not equal \item $<$= - less than or equal \item $>$= - greater than or equal \end{itemize} @@ -11198,8 +16847,8 @@ \hline \texttt{flowbits} & -The flowbits keyword allows rules to track states across transport protocol -sessions. \\ +The flowbits keyword allows rules to track states during a transport protocol +session. \\ \hline \texttt{seq} & 
@@ -11277,17 +16926,18 @@ many cases where seeing what users are typing in telnet, rlogin, ftp, or even web sessions is very useful. -There are two available argument keywords for the session rule option, -printable or all. The printable keyword only prints out data that the user -would normally see or be able to type. +There are three available argument keywords for the session rule option: +\texttt{printable}, \texttt{binary}, or \texttt{all}. -The all keyword substitutes non-printable characters with their hexadecimal -equivalents. +The \texttt{printable} keyword only prints out data that the user +would normally see or be able to type. The \texttt{binary} keyword prints out data in a +binary format. The \texttt{all} keyword substitutes non-printable characters with +their hexadecimal equivalents. \subsubsection{Format} \begin{verbatim} - session: [printable|all]; + session:[printable|binary|all]; \end{verbatim} \subsubsection{Example} 
@@ -11298,117 +16948,34 @@ log tcp any any <> any 23 (session:printable;) \end{verbatim} -\subsubsection{Warnings} - -Using the session keyword can slow Snort down considerably, so it should not be -used in heavy load situations. The session keyword is best suited for -post-processing binary (pcap) log files. - -\subsection{resp} - -The resp keyword is used to attempt to close sessions when an alert is -triggered. In Snort, this is called flexible response. - -Flexible Response supports the following mechanisms for attempting to close -sessions: - -\begin{center} -\begin{tabular}{| l | l |} -\hline -{\bf Option} & {\bf Description}\\ -\hline -\hline -\texttt{rst\_snd} & Send TCP-RST packets to the sending socket\\ -\hline -\texttt{rst\_rcv} & Send TCP-RST packets to the receiving socket\\ -\hline -\texttt{rst\_all} & Send TCP\_RST packets in both directions\\ -\hline -\texttt{icmp\_net} & Send a ICMP\_NET\_UNREACH to the sender\\ -\hline -\texttt{icmp\_host} & Send a ICMP\_HOST\_UNREACH to the sender\\ -\hline -\texttt{icmp\_port} & Send a ICMP\_PORT\_UNREACH to the sender\\ -\hline -\texttt{icmp\_all} & Send all above ICMP packets to the sender\\ -\hline -\end{tabular} -\end{center} - -These options can be combined to send multiple responses to the target host. - -\subsubsection{Format} +Given an FTP data session on port 12345, this example logs the payload bytes +in binary form. \begin{verbatim} - resp: [,[,]]; + log tcp any any <> any 12345 (metadata:service ftp-data; session:binary;) \end{verbatim} \subsubsection{Warnings} -This functionality is not built in by default. Use the -- --enable-flexresp -flag to configure when building Snort to enable this functionality. - -Be very careful when using Flexible Response. 
It is quite easy to get Snort -into an infinite loop by defining a rule such as: - -\begin{verbatim} - alert tcp any any -> any any (resp:rst_all;) -\end{verbatim} +Using the session keyword can slow Snort down considerably, so it should not be +used in heavy load situations. The session keyword is best suited for +post-processing binary (pcap) log files. -It is easy to be fooled into interfering with normal network traffic as well. +The \texttt{binary} keyword does not log any protocol headers below the +application layer, and Stream reassembly will cause duplicate data when +the reassembled packets are logged. -\subsubsection{Example} +\subsection{resp} -The following example attempts to reset any TCP connection to port 1524. -\begin{verbatim} - alert tcp any any -> any 1524 (flags:S; resp:rst_all;) -\end{verbatim} +The resp keyword enables an active response that kills the offending session. +Resp can be used in both passive or inline modes. See \ref{resp section} for +details. \subsection{react} -This keyword implements an ability for users to react to traffic that matches a -Snort rule. The basic reaction is blocking interesting sites users want to -access: New York Times, slashdot, or something really important - napster and -porn sites. The React code allows Snort to actively close offending connections -and send a visible notice to the browser. The notice may include your own -comment. The following arguments (basic modifiers) are valid for this option: - -\begin{itemize} -\item block - close connection and send the visible notice -\end{itemize} - -The basic argument may be combined with the following arguments (additional -modifiers): - -\begin{itemize} -\item msg - include the msg option text into the blocking visible notice -\item proxy $<$port\_nr$>$ - use the proxy port to send the visible notice -\end{itemize} - -Multiple additional arguments are separated by a comma. The react keyword -should be placed as the last one in the option list. 
- -\subsubsection{Format} - -\begin{verbatim} - react: block[, ]; -\end{verbatim} - -\subsubsection{Example} - -\begin{verbatim} - alert tcp any any <> 192.168.1.0/24 80 (content: "bad.htm"; \ - msg: "Not for children!"; react: block, msg, proxy 8000;) -\end{verbatim} - -\subsubsection{Warnings} - -React functionality is not built in by default; you must configure with ---enable-react to build it. (Note that react may now be enabled independently -of flexresp and flexresp2.) - -Be very careful when using react. Causing a network traffic generation loop is -very easy to do with this functionality. +The react keyword enables an active response that includes sending a web page +or other content to the client and then closing the connection. React can be +used in both passive and inline modes. See \ref{react section} for details. \subsection{tag} \label{tag section} @@ -11425,7 +16992,7 @@ \subsubsection{Format} \begin{verbatim} - tag: , , , [direction]; + tag:, , [, direction]; \end{verbatim} \begin{description}{} 
@@ -11466,23 +17033,16 @@ packet that generated the initial event. \end{itemize} - \end{description} -Note, any packets that generate an alert will not be tagged. For example, it -may seem that the following rule will tag the first 600 seconds of any packet -involving 10.1.1.1. - -\begin{verbatim} - alert tcp any any <> 10.1.1.1 any (tag:host,600,seconds,src;) -\end{verbatim} - -However, since the rule will fire on every packet involving 10.1.1.1, no -packets will get tagged. The \emph{flowbits} option would be useful here. +Note that neither subsequent alerts nor event filters will prevent a tagged +packet from being logged. Subsequent tagged alerts will cause the limit to +reset. \begin{verbatim} - alert tcp any any <> 10.1.1.1 any (flowbits:isnotset,tagged; - flowbits:set,tagged; tag:host,600,seconds,src;) + alert tcp any any <> 10.1.1.1 any \ + (flowbits:isnotset,tagged; content:"foobar"; nocase; \ + flowbits:set,tagged; tag:host,600,seconds,src;) \end{verbatim} Also note that if you have a tag option in a rule that uses a metric other than @@ -11512,7 +17072,7 @@ (whichever comes first) of any telnet session. \begin{verbatim} - alert tcp any any -> any 23 (flags:s,12; tag:session,10,seconds;) + alert tcp any any -> any 23 (flags:S,CE; tag:session,10,seconds;) \end{verbatim} \subsection{activates} @@ -11524,7 +17084,7 @@ \subsubsection{Format} \begin{verbatim} - activates: 1; + activates:1; \end{verbatim} \subsection{activated\_by} @@ -11536,7 +17096,7 @@ \subsubsection{Format} \begin{verbatim} - activated_by: 1; + activated_by:1; \end{verbatim} \subsection{count} @@ -11549,7 +17109,7 @@ \subsubsection{Format} \begin{verbatim} - activated_by: 1; count: 50; + activated_by:1; count:50; \end{verbatim} \subsection{replace} 
@@ -11560,10 +17120,8 @@ the new string and the content it is to replace must have the same length. You can have multiple replacements within a rule, one per content. -See section \ref{Snort Inline} for more on operating in inline mode. - \begin{verbatim} - replace: ; + replace:""; \end{verbatim} \subsection{detection\_filter} @@ -11624,7 +17182,7 @@ msg:"SSH Brute Force Attempt"; flow:established,to_server; \ content:"SSH"; nocase; offset:0; depth:4; \ - detection_filter: track by_src, count 30, seconds 60; \ + detection_filter:track by_src, count 30, seconds 60; \ sid:1000001; rev:1;) \end{verbatim} @@ -11783,8 +17341,8 @@ alert tcp $external_net any -> $http_servers $http_ports \ (msg:"web-misc robots.txt access"; flow:to_server, established; \ uricontent:"/robots.txt"; nocase; reference:nessus,10302; \ - classtype:web-application-activity; threshold: type limit, track \ - by_src, count 1 , seconds 60 ; sid:1000852; rev:1;) + classtype:web-application-activity; threshold:type limit, track \ + by_src, count 1 , seconds 60; sid:1000852; rev:1;) \end{verbatim} This rule logs every 10th event on this SID during a 60 second interval. So if @@ -11795,7 +17353,7 @@ alert tcp $external_net any -> $http_servers $http_ports \ (msg:"web-misc robots.txt access"; flow:to_server, established; \ uricontent:"/robots.txt"; nocase; reference:nessus,10302; \ - classtype:web-application-activity; threshold: type threshold, \ + classtype:web-application-activity; threshold:type threshold, \ track by_dst, count 10 , seconds 60 ; sid:1000852; rev:1;) \end{verbatim} 
@@ -11806,8 +17364,8 @@ alert tcp $external_net any -> $http_servers $http_ports \ (msg:"web-misc robots.txt access"; flow:to_server, established; \ uricontent:"/robots.txt"; nocase; reference:nessus,10302; \ - classtype:web-application-activity; threshold: type both , track \ - by_dst, count 10 , seconds 60 ; sid:1000852; rev:1;) + classtype:web-application-activity; threshold:type both, track \ + by_dst, count 10, seconds 60; sid:1000852; rev:1;) \end{verbatim} \section{Writing Good Rules} 
@@ -11817,15 +17375,21 @@ \subsection{Content Matching} -The 2.0 detection engine changes the way Snort works slightly by having the -first phase be a setwise pattern match. The longer a content option is, the -more \emph{exact} the match. Rules without \emph{content} (or -\emph{uricontent}) slow the entire system down. - -While some detection options, such as \emph{pcre} and \emph{byte\_test}, -perform detection in the payload section of the packet, they do not use the -setwise pattern matching engine. If at all possible, try and have at least one -\emph{content} option if at all possible. +Snort groups rules by protocol (ip, tcp, udp, icmp), then by ports +(ip and icmp use slightly differnet logic), then by those with \texttt{content} +and those without. For rules with \texttt{content}, a multi-pattern matcher is +used to select rules that have a chance at matching based on a single content. +Selecting rules for evaluation via this "fast" pattern matcher was found to +increase performance, especially when applied to large rule groups like HTTP. +The longer and more unique a \texttt{content} is, the less likely that rule and +all of it's rule options will be evaluated unnecessarily - it's safe to say +there is generally more "good" traffic than "bad". Rules without +\texttt{content} are always evaluated (relative to the protocol and port group +in which they reside), potentially putting a drag on performance. +While some detection options, such as \texttt{pcre} and \texttt{byte\_test}, +perform detection in the payload section of the packet, they are not used by the +fast pattern matching engine. If at all possible, try and have at least one +\texttt{content} (or \texttt{uricontent}) rule option in your rule. \subsection{Catch the Vulnerability, Not the Exploit} 
@@ -11882,11 +17446,12 @@ \begin{itemize} \item The rule has a \emph{flow} option, verifying this is traffic going to the -server on an enstablished session. +server on an established session. \item The rule has a \emph{content} option, looking for \emph{root}, which is the longest, most unique string in the attack. This option is added to allow -Snort's setwise pattern match detection engine to give Snort a boost in speed. +the fast pattern matcher to select this rule for evaluation only if the +content \emph{root} is found in the payload. \item The rule has a \emph{pcre} option, looking for user, followed at least one space character (which includes tab), followed by root, ignoring case. @@ -11935,7 +17500,8 @@ found, then check the dsize again, repeating until 0x13 is not found in the payload again. -Reordering the rule options so that discrete checks (such as dsize) are moved to the begining of the rule speed up Snort. +Reordering the rule options so that discrete checks (such as dsize) are moved +to the beginning of the rule speed up Snort. The optimized rule snipping would be: \begin{verbatim} @@ -11946,7 +17512,7 @@ the first option checked and dsize is a discrete check without recursion. The following rule options are discrete and should generally be placed at the -begining of any rule: +beginning of any rule: \begin{itemize} \item \texttt{dsize} 
@@ -12156,31 +17722,6 @@ byte_test:4,>,200,36; \end{verbatim} -\chapter{Making Snort Faster} - -\section{MMAPed pcap} - -On Linux, a modified version of libpcap is available that implements a shared -memory ring buffer. Phil Woods (cpw@lanl.gov) is the current maintainer of the -libpcap implementation of the shared memory ring buffer. The shared memory -ring buffer libpcap can be downloaded from his website at -\url{http://public.lanl.gov/cpw/}. - -Instead of the normal mechanism of copying the packets from kernel memory into -userland memory, by using a shared memory ring buffer, libpcap is able to queue -packets into a shared buffer that Snort is able to read directly. This change -speeds up Snort by limiting the number of times the packet is copied before -Snort gets to perform its detection upon it. - -Once Snort linked against the shared memory libpcap, enabling the ring buffer -is done via setting the enviornment variable \emph{PCAP\_FRAMES}. -\emph{PCAP\_FRAMES} is the size of the ring buffer. According to Phil, the -maximum size is 32768, as this appears to be the maximum number of iovecs the -kernel can handle. By using \emph{PCAP\_FRAMES=max}, libpcap will -automatically use the most frames possible. On Ethernet, this ends up being -1530 bytes per frame, for a total of around 52 Mbytes of memory for the ring -buffer alone. - \chapter{Dynamic Modules}\label{Dynamic Modules} Preprocessors, detection capabilities, and rules can now be developed as @@ -12230,7 +17771,7 @@ \subsection{DynamicPreprocessorData} The {\em DynamicPreprocessorData} structure defines the interface the -preprocessor uses to interact with snort itself. This inclues functions to +preprocessor uses to interact with snort itself. This includes functions to register the preprocessor's configuration parsing, restart, exit, and processing functions. It includes function to log messages, errors, fatal errors, and debugging info. It also includes information for setting alerts, 
@@ -12620,7 +18161,7 @@ \item {OptionType: Protocol Header \& Structure: {\em HdrOptCheck}} The {\em HdrOptCheck} structure defines an option to check a protocol header -for a specific value. It incldues the header field, the operation (<,>,=,etc), +for a specific value. It includes the header field, the operation (<,>,=,etc), a value, a mask to ignore that part of the header field, and flags. \begin{verbatim} 
@@ -12768,20 +18309,45 @@ \subsection{Preprocessors} -Each dynamic preprocessor library must define the following functions. These -are defined in the file \texttt{sf\_dynamic\_preproc\_lib.c}. The metadata and -setup function for the preprocessor should be defined -\texttt{sf\_preproc\_info.h}. +Each dynamic preprocessor must define the following items. These must be defined +in the global scope of a source file (e.g. spp\_example.c). \begin{itemize} -\item {\em int LibVersion(DynamicPluginMeta *)} +\item {\em const int MAJOR\_VERSION} -This function returns the metadata for the shared library. +This specifies the major version of the preprocessor. -\item {\em int InitializePreprocessor(DynamicPreprocessorData *)} +\item {\em const int MINOR\_VERSION} -This function initializes the data structure for use by the preprocessor into a -library global variable, \texttt{\_dpd} and invokes the setup function. +This specifies the minor version of the preprocessor. + +\item {\em const int BUILD\_VERSION} + +This specifies the build version of the preprocessor. + +\item {\em const char *PREPROC\_NAME} + +This specifies the display name of the preprocessor. + +\item {\em void DYNAMIC\_PREPROC\_SETUP(void)} + +This function is called to register the preprocessor to be called with packets data. + +\end{itemize} + +The preprocessor must be built with the same macros defined as the Snort binary and +linked with the dynamic preprocessor library that was created during the Snort build. +A package configuration file is exported as part of the Snort build and can be accessed +using the following commands with PKG\_CONFIG\_PATH=$<$snort build prefix/lib/pkgconfig$>$: + +\begin{itemize} +\item {\em pkg-config --cflags snort\_preproc} + +Returns the macros and include path needed to compile the dynamic preprocessor. + +\item {\em pkg-config --libs snort\_preproc} + +Returns the library and library path needed to link the dynamic preprocessor. \end{itemize} 
@@ -12843,7 +18409,7 @@ This function extracts the bytes from a given packet, as specified by ByteExtract and delimited by cursor. Value extracted is stored in ByteExtract -memoryLocation paraneter. +memoryLocation parameter. \item {\em int processFlowbits(void *p, FlowBitsInfo *flowbits)} @@ -12969,34 +18535,29 @@ \subsection{Preprocessor Example} The following is an example of a simple preprocessor. This preprocessor always -alerts on a Packet if the TCP port matches the one configured. +alerts on a packet if the TCP port matches the one configured. -This assumes the the files {\em sf\_dynamic\_preproc\_lib.c} and {\em -sf\_dynamic\_preproc\_lib.h} are used. +The following code is defined in {\em spp\_example.c} and is compiled +together with {\em libsf\_dynamic\_preproc.a}, using pkg-config, into +lib\_sfdynamic\_preprocessor\_example.so. -This is the metadata for this preprocessor, defined in {\em -sf\_preproc\_info.h}. +Define the required meta data variables. \begin{verbatim} -#define MAJOR_VERSION 1 -#define MINOR_VERSION 0 -#define BUILD_VERSION 0 -#define PREPROC_NAME "SF_Dynamic_Example_Preprocessor" +#define GENERATOR_EXAMPLE 256 +extern DynamicPreprocessorData _dpd; -#define DYNAMIC_PREPROC_SETUP ExampleSetup -extern void ExampleSetup(); -\end{verbatim} +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 0; +const int BUILD_VERSION = 0; +const char *PREPROC_NAME = "SF_Dynamic_Example_Preprocessor"; -The remainder of the code is defined in {\em spp\_example.c} and is compiled -together with {\em sf\_dynamic\_preproc\_lib.c} into -lib\_sfdynamic\_preprocessor\_example.so. +#define ExampleSetup DYNAMIC_PREPROC_SETUP +\end{verbatim} Define the Setup function to register the initialization function. \begin{verbatim} -#define GENERATOR_EXAMPLE 256 -extern DynamicPreprocessorData _dpd; - void ExampleInit(unsigned char *); void ExampleProcess(void *, void *); 
@@ -13204,7 +18765,7 @@ }; \end{verbatim} -The rule itself, with the protocl header, meta data (sid, classification, +The rule itself, with the protocol header, meta data (sid, classification, message, etc). \begin{verbatim} @@ -13266,7 +18827,7 @@ If you are going to be helping out with Snort development, please use the \textsc{head} branch of cvs. We've had problems in the past of people submitting patches only to the stable branch (since they are likely writing -this stuff for their own IDS purposes). Bugfixes are what goes into +this stuff for their own IDS purposes). Bug fixes are what goes into \textsc{stable}. Features go into \textsc{head}. \section{Submitting Patches} @@ -13287,7 +18848,7 @@ preprocessor checks to see if this packet is something it should look at. Packets are then sent through the detection engine. The detection engine checks -each packet against the various options listed in the Snort rules files. Each +each packet against the various options listed in the Snort config files. Each of the keyword options is a plugin. This allows this to be easily extensible. \subsection{Preprocessors} 
@@ -13324,56 +18885,106 @@ \\ \textbf{Lead Snort Developers} & Steve Sturges\\ -& Todd Wease\\ +& Bhagyashree Bantwal\\ +& Hui Cao\\ & Russ Combs\\ & Ryan Jordan\\ -& Dilbagh Chahal\\ -& Bhagyashree Bantwal\\ +& Todd Wease\\ \\ -\textbf{Snort Rules Maintainer} -& Brian Caswell\\ +\textbf{Snort QA Team} +& Matt Donnan\\ +& Andrew Blunck\\ +& Victor Roemer\\ +& Scott Czajkowski\\ \\ \textbf{Snort Rules Team} +& Matt Watchinski\\ +& Nathan Benson\\ +& Christoph Cordes\\ +& Joel Esler\\ +& William Freeman\\ +& Ethan Gulla\\ +& Luca Gibelli\\ & Nigel Houghton\\ +& Richard Johnson\\ +& Tom Judge\\ +& Alex Kambis\\ & Alex Kirk\\ -& Matt Watchinski\\ +& Tomasz Kojm\\ +& Chris Marshall\\ +& Christopher McBee\\ +& Kevin Miklavcic\\ +& Patrick Mullen\\ +& Matt Olney\\ +& Ryan Pentney\\ +& David Shyu\\ +& Edvin Torok\\ +& Andy Walker\\ +& Alberto Wu\\ +& Alain Zidouemba\\ \\ \textbf{Win32 Maintainer} & Snort Team\\ \\ -\textbf{RPM Maintainers} -& JP Vossen\\ -& Daniel Wittenberg\\ +\textbf{Snort Product Manager} +& Steve Kane\\ \\ -\textbf{Inline Developers} -& Victor Julien\\ -& Rob McMillen\\ -& William Metcalf\\ +\textbf{Snort Community Manager} +& Joel Esler\\ \\ +\textbf{Snort Web Team} +& Aaron Norling\\ +& Sarah Zelechoski\\ +\\ +\end{tabular} + +\begin{tabular}{p{3in} p{3in}} \textbf{Major Contributors} & Erek Adams\\ +& Michael Altizer\\ & Andrew Baker\\ & Scott Campbell\\ +& Brian Caswell\\ +& Dilbagh Chahal\\ +& JJ Cummings\\ & Roman D.\\ & Michael Davis\\ +& Ron Dempster\\ & Chris Green\\ +& Lurene Grenier\\ +& Mike Guiterman\\ & Jed Haile\\ +& Justin Heath\\ +& Patrick Harper\\ & Jeremy Hewlett\\ +& Victor Julien\\ & Glenn Mansfield Keeni\\ & Adam Keeton\\ +& Keith Konecnik\\ +& Veronica Kovah\\ & Chad Kreimendahl\\ & Kevin Liu\\ +& Rob McMillen\\ +& William Metcalf\\ & Andrew Mullican\\ & Jeff Nathan\\ & Marc Norton\\ & Judy Novak\\ & Andreas Ostling\\ & Chris Reid\\ +& Marcos Rodriguez\\ & Daniel Roelker\\ & Dragos Ruiu\\ +& Chris Sherwin\\ +& Matt Smith\\ +& 
Jennifer Steffens\\
+& JP Vossen\\
+& Leon Ward\\
+& Daniel Wittenberg\\
+& Phil Wood\\
 & Fyodor Yarochkin\\
-& Phil Wood
 \end{tabular}
+
 \appendix
 \begin{thebibliography}{99}
diff -Nru snort-2.8.5.2/doc/TODO snort-2.9.2/doc/TODO
--- snort-2.8.5.2/doc/TODO 2003-10-20 15:03:03.000000000 +0000
+++ snort-2.9.2/doc/TODO 2009-12-22 02:56:51.000000000 +0000
@@ -1,5 +1,4 @@
 $Id$
-- update obfuscation code
 - update the todo list
diff -Nru snort-2.8.5.2/etc/classification.config snort-2.9.2/etc/classification.config
--- snort-2.8.5.2/etc/classification.config 2003-10-20 15:03:03.000000000 +0000
+++ snort-2.9.2/etc/classification.config 2011-06-08 00:33:04.000000000 +0000
@@ -61,6 +61,10 @@
 config classification: misc-activity,Misc activity,3
 config classification: misc-attack,Misc Attack,2
 config classification: icmp-event,Generic ICMP event,3
-config classification: kickass-porn,SCORE! Get the lotion!,1
+config classification: inappropriate-content,Inappropriate Content was Detected,1
 config classification: policy-violation,Potential Corporate Privacy Violation,1
 config classification: default-login-attempt,Attempt to login by a default username and password,2
+config classification: sdf,Senstive Data,2
+config classification: file-format,Known malicious file or file based exploit,1
+config classification: malware-cnc,Known malware command and control traffic,1
+config classification: client-side-exploit,Known client side exploit attempt,1
diff -Nru snort-2.8.5.2/etc/community-sid-msg.map snort-2.9.2/etc/community-sid-msg.map
--- snort-2.8.5.2/etc/community-sid-msg.map 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/etc/community-sid-msg.map 1970-01-01 00:00:00.000000000 +0000
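Review bot: The description on the added line `+config classification: sdf,Senstive Data,2` is misspelled; it should read `config classification: sdf,Sensitive Data,2`, since this string is what Snort prints as the `[Classification: ...]` text of every event carrying that classtype and what downstream tooling keys on. The same hunk replaces `kickass-porn` with `inappropriate-content`, so any local or third-party rule that still says `classtype:kickass-porn` will presumably no longer resolve after the upgrade; a one-line comment above the replacement noting the rename would spare operators a puzzling parse failure at startup.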
@@ -1,837 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# This file is licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# Id SID -> MSG map
-
-100000100 || COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Flowbit || cve,2004-0629 || bugtraq,10947
-100000101 || COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Exploit || cve,2004-0629 || bugtraq,10947
-100000102 || COMMUNITY GAME Halocon Denial of Service Empty UDP Packet || bugtraq,12281
-100000103 || COMMUNITY GAME Breed Game Server Denial of Service Empty UDP Packet || bugtraq,12262
-100000104 || COMMUNITY GAME Amp II 3D Game Server Denial of Service Empty UDP Packet || bugtraq,12192
-100000105 || COMMUNITY INAPPROPRIATE lolita sex
-100000106 || COMMUNITY SQL-INJECTION Microsoft BizTalk Server 2002 rawdocdata.asp || bugtraq,7470 || cve,2003-0118 || url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx
-100000107 || COMMUNITY SQL-INJECTION Microsoft BizTalk Server 2002 RawCustomSearchField.asp || bugtraq,7470 || cve,2003-0118 || url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx
-100000108 || COMMUNITY SQL-INJECTION OpenBB board.php || bugtraq,7404
-100000109 || COMMUNITY SQL-INJECTION OpenBB member.php || bugtraq,7404
-100000110 || COMMUNITY VIRUS Dabber PORT overflow attempt port 5554 || MCAFEE,125300
-100000111 || COMMUNITY VIRUS Dabber PORT overflow attempt port 1023 || MCAFEE,125300
-100000112 || COMMUNITY WEB-CGI Readfile.tcl Access || bugtraq,7426
-100000113 || COMMUNITY WEB-CGI HappyMall Command Execution member_html.cgi || bugtraq,7530 || cve,2003-0243
-100000114 || COMMUNITY WEB-CGI HappyMall Command Execution normal_html.cgi || bugtraq,7530 || cve,2003-0243
-100000115 || COMMUNITY WEB-CGI PHP-Nuke Web_Links Path Disclosure Null CID || bugtraq,7589
-100000116 || COMMUNITY WEB-CGI PHP-Nuke Web_Links Path Disclosure Non-Numeric CID || bugtraq,7589
-100000117 || COMMUNITY WEB-CGI 
VBulliten Remote Command Execution Attempt || bugtraq,12542
-100000118 || COMMUNITY WEB-CLIENT Internet Explorer URLMON.DLL Content-Type Overflow Attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx
-100000119 || COMMUNITY WEB-CLIENT Internet Explorer URLMON.DLL Content-Encoding Overflow Attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx
-100000121 || COMMUNITY WEB-MISC Test Script Access
-100000122 || COMMUNITY WEB-MISC mod_jrun overflow attempt || bugtraq,11245 || cve,2004-0646
-100000123 || COMMUNITY INAPPROPRIATE preteen sex
-100000124 || COMMUNITY INAPPROPRIATE girls gone wild
-100000125 || COMMUNITY MISC Sentinel License Manager overflow attempt || cve,CAN-2005-0353 || bugtraq,12742
-100000126 || COMMUNITY MISC GoodTech Telnet Server Buffer Overflow Attempt || cve,2005-0768 || url,unsecure.altervista.org/security/goodtechtelnet.htm
-100000127 || COMMUNITY WEB-CGI Stadtaus.com PHP Form Mail Remote Script Include Attack formmail.inc.php || bugtraq,12735
-100000128 || COMMUNITY WEB-CGI Stadtaus.com PHP Form Mail Remote Script Include Attack download_center_lite.inc.php || bugtraq,12735
-100000129 || COMMUNITY WEB-MISC Cisco IOS HTTP Router Management Service Infinite Loop DoS || bugtraq,10014 || url,www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml
-100000130 || COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS || bugtraq,12778
-100000131 || COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS - Floppy Access || bugtraq,12778
-100000132 || COMMUNITY WEB-MISC Proxy Server Access
-100000133 || COMMUNITY WEB-DoS Xeneo Server Question Mark GET Request || bugtraq,7398 || url,www.northernsolutions.com/support/index.php?view=support&cmd=releasenotes&productid=1
-100000134 || COMMUNITY DOS Tcpdump rsvp attack || cve,2005-1280 || cve,2005-1281 || bugtraq,13391
-100000135 || COMMUNITY IMAP GNU Mailutils request tag format string vulnerability 
|| cve,CAN-2005-1523 || bugtraq,13764
-100000136 || COMMUNITY IMAP GNU imapd search format string attempt || url,www.osvdb.org/displayvuln.php?osvdb_id=19306 || cve,2005-2878
-100000137 || COMMUNITY MISC BAD-SSL tcp detect
-100000138 || COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt localhost || cve,2005-2678
-100000139 || COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt loopback IP || cve,2005-2678
-100000140 || COMMUNITY WEB-MISC MaxDB Web Tool Remote Stack Overflow || cve,2005-0684 || url,www.idefense.com/application/poi/display?id=234&type=vulnerabilities
-100000141 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jsp directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252
-100000142 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jpg directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252
-100000143 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .gif directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252
-100000144 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .wav directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252
-100000145 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .css directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252
-100000146 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .htm directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252
-100000148 || COMMUNITY WEB-MISC Barracuda img.pl attempt || bugtraq,14712 || bugtraq,14710 || cve,2005-2848
-100000149 || COMMUNITY WEB-MISC Jboss % attempt || bugtraq,13985 || cve,2005-2006 || url,www.osvdb.org/displayvuln.php?osvdb_id=17403
-100000150 || COMMUNITY WEB-MISC HTTP Transfer-Content Request Smuggling attempt || bugtraq,13873 || bugtraq,14106 || cve,2005-2088 || cve,2005-2089 || cve,2005-2090 || cve,2005-2091 || cve,2005-2092 || cve,2005-2093 || cve,2005-2094 || url,www.osvdb.org/displayvuln.php?osvdb_id=17738 || nessus,18337
-100000151 || COMMUNITY WEB-PHP piranha default passwd attempt 
|| bugtraq,1148 || cve,2000-0248 || nessus,10381
-100000152 || COMMUNITY IMAP MDaemon authentication protocol decode
-100000153 || COMMUNITY IMAP MDaemon authentication multiple packet overflow attempt || bugtraq,14317
-100000154 || COMMUNITY IMAP MDaemon authentication okay protocol decode
-100000155 || COMMUNITY IMAP MDaemon authentication overflow single packet attempt || bugtraq,14317
-100000156 || COMMUNITY WEB-CGI Twiki shell command execution || bugtraq,14834 || cve,2005-2877 || url,twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev
-100000157 || COMMUNITY WEB-CGI ATutor password_reminder.php SQL injection attempt || bugtraq,14831
-100000158 || COMMUNITY SIP INVITE message flooding
-100000159 || COMMUNITY SIP REGISTER message flooding
-100000160 || COMMUNITY SIP TCP/IP message flooding directed to SIP proxy
-100000161 || COMMUNITY SIP DNS No such name treshold - Abnormaly high count of No such name responses
-100000162 || COMMUNITY SIP 401 Unauthorized Flood
-100000163 || COMMUNITY SIP 407 Proxy Authentication Required Flood
-100000164 || COMMUNITY ICMP Linux DoS sctp Exploit || nessus,19777
-100000165 || COMMUNITY EXPLOIT Sentinel LM exploit || bugtraq,12742 || cve,2005-0353 || url,www.osvdb.org/displayvuln.php?osvdb_id=14605 || nessus,17326
-100000166 || COMMUNITY ORACLE TNS Listener shutdown via iSQLPlus attempt || bugtraq,15032 || url,www.red-database-security.com/advisory/oracle_isqlplus_shutdown.html
-100000167 || COMMUNITY SMTP Hydra Activity Detected || url,www.thc.org/releases.php
-100000168 || COMMUNITY WEB-ATTACKS Hydra Activity Detected || url,www.thc.org/releases.php
-100000169 || COMMUNITY WEB-ATTACKS Amap fingerprint attempt || url,www.thc.org/releases.php
-100000170 || COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Host Parameter || bugtraq,15081 || url,www.osvdb.org/displayvuln.php?osvdb_id=19926
-100000171 || COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Accept 
Parameter || bugtraq,15081 || url,www.osvdb.org/displayvuln.php?osvdb_id=19926
-100000172 || COMMUNITY NNTP Lynx overflow attempt || cve,2005-3120 || bugtraq,15117 || url,www.osvdb.org/displayvuln.php?osvdb_id=20019 || nessus,20035
-100000173 || COMMUNITY WEB-IIS RSA WebAgent Redirect Overflow attempt
-100000174 || COMMUNITY WEB-IIS RSA WebAgent access || cve,2005-1118 || bugtraq,13168
-100000175 || COMMUNITY DOS Ethereal slimp overflow attempt || cve,2005-3243 || url,www.ethereal.com/docs/release-notes/ethereal-0.10.13.html
-100000176 || COMMUNITY EXPLOIT HPUX LPD overflow attempt || cve,2005-3277 || bugtraq,15136
-100000177 || COMMUNITY WEB-MISC Linksys apply.cgi overflow attempt || bugtraq,14822 || cve,2005-2799 || nessus,20096 || url,www.osvdb.org/displayvuln.php?osvdb_id=19389
-100000178 || COMMUNITY WEB-MISC Hasbani-WindWeb GET DoS attempt || bugtraq,15225 || nessus,20097
-100000179 || COMMUNITY WEB-MISC SMC TRACE access || url,www.kb.cert.org/vuls/id/867593
-100000180 || COMMUNITY EXPLOIT SIP UDP spoof attempt || bugtraq,14174 || cve,2005-2182 || url,www.osvdb.org/displayvuln.php?osvdb_id=17838
-100000181 || COMMUNITY GAME FlatFrag game dos exploit || bugtraq,15287 || cve,2005-3492
-100000182 || COMMUNITY GAME Battle Carry attempt || cve,2005-3493 || bugtraq,15282
-100000183 || COMMUNITY WEB-ATTACKS SAP WAS syscmd access || url,www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf
-100000184 || COMMUNITY WEB-MISC JBoss JMXInvokerServlet access || url,online.securityfocus.com/archive/1/415707
-100000185 || COMMUNITY WEB-MISC apache directory list attempt || bugtraq,3009 || cve,2001-0731
-100000186 || COMMUNITY WEB-PHP phpinfo access || bugtraq,5789 || cve,2002-1149 || url,www.osvdb.org/displayvuln.php?osvdb_id=3356
-100000187 || COMMUNITY WEB-PHP XSS attempt
-100000188 || COMMUNITY WEB-PHP Vubb Path attempt || cve,2005-3513 || url,marc.theaimsgroup.com/?l=bugtraq&m=113087965608496&w=2
-100000189 || COMMUNITY MISC streaming RTSP - realplayer 
|| url,www.rtsp.org -100000190 || COMMUNITY MISC streaming Windows Mediaplayer || url,www.microsoft.com -100000191 || COMMUNITY SMTP Gnu Mailman utf8 attachement access || bugtraq,15408 || cve,2005-3573 || url,www.osvdb.org/displayvuln.php?osvdb_id=20819 -100000192 || COMMUNITY SQL-INJECTION WIZZ ForumTopicDetails Sql Injection attempt || bugtraq,15410 || url,www.osvdb.org/displayvuln.php?osvdb_id=20846 -100000193 || COMMUNITY SQL-INJECTION WIZZ ForumAuthDetails Sql Injection attempt || bugtraq,15410 || url,www.osvdb.org/displayvuln.php?osvdb_id=20845 -100000194 || COMMUNITY SQL-INJECTION WIZZ ForumReply Sql Injection attempt || bugtraq,15410 || url,www.osvdb.org/displayvuln.php?osvdb_id=20847 -100000195 || COMMUNITY WEB-PHP _SERVER HTTP_ACCEPT_LANGUAGE access || bugtraq,15414 || cve,2005-3347 -100000196 || COMMUNITY IMAP Qualcomm WorldMail SELECT dot dot attempt || cve,2005-3189 || bugtraq,15488 -100000197 || COMMUNITY ICMP undefined code -100000198 || COMMUNITY MISC Ntp fingerprint detect || url,www.arhont.com/ViewPage7422.html?siteNodeId=3&languageId=1&contentId=-1 -100000199 || COMMUNITY MISC Novell eDirectory iMonitor access || bugtraq,14548 || cve,2005-2551 || nessus,19248 || url,www.osvdb.org/displayvuln.php?osvdb_id=18703 -100000200 || COMMUNITY WEB-MISC Symantec Brightmail Antispam default login attempt || nessus,19598 || url,securityresponse.symantec.com/avcenter/security/Content/2005.05.31a.html -100000201 || COMMUNITY WEB-PHP CuteNews flood.db.php access || bugtraq,14869 || cve,2005-3010 || nessus,19756 || url,www.osvdb.org/displayvuln.php?osvdb_id=19478 -100000202 || COMMUNITY WEB-PHP DeluxeBB topic.php access || bugtraq,14851 || cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19404 -100000203 || COMMUNITY WEB-PHP DeluxeBB misc.php access || bugtraq,14851 || cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19405 -100000204 || COMMUNITY WEB-PHP DeluxeBB pm.php access || bugtraq,14851 || 
cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19407 -100000205 || COMMUNITY WEB-PHP DeluxeBB forums.php access || bugtraq,14851 || cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19406 -100000206 || COMMUNITY WEB-PHP DeluxeBB newpost.php access || bugtraq,14851 || cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19408 -100000207 || COMMUNITY IMAP GNU Mailutils imap4d hex attempt || cve,2005-2878 || bugtraq,14794 || nessus,19605 || url,www.osvdb.org/displayvuln.php?osvdb_id=19306 -100000208 || COMMUNITY MISC Tunneling IP over DNS with NSTX || url,nstx.dereference.de/nstx/ || url,slashdot.org/articles/00/09/10/2230242.shtml -100000209 || COMMUNITY WEB-MISC FtpLocate flsearch.pl possible command execution attempt || bugtraq,14367 || cve,2005-2420 || nessus,19300 || url,www.osvdb.org/displayvuln.php?osvdb_id=18305 -100000210 || COMMUNITY WEB-MISC generic cmd pipe after = attempt -100000211 || COMMUNITY WEB-PHP Gallery g2_itemId access || bugtraq,15108 || cve,2005-0222 || nessus,20015 || url,www.osvdb.org/displayvuln.php?osvdb_id=13034 -100000212 || COMMUNITY WEB-PHP Gallery g2_return access || bugtraq,15108 || cve,2005-0222 || nessus,20015 || url,www.osvdb.org/displayvuln.php?osvdb_id=13034 -100000213 || COMMUNITY WEB-PHP Gallery g2_view access || bugtraq,15108 || cve,2005-0222 || nessus,20015 || url,www.osvdb.org/displayvuln.php?osvdb_id=13034 -100000214 || COMMUNITY WEB-PHP Gallery g2_subView access || bugtraq,15108 || cve,2005-0222 || nessus,20015 || url,www.osvdb.org/displayvuln.php?osvdb_id=13034 -100000215 || COMMUNITY DOS Trend Micro ServerProtect EarthAgent attempt || cve,2005-1928 || url,www.idefense.com/application/poi/display?id=356&type=vulnerabilities -100000216 || COMMUNITY WEB-MISC Trend Micro ServerProtect isaNVWRequest.dll access || cve,2005-1929 || url,www.idefense.com/application/poi/display?id=353&type=vulnerabilities -100000217 || COMMUNITY WEB-MISC man2web cmd 
exec attempt || cve,2005-2812 || bugtraq,14747 || nessus,19591 -100000218 || COMMUNITY WEB-PHP MailGust SQL Injection email attempt || bugtraq,14933 || cve,2005-3063 || nessus,19947 -100000219 || COMMUNITY SMTP MIME-Type ms-tnef access || bugtraq,16197 || cve,2006-0002 || url,www.microsoft.com/technet/security/bulletin/MS06-003.mspx -100000220 || COMMUNITY WEB-PHP PHP-Nuke admin_styles.php phpbb_root_path access || url,www.autistici.org/anacron-group-italy/file/txt/sile002adv.txt || url,www.osvdb.org/displayvuln.php?osvdb_id=16244 -100000221 || COMMUNITY WEB-PHP AppServ main.php appserv_root param access || url,www.osvdb.org/displayvuln.php?osvdb_id=22228 -100000222 || COMMUNITY MISC TFTP32 Get Format string attempt || url,www.securityfocus.com/archive/1/422405/30/0/threaded || url,www.critical.lt/?vulnerabilities/200 -100000223 || COMMUNITY EXPLOIT SIP UDP Softphone overflow attempt || bugtraq,16213 || cve,2006-0189 -100000224 || COMMUNITY SMTP Mozilla filename overflow attempt || bugtraq,16271 -100000225 || COMMUNITY WEB-MISC ASPSurvey Login_Validate.asp Password param access || cve,2006-0192 -100000226 || COMMUNITY VIRUS Possible BlackWorm or Nymex infected host || url,www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2fMywife.E%40mm || url,cme.mitre.org/data/list.html#24 || url,isc.sans.org/blackworm -100000227 || COMMUNITY MISC SNMP trap Format String detected || bugtraq,16267 || cve,2006-0250 || url,www.osvdb.org/displayvuln.php?osvdb_id=22493 -100000228 || COMMUNITY WEB-CLIENT Winamp PlayList buffer overflow attempt || bugtraq,16410 || cve,2006-0476 || url,www.frsirt.com/english/advisories/2006/0361 -100000229 || COMMUNITY MISC Lotus Domino LDAP attack || bugtraq,16523 || cve,2006-0580 || url,lists.immunitysec.com/pipermail/dailydave/2006-February/002896.html -100000230 || COMMUNITY MISC Jabber/Google Talk Outgoing Traffic || url,www.google.com/talk/ -100000231 || COMMUNITY MISC Jabber/Google Talk Outgoing Auth || url,www.google.com/talk/ 
-100000232 || COMMUNITY MISC Google Talk Logon || url,www.google.com/talk/ -100000233 || COMMUNITY MISC Jabber/Google Talk Outoing Message || url,www.google.com/talk/ -100000234 || COMMUNITY MISC Jabber/Google Talk Log Out || url,www.google.com/talk/ -100000235 || COMMUNITY MISC Jabber/Google Talk Logon Success || url,www.google.com/talk/ -100000236 || COMMUNITY MISC Jabber/Google Talk Incoming Message || url,www.google.com/talk/ -100000237 || COMMUNITY WEB-MISC Proxy Bypass Via Google Translation Same To And From Language || url,www.boingboing.net/2006/02/22/argonne_national_lab.html -100000238 || COMMUNITY WEB-CLIENT IE mulitple event handler heap overflow attempt || bugtraq,17131 || cve,2006-1245 || url,www.microsoft.com/technet/security/Bulletin/MS06-013.mspx -100000239 || COMMUNITY WEB-CLIENT IE createTextRange overflow attempt || bugtraq,17196 || cve,2006-1359 || url,www.microsoft.com/technet/security/Bulletin/MS06-013.mspx -100000240 || COMMUNITY BOT IRC Traffic Detected By Nick Change -100000241 || COMMUNITY BOT Internal IRC server detected -100000242 || COMMUNITY BOT Agobot/PhatBot bot.about command -100000243 || COMMUNITY BOT Agobot/PhatBot bot.die command -100000244 || COMMUNITY BOT Agobot/PhatBot bot.dns command -100000245 || COMMUNITY BOT Agobot/PhatBot bot.execute command -100000246 || COMMUNITY BOT Agobot/PhatBot bot.id command -100000247 || COMMUNITY BOT Agobot/PhatBot bot.nick command -100000248 || COMMUNITY BOT Agobot/PhatBot bot.open command -100000249 || COMMUNITY BOT Agobot/PhatBot bot.remove command -100000250 || COMMUNITY BOT Agobot/PhatBot bot.removeallbut command -100000251 || COMMUNITY BOT Agobot/PhatBot bot.rndnick command -100000252 || COMMUNITY BOT Agobot/PhatBot bot.status command -100000253 || COMMUNITY BOT Agobot/PhatBot bot.sysinfo command -100000254 || COMMUNITY BOT Agobot/PhatBot bot.longuptime command -100000255 || COMMUNITY BOT Agobot/PhatBot bot.highspeed command -100000256 || COMMUNITY BOT Agobot/PhatBot bot.quit command 
-100000257 || COMMUNITY BOT Agobot/PhatBot bot.flushdns command -100000258 || COMMUNITY BOT Agobot/PhatBot bot.secure command -100000259 || COMMUNITY BOT Agobot/PhatBot bot.unsecure command -100000260 || COMMUNITY BOT Agobot/PhatBot bot.command command -100000261 || COMMUNITY BOT SDBot killthread command -100000262 || COMMUNITY BOT SDBot cdkey command -100000263 || COMMUNITY BOT SDBot getcdkey command -100000264 || COMMUNITY BOT SDBot rndnick command -100000265 || COMMUNITY BOT SDBot c_rndnick command -100000266 || COMMUNITY BOT SDBot c_nick command -100000267 || COMMUNITY BOT SpyBot stopspy command -100000268 || COMMUNITY BOT SpyBot redirectspy command -100000269 || COMMUNITY BOT SpyBot loadclones command -100000270 || COMMUNITY BOT SpyBot killclones command -100000271 || COMMUNITY BOT SpyBot rawclones command -100000272 || COMMUNITY BOT GTBot ver command -100000273 || COMMUNITY BOT GTBot info command -100000274 || COMMUNITY BOT GTBot scan command -100000275 || COMMUNITY BOT GTBot portscan command -100000276 || COMMUNITY BOT GTBot stopscan command -100000277 || COMMUNITY BOT GTBot packet command -100000278 || COMMUNITY BOT GTBot bnc command -100000279 || COMMUNITY SMTP Incoming WAB attachment || cve,2006-0014 || url,www.microsoft.com/technet/security/bulletin/MS06-016.mspx -100000281 || COMMUNITY MISC Connect Direct Server - Session Terminated Invalid Credentials -100000282 || COMMUNITY VIRUS Nugache connect -100000283 || COMMUNITY VIRUS Nugache data || url,securityresponse.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html -100000284 || COMMUNITY WEB-CLIENT RealMedia invalid chunk size heap overflow attempt || bugtraq,17202 || cve,2005-2922 || url,service.real.com/realplayer/security/03162006_player/en/ -100000285 || COMMUNITY WEB-PHP ldap_var.inc.php remote file include attempt || bugtraq,17915 -100000286 || COMMUNITY WEB-PHP X Poll admin access || url,marc.theaimsgroup.com/?l=bugtraq&m=114710173409997&w=2 -100000287 || COMMUNITY WEB-PHP Claroline 
ldap.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000288 || COMMUNITY WEB-PHP Claroline atutor.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000289 || COMMUNITY WEB-PHP Claroline db-generic.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000290 || COMMUNITY WEB-PHP Claroline docebo.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000291 || COMMUNITY WEB-PHP Claroline dokeos.1.6.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000292 || COMMUNITY WEB-PHP Claroline dokeos.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000293 || COMMUNITY WEB-PHP Claroline ganesha.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000294 || COMMUNITY WEB-PHP Claroline mambo.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000295 || COMMUNITY WEB-PHP Claroline moodle.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000296 || COMMUNITY WEB-PHP Claroline phpnuke.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000297 || COMMUNITY WEB-PHP Claroline postnuke.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000298 || COMMUNITY WEB-PHP Claroline spip.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000299 || COMMUNITY WEB-PHP Claroline event/init_event_manager.inc.php access || url,www.claroline.net || 
url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000300 || COMMUNITY WEB-PHP Claroline export_exe_tracking.class.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000301 || COMMUNITY SMTP McAfee WebShield SMTP bounce message format string attempt || bugtraq,16742 || cve,2006-0559 -100000302 || COMMUNITY WEB-MISC DeviceSelection.asp sRedirectUrl parameter access || bugtraq,17964 -100000303 || COMMUNITY WEB-MISC DeviceSelection.asp sCancelURL parameter access || bugtraq,17964 -100000304 || COMMUNITY WEB-PHP Gphoto index.php rep parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2 -100000305 || COMMUNITY WEB-PHP Gphoto index.php image parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2 -100000306 || COMMUNITY WEB-PHP Gphoto diapho.php rep parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2 -100000307 || COMMUNITY WEB-PHP Gphoto diapho.php image parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2 -100000308 || COMMUNITY WEB-PHP Gphoto affich.php rep parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2 -100000309 || COMMUNITY WEB-PHP Gphoto affich.php image parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2 -100000310 || COMMUNITY VIRUS Ginwui.B command server dns query attempt - scfzf.xicp.net || url,vil.nai.com/vil/content/v_139545.htm -100000311 || COMMUNITY VIRUS Ginwui.B command server dns query attempt - localhosts.3322.org || url,vil.nai.com/vil/content/v_139545.htm -100000312 || COMMUNITY VIRUS Ginwui.B POST attempt || url,vil.nai.com/vil/content/v_139545.htm -100000313 || COMMUNITY WEB-MISC 3Com Network Supervisor directory traversal || bugtraq,14715 || cve,2005-2020 -100000314 || COMMUNITY WEB-MISC 
MediaWiki parser script insertion attempt || cve,2006-2611 -100000315 || COMMUNITY WEB-MISC HTTP PUT Request || url,infosecpotpourri.blogspot.com/2006/06/http-put-defacement-attempts.html -100000316 || COMMUNITY WEB-MISC HTTP PUT Request Successful || url,infosecpotpourri.blogspot.com/2006/06/http-put-defacement-attempts.html -100000317 || COMMUNITY WEB-MISC phpBazar classified_right.php remote file include || bugtraq,18052 -100000318 || COMMUNITY WEB-MISC phpBazar admin.php unauthorized administrative access || bugtraq,18053 || cve,2006-2527 -100000319 || COMMUNITY WEB-MISC ActualScripts direct.php remote file include || bugtraq,17597 -100000320 || COMMUNITY WEB-MISC ScozNet ScozNews functions.php remote file include || bugtraq,18027 -100000321 || COMMUNITY WEB-MISC ScozNet ScozNews help.php remote file include || bugtraq,18027 -100000322 || COMMUNITY WEB-MISC ScozNet ScozNews mail.php remote file include || bugtraq,18027 -100000323 || COMMUNITY WEB-MISC ScozNet ScozNews news.php remote file include || bugtraq,18027 -100000324 || COMMUNITY WEB-MISC ScozNet ScozNews template.php remote file include || bugtraq,18027 -100000325 || COMMUNITY WEB-MISC ScozNet ScozNews admin_cats.php remote file include || bugtraq,18027 -100000326 || COMMUNITY WEB-MISC ScozNet ScozNews admin_edit.php remote file include || bugtraq,18027 -100000327 || COMMUNITY WEB-MISC ScozNet ScozNews admin_import.php remote file include || bugtraq,18027 -100000328 || COMMUNITY WEB-MISC ScozNet ScozNews admin_templates.php remote file include || bugtraq,18027 -100000329 || COMMUNITY WEB-MISC Invision Power Board class_post.php remote file include || bugtraq,18040 -100000330 || COMMUNITY WEB-MISC Invision Power Board moderate.php remote file include || bugtraq,18040 -100000331 || COMMUNITY WEB-MISC ZixForum settings.asp access || bugtraq,18043 -100000332 || COMMUNITY WEB-MISC Artmedic Newsletter log.php access || bugtraq,18047 -100000333 || COMMUNITY WEB-MISC Artmedic Newsletter log.php access || 
bugtraq,18047 -100000334 || COMMUNITY WEB-MISC CaLogic Calendars reconfig.php remote file include || bugtraq,18076 -100000335 || COMMUNITY WEB-MISC CaLogic Calendars srxclr.php remote file include || bugtraq,18076 -100000336 || COMMUNITY WEB-MISC phpMyDirectory footer.php remote file include || cve,2006-2521 -100000337 || COMMUNITY WEB-MISC phpMyDirectory defaults_setup.php remote file include || cve,2006-2521 -100000338 || COMMUNITY WEB-MISC phpMyDirectory header.php remote file include || cve,2006-2521 -100000339 || COMMUNITY WEB-MISC V-Webmail core.php remote file include || url,secunia.com/advisories/20297/ -100000340 || COMMUNITY WEB-MISC V-Webmail pop3.php remote file include || url,secunia.com/advisories/20297/ -100000341 || COMMUNITY WEB-MISC DoceboLMS help.php remote file include || bugtraq,18110 -100000342 || COMMUNITY WEB-MISC DoceboLMS business.php remote file include || bugtraq,18110 -100000343 || COMMUNITY WEB-MISC DoceboLMS credits.php remote file include || bugtraq,18110 -100000344 || COMMUNITY WEB-MISC SocketMail index.php remote file include || url,secunia.com/advisories/20273/ -100000345 || COMMUNITY WEB-MISC SocketMail inc-common.php remote file include || url,secunia.com/advisories/20273/ -100000346 || COMMUNITY WEB-MISC Plume CMS prepend.php remote file include || bugtraq,16662 -100000347 || COMMUNITY WEB-MISC Ezupload Pro form.php remote file include || bugtraq,18135 -100000348 || COMMUNITY WEB-MISC Ezupload Pro customize.php remote file include || bugtraq,18135 -100000349 || COMMUNITY WEB-MISC Ezupload Pro initialize.php remote file include || bugtraq,18135 -100000350 || COMMUNITY WEB-MISC UBBThreads ubbt.inc.php remote file include || url,www.nukedx.com/?viewdoc=40 -100000351 || COMMUNITY WEB-MISC UBBThreads config[cookieprefix] remote file include || url,www.nukedx.com/?viewdoc=40 -100000352 || COMMUNITY WEB-MISC Blend Portal blend_common.php remote file include || bugtraq,18153 || url,www.nukedx.com/?viewdoc=41 -100000353 || COMMUNITY 
WEB-MISC tinyBB footers.php remote file include || bugtraq,18147 -100000354 || COMMUNITY WEB-MISC phpBB-Amod lang_activity.php remote file include || bugtraq,18155 -100000355 || COMMUNITY WEB-MISC eSyndiCat cron.php remote file include || url,secunia.com/advisories/20218/ -100000356 || COMMUNITY WEB-MISC BASE base_qry_common.php remote file include || url,secunia.com/advisories/20300/ -100000357 || COMMUNITY WEB-MISC BASE base_stat_common.php remote file include || url,secunia.com/advisories/20300/ -100000358 || COMMUNITY WEB-MISC BASE base_include.inc.php remote file include || url,secunia.com/advisories/20300/ -100000359 || COMMUNITY WEB-MISC Fastpublish CMS drucken.php remote file include || bugtraq,18163 -100000360 || COMMUNITY WEB-MISC Fastpublish CMS drucken2.php remote file include || bugtraq,18163 -100000361 || COMMUNITY WEB-MISC Fastpublish CMS email_an_benutzer.php remote file include || bugtraq,18163 -100000362 || COMMUNITY WEB-MISC Fastpublish CMS rechnung.php remote file include || bugtraq,18163 -100000363 || COMMUNITY WEB-MISC Fastpublish CMS search.php remote file include || bugtraq,18163 -100000364 || COMMUNITY WEB-MISC Fastpublish CMS admin.php remote file include || bugtraq,18163 -100000365 || COMMUNITY WEB-MISC phpNuke index.php remote file include || bugtraq,18186 -100000366 || COMMUNITY WEB-MISC phpNuke admin_ug_auth.php remote file include || bugtraq,18186 -100000367 || COMMUNITY WEB-MISC phpNuke admin_board.php remote file include || bugtraq,18186 -100000368 || COMMUNITY WEB-MISC phpNuke admin_disallow.php remote file include || bugtraq,18186 -100000369 || COMMUNITY WEB-MISC phpNuke admin_forumauth.php remote file include || bugtraq,18186 -100000370 || COMMUNITY WEB-MISC phpNuke admin_groups.php remote file include || bugtraq,18186 -100000371 || COMMUNITY WEB-MISC phpNuke admin_ranks.php remote file include || bugtraq,18186 -100000372 || COMMUNITY WEB-MISC phpNuke admin_styles.php remote file include || bugtraq,18186 -100000373 || COMMUNITY 
WEB-MISC phpNuke admin_user_ban.php remote file include || bugtraq,18186 -100000374 || COMMUNITY WEB-MISC phpNuke admin_words.php remote file include || bugtraq,18186 -100000375 || COMMUNITY WEB-MISC phpNuke admin_avatar.php remote file include || bugtraq,18186 -100000376 || COMMUNITY WEB-MISC phpNuke admin_db_utilities.php remote file include || bugtraq,18186 -100000377 || COMMUNITY WEB-MISC phpNuke admin_forum_prune.php remote file include || bugtraq,18186 -100000378 || COMMUNITY WEB-MISC phpNuke admin_forums.php remote file include || bugtraq,18186 -100000379 || COMMUNITY WEB-MISC phpNuke admin_mass_email.php remote file include || bugtraq,18186 -100000380 || COMMUNITY WEB-MISC phpNuke admin_smilies.php remote file include || bugtraq,18186 -100000381 || COMMUNITY DELETED phpNuke admin_ug_auth.php remote file include || bugtraq,18186 -100000382 || COMMUNITY WEB-MISC phpNuke admin_users.php remote file include || bugtraq,18186 -100000383 || COMMUNITY WEB-MISC OsTicket open_form.php remote file include || bugtraq,18190 -100000384 || COMMUNITY WEB-MISC Ottoman index.php remote file include || bugtraq,18208 -100000385 || COMMUNITY WEB-MISC Ottoman error.php remote file include || bugtraq,18208 -100000386 || COMMUNITY WEB-MISC Ottoman main_class.php remote file include || bugtraq,18208 -100000387 || COMMUNITY WEB-MISC Ovidentia index.php remote file include || bugtraq,18232 -100000388 || COMMUNITY WEB-MISC Ovidentia topman.php remote file include || bugtraq,18232 -100000389 || COMMUNITY WEB-MISC Ovidentia approb.php remote file include || bugtraq,18232 -100000390 || COMMUNITY WEB-MISC Ovidentia vacadmb.php remote file include || bugtraq,18232 -100000391 || COMMUNITY WEB-MISC Ovidentia vacadma.php remote file include || bugtraq,18232 -100000392 || COMMUNITY WEB-MISC Ovidentia vacadm.php remote file include || bugtraq,18232 -100000393 || COMMUNITY WEB-MISC Ovidentia start.php remote file include || bugtraq,18232 -100000394 || COMMUNITY WEB-MISC Ovidentia search.php 
remote file include || bugtraq,18232 -100000395 || COMMUNITY WEB-MISC Ovidentia posts.php remote file include || bugtraq,18232 -100000396 || COMMUNITY WEB-MISC Ovidentia options.php remote file include || bugtraq,18232 -100000397 || COMMUNITY WEB-MISC Ovidentia login.php remote file include || bugtraq,18232 -100000398 || COMMUNITY WEB-MISC Ovidentia frchart.php remote file include || bugtraq,18232 -100000399 || COMMUNITY WEB-MISC Ovidentia flbchart.php remote file include || bugtraq,18232 -100000400 || COMMUNITY WEB-MISC Ovidentia fileman.php remote file include || bugtraq,18232 -100000401 || COMMUNITY WEB-MISC Ovidentia faq.php remote file include || bugtraq,18232 -100000402 || COMMUNITY WEB-MISC Ovidentia event.php remote file include || bugtraq,18232 -100000403 || COMMUNITY WEB-MISC Ovidentia directory.php remote file include || bugtraq,18232 -100000404 || COMMUNITY WEB-MISC Ovidentia articles.php remote file include || bugtraq,18232 -100000405 || COMMUNITY WEB-MISC Ovidentia artedit.php remote file include || bugtraq,18232 -100000406 || COMMUNITY WEB-MISC Ovidentia approb.php remote file include || bugtraq,18232 -100000407 || COMMUNITY WEB-MISC Ovidentia calday.php remote file include || bugtraq,18232 -100000408 || COMMUNITY WEB-MISC AssoCIateD cache_mngt.php remote file include || bugtraq,18220 -100000409 || COMMUNITY WEB-MISC AssoCIateD gallery_functions.php remote file include || bugtraq,18220 -100000410 || COMMUNITY WEB-MISC REDAXO index.inc.php remote file include || bugtraq,18229 -100000411 || COMMUNITY WEB-MISC REDAXO index.inc.php remote file include || bugtraq,18229 -100000412 || COMMUNITY WEB-MISC REDAXO index.inc.php remote file include || bugtraq,18229 -100000413 || COMMUNITY WEB-MISC REDAXO index.inc.php remote file include || bugtraq,18229 -100000414 || COMMUNITY WEB-MISC REDAXO community.inc.php remote file include || bugtraq,18229 -100000415 || COMMUNITY WEB-MISC Bytehoard server.php remote file include || bugtraq,18234 -100000416 || COMMUNITY 
WEB-MISC MyBloggie admin.php remote file include || bugtraq,18241 -100000417 || COMMUNITY WEB-MISC MyBloggie scode.php remote file include || bugtraq,18241 -100000418 || COMMUNITY WEB-MISC Ashwebstudio Ashnews ashheadlines.php remote file include || bugtraq,18248 -100000419 || COMMUNITY WEB-MISC Ashwebstudio Ashnews ashnews.php remote file include || bugtraq,18248 -100000420 || COMMUNITY WEB-MISC Informium common-menu.php remote file include || bugtraq,18249 -100000421 || COMMUNITY WEB-MISC Igloo wiki.php remote file include || bugtraq,18250 -100000422 || COMMUNITY WEB-MISC phpBB template.php remote file include || bugtraq,18255 -100000423 || COMMUNITY WEB-MISC DotWidget CMS index.php remote file include || bugtraq,18258 -100000424 || COMMUNITY WEB-MISC DotWidget CMS feedback.php remote file include || bugtraq,18258 -100000425 || COMMUNITY WEB-MISC DotWidget CMS printfriendly.php remote file include || bugtraq,18258 -100000426 || COMMUNITY WEB-MISC DotClear prepend.php remote file include || bugtraq,18259 -100000427 || COMMUNITY WEB-MISC JBoss jmx-console html adaptor access || url,jboss.org/wiki/Wiki.jsp?page=JMXConsole -100000428 || COMMUNITY WEB-MISC JBoss RMI class download service directory listing attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2 -100000429 || COMMUNITY WEB-MISC JBoss web-console access || url,www.jboss.org/wiki/Wiki.jsp?page=WebConsole -100000430 || COMMUNITY WEB-MISC BlueShoes Bs_Faq.class.php remote file include || bugtraq,18261 -100000431 || COMMUNITY WEB-MISC BlueShoes fileBrowserInner.php remote file include || bugtraq,18261 -100000432 || COMMUNITY WEB-MISC BlueShoes file.php remote file include || bugtraq,18261 -100000433 || COMMUNITY WEB-MISC BlueShoes viewer.php remote file include || bugtraq,18261 -100000434 || COMMUNITY WEB-MISC BlueShoes Bs_ImageArchive.class.php remote file include || bugtraq,18261 -100000435 || COMMUNITY WEB-MISC BlueShoes Bs_Ml_User.class.php remote file include || bugtraq,18261 -100000436 
|| COMMUNITY WEB-MISC BlueShoes Bs_Wse_Profile.class.php remote file include || bugtraq,18261 -100000437 || COMMUNITY WEB-MISC CS-Cart class.cs_phpmailer.php remote file include || bugtraq,18263 -100000438 || COMMUNITY WEB-MISC Claroline mambo.inc.php remote file include || bugtraq,18265 -100000439 || COMMUNITY WEB-MISC Claroline postnuke.inc.php remote file include || bugtraq,18265 -100000440 || COMMUNITY WEB-MISC CyBoards common.php remote file include || bugtraq,18272 -100000441 || COMMUNITY WEB-MISC Wikiwig wk_lang.php remote file include || bugtraq,18291 -100000442 || COMMUNITY WEB-MISC MiraksGalerie pcltar.lib.php remote file include || bugtraq,18313 -100000443 || COMMUNITY WEB-MISC MiraksGalerie galimage.lib.php remote file include || bugtraq,18313 -100000444 || COMMUNITY WEB-MISC MiraksGalerie galsecurity.lib.php remote file include || bugtraq,18313 -100000445 || COMMUNITY WEB-PHP Particle Gallery Viewimage PHP Variable Injection Attempt || bugtraq,18270 -100000446 || COMMUNITY WEB-PHP Particle Wiki PHP SQL Injection attempt || bugtraq,18273 -100000447 || COMMUNITY WEB-CLIENT Mozilla Firefox DOMNodeRemoved attack attempt || bugtraq,18228 || cve,2006-2779 -100000448 || COMMUNITY WEB-MISC OfficeFlow default.asp xss attempt || bugtraq,18367 -100000449 || COMMUNITY WEB-MISC OfficeFlow files.asp MSSQL injection attempt || bugtraq,18367 -100000450 || COMMUNITY WEB-MISC VanillaSoft Helpdesk default.asp xss attempt || bugtraq,18368 -100000451 || COMMUNITY WEB-MISC KAPhotoservice album.asp xss attempt || bugtraq,18379 -100000452 || COMMUNITY WEB-MISC KAPhotoservice album.asp xss attempt || bugtraq,18379 -100000453 || COMMUNITY WEB-MISC KAPhotoservice edtalbum.asp xss attempt || bugtraq,18379 -100000454 || COMMUNITY WEB-MISC KAPhotoservice edtalbum.asp xss attempt || bugtraq,18379 -100000455 || COMMUNITY WEB-MISC Axent Forum viewposts.cfm xss attempt || bugtraq,18473 -100000456 || COMMUNITY WEB-MISC SSPwiz index.cfm xss attempt || bugtraq,18482 -100000457 || 
COMMUNITY WEB-MISC ASP Stats pages.asp MSSQL injection attempt || bugtraq,18512 -100000458 || COMMUNITY WEB-MISC DPVision Tradingeye Shop details.cfm xss attempt || bugtraq,18526 -100000459 || COMMUNITY WEB-MISC WeBBoA yeni_host.asp MSSQL injection attempt || bugtraq,18564 -100000460 || COMMUNITY WEB-MISC AZureus index.tmpl xss attempt || bugtraq,18596 -100000461 || COMMUNITY WEB-MISC Open WebMail openwebmail-read.pl xss attempt || bugtraq,18598 -100000462 || COMMUNITY WEB-MISC Open WebMail openwebmail-read.pl xss attempt || bugtraq,18598 -100000463 || COMMUNITY WEB-PHP Joomla joomla.php remote file include || bugtraq,18363 -100000464 || COMMUNITY WEB-PHP LoveCompass AEPartner design.inc.php remote file include || bugtraq,18370 -100000465 || COMMUNITY WEB-PHP Empris sql_fcnsOLD.php remote file include || bugtraq,18371 -100000466 || COMMUNITY WEB-PHP Free QBoard post.php remote file include || bugtraq,18373 -100000467 || COMMUNITY WEB-PHP WebprojectDB nav.php remote file include || bugtraq,18378 -100000468 || COMMUNITY WEB-PHP WebprojectDB lang.php remote file include || bugtraq,18378 -100000469 || COMMUNITY WEB-PHP iFoto index.php xss attempt || bugtraq,18391 -100000470 || COMMUNITY WEB-PHP Foing manage_songs.php remote file include || bugtraq,18392 -100000471 || COMMUNITY WEB-PHP VBZoom show.php SQL injection attempt || bugtraq,18403 -100000472 || COMMUNITY WEB-PHP VBZoom show.php SQL injection attempt || bugtraq,18403 -100000473 || COMMUNITY WEB-PHP VBZoom language.php SQL injection attempt || bugtraq,18403 -100000474 || COMMUNITY WEB-PHP VBZoom meaning.php SQL injection attempt || bugtraq,18403 -100000475 || COMMUNITY WEB-PHP VBZoom meaning.php SQL injection attempt || bugtraq,18403 -100000476 || COMMUNITY WEB-PHP VBZoom meaning.php SQL injection attempt || bugtraq,18403 -100000477 || COMMUNITY WEB-PHP VBZoom subject.php SQL injection attempt || bugtraq,18403 -100000478 || COMMUNITY WEB-PHP aWebNews visview.php remote file include || bugtraq,18406 -100000479 || 
COMMUNITY WEB-PHP CzarNews headlines.php remote file include || bugtraq,18411 -100000480 || COMMUNITY WEB-PHP Somery team.php remote file include || bugtraq,18412 -100000481 || COMMUNITY WEB-PHP Hinton Design PHPHG signed.php remote file include || bugtraq,18413 -100000482 || COMMUNITY WEB-PHP BoastMachine vote.php remote file include || bugtraq,18415 -100000483 || COMMUNITY WEB-PHP Wheatblog view_links.php remote file include || bugtraq,18416 -100000484 || COMMUNITY WEB-PHP Confixx ftp_index.php xss attempt || bugtraq,18426 -100000485 || COMMUNITY WEB-PHP RahnemaCo page.php remote file include || bugtraq,18435 -100000486 || COMMUNITY WEB-PHP PhpBlueDragon CMS template.php remote file include || bugtraq,18440 -100000487 || COMMUNITY WEB-PHP ISPConfig server.inc.php remote file include || bugtraq,18441 -100000488 || COMMUNITY WEB-PHP ISPConfig app.inc.php remote file include || bugtraq,18441 -100000489 || COMMUNITY WEB-PHP ISPConfig login.php remote file include || bugtraq,18441 -100000490 || COMMUNITY WEB-PHP ISPConfig trylogin.php remote file include || bugtraq,18441 -100000491 || COMMUNITY WEB-PHP DeluxeBB posting.php remote file include || bugtraq,18455 -100000492 || COMMUNITY WEB-PHP DeluxeBB newpm.php remote file include || bugtraq,18455 -100000493 || COMMUNITY WEB-PHP DeluxeBB postreply.php remote file include || bugtraq,18455 -100000494 || COMMUNITY WEB-PHP Zeroboard write_ok.php xss attempt || bugtraq,18458 -100000495 || COMMUNITY WEB-PHP Zeroboard write_ok.php xss attempt || bugtraq,18458 -100000496 || COMMUNITY WEB-PHP Chipmailer index.php SQL injection attempt || bugtraq,18463 -100000497 || COMMUNITY WEB-PHP Calendarix cal_event.php SQL injection attempt || bugtraq,18469 -100000498 || COMMUNITY WEB-PHP Calendarix cal_popup.php SQL injection attempt || bugtraq,18469 -100000499 || COMMUNITY WEB-PHP PictureDis thumstbl.php remote file include || bugtraq,18471 -100000500 || COMMUNITY WEB-PHP PictureDis wpfiles.php remote file include || bugtraq,18471 
-100000501 || COMMUNITY WEB-PHP PictureDis wallpapr.php remote file include || bugtraq,18471 -100000502 || COMMUNITY WEB-PHP Ji-Takz tag.class.php remote file include || bugtraq,18474 -100000503 || COMMUNITY WEB-PHP Nucleus CMS action.php remote file include || bugtraq,18475 -100000504 || COMMUNITY WEB-PHP Nucleus CMS media.php remote file include || bugtraq,18475 -100000505 || COMMUNITY WEB-PHP Nucleus CMS server.php remote file include || bugtraq,18475 -100000506 || COMMUNITY WEB-PHP Nucleus CMS api_metaweblog.inc.php remote file include || bugtraq,18475 -100000507 || COMMUNITY WEB-PHP FlashChat adminips.php remote file include || bugtraq,18480 -100000508 || COMMUNITY WEB-PHP Wikkawiki wakka.php access || bugtraq,18481 -100000509 || COMMUNITY WEB-PHP RahnemaCo page.php remote file include || bugtraq,18490 -100000510 || COMMUNITY WEB-PHP VBZoom rank.php SQL injection attempt || bugtraq,18497 -100000511 || COMMUNITY WEB-PHP VBZoom message.php SQL injection attempt || bugtraq,18497 -100000512 || COMMUNITY WEB-PHP VBZoom lng.php SQL injection attempt || bugtraq,18497 -100000513 || COMMUNITY WEB-PHP SAPHPLesson showcat.php SQL injection attempt || bugtraq,18501 -100000514 || COMMUNITY WEB-PHP SAPHPLesson misc.php SQL injection attempt || bugtraq,18501 -100000515 || COMMUNITY WEB-PHP CMS Faethon header.php xss attempt || bugtraq,18505 -100000516 || COMMUNITY WEB-PHP CMS Faethon footer.php xss attempt || bugtraq,18505 -100000517 || COMMUNITY WEB-PHP e107 search.php xss attempt || bugtraq,18508 -100000518 || COMMUNITY WEB-PHP PHP Live Helper initiate.php remote file include || bugtraq,18509 -100000519 || COMMUNITY WEB-PHP VUBB index.php SQL injection attempt || bugtraq,18516 -100000520 || COMMUNITY WEB-PHP Xarancms xaramcms_haupt.php SQL injection attempt || bugtraq,18520 -100000521 || COMMUNITY WEB-PHP TPL Design TplShop category.php SQL injection attempt || bugtraq,18524 -100000522 || COMMUNITY WEB-PHP The Edge eCommerce Shop productDetail.php xss attempt || 
bugtraq,18528
-100000523 || COMMUNITY WEB-PHP CavoxCms index.php SQL injection attempt || bugtraq,18533
-100000524 || COMMUNITY WEB-PHP Micro CMS microcms-include.php remote file include || bugtraq,18537
-100000525 || COMMUNITY WEB-PHP PHPMyDirectory offer-pix.php xss attempt || bugtraq,18539
-100000526 || COMMUNITY WEB-PHP PHPMyDirectory index.php xss attempt || bugtraq,18539
-100000527 || COMMUNITY WEB-PHP AssoCIateD index.php xss attempt || bugtraq,18541
-100000528 || COMMUNITY WEB-PHP PHPMyForum topic.php xss attempt || bugtraq,18542
-100000529 || COMMUNITY WEB-PHP NC Linklist index.php xss attempt || bugtraq,18546
-100000530 || COMMUNITY WEB-PHP NC Linklist index.php xss attempt || bugtraq,18546
-100000531 || COMMUNITY WEB-PHP BtitTracker torrents.php SQL injection attempt || bugtraq,18549
-100000532 || COMMUNITY WEB-PHP BtitTracker torrents.php SQL injection attempt || bugtraq,18549
-100000533 || COMMUNITY WEB-PHP VUBB functions.php SQL injection attempt || bugtraq,18561
-100000534 || COMMUNITY WEB-PHP VUBB english.php xss attempt || bugtraq,18562
-100000535 || COMMUNITY WEB-PHP IMGallery galeria.php SQL injection attempt || bugtraq,18566
-100000536 || COMMUNITY WEB-PHP IMGallery galeria.php SQL injection attempt || bugtraq,18566
-100000537 || COMMUNITY WEB-PHP thinkWMS index.php SQL injection attempt || bugtraq,18567
-100000538 || COMMUNITY WEB-PHP thinkWMS index.php SQL injection attempt || bugtraq,18567
-100000539 || COMMUNITY WEB-PHP thinkWMS printarticle.php SQL injection attempt || bugtraq,18567
-100000540 || COMMUNITY WEB-PHP Enterprise Groupware index.php xss attempt || bugtraq,18590
-100000541 || COMMUNITY WEB-PHP Dating Agent picture.php SQL injection attempt || bugtraq,18607
-100000542 || COMMUNITY WEB-PHP Dating Agent mem.php SQL injection attempt || bugtraq,18607
-100000543 || COMMUNITY WEB-PHP Dating Agent search.php SQL injection attempt || bugtraq,18607
-100000544 || COMMUNITY WEB-PHP Dating Agent search.php SQL injection attempt || 
bugtraq,18607
-100000545 || COMMUNITY WEB-PHP PHP Blue Dragon CMS team_admin.php remote file include || bugtraq,18609
-100000546 || COMMUNITY WEB-PHP PHP Blue Dragon CMS rss_admin.php remote file include || bugtraq,18609
-100000547 || COMMUNITY WEB-PHP PHP Blue Dragon CMS manual_admin.php remote file include || bugtraq,18609
-100000548 || COMMUNITY WEB-PHP PHP Blue Dragon CMS forum_admin.php remote file include || bugtraq,18609
-100000549 || COMMUNITY WEB-PHP Custom Datin Biz user_view.php xss attempt || bugtraq,18626
-100000550 || COMMUNITY WEB-PHP Project Eros BBSEngine comment.php access || bugtraq,18627
-100000551 || COMMUNITY WEB-PHP Project Eros BBSEngine aolbonics.php access || bugtraq,18627
-100000552 || COMMUNITY WEB-PHP SmartSiteCMS inc_foot.php remote file include || bugtraq,18628
-100000553 || COMMUNITY WEB-PHP PHPMySMS gateway.php remote file include || bugtraq,18633
-100000554 || COMMUNITY WEB-PHP VebiMiau error.php xss attempt || bugtraq,18643
-100000555 || COMMUNITY WEB-PHP VebiMiau error.php xss attempt || bugtraq,18643
-100000556 || COMMUNITY WEB-PHP VebiMiau error.php xss attempt || bugtraq,18643
-100000557 || COMMUNITY WEB-PHP VebiMiau index.php xss attempt || bugtraq,18643
-100000558 || COMMUNITY WEB-PHP VebiMiau messages.php xss attempt || bugtraq,18643
-100000559 || COMMUNITY WEB-PHP Infinite Core Technologies ICT index.php SQL injection attempt || bugtraq,18644
-100000560 || COMMUNITY WEB-PHP eNpaper1 root_header.php remote file include || bugtraq,18649
-100000561 || COMMUNITY WEB-PHP dotProject ui.class.php xss attempt || bugtraq,18650
-100000562 || COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt || bugtraq,18651
-100000563 || COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt || bugtraq,18651
-100000564 || COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt || bugtraq,18651
-100000565 || COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt || bugtraq,18651
-100000566 || COMMUNITY WEB-PHP XennoBB messages.php xss attempt 
|| bugtraq,18652
-100000567 || COMMUNITY WEB-PHP Qdig index.php xss attempt || bugtraq,18653
-100000568 || COMMUNITY WEB-PHP Qdig index.php xss attempt || bugtraq,18653
-100000569 || COMMUNITY WEB-PHP Indexu app_change_email.php remote file include || bugtraq,18477
-100000570 || COMMUNITY WEB-PHP Indexu app_change_pwd.php remote file include || bugtraq,18477
-100000571 || COMMUNITY WEB-PHP Indexu app_mod_rewrite.php remote file include || bugtraq,18477
-100000572 || COMMUNITY WEB-PHP Indexu app_page_caching.php remote file include || bugtraq,18477
-100000573 || COMMUNITY WEB-PHP Indexu app_setup.php remote file include || bugtraq,18477
-100000574 || COMMUNITY WEB-PHP Indexu cat_add.php remote file include || bugtraq,18477
-100000575 || COMMUNITY WEB-PHP Indexu cat_delete.php remote file include || bugtraq,18477
-100000576 || COMMUNITY WEB-PHP Indexu cat_edit.php remote file include || bugtraq,18477
-100000577 || COMMUNITY WEB-PHP Indexu cat_path_update.php remote file include || bugtraq,18477
-100000578 || COMMUNITY WEB-PHP Indexu cat_search.php remote file include || bugtraq,18477
-100000579 || COMMUNITY WEB-PHP Indexu cat_struc.php remote file include || bugtraq,18477
-100000580 || COMMUNITY WEB-PHP Indexu cat_view.php remote file include || bugtraq,18477
-100000581 || COMMUNITY WEB-PHP Indexu cat_view_hidden.php remote file include || bugtraq,18477
-100000582 || COMMUNITY WEB-PHP Indexu cat_view_hierarchy.php remote file include || bugtraq,18477
-100000583 || COMMUNITY WEB-PHP Indexu cat_view_registered_only.php remote file include || bugtraq,18477
-100000584 || COMMUNITY WEB-PHP Indexu checkurl_web.php remote file include || bugtraq,18477
-100000585 || COMMUNITY WEB-PHP Indexu db_alter.php remote file include || bugtraq,18477
-100000586 || COMMUNITY WEB-PHP Indexu db_alter_change.php remote file include || bugtraq,18477
-100000587 || COMMUNITY WEB-PHP Indexu db_backup.php remote file include || bugtraq,18477
-100000588 || COMMUNITY WEB-PHP Indexu db_export.php 
remote file include || bugtraq,18477
-100000589 || COMMUNITY WEB-PHP Indexu db_import.php remote file include || bugtraq,18477
-100000590 || COMMUNITY WEB-PHP Indexu editor_add.php remote file include || bugtraq,18477
-100000591 || COMMUNITY WEB-PHP Indexu editor_delete.php remote file include || bugtraq,18477
-100000592 || COMMUNITY WEB-PHP Indexu editor_validate.php remote file include || bugtraq,18477
-100000593 || COMMUNITY WEB-PHP Indexu head.php remote file include || bugtraq,18477
-100000594 || COMMUNITY WEB-PHP Indexu index.php remote file include || bugtraq,18477
-100000595 || COMMUNITY WEB-PHP Indexu inv_config.php remote file include || bugtraq,18477
-100000596 || COMMUNITY WEB-PHP Indexu inv_config_payment.php remote file include || bugtraq,18477
-100000597 || COMMUNITY WEB-PHP Indexu inv_create.php remote file include || bugtraq,18477
-100000598 || COMMUNITY WEB-PHP Indexu inv_delete.php remote file include || bugtraq,18477
-100000599 || COMMUNITY WEB-PHP Indexu inv_edit.php remote file include || bugtraq,18477
-100000600 || COMMUNITY WEB-PHP Indexu inv_markpaid.php remote file include || bugtraq,18477
-100000601 || COMMUNITY WEB-PHP Indexu inv_markunpaid.php remote file include || bugtraq,18477
-100000602 || COMMUNITY WEB-PHP Indexu inv_overdue.php remote file include || bugtraq,18477
-100000603 || COMMUNITY WEB-PHP Indexu inv_paid.php remote file include || bugtraq,18477
-100000604 || COMMUNITY WEB-PHP Indexu inv_send.php remote file include || bugtraq,18477
-100000605 || COMMUNITY WEB-PHP Indexu inv_unpaid.php remote file include || bugtraq,18477
-100000606 || COMMUNITY WEB-PHP Indexu lang_modify.php remote file include || bugtraq,18477
-100000607 || COMMUNITY WEB-PHP Indexu link_add.php remote file include || bugtraq,18477
-100000608 || COMMUNITY WEB-PHP Indexu link_bad.php remote file include || bugtraq,18477
-100000609 || COMMUNITY WEB-PHP Indexu link_bad_delete.php remote file include || bugtraq,18477
-100000610 || COMMUNITY WEB-PHP Indexu 
link_checkurl.php remote file include || bugtraq,18477
-100000611 || COMMUNITY WEB-PHP Indexu link_delete.php remote file include || bugtraq,18477
-100000612 || COMMUNITY WEB-PHP Indexu link_duplicate.php remote file include || bugtraq,18477
-100000613 || COMMUNITY WEB-PHP Indexu link_edit.php remote file include || bugtraq,18477
-100000614 || COMMUNITY WEB-PHP Indexu link_premium_listing.php remote file include || bugtraq,18477
-100000615 || COMMUNITY WEB-PHP Indexu link_premium_sponsored.php remote file include || bugtraq,18477
-100000616 || COMMUNITY WEB-PHP Indexu link_search.php remote file include || bugtraq,18477
-100000617 || COMMUNITY WEB-PHP Indexu link_sponsored_listing.php remote file include || bugtraq,18477
-100000618 || COMMUNITY WEB-PHP Indexu link_validate.php remote file include || bugtraq,18477
-100000619 || COMMUNITY WEB-PHP Indexu link_validate_edit.php remote file include || bugtraq,18477
-100000620 || COMMUNITY WEB-PHP Indexu link_view.php remote file include || bugtraq,18477
-100000621 || COMMUNITY WEB-PHP Indexu log_search.php remote file include || bugtraq,18477
-100000622 || COMMUNITY WEB-PHP Indexu mail_modify.php remote file include || bugtraq,18477
-100000623 || COMMUNITY WEB-PHP Indexu menu.php remote file include || bugtraq,18477
-100000624 || COMMUNITY WEB-PHP Indexu message_create.php remote file include || bugtraq,18477
-100000625 || COMMUNITY WEB-PHP Indexu message_delete.php remote file include || bugtraq,18477
-100000626 || COMMUNITY WEB-PHP Indexu message_edit.php remote file include || bugtraq,18477
-100000627 || COMMUNITY WEB-PHP Indexu message_send.php remote file include || bugtraq,18477
-100000628 || COMMUNITY WEB-PHP Indexu message_subscriber.php remote file include || bugtraq,18477
-100000629 || COMMUNITY WEB-PHP Indexu message_view.php remote file include || bugtraq,18477
-100000630 || COMMUNITY WEB-PHP Indexu review_validate.php remote file include || bugtraq,18477
-100000631 || COMMUNITY WEB-PHP Indexu 
review_validate_edit.php remote file include || bugtraq,18477
-100000632 || COMMUNITY WEB-PHP Indexu summary.php remote file include || bugtraq,18477
-100000633 || COMMUNITY WEB-PHP Indexu template_active.php remote file include || bugtraq,18477
-100000634 || COMMUNITY WEB-PHP Indexu template_add_custom.php remote file include || bugtraq,18477
-100000635 || COMMUNITY WEB-PHP Indexu template_delete.php remote file include || bugtraq,18477
-100000636 || COMMUNITY WEB-PHP Indexu template_delete_file.php remote file include || bugtraq,18477
-100000637 || COMMUNITY WEB-PHP Indexu template_duplicate.php remote file include || bugtraq,18477
-100000638 || COMMUNITY WEB-PHP Indexu template_export.php remote file include || bugtraq,18477
-100000639 || COMMUNITY WEB-PHP Indexu template_import.php remote file include || bugtraq,18477
-100000640 || COMMUNITY WEB-PHP Indexu template_manager.php remote file include || bugtraq,18477
-100000641 || COMMUNITY WEB-PHP Indexu template_modify.php remote file include || bugtraq,18477
-100000642 || COMMUNITY WEB-PHP Indexu template_modify_file.php remote file include || bugtraq,18477
-100000643 || COMMUNITY WEB-PHP Indexu template_rename.php remote file include || bugtraq,18477
-100000644 || COMMUNITY WEB-PHP Indexu user_add.php remote file include || bugtraq,18477
-100000645 || COMMUNITY WEB-PHP Indexu user_delete.php remote file include || bugtraq,18477
-100000646 || COMMUNITY WEB-PHP Indexu user_edit.php remote file include || bugtraq,18477
-100000647 || COMMUNITY WEB-PHP Indexu user_search.php remote file include || bugtraq,18477
-100000648 || COMMUNITY WEB-PHP Indexu whos.php remote file include || bugtraq,18477
-100000649 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
-100000650 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
-100000651 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
-100000652 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss 
attempt || bugtraq,18582
-100000653 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
-100000654 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
-100000655 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
-100000656 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
-100000657 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
-100000658 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
-100000659 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
-100000660 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
-100000661 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
-100000662 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
-100000663 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
-100000664 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
-100000665 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
-100000666 || COMMUNITY WEB-PHP Harpia files.php remote file include || bugtraq,18614
-100000667 || COMMUNITY WEB-PHP Harpia files.php remote file include || bugtraq,18614
-100000668 || COMMUNITY WEB-PHP Harpia pheader.php remote file include || bugtraq,18614
-100000669 || COMMUNITY WEB-PHP Harpia headlines.php remote file include || bugtraq,18614
-100000670 || COMMUNITY WEB-PHP Harpia web_statsConfig.php remote file include || bugtraq,18614
-100000671 || COMMUNITY WEB-PHP Harpia preload.php remote file include || bugtraq,18614
-100000672 || COMMUNITY WEB-PHP Harpia users.php remote file include || bugtraq,18614
-100000673 || COMMUNITY WEB-PHP Harpia web_statsConfig.php remote file include || bugtraq,18614
-100000674 || COMMUNITY WEB-PHP Harpia footer.php remote file include || bugtraq,18614
-100000675 || 
COMMUNITY WEB-PHP Harpia pfooter.php remote file include || bugtraq,18614
-100000676 || COMMUNITY WEB-PHP Harpia missing.php remote file include || bugtraq,18614
-100000677 || COMMUNITY WEB-PHP Harpia topics.php remote file include || bugtraq,18614
-100000678 || COMMUNITY WEB-PHP Harpia header.php remote file include || bugtraq,18614
-100000679 || COMMUNITY WEB-PHP Harpia index.php remote file include || bugtraq,18614
-100000680 || COMMUNITY WEB-PHP Harpia search.php remote file include || bugtraq,18614
-100000681 || COMMUNITY WEB-PHP Harpia header.php remote file include || bugtraq,18614
-100000682 || COMMUNITY WEB-PHP Harpia email.php remote file include || bugtraq,18614
-100000683 || COMMUNITY WEB-PHP cPanel select.html xss attempt || bugtraq,18655
-100000684 || COMMUNITY VIRUS OutBound Dremn Trojan Beacon || url,symantec.com/avcenter/venc/data/trojan.dremn.html
-100000685 || COMMUNITY VIRUS Answering Dremn Trojan Server || url,symantec.com/avcenter/venc/data/trojan.dremn.html
-100000686 || COMMUNITY DOS EnergyMech parse_notice vulnerability - inbound || bugtraq,18664
-100000687 || COMMUNITY DOS EnergyMech parse_notice vulnerability - outbound || bugtraq,18664
-100000688 || COMMUNITY POLICY Ajax Remote Desktop Connection || url,www.peterdamen.com/ajaxrd/
-100000689 || COMMUNITY SMTP Mytob MAIL FROM Attempt || url,www.symantec.com/avcenter/venc/data/w32.mytob@mm.html
-100000690 || COMMUNITY SQL-INJECTION BXCP Sql Injection attempt || bugtraq,18765 || url,www.milw0rm.com/exploits/1975
-100000691 || COMMUNITY SQL-INJECTION Diesel Joke Script Sql Injection attempt || bugtraq,18760
-100000692 || COMMUNITY WEB-CLIENT midi file download attempt || bugtraq,18507
-100000693 || COMMUNITY WEB-CLIENT winamp midi file header overflow attempt || bugtraq,18507
-100000694 || COMMUNITY WEB-MISC VCard PRO gbrowse.php SQL injection attempt || bugtraq,18699
-100000695 || COMMUNITY WEB-MISC VCard PRO rating.php SQL injection attempt || bugtraq,18699
-100000696 || COMMUNITY WEB-MISC 
VCard PRO create.php SQL injection attempt || bugtraq,18699
-100000697 || COMMUNITY WEB-MISC VCard PRO search.php SQL injection attempt || bugtraq,18699
-100000698 || COMMUNITY WEB-MISC BXCP index.php SQL injection attempt || bugtraq,18765
-100000699 || COMMUNITY WEB-MISC Vincent Leclercq News diver.php xss attempt || bugtraq,18775
-100000700 || COMMUNITY WEB-MISC Vincent Leclercq News diver.php xss attempt || bugtraq,18775
-100000701 || COMMUNITY WEB-MISC WordPress index.php SQL injection attempt || bugtraq,18779
-100000702 || COMMUNITY WEB-MISC Webvizyon SayfalaAltList.asp MSSQL injection attempt || bugtraq,18899
-100000703 || COMMUNITY WEB-PHP Horde index.php show XSS attempt || bugtraq,18845
-100000704 || COMMUNITY WEB-PHP SmartSiteCMS comment.php remote file include || bugtraq,18697
-100000705 || COMMUNITY WEB-PHP SmartSiteCMS test.php remote file include || bugtraq,18697
-100000706 || COMMUNITY WEB-PHP SmartSiteCMS index.php remote file include || bugtraq,18697
-100000707 || COMMUNITY WEB-PHP SmartSiteCMS inc_adminfoot.php remote file include || bugtraq,18697
-100000708 || COMMUNITY WEB-PHP SmartSiteCMS comedit.php remote file include || bugtraq,18697
-100000709 || COMMUNITY WEB-PHP SquirrelMail search.php xss attempt || bugtraq,18700
-100000710 || COMMUNITY WEB-PHP Xoops MyAds Module annonces-p-f.php SQL injection attempt || bugtraq,18718
-100000711 || COMMUNITY WEB-PHP PHPRaid raids.php remote file include || bugtraq,18719
-100000712 || COMMUNITY WEB-PHP PHPRaid register.php remote file include || bugtraq,18719
-100000713 || COMMUNITY WEB-PHP PHPRaid roster.php remote file include || bugtraq,18719
-100000714 || COMMUNITY WEB-PHP PHPRaid view.php remote file include || bugtraq,18719
-100000715 || COMMUNITY WEB-PHP PHPRaid logs.php remote file include || bugtraq,18719
-100000716 || COMMUNITY WEB-PHP PHPRaid users.php remote file include || bugtraq,18719
-100000717 || COMMUNITY WEB-PHP PHPRaid configuration.php remote file include || bugtraq,18719
-100000718 
|| COMMUNITY WEB-PHP PHPRaid guilds.php remote file include || bugtraq,18719
-100000719 || COMMUNITY WEB-PHP PHPRaid index.php remote file include || bugtraq,18719
-100000720 || COMMUNITY WEB-PHP PHPRaid locations.php remote file include || bugtraq,18719
-100000721 || COMMUNITY WEB-PHP PHPRaid login.php remote file include || bugtraq,18719
-100000722 || COMMUNITY WEB-PHP PHPRaid lua_output.php remote file include || bugtraq,18719
-100000723 || COMMUNITY WEB-PHP PHPRaid permissions.php remote file include || bugtraq,18719
-100000724 || COMMUNITY WEB-PHP PHPRaid profile.php remote file include || bugtraq,18719
-100000725 || COMMUNITY WEB-PHP PHPRaid view.php SQL injection attempt || bugtraq,18720
-100000726 || COMMUNITY WEB-PHP Vincent-Leclercq News diver.php SQL injection attempt || bugtraq,18729
-100000727 || COMMUNITY WEB-PHP Softbiz Banner Exchange insertmember.php xss attempt || bugtraq,18735
-100000728 || COMMUNITY WEB-PHP Geeklog functions.inc remote file include || bugtraq,18740
-100000729 || COMMUNITY WEB-PHP Geeklog functions.inc remote file include || bugtraq,18740
-100000730 || COMMUNITY WEB-PHP Geeklog BlackList.Examine.class.php remote file include || bugtraq,18740
-100000731 || COMMUNITY WEB-PHP Geeklog DeleteComment.Action.class.php remote file include || bugtraq,18740
-100000732 || COMMUNITY WEB-PHP Geeklog EditIPofURL.Admin.class.php remote file include || bugtraq,18740
-100000733 || COMMUNITY WEB-PHP Geeklog MTBlackList.Examine.class.php remote file include || bugtraq,18740
-100000734 || COMMUNITY WEB-PHP Geeklog MassDelete.Admin.class.php remote file include || bugtraq,18740
-100000735 || COMMUNITY WEB-PHP Geeklog MailAdmin.Action.class.php remote file include || bugtraq,18740
-100000736 || COMMUNITY WEB-PHP Geeklog MassDelTrackback.Admin.class.php remote file include || bugtraq,18740
-100000737 || COMMUNITY WEB-PHP Geeklog EditHeader.Admin.class.php remote file include || bugtraq,18740
-100000738 || COMMUNITY WEB-PHP Geeklog 
EditIP.Admin.class.php remote file include || bugtraq,18740
-100000739 || COMMUNITY WEB-PHP Geeklog IPofUrl.Examine.class.php remote file include || bugtraq,18740
-100000740 || COMMUNITY WEB-PHP Geeklog Import.Admin.class.php remote file include || bugtraq,18740
-100000741 || COMMUNITY WEB-PHP Geeklog LogView.Admin.class.php remote file include || bugtraq,18740
-100000742 || COMMUNITY WEB-PHP Geeklog functions.inc remote file include || bugtraq,18740
-100000743 || COMMUNITY WEB-PHP Plume CMS dbinstall.php remote file include || bugtraq,18750
-100000744 || COMMUNITY WEB-PHP MyNewsGroups tree.php SQL injection attempt || bugtraq,18757
-100000745 || COMMUNITY WEB-PHP Diesel Joke Site category.php SQL injection attempt || bugtraq,18760
-100000746 || COMMUNITY WEB-PHP Randshop header.inc.php remote file include || bugtraq,18763
-100000747 || COMMUNITY WEB-PHP Plume CMS index.php remote file include || bugtraq,18780
-100000748 || COMMUNITY WEB-PHP Plume CMS rss.php remote file include || bugtraq,18780
-100000749 || COMMUNITY WEB-PHP Plume CMS search.php remote file include || bugtraq,18780
-100000750 || COMMUNITY WEB-PHP Free QBoard index.php remote file include || bugtraq,18788
-100000751 || COMMUNITY WEB-PHP Free QBoard about.php remote file include || bugtraq,18788
-100000752 || COMMUNITY WEB-PHP Free QBoard contact.php remote file include || bugtraq,18788
-100000753 || COMMUNITY WEB-PHP Free QBoard delete.php remote file include || bugtraq,18788
-100000754 || COMMUNITY WEB-PHP Free QBoard faq.php remote file include || bugtraq,18788
-100000755 || COMMUNITY WEB-PHP Free QBoard features.php remote file include || bugtraq,18788
-100000756 || COMMUNITY WEB-PHP Free QBoard history.php remote file include || bugtraq,18788
-100000757 || COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt || bugtraq,18791
-100000758 || COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt || bugtraq,18791
-100000759 || COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt || 
bugtraq,18791
-100000760 || COMMUNITY WEB-PHP The Banner Engine top.php xss attempt || bugtraq,18793
-100000761 || COMMUNITY WEB-PHP PHPWebGallery comments.php xss attempt || bugtraq,18798
-100000762 || COMMUNITY WEB-PHP Randshop index.php remote file include || bugtraq,18809
-100000763 || COMMUNITY WEB-PHP Kamikaze-QSCM config.inc access || bugtraq,18816
-100000764 || COMMUNITY WEB-PHP MyPHP CMS global_header.php remote file include || bugtraq,18834
-100000765 || COMMUNITY WEB-PHP LifeType index.php SQL injection attempt || bugtraq,18835
-100000766 || COMMUNITY WEB-PHP Blog CMS thumb.php remote file include || bugtraq,18837
-100000767 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
-100000768 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
-100000769 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
-100000770 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
-100000771 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
-100000772 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
-100000773 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
-100000774 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
-100000775 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
-100000776 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
-100000777 || COMMUNITY WEB-PHP Blog CMS action.php SQL injection attempt || bugtraq,18839
-100000778 || COMMUNITY WEB-PHP PHPMailList maillist.php xss attempt || bugtraq,18840
-100000779 || COMMUNITY WEB-PHP Horde index.php xss attempt || bugtraq,18845
-100000780 || COMMUNITY WEB-PHP Horde problem.php xss attempt || bugtraq,18845
-100000781 || COMMUNITY WEB-PHP Horde go.php xss attempt || bugtraq,18845
-100000782 || COMMUNITY WEB-PHP Horde go.php xss attempt || 
bugtraq,18845
-100000783 || COMMUNITY WEB-PHP ATutor create_course.php xss attempt || bugtraq,18857
-100000784 || COMMUNITY WEB-PHP ATutor create_course.php xss attempt || bugtraq,18857
-100000785 || COMMUNITY WEB-PHP ATutor password_reminder.php xss attempt || bugtraq,18857
-100000786 || COMMUNITY WEB-PHP ATutor browse.php xss attempt || bugtraq,18857
-100000787 || COMMUNITY WEB-PHP ATutor fix_content.php xss attempt || bugtraq,18857
-100000788 || COMMUNITY WEB-PHP FreeWebshop search.php xss attempt || bugtraq,18878
-100000789 || COMMUNITY WEB-PHP FreeWebshop details.php SQL injection attempt || bugtraq,18878
-100000790 || COMMUNITY WEB-PHP Pivot edit_new.php remote file include || bugtraq,18881
-100000791 || COMMUNITY WEB-PHP Pivot pv_core.php access || bugtraq,18881
-100000792 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
-100000793 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
-100000794 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
-100000795 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
-100000796 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
-100000797 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
-100000798 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
-100000799 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
-100000800 || COMMUNITY WEB-PHP Pivot editor_menu.php xss attempt || bugtraq,18881
-100000801 || COMMUNITY WEB-PHP Pivot editor_menu.php xss attempt || bugtraq,18881
-100000802 || COMMUNITY WEB-PHP BosClassifieds index.php remote file include || bugtraq,18883
-100000803 || COMMUNITY WEB-PHP BosClassifieds recent.php remote file include || bugtraq,18883
-100000804 || COMMUNITY WEB-PHP BosClassifieds account.php remote file include || bugtraq,18883
-100000805 || COMMUNITY WEB-PHP BosClassifieds classified.php remote file include || bugtraq,18883
-100000806 || COMMUNITY 
WEB-PHP BosClassifieds search.php remote file include || bugtraq,18883
-100000807 || COMMUNITY WEB-PHP CommonSense search.php SQL injection attempt || bugtraq,18893
-100000808 || COMMUNITY WEB-PHP AjaxPortal ajaxp.php SQL injection attempt || bugtraq,18897
-100000809 || COMMUNITY WEB-PHP RW Download stats.php remote file include || bugtraq,18901
-100000810 || COMMUNITY WEB-PHP PHPBB download.php remote file include || bugtraq,18914
-100000811 || COMMUNITY WEB-PHP PHPBB attach_rules.php remote file include || bugtraq,18914
-100000812 || COMMUNITY WEB-PHP SimpleBoard SBP index.php remote file include || bugtraq,18917
-100000813 || COMMUNITY WEB-PHP SimpleBoard SBP file_upload.php remote file include || bugtraq,18917
-100000814 || COMMUNITY WEB-PHP SimpleBoard SBP image_upload.php remote file include || bugtraq,18917
-100000815 || COMMUNITY WEB-PHP SimpleBoard SBP performs.php remote file include || bugtraq,18917
-100000816 || COMMUNITY WEB-PHP PC_CookBook pccookbook.php remote file include || bugtraq,18919
-100000817 || COMMUNITY WEB-PHP SMF Forum smf.php remote file include || bugtraq,18924
-100000818 || COMMUNITY WEB-PHP Graffiti Forums topics.php SQL injection attempt || bugtraq,18928
-100000819 || COMMUNITY DELETED PhpWebGallery XSS attempt
-100000820 || COMMUNITY WEB-PHP SaPHPLesson add.php SQL injection attempt || bugtraq,18934
-100000821 || COMMUNITY WEB-PHP VBZooM sub-join.php SQL injection attempt || bugtraq,18937
-100000822 || COMMUNITY WEB-PHP VBZooM reply.php SQL injection attempt || bugtraq,18937
-100000823 || COMMUNITY WEB-PHP VBZooM ignore-pm.php SQL injection attempt || bugtraq,18937
-100000824 || COMMUNITY WEB-PHP VBZooM sendmail.php SQL injection attempt || bugtraq,18937
-100000825 || COMMUNITY WEB-PHP Phorum posting.php xss attempt || bugtraq,18941
-100000826 || COMMUNITY WEB-PHP Phorum search.php SQL injection attempt || bugtraq,18941
-100000827 || COMMUNITY WEB-PHP HiveMail address.view.php xss attempt || bugtraq,18949
-100000828 || COMMUNITY 
WEB-PHP HiveMail address.view.php xss attempt || bugtraq,18949
-100000829 || COMMUNITY WEB-PHP HiveMail address.view.php xss attempt || bugtraq,18949
-100000830 || COMMUNITY WEB-PHP HiveMail index.php xss attempt || bugtraq,18949
-100000831 || COMMUNITY WEB-PHP HiveMail compose.email.php xss attempt || bugtraq,18949
-100000832 || COMMUNITY WEB-PHP HiveMail read.markas.php xss attempt || bugtraq,18949
-100000833 || COMMUNITY WEB-PHP HiveMail search.results.php SQL injection attempt || bugtraq,18949
-100000834 || COMMUNITY WEB-PHP Lazarus codes-english.php xss attempt || bugtraq,18956
-100000835 || COMMUNITY WEB-PHP Lazarus picture.php xss attempt || bugtraq,18956
-100000836 || COMMUNITY WEB-PHP MiniBB com_minibb.php remote file include || bugtraq,18998
-100000837 || COMMUNITY WEB-PHP MiniBB index.php remote file include || bugtraq,18998
-100000838 || COMMUNITY WEB-PHP PhotoCycle photocycle.php xss attempt || bugtraq,18964
-100000839 || COMMUNITY WEB-PHP PHP Event Calendar calendar.php remote file include || bugtraq,18965
-100000840 || COMMUNITY WEB-PHP FlatNuke index.php remote file include || bugtraq,18966
-100000841 || COMMUNITY WEB-PHP PerForms performs.php remote file include || bugtraq,18968
-100000842 || COMMUNITY WEB-PHP PHPBB 3 memberlist.php SQL injection attempt || bugtraq,18969
-100000843 || COMMUNITY WEB-PHP Koobi Pro index.php xss attempt || bugtraq,18970
-100000844 || COMMUNITY WEB-PHP Koobi Pro index.php SQL injection attempt || bugtraq,18970
-100000845 || COMMUNITY WEB-PHP Invision Power Board ipsclass.php SQL injection attempt || bugtraq,18984
-100000846 || COMMUNITY WEB-PHP Subberz Lite user-func.php remote file include || bugtraq,18990
-100000847 || COMMUNITY WEB-PHP Sitemap sitemap.xml.php remote file include || bugtraq,18991
-100000848 || COMMUNITY DELETED PhpWebGallery XSS attempt || bugtraq,18798
-100000849 || COMMUNITY WEB-PHP IceWarp include.php remote file include || bugtraq,19007
-100000850 || COMMUNITY WEB-PHP IceWarp include.php remote 
file include || bugtraq,19007
-100000851 || COMMUNITY WEB-PHP IceWarp include.php remote file include || bugtraq,19007
-100000852 || COMMUNITY WEB-PHP IceWarp include.php remote file include || bugtraq,19007
-100000853 || COMMUNITY WEB-PHP IceWarp settings.html remote file include || bugtraq,19007
-100000854 || COMMUNITY WEB-PHP ListMessenger listmessenger.php remote file include || bugtraq,19014
-100000855 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019
-100000856 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019
-100000857 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019
-100000858 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019
-100000859 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019
-100000860 || COMMUNITY WEB-PHP Francisco Charrua Photo-Gallery room.php SQL injection attempt || bugtraq,19020
-100000861 || COMMUNITY WEB-PHP FlushCMS class.rich.php remote file include || bugtraq,19023
-100000862 || COMMUNITY WEB-PHP FlushCMS class.rich.php remote file include || bugtraq,19023
-100000863 || COMMUNITY WEB-PHP PHPMyRing view_com.php SQL injection attempt || url,secunia.com/advisories/21451/
-100000864 || COMMUNITY WEB-CLIENT tsuserex.dll COM Object Instantiation Vulnerability || url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=14
-100000865 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s01 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html
-100000866 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s02 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html
-100000867 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s03 || url,www.powergap-shop.de || 
url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html
-100000868 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s04 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html
-100000869 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit sid variant || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html
-100000870 || COMMUNITY WEB-PHP powergap remote file inclusion exploit sid variant 2 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html
-100000871 || COMMUNITY WEB-PHP CubeCart XSS attack || url,retrogod.altervista.org/cubecart_3011_adv.html
-100000872 || COMMUNITY WEB-PHP CubeCart XSS attack || url,retrogod.altervista.org/cubecart_3011_adv.html
-100000873 || COMMUNITY WEB-PHP discloser 0.0.4 Remote File Inclusion
-100000874 || COMMUNITY MISC DLR-TOR Directory server response || url,tor.eff.org
-100000875 || COMMUNITY MISC DLR-TOR Client Traffic || url,tor.eff.org
-100000876 || COMMUNITY MISC Google Talk Version Check
-100000877 || COMMUNITY MISC Google Talk Startup
-100000878 || COMMUNITY WEB-CGI Roller Weblog XSS exploit || bugtraq,20045
-100000879 || COMMUNITY WEB-CGI Roller Weblog XSS exploit || bugtraq,20045
-100000880 || COMMUNITY WEB-CGI Roller Weblog XSS exploit || bugtraq,20045
-100000881 || COMMUNITY WEB-CLIENT ImageMagick SGI ZSIZE Header Information Overflow Attempt || bugtraq,19507 || cve,2006-4144
-100000882 || COMMUNITY WEB-PHP PHP Live Helper globals.php remote file include || bugtraq,19349
-100000883 || COMMUNITY WEB-PHP Inlink remote file inclusion exploit || url,milw0rm.com/exploits/2295
-100000884 || COMMUNITY WEB-MISC SimpleBlog Remote SQL Injection attempt || url,milw0rm.com/exploits/2296
-100000885 || COMMUNITY WEB-PHP pHNews access attempt || url,milw0rm.com/exploits/2298
-100000886 || COMMUNITY WEB-PHP Proxima access attempt || url,milw0rm.com/exploits/2299
-100000887 || COMMUNITY WEB-PHP pmwiki exploit attempt || 
url,milw0rm.com/exploits/2291 -100000888 || COMMUNITY WEB-PHP tikiwiki exploit attempt || url,milw0rm.com/exploits/2288 -100000889 || COMMUNITY WEB-PHP yappa-ng exploit attempt || url,milw0rm.com/exploits/2292 -100000890 || COMMUNITY WEB-MISC Webmin null char attempt || bugtraq,19820 || nessus,22300 -100000891 || COMMUNITY WEB-MISC Usermin null char attempt || bugtraq,19820 || nessus,22300 -100000892 || COMMUNITY MISC Q.931 Invalid Call Reference Length Buffer Overflow || url,www.ethereal.com/news/item_20050504_01.html || url,www.elook.org/internet/126.html -100000893 || COMMUNITY POLICY Weather Channel Desktop App Installer -100000894 || COMMUNITY POLICY Weather Channel Desktop App -100000895 || COMMUNITY WEB-MISC Blojsom Weblog blog-category-description xss attempt || url,www.kb.cert.org/vuls/id/425861 -100000896 || COMMUNITY WEB-MISC Blojsom Weblog blog-entry-title xss attempt || url,www.kb.cert.org/vuls/id/425861 -100000897 || COMMUNITY WEB-MISC Blojsom Weblog rss-enclosure-url xss attempt || url,www.kb.cert.org/vuls/id/425861 -100000898 || COMMUNITY WEB-MISC Blojsom Weblog technorati-tags xss attempt || url,www.kb.cert.org/vuls/id/425861 -100000899 || COMMUNITY WEB-MISC Blojsom Weblog blog-category-name xss attempt || url,www.kb.cert.org/vuls/id/425861 -100000900 || COMMUNITY BOT Mytob IRC DCC file transfer request || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99 -100000901 || COMMUNITY BOT Mytob IRC DCC chat request || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99 -100000902 || COMMUNITY BOT Mytob IRC channel join || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99 -100000903 || COMMUNITY BOT Mytob IRC dns request || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99 -100000904 || COMMUNITY BOT Mytob IRC dns response || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99 -100000905 || COMMUNITY BOT Mytob IRC nick change 
|| url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99 -100000906 || COMMUNITY WEB-PHP UBB.threads remote file include -100000907 || COMMUNITY WEB-PHP phpMyWebmin change_preferences2 script remote file include || url,www.securityfocus.com/bid/20281/info -100000908 || COMMUNITY WEB-PHP phpMyWebmin create_file script remote file include || url,www.securityfocus.com/bid/20281/info -100000909 || COMMUNITY WEB-PHP phpMyWebmin upload_local script remote file include || url,www.securityfocus.com/bid/20281/info -100000910 || COMMUNITY WEB-PHP phpMyWebmin upload_multi script remote file include || url,www.securityfocus.com/bid/20281/info -100000911 || COMMUNITY WEB-PHP Dayfox Blog adminlog.php module remote file include || url,www.securityfocus.com/archive/1/447500/30/0/threaded -100000912 || COMMUNITY WEB-PHP Dayfox Blog postblog.php module remote file include || url,www.securityfocus.com/archive/1/447500/30/0/threaded -100000913 || COMMUNITY WEB-PHP Dayfox Blog index.php module remote file include || url,www.securityfocus.com/archive/1/447500/30/0/threaded -100000914 || COMMUNITY WEB-PHP Dayfox Blog index2.php module remote file include || url,www.securityfocus.com/archive/1/447500/30/0/threaded -100000915 || COMMUNITY WEB-PHP Somery Include.php remote file include || bugtraq,19912 -100000916 || COMMUNITY WEB-PHP MyBulletinBoard Functions_Post.php xss attempt || bugtraq,19770 -100000917 || COMMUNITY WEB-PHP PHP-Dimension functions_kb.php remote file include attempt || bugtraq,20367 -100000918 || COMMUNITY WEB-PHP PHP-Dimension themen_portal_mitte.php remote include attempt || bugtraq,20367 -100000919 || COMMUNITY WEB-PHP Segue CMS themesettings.inc.php remote file include attempt || bugtraq,20640 || cve,2006-5497 || url,osvdb.org/29904 || nessus,22922 || url,www.milw0rm.com/exploits/2600 -100000920 || COMMUNITY WEB-PHP MiniBB bb_func_txt.php pathToFiles variable remote file include || bugtraq,20757 || url,osvdb.org/29971 || nessus,22926 -100000921 
|| COMMUNITY WEB-PHP PunBB register.php language variable remote file include || bugtraq,20786 || cve,2006-5735 || url,osvdb.org/30132 || nessus,22932 -100000922 || COMMUNITY WEB-PHP Etomite CMS index.php id variable SQL injection || bugtraq,21135 || url,osvdb.org/30442 || url,secunia.com/advisories/22885 -100000923 || COMMUNITY DOS Single-Byte UDP Flood -100000924 || COMMUNITY POLICY Google SafeSearch off -100000925 || COMMUNITY-WEB-PHP ADP Forum Attempted Password Recon || url,www.milw0rm.com/exploits/3053 -100000926 || COMMUNITY-WEB-PHP EasyNews PRO News Attempted Password Recon || url,www.milw0rm.com/exploits/3039 -100000927 || COMMUNITY MISC Microsoft Messenger phishing attempt - corrupted registry || url,www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx -100000928 || COMMUNITY EXPLOIT LANDesk Management Suite Alerting Service buffer overflow || bugtraq,23483 || cve,2007-1674 -100000929 || COMMUNITY WEB-PHP Xoops module Articles SQL Injection Exploit || url,www.securityfocus.com/archive/1/463916 -100000930 || COMMUNITY WEB-PHP Drake CMS 404.php Local File Include Vulnerability || bugtraq,23215 -100000931 || COMMUNITY WEB-PHP Softerra Time-Assistant remote include attempt || bugtraq,23203 -100000932 || COMMUNITY WEB-PHP Softerra Time-Assistant remote include attempt || bugtraq,23203 -100000933 || COMMUNITY WEB-PHP Aardvark button/settings_sql.php File Include Vulnerability || url,securityfocus.com/archive/1/464351 -100000934 || COMMUNITY WEB-PHP Aardvark button/new_day.php File Include Vulnerability || url,securityfocus.com/archive/1/464351 diff -Nru snort-2.8.5.2/etc/gen-msg.map snort-2.9.2/etc/gen-msg.map --- snort-2.8.5.2/etc/gen-msg.map 2009-12-15 23:27:51.000000000 +0000 +++ snort-2.9.2/etc/gen-msg.map 2011-11-21 20:15:24.000000000 +0000 
@@ -40,7 +40,7 @@
 111 || 5 || spp_stream4: Data on SYN Packet
 111 || 6 || spp_stream4: Full XMAS Stealth Scan
 111 || 7 || spp_stream4: SAPU Stealth Scan
-111 || 8 || spp_stream4: FIN Stealth Scan
+111 || 8 || spp_stream4: FIN Stealth Scan
 111 || 9 || spp_stream4: NULL Stealth Scan
 111 || 10 || spp_stream4: NMAP XMAS Stealth Scan
 111 || 11 || spp_stream4: VECNA Stealth Scan
@@ -81,79 +81,151 @@
 115 || 3 || spp_asn1: ASN.1 oversized item, possible overflow
 115 || 4 || spp_asn1: ASN.1 spec violation, possible overflow
 115 || 5 || spp_asn1: ASN.1 Attack: Datum length > packet length
-116 || 1 || snort_decoder: Not IPv4 datagram!
-116 || 2 || snort_decoder: WARNING: hlen < IP_HEADER_LEN!
-116 || 3 || snort_decoder: WARNING: IP dgm len < IP Hdr len!
-116 || 4 || snort_decoder: Bad IPv4 Options
-116 || 5 || snort_decoder: Truncated IPv4 Options
-116 || 6 || snort_decoder: WARNING: IP dgm len > captured len!
-116 || 45 || snort_decoder: TCP packet len is smaller than 20 bytes!
-116 || 46 || snort_decoder: TCP Data Offset is less than 5!
-116 || 47 || snort_decoder: TCP Data Offset is longer than payload!
-116 || 54 || snort_decoder: Tcp Options found with bad lengths
-116 || 55 || snort_decoder: Truncated Tcp Options
-116 || 56 || snort_decoder: T/TCP Detected
-116 || 57 || snort_decoder: Obsolete TCP options
-116 || 58 || snort_decoder: Experimental TCP options
-116 || 59 || snort_decoder: TCP Window Scale Option Scale Invalid (> 14)
-116 || 95 || snort_decoder: Truncated UDP Header!
-116 || 96 || snort_decoder: Invalid UDP header, length field < 8
-116 || 97 || snort_decoder: Short UDP packet, length field > payload length
-116 || 98 || snort_decoder: Long UDP packet, length field < payload length
-116 || 105 || snort_decoder: ICMP Header Truncated!
-116 || 106 || snort_decoder: ICMP Timestamp Header Truncated!
-116 || 107 || snort_decoder: ICMP Address Header Truncated!
-116 || 108 || snort_decoder: Unknown Datagram decoding problem!
-116 || 109 || snort_decoder: Truncated ARP Packet!
-116 || 110 || snort_decoder: Truncated EAP Header!
-116 || 111 || snort_decoder: EAP Key Truncated!
-116 || 112 || snort_decoder: EAP Header Truncated!
-116 || 120 || snort_decoder: WARNING: Bad PPPOE frame detected!
-116 || 130 || snort_decoder: WARNING: Bad VLAN Frame!
-116 || 131 || snort_decoder: WARNING: Bad LLC header!
-116 || 132 || snort_decoder: WARNING: Bad Extra LLC Info!
-116 || 133 || snort_decoder: WARNING: Bad 802.11 LLC header!
-116 || 134 || snort_decoder: WARNING: Bad 802.11 Extra LLC Info!
-116 || 140 || snort_decoder: WARNING: Bad Token Ring Header!
-116 || 141 || snort_decoder: WARNING: Bad Token Ring ETHLLC Header!
-116 || 142 || snort_decoder: WARNING: Bad Token Ring MRLEN Header!
-116 || 143 || snort_decoder: WARNING: Bad Token Ring MR Header!
-116 || 150 || snort_decoder: Bad Traffic Loopback IP!
-116 || 151 || snort_decoder: Bad Traffic Same Src/Dst IP!
+116 || 1 || snort_decoder: WARNING: Not IPv4 datagram
+116 || 2 || snort_decoder: WARNING: hlen < IP_HEADER_LEN
+116 || 3 || snort_decoder: WARNING: IP dgm len < IP Hdr len
+116 || 4 || snort_decoder: WARNING: Bad IPv4 Options
+116 || 5 || snort_decoder: WARNING: Truncated IPv4 Options
+116 || 6 || snort_decoder: WARNING: IP dgm len > captured len
+116 || 45 || snort_decoder: WARNING: TCP packet len is smaller than 20 bytes
+116 || 46 || snort_decoder: WARNING: TCP Data Offset is less than 5
+116 || 47 || snort_decoder: WARNING: TCP Data Offset is longer than payload
+116 || 54 || snort_decoder: WARNING: Tcp Options found with bad lengths
+116 || 55 || snort_decoder: WARNING: Truncated Tcp Options
+116 || 56 || snort_decoder: WARNING: T/TCP Detected
+116 || 57 || snort_decoder: WARNING: Obsolete TCP options
+116 || 58 || snort_decoder: WARNING: Experimental TCP options
+116 || 59 || snort_decoder: WARNING: TCP Window Scale Option Scale Invalid (> 14)
+116 || 95 || snort_decoder: WARNING: Truncated UDP Header
+116 || 96 || snort_decoder: WARNING: Invalid UDP header, length field < 8
+116 || 97 || snort_decoder: WARNING: Short UDP packet, length field > payload length
+116 || 98 || snort_decoder: WARNING: Long UDP packet, length field < payload length
+116 || 105 || snort_decoder: WARNING: ICMP Header Truncated
+116 || 106 || snort_decoder: WARNING: ICMP Timestamp Header Truncated
+116 || 107 || snort_decoder: WARNING: ICMP Address Header Truncated
+116 || 108 || snort_decoder: WARNING: Unknown Datagram decoding problem
+116 || 109 || snort_decoder: WARNING: Truncated ARP Packet
+116 || 110 || snort_decoder: WARNING: Truncated EAP Header
+116 || 111 || snort_decoder: WARNING: EAP Key Truncated
+116 || 112 || snort_decoder: WARNING: EAP Header Truncated
+116 || 120 || snort_decoder: WARNING: Bad PPPOE frame detected
+116 || 130 || snort_decoder: WARNING: Bad VLAN Frame
+116 || 131 || snort_decoder: WARNING: Bad LLC header
+116 || 132 || snort_decoder: WARNING: Bad Extra LLC Info
+116 || 133 || snort_decoder: WARNING: Bad 802.11 LLC header
+116 || 134 || snort_decoder: WARNING: Bad 802.11 Extra LLC Info
+116 || 140 || snort_decoder: WARNING: Bad Token Ring Header
+116 || 141 || snort_decoder: WARNING: Bad Token Ring ETHLLC Header
+116 || 142 || snort_decoder: WARNING: Bad Token Ring MRLEN Header
+116 || 143 || snort_decoder: WARNING: Bad Token Ring MR Header
+116 || 150 || snort_decoder: WARNING: Bad Traffic Loopback IP
+116 || 151 || snort_decoder: WARNING: Bad Traffic Same Src/Dst IP
 116 || 160 || snort_decoder: WARNING: GRE header length > payload length
 116 || 161 || snort_decoder: WARNING: Multiple encapsulations in packet
 116 || 162 || snort_decoder: WARNING: Invalid GRE version
 116 || 163 || snort_decoder: WARNING: Invalid GRE v.0 header
 116 || 164 || snort_decoder: WARNING: Invalid GRE v.1 PPTP header
 116 || 165 || snort_decoder: WARNING: GRE Trans header length > payload length
-116 || 170 || snort_decoder: Bad MPLS Frame
-116 || 171 || snort_decoder: MPLS Label 0 Appears in Nonbottom Header
-116 || 172 || snort_decoder: MPLS Label 1 Appears in Bottom Header
-116 || 173 || snort_decoder: MPLS Label 2 Appears in Nonbottom Header
-116 || 174 || snort_decoder: Bad use of label 3
-116 || 175 || snort_decoder: MPLS Label 4, 5,.. or 15 Appears in Header
-116 || 176 || snort_decoder: Too Many MPLS headers
-116 || 250 || snort_decoder: WARNING: ICMP Original IP Header Truncated!
-116 || 251 || snort_decoder: WARNING: ICMP Original IP Header Not IPv4!
-116 || 252 || snort_decoder: WARNING: ICMP Original Datagram Length < Original IP Header Length!
-116 || 253 || snort_decoder: WARNING: ICMP Original IP Payload < 64 bits!
-116 || 254 || snort_decoder: WARNING: ICMP Original IP Payload > 576 bytes!
-116 || 255 || snort_decoder: WARNING: ICMP Original IP Fragmented and Offset Not 0!
+116 || 170 || snort_decoder: WARNING: Bad MPLS Frame
+116 || 171 || snort_decoder: WARNING: MPLS Label 0 Appears in Nonbottom Header
+116 || 172 || snort_decoder: WARNING: MPLS Label 1 Appears in Bottom Header
+116 || 173 || snort_decoder: WARNING: MPLS Label 2 Appears in Nonbottom Header
+116 || 174 || snort_decoder: WARNING: Bad use of label 3
+116 || 175 || snort_decoder: WARNING: MPLS Label 4, 5,.. or 15 Appears in Header
+116 || 176 || snort_decoder: WARNING: Too Many MPLS headers
+116 || 250 || snort_decoder: WARNING: ICMP Original IP Header Truncated
+116 || 251 || snort_decoder: WARNING: ICMP Original IP Header Not IPv4
+116 || 252 || snort_decoder: WARNING: ICMP Original Datagram Length < Original IP Header Length
+116 || 253 || snort_decoder: WARNING: ICMP Original IP Payload < 64 bits
+116 || 254 || snort_decoder: WARNING: ICMP Original IP Payload > 576 bytes
+116 || 255 || snort_decoder: WARNING: ICMP Original IP Fragmented and Offset Not 0
 116 || 270 || snort_decoder: WARNING: IPV6 packet exceeded TTL limit
 116 || 271 || snort_decoder: WARNING: IPv6 header claims to not be IPv6
 116 || 272 || snort_decoder: WARNING: IPV6 truncated extension header
 116 || 273 || snort_decoder: WARNING: IPV6 truncated header
-116 || 274 || snort_decoder: WARNING: IPV6 dgm len < IPV6 Hdr len!
-116 || 275 || snort_decoder: WARNING: IPV6 dgm len > captured len!
-116 || 291 || snort_decoder: IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux Kernel attack
-116 || 400 || snort_decoder: WARNING: XMAS Attack Detected!
-116 || 401 || snort_decoder: WARNING: Nmap XMAS Attack Detected!
-116 || 402 || snort_decoder: DOS NAPTHA Vulnerability Detected!
-116 || 403 || snort_decoder: Bad Traffic SYN to multicast address
+116 || 274 || snort_decoder: WARNING: IPV6 dgm len < IPV6 Hdr len
+116 || 275 || snort_decoder: WARNING: IPV6 dgm len > captured len
+116 || 276 || snort_decoder: WARNING: IPv6 packet with destination address ::0
+116 || 277 || snort_decoder: WARNING: IPv6 packet with multicast source address
+116 || 278 || snort_decoder: WARNING: IPv6 packet with reserved multicast destination address
+116 || 279 || snort_decoder: WARNING: IPv6 header includes an undefined option type
+116 || 280 || snort_decoder: WARNING: IPv6 address includes an unassigned multicast scope value
+116 || 281 || snort_decoder: WARNING: IPv6 header includes an invalid value for the "next header" field
+116 || 282 || snort_decoder: WARNING: IPv6 header includes a routing extension header followed by a hop-by-hop header
+116 || 283 || snort_decoder: WARNING: IPv6 header includes two routing extension headers
+116 || 285 || snort_decoder: WARNING: ICMPv6 packet of type 2 (message too big) with MTU field < 1280
+116 || 286 || snort_decoder: WARNING: ICMPv6 packet of type 1 (destination unreachable) with invalid code field
+116 || 287 || snort_decoder: WARNING: ICMPv6 router solicitation packet with a code not equal to 0
+116 || 288 || snort_decoder: WARNING: ICMPv6 router advertisement packet with a code not equal to 0
+116 || 289 || snort_decoder: WARNING: ICMPv6 router solicitation packet with the reserved field not equal to 0
+116 || 290 || snort_decoder: WARNING: ICMPv6 router advertisement packet with the reachable time field set > 1 hour
+116 || 291 || snort_decoder: WARNING: IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux Kernel attack
+116 || 292 || snort_decoder: WARNING: IPv6 header has destination options followed by a routing header
+116 || 293 || snort_decoder: WARNING: Two or more IP (v4 and/or v6) encapsulation layers present
+116 || 294 || snort_decoder: WARNING: truncated Encapsulated Security Payload (ESP) header
+116 || 295 || snort_decoder: WARNING: IPv6 header includes an option which is too big for the containing header.
+116 || 296 || snort_decoder: WARNING: IPv6 packet includes out-of-order extension headers
+116 || 297 || snort_decoder: WARNING: Two or more GTP encapsulation layers are present
+116 || 298 || snort_decoder: WARNING: GTP header length is invalid
+116 || 400 || snort_decoder: WARNING: XMAS Attack Detected
+116 || 401 || snort_decoder: WARNING: Nmap XMAS Attack Detected
+116 || 402 || snort_decoder: WARNING: DOS NAPTHA Vulnerability Detected
+116 || 403 || snort_decoder: WARNING: Bad Traffic SYN to multicast address
 116 || 404 || snort_decoder: WARNING: IPV4 packet with zero TTL
 116 || 405 || snort_decoder: WARNING: IPV4 packet with bad frag bits (Both MF and DF set)
-117 || 1 || spp_portscan2: Portscan detected!
-118 || 1 || spp_conversation: Bad IP protocol!
+116 || 406 || snort_decoder: WARNING: Invalid IPv6 UDP packet, checksum zero
+116 || 407 || snort_decoder: WARNING: IPV4 packet frag offset + length exceed maximum
+116 || 408 || snort_decoder: WARNING: IPV4 packet from 'current net' source address
+116 || 409 || snort_decoder: WARNING: IPV4 packet to 'current net' dest address
+116 || 410 || snort_decoder: WARNING: IPV4 packet from multicast source address
+116 || 411 || snort_decoder: WARNING: IPV4 packet from reserved source address
+116 || 412 || snort_decoder: WARNING: IPV4 packet to reserved dest address
+116 || 413 || snort_decoder: WARNING: IPV4 packet from broadcast source address
+116 || 414 || snort_decoder: WARNING: IPV4 packet to broadcast dest address
+116 || 415 || snort_decoder: WARNING: ICMP4 packet to multicast dest address
+116 || 416 || snort_decoder: WARNING: ICMP4 packet to broadcast dest address
+116 || 417 || snort_decoder: WARNING: ICMP4 source quence
+116 || 418 || snort_decoder: WARNING: ICMP4 type other
+116 || 419 || snort_decoder: WARNING: TCP urgent pointer exceeds payload length or no payload
+116 || 420 || snort_decoder: WARNING: TCP SYN with FIN
+116 || 421 || snort_decoder: WARNING: TCP SYN with RST
+116 || 422 || snort_decoder: WARNING: TCP PDU missing ack for established session
+116 || 423 || snort_decoder: WARNING: TCP has no SYN, ACK, or RST
+116 || 424 || snort_decoder: WARNING: truncated eth header
+116 || 425 || snort_decoder: WARNING: truncated IP4 header
+116 || 426 || snort_decoder: WARNING: truncated ICMP4 header
+116 || 427 || snort_decoder: WARNING: truncated ICMP6 header
+116 || 428 || snort_decoder: WARNING: IPV4 packet below TTL limit
+116 || 429 || snort_decoder: WARNING: IPV6 packet has zero hop limit
+116 || 430 || snort_decoder: WARNING: IPV4 packet both DF and offset set
+116 || 431 || snort_decoder: WARNING: ICMP6 type not decoded
+116 || 432 || snort_decoder: WARNING: ICMP6 packet to multicast address
+116 || 433 || snort_decoder: WARNING: DDOS shaft synflood
+116 || 434 || snort_decoder: WARNING: ICMP PING NMAP
+116 || 435 || snort_decoder: WARNING: ICMP icmpenum v1.1.1
+116 || 436 || snort_decoder: WARNING: ICMP redirect host
+116 || 437 || snort_decoder: WARNING: ICMP redirect net
+116 || 438 || snort_decoder: WARNING: ICMP traceroute ipopts
+116 || 439 || snort_decoder: WARNING: ICMP Source Quench
+116 || 440 || snort_decoder: WARNING: Broadscan Smurf Scanner
+116 || 441 || snort_decoder: WARNING: ICMP Destination Unreachable Communication Administratively Prohibited
+116 || 442 || snort_decoder: WARNING: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited
+116 || 443 || snort_decoder: WARNING: ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited
+116 || 444 || snort_decoder: WARNING: MISC IP option set
+116 || 445 || snort_decoder: WARNING: MISC Large UDP Packet
+116 || 446 || snort_decoder: WARNING: BAD-TRAFFIC TCP port 0 traffic
+116 || 447 || snort_decoder: WARNING: BAD-TRAFFIC UDP port 0 traffic
+116 || 448 || snort_decoder: WARNING: BAD-TRAFFIC IP reserved bit set
+116 || 449 || snort_decoder: WARNING: BAD-TRAFFIC Unassigned/Reserved IP protocol
+116 || 450 || snort_decoder: WARNING: BAD-TRAFFIC Bad IP protocol
+116 || 451 || snort_decoder: WARNING: ICMP PATH MTU denial of service attempt
+116 || 452 || snort_decoder: WARNING: BAD-TRAFFIC linux ICMP header dos attempt
+116 || 453 || snort_decoder: WARNING: IPV6 ISATAP spoof
+116 || 454 || snort_decoder: WARNING: PGM NAK overflow
+116 || 455 || snort_decoder: WARNING: IGMP options dos
+116 || 456 || snort_decoder: WARNING: too many IPV6 extension headers
+117 || 1 || spp_portscan2: Portscan detected
+118 || 1 || spp_conversation: Bad IP protocol
 119 || 1 || http_inspect: ASCII ENCODING
 119 || 2 || http_inspect: DOUBLE DECODING ATTACK
 119 || 3 || http_inspect: U ENCODING
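Review bot: `+116 || 417 || snort_decoder: WARNING: ICMP4 source quence` misspells the alert text that will be emitted for this sid; it should read `116 || 417 || snort_decoder: WARNING: ICMP4 source quench`, matching the spelling already used by the new entry for 116:439 (`ICMP Source Quench`). Because gen-msg.map text is what shows up in alert output and in downstream correlation, a misspelled message is easy to miss when searching. Entries 417 and 439 also describe what looks like the same ICMP condition in different words; if they are distinct decoder checks the two messages should say how they differ, otherwise one of them appears redundant — I cannot tell which from this file alone. Separately, 116:295 is the only message in the hunk that ends with a period; drop it for consistency with the rest of the file.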
@@ -173,8 +245,28 @@
 119 || 17 || http_inspect: UNAUTHORIZED PROXY USE DETECTED
 119 || 18 || http_inspect: WEBROOT DIRECTORY TRAVERSAL
 119 || 19 || http_inspect: LONG HEADER
+119 || 20 || http_inspect: MAX HEADERS
 119 || 21 || http_inspect: MULTIPLE CONTENT LENGTH HEADER FIELDS
+119 || 22 || http_inspect: CHUNK SIZE MISMATCH DETECTED
+119 || 23 || http_inspect: INVALID IP IN TRUE-CLIENT-IP/XFF HEADER
+119 || 24 || http_inspect: MULTIPLE HOST HEADERS DETECTED
+119 || 25 || http_inspect: HOSTNAME EXCEEDS 255 CHARACTERS
+119 || 26 || http_inspect: HEADER PARSING SPACE SATURATION
+119 || 27 || http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS
+119 || 28 || http_inspect: POST W/O CONTENT-LENGTH OR CHUNKS
+119 || 29 || http_inspect: MULTIPLE TRUE IPS IN A SESSION
+119 || 30 || http_inspect: BOTH TRUE_CLIENT_IP AND XFF HDRS PRESENT
 120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT
+120 || 2 || http_inspect: INVALID STATUS CODE IN HTTP RESPONSE
+120 || 3 || http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
+120 || 4 || http_inspect: HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
+120 || 5 || http_inspect: HTTP RESPONSE HAS UTF-7 CHARSET
+120 || 6 || http_inspect: HTTP RESPONSE GZIP DECOMPRESSION FAILED
+120 || 7 || http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS
+120 || 8 || http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
+120 || 9 || http_inspect: JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
+120 || 10 || http_inspect: JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
+120 || 11 || http_inspect: MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA
 121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded
 121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded
 121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded
@@ -227,6 +319,11 @@
 124 || 6 || smtp: Illegal command
 124 || 7 || smtp: Attempted header name buffer overflow
 124 || 8 || smtp: Attempted X-Link2State command buffer overflow
+124 || 9 || smtp: No memory available for decoding. Max Mime Mem exceeded.
+124 || 10 || smtp: Base64 Decoding failed
+124 || 11 || smtp: Quoted-Printable Decoding failed
+124 || 12 || smtp: 7bit/8bit/binary/text Extraction failed
+124 || 13 || smtp: Unix-to-Unix Decoding failed
 125 || 1 || ftp_pp: Telnet command on FTP command channel
 125 || 2 || ftp_pp: Invalid FTP command
 125 || 3 || ftp_pp: FTP parameter length overflow
@@ -239,8 +336,8 @@
 126 || 1 || telnet_pp: Telnet consecutive AYT overflow
 126 || 2 || telnet_pp: Telnet data encrypted
 126 || 3 || telnet_pp: Subnegotiation Begin without matching Subnegotiation End
-128 || 1 || ssh: Gobbles exploit
-128 || 2 || ssh: SSH1 CRC32 exploit
+128 || 1 || ssh: Gobbles exploit
+128 || 2 || ssh: SSH1 CRC32 exploit
 128 || 3 || ssh: Server version string overflow
 128 || 4 || ssh: Protocol mismatch
 128 || 5 || ssh: Bad message direction
@@ -256,8 +353,15 @@
 129 || 8 || stream5: Data sent on stream after TCP Reset
 129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address
 129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address
-129 || 11 || stream5: TCP Data with no TCP Flags set
+129 || 11 || stream5: TCP Data with no TCP Flags set
 129 || 12 || stream5: TCP Small Segment Threshold Exceeded
+129 || 13 || stream5: TCP 4-way handshake detected
+129 || 14 || stream5: TCP Timestamp is missing
+129 || 15 || stream5: Reset outside window
+129 || 16 || stream5: FIN number is greater than prior FIN
+129 || 17 || stream5: ACK number is greater than prior FIN
+129 || 18 || stream5: Data sent on stream after TCP Reset received
+129 || 19 || stream5: TCP window closed before receiving data
 130 || 1 || dcerpc: Maximum memory usage reached
 131 || 1 || dns: Obsolete DNS RData Type
 131 || 2 || dns: Experimental DNS RData Type
@@ -265,8 +369,8 @@
 133 || 1 || dcerpc2: Memory cap exceeded
 133 || 2 || dcerpc2: SMB - Bad NetBIOS Session Service session type
 133 || 3 || dcerpc2: SMB - Bad SMB message type
-133 || 4 || dcerpc2: SMB - Bad SMB Id (not \xffSMB)
-133 || 5 || dcerpc2: SMB - Bad word count for command
+133 || 4 || dcerpc2: SMB - Bad SMB Id (not "\xffSMB" for SMB1 or not "\xfeSMB" for SMB2)
+133 || 5 || dcerpc2: SMB - Bad word count or structure size for command
 133 || 6 || dcerpc2: SMB - Bad byte count for command
 133 || 7 || dcerpc2: SMB - Bad format type for command
 133 || 8 || dcerpc2: SMB - Bad AndX or data offset in command
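Review bot: The new `+129 || 18 || stream5: Data sent on stream after TCP Reset received` is almost indistinguishable from the existing `129 || 8 || stream5: Data sent on stream after TCP Reset` five lines above, so an analyst reading alert output cannot tell which condition fired without looking the sid up. If the two sids cover different situations (the word "received" hints that 18 is about the direction the RST travelled), both messages should spell the difference out, e.g. `129 || 18 || stream5: Data sent on stream after TCP Reset was received from the peer` with a matching clarification on sid 8. I cannot confirm the intended distinction from this file alone; the owner of the stream5 event codes should settle the wording.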
@@ -284,9 +388,9 @@
 133 || 20 || dcerpc2: SMB - Excessive command chaining
 133 || 21 || dcerpc2: SMB - Multiple chained login requests
 133 || 22 || dcerpc2: SMB - Multiple chained tree connect requests
-133 || 23 || dcerpc2: SMB - Chained login followed by logoff
-133 || 24 || dcerpc2: SMB - Chained tree connect followed by tree disconnect
-133 || 25 || dcerpc2: SMB - Chained open pipe followed by close pipe
+133 || 23 || dcerpc2: SMB - Chained/Compounded login followed by logoff
+133 || 24 || dcerpc2: SMB - Chained/Compounded tree connect followed by tree disconnect
+133 || 25 || dcerpc2: SMB - Chained/Compounded open pipe followed by close pipe
 133 || 26 || dcerpc2: SMB - Invalid share access
 133 || 27 || dcerpc2: Connection-oriented DCE/RPC - Invalid major version
 133 || 28 || dcerpc2: Connection-oriented DCE/RPC - Invalid minor version
@@ -305,8 +409,74 @@
 133 || 41 || dcerpc2: Connectionless DCE/RPC - Invalid pdu type
 133 || 42 || dcerpc2: Connectionless DCE/RPC - Data length less than header size
 133 || 43 || dcerpc2: Connectionless DCE/RPC - Bad sequence number
+#133 || 44 || dcerpc2: SMB - Invalid SMB version 1 seen
+#133 || 45 || dcerpc2: SMB - Invalid SMB version 2 seen
+#133 || 46 || dcerpc2: SMB - Invalid user, tree connect, file binding
+#133 || 47 || dcerpc2: SMB - Excessive command compounding
 134 || 1 || ppm: rule tree disabled
 134 || 2 || ppm: rule tree enabled
 135 || 1 || internal: syn received
 135 || 2 || internal: session established
 135 || 3 || internal: session cleared
+136 || 1 || reputation: Packet is blacklisted
+136 || 2 || reputation: Packet is whitelisted
+137 || 1 || ssp_ssl: Invalid Client HELLO after Server HELLO Detected
+137 || 2 || ssp_ssl: Invalid Server HELLO without Client HELLO Detected
+138 || 2 || sensitive_data: sensitive data - Credit card numbers
+138 || 3 || sensitive_data: sensitive data - U.S. social security numbers with dashes
+138 || 4 || sensitive_data: sensitive data - U.S. social security numbers without dashes
+138 || 5 || sensitive_data: sensitive data - eMail addresses
+138 || 6 || sensitive_data: sensitive data - U.S. phone numbers
+139 || 1 || sensitive_data: sensitive data global threshold exceeded
+140 || 1 || sip: Maximum sessions reached
+140 || 2 || sip: Empty request URI
+140 || 3 || sip: URI is too long
+140 || 4 || sip: Empty call-Id
+140 || 5 || sip: Call-Id is too long
+140 || 6 || sip: CSeq number is too large or negative
+140 || 7 || sip: Request name in CSeq is too long
+140 || 8 || sip: Empty From header
+140 || 9 || sip: From header is too long
+140 || 10 || sip: Empty To header
+140 || 11 || sip: To header is too long
+140 || 12 || sip: Empty Via header
+140 || 13 || sip: Via header is too long
+140 || 14 || sip: Empty Contact
+140 || 15 || sip: Contact is too long
+140 || 16 || sip: Content length is too large or negative
+140 || 17 || sip: Multiple SIP messages in a packet
+140 || 18 || sip: Content length mismatch
+140 || 19 || sip: Request name is invalid
+140 || 20 || sip: Invite replay attack
+140 || 21 || sip: Illegal session information modification
+140 || 22 || sip: Response status code is not a 3 digit number
+140 || 23 || sip: Empty Content type
+140 || 24 || sip: SIP version other than 2.0, 1.0, and 1.1 are invalid
+140 || 25 || sip: Mismatch in Method of request and the CSEQ header
+140 || 26 || sip: The method is unknown
+141 || 1 || imap: Unknown IMAP4 command
+141 || 2 || imap: Unknown IMAP4 response
+141 || 3 || imap: No memory available for decoding. Memcap exceeded.
+141 || 4 || imap: Base64 Decoding failed
+141 || 5 || imap: Quoted-Printable Decoding failed
+141 || 6 || imap: 7bit/8bit/binary/text Extraction failed
+141 || 7 || imap: Unix-to-Unix Decoding failed
+142 || 1 || pop: Unknown POP3 command
+142 || 2 || pop: Unknown POP3 response
+142 || 3 || pop: No memory available for decoding. Memcap exceeded.
+142 || 4 || pop: Base64 Decoding failed
+142 || 5 || pop: Quoted-Printable Decoding failed
+142 || 6 || pop: 7bit/8bit/binary/text Extraction failed
+142 || 7 || pop: Unix-to-Unix Decoding failed
+143 || 1 || gtp: Message length is invalid
+143 || 2 || gtp: Information element length is invalid
+143 || 3 || gtp: Information elements are out of order
+144 || 1 || modbus: Length in Modbus MBAP header does not match the length needed for the given Modbus function.
+144 || 2 || modbus: Modbus protocol ID is non-zero.
+144 || 3 || modbus: Reserved Modbus function code in use.
+145 || 1 || dnp3: DNP3 Link-Layer Frame contains bad CRC.
+145 || 2 || dnp3: DNP3 Link-Layer Frame was dropped.
+145 || 3 || dnp3: DNP3 Transport-Layer Segment was dropped during reassembly.
+145 || 4 || dnp3: DNP3 Reassembly Buffer was cleared without reassembling a complete message.
+145 || 5 || dnp3: DNP3 Link-Layer Frame uses a reserved address.
+145 || 6 || dnp3: DNP3 Application-Layer Fragment uses a reserved function code.
diff -Nru snort-2.8.5.2/etc/Makefile.am snort-2.9.2/etc/Makefile.am
--- snort-2.8.5.2/etc/Makefile.am 2008-04-03 18:28:47.000000000 +0000
+++ snort-2.9.2/etc/Makefile.am 2010-12-20 17:14:46.000000000 +0000
@@ -1,5 +1,5 @@
 ## $Id$
 AUTOMAKE_OPTIONS=foreign no-dependencies
-EXTRA_DIST = sid-msg.map snort.conf classification.config gen-msg.map \
+EXTRA_DIST = snort.conf classification.config gen-msg.map \
 reference.config unicode.map threshold.conf attribute_table.dtd
diff -Nru snort-2.8.5.2/etc/Makefile.in snort-2.9.2/etc/Makefile.in
--- snort-2.8.5.2/etc/Makefile.in 2009-10-19 21:17:58.000000000 +0000
+++ snort-2.9.2/etc/Makefile.in 2011-12-07 19:23:17.000000000 +0000
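Review bot: The four lines `+#133 || 44` through `+#133 || 47` are added commented out, so if the dcerpc2 preprocessor does emit events with those sids (their text describes SMB2 checks, which this release otherwise adds support for), the alert will carry no message in any output path that resolves text through gen-msg.map. Either drop the four lines or enable them; commented-out entries in a file that is read at runtime tend to be forgotten, and I am only inferring that `#` starts a comment here from these lines themselves — if the parser does not treat it that way they would be read as a bogus generator id. Similarly the `138` block starts at sid 2 with no `138 || 1` entry; if the sensitive_data rules can raise sid 1 it needs a mapping too, otherwise a one-line comment such as `# 138:1 intentionally unused` would save the next maintainer from wondering. The sid-msg.map deletion and the Makefile.am EXTRA_DIST change are consistent with each other and need no further action.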
@@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -15,8 +16,9 @@ @SET_MAKE@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c @@ -41,6 +43,7 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = depcomp = am__depfiles_maybe = SOURCES = @@ -55,31 +58,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ 
@@ -92,12 +95,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ @@ -105,20 +114,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -150,6 +166,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -162,10 +179,11 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies -EXTRA_DIST = sid-msg.map snort.conf classification.config gen-msg.map \ +EXTRA_DIST = snort.conf classification.config gen-msg.map \ reference.config unicode.map threshold.conf attribute_table.dtd all: all-am 
@@ -175,14 +193,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign etc/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign etc/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign etc/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign etc/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -200,6 +218,7 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): mostlyclean-libtool: -rm -f *.lo @@ -229,13 +248,17 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done 
@@ -263,6 +286,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -281,6 +305,8 @@ html: html-am +html-am: + info: info-am info-am: @@ -289,18 +315,28 @@ install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am @@ -334,6 +370,7 @@ maintainer-clean-generic mostlyclean mostlyclean-generic \ mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT:
diff -Nru snort-2.8.5.2/etc/reference.config snort-2.9.2/etc/reference.config
--- snort-2.8.5.2/etc/reference.config 2003-10-20 15:03:04.000000000 +0000
+++ snort-2.9.2/etc/reference.config 2010-06-09 22:04:49.000000000 +0000
@@ -6,6 +6,7 @@
 config reference: bugtraq http://www.securityfocus.com/bid/
 config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=
 config reference: arachNIDS http://www.whitehats.com/info/IDS
+config reference: osvdb http://osvdb.org/show/osvdb/
 # Note, this one needs a suffix as well.... lets add that in a bit.
 config reference: McAfee http://vil.nai.com/vil/content/v_
diff -Nru snort-2.8.5.2/etc/sid-msg.map snort-2.9.2/etc/sid-msg.map
--- snort-2.8.5.2/etc/sid-msg.map 2008-07-11 21:00:23.000000000 +0000
+++ snort-2.9.2/etc/sid-msg.map 1970-01-01 00:00:00.000000000 +0000
@@ -1,2527 +0,0 @@
-# $Id$
-# Format: SID || MSG || Optional References || Optional References ...
-# SID -> MSG map
-
-103 || BACKDOOR subseven 22 || arachnids,485 || url,www.hackfix.org/subseven/
-104 || BACKDOOR - Dagger_1.4.0_client_connect || arachnids,483 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html
-105 || BACKDOOR - Dagger_1.4.0 || arachnids,484 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html
-106 || BACKDOOR ACKcmdC trojan scan || arachnids,445
-107 || BACKDOOR subseven DEFCON8 2.1 access
-108 || BACKDOOR QAZ Worm Client Login access || MCAFEE,98775
-109 || BACKDOOR netbus active || arachnids,401
-110 || BACKDOOR netbus getinfo || arachnids,403
-111 || BACKDOOR netbus getinfo || arachnids,403
-112 || BACKDOOR BackOrifice access || arachnids,400
-113 || BACKDOOR DeepThroat access || arachnids,405
-114 || BACKDOOR netbus active || arachnids,401
-115 || BACKDOOR netbus 2 active || arachnids,401
-116 || BACKDOOR BackOrifice access || arachnids,399
-117 || BACKDOOR Infector.1.x || arachnids,315
-118 || BACKDOOR SatansBackdoor.2.0.Beta || arachnids,316
-119 || BACKDOOR Doly 2.0 access || arachnids,312
-120 || BACKDOOR Infector 1.6 Server to Client || cve,1999-0660 || nessus,11157
-121 || BACKDOOR Infector 1.6 Client to Server Connection Request || cve,1999-0660 || nessus,11157
-122 || BACKDOOR DeepThroat 3.1 System Info Client Request || arachnids,106
-124 || BACKDOOR DeepThroat 3.1 FTP Status Client Request || arachnids,106
-125 || BACKDOOR DeepThroat 3.1 E-Mail Info From Server || arachnids,106
-126 || BACKDOOR DeepThroat 3.1 E-Mail Info Client Request || arachnids,106
-127 || BACKDOOR DeepThroat 3.1 Server Status From Server || arachnids,106
-128 || BACKDOOR DeepThroat 3.1 Server Status Client Request || arachnids,106
-129 || BACKDOOR DeepThroat 3.1 Drive Info From Server || arachnids,106
-130 || BACKDOOR DeepThroat 3.1 System Info From Server || arachnids,106
-131 || BACKDOOR DeepThroat 3.1 Drive Info Client Request || arachnids,106
-132 || BACKDOOR
DeepThroat 3.1 Server FTP Port Change From Server || arachnids,106
-133 || BACKDOOR DeepThroat 3.1 Cached Passwords Client Request || arachnids,106
-134 || BACKDOOR DeepThroat 3.1 RAS Passwords Client Request || arachnids,106
-135 || BACKDOOR DeepThroat 3.1 Server Password Change Client Request || arachnids,106
-136 || BACKDOOR DeepThroat 3.1 Server Password Remove Client Request || arachnids,106
-137 || BACKDOOR DeepThroat 3.1 Rehash Client Request || arachnids,106
-138 || BACKDOOR DeepThroat 3.1 Server Rehash Client Request || arachnids,106
-140 || BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request || arachnids,106
-141 || BACKDOOR HackAttack 1.20 Connect
-142 || BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request || arachnids,106
-143 || BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request || arachnids,106
-144 || FTP ADMw0rm ftp login attempt || arachnids,01
-145 || BACKDOOR GirlFriendaccess || arachnids,98
-146 || BACKDOOR NetSphere access || arachnids,76
-147 || BACKDOOR GateCrasher || arachnids,99
-148 || BACKDOOR DeepThroat 3.1 Keylogger Active on Network || arachnids,106
-149 || BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network || arachnids,106
-150 || BACKDOOR DeepThroat 3.1 Server Active on Network || arachnids,106
-151 || BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network || arachnids,106
-152 || BACKDOOR BackConstruction 2.1 Connection
-153 || BACKDOOR DonaldDick 1.53 Traffic || mcafee,98575
-154 || BACKDOOR DeepThroat 3.1 Wrong Password || arachnids,106
-155 || BACKDOOR NetSphere 1.31.337 access || arachnids,76
-156 || BACKDOOR DeepThroat 3.1 Visible Window List Client Request || arachnids,106
-157 || BACKDOOR BackConstruction 2.1 Client FTP Open Request
-158 || BACKDOOR BackConstruction 2.1 Server FTP Open Reply
-159 || BACKDOOR NetMetro File List || arachnids,79
-160 || BACKDOOR NetMetro Incoming Traffic || arachnids,79
-161 || BACKDOOR Matrix 2.0 Client connect || arachnids,83
-162 || BACKDOOR Matrix 2.0 Server
access || arachnids,83
-163 || BACKDOOR WinCrash 1.0 Server Active || arachnids,36
-164 || BACKDOOR DeepThroat 3.1 Server Active on Network || arachnids,106
-165 || BACKDOOR DeepThroat 3.1 Keylogger on Server ON || arachnids,106
-166 || BACKDOOR DeepThroat 3.1 Show Picture Client Request || arachnids,106
-167 || BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request || arachnids,106
-168 || BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request || arachnids,106
-169 || BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request || arachnids,106
-170 || BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request || arachnids,106
-171 || BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request || arachnids,106
-172 || BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request || arachnids,106
-173 || BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request || arachnids,106
-174 || BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request || arachnids,106
-175 || BACKDOOR DeepThroat 3.1 Resolution Change Client Request || arachnids,106
-176 || BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request || arachnids,106
-177 || BACKDOOR DeepThroat 3.1 Keylogger on Server OFF || arachnids,106
-179 || BACKDOOR DeepThroat 3.1 FTP Server Port Client Request || arachnids,106
-180 || BACKDOOR DeepThroat 3.1 Process List Client request || arachnids,106
-181 || BACKDOOR DeepThroat 3.1 Close Port Scan Client Request || arachnids,106
-182 || BACKDOOR DeepThroat 3.1 Registry Add Client Request || arachnids,106
-183 || BACKDOOR SIGNATURE - Q ICMP || arachnids,202
-184 || BACKDOOR Q access || arachnids,203
-185 || BACKDOOR CDK || arachnids,263
-186 || BACKDOOR DeepThroat 3.1 Monitor on/off Client Request || arachnids,106
-187 || BACKDOOR DeepThroat 3.1 Delete File Client Request || arachnids,106
-188 || BACKDOOR DeepThroat 3.1 Kill Window Client Request || arachnids,106
-189 || BACKDOOR DeepThroat 3.1 Disable Window Client Request || arachnids,106
-190 || BACKDOOR
DeepThroat 3.1 Enable Window Client Request || arachnids,106
-191 || BACKDOOR DeepThroat 3.1 Change Window Title Client Request || arachnids,106
-192 || BACKDOOR DeepThroat 3.1 Hide Window Client Request || arachnids,106
-193 || BACKDOOR DeepThroat 3.1 Show Window Client Request || arachnids,106
-194 || BACKDOOR DeepThroat 3.1 Send Text to Window Client Request || arachnids,106
-195 || BACKDOOR DeepThroat 3.1 Server Response || arachnids,106 || mcafee,98574 || nessus,10053
-196 || BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request || arachnids,106
-197 || BACKDOOR DeepThroat 3.1 Create Directory Client Request || arachnids,106
-198 || BACKDOOR DeepThroat 3.1 All Window List Client Request || arachnids,106
-199 || BACKDOOR DeepThroat 3.1 Play Sound Client Request || arachnids,106
-200 || BACKDOOR DeepThroat 3.1 Run Program Normal Client Request || arachnids,106
-201 || BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request || arachnids,106
-202 || BACKDOOR DeepThroat 3.1 Get NET File Client Request || arachnids,106
-203 || BACKDOOR DeepThroat 3.1 Find File Client Request || arachnids,106
-204 || BACKDOOR DeepThroat 3.1 Find File Client Request || arachnids,106
-205 || BACKDOOR DeepThroat 3.1 HUP Modem Client Request || arachnids,106
-206 || BACKDOOR DeepThroat 3.1 CD ROM Open Client Request || arachnids,106
-207 || BACKDOOR DeepThroat 3.1 CD ROM Close Client Request || arachnids,106
-208 || BACKDOOR PhaseZero Server Active on Network
-209 || BACKDOOR w00w00 attempt || arachnids,510
-210 || BACKDOOR attempt
-211 || BACKDOOR MISC r00t attempt
-212 || BACKDOOR MISC rewt attempt
-213 || BACKDOOR MISC Linux rootkit attempt
-214 || BACKDOOR MISC Linux rootkit attempt lrkr0x
-215 || BACKDOOR MISC Linux rootkit attempt
-216 || BACKDOOR MISC Linux rootkit satori attempt || arachnids,516
-217 || BACKDOOR MISC sm4ck attempt
-218 || BACKDOOR MISC Solaris 2.5 attempt
-219 || BACKDOOR HidePak backdoor attempt
-220 || BACKDOOR HideSource backdoor attempt
-221 || DDOS TFN
Probe || arachnids,443
-222 || DDOS tfn2k icmp possible communication || arachnids,425
-223 || DDOS Trin00 Daemon to Master PONG message detected || arachnids,187
-224 || DDOS Stacheldraht server spoof || arachnids,193
-225 || DDOS Stacheldraht gag server response || arachnids,195
-226 || DDOS Stacheldraht server response || arachnids,191
-227 || DDOS Stacheldraht client spoofworks || arachnids,192
-228 || DDOS TFN client command BE || arachnids,184
-229 || DDOS Stacheldraht client check skillz || arachnids,190
-230 || DDOS shaft client login to handler || arachnids,254 || url,security.royans.net/info/posts/bugtraq_ddos3.shtml
-231 || DDOS Trin00 Daemon to Master message detected || arachnids,186
-232 || DDOS Trin00 Daemon to Master *HELLO* message detected || arachnids,185 || url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm
-233 || DDOS Trin00 Attacker to Master default startup password || arachnids,197
-234 || DDOS Trin00 Attacker to Master default password
-235 || DDOS Trin00 Attacker to Master default mdie password
-236 || DDOS Stacheldraht client check gag || arachnids,194
-237 || DDOS Trin00 Master to Daemon default password attempt || arachnids,197
-238 || DDOS TFN server response || arachnids,182
-239 || DDOS shaft handler to agent || arachnids,255
-240 || DDOS shaft agent to handler || arachnids,256
-241 || DDOS shaft synflood || arachnids,253 || cve,2000-0138
-243 || DDOS mstream agent to handler
-244 || DDOS mstream handler to agent || cve,2000-0138
-245 || DDOS mstream handler ping to agent || cve,2000-0138
-246 || DDOS mstream agent pong to handler
-247 || DDOS mstream client to handler || cve,2000-0138
-248 || DDOS mstream handler to client || cve,2000-0138
-249 || DDOS mstream client to handler || arachnids,111 || cve,2000-0138
-250 || DDOS mstream handler to client || cve,2000-0138
-251 || DDOS - TFN client command LE || arachnids,183
-252 || DNS named iquery attempt || arachnids,277 || bugtraq,134 || cve,1999-0009 ||
url,www.rfc-editor.org/rfc/rfc1035.txt
-253 || DNS SPOOF query response PTR with TTL of 1 min. and no authority
-254 || DNS SPOOF query response with TTL of 1 min. and no authority
-255 || DNS zone transfer TCP || arachnids,212 || cve,1999-0532 || nessus,10595
-256 || DNS named authors attempt || arachnids,480 || nessus,10728
-257 || DNS named version attempt || arachnids,278 || nessus,10028
-258 || DNS EXPLOIT named 8.2->8.2.1 || bugtraq,788 || cve,1999-0833
-259 || DNS EXPLOIT named overflow ADM || bugtraq,788 || cve,1999-0833
-260 || DNS EXPLOIT named overflow ADMROCKS || bugtraq,788 || cve,1999-0833 || url,www.cert.org/advisories/CA-1999-14.html
-261 || DNS EXPLOIT named overflow attempt || url,www.cert.org/advisories/CA-1998-05.html
-262 || DNS EXPLOIT x86 Linux overflow attempt
-264 || DNS EXPLOIT x86 Linux overflow attempt
-265 || DNS EXPLOIT x86 Linux overflow attempt ADMv2
-266 || DNS EXPLOIT x86 FreeBSD overflow attempt
-267 || DNS EXPLOIT sparc overflow attempt
-268 || DOS Jolt attack || cve,1999-0345
-269 || DOS Land attack || bugtraq,2666 || cve,1999-0016
-270 || DOS Teardrop attack || bugtraq,124 || cve,1999-0015 || nessus,10279 || url,www.cert.org/advisories/CA-1997-28.html
-271 || DOS UDP echo+chargen bomb || cve,1999-0103 || cve,1999-0635
-272 || DOS IGMP dos attack || bugtraq,514 || cve,1999-0918
-273 || DOS IGMP dos attack || bugtraq,514 || cve,1999-0918
-274 || DOS ath || arachnids,264 || cve,1999-1228
-275 || DOS NAPTHA || bugtraq,2022 || cve,2000-1039 || url,razor.bindview.com/publish/advisories/adv_NAPTHA.html || url,www.cert.org/advisories/CA-2000-21.html || url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx
-276 || DOS Real Audio Server || arachnids,411 || bugtraq,1288 || cve,2000-0474
-277 || DOS Real Server template.html || bugtraq,1288 || cve,2000-0474
-278 || DOS Real Server template.html || bugtraq,1288 || cve,2000-0474
-279 || DOS Bay/Nortel Nautica Marlin || bugtraq,1009 || cve,2000-0221
-281 || DOS Ascend Route ||
arachnids,262 || bugtraq,714 || cve,1999-0060
-282 || DOS arkiea backup || arachnids,261 || bugtraq,662 || cve,1999-0788
-283 || EXPLOIT Netscape 4.7 client overflow || arachnids,215 || bugtraq,822 || cve,1999-1189 || cve,2000-1187
-284 || POP2 x86 Linux overflow
-285 || POP2 x86 Linux overflow
-286 || POP3 EXPLOIT x86 BSD overflow || bugtraq,133 || cve,1999-0006 || nessus,10196
-287 || POP3 EXPLOIT x86 BSD overflow
-288 || POP3 EXPLOIT x86 Linux overflow
-289 || POP3 EXPLOIT x86 SCO overflow || bugtraq,156 || cve,1999-0006
-290 || POP3 EXPLOIT qpopper overflow || bugtraq,830 || cve,1999-0822 || nessus,10184
-291 || NNTP Cassandra Overflow || arachnids,274 || bugtraq,1156 || cve,2000-0341
-292 || EXPLOIT x86 Linux samba overflow || bugtraq,1816 || bugtraq,536 || cve,1999-0182 || cve,1999-0811
-293 || IMAP EXPLOIT overflow
-295 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005
-296 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005
-297 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005
-298 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005
-299 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve, CVE-1999-0005
-300 || EXPLOIT nlps x86 Solaris overflow || bugtraq,2319
-301 || EXPLOIT LPRng overflow || bugtraq,1712 || cve,2000-0917
-302 || EXPLOIT Redhat 7.0 lprd overflow || bugtraq,1712 || cve,2000-0917
-303 || DNS EXPLOIT named tsig overflow attempt || arachnids,482 || bugtraq,2302 || cve,2001-0010
-304 || EXPLOIT SCO calserver overflow || bugtraq,2353 || cve,2000-0306
-305 || EXPLOIT delegate proxy overflow || arachnids,267 || bugtraq,808 || cve,2000-0165
-306 || EXPLOIT VQServer admin || bugtraq,1610 || cve,2000-0766 || url,www.vqsoft.com/vq/server/docs/other/control.html
-307 || EXPLOIT CHAT IRC topic overflow || bugtraq,573 || cve,1999-0672
-308 || EXPLOIT NextFTP client overflow || bugtraq,572 || cve,1999-0671
-309 || EXPLOIT sniffit overflow || arachnids,273 || bugtraq,1158 ||
cve,2000-0343
-310 || EXPLOIT x86 windows MailMax overflow || bugtraq,2312 || cve,1999-0404
-311 || EXPLOIT Netscape 4.7 unsucessful overflow || arachnids,214 || bugtraq,822 || cve,1999-1189 || cve,2000-1187
-312 || EXPLOIT ntpdx overflow attempt || arachnids,492 || bugtraq,2540 || cve,2001-0414
-313 || EXPLOIT ntalkd x86 Linux overflow || bugtraq,210
-314 || DNS EXPLOIT named tsig overflow attempt || bugtraq,2303 || cve,2001-0010
-315 || EXPLOIT x86 Linux mountd overflow || bugtraq,121 || cve,1999-0002
-316 || EXPLOIT x86 Linux mountd overflow || bugtraq,121 || cve,1999-0002
-317 || EXPLOIT x86 Linux mountd overflow || bugtraq,121 || cve,1999-0002
-318 || EXPLOIT bootp x86 bsd overfow || bugtraq,324 || cve,1999-0914
-319 || EXPLOIT bootp x86 linux overflow || cve,1999-0389 || cve,1999-0798 || cve,1999-0799
-320 || FINGER cmd_rootsh backdoor attempt || nessus,10070 || url,www.sans.org/y2k/TFN_toolkit.htm || url,www.sans.org/y2k/fingerd.htm
-321 || FINGER account enumeration attempt || nessus,10788
-322 || FINGER search query || arachnids,375 || cve,1999-0259
-323 || FINGER root query || arachnids,376
-324 || FINGER null request || arachnids,377
-325 || FINGER probe 0 attempt || arachnids,378
-326 || FINGER remote command execution attempt || arachnids,379 || bugtraq,974 || cve,1999-0150
-327 || FINGER remote command pipe execution attempt || arachnids,380 || bugtraq,2220 || cve,1999-0152
-328 || FINGER bomb attempt || arachnids,381 || cve,1999-0106
-329 || FINGER cybercop redirection || arachnids,11
-330 || FINGER redirection attempt || arachnids,251 || cve,1999-0105 || nessus,10073
-331 || FINGER cybercop query || arachnids,132 || cve,1999-0612
-332 || FINGER 0 query || arachnids,131 || arachnids,378 || cve,1999-0197 || nessus,10069
-333 || FINGER .
query || arachnids,130 || cve,1999-0198 || nessus,10072
-334 || FTP .forward || arachnids,319
-335 || FTP .rhosts || arachnids,328
-336 || FTP CWD ~root attempt || arachnids,318 || cve,1999-0082
-337 || FTP CEL overflow attempt || arachnids,257 || bugtraq,679 || cve,1999-0789 || nessus,10009
-338 || FTP EXPLOIT format string || arachnids,453 || bugtraq,1387 || cve,2000-0573
-339 || FTP EXPLOIT OpenBSD x86 ftpd || arachnids,446 || bugtraq,2124 || cve,2001-0053
-340 || FTP EXPLOIT overflow
-341 || FTP EXPLOIT overflow
-342 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8 || arachnids,451 || bugtraq,1387 || cve,2000-0573
-343 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD || arachnids,228 || bugtraq,1387 || cve,2000-0573
-344 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux || arachnids,287 || bugtraq,1387 || cve,2000-0573
-345 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic || arachnids,285 || bugtraq,1387 || cve,2000-0573 || nessus,10452
-346 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check || arachnids,286 || bugtraq,1387 || cve,2000-0573
-348 || FTP EXPLOIT wu-ftpd 2.6.0 || arachnids,440 || bugtraq,1387
-349 || FTP EXPLOIT MKD overflow || bugtraq,113 || bugtraq,2242 || cve,1999-0368
-350 || FTP EXPLOIT x86 linux overflow || bugtraq,113 || bugtraq,2242 || cve,1999-0368
-351 || FTP EXPLOIT x86 linux overflow || bugtraq,113 || bugtraq,2242 || cve,1999-0368
-352 || FTP EXPLOIT x86 linux overflow || bugtraq, 113 || cve, CVE-1999-0368
-353 || FTP adm scan || arachnids,332
-354 || FTP iss scan || arachnids,331
-355 || FTP pass wh00t || arachnids,324
-356 || FTP passwd retrieval attempt || arachnids,213
-357 || FTP piss scan
-358 || FTP saint scan || arachnids,330
-359 || FTP satan scan || arachnids,329
-360 || FTP serv-u directory transversal || bugtraq,2052 || cve,2001-0054
-361 || FTP SITE EXEC attempt || arachnids,317 || bugtraq,2241 || cve,1999-0080 || cve,1999-0080 ||
cve,1999-0955
-362 || FTP tar parameters || arachnids,134 || bugtraq,2240 || cve,1999-0202 || cve,1999-0997
-363 || ICMP IRDP router advertisement || arachnids,173 || bugtraq,578 || cve,1999-0875
-364 || ICMP IRDP router selection || arachnids,174 || bugtraq,578 || cve,1999-0875
-365 || ICMP PING undefined code
-366 || ICMP PING *NIX
-368 || ICMP PING BSDtype || arachnids,152
-369 || ICMP PING BayRS Router || arachnids,438 || arachnids,444
-370 || ICMP PING BeOS4.x || arachnids,151
-371 || ICMP PING Cisco Type.x || arachnids,153
-372 || ICMP PING Delphi-Piette Windows || arachnids,155
-373 || ICMP PING Flowpoint2200 or Network Management Software || arachnids,156
-374 || ICMP PING IP NetMonitor Macintosh || arachnids,157
-375 || ICMP PING LINUX/*BSD || arachnids,447
-376 || ICMP PING Microsoft Windows || arachnids,159
-377 || ICMP PING Network Toolbox 3 Windows || arachnids,161
-378 || ICMP PING Ping-O-MeterWindows || arachnids,164
-379 || ICMP PING Pinger Windows || arachnids,163
-380 || ICMP PING Seer Windows || arachnids,166
-381 || ICMP PING Sun Solaris || arachnids,448
-382 || ICMP PING Windows || arachnids,169
-384 || ICMP PING
-385 || ICMP traceroute || arachnids,118
-386 || ICMP Address Mask Reply
-387 || ICMP Address Mask Reply undefined code
-388 || ICMP Address Mask Request
-389 || ICMP Address Mask Request undefined code
-390 || ICMP Alternate Host Address
-391 || ICMP Alternate Host Address undefined code
-392 || ICMP Datagram Conversion Error
-393 || ICMP Datagram Conversion Error undefined code
-394 || ICMP Destination Unreachable Destination Host Unknown
-395 || ICMP Destination Unreachable Destination Network Unknown
-396 || ICMP Destination Unreachable Fragmentation Needed and DF bit was set
-397 || ICMP Destination Unreachable Host Precedence Violation
-398 || ICMP Destination Unreachable Host Unreachable for Type of Service
-399 || ICMP Destination Unreachable Host Unreachable
-400 || ICMP Destination Unreachable Network Unreachable for Type of
Service
-401 || ICMP Destination Unreachable Network Unreachable
-402 || ICMP Destination Unreachable Port Unreachable
-403 || ICMP Destination Unreachable Precedence Cutoff in effect
-404 || ICMP Destination Unreachable Protocol Unreachable
-405 || ICMP Destination Unreachable Source Host Isolated
-406 || ICMP Destination Unreachable Source Route Failed
-407 || ICMP Destination Unreachable cndefined code
-408 || ICMP Echo Reply
-409 || ICMP Echo Reply undefined code
-410 || ICMP Fragment Reassembly Time Exceeded
-411 || ICMP IPV6 I-Am-Here
-412 || ICMP IPV6 I-Am-Here undefined code
-413 || ICMP IPV6 Where-Are-You
-414 || ICMP IPV6 Where-Are-You undefined code
-415 || ICMP Information Reply
-416 || ICMP Information Reply undefined code
-417 || ICMP Information Request
-418 || ICMP Information Request undefined code
-419 || ICMP Mobile Host Redirect
-420 || ICMP Mobile Host Redirect undefined code
-421 || ICMP Mobile Registration Reply
-422 || ICMP Mobile Registration Reply undefined code
-423 || ICMP Mobile Registration Request
-424 || ICMP Mobile Registration Request undefined code
-425 || ICMP Parameter Problem Bad Length
-426 || ICMP Parameter Problem Missing a Required Option
-427 || ICMP Parameter Problem Unspecified Error
-428 || ICMP Parameter Problem undefined Code
-429 || ICMP Photuris Reserved
-430 || ICMP Photuris Unknown Security Parameters Index
-431 || ICMP Photuris Valid Security Parameters, But Authentication Failed
-432 || ICMP Photuris Valid Security Parameters, But Decryption Failed
-433 || ICMP Photuris undefined code!
-436 || ICMP Redirect for TOS and Host
-437 || ICMP Redirect for TOS and Network
-438 || ICMP Redirect undefined code
-439 || ICMP Reserved for Security Type 19
-440 || ICMP Reserved for Security Type 19 undefined code
-441 || ICMP Router Advertisement || arachnids,173
-443 || ICMP Router Selection || arachnids,174
-445 || ICMP SKIP
-446 || ICMP SKIP undefined code
-448 || ICMP Source Quench undefined code
-449 || ICMP Time-To-Live Exceeded in Transit
-450 || ICMP Time-To-Live Exceeded in Transit undefined code
-451 || ICMP Timestamp Reply
-452 || ICMP Timestamp Reply undefined code
-453 || ICMP Timestamp Request
-454 || ICMP Timestamp Request undefined code
-455 || ICMP Traceroute ipopts || arachnids,238
-456 || ICMP Traceroute
-457 || ICMP Traceroute undefined code
-458 || ICMP unassigned type 1
-459 || ICMP unassigned type 1 undefined code
-460 || ICMP unassigned type 2
-461 || ICMP unassigned type 2 undefined code
-462 || ICMP unassigned type 7
-463 || ICMP unassigned type 7 undefined code
-465 || ICMP ISS Pinger || arachnids,158
-466 || ICMP L3retriever Ping || arachnids,311
-467 || ICMP Nemesis v1.1 Echo || arachnids,449
-469 || ICMP PING NMAP || arachnids,162
-471 || ICMP icmpenum v1.1.1 || arachnids,450
-472 || ICMP redirect host || arachnids,135 || cve,1999-0265
-473 || ICMP redirect net || arachnids,199 || cve,1999-0265
-474 || ICMP superscan echo
-475 || ICMP traceroute ipopts || arachnids,238
-476 || ICMP webtrends scanner || arachnids,307
-477 || ICMP Source Quench
-478 || ICMP Broadscan Smurf Scanner
-480 || ICMP PING speedera
-481 || ICMP TJPingPro1.1Build 2 Windows || arachnids,167
-482 || ICMP PING WhatsupGold Windows || arachnids,168
-483 || ICMP PING CyberKit 2.2 Windows || arachnids,154
-484 || ICMP PING Sniffer Pro/NetXRay network scan
-485 || ICMP Destination Unreachable Communication Administratively Prohibited
-486 || ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited
-487 || ICMP Destination
Unreachable Communication with Destination Network is Administratively Prohibited
-488 || INFO Connection Closed MSG from Port 80
-489 || INFO FTP no password || arachnids,322
-490 || INFO battle-mail traffic
-491 || INFO FTP Bad login
-492 || INFO TELNET Bad Login
-493 || INFO psyBNC access
-494 || ATTACK-RESPONSES command completed || bugtraq,1806
-495 || ATTACK-RESPONSES command error
-496 || ATTACK RESPONSES directory listing
-497 || ATTACK-RESPONSES file copied ok || bugtraq,1806 || cve,2000-0884
-498 || ATTACK-RESPONSES id check returned root
-499 || ICMP Large ICMP Packet || arachnids,246
-500 || MISC source route lssr || arachnids,418 || bugtraq,646 || cve,1999-0909
-501 || MISC source route lssre || arachnids,420 || bugtraq,646 || cve,1999-0909
-502 || MISC source route ssrr || arachnids,422
-503 || MISC Source Port 20 to <1024 || arachnids,06
-504 || MISC source port 53 to <1024 || arachnids,07
-505 || MISC Insecure TIMBUKTU Password || arachnids,229
-506 || MISC ramen worm incoming || arachnids,460
-507 || MISC PCAnywhere Attempted Administrator Login
-508 || MISC gopher proxy || arachnids,409
-509 || WEB-MISC PCCS mysql database admin tool access || arachnids,300 || bugtraq,1557 || cve,CVE-2000-0707 || nessus,10783
-510 || POLICY HP JetDirect LCD modification attempt || arachnids,302 || bugtraq,2245
-511 || MISC Invalid PCAnywhere Login
-512 || MISC PCAnywhere Failed Login || arachnids,240
-513 || MISC Cisco Catalyst Remote Access || arachnids,129 || bugtraq,705 || cve,1999-0430
-514 || MISC ramen worm || arachnids,461
-516 || MISC SNMP NT UserList || nessus,10546
-517 || MISC xdmcp query || arachnids,476
-518 || TFTP Put || arachnids,148 || cve,1999-0183
-519 || TFTP parent directory || arachnids,137 || cve,1999-0183 || cve,2002-1209
-520 || TFTP root directory || arachnids,138 || cve,1999-0183
-521 || MISC Large UDP Packet || arachnids,247
-522 || MISC Tiny Fragments
-523 || BAD-TRAFFIC ip reserved bit set
-524 || BAD-TRAFFIC tcp port 0 traffic
-525
|| BAD-TRAFFIC udp port 0 traffic || bugtraq,576 || cve,1999-0675 || nessus,10074
-526 || BAD-TRAFFIC data in TCP SYN packet || url,www.cert.org/incident_notes/IN-99-07.html
-527 || BAD-TRAFFIC same SRC/DST || bugtraq,2666 || cve,1999-0016 || url,www.cert.org/advisories/CA-1997-28.html
-528 || BAD-TRAFFIC loopback traffic || url,rr.sans.org/firewall/egress.php
-529 || NETBIOS DOS RFPoison || arachnids,454
-530 || NETBIOS NT NULL session || arachnids,204 || bugtraq,1163 || cve,2000-0347
-532 || NETBIOS SMB ADMIN$ share access
-533 || NETBIOS SMB C$ share access
-534 || NETBIOS SMB CD.. || arachnids,338
-535 || NETBIOS SMB CD... || arachnids,337
-536 || NETBIOS SMB D$ share access
-537 || NETBIOS SMB IPC$ share access
-538 || NETBIOS SMB IPC$ share unicode access
-539 || NETBIOS Samba clientaccess || arachnids,341
-540 || CHAT MSN message
-541 || CHAT ICQ access
-542 || CHAT IRC nick change
-543 || POLICY FTP 'STOR 1MB' possible warez site
-544 || POLICY FTP 'RETR 1MB' possible warez site
-545 || POLICY FTP 'CWD / ' possible warez site
-546 || POLICY FTP 'CWD ' possible warez site
-547 || POLICY FTP 'MKD ' possible warez site
-548 || POLICY FTP 'MKD .'
possible warez site
-549 || P2P napster login
-550 || P2P napster new user login
-551 || P2P napster download attempt
-552 || P2P napster upload request
-553 || POLICY FTP anonymous login attempt
-554 || POLICY FTP 'MKD / ' possible warez site
-555 || POLICY WinGate telnet server response || arachnids,366 || cve,1999-0657
-556 || P2P Outbound GNUTella client request
-557 || P2P GNUTella client request
-558 || INFO Outbound GNUTella client request
-559 || P2P Inbound GNUTella client request
-560 || POLICY VNC server response
-561 || P2P Napster Client Data
-562 || P2P Napster Client Data
-563 || P2P Napster Client Data
-564 || P2P Napster Client Data
-565 || P2P Napster Server Login
-566 || POLICY PCAnywhere server response || arachnids,239
-567 || POLICY SMTP relaying denied || arachnids,249 || url,mail-abuse.org/tsi/ar-fix.html
-568 || POLICY HP JetDirect LCD modification attempt || arachnids,302 || bugtraq,2245
-569 || RPC snmpXdmi overflow attempt TCP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html
-570 || RPC EXPLOIT ttdbserv solaris overflow || arachnids,242 || bugtraq,122 || cve,1999-0003 || url,www.cert.org/advisories/CA-2001-27.html
-571 || RPC EXPLOIT ttdbserv Solaris overflow || arachnids,242 || bugtraq,122 || cve,1999-0003 || url,www.cert.org/advisories/CA-2001-27.html
-572 || RPC DOS ttdbserv Solaris || arachnids,241 || bugtraq,122 || cve,1999-0003
-573 || RPC AMD Overflow || arachnids,217 || cve,1999-0704
-574 || RPC mountd TCP export request || arachnids,26
-575 || RPC portmap admind request UDP || arachnids,18
-576 || RPC portmap amountd request UDP || arachnids,19
-577 || RPC portmap bootparam request UDP || arachnids,16 || cve,1999-0647
-578 || RPC portmap cmsd request UDP || arachnids,17
-579 || RPC portmap mountd request UDP || arachnids,13
-580 || RPC portmap nisd request UDP || arachnids,21
-581 || RPC portmap pcnfsd request UDP || arachnids,22
-582 || RPC portmap rexd request UDP || arachnids,23
-583 || RPC
portmap rstatd request UDP || arachnids,10
-584 || RPC portmap rusers request UDP || arachnids,133 || cve,1999-0626
-585 || RPC portmap sadmind request UDP || arachnids,20
-586 || RPC portmap selection_svc request UDP || arachnids,25
-587 || RPC portmap status request UDP || arachnids,15
-588 || RPC portmap ttdbserv request UDP || arachnids,24 || bugtraq,122 || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html
-589 || RPC portmap yppasswd request UDP || arachnids,14
-590 || RPC portmap ypserv request UDP || arachnids,12 || bugtraq,5914 || bugtraq,6016 || cve,2000-1042 || cve,2000-1043 || cve,2002-1232
-591 || RPC portmap ypupdated request TCP || arachnids,125
-592 || RPC rstatd query || arachnids,9
-593 || RPC portmap snmpXdmi request TCP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html
-595 || RPC portmap espd request TCP || bugtraq,2714 || cve,2001-0331
-596 || RPC portmap listing || arachnids,429
-597 || RPC portmap listing || arachnids,429
-598 || RPC portmap listing TCP 111 || arachnids,428
-599 || RPC portmap listing TCP 32771 || arachnids,429
-600 || RPC EXPLOIT statdx || arachnids,442
-601 || RSERVICES rlogin LinuxNIS
-602 || RSERVICES rlogin bin || arachnids,384
-603 || RSERVICES rlogin echo++ || arachnids,385
-604 || RSERVICES rsh froot || arachnids,387
-605 || RSERVICES rlogin login failure || arachnids,393
-606 || RSERVICES rlogin root || arachnids,389
-607 || RSERVICES rsh bin || arachnids,390
-608 || RSERVICES rsh echo + + || arachnids,388
-609 || RSERVICES rsh froot || arachnids,387
-610 || RSERVICES rsh root || arachnids,391
-611 || RSERVICES rlogin login failure || arachnids,392
-612 || RPC rusers query UDP || cve,1999-0626
-613 || SCAN myscan || arachnids,439
-614 || BACKDOOR hack-a-tack attempt || arachnids,314
-615 || SCAN SOCKS Proxy attempt || url,help.undernet.org/proxyscan/
-616 || SCAN ident version request || arachnids,303
-617 || 
SCAN ssh-research-scanner
-618 || SCAN Squid Proxy attempt
-619 || SCAN cybercop os probe || arachnids,146
-620 || SCAN Proxy Port 8080 attempt
-621 || SCAN FIN || arachnids,27
-622 || SCAN ipEye SYN scan || arachnids,236
-623 || SCAN NULL || arachnids,4
-624 || SCAN SYN FIN || arachnids,198
-625 || SCAN XMAS || arachnids,144
-626 || SCAN cybercop os PA12 attempt || arachnids,149
-627 || SCAN cybercop os SFU12 probe || arachnids,150
-628 || SCAN nmap TCP || arachnids,28
-629 || SCAN nmap fingerprint attempt || arachnids,05
-630 || SCAN synscan portscan || arachnids,441
-631 || SMTP ehlo cybercop attempt || arachnids,372
-632 || SMTP expn cybercop attempt || arachnids,371
-634 || SCAN Amanda client version request
-635 || SCAN XTACACS logout || arachnids,408
-636 || SCAN cybercop udp bomb || arachnids,363
-637 || SCAN Webtrends Scanner UDP Probe || arachnids,308
-638 || SHELLCODE SGI NOOP || arachnids,356
-639 || SHELLCODE SGI NOOP || arachnids,357
-640 || SHELLCODE AIX NOOP
-641 || SHELLCODE Digital UNIX NOOP || arachnids,352
-642 || SHELLCODE HP-UX NOOP || arachnids,358
-643 || SHELLCODE HP-UX NOOP || arachnids,359
-644 || SHELLCODE sparc NOOP || arachnids,345
-645 || SHELLCODE sparc NOOP || arachnids,353
-646 || SHELLCODE sparc NOOP || arachnids,355
-647 || SHELLCODE sparc setuid 0 || arachnids,282
-648 || SHELLCODE x86 NOOP || arachnids,181
-649 || SHELLCODE x86 setgid 0 || arachnids,284
-650 || SHELLCODE x86 setuid 0 || arachnids,436
-651 || SHELLCODE x86 stealth NOOP || arachnids,291
-652 || SHELLCODE Linux shellcode || arachnids,343
-653 || SHELLCODE x86 0x90 unicode NOOP
-654 || SMTP RCPT TO overflow || bugtraq,2283 || bugtraq,9696 || cve,2001-0260
-655 || SMTP sendmail 8.6.9 exploit || arachnids,140 || bugtraq,2311 || cve,1999-0204
-656 || SMTP EXPLOIT x86 windows CSMMail overflow || bugtraq,895 || cve,2000-0042
-657 || SMTP chameleon overflow || arachnids,266 || bugtraq,2387 || cve,1999-0261
-658 || SMTP exchange mime DOS || bugtraq,1869 || cve,2000-1006 
|| nessus,10558
-659 || SMTP expn decode || arachnids,32 || cve,1999-0096 || nessus,10248
-660 || SMTP expn root || arachnids,31 || cve,1999-0531 || nessus,10249
-661 || SMTP majordomo ifs || arachnids,143 || cve,1999-0208
-662 || SMTP sendmail 5.5.5 exploit || arachnids,119 || cve,1999-0203 || nessus,10258
-663 || SMTP rcpt to command attempt || arachnids,172 || bugtraq,1 || cve,1999-0095
-664 || SMTP RCPT TO decode attempt || arachnids,121 || bugtraq,2308 || cve,1999-0203
-665 || SMTP sendmail 5.6.5 exploit || arachnids,122 || bugtraq,2308 || cve,1999-0203
-666 || SMTP sendmail 8.4.1 exploit || arachnids,120
-667 || SMTP sendmail 8.6.10 exploit || arachnids,123 || bugtraq,2311 || cve,1999-0204
-668 || SMTP sendmail 8.6.10 exploit || arachnids,124
-669 || SMTP sendmail 8.6.9 exploit || arachnids,142 || bugtraq,2311 || cve,1999-0204
-670 || SMTP sendmail 8.6.9 exploit || arachnids,139 || bugtraq,2311 || cve,1999-0204
-671 || SMTP sendmail 8.6.9c exploit || arachnids,141 || bugtraq,2311 || cve,1999-0204
-672 || SMTP vrfy decode || arachnids,373 || bugtraq,10248 || cve,1999-0096
-673 || MS-SQL sp_start_job - program execution
-674 || MS-SQL xp_displayparamstmt possible buffer overflow || bugtraq,2030 || cve,2000-1081 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-675 || MS-SQL xp_setsqlsecurity possible buffer overflow || bugtraq,2043 || cve,2000-1088 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-676 || MS-SQL/SMB sp_start_job - program execution
-677 || MS-SQL/SMB sp_password password change
-678 || MS-SQL/SMB sp_delete_alert log file deletion
-679 || MS-SQL/SMB sp_adduser database user creation
-680 || MS-SQL/SMB sa login failed || bugtraq,4797 || cve,2000-1209
-681 || MS-SQL/SMB xp_cmdshell program execution
-682 || MS-SQL xp_enumresultset possible buffer overflow || bugtraq,2031 || cve,2000-1082 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-683 || MS-SQL sp_password - password change
-684 || MS-SQL 
sp_delete_alert log file deletion
-685 || MS-SQL sp_adduser - database user creation
-686 || MS-SQL xp_reg* - registry access || bugtraq,5205 || cve,2002-0642 || nessus,10642
-687 || MS-SQL xp_cmdshell - program execution
-688 || MS-SQL sa login failed || bugtraq,4797 || cve,CAN-2000-1209 || nessus,10673
-689 || MS-SQL/SMB xp_reg* registry access || bugtraq,5205 || cve,2002-0642 || nessus,10642
-690 || MS-SQL/SMB xp_printstatements possible buffer overflow || bugtraq,2041 || cve,2000-1086 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-691 || MS-SQL shellcode attempt
-692 || MS-SQL/SMB shellcode attempt
-693 || MS-SQL shellcode attempt
-694 || MS-SQL/SMB shellcode attempt
-695 || MS-SQL/SMB xp_sprintf possible buffer overflow || bugtraq,1204 || url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx
-696 || MS-SQL/SMB xp_showcolv possible buffer overflow || bugtraq,2038 || cve,2000-1083 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-697 || MS-SQL/SMB xp_peekqueue possible buffer overflow || bugtraq,2040 || cve,2000-1085 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-698 || MS-SQL/SMB xp_proxiedmetadata possible buffer overflow || bugtraq,2042 || cve,2000-1087 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-699 || MS-SQL xp_printstatements possible buffer overflow || bugtraq,2041 || cve,2000-1086 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-700 || MS-SQL/SMB xp_updatecolvbm possible buffer overflow || bugtraq,2039 || cve,2000-1084 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-701 || MS-SQL xp_updatecolvbm possible buffer overflow || bugtraq,2039 || cve,2000-1084 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-702 || MS-SQL/SMB xp_displayparamstmt possible buffer overflow || bugtraq,2030 || cve,2000-1081 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-703 || MS-SQL/SMB xp_setsqlsecurity possible buffer overflow 
|| bugtraq,2043 || cve,CAN-2000-1088 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-704 || MS-SQL xp_sprintf possible buffer overflow || bugtraq,1204 || cve,CAN-2001-0542 || url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx
-705 || MS-SQL xp_showcolv possible buffer overflow || bugtraq,2038 || cve,2000-1083 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-706 || MS-SQL xp_peekqueue possible buffer overflow || bugtraq,2040 || cve,2000-1085 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-707 || MS-SQL xp_proxiedmetadata possible buffer overflow || bugtraq,2024 || cve,1999-0287 || cve,2000-1087 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-708 || MS-SQL/SMB xp_enumresultset possible buffer overflow || bugtraq,2031 || cve,2000-1082 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-709 || TELNET 4Dgifts SGI account attempt || cve,1999-0501 || nessus,11243
-710 || TELNET EZsetup account attempt || cve,1999-0501 || nessus,11244
-711 || TELNET SGI telnetd format bug || arachnids,304 || bugtraq,1572 || cve,2000-0733
-712 || TELNET ld_library_path || arachnids,367 || bugtraq,459 || cve,1999-0073
-713 || TELNET livingston DOS || arachnids,370 || bugtraq,2225 || cve,1999-0218
-714 || TELNET resolv_host_conf || arachnids,369 || bugtraq,2181 || cve,2001-0170
-715 || TELNET Attempted SU from wrong group
-716 || TELNET access || arachnids,08 || cve,1999-0619 || nessus,10280
-717 || TELNET not on console || arachnids,365
-718 || TELNET login incorrect || arachnids,127
-719 || TELNET root login
-720 || Virus - SnowWhite Trojan Incoming
-721 || VIRUS OUTBOUND bad file attachment
-722 || Virus - Possible NAVIDAD Worm
-723 || Virus - Possible MyRomeo Worm
-724 || Virus - Possible MyRomeo Worm
-725 || Virus - Possible MyRomeo Worm
-726 || Virus - Possible MyRomeo Worm
-727 || Virus - Possible MyRomeo Worm
-728 || Virus - Possible MyRomeo Worm
-729 || VIRUS OUTBOUND .scr file attachment 
-730 || VIRUS OUTBOUND .shs file attachment
-731 || Virus - Possible QAZ Worm || MCAFEE,98775
-732 || Virus - Possible QAZ Worm Infection || MCAFEE,98775
-733 || Virus - Possible QAZ Worm Calling Home || MCAFEE,98775
-734 || Virus - Possible Matrix worm
-735 || Virus - Possible MyRomeo Worm
-736 || Virus - Successful eurocalculator execution
-737 || Virus - Possible eurocalculator.exe file
-738 || Virus - Possible Pikachu Pokemon Virus || MCAFEE,98696
-739 || Virus - Possible Triplesix Worm || MCAFEE,10389
-740 || Virus - Possible Tune.vbs || MCAFEE,10497
-741 || Virus - Possible NAIL Worm || MCAFEE,10109
-742 || Virus - Possible NAIL Worm || MCAFEE,10109
-743 || Virus - Possible NAIL Worm || MCAFEE,10109
-744 || Virus - Possible NAIL Worm || MCAFEE,10109
-745 || Virus - Possible Papa Worm || MCAFEE,10145
-746 || Virus - Possible Freelink Worm || MCAFEE,10225
-747 || Virus - Possible Simbiosis Worm
-748 || Virus - Possible BADASS Worm || MCAFEE,10388
-749 || Virus - Possible ExploreZip.B Worm || MCAFEE,10471
-751 || Virus - Possible wscript.KakWorm || MCAFEE,10509
-752 || Virus Possible Suppl Worm || MCAFEE,10361
-753 || Virus - Possible NewApt.Worm - theobbq.exe || MCAFEE,10540
-754 || Virus - Possible Word Macro - VALE || MCAFEE,10502
-755 || Virus - Possible IROK Worm || MCAFEE,98552
-756 || Virus - Possible Fix2001 Worm || MCAFEE,10355
-757 || Virus - Possible Y2K Zelu Trojan || MCAFEE,10505
-758 || Virus - Possible The_Fly Trojan || MCAFEE,10478
-759 || Virus - Possible Word Macro - VALE || MCAFEE,10502
-760 || Virus - Possible Passion Worm || MCAFEE,10467
-761 || Virus - Possible NewApt.Worm - cooler3.exe || MCAFEE,10540
-762 || Virus - Possible NewApt.Worm - party.exe || MCAFEE,10540
-763 || Virus - Possible NewApt.Worm - hog.exe || MCAFEE,10540
-764 || Virus - Possible NewApt.Worm - goal1.exe || MCAFEE,10540
-765 || Virus - Possible NewApt.Worm - pirate.exe || MCAFEE,10540
-766 || Virus - Possible NewApt.Worm - video.exe || MCAFEE,10540
-767 || Virus - 
Possible NewApt.Worm - baby.exe || MCAFEE,10540
-768 || Virus - Possible NewApt.Worm - cooler1.exe || MCAFEE,10540
-769 || Virus - Possible NewApt.Worm - boss.exe || MCAFEE,10540
-770 || Virus - Possible NewApt.Worm - g-zilla.exe || MCAFEE,10540
-771 || Virus - Possible ToadieE-mail Trojan || MCAFEE,10540
-772 || Virus - Possible PrettyPark Trojan || MCAFEE,10175
-773 || Virus - Possible Happy99 Virus || MCAFEE,10144
-774 || Virus - Possible CheckThis Trojan
-775 || Virus - Possible Bubbleboy Worm || MCAFEE,10418
-776 || Virus - Possible NewApt.Worm - copier.exe || MCAFEE,10540
-777 || Virus - Possible MyPics Worm || MCAFEE,10467
-778 || Virus - Possible Babylonia - X-MAS.exe || MCAFEE,10461
-779 || Virus - Possible NewApt.Worm - gadget.exe || MCAFEE,10540
-780 || Virus - Possible NewApt.Worm - irnglant.exe || MCAFEE,10540
-781 || Virus - Possible NewApt.Worm - casper.exe || MCAFEE,10540
-782 || Virus - Possible NewApt.Worm - fborfw.exe || MCAFEE,10540
-783 || Virus - Possible NewApt.Worm - saddam.exe || MCAFEE,10540
-784 || Virus - Possible NewApt.Worm - bboy.exe || MCAFEE,10540
-785 || Virus - Possible NewApt.Worm - monica.exe || MCAFEE,10540
-786 || Virus - Possible NewApt.Worm - goal.exe || MCAFEE,10540
-787 || Virus - Possible NewApt.Worm - panther.exe || MCAFEE,10540
-788 || Virus - Possible NewApt.Worm - chestburst.exe || MCAFEE,10540
-789 || Virus - Possible NewApt.Worm - farter.exe || MCAFEE,1054
-790 || Virus - Possible Common Sense Worm
-791 || Virus - Possible NewApt.Worm - cupid2.exe || MCAFEE,10540
-792 || Virus - Possible Resume Worm || MCAFEE,98661
-793 || VIRUS OUTBOUND .vbs file attachment
-794 || Virus - Possible Resume Worm || MCAFEE,98661
-795 || Virus - Possible Worm - txt.vbs file
-796 || Virus - Possible Worm - xls.vbs file
-797 || Virus - Possible Worm - jpg.vbs file
-798 || Virus - Possible Worm - gif.vbs file
-799 || Virus - Possible Timofonica Worm || MCAFEE,98674
-800 || Virus - Possible Resume Worm || MCAFEE,98661
-801 || Virus - 
Possible Worm - doc.vbs file
-802 || Virus - Possbile Zipped Files Trojan || MCAFEE,10450
-803 || WEB-CGI HyperSeek hsx.cgi directory traversal attempt || bugtraq,2314 || cve,2001-0253 || nessus,10602
-804 || WEB-CGI SWSoft ASPSeek Overflow attempt || bugtraq,2492 || cve,2001-0476
-805 || WEB-CGI webspeed access || arachnids,467 || bugtraq,969 || cve,2000-0127 || nessus,10304
-806 || WEB-CGI yabb directory traversal attempt || arachnids,462 || bugtraq,1668 || cve,2000-0853
-807 || WEB-CGI /wwwboard/passwd.txt access || arachnids,463 || bugtraq,649 || cve,1999-0953 || cve,1999-0954 || nessus,10321
-808 || WEB-CGI webdriver access || arachnids,473 || bugtraq,2166 || nessus,10592
-809 || WEB-CGI whois_raw.cgi arbitrary command execution attempt || arachnids,466 || bugtraq,304 || cve,1999-1063 || nessus,10306
-810 || WEB-CGI whois_raw.cgi access || arachnids,466 || bugtraq,304 || cve,1999-1063 || nessus,10306
-811 || WEB-CGI websitepro path access || arachnids,468 || bugtraq,932 || cve,2000-0066
-812 || WEB-CGI webplus version access || arachnids,470 || bugtraq,1102 || cve,2000-0282
-813 || WEB-CGI webplus directory traversal || arachnids,471 || bugtraq,1102 || cve,2000-0282
-815 || WEB-CGI websendmail access || arachnids,469 || bugtraq,2077 || cve,1999-0196 || nessus,10301
-817 || WEB-CGI dcboard.cgi invalid user addition attempt || bugtraq,2728 || cve,2001-0527 || nessus,10583
-818 || WEB-CGI dcforum.cgi access || bugtraq,2728 || cve,2001-0527 || nessus,10583
-819 || WEB-CGI mmstdod.cgi access || bugtraq,2063 || cve,2001-0021 || nessus,10566
-820 || WEB-CGI anaconda directory transversal attempt || bugtraq,2338 || bugtraq,2388 || cve,2000-0975 || cve,2001-0308
-821 || WEB-CGI imagemap.exe overflow attempt || arachnids,412 || bugtraq,739 || cve,1999-0951 || nessus,10122
-823 || WEB-CGI cvsweb.cgi access || bugtraq,1469 || cve,2000-0670 || nessus,10465
-824 || WEB-CGI php.cgi access || arachnids,232 || bugtraq,2250 || bugtraq,712 || cve,1999-0238 || cve,1999-058 || 
nessus,10178
-825 || WEB-CGI glimpse access || bugtraq,2026 || cve,1999-0147 || nessus,10095
-826 || WEB-CGI htmlscript access || bugtraq,2001 || cve,1999-0264 || nessus,10106
-827 || WEB-CGI info2www access || bugtraq,1995 || cve,1999-0266 || nessus,10127
-828 || WEB-CGI maillist.pl access
-829 || WEB-CGI nph-test-cgi access || arachnids,224 || bugtraq,686 || cve,1999-0045 || nessus,10165
-830 || WEB-CGI NPH-publish access || cve,1999-1177 || nessus,10164
-832 || WEB-CGI perl.exe access || arachnids,219 || cve,1999-0509 || nessus,10173 || url,www.cert.org/advisories/CA-1996-11.html
-833 || WEB-CGI rguest.exe access || bugtraq,2024 || cve,1999-0287 || cve,1999-0467
-834 || WEB-CGI rwwwshell.pl access || url,www.itsecurity.com/papers/p37.htm
-835 || WEB-CGI test-cgi access || arachnids,218 || bugtraq,2003 || cve,1999-0070 || nessus,10282
-836 || WEB-CGI textcounter.pl access || bugtraq,2265 || cve,1999-1479 || nessus,11451
-837 || WEB-CGI uploader.exe access || cve,1999-0177 || nessus,10291
-838 || WEB-CGI webgais access || arachnids,472 || bugtraq,2058 || cve,1999-0176 || nessus,10300
-839 || WEB-CGI finger access || arachnids,221 || cve,1999-0612 || nessus,10071
-840 || WEB-CGI perlshop.cgi access || cve,1999-1374
-841 || WEB-CGI pfdisplay.cgi access || bugtraq,64 || cve,1999-0270 || nessus,10174
-842 || WEB-CGI aglimpse access || bugtraq,2026 || cve,1999-0147 || nessus,10095
-843 || WEB-CGI anform2 access || arachnids,225 || bugtraq,719 || cve,1999-0066
-844 || WEB-CGI args.bat access || cve,1999-1180 || nessus,11465
-845 || WEB-CGI AT-admin.cgi access || cve,1999-1072
-846 || WEB-CGI bnbform.cgi access || bugtraq,2147 || cve,1999-0937
-847 || WEB-CGI campas access || bugtraq,1975 || cve,1999-0146 || nessus,10035 || nessus,10035
-848 || WEB-CGI view-source directory traversal || bugtraq,2251 || bugtraq,8883 || cve,1999-0174
-849 || WEB-CGI view-source access || bugtraq,2251 || bugtraq,8883 || cve,1999-0174
-850 || WEB-CGI wais.pl access
-851 || WEB-CGI files.pl 
access || cve,1999-1081
-852 || WEB-CGI wguest.exe access || bugtraq,2024 || cve,1999-0287 || cve,1999-0467
-853 || WEB-CGI wrap access || arachnids,234 || bugtraq,373 || cve,1999-0149 || nessus,10317
-854 || WEB-CGI classifieds.cgi access || bugtraq,2020 || cve,1999-0934
-855 || WEB-CGI edit.pl access || bugtraq,2713
-856 || WEB-CGI environ.cgi access
-857 || WEB-CGI faxsurvey access || bugtraq,2056 || cve,1999-0262 || nessus,10067
-858 || WEB-CGI filemail access || cve,1999-1154
-859 || WEB-CGI man.sh access || bugtraq,2276 || cve,1999-1179
-860 || WEB-CGI snork.bat access || arachnids,220 || bugtraq,1053 || cve,2000-0169
-861 || WEB-CGI w3-msql access || arachnids,210 || bugtraq,591 || bugtraq,898 || cve,1999-0276 || cve,1999-0753 || cve,2000-0012 || nessus,10296
-862 || WEB-CGI csh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html
-863 || WEB-CGI day5datacopier.cgi access || cve,1999-1232
-864 || WEB-CGI day5datanotifier.cgi access || cve,1999-1232
-865 || WEB-CGI ksh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html
-866 || WEB-CGI post-query access || bugtraq,6752 || cve,2001-0291
-867 || WEB-CGI visadmin.exe access || bugtraq,1808 || cve,1999-0970 || cve,1999-1970 || nessus,10295
-868 || WEB-CGI rsh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html
-869 || WEB-CGI dumpenv.pl access || cve,1999-1178 || nessus,10060
-870 || WEB-CGI snorkerz.cmd access
-871 || WEB-CGI survey.cgi access || bugtraq,1817 || cve,1999-0936
-872 || WEB-CGI tcsh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html
-873 || WEB-CGI scriptalias access || arachnids,227 || bugtraq,2300 || cve,1999-0236
-874 || WEB-CGI w3-msql solaris x86 access || arachnids,211 || cve,1999-0276
-875 || WEB-CGI win-c-sample.exe access || arachnids,231 || bugtraq,2078 || cve,1999-0178 || nessus,10008
-877 || WEB-CGI rksh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html
-878 || WEB-CGI w3tvars.pm access
-879 
|| WEB-CGI admin.pl access || bugtraq,3839 || url,online.securityfocus.com/archive/1/249355
-880 || WEB-CGI LWGate access || url,www.netspace.org/~dwb/lwgate/lwgate-history.html || url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm
-881 || WEB-CGI archie access
-882 || WEB-CGI calendar access
-883 || WEB-CGI flexform access || url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm
-884 || WEB-CGI formmail access || arachnids,226 || bugtraq,1187 || bugtraq,2079 || cve,1999-0172 || cve,2000-0411 || nessus,10076 || nessus,10782
-885 || WEB-CGI bash access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html
-886 || WEB-CGI phf access || arachnids,128 || bugtraq,629 || cve,1999-0067
-887 || WEB-CGI www-sql access || url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2
-888 || WEB-CGI wwwadmin.pl access
-889 || WEB-CGI ppdscgi.exe access || bugtraq,491 || nessus,10187 || nessus,10187 || url,online.securityfocus.com/archive/1/16878
-890 || WEB-CGI sendform.cgi access || bugtraq,5286 || cve,2002-0710 || url,www.scn.org/help/sendform.txt
-891 || WEB-CGI upload.pl access
-892 || WEB-CGI AnyForm2 access || bugtraq,719 || cve,1999-0066 || nessus,10277
-893 || WEB-CGI MachineInfo access || cve,1999-1067
-894 || WEB-CGI bb-hist.sh access || bugtraq,142 || cve,1999-1462 || nessus,10025
-895 || WEB-CGI redirect access || bugtraq,1179 || cve,2000-0382
-896 || WEB-CGI way-board access || bugtraq,2370 || cve,2001-0214 || nessus,10610
-897 || WEB-CGI pals-cgi access || bugtraq,2372 || cve,2001-0216 || cve,2001-0217 || nessus,10611
-898 || WEB-CGI commerce.cgi access || bugtraq,2361 || cve,2001-0210 || nessus,10612
-899 || WEB-CGI Amaya templates sendtemp.pl directory traversal attempt || bugtraq,2504 || cve,2001-0272
-900 || WEB-CGI webspirs.cgi directory traversal attempt || bugtraq,2362 || cve,2001-0211 || nessus,10616
-901 || WEB-CGI webspirs.cgi access || bugtraq,2362 || cve,2001-0211 || nessus,10616
-902 || WEB-CGI tstisapi.dll access || bugtraq,2381 || cve,2001-0302
-903 || 
WEB-COLDFUSION cfcache.map access || bugtraq,917 || cve,2000-0057
-904 || WEB-COLDFUSION exampleapp application.cfm || bugtraq,1021 || cve,2000-0189
-905 || WEB-COLDFUSION application.cfm access || bugtraq,1021 || cve,2000-0189
-906 || WEB-COLDFUSION getfile.cfm access || bugtraq,229 || cve,1999-0800
-907 || WEB-COLDFUSION addcontent.cfm access
-908 || WEB-COLDFUSION administrator access || bugtraq,1314 || cve,2000-0538
-909 || WEB-COLDFUSION datasource username attempt || bugtraq,550
-910 || WEB-COLDFUSION fileexists.cfm access || bugtraq,550
-911 || WEB-COLDFUSION exprcalc access || bugtraq,115 || bugtraq,550 || cve,1999-0455
-912 || WEB-COLDFUSION parks access || bugtraq,550
-913 || WEB-COLDFUSION cfappman access || bugtraq,550
-914 || WEB-COLDFUSION beaninfo access || bugtraq,550
-915 || WEB-COLDFUSION evaluate.cfm access || bugtraq,550
-916 || WEB-COLDFUSION getodbcdsn access || bugtraq,550
-917 || WEB-COLDFUSION db connections flush attempt || bugtraq,550
-918 || WEB-COLDFUSION expeval access || bugtraq,550 || cve,1999-0477
-919 || WEB-COLDFUSION datasource passwordattempt || bugtraq,550
-920 || WEB-COLDFUSION datasource attempt || bugtraq,550
-921 || WEB-COLDFUSION admin encrypt attempt || bugtraq,550
-922 || WEB-COLDFUSION displayfile access || bugtraq,550
-923 || WEB-COLDFUSION getodbcin attempt || bugtraq,550
-924 || WEB-COLDFUSION admin decrypt attempt || bugtraq,550
-925 || WEB-COLDFUSION mainframeset access || bugtraq,550
-926 || WEB-COLDFUSION set odbc ini attempt || bugtraq,550
-927 || WEB-COLDFUSION settings refresh attempt || bugtraq,550
-928 || WEB-COLDFUSION exampleapp access
-929 || WEB-COLDFUSION CFUSION_VERIFYMAIL access || bugtraq,550
-930 || WEB-COLDFUSION snippets attempt || bugtraq,550
-931 || WEB-COLDFUSION cfmlsyntaxcheck.cfm access || bugtraq,550
-932 || WEB-COLDFUSION application.cfm access || arachnids,268 || bugtraq,550 || cve,2000-0189
-933 || WEB-COLDFUSION onrequestend.cfm access || arachnids,269 || bugtraq,550 || cve,2000-0189 
-935 || WEB-COLDFUSION startstop DOS access || bugtraq,247
-936 || WEB-COLDFUSION gettempdirectory.cfm access || bugtraq,550
-937 || WEB-FRONTPAGE _vti_rpc access || bugtraq,2144 || cve,2001-0096 || nessus,10585
-939 || WEB-FRONTPAGE posting || bugtraq,2144 || cve,2001-0096 || nessus,10585
-940 || WEB-FRONTPAGE shtml.dll access || arachnids,292 || bugtraq,1594 || bugtraq,1595 || cve,CAN-2000-0746 || cve,CAN-2000-0746 || nessus,11395 || url,www.microsoft.com/technet/security/bulletin/ms00-060.mspx
-941 || WEB-FRONTPAGE contents.htm access
-942 || WEB-FRONTPAGE orders.htm access
-943 || WEB-FRONTPAGE fpsrvadm.exe access
-944 || WEB-FRONTPAGE fpremadm.exe access
-945 || WEB-FRONTPAGE fpadmin.htm access
-946 || WEB-FRONTPAGE fpadmcgi.exe access
-947 || WEB-FRONTPAGE orders.txt access
-948 || WEB-FRONTPAGE form_results access
-949 || WEB-FRONTPAGE registrations.htm access
-950 || WEB-FRONTPAGE cfgwiz.exe access
-951 || WEB-FRONTPAGE authors.pwd access || bugtraq,989 || cve,1999-0386 || nessus,10078
-952 || WEB-FRONTPAGE author.exe access
-953 || WEB-FRONTPAGE administrators.pwd access || bugtraq,1205
-954 || WEB-FRONTPAGE form_results.htm access
-955 || WEB-FRONTPAGE access.cnf access || bugtraq,4078 || nessus,10575
-956 || WEB-FRONTPAGE register.txt access
-957 || WEB-FRONTPAGE registrations.txt access
-958 || WEB-FRONTPAGE service.cnf access || bugtraq,4078 || nessus,10575
-959 || WEB-FRONTPAGE service.pwd || bugtraq,1205
-960 || WEB-FRONTPAGE service.stp access
-961 || WEB-FRONTPAGE services.cnf access || bugtraq,4078 || nessus,10575
-962 || WEB-FRONTPAGE shtml.exe access || bugtraq,1174 || bugtraq,1608 || bugtraq,5804 || cve,2000-0413 || cve,2000-0709 || cve,CVE-2002-0692 || nessus,10405 || nessus,11311
-963 || WEB-FRONTPAGE svcacl.cnf access || bugtraq,4078 || nessus,10575
-964 || WEB-FRONTPAGE users.pwd access
-965 || WEB-FRONTPAGE writeto.cnf access || bugtraq,4078 || nessus,10575
-966 || WEB-FRONTPAGE .... 
request || arachnids,248 || bugtraq,989 || cve,1999-0386 || cve,2000-0153 || nessus,10142
-967 || WEB-FRONTPAGE dvwssr.dll access || arachnids,271 || bugtraq,1108 || bugtraq,1109 || cve,2000-0260 || url,www.microsoft.com/technet/security/bulletin/ms00-025.mspx
-968 || WEB-FRONTPAGE register.htm access
-969 || WEB-IIS WebDAV file lock attempt || bugtraq,2736
-970 || WEB-IIS multiple decode attempt || bugtraq,2708 || cve,2001-0333 || nessus,10671
-971 || WEB-IIS ISAPI .printer access || arachnids,533 || bugtraq,2674 || cve,2001-0241 || nessus,10661
-972 || WEB-IIS %2E-asp access || bugtraq,1814 || cve,1999-0253
-973 || WEB-IIS *.idc attempt || bugtraq,1448 || cve,1999-0874 || cve,2000-0661
-974 || WEB-IIS Directory transversal attempt || bugtraq,2218 || cve,1999-0229
-975 || WEB-IIS Alternate Data streams ASP file access attempt || bugtraq,149 || cve,1999-0278 || nessus,10362 || url,support.microsoft.com/default.aspx?scid=kb\
-976 || WEB-IIS .bat? access || bugtraq,2023 || cve,1999-0233 || url,support.microsoft.com/support/kb/articles/Q148/1/88.asp || url,support.microsoft.com/support/kb/articles/Q155/0/56.asp
-977 || WEB-IIS .cnf access || bugtraq,4078 || nessus,10575
-978 || WEB-IIS ASP contents view || bugtraq,1084 || cve,2000-0302 || nessus,10356
-979 || WEB-IIS ASP contents view || bugtraq,1861 || cve,2000-0942
-980 || WEB-IIS CGImail.exe access || bugtraq,1623 || cve,2000-0726
-981 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537
-982 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537
-983 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537
-984 || WEB-IIS JET VBA access || bugtraq,307 || cve,1999-0874 || nessus,10116
-985 || WEB-IIS JET VBA access || bugtraq,286 || cve,1999-0874
-986 || WEB-IIS MSProxy access
-987 || WEB-IIS .htr access || bugtraq,1488 || cve,2000-0630 || nessus,10680
-988 || WEB-IIS SAM Attempt || 
url,www.ciac.org/ciac/bulletins/h-45.shtml
-989 || BACKDOOR sensepost.exe command shell attempt || nessus,11003
-990 || WEB-FRONTPAGE _vti_inf.html access || nessus,11455
-991 || WEB-IIS achg.htr access || bugtraq,2110 || cve,1999-0407
-992 || WEB-IIS adctest.asp access
-993 || WEB-IIS iisadmin access || nessus,11032
-994 || WEB-IIS /scripts/iisadmin/default.htm access
-995 || WEB-IIS ism.dll access || bugtraq,189 || cve,1999-1538 || cve,2000-0630
-996 || WEB-IIS anot.htr access || bugtraq,2110 || cve,1999-0407
-997 || WEB-IIS asp-dot attempt || bugtraq,1814 || nessus,10363
-998 || WEB-IIS asp-srch attempt
-999 || WEB-IIS bdir access
-1000 || WEB-IIS bdir.htr access || bugtraq,2280 || nessus,10577
-1001 || WEB-MISC carbo.dll access || bugtraq,2126 || cve,1999-1069
-1002 || WEB-IIS cmd.exe access
-1003 || WEB-IIS cmd? access
-1004 || WEB-IIS codebrowser Exair access || cve,1999-0499 || cve,1999-0815
-1005 || WEB-IIS codebrowser SDK access || bugtraq,167 || cve,1999-0736
-1007 || WEB-IIS cross-site scripting attempt || nessus,10572
-1008 || WEB-IIS del attempt
-1009 || WEB-IIS directory listing || nessus,10573
-1010 || WEB-IIS encoding access || arachnids,200
-1011 || WEB-IIS exec-src access
-1012 || WEB-IIS fpcount attempt || bugtraq,2252 || cve,1999-1376
-1013 || WEB-IIS fpcount access || bugtraq,2252 || cve,1999-1376
-1015 || WEB-IIS getdrvs.exe access
-1016 || WEB-IIS global.asa access || cve,2000-0778 || nessus,10491 || nessus,10991
-1017 || WEB-IIS idc-srch attempt || cve,1999-0874
-1018 || WEB-IIS iisadmpwd attempt || bugtraq,1191 || bugtraq,2110 || cve,2000-0304
-1019 || WEB-IIS index server file source code attempt || bugtraq,1084 || nessus,10356
-1020 || WEB-IIS isc$data attempt || bugtraq,307 || cve,1999-0874 || nessus,10116
-1021 || WEB-IIS ism.dll attempt || bugtraq,1193 || cve,2000-0457 || nessus,10680
-1022 || WEB-IIS jet vba access || bugtraq,286 || cve,1999-0874
-1023 || WEB-IIS msadcs.dll access || bugtraq,529 || cve,1999-1011 || nessus,10357
-1024 
|| WEB-IIS newdsn.exe access || bugtraq,1818 || cve,1999-0191 || nessus,10360
-1025 || WEB-IIS perl access
-1026 || WEB-IIS perl-browse newline attempt || bugtraq,6833
-1027 || WEB-IIS perl-browse space attempt || bugtraq,6833
-1028 || WEB-IIS query.asp access || bugtraq,193 || cve,1999-0449
-1029 || WEB-IIS scripts-browse access || nessus,11032
-1030 || WEB-IIS search97.vts access || bugtraq,162
-1031 || WEB-IIS /SiteServer/Publishing/viewcode.asp access || nessus,10576
-1032 || WEB-IIS showcode access || nessus,10576
-1033 || WEB-IIS showcode access || nessus,10576
-1034 || WEB-IIS showcode access || nessus,10576
-1035 || WEB-IIS showcode access || nessus,10576
-1036 || WEB-IIS showcode access || nessus,10576
-1037 || WEB-IIS showcode.asp access || bugtraq,167 || cve,1999-0736 || nessus,10007
-1038 || WEB-IIS site server config access || bugtraq,256 || cve,1999-1520
-1039 || WEB-IIS srch.htm access
-1040 || WEB-IIS srchadm access || nessus,11032
-1041 || WEB-IIS uploadn.asp access
-1042 || WEB-IIS view source via translate header || arachnids,305 || bugtraq,1578
-1043 || WEB-IIS viewcode.asp access || nessus,10576
-1044 || WEB-IIS webhits access || arachnids,237
-1045 || WEB-IIS Unauthorized IP Access Attempt
-1046 || WEB-IIS site/iisamples access
-1047 || WEB-MISC Netscape Enterprise DOS || bugtraq,2294 || cve,2001-0251
-1048 || WEB-MISC Netscape Enterprise directory listing attempt || bugtraq,2285 || cve,2001-0250
-1049 || WEB-MISC iPlanet ../../ DOS attempt || bugtraq,2282 || cve,2001-0252
-1050 || WEB-MISC iPlanet GETPROPERTIES attempt || bugtraq,2732 || cve,2001-0746
-1051 || WEB-CGI technote main.cgi file directory traversal attempt || bugtraq,2156 || cve,2001-0075
-1052 || WEB-CGI technote print.cgi directory traversal attempt || bugtraq,2156 || cve,2001-0075
-1053 || WEB-CGI ads.cgi command execution attempt || bugtraq,2103 || cve,2001-0025
-1054 || WEB-MISC weblogic/tomcat .jsp view source attempt || bugtraq,2527
-1055 || WEB-MISC Tomcat directory 
traversal attempt || bugtraq,2518
-1056 || WEB-MISC Tomcat view source attempt || bugtraq,2527
-1057 || WEB-MISC ftp attempt
-1058 || WEB-MISC xp_enumdsn attempt
-1059 || WEB-MISC xp_filelist attempt
-1060 || WEB-MISC xp_availablemedia attempt
-1061 || WEB-MISC xp_cmdshell attempt
-1062 || WEB-MISC nc.exe attempt
-1064 || WEB-MISC wsh attempt
-1065 || WEB-MISC rcmd attempt
-1066 || WEB-MISC telnet attempt
-1067 || WEB-MISC net attempt
-1068 || WEB-MISC tftp attempt
-1069 || WEB-MISC xp_regread attempt
-1070 || WEB-MISC WebDAV search access || arachnids,474
-1071 || WEB-MISC .htpasswd access
-1072 || WEB-MISC Lotus Domino directory traversal || bugtraq,2173 || cve,2001-0009 || nessus,12248
-1073 || WEB-MISC webhits.exe access
-1075 || WEB-IIS postinfo.asp access || bugtraq,1811 || cve,1999-0360
-1076 || WEB-IIS repost.asp access || nessus,10372
-1077 || WEB-MISC queryhit.htm access || nessus,10370
-1078 || WEB-MISC counter.exe access || bugtraq,267 || cve,1999-1030
-1079 || WEB-MISC WebDAV propfind access || bugtraq,1656 || cve,2000-0869
-1080 || WEB-MISC unify eWave ServletExec upload || bugtraq,1868 || bugtraq,1876 || cve,2000-1024 || cve,2000-1025 || nessus,10570
-1081 || WEB-MISC Netscape Servers suite DOS || bugtraq,1868 || cve,2000-1025
-1082 || WEB-MISC amazon 1-click cookie theft || bugtraq,1194 || cve,2000-0439
-1083 || WEB-MISC unify eWave ServletExec DOS || bugtraq,1868
-1084 || WEB-MISC Allaire JRUN DOS attempt || bugtraq,2337
-1085 || WEB-PHP strings overflow || arachnids,431 || bugtraq,802
-1086 || WEB-PHP strings overflow || arachnids,430 || bugtraq,1786 || cve,2000-0967
-1087 || WEB-MISC whisker tab splice attack || arachnids,415 || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
-1088 || WEB-CGI eXtropia webstore directory traversal || bugtraq,1774 || cve,2000-1005
-1089 || WEB-CGI shopping cart directory traversal || bugtraq,1777 || cve,2000-0921
-1090 || WEB-CGI Allaire Pro Web Shell attempt
-1091 || WEB-MISC ICQ Webfront HTTP DOS || 
cve,2000-1078 -1092 || WEB-CGI Armada Style Master Index directory traversal || bugtraq,1772 || cve,2000-0924 || url,www.synnergy.net/downloads/advisories/SLA-2000-16.masterindex.txt -1093 || WEB-CGI cached_feed.cgi moreover shopping cart directory traversal || bugtraq,1762 || cve,2000-0906 -1094 || WEB-CGI webstore directory traversal || bugtraq,1774 || cve,2000-1005 -1095 || WEB-MISC Talentsoft Web+ Source Code view access || bugtraq,1722 -1096 || WEB-MISC Talentsoft Web+ internal IP Address access || bugtraq,1720 -1097 || WEB-CGI Talentsoft Web+ exploit attempt || bugtraq,1725 -1098 || WEB-MISC SmartWin CyberOffice Shopping Cart access || bugtraq,1734 || cve,2000-0925 -1099 || WEB-MISC cybercop scan || arachnids,374 -1100 || WEB-MISC L3retriever HTTP Probe || arachnids,310 -1101 || WEB-MISC Webtrends HTTP probe || arachnids,309 -1102 || WEB-MISC nessus 1.X 404 probe || arachnids,301 -1103 || WEB-MISC Netscape admin passwd || bugtraq,1579 || nessus,10468 -1104 || WEB-MISC whisker space splice attack || arachnids,296 || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html -1105 || WEB-MISC BigBrother access || bugtraq,1455 || cve,2000-0638 || nessus,10460 -1106 || WEB-CGI Poll-it access || bugtraq,1431 || cve,2000-0590 -1107 || WEB-MISC ftp.pl access || bugtraq,1471 || cve,2000-0674 || nessus,10467 -1108 || WEB-MISC Tomcat server snoop access || bugtraq,1532 || cve,2000-0760 -1109 || WEB-MISC ROXEN directory list attempt || bugtraq,1510 || cve,2000-0671 -1110 || WEB-MISC apache source.asp file access || bugtraq,1457 || cve,2000-0628 || nessus,10480 -1111 || WEB-MISC Tomcat server exploit access || bugtraq,1548 || cve,2000-0672 || nessus,10477 -1112 || WEB-MISC http directory traversal || arachnids,298 -1113 || WEB-MISC http directory traversal || arachnids,297 -1114 || WEB-MISC prefix-get // -1115 || WEB-MISC ICQ webserver DOS || cve,1999-0474 -1116 || WEB-MISC Lotus DelDoc attempt -1117 || WEB-MISC Lotus EditDoc attempt || 
url,www.securiteam.com/exploits/5NP080A1RE.html -1118 || WEB-MISC ls%20-l -1119 || WEB-MISC mlog.phtml access || bugtraq,713 || cve,1999-0068 || cve,1999-0346 -1120 || WEB-MISC mylog.phtml access || bugtraq,713 || cve,1999-0068 || cve,1999-0346 -1121 || WEB-MISC O'Reilly args.bat access -1122 || WEB-MISC /etc/passwd -1123 || WEB-MISC ?PageServices access || bugtraq,1063 || bugtraq,7621 || cve,1999-0269 -1124 || WEB-MISC Ecommerce check.txt access -1125 || WEB-MISC webcart access || cve,1999-0610 || nessus,10298 -1126 || WEB-MISC AuthChangeUrl access || bugtraq,1191 || cve,2000-0304 -1127 || WEB-MISC convert.bas access || bugtraq,2025 || cve,1999-0175 -1128 || WEB-MISC cpshost.dll access || bugtraq,4002 -1129 || WEB-MISC .htaccess access -1130 || WEB-MISC .wwwacl access -1131 || WEB-MISC .wwwacl access -1132 || WEB-MISC Netscape Unixware overflow || arachnids,180 -1133 || SCAN cybercop os probe || arachnids,145 -1134 || WEB-PHP Phorum admin access || arachnids,205 || bugtraq,2271 -1136 || WEB-MISC cd.. -1137 || WEB-PHP Phorum authentication access || arachnids,206 || bugtraq,2274 -1138 || WEB-MISC Cisco Web DOS attempt || arachnids,275 -1139 || WEB-MISC whisker HEAD/./ || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html -1140 || WEB-MISC guestbook.pl access || arachnids,228 || bugtraq,776 || cve,1999-0237 || cve,1999-1053 || nessus,10099 -1141 || WEB-MISC handler access || arachnids,235 || bugtraq,380 || cve,1999-0148 || nessus,10100 -1142 || WEB-MISC /.... 
access -1143 || WEB-MISC ///cgi-bin access || nessus,11032 -1144 || WEB-MISC /cgi-bin/// access || nessus,11032 -1145 || WEB-MISC /~root access -1146 || WEB-MISC Ecommerce import.txt access -1147 || WEB-MISC cat%20 access || bugtraq,374 || cve,1999-0039 -1148 || WEB-MISC Ecommerce import.txt access -1149 || WEB-CGI count.cgi access || bugtraq,128 || cve,1999-0021 || nessus,10049 -1150 || WEB-MISC Domino catalog.nsf access || nessus,10629 -1151 || WEB-MISC Domino domcfg.nsf access || nessus,10629 -1152 || WEB-MISC Domino domlog.nsf access || nessus,10629 -1153 || WEB-MISC Domino log.nsf access || nessus,10629 -1154 || WEB-MISC Domino names.nsf access || nessus,10629 -1155 || WEB-MISC Ecommerce checks.txt access || bugtraq,2281 -1156 || WEB-MISC apache directory disclosure attempt || bugtraq,2503 -1157 || WEB-MISC Netscape PublishingXpert access || cve,2000-1196 -1158 || WEB-MISC windmail.exe access || arachnids,465 || bugtraq,1073 || cve,2000-0242 || nessus,10365 -1159 || WEB-MISC webplus access || bugtraq,1174 || bugtraq,1720 || bugtraq,1722 || bugtraq,1725 || cve,2000-1005 -1160 || WEB-MISC Netscape dir index wp || arachnids,270 || bugtraq,1063 || cve,2000-0236 -1161 || WEB-PHP piranha passwd.php3 access || arachnids,272 || bugtraq,1149 || cve,2000-0322 -1162 || WEB-MISC cart 32 AdminPwd access || bugtraq,1153 || cve,2000-0429 -1163 || WEB-CGI webdist.cgi access || bugtraq,374 || cve,1999-0039 || nessus,10299 -1164 || WEB-MISC shopping cart access || bugtraq,1983 || bugtraq,2049 || cve,1999-0607 || cve,2000-1188 -1165 || WEB-MISC Novell Groupwise gwweb.exe access || bugtraq,879 || cve,1999-1005 || cve,1999-1006 || nessus,10877 -1166 || WEB-MISC ws_ftp.ini access || bugtraq,547 || cve,1999-1078 -1167 || WEB-MISC rpm_query access || bugtraq,1036 || cve,2000-0192 || nessus,10340 -1168 || WEB-MISC mall log order access || bugtraq,2266 || cve,1999-0606 -1171 || WEB-MISC whisker HEAD with large datagram || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html -1172 
|| WEB-CGI bigconf.cgi access || bugtraq,778 || cve,1999-1550 || nessus,10027 -1173 || WEB-MISC architext_query.pl access || bugtraq,2248 || nessus,10064 || url,www2.fedcirc.gov/alerts/advisories/1998/txt/fedcirc.98.03.txt -1174 || WEB-CGI /cgi-bin/jj access || bugtraq,2002 || cve,1999-0260 || nessus,10131 -1175 || WEB-MISC wwwboard.pl access || bugtraq,1795 || bugtraq,649 || cve,1999-0930 || cve,1999-0954 -1176 || WEB-MISC order.log access -1177 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 -1178 || WEB-PHP Phorum read access || arachnids,208 -1179 || WEB-PHP Phorum violation access || arachnids,209 || bugtraq,2272 -1180 || WEB-MISC get32.exe access || arachnids,258 || bugtraq,1485 || bugtraq,770 || cve,1999-0885 || nessus,10011 -1181 || WEB-MISC Annex Terminal DOS attempt || arachnids,260 || cve,1999-1070 || nessus,10017 -1182 || WEB-MISC cgitest.exe attempt || arachnids,265 || bugtraq,1313 || bugtraq,3885 || cve,2000-0521 || cve,2002-0128 || nessus,10040 || nessus,10623 -1183 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 -1184 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 -1185 || WEB-CGI bizdbsearch attempt || bugtraq,1104 || cve,2000-0287 || nessus,10383 -1186 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 -1187 || WEB-MISC SalesLogix Eviewer web command attempt || bugtraq,1078 || bugtraq,1089 || cve,2000-0278 || cve,2000-0289 -1188 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 -1189 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 -1190 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 -1191 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 -1192 || WEB-MISC Trend Micro OfficeScan access || bugtraq,1057 -1193 || WEB-MISC oracle web arbitrary command execution attempt || bugtraq,1053 || cve,2000-0169 || nessus,10348 -1194 || WEB-CGI sojourn.cgi File attempt || 
bugtraq,1052 || cve,2000-0180 -1195 || WEB-CGI sojourn.cgi access || bugtraq,1052 || cve,2000-0180 -1196 || WEB-CGI SGI InfoSearch fname attempt || arachnids,290 || bugtraq,1031 || cve,2000-0207 -1197 || WEB-PHP Phorum code access || arachnids,207 -1198 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 -1199 || WEB-MISC Compaq Insight directory traversal || arachnids,244 || bugtraq,282 || cve,1999-0771 -1200 || ATTACK-RESPONSES Invalid URL || url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx -1201 || ATTACK-RESPONSES 403 Forbidden -1202 || WEB-MISC search.vts access || bugtraq,162 -1204 || WEB-CGI ax-admin.cgi access -1205 || WEB-CGI axs.cgi access -1206 || WEB-CGI cachemgr.cgi access || bugtraq,2059 || cve,1999-0710 || nessus,10034 -1207 || WEB-MISC htgrep access || cve,2000-0832 -1208 || WEB-CGI responder.cgi access || bugtraq,3155 -1209 || WEB-MISC .nsconfig access -1211 || WEB-CGI web-map.cgi access -1212 || WEB-MISC Admin_files access -1213 || WEB-MISC backup access -1214 || WEB-MISC intranet access || nessus,11626 -1215 || WEB-CGI ministats admin access -1216 || WEB-MISC filemail access || cve,1999-1154 || cve,1999-1155 || url,www.securityfocus.com/archive/1/11175 -1217 || WEB-MISC plusmail access || bugtraq,2653 || cve,2000-0074 || nessus,10181 -1218 || WEB-MISC adminlogin access || bugtraq,1164 || bugtraq,1175 || nessus,11748 -1219 || WEB-CGI dfire.cgi access || bugtraq,0564 || bugtraq,564 || cve,1999-0913 -1220 || WEB-MISC ultraboard access || bugtraq,1164 || bugtraq,1175 || nessus,11748 -1221 || WEB-MISC musicat empower access || bugtraq,2374 || cve,2001-0224 || nessus,10609 -1222 || WEB-CGI pals-cgi arbitrary file access attempt || bugtraq,2372 || cve,2001-0217 || nessus,10611 -1224 || WEB-MISC ROADS search.pl attempt || bugtraq,2371 || cve,2001-0215 || nessus,10627 -1225 || X11 MIT Magic Cookie detected || arachnids,396 -1226 || X11 xopen || arachnids,395 -1227 || X11 outbound client connection detected || arachnids,126 
-1228 || SCAN nmap XMAS || arachnids,30 -1229 || FTP CWD ... || bugtraq,9237 -1230 || WEB-MISC VirusWall FtpSave access || bugtraq,2808 || cve,2001-0432 || nessus,10733 -1231 || WEB-MISC VirusWall catinfo access || bugtraq,2579 || bugtraq,2808 || cve,2001-0432 || nessus,10650 -1232 || WEB-MISC VirusWall catinfo access || bugtraq,2579 || bugtraq,2808 || cve,2001-0432 || nessus,10650 -1233 || WEB-CLIENT Outlook EML access || nessus,10767 -1234 || WEB-MISC VirusWall FtpSaveCSP access || bugtraq,2808 || cve,2001-0432 || nessus,10733 -1235 || WEB-MISC VirusWall FtpSaveCVP access || bugtraq,2808 || cve,2001-0432 || nessus,10733 -1236 || WEB-MISC Tomcat sourecode view -1237 || WEB-MISC Tomcat sourecode view -1238 || WEB-MISC Tomcat sourecode view -1239 || NETBIOS RFParalyze Attempt || bugtraq,1163 || cve,2000-0347 || nessus,10392 -1240 || EXPLOIT MDBMS overflow || bugtraq,1252 || cve,2000-0446 -1241 || WEB-MISC SWEditServlet directory traversal attempt || bugtraq,2868 -1242 || WEB-IIS ISAPI .ida access || arachnids,552 || bugtraq,1065 || cve,2000-0071 -1243 || WEB-IIS ISAPI .ida attempt || arachnids,552 || bugtraq,1065 || cve,2000-0071 -1244 || WEB-IIS ISAPI .idq attempt || arachnids,553 || bugtraq,1065 || bugtraq,968 || cve,2000-0071 || cve,2000-0126 || nessus,10115 -1245 || WEB-IIS ISAPI .idq access || arachnids,553 || bugtraq,1065 || cve,2000-0071 -1246 || WEB-FRONTPAGE rad overflow attempt || arachnids,555 || bugtraq,2906 || cve,2001-0341 || url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx -1247 || WEB-FRONTPAGE rad overflow attempt || bugtraq,2906 || cve,2001-0341 -1248 || WEB-FRONTPAGE rad fp30reg.dll access || arachnids,555 || bugtraq,2906 || cve,2001-0341 || url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx -1249 || WEB-FRONTPAGE frontpage rad fp4areg.dll access || bugtraq,2906 || cve,2001-0341 -1250 || WEB-MISC Cisco IOS HTTP configuration attempt || bugtraq,2936 || cve,2001-0537 -1251 || INFO TELNET Bad Login -1252 || TELNET bsd telnet 
exploit response || bugtraq,3064 || cve,2001-0554 || nessus,10709 -1253 || TELNET bsd exploit client finishing || bugtraq,3064 || cve,2001-0554 || nessus,10709 -1254 || WEB-PHP PHPLIB remote command attempt || bugtraq,3079 || cve,2001-1370 -1255 || WEB-PHP PHPLIB remote command attempt || bugtraq,3079 || cve,2001-1370 -1256 || WEB-IIS CodeRed v2 root.exe access || url,www.cert.org/advisories/CA-2001-19.html -1257 || DOS Winnuke attack || bugtraq,2010 || cve,1999-0153 -1258 || WEB-MISC HP OpenView Manager DOS || bugtraq,2845 || cve,2001-0552 -1259 || WEB-MISC SWEditServlet access || bugtraq,2868 -1260 || WEB-MISC long basic authorization string || bugtraq,3230 || cve,2001-1067 -1261 || EXPLOIT AIX pdnsd overflow || bugtraq,3237 || bugtraq,590 || cve,1999-0745 -1262 || RPC portmap admind request TCP || arachnids,18 -1263 || RPC portmap amountd request TCP || arachnids,19 -1264 || RPC portmap bootparam request TCP || arachnids,16 || cve,1999-0647 -1265 || RPC portmap cmsd request TCP || arachnids,17 -1266 || RPC portmap mountd request TCP || arachnids,13 -1267 || RPC portmap nisd request TCP || arachnids,21 -1268 || RPC portmap pcnfsd request TCP || arachnids,22 -1269 || RPC portmap rexd request TCP || arachnids,23 -1270 || RPC portmap rstatd request TCP || arachnids,10 -1271 || RPC portmap rusers request TCP || arachnids,133 || cve,1999-0626 -1272 || RPC portmap sadmind request TCP || arachnids,20 -1273 || RPC portmap selection_svc request TCP || arachnids,25 -1274 || RPC portmap ttdbserv request TCP || arachnids,24 || bugtraq,122 || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html -1275 || RPC portmap yppasswd request TCP || arachnids,14 -1276 || RPC portmap ypserv request TCP || arachnids,12 || bugtraq,5914 || bugtraq,6016 || cve,2000-1042 || cve,2000-1043 || cve,2002-1232 -1277 || RPC portmap ypupdated request UDP || arachnids,125 -1278 || RPC rstatd query || arachnids,9 -1279 || RPC 
portmap snmpXdmi request UDP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html -1280 || RPC portmap listing UDP 111 || arachnids,428 -1281 || RPC portmap listing UDP 32771 || arachnids,429 -1282 || RPC EXPLOIT statdx || arachnids,442 -1283 || WEB-IIS outlook web dos || bugtraq,3223 -1284 || WEB-CLIENT readme.eml download attempt || url,www.cert.org/advisories/CA-2001-26.html -1285 || WEB-IIS msdac access || nessus,11032 -1286 || WEB-IIS _mem_bin access || nessus,11032 -1287 || WEB-IIS scripts access -1288 || WEB-FRONTPAGE /_vti_bin/ access || nessus,11032 -1289 || TFTP GET Admin.dll || url,www.cert.org/advisories/CA-2001-26.html -1290 || WEB-CLIENT readme.eml autoload attempt || url,www.cert.org/advisories/CA-2001-26.html -1291 || WEB-MISC sml3com access || bugtraq,2721 || cve,2001-0740 -1292 || ATTACK-RESPONSES directory listing -1293 || NETBIOS nimda .eml || url,www.f-secure.com/v-descs/nimda.shtml -1294 || NETBIOS nimda .nws || url,www.f-secure.com/v-descs/nimda.shtml -1295 || NETBIOS nimda RICHED20.DLL || url,www.f-secure.com/v-descs/nimda.shtml -1296 || RPC portmap request yppasswdd || bugtraq,2763 -1297 || RPC portmap request yppasswdd || bugtraq,2763 -1298 || RPC portmap tooltalk request TCP || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html -1299 || RPC portmap tooltalk request UDP || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html -1300 || WEB-PHP admin.php file upload attempt || bugtraq,3361 || cve,2001-1032 -1301 || WEB-PHP admin.php access || bugtraq,3361 || bugtraq,7532 || bugtraq,9270 || cve,2001-1032 -1302 || WEB-MISC console.exe access || bugtraq,3375 || cve,2001-1252 -1303 || WEB-MISC cs.exe access || bugtraq,3375 || cve,2001-1252 -1304 || WEB-CGI txt2html.cgi access -1305 || WEB-CGI txt2html.cgi directory traversal attempt -1306 || WEB-CGI store.cgi product 
directory traversal attempt || bugtraq,2385 || cve,2001-0305 -1307 || WEB-CGI store.cgi access || bugtraq,2385 || cve,2001-0305 || nessus,10639 -1308 || WEB-CGI sendmessage.cgi access || bugtraq,3673 || cve,2001-1100 -1309 || WEB-CGI zsh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html -1310 || PORN free XXX -1311 || PORN hardcore anal -1312 || PORN nude cheerleader -1313 || PORN up skirt -1314 || PORN young teen -1315 || PORN hot young sex -1316 || PORN fuck fuck fuck -1317 || PORN anal sex -1318 || PORN hardcore rape -1319 || PORN real snuff -1320 || PORN fuck movies -1321 || BAD-TRAFFIC 0 ttl || url,support.microsoft.com/default.aspx?scid=kb\ || url,www.isi.edu/in-notes/rfc1122.txt -1322 || BAD-TRAFFIC bad frag bits -1323 || EXPLOIT rwhoisd format string attempt || bugtraq,3474 || cve,2001-0838 -1324 || EXPLOIT ssh CRC32 overflow /bin/sh || bugtraq,2347 || cve,2001-0144 || cve,2001-0572 -1325 || EXPLOIT ssh CRC32 overflow filler || bugtraq,2347 || cve,2001-0144 || cve,2001-0572 -1326 || EXPLOIT ssh CRC32 overflow NOOP || bugtraq,2347 || cve,2001-0144 || cve,2001-0572 -1327 || EXPLOIT ssh CRC32 overflow || bugtraq,2347 || cve,2001-0144 || cve,2001-0572 -1328 || WEB-ATTACKS ps command attempt -1329 || WEB-ATTACKS /bin/ps command attempt -1330 || WEB-ATTACKS wget command attempt -1331 || WEB-ATTACKS uname -a command attempt -1332 || WEB-ATTACKS /usr/bin/id command attempt -1333 || WEB-ATTACKS id command attempt -1334 || WEB-ATTACKS echo command attempt -1335 || WEB-ATTACKS kill command attempt -1336 || WEB-ATTACKS chmod command attempt -1337 || WEB-ATTACKS chgrp command attempt -1338 || WEB-ATTACKS chown command attempt -1339 || WEB-ATTACKS chsh command attempt -1340 || WEB-ATTACKS tftp command attempt -1341 || WEB-ATTACKS /usr/bin/gcc command attempt -1342 || WEB-ATTACKS gcc command attempt -1343 || WEB-ATTACKS /usr/bin/cc command attempt -1344 || WEB-ATTACKS cc command attempt -1345 || WEB-ATTACKS /usr/bin/cpp command attempt -1346 || 
WEB-ATTACKS cpp command attempt -1347 || WEB-ATTACKS /usr/bin/g++ command attempt -1348 || WEB-ATTACKS g++ command attempt -1349 || WEB-ATTACKS bin/python access attempt -1350 || WEB-ATTACKS python access attempt -1351 || WEB-ATTACKS bin/tclsh execution attempt -1352 || WEB-ATTACKS tclsh execution attempt -1353 || WEB-ATTACKS bin/nasm command attempt -1354 || WEB-ATTACKS nasm command attempt -1355 || WEB-ATTACKS /usr/bin/perl execution attempt -1356 || WEB-ATTACKS perl execution attempt -1357 || WEB-ATTACKS nt admin addition attempt -1358 || WEB-ATTACKS traceroute command attempt -1359 || WEB-ATTACKS ping command attempt -1360 || WEB-ATTACKS netcat command attempt -1361 || WEB-ATTACKS nmap command attempt -1362 || WEB-ATTACKS xterm command attempt -1363 || WEB-ATTACKS X application to remote host attempt -1364 || WEB-ATTACKS lsof command attempt -1365 || WEB-ATTACKS rm command attempt -1366 || WEB-ATTACKS mail command attempt -1367 || WEB-ATTACKS mail command attempt -1368 || WEB-ATTACKS /bin/ls| command attempt -1369 || WEB-ATTACKS /bin/ls command attempt -1370 || WEB-ATTACKS /etc/inetd.conf access -1371 || WEB-ATTACKS /etc/motd access -1372 || WEB-ATTACKS /etc/shadow access -1373 || WEB-ATTACKS conf/httpd.conf attempt -1374 || WEB-ATTACKS .htgroup access -1375 || WEB-MISC sadmind worm access || url,www.cert.org/advisories/CA-2001-11.html -1376 || WEB-MISC jrun directory browse attempt || bugtraq,3592 -1377 || FTP wu-ftp bad file completion attempt [ || bugtraq,3581 || bugtraq,3707 || cve,2001-0550 || cve,2001-0886 -1378 || FTP wu-ftp bad file completion attempt { || bugtraq,3581 || bugtraq,3707 || cve,2001-0550 || cve,2001-0886 -1379 || FTP STAT overflow attempt || bugtraq,3507 || bugtraq,8542 || cve,2001-0325 || cve,2001-1021 || url,labs.defcom.com/adv/2001/def-2001-31.txt -1380 || WEB-IIS cross-site scripting attempt || nessus,10572 -1381 || WEB-MISC Trend Micro OfficeScan attempt || bugtraq,1057 -1382 || EXPLOIT CHAT IRC Ettercap parse overflow attempt || 
url,www.bugtraq.org/dev/GOBBLES-12.txt -1383 || P2P Fastrack kazaa/morpheus GET request || url,www.kazaa.com || url,www.musiccity.com/technology.htm -1384 || MISC UPnP malformed advertisement || bugtraq,3723 || cve,2001-0876 || cve,2001-0877 || url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx -1385 || WEB-MISC mod-plsql administration access || bugtraq,3726 || bugtraq,3727 || cve,2001-1216 || cve,2001-1217 || nessus,10849 -1386 || MS-SQL/SMB raiserror possible buffer overflow || bugtraq,3733 || cve,2001-0542 || url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx -1387 || MS-SQL raiserror possible buffer overflow || bugtraq,3733 || cve,2001-0542 || nessus,11217 -1388 || MISC UPnP Location overflow || bugtraq,3723 || cve,2001-0876 -1389 || WEB-MISC viewcode.jse access || bugtraq,3715 -1390 || SHELLCODE x86 inc ebx NOOP -1391 || WEB-MISC Phorecast remote code execution attempt || bugtraq,3388 || cve,2001-1049 -1392 || WEB-CGI lastlines.cgi access || bugtraq,3754 || bugtraq,3755 || cve,2001-1205 || cve,2001-1206 -1393 || MISC AIM AddGame attempt || bugtraq,3769 || cve,2002-0005 || url,www.w00w00.org/files/w00aimexp/ -1394 || SHELLCODE x86 NOOP -1395 || WEB-CGI zml.cgi attempt || bugtraq,3759 || cve,2001-1209 -1396 || WEB-CGI zml.cgi access || bugtraq,3759 || cve,2001-1209 -1397 || WEB-CGI wayboard attempt || bugtraq,2370 || cve,2001-0214 -1398 || EXPLOIT CDE dtspcd exploit attempt || bugtraq,3517 || cve,2001-0803 || url,www.cert.org/advisories/CA-2002-01.html -1399 || WEB-PHP PHP-Nuke remote file include attempt || bugtraq,3889 || cve,2002-0206 -1400 || WEB-IIS /scripts/samples/ access || nessus,10370 -1401 || WEB-IIS /msadc/samples/ access || bugtraq,167 || cve,1999-0736 || nessus,1007 -1402 || WEB-IIS iissamples access || nessus,11032 -1403 || WEB-MISC viewcode access || cve,1999-0737 || nessus,10576 || nessus,12048 -1404 || WEB-MISC showcode access -1405 || WEB-CGI AHG search.cgi access || bugtraq,3985 -1406 || WEB-CGI agora.cgi access || 
bugtraq,3702 || bugtraq,3976 || cve,2001-1199 || cve,2002-0215 || nessus,10836 -1407 || WEB-PHP smssend.php access || bugtraq,3982 || cve,2002-0220 -1408 || DOS MSDTC attempt || bugtraq,4006 || cve,2002-0224 || nessus,10939 -1409 || SNMP community string buffer overflow attempt || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 || url,www.cert.org/advisories/CA-2002-03.html -1410 || WEB-CGI dcboard.cgi access || bugtraq,2728 || cve,2001-0527 || nessus,10583 -1411 || SNMP public access udp || bugtraq,2112 || bugtraq,4088 || bugtraq,4089 || cve,1999-0517 || cve,2002-0012 || cve,2002-0013 -1412 || SNMP public access tcp || bugtraq,2112 || bugtraq,4088 || bugtraq,4089 || bugtraq,7212 || cve,1999-0517 || cve,2002-0012 || cve,2002-0013 -1413 || SNMP private access udp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || bugtraq,7212 || cve,2002-0012 || cve,2002-0013 -1414 || SNMP private access tcp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 -1415 || SNMP Broadcast request || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 -1416 || SNMP broadcast trap || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 -1417 || SNMP request udp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 -1418 || SNMP request tcp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 -1419 || SNMP trap udp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 -1420 || SNMP trap tcp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 -1421 || SNMP AgentX/tcp request || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 -1422 || SNMP community string buffer overflow attempt with evasion || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 || url,www.cert.org/advisories/CA-2002-03.html -1423 || WEB-PHP 
content-disposition memchr overflow || bugtraq,4183 || cve,2002-0081 || nessus,10867 -1424 || SHELLCODE x86 0xEB0C NOOP -1425 || WEB-PHP content-disposition || bugtraq,4183 || cve,2002-0081 || nessus,10867 -1426 || SNMP PROTOS test-suite-req-app attempt || url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html -1427 || SNMP PROTOS test-suite-trap-app attempt || url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html -1428 || MULTIMEDIA audio galaxy keepalive -1429 || POLICY poll.gotomypc.com access || url,www.gotomypc.com/help2.tmpl -1430 || TELNET Solaris memory mismanagement exploit attempt -1431 || BAD-TRAFFIC syn to multicast address -1432 || P2P GNUTella client request -1433 || WEB-MISC .history access -1434 || WEB-MISC .bash_history access -1435 || DNS named authors attempt || arachnids,480 || nessus,10728 -1436 || MULTIMEDIA Quicktime User Agent access -1437 || MULTIMEDIA Windows Media download -1438 || MULTIMEDIA Windows Media Video download -1439 || MULTIMEDIA Shoutcast playlist redirection -1440 || MULTIMEDIA Icecast playlist redirection -1441 || TFTP GET nc.exe -1442 || TFTP GET shadow -1443 || TFTP GET passwd -1444 || TFTP Get -1445 || POLICY FTP file_id.diz access possible warez site -1446 || SMTP vrfy root -1447 || MISC MS Terminal server request RDP || bugtraq,3099 || cve,2001-0540 -1448 || MISC MS Terminal server request || bugtraq,3099 || cve,2001-0540 || url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx -1449 || POLICY FTP anonymous ftp login attempt -1450 || SMTP expn *@ || cve,1999-1200 -1451 || WEB-CGI NPH-publish access || bugtraq,2563 || cve,2001-0400 -1452 || WEB-CGI args.cmd access || cve,1999-1180 || nessus,11465 -1453 || WEB-CGI AT-generated.cgi access || cve,1999-1072 -1454 || WEB-CGI wwwwais access || cve,2001-0223 || nessus,10597 -1455 || WEB-CGI calender.pl access || cve,2000-0432 -1456 || WEB-CGI calender_admin.pl access || cve,2000-0432 -1457 || WEB-CGI user_update_admin.pl access || 
bugtraq,1486 || cve,2000-0627 -1458 || WEB-CGI user_update_passwd.pl access || bugtraq,1486 || cve,2000-0627 -1459 || WEB-CGI bb-histlog.sh access || bugtraq,142 || cve,1999-1462 || nessus,10025 -1460 || WEB-CGI bb-histsvc.sh access || bugtraq,142 || cve,1999-1462 -1461 || WEB-CGI bb-rep.sh access || bugtraq,142 || cve,1999-1462 -1462 || WEB-CGI bb-replog.sh access || bugtraq,142 || cve,1999-1462 -1463 || CHAT IRC message -1464 || ATTACK-RESPONSES oracle one hour install || nessus,10737 -1465 || WEB-CGI auktion.cgi access || bugtraq,2367 || cve,2001-0212 || nessus,10638 -1466 || WEB-CGI cgiforum.pl access || bugtraq,1963 || cve,2000-1171 || nessus,10552 -1467 || WEB-CGI directorypro.cgi access || bugtraq,2793 || cve,2001-0780 -1468 || WEB-CGI Web Shopper shopper.cgi attempt || bugtraq,1776 || cve,2000-0922 -1469 || WEB-CGI Web Shopper shopper.cgi access || bugtraq,1776 || cve,2000-0922 -1470 || WEB-CGI listrec.pl access || bugtraq,3328 || cve,2001-0997 -1471 || WEB-CGI mailnews.cgi access || bugtraq,2391 || cve,2001-0271 || nessus,10641 -1472 || WEB-CGI book.cgi access || bugtraq,3178 || cve,2001-1114 || nessus,10721 -1473 || WEB-CGI newsdesk.cgi access || bugtraq,2172 || cve,2001-0232 -1474 || WEB-CGI cal_make.pl access || bugtraq,2663 || cve,2001-0463 || nessus,10664 -1475 || WEB-CGI mailit.pl access || nessus,10417 -1476 || WEB-CGI sdbsearch.cgi access || cve,2001-1130 || nessus,10503 || nessus,10720 -1477 || WEB-CGI swc attempt -1478 || WEB-CGI swc access || nessus,10493 -1479 || WEB-CGI ttawebtop.cgi arbitrary file attempt || bugtraq,2890 || cve,2001-0805 || nessus,10696 -1480 || WEB-CGI ttawebtop.cgi access || bugtraq,2890 || cve,2001-0805 || nessus,10696 -1481 || WEB-CGI upload.cgi access || nessus,10290 -1482 || WEB-CGI view_source access || bugtraq,2251 || cve,1999-0174 || nessus,10294 -1483 || WEB-CGI ustorekeeper.pl access || cve,2001-0466 || nessus,10646 -1484 || WEB-IIS /isapi/tstisapi.dll access || bugtraq,2381 || cve,2001-0302 -1485 || WEB-IIS 
mkilog.exe access || nessus,10359 -1486 || WEB-IIS ctss.idc access || nessus,10359 -1487 || WEB-IIS /iisadmpwd/aexp2.htr access || bugtraq,2110 || cve,1999-0407 || cve,2002-0421 || nessus,10371 -1488 || WEB-CGI store.cgi directory traversal attempt || bugtraq,2385 || cve,2001-0305 || nessus,10639 -1489 || WEB-MISC /~nobody access || nessus,10484 -1490 || WEB-PHP Phorum /support/common.php attempt || bugtraq,1997 -1491 || WEB-PHP Phorum /support/common.php access || bugtraq,1997 || bugtraq,9361 -1492 || WEB-MISC RBS ISP /newuser directory traversal attempt || bugtraq,1704 || cve,CVE-2000-1036 || nessus,10521 -1493 || WEB-MISC RBS ISP /newuser access || bugtraq,1704 || cve,CVE-2000-1036 || nessus,10521 -1494 || WEB-CGI SIX webboard generate.cgi attempt || bugtraq,3175 || cve,2001-1115 -1495 || WEB-CGI SIX webboard generate.cgi access || bugtraq,3175 || cve,2001-1115 -1496 || WEB-CGI spin_client.cgi access || nessus,10393 -1497 || WEB-MISC cross site scripting attempt -1498 || WEB-MISC PIX firewall manager directory traversal attempt || bugtraq,691 || nessus,10819 -1499 || WEB-MISC SiteScope Service access || nessus,10778 -1500 || WEB-MISC ExAir access || bugtraq,193 || cve,1999-0449 || nessus,10002 || nessus,10003 || nessus,10004 -1501 || WEB-CGI a1stats a1disp3.cgi directory traversal attempt || bugtraq,2705 || cve,2001-0561 || nessus,10669 -1502 || WEB-CGI a1stats a1disp3.cgi access || bugtraq,2705 || cve,2001-0561 || nessus,10669 -1503 || WEB-CGI admentor admin.asp access || bugtraq,4152 || cve,2002-0308 || nessus,10880 || url,www.securiteam.com/windowsntfocus/5DP0N1F6AW.html -1504 || MISC AFS access || nessus,10441 -1505 || WEB-CGI alchemy http server PRN arbitrary command execution attempt || bugtraq,3599 || cve,2001-0871 -1506 || WEB-CGI alchemy http server NUL arbitrary command execution attempt || bugtraq,3599 || cve,2001-0871 -1507 || WEB-CGI alibaba.pl arbitrary command execution attempt || cve,1999-0885 || nessus,10013 -1508 || WEB-CGI alibaba.pl access || 
bugtraq,770 || cve ,CAN-1999-0885 || nessus,10013
-1509 || WEB-CGI AltaVista Intranet Search directory traversal attempt || bugtraq,896 || cve,2000-0039 || nessus,10015
-1510 || WEB-CGI test.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016
-1511 || WEB-CGI test.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016
-1512 || WEB-CGI input.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016
-1513 || WEB-CGI input.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016
-1514 || WEB-CGI input2.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016
-1515 || WEB-CGI input2.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016
-1516 || WEB-CGI envout.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016
-1517 || WEB-CGI envout.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016
-1518 || WEB-MISC nstelemetry.adp access || nessus,10753
-1519 || WEB-MISC apache ?M=D directory list attempt || bugtraq,3009 || cve,2001-0731
-1520 || WEB-MISC server-info access || url,httpd.apache.org/docs/mod/mod_info.html
-1521 || WEB-MISC server-status access || url,httpd.apache.org/docs/mod/mod_info.html
-1522 || WEB-MISC ans.pl attempt || bugtraq,4147 || bugtraq,4149 || cve,2002-0306 || cve,2002-0307 || nessus,10875
-1523 || WEB-MISC ans.pl access || bugtraq,4147 || bugtraq,4149 || cve,2002-0306 || cve,2002-0307 || nessus,10875
-1524 || WEB-MISC AxisStorpoint CD attempt || bugtraq,1025 || cve,2000-0191 || nessus,10023
-1525 || WEB-MISC Axis Storpoint CD access || bugtraq,1025 || cve,2000-0191 || nessus,10023
-1526 || WEB-MISC basilix sendmail.inc access || cve,2001-1044 || nessus,10601
-1527 || WEB-MISC basilix mysql.class access || cve,2001-1044 || nessus,10601
-1528 || WEB-MISC BBoard access || bugtraq,1459 || cve,2000-0629 || nessus,10507
-1529 || FTP SITE overflow attempt || cve,1999-0838 || cve,2001-0755 || cve,2001-0770
-1530 || FTP format string attempt || bugtraq,1387 || bugtraq,2240 || bugtraq,726 || cve,1999-0997 || cve,2000-0573 || nessus,10452
-1531 || WEB-CGI bb-hist.sh attempt || bugtraq,142 || cve,1999-1462 || nessus,10025
-1532 || WEB-CGI bb-hostscv.sh attempt || bugtraq,1455 || cve,2000-0638 || nessus,10460
-1533 || WEB-CGI bb-hostscv.sh access || bugtraq,1455 || cve,2000-0638 || nessus,10460
-1534 || WEB-CGI agora.cgi attempt || bugtraq,3702 || bugtraq,3976 || cve,2001-1199 || cve,2002-0215 || nessus,10836
-1535 || WEB-CGI bizdbsearch access || bugtraq,1104 || cve,2000-0287 || nessus,10383
-1536 || WEB-CGI calendar_admin.pl arbitrary command execution attempt || cve,2000-0432
-1537 || WEB-CGI calendar_admin.pl access || cve,2000-0432
-1538 || NNTP AUTHINFO USER overflow attempt || arachnids,274 || bugtraq,1156 || cve,2000-0341
-1539 || WEB-CGI /cgi-bin/ls access || bugtraq,936 || cve,2000-0079
-1540 || WEB-COLDFUSION ?Mode=debug attempt || nessus,10797
-1541 || FINGER version query
-1542 || WEB-CGI cgimail access || cve,2000-0726
-1543 || WEB-CGI cgiwrap access || bugtraq,1238 || bugtraq,3084 || bugtraq,777 || cve,1999-1530 || cve,2000-0431 || cve,2001-0987 || nessus,10041
-1544 || WEB-MISC Cisco Catalyst command execution attempt || bugtraq,1846 || cve,2000-0945 || nessus,10545
-1545 || DOS Cisco attempt
-1546 || WEB-MISC Cisco /%% DOS attempt || bugtraq,1154 || cve,2000-0380
-1547 || WEB-CGI csSearch.cgi arbitrary command execution attempt || bugtraq,4368 || cve,2002-0495 || nessus,10924
-1548 || WEB-CGI csSearch.cgi access || bugtraq,4368 || cve,2002-0495 || nessus,10924
-1549 || SMTP HELO overflow attempt || bugtraq,7726 || bugtraq,895 || cve,2000-0042 || nessus,10324 || nessus,11674
-1550 || SMTP ETRN overflow attempt || bugtraq,1297 || cve,2000-0490 || nessus,10438
-1551 || WEB-MISC /CVS/Entries access || nessus,11032
-1552 || WEB-MISC cvsweb version access || cve,2000-0670
-1553 || WEB-CGI /cart/cart.cgi access || bugtraq,1115 || cve,2000-0252
-1554 || WEB-CGI dbman db.cgi access || bugtraq,1178 || cve,2000-0381 || nessus,10403
-1555 || WEB-CGI DCShop access || bugtraq,2889 || cve,2001-0821
-1556 || WEB-CGI DCShop orders.txt access || bugtraq,2889 || cve,2001-0821
-1557 || WEB-CGI DCShop auth_user_file.txt access || bugtraq,2889 || cve,2001-0821
-1558 || WEB-MISC Delegate whois overflow attempt || cve,2000-0165
-1559 || WEB-MISC /doc/packages access || nessus,11032
-1560 || WEB-MISC /doc/ access || bugtraq,318 || cve,1999-0678
-1561 || WEB-MISC ?open access
-1562 || FTP SITE CHOWN overflow attempt || bugtraq,2120 || cve,2001-0065
-1563 || WEB-MISC login.htm attempt || bugtraq,665 || cve,1999-1533
-1564 || WEB-MISC login.htm access || bugtraq,665 || cve,1999-1533
-1565 || WEB-CGI eshop.pl arbitrary commane execution attempt || bugtraq,3340 || cve,2001-1014
-1566 || WEB-CGI eshop.pl access || bugtraq,3340 || cve,2001-1014
-1567 || WEB-IIS /exchange/root.asp attempt || bugtraq,3301 || cve,2001-0660 || nessus,10755 || nessus,10781
-1568 || WEB-IIS /exchange/root.asp access || bugtraq,3301 || cve,2001-0660 || nessus,10755 || nessus,10781
-1569 || WEB-CGI loadpage.cgi directory traversal attempt
-1570 || WEB-CGI loadpage.cgi access
-1571 || WEB-CGI dcforum.cgi directory traversal attempt || bugtraq,2611 || cve,2001-0436 || cve,2001-0437
-1572 || WEB-CGI commerce.cgi arbitrary file access attempt || bugtraq,2361 || cve,2001-0210 || nessus,10612
-1573 || WEB-CGI cgiforum.pl attempt || bugtraq,1963 || cve,2000-1171 || nessus,10552
-1574 || WEB-CGI directorypro.cgi attempt || bugtraq,2793 || cve,2001-0780
-1575 || WEB-MISC Domino mab.nsf access || bugtraq,4022 || nessus,10953
-1576 || WEB-MISC Domino cersvr.nsf access || nessus,10629
-1577 || WEB-MISC Domino setup.nsf access || nessus,10629
-1578 || WEB-MISC Domino statrep.nsf access || nessus,10629
-1579 || WEB-MISC Domino webadmin.nsf access || nessus,10629
-1580 || WEB-MISC Domino events4.nsf access || nessus,10629
-1581 || WEB-MISC Domino ntsync4.nsf access || nessus,10629
-1582 || WEB-MISC Domino collect4.nsf access || nessus,10629
-1583 || WEB-MISC Domino mailw46.nsf access || nessus,10629
-1584 || WEB-MISC Domino bookmark.nsf access || nessus,10629
-1585 || WEB-MISC Domino agentrunner.nsf access || nessus,10629
-1586 || WEB-MISC Domino mail.box access || bugtraq,881 || nessus,10629
-1587 || WEB-MISC cgitest.exe access || arachnids,265 || bugtraq,1313 || bugtraq,3885 || cve,2000-0521 || cve,2002-0128 || nessus,10040 || nessus,10623
-1588 || WEB-MISC SalesLogix Eviewer access || bugtraq,1078 || bugtraq,1089 || cve,2000-0278 || cve,2000-0289
-1589 || WEB-MISC musicat empower attempt || bugtraq,2374 || cve,2001-0224 || nessus,10609
-1590 || WEB-CGI faqmanager.cgi arbitrary file access attempt || bugtraq,3810 || nessus,10837
-1591 || WEB-CGI faqmanager.cgi access || bugtraq,3810 || nessus,10837
-1592 || WEB-CGI /fcgi-bin/echo.exe access || nessus,10838
-1593 || WEB-CGI FormHandler.cgi external site redirection attempt || bugtraq,798 || bugtraq,799 || cve,1999-1050 || nessus,10075
-1594 || WEB-CGI FormHandler.cgi access || bugtraq,798 || bugtraq,799 || cve,1999-1050 || nessus,10075
-1595 || WEB-IIS htimage.exe access || bugtraq,1117 || bugtraq,964 || cve,2000-0122 || cve,2000-0256 || nessus,10376
-1597 || WEB-CGI guestbook.cgi access || cve,1999-0237 || nessus,10098
-1598 || WEB-CGI Home Free search.cgi directory traversal attempt || bugtraq,921 || cve,2000-0054
-1599 || WEB-CGI search.cgi access || bugtraq,921 || cve,2000-0054
-1600 || WEB-CGI htsearch arbitrary configuration file attempt || cve,2000-0208
-1601 || WEB-CGI htsearch arbitrary file read attempt || bugtraq,1026 || cve,2000-0208 || nessus,10105
-1602 || WEB-CGI htsearch access || bugtraq,1026 || cve,2000-0208 || nessus,10105
-1603 || WEB-MISC DELETE attempt || nessus,10498
-1604 || WEB-MISC iChat directory traversal attempt || cve,1999-0897
-1605 || DOS iParty DOS attempt || bugtraq,6844 || cve,1999-1566
-1606 || WEB-CGI icat access || cve,1999-1069
-1607 || WEB-CGI HyperSeek hsx.cgi access || bugtraq,2314 || cve,2001-0253 || nessus,10602
-1608 || WEB-CGI htmlscript attempt || bugtraq,2001 || cve,1999-0264 || nessus,10106
-1609 || WEB-CGI faxsurvey arbitrary file read attempt || bugtraq,2056 || cve,1999-0262 || nessus,10067
-1610 || WEB-CGI formmail arbitrary command execution attempt || arachnids,226 || bugtraq,1187 || bugtraq,2079 || cve,1999-0172 || cve,2000-0411 || nessus,10076 || nessus,10782
-1611 || WEB-CGI eXtropia webstore access || bugtraq,1774 || cve,2000-1005
-1612 || WEB-MISC ftp.pl attempt || bugtraq,1471 || cve,2000-0674 || nessus,10467
-1613 || WEB-MISC handler attempt || arachnids,235 || bugtraq,380 || cve,1999-0148 || nessus,10100
-1614 || WEB-MISC Novell Groupwise gwweb.exe attempt || bugtraq,879 || cve,1999-1005 || cve,1999-1006 || nessus,10877
-1615 || WEB-MISC htgrep attempt || cve,2000-0832
-1616 || DNS named version attempt || arachnids,278 || nessus,10028
-1617 || WEB-CGI Bugzilla doeditvotes.cgi access || bugtraq,3800 || cve,2002-0011
-1618 || WEB-IIS .asp chunked Transfer-Encoding || bugtraq,4474 || bugtraq,4485 || cve,2002-0071 || cve,2002-0079 || nessus,10932
-1619 || EXPERIMENTAL WEB-IIS .htr request || bugtraq,4474 || cve,2002-0071 || nessus,10932
-1620 || BAD TRAFFIC Non-Standard IP protocol
-1621 || FTP CMD overflow attempt
-1622 || FTP RNFR ././ attempt
-1623 || FTP invalid MODE
-1624 || FTP large PWD command
-1625 || FTP large SYST command
-1626 || WEB-IIS /StoreCSVS/InstantOrder.asmx request
-1627 || BAD-TRAFFIC Unassigned/Reserved IP protocol || url,www.iana.org/assignments/protocol-numbers
-1628 || WEB-CGI FormHandler.cgi directory traversal attempt attempt || bugtraq,798 || bugtraq,799 || cve,1999-1050 || nessus,10075
-1629 || OTHER-IDS SecureNetPro traffic
-1631 || CHAT AIM login
-1632 || CHAT AIM send message
-1633 || CHAT AIM receive message
-1634 || POP3 PASS overflow attempt || bugtraq,791 || cve,1999-1511 || nessus,10325
-1635 || POP3 APOP overflow attempt || bugtraq,1652 || cve,2000-0840 || cve,2000-0841 || nessus,10559
-1636 || MISC Xtramail Username overflow attempt || bugtraq,791 || cve,1999-1511 || nessus,10323
-1637 || WEB-CGI yabb access || arachnids,462 || bugtraq,1668 || cve,2000-0853
-1638 || SCAN SSH Version map attempt
-1639 || CHAT IRC DCC file transfer request
-1640 || CHAT IRC DCC chat request
-1641 || DOS DB2 dos attempt || bugtraq,3010 || cve,2001-1143 || nessus,10871
-1642 || WEB-CGI document.d2w access || bugtraq,2017 || cve,2000-1110
-1643 || WEB-CGI db2www access || cve,2000-0677
-1644 || WEB-CGI test-cgi attempt || arachnids,218 || bugtraq,2003 || cve,1999-0070 || nessus,10282
-1645 || WEB-CGI testcgi access || bugtraq,7214 || nessus,11610
-1646 || WEB-CGI test.cgi access
-1647 || WEB-CGI faxsurvey attempt full path || bugtraq,2056 || cve,1999-0262 || nessus,10067
-1648 || WEB-CGI perl.exe command attempt || arachnids,219 || cve,1999-0509 || nessus,10173 || url,www.cert.org/advisories/CA-1996-11.html
-1649 || WEB-CGI perl command attempt || arachnids,219 || cve,1999-0509 || nessus,10173 || url,www.cert.org/advisories/CA-1996-11.html
-1650 || WEB-CGI tst.bat access || bugtraq,770 || cve,1999-0885 || nessus,10014
-1651 || WEB-CGI enivorn.pl access
-1652 || WEB-CGI campus attempt || bugtraq,1975 || nessus,10035
-1653 || WEB-CGI campus access || bugtraq,1975 || nessus,10035
-1654 || WEB-CGI cart32.exe access
-1655 || WEB-CGI pfdispaly.cgi arbitrary command execution attempt
-1656 || WEB-CGI pfdispaly.cgi access
-1657 || WEB-CGI pagelog.cgi directory traversal attempt || bugtraq,1864 || cve,2000-0940 || nessus,10591
-1658 || WEB-CGI pagelog.cgi access || bugtraq,1864 || cve,2000-0940 || nessus,10591
-1659 || WEB-COLDFUSION sendmail.cfm access
-1660 || WEB-IIS trace.axd access || nessus,10993
-1661 || WEB-IIS cmd32.exe access
-1662 || WEB-MISC /~ftp access
-1663 || WEB-MISC *%0a.pl access
-1664 || WEB-MISC mkplog.exe access
-1665 || WEB-MISC mkilog.exe access
-1666 || ATTACK-RESPONSES index of /cgi-bin/ response || nessus,10039
-1667 || WEB-MISC cross site scripting HTML Image tag set to javascript attempt
-1668 || WEB-CGI /cgi-bin/ access
-1669 || WEB-CGI /cgi-dos/ access
-1670 || WEB-MISC /home/ftp access || nessus,11032
-1671 || WEB-MISC /home/www access || nessus,11032
-1672 || FTP CWD ~ attempt || bugtraq,2601 || bugtraq,9215 || cve,2001-0421
-1673 || ORACLE EXECUTE_SYSTEM attempt
-1674 || ORACLE connect_data remote version detection attempt
-1675 || ORACLE misparsed login response
-1676 || ORACLE select union attempt
-1677 || ORACLE select like '%' attempt
-1678 || ORACLE select like '%' attempt backslash escaped
-1679 || ORACLE describe attempt
-1680 || ORACLE all_constraints access
-1681 || ORACLE all_views access
-1682 || ORACLE all_source access
-1683 || ORACLE all_tables access
-1684 || ORACLE all_tab_columns access
-1685 || ORACLE all_tab_privs access
-1686 || ORACLE dba_tablespace access
-1687 || ORACLE dba_tables access
-1688 || ORACLE user_tablespace access
-1689 || ORACLE sys.all_users access
-1690 || ORACLE grant attempt
-1691 || ORACLE ALTER USER attempt
-1692 || ORACLE drop table attempt
-1693 || ORACLE create table attempt
-1694 || ORACLE alter table attempt
-1695 || ORACLE truncate table attempt
-1696 || ORACLE create database attempt
-1697 || ORACLE alter database attempt
-1698 || ORACLE execute_system attempt
-1699 || P2P Fastrack kazaa/morpheus traffic || url,www.kazaa.com
-1700 || WEB-CGI imagemap.exe access || arachnids,412 || bugtraq,739 || cve,1999-0951 || nessus,10122
-1701 || WEB-CGI calendar-admin.pl access || bugtraq,1215
-1702 || WEB-CGI Amaya templates sendtemp.pl access || bugtraq,2504 || cve,2001-0272
-1703 || WEB-CGI auktion.cgi directory traversal attempt || bugtraq,2367 || cve,2001-0212 || nessus,10638
-1704 || WEB-CGI cal_make.pl directory traversal attempt || bugtraq,2663 || cve,2001-0463 || nessus,10664
-1705 || WEB-CGI echo.bat arbitrary command execution attempt || bugtraq,1002 || cve,2000-0213 || nessus,10246
-1706 || WEB-CGI echo.bat access || bugtraq,1002 || cve,2000-0213 || nessus,10246
-1707 || WEB-CGI hello.bat arbitrary command execution attempt || bugtraq,1002 || cve,2000-0213 || nessus,10246
-1708 || WEB-CGI hello.bat access || bugtraq,1002 || cve,2000-0213 || nessus,10246
-1709 || WEB-CGI ad.cgi access
-1710 || WEB-CGI bbs_forum.cgi access
-1711 || WEB-CGI bsguest.cgi access
-1712 || WEB-CGI bslist.cgi access
-1713 || WEB-CGI cgforum.cgi access
-1714 || WEB-CGI newdesk access
-1715 || WEB-CGI register.cgi access
-1716 || WEB-CGI gbook.cgi access || bugtraq,1940 || cve,2000-1131
-1717 || WEB-CGI simplestguest.cgi access
-1718 || WEB-CGI statusconfig.pl access
-1719 || WEB-CGI talkback.cgi directory traversal attempt
-1720 || WEB-CGI talkback.cgi access
-1721 || WEB-CGI adcycle access
-1722 || WEB-CGI MachineInfo access
-1723 || WEB-CGI emumail.cgi NULL attempt || bugtraq,5824 || cve,2002-1526
-1724 || WEB-CGI emumail.cgi access || bugtraq,5824 || cve,2002-1526
-1725 || WEB-IIS +.htr code fragment attempt || bugtraq,1488 || cve,2000-0630 || nessus,10680
-1726 || WEB-IIS doctodep.btr access
-1727 || WEB-CGI SGI InfoSearch fname access || arachnids,290 || bugtraq,1031 || cve,2000-0207
-1728 || FTP CWD ~ attempt || bugtraq,2601 || cve,2001-0421
-1729 || CHAT IRC channel join
-1730 || WEB-CGI ustorekeeper.pl directory traversal attempt || cve,2001-0466 || nessus,10645
-1731 || WEB-CGI a1stats access || bugtraq,2705 || cve,2001-0561 || nessus,10669
-1732 || RPC portmap rwalld request UDP
-1733 || RPC portmap rwalld request TCP
-1734 || FTP USER overflow attempt || bugtraq,10078 || bugtraq,1227 || bugtraq,1504 || bugtraq,1690 || bugtraq,4638 || bugtraq,7307 || bugtraq,8376 || cve,1999-1510 || cve,1999-1514 || cve,1999-1519 || cve,1999-1539 || cve,2000-0479 || cve,2000-0656 || cve,2000-0761 || cve,2000-0943 || cve,2000-1035 || cve,2000-1194 || cve,2001-0256 || cve,2001-0794 || cve,2001-0826 || cve,2002-0126 || cve,2002-1522 || cve,2003-0271 || cve,2004-0286
-1735 || WEB-CLIENT XMLHttpRequest attempt || bugtraq,4628
-1736 || WEB-PHP squirrel mail spell-check arbitrary command attempt || bugtraq,3952
-1737 || WEB-PHP squirrel mail theme arbitrary command attempt || bugtraq,4385 || cve,2002-0516
-1738 || WEB-MISC global.inc access || bugtraq,4612 || cve,2002-0614
-1739 || WEB-PHP DNSTools administrator authentication bypass attempt || bugtraq,4617 || cve,2002-0613
-1740 || WEB-PHP DNSTools authentication bypass attempt || bugtraq,4617 || cve,2002-0613
-1741 || WEB-PHP DNSTools access || bugtraq,4617 || cve,2002-0613
-1742 || WEB-PHP Blahz-DNS dostuff.php modify user attempt || bugtraq,4618 || cve,2002-0599
-1743 || WEB-PHP Blahz-DNS dostuff.php access || bugtraq,4618 || cve,2002-0599
-1744 || WEB-MISC SecureSite authentication bypass attempt || bugtraq,4621
-1745 || WEB-PHP Messagerie supp_membre.php access || bugtraq,4635
-1746 || RPC portmap cachefsd request UDP || bugtraq,4674 || cve,2002-0033 || cve,2002-0084
-1747 || RPC portmap cachefsd request TCP || bugtraq,4674 || cve,2002-0033 || cve,2002-0084
-1748 || FTP command overflow attempt || bugtraq,4638 || cve,2002-0606
-1749 || EXPERIMENTAL WEB-IIS .NET trace.axd access
-1750 || WEB-IIS users.xml access
-1751 || EXPLOIT cachefsd buffer overflow attempt || bugtraq,4631 || cve,2002-0084 || nessus,10951
-1752 || MISC AIM AddExternalApp attempt || url,www.w00w00.org/files/w00aimexp/
-1753 || WEB-IIS as_web.exe access || bugtraq,4670
-1754 || WEB-IIS as_web4.exe access || bugtraq,4670
-1755 || IMAP partial body buffer overflow attempt || bugtraq,4713 || cve,2002-0379
-1756 || WEB-IIS NewsPro administration authentication attempt || bugtraq,4672
-1757 || WEB-MISC b2 arbitrary command execution attempt || bugtraq,4673 || cve,2002-0734
-1758 || WEB-MISC b2 access || bugtraq,4673 || cve,2002-0734
-1759 || MS-SQL xp_cmdshell program execution 445
-1760 || OTHER-IDS ISS RealSecure 6 event collector connection attempt
-1761 || OTHER-IDS ISS RealSecure 6 daemon connection attempt
-1762 || WEB-CGI phf arbitrary command execution attempt || arachnids,128 || bugtraq,629 || cve,1999-0067
-1763 || WEB-CGI Nortel Contivity cgiproc DOS attempt || bugtraq,938 || cve,2000-0063 || cve,2000-0064 || nessus,10160
-1764 || WEB-CGI Nortel Contivity cgiproc DOS attempt || bugtraq,938 || cve,2000-0063 || cve,2000-0064 || nessus,10160
-1765 || WEB-CGI Nortel Contivity cgiproc access || bugtraq,938 || cve,2000-0063 || cve,2000-0064 || nessus,10160
-1766 || WEB-MISC search.dll directory listing attempt || bugtraq,1684 || cve,2000-0835 || nessus,10514
-1767 || WEB-MISC search.dll access || bugtraq,1684 || cve,2000-0835 || nessus,10514
-1768 || WEB-IIS header field buffer overflow attempt || bugtraq,4476 || cve,2002-0150
-1769 || WEB-MISC .DS_Store access || url,www.macintouch.com/mosxreaderreports46.html
-1770 || WEB-MISC .FBCIndex access || url,www.securiteam.com/securitynews/5LP0O005FS.html
-1771 || POLICY IPSec PGPNet connection attempt
-1772 || WEB-IIS pbserver access || url,www.microsoft.com/technet/security/bulletin/ms00-094.mspx
-1773 || WEB-PHP php.exe access || url,www.securitytracker.com/alerts/2002/Jan/1003104.html
-1774 || WEB-PHP bb_smilies.php access || url,www.securiteam.com/securitynews/Serious_security_hole_in_PHP-Nuke__bb_smilies_.html
-1775 || MYSQL root login attempt
-1776 || MYSQL show databases attempt
-1777 || FTP EXPLOIT STAT * dos attempt || bugtraq,4482 || cve,2002-0073 || nessus,10934
-1778 || FTP EXPLOIT STAT ? dos attempt || bugtraq,4482 || cve,2002-0073 || nessus,10934
-1779 || FTP CWD .... attempt || bugtraq,4884
-1780 || IMAP EXPLOIT partial body overflow attempt || bugtraq,4713 || cve,2002-0379
-1781 || PORN dildo
-1782 || PORN nipple clamp
-1783 || PORN oral sex
-1784 || PORN nude celeb
-1785 || PORN voyeur
-1786 || PORN raw sex
-1787 || WEB-CGI csPassword.cgi access || bugtraq,4885 || bugtraq,4886 || bugtraq,4887 || bugtraq,4889 || cve,2002-0917 || cve,2002-0918
-1788 || WEB-CGI csPassword password.cgi.tmp access || bugtraq,4889 || cve,2002-0920
-1789 || CHAT IRC dns request
-1790 || CHAT IRC dns response
-1791 || BACKDOOR fragroute trojan connection attempt || bugtraq,4898
-1792 || NNTP return code buffer overflow attempt || bugtraq,4900 || cve,2002-0909
-1793 || PORN fetish
-1794 || PORN masturbation
-1795 || PORN ejaculation
-1796 || PORN virgin
-1797 || PORN BDSM
-1798 || PORN erotica
-1799 || PORN fisting
-1800 || VIRUS Klez Incoming
-1801 || WEB-IIS .asp HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150
-1802 || WEB-IIS .asa HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150
-1803 || WEB-IIS .cer HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150
-1804 || WEB-IIS .cdx HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150
-1805 || WEB-CGI Oracle reports CGI access || bugtraq,4848 || cve,2002-0947
-1806 || WEB-IIS .htr chunked Transfer-Encoding || bugtraq,4855 || bugtraq,5003 || cve,2002-0364
-1807 || WEB-MISC Chunked-Encoding transfer attempt || bugtraq,4474 || bugtraq,4485 || bugtraq,5033 || cve,2002-0071 || cve,2002-0079 || cve,2002-0392
-1808 || WEB-MISC apache chunked encoding memory corruption exploit attempt || bugtraq,5033 || cve,2002-0392
-1809 || WEB-MISC Apache Chunked-Encoding worm attempt || bugtraq,4474 || bugtraq,4485 || bugtraq,5033 || cve,2002-0071 || cve,2002-0079 || cve,2002-0392
-1810 || ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE || bugtraq,5093 || cve,2002-0390 || cve,2002-0639
-1811 || ATTACK-RESPONSES successful gobbles ssh exploit uname || bugtraq,5093 || cve,2002-0390 || cve,2002-0639
-1812 || EXPLOIT gobbles SSH exploit attempt || bugtraq,5093 || cve,2002-0390 || cve,2002-0639
-1813 || ICMP digital island bandwidth query
-1814 || WEB-MISC CISCO VoIP DOS ATTEMPT || bugtraq,4794 || bugtraq,4794 || cve,2002-0882 || nessus,11013
-1815 || WEB-PHP directory.php arbitrary command attempt || bugtraq,4278 || cve,2002-0434
-1816 || WEB-PHP directory.php access || bugtraq,4278 || cve,2002-0434
-1817 || WEB-IIS MS Site Server default login attempt || nessus,11018
-1818 || WEB-IIS MS Site Server admin attempt || nessus,11018
-1819 || MISC Alcatel PABX 4400 connection attempt || nessus,11019
-1820 || WEB-MISC IBM Net.Commerce orderdspc.d2w access || bugtraq,2350 || cve,2001-0319 || nessus,11020
-1821 || EXPLOIT LPD dvips remote command execution attempt || bugtraq,3241 || cve,2001-1002 || nessus,11023
-1822 || WEB-CGI alienform.cgi directory traversal attempt || bugtraq,4983 || cve,2002-0934 || nessus,11027
-1823 || WEB-CGI AlienForm af.cgi directory traversal attempt || bugtraq,4983 || cve,2002-0934 || nessus,11027
-1824 || WEB-CGI alienform.cgi access || bugtraq,4983 || cve,2002-0934 || nessus,11027
-1825 || WEB-CGI AlienForm af.cgi access || bugtraq,4983 || cve,2002-0934 || nessus,11027
-1826 || WEB-MISC WEB-INF access || nessus,11037
-1827 || WEB-MISC Tomcat servlet mapping cross site scripting attempt || bugtraq,5193 || cve,2002-0682 || nessus,11041
-1828 || WEB-MISC iPlanet Search directory traversal attempt || bugtraq,5191 || cve,2002-1042 || nessus,11043
-1829 || WEB-MISC Tomcat TroubleShooter servlet access || bugtraq,4575 || nessus,11046
-1830 || WEB-MISC Tomcat SnoopServlet servlet access || bugtraq,4575 || nessus,11046
-1831 || WEB-MISC jigsaw dos attempt || nessus,11047
-1832 || CHAT ICQ forced user addition || bugtraq,3226 || cve,2001-1305
-1833 || PORN naked lesbians
-1834 || WEB-PHP PHP-Wiki cross site scripting attempt || bugtraq,5254 || cve,2002-1070
-1835 || WEB-MISC Macromedia SiteSpring cross site scripting attempt || bugtraq,5249 || cve,2002-1027
-1836 || PORN alt.binaries.pictures.erotica
-1837 || PORN alt.binaries.pictures.tinygirls
-1838 || EXPLOIT SSH server banner overflow || bugtraq,5287 || cve,2002-1059
-1839 || WEB-MISC mailman cross site scripting attempt || bugtraq,5298 || cve,2002-0855
-1840 || WEB-CLIENT Javascript document.domain attempt || bugtraq,5346
-1841 || WEB-CLIENT Javascript URL host spoofing attempt || bugtraq,5293
-1842 || IMAP login buffer overflow attempt || bugtraq,502 || cve,1999-0005 || cve,1999-1557 || nessus,10123 || nessus,10125
-1843 || BACKDOOR trinity connection attempt || cve,2000-0138 || nessus,10501
-1844 || IMAP authenticate overflow attempt || cve,1999-0042 || nessus,10292
-1845 || IMAP list literal overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374
-1846 || POLICY vncviewer Java applet download attempt || nessus,10758
-1847 || WEB-MISC webalizer access || bugtraq,3473 || cve,1999-0643 || cve,2001-0835 || nessus,10816
-1848 || WEB-MISC webcart-lite access || cve,1999-0610 || nessus,10298
-1849 || WEB-MISC webfind.exe access || bugtraq,1487 || cve,2000-0622 || nessus,10475
-1850 || WEB-CGI way-board.cgi access || nessus,10610
-1851 || WEB-MISC active.log access || bugtraq,1497 || cve,2000-0642 || nessus,10470
-1852 || WEB-MISC robots.txt access || nessus,10302
-1853 || BACKDOOR win-trin00 connection attempt || cve,2000-0138 || nessus,10307
-1854 || DDOS Stacheldraht handler->agent niggahbitch || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis
-1855 || DDOS Stacheldraht agent->handler skillz || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis
-1856 || DDOS Stacheldraht handler->agent ficken || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis
-1857 || WEB-MISC robot.txt access || nessus,10302
-1858 || WEB-MISC CISCO PIX Firewall Manager directory traversal attempt || bugtraq,691 || cve,1999-0158 || nessus,10819
-1859 || WEB-MISC Sun JavaServer default password login attempt || cve,1999-0508 || nessus,10995
-1860 || WEB-MISC Linksys router default password login attempt || nessus,10999
-1861 || WEB-MISC Linksys router default username and password login attempt || nessus,10999
-1862 || WEB-CGI mrtg.cgi directory traversal attempt || bugtraq,4017 || cve,2002-0232 || nessus,11001
-1864 || FTP SITE NEWER attempt || cve,1999-0880 || nessus,10319
-1865 || WEB-CGI webdist.cgi arbitrary command attempt || bugtraq,374 || cve,1999-0039 || nessus,10299
-1866 || POP3 USER overflow attempt || bugtraq,789 || cve,1999-0494 || nessus,10311
-1867 || MISC xdmcp info query || nessus,10891
-1868 || WEB-CGI story.pl arbitrary file read attempt || bugtraq,3028 || cve,2001-0804 || nessus,10817
-1869 || WEB-CGI story.pl access || bugtraq,3028 || cve,2001-0804 || nessus,10817
-1870 || WEB-CGI siteUserMod.cgi access || bugtraq,951 || cve,2000-0117 || nessus,10253
-1871 || WEB-MISC Oracle XSQLConfig.xml access || bugtraq,4290 || cve,2002-0568 || nessus,10855
-1872 || WEB-MISC Oracle Dynamic Monitoring Services dms access || nessus,10848
-1873 || WEB-MISC globals.jsa access || bugtraq,4034 || cve,2002-0562 || nessus,10850
-1874 || WEB-MISC Oracle Java Process Manager access || nessus,10851
-1875 || WEB-CGI cgicso access || bugtraq,6141 || nessus,10779 || nessus,10780
-1876 || WEB-CGI nph-publish.cgi access || cve,1999-1177 || nessus,10164
-1877 || WEB-CGI printenv access || bugtraq,1658 || cve,2000-0868 || nessus,10188 || nessus,10503
-1878 || WEB-CGI sdbsearch.cgi access || bugtraq,1658 || cve,2000-0868 || nessus,10503
-1879 || WEB-CGI book.cgi arbitrary command execution attempt || bugtraq,3178 || cve,2001-1114 || nessus,10721
-1880 || WEB-MISC oracle web application server access || bugtraq,1053 || cve,2000-0169 || nessus,10348
-1881 || WEB-MISC bad HTTP/1.1 request, Potentially worm attack || url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html
-1882 || ATTACK-RESPONSES id check returned userid
-1883 || ATTACK-RESPONSES id check returned nobody
-1884 || ATTACK-RESPONSES id check returned web
-1885 || ATTACK-RESPONSES id check returned http
-1886 || ATTACK-RESPONSES id check returned apache
-1887 || MISC OpenSSL Worm traffic || url,www.cert.org/advisories/CA-2002-27.html
-1888 || FTP SITE CPWD overflow attempt || bugtraq,5427 || cve,2002-0826
-1889 || MISC slapper worm admin traffic || url,isc.incidents.org/analysis.html?id=167 || url,www.cert.org/advisories/CA-2002-27.html
-1890 || RPC status GHBN format string attack || bugtraq,1480 || cve,2000-0666
-1891 || RPC status GHBN format string attack || bugtraq,1480 || cve,2000-0666
-1892 || SNMP null community string attempt || bugtraq,2112 || bugtraq,8974 || cve,1999-0517
-1893 || SNMP missing community string attempt || bugtraq,2112 || cve,1999-0517
-1894 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
-1895 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
-1896 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
-1897 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
-1898 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
-1899 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
-1900 || ATTACK-RESPONSES successful kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
-1901 || ATTACK-RESPONSES successful kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
-1902 || IMAP lsub literal overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374
-1903 || IMAP rename overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374
-1904 || IMAP find overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374
-1905 || RPC AMD UDP amqproc_mount plog overflow attempt || bugtraq,614 || cve,1999-0704
-1906 || RPC AMD TCP amqproc_mount plog overflow attempt || bugtraq,614 || cve,1999-0704
-1907 || RPC CMSD UDP CMSD_CREATE buffer overflow attempt || bugtraq,524 || cve,1999-0696
-1908 || RPC CMSD TCP CMSD_CREATE buffer overflow attempt || bugtraq,524 || cve,1999-0696
-1909 || RPC CMSD TCP CMSD_INSERT buffer overflow attempt || cve,1999-0696 || url,www.cert.org/advisories/CA-99-08-cmsd.html
-1910 || RPC CMSD udp CMSD_INSERT buffer overflow attempt || cve,1999-0696 || url,www.cert.org/advisories/CA-99-08-cmsd.html
-1911 || RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt || bugtraq,0866 || bugtraq,866 || cve,1999-0977
-1912 || RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt || bugtraq,0866 || bugtraq,866 || cve,1999-0977
-1913 || RPC STATD UDP stat mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666
-1914 || RPC STATD TCP stat mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666
-1915 || RPC STATD UDP monitor mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666
-1916 || RPC STATD TCP monitor mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666
-1917 || SCAN UPnP service discover attempt
-1918 || SCAN SolarWinds IP scan attempt
-1919 || FTP CWD overflow attempt || bugtraq,1227 || bugtraq,1690 || bugtraq,6869 || bugtraq,7251 || bugtraq,7950 || cve,1999-0219 || cve,1999-1058 || cve,1999-1510 || cve,2000-1035 || cve,2000-1194 || cve,2001-0781 || cve,2002-0126 || cve,2002-0405
-1920 || FTP SITE NEWER overflow attempt || bugtraq,229 || cve,1999-0800
-1921 || FTP SITE ZIPCHK overflow attempt || cve,2000-0040
-1922 || RPC portmap proxy attempt TCP
-1923 || RPC portmap proxy attempt UDP
-1924 || RPC mountd UDP export request || arachnids,26
-1925 || RPC mountd TCP exportall request || arachnids,26
-1926 || RPC mountd UDP exportall request || arachnids,26
-1927 || FTP authorized_keys
-1928 || FTP shadow retrieval attempt
-1929 || BACKDOOR TCPDUMP/PCAP trojan traffic || url,hlug.fscker.com
-1930 || IMAP auth literal overflow attempt || cve,1999-0005
-1931 || WEB-CGI rpc-nlog.pl access || cve,1999-1278
-1932 || WEB-CGI rpc-smb.pl access || cve,1999-1278
-1933 || WEB-CGI cart.cgi access || bugtraq,1115 || nessus,10368
-1934 || POP2 FOLD overflow attempt || bugtraq,283 || cve,1999-0920 || nessus,10130
-1935 || POP2 FOLD arbitrary file attempt
-1936 || POP3 AUTH overflow attempt || cve,1999-0822 || nessus,10184
-1937 || POP3 LIST overflow attempt || bugtraq,948 || cve,2000-0096 || nessus,10197
-1938 || POP3 XTND overflow attempt
-1939 || MISC bootp hardware address length overflow || cve,1999-0798
-1940 || MISC bootp invalid hardware type || cve,1999-0798
-1941 || TFTP GET filename overflow attempt || bugtraq,5328 || cve,2002-0813
-1942 || FTP RMDIR overflow attempt || bugtraq,819
-1943 || WEB-MISC /Carello/add.exe access || bugtraq,1245 || cve,2000-0396 || nessus,11776
-1944 || WEB-MISC /ecscripts/ecware.exe access || bugtraq,6066
-1945 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537
-1946 || WEB-MISC answerbook2 admin attempt
-1947 || WEB-MISC answerbook2 arbitrary command execution attempt || bugtraq,1556 || cve,2000-0697
-1948 || DNS zone transfer UDP || arachnids,212 || cve,1999-0532 || nessus,10595
-1949 || RPC portmap SET attempt TCP 111
-1950 || RPC portmap SET attempt UDP 111
-1951 || RPC mountd TCP mount request
-1952 || RPC mountd UDP mount request
-1953 || RPC AMD TCP pid request
-1954 || RPC AMD UDP pid request
-1955 || RPC AMD TCP version request
-1956 || RPC AMD UDP version request || bugtraq,1554 || cve,2000-0696
-1957 || RPC sadmind UDP PING || bugtraq,866
-1958 || RPC sadmind TCP PING || bugtraq,866
-1959 || RPC portmap NFS request UDP
-1960 || RPC portmap NFS request TCP
-1961 || RPC portmap RQUOTA request UDP
-1962 || RPC portmap RQUOTA request TCP
-1963 || RPC RQUOTA getquota overflow attempt UDP || bugtraq,864 || cve,1999-0974
-1964 || RPC tooltalk UDP overflow attempt || bugtraq,122 || cve,1999-0003
-1965 || RPC tooltalk TCP overflow attempt || bugtraq,122 || cve,1999-0003
-1966 || MISC GlobalSunTech Access Point Information Disclosure attempt || bugtraq,6100
-1967 || WEB-PHP phpbb quick-reply.php arbitrary command attempt || bugtraq,6173
-1968 || WEB-PHP phpbb quick-reply.php access || bugtraq,6173
-1969 || WEB-MISC ion-p access || bugtraq,6091 || cve,2002-1559
-1970 || WEB-IIS MDAC Content-Type overflow attempt || bugtraq,6214 || cve,2002-1142 || url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337
-1971 || FTP SITE EXEC format string attempt
-1972 || FTP PASS overflow attempt || bugtraq,10078 || bugtraq,10720 || bugtraq,1690 || bugtraq,3884 || bugtraq,8601 || bugtraq,9285 || cve,1999-1519 || cve,1999-1539 || cve,2000-1035 || cve,2002-0126 || cve,2002-0895
-1973 || FTP MKD overflow attempt || bugtraq,612 || bugtraq,7278 || bugtraq,9872 || cve,1999-0911 || nessus,12108
-1974 || FTP REST overflow attempt || bugtraq,2972 || cve,2001-0826
-1975 || FTP DELE overflow attempt || bugtraq,2972 || cve,2001-0826 || cve,2001-1021
-1976 || FTP RMD overflow attempt || bugtraq,2972 || cve,2000-0133 || cve,2001-0826 || cve,2001-1021
-1977 || WEB-MISC xp_regwrite attempt
-1978 || WEB-MISC xp_regdeletekey attempt
-1979 || WEB-MISC perl post attempt || bugtraq,5520 || cve,2002-1436 || nessus,11158
-1980 || BACKDOOR DeepThroat 3.1 Connection attempt || mcafee,98574 || nessus,10053
-1981 || BACKDOOR DeepThroat 3.1 Connection attempt [3150] || mcafee,98574 || nessus,10053
-1982 || BACKDOOR DeepThroat 3.1 Server Response [3150] || arachnids,106 || mcafee,98574 || nessus,10053
-1983 || BACKDOOR DeepThroat 3.1 Connection attempt [4120] || mcafee,98574 || nessus,10053
-1984 || BACKDOOR DeepThroat 3.1 Server Response [4120] || arachnids,106 || mcafee,98574 || nessus,10053
-1985 || BACKDOOR Doly 1.5 server response
-1986 || CHAT MSN file transfer request
-1987 || MISC xfs overflow attempt || bugtraq,6241 || cve,2002-1317 || nessus,11188
-1988 || CHAT MSN file transfer accept
-1989 || CHAT MSN file transfer reject
-1990 || CHAT MSN user search
-1991 || CHAT MSN login attempt
-1992 || FTP LIST directory traversal attempt || bugtraq,2618 || cve,2001-0680 || cve,2002-1054 || nessus,11112
-1993 || IMAP login literal buffer overflow attempt || bugtraq,6298
-1994 || WEB-CGI vpasswd.cgi access || bugtraq,6038 || nessus,11165
-1995 || WEB-CGI alya.cgi access || nessus,11118
-1996 || WEB-CGI viralator.cgi access || cve,2001-0849 || nessus,11107
-1997 || WEB-PHP read_body.php access attempt || bugtraq,6302 || cve,2002-1341
-1998 || WEB-PHP calendar.php access || bugtraq,5820 || bugtraq,9353 || nessus,11179
-1999 || WEB-PHP edit_image.php access || bugtraq,3288 || cve,2001-1020 || nessus,11104
-2000 || WEB-PHP readmsg.php access || cve,CAN-2001-1408 || nessus,11073
-2001 || WEB-CGI smartsearch.cgi access || bugtraq,7133
-2002 || WEB-PHP remote include path
-2003 || MS-SQL Worm propagation attempt || bugtraq,5310 || bugtraq,5311 || cve,2002-0649 || nessus,11214 || url,vil.nai.com/vil/content/v_99992.htm
-2004 || MS-SQL Worm propagation attempt OUTBOUND || bugtraq,5310 || bugtraq,5311 || cve,2002-0649 || nessus,11214 || url,vil.nai.com/vil/content/v_99992.htm
-2005 || RPC portmap kcms_server request UDP || bugtraq,6665 || cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785
-2006 || RPC portmap kcms_server request TCP || bugtraq,6665 || cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785
-2007 || RPC kcms_server directory traversal attempt || bugtraq,6665 || cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785
-2008 || MISC CVS invalid user authentication response
-2009 || MISC CVS invalid repository response
-2010 || MISC CVS double free exploit attempt response || bugtraq,6650 || cve,2003-0015
-2011 || MISC CVS invalid directory response || bugtraq,6650 || cve,2003-0015
-2012 || MISC CVS missing cvsroot response
-2013 || MISC CVS invalid module response
-2014 || RPC portmap UNSET attempt TCP 111 || bugtraq,1892
-2015 || RPC portmap UNSET attempt UDP 111 || bugtraq,1892
-2016 || RPC portmap status request TCP || arachnids,15
-2017 || RPC portmap espd request UDP || bugtraq,2714 || cve,2001-0331
-2018 || RPC mountd TCP dump request
-2019 || RPC mountd UDP dump request
-2020 || RPC mountd TCP unmount request
-2021 || RPC mountd UDP unmount request
-2022 || RPC mountd TCP unmountall request
-2023 || RPC mountd UDP unmountall request
-2024 || RPC RQUOTA getquota overflow attempt TCP || bugtraq,864 || cve,1999-0974
-2025 || RPC yppasswd username overflow attempt UDP || bugtraq,2763 || cve,2001-0779
-2026 || RPC yppasswd username overflow attempt TCP || bugtraq,2763 || cve,2001-0779
-2027 || RPC yppasswd old password overflow attempt UDP
-2028 || RPC yppasswd old password overflow attempt TCP
-2029 || RPC yppasswd new password overflow attempt UDP
-2030 || RPC yppasswd new password overflow attempt TCP
-2031 || RPC yppasswd user update UDP
-2032 || RPC yppasswd user update TCP
-2033 || RPC ypserv maplist request UDP || bugtraq,5914 || bugtraq,6016 || cve,2002-1232
-2034 || RPC ypserv maplist request TCP || Cve,CAN-2002-1232 || bugtraq,5914 || bugtraq,6016
-2035 || RPC portmap network-status-monitor request UDP
-2036 || RPC portmap network-status-monitor request TCP
-2037 || RPC network-status-monitor mon-callback request UDP
-2038 || RPC network-status-monitor mon-callback request TCP
-2039 || MISC bootp hostname format string attempt || bugtraq,4701 || cve,2002-0702 || nessus,11312
-2040 || POLICY xtacacs login attempt
-2041 || MISC xtacacs failed login response
-2042 || POLICY xtacacs accepted login response
-2043 || MISC isakmp login failed
-2044 || POLICY PPTP Start Control Request attempt
-2045 || RPC snmpXdmi overflow attempt UDP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html
-2046 || IMAP partial body.peek buffer overflow attempt || bugtraq,4713 || cve,2002-0379
-2047 || MISC rsyncd module list access
-2048 || MISC rsyncd overflow attempt || bugtraq,9153 || cve,CAN-2003-0962 || nessus,11943
-2049 || MS-SQL ping attempt || nessus,10674 || nessus,10674
-2050 || MS-SQL version overflow attempt || bugtraq,5310 || cve,2002-0649 || nessus,10674
-2051 || WEB-CGI cached_feed.cgi moreover shopping cart access || bugtraq,1762 || cve,2000-0906
-2052 || WEB-CGI overflow.cgi access || nessus,11190 || url,www.cert.org/advisories/CA-2002-35.html
-2053 || WEB-CGI process_bug.cgi access || cve,2002-0008
-2054 || WEB-CGI enter_bug.cgi arbitrary command attempt || cve,2002-0008
-2055 || WEB-CGI enter_bug.cgi access || cve,2002-0008
-2056 || WEB-MISC TRACE attempt || bugtraq,9561 || nessus,11213 || url,www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
-2057 || WEB-MISC helpout.exe access || bugtraq,6002 || cve,2002-1169 || nessus,11162
-2058 || WEB-MISC MsmMask.exe attempt || nessus,11163
-2059 || WEB-MISC MsmMask.exe access || nessus,11163
-2060 || WEB-MISC DB4Web access || nessus,11180
-2061 || WEB-MISC Tomcat null byte directory listing attempt || bugtraq,2518 || bugtraq,6721 || cve,2003-0042
-2062 || WEB-MISC iPlanet .perf access || nessus,11220
-2063 || WEB-MISC Demarc SQL injection attempt || bugtraq,4520 || cve,2002-0539
-2064 || WEB-MISC Lotus Notes .csp script source download attempt || bugtraq,6841
-2065 || WEB-MISC Lotus Notes .csp script source download attempt
-2066 || WEB-MISC Lotus Notes .pl script source download attempt || bugtraq,6841
-2067 || WEB-MISC Lotus Notes .exe script source download attempt || bugtraq,6841
-2068 || WEB-MISC 
BitKeeper arbitrary command attempt || bugtraq,6588 -2069 || WEB-MISC chip.ini access || bugtraq,2755 || bugtraq,2775 || cve,2001-0749 || cve,2001-0771 -2070 || WEB-MISC post32.exe arbitrary command attempt || bugtraq,1485 -2071 || WEB-MISC post32.exe access || bugtraq,1485 -2072 || WEB-MISC lyris.pl access || bugtraq,1584 || cve,2000-0758 -2073 || WEB-MISC globals.pl access || bugtraq,2671 || cve,2001-0330 -2074 || WEB-PHP Mambo uploadimage.php upload php file attempt || bugtraq,6572 -2075 || WEB-PHP Mambo upload.php upload php file attempt || bugtraq,6572 -2076 || WEB-PHP Mambo uploadimage.php access || bugtraq,6572 -2077 || WEB-PHP Mambo upload.php access || bugtraq,6572 -2078 || WEB-PHP phpBB privmsg.php access || bugtraq,6634 -2079 || RPC portmap nlockmgr request UDP || bugtraq,1372 || cve,2000-0508 -2080 || RPC portmap nlockmgr request TCP || bugtraq,1372 || cve,2000-0508 -2081 || RPC portmap rpc.xfsmd request UDP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359 -2082 || RPC portmap rpc.xfsmd request TCP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359 -2083 || RPC rpc.xfsmd xfs_export attempt UDP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359 -2084 || RPC rpc.xfsmd xfs_export attempt TCP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359 -2085 || WEB-CGI parse_xml.cgi access || bugtraq,6960 || cve,2003-0054 -2086 || WEB-CGI streaming server parse_xml.cgi access || bugtraq,6960 || cve,2003-0054 -2087 || SMTP From comment overflow attempt || bugtraq,6991 || cve,2002-1337 || url,www.kb.cert.org/vuls/id/398025 -2088 || RPC ypupdated arbitrary command attempt UDP -2089 || RPC ypupdated arbitrary command attempt TCP -2090 || WEB-IIS WEBDAV exploit attempt || bugtraq,7116 || bugtraq,7716 || cve,2003-0109 || nessus,11413 || url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx -2091 || WEB-IIS WEBDAV nessus safe scan attempt || bugtraq,7116 || cve,2003-0109 || nessus,11412 || nessus,11413 || url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx -2092 
|| RPC portmap proxy integer overflow attempt UDP || bugtraq,7123 || cve,2003-0028 -2093 || RPC portmap proxy integer overflow attempt TCP || bugtraq,7123 || cve,2003-0028 -2094 || RPC CMSD UDP CMSD_CREATE array buffer overflow attempt || bugtraq,5356 || cve,2002-0391 -2095 || RPC CMSD TCP CMSD_CREATE array buffer overflow attempt || bugtraq,5356 || cve,2002-0391 -2100 || BACKDOOR SubSeven 2.1 Gold server connection response || mcafee,10566 || nessus,10409 -2101 || NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt || bugtraq,5556 || cve,2002-0724 || nessus,11110 || url,www.corest.com/common/showdoc.php?idx=262 || url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx -2102 || NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt || bugtraq,5556 || cve,2002-0724 || nessus,11110 || url,www.corest.com/common/showdoc.php?idx=262 || url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx -2103 || NETBIOS SMB trans2open buffer overflow attempt || bugtraq,7294 || cve,2003-0201 || url,www.digitaldefense.net/labs/advisories/DDI-1013.txt -2104 || ATTACK-RESPONSES rexec username too long response || bugtraq,7459 -2105 || IMAP authenticate literal overflow attempt || cve,1999-0042 || nessus,10292 -2106 || IMAP lsub overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 -2107 || IMAP create buffer overflow attempt || bugtraq,7446 -2108 || POP3 CAPA overflow attempt -2109 || POP3 TOP overflow attempt -2110 || POP3 STAT overflow attempt -2111 || POP3 DELE overflow attempt -2112 || POP3 RSET overflow attempt -2113 || RSERVICES rexec username overflow attempt -2114 || RSERVICES rexec password overflow attempt -2115 || WEB-CGI album.pl access || bugtraq,7444 -2116 || WEB-CGI chipcfg.cgi access || bugtraq,2767 || cve,2001-1341 -2117 || WEB-IIS Battleaxe Forum login.asp access || bugtraq,7416 || cve,2003-0215 -2118 || IMAP list overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 -2119 || IMAP rename literal 
overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 -2120 || IMAP create literal buffer overflow attempt || bugtraq,7446 -2121 || POP3 DELE negative arguement attempt || bugtraq,6053 || bugtraq,7445 || cve,2002-1539 -2122 || POP3 UIDL negative arguement attempt || bugtraq,6053 || cve,2002-1539 || nessus,11570 -2123 || ATTACK-RESPONSES Microsoft cmd.exe banner || nessus,11633 -2124 || BACKDOOR Remote PC Access connection attempt || nessus,11673 -2125 || FTP CWD Root directory transversal attempt || bugtraq,7674 || cve,2003-0392 || nessus,11677 -2126 || MISC Microsoft PPTP Start Control Request buffer overflow attempt || bugtraq,5807 || cve,2002-1214 -2127 || WEB-CGI ikonboard.cgi access || bugtraq,7361 || nessus,11605 -2128 || WEB-CGI swsrv.cgi access || bugtraq,7510 || cve,2003-0217 || nessus,11608 -2129 || WEB-IIS nsiislog.dll access || bugtraq,8035 || cve,2003-0349 || cve,CAN-2003-0227 || nessus,11664 || url,www.microsoft.com/technet/security/bulletin/ms03-018.mspx -2130 || WEB-IIS IISProtect siteadmin.asp access || bugtraq,7675 || cve,2003-0377 || nessus,11662 -2131 || WEB-IIS IISProtect access || nessus,11661 -2132 || WEB-IIS Synchrologic Email Accelerator userid list access attempt || nessus,11657 -2133 || WEB-IIS MS BizTalk server access || bugtraq,7469 || bugtraq,7470 || cve,2003-0117 || cve,2003-0118 || nessus,11638 -2134 || WEB-IIS register.asp access || nessus,11621 -2135 || WEB-MISC philboard.mdb access || nessus,11682 -2136 || WEB-MISC philboard_admin.asp authentication bypass attempt || bugtraq,7739 || nessus,11675 -2137 || WEB-MISC philboard_admin.asp access || bugtraq,7739 || nessus,11675 -2138 || WEB-MISC logicworks.ini access || bugtraq,6996 || nessus,11639 -2139 || WEB-MISC /*.shtml access || bugtraq,1517 || cve,2000-0683 || nessus,11604 -2140 || WEB-PHP p-news.php access || nessus,11669 -2141 || WEB-PHP shoutbox.php directory traversal attempt || nessus,11668 -2142 || WEB-PHP shoutbox.php access || nessus,11668 -2143 || WEB-PHP b2 
cafelog gm-2-b2.php remote file include attempt || nessus,11667 -2144 || WEB-PHP b2 cafelog gm-2-b2.php access || nessus,11667 -2145 || WEB-PHP TextPortal admin.php default password admin attempt || bugtraq,7673 || nessus,11660 -2146 || WEB-PHP TextPortal admin.php default password 12345 attempt || bugtraq,7673 || nessus,11660 -2147 || WEB-PHP BLNews objects.inc.php4 remote file include attempt || bugtraq,7677 || cve,2003-0394 || nessus,11647 -2148 || WEB-PHP BLNews objects.inc.php4 access || bugtraq,7677 || cve,2003-0394 || nessus,11647 -2149 || WEB-PHP Turba status.php access || nessus,11646 -2150 || WEB-PHP ttCMS header.php remote file include attempt || bugtraq,7542 || bugtraq,7543 || bugtraq,7625 || nessus,11636 -2151 || WEB-PHP ttCMS header.php access || bugtraq,7542 || bugtraq,7543 || bugtraq,7625 || nessus,11636 -2152 || WEB-PHP test.php access || nessus,11617 -2153 || WEB-PHP autohtml.php directory traversal attempt || nessus,11630 -2154 || WEB-PHP autohtml.php access || nessus,11630 -2155 || WEB-PHP ttforum remote file include attempt || bugtraq,7542 || bugtraq,7543 || nessus,11615 -2156 || WEB-MISC mod_gzip_status access || nessus,11685 -2157 || WEB-IIS IISProtect globaladmin.asp access || nessus,11661 -2158 || MISC BGP invalid length || bugtraq,6213 || cve,2002-1350 || url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575 -2159 || MISC BGP invalid type 0 || bugtraq,6213 || cve,2002-1350 -2160 || VIRUS OUTBOUND .exe file attachment -2161 || VIRUS OUTBOUND .doc file attachment -2162 || VIRUS OUTBOUND .hta file attachment -2163 || VIRUS OUTBOUND .chm file attachment -2164 || VIRUS OUTBOUND .reg file attachment -2165 || VIRUS OUTBOUND .ini file attachment -2166 || VIRUS OUTBOUND .bat file attachment -2167 || VIRUS OUTBOUND .diz file attachment -2168 || VIRUS OUTBOUND .cpp file attachment -2169 || VIRUS OUTBOUND .dll file attachment -2170 || VIRUS OUTBOUND .vxd file attachment -2171 || VIRUS OUTBOUND .sys file attachment -2172 || 
VIRUS OUTBOUND .com file attachment -2173 || VIRUS OUTBOUND .hsq file attachment -2174 || NETBIOS SMB winreg access -2175 || NETBIOS SMB winreg unicode access -2176 || NETBIOS SMB startup folder access -2177 || NETBIOS SMB startup folder unicode access -2178 || FTP USER format string attempt || bugtraq,7474 || bugtraq,7776 || bugtraq,9262 || bugtraq,9402 || bugtraq,9600 || bugtraq,9800 || cve,2004-0277 || nessus,10041 || nessus,11687 -2179 || FTP PASS format string attempt || bugtraq,7474 || bugtraq,9262 || bugtraq,9800 || cve,2000-0699 -2180 || P2P BitTorrent announce request -2181 || P2P BitTorrent transfer -2182 || BACKDOOR typot trojan traffic || mcafee,100406 -2183 || SMTP Content-Transfer-Encoding overflow attempt || cve,2003-0161 || url,www.cert.org/advisories/CA-2003-12.html -2184 || RPC mountd TCP mount path overflow attempt || bugtraq,8179 || cve,2003-0252 || nessus,11800 -2185 || RPC mountd UDP mount path overflow attempt || bugtraq,8179 || cve,2003-0252 || nessus,11800 -2186 || BAD-TRAFFIC IP Proto 53 SWIPE || bugtraq,8211 || cve,2003-0567 -2187 || BAD-TRAFFIC IP Proto 55 IP Mobility || bugtraq,8211 || cve,2003-0567 -2188 || BAD-TRAFFIC IP Proto 77 Sun ND || bugtraq,8211 || cve,2003-0567 -2189 || BAD-TRAFFIC IP Proto 103 PIM || bugtraq,8211 || cve,2003-0567 -2190 || NETBIOS DCERPC invalid bind attempt -2191 || NETBIOS SMB DCERPC invalid bind attempt -2192 || NETBIOS DCERPC ISystemActivator bind attempt || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -2193 || NETBIOS SMB-DS DCERPC ISystemActivator bind attempt || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -2194 || WEB-CGI CSMailto.cgi access || bugtraq,4579 || bugtraq,6265 || cve,2002-0749 || nessus,11748 -2195 || WEB-CGI alert.cgi access || bugtraq,4211 || bugtraq,4579 || cve,2002-0346 || nessus,11748 -2196 || WEB-CGI catgy.cgi access || bugtraq,3714 || bugtraq,4579 || 
cve,2001-1212 || nessus,11748 -2197 || WEB-CGI cvsview2.cgi access || bugtraq,4579 || bugtraq,5517 || cve,2003-0153 || nessus,11748 -2198 || WEB-CGI cvslog.cgi access || bugtraq,4579 || bugtraq,5517 || cve,2003-0153 || nessus,11748 -2199 || WEB-CGI multidiff.cgi access || bugtraq,4579 || bugtraq,5517 || cve,2003-0153 || nessus,11748 -2200 || WEB-CGI dnewsweb.cgi access || bugtraq,1172 || bugtraq,4579 || cve,2000-0423 || nessus,11748 -2201 || WEB-CGI download.cgi access || bugtraq,4579 || cve,1999-1377 || nessus,11748 -2202 || WEB-CGI edit_action.cgi access || bugtraq,3698 || bugtraq,4579 || cve,2001-1196 || nessus,11748 -2203 || WEB-CGI everythingform.cgi access || bugtraq,2101 || bugtraq,4579 || cve,2001-0023 || nessus,11748 -2204 || WEB-CGI ezadmin.cgi access || bugtraq,4068 || bugtraq,4579 || cve,2002-0263 || nessus,11748 -2205 || WEB-CGI ezboard.cgi access || bugtraq,4068 || bugtraq,4579 || cve,2002-0263 || nessus,11748 -2206 || WEB-CGI ezman.cgi access || bugtraq,4068 || bugtraq,4579 || cve,2002-0263 || nessus,11748 -2207 || WEB-CGI fileseek.cgi access || bugtraq,4579 || bugtraq,6784 || cve,2002-0611 || nessus,11748 -2208 || WEB-CGI fom.cgi access || bugtraq,4579 || cve,2002-0230 || nessus,11748 -2209 || WEB-CGI getdoc.cgi access || bugtraq,4579 || cve,2000-0288 || cve,2000-0288 || nessus,11748 -2210 || WEB-CGI global.cgi access || bugtraq,4579 || cve,2000-0952 || nessus,11748 -2211 || WEB-CGI guestserver.cgi access || bugtraq,4579 || cve,2001-0180 || nessus,11748 -2212 || WEB-CGI imageFolio.cgi access || bugtraq,4579 || bugtraq,6265 || cve,2002-1334 || nessus,11748 -2213 || WEB-CGI mailfile.cgi access || bugtraq,1807 || bugtraq,4579 || cve,2000-0977 || nessus,11748 -2214 || WEB-CGI mailview.cgi access || bugtraq,1335 || bugtraq,4579 || cve,2000-0526 || nessus,11748 -2215 || WEB-CGI nsManager.cgi access || bugtraq,1710 || bugtraq,4579 || cve,2000-1023 || nessus,11748 -2216 || WEB-CGI readmail.cgi access || bugtraq,3427 || bugtraq,4579 || cve,2001-1283 || 
nessus,11748 -2217 || WEB-CGI printmail.cgi access || bugtraq,3427 || bugtraq,4579 || cve,2001-1283 || nessus,11748 -2218 || WEB-CGI service.cgi access || bugtraq,4211 || bugtraq,4579 || cve,2002-0346 || nessus,11748 -2219 || WEB-CGI setpasswd.cgi access || bugtraq,2212 || bugtraq,4579 || cve,2001-0133 || nessus,11748 -2220 || WEB-CGI simplestmail.cgi access || bugtraq,2106 || bugtraq,4579 || cve,2001-0022 || nessus,11748 -2221 || WEB-CGI ws_mail.cgi access || bugtraq,2861 || bugtraq,4579 || cve,2001-1343 || nessus,11748 -2222 || WEB-CGI nph-exploitscanget.cgi access || bugtraq,7910 || bugtraq,7911 || bugtraq,7913 || cve,2003-0434 || nessus,11740 -2223 || WEB-CGI csNews.cgi access || bugtraq,4994 || cve,2002-0923 || nessus,11726 -2224 || WEB-CGI psunami.cgi access || bugtraq,6607 || nessus,11750 -2225 || WEB-CGI gozila.cgi access || nessus,11773 -2226 || WEB-PHP pmachine remote file include attempt || bugtraq,7919 || nessus,11739 -2227 || WEB-PHP forum_details.php access || bugtraq,7933 || nessus,11760 -2228 || WEB-PHP phpMyAdmin db_details_importdocsql.php access || bugtraq,7962 || bugtraq,7965 || nessus,11761 -2229 || WEB-PHP viewtopic.php access || bugtraq,7979 || cve,2003-0486 || nessus,11767 -2230 || WEB-MISC NetGear router default password login attempt admin/password || nessus,11737 -2231 || WEB-MISC register.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 -2232 || WEB-MISC ContentFilter.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 -2233 || WEB-MISC SFNofitication.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 -2234 || WEB-MISC TOP10.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 -2235 || WEB-MISC SpamExcp.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 -2236 || WEB-MISC spamrule.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 -2237 || WEB-MISC cgiWebupdate.exe access || bugtraq,3216 || cve,2001-1150 || nessus,11722 -2238 || WEB-MISC WebLogic ConsoleHelp view source attempt || 
bugtraq,1518 || cve,2000-0682 || nessus,11724 -2239 || WEB-MISC redirect.exe access || bugtraq,1256 || cve,2000-0401 -2240 || WEB-MISC changepw.exe access || bugtraq,1256 || cve,2000-0401 -2241 || WEB-MISC cwmail.exe access || bugtraq,4093 || cve,2002-0273 || nessus,11727 -2242 || WEB-MISC ddicgi.exe access || bugtraq,1657 || cve,2000-0826 || nessus,11728 -2243 || WEB-MISC ndcgi.exe access || cve,2001-0922 || nessus,11730 -2244 || WEB-MISC VsSetCookie.exe access || bugtraq,3784 || cve,2002-0236 || nessus,11731 -2245 || WEB-MISC Webnews.exe access || bugtraq,4124 || cve,2002-0290 || nessus,11732 -2246 || WEB-MISC webadmin.dll access || bugtraq,7438 || bugtraq,7439 || bugtraq,8024 || cve,2003-0471 || nessus,11771 -2247 || WEB-IIS UploadScript11.asp access || cve,2001-0938 -2248 || WEB-IIS DirectoryListing.asp access || cve,2001-0938 -2249 || WEB-IIS /pcadmin/login.asp access || bugtraq,8103 || nessus,11785 -2250 || POP3 USER format string attempt || bugtraq,7667 || cve,2003-0391 || nessus,11742 -2251 || NETBIOS DCERPC Remote Activation bind attempt || bugtraq,8234 || bugtraq,8458 || cve,2003-0528 || cve,2003-0605 || cve,2003-0715 || nessus,11798 || nessus,11835 || url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx -2252 || NETBIOS SMB-DS DCERPC Remote Activation bind attempt || bugtraq,8234 || bugtraq,8458 || cve,2003-0528 || cve,2003-0605 || cve,2003-0715 || nessus,11798 || nessus,11835 || url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx -2253 || SMTP XEXCH50 overflow attempt || bugtraq,8838 || cve,2003-0714 || nessus,11889 || url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx -2254 || SMTP XEXCH50 overflow with evasion attempt || url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx -2255 || RPC sadmind query with root credentials attempt TCP -2256 || RPC sadmind query with root credentials attempt UDP -2257 || NETBIOS DCERPC Messenger Service buffer overflow attempt || bugtraq,8826 || cve,2003-0717 || nessus,11888 || 
nessus,11890 || url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx -2258 || NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt || bugtraq,8826 || cve,2003-0717 || nessus,11888 || nessus,11890 || url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx -2259 || SMTP EXPN overflow attempt || bugtraq,6991 || bugtraq,7230 || cve,2002-1337 || cve,2003-0161 -2260 || SMTP VRFY overflow attempt || bugtraq,6991 || bugtraq,7230 || cve,2002-1337 || cve,2003-0161 -2261 || SMTP SEND FROM sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337 || nessus,11316 -2262 || SMTP SEND FROM sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161 -2263 || SMTP SAML FROM sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337 -2264 || SMTP SAML FROM sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161 -2265 || SMTP SOML FROM sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337 -2266 || SMTP SOML FROM sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161 -2267 || SMTP MAIL FROM sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337 -2268 || SMTP MAIL FROM sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161 -2269 || SMTP RCPT TO sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337 -2270 || SMTP RCPT TO sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161 -2271 || BACKDOOR FsSniffer connection attempt || nessus,11854 -2272 || FTP LIST integer overflow attempt || bugtraq,8875 || cve,2003-0853 || cve,2003-0854 -2273 || IMAP login brute force attempt -2274 || POP3 login brute force attempt -2275 || SMTP AUTH LOGON brute force attempt -2276 || WEB-MISC oracle portal demo access || nessus,11918 -2277 || WEB-MISC PeopleSoft PeopleBooks psdoccgi access || bugtraq,9037 || bugtraq,9038 || cve,2003-0626 || cve,2003-0627 -2278 || WEB-MISC 
client negative Content-Length attempt || bugtraq,9098 || bugtraq,9476 || bugtraq,9576 || cve,2004-0095 -2279 || WEB-PHP UpdateClasses.php access || bugtraq,9057 -2280 || WEB-PHP Title.php access || bugtraq,9057 -2281 || WEB-PHP Setup.php access || bugtraq,9057 -2282 || WEB-PHP GlobalFunctions.php access || bugtraq,9057 -2283 || WEB-PHP DatabaseFunctions.php access || bugtraq,9057 -2284 || WEB-PHP rolis guestbook remote file include attempt || bugtraq,9057 -2285 || WEB-PHP rolis guestbook access || bugtraq,9057 -2286 || WEB-PHP friends.php access || bugtraq,9088 -2287 || WEB-PHP Advanced Poll admin_comment.php access || bugtraq,8890 || nessus,11487 -2288 || WEB-PHP Advanced Poll admin_edit.php access || bugtraq,8890 || nessus,11487 -2289 || WEB-PHP Advanced Poll admin_embed.php access || bugtraq,8890 || nessus,11487 -2290 || WEB-PHP Advanced Poll admin_help.php access || bugtraq,8890 || nessus,11487 -2291 || WEB-PHP Advanced Poll admin_license.php access || bugtraq,8890 || nessus,11487 -2292 || WEB-PHP Advanced Poll admin_logout.php access || bugtraq,8890 || nessus,11487 -2293 || WEB-PHP Advanced Poll admin_password.php access || bugtraq,8890 || nessus,11487 -2294 || WEB-PHP Advanced Poll admin_preview.php access || bugtraq,8890 || nessus,11487 -2295 || WEB-PHP Advanced Poll admin_settings.php access || bugtraq,8890 || nessus,11487 -2296 || WEB-PHP Advanced Poll admin_stats.php access || bugtraq,8890 || nessus,11487 -2297 || WEB-PHP Advanced Poll admin_templates_misc.php access || bugtraq,8890 || nessus,11487 -2298 || WEB-PHP Advanced Poll admin_templates.php access || bugtraq,8890 || nessus,11487 -2299 || WEB-PHP Advanced Poll admin_tpl_misc_new.php access || bugtraq,8890 || nessus,11487 -2300 || WEB-PHP Advanced Poll admin_tpl_new.php access || bugtraq,8890 || nessus,11487 -2301 || WEB-PHP Advanced Poll booth.php access || bugtraq,8890 || nessus,11487 -2302 || WEB-PHP Advanced Poll poll_ssi.php access || bugtraq,8890 || nessus,11487 -2303 || WEB-PHP Advanced Poll 
popup.php access || bugtraq,8890 || nessus,11487 -2304 || WEB-PHP files.inc.php access || bugtraq,8910 -2305 || WEB-PHP chatbox.php access || bugtraq,8930 -2306 || WEB-PHP gallery remote file include attempt || bugtraq,8814 || nessus,11876 -2307 || WEB-PHP PayPal Storefront remote file include attemtp || bugtraq,8791 || nessus,11873 -2308 || NETBIOS SMB DCERPC Workstation Service unicode bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx -2309 || NETBIOS SMB DCERPC Workstation Service bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx -2310 || NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx -2311 || NETBIOS SMB-DS DCERPC Workstation Service bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx -2312 || SHELLCODE x86 0x71FB7BAB NOOP -2313 || SHELLCODE x86 0x71FB7BAB NOOP unicode -2314 || SHELLCODE x86 0x90 NOOP unicode -2315 || NETBIOS DCERPC Workstation Service direct service bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx -2316 || NETBIOS DCERPC Workstation Service direct service access attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx -2317 || MISC CVS non-relative path error response || bugtraq,9178 || cve,2003-0977 -2318 || MISC CVS non-relative path access attempt || bugtraq,9178 || cve,2003-0977 -2319 || EXPLOIT ebola PASS overflow attempt || bugtraq,9156 -2320 || EXPLOIT ebola USER overflow attempt || bugtraq,9156 -2321 || WEB-IIS foxweb.exe access || nessus,11939 -2322 || WEB-IIS foxweb.dll access || nessus,11939 -2323 || WEB-CGI quickstore.cgi access || bugtraq,9282 || nessus,11975 -2324 || WEB-IIS VP-ASP shopsearch.asp access || bugtraq,9133 || 
bugtraq,9134 || nessus,11942 -2325 || WEB-IIS VP-ASP ShopDisplayProducts.asp access || bugtraq,9133 || bugtraq,9134 || nessus,11942 -2326 || WEB-IIS sgdynamo.exe access || bugtraq,4720 || cve,2002-0375 || nessus,11955 -2327 || WEB-MISC bsml.pl access || bugtraq,9311 || nessus,11973 -2328 || WEB-PHP authentication_index.php access || cve,2004-0032 || nessus,11982 -2329 || MS-SQL probe response overflow attempt || bugtraq,9407 || cve,2003-0903 || url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx -2330 || IMAP auth overflow attempt || bugtraq,8861 -2331 || WEB-PHP MatrikzGB privilege escalation attempt || bugtraq,8430 -2332 || FTP MKDIR format string attempt || bugtraq,9262 -2333 || FTP RENAME format string attempt || bugtraq,9262 -2334 || FTP Yak! FTP server default account login attempt || bugtraq,9072 -2335 || FTP RMD / attempt || bugtraq,9159 -2336 || TFTP NULL command attempt || bugtraq,7575 -2337 || TFTP PUT filename overflow attempt || bugtraq,7819 || bugtraq,8505 || cve,2003-0380 -2338 || FTP LIST buffer overflow attempt || bugtraq,10181 || bugtraq,6869 || bugtraq,7251 || bugtraq,7861 || bugtraq,8486 || bugtraq,9675 || cve,1999-0349 || cve,1999-1510 || cve,2000-0129 -2339 || TFTP NULL command attempt || bugtraq,7575 -2340 || FTP SITE CHMOD overflow attempt || bugtraq,10181 || bugtraq,9483 || bugtraq,9675 || cve,1999-0838 || nessus,12037 -2341 || WEB-PHP DCP-Portal remote file include attempt || bugtraq,6525 -2342 || WEB-PHP DCP-Portal remote file include attempt || bugtraq,6525 -2343 || FTP STOR overflow attempt || bugtraq,8668 || cve,2000-0133 -2344 || FTP XCWD overflow attempt || bugtraq,8704 -2345 || WEB-PHP PhpGedView search.php access || bugtraq,9369 || cve,2004-0032 -2346 || WEB-PHP myPHPNuke chatheader.php access || bugtraq,6544 -2347 || WEB-PHP myPHPNuke partner.php access || bugtraq,6544 -2348 || NETBIOS SMB-DS DCERPC print spool bind attempt -2349 || NETBIOS SMB-DS DCERPC enumerate printers request attempt -2350 || NETBIOS DCERPC 
ISystemActivator bind accept || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -2351 || NETBIOS DCERPC ISystemActivator path overflow attempt little endian || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -2352 || NETBIOS DCERPC ISystemActivator path overflow attempt big endian || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -2353 || WEB-PHP IdeaBox cord.php file include || bugtraq,7488 -2354 || WEB-PHP IdeaBox notification.php file include || bugtraq,7488 -2355 || WEB-PHP Invision Board emailer.php file include || bugtraq,7204 -2356 || WEB-PHP WebChat db_mysql.php file include || bugtraq,7000 -2357 || WEB-PHP WebChat english.php file include || bugtraq,7000 -2358 || WEB-PHP Typo3 translations.php file include || bugtraq,6984 -2359 || WEB-PHP Invision Board ipchat.php file include || bugtraq,6976 -2360 || WEB-PHP myphpPagetool pt_config.inc file include || bugtraq,6744 -2361 || WEB-PHP news.php file include || bugtraq,6674 -2362 || WEB-PHP YaBB SE packages.php file include || bugtraq,6663 -2363 || WEB-PHP Cyboards default_header.php access || bugtraq,6597 -2364 || WEB-PHP Cyboards options_form.php access || bugtraq,6597 -2365 || WEB-PHP newsPHP Language file include attempt || bugtraq,8488 -2366 || WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt || bugtraq,9368 || cve,2004-0030 -2367 || WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt || bugtraq,9368 || cve,2004-0030 -2368 || WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt || bugtraq,9368 || cve,2004-0030 -2369 || WEB-MISC ISAPISkeleton.dll access || bugtraq,9516 -2370 || WEB-MISC BugPort config.conf file access || bugtraq,9542 -2371 || WEB-MISC Sample_showcode.html access || bugtraq,9555 -2372 || WEB-PHP Photopost PHP Pro showphoto.php 
access || bugtraq,9557 -2373 || FTP XMKD overflow attempt || bugtraq,7909 || cve,2000-0133 || cve,2001-1021 -2374 || FTP NLST overflow attempt || bugtraq,10184 || bugtraq,7909 || bugtraq,9675 || cve,1999-1544 -2375 || BACKDOOR DoomJuice file upload attempt || url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html -2376 || EXPLOIT ISAKMP first payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040 -2377 || EXPLOIT ISAKMP second payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040 -2378 || EXPLOIT ISAKMP third payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040 -2379 || EXPLOIT ISAKMP forth payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040 -2380 || EXPLOIT ISAKMP fifth payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040 -2381 || WEB-MISC schema overflow attempt || bugtraq,9581 || cve,2004-0039 || nessus,12084 -2382 || NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 -2383 || NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 -2384 || NETBIOS SMB NTLMSSP invalid mechlistMIC attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12054 || nessus,12065 -2385 || NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12054 || nessus,12065 -2386 || WEB-IIS NTLM ASN.1 vulnerability scan attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12055 || nessus,12065 -2387 || WEB-CGI view_broadcast.cgi access || bugtraq,8257 || cve,2003-0422 -2388 || WEB-CGI streaming server view_broadcast.cgi access || bugtraq,8257 || cve,2003-0422 -2389 || FTP RNTO overflow attempt || bugtraq,8315 || cve,2000-0133 || 
cve,2001-1021 || cve,2003-0466 -2390 || FTP STOU overflow attempt || bugtraq,8315 || cve,2003-0466 -2391 || FTP APPE overflow attempt || bugtraq,8315 || bugtraq,8542 || cve,2000-0133 || cve,2003-0466 -2392 || FTP RETR overflow attempt || bugtraq,8315 || cve,2003-0466 || cve,2004-0287 || cve,2004-0298 -2393 || WEB-PHP /_admin access || bugtraq,9537 || nessus,12032 -2394 || WEB-MISC Compaq web-based management agent denial of service attempt || bugtraq,8014 -2395 || WEB-MISC InteractiveQuery.jsp access || bugtraq,8938 || cve,2003-0624 -2396 || WEB-CGI CCBill whereami.cgi arbitrary command execution attempt || bugtraq,8095 -2397 || WEB-CGI CCBill whereami.cgi access || bugtraq,8095 -2398 || WEB-PHP WAnewsletter newsletter.php file include attempt || bugtraq,6965 -2399 || WEB-PHP WAnewsletter db_type.php access || bugtraq,6964 -2400 || WEB-MISC edittag.pl access || bugtraq,6675 -2401 || NETBIOS SMB Session Setup AndX request username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html -2402 || NETBIOS SMB-DS Session Setup AndX request username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html -2403 || NETBIOS SMB Session Setup AndX request unicode username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html -2404 || NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html -2405 || WEB-PHP phptest.php access || bugtraq,9737 -2406 || TELNET APC SmartSlot default admin account attempt || bugtraq,9681 || cve,2004-0311 || nessus,12066 -2407 || WEB-MISC util.pl access || bugtraq,9748 -2408 || WEB-MISC Invision Power Board search.pl access || bugtraq,9766 -2409 || POP3 APOP USER overflow attempt || bugtraq,9794 -2410 || WEB-PHP IGeneric Free Shopping Cart page.php access || bugtraq,9773 -2411 || WEB-MISC Real Server DESCRIBE buffer overflow attempt || 
bugtraq,8476 || url,www.service.real.com/help/faq/security/rootexploit091103.html -2412 || ATTACK-RESPONSES successful cross site scripting forced download attempt -2413 || EXPLOIT ISAKMP delete hash with empty hash attempt || bugtraq,9416 || bugtraq,9417 || cve,2004-0164 || cve,CAN-2004-0164 -2414 || EXPLOIT ISAKMP initial contact notification without SPI attempt || bugtraq,9416 || bugtraq,9417 || cve,2004-0164 || cve,CAN-2004-0164 -2415 || EXPLOIT ISAKMP second payload initial contact notification without SPI attempt || bugtraq,9416 || bugtraq,9417 || cve,2004-0164 || cve,CAN-2004-0164 -2416 || FTP invalid MDTM command attempt || bugtraq,9751 || cve,2001-1021 || cve,2004-0330 -2417 || FTP format string attempt -2418 || MISC MS Terminal Server no encryption session initiation attmept || url,www.microsoft.com/technet/security/bulletin/MS01-052.mspx -2419 || MULTIMEDIA realplayer .ram playlist download attempt -2420 || MULTIMEDIA realplayer .rmp playlist download attempt -2421 || MULTIMEDIA realplayer .smi playlist download attempt -2422 || MULTIMEDIA realplayer .rt playlist download attempt -2423 || MULTIMEDIA realplayer .rp playlist download attempt -2424 || NNTP sendsys overflow attempt || bugtraq,9382 || cve,2004-00045 -2425 || NNTP senduuname overflow attempt || bugtraq,9382 || cve,2004-00045 -2426 || NNTP version overflow attempt || bugtraq,9382 || cve,2004-00045 -2427 || NNTP checkgroups overflow attempt || bugtraq,9382 || cve,2004-00045 -2428 || NNTP ihave overflow attempt || bugtraq,9382 || cve,2004-00045 -2429 || NNTP sendme overflow attempt || bugtraq,9382 || cve,2004-00045 -2430 || NNTP newgroup overflow attempt || bugtraq,9382 || cve,2004-00045 -2431 || NNTP rmgroup overflow attempt || bugtraq,9382 || cve,2004-00045 -2432 || NNTP article post without path attempt -2433 || WEB-CGI MDaemon form2raw.cgi overflow attempt || bugtraq,9317 -2434 || WEB-CGI MDaemon form2raw.cgi access || bugtraq,9317 -2435 || WEB-CLIENT Microsoft emf metafile access || 
bugtraq,9707 -2436 || WEB-CLIENT Microsoft wmf metafile access || bugtraq,9707 -2437 || WEB-CLIENT RealPlayer arbitrary javascript command attempt || bugtraq,8453 || bugtraq,9378 || cve,2003-0726 -2438 || WEB-CLIENT RealPlayer playlist file URL overflow attempt || bugtraq,9579 -2439 || WEB-CLIENT RealPlayer playlist http URL overflow attempt || bugtraq,9579 -2440 || WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt || bugtraq,9579 -2441 || WEB-MISC NetObserve authentication bypass attempt || bugtraq,9319 -2442 || WEB-MISC Quicktime User-Agent buffer overflow attempt || bugtraq,9735 || cve,2004-0169 -2443 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html -2444 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html -2445 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html -2446 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER email overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html -2447 || WEB-MISC ServletManager access || bugtraq,3697 || cve,2001-1195 || nessus,12122 -2448 || WEB-MISC setinfo.hts access || bugtraq,9973 || nessus,12120 -2449 || FTP ALLO overflow attempt || bugtraq,9953 -2450 || CHAT Yahoo IM successful logon -2451 || CHAT Yahoo IM voicechat -2452 || CHAT Yahoo IM ping -2453 || CHAT Yahoo IM conference invitation -2454 || CHAT Yahoo IM conference logon success -2455 || CHAT Yahoo IM conference message -2456 || CHAT Yahoo IM file transfer request -2457 || CHAT Yahoo IM message -2458 || CHAT Yahoo IM successful chat join -2459 || CHAT Yahoo IM conference offer invitation -2460 || CHAT Yahoo IM conference request -2461 || CHAT Yahoo IM conference watch -2462 || EXPLOIT IGMP IGAP account overflow attempt || bugtraq,9952 || cve, CAN-2004-0367 || cve,2004-0176 || cve,2004-0367 -2463 || EXPLOIT IGMP IGAP message 
overflow attempt || bugtraq,9952 || cve, CAN-2004-0367 || cve,2004-0176 || cve,2004-0367 -2464 || EXPLOIT EIGRP prefix length overflow attempt || bugtraq,9952 || cve, CAN-2004-0367 || cve,2004-0176 || cve,2004-0367 -2465 || NETBIOS SMB-DS IPC$ share access -2466 || NETBIOS SMB-DS IPC$ share unicode access -2467 || NETBIOS SMB D$ share unicode access -2468 || NETBIOS SMB-DS D$ share access -2469 || NETBIOS SMB-DS D$ share unicode access -2470 || NETBIOS SMB C$ share unicode access -2471 || NETBIOS SMB-DS C$ share access -2472 || NETBIOS SMB-DS C$ share unicode access -2473 || NETBIOS SMB ADMIN$ share unicode access -2474 || NETBIOS SMB-DS ADMIN$ share access -2475 || NETBIOS SMB-DS ADMIN$ share unicode access -2476 || NETBIOS SMB-DS Create AndX Request winreg attempt -2477 || NETBIOS SMB-DS Create AndX Request winreg unicode attempt -2478 || NETBIOS SMB-DS DCERPC bind winreg attempt -2479 || NETBIOS SMB-DS DCERPC bind winreg unicode attempt -2480 || NETBIOS SMB-DS DCERPC shutdown unicode attempt -2481 || NETBIOS SMB-DS DCERPC shutdown unicode little endian attempt -2482 || NETBIOS SMB-DS DCERPC shutdown attempt -2483 || NETBIOS SMB-DS DCERPC shutdown little endian attempt -2484 || WEB-MISC source.jsp access || nessus,12119 -2485 || WEB-CLIENT Nortan antivirus sysmspam.dll load attempt || bugtraq,9916 || cve,2004-0363 -2486 || DOS ISAKMP invalid identification payload attempt || bugtraq,10004 || cve,2004-0184 -2487 || SMTP WinZip MIME content-type buffer overflow || bugtraq,9758 || cve,2004-0333 || nessus,12621 -2488 || SMTP WinZip MIME content-disposition buffer overflow || bugtraq,9758 || cve,2004-0333 || nessus,12621 -2489 || EXPLOIT esignal STREAMQUOTE buffer overflow attempt || bugtraq,9978 -2490 || EXPLOIT esignal SNAPQUOTE buffer overflow attempt || bugtraq,9978 -2491 || NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2492 || NETBIOS 
SMB DCERPC ISystemActivator bind attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2493 || NETBIOS SMB DCERPC ISystemActivator unicode bind attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2494 || NETBIOS DCEPRC ORPCThis request flood attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2495 || NETBIOS SMB DCEPRC ORPCThis request flood attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2496 || NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2497 || IMAP SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2498 || IMAP SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2499 || MISC LDAP SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2500 || MISC LDAP SSLv3 invalid data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2501 || POP3 SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2502 || POP3 SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2503 || SMTP SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2504 || SMTP SSLv3 invalid data version attempt 
|| bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2505 || WEB-MISC SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2506 || WEB-MISC SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2507 || NETBIOS DCERPC LSASS bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2508 || NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2509 || NETBIOS SMB DCERPC LSASS unicode bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2510 || NETBIOS SMB DCERPC LSASS bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2511 || NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2512 || NETBIOS SMB-DS DCERPC LSASS bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2513 || NETBIOS SMB-DS DCERPC LSASS unicode bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2514 || NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2515 || WEB-MISC PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2516 || MISC LDAP PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || 
url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2517 || IMAP PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2518 || POP3 PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2519 || SMTP Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2520 || WEB-MISC SSLv3 Client_Hello request || cve,2004-0120 || nessus,12204 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2521 || WEB-MISC SSLv3 Server_Hello request || cve,2004-0120 || nessus,12204 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2522 || WEB-MISC SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2523 || DOS BGP spoofed connection reset attempt || bugtraq,10183 || cve,2004-0230 || url,www.uniras.gov.uk/vuls/2004/236929/index.htm -2524 || NETBIOS DCERPC LSASS direct bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2525 || NETBIOS SMB DCERPC LSASS direct bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2526 || NETBIOS SMB-DS DCERPC LSASS direct bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2527 || SMTP STARTTLS attempt -2528 || SMTP TLS PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2529 || IMAP SSLv3 Client_Hello request || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2530 || IMAP SSLv3 Server_Hello request || cve,2004-0120 || nessus,12204 || 
url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2531 || IMAP SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2532 || MISC LDAP SSLv3 Client_Hello request || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2533 || MISC LDAP SSLv3 Server_Hello request || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2534 || MISC LDAP SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2535 || POP3 SSLv3 Client_Hello request || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2536 || POP3 SSLv3 Server_Hello request || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2537 || POP3 SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2538 || SMTP SSLv3 Client_Hello request || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2539 || SMTP SSLv3 Server_Hello request || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2540 || SMTP SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2541 || SMTP TLS SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2542 || SMTP TLS SSLv3 Client_Hello request || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2543 || SMTP TLS SSLv3 Server_Hello request || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2544 || SMTP TLS SSLv3 invalid Client_Hello 
attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2545 || EXPLOIT AFP FPLoginExt username buffer overflow attempt || bugtraq,10271 || cve,2004-0430 || url,www.atstake.com/research/advisories/2004/a050304-1.txt -2546 || FTP MDTM overflow attempt || bugtraq,9751 || cve,2001-1021 || cve,2004-0330 || nessus,12080 -2547 || MISC HP Web JetAdmin remote file upload attempt || bugtraq,9978 -2548 || MISC HP Web JetAdmin setinfo access || bugtraq,9972 -2549 || MISC HP Web JetAdmin file write attempt || bugtraq,9973 -2550 || EXPLOIT winamp XM module name overflow || url,www.nextgenss.com/advisories/winampheap.txt -2551 || EXPLOIT Oracle Web Cache GET overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2552 || EXPLOIT Oracle Web Cache HEAD overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2553 || EXPLOIT Oracle Web Cache PUT overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2554 || EXPLOIT Oracle Web Cache POST overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2555 || EXPLOIT Oracle Web Cache TRACE overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2556 || EXPLOIT Oracle Web Cache DELETE overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2557 || EXPLOIT Oracle Web Cache LOCK overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2558 || EXPLOIT Oracle Web Cache MKCOL overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2559 || EXPLOIT Oracle Web Cache COPY overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2560 || EXPLOIT Oracle Web Cache MOVE overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2561 || MISC rsync backup-dir directory traversal attempt || bugtraq,10247 || cve,2004-0426 || nessus,12230 -2562 || WEB-MISC McAfee ePO file upload attempt || bugtraq,10200 || cve,2004-0038 -2563 || NETBIOS NS lookup response name overflow attempt || bugtraq,10333 || 
bugtraq,10334 || cve,2004-0444 || cve,2004-0445 || url,www.eeye.com/html/Research/Advisories/AD20040512A.html -2564 || NETBIOS NS lookup short response attempt || bugtraq,10334 || bugtraq,10335 || cve,2004-0444 || cve,2004-0445 || url,www.eeye.com/html/Research/Advisories/AD20040512C.html -2565 || WEB-PHP modules.php access || bugtraq,9879 -2566 || WEB-PHP PHPBB viewforum.php access || bugtraq,9865 || bugtraq,9866 || nessus,12093 -2567 || WEB-CGI Emumail init.emu access || bugtraq,9861 || nessus,12095 -2568 || WEB-CGI Emumail emumail.fcgi access || bugtraq,9861 || nessus,12095 -2569 || WEB-MISC cPanel resetpass access || bugtraq,9848 -2570 || WEB-MISC Invalid HTTP Version String || bugtraq,9809 || nessus,11593 -2571 || WEB-IIS SmarterTools SmarterMail frmGetAttachment.aspx access || bugtraq,9805 -2572 || WEB-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt || bugtraq,9805 -2573 || WEB-IIS SmarterTools SmarterMail frmCompose.asp access || bugtraq,9805 -2574 || FTP RETR format string attempt || bugtraq,9800 -2575 || WEB-PHP Opt-X header.php remote file include attempt || bugtraq,9732 -2576 || ORACLE generate_replication_support prefix buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck93.html -2577 || WEB-CLIENT local resource redirection attempt || cve,2004-0549 || url,www.kb.cert.org/vuls/id/713878 -2578 || EXPLOIT kerberos principal name overflow UDP || url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt -2579 || EXPLOIT kerberos principal name overflow TCP || url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt -2580 || WEB-MISC server negative Content-Length attempt || cve,CAN-2004-0492 || url,www.guninski.com/modproxy1.html -2581 || WEB-MISC Crystal Reports crystalimagehandler.aspx access || cve,CAN-2004-0204 || url,www.microsoft.com/security/bulletins/200406_crystal.mspx -2582 || WEB-MISC Crystal Reports crystalImageHandler.aspx directory traversal attempt || bugtraq,10260 || cve,CAN-2004-0204 || 
nessus,12271 || url,www.microsoft.com/security/bulletins/200406_crystal.mspx -2583 || MISC CVS Max-dotdot integer overflow attempt || bugtraq,10499 || cve,CAN-2004-0417 -2584 || EXPLOIT eMule buffer overflow attempt || bugtraq,10039 || nessus,12233 -2585 || WEB-MISC nessus 2.x 404 probe || nessus,10386 -2586 || P2P eDonkey transfer || url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html -2587 || P2P eDonkey server response || url,www.emule-project.net -2588 || WEB-PHP TUTOS path disclosure attempt || bugtraq,10129 || url,www.securiteam.com/unixfocus/5FP0J15CKE.html -2589 || WEB-CLIENT Content-Disposition CLSID command attempt || bugtraq,9510 || cve,2004-0420 || url,www.microsoft.com/technet/security/bulletin/ms04-024.mspx -2590 || SMTP MAIL FROM overflow attempt || bugtraq,10290 || cve,CAN-2004-0399 || url,www.guninski.com/exim1.html -2591 || SMTP From command overflow attempt || bugtraq,10291 || cve,CAN-2004-0400 || url,www.guninski.com/exim1.html -2592 || SMTP ReplyTo command overflow attempt || bugtraq,10291 || cve,CAN-2004-0400 || url,www.guninski.com/exim1.html -2593 || SMTP Sender command overflow attempt || bugtraq,10291 || cve,CAN-2004-0400 || url,www.guninski.com/exim1.html -2594 || SMTP To command overflow attempt || bugtraq,10291 || cve,CAN-2004-0400 || url,www.guninski.com/exim1.html -2595 || SMTP CC command overflow attempt || bugtraq,10291 || cve,CAN-2004-0400 || url,www.guninski.com/exim1.html -2596 || SMTP BCC command overflow attempt || bugtraq,10291 || cve,CAN-2004-0400 || url,www.guninski.com/exim1.html -2597 || WEB-MISC Samba SWAT Authorization overflow attempt || bugtraq,10780 -2598 || WEB-MISC Samba SWAT Authorization port 901 overflow attempt || bugtraq,10780 -2599 || ORACLE add_grouped_column named sname/oname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html -2600 || ORACLE add_grouped_column ordered sname/oname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html -2601 || 
ORACLE drop_master_repgroup named gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck87.html -2602 || ORACLE drop_master_repgroup ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck87.html -2603 || ORACLE create_mview_repgroup named fname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html -2604 || ORACLE create_mview_repgroup ordered fname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html -2605 || ORACLE compare_old_values ordered sname/oname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck91.html -2606 || ORACLE comment_on_repobject named type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html -2607 || ORACLE comment_on_repobject ordered type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html -2608 || ORACLE check_ddl_text ordered buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html -2609 || ORACLE cancel_statistics named sname/oname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html -2610 || ORACLE cancel_statistics ordered sname/oname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html -2611 || ORACLE LINK metadata buffer overflow attempt || bugtraq,7453 || cve,CAN-2003-0222 || url,archives.neohapsis.com/archives/bugtraq/2003-04/0360.html -2612 || ORACLE revoke_surrogate_repcat named userid buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html -2613 || ORACLE revoke_surrogate_repcat ordered userid buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html -2614 || ORACLE time_zone buffer overflow attempt || bugtraq,9587 || url,www.nextgenss.com/advisories/ora_time_zone.txt -2615 || ORACLE grant_surrogate_repcat named userid buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html -2616 || ORACLE grant_surrogate_repcat ordered userid buffer overflow attempt || 
url,www.appsecinc.com/Policy/PolicyCheck97.html -2617 || ORACLE alter_mview_propagation named gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html -2618 || ORACLE alter_mview_propagation ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html -2619 || ORACLE alter_master_repobject named type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html -2620 || ORACLE alter_master_repobject ordered type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html -2621 || ORACLE utl.register_flavor_change ordered buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html -2622 || ORACLE utl.drop_an_object ordered buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html -2623 || ORACLE utl.create_snapshot_repgroup ordered buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html -2624 || ORACLE unregister_user_repgroup named privilege_type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html -2625 || ORACLE unregister_user_repgroup ordered privilege_type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html -2626 || ORACLE send_old_values ordered sname/oname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck91.html -2627 || ORACLE repcat_import_check named gowner/gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html -2628 || ORACLE repcat_import_check ordered gowner/gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html -2629 || ORACLE register_user_repgroup named privilege_type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html -2630 || ORACLE register_user_repgroup ordered privilege_type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html -2631 || ORACLE refresh_mview_repgroup named gowner buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html 
-2632 || ORACLE refresh_mview_repgroup ordered gowner buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html -2633 || ORACLE rectifier_diff named sname1 attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html -2634 || ORACLE rectifier_diff ordered sname1 buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html -2635 || ORACLE snapshot.end_load named gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html -2636 || ORACLE snapshot.end_load ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html -2637 || ORACLE drop_master_repobject named type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html -2638 || ORACLE drop_master_repobject ordered type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html -2639 || ORACLE drop_mview_repgroup named gowner buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html -2640 || ORACLE drop_mview_repgroup ordered gowner/gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html -2641 || ORACLE drop_site_instantiate named refresh_template_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck629.html -2642 || ORACLE drop_site_instantiate ordered refresh_template_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck629.html -2643 || ORACLE ensure_not_published ordered fname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck96.html -2644 || ORACLE from_tz buffer overflow attempt || url,www.nextgenss.com/advisories/ora_from_tz.txt -2645 || ORACLE instantiate_offline named refresh_template_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck630.html -2646 || ORACLE instantiate_offline ordered refresh_template_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck630.html -2647 || ORACLE instantiate_online named refresh_template_name buffer overflow attempt || 
url,www.appsecinc.com/Policy/PolicyCheck631.html -2648 || ORACLE instantiate_online ordered refresh_template_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck631.html -2649 || ORACLE service_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck52.html -2650 || ORACLE user name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck62.html -2651 || ORACLE NUMTODSINTERVAL/NUMTOYMINTERVAL buffer overflow attempt || bugtraq,9587 || url,www.nextgenss.com/advisories/ora_numtodsinterval.txt || url,www.nextgenss.com/advisories/ora_numtoyminterval.txt -2652 || ORACLE og.begin_load named gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html -2653 || ORACLE og.begin_load ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html -2654 || WEB-PHP PHPNuke Forum viewtopic SQL insertion attempt || bugtraq,7193 -2655 || MISC HP Web JetAdmin ExecuteFile admin access || bugtraq,10224 -2656 || EXPLOIT SSLv2 Client_Hello Challenge Length overflow attempt -2657 || EXPLOIT SSLv2 Client_Hello with pad Challenge Length overflow attempt -2658 || WEB-MISC SSLv2 Client_Hello request -2659 || WEB-MISC SSLv2 Client_Hello with pad request -2660 || WEB-MISC SSLv2 Server_Hello request -2661 || WEB-MISC TLS1 Client_Hello request -2662 || WEB-MISC TLS1 Server_Hello request -2663 || WEB-CGI WhatsUpGold instancename overflow attempt || bugtraq,11043 || cve,2004-0798 -2664 || IMAP login format string attempt || bugtraq,10976 -2665 || IMAP login literal format string attempt || bugtraq,10976 -2666 || POP3 PASS format string attempt || bugtraq,10976 -2667 || WEB-CGI ping.asp access || nessus,10968 -2668 || WEB-CGI processit access || nessus,10649 -2669 || WEB-CGI ibillpm.pl access || bugtraq,3476 || nessus,11083 -2670 || WEB-CGI pgpmail.pl access || nessus,11070 || cve,2001-0937 -2671 || WEB-CLIENT bitmap BitmapOffset integer overflow attempt || cve,2004-0566 || bugtraq,9663 -2672 || WEB-MISC 
sresult.exe access || nessus,14186 || bugtraq,10837 -2673 || WEB-CLIENT libpng tRNS overflow attempt || bugtraq,10872 || cve,2004-0597 diff -Nru snort-2.8.5.2/etc/snort.conf snort-2.9.2/etc/snort.conf --- snort-2.8.5.2/etc/snort.conf 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/etc/snort.conf 2011-12-07 19:24:50.000000000 +0000 
@@ -1,924 +1,596 @@ #-------------------------------------------------- -# http://www.snort.org Snort 2.8.5.2 Ruleset -# Contact: snort-sigs@lists.sourceforge.net -#-------------------------------------------------- -# $Id$ +# VRT Rule Packages Snort.conf # +# For more information visit us at: +# http://www.snort.org Snort Website +# http://vrt-sourcefire.blogspot.com/ Sourcefire VRT Blog +# +# Mailing list Contact: snort-sigs@lists.sourceforge.net +# False Positive reports: fp@sourcefire.com +# Snort bugs: bugs@snort.org +# +# Compatible with Snort Versions: +# VERSIONS : 2.9.2.0 +# +# Snort build options: +# OPTIONS : --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3 +# +# Additional information: +# This configuration file enables active response, to run snort in +# test mode -T you are required to supply an interface -i +# or test mode will fail to fully validate the configuration and +# exit with a FATAL error +#-------------------------------------------------- + ################################################### # This file contains a sample snort configuration. -# You can take the following steps to create your own custom configuration: -# -# 1) Set the variables for your network -# 2) Configure dynamic loaded libraries -# 3) Configure preprocessors -# 4) Configure output plugins -# 5) Add any runtime config directives -# 6) Customize your rule set +# You should take the following steps to create your own custom configuration: # +# 1) Set the network variables. 
+# 2) Configure the decoder +# 3) Configure the base detection engine +# 4) Configure dynamic loaded libraries +# 5) Configure preprocessors +# 6) Configure output plugins +# 7) Customize your rule set +# 8) Customize preprocessor and decoder rule set +# 9) Customize shared object rule set ################################################### -# Step #1: Set the network variables: -# -# You must change the following variables to reflect your local network. The -# variable is currently setup for an RFC 1918 address space. -# -# You can specify it explicitly as: -# -# var HOME_NET 10.1.1.0/24 -# -# if Snort is built with IPv6 support enabled (--enable-ipv6), use: -# -# ipvar HOME_NET 10.1.1.0/24 -# -# or use global variable $_ADDRESS which will be always -# initialized to IP address and netmask of the network interface which you run -# snort at. Under Windows, this must be specified as -# $(_ADDRESS), such as: -# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS) -# -# var HOME_NET $eth0_ADDRESS -# -# You can specify lists of IP addresses for HOME_NET -# by separating the IPs with commas like this: -# -# var HOME_NET [10.1.1.0/24,192.168.1.0/24] -# -# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST! -# -# or you can specify the variable to be any IP address -# like this: -var HOME_NET any +################################################### +# Step #1: Set the network variables. For more information, see README.variables +################################################### -# Set up the external network addresses as well. A good start may be "any" -var EXTERNAL_NET any -#var EXTERNAL_NET !$HOME_NET +# Setup the network addresses you are protecting +ipvar HOME_NET any -# Configure your server lists. This allows snort to only look for attacks to -# systems that have a service up. Why look for HTTP attacks if you are not -# running a web server? 
This allows quick filtering based on IP addresses -# These configurations MUST follow the same configuration scheme as defined -# above for $HOME_NET. +# Set up the external network addresses. Leave as "any" in most situations +ipvar EXTERNAL_NET any # List of DNS servers on your network -var DNS_SERVERS $HOME_NET +ipvar DNS_SERVERS $HOME_NET # List of SMTP servers on your network -var SMTP_SERVERS $HOME_NET +ipvar SMTP_SERVERS $HOME_NET # List of web servers on your network -var HTTP_SERVERS $HOME_NET +ipvar HTTP_SERVERS $HOME_NET # List of sql servers on your network -var SQL_SERVERS $HOME_NET +ipvar SQL_SERVERS $HOME_NET # List of telnet servers on your network -var TELNET_SERVERS $HOME_NET +ipvar TELNET_SERVERS $HOME_NET -# List of telnet servers on your network -var FTP_SERVERS $HOME_NET +# List of ssh servers on your network +ipvar SSH_SERVERS $HOME_NET -# List of snmp servers on your network -var SNMP_SERVERS $HOME_NET +# List of ftp servers on your network +ipvar FTP_SERVERS $HOME_NET -# Configure your service ports. This allows snort to look for attacks destined -# to a specific application only on the ports that application runs on. For -# example, if you run a web server on port 8180, set your HTTP_PORTS variable -# like this: -# -# portvar HTTP_PORTS 8180 -# -# Ports you run web servers on -portvar HTTP_PORTS 80 +# List of sip servers on your network +ipvar SIP_SERVERS $HOME_NET -# NOTE: If you wish to define multiple HTTP ports, use the portvar -# syntax to represent lists of ports and port ranges. Examples: -## portvar HTTP_PORTS [80,8080] -## portvar HTTP_PORTS [80,8000:8080] -# And only include the rule that uses $HTTP_PORTS once. -# -# The pre-2.8.0 approach of redefining the variable to a different port and -# including the rules file twice is obsolete. See README.variables for more -# details. 
+# List of ports you run web servers on +portvar HTTP_PORTS [80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,5250,7001,7777,7779,8000,8008,8028,8080,8088,8118,8123,8180,8181,8243,8280,8888,9090,9091,9443,9999,11371] -# Ports you want to look for SHELLCODE on. +# List of ports you want to look for SHELLCODE on. portvar SHELLCODE_PORTS !80 -# Ports you might see oracle attacks on -portvar ORACLE_PORTS 1521 +# List of ports you might see oracle attacks on +portvar ORACLE_PORTS 1024: + +# List of ports you want to look for SSH connections on: +portvar SSH_PORTS 22 -# Ports for FTP servers -portvar FTP_PORTS 21 +# List of ports you run ftp servers on +portvar FTP_PORTS [21,2100,3535] -# other variables -# -# AIM servers. AOL has a habit of adding new AIM servers, so instead of -# modifying the signatures when they do, we add them to this list of servers. -var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] +# List of ports you run SIP servers on +portvar SIP_PORTS [5060,5061,5600] + +# other variables, these should not be modified +ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] # Path to your rules files (this can be a relative path) # Note for Windows users: You are advised to make this an absolute path, # such as: c:\snort\rules -var RULE_PATH /etc/snort/rules -var PREPROC_RULE_PATH /etc/snort/preproc_rules +var RULE_PATH ../rules +var SO_RULE_PATH ../so_rules +var PREPROC_RULE_PATH ../preproc_rules + +################################################### +# Step #2: Configure the decoder. 
For more information, see README.decode +################################################### -# Configure the snort decoder -# ============================ -# -# Snort's decoder will alert on lots of things such as header -# truncation or options of unusual length or infrequently used tcp options -# -# # Stop generic decode events: -# -# config disable_decode_alerts -# +config disable_decode_alerts + # Stop Alerts on experimental TCP options -# -# config disable_tcpopt_experimental_alerts -# +config disable_tcpopt_experimental_alerts + # Stop Alerts on obsolete TCP options -# -# config disable_tcpopt_obsolete_alerts -# +config disable_tcpopt_obsolete_alerts + # Stop Alerts on T/TCP alerts -# -# In snort 2.0.1 and above, this only alerts when a TCP option is detected -# that shows T/TCP being actively used on the network. If this is normal -# behavior for your network, disable the next option. -# -# config disable_tcpopt_ttcp_alerts -# +config disable_tcpopt_ttcp_alerts + # Stop Alerts on all other TCPOption type events: -# -# config disable_tcpopt_alerts -# +config disable_tcpopt_alerts + # Stop Alerts on invalid ip options +config disable_ipopt_alerts + +# Alert if value in length field (IP, TCP, UDP) is greater th elength of the packet +# config enable_decode_oversized_alerts + +# Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts) +# config enable_decode_oversized_drops + +# Configure IP / TCP checksum mode +config checksum_mode: all + +# Configure maximum number of flowbit references. For more information, see README.flowbits +# config flowbits_size: 64 + +# Configure ports to ignore +# config ignore_ports: tcp 21 6667:6671 1356 +# config ignore_ports: udp 1:17 53 + +# Configure active response for non inline operation. For more information, see REAMDE.active +# config response: eth0 attempts 2 + +# Configure DAQ related options for inline operation. 
For more information, see README.daq # -# config disable_ipopt_alerts -# -# Alert if value in length field (IP, TCP, UDP) is greater than the -# actual length of the captured portion of the packet that the length -# is supposed to represent: +# config daq: +# config daq_dir: +# config daq_mode: +# config daq_var: # -# config enable_decode_oversized_alerts +# ::= pcap | afpacket | dump | nfq | ipq | ipfw +# ::= read-file | passive | inline +# ::= arbitrary = ::= path as to where to look for DAQ module so's + +# Configure specific UID and GID to run snort as after dropping privs. For more information see snort -h command line options # -# Same as above, but drop packet if in Inline mode - -# enable_decode_oversized_alerts must be enabled for this to work: +# config set_gid: +# config set_uid: + +# Configure default snaplen. Snort defaults to MTU of in use interface. For more information see README # -# config enable_decode_oversized_drops +# config snaplen: # -# Configure the detection engine -# =============================== +# Configure default bpf_file to use for filtering what traffic reaches snort. For more information see snort -h command line options (-F) +# +# config bpf_file: # -# Use a different pattern matcher in case you have a machine with very limited -# resources: + +# Configure default log directory for snort to log to. For more information see snort -h command line options (-l) # -# config detection: search-method lowmem +# config logdir: + + +################################################### +# Step #3: Configure the base detection engine. For more information, see README.decode +################################################### + +# Configure PCRE match limitations +config pcre_match_limit: 3500 +config pcre_match_limit_recursion: 1500 -# Configure Inline Resets -# ======================== -# -# If running an iptables firewall with snort in InlineMode() we can now -# perform resets via a physical device. 
We grab the indev from iptables -# and use this for the interface on which to send resets. This config -# option takes an argument for the src mac address you want to use in the -# reset packet. This way the bridge can remain stealthy. If the src mac -# option is not set we use the mac address of the indev device. If we -# don't set this option we will default to sending resets via raw socket, -# which needs an ipaddress to be assigned to the int. -# -# config layer2resets: 00:06:76:DD:5F:E3 - -################################################### -# Step #2: Configure dynamic loaded libraries -# -# If snort was configured to use dynamically loaded libraries, -# those libraries can be loaded here. -# -# Each of the following configuration options can be done via -# the command line as well. -# -# Load all dynamic preprocessors from the install path -# (same as command line option --dynamic-preprocessor-lib-dir) -# -dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/ -# -# Load a specific dynamic preprocessor library from the install path -# (same as command line option --dynamic-preprocessor-lib) -# -# dynamicpreprocessor file /usr/lib/snort_dynamicpreprocessor/libdynamicexample.so -# -# Load a dynamic engine from the install path -# (same as command line option --dynamic-engine-lib) -# -dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so -# -# Load all dynamic rules libraries from the install path -# (same as command line option --dynamic-detection-lib-dir) -# -# dynamicdetection directory /usr/lib/snort_dynamicrule/ -# -# Load a specific dynamic rule library from the install path -# (same as command line option --dynamic-detection-lib) -# -# dynamicdetection file /usr/lib/snort_dynamicrule/libdynamicexamplerule.so -# - -################################################### -# Step #3: Configure preprocessors -# -# General configuration for preprocessors is of -# the form -# preprocessor : - -# frag3: Target-based IP defragmentation -# 
-------------------------------------- -# -# Frag3 is a brand new IP defragmentation preprocessor that is capable of -# performing "target-based" processing of IP fragments. Check out the -# README.frag3 file in the doc directory for more background and configuration -# information. -# -# Frag3 configuration is a two step process, a global initialization phase -# followed by the definition of a set of defragmentation engines. -# -# Global configuration defines the number of fragmented packets that Snort can -# track at the same time and gives you options regarding the memory cap for the -# subsystem or, optionally, allows you to preallocate all the memory for the -# entire frag3 system. -# -# frag3_global options: -# max_frags: Maximum number of frag trackers that may be active at once. -# Default value is 8192. -# memcap: Maximum amount of memory that frag3 may access at any given time. -# Default value is 4MB. -# prealloc_frags: Maximum number of individual fragments that may be processed -# at once. This is instead of the memcap system, uses static -# allocation to increase performance. No default value. Each -# preallocated fragment typically eats ~1550 bytes. However, -# the exact amount is determined by the snaplen, and this can -# go as high as 64K so beware! -# -# Target-based behavior is attached to an engine as a "policy" for handling -# overlaps and retransmissions as enumerated in the Paxson paper. There are -# currently five policy types available: "BSD", "BSD-right", "First", "Linux" -# and "Last". Engines can be bound to standard Snort CIDR blocks or -# IP lists. -# -# frag3_engine options: -# timeout: Amount of time a fragmented packet may be active before expiring. -# Default value is 60 seconds. -# ttl_limit: Limit of delta allowable for TTLs of packets in the fragments. -# Based on the initial received fragment TTL. -# min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs below this -# value will be discarded. Default value is 0. 
-# detect_anomalies: Activates frag3's anomaly detection mechanisms. -# policy: Target-based policy to assign to this engine. Default is BSD. -# bind_to: IP address set to bind this engine to. Default is all hosts. -# -# Frag3 configuration example: -#preprocessor frag3_global: max_frags 65536, prealloc_frags 65536 -#preprocessor frag3_engine: policy linux \ -# bind_to [10.1.1.12/32,10.1.1.13/32] \ -# detect_anomalies -#preprocessor frag3_engine: policy first \ -# bind_to 10.2.1.0/24 \ -# detect_anomalies -#preprocessor frag3_engine: policy last \ -# bind_to 10.3.1.0/24 -#preprocessor frag3_engine: policy bsd +# Configure the detection engine See the Snort Manual, Configuring Snort - Includes - Config +config detection: search-method ac-split search-optimize max-pattern-len 20 +# Configure the event queue. For more information, see README.event_queue +config event_queue: max_queue 8 log 3 order_events content_length + +################################################### +# Per packet and rule latency enforcement +# For more information see README.ppm +################################################### + +# Per Packet latency configuration +#config ppm: max-pkt-time 250, \ +# fastpath-expensive-packets, \ +# pkt-log + +# Per Rule latency configuration +#config ppm: max-rule-time 200, \ +# threshold 3, \ +# suspend-expensive-rules, \ +# suspend-timeout 20, \ +# rule-log alert + +################################################### +# Configure Perf Profiling for debugging +# For more information see README.PerfProfiling +################################################### + +#config profile_rules: print all, sort avg_ticks +#config profile_preprocs: print all, sort avg_ticks + +################################################### +# Step #4: Configure dynamic loaded libraries. 
+# For more information, see Snort Manual, Configuring Snort - Dynamic Modules +################################################### + +# path to dynamic preprocessor libraries +dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/ + +# path to base preprocessor engine +dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so + +# path to dynamic rules libraries +dynamicdetection directory /usr/local/lib/snort_dynamicrules + +################################################### +# Step #5: Configure preprocessors +# For more information, see the Snort Manual, Configuring Snort - Preprocessors +################################################### + +# Inline packet normalization. For more information, see README.normalize +# Does nothing in IDS mode +preprocessor normalize_ip4 +preprocessor normalize_tcp: ips ecn stream +preprocessor normalize_icmp4 +preprocessor normalize_ip6 +preprocessor normalize_icmp6 + +# Target-based IP defragmentation. For more inforation, see README.frag3 preprocessor frag3_global: max_frags 65536 -preprocessor frag3_engine: policy first detect_anomalies overlap_limit 10 +preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180 -# stream5: Target Based stateful inspection/stream reassembly for Snort -# --------------------------------------------------------------------- -# Stream5 is a target-based stream engine for Snort. It handles both -# TCP and UDP connection tracking as well as TCP reassembly. -# -# See README.stream5 for details on the configuration options. 
-# -# Example config -preprocessor stream5_global: max_tcp 8192, track_tcp yes, \ - track_udp no -preprocessor stream5_tcp: policy first -# Not recommended in production systems -# preprocessor stream5_tcp: policy first, use_static_footprint_sizes -# preprocessor stream5_udp: ignore_any_rules - - -# Performance Statistics -# ---------------------- -# Documentation for this is provided in the Snort Manual. You should read it. -# It is included in the release distribution as doc/snort_manual.pdf -# -# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000 +# Target-Based stateful inspection/stream reassembly. For more inforation, see README.stream5 +preprocessor stream5_global: track_tcp yes, \ + track_udp yes, \ + track_icmp no, \ + max_tcp 262144, \ + max_udp 131072, \ + max_active_responses 2, \ + min_response_seconds 5 +preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \ + overlap_limit 10, small_segments 3 bytes 150, timeout 180, \ + ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \ + 161 445 513 514 587 593 691 1433 1521 2100 3306 6070 6665 6666 6667 6668 6669 \ + 7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \ + ports both 80 81 311 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3128 3702 5250 7907 7001 7802 7777 7779 \ + 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \ + 7917 7918 7919 7920 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888 9090 9091 9443 9999 11371 +preprocessor stream5_udp: timeout 180 -# http_inspect: normalize and detect HTTP traffic and protocol anomalies -# -# lots of options available here. See doc/README.http_inspect. -# unicode.map should be wherever your snort.conf lives, or given -# a full path to where snort can find it. -preprocessor http_inspect: global \ - iis_unicode_map unicode.map 1252 +# performance statistics. 
For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor +# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000 +# HTTP normalization and anomaly detection. For more information, see README.http_inspect +preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 preprocessor http_inspect_server: server default \ - profile all ports { 80 8080 8180 } oversize_dir_length 500 + chunk_length 500000 \ + server_flow_depth 0 \ + client_flow_depth 0 \ + post_depth 65495 \ + oversize_dir_length 500 \ + max_header_length 750 \ + max_headers 100 \ + ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8181 8243 8280 8888 9090 9091 9443 9999 11371 } \ + non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \ + enable_cookie \ + extended_response_inspection \ + inspect_gzip \ + normalize_utf \ + unlimited_decompress \ + apache_whitespace no \ + ascii no \ + bare_byte no \ + directory no \ + double_decode no \ + iis_backslash no \ + iis_delimiter no \ + iis_unicode no \ + multi_slash no \ + utf_8 no \ + u_encode yes \ + webroot no -# -# Example unique server configuration -# -#preprocessor http_inspect_server: server 1.1.1.1 \ -# ports { 80 3128 8080 } \ -# server_flow_depth 0 \ -# ascii no \ -# double_decode yes \ -# non_rfc_char { 0x00 } \ -# chunk_length 500000 \ -# non_strict \ -# oversize_dir_length 300 \ -# no_alerts - - -# rpc_decode: normalize RPC traffic -# --------------------------------- -# RPC may be sent in alternate encodings besides the usual 4-byte encoding -# that is used by default. This plugin takes the port numbers that RPC -# services are running on as arguments - it is assumed that the given ports -# are actually running this type of service. If not, change the ports or turn -# it off. 
-# The RPC decode preprocessor uses generator ID 106 -# -# arguments: space separated list -# alert_fragments - alert on any rpc fragmented TCP data -# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet -# no_alert_large_fragments - don't alert when the fragmented -# sizes exceed the current packet size -# no_alert_incomplete - don't alert when a single segment -# exceeds the current packet size - -preprocessor rpc_decode: 111 32771 - -# bo: Back Orifice detector -# ------------------------- -# Detects Back Orifice traffic on the network. -# -# arguments: -# syntax: -# preprocessor bo: noalert { client | server | general | snort_attack } \ -# drop { client | server | general | snort_attack } -# example: -# preprocessor bo: noalert { general server } drop { snort_attack } -# -# -# The Back Orifice detector uses Generator ID 105 and uses the -# following SIDS for that GID: -# SID Event description -# ----- ------------------- -# 1 Back Orifice traffic detected -# 2 Back Orifice Client Traffic Detected -# 3 Back Orifice Server Traffic Detected -# 4 Back Orifice Snort Buffer Attack +# ONC-RPC normalization and anomaly detection. For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode +preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete +# Back Orifice detection. preprocessor bo -# ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff overflow -# --------------------------------------------------------------------------- -# This preprocessor normalizes telnet negotiation strings from telnet and -# ftp traffic. It looks for traffic that breaks the normal data stream -# of the protocol, replacing it with a normalized representation of that -# traffic so that the "content" pattern matching keyword can work without -# requiring modifications. 
-# -# It also performs protocol correctness checks for the FTP command channel, -# and identifies open FTP data transfers. -# -# FTPTelnet has numerous options available, please read -# README.ftptelnet for help configuring the options for the global -# telnet, ftp server, and ftp client sections for the protocol. - -##### -# Per Step #2, set the following to load the ftptelnet preprocessor -# dynamicpreprocessor file -# or use commandline option -# --dynamic-preprocessor-lib - -preprocessor ftp_telnet: global \ - encrypted_traffic yes \ - inspection_type stateful - +# FTP / Telnet normalization and anomaly detection. For more information, see README.ftptelnet +preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no preprocessor ftp_telnet_protocol: telnet \ - normalize \ - ayt_attack_thresh 200 - -# This is consistent with the FTP rules as of 18 Sept 2004. -# CWD can have param length of 200 -# MODE has an additional mode of Z (compressed) -# Check for string formats in USER & PASS commands -# Check nDTM commands that set modification time on the file. 
+ ayt_attack_thresh 20 \
+ normalize ports { 23 } \
+ detect_anomalies
 preprocessor ftp_telnet_protocol: ftp server default \
- def_max_param_len 100 \
- alt_max_param_len 200 { CWD } \
- cmd_validity MODE < char ASBCZ > \
- cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
- chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
- telnet_cmds yes \
- data_chan
-
+ def_max_param_len 100 \
+ ports { 21 2100 3535 } \
+ telnet_cmds yes \
+ ignore_telnet_erase_cmds yes \
+ ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
+ ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
+ ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
+ ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
+ ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
+ ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
+ ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
+ ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
+ ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
+ ftp_cmds { XSEN XSHA1 XSHA256 } \
+ alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
+ alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
+ alt_max_param_len 256 { CWD RNTO } \
+ alt_max_param_len 400 { PORT } \
+ alt_max_param_len 512 { SIZE } \
+ chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
+ chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
+ chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
+ chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
+ chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
+ chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
+ chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
+ chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
+ cmd_validity ALLO < int [ char R int ] > \
+ cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
+ cmd_validity MACB < string > \
+ cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
+ cmd_validity MODE < char ASBCZ > \
+ cmd_validity PORT < host_port > \
+ cmd_validity PROT < char CSEP > \
+ cmd_validity STRU < char FRPO [ string ] > \
+ cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
 preprocessor ftp_telnet_protocol: ftp client default \
- max_resp_len 256 \
- bounce yes \
- telnet_cmds yes
-
-# smtp: SMTP normalizer, protocol enforcement and buffer overflow
-# ---------------------------------------------------------------------------
-# This preprocessor normalizes SMTP commands by removing extraneous spaces.
-# It looks for overly long command lines, response lines, and data header lines.
-# It can alert on invalid commands, or specific valid commands. It can optionally
-# ignore mail data, and can ignore TLS encrypted data.
-#
-# SMTP has numerous options available, please read README.SMTP for help
-# configuring options.
-
-#####
-# Per Step #2, set the following to load the smtp preprocessor
-# dynamicpreprocessor file
-# or use commandline option
-# --dynamic-preprocessor-lib
-
-preprocessor smtp: \
- ports { 25 587 691 } \
- inspection_type stateful \
- normalize cmds \
- normalize_cmds { EXPN VRFY RCPT } \
- alt_max_command_line_len 260 { MAIL } \
- alt_max_command_line_len 300 { RCPT } \
- alt_max_command_line_len 500 { HELP HELO ETRN } \
- alt_max_command_line_len 255 { EXPN VRFY }
-
-# sfPortscan
-# ----------
-# Portscan detection module. Detects various types of portscans and
-# portsweeps. For more information on detection philosophy, alert types,
-# and detailed portscan information, please refer to the README.sfportscan.
-#
-# -configuration options-
-# proto { tcp udp icmp ip all }
-# The arguments to the proto option are the types of protocol scans that
-# the user wants to detect. Arguments should be separated by spaces and
-# not commas.
-# scan_type { portscan portsweep decoy_portscan distributed_portscan all }
-# The arguments to the scan_type option are the scan types that the
-# user wants to detect. Arguments should be separated by spaces and not
-# commas.
-# sense_level { low|medium|high }
-# There is only one argument to this option and it is the level of
-# sensitivity in which to detect portscans. The 'low' sensitivity
-# detects scans by the common method of looking for response errors, such
-# as TCP RSTs or ICMP unreachables. This level requires the least
-# tuning. The 'medium' sensitivity level detects portscans and
-# filtered portscans (portscans that receive no response). This
-# sensitivity level usually requires tuning out scan events from NATed
-# IPs, DNS cache servers, etc. The 'high' sensitivity level has
-# lower thresholds for portscan detection and a longer time window than
-# the 'medium' sensitivity level. Requires more tuning and may be noisy
-# on very active networks. However, this sensitivity levels catches the
-# most scans.
-# memcap { positive integer }
-# The maximum number of bytes to allocate for portscan detection. The
-# higher this number the more nodes that can be tracked.
-# logfile { filename }
-# This option specifies the file to log portscan and detailed portscan
-# values to. If there is not a leading /, then snort logs to the
-# configured log directory. Refer to README.sfportscan for details on
-# the logged values in the logfile.
-# watch_ip { Snort IP List }
-# ignore_scanners { Snort IP List }
-# ignore_scanned { Snort IP List }
-# These options take a snort IP list as the argument. The 'watch_ip'
-# option specifies the IP(s) to watch for portscan. The
-# 'ignore_scanners' option specifies the IP(s) to ignore as scanners.
-# Note that these hosts are still watched as scanned hosts. The
-# 'ignore_scanners' option is used to tune alerts from very active
-# hosts such as NAT, nessus hosts, etc. The 'ignore_scanned' option
-# specifies the IP(s) to ignore as scanned hosts. Note that these hosts
-# are still watched as scanner hosts. The 'ignore_scanned' option is
-# used to tune alerts from very active hosts such as syslog servers, etc.
-# detect_ack_scans
-# This option will include sessions picked up in midstream by the stream
-# module, which is necessary to detect ACK scans. However, this can lead to
-# false alerts, especially under heavy load with dropped packets; which is why
-# the option is off by default.
-#
-preprocessor sfportscan: proto { all } \
- memcap { 10000000 } \
- sense_level { low }
-
-# arpspoof
-#----------------------------------------
-# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
-# unicast ARP requests, and specific ARP mapping monitoring. To make use of
-# this preprocessor you must specify the IP and hardware address of hosts on
-# the same layer 2 segment as you. Specify one host IP MAC combo per line.
-# Also takes a "-unicast" option to turn on unicast ARP request detection.
-# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
-
-# SID Event description
-# ----- -------------------
-# 1 Unicast ARP request
-# 2 Etherframe ARP mismatch (src)
-# 3 Etherframe ARP mismatch (dst)
-# 4 ARP cache overwrite attack
-
-#preprocessor arpspoof
-#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
-
-# ssh
-# ------------------------------
-# The SSH preprocessor detects the following exploits: Challenge-Response
-# Authentication overflow, CRC 32 overflow, Secure CRT version string overflow,
-# and protocol version mismatches.
-#
-# Both Challenge-Response Auth and CRC 32 attacks occur after the key exchange,
-# and are therefore encrypted. Both attacks involve sending a large payload
-# (20kb+) to the server immediately after the authentication challenge.
-# To detect the attacks, the SSH preprocessor counts the number of bytes
-# transmitted to the server. If those bytes exceed a pre-defined limit,
-# set by the option "max_client_bytes", an alert is generated. Since
-# the Challenge-Response Auth overflow only affects SSHv2, while CRC 32 only
-# affects SSHv1, the SSH version string exchange is used to distinguish
-# the attacks.
-#
-# The Secure CRT and protocol mismatch exploits are observable before
-# the key exchange.
-#
-# SSH has numerous options available, please read README.ssh for help
-# configuring options.
-
-#####
-# Per Step #2, set the following to load the ssh preprocessor
-# dynamicpreprocessor file
-# or use commandline option
-# --dynamic-preprocessor-lib
-#
+ max_resp_len 256 \
+ bounce yes \
+ ignore_telnet_erase_cmds yes \
+ telnet_cmds yes
+
+
+# SMTP normalization and anomaly detection. For more information, see README.SMTP
+preprocessor smtp: ports { 25 465 587 691 } \
+ inspection_type stateful \
+ b64_decode_depth 0 \
+ qp_decode_depth 0 \
+ bitenc_decode_depth 0 \
+ uu_decode_depth 0 \
+ log_mailfrom \
+ log_rcptto \
+ log_filename \
+ log_email_hdrs \
+ normalize cmds \
+ normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
+ normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
+ normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
+ normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
+ max_command_line_len 512 \
+ max_header_line_len 1000 \
+ max_response_line_len 512 \
+ alt_max_command_line_len 260 { MAIL } \
+ alt_max_command_line_len 300 { RCPT } \
+ alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
+ alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
+ alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
+ valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
+ valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
+ valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
+ valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
+ xlink2state { enabled }
+
+# Portscan detection. For more information, see README.sfportscan
+# preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
+
+# ARP spoof detection. For more information, see the Snort Manual - Configuring Snort - Preprocessors - ARP Spoof Preprocessor
+# preprocessor arpspoof
+# preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
+
+# SSH anomaly detection. For more information, see README.ssh
 preprocessor ssh: server_ports { 22 } \
+ autodetect \
 max_client_bytes 19600 \
 max_encrypted_packets 20 \
+ max_server_version_len 100 \
 enable_respoverflow enable_ssh1crc32 \
 enable_srvoverflow enable_protomismatch
-# DCE/RPC
-#----------------------------------------
-#
-# The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic.
-# It is primarily interested in DCE/RPC data, and only decodes SMB
-# to get at the DCE/RPC data carried by the SMB layer.
-#
-# Currently, the preprocessor only handles reassembly of fragmentation
-# at both the SMB and DCE/RPC layer. Snort rules can be evaded by
-# using both types of fragmentation; with the preprocessor enabled
-# the rules are given a buffer with a reassembled SMB or DCE/RPC
-# packet to examine.
-#
-# At the SMB layer, only fragmentation using WriteAndX is currently
-# reassembled. Other methods will be handled in future versions of
-# the preprocessor.
-#
-# Autodetection of SMB is done by looking for "\xFFSMB" at the start of
-# the SMB data, as well as checking the NetBIOS header (which is always
-# present for SMB) for the type "SMB Session".
-#
-# Autodetection of DCE/RPC is not as reliable. Currently, two bytes are
-# checked in the packet. Assuming that the data is a DCE/RPC header,
-# one byte is checked for DCE/RPC version (5) and another for the type
-# "DCE/RPC Request". If both match, the preprocessor proceeds with that
-# assumption that it is looking at DCE/RPC data. If subsequent checks
-# are nonsensical, it ends processing.
-#
-# DCERPC has numerous options available, please read README.dcerpc for help
-# configuring options.
-
-#####
-# Per Step #2, set the following to load the dcerpc preprocessor
-# dynamicpreprocessor file
-# or use commandline option
-# --dynamic-preprocessor-lib
-#
-#preprocessor dcerpc: \
-# autodetect \
-# max_frag_size 3000 \
-# memcap 100000
-
-
-# DCE/RPC 2
-#----------------------------------------
-# See doc/README.dcerpc2 for explanations of what the
-# preprocessor does and how to configure it.
-#
-preprocessor dcerpc2
-preprocessor dcerpc2_server: default
-
-
-# DNS
-#----------------------------------------
-# The dns preprocessor (currently) decodes DNS Response traffic
-# and detects a few vulnerabilities.
-#
-# DNS has a few options available, please read README.dns for
-# help configuring options.
-
-#####
-# Per Step #2, set the following to load the dns preprocessor
-# dynamicpreprocessor file
-# or use commandline option
-# --dynamic-preprocessor-lib
-
-preprocessor dns: \
- ports { 53 } \
- enable_rdata_overflow
-
-# SSL
-#----------------------------------------
-# Encrypted traffic should be ignored by Snort for both performance reasons
-# and to reduce false positives. The SSL Dynamic Preprocessor (SSLPP)
-# inspects SSL traffic and optionally determines if and when to stop
-# inspection of it.
-#
-# Typically, SSL is used over port 443 as HTTPS. By enabling the SSLPP to
-# inspect port 443, only the SSL handshake of each connection will be
-# inspected. Once the traffic is determined to be encrypted, no further
-# inspection of the data on the connection is made.
-#
-# If you don't necessarily trust all of the SSL capable servers on your
-# network, you should remove the "trustservers" option from the configuration.
-#
-# Important note: Stream5 should be explicitly told to reassemble
-# traffic on the ports that you intend to inspect SSL
-# encrypted traffic on.
-#
-# To add reassembly on port 443 to Stream5, use 'port both 443' in the
-# Stream5 configuration.
-
-preprocessor ssl: noinspect_encrypted, trustservers
-
-
-####################################################################
-# Step #4: Configure output plugins
-#
-# Uncomment and configure the output plugins you decide to use. General
-# configuration for output plugins is of the form:
-#
-# output :
-#
-# alert_syslog: log alerts to syslog
-# ----------------------------------
-# Use one or more syslog facilities as arguments. Win32 can also optionally
-# specify a particular hostname/port. Under Win32, the default hostname is
-# '127.0.0.1', and the default port is 514.
-#
-# [Unix flavours should use this format...]
-# output alert_syslog: LOG_AUTH LOG_ALERT
-#
-# [Win32 can use any of these formats...]
-# output alert_syslog: LOG_AUTH LOG_ALERT
-# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
-# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
+# SMB / DCE-RPC normalization and anomaly detection. For more information, see README.dcerpc2
+preprocessor dcerpc2: memcap 102400, events [co ]
+preprocessor dcerpc2_server: default, policy WinXP, \
+ detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
+ autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
+ smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
+
+# DNS anomaly detection. For more information, see README.dns
+preprocessor dns: ports { 53 } enable_rdata_overflow
+
+# SSL anomaly detection and traffic bypass. For more information, see README.ssl
+preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted
+
+# SDF sensitive data preprocessor. For more information see README.sensitive_data
+preprocessor sensitive_data: alert_threshold 25
+
+# SIP Session Initiation Protocol preprocessor. For more information see README.sip
+preprocessor sip: max_sessions 10000, \
+ ports { 5060 5061 5600 }, \
+ methods { invite \
+ cancel \
+ ack \
+ bye \
+ register \
+ options \
+ refer \
+ subscribe \
+ update \
+ join \
+ info \
+ message \
+ notify \
+ benotify \
+ do \
+ qauth \
+ sprack \
+ publish \
+ service \
+ unsubscribe \
+ prack }, \
+ max_uri_len 512, \
+ max_call_id_len 80, \
+ max_requestName_len 20, \
+ max_from_len 256, \
+ max_to_len 256, \
+ max_via_len 1024, \
+ max_contact_len 512, \
+ max_content_len 1024
+
+# IMAP preprocessor. For more information see README.imap
+preprocessor imap: \
+ ports { 143 } \
+ b64_decode_depth 0 \
+ qp_decode_depth 0 \
+ bitenc_decode_depth 0 \
+ uu_decode_depth 0
+
+# POP preprocessor. For more information see README.pop
+preprocessor pop: \
+ ports { 110 } \
+ b64_decode_depth 0 \
+ qp_decode_depth 0 \
+ bitenc_decode_depth 0 \
+ uu_decode_depth 0
-# log_tcpdump: log packets in binary tcpdump format
-# -------------------------------------------------
-# The only argument is the output file name.
-#
-output log_tcpdump: tcpdump.log
-
-# database: log to a variety of databases
-# ---------------------------------------
-# See the README.database file for more information about configuring
-# and using this plugin.
-#
-# output database: log, mysql, user=root password=test dbname=db host=localhost
-# output database: alert, postgresql, user=snort dbname=snort
-# output database: log, odbc, user=snort dbname=snort
-# output database: log, mssql, dbname=snort user=snort password=test
-# output database: log, oracle, dbname=snort user=snort password=test
-#
-# On Debian Systems, the database configuration is kept in a separate file:
-# /etc/snort/database.conf.
-# This file can be empty, if you are not using any database information
-# If you are using databases, please edit that file instead of this one, to
-# ensure smoother upgrades to future versions of this package.
-include database.conf
-
-
-# unified: Snort unified binary format alerting and logging
-# -------------------------------------------------------------
-# The unified output plugin provides two new formats for logging and generating
-# alerts from Snort, the "unified" format. The unified format is a straight
-# binary format for logging data out of Snort that is designed to be fast and
-# efficient. Used with barnyard (the new alert/log processor), most of the
-# overhead for logging and alerting to various slow storage mechanisms such as
-# databases or the network can now be avoided.
-#
-# Check out the spo_unified.h file for the data formats.
-#
-# Two arguments are supported.
-# filename - base filename to write to (current time_t is appended)
-# limit - maximum size of spool file in MB (default: 128)
-#
-# output alert_unified: filename snort.alert, limit 128
-# output log_unified: filename snort.log, limit 128
-
-
-# prelude: log to the Prelude Hybrid IDS system
-# ---------------------------------------------
-#
-# profile = Name of the Prelude profile to use (default is snort).
-#
-# Snort priority to IDMEF severity mappings:
-# high < medium < low < info
-#
-# These are the default mapped from classification.config:
-# info = 4
-# low = 3
-# medium = 2
-# high = anything below medium
-#
-# output alert_prelude
-# output alert_prelude: profile=snort-profile-name
+###################################################
+# Step #6: Configure output plugins
+# For more information, see Snort Manual, Configuring Snort - Output Modules
+###################################################
+# unified2
+# Recommended for most installs
+# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
+
+# Additional configuration for specific types of installs
+# output alert_unified2: filename snort.alert, limit 128, nostamp
+# output log_unified2: filename snort.log, limit 128, nostamp
-# You can optionally define new rule types and associate one or more output
-# plugins specifically to that type.
-#
-# This example will create a type that will log to just tcpdump.
-# ruletype suspicious
-# {
-# type log
-# output log_tcpdump: suspicious.log
-# }
-#
-# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
-# suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
-#
-# This example will create a rule type that will log to syslog and a mysql
-# database:
-# ruletype redalert
-# {
-# type alert
-# output alert_syslog: LOG_AUTH LOG_ALERT
-# output database: log, mysql, user=snort dbname=snort host=localhost
-# }
-#
-# EXAMPLE RULE FOR REDALERT RULETYPE:
-# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
-# (msg:"Someone is being LEET"; flags:A+;)
+# syslog
+# output alert_syslog: LOG_AUTH LOG_ALERT
-#
-# Include classification & priority settings
-# Note for Windows users: You are advised to make this an absolute path,
-# such as: c:\snort\etc\classification.config
-#
+# pcap
+# output log_tcpdump: tcpdump.log
-include classification.config
+# database
+# output database: alert, , user= password= test dbname= host=
+# output database: log, , user= password= test dbname= host=
-#
-# Include reference systems
-# Note for Windows users: You are advised to make this an absolute path,
-# such as: c:\snort\etc\reference.config
-#
+# prelude
+# output alert_prelude
+# metadata reference data. do not modify these lines
+include classification.config
 include reference.config
-####################################################################
-# Step #5: Configure snort with config statements
-#
-# See the snort manual for a full set of configuration references
-#
-# config flowbits_size: 64
-#
-# New global ignore_ports config option from Andy Mullican
-#
-# config ignore_ports:
-# config ignore_ports: tcp 21 6667:6671 1356
-# config ignore_ports: udp 1:17 53
-
-####################################################################
-# Step #6: Customize your rule set
-#
-# Up to date snort rules are available at http://www.snort.org
+###################################################
+# Step #7: Customize your rule set
+# For more information, see Snort Manual, Writing Snort Rules
 #
-# The snort web site has documentation about how to write your own custom snort
-# rules.
-
-#=========================================
-# Include all relevant rulesets here
-#
-# The following rulesets are disabled by default:
-#
-# web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
-# chat, multimedia, and p2p
-#
-# These rules are either site policy specific or require tuning in order to not
-# generate false positive alerts in most enviornments.
-#
-# Please read the specific include file for more information and
-# README.alert_order for how rule ordering affects how alerts are triggered.
-#=========================================
+# NOTE: All categories are enabled in this conf file
+###################################################
+# site specific rules
 include $RULE_PATH/local.rules
+
+include $RULE_PATH/attack-responses.rules
+include $RULE_PATH/backdoor.rules
 include $RULE_PATH/bad-traffic.rules
+include $RULE_PATH/blacklist.rules
+include $RULE_PATH/botnet-cnc.rules
+include $RULE_PATH/chat.rules
+include $RULE_PATH/content-replace.rules
+include $RULE_PATH/ddos.rules
+include $RULE_PATH/dns.rules
+include $RULE_PATH/dos.rules
 include $RULE_PATH/exploit.rules
-include $RULE_PATH/community-exploit.rules
-include $RULE_PATH/scan.rules
 include $RULE_PATH/finger.rules
 include $RULE_PATH/ftp.rules
-include $RULE_PATH/telnet.rules
+include $RULE_PATH/icmp.rules
+include $RULE_PATH/icmp-info.rules
+include $RULE_PATH/imap.rules
+include $RULE_PATH/info.rules
+include $RULE_PATH/misc.rules
+include $RULE_PATH/multimedia.rules
+include $RULE_PATH/mysql.rules
+include $RULE_PATH/netbios.rules
+include $RULE_PATH/nntp.rules
+include $RULE_PATH/oracle.rules
+include $RULE_PATH/other-ids.rules
+include $RULE_PATH/p2p.rules
+include $RULE_PATH/phishing-spam.rules
+include $RULE_PATH/policy.rules
+include $RULE_PATH/pop2.rules
+include $RULE_PATH/pop3.rules
 include $RULE_PATH/rpc.rules
 include $RULE_PATH/rservices.rules
-include $RULE_PATH/dos.rules
-include $RULE_PATH/community-dos.rules
-include $RULE_PATH/ddos.rules
-include $RULE_PATH/dns.rules
+include $RULE_PATH/scada.rules
+include $RULE_PATH/scan.rules
+include $RULE_PATH/shellcode.rules
+include $RULE_PATH/smtp.rules
+include $RULE_PATH/snmp.rules
+include $RULE_PATH/specific-threats.rules
+include $RULE_PATH/spyware-put.rules
+include $RULE_PATH/sql.rules
+include $RULE_PATH/telnet.rules
 include $RULE_PATH/tftp.rules
-
-# Specific web server rules:
+include $RULE_PATH/virus.rules
+include $RULE_PATH/voip.rules
+include $RULE_PATH/web-activex.rules
+include $RULE_PATH/web-attacks.rules
 include $RULE_PATH/web-cgi.rules
+include $RULE_PATH/web-client.rules
 include $RULE_PATH/web-coldfusion.rules
-include $RULE_PATH/web-iis.rules
 include $RULE_PATH/web-frontpage.rules
+include $RULE_PATH/web-iis.rules
 include $RULE_PATH/web-misc.rules
-include $RULE_PATH/web-client.rules
 include $RULE_PATH/web-php.rules
-include $RULE_PATH/community-sql-injection.rules
-include $RULE_PATH/community-web-client.rules
-include $RULE_PATH/community-web-dos.rules
-include $RULE_PATH/community-web-iis.rules
-include $RULE_PATH/community-web-misc.rules
-include $RULE_PATH/community-web-php.rules
-
-# Rules for other services:
-include $RULE_PATH/sql.rules
 include $RULE_PATH/x11.rules
-include $RULE_PATH/icmp.rules
-include $RULE_PATH/netbios.rules
-include $RULE_PATH/misc.rules
-include $RULE_PATH/attack-responses.rules
-include $RULE_PATH/oracle.rules
-include $RULE_PATH/community-oracle.rules
-include $RULE_PATH/mysql.rules
-include $RULE_PATH/snmp.rules
-include $RULE_PATH/community-ftp.rules
-include $RULE_PATH/smtp.rules
-include $RULE_PATH/community-smtp.rules
-include $RULE_PATH/imap.rules
-include $RULE_PATH/community-imap.rules
-include $RULE_PATH/pop2.rules
-include $RULE_PATH/pop3.rules
-include $RULE_PATH/nntp.rules
-include $RULE_PATH/community-nntp.rules
-include $RULE_PATH/community-sip.rules
-include $RULE_PATH/other-ids.rules
-
-# Attack-in-progress rules:
-include $RULE_PATH/web-attacks.rules
-include $RULE_PATH/backdoor.rules
-include $RULE_PATH/community-bot.rules
-include $RULE_PATH/community-virus.rules
-# This ruleset is almost useless currently:
-# include $RULE_PATH/virus.rules
-# Note: this rule is extremely chatty, enable with care
-# include $RULE_PATH/shellcode.rules
-
-# Policy related rules:
-# include $RULE_PATH/policy.rules
-# include $RULE_PATH/community-policy.rules
-# include $RULE_PATH/porn.rules
-# include $RULE_PATH/community-inappropriate.rules
-# include $RULE_PATH/chat.rules
-# include $RULE_PATH/multimedia.rules
-# include $RULE_PATH/p2p.rules
-# include $RULE_PATH/community-game.rules
-# include $RULE_PATH/community-misc.rules
-
-# Extremely chatty rules:
-# include $RULE_PATH/info.rules
-# include $RULE_PATH/icmp-info.rules
-# include $RULE_PATH/community-icmp.rules
-
-# Experimental rules:
-# NOTICE: this is currently empty
-include $RULE_PATH/experimental.rules
+###################################################
+# Step #8: Customize your preprocessor and decoder alerts
+# For more information, see README.decoder_preproc_rules
+###################################################
+# decoder and preprocessor event rules
 # include $PREPROC_RULE_PATH/preprocessor.rules
 # include $PREPROC_RULE_PATH/decoder.rules
+# include $PREPROC_RULE_PATH/sensitive-data.rules
-# Include any thresholding or suppression commands. See threshold.conf in the
-# /etc directory for details. Commands don't necessarily need to be
-# contained in this conf, but a separate conf makes it easier to maintain them.
-# Note for Windows users: You are advised to make this an absolute path,
-# such as: c:\snort\etc\threshold.conf
-# Uncomment if needed.
-# include threshold.conf
+###################################################
+# Step #9: Customize your Shared Object Snort Rules
+# For more information, see http://vrt-sourcefire.blogspot.com/2009/01/using-vrt-certified-shared-object-rules.html
+###################################################
+
+# dynamic library rules
+# include $SO_RULE_PATH/bad-traffic.rules
+# include $SO_RULE_PATH/chat.rules
+# include $SO_RULE_PATH/dos.rules
+# include $SO_RULE_PATH/exploit.rules
+# include $SO_RULE_PATH/icmp.rules
+# include $SO_RULE_PATH/imap.rules
+# include $SO_RULE_PATH/misc.rules
+# include $SO_RULE_PATH/multimedia.rules
+# include $SO_RULE_PATH/netbios.rules
+# include $SO_RULE_PATH/nntp.rules
+# include $SO_RULE_PATH/pop3.rules
+# include $SO_RULE_PATH/p2p.rules
+# include $SO_RULE_PATH/smtp.rules
+# include $SO_RULE_PATH/snmp.rules
+# include $SO_RULE_PATH/specific-threats.rules
+# include $SO_RULE_PATH/sql.rules
+# include $SO_RULE_PATH/web-activex.rules
+# include $SO_RULE_PATH/web-client.rules
+# include $SO_RULE_PATH/web-iis.rules
+# include $SO_RULE_PATH/web-misc.rules
+# Event thresholding or suppression commands. See threshold.conf
+include threshold.conf
diff -Nru snort-2.8.5.2/etc/unicode.map snort-2.9.2/etc/unicode.map
--- snort-2.8.5.2/etc/unicode.map 2003-10-20 15:03:04.000000000 +0000
+++ snort-2.9.2/etc/unicode.map 2011-07-13 22:43:17.000000000 +0000
@@ -1,104 +1,408 @@ -# Windows Version: 5.00.2195 -# OEM codepage: 437 -# ACP codepage: 1252 - -# INSTALLED CODEPAGES -10000 (MAC - Roman) - - -10079 (MAC - Icelandic) - - -1250 (ANSI - Central Europe) -00a1:21 00a2:63 00a3:4c 00a5:59 00aa:61 00b2:32 00b3:33 00b9:31 00ba:6f 00bc:31 00bd:31 00be:33 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 
212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1251 (ANSI - Cyrillic) -00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 
0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221a:76 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2552:2d 2558:4c 2559:4c 255a:4c 255b:2d 255c:2d 255d:2d 2564:54 2565:54 2566:54 256a:2b 256b:2b 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 
ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1252 (ANSI - Latin I) -0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c8:27 02cb:60 02cd:5f 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 0398:54 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2017:3d 2032:27 2035:60 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 207f:6e 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 
2133:4d 2134:6f 2212:2d 2215:2f 2216:5c 2217:2a 221a:76 221e:38 2223:7c 2229:6e 2236:3a 223c:7e 2261:3d 2264:3d 2265:3d 2303:5e 2320:28 2321:29 2329:3c 232a:3e 2500:2d 250c:2b 2510:2b 2514:2b 2518:2b 251c:2b 252c:2d 2534:2d 253c:2b 2550:2d 2552:2b 2553:2b 2554:2b 2555:2b 2556:2b 2557:2b 2558:2b 2559:2b 255a:2b 255b:2b 255c:2b 255d:2b 2564:2d 2565:2d 2566:2d 2567:2d 2568:2d 2569:2d 256a:2b 256b:2b 256c:2b 2584:5f 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1253 (ANSI - Greek) -00b4:2f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 
0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 037e:3b 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1254 
(ANSI - Turkish) -00dd:59 00fd:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c7:5e 02c8:27 02cb:60 02cd:5f 02d8:5e 02d9:27 0300:60 0302:5e 0331:5f 0332:5f 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2081:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2193:76 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 
2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:3d 301d:22 301e:22 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1255 (ANSI - Hebrew) -0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1256 (ANSI - Arabic) -00c0:41 00c2:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00ce:49 00cf:49 00d4:4f 00d9:55 00db:55 00dc:55 0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 
ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1257 (ANSI - Baltic) -ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1258 (ANSI/OEM - Viet Nam) -ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 
ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -#INVALID CODEPAGE: 1361 -20127 (US-ASCII) -00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 
01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -20261 (T.61) -f8dd:5c f8de:5e f8df:60 f8e0:7b f8fc:7d f8fd:7e f8fe:7f - -20866 (Russian - KOI8) -00a7:15 00ab:3c 00ad:2d 00ae:52 00b1:2b 00b6:14 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 
0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e - -28591 (ISO 8859-1 Latin I) -0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 
014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -28592 (ISO 8859-2 Central Europe) -00a1:21 00a2:63 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b2:32 00b3:33 00b7:2e 00b9:31 00ba:6f 00bb:3e 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 
00cc:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d 
ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -#INVALID CODEPAGE: 28595 -#INVALID CODEPAGE: 28597 -28605 (ISO 8859-15 Latin 9) -00a6:7c 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0138:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014a:4e 014b:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:54 0169:74 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a 
ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -37 (IBM EBCDIC - U.S./Canada) -0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f - -437 (OEM - United States) -00a4:0f 00a7:15 00a8:22 00a9:63 00ad:2d 00ae:72 00af:5f 00b3:33 00b4:27 00b6:14 00b8:2c 00b9:31 00be:5f 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:78 00d8:4f 00d9:55 00da:55 00db:55 00dd:59 00de:5f 00e3:61 00f0:64 00f5:6f 00f8:6f 00fd:79 00fe:5f 
0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02ca:27 02cb:60 02cd:5f 02dc:7e 0300:60 0301:27 0302:5e 0303:7e 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:60 2019:27 201a:2c 201c:22 201d:22 201e:2c 2020:2b 2022:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:09 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2128:5a 
212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2212:2d 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 3000:20 3007:09 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -500 (IBM EBCDIC - International) -0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 
00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 - -850 (OEM - Multilingual Latin I) -0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01a9:53 01ab:74 01ae:54 01af:55 01b0:75 01b6:5a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:27 02cd:5f 02dc:7e 0300:27 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 
2024:07 2026:2e 2030:25 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:39 207f:6e 2080:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2126:4f 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2211:53 2212:2d 2215:2f 2216:2f 2217:2a 2219:07 221a:56 221e:38 221f:1c 2229:6e 2236:3a 223c:7e 2248:7e 2261:3d 2264:3d 2265:3d 2302:7f 2303:5e 2320:28 2321:29 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2713:56 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -860 (OEM - Portuguese) -00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00be:33 00c4:41 00c5:41 00c6:41 00cb:45 00ce:49 00cf:49 00d0:44 00d6:4f 00d7:58 00d8:4f 00db:55 00dd:59 00de:54 00e4:61 00e5:61 00e6:61 00eb:65 00ee:69 00ef:69 00f0:64 00f6:6f 00f8:6f 00fb:75 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 
0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:5c 0161:7c 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:5f 2011:5f 2013:5f 2014:5f 2017:5f 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 
2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 - -861 (OEM - Icelandic) -00a2:63 00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00aa:61 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00ba:6f 00be:33 00c0:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00db:55 00e3:61 00ec:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f9:75 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 
01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 - -863 (OEM - Canadian French) -00a1:21 00a5:59 00a9:63 00aa:61 00ad:16 00ae:72 00b9:33 00ba:6f 00c1:41 00c3:41 00c4:41 00c5:41 00c6:41 00cc:49 00cd:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d5:4f 00d6:4f 00d7:58 00d8:4f 00da:55 00dd:59 00de:54 00e1:61 00e3:61 00e4:61 00e5:61 00e6:61 00ec:69 00ed:69 00f0:64 00f1:6e 00f2:6f 00f5:6f 00f6:6f 00f8:6f 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 
012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:22 02ba:27 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 0304:16 0305:16 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 
2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 - -865 (OEM - Nordic) -00a2:63 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00bb:3e 00be:33 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00da:55 00db:55 00dd:59 00de:54 00e3:61 00f0:64 00f5:6f 00fd:79 00fe:74 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 
2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 226b:3c 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 300b:3e 301a:5b 301b:5d 30fb:07 - -874 (ANSI/OEM - Thai) -00a7:15 00b6:14 203c:13 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -932 (ANSI/OEM - Japanese Shift-JIS) -00a1:21 
00a5:5c 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:64 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 - -936 (ANSI/OEM - Simplified Chinese GBK) -00a6:7c 00aa:61 00ad:2d 00b2:32 00b3:33 00b9:31 00ba:6f 00d0:44 00dd:59 00de:54 00e2:61 00f0:65 00fd:79 00fe:74 - -949 (ANSI/OEM - Korean) -00a6:7c 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 20a9:5c - -950 (ANSI/OEM - Traditional Chinese Big5) -00a1:21 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:65 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 - -65000 (UTF-7) - - -65001 (UTF-8) - - +# Windows Version: 6.01.7601 +# OEM codepage: 437 +# ACP codepage: 1252 + +# INSTALLED CODEPAGES +10081 (MAC - Turkish) + + +1254 (ANSI 
- Turkish) +00dd:59 00fd:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c7:5e 02c8:27 02cb:60 02cd:5f 02d8:5e 02d9:27 0300:60 0302:5e 0331:5f 0332:5f 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2081:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2193:76 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 
253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:3d 301d:22 301e:22 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +857 (OEM - Turkish) +00dd:59 00fd:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 
019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bb:27 02bc:27 02c4:5e 02c6:5e 02c7:5e 02c8:27 02c9:16 02cb:60 02cd:5f 02d8:5e 02dc:7e 0300:60 0302:5e 0303:7e 0306:5e 030c:5e 030e:22 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2033:22 2035:22 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a4:4c 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:2d 2215:2f 2216:5c 2217:2a 2219:07 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 275b:27 275c:27 275d:22 275e:22 3000:20 3008:3c 3009:3e 301a:5b 301b:7d 301d:22 301e:22 301f:22 30fb:07 30fc:5f ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 
ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +20905 (IBM EBCDIC - Turkish) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005b:68 005e:5f 005f:6d 007b:48 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00c0:64 00c1:65 00c2:62 00c4:63 00c7:4a 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00d6:7b 00dc:7f 00df:59 00e0:44 00e1:45 00e2:42 00e4:43 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 010a:67 010b:47 011e:5a 0130:5b 0131:79 015e:7c 015f:6a ff01:4f ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3b:68 ff3e:5f ff3f:6d ff5b:48 + +28593 (ISO 8859-3 Latin 3) +00a1:21 00a2:63 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b9:31 00ba:6f 00bb:3e 00c3:41 00c5:41 00c6:41 00d0:44 00d5:4f 00d8:4f 00dd:59 00e3:61 00e5:61 00e6:61 00f5:6f 00f8:6f 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 0122:47 0123:67 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 
014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +1026 (IBM EBCDIC - Turkish (Latin-5)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 
003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005b:68 005e:5f 005f:6d 007b:48 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:4a 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00d6:7b 00dc:7f 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 011e:5a 0130:5b 0131:79 015e:7c 015f:6a ff01:4f ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3b:68 ff3e:5f ff3f:6d ff5b:48 + +10003 (MAC - Korean) +00a6:7c 00ae:52 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 20a9:5c + +949 (ANSI/OEM - Korean) +00a6:7c 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 20a9:5c + +1361 (Korean - Johab) +20a9:5c + +20833 (IBM EBCDIC - Korean Extended) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 
0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:70 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a2:4a 00a6:6a 00ac:5f ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:70 ff3f:6d ff40:79 ff5c:4f ffa0:42 ffa1:43 ffa2:44 ffa3:45 ffa4:46 ffa5:47 ffa6:48 ffa7:49 ffa8:52 ffa9:53 ffaa:54 ffab:55 ffac:56 ffad:57 ffae:58 ffaf:59 ffb0:62 ffb1:63 ffb2:64 ffb3:65 ffb4:66 ffb5:67 ffb6:68 ffb7:69 ffb8:72 ffb9:73 ffba:74 ffbb:75 ffbc:76 ffbd:77 ffbe:78 + +00a6:7c 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 20a9:5c + +50225 (ISO-2022 Korean) + + +51949 (EUC-Korean) +00a6:7c 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 20a9:5c + +500 (IBM EBCDIC - International) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 
0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 + +10004 (MAC - Arabic) + + +1256 (ANSI - Arabic) +00c0:41 00c2:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00ce:49 00cf:49 00d4:4f 00d9:55 00db:55 00dc:55 0191:46 0660:30 0661:31 0662:32 0663:33 0664:34 0665:35 0666:36 0667:37 0668:38 0669:39 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +720 (Arabic - Transparent ASMO) +ff01:21 ff02:22 ff03:23 
ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +708 (Arabic - ASMO) + + +864 (OEM - Arabic) +00a7:15 00b6:14 066a:25 203c:13 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 2550:05 2551:06 2554:0d 2557:0c 255a:0e 255d:0f 2560:0a 2563:08 2566:09 2569:0b 256c:07 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 263a:01 263c:04 266a:02 266b:03 + +20420 (IBM EBCDIC - Arabic) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00ac:5f 060c:79 0621:46 0622:47 0623:49 0624:52 0626:55 0627:56 0628:58 0629:62 062a:63 062b:65 062c:67 062d:69 062e:71 062f:73 0630:74 0631:75 0632:76 0633:77 0640:44 0651:42 066a:6c 066c:4b 066d:5c f8f6:77 f8fc:45 fe7c:42 fe7d:43 fe80:46 fe81:47 fe82:48 fe83:49 fe84:51 fe85:52 fe86:52 fe8b:55 fe8c:55 fe8d:56 fe8e:57 fe8f:58 fe90:58 fe91:59 fe92:59 
fe93:62 fe94:62 fe95:63 fe96:63 fe97:64 fe98:64 fe99:65 fe9a:65 fe9b:66 fe9c:66 fe9d:67 fe9e:67 fe9f:68 fea0:68 fea1:69 fea2:69 fea3:70 fea4:70 fea5:71 fea6:71 fea7:72 fea8:72 fea9:73 feaa:73 feab:74 feac:74 fead:75 feae:75 feaf:76 feb0:76 feb3:78 feb4:78 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff5c:4f + +28596 (ISO 8859-6 Arabic) +00a1:21 00a2:63 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 
0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +10008 (MAC - Simplified Chinese GB 2312) + + +936 (ANSI/OEM - Simplified Chinese GBK) +00a6:7c 00aa:61 00ad:2d 00b2:32 00b3:33 00b9:31 00ba:6f 00d0:44 00dd:59 00de:54 00e2:61 00f0:65 00fd:79 00fe:74 + +52936 (HZ-GB2312 Simplified Chinese) + + +54936 (GB18030 Simplified Chinese) + + +20936 (Simplified Chinese GB2312) + + +50227 (ISO-2022 Simplified Chinese) + + +10029 (MAC - Latin II) + + +775 (OEM - Baltic) +00a1:21 00a5:59 00aa:61 00ba:6f 00c0:41 00c3:41 00c8:45 00ca:45 00cc:49 00cf:49 00d1:4e 00d2:4f 00d9:55 00db:55 00e0:61 00e3:61 00e8:63 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 
00f9:75 00fb:75 00ff:79 0108:43 0109:63 010a:43 010b:63 0114:45 0115:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012c:49 012d:69 0130:49 0131:69 0134:4a 0135:6a 014e:4f 014f:6f 0152:4f 0153:6f 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016c:55 016d:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bb:27 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 03bc:75 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 201a:27 2022:07 2024:07 2026:07 2030:25 2032:27 2033:22 2035:22 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a4:4c 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:2d 2213:2d 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 275b:27 275c:27 275d:22 275e:22 3000:20 3008:3c 3009:3e 301a:5b 301b:5d 301d:22 301e:22 301f:22 30fb:07 30fc:5f ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c 
ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +1257 (ANSI - Baltic) +ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +28594 (ISO 8859-4 Baltic) +00a1:21 00a2:63 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b2:32 00b3:33 00b7:2e 00b9:31 00ba:6f 00bb:3e 00c0:41 00c7:43 00c8:45 00ca:45 00cc:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d9:55 00dd:59 00e0:61 00e7:63 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f9:75 00fd:79 00ff:79 0102:41 0103:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010e:44 010f:64 0114:45 0115:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0124:48 0125:68 0126:48 0127:68 012c:49 012d:69 0130:49 0131:69 0134:4a 0135:6a 0139:4c 
013a:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0147:4e 0148:6e 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +28603 (ISO 8859-13 Latin 7) +00aa:61 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c7:43 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d4:4f 00d9:55 00da:55 00db:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e7:63 00e8:65 
00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f4:6f 00f9:75 00fa:75 00fb:75 00fd:79 00ff:79 0102:41 0103:61 0108:43 0109:63 010a:43 010b:63 010e:44 010f:64 0114:45 0115:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0124:48 0125:68 0128:49 0129:69 012c:49 012d:69 0130:49 0134:4a 0135:6a 0139:4c 013a:6c 013d:4c 013e:6c 0147:4e 0148:6e 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0158:52 0159:72 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0168:55 0169:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0174:57 0175:77 0176:59 0177:79 0178:59 017f:73 01a0:4f 01a1:6f 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01e0:41 01e1:61 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 01f4:47 01f5:67 01f8:4e 01f9:6e 0200:41 0201:61 0202:41 0203:61 0204:45 0205:65 0206:45 0207:65 0208:49 0209:69 020a:49 020b:69 020c:4f 020d:6f 020e:4f 020f:6f 0210:52 0211:72 0212:52 0213:72 0214:55 0215:75 0216:55 0217:75 0218:53 0219:73 021a:54 021b:74 021e:48 021f:68 0226:41 0227:61 0228:45 0229:65 022e:4f 022f:6f 0230:4f 0231:6f 0232:59 0233:79 02b0:68 02b2:6a 02b3:72 02b7:77 02b8:79 02e1:6c 02e2:73 02e3:78 037e:3b 1e00:41 1e01:61 1e02:42 1e03:62 1e04:42 1e05:62 1e06:42 1e07:62 1e08:43 1e09:63 1e0a:44 1e0b:64 1e0c:44 1e0d:64 1e0e:44 1e0f:64 1e10:44 1e11:64 1e12:44 1e13:64 1e18:45 1e19:65 1e1a:45 1e1b:65 1e1c:45 1e1d:65 1e1e:46 1e1f:66 1e20:47 1e21:67 1e22:48 1e23:68 1e24:48 1e25:68 1e26:48 1e27:68 1e28:48 1e29:68 1e2a:48 1e2b:68 1e2c:49 1e2d:69 1e2e:49 1e2f:69 1e30:4b 1e31:6b 1e32:4b 1e33:6b 1e34:4b 1e35:6b 1e36:4c 1e37:6c 1e38:4c 1e39:6c 1e3a:4c 1e3b:6c 1e3c:4c 1e3d:6c 1e3e:4d 1e3f:6d 1e40:4d 1e41:6d 1e42:4d 1e43:6d 1e44:4e 1e45:6e 1e46:4e 1e47:6e 1e48:4e 1e49:6e 1e4a:4e 1e4b:6e 1e54:50 1e55:70 1e56:50 1e57:70 1e58:52 1e59:72 1e5a:52 1e5b:72 1e5c:52 1e5d:72 1e5e:52 1e5f:72 1e60:53 1e61:73 1e62:53 1e63:73 1e68:53 1e69:73 1e6a:54 1e6b:74 1e6c:54 1e6d:74 1e6e:54 1e6f:74 1e70:54 
1e71:74 1e72:55 1e73:75 1e74:55 1e76:55 1e77:75 1e78:55 1e79:75 1e7c:56 1e7d:76 1e7e:56 1e7f:76 1e80:57 1e81:77 1e82:57 1e83:77 1e84:57 1e85:77 1e86:57 1e87:77 1e88:57 1e89:77 1e8a:58 1e8b:78 1e8c:58 1e8d:78 1e8e:59 1e8f:79 1e90:5a 1e91:7a 1e92:5a 1e93:7a 1e94:5a 1e95:7a 1e96:68 1e97:74 1e98:77 1e99:79 1e9b:73 1ea0:41 1ea1:61 1ea2:41 1ea3:61 1ea4:41 1ea5:61 1ea6:41 1ea7:61 1ea8:41 1ea9:61 1eaa:41 1eab:61 1eac:41 1ead:61 1eae:41 1eaf:61 1eb0:41 1eb1:61 1eb2:41 1eb3:61 1eb4:41 1eb5:61 1eb6:41 1eb7:61 1eb8:45 1eb9:65 1eba:45 1ebb:65 1ebc:45 1ebd:65 1ebe:45 1ebf:65 1ec0:45 1ec1:65 1ec2:45 1ec3:65 1ec4:45 1ec5:65 1ec6:45 1ec7:65 1ec8:49 1ec9:69 1eca:49 1ecb:69 1ecc:4f 1ecd:6f 1ece:4f 1ecf:6f 1ed0:4f 1ed1:6f 1ed2:4f 1ed3:6f 1ed4:4f 1ed5:6f 1ed6:4f 1ed7:6f 1ed8:4f 1ed9:6f 1eda:4f 1edb:6f 1edc:4f 1edd:6f 1ede:4f 1edf:6f 1ee0:4f 1ee1:6f 1ee2:4f 1ee3:6f 1ee4:55 1ee5:75 1ee6:55 1ee7:75 1ee8:55 1ee9:75 1eea:55 1eeb:75 1eec:55 1eed:75 1eee:55 1eef:75 1ef0:55 1ef1:75 1ef2:59 1ef3:79 1ef4:59 1ef5:79 1ef6:59 1ef7:79 1ef8:59 1ef9:79 1fef:60 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2007:20 2008:20 2009:20 200a:20 2024:2e 202f:20 205f:20 2070:30 2071:69 2074:34 2075:35 2076:36 2077:37 2078:38 2079:39 207a:2b 207c:3d 207d:28 207e:29 207f:6e 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 208a:2b 208c:3d 208d:28 208e:29 2102:43 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212f:65 2130:45 2131:46 2133:4d 2134:6f 2139:69 2145:44 2146:64 2147:65 2148:69 2149:6a 2160:49 2164:56 2169:58 216c:4c 216d:43 216e:44 216f:4d 2170:69 2174:76 2179:78 217c:6c 217d:63 217e:64 217f:6d 2260:3d 226e:3c 226f:3e 2460:31 2461:32 2462:33 2463:34 2464:35 2465:36 2466:37 2467:38 2468:39 24b6:41 24b7:42 24b8:43 24b9:44 24ba:45 24bb:46 24bc:47 24bd:48 24be:49 24bf:4a 24c0:4b 24c1:4c 24c2:4d 24c3:4e 24c4:4f 24c5:50 24c6:51 24c7:52 24c8:53 24c9:54 24ca:55 
24cb:56 24cc:57 24cd:58 24ce:59 24cf:5a 24d0:61 24d1:62 24d2:63 24d3:64 24d4:65 24d5:66 24d6:67 24d7:68 24d8:69 24d9:6a 24da:6b 24db:6c 24dc:6d 24dd:6e 24de:6f 24df:70 24e0:71 24e1:72 24e2:73 24e3:74 24e4:75 24e5:76 24e6:77 24e7:78 24e8:79 24e9:7a 24ea:30 3000:20 fb29:2b fe33:5f fe34:5f fe35:28 fe36:29 fe37:7b fe38:7d fe4d:5f fe4e:5f fe4f:5f fe50:2c fe52:2e fe54:3b fe55:3a fe57:21 fe59:28 fe5a:29 fe5b:7b fe5c:7d fe5f:23 fe60:26 fe61:2a fe62:2b fe63:2d fe64:3c fe65:3e fe66:3d fe68:5c fe69:24 fe6a:25 fe6b:40 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +10001 (MAC - Japanese) +00a1:21 00a6:7c 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:64 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 + +932 (ANSI/OEM - Japanese Shift-JIS) +00a1:21 00a5:5c 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 
00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:64 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 + +20290 (IBM EBCDIC - Japanese Katakana Extended) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:70 005f:6d 0060:79 0061:62 0062:63 0063:64 0064:65 0065:66 0066:67 0067:68 0068:69 0069:71 006a:72 006b:73 006c:74 006d:75 006e:76 006f:77 0070:78 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a3:4a 00a5:5b 00ac:5f ff01:5a ff02:7f ff03:7b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:70 ff3f:6d ff40:79 ff41:62 ff42:63 ff43:64 ff44:65 ff45:66 ff46:67 ff47:68 ff48:69 ff49:71 ff4a:72 ff4b:73 ff4c:74 ff4d:75 ff4e:76 ff4f:77 ff50:78 ff5c:4f ff61:41 ff62:42 ff63:43 ff64:44 ff65:45 ff66:46 ff67:47 ff68:48 ff69:49 ff6a:51 ff6b:52 ff6c:53 ff6d:54 ff6e:55 ff6f:56 ff70:58 + +20932 (JIS X 0208-1990 & 0212-1990) + + +50220 (ISO-2022 Japanese with no halfwidth Katakana) + + +50221 (ISO-2022 Japanese with halfwidth Katakana) + + +50222 (ISO-2022 Japanese JIS X 0201-1989) + + +21027 (Ext Alpha Lowercase) +0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 
002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 00a2:4a 00ac:5f f8c4:20 f8c5:21 f8c6:22 f8c7:23 f8c8:24 f8c9:25 f8ca:26 f8cb:27 f8cc:28 f8cd:29 f8ce:2a f8cf:2b f8d0:2c f8d1:2d f8d2:2e f8d3:2f f8d4:30 f8d5:31 f8d6:32 f8d7:33 f8d8:34 f8d9:35 f8da:36 f8db:37 f8dc:38 f8dd:39 f8de:3a f8df:3b f8e0:3c f8e1:3d f8e2:3f f8e3:68 f8e4:7e ff61:42 ff62:43 ff63:44 ff64:45 ff65:46 ff66:47 ff67:48 ff68:49 ff69:51 ff6a:52 ff6b:53 ff6c:54 ff6d:55 ff6e:56 ff6f:57 ff70:58 ff71:59 ff72:62 ff73:63 ff74:64 ff75:65 ff76:66 ff77:67 ff78:68 ff79:69 ff7a:70 ff7b:71 ff7c:72 ff7d:73 ff7e:74 ff7f:75 ff80:76 ff81:77 ff82:78 + +10007 (MAC - Cyrillic) + + +1251 (ANSI - Cyrillic) +00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 
0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221a:76 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2552:2d 2558:4c 2559:4c 255a:4c 255b:2d 255c:2d 255d:2d 2564:54 2565:54 2566:54 256a:2b 256b:2b 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +866 (OEM - Russian) +00a7:15 00a9:63 00ab:3c 00ad:2d 00ae:52 00b1:2b 00b6:14 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 
00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d 
ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +855 (OEM - Cyrillic) +00a9:63 00ac:2d 00ae:52 00b0:6f 00b1:2b 00b5:75 00b6:14 00b7:07 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 
01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2020:2b 2021:2b 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2219:07 221a:76 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:7f 2663:7f 2665:7f 2666:7f 266a:64 266b:64 + +20880 (IBM EBCDIC - Cyrillic (Russian)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007c:6a 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00ad:73 0401:63 0402:59 0403:62 0404:64 0405:65 0406:66 0407:67 0408:68 0409:69 040a:70 040b:71 040c:72 040e:74 040f:75 042a:57 0430:77 0431:78 044e:76 0451:44 0452:42 0453:43 0454:45 0455:46 0456:47 0457:48 0458:49 0459:51 045a:52 045b:53 045c:54 045e:55 045f:56 2116:58 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 ff5c:6a + +28595 (ISO 8859-5 Cyrillic) +00a1:21 00a2:63 00a4:24 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 
00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d 
ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +20866 (Russian - KOI8) +00a7:15 00ab:3c 00ad:2d 00ae:52 00b1:2b 00b6:14 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 
0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e + +21866 (Ukrainian - KOI8-U) +00a7:15 00ab:3c 00ad:2d 00ae:52 00b1:2b 00b6:14 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 
0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e + +21025 (IBM EBCDIC - Cyrillic (Serbian, Bulgarian)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007c:6a 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00ad:73 0401:63 0402:59 0403:62 0404:64 0405:65 0406:66 0407:67 0408:68 0409:69 040a:70 040b:71 040c:72 040e:74 040f:75 042a:57 0430:77 0431:78 044e:76 0451:44 0452:42 0453:43 0454:45 0455:46 0456:47 0457:48 0458:49 0459:51 045a:52 045b:53 045c:54 045e:55 045f:56 2116:58 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 ff5c:6a + +57002 
(ISCII - Devanagari) + + +57003 (ISCII - Bengali) + + +57004 (ISCII - Tamil) + + +57005 (ISCII - Telugu) + + +57006 (ISCII - Assamese) + + +57007 (ISCII - Oriya) + + +57008 (ISCII - Kannada) + + +57009 (ISCII - Malayalam) + + +57011 (ISCII - Punjabi (Gurmukhi)) + + +57010 (ISCII - Gujarati) + + +10010 (MAC - Romania) + + +10017 (MAC - Ukraine) + + +10082 (MAC - Croatia) + + +1250 (ANSI - Central Europe) +00a1:21 00a2:63 00a3:4c 00a5:59 00aa:61 00b2:32 00b3:33 00b9:31 00ba:6f 00bc:31 00bd:31 00be:33 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 
2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +852 (OEM - Latin II) +00a1:21 00a2:63 00a3:4c 00a5:59 00a6:7c 00a9:63 00aa:61 00ae:52 00b1:2b 00b2:32 00b3:33 00b5:75 00b6:14 00b7:07 00b9:31 00ba:6f 00bc:31 00bd:31 00be:33 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:63 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 
0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bb:27 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 03bc:75 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2033:22 2035:22 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a4:4c 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:2d 2213:2d 2215:2f 2216:5c 2217:2a 2219:07 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 275b:27 275c:27 275d:22 275e:22 3000:20 3008:3c 3009:3e 301a:5b 301b:5d 301d:22 301e:22 301f:22 30fb:07 30fc:5f ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 
ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +28592 (ISO 8859-2 Central Europe) +00a1:21 00a2:63 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b2:32 00b3:33 00b7:2e 00b9:31 00ba:6f 00bb:3e 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 
02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +10000 (MAC - Roman) + + +437 (OEM - United States) +00a4:0f 00a7:15 00a8:22 00a9:63 00ad:2d 00ae:72 00af:5f 00b3:33 00b4:27 00b6:14 00b8:2c 00b9:31 00be:5f 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:78 00d8:4f 00d9:55 00da:55 00db:55 00dd:59 00de:5f 00e3:61 00f0:64 00f5:6f 00f8:6f 00fd:79 00fe:5f 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 
0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02ca:27 02cb:60 02cd:5f 02dc:7e 0300:60 0301:27 0302:5e 0303:7e 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:60 2019:27 201a:2c 201c:22 201d:22 201e:2c 2020:2b 2022:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:09 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2212:2d 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 3000:20 3007:09 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 
ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +850 (OEM - Multilingual Latin I) +0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01a9:53 01ab:74 01ae:54 01af:55 01b0:75 01b6:5a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:27 02cd:5f 02dc:7e 0300:27 
0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:39 207f:6e 2080:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2126:4f 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2211:53 2212:2d 2215:2f 2216:2f 2217:2a 2219:07 221a:56 221e:38 221f:1c 2229:6e 2236:3a 223c:7e 2248:7e 2261:3d 2264:3d 2265:3d 2302:7f 2303:5e 2320:28 2321:29 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2713:56 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +858 (OEM - Multilingual Latin I + Euro) +0100:41 0101:61 0102:41 0103:61 
0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01a9:53 01ab:74 01ae:54 01af:55 01b0:75 01b6:5a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:27 02cd:5f 02dc:7e 0300:27 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:39 207f:6e 2080:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2126:4f 2128:5a 
212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2211:53 2212:2d 2215:2f 2216:2f 2217:2a 2219:07 221a:56 221e:38 221f:1c 2229:6e 2236:3a 223c:7e 2248:7e 2261:3d 2264:3d 2265:3d 2302:7f 2303:5e 2320:28 2321:29 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2713:56 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +1252 (ANSI - Latin I) +0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 
0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c8:27 02cb:60 02cd:5f 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 0398:54 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2017:3d 2032:27 2035:60 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 207f:6e 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2212:2d 2215:2f 2216:5c 2217:2a 221a:76 221e:38 2223:7c 2229:6e 2236:3a 223c:7e 2261:3d 2264:3d 2265:3d 2303:5e 2320:28 2321:29 2329:3c 232a:3e 2500:2d 250c:2b 2510:2b 2514:2b 2518:2b 251c:2b 252c:2d 2534:2d 253c:2b 2550:2d 2552:2b 2553:2b 2554:2b 2555:2b 2556:2b 2557:2b 2558:2b 2559:2b 255a:2b 255b:2b 255c:2b 255d:2b 2564:2d 2565:2d 2566:2d 2567:2d 2568:2d 2569:2d 256a:2b 256b:2b 256c:2b 2584:5f 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b 
ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +37 (IBM EBCDIC - U.S./Canada) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f + +20285 (IBM EBCDIC - United Kingdom) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:4a 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 
0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a3:5b 00a6:6a 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:4a ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f + +28591 (ISO 8859-1 Latin I) +0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 
02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +20127 (US-ASCII) +00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 
012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +20269 (ISO 
6937 Non-Spacing Accent) +f8f6:7f + +20105 (IA5 IRV International Alphabet No.5) +00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 
02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 203e:7e 2122:54 2207:7f ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +20106 (IA5 German) +00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a7:40 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:5b 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:5c 00d8:4f 00d9:55 00da:55 00db:55 00dc:5d 00dd:59 00df:7e 00e0:61 00e1:61 00e2:61 00e3:61 00e4:7b 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:7c 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:7d 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 
0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5e:7e 
+ +20107 (IA5 Swedish) +00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:5b 00c5:5d 00c6:41 00c7:43 00c8:45 00c9:40 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:5c 00d8:4f 00d9:55 00da:55 00db:55 00dc:5e 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:7b 00e5:7d 00e6:61 00e7:63 00e8:65 00e9:60 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:7c 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:7e 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c8:27 02cd:5f 02dc:7e 0303:7e 030e:22 0331:5f 0332:5f 
2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3f:5f ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5e:7e + +20108 (IA5 Norwegian) +007c:7e 00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a6:7e 00a7:23 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:5d 00c6:5b 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:5c 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:7d 00e6:7b 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:7c 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 
0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 0300:60 0302:5e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a + +865 (OEM - Nordic) +00a2:63 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00bb:3e 00be:33 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 
00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00da:55 00db:55 00dd:59 00de:54 00e3:61 00f0:64 00f5:6f 00fd:79 00fe:74 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 
2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 226b:3c 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 300b:3e 301a:5b 301b:5d 30fb:07 + +863 (OEM - Canadian French) +00a1:21 00a5:59 00a9:63 00aa:61 00ad:16 00ae:72 00b9:33 00ba:6f 00c1:41 00c3:41 00c4:41 00c5:41 00c6:41 00cc:49 00cd:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d5:4f 00d6:4f 00d7:58 00d8:4f 00da:55 00dd:59 00de:54 00e1:61 00e3:61 00e4:61 00e5:61 00e6:61 00ec:69 00ed:69 00f0:64 00f1:6e 00f2:6f 00f5:6f 00f6:6f 00f8:6f 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 
01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:22 02ba:27 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 0304:16 0305:16 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 + +861 (OEM - Icelandic) +00a2:63 00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00aa:61 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00ba:6f 00be:33 00c0:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00db:55 00e3:61 00ec:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f9:75 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 
011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 
2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 + +860 (OEM - Portuguese) +00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00be:33 00c4:41 00c5:41 00c6:41 00cb:45 00ce:49 00cf:49 00d0:44 00d6:4f 00d7:58 00d8:4f 00db:55 00dd:59 00de:54 00e4:61 00e5:61 00e6:61 00eb:65 00ee:69 00ef:69 00f0:64 00f6:6f 00f8:6f 00fb:75 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:5c 0161:7c 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 
0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:5f 2011:5f 2013:5f 2014:5f 2017:5f 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 + +10079 (MAC - Icelandic) + + +1047 (IBM EBCDIC - Latin-1/Open System) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:15 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005e:5f 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:25 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 
00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3e:5f ff3f:6d ff40:79 ff5c:4f + +1140 (IBM EBCDIC - U.S./Canada (37 + Euro)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f + +1141 (IBM EBCDIC - Germany (20273 + Euro)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005b:63 005e:5f 005f:6d 0060:79 007b:43 007e:59 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 
00a7:7c 00c0:64 00c1:65 00c2:62 00c3:66 00c4:4a 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00dc:5a 00e0:44 00e1:45 00e2:42 00e3:46 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f6:6a 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3b:63 ff3e:5f ff3f:6d ff40:79 ff5b:43 ff5e:59 + +1142 (IBM EBCDIC - Denmark/Norway (20277 + Euro)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:4a 0024:67 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005e:5f 005f:6d 0060:79 007d:47 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:70 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:5b 00c6:7b 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00d8:7c 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:6a 20ac:5a ff01:4f ff02:7f ff03:4a ff04:67 ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3e:5f ff3f:6d ff40:79 ff5d:47 + +1143 (IBM EBCDIC - Finland/Sweden (20278 + Euro)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:63 0024:67 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005c:71 005e:5f 005f:6d 0060:51 007b:43 007d:47 007f:07 
0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a7:4a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:7b 00c5:5b 00c7:68 00c8:74 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00d6:7c 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e7:48 00e8:54 00e9:79 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f6:6a 00f8:70 20ac:5a ff01:4f ff02:7f ff03:63 ff04:67 ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3c:71 ff3e:5f ff3f:6d ff40:51 ff5b:43 ff5d:47 + +1144 (IBM EBCDIC - Italy (20280 + Euro)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005c:48 005d:51 005e:5f 005f:6d 007b:44 007d:54 007e:58 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a3:7b 00a7:7c 00b0:4a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e9:5a 00ea:52 00eb:53 00ed:55 00ee:56 00ef:57 00f1:49 00f2:6a 00f8:70 00f9:79 ff01:4f ff02:7f ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3c:48 ff3d:51 ff3e:5f ff3f:6d ff5b:44 ff5d:54 ff5e:58 + +1145 (IBM EBCDIC - Latin America/Spain (20284 + Euro)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 
0016:32 0017:26 001a:3f 001b:27 0020:40 0022:7f 0023:69 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:49 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:7b 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:6a 00f8:70 ff02:7f ff03:69 ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3f:6d ff40:79 ff5c:4f + +1146 (IBM EBCDIC - United Kingdom (20285 + Euro)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:4a 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a3:5b 00a6:6a 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:4a ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d 
ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f + +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:44 005c:48 005e:5f 005f:6d 007b:51 007d:54 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a3:7b 00a7:5a 00b0:4a 00b5:79 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:7c 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 00f9:6a ff01:4f ff02:7f ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:44 ff3c:48 ff3e:5f ff3f:6d ff5b:51 ff5d:54 + +1148 (IBM EBCDIC - International (500 + Euro)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 
00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 + +1149 (IBM EBCDIC - Icelandic (20871 + Euro)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005f:6d 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c6:5a 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d0:7c 00d1:69 00d6:5f 00de:4a 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f0:79 00f1:49 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3f:6d + +20277 (IBM EBCDIC - Denmark/Norway) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:4a 0024:67 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005e:5f 005f:6d 0060:79 007d:47 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 
009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a4:5a 00a6:70 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:5b 00c6:7b 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00d8:7c 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:6a ff01:4f ff02:7f ff03:4a ff04:67 ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3e:5f ff3f:6d ff40:79 ff5d:47 + +20278 (IBM EBCDIC - Finland/Sweden) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:63 0024:67 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005c:71 005e:5f 005f:6d 0060:51 007b:43 007d:47 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a4:5a 00a7:4a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:7b 00c5:5b 00c7:68 00c8:74 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00d6:7c 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e7:48 00e8:54 00e9:79 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f6:6a 00f8:70 ff01:4f ff02:7f ff03:63 ff04:67 ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3c:71 ff3e:5f ff3f:6d ff40:51 ff5b:43 ff5d:47 + +20280 (IBM EBCDIC - Italy) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005c:48 005d:51 005e:5f 005f:6d 007b:44 007d:54 
007e:58 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a3:7b 00a7:7c 00b0:4a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e9:5a 00ea:52 00eb:53 00ed:55 00ee:56 00ef:57 00f1:49 00f2:6a 00f8:70 00f9:79 ff01:4f ff02:7f ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3c:48 ff3d:51 ff3e:5f ff3f:6d ff5b:44 ff5d:54 ff5e:58 + +20284 (IBM EBCDIC - Latin America/Spain) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0022:7f 0023:69 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:49 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:7b 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:6a 00f8:70 ff02:7f ff03:69 ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3f:6d ff40:79 ff5c:4f + +20297 (IBM EBCDIC - France) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 
001a:3f 001b:27 0020:40 0021:4f 0022:7f 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:44 005c:48 005e:5f 005f:6d 007b:51 007d:54 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a3:7b 00a7:5a 00b0:4a 00b5:79 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:7c 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 00f9:6a ff01:4f ff02:7f ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:44 ff3c:48 ff3e:5f ff3f:6d ff5b:51 ff5d:54 + +20871 (IBM EBCDIC - Icelandic) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005f:6d 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c6:5a 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d0:7c 00d1:69 00d6:5f 00de:4a 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f0:79 00f1:49 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 
ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3f:6d + +20924 (IBM EBCDIC - Latin-1/Open System (1047 + Euro)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:15 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005e:5f 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:25 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00dd:4a 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 0160:6a ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3e:5f ff3f:6d ff40:79 ff5c:4f + +28599 (ISO 8859-9 Latin 5) +00d0:44 00dd:59 00fd:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 
016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +28605 (ISO 8859-15 Latin 9) +00a6:7c 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 
0136:4b 0137:6b 0138:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014a:4e 014b:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:54 0169:74 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +870 (IBM EBCDIC - Multilingual/ROECE (Latin-2)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 
0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007c:6a 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00c1:65 00c2:62 00c4:63 00c7:68 00c9:71 00cb:73 00cd:75 00ce:76 00df:59 00e1:45 00e2:42 00e4:43 00e7:48 00e9:51 00eb:53 00ed:55 00ee:56 0102:66 0103:46 0106:69 0107:49 010c:67 010d:47 0118:72 0119:52 0139:78 013a:58 013d:77 013e:57 0163:44 016e:74 016f:54 02c7:70 02dd:64 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 ff5c:6a + +10021 (MAC - Thai) + + +874 (ANSI/OEM - Thai) +00a7:15 00b6:14 203c:13 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 
ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +20838 (IBM EBCDIC - Thai) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:49 005d:59 005e:69 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00ac:5f 0e01:42 0e02:43 0e03:44 0e04:45 0e05:46 0e06:47 0e07:48 0e08:52 0e09:53 0e0a:54 0e0b:55 0e0c:56 0e0d:57 0e0e:58 0e0f:62 0e10:63 0e11:64 0e12:65 0e13:66 0e14:67 0e15:68 0e16:72 0e17:73 0e18:74 0e19:75 0e1a:76 0e1b:77 0e1c:78 0e3f:70 0e4e:71 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:49 ff3d:59 ff3e:69 ff3f:6d ff40:79 ff5c:4f + +10005 (MAC - Hebrew) + + +1255 (ANSI - Hebrew) +0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c 
ff5d:7d ff5e:7e + +862 (OEM - Hebrew) +00a4:0f 00a7:15 00a8:22 00a9:63 00ad:2d 00ae:72 00af:5f 00b3:33 00b4:27 00b6:14 00b8:2c 00b9:31 00be:5f 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:78 00d8:4f 00d9:55 00da:55 00db:55 00dd:59 00de:5f 00e3:61 00f0:64 00f5:6f 00f8:6f 00fd:79 00fe:5f 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02ca:27 02cb:60 02cd:5f 02dc:7e 0300:60 0301:27 0302:5e 0303:7e 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:60 2019:27 201a:2c 201c:22 201d:22 201e:2c 
2020:2b 2022:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:09 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2212:2d 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 3000:20 3007:09 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +28598 (ISO 8859-8 Hebrew: Visual Ordering) +00a1:21 00aa:61 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 
00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 
ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +38598 (ISO 8859-8 Hebrew: Logical Ordering) +00a1:21 00aa:61 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 
01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +20424 (IBM EBCDIC - Hebrew) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:74 00a2:4a 00a6:6a 00ac:5f 05d0:41 05d1:42 05d2:43 05d3:44 05d4:45 
05d5:46 05d6:47 05d7:48 05d8:49 05d9:51 05da:52 05db:53 05dc:54 05dd:55 05de:56 05df:57 05e0:58 05e1:59 05e2:62 05e3:63 05e4:64 05e5:65 05e6:66 05e7:67 05e8:68 05e9:69 05ea:71 2017:78 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f + +10006 (MAC - Greek I) + + +1253 (ANSI - Greek) +00b4:2f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 
01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 037e:3b 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +737 (OEM - Greek 437G) +00a7:15 00b6:14 037e:3b 2022:07 203c:13 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 
ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +869 (OEM - Modern Greek) +00a4:6f 00a5:59 00ae:52 00b6:14 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 037e:3b 2013:16 
2014:16 201c:22 201d:22 201e:22 2020:2b 2021:2b 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e + +20273 (IBM EBCDIC - Germany) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005b:63 005e:5f 005f:6d 0060:79 007b:43 007e:59 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a7:7c 00c0:64 00c1:65 00c2:62 00c3:66 00c4:4a 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00dc:5a 00e0:44 00e1:45 00e2:42 00e3:46 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f6:6a 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3b:63 ff3e:5f ff3f:6d ff40:79 ff5b:43 ff5e:59 + +28597 (ISO 8859-7 Greek) +00a1:21 00a2:63 00a4:24 00a5:59 00aa:61 00ae:52 00b8:2c 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 
00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 
ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +20423 (IBM EBCDIC - Greek) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007c:6a 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:74 00a3:7b 00a7:7c 0386:71 0388:72 0389:73 038a:75 038c:76 038e:77 038f:78 0391:41 0392:42 0393:43 0394:44 0395:45 0396:46 0397:47 0398:48 0399:49 039a:51 039b:52 039c:53 039d:54 039e:55 039f:56 03a0:57 03a1:58 03a3:59 03a4:62 03a5:63 03a6:64 03a7:65 03a8:66 03a9:67 ff01:4f ff02:7f ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 ff5c:6a + +875 (IBM EBCDIC - Modern Greek) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007c:6a 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 
0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:74 00a8:70 0386:71 0388:72 0389:73 038a:75 038c:76 038e:77 038f:78 0391:41 0392:42 0393:43 0394:44 0395:45 0396:46 0397:47 0398:48 0399:49 039a:51 039b:52 039c:53 039d:54 039e:55 039f:56 03a0:57 03a1:58 03a3:59 03a4:62 03a5:63 03a6:64 03a7:65 03a8:66 03a9:67 03aa:68 03ab:69 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 ff5c:6a + +1258 (ANSI/OEM - Viet Nam) +ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +10002 (MAC - Traditional Chinese Big5) +00a1:21 00a6:7c 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:65 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 + +950 (ANSI/OEM - Traditional Chinese Big5) +00a1:21 
00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:65 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 + +20000 (CNS - Taiwan) + + +20001 (TCA - Taiwan) + + +20002 (Eten - Taiwan) + + +20003 (IBM5550 - Taiwan) + + +20004 (TeleText - Taiwan) + + +20005 (Wang - Taiwan) + + +20261 (T.61) +f8dd:5c f8de:5e f8df:60 f8e0:7b f8fc:7d f8fd:7e f8fe:7f + +50229 (ISO-2022 Traditional Chinese) + + +65000 (UTF-7) + + +65001 (UTF-8) + + diff -Nru snort-2.8.5.2/install-sh snort-2.9.2/install-sh --- snort-2.8.5.2/install-sh 2000-08-07 02:41:44.000000000 +0000 +++ snort-2.9.2/install-sh 2011-12-07 19:23:17.000000000 +0000 
@@ -1,250 +1,520 @@ #!/bin/sh -# # install - install a program, script, or datafile -# This comes from X11R5 (mit/util/scripts/install.sh). + +scriptversion=2009-04-28.21; # UTC + +# This originates from X11R5 (mit/util/scripts/install.sh), which was +# later released in X11R6 (xc/config/util/install.sh) with the +# following copyright and license. +# +# Copyright (C) 1994 X Consortium +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to +# deal in the Software without restriction, including without limitation the +# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +# sell copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN +# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC- +# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +# +# Except as contained in this notice, the name of the X Consortium shall not +# be used in advertising or otherwise to promote the sale, use or other deal- +# ings in this Software without prior written authorization from the X Consor- +# tium. 
# -# Copyright 1991 by the Massachusetts Institute of Technology # -# Permission to use, copy, modify, distribute, and sell this software and its -# documentation for any purpose is hereby granted without fee, provided that -# the above copyright notice appear in all copies and that both that -# copyright notice and this permission notice appear in supporting -# documentation, and that the name of M.I.T. not be used in advertising or -# publicity pertaining to distribution of the software without specific, -# written prior permission. M.I.T. makes no representations about the -# suitability of this software for any purpose. It is provided "as is" -# without express or implied warranty. +# FSF changes to this file are in the public domain. # # Calling this script install-sh is preferred over install.sh, to prevent # `make' implicit rules from creating a file called install from it # when there is no Makefile. # # This script is compatible with the BSD install script, but was written -# from scratch. It can only install one file at a time, a restriction -# shared with many OS's install programs. +# from scratch. +nl=' +' +IFS=" "" $nl" # set DOITPROG to echo to test this script # Don't use :- since 4.3BSD and earlier shells don't like it. -doit="${DOITPROG-}" +doit=${DOITPROG-} +if test -z "$doit"; then + doit_exec=exec +else + doit_exec=$doit +fi + +# Put in absolute file names if you don't have them in your path; +# or use environment vars. +chgrpprog=${CHGRPPROG-chgrp} +chmodprog=${CHMODPROG-chmod} +chownprog=${CHOWNPROG-chown} +cmpprog=${CMPPROG-cmp} +cpprog=${CPPROG-cp} +mkdirprog=${MKDIRPROG-mkdir} +mvprog=${MVPROG-mv} +rmprog=${RMPROG-rm} +stripprog=${STRIPPROG-strip} + +posix_glob='?' +initialize_posix_glob=' + test "$posix_glob" != "?" || { + if (set -f) 2>/dev/null; then + posix_glob= + else + posix_glob=: + fi + } +' + +posix_mkdir= -# put in absolute paths if you don't have them in your path; or use env. vars. +# Desired mode of installed file. 
+mode=0755 -mvprog="${MVPROG-mv}" -cpprog="${CPPROG-cp}" -chmodprog="${CHMODPROG-chmod}" -chownprog="${CHOWNPROG-chown}" -chgrpprog="${CHGRPPROG-chgrp}" -stripprog="${STRIPPROG-strip}" -rmprog="${RMPROG-rm}" -mkdirprog="${MKDIRPROG-mkdir}" - -transformbasename="" -transform_arg="" -instcmd="$mvprog" -chmodcmd="$chmodprog 0755" -chowncmd="" -chgrpcmd="" -stripcmd="" +chgrpcmd= +chmodcmd=$chmodprog +chowncmd= +mvcmd=$mvprog rmcmd="$rmprog -f" -mvcmd="$mvprog" -src="" -dst="" -dir_arg="" - -while [ x"$1" != x ]; do - case $1 in - -c) instcmd="$cpprog" - shift - continue;; - - -d) dir_arg=true - shift - continue;; - - -m) chmodcmd="$chmodprog $2" - shift - shift - continue;; - - -o) chowncmd="$chownprog $2" - shift - shift - continue;; - - -g) chgrpcmd="$chgrpprog $2" - shift - shift - continue;; - - -s) stripcmd="$stripprog" - shift - continue;; - - -t=*) transformarg=`echo $1 | sed 's/-t=//'` - shift - continue;; - - -b=*) transformbasename=`echo $1 | sed 's/-b=//'` - shift - continue;; +stripcmd= - *) if [ x"$src" = x ] - then - src=$1 - else - # this colon is to work around a 386BSD /bin/sh bug - : - dst=$1 - fi - shift - continue;; - esac -done +src= +dst= +dir_arg= +dst_arg= -if [ x"$src" = x ] -then - echo "install: no input file specified" - exit 1 -else - true -fi +copy_on_change=false +no_target_directory= -if [ x"$dir_arg" != x ]; then - dst=$src - src="" - - if [ -d $dst ]; then - instcmd=: - else - instcmd=mkdir - fi -else +usage="\ +Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE + or: $0 [OPTION]... SRCFILES... DIRECTORY + or: $0 [OPTION]... -t DIRECTORY SRCFILES... + or: $0 [OPTION]... -d DIRECTORIES... -# Waiting for this to be detected by the "$instcmd $src $dsttmp" command -# might cause directories to be created, which would be especially bad -# if $src (and thus $dsttmp) contains '*'. 
- - if [ -f $src -o -d $src ] - then - true - else - echo "install: $src does not exist" - exit 1 - fi - - if [ x"$dst" = x ] - then - echo "install: no destination specified" - exit 1 - else - true - fi +In the 1st form, copy SRCFILE to DSTFILE. +In the 2nd and 3rd, copy all SRCFILES to DIRECTORY. +In the 4th, create DIRECTORIES. -# If destination is a directory, append the input filename; if your system -# does not like double slashes in filenames, you may need to add some logic +Options: + --help display this help and exit. + --version display version info and exit. - if [ -d $dst ] - then - dst="$dst"/`basename $src` - else - true - fi -fi + -c (ignored) + -C install only if different (preserve the last data modification time) + -d create directories instead of installing files. + -g GROUP $chgrpprog installed files to GROUP. + -m MODE $chmodprog installed files to MODE. + -o USER $chownprog installed files to USER. + -s $stripprog installed files. + -t DIRECTORY install into DIRECTORY. + -T report an error if DSTFILE is a directory. -## this sed command emulates the dirname command -dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'` +Environment variables override the default commands: + CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG + RMPROG STRIPPROG +" -# Make sure that the destination directory exists. -# this part is taken from Noah Friedman's mkinstalldirs script +while test $# -ne 0; do + case $1 in + -c) ;; -# Skip lots of stat calls in the usual case. -if [ ! -d "$dstdir" ]; then -defaultIFS=' -' -IFS="${IFS-${defaultIFS}}" + -C) copy_on_change=true;; -oIFS="${IFS}" -# Some sh's can't handle IFS=/ for some reason. -IFS='%' -set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'` -IFS="${oIFS}" - -pathcomp='' - -while [ $# -ne 0 ] ; do - pathcomp="${pathcomp}${1}" - shift - - if [ ! 
-d "${pathcomp}" ] ; - then - $mkdirprog "${pathcomp}" - else - true - fi + -d) dir_arg=true;; - pathcomp="${pathcomp}/" -done -fi + -g) chgrpcmd="$chgrpprog $2" + shift;; -if [ x"$dir_arg" != x ] -then - $doit $instcmd $dst && - - if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi && - if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi && - if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi && - if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi -else + --help) echo "$usage"; exit $?;; -# If we're going to rename the final executable, determine the name now. + -m) mode=$2 + case $mode in + *' '* | *' '* | *' +'* | *'*'* | *'?'* | *'['*) + echo "$0: invalid mode: $mode" >&2 + exit 1;; + esac + shift;; - if [ x"$transformarg" = x ] - then - dstfile=`basename $dst` - else - dstfile=`basename $dst $transformbasename | - sed $transformarg`$transformbasename - fi + -o) chowncmd="$chownprog $2" + shift;; -# don't allow the sed command to completely eliminate the filename + -s) stripcmd=$stripprog;; - if [ x"$dstfile" = x ] - then - dstfile=`basename $dst` - else - true - fi + -t) dst_arg=$2 + shift;; + + -T) no_target_directory=true;; + + --version) echo "$0 $scriptversion"; exit $?;; + + --) shift + break;; + + -*) echo "$0: invalid option: $1" >&2 + exit 1;; -# Make a temp file name in the proper directory. + *) break;; + esac + shift +done - dsttmp=$dstdir/#inst.$$# +if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then + # When -d is used, all remaining arguments are directories to create. + # When -t is used, the destination is already specified. + # Otherwise, the last argument is the destination. Remove it from $@. + for arg + do + if test -n "$dst_arg"; then + # $@ is not empty: it contains at least $arg. 
+ set fnord "$@" "$dst_arg" + shift # fnord + fi + shift # arg + dst_arg=$arg + done +fi -# Move or copy the file name to the temp name +if test $# -eq 0; then + if test -z "$dir_arg"; then + echo "$0: no input file specified." >&2 + exit 1 + fi + # It's OK to call `install-sh -d' without argument. + # This can happen when creating conditional directories. + exit 0 +fi - $doit $instcmd $src $dsttmp && +if test -z "$dir_arg"; then + trap '(exit $?); exit' 1 2 13 15 - trap "rm -f ${dsttmp}" 0 && + # Set umask so as not to create temps with too-generous modes. + # However, 'strip' requires both read and write access to temps. + case $mode in + # Optimize common cases. + *644) cp_umask=133;; + *755) cp_umask=22;; + + *[0-7]) + if test -z "$stripcmd"; then + u_plus_rw= + else + u_plus_rw='% 200' + fi + cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;; + *) + if test -z "$stripcmd"; then + u_plus_rw= + else + u_plus_rw=,u+rw + fi + cp_umask=$mode$u_plus_rw;; + esac +fi -# and set any options; do chmod last to preserve setuid bits +for src +do + # Protect names starting with `-'. + case $src in + -*) src=./$src;; + esac + + if test -n "$dir_arg"; then + dst=$src + dstdir=$dst + test -d "$dstdir" + dstdir_status=$? + else + + # Waiting for this to be detected by the "$cpprog $src $dsttmp" command + # might cause directories to be created, which would be especially bad + # if $src (and thus $dsttmp) contains '*'. + if test ! -f "$src" && test ! -d "$src"; then + echo "$0: $src does not exist." >&2 + exit 1 + fi + + if test -z "$dst_arg"; then + echo "$0: no destination specified." >&2 + exit 1 + fi + + dst=$dst_arg + # Protect names starting with `-'. + case $dst in + -*) dst=./$dst;; + esac -# If any of these fail, we abort the whole thing. If we want to -# ignore errors from any of these, just make sure not to ignore -# errors from the above "$doit $instcmd $src $dsttmp" command. 
+ # If destination is a directory, append the input filename; won't work + # if double slashes aren't ignored. + if test -d "$dst"; then + if test -n "$no_target_directory"; then + echo "$0: $dst_arg: Is a directory" >&2 + exit 1 + fi + dstdir=$dst + dst=$dstdir/`basename "$src"` + dstdir_status=0 + else + # Prefer dirname, but fall back on a substitute if dirname fails. + dstdir=` + (dirname "$dst") 2>/dev/null || + expr X"$dst" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$dst" : 'X\(//\)[^/]' \| \ + X"$dst" : 'X\(//\)$' \| \ + X"$dst" : 'X\(/\)' \| . 2>/dev/null || + echo X"$dst" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q' + ` + + test -d "$dstdir" + dstdir_status=$? + fi + fi + + obsolete_mkdir_used=false + + if test $dstdir_status != 0; then + case $posix_mkdir in + '') + # Create intermediate dirs using mode 755 as modified by the umask. + # This is like FreeBSD 'install' as of 1997-10-28. + umask=`umask` + case $stripcmd.$umask in + # Optimize common cases. + *[2367][2367]) mkdir_umask=$umask;; + .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;; + + *[0-7]) + mkdir_umask=`expr $umask + 22 \ + - $umask % 100 % 40 + $umask % 20 \ + - $umask % 10 % 4 + $umask % 2 + `;; + *) mkdir_umask=$umask,go-w;; + esac + + # With -d, create the new directory with the user-specified mode. + # Otherwise, rely on $mkdir_umask. 
+ if test -n "$dir_arg"; then + mkdir_mode=-m$mode + else + mkdir_mode= + fi - if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi && - if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi && - if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi && - if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi && + posix_mkdir=false + case $umask in + *[123567][0-7][0-7]) + # POSIX mkdir -p sets u+wx bits regardless of umask, which + # is incompatible with FreeBSD 'install' when (umask & 300) != 0. + ;; + *) + tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ + trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0 -# Now rename the file to the real destination. + if (umask $mkdir_umask && + exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1 + then + if test -z "$dir_arg" || { + # Check for POSIX incompatibilities with -m. + # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or + # other-writeable bit of parent directory when it shouldn't. + # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. + ls_ld_tmpdir=`ls -ld "$tmpdir"` + case $ls_ld_tmpdir in + d????-?r-*) different_mode=700;; + d????-?--*) different_mode=755;; + *) false;; + esac && + $mkdirprog -m$different_mode -p -- "$tmpdir" && { + ls_ld_tmpdir_1=`ls -ld "$tmpdir"` + test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" + } + } + then posix_mkdir=: + fi + rmdir "$tmpdir/d" "$tmpdir" + else + # Remove any dirs left behind by ancient mkdir implementations. + rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null + fi + trap '' 0;; + esac;; + esac - $doit $rmcmd -f $dstdir/$dstfile && - $doit $mvcmd $dsttmp $dstdir/$dstfile + if + $posix_mkdir && ( + umask $mkdir_umask && + $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir" + ) + then : + else + + # The umask is ridiculous, or mkdir does not conform to POSIX, + # or it failed possibly due to a race condition. Create the + # directory the slow way, step by step, checking for races as we go. 
+ + case $dstdir in + /*) prefix='/';; + -*) prefix='./';; + *) prefix='';; + esac + + eval "$initialize_posix_glob" + + oIFS=$IFS + IFS=/ + $posix_glob set -f + set fnord $dstdir + shift + $posix_glob set +f + IFS=$oIFS + + prefixes= + + for d + do + test -z "$d" && continue + + prefix=$prefix$d + if test -d "$prefix"; then + prefixes= + else + if $posix_mkdir; then + (umask=$mkdir_umask && + $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break + # Don't fail if two instances are running concurrently. + test -d "$prefix" || exit 1 + else + case $prefix in + *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;; + *) qprefix=$prefix;; + esac + prefixes="$prefixes '$qprefix'" + fi + fi + prefix=$prefix/ + done -fi && + if test -n "$prefixes"; then + # Don't fail if two instances are running concurrently. + (umask $mkdir_umask && + eval "\$doit_exec \$mkdirprog $prefixes") || + test -d "$dstdir" || exit 1 + obsolete_mkdir_used=true + fi + fi + fi + + if test -n "$dir_arg"; then + { test -z "$chowncmd" || $doit $chowncmd "$dst"; } && + { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } && + { test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false || + test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1 + else + + # Make a couple of temp file names in the proper directory. + dsttmp=$dstdir/_inst.$$_ + rmtmp=$dstdir/_rm.$$_ + + # Trap to clean up those temp files at exit. + trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0 + + # Copy the file name to the temp name. + (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") && + + # and set any options; do chmod last to preserve setuid bits. + # + # If any of these fail, we abort the whole thing. If we want to + # ignore errors from any of these, just make sure not to ignore + # errors from the above "$doit $cpprog $src $dsttmp" command. 
+ # + { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } && + { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } && + { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } && + { test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } && + + # If -C, don't bother to copy if it wouldn't change the file. + if $copy_on_change && + old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` && + new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` && + + eval "$initialize_posix_glob" && + $posix_glob set -f && + set X $old && old=:$2:$4:$5:$6 && + set X $new && new=:$2:$4:$5:$6 && + $posix_glob set +f && + + test "$old" = "$new" && + $cmpprog "$dst" "$dsttmp" >/dev/null 2>&1 + then + rm -f "$dsttmp" + else + # Rename the file to the real destination. + $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null || + + # The rename failed, perhaps because mv can't rename something else + # to itself, or perhaps because mv is so ancient that it does not + # support -f. + { + # Now remove or move aside any old file at destination location. + # We try this two ways since rm can't unlink itself on some + # systems and the destination file might be busy for other + # reasons. In this case, the final cleanup might fail but the new + # file should still install successfully. + { + test ! -f "$dst" || + $doit $rmcmd -f "$dst" 2>/dev/null || + { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null && + { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; } + } || + { echo "$0: cannot unlink or rename $dst" >&2 + (exit 1); exit 1 + } + } && + + # Now rename the file to the real destination. 
+ $doit $mvcmd "$dsttmp" "$dst"
+ }
+ fi || exit 1
+ trap '' 0
+ fi
+done
-exit 0
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-time-zone: "UTC"
+# time-stamp-end: "; # UTC"
+# End:
diff -Nru snort-2.8.5.2/ltmain.sh snort-2.9.2/ltmain.sh
--- snort-2.8.5.2/ltmain.sh 2007-04-05 14:20:16.000000000 +0000
+++ snort-2.9.2/ltmain.sh 2011-12-07 19:23:07.000000000 +0000
@@ -1,52 +1,83 @@
-# ltmain.sh - Provide generalized library-building support services.
-# NOTE: Changing this file will not affect anything until you rerun configure.
-#
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005
-# Free Software Foundation, Inc.
-# Originally by Gordon Matzigkeit , 1996
-#
-# This program is free software; you can redistribute it and/or modify
+# Generated from ltmain.m4sh.
+
+# ltmain.sh (GNU libtool) 2.2.6b
+# Written by Gordon Matzigkeit , 1996
+
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006, 2007 2008 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions. There is NO
+# warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+# GNU Libtool is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2 of the License, or
 # (at your option) any later version.
 #
-# This program is distributed in the hope that it will be useful, but
+# As a special exception to the GNU General Public License,
+# if you distribute this file as part of a program or library that
+# is built using GNU Libtool, you may include this file under the
+# same distribution terms that you use for the rest of that program.
+#
+# GNU Libtool is distributed in the hope that it will be useful, but
 # WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 # General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-#
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-basename="s,^.*/,,g"
-
-# Work around backward compatibility issue on IRIX 6.5. On IRIX 6.4+, sh
-# is ksh but when the shell is invoked as "sh" and the current value of
-# the _XPG environment variable is not equal to 1 (one), the special
-# positional parameter $0, within a function call, is the name of the
-# function.
-progpath="$0"
-
-# The name of this program:
-progname=`echo "$progpath" | $SED $basename`
-modename="$progname"
+# along with GNU Libtool; see the file COPYING. If not, a copy
+# can be downloaded from http://www.gnu.org/licenses/gpl.html,
+# or obtained by writing to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-# Global variables:
-EXIT_SUCCESS=0
-EXIT_FAILURE=1
+# Usage: $progname [OPTION]... [MODE-ARG]...
+#
+# Provide generalized library-building support services.
+#
+# --config show all configuration variables
+# --debug enable verbose shell tracing
+# -n, --dry-run display commands without modifying any files
+# --features display basic configuration information and exit
+# --mode=MODE use operation mode MODE
+# --preserve-dup-deps don't remove duplicate dependency libraries
+# --quiet, --silent don't print informational messages
+# --tag=TAG use configuration variables from tag TAG
+# -v, --verbose print informational messages (default)
+# --version print version information
+# -h, --help print short or long help message
+#
+# MODE must be one of the following:
+#
+# clean remove files from the build directory
+# compile compile a source file into a libtool object
+# execute automatically set library path, then run a program
+# finish complete the installation of libtool libraries
+# install install libraries or executables
+# link create a library or an executable
+# uninstall remove libraries from an installed directory
+#
+# MODE-ARGS vary depending on the MODE.
+# Try `$progname --help --mode=MODE' for a more detailed description of MODE.
+#
+# When reporting a bug, please describe a test case to reproduce it and
+# include the following information:
+#
+# host-triplet: $host
+# shell: $SHELL
+# compiler: $LTCC
+# compiler flags: $LTCFLAGS
+# linker: $LD (gnu? $with_gnu_ld)
+# $progname: (GNU libtool) 2.2.6b
+# automake: $automake_version
+# autoconf: $autoconf_version
+#
+# Report bugs to .
 PROGRAM=ltmain.sh
 PACKAGE=libtool
-VERSION=1.5.22
-TIMESTAMP=" (1.1220.2.365 2005/12/18 22:14:06)"
+VERSION=2.2.6b
+TIMESTAMP=""
+package_revision=1.3017
-# Be Bourne compatible (taken from Autoconf:_AS_BOURNE_COMPATIBLE).
+# Be Bourne compatible
 if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
 emulate sh
 NULLCMD=:
@@ -57,99 +88,264 @@ else case `(set -o) 2>/dev/null` in *posix*) set -o posix;; esac fi +BIN_SH=xpg4; export BIN_SH # for Tru64 +DUALCASE=1; export DUALCASE # for MKS sh -# Check that we have a working $echo. -if test "X$1" = X--no-reexec; then - # Discard the --no-reexec flag, and continue. - shift -elif test "X$1" = X--fallback-echo; then - # Avoid inline document here, it may be left over - : -elif test "X`($echo '\t') 2>/dev/null`" = 'X\t'; then - # Yippee, $echo works! - : -else - # Restart under the correct shell, and then maybe $echo will work. - exec $SHELL "$progpath" --no-reexec ${1+"$@"} -fi - -if test "X$1" = X--fallback-echo; then - # used as fallback echo - shift - cat <&2 - $echo "Fatal configuration error. See the $PACKAGE docs for more information." 1>&2 - exit $EXIT_FAILURE -fi +dirname="s,/[^/]*$,," +basename="s,^.*/,," -# Global variables. -mode=$default_mode -nonopt= -prev= -prevopt= -run= -show="$echo" -show_help= -execute_dlfiles= -duplicate_deps=no -preserve_args= -lo2o="s/\\.lo\$/.${objext}/" -o2lo="s/\\.${objext}\$/.lo/" -extracted_archives= -extracted_serial=0 +# func_dirname_and_basename file append nondir_replacement +# perform func_basename and func_dirname in a single function +# call: +# dirname: Compute the dirname of FILE. If nonempty, +# add APPEND to the result, otherwise set result +# to NONDIR_REPLACEMENT. +# value returned in "$func_dirname_result" +# basename: Compute filename of FILE. +# value retuned in "$func_basename_result" +# Implementation must be kept synchronized with func_dirname +# and func_basename. For efficiency, we do not delegate to +# those functions but instead duplicate the functionality here. +func_dirname_and_basename () +{ + # Extract subdirectory from the argument. 
+ func_dirname_result=`$ECHO "X${1}" | $Xsed -e "$dirname"` + if test "X$func_dirname_result" = "X${1}"; then + func_dirname_result="${3}" + else + func_dirname_result="$func_dirname_result${2}" + fi + func_basename_result=`$ECHO "X${1}" | $Xsed -e "$basename"` +} + +# Generated shell functions inserted here. + +# Work around backward compatibility issue on IRIX 6.5. On IRIX 6.4+, sh +# is ksh but when the shell is invoked as "sh" and the current value of +# the _XPG environment variable is not equal to 1 (one), the special +# positional parameter $0, within a function call, is the name of the +# function. +progpath="$0" + +# The name of this program: +# In the unlikely event $progname began with a '-', it would play havoc with +# func_echo (imagine progname=-n), so we prepend ./ in that case: +func_dirname_and_basename "$progpath" +progname=$func_basename_result +case $progname in + -*) progname=./$progname ;; +esac + +# Make sure we have an absolute path for reexecution: +case $progpath in + [\\/]*|[A-Za-z]:\\*) ;; + *[\\/]*) + progdir=$func_dirname_result + progdir=`cd "$progdir" && pwd` + progpath="$progdir/$progname" + ;; + *) + save_IFS="$IFS" + IFS=: + for progdir in $PATH; do + IFS="$save_IFS" + test -x "$progdir/$progname" && break + done + IFS="$save_IFS" + test -n "$progdir" || progdir=`pwd` + progpath="$progdir/$progname" + ;; +esac + +# Sed substitution that helps us do robust quoting. It backslashifies +# metacharacters that are still active within double-quoted strings. +Xsed="${SED}"' -e 1s/^X//' +sed_quote_subst='s/\([`"$\\]\)/\\\1/g' + +# Same as above, but do not quote variable references. +double_quote_subst='s/\(["`\\]\)/\\\1/g' + +# Re-`\' parameter expansions in output of double_quote_subst that were +# `\'-ed in input to the same. If an odd number of `\' preceded a '$' +# in input to double_quote_subst, that '$' was protected from expansion. 
+# Since each input `\' is now two `\'s, look for any number of runs of +# four `\'s followed by two `\'s and then a '$'. `\' that '$'. +bs='\\' +bs2='\\\\' +bs4='\\\\\\\\' +dollar='\$' +sed_double_backslash="\ + s/$bs4/&\\ +/g + s/^$bs2$dollar/$bs&/ + s/\\([^$bs]\\)$bs2$dollar/\\1$bs2$bs$dollar/g + s/\n//g" + +# Standard options: +opt_dry_run=false +opt_help=false +opt_quiet=false +opt_verbose=false +opt_warning=: + +# func_echo arg... +# Echo program name prefixed message, along with the current mode +# name if it has been set yet. +func_echo () +{ + $ECHO "$progname${mode+: }$mode: $*" +} + +# func_verbose arg... +# Echo program name prefixed message in verbose mode only. +func_verbose () +{ + $opt_verbose && func_echo ${1+"$@"} + + # A bug in bash halts the script if the last line of a function + # fails when set -e is in force, so we need another command to + # work around that: + : +} + +# func_error arg... +# Echo program name prefixed message to standard error. +func_error () +{ + $ECHO "$progname${mode+: }$mode: "${1+"$@"} 1>&2 +} + +# func_warning arg... +# Echo program name prefixed warning message to standard error. +func_warning () +{ + $opt_warning && $ECHO "$progname${mode+: }$mode: warning: "${1+"$@"} 1>&2 + + # bash bug again: + : +} + +# func_fatal_error arg... +# Echo program name prefixed message to standard error, and exit. +func_fatal_error () +{ + func_error ${1+"$@"} + exit $EXIT_FAILURE +} + +# func_fatal_help arg... +# Echo program name prefixed message to standard error, followed by +# a help hint, and exit. +func_fatal_help () +{ + func_error ${1+"$@"} + func_fatal_error "$help" +} +help="Try \`$progname --help' for more information." ## default + + +# func_grep expression filename +# Check whether EXPRESSION matches any line of FILENAME, without output. +func_grep () +{ + $GREP "$1" "$2" >/dev/null 2>&1 +} + + +# func_mkdir_p directory-path +# Make sure the entire path to DIRECTORY-PATH is available. 
+func_mkdir_p () +{ + my_directory_path="$1" + my_dir_list= + + if test -n "$my_directory_path" && test "$opt_dry_run" != ":"; then + + # Protect directory names starting with `-' + case $my_directory_path in + -*) my_directory_path="./$my_directory_path" ;; + esac + + # While some portion of DIR does not yet exist... + while test ! -d "$my_directory_path"; do + # ...make a list in topmost first order. Use a colon delimited + # list incase some portion of path contains whitespace. + my_dir_list="$my_directory_path:$my_dir_list" + + # If the last portion added has no slash in it, the list is done + case $my_directory_path in */*) ;; *) break ;; esac + + # ...otherwise throw away the child directory and loop + my_directory_path=`$ECHO "X$my_directory_path" | $Xsed -e "$dirname"` + done + my_dir_list=`$ECHO "X$my_dir_list" | $Xsed -e 's,:*$,,'` + + save_mkdir_p_IFS="$IFS"; IFS=':' + for my_dir in $my_dir_list; do + IFS="$save_mkdir_p_IFS" + # mkdir can fail with a `File exist' error if two processes + # try to create one of the directories concurrently. Don't + # stop in that case! + $MKDIR "$my_dir" 2>/dev/null || : + done + IFS="$save_mkdir_p_IFS" + + # Bail out if we (or some other process) failed to create a directory. + test -d "$my_directory_path" || \ + func_fatal_error "Failed to create \`$1'" + fi +} -##################################### -# Shell function definitions: -# This seems to be the best place for them # func_mktempdir [string] # Make a temporary directory that won't clash with other running @@ -159,7 +355,7 @@ { my_template="${TMPDIR-/tmp}/${1-$progname}" - if test "$run" = ":"; then + if test "$opt_dry_run" = ":"; then # Return a directory name, but don't create it in dry-run mode my_tmpdir="${my_template}-$$" else 
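Review bot: The `$PATH` search that computes `progpath` in this hunk has no success flag, so when no `$progdir/$progname` is executable the loop ends with `progdir` still set to the last `$PATH` entry and `progpath` names a file that does not exist; the fallback `test -n "$progdir"` only fires when that last entry happens to be empty. Because `progpath` is later used as `$SED ... < "$progpath"` and in `exec $SHELL "$progpath" --no-reexec`, a wrong value would presumably surface as a confusing sed or exec error rather than a clear "cannot locate myself" failure. Changing the fallback condition from `test -n "$progdir"` to `test -x "$progdir/$progname"` makes the `pwd` default apply whenever the search fails, not only for a trailing empty entry. Note also that an empty component in `$PATH` (leading or doubled colon) makes the loop probe `/$progname` at the filesystem root rather than the current directory, which looks unintended and is worth a comment or an explicit `test -n "$progdir" || progdir=.` inside the loop.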
@@ -168,522 +364,790 @@ my_tmpdir=`mktemp -d "${my_template}-XXXXXXXX" 2>/dev/null` if test ! -d "$my_tmpdir"; then - # Failing that, at least try and use $RANDOM to avoid a race - my_tmpdir="${my_template}-${RANDOM-0}$$" + # Failing that, at least try and use $RANDOM to avoid a race + my_tmpdir="${my_template}-${RANDOM-0}$$" - save_mktempdir_umask=`umask` - umask 0077 - $mkdir "$my_tmpdir" - umask $save_mktempdir_umask + save_mktempdir_umask=`umask` + umask 0077 + $MKDIR "$my_tmpdir" + umask $save_mktempdir_umask fi # If we're not in dry-run mode, bomb out on failure - test -d "$my_tmpdir" || { - $echo "cannot create temporary directory \`$my_tmpdir'" 1>&2 - exit $EXIT_FAILURE - } + test -d "$my_tmpdir" || \ + func_fatal_error "cannot create temporary directory \`$my_tmpdir'" fi - $echo "X$my_tmpdir" | $Xsed + $ECHO "X$my_tmpdir" | $Xsed } -# func_win32_libid arg -# return the library type of file 'arg' -# -# Need a lot of goo to handle *both* DLLs and import libs -# Has to be a shell function in order to 'eat' the argument -# that is supplied when $file_magic_command is called. -func_win32_libid () +# func_quote_for_eval arg +# Aesthetically quote ARG to be evaled later. +# This function returns two values: FUNC_QUOTE_FOR_EVAL_RESULT +# is double-quoted, suitable for a subsequent eval, whereas +# FUNC_QUOTE_FOR_EVAL_UNQUOTED_RESULT has merely all characters +# which are still active within double quotes backslashified. +func_quote_for_eval () { - win32_libid_type="unknown" - win32_fileres=`file -L $1 2>/dev/null` - case $win32_fileres in - *ar\ archive\ import\ library*) # definitely import - win32_libid_type="x86 archive import" - ;; - *ar\ archive*) # could be an import, or static - if eval $OBJDUMP -f $1 | $SED -e '10q' 2>/dev/null | \ - $EGREP -e 'file format pe-i386(.*architecture: i386)?' 
>/dev/null ; then - win32_nmres=`eval $NM -f posix -A $1 | \ - $SED -n -e '1,100{/ I /{s,.*,import,;p;q;};}'` - case $win32_nmres in - import*) win32_libid_type="x86 archive import";; - *) win32_libid_type="x86 archive static";; - esac - fi - ;; - *DLL*) - win32_libid_type="x86 DLL" - ;; - *executable*) # but shell scripts are "executable" too... - case $win32_fileres in - *MS\ Windows\ PE\ Intel*) - win32_libid_type="x86 DLL" - ;; + case $1 in + *[\\\`\"\$]*) + func_quote_for_eval_unquoted_result=`$ECHO "X$1" | $Xsed -e "$sed_quote_subst"` ;; + *) + func_quote_for_eval_unquoted_result="$1" ;; + esac + + case $func_quote_for_eval_unquoted_result in + # Double-quote args containing shell metacharacters to delay + # word splitting, command substitution and and variable + # expansion for a subsequent eval. + # Many Bourne shells cannot handle close brackets correctly + # in scan sets, so we specify it separately. + *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") + func_quote_for_eval_result="\"$func_quote_for_eval_unquoted_result\"" + ;; + *) + func_quote_for_eval_result="$func_quote_for_eval_unquoted_result" esac - ;; - esac - $echo $win32_libid_type } -# func_infer_tag arg -# Infer tagged configuration to use if any are available and -# if one wasn't chosen via the "--tag" command line option. -# Only attempt this if the compiler in the base compile -# command doesn't match the default compiler. -# arg is usually of the form 'gcc ...' -func_infer_tag () +# func_quote_for_expand arg +# Aesthetically quote ARG to be evaled later; same as above, +# but do not quote variable references. 
+func_quote_for_expand () { - if test -n "$available_tags" && test -z "$tagname"; then - CC_quoted= - for arg in $CC; do - case $arg in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - arg="\"$arg\"" - ;; - esac - CC_quoted="$CC_quoted $arg" - done - case $@ in - # Blanks in the command may have been stripped by the calling shell, - # but not from the CC environment variable when configure was run. - " $CC "* | "$CC "* | " `$echo $CC` "* | "`$echo $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$echo $CC_quoted` "* | "`$echo $CC_quoted` "*) ;; - # Blanks at the start of $base_compile will cause this to fail - # if we don't check for them as well. + case $1 in + *[\\\`\"]*) + my_arg=`$ECHO "X$1" | $Xsed \ + -e "$double_quote_subst" -e "$sed_double_backslash"` ;; *) - for z in $available_tags; do - if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $z$" < "$progpath" > /dev/null; then - # Evaluate the configuration. - eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^# ### END LIBTOOL TAG CONFIG: '$z'$/p' < $progpath`" - CC_quoted= - for arg in $CC; do - # Double-quote args containing other shell metacharacters. - case $arg in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - arg="\"$arg\"" - ;; - esac - CC_quoted="$CC_quoted $arg" - done - case "$@ " in - " $CC "* | "$CC "* | " `$echo $CC` "* | "`$echo $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$echo $CC_quoted` "* | "`$echo $CC_quoted` "*) - # The compiler in the base compile command matches - # the one in the tagged configuration. - # Assume this is the tagged configuration we want. - tagname=$z - break - ;; - esac - fi - done - # If $tagname still isn't set, then no tagged configuration - # was found and let the user know that the "--tag" command - # line option must be used. 
- if test -z "$tagname"; then - $echo "$modename: unable to infer tagged configuration" - $echo "$modename: specify a tag with \`--tag'" 1>&2 - exit $EXIT_FAILURE -# else -# $echo "$modename: using $tagname tagged configuration" - fi - ;; - esac - fi + my_arg="$1" ;; + esac + + case $my_arg in + # Double-quote args containing shell metacharacters to delay + # word splitting and command substitution for a subsequent eval. + # Many Bourne shells cannot handle close brackets correctly + # in scan sets, so we specify it separately. + *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") + my_arg="\"$my_arg\"" + ;; + esac + + func_quote_for_expand_result="$my_arg" } -# func_extract_an_archive dir oldlib -func_extract_an_archive () +# func_show_eval cmd [fail_exp] +# Unless opt_silent is true, then output CMD. Then, if opt_dryrun is +# not true, evaluate CMD. If the evaluation of CMD fails, and FAIL_EXP +# is given, then evaluate it. +func_show_eval () { - f_ex_an_ar_dir="$1"; shift - f_ex_an_ar_oldlib="$1" + my_cmd="$1" + my_fail_exp="${2-:}" - $show "(cd $f_ex_an_ar_dir && $AR x $f_ex_an_ar_oldlib)" - $run eval "(cd \$f_ex_an_ar_dir && $AR x \$f_ex_an_ar_oldlib)" || exit $? - if ($AR t "$f_ex_an_ar_oldlib" | sort | sort -uc >/dev/null 2>&1); then - : - else - $echo "$modename: ERROR: object name conflicts: $f_ex_an_ar_dir/$f_ex_an_ar_oldlib" 1>&2 - exit $EXIT_FAILURE + ${opt_silent-false} || { + func_quote_for_expand "$my_cmd" + eval "func_echo $func_quote_for_expand_result" + } + + if ${opt_dry_run-false}; then :; else + eval "$my_cmd" + my_status=$? + if test "$my_status" -eq 0; then :; else + eval "(exit $my_status); $my_fail_exp" + fi fi } -# func_extract_archives gentop oldlib ... -func_extract_archives () + +# func_show_eval_locale cmd [fail_exp] +# Unless opt_silent is true, then output CMD. Then, if opt_dryrun is +# not true, evaluate CMD. If the evaluation of CMD fails, and FAIL_EXP +# is given, then evaluate it. Use the saved locale for evaluation. 
+func_show_eval_locale () { - my_gentop="$1"; shift - my_oldlibs=${1+"$@"} - my_oldobjs="" - my_xlib="" - my_xabs="" - my_xdir="" - my_status="" + my_cmd="$1" + my_fail_exp="${2-:}" + + ${opt_silent-false} || { + func_quote_for_expand "$my_cmd" + eval "func_echo $func_quote_for_expand_result" + } - $show "${rm}r $my_gentop" - $run ${rm}r "$my_gentop" - $show "$mkdir $my_gentop" - $run $mkdir "$my_gentop" - my_status=$? - if test "$my_status" -ne 0 && test ! -d "$my_gentop"; then - exit $my_status + if ${opt_dry_run-false}; then :; else + eval "$lt_user_locale + $my_cmd" + my_status=$? + eval "$lt_safe_locale" + if test "$my_status" -eq 0; then :; else + eval "(exit $my_status); $my_fail_exp" + fi fi +} - for my_xlib in $my_oldlibs; do - # Extract the objects. - case $my_xlib in - [\\/]* | [A-Za-z]:[\\/]*) my_xabs="$my_xlib" ;; - *) my_xabs=`pwd`"/$my_xlib" ;; - esac - my_xlib=`$echo "X$my_xlib" | $Xsed -e 's%^.*/%%'` - my_xlib_u=$my_xlib - while :; do - case " $extracted_archives " in - *" $my_xlib_u "*) - extracted_serial=`expr $extracted_serial + 1` - my_xlib_u=lt$extracted_serial-$my_xlib ;; - *) break ;; - esac - done - extracted_archives="$extracted_archives $my_xlib_u" - my_xdir="$my_gentop/$my_xlib_u" - $show "${rm}r $my_xdir" - $run ${rm}r "$my_xdir" - $show "$mkdir $my_xdir" - $run $mkdir "$my_xdir" - exit_status=$? - if test "$exit_status" -ne 0 && test ! -d "$my_xdir"; then - exit $exit_status - fi - case $host in - *-darwin*) - $show "Extracting $my_xabs" - # Do not bother doing anything if just a dry run - if test -z "$run"; then - darwin_orig_dir=`pwd` - cd $my_xdir || exit $? 
- darwin_archive=$my_xabs - darwin_curdir=`pwd` - darwin_base_archive=`$echo "X$darwin_archive" | $Xsed -e 's%^.*/%%'` - darwin_arches=`lipo -info "$darwin_archive" 2>/dev/null | $EGREP Architectures 2>/dev/null` - if test -n "$darwin_arches"; then - darwin_arches=`echo "$darwin_arches" | $SED -e 's/.*are://'` - darwin_arch= - $show "$darwin_base_archive has multiple architectures $darwin_arches" - for darwin_arch in $darwin_arches ; do - mkdir -p "unfat-$$/${darwin_base_archive}-${darwin_arch}" - lipo -thin $darwin_arch -output "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" "${darwin_archive}" - cd "unfat-$$/${darwin_base_archive}-${darwin_arch}" - func_extract_an_archive "`pwd`" "${darwin_base_archive}" - cd "$darwin_curdir" - $rm "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" - done # $darwin_arches - ## Okay now we have a bunch of thin objects, gotta fatten them up :) - darwin_filelist=`find unfat-$$ -type f -name \*.o -print -o -name \*.lo -print| xargs basename | sort -u | $NL2SP` - darwin_file= - darwin_files= - for darwin_file in $darwin_filelist; do - darwin_files=`find unfat-$$ -name $darwin_file -print | $NL2SP` - lipo -create -output "$darwin_file" $darwin_files - done # $darwin_filelist - ${rm}r unfat-$$ - cd "$darwin_orig_dir" - else - cd "$darwin_orig_dir" - func_extract_an_archive "$my_xdir" "$my_xabs" - fi # $darwin_arches - fi # $run - ;; - *) - func_extract_an_archive "$my_xdir" "$my_xabs" - ;; - esac - my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP` - done - func_extract_archives_result="$my_oldobjs" + + + +# func_version +# Echo version message to standard output and exit. +func_version () +{ + $SED -n '/^# '$PROGRAM' (GNU /,/# warranty; / { + s/^# // + s/^# *$// + s/\((C)\)[ 0-9,-]*\( [1-9][0-9]*\)/\1\2/ + p + }' < "$progpath" + exit $? +} + +# func_usage +# Echo short help message to standard output and exit. 
+func_usage () +{ + $SED -n '/^# Usage:/,/# -h/ { + s/^# // + s/^# *$// + s/\$progname/'$progname'/ + p + }' < "$progpath" + $ECHO + $ECHO "run \`$progname --help | more' for full usage" + exit $? +} + +# func_help +# Echo long help message to standard output and exit. +func_help () +{ + $SED -n '/^# Usage:/,/# Report bugs to/ { + s/^# // + s/^# *$// + s*\$progname*'$progname'* + s*\$host*'"$host"'* + s*\$SHELL*'"$SHELL"'* + s*\$LTCC*'"$LTCC"'* + s*\$LTCFLAGS*'"$LTCFLAGS"'* + s*\$LD*'"$LD"'* + s/\$with_gnu_ld/'"$with_gnu_ld"'/ + s/\$automake_version/'"`(automake --version) 2>/dev/null |$SED 1q`"'/ + s/\$autoconf_version/'"`(autoconf --version) 2>/dev/null |$SED 1q`"'/ + p + }' < "$progpath" + exit $? } -# End of Shell function definitions -##################################### -# Darwin sucks -eval std_shrext=\"$shrext_cmds\" +# func_missing_arg argname +# Echo program name prefixed message to standard error and set global +# exit_cmd. +func_missing_arg () +{ + func_error "missing argument for $1" + exit_cmd=exit +} -disable_libs=no +exit_cmd=: -# Parse our command line options once, thoroughly. -while test "$#" -gt 0 -do - arg="$1" + + + + +# Check that we have a working $ECHO. +if test "X$1" = X--no-reexec; then + # Discard the --no-reexec flag, and continue. + shift +elif test "X$1" = X--fallback-echo; then + # Avoid inline document here, it may be left over + : +elif test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t'; then + # Yippee, $ECHO works! + : +else + # Restart under the correct shell, and then maybe $ECHO will work. + exec $SHELL "$progpath" --no-reexec ${1+"$@"} +fi + +if test "X$1" = X--fallback-echo; then + # used as fallback echo shift + cat <&2 - exit $EXIT_FAILURE - ;; - esac +# Global variables. 
+# $mode is unset +nonopt= +execute_dlfiles= +preserve_args= +lo2o="s/\\.lo\$/.${objext}/" +o2lo="s/\\.${objext}\$/.lo/" +extracted_archives= +extracted_serial=0 - case $tagname in - CC) - # Don't test for the "default" C tag, as we know, it's there, but - # not specially marked. - ;; - *) - if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "$progpath" > /dev/null; then - taglist="$taglist $tagname" - # Evaluate the configuration. - eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$tagname'$/,/^# ### END LIBTOOL TAG CONFIG: '$tagname'$/p' < $progpath`" - else - $echo "$progname: ignoring unknown tag $tagname" 1>&2 - fi - ;; - esac - ;; - *) - eval "$prev=\$arg" - ;; - esac +opt_dry_run=false +opt_duplicate_deps=false +opt_silent=false +opt_debug=: - prev= - prevopt= - continue - fi +# If this variable is set in any of the actions, the command in it +# will be execed at the end. This prevents here-documents from being +# left over by shells. +exec_cmd= - # Have we seen a non-optional argument yet? - case $arg in - --help) - show_help=yes - ;; +# func_fatal_configuration arg... +# Echo program name prefixed message to standard error, followed by +# a configuration failure hint, and exit. +func_fatal_configuration () +{ + func_error ${1+"$@"} + func_error "See the $PACKAGE documentation for more information." + func_fatal_error "Fatal configuration error." +} - --version) - $echo "$PROGRAM (GNU $PACKAGE) $VERSION$TIMESTAMP" - $echo - $echo "Copyright (C) 2005 Free Software Foundation, Inc." - $echo "This is free software; see the source for copying conditions. There is NO" - $echo "warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." - exit $? - ;; - --config) - ${SED} -e '1,/^# ### BEGIN LIBTOOL CONFIG/d' -e '/^# ### END LIBTOOL CONFIG/,$d' $progpath +# func_config +# Display the configuration for all the tags in this script. 
+func_config () +{ + re_begincf='^# ### BEGIN LIBTOOL' + re_endcf='^# ### END LIBTOOL' + + # Default configuration. + $SED "1,/$re_begincf CONFIG/d;/$re_endcf CONFIG/,\$d" < "$progpath" + # Now print the configurations for the tags. for tagname in $taglist; do - ${SED} -n -e "/^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$/,/^# ### END LIBTOOL TAG CONFIG: $tagname$/p" < "$progpath" + $SED -n "/$re_begincf TAG CONFIG: $tagname\$/,/$re_endcf TAG CONFIG: $tagname\$/p" < "$progpath" done - exit $? - ;; - - --debug) - $echo "$progname: enabling shell trace mode" - set -x - preserve_args="$preserve_args $arg" - ;; - --dry-run | -n) - run=: - ;; + exit $? +} - --features) - $echo "host: $host" +# func_features +# Display the features supported by this script. +func_features () +{ + $ECHO "host: $host" if test "$build_libtool_libs" = yes; then - $echo "enable shared libraries" + $ECHO "enable shared libraries" else - $echo "disable shared libraries" + $ECHO "disable shared libraries" fi if test "$build_old_libs" = yes; then - $echo "enable static libraries" + $ECHO "enable static libraries" else - $echo "disable static libraries" + $ECHO "disable static libraries" fi + exit $? - ;; +} + +# func_enable_tag tagname +# Verify that TAGNAME is valid, and either flag an error and exit, or +# enable the TAGNAME tag. We also add TAGNAME to the global $taglist +# variable here. +func_enable_tag () +{ + # Global variable: + tagname="$1" - --finish) mode="finish" ;; + re_begincf="^# ### BEGIN LIBTOOL TAG CONFIG: $tagname\$" + re_endcf="^# ### END LIBTOOL TAG CONFIG: $tagname\$" + sed_extractcf="/$re_begincf/,/$re_endcf/p" + + # Validate tagname. + case $tagname in + *[!-_A-Za-z0-9,/]*) + func_fatal_error "invalid tag name: $tagname" + ;; + esac - --mode) prevopt="--mode" prev=mode ;; - --mode=*) mode="$optarg" ;; + # Don't test for the "default" C tag, as we know it's + # there but not specially marked. 
+ case $tagname in + CC) ;; + *) + if $GREP "$re_begincf" "$progpath" >/dev/null 2>&1; then + taglist="$taglist $tagname" - --preserve-dup-deps) duplicate_deps="yes" ;; + # Evaluate the configuration. Be careful to quote the path + # and the sed script, to avoid splitting on whitespace, but + # also don't use non-portable quotes within backquotes within + # quotes we have to do it in 2 steps: + extractedcf=`$SED -n -e "$sed_extractcf" < "$progpath"` + eval "$extractedcf" + else + func_error "ignoring unknown tag $tagname" + fi + ;; + esac +} - --quiet | --silent) - show=: - preserve_args="$preserve_args $arg" - ;; +# Parse options once, thoroughly. This comes as soon as possible in +# the script to make things like `libtool --version' happen quickly. +{ - --tag) - prevopt="--tag" - prev=tag - preserve_args="$preserve_args --tag" + # Shorthand for --mode=foo, only valid as the first argument + case $1 in + clean|clea|cle|cl) + shift; set dummy --mode clean ${1+"$@"}; shift ;; - --tag=*) - set tag "$optarg" ${1+"$@"} - shift - prev=tag - preserve_args="$preserve_args --tag" + compile|compil|compi|comp|com|co|c) + shift; set dummy --mode compile ${1+"$@"}; shift ;; - - -dlopen) - prevopt="-dlopen" - prev=execute_dlfiles + execute|execut|execu|exec|exe|ex|e) + shift; set dummy --mode execute ${1+"$@"}; shift ;; - - -*) - $echo "$modename: unrecognized option \`$arg'" 1>&2 - $echo "$help" 1>&2 - exit $EXIT_FAILURE + finish|finis|fini|fin|fi|f) + shift; set dummy --mode finish ${1+"$@"}; shift ;; - - *) - nonopt="$arg" - break + install|instal|insta|inst|ins|in|i) + shift; set dummy --mode install ${1+"$@"}; shift + ;; + link|lin|li|l) + shift; set dummy --mode link ${1+"$@"}; shift + ;; + uninstall|uninstal|uninsta|uninst|unins|unin|uni|un|u) + shift; set dummy --mode uninstall ${1+"$@"}; shift ;; esac -done -if test -n "$prevopt"; then - $echo "$modename: option \`$prevopt' requires an argument" 1>&2 - $echo "$help" 1>&2 - exit $EXIT_FAILURE -fi + # Parse non-mode 
specific arguments: + while test "$#" -gt 0; do + opt="$1" + shift -case $disable_libs in -no) - ;; -shared) - build_libtool_libs=no - build_old_libs=yes - ;; -static) - build_old_libs=`case $build_libtool_libs in yes) echo no;; *) echo yes;; esac` - ;; -esac + case $opt in + --config) func_config ;; -# If this variable is set in any of the actions, the command in it -# will be execed at the end. This prevents here-documents from being -# left over by shells. -exec_cmd= + --debug) preserve_args="$preserve_args $opt" + func_echo "enabling shell trace mode" + opt_debug='set -x' + $opt_debug + ;; -if test -z "$show_help"; then + -dlopen) test "$#" -eq 0 && func_missing_arg "$opt" && break + execute_dlfiles="$execute_dlfiles $1" + shift + ;; - # Infer the operation mode. - if test -z "$mode"; then - $echo "*** Warning: inferring the mode of operation is deprecated." 1>&2 - $echo "*** Future versions of Libtool will require --mode=MODE be specified." 1>&2 - case $nonopt in - *cc | cc* | *++ | gcc* | *-gcc* | g++* | xlc*) - mode=link - for arg - do - case $arg in - -c) - mode=compile - break - ;; - esac - done - ;; - *db | *dbx | *strace | *truss) - mode=execute - ;; - *install*|cp|mv) - mode=install - ;; - *rm) - mode=uninstall + --dry-run | -n) opt_dry_run=: ;; + --features) func_features ;; + --finish) mode="finish" ;; + + --mode) test "$#" -eq 0 && func_missing_arg "$opt" && break + case $1 in + # Valid mode arguments: + clean) ;; + compile) ;; + execute) ;; + finish) ;; + install) ;; + link) ;; + relink) ;; + uninstall) ;; + + # Catch anything else as an error + *) func_error "invalid argument for $opt" + exit_cmd=exit + break + ;; + esac + + mode="$1" + shift + ;; + + --preserve-dup-deps) + opt_duplicate_deps=: ;; + + --quiet|--silent) preserve_args="$preserve_args $opt" + opt_silent=: + ;; + + --verbose| -v) preserve_args="$preserve_args $opt" + opt_silent=false + ;; + + --tag) test "$#" -eq 0 && func_missing_arg "$opt" && break + preserve_args="$preserve_args 
$opt $1" + func_enable_tag "$1" # tagname is set here + shift + ;; + + # Separate optargs to long options: + -dlopen=*|--mode=*|--tag=*) + func_opt_split "$opt" + set dummy "$func_opt_split_opt" "$func_opt_split_arg" ${1+"$@"} + shift + ;; + + -\?|-h) func_usage ;; + --help) opt_help=: ;; + --version) func_version ;; + + -*) func_fatal_help "unrecognized option \`$opt'" ;; + + *) nonopt="$opt" + break + ;; + esac + done + + + case $host in + *cygwin* | *mingw* | *pw32* | *cegcc*) + # don't eliminate duplications in $postdeps and $predeps + opt_duplicate_compiler_generated_deps=: ;; *) - # If we have no mode, but dlfiles were specified, then do execute mode. - test -n "$execute_dlfiles" && mode=execute + opt_duplicate_compiler_generated_deps=$opt_duplicate_deps + ;; + esac - # Just use the default operation mode. - if test -z "$mode"; then - if test -n "$nonopt"; then - $echo "$modename: warning: cannot infer operation mode from \`$nonopt'" 1>&2 - else - $echo "$modename: warning: cannot infer operation mode without MODE-ARGS" 1>&2 - fi + # Having warned about all mis-specified options, bail out if + # anything was wrong. + $exit_cmd $EXIT_FAILURE +} + +# func_check_version_match +# Ensure that we are using m4 macros, and libtool script from the same +# release of libtool. +func_check_version_match () +{ + if test "$package_revision" != "$macro_revision"; then + if test "$VERSION" != "$macro_version"; then + if test -z "$macro_version"; then + cat >&2 <<_LT_EOF +$progname: Version mismatch error. This is $PACKAGE $VERSION, but the +$progname: definition of this LT_INIT comes from an older release. +$progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION +$progname: and run autoconf again. +_LT_EOF + else + cat >&2 <<_LT_EOF +$progname: Version mismatch error. This is $PACKAGE $VERSION, but the +$progname: definition of this LT_INIT comes from $PACKAGE $macro_version. 
+$progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION +$progname: and run autoconf again. +_LT_EOF fi - ;; - esac + else + cat >&2 <<_LT_EOF +$progname: Version mismatch error. This is $PACKAGE $VERSION, revision $package_revision, +$progname: but the definition of this LT_INIT comes from revision $macro_revision. +$progname: You should recreate aclocal.m4 with macros from revision $package_revision +$progname: of $PACKAGE $VERSION and run autoconf again. +_LT_EOF + fi + + exit $EXIT_MISMATCH + fi +} + + +## ----------- ## +## Main. ## +## ----------- ## + +$opt_help || { + # Sanity checks first: + func_check_version_match + + if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then + func_fatal_configuration "not configured to build any kind of library" fi + test -z "$mode" && func_fatal_error "error: you must specify a MODE." + + + # Darwin sucks + eval std_shrext=\"$shrext_cmds\" + + # Only execute mode is allowed to have -dlopen flags. if test -n "$execute_dlfiles" && test "$mode" != execute; then - $echo "$modename: unrecognized option \`-dlopen'" 1>&2 - $echo "$help" 1>&2 + func_error "unrecognized option \`-dlopen'" + $ECHO "$help" 1>&2 exit $EXIT_FAILURE fi # Change the help message to a mode-specific one. generic_help="$help" - help="Try \`$modename --help --mode=$mode' for more information." + help="Try \`$progname --help --mode=$mode' for more information." +} - # These modes are in order of execution frequency so that they run quickly. - case $mode in - # libtool compile mode - compile) - modename="$modename: compile" - # Get the compilation command and the source file. - base_compile= - srcfile="$nonopt" # always keep a non-empty value in "srcfile" - suppress_opt=yes - suppress_output= - arg_mode=normal - libobj= - later= - for arg - do - case $arg_mode in - arg ) - # do not "continue". 
Instead, add this to base_compile - lastarg="$arg" - arg_mode=normal - ;; +# func_lalib_p file +# True iff FILE is a libtool `.la' library or `.lo' object file. +# This function is only a basic sanity check; it will hardly flush out +# determined imposters. +func_lalib_p () +{ + test -f "$1" && + $SED -e 4q "$1" 2>/dev/null \ + | $GREP "^# Generated by .*$PACKAGE" > /dev/null 2>&1 +} - target ) - libobj="$arg" - arg_mode=normal - continue - ;; +# func_lalib_unsafe_p file +# True iff FILE is a libtool `.la' library or `.lo' object file. +# This function implements the same check as func_lalib_p without +# resorting to external programs. To this end, it redirects stdin and +# closes it afterwards, without saving the original file descriptor. +# As a safety measure, use it only where a negative result would be +# fatal anyway. Works if `file' does not exist. +func_lalib_unsafe_p () +{ + lalib_p=no + if test -f "$1" && test -r "$1" && exec 5<&0 <"$1"; then + for lalib_p_l in 1 2 3 4 + do + read lalib_p_line + case "$lalib_p_line" in + \#\ Generated\ by\ *$PACKAGE* ) lalib_p=yes; break;; + esac + done + exec 0<&5 5<&- + fi + test "$lalib_p" = yes +} - normal ) - # Accept any command-line options. - case $arg in - -o) - if test -n "$libobj" ; then - $echo "$modename: you cannot specify \`-o' more than once" 1>&2 - exit $EXIT_FAILURE - fi - arg_mode=target - continue - ;; +# func_ltwrapper_script_p file +# True iff FILE is a libtool wrapper script +# This function is only a basic sanity check; it will hardly flush out +# determined imposters. +func_ltwrapper_script_p () +{ + func_lalib_p "$1" +} - -static | -prefer-pic | -prefer-non-pic) - later="$later $arg" - continue - ;; +# func_ltwrapper_executable_p file +# True iff FILE is a libtool wrapper executable +# This function is only a basic sanity check; it will hardly flush out +# determined imposters. 
+func_ltwrapper_executable_p () +{ + func_ltwrapper_exec_suffix= + case $1 in + *.exe) ;; + *) func_ltwrapper_exec_suffix=.exe ;; + esac + $GREP "$magic_exe" "$1$func_ltwrapper_exec_suffix" >/dev/null 2>&1 +} - -no-suppress) - suppress_opt=no +# func_ltwrapper_scriptname file +# Assumes file is an ltwrapper_executable +# uses $file to determine the appropriate filename for a +# temporary ltwrapper_script. +func_ltwrapper_scriptname () +{ + func_ltwrapper_scriptname_result="" + if func_ltwrapper_executable_p "$1"; then + func_dirname_and_basename "$1" "" "." + func_stripname '' '.exe' "$func_basename_result" + func_ltwrapper_scriptname_result="$func_dirname_result/$objdir/${func_stripname_result}_ltshwrapper" + fi +} + +# func_ltwrapper_p file +# True iff FILE is a libtool wrapper script or wrapper executable +# This function is only a basic sanity check; it will hardly flush out +# determined imposters. +func_ltwrapper_p () +{ + func_ltwrapper_script_p "$1" || func_ltwrapper_executable_p "$1" +} + + +# func_execute_cmds commands fail_cmd +# Execute tilde-delimited COMMANDS. +# If FAIL_CMD is given, eval that upon failure. +# FAIL_CMD may read-access the current command in variable CMD! +func_execute_cmds () +{ + $opt_debug + save_ifs=$IFS; IFS='~' + for cmd in $1; do + IFS=$save_ifs + eval cmd=\"$cmd\" + func_show_eval "$cmd" "${2-:}" + done + IFS=$save_ifs +} + + +# func_source file +# Source FILE, adding directory component if necessary. +# Note that it is not necessary on cygwin/mingw to append a dot to +# FILE even if both FILE and FILE.exe exist: automatic-append-.exe +# behavior happens only for exec(3), not for open(2)! Also, sourcing +# `FILE.' does not work on cygwin managed mounts. +func_source () +{ + $opt_debug + case $1 in + */* | *\\*) . "$1" ;; + *) . "./$1" ;; + esac +} + + +# func_infer_tag arg +# Infer tagged configuration to use if any are available and +# if one wasn't chosen via the "--tag" command line option. 
+# Only attempt this if the compiler in the base compile +# command doesn't match the default compiler. +# arg is usually of the form 'gcc ...' +func_infer_tag () +{ + $opt_debug + if test -n "$available_tags" && test -z "$tagname"; then + CC_quoted= + for arg in $CC; do + func_quote_for_eval "$arg" + CC_quoted="$CC_quoted $func_quote_for_eval_result" + done + case $@ in + # Blanks in the command may have been stripped by the calling shell, + # but not from the CC environment variable when configure was run. + " $CC "* | "$CC "* | " `$ECHO $CC` "* | "`$ECHO $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$ECHO $CC_quoted` "* | "`$ECHO $CC_quoted` "*) ;; + # Blanks at the start of $base_compile will cause this to fail + # if we don't check for them as well. + *) + for z in $available_tags; do + if $GREP "^# ### BEGIN LIBTOOL TAG CONFIG: $z$" < "$progpath" > /dev/null; then + # Evaluate the configuration. + eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^# ### END LIBTOOL TAG CONFIG: '$z'$/p' < $progpath`" + CC_quoted= + for arg in $CC; do + # Double-quote args containing other shell metacharacters. + func_quote_for_eval "$arg" + CC_quoted="$CC_quoted $func_quote_for_eval_result" + done + case "$@ " in + " $CC "* | "$CC "* | " `$ECHO $CC` "* | "`$ECHO $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$ECHO $CC_quoted` "* | "`$ECHO $CC_quoted` "*) + # The compiler in the base compile command matches + # the one in the tagged configuration. + # Assume this is the tagged configuration we want. + tagname=$z + break + ;; + esac + fi + done + # If $tagname still isn't set, then no tagged configuration + # was found and let the user know that the "--tag" command + # line option must be used. 
+ if test -z "$tagname"; then + func_echo "unable to infer tagged configuration" + func_fatal_error "specify a tag with \`--tag'" +# else +# func_verbose "using $tagname tagged configuration" + fi + ;; + esac + fi +} + + + +# func_write_libtool_object output_name pic_name nonpic_name +# Create a libtool object file (analogous to a ".la" file), +# but don't create it if we're doing a dry run. +func_write_libtool_object () +{ + write_libobj=${1} + if test "$build_libtool_libs" = yes; then + write_lobj=\'${2}\' + else + write_lobj=none + fi + + if test "$build_old_libs" = yes; then + write_oldobj=\'${3}\' + else + write_oldobj=none + fi + + $opt_dry_run || { + cat >${write_libobj}T <\?\'\ \ ]*|*]*|"") - arg="\"$arg\"" - ;; - esac - lastarg="$lastarg $arg" + func_quote_for_eval "$arg" + lastarg="$lastarg $func_quote_for_eval_result" done IFS="$save_ifs" - lastarg=`$echo "X$lastarg" | $Xsed -e "s/^ //"` + func_stripname ' ' '' "$lastarg" + lastarg=$func_stripname_result # Add the arguments to base_compile. base_compile="$base_compile $lastarg" continue ;; - * ) + *) # Accept the current argument as the source file. # The previous "srcfile" becomes the current argument. # 
@@ -729,65 +1187,42 @@ esac # case $arg_mode # Aesthetically quote the previous argument. - lastarg=`$echo "X$lastarg" | $Xsed -e "$sed_quote_subst"` - - case $lastarg in - # Double-quote args containing other shell metacharacters. - # Many Bourne shells cannot handle close brackets correctly - # in scan sets, and some SunOS ksh mistreat backslash-escaping - # in scan sets (worked around with variable expansion), - # and furthermore cannot handle '|' '&' '(' ')' in scan sets - # at all, so we specify them separately. - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - lastarg="\"$lastarg\"" - ;; - esac - - base_compile="$base_compile $lastarg" + func_quote_for_eval "$lastarg" + base_compile="$base_compile $func_quote_for_eval_result" done # for arg case $arg_mode in arg) - $echo "$modename: you must specify an argument for -Xcompile" - exit $EXIT_FAILURE + func_fatal_error "you must specify an argument for -Xcompile" ;; target) - $echo "$modename: you must specify a target with \`-o'" 1>&2 - exit $EXIT_FAILURE + func_fatal_error "you must specify a target with \`-o'" ;; *) # Get the name of the library object. - [ -z "$libobj" ] && libobj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%'` + test -z "$libobj" && { + func_basename "$srcfile" + libobj="$func_basename_result" + } ;; esac # Recognize several different file suffixes. # If the user specifies -o file.o, it is replaced with file.lo - xform='[cCFSifmso]' case $libobj in - *.ada) xform=ada ;; - *.adb) xform=adb ;; - *.ads) xform=ads ;; - *.asm) xform=asm ;; - *.c++) xform=c++ ;; - *.cc) xform=cc ;; - *.ii) xform=ii ;; - *.class) xform=class ;; - *.cpp) xform=cpp ;; - *.cxx) xform=cxx ;; - *.f90) xform=f90 ;; - *.for) xform=for ;; - *.java) xform=java ;; - *.obj) xform=obj ;; + *.[cCFSifmso] | \ + *.ada | *.adb | *.ads | *.asm | \ + *.c++ | *.cc | *.ii | *.class | *.cpp | *.cxx | \ + *.[fF][09]? 
| *.for | *.java | *.obj | *.sx) + func_xform "$libobj" + libobj=$func_xform_result + ;; esac - libobj=`$echo "X$libobj" | $Xsed -e "s/\.$xform$/.lo/"` - case $libobj in - *.lo) obj=`$echo "X$libobj" | $Xsed -e "$lo2o"` ;; + *.lo) func_lo2o "$libobj"; obj=$func_lo2o_result ;; *) - $echo "$modename: cannot determine name of library object from \`$libobj'" 1>&2 - exit $EXIT_FAILURE + func_fatal_error "cannot determine name of library object from \`$libobj'" ;; esac @@ -795,7 +1230,15 @@ for arg in $later; do case $arg in + -shared) + test "$build_libtool_libs" != yes && \ + func_fatal_configuration "can not build a shared library" + build_old_libs=no + continue + ;; + -static) + build_libtool_libs=no build_old_libs=yes continue ;; @@ -812,28 +1255,17 @@ esac done - qlibobj=`$echo "X$libobj" | $Xsed -e "$sed_quote_subst"` - case $qlibobj in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - qlibobj="\"$qlibobj\"" ;; - esac - test "X$libobj" != "X$qlibobj" \ - && $echo "X$libobj" | grep '[]~#^*{};<>?"'"'"' &()|`$[]' \ - && $echo "$modename: libobj name \`$libobj' may not contain shell special characters." - objname=`$echo "X$obj" | $Xsed -e 's%^.*/%%'` - xdir=`$echo "X$obj" | $Xsed -e 's%/[^/]*$%%'` - if test "X$xdir" = "X$obj"; then - xdir= - else - xdir=$xdir/ - fi + func_quote_for_eval "$libobj" + test "X$libobj" != "X$func_quote_for_eval_result" \ + && $ECHO "X$libobj" | $GREP '[]~#^*{};<>?"'"'"' &()|`$[]' \ + && func_warning "libobj name \`$libobj' may not contain shell special characters." + func_dirname_and_basename "$obj" "/" "" + objname="$func_basename_result" + xdir="$func_dirname_result" lobj=${xdir}$objdir/$objname - if test -z "$base_compile"; then - $echo "$modename: you must specify a compilation command" 1>&2 - $echo "$help" 1>&2 - exit $EXIT_FAILURE - fi + test -z "$base_compile" && \ + func_fatal_help "you must specify a compilation command" # Delete any leftover library objects. if test "$build_old_libs" = yes; then 
@@ -842,12 +1274,9 @@ removelist="$lobj $libobj ${libobj}T" fi - $run $rm $removelist - trap "$run $rm $removelist; exit $EXIT_FAILURE" 1 2 15 - # On Cygwin there's no "real" PIC flag so we must build both object types case $host_os in - cygwin* | mingw* | pw32* | os2*) + cygwin* | mingw* | pw32* | os2* | cegcc*) pic_mode=default ;; esac @@ -859,10 +1288,8 @@ # Calculate the filename of the output object if compiler does # not support -o with -c if test "$compiler_c_o" = no; then - output_obj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%' -e 's%\.[^.]*$%%'`.${objext} + output_obj=`$ECHO "X$srcfile" | $Xsed -e 's%^.*/%%' -e 's%\.[^.]*$%%'`.${objext} lockfile="$output_obj.lock" - removelist="$removelist $output_obj $lockfile" - trap "$run $rm $removelist; exit $EXIT_FAILURE" 1 2 15 else output_obj= need_locks=no @@ -872,13 +1299,13 @@ # Lock this critical section if it is needed # We use this script file to make the link, it avoids creating a new file if test "$need_locks" = yes; then - until $run ln "$progpath" "$lockfile" 2>/dev/null; do - $show "Waiting for $lockfile to be removed" + until $opt_dry_run || ln "$progpath" "$lockfile" 2>/dev/null; do + func_echo "Waiting for $lockfile to be removed" sleep 2 done elif test "$need_locks" = warn; then if test -f "$lockfile"; then - $echo "\ + $ECHO "\ *** ERROR, $lockfile exists and contains: `cat $lockfile 2>/dev/null` 
@@ -889,34 +1316,22 @@ avoid parallel builds (make -j) in this platform, or get a better compiler." - $run $rm $removelist + $opt_dry_run || $RM $removelist exit $EXIT_FAILURE fi - $echo "$srcfile" > "$lockfile" + removelist="$removelist $output_obj" + $ECHO "$srcfile" > "$lockfile" fi + $opt_dry_run || $RM $removelist + removelist="$removelist $lockfile" + trap '$opt_dry_run || $RM $removelist; exit $EXIT_FAILURE' 1 2 15 + if test -n "$fix_srcfile_path"; then eval srcfile=\"$fix_srcfile_path\" fi - qsrcfile=`$echo "X$srcfile" | $Xsed -e "$sed_quote_subst"` - case $qsrcfile in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - qsrcfile="\"$qsrcfile\"" ;; - esac - - $run $rm "$libobj" "${libobj}T" - - # Create a libtool object file (analogous to a ".la" file), - # but don't create it if we're doing a dry run. - test -z "$run" && cat > ${libobj}T </dev/null`" != "X$srcfile"; then - $echo "\ + $ECHO "\ *** ERROR, $lockfile contains: `cat $lockfile 2>/dev/null` @@ -969,45 +1371,27 @@ avoid parallel builds (make -j) in this platform, or get a better compiler." - $run $rm $removelist + $opt_dry_run || $RM $removelist exit $EXIT_FAILURE fi # Just move the object if needed, then go on to compile the next one if test -n "$output_obj" && test "X$output_obj" != "X$lobj"; then - $show "$mv $output_obj $lobj" - if $run $mv $output_obj $lobj; then : - else - error=$? - $run $rm $removelist - exit $error - fi + func_show_eval '$MV "$output_obj" "$lobj"' \ + 'error=$?; $opt_dry_run || $RM $removelist; exit $error' fi - # Append the name of the PIC object to the libtool object file. - test -z "$run" && cat >> ${libobj}T <> ${libobj}T </dev/null`" != "X$srcfile"; then - $echo "\ + $ECHO "\ *** ERROR, $lockfile contains: `cat $lockfile 2>/dev/null` 
@@ -1041,5446 +1420,6777 @@ avoid parallel builds (make -j) in this platform, or get a better compiler." - $run $rm $removelist + $opt_dry_run || $RM $removelist exit $EXIT_FAILURE fi # Just move the object if needed if test -n "$output_obj" && test "X$output_obj" != "X$obj"; then - $show "$mv $output_obj $obj" - if $run $mv $output_obj $obj; then : - else - error=$? - $run $rm $removelist - exit $error - fi + func_show_eval '$MV "$output_obj" "$obj"' \ + 'error=$?; $opt_dry_run || $RM $removelist; exit $error' fi - - # Append the name of the non-PIC object the libtool object file. - # Only append if the libtool object file exists. - test -z "$run" && cat >> ${libobj}T <> ${libobj}T <&2 - fi - if test -n "$link_static_flag"; then - dlopen_self=$dlopen_self_static - fi - prefer_static_libs=yes - ;; - -static) - if test -z "$pic_flag" && test -n "$link_static_flag"; then - dlopen_self=$dlopen_self_static - fi - prefer_static_libs=built - ;; - -static-libtool-libs) - if test -z "$pic_flag" && test -n "$link_static_flag"; then - dlopen_self=$dlopen_self_static - fi - prefer_static_libs=yes - ;; - esac - build_libtool_libs=no - build_old_libs=yes - break - ;; - esac - done +RM is the name of the program to use to delete files associated with each FILE +(typically \`/bin/rm'). RM-OPTIONS are options (such as \`-f') to be passed +to RM. - # See if our shared archives depend on static archives. - test -n "$old_archive_from_new_cmds" && build_old_libs=yes +If FILE is a libtool library, object or program, all the files associated +with it are deleted. Otherwise, only FILE itself is deleted using RM." + ;; - # Go through the arguments, transforming them on the way. 
- while test "$#" -gt 0; do - arg="$1" - shift - case $arg in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - qarg=\"`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`\" ### testsuite: skip nested quoting test - ;; - *) qarg=$arg ;; - esac - libtool_args="$libtool_args $qarg" + compile) + $ECHO \ +"Usage: $progname [OPTION]... --mode=compile COMPILE-COMMAND... SOURCEFILE - # If the previous option needs an argument, assign it. - if test -n "$prev"; then - case $prev in - output) - compile_command="$compile_command @OUTPUT@" - finalize_command="$finalize_command @OUTPUT@" - ;; - esac +Compile a source file into a libtool library object. - case $prev in - dlfiles|dlprefiles) - if test "$preload" = no; then - # Add the symbol object into the linking commands. - compile_command="$compile_command @SYMFILE@" - finalize_command="$finalize_command @SYMFILE@" - preload=yes - fi - case $arg in - *.la | *.lo) ;; # We handle these cases below. - force) - if test "$dlself" = no; then - dlself=needless - export_dynamic=yes - fi - prev= - continue - ;; - self) - if test "$prev" = dlprefiles; then - dlself=yes - elif test "$prev" = dlfiles && test "$dlopen_self" != yes; then - dlself=yes - else - dlself=needless - export_dynamic=yes - fi - prev= - continue - ;; - *) - if test "$prev" = dlfiles; then - dlfiles="$dlfiles $arg" - else - dlprefiles="$dlprefiles $arg" - fi - prev= - continue - ;; - esac - ;; - expsyms) - export_symbols="$arg" - if test ! 
-f "$arg"; then - $echo "$modename: symbol file \`$arg' does not exist" - exit $EXIT_FAILURE - fi - prev= - continue - ;; - expsyms_regex) - export_symbols_regex="$arg" - prev= - continue - ;; - inst_prefix) - inst_prefix_dir="$arg" - prev= - continue - ;; - precious_regex) - precious_files_regex="$arg" - prev= - continue - ;; - release) - release="-$arg" - prev= - continue - ;; - objectlist) - if test -f "$arg"; then - save_arg=$arg - moreargs= - for fil in `cat $save_arg` - do -# moreargs="$moreargs $fil" - arg=$fil - # A libtool-controlled object. +This mode accepts the following additional options: - # Check to see that this really is a libtool object. - if (${SED} -e '2q' $arg | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then - pic_object= - non_pic_object= + -o OUTPUT-FILE set the output file name to OUTPUT-FILE + -no-suppress do not suppress compiler output for multiple passes + -prefer-pic try to building PIC objects only + -prefer-non-pic try to building non-PIC objects only + -shared do not build a \`.o' file suitable for static linking + -static only build a \`.o' file suitable for static linking - # Read the .lo file - # If there is no directory component, then add one. - case $arg in - */* | *\\*) . $arg ;; - *) . ./$arg ;; - esac +COMPILE-COMMAND is a command to be used in creating a \`standard' object file +from the given SOURCEFILE. - if test -z "$pic_object" || \ - test -z "$non_pic_object" || - test "$pic_object" = none && \ - test "$non_pic_object" = none; then - $echo "$modename: cannot find name of object for \`$arg'" 1>&2 - exit $EXIT_FAILURE - fi +The output file name is determined by removing the directory component from +SOURCEFILE, then substituting the C source code suffix \`.c' with the +library object suffix, \`.lo'." + ;; - # Extract subdirectory from the argument. 
- xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'` - if test "X$xdir" = "X$arg"; then - xdir= - else - xdir="$xdir/" - fi + execute) + $ECHO \ +"Usage: $progname [OPTION]... --mode=execute COMMAND [ARGS]... - if test "$pic_object" != none; then - # Prepend the subdirectory the object is found in. - pic_object="$xdir$pic_object" +Automatically set library path, then run a program. - if test "$prev" = dlfiles; then - if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then - dlfiles="$dlfiles $pic_object" - prev= - continue - else - # If libtool objects are unsupported, then we need to preload. - prev=dlprefiles - fi - fi +This mode accepts the following additional options: - # CHECK ME: I think I busted this. -Ossama - if test "$prev" = dlprefiles; then - # Preload the old-style object. - dlprefiles="$dlprefiles $pic_object" - prev= - fi + -dlopen FILE add the directory containing FILE to the library path - # A PIC object. - libobjs="$libobjs $pic_object" - arg="$pic_object" - fi +This mode sets the library path environment variable according to \`-dlopen' +flags. - # Non-PIC object. - if test "$non_pic_object" != none; then - # Prepend the subdirectory the object is found in. - non_pic_object="$xdir$non_pic_object" +If any of the ARGS are libtool executable wrappers, then they are translated +into their corresponding uninstalled binary, and any of their required library +directories are added to the library path. - # A standard non-PIC object - non_pic_objects="$non_pic_objects $non_pic_object" - if test -z "$pic_object" || test "$pic_object" = none ; then - arg="$non_pic_object" - fi - else - # If the PIC object exists, use it instead. - # $xdir was prepended to $pic_object above. - non_pic_object="$pic_object" - non_pic_objects="$non_pic_objects $non_pic_object" - fi - else - # Only an error if not doing a dry-run. - if test -z "$run"; then - $echo "$modename: \`$arg' is not a valid libtool object" 1>&2 - exit $EXIT_FAILURE - else - # Dry-run case. 
+Then, COMMAND is executed, with ARGS as arguments." + ;; - # Extract subdirectory from the argument. - xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'` - if test "X$xdir" = "X$arg"; then - xdir= - else - xdir="$xdir/" - fi + finish) + $ECHO \ +"Usage: $progname [OPTION]... --mode=finish [LIBDIR]... - pic_object=`$echo "X${xdir}${objdir}/${arg}" | $Xsed -e "$lo2o"` - non_pic_object=`$echo "X${xdir}${arg}" | $Xsed -e "$lo2o"` - libobjs="$libobjs $pic_object" - non_pic_objects="$non_pic_objects $non_pic_object" - fi - fi - done - else - $echo "$modename: link input file \`$save_arg' does not exist" - exit $EXIT_FAILURE - fi - arg=$save_arg - prev= - continue - ;; - rpath | xrpath) - # We need an absolute path. - case $arg in - [\\/]* | [A-Za-z]:[\\/]*) ;; - *) - $echo "$modename: only absolute run-paths are allowed" 1>&2 - exit $EXIT_FAILURE - ;; - esac - if test "$prev" = rpath; then - case "$rpath " in - *" $arg "*) ;; - *) rpath="$rpath $arg" ;; - esac - else - case "$xrpath " in - *" $arg "*) ;; - *) xrpath="$xrpath $arg" ;; - esac - fi - prev= - continue - ;; - xcompiler) - compiler_flags="$compiler_flags $qarg" - prev= - compile_command="$compile_command $qarg" - finalize_command="$finalize_command $qarg" - continue - ;; - xlinker) - linker_flags="$linker_flags $qarg" - compiler_flags="$compiler_flags $wl$qarg" - prev= - compile_command="$compile_command $wl$qarg" - finalize_command="$finalize_command $wl$qarg" - continue - ;; - xcclinker) - linker_flags="$linker_flags $qarg" - compiler_flags="$compiler_flags $qarg" - prev= - compile_command="$compile_command $qarg" - finalize_command="$finalize_command $qarg" - continue - ;; - shrext) - shrext_cmds="$arg" - prev= - continue - ;; - darwin_framework|darwin_framework_skip) - test "$prev" = "darwin_framework" && compiler_flags="$compiler_flags $arg" - compile_command="$compile_command $arg" - finalize_command="$finalize_command $arg" - prev= - continue - ;; - *) - eval "$prev=\"\$arg\"" - prev= - continue - ;; - esac 
- fi # test -n "$prev" +Complete the installation of libtool libraries. - prevarg="$arg" +Each LIBDIR is a directory that contains libtool libraries. - case $arg in - -all-static) - if test -n "$link_static_flag"; then - compile_command="$compile_command $link_static_flag" - finalize_command="$finalize_command $link_static_flag" - fi - continue - ;; +The commands that this mode executes may require superuser privileges. Use +the \`--dry-run' option if you just want to see what would be executed." + ;; - -allow-undefined) - # FIXME: remove this flag sometime in the future. - $echo "$modename: \`-allow-undefined' is deprecated because it is the default" 1>&2 - continue - ;; + install) + $ECHO \ +"Usage: $progname [OPTION]... --mode=install INSTALL-COMMAND... - -avoid-version) - avoid_version=yes - continue - ;; +Install executables or libraries. - -dlopen) - prev=dlfiles - continue - ;; +INSTALL-COMMAND is the installation command. The first component should be +either the \`install' or \`cp' program. - -dlpreopen) - prev=dlprefiles - continue - ;; +The following components of INSTALL-COMMAND are treated specially: - -export-dynamic) - export_dynamic=yes - continue - ;; + -inst-prefix PREFIX-DIR Use PREFIX-DIR as a staging area for installation - -export-symbols | -export-symbols-regex) - if test -n "$export_symbols" || test -n "$export_symbols_regex"; then - $echo "$modename: more than one -exported-symbols argument is not allowed" - exit $EXIT_FAILURE - fi - if test "X$arg" = "X-export-symbols"; then - prev=expsyms - else - prev=expsyms_regex - fi - continue - ;; +The rest of the components are interpreted as arguments to that command (only +BSD-compatible install options are recognized)." 
+ ;; - -framework|-arch|-isysroot) - case " $CC " in - *" ${arg} ${1} "* | *" ${arg} ${1} "*) - prev=darwin_framework_skip ;; - *) compiler_flags="$compiler_flags $arg" - prev=darwin_framework ;; - esac - compile_command="$compile_command $arg" - finalize_command="$finalize_command $arg" - continue - ;; + link) + $ECHO \ +"Usage: $progname [OPTION]... --mode=link LINK-COMMAND... - -inst-prefix-dir) - prev=inst_prefix - continue - ;; +Link object files or libraries together to form another library, or to +create an executable program. - # The native IRIX linker understands -LANG:*, -LIST:* and -LNO:* - # so, if we see these flags be careful not to treat them like -L - -L[A-Z][A-Z]*:*) - case $with_gcc/$host in - no/*-*-irix* | /*-*-irix*) - compile_command="$compile_command $arg" - finalize_command="$finalize_command $arg" - ;; - esac - continue - ;; +LINK-COMMAND is a command using the C compiler that you would use to create +a program from several object files. - -L*) - dir=`$echo "X$arg" | $Xsed -e 's/^-L//'` - # We need an absolute path. 
- case $dir in - [\\/]* | [A-Za-z]:[\\/]*) ;; - *) - absdir=`cd "$dir" && pwd` - if test -z "$absdir"; then - $echo "$modename: cannot determine absolute directory name of \`$dir'" 1>&2 - absdir="$dir" - notinst_path="$notinst_path $dir" - fi - dir="$absdir" - ;; - esac - case "$deplibs " in - *" -L$dir "*) ;; - *) - deplibs="$deplibs -L$dir" - lib_search_path="$lib_search_path $dir" - ;; - esac - case $host in - *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*) - testbindir=`$echo "X$dir" | $Xsed -e 's*/lib$*/bin*'` - case :$dllsearchpath: in - *":$dir:"*) ;; - *) dllsearchpath="$dllsearchpath:$dir";; - esac - case :$dllsearchpath: in - *":$testbindir:"*) ;; - *) dllsearchpath="$dllsearchpath:$testbindir";; - esac - ;; - esac - continue - ;; +The following components of LINK-COMMAND are treated specially: - -l*) - if test "X$arg" = "X-lc" || test "X$arg" = "X-lm"; then - case $host in - *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-beos*) - # These systems don't actually have a C or math library (as such) - continue - ;; - *-*-os2*) - # These systems don't actually have a C library (as such) - test "X$arg" = "X-lc" && continue - ;; - *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*) - # Do not include libc due to us having libc/libc_r. - test "X$arg" = "X-lc" && continue - ;; - *-*-rhapsody* | *-*-darwin1.[012]) - # Rhapsody C and math libraries are in the System framework - deplibs="$deplibs -framework System" - continue - ;; - *-*-sco3.2v5* | *-*-sco5v6*) - # Causes problems with __ctype - test "X$arg" = "X-lc" && continue - ;; - *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*) - # Compiler inserts libc in the correct place for threads to work - test "X$arg" = "X-lc" && continue - ;; - esac - elif test "X$arg" = "X-lc_r"; then - case $host in - *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*) - # Do not include libc_r directly, use -pthread flag. 
- continue - ;; - esac - fi - deplibs="$deplibs $arg" - continue - ;; + -all-static do not do any dynamic linking at all + -avoid-version do not add a version suffix if possible + -dlopen FILE \`-dlpreopen' FILE if it cannot be dlopened at runtime + -dlpreopen FILE link in FILE and add its symbols to lt_preloaded_symbols + -export-dynamic allow symbols from OUTPUT-FILE to be resolved with dlsym(3) + -export-symbols SYMFILE + try to export only the symbols listed in SYMFILE + -export-symbols-regex REGEX + try to export only the symbols matching REGEX + -LLIBDIR search LIBDIR for required installed libraries + -lNAME OUTPUT-FILE requires the installed library libNAME + -module build a library that can dlopened + -no-fast-install disable the fast-install mode + -no-install link a not-installable executable + -no-undefined declare that a library does not refer to external symbols + -o OUTPUT-FILE create OUTPUT-FILE from the specified objects + -objectlist FILE Use a list of object files found in FILE to specify objects + -precious-files-regex REGEX + don't remove output files matching REGEX + -release RELEASE specify package release information + -rpath LIBDIR the created library will eventually be installed in LIBDIR + -R[ ]LIBDIR add LIBDIR to the runtime path of programs and libraries + -shared only do dynamic linking of libtool libraries + -shrext SUFFIX override the standard shared library file extension + -static do not do any dynamic linking of uninstalled libtool libraries + -static-libtool-libs + do not do any dynamic linking of libtool libraries + -version-info CURRENT[:REVISION[:AGE]] + specify library version info [each variable defaults to 0] + -weak LIBNAME declare that the target provides the LIBNAME interface - # Tru64 UNIX uses -model [arg] to determine the layout of C++ - # classes, name mangling, and exception handling. 
- -model) - compile_command="$compile_command $arg" - compiler_flags="$compiler_flags $arg" - finalize_command="$finalize_command $arg" - prev=xcompiler - continue - ;; +All other options (arguments beginning with \`-') are ignored. - -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe) - compiler_flags="$compiler_flags $arg" - compile_command="$compile_command $arg" - finalize_command="$finalize_command $arg" - continue - ;; +Every other argument is treated as a filename. Files ending in \`.la' are +treated as uninstalled libtool libraries, other files are standard or library +object files. - -module) - module=yes - continue - ;; +If the OUTPUT-FILE ends in \`.la', then a libtool library is created, +only library objects (\`.lo' files) may be specified, and \`-rpath' is +required, except when creating a convenience library. - # -64, -mips[0-9] enable 64-bit mode on the SGI compiler - # -r[0-9][0-9]* specifies the processor on the SGI compiler - # -xarch=*, -xtarget=* enable 64-bit mode on the Sun compiler - # +DA*, +DD* enable 64-bit mode on the HP compiler - # -q* pass through compiler args for the IBM compiler - # -m* pass through architecture-specific compiler args for GCC - # -m*, -t[45]*, -txscale* pass through architecture-specific - # compiler args for GCC - # -pg pass through profiling flag for GCC - # @file GCC response files - -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*|-pg| \ - -t[45]*|-txscale*|@*) +If OUTPUT-FILE ends in \`.a' or \`.lib', then a standard library is created +using \`ar' and \`ranlib', or on Windows using \`lib'. - # Unknown arguments in both finalize_command and compile_command need - # to be aesthetically quoted because they are evaled later. 
- arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"` - case $arg in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - arg="\"$arg\"" - ;; - esac - compile_command="$compile_command $arg" - finalize_command="$finalize_command $arg" - compiler_flags="$compiler_flags $arg" - continue +If OUTPUT-FILE ends in \`.lo' or \`.${objext}', then a reloadable object file +is created, otherwise an executable program is created." ;; - -shrext) - prev=shrext - continue - ;; + uninstall) + $ECHO \ +"Usage: $progname [OPTION]... --mode=uninstall RM [RM-OPTION]... FILE... - -no-fast-install) - fast_install=no - continue - ;; +Remove libraries from an installation directory. - -no-install) - case $host in - *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*) - # The PATH hackery in wrapper scripts is required on Windows - # in order for the loader to find any dlls it needs. - $echo "$modename: warning: \`-no-install' is ignored for $host" 1>&2 - $echo "$modename: warning: assuming \`-no-fast-install' instead" 1>&2 - fast_install=no - ;; - *) no_install=yes ;; - esac - continue - ;; +RM is the name of the program to use to delete files associated with each FILE +(typically \`/bin/rm'). RM-OPTIONS are options (such as \`-f') to be passed +to RM. - -no-undefined) - allow_undefined=no - continue - ;; +If FILE is a libtool library, all the files associated with it are deleted. +Otherwise, only FILE itself is deleted using RM." + ;; - -objectlist) - prev=objectlist - continue - ;; + *) + func_fatal_help "invalid operation mode \`$mode'" + ;; + esac - -o) prev=output ;; + $ECHO + $ECHO "Try \`$progname --help' for more information about other modes." - -precious-files-regex) - prev=precious_regex - continue - ;; + exit $? +} - -release) - prev=release - continue - ;; + # Now that we've collected a possible --mode arg, show help if necessary + $opt_help && func_mode_help - -rpath) - prev=rpath - continue - ;; - -R) - prev=xrpath - continue - ;; +# func_mode_execute arg... 
+func_mode_execute () +{ + $opt_debug + # The first argument is the command name. + cmd="$nonopt" + test -z "$cmd" && \ + func_fatal_help "you must specify a COMMAND" - -R*) - dir=`$echo "X$arg" | $Xsed -e 's/^-R//'` - # We need an absolute path. - case $dir in - [\\/]* | [A-Za-z]:[\\/]*) ;; - *) - $echo "$modename: only absolute run-paths are allowed" 1>&2 - exit $EXIT_FAILURE - ;; - esac - case "$xrpath " in - *" $dir "*) ;; - *) xrpath="$xrpath $dir" ;; - esac - continue - ;; + # Handle -dlopen flags immediately. + for file in $execute_dlfiles; do + test -f "$file" \ + || func_fatal_help "\`$file' is not a file" - -static | -static-libtool-libs) - # The effects of -static are defined in a previous loop. - # We used to do the same as -all-static on platforms that - # didn't have a PIC flag, but the assumption that the effects - # would be equivalent was wrong. It would break on at least - # Digital Unix and AIX. - continue - ;; + dir= + case $file in + *.la) + # Check to see that this really is a libtool archive. + func_lalib_unsafe_p "$file" \ + || func_fatal_help "\`$lib' is not a valid libtool archive" - -thread-safe) - thread_safe=yes - continue - ;; + # Read the libtool library. + dlname= + library_names= + func_source "$file" - -version-info) - prev=vinfo - continue - ;; - -version-number) - prev=vinfo - vinfo_number=yes - continue - ;; + # Skip this library if it cannot be dlopened. + if test -z "$dlname"; then + # Warn if it was a shared library. 
+ test -n "$library_names" && \ + func_warning "\`$file' was not linked with \`-export-dynamic'" + continue + fi - -Wc,*) - args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wc,//'` - arg= - save_ifs="$IFS"; IFS=',' - for flag in $args; do - IFS="$save_ifs" - case $flag in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - flag="\"$flag\"" - ;; - esac - arg="$arg $wl$flag" - compiler_flags="$compiler_flags $flag" - done - IFS="$save_ifs" - arg=`$echo "X$arg" | $Xsed -e "s/^ //"` - ;; + func_dirname "$file" "" "." + dir="$func_dirname_result" - -Wl,*) - args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wl,//'` - arg= - save_ifs="$IFS"; IFS=',' - for flag in $args; do - IFS="$save_ifs" - case $flag in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - flag="\"$flag\"" - ;; - esac - arg="$arg $wl$flag" - compiler_flags="$compiler_flags $wl$flag" - linker_flags="$linker_flags $flag" - done - IFS="$save_ifs" - arg=`$echo "X$arg" | $Xsed -e "s/^ //"` + if test -f "$dir/$objdir/$dlname"; then + dir="$dir/$objdir" + else + if test ! -f "$dir/$dlname"; then + func_fatal_error "cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'" + fi + fi ;; - -Xcompiler) - prev=xcompiler - continue + *.lo) + # Just add the directory containing the .lo file. + func_dirname "$file" "" "." + dir="$func_dirname_result" ;; - -Xlinker) - prev=xlinker + *) + func_warning "\`-dlopen' is ignored for non-libtool libraries and objects" continue ;; + esac - -XCClinker) - prev=xcclinker - continue - ;; + # Get the absolute pathname. + absdir=`cd "$dir" && pwd` + test -n "$absdir" && dir="$absdir" - # Some other compiler flag. - -* | +*) - # Unknown arguments in both finalize_command and compile_command need - # to be aesthetically quoted because they are evaled later. - arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"` - case $arg in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - arg="\"$arg\"" - ;; - esac - ;; + # Now add the directory to shlibpath_var. 
+ if eval "test -z \"\$$shlibpath_var\""; then + eval "$shlibpath_var=\"\$dir\"" + else + eval "$shlibpath_var=\"\$dir:\$$shlibpath_var\"" + fi + done - *.$objext) - # A standard object. - objs="$objs $arg" - ;; + # This variable tells wrapper scripts just to set shlibpath_var + # rather than running their programs. + libtool_execute_magic="$magic" - *.lo) - # A libtool-controlled object. + # Check if any of the arguments is a wrapper script. + args= + for file + do + case $file in + -*) ;; + *) + # Do a test to see if this is really a libtool program. + if func_ltwrapper_script_p "$file"; then + func_source "$file" + # Transform arg to wrapped name. + file="$progdir/$program" + elif func_ltwrapper_executable_p "$file"; then + func_ltwrapper_scriptname "$file" + func_source "$func_ltwrapper_scriptname_result" + # Transform arg to wrapped name. + file="$progdir/$program" + fi + ;; + esac + # Quote arguments (to preserve shell metacharacters). + func_quote_for_eval "$file" + args="$args $func_quote_for_eval_result" + done - # Check to see that this really is a libtool object. - if (${SED} -e '2q' $arg | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then - pic_object= - non_pic_object= + if test "X$opt_dry_run" = Xfalse; then + if test -n "$shlibpath_var"; then + # Export the shlibpath_var. + eval "export $shlibpath_var" + fi - # Read the .lo file - # If there is no directory component, then add one. - case $arg in - */* | *\\*) . $arg ;; - *) . 
./$arg ;; - esac + # Restore saved environment variables + for lt_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES + do + eval "if test \"\${save_$lt_var+set}\" = set; then + $lt_var=\$save_$lt_var; export $lt_var + else + $lt_unset $lt_var + fi" + done - if test -z "$pic_object" || \ - test -z "$non_pic_object" || - test "$pic_object" = none && \ - test "$non_pic_object" = none; then - $echo "$modename: cannot find name of object for \`$arg'" 1>&2 - exit $EXIT_FAILURE - fi + # Now prepare to actually exec the command. + exec_cmd="\$cmd$args" + else + # Display what would be done. + if test -n "$shlibpath_var"; then + eval "\$ECHO \"\$shlibpath_var=\$$shlibpath_var\"" + $ECHO "export $shlibpath_var" + fi + $ECHO "$cmd$args" + exit $EXIT_SUCCESS + fi +} - # Extract subdirectory from the argument. - xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'` - if test "X$xdir" = "X$arg"; then - xdir= - else - xdir="$xdir/" - fi +test "$mode" = execute && func_mode_execute ${1+"$@"} - if test "$pic_object" != none; then - # Prepend the subdirectory the object is found in. - pic_object="$xdir$pic_object" - if test "$prev" = dlfiles; then - if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then - dlfiles="$dlfiles $pic_object" - prev= - continue - else - # If libtool objects are unsupported, then we need to preload. - prev=dlprefiles - fi - fi +# func_mode_finish arg... +func_mode_finish () +{ + $opt_debug + libdirs="$nonopt" + admincmds= - # CHECK ME: I think I busted this. -Ossama - if test "$prev" = dlprefiles; then - # Preload the old-style object. - dlprefiles="$dlprefiles $pic_object" - prev= - fi + if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then + for dir + do + libdirs="$libdirs $dir" + done - # A PIC object. - libobjs="$libobjs $pic_object" - arg="$pic_object" - fi + for libdir in $libdirs; do + if test -n "$finish_cmds"; then + # Do each command in the finish commands. 
+ func_execute_cmds "$finish_cmds" 'admincmds="$admincmds +'"$cmd"'"' + fi + if test -n "$finish_eval"; then + # Do the single finish_eval. + eval cmds=\"$finish_eval\" + $opt_dry_run || eval "$cmds" || admincmds="$admincmds + $cmds" + fi + done + fi - # Non-PIC object. - if test "$non_pic_object" != none; then - # Prepend the subdirectory the object is found in. - non_pic_object="$xdir$non_pic_object" + # Exit here if they wanted silent mode. + $opt_silent && exit $EXIT_SUCCESS - # A standard non-PIC object - non_pic_objects="$non_pic_objects $non_pic_object" - if test -z "$pic_object" || test "$pic_object" = none ; then - arg="$non_pic_object" - fi - else - # If the PIC object exists, use it instead. - # $xdir was prepended to $pic_object above. - non_pic_object="$pic_object" - non_pic_objects="$non_pic_objects $non_pic_object" - fi - else - # Only an error if not doing a dry-run. - if test -z "$run"; then - $echo "$modename: \`$arg' is not a valid libtool object" 1>&2 - exit $EXIT_FAILURE - else - # Dry-run case. + $ECHO "X----------------------------------------------------------------------" | $Xsed + $ECHO "Libraries have been installed in:" + for libdir in $libdirs; do + $ECHO " $libdir" + done + $ECHO + $ECHO "If you ever happen to want to link against installed libraries" + $ECHO "in a given directory, LIBDIR, you must either use libtool, and" + $ECHO "specify the full pathname of the library, or use the \`-LLIBDIR'" + $ECHO "flag during linking and do at least one of the following:" + if test -n "$shlibpath_var"; then + $ECHO " - add LIBDIR to the \`$shlibpath_var' environment variable" + $ECHO " during execution" + fi + if test -n "$runpath_var"; then + $ECHO " - add LIBDIR to the \`$runpath_var' environment variable" + $ECHO " during linking" + fi + if test -n "$hardcode_libdir_flag_spec"; then + libdir=LIBDIR + eval flag=\"$hardcode_libdir_flag_spec\" - # Extract subdirectory from the argument. 
- xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'` - if test "X$xdir" = "X$arg"; then - xdir= - else - xdir="$xdir/" - fi + $ECHO " - use the \`$flag' linker flag" + fi + if test -n "$admincmds"; then + $ECHO " - have your system administrator run these commands:$admincmds" + fi + if test -f /etc/ld.so.conf; then + $ECHO " - have your system administrator add LIBDIR to \`/etc/ld.so.conf'" + fi + $ECHO - pic_object=`$echo "X${xdir}${objdir}/${arg}" | $Xsed -e "$lo2o"` - non_pic_object=`$echo "X${xdir}${arg}" | $Xsed -e "$lo2o"` - libobjs="$libobjs $pic_object" - non_pic_objects="$non_pic_objects $non_pic_object" - fi - fi + $ECHO "See any operating system documentation about shared libraries for" + case $host in + solaris2.[6789]|solaris2.1[0-9]) + $ECHO "more information, such as the ld(1), crle(1) and ld.so(8) manual" + $ECHO "pages." ;; + *) + $ECHO "more information, such as the ld(1) and ld.so(8) manual pages." + ;; + esac + $ECHO "X----------------------------------------------------------------------" | $Xsed + exit $EXIT_SUCCESS +} - *.$libext) - # An archive. - deplibs="$deplibs $arg" - old_deplibs="$old_deplibs $arg" - continue - ;; +test "$mode" = finish && func_mode_finish ${1+"$@"} - *.la) - # A libtool-controlled library. - if test "$prev" = dlfiles; then - # This library was specified with -dlopen. - dlfiles="$dlfiles $arg" - prev= - elif test "$prev" = dlprefiles; then - # The library was specified with -dlpreopen. - dlprefiles="$dlprefiles $arg" +# func_mode_install arg... +func_mode_install () +{ + $opt_debug + # There may be an optional sh(1) argument at the beginning of + # install_prog (especially on Windows NT). + if test "$nonopt" = "$SHELL" || test "$nonopt" = /bin/sh || + # Allow the use of GNU shtool's install command. + $ECHO "X$nonopt" | $GREP shtool >/dev/null; then + # Aesthetically quote it. 
+ func_quote_for_eval "$nonopt" + install_prog="$func_quote_for_eval_result " + arg=$1 + shift + else + install_prog= + arg=$nonopt + fi + + # The real first argument should be the name of the installation program. + # Aesthetically quote it. + func_quote_for_eval "$arg" + install_prog="$install_prog$func_quote_for_eval_result" + + # We need to accept at least all the BSD install flags. + dest= + files= + opts= + prev= + install_type= + isdir=no + stripme= + for arg + do + if test -n "$dest"; then + files="$files $dest" + dest=$arg + continue + fi + + case $arg in + -d) isdir=yes ;; + -f) + case " $install_prog " in + *[\\\ /]cp\ *) ;; + *) prev=$arg ;; + esac + ;; + -g | -m | -o) + prev=$arg + ;; + -s) + stripme=" -s" + continue + ;; + -*) + ;; + *) + # If the previous option needed an argument, then skip it. + if test -n "$prev"; then prev= else - deplibs="$deplibs $arg" + dest=$arg + continue fi - continue ;; + esac - # Some other compiler argument. - *) - # Unknown arguments in both finalize_command and compile_command need - # to be aesthetically quoted because they are evaled later. - arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"` - case $arg in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - arg="\"$arg\"" - ;; - esac - ;; - esac # arg + # Aesthetically quote the argument. + func_quote_for_eval "$arg" + install_prog="$install_prog $func_quote_for_eval_result" + done - # Now actually substitute the argument into the commands. 
- if test -n "$arg"; then - compile_command="$compile_command $arg" - finalize_command="$finalize_command $arg" - fi - done # argument parsing loop + test -z "$install_prog" && \ + func_fatal_help "you must specify an install program" - if test -n "$prev"; then - $echo "$modename: the \`$prevarg' option requires an argument" 1>&2 - $echo "$help" 1>&2 - exit $EXIT_FAILURE - fi + test -n "$prev" && \ + func_fatal_help "the \`$prev' option requires an argument" - if test "$export_dynamic" = yes && test -n "$export_dynamic_flag_spec"; then - eval arg=\"$export_dynamic_flag_spec\" - compile_command="$compile_command $arg" - finalize_command="$finalize_command $arg" + if test -z "$files"; then + if test -z "$dest"; then + func_fatal_help "no file or destination specified" + else + func_fatal_help "you must specify a destination" + fi fi - oldlibs= - # calculate the name of the file, without its directory - outputname=`$echo "X$output" | $Xsed -e 's%^.*/%%'` - libobjs_save="$libobjs" + # Strip any trailing slash from the destination. + func_stripname '' '/' "$dest" + dest=$func_stripname_result - if test -n "$shlibpath_var"; then - # get the directories listed in $shlibpath_var - eval shlib_search_path=\`\$echo \"X\${$shlibpath_var}\" \| \$Xsed -e \'s/:/ /g\'\` + # Check to see that the destination is a directory. + test -d "$dest" && isdir=yes + if test "$isdir" = yes; then + destdir="$dest" + destname= else - shlib_search_path= - fi - eval sys_lib_search_path=\"$sys_lib_search_path_spec\" - eval sys_lib_dlsearch_path=\"$sys_lib_dlsearch_path_spec\" + func_dirname_and_basename "$dest" "" "." + destdir="$func_dirname_result" + destname="$func_basename_result" - output_objdir=`$echo "X$output" | $Xsed -e 's%/[^/]*$%%'` - if test "X$output_objdir" = "X$output"; then - output_objdir="$objdir" - else - output_objdir="$output_objdir/$objdir" - fi - # Create the object directory. - if test ! 
-d "$output_objdir"; then - $show "$mkdir $output_objdir" - $run $mkdir $output_objdir - exit_status=$? - if test "$exit_status" -ne 0 && test ! -d "$output_objdir"; then - exit $exit_status - fi + # Not a directory, so check to see that there is only one file specified. + set dummy $files; shift + test "$#" -gt 1 && \ + func_fatal_help "\`$dest' is not a directory" fi - - # Determine the type of output - case $output in - "") - $echo "$modename: you must specify an output file" 1>&2 - $echo "$help" 1>&2 - exit $EXIT_FAILURE - ;; - *.$libext) linkmode=oldlib ;; - *.lo | *.$objext) linkmode=obj ;; - *.la) linkmode=lib ;; - *) linkmode=prog ;; # Anything else should be a program. - esac - - case $host in - *cygwin* | *mingw* | *pw32*) - # don't eliminate duplications in $postdeps and $predeps - duplicate_compiler_generated_deps=yes - ;; + case $destdir in + [\\/]* | [A-Za-z]:[\\/]*) ;; *) - duplicate_compiler_generated_deps=$duplicate_deps + for file in $files; do + case $file in + *.lo) ;; + *) + func_fatal_help "\`$destdir' must be an absolute directory name" + ;; + esac + done ;; esac - specialdeplibs= - libs= - # Find all interdependent deplibs by searching for libraries - # that are linked more than once (e.g. -la -lb -la) - for deplib in $deplibs; do - if test "X$duplicate_deps" = "Xyes" ; then - case "$libs " in - *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;; - esac - fi - libs="$libs $deplib" - done + # This variable tells wrapper scripts just to set variables rather + # than running their programs. + libtool_install_magic="$magic" - if test "$linkmode" = lib; then - libs="$predeps $libs $compiler_lib_search_path $postdeps" + staticlibs= + future_libdirs= + current_libdirs= + for file in $files; do - # Compute libraries that are listed more than once in $predeps - # $postdeps and mark them as special (i.e., whose duplicates are - # not to be eliminated). 
- pre_post_deps= - if test "X$duplicate_compiler_generated_deps" = "Xyes" ; then - for pre_post_dep in $predeps $postdeps; do - case "$pre_post_deps " in - *" $pre_post_dep "*) specialdeplibs="$specialdeplibs $pre_post_deps" ;; + # Do each installation. + case $file in + *.$libext) + # Do the static libraries later. + staticlibs="$staticlibs $file" + ;; + + *.la) + # Check to see that this really is a libtool archive. + func_lalib_unsafe_p "$file" \ + || func_fatal_help "\`$file' is not a valid libtool archive" + + library_names= + old_library= + relink_command= + func_source "$file" + + # Add the libdir to current_libdirs if it is the destination. + if test "X$destdir" = "X$libdir"; then + case "$current_libdirs " in + *" $libdir "*) ;; + *) current_libdirs="$current_libdirs $libdir" ;; esac - pre_post_deps="$pre_post_deps $pre_post_dep" - done - fi - pre_post_deps= - fi + else + # Note the libdir as a future libdir. + case "$future_libdirs " in + *" $libdir "*) ;; + *) future_libdirs="$future_libdirs $libdir" ;; + esac + fi - deplibs= - newdependency_libs= - newlib_search_path= - need_relink=no # whether we're linking any uninstalled libtool libraries - notinst_deplibs= # not-installed libtool libraries - case $linkmode in - lib) - passes="conv link" - for file in $dlfiles $dlprefiles; do - case $file in - *.la) ;; - *) - $echo "$modename: libraries can \`-dlopen' only libtool libraries: $file" 1>&2 - exit $EXIT_FAILURE + func_dirname "$file" "/" "" + dir="$func_dirname_result" + dir="$dir$objdir" + + if test -n "$relink_command"; then + # Determine the prefix the user has applied to our future dir. + inst_prefix_dir=`$ECHO "X$destdir" | $Xsed -e "s%$libdir\$%%"` + + # Don't allow the user to place us outside of our expected + # location b/c this prevents finding dependent libraries that + # are installed to the same prefix. 
+ # At present, this check doesn't affect windows .dll's that + # are installed into $libdir/../bin (currently, that works fine) + # but it's something to keep an eye on. + test "$inst_prefix_dir" = "$destdir" && \ + func_fatal_error "error: cannot install \`$file' to a directory not ending in $libdir" + + if test -n "$inst_prefix_dir"; then + # Stick the inst_prefix_dir data into the link command. + relink_command=`$ECHO "X$relink_command" | $Xsed -e "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%"` + else + relink_command=`$ECHO "X$relink_command" | $Xsed -e "s%@inst_prefix_dir@%%"` + fi + + func_warning "relinking \`$file'" + func_show_eval "$relink_command" \ + 'func_fatal_error "error: relink \`$file'\'' with the above command before installing it"' + fi + + # See the names of the shared library. + set dummy $library_names; shift + if test -n "$1"; then + realname="$1" + shift + + srcname="$realname" + test -n "$relink_command" && srcname="$realname"T + + # Install the shared library and build the symlinks. + func_show_eval "$install_prog $dir/$srcname $destdir/$realname" \ + 'exit $?' + tstripme="$stripme" + case $host_os in + cygwin* | mingw* | pw32* | cegcc*) + case $realname in + *.dll.a) + tstripme="" + ;; + esac ;; esac - done - ;; - prog) - compile_deplibs= - finalize_deplibs= - alldeplibs=no - newdlfiles= - newdlprefiles= - passes="conv scan dlopen dlpreopen link" - ;; - *) passes="conv" + if test -n "$tstripme" && test -n "$striplib"; then + func_show_eval "$striplib $destdir/$realname" 'exit $?' + fi + + if test "$#" -gt 0; then + # Delete the old symlinks, and create new ones. + # Try `ln -sf' first, because the `ln' binary might depend on + # the symlink we replace! Solaris /bin/ln does not understand -f, + # so we also need to try rm && ln -s. 
+ for linkname + do + test "$linkname" != "$realname" \ + && func_show_eval "(cd $destdir && { $LN_S -f $realname $linkname || { $RM $linkname && $LN_S $realname $linkname; }; })" + done + fi + + # Do each command in the postinstall commands. + lib="$destdir/$realname" + func_execute_cmds "$postinstall_cmds" 'exit $?' + fi + + # Install the pseudo-library for information purposes. + func_basename "$file" + name="$func_basename_result" + instname="$dir/$name"i + func_show_eval "$install_prog $instname $destdir/$name" 'exit $?' + + # Maybe install the static library, too. + test -n "$old_library" && staticlibs="$staticlibs $dir/$old_library" ;; - esac - for pass in $passes; do - if test "$linkmode,$pass" = "lib,link" || - test "$linkmode,$pass" = "prog,scan"; then - libs="$deplibs" - deplibs= - fi - if test "$linkmode" = prog; then - case $pass in - dlopen) libs="$dlfiles" ;; - dlpreopen) libs="$dlprefiles" ;; - link) libs="$deplibs %DEPLIBS% $dependency_libs" ;; - esac - fi - if test "$pass" = dlopen; then - # Collect dlpreopened libraries - save_deplibs="$deplibs" - deplibs= - fi - for deplib in $libs; do - lib= - found=no - case $deplib in - -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe) - if test "$linkmode,$pass" = "prog,link"; then - compile_deplibs="$deplib $compile_deplibs" - finalize_deplibs="$deplib $finalize_deplibs" - else - compiler_flags="$compiler_flags $deplib" - fi - continue - ;; - -l*) - if test "$linkmode" != lib && test "$linkmode" != prog; then - $echo "$modename: warning: \`-l' is ignored for archives/objects" 1>&2 - continue - fi - name=`$echo "X$deplib" | $Xsed -e 's/^-l//'` - for searchdir in $newlib_search_path $lib_search_path $sys_lib_search_path $shlib_search_path; do - for search_ext in .la $std_shrext .so .a; do - # Search the libtool library - lib="$searchdir/lib${name}${search_ext}" - if test -f "$lib"; then - if test "$search_ext" = ".la"; then - found=yes - else - found=no - fi - break 2 - fi - done - done - if 
test "$found" != yes; then - # deplib doesn't seem to be a libtool library - if test "$linkmode,$pass" = "prog,link"; then - compile_deplibs="$deplib $compile_deplibs" - finalize_deplibs="$deplib $finalize_deplibs" - else - deplibs="$deplib $deplibs" - test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs" - fi - continue - else # deplib is a libtool library - # If $allow_libtool_libs_with_static_runtimes && $deplib is a stdlib, - # We need to do some special things here, and not later. - if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then - case " $predeps $postdeps " in - *" $deplib "*) - if (${SED} -e '2q' $lib | - grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then - library_names= - old_library= - case $lib in - */* | *\\*) . $lib ;; - *) . ./$lib ;; - esac - for l in $old_library $library_names; do - ll="$l" - done - if test "X$ll" = "X$old_library" ; then # only static version available - found=no - ladir=`$echo "X$lib" | $Xsed -e 's%/[^/]*$%%'` - test "X$ladir" = "X$lib" && ladir="." 
- lib=$ladir/$old_library - if test "$linkmode,$pass" = "prog,link"; then - compile_deplibs="$deplib $compile_deplibs" - finalize_deplibs="$deplib $finalize_deplibs" - else - deplibs="$deplib $deplibs" - test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs" - fi - continue - fi - fi - ;; - *) ;; - esac - fi - fi - ;; # -l - -L*) - case $linkmode in - lib) - deplibs="$deplib $deplibs" - test "$pass" = conv && continue - newdependency_libs="$deplib $newdependency_libs" - newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'` - ;; - prog) - if test "$pass" = conv; then - deplibs="$deplib $deplibs" - continue - fi - if test "$pass" = scan; then - deplibs="$deplib $deplibs" - else - compile_deplibs="$deplib $compile_deplibs" - finalize_deplibs="$deplib $finalize_deplibs" - fi - newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'` - ;; - *) - $echo "$modename: warning: \`-L' is ignored for archives/objects" 1>&2 - ;; - esac # linkmode - continue - ;; # -L - -R*) - if test "$pass" = link; then - dir=`$echo "X$deplib" | $Xsed -e 's/^-R//'` - # Make sure the xrpath contains only unique directories. - case "$xrpath " in - *" $dir "*) ;; - *) xrpath="$xrpath $dir" ;; - esac - fi - deplibs="$deplib $deplibs" - continue + + *.lo) + # Install (i.e. copy) a libtool object. + + # Figure out destination file name, if it wasn't already specified. + if test -n "$destname"; then + destfile="$destdir/$destname" + else + func_basename "$file" + destfile="$func_basename_result" + destfile="$destdir/$destfile" + fi + + # Deduce the name of the destination old-style object file. 
+ case $destfile in + *.lo) + func_lo2o "$destfile" + staticdest=$func_lo2o_result ;; - *.la) lib="$deplib" ;; - *.$libext) - if test "$pass" = conv; then - deplibs="$deplib $deplibs" - continue - fi - case $linkmode in - lib) - valid_a_lib=no - case $deplibs_check_method in - match_pattern*) - set dummy $deplibs_check_method - match_pattern_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"` - if eval $echo \"$deplib\" 2>/dev/null \ - | $SED 10q \ - | $EGREP "$match_pattern_regex" > /dev/null; then - valid_a_lib=yes - fi - ;; - pass_all) - valid_a_lib=yes - ;; - esac - if test "$valid_a_lib" != yes; then - $echo - $echo "*** Warning: Trying to link with static lib archive $deplib." - $echo "*** I have the capability to make that library automatically link in when" - $echo "*** you link to this library. But I can only do this if you have a" - $echo "*** shared version of the library, which you do not appear to have" - $echo "*** because the file extensions .$libext of this argument makes me believe" - $echo "*** that it is just a static archive that I should not used here." - else - $echo - $echo "*** Warning: Linking the shared library $output against the" - $echo "*** static library $deplib is not portable!" - deplibs="$deplib $deplibs" - fi - continue - ;; - prog) - if test "$pass" != link; then - deplibs="$deplib $deplibs" - else - compile_deplibs="$deplib $compile_deplibs" - finalize_deplibs="$deplib $finalize_deplibs" - fi - continue - ;; - esac # linkmode - ;; # *.$libext - *.lo | *.$objext) - if test "$pass" = conv; then - deplibs="$deplib $deplibs" - elif test "$linkmode" = prog; then - if test "$pass" = dlpreopen || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then - # If there is no dlopen support or we're linking statically, - # we need to preload. 
- newdlprefiles="$newdlprefiles $deplib" - compile_deplibs="$deplib $compile_deplibs" - finalize_deplibs="$deplib $finalize_deplibs" - else - newdlfiles="$newdlfiles $deplib" - fi - fi - continue + *.$objext) + staticdest="$destfile" + destfile= ;; - %DEPLIBS%) - alldeplibs=yes - continue + *) + func_fatal_help "cannot copy a libtool object to \`$destfile'" ;; - esac # case $deplib - if test "$found" = yes || test -f "$lib"; then : - else - $echo "$modename: cannot find the library \`$lib' or unhandled argument \`$deplib'" 1>&2 - exit $EXIT_FAILURE + esac + + # Install the libtool object if requested. + test -n "$destfile" && \ + func_show_eval "$install_prog $file $destfile" 'exit $?' + + # Install the old object if enabled. + if test "$build_old_libs" = yes; then + # Deduce the name of the old-style object file. + func_lo2o "$file" + staticobj=$func_lo2o_result + func_show_eval "$install_prog \$staticobj \$staticdest" 'exit $?' fi + exit $EXIT_SUCCESS + ;; - # Check to see that this really is a libtool archive. - if (${SED} -e '2q' $lib | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then : + *) + # Figure out destination file name, if it wasn't already specified. + if test -n "$destname"; then + destfile="$destdir/$destname" else - $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2 - exit $EXIT_FAILURE + func_basename "$file" + destfile="$func_basename_result" + destfile="$destdir/$destfile" fi - ladir=`$echo "X$lib" | $Xsed -e 's%/[^/]*$%%'` - test "X$ladir" = "X$lib" && ladir="." - - dlname= - dlopen= - dlpreopen= - libdir= - library_names= - old_library= - # If the library was installed with an old release of libtool, - # it will not redefine variables installed, or shouldnotlink - installed=yes - shouldnotlink=no - avoidtemprpath= - + # If the file is missing, and there is a .exe on the end, strip it + # because it is most likely a libtool script we actually want to + # install + stripped_ext="" + case $file in + *.exe) + if test ! 
-f "$file"; then + func_stripname '' '.exe' "$file" + file=$func_stripname_result + stripped_ext=".exe" + fi + ;; + esac - # Read the .la file - case $lib in - */* | *\\*) . $lib ;; - *) . ./$lib ;; + # Do a test to see if this is really a libtool program. + case $host in + *cygwin* | *mingw*) + if func_ltwrapper_executable_p "$file"; then + func_ltwrapper_scriptname "$file" + wrapper=$func_ltwrapper_scriptname_result + else + func_stripname '' '.exe' "$file" + wrapper=$func_stripname_result + fi + ;; + *) + wrapper=$file + ;; esac + if func_ltwrapper_script_p "$wrapper"; then + notinst_deplibs= + relink_command= - if test "$linkmode,$pass" = "lib,link" || - test "$linkmode,$pass" = "prog,scan" || - { test "$linkmode" != prog && test "$linkmode" != lib; }; then - test -n "$dlopen" && dlfiles="$dlfiles $dlopen" - test -n "$dlpreopen" && dlprefiles="$dlprefiles $dlpreopen" - fi + func_source "$wrapper" - if test "$pass" = conv; then - # Only check for convenience libraries - deplibs="$lib $deplibs" - if test -z "$libdir"; then - if test -z "$old_library"; then - $echo "$modename: cannot find name of link library for \`$lib'" 1>&2 - exit $EXIT_FAILURE + # Check the variables that should have been set. + test -z "$generated_by_libtool_version" && \ + func_fatal_error "invalid libtool wrapper script \`$wrapper'" + + finalize=yes + for lib in $notinst_deplibs; do + # Check to see that each library is installed. + libdir= + if test -f "$lib"; then + func_source "$lib" fi - # It is a libtool convenience library, so add in its objects. 
- convenience="$convenience $ladir/$objdir/$old_library" - old_convenience="$old_convenience $ladir/$objdir/$old_library" - tmp_libs= - for deplib in $dependency_libs; do - deplibs="$deplib $deplibs" - if test "X$duplicate_deps" = "Xyes" ; then - case "$tmp_libs " in - *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;; - esac - fi - tmp_libs="$tmp_libs $deplib" - done - elif test "$linkmode" != prog && test "$linkmode" != lib; then - $echo "$modename: \`$lib' is not a convenience library" 1>&2 - exit $EXIT_FAILURE - fi - continue - fi # $pass = conv - + libfile="$libdir/"`$ECHO "X$lib" | $Xsed -e 's%^.*/%%g'` ### testsuite: skip nested quoting test + if test -n "$libdir" && test ! -f "$libfile"; then + func_warning "\`$lib' has not been installed in \`$libdir'" + finalize=no + fi + done - # Get the name of the library we link against. - linklib= - for l in $old_library $library_names; do - linklib="$l" - done - if test -z "$linklib"; then - $echo "$modename: cannot find name of link library for \`$lib'" 1>&2 - exit $EXIT_FAILURE - fi + relink_command= + func_source "$wrapper" - # This library was specified with -dlopen. - if test "$pass" = dlopen; then - if test -z "$libdir"; then - $echo "$modename: cannot -dlopen a convenience library: \`$lib'" 1>&2 - exit $EXIT_FAILURE - fi - if test -z "$dlname" || - test "$dlopen_support" != yes || - test "$build_libtool_libs" = no; then - # If there is no dlname, no dlopen support or we're linking - # statically, we need to preload. We also need to preload any - # dependent libraries so libltdl's deplib preloader doesn't - # bomb out in the load deplibs phase. - dlprefiles="$dlprefiles $lib $dependency_libs" + outputname= + if test "$fast_install" = no && test -n "$relink_command"; then + $opt_dry_run || { + if test "$finalize" = yes; then + tmpdir=`func_mktempdir` + func_basename "$file$stripped_ext" + file="$func_basename_result" + outputname="$tmpdir/$file" + # Replace the output file specification. 
+ relink_command=`$ECHO "X$relink_command" | $Xsed -e 's%@OUTPUT@%'"$outputname"'%g'` + + $opt_silent || { + func_quote_for_expand "$relink_command" + eval "func_echo $func_quote_for_expand_result" + } + if eval "$relink_command"; then : + else + func_error "error: relink \`$file' with the above command before installing it" + $opt_dry_run || ${RM}r "$tmpdir" + continue + fi + file="$outputname" + else + func_warning "cannot relink \`$file'" + fi + } else - newdlfiles="$newdlfiles $lib" + # Install the binary that we compiled earlier. + file=`$ECHO "X$file$stripped_ext" | $Xsed -e "s%\([^/]*\)$%$objdir/\1%"` fi - continue - fi # $pass = dlopen + fi - # We need an absolute path. - case $ladir in - [\\/]* | [A-Za-z]:[\\/]*) abs_ladir="$ladir" ;; - *) - abs_ladir=`cd "$ladir" && pwd` - if test -z "$abs_ladir"; then - $echo "$modename: warning: cannot determine absolute directory name of \`$ladir'" 1>&2 - $echo "$modename: passing it literally to the linker, although it might fail" 1>&2 - abs_ladir="$ladir" - fi + # remove .exe since cygwin /usr/bin/install will append another + # one anyway + case $install_prog,$host in + */usr/bin/install*,*cygwin*) + case $file:$destfile in + *.exe:*.exe) + # this is ok + ;; + *.exe:*) + destfile=$destfile.exe + ;; + *:*.exe) + func_stripname '' '.exe' "$destfile" + destfile=$func_stripname_result + ;; + esac ;; esac - laname=`$echo "X$lib" | $Xsed -e 's%^.*/%%'` + func_show_eval "$install_prog\$stripme \$file \$destfile" 'exit $?' + $opt_dry_run || if test -n "$outputname"; then + ${RM}r "$tmpdir" + fi + ;; + esac + done - # Find the relevant object directory and library name. - if test "X$installed" = Xyes; then - if test ! -f "$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then - $echo "$modename: warning: library \`$lib' was moved." 
1>&2 - dir="$ladir" - absdir="$abs_ladir" - libdir="$abs_ladir" - else - dir="$libdir" - absdir="$libdir" + for file in $staticlibs; do + func_basename "$file" + name="$func_basename_result" + + # Set up the ranlib parameters. + oldlib="$destdir/$name" + + func_show_eval "$install_prog \$file \$oldlib" 'exit $?' + + if test -n "$stripme" && test -n "$old_striplib"; then + func_show_eval "$old_striplib $oldlib" 'exit $?' + fi + + # Do each command in the postinstall commands. + func_execute_cmds "$old_postinstall_cmds" 'exit $?' + done + + test -n "$future_libdirs" && \ + func_warning "remember to run \`$progname --finish$future_libdirs'" + + if test -n "$current_libdirs"; then + # Maybe just do a dry run. + $opt_dry_run && current_libdirs=" -n$current_libdirs" + exec_cmd='$SHELL $progpath $preserve_args --finish$current_libdirs' + else + exit $EXIT_SUCCESS + fi +} + +test "$mode" = install && func_mode_install ${1+"$@"} + + +# func_generate_dlsyms outputname originator pic_p +# Extract symbols from dlprefiles and create ${outputname}S.o with +# a dlpreopen symbol table. +func_generate_dlsyms () +{ + $opt_debug + my_outputname="$1" + my_originator="$2" + my_pic_p="${3-no}" + my_prefix=`$ECHO "$my_originator" | sed 's%[^a-zA-Z0-9]%_%g'` + my_dlsyms= + + if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then + if test -n "$NM" && test -n "$global_symbol_pipe"; then + my_dlsyms="${my_outputname}S.c" + else + func_error "not configured to extract global symbols from dlpreopened files" + fi + fi + + if test -n "$my_dlsyms"; then + case $my_dlsyms in + "") ;; + *.c) + # Discover the nlist of each of the dlfiles. + nlist="$output_objdir/${my_outputname}.nm" + + func_show_eval "$RM $nlist ${nlist}S ${nlist}T" + + # Parse the name list into a source file. + func_verbose "creating $output_objdir/$my_dlsyms" + + $opt_dry_run || $ECHO > "$output_objdir/$my_dlsyms" "\ +/* $my_dlsyms - symbol resolution table for \`$my_outputname' dlsym emulation. 
*/ +/* Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION */ + +#ifdef __cplusplus +extern \"C\" { +#endif + +/* External symbol declarations for the compiler. */\ +" + + if test "$dlself" = yes; then + func_verbose "generating symbol list for \`$output'" + + $opt_dry_run || echo ': @PROGRAM@ ' > "$nlist" + + # Add our own program objects to the symbol list. + progfiles=`$ECHO "X$objs$old_deplibs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP` + for progfile in $progfiles; do + func_verbose "extracting global C symbols from \`$progfile'" + $opt_dry_run || eval "$NM $progfile | $global_symbol_pipe >> '$nlist'" + done + + if test -n "$exclude_expsyms"; then + $opt_dry_run || { + eval '$EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T' + eval '$MV "$nlist"T "$nlist"' + } fi - test "X$hardcode_automatic" = Xyes && avoidtemprpath=yes - else - if test ! -f "$ladir/$objdir/$linklib" && test -f "$abs_ladir/$linklib"; then - dir="$ladir" - absdir="$abs_ladir" - # Remove this search path later - notinst_path="$notinst_path $abs_ladir" + + if test -n "$export_symbols_regex"; then + $opt_dry_run || { + eval '$EGREP -e "$export_symbols_regex" "$nlist" > "$nlist"T' + eval '$MV "$nlist"T "$nlist"' + } + fi + + # Prepare the list of exported symbols + if test -z "$export_symbols"; then + export_symbols="$output_objdir/$outputname.exp" + $opt_dry_run || { + $RM $export_symbols + eval "${SED} -n -e '/^: @PROGRAM@ $/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"' + case $host in + *cygwin* | *mingw* | *cegcc* ) + eval "echo EXPORTS "'> "$output_objdir/$outputname.def"' + eval 'cat "$export_symbols" >> "$output_objdir/$outputname.def"' + ;; + esac + } else - dir="$ladir/$objdir" - absdir="$abs_ladir/$objdir" - # Remove this search path later - notinst_path="$notinst_path $abs_ladir" + $opt_dry_run || { + eval "${SED} -e 's/\([].[*^$]\)/\\\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$outputname.exp"' + eval '$GREP -f 
"$output_objdir/$outputname.exp" < "$nlist" > "$nlist"T' + eval '$MV "$nlist"T "$nlist"' + case $host in + *cygwin | *mingw* | *cegcc* ) + eval "echo EXPORTS "'> "$output_objdir/$outputname.def"' + eval 'cat "$nlist" >> "$output_objdir/$outputname.def"' + ;; + esac + } fi - fi # $installed = yes - name=`$echo "X$laname" | $Xsed -e 's/\.la$//' -e 's/^lib//'` + fi - # This library was specified with -dlpreopen. - if test "$pass" = dlpreopen; then - if test -z "$libdir"; then - $echo "$modename: cannot -dlpreopen a convenience library: \`$lib'" 1>&2 - exit $EXIT_FAILURE + for dlprefile in $dlprefiles; do + func_verbose "extracting global C symbols from \`$dlprefile'" + func_basename "$dlprefile" + name="$func_basename_result" + $opt_dry_run || { + eval '$ECHO ": $name " >> "$nlist"' + eval "$NM $dlprefile 2>/dev/null | $global_symbol_pipe >> '$nlist'" + } + done + + $opt_dry_run || { + # Make sure we have at least an empty file. + test -f "$nlist" || : > "$nlist" + + if test -n "$exclude_expsyms"; then + $EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T + $MV "$nlist"T "$nlist" fi - # Prefer using a static library (so that no silly _DYNAMIC symbols - # are required to link). - if test -n "$old_library"; then - newdlprefiles="$newdlprefiles $dir/$old_library" - # Otherwise, use the dlname, so that lt_dlopen finds it. - elif test -n "$dlname"; then - newdlprefiles="$newdlprefiles $dir/$dlname" + + # Try sorting and uniquifying the output. 
+ if $GREP -v "^: " < "$nlist" | + if sort -k 3 /dev/null 2>&1; then + sort -k 3 + else + sort +2 + fi | + uniq > "$nlist"S; then + : else - newdlprefiles="$newdlprefiles $dir/$linklib" + $GREP -v "^: " < "$nlist" > "$nlist"S fi - fi # $pass = dlpreopen - if test -z "$libdir"; then - # Link the convenience library - if test "$linkmode" = lib; then - deplibs="$dir/$old_library $deplibs" - elif test "$linkmode,$pass" = "prog,link"; then - compile_deplibs="$dir/$old_library $compile_deplibs" - finalize_deplibs="$dir/$old_library $finalize_deplibs" + if test -f "$nlist"S; then + eval "$global_symbol_to_cdecl"' < "$nlist"S >> "$output_objdir/$my_dlsyms"' else - deplibs="$lib $deplibs" # used for prog,scan pass + $ECHO '/* NONE */' >> "$output_objdir/$my_dlsyms" fi - continue - fi + $ECHO >> "$output_objdir/$my_dlsyms" "\ - if test "$linkmode" = prog && test "$pass" != link; then - newlib_search_path="$newlib_search_path $ladir" - deplibs="$lib $deplibs" +/* The mapping between symbol names and symbols. */ +typedef struct { + const char *name; + void *address; +} lt_dlsymlist; +" + case $host in + *cygwin* | *mingw* | *cegcc* ) + $ECHO >> "$output_objdir/$my_dlsyms" "\ +/* DATA imports from DLLs on WIN32 con't be const, because + runtime relocations are performed -- see ld's documentation + on pseudo-relocs. 
*/" + lt_dlsym_const= ;; + *osf5*) + echo >> "$output_objdir/$my_dlsyms" "\ +/* This system does not cope well with relocations in const data */" + lt_dlsym_const= ;; + *) + lt_dlsym_const=const ;; + esac - linkalldeplibs=no - if test "$link_all_deplibs" != no || test -z "$library_names" || - test "$build_libtool_libs" = no; then - linkalldeplibs=yes - fi + $ECHO >> "$output_objdir/$my_dlsyms" "\ +extern $lt_dlsym_const lt_dlsymlist +lt_${my_prefix}_LTX_preloaded_symbols[]; +$lt_dlsym_const lt_dlsymlist +lt_${my_prefix}_LTX_preloaded_symbols[] = +{\ + { \"$my_originator\", (void *) 0 }," - tmp_libs= - for deplib in $dependency_libs; do - case $deplib in - -L*) newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`;; ### testsuite: skip nested quoting test - esac - # Need to link against all dependency_libs? - if test "$linkalldeplibs" = yes; then - deplibs="$deplib $deplibs" - else - # Need to hardcode shared library paths - # or/and link against static libraries - newdependency_libs="$deplib $newdependency_libs" - fi - if test "X$duplicate_deps" = "Xyes" ; then - case "$tmp_libs " in - *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;; - esac - fi - tmp_libs="$tmp_libs $deplib" - done # for deplib - continue - fi # $linkmode = prog... + case $need_lib_prefix in + no) + eval "$global_symbol_to_c_name_address" < "$nlist" >> "$output_objdir/$my_dlsyms" + ;; + *) + eval "$global_symbol_to_c_name_address_lib_prefix" < "$nlist" >> "$output_objdir/$my_dlsyms" + ;; + esac + $ECHO >> "$output_objdir/$my_dlsyms" "\ + {0, (void *) 0} +}; - if test "$linkmode,$pass" = "prog,link"; then - if test -n "$library_names" && - { { test "$prefer_static_libs" = no || - test "$prefer_static_libs,$installed" = "built,yes"; } || - test -z "$old_library"; }; then - # We need to hardcode the library path - if test -n "$shlibpath_var" && test -z "$avoidtemprpath" ; then - # Make sure the rpath contains only unique directories. 
- case "$temp_rpath " in - *" $dir "*) ;; - *" $absdir "*) ;; - *) temp_rpath="$temp_rpath $absdir" ;; - esac - fi +/* This works around a problem in FreeBSD linker */ +#ifdef FREEBSD_WORKAROUND +static const void *lt_preloaded_setup() { + return lt_${my_prefix}_LTX_preloaded_symbols; +} +#endif - # Hardcode the library path. - # Skip directories that are in the system default run-time - # search path. - case " $sys_lib_dlsearch_path " in - *" $absdir "*) ;; - *) - case "$compile_rpath " in - *" $absdir "*) ;; - *) compile_rpath="$compile_rpath $absdir" - esac - ;; - esac - case " $sys_lib_dlsearch_path " in - *" $libdir "*) ;; - *) - case "$finalize_rpath " in - *" $libdir "*) ;; - *) finalize_rpath="$finalize_rpath $libdir" - esac - ;; - esac - fi # $linkmode,$pass = prog,link... +#ifdef __cplusplus +} +#endif\ +" + } # !$opt_dry_run - if test "$alldeplibs" = yes && - { test "$deplibs_check_method" = pass_all || - { test "$build_libtool_libs" = yes && - test -n "$library_names"; }; }; then - # We only need to search for static libraries - continue - fi - fi + pic_flag_for_symtable= + case "$compile_command " in + *" -static "*) ;; + *) + case $host in + # compiling the symbol table file with pic_flag works around + # a FreeBSD bug that causes programs to crash when -lm is + # linked before any other PIC object. But we must not use + # pic_flag when linking with -static. The problem exists in + # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1. 
+ *-*-freebsd2*|*-*-freebsd3.0*|*-*-freebsdelf3.0*) + pic_flag_for_symtable=" $pic_flag -DFREEBSD_WORKAROUND" ;; + *-*-hpux*) + pic_flag_for_symtable=" $pic_flag" ;; + *) + if test "X$my_pic_p" != Xno; then + pic_flag_for_symtable=" $pic_flag" + fi + ;; + esac + ;; + esac + symtab_cflags= + for arg in $LTCFLAGS; do + case $arg in + -pie | -fpie | -fPIE) ;; + *) symtab_cflags="$symtab_cflags $arg" ;; + esac + done - link_static=no # Whether the deplib will be linked statically - use_static_libs=$prefer_static_libs - if test "$use_static_libs" = built && test "$installed" = yes ; then - use_static_libs=no - fi - if test -n "$library_names" && - { test "$use_static_libs" = no || test -z "$old_library"; }; then - if test "$installed" = no; then - notinst_deplibs="$notinst_deplibs $lib" - need_relink=yes - fi - # This is a shared library + # Now compile the dynamic symbol file. + func_show_eval '(cd $output_objdir && $LTCC$symtab_cflags -c$no_builtin_flag$pic_flag_for_symtable "$my_dlsyms")' 'exit $?' - # Warn about portability, can't link against -module's on - # some systems (darwin) - if test "$shouldnotlink" = yes && test "$pass" = link ; then - $echo - if test "$linkmode" = prog; then - $echo "*** Warning: Linking the executable $output against the loadable module" - else - $echo "*** Warning: Linking the shared library $output against the loadable module" - fi - $echo "*** $linklib is not portable!" - fi - if test "$linkmode" = lib && - test "$hardcode_into_libs" = yes; then - # Hardcode the library path. - # Skip directories that are in the system default run-time - # search path. - case " $sys_lib_dlsearch_path " in - *" $absdir "*) ;; - *) - case "$compile_rpath " in - *" $absdir "*) ;; - *) compile_rpath="$compile_rpath $absdir" - esac - ;; - esac - case " $sys_lib_dlsearch_path " in - *" $libdir "*) ;; - *) - case "$finalize_rpath " in - *" $libdir "*) ;; - *) finalize_rpath="$finalize_rpath $libdir" - esac - ;; - esac + # Clean up the generated files. 
+ func_show_eval '$RM "$output_objdir/$my_dlsyms" "$nlist" "${nlist}S" "${nlist}T"' + + # Transform the symbol file into the correct name. + symfileobj="$output_objdir/${my_outputname}S.$objext" + case $host in + *cygwin* | *mingw* | *cegcc* ) + if test -f "$output_objdir/$my_outputname.def"; then + compile_command=`$ECHO "X$compile_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"` + finalize_command=`$ECHO "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"` + else + compile_command=`$ECHO "X$compile_command" | $Xsed -e "s%@SYMFILE@%$symfileobj%"` + finalize_command=`$ECHO "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$symfileobj%"` fi + ;; + *) + compile_command=`$ECHO "X$compile_command" | $Xsed -e "s%@SYMFILE@%$symfileobj%"` + finalize_command=`$ECHO "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$symfileobj%"` + ;; + esac + ;; + *) + func_fatal_error "unknown suffix for \`$my_dlsyms'" + ;; + esac + else + # We keep going just in case the user didn't refer to + # lt_preloaded_symbols. The linker will fail if global_symbol_pipe + # really was required. + + # Nullify the symbol file. + compile_command=`$ECHO "X$compile_command" | $Xsed -e "s% @SYMFILE@%%"` + finalize_command=`$ECHO "X$finalize_command" | $Xsed -e "s% @SYMFILE@%%"` + fi +} - if test -n "$old_archive_from_expsyms_cmds"; then - # figure out the soname - set dummy $library_names - realname="$2" - shift; shift - libname=`eval \\$echo \"$libname_spec\"` - # use dlname if we got it. it's perfectly good, no? 
- if test -n "$dlname"; then - soname="$dlname" - elif test -n "$soname_spec"; then - # bleh windows - case $host in - *cygwin* | mingw*) - major=`expr $current - $age` - versuffix="-$major" - ;; - esac - eval soname=\"$soname_spec\" - else - soname="$realname" - fi +# func_win32_libid arg +# return the library type of file 'arg' +# +# Need a lot of goo to handle *both* DLLs and import libs +# Has to be a shell function in order to 'eat' the argument +# that is supplied when $file_magic_command is called. +func_win32_libid () +{ + $opt_debug + win32_libid_type="unknown" + win32_fileres=`file -L $1 2>/dev/null` + case $win32_fileres in + *ar\ archive\ import\ library*) # definitely import + win32_libid_type="x86 archive import" + ;; + *ar\ archive*) # could be an import, or static + if eval $OBJDUMP -f $1 | $SED -e '10q' 2>/dev/null | + $EGREP 'file format pe-i386(.*architecture: i386)?' >/dev/null ; then + win32_nmres=`eval $NM -f posix -A $1 | + $SED -n -e ' + 1,100{ + / I /{ + s,.*,import, + p + q + } + }'` + case $win32_nmres in + import*) win32_libid_type="x86 archive import";; + *) win32_libid_type="x86 archive static";; + esac + fi + ;; + *DLL*) + win32_libid_type="x86 DLL" + ;; + *executable*) # but shell scripts are "executable" too... + case $win32_fileres in + *MS\ Windows\ PE\ Intel*) + win32_libid_type="x86 DLL" + ;; + esac + ;; + esac + $ECHO "$win32_libid_type" +} - # Make a new name for the extract_expsyms_cmds to use - soroot="$soname" - soname=`$echo $soroot | ${SED} -e 's/^.*\///'` - newlib="libimp-`$echo $soname | ${SED} 's/^lib//;s/\.dll$//'`.a" - # If the library has no export list, then create one now - if test -f "$output_objdir/$soname-def"; then : - else - $show "extracting exported symbol list from \`$soname'" - save_ifs="$IFS"; IFS='~' - cmds=$extract_expsyms_cmds - for cmd in $cmds; do - IFS="$save_ifs" - eval cmd=\"$cmd\" - $show "$cmd" - $run eval "$cmd" || exit $? 
- done - IFS="$save_ifs" - fi - # Create $newlib - if test -f "$output_objdir/$newlib"; then :; else - $show "generating import library for \`$soname'" - save_ifs="$IFS"; IFS='~' - cmds=$old_archive_from_expsyms_cmds - for cmd in $cmds; do - IFS="$save_ifs" - eval cmd=\"$cmd\" - $show "$cmd" - $run eval "$cmd" || exit $? - done - IFS="$save_ifs" - fi - # make sure the library variables are pointing to the new library - dir=$output_objdir - linklib=$newlib - fi # test -n "$old_archive_from_expsyms_cmds" +# func_extract_an_archive dir oldlib +func_extract_an_archive () +{ + $opt_debug + f_ex_an_ar_dir="$1"; shift + f_ex_an_ar_oldlib="$1" + func_show_eval "(cd \$f_ex_an_ar_dir && $AR x \"\$f_ex_an_ar_oldlib\")" 'exit $?' + if ($AR t "$f_ex_an_ar_oldlib" | sort | sort -uc >/dev/null 2>&1); then + : + else + func_fatal_error "object name conflicts in archive: $f_ex_an_ar_dir/$f_ex_an_ar_oldlib" + fi +} - if test "$linkmode" = prog || test "$mode" != relink; then - add_shlibpath= - add_dir= - add= - lib_linked=yes - case $hardcode_action in - immediate | unsupported) - if test "$hardcode_direct" = no; then - add="$dir/$linklib" - case $host in - *-*-sco3.2v5.0.[024]*) add_dir="-L$dir" ;; - *-*-sysv4*uw2*) add_dir="-L$dir" ;; - *-*-sysv5OpenUNIX* | *-*-sysv5UnixWare7.[01].[10]* | \ - *-*-unixware7*) add_dir="-L$dir" ;; - *-*-darwin* ) - # if the lib is a module then we can not link against - # it, someone is ignoring the new warnings I added - if /usr/bin/file -L $add 2> /dev/null | - $EGREP ": [^:]* bundle" >/dev/null ; then - $echo "** Warning, lib $linklib is a module, not a shared library" - if test -z "$old_library" ; then - $echo - $echo "** And there doesn't seem to be a static archive available" - $echo "** The link will probably fail, sorry" - else - add="$dir/$old_library" - fi - fi - esac - elif test "$hardcode_minus_L" = no; then - case $host in - *-*-sunos*) add_shlibpath="$dir" ;; - esac - add_dir="-L$dir" - add="-l$name" - elif test 
"$hardcode_shlibpath_var" = no; then - add_shlibpath="$dir" - add="-l$name" - else - lib_linked=no - fi - ;; - relink) - if test "$hardcode_direct" = yes; then - add="$dir/$linklib" - elif test "$hardcode_minus_L" = yes; then - add_dir="-L$dir" - # Try looking first in the location we're being installed to. - if test -n "$inst_prefix_dir"; then - case $libdir in - [\\/]*) - add_dir="$add_dir -L$inst_prefix_dir$libdir" - ;; - esac - fi - add="-l$name" - elif test "$hardcode_shlibpath_var" = yes; then - add_shlibpath="$dir" - add="-l$name" - else - lib_linked=no - fi - ;; - *) lib_linked=no ;; - esac - if test "$lib_linked" != yes; then - $echo "$modename: configuration error: unsupported hardcode properties" - exit $EXIT_FAILURE - fi +# func_extract_archives gentop oldlib ... +func_extract_archives () +{ + $opt_debug + my_gentop="$1"; shift + my_oldlibs=${1+"$@"} + my_oldobjs="" + my_xlib="" + my_xabs="" + my_xdir="" - if test -n "$add_shlibpath"; then - case :$compile_shlibpath: in - *":$add_shlibpath:"*) ;; - *) compile_shlibpath="$compile_shlibpath$add_shlibpath:" ;; - esac - fi - if test "$linkmode" = prog; then - test -n "$add_dir" && compile_deplibs="$add_dir $compile_deplibs" - test -n "$add" && compile_deplibs="$add $compile_deplibs" - else - test -n "$add_dir" && deplibs="$add_dir $deplibs" - test -n "$add" && deplibs="$add $deplibs" - if test "$hardcode_direct" != yes && \ - test "$hardcode_minus_L" != yes && \ - test "$hardcode_shlibpath_var" = yes; then - case :$finalize_shlibpath: in - *":$libdir:"*) ;; - *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;; - esac - fi - fi - fi + for my_xlib in $my_oldlibs; do + # Extract the objects. 
+ case $my_xlib in + [\\/]* | [A-Za-z]:[\\/]*) my_xabs="$my_xlib" ;; + *) my_xabs=`pwd`"/$my_xlib" ;; + esac + func_basename "$my_xlib" + my_xlib="$func_basename_result" + my_xlib_u=$my_xlib + while :; do + case " $extracted_archives " in + *" $my_xlib_u "*) + func_arith $extracted_serial + 1 + extracted_serial=$func_arith_result + my_xlib_u=lt$extracted_serial-$my_xlib ;; + *) break ;; + esac + done + extracted_archives="$extracted_archives $my_xlib_u" + my_xdir="$my_gentop/$my_xlib_u" - if test "$linkmode" = prog || test "$mode" = relink; then - add_shlibpath= - add_dir= - add= - # Finalize command for both is simple: just hardcode it. - if test "$hardcode_direct" = yes; then - add="$libdir/$linklib" - elif test "$hardcode_minus_L" = yes; then - add_dir="-L$libdir" - add="-l$name" - elif test "$hardcode_shlibpath_var" = yes; then - case :$finalize_shlibpath: in - *":$libdir:"*) ;; - *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;; - esac - add="-l$name" - elif test "$hardcode_automatic" = yes; then - if test -n "$inst_prefix_dir" && - test -f "$inst_prefix_dir$libdir/$linklib" ; then - add="$inst_prefix_dir$libdir/$linklib" - else - add="$libdir/$linklib" - fi - else - # We cannot seem to hardcode it, guess we'll fake it. - add_dir="-L$libdir" - # Try looking first in the location we're being installed to. - if test -n "$inst_prefix_dir"; then - case $libdir in - [\\/]*) - add_dir="$add_dir -L$inst_prefix_dir$libdir" - ;; - esac - fi - add="-l$name" - fi + func_mkdir_p "$my_xdir" - if test "$linkmode" = prog; then - test -n "$add_dir" && finalize_deplibs="$add_dir $finalize_deplibs" - test -n "$add" && finalize_deplibs="$add $finalize_deplibs" - else - test -n "$add_dir" && deplibs="$add_dir $deplibs" - test -n "$add" && deplibs="$add $deplibs" - fi - fi - elif test "$linkmode" = prog; then - # Here we assume that one of hardcode_direct or hardcode_minus_L - # is not unsupported. This is valid on all known static and - # shared platforms. 
- if test "$hardcode_direct" != unsupported; then - test -n "$old_library" && linklib="$old_library" - compile_deplibs="$dir/$linklib $compile_deplibs" - finalize_deplibs="$dir/$linklib $finalize_deplibs" + case $host in + *-darwin*) + func_verbose "Extracting $my_xabs" + # Do not bother doing anything if just a dry run + $opt_dry_run || { + darwin_orig_dir=`pwd` + cd $my_xdir || exit $? + darwin_archive=$my_xabs + darwin_curdir=`pwd` + darwin_base_archive=`basename "$darwin_archive"` + darwin_arches=`$LIPO -info "$darwin_archive" 2>/dev/null | $GREP Architectures 2>/dev/null || true` + if test -n "$darwin_arches"; then + darwin_arches=`$ECHO "$darwin_arches" | $SED -e 's/.*are://'` + darwin_arch= + func_verbose "$darwin_base_archive has multiple architectures $darwin_arches" + for darwin_arch in $darwin_arches ; do + func_mkdir_p "unfat-$$/${darwin_base_archive}-${darwin_arch}" + $LIPO -thin $darwin_arch -output "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" "${darwin_archive}" + cd "unfat-$$/${darwin_base_archive}-${darwin_arch}" + func_extract_an_archive "`pwd`" "${darwin_base_archive}" + cd "$darwin_curdir" + $RM "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" + done # $darwin_arches + ## Okay now we've a bunch of thin objects, gotta fatten them up :) + darwin_filelist=`find unfat-$$ -type f -name \*.o -print -o -name \*.lo -print | $SED -e "$basename" | sort -u` + darwin_file= + darwin_files= + for darwin_file in $darwin_filelist; do + darwin_files=`find unfat-$$ -name $darwin_file -print | $NL2SP` + $LIPO -create -output "$darwin_file" $darwin_files + done # $darwin_filelist + $RM -rf unfat-$$ + cd "$darwin_orig_dir" else - compile_deplibs="-l$name -L$dir $compile_deplibs" - finalize_deplibs="-l$name -L$dir $finalize_deplibs" - fi - elif test "$build_libtool_libs" = yes; then - # Not a shared library - if test "$deplibs_check_method" != pass_all; then - # We're trying link a shared library against a static one 
- # but the system doesn't support it. + cd $darwin_orig_dir + func_extract_an_archive "$my_xdir" "$my_xabs" + fi # $darwin_arches + } # !$opt_dry_run + ;; + *) + func_extract_an_archive "$my_xdir" "$my_xabs" + ;; + esac + my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP` + done - # Just print a warning and add the library to dependency_libs so - # that the program can be linked against the static library. - $echo - $echo "*** Warning: This system can not link to static lib archive $lib." - $echo "*** I have the capability to make that library automatically link in when" - $echo "*** you link to this library. But I can only do this if you have a" - $echo "*** shared version of the library, which you do not appear to have." - if test "$module" = yes; then - $echo "*** But as you try to build a module library, libtool will still create " - $echo "*** a static module, that should work as long as the dlopening application" - $echo "*** is linked with the -dlopen flag to resolve symbols at runtime." - if test -z "$global_symbol_pipe"; then - $echo - $echo "*** However, this would only work if libtool was able to extract symbol" - $echo "*** lists from a program, using \`nm' or equivalent, but libtool could" - $echo "*** not find such a program. So, this module is probably useless." - $echo "*** \`nm' from GNU binutils and a full rebuild may help." - fi - if test "$build_old_libs" = no; then - build_libtool_libs=module - build_old_libs=yes - else - build_libtool_libs=no - fi - fi - else - deplibs="$dir/$old_library $deplibs" - link_static=yes - fi - fi # link shared/static library? 
+ func_extract_archives_result="$my_oldobjs" +} - if test "$linkmode" = lib; then - if test -n "$dependency_libs" && - { test "$hardcode_into_libs" != yes || - test "$build_old_libs" = yes || - test "$link_static" = yes; }; then - # Extract -R from dependency_libs - temp_deplibs= - for libdir in $dependency_libs; do - case $libdir in - -R*) temp_xrpath=`$echo "X$libdir" | $Xsed -e 's/^-R//'` - case " $xrpath " in - *" $temp_xrpath "*) ;; - *) xrpath="$xrpath $temp_xrpath";; - esac;; - *) temp_deplibs="$temp_deplibs $libdir";; - esac - done - dependency_libs="$temp_deplibs" - fi - newlib_search_path="$newlib_search_path $absdir" - # Link against this library - test "$link_static" = no && newdependency_libs="$abs_ladir/$laname $newdependency_libs" - # ... and its dependency_libs - tmp_libs= - for deplib in $dependency_libs; do - newdependency_libs="$deplib $newdependency_libs" - if test "X$duplicate_deps" = "Xyes" ; then - case "$tmp_libs " in - *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;; - esac - fi - tmp_libs="$tmp_libs $deplib" - done - if test "$link_all_deplibs" != no; then - # Add the search paths of all dependency libraries - for deplib in $dependency_libs; do - case $deplib in - -L*) path="$deplib" ;; - *.la) - dir=`$echo "X$deplib" | $Xsed -e 's%/[^/]*$%%'` - test "X$dir" = "X$deplib" && dir="." - # We need an absolute path. 
- case $dir in - [\\/]* | [A-Za-z]:[\\/]*) absdir="$dir" ;; - *) - absdir=`cd "$dir" && pwd` - if test -z "$absdir"; then - $echo "$modename: warning: cannot determine absolute directory name of \`$dir'" 1>&2 - absdir="$dir" - fi - ;; - esac - if grep "^installed=no" $deplib > /dev/null; then - path="$absdir/$objdir" - else - eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib` - if test -z "$libdir"; then - $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2 - exit $EXIT_FAILURE - fi - if test "$absdir" != "$libdir"; then - $echo "$modename: warning: \`$deplib' seems to be moved" 1>&2 - fi - path="$absdir" - fi - depdepl= - case $host in - *-*-darwin*) - # we do not want to link against static libs, - # but need to link against shared - eval deplibrary_names=`${SED} -n -e 's/^library_names=\(.*\)$/\1/p' $deplib` - if test -n "$deplibrary_names" ; then - for tmp in $deplibrary_names ; do - depdepl=$tmp - done - if test -f "$path/$depdepl" ; then - depdepl="$path/$depdepl" - fi - # do not add paths which are already there - case " $newlib_search_path " in - *" $path "*) ;; - *) newlib_search_path="$newlib_search_path $path";; - esac - fi - path="" - ;; - *) - path="-L$path" - ;; - esac - ;; - -l*) - case $host in - *-*-darwin*) - # Again, we only want to link against shared libraries - eval tmp_libs=`$echo "X$deplib" | $Xsed -e "s,^\-l,,"` - for tmp in $newlib_search_path ; do - if test -f "$tmp/lib$tmp_libs.dylib" ; then - eval depdepl="$tmp/lib$tmp_libs.dylib" - break - fi - done - path="" - ;; - *) continue ;; - esac - ;; - *) continue ;; - esac - case " $deplibs " in - *" $path "*) ;; - *) deplibs="$path $deplibs" ;; - esac - case " $deplibs " in - *" $depdepl "*) ;; - *) deplibs="$depdepl $deplibs" ;; - esac - done - fi # link_all_deplibs != no - fi # linkmode = lib - done # for deplib in $libs - dependency_libs="$newdependency_libs" - if test "$pass" = dlpreopen; then - # Link the dlpreopened libraries before other libraries - for deplib 
in $save_deplibs; do - deplibs="$deplib $deplibs" - done - fi - if test "$pass" != dlopen; then - if test "$pass" != conv; then - # Make sure lib_search_path contains only unique directories. - lib_search_path= - for dir in $newlib_search_path; do - case "$lib_search_path " in - *" $dir "*) ;; - *) lib_search_path="$lib_search_path $dir" ;; - esac - done - newlib_search_path= +# func_emit_wrapper_part1 [arg=no] +# +# Emit the first part of a libtool wrapper script on stdout. +# For more information, see the description associated with +# func_emit_wrapper(), below. +func_emit_wrapper_part1 () +{ + func_emit_wrapper_part1_arg1=no + if test -n "$1" ; then + func_emit_wrapper_part1_arg1=$1 fi - if test "$linkmode,$pass" != "prog,link"; then - vars="deplibs" - else - vars="compile_deplibs finalize_deplibs" - fi - for var in $vars dependency_libs; do - # Add libraries to $var in reverse order - eval tmp_libs=\"\$$var\" - new_libs= - for deplib in $tmp_libs; do - # FIXME: Pedantically, this is the right thing to do, so - # that some nasty dependency loop isn't accidentally - # broken: - #new_libs="$deplib $new_libs" - # Pragmatically, this seems to cause very few problems in - # practice: - case $deplib in - -L*) new_libs="$deplib $new_libs" ;; - -R*) ;; - *) - # And here is the reason: when a library appears more - # than once as an explicit dependence of a library, or - # is implicitly linked in more than once by the - # compiler, it is considered special, and multiple - # occurrences thereof are not removed. Compare this - # with having the same library being listed as a - # dependency of multiple other libraries: in this case, - # we know (pedantically, we assume) the library does not - # need to be listed more than once, so we keep only the - # last copy. 
This is not always right, but it is rare - # enough that we require users that really mean to play - # such unportable linking tricks to link the library - # using -Wl,-lname, so that libtool does not consider it - # for duplicate removal. - case " $specialdeplibs " in - *" $deplib "*) new_libs="$deplib $new_libs" ;; - *) - case " $new_libs " in - *" $deplib "*) ;; - *) new_libs="$deplib $new_libs" ;; - esac - ;; - esac - ;; - esac - done - tmp_libs= - for deplib in $new_libs; do - case $deplib in - -L*) - case " $tmp_libs " in - *" $deplib "*) ;; - *) tmp_libs="$tmp_libs $deplib" ;; - esac - ;; - *) tmp_libs="$tmp_libs $deplib" ;; - esac - done - eval $var=\"$tmp_libs\" - done # for var - fi - # Last step: remove runtime libs from dependency_libs - # (they stay in deplibs) - tmp_libs= - for i in $dependency_libs ; do - case " $predeps $postdeps $compiler_lib_search_path " in - *" $i "*) - i="" - ;; - esac - if test -n "$i" ; then - tmp_libs="$tmp_libs $i" - fi - done - dependency_libs=$tmp_libs - done # for pass - if test "$linkmode" = prog; then - dlfiles="$newdlfiles" - dlprefiles="$newdlprefiles" - fi + $ECHO "\ +#! $SHELL - case $linkmode in - oldlib) - if test -n "$deplibs"; then - $echo "$modename: warning: \`-l' and \`-L' are ignored for archives" 1>&2 - fi +# $output - temporary wrapper script for $objdir/$outputname +# Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION +# +# The $output program cannot be directly executed until all the libtool +# libraries that it depends on are installed. +# +# This wrapper script should never be moved out of the build directory. +# If it is, it will not operate correctly. - if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then - $echo "$modename: warning: \`-dlopen' is ignored for archives" 1>&2 - fi +# Sed substitution that helps us do robust quoting. It backslashifies +# metacharacters that are still active within double-quoted strings. 
+Xsed='${SED} -e 1s/^X//' +sed_quote_subst='$sed_quote_subst' - if test -n "$rpath"; then - $echo "$modename: warning: \`-rpath' is ignored for archives" 1>&2 - fi +# Be Bourne compatible +if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then + emulate sh + NULLCMD=: + # Zsh 3.x and 4.x performs word splitting on \${1+\"\$@\"}, which + # is contrary to our usage. Disable this feature. + alias -g '\${1+\"\$@\"}'='\"\$@\"' + setopt NO_GLOB_SUBST +else + case \`(set -o) 2>/dev/null\` in *posix*) set -o posix;; esac +fi +BIN_SH=xpg4; export BIN_SH # for Tru64 +DUALCASE=1; export DUALCASE # for MKS sh - if test -n "$xrpath"; then - $echo "$modename: warning: \`-R' is ignored for archives" 1>&2 - fi +# The HP-UX ksh and POSIX shell print the target directory to stdout +# if CDPATH is set. +(unset CDPATH) >/dev/null 2>&1 && unset CDPATH - if test -n "$vinfo"; then - $echo "$modename: warning: \`-version-info/-version-number' is ignored for archives" 1>&2 - fi +relink_command=\"$relink_command\" - if test -n "$release"; then - $echo "$modename: warning: \`-release' is ignored for archives" 1>&2 - fi +# This environment variable determines our operation mode. +if test \"\$libtool_install_magic\" = \"$magic\"; then + # install mode needs the following variables: + generated_by_libtool_version='$macro_version' + notinst_deplibs='$notinst_deplibs' +else + # When we are sourced in execute mode, \$file and \$ECHO are already set. + if test \"\$libtool_execute_magic\" != \"$magic\"; then + ECHO=\"$qecho\" + file=\"\$0\" + # Make sure echo works. + if test \"X\$1\" = X--no-reexec; then + # Discard the --no-reexec flag, and continue. + shift + elif test \"X\`{ \$ECHO '\t'; } 2>/dev/null\`\" = 'X\t'; then + # Yippee, \$ECHO works! + : + else + # Restart under the correct shell, and then maybe \$ECHO will work. 
+ exec $SHELL \"\$0\" --no-reexec \${1+\"\$@\"} + fi + fi\ +" + $ECHO "\ - if test -n "$export_symbols" || test -n "$export_symbols_regex"; then - $echo "$modename: warning: \`-export-symbols' is ignored for archives" 1>&2 - fi + # Find the directory that this script lives in. + thisdir=\`\$ECHO \"X\$file\" | \$Xsed -e 's%/[^/]*$%%'\` + test \"x\$thisdir\" = \"x\$file\" && thisdir=. - # Now set the variables for building old libraries. - build_libtool_libs=no - oldlibs="$output" - objs="$objs$old_deplibs" - ;; + # Follow symbolic links until we get to the real thisdir. + file=\`ls -ld \"\$file\" | ${SED} -n 's/.*-> //p'\` + while test -n \"\$file\"; do + destdir=\`\$ECHO \"X\$file\" | \$Xsed -e 's%/[^/]*\$%%'\` - lib) - # Make sure we only generate libraries of the form `libNAME.la'. - case $outputname in - lib*) - name=`$echo "X$outputname" | $Xsed -e 's/\.la$//' -e 's/^lib//'` - eval shared_ext=\"$shrext_cmds\" - eval libname=\"$libname_spec\" - ;; - *) - if test "$module" = no; then - $echo "$modename: libtool library \`$output' must begin with \`lib'" 1>&2 - $echo "$help" 1>&2 - exit $EXIT_FAILURE - fi - if test "$need_lib_prefix" != no; then - # Add the "lib" prefix for modules if required - name=`$echo "X$outputname" | $Xsed -e 's/\.la$//'` - eval shared_ext=\"$shrext_cmds\" - eval libname=\"$libname_spec\" - else - libname=`$echo "X$outputname" | $Xsed -e 's/\.la$//'` - fi - ;; + # If there was a directory component, then change thisdir. + if test \"x\$destdir\" != \"x\$file\"; then + case \"\$destdir\" in + [\\\\/]* | [A-Za-z]:[\\\\/]*) thisdir=\"\$destdir\" ;; + *) thisdir=\"\$thisdir/\$destdir\" ;; esac + fi - if test -n "$objs"; then - if test "$deplibs_check_method" != pass_all; then - $echo "$modename: cannot build libtool library \`$output' from non-libtool objects on this host:$objs" 2>&1 - exit $EXIT_FAILURE - else - $echo - $echo "*** Warning: Linking the shared library $output against the non-libtool" - $echo "*** objects $objs is not portable!" 
- libobjs="$libobjs $objs" - fi - fi + file=\`\$ECHO \"X\$file\" | \$Xsed -e 's%^.*/%%'\` + file=\`ls -ld \"\$thisdir/\$file\" | ${SED} -n 's/.*-> //p'\` + done +" +} +# end: func_emit_wrapper_part1 - if test "$dlself" != no; then - $echo "$modename: warning: \`-dlopen self' is ignored for libtool libraries" 1>&2 - fi +# func_emit_wrapper_part2 [arg=no] +# +# Emit the second part of a libtool wrapper script on stdout. +# For more information, see the description associated with +# func_emit_wrapper(), below. +func_emit_wrapper_part2 () +{ + func_emit_wrapper_part2_arg1=no + if test -n "$1" ; then + func_emit_wrapper_part2_arg1=$1 + fi + + $ECHO "\ + + # Usually 'no', except on cygwin/mingw when embedded into + # the cwrapper. + WRAPPER_SCRIPT_BELONGS_IN_OBJDIR=$func_emit_wrapper_part2_arg1 + if test \"\$WRAPPER_SCRIPT_BELONGS_IN_OBJDIR\" = \"yes\"; then + # special case for '.' + if test \"\$thisdir\" = \".\"; then + thisdir=\`pwd\` + fi + # remove .libs from thisdir + case \"\$thisdir\" in + *[\\\\/]$objdir ) thisdir=\`\$ECHO \"X\$thisdir\" | \$Xsed -e 's%[\\\\/][^\\\\/]*$%%'\` ;; + $objdir ) thisdir=. ;; + esac + fi - set dummy $rpath - if test "$#" -gt 2; then - $echo "$modename: warning: ignoring multiple \`-rpath's for a libtool library" 1>&2 + # Try to get the absolute directory name. + absdir=\`cd \"\$thisdir\" && pwd\` + test -n \"\$absdir\" && thisdir=\"\$absdir\" +" + + if test "$fast_install" = yes; then + $ECHO "\ + program=lt-'$outputname'$exeext + progdir=\"\$thisdir/$objdir\" + + if test ! -f \"\$progdir/\$program\" || + { file=\`ls -1dt \"\$progdir/\$program\" \"\$progdir/../\$program\" 2>/dev/null | ${SED} 1q\`; \\ + test \"X\$file\" != \"X\$progdir/\$program\"; }; then + + file=\"\$\$-\$program\" + + if test ! 
-d \"\$progdir\"; then + $MKDIR \"\$progdir\" + else + $RM \"\$progdir/\$file\" + fi" + + $ECHO "\ + + # relink executable if necessary + if test -n \"\$relink_command\"; then + if relink_command_output=\`eval \$relink_command 2>&1\`; then : + else + $ECHO \"\$relink_command_output\" >&2 + $RM \"\$progdir/\$file\" + exit 1 fi - install_libdir="$2" + fi - oldlibs= - if test -z "$rpath"; then - if test "$build_libtool_libs" = yes; then - # Building a libtool convenience library. - # Some compilers have problems with a `.al' extension so - # convenience libraries should have the same extension an - # archive normally would. - oldlibs="$output_objdir/$libname.$libext $oldlibs" - build_libtool_libs=convenience - build_old_libs=yes + $MV \"\$progdir/\$file\" \"\$progdir/\$program\" 2>/dev/null || + { $RM \"\$progdir/\$program\"; + $MV \"\$progdir/\$file\" \"\$progdir/\$program\"; } + $RM \"\$progdir/\$file\" + fi" + else + $ECHO "\ + program='$outputname' + progdir=\"\$thisdir/$objdir\" +" fi - if test -n "$vinfo"; then - $echo "$modename: warning: \`-version-info/-version-number' is ignored for convenience libraries" 1>&2 - fi + $ECHO "\ - if test -n "$release"; then - $echo "$modename: warning: \`-release' is ignored for convenience libraries" 1>&2 - fi - else + if test -f \"\$progdir/\$program\"; then" - # Parse the version information argument. - save_ifs="$IFS"; IFS=':' - set dummy $vinfo 0 0 0 - IFS="$save_ifs" + # Export our shlibpath_var if we have one. 
+ if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then + $ECHO "\ + # Add our own library path to $shlibpath_var + $shlibpath_var=\"$temp_rpath\$$shlibpath_var\" - if test -n "$8"; then - $echo "$modename: too many parameters to \`-version-info'" 1>&2 - $echo "$help" 1>&2 - exit $EXIT_FAILURE - fi + # Some systems cannot cope with colon-terminated $shlibpath_var + # The second colon is a workaround for a bug in BeOS R4 sed + $shlibpath_var=\`\$ECHO \"X\$$shlibpath_var\" | \$Xsed -e 's/::*\$//'\` - # convert absolute version numbers to libtool ages - # this retains compatibility with .la files and attempts - # to make the code below a bit more comprehensible + export $shlibpath_var +" + fi - case $vinfo_number in - yes) - number_major="$2" - number_minor="$3" - number_revision="$4" - # - # There are really only two kinds -- those that - # use the current revision as the major version - # and those that subtract age and use age as - # a minor version. But, then there is irix - # which has an extra 1 added just for fun - # - case $version_type in - darwin|linux|osf|windows|none) - current=`expr $number_major + $number_minor` - age="$number_minor" - revision="$number_revision" - ;; - freebsd-aout|freebsd-elf|sunos) - current="$number_major" - revision="$number_minor" - age="0" - ;; - irix|nonstopux) - current=`expr $number_major + $number_minor - 1` - age="$number_minor" - revision="$number_minor" - ;; - esac - ;; - no) - current="$2" - revision="$3" - age="$4" - ;; - esac + # fixup the dll searchpath if we need to. + if test -n "$dllsearchpath"; then + $ECHO "\ + # Add the dll search path components to the executable PATH + PATH=$dllsearchpath:\$PATH +" + fi - # Check that each of the things are valid numbers. 
- case $current in - 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;; - *) - $echo "$modename: CURRENT \`$current' must be a nonnegative integer" 1>&2 - $echo "$modename: \`$vinfo' is not valid version information" 1>&2 - exit $EXIT_FAILURE + $ECHO "\ + if test \"\$libtool_execute_magic\" != \"$magic\"; then + # Run the actual program with our arguments. +" + case $host in + # Backslashes separate directories on plain windows + *-*-mingw | *-*-os2* | *-cegcc*) + $ECHO "\ + exec \"\$progdir\\\\\$program\" \${1+\"\$@\"} +" ;; - esac - case $revision in - 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;; *) - $echo "$modename: REVISION \`$revision' must be a nonnegative integer" 1>&2 - $echo "$modename: \`$vinfo' is not valid version information" 1>&2 - exit $EXIT_FAILURE + $ECHO "\ + exec \"\$progdir/\$program\" \${1+\"\$@\"} +" ;; esac + $ECHO "\ + \$ECHO \"\$0: cannot exec \$program \$*\" 1>&2 + exit 1 + fi + else + # The program doesn't exist. + \$ECHO \"\$0: error: \\\`\$progdir/\$program' does not exist\" 1>&2 + \$ECHO \"This script is just a wrapper for \$program.\" 1>&2 + $ECHO \"See the $PACKAGE documentation for more information.\" 1>&2 + exit 1 + fi +fi\ +" +} +# end: func_emit_wrapper_part2 - case $age in - 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;; - *) - $echo "$modename: AGE \`$age' must be a nonnegative integer" 1>&2 - $echo "$modename: \`$vinfo' is not valid version information" 1>&2 - exit $EXIT_FAILURE - ;; - esac - if test "$age" -gt "$current"; then - $echo "$modename: AGE \`$age' is greater than the current interface number \`$current'" 1>&2 - $echo "$modename: \`$vinfo' is not valid version information" 1>&2 - exit $EXIT_FAILURE +# func_emit_wrapper [arg=no] +# +# Emit a libtool wrapper script on stdout. 
+# Don't directly open a file because we may want to +# incorporate the script contents within a cygwin/mingw +# wrapper executable. Must ONLY be called from within +# func_mode_link because it depends on a number of variables +# set therein. +# +# ARG is the value that the WRAPPER_SCRIPT_BELONGS_IN_OBJDIR +# variable will take. If 'yes', then the emitted script +# will assume that the directory in which it is stored is +# the $objdir directory. This is a cygwin/mingw-specific +# behavior. +func_emit_wrapper () +{ + func_emit_wrapper_arg1=no + if test -n "$1" ; then + func_emit_wrapper_arg1=$1 fi - # Calculate the version variables. - major= - versuffix= - verstring= - case $version_type in - none) ;; + # split this up so that func_emit_cwrapperexe_src + # can call each part independently. + func_emit_wrapper_part1 "${func_emit_wrapper_arg1}" + func_emit_wrapper_part2 "${func_emit_wrapper_arg1}" +} - darwin) - # Like Linux, but with the current version available in - # verstring for coding it into the library header - major=.`expr $current - $age` - versuffix="$major.$age.$revision" - # Darwin ld doesn't like 0 for these options... - minor_current=`expr $current + 1` - verstring="${wl}-compatibility_version ${wl}$minor_current ${wl}-current_version ${wl}$minor_current.$revision" - ;; - freebsd-aout) - major=".$current" - versuffix=".$current.$revision"; - ;; +# func_to_host_path arg +# +# Convert paths to host format when used with build tools. +# Intended for use with "native" mingw (where libtool itself +# is running under the msys shell), or in the following cross- +# build environments: +# $build $host +# mingw (msys) mingw [e.g. native] +# cygwin mingw +# *nix + wine mingw +# where wine is equipped with the `winepath' executable. +# In the native mingw case, the (msys) shell automatically +# converts paths for any non-msys applications it launches, +# but that facility isn't available from inside the cwrapper. 
+# Similar accommodations are necessary for $host mingw and +# $build cygwin. Calling this function does no harm for other +# $host/$build combinations not listed above. +# +# ARG is the path (on $build) that should be converted to +# the proper representation for $host. The result is stored +# in $func_to_host_path_result. +func_to_host_path () +{ + func_to_host_path_result="$1" + if test -n "$1" ; then + case $host in + *mingw* ) + lt_sed_naive_backslashify='s|\\\\*|\\|g;s|/|\\|g;s|\\|\\\\|g' + case $build in + *mingw* ) # actually, msys + # awkward: cmd appends spaces to result + lt_sed_strip_trailing_spaces="s/[ ]*\$//" + func_to_host_path_tmp1=`( cmd //c echo "$1" |\ + $SED -e "$lt_sed_strip_trailing_spaces" ) 2>/dev/null || echo ""` + func_to_host_path_result=`echo "$func_to_host_path_tmp1" |\ + $SED -e "$lt_sed_naive_backslashify"` + ;; + *cygwin* ) + func_to_host_path_tmp1=`cygpath -w "$1"` + func_to_host_path_result=`echo "$func_to_host_path_tmp1" |\ + $SED -e "$lt_sed_naive_backslashify"` + ;; + * ) + # Unfortunately, winepath does not exit with a non-zero + # error code, so we are forced to check the contents of + # stdout. On the other hand, if the command is not + # found, the shell will set an exit code of 127 and print + # *an error message* to stdout. So we must check for both + # error code of zero AND non-empty stdout, which explains + # the odd construction: + func_to_host_path_tmp1=`winepath -w "$1" 2>/dev/null` + if test "$?" -eq 0 && test -n "${func_to_host_path_tmp1}"; then + func_to_host_path_result=`echo "$func_to_host_path_tmp1" |\ + $SED -e "$lt_sed_naive_backslashify"` + else + # Allow warning below. + func_to_host_path_result="" + fi + ;; + esac + if test -z "$func_to_host_path_result" ; then + func_error "Could not determine host path corresponding to" + func_error " '$1'" + func_error "Continuing, but uninstalled executables may not work." 
+ # Fallback: + func_to_host_path_result="$1" + fi + ;; + esac + fi +} +# end: func_to_host_path - freebsd-elf) - major=".$current" - versuffix=".$current"; - ;; +# func_to_host_pathlist arg +# +# Convert pathlists to host format when used with build tools. +# See func_to_host_path(), above. This function supports the +# following $build/$host combinations (but does no harm for +# combinations not listed here): +# $build $host +# mingw (msys) mingw [e.g. native] +# cygwin mingw +# *nix + wine mingw +# +# Path separators are also converted from $build format to +# $host format. If ARG begins or ends with a path separator +# character, it is preserved (but converted to $host format) +# on output. +# +# ARG is a pathlist (on $build) that should be converted to +# the proper representation on $host. The result is stored +# in $func_to_host_pathlist_result. +func_to_host_pathlist () +{ + func_to_host_pathlist_result="$1" + if test -n "$1" ; then + case $host in + *mingw* ) + lt_sed_naive_backslashify='s|\\\\*|\\|g;s|/|\\|g;s|\\|\\\\|g' + # Remove leading and trailing path separator characters from + # ARG. msys behavior is inconsistent here, cygpath turns them + # into '.;' and ';.', and winepath ignores them completely. + func_to_host_pathlist_tmp2="$1" + # Once set for this call, this variable should not be + # reassigned. It is used in tha fallback case. + func_to_host_pathlist_tmp1=`echo "$func_to_host_pathlist_tmp2" |\ + $SED -e 's|^:*||' -e 's|:*$||'` + case $build in + *mingw* ) # Actually, msys. + # Awkward: cmd appends spaces to result. 
+ lt_sed_strip_trailing_spaces="s/[ ]*\$//" + func_to_host_pathlist_tmp2=`( cmd //c echo "$func_to_host_pathlist_tmp1" |\ + $SED -e "$lt_sed_strip_trailing_spaces" ) 2>/dev/null || echo ""` + func_to_host_pathlist_result=`echo "$func_to_host_pathlist_tmp2" |\ + $SED -e "$lt_sed_naive_backslashify"` + ;; + *cygwin* ) + func_to_host_pathlist_tmp2=`cygpath -w -p "$func_to_host_pathlist_tmp1"` + func_to_host_pathlist_result=`echo "$func_to_host_pathlist_tmp2" |\ + $SED -e "$lt_sed_naive_backslashify"` + ;; + * ) + # unfortunately, winepath doesn't convert pathlists + func_to_host_pathlist_result="" + func_to_host_pathlist_oldIFS=$IFS + IFS=: + for func_to_host_pathlist_f in $func_to_host_pathlist_tmp1 ; do + IFS=$func_to_host_pathlist_oldIFS + if test -n "$func_to_host_pathlist_f" ; then + func_to_host_path "$func_to_host_pathlist_f" + if test -n "$func_to_host_path_result" ; then + if test -z "$func_to_host_pathlist_result" ; then + func_to_host_pathlist_result="$func_to_host_path_result" + else + func_to_host_pathlist_result="$func_to_host_pathlist_result;$func_to_host_path_result" + fi + fi + fi + IFS=: + done + IFS=$func_to_host_pathlist_oldIFS + ;; + esac + if test -z "$func_to_host_pathlist_result" ; then + func_error "Could not determine the host path(s) corresponding to" + func_error " '$1'" + func_error "Continuing, but uninstalled executables may not work." + # Fallback. This may break if $1 contains DOS-style drive + # specifications. The fix is not to complicate the expression + # below, but for the user to provide a working wine installation + # with winepath so that path translation in the cross-to-mingw + # case works properly. 
+ lt_replace_pathsep_nix_to_dos="s|:|;|g" + func_to_host_pathlist_result=`echo "$func_to_host_pathlist_tmp1" |\ + $SED -e "$lt_replace_pathsep_nix_to_dos"` + fi + # Now, add the leading and trailing path separators back + case "$1" in + :* ) func_to_host_pathlist_result=";$func_to_host_pathlist_result" + ;; + esac + case "$1" in + *: ) func_to_host_pathlist_result="$func_to_host_pathlist_result;" + ;; + esac + ;; + esac + fi +} +# end: func_to_host_pathlist - irix | nonstopux) - major=`expr $current - $age + 1` +# func_emit_cwrapperexe_src +# emit the source code for a wrapper executable on stdout +# Must ONLY be called from within func_mode_link because +# it depends on a number of variable set therein. +func_emit_cwrapperexe_src () +{ + cat < +#include +#ifdef _MSC_VER +# include +# include +# include +# define setmode _setmode +#else +# include +# include +# ifdef __CYGWIN__ +# include +# define HAVE_SETENV +# ifdef __STRICT_ANSI__ +char *realpath (const char *, char *); +int putenv (char *); +int setenv (const char *, const char *, int); +# endif +# endif +#endif +#include +#include +#include +#include +#include +#include +#include +#include - osf) - major=.`expr $current - $age` - versuffix=".$current.$age.$revision" - verstring="$current.$age.$revision" +#if defined(PATH_MAX) +# define LT_PATHMAX PATH_MAX +#elif defined(MAXPATHLEN) +# define LT_PATHMAX MAXPATHLEN +#else +# define LT_PATHMAX 1024 +#endif - # Add in all the interfaces that we are compatible with. - loop=$age - while test "$loop" -ne 0; do - iface=`expr $current - $loop` - loop=`expr $loop - 1` - verstring="$verstring:${iface}.0" - done +#ifndef S_IXOTH +# define S_IXOTH 0 +#endif +#ifndef S_IXGRP +# define S_IXGRP 0 +#endif - # Make executables depend on our current version. 
- verstring="$verstring:${current}.0" - ;; +#ifdef _MSC_VER +# define S_IXUSR _S_IEXEC +# define stat _stat +# ifndef _INTPTR_T_DEFINED +# define intptr_t int +# endif +#endif - sunos) - major=".$current" - versuffix=".$current.$revision" - ;; +#ifndef DIR_SEPARATOR +# define DIR_SEPARATOR '/' +# define PATH_SEPARATOR ':' +#endif - windows) - # Use '-' rather than '.', since we only want one - # extension on DOS 8.3 filesystems. - major=`expr $current - $age` - versuffix="-$major" - ;; +#if defined (_WIN32) || defined (__MSDOS__) || defined (__DJGPP__) || \ + defined (__OS2__) +# define HAVE_DOS_BASED_FILE_SYSTEM +# define FOPEN_WB "wb" +# ifndef DIR_SEPARATOR_2 +# define DIR_SEPARATOR_2 '\\' +# endif +# ifndef PATH_SEPARATOR_2 +# define PATH_SEPARATOR_2 ';' +# endif +#endif - *) - $echo "$modename: unknown library version type \`$version_type'" 1>&2 - $echo "Fatal configuration error. See the $PACKAGE docs for more information." 1>&2 - exit $EXIT_FAILURE - ;; - esac +#ifndef DIR_SEPARATOR_2 +# define IS_DIR_SEPARATOR(ch) ((ch) == DIR_SEPARATOR) +#else /* DIR_SEPARATOR_2 */ +# define IS_DIR_SEPARATOR(ch) \ + (((ch) == DIR_SEPARATOR) || ((ch) == DIR_SEPARATOR_2)) +#endif /* DIR_SEPARATOR_2 */ - # Clear the version info if we defaulted, and they specified a release. 
- if test -z "$vinfo" && test -n "$release"; then - major= - case $version_type in - darwin) - # we can't check for "0.0" in archive_cmds due to quoting - # problems, so we reset it completely - verstring= - ;; - *) - verstring="0.0" - ;; - esac - if test "$need_version" = no; then - versuffix= - else - versuffix=".0.0" - fi - fi +#ifndef PATH_SEPARATOR_2 +# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR) +#else /* PATH_SEPARATOR_2 */ +# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR_2) +#endif /* PATH_SEPARATOR_2 */ - # Remove version info from name if versioning should be avoided - if test "$avoid_version" = yes && test "$need_version" = no; then - major= - versuffix= - verstring="" - fi +#ifdef __CYGWIN__ +# define FOPEN_WB "wb" +#endif - # Check to see if the archive will have undefined symbols. - if test "$allow_undefined" = yes; then - if test "$allow_undefined_flag" = unsupported; then - $echo "$modename: warning: undefined symbols not allowed in $host shared libraries" 1>&2 - build_libtool_libs=no - build_old_libs=yes - fi - else - # Don't allow undefined symbols. - allow_undefined_flag="$no_undefined_flag" - fi - fi +#ifndef FOPEN_WB +# define FOPEN_WB "w" +#endif +#ifndef _O_BINARY +# define _O_BINARY 0 +#endif - if test "$mode" != relink; then - # Remove our outputs, but don't remove object files since they - # may have been created when compiling PIC objects. 
- removelist= - tempremovelist=`$echo "$output_objdir/*"` - for p in $tempremovelist; do - case $p in - *.$objext) - ;; - $output_objdir/$outputname | $output_objdir/$libname.* | $output_objdir/${libname}${release}.*) - if test "X$precious_files_regex" != "X"; then - if echo $p | $EGREP -e "$precious_files_regex" >/dev/null 2>&1 - then - continue - fi - fi - removelist="$removelist $p" - ;; - *) ;; - esac - done - if test -n "$removelist"; then - $show "${rm}r $removelist" - $run ${rm}r $removelist - fi - fi +#define XMALLOC(type, num) ((type *) xmalloc ((num) * sizeof(type))) +#define XFREE(stale) do { \ + if (stale) { free ((void *) stale); stale = 0; } \ +} while (0) - # Now set the variables for building old libraries. - if test "$build_old_libs" = yes && test "$build_libtool_libs" != convenience ; then - oldlibs="$oldlibs $output_objdir/$libname.$libext" +#undef LTWRAPPER_DEBUGPRINTF +#if defined DEBUGWRAPPER +# define LTWRAPPER_DEBUGPRINTF(args) ltwrapper_debugprintf args +static void +ltwrapper_debugprintf (const char *fmt, ...) +{ + va_list args; + va_start (args, fmt); + (void) vfprintf (stderr, fmt, args); + va_end (args); +} +#else +# define LTWRAPPER_DEBUGPRINTF(args) +#endif - # Transform .lo files to .o files. - oldobjs="$objs "`$echo "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}'$/d' -e "$lo2o" | $NL2SP` - fi +const char *program_name = NULL; - # Eliminate all temporary directories. 
-# for path in $notinst_path; do -# lib_search_path=`$echo "$lib_search_path " | ${SED} -e "s% $path % %g"` -# deplibs=`$echo "$deplibs " | ${SED} -e "s% -L$path % %g"` -# dependency_libs=`$echo "$dependency_libs " | ${SED} -e "s% -L$path % %g"` -# done +void *xmalloc (size_t num); +char *xstrdup (const char *string); +const char *base_name (const char *name); +char *find_executable (const char *wrapper); +char *chase_symlinks (const char *pathspec); +int make_executable (const char *path); +int check_executable (const char *path); +char *strendzap (char *str, const char *pat); +void lt_fatal (const char *message, ...); +void lt_setenv (const char *name, const char *value); +char *lt_extend_str (const char *orig_value, const char *add, int to_end); +void lt_opt_process_env_set (const char *arg); +void lt_opt_process_env_prepend (const char *arg); +void lt_opt_process_env_append (const char *arg); +int lt_split_name_value (const char *arg, char** name, char** value); +void lt_update_exe_path (const char *name, const char *value); +void lt_update_lib_path (const char *name, const char *value); - if test -n "$xrpath"; then - # If the user specified any rpath flags, then add them. 
- temp_xrpath= - for libdir in $xrpath; do - temp_xrpath="$temp_xrpath -R$libdir" - case "$finalize_rpath " in - *" $libdir "*) ;; - *) finalize_rpath="$finalize_rpath $libdir" ;; - esac - done - if test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes; then - dependency_libs="$temp_xrpath $dependency_libs" - fi - fi +static const char *script_text_part1 = +EOF - # Make sure dlfiles contains only unique files that won't be dlpreopened - old_dlfiles="$dlfiles" - dlfiles= - for lib in $old_dlfiles; do - case " $dlprefiles $dlfiles " in - *" $lib "*) ;; - *) dlfiles="$dlfiles $lib" ;; - esac - done + func_emit_wrapper_part1 yes | + $SED -e 's/\([\\"]\)/\\\1/g' \ + -e 's/^/ "/' -e 's/$/\\n"/' + echo ";" + cat < conftest.c </dev/null` - for potent_lib in $potential_libs; do - # Follow soft links. - if ls -lLd "$potent_lib" 2>/dev/null \ - | grep " -> " >/dev/null; then - continue - fi - # The statement above tries to avoid entering an - # endless loop below, in case of cyclic links. - # We might still enter an endless loop, since a link - # loop can be closed while we follow links, - # but so what? - potlib="$potent_lib" - while test -h "$potlib" 2>/dev/null; do - potliblink=`ls -ld $potlib | ${SED} 's/.* -> //'` - case $potliblink in - [\\/]* | [A-Za-z]:[\\/]*) potlib="$potliblink";; - *) potlib=`$echo "X$potlib" | $Xsed -e 's,[^/]*$,,'`"$potliblink";; - esac - done - if eval $file_magic_cmd \"\$potlib\" 2>/dev/null \ - | ${SED} 10q \ - | $EGREP "$file_magic_regex" > /dev/null; then - newdeplibs="$newdeplibs $a_deplib" - a_deplib="" - break 2 - fi - done - done - fi - if test -n "$a_deplib" ; then - droppeddeps=yes - $echo - $echo "*** Warning: linker path does not have real file for library $a_deplib." - $echo "*** I have the capability to make that library automatically link in when" - $echo "*** you link to this library. 
But I can only do this if you have a" - $echo "*** shared version of the library, which you do not appear to have" - $echo "*** because I did check the linker path looking for a file starting" - if test -z "$potlib" ; then - $echo "*** with $libname but no candidates were found. (...for file magic test)" - else - $echo "*** with $libname and none of the candidates passed a file format test" - $echo "*** using a file magic. Last file checked: $potlib" - fi - fi else - # Add a -L argument. - newdeplibs="$newdeplibs $a_deplib" + cat <<"EOF" +const char * LIB_PATH_VALUE = ""; +EOF fi - done # Gone through all deplibs. - ;; - match_pattern*) - set dummy $deplibs_check_method - match_pattern_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"` - for a_deplib in $deplibs; do - name=`expr $a_deplib : '-l\(.*\)'` - # If $name is empty we are operating on a -L argument. - if test -n "$name" && test "$name" != "0"; then - if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then - case " $predeps $postdeps " in - *" $a_deplib "*) - newdeplibs="$newdeplibs $a_deplib" - a_deplib="" - ;; - esac - fi - if test -n "$a_deplib" ; then - libname=`eval \\$echo \"$libname_spec\"` - for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do - potential_libs=`ls $i/$libname[.-]* 2>/dev/null` - for potent_lib in $potential_libs; do - potlib="$potent_lib" # see symlink-check above in file_magic test - if eval $echo \"$potent_lib\" 2>/dev/null \ - | ${SED} 10q \ - | $EGREP "$match_pattern_regex" > /dev/null; then - newdeplibs="$newdeplibs $a_deplib" - a_deplib="" - break 2 - fi - done - done - fi - if test -n "$a_deplib" ; then - droppeddeps=yes - $echo - $echo "*** Warning: linker path does not have real file for library $a_deplib." - $echo "*** I have the capability to make that library automatically link in when" - $echo "*** you link to this library. 
But I can only do this if you have a" - $echo "*** shared version of the library, which you do not appear to have" - $echo "*** because I did check the linker path looking for a file starting" - if test -z "$potlib" ; then - $echo "*** with $libname but no candidates were found. (...for regex pattern test)" - else - $echo "*** with $libname and none of the candidates passed a file format test" - $echo "*** using a regex pattern. Last file checked: $potlib" - fi - fi + + if test -n "$dllsearchpath"; then + func_to_host_pathlist "$dllsearchpath:" + cat </dev/null; then - $echo - if test "X$deplibs_check_method" = "Xnone"; then - $echo "*** Warning: inter-library dependencies are not supported in this platform." + + if test "$fast_install" = yes; then + cat < \"${export_symbols}T\"" - $run eval '$EGREP -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"' - $show "$mv \"${export_symbols}T\" \"$export_symbols\"" - $run eval '$mv "${export_symbols}T" "$export_symbols"' - fi - fi - fi + cat <<"EOF" + printf ("%s", script_text_part1); + printf ("%s", script_text_part2); + return 0; + } + } - if test -n "$export_symbols" && test -n "$include_expsyms"; then - $run eval '$echo "X$include_expsyms" | $SP2NL >> "$export_symbols"' - fi + newargz = XMALLOC (char *, argc + 1); + tmp_pathspec = find_executable (argv[0]); + if (tmp_pathspec == NULL) + lt_fatal ("Couldn't find %s", argv[0]); + LTWRAPPER_DEBUGPRINTF (("(main) found exe (before symlink chase) at : %s\n", + tmp_pathspec)); + + actual_cwrapper_path = chase_symlinks (tmp_pathspec); + LTWRAPPER_DEBUGPRINTF (("(main) found exe (after symlink chase) at : %s\n", + actual_cwrapper_path)); + XFREE (tmp_pathspec); + + actual_cwrapper_name = xstrdup( base_name (actual_cwrapper_path)); + strendzap (actual_cwrapper_path, actual_cwrapper_name); + + /* wrapper name transforms */ + strendzap (actual_cwrapper_name, ".exe"); + tmp_pathspec = lt_extend_str (actual_cwrapper_name, ".exe", 1); + XFREE (actual_cwrapper_name); 
+ actual_cwrapper_name = tmp_pathspec; + tmp_pathspec = 0; + + /* target_name transforms -- use actual target program name; might have lt- prefix */ + target_name = xstrdup (base_name (TARGET_PROGRAM_NAME)); + strendzap (target_name, ".exe"); + tmp_pathspec = lt_extend_str (target_name, ".exe", 1); + XFREE (target_name); + target_name = tmp_pathspec; + tmp_pathspec = 0; - tmp_deplibs= - for test_deplib in $deplibs; do - case " $convenience " in - *" $test_deplib "*) ;; - *) - tmp_deplibs="$tmp_deplibs $test_deplib" - ;; - esac - done - deplibs="$tmp_deplibs" + LTWRAPPER_DEBUGPRINTF (("(main) libtool target name: %s\n", + target_name)); +EOF - if test -n "$convenience"; then - if test -n "$whole_archive_flag_spec"; then - save_libobjs=$libobjs - eval libobjs=\"\$libobjs $whole_archive_flag_spec\" - else - gentop="$output_objdir/${outputname}x" - generated="$generated $gentop" + cat </dev/null` && - test "$len" -le "$max_cmd_len" || test "$max_cmd_len" -le -1; then - : - else - # The command line is too long to link in one step, link piecewise. - $echo "creating reloadable object files..." 
+ newargc=0; + for (i = 1; i < argc; i++) + { + if (strncmp (argv[i], env_set_opt, env_set_opt_len) == 0) + { + if (argv[i][env_set_opt_len] == '=') + { + const char *p = argv[i] + env_set_opt_len + 1; + lt_opt_process_env_set (p); + } + else if (argv[i][env_set_opt_len] == '\0' && i + 1 < argc) + { + lt_opt_process_env_set (argv[++i]); /* don't copy */ + } + else + lt_fatal ("%s missing required argument", env_set_opt); + continue; + } + if (strncmp (argv[i], env_prepend_opt, env_prepend_opt_len) == 0) + { + if (argv[i][env_prepend_opt_len] == '=') + { + const char *p = argv[i] + env_prepend_opt_len + 1; + lt_opt_process_env_prepend (p); + } + else if (argv[i][env_prepend_opt_len] == '\0' && i + 1 < argc) + { + lt_opt_process_env_prepend (argv[++i]); /* don't copy */ + } + else + lt_fatal ("%s missing required argument", env_prepend_opt); + continue; + } + if (strncmp (argv[i], env_append_opt, env_append_opt_len) == 0) + { + if (argv[i][env_append_opt_len] == '=') + { + const char *p = argv[i] + env_append_opt_len + 1; + lt_opt_process_env_append (p); + } + else if (argv[i][env_append_opt_len] == '\0' && i + 1 < argc) + { + lt_opt_process_env_append (argv[++i]); /* don't copy */ + } + else + lt_fatal ("%s missing required argument", env_append_opt); + continue; + } + if (strncmp (argv[i], ltwrapper_option_prefix, opt_prefix_len) == 0) + { + /* however, if there is an option in the LTWRAPPER_OPTION_PREFIX + namespace, but it is not one of the ones we know about and + have already dealt with, above (inluding dump-script), then + report an error. Otherwise, targets might begin to believe + they are allowed to use options in the LTWRAPPER_OPTION_PREFIX + namespace. The first time any user complains about this, we'll + need to make LTWRAPPER_OPTION_PREFIX a configure-time option + or a configure.ac-settable value. + */ + lt_fatal ("Unrecognized option in %s namespace: '%s'", + ltwrapper_option_prefix, argv[i]); + } + /* otherwise ... 
*/ + newargz[++newargc] = xstrdup (argv[i]); + } + newargz[++newargc] = NULL; - # Save the value of $output and $libobjs because we want to - # use them later. If we have whole_archive_flag_spec, we - # want to use save_libobjs as it was before - # whole_archive_flag_spec was expanded, because we can't - # assume the linker understands whole_archive_flag_spec. - # This may have to be revisited, in case too many - # convenience libraries get linked in and end up exceeding - # the spec. - if test -z "$convenience" || test -z "$whole_archive_flag_spec"; then - save_libobjs=$libobjs - fi - save_output=$output - output_la=`$echo "X$output" | $Xsed -e "$basename"` + LTWRAPPER_DEBUGPRINTF (("(main) lt_argv_zero : %s\n", (lt_argv_zero ? lt_argv_zero : ""))); + for (i = 0; i < newargc; i++) + { + LTWRAPPER_DEBUGPRINTF (("(main) newargz[%d] : %s\n", i, (newargz[i] ? newargz[i] : ""))); + } - # Clear the reloadable object creation command queue and - # initialize k to one. - test_cmds= - concat_cmds= - objlist= - delfiles= - last_robj= - k=1 - output=$output_objdir/$output_la-${k}.$objext - # Loop over the list of objects to be linked. - for obj in $save_libobjs - do - eval test_cmds=\"$reload_cmds $objlist $last_robj\" - if test "X$objlist" = X || - { len=`expr "X$test_cmds" : ".*" 2>/dev/null` && - test "$len" -le "$max_cmd_len"; }; then - objlist="$objlist $obj" - else - # The command $test_cmds is almost too long, add a - # command to the queue. - if test "$k" -eq 1 ; then - # The first file doesn't have a previous command to add. - eval concat_cmds=\"$reload_cmds $objlist $last_robj\" - else - # All subsequent reloadable object files will link in - # the last one created. 
- eval concat_cmds=\"\$concat_cmds~$reload_cmds $objlist $last_robj\" - fi - last_robj=$output_objdir/$output_la-${k}.$objext - k=`expr $k + 1` - output=$output_objdir/$output_la-${k}.$objext - objlist=$obj - len=1 - fi - done - # Handle the remaining objects by creating one last - # reloadable object file. All subsequent reloadable object - # files will link in the last one created. - test -z "$concat_cmds" || concat_cmds=$concat_cmds~ - eval concat_cmds=\"\${concat_cmds}$reload_cmds $objlist $last_robj\" +EOF - if ${skipped_export-false}; then - $show "generating symbol list for \`$libname.la'" - export_symbols="$output_objdir/$libname.exp" - $run $rm $export_symbols - libobjs=$output - # Append the command to create the export file. - eval concat_cmds=\"\$concat_cmds~$export_symbols_cmds\" - fi - - # Set up a command to remove the reloadable object files - # after they are used. - i=0 - while test "$i" -lt "$k" - do - i=`expr $i + 1` - delfiles="$delfiles $output_objdir/$output_la-${i}.$objext" - done + case $host_os in + mingw*) + cat <<"EOF" + /* execv doesn't actually work on mingw as expected on unix */ + rval = _spawnv (_P_WAIT, lt_argv_zero, (const char * const *) newargz); + if (rval == -1) + { + /* failed to start process */ + LTWRAPPER_DEBUGPRINTF (("(main) failed to launch target \"%s\": errno = %d\n", lt_argv_zero, errno)); + return 127; + } + return rval; +EOF + ;; + *) + cat <<"EOF" + execv (lt_argv_zero, newargz); + return rval; /* =127, but avoids unused variable warning */ +EOF + ;; + esac - $echo "creating a temporary reloadable object file: $output" + cat <<"EOF" +} - # Loop through the commands generated above and execute them. - save_ifs="$IFS"; IFS='~' - for cmd in $concat_cmds; do - IFS="$save_ifs" - $show "$cmd" - $run eval "$cmd" || exit $? - done - IFS="$save_ifs" +void * +xmalloc (size_t num) +{ + void *p = (void *) malloc (num); + if (!p) + lt_fatal ("Memory exhausted"); - libobjs=$output - # Restore the value of output. 
- output=$save_output + return p; +} - if test -n "$convenience" && test -n "$whole_archive_flag_spec"; then - eval libobjs=\"\$libobjs $whole_archive_flag_spec\" - fi - # Expand the library linking commands again to reset the - # value of $libobjs for piecewise linking. +char * +xstrdup (const char *string) +{ + return string ? strcpy ((char *) xmalloc (strlen (string) + 1), + string) : NULL; +} - # Do each of the archive commands. - if test "$module" = yes && test -n "$module_cmds" ; then - if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then - cmds=$module_expsym_cmds - else - cmds=$module_cmds - fi - else - if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then - cmds=$archive_expsym_cmds - else - cmds=$archive_cmds - fi - fi +const char * +base_name (const char *name) +{ + const char *base; - # Append the command to remove the reloadable object files - # to the just-reset $cmds. - eval cmds=\"\$cmds~\$rm $delfiles\" - fi - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - eval cmd=\"$cmd\" - $show "$cmd" - $run eval "$cmd" || { - lt_exit=$? +#if defined (HAVE_DOS_BASED_FILE_SYSTEM) + /* Skip over the disk name in MSDOS pathnames. */ + if (isalpha ((unsigned char) name[0]) && name[1] == ':') + name += 2; +#endif - # Restore the uninstalled library and exit - if test "$mode" = relink; then - $run eval '(cd $output_objdir && $rm ${realname}T && $mv ${realname}U $realname)' - fi + for (base = name; *name; name++) + if (IS_DIR_SEPARATOR (*name)) + base = name + 1; + return base; +} - exit $lt_exit - } - done - IFS="$save_ifs" +int +check_executable (const char *path) +{ + struct stat st; - # Restore the uninstalled library and exit - if test "$mode" = relink; then - $run eval '(cd $output_objdir && $rm ${realname}T && $mv $realname ${realname}T && $mv "$realname"U $realname)' || exit $? + LTWRAPPER_DEBUGPRINTF (("(check_executable) : %s\n", + path ? (*path ? 
path : "EMPTY!") : "NULL!")); + if ((!path) || (!*path)) + return 0; - if test -n "$convenience"; then - if test -z "$whole_archive_flag_spec"; then - $show "${rm}r $gentop" - $run ${rm}r "$gentop" - fi - fi + if ((stat (path, &st) >= 0) + && (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))) + return 1; + else + return 0; +} - exit $EXIT_SUCCESS - fi +int +make_executable (const char *path) +{ + int rval = 0; + struct stat st; - # Create links to the real library. - for linkname in $linknames; do - if test "$realname" != "$linkname"; then - $show "(cd $output_objdir && $rm $linkname && $LN_S $realname $linkname)" - $run eval '(cd $output_objdir && $rm $linkname && $LN_S $realname $linkname)' || exit $? - fi - done + LTWRAPPER_DEBUGPRINTF (("(make_executable) : %s\n", + path ? (*path ? path : "EMPTY!") : "NULL!")); + if ((!path) || (!*path)) + return 0; - # If -module or -export-dynamic was specified, set the dlname. - if test "$module" = yes || test "$export_dynamic" = yes; then - # On all known operating systems, these are identical. - dlname="$soname" - fi - fi - ;; + if (stat (path, &st) >= 0) + { + rval = chmod (path, st.st_mode | S_IXOTH | S_IXGRP | S_IXUSR); + } + return rval; +} - obj) - if test -n "$deplibs"; then - $echo "$modename: warning: \`-l' and \`-L' are ignored for objects" 1>&2 - fi +/* Searches for the full path of the wrapper. Returns + newly allocated full path name if found, NULL otherwise + Does not chase symlinks, even on platforms that support them. +*/ +char * +find_executable (const char *wrapper) +{ + int has_slash = 0; + const char *p; + const char *p_next; + /* static buffer for getcwd */ + char tmp[LT_PATHMAX + 1]; + int tmp_len; + char *concat_name; - if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then - $echo "$modename: warning: \`-dlopen' is ignored for objects" 1>&2 - fi + LTWRAPPER_DEBUGPRINTF (("(find_executable) : %s\n", + wrapper ? (*wrapper ? 
wrapper : "EMPTY!") : "NULL!")); - if test -n "$rpath"; then - $echo "$modename: warning: \`-rpath' is ignored for objects" 1>&2 - fi + if ((wrapper == NULL) || (*wrapper == '\0')) + return NULL; - if test -n "$xrpath"; then - $echo "$modename: warning: \`-R' is ignored for objects" 1>&2 - fi + /* Absolute path? */ +#if defined (HAVE_DOS_BASED_FILE_SYSTEM) + if (isalpha ((unsigned char) wrapper[0]) && wrapper[1] == ':') + { + concat_name = xstrdup (wrapper); + if (check_executable (concat_name)) + return concat_name; + XFREE (concat_name); + } + else + { +#endif + if (IS_DIR_SEPARATOR (wrapper[0])) + { + concat_name = xstrdup (wrapper); + if (check_executable (concat_name)) + return concat_name; + XFREE (concat_name); + } +#if defined (HAVE_DOS_BASED_FILE_SYSTEM) + } +#endif - if test -n "$vinfo"; then - $echo "$modename: warning: \`-version-info' is ignored for objects" 1>&2 - fi + for (p = wrapper; *p; p++) + if (*p == '/') + { + has_slash = 1; + break; + } + if (!has_slash) + { + /* no slashes; search PATH */ + const char *path = getenv ("PATH"); + if (path != NULL) + { + for (p = path; *p; p = p_next) + { + const char *q; + size_t p_len; + for (q = p; *q; q++) + if (IS_PATH_SEPARATOR (*q)) + break; + p_len = q - p; + p_next = (*q == '\0' ? 
q : q + 1); + if (p_len == 0) + { + /* empty path: current directory */ + if (getcwd (tmp, LT_PATHMAX) == NULL) + lt_fatal ("getcwd failed"); + tmp_len = strlen (tmp); + concat_name = + XMALLOC (char, tmp_len + 1 + strlen (wrapper) + 1); + memcpy (concat_name, tmp, tmp_len); + concat_name[tmp_len] = '/'; + strcpy (concat_name + tmp_len + 1, wrapper); + } + else + { + concat_name = + XMALLOC (char, p_len + 1 + strlen (wrapper) + 1); + memcpy (concat_name, p, p_len); + concat_name[p_len] = '/'; + strcpy (concat_name + p_len + 1, wrapper); + } + if (check_executable (concat_name)) + return concat_name; + XFREE (concat_name); + } + } + /* not found in PATH; assume curdir */ + } + /* Relative path | not found in path: prepend cwd */ + if (getcwd (tmp, LT_PATHMAX) == NULL) + lt_fatal ("getcwd failed"); + tmp_len = strlen (tmp); + concat_name = XMALLOC (char, tmp_len + 1 + strlen (wrapper) + 1); + memcpy (concat_name, tmp, tmp_len); + concat_name[tmp_len] = '/'; + strcpy (concat_name + tmp_len + 1, wrapper); - if test -n "$release"; then - $echo "$modename: warning: \`-release' is ignored for objects" 1>&2 - fi + if (check_executable (concat_name)) + return concat_name; + XFREE (concat_name); + return NULL; +} - case $output in - *.lo) - if test -n "$objs$old_deplibs"; then - $echo "$modename: cannot build library object \`$output' from non-libtool objects" 1>&2 - exit $EXIT_FAILURE - fi - libobj="$output" - obj=`$echo "X$output" | $Xsed -e "$lo2o"` - ;; - *) - libobj= - obj="$output" - ;; - esac +char * +chase_symlinks (const char *pathspec) +{ +#ifndef S_ISLNK + return xstrdup (pathspec); +#else + char buf[LT_PATHMAX]; + struct stat s; + char *tmp_pathspec = xstrdup (pathspec); + char *p; + int has_symlinks = 0; + while (strlen (tmp_pathspec) && !has_symlinks) + { + LTWRAPPER_DEBUGPRINTF (("checking path component for symlinks: %s\n", + tmp_pathspec)); + if (lstat (tmp_pathspec, &s) == 0) + { + if (S_ISLNK (s.st_mode) != 0) + { + has_symlinks = 1; + break; + } - # 
Delete the old objects. - $run $rm $obj $libobj + /* search backwards for last DIR_SEPARATOR */ + p = tmp_pathspec + strlen (tmp_pathspec) - 1; + while ((p > tmp_pathspec) && (!IS_DIR_SEPARATOR (*p))) + p--; + if ((p == tmp_pathspec) && (!IS_DIR_SEPARATOR (*p))) + { + /* no more DIR_SEPARATORS left */ + break; + } + *p = '\0'; + } + else + { + char *errstr = strerror (errno); + lt_fatal ("Error accessing file %s (%s)", tmp_pathspec, errstr); + } + } + XFREE (tmp_pathspec); - # Objects from convenience libraries. This assumes - # single-version convenience libraries. Whenever we create - # different ones for PIC/non-PIC, this we'll have to duplicate - # the extraction. - reload_conv_objs= - gentop= - # reload_cmds runs $LD directly, so let us get rid of - # -Wl from whole_archive_flag_spec and hope we can get by with - # turning comma into space.. - wl= + if (!has_symlinks) + { + return xstrdup (pathspec); + } - if test -n "$convenience"; then - if test -n "$whole_archive_flag_spec"; then - eval tmp_whole_archive_flags=\"$whole_archive_flag_spec\" - reload_conv_objs=$reload_objs\ `$echo "X$tmp_whole_archive_flags" | $Xsed -e 's|,| |g'` - else - gentop="$output_objdir/${obj}x" - generated="$generated $gentop" + tmp_pathspec = realpath (pathspec, buf); + if (tmp_pathspec == 0) + { + lt_fatal ("Could not follow symlinks for %s", pathspec); + } + return xstrdup (tmp_pathspec); +#endif +} - func_extract_archives $gentop $convenience - reload_conv_objs="$reload_objs $func_extract_archives_result" - fi - fi +char * +strendzap (char *str, const char *pat) +{ + size_t len, patlen; - # Create the old-style object. 
- reload_objs="$objs$old_deplibs "`$echo "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}$'/d' -e '/\.lib$/d' -e "$lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test + assert (str != NULL); + assert (pat != NULL); - output="$obj" - cmds=$reload_cmds - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - eval cmd=\"$cmd\" - $show "$cmd" - $run eval "$cmd" || exit $? - done - IFS="$save_ifs" + len = strlen (str); + patlen = strlen (pat); - # Exit if we aren't doing a library object file. - if test -z "$libobj"; then - if test -n "$gentop"; then - $show "${rm}r $gentop" - $run ${rm}r $gentop - fi + if (patlen <= len) + { + str += len - patlen; + if (strcmp (str, pat) == 0) + *str = '\0'; + } + return str; +} - exit $EXIT_SUCCESS - fi +static void +lt_error_core (int exit_status, const char *mode, + const char *message, va_list ap) +{ + fprintf (stderr, "%s: %s: ", program_name, mode); + vfprintf (stderr, message, ap); + fprintf (stderr, ".\n"); - if test "$build_libtool_libs" != yes; then - if test -n "$gentop"; then - $show "${rm}r $gentop" - $run ${rm}r $gentop - fi + if (exit_status >= 0) + exit (exit_status); +} - # Create an invalid libtool object if no PIC, so that we don't - # accidentally link it into a program. - # $show "echo timestamp > $libobj" - # $run eval "echo timestamp > $libobj" || exit $? - exit $EXIT_SUCCESS - fi +void +lt_fatal (const char *message, ...) +{ + va_list ap; + va_start (ap, message); + lt_error_core (EXIT_FAILURE, "FATAL", message, ap); + va_end (ap); +} - if test -n "$pic_flag" || test "$pic_mode" != default; then - # Only do commands if we really have different PIC objects. - reload_objs="$libobjs $reload_conv_objs" - output="$libobj" - cmds=$reload_cmds - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - eval cmd=\"$cmd\" - $show "$cmd" - $run eval "$cmd" || exit $? 
- done - IFS="$save_ifs" - fi +void +lt_setenv (const char *name, const char *value) +{ + LTWRAPPER_DEBUGPRINTF (("(lt_setenv) setting '%s' to '%s'\n", + (name ? name : ""), + (value ? value : ""))); + { +#ifdef HAVE_SETENV + /* always make a copy, for consistency with !HAVE_SETENV */ + char *str = xstrdup (value); + setenv (name, str, 1); +#else + int len = strlen (name) + 1 + strlen (value) + 1; + char *str = XMALLOC (char, len); + sprintf (str, "%s=%s", name, value); + if (putenv (str) != EXIT_SUCCESS) + { + XFREE (str); + } +#endif + } +} - if test -n "$gentop"; then - $show "${rm}r $gentop" - $run ${rm}r $gentop - fi +char * +lt_extend_str (const char *orig_value, const char *add, int to_end) +{ + char *new_value; + if (orig_value && *orig_value) + { + int orig_value_len = strlen (orig_value); + int add_len = strlen (add); + new_value = XMALLOC (char, add_len + orig_value_len + 1); + if (to_end) + { + strcpy (new_value, orig_value); + strcpy (new_value + orig_value_len, add); + } + else + { + strcpy (new_value, add); + strcpy (new_value + add_len, orig_value); + } + } + else + { + new_value = xstrdup (add); + } + return new_value; +} - exit $EXIT_SUCCESS - ;; +int +lt_split_name_value (const char *arg, char** name, char** value) +{ + const char *p; + int len; + if (!arg || !*arg) + return 1; - prog) - case $host in - *cygwin*) output=`$echo $output | ${SED} -e 's,.exe$,,;s,$,.exe,'` ;; - esac - if test -n "$vinfo"; then - $echo "$modename: warning: \`-version-info' is ignored for programs" 1>&2 - fi + p = strchr (arg, (int)'='); - if test -n "$release"; then - $echo "$modename: warning: \`-release' is ignored for programs" 1>&2 - fi + if (!p) + return 1; - if test "$preload" = yes; then - if test "$dlopen_support" = unknown && test "$dlopen_self" = unknown && - test "$dlopen_self_static" = unknown; then - $echo "$modename: warning: \`AC_LIBTOOL_DLOPEN' not used. Assuming no dlopen support." 
- fi - fi + *value = xstrdup (++p); - case $host in - *-*-rhapsody* | *-*-darwin1.[012]) - # On Rhapsody replace the C library is the System framework - compile_deplibs=`$echo "X $compile_deplibs" | $Xsed -e 's/ -lc / -framework System /'` - finalize_deplibs=`$echo "X $finalize_deplibs" | $Xsed -e 's/ -lc / -framework System /'` - ;; - esac + len = strlen (arg) - strlen (*value); + *name = XMALLOC (char, len); + strncpy (*name, arg, len-1); + (*name)[len - 1] = '\0'; - case $host in - *darwin*) - # Don't allow lazy linking, it breaks C++ global constructors - if test "$tagname" = CXX ; then - compile_command="$compile_command ${wl}-bind_at_load" - finalize_command="$finalize_command ${wl}-bind_at_load" - fi - ;; - esac + return 0; +} +void +lt_opt_process_env_set (const char *arg) +{ + char *name = NULL; + char *value = NULL; - # move library search paths that coincide with paths to not yet - # installed libraries to the beginning of the library search list - new_libs= - for path in $notinst_path; do - case " $new_libs " in - *" -L$path/$objdir "*) ;; - *) - case " $compile_deplibs " in - *" -L$path/$objdir "*) - new_libs="$new_libs -L$path/$objdir" ;; - esac - ;; - esac - done - for deplib in $compile_deplibs; do - case $deplib in - -L*) - case " $new_libs " in - *" $deplib "*) ;; - *) new_libs="$new_libs $deplib" ;; - esac - ;; - *) new_libs="$new_libs $deplib" ;; - esac - done - compile_deplibs="$new_libs" + if (lt_split_name_value (arg, &name, &value) != 0) + { + XFREE (name); + XFREE (value); + lt_fatal ("bad argument for %s: '%s'", env_set_opt, arg); + } + lt_setenv (name, value); + XFREE (name); + XFREE (value); +} - compile_command="$compile_command $compile_deplibs" - finalize_command="$finalize_command $finalize_deplibs" +void +lt_opt_process_env_prepend (const char *arg) +{ + char *name = NULL; + char *value = NULL; + char *new_value = NULL; - if test -n "$rpath$xrpath"; then - # If the user specified any rpath flags, then add them. 
- for libdir in $rpath $xrpath; do - # This is the magic to use -rpath. - case "$finalize_rpath " in - *" $libdir "*) ;; - *) finalize_rpath="$finalize_rpath $libdir" ;; - esac - done - fi + if (lt_split_name_value (arg, &name, &value) != 0) + { + XFREE (name); + XFREE (value); + lt_fatal ("bad argument for %s: '%s'", env_prepend_opt, arg); + } - # Now hardcode the library paths - rpath= - hardcode_libdirs= - for libdir in $compile_rpath $finalize_rpath; do - if test -n "$hardcode_libdir_flag_spec"; then - if test -n "$hardcode_libdir_separator"; then - if test -z "$hardcode_libdirs"; then - hardcode_libdirs="$libdir" - else - # Just accumulate the unique libdirs. - case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in - *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*) - ;; - *) - hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir" - ;; - esac - fi - else - eval flag=\"$hardcode_libdir_flag_spec\" - rpath="$rpath $flag" - fi - elif test -n "$runpath_var"; then - case "$perm_rpath " in - *" $libdir "*) ;; - *) perm_rpath="$perm_rpath $libdir" ;; - esac - fi - case $host in - *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*) - testbindir=`$echo "X$libdir" | $Xsed -e 's*/lib$*/bin*'` - case :$dllsearchpath: in - *":$libdir:"*) ;; - *) dllsearchpath="$dllsearchpath:$libdir";; - esac - case :$dllsearchpath: in - *":$testbindir:"*) ;; - *) dllsearchpath="$dllsearchpath:$testbindir";; - esac - ;; - esac - done - # Substitute the hardcoded libdirs into the rpath. 
- if test -n "$hardcode_libdir_separator" && - test -n "$hardcode_libdirs"; then - libdir="$hardcode_libdirs" - eval rpath=\" $hardcode_libdir_flag_spec\" - fi - compile_rpath="$rpath" + new_value = lt_extend_str (getenv (name), value, 0); + lt_setenv (name, new_value); + XFREE (new_value); + XFREE (name); + XFREE (value); +} - rpath= - hardcode_libdirs= - for libdir in $finalize_rpath; do - if test -n "$hardcode_libdir_flag_spec"; then - if test -n "$hardcode_libdir_separator"; then - if test -z "$hardcode_libdirs"; then - hardcode_libdirs="$libdir" - else - # Just accumulate the unique libdirs. - case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in - *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*) - ;; - *) - hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir" - ;; - esac - fi - else - eval flag=\"$hardcode_libdir_flag_spec\" - rpath="$rpath $flag" - fi - elif test -n "$runpath_var"; then - case "$finalize_perm_rpath " in - *" $libdir "*) ;; - *) finalize_perm_rpath="$finalize_perm_rpath $libdir" ;; - esac - fi - done - # Substitute the hardcoded libdirs into the rpath. - if test -n "$hardcode_libdir_separator" && - test -n "$hardcode_libdirs"; then - libdir="$hardcode_libdirs" - eval rpath=\" $hardcode_libdir_flag_spec\" - fi - finalize_rpath="$rpath" +void +lt_opt_process_env_append (const char *arg) +{ + char *name = NULL; + char *value = NULL; + char *new_value = NULL; - if test -n "$libobjs" && test "$build_old_libs" = yes; then - # Transform all the library objects into standard objects. 
- compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP` - finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP` - fi + if (lt_split_name_value (arg, &name, &value) != 0) + { + XFREE (name); + XFREE (value); + lt_fatal ("bad argument for %s: '%s'", env_append_opt, arg); + } - dlsyms= - if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then - if test -n "$NM" && test -n "$global_symbol_pipe"; then - dlsyms="${outputname}S.c" - else - $echo "$modename: not configured to extract global symbols from dlpreopened files" 1>&2 - fi - fi + new_value = lt_extend_str (getenv (name), value, 1); + lt_setenv (name, new_value); + XFREE (new_value); + XFREE (name); + XFREE (value); +} - if test -n "$dlsyms"; then - case $dlsyms in - "") ;; - *.c) - # Discover the nlist of each of the dlfiles. - nlist="$output_objdir/${outputname}.nm" +void +lt_update_exe_path (const char *name, const char *value) +{ + LTWRAPPER_DEBUGPRINTF (("(lt_update_exe_path) modifying '%s' by prepending '%s'\n", + (name ? name : ""), + (value ? value : ""))); - $show "$rm $nlist ${nlist}S ${nlist}T" - $run $rm "$nlist" "${nlist}S" "${nlist}T" + if (name && *name && value && *value) + { + char *new_value = lt_extend_str (getenv (name), value, 0); + /* some systems can't cope with a ':'-terminated path #' */ + int len = strlen (new_value); + while (((len = strlen (new_value)) > 0) && IS_PATH_SEPARATOR (new_value[len-1])) + { + new_value[len-1] = '\0'; + } + lt_setenv (name, new_value); + XFREE (new_value); + } +} - # Parse the name list into a source file. - $show "creating $output_objdir/$dlsyms" +void +lt_update_lib_path (const char *name, const char *value) +{ + LTWRAPPER_DEBUGPRINTF (("(lt_update_lib_path) modifying '%s' by prepending '%s'\n", + (name ? name : ""), + (value ? value : ""))); - test -z "$run" && $echo > "$output_objdir/$dlsyms" "\ -/* $dlsyms - symbol resolution table for \`$outputname' dlsym emulation. 
*/ -/* Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP */ + if (name && *name && value && *value) + { + char *new_value = lt_extend_str (getenv (name), value, 0); + lt_setenv (name, new_value); + XFREE (new_value); + } +} -#ifdef __cplusplus -extern \"C\" { -#endif -/* Prevent the only kind of declaration conflicts we can make. */ -#define lt_preloaded_symbols some_other_symbol +EOF +} +# end: func_emit_cwrapperexe_src -/* External symbol declarations for the compiler. */\ -" +# func_mode_link arg... +func_mode_link () +{ + $opt_debug + case $host in + *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*) + # It is impossible to link a dll without this setting, and + # we shouldn't force the makefile maintainer to figure out + # which system we are compiling for in order to pass an extra + # flag for every libtool invocation. + # allow_undefined=no - if test "$dlself" = yes; then - $show "generating symbol list for \`$output'" + # FIXME: Unfortunately, there are problems with the above when trying + # to make a dll which has undefined symbols, in which case not + # even a static library is built. For now, we need to specify + # -no-undefined on the libtool link line when we can be certain + # that all symbols are satisfied, otherwise we get a static library. + allow_undefined=yes + ;; + *) + allow_undefined=yes + ;; + esac + libtool_args=$nonopt + base_compile="$nonopt $@" + compile_command=$nonopt + finalize_command=$nonopt - test -z "$run" && $echo ': @PROGRAM@ ' > "$nlist" + compile_rpath= + finalize_rpath= + compile_shlibpath= + finalize_shlibpath= + convenience= + old_convenience= + deplibs= + old_deplibs= + compiler_flags= + linker_flags= + dllsearchpath= + lib_search_path=`pwd` + inst_prefix_dir= + new_inherited_linker_flags= - # Add our own program objects to the symbol list. 
- progfiles=`$echo "X$objs$old_deplibs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP` - for arg in $progfiles; do - $show "extracting global C symbols from \`$arg'" - $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'" - done + avoid_version=no + dlfiles= + dlprefiles= + dlself=no + export_dynamic=no + export_symbols= + export_symbols_regex= + generated= + libobjs= + ltlibs= + module=no + no_install=no + objs= + non_pic_objects= + precious_files_regex= + prefer_static_libs=no + preload=no + prev= + prevarg= + release= + rpath= + xrpath= + perm_rpath= + temp_rpath= + thread_safe=no + vinfo= + vinfo_number=no + weak_libs= + single_module="${wl}-single_module" + func_infer_tag $base_compile - if test -n "$exclude_expsyms"; then - $run eval '$EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T' - $run eval '$mv "$nlist"T "$nlist"' - fi - - if test -n "$export_symbols_regex"; then - $run eval '$EGREP -e "$export_symbols_regex" "$nlist" > "$nlist"T' - $run eval '$mv "$nlist"T "$nlist"' - fi - - # Prepare the list of exported symbols - if test -z "$export_symbols"; then - export_symbols="$output_objdir/$outputname.exp" - $run $rm $export_symbols - $run eval "${SED} -n -e '/^: @PROGRAM@ $/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"' - case $host in - *cygwin* | *mingw* ) - $run eval "echo EXPORTS "'> "$output_objdir/$outputname.def"' - $run eval 'cat "$export_symbols" >> "$output_objdir/$outputname.def"' - ;; - esac - else - $run eval "${SED} -e 's/\([].[*^$]\)/\\\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$outputname.exp"' - $run eval 'grep -f "$output_objdir/$outputname.exp" < "$nlist" > "$nlist"T' - $run eval 'mv "$nlist"T "$nlist"' - case $host in - *cygwin* | *mingw* ) - $run eval "echo EXPORTS "'> "$output_objdir/$outputname.def"' - $run eval 'cat "$nlist" >> "$output_objdir/$outputname.def"' - ;; - esac - fi + # We need to know -static, to get the right output filenames. 
+ for arg + do + case $arg in + -shared) + test "$build_libtool_libs" != yes && \ + func_fatal_configuration "can not build a shared library" + build_old_libs=no + break + ;; + -all-static | -static | -static-libtool-libs) + case $arg in + -all-static) + if test "$build_libtool_libs" = yes && test -z "$link_static_flag"; then + func_warning "complete static linking is impossible in this configuration" fi - - for arg in $dlprefiles; do - $show "extracting global C symbols from \`$arg'" - name=`$echo "$arg" | ${SED} -e 's%^.*/%%'` - $run eval '$echo ": $name " >> "$nlist"' - $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'" - done - - if test -z "$run"; then - # Make sure we have at least an empty file. - test -f "$nlist" || : > "$nlist" - - if test -n "$exclude_expsyms"; then - $EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T - $mv "$nlist"T "$nlist" - fi - - # Try sorting and uniquifying the output. - if grep -v "^: " < "$nlist" | - if sort -k 3 /dev/null 2>&1; then - sort -k 3 - else - sort +2 - fi | - uniq > "$nlist"S; then - : - else - grep -v "^: " < "$nlist" > "$nlist"S - fi - - if test -f "$nlist"S; then - eval "$global_symbol_to_cdecl"' < "$nlist"S >> "$output_objdir/$dlsyms"' - else - $echo '/* NONE */' >> "$output_objdir/$dlsyms" - fi - - $echo >> "$output_objdir/$dlsyms" "\ - -#undef lt_preloaded_symbols - -#if defined (__STDC__) && __STDC__ -# define lt_ptr void * -#else -# define lt_ptr char * -# define const -#endif - -/* The mapping between symbol names and symbols. 
*/ -" - - case $host in - *cygwin* | *mingw* ) - $echo >> "$output_objdir/$dlsyms" "\ -/* DATA imports from DLLs on WIN32 can't be const, because - runtime relocations are performed -- see ld's documentation - on pseudo-relocs */ -struct { -" - ;; - * ) - $echo >> "$output_objdir/$dlsyms" "\ -const struct { -" - ;; - esac - - - $echo >> "$output_objdir/$dlsyms" "\ - const char *name; - lt_ptr address; -} -lt_preloaded_symbols[] = -{\ -" - - eval "$global_symbol_to_c_name_address" < "$nlist" >> "$output_objdir/$dlsyms" - - $echo >> "$output_objdir/$dlsyms" "\ - {0, (lt_ptr) 0} -}; - -/* This works around a problem in FreeBSD linker */ -#ifdef FREEBSD_WORKAROUND -static const void *lt_preloaded_setup() { - return lt_preloaded_symbols; -} -#endif - -#ifdef __cplusplus -} -#endif\ -" + if test -n "$link_static_flag"; then + dlopen_self=$dlopen_self_static fi - - pic_flag_for_symtable= - case $host in - # compiling the symbol table file with pic_flag works around - # a FreeBSD bug that causes programs to crash when -lm is - # linked before any other PIC object. But we must not use - # pic_flag when linking with -static. The problem exists in - # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1. - *-*-freebsd2*|*-*-freebsd3.0*|*-*-freebsdelf3.0*) - case "$compile_command " in - *" -static "*) ;; - *) pic_flag_for_symtable=" $pic_flag -DFREEBSD_WORKAROUND";; - esac;; - *-*-hpux*) - case "$compile_command " in - *" -static "*) ;; - *) pic_flag_for_symtable=" $pic_flag";; - esac - esac - - # Now compile the dynamic symbol file. - $show "(cd $output_objdir && $LTCC $LTCFLAGS -c$no_builtin_flag$pic_flag_for_symtable \"$dlsyms\")" - $run eval '(cd $output_objdir && $LTCC $LTCFLAGS -c$no_builtin_flag$pic_flag_for_symtable "$dlsyms")' || exit $? - - # Clean up the generated files. - $show "$rm $output_objdir/$dlsyms $nlist ${nlist}S ${nlist}T" - $run $rm "$output_objdir/$dlsyms" "$nlist" "${nlist}S" "${nlist}T" - - # Transform the symbol file into the correct name. 
- case $host in - *cygwin* | *mingw* ) - if test -f "$output_objdir/${outputname}.def" ; then - compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}.def $output_objdir/${outputname}S.${objext}%" | $NL2SP` - finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}.def $output_objdir/${outputname}S.${objext}%" | $NL2SP` - else - compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%" | $NL2SP` - finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%" | $NL2SP` - fi - ;; - * ) - compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%" | $NL2SP` - finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%" | $NL2SP` - ;; - esac + prefer_static_libs=yes ;; - *) - $echo "$modename: unknown suffix for \`$dlsyms'" 1>&2 - exit $EXIT_FAILURE + -static) + if test -z "$pic_flag" && test -n "$link_static_flag"; then + dlopen_self=$dlopen_self_static + fi + prefer_static_libs=built + ;; + -static-libtool-libs) + if test -z "$pic_flag" && test -n "$link_static_flag"; then + dlopen_self=$dlopen_self_static + fi + prefer_static_libs=yes ;; esac - else - # We keep going just in case the user didn't refer to - # lt_preloaded_symbols. The linker will fail if global_symbol_pipe - # really was required. - - # Nullify the symbol file. - compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "s% @SYMFILE@%%" | $NL2SP` - finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "s% @SYMFILE@%%" | $NL2SP` - fi - - if test "$need_relink" = no || test "$build_libtool_libs" != yes; then - # Replace the output file specification. 
- compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e 's%@OUTPUT@%'"$output"'%g' | $NL2SP` - link_command="$compile_command$compile_rpath" + build_libtool_libs=no + build_old_libs=yes + break + ;; + esac + done - # We have no uninstalled library dependencies, so finalize right now. - $show "$link_command" - $run eval "$link_command" - exit_status=$? + # See if our shared archives depend on static archives. + test -n "$old_archive_from_new_cmds" && build_old_libs=yes - # Delete the generated files. - if test -n "$dlsyms"; then - $show "$rm $output_objdir/${outputname}S.${objext}" - $run $rm "$output_objdir/${outputname}S.${objext}" - fi + # Go through the arguments, transforming them on the way. + while test "$#" -gt 0; do + arg="$1" + shift + func_quote_for_eval "$arg" + qarg=$func_quote_for_eval_unquoted_result + func_append libtool_args " $func_quote_for_eval_result" - exit $exit_status - fi + # If the previous option needs an argument, assign it. + if test -n "$prev"; then + case $prev in + output) + func_append compile_command " @OUTPUT@" + func_append finalize_command " @OUTPUT@" + ;; + esac - if test -n "$shlibpath_var"; then - # We should set the shlibpath_var - rpath= - for dir in $temp_rpath; do - case $dir in - [\\/]* | [A-Za-z]:[\\/]*) - # Absolute path. - rpath="$rpath$dir:" + case $prev in + dlfiles|dlprefiles) + if test "$preload" = no; then + # Add the symbol object into the linking commands. + func_append compile_command " @SYMFILE@" + func_append finalize_command " @SYMFILE@" + preload=yes + fi + case $arg in + *.la | *.lo) ;; # We handle these cases below. + force) + if test "$dlself" = no; then + dlself=needless + export_dynamic=yes + fi + prev= + continue + ;; + self) + if test "$prev" = dlprefiles; then + dlself=yes + elif test "$prev" = dlfiles && test "$dlopen_self" != yes; then + dlself=yes + else + dlself=needless + export_dynamic=yes + fi + prev= + continue ;; *) - # Relative path: add a thisdir entry. 
- rpath="$rpath\$thisdir/$dir:" + if test "$prev" = dlfiles; then + dlfiles="$dlfiles $arg" + else + dlprefiles="$dlprefiles $arg" + fi + prev= + continue ;; esac - done - temp_rpath="$rpath" - fi + ;; + expsyms) + export_symbols="$arg" + test -f "$arg" \ + || func_fatal_error "symbol file \`$arg' does not exist" + prev= + continue + ;; + expsyms_regex) + export_symbols_regex="$arg" + prev= + continue + ;; + framework) + case $host in + *-*-darwin*) + case "$deplibs " in + *" $qarg.ltframework "*) ;; + *) deplibs="$deplibs $qarg.ltframework" # this is fixed later + ;; + esac + ;; + esac + prev= + continue + ;; + inst_prefix) + inst_prefix_dir="$arg" + prev= + continue + ;; + objectlist) + if test -f "$arg"; then + save_arg=$arg + moreargs= + for fil in `cat "$save_arg"` + do +# moreargs="$moreargs $fil" + arg=$fil + # A libtool-controlled object. - if test -n "$compile_shlibpath$finalize_shlibpath"; then - compile_command="$shlibpath_var=\"$compile_shlibpath$finalize_shlibpath\$$shlibpath_var\" $compile_command" - fi - if test -n "$finalize_shlibpath"; then - finalize_command="$shlibpath_var=\"$finalize_shlibpath\$$shlibpath_var\" $finalize_command" - fi + # Check to see that this really is a libtool object. + if func_lalib_unsafe_p "$arg"; then + pic_object= + non_pic_object= - compile_var= - finalize_var= - if test -n "$runpath_var"; then - if test -n "$perm_rpath"; then - # We should set the runpath_var. - rpath= - for dir in $perm_rpath; do - rpath="$rpath$dir:" - done - compile_var="$runpath_var=\"$rpath\$$runpath_var\" " - fi - if test -n "$finalize_perm_rpath"; then - # We should set the runpath_var. - rpath= - for dir in $finalize_perm_rpath; do - rpath="$rpath$dir:" - done - finalize_var="$runpath_var=\"$rpath\$$runpath_var\" " - fi - fi + # Read the .lo file + func_source "$arg" - if test "$no_install" = yes; then - # We don't need to create a wrapper script. 
- link_command="$compile_var$compile_command$compile_rpath" - # Replace the output file specification. - link_command=`$echo "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'` - # Delete the old output file. - $run $rm $output - # Link the executable and exit - $show "$link_command" - $run eval "$link_command" || exit $? - exit $EXIT_SUCCESS - fi + if test -z "$pic_object" || + test -z "$non_pic_object" || + test "$pic_object" = none && + test "$non_pic_object" = none; then + func_fatal_error "cannot find name of object for \`$arg'" + fi - if test "$hardcode_action" = relink; then - # Fast installation is not supported - link_command="$compile_var$compile_command$compile_rpath" - relink_command="$finalize_var$finalize_command$finalize_rpath" + # Extract subdirectory from the argument. + func_dirname "$arg" "/" "" + xdir="$func_dirname_result" - $echo "$modename: warning: this platform does not like uninstalled shared libraries" 1>&2 - $echo "$modename: \`$output' will be relinked during installation" 1>&2 - else - if test "$fast_install" != no; then - link_command="$finalize_var$compile_command$finalize_rpath" - if test "$fast_install" = yes; then - relink_command=`$echo "X$compile_var$compile_command$compile_rpath" | $SP2NL | $Xsed -e 's%@OUTPUT@%\$progdir/\$file%g' | $NL2SP` - else - # fast_install is set to needless - relink_command= - fi - else - link_command="$compile_var$compile_command$compile_rpath" - relink_command="$finalize_var$finalize_command$finalize_rpath" - fi - fi + if test "$pic_object" != none; then + # Prepend the subdirectory the object is found in. + pic_object="$xdir$pic_object" - # Replace the output file specification. 
- link_command=`$echo "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'` + if test "$prev" = dlfiles; then + if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then + dlfiles="$dlfiles $pic_object" + prev= + continue + else + # If libtool objects are unsupported, then we need to preload. + prev=dlprefiles + fi + fi - # Delete the old output files. - $run $rm $output $output_objdir/$outputname $output_objdir/lt-$outputname + # CHECK ME: I think I busted this. -Ossama + if test "$prev" = dlprefiles; then + # Preload the old-style object. + dlprefiles="$dlprefiles $pic_object" + prev= + fi - $show "$link_command" - $run eval "$link_command" || exit $? + # A PIC object. + func_append libobjs " $pic_object" + arg="$pic_object" + fi - # Now create the wrapper script. - $show "creating $output" + # Non-PIC object. + if test "$non_pic_object" != none; then + # Prepend the subdirectory the object is found in. + non_pic_object="$xdir$non_pic_object" - # Quote the relink command for shipping. - if test -n "$relink_command"; then - # Preserve any variables that may affect compiler behavior - for var in $variables_saved_for_relink; do - if eval test -z \"\${$var+set}\"; then - relink_command="{ test -z \"\${$var+set}\" || unset $var || { $var=; export $var; }; }; $relink_command" - elif eval var_value=\$$var; test -z "$var_value"; then - relink_command="$var=; export $var; $relink_command" + # A standard non-PIC object + func_append non_pic_objects " $non_pic_object" + if test -z "$pic_object" || test "$pic_object" = none ; then + arg="$non_pic_object" + fi + else + # If the PIC object exists, use it instead. + # $xdir was prepended to $pic_object above. + non_pic_object="$pic_object" + func_append non_pic_objects " $non_pic_object" + fi + else + # Only an error if not doing a dry-run. + if $opt_dry_run; then + # Extract subdirectory from the argument. 
+ func_dirname "$arg" "/" "" + xdir="$func_dirname_result" + + func_lo2o "$arg" + pic_object=$xdir$objdir/$func_lo2o_result + non_pic_object=$xdir$func_lo2o_result + func_append libobjs " $pic_object" + func_append non_pic_objects " $non_pic_object" + else + func_fatal_error "\`$arg' is not a valid libtool object" + fi + fi + done else - var_value=`$echo "X$var_value" | $Xsed -e "$sed_quote_subst"` - relink_command="$var=\"$var_value\"; export $var; $relink_command" + func_fatal_error "link input file \`$arg' does not exist" fi - done - relink_command="(cd `pwd`; $relink_command)" - relink_command=`$echo "X$relink_command" | $SP2NL | $Xsed -e "$sed_quote_subst" | $NL2SP` - fi - - # Quote $echo for shipping. - if test "X$echo" = "X$SHELL $progpath --fallback-echo"; then - case $progpath in - [\\/]* | [A-Za-z]:[\\/]*) qecho="$SHELL $progpath --fallback-echo";; - *) qecho="$SHELL `pwd`/$progpath --fallback-echo";; - esac - qecho=`$echo "X$qecho" | $Xsed -e "$sed_quote_subst"` - else - qecho=`$echo "X$echo" | $Xsed -e "$sed_quote_subst"` - fi - - # Only actually do things if our run command is non-null. - if test -z "$run"; then - # win32 will think the script is a binary if it has - # a .exe suffix, so we strip it off here. - case $output in - *.exe) output=`$echo $output|${SED} 's,.exe$,,'` ;; - esac - # test for cygwin because mv fails w/o .exe extensions - case $host in - *cygwin*) - exeext=.exe - outputname=`$echo $outputname|${SED} 's,.exe$,,'` ;; - *) exeext= ;; + arg=$save_arg + prev= + continue + ;; + precious_regex) + precious_files_regex="$arg" + prev= + continue + ;; + release) + release="-$arg" + prev= + continue + ;; + rpath | xrpath) + # We need an absolute path. 
+ case $arg in + [\\/]* | [A-Za-z]:[\\/]*) ;; + *) + func_fatal_error "only absolute run-paths are allowed" + ;; + esac + if test "$prev" = rpath; then + case "$rpath " in + *" $arg "*) ;; + *) rpath="$rpath $arg" ;; + esac + else + case "$xrpath " in + *" $arg "*) ;; + *) xrpath="$xrpath $arg" ;; + esac + fi + prev= + continue + ;; + shrext) + shrext_cmds="$arg" + prev= + continue + ;; + weak) + weak_libs="$weak_libs $arg" + prev= + continue + ;; + xcclinker) + linker_flags="$linker_flags $qarg" + compiler_flags="$compiler_flags $qarg" + prev= + func_append compile_command " $qarg" + func_append finalize_command " $qarg" + continue + ;; + xcompiler) + compiler_flags="$compiler_flags $qarg" + prev= + func_append compile_command " $qarg" + func_append finalize_command " $qarg" + continue + ;; + xlinker) + linker_flags="$linker_flags $qarg" + compiler_flags="$compiler_flags $wl$qarg" + prev= + func_append compile_command " $wl$qarg" + func_append finalize_command " $wl$qarg" + continue + ;; + *) + eval "$prev=\"\$arg\"" + prev= + continue + ;; esac - case $host in - *cygwin* | *mingw* ) - output_name=`basename $output` - output_path=`dirname $output` - cwrappersource="$output_path/$objdir/lt-$output_name.c" - cwrapper="$output_path/$output_name.exe" - $rm $cwrappersource $cwrapper - trap "$rm $cwrappersource $cwrapper; exit $EXIT_FAILURE" 1 2 15 - - cat > $cwrappersource <> $cwrappersource<<"EOF" -#include -#include -#include -#include -#include -#include -#include -#include -#include + prevarg="$arg" -#if defined(PATH_MAX) -# define LT_PATHMAX PATH_MAX -#elif defined(MAXPATHLEN) -# define LT_PATHMAX MAXPATHLEN -#else -# define LT_PATHMAX 1024 -#endif + case $arg in + -all-static) + if test -n "$link_static_flag"; then + # See comment for -static flag below, for more details. 
+ func_append compile_command " $link_static_flag" + func_append finalize_command " $link_static_flag" + fi + continue + ;; -#ifndef DIR_SEPARATOR -# define DIR_SEPARATOR '/' -# define PATH_SEPARATOR ':' -#endif + -allow-undefined) + # FIXME: remove this flag sometime in the future. + func_fatal_error "\`-allow-undefined' must not be used because it is the default" + ;; -#if defined (_WIN32) || defined (__MSDOS__) || defined (__DJGPP__) || \ - defined (__OS2__) -# define HAVE_DOS_BASED_FILE_SYSTEM -# ifndef DIR_SEPARATOR_2 -# define DIR_SEPARATOR_2 '\\' -# endif -# ifndef PATH_SEPARATOR_2 -# define PATH_SEPARATOR_2 ';' -# endif -#endif + -avoid-version) + avoid_version=yes + continue + ;; -#ifndef DIR_SEPARATOR_2 -# define IS_DIR_SEPARATOR(ch) ((ch) == DIR_SEPARATOR) -#else /* DIR_SEPARATOR_2 */ -# define IS_DIR_SEPARATOR(ch) \ - (((ch) == DIR_SEPARATOR) || ((ch) == DIR_SEPARATOR_2)) -#endif /* DIR_SEPARATOR_2 */ + -dlopen) + prev=dlfiles + continue + ;; -#ifndef PATH_SEPARATOR_2 -# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR) -#else /* PATH_SEPARATOR_2 */ -# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR_2) -#endif /* PATH_SEPARATOR_2 */ + -dlpreopen) + prev=dlprefiles + continue + ;; -#define XMALLOC(type, num) ((type *) xmalloc ((num) * sizeof(type))) -#define XFREE(stale) do { \ - if (stale) { free ((void *) stale); stale = 0; } \ -} while (0) + -export-dynamic) + export_dynamic=yes + continue + ;; -/* -DDEBUG is fairly common in CFLAGS. */ -#undef DEBUG -#if defined DEBUGWRAPPER -# define DEBUG(format, ...) fprintf(stderr, format, __VA_ARGS__) -#else -# define DEBUG(format, ...) 
-#endif + -export-symbols | -export-symbols-regex) + if test -n "$export_symbols" || test -n "$export_symbols_regex"; then + func_fatal_error "more than one -exported-symbols argument is not allowed" + fi + if test "X$arg" = "X-export-symbols"; then + prev=expsyms + else + prev=expsyms_regex + fi + continue + ;; -const char *program_name = NULL; + -framework) + prev=framework + continue + ;; -void * xmalloc (size_t num); -char * xstrdup (const char *string); -const char * base_name (const char *name); -char * find_executable(const char *wrapper); -int check_executable(const char *path); -char * strendzap(char *str, const char *pat); -void lt_fatal (const char *message, ...); + -inst-prefix-dir) + prev=inst_prefix + continue + ;; -int -main (int argc, char *argv[]) -{ - char **newargz; - int i; + # The native IRIX linker understands -LANG:*, -LIST:* and -LNO:* + # so, if we see these flags be careful not to treat them like -L + -L[A-Z][A-Z]*:*) + case $with_gcc/$host in + no/*-*-irix* | /*-*-irix*) + func_append compile_command " $arg" + func_append finalize_command " $arg" + ;; + esac + continue + ;; - program_name = (char *) xstrdup (base_name (argv[0])); - DEBUG("(main) argv[0] : %s\n",argv[0]); - DEBUG("(main) program_name : %s\n",program_name); - newargz = XMALLOC(char *, argc+2); -EOF + -L*) + func_stripname '-L' '' "$arg" + dir=$func_stripname_result + if test -z "$dir"; then + if test "$#" -gt 0; then + func_fatal_error "require no space between \`-L' and \`$1'" + else + func_fatal_error "need path for \`-L' option" + fi + fi + # We need an absolute path. 
+ case $dir in + [\\/]* | [A-Za-z]:[\\/]*) ;; + *) + absdir=`cd "$dir" && pwd` + test -z "$absdir" && \ + func_fatal_error "cannot determine absolute directory name of \`$dir'" + dir="$absdir" + ;; + esac + case "$deplibs " in + *" -L$dir "*) ;; + *) + deplibs="$deplibs -L$dir" + lib_search_path="$lib_search_path $dir" + ;; + esac + case $host in + *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*) + testbindir=`$ECHO "X$dir" | $Xsed -e 's*/lib$*/bin*'` + case :$dllsearchpath: in + *":$dir:"*) ;; + ::) dllsearchpath=$dir;; + *) dllsearchpath="$dllsearchpath:$dir";; + esac + case :$dllsearchpath: in + *":$testbindir:"*) ;; + ::) dllsearchpath=$testbindir;; + *) dllsearchpath="$dllsearchpath:$testbindir";; + esac + ;; + esac + continue + ;; - cat >> $cwrappersource <> $cwrappersource <<"EOF" - newargz[1] = find_executable(argv[0]); - if (newargz[1] == NULL) - lt_fatal("Couldn't find %s", argv[0]); - DEBUG("(main) found exe at : %s\n",newargz[1]); - /* we know the script has the same name, without the .exe */ - /* so make sure newargz[1] doesn't end in .exe */ - strendzap(newargz[1],".exe"); - for (i = 1; i < argc; i++) - newargz[i+1] = xstrdup(argv[i]); - newargz[argc+1] = NULL; + -module) + module=yes + continue + ;; - for (i=0; i> $cwrappersource <> $cwrappersource <> $cwrappersource <<"EOF" - return 127; -} + -no-fast-install) + fast_install=no + continue + ;; -void * -xmalloc (size_t num) -{ - void * p = (void *) malloc (num); - if (!p) - lt_fatal ("Memory exhausted"); + -no-install) + case $host in + *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-darwin* | *-cegcc*) + # The PATH hackery in wrapper scripts is required on Windows + # and Darwin in order for the loader to find any dlls it needs. 
+ func_warning "\`-no-install' is ignored for $host" + func_warning "assuming \`-no-fast-install' instead" + fast_install=no + ;; + *) no_install=yes ;; + esac + continue + ;; - return p; -} + -no-undefined) + allow_undefined=no + continue + ;; -char * -xstrdup (const char *string) -{ - return string ? strcpy ((char *) xmalloc (strlen (string) + 1), string) : NULL -; -} + -objectlist) + prev=objectlist + continue + ;; -const char * -base_name (const char *name) -{ - const char *base; + -o) prev=output ;; -#if defined (HAVE_DOS_BASED_FILE_SYSTEM) - /* Skip over the disk name in MSDOS pathnames. */ - if (isalpha ((unsigned char)name[0]) && name[1] == ':') - name += 2; -#endif + -precious-files-regex) + prev=precious_regex + continue + ;; - for (base = name; *name; name++) - if (IS_DIR_SEPARATOR (*name)) - base = name + 1; - return base; -} + -release) + prev=release + continue + ;; -int -check_executable(const char * path) -{ - struct stat st; + -rpath) + prev=rpath + continue + ;; - DEBUG("(check_executable) : %s\n", path ? (*path ? path : "EMPTY!") : "NULL!"); - if ((!path) || (!*path)) - return 0; + -R) + prev=xrpath + continue + ;; - if ((stat (path, &st) >= 0) && - ( - /* MinGW & native WIN32 do not support S_IXOTH or S_IXGRP */ -#if defined (S_IXOTH) - ((st.st_mode & S_IXOTH) == S_IXOTH) || -#endif -#if defined (S_IXGRP) - ((st.st_mode & S_IXGRP) == S_IXGRP) || -#endif - ((st.st_mode & S_IXUSR) == S_IXUSR)) - ) - return 1; - else - return 0; -} + -R*) + func_stripname '-R' '' "$arg" + dir=$func_stripname_result + # We need an absolute path. + case $dir in + [\\/]* | [A-Za-z]:[\\/]*) ;; + *) + func_fatal_error "only absolute run-paths are allowed" + ;; + esac + case "$xrpath " in + *" $dir "*) ;; + *) xrpath="$xrpath $dir" ;; + esac + continue + ;; -/* Searches for the full path of the wrapper. 
Returns - newly allocated full path name if found, NULL otherwise */ -char * -find_executable (const char* wrapper) -{ - int has_slash = 0; - const char* p; - const char* p_next; - /* static buffer for getcwd */ - char tmp[LT_PATHMAX + 1]; - int tmp_len; - char* concat_name; + -shared) + # The effects of -shared are defined in a previous loop. + continue + ;; - DEBUG("(find_executable) : %s\n", wrapper ? (*wrapper ? wrapper : "EMPTY!") : "NULL!"); + -shrext) + prev=shrext + continue + ;; - if ((wrapper == NULL) || (*wrapper == '\0')) - return NULL; + -static | -static-libtool-libs) + # The effects of -static are defined in a previous loop. + # We used to do the same as -all-static on platforms that + # didn't have a PIC flag, but the assumption that the effects + # would be equivalent was wrong. It would break on at least + # Digital Unix and AIX. + continue + ;; - /* Absolute path? */ -#if defined (HAVE_DOS_BASED_FILE_SYSTEM) - if (isalpha ((unsigned char)wrapper[0]) && wrapper[1] == ':') - { - concat_name = xstrdup (wrapper); - if (check_executable(concat_name)) - return concat_name; - XFREE(concat_name); - } - else - { -#endif - if (IS_DIR_SEPARATOR (wrapper[0])) - { - concat_name = xstrdup (wrapper); - if (check_executable(concat_name)) - return concat_name; - XFREE(concat_name); - } -#if defined (HAVE_DOS_BASED_FILE_SYSTEM) - } -#endif + -thread-safe) + thread_safe=yes + continue + ;; - for (p = wrapper; *p; p++) - if (*p == '/') - { - has_slash = 1; - break; - } - if (!has_slash) - { - /* no slashes; search PATH */ - const char* path = getenv ("PATH"); - if (path != NULL) - { - for (p = path; *p; p = p_next) - { - const char* q; - size_t p_len; - for (q = p; *q; q++) - if (IS_PATH_SEPARATOR(*q)) - break; - p_len = q - p; - p_next = (*q == '\0' ? 
q : q + 1); - if (p_len == 0) - { - /* empty path: current directory */ - if (getcwd (tmp, LT_PATHMAX) == NULL) - lt_fatal ("getcwd failed"); - tmp_len = strlen(tmp); - concat_name = XMALLOC(char, tmp_len + 1 + strlen(wrapper) + 1); - memcpy (concat_name, tmp, tmp_len); - concat_name[tmp_len] = '/'; - strcpy (concat_name + tmp_len + 1, wrapper); - } - else - { - concat_name = XMALLOC(char, p_len + 1 + strlen(wrapper) + 1); - memcpy (concat_name, p, p_len); - concat_name[p_len] = '/'; - strcpy (concat_name + p_len + 1, wrapper); - } - if (check_executable(concat_name)) - return concat_name; - XFREE(concat_name); - } - } - /* not found in PATH; assume curdir */ - } - /* Relative path | not found in path: prepend cwd */ - if (getcwd (tmp, LT_PATHMAX) == NULL) - lt_fatal ("getcwd failed"); - tmp_len = strlen(tmp); - concat_name = XMALLOC(char, tmp_len + 1 + strlen(wrapper) + 1); - memcpy (concat_name, tmp, tmp_len); - concat_name[tmp_len] = '/'; - strcpy (concat_name + tmp_len + 1, wrapper); + -version-info) + prev=vinfo + continue + ;; - if (check_executable(concat_name)) - return concat_name; - XFREE(concat_name); - return NULL; -} + -version-number) + prev=vinfo + vinfo_number=yes + continue + ;; -char * -strendzap(char *str, const char *pat) -{ - size_t len, patlen; + -weak) + prev=weak + continue + ;; - assert(str != NULL); - assert(pat != NULL); + -Wc,*) + func_stripname '-Wc,' '' "$arg" + args=$func_stripname_result + arg= + save_ifs="$IFS"; IFS=',' + for flag in $args; do + IFS="$save_ifs" + func_quote_for_eval "$flag" + arg="$arg $wl$func_quote_for_eval_result" + compiler_flags="$compiler_flags $func_quote_for_eval_result" + done + IFS="$save_ifs" + func_stripname ' ' '' "$arg" + arg=$func_stripname_result + ;; - len = strlen(str); - patlen = strlen(pat); + -Wl,*) + func_stripname '-Wl,' '' "$arg" + args=$func_stripname_result + arg= + save_ifs="$IFS"; IFS=',' + for flag in $args; do + IFS="$save_ifs" + func_quote_for_eval "$flag" + arg="$arg 
$wl$func_quote_for_eval_result" + compiler_flags="$compiler_flags $wl$func_quote_for_eval_result" + linker_flags="$linker_flags $func_quote_for_eval_result" + done + IFS="$save_ifs" + func_stripname ' ' '' "$arg" + arg=$func_stripname_result + ;; - if (patlen <= len) - { - str += len - patlen; - if (strcmp(str, pat) == 0) - *str = '\0'; - } - return str; -} + -Xcompiler) + prev=xcompiler + continue + ;; -static void -lt_error_core (int exit_status, const char * mode, - const char * message, va_list ap) -{ - fprintf (stderr, "%s: %s: ", program_name, mode); - vfprintf (stderr, message, ap); - fprintf (stderr, ".\n"); + -Xlinker) + prev=xlinker + continue + ;; - if (exit_status >= 0) - exit (exit_status); -} + -XCClinker) + prev=xcclinker + continue + ;; -void -lt_fatal (const char *message, ...) -{ - va_list ap; - va_start (ap, message); - lt_error_core (EXIT_FAILURE, "FATAL", message, ap); - va_end (ap); -} -EOF - # we should really use a build-platform specific compiler - # here, but OTOH, the wrappers (shell script and this C one) - # are only useful if you want to execute the "real" binary. - # Since the "real" binary is built for $host, then this - # wrapper might as well be built for $host, too. - $run $LTCC $LTCFLAGS -s -o $cwrapper $cwrappersource - ;; - esac - $rm $output - trap "$rm $output; exit $EXIT_FAILURE" 1 2 15 + # -msg_* for osf cc + -msg_*) + func_quote_for_eval "$arg" + arg="$func_quote_for_eval_result" + ;; - $echo > $output "\ -#! 
$SHELL + # -64, -mips[0-9] enable 64-bit mode on the SGI compiler + # -r[0-9][0-9]* specifies the processor on the SGI compiler + # -xarch=*, -xtarget=* enable 64-bit mode on the Sun compiler + # +DA*, +DD* enable 64-bit mode on the HP compiler + # -q* pass through compiler args for the IBM compiler + # -m*, -t[45]*, -txscale* pass through architecture-specific + # compiler args for GCC + # -F/path gives path to uninstalled frameworks, gcc on darwin + # -p, -pg, --coverage, -fprofile-* pass through profiling flag for GCC + # @file GCC response files + -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \ + -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*) + func_quote_for_eval "$arg" + arg="$func_quote_for_eval_result" + func_append compile_command " $arg" + func_append finalize_command " $arg" + compiler_flags="$compiler_flags $arg" + continue + ;; -# $output - temporary wrapper script for $objdir/$outputname -# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP -# -# The $output program cannot be directly executed until all the libtool -# libraries that it depends on are installed. -# -# This wrapper script should never be moved out of the build directory. -# If it is, it will not operate correctly. + # Some other compiler flag. + -* | +*) + func_quote_for_eval "$arg" + arg="$func_quote_for_eval_result" + ;; -# Sed substitution that helps us do robust quoting. It backslashifies -# metacharacters that are still active within double-quoted strings. -Xsed='${SED} -e 1s/^X//' -sed_quote_subst='$sed_quote_subst' + *.$objext) + # A standard object. + objs="$objs $arg" + ;; -# Be Bourne compatible (taken from Autoconf:_AS_BOURNE_COMPATIBLE). -if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then - emulate sh - NULLCMD=: - # Zsh 3.x and 4.x performs word splitting on \${1+\"\$@\"}, which - # is contrary to our usage. Disable this feature. 
- alias -g '\${1+\"\$@\"}'='\"\$@\"' - setopt NO_GLOB_SUBST -else - case \`(set -o) 2>/dev/null\` in *posix*) set -o posix;; esac -fi + *.lo) + # A libtool-controlled object. -# The HP-UX ksh and POSIX shell print the target directory to stdout -# if CDPATH is set. -(unset CDPATH) >/dev/null 2>&1 && unset CDPATH + # Check to see that this really is a libtool object. + if func_lalib_unsafe_p "$arg"; then + pic_object= + non_pic_object= -relink_command=\"$relink_command\" + # Read the .lo file + func_source "$arg" -# This environment variable determines our operation mode. -if test \"\$libtool_install_magic\" = \"$magic\"; then - # install mode needs the following variable: - notinst_deplibs='$notinst_deplibs' -else - # When we are sourced in execute mode, \$file and \$echo are already set. - if test \"\$libtool_execute_magic\" != \"$magic\"; then - echo=\"$qecho\" - file=\"\$0\" - # Make sure echo works. - if test \"X\$1\" = X--no-reexec; then - # Discard the --no-reexec flag, and continue. - shift - elif test \"X\`(\$echo '\t') 2>/dev/null\`\" = 'X\t'; then - # Yippee, \$echo works! - : - else - # Restart under the correct shell, and then maybe \$echo will work. - exec $SHELL \"\$0\" --no-reexec \${1+\"\$@\"} - fi - fi\ -" - $echo >> $output "\ + if test -z "$pic_object" || + test -z "$non_pic_object" || + test "$pic_object" = none && + test "$non_pic_object" = none; then + func_fatal_error "cannot find name of object for \`$arg'" + fi - # Find the directory that this script lives in. - thisdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*$%%'\` - test \"x\$thisdir\" = \"x\$file\" && thisdir=. + # Extract subdirectory from the argument. + func_dirname "$arg" "/" "" + xdir="$func_dirname_result" - # Follow symbolic links until we get to the real thisdir. 
- file=\`ls -ld \"\$file\" | ${SED} -n 's/.*-> //p'\` - while test -n \"\$file\"; do - destdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*\$%%'\` + if test "$pic_object" != none; then + # Prepend the subdirectory the object is found in. + pic_object="$xdir$pic_object" - # If there was a directory component, then change thisdir. - if test \"x\$destdir\" != \"x\$file\"; then - case \"\$destdir\" in - [\\\\/]* | [A-Za-z]:[\\\\/]*) thisdir=\"\$destdir\" ;; - *) thisdir=\"\$thisdir/\$destdir\" ;; - esac - fi + if test "$prev" = dlfiles; then + if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then + dlfiles="$dlfiles $pic_object" + prev= + continue + else + # If libtool objects are unsupported, then we need to preload. + prev=dlprefiles + fi + fi - file=\`\$echo \"X\$file\" | \$Xsed -e 's%^.*/%%'\` - file=\`ls -ld \"\$thisdir/\$file\" | ${SED} -n 's/.*-> //p'\` - done + # CHECK ME: I think I busted this. -Ossama + if test "$prev" = dlprefiles; then + # Preload the old-style object. + dlprefiles="$dlprefiles $pic_object" + prev= + fi - # Try to get the absolute directory name. - absdir=\`cd \"\$thisdir\" && pwd\` - test -n \"\$absdir\" && thisdir=\"\$absdir\" -" + # A PIC object. + func_append libobjs " $pic_object" + arg="$pic_object" + fi - if test "$fast_install" = yes; then - $echo >> $output "\ - program=lt-'$outputname'$exeext - progdir=\"\$thisdir/$objdir\" + # Non-PIC object. + if test "$non_pic_object" != none; then + # Prepend the subdirectory the object is found in. + non_pic_object="$xdir$non_pic_object" - if test ! -f \"\$progdir/\$program\" || \\ - { file=\`ls -1dt \"\$progdir/\$program\" \"\$progdir/../\$program\" 2>/dev/null | ${SED} 1q\`; \\ - test \"X\$file\" != \"X\$progdir/\$program\"; }; then + # A standard non-PIC object + func_append non_pic_objects " $non_pic_object" + if test -z "$pic_object" || test "$pic_object" = none ; then + arg="$non_pic_object" + fi + else + # If the PIC object exists, use it instead. 
+ # $xdir was prepended to $pic_object above. + non_pic_object="$pic_object" + func_append non_pic_objects " $non_pic_object" + fi + else + # Only an error if not doing a dry-run. + if $opt_dry_run; then + # Extract subdirectory from the argument. + func_dirname "$arg" "/" "" + xdir="$func_dirname_result" - file=\"\$\$-\$program\" + func_lo2o "$arg" + pic_object=$xdir$objdir/$func_lo2o_result + non_pic_object=$xdir$func_lo2o_result + func_append libobjs " $pic_object" + func_append non_pic_objects " $non_pic_object" + else + func_fatal_error "\`$arg' is not a valid libtool object" + fi + fi + ;; - if test ! -d \"\$progdir\"; then - $mkdir \"\$progdir\" - else - $rm \"\$progdir/\$file\" - fi" + *.$libext) + # An archive. + deplibs="$deplibs $arg" + old_deplibs="$old_deplibs $arg" + continue + ;; - $echo >> $output "\ + *.la) + # A libtool-controlled library. - # relink executable if necessary - if test -n \"\$relink_command\"; then - if relink_command_output=\`eval \$relink_command 2>&1\`; then : - else - $echo \"\$relink_command_output\" >&2 - $rm \"\$progdir/\$file\" - exit $EXIT_FAILURE + if test "$prev" = dlfiles; then + # This library was specified with -dlopen. + dlfiles="$dlfiles $arg" + prev= + elif test "$prev" = dlprefiles; then + # The library was specified with -dlpreopen. + dlprefiles="$dlprefiles $arg" + prev= + else + deplibs="$deplibs $arg" + fi + continue + ;; + + # Some other compiler argument. + *) + # Unknown arguments in both finalize_command and compile_command need + # to be aesthetically quoted because they are evaled later. + func_quote_for_eval "$arg" + arg="$func_quote_for_eval_result" + ;; + esac # arg + + # Now actually substitute the argument into the commands. 
+ if test -n "$arg"; then + func_append compile_command " $arg" + func_append finalize_command " $arg" fi + done # argument parsing loop + + test -n "$prev" && \ + func_fatal_help "the \`$prevarg' option requires an argument" + + if test "$export_dynamic" = yes && test -n "$export_dynamic_flag_spec"; then + eval arg=\"$export_dynamic_flag_spec\" + func_append compile_command " $arg" + func_append finalize_command " $arg" fi - $mv \"\$progdir/\$file\" \"\$progdir/\$program\" 2>/dev/null || - { $rm \"\$progdir/\$program\"; - $mv \"\$progdir/\$file\" \"\$progdir/\$program\"; } - $rm \"\$progdir/\$file\" - fi" - else - $echo >> $output "\ - program='$outputname' - progdir=\"\$thisdir/$objdir\" -" - fi + oldlibs= + # calculate the name of the file, without its directory + func_basename "$output" + outputname="$func_basename_result" + libobjs_save="$libobjs" - $echo >> $output "\ + if test -n "$shlibpath_var"; then + # get the directories listed in $shlibpath_var + eval shlib_search_path=\`\$ECHO \"X\${$shlibpath_var}\" \| \$Xsed -e \'s/:/ /g\'\` + else + shlib_search_path= + fi + eval sys_lib_search_path=\"$sys_lib_search_path_spec\" + eval sys_lib_dlsearch_path=\"$sys_lib_dlsearch_path_spec\" - if test -f \"\$progdir/\$program\"; then" + func_dirname "$output" "/" "" + output_objdir="$func_dirname_result$objdir" + # Create the object directory. + func_mkdir_p "$output_objdir" - # Export our shlibpath_var if we have one. - if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then - $echo >> $output "\ - # Add our own library path to $shlibpath_var - $shlibpath_var=\"$temp_rpath\$$shlibpath_var\" + # Determine the type of output + case $output in + "") + func_fatal_help "you must specify an output file" + ;; + *.$libext) linkmode=oldlib ;; + *.lo | *.$objext) linkmode=obj ;; + *.la) linkmode=lib ;; + *) linkmode=prog ;; # Anything else should be a program. 
+ esac - # Some systems cannot cope with colon-terminated $shlibpath_var - # The second colon is a workaround for a bug in BeOS R4 sed - $shlibpath_var=\`\$echo \"X\$$shlibpath_var\" | \$Xsed -e 's/::*\$//'\` + specialdeplibs= - export $shlibpath_var -" - fi + libs= + # Find all interdependent deplibs by searching for libraries + # that are linked more than once (e.g. -la -lb -la) + for deplib in $deplibs; do + if $opt_duplicate_deps ; then + case "$libs " in + *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;; + esac + fi + libs="$libs $deplib" + done - # fixup the dll searchpath if we need to. - if test -n "$dllsearchpath"; then - $echo >> $output "\ - # Add the dll search path components to the executable PATH - PATH=$dllsearchpath:\$PATH -" + if test "$linkmode" = lib; then + libs="$predeps $libs $compiler_lib_search_path $postdeps" + + # Compute libraries that are listed more than once in $predeps + # $postdeps and mark them as special (i.e., whose duplicates are + # not to be eliminated). 
+ pre_post_deps= + if $opt_duplicate_compiler_generated_deps; then + for pre_post_dep in $predeps $postdeps; do + case "$pre_post_deps " in + *" $pre_post_dep "*) specialdeplibs="$specialdeplibs $pre_post_deps" ;; + esac + pre_post_deps="$pre_post_deps $pre_post_dep" + done + fi + pre_post_deps= + fi + + deplibs= + newdependency_libs= + newlib_search_path= + need_relink=no # whether we're linking any uninstalled libtool libraries + notinst_deplibs= # not-installed libtool libraries + notinst_path= # paths that contain not-installed libtool libraries + + case $linkmode in + lib) + passes="conv dlpreopen link" + for file in $dlfiles $dlprefiles; do + case $file in + *.la) ;; + *) + func_fatal_help "libraries can \`-dlopen' only libtool libraries: $file" + ;; + esac + done + ;; + prog) + compile_deplibs= + finalize_deplibs= + alldeplibs=no + newdlfiles= + newdlprefiles= + passes="conv scan dlopen dlpreopen link" + ;; + *) passes="conv" + ;; + esac + + for pass in $passes; do + # The preopen pass in lib mode reverses $deplibs; put it back here + # so that -L comes before libs that need it for instance... 
+ if test "$linkmode,$pass" = "lib,link"; then + ## FIXME: Find the place where the list is rebuilt in the wrong + ## order, and fix it there properly + tmp_deplibs= + for deplib in $deplibs; do + tmp_deplibs="$deplib $tmp_deplibs" + done + deplibs="$tmp_deplibs" + fi + + if test "$linkmode,$pass" = "lib,link" || + test "$linkmode,$pass" = "prog,scan"; then + libs="$deplibs" + deplibs= + fi + if test "$linkmode" = prog; then + case $pass in + dlopen) libs="$dlfiles" ;; + dlpreopen) libs="$dlprefiles" ;; + link) libs="$deplibs %DEPLIBS% $dependency_libs" ;; + esac + fi + if test "$linkmode,$pass" = "lib,dlpreopen"; then + # Collect and forward deplibs of preopened libtool libs + for lib in $dlprefiles; do + # Ignore non-libtool-libs + dependency_libs= + case $lib in + *.la) func_source "$lib" ;; + esac + + # Collect preopened libtool deplibs, except any this library + # has declared as weak libs + for deplib in $dependency_libs; do + deplib_base=`$ECHO "X$deplib" | $Xsed -e "$basename"` + case " $weak_libs " in + *" $deplib_base "*) ;; + *) deplibs="$deplibs $deplib" ;; + esac + done + done + libs="$dlprefiles" + fi + if test "$pass" = dlopen; then + # Collect dlpreopened libraries + save_deplibs="$deplibs" + deplibs= + fi + + for deplib in $libs; do + lib= + found=no + case $deplib in + -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads) + if test "$linkmode,$pass" = "prog,link"; then + compile_deplibs="$deplib $compile_deplibs" + finalize_deplibs="$deplib $finalize_deplibs" + else + compiler_flags="$compiler_flags $deplib" + if test "$linkmode" = lib ; then + case "$new_inherited_linker_flags " in + *" $deplib "*) ;; + * ) new_inherited_linker_flags="$new_inherited_linker_flags $deplib" ;; + esac + fi + fi + continue + ;; + -l*) + if test "$linkmode" != lib && test "$linkmode" != prog; then + func_warning "\`-l' is ignored for archives/objects" + continue + fi + func_stripname '-l' '' "$deplib" + name=$func_stripname_result + if test 
"$linkmode" = lib; then + searchdirs="$newlib_search_path $lib_search_path $compiler_lib_search_dirs $sys_lib_search_path $shlib_search_path" + else + searchdirs="$newlib_search_path $lib_search_path $sys_lib_search_path $shlib_search_path" + fi + for searchdir in $searchdirs; do + for search_ext in .la $std_shrext .so .a; do + # Search the libtool library + lib="$searchdir/lib${name}${search_ext}" + if test -f "$lib"; then + if test "$search_ext" = ".la"; then + found=yes + else + found=no + fi + break 2 + fi + done + done + if test "$found" != yes; then + # deplib doesn't seem to be a libtool library + if test "$linkmode,$pass" = "prog,link"; then + compile_deplibs="$deplib $compile_deplibs" + finalize_deplibs="$deplib $finalize_deplibs" + else + deplibs="$deplib $deplibs" + test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs" + fi + continue + else # deplib is a libtool library + # If $allow_libtool_libs_with_static_runtimes && $deplib is a stdlib, + # We need to do some special things here, and not later. + if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then + case " $predeps $postdeps " in + *" $deplib "*) + if func_lalib_p "$lib"; then + library_names= + old_library= + func_source "$lib" + for l in $old_library $library_names; do + ll="$l" + done + if test "X$ll" = "X$old_library" ; then # only static version available + found=no + func_dirname "$lib" "" "." 
+ ladir="$func_dirname_result" + lib=$ladir/$old_library + if test "$linkmode,$pass" = "prog,link"; then + compile_deplibs="$deplib $compile_deplibs" + finalize_deplibs="$deplib $finalize_deplibs" + else + deplibs="$deplib $deplibs" + test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs" + fi + continue + fi + fi + ;; + *) ;; + esac + fi + fi + ;; # -l + *.ltframework) + if test "$linkmode,$pass" = "prog,link"; then + compile_deplibs="$deplib $compile_deplibs" + finalize_deplibs="$deplib $finalize_deplibs" + else + deplibs="$deplib $deplibs" + if test "$linkmode" = lib ; then + case "$new_inherited_linker_flags " in + *" $deplib "*) ;; + * ) new_inherited_linker_flags="$new_inherited_linker_flags $deplib" ;; + esac + fi + fi + continue + ;; + -L*) + case $linkmode in + lib) + deplibs="$deplib $deplibs" + test "$pass" = conv && continue + newdependency_libs="$deplib $newdependency_libs" + func_stripname '-L' '' "$deplib" + newlib_search_path="$newlib_search_path $func_stripname_result" + ;; + prog) + if test "$pass" = conv; then + deplibs="$deplib $deplibs" + continue + fi + if test "$pass" = scan; then + deplibs="$deplib $deplibs" + else + compile_deplibs="$deplib $compile_deplibs" + finalize_deplibs="$deplib $finalize_deplibs" + fi + func_stripname '-L' '' "$deplib" + newlib_search_path="$newlib_search_path $func_stripname_result" + ;; + *) + func_warning "\`-L' is ignored for archives/objects" + ;; + esac # linkmode + continue + ;; # -L + -R*) + if test "$pass" = link; then + func_stripname '-R' '' "$deplib" + dir=$func_stripname_result + # Make sure the xrpath contains only unique directories. 
+ case "$xrpath " in + *" $dir "*) ;; + *) xrpath="$xrpath $dir" ;; + esac + fi + deplibs="$deplib $deplibs" + continue + ;; + *.la) lib="$deplib" ;; + *.$libext) + if test "$pass" = conv; then + deplibs="$deplib $deplibs" + continue + fi + case $linkmode in + lib) + # Linking convenience modules into shared libraries is allowed, + # but linking other static libraries is non-portable. + case " $dlpreconveniencelibs " in + *" $deplib "*) ;; + *) + valid_a_lib=no + case $deplibs_check_method in + match_pattern*) + set dummy $deplibs_check_method; shift + match_pattern_regex=`expr "$deplibs_check_method" : "$1 \(.*\)"` + if eval "\$ECHO \"X$deplib\"" 2>/dev/null | $Xsed -e 10q \ + | $EGREP "$match_pattern_regex" > /dev/null; then + valid_a_lib=yes + fi + ;; + pass_all) + valid_a_lib=yes + ;; + esac + if test "$valid_a_lib" != yes; then + $ECHO + $ECHO "*** Warning: Trying to link with static lib archive $deplib." + $ECHO "*** I have the capability to make that library automatically link in when" + $ECHO "*** you link to this library. But I can only do this if you have a" + $ECHO "*** shared version of the library, which you do not appear to have" + $ECHO "*** because the file extensions .$libext of this argument makes me believe" + $ECHO "*** that it is just a static archive that I should not use here." + else + $ECHO + $ECHO "*** Warning: Linking the shared library $output against the" + $ECHO "*** static library $deplib is not portable!" 
+ deplibs="$deplib $deplibs" + fi + ;; + esac + continue + ;; + prog) + if test "$pass" != link; then + deplibs="$deplib $deplibs" + else + compile_deplibs="$deplib $compile_deplibs" + finalize_deplibs="$deplib $finalize_deplibs" + fi + continue + ;; + esac # linkmode + ;; # *.$libext + *.lo | *.$objext) + if test "$pass" = conv; then + deplibs="$deplib $deplibs" + elif test "$linkmode" = prog; then + if test "$pass" = dlpreopen || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then + # If there is no dlopen support or we're linking statically, + # we need to preload. + newdlprefiles="$newdlprefiles $deplib" + compile_deplibs="$deplib $compile_deplibs" + finalize_deplibs="$deplib $finalize_deplibs" + else + newdlfiles="$newdlfiles $deplib" + fi + fi + continue + ;; + %DEPLIBS%) + alldeplibs=yes + continue + ;; + esac # case $deplib + + if test "$found" = yes || test -f "$lib"; then : + else + func_fatal_error "cannot find the library \`$lib' or unhandled argument \`$deplib'" + fi + + # Check to see that this really is a libtool archive. + func_lalib_unsafe_p "$lib" \ + || func_fatal_error "\`$lib' is not a valid libtool archive" + + func_dirname "$lib" "" "." 
+ ladir="$func_dirname_result" + + dlname= + dlopen= + dlpreopen= + libdir= + library_names= + old_library= + inherited_linker_flags= + # If the library was installed with an old release of libtool, + # it will not redefine variables installed, or shouldnotlink + installed=yes + shouldnotlink=no + avoidtemprpath= + + + # Read the .la file + func_source "$lib" + + # Convert "-framework foo" to "foo.ltframework" + if test -n "$inherited_linker_flags"; then + tmp_inherited_linker_flags=`$ECHO "X$inherited_linker_flags" | $Xsed -e 's/-framework \([^ $]*\)/\1.ltframework/g'` + for tmp_inherited_linker_flag in $tmp_inherited_linker_flags; do + case " $new_inherited_linker_flags " in + *" $tmp_inherited_linker_flag "*) ;; + *) new_inherited_linker_flags="$new_inherited_linker_flags $tmp_inherited_linker_flag";; + esac + done + fi + dependency_libs=`$ECHO "X $dependency_libs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'` + if test "$linkmode,$pass" = "lib,link" || + test "$linkmode,$pass" = "prog,scan" || + { test "$linkmode" != prog && test "$linkmode" != lib; }; then + test -n "$dlopen" && dlfiles="$dlfiles $dlopen" + test -n "$dlpreopen" && dlprefiles="$dlprefiles $dlpreopen" + fi + + if test "$pass" = conv; then + # Only check for convenience libraries + deplibs="$lib $deplibs" + if test -z "$libdir"; then + if test -z "$old_library"; then + func_fatal_error "cannot find name of link library for \`$lib'" + fi + # It is a libtool convenience library, so add in its objects. 
+ convenience="$convenience $ladir/$objdir/$old_library" + old_convenience="$old_convenience $ladir/$objdir/$old_library" + elif test "$linkmode" != prog && test "$linkmode" != lib; then + func_fatal_error "\`$lib' is not a convenience library" + fi + tmp_libs= + for deplib in $dependency_libs; do + deplibs="$deplib $deplibs" + if $opt_duplicate_deps ; then + case "$tmp_libs " in + *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;; + esac + fi + tmp_libs="$tmp_libs $deplib" + done + continue + fi # $pass = conv + + + # Get the name of the library we link against. + linklib= + for l in $old_library $library_names; do + linklib="$l" + done + if test -z "$linklib"; then + func_fatal_error "cannot find name of link library for \`$lib'" + fi + + # This library was specified with -dlopen. + if test "$pass" = dlopen; then + if test -z "$libdir"; then + func_fatal_error "cannot -dlopen a convenience library: \`$lib'" + fi + if test -z "$dlname" || + test "$dlopen_support" != yes || + test "$build_libtool_libs" = no; then + # If there is no dlname, no dlopen support or we're linking + # statically, we need to preload. We also need to preload any + # dependent libraries so libltdl's deplib preloader doesn't + # bomb out in the load deplibs phase. + dlprefiles="$dlprefiles $lib $dependency_libs" + else + newdlfiles="$newdlfiles $lib" + fi + continue + fi # $pass = dlopen + + # We need an absolute path. + case $ladir in + [\\/]* | [A-Za-z]:[\\/]*) abs_ladir="$ladir" ;; + *) + abs_ladir=`cd "$ladir" && pwd` + if test -z "$abs_ladir"; then + func_warning "cannot determine absolute directory name of \`$ladir'" + func_warning "passing it literally to the linker, although it might fail" + abs_ladir="$ladir" + fi + ;; + esac + func_basename "$lib" + laname="$func_basename_result" + + # Find the relevant object directory and library name. + if test "X$installed" = Xyes; then + if test ! 
-f "$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then + func_warning "library \`$lib' was moved." + dir="$ladir" + absdir="$abs_ladir" + libdir="$abs_ladir" + else + dir="$libdir" + absdir="$libdir" + fi + test "X$hardcode_automatic" = Xyes && avoidtemprpath=yes + else + if test ! -f "$ladir/$objdir/$linklib" && test -f "$abs_ladir/$linklib"; then + dir="$ladir" + absdir="$abs_ladir" + # Remove this search path later + notinst_path="$notinst_path $abs_ladir" + else + dir="$ladir/$objdir" + absdir="$abs_ladir/$objdir" + # Remove this search path later + notinst_path="$notinst_path $abs_ladir" + fi + fi # $installed = yes + func_stripname 'lib' '.la' "$laname" + name=$func_stripname_result + + # This library was specified with -dlpreopen. + if test "$pass" = dlpreopen; then + if test -z "$libdir" && test "$linkmode" = prog; then + func_fatal_error "only libraries may -dlpreopen a convenience library: \`$lib'" + fi + # Prefer using a static library (so that no silly _DYNAMIC symbols + # are required to link). + if test -n "$old_library"; then + newdlprefiles="$newdlprefiles $dir/$old_library" + # Keep a list of preopened convenience libraries to check + # that they are being used correctly in the link pass. + test -z "$libdir" && \ + dlpreconveniencelibs="$dlpreconveniencelibs $dir/$old_library" + # Otherwise, use the dlname, so that lt_dlopen finds it. 
+ elif test -n "$dlname"; then + newdlprefiles="$newdlprefiles $dir/$dlname" + else + newdlprefiles="$newdlprefiles $dir/$linklib" + fi + fi # $pass = dlpreopen + + if test -z "$libdir"; then + # Link the convenience library + if test "$linkmode" = lib; then + deplibs="$dir/$old_library $deplibs" + elif test "$linkmode,$pass" = "prog,link"; then + compile_deplibs="$dir/$old_library $compile_deplibs" + finalize_deplibs="$dir/$old_library $finalize_deplibs" + else + deplibs="$lib $deplibs" # used for prog,scan pass + fi + continue + fi + + + if test "$linkmode" = prog && test "$pass" != link; then + newlib_search_path="$newlib_search_path $ladir" + deplibs="$lib $deplibs" + + linkalldeplibs=no + if test "$link_all_deplibs" != no || test -z "$library_names" || + test "$build_libtool_libs" = no; then + linkalldeplibs=yes + fi + + tmp_libs= + for deplib in $dependency_libs; do + case $deplib in + -L*) func_stripname '-L' '' "$deplib" + newlib_search_path="$newlib_search_path $func_stripname_result" + ;; + esac + # Need to link against all dependency_libs? + if test "$linkalldeplibs" = yes; then + deplibs="$deplib $deplibs" + else + # Need to hardcode shared library paths + # or/and link against static libraries + newdependency_libs="$deplib $newdependency_libs" + fi + if $opt_duplicate_deps ; then + case "$tmp_libs " in + *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;; + esac + fi + tmp_libs="$tmp_libs $deplib" + done # for deplib + continue + fi # $linkmode = prog... + + if test "$linkmode,$pass" = "prog,link"; then + if test -n "$library_names" && + { { test "$prefer_static_libs" = no || + test "$prefer_static_libs,$installed" = "built,yes"; } || + test -z "$old_library"; }; then + # We need to hardcode the library path + if test -n "$shlibpath_var" && test -z "$avoidtemprpath" ; then + # Make sure the rpath contains only unique directories. 
+ case "$temp_rpath:" in + *"$absdir:"*) ;; + *) temp_rpath="$temp_rpath$absdir:" ;; + esac + fi + + # Hardcode the library path. + # Skip directories that are in the system default run-time + # search path. + case " $sys_lib_dlsearch_path " in + *" $absdir "*) ;; + *) + case "$compile_rpath " in + *" $absdir "*) ;; + *) compile_rpath="$compile_rpath $absdir" + esac + ;; + esac + case " $sys_lib_dlsearch_path " in + *" $libdir "*) ;; + *) + case "$finalize_rpath " in + *" $libdir "*) ;; + *) finalize_rpath="$finalize_rpath $libdir" + esac + ;; + esac + fi # $linkmode,$pass = prog,link... + + if test "$alldeplibs" = yes && + { test "$deplibs_check_method" = pass_all || + { test "$build_libtool_libs" = yes && + test -n "$library_names"; }; }; then + # We only need to search for static libraries + continue + fi + fi + + link_static=no # Whether the deplib will be linked statically + use_static_libs=$prefer_static_libs + if test "$use_static_libs" = built && test "$installed" = yes; then + use_static_libs=no + fi + if test -n "$library_names" && + { test "$use_static_libs" = no || test -z "$old_library"; }; then + case $host in + *cygwin* | *mingw* | *cegcc*) + # No point in relinking DLLs because paths are not encoded + notinst_deplibs="$notinst_deplibs $lib" + need_relink=no + ;; + *) + if test "$installed" = no; then + notinst_deplibs="$notinst_deplibs $lib" + need_relink=yes + fi + ;; + esac + # This is a shared library + + # Warn about portability, can't link against -module's on some + # systems (darwin). Don't bleat about dlopened modules though! 
+ dlopenmodule="" + for dlpremoduletest in $dlprefiles; do + if test "X$dlpremoduletest" = "X$lib"; then + dlopenmodule="$dlpremoduletest" + break + fi + done + if test -z "$dlopenmodule" && test "$shouldnotlink" = yes && test "$pass" = link; then + $ECHO + if test "$linkmode" = prog; then + $ECHO "*** Warning: Linking the executable $output against the loadable module" + else + $ECHO "*** Warning: Linking the shared library $output against the loadable module" + fi + $ECHO "*** $linklib is not portable!" + fi + if test "$linkmode" = lib && + test "$hardcode_into_libs" = yes; then + # Hardcode the library path. + # Skip directories that are in the system default run-time + # search path. + case " $sys_lib_dlsearch_path " in + *" $absdir "*) ;; + *) + case "$compile_rpath " in + *" $absdir "*) ;; + *) compile_rpath="$compile_rpath $absdir" + esac + ;; + esac + case " $sys_lib_dlsearch_path " in + *" $libdir "*) ;; + *) + case "$finalize_rpath " in + *" $libdir "*) ;; + *) finalize_rpath="$finalize_rpath $libdir" + esac + ;; + esac + fi + + if test -n "$old_archive_from_expsyms_cmds"; then + # figure out the soname + set dummy $library_names + shift + realname="$1" + shift + libname=`eval "\\$ECHO \"$libname_spec\""` + # use dlname if we got it. it's perfectly good, no? 
+ if test -n "$dlname"; then + soname="$dlname" + elif test -n "$soname_spec"; then + # bleh windows + case $host in + *cygwin* | mingw* | *cegcc*) + func_arith $current - $age + major=$func_arith_result + versuffix="-$major" + ;; + esac + eval soname=\"$soname_spec\" + else + soname="$realname" + fi + + # Make a new name for the extract_expsyms_cmds to use + soroot="$soname" + func_basename "$soroot" + soname="$func_basename_result" + func_stripname 'lib' '.dll' "$soname" + newlib=libimp-$func_stripname_result.a + + # If the library has no export list, then create one now + if test -f "$output_objdir/$soname-def"; then : + else + func_verbose "extracting exported symbol list from \`$soname'" + func_execute_cmds "$extract_expsyms_cmds" 'exit $?' + fi + + # Create $newlib + if test -f "$output_objdir/$newlib"; then :; else + func_verbose "generating import library for \`$soname'" + func_execute_cmds "$old_archive_from_expsyms_cmds" 'exit $?' + fi + # make sure the library variables are pointing to the new library + dir=$output_objdir + linklib=$newlib + fi # test -n "$old_archive_from_expsyms_cmds" + + if test "$linkmode" = prog || test "$mode" != relink; then + add_shlibpath= + add_dir= + add= + lib_linked=yes + case $hardcode_action in + immediate | unsupported) + if test "$hardcode_direct" = no; then + add="$dir/$linklib" + case $host in + *-*-sco3.2v5.0.[024]*) add_dir="-L$dir" ;; + *-*-sysv4*uw2*) add_dir="-L$dir" ;; + *-*-sysv5OpenUNIX* | *-*-sysv5UnixWare7.[01].[10]* | \ + *-*-unixware7*) add_dir="-L$dir" ;; + *-*-darwin* ) + # if the lib is a (non-dlopened) module then we can not + # link against it, someone is ignoring the earlier warnings + if /usr/bin/file -L $add 2> /dev/null | + $GREP ": [^:]* bundle" >/dev/null ; then + if test "X$dlopenmodule" != "X$lib"; then + $ECHO "*** Warning: lib $linklib is a module, not a shared library" + if test -z "$old_library" ; then + $ECHO + $ECHO "*** And there doesn't seem to be a static archive available" + $ECHO 
"*** The link will probably fail, sorry" + else + add="$dir/$old_library" + fi + elif test -n "$old_library"; then + add="$dir/$old_library" + fi + fi + esac + elif test "$hardcode_minus_L" = no; then + case $host in + *-*-sunos*) add_shlibpath="$dir" ;; + esac + add_dir="-L$dir" + add="-l$name" + elif test "$hardcode_shlibpath_var" = no; then + add_shlibpath="$dir" + add="-l$name" + else + lib_linked=no + fi + ;; + relink) + if test "$hardcode_direct" = yes && + test "$hardcode_direct_absolute" = no; then + add="$dir/$linklib" + elif test "$hardcode_minus_L" = yes; then + add_dir="-L$dir" + # Try looking first in the location we're being installed to. + if test -n "$inst_prefix_dir"; then + case $libdir in + [\\/]*) + add_dir="$add_dir -L$inst_prefix_dir$libdir" + ;; + esac + fi + add="-l$name" + elif test "$hardcode_shlibpath_var" = yes; then + add_shlibpath="$dir" + add="-l$name" + else + lib_linked=no + fi + ;; + *) lib_linked=no ;; + esac + + if test "$lib_linked" != yes; then + func_fatal_configuration "unsupported hardcode properties" + fi + + if test -n "$add_shlibpath"; then + case :$compile_shlibpath: in + *":$add_shlibpath:"*) ;; + *) compile_shlibpath="$compile_shlibpath$add_shlibpath:" ;; + esac + fi + if test "$linkmode" = prog; then + test -n "$add_dir" && compile_deplibs="$add_dir $compile_deplibs" + test -n "$add" && compile_deplibs="$add $compile_deplibs" + else + test -n "$add_dir" && deplibs="$add_dir $deplibs" + test -n "$add" && deplibs="$add $deplibs" + if test "$hardcode_direct" != yes && + test "$hardcode_minus_L" != yes && + test "$hardcode_shlibpath_var" = yes; then + case :$finalize_shlibpath: in + *":$libdir:"*) ;; + *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;; + esac + fi + fi + fi + + if test "$linkmode" = prog || test "$mode" = relink; then + add_shlibpath= + add_dir= + add= + # Finalize command for both is simple: just hardcode it. 
+ if test "$hardcode_direct" = yes && + test "$hardcode_direct_absolute" = no; then + add="$libdir/$linklib" + elif test "$hardcode_minus_L" = yes; then + add_dir="-L$libdir" + add="-l$name" + elif test "$hardcode_shlibpath_var" = yes; then + case :$finalize_shlibpath: in + *":$libdir:"*) ;; + *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;; + esac + add="-l$name" + elif test "$hardcode_automatic" = yes; then + if test -n "$inst_prefix_dir" && + test -f "$inst_prefix_dir$libdir/$linklib" ; then + add="$inst_prefix_dir$libdir/$linklib" + else + add="$libdir/$linklib" + fi + else + # We cannot seem to hardcode it, guess we'll fake it. + add_dir="-L$libdir" + # Try looking first in the location we're being installed to. + if test -n "$inst_prefix_dir"; then + case $libdir in + [\\/]*) + add_dir="$add_dir -L$inst_prefix_dir$libdir" + ;; + esac + fi + add="-l$name" + fi + + if test "$linkmode" = prog; then + test -n "$add_dir" && finalize_deplibs="$add_dir $finalize_deplibs" + test -n "$add" && finalize_deplibs="$add $finalize_deplibs" + else + test -n "$add_dir" && deplibs="$add_dir $deplibs" + test -n "$add" && deplibs="$add $deplibs" + fi + fi + elif test "$linkmode" = prog; then + # Here we assume that one of hardcode_direct or hardcode_minus_L + # is not unsupported. This is valid on all known static and + # shared platforms. + if test "$hardcode_direct" != unsupported; then + test -n "$old_library" && linklib="$old_library" + compile_deplibs="$dir/$linklib $compile_deplibs" + finalize_deplibs="$dir/$linklib $finalize_deplibs" + else + compile_deplibs="-l$name -L$dir $compile_deplibs" + finalize_deplibs="-l$name -L$dir $finalize_deplibs" + fi + elif test "$build_libtool_libs" = yes; then + # Not a shared library + if test "$deplibs_check_method" != pass_all; then + # We're trying link a shared library against a static one + # but the system doesn't support it. 
+ + # Just print a warning and add the library to dependency_libs so + # that the program can be linked against the static library. + $ECHO + $ECHO "*** Warning: This system can not link to static lib archive $lib." + $ECHO "*** I have the capability to make that library automatically link in when" + $ECHO "*** you link to this library. But I can only do this if you have a" + $ECHO "*** shared version of the library, which you do not appear to have." + if test "$module" = yes; then + $ECHO "*** But as you try to build a module library, libtool will still create " + $ECHO "*** a static module, that should work as long as the dlopening application" + $ECHO "*** is linked with the -dlopen flag to resolve symbols at runtime." + if test -z "$global_symbol_pipe"; then + $ECHO + $ECHO "*** However, this would only work if libtool was able to extract symbol" + $ECHO "*** lists from a program, using \`nm' or equivalent, but libtool could" + $ECHO "*** not find such a program. So, this module is probably useless." + $ECHO "*** \`nm' from GNU binutils and a full rebuild may help." + fi + if test "$build_old_libs" = no; then + build_libtool_libs=module + build_old_libs=yes + else + build_libtool_libs=no + fi + fi + else + deplibs="$dir/$old_library $deplibs" + link_static=yes + fi + fi # link shared/static library? 
+ + if test "$linkmode" = lib; then + if test -n "$dependency_libs" && + { test "$hardcode_into_libs" != yes || + test "$build_old_libs" = yes || + test "$link_static" = yes; }; then + # Extract -R from dependency_libs + temp_deplibs= + for libdir in $dependency_libs; do + case $libdir in + -R*) func_stripname '-R' '' "$libdir" + temp_xrpath=$func_stripname_result + case " $xrpath " in + *" $temp_xrpath "*) ;; + *) xrpath="$xrpath $temp_xrpath";; + esac;; + *) temp_deplibs="$temp_deplibs $libdir";; + esac + done + dependency_libs="$temp_deplibs" + fi + + newlib_search_path="$newlib_search_path $absdir" + # Link against this library + test "$link_static" = no && newdependency_libs="$abs_ladir/$laname $newdependency_libs" + # ... and its dependency_libs + tmp_libs= + for deplib in $dependency_libs; do + newdependency_libs="$deplib $newdependency_libs" + if $opt_duplicate_deps ; then + case "$tmp_libs " in + *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;; + esac + fi + tmp_libs="$tmp_libs $deplib" + done + + if test "$link_all_deplibs" != no; then + # Add the search paths of all dependency libraries + for deplib in $dependency_libs; do + case $deplib in + -L*) path="$deplib" ;; + *.la) + func_dirname "$deplib" "" "." + dir="$func_dirname_result" + # We need an absolute path. 
+ case $dir in + [\\/]* | [A-Za-z]:[\\/]*) absdir="$dir" ;; + *) + absdir=`cd "$dir" && pwd` + if test -z "$absdir"; then + func_warning "cannot determine absolute directory name of \`$dir'" + absdir="$dir" + fi + ;; + esac + if $GREP "^installed=no" $deplib > /dev/null; then + case $host in + *-*-darwin*) + depdepl= + eval deplibrary_names=`${SED} -n -e 's/^library_names=\(.*\)$/\1/p' $deplib` + if test -n "$deplibrary_names" ; then + for tmp in $deplibrary_names ; do + depdepl=$tmp + done + if test -f "$absdir/$objdir/$depdepl" ; then + depdepl="$absdir/$objdir/$depdepl" + darwin_install_name=`${OTOOL} -L $depdepl | awk '{if (NR == 2) {print $1;exit}}'` + if test -z "$darwin_install_name"; then + darwin_install_name=`${OTOOL64} -L $depdepl | awk '{if (NR == 2) {print $1;exit}}'` + fi + compiler_flags="$compiler_flags ${wl}-dylib_file ${wl}${darwin_install_name}:${depdepl}" + linker_flags="$linker_flags -dylib_file ${darwin_install_name}:${depdepl}" + path= + fi + fi + ;; + *) + path="-L$absdir/$objdir" + ;; + esac + else + eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib` + test -z "$libdir" && \ + func_fatal_error "\`$deplib' is not a valid libtool archive" + test "$absdir" != "$libdir" && \ + func_warning "\`$deplib' seems to be moved" + + path="-L$absdir" + fi + ;; + esac + case " $deplibs " in + *" $path "*) ;; + *) deplibs="$path $deplibs" ;; + esac + done + fi # link_all_deplibs != no + fi # linkmode = lib + done # for deplib in $libs + if test "$pass" = link; then + if test "$linkmode" = "prog"; then + compile_deplibs="$new_inherited_linker_flags $compile_deplibs" + finalize_deplibs="$new_inherited_linker_flags $finalize_deplibs" + else + compiler_flags="$compiler_flags "`$ECHO "X $new_inherited_linker_flags" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'` + fi + fi + dependency_libs="$newdependency_libs" + if test "$pass" = dlpreopen; then + # Link the dlpreopened libraries before other libraries + for deplib in $save_deplibs; do + 
deplibs="$deplib $deplibs" + done + fi + if test "$pass" != dlopen; then + if test "$pass" != conv; then + # Make sure lib_search_path contains only unique directories. + lib_search_path= + for dir in $newlib_search_path; do + case "$lib_search_path " in + *" $dir "*) ;; + *) lib_search_path="$lib_search_path $dir" ;; + esac + done + newlib_search_path= + fi + + if test "$linkmode,$pass" != "prog,link"; then + vars="deplibs" + else + vars="compile_deplibs finalize_deplibs" + fi + for var in $vars dependency_libs; do + # Add libraries to $var in reverse order + eval tmp_libs=\"\$$var\" + new_libs= + for deplib in $tmp_libs; do + # FIXME: Pedantically, this is the right thing to do, so + # that some nasty dependency loop isn't accidentally + # broken: + #new_libs="$deplib $new_libs" + # Pragmatically, this seems to cause very few problems in + # practice: + case $deplib in + -L*) new_libs="$deplib $new_libs" ;; + -R*) ;; + *) + # And here is the reason: when a library appears more + # than once as an explicit dependence of a library, or + # is implicitly linked in more than once by the + # compiler, it is considered special, and multiple + # occurrences thereof are not removed. Compare this + # with having the same library being listed as a + # dependency of multiple other libraries: in this case, + # we know (pedantically, we assume) the library does not + # need to be listed more than once, so we keep only the + # last copy. This is not always right, but it is rare + # enough that we require users that really mean to play + # such unportable linking tricks to link the library + # using -Wl,-lname, so that libtool does not consider it + # for duplicate removal. 
+ case " $specialdeplibs " in + *" $deplib "*) new_libs="$deplib $new_libs" ;; + *) + case " $new_libs " in + *" $deplib "*) ;; + *) new_libs="$deplib $new_libs" ;; + esac + ;; + esac + ;; + esac + done + tmp_libs= + for deplib in $new_libs; do + case $deplib in + -L*) + case " $tmp_libs " in + *" $deplib "*) ;; + *) tmp_libs="$tmp_libs $deplib" ;; + esac + ;; + *) tmp_libs="$tmp_libs $deplib" ;; + esac + done + eval $var=\"$tmp_libs\" + done # for var + fi + # Last step: remove runtime libs from dependency_libs + # (they stay in deplibs) + tmp_libs= + for i in $dependency_libs ; do + case " $predeps $postdeps $compiler_lib_search_path " in + *" $i "*) + i="" + ;; + esac + if test -n "$i" ; then + tmp_libs="$tmp_libs $i" + fi + done + dependency_libs=$tmp_libs + done # for pass + if test "$linkmode" = prog; then + dlfiles="$newdlfiles" + fi + if test "$linkmode" = prog || test "$linkmode" = lib; then + dlprefiles="$newdlprefiles" + fi + + case $linkmode in + oldlib) + if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then + func_warning "\`-dlopen' is ignored for archives" + fi + + case " $deplibs" in + *\ -l* | *\ -L*) + func_warning "\`-l' and \`-L' are ignored for archives" ;; + esac + + test -n "$rpath" && \ + func_warning "\`-rpath' is ignored for archives" + + test -n "$xrpath" && \ + func_warning "\`-R' is ignored for archives" + + test -n "$vinfo" && \ + func_warning "\`-version-info/-version-number' is ignored for archives" + + test -n "$release" && \ + func_warning "\`-release' is ignored for archives" + + test -n "$export_symbols$export_symbols_regex" && \ + func_warning "\`-export-symbols' is ignored for archives" + + # Now set the variables for building old libraries. + build_libtool_libs=no + oldlibs="$output" + objs="$objs$old_deplibs" + ;; + + lib) + # Make sure we only generate libraries of the form `libNAME.la'. 
+ case $outputname in + lib*) + func_stripname 'lib' '.la' "$outputname" + name=$func_stripname_result + eval shared_ext=\"$shrext_cmds\" + eval libname=\"$libname_spec\" + ;; + *) + test "$module" = no && \ + func_fatal_help "libtool library \`$output' must begin with \`lib'" + + if test "$need_lib_prefix" != no; then + # Add the "lib" prefix for modules if required + func_stripname '' '.la' "$outputname" + name=$func_stripname_result + eval shared_ext=\"$shrext_cmds\" + eval libname=\"$libname_spec\" + else + func_stripname '' '.la' "$outputname" + libname=$func_stripname_result + fi + ;; + esac + + if test -n "$objs"; then + if test "$deplibs_check_method" != pass_all; then + func_fatal_error "cannot build libtool library \`$output' from non-libtool objects on this host:$objs" + else + $ECHO + $ECHO "*** Warning: Linking the shared library $output against the non-libtool" + $ECHO "*** objects $objs is not portable!" + libobjs="$libobjs $objs" + fi + fi + + test "$dlself" != no && \ + func_warning "\`-dlopen self' is ignored for libtool libraries" + + set dummy $rpath + shift + test "$#" -gt 1 && \ + func_warning "ignoring multiple \`-rpath's for a libtool library" + + install_libdir="$1" + + oldlibs= + if test -z "$rpath"; then + if test "$build_libtool_libs" = yes; then + # Building a libtool convenience library. + # Some compilers have problems with a `.al' extension so + # convenience libraries should have the same extension an + # archive normally would. + oldlibs="$output_objdir/$libname.$libext $oldlibs" + build_libtool_libs=convenience + build_old_libs=yes + fi + + test -n "$vinfo" && \ + func_warning "\`-version-info/-version-number' is ignored for convenience libraries" + + test -n "$release" && \ + func_warning "\`-release' is ignored for convenience libraries" + else + + # Parse the version information argument. 
+ save_ifs="$IFS"; IFS=':' + set dummy $vinfo 0 0 0 + shift + IFS="$save_ifs" + + test -n "$7" && \ + func_fatal_help "too many parameters to \`-version-info'" + + # convert absolute version numbers to libtool ages + # this retains compatibility with .la files and attempts + # to make the code below a bit more comprehensible + + case $vinfo_number in + yes) + number_major="$1" + number_minor="$2" + number_revision="$3" + # + # There are really only two kinds -- those that + # use the current revision as the major version + # and those that subtract age and use age as + # a minor version. But, then there is irix + # which has an extra 1 added just for fun + # + case $version_type in + darwin|linux|osf|windows|none) + func_arith $number_major + $number_minor + current=$func_arith_result + age="$number_minor" + revision="$number_revision" + ;; + freebsd-aout|freebsd-elf|sunos) + current="$number_major" + revision="$number_minor" + age="0" + ;; + irix|nonstopux) + func_arith $number_major + $number_minor + current=$func_arith_result + age="$number_minor" + revision="$number_minor" + lt_irix_increment=no + ;; + esac + ;; + no) + current="$1" + revision="$2" + age="$3" + ;; + esac + + # Check that each of the things are valid numbers. 
+ case $current in + 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;; + *) + func_error "CURRENT \`$current' must be a nonnegative integer" + func_fatal_error "\`$vinfo' is not valid version information" + ;; + esac + + case $revision in + 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;; + *) + func_error "REVISION \`$revision' must be a nonnegative integer" + func_fatal_error "\`$vinfo' is not valid version information" + ;; + esac + + case $age in + 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;; + *) + func_error "AGE \`$age' must be a nonnegative integer" + func_fatal_error "\`$vinfo' is not valid version information" + ;; + esac + + if test "$age" -gt "$current"; then + func_error "AGE \`$age' is greater than the current interface number \`$current'" + func_fatal_error "\`$vinfo' is not valid version information" + fi + + # Calculate the version variables. + major= + versuffix= + verstring= + case $version_type in + none) ;; + + darwin) + # Like Linux, but with the current version available in + # verstring for coding it into the library header + func_arith $current - $age + major=.$func_arith_result + versuffix="$major.$age.$revision" + # Darwin ld doesn't like 0 for these options... 
+ func_arith $current + 1 + minor_current=$func_arith_result + xlcverstring="${wl}-compatibility_version ${wl}$minor_current ${wl}-current_version ${wl}$minor_current.$revision" + verstring="-compatibility_version $minor_current -current_version $minor_current.$revision" + ;; + + freebsd-aout) + major=".$current" + versuffix=".$current.$revision"; + ;; + + freebsd-elf) + major=".$current" + versuffix=".$current" + ;; + + irix | nonstopux) + if test "X$lt_irix_increment" = "Xno"; then + func_arith $current - $age + else + func_arith $current - $age + 1 + fi + major=$func_arith_result + + case $version_type in + nonstopux) verstring_prefix=nonstopux ;; + *) verstring_prefix=sgi ;; + esac + verstring="$verstring_prefix$major.$revision" + + # Add in all the interfaces that we are compatible with. + loop=$revision + while test "$loop" -ne 0; do + func_arith $revision - $loop + iface=$func_arith_result + func_arith $loop - 1 + loop=$func_arith_result + verstring="$verstring_prefix$major.$iface:$verstring" + done + + # Before this point, $major must not contain `.'. + major=.$major + versuffix="$major.$revision" + ;; + + linux) + func_arith $current - $age + major=.$func_arith_result + versuffix="$major.$age.$revision" + ;; + + osf) + func_arith $current - $age + major=.$func_arith_result + versuffix=".$current.$age.$revision" + verstring="$current.$age.$revision" + + # Add in all the interfaces that we are compatible with. + loop=$age + while test "$loop" -ne 0; do + func_arith $current - $loop + iface=$func_arith_result + func_arith $loop - 1 + loop=$func_arith_result + verstring="$verstring:${iface}.0" + done + + # Make executables depend on our current version. + verstring="$verstring:${current}.0" + ;; + + qnx) + major=".$current" + versuffix=".$current" + ;; + + sunos) + major=".$current" + versuffix=".$current.$revision" + ;; + + windows) + # Use '-' rather than '.', since we only want one + # extension on DOS 8.3 filesystems. 
+ func_arith $current - $age + major=$func_arith_result + versuffix="-$major" + ;; + + *) + func_fatal_configuration "unknown library version type \`$version_type'" + ;; + esac + + # Clear the version info if we defaulted, and they specified a release. + if test -z "$vinfo" && test -n "$release"; then + major= + case $version_type in + darwin) + # we can't check for "0.0" in archive_cmds due to quoting + # problems, so we reset it completely + verstring= + ;; + *) + verstring="0.0" + ;; + esac + if test "$need_version" = no; then + versuffix= + else + versuffix=".0.0" + fi + fi + + # Remove version info from name if versioning should be avoided + if test "$avoid_version" = yes && test "$need_version" = no; then + major= + versuffix= + verstring="" + fi + + # Check to see if the archive will have undefined symbols. + if test "$allow_undefined" = yes; then + if test "$allow_undefined_flag" = unsupported; then + func_warning "undefined symbols not allowed in $host shared libraries" + build_libtool_libs=no + build_old_libs=yes + fi + else + # Don't allow undefined symbols. + allow_undefined_flag="$no_undefined_flag" + fi + + fi + + func_generate_dlsyms "$libname" "$libname" "yes" + libobjs="$libobjs $symfileobj" + test "X$libobjs" = "X " && libobjs= + + if test "$mode" != relink; then + # Remove our outputs, but don't remove object files since they + # may have been created when compiling PIC objects. + removelist= + tempremovelist=`$ECHO "$output_objdir/*"` + for p in $tempremovelist; do + case $p in + *.$objext | *.gcno) + ;; + $output_objdir/$outputname | $output_objdir/$libname.* | $output_objdir/${libname}${release}.*) + if test "X$precious_files_regex" != "X"; then + if $ECHO "$p" | $EGREP -e "$precious_files_regex" >/dev/null 2>&1 + then + continue + fi + fi + removelist="$removelist $p" + ;; + *) ;; + esac + done + test -n "$removelist" && \ + func_show_eval "${RM}r \$removelist" + fi + + # Now set the variables for building old libraries. 
+ if test "$build_old_libs" = yes && test "$build_libtool_libs" != convenience ; then + oldlibs="$oldlibs $output_objdir/$libname.$libext" + + # Transform .lo files to .o files. + oldobjs="$objs "`$ECHO "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}'$/d' -e "$lo2o" | $NL2SP` + fi + + # Eliminate all temporary directories. + #for path in $notinst_path; do + # lib_search_path=`$ECHO "X$lib_search_path " | $Xsed -e "s% $path % %g"` + # deplibs=`$ECHO "X$deplibs " | $Xsed -e "s% -L$path % %g"` + # dependency_libs=`$ECHO "X$dependency_libs " | $Xsed -e "s% -L$path % %g"` + #done + + if test -n "$xrpath"; then + # If the user specified any rpath flags, then add them. + temp_xrpath= + for libdir in $xrpath; do + temp_xrpath="$temp_xrpath -R$libdir" + case "$finalize_rpath " in + *" $libdir "*) ;; + *) finalize_rpath="$finalize_rpath $libdir" ;; + esac + done + if test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes; then + dependency_libs="$temp_xrpath $dependency_libs" + fi + fi + + # Make sure dlfiles contains only unique files that won't be dlpreopened + old_dlfiles="$dlfiles" + dlfiles= + for lib in $old_dlfiles; do + case " $dlprefiles $dlfiles " in + *" $lib "*) ;; + *) dlfiles="$dlfiles $lib" ;; + esac + done + + # Make sure dlprefiles contains only unique files + old_dlprefiles="$dlprefiles" + dlprefiles= + for lib in $old_dlprefiles; do + case "$dlprefiles " in + *" $lib "*) ;; + *) dlprefiles="$dlprefiles $lib" ;; + esac + done + + if test "$build_libtool_libs" = yes; then + if test -n "$rpath"; then + case $host in + *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos* | *-cegcc*) + # these systems don't actually have a c library (as such)! + ;; + *-*-rhapsody* | *-*-darwin1.[012]) + # Rhapsody C library is in the System framework + deplibs="$deplibs System.ltframework" + ;; + *-*-netbsd*) + # Don't link with libc until the a.out ld.so is fixed. 
+ ;; + *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*) + # Do not include libc due to us having libc/libc_r. + ;; + *-*-sco3.2v5* | *-*-sco5v6*) + # Causes problems with __ctype + ;; + *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*) + # Compiler inserts libc in the correct place for threads to work + ;; + *) + # Add libc to deplibs on all other systems if necessary. + if test "$build_libtool_need_lc" = "yes"; then + deplibs="$deplibs -lc" + fi + ;; + esac + fi + + # Transform deplibs into only deplibs that can be linked in shared. + name_save=$name + libname_save=$libname + release_save=$release + versuffix_save=$versuffix + major_save=$major + # I'm not sure if I'm treating the release correctly. I think + # release should show up in the -l (ie -lgmp5) so we don't want to + # add it in twice. Is that correct? + release="" + versuffix="" + major="" + newdeplibs= + droppeddeps=no + case $deplibs_check_method in + pass_all) + # Don't check for shared/static. Everything works. + # This might be a little naive. We might want to check + # whether the library exists or not. But this is on + # osf3 & osf4 and I'm not really sure... Just + # implementing what was already the behavior. + newdeplibs=$deplibs + ;; + test_compile) + # This code stresses the "libraries are programs" paradigm to its + # limits. Maybe even breaks it. We compile a program, linking it + # against the deplibs as a proxy for the library. Then we can check + # whether they linked in statically or dynamically with ldd. + $opt_dry_run || $RM conftest.c + cat > conftest.c </dev/null` + for potent_lib in $potential_libs; do + # Follow soft links. + if ls -lLd "$potent_lib" 2>/dev/null | + $GREP " -> " >/dev/null; then + continue + fi + # The statement above tries to avoid entering an + # endless loop below, in case of cyclic links. + # We might still enter an endless loop, since a link + # loop can be closed while we follow links, + # but so what? 
+ potlib="$potent_lib" + while test -h "$potlib" 2>/dev/null; do + potliblink=`ls -ld $potlib | ${SED} 's/.* -> //'` + case $potliblink in + [\\/]* | [A-Za-z]:[\\/]*) potlib="$potliblink";; + *) potlib=`$ECHO "X$potlib" | $Xsed -e 's,[^/]*$,,'`"$potliblink";; + esac + done + if eval $file_magic_cmd \"\$potlib\" 2>/dev/null | + $SED -e 10q | + $EGREP "$file_magic_regex" > /dev/null; then + newdeplibs="$newdeplibs $a_deplib" + a_deplib="" + break 2 + fi + done + done + fi + if test -n "$a_deplib" ; then + droppeddeps=yes + $ECHO + $ECHO "*** Warning: linker path does not have real file for library $a_deplib." + $ECHO "*** I have the capability to make that library automatically link in when" + $ECHO "*** you link to this library. But I can only do this if you have a" + $ECHO "*** shared version of the library, which you do not appear to have" + $ECHO "*** because I did check the linker path looking for a file starting" + if test -z "$potlib" ; then + $ECHO "*** with $libname but no candidates were found. (...for file magic test)" + else + $ECHO "*** with $libname and none of the candidates passed a file format test" + $ECHO "*** using a file magic. Last file checked: $potlib" + fi + fi + ;; + *) + # Add a -L argument. + newdeplibs="$newdeplibs $a_deplib" + ;; + esac + done # Gone through all deplibs. 
+ ;; + match_pattern*) + set dummy $deplibs_check_method; shift + match_pattern_regex=`expr "$deplibs_check_method" : "$1 \(.*\)"` + for a_deplib in $deplibs; do + case $a_deplib in + -l*) + func_stripname -l '' "$a_deplib" + name=$func_stripname_result + if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then + case " $predeps $postdeps " in + *" $a_deplib "*) + newdeplibs="$newdeplibs $a_deplib" + a_deplib="" + ;; + esac + fi + if test -n "$a_deplib" ; then + libname=`eval "\\$ECHO \"$libname_spec\""` + for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do + potential_libs=`ls $i/$libname[.-]* 2>/dev/null` + for potent_lib in $potential_libs; do + potlib="$potent_lib" # see symlink-check above in file_magic test + if eval "\$ECHO \"X$potent_lib\"" 2>/dev/null | $Xsed -e 10q | \ + $EGREP "$match_pattern_regex" > /dev/null; then + newdeplibs="$newdeplibs $a_deplib" + a_deplib="" + break 2 + fi + done + done + fi + if test -n "$a_deplib" ; then + droppeddeps=yes + $ECHO + $ECHO "*** Warning: linker path does not have real file for library $a_deplib." + $ECHO "*** I have the capability to make that library automatically link in when" + $ECHO "*** you link to this library. But I can only do this if you have a" + $ECHO "*** shared version of the library, which you do not appear to have" + $ECHO "*** because I did check the linker path looking for a file starting" + if test -z "$potlib" ; then + $ECHO "*** with $libname but no candidates were found. (...for regex pattern test)" + else + $ECHO "*** with $libname and none of the candidates passed a file format test" + $ECHO "*** using a regex pattern. Last file checked: $potlib" + fi + fi + ;; + *) + # Add a -L argument. + newdeplibs="$newdeplibs $a_deplib" + ;; + esac + done # Gone through all deplibs. 
+ ;; + none | unknown | *) + newdeplibs="" + tmp_deplibs=`$ECHO "X $deplibs" | $Xsed \ + -e 's/ -lc$//' -e 's/ -[LR][^ ]*//g'` + if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then + for i in $predeps $postdeps ; do + # can't use Xsed below, because $i might contain '/' + tmp_deplibs=`$ECHO "X $tmp_deplibs" | $Xsed -e "s,$i,,"` + done + fi + if $ECHO "X $tmp_deplibs" | $Xsed -e 's/[ ]//g' | + $GREP . >/dev/null; then + $ECHO + if test "X$deplibs_check_method" = "Xnone"; then + $ECHO "*** Warning: inter-library dependencies are not supported in this platform." + else + $ECHO "*** Warning: inter-library dependencies are not known to be supported." + fi + $ECHO "*** All declared inter-library dependencies are being dropped." + droppeddeps=yes + fi + ;; + esac + versuffix=$versuffix_save + major=$major_save + release=$release_save + libname=$libname_save + name=$name_save + + case $host in + *-*-rhapsody* | *-*-darwin1.[012]) + # On Rhapsody replace the C library with the System framework + newdeplibs=`$ECHO "X $newdeplibs" | $Xsed -e 's/ -lc / System.ltframework /'` + ;; + esac + + if test "$droppeddeps" = yes; then + if test "$module" = yes; then + $ECHO + $ECHO "*** Warning: libtool could not satisfy all declared inter-library" + $ECHO "*** dependencies of module $libname. Therefore, libtool will create" + $ECHO "*** a static module, that should work as long as the dlopening" + $ECHO "*** application is linked with the -dlopen flag." + if test -z "$global_symbol_pipe"; then + $ECHO + $ECHO "*** However, this would only work if libtool was able to extract symbol" + $ECHO "*** lists from a program, using \`nm' or equivalent, but libtool could" + $ECHO "*** not find such a program. So, this module is probably useless." + $ECHO "*** \`nm' from GNU binutils and a full rebuild may help." 
+ fi + if test "$build_old_libs" = no; then + oldlibs="$output_objdir/$libname.$libext" + build_libtool_libs=module + build_old_libs=yes + else + build_libtool_libs=no + fi + else + $ECHO "*** The inter-library dependencies that have been dropped here will be" + $ECHO "*** automatically added whenever a program is linked with this library" + $ECHO "*** or is declared to -dlopen it." + + if test "$allow_undefined" = no; then + $ECHO + $ECHO "*** Since this library must not contain undefined symbols," + $ECHO "*** because either the platform does not support them or" + $ECHO "*** it was explicitly requested with -no-undefined," + $ECHO "*** libtool will only create a static version of it." + if test "$build_old_libs" = no; then + oldlibs="$output_objdir/$libname.$libext" + build_libtool_libs=module + build_old_libs=yes + else + build_libtool_libs=no + fi + fi + fi fi - - $echo >> $output "\ - if test \"\$libtool_execute_magic\" != \"$magic\"; then - # Run the actual program with our arguments. -" - case $host in - # Backslashes separate directories on plain windows - *-*-mingw | *-*-os2*) - $echo >> $output "\ - exec \"\$progdir\\\\\$program\" \${1+\"\$@\"} -" + # Done checking deplibs! 
+ deplibs=$newdeplibs + fi + # Time to change all our "foo.ltframework" stuff back to "-framework foo" + case $host in + *-*-darwin*) + newdeplibs=`$ECHO "X $newdeplibs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'` + new_inherited_linker_flags=`$ECHO "X $new_inherited_linker_flags" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'` + deplibs=`$ECHO "X $deplibs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'` ;; + esac + # move library search paths that coincide with paths to not yet + # installed libraries to the beginning of the library search list + new_libs= + for path in $notinst_path; do + case " $new_libs " in + *" -L$path/$objdir "*) ;; *) - $echo >> $output "\ - exec \"\$progdir/\$program\" \${1+\"\$@\"} -" + case " $deplibs " in + *" -L$path/$objdir "*) + new_libs="$new_libs -L$path/$objdir" ;; + esac ;; esac - $echo >> $output "\ - \$echo \"\$0: cannot exec \$program \$*\" - exit $EXIT_FAILURE - fi - else - # The program doesn't exist. - \$echo \"\$0: error: \\\`\$progdir/\$program' does not exist\" 1>&2 - \$echo \"This script is just a wrapper for \$program.\" 1>&2 - $echo \"See the $PACKAGE documentation for more information.\" 1>&2 - exit $EXIT_FAILURE - fi -fi\ -" - chmod +x $output - fi - exit $EXIT_SUCCESS - ;; - esac + done + for deplib in $deplibs; do + case $deplib in + -L*) + case " $new_libs " in + *" $deplib "*) ;; + *) new_libs="$new_libs $deplib" ;; + esac + ;; + *) new_libs="$new_libs $deplib" ;; + esac + done + deplibs="$new_libs" - # See if we need to build an old-fashioned archive. - for oldlib in $oldlibs; do + # All the library-specific variables (install_libdir is set above). 
+ library_names= + old_library= + dlname= - if test "$build_libtool_libs" = convenience; then - oldobjs="$libobjs_save" - addlibs="$convenience" - build_libtool_libs=no - else - if test "$build_libtool_libs" = module; then - oldobjs="$libobjs_save" - build_libtool_libs=no - else - oldobjs="$old_deplibs $non_pic_objects" + # Test again, we may have decided not to build it any more + if test "$build_libtool_libs" = yes; then + if test "$hardcode_into_libs" = yes; then + # Hardcode the library paths + hardcode_libdirs= + dep_rpath= + rpath="$finalize_rpath" + test "$mode" != relink && rpath="$compile_rpath$rpath" + for libdir in $rpath; do + if test -n "$hardcode_libdir_flag_spec"; then + if test -n "$hardcode_libdir_separator"; then + if test -z "$hardcode_libdirs"; then + hardcode_libdirs="$libdir" + else + # Just accumulate the unique libdirs. + case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in + *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*) + ;; + *) + hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir" + ;; + esac + fi + else + eval flag=\"$hardcode_libdir_flag_spec\" + dep_rpath="$dep_rpath $flag" + fi + elif test -n "$runpath_var"; then + case "$perm_rpath " in + *" $libdir "*) ;; + *) perm_rpath="$perm_rpath $libdir" ;; + esac + fi + done + # Substitute the hardcoded libdirs into the rpath. + if test -n "$hardcode_libdir_separator" && + test -n "$hardcode_libdirs"; then + libdir="$hardcode_libdirs" + if test -n "$hardcode_libdir_flag_spec_ld"; then + eval dep_rpath=\"$hardcode_libdir_flag_spec_ld\" + else + eval dep_rpath=\"$hardcode_libdir_flag_spec\" + fi + fi + if test -n "$runpath_var" && test -n "$perm_rpath"; then + # We should set the runpath_var. 
+ rpath= + for dir in $perm_rpath; do + rpath="$rpath$dir:" + done + eval "$runpath_var='$rpath\$$runpath_var'; export $runpath_var" + fi + test -n "$dep_rpath" && deplibs="$dep_rpath $deplibs" fi - addlibs="$old_convenience" - fi - if test -n "$addlibs"; then - gentop="$output_objdir/${outputname}x" - generated="$generated $gentop" + shlibpath="$finalize_shlibpath" + test "$mode" != relink && shlibpath="$compile_shlibpath$shlibpath" + if test -n "$shlibpath"; then + eval "$shlibpath_var='$shlibpath\$$shlibpath_var'; export $shlibpath_var" + fi - func_extract_archives $gentop $addlibs - oldobjs="$oldobjs $func_extract_archives_result" - fi + # Get the real and link names of the library. + eval shared_ext=\"$shrext_cmds\" + eval library_names=\"$library_names_spec\" + set dummy $library_names + shift + realname="$1" + shift - # Do each command in the archive commands. - if test -n "$old_archive_from_new_cmds" && test "$build_libtool_libs" = yes; then - cmds=$old_archive_from_new_cmds - else - # POSIX demands no paths to be encoded in archives. We have - # to avoid creating archives with duplicate basenames if we - # might have to extract them afterwards, e.g., when creating a - # static archive out of a convenience library, or when linking - # the entirety of a libtool archive into another (currently - # not supported by libtool). - if (for obj in $oldobjs - do - $echo "X$obj" | $Xsed -e 's%^.*/%%' - done | sort | sort -uc >/dev/null 2>&1); then - : + if test -n "$soname_spec"; then + eval soname=\"$soname_spec\" else - $echo "copying selected object files to avoid basename conflicts..." 
+ soname="$realname" + fi + if test -z "$dlname"; then + dlname=$soname + fi - if test -z "$gentop"; then - gentop="$output_objdir/${outputname}x" - generated="$generated $gentop" + lib="$output_objdir/$realname" + linknames= + for link + do + linknames="$linknames $link" + done + + # Use standard objects if they are pic + test -z "$pic_flag" && libobjs=`$ECHO "X$libobjs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP` + test "X$libobjs" = "X " && libobjs= - $show "${rm}r $gentop" - $run ${rm}r "$gentop" - $show "$mkdir $gentop" - $run $mkdir "$gentop" - exit_status=$? - if test "$exit_status" -ne 0 && test ! -d "$gentop"; then - exit $exit_status + delfiles= + if test -n "$export_symbols" && test -n "$include_expsyms"; then + $opt_dry_run || cp "$export_symbols" "$output_objdir/$libname.uexp" + export_symbols="$output_objdir/$libname.uexp" + delfiles="$delfiles $export_symbols" + fi + + orig_export_symbols= + case $host_os in + cygwin* | mingw* | cegcc*) + if test -n "$export_symbols" && test -z "$export_symbols_regex"; then + # exporting using user supplied symfile + if test "x`$SED 1q $export_symbols`" != xEXPORTS; then + # and it's NOT already a .def file. Must figure out + # which of the given symbols are data symbols and tag + # them as such. So, trigger use of export_symbols_cmds. + # export_symbols gets reassigned inside the "prepare + # the list of exported symbols" if statement, so the + # include_expsyms logic still works. + orig_export_symbols="$export_symbols" + export_symbols= + always_export_symbols=yes fi fi + ;; + esac - save_oldobjs=$oldobjs - oldobjs= - counter=1 - for obj in $save_oldobjs - do - objbase=`$echo "X$obj" | $Xsed -e 's%^.*/%%'` - case " $oldobjs " in - " ") oldobjs=$obj ;; - *[\ /]"$objbase "*) - while :; do - # Make sure we don't pick an alternate name that also - # overlaps. - newobj=lt$counter-$objbase - counter=`expr $counter + 1` - case " $oldobjs " in - *[\ /]"$newobj "*) ;; - *) if test ! 
-f "$gentop/$newobj"; then break; fi ;; - esac - done - $show "ln $obj $gentop/$newobj || cp $obj $gentop/$newobj" - $run ln "$obj" "$gentop/$newobj" || - $run cp "$obj" "$gentop/$newobj" - oldobjs="$oldobjs $gentop/$newobj" - ;; - *) oldobjs="$oldobjs $obj" ;; - esac - done + # Prepare the list of exported symbols + if test -z "$export_symbols"; then + if test "$always_export_symbols" = yes || test -n "$export_symbols_regex"; then + func_verbose "generating symbol list for \`$libname.la'" + export_symbols="$output_objdir/$libname.exp" + $opt_dry_run || $RM $export_symbols + cmds=$export_symbols_cmds + save_ifs="$IFS"; IFS='~' + for cmd in $cmds; do + IFS="$save_ifs" + eval cmd=\"$cmd\" + func_len " $cmd" + len=$func_len_result + if test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then + func_show_eval "$cmd" 'exit $?' + skipped_export=false + else + # The command line is too long to execute in one step. + func_verbose "using reloadable object file for export list..." + skipped_export=: + # Break out early, otherwise skipped_export may be + # set to false by a later but shorter cmd. + break + fi + done + IFS="$save_ifs" + if test -n "$export_symbols_regex" && test "X$skipped_export" != "X:"; then + func_show_eval '$EGREP -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"' + func_show_eval '$MV "${export_symbols}T" "$export_symbols"' + fi + fi fi - eval cmds=\"$old_archive_cmds\" + if test -n "$export_symbols" && test -n "$include_expsyms"; then + tmp_export_symbols="$export_symbols" + test -n "$orig_export_symbols" && tmp_export_symbols="$orig_export_symbols" + $opt_dry_run || eval '$ECHO "X$include_expsyms" | $Xsed | $SP2NL >> "$tmp_export_symbols"' + fi + + if test "X$skipped_export" != "X:" && test -n "$orig_export_symbols"; then + # The given exports_symbols file has to be filtered, so filter it. 
+ func_verbose "filter symbol list for \`$libname.la' to tag DATA exports" + # FIXME: $output_objdir/$libname.filter potentially contains lots of + # 's' commands which not all seds can handle. GNU sed should be fine + # though. Also, the filter scales superlinearly with the number of + # global variables. join(1) would be nice here, but unfortunately + # isn't a blessed tool. + $opt_dry_run || $SED -e '/[ ,]DATA/!d;s,\(.*\)\([ \,].*\),s|^\1$|\1\2|,' < $export_symbols > $output_objdir/$libname.filter + delfiles="$delfiles $export_symbols $output_objdir/$libname.filter" + export_symbols=$output_objdir/$libname.def + $opt_dry_run || $SED -f $output_objdir/$libname.filter < $orig_export_symbols > $export_symbols + fi - if len=`expr "X$cmds" : ".*"` && - test "$len" -le "$max_cmd_len" || test "$max_cmd_len" -le -1; then - cmds=$old_archive_cmds - else - # the command line is too long to link in one step, link in parts - $echo "using piecewise archive linking..." - save_RANLIB=$RANLIB - RANLIB=: - objlist= - concat_cmds= - save_oldobjs=$oldobjs + tmp_deplibs= + for test_deplib in $deplibs; do + case " $convenience " in + *" $test_deplib "*) ;; + *) + tmp_deplibs="$tmp_deplibs $test_deplib" + ;; + esac + done + deplibs="$tmp_deplibs" - # Is there a better way of finding the last object in the list? 
- for obj in $save_oldobjs - do - last_oldobj=$obj - done - for obj in $save_oldobjs - do - oldobjs="$objlist $obj" - objlist="$objlist $obj" - eval test_cmds=\"$old_archive_cmds\" - if len=`expr "X$test_cmds" : ".*" 2>/dev/null` && - test "$len" -le "$max_cmd_len"; then - : - else - # the above command should be used before it gets too long - oldobjs=$objlist - if test "$obj" = "$last_oldobj" ; then - RANLIB=$save_RANLIB - fi - test -z "$concat_cmds" || concat_cmds=$concat_cmds~ - eval concat_cmds=\"\${concat_cmds}$old_archive_cmds\" - objlist= - fi - done - RANLIB=$save_RANLIB - oldobjs=$objlist - if test "X$oldobjs" = "X" ; then - eval cmds=\"\$concat_cmds\" + if test -n "$convenience"; then + if test -n "$whole_archive_flag_spec" && + test "$compiler_needs_object" = yes && + test -z "$libobjs"; then + # extract the archives, so we have objects to list. + # TODO: could optimize this to just extract one archive. + whole_archive_flag_spec= + fi + if test -n "$whole_archive_flag_spec"; then + save_libobjs=$libobjs + eval libobjs=\"\$libobjs $whole_archive_flag_spec\" + test "X$libobjs" = "X " && libobjs= else - eval cmds=\"\$concat_cmds~\$old_archive_cmds\" + gentop="$output_objdir/${outputname}x" + generated="$generated $gentop" + + func_extract_archives $gentop $convenience + libobjs="$libobjs $func_extract_archives_result" + test "X$libobjs" = "X " && libobjs= fi fi - fi - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - eval cmd=\"$cmd\" - IFS="$save_ifs" - $show "$cmd" - $run eval "$cmd" || exit $? - done - IFS="$save_ifs" - done - if test -n "$generated"; then - $show "${rm}r$generated" - $run ${rm}r$generated - fi + if test "$thread_safe" = yes && test -n "$thread_safe_flag_spec"; then + eval flag=\"$thread_safe_flag_spec\" + linker_flags="$linker_flags $flag" + fi - # Now create the libtool archive. 
- case $output in - *.la) - old_library= - test "$build_old_libs" = yes && old_library="$libname.$libext" - $show "creating $output" + # Make a backup of the uninstalled library when relinking + if test "$mode" = relink; then + $opt_dry_run || eval '(cd $output_objdir && $RM ${realname}U && $MV $realname ${realname}U)' || exit $? + fi - # Preserve any variables that may affect compiler behavior - for var in $variables_saved_for_relink; do - if eval test -z \"\${$var+set}\"; then - relink_command="{ test -z \"\${$var+set}\" || unset $var || { $var=; export $var; }; }; $relink_command" - elif eval var_value=\$$var; test -z "$var_value"; then - relink_command="$var=; export $var; $relink_command" + # Do each of the archive commands. + if test "$module" = yes && test -n "$module_cmds" ; then + if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then + eval test_cmds=\"$module_expsym_cmds\" + cmds=$module_expsym_cmds + else + eval test_cmds=\"$module_cmds\" + cmds=$module_cmds + fi else - var_value=`$echo "X$var_value" | $Xsed -e "$sed_quote_subst"` - relink_command="$var=\"$var_value\"; export $var; $relink_command" + if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then + eval test_cmds=\"$archive_expsym_cmds\" + cmds=$archive_expsym_cmds + else + eval test_cmds=\"$archive_cmds\" + cmds=$archive_cmds + fi fi - done - # Quote the link command for shipping. - relink_command="(cd `pwd`; $SHELL $progpath $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)" - relink_command=`$echo "X$relink_command" | $SP2NL | $Xsed -e "$sed_quote_subst" | $NL2SP` - if test "$hardcode_automatic" = yes ; then - relink_command= - fi + if test "X$skipped_export" != "X:" && + func_len " $test_cmds" && + len=$func_len_result && + test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then + : + else + # The command line is too long to link in one step, link piecewise + # or, if using GNU ld and skipped_export is not :, use a linker + # script. 
- # Only create the output if not a dry run. - if test -z "$run"; then - for installed in no yes; do - if test "$installed" = yes; then - if test -z "$install_libdir"; then - break + # Save the value of $output and $libobjs because we want to + # use them later. If we have whole_archive_flag_spec, we + # want to use save_libobjs as it was before + # whole_archive_flag_spec was expanded, because we can't + # assume the linker understands whole_archive_flag_spec. + # This may have to be revisited, in case too many + # convenience libraries get linked in and end up exceeding + # the spec. + if test -z "$convenience" || test -z "$whole_archive_flag_spec"; then + save_libobjs=$libobjs + fi + save_output=$output + output_la=`$ECHO "X$output" | $Xsed -e "$basename"` + + # Clear the reloadable object creation command queue and + # initialize k to one. + test_cmds= + concat_cmds= + objlist= + last_robj= + k=1 + + if test -n "$save_libobjs" && test "X$skipped_export" != "X:" && test "$with_gnu_ld" = yes; then + output=${output_objdir}/${output_la}.lnkscript + func_verbose "creating GNU ld script: $output" + $ECHO 'INPUT (' > $output + for obj in $save_libobjs + do + $ECHO "$obj" >> $output + done + $ECHO ')' >> $output + delfiles="$delfiles $output" + elif test -n "$save_libobjs" && test "X$skipped_export" != "X:" && test "X$file_list_spec" != X; then + output=${output_objdir}/${output_la}.lnk + func_verbose "creating linker input file list: $output" + : > $output + set x $save_libobjs + shift + firstobj= + if test "$compiler_needs_object" = yes; then + firstobj="$1 " + shift fi - output="$output_objdir/$outputname"i - # Replace all uninstalled libtool libraries with the installed ones - newdependency_libs= - for deplib in $dependency_libs; do - case $deplib in - *.la) - name=`$echo "X$deplib" | $Xsed -e 's%^.*/%%'` - eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib` - if test -z "$libdir"; then - $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2 - 
exit $EXIT_FAILURE - fi - newdependency_libs="$newdependency_libs $libdir/$name" - ;; - *) newdependency_libs="$newdependency_libs $deplib" ;; - esac + for obj + do + $ECHO "$obj" >> $output done - dependency_libs="$newdependency_libs" - newdlfiles= - for lib in $dlfiles; do - name=`$echo "X$lib" | $Xsed -e 's%^.*/%%'` - eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib` - if test -z "$libdir"; then - $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2 - exit $EXIT_FAILURE + delfiles="$delfiles $output" + output=$firstobj\"$file_list_spec$output\" + else + if test -n "$save_libobjs"; then + func_verbose "creating reloadable object files..." + output=$output_objdir/$output_la-${k}.$objext + eval test_cmds=\"$reload_cmds\" + func_len " $test_cmds" + len0=$func_len_result + len=$len0 + + # Loop over the list of objects to be linked. + for obj in $save_libobjs + do + func_len " $obj" + func_arith $len + $func_len_result + len=$func_arith_result + if test "X$objlist" = X || + test "$len" -lt "$max_cmd_len"; then + func_append objlist " $obj" + else + # The command $test_cmds is almost too long, add a + # command to the queue. + if test "$k" -eq 1 ; then + # The first file doesn't have a previous command to add. + eval concat_cmds=\"$reload_cmds $objlist $last_robj\" + else + # All subsequent reloadable object files will link in + # the last one created. + eval concat_cmds=\"\$concat_cmds~$reload_cmds $objlist $last_robj~\$RM $last_robj\" + fi + last_robj=$output_objdir/$output_la-${k}.$objext + func_arith $k + 1 + k=$func_arith_result + output=$output_objdir/$output_la-${k}.$objext + objlist=$obj + func_len " $last_robj" + func_arith $len0 + $func_len_result + len=$func_arith_result + fi + done + # Handle the remaining objects by creating one last + # reloadable object file. All subsequent reloadable object + # files will link in the last one created. 
+ test -z "$concat_cmds" || concat_cmds=$concat_cmds~ + eval concat_cmds=\"\${concat_cmds}$reload_cmds $objlist $last_robj\" + if test -n "$last_robj"; then + eval concat_cmds=\"\${concat_cmds}~\$RM $last_robj\" fi - newdlfiles="$newdlfiles $libdir/$name" - done - dlfiles="$newdlfiles" - newdlprefiles= - for lib in $dlprefiles; do - name=`$echo "X$lib" | $Xsed -e 's%^.*/%%'` - eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib` - if test -z "$libdir"; then - $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2 - exit $EXIT_FAILURE + delfiles="$delfiles $output" + + else + output= + fi + + if ${skipped_export-false}; then + func_verbose "generating symbol list for \`$libname.la'" + export_symbols="$output_objdir/$libname.exp" + $opt_dry_run || $RM $export_symbols + libobjs=$output + # Append the command to create the export file. + test -z "$concat_cmds" || concat_cmds=$concat_cmds~ + eval concat_cmds=\"\$concat_cmds$export_symbols_cmds\" + if test -n "$last_robj"; then + eval concat_cmds=\"\$concat_cmds~\$RM $last_robj\" fi - newdlprefiles="$newdlprefiles $libdir/$name" - done - dlprefiles="$newdlprefiles" - else - newdlfiles= - for lib in $dlfiles; do - case $lib in - [\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;; - *) abs=`pwd`"/$lib" ;; - esac - newdlfiles="$newdlfiles $abs" - done - dlfiles="$newdlfiles" - newdlprefiles= - for lib in $dlprefiles; do - case $lib in - [\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;; - *) abs=`pwd`"/$lib" ;; - esac - newdlprefiles="$newdlprefiles $abs" + fi + + test -n "$save_libobjs" && + func_verbose "creating a temporary reloadable object file: $output" + + # Loop through the commands generated above and execute them. + save_ifs="$IFS"; IFS='~' + for cmd in $concat_cmds; do + IFS="$save_ifs" + $opt_silent || { + func_quote_for_expand "$cmd" + eval "func_echo $func_quote_for_expand_result" + } + $opt_dry_run || eval "$cmd" || { + lt_exit=$? 
+ + # Restore the uninstalled library and exit + if test "$mode" = relink; then + ( cd "$output_objdir" && \ + $RM "${realname}T" && \ + $MV "${realname}U" "$realname" ) + fi + + exit $lt_exit + } done - dlprefiles="$newdlprefiles" + IFS="$save_ifs" + + if test -n "$export_symbols_regex" && ${skipped_export-false}; then + func_show_eval '$EGREP -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"' + func_show_eval '$MV "${export_symbols}T" "$export_symbols"' + fi fi - $rm $output - # place dlname in correct position for cygwin - tdlname=$dlname - case $host,$output,$installed,$module,$dlname in - *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll) tdlname=../bin/$dlname ;; - esac - $echo > $output "\ -# $outputname - a libtool library file -# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP -# -# Please DO NOT delete this file! -# It is necessary for linking the library. -# The name that we can dlopen(3). -dlname='$tdlname' + if ${skipped_export-false}; then + if test -n "$export_symbols" && test -n "$include_expsyms"; then + tmp_export_symbols="$export_symbols" + test -n "$orig_export_symbols" && tmp_export_symbols="$orig_export_symbols" + $opt_dry_run || eval '$ECHO "X$include_expsyms" | $Xsed | $SP2NL >> "$tmp_export_symbols"' + fi + + if test -n "$orig_export_symbols"; then + # The given exports_symbols file has to be filtered, so filter it. + func_verbose "filter symbol list for \`$libname.la' to tag DATA exports" + # FIXME: $output_objdir/$libname.filter potentially contains lots of + # 's' commands which not all seds can handle. GNU sed should be fine + # though. Also, the filter scales superlinearly with the number of + # global variables. join(1) would be nice here, but unfortunately + # isn't a blessed tool. 
+ $opt_dry_run || $SED -e '/[ ,]DATA/!d;s,\(.*\)\([ \,].*\),s|^\1$|\1\2|,' < $export_symbols > $output_objdir/$libname.filter + delfiles="$delfiles $export_symbols $output_objdir/$libname.filter" + export_symbols=$output_objdir/$libname.def + $opt_dry_run || $SED -f $output_objdir/$libname.filter < $orig_export_symbols > $export_symbols + fi + fi -# Names of this library. -library_names='$library_names' + libobjs=$output + # Restore the value of output. + output=$save_output -# The name of the static archive. -old_library='$old_library' + if test -n "$convenience" && test -n "$whole_archive_flag_spec"; then + eval libobjs=\"\$libobjs $whole_archive_flag_spec\" + test "X$libobjs" = "X " && libobjs= + fi + # Expand the library linking commands again to reset the + # value of $libobjs for piecewise linking. -# Libraries that this one depends upon. -dependency_libs='$dependency_libs' + # Do each of the archive commands. + if test "$module" = yes && test -n "$module_cmds" ; then + if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then + cmds=$module_expsym_cmds + else + cmds=$module_cmds + fi + else + if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then + cmds=$archive_expsym_cmds + else + cmds=$archive_cmds + fi + fi + fi -# Version information for $libname. -current=$current -age=$age -revision=$revision + if test -n "$delfiles"; then + # Append the command to remove temporary files to $cmds. + eval cmds=\"\$cmds~\$RM $delfiles\" + fi -# Is this an already installed library? -installed=$installed + # Add any objects from preloaded convenience libraries + if test -n "$dlprefiles"; then + gentop="$output_objdir/${outputname}x" + generated="$generated $gentop" -# Should we warn about portability when linking against -modules? 
-shouldnotlink=$module + func_extract_archives $gentop $dlprefiles + libobjs="$libobjs $func_extract_archives_result" + test "X$libobjs" = "X " && libobjs= + fi -# Files to dlopen/dlpreopen -dlopen='$dlfiles' -dlpreopen='$dlprefiles' + save_ifs="$IFS"; IFS='~' + for cmd in $cmds; do + IFS="$save_ifs" + eval cmd=\"$cmd\" + $opt_silent || { + func_quote_for_expand "$cmd" + eval "func_echo $func_quote_for_expand_result" + } + $opt_dry_run || eval "$cmd" || { + lt_exit=$? -# Directory that this library needs to be installed in: -libdir='$install_libdir'" - if test "$installed" = no && test "$need_relink" = yes; then - $echo >> $output "\ -relink_command=\"$relink_command\"" - fi + # Restore the uninstalled library and exit + if test "$mode" = relink; then + ( cd "$output_objdir" && \ + $RM "${realname}T" && \ + $MV "${realname}U" "$realname" ) + fi + + exit $lt_exit + } done - fi + IFS="$save_ifs" - # Do a symbolic link so that the libtool archive can be found in - # LD_LIBRARY_PATH before the program is installed. - $show "(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)" - $run eval '(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)' || exit $? - ;; - esac - exit $EXIT_SUCCESS - ;; + # Restore the uninstalled library and exit + if test "$mode" = relink; then + $opt_dry_run || eval '(cd $output_objdir && $RM ${realname}T && $MV $realname ${realname}T && $MV ${realname}U $realname)' || exit $? + + if test -n "$convenience"; then + if test -z "$whole_archive_flag_spec"; then + func_show_eval '${RM}r "$gentop"' + fi + fi - # libtool install mode - install) - modename="$modename: install" + exit $EXIT_SUCCESS + fi - # There may be an optional sh(1) argument at the beginning of - # install_prog (especially on Windows NT). - if test "$nonopt" = "$SHELL" || test "$nonopt" = /bin/sh || - # Allow the use of GNU shtool's install command. - $echo "X$nonopt" | grep shtool > /dev/null; then - # Aesthetically quote it. 
- arg=`$echo "X$nonopt" | $Xsed -e "$sed_quote_subst"` - case $arg in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - arg="\"$arg\"" - ;; - esac - install_prog="$arg " - arg="$1" - shift - else - install_prog= - arg=$nonopt - fi + # Create links to the real library. + for linkname in $linknames; do + if test "$realname" != "$linkname"; then + func_show_eval '(cd "$output_objdir" && $RM "$linkname" && $LN_S "$realname" "$linkname")' 'exit $?' + fi + done - # The real first argument should be the name of the installation program. - # Aesthetically quote it. - arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"` - case $arg in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - arg="\"$arg\"" + # If -module or -export-dynamic was specified, set the dlname. + if test "$module" = yes || test "$export_dynamic" = yes; then + # On all known operating systems, these are identical. + dlname="$soname" + fi + fi ;; - esac - install_prog="$install_prog$arg" - # We need to accept at least all the BSD install flags. 
- dest= - files= - opts= - prev= - install_type= - isdir=no - stripme= - for arg - do - if test -n "$dest"; then - files="$files $dest" - dest=$arg - continue + obj) + if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then + func_warning "\`-dlopen' is ignored for objects" fi - case $arg in - -d) isdir=yes ;; - -f) - case " $install_prog " in - *[\\\ /]cp\ *) ;; - *) prev=$arg ;; - esac - ;; - -g | -m | -o) prev=$arg ;; - -s) - stripme=" -s" - continue - ;; - -*) + case " $deplibs" in + *\ -l* | *\ -L*) + func_warning "\`-l' and \`-L' are ignored for objects" ;; + esac + + test -n "$rpath" && \ + func_warning "\`-rpath' is ignored for objects" + + test -n "$xrpath" && \ + func_warning "\`-R' is ignored for objects" + + test -n "$vinfo" && \ + func_warning "\`-version-info' is ignored for objects" + + test -n "$release" && \ + func_warning "\`-release' is ignored for objects" + + case $output in + *.lo) + test -n "$objs$old_deplibs" && \ + func_fatal_error "cannot build library object \`$output' from non-libtool objects" + + libobj=$output + func_lo2o "$libobj" + obj=$func_lo2o_result ;; *) - # If the previous option needed an argument, then skip it. - if test -n "$prev"; then - prev= - else - dest=$arg - continue - fi + libobj= + obj="$output" ;; esac - # Aesthetically quote the argument. - arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"` - case $arg in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - arg="\"$arg\"" - ;; - esac - install_prog="$install_prog $arg" - done + # Delete the old objects. + $opt_dry_run || $RM $obj $libobj - if test -z "$install_prog"; then - $echo "$modename: you must specify an install program" 1>&2 - $echo "$help" 1>&2 - exit $EXIT_FAILURE - fi + # Objects from convenience libraries. This assumes + # single-version convenience libraries. Whenever we create + # different ones for PIC/non-PIC, this we'll have to duplicate + # the extraction. 
+ reload_conv_objs= + gentop= + # reload_cmds runs $LD directly, so let us get rid of + # -Wl from whole_archive_flag_spec and hope we can get by with + # turning comma into space.. + wl= - if test -n "$prev"; then - $echo "$modename: the \`$prev' option requires an argument" 1>&2 - $echo "$help" 1>&2 - exit $EXIT_FAILURE - fi + if test -n "$convenience"; then + if test -n "$whole_archive_flag_spec"; then + eval tmp_whole_archive_flags=\"$whole_archive_flag_spec\" + reload_conv_objs=$reload_objs\ `$ECHO "X$tmp_whole_archive_flags" | $Xsed -e 's|,| |g'` + else + gentop="$output_objdir/${obj}x" + generated="$generated $gentop" - if test -z "$files"; then - if test -z "$dest"; then - $echo "$modename: no file or destination specified" 1>&2 - else - $echo "$modename: you must specify a destination" 1>&2 + func_extract_archives $gentop $convenience + reload_conv_objs="$reload_objs $func_extract_archives_result" + fi fi - $echo "$help" 1>&2 - exit $EXIT_FAILURE - fi - # Strip any trailing slash from the destination. - dest=`$echo "X$dest" | $Xsed -e 's%/$%%'` + # Create the old-style object. + reload_objs="$objs$old_deplibs "`$ECHO "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}$'/d' -e '/\.lib$/d' -e "$lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test - # Check to see that the destination is a directory. - test -d "$dest" && isdir=yes - if test "$isdir" = yes; then - destdir="$dest" - destname= - else - destdir=`$echo "X$dest" | $Xsed -e 's%/[^/]*$%%'` - test "X$destdir" = "X$dest" && destdir=. - destname=`$echo "X$dest" | $Xsed -e 's%^.*/%%'` + output="$obj" + func_execute_cmds "$reload_cmds" 'exit $?' - # Not a directory, so check to see that there is only one file specified. - set dummy $files - if test "$#" -gt 2; then - $echo "$modename: \`$dest' is not a directory" 1>&2 - $echo "$help" 1>&2 - exit $EXIT_FAILURE + # Exit if we aren't doing a library object file. 
+ if test -z "$libobj"; then + if test -n "$gentop"; then + func_show_eval '${RM}r "$gentop"' + fi + + exit $EXIT_SUCCESS fi - fi - case $destdir in - [\\/]* | [A-Za-z]:[\\/]*) ;; - *) - for file in $files; do - case $file in - *.lo) ;; - *) - $echo "$modename: \`$destdir' must be an absolute directory name" 1>&2 - $echo "$help" 1>&2 - exit $EXIT_FAILURE - ;; - esac - done + + if test "$build_libtool_libs" != yes; then + if test -n "$gentop"; then + func_show_eval '${RM}r "$gentop"' + fi + + # Create an invalid libtool object if no PIC, so that we don't + # accidentally link it into a program. + # $show "echo timestamp > $libobj" + # $opt_dry_run || eval "echo timestamp > $libobj" || exit $? + exit $EXIT_SUCCESS + fi + + if test -n "$pic_flag" || test "$pic_mode" != default; then + # Only do commands if we really have different PIC objects. + reload_objs="$libobjs $reload_conv_objs" + output="$libobj" + func_execute_cmds "$reload_cmds" 'exit $?' + fi + + if test -n "$gentop"; then + func_show_eval '${RM}r "$gentop"' + fi + + exit $EXIT_SUCCESS ;; - esac - # This variable tells wrapper scripts just to set variables rather - # than running their programs. - libtool_install_magic="$magic" + prog) + case $host in + *cygwin*) func_stripname '' '.exe' "$output" + output=$func_stripname_result.exe;; + esac + test -n "$vinfo" && \ + func_warning "\`-version-info' is ignored for programs" - staticlibs= - future_libdirs= - current_libdirs= - for file in $files; do + test -n "$release" && \ + func_warning "\`-release' is ignored for programs" - # Do each installation. - case $file in - *.$libext) - # Do the static libraries later. - staticlibs="$staticlibs $file" + test "$preload" = yes \ + && test "$dlopen_support" = unknown \ + && test "$dlopen_self" = unknown \ + && test "$dlopen_self_static" = unknown && \ + func_warning "\`LT_INIT([dlopen])' not used. Assuming no dlopen support." 
+ + case $host in + *-*-rhapsody* | *-*-darwin1.[012]) + # On Rhapsody replace the C library is the System framework + compile_deplibs=`$ECHO "X $compile_deplibs" | $Xsed -e 's/ -lc / System.ltframework /'` + finalize_deplibs=`$ECHO "X $finalize_deplibs" | $Xsed -e 's/ -lc / System.ltframework /'` ;; + esac - *.la) - # Check to see that this really is a libtool archive. - if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then : - else - $echo "$modename: \`$file' is not a valid libtool archive" 1>&2 - $echo "$help" 1>&2 - exit $EXIT_FAILURE + case $host in + *-*-darwin*) + # Don't allow lazy linking, it breaks C++ global constructors + # But is supposedly fixed on 10.4 or later (yay!). + if test "$tagname" = CXX ; then + case ${MACOSX_DEPLOYMENT_TARGET-10.0} in + 10.[0123]) + compile_command="$compile_command ${wl}-bind_at_load" + finalize_command="$finalize_command ${wl}-bind_at_load" + ;; + esac fi + # Time to change all our "foo.ltframework" stuff back to "-framework foo" + compile_deplibs=`$ECHO "X $compile_deplibs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'` + finalize_deplibs=`$ECHO "X $finalize_deplibs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'` + ;; + esac - library_names= - old_library= - relink_command= - # If there is no directory component, then add one. - case $file in - */* | *\\*) . $file ;; - *) . ./$file ;; - esac - # Add the libdir to current_libdirs if it is the destination. - if test "X$destdir" = "X$libdir"; then - case "$current_libdirs " in - *" $libdir "*) ;; - *) current_libdirs="$current_libdirs $libdir" ;; + # move library search paths that coincide with paths to not yet + # installed libraries to the beginning of the library search list + new_libs= + for path in $notinst_path; do + case " $new_libs " in + *" -L$path/$objdir "*) ;; + *) + case " $compile_deplibs " in + *" -L$path/$objdir "*) + new_libs="$new_libs -L$path/$objdir" ;; esac - else - # Note the libdir as a future libdir. 
- case "$future_libdirs " in - *" $libdir "*) ;; - *) future_libdirs="$future_libdirs $libdir" ;; + ;; + esac + done + for deplib in $compile_deplibs; do + case $deplib in + -L*) + case " $new_libs " in + *" $deplib "*) ;; + *) new_libs="$new_libs $deplib" ;; esac - fi + ;; + *) new_libs="$new_libs $deplib" ;; + esac + done + compile_deplibs="$new_libs" - dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`/ - test "X$dir" = "X$file/" && dir= - dir="$dir$objdir" - if test -n "$relink_command"; then - # Determine the prefix the user has applied to our future dir. - inst_prefix_dir=`$echo "$destdir" | $SED "s%$libdir\$%%"` + compile_command="$compile_command $compile_deplibs" + finalize_command="$finalize_command $finalize_deplibs" - # Don't allow the user to place us outside of our expected - # location b/c this prevents finding dependent libraries that - # are installed to the same prefix. - # At present, this check doesn't affect windows .dll's that - # are installed into $libdir/../bin (currently, that works fine) - # but it's something to keep an eye on. - if test "$inst_prefix_dir" = "$destdir"; then - $echo "$modename: error: cannot install \`$file' to a directory not ending in $libdir" 1>&2 - exit $EXIT_FAILURE - fi + if test -n "$rpath$xrpath"; then + # If the user specified any rpath flags, then add them. + for libdir in $rpath $xrpath; do + # This is the magic to use -rpath. + case "$finalize_rpath " in + *" $libdir "*) ;; + *) finalize_rpath="$finalize_rpath $libdir" ;; + esac + done + fi - if test -n "$inst_prefix_dir"; then - # Stick the inst_prefix_dir data into the link command. 
- relink_command=`$echo "$relink_command" | $SP2NL | $SED "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%" | $NL2SP` + # Now hardcode the library paths + rpath= + hardcode_libdirs= + for libdir in $compile_rpath $finalize_rpath; do + if test -n "$hardcode_libdir_flag_spec"; then + if test -n "$hardcode_libdir_separator"; then + if test -z "$hardcode_libdirs"; then + hardcode_libdirs="$libdir" + else + # Just accumulate the unique libdirs. + case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in + *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*) + ;; + *) + hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir" + ;; + esac + fi else - relink_command=`$echo "$relink_command" | $SP2NL | $SED "s%@inst_prefix_dir@%%" | $NL2SP` + eval flag=\"$hardcode_libdir_flag_spec\" + rpath="$rpath $flag" fi + elif test -n "$runpath_var"; then + case "$perm_rpath " in + *" $libdir "*) ;; + *) perm_rpath="$perm_rpath $libdir" ;; + esac + fi + case $host in + *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*) + testbindir=`${ECHO} "$libdir" | ${SED} -e 's*/lib$*/bin*'` + case :$dllsearchpath: in + *":$libdir:"*) ;; + ::) dllsearchpath=$libdir;; + *) dllsearchpath="$dllsearchpath:$libdir";; + esac + case :$dllsearchpath: in + *":$testbindir:"*) ;; + ::) dllsearchpath=$testbindir;; + *) dllsearchpath="$dllsearchpath:$testbindir";; + esac + ;; + esac + done + # Substitute the hardcoded libdirs into the rpath. 
+ if test -n "$hardcode_libdir_separator" && + test -n "$hardcode_libdirs"; then + libdir="$hardcode_libdirs" + eval rpath=\" $hardcode_libdir_flag_spec\" + fi + compile_rpath="$rpath" - $echo "$modename: warning: relinking \`$file'" 1>&2 - $show "$relink_command" - if $run eval "$relink_command"; then : + rpath= + hardcode_libdirs= + for libdir in $finalize_rpath; do + if test -n "$hardcode_libdir_flag_spec"; then + if test -n "$hardcode_libdir_separator"; then + if test -z "$hardcode_libdirs"; then + hardcode_libdirs="$libdir" + else + # Just accumulate the unique libdirs. + case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in + *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*) + ;; + *) + hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir" + ;; + esac + fi else - $echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2 - exit $EXIT_FAILURE + eval flag=\"$hardcode_libdir_flag_spec\" + rpath="$rpath $flag" fi + elif test -n "$runpath_var"; then + case "$finalize_perm_rpath " in + *" $libdir "*) ;; + *) finalize_perm_rpath="$finalize_perm_rpath $libdir" ;; + esac fi + done + # Substitute the hardcoded libdirs into the rpath. + if test -n "$hardcode_libdir_separator" && + test -n "$hardcode_libdirs"; then + libdir="$hardcode_libdirs" + eval rpath=\" $hardcode_libdir_flag_spec\" + fi + finalize_rpath="$rpath" - # See the names of the shared library. - set dummy $library_names - if test -n "$2"; then - realname="$2" - shift - shift + if test -n "$libobjs" && test "$build_old_libs" = yes; then + # Transform all the library objects into standard objects. 
+ compile_command=`$ECHO "X$compile_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP` + finalize_command=`$ECHO "X$finalize_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP` + fi - srcname="$realname" - test -n "$relink_command" && srcname="$realname"T + func_generate_dlsyms "$outputname" "@PROGRAM@" "no" - # Install the shared library and build the symlinks. - $show "$install_prog $dir/$srcname $destdir/$realname" - $run eval "$install_prog $dir/$srcname $destdir/$realname" || exit $? - if test -n "$stripme" && test -n "$striplib"; then - $show "$striplib $destdir/$realname" - $run eval "$striplib $destdir/$realname" || exit $? - fi + # template prelinking step + if test -n "$prelink_cmds"; then + func_execute_cmds "$prelink_cmds" 'exit $?' + fi - if test "$#" -gt 0; then - # Delete the old symlinks, and create new ones. - # Try `ln -sf' first, because the `ln' binary might depend on - # the symlink we replace! Solaris /bin/ln does not understand -f, - # so we also need to try rm && ln -s. - for linkname - do - if test "$linkname" != "$realname"; then - $show "(cd $destdir && { $LN_S -f $realname $linkname || { $rm $linkname && $LN_S $realname $linkname; }; })" - $run eval "(cd $destdir && { $LN_S -f $realname $linkname || { $rm $linkname && $LN_S $realname $linkname; }; })" - fi - done - fi + wrappers_required=yes + case $host in + *cygwin* | *mingw* ) + if test "$build_libtool_libs" != yes; then + wrappers_required=no + fi + ;; + *cegcc) + # Disable wrappers for cegcc, we are cross compiling anyway. + wrappers_required=no + ;; + *) + if test "$need_relink" = no || test "$build_libtool_libs" != yes; then + wrappers_required=no + fi + ;; + esac + if test "$wrappers_required" = no; then + # Replace the output file specification. + compile_command=`$ECHO "X$compile_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'` + link_command="$compile_command$compile_rpath" - # Do each command in the postinstall commands. 
- lib="$destdir/$realname" - cmds=$postinstall_cmds - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - eval cmd=\"$cmd\" - $show "$cmd" - $run eval "$cmd" || { - lt_exit=$? - - # Restore the uninstalled library and exit - if test "$mode" = relink; then - $run eval '(cd $output_objdir && $rm ${realname}T && $mv ${realname}U $realname)' - fi + # We have no uninstalled library dependencies, so finalize right now. + exit_status=0 + func_show_eval "$link_command" 'exit_status=$?' - exit $lt_exit - } - done - IFS="$save_ifs" + # Delete the generated files. + if test -f "$output_objdir/${outputname}S.${objext}"; then + func_show_eval '$RM "$output_objdir/${outputname}S.${objext}"' fi - # Install the pseudo-library for information purposes. - name=`$echo "X$file" | $Xsed -e 's%^.*/%%'` - instname="$dir/$name"i - $show "$install_prog $instname $destdir/$name" - $run eval "$install_prog $instname $destdir/$name" || exit $? - - # Maybe install the static library, too. - test -n "$old_library" && staticlibs="$staticlibs $dir/$old_library" - ;; + exit $exit_status + fi - *.lo) - # Install (i.e. copy) a libtool object. + if test -n "$compile_shlibpath$finalize_shlibpath"; then + compile_command="$shlibpath_var=\"$compile_shlibpath$finalize_shlibpath\$$shlibpath_var\" $compile_command" + fi + if test -n "$finalize_shlibpath"; then + finalize_command="$shlibpath_var=\"$finalize_shlibpath\$$shlibpath_var\" $finalize_command" + fi - # Figure out destination file name, if it wasn't already specified. - if test -n "$destname"; then - destfile="$destdir/$destname" - else - destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'` - destfile="$destdir/$destfile" + compile_var= + finalize_var= + if test -n "$runpath_var"; then + if test -n "$perm_rpath"; then + # We should set the runpath_var. + rpath= + for dir in $perm_rpath; do + rpath="$rpath$dir:" + done + compile_var="$runpath_var=\"$rpath\$$runpath_var\" " fi - - # Deduce the name of the destination old-style object file. 
- case $destfile in - *.lo) - staticdest=`$echo "X$destfile" | $Xsed -e "$lo2o"` - ;; - *.$objext) - staticdest="$destfile" - destfile= - ;; - *) - $echo "$modename: cannot copy a libtool object to \`$destfile'" 1>&2 - $echo "$help" 1>&2 - exit $EXIT_FAILURE - ;; - esac - - # Install the libtool object if requested. - if test -n "$destfile"; then - $show "$install_prog $file $destfile" - $run eval "$install_prog $file $destfile" || exit $? + if test -n "$finalize_perm_rpath"; then + # We should set the runpath_var. + rpath= + for dir in $finalize_perm_rpath; do + rpath="$rpath$dir:" + done + finalize_var="$runpath_var=\"$rpath\$$runpath_var\" " fi + fi - # Install the old object if enabled. - if test "$build_old_libs" = yes; then - # Deduce the name of the old-style object file. - staticobj=`$echo "X$file" | $Xsed -e "$lo2o"` - - $show "$install_prog $staticobj $staticdest" - $run eval "$install_prog \$staticobj \$staticdest" || exit $? - fi + if test "$no_install" = yes; then + # We don't need to create a wrapper script. + link_command="$compile_var$compile_command$compile_rpath" + # Replace the output file specification. + link_command=`$ECHO "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'` + # Delete the old output file. + $opt_dry_run || $RM $output + # Link the executable and exit + func_show_eval "$link_command" 'exit $?' exit $EXIT_SUCCESS - ;; + fi - *) - # Figure out destination file name, if it wasn't already specified. 
- if test -n "$destname"; then - destfile="$destdir/$destname" + if test "$hardcode_action" = relink; then + # Fast installation is not supported + link_command="$compile_var$compile_command$compile_rpath" + relink_command="$finalize_var$finalize_command$finalize_rpath" + + func_warning "this platform does not like uninstalled shared libraries" + func_warning "\`$output' will be relinked during installation" + else + if test "$fast_install" != no; then + link_command="$finalize_var$compile_command$finalize_rpath" + if test "$fast_install" = yes; then + relink_command=`$ECHO "X$compile_var$compile_command$compile_rpath" | $Xsed -e 's%@OUTPUT@%\$progdir/\$file%g'` + else + # fast_install is set to needless + relink_command= + fi else - destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'` - destfile="$destdir/$destfile" + link_command="$compile_var$compile_command$compile_rpath" + relink_command="$finalize_var$finalize_command$finalize_rpath" fi + fi - # If the file is missing, and there is a .exe on the end, strip it - # because it is most likely a libtool script we actually want to - # install - stripped_ext="" - case $file in - *.exe) - if test ! -f "$file"; then - file=`$echo $file|${SED} 's,.exe$,,'` - stripped_ext=".exe" - fi - ;; - esac - - # Do a test to see if this is really a libtool program. - case $host in - *cygwin*|*mingw*) - wrapper=`$echo $file | ${SED} -e 's,.exe$,,'` - ;; - *) - wrapper=$file - ;; - esac - if (${SED} -e '4q' $wrapper | grep "^# Generated by .*$PACKAGE")>/dev/null 2>&1; then - notinst_deplibs= - relink_command= - - # Note that it is not necessary on cygwin/mingw to append a dot to - # foo even if both foo and FILE.exe exist: automatic-append-.exe - # behavior happens only for exec(3), not for open(2)! Also, sourcing - # `FILE.' does not work on cygwin managed mounts. - # - # If there is no directory component, then add one. - case $wrapper in - */* | *\\*) . ${wrapper} ;; - *) . 
./${wrapper} ;; - esac - - # Check the variables that should have been set. - if test -z "$notinst_deplibs"; then - $echo "$modename: invalid libtool wrapper script \`$wrapper'" 1>&2 - exit $EXIT_FAILURE - fi + # Replace the output file specification. + link_command=`$ECHO "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'` - finalize=yes - for lib in $notinst_deplibs; do - # Check to see that each library is installed. - libdir= - if test -f "$lib"; then - # If there is no directory component, then add one. - case $lib in - */* | *\\*) . $lib ;; - *) . ./$lib ;; - esac - fi - libfile="$libdir/"`$echo "X$lib" | $Xsed -e 's%^.*/%%g'` ### testsuite: skip nested quoting test - if test -n "$libdir" && test ! -f "$libfile"; then - $echo "$modename: warning: \`$lib' has not been installed in \`$libdir'" 1>&2 - finalize=no - fi - done + # Delete the old output files. + $opt_dry_run || $RM $output $output_objdir/$outputname $output_objdir/lt-$outputname - relink_command= - # Note that it is not necessary on cygwin/mingw to append a dot to - # foo even if both foo and FILE.exe exist: automatic-append-.exe - # behavior happens only for exec(3), not for open(2)! Also, sourcing - # `FILE.' does not work on cygwin managed mounts. - # - # If there is no directory component, then add one. - case $wrapper in - */* | *\\*) . ${wrapper} ;; - *) . ./${wrapper} ;; - esac + func_show_eval "$link_command" 'exit $?' - outputname= - if test "$fast_install" = no && test -n "$relink_command"; then - if test "$finalize" = yes && test -z "$run"; then - tmpdir=`func_mktempdir` - file=`$echo "X$file$stripped_ext" | $Xsed -e 's%^.*/%%'` - outputname="$tmpdir/$file" - # Replace the output file specification. - relink_command=`$echo "X$relink_command" | $SP2NL | $Xsed -e 's%@OUTPUT@%'"$outputname"'%g' | $NL2SP` + # Now create the wrapper script. 
+ func_verbose "creating $output" - $show "$relink_command" - if $run eval "$relink_command"; then : - else - $echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2 - ${rm}r "$tmpdir" - continue - fi - file="$outputname" - else - $echo "$modename: warning: cannot relink \`$file'" 1>&2 - fi + # Quote the relink command for shipping. + if test -n "$relink_command"; then + # Preserve any variables that may affect compiler behavior + for var in $variables_saved_for_relink; do + if eval test -z \"\${$var+set}\"; then + relink_command="{ test -z \"\${$var+set}\" || $lt_unset $var || { $var=; export $var; }; }; $relink_command" + elif eval var_value=\$$var; test -z "$var_value"; then + relink_command="$var=; export $var; $relink_command" else - # Install the binary that we compiled earlier. - file=`$echo "X$file$stripped_ext" | $Xsed -e "s%\([^/]*\)$%$objdir/\1%"` + func_quote_for_eval "$var_value" + relink_command="$var=$func_quote_for_eval_result; export $var; $relink_command" fi - fi + done + relink_command="(cd `pwd`; $relink_command)" + relink_command=`$ECHO "X$relink_command" | $Xsed -e "$sed_quote_subst"` + fi - # remove .exe since cygwin /usr/bin/install will append another - # one anyway - case $install_prog,$host in - */usr/bin/install*,*cygwin*) - case $file:$destfile in - *.exe:*.exe) - # this is ok - ;; - *.exe:*) - destfile=$destfile.exe - ;; - *:*.exe) - destfile=`$echo $destfile | ${SED} -e 's,.exe$,,'` - ;; - esac - ;; + # Quote $ECHO for shipping. + if test "X$ECHO" = "X$SHELL $progpath --fallback-echo"; then + case $progpath in + [\\/]* | [A-Za-z]:[\\/]*) qecho="$SHELL $progpath --fallback-echo";; + *) qecho="$SHELL `pwd`/$progpath --fallback-echo";; + esac + qecho=`$ECHO "X$qecho" | $Xsed -e "$sed_quote_subst"` + else + qecho=`$ECHO "X$ECHO" | $Xsed -e "$sed_quote_subst"` + fi + + # Only actually do things if not in dry run mode. 
+ $opt_dry_run || { + # win32 will think the script is a binary if it has + # a .exe suffix, so we strip it off here. + case $output in + *.exe) func_stripname '' '.exe' "$output" + output=$func_stripname_result ;; esac - $show "$install_prog$stripme $file $destfile" - $run eval "$install_prog\$stripme \$file \$destfile" || exit $? - test -n "$outputname" && ${rm}r "$tmpdir" - ;; - esac - done + # test for cygwin because mv fails w/o .exe extensions + case $host in + *cygwin*) + exeext=.exe + func_stripname '' '.exe' "$outputname" + outputname=$func_stripname_result ;; + *) exeext= ;; + esac + case $host in + *cygwin* | *mingw* ) + func_dirname_and_basename "$output" "" "." + output_name=$func_basename_result + output_path=$func_dirname_result + cwrappersource="$output_path/$objdir/lt-$output_name.c" + cwrapper="$output_path/$output_name.exe" + $RM $cwrappersource $cwrapper + trap "$RM $cwrappersource $cwrapper; exit $EXIT_FAILURE" 1 2 15 + + func_emit_cwrapperexe_src > $cwrappersource + + # The wrapper executable is built using the $host compiler, + # because it contains $host paths and files. If cross- + # compiling, it, like the target executable, must be + # executed on the $host or under an emulation environment. + $opt_dry_run || { + $LTCC $LTCFLAGS -o $cwrapper $cwrappersource + $STRIP $cwrapper + } - for file in $staticlibs; do - name=`$echo "X$file" | $Xsed -e 's%^.*/%%'` + # Now, create the wrapper script for func_source use: + func_ltwrapper_scriptname $cwrapper + $RM $func_ltwrapper_scriptname_result + trap "$RM $func_ltwrapper_scriptname_result; exit $EXIT_FAILURE" 1 2 15 + $opt_dry_run || { + # note: this script will not be executed, so do not chmod. + if test "x$build" = "x$host" ; then + $cwrapper --lt-dump-script > $func_ltwrapper_scriptname_result + else + func_emit_wrapper no > $func_ltwrapper_scriptname_result + fi + } + ;; + * ) + $RM $output + trap "$RM $output; exit $EXIT_FAILURE" 1 2 15 - # Set up the ranlib parameters. 
- oldlib="$destdir/$name" + func_emit_wrapper no > $output + chmod +x $output + ;; + esac + } + exit $EXIT_SUCCESS + ;; + esac - $show "$install_prog $file $oldlib" - $run eval "$install_prog \$file \$oldlib" || exit $? + # See if we need to build an old-fashioned archive. + for oldlib in $oldlibs; do - if test -n "$stripme" && test -n "$old_striplib"; then - $show "$old_striplib $oldlib" - $run eval "$old_striplib $oldlib" || exit $? + if test "$build_libtool_libs" = convenience; then + oldobjs="$libobjs_save $symfileobj" + addlibs="$convenience" + build_libtool_libs=no + else + if test "$build_libtool_libs" = module; then + oldobjs="$libobjs_save" + build_libtool_libs=no + else + oldobjs="$old_deplibs $non_pic_objects" + if test "$preload" = yes && test -f "$symfileobj"; then + oldobjs="$oldobjs $symfileobj" + fi + fi + addlibs="$old_convenience" fi - # Do each command in the postinstall commands. - cmds=$old_postinstall_cmds - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - eval cmd=\"$cmd\" - $show "$cmd" - $run eval "$cmd" || exit $? - done - IFS="$save_ifs" - done + if test -n "$addlibs"; then + gentop="$output_objdir/${outputname}x" + generated="$generated $gentop" - if test -n "$future_libdirs"; then - $echo "$modename: warning: remember to run \`$progname --finish$future_libdirs'" 1>&2 - fi + func_extract_archives $gentop $addlibs + oldobjs="$oldobjs $func_extract_archives_result" + fi - if test -n "$current_libdirs"; then - # Maybe just do a dry run. - test -n "$run" && current_libdirs=" -n$current_libdirs" - exec_cmd='$SHELL $progpath $preserve_args --finish$current_libdirs' - else - exit $EXIT_SUCCESS - fi - ;; + # Do each command in the archive commands. 
+ if test -n "$old_archive_from_new_cmds" && test "$build_libtool_libs" = yes; then + cmds=$old_archive_from_new_cmds + else - # libtool finish mode - finish) - modename="$modename: finish" - libdirs="$nonopt" - admincmds= + # Add any objects from preloaded convenience libraries + if test -n "$dlprefiles"; then + gentop="$output_objdir/${outputname}x" + generated="$generated $gentop" - if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then - for dir - do - libdirs="$libdirs $dir" - done + func_extract_archives $gentop $dlprefiles + oldobjs="$oldobjs $func_extract_archives_result" + fi - for libdir in $libdirs; do - if test -n "$finish_cmds"; then - # Do each command in the finish commands. - cmds=$finish_cmds - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - eval cmd=\"$cmd\" - $show "$cmd" - $run eval "$cmd" || admincmds="$admincmds - $cmd" + # POSIX demands no paths to be encoded in archives. We have + # to avoid creating archives with duplicate basenames if we + # might have to extract them afterwards, e.g., when creating a + # static archive out of a convenience library, or when linking + # the entirety of a libtool archive into another (currently + # not supported by libtool). + if (for obj in $oldobjs + do + func_basename "$obj" + $ECHO "$func_basename_result" + done | sort | sort -uc >/dev/null 2>&1); then + : + else + $ECHO "copying selected object files to avoid basename conflicts..." + gentop="$output_objdir/${outputname}x" + generated="$generated $gentop" + func_mkdir_p "$gentop" + save_oldobjs=$oldobjs + oldobjs= + counter=1 + for obj in $save_oldobjs + do + func_basename "$obj" + objbase="$func_basename_result" + case " $oldobjs " in + " ") oldobjs=$obj ;; + *[\ /]"$objbase "*) + while :; do + # Make sure we don't pick an alternate name that also + # overlaps. + newobj=lt$counter-$objbase + func_arith $counter + 1 + counter=$func_arith_result + case " $oldobjs " in + *[\ /]"$newobj "*) ;; + *) if test ! 
-f "$gentop/$newobj"; then break; fi ;; + esac + done + func_show_eval "ln $obj $gentop/$newobj || cp $obj $gentop/$newobj" + oldobjs="$oldobjs $gentop/$newobj" + ;; + *) oldobjs="$oldobjs $obj" ;; + esac done - IFS="$save_ifs" - fi - if test -n "$finish_eval"; then - # Do the single finish_eval. - eval cmds=\"$finish_eval\" - $run eval "$cmds" || admincmds="$admincmds - $cmds" fi - done - fi - - # Exit here if they wanted silent mode. - test "$show" = : && exit $EXIT_SUCCESS + eval cmds=\"$old_archive_cmds\" - $echo "X----------------------------------------------------------------------" | $Xsed - $echo "Libraries have been installed in:" - for libdir in $libdirs; do - $echo " $libdir" + func_len " $cmds" + len=$func_len_result + if test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then + cmds=$old_archive_cmds + else + # the command line is too long to link in one step, link in parts + func_verbose "using piecewise archive linking..." + save_RANLIB=$RANLIB + RANLIB=: + objlist= + concat_cmds= + save_oldobjs=$oldobjs + oldobjs= + # Is there a better way of finding the last object in the list? + for obj in $save_oldobjs + do + last_oldobj=$obj + done + eval test_cmds=\"$old_archive_cmds\" + func_len " $test_cmds" + len0=$func_len_result + len=$len0 + for obj in $save_oldobjs + do + func_len " $obj" + func_arith $len + $func_len_result + len=$func_arith_result + func_append objlist " $obj" + if test "$len" -lt "$max_cmd_len"; then + : + else + # the above command should be used before it gets too long + oldobjs=$objlist + if test "$obj" = "$last_oldobj" ; then + RANLIB=$save_RANLIB + fi + test -z "$concat_cmds" || concat_cmds=$concat_cmds~ + eval concat_cmds=\"\${concat_cmds}$old_archive_cmds\" + objlist= + len=$len0 + fi + done + RANLIB=$save_RANLIB + oldobjs=$objlist + if test "X$oldobjs" = "X" ; then + eval cmds=\"\$concat_cmds\" + else + eval cmds=\"\$concat_cmds~\$old_archive_cmds\" + fi + fi + fi + func_execute_cmds "$cmds" 'exit $?' 
done - $echo - $echo "If you ever happen to want to link against installed libraries" - $echo "in a given directory, LIBDIR, you must either use libtool, and" - $echo "specify the full pathname of the library, or use the \`-LLIBDIR'" - $echo "flag during linking and do at least one of the following:" - if test -n "$shlibpath_var"; then - $echo " - add LIBDIR to the \`$shlibpath_var' environment variable" - $echo " during execution" - fi - if test -n "$runpath_var"; then - $echo " - add LIBDIR to the \`$runpath_var' environment variable" - $echo " during linking" - fi - if test -n "$hardcode_libdir_flag_spec"; then - libdir=LIBDIR - eval flag=\"$hardcode_libdir_flag_spec\" - - $echo " - use the \`$flag' linker flag" - fi - if test -n "$admincmds"; then - $echo " - have your system administrator run these commands:$admincmds" - fi - if test -f /etc/ld.so.conf; then - $echo " - have your system administrator add LIBDIR to \`/etc/ld.so.conf'" - fi - $echo - $echo "See any operating system documentation about shared libraries for" - $echo "more information, such as the ld(1) and ld.so(8) manual pages." - $echo "X----------------------------------------------------------------------" | $Xsed - exit $EXIT_SUCCESS - ;; - - # libtool execute mode - execute) - modename="$modename: execute" - # The first argument is the command name. - cmd="$nonopt" - if test -z "$cmd"; then - $echo "$modename: you must specify a COMMAND" 1>&2 - $echo "$help" - exit $EXIT_FAILURE - fi + test -n "$generated" && \ + func_show_eval "${RM}r$generated" - # Handle -dlopen flags immediately. - for file in $execute_dlfiles; do - if test ! -f "$file"; then - $echo "$modename: \`$file' is not a file" 1>&2 - $echo "$help" 1>&2 - exit $EXIT_FAILURE - fi + # Now create the libtool archive. 
+ case $output in + *.la) + old_library= + test "$build_old_libs" = yes && old_library="$libname.$libext" + func_verbose "creating $output" - dir= - case $file in - *.la) - # Check to see that this really is a libtool archive. - if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then : + # Preserve any variables that may affect compiler behavior + for var in $variables_saved_for_relink; do + if eval test -z \"\${$var+set}\"; then + relink_command="{ test -z \"\${$var+set}\" || $lt_unset $var || { $var=; export $var; }; }; $relink_command" + elif eval var_value=\$$var; test -z "$var_value"; then + relink_command="$var=; export $var; $relink_command" else - $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2 - $echo "$help" 1>&2 - exit $EXIT_FAILURE + func_quote_for_eval "$var_value" + relink_command="$var=$func_quote_for_eval_result; export $var; $relink_command" fi + done + # Quote the link command for shipping. + relink_command="(cd `pwd`; $SHELL $progpath $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)" + relink_command=`$ECHO "X$relink_command" | $Xsed -e "$sed_quote_subst"` + if test "$hardcode_automatic" = yes ; then + relink_command= + fi - # Read the libtool library. - dlname= - library_names= + # Only create the output if not a dry run. 
+ $opt_dry_run || { + for installed in no yes; do + if test "$installed" = yes; then + if test -z "$install_libdir"; then + break + fi + output="$output_objdir/$outputname"i + # Replace all uninstalled libtool libraries with the installed ones + newdependency_libs= + for deplib in $dependency_libs; do + case $deplib in + *.la) + func_basename "$deplib" + name="$func_basename_result" + eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib` + test -z "$libdir" && \ + func_fatal_error "\`$deplib' is not a valid libtool archive" + newdependency_libs="$newdependency_libs $libdir/$name" + ;; + *) newdependency_libs="$newdependency_libs $deplib" ;; + esac + done + dependency_libs="$newdependency_libs" + newdlfiles= - # If there is no directory component, then add one. - case $file in - */* | *\\*) . $file ;; - *) . ./$file ;; - esac + for lib in $dlfiles; do + case $lib in + *.la) + func_basename "$lib" + name="$func_basename_result" + eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib` + test -z "$libdir" && \ + func_fatal_error "\`$lib' is not a valid libtool archive" + newdlfiles="$newdlfiles $libdir/$name" + ;; + *) newdlfiles="$newdlfiles $lib" ;; + esac + done + dlfiles="$newdlfiles" + newdlprefiles= + for lib in $dlprefiles; do + case $lib in + *.la) + # Only pass preopened files to the pseudo-archive (for + # eventual linking with the app. 
that links it) if we + # didn't already link the preopened objects directly into + # the library: + func_basename "$lib" + name="$func_basename_result" + eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib` + test -z "$libdir" && \ + func_fatal_error "\`$lib' is not a valid libtool archive" + newdlprefiles="$newdlprefiles $libdir/$name" + ;; + esac + done + dlprefiles="$newdlprefiles" + else + newdlfiles= + for lib in $dlfiles; do + case $lib in + [\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;; + *) abs=`pwd`"/$lib" ;; + esac + newdlfiles="$newdlfiles $abs" + done + dlfiles="$newdlfiles" + newdlprefiles= + for lib in $dlprefiles; do + case $lib in + [\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;; + *) abs=`pwd`"/$lib" ;; + esac + newdlprefiles="$newdlprefiles $abs" + done + dlprefiles="$newdlprefiles" + fi + $RM $output + # place dlname in correct position for cygwin + tdlname=$dlname + case $host,$output,$installed,$module,$dlname in + *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll | *cegcc*,*lai,yes,no,*.dll) tdlname=../bin/$dlname ;; + esac + $ECHO > $output "\ +# $outputname - a libtool library file +# Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION +# +# Please DO NOT delete this file! +# It is necessary for linking the library. - # Skip this library if it cannot be dlopened. - if test -z "$dlname"; then - # Warn if it was a shared library. - test -n "$library_names" && $echo "$modename: warning: \`$file' was not linked with \`-export-dynamic'" - continue - fi +# The name that we can dlopen(3). +dlname='$tdlname' - dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'` - test "X$dir" = "X$file" && dir=. +# Names of this library. +library_names='$library_names' - if test -f "$dir/$objdir/$dlname"; then - dir="$dir/$objdir" - else - $echo "$modename: cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'" 1>&2 - exit $EXIT_FAILURE - fi - ;; +# The name of the static archive. +old_library='$old_library' - *.lo) - # Just add the directory containing the .lo file. 
- dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'` - test "X$dir" = "X$file" && dir=. - ;; +# Linker flags that can not go in dependency_libs. +inherited_linker_flags='$new_inherited_linker_flags' - *) - $echo "$modename: warning \`-dlopen' is ignored for non-libtool libraries and objects" 1>&2 - continue - ;; - esac +# Libraries that this one depends upon. +dependency_libs='$dependency_libs' - # Get the absolute pathname. - absdir=`cd "$dir" && pwd` - test -n "$absdir" && dir="$absdir" +# Names of additional weak libraries provided by this library +weak_library_names='$weak_libs' - # Now add the directory to shlibpath_var. - if eval "test -z \"\$$shlibpath_var\""; then - eval "$shlibpath_var=\"\$dir\"" - else - eval "$shlibpath_var=\"\$dir:\$$shlibpath_var\"" - fi - done +# Version information for $libname. +current=$current +age=$age +revision=$revision - # This variable tells wrapper scripts just to set shlibpath_var - # rather than running their programs. - libtool_execute_magic="$magic" +# Is this an already installed library? +installed=$installed - # Check if any of the arguments is a wrapper script. - args= - for file - do - case $file in - -*) ;; - *) - # Do a test to see if this is really a libtool program. - if (${SED} -e '4q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then - # If there is no directory component, then add one. - case $file in - */* | *\\*) . $file ;; - *) . ./$file ;; - esac +# Should we warn about portability when linking against -modules? +shouldnotlink=$module - # Transform arg to wrapped name. - file="$progdir/$program" - fi - ;; - esac - # Quote arguments (to preserve shell metacharacters). - file=`$echo "X$file" | $Xsed -e "$sed_quote_subst"` - args="$args \"$file\"" - done +# Files to dlopen/dlpreopen +dlopen='$dlfiles' +dlpreopen='$dlprefiles' - if test -z "$run"; then - if test -n "$shlibpath_var"; then - # Export the shlibpath_var. 
- eval "export $shlibpath_var" - fi +# Directory that this library needs to be installed in: +libdir='$install_libdir'" + if test "$installed" = no && test "$need_relink" = yes; then + $ECHO >> $output "\ +relink_command=\"$relink_command\"" + fi + done + } - # Restore saved environment variables - for lt_var in LANG LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES - do - eval "if test \"\${save_$lt_var+set}\" = set; then - $lt_var=\$save_$lt_var; export $lt_var - fi" - done + # Do a symbolic link so that the libtool archive can be found in + # LD_LIBRARY_PATH before the program is installed. + func_show_eval '( cd "$output_objdir" && $RM "$outputname" && $LN_S "../$outputname" "$outputname" )' 'exit $?' + ;; + esac + exit $EXIT_SUCCESS +} +{ test "$mode" = link || test "$mode" = relink; } && + func_mode_link ${1+"$@"} - # Now prepare to actually exec the command. - exec_cmd="\$cmd$args" - else - # Display what would be done. - if test -n "$shlibpath_var"; then - eval "\$echo \"\$shlibpath_var=\$$shlibpath_var\"" - $echo "export $shlibpath_var" - fi - $echo "$cmd$args" - exit $EXIT_SUCCESS - fi - ;; - # libtool clean and uninstall mode - clean | uninstall) - modename="$modename: $mode" - rm="$nonopt" +# func_mode_uninstall arg... +func_mode_uninstall () +{ + $opt_debug + RM="$nonopt" files= rmforce= exit_status=0 
@@ -6492,30 +8202,28 @@ for arg do case $arg in - -f) rm="$rm $arg"; rmforce=yes ;; - -*) rm="$rm $arg" ;; + -f) RM="$RM $arg"; rmforce=yes ;; + -*) RM="$RM $arg" ;; *) files="$files $arg" ;; esac done - if test -z "$rm"; then - $echo "$modename: you must specify an RM program" 1>&2 - $echo "$help" 1>&2 - exit $EXIT_FAILURE - fi + test -z "$RM" && \ + func_fatal_help "you must specify an RM program" rmdirs= origobjdir="$objdir" for file in $files; do - dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'` - if test "X$dir" = "X$file"; then - dir=. + func_dirname "$file" "" "." + dir="$func_dirname_result" + if test "X$dir" = X.; then objdir="$origobjdir" else objdir="$dir/$origobjdir" fi - name=`$echo "X$file" | $Xsed -e 's%^.*/%%'` + func_basename "$file" + name="$func_basename_result" test "$mode" = uninstall && objdir="$dir" # Remember objdir for removal later, being careful to avoid duplicates @@ -6527,9 +8235,9 @@ fi # Don't error if the file doesn't exist and rm -f was used. - if (test -L "$file") >/dev/null 2>&1 \ - || (test -h "$file") >/dev/null 2>&1 \ - || test -f "$file"; then + if { test -L "$file"; } >/dev/null 2>&1 || + { test -h "$file"; } >/dev/null 2>&1 || + test -f "$file"; then : elif test -d "$file"; then exit_status=1 @@ -6543,8 +8251,8 @@ case $name in *.la) # Possibly a libtool archive, so verify it. - if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then - . $dir/$name + if func_lalib_p "$file"; then + func_source $dir/$name # Delete the libtool libraries and symlinks. for n in $library_names; do 
@@ -6559,39 +8267,17 @@ *" $dlname "*) ;; *) rmfiles="$rmfiles $objdir/$dlname" ;; esac - test -n "$libdir" && rmfiles="$rmfiles $objdir/$name $objdir/${name}i" + test -n "$libdir" && rmfiles="$rmfiles $objdir/$name $objdir/${name}i" ;; uninstall) if test -n "$library_names"; then # Do each command in the postuninstall commands. - cmds=$postuninstall_cmds - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - eval cmd=\"$cmd\" - $show "$cmd" - $run eval "$cmd" - if test "$?" -ne 0 && test "$rmforce" != yes; then - exit_status=1 - fi - done - IFS="$save_ifs" + func_execute_cmds "$postuninstall_cmds" 'test "$rmforce" = yes || exit_status=1' fi if test -n "$old_library"; then # Do each command in the old_postuninstall commands. - cmds=$old_postuninstall_cmds - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - eval cmd=\"$cmd\" - $show "$cmd" - $run eval "$cmd" - if test "$?" -ne 0 && test "$rmforce" != yes; then - exit_status=1 - fi - done - IFS="$save_ifs" + func_execute_cmds "$old_postuninstall_cmds" 'test "$rmforce" = yes || exit_status=1' fi # FIXME: should reinstall the best remaining shared library. ;; @@ -6601,20 +8287,20 @@ *.lo) # Possibly a libtool object, so verify it. - if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then + if func_lalib_p "$file"; then # Read the .lo file - . $dir/$name + func_source $dir/$name # Add PIC object to the list of files to remove. - if test -n "$pic_object" \ - && test "$pic_object" != none; then + if test -n "$pic_object" && + test "$pic_object" != none; then rmfiles="$rmfiles $dir/$pic_object" fi # Add non-PIC object to the list of files to remove. - if test -n "$non_pic_object" \ - && test "$non_pic_object" != none; then + if test -n "$non_pic_object" && + test "$non_pic_object" != none; then rmfiles="$rmfiles $dir/$non_pic_object" fi fi 
@@ -6625,17 +8311,26 @@ noexename=$name case $file in *.exe) - file=`$echo $file|${SED} 's,.exe$,,'` - noexename=`$echo $name|${SED} 's,.exe$,,'` + func_stripname '' '.exe' "$file" + file=$func_stripname_result + func_stripname '' '.exe' "$name" + noexename=$func_stripname_result # $file with .exe has already been added to rmfiles, # add $file without .exe rmfiles="$rmfiles $file" ;; esac # Do a test to see if this is a libtool program. - if (${SED} -e '4q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then - relink_command= - . $dir/$noexename + if func_ltwrapper_p "$file"; then + if func_ltwrapper_executable_p "$file"; then + func_ltwrapper_scriptname "$file" + relink_command= + func_source $func_ltwrapper_scriptname_result + rmfiles="$rmfiles $func_ltwrapper_scriptname_result" + else + relink_command= + func_source $dir/$noexename + fi # note $name still contains .exe if it was in $file originally # as does the version of $file that was added into $rmfiles 
@@ -6650,239 +8345,38 @@ fi ;; esac - $show "$rm $rmfiles" - $run $rm $rmfiles || exit_status=1 + func_show_eval "$RM $rmfiles" 'exit_status=1' done objdir="$origobjdir" # Try to remove the ${objdir}s in the directories where we deleted files for dir in $rmdirs; do if test -d "$dir"; then - $show "rmdir $dir" - $run rmdir $dir >/dev/null 2>&1 + func_show_eval "rmdir $dir >/dev/null 2>&1" fi done exit $exit_status - ;; +} - "") - $echo "$modename: you must specify a MODE" 1>&2 - $echo "$generic_help" 1>&2 - exit $EXIT_FAILURE - ;; - esac +{ test "$mode" = uninstall || test "$mode" = clean; } && + func_mode_uninstall ${1+"$@"} - if test -z "$exec_cmd"; then - $echo "$modename: invalid operation mode \`$mode'" 1>&2 - $echo "$generic_help" 1>&2 - exit $EXIT_FAILURE - fi -fi # test -z "$show_help" +test -z "$mode" && { + help="$generic_help" + func_fatal_help "you must specify a MODE" +} + +test -z "$exec_cmd" && \ + func_fatal_help "invalid operation mode \`$mode'" if test -n "$exec_cmd"; then - eval exec $exec_cmd + eval exec "$exec_cmd" exit $EXIT_FAILURE fi -# We need to display help for each of the modes. -case $mode in -"") $echo \ -"Usage: $modename [OPTION]... [MODE-ARG]... - -Provide generalized library-building support services. 
- - --config show all configuration variables - --debug enable verbose shell tracing --n, --dry-run display commands without modifying any files - --features display basic configuration information and exit - --finish same as \`--mode=finish' - --help display this help message and exit - --mode=MODE use operation mode MODE [default=inferred from MODE-ARGS] - --quiet same as \`--silent' - --silent don't print informational messages - --tag=TAG use configuration variables from tag TAG - --version print version information - -MODE must be one of the following: - - clean remove files from the build directory - compile compile a source file into a libtool object - execute automatically set library path, then run a program - finish complete the installation of libtool libraries - install install libraries or executables - link create a library or an executable - uninstall remove libraries from an installed directory - -MODE-ARGS vary depending on the MODE. Try \`$modename --help --mode=MODE' for -a more detailed description of MODE. - -Report bugs to ." - exit $EXIT_SUCCESS - ;; - -clean) - $echo \ -"Usage: $modename [OPTION]... --mode=clean RM [RM-OPTION]... FILE... - -Remove files from the build directory. - -RM is the name of the program to use to delete files associated with each FILE -(typically \`/bin/rm'). RM-OPTIONS are options (such as \`-f') to be passed -to RM. - -If FILE is a libtool library, object or program, all the files associated -with it are deleted. Otherwise, only FILE itself is deleted using RM." - ;; - -compile) - $echo \ -"Usage: $modename [OPTION]... --mode=compile COMPILE-COMMAND... SOURCEFILE - -Compile a source file into a libtool library object. 
- -This mode accepts the following additional options: - - -o OUTPUT-FILE set the output file name to OUTPUT-FILE - -prefer-pic try to building PIC objects only - -prefer-non-pic try to building non-PIC objects only - -static always build a \`.o' file suitable for static linking - -COMPILE-COMMAND is a command to be used in creating a \`standard' object file -from the given SOURCEFILE. - -The output file name is determined by removing the directory component from -SOURCEFILE, then substituting the C source code suffix \`.c' with the -library object suffix, \`.lo'." - ;; - -execute) - $echo \ -"Usage: $modename [OPTION]... --mode=execute COMMAND [ARGS]... - -Automatically set library path, then run a program. - -This mode accepts the following additional options: - - -dlopen FILE add the directory containing FILE to the library path - -This mode sets the library path environment variable according to \`-dlopen' -flags. - -If any of the ARGS are libtool executable wrappers, then they are translated -into their corresponding uninstalled binary, and any of their required library -directories are added to the library path. - -Then, COMMAND is executed, with ARGS as arguments." - ;; - -finish) - $echo \ -"Usage: $modename [OPTION]... --mode=finish [LIBDIR]... - -Complete the installation of libtool libraries. - -Each LIBDIR is a directory that contains libtool libraries. - -The commands that this mode executes may require superuser privileges. Use -the \`--dry-run' option if you just want to see what would be executed." - ;; - -install) - $echo \ -"Usage: $modename [OPTION]... --mode=install INSTALL-COMMAND... - -Install executables or libraries. - -INSTALL-COMMAND is the installation command. The first component should be -either the \`install' or \`cp' program. - -The rest of the components are interpreted as arguments to that command (only -BSD-compatible install options are recognized)." - ;; - -link) - $echo \ -"Usage: $modename [OPTION]... 
--mode=link LINK-COMMAND... - -Link object files or libraries together to form another library, or to -create an executable program. +exit $exit_status -LINK-COMMAND is a command using the C compiler that you would use to create -a program from several object files. - -The following components of LINK-COMMAND are treated specially: - - -all-static do not do any dynamic linking at all - -avoid-version do not add a version suffix if possible - -dlopen FILE \`-dlpreopen' FILE if it cannot be dlopened at runtime - -dlpreopen FILE link in FILE and add its symbols to lt_preloaded_symbols - -export-dynamic allow symbols from OUTPUT-FILE to be resolved with dlsym(3) - -export-symbols SYMFILE - try to export only the symbols listed in SYMFILE - -export-symbols-regex REGEX - try to export only the symbols matching REGEX - -LLIBDIR search LIBDIR for required installed libraries - -lNAME OUTPUT-FILE requires the installed library libNAME - -module build a library that can dlopened - -no-fast-install disable the fast-install mode - -no-install link a not-installable executable - -no-undefined declare that a library does not refer to external symbols - -o OUTPUT-FILE create OUTPUT-FILE from the specified objects - -objectlist FILE Use a list of object files found in FILE to specify objects - -precious-files-regex REGEX - don't remove output files matching REGEX - -release RELEASE specify package release information - -rpath LIBDIR the created library will eventually be installed in LIBDIR - -R[ ]LIBDIR add LIBDIR to the runtime path of programs and libraries - -static do not do any dynamic linking of uninstalled libtool libraries - -static-libtool-libs - do not do any dynamic linking of libtool libraries - -version-info CURRENT[:REVISION[:AGE]] - specify library version info [each variable defaults to 0] - -All other options (arguments beginning with \`-') are ignored. - -Every other argument is treated as a filename. 
Files ending in \`.la' are -treated as uninstalled libtool libraries, other files are standard or library -object files. - -If the OUTPUT-FILE ends in \`.la', then a libtool library is created, -only library objects (\`.lo' files) may be specified, and \`-rpath' is -required, except when creating a convenience library. - -If OUTPUT-FILE ends in \`.a' or \`.lib', then a standard library is created -using \`ar' and \`ranlib', or on Windows using \`lib'. - -If OUTPUT-FILE ends in \`.lo' or \`.${objext}', then a reloadable object file -is created, otherwise an executable program is created." - ;; - -uninstall) - $echo \ -"Usage: $modename [OPTION]... --mode=uninstall RM [RM-OPTION]... FILE... - -Remove libraries from an installation directory. - -RM is the name of the program to use to delete files associated with each FILE -(typically \`/bin/rm'). RM-OPTIONS are options (such as \`-f') to be passed -to RM. - -If FILE is a libtool library, all the files associated with it are deleted. -Otherwise, only FILE itself is deleted using RM." - ;; - -*) - $echo "$modename: invalid operation mode \`$mode'" 1>&2 - $echo "$help" 1>&2 - exit $EXIT_FAILURE - ;; -esac - -$echo -$echo "Try \`$modename --help' for more information about other modes." - -exit $? # The TAGs below are defined such that we never get into a situation # in which we disable both kinds of libraries. Given conflicting 
@@ -6896,14 +8390,17 @@ # configuration. But we'll never go from static-only to shared-only. # ### BEGIN LIBTOOL TAG CONFIG: disable-shared -disable_libs=shared +build_libtool_libs=no +build_old_libs=yes # ### END LIBTOOL TAG CONFIG: disable-shared # ### BEGIN LIBTOOL TAG CONFIG: disable-static -disable_libs=static +build_old_libs=`case $build_libtool_libs in yes) echo no;; *) echo yes;; esac` # ### END LIBTOOL TAG CONFIG: disable-static # Local Variables: # mode:shell-script # sh-indentation:2 # End: +# vi:sw=2 + diff -Nru snort-2.8.5.2/m4/Makefile.in snort-2.9.2/m4/Makefile.in --- snort-2.8.5.2/m4/Makefile.in 2009-10-19 21:17:58.000000000 +0000 +++ snort-2.9.2/m4/Makefile.in 2011-12-07 19:23:17.000000000 +0000 @@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -15,8 +16,9 @@ @SET_MAKE@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c @@ -41,6 +43,7 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = depcomp = am__depfiles_maybe = SOURCES = 
@@ -55,31 +58,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ @@ -92,12 +95,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -105,20 +114,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -150,6 +166,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -162,6 +179,7 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies 
@@ -175,14 +193,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign m4/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign m4/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign m4/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign m4/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -200,6 +218,7 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): mostlyclean-libtool: -rm -f *.lo @@ -229,13 +248,17 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done 
@@ -263,6 +286,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -281,6 +305,8 @@ html: html-am +html-am: + info: info-am info-am: @@ -289,18 +315,28 @@ install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am @@ -334,6 +370,7 @@ maintainer-clean-generic mostlyclean mostlyclean-generic \ mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/Makefile.am snort-2.9.2/Makefile.am --- snort-2.8.5.2/Makefile.am 2009-07-07 15:36:57.000000000 +0000 +++ snort-2.9.2/Makefile.am 2011-07-14 18:33:44.000000000 +0000 @@ -1,6 +1,6 @@ ## $Id$ AUTOMAKE_OPTIONS=foreign no-dependencies -SUBDIRS = src doc etc templates contrib schemas rpm m4 preproc_rules +SUBDIRS = src doc etc templates contrib rpm schemas m4 preproc_rules tools INCLUDES = @INCLUDES@ diff -Nru snort-2.8.5.2/Makefile.in snort-2.9.2/Makefile.in --- snort-2.8.5.2/Makefile.in 2009-10-19 21:18:02.000000000 +0000 +++ snort-2.9.2/Makefile.in 2011-12-07 19:23:23.000000000 +0000 
@@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -16,8 +17,9 @@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c @@ -36,8 +38,8 @@ DIST_COMMON = $(am__configure_deps) $(srcdir)/Makefile.am \ $(srcdir)/Makefile.in $(srcdir)/config.h.in \ $(srcdir)/snort.pc.in $(top_srcdir)/configure COPYING \ - ChangeLog config.guess config.sub install-sh ltmain.sh missing \ - mkinstalldirs ylwrap + ChangeLog config.guess config.sub depcomp install-sh ltmain.sh \ + missing mkinstalldirs ylwrap ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/libprelude.m4 \ $(top_srcdir)/configure.in @@ -48,6 +50,7 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = config.h CONFIG_CLEAN_FILES = snort.pc +CONFIG_CLEAN_VPATH_FILES = depcomp = am__depfiles_maybe = SOURCES = 
@@ -59,20 +62,37 @@ install-pdf-recursive install-ps-recursive install-recursive \ installcheck-recursive installdirs-recursive pdf-recursive \ ps-recursive uninstall-recursive -man8dir = $(mandir)/man8 -am__installdirs = "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(pkgconfigdir)" -NROFF = nroff -MANS = $(man_MANS) am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; -am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; -pkgconfigDATA_INSTALL = $(INSTALL_DATA) +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +man8dir = $(mandir)/man8 +am__installdirs = "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(pkgconfigdir)" +NROFF = nroff +MANS = $(man_MANS) DATA = $(pkgconfig_DATA) RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive +AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \ + $(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \ + distdir dist dist-all distcheck ETAGS = etags CTAGS = ctags DIST_SUBDIRS = $(SUBDIRS) 
@@ -80,9 +100,34 @@ distdir = $(PACKAGE)-$(VERSION) top_distdir = $(distdir) am__remove_distdir = \ - { test ! -d $(distdir) \ - || { find $(distdir) -type d ! -perm -200 -exec chmod u+w {} ';' \ - && rm -fr $(distdir); }; } + { test ! -d "$(distdir)" \ + || { find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \ + && rm -fr "$(distdir)"; }; } +am__relativize = \ + dir0=`pwd`; \ + sed_first='s,^\([^/]*\)/.*$$,\1,'; \ + sed_rest='s,^[^/]*/*,,'; \ + sed_last='s,^.*/\([^/]*\)$$,\1,'; \ + sed_butlast='s,/*[^/]*$$,,'; \ + while test -n "$$dir1"; do \ + first=`echo "$$dir1" | sed -e "$$sed_first"`; \ + if test "$$first" != "."; then \ + if test "$$first" = ".."; then \ + dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ + dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ + else \ + first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ + if test "$$first2" = "$$first"; then \ + dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ + else \ + dir2="../$$dir2"; \ + fi; \ + dir0="$$dir0"/"$$first"; \ + fi; \ + fi; \ + dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ + done; \ + reldir="$$dir2" DIST_ARCHIVES = $(distdir).tar.gz GZIP_ENV = --best distuninstallcheck_listfiles = find . -type f -print 
@@ -96,31 +141,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ @@ -133,12 +178,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -146,20 +197,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -191,6 +249,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -203,10 +262,11 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies -SUBDIRS = src doc etc templates contrib schemas rpm m4 preproc_rules +SUBDIRS = src doc etc templates contrib rpm schemas m4 preproc_rules tools EXTRA_DIST = ChangeLog snort.8 LICENSE verstuff.pl RELEASE.NOTES snort.pc.in man_MANS = snort.8 DISTCLEANFILES = stamp-h.in cflags.out cppflags.out 
@@ -222,15 +282,15 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - echo ' cd $(srcdir) && $(AUTOMAKE) --foreign '; \ - cd $(srcdir) && $(AUTOMAKE) --foreign \ + echo ' cd $(srcdir) && $(AUTOMAKE) --foreign'; \ + $(am__cd) $(srcdir) && $(AUTOMAKE) --foreign \ && exit 0; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -246,9 +306,10 @@ $(SHELL) ./config.status --recheck $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(srcdir) && $(AUTOCONF) + $(am__cd) $(srcdir) && $(AUTOCONF) $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS) + $(am__cd) $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS) +$(am__aclocal_m4_deps): config.h: stamp-h1 @if test ! -f $@; then \ @@ -260,7 +321,7 @@ @rm -f stamp-h1 cd $(top_builddir) && $(SHELL) ./config.status config.h $(srcdir)/config.h.in: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_srcdir) && $(AUTOHEADER) + ($(am__cd) $(top_srcdir) && $(AUTOHEADER)) rm -f stamp-h1 touch $@ 
@@ -276,69 +337,65 @@ -rm -rf .libs _libs distclean-libtool: - -rm -f libtool -install-man8: $(man8_MANS) $(man_MANS) + -rm -f libtool config.lt +install-man8: $(man_MANS) @$(NORMAL_INSTALL) test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ + @list=''; test -n "$(man8dir)" || exit 0; \ + { for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.8[a-z]*$$/p'; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ + fi; \ done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ - done + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ + done; } + uninstall-man8: @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - 
l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ - done + @list=''; test -n "$(man8dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.8[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + test -z "$$files" || { \ + echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(man8dir)" && rm -f $$files; } install-pkgconfigDATA: $(pkgconfig_DATA) @$(NORMAL_INSTALL) test -z "$(pkgconfigdir)" || $(MKDIR_P) "$(DESTDIR)$(pkgconfigdir)" - @list='$(pkgconfig_DATA)'; for p in $$list; do \ + @list='$(pkgconfig_DATA)'; test -n "$(pkgconfigdir)" || list=; \ + for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f=$(am__strip_dir) \ - echo " $(pkgconfigDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(pkgconfigdir)/$$f'"; \ - $(pkgconfigDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(pkgconfigdir)/$$f"; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(pkgconfigdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(pkgconfigdir)" || exit $$?; \ done uninstall-pkgconfigDATA: @$(NORMAL_UNINSTALL) - @list='$(pkgconfig_DATA)'; for p in $$list; do \ - f=$(am__strip_dir) \ - echo " rm -f '$(DESTDIR)$(pkgconfigdir)/$$f'"; \ - rm -f "$(DESTDIR)$(pkgconfigdir)/$$f"; \ - done + @list='$(pkgconfig_DATA)'; test -n "$(pkgconfigdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed 
-e 's|^.*/||'`; \ + test -n "$$files" || exit 0; \ + echo " ( cd '$(DESTDIR)$(pkgconfigdir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(pkgconfigdir)" && rm -f $$files # This directory's subdirectories are mostly independent; you can cd # into them and run `make' without going through this Makefile. @@ -347,7 +404,7 @@ # (which will cause the Makefiles to be regenerated when you run `make'); # (2) otherwise, pass the desired values on the `make' command line. $(RECURSIVE_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ @@ -364,7 +421,7 @@ else \ local_target="$$target"; \ fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done; \ if test "$$dot_seen" = "no"; then \ @@ -372,7 +429,7 @@ fi; test -z "$$fail" $(RECURSIVE_CLEAN_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ @@ -398,16 +455,16 @@ else \ local_target="$$target"; \ fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done && test -z "$$fail" tags-recursive: list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ + test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ done ctags-recursive: list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ + test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ done ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) 
@@ -415,14 +472,14 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: tags-recursive $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ include_option=--etags-include; \ 
@@ -434,46 +491,63 @@ list='$(SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test ! -f $$subdir/TAGS || \ - tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \ + set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ fi; \ done; \ list='$(SOURCES) $(HEADERS) config.h.in $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: ctags-recursive $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ list='$(SOURCES) $(HEADERS) config.h.in $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) + @list='$(MANS)'; if 
test -n "$$list"; then \ + list=`for p in $$list; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \ + if test -n "$$list" && \ + grep 'ab help2man is required to generate this page' $$list >/dev/null; then \ + echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \ + grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/ /' >&2; \ + echo " to fix them, install help2man, remove and regenerate the man pages;" >&2; \ + echo " typically \`make maintainer-clean' will remove them" >&2; \ + exit 1; \ + else :; fi; \ + else :; fi $(am__remove_distdir) - test -d $(distdir) || mkdir $(distdir) + test -d "$(distdir)" || mkdir "$(distdir)" @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ 
@@ -489,29 +563,44 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done - list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test -d "$(distdir)/$$subdir" \ || $(MKDIR_P) "$(distdir)/$$subdir" \ || exit 1; \ - distdir=`$(am__cd) $(distdir) && pwd`; \ - top_distdir=`$(am__cd) $(top_distdir) && pwd`; \ - (cd $$subdir && \ + fi; \ + done + @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ + $(am__relativize); \ + new_distdir=$$reldir; \ + dir1=$$subdir; dir2="$(top_distdir)"; \ + $(am__relativize); \ + new_top_distdir=$$reldir; \ + echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ + echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ + ($(am__cd) $$subdir && \ $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$$top_distdir" \ - distdir="$$distdir/$$subdir" \ + top_distdir="$$new_top_distdir" \ + distdir="$$new_distdir" \ am__remove_distdir=: \ am__skip_length_check=: \ + am__skip_mode_fix=: \ distdir) \ || exit 1; \ fi; \ 
@@ -519,11 +608,13 @@ $(MAKE) $(AM_MAKEFLAGS) \ top_distdir="$(top_distdir)" distdir="$(distdir)" \ dist-hook - -find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \ + -test -n "$(am__skip_mode_fix)" \ + || find "$(distdir)" -type d ! -perm -755 \ + -exec chmod u+rwx,go+rx {} \; -o \ ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \ ! -type d ! -perm -400 -exec chmod a+r {} \; -o \ ! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \ - || chmod -R a+r $(distdir) + || chmod -R a+r "$(distdir)" dist-gzip: distdir tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz $(am__remove_distdir) @@ -532,6 +623,14 @@ tardir=$(distdir) && $(am__tar) | bzip2 -9 -c >$(distdir).tar.bz2 $(am__remove_distdir) +dist-lzma: distdir + tardir=$(distdir) && $(am__tar) | lzma -9 -c >$(distdir).tar.lzma + $(am__remove_distdir) + +dist-xz: distdir + tardir=$(distdir) && $(am__tar) | xz -c >$(distdir).tar.xz + $(am__remove_distdir) + dist-tarZ: distdir tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z $(am__remove_distdir) @@ -555,13 +654,17 @@ distcheck: dist case '$(DIST_ARCHIVES)' in \ *.tar.gz*) \ - GZIP=$(GZIP_ENV) gunzip -c $(distdir).tar.gz | $(am__untar) ;;\ + GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\ *.tar.bz2*) \ - bunzip2 -c $(distdir).tar.bz2 | $(am__untar) ;;\ + bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\ + *.tar.lzma*) \ + lzma -dc $(distdir).tar.lzma | $(am__untar) ;;\ + *.tar.xz*) \ + xz -dc $(distdir).tar.xz | $(am__untar) ;;\ *.tar.Z*) \ uncompress -c $(distdir).tar.Z | $(am__untar) ;;\ *.shar.gz*) \ - GZIP=$(GZIP_ENV) gunzip -c $(distdir).shar.gz | unshar ;;\ + GZIP=$(GZIP_ENV) gzip -dc $(distdir).shar.gz | unshar ;;\ *.zip*) \ unzip $(distdir).zip ;;\ esac 
@@ -569,9 +672,11 @@ mkdir $(distdir)/_build mkdir $(distdir)/_inst chmod a-w $(distdir) + test -d $(distdir)/_build || exit 0; \ dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \ && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \ - && cd $(distdir)/_build \ + && am__cwd=`pwd` \ + && $(am__cd) $(distdir)/_build \ && ../configure --srcdir=.. --prefix="$$dc_install_base" \ $(DISTCHECK_CONFIGURE_FLAGS) \ && $(MAKE) $(AM_MAKEFLAGS) \ @@ -593,13 +698,15 @@ && rm -rf "$$dc_destdir" \ && $(MAKE) $(AM_MAKEFLAGS) dist \ && rm -rf $(DIST_ARCHIVES) \ - && $(MAKE) $(AM_MAKEFLAGS) distcleancheck + && $(MAKE) $(AM_MAKEFLAGS) distcleancheck \ + && cd "$$am__cwd" \ + || exit 1 $(am__remove_distdir) @(echo "$(distdir) archives ready for distribution: "; \ list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \ sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x' distuninstallcheck: - @cd $(distuninstallcheck_dir) \ + @$(am__cd) '$(distuninstallcheck_dir)' \ && test `$(distuninstallcheck_listfiles) | wc -l` -le 1 \ || { echo "ERROR: files left after uninstall:" ; \ if test -n "$(DESTDIR)"; then \ @@ -644,6 +751,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) -test -z "$(DISTCLEANFILES)" || rm -f $(DISTCLEANFILES) maintainer-clean-generic: @@ -665,6 +773,8 @@ html: html-recursive +html-am: + info: info-recursive info-am: @@ -673,18 +783,28 @@ install-dvi: install-dvi-recursive +install-dvi-am: + install-exec-am: install-html: install-html-recursive +install-html-am: + install-info: install-info-recursive +install-info-am: + install-man: install-man8 install-pdf: install-pdf-recursive +install-pdf-am: + install-ps: install-ps-recursive +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-recursive 
@@ -709,22 +829,22 @@ uninstall-man: uninstall-man8 -.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \ - install-strip +.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) all \ + ctags-recursive install-am install-strip tags-recursive .PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \ all all-am am--refresh check check-am clean clean-generic \ clean-libtool ctags ctags-recursive dist dist-all dist-bzip2 \ - dist-gzip dist-hook dist-shar dist-tarZ dist-zip distcheck \ - distclean distclean-generic distclean-hdr distclean-libtool \ - distclean-tags distcleancheck distdir distuninstallcheck dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-pkgconfigDATA install-ps \ - install-ps-am install-strip installcheck installcheck-am \ - installdirs installdirs-am maintainer-clean \ + dist-gzip dist-hook dist-lzma dist-shar dist-tarZ dist-xz \ + dist-zip distcheck distclean distclean-generic distclean-hdr \ + distclean-libtool distclean-tags distcleancheck distdir \ + distuninstallcheck dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-man8 install-pdf install-pdf-am install-pkgconfigDATA \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs installdirs-am maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-generic \ mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \ uninstall uninstall-am uninstall-man uninstall-man8 \ 
@@ -736,6 +856,7 @@ perl $(distdir)/verstuff.pl $(distdir) # work around a horrible doc/Makefile.am rm -rf $(distdir)/doc/signatures/CVS + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/missing snort-2.9.2/missing --- snort-2.8.5.2/missing 2007-07-06 15:57:46.000000000 +0000 +++ snort-2.9.2/missing 2011-12-07 19:23:17.000000000 +0000 @@ -1,13 +1,16 @@ #! /bin/sh # Common stub for a few missing GNU programs while installing. -# Copyright 1996, 1997, 1999, 2000 Free Software Foundation, Inc. + +scriptversion=2009-04-28.21; # UTC + +# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003, 2004, 2005, 2006, +# 2008, 2009 Free Software Foundation, Inc. # Originally by Fran,cois Pinard , 1996. # This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License Version 2 as -# published by the Free Software Foundation. You may not use, modify or -# distribute this program under any other version of the GNU General -# Public License. +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of @@ -15,9 +18,7 @@ # GNU General Public License for more details. # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA -# 02111-1307, USA. +# along with this program. If not, see . # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a 
@@ -30,6 +31,8 @@ fi run=: +sed_output='s/.* --output[ =]\([^ ]*\).*/\1/p' +sed_minuso='s/.* -o \([^ ]*\).*/\1/p' # In the cases where this matters, `missing' is being run in the # srcdir already. @@ -39,18 +42,24 @@ configure_ac=configure.in fi -case "$1" in +msg="missing on your system" + +case $1 in --run) # Try to run requested program, and just exit if it succeeds. run= shift "$@" && exit 0 + # Exit code 63 means version mismatch. This often happens + # when the user try to use an ancient version of a tool on + # a file that requires a minimum version. In this case we + # we should proceed has if the program had been absent, or + # if --run hadn't been passed. + if test $? = 63; then + run=: + msg="probably too old" + fi ;; -esac - -# If it does not exist, or fails to run (possibly an outdated version), -# try to emulate it. -case "$1" in -h|--h|--he|--hel|--help) echo "\ @@ -68,6 +77,7 @@ aclocal touch file \`aclocal.m4' autoconf touch file \`configure' autoheader touch file \`config.h.in' + autom4te touch the output file, or create a stub one automake touch all \`Makefile.in' files bison create \`y.tab.[ch]', if possible, from existing .[ch] flex create \`lex.yy.c', if possible, from existing .c @@ -75,11 +85,18 @@ lex create \`lex.yy.c', if possible, from existing .c makeinfo touch the output file tar try tar, gnutar, gtar, then tar without non-portable flags - yacc create \`y.tab.[ch]', if possible, from existing .[ch]" + yacc create \`y.tab.[ch]', if possible, from existing .[ch] + +Version suffixes to PROGRAM as well as the prefixes \`gnu-', \`gnu', and +\`g' are ignored when checking the name. + +Send bug reports to ." + exit $? ;; -v|--v|--ve|--ver|--vers|--versi|--versio|--version) - echo "missing 0.3 - GNU automake" + echo "missing $scriptversion (GNU Automake)" + exit $? ;; -*) 
@@ -88,27 +105,69 @@ exit 1 ;; - aclocal) +esac + +# normalize program name to check for. +program=`echo "$1" | sed ' + s/^gnu-//; t + s/^gnu//; t + s/^g//; t'` + +# Now exit if we have it, but it failed. Also exit now if we +# don't have it and --version was passed (most likely to detect +# the program). This is about non-GNU programs, so use $1 not +# $program. +case $1 in + lex*|yacc*) + # Not GNU programs, they don't have --version. + ;; + + tar*) + if test -n "$run"; then + echo 1>&2 "ERROR: \`tar' requires --run" + exit 1 + elif test "x$2" = "x--version" || test "x$2" = "x--help"; then + exit 1 + fi + ;; + + *) + if test -z "$run" && ($1 --version) > /dev/null 2>&1; then + # We have it, but it failed. + exit 1 + elif test "x$2" = "x--version" || test "x$2" = "x--help"; then + # Could not run --version or --help. This is probably someone + # running `$TOOL --version' or `$TOOL --help' to check whether + # $TOOL exists and not knowing $TOOL uses missing. + exit 1 + fi + ;; +esac + +# If it does not exist, or fails to run (possibly an outdated version), +# try to emulate it. +case $program in + aclocal*) echo 1>&2 "\ -WARNING: \`$1' is missing on your system. You should only need it if +WARNING: \`$1' is $msg. You should only need it if you modified \`acinclude.m4' or \`${configure_ac}'. You might want to install the \`Automake' and \`Perl' packages. Grab them from any GNU archive site." touch aclocal.m4 ;; - autoconf) + autoconf*) echo 1>&2 "\ -WARNING: \`$1' is missing on your system. You should only need it if +WARNING: \`$1' is $msg. You should only need it if you modified \`${configure_ac}'. You might want to install the \`Autoconf' and \`GNU m4' packages. Grab them from any GNU archive site." touch configure ;; - autoheader) + autoheader*) echo 1>&2 "\ -WARNING: \`$1' is missing on your system. You should only need it if +WARNING: \`$1' is $msg. You should only need it if you modified \`acconfig.h' or \`${configure_ac}'. 
You might want to install the \`Autoconf' and \`GNU m4' packages. Grab them from any GNU archive site." @@ -116,7 +175,7 @@ test -z "$files" && files="config.h" touch_files= for f in $files; do - case "$f" in + case $f in *:*) touch_files="$touch_files "`echo "$f" | sed -e 's/^[^:]*://' -e 's/:.*//'`;; *) touch_files="$touch_files $f.in";; @@ -125,9 +184,9 @@ touch $touch_files ;; - automake) + automake*) echo 1>&2 "\ -WARNING: \`$1' is missing on your system. You should only need it if +WARNING: \`$1' is $msg. You should only need it if you modified \`Makefile.am', \`acinclude.m4' or \`${configure_ac}'. You might want to install the \`Automake' and \`Perl' packages. Grab them from any GNU archive site." 
@@ -136,128 +195,153 @@ while read f; do touch "$f"; done ;; - bison|yacc) + autom4te*) + echo 1>&2 "\ +WARNING: \`$1' is needed, but is $msg. + You might have modified some files without having the + proper tools for further handling them. + You can get \`$1' as part of \`Autoconf' from any GNU + archive site." + + file=`echo "$*" | sed -n "$sed_output"` + test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"` + if test -f "$file"; then + touch $file + else + test -z "$file" || exec >$file + echo "#! /bin/sh" + echo "# Created by GNU Automake missing as a replacement of" + echo "# $ $@" + echo "exit 0" + chmod +x $file + exit 1 + fi + ;; + + bison*|yacc*) echo 1>&2 "\ -WARNING: \`$1' is missing on your system. You should only need it if +WARNING: \`$1' $msg. You should only need it if you modified a \`.y' file. You may need the \`Bison' package in order for those modifications to take effect. You can get \`Bison' from any GNU archive site." rm -f y.tab.c y.tab.h - if [ $# -ne 1 ]; then + if test $# -ne 1; then eval LASTARG="\${$#}" - case "$LASTARG" in + case $LASTARG in *.y) SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'` - if [ -f "$SRCFILE" ]; then + if test -f "$SRCFILE"; then cp "$SRCFILE" y.tab.c fi SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'` - if [ -f "$SRCFILE" ]; then + if test -f "$SRCFILE"; then cp "$SRCFILE" y.tab.h fi ;; esac fi - if [ ! -f y.tab.h ]; then + if test ! -f y.tab.h; then echo >y.tab.h fi - if [ ! -f y.tab.c ]; then + if test ! -f y.tab.c; then echo 'main() { return 0; }' >y.tab.c fi ;; - lex|flex) + lex*|flex*) echo 1>&2 "\ -WARNING: \`$1' is missing on your system. You should only need it if +WARNING: \`$1' is $msg. You should only need it if you modified a \`.l' file. You may need the \`Flex' package in order for those modifications to take effect. You can get \`Flex' from any GNU archive site." 
rm -f lex.yy.c - if [ $# -ne 1 ]; then + if test $# -ne 1; then eval LASTARG="\${$#}" - case "$LASTARG" in + case $LASTARG in *.l) SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'` - if [ -f "$SRCFILE" ]; then + if test -f "$SRCFILE"; then cp "$SRCFILE" lex.yy.c fi ;; esac fi - if [ ! -f lex.yy.c ]; then + if test ! -f lex.yy.c; then echo 'main() { return 0; }' >lex.yy.c fi ;; - help2man) + help2man*) echo 1>&2 "\ -WARNING: \`$1' is missing on your system. You should only need it if +WARNING: \`$1' is $msg. You should only need it if you modified a dependency of a manual page. You may need the \`Help2man' package in order for those modifications to take effect. You can get \`Help2man' from any GNU archive site." - file=`echo "$*" | sed -n 's/.*-o \([^ ]*\).*/\1/p'` - if test -z "$file"; then - file=`echo "$*" | sed -n 's/.*--output=\([^ ]*\).*/\1/p'` - fi - if [ -f "$file" ]; then + file=`echo "$*" | sed -n "$sed_output"` + test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"` + if test -f "$file"; then touch $file else test -z "$file" || exec >$file echo ".ab help2man is required to generate this page" - exit 1 + exit $? fi ;; - makeinfo) - if test -z "$run" && (makeinfo --version) > /dev/null 2>&1; then - # We have makeinfo, but it failed. - exit 1 - fi - + makeinfo*) echo 1>&2 "\ -WARNING: \`$1' is missing on your system. You should only need it if +WARNING: \`$1' is $msg. You should only need it if you modified a \`.texi' or \`.texinfo' file, or any other file indirectly affecting the aspect of the manual. The spurious call might also be the consequence of using a buggy \`make' (AIX, DU, IRIX). You might want to install the \`Texinfo' package or the \`GNU make' package. Grab either from any GNU archive site." - file=`echo "$*" | sed -n 's/.*-o \([^ ]*\).*/\1/p'` + # The file to touch is that specified with -o ... 
+ file=`echo "$*" | sed -n "$sed_output"` + test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"` if test -z "$file"; then - file=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'` - file=`sed -n '/^@setfilename/ { s/.* \([^ ]*\) *$/\1/; p; q; }' $file` - fi + # ... or it is the one specified with @setfilename ... + infile=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'` + file=`sed -n ' + /^@setfilename/{ + s/.* \([^ ]*\) *$/\1/ + p + q + }' $infile` + # ... or it is derived from the source name (dir/f.texi becomes f.info) + test -z "$file" && file=`echo "$infile" | sed 's,.*/,,;s,.[^.]*$,,'`.info + fi + # If the file does not exist, the user really needs makeinfo; + # let's fail without touching anything. + test -f $file || exit 1 touch $file ;; - tar) + tar*) shift - if test -n "$run"; then - echo 1>&2 "ERROR: \`tar' requires --run" - exit 1 - fi # We have already tried tar in the generic part. # Look for gnutar/gtar before invocation to avoid ugly error # messages. if (gnutar --version > /dev/null 2>&1); then - gnutar ${1+"$@"} && exit 0 + gnutar "$@" && exit 0 fi if (gtar --version > /dev/null 2>&1); then - gtar ${1+"$@"} && exit 0 + gtar "$@" && exit 0 fi firstarg="$1" if shift; then - case "$firstarg" in + case $firstarg in *o*) firstarg=`echo "$firstarg" | sed s/o//` - tar "$firstarg" ${1+"$@"} && exit 0 + tar "$firstarg" "$@" && exit 0 ;; esac - case "$firstarg" in + case $firstarg in *h*) firstarg=`echo "$firstarg" | sed s/h//` - tar "$firstarg" ${1+"$@"} && exit 0 + tar "$firstarg" "$@" && exit 0 ;; esac fi 
@@ -271,10 +355,10 @@ *) echo 1>&2 "\ -WARNING: \`$1' is needed, and you do not seem to have it handy on your - system. You might have modified some files without having the +WARNING: \`$1' is needed, and is $msg. + You might have modified some files without having the proper tools for further handling them. Check the \`README' file, - it often tells you about the needed prerequirements for installing + it often tells you about the needed prerequisites for installing this package. You may also peek at any GNU archive site, in case some other package would contain this missing \`$1' program." exit 1 @@ -282,3 +366,11 @@ esac exit 0 + +# Local variables: +# eval: (add-hook 'write-file-hooks 'time-stamp) +# time-stamp-start: "scriptversion=" +# time-stamp-format: "%:y-%02m-%02d.%02H" +# time-stamp-time-zone: "UTC" +# time-stamp-end: "; # UTC" +# End: diff -Nru snort-2.8.5.2/preproc_rules/decoder.rules snort-2.9.2/preproc_rules/decoder.rules --- snort-2.8.5.2/preproc_rules/decoder.rules 2009-01-26 15:33:38.000000000 +0000 +++ snort-2.9.2/preproc_rules/decoder.rules 2011-10-26 18:28:52.000000000 +0000 
@@ -1,65 +1,142 @@ -alert ( msg: "DECODE_NOT_IPV4_DGRAM"; sid: 1; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode;) -alert ( msg: "DECODE_IPV4_INVALID_HEADER_LEN"; sid: 2; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_IPV4_DGRAM_LT_IPHDR"; sid: 3; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_IPV4OPT_BADLEN"; sid: 4; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_IPV4OPT_TRUNCATED"; sid: 5; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode;) -alert ( msg: "DECODE_IPV4_DGRAM_GT_IPHDR"; sid: 6; gid: 116; rev: 1; metadata: rule-type decode ;classtype:protocol-command-decode; ) -alert ( msg: "DECODE_TCP_DGRAM_LT_TCPHDR"; sid: 45; gid: 116; rev: 1; metadata: rule-type decode ;classtype:protocol-command-decode; ) -alert ( msg: "DECODE_TCP_INVALID_OFFSET"; sid: 46; gid: 116; rev: 1; metadata: rule-type decode ; classtype:bad-unknown; ) -alert ( msg: "DECODE_TCP_LARGE_OFFSET"; sid: 47; gid: 116; rev: 1; metadata: rule-type decode ; classtype:bad-unknown; ) -alert ( msg: "DECODE_TCPOPT_BADLEN"; sid: 54; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_TCPOPT_TRUNCATED"; sid: 55; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_TCPOPT_TTCP"; sid: 56; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_TCPOPT_OBSOLETE"; sid: 57; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_TCPOPT_EXPERIMENT"; sid: 58; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_TCPOPT_WSCALE_INVALID"; sid: 59; gid: 116; rev: 1; metadata: rule-type decode ; 
classtype:protocol-command-decode; ) -alert ( msg: "DECODE_UDP_DGRAM_LT_UDPHDR"; sid: 95; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_UDP_DGRAM_INVALID_LENGTH"; sid: 96; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_UDP_DGRAM_SHORT_PACKET"; sid: 97; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_UDP_DGRAM_LONG_PACKET"; sid: 98; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_ICMP_DGRAM_LT_ICMPHDR"; sid: 105; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR"; sid: 106; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_ICMP_DGRAM_LT_ADDRHDR"; sid: 107; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_IPV4_DGRAM_UNKNOWN"; sid: 108; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_ARP_TRUNCATED"; sid: 109; gid: 116; rev: 1; metadata: rule-type decode ; classtype:bad-unknown; ) -alert ( msg: "DECODE_EAPOL_TRUNCATED"; sid: 110; gid: 116; rev: 1; metadata: rule-type decode ; classtype:bad-unknown; ) -alert ( msg: "DECODE_EAPKEY_TRUNCATED"; sid: 111; gid: 116; rev: 1; metadata: rule-type decode ; classtype:bad-unknown; ) -alert ( msg: "DECODE_EAP_TRUNCATED"; sid: 112; gid: 116; rev: 1; metadata: rule-type decode ; classtype:bad-unknown; ) -alert ( msg: "DECODE_BAD_PPPOE"; sid: 120; gid: 116; rev: 1; metadata: rule-type decode ; classtype:bad-unknown; ) -alert ( msg: "DECODE_BAD_VLAN"; sid: 130; gid: 116; rev: 1; metadata: rule-type decode ; classtype:bad-unknown; ) -alert ( msg: "DECODE_BAD_VLAN_ETHLLC"; sid: 131; gid: 116; rev: 1; metadata: rule-type decode ; classtype:bad-unknown; ) 
-alert ( msg: "DECODE_BAD_VLAN_OTHER"; sid: 132; gid: 116; rev: 1; metadata: rule-type decode ; classtype:bad-unknown; ) -alert ( msg: "DECODE_BAD_80211_ETHLLC"; sid: 133; gid: 116; rev: 1; metadata: rule-type decode ; classtype:bad-unknown; ) -alert ( msg: "DECODE_BAD_80211_OTHER"; sid: 134; gid: 116; rev: 1; metadata: rule-type decode ;classtype:bad-unknown; ) -alert ( msg: "DECODE_BAD_TRH"; sid: 140; gid: 116; rev: 1; metadata: rule-type decode ;classtype:bad-unknown; ) -alert ( msg: "DECODE_BAD_TR_ETHLLC"; sid: 141; gid: 116; rev: 1; metadata: rule-type decode ;classtype:bad-unknown; ) -alert ( msg: "DECODE_BAD_TR_MR_LEN"; sid: 142; gid: 116; rev: 1; metadata: rule-type decode ;classtype:bad-unknown; ) -alert ( msg: "DECODE_BAD_TRHMR"; sid: 143; gid: 116; rev: 1; metadata: rule-type decode ;classtype:bad-unknown; ) -alert ( msg: "DECODE_BAD_TRAFFIC_LOOPBACK"; sid: 150; gid: 116; rev: 1; metadata: rule-type decode ;classtype:bad-unknown; ) -alert ( msg: "DECODE_BAD_TRAFFIC_SAME_SRCDST"; sid: 151; gid: 116; rev: 1; metadata: rule-type decode ;classtype:bad-unknown; ) -alert ( msg: "DECODE_GRE_DGRAM_LT_GREHDR"; sid: 160; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_GRE_MULTIPLE_ENCAPSULATION"; sid: 161; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_GRE_INVALID_VERSION"; sid: 162; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_GRE_INVALID_HEADER"; sid: 163; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_GRE_V1_INVALID_HEADER"; sid: 164; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_GRE_TRANS_DGRAM_LT_TRANSHDR"; sid: 165; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_ICMP_ORIG_IP_TRUNCATED"; sid: 250; gid: 116; 
rev: 1; metadata: rule-type decode ; classtype:bad-unknown; ) -alert ( msg: "DECODE_ICMP_ORIG_IP_NOT_IPV4"; sid: 251; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP"; sid: 252; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_ICMP_ORIG_PAYLOAD_LT_64"; sid: 253; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_ICMP_ORIG_PAYLOAD_GT_576"; sid: 254; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET"; sid: 255; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_IPV6_MIN_TTL"; sid: 270 ; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_IPV6_IS_NOT"; sid: 271; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_IPV6_TRUNCATED_EXT"; sid: 272; gid: 116; rev: 1; metadata: rule-type decode ; classtype:bad-unknown; ) -alert ( msg: "DECODE_IPV6_TRUNCATED"; sid: 273; gid: 116; rev: 1; metadata: rule-type decode ; classtype:bad-unknown; ) -alert ( msg: "DECODE_IPV6_DGRAM_LT_IPHDR"; sid: 274; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_IPV6_DGRAM_GT_IPHDR"; sid: 275; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_IPV6_TUNNELED_IPV4_TRUNCATED"; sid: 291; gid: 116; rev: 1; metadata: rule-type decode ; classtype:attempted-dos; reference:cve,2008-2136; reference:bugtraq,29235; ) -alert ( msg: "DECODE_BAD_MPLS_STR"; sid: 170; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_BAD_MPLS_LABEL0_STR"; sid: 171; gid: 116; rev: 1; metadata: rule-type decode ; 
classtype:protocol-command-decode; ) -alert ( msg: "DECODE_BAD_MPLS_LABEL1_STR"; sid: 172; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_BAD_MPLS_LABEL2_STR"; sid: 173; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_BAD_MPLS_LABEL3_STR"; sid: 174; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_MPLS_RESERVEDLABEL_STR"; sid: 175; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) -alert ( msg: "DECODE_MPLS_LABEL_STACK_STR"; sid: 176; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_NOT_IPV4_DGRAM"; sid:1; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode;) +alert ( msg:"DECODE_IPV4_INVALID_HEADER_LEN"; sid:2; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_IPV4_DGRAM_LT_IPHDR"; sid:3; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_IPV4OPT_BADLEN"; sid:4; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_IPV4OPT_TRUNCATED"; sid:5; gid:116; rev:1; metadata:rule-type decode; reference:cve,2005-0048; reference:url,www.microsoft.com/technet/security/bulletin/ms05-019.mspx; classtype:protocol-command-decode;) +alert ( msg:"DECODE_IPV4_DGRAM_GT_IPHDR"; sid:6; gid:116; rev:1; metadata:rule-type decode;classtype:protocol-command-decode; ) +alert ( msg:"DECODE_TCP_DGRAM_LT_TCPHDR"; sid:45; gid:116; rev:1; metadata:rule-type decode;classtype:protocol-command-decode; ) +alert ( msg:"DECODE_TCP_INVALID_OFFSET"; sid:46; gid:116; rev:1; metadata:rule-type decode; reference:cve,2004-0816; classtype:bad-unknown; ) +alert ( msg:"DECODE_TCP_LARGE_OFFSET"; sid:47; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; ) +alert ( 
msg:"DECODE_TCPOPT_BADLEN"; sid:54; gid:116; rev:1; metadata:rule-type decode; reference:bugtraq,14811; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_TCPOPT_TRUNCATED"; sid:55; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_TCPOPT_TTCP"; sid:56; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_TCPOPT_OBSOLETE"; sid:57; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_TCPOPT_EXPERIMENT"; sid:58; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_TCPOPT_WSCALE_INVALID"; sid:59; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_UDP_DGRAM_LT_UDPHDR"; sid:95; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_UDP_DGRAM_INVALID_LENGTH"; sid:96; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_UDP_DGRAM_SHORT_PACKET"; sid:97; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_UDP_DGRAM_LONG_PACKET"; sid:98; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_ICMP_DGRAM_LT_ICMPHDR"; sid:105; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR"; sid:106; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_ICMP_DGRAM_LT_ADDRHDR"; sid:107; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_IPV4_DGRAM_UNKNOWN"; sid:108; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_ARP_TRUNCATED"; sid:109; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; ) +alert ( 
msg:"DECODE_EAPOL_TRUNCATED"; sid:110; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; ) +alert ( msg:"DECODE_EAPKEY_TRUNCATED"; sid:111; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; ) +alert ( msg:"DECODE_EAP_TRUNCATED"; sid:112; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; ) +alert ( msg:"DECODE_BAD_PPPOE"; sid:120; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; ) +alert ( msg:"DECODE_BAD_VLAN"; sid:130; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; ) +alert ( msg:"DECODE_BAD_VLAN_ETHLLC"; sid:131; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; ) +alert ( msg:"DECODE_BAD_VLAN_OTHER"; sid:132; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; ) +alert ( msg:"DECODE_BAD_80211_ETHLLC"; sid:133; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; ) +alert ( msg:"DECODE_BAD_80211_OTHER"; sid:134; gid:116; rev:1; metadata:rule-type decode;classtype:bad-unknown; ) +alert ( msg:"DECODE_BAD_TRH"; sid:140; gid:116; rev:1; metadata:rule-type decode;classtype:bad-unknown; ) +alert ( msg:"DECODE_BAD_TR_ETHLLC"; sid:141; gid:116; rev:1; metadata:rule-type decode;classtype:bad-unknown; ) +alert ( msg:"DECODE_BAD_TR_MR_LEN"; sid:142; gid:116; rev:1; metadata:rule-type decode;classtype:bad-unknown; ) +alert ( msg:"DECODE_BAD_TRHMR"; sid:143; gid:116; rev:1; metadata:rule-type decode;classtype:bad-unknown; ) +alert ( msg:"DECODE_BAD_TRAFFIC_LOOPBACK"; sid:150; gid:116; rev:1; metadata:rule-type decode;classtype:bad-unknown; ) +alert ( msg:"DECODE_BAD_TRAFFIC_SAME_SRCDST"; sid:151; gid:116; rev:1; metadata:rule-type decode; reference:cve,1999-0016; reference:cve,2005-0688; reference:bugtraq,2666; reference:url,www.microsoft.com/technet/security/bulletin/ms05-019.mspx; classtype:bad-unknown; ) +alert ( msg:"DECODE_GRE_DGRAM_LT_GREHDR"; sid:160; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( 
msg:"DECODE_GRE_MULTIPLE_ENCAPSULATION"; sid:161; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_GRE_INVALID_VERSION"; sid:162; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_GRE_INVALID_HEADER"; sid:163; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_GRE_V1_INVALID_HEADER"; sid:164; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_GRE_TRANS_DGRAM_LT_TRANSHDR"; sid:165; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_ICMP_ORIG_IP_TRUNCATED"; sid:250; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; ) +alert ( msg:"DECODE_ICMP_ORIG_IP_VER_MISMATCH"; sid:251; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP"; sid:252; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_ICMP_ORIG_PAYLOAD_LT_64"; sid:253; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_ICMP_ORIG_PAYLOAD_GT_576"; sid:254; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET"; sid:255; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_IPV6_MIN_TTL"; sid:270; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_IPV6_IS_NOT"; sid:271; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_IPV6_TRUNCATED_EXT"; sid:272; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; ) +alert ( msg:"DECODE_IPV6_TRUNCATED"; sid:273; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; ) +alert ( 
msg:"DECODE_IPV6_DGRAM_LT_IPHDR"; sid:274; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_IPV6_DGRAM_GT_IPHDR"; sid:275; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_IPV6_DST_ZERO"; sid:276; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_IPV6_SRC_MULTICAST"; sid:277; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_IPV6_DST_RESERVED_MULTICAST"; sid:278; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_IPV6_BAD_OPT_TYPE"; sid:279; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_IPV6_BAD_MULTICAST_SCOPE"; sid:280; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_IPV6_BAD_NEXT_HEADER"; sid:281; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_IPV6_ROUTE_AND_HOPBYHOP"; sid:282; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_IPV6_TWO_ROUTE_HEADERS"; sid:283; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_ICMPV6_TOO_BIG_BAD_MTU"; sid:285; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_ICMPV6_UNREACHABLE_BAD_CODE"; sid:286; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_ICMPV6_SOLICITATION_BAD_CODE"; sid:287; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_ICMPV6_ADVERT_BAD_CODE"; sid:288; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) +alert ( msg:"DECODE_ICMPV6_SOLICITATION_BAD_RESERVED"; sid:289; gid:116; rev:1; metadata:rule-type decode; 
classtype:protocol-command-decode; )
+alert ( msg:"DECODE_ICMPV6_ADVERT_BAD_REACHABLE"; sid:290; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
+alert ( msg:"DECODE_IPV6_TUNNELED_IPV4_TRUNCATED"; sid:291; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-dos; reference:cve,2008-2136; reference:bugtraq,29235; )
+alert ( msg:"DECODE_IPV6_DSTOPTS_WITH_ROUTING"; sid:292; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
+alert ( msg:"DECODE_IP_MULTIPLE_ENCAPSULATION"; sid:293; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
+alert ( msg:"DECODE_ESP_HEADER_TRUNC"; sid:294; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
+alert ( msg:"DECODE_IPV6_BAD_OPT_LEN"; sid:295; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
+alert ( msg:"DECODE_IPV6_UNORDERED_EXTENSIONS"; sid:296; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
+alert ( msg:"DECODE_GTP_MULTIPLE_ENCAPSULATION"; sid:297; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
+alert ( msg:"DECODE_GTP_BAD_LEN_STR"; sid:298; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
+alert ( msg:"DECODE_BAD_MPLS"; sid:170; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
+alert ( msg:"DECODE_BAD_MPLS_LABEL0"; sid:171; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
+alert ( msg:"DECODE_BAD_MPLS_LABEL1"; sid:172; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
+alert ( msg:"DECODE_BAD_MPLS_LABEL2"; sid:173; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
+alert ( msg:"DECODE_BAD_MPLS_LABEL3"; sid:174; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
+alert ( msg:"DECODE_MPLS_RESERVEDLABEL"; sid:175; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
+alert ( msg:"DECODE_MPLS_LABEL_STACK"; sid:176; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
+alert ( msg:"DECODE_TCP_XMAS"; sid: 400; gid: 116; rev: 1; metadata: rule-type decode ; classtype:attempted-recon; reference:bugtraq,7700; reference:cve,2003-0393; )
+alert ( msg:"DECODE_TCP_NMAP_XMAS"; sid: 401; gid: 116; rev: 1; metadata: rule-type decode ; classtype:attempted-recon; reference:bugtraq,7700; reference:cve,2003-0393; )
+alert ( msg:"DECODE_DOS_NAPTHA"; sid: 402; gid: 116; rev: 1; metadata: rule-type decode ; classtype:attempted-dos; reference:bugtraq,2022; reference:cve,2000-1039; reference:nessus,275; reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html; reference:url,www.cert.org/advisories/CA-2000-21.html; reference:url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx; )
+alert ( msg:"DECODE_SYN_TO_MULTICAST"; sid: 403; gid: 116; rev: 1; metadata: rule-type decode ; classtype:bad-unknown; )
+alert ( msg:"DECODE_ZERO_TTL"; sid: 404; gid: 116; rev: 1; metadata: rule-type decode ; classtype:misc-activity; reference:url,support.microsoft.com/kb/q138268; reference:url,tools.ietf.org/html/rfc1122; )
+alert ( msg:"DECODE_BAD_FRAGBITS"; sid: 405; gid: 116; rev: 1; metadata: rule-type decode ; classtype:misc-activity; )
+alert ( msg:"DECODE_UDP_IPV6_ZERO_CHECKSUM"; sid:406; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
+alert ( msg:"DECODE_IP4_LEN_OFFSET"; sid:407; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
+alert ( msg:"DECODE_IP4_SRC_THIS_NET"; sid:408; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
+alert ( msg:"DECODE_IP4_DST_THIS_NET"; sid:409; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
+alert ( msg:"DECODE_IP4_SRC_MULTICAST"; sid:410; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
+alert ( msg:"DECODE_IP4_SRC_RESERVED"; sid:411; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
+alert ( msg:"DECODE_IP4_DST_RESERVED"; sid:412; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
+alert ( msg:"DECODE_IP4_SRC_BROADCAST"; sid:413; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
+alert ( msg:"DECODE_IP4_DST_BROADCAST"; sid:414; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
+alert ( msg:"DECODE_ICMP4_DST_MULTICAST"; sid:415; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
+alert ( msg:"DECODE_ICMP4_DST_BROADCAST"; sid:416; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
+alert ( msg:"DECODE_ICMP4_TYPE_OTHER"; sid:418; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
+alert ( msg:"DECODE_TCP_BAD_URP"; sid:419; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
+alert ( msg:"DECODE_TCP_SYN_FIN"; sid:420; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
+alert ( msg:"DECODE_TCP_SYN_RST"; sid:421; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
+alert ( msg:"DECODE_TCP_MUST_ACK"; sid:422; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
+alert ( msg:"DECODE_TCP_NO_SYN_ACK_RST"; sid:423; gid:116; rev:1; metadata:rule-type decode; reference:arachnids,4; reference:arachnids,27; classtype:misc-activity; )
+alert ( msg:"DECODE_ETH_HDR_TRUNC"; sid:424; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
+alert ( msg:"DECODE_IP4_HDR_TRUNC"; sid:425; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
+alert ( msg:"DECODE_ICMP4_HDR_TRUNC"; sid:426; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
+alert ( msg:"DECODE_ICMP6_HDR_TRUNC"; sid:427; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
+alert ( msg:"DECODE_IP4_MIN_TTL"; sid:428; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
+alert ( msg:"DECODE_IP6_ZERO_HOP_LIMIT"; sid:429; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
+alert ( msg:"DECODE_IP4_DF_OFFSET"; sid:430; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
+alert ( msg:"DECODE_ICMP6_TYPE_OTHER"; sid:431; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
+alert ( msg:"DECODE_ICMP6_DST_MULTICAST"; sid:432; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
+alert ( msg:"DECODE_TCP_SHAFT_SYNFLOOD"; sid:433; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-dos; reference:cve,2000-0138; )
+alert ( msg:"DECODE_ICMP_PING_NMAP"; sid:434; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; )
+alert ( msg:"DECODE_ICMP_ICMPENUM"; sid:435; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; )
+alert ( msg:"DECODE_ICMP_REDIRECT_HOST"; sid:436; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; )
+alert ( msg:"DECODE_ICMP_REDIRECT_NET"; sid:437; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; )
+alert ( msg:"DECODE_ICMP_TRACEROUTE_IPOPTS"; sid:438; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; )
+alert ( msg:"DECODE_ICMP_SOURCE_QUENCH"; sid:439; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; )
+alert ( msg:"DECODE_ICMP_BROADSCAN_SMURF_SCANNER"; sid:440; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; )
+alert ( msg:"DECODE_ICMP_DST_UNREACH_ADMIN_PROHIBITED"; sid:441; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; )
+alert ( msg:"DECODE_ICMP_DST_UNREACH_DST_HOST_PROHIBITED"; sid:442; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; )
+alert ( msg:"DECODE_ICMP_DST_UNREACH_DST_NET_PROHIBITED"; sid:443; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; )
+alert ( msg:"DECODE_IP_OPTION_SET"; sid:444; gid:116; rev:1; metadata:rule-type decode; classtype: bad-unknown; )
+alert ( msg:"DECODE_UDP_LARGE_PACKET"; sid:445; gid:116; rev:1; metadata:rule-type decode; classtype: bad-unknown; )
+alert ( msg:"DECODE_TCP_PORT_ZERO"; sid:446; gid:116; rev:1; metadata:rule-type decode; classtype: misc-activity; )
+alert ( msg:"DECODE_UDP_PORT_ZERO"; sid:447; gid:116; rev:1; metadata:rule-type decode; classtype: misc-activity; )
+alert ( msg:"DECODE_IP_RESERVED_FRAG_BIT"; sid:448; gid:116; rev:1; metadata:rule-type decode; classtype: misc-activity; )
+alert ( msg:"DECODE_IP_UNASSIGNED_PROTO"; sid:449; gid:116; rev:1; metadata:rule-type decode; classtype: non-standard-protocol; )
+alert ( msg:"DECODE_IP_BAD_PROTO"; sid:450; gid:116; rev:1; metadata:rule-type decode; classtype: non-standard-protocol; )
+alert ( msg:"DECODE_ICMP_PATH_MTU_DOS"; sid:451; gid:116; rev:1; metadata:rule-type decode; reference:bugtraq,13124; reference:cve,2004-1060; classtype:attempted-dos;)
+alert ( msg:"DECODE_ICMP_DOS_ATTEMPT"; sid:452; gid:116; rev:1; metadata:rule-type decode; reference:url,www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15.3; reference:cve,2006-0454; reference:bugtraq,16532; classtype:denial-of-service;)
+alert ( msg:"DECODE_IPV6_ISATAP_SPOOF"; sid:453; gid:116; rev:1; metadata:rule-type decode; reference:cve,2010-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS10-029.mspx; classtype:misc-attack; )
+alert ( msg:"DECODE_PGM_NAK_OVERFLOW"; sid:454; gid:116; rev:1; metadata:rule-type decode; reference:url,www.microsoft.com/technet/security/bulletin/ms06-052.mspx; reference:cve,2006-3442; reference:bugtraq,19922; classtype:attempted-admin; )
+alert ( msg:"DECODE_IGMP_OPTIONS_DOS"; sid:455; gid:116; rev:1; metadata:rule-type decode; reference:url,www.microsoft.com/technet/security/bulletin/ms06-007.mspx; reference:cve,2006-0021; reference:bugtraq,16645; classtype:attempted-dos; )
+alert ( msg:"DECODE_IP6_EXCESS_EXT_HDR"; sid:456; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
diff -Nru snort-2.8.5.2/preproc_rules/Makefile.am snort-2.9.2/preproc_rules/Makefile.am
--- snort-2.8.5.2/preproc_rules/Makefile.am 2009-01-28 16:38:37.000000000 +0000
+++ snort-2.9.2/preproc_rules/Makefile.am 2010-01-22 23:59:25.000000000 +0000
@@ -1,3 +1,3 @@
 AUTOMAKE_OPTIONS=foreign no-dependencies
-EXTRA_DIST = preprocessor.rules decoder.rules
+EXTRA_DIST = preprocessor.rules decoder.rules sensitive-data.rules
diff -Nru snort-2.8.5.2/preproc_rules/Makefile.in snort-2.9.2/preproc_rules/Makefile.in
--- snort-2.8.5.2/preproc_rules/Makefile.in 2009-10-19 21:17:58.000000000 +0000
+++ snort-2.9.2/preproc_rules/Makefile.in 2011-12-07 19:23:17.000000000 +0000
@@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -15,8 +16,9 @@ @SET_MAKE@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c @@ -41,6 +43,7 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = depcomp = am__depfiles_maybe = SOURCES = 
@@ -55,31 +58,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ @@ -92,12 +95,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -105,20 +114,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -150,6 +166,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -162,10 +179,11 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies -EXTRA_DIST = preprocessor.rules decoder.rules +EXTRA_DIST = preprocessor.rules decoder.rules sensitive-data.rules all: all-am .SUFFIXES: 
@@ -173,14 +191,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign preproc_rules/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign preproc_rules/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign preproc_rules/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign preproc_rules/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -198,6 +216,7 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): mostlyclean-libtool: -rm -f *.lo @@ -227,13 +246,17 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done 
@@ -261,6 +284,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -279,6 +303,8 @@ html: html-am +html-am: + info: info-am info-am: @@ -287,18 +313,28 @@ install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am @@ -332,6 +368,7 @@ maintainer-clean-generic mostlyclean mostlyclean-generic \ mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT:
diff -Nru snort-2.8.5.2/preproc_rules/preprocessor.rules snort-2.9.2/preproc_rules/preprocessor.rules
--- snort-2.8.5.2/preproc_rules/preprocessor.rules 2009-01-26 15:33:39.000000000 +0000
+++ snort-2.9.2/preproc_rules/preprocessor.rules 2011-11-21 20:15:24.000000000 +0000
@@ -1,66 +1,57 @@
 alert ( msg: "TAG_LOG_PKT"; sid: 1; gid: 2; rev: 1; metadata: rule-type preproc ; classtype:not-suspicious; )
-alert ( msg: "BO_TRAFFIC_DETECT"; sid: 1; gid: 105; rev: 1; metadata: rule-type preproc ; classtype:trojan-activity; reference:cve,1999-0660; )
-alert ( msg: "BO_CLIENT_TRAFFIC_DETECT"; sid: 2; gid: 105; rev: 1; metadata: rule-type preproc ; classtype:trojan-activity; reference:cve,1999-0660; )
-alert ( msg: "BO_SERVER_TRAFFIC_DETECT"; sid: 3; gid: 105; rev: 1; metadata: rule-type preproc ; classtype:trojan-activity; reference:cve,1999-0660;)
-alert ( msg: "BO_SNORT_BUFFER_ATTACK"; sid: 4; gid: 105; rev: 1; metadata: rule-type preproc ; classtype:trojan-activity; reference:cve,2005-3252; )
-alert ( msg: "RPC_FRAG_TRAFFIC"; sid: 1; gid: 106; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
-alert ( msg: "RPC_MULTIPLE_RECORD"; sid: 2; gid: 106; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
-alert ( msg: "RPC_LARGE_FRAGSIZE"; sid: 3; gid: 106; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
-alert ( msg: "RPC_INCOMPLETE_SEGMENT"; sid: 4; gid: 106; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
-alert ( msg: "RPC_ZERO_LENGTH_FRAGMENT"; sid: 5; gid: 106; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
-alert ( msg: "STREAM4_STEALTH_ACTIVITY"; sid: 1; gid: 111; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon;)
-alert ( msg: "STREAM4_EVASIVE_RST"; sid: 2; gid: 111; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
-alert ( msg: "STREAM4_EVASIVE_RETRANS"; sid: 3; gid: 111; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
-alert ( msg: "STREAM4_WINDOW_VIOLATION"; sid: 4; gid: 111; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
-alert ( msg: "STREAM4_DATA_ON_SYN"; sid: 5; gid: 111; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
-alert ( msg: "STREAM4_STEALTH_FULL_XMAS"; sid: 6; gid: 111; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
-alert ( msg: "STREAM4_STEALTH_SAPU"; sid: 7; gid: 111; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
-alert ( msg: "STREAM4_STEALTH_FIN_SCAN"; sid: 8; gid: 111; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
-alert ( msg: "STREAM4_STEALTH_NULL_SCAN"; sid: 9; gid: 111; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
-alert ( msg: "STREAM4_STEALTH_NMAP_XMAS_SCAN"; sid: 10; gid: 111; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
-alert ( msg: "STREAM4_STEALTH_VECNA_SCAN"; sid: 11; gid: 111; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
-alert ( msg: "STREAM4_STEALTH_NMAP_FINGERPRINT"; sid: 12; gid: 111; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
-alert ( msg: "STREAM4_STEALTH_SYN_FIN_SCAN"; sid: 13; gid: 111; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
-alert ( msg: "STREAM4_FORWARD_OVERLAP"; sid: 14; gid: 111; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
-alert ( msg: "STREAM4_TTL_EVASION"; sid: 15; gid: 111; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
-alert ( msg: "STREAM4_EVASIVE_RETRANS_DATA"; sid: 16; gid: 111; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
-alert ( msg: "STREAM4_EVASIVE_RETRANS_DATASPLIT"; sid: 17; gid: 111; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
-alert ( msg: "STREAM4_MULTIPLE_ACKED"; sid: 18; gid: 111; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
-alert ( msg: "STREAM4_EMERGENCY"; sid: 19; gid: 111; rev: 1; metadata: rule-type preproc ; classtype:attempted-dos; )
-alert ( msg: "STREAM4_SUSPEND"; sid: 20; gid: 111; rev: 1; metadata: rule-type preproc ; classtype:attempted-dos; )
-alert ( msg: "STREAM4_ZERO_TIMESTAMP"; sid: 21; gid: 111; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
-alert ( msg: "STREAM4_OVERLAP_LIMIT"; sid: 22; gid: 111; rev: 1; metadata: rule-type preproc ; classtype:attempted-dos; )
-alert ( msg: "STREAM4_TCP_NO_ACK"; sid: 23; gid: 111; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
-alert ( msg: "STREAM4_EVASIVE_FIN"; sid: 24; gid: 111; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
-alert ( msg: "STREAM4_SYN_ON_ESTABLISHED"; sid: 25; gid: 111; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
+alert ( msg: "BO_TRAFFIC_DETECT"; sid: 1; gid: 105; rev: 1; metadata: rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,1999-0660; )
+alert ( msg: "BO_CLIENT_TRAFFIC_DETECT"; sid: 2; gid: 105; rev: 1; metadata: rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,1999-0660; )
+alert ( msg: "BO_SERVER_TRAFFIC_DETECT"; sid: 3; gid: 105; rev: 1; metadata: rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,1999-0660;)
+alert ( msg: "BO_SNORT_BUFFER_ATTACK"; sid: 4; gid: 105; rev: 1; metadata: rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,2005-3252; )
+alert ( msg: "RPC_FRAG_TRAFFIC"; sid: 1; gid: 106; rev: 1; metadata: rule-type preproc, service sunrpc ; classtype:protocol-command-decode; )
+alert ( msg: "RPC_MULTIPLE_RECORD"; sid: 2; gid: 106; rev: 1; metadata: rule-type preproc, service sunrpc ; classtype:protocol-command-decode; )
+alert ( msg: "RPC_LARGE_FRAGSIZE"; sid: 3; gid: 106; rev: 1; metadata: rule-type preproc, service sunrpc, policy security-ips alert ; classtype:bad-unknown; )
+alert ( msg: "RPC_INCOMPLETE_SEGMENT"; sid: 4; gid: 106; rev: 1; metadata: rule-type preproc, service sunrpc, policy security-ips alert ; classtype:bad-unknown; )
+alert ( msg: "RPC_ZERO_LENGTH_FRAGMENT"; sid: 5; gid: 106; rev: 1; metadata: rule-type preproc, service sunrpc, policy security-ips alert ; classtype:bad-unknown; )
 alert ( msg: "ARPSPOOF_UNICAST_ARP_REQUEST"; sid: 1; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
 alert ( msg: "ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC"; sid: 2; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
 alert ( msg: "ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST"; sid: 3; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
 alert ( msg: "ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK"; sid: 4; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
-alert ( msg: "HI_CLIENT_ASCII"; sid: 1; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:not-suspicious; )
-alert ( msg: "HI_CLIENT_DOUBLE_DECODE"; sid: 2; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:not-suspicious; )
-alert ( msg: "HI_CLIENT_U_ENCODE"; sid: 3; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:not-suspicious; )
-alert ( msg: "HI_CLIENT_BARE_BYTE"; sid: 4; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:not-suspicious; )
-alert ( msg: "HI_CLIENT_BASE36"; sid: 5; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
-alert ( msg: "HI_CLIENT_UTF_8"; sid: 6; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:not-suspicious; )
-alert ( msg: "HI_CLIENT_IIS_UNICODE"; sid: 7; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:not-suspicious; )
-alert ( msg: "HI_CLIENT_MULTI_SLASH"; sid: 8; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:not-suspicious; )
-alert ( msg: "HI_CLIENT_IIS_BACKSLASH"; sid: 9; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:not-suspicious; )
-alert ( msg: "HI_CLIENT_SELF_DIR_TRAV"; sid: 10; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
-alert ( msg: "HI_CLIENT_DIR_TRAV"; sid: 11; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
-alert ( msg: "HI_CLIENT_APACHE_WS"; sid: 12; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
-alert ( msg: "HI_CLIENT_IIS_DELIMITER"; sid: 13; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
-alert ( msg: "HI_CLIENT_NON_RFC_CHAR"; sid: 14; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
-alert ( msg: "HI_CLIENT_OVERSIZE_DIR"; sid: 15; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; reference:cve,2007-0774; reference:bugtraq,22791;)
-alert ( msg: "HI_CLIENT_LARGE_CHUNK"; sid: 16; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:attempted-admin; )
-alert ( msg: "HI_CLIENT_PROXY_USE"; sid: 17; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
-alert ( msg: "HI_CLIENT_WEBROOT_DIR"; sid: 18; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
-alert ( msg: "HI_CLIENT_LONG_HEADER"; sid: 19; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
-alert ( msg: "HI_ANOM_SERVER_ALERT"; sid: 1; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
-alert ( msg: "FLOW_SCANNER_FIXED_ALERT"; sid: 1; gid: 121; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
-alert ( msg: "FLOW_SCANNER_SLIDING_ALERT"; sid: 2; gid: 121; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
-alert ( msg: "FLOW_TALKER_FIXED_ALERT"; sid: 3; gid: 121; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
-alert ( msg: "FLOW_TALKER_SLIDING_ALERT"; sid: 4; gid: 121; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
+alert ( msg: "HI_CLIENT_ASCII"; sid: 1; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; reference:cve,2009-1535; reference:url,www.microsoft.com/technet/security/bulletin/ms09-020.mspx; reference:url,docs.idsresearch.org/http_ids_evasions.pdf; )
+alert ( msg: "HI_CLIENT_DOUBLE_DECODE"; sid: 2; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; reference:cve,2009-1122; reference:url,www.microsoft.com/technet/security/bulletin/ms09-020.mspx; )
+alert ( msg: "HI_CLIENT_U_ENCODE"; sid: 3; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; )
+alert ( msg: "HI_CLIENT_BARE_BYTE"; sid: 4; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; )
+alert ( msg: "HI_CLIENT_UTF_8"; sid: 6; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; reference:cve,2008-2938; reference:cve,2009-1535; reference:url,www.microsoft.com/technet/security/bulletin/ms09-020.mspx; )
+alert ( msg: "HI_CLIENT_IIS_UNICODE"; sid: 7; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; reference:cve,2009-1535; )
+alert ( msg: "HI_CLIENT_MULTI_SLASH"; sid: 8; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; )
+alert ( msg: "HI_CLIENT_IIS_BACKSLASH"; sid: 9; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; )
+alert ( msg: "HI_CLIENT_SELF_DIR_TRAV"; sid: 10; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; )
+alert ( msg: "HI_CLIENT_DIR_TRAV"; sid: 11; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; reference:cve,2001-0333; reference:cve,2002-1744; reference:cve,2008-5515; )
+alert ( msg: "HI_CLIENT_APACHE_WS"; sid: 12; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; )
+alert ( msg: "HI_CLIENT_IIS_DELIMITER"; sid: 13; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; )
+alert ( msg: "HI_CLIENT_NON_RFC_CHAR"; sid: 14; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:bad-unknown; )
+alert ( msg: "HI_CLIENT_OVERSIZE_DIR"; sid: 15; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:bad-unknown; reference:cve,2007-0774; reference:bugtraq,22791; reference:cve,2010-3281; reference:bugtraq,43338; )
+alert ( msg: "HI_CLIENT_LARGE_CHUNK"; sid: 16; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:attempted-admin; )
+alert ( msg: "HI_CLIENT_PROXY_USE"; sid: 17; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:protocol-command-decode; )
+alert ( msg: "HI_CLIENT_WEBROOT_DIR"; sid: 18; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; reference:cve,2001-0333; reference:cve,2002-1744; reference:cve,2008-5515; )
+alert ( msg: "HI_CLIENT_LONG_HEADER"; sid: 19; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:bad-unknown; reference:cve,2009-4873; )
+alert ( msg: "HI_CLIENT_MAX_HEADERS"; sid: 20; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_CLIENT_MULTIPLE_CONTLEN"; sid: 21; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_CHUNK_SIZE_MISMATCH"; sid: 22; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_CLIENT_INVALID_TRUEIP"; sid:23; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_CLIENT_MULTIPLE_HOST_HDRS"; sid:24; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_CLIENT_LONG_HOSTNAME"; sid:25; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_CLIENT_EXCEEDS_SPACES"; sid:26; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:attempted-dos;reference:cve,2004-0942; )
+alert ( msg: "HI_CLIENT_CONSECUTIVE_SMALL_CHUNK_SIZES"; sid: 27; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_CLIENT_UNBOUNDED POST"; sid: 28; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_CLIENT_MULTIPLE_TRUEIP_IN_SESSION"; sid: 29; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_CLIENT_BOTH_TRUEIP_XFF_HDRS"; sid: 30; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_ANOM_SERVER_ALERT"; sid: 1; gid: 120; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; )
+alert ( msg: "HI_SERVER_INVALID_STATCODE"; sid: 2; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_SERVER_NO_CONTLEN"; sid: 3; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_SERVER_UTF_NORM_FAIL"; sid: 4; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_SERVER_UTF7"; sid: 5; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_SERVER_DECOMPR_FAILED"; sid: 6; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_SERVER_CONSECUTIVE_SMALL_CHUNK_SIZES"; sid: 7; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_CLISRV_MSG_SIZE_EXCEPTION"; sid: 8; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_SERVER_JS_OBFUSCATION_EXCD"; sid: 9; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_SERVER_JS_EXCESS_WS"; sid: 10; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_SERVER_MIXED_ENCODINGS "; sid: 11; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
 alert ( msg: "PSNG_TCP_PORTSCAN"; sid: 1; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
 alert ( msg: "PSNG_TCP_DECOY_PORTSCAN"; sid: 2; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
 alert ( msg: "PSNG_TCP_PORTSWEEP"; sid: 3; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
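Review bot: Two of the new event names carry stray whitespace inside the msg string: `HI_CLIENT_UNBOUNDED POST` (gid 119, sid 28) has a space where every other name in this file uses an underscore, and `HI_SERVER_MIXED_ENCODINGS ` (gid 120, sid 11) has a trailing space before the closing quote; they should read `msg: "HI_CLIENT_UNBOUNDED_POST";` and `msg: "HI_SERVER_MIXED_ENCODINGS";` so the emitted text follows the file's naming and anything that matches on the exact string is not tripped up. The added gid 119 sids 20–30 and gid 120 sids 2–11 are also the only HI_ entries without `service http` in their metadata, while sids 1–19 and HI_ANOM_SERVER_ALERT gain it in this same hunk, which looks like an oversight unless those events are deliberately not service-bound. The same proofreading pass should catch `FRAG3_TINY_FAGMENT` (gid 123, sid 13) in the hunk that follows.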
@@ -89,7 +80,7 @@
 alert ( msg: "PSNG_ICMP_PORTSWEEP_FILTERED"; sid: 26; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
 alert ( msg: "PSNG_OPEN_PORT"; sid: 27; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
 alert ( msg: "FRAG3_IPOPTIONS"; sid: 1; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
-alert ( msg: "FRAG3_TEARDROP"; sid: 2; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:attempted-dos; )
+alert ( msg: "FRAG3_TEARDROP"; sid: 2; gid: 123; rev: 1; metadata: rule-type preproc ; reference:cve,1999-0015; reference:bugtraq,124; classtype:attempted-dos; )
 alert ( msg: "FRAG3_SHORT_FRAG"; sid: 3; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
 alert ( msg: "FRAG3_ANOMALY_OVERSIZE"; sid: 4; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:attempted-dos; )
 alert ( msg: "FRAG3_ANOMALY_ZERO"; sid: 5; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:attempted-dos; )
@@ -99,28 +90,44 @@
 alert ( msg: "FRAG3_IPV6_BSD_ICMP_FRAG"; sid: 9; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:attempted-admin; reference:cve,2007-1365; )
 alert ( msg: "FRAG3_IPV6_BAD_FRAG_PKT"; sid: 10; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:attempted-admin; reference:cve,2007-1365; )
 alert ( msg: "FRAG3_MIN_TTL"; sid: 11; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
-alert ( msg: "SMTP_COMMAND_OVERFLOW"; sid: 1; gid: 124; rev: 1; metadata: rule-type preproc ; classtype:attempted-admin; reference:cve,2001-0260; )
-alert ( msg: "SMTP_DATA_HDR_OVERFLOW"; sid: 2; gid: 124; rev: 1; metadata: rule-type preproc ; classtype:attempted-admin; reference:cve,2002-1337; )
-alert ( msg: "SMTP_RESPONSE_OVERFLOW"; sid: 3; gid: 124; rev: 1; metadata: rule-type preproc ; classtype:attempted-user; reference:cve,2002-1090; )
-alert ( msg: "SMTP_SPECIFIC_CMD_OVERFLOW"; sid: 4; gid: 124; rev: 1; metadata: rule-type preproc ; classtype:attempted-admin; )
-alert ( msg: "SMTP_UNKNOWN_CMD"; sid: 5; gid: 124; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
-alert ( msg: "SMTP_ILLEGAL_CMD"; sid: 6; gid: 124; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
-alert ( msg: "SMTP_HEADER_NAME_OVERFLOW"; sid: 7; gid: 124; rev: 1; metadata: rule-type preproc ; classtype:attempted-admin; reference:cve,2004-0105; )
-alert ( msg: "FTPP_FTP_TELNET_CMD"; sid: 1; gid: 125; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
-alert ( msg: "FTPP_FTP_INVALID_CMD"; sid: 2; gid: 125; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
-alert ( msg: "FTPP_FTP_PARAMETER_LENGTH_OVERFLOW"; sid: 3; gid: 125; rev: 1; metadata: rule-type preproc ; classtype:attempted-admin; reference:cve,2004-0286; )
-alert ( msg: "FTPP_FTP_MALFORMED_PARAMETER"; sid: 4; gid: 125; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
-alert ( msg: "FTPP_FTP_PARAMETER_STR_FORMAT"; sid: 5; gid: 125; rev: 1; metadata: rule-type preproc ; classtype:attempted-admin; reference:cve,2000-0573; )
-alert ( msg: "FTPP_FTP_RESPONSE_LENGTH_OVERFLOW"; sid: 6; gid: 125; rev: 1; metadata: rule-type preproc ; classtype:attempted-user; reference:cve,2007-3161; )
-alert ( msg: "FTPP_FTP_ENCRYPTED"; sid: 7; gid: 125; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
-alert ( msg: "FTPP_FTP_BOUNCE"; sid: 8; gid: 125; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; reference:cve,1999-0017; )
-alert ( msg: "FTPP_TELNET_AYT_OVERFLOW"; sid: 1; gid: 126; rev: 1; metadata: rule-type preproc ; classtype:attempted-admin; reference:cve,2001-0554; )
-alert ( msg: "FTPP_TELNET_ENCRYPTED"; sid: 2; gid: 126; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode;)
-alert ( msg: "FTPP_TELNET_SUBNEG_BEGIN_NO_END"; sid: 3; gid: 126; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
+alert ( msg: "FRAG3_EXCESSIVE_OVERLAP"; sid: 12; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:attempted-dos; )
+alert ( msg: "FRAG3_TINY_FAGMENT"; sid: 13; gid: 123; rev: 1; metadata: rule-type preproc ; reference:cve,2005-0209; classtype:attempted-dos; )
+alert ( msg: "SMTP_COMMAND_OVERFLOW"; sid: 1; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2001-0260; reference:cve,2005-0560; reference:url,www.microsoft.com/technet/security/bulletin/ms05-021.mspx; )
+alert ( msg: "SMTP_DATA_HDR_OVERFLOW"; sid: 2; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2002-1337; reference:cve,2010-4344; )
+alert ( msg: "SMTP_RESPONSE_OVERFLOW"; sid: 3; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-user; reference:cve,2002-1090; )
+alert ( msg: "SMTP_SPECIFIC_CMD_OVERFLOW"; sid: 4; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2005-0560; reference:url,www.microsoft.com/technet/security/bulletin/ms05-021.mspx; )
+alert ( msg: "SMTP_UNKNOWN_CMD"; sid: 5; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:protocol-command-decode; )
+alert ( msg: "SMTP_ILLEGAL_CMD"; sid: 6; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:protocol-command-decode; )
+alert ( msg: "SMTP_HEADER_NAME_OVERFLOW"; sid: 7; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2004-0105; )
+alert ( msg: "SMTP_XLINK2STATE_OVERFLOW"; sid: 8; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2005-0560; reference:url,www.microsoft.com/technet/security/bulletin/ms05-021.mspx; )
+alert ( msg: "SMTP_DECODE_MEMCAP_EXCEEDED"; sid: 9; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; )
+alert ( msg: "SMTP_B64_DECODING_FAILED"; sid: 10; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; )
+alert ( msg: "SMTP_QP_DECODING_FAILED"; sid: 11; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; )
+alert ( msg: "SMTP_BITENC_DECODING_FAILED"; sid: 12; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; )
+alert ( msg: "SMTP_UU_DECODING_FAILED"; sid: 13; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; )
+alert ( msg: "FTPP_FTP_TELNET_CMD"; sid: 1; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:protocol-command-decode; reference:cve,2010-3867; reference:cve,2010-3972; reference:cve,2010-4221; reference:url,www.microsoft.com/technet/security/bulletin/MS11-004.mspx; )
+alert ( msg: "FTPP_FTP_INVALID_CMD"; sid: 2; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:bad-unknown; reference:cve,2010-4221; )
+alert ( msg: "FTPP_FTP_PARAMETER_LENGTH_OVERFLOW"; sid: 3; gid: 125; rev: 1; metadata: rule-type preproc, service ftp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2004-0286; reference:url,www.kb.cert.org/vuls/id/276653; reference:cve,1999-0368; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,2006-5815; reference:bugtraq,20992; )
+alert ( msg: "FTPP_FTP_MALFORMED_PARAMETER"; sid: 4; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:protocol-command-decode; )
+alert ( msg: "FTPP_FTP_PARAMETER_STR_FORMAT"; sid: 5; gid: 125; rev: 1; metadata: rule-type preproc, service ftp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2000-0573; )
+alert ( msg: "FTPP_FTP_RESPONSE_LENGTH_OVERFLOW"; sid: 6; gid: 125; rev: 1; metadata: rule-type preproc, service ftp, policy security-ips drop ; classtype:attempted-user; reference:cve,2007-3161; reference:cve,2010-1465; reference:url,www.kb.cert.org/vuls/id/276653; )
+alert ( msg: "FTPP_FTP_ENCRYPTED"; sid: 7; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:protocol-command-decode; )
+alert ( msg: "FTPP_FTP_BOUNCE"; sid: 8; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:bad-unknown; reference:cve,1999-0017; reference:url,www.kb.cert.org/vuls/id/276653; )
+alert ( msg: "FTPP_FTP_EVASIVE_TELNET_CMD"; sid: 9; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:bad-unknown; )
+alert ( msg: "FTPP_TELNET_AYT_OVERFLOW"; sid: 1; gid: 126; rev: 1; metadata: rule-type preproc, service telnet, policy security-ips drop ; classtype:attempted-admin; reference:cve,2001-0554; )
+alert ( msg: "FTPP_TELNET_ENCRYPTED"; sid: 2; gid: 126; rev: 1; metadata: rule-type preproc, service telnet ; classtype:protocol-command-decode;)
+alert ( msg: "FTPP_TELNET_SUBNEG_BEGIN_NO_END"; sid: 3; gid: 126; rev: 1; metadata: rule-type preproc, service telnet ; classtype:protocol-command-decode; )
+alert ( msg: "SSH_EVENT_RESPOVERFLOW"; sid: 1; gid: 128; rev: 1; metadata: rule-type preproc, service ssh, policy security-ips drop ; reference:cve,2002-0639; reference:cve,2002-0640; classtype:attempted-admin;)
+alert ( msg: "SSH_EVENT_CRC32"; sid: 2; gid: 128; rev: 1; metadata: rule-type preproc, service ssh, policy security-ips drop ; reference:cve,2002-1024; reference:cve,2002-1547; reference:cve,2006-2971; reference:cve,2007-1051; reference:cve,2007-4654; classtype:attempted-admin;)
+alert ( msg: "SSH_EVENT_SECURECRT"; sid: 3; gid: 128; rev: 1; metadata: rule-type preproc, service ssh, policy security-ips drop ; reference:cve,2001-1466; reference:cve,2002-1059; classtype:attempted-admin;)
+alert ( msg: "SSH_EVENT_PROTOMISMATCH"; sid: 4; gid: 128; rev: 1; metadata: rule-type preproc, service ssh ; classtype:non-standard-protocol;)
+alert ( msg: "SSH_EVENT_WRONGDIR"; sid: 5; gid: 128; rev: 1; metadata: rule-type preproc, service ssh ; classtype:non-standard-protocol;)
+alert ( msg: "SSH_EVENT_PAYLOAD_SIZE"; sid: 6; gid: 128; rev: 1; metadata: rule-type preproc, service ssh ; classtype:bad-unknown;)
+alert ( msg: "SSH_EVENT_VERSION"; sid: 7; gid: 128; rev: 1; metadata: rule-type preproc, service ssh ; classtype:non-standard-protocol;)
 alert ( msg: "STREAM5_SYN_ON_EST"; sid: 1; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
-alert ( msg: "STREAM5_DATA_ON_SYN"; sid: 2; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
+alert ( msg: "STREAM5_DATA_ON_SYN"; sid: 2; gid: 129; rev: 1; metadata: rule-type preproc ; reference: cve,2009-1157; reference: bugtraq, 34429; classtype:protocol-command-decode; )
 alert ( msg: "STREAM5_DATA_ON_CLOSED"; sid: 3; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
-alert ( msg: "STREAM5_BAD_TIMESTAMP"; sid: 4; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
+alert ( msg: "STREAM5_BAD_TIMESTAMP"; sid: 4; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; reference:cve,2009-1925; )
 alert ( msg: "STREAM5_BAD_SEGMENT"; sid: 5; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
 alert ( msg: "STREAM5_WINDOW_TOO_LARGE"; sid: 6; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
 alert ( msg: "STREAM5_EXCESSIVE_TCP_OVERLAPS"; sid: 7; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
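Review bot: The newly added gid 123 sid 13 entry misspells its message as `"FRAG3_TINY_FAGMENT"`; the msg text is what is emitted in alerts and what downstream tooling keys on, so it should be `msg: "FRAG3_TINY_FRAGMENT"` before this revision ships with the typo baked into rev 1. The new STREAM5_DATA_ON_SYN line is also the only entry in this hunk written as `reference: cve,2009-1157; reference: bugtraq, 34429;` with whitespace after the colon and after the comma; whether the rule parser trims those tokens is not visible here, so normalizing to `reference:cve,2009-1157; reference:bugtraq,34429;` matches every other reference in the file and removes the doubt. The file header for this section is outside the visible hunk, so the file name is inferred from the rule-stub format.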
@@ -128,51 +135,119 @@ alert ( msg: "STREAM5_SESSION_HIJACKED_CLIENT"; sid: 9; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:attempted-user; ) alert ( msg: "STREAM5_SESSION_HIJACKED_SERVER"; sid: 10; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:attempted-user; ) alert ( msg: "STREAM5_DATA_WITHOUT_FLAGS"; sid: 11; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; ) -alert ( msg: "DCERPC_MEMORY_OVERFLOW"; sid: 1; gid: 130; rev: 1; metadata: rule-type preproc ; classtype:attempted-dos; ) -alert ( msg: "DNS_EVENT_OBSOLETE_TYPES"; sid: 1; gid: 131; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; ) -alert ( msg: "DNS_EVENT_EXPERIMENTAL_TYPES"; sid: 2; gid: 131; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; ) -alert ( msg: "DNS_EVENT_RDATA_OVERFLOW"; sid: 3; gid: 131; rev: 1; metadata: rule-type preproc ; classtype:attempted-admin; reference:cve,2006-3441; reference:url,www.microsoft.com/technet/security/bulletin/ms06-041.mspx; ) +alert ( msg: "STREAM5_SMALL_SEGMENT"; sid: 12; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "STREAM5_4WAY_HANDSHAKE"; sid: 13; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "STREAM5_NO_TIMESTAMP"; sid: 14; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "STREAM5_BAD_RST"; sid: 15; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "STREAM5_BAD_FIN"; sid: 16; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "STREAM5_BAD_ACK"; sid: 17; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "STREAM5_DATA_AFTER_RST_RCVD"; sid: 18; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "STREAM5_WINDOW_SLAM"; sid: 19; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; 
) +alert ( msg: "DNS_EVENT_OBSOLETE_TYPES"; sid: 1; gid: 131; rev: 1; metadata: rule-type preproc, service dns ; classtype:protocol-command-decode; ) +alert ( msg: "DNS_EVENT_EXPERIMENTAL_TYPES"; sid: 2; gid: 131; rev: 1; metadata: rule-type preproc, service dns ; classtype:protocol-command-decode; ) +alert ( msg: "DNS_EVENT_RDATA_OVERFLOW"; sid: 3; gid: 131; rev: 1; metadata: rule-type preproc, service dns, policy security-ips drop ; classtype:attempted-admin; reference:cve,2006-3441; reference:url,www.microsoft.com/technet/security/bulletin/ms06-041.mspx; ) alert ( msg: "DCE2_EVENT__MEMCAP"; sid: 1; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: attempted-dos; ) -alert ( msg: "DCE2_EVENT__SMB_BAD_NBSS_TYPE"; sid: 2; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__SMB_BAD_TYPE"; sid: 3; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__SMB_BAD_ID"; sid: 4; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__SMB_BAD_WCT"; sid: 5; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__SMB_BAD_BCC"; sid: 6; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__SMB_BAD_FORMAT"; sid: 7; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__SMB_BAD_OFF"; sid: 8; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; 
reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__SMB_TDCNT_ZERO"; sid: 9; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__SMB_NB_LT_SMBHDR"; sid: 10; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__SMB_NB_LT_COM"; sid: 11; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__SMB_NB_LT_BCC"; sid: 12; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__SMB_NB_LT_DSIZE"; sid: 13; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__SMB_TDCNT_LT_DSIZE"; sid: 14; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__SMB_DSENT_GT_TDCNT"; sid: 15; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__SMB_BCC_LT_DSIZE"; sid: 16; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__SMB_INVALID_DSIZE"; sid: 17; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__SMB_EXCESSIVE_TREE_CONNECTS"; sid: 18; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; 
reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__SMB_EXCESSIVE_READS"; sid: 19; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__SMB_EXCESSIVE_CHAINING"; sid: 20; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__SMB_MULT_CHAIN_SS"; sid: 21; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__SMB_MULT_CHAIN_TC"; sid: 22; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__SMB_CHAIN_SS_LOGOFF"; sid: 23; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__SMB_CHAIN_TC_TDIS"; sid: 24; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__SMB_CHAIN_OPEN_CLOSE"; sid: 25; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__SMB_INVALID_SHARE"; sid: 26; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__CO_BAD_MAJ_VERSION"; sid: 27; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__CO_BAD_MIN_VERSION"; sid: 28; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: 
bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__CO_BAD_PDU_TYPE"; sid: 29; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__CO_FLEN_LT_HDR"; sid: 30; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__CO_FLEN_LT_SIZE"; sid: 31; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__CO_ZERO_CTX_ITEMS"; sid: 32; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__CO_ZERO_TSYNS"; sid: 33; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__CO_FRAG_LT_MAX_XMIT_FRAG"; sid: 34; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__CO_FRAG_GT_MAX_XMIT_FRAG"; sid: 35; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__CO_ALTER_CHANGE_BYTE_ORDER"; sid: 36; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__CO_FRAG_DIFF_CALL_ID"; sid: 37; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__CO_FRAG_DIFF_OPNUM"; sid: 38; gid: 133; rev: 1; metadata: rule-type preproc ; 
classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__CO_FRAG_DIFF_CTX_ID"; sid: 39; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__CL_BAD_MAJ_VERSION"; sid: 40; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__CL_BAD_PDU_TYPE"; sid: 41; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__CL_DATA_LT_HDR"; sid: 42; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) -alert ( msg: "DCE2_EVENT__CL_BAD_SEQ_NUM"; sid: 43; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: bad-unknown; reference:url,http://msdn.microsoft.com/en-us/library/cc201989.aspx; ) - +alert ( msg: "DCE2_EVENT__SMB_BAD_NBSS_TYPE"; sid: 2; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__SMB_BAD_TYPE"; sid: 3; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__SMB_BAD_ID"; sid: 4; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__SMB_BAD_WCT"; sid: 5; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__SMB_BAD_BCC"; sid: 6; gid: 133; rev: 1; metadata: rule-type preproc, 
service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__SMB_BAD_FORMAT"; sid: 7; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__SMB_BAD_OFF"; sid: 8; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__SMB_TDCNT_ZERO"; sid: 9; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__SMB_NB_LT_SMBHDR"; sid: 10; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__SMB_NB_LT_COM"; sid: 11; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__SMB_NB_LT_BCC"; sid: 12; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__SMB_NB_LT_DSIZE"; sid: 13; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__SMB_TDCNT_LT_DSIZE"; sid: 14; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__SMB_DSENT_GT_TDCNT"; sid: 15; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__SMB_BCC_LT_DSIZE"; 
sid: 16; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__SMB_INVALID_DSIZE"; sid: 17; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__SMB_EXCESSIVE_TREE_CONNECTS"; sid: 18; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__SMB_EXCESSIVE_READS"; sid: 19; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__SMB_EXCESSIVE_CHAINING"; sid: 20; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__SMB_MULT_CHAIN_SS"; sid: 21; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__SMB_MULT_CHAIN_TC"; sid: 22; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__SMB_CHAIN_SS_LOGOFF"; sid: 23; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__SMB_CHAIN_TC_TDIS"; sid: 24; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__SMB_CHAIN_OPEN_CLOSE"; sid: 25; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; 
reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__SMB_INVALID_SHARE"; sid: 26; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__CO_BAD_MAJ_VERSION"; sid: 27; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__CO_BAD_MIN_VERSION"; sid: 28; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__CO_BAD_PDU_TYPE"; sid: 29; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__CO_FLEN_LT_HDR"; sid: 30; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__CO_FLEN_LT_SIZE"; sid: 31; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__CO_ZERO_CTX_ITEMS"; sid: 32; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__CO_ZERO_TSYNS"; sid: 33; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__CO_FRAG_LT_MAX_XMIT_FRAG"; sid: 34; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) +alert ( msg: "DCE2_EVENT__CO_FRAG_GT_MAX_XMIT_FRAG"; sid: 35; 
gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
+alert ( msg: "DCE2_EVENT__CO_ALTER_CHANGE_BYTE_ORDER"; sid: 36; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
+alert ( msg: "DCE2_EVENT__CO_FRAG_DIFF_CALL_ID"; sid: 37; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
+alert ( msg: "DCE2_EVENT__CO_FRAG_DIFF_OPNUM"; sid: 38; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
+alert ( msg: "DCE2_EVENT__CO_FRAG_DIFF_CTX_ID"; sid: 39; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
+alert ( msg: "DCE2_EVENT__CL_BAD_MAJ_VERSION"; sid: 40; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
+alert ( msg: "DCE2_EVENT__CL_BAD_PDU_TYPE"; sid: 41; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
+alert ( msg: "DCE2_EVENT__CL_DATA_LT_HDR"; sid: 42; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
+alert ( msg: "DCE2_EVENT__CL_BAD_SEQ_NUM"; sid: 43; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
+alert ( msg: "PPM_EVENT_RULE_TREE_DISABLED"; sid: 1; gid: 134; rev: 1; metadata: rule-type preproc ; classtype: not-suspicious; )
+alert ( msg: "PPM_EVENT_RULE_TREE_ENABLED"; sid: 2; gid: 134; rev: 1; metadata: rule-type preproc ; classtype: not-suspicious; )
+alert ( msg: "INTERNAL_EVENT_SYN_RECEIVED"; sid: 1; gid: 135; rev: 1; metadata: rule-type preproc ; classtype:tcp-connection; )
+alert ( msg: "INTERNAL_EVENT_SESSION_ADD"; sid: 2; gid: 135; rev: 1; metadata: rule-type preproc ; classtype:tcp-connection; )
+alert ( msg: "INTERNAL_EVENT_SESSION_DEL"; sid: 3; gid: 135; rev: 1; metadata: rule-type preproc ; classtype:tcp-connection; )
+alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
+alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
+alert ( msg: "SSL_INVALID_CLIENT_HELLO"; sid: 1; gid: 137; rev: 2; metadata: rule-type preproc ; classtype:bad-unknown; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-011; reference:cve,2004-0120; reference:bugtraq,10115; )
+alert ( msg: "SSL_INVALID_SERVER_HELLO"; sid: 2; gid: 137; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
+alert ( msg: "SDF_COMBO_ALERT"; sid: 1; gid: 139; rev: 1; metadata: rule-type preproc ; classtype:sdf; )
+alert ( msg: "SIP_EVENT_MAX_SESSIONS"; sid: 1; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
+alert ( msg: "SIP_EVENT_EMPTY_REQUEST_URI"; sid: 2; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; reference:cve,2007-1306; )
+alert ( msg: "SIP_EVENT_BAD_URI"; sid: 3; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
+alert ( msg: "SIP_EVENT_EMPTY_CALL_ID"; sid: 4; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
+alert ( msg: "SIP_EVENT_BAD_CALL_ID"; sid: 5; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
+alert ( msg: "SIP_EVENT_BAD_CSEQ_NUM"; sid: 6; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
+alert ( msg: "SIP_EVENT_BAD_CSEQ_NAME"; sid: 7; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
+alert ( msg: "SIP_EVENT_EMPTY_FROM"; sid: 8; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
+alert ( msg: "SIP_EVENT_BAD_FROM"; sid: 9; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
+alert ( msg: "SIP_EVENT_EMPTY_TO"; sid: 10; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
+alert ( msg: "SIP_EVENT_BAD_TO"; sid: 11; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
+alert ( msg: "SIP_EVENT_EMPTY_VIA"; sid: 12; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; reference:bugtraq,25446; )
+alert ( msg: "SIP_EVENT_BAD_VIA"; sid: 13; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
+alert ( msg: "SIP_EVENT_EMPTY_CONTACT"; sid: 14; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
+alert ( msg: "SIP_EVENT_BAD_CONTACT"; sid: 15; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
+alert ( msg: "SIP_EVENT_BAD_CONTENT_LEN"; sid: 16; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
+alert ( msg: "SIP_EVENT_MULTI_MSGS"; sid: 17; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
+alert ( msg: "SIP_EVENT_MISMATCH_CONTENT_LEN"; sid: 18; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
+alert ( msg: "SIP_EVENT_INVALID_CSEQ_NAME"; sid: 19; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
+alert ( msg: "SIP_EVENT_AUTH_INVITE_REPLAY_ATTACK"; sid: 20; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
+alert ( msg: "SIP_EVENT_AUTH_INVITE_DIFF_SESSION"; sid: 21; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
+alert ( msg: "SIP_EVENT_BAD_STATUS_CODE"; sid: 22; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
+alert ( msg: "SIP_EVENT_EMPTY_CONTENT_TYPE"; sid: 23; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; reference:bugtraq,25300; )
+alert ( msg: "SIP_EVENT_INVALID_VERSION"; sid: 24; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
+alert ( msg: "SIP_EVENT_MISMATCH_METHOD"; sid: 25; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
+alert ( msg: "SIP_EVENT_UNKOWN_METHOD"; sid: 26; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
+alert ( msg: "IMAP_UNKNOWN_CMD"; sid: 1; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:protocol-command-decode; )
+alert ( msg: "IMAP_UNKNOWN_RESP"; sid: 2; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:protocol-command-decode; )
+alert ( msg: "IMAP_MEMCAP_EXCEEDED"; sid: 3; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )
+alert ( msg: "IMAP_B64_DECODING_FAILED"; sid: 4; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )
+alert ( msg: "IMAP_QP_DECODING_FAILED"; sid: 5; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )
+alert ( msg: "IMAP_BITENC_DECODING_FAILED"; sid: 6; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )
+alert ( msg: "IMAP_UU_DECODING_FAILED"; sid: 7; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )
+alert ( msg: "POP_UNKNOWN_CMD"; sid: 1; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:protocol-command-decode; )
+alert ( msg: "POP_UNKNOWN_RESP"; sid: 2; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:protocol-command-decode; )
+alert ( msg: "POP_MEMCAP_EXCEEDED"; sid: 3; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )
+alert ( msg: "POP_B64_DECODING_FAILED"; sid: 4; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )
+alert ( msg: "POP_QP_DECODING_FAILED"; sid: 5; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )
+alert ( msg: "POP_BITENC_DECODING_FAILED"; sid: 6; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )
+alert ( msg: "POP_UU_DECODING_FAILED"; sid: 7; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )
+alert ( msg: "GTP_EVENT_BAD_MSG_LEN"; sid: 1; gid: 143; rev: 1; metadata: rule-type preproc; classtype:bad-unknown; )
+alert ( msg: "GTP_EVENT_BAD_IE_LEN"; sid: 2; gid: 143; rev: 1; metadata: rule-type preproc; classtype:bad-unknown; )
+alert ( msg: "GTP_EVENT_OUT_OF_ORDER_IE"; sid: 3; gid: 143; rev: 1; metadata: rule-type preproc; classtype:bad-unknown; )
+alert ( msg: "MODBUS_BAD_LENGTH"; sid:1; gid: 144; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
+alert ( msg: "MODBUS_BAD_PROTO_ID"; sid:2; gid: 144; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
+alert ( msg: "MODBUS_RESERVED_FUNCTION"; sid:3; gid: 144; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
+alert ( msg: "DNP3_BAD_CRC"; sid:1; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
+alert ( msg: "DNP3_DROPPED_FRAME"; sid:2; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
+alert ( msg: "DNP3_DROPPED_SEGMENT"; sid:3; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
+alert ( msg: "DNP3_REASSEMBLY_BUFFER_CLEARED"; sid:4; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
+alert ( msg: "DNP3_RESERVED_ADDRESS"; sid:5; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
+alert ( msg: "DNP3_RESERVED_FUNCTION"; sid:6; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
diff -Nru snort-2.8.5.2/preproc_rules/sensitive-data.rules snort-2.9.2/preproc_rules/sensitive-data.rules
--- snort-2.8.5.2/preproc_rules/sensitive-data.rules 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/preproc_rules/sensitive-data.rules 2010-08-25 20:10:47.000000000 +0000
@@ -0,0 +1,5 @@
+alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Credit Card Numbers"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,us_social; classtype:sdf; sid:3; gid:138; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,us_social_nodashes; classtype:sdf; sid:4; gid:138; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Email Addresses"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,email; classtype:sdf; sid:5; gid:138; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Phone Numbers"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,(\d{3}) ?\d{3}-\d{4}; classtype:sdf; sid:6; gid:138; rev:1;)
diff -Nru snort-2.8.5.2/RELEASE.NOTES snort-2.9.2/RELEASE.NOTES
--- snort-2.8.5.2/RELEASE.NOTES 2009-12-15 23:27:50.000000000 +0000
+++ snort-2.9.2/RELEASE.NOTES 2011-12-07 17:58:22.000000000 +0000
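Review bot: Every rule here logs the packet that matched, so the alert record itself carries the card number, SSN, address or phone number that was detected leaving $HOME_NET, yet nothing in the file says whether the sensitive_data preprocessor's mask_output option is expected to be enabled alongside it, and the commented-out sid:4 ships with no explanation of why it is disabled. Suggest a header comment before the first rule such as `# gid 138 alerts include the matched data in the logged payload; enable mask_output in the sensitive_data preprocessor config unless the alert store is itself handled as PII.` and, on the disabled rule, `# sid:4 (SSNs without dashes) is off by default: a bare 9-digit match is presumably too broad for general traffic; enable only after tuning.` The numbering also starts at sid:2 with no sid:1 in this file; if that id is reserved for the preprocessor's own event, a one-line comment saying so would stop it reading as an accidental gap.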
@@ -1,14 +1,51 @@
-2009-12-15 - Snort 2.8.5.2
+2011-12-14 - Snort 2.9.2
+[*] New Additions
+ * SCADA (DNP3 and Modbus) preprocessors. Added two new preprocessors
+ to support writing rules for detecting attacks for control systems.
+ New rule keywords are supported, and DNP3 leverages Stream5 PAF
+ support for TCP reassembly. See the Snort Manual, README.dnp3 and
+ README.modbus for details of the configurations and new rule
+ options.
+
+ * GTP decoding and preprocessor. Updated the Snort packet decoders
+ and added a preprocessor to support detecting attacks over GTP (GPRS
+ Tunneling Protocol). Snort's GTP support handles multiple versions
+ of GTP and has a rich configuration set. See the Snort Manual and
+ README.GTP for details.
+
+ * Updates to the HTTP preprocessor to normalize HTTP responses that
+ include javascript escaped data in the HTTP response body. This
+ expands Snort's coverage in detecting HTTP client-side attacks.
+ See the Snort Manual and README.http_inspect for configuration
+ details.
+
+ * Added Protocol-Aware Flushing (PAF) support for FTP.
 [*] Improvements
- * Improvements to HTTP Inspect for handling of pipelined requests
- and chunked encodings.
+ * Updates to Stream preprocessor to be able to track and store
+ "stream" data for non TCP/UDP flows. Also improvements to handle
+ when memory associated with a blocked stream is released and usable
+ for other connections.
+
+ * Updates to dce_stub_data to make it act the same as file_data
+ and pkt_data rule option keywords in how it interacts with
+ subsequent content/pcre/etc rule options.
+
+ * Updates to how Snort handles and processes signals received
+ from the OS.
- * Updated the documentation for output plugins and log limits.
+ * Enabled logging of normalized JavaScript to unified2 without the
+ use of the --enable-sourcefire configuration option.
- * Fixed building on AIX 6.
+ * Improved handling of gaps and overlaps for "first" and "vista"
+ policies in Stream5.
- * Fixed reloading of auto-iface variables when privileges had been dropped.
+ * Added support for signal handler customization. At compile-time,
+ Snort can be customized to use different signal numbers.
+ This allows problems with overlapping signals to be fixed on a
+ per-platform basis, which is especially helpful for the BSDs.
+ See the Snort Manual for more details.
- * Fixed issues at startup and perfstats rotation with old versions of
- libc (2.2, 2.3) & linux threads.
+ * Perfmonitor's output files ("now" files) are now created after
+ Snort drops privileges. Output files will now be owned by the
+ user and group specified with "-u" and "-g" at the command line.
diff -Nru snort-2.8.5.2/rpm/Makefile.in snort-2.9.2/rpm/Makefile.in
--- snort-2.8.5.2/rpm/Makefile.in 2009-10-19 21:17:58.000000000 +0000
+++ snort-2.9.2/rpm/Makefile.in 2011-12-07 19:23:17.000000000 +0000
@@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -15,8 +16,9 @@ @SET_MAKE@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c
@@ -41,6 +43,7 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = depcomp = am__depfiles_maybe = SOURCES = @@ -55,31 +58,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ @@ -92,12 +95,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -105,20 +114,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -150,6 +166,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -162,6 +179,7 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies 
@@ -182,14 +200,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign rpm/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign rpm/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign rpm/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign rpm/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -207,6 +225,7 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): mostlyclean-libtool: -rm -f *.lo @@ -236,13 +255,17 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done 
@@ -270,6 +293,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -288,6 +312,8 @@ html: html-am +html-am: + info: info-am info-am: @@ -296,18 +322,28 @@ install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am @@ -341,6 +377,7 @@ maintainer-clean-generic mostlyclean mostlyclean-generic \ mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT:
diff -Nru snort-2.8.5.2/rpm/snort.spec snort-2.9.2/rpm/snort.spec
--- snort-2.8.5.2/rpm/snort.spec 2009-10-19 21:18:58.000000000 +0000
+++ snort-2.9.2/rpm/snort.spec 2011-12-07 19:24:50.000000000 +0000
@@ -91,14 +91,14 @@
 Name: %{realname}%{inlinetext}
 %{?_with_inline:%define Name: %{realname}-inline }
-Version: 2.8.5.2
+Version: 2.9.2
 Epoch: 1
 Release: %{release}
 Summary: An open source Network Intrusion Detection System (NIDS)
 Group: Applications/Internet
 License: GPL
 Url: http://www.snort.org/
-Source0: http://www.snort.org/dl/2.8.5.2/%{realname}-%{version}.tar.gz
+Source0: http://www.snort.org/snort-downloads/2.9.1/%{realname}-%{version}.tar.gz
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Packager: Official Snort.org %{for_distro}
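Review bot: Source0 is changed to `http://www.snort.org/snort-downloads/2.9.1/%{realname}-%{version}.tar.gz` while Version becomes 2.9.2, so the directory component names a different release than the tarball the macro expands to; the removed line kept both at the same version. If the download tree is laid out per release, `Source0: http://www.snort.org/snort-downloads/%{version}/%{realname}-%{version}.tar.gz` removes the drift, otherwise a comment should say why the 2.9.1 directory is the intended location. Inherited rather than introduced here, but visible in the same hunk: the source is fetched over plain http and the spec records no digest for it, so anyone rebuilding from the spec has nothing to verify the tarball against.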
@@ -346,27 +346,20 @@
 %__mkdir_p -m 0755 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor
 %__install -p -m 0755 plain/src/dynamic-plugins/sf_engine/.libs/libsf_engine.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicengine
 %__ln_s -f %{_libdir}/%{realname}-%{version}_dynamicengine/libsf_engine.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicengine/libsf_engine.so
- %__install -p -m 0755 plain/src/dynamic-preprocessors/build/%{_prefix}/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor
- %__ln_s -f %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_smtp_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_smtp_preproc.so
- %__install -p -m 0755 plain/src/dynamic-preprocessors/build/%{_prefix}/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor
- %__ln_s -f %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_ftptelnet_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_ftptelnet_preproc.so
- %__install -p -m 0755 plain/src/dynamic-preprocessors/build/%{_prefix}/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor
- %__ln_s -f %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_dns_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_dns_preproc.so
- %__install -p -m 0755 plain/src/dynamic-preprocessors/build/%{_prefix}/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor
- %__ln_s -f %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_ssh_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_ssh_preproc.so
- %__install -p -m 0755 plain/src/dynamic-preprocessors/build/%{_prefix}/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor
- %__ln_s -f %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_ssl_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_ssl_preproc.so
- %__install -p -m 0755 plain/src/dynamic-preprocessors/build/%{_prefix}/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor
- %__ln_s -f %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_dcerpc_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_dcerpc_preproc.so
- %__install -p -m 0755 plain/src/dynamic-preprocessors/build/%{_prefix}/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor
- %__ln_s -f %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_dce2_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_dce2_preproc.so
+ %__install -p -m 0755 plain/src/dynamic-preprocessors/build/%{_prefix}/lib/snort_dynamicpreprocessor/*.so* $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor
+
+ for file in $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor/*.so; do
+ preprocessor=`basename $file`
+ %__ln_s -f %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/$preprocessor.0 $file
+ done
+
 %__install -p -m 0644 snort.8 $RPM_BUILD_ROOT%{_mandir}/man8
 %__gzip $RPM_BUILD_ROOT%{_mandir}/man8/snort.8
 %__install -p -m 0755 rpm/snortd $RPM_BUILD_ROOT%{_initrddir}
 %__install -p -m 0644 rpm/snort.sysconfig $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/%{realname}
 %__install -p -m 0644 rpm/snort.logrotate $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d/snort
 %__install -p -m 0644 etc/reference.config etc/classification.config \
- etc/unicode.map etc/gen-msg.map etc/sid-msg.map \
+ etc/unicode.map etc/gen-msg.map \
 etc/threshold.conf etc/snort.conf \
 $RPM_BUILD_ROOT/%{_sysconfdir}/snort
 find doc -maxdepth 1 -type f -not -name 'Makefile*' -exec %__install -p -m 0644 {} $RPM_BUILD_ROOT%{_docdir}/%{realname}-%{version} \;
@@ -529,13 +522,8 @@
 %attr(0755,root,root) %dir %{_libdir}/%{realname}-%{version}_dynamicengine
 %attr(0755,root,root) %{_libdir}/%{realname}-%{version}_dynamicengine/libsf_engine.*
 %attr(0755,root,root) %dir %{_libdir}/%{realname}-%{version}_dynamicpreprocessor
-%attr(0755,root,root) %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_smtp_preproc.*
-%attr(0755,root,root) %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_ftptelnet_preproc.*
-%attr(0755,root,root) %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_dns_preproc.*
-%attr(0755,root,root) %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_ssh_preproc.*
-%attr(0755,root,root) %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_ssl_preproc.*
-%attr(0755,root,root) %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_dcerpc_preproc.*
-%attr(0755,root,root) %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_dce2_preproc.*
+%attr(0755,root,root) %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_*_preproc.*
+
 %dir %{_docdir}/%{realname}-%{version}
 %docdir %{_docdir}/%{realname}-%{version}
diff -Nru snort-2.8.5.2/rules/attack-responses.rules snort-2.9.2/rules/attack-responses.rules
--- snort-2.8.5.2/rules/attack-responses.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/attack-responses.rules 1970-01-01 00:00:00.000000000 +0000
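Review bot: The `%__install ... *.so*` line copies every name the glob matches as a separate regular file, and the loop that follows only turns `*.so` back into a symlink to `$preprocessor.0`; if the libtool build tree also holds a `.so.0.0.0` next to the `.so.0` the removed lines referenced, both now land in the package as independent full copies instead of the one-file-plus-symlink layout the explicit list produced. `$file` is unquoted, and when the glob matches nothing the literal pattern is handed to `basename` and `ln -s`. Restricting the glob to `*.so.0` and deriving the link name from it keeps the old layout for any number of preprocessors. The `%files` hunk at @@ -529 has a related effect: `libsf_*_preproc.*` packages whatever happened to build, so a preprocessor that silently failed to build (the new dnp3/modbus ones, for instance) no longer fails the build the way the explicit list did; a comment, or a check that the expected set is present, is worth adding there.
```rpm-spec
# … unchanged: mkdir_p of _dynamicpreprocessor and the libsf_engine install/link …
    %__install -p -m 0755 plain/src/dynamic-preprocessors/build/%{_prefix}/lib/snort_dynamicpreprocessor/*.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor

    for file in $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor/*.so.0; do
        preprocessor=`basename "$file" .0`
        %__ln_s -f %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/$preprocessor.0 "$RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor/$preprocessor"
    done
# … unchanged: man page, init script, sysconfig, logrotate and etc/ installs …
```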
@@ -1,44 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: attack-responses.rules,v 1.32.2.3.2.2 2005/07/22 19:19:54 mwatchinski Exp $
-# ----------------
-# ATTACK RESPONSES
-# ----------------
-# These signatures are those when they happen, its usually because a machine
-# has been compromised. These should not false that often and almost always
-# mean a compromise.
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES directory listing"; flow:established; content:"Volume Serial Number"; classtype:bad-unknown; sid:1292; rev:9;)
-alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES command completed"; flow:established; content:"Command completed"; nocase; reference:bugtraq,1806; classtype:bad-unknown; sid:494; rev:10;)
-alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES command error"; flow:established; content:"Bad command or filename"; nocase; classtype:bad-unknown; sid:495; rev:8;)
-alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES file copied ok"; flow:established; content:"1 file|28|s|29| copied"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:bad-unknown; sid:497; rev:12;)
-alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Invalid URL"; flow:from_server,established; content:"Invalid URL"; nocase; reference:url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx; classtype:attempted-recon; sid:1200; rev:10;)
-alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES index of /cgi-bin/ response"; flow:from_server,established; content:"Index of /cgi-bin/"; nocase; reference:nessus,10039; classtype:bad-unknown; sid:1666; rev:5;)
-alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES 403 Forbidden"; flow:from_server,established; content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:1201; rev:7;)
-
-alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:498; rev:6;)
-alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; content:" gid="; within:15; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882; rev:10;)
-
-alert tcp $HOME_NET 8002 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES oracle one hour install"; flow:from_server,established; content:"Oracle Applications One-Hour Install"; reference:nessus,10737; classtype:bad-unknown; sid:1464; rev:5;)
-alert tcp $HOME_NET 749 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful kadmind buffer overflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1900; rev:10;)
-alert tcp $HOME_NET 751 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful kadmind buffer overflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1901; rev:10;)
-alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE"; flow:from_server,established; content:"*GOBBLE*"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:successful-admin; sid:1810; rev:12;)
-alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful gobbles ssh exploit uname"; flow:from_server,established; content:"uname"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:misc-attack; sid:1811; rev:8;)
-alert tcp $HOME_NET 512 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES rexec username too long response"; flow:from_server,established; content:"username too long"; depth:17; reference:bugtraq,7459; classtype:unsuccessful-user; sid:2104; rev:5;)
-alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows"; content:"|28|C|29| Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; reference:nessus,11633; classtype:successful-admin; sid:2123; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful cross site scripting forced download attempt"; flow:to_server,established; content:"|0A|Referer|3A| res|3A|/C|3A|"; classtype:successful-user; sid:2412; rev:3;)
diff -Nru snort-2.8.5.2/rules/backdoor.rules snort-2.9.2/rules/backdoor.rules
--- snort-2.8.5.2/rules/backdoor.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/backdoor.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,119 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: backdoor.rules,v 1.44.2.6.2.3 2005/05/31 17:13:02 mwatchinski Exp $
-#---------------
-# BACKDOOR RULES
-#---------------
-#
-
-alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flow:to_server,established; content:"|0D 0A|[RPL]002|0D 0A|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; classtype:misc-activity; sid:103; rev:7;)
-alert tcp $HOME_NET 16959 -> $EXTERNAL_NET any (msg:"BACKDOOR subseven DEFCON8 2.1 access"; flow:from_server,established; content:"PWD"; classtype:trojan-activity; sid:107; rev:6;)
-
-
-alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flow:from_server,established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:109; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; classtype:misc-activity; sid:110; rev:4;)
-
-alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any
(msg:"BACKDOOR NetBus Pro 2.0 connection established"; flow:from_server,established; flowbits:isset,backdoor.netbus_2.connect; content:"BN|10 00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; classtype:misc-activity; sid:115; rev:9;)
-
-# 3150, 4120
-alert udp $EXTERNAL_NET any -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1980; rev:4;)
-alert udp $HOME_NET 2140 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:195; rev:7;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt [3150]"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1981; rev:3;)
-alert udp $HOME_NET 3150 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response [3150]"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1982; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 4120 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt [4120]"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1983; rev:3;)
-alert udp $HOME_NET 4120 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response [4120]"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1984; rev:3;)
-
-
-alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (msg:"BACKDOOR Doly 2.0 access"; flow:established,from_server; content:"Wtzup Use"; depth:32; reference:arachnids,312; classtype:misc-activity; sid:119; rev:5;)
-alert tcp $HOME_NET 1015 -> $EXTERNAL_NET any (msg:"BACKDOOR Doly 1.5 server response"; flow:from_server,established;
content:"Connected."; classtype:trojan-activity; sid:1985; rev:2;)
-
-
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 2589 (msg:"BACKDOOR - Dagger_1.4.0_client_connect"; flow:to_server,established; content:"|0B 00 00 00 07 00 00 00|Connect"; depth:16; reference:arachnids,483; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; classtype:misc-activity; sid:104; rev:7;)
-alert tcp $HOME_NET 2589 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR - Dagger_1.4.0"; flow:from_server,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|"; depth:16; reference:arachnids,484; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; classtype:misc-activity; sid:105; rev:7;)
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET 1054 (msg:"BACKDOOR ACKcmdC trojan scan"; flow:stateless; ack:101058054; flags:A,12; seq:101058054; reference:arachnids,445; classtype:misc-activity; sid:106; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 (msg:"BACKDOOR QAZ Worm Client Login access"; flow:to_server,established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:108; rev:6;)
-
-
-alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR Infector.1.x"; flow:established,from_server; content:"WHATISIT"; reference:arachnids,315; classtype:misc-activity; sid:117; rev:6;)
-alert tcp $HOME_NET 666 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR SatansBackdoor.2.0.Beta"; flow:established,from_server; content:"Remote|3A| You are connected to me."; reference:arachnids,316; classtype:misc-activity; sid:118; rev:5;)
-alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1000:1300 (msg:"BACKDOOR Infector 1.6 Server to Client"; flow:established,from_server; content:"WHATISIT"; reference:cve,1999-0660; reference:nessus,11157; classtype:misc-activity; sid:120; rev:8;)
-alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 (msg:"BACKDOOR Infector 1.6 Client to Server Connection Request"; flow:to_server,established; content:"FC "; reference:cve,1999-0660; reference:nessus,11157; classtype:misc-activity;
sid:121; rev:8;)
-
-alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"BACKDOOR HackAttack 1.20 Connect"; flow:established,from_server; content:"host"; classtype:misc-activity; sid:141; rev:5;)
-
-alert tcp $EXTERNAL_NET !80 -> $HOME_NET 21554 (msg:"BACKDOOR GirlFriendaccess"; flow:to_server,established; content:"Girl"; reference:arachnids,98; classtype:misc-activity; sid:145; rev:5;)
-alert tcp $HOME_NET 30100 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere access"; flow:established,from_server; content:"NetSphere"; reference:arachnids,76; classtype:misc-activity; sid:146; rev:5;)
-alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"BACKDOOR GateCrasher"; flow:established,from_server; content:"GateCrasher"; reference:arachnids,99; classtype:misc-activity; sid:147; rev:5;)
-alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Connection"; flow:established,from_server; content:"c|3A 5C|"; classtype:misc-activity; sid:152; rev:6;)
-alert tcp $HOME_NET 23476 -> $EXTERNAL_NET any (msg:"BACKDOOR DonaldDick 1.53 Traffic"; flow:from_server,established; content:"pINg"; reference:mcafee,98575; classtype:misc-activity; sid:153; rev:6;)
-alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere 1.31.337 access"; flow:from_server,established; content:"NetSphere"; reference:arachnids,76; classtype:misc-activity; sid:155; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flow:to_server,established; content:"FTPON"; classtype:misc-activity; sid:157; rev:5;)
-alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Server FTP Open Reply"; flow:from_server,established; content:"FTP Port open"; classtype:misc-activity; sid:158; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5032 (msg:"BACKDOOR NetMetro File List"; flow:to_server,established; content:"--"; reference:arachnids,79; classtype:misc-activity; sid:159; rev:6;)
-# alert tcp
$EXTERNAL_NET 5031 -> $HOME_NET !53:80 (msg:"BACKDOOR NetMetro Incoming Traffic"; flow:stateless; flags:A+; reference:arachnids,79; classtype:misc-activity; sid:160; rev:6;)
-alert udp $EXTERNAL_NET 3344 -> $HOME_NET 3345 (msg:"BACKDOOR Matrix 2.0 Client connect"; content:"activate"; reference:arachnids,83; classtype:misc-activity; sid:161; rev:4;)
-alert udp $EXTERNAL_NET 3345 -> $HOME_NET 3344 (msg:"BACKDOOR Matrix 2.0 Server access"; content:"logged in"; reference:arachnids,83; classtype:misc-activity; sid:162; rev:4;)
-alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any (msg:"BACKDOOR WinCrash 1.0 Server Active"; flow:stateless; flags:SA,12; content:"|B4 B4|"; reference:arachnids,36; classtype:misc-activity; sid:163; rev:9;)
-alert icmp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR SIGNATURE - Q ICMP"; dsize:>1; itype:0; reference:arachnids,202; classtype:misc-activity; sid:183; rev:4;)
-alert tcp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR Q access"; flow:stateless; dsize:>1; flags:A+; reference:arachnids,203; classtype:misc-activity; sid:184; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"BACKDOOR CDK"; flow:to_server,established; content:"ypi0ca"; depth:15; nocase; reference:arachnids,263; classtype:misc-activity; sid:185; rev:5;)
-
-
-alert tcp $HOME_NET 555 -> $EXTERNAL_NET any (msg:"BACKDOOR PhaseZero Server Active on Network"; flow:established,from_server; content:"phAse"; classtype:misc-activity; sid:208; rev:5;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR w00w00 attempt"; flow:to_server,established; content:"w00w00"; reference:arachnids,510; classtype:attempted-admin; sid:209; rev:4;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR attempt"; flow:to_server,established; content:"backdoor"; nocase; classtype:attempted-admin; sid:210; rev:3;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC r00t attempt"; flow:to_server,established; content:"r00t";
classtype:attempted-admin; sid:211; rev:3;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC rewt attempt"; flow:to_server,established; content:"rewt"; classtype:attempted-admin; sid:212; rev:3;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"wh00t!"; classtype:attempted-admin; sid:213; rev:4;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt lrkr0x"; flow:to_server,established; content:"lrkr0x"; classtype:attempted-admin; sid:214; rev:4;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"d13hh["; nocase; classtype:attempted-admin; sid:215; rev:4;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit satori attempt"; flow:to_server,established; content:"satori"; reference:arachnids,516; classtype:attempted-admin; sid:216; rev:6;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC sm4ck attempt"; flow:to_server,established; content:"hax0r"; classtype:attempted-admin; sid:217; rev:3;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Solaris 2.5 attempt"; flow:to_server,established; content:"friday"; classtype:attempted-user; sid:218; rev:4;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR HidePak backdoor attempt"; flow:to_server,established; content:"StoogR"; classtype:misc-activity; sid:219; rev:6;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR HideSource backdoor attempt"; flow:to_server,established; content:"wank"; classtype:misc-activity; sid:220; rev:6;)
-alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"BACKDOOR hack-a-tack attempt"; flow:stateless; flags:A+; content:"A"; depth:1; reference:arachnids,314; classtype:attempted-recon; sid:614; rev:8;)
-alert ip any any -> 216.80.99.202 any (msg:"BACKDOOR fragroute
trojan connection attempt"; reference:bugtraq,4898; classtype:trojan-activity; sid:1791; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 35555 (msg:"BACKDOOR win-trin00 connection attempt"; content:"png []..Ks l44"; depth:14; reference:cve,2000-0138; reference:nessus,10307; classtype:attempted-admin; sid:1853; rev:6;)
-
-
-# NOTES: this string should be within the first 3 bytes of the connection
-alert tcp $EXTERNAL_NET any -> $HOME_NET 33270 (msg:"BACKDOOR trinity connection attempt"; flow:to_server,established; content:"!@|23|"; depth:3; reference:cve,2000-0138; reference:nessus,10501; classtype:attempted-admin; sid:1843; rev:6;)
-alert tcp any any -> 212.146.0.34 1963 (msg:"BACKDOOR TCPDUMP/PCAP trojan traffic"; flow:stateless; reference:url,hlug.fscker.com; classtype:trojan-activity; sid:1929; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR SubSeven 2.1 Gold server connection response"; flow:from_server,established; content:"connected. time/date|3A| "; depth:22; content:"version|3A| GOLD 2.1"; distance:1; reference:mcafee,10566; reference:nessus,10409; classtype:misc-activity; sid:2100; rev:6;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 34012 (msg:"BACKDOOR Remote PC Access connection attempt"; flow:to_server,established; content:"|28 00 01 00 04 00 00 00 00 00 00 00|"; depth:12; reference:nessus,11673; classtype:trojan-activity; sid:2124; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR typot trojan traffic"; flow:stateless; flags:S,12; window:55808; reference:mcafee,100406; classtype:trojan-activity; sid:2182; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR FsSniffer connection attempt"; flow:to_server,established; content:"RemoteNC Control Password|3A|"; reference:nessus,11854; classtype:trojan-activity; sid:2271; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3199 (msg:"BACKDOOR DoomJuice file upload attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5;
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html; classtype:trojan-activity; sid:2375; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BACKDOOR sensepost.exe command shell attempt"; flow:to_server,established; uricontent:"/sensepost.exe"; nocase; reference:nessus,11003; classtype:web-application-activity; sid:989; rev:11;)
-alert tcp $HOME_NET 2000 -> $EXTERNAL_NET any (msg:"BACKDOOR Insane Network 4.0 connection established"; flow:from_server,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; classtype:misc-activity; sid:3015; rev:3;)
-alert tcp $HOME_NET 63536 -> $EXTERNAL_NET any (msg:"BACKDOOR Insane Network 4.0 connection established port 63536"; flow:from_server,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; classtype:misc-activity; sid:3016; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"BACKDOOR RUX the Tick get system directory attempt"; flow:to_server,established; content:"SYSDIR"; depth:6; classtype:misc-activity; sid:3011; rev:1;)
-alert tcp $HOME_NET 23432 -> $EXTERNAL_NET any (msg:"BACKDOOR Asylum 0.1 connection established"; flow:from_server,established; flowbits:isset,backdoor.asylum.connect; content:"GNT"; depth:3; classtype:misc-activity; sid:3014; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"BACKDOOR RUX the Tick get windows directory attempt"; flow:to_server,established; content:"WINDIR"; depth:6; classtype:misc-activity; sid:3010; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 23432 (msg:"BACKDOOR Asylum 0.1 connection request"; flow:to_server,established; content:"RQS"; depth:3; flowbits:set,backdoor.asylum.connect; flowbits:noalert; classtype:misc-activity; sid:3013; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 20034 (msg:"BACKDOOR NetBus Pro 2.0 connection request"; flow:to_server,established; content:"BN |00 02 00|";
depth:6; content:"|05 00|"; depth:2; offset:8; flowbits:set,backdoor.netbus_2.connect; flowbits:noalert; classtype:misc-activity; sid:3009; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"BACKDOOR RUX the Tick upload/execute arbitrary file attempt"; flow:to_server,established; content:"ABCJZDATEIV"; depth:11; classtype:misc-activity; sid:3012; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1020 (msg:"BACKDOOR Vampire 1.2 connection request"; flow:to_server,established; content:"Hello..."; depth:8; flowbits:set,backdoor.vampire_12.connect; flowbits:noalert; classtype:misc-activity; sid:3063; rev:2;)
-alert tcp $HOME_NET 1020 -> $EXTERNAL_NET any (msg:"BACKDOOR Vampire 1.2 connection confirmation"; flow:from_server,established; flowbits:isset,backdoor.vampire_12.connect; content:"Vampire v1.2 Server On-Line....."; depth:32; classtype:misc-activity; sid:3064; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5880 (msg:"BACKDOOR Y3KRAT 1.5 Connect Client Response"; flow:to_server,established; content:"getclient"; depth:9; flowbits:isset,backdoor.y3krat_15.connect; flowbits:set,backdoor.y3krat_15.client.response; flowbits:noalert; classtype:misc-activity; sid:3082; rev:1;)
-alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"BACKDOOR Y3KRAT 1.5 Connect"; flow:from_server,established; content:"connected"; depth:9; flowbits:set,backdoor.y3krat_15.connect; flowbits:noalert; classtype:misc-activity; sid:3081; rev:1;)
-alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"BACKDOOR Y3KRAT 1.5 Connection confirmation"; flow:from_server, established; content:"client"; depth:6; flowbits:isset, backdoor.y3krat_15.client.response; classtype:misc-activity; sid:3083; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice 2000 Inbound Traffic"; flow:to_server,established; content:"1j|D0 D9|"; classtype:trojan-activity; sid:3155; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3198 (msg:"BACKDOOR mydoom.a backdoor upload/execute
attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; classtype:trojan-activity; sid:3272; rev:2;)
diff -Nru snort-2.8.5.2/rules/bad-traffic.rules snort-2.9.2/rules/bad-traffic.rules
--- snort-2.8.5.2/rules/bad-traffic.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/bad-traffic.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,41 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: bad-traffic.rules,v 1.31.2.3.2.1 2005/05/16 22:17:51 mwatchinski Exp $
-#------------------
-# BAD TRAFFIC RULES
-#------------------
-# These signatures are representitive of traffic that should never be seen on
-# any network.
None of these signatures include datagram content checking
-# and are extremely quick signatures
-#
-
-alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:8;)
-alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC udp port 0 traffic"; reference:bugtraq,576; reference:cve,1999-0675; reference:nessus,10074; classtype:misc-activity; sid:525; rev:9;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; flow:stateless; dsize:>6; flags:S,12; reference:url,www.cert.org/incident_notes/IN-99-07.html; classtype:misc-activity; sid:526; rev:11;)
-alert ip any any <> 127.0.0.0/8 any (msg:"BAD-TRAFFIC loopback traffic"; reference:url,rr.sans.org/firewall/egress.php; classtype:bad-unknown; sid:528; rev:5;)
-alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:8;)
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC ip reserved bit set"; fragbits:R; classtype:misc-activity; sid:523; rev:5;)
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; rev:8;)
-# linux happens.
Blah
-# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC bad frag bits"; fragbits:MD; classtype:misc-activity; sid:1322; rev:7;)
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC Unassigned/Reserved IP protocol"; ip_proto:>134; reference:url,www.iana.org/assignments/protocol-numbers; classtype:non-standard-protocol; sid:1627; rev:3;)
-alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any (msg:"BAD-TRAFFIC syn to multicast address"; flow:stateless; flags:S+; classtype:bad-unknown; sid:1431; rev:9;)
-alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 53 SWIPE"; ip_proto:53; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2186; rev:3;)
-alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 55 IP Mobility"; ip_proto:55; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2187; rev:3;)
-alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 77 Sun ND"; ip_proto:77; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2188; rev:3;)
-alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 103 PIM"; ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2189; rev:3;)
diff -Nru snort-2.8.5.2/rules/cgi-bin.list snort-2.9.2/rules/cgi-bin.list
--- snort-2.8.5.2/rules/cgi-bin.list 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/cgi-bin.list 1970-01-01 00:00:00.000000000 +0000
@@ -1,16 +0,0 @@
-# (C) Copyright 2001,2002 Brian Caswell, et al. All rights reserved.
-# $Id: cgi-bin.list,v 1.3 2002/08/18 20:28:43 cazz Exp $
-#--------------
-# cgi-bin list
-#--------------
-# if content-list actually worked, this would be our content-list for
-# the different CGI bin directories we would check for.
-
-"/cgi-bin/"
-"/cgi/"
-"/cgi-local/"
-"/perl/"
-"/mod_perl/"
-"/scripts/"
-"/comps/"
-"/cgi-bin-sdb/"
diff -Nru snort-2.8.5.2/rules/chat.rules snort-2.9.2/rules/chat.rules
--- snort-2.8.5.2/rules/chat.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/chat.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: chat.rules,v 1.25.2.2.2.4 2005/07/22 19:19:54 mwatchinski Exp $
-#-------------
-# CHAT RULES
-#-------------
-# These signatures look for people using various types of chat programs (for
-# example: AIM, ICQ, and IRC) which may be against corporate policy
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT ICQ access"; flow:to_server,established; content:"User-Agent|3A|ICQ"; classtype:policy-violation; sid:541; rev:9;)
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"CHAT ICQ forced user addition"; flow:established,to_client; content:"Content-Type|3A| application/x-icq"; nocase; content:"[ICQ User]"; reference:bugtraq,3226; reference:cve,2001-1305; classtype:policy-violation; sid:1832; rev:7;)
-
-alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; classtype:policy-violation; sid:540; rev:11;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN outbound file
transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; nocase; content:"INVITE"; distance:0; nocase; classtype:policy-violation; sid:1986; rev:6;)
-alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"CHAT MSN outbound file transfer accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 200 OK"; distance:0; nocase; classtype:policy-violation; sid:1988; rev:5;)
-alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"CHAT MSN outbound file transfer rejected"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 603 Decline"; distance:0; nocase; classtype:policy-violation; sid:1989; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN user search"; flow:to_server,established; content:"CAL "; depth:4; nocase; classtype:policy-violation; sid:1990; rev:1;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; threshold:type limit, track by_src, count 1, seconds 60; classtype:policy-violation; sid:1991; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC nick change"; flow:to_server,established; content:"NICK "; offset:0; nocase; classtype:policy-violation; sid:542; rev:11;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC DCC file transfer request"; flow:to_server,established; content:"PRIVMSG "; offset:0; nocase; content:" |3A|.DCC SEND"; nocase; classtype:policy-violation; sid:1639; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC DCC chat request"; flow:to_server,established; content:"PRIVMSG "; offset:0; nocase; content:" |3A|.DCC CHAT chat"; nocase; classtype:policy-violation; sid:1640; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET
6666:7000 (msg:"CHAT IRC channel join"; flow:to_server,established; content:"JOIN |3A| |23|"; offset:0; nocase; classtype:policy-violation; sid:1729; rev:5;)
-alert tcp $HOME_NET any <> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC message"; flow:established; content:"PRIVMSG "; nocase; classtype:policy-violation; sid:1463; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC dns request"; flow:to_server,established; content:"USERHOST "; offset:0; nocase; classtype:policy-violation; sid:1789; rev:3;)
-alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"CHAT IRC dns response"; flow:to_client,established; content:"|3A|"; offset:0; content:" 302 "; content:"=+"; classtype:policy-violation; sid:1790; rev:4;)
-
-alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 17 00 06|"; within:8; distance:4; classtype:policy-violation; sid:1631; rev:8;)
-alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM send message"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 04 00 06|"; depth:4; offset:6; classtype:policy-violation; sid:1632; rev:6;)
-alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"CHAT AIM receive message"; flow:to_client; content:"*|02|"; depth:2; content:"|00 04 00 07|"; depth:4; offset:6; classtype:policy-violation; sid:1633; rev:6;)
-
-
-
-alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM successful logon"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 01|"; depth:2; offset:10; classtype:policy-violation; sid:2450; rev:3;)
-alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM voicechat"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00|J"; depth:2; offset:10; classtype:policy-violation; sid:2451; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 12|";
depth:2; offset:10; classtype:policy-violation; sid:2452; rev:4;) - -alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM conference invitation"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 18|"; depth:2; offset:10; classtype:policy-violation; sid:2453; rev:3;) -alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM conference logon success"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 19|"; depth:2; offset:10; classtype:policy-violation; sid:2454; rev:3;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM conference message"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 1D|"; depth:2; offset:10; classtype:policy-violation; sid:2455; rev:3;) - -alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo Messenger File Transfer Receive Request"; flow:established; content:"YMSG"; depth:4; content:"|00|M"; depth:2; offset:10; classtype:policy-violation; sid:2456; rev:4;) -alert tcp any any <> any 5101 (msg:"CHAT Yahoo IM message"; flow:established; content:"YMSG"; depth:4; nocase; classtype:policy-violation; sid:2457; rev:2;) - -alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM successful chat join"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 98|"; depth:2; offset:10; classtype:policy-violation; sid:2458; rev:3;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM conference offer invitation"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00|P"; depth:2; offset:10; classtype:policy-violation; sid:2459; rev:4;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"CHAT Yahoo IM conference request"; flow:to_server,established; content:" $HOME_NET any (msg:"CHAT Yahoo IM conference watch"; flow:from_server,established; content:"|0D 00 05 00|"; depth:4; classtype:policy-violation; sid:2461; rev:4;) diff -Nru snort-2.8.5.2/rules/classification.config 
snort-2.9.2/rules/classification.config
--- snort-2.8.5.2/rules/classification.config 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/classification.config 1970-01-01 00:00:00.000000000 +0000
@@ -1,66 +0,0 @@ -# $Id: classification.config,v 1.11 2003/10/20 15:03:03 chrisgreen Exp $ -# The following includes information for prioritizing rules -# -# Each classification includes a shortname, a description, and a default -# priority for that classification. -# -# This allows alerts to be classified and prioritized. You can specify -# what priority each classification has. Any rule can override the default -# priority for that rule. -# -# Here are a few example rules: -# -# alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow"; -# dsize: > 128; classtype:attempted-admin; priority:10; -# -# alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \ -# content:"expn root"; nocase; classtype:attempted-recon;) -# -# The first rule will set its type to "attempted-admin" and override -# the default priority for that type to 10. -# -# The second rule set its type to "attempted-recon" and set its -# priority to the default for that type. -# - -# -# config classification:shortname,short description,priority -# - -config classification: not-suspicious,Not Suspicious Traffic,3 -config classification: unknown,Unknown Traffic,3 -config classification: bad-unknown,Potentially Bad Traffic, 2 -config classification: attempted-recon,Attempted Information Leak,2 -config classification: successful-recon-limited,Information Leak,2 -config classification: successful-recon-largescale,Large Scale Information Leak,2 -config classification: attempted-dos,Attempted Denial of Service,2 -config classification: successful-dos,Denial of Service,2 -config classification: attempted-user,Attempted User Privilege Gain,1 -config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1 -config classification: successful-user,Successful User Privilege Gain,1 -config classification: attempted-admin,Attempted Administrator Privilege Gain,1 -config classification: successful-admin,Successful Administrator Privilege Gain,1 - - -# NEW CLASSIFICATIONS -config classification: 
rpc-portmap-decode,Decode of an RPC Query,2 -config classification: shellcode-detect,Executable code was detected,1 -config classification: string-detect,A suspicious string was detected,3 -config classification: suspicious-filename-detect,A suspicious filename was detected,2 -config classification: suspicious-login,An attempted login using a suspicious username was detected,2 -config classification: system-call-detect,A system call was detected,2 -config classification: tcp-connection,A TCP connection was detected,4 -config classification: trojan-activity,A Network Trojan was detected, 1 -config classification: unusual-client-port-connection,A client was using an unusual port,2 -config classification: network-scan,Detection of a Network Scan,3 -config classification: denial-of-service,Detection of a Denial of Service Attack,2 -config classification: non-standard-protocol,Detection of a non-standard protocol or event,2 -config classification: protocol-command-decode,Generic Protocol Command Decode,3 -config classification: web-application-activity,access to a potentially vulnerable web application,2 -config classification: web-application-attack,Web Application Attack,1 -config classification: misc-activity,Misc activity,3 -config classification: misc-attack,Misc Attack,2 -config classification: icmp-event,Generic ICMP event,3 -config classification: kickass-porn,SCORE! Get the lotion!,1 -config classification: policy-violation,Potential Corporate Privacy Violation,1 -config classification: default-login-attempt,Attempt to login by a default username and password,2 diff -Nru snort-2.8.5.2/rules/community-bot.rules snort-2.9.2/rules/community-bot.rules --- snort-2.8.5.2/rules/community-bot.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/community-bot.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,117 +0,0 @@ -# Copyright 2006 Sourcefire, Inc. All Rights Reserved. -# These rules are licensed under the GNU General Public License. -# Please see the file LICENSE in this directory for more details. -# $Id: community-bot.rules,v 1.5 2006/10/23 12:49:52 akirk Exp $ - - -# Some rules to look for botnets using popular bot software. -# Contributed by David J. Bianco -# -# A more detailed writeup can be found at: -# -#http://infosecpotpourri.blogspot.com/2006/03/detecting-common-botnets-with-snort.html -# -# -# This rule merely looks for IRC traffic on any TCP port (by detecting -# NICK change events, which occur at the beginning of the session) and -# sets the is_proto_irc flowbit. It does not actually generate any alerts -# itself. -alert tcp any any -> any any (msg:"COMMUNITY BOT IRC Traffic Detected By Nick Change"; flow: to_server,established; content:"NICK "; nocase; offset: 0; depth: 5; flowbits:set,community_is_proto_irc; flowbits: noalert; classtype:misc-activity; sid:100000240; rev:3;) - -# Using the aforementioned is_proto_irc flowbits, do some IRC checks. 
-# This one looks for IRC servers running on the $HOME_NET -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY BOT Internal IRC server detected"; flow: to_server,established; flowbits:isset,community_is_proto_irc; classtype: policy-violation; sid:100000241; rev:2;) - -# These rules look for specific Agobot/PhatBot commands on an IRC session -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.about command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.about"; classtype: trojan-activity; sid:100000242; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.die command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.die"; classtype: trojan-activity; sid:100000243; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.dns command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.dns"; classtype: trojan-activity; sid:100000244; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.execute command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.execute"; classtype: trojan-activity; sid:100000245; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.id command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.id"; classtype: trojan-activity; sid:100000246; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.nick command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.nick"; classtype: trojan-activity; sid:100000247; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.open command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.open"; classtype: trojan-activity; sid:100000248; rev:2;) - -alert tcp $HOME_NET any -> 
$EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.remove command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.remove"; classtype: trojan-activity; sid:100000249; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.removeallbut command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.removeallbut"; classtype: trojan-activity; sid:100000250; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.rndnick command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.rndnick"; classtype: trojan-activity; sid:100000251; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.status command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.status"; classtype: trojan-activity; sid:100000252; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.sysinfo command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.sysinfo"; classtype: trojan-activity; sid:100000253; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.longuptime command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.longuptime"; classtype: trojan-activity; sid:100000254; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.highspeed command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.highspeed"; classtype: trojan-activity; sid:100000255; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.quit command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.quit"; classtype: trojan-activity; sid:100000256; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.flushdns command"; flow: 
established; flowbits:isset,community_is_proto_irc; content:"bot.flushdns"; classtype: trojan-activity; sid:100000257; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.secure command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.secure"; classtype: trojan-activity; sid:100000258; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.unsecure command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.unsecure"; classtype: trojan-activity; sid:100000259; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.command command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.command"; classtype: trojan-activity; sid:100000260; rev:2;) - -# Now some rules to look for SDBot traffic, also on established IRC sessions. -# There are fewer of these, since the commands themselves aren't so distinctive -# (don't want a lot of false positives on regular IRC conversations). 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SDBot killthread command"; flow: established; flowbits:isset,community_is_proto_irc; content:"killthread"; pcre:"/killthread\s+\d+\b/"; classtype: trojan-activity; sid:100000261; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SDBot cdkey command"; flow: established; flowbits:isset,community_is_proto_irc; content:"cdkey"; classtype: trojan-activity; sid:100000262; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SDBot getcdkey command"; flow: established; flowbits:isset,community_is_proto_irc; content:"getcdkey"; classtype: trojan-activity; sid:100000263; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SDBot rndnick command"; flow: established; flowbits:isset,community_is_proto_irc; content:"rndnick"; classtype: trojan-activity; sid:100000264; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SDBot c_rndnick command"; flow: established; flowbits:isset,community_is_proto_irc; content:"c_rndnick"; classtype: trojan-activity; sid:100000265; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SDBot c_nick command"; flow: established; flowbits:isset,community_is_proto_irc; content:"c_nick"; classtype: trojan-activity; sid:100000266; rev:2;) - -# Ok, on to SpyBot rules - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SpyBot stopspy command"; flow: established; flowbits:isset,community_is_proto_irc; content:"stopspy"; classtype: trojan-activity; sid:100000267; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SpyBot redirectspy command"; flow: established; flowbits:isset,community_is_proto_irc; content:"redirectspy"; classtype: trojan-activity; sid:100000268; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SpyBot loadclones command"; flow: established; flowbits:isset,community_is_proto_irc; 
content:"loadclones"; classtype: trojan-activity; sid:100000269; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SpyBot killclones command"; flow: established; flowbits:isset,community_is_proto_irc; content:"killclones"; classtype: trojan-activity; sid:100000270; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SpyBot rawclones command"; flow: established; flowbits:isset,community_is_proto_irc; content:"rawclones"; classtype: trojan-activity; sid:100000271; rev:2;) - -# Finally GT Bot rules. These try to account for the case where the bot -# herder has redifined the command character away from the default '!'. -# The only bug here is that this won't detect the ':' as the cmdchar. IRC -# uses the colon as part of the protocol message, and it was confusing -# any message the started with (e.g.) "portscan" at the beginning of the line -# and bot commands in the form of ":portscan". -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT GTBot ver command"; flow: established; flowbits:isset,community_is_proto_irc; content:"ver"; pcre:"/(? $EXTERNAL_NET any (msg:"COMMUNITY BOT GTBot info command"; flow: established; flowbits:isset,community_is_proto_irc; content:"info"; pcre:"/(? $EXTERNAL_NET any (msg:"COMMUNITY BOT GTBot scan command"; flow: established; flowbits:isset,community_is_proto_irc; content:"scan"; pcre:"/(? $EXTERNAL_NET any (msg:"COMMUNITY BOT GTBot portscan command"; flow: established; flowbits:isset,community_is_proto_irc; content:"portscan"; pcre:"/(? $EXTERNAL_NET any (msg:"COMMUNITY BOT GTBot stopscan command"; flow: established; flowbits:isset,community_is_proto_irc; content:"stopscan"; pcre:"/(? $EXTERNAL_NET any (msg:"COMMUNITY BOT GTBot packet command"; flow: established; flowbits:isset,community_is_proto_irc; content:"packet"; pcre:"/(? $EXTERNAL_NET any (msg:"COMMUNITY BOT GTBot bnc command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bnc"; pcre:"/(? 
$EXTERNAL_NET 8585 (msg:"COMMUNITY BOT Mytob IRC DCC file transfer request"; flow:established,to_server; content:"PRIVMSG "; nocase; content:" |3A|.DCC SEND"; nocase; distance:0; pcre:"/^\s*PRIVMSG/smi"; classtype:policy-violation; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99; sid:100000900; rev:1;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 8585 (msg:"COMMUNITY BOT Mytob IRC DCC chat request"; flow:established,to_server; content:"PRIVMSG "; nocase; content:" |3A|.DCC CHAT chat"; nocase; distance:0; pcre:"/^\s*PRIVMSG/smi"; classtype:policy-violation; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99; sid:100000901; rev:1;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 8585 (msg:"COMMUNITY BOT Mytob IRC channel join"; flow:established,to_server; content:"JOIN "; nocase; pcre:"/^\s*JOIN/smi"; classtype:policy-violation; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99; sid:100000902; rev:1;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 8585 (msg:"COMMUNITY BOT Mytob IRC dns request"; flow:established,to_server; content:"USERHOST "; nocase; pcre:"/^\s*USERHOST/smi"; classtype:policy-violation; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99; sid:100000903; rev:1;) -alert tcp $EXTERNAL_NET 8585 -> $HOME_NET any (msg:"COMMUNITY BOT Mytob IRC dns response"; flow:established,to_client; content:"|3A|"; offset:0; content:" 302 "; content:"=+"; classtype:policy-violation; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99; sid:100000904; rev:1;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 8585 (msg:"COMMUNITY BOT Mytob IRC nick change"; flow:established,to_server; content:"NICK "; nocase; pcre:"/^\s*NICK/smi"; classtype:policy-violation; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99; sid:100000905; rev:1;) diff -Nru 
snort-2.8.5.2/rules/community-deleted.rules snort-2.9.2/rules/community-deleted.rules --- snort-2.8.5.2/rules/community-deleted.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/community-deleted.rules 1970-01-01 00:00:00.000000000 +0000 @@ -1,7 +0,0 @@ -# Copyright 2006 Sourcefire, Inc. All Rights Reserved. # These rules are licensed under the GNU General Public License. -# Please see the file LICENSE in this directory for more details. -# $Id: community-deleted.rules,v 1.3 2006/12/05 20:32:48 akirk Exp $ - -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY DELETED PhpWebGallery XSS attempt"; content:"GET"; nocase; depth:3; uricontent:"comments.php"; nocase; uricontent:"keyword="; nocase; classtype:web-application-attack; sid:100000819; rev:2;) -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY DELETED PhpWebGallery XSS attempt"; content:"GET"; nocase; depth:3; uricontent:"comments"; nocase; uricontent:"|2E|php"; nocase; uricontent:"|3F|keyword"; nocase; reference:bugtraq,18798; classtype:web-application-attack; sid:100000848; rev:2;) -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY DELETED phpNuke admin_ug_auth.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_ug_auth.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000381; rev:3;) diff -Nru snort-2.8.5.2/rules/community-dos.rules snort-2.9.2/rules/community-dos.rules --- snort-2.8.5.2/rules/community-dos.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/community-dos.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,16 +0,0 @@ -# Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# These rules are licensed under the GNU General Public License. -# Please see the file LICENSE in this directory for more details. -# $Id: community-dos.rules,v 1.7 2007/02/22 20:44:35 akirk Exp $ - -#Rule submitted by rmkml -alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY DOS Tcpdump rsvp attack"; ip_proto:46; content:"|00 08 14 01 03 00 00 00|"; reference:cve,2005-1280; reference:cve,2005-1281; reference:bugtraq,13391; classtype:attempted-dos; sid:100000134; rev:1;) -alert udp $EXTERNAL_NET any -> $HOME_NET 1069 (msg:"COMMUNITY DOS Ethereal slimp overflow attempt"; content:"|6C C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00 FF FF 00 00 01 00 00 00 56 57 F7|"; reference:cve,2005-3243; reference:url,www.ethereal.com/docs/release-notes/ethereal-0.10.13.html; classtype:attempted-dos; sid:100000175; rev:1;) -alert tcp $EXTERNAL_NET any <> $HOME_NET 5005 (msg:"COMMUNITY DOS Trend Micro ServerProtect EarthAgent attempt"; flow:stateless; content:"|21 43 65 87|"; reference:cve,2005-1928; reference:url,www.idefense.com/application/poi/display?id=356&type=vulnerabilities; classtype:attempted-dos; sid:100000215; rev:2;) - -#Rules submitted by the Verisign MSS Operations Team -alert tcp $EXTERNAL_NET any -> $HOME_NET 6667:7000 (msg:"COMMUNITY DOS EnergyMech parse_notice vulnerability - inbound"; flow:to_server,established; content:"NOTICE|20|"; content:!"|5c|"; within:11; reference:bugtraq,18664; classtype:attempted-dos; sid:100000686; rev:2;) -alert tcp $HOME_NET 6667:7000 -> $EXTERNAL_NET any (msg:"COMMUNITY DOS EnergyMech parse_notice vulnerability - outbound"; flow:to_server,established; content:"NOTICE|20|"; content:!"|5c|"; within:11; reference:bugtraq,18664; classtype:attempted-dos; sid:100000687; rev:2;) - -#Rule submitted by Dan Protich -alert udp $EXTERNAL_NET !53 <> $HOME_NET !53 (msg:"COMMUNITY DOS Single-Byte UDP Flood"; content:"0"; dsize:1; classtype:attempted-dos; threshold: 
type threshold, track by_dst, count 200, seconds 60; sid:100000923; rev:1;) diff -Nru snort-2.8.5.2/rules/community-exploit.rules snort-2.9.2/rules/community-exploit.rules --- snort-2.8.5.2/rules/community-exploit.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/community-exploit.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,11 +0,0 @@ -# Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# These rules are licensed under the GNU General Public License. -# Please see the file LICENSE in this directory for more details. -# $Id: community-exploit.rules,v 1.17 2006/08/18 19:38:06 akirk Exp $ - -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Flowbit"; flow:to_server,established; pcre:"/.{1050,}/U"; flowbits:set,community_uri.size.1050; flowbits:noalert; reference:cve,2004-0629; reference: bugtraq,10947; classtype:attempted-user; sid: 100000100; rev:2;) -#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Exploit"; flow:to_client,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s*application\x2f(pdf|vnd\x2efdf|vnd\x2eadobe\x2exfdf|vnd\x2eadobe\x2exdp+xml|vnd\x2e\ adobe\x2exfd+xml)/smi"; flowbits:isset,community_uri.size.1050; reference:cve,2004-0629; reference:bugtraq,10947; classtype:attempted-user; sid:100000101; rev:2;) -alert udp $EXTERNAL_NET any -> $HOME_NET 5093 (msg:"COMMUNITY EXPLOIT Sentinel LM exploit"; dsize:2048; reference:bugtraq,12742; reference:cve,2005-0353; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=14605; reference:nessus,17326; classtype:attempted-dos; sid:100000165; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"COMMUNITY EXPLOIT HPUX LPD overflow attempt"; flow:to_server,established; content:"|24 7B 49 46 53 7D|"; reference:cve,2005-3277; reference:bugtraq,15136; classtype:attempted-dos; sid:100000176; rev:1;) -alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"COMMUNITY EXPLOIT SIP UDP spoof attempt"; content:"|3B|branch|3D 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0A|"; nocase; reference:bugtraq,14174; reference:cve,2005-2182; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17838; classtype:attempted-dos; sid:100000180; rev:1;) -alert udp $EXTERNAL_NET any -> $HOME_NET 
65535 (msg:"COMMUNITY EXPLOIT LANDesk Management Suite Alerting Service buffer overflow"; dsize:>268; reference: bugtraq,23483; reference: cve,2007-1674; classtype: attempted-admin; sid:100000928; rev:1;) diff -Nru snort-2.8.5.2/rules/community-ftp.rules snort-2.9.2/rules/community-ftp.rules --- snort-2.8.5.2/rules/community-ftp.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/community-ftp.rules 1970-01-01 00:00:00.000000000 +0000 @@ -1,4 +0,0 @@ -# Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# These rules are licensed under the GNU General Public License. -# Please see the file LICENSE in this directory for more details. -# $Id: community-ftp.rules,v 1.6 2005/03/08 14:41:42 bmc Exp $ diff -Nru snort-2.8.5.2/rules/community-game.rules snort-2.9.2/rules/community-game.rules --- snort-2.8.5.2/rules/community-game.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/community-game.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,10 +0,0 @@ -# Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# These rules are licensed under the GNU General Public License. -# Please see the file LICENSE in this directory for more details. -# $Id: community-game.rules,v 1.8 2005/11/10 14:15:43 akirk Exp $ - -alert udp $EXTERNAL_NET any -> $HOME_NET 2305 (msg:"COMMUNITY GAME Halocon Denial of Service Empty UDP Packet"; dsize:0; classtype:attempted-dos; reference:bugtraq,12281; sid:100000102; rev:1;) -alert udp $EXTERNAL_NET any -> $HOME_NET 7649 (msg:"COMMUNITY GAME Breed Game Server Denial of Service Empty UDP Packet"; dsize:0; classtype:attempted-dos; reference:bugtraq,12262; sid:100000103; rev:1;) -alert udp $EXTERNAL_NET any -> $HOME_NET 27777 (msg:"COMMUNITY GAME Amp II 3D Game Server Denial of Service Empty UDP Packet"; dsize:0; classtype:attempted-dos; reference:bugtraq,12192; sid:100000104; rev:1;) -alert udp $EXTERNAL_NET any -> $HOME_NET 29000 (msg:"COMMUNITY GAME FlatFrag game dos exploit"; fragbits:D; id:1; content:"|61 61 61|"; dsize:99; reference:bugtraq,15287; reference:cve,2005-3492; classtype:attempted-dos; sid:100000181; rev:1;) -alert udp $EXTERNAL_NET any <> $HOME_NET 7000 (msg:"COMMUNITY GAME Battle Carry attempt"; dsize:>8192; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; reference:cve,2005-3493; reference:bugtraq,15282; classtype:attempted-dos; sid:100000182; rev:1;) diff -Nru snort-2.8.5.2/rules/community-icmp.rules snort-2.9.2/rules/community-icmp.rules --- snort-2.8.5.2/rules/community-icmp.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/community-icmp.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,8 +0,0 @@ -# Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# These rules are licensed under the GNU General Public License. -# Please see the file LICENSE in this directory for more details. -# $Id: community-icmp.rules,v 1.4 2006/06/01 15:51:28 akirk Exp $ - -#Rule submitted by rmkml -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY ICMP Linux DoS sctp Exploit"; icode:2; itype:3; content:"|28 00 00 50 00 00 00 00 F9 57 1F 30 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:nessus,19777; classtype:attempted-user; sid:100000164; rev:2;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY ICMP undefined code"; icode:>18; classtype:misc-activity; sid:100000197; rev:1;) diff -Nru snort-2.8.5.2/rules/community-imap.rules snort-2.9.2/rules/community-imap.rules --- snort-2.8.5.2/rules/community-imap.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/community-imap.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,15 +0,0 @@ -# Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# These rules are licensed under the GNU General Public License. -# Please see the file LICENSE in this directory for more details. -# $Id: community-imap.rules,v 1.7 2006/04/07 13:34:06 akirk Exp $ - -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"COMMUNITY IMAP GNU Mailutils request tag format string vulnerability"; flow:to_server,established; content:"|25|"; pcre:"/^\S*\x25\S*\s/sm"; reference:cve,CAN-2005-1523; reference:bugtraq,13764; classtype:attempted-admin; sid:100000135; rev:1;) -#Rule submitted by rmkml -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"COMMUNITY IMAP GNU imapd search format string attempt"; flow:established,to_server; pcre:"/\sSEARCH.*\%/smi"; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19306; reference:cve,2005-2878; classtype:misc-attack; sid:100000136; rev:1;) - -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"COMMUNITY IMAP MDaemon authentication protocol decode"; flow:to_server,established; content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[CRAM-MD5|LOGIN]/smi"; flowbits:set,community_imap.auth; flowbits:noalert; classtype:protocol-command-decode; sid:100000152; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"COMMUNITY IMAP MDaemon authentication multiple packet overflow attempt"; flow:to_server,established; flowbits:isset,community_imap.auth; isdataat:342; pcre:"/[^\x0A]{342,}/"; reference:bugtraq,14317; classtype:attempted-admin; sid:100000153; rev:3;) -alert tcp $HOME_NET 143 -> $EXTERNAL_NET any (msg:"COMMUNITY IMAP MDaemon authentication okay protocol decode"; flow:to_client,established; content:"AUTHENTICATE"; nocase; pcre:"/\sOK\sAUTHENTICATE/smi"; flowbits:unset,community_imap.auth; flowbits:noalert; classtype:protocol-command-decode; sid:100000154; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"COMMUNITY IMAP MDaemon authentication overflow single packet attempt"; flow:to_server,established; 
content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[CRAM-MD5|LOGIN][^\n]*\n[^\n]{342}/smi"; reference:bugtraq,14317; classtype:attempted-admin; sid:100000155; rev:1;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"COMMUNITY IMAP Qualcomm WorldMail SELECT dot dot attempt"; flow:established,to_server; content:"SELECT"; content:"|2E 2E|"; nocase; pcre:"/^\d*\s*SELECT\s*\.\./smi"; reference:cve,2005-3189; reference:bugtraq,15488; classtype:misc-attack; sid:100000196; rev:1;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"COMMUNITY IMAP GNU Mailutils imap4d hex attempt"; flow:established,to_server; content:"SEARCH TOPIC %"; reference:cve,2005-2878; reference:bugtraq,14794; reference:nessus,19605; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19306; classtype:misc-attack; sid:100000207; rev:2;) diff -Nru snort-2.8.5.2/rules/community-inappropriate.rules snort-2.9.2/rules/community-inappropriate.rules --- snort-2.8.5.2/rules/community-inappropriate.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/community-inappropriate.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,8 +0,0 @@ -# Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# These rules are licensed under the GNU General Public License. -# Please see the file LICENSE in this directory for more details. -# $Id: community-inappropriate.rules,v 1.8 2005/04/01 17:16:23 akirk Exp $ - -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY INAPPROPRIATE lolita sex"; content:"lolita"; nocase; content:"sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:100000105; rev:1;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY INAPPROPRIATE preteen sex"; content:"teen"; nocase; pcre:"/pre-?teen/i"; flow:to_client,established; classtype:kickass-porn; sid:100000123; rev:1;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY INAPPROPRIATE girls gone wild"; content:"girls"; nocase; content:"gone"; nocase; content:"wild"; nocase; flow:to_client,established; classtype:kickass-porn; sid:100000124; rev:1;) diff -Nru snort-2.8.5.2/rules/community-mail-client.rules snort-2.9.2/rules/community-mail-client.rules --- snort-2.8.5.2/rules/community-mail-client.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/community-mail-client.rules 1970-01-01 00:00:00.000000000 +0000 @@ -1,4 +0,0 @@ -# Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# These rules are licensed under the GNU General Public License. -# Please see the file LICENSE in this directory for more details. -# $Id: community-mail-client.rules,v 1.6 2005/03/08 14:41:42 bmc Exp $ diff -Nru snort-2.8.5.2/rules/community-misc.rules snort-2.9.2/rules/community-misc.rules --- snort-2.8.5.2/rules/community-misc.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/community-misc.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,48 +0,0 @@ -# Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# These rules are licensed under the GNU General Public License. -# Please see the file LICENSE in this directory for more details. -# $Id: community-misc.rules,v 1.25 2007/03/05 15:22:49 akirk Exp $ - -alert udp $EXTERNAL_NET any -> $HOME_NET 5093 (msg:"COMMUNITY MISC Sentinel License Manager overflow attempt"; dsize:>1000; reference:cve,CAN-2005-0353; reference:bugtraq,12742; classtype:attempted-user; sid:100000125; rev:1;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 2380 (msg:"COMMUNITY MISC GoodTech Telnet Server Buffer Overflow Attempt"; flow:to_server,established; pcre:"/[^\r\n]{1000,}/i"; reference:cve,2005-0768; reference:url,unsecure.altervista.org/security/goodtechtelnet.htm; classtype:attempted-dos; sid:100000126; rev:1;) -#Rule submitted by rmkml -alert tcp any any -> any !139 (msg:"COMMUNITY MISC BAD-SSL tcp detect"; flow:stateless; content:"|00 0E|"; depth:4; offset:0; classtype:misc-activity; sid:100000137; rev:1;) -#Rules submitted by Thierry Chich -alert tcp any any -> any any (msg:"COMMUNITY MISC streaming RTSP - realplayer"; flow:established; content:"PLAY rtsp|3A 2F 2F|"; depth: 12; classtype:policy-violation; reference:url,www.rtsp.org; sid:100000189; rev:2;) -alert tcp any any -> any any (msg:"COMMUNITY MISC streaming Windows Mediaplayer"; flow:established; content:"|01 00 00 00 ce fa 0b b0|"; depth: 8; content:"MMS"; distance:4; within:4; classtype:policy-violation; reference:url,www.microsoft.com; sid:100000190; rev:2;) -#alert udp $EXTERNAL_NET 1023: -> $HOME_NET 123 (msg:"COMMUNITY MISC Ntp fingerprint detect"; dsize:48; content:"|BE 78 2F 1D 19 BA 00 00|"; reference:url,www.arhont.com/ViewPage7422.html?siteNodeId=3&languageId=1&contentId=-1; classtype:attempted-dos; sid:100000198; rev:1;) -#Rule submitted by rmkml -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8008 (msg:"COMMUNITY MISC Novell eDirectory iMonitor access"; flow:to_server,established; uricontent:"/nds/"; 
nocase; reference:bugtraq,14548; reference:cve,2005-2551; reference:nessus,19248; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=18703; classtype:web-application-attack; sid:100000199; rev:1;) -#Rule submitted jointly by Romain Chartier, Sylvain Sarmejeanne, and Pierre Lalet -alert udp any any -> any 53 (msg:"COMMUNITY MISC Tunneling IP over DNS with NSTX"; byte_test: 1,>,32,12; content: "|00 10 00 01|"; offset: 12; rawbytes; threshold: type threshold, track by_src, count 50, seconds 60; reference:url,nstx.dereference.de/nstx/; reference:url,slashdot.org/articles/00/09/10/2230242.shtml; classtype:policy-violation; sid:100000208; rev:1;) -#Rules submitted by Crusoe Researches Team -alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"COMMUNITY MISC TFTP32 Get Format string attempt"; content:"|00 01 25 2E|"; depth:4; reference:url,www.securityfocus.com/archive/1/422405/30/0/threaded; reference:url,www.critical.lt/?vulnerabilities/200; classtype:attempted-admin; sid:100000222; rev:1;) -alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"COMMUNITY MISC SNMP trap Format String detected"; content:"%s"; reference:bugtraq,16267; reference:cve,2006-0250; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=22493; classtype:attempted-recon; sid:100000227; rev:1;) -#Rule submitted by Nigel Houghton -alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"COMMUNITY MISC Lotus Domino LDAP attack"; flow:established; content:"|30 0c 02 01 01 60 07 02 00 03 04 00 80 00|"; reference:bugtraq,16523; reference:cve,2006-0580; reference:url,lists.immunitysec.com/pipermail/dailydave/2006-February/002896.html; classtype:misc-attack; sid:100000229; rev:2;) - -#Jabber/Google Talk traffic from the client submitted by Steven Alexander -alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Jabber/Google Talk Outgoing Traffic"; flow:to_server,established; content:" $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Jabber/Google Talk Outgoing Auth"; flow:to_server,established; content:" 
$EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Google Talk Logon"; flow:to_server,established; content:" $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Jabber/Google Talk Outoing Message"; flow:to_server,established; content:" $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Jabber/Google Talk Log Out"; flow:to_server,established; content:" $HOME_NET any (msg:"COMMUNITY MISC Jabber/Google Talk Logon Success"; flow:to_client,established; content:" $HOME_NET any (msg:"COMMUNITY MISC Jabber/Google Talk Incoming Message"; flow:to_client,established; content:" $HOME_NET 1364 (msg:"COMMUNITY MISC Connect Direct Server - Session Terminated Invalid Credentials"; flow:stateless; content:"SVTM056I"; nocase; classtype:bad-unknown; sid:100000281; rev:2;) - -# TOR Rules by Dan Ramaswami -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY MISC DLR-TOR Directory server response"; flow:established,to_client; content:"|54 4f 52|"; offset:109; depth:3; content:"|06 03 55 04 03|"; distance:4; within:5; content:"|20 3C 69 64 65 6E 74 69 74 79 3E|"; distance:2; within:30; reference:url,tor.eff.org; classtype:policy-violation; sid:100000874; rev:2;) -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY MISC DLR-TOR Client Traffic"; flow:established,to_server;content:"|54 4f 52|"; content:"|06 03 55 04 03 14|"; distance:4; within:6; content:"|63 6c 69 65 6e 74 20 3C 69 64 65 6E 74 69 74 79 3E|"; distance:1; within:17; classtype:policy-violation; reference:url,tor.eff.org; sid:100000875; rev:1;) - -# Additional GoogleTalk Rules by Will Young -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY MISC Google Talk Version Check"; flow: established,to_server; uricontent:"/googletalk/google-talk-versioncheck.txt?"; nocase; classtype: policy-violation; sid:100000876; rev:1;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Google Talk Startup"; flow: established,to_server; content:"google.com"; nocase; content:"jabber|3A|client"; nocase; classtype:policy-violation; 
threshold: type limit, track by_src, count 1, seconds 300; sid:100000877; rev:1;) - -alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"COMMUNITY MISC Q.931 Invalid Call Reference Length Buffer Overflow"; flow:established; content:"|08|"; depth:1; byte_test:1,>,4,1; classtype:attempted-dos; reference:url,www.ethereal.com/news/item_20050504_01.html; reference:url,www.elook.org/internet/126.html; sid:100000892; rev:1;) - -# Rule submitted by dprotich@sagonet.com -alert udp $EXTERNAL_NET any <> $HOME_NET 1025:1026 (msg:"COMMUNITY MISC Microsoft Messenger phishing attempt - corrupted registry"; content:"FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!"; classtype:misc-activity; reference:url,www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx; sid:100000927; rev:1;) diff -Nru snort-2.8.5.2/rules/community-nntp.rules snort-2.9.2/rules/community-nntp.rules --- snort-2.8.5.2/rules/community-nntp.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/community-nntp.rules 1970-01-01 00:00:00.000000000 +0000 @@ -1,6 +0,0 @@ -# Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# These rules are licensed under the GNU General Public License. -# Please see the file LICENSE in this directory for more details. -# $Id: community-nntp.rules,v 1.3 2006/02/16 15:51:19 akirk Exp $ - -alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"COMMUNITY NNTP Lynx overflow attempt"; flow:to_server,established; content:"Subject"; nocase; pcre:"/^Subject\x3a[^\r\n]{100,}/smi"; reference:cve,2005-3120; reference:bugtraq,15117; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20019; reference:nessus,20035; classtype:attempted-admin; sid:100000172; rev:2;) diff -Nru snort-2.8.5.2/rules/community-oracle.rules snort-2.9.2/rules/community-oracle.rules --- snort-2.8.5.2/rules/community-oracle.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/community-oracle.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,6 +0,0 @@ -# Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# These rules are licensed under the GNU General Public License. -# Please see the file LICENSE in this directory for more details. -# $Id: community-oracle.rules,v 1.2 2005/10/13 14:16:06 akirk Exp $ - -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3339 (msg:"COMMUNITY ORACLE TNS Listener shutdown via iSQLPlus attempt"; flow:to_server,established; content:"isqlplus"; nocase; content:"COMMAND"; nocase; distance:0; content:"STOP"; nocase; distance:0; content:"LISTENER"; nocase; distance:0; pcre:"/isqlplus\x2F[^\r\n]*COMMAND\s*\x3D\s*STOP[^\r\n\x26]*LISTENER/si"; reference:bugtraq,15032; reference:url,www.red-database-security.com/advisory/oracle_isqlplus_shutdown.html; classtype:attempted-user; sid:100000166; rev:1;) diff -Nru snort-2.8.5.2/rules/community-policy.rules snort-2.9.2/rules/community-policy.rules --- snort-2.8.5.2/rules/community-policy.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/community-policy.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,11 +0,0 @@ -# Copyright 2006 Sourcefire, Inc. All Rights Reserved. -# These rules are licensed under the GNU General Public License. -# Please see the file LICENSE in this directory for more details. -# $Id: community-policy.rules,v 1.5 2007/03/05 14:39:58 akirk Exp $ - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY POLICY Ajax Remote Desktop Connection"; flow:from_server,established; content:""; content:"AJAX Remote Desktop Viewer"; distance:0; reference:url,www.peterdamen.com/ajaxrd/; classtype:policy-violation; sid:100000688; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY POLICY Weather Channel Desktop App Installer"; flow: established,to_server; uricontent:"/desktopfw"; nocase; uricontent:"/stubinstaller.txt?"; nocase; classtype:policy-violation; sid:100000893; rev:1;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY POLICY Weather Channel Desktop App"; flow: established,to_server; uricontent:"/weather/local/"; nocase; content:"Host|3A|"; nocase; content:"desktopfw.weather.com"; nocase; distance:0; pcre:"/^Host\x3A\s+desktopfw\x2Eweather\x2Ecom/smi"; classtype:policy-violation; sid:100000894; rev:1;) -# alert ip 169.254.0.0/16 any <> any any (msg:"COMMUNITY POLICY Link Local IP addresses traffic seen"; threshold:type limit, track by_src, count 1, seconds 60; classtype:bad-unknown;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY POLICY Google SafeSearch off"; flow:to_server,established; content:"/images?"; nocase; content:"&safe=off"; nocase; content:"&q="; nocase; classtype:policy-violation; sid:100000924; rev:1;) diff -Nru snort-2.8.5.2/rules/community-sid-msg.map snort-2.9.2/rules/community-sid-msg.map --- snort-2.8.5.2/rules/community-sid-msg.map 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/community-sid-msg.map 1970-01-01 00:00:00.000000000 +0000 
@@ -1,837 +0,0 @@ -# Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# This file is licensed under the GNU General Public License. -# Please see the file LICENSE in this directory for more details. -# Id SID -> MSG map - -100000100 || COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Flowbit || cve,2004-0629 || bugtraq,10947 -100000101 || COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Exploit || cve,2004-0629 || bugtraq,10947 -100000102 || COMMUNITY GAME Halocon Denial of Service Empty UDP Packet || bugtraq,12281 -100000103 || COMMUNITY GAME Breed Game Server Denial of Service Empty UDP Packet || bugtraq,12262 -100000104 || COMMUNITY GAME Amp II 3D Game Server Denial of Service Empty UDP Packet || bugtraq,12192 -100000105 || COMMUNITY INAPPROPRIATE lolita sex -100000106 || COMMUNITY SQL-INJECTION Microsoft BizTalk Server 2002 rawdocdata.asp || bugtraq,7470 || cve,2003-0118 || url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx -100000107 || COMMUNITY SQL-INJECTION Microsoft BizTalk Server 2002 RawCustomSearchField.asp || bugtraq,7470 || cve,2003-0118 || url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx -100000108 || COMMUNITY SQL-INJECTION OpenBB board.php || bugtraq,7404 -100000109 || COMMUNITY SQL-INJECTION OpenBB member.php || bugtraq,7404 -100000110 || COMMUNITY VIRUS Dabber PORT overflow attempt port 5554 || MCAFEE,125300 -100000111 || COMMUNITY VIRUS Dabber PORT overflow attempt port 1023 || MCAFEE,125300 -100000112 || COMMUNITY WEB-CGI Readfile.tcl Access || bugtraq,7426 -100000113 || COMMUNITY WEB-CGI HappyMall Command Execution member_html.cgi || bugtraq,7530 || cve,2003-0243 -100000114 || COMMUNITY WEB-CGI HappyMall Command Execution normal_html.cgi || bugtraq,7530 || cve,2003-0243 -100000115 || COMMUNITY WEB-CGI PHP-Nuke Web_Links Path Disclosure Null CID || bugtraq,7589 -100000116 || COMMUNITY WEB-CGI PHP-Nuke Web_Links Path Disclosure Non-Numeric CID || bugtraq,7589 -100000117 || COMMUNITY WEB-CGI 
VBulliten Remote Command Execution Attempt || bugtraq,12542 -100000118 || COMMUNITY WEB-CLIENT Internet Explorer URLMON.DLL Content-Type Overflow Attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx -100000119 || COMMUNITY WEB-CLIENT Internet Explorer URLMON.DLL Content-Encoding Overflow Attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx -100000121 || COMMUNITY WEB-MISC Test Script Access -100000122 || COMMUNITY WEB-MISC mod_jrun overflow attempt || bugtraq,11245 || cve,2004-0646 -100000123 || COMMUNITY INAPPROPRIATE preteen sex -100000124 || COMMUNITY INAPPROPRIATE girls gone wild -100000125 || COMMUNITY MISC Sentinel License Manager overflow attempt || cve,CAN-2005-0353 || bugtraq,12742 -100000126 || COMMUNITY MISC GoodTech Telnet Server Buffer Overflow Attempt || cve,2005-0768 || url,unsecure.altervista.org/security/goodtechtelnet.htm -100000127 || COMMUNITY WEB-CGI Stadtaus.com PHP Form Mail Remote Script Include Attack formmail.inc.php || bugtraq,12735 -100000128 || COMMUNITY WEB-CGI Stadtaus.com PHP Form Mail Remote Script Include Attack download_center_lite.inc.php || bugtraq,12735 -100000129 || COMMUNITY WEB-MISC Cisco IOS HTTP Router Management Service Infinite Loop DoS || bugtraq,10014 || url,www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml -100000130 || COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS || bugtraq,12778 -100000131 || COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS - Floppy Access || bugtraq,12778 -100000132 || COMMUNITY WEB-MISC Proxy Server Access -100000133 || COMMUNITY WEB-DoS Xeneo Server Question Mark GET Request || bugtraq,7398 || url,www.northernsolutions.com/support/index.php?view=support&cmd=releasenotes&productid=1 -100000134 || COMMUNITY DOS Tcpdump rsvp attack || cve,2005-1280 || cve,2005-1281 || bugtraq,13391 -100000135 || COMMUNITY IMAP GNU Mailutils request tag format string vulnerability 
|| cve,CAN-2005-1523 || bugtraq,13764 -100000136 || COMMUNITY IMAP GNU imapd search format string attempt || url,www.osvdb.org/displayvuln.php?osvdb_id=19306 || cve,2005-2878 -100000137 || COMMUNITY MISC BAD-SSL tcp detect -100000138 || COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt localhost || cve,2005-2678 -100000139 || COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt loopback IP || cve,2005-2678 -100000140 || COMMUNITY WEB-MISC MaxDB Web Tool Remote Stack Overflow || cve,2005-0684 || url,www.idefense.com/application/poi/display?id=234&type=vulnerabilities -100000141 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jsp directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252 -100000142 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jpg directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252 -100000143 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .gif directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252 -100000144 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .wav directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252 -100000145 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .css directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252 -100000146 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .htm directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252 -100000148 || COMMUNITY WEB-MISC Barracuda img.pl attempt || bugtraq,14712 || bugtraq,14710 || cve,2005-2848 -100000149 || COMMUNITY WEB-MISC Jboss % attempt || bugtraq,13985 || cve,2005-2006 || url,www.osvdb.org/displayvuln.php?osvdb_id=17403 -100000150 || COMMUNITY WEB-MISC HTTP Transfer-Content Request Smuggling attempt || bugtraq,13873 || bugtraq,14106 || cve,2005-2088 || cve,2005-2089 || cve,2005-2090 || cve,2005-2091 || cve,2005-2092 || cve,2005-2093 || cve,2005-2094 || url,www.osvdb.org/displayvuln.php?osvdb_id=17738 || nessus,18337 -100000151 || COMMUNITY WEB-PHP piranha default passwd attempt 
|| bugtraq,1148 || cve,2000-0248 || nessus,10381 -100000152 || COMMUNITY IMAP MDaemon authentication protocol decode -100000153 || COMMUNITY IMAP MDaemon authentication multiple packet overflow attempt || bugtraq,14317 -100000154 || COMMUNITY IMAP MDaemon authentication okay protocol decode -100000155 || COMMUNITY IMAP MDaemon authentication overflow single packet attempt || bugtraq,14317 -100000156 || COMMUNITY WEB-CGI Twiki shell command execution || bugtraq,14834 || cve,2005-2877 || url,twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev -100000157 || COMMUNITY WEB-CGI ATutor password_reminder.php SQL injection attempt || bugtraq,14831 -100000158 || COMMUNITY SIP INVITE message flooding -100000159 || COMMUNITY SIP REGISTER message flooding -100000160 || COMMUNITY SIP TCP/IP message flooding directed to SIP proxy -100000161 || COMMUNITY SIP DNS No such name treshold - Abnormaly high count of No such name responses -100000162 || COMMUNITY SIP 401 Unauthorized Flood -100000163 || COMMUNITY SIP 407 Proxy Authentication Required Flood -100000164 || COMMUNITY ICMP Linux DoS sctp Exploit || nessus,19777 -100000165 || COMMUNITY EXPLOIT Sentinel LM exploit || bugtraq,12742 || cve,2005-0353 || url,www.osvdb.org/displayvuln.php?osvdb_id=14605 || nessus,17326 -100000166 || COMMUNITY ORACLE TNS Listener shutdown via iSQLPlus attempt || bugtraq,15032 || url,www.red-database-security.com/advisory/oracle_isqlplus_shutdown.html -100000167 || COMMUNITY SMTP Hydra Activity Detected || url,www.thc.org/releases.php -100000168 || COMMUNITY WEB-ATTACKS Hydra Activity Detected || url,www.thc.org/releases.php -100000169 || COMMUNITY WEB-ATTACKS Amap fingerprint attempt || url,www.thc.org/releases.php -100000170 || COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Host Parameter || bugtraq,15081 || url,www.osvdb.org/displayvuln.php?osvdb_id=19926 -100000171 || COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Accept 
Parameter || bugtraq,15081 || url,www.osvdb.org/displayvuln.php?osvdb_id=19926 -100000172 || COMMUNITY NNTP Lynx overflow attempt || cve,2005-3120 || bugtraq,15117 || url,www.osvdb.org/displayvuln.php?osvdb_id=20019 || nessus,20035 -100000173 || COMMUNITY WEB-IIS RSA WebAgent Redirect Overflow attempt -100000174 || COMMUNITY WEB-IIS RSA WebAgent access || cve,2005-1118 || bugtraq,13168 -100000175 || COMMUNITY DOS Ethereal slimp overflow attempt || cve,2005-3243 || url,www.ethereal.com/docs/release-notes/ethereal-0.10.13.html -100000176 || COMMUNITY EXPLOIT HPUX LPD overflow attempt || cve,2005-3277 || bugtraq,15136 -100000177 || COMMUNITY WEB-MISC Linksys apply.cgi overflow attempt || bugtraq,14822 || cve,2005-2799 || nessus,20096 || url,www.osvdb.org/displayvuln.php?osvdb_id=19389 -100000178 || COMMUNITY WEB-MISC Hasbani-WindWeb GET DoS attempt || bugtraq,15225 || nessus,20097 -100000179 || COMMUNITY WEB-MISC SMC TRACE access || url,www.kb.cert.org/vuls/id/867593 -100000180 || COMMUNITY EXPLOIT SIP UDP spoof attempt || bugtraq,14174 || cve,2005-2182 || url,www.osvdb.org/displayvuln.php?osvdb_id=17838 -100000181 || COMMUNITY GAME FlatFrag game dos exploit || bugtraq,15287 || cve,2005-3492 -100000182 || COMMUNITY GAME Battle Carry attempt || cve,2005-3493 || bugtraq,15282 -100000183 || COMMUNITY WEB-ATTACKS SAP WAS syscmd access || url,www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf -100000184 || COMMUNITY WEB-MISC JBoss JMXInvokerServlet access || url,online.securityfocus.com/archive/1/415707 -100000185 || COMMUNITY WEB-MISC apache directory list attempt || bugtraq,3009 || cve,2001-0731 -100000186 || COMMUNITY WEB-PHP phpinfo access || bugtraq,5789 || cve,2002-1149 || url,www.osvdb.org/displayvuln.php?osvdb_id=3356 -100000187 || COMMUNITY WEB-PHP XSS attempt -100000188 || COMMUNITY WEB-PHP Vubb Path attempt || cve,2005-3513 || url,marc.theaimsgroup.com/?l=bugtraq&m=113087965608496&w=2 -100000189 || COMMUNITY MISC streaming RTSP - realplayer 
|| url,www.rtsp.org -100000190 || COMMUNITY MISC streaming Windows Mediaplayer || url,www.microsoft.com -100000191 || COMMUNITY SMTP Gnu Mailman utf8 attachement access || bugtraq,15408 || cve,2005-3573 || url,www.osvdb.org/displayvuln.php?osvdb_id=20819 -100000192 || COMMUNITY SQL-INJECTION WIZZ ForumTopicDetails Sql Injection attempt || bugtraq,15410 || url,www.osvdb.org/displayvuln.php?osvdb_id=20846 -100000193 || COMMUNITY SQL-INJECTION WIZZ ForumAuthDetails Sql Injection attempt || bugtraq,15410 || url,www.osvdb.org/displayvuln.php?osvdb_id=20845 -100000194 || COMMUNITY SQL-INJECTION WIZZ ForumReply Sql Injection attempt || bugtraq,15410 || url,www.osvdb.org/displayvuln.php?osvdb_id=20847 -100000195 || COMMUNITY WEB-PHP _SERVER HTTP_ACCEPT_LANGUAGE access || bugtraq,15414 || cve,2005-3347 -100000196 || COMMUNITY IMAP Qualcomm WorldMail SELECT dot dot attempt || cve,2005-3189 || bugtraq,15488 -100000197 || COMMUNITY ICMP undefined code -100000198 || COMMUNITY MISC Ntp fingerprint detect || url,www.arhont.com/ViewPage7422.html?siteNodeId=3&languageId=1&contentId=-1 -100000199 || COMMUNITY MISC Novell eDirectory iMonitor access || bugtraq,14548 || cve,2005-2551 || nessus,19248 || url,www.osvdb.org/displayvuln.php?osvdb_id=18703 -100000200 || COMMUNITY WEB-MISC Symantec Brightmail Antispam default login attempt || nessus,19598 || url,securityresponse.symantec.com/avcenter/security/Content/2005.05.31a.html -100000201 || COMMUNITY WEB-PHP CuteNews flood.db.php access || bugtraq,14869 || cve,2005-3010 || nessus,19756 || url,www.osvdb.org/displayvuln.php?osvdb_id=19478 -100000202 || COMMUNITY WEB-PHP DeluxeBB topic.php access || bugtraq,14851 || cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19404 -100000203 || COMMUNITY WEB-PHP DeluxeBB misc.php access || bugtraq,14851 || cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19405 -100000204 || COMMUNITY WEB-PHP DeluxeBB pm.php access || bugtraq,14851 || 
cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19407 -100000205 || COMMUNITY WEB-PHP DeluxeBB forums.php access || bugtraq,14851 || cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19406 -100000206 || COMMUNITY WEB-PHP DeluxeBB newpost.php access || bugtraq,14851 || cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19408 -100000207 || COMMUNITY IMAP GNU Mailutils imap4d hex attempt || cve,2005-2878 || bugtraq,14794 || nessus,19605 || url,www.osvdb.org/displayvuln.php?osvdb_id=19306 -100000208 || COMMUNITY MISC Tunneling IP over DNS with NSTX || url,nstx.dereference.de/nstx/ || url,slashdot.org/articles/00/09/10/2230242.shtml -100000209 || COMMUNITY WEB-MISC FtpLocate flsearch.pl possible command execution attempt || bugtraq,14367 || cve,2005-2420 || nessus,19300 || url,www.osvdb.org/displayvuln.php?osvdb_id=18305 -100000210 || COMMUNITY WEB-MISC generic cmd pipe after = attempt -100000211 || COMMUNITY WEB-PHP Gallery g2_itemId access || bugtraq,15108 || cve,2005-0222 || nessus,20015 || url,www.osvdb.org/displayvuln.php?osvdb_id=13034 -100000212 || COMMUNITY WEB-PHP Gallery g2_return access || bugtraq,15108 || cve,2005-0222 || nessus,20015 || url,www.osvdb.org/displayvuln.php?osvdb_id=13034 -100000213 || COMMUNITY WEB-PHP Gallery g2_view access || bugtraq,15108 || cve,2005-0222 || nessus,20015 || url,www.osvdb.org/displayvuln.php?osvdb_id=13034 -100000214 || COMMUNITY WEB-PHP Gallery g2_subView access || bugtraq,15108 || cve,2005-0222 || nessus,20015 || url,www.osvdb.org/displayvuln.php?osvdb_id=13034 -100000215 || COMMUNITY DOS Trend Micro ServerProtect EarthAgent attempt || cve,2005-1928 || url,www.idefense.com/application/poi/display?id=356&type=vulnerabilities -100000216 || COMMUNITY WEB-MISC Trend Micro ServerProtect isaNVWRequest.dll access || cve,2005-1929 || url,www.idefense.com/application/poi/display?id=353&type=vulnerabilities -100000217 || COMMUNITY WEB-MISC man2web cmd 
exec attempt || cve,2005-2812 || bugtraq,14747 || nessus,19591 -100000218 || COMMUNITY WEB-PHP MailGust SQL Injection email attempt || bugtraq,14933 || cve,2005-3063 || nessus,19947 -100000219 || COMMUNITY SMTP MIME-Type ms-tnef access || bugtraq,16197 || cve,2006-0002 || url,www.microsoft.com/technet/security/bulletin/MS06-003.mspx -100000220 || COMMUNITY WEB-PHP PHP-Nuke admin_styles.php phpbb_root_path access || url,www.autistici.org/anacron-group-italy/file/txt/sile002adv.txt || url,www.osvdb.org/displayvuln.php?osvdb_id=16244 -100000221 || COMMUNITY WEB-PHP AppServ main.php appserv_root param access || url,www.osvdb.org/displayvuln.php?osvdb_id=22228 -100000222 || COMMUNITY MISC TFTP32 Get Format string attempt || url,www.securityfocus.com/archive/1/422405/30/0/threaded || url,www.critical.lt/?vulnerabilities/200 -100000223 || COMMUNITY EXPLOIT SIP UDP Softphone overflow attempt || bugtraq,16213 || cve,2006-0189 -100000224 || COMMUNITY SMTP Mozilla filename overflow attempt || bugtraq,16271 -100000225 || COMMUNITY WEB-MISC ASPSurvey Login_Validate.asp Password param access || cve,2006-0192 -100000226 || COMMUNITY VIRUS Possible BlackWorm or Nymex infected host || url,www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2fMywife.E%40mm || url,cme.mitre.org/data/list.html#24 || url,isc.sans.org/blackworm -100000227 || COMMUNITY MISC SNMP trap Format String detected || bugtraq,16267 || cve,2006-0250 || url,www.osvdb.org/displayvuln.php?osvdb_id=22493 -100000228 || COMMUNITY WEB-CLIENT Winamp PlayList buffer overflow attempt || bugtraq,16410 || cve,2006-0476 || url,www.frsirt.com/english/advisories/2006/0361 -100000229 || COMMUNITY MISC Lotus Domino LDAP attack || bugtraq,16523 || cve,2006-0580 || url,lists.immunitysec.com/pipermail/dailydave/2006-February/002896.html -100000230 || COMMUNITY MISC Jabber/Google Talk Outgoing Traffic || url,www.google.com/talk/ -100000231 || COMMUNITY MISC Jabber/Google Talk Outgoing Auth || url,www.google.com/talk/ 
-100000232 || COMMUNITY MISC Google Talk Logon || url,www.google.com/talk/ -100000233 || COMMUNITY MISC Jabber/Google Talk Outoing Message || url,www.google.com/talk/ -100000234 || COMMUNITY MISC Jabber/Google Talk Log Out || url,www.google.com/talk/ -100000235 || COMMUNITY MISC Jabber/Google Talk Logon Success || url,www.google.com/talk/ -100000236 || COMMUNITY MISC Jabber/Google Talk Incoming Message || url,www.google.com/talk/ -100000237 || COMMUNITY WEB-MISC Proxy Bypass Via Google Translation Same To And From Language || url,www.boingboing.net/2006/02/22/argonne_national_lab.html -100000238 || COMMUNITY WEB-CLIENT IE mulitple event handler heap overflow attempt || bugtraq,17131 || cve,2006-1245 || url,www.microsoft.com/technet/security/Bulletin/MS06-013.mspx -100000239 || COMMUNITY WEB-CLIENT IE createTextRange overflow attempt || bugtraq,17196 || cve,2006-1359 || url,www.microsoft.com/technet/security/Bulletin/MS06-013.mspx -100000240 || COMMUNITY BOT IRC Traffic Detected By Nick Change -100000241 || COMMUNITY BOT Internal IRC server detected -100000242 || COMMUNITY BOT Agobot/PhatBot bot.about command -100000243 || COMMUNITY BOT Agobot/PhatBot bot.die command -100000244 || COMMUNITY BOT Agobot/PhatBot bot.dns command -100000245 || COMMUNITY BOT Agobot/PhatBot bot.execute command -100000246 || COMMUNITY BOT Agobot/PhatBot bot.id command -100000247 || COMMUNITY BOT Agobot/PhatBot bot.nick command -100000248 || COMMUNITY BOT Agobot/PhatBot bot.open command -100000249 || COMMUNITY BOT Agobot/PhatBot bot.remove command -100000250 || COMMUNITY BOT Agobot/PhatBot bot.removeallbut command -100000251 || COMMUNITY BOT Agobot/PhatBot bot.rndnick command -100000252 || COMMUNITY BOT Agobot/PhatBot bot.status command -100000253 || COMMUNITY BOT Agobot/PhatBot bot.sysinfo command -100000254 || COMMUNITY BOT Agobot/PhatBot bot.longuptime command -100000255 || COMMUNITY BOT Agobot/PhatBot bot.highspeed command -100000256 || COMMUNITY BOT Agobot/PhatBot bot.quit command 
-100000257 || COMMUNITY BOT Agobot/PhatBot bot.flushdns command
-100000258 || COMMUNITY BOT Agobot/PhatBot bot.secure command
-100000259 || COMMUNITY BOT Agobot/PhatBot bot.unsecure command
-100000260 || COMMUNITY BOT Agobot/PhatBot bot.command command
-100000261 || COMMUNITY BOT SDBot killthread command
-100000262 || COMMUNITY BOT SDBot cdkey command
-100000263 || COMMUNITY BOT SDBot getcdkey command
-100000264 || COMMUNITY BOT SDBot rndnick command
-100000265 || COMMUNITY BOT SDBot c_rndnick command
-100000266 || COMMUNITY BOT SDBot c_nick command
-100000267 || COMMUNITY BOT SpyBot stopspy command
-100000268 || COMMUNITY BOT SpyBot redirectspy command
-100000269 || COMMUNITY BOT SpyBot loadclones command
-100000270 || COMMUNITY BOT SpyBot killclones command
-100000271 || COMMUNITY BOT SpyBot rawclones command
-100000272 || COMMUNITY BOT GTBot ver command
-100000273 || COMMUNITY BOT GTBot info command
-100000274 || COMMUNITY BOT GTBot scan command
-100000275 || COMMUNITY BOT GTBot portscan command
-100000276 || COMMUNITY BOT GTBot stopscan command
-100000277 || COMMUNITY BOT GTBot packet command
-100000278 || COMMUNITY BOT GTBot bnc command
-100000279 || COMMUNITY SMTP Incoming WAB attachment || cve,2006-0014 || url,www.microsoft.com/technet/security/bulletin/MS06-016.mspx
-100000281 || COMMUNITY MISC Connect Direct Server - Session Terminated Invalid Credentials
-100000282 || COMMUNITY VIRUS Nugache connect
-100000283 || COMMUNITY VIRUS Nugache data || url,securityresponse.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html
-100000284 || COMMUNITY WEB-CLIENT RealMedia invalid chunk size heap overflow attempt || bugtraq,17202 || cve,2005-2922 || url,service.real.com/realplayer/security/03162006_player/en/
-100000285 || COMMUNITY WEB-PHP ldap_var.inc.php remote file include attempt || bugtraq,17915
-100000286 || COMMUNITY WEB-PHP X Poll admin access || url,marc.theaimsgroup.com/?l=bugtraq&m=114710173409997&w=2
-100000287 || COMMUNITY WEB-PHP Claroline ldap.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
-100000288 || COMMUNITY WEB-PHP Claroline atutor.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
-100000289 || COMMUNITY WEB-PHP Claroline db-generic.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
-100000290 || COMMUNITY WEB-PHP Claroline docebo.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
-100000291 || COMMUNITY WEB-PHP Claroline dokeos.1.6.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
-100000292 || COMMUNITY WEB-PHP Claroline dokeos.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
-100000293 || COMMUNITY WEB-PHP Claroline ganesha.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
-100000294 || COMMUNITY WEB-PHP Claroline mambo.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
-100000295 || COMMUNITY WEB-PHP Claroline moodle.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
-100000296 || COMMUNITY WEB-PHP Claroline phpnuke.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
-100000297 || COMMUNITY WEB-PHP Claroline postnuke.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
-100000298 || COMMUNITY WEB-PHP Claroline spip.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
-100000299 || COMMUNITY WEB-PHP Claroline event/init_event_manager.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
-100000300 || COMMUNITY WEB-PHP Claroline export_exe_tracking.class.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
-100000301 || COMMUNITY SMTP McAfee WebShield SMTP bounce message format string attempt || bugtraq,16742 || cve,2006-0559
-100000302 || COMMUNITY WEB-MISC DeviceSelection.asp sRedirectUrl parameter access || bugtraq,17964
-100000303 || COMMUNITY WEB-MISC DeviceSelection.asp sCancelURL parameter access || bugtraq,17964
-100000304 || COMMUNITY WEB-PHP Gphoto index.php rep parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2
-100000305 || COMMUNITY WEB-PHP Gphoto index.php image parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2
-100000306 || COMMUNITY WEB-PHP Gphoto diapho.php rep parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2
-100000307 || COMMUNITY WEB-PHP Gphoto diapho.php image parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2
-100000308 || COMMUNITY WEB-PHP Gphoto affich.php rep parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2
-100000309 || COMMUNITY WEB-PHP Gphoto affich.php image parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2
-100000310 || COMMUNITY VIRUS Ginwui.B command server dns query attempt - scfzf.xicp.net || url,vil.nai.com/vil/content/v_139545.htm
-100000311 || COMMUNITY VIRUS Ginwui.B command server dns query attempt - localhosts.3322.org || url,vil.nai.com/vil/content/v_139545.htm
-100000312 || COMMUNITY VIRUS Ginwui.B POST attempt || url,vil.nai.com/vil/content/v_139545.htm
-100000313 || COMMUNITY WEB-MISC 3Com Network Supervisor directory traversal || bugtraq,14715 || cve,2005-2020
-100000314 || COMMUNITY WEB-MISC MediaWiki parser script insertion attempt || cve,2006-2611
-100000315 || COMMUNITY WEB-MISC HTTP PUT Request || url,infosecpotpourri.blogspot.com/2006/06/http-put-defacement-attempts.html
-100000316 || COMMUNITY WEB-MISC HTTP PUT Request Successful || url,infosecpotpourri.blogspot.com/2006/06/http-put-defacement-attempts.html
-100000317 || COMMUNITY WEB-MISC phpBazar classified_right.php remote file include || bugtraq,18052
-100000318 || COMMUNITY WEB-MISC phpBazar admin.php unauthorized administrative access || bugtraq,18053 || cve,2006-2527
-100000319 || COMMUNITY WEB-MISC ActualScripts direct.php remote file include || bugtraq,17597
-100000320 || COMMUNITY WEB-MISC ScozNet ScozNews functions.php remote file include || bugtraq,18027
-100000321 || COMMUNITY WEB-MISC ScozNet ScozNews help.php remote file include || bugtraq,18027
-100000322 || COMMUNITY WEB-MISC ScozNet ScozNews mail.php remote file include || bugtraq,18027
-100000323 || COMMUNITY WEB-MISC ScozNet ScozNews news.php remote file include || bugtraq,18027
-100000324 || COMMUNITY WEB-MISC ScozNet ScozNews template.php remote file include || bugtraq,18027
-100000325 || COMMUNITY WEB-MISC ScozNet ScozNews admin_cats.php remote file include || bugtraq,18027
-100000326 || COMMUNITY WEB-MISC ScozNet ScozNews admin_edit.php remote file include || bugtraq,18027
-100000327 || COMMUNITY WEB-MISC ScozNet ScozNews admin_import.php remote file include || bugtraq,18027
-100000328 || COMMUNITY WEB-MISC ScozNet ScozNews admin_templates.php remote file include || bugtraq,18027
-100000329 || COMMUNITY WEB-MISC Invision Power Board class_post.php remote file include || bugtraq,18040
-100000330 || COMMUNITY WEB-MISC Invision Power Board moderate.php remote file include || bugtraq,18040
-100000331 || COMMUNITY WEB-MISC ZixForum settings.asp access || bugtraq,18043
-100000332 || COMMUNITY WEB-MISC Artmedic Newsletter log.php access || bugtraq,18047
-100000333 || COMMUNITY WEB-MISC Artmedic Newsletter log.php access || bugtraq,18047
-100000334 || COMMUNITY WEB-MISC CaLogic Calendars reconfig.php remote file include || bugtraq,18076
-100000335 || COMMUNITY WEB-MISC CaLogic Calendars srxclr.php remote file include || bugtraq,18076
-100000336 || COMMUNITY WEB-MISC phpMyDirectory footer.php remote file include || cve,2006-2521
-100000337 || COMMUNITY WEB-MISC phpMyDirectory defaults_setup.php remote file include || cve,2006-2521
-100000338 || COMMUNITY WEB-MISC phpMyDirectory header.php remote file include || cve,2006-2521
-100000339 || COMMUNITY WEB-MISC V-Webmail core.php remote file include || url,secunia.com/advisories/20297/
-100000340 || COMMUNITY WEB-MISC V-Webmail pop3.php remote file include || url,secunia.com/advisories/20297/
-100000341 || COMMUNITY WEB-MISC DoceboLMS help.php remote file include || bugtraq,18110
-100000342 || COMMUNITY WEB-MISC DoceboLMS business.php remote file include || bugtraq,18110
-100000343 || COMMUNITY WEB-MISC DoceboLMS credits.php remote file include || bugtraq,18110
-100000344 || COMMUNITY WEB-MISC SocketMail index.php remote file include || url,secunia.com/advisories/20273/
-100000345 || COMMUNITY WEB-MISC SocketMail inc-common.php remote file include || url,secunia.com/advisories/20273/
-100000346 || COMMUNITY WEB-MISC Plume CMS prepend.php remote file include || bugtraq,16662
-100000347 || COMMUNITY WEB-MISC Ezupload Pro form.php remote file include || bugtraq,18135
-100000348 || COMMUNITY WEB-MISC Ezupload Pro customize.php remote file include || bugtraq,18135
-100000349 || COMMUNITY WEB-MISC Ezupload Pro initialize.php remote file include || bugtraq,18135
-100000350 || COMMUNITY WEB-MISC UBBThreads ubbt.inc.php remote file include || url,www.nukedx.com/?viewdoc=40
-100000351 || COMMUNITY WEB-MISC UBBThreads config[cookieprefix] remote file include || url,www.nukedx.com/?viewdoc=40
-100000352 || COMMUNITY WEB-MISC Blend Portal blend_common.php remote file include || bugtraq,18153 || url,www.nukedx.com/?viewdoc=41
-100000353 || COMMUNITY WEB-MISC tinyBB footers.php remote file include || bugtraq,18147
-100000354 || COMMUNITY WEB-MISC phpBB-Amod lang_activity.php remote file include || bugtraq,18155
-100000355 || COMMUNITY WEB-MISC eSyndiCat cron.php remote file include || url,secunia.com/advisories/20218/
-100000356 || COMMUNITY WEB-MISC BASE base_qry_common.php remote file include || url,secunia.com/advisories/20300/
-100000357 || COMMUNITY WEB-MISC BASE base_stat_common.php remote file include || url,secunia.com/advisories/20300/
-100000358 || COMMUNITY WEB-MISC BASE base_include.inc.php remote file include || url,secunia.com/advisories/20300/
-100000359 || COMMUNITY WEB-MISC Fastpublish CMS drucken.php remote file include || bugtraq,18163
-100000360 || COMMUNITY WEB-MISC Fastpublish CMS drucken2.php remote file include || bugtraq,18163
-100000361 || COMMUNITY WEB-MISC Fastpublish CMS email_an_benutzer.php remote file include || bugtraq,18163
-100000362 || COMMUNITY WEB-MISC Fastpublish CMS rechnung.php remote file include || bugtraq,18163
-100000363 || COMMUNITY WEB-MISC Fastpublish CMS search.php remote file include || bugtraq,18163
-100000364 || COMMUNITY WEB-MISC Fastpublish CMS admin.php remote file include || bugtraq,18163
-100000365 || COMMUNITY WEB-MISC phpNuke index.php remote file include || bugtraq,18186
-100000366 || COMMUNITY WEB-MISC phpNuke admin_ug_auth.php remote file include || bugtraq,18186
-100000367 || COMMUNITY WEB-MISC phpNuke admin_board.php remote file include || bugtraq,18186
-100000368 || COMMUNITY WEB-MISC phpNuke admin_disallow.php remote file include || bugtraq,18186
-100000369 || COMMUNITY WEB-MISC phpNuke admin_forumauth.php remote file include || bugtraq,18186
-100000370 || COMMUNITY WEB-MISC phpNuke admin_groups.php remote file include || bugtraq,18186
-100000371 || COMMUNITY WEB-MISC phpNuke admin_ranks.php remote file include || bugtraq,18186
-100000372 || COMMUNITY WEB-MISC phpNuke admin_styles.php remote file include || bugtraq,18186
-100000373 || COMMUNITY WEB-MISC phpNuke admin_user_ban.php remote file include || bugtraq,18186
-100000374 || COMMUNITY WEB-MISC phpNuke admin_words.php remote file include || bugtraq,18186
-100000375 || COMMUNITY WEB-MISC phpNuke admin_avatar.php remote file include || bugtraq,18186
-100000376 || COMMUNITY WEB-MISC phpNuke admin_db_utilities.php remote file include || bugtraq,18186
-100000377 || COMMUNITY WEB-MISC phpNuke admin_forum_prune.php remote file include || bugtraq,18186
-100000378 || COMMUNITY WEB-MISC phpNuke admin_forums.php remote file include || bugtraq,18186
-100000379 || COMMUNITY WEB-MISC phpNuke admin_mass_email.php remote file include || bugtraq,18186
-100000380 || COMMUNITY WEB-MISC phpNuke admin_smilies.php remote file include || bugtraq,18186
-100000381 || COMMUNITY DELETED phpNuke admin_ug_auth.php remote file include || bugtraq,18186
-100000382 || COMMUNITY WEB-MISC phpNuke admin_users.php remote file include || bugtraq,18186
-100000383 || COMMUNITY WEB-MISC OsTicket open_form.php remote file include || bugtraq,18190
-100000384 || COMMUNITY WEB-MISC Ottoman index.php remote file include || bugtraq,18208
-100000385 || COMMUNITY WEB-MISC Ottoman error.php remote file include || bugtraq,18208
-100000386 || COMMUNITY WEB-MISC Ottoman main_class.php remote file include || bugtraq,18208
-100000387 || COMMUNITY WEB-MISC Ovidentia index.php remote file include || bugtraq,18232
-100000388 || COMMUNITY WEB-MISC Ovidentia topman.php remote file include || bugtraq,18232
-100000389 || COMMUNITY WEB-MISC Ovidentia approb.php remote file include || bugtraq,18232
-100000390 || COMMUNITY WEB-MISC Ovidentia vacadmb.php remote file include || bugtraq,18232
-100000391 || COMMUNITY WEB-MISC Ovidentia vacadma.php remote file include || bugtraq,18232
-100000392 || COMMUNITY WEB-MISC Ovidentia vacadm.php remote file include || bugtraq,18232
-100000393 || COMMUNITY WEB-MISC Ovidentia start.php remote file include || bugtraq,18232
-100000394 || COMMUNITY WEB-MISC Ovidentia search.php remote file include || bugtraq,18232
-100000395 || COMMUNITY WEB-MISC Ovidentia posts.php remote file include || bugtraq,18232
-100000396 || COMMUNITY WEB-MISC Ovidentia options.php remote file include || bugtraq,18232
-100000397 || COMMUNITY WEB-MISC Ovidentia login.php remote file include || bugtraq,18232
-100000398 || COMMUNITY WEB-MISC Ovidentia frchart.php remote file include || bugtraq,18232
-100000399 || COMMUNITY WEB-MISC Ovidentia flbchart.php remote file include || bugtraq,18232
-100000400 || COMMUNITY WEB-MISC Ovidentia fileman.php remote file include || bugtraq,18232
-100000401 || COMMUNITY WEB-MISC Ovidentia faq.php remote file include || bugtraq,18232
-100000402 || COMMUNITY WEB-MISC Ovidentia event.php remote file include || bugtraq,18232
-100000403 || COMMUNITY WEB-MISC Ovidentia directory.php remote file include || bugtraq,18232
-100000404 || COMMUNITY WEB-MISC Ovidentia articles.php remote file include || bugtraq,18232
-100000405 || COMMUNITY WEB-MISC Ovidentia artedit.php remote file include || bugtraq,18232
-100000406 || COMMUNITY WEB-MISC Ovidentia approb.php remote file include || bugtraq,18232
-100000407 || COMMUNITY WEB-MISC Ovidentia calday.php remote file include || bugtraq,18232
-100000408 || COMMUNITY WEB-MISC AssoCIateD cache_mngt.php remote file include || bugtraq,18220
-100000409 || COMMUNITY WEB-MISC AssoCIateD gallery_functions.php remote file include || bugtraq,18220
-100000410 || COMMUNITY WEB-MISC REDAXO index.inc.php remote file include || bugtraq,18229
-100000411 || COMMUNITY WEB-MISC REDAXO index.inc.php remote file include || bugtraq,18229
-100000412 || COMMUNITY WEB-MISC REDAXO index.inc.php remote file include || bugtraq,18229
-100000413 || COMMUNITY WEB-MISC REDAXO index.inc.php remote file include || bugtraq,18229
-100000414 || COMMUNITY WEB-MISC REDAXO community.inc.php remote file include || bugtraq,18229
-100000415 || COMMUNITY WEB-MISC Bytehoard server.php remote file include || bugtraq,18234
-100000416 || COMMUNITY WEB-MISC MyBloggie admin.php remote file include || bugtraq,18241
-100000417 || COMMUNITY WEB-MISC MyBloggie scode.php remote file include || bugtraq,18241
-100000418 || COMMUNITY WEB-MISC Ashwebstudio Ashnews ashheadlines.php remote file include || bugtraq,18248
-100000419 || COMMUNITY WEB-MISC Ashwebstudio Ashnews ashnews.php remote file include || bugtraq,18248
-100000420 || COMMUNITY WEB-MISC Informium common-menu.php remote file include || bugtraq,18249
-100000421 || COMMUNITY WEB-MISC Igloo wiki.php remote file include || bugtraq,18250
-100000422 || COMMUNITY WEB-MISC phpBB template.php remote file include || bugtraq,18255
-100000423 || COMMUNITY WEB-MISC DotWidget CMS index.php remote file include || bugtraq,18258
-100000424 || COMMUNITY WEB-MISC DotWidget CMS feedback.php remote file include || bugtraq,18258
-100000425 || COMMUNITY WEB-MISC DotWidget CMS printfriendly.php remote file include || bugtraq,18258
-100000426 || COMMUNITY WEB-MISC DotClear prepend.php remote file include || bugtraq,18259
-100000427 || COMMUNITY WEB-MISC JBoss jmx-console html adaptor access || url,jboss.org/wiki/Wiki.jsp?page=JMXConsole
-100000428 || COMMUNITY WEB-MISC JBoss RMI class download service directory listing attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2
-100000429 || COMMUNITY WEB-MISC JBoss web-console access || url,www.jboss.org/wiki/Wiki.jsp?page=WebConsole
-100000430 || COMMUNITY WEB-MISC BlueShoes Bs_Faq.class.php remote file include || bugtraq,18261
-100000431 || COMMUNITY WEB-MISC BlueShoes fileBrowserInner.php remote file include || bugtraq,18261
-100000432 || COMMUNITY WEB-MISC BlueShoes file.php remote file include || bugtraq,18261
-100000433 || COMMUNITY WEB-MISC BlueShoes viewer.php remote file include || bugtraq,18261
-100000434 || COMMUNITY WEB-MISC BlueShoes Bs_ImageArchive.class.php remote file include || bugtraq,18261
-100000435 || COMMUNITY WEB-MISC BlueShoes Bs_Ml_User.class.php remote file include || bugtraq,18261
-100000436 || COMMUNITY WEB-MISC BlueShoes Bs_Wse_Profile.class.php remote file include || bugtraq,18261
-100000437 || COMMUNITY WEB-MISC CS-Cart class.cs_phpmailer.php remote file include || bugtraq,18263
-100000438 || COMMUNITY WEB-MISC Claroline mambo.inc.php remote file include || bugtraq,18265
-100000439 || COMMUNITY WEB-MISC Claroline postnuke.inc.php remote file include || bugtraq,18265
-100000440 || COMMUNITY WEB-MISC CyBoards common.php remote file include || bugtraq,18272
-100000441 || COMMUNITY WEB-MISC Wikiwig wk_lang.php remote file include || bugtraq,18291
-100000442 || COMMUNITY WEB-MISC MiraksGalerie pcltar.lib.php remote file include || bugtraq,18313
-100000443 || COMMUNITY WEB-MISC MiraksGalerie galimage.lib.php remote file include || bugtraq,18313
-100000444 || COMMUNITY WEB-MISC MiraksGalerie galsecurity.lib.php remote file include || bugtraq,18313
-100000445 || COMMUNITY WEB-PHP Particle Gallery Viewimage PHP Variable Injection Attempt || bugtraq,18270
-100000446 || COMMUNITY WEB-PHP Particle Wiki PHP SQL Injection attempt || bugtraq,18273
-100000447 || COMMUNITY WEB-CLIENT Mozilla Firefox DOMNodeRemoved attack attempt || bugtraq,18228 || cve,2006-2779
-100000448 || COMMUNITY WEB-MISC OfficeFlow default.asp xss attempt || bugtraq,18367
-100000449 || COMMUNITY WEB-MISC OfficeFlow files.asp MSSQL injection attempt || bugtraq,18367
-100000450 || COMMUNITY WEB-MISC VanillaSoft Helpdesk default.asp xss attempt || bugtraq,18368
-100000451 || COMMUNITY WEB-MISC KAPhotoservice album.asp xss attempt || bugtraq,18379
-100000452 || COMMUNITY WEB-MISC KAPhotoservice album.asp xss attempt || bugtraq,18379
-100000453 || COMMUNITY WEB-MISC KAPhotoservice edtalbum.asp xss attempt || bugtraq,18379
-100000454 || COMMUNITY WEB-MISC KAPhotoservice edtalbum.asp xss attempt || bugtraq,18379
-100000455 || COMMUNITY WEB-MISC Axent Forum viewposts.cfm xss attempt || bugtraq,18473
-100000456 || COMMUNITY WEB-MISC SSPwiz index.cfm xss attempt || bugtraq,18482
-100000457 || COMMUNITY WEB-MISC ASP Stats pages.asp MSSQL injection attempt || bugtraq,18512
-100000458 || COMMUNITY WEB-MISC DPVision Tradingeye Shop details.cfm xss attempt || bugtraq,18526
-100000459 || COMMUNITY WEB-MISC WeBBoA yeni_host.asp MSSQL injection attempt || bugtraq,18564
-100000460 || COMMUNITY WEB-MISC AZureus index.tmpl xss attempt || bugtraq,18596
-100000461 || COMMUNITY WEB-MISC Open WebMail openwebmail-read.pl xss attempt || bugtraq,18598
-100000462 || COMMUNITY WEB-MISC Open WebMail openwebmail-read.pl xss attempt || bugtraq,18598
-100000463 || COMMUNITY WEB-PHP Joomla joomla.php remote file include || bugtraq,18363
-100000464 || COMMUNITY WEB-PHP LoveCompass AEPartner design.inc.php remote file include || bugtraq,18370
-100000465 || COMMUNITY WEB-PHP Empris sql_fcnsOLD.php remote file include || bugtraq,18371
-100000466 || COMMUNITY WEB-PHP Free QBoard post.php remote file include || bugtraq,18373
-100000467 || COMMUNITY WEB-PHP WebprojectDB nav.php remote file include || bugtraq,18378
-100000468 || COMMUNITY WEB-PHP WebprojectDB lang.php remote file include || bugtraq,18378
-100000469 || COMMUNITY WEB-PHP iFoto index.php xss attempt || bugtraq,18391
-100000470 || COMMUNITY WEB-PHP Foing manage_songs.php remote file include || bugtraq,18392
-100000471 || COMMUNITY WEB-PHP VBZoom show.php SQL injection attempt || bugtraq,18403
-100000472 || COMMUNITY WEB-PHP VBZoom show.php SQL injection attempt || bugtraq,18403
-100000473 || COMMUNITY WEB-PHP VBZoom language.php SQL injection attempt || bugtraq,18403
-100000474 || COMMUNITY WEB-PHP VBZoom meaning.php SQL injection attempt || bugtraq,18403
-100000475 || COMMUNITY WEB-PHP VBZoom meaning.php SQL injection attempt || bugtraq,18403
-100000476 || COMMUNITY WEB-PHP VBZoom meaning.php SQL injection attempt || bugtraq,18403
-100000477 || COMMUNITY WEB-PHP VBZoom subject.php SQL injection attempt || bugtraq,18403
-100000478 || COMMUNITY WEB-PHP aWebNews visview.php remote file include || bugtraq,18406
-100000479 || COMMUNITY WEB-PHP CzarNews headlines.php remote file include || bugtraq,18411
-100000480 || COMMUNITY WEB-PHP Somery team.php remote file include || bugtraq,18412
-100000481 || COMMUNITY WEB-PHP Hinton Design PHPHG signed.php remote file include || bugtraq,18413
-100000482 || COMMUNITY WEB-PHP BoastMachine vote.php remote file include || bugtraq,18415
-100000483 || COMMUNITY WEB-PHP Wheatblog view_links.php remote file include || bugtraq,18416
-100000484 || COMMUNITY WEB-PHP Confixx ftp_index.php xss attempt || bugtraq,18426
-100000485 || COMMUNITY WEB-PHP RahnemaCo page.php remote file include || bugtraq,18435
-100000486 || COMMUNITY WEB-PHP PhpBlueDragon CMS template.php remote file include || bugtraq,18440
-100000487 || COMMUNITY WEB-PHP ISPConfig server.inc.php remote file include || bugtraq,18441
-100000488 || COMMUNITY WEB-PHP ISPConfig app.inc.php remote file include || bugtraq,18441
-100000489 || COMMUNITY WEB-PHP ISPConfig login.php remote file include || bugtraq,18441
-100000490 || COMMUNITY WEB-PHP ISPConfig trylogin.php remote file include || bugtraq,18441
-100000491 || COMMUNITY WEB-PHP DeluxeBB posting.php remote file include || bugtraq,18455
-100000492 || COMMUNITY WEB-PHP DeluxeBB newpm.php remote file include || bugtraq,18455
-100000493 || COMMUNITY WEB-PHP DeluxeBB postreply.php remote file include || bugtraq,18455
-100000494 || COMMUNITY WEB-PHP Zeroboard write_ok.php xss attempt || bugtraq,18458
-100000495 || COMMUNITY WEB-PHP Zeroboard write_ok.php xss attempt || bugtraq,18458
-100000496 || COMMUNITY WEB-PHP Chipmailer index.php SQL injection attempt || bugtraq,18463
-100000497 || COMMUNITY WEB-PHP Calendarix cal_event.php SQL injection attempt || bugtraq,18469
-100000498 || COMMUNITY WEB-PHP Calendarix cal_popup.php SQL injection attempt || bugtraq,18469
-100000499 || COMMUNITY WEB-PHP PictureDis thumstbl.php remote file include || bugtraq,18471
-100000500 || COMMUNITY WEB-PHP PictureDis wpfiles.php remote file include || bugtraq,18471
-100000501 || COMMUNITY WEB-PHP PictureDis wallpapr.php remote file include || bugtraq,18471
-100000502 || COMMUNITY WEB-PHP Ji-Takz tag.class.php remote file include || bugtraq,18474
-100000503 || COMMUNITY WEB-PHP Nucleus CMS action.php remote file include || bugtraq,18475
-100000504 || COMMUNITY WEB-PHP Nucleus CMS media.php remote file include || bugtraq,18475
-100000505 || COMMUNITY WEB-PHP Nucleus CMS server.php remote file include || bugtraq,18475
-100000506 || COMMUNITY WEB-PHP Nucleus CMS api_metaweblog.inc.php remote file include || bugtraq,18475
-100000507 || COMMUNITY WEB-PHP FlashChat adminips.php remote file include || bugtraq,18480
-100000508 || COMMUNITY WEB-PHP Wikkawiki wakka.php access || bugtraq,18481
-100000509 || COMMUNITY WEB-PHP RahnemaCo page.php remote file include || bugtraq,18490
-100000510 || COMMUNITY WEB-PHP VBZoom rank.php SQL injection attempt || bugtraq,18497
-100000511 || COMMUNITY WEB-PHP VBZoom message.php SQL injection attempt || bugtraq,18497
-100000512 || COMMUNITY WEB-PHP VBZoom lng.php SQL injection attempt || bugtraq,18497
-100000513 || COMMUNITY WEB-PHP SAPHPLesson showcat.php SQL injection attempt || bugtraq,18501
-100000514 || COMMUNITY WEB-PHP SAPHPLesson misc.php SQL injection attempt || bugtraq,18501
-100000515 || COMMUNITY WEB-PHP CMS Faethon header.php xss attempt || bugtraq,18505
-100000516 || COMMUNITY WEB-PHP CMS Faethon footer.php xss attempt || bugtraq,18505
-100000517 || COMMUNITY WEB-PHP e107 search.php xss attempt || bugtraq,18508
-100000518 || COMMUNITY WEB-PHP PHP Live Helper initiate.php remote file include || bugtraq,18509
-100000519 || COMMUNITY WEB-PHP VUBB index.php SQL injection attempt || bugtraq,18516
-100000520 || COMMUNITY WEB-PHP Xarancms xaramcms_haupt.php SQL injection attempt || bugtraq,18520
-100000521 || COMMUNITY WEB-PHP TPL Design TplShop category.php SQL injection attempt || bugtraq,18524
-100000522 || COMMUNITY WEB-PHP The Edge eCommerce Shop productDetail.php xss attempt || bugtraq,18528
-100000523 || COMMUNITY WEB-PHP CavoxCms index.php SQL injection attempt || bugtraq,18533
-100000524 || COMMUNITY WEB-PHP Micro CMS microcms-include.php remote file include || bugtraq,18537
-100000525 || COMMUNITY WEB-PHP PHPMyDirectory offer-pix.php xss attempt || bugtraq,18539
-100000526 || COMMUNITY WEB-PHP PHPMyDirectory index.php xss attempt || bugtraq,18539
-100000527 || COMMUNITY WEB-PHP AssoCIateD index.php xss attempt || bugtraq,18541
-100000528 || COMMUNITY WEB-PHP PHPMyForum topic.php xss attempt || bugtraq,18542
-100000529 || COMMUNITY WEB-PHP NC Linklist index.php xss attempt || bugtraq,18546
-100000530 || COMMUNITY WEB-PHP NC Linklist index.php xss attempt || bugtraq,18546
-100000531 || COMMUNITY WEB-PHP BtitTracker torrents.php SQL injection attempt || bugtraq,18549
-100000532 || COMMUNITY WEB-PHP BtitTracker torrents.php SQL injection attempt || bugtraq,18549
-100000533 || COMMUNITY WEB-PHP VUBB functions.php SQL injection attempt || bugtraq,18561
-100000534 || COMMUNITY WEB-PHP VUBB english.php xss attempt || bugtraq,18562
-100000535 || COMMUNITY WEB-PHP IMGallery galeria.php SQL injection attempt || bugtraq,18566
-100000536 || COMMUNITY WEB-PHP IMGallery galeria.php SQL injection attempt || bugtraq,18566
-100000537 || COMMUNITY WEB-PHP thinkWMS index.php SQL injection attempt || bugtraq,18567
-100000538 || COMMUNITY WEB-PHP thinkWMS index.php SQL injection attempt || bugtraq,18567
-100000539 || COMMUNITY WEB-PHP thinkWMS printarticle.php SQL injection attempt || bugtraq,18567
-100000540 || COMMUNITY WEB-PHP Enterprise Groupware index.php xss attempt || bugtraq,18590
-100000541 || COMMUNITY WEB-PHP Dating Agent picture.php SQL injection attempt || bugtraq,18607
-100000542 || COMMUNITY WEB-PHP Dating Agent mem.php SQL injection attempt || bugtraq,18607
-100000543 || COMMUNITY WEB-PHP Dating Agent search.php SQL injection attempt || bugtraq,18607
-100000544 || COMMUNITY WEB-PHP Dating Agent search.php SQL injection attempt || bugtraq,18607
-100000545 || COMMUNITY WEB-PHP PHP Blue Dragon CMS team_admin.php remote file include || bugtraq,18609
-100000546 || COMMUNITY WEB-PHP PHP Blue Dragon CMS rss_admin.php remote file include || bugtraq,18609
-100000547 || COMMUNITY WEB-PHP PHP Blue Dragon CMS manual_admin.php remote file include || bugtraq,18609
-100000548 || COMMUNITY WEB-PHP PHP Blue Dragon CMS forum_admin.php remote file include || bugtraq,18609
-100000549 || COMMUNITY WEB-PHP Custom Datin Biz user_view.php xss attempt || bugtraq,18626
-100000550 || COMMUNITY WEB-PHP Project Eros BBSEngine comment.php access || bugtraq,18627
-100000551 || COMMUNITY WEB-PHP Project Eros BBSEngine aolbonics.php access || bugtraq,18627
-100000552 || COMMUNITY WEB-PHP SmartSiteCMS inc_foot.php remote file include || bugtraq,18628
-100000553 || COMMUNITY WEB-PHP PHPMySMS gateway.php remote file include || bugtraq,18633
-100000554 || COMMUNITY WEB-PHP VebiMiau error.php xss attempt || bugtraq,18643
-100000555 || COMMUNITY WEB-PHP VebiMiau error.php xss attempt || bugtraq,18643
-100000556 || COMMUNITY WEB-PHP VebiMiau error.php xss attempt || bugtraq,18643
-100000557 || COMMUNITY WEB-PHP VebiMiau index.php xss attempt || bugtraq,18643
-100000558 || COMMUNITY WEB-PHP VebiMiau messages.php xss attempt || bugtraq,18643
-100000559 || COMMUNITY WEB-PHP Infinite Core Technologies ICT index.php SQL injection attempt || bugtraq,18644
-100000560 || COMMUNITY WEB-PHP eNpaper1 root_header.php remote file include || bugtraq,18649
-100000561 || COMMUNITY WEB-PHP dotProject ui.class.php xss attempt || bugtraq,18650
-100000562 || COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt || bugtraq,18651
-100000563 || COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt || bugtraq,18651
-100000564 || COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt || bugtraq,18651
-100000565 || COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt || bugtraq,18651
-100000566 || COMMUNITY WEB-PHP XennoBB messages.php xss attempt || bugtraq,18652
-100000567 || COMMUNITY WEB-PHP Qdig index.php xss attempt || bugtraq,18653
-100000568 || COMMUNITY WEB-PHP Qdig index.php xss attempt || bugtraq,18653
-100000569 || COMMUNITY WEB-PHP Indexu app_change_email.php remote file include || bugtraq,18477
-100000570 || COMMUNITY WEB-PHP Indexu app_change_pwd.php remote file include || bugtraq,18477
-100000571 || COMMUNITY WEB-PHP Indexu app_mod_rewrite.php remote file include || bugtraq,18477
-100000572 || COMMUNITY WEB-PHP Indexu app_page_caching.php remote file include || bugtraq,18477
-100000573 || COMMUNITY WEB-PHP Indexu app_setup.php remote file include || bugtraq,18477
-100000574 || COMMUNITY WEB-PHP Indexu cat_add.php remote file include || bugtraq,18477
-100000575 || COMMUNITY WEB-PHP Indexu cat_delete.php remote file include || bugtraq,18477
-100000576 || COMMUNITY WEB-PHP Indexu cat_edit.php remote file include || bugtraq,18477
-100000577 || COMMUNITY WEB-PHP Indexu cat_path_update.php remote file include || bugtraq,18477
-100000578 || COMMUNITY WEB-PHP Indexu cat_search.php remote file include || bugtraq,18477
-100000579 || COMMUNITY WEB-PHP Indexu cat_struc.php remote file include || bugtraq,18477
-100000580 || COMMUNITY WEB-PHP Indexu cat_view.php remote file include || bugtraq,18477
-100000581 || COMMUNITY WEB-PHP Indexu cat_view_hidden.php remote file include || bugtraq,18477
-100000582 || COMMUNITY WEB-PHP Indexu cat_view_hierarchy.php remote file include || bugtraq,18477
-100000583 || COMMUNITY WEB-PHP Indexu cat_view_registered_only.php remote file include || bugtraq,18477
-100000584 || COMMUNITY WEB-PHP Indexu checkurl_web.php remote file include || bugtraq,18477
-100000585 || COMMUNITY WEB-PHP Indexu db_alter.php remote file include || bugtraq,18477
-100000586 || COMMUNITY WEB-PHP Indexu db_alter_change.php remote file include || bugtraq,18477
-100000587 || COMMUNITY WEB-PHP Indexu db_backup.php remote file include || bugtraq,18477
-100000588 || COMMUNITY WEB-PHP Indexu db_export.php remote file include || bugtraq,18477
-100000589 || COMMUNITY WEB-PHP Indexu db_import.php remote file include || bugtraq,18477
-100000590 || COMMUNITY WEB-PHP Indexu editor_add.php remote file include || bugtraq,18477
-100000591 || COMMUNITY WEB-PHP Indexu editor_delete.php remote file include || bugtraq,18477
-100000592 || COMMUNITY WEB-PHP Indexu editor_validate.php remote file include || bugtraq,18477
-100000593 || COMMUNITY WEB-PHP Indexu head.php remote file include || bugtraq,18477
-100000594 || COMMUNITY WEB-PHP Indexu index.php remote file include || bugtraq,18477
-100000595 || COMMUNITY WEB-PHP Indexu inv_config.php remote file include || bugtraq,18477
-100000596 || COMMUNITY WEB-PHP Indexu inv_config_payment.php remote file include || bugtraq,18477
-100000597 || COMMUNITY WEB-PHP Indexu inv_create.php remote file include || bugtraq,18477
-100000598 || COMMUNITY WEB-PHP Indexu inv_delete.php remote file include || bugtraq,18477
-100000599 || COMMUNITY WEB-PHP Indexu inv_edit.php remote file include || bugtraq,18477
-100000600 || COMMUNITY WEB-PHP Indexu inv_markpaid.php remote file include || bugtraq,18477
-100000601 || COMMUNITY WEB-PHP Indexu inv_markunpaid.php remote file include || bugtraq,18477
-100000602 || COMMUNITY WEB-PHP Indexu inv_overdue.php remote file include || bugtraq,18477
-100000603 || COMMUNITY WEB-PHP Indexu inv_paid.php remote file include || bugtraq,18477
-100000604 || COMMUNITY WEB-PHP Indexu inv_send.php remote file include || bugtraq,18477
-100000605 || COMMUNITY WEB-PHP Indexu inv_unpaid.php remote file include || bugtraq,18477
-100000606 || COMMUNITY WEB-PHP Indexu lang_modify.php remote file include || bugtraq,18477
-100000607 || COMMUNITY WEB-PHP Indexu link_add.php remote file include || bugtraq,18477
-100000608 || COMMUNITY WEB-PHP Indexu link_bad.php remote file include || bugtraq,18477
-100000609 || COMMUNITY WEB-PHP Indexu link_bad_delete.php remote file include || bugtraq,18477
-100000610 || COMMUNITY WEB-PHP Indexu link_checkurl.php remote file include || bugtraq,18477
-100000611 || COMMUNITY WEB-PHP Indexu link_delete.php remote file include || bugtraq,18477
-100000612 || COMMUNITY WEB-PHP Indexu link_duplicate.php remote file include || bugtraq,18477
-100000613 || COMMUNITY WEB-PHP Indexu link_edit.php remote file include || bugtraq,18477
-100000614 || COMMUNITY WEB-PHP Indexu link_premium_listing.php remote file include || bugtraq,18477
-100000615 || COMMUNITY WEB-PHP Indexu link_premium_sponsored.php remote file include || bugtraq,18477
-100000616 || COMMUNITY WEB-PHP Indexu link_search.php remote file include || bugtraq,18477
-100000617 || COMMUNITY WEB-PHP Indexu link_sponsored_listing.php remote file include || bugtraq,18477
-100000618 || COMMUNITY WEB-PHP Indexu link_validate.php remote file include || bugtraq,18477
-100000619 || COMMUNITY WEB-PHP Indexu link_validate_edit.php remote file include || bugtraq,18477
-100000620 || COMMUNITY WEB-PHP Indexu link_view.php remote file include || bugtraq,18477
-100000621 || COMMUNITY WEB-PHP Indexu log_search.php remote file include || bugtraq,18477
-100000622 || COMMUNITY WEB-PHP Indexu mail_modify.php remote file include || bugtraq,18477
-100000623 || COMMUNITY WEB-PHP Indexu menu.php remote file include || bugtraq,18477
-100000624 || COMMUNITY WEB-PHP Indexu message_create.php remote file include || bugtraq,18477
-100000625 || COMMUNITY WEB-PHP Indexu message_delete.php remote file include || bugtraq,18477
-100000626 || COMMUNITY WEB-PHP Indexu message_edit.php remote file include || bugtraq,18477
-100000627 || COMMUNITY WEB-PHP Indexu message_send.php remote file include || bugtraq,18477
-100000628 || COMMUNITY WEB-PHP Indexu message_subscriber.php remote file include || bugtraq,18477
-100000629 || COMMUNITY WEB-PHP Indexu message_view.php remote file include || bugtraq,18477
-100000630 || COMMUNITY WEB-PHP Indexu review_validate.php remote file include || bugtraq,18477
-100000631 || COMMUNITY WEB-PHP Indexu review_validate_edit.php remote file include || bugtraq,18477
-100000632 || COMMUNITY WEB-PHP Indexu summary.php remote file include || bugtraq,18477
-100000633 || COMMUNITY WEB-PHP Indexu template_active.php remote file include || bugtraq,18477
-100000634 || COMMUNITY WEB-PHP Indexu template_add_custom.php remote file include || bugtraq,18477
-100000635 || COMMUNITY WEB-PHP Indexu template_delete.php remote file include || bugtraq,18477
-100000636 || COMMUNITY WEB-PHP Indexu template_delete_file.php remote file include || bugtraq,18477
-100000637 || COMMUNITY WEB-PHP Indexu template_duplicate.php remote file include || bugtraq,18477
-100000638 || COMMUNITY WEB-PHP Indexu template_export.php remote file include || bugtraq,18477
-100000639 || COMMUNITY WEB-PHP Indexu template_import.php remote file include || bugtraq,18477
-100000640 || COMMUNITY WEB-PHP Indexu template_manager.php remote file include || bugtraq,18477
-100000641 || COMMUNITY WEB-PHP Indexu template_modify.php remote file include || bugtraq,18477
-100000642 || COMMUNITY WEB-PHP Indexu template_modify_file.php remote file include || bugtraq,18477
-100000643 || COMMUNITY WEB-PHP Indexu template_rename.php remote file include || bugtraq,18477
-100000644 || COMMUNITY WEB-PHP Indexu user_add.php remote file include || bugtraq,18477
-100000645 || COMMUNITY WEB-PHP Indexu user_delete.php remote file include || bugtraq,18477
-100000646 || COMMUNITY WEB-PHP Indexu user_edit.php remote file include || bugtraq,18477
-100000647 || COMMUNITY WEB-PHP Indexu user_search.php remote file include || bugtraq,18477
-100000648 || COMMUNITY WEB-PHP Indexu whos.php remote file include || bugtraq,18477
-100000649 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
-100000650 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
-100000651 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
-100000652 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
-100000653 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
-100000654 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
-100000655 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
-100000656 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
-100000657 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
-100000658 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
-100000659 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
-100000660 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
-100000661 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
-100000662 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
-100000663 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
-100000664 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
-100000665 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
-100000666 || COMMUNITY WEB-PHP Harpia files.php remote file include || bugtraq,18614
-100000667 || COMMUNITY WEB-PHP Harpia files.php remote file include || bugtraq,18614
-100000668 || COMMUNITY WEB-PHP Harpia pheader.php remote file include || bugtraq,18614
-100000669 || COMMUNITY WEB-PHP Harpia headlines.php remote file include || bugtraq,18614
-100000670 || COMMUNITY WEB-PHP Harpia web_statsConfig.php remote file include || bugtraq,18614
-100000671 || COMMUNITY WEB-PHP Harpia preload.php remote file include || bugtraq,18614
-100000672 || COMMUNITY WEB-PHP Harpia users.php remote file include || bugtraq,18614
-100000673 || COMMUNITY WEB-PHP Harpia web_statsConfig.php remote file include || bugtraq,18614
-100000674 || COMMUNITY WEB-PHP Harpia footer.php remote file include || bugtraq,18614
-100000675 || COMMUNITY WEB-PHP Harpia pfooter.php remote file include || bugtraq,18614
-100000676 || COMMUNITY WEB-PHP Harpia missing.php remote file include || bugtraq,18614
-100000677 || COMMUNITY WEB-PHP Harpia topics.php remote file include || bugtraq,18614
-100000678 || COMMUNITY WEB-PHP Harpia header.php remote file include || bugtraq,18614
-100000679 || COMMUNITY WEB-PHP Harpia index.php remote file include || bugtraq,18614
-100000680 || COMMUNITY WEB-PHP Harpia search.php remote file include || bugtraq,18614
-100000681 || COMMUNITY WEB-PHP Harpia header.php remote file include || bugtraq,18614
-100000682 || COMMUNITY WEB-PHP Harpia email.php remote file include || bugtraq,18614
-100000683 || COMMUNITY WEB-PHP cPanel select.html xss attempt || bugtraq,18655
-100000684 || COMMUNITY VIRUS OutBound Dremn Trojan Beacon || url,symantec.com/avcenter/venc/data/trojan.dremn.html
-100000685 || COMMUNITY VIRUS Answering Dremn Trojan Server || url,symantec.com/avcenter/venc/data/trojan.dremn.html
-100000686 || COMMUNITY DOS EnergyMech parse_notice vulnerability - inbound || bugtraq,18664
-100000687 || COMMUNITY DOS EnergyMech parse_notice vulnerability - outbound || bugtraq,18664
-100000688 || COMMUNITY POLICY Ajax Remote Desktop Connection || url,www.peterdamen.com/ajaxrd/
-100000689 || COMMUNITY SMTP Mytob MAIL FROM Attempt || url,www.symantec.com/avcenter/venc/data/w32.mytob@mm.html
-100000690 || COMMUNITY SQL-INJECTION BXCP Sql Injection attempt || bugtraq,18765 || url,www.milw0rm.com/exploits/1975
-100000691 || COMMUNITY SQL-INJECTION Diesel Joke Script Sql Injection attempt || bugtraq,18760
-100000692 || COMMUNITY WEB-CLIENT midi file download attempt || bugtraq,18507
-100000693 || COMMUNITY WEB-CLIENT winamp midi file header overflow attempt || bugtraq,18507
-100000694 || COMMUNITY WEB-MISC VCard PRO gbrowse.php SQL injection attempt || bugtraq,18699
-100000695 || COMMUNITY WEB-MISC VCard PRO rating.php SQL injection attempt || bugtraq,18699
-100000696 || COMMUNITY WEB-MISC
VCard PRO create.php SQL injection attempt || bugtraq,18699 -100000697 || COMMUNITY WEB-MISC VCard PRO search.php SQL injection attempt || bugtraq,18699 -100000698 || COMMUNITY WEB-MISC BXCP index.php SQL injection attempt || bugtraq,18765 -100000699 || COMMUNITY WEB-MISC Vincent Leclercq News diver.php xss attempt || bugtraq,18775 -100000700 || COMMUNITY WEB-MISC Vincent Leclercq News diver.php xss attempt || bugtraq,18775 -100000701 || COMMUNITY WEB-MISC WordPress index.php SQL injection attempt || bugtraq,18779 -100000702 || COMMUNITY WEB-MISC Webvizyon SayfalaAltList.asp MSSQL injection attempt || bugtraq,18899 -100000703 || COMMUNITY WEB-PHP Horde index.php show XSS attempt || bugtraq,18845 -100000704 || COMMUNITY WEB-PHP SmartSiteCMS comment.php remote file include || bugtraq,18697 -100000705 || COMMUNITY WEB-PHP SmartSiteCMS test.php remote file include || bugtraq,18697 -100000706 || COMMUNITY WEB-PHP SmartSiteCMS index.php remote file include || bugtraq,18697 -100000707 || COMMUNITY WEB-PHP SmartSiteCMS inc_adminfoot.php remote file include || bugtraq,18697 -100000708 || COMMUNITY WEB-PHP SmartSiteCMS comedit.php remote file include || bugtraq,18697 -100000709 || COMMUNITY WEB-PHP SquirrelMail search.php xss attempt || bugtraq,18700 -100000710 || COMMUNITY WEB-PHP Xoops MyAds Module annonces-p-f.php SQL injection attempt || bugtraq,18718 -100000711 || COMMUNITY WEB-PHP PHPRaid raids.php remote file include || bugtraq,18719 -100000712 || COMMUNITY WEB-PHP PHPRaid register.php remote file include || bugtraq,18719 -100000713 || COMMUNITY WEB-PHP PHPRaid roster.php remote file include || bugtraq,18719 -100000714 || COMMUNITY WEB-PHP PHPRaid view.php remote file include || bugtraq,18719 -100000715 || COMMUNITY WEB-PHP PHPRaid logs.php remote file include || bugtraq,18719 -100000716 || COMMUNITY WEB-PHP PHPRaid users.php remote file include || bugtraq,18719 -100000717 || COMMUNITY WEB-PHP PHPRaid configuration.php remote file include || bugtraq,18719 -100000718 
|| COMMUNITY WEB-PHP PHPRaid guilds.php remote file include || bugtraq,18719 -100000719 || COMMUNITY WEB-PHP PHPRaid index.php remote file include || bugtraq,18719 -100000720 || COMMUNITY WEB-PHP PHPRaid locations.php remote file include || bugtraq,18719 -100000721 || COMMUNITY WEB-PHP PHPRaid login.php remote file include || bugtraq,18719 -100000722 || COMMUNITY WEB-PHP PHPRaid lua_output.php remote file include || bugtraq,18719 -100000723 || COMMUNITY WEB-PHP PHPRaid permissions.php remote file include || bugtraq,18719 -100000724 || COMMUNITY WEB-PHP PHPRaid profile.php remote file include || bugtraq,18719 -100000725 || COMMUNITY WEB-PHP PHPRaid view.php SQL injection attempt || bugtraq,18720 -100000726 || COMMUNITY WEB-PHP Vincent-Leclercq News diver.php SQL injection attempt || bugtraq,18729 -100000727 || COMMUNITY WEB-PHP Softbiz Banner Exchange insertmember.php xss attempt || bugtraq,18735 -100000728 || COMMUNITY WEB-PHP Geeklog functions.inc remote file include || bugtraq,18740 -100000729 || COMMUNITY WEB-PHP Geeklog functions.inc remote file include || bugtraq,18740 -100000730 || COMMUNITY WEB-PHP Geeklog BlackList.Examine.class.php remote file include || bugtraq,18740 -100000731 || COMMUNITY WEB-PHP Geeklog DeleteComment.Action.class.php remote file include || bugtraq,18740 -100000732 || COMMUNITY WEB-PHP Geeklog EditIPofURL.Admin.class.php remote file include || bugtraq,18740 -100000733 || COMMUNITY WEB-PHP Geeklog MTBlackList.Examine.class.php remote file include || bugtraq,18740 -100000734 || COMMUNITY WEB-PHP Geeklog MassDelete.Admin.class.php remote file include || bugtraq,18740 -100000735 || COMMUNITY WEB-PHP Geeklog MailAdmin.Action.class.php remote file include || bugtraq,18740 -100000736 || COMMUNITY WEB-PHP Geeklog MassDelTrackback.Admin.class.php remote file include || bugtraq,18740 -100000737 || COMMUNITY WEB-PHP Geeklog EditHeader.Admin.class.php remote file include || bugtraq,18740 -100000738 || COMMUNITY WEB-PHP Geeklog 
EditIP.Admin.class.php remote file include || bugtraq,18740 -100000739 || COMMUNITY WEB-PHP Geeklog IPofUrl.Examine.class.php remote file include || bugtraq,18740 -100000740 || COMMUNITY WEB-PHP Geeklog Import.Admin.class.php remote file include || bugtraq,18740 -100000741 || COMMUNITY WEB-PHP Geeklog LogView.Admin.class.php remote file include || bugtraq,18740 -100000742 || COMMUNITY WEB-PHP Geeklog functions.inc remote file include || bugtraq,18740 -100000743 || COMMUNITY WEB-PHP Plume CMS dbinstall.php remote file include || bugtraq,18750 -100000744 || COMMUNITY WEB-PHP MyNewsGroups tree.php SQL injection attempt || bugtraq,18757 -100000745 || COMMUNITY WEB-PHP Diesel Joke Site category.php SQL injection attempt || bugtraq,18760 -100000746 || COMMUNITY WEB-PHP Randshop header.inc.php remote file include || bugtraq,18763 -100000747 || COMMUNITY WEB-PHP Plume CMS index.php remote file include || bugtraq,18780 -100000748 || COMMUNITY WEB-PHP Plume CMS rss.php remote file include || bugtraq,18780 -100000749 || COMMUNITY WEB-PHP Plume CMS search.php remote file include || bugtraq,18780 -100000750 || COMMUNITY WEB-PHP Free QBoard index.php remote file include || bugtraq,18788 -100000751 || COMMUNITY WEB-PHP Free QBoard about.php remote file include || bugtraq,18788 -100000752 || COMMUNITY WEB-PHP Free QBoard contact.php remote file include || bugtraq,18788 -100000753 || COMMUNITY WEB-PHP Free QBoard delete.php remote file include || bugtraq,18788 -100000754 || COMMUNITY WEB-PHP Free QBoard faq.php remote file include || bugtraq,18788 -100000755 || COMMUNITY WEB-PHP Free QBoard features.php remote file include || bugtraq,18788 -100000756 || COMMUNITY WEB-PHP Free QBoard history.php remote file include || bugtraq,18788 -100000757 || COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt || bugtraq,18791 -100000758 || COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt || bugtraq,18791 -100000759 || COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt || 
bugtraq,18791 -100000760 || COMMUNITY WEB-PHP The Banner Engine top.php xss attempt || bugtraq,18793 -100000761 || COMMUNITY WEB-PHP PHPWebGallery comments.php xss attempt || bugtraq,18798 -100000762 || COMMUNITY WEB-PHP Randshop index.php remote file include || bugtraq,18809 -100000763 || COMMUNITY WEB-PHP Kamikaze-QSCM config.inc access || bugtraq,18816 -100000764 || COMMUNITY WEB-PHP MyPHP CMS global_header.php remote file include || bugtraq,18834 -100000765 || COMMUNITY WEB-PHP LifeType index.php SQL injection attempt || bugtraq,18835 -100000766 || COMMUNITY WEB-PHP Blog CMS thumb.php remote file include || bugtraq,18837 -100000767 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839 -100000768 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839 -100000769 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839 -100000770 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839 -100000771 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839 -100000772 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839 -100000773 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839 -100000774 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839 -100000775 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839 -100000776 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839 -100000777 || COMMUNITY WEB-PHP Blog CMS action.php SQL injection attempt || bugtraq,18839 -100000778 || COMMUNITY WEB-PHP PHPMailList maillist.php xss attempt || bugtraq,18840 -100000779 || COMMUNITY WEB-PHP Horde index.php xss attempt || bugtraq,18845 -100000780 || COMMUNITY WEB-PHP Horde problem.php xss attempt || bugtraq,18845 -100000781 || COMMUNITY WEB-PHP Horde go.php xss attempt || bugtraq,18845 -100000782 || COMMUNITY WEB-PHP Horde go.php xss attempt || 
bugtraq,18845 -100000783 || COMMUNITY WEB-PHP ATutor create_course.php xss attempt || bugtraq,18857 -100000784 || COMMUNITY WEB-PHP ATutor create_course.php xss attempt || bugtraq,18857 -100000785 || COMMUNITY WEB-PHP ATutor password_reminder.php xss attempt || bugtraq,18857 -100000786 || COMMUNITY WEB-PHP ATutor browse.php xss attempt || bugtraq,18857 -100000787 || COMMUNITY WEB-PHP ATutor fix_content.php xss attempt || bugtraq,18857 -100000788 || COMMUNITY WEB-PHP FreeWebshop search.php xss attempt || bugtraq,18878 -100000789 || COMMUNITY WEB-PHP FreeWebshop details.php SQL injection attempt || bugtraq,18878 -100000790 || COMMUNITY WEB-PHP Pivot edit_new.php remote file include || bugtraq,18881 -100000791 || COMMUNITY WEB-PHP Pivot pv_core.php access || bugtraq,18881 -100000792 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881 -100000793 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881 -100000794 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881 -100000795 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881 -100000796 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881 -100000797 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881 -100000798 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881 -100000799 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881 -100000800 || COMMUNITY WEB-PHP Pivot editor_menu.php xss attempt || bugtraq,18881 -100000801 || COMMUNITY WEB-PHP Pivot editor_menu.php xss attempt || bugtraq,18881 -100000802 || COMMUNITY WEB-PHP BosClassifieds index.php remote file include || bugtraq,18883 -100000803 || COMMUNITY WEB-PHP BosClassifieds recent.php remote file include || bugtraq,18883 -100000804 || COMMUNITY WEB-PHP BosClassifieds account.php remote file include || bugtraq,18883 -100000805 || COMMUNITY WEB-PHP BosClassifieds classified.php remote file include || bugtraq,18883 -100000806 || COMMUNITY 
WEB-PHP BosClassifieds search.php remote file include || bugtraq,18883 -100000807 || COMMUNITY WEB-PHP CommonSense search.php SQL injection attempt || bugtraq,18893 -100000808 || COMMUNITY WEB-PHP AjaxPortal ajaxp.php SQL injection attempt || bugtraq,18897 -100000809 || COMMUNITY WEB-PHP RW Download stats.php remote file include || bugtraq,18901 -100000810 || COMMUNITY WEB-PHP PHPBB download.php remote file include || bugtraq,18914 -100000811 || COMMUNITY WEB-PHP PHPBB attach_rules.php remote file include || bugtraq,18914 -100000812 || COMMUNITY WEB-PHP SimpleBoard SBP index.php remote file include || bugtraq,18917 -100000813 || COMMUNITY WEB-PHP SimpleBoard SBP file_upload.php remote file include || bugtraq,18917 -100000814 || COMMUNITY WEB-PHP SimpleBoard SBP image_upload.php remote file include || bugtraq,18917 -100000815 || COMMUNITY WEB-PHP SimpleBoard SBP performs.php remote file include || bugtraq,18917 -100000816 || COMMUNITY WEB-PHP PC_CookBook pccookbook.php remote file include || bugtraq,18919 -100000817 || COMMUNITY WEB-PHP SMF Forum smf.php remote file include || bugtraq,18924 -100000818 || COMMUNITY WEB-PHP Graffiti Forums topics.php SQL injection attempt || bugtraq,18928 -100000819 || COMMUNITY DELETED PhpWebGallery XSS attempt -100000820 || COMMUNITY WEB-PHP SaPHPLesson add.php SQL injection attempt || bugtraq,18934 -100000821 || COMMUNITY WEB-PHP VBZooM sub-join.php SQL injection attempt || bugtraq,18937 -100000822 || COMMUNITY WEB-PHP VBZooM reply.php SQL injection attempt || bugtraq,18937 -100000823 || COMMUNITY WEB-PHP VBZooM ignore-pm.php SQL injection attempt || bugtraq,18937 -100000824 || COMMUNITY WEB-PHP VBZooM sendmail.php SQL injection attempt || bugtraq,18937 -100000825 || COMMUNITY WEB-PHP Phorum posting.php xss attempt || bugtraq,18941 -100000826 || COMMUNITY WEB-PHP Phorum search.php SQL injection attempt || bugtraq,18941 -100000827 || COMMUNITY WEB-PHP HiveMail address.view.php xss attempt || bugtraq,18949 -100000828 || COMMUNITY 
WEB-PHP HiveMail address.view.php xss attempt || bugtraq,18949 -100000829 || COMMUNITY WEB-PHP HiveMail address.view.php xss attempt || bugtraq,18949 -100000830 || COMMUNITY WEB-PHP HiveMail index.php xss attempt || bugtraq,18949 -100000831 || COMMUNITY WEB-PHP HiveMail compose.email.php xss attempt || bugtraq,18949 -100000832 || COMMUNITY WEB-PHP HiveMail read.markas.php xss attempt || bugtraq,18949 -100000833 || COMMUNITY WEB-PHP HiveMail search.results.php SQL injection attempt || bugtraq,18949 -100000834 || COMMUNITY WEB-PHP Lazarus codes-english.php xss attempt || bugtraq,18956 -100000835 || COMMUNITY WEB-PHP Lazarus picture.php xss attempt || bugtraq,18956 -100000836 || COMMUNITY WEB-PHP MiniBB com_minibb.php remote file include || bugtraq,18998 -100000837 || COMMUNITY WEB-PHP MiniBB index.php remote file include || bugtraq,18998 -100000838 || COMMUNITY WEB-PHP PhotoCycle photocycle.php xss attempt || bugtraq,18964 -100000839 || COMMUNITY WEB-PHP PHP Event Calendar calendar.php remote file include || bugtraq,18965 -100000840 || COMMUNITY WEB-PHP FlatNuke index.php remote file include || bugtraq,18966 -100000841 || COMMUNITY WEB-PHP PerForms performs.php remote file include || bugtraq,18968 -100000842 || COMMUNITY WEB-PHP PHPBB 3 memberlist.php SQL injection attempt || bugtraq,18969 -100000843 || COMMUNITY WEB-PHP Koobi Pro index.php xss attempt || bugtraq,18970 -100000844 || COMMUNITY WEB-PHP Koobi Pro index.php SQL injection attempt || bugtraq,18970 -100000845 || COMMUNITY WEB-PHP Invision Power Board ipsclass.php SQL injection attempt || bugtraq,18984 -100000846 || COMMUNITY WEB-PHP Subberz Lite user-func.php remote file include || bugtraq,18990 -100000847 || COMMUNITY WEB-PHP Sitemap sitemap.xml.php remote file include || bugtraq,18991 -100000848 || COMMUNITY DELETED PhpWebGallery XSS attempt || bugtraq,18798 -100000849 || COMMUNITY WEB-PHP IceWarp include.php remote file include || bugtraq,19007 -100000850 || COMMUNITY WEB-PHP IceWarp include.php remote 
file include || bugtraq,19007 -100000851 || COMMUNITY WEB-PHP IceWarp include.php remote file include || bugtraq,19007 -100000852 || COMMUNITY WEB-PHP IceWarp include.php remote file include || bugtraq,19007 -100000853 || COMMUNITY WEB-PHP IceWarp settings.html remote file include || bugtraq,19007 -100000854 || COMMUNITY WEB-PHP ListMessenger listmessenger.php remote file include || bugtraq,19014 -100000855 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019 -100000856 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019 -100000857 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019 -100000858 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019 -100000859 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019 -100000860 || COMMUNITY WEB-PHP Francisco Charrua Photo-Gallery room.php SQL injection attempt || bugtraq,19020 -100000861 || COMMUNITY WEB-PHP FlushCMS class.rich.php remote file include || bugtraq,19023 -100000862 || COMMUNITY WEB-PHP FlushCMS class.rich.php remote file include || bugtraq,19023 -100000863 || COMMUNITY WEB-PHP PHPMyRing view_com.php SQL injection attempt || url,secunia.com/advisories/21451/ -100000864 || COMMUNITY WEB-CLIENT tsuserex.dll COM Object Instantiation Vulnerability || url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=14 -100000865 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s01 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html -100000866 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s02 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html -100000867 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s03 || url,www.powergap-shop.de || 
url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html -100000868 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s04 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html -100000869 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit sid variant || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html -100000870 || COMMUNITY WEB-PHP powergap remote file inclusion exploit sid variant 2 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html -100000871 || COMMUNITY WEB-PHP CubeCart XSS attack || url,retrogod.altervista.org/cubecart_3011_adv.html -100000872 || COMMUNITY WEB-PHP CubeCart XSS attack || url,retrogod.altervista.org/cubecart_3011_adv.html -100000873 || COMMUNITY WEB-PHP discloser 0.0.4 Remote File Inclusion -100000874 || COMMUNITY MISC DLR-TOR Directory server response || url,tor.eff.org -100000875 || COMMUNITY MISC DLR-TOR Client Traffic || url,tor.eff.org -100000876 || COMMUNITY MISC Google Talk Version Check -100000877 || COMMUNITY MISC Google Talk Startup -100000878 || COMMUNITY WEB-CGI Roller Weblog XSS exploit || bugtraq,20045 -100000879 || COMMUNITY WEB-CGI Roller Weblog XSS exploit || bugtraq,20045 -100000880 || COMMUNITY WEB-CGI Roller Weblog XSS exploit || bugtraq,20045 -100000881 || COMMUNITY WEB-CLIENT ImageMagick SGI ZSIZE Header Information Overflow Attempt || bugtraq,19507 || cve,2006-4144 -100000882 || COMMUNITY WEB-PHP PHP Live Helper globals.php remote file include || bugtraq,19349 -100000883 || COMMUNITY WEB-PHP Inlink remote file inclusion exploit || url,milw0rm.com/exploits/2295 -100000884 || COMMUNITY WEB-MISC SimpleBlog Remote SQL Injection attempt || url,milw0rm.com/exploits/2296 -100000885 || COMMUNITY WEB-PHP pHNews access attempt || url,milw0rm.com/exploits/2298 -100000886 || COMMUNITY WEB-PHP Proxima access attempt || url,milw0rm.com/exploits/2299 -100000887 || COMMUNITY WEB-PHP pmwiki exploit attempt || 
url,milw0rm.com/exploits/2291 -100000888 || COMMUNITY WEB-PHP tikiwiki exploit attempt || url,milw0rm.com/exploits/2288 -100000889 || COMMUNITY WEB-PHP yappa-ng exploit attempt || url,milw0rm.com/exploits/2292 -100000890 || COMMUNITY WEB-MISC Webmin null char attempt || bugtraq,19820 || nessus,22300 -100000891 || COMMUNITY WEB-MISC Usermin null char attempt || bugtraq,19820 || nessus,22300 -100000892 || COMMUNITY MISC Q.931 Invalid Call Reference Length Buffer Overflow || url,www.ethereal.com/news/item_20050504_01.html || url,www.elook.org/internet/126.html -100000893 || COMMUNITY POLICY Weather Channel Desktop App Installer -100000894 || COMMUNITY POLICY Weather Channel Desktop App -100000895 || COMMUNITY WEB-MISC Blojsom Weblog blog-category-description xss attempt || url,www.kb.cert.org/vuls/id/425861 -100000896 || COMMUNITY WEB-MISC Blojsom Weblog blog-entry-title xss attempt || url,www.kb.cert.org/vuls/id/425861 -100000897 || COMMUNITY WEB-MISC Blojsom Weblog rss-enclosure-url xss attempt || url,www.kb.cert.org/vuls/id/425861 -100000898 || COMMUNITY WEB-MISC Blojsom Weblog technorati-tags xss attempt || url,www.kb.cert.org/vuls/id/425861 -100000899 || COMMUNITY WEB-MISC Blojsom Weblog blog-category-name xss attempt || url,www.kb.cert.org/vuls/id/425861 -100000900 || COMMUNITY BOT Mytob IRC DCC file transfer request || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99 -100000901 || COMMUNITY BOT Mytob IRC DCC chat request || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99 -100000902 || COMMUNITY BOT Mytob IRC channel join || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99 -100000903 || COMMUNITY BOT Mytob IRC dns request || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99 -100000904 || COMMUNITY BOT Mytob IRC dns response || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99 -100000905 || COMMUNITY BOT Mytob IRC nick change 
|| url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99 -100000906 || COMMUNITY WEB-PHP UBB.threads remote file include -100000907 || COMMUNITY WEB-PHP phpMyWebmin change_preferences2 script remote file include || url,www.securityfocus.com/bid/20281/info -100000908 || COMMUNITY WEB-PHP phpMyWebmin create_file script remote file include || url,www.securityfocus.com/bid/20281/info -100000909 || COMMUNITY WEB-PHP phpMyWebmin upload_local script remote file include || url,www.securityfocus.com/bid/20281/info -100000910 || COMMUNITY WEB-PHP phpMyWebmin upload_multi script remote file include || url,www.securityfocus.com/bid/20281/info -100000911 || COMMUNITY WEB-PHP Dayfox Blog adminlog.php module remote file include || url,www.securityfocus.com/archive/1/447500/30/0/threaded -100000912 || COMMUNITY WEB-PHP Dayfox Blog postblog.php module remote file include || url,www.securityfocus.com/archive/1/447500/30/0/threaded -100000913 || COMMUNITY WEB-PHP Dayfox Blog index.php module remote file include || url,www.securityfocus.com/archive/1/447500/30/0/threaded -100000914 || COMMUNITY WEB-PHP Dayfox Blog index2.php module remote file include || url,www.securityfocus.com/archive/1/447500/30/0/threaded -100000915 || COMMUNITY WEB-PHP Somery Include.php remote file include || bugtraq,19912 -100000916 || COMMUNITY WEB-PHP MyBulletinBoard Functions_Post.php xss attempt || bugtraq,19770 -100000917 || COMMUNITY WEB-PHP PHP-Dimension functions_kb.php remote file include attempt || bugtraq,20367 -100000918 || COMMUNITY WEB-PHP PHP-Dimension themen_portal_mitte.php remote include attempt || bugtraq,20367 -100000919 || COMMUNITY WEB-PHP Segue CMS themesettings.inc.php remote file include attempt || bugtraq,20640 || cve,2006-5497 || url,osvdb.org/29904 || nessus,22922 || url,www.milw0rm.com/exploits/2600 -100000920 || COMMUNITY WEB-PHP MiniBB bb_func_txt.php pathToFiles variable remote file include || bugtraq,20757 || url,osvdb.org/29971 || nessus,22926 -100000921 
|| COMMUNITY WEB-PHP PunBB register.php language variable remote file include || bugtraq,20786 || cve,2006-5735 || url,osvdb.org/30132 || nessus,22932 -100000922 || COMMUNITY WEB-PHP Etomite CMS index.php id variable SQL injection || bugtraq,21135 || url,osvdb.org/30442 || url,secunia.com/advisories/22885 -100000923 || COMMUNITY DOS Single-Byte UDP Flood -100000924 || COMMUNITY POLICY Google SafeSearch off -100000925 || COMMUNITY-WEB-PHP ADP Forum Attempted Password Recon || url,www.milw0rm.com/exploits/3053 -100000926 || COMMUNITY-WEB-PHP EasyNews PRO News Attempted Password Recon || url,www.milw0rm.com/exploits/3039 -100000927 || COMMUNITY MISC Microsoft Messenger phishing attempt - corrupted registry || url,www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx -100000928 || COMMUNITY EXPLOIT LANDesk Management Suite Alerting Service buffer overflow || bugtraq,23483 || cve,2007-1674 -100000929 || COMMUNITY WEB-PHP Xoops module Articles SQL Injection Exploit || url,www.securityfocus.com/archive/1/463916 -100000930 || COMMUNITY WEB-PHP Drake CMS 404.php Local File Include Vulnerability || bugtraq,23215 -100000931 || COMMUNITY WEB-PHP Softerra Time-Assistant remote include attempt || bugtraq,23203 -100000932 || COMMUNITY WEB-PHP Softerra Time-Assistant remote include attempt || bugtraq,23203 -100000933 || COMMUNITY WEB-PHP Aardvark button/settings_sql.php File Include Vulnerability || url,securityfocus.com/archive/1/464351 -100000934 || COMMUNITY WEB-PHP Aardvark button/new_day.php File Include Vulnerability || url,securityfocus.com/archive/1/464351 diff -Nru snort-2.8.5.2/rules/community-sip.rules snort-2.9.2/rules/community-sip.rules --- snort-2.8.5.2/rules/community-sip.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/community-sip.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,19 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-sip.rules,v 1.5 2006/06/01 15:51:28 akirk Exp $
-
-#Rules submitted by Jiri Markl
-#Rule for alerting of INVITE flood attack:
-alert ip any any -> any 5060 (msg:"COMMUNITY SIP INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:100000158; rev:2;)
-#Rule for alerting of REGISTER flood attack:
-alert ip any any -> any 5060 (msg:"COMMUNITY SIP REGISTER message flooding"; content:"REGISTER"; depth:8; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:100000159; rev:2;)
-#Rule for alerting common TCP/UDP flood attack:
-alert ip any any -> any 5060 (msg:"COMMUNITY SIP TCP/IP message flooding directed to SIP proxy"; threshold: type both, track by_src, count 300, seconds 60; classtype:attempted-dos; sid:100000160; rev:2;)
-#Rule for alerting attack using unresolvable DNS names:
-alert udp $DNS_SERVERS 53 -> any any (msg:"COMMUNITY SIP DNS No such name treshold - Abnormaly high count of No such name responses"; content:"|83|"; offset:3; depth:1; threshold: type both, track by_dst, count 100, seconds 60; classtype:attempted-dos; sid:100000161; rev:2;)
-#Threshold rule for unauthorized responses:
-alert ip any any -> any 5060 (msg:"COMMUNITY SIP 401 Unauthorized Flood"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:100000162; rev:2;)
-alert ip any any -> any 5060 (msg:"COMMUNITY SIP 407 Proxy Authentication Required Flood"; content:"SIP/2.0 407 Proxy Authentication Required"; depth:42; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:100000163; rev:2;)
-#Rule submitted by rmkml
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"COMMUNITY EXPLOIT SIP UDP Softphone overflow attempt"; content:"|3B|branch|3D|"; content:"a|3D|"; pcre:"/^a\x3D[^\n]{1000,}/smi"; reference:bugtraq,16213; reference:cve,2006-0189; classtype:misc-attack; sid:100000223; rev:1;)
diff -Nru snort-2.8.5.2/rules/community-smtp.rules snort-2.9.2/rules/community-smtp.rules
--- snort-2.8.5.2/rules/community-smtp.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/community-smtp.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,14 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-smtp.rules,v 1.9 2006/07/14 13:36:01 akirk Exp $
-
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP Hydra Activity Detected"; flow:to_server,established; content:"hydra"; nocase; pcre:"/^(EH|HE)LO\s+hydra\x0D\x0A/smi"; reference:url,www.thc.org/releases.php; classtype:misc-attack; sid:100000167; rev:1;)
-#Rule submitted by rmkml
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP Gnu Mailman utf8 attachement access"; flow:to_server,established; content:"Content-Disposition|3A 20|attachement"; nocase; content:"filename|2A 3D|utf|2D|8"; nocase; content:"Content-Transfer-Encoding|3A 20|base64"; nocase; reference:bugtraq,15408; reference:cve,2005-3573; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20819; classtype:attempted-dos; sid:100000191; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP MIME-Type ms-tnef access"; flow:to_server,established; content:"Content-Type|3A|"; nocase; content:"application/ms-tnef"; nocase; reference:bugtraq,16197; reference:cve,2006-0002; reference:url,www.microsoft.com/technet/security/bulletin/MS06-003.mspx; classtype:attempted-admin; sid:100000219; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP Mozilla filename overflow attempt"; flow:to_server,established; content:"filename|3D 22|"; nocase; pcre:"/^\s*filename\=\"[^\n]{100,}\.(exe|lnk)/smi"; reference:bugtraq,16271; classtype:attempted-admin; sid:100000224; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP Incoming WAB attachment"; flow:to_server, established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename=\s*.*\x2ewab/smi"; reference:cve,2006-0014; reference:url,www.microsoft.com/technet/security/bulletin/MS06-016.mspx; classtype:suspicious-filename-detect; sid:100000279; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"COMMUNITY SMTP McAfee WebShield SMTP bounce message format string attempt"; flow:to_server,established; content:"RCPT"; nocase; pcre:"/^RCPT\s+TO\x3a\s+[^\r\n]*\x25/smi"; reference:bugtraq,16742; reference:cve,2006-0559; classtype:attempted-admin; sid:100000301; rev:1;)
-# Enable only if SMTP_SERVERS is not any
-# alert tcp !$SMTP_SERVERS any -> any 25 (msg:"COMMUNITY SMTP Mytob MAIL FROM Attempt"; flow:established,to_server; content:"MAIL FROM|3A|"; nocase; pcre:"/MAIL\s+FROM\s*\x3A\s*\x3C?(spm|fcnz|www|secur|abuse)@/i"; reference:url,www.symantec.com/avcenter/venc/data/w32.mytob@mm.html; classtype:misc-attack; sid:100000689; rev:1;)
diff -Nru snort-2.8.5.2/rules/community-sql-injection.rules snort-2.9.2/rules/community-sql-injection.rules
--- snort-2.8.5.2/rules/community-sql-injection.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/community-sql-injection.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,15 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-sql-injection.rules,v 1.10 2006/10/19 20:19:34 akirk Exp $
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION Microsoft BizTalk Server 2002 rawdocdata.asp"; flow:to_server,established; uricontent:"/rawdocdata.asp?"; nocase; pcre:"/rawdocdata.asp\x3F[^\r\n]*exec/Ui"; classtype:web-application-attack; reference:bugtraq,7470; reference:cve,2003-0118; reference:url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx; sid:100000106; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION Microsoft BizTalk Server 2002 RawCustomSearchField.asp"; flow:to_server,established; uricontent:"/rawdocdata.asp?"; nocase; pcre:"/RawCustomSearchField.asp\x3F[^\r\n]*exec/Ui"; classtype:web-application-attack; reference:bugtraq,7470; reference:cve,2003-0118; reference:url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx; sid:100000107; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION OpenBB board.php"; flow:to_server,established; uricontent:"/board.php"; pcre:"/board.php\x3F\w+\x3D[0-9]+\s/Ui"; classtype:web-application-attack; reference:bugtraq,7404; sid:100000108; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION OpenBB member.php"; flow:to_server,established; uricontent:"/member.php"; pcre:"/member.php\x3F\w+\x3D[0-9]+\s/Ui"; classtype:web-application-attack; reference:bugtraq,7404; sid:100000109; rev:1;)
-#Rules submitted by rmkml
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION WIZZ ForumTopicDetails Sql Injection attempt"; flow:to_server,established; uricontent:"/ForumTopicDetails.php"; nocase; uricontent:"TopicID|3D|"; nocase; uricontent:"union"; nocase; uricontent:"select"; nocase; uricontent:"from"; nocase; uricontent:"ForumUser"; nocase; uricontent:"where"; nocase; reference:bugtraq,15410; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20846; classtype:web-application-attack; sid:100000192; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION WIZZ ForumAuthDetails Sql Injection attempt"; flow:to_server,established; uricontent:"/ForumAuthDetails.php"; nocase; uricontent:"AuthID|3D|"; nocase; uricontent:"union"; nocase; uricontent:"select"; nocase; uricontent:"from"; nocase; uricontent:"ForumUser"; nocase; uricontent:"where"; nocase; reference:bugtraq,15410; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20845; classtype:web-application-attack; sid:100000193; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION WIZZ ForumReply Sql Injection attempt"; flow:to_server,established; uricontent:"/ForumReply.php"; nocase; uricontent:"TopicID|3D|"; nocase; uricontent:"union"; nocase; uricontent:"select"; nocase; uricontent:"from"; nocase; uricontent:"ForumUser"; nocase; uricontent:"where"; nocase; reference:bugtraq,15410; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20847; classtype:web-application-attack; sid:100000194; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION BXCP Sql Injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"where="; nocase; uricontent:"union"; nocase; uricontent:"select"; nocase; pcre:"/\x2b\w*\x54\w*/"; reference:bugtraq,18765; reference:url,www.milw0rm.com/exploits/1975; classtype:web-application-attack; sid:100000690; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION Diesel Joke Script Sql Injection attempt"; flow:to_server,established; uricontent:"/category.php"; nocase; uricontent:"id="; uricontent:"union"; nocase; uricontent:"select"; nocase; uricontent:"admin"; nocase; reference:bugtraq,18760; classtype:web-application-attack; sid:100000691; rev:2;)
diff -Nru snort-2.8.5.2/rules/community-virus.rules snort-2.9.2/rules/community-virus.rules
--- snort-2.8.5.2/rules/community-virus.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/community-virus.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,21 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-virus.rules,v 1.15 2006/10/19 20:20:29 akirk Exp $
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5554 (msg:"COMMUNITY VIRUS Dabber PORT overflow attempt port 5554"; flow:to_server,established,no_stream; content:"PORT"; nocase; isdataat:100,relative; pcre:"/^PORT\s[^\n]{100}/smi"; reference:MCAFEE,125300; classtype:attempted-admin; sid:100000110; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1023 (msg:"COMMUNITY VIRUS Dabber PORT overflow attempt port 1023"; flow:to_server,established,no_stream; content:"PORT"; nocase; isdataat:100,relative; pcre:"/^PORT\s[^\n]{100}/smi"; reference:MCAFEE,125300; classtype:attempted-admin; sid:100000111; rev:1;)
-alert tcp $HOME_NET any -> 207.172.16.155 80 (msg:"COMMUNITY VIRUS Possible BlackWorm or Nymex infected host"; flow:to_server,established; uricontent:"/cgi-bin/Count.cgi?df=765247"; reference:url,www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2fMywife.E%40mm; reference:url,cme.mitre.org/data/list.html#24; reference:url,isc.sans.org/blackworm; classtype:trojan-activity; sid:100000226; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8 (msg:"COMMUNITY VIRUS Nugache connect"; flow:to_server,established; content:"|00 02|"; flowbits:set,nugache.connection; flowbits:noalert; classtype:trojan-activity; sid:100000282; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8 (msg:"COMMUNITY VIRUS Nugache data"; flow:to_server,established; flowbits:isset,nugache.connection; dsize:64; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html; classtype:trojan-activity; sid:100000283; rev:1;)
-
-# DNS Rules submitted by urleet@gmail.com
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"COMMUNITY VIRUS Ginwui.B command server dns query attempt - scfzf.xicp.net"; content:"|01 00|"; offset:2; depth:2; content:"|05|scfzf|04|xicp|03|net";threshold: type limit, track by_src, count 1, seconds 360; reference:url,vil.nai.com/vil/content/v_139545.htm; classtype:trojan-activity; sid:100000310; rev:2;)
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"COMMUNITY VIRUS Ginwui.B command server dns query attempt - localhosts.3322.org"; content:"|01 00|"; offset:2; depth:2; content:"|0A|localhosts|04|3322|03|org";threshold: type limit, track by_src, count 1, seconds 360; reference:url,vil.nai.com/vil/content/v_139545.htm; classtype:trojan-activity; sid:100000311; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY VIRUS Ginwui.B POST attempt"; flow:to_server,established; content:"POST|20 2F|"; nocase; depth:6; content:"Host|3a|"; nocase; content:"scfzf.xicp.net"; nocase; pcre:"/Host\x3A[^\n\r]+scfzf.xicp.net/smi"; content:"Content-Length|3a 20|0"; nocase; content:"Connection|3a| Keep-Alive"; nocase; threshold: type limit, track by_src, count 1, seconds 360; reference:url,vil.nai.com/vil/content/v_139545.htm; classtype:trojan-activity; sid:100000312; rev:3;)
-
-
-alert udp !$DNS_SERVERS any -> $EXTERNAL_NET 53 (msg:"COMMUNITY VIRUS OutBound Dremn Trojan Beacon"; content:"|00 00 01|"; offset:3; depth:3; content:"aaaaaaaaaaaaaaaaaaaaa"; within:50; pcre:"/((X|Y)m(A|B)(i)?...a{21})/"; reference:url,symantec.com/avcenter/venc/data/trojan.dremn.html; classtype:trojan-activity; sid:100000684; rev:1;)
-alert udp $EXTERNAL_NET 53 -> !$DNS_SERVERS any (msg: "COMMUNITY VIRUS Answering Dremn Trojan Server"; content:"|80 00 01|"; offset:3; depth:3; content:"aa"; within:50; pcre:"/((X|Y)m(A|B)(i)?...aa)/"; reference:url,symantec.com/avcenter/venc/data/ trojan.dremn.html; classtype:trojan-activity; sid:100000685; rev:1;)
-
diff -Nru snort-2.8.5.2/rules/community-web-attacks.rules snort-2.9.2/rules/community-web-attacks.rules
--- snort-2.8.5.2/rules/community-web-attacks.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/community-web-attacks.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,10 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-web-attacks.rules,v 1.6 2005/12/13 14:24:48 akirk Exp $
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS Hydra Activity Detected"; flow:to_server,established; content:"User-Agent|3A|"; nocase; content:"Hydra"; nocase; distance:0; pcre:"/^User-Agent\s*\x3A\s*Mozilla\x2f4\.0 (Hydra)/smi"; nocase; reference:url,www.thc.org/releases.php; classtype:misc-attack; sid:100000168; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS Amap fingerprint attempt"; flow:to_server,established; content:"|80 80 01 03 01 00 57 00 00 00 20 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00 66 00 00 07 00 00 05 00 00 04 05 00 80 03 00 80 01 00 80 08 00 80 00 00 65 00 00 64 00 00 63 00 00 62 00 00 61 00 00 60 00 00 15 00 00 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 00 00 06 00 00 03 04 00 80 02 00 80 63 b9 b9 19 c0 2b ae 90 74 4c 73 eb 8b cf d8 55 ea d0 69 82 1b ef 23 c3 39 9b 8e b2 49 3c 5a 79|"; depth:130; classtype:web-application-activity; reference:url,www.thc.org/releases.php; sid:100000169; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Host Parameter"; flow:to_server,established; content:"Host"; nocase; pcre:"/^Host[^\r\n]{100,}/smi"; reference:bugtraq,15081; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19926; classtype:attempted-admin; sid:100000170; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Accept Parameter"; flow:to_server,established; content:"Accept"; nocase; pcre:"/^Accept[^\r\n]{200,}/smi"; reference:bugtraq,15081; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19926; classtype:attempted-admin; sid:100000171; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS SAP WAS syscmd access"; flow:to_server,established; uricontent:"/sap/bc/BSp/sap/menu/frameset.htm"; nocase; uricontent:"sap-syscmd"; nocase; reference:url,www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf; classtype:web-application-activity; sid:100000183; rev:1;)
diff -Nru snort-2.8.5.2/rules/community-web-cgi.rules snort-2.9.2/rules/community-web-cgi.rules
--- snort-2.8.5.2/rules/community-web-cgi.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/community-web-cgi.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,22 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-web-cgi.rules,v 1.20 2006/09/19 13:46:50 akirk Exp $
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Readfile.tcl Access"; flow:to_server,established; uricontent:"/readfile.tcl?file="; nocase; classtype:web-application-attack; reference:bugtraq,7426; sid:100000112; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI HappyMall Command Execution member_html.cgi"; flow:to_server,established; uricontent:"/member_html.cgi?"; pcre:"/member_html.cgi\x3F[^\r\n]*\s*file\x3D(\x3B|\x7C)/Ui"; classtype:web-application-attack; reference:bugtraq,7530; reference:cve,2003-0243; sid:100000113; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI HappyMall Command Execution normal_html.cgi"; flow:to_server,established; uricontent:"/normal_html.cgi?"; pcre:"/normal_html.cgi\x3F[^\r\n]*\s*file\x3D(\x3B|\x7C)/Ui"; classtype:web-application-attack; reference:bugtraq,7530; reference:cve,2003-0243; sid:100000114; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI PHP-Nuke Web_Links Path Disclosure Null CID"; flow:to_server,established; uricontent:"modules.php?"; nocase; uricontent:"op=modload"; nocase; uricontent:"name=Web_Links"; nocase; uricontent:"file=index"; nocase; uricontent:"l_op=viewlink"; nocase; uricontent:!"cid="; classtype:web-application-attack; reference:bugtraq,7589; sid:100000115; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI PHP-Nuke Web_Links Path Disclosure Non-Numeric CID"; flow:to_server,established; uricontent:"modules.php?"; nocase; uricontent:"op=modload"; nocase; uricontent:"name=Web_Links"; nocase; uricontent:"file=index"; nocase; uricontent:"l_op=viewlink"; nocase; uricontent:"cid="; pcre:"/cid=[^0-9]+/Ui"; classtype:web-application-attack; reference:bugtraq,7589; sid:100000116; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI VBulliten Remote Command Execution Attempt"; flow:to_server,established; uricontent:"/forumdisplay.php?"; nocase; uricontent:"comma="; nocase; pcre:"/forumdisplay.php?[^\r\n]*comma=[^\r\n\x26]*system\x28.*\x29/Ui"; classtype:web-application-attack; reference:bugtraq,12542; sid:100000117; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Stadtaus.com PHP Form Mail Remote Script Include Attack formmail.inc.php"; flow:to_server,established; uricontent:"/formmail.inc.php"; nocase; uricontent:"script_root"; nocase; pcre:"/formmail.inc.php\x3F[^\r\n]*script_root\x3D\s*http/Ui"; reference:bugtraq,12735; classtype:web-application-attack; sid:100000127; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Stadtaus.com PHP Form Mail Remote Script Include Attack download_center_lite.inc.php"; flow:to_server,established; uricontent:"/download_center_lite.inc.php"; nocase; uricontent:"script_root"; nocase; pcre:"/download_center_lite.inc.php\x3F[^\r\n]*script_root\x3D\s*http/Ui"; reference:bugtraq,12735; classtype:web-application-attack; sid:100000128; rev:1;)
-#Rule submitted by Chas Tomlin
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Twiki shell command execution"; flow:to_server,established; uricontent:"/TwikiUsers?"; nocase; pcre:"/rev=\d*\s*\x7C/Ui"; classtype:web-application-activity; reference:bugtraq,14834; reference:cve,2005-2877; reference:url,twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev; sid:100000156; rev:2;)
-#Rule submitted by David Maciejak
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "COMMUNITY WEB-CGI ATutor password_reminder.php SQL injection attempt"; flow: to_server,established; uricontent:"/password_reminder.php?"; nocase; pcre:"/form_email=[^\r\n\x26]+UNION\s+SELECT/Ui"; reference:bugtraq,14831; classtype:web-application-attack; sid:100000157; rev:1;)
-
-#Rules submitted by Avinash Shenoi (Cenzic Inc. CIA Research Team)
-alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Roller Weblog XSS exploit"; flow:established,to_server; content:"POST"; nocase; depth:4; content:"method=post"; nocase; pcre:"/(name|email|url)=[^\r\n]*\x3Cscript\x3E/smi"; reference:bugtraq,20045; classtype:web-application-activity; sid:100000878; rev:2;)
-alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Roller Weblog XSS exploit"; flow:established,to_server; content:"POST"; nocase; depth:4; content:"method=preview"; nocase; content:"content="; nocase; distance:0; reference:bugtraq,20045; classtype:web-application-activity; sid:100000879; rev:2;)
-alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Roller Weblog XSS exploit"; flow:established,to_server; uricontent:"/sitesearch.do"; nocase; uricontent:"q="; nocase; uricontent:"<script>"; nocase; reference:bugtraq,20045; classtype:web-application-activity; sid:100000880; rev:2;)
diff -Nru snort-2.8.5.2/rules/community-web-client.rules snort-2.9.2/rules/community-web-client.rules
--- snort-2.8.5.2/rules/community-web-client.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/community-web-client.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,25 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-web-client.rules,v 1.21 2006/10/20 13:22:38 akirk Exp $
-
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT Internet Explorer URLMON.DLL Content-Type Overflow Attempt"; flow:to_client,established; content:"Content-Type|3A|"; nocase; pcre:"/Content-Type\x3A[^\r\n]{300,}/i"; classtype:attempted-admin; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; sid:100000118; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT Internet Explorer URLMON.DLL Content-Encoding Overflow Attempt"; flow:to_client,established; content:"Content-Encoding|3A|"; nocase; pcre:"/Content-Encoding\x3A[^\r\n]{300,}/i"; classtype:attempted-admin; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; sid:100000119; rev:2;)
-#Rule submitted by Crusoe Researches Team
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT Winamp PlayList buffer overflow attempt"; flow:from_server,established; content:"playlist"; nocase; content:"\\\\"; reference:bugtraq,16410; reference:cve,2006-0476; reference:url,www.frsirt.com/english/advisories/2006/0361; classtype:attempted-admin; sid:100000228; rev:2;)
-
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT IE mulitple event handler heap overflow attempt"; flow:established; content:"on"; nocase; pcre:"/<[^>]*?(on[^>]*?=[\d\w]+\s+){30,}/smi"; reference:bugtraq,17131; reference:cve,2006-1245; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-013.mspx; classtype:attempted-user; sid:100000238; rev:3;)
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT IE createTextRange overflow attempt"; flow:to_client,established; content:".createTextRange"; nocase; classtype:attempted-user; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-013.mspx; sid:100000239; rev:2;)
-
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT RealMedia invalid chunk size heap overflow attempt"; flow:to_client,established; content:"Transfer-Encoding|3a|"; nocase; content:"chunked"; nocase; content:"Content-Type|3a|"; nocase; distance:0; content:"realvideo"; nocase; pcre:"/\r\n[0-9A-Fa-f]{9}/Ri"; reference:bugtraq,17202; reference:cve,2005-2922; reference:url,service.real.com/realplayer/security/03162006_player/en/; classtype:attempted-user; sid:100000284; rev:2;)
-
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT Mozilla Firefox DOMNodeRemoved attack attempt"; flow:to_client,established; content:"document|2e|addEventListener|28 22|DOMNodeRemoved|22|"; nocase; content:"document|2e|body|2e|appendChild|28|document|2e|getElementById|28|"; reference:bugtraq,18228; reference:cve,2006-2779; classtype:attempted-user; sid:100000447; rev:1;)
-
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT midi file download attempt"; flow:to_client,established; content:"Content-Type|3a|"; nocase; content:"audio|2f|midi"; nocase; distance:0; pcre:"/^Content-Type\s*\x3A\s*audio\x2Fmidi/smi"; flowbits:set,midi.download; flowbits:noalert; reference:bugtraq,18507; classtype:misc-activity; sid:100000692; rev:2;)
-
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT winamp midi file header overflow attempt"; flow:to_client,established; flowbits:isset,midi.download; content:"|4d 54 68 64 00 00 00 06 00 00 00 01 00 60 4d 54 72 6b 00 00 00|"; nocase; flowbits:unset,midi.download; reference:bugtraq,18507; classtype:attempted-user; sid:100000693; rev:2;)
-
-# Rule by <urleet@gmail.com>
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT tsuserex.dll COM Object Instantiation Vulnerability"; flow:from_server,established; content:"E2E9CAE6-1E7B-4B8E-BABD-E9BF6292AC29"; nocase; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=14; classtype:attempted-user; sid:100000864; rev:2;)
-
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT ImageMagick SGI ZSIZE Header Information Overflow Attempt"; content:"|01 da|"; byte_test: 2,>,4,9,relative; classtype: attempted-user; reference:bugtraq,19507; reference:cve,2006-4144; sid:100000881; rev:1;)
diff -Nru snort-2.8.5.2/rules/community-web-dos.rules snort-2.9.2/rules/community-web-dos.rules
--- snort-2.8.5.2/rules/community-web-dos.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/community-web-dos.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,5 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-web-dos.rules,v 1.8 2005/03/08 14:41:42 bmc Exp $
-
diff -Nru snort-2.8.5.2/rules/community-web-iis.rules snort-2.9.2/rules/community-web-iis.rules
--- snort-2.8.5.2/rules/community-web-iis.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/community-web-iis.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,10 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-web-iis.rules,v 1.2 2005/10/20 13:49:44 akirk Exp $
-
-#Rules submitted by rmkml
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt localhost"; flow:to_server,established; content:"localhost"; nocase; pcre:"/http\x3A\/\/localhost\/.*\.asp/i"; reference:cve,2005-2678; classtype:web-application-activity; sid:100000138; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt loopback IP"; flow:to_server,established; content:"127.0.0.1"; pcre:"/http\x3A\/\/127\.0\.0\.1\/.*\.asp/i"; reference:cve,2005-2678; classtype:web-application-activity; sid:100000139; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS RSA WebAgent Redirect Overflow attempt"; flow:to_server,established; uricontent:"/WebID/IISWebAgentIF.dll"; nocase; pcre:"/\x3fRedirect\x3f[^\s]{100,}/smi"; classtype:web-application-activity; sid:100000173; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS RSA WebAgent access"; flow:to_server,established; uricontent:"/WebID/IISWebAgentIF.dll"; nocase; reference:cve,2005-1118; reference:bugtraq,13168; classtype:web-application-activity; sid:100000174; rev:1;)
diff -Nru snort-2.8.5.2/rules/community-web-misc.rules snort-2.9.2/rules/community-web-misc.rules
--- snort-2.8.5.2/rules/community-web-misc.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/community-web-misc.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,215 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-web-misc.rules,v 1.45 2007/04/20 13:28:50 akirk Exp $
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Test Script Access"; flow:to_server,established; uricontent:"/test"; nocase; pcre:"/test\.(pl|php|cgi|asp|jsp)/Ui"; classtype:web-application-activity; sid:100000121; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "COMMUNITY WEB-MISC mod_jrun overflow attempt"; flow:to_server,established; content:"|3A|"; pcre:"/^.*\x3a[^\n]{1000}/sm"; reference:bugtraq,11245; reference:cve,2004-0646; classtype:web-application-attack; sid:100000122; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Cisco IOS HTTP Router Management Service Infinite Loop DoS"; flow:to_server,established; uricontent:"?/ "; reference:bugtraq,10014; reference:url,www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml; classtype:successful-dos; sid:100000129; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS"; flow:to_server,established; uricontent:"/Filelist.html"; nocase; reference:bugtraq,12778; classtype:attempted-dos; sid:100000130; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS - Floppy Access"; flow:to_server,established; uricontent:"/A|3A|"; nocase; pcre:"/A\x3A[^\r\n]?\.[^\r\n]?[\r\n]/Ui"; reference:bugtraq,12778; classtype:attempted-dos; sid:100000131; rev:1;)
-# Following rule submitted by Alexandru Ionica <gremlin@networked.ro>, and revised by Jason Haar <Jason.Haar@trimble.co.nz>
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY WEB-MISC Proxy Server Access"; flow:established,from_server; content:"Proxy-Connection"; nocase; content:"Via"; nocase; content:"HTTP"; nocase; content: !"ERR_ACCESS_DENIED"; nocase; classtype:misc-activity; sid:100000132; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-DoS Xeneo Server Question Mark GET Request"; flow:to_server,established; pcre:"/GET \/\?{250,}/i"; reference:bugtraq,7398; reference:url,www.northernsolutions.com/support/index.php?view=support&cmd=releasenotes&productid=1; classtype:attempted-dos; sid:100000133; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"COMMUNITY WEB-MISC MaxDB Web Tool Remote Stack Overflow"; flow:to_server,established; content:"GET"; nocase; depth:3; content:"/%"; distance:0; pcre:"/^GET\s+\/\%[^\r\n]{215,}/smi"; reference:cve,2005-0684; reference:url,www.idefense.com/application/poi/display?id=234&type=vulnerabilities; classtype:attempted-admin; sid:100000140; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jsp directory traversal attempt"; flow:to_server,established; content:".jsp"; pcre:"/.jsp\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000141; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jpg directory traversal attempt"; flow:to_server,established; content:".jpg"; pcre:"/.jpg\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000142; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .gif directory traversal attempt"; flow:to_server,established; content:".gif"; pcre:"/.gif\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000143; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .wav directory traversal attempt"; flow:to_server,established; content:".wav"; pcre:"/.wav\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252;classtype:attempted-recon; sid:100000144; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .css directory traversal attempt"; flow:to_server,established; content:".css"; pcre:"/.css\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000145; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .htm directory traversal attempt"; flow:to_server,established; content:".htm"; pcre:"/.htm\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000146; rev:1;)
-#Rules submitted by rmkml
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8000 (msg:"COMMUNITY WEB-MISC Barracuda img.pl attempt"; flow:to_server,established; uricontent:"/cgi-bin/img.pl?f=.."; reference:bugtraq,14712; reference:bugtraq,14710; reference:cve,2005-2848; classtype:web-application-attack; sid:100000148; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:"COMMUNITY WEB-MISC Jboss % attempt"; flow:to_server,established; content:"GET %"; reference:bugtraq,13985; reference:cve,2005-2006; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17403; classtype:attempted-recon; sid:100000149; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC HTTP Transfer-Content Request Smuggling attempt"; flow:to_server,established; content:"Transfer-Encoding|3A|"; content:"chunked"; content:"Content-Length|3A|"; nocase; reference:bugtraq,13873; reference:bugtraq,14106; reference:cve,2005-2088; reference:cve,2005-2089; reference:cve,2005-2090; reference:cve,2005-2091; reference:cve,2005-2092; reference:cve,2005-2093; reference:cve,2005-2094; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17738; reference:nessus,18337; classtype:attempted-admin; sid:100000150; rev:1;)
-alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Linksys apply.cgi overflow attempt"; flow:to_server,established; uricontent:"/apply.cgi"; content:"Content-Length|3A|"; pcre:"/Content-Length\x3A\s*[^\r\n]{1000,}/smi"; reference:bugtraq,14822; reference:cve,2005-2799; reference:nessus,20096; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19389; classtype:web-application-attack; sid:100000177; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Hasbani-WindWeb GET DoS attempt"; flow:to_server,established; uricontent:"..\:..\:..\:.."; reference:bugtraq,15225; reference:nessus,20097; classtype:attempted-dos; sid:100000178; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 898 (msg:"COMMUNITY WEB-MISC SMC TRACE access"; flow:to_server,established; content:"TRACE"; depth:5; reference:url,www.kb.cert.org/vuls/id/867593; classtype:attempted-recon; sid:100000179; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"COMMUNITY WEB-MISC JBoss JMXInvokerServlet access"; flow:to_server,established; uricontent:"/invoker/JMXInvokerServlet"; reference:url,online.securityfocus.com/archive/1/415707; classtype:misc-activity; sid:100000184; rev:1;)
-alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"COMMUNITY WEB-MISC apache directory list attempt"; flow:to_client,established; content:"HTTP/1.1 200 OK"; depth:15; content:"Index of /"; nocase; within:200; reference:bugtraq,3009; reference:cve,2001-0731; classtype:web-application-activity; sid:100000185; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 41080 (msg:"COMMUNITY WEB-MISC Symantec Brightmail Antispam default login attempt"; flow:to_server,established; uricontent:"/brightmail/viewLogin.do"; nocase; uricontent:"user|3D|admin"; nocase; uricontent:"pass|3D|symantec"; nocase; reference:nessus,19598; reference:url,securityresponse.symantec.com/avcenter/security/Content/2005.05.31a.html; classtype:web-application-attack; sid:100000200; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC FtpLocate flsearch.pl possible command execution attempt"; flow:to_server,established; uricontent:"/flsearch.pl"; nocase; uricontent:"cmd|3D|exec_flsearch"; nocase; reference:bugtraq,14367; reference:cve,2005-2420; reference:nessus,19300; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=18305; classtype:web-application-attack; sid:100000209; rev:2;)
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC generic cmd pipe after = attempt"; flow:to_server,established; uricontent:"|3D 7C|"; nocase; classtype:web-application-attack; sid:100000210; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Trend Micro ServerProtect isaNVWRequest.dll access"; flow:to_server,established; content:"POST"; nocase; depth:4; uricontent:"/ControlManager/cgi-bin/VA/isaNVWRequest.dll"; nocase; reference:cve,2005-1929; reference:url,www.idefense.com/application/poi/display?id=353&type=vulnerabilities; classtype:web-application-attack; sid:100000216; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC man2web cmd exec attempt"; flow:to_server,established; uricontent:"/man2web"; nocase; uricontent:"|2D|P"; reference:cve,2005-2812; reference:bugtraq,14747; reference:nessus,19591; classtype:web-application-attack; sid:100000217; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ASPSurvey Login_Validate.asp Password param access"; flow:to_server,established; uricontent:"/Login_Validate.asp"; nocase; uricontent:"Password|3D|"; nocase; reference:cve,2006-0192; classtype:web-application-activity; sid:100000225; rev:1;)
-
-#Rule to detect use of Google's translation feature to bypass content monitor submitted by David Bianco
-alert tcp any any -> any $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Proxy Bypass Via Google Translation Same To And From Language"; flow:established, to_server; uricontent:"/translate?"; pcre:"/translate\?.*langpair=([a-zA-Z]+)(%7C|\|)\1\&/Ui"; classtype: policy-violation; reference:url,www.boingboing.net/2006/02/22/argonne_national_lab.html; sid:100000237; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DeviceSelection.asp sRedirectUrl parameter access"; flow:to_server,established; uricontent:"DeviceSelection.asp"; nocase; uricontent:"sRedirectUrl="; nocase; pcre:"/sRedirectUrl=(https?|ftp)/Ui"; reference:bugtraq,17964; classtype:web-application-attack; sid:100000302; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DeviceSelection.asp sCancelURL parameter access"; flow:to_server,established; uricontent:"DeviceSelection.asp"; nocase; uricontent:"sCancelURL="; nocase; pcre:"/sCancelURL=(https?|ftp)/Ui"; reference:bugtraq,17964; classtype:web-application-attack; sid:100000303; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21700 (msg:"COMMUNITY WEB-MISC 3Com Network Supervisor directory traversal"; flow:to_server,established; content:"GET"; nocase; pcre:"/GET[^\r\n]*?\x2e\x2e(\x2f|\x5c)[^\r\n]*?HTTP[^\r\n]*?\r\n/msi"; reference:bugtraq,14715; reference:cve,2005-2020; classtype:web-application-attack; sid:100000313; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MediaWiki parser script insertion attempt"; flow:to_server,established; content:"POST"; nocase; content:"|7B 7B 7B|"; pcre:"/\x7B\x7B\x7B[^\r\n]*\x3C[^\r\n]*\x7C[^\r\n]*\x3E[^\r\n]*\x7D\x7D\x7D/"; reference:cve,2006-2611; classtype:attempted-user; sid:100000314; rev:1;)
-
-#Rules for detecting HTTP PUT requests, successful or not, submitted by David Bianco; enable only after reading the rule documentation for these two SIDs
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC HTTP PUT Request"; flow:to_server,established; content:"PUT "; depth:4; flowbits:set,http.put; flowbits:noalert; classtype:misc-activity; reference:url,infosecpotpourri.blogspot.com/2006/06/http-put-defacement-attempts.html; sid:100000315; rev:1;)
-#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"COMMUNITY WEB-MISC HTTP PUT Request Successful"; flow:from_server,established; flowbits:isset,http.put; content:"HTTP/"; nocase; depth:5; content:"200"; within:7; classtype:web-application-attack; reference:url,infosecpotpourri.blogspot.com/2006/06/http-put-defacement-attempts.html; sid:100000316; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBazar classified_right.php remote file include"; flow:to_server,established; uricontent:"/classified_right.php"; nocase; uricontent:"language_dir="; nocase; pcre:"/language_dir=(https?|ftp)/Ui"; reference:bugtraq,18052; classtype:web-application-attack; sid:100000317; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBazar admin.php unauthorized administrative access"; flow:to_server,established; uricontent:"/admin/admin.php"; nocase; uricontent:"action=edit_member&value=1"; nocase; reference:bugtraq,18053; reference:cve,2006-2527; classtype:web-application-attack; sid:100000318; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ActualScripts direct.php remote file include"; flow:to_server,established; uricontent:"/direct.php"; nocase; uricontent:"rf="; nocase; pcre:"/rf=(https?|ftp)/Ui"; reference:bugtraq,17597; classtype:web-application-attack; sid:100000319; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews functions.php remote file include"; flow:to_server,established; uricontent:"/functions.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000320; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews help.php remote file include"; flow:to_server,established; uricontent:"/help.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000321; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews mail.php remote file include"; flow:to_server,established; uricontent:"/mail.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000322; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews news.php remote file include"; flow:to_server,established; uricontent:"/news.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000323; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews template.php remote file include"; flow:to_server,established; uricontent:"/template.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000324; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_cats.php remote file include"; flow:to_server,established; uricontent:"/Admin/admin_cats.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000325; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_edit.php remote file include"; flow:to_server,established; uricontent:"/Admin/admin_edit.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000326; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_import.php remote file include"; flow:to_server,established; uricontent:"/Admin/admin_import.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000327; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_templates.php remote file include"; flow:to_server,established; uricontent:"/Admin/admin_templates.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000328; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Invision Power Board class_post.php remote file include"; flow:to_server,established; uricontent:"/classes/post/class_post.php"; nocase; uricontent:"post_icon="; nocase; pcre:"/post_icon=(https?|ftp)/Ui"; reference:bugtraq,18040; classtype:web-application-attack; sid:100000329; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Invision Power Board moderate.php remote file include"; flow:to_server,established; uricontent:"/action_public/moderate.php"; nocase; uricontent:"df="; nocase; pcre:"/df=(https?|ftp)/Ui"; reference:bugtraq,18040; classtype:web-application-attack; sid:100000330; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ZixForum settings.asp access"; flow:to_server,established; uricontent:"/settings.asp"; nocase; uricontent:"layid="; nocase; reference:bugtraq,18043; classtype:web-application-attack; sid:100000331; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Artmedic Newsletter log.php access"; flow:to_server,established; uricontent:"/log.php"; nocase; uricontent:"email="; nocase; reference:bugtraq,18047; classtype:web-application-attack; sid:100000332; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Artmedic Newsletter log.php access"; flow:to_server,established; uricontent:"/log.php"; nocase; uricontent:"logfile="; nocase; reference:bugtraq,18047; classtype:web-application-attack; sid:100000333; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CaLogic Calendars reconfig.php remote file include"; flow:to_server,established; uricontent:"/reconfig.php"; nocase; uricontent:"CLPath="; nocase; pcre:"/CLPath=(https?|ftp)/Ui"; reference:bugtraq,18076; classtype:web-application-attack; sid:100000334; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CaLogic Calendars srxclr.php remote file include"; flow:to_server,established; uricontent:"/srxclr.php"; nocase; uricontent:"CLPath="; nocase; pcre:"/CLPath=(https?|ftp)/Ui"; reference:bugtraq,18076; classtype:web-application-attack; sid:100000335; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpMyDirectory footer.php remote file include"; flow:to_server,established; uricontent:"/footer.php"; nocase; uricontent:"ROOT_PATH="; nocase; pcre:"/ROOT_PATH=(https?|ftp)/Ui"; reference:cve,2006-2521; classtype:web-application-attack; sid:100000336; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpMyDirectory defaults_setup.php remote file include"; flow:to_server,established; uricontent:"/defaults_setup.php"; nocase; uricontent:"ROOT_PATH="; nocase; pcre:"/ROOT_PATH=(https?|ftp)/Ui"; reference:cve,2006-2521; classtype:web-application-attack; sid:100000337; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpMyDirectory header.php remote file include"; flow:to_server,established; uricontent:"/header.php"; nocase; uricontent:"ROOT_PATH="; nocase; pcre:"/ROOT_PATH=(https?|ftp)/Ui"; reference:cve,2006-2521; classtype:web-application-attack; sid:100000338; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC V-Webmail core.php remote file include"; flow:to_server,established; uricontent:"/includes/mailaccess/pop3/core.php"; nocase; uricontent:"CONFIG[pear_dir]="; nocase; pcre:"/CONFIG[pear_dir]=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20297/; classtype:web-application-attack; sid:100000339; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC V-Webmail pop3.php remote file include"; flow:to_server,established; uricontent:"/includes/mailaccess/pop3.php"; nocase; uricontent:"CONFIG[pear_dir]="; nocase; pcre:"/CONFIG[pear_dir]=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20297/; classtype:web-application-attack; sid:100000340; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DoceboLMS help.php remote file include"; flow:to_server,established; uricontent:"/modules/credits/help.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18110; classtype:web-application-attack; sid:100000341; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DoceboLMS business.php remote file include"; flow:to_server,established; uricontent:"/modules/credits/business.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18110; classtype:web-application-attack; sid:100000342; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DoceboLMS credits.php remote file include"; flow:to_server,established; uricontent:"/modules/credits/credits.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18110; classtype:web-application-attack; sid:100000343; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC SocketMail index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"site_path="; nocase; pcre:"/site_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20273/; classtype:web-application-attack; sid:100000344; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC SocketMail inc-common.php remote file include"; flow:to_server,established; uricontent:"/inc-common.php"; nocase; uricontent:"site_path="; nocase; pcre:"/site_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20273/; classtype:web-application-attack; sid:100000345; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Plume CMS prepend.php remote file include"; flow:to_server,established; uricontent:"/manager/frontinc/prepend.php"; nocase; uricontent:"_PX_config[manager_path]="; nocase; pcre:"/_PX_config[manager_path]=(https?|ftp)/Ui"; reference:bugtraq,16662; classtype:web-application-attack; sid:100000346; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ezupload Pro form.php remote file include"; flow:to_server,established; uricontent:"/form.php"; nocase; uricontent:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; reference:bugtraq,18135; classtype:web-application-attack; sid:100000347; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ezupload Pro customize.php remote file include"; flow:to_server,established; uricontent:"/customize.php"; nocase; uricontent:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; reference:bugtraq,18135; classtype:web-application-attack; sid:100000348; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ezupload Pro initialize.php remote file include"; flow:to_server,established; uricontent:"/initialize.php"; nocase; uricontent:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; reference:bugtraq,18135; classtype:web-application-attack; sid:100000349; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC UBBThreads ubbt.inc.php remote file include"; flow:to_server,established; uricontent:"/ubbt.inc.php"; nocase; uricontent:"GLOBALS[thispath]="; nocase; pcre:"/GLOBALS[thispath]=(https?|ftp)/Ui"; reference:url,www.nukedx.com/?viewdoc=40; classtype:web-application-attack; sid:100000350; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC UBBThreads config[cookieprefix] remote file include"; flow:to_server,established; uricontent:"/includepollresults.php?config[cookieprefix]"; nocase; uricontent:"w3t_language="; nocase; pcre:"/w3t_language=(https?|ftp)/Ui"; reference:url,www.nukedx.com/?viewdoc=40; classtype:web-application-attack; sid:100000351; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Blend Portal blend_common.php remote file include"; flow:to_server,established; uricontent:"/blend_data/blend_common.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18153; reference:url,www.nukedx.com/?viewdoc=41; classtype:web-application-attack; sid:100000352; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC tinyBB footers.php remote file include"; flow:to_server,established; uricontent:"/footers.php"; nocase; uricontent:"tinybb_footers="; nocase; pcre:"/tinybb_footers=(https?|ftp)/Ui"; reference:bugtraq,18147; classtype:web-application-attack; sid:100000353; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBB-Amod lang_activity.php remote file include"; flow:to_server,established; uricontent:"/lang_activity.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18155; classtype:web-application-attack; sid:100000354; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC eSyndiCat cron.php remote file include"; flow:to_server,established; uricontent:"/admin/cron.php"; nocase; uricontent:"path_to_config="; nocase; pcre:"/path_to_config=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20218/; classtype:web-application-attack; sid:100000355; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BASE base_qry_common.php remote file include"; flow:to_server,established; uricontent:"/base_qry_common.php"; nocase; uricontent:"BASE_path="; nocase; pcre:"/BASE_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000356; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BASE base_stat_common.php remote file include"; flow:to_server,established; uricontent:"/base_stat_common.php"; nocase; uricontent:"BASE_path="; nocase; pcre:"/BASE_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000357; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BASE base_include.inc.php remote file include"; flow:to_server,established; uricontent:"/base_include.inc.php"; nocase; uricontent:"BASE_path="; nocase; pcre:"/BASE_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000358; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS drucken.php remote file include"; flow:to_server,established; uricontent:"/drucken.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000359; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS drucken2.php remote file include"; flow:to_server,established; uricontent:"/drucken2.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000360; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS email_an_benutzer.php remote file include"; flow:to_server,established; uricontent:"/email_an_benutzer.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000361; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS rechnung.php remote file include"; flow:to_server,established; uricontent:"/rechnung.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000362; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS search.php remote file include"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000363; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS admin.php remote file include"; flow:to_server,established; uricontent:"/admin.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000364; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke index.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/index.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000365; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_ug_auth.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_ug_auth.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000366; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_board.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_board.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000367; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_disallow.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_disallow.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000368; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_forumauth.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_forumauth.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000369; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_groups.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_groups.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000370; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_ranks.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_ranks.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000371; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_styles.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_styles.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000372; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_user_ban.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_user_ban.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000373; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_words.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_words.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000374; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_avatar.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_avatar.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000375; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_db_utilities.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_db_utilities.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000376; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_forum_prune.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_forum_prune.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000377; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_forums.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_forums.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000378; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_mass_email.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_mass_email.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000379; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_smilies.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_smilies.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000380; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY
WEB-MISC phpNuke admin_users.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_users.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000382; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC OsTicket open_form.php remote file include"; flow:to_server,established; uricontent:"/open_form.php"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=(https?|ftp)/Ui"; reference:bugtraq,18190; classtype:web-application-attack; sid:100000383; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ottoman index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"default_path="; nocase; pcre:"/default_path=(https?|ftp)/Ui"; reference:bugtraq,18208; classtype:web-application-attack; sid:100000384; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ottoman error.php remote file include"; flow:to_server,established; uricontent:"/error.php"; nocase; uricontent:"default_path="; nocase; pcre:"/default_path=(https?|ftp)/Ui"; reference:bugtraq,18208; classtype:web-application-attack; sid:100000385; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ottoman main_class.php remote file include"; flow:to_server,established; uricontent:"/classes/main_class.php"; nocase; uricontent:"default_path="; nocase; pcre:"/default_path=(https?|ftp)/Ui"; reference:bugtraq,18208; classtype:web-application-attack; sid:100000386; rev:2;) - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia index.php remote file include"; flow:to_server,established; uricontent:"/orid/index.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; 
classtype:web-application-attack; sid:100000387; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia topman.php remote file include"; flow:to_server,established; uricontent:"/orid/topman.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000388; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia approb.php remote file include"; flow:to_server,established; uricontent:"/orid/approb.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000389; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia vacadmb.php remote file include"; flow:to_server,established; uricontent:"/orid/vacadmb.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000390; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia vacadma.php remote file include"; flow:to_server,established; uricontent:"/orid/vacadma.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000391; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia vacadm.php remote file include"; flow:to_server,established; uricontent:"/orid/vacadm.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000392; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia start.php remote file include"; flow:to_server,established; 
uricontent:"/orid/start.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000393; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia search.php remote file include"; flow:to_server,established; uricontent:"/orid/search.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000394; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia posts.php remote file include"; flow:to_server,established; uricontent:"/orid/posts.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000395; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia options.php remote file include"; flow:to_server,established; uricontent:"/orid/options.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000396; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia login.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/login.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000397; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia frchart.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/frchart.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000398; rev:2;) -alert tcp $EXTERNAL_NET 
any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia flbchart.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/flbchart.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000399; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia fileman.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/fileman.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000400; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia faq.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/faq.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000401; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia event.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/event.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000402; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia directory.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/directory.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000403; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia articles.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/articles.php"; nocase; 
uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000404; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia artedit.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/artedit.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000405; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia approb.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/approb.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000406; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia calday.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/calday.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000407; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC AssoCIateD cache_mngt.php remote file include"; flow:to_server,established; uricontent:"/cache_mngt.php"; nocase; uricontent:"root_path="; nocase; pcre:"/root_path=(https?|ftp)/Ui"; reference:bugtraq,18220; classtype:web-application-attack; sid:100000408; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC AssoCIateD gallery_functions.php remote file include"; flow:to_server,established; uricontent:"/gallery_functions.php"; nocase; uricontent:"root_path="; nocase; pcre:"/root_path=(https?|ftp)/Ui"; reference:bugtraq,18220; classtype:web-application-attack; sid:100000409; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/image_resize/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000410; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/simple_user/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000411; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/stats/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000412; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/import_export/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000413; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO community.inc.php remote file include"; flow:to_server,established; uricontent:"/include/pages/community.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000414; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Bytehoard server.php 
remote file include"; flow:to_server,established; uricontent:"/includes/webdav/server.php"; nocase; uricontent:"bhconfig[bhfilepath]="; nocase; pcre:"/bhconfig[bhfilepath]=(https?|ftp)/Ui"; reference:bugtraq,18234; classtype:web-application-attack; sid:100000415; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MyBloggie admin.php remote file include"; flow:to_server,established; uricontent:"/admin.php"; nocase; uricontent:"mybloggie_root_path="; nocase; pcre:"/mybloggie_root_path=(https?|ftp)/Ui"; reference:bugtraq,18241; classtype:web-application-attack; sid:100000416; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MyBloggie scode.php remote file include"; flow:to_server,established; uricontent:"/scode.php"; nocase; uricontent:"mybloggie_root_path="; nocase; pcre:"/mybloggie_root_path=(https?|ftp)/Ui"; reference:bugtraq,18241; classtype:web-application-attack; sid:100000417; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ashwebstudio Ashnews ashheadlines.php remote file include"; flow:to_server,established; uricontent:"/ashheadlines.php"; nocase; uricontent:"pathtoashnews="; nocase; pcre:"/pathtoashnews=(https?|ftp)/Ui"; reference:bugtraq,18248; classtype:web-application-attack; sid:100000418; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ashwebstudio Ashnews ashnews.php remote file include"; flow:to_server,established; uricontent:"/ashnews.php"; nocase; uricontent:"pathtoashnews="; nocase; pcre:"/pathtoashnews=(https?|ftp)/Ui"; reference:bugtraq,18248; classtype:web-application-attack; sid:100000419; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Informium common-menu.php remote file include"; flow:to_server,established; uricontent:"/admin/common-menu.php"; nocase; uricontent:"CONF[local_path]="; nocase; pcre:"/CONF[local_path]=(https?|ftp)/Ui"; 
reference:bugtraq,18249; classtype:web-application-attack; sid:100000420; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Igloo wiki.php remote file include"; flow:to_server,established; uricontent:"/wiki.php"; nocase; uricontent:"c_node[class_path]="; nocase; pcre:"/c_node[class_path]=(https?|ftp)/Ui"; reference:bugtraq,18250; classtype:web-application-attack; sid:100000421; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBB template.php remote file include"; flow:to_server,established; uricontent:"/template.php"; nocase; uricontent:"page="; nocase; pcre:"/page=(https?|ftp)/Ui"; reference:bugtraq,18255; classtype:web-application-attack; sid:100000422; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotWidget CMS index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"file_path="; nocase; pcre:"/file_path=(https?|ftp)/Ui"; reference:bugtraq,18258; classtype:web-application-attack; sid:100000423; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotWidget CMS feedback.php remote file include"; flow:to_server,established; uricontent:"/feedback.php"; nocase; uricontent:"file_path="; nocase; pcre:"/file_path=(https?|ftp)/Ui"; reference:bugtraq,18258; classtype:web-application-attack; sid:100000424; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotWidget CMS printfriendly.php remote file include"; flow:to_server,established; uricontent:"/printfriendly.php"; nocase; uricontent:"file_path="; nocase; pcre:"/file_path=(https?|ftp)/Ui"; reference:bugtraq,18258; classtype:web-application-attack; sid:100000425; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotClear prepend.php remote file include"; flow:to_server,established; uricontent:"/prepend.php"; nocase; 
uricontent:"blog_dc_path="; nocase; pcre:"/blog_dc_path=(https?|ftp)/Ui"; reference:bugtraq,18259; classtype:web-application-attack; sid:100000426; rev:2;)
-
-# JBoss Rules from Jon Hart <jhart@spoofed.org>
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC JBoss jmx-console html adaptor access"; flow:to_server,established; uricontent:"/jmx-console/HtmlAdaptor"; reference:url,jboss.org/wiki/Wiki.jsp?page=JMXConsole; classtype:misc-activity; sid:100000427; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:"COMMUNITY WEB-MISC JBoss RMI class download service directory listing attempt"; flow:to_server,established; content:"GET %. HTTP/1."; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2; classtype:web-application-attack; sid:100000428; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC JBoss web-console access"; flow:to_server,established; uricontent:"/web-console"; reference:url,www.jboss.org/wiki/Wiki.jsp?page=WebConsole; classtype:misc-activity; sid:100000429; rev:1;)
-
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_Faq.class.php remote file include"; flow:to_server,established; uricontent:"/applications/faq/Bs_Faq.class.php"; nocase; uricontent:"APP[path][applications]="; nocase; pcre:"/APP\[path\]\[applications\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000430; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes fileBrowserInner.php remote file include"; flow:to_server,established; uricontent:"/applications/filebrowser/fileBrowserInner.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000431; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes file.php
remote file include"; flow:to_server,established; uricontent:"/applications/filemanager/file.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000432; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes viewer.php remote file include"; flow:to_server,established; uricontent:"/applications/filemanager/viewer.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000433; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_ImageArchive.class.php remote file include"; flow:to_server,established; uricontent:"/applications/imagearchive/Bs_ImageArchive.class.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000434; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_Ml_User.class.php remote file include"; flow:to_server,established; uricontent:"/applications/mailinglist/Bs_Ml_User.class.php"; nocase; uricontent:"GLOBALS[APP][path][core]="; nocase; pcre:"/GLOBALS\[APP\]\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000435; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_Wse_Profile.class.php remote file include"; flow:to_server,established; uricontent:"/applications/websearchengine/Bs_Wse_Profile.class.php"; nocase; uricontent:"APP[path][plugins]="; nocase; pcre:"/APP\[path\]\[plugins\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000436; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CS-Cart 
class.cs_phpmailer.php remote file include"; flow:to_server,established; uricontent:"/class.cs_phpmailer.php"; nocase; uricontent:"classes_dir="; nocase; pcre:"/classes_dir=(https?|ftp)/Ui"; reference:bugtraq,18263; classtype:web-application-attack; sid:100000437; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Claroline mambo.inc.php remote file include"; flow:to_server,established; uricontent:"/auth/extauth/drivers/mambo.inc.php"; nocase; uricontent:"includepath="; nocase; pcre:"/includepath=(https?|ftp)/Ui"; reference:bugtraq,18265; classtype:web-application-attack; sid:100000438; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Claroline postnuke.inc.php remote file include"; flow:to_server,established; uricontent:"/auth/extauth/drivers/postnuke.inc.php"; nocase; uricontent:"includepath="; nocase; pcre:"/includepath=(https?|ftp)/Ui"; reference:bugtraq,18265; classtype:web-application-attack; sid:100000439; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CyBoards common.php remote file include"; flow:to_server,established; uricontent:"/include/common.php"; nocase; uricontent:"script_path="; nocase; pcre:"/script_path=(https?|ftp)/Ui"; reference:bugtraq,18272; classtype:web-application-attack; sid:100000440; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Wikiwig wk_lang.php remote file include"; flow:to_server,established; uricontent:"/wk_lang.php"; nocase; uricontent:"WK[wkpath]="; nocase; pcre:"/WK\[wkpath\]=(https?|ftp)/Ui"; reference:bugtraq,18291; classtype:web-application-attack; sid:100000441; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MiraksGalerie pcltar.lib.php remote file include"; flow:to_server,established; uricontent:"/pcltar.lib.php"; nocase; uricontent:"g_pcltar_lib_dir="; nocase; pcre:"/g_pcltar_lib_dir=(https?|ftp)/Ui"; 
reference:bugtraq,18313; classtype:web-application-attack; sid:100000442; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MiraksGalerie galimage.lib.php remote file include"; flow:to_server,established; uricontent:"/galimage.lib.php"; nocase; uricontent:"listconfigfile[0]="; nocase; pcre:"/listconfigfile\[0\]=(https?|ftp)/Ui"; reference:bugtraq,18313; classtype:web-application-attack; sid:100000443; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MiraksGalerie galsecurity.lib.php remote file include"; flow:to_server,established; uricontent:"/galsecurity.lib.php"; nocase; uricontent:"listconfigfile[0]="; nocase; pcre:"/listconfigfile\[0\]=(https?|ftp)/Ui"; reference:bugtraq,18313; classtype:web-application-attack; sid:100000444; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC OfficeFlow default.asp xss attempt"; flow:to_server,established; uricontent:"/default.asp"; nocase; uricontent:"sqlType="; nocase; pcre:"/sqlType(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18367; classtype:web-application-attack; sid:100000448; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC OfficeFlow files.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"/files.asp"; nocase; uricontent:"Project="; nocase; pcre:"/Project(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18367; classtype:web-application-attack; sid:100000449; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VanillaSoft Helpdesk default.asp xss attempt"; flow:to_server,established; uricontent:"/default.asp"; nocase; uricontent:"username="; nocase; pcre:"/username(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18368; classtype:web-application-attack; sid:100000450; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice album.asp xss attempt"; 
flow:to_server,established; uricontent:"/album.asp"; nocase; uricontent:"cat="; nocase; pcre:"/cat(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000451; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice album.asp xss attempt"; flow:to_server,established; uricontent:"/album.asp"; nocase; uricontent:"albumid="; nocase; pcre:"/albumid(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000452; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice edtalbum.asp xss attempt"; flow:to_server,established; uricontent:"/edtalbum.asp"; nocase; uricontent:"apage="; nocase; pcre:"/apage(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000453; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice edtalbum.asp xss attempt"; flow:to_server,established; uricontent:"/edtalbum.asp"; nocase; uricontent:"New Category="; nocase; pcre:"/New Category(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000454; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Axent Forum viewposts.cfm xss attempt"; flow:to_server,established; uricontent:"/viewposts.cfm"; nocase; uricontent:"startrow="; nocase; pcre:"/startrow(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18473; classtype:web-application-attack; sid:100000455; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC SSPwiz index.cfm xss attempt"; flow:to_server,established; uricontent:"/index.cfm"; nocase; uricontent:"message="; nocase; pcre:"/message(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18482; classtype:web-application-attack; sid:100000456; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC 
ASP Stats pages.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"/pages.asp"; nocase; uricontent:"order="; nocase; pcre:"/order(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18512; classtype:web-application-attack; sid:100000457; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DPVision Tradingeye Shop details.cfm xss attempt"; flow:to_server,established; uricontent:"/details.cfm"; nocase; uricontent:"image="; nocase; pcre:"/image(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18526; classtype:web-application-attack; sid:100000458; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC WeBBoA yeni_host.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"host/yeni_host.asp"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18564; classtype:web-application-attack; sid:100000459; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC AZureus index.tmpl xss attempt"; flow:to_server,established; uricontent:"/index.tmpl"; nocase; uricontent:"search="; nocase; pcre:"/search(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18596; classtype:web-application-attack; sid:100000460; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Open WebMail openwebmail-read.pl xss attempt"; flow:to_server,established; uricontent:"/openwebmail-read.pl"; nocase; uricontent:"To="; nocase; pcre:"/To(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18598; classtype:web-application-attack; sid:100000461; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Open WebMail openwebmail-read.pl xss attempt"; flow:to_server,established; uricontent:"/openwebmail-read.pl"; nocase; uricontent:"From="; nocase; pcre:"/From(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18598; classtype:web-application-attack; sid:100000462; rev:1;) 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO gbrowse.php SQL injection attempt"; flow:to_server,established; uricontent:"/gbrowse.php"; nocase; uricontent:"cat_id="; nocase; pcre:"/cat_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000694; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO rating.php SQL injection attempt"; flow:to_server,established; uricontent:"/rating.php"; nocase; uricontent:"card_id="; nocase; pcre:"/card_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000695; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO create.php SQL injection attempt"; flow:to_server,established; uricontent:"/create.php"; nocase; uricontent:"card_id="; nocase; pcre:"/card_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000696; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO search.php SQL injection attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"event_id="; nocase; pcre:"/event_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000697; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BXCP index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"where="; nocase; pcre:"/where(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18765; classtype:web-application-attack; sid:100000698; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Vincent Leclercq News diver.php xss attempt"; flow:to_server,established; uricontent:"/divers.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18775; classtype:web-application-attack; 
sid:100000699; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Vincent Leclercq News diver.php xss attempt"; flow:to_server,established; uricontent:"/divers.php"; nocase; uricontent:"disable="; nocase; pcre:"/disable(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18775; classtype:web-application-attack; sid:100000700; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC WordPress index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"paged="; nocase; pcre:"/paged(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18779; classtype:web-application-attack; sid:100000701; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Webvizyon SayfalaAltList.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"/SayfalaAltList.asp"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18899; classtype:web-application-attack; sid:100000702; rev:1;)
-
-# Rules submitted by rmkml
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 10000 (msg:"COMMUNITY WEB-MISC Webmin null char attempt"; flow:to_server,established; uricontent:"miniserv.pl"; nocase; uricontent:"|00|"; reference:bugtraq,19820; reference:nessus,22300; classtype:web-application-attack; sid:100000890; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 20000 (msg:"COMMUNITY WEB-MISC Usermin null char attempt"; flow:to_server,established; uricontent:"miniserv.pl"; nocase; uricontent:"|00|"; reference:bugtraq,19820; reference:nessus,22300; classtype:web-application-attack; sid:100000891; rev:1;)
-
-# Rule submitted by Avinash Shenoi (Cenzic Inc.
CIA Research Team)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog blog-category-description xss attempt"; flow:to_server; content:"blog-category-description"; nocase; pcre:"/blog-category-description(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000895; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog blog-entry-title xss attempt"; flow:to_server; content:"blog-entry-title"; nocase; pcre:"/blog-entry-title(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000896; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog rss-enclosure-url xss attempt"; flow:to_server; content:"rss-enclosure-url"; nocase; pcre:"/rss-enclosure-url(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000897; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog technorati-tags xss attempt"; flow:to_server; content:"technorati-tags"; nocase; pcre:"/technorati-tags(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000898; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog blog-category-name xss attempt"; flow:to_server; content:"blog-category-name"; nocase; pcre:"/blog-category-name(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000899; rev:1;)
diff -Nru snort-2.8.5.2/rules/community-web-php.rules snort-2.9.2/rules/community-web-php.rules
--- snort-2.8.5.2/rules/community-web-php.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/community-web-php.rules 1970-01-01
00:00:00.000000000 +0000 
@@ -1,474 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved. # These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-web-php.rules,v 1.32 2007/02/22 20:44:35 akirk Exp $
-
-#Rules submitted by rmkml
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP piranha default passwd attempt"; flow:to_server,established; uricontent:"/piranha/secure/control.php3"; content:"Authorization|3A| Basic cGlyYW5oYTp"; reference:bugtraq,1148; reference:cve,2000-0248; reference:nessus,10381; classtype:attempted-recon; sid:100000151; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP phpinfo access"; flow:to_server,established; uricontent:"/phpinfo.php"; nocase; reference:bugtraq,5789; reference:cve,2002-1149; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=3356; classtype:successful-recon-limited; sid:100000186; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP XSS attempt"; flow:to_server,established; uricontent:"|2E|php"; nocase; uricontent:"|3C|script|3E|"; nocase; uricontent:"|3C 2F|script|3E|"; nocase; classtype:web-application-attack; sid:100000187; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Vubb Path attempt"; flow:to_server,established; uricontent:"/forum/index.php"; nocase; content:"|26 66 3D 27|"; reference:cve,2005-3513; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=113087965608496&w=2; classtype:web-application-attack; sid:100000188; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP _SERVER HTTP_ACCEPT_LANGUAGE access"; flow:to_server,established; content:"GET"; nocase; depth:3; uricontent:"|2E|php"; nocase; uricontent:"|5F|SERVER|5B|HTTP|5F|ACCEPT|5F|LANGUAGE|5D|"; nocase; reference:bugtraq,15414; reference:cve,2005-3347; classtype:web-application-attack; sid:100000195; 
rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP CuteNews flood.db.php access"; flow:to_server,established; uricontent:"/data/flood.db.php"; nocase; reference:bugtraq,14869; reference:cve,2005-3010; reference:nessus,19756; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19478; classtype:web-application-attack; sid:100000201; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP DeluxeBB topic.php access"; flow:to_server,established; uricontent:"/topic.php"; nocase; uricontent:"tid|3D|"; nocase; reference:bugtraq,14851; reference:cve,2005-2989; reference:nessus,19750; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19404; classtype:web-application-attack; sid:100000202; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP DeluxeBB misc.php access"; flow:to_server,established; uricontent:"/misc.php"; nocase; uricontent:"uid|3D|"; nocase; reference:bugtraq,14851; reference:cve,2005-2989; reference:nessus,19750; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19405; classtype:web-application-attack; sid:100000203; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP DeluxeBB pm.php access"; flow:to_server,established; uricontent:"/pm.php"; nocase; uricontent:"uid|3D|"; nocase; reference:bugtraq,14851; reference:cve,2005-2989; reference:nessus,19750; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19407; classtype:web-application-attack; sid:100000204; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP DeluxeBB forums.php access"; flow:to_server,established; uricontent:"/forums.php"; nocase; uricontent:"fid|3D|"; nocase; reference:bugtraq,14851; reference:cve,2005-2989; reference:nessus,19750; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19406; classtype:web-application-attack; sid:100000205; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"COMMUNITY WEB-PHP DeluxeBB newpost.php access"; flow:to_server,established; uricontent:"/newpost.php"; nocase; uricontent:"fid|3D|"; nocase; reference:bugtraq,14851; reference:cve,2005-2989; reference:nessus,19750; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19408; classtype:web-application-attack; sid:100000206; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gallery g2_itemId access"; flow:to_server,established; uricontent:"/main.php"; nocase; uricontent:"g2_itemId|3D|"; nocase; reference:bugtraq,15108; reference:cve,2005-0222; reference:nessus,20015; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=13034; classtype:web-application-attack; sid:100000211; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gallery g2_return access"; flow:to_server,established; uricontent:"/main.php"; nocase; uricontent:"g2_return|3D|"; nocase; reference:bugtraq,15108; reference:cve,2005-0222; reference:nessus,20015; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=13034; classtype:web-application-attack; sid:100000212; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gallery g2_view access"; flow:to_server,established; uricontent:"/main.php"; nocase; uricontent:"g2_view|3D|"; nocase; reference:bugtraq,15108; reference:cve,2005-0222; reference:nessus,20015; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=13034; classtype:web-application-attack; sid:100000213; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gallery g2_subView access"; flow:to_server,established; uricontent:"/main.php"; nocase; uricontent:"g2_subView|3D|"; nocase; reference:bugtraq,15108; reference:cve,2005-0222; reference:nessus,20015; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=13034; classtype:web-application-attack; sid:100000214; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"COMMUNITY WEB-PHP MailGust SQL Injection email attempt"; flow:to_server,established; uricontent:"method|3D|remind_password"; nocase; uricontent:"list|3D|maillistuser"; nocase; uricontent:"email|3D 27|"; nocase; reference:bugtraq,14933; reference:cve,2005-3063; reference:nessus,19947; classtype:web-application-attack; sid:100000218; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP-Nuke admin_styles.php phpbb_root_path access"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_styles.php"; nocase; uricontent:"phpbb_root_path|3D|"; nocase; reference:url,www.autistici.org/anacron-group-italy/file/txt/sile002adv.txt; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=16244; classtype:web-application-attack; sid:100000220; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP AppServ main.php appserv_root param access"; flow:to_server,established; uricontent:"/appserv/main.php"; nocase; uricontent:"appserv_root|3D|"; nocase; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=22228; classtype:web-application-attack; sid:100000221; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ldap_var.inc.php remote file include attempt"; flow:to_server,established; uricontent:"ldap_var.inc.php"; nocase; uricontent:"includePath="; nocase; pcre:"/includePath=(https?|ftp)/Ui"; reference:bugtraq,17915; classtype:web-application-attack; sid:100000285; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP X Poll admin access"; flow:to_server,established; uricontent:"/admin/images/add.php"; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=114710173409997&w=2; classtype:web-application-attack; sid:100000286; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline ldap.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/ldap.inc.php"; 
reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000287; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline atutor.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/atutor.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000288; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline db-generic.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/db-generic.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000289; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline docebo.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/docebo.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000290; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline dokeos.1.6.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/dokeos.1.6.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000291; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline dokeos.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/dokeos.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; 
classtype:web-application-attack; sid:100000292; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline ganesha.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/ganesha.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000293; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline mambo.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/mambo.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000294; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline moodle.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/moodle.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000295; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline phpnuke.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/phpnuke.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000296; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline postnuke.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/postnuke.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000297; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY 
WEB-PHP Claroline spip.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/spip.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000298; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline event/init_event_manager.inc.php access"; flow:to_server,established; uricontent:"claroline/inc/lib/event/init_event_manager.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000299; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline export_exe_tracking.class.php access"; flow:to_server,established; uricontent:"claroline/inc/lib/export_exe_tracking.class.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000300; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gphoto index.php rep parameter remote file include attempt"; flow:to_server,established; uricontent:"index.php"; nocase; uricontent:"rep="; nocase; pcre:"/rep=(https?|ftp)/Ui"; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2; classtype:web-application-attack; sid:100000304; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gphoto index.php image parameter remote file include attempt"; flow:to_server,established; uricontent:"index.php"; nocase; uricontent:"image="; nocase; pcre:"/image=(https?|ftp)/Ui"; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2; classtype:web-application-attack; sid:100000305; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gphoto diapho.php rep parameter remote file include attempt"; 
flow:to_server,established; uricontent:"diapho.php"; nocase; uricontent:"rep="; nocase; pcre:"/rep=(https?|ftp)/Ui"; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2; classtype:web-application-attack; sid:100000306; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gphoto diapho.php image parameter remote file include attempt"; flow:to_server,established; uricontent:"diapho.php"; nocase; uricontent:"image="; nocase; pcre:"/image=(https?|ftp)/Ui"; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2; classtype:web-application-attack; sid:100000307; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gphoto affich.php rep parameter remote file include attempt"; flow:to_server,established; uricontent:"affich.php"; nocase; uricontent:"rep="; nocase; pcre:"/rep=(https?|ftp)/Ui"; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2; classtype:web-application-attack; sid:100000308; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gphoto affich.php image parameter remote file include attempt"; flow:to_server,established; uricontent:"affich.php"; nocase; uricontent:"image="; nocase; pcre:"/image=(https?|ftp)/Ui"; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2; classtype:web-application-attack; sid:100000309; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Particle Gallery Viewimage PHP Variable Injection Attempt"; flow:to_server,established; uricontent:"viewimage.php?imageid="; nocase; pcre:"/viewimage\.php\?imageid=(![\d]+[\sa-zA-Z_]+)|([\d]+[\sa-zA-Z_]+)/Ui"; reference:bugtraq,18270; classtype:web-application-attack; sid:100000445; rev:1;)
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Particle Wiki PHP SQL Injection attempt"; flow:to_server,established; uricontent:"version="; nocase; 
pcre:"/[\x3f\x26\x3b]version=(![\d]+[\sa-zA-Z_]+)|([\d]+[\sa-zA-Z_]+)/Ui"; reference:bugtraq,18273; classtype:web-application-attack; sid:100000446; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Joomla joomla.php remote file include"; flow:to_server,established; uricontent:"/joomla.php"; nocase; uricontent:"includepath="; nocase; pcre:"/includepath=(https?|ftp)/Ui"; reference:bugtraq,18363; classtype:web-application-attack; sid:100000463; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP LoveCompass AEPartner design.inc.php remote file include"; flow:to_server,established; uricontent:"/design.inc.php"; nocase; uricontent:"dir[data]="; nocase; pcre:"/dir\[data\]=(https?|ftp)/Ui"; reference:bugtraq,18370; classtype:web-application-attack; sid:100000464; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Empris sql_fcnsOLD.php remote file include"; flow:to_server,established; uricontent:"/sql_fcnsOLD.php"; nocase; uricontent:"phormationdir="; nocase; pcre:"/phormationdir=(https?|ftp)/Ui"; reference:bugtraq,18371; classtype:web-application-attack; sid:100000465; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Free QBoard post.php remote file include"; flow:to_server,established; uricontent:"/post.php"; nocase; uricontent:"qb_path="; nocase; pcre:"/qb_path=(https?|ftp)/Ui"; reference:bugtraq,18373; classtype:web-application-attack; sid:100000466; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP WebprojectDB nav.php remote file include"; flow:to_server,established; uricontent:"/nav.php"; nocase; uricontent:"INCDIR="; nocase; pcre:"/INCDIR=(https?|ftp)/Ui"; reference:bugtraq,18378; classtype:web-application-attack; sid:100000467; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP WebprojectDB lang.php remote file include"; 
flow:to_server,established; uricontent:"/lang.php"; nocase; uricontent:"INCDIR="; nocase; pcre:"/INCDIR=(https?|ftp)/Ui"; reference:bugtraq,18378; classtype:web-application-attack; sid:100000468; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP iFoto index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"dir="; nocase; pcre:"/dir(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18391; classtype:web-application-attack; sid:100000469; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Foing manage_songs.php remote file include"; flow:to_server,established; uricontent:"/manage_songs.php"; nocase; uricontent:"foing_root_path="; nocase; pcre:"/foing_root_path=(https?|ftp)/Ui"; reference:bugtraq,18392; classtype:web-application-attack; sid:100000470; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom show.php SQL injection attempt"; flow:to_server,established; uricontent:"/show.php"; nocase; uricontent:"objectID="; nocase; pcre:"/objectID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18403; classtype:web-application-attack; sid:100000471; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom show.php SQL injection attempt"; flow:to_server,established; uricontent:"/show.php"; nocase; uricontent:"MAINID="; nocase; pcre:"/MAINID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18403; classtype:web-application-attack; sid:100000472; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom language.php SQL injection attempt"; flow:to_server,established; uricontent:"/language.php"; nocase; uricontent:"Action="; nocase; pcre:"/Action(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18403; classtype:web-application-attack; sid:100000473; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom meaning.php SQL injection 
attempt"; flow:to_server,established; uricontent:"/meaning.php"; nocase; uricontent:"QuaranID="; nocase; pcre:"/QuaranID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18403; classtype:web-application-attack; sid:100000474; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom meaning.php SQL injection attempt"; flow:to_server,established; uricontent:"/meaning.php"; nocase; uricontent:"ShowByQuranID="; nocase; pcre:"/ShowByQuranID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18403; classtype:web-application-attack; sid:100000475; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom meaning.php SQL injection attempt"; flow:to_server,established; uricontent:"/meaning.php"; nocase; uricontent:"Action="; nocase; pcre:"/Action(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18403; classtype:web-application-attack; sid:100000476; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom subject.php SQL injection attempt"; flow:to_server,established; uricontent:"/subject.php"; nocase; uricontent:"MainID="; nocase; pcre:"/MainID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18403; classtype:web-application-attack; sid:100000477; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP aWebNews visview.php remote file include"; flow:to_server,established; uricontent:"/visview.php"; nocase; uricontent:"path_to_news="; nocase; pcre:"/path_to_news=(https?|ftp)/Ui"; reference:bugtraq,18406; classtype:web-application-attack; sid:100000478; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP CzarNews headlines.php remote file include"; flow:to_server,established; uricontent:"/headlines.php"; nocase; uricontent:"tpath="; nocase; pcre:"/tpath=(https?|ftp)/Ui"; reference:bugtraq,18411; classtype:web-application-attack; sid:100000479; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY 
WEB-PHP Somery team.php remote file include"; flow:to_server,established; uricontent:"/team.php"; nocase; uricontent:"checkauth="; nocase; pcre:"/checkauth=(https?|ftp)/Ui"; reference:bugtraq,18412; classtype:web-application-attack; sid:100000480; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Hinton Design PHPHG signed.php remote file include"; flow:to_server,established; uricontent:"/signed.php"; nocase; uricontent:"phphg_real_path="; nocase; pcre:"/phphg_real_path=(https?|ftp)/Ui"; reference:bugtraq,18413; classtype:web-application-attack; sid:100000481; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP BoastMachine vote.php remote file include"; flow:to_server,established; uricontent:"/vote.php"; nocase; uricontent:"bmc_dir="; nocase; pcre:"/bmc_dir=(https?|ftp)/Ui"; reference:bugtraq,18415; classtype:web-application-attack; sid:100000482; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Wheatblog view_links.php remote file include"; flow:to_server,established; uricontent:"/view_links.php"; nocase; uricontent:"wb_inc_dir="; nocase; pcre:"/wb_inc_dir=(https?|ftp)/Ui"; reference:bugtraq,18416; classtype:web-application-attack; sid:100000483; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Confixx ftp_index.php xss attempt"; flow:to_server,established; uricontent:"/ftp_index.php"; nocase; uricontent:"lpath="; nocase; pcre:"/lpath(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18426; classtype:web-application-attack; sid:100000484; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP RahnemaCo page.php remote file include"; flow:to_server,established; uricontent:"/page.php"; nocase; uricontent:"osCsid="; nocase; pcre:"/osCsid=(https?|ftp)/Ui"; reference:bugtraq,18435; classtype:web-application-attack; sid:100000485; rev:2;)
-alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PhpBlueDragon CMS template.php remote file include"; flow:to_server,established; uricontent:"/template.php"; nocase; uricontent:"vsDragonRootPath="; nocase; pcre:"/vsDragonRootPath=(https?|ftp)/Ui"; reference:bugtraq,18440; classtype:web-application-attack; sid:100000486; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ISPConfig server.inc.php remote file include"; flow:to_server,established; uricontent:"/server.inc.php"; nocase; uricontent:"go_info[isp][classes_root]="; nocase; pcre:"/go_info\[isp\]\[classes_root\]=(https?|ftp)/Ui"; reference:bugtraq,18441; classtype:web-application-attack; sid:100000487; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ISPConfig app.inc.php remote file include"; flow:to_server,established; uricontent:"/app.inc.php"; nocase; uricontent:"go_info[isp][classes_root]="; nocase; pcre:"/go_info\[isp\]\[classes_root\]=(https?|ftp)/Ui"; reference:bugtraq,18441; classtype:web-application-attack; sid:100000488; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ISPConfig login.php remote file include"; flow:to_server,established; uricontent:"/login.php"; nocase; uricontent:"go_info[isp][classes_root]="; nocase; pcre:"/go_info\[isp\]\[classes_root\]=(https?|ftp)/Ui"; reference:bugtraq,18441; classtype:web-application-attack; sid:100000489; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ISPConfig trylogin.php remote file include"; flow:to_server,established; uricontent:"/trylogin.php"; nocase; uricontent:"go_info[isp][classes_root]="; nocase; pcre:"/go_info\[isp\]\[classes_root\]=(https?|ftp)/Ui"; reference:bugtraq,18441; classtype:web-application-attack; sid:100000490; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP DeluxeBB posting.php remote file include"; flow:to_server,established; 
uricontent:"/posting.php"; nocase; uricontent:"templatefolder="; nocase; pcre:"/templatefolder=(https?|ftp)/Ui"; reference:bugtraq,18455; classtype:web-application-attack; sid:100000491; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP DeluxeBB newpm.php remote file include"; flow:to_server,established; uricontent:"/newpm.php"; nocase; uricontent:"templatefolder="; nocase; pcre:"/templatefolder=(https?|ftp)/Ui"; reference:bugtraq,18455; classtype:web-application-attack; sid:100000492; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP DeluxeBB postreply.php remote file include"; flow:to_server,established; uricontent:"/postreply.php"; nocase; uricontent:"templatefolder="; nocase; pcre:"/templatefolder=(https?|ftp)/Ui"; reference:bugtraq,18455; classtype:web-application-attack; sid:100000493; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Zeroboard write_ok.php xss attempt"; flow:to_server,established; uricontent:"/write_ok.php"; nocase; uricontent:"$s_file_name="; nocase; pcre:"/$s_file_name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18458; classtype:web-application-attack; sid:100000494; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Zeroboard write_ok.php xss attempt"; flow:to_server,established; uricontent:"/write_ok.php"; nocase; uricontent:"$file_name="; nocase; pcre:"/$file_name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18458; classtype:web-application-attack; sid:100000495; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Chipmailer index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"anfang="; nocase; pcre:"/anfang(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18463; classtype:web-application-attack; sid:100000496; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP 
Calendarix cal_event.php SQL injection attempt"; flow:to_server,established; uricontent:"/cal_event.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18469; classtype:web-application-attack; sid:100000497; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Calendarix cal_popup.php SQL injection attempt"; flow:to_server,established; uricontent:"/cal_popup.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18469; classtype:web-application-attack; sid:100000498; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PictureDis thumstbl.php remote file include"; flow:to_server,established; uricontent:"/thumstbl.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18471; classtype:web-application-attack; sid:100000499; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PictureDis wpfiles.php remote file include"; flow:to_server,established; uricontent:"/wpfiles.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18471; classtype:web-application-attack; sid:100000500; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PictureDis wallpapr.php remote file include"; flow:to_server,established; uricontent:"/wallpapr.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18471; classtype:web-application-attack; sid:100000501; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Ji-Takz tag.class.php remote file include"; flow:to_server,established; uricontent:"/tag.class.php"; nocase; uricontent:"mycfg="; nocase; pcre:"/mycfg=(https?|ftp)/Ui"; reference:bugtraq,18474; classtype:web-application-attack; sid:100000502; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP 
Nucleus CMS action.php remote file include"; flow:to_server,established; uricontent:"/action.php"; nocase; uricontent:"DIR_LIB="; nocase; pcre:"/DIR_LIB=(https?|ftp)/Ui"; reference:bugtraq,18475; classtype:web-application-attack; sid:100000503; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Nucleus CMS media.php remote file include"; flow:to_server,established; uricontent:"/media.php"; nocase; uricontent:"DIR_LIB="; nocase; pcre:"/DIR_LIB=(https?|ftp)/Ui"; reference:bugtraq,18475; classtype:web-application-attack; sid:100000504; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Nucleus CMS server.php remote file include"; flow:to_server,established; uricontent:"/server.php"; nocase; uricontent:"DIR_LIB="; nocase; pcre:"/DIR_LIB=(https?|ftp)/Ui"; reference:bugtraq,18475; classtype:web-application-attack; sid:100000505; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Nucleus CMS api_metaweblog.inc.php remote file include"; flow:to_server,established; uricontent:"/api_metaweblog.inc.php"; nocase; uricontent:"DIR_LIB="; nocase; pcre:"/DIR_LIB=(https?|ftp)/Ui"; reference:bugtraq,18475; classtype:web-application-attack; sid:100000506; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP FlashChat adminips.php remote file include"; flow:to_server,established; uricontent:"/adminips.php"; nocase; uricontent:"banned_file="; nocase; pcre:"/banned_file=(https?|ftp)/Ui"; reference:bugtraq,18480; classtype:web-application-attack; sid:100000507; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Wikkawiki wakka.php access"; flow:to_server,established; uricontent:"/wakka.php"; nocase; uricontent:"="; nocase; reference:bugtraq,18481; classtype:web-application-activity; sid:100000508; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP RahnemaCo 
page.php remote file include"; flow:to_server,established; uricontent:"/page.php"; nocase; uricontent:"pageid="; nocase; pcre:"/pageid=(https?|ftp)/Ui"; reference:bugtraq,18490; classtype:web-application-attack; sid:100000509; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom rank.php SQL injection attempt"; flow:to_server,established; uricontent:"/rank.php"; nocase; uricontent:"MemberID="; nocase; pcre:"/MemberID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18497; classtype:web-application-attack; sid:100000510; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom message.php SQL injection attempt"; flow:to_server,established; uricontent:"/message.php"; nocase; uricontent:"UserID="; nocase; pcre:"/UserID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18497; classtype:web-application-attack; sid:100000511; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom lng.php SQL injection attempt"; flow:to_server,established; uricontent:"/lng.php"; nocase; uricontent:"QuranID="; nocase; pcre:"/QuranID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18497; classtype:web-application-attack; sid:100000512; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SAPHPLesson showcat.php SQL injection attempt"; flow:to_server,established; uricontent:"/showcat.php"; nocase; uricontent:"forumid="; nocase; pcre:"/forumid(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18501; classtype:web-application-attack; sid:100000513; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SAPHPLesson misc.php SQL injection attempt"; flow:to_server,established; uricontent:"/misc.php"; nocase; uricontent:"action="; nocase; pcre:"/action(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18501; classtype:web-application-attack; sid:100000514; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP CMS 
Faethon header.php xss attempt"; flow:to_server,established; uricontent:"data/header.php"; nocase; uricontent:"mainpath="; nocase; pcre:"/mainpath(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18505; classtype:web-application-attack; sid:100000515; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP CMS Faethon footer.php xss attempt"; flow:to_server,established; uricontent:"data/footer.php"; nocase; uricontent:"mainpath="; nocase; pcre:"/mainpath(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18505; classtype:web-application-attack; sid:100000516; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP e107 search.php xss attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"ep="; nocase; pcre:"/ep(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18508; classtype:web-application-attack; sid:100000517; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP Live Helper initiate.php remote file include"; flow:to_server,established; uricontent:"/initiate.php"; nocase; uricontent:"abs_path="; nocase; pcre:"/abs_path=(https?|ftp)/Ui"; reference:bugtraq,18509; classtype:web-application-attack; sid:100000518; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VUBB index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"user="; nocase; pcre:"/user(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18516; classtype:web-application-attack; sid:100000519; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Xarancms xaramcms_haupt.php SQL injection attempt"; flow:to_server,established; uricontent:"/xaramcms_haupt.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18520; classtype:web-application-attack; sid:100000520; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"COMMUNITY WEB-PHP TPL Design TplShop category.php SQL injection attempt"; flow:to_server,established; uricontent:"/category.php"; nocase; uricontent:"first_row="; nocase; pcre:"/first_row(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18524; classtype:web-application-attack; sid:100000521; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP The Edge eCommerce Shop productDetail.php xss attempt"; flow:to_server,established; uricontent:"/productDetail.php"; nocase; uricontent:"cart_id="; nocase; pcre:"/cart_id(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18528; classtype:web-application-attack; sid:100000522; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP CavoxCms index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"page="; nocase; pcre:"/page(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18533; classtype:web-application-attack; sid:100000523; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Micro CMS microcms-include.php remote file include"; flow:to_server,established; uricontent:"/microcms-include.php"; nocase; uricontent:"microcms_path="; nocase; pcre:"/microcms_path=(https?|ftp)/Ui"; reference:bugtraq,18537; classtype:web-application-attack; sid:100000524; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPMyDirectory offer-pix.php xss attempt"; flow:to_server,established; uricontent:"/offer-pix.php"; nocase; uricontent:"PIC="; nocase; pcre:"/PIC(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18539; classtype:web-application-attack; sid:100000525; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPMyDirectory index.php xss attempt"; flow:to_server,established; uricontent:"cp/index.php"; nocase; uricontent:"from="; nocase; pcre:"/from(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18539; classtype:web-application-attack; 
sid:100000526; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP AssoCIateD index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"menu="; nocase; pcre:"/menu(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18541; classtype:web-application-attack; sid:100000527; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPMyForum topic.php xss attempt"; flow:to_server,established; uricontent:"/topic.php"; nocase; uricontent:"highlight="; nocase; pcre:"/highlight(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18542; classtype:web-application-attack; sid:100000528; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP NC Linklist index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"cat="; nocase; pcre:"/cat(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18546; classtype:web-application-attack; sid:100000529; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP NC Linklist index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"view="; nocase; pcre:"/view(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18546; classtype:web-application-attack; sid:100000530; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP BtitTracker torrents.php SQL injection attempt"; flow:to_server,established; uricontent:"/torrents.php"; nocase; uricontent:"by="; nocase; pcre:"/by(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18549; classtype:web-application-attack; sid:100000531; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP BtitTracker torrents.php SQL injection attempt"; flow:to_server,established; uricontent:"/torrents.php"; nocase; uricontent:"order="; nocase; pcre:"/order(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18549; classtype:web-application-attack; 
sid:100000532; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VUBB functions.php SQL injection attempt"; flow:to_server,established; uricontent:"includes/functions.php"; nocase; uricontent:"email="; nocase; pcre:"/email(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18561; classtype:web-application-attack; sid:100000533; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VUBB english.php xss attempt"; flow:to_server,established; uricontent:"language/english.php"; nocase; uricontent:"user="; nocase; pcre:"/user(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18562; classtype:web-application-attack; sid:100000534; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP IMGallery galeria.php SQL injection attempt"; flow:to_server,established; uricontent:"/galeria.php"; nocase; uricontent:"start="; nocase; pcre:"/start(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18566; classtype:web-application-attack; sid:100000535; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP IMGallery galeria.php SQL injection attempt"; flow:to_server,established; uricontent:"/galeria.php"; nocase; uricontent:"sort="; nocase; pcre:"/sort(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18566; classtype:web-application-attack; sid:100000536; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP thinkWMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18567; classtype:web-application-attack; sid:100000537; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP thinkWMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"catid="; nocase; pcre:"/catid(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18567; 
classtype:web-application-attack; sid:100000538; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP thinkWMS printarticle.php SQL injection attempt"; flow:to_server,established; uricontent:"/printarticle.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18567; classtype:web-application-attack; sid:100000539; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Enterprise Groupware index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"module="; nocase; pcre:"/module(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18590; classtype:web-application-attack; sid:100000540; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Dating Agent picture.php SQL injection attempt"; flow:to_server,established; uricontent:"/picture.php"; nocase; uricontent:"pid="; nocase; pcre:"/pid(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18607; classtype:web-application-attack; sid:100000541; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Dating Agent mem.php SQL injection attempt"; flow:to_server,established; uricontent:"/mem.php"; nocase; uricontent:"mid="; nocase; pcre:"/mid(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18607; classtype:web-application-attack; sid:100000542; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Dating Agent search.php SQL injection attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"sex="; nocase; pcre:"/sex(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18607; classtype:web-application-attack; sid:100000543; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Dating Agent search.php SQL injection attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"relationship="; nocase; 
pcre:"/relationship(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18607; classtype:web-application-attack; sid:100000544; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP Blue Dragon CMS team_admin.php remote file include"; flow:to_server,established; uricontent:"root_includes/root_modules/team_admin.php"; nocase; uricontent:"DragonRootPath="; nocase; pcre:"/DragonRootPath=(https?|ftp)/Ui"; reference:bugtraq,18609; classtype:web-application-attack; sid:100000545; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP Blue Dragon CMS rss_admin.php remote file include"; flow:to_server,established; uricontent:"root_includes/root_modules/rss_admin.php"; nocase; uricontent:"DragonRootPath="; nocase; pcre:"/DragonRootPath=(https?|ftp)/Ui"; reference:bugtraq,18609; classtype:web-application-attack; sid:100000546; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP Blue Dragon CMS manual_admin.php remote file include"; flow:to_server,established; uricontent:"root_includes/root_modules/manual_admin.php"; nocase; uricontent:"DragonRootPath="; nocase; pcre:"/DragonRootPath=(https?|ftp)/Ui"; reference:bugtraq,18609; classtype:web-application-attack; sid:100000547; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP Blue Dragon CMS forum_admin.php remote file include"; flow:to_server,established; uricontent:"root_includes/root_modules/forum_admin.php"; nocase; uricontent:"DragonRootPath="; nocase; pcre:"/DragonRootPath=(https?|ftp)/Ui"; reference:bugtraq,18609; classtype:web-application-attack; sid:100000548; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Custom Datin Biz user_view.php xss attempt"; flow:to_server,established; uricontent:"/user_view.php"; nocase; uricontent:"u="; nocase; pcre:"/u(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18626; 
classtype:web-application-attack; sid:100000549; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Project Eros BBSEngine comment.php access"; flow:to_server,established; uricontent:"/comment.php"; nocase; uricontent:"="; nocase; reference:bugtraq,18627; classtype:web-application-activity; sid:100000550; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Project Eros BBSEngine aolbonics.php access"; flow:to_server,established; uricontent:"/aolbonics.php"; nocase; uricontent:"="; nocase; reference:bugtraq,18627; classtype:web-application-activity; sid:100000551; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SmartSiteCMS inc_foot.php remote file include"; flow:to_server,established; uricontent:"include/inc_foot.php"; nocase; uricontent:"root="; nocase; pcre:"/root=(https?|ftp)/Ui"; reference:bugtraq,18628; classtype:web-application-attack; sid:100000552; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPMySMS gateway.php remote file include"; flow:to_server,established; uricontent:"sms_config/gateway.php"; nocase; uricontent:"ROOT_PATH="; nocase; pcre:"/ROOT_PATH=(https?|ftp)/Ui"; reference:bugtraq,18633; classtype:web-application-attack; sid:100000553; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VebiMiau error.php xss attempt"; flow:to_server,established; uricontent:"/error.php"; nocase; uricontent:"tid="; nocase; pcre:"/tid(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18643; classtype:web-application-attack; sid:100000554; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VebiMiau error.php xss attempt"; flow:to_server,established; uricontent:"/error.php"; nocase; uricontent:"lid="; nocase; pcre:"/lid(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18643; classtype:web-application-attack; sid:100000555; rev:1;)
-alert 
tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VebiMiau error.php xss attempt"; flow:to_server,established; uricontent:"/error.php"; nocase; uricontent:"sid="; nocase; pcre:"/sid(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18643; classtype:web-application-attack; sid:100000556; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VebiMiau index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"f_user="; nocase; pcre:"/f_user(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18643; classtype:web-application-attack; sid:100000557; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VebiMiau messages.php xss attempt"; flow:to_server,established; uricontent:"/messages.php"; nocase; uricontent:"pag="; nocase; pcre:"/pag(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18643; classtype:web-application-attack; sid:100000558; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Infinite Core Technologies ICT index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"post="; nocase; pcre:"/post(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18644; classtype:web-application-attack; sid:100000559; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP eNpaper1 root_header.php remote file include"; flow:to_server,established; uricontent:"/root_header.php"; nocase; uricontent:"ppath="; nocase; pcre:"/ppath=(https?|ftp)/Ui"; reference:bugtraq,18649; classtype:web-application-attack; sid:100000560; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP dotProject ui.class.php xss attempt"; flow:to_server,established; uricontent:"/ui.class.php"; nocase; uricontent:"login="; nocase; pcre:"/login(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18650; classtype:web-application-attack; sid:100000561; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt"; flow:to_server,established; uricontent:"/show.php"; nocase; uricontent:"sort="; nocase; pcre:"/sort(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18651; classtype:web-application-attack; sid:100000562; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt"; flow:to_server,established; uricontent:"/show.php"; nocase; uricontent:"page="; nocase; pcre:"/page(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18651; classtype:web-application-attack; sid:100000563; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt"; flow:to_server,established; uricontent:"/show.php"; nocase; uricontent:"search="; nocase; pcre:"/search(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18651; classtype:web-application-attack; sid:100000564; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt"; flow:to_server,established; uricontent:"/show.php"; nocase; uricontent:"action="; nocase; pcre:"/action(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18651; classtype:web-application-attack; sid:100000565; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP XennoBB messages.php xss attempt"; flow:to_server,established; uricontent:"/messages.php"; nocase; uricontent:"tid="; nocase; pcre:"/tid(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18652; classtype:web-application-attack; sid:100000566; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Qdig index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"pre_gallery="; nocase; pcre:"/pre_gallery(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18653; classtype:web-application-attack; sid:100000567; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Qdig index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"post_gallery="; nocase; pcre:"/post_gallery(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18653; classtype:web-application-attack; sid:100000568; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu app_change_email.php remote file include"; flow:to_server,established; uricontent:"admin/app_change_email.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000569; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu app_change_pwd.php remote file include"; flow:to_server,established; uricontent:"admin/app_change_pwd.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000570; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu app_mod_rewrite.php remote file include"; flow:to_server,established; uricontent:"admin/app_mod_rewrite.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000571; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu app_page_caching.php remote file include"; flow:to_server,established; uricontent:"admin/app_page_caching.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000572; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu app_setup.php remote file include"; flow:to_server,established; 
uricontent:"admin/app_setup.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000573; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_add.php remote file include"; flow:to_server,established; uricontent:"admin/cat_add.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000574; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_delete.php remote file include"; flow:to_server,established; uricontent:"admin/cat_delete.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000575; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_edit.php remote file include"; flow:to_server,established; uricontent:"admin/cat_edit.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000576; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_path_update.php remote file include"; flow:to_server,established; uricontent:"admin/cat_path_update.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000577; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_search.php remote file include"; flow:to_server,established; uricontent:"admin/cat_search.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; 
classtype:web-application-attack; sid:100000578; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_struc.php remote file include"; flow:to_server,established; uricontent:"admin/cat_struc.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000579; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_view.php remote file include"; flow:to_server,established; uricontent:"admin/cat_view.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000580; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_view_hidden.php remote file include"; flow:to_server,established; uricontent:"admin/cat_view_hidden.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000581; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_view_hierarchy.php remote file include"; flow:to_server,established; uricontent:"admin/cat_view_hierarchy.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000582; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_view_registered_only.php remote file include"; flow:to_server,established; uricontent:"admin/cat_view_registered_only.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000583; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"COMMUNITY WEB-PHP Indexu checkurl_web.php remote file include"; flow:to_server,established; uricontent:"admin/checkurl_web.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000584; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu db_alter.php remote file include"; flow:to_server,established; uricontent:"admin/db_alter.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000585; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu db_alter_change.php remote file include"; flow:to_server,established; uricontent:"admin/db_alter_change.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000586; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu db_backup.php remote file include"; flow:to_server,established; uricontent:"admin/db_backup.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000587; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu db_export.php remote file include"; flow:to_server,established; uricontent:"admin/db_export.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000588; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu db_import.php remote file include"; flow:to_server,established; uricontent:"admin/db_import.php"; nocase; 
uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000589; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu editor_add.php remote file include"; flow:to_server,established; uricontent:"admin/editor_add.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000590; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu editor_delete.php remote file include"; flow:to_server,established; uricontent:"admin/editor_delete.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000591; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu editor_validate.php remote file include"; flow:to_server,established; uricontent:"admin/editor_validate.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000592; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu head.php remote file include"; flow:to_server,established; uricontent:"admin/head.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000593; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu index.php remote file include"; flow:to_server,established; uricontent:"admin/index.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000594; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_config.php remote file include"; flow:to_server,established; uricontent:"admin/inv_config.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000595; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_config_payment.php remote file include"; flow:to_server,established; uricontent:"admin/inv_config_payment.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000596; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_create.php remote file include"; flow:to_server,established; uricontent:"admin/inv_create.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000597; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_delete.php remote file include"; flow:to_server,established; uricontent:"admin/inv_delete.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000598; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_edit.php remote file include"; flow:to_server,established; uricontent:"admin/inv_edit.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000599; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_markpaid.php remote file include"; 
flow:to_server,established; uricontent:"admin/inv_markpaid.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000600; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_markunpaid.php remote file include"; flow:to_server,established; uricontent:"admin/inv_markunpaid.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000601; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_overdue.php remote file include"; flow:to_server,established; uricontent:"admin/inv_overdue.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000602; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_paid.php remote file include"; flow:to_server,established; uricontent:"admin/inv_paid.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000603; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_send.php remote file include"; flow:to_server,established; uricontent:"admin/inv_send.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000604; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_unpaid.php remote file include"; flow:to_server,established; uricontent:"admin/inv_unpaid.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; 
reference:bugtraq,18477; classtype:web-application-attack; sid:100000605; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu lang_modify.php remote file include"; flow:to_server,established; uricontent:"admin/lang_modify.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000606; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_add.php remote file include"; flow:to_server,established; uricontent:"admin/link_add.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000607; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_bad.php remote file include"; flow:to_server,established; uricontent:"admin/link_bad.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000608; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_bad_delete.php remote file include"; flow:to_server,established; uricontent:"admin/link_bad_delete.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000609; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_checkurl.php remote file include"; flow:to_server,established; uricontent:"admin/link_checkurl.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000610; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"COMMUNITY WEB-PHP Indexu link_delete.php remote file include"; flow:to_server,established; uricontent:"admin/link_delete.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000611; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_duplicate.php remote file include"; flow:to_server,established; uricontent:"admin/link_duplicate.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000612; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_edit.php remote file include"; flow:to_server,established; uricontent:"admin/link_edit.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000613; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_premium_listing.php remote file include"; flow:to_server,established; uricontent:"admin/link_premium_listing.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000614; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_premium_sponsored.php remote file include"; flow:to_server,established; uricontent:"admin/link_premium_sponsored.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000615; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_search.php remote file include"; flow:to_server,established;
uricontent:"admin/link_search.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000616; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_sponsored_listing.php remote file include"; flow:to_server,established; uricontent:"admin/link_sponsored_listing.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000617; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_validate.php remote file include"; flow:to_server,established; uricontent:"admin/link_validate.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000618; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_validate_edit.php remote file include"; flow:to_server,established; uricontent:"admin/link_validate_edit.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000619; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_view.php remote file include"; flow:to_server,established; uricontent:"admin/link_view.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000620; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu log_search.php remote file include"; flow:to_server,established; uricontent:"admin/log_search.php"; nocase; uricontent:"admin_template_path="; nocase;
pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000621; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu mail_modify.php remote file include"; flow:to_server,established; uricontent:"admin/mail_modify.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000622; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu menu.php remote file include"; flow:to_server,established; uricontent:"admin/menu.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000623; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu message_create.php remote file include"; flow:to_server,established; uricontent:"admin/message_create.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000624; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu message_delete.php remote file include"; flow:to_server,established; uricontent:"admin/message_delete.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000625; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu message_edit.php remote file include"; flow:to_server,established; uricontent:"admin/message_edit.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000626; rev:2;)
-alert tcp $EXTERNAL_NET
any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu message_send.php remote file include"; flow:to_server,established; uricontent:"admin/message_send.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000627; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu message_subscriber.php remote file include"; flow:to_server,established; uricontent:"admin/message_subscriber.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000628; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu message_view.php remote file include"; flow:to_server,established; uricontent:"admin/message_view.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000629; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu review_validate.php remote file include"; flow:to_server,established; uricontent:"admin/review_validate.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000630; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu review_validate_edit.php remote file include"; flow:to_server,established; uricontent:"admin/review_validate_edit.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000631; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu summary.php remote file include";
flow:to_server,established; uricontent:"admin/summary.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000632; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_active.php remote file include"; flow:to_server,established; uricontent:"admin/template_active.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000633; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_add_custom.php remote file include"; flow:to_server,established; uricontent:"admin/template_add_custom.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000634; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_delete.php remote file include"; flow:to_server,established; uricontent:"admin/template_delete.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000635; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_delete_file.php remote file include"; flow:to_server,established; uricontent:"admin/template_delete_file.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000636; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_duplicate.php remote file include"; flow:to_server,established; uricontent:"admin/template_duplicate.php"; nocase;
uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000637; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_export.php remote file include"; flow:to_server,established; uricontent:"admin/template_export.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000638; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_import.php remote file include"; flow:to_server,established; uricontent:"admin/template_import.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000639; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_manager.php remote file include"; flow:to_server,established; uricontent:"admin/template_manager.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000640; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_modify.php remote file include"; flow:to_server,established; uricontent:"admin/template_modify.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000641; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_modify_file.php remote file include"; flow:to_server,established; uricontent:"admin/template_modify_file.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui";
reference:bugtraq,18477; classtype:web-application-attack; sid:100000642; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_rename.php remote file include"; flow:to_server,established; uricontent:"admin/template_rename.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000643; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu user_add.php remote file include"; flow:to_server,established; uricontent:"admin/user_add.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000644; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu user_delete.php remote file include"; flow:to_server,established; uricontent:"admin/user_delete.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000645; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu user_edit.php remote file include"; flow:to_server,established; uricontent:"admin/user_edit.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000646; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu user_search.php remote file include"; flow:to_server,established; uricontent:"admin/user_search.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000647; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY
WEB-PHP Indexu whos.php remote file include"; flow:to_server,established; uricontent:"admin/whos.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000648; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"comment="; nocase; pcre:"/comment(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000649; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"email="; nocase; pcre:"/email(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000650; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"homepage="; nocase; pcre:"/homepage(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000651; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000652; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"name="; nocase; pcre:"/name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000653; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
$HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"text="; nocase; pcre:"/text(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000654; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt"; flow:to_server,established; uricontent:"admin/guestbook.php"; nocase; uricontent:"comment="; nocase; pcre:"/comment(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000655; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt"; flow:to_server,established; uricontent:"admin/guestbook.php"; nocase; uricontent:"email="; nocase; pcre:"/email(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000656; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt"; flow:to_server,established; uricontent:"admin/guestbook.php"; nocase; uricontent:"homepage="; nocase; pcre:"/homepage(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000657; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt"; flow:to_server,established; uricontent:"admin/guestbook.php"; nocase; uricontent:"number="; nocase; pcre:"/number(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000658; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt"; flow:to_server,established; uricontent:"admin/guestbook.php"; nocase; uricontent:"name="; nocase; pcre:"/name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582;
classtype:web-application-attack; sid:100000659; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt"; flow:to_server,established; uricontent:"admin/guestbook.php"; nocase; uricontent:"text="; nocase; pcre:"/text(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000660; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt"; flow:to_server,established; uricontent:"admin/edit.php"; nocase; uricontent:"email="; nocase; pcre:"/email(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000661; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt"; flow:to_server,established; uricontent:"admin/edit.php"; nocase; uricontent:"homepage="; nocase; pcre:"/homepage(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000662; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt"; flow:to_server,established; uricontent:"admin/edit.php"; nocase; uricontent:"icq="; nocase; pcre:"/icq(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000663; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt"; flow:to_server,established; uricontent:"admin/edit.php"; nocase; uricontent:"name="; nocase; pcre:"/name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000664; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt"; flow:to_server,established; uricontent:"admin/edit.php"; nocase; uricontent:"text="; nocase;
pcre:"/text(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000665; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia files.php remote file include"; flow:to_server,established; uricontent:"/files.php"; nocase; uricontent:"footer_prog="; nocase; pcre:"/footer_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000666; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia files.php remote file include"; flow:to_server,established; uricontent:"/files.php"; nocase; uricontent:"header_prog="; nocase; pcre:"/header_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000667; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia pheader.php remote file include"; flow:to_server,established; uricontent:"/pheader.php"; nocase; uricontent:"theme_root="; nocase; pcre:"/theme_root=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000668; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia headlines.php remote file include"; flow:to_server,established; uricontent:"/headlines.php"; nocase; uricontent:"header_prog="; nocase; pcre:"/header_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000669; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia web_statsConfig.php remote file include"; flow:to_server,established; uricontent:"/web_statsConfig.php"; nocase; uricontent:"mod_dir="; nocase; pcre:"/mod_dir=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000670; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia preload.php remote file include"; flow:to_server,established;
uricontent:"/preload.php"; nocase; uricontent:"func_prog="; nocase; pcre:"/func_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000671; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia users.php remote file include"; flow:to_server,established; uricontent:"/users.php"; nocase; uricontent:"header_prog="; nocase; pcre:"/header_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000672; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia web_statsConfig.php remote file include"; flow:to_server,established; uricontent:"/web_statsConfig.php"; nocase; uricontent:"php_ext="; nocase; pcre:"/php_ext=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000673; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia footer.php remote file include"; flow:to_server,established; uricontent:"/footer.php"; nocase; uricontent:"theme_root="; nocase; pcre:"/theme_root=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000674; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia pfooter.php remote file include"; flow:to_server,established; uricontent:"/pfooter.php"; nocase; uricontent:"theme_root="; nocase; pcre:"/theme_root=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000675; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia missing.php remote file include"; flow:to_server,established; uricontent:"/missing.php"; nocase; uricontent:"header_prog="; nocase; pcre:"/header_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000676; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia topics.php remote file
include"; flow:to_server,established; uricontent:"/topics.php"; nocase; uricontent:"header_prog="; nocase; pcre:"/header_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000677; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia header.php remote file include"; flow:to_server,established; uricontent:"/header.php"; nocase; uricontent:"mod_root="; nocase; pcre:"/mod_root=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000678; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"func_prog="; nocase; pcre:"/func_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000679; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia search.php remote file include"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"header_prog="; nocase; pcre:"/header_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000680; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia header.php remote file include"; flow:to_server,established; uricontent:"/header.php"; nocase; uricontent:"theme_root="; nocase; pcre:"/theme_root=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000681; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia email.php remote file include"; flow:to_server,established; uricontent:"/email.php"; nocase; uricontent:"header_prog="; nocase; pcre:"/header_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000682; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP cPanel
select.html xss attempt"; flow:to_server,established; uricontent:"/select.html"; nocase; uricontent:"file="; nocase; pcre:"/file(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18655; classtype:web-application-attack; sid:100000683; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Horde index.php show XSS attempt"; flow:established,to_server; uricontent:"/services/help/index.php"; nocase; uricontent:"show="; nocase; uricontent:"URL=javascript"; nocase; reference:bugtraq,18845; classtype:web-application-attack; sid:100000703; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SmartSiteCMS comment.php remote file include"; flow:to_server,established; uricontent:"/comment.php"; nocase; uricontent:"root="; nocase; pcre:"/root=(https?|ftp)/Ui"; reference:bugtraq,18697; classtype:web-application-attack; sid:100000704; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SmartSiteCMS test.php remote file include"; flow:to_server,established; uricontent:"admin/test.php"; nocase; uricontent:"root="; nocase; pcre:"/root=(https?|ftp)/Ui"; reference:bugtraq,18697; classtype:web-application-attack; sid:100000705; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SmartSiteCMS index.php remote file include"; flow:to_server,established; uricontent:"admin/index.php"; nocase; uricontent:"root="; nocase; pcre:"/root=(https?|ftp)/Ui"; reference:bugtraq,18697; classtype:web-application-attack; sid:100000706; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SmartSiteCMS inc_adminfoot.php remote file include"; flow:to_server,established; uricontent:"admin/include/inc_adminfoot.php"; nocase; uricontent:"root="; nocase; pcre:"/root=(https?|ftp)/Ui"; reference:bugtraq,18697; classtype:web-application-attack; sid:100000707; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"COMMUNITY WEB-PHP SmartSiteCMS comedit.php remote file include"; flow:to_server,established; uricontent:"admin/comedit.php"; nocase; uricontent:"root="; nocase; pcre:"/root=(https?|ftp)/Ui"; reference:bugtraq,18697; classtype:web-application-attack; sid:100000708; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SquirrelMail search.php xss attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"mailbox="; nocase; pcre:"/mailbox(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18700; classtype:web-application-attack; sid:100000709; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Xoops MyAds Module annonces-p-f.php SQL injection attempt"; flow:to_server,established; uricontent:"/annonces-p-f.php"; nocase; uricontent:"lid="; nocase; pcre:"/lid(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18718; classtype:web-application-attack; sid:100000710; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid raids.php remote file include"; flow:to_server,established; uricontent:"/raids.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000711; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid register.php remote file include"; flow:to_server,established; uricontent:"/register.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000712; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid roster.php remote file include"; flow:to_server,established; uricontent:"/roster.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000713; rev:2;)
-alert tcp
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid view.php remote file include"; flow:to_server,established; uricontent:"/view.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000714; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid logs.php remote file include"; flow:to_server,established; uricontent:"/logs.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000715; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid users.php remote file include"; flow:to_server,established; uricontent:"/users.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000716; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid configuration.php remote file include"; flow:to_server,established; uricontent:"/configuration.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000717; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid guilds.php remote file include"; flow:to_server,established; uricontent:"/guilds.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000718; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719;
classtype:web-application-attack; sid:100000719; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid locations.php remote file include"; flow:to_server,established; uricontent:"/locations.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000720; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid login.php remote file include"; flow:to_server,established; uricontent:"/login.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000721; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid lua_output.php remote file include"; flow:to_server,established; uricontent:"/lua_output.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000722; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid permissions.php remote file include"; flow:to_server,established; uricontent:"/permissions.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000723; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid profile.php remote file include"; flow:to_server,established; uricontent:"/profile.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000724; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid view.php SQL injection attempt"; flow:to_server,established; uricontent:"/view.php"; nocase; uricontent:"raid_id="; nocase;
pcre:"/raid_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18720; classtype:web-application-attack; sid:100000725; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Vincent-Leclercq News diver.php SQL injection attempt"; flow:to_server,established; uricontent:"/diver.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18729; classtype:web-application-attack; sid:100000726; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Softbiz Banner Exchange insertmember.php xss attempt"; flow:to_server,established; uricontent:"/insertmember.php"; nocase; uricontent:"city="; nocase; pcre:"/city(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18735; classtype:web-application-attack; sid:100000727; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog functions.inc remote file include"; flow:to_server,established; uricontent:"plugins/links/functions.inc"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000728; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog functions.inc remote file include"; flow:to_server,established; uricontent:"plugins/polls/functions.inc"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000729; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog BlackList.Examine.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/BlackList.Examine.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000730; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"COMMUNITY WEB-PHP Geeklog DeleteComment.Action.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/DeleteComment.Action.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000731; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog EditIPofURL.Admin.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/EditIPofURL.Admin.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000732; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog MTBlackList.Examine.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/MTBlackList.Examine.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000733; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog MassDelete.Admin.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/MassDelete.Admin.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000734; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog MailAdmin.Action.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/MailAdmin.Action.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000735; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog 
MassDelTrackback.Admin.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/MassDelTrackback.Admin.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000736; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog EditHeader.Admin.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/EditHeader.Admin.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000737; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog EditIP.Admin.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/EditIP.Admin.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000738; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog IPofUrl.Examine.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/IPofUrl.Examine.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000739; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog Import.Admin.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/Import.Admin.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000740; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog LogView.Admin.class.php remote file include"; 
flow:to_server,established; uricontent:"plugins/spamx/LogView.Admin.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000741; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog functions.inc remote file include"; flow:to_server,established; uricontent:"plugins/staticpages/functions.inc"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000742; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Plume CMS dbinstall.php remote file include"; flow:to_server,established; uricontent:"/dbinstall.php"; nocase; uricontent:"_PX_config[manager_path]="; nocase; pcre:"/_PX_config\[manager_path\]=(https?|ftp)/Ui"; reference:bugtraq,18750; classtype:web-application-attack; sid:100000743; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyNewsGroups tree.php SQL injection attempt"; flow:to_server,established; uricontent:"/tree.php"; nocase; uricontent:"grp_id="; nocase; pcre:"/grp_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18757; classtype:web-application-attack; sid:100000744; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Diesel Joke Site category.php SQL injection attempt"; flow:to_server,established; uricontent:"/category.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18760; classtype:web-application-attack; sid:100000745; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Randshop header.inc.php remote file include"; flow:to_server,established; uricontent:"/header.inc.php"; nocase; uricontent:"dateiPfad="; nocase; pcre:"/dateiPfad=(https?|ftp)/Ui"; reference:bugtraq,18763; classtype:web-application-attack; 
sid:100000746; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Plume CMS index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"_PX_config[manager_path]="; nocase; pcre:"/_PX_config\[manager_path\]=(https?|ftp)/Ui"; reference:bugtraq,18780; classtype:web-application-attack; sid:100000747; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Plume CMS rss.php remote file include"; flow:to_server,established; uricontent:"/rss.php"; nocase; uricontent:"_PX_config[manager_path]="; nocase; pcre:"/_PX_config\[manager_path\]=(https?|ftp)/Ui"; reference:bugtraq,18780; classtype:web-application-attack; sid:100000748; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Plume CMS search.php remote file include"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"_PX_config[manager_path]="; nocase; pcre:"/_PX_config\[manager_path\]=(https?|ftp)/Ui"; reference:bugtraq,18780; classtype:web-application-attack; sid:100000749; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Free QBoard index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"qb_path="; nocase; pcre:"/qb_path=(https?|ftp)/Ui"; reference:bugtraq,18788; classtype:web-application-attack; sid:100000750; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Free QBoard about.php remote file include"; flow:to_server,established; uricontent:"/about.php"; nocase; uricontent:"qb_path="; nocase; pcre:"/qb_path=(https?|ftp)/Ui"; reference:bugtraq,18788; classtype:web-application-attack; sid:100000751; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Free QBoard contact.php remote file include"; flow:to_server,established; uricontent:"/contact.php"; nocase; 
uricontent:"qb_path="; nocase; pcre:"/qb_path=(https?|ftp)/Ui"; reference:bugtraq,18788; classtype:web-application-attack; sid:100000752; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Free QBoard delete.php remote file include"; flow:to_server,established; uricontent:"/delete.php"; nocase; uricontent:"qb_path="; nocase; pcre:"/qb_path=(https?|ftp)/Ui"; reference:bugtraq,18788; classtype:web-application-attack; sid:100000753; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Free QBoard faq.php remote file include"; flow:to_server,established; uricontent:"/faq.php"; nocase; uricontent:"qb_path="; nocase; pcre:"/qb_path=(https?|ftp)/Ui"; reference:bugtraq,18788; classtype:web-application-attack; sid:100000754; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Free QBoard features.php remote file include"; flow:to_server,established; uricontent:"/features.php"; nocase; uricontent:"qb_path="; nocase; pcre:"/qb_path=(https?|ftp)/Ui"; reference:bugtraq,18788; classtype:web-application-attack; sid:100000755; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Free QBoard history.php remote file include"; flow:to_server,established; uricontent:"/history.php"; nocase; uricontent:"qb_path="; nocase; pcre:"/qb_path=(https?|ftp)/Ui"; reference:bugtraq,18788; classtype:web-application-attack; sid:100000756; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt"; flow:to_server,established; uricontent:"/qtofm.php"; nocase; uricontent:"delete="; nocase; pcre:"/delete(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18791; classtype:web-application-attack; sid:100000757; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt"; flow:to_server,established; uricontent:"/qtofm.php"; 
nocase; uricontent:"pathext="; nocase; pcre:"/pathext(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18791; classtype:web-application-attack; sid:100000758; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt"; flow:to_server,established; uricontent:"/qtofm.php"; nocase; uricontent:"edit="; nocase; pcre:"/edit(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18791; classtype:web-application-attack; sid:100000759; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP The Banner Engine top.php xss attempt"; flow:to_server,established; uricontent:"/top.php"; nocase; uricontent:"text="; nocase; pcre:"/text(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18793; classtype:web-application-attack; sid:100000760; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPWebGallery comments.php xss attempt"; flow:to_server,established; uricontent:"/comments.php"; nocase; uricontent:"keyword="; nocase; pcre:"/keyword(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18798; classtype:web-application-attack; sid:100000761; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Randshop index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"incl="; nocase; pcre:"/incl=(https?|ftp)/Ui"; reference:bugtraq,18809; classtype:web-application-attack; sid:100000762; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Kamikaze-QSCM config.inc access"; flow:to_server,established; uricontent:"/config.inc"; nocase; uricontent:"="; nocase; reference:bugtraq,18816; classtype:web-application-activity; sid:100000763; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP CMS global_header.php remote file include"; flow:to_server,established; uricontent:"/global_header.php"; nocase; 
uricontent:"domain="; nocase; pcre:"/domain=(https?|ftp)/Ui"; reference:bugtraq,18834; classtype:web-application-attack; sid:100000764; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP LifeType index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"date="; nocase; pcre:"/date(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18835; classtype:web-application-attack; sid:100000765; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS thumb.php remote file include"; flow:to_server,established; uricontent:"/thumb.php"; nocase; uricontent:"gallery="; nocase; pcre:"/gallery=(https?|ftp)/Ui"; reference:bugtraq,18837; classtype:web-application-attack; sid:100000766; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"item="; nocase; pcre:"/item(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000767; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"blog="; nocase; pcre:"/blog(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000768; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"member="; nocase; pcre:"/member(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000769; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; 
uricontent:"typeface="; nocase; pcre:"/typeface(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000770; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"results="; nocase; pcre:"/results(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000771; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"DokiWiki="; nocase; pcre:"/DokiWiki(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000772; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"archives="; nocase; pcre:"/archives(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000773; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"category="; nocase; pcre:"/category(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000774; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"PHPSESSID="; nocase; pcre:"/PHPSESSID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000775; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; 
uricontent:"/index.php"; nocase; uricontent:"query="; nocase; pcre:"/query(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000776; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS action.php SQL injection attempt"; flow:to_server,established; uricontent:"/action.php"; nocase; uricontent:"action="; nocase; pcre:"/action(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000777; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPMailList maillist.php xss attempt"; flow:to_server,established; uricontent:"/maillist.php"; nocase; uricontent:"email="; nocase; pcre:"/email(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18840; classtype:web-application-attack; sid:100000778; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Horde index.php xss attempt"; flow:to_server,established; uricontent:"services/help/index.php"; nocase; uricontent:"show="; nocase; pcre:"/show(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18845; classtype:web-application-attack; sid:100000779; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Horde problem.php xss attempt"; flow:to_server,established; uricontent:"services/problem.php"; nocase; uricontent:"name="; nocase; pcre:"/name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18845; classtype:web-application-attack; sid:100000780; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Horde go.php xss attempt"; flow:to_server,established; uricontent:"services/go.php"; nocase; uricontent:"untrusted="; nocase; pcre:"/untrusted(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18845; classtype:web-application-attack; sid:100000781; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Horde go.php xss attempt"; flow:to_server,established; 
uricontent:"services/go.php"; nocase; uricontent:"url="; nocase; pcre:"/url(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18845; classtype:web-application-attack; sid:100000782; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ATutor create_course.php xss attempt"; flow:to_server,established; uricontent:"/create_course.php"; nocase; uricontent:"show_courses="; nocase; pcre:"/show_courses(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18857; classtype:web-application-attack; sid:100000783; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ATutor create_course.php xss attempt"; flow:to_server,established; uricontent:"/create_course.php"; nocase; uricontent:"current_cat="; nocase; pcre:"/current_cat(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18857; classtype:web-application-attack; sid:100000784; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ATutor password_reminder.php xss attempt"; flow:to_server,established; uricontent:"/password_reminder.php"; nocase; uricontent:"forgot="; nocase; pcre:"/forgot(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18857; classtype:web-application-attack; sid:100000785; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ATutor browse.php xss attempt"; flow:to_server,established; uricontent:"/browse.php"; nocase; uricontent:"cat="; nocase; pcre:"/cat(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18857; classtype:web-application-attack; sid:100000786; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ATutor fix_content.php xss attempt"; flow:to_server,established; uricontent:"/fix_content.php"; nocase; uricontent:"submit="; nocase; pcre:"/submit(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18857; classtype:web-application-attack; sid:100000787; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP FreeWebshop 
search.php xss attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"page="; nocase; pcre:"/page(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18878; classtype:web-application-attack; sid:100000788; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP FreeWebshop details.php SQL injection attempt"; flow:to_server,established; uricontent:"/details.php"; nocase; uricontent:"prod="; nocase; pcre:"/prod(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18878; classtype:web-application-attack; sid:100000789; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot edit_new.php remote file include"; flow:to_server,established; uricontent:"/edit_new.php"; nocase; uricontent:"Paths[extensions_path]="; nocase; pcre:"/Paths\[extensions_path\]=(https?|ftp)/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000790; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot pv_core.php access"; flow:to_server,established; uricontent:"/pv_core.php"; nocase; uricontent:"="; nocase; reference:bugtraq,18881; classtype:web-application-activity; sid:100000791; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot blogroll.php xss attempt"; flow:to_server,established; uricontent:"/blogroll.php"; nocase; uricontent:"fg="; nocase; pcre:"/fg(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000792; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot blogroll.php xss attempt"; flow:to_server,established; uricontent:"/blogroll.php"; nocase; uricontent:"line1="; nocase; pcre:"/line1(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000793; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot blogroll.php xss attempt"; 
flow:to_server,established; uricontent:"/blogroll.php"; nocase; uricontent:"line2="; nocase; pcre:"/line2(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000794; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot blogroll.php xss attempt"; flow:to_server,established; uricontent:"/blogroll.php"; nocase; uricontent:"bg="; nocase; pcre:"/bg(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000795; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot blogroll.php xss attempt"; flow:to_server,established; uricontent:"/blogroll.php"; nocase; uricontent:"c1="; nocase; pcre:"/c1(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000796; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot blogroll.php xss attempt"; flow:to_server,established; uricontent:"/blogroll.php"; nocase; uricontent:"c2="; nocase; pcre:"/c2(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000797; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot blogroll.php xss attempt"; flow:to_server,established; uricontent:"/blogroll.php"; nocase; uricontent:"c3="; nocase; pcre:"/c3(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000798; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot blogroll.php xss attempt"; flow:to_server,established; uricontent:"/blogroll.php"; nocase; uricontent:"c4="; nocase; pcre:"/c4(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000799; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot editor_menu.php xss attempt"; flow:to_server,established; 
uricontent:"/editor_menu.php"; nocase; uricontent:"name="; nocase; pcre:"/name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000800; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot editor_menu.php xss attempt"; flow:to_server,established; uricontent:"/editor_menu.php"; nocase; uricontent:"js_name="; nocase; pcre:"/js_name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000801; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP BosClassifieds index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"insPath="; nocase; pcre:"/insPath=(https?|ftp)/Ui"; reference:bugtraq,18883; classtype:web-application-attack; sid:100000802; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP BosClassifieds recent.php remote file include"; flow:to_server,established; uricontent:"/recent.php"; nocase; uricontent:"insPath="; nocase; pcre:"/insPath=(https?|ftp)/Ui"; reference:bugtraq,18883; classtype:web-application-attack; sid:100000803; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP BosClassifieds account.php remote file include"; flow:to_server,established; uricontent:"/account.php"; nocase; uricontent:"insPath="; nocase; pcre:"/insPath=(https?|ftp)/Ui"; reference:bugtraq,18883; classtype:web-application-attack; sid:100000804; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP BosClassifieds classified.php remote file include"; flow:to_server,established; uricontent:"/classified.php"; nocase; uricontent:"insPath="; nocase; pcre:"/insPath=(https?|ftp)/Ui"; reference:bugtraq,18883; classtype:web-application-attack; sid:100000805; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP BosClassifieds search.php 
remote file include"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"insPath="; nocase; pcre:"/insPath=(https?|ftp)/Ui"; reference:bugtraq,18883; classtype:web-application-attack; sid:100000806; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP CommonSense search.php SQL injection attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"q="; nocase; pcre:"/q(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18893; classtype:web-application-attack; sid:100000807; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP AjaxPortal ajaxp.php SQL injection attempt"; flow:to_server,established; uricontent:"/ajaxp.php"; nocase; uricontent:"username="; nocase; pcre:"/username(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18897; classtype:web-application-attack; sid:100000808; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP RW Download stats.php remote file include"; flow:to_server,established; uricontent:"/stats.php"; nocase; uricontent:"root_path="; nocase; pcre:"/root_path=(https?|ftp)/Ui"; reference:bugtraq,18901; classtype:web-application-attack; sid:100000809; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPBB download.php remote file include"; flow:to_server,established; uricontent:"/download.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18914; classtype:web-application-attack; sid:100000810; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPBB attach_rules.php remote file include"; flow:to_server,established; uricontent:"/attach_rules.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18914; classtype:web-application-attack; sid:100000811; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"COMMUNITY WEB-PHP SimpleBoard SBP index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"sbp="; nocase; pcre:"/sbp=(https?|ftp)/Ui"; reference:bugtraq,18917; classtype:web-application-attack; sid:100000812; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SimpleBoard SBP file_upload.php remote file include"; flow:to_server,established; uricontent:"/file_upload.php"; nocase; uricontent:"sbp="; nocase; pcre:"/sbp=(https?|ftp)/Ui"; reference:bugtraq,18917; classtype:web-application-attack; sid:100000813; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SimpleBoard SBP image_upload.php remote file include"; flow:to_server,established; uricontent:"/image_upload.php"; nocase; uricontent:"sbp="; nocase; pcre:"/sbp=(https?|ftp)/Ui"; reference:bugtraq,18917; classtype:web-application-attack; sid:100000814; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SimpleBoard SBP performs.php remote file include"; flow:to_server,established; uricontent:"/performs.php"; nocase; uricontent:"sbp="; nocase; pcre:"/sbp=(https?|ftp)/Ui"; reference:bugtraq,18917; classtype:web-application-attack; sid:100000815; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PC_CookBook pccookbook.php remote file include"; flow:to_server,established; uricontent:"/pccookbook.php"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=(https?|ftp)/Ui"; reference:bugtraq,18919; classtype:web-application-attack; sid:100000816; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SMF Forum smf.php remote file include"; flow:to_server,established; uricontent:"/smf.php"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=(https?|ftp)/Ui"; reference:bugtraq,18924; 
classtype:web-application-attack; sid:100000817; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Graffiti Forums topics.php SQL injection attempt"; flow:to_server,established; uricontent:"/topics.php"; nocase; uricontent:"f="; nocase; pcre:"/f(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18928; classtype:web-application-attack; sid:100000818; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SaPHPLesson add.php SQL injection attempt"; flow:to_server,established; uricontent:"/add.php"; nocase; uricontent:"forumid="; nocase; pcre:"/forumid(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18934; classtype:web-application-attack; sid:100000820; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZooM sub-join.php SQL injection attempt"; flow:to_server,established; uricontent:"/sub-join.php"; nocase; uricontent:"UserID="; nocase; pcre:"/UserID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18937; classtype:web-application-attack; sid:100000821; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZooM reply.php SQL injection attempt"; flow:to_server,established; uricontent:"/reply.php"; nocase; uricontent:"UserID="; nocase; pcre:"/UserID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18937; classtype:web-application-attack; sid:100000822; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZooM ignore-pm.php SQL injection attempt"; flow:to_server,established; uricontent:"/ignore-pm.php"; nocase; uricontent:"UserID="; nocase; pcre:"/UserID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18937; classtype:web-application-attack; sid:100000823; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZooM sendmail.php SQL injection attempt"; flow:to_server,established; uricontent:"/sendmail.php"; nocase; uricontent:"UserID="; nocase; pcre:"/UserID(=|\x3f)?\w*\x27/Ui"; 
reference:bugtraq,18937; classtype:web-application-attack; sid:100000824; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Phorum posting.php xss attempt"; flow:to_server,established; uricontent:"/posting.php"; nocase; uricontent:"mode="; nocase; pcre:"/mode(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18941; classtype:web-application-attack; sid:100000825; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Phorum search.php SQL injection attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"mode="; nocase; pcre:"/mode(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18941; classtype:web-application-attack; sid:100000826; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP HiveMail address.view.php xss attempt"; flow:to_server,established; uricontent:"/address.view.php"; nocase; uricontent:"email="; nocase; pcre:"/email(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18949; classtype:web-application-attack; sid:100000827; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP HiveMail address.view.php xss attempt"; flow:to_server,established; uricontent:"/address.view.php"; nocase; uricontent:"cond="; nocase; pcre:"/cond(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18949; classtype:web-application-attack; sid:100000828; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP HiveMail address.view.php xss attempt"; flow:to_server,established; uricontent:"/address.view.php"; nocase; uricontent:"name="; nocase; pcre:"/name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18949; classtype:web-application-attack; sid:100000829; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP HiveMail index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"dayprune="; nocase; 
pcre:"/dayprune(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18949; classtype:web-application-attack; sid:100000830; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP HiveMail compose.email.php xss attempt"; flow:to_server,established; uricontent:"/compose.email.php"; nocase; uricontent:"data[to]="; nocase; pcre:"/data\[to\](=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18949; classtype:web-application-attack; sid:100000831; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP HiveMail read.markas.php xss attempt"; flow:to_server,established; uricontent:"/read.markas.php"; nocase; uricontent:"markas="; nocase; pcre:"/markas(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18949; classtype:web-application-attack; sid:100000832; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP HiveMail search.results.php SQL injection attempt"; flow:to_server,established; uricontent:"/search.results.php"; nocase; uricontent:"fields[]="; nocase; pcre:"/fields\[\](=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18949; classtype:web-application-attack; sid:100000833; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Lazarus codes-english.php xss attempt"; flow:to_server,established; uricontent:"/codes-english.php"; nocase; uricontent:"show="; nocase; pcre:"/show(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18956; classtype:web-application-attack; sid:100000834; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Lazarus picture.php xss attempt"; flow:to_server,established; uricontent:"/picture.php"; nocase; uricontent:"img="; nocase; pcre:"/img(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18956; classtype:web-application-attack; sid:100000835; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MiniBB com_minibb.php remote file include"; flow:to_server,established; 
uricontent:"/com_minibb.php"; nocase; uricontent:"absolute_path="; nocase; pcre:"/absolute_path=(https?|ftp)/Ui"; reference:bugtraq,18998; classtype:web-application-attack; sid:100000836; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MiniBB index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"absolute_path="; nocase; pcre:"/absolute_path=(https?|ftp)/Ui"; reference:bugtraq,18998; classtype:web-application-attack; sid:100000837; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PhotoCycle photocycle.php xss attempt"; flow:to_server,established; uricontent:"/photocycle.php"; nocase; uricontent:"phppage="; nocase; pcre:"/phppage(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18964; classtype:web-application-attack; sid:100000838; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP Event Calendar calendar.php remote file include"; flow:to_server,established; uricontent:"/calendar.php"; nocase; uricontent:"path_to_calendar="; nocase; pcre:"/path_to_calendar=(https?|ftp)/Ui"; reference:bugtraq,18965; classtype:web-application-attack; sid:100000839; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP FlatNuke index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"mod="; nocase; pcre:"/mod=(https?|ftp)/Ui"; reference:bugtraq,18966; classtype:web-application-attack; sid:100000840; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PerForms performs.php remote file include"; flow:to_server,established; uricontent:"/performs.php"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=(https?|ftp)/Ui"; reference:bugtraq,18968; classtype:web-application-attack; sid:100000841; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"COMMUNITY WEB-PHP PHPBB 3 memberlist.php SQL injection attempt"; flow:to_server,established; uricontent:"/memberlist.php"; nocase; uricontent:"ip="; nocase; pcre:"/ip(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18969; classtype:web-application-attack; sid:100000842; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Koobi Pro index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"showtopic="; nocase; pcre:"/showtopic(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18970; classtype:web-application-attack; sid:100000843; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Koobi Pro index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"showtopic="; nocase; pcre:"/showtopic(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18970; classtype:web-application-attack; sid:100000844; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Invision Power Board ipsclass.php SQL injection attempt"; flow:to_server,established; uricontent:"/ipsclass.php"; nocase; uricontent:"HTTP_CLIENT_IP="; nocase; pcre:"/HTTP_CLIENT_IP(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18984; classtype:web-application-attack; sid:100000845; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Subberz Lite user-func.php remote file include"; flow:to_server,established; uricontent:"/user-func.php"; nocase; uricontent:"myadmindir="; nocase; pcre:"/myadmindir=(https?|ftp)/i"; reference:bugtraq,18990; classtype:web-application-attack; sid:100000846; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Sitemap sitemap.xml.php remote file include"; flow:to_server,established; uricontent:"components/com_sitemap/sitemap.xml.php"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=(https?|ftp)/Ui"; 
reference:bugtraq,18991; classtype:web-application-attack; sid:100000847; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP IceWarp include.php remote file include"; flow:to_server,established; uricontent:"accounts/inc/include.php"; nocase; uricontent:"language="; nocase; pcre:"/language=(https?|ftp)/i"; reference:bugtraq,19007; classtype:web-application-attack; sid:100000849; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP IceWarp include.php remote file include"; flow:to_server,established; uricontent:"accounts/inc/include.php"; nocase; uricontent:"lang_settings="; nocase; pcre:"/lang_settings=(https?|ftp)/Ui"; reference:bugtraq,19007; classtype:web-application-attack; sid:100000850; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP IceWarp include.php remote file include"; flow:to_server,established; uricontent:"admin/inc/include.php"; nocase; uricontent:"language="; nocase; pcre:"/language=(https?|ftp)/Ui"; reference:bugtraq,19007; classtype:web-application-attack; sid:100000851; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP IceWarp include.php remote file include"; flow:to_server,established; uricontent:"admin/inc/include.php"; nocase; uricontent:"lang_settings="; nocase; pcre:"/lang_settings=(https?|ftp)/Ui"; reference:bugtraq,19007; classtype:web-application-attack; sid:100000852; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP IceWarp settings.html remote file include"; flow:to_server,established; uricontent:"mail/settings.html"; nocase; uricontent:"language="; nocase; pcre:"/language=(https?|ftp)/Ui"; reference:bugtraq,19007; classtype:web-application-attack; sid:100000853; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ListMessenger listmessenger.php remote file include"; flow:to_server,established; 
uricontent:"/listmessenger.php"; nocase; uricontent:"lm_path="; nocase; pcre:"/lm_path=(https?|ftp)/Ui"; reference:bugtraq,19014; classtype:web-application-attack; sid:100000854; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt"; flow:to_server,established; uricontent:"/class.php"; nocase; uricontent:"name="; nocase; pcre:"/name(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,19019; classtype:web-application-attack; sid:100000855; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt"; flow:to_server,established; uricontent:"/class.php"; nocase; uricontent:"mail="; nocase; pcre:"/mail(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,19019; classtype:web-application-attack; sid:100000856; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt"; flow:to_server,established; uricontent:"/class.php"; nocase; uricontent:"ip="; nocase; pcre:"/ip(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,19019; classtype:web-application-attack; sid:100000857; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt"; flow:to_server,established; uricontent:"/class.php"; nocase; uricontent:"text="; nocase; pcre:"/text(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,19019; classtype:web-application-attack; sid:100000858; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt"; flow:to_server,established; uricontent:"/class.php"; nocase; uricontent:"hidemail="; nocase; pcre:"/hidemail(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,19019; classtype:web-application-attack; sid:100000859; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"COMMUNITY WEB-PHP Francisco Charrua Photo-Gallery room.php SQL injection attempt"; flow:to_server,established; uricontent:"/room.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,19020; classtype:web-application-attack; sid:100000860; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP FlushCMS class.rich.php remote file include"; flow:to_server,established; uricontent:"Include/editor/rich_files/class.rich.php"; nocase; uricontent:"class_path="; nocase; pcre:"/class_path=(https?|ftp)/Ui"; reference:bugtraq,19023; classtype:web-application-attack; sid:100000861; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP FlushCMS class.rich.php remote file include"; flow:to_server,established; uricontent:"Include/editor/class.rich.php"; nocase; uricontent:"class_path="; nocase; pcre:"/class_path=(https?|ftp)/Ui"; reference:bugtraq,19023; classtype:web-application-attack; sid:100000862; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPMyRing view_com.php SQL injection attempt"; flow:to_server,established; uricontent:"/view_com.php"; nocase; uricontent:"idsite="; nocase; pcre:"/idsite(=|\x3f)?\w*\x27/Ui"; reference:url,secunia.com/advisories/21451/; classtype:web-application-attack; sid:100000863; rev:1;)
-
-# Rules from <urleet@gmail.com>
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s01"; flow:to_server,established; uricontent:"/s01.php|3f|shopid|3d|"; nocase; pcre:"/s01.php\x3fshopid\x3d(https?|ftp)/Ui"; reference:url,www.powergap-shop.de; reference:url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html; classtype:web-application-attack; sid:100000865; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s02"; flow:to_server,established; 
uricontent:"/s02.php|3f|shopid|3d|"; nocase; pcre:"/s02.php\x3fshopid\x3d(https?|ftp)/Ui"; reference:url,www.powergap-shop.de; reference:url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html; classtype:web-application-attack; sid:100000866; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s03"; flow:to_server,established; uricontent:"/s03.php|3f|shopid|3d|"; nocase; pcre:"/s03.php\x3fshopid\x3d(https?|ftp)/Ui"; reference:url,www.powergap-shop.de; reference:url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html; classtype:web-application-attack; sid:100000867; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s04"; flow:to_server,established; uricontent:"/s04.php|3f|shopid|3d|"; nocase; pcre:"/s04.php\x3fshopid\x3d(https?|ftp)/Ui"; reference:url,www.powergap-shop.de; reference:url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html; classtype:web-application-attack; sid:100000868; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP powergap remote file Inclusion Exploit sid variant"; flow:to_server,established; uricontent:"/sid|3d|"; nocase; content:"|26|shopid|3d|"; nocase; within:20; reference:url,www.powergap-shop.de; reference:url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html; classtype:web-application-attack; sid:100000869; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP powergap remote file inclusion exploit sid variant 2"; flow:to_server,established; uricontent:"/sid|3d|"; nocase; pcre:"/sid\x3d(https?|ftp)/Ui"; reference:url,www.powergap-shop.de; reference:url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html; classtype:web-application-attack; sid:100000870; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP CubeCart XSS attack"; flow:to_server,established; 
uricontent:"/admin/filemanager/preview.php?file="; nocase; pcre:"/((1)?&(x|y)=)?/Ri"; reference:url,retrogod.altervista.org/cubecart_3011_adv.html; classtype:web-application-attack; sid:100000871; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP CubeCart XSS attack"; flow:to_server,established; uricontent:"/admin/login.php?email="; nocase; reference:url,retrogod.altervista.org/cubecart_3011_adv.html; classtype:web-application-attack; sid:100000872; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP discloser 0.0.4 Remote File Inclusion"; flow:to_server,established; uricontent:"/plugins/plugins.php?type="; nocase; pcre:"/type\x3d(https?|ftp)/Ui"; classtype:web-application-attack; sid:100000873; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP Live Helper globals.php remote file include"; flow:to_server,established; uricontent:"/globals.php"; nocase; uricontent:"abs_path="; nocase; pcre:"/abs_path=(https?|ftp)/Ui"; reference:bugtraq,19349; classtype:web-application-attack; sid:100000882; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Inlink remote file inclusion exploit"; flow:to_server,established; uricontent:"/includes/adodb/back/adodb-postgres7.inc.php"; nocase; reference:url,milw0rm.com/exploits/2295; classtype:web-application-attack; sid:100000883; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-MISC SimpleBlog Remote SQL Injection attempt"; flow:to_server,established; uricontent:"/default.asp"; nocase; content:"view=plink"; nocase; reference:url,milw0rm.com/exploits/2296; classtype:web-application-attack; sid:100000884; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP pHNews access attempt"; flow:to_server,established; uricontent:"/modules/commens.php"; nocase; content:"templates_dir"; nocase; content:"cmd="; nocase; 
reference:url,milw0rm.com/exploits/2298; classtype:web-application-attack; sid:100000885; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Proxima access attempt"; flow:to_server,established; uricontent:"/modules/Forums/bb_smilies.php"; nocase; content:"name="; nocase; content:"cmd="; nocase; reference:url,milw0rm.com/exploits/2299; classtype:web-application-attack; sid:100000886; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP pmwiki exploit attempt"; flow:to_server,established; content:"POST"; nocase; depth:4; content:"pmwiki.php"; nocase; distance:0; content:"n=PmWiki.BasicEditing"; nocase; distance:0; content:"action=edit"; nocase; distance:0; reference:url,milw0rm.com/exploits/2291; classtype:web-application-attack; sid:100000887; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP tikiwiki exploit attempt"; flow:to_server,established; content:"POST"; nocase; depth:4; content:"jhot.php"; nocase; distance:0; reference:url,milw0rm.com/exploits/2288; classtype:web-application-attack; sid:100000888; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP yappa-ng exploit attempt"; flow:to_server,established; uricontent:"/admin_modules/admin_module_deldir.inc.php"; nocase; content:"config"; nocase; reference:url,milw0rm.com/exploits/2292; classtype:web-application-attack; sid:100000889; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP UBB.threads remote file include"; flow:to_server,established; uricontent:"addpost_newpoll.php?"; nocase; uricontent:"thispath="; nocase; pcre:"/addpost_newpoll\x2Ephp\x3F[^\r\n]*thispath=(https?|ftp)/Ui"; classtype:web-application-attack; sid:100000906; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP phpMyWebmin change_preferences2 script remote file include"; flow:to_server,established; 
uricontent:"change_preferences.php?"; nocase; uricontent:"target="; nocase; pcre:"/target=(https?|ftp)/Ui"; reference:url,www.securityfocus.com/bid/20281/info; classtype:web-application-attack; sid:100000907; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP phpMyWebmin create_file script remote file include"; flow:to_server,established; uricontent:"create_file.php?"; nocase; uricontent:"target="; nocase; pcre:"/target=(https?|ftp)/Ui"; reference:url,www.securityfocus.com/bid/20281/info; classtype:web-application-attack; sid:100000908; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP phpMyWebmin upload_local script remote file include"; flow:to_server,established; uricontent:"upload_local.php?"; nocase; uricontent:"target="; nocase; pcre:"/target=(https?|ftp)/Ui"; reference:url,www.securityfocus.com/bid/20281/info; classtype:web-application-attack; sid:100000909; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP phpMyWebmin upload_multi script remote file include"; flow:to_server,established; uricontent:"upload_multi.php?"; nocase; uricontent:"target="; nocase; pcre:"/target=(https?|ftp)/Ui"; reference:url,www.securityfocus.com/bid/20281/info; classtype:web-application-attack; sid:100000910; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Dayfox Blog adminlog.php module remote file include"; flow:to_server,established; uricontent:"/edit/adminlog.php?"; nocase; uricontent:"slogin="; nocase; pcre:"/slogin=(https?|ftp)/Ui"; reference:url,www.securityfocus.com/archive/1/447500/30/0/threaded; classtype:web-application-attack; sid:100000911; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Dayfox Blog postblog.php module remote file include"; flow:to_server,established; uricontent:"/edit/postblog.php?"; nocase; uricontent:"slogin="; nocase; 
pcre:"/slogin=(https?|ftp)/Ui"; reference:url,www.securityfocus.com/archive/1/447500/30/0/threaded; classtype:web-application-attack; sid:100000912; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Dayfox Blog index.php module remote file include"; flow:to_server,established; uricontent:"/edit/index.php?"; nocase; uricontent:"slogin="; nocase; pcre:"/slogin=(https?|ftp)/Ui"; reference:url,www.securityfocus.com/archive/1/447500/30/0/threaded; classtype:web-application-attack; sid:100000913; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Dayfox Blog index2.php module remote file include"; flow:to_server,established; uricontent:"/edit/index2.php?"; nocase; uricontent:"slogin="; nocase; pcre:"/slogin=(https?|ftp)/Ui"; reference:url,www.securityfocus.com/archive/1/447500/30/0/threaded; classtype:web-application-attack; sid:100000914; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Somery Include.php remote file include"; flow:established,to_server; uricontent:"/include.php"; nocase; content:"skindir="; nocase; pcre:"/skindir=(https?|ftp)/Ui"; reference:bugtraq,19912; classtype:web-application-attack; sid:100000915; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyBulletinBoard Functions_Post.php xss attempt"; flow:established,to_server; uricontent:"/functions_post.php?"; nocase; content:"script="; nocase; pcre:"/script(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,19770; classtype:web-application-attack; sid:100000916; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP-Dimension functions_kb.php remote file include attempt";flow:established,to_server; uricontent:"/includes/functions_kb.php?"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,20367; classtype:web-application-attack; sid:100000917; rev:1;)
-alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP-Dimension themen_portal_mitte.php remote include attempt"; flow:established,to_server; uricontent:"/includes/themen_portal_mitte.php?"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,20367; classtype:web-application-attack; sid:100000918; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Segue CMS themesettings.inc.php remote file include attempt"; flow:established,to_server; uricontent:"themesettings.inc.php"; uricontent:"themesdir="; pcre:"/themesdir=(https?|ftp|\x2F)/Ui"; reference:bugtraq,20640; reference:cve,2006-5497; reference:url,osvdb.org/29904; reference:nessus,22922; reference:url,www.milw0rm.com/exploits/2600; classtype:web-application-attack; sid:100000919; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MiniBB bb_func_txt.php pathToFiles variable remote file include"; flow:to_server,established; uricontent:"/bb_func_txt.php"; nocase; uricontent:"pathToFiles="; nocase; pcre:"/pathToFiles=(https?|ftp|\x2F)/Ui"; reference:bugtraq,20757; reference:url,osvdb.org/29971; reference:nessus,22926; classtype:web-application-attack; sid:100000920; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PunBB register.php language variable remote file include"; flow:to_server,established; content:"register.php"; nocase; content:"language="; nocase; pcre:"/language=(\x2F|\x2E)/Ui"; reference:bugtraq,20786; reference:cve,2006-5735; reference:url,osvdb.org/30132; reference:nessus,22932; classtype:web-application-attack; sid:100000921; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Etomite CMS index.php id variable SQL injection"; flow:to_server,established; uricontent:"/etomite/index.php"; nocase; uricontent:"id="; nocase; pcre:"/id=[A-Za-z0-9]{1,}\'/Ui"; reference:bugtraq,21135; 
reference:url,osvdb.org/30442; reference:url,secunia.com/advisories/22885; classtype:web-application-attack; sid:100000922; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY-WEB-PHP ADP Forum Attempted Password Recon"; uricontent:"/users/admin.txt"; nocase; reference:url,www.milw0rm.com/exploits/3053; classtype:web-application-attack; sid:100000925; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY-WEB-PHP EasyNews PRO News Attempted Password Recon"; uricontent:"/newsboard/data/users.txt"; nocase; reference:url,www.milw0rm.com/exploits/3039; classtype:web-application-attack; sid:100000926; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Xoops module Articles SQL Injection Exploit"; flow:to_server,established; uricontent:"/modules/articles/index.php"; nocase; uricontent:"cat_id="; nocase; reference:url,www.securityfocus.com/archive/1/463916; classtype:web-application-attack; sid:100000929; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Drake CMS 404.php Local File Include Vulnerability"; flow:established,to_server; uricontent:"404.php?"; nocase; uricontent:"d_private="; nocase; reference:bugtraq,23215; classtype:web-application-attack; sid:100000930; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Softerra Time-Assistant remote include attempt";flow:established,to_server; uricontent:"/lib/timesheet.class.php?"; nocase; uricontent:"lib_dir="; nocase; pcre:"/lib_dir=(https?|ftp)/Ui"; classtype:web-application-attack; reference:bugtraq,23203; sid:100000931; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Softerra Time-Assistant remote include attempt";flow:established,to_server; uricontent:"/lib/timesheet.class.php?"; nocase; uricontent:"inc_dir="; nocase; pcre:"/inc_dir=(https?|ftp)/Ui"; classtype:web-application-attack; 
reference:bugtraq,23203; sid:100000932; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Aardvark button/settings_sql.php File Include Vulnerability"; flow:established,to_server; uricontent:"/button/settings_sql.php"; nocase; content:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; priority:3; reference:url,securityfocus.com/archive/1/464351; classtype:web-application-attack; sid:100000933; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Aardvark button/new_day.php File Include Vulnerability"; flow:established,to_server; uricontent:"/button/new_day.php"; nocase; content:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; priority:3; reference:url,securityfocus.com/archive/1/464351; classtype:web-application-attack; sid:100000934; rev:1;)
diff -Nru snort-2.8.5.2/rules/ddos.rules snort-2.9.2/rules/ddos.rules
--- snort-2.8.5.2/rules/ddos.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/ddos.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,66 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: ddos.rules,v 1.23.2.3.2.1 2005/05/16 22:17:51 mwatchinski Exp $
-#-----------
-# DDOS RULES
-#-----------
-
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN Probe"; icmp_id:678; itype:8; content:"1234"; reference:arachnids,443; classtype:attempted-recon; sid:221; rev:4;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS tfn2k icmp possible communication"; icmp_id:0; itype:0; content:"AAAAAAAAAA"; reference:arachnids,425; classtype:attempted-dos; sid:222; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master PONG message detected"; content:"PONG"; reference:arachnids,187; classtype:attempted-recon; sid:223; rev:3;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN client command BE"; icmp_id:456; icmp_seq:0; itype:0; reference:arachnids,184; classtype:attempted-dos; sid:228; rev:3;)
-
-
-alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any (msg:"DDOS shaft client login to handler"; flow:from_server,established; content:"login|3A|"; reference:arachnids,254; reference:url,security.royans.net/info/posts/bugtraq_ddos3.shtml; classtype:attempted-dos; sid:230; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 18753 (msg:"DDOS shaft handler to agent"; content:"alive tijgu"; reference:arachnids,255; classtype:attempted-dos; sid:239; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 20433 (msg:"DDOS shaft agent to handler"; content:"alive"; reference:arachnids,256; classtype:attempted-dos; sid:240; rev:2;)
-# alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"DDOS shaft synflood"; flow:stateless; flags:S,12; seq:674711609; reference:arachnids,253; reference:cve,2000-0138; classtype:attempted-dos; sid:241; rev:10;)
-
-
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master message detected"; content:"l44"; reference:arachnids,186; classtype:attempted-dos; sid:231; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master *HELLO* message detected"; content:"*HELLO*"; reference:arachnids,185; reference:url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm; classtype:attempted-dos; sid:232; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; reference:arachnids,197; classtype:attempted-dos; sid:233; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default password"; flow:established,to_server; content:"gOrave"; classtype:attempted-dos; sid:234; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default mdie password"; flow:established,to_server; content:"killme"; classtype:bad-unknown; sid:235; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"DDOS Trin00 Master to Daemon default password attempt"; content:"l44adsl"; reference:arachnids,197; classtype:attempted-dos; sid:237; rev:2;)
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS TFN server response"; icmp_id:123; icmp_seq:0; itype:0; content:"shell bound to port"; reference:arachnids,182; classtype:attempted-dos; sid:238; rev:6;)
-
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 6838 (msg:"DDOS mstream agent to handler"; content:"newserver"; classtype:attempted-dos; sid:243; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler to agent"; content:"stream/"; reference:cve,2000-0138; classtype:attempted-dos; sid:244; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler ping to agent"; content:"ping"; reference:cve,2000-0138; classtype:attempted-dos; sid:245; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream agent pong to handler"; content:"pong"; classtype:attempted-dos; sid:246; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"DDOS mstream client to handler"; flow:to_server,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:247; rev:4;)
-alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; flow:to_client,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:248; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 15104 (msg:"DDOS mstream client to handler"; flow:stateless; flags:S,12; reference:arachnids,111; reference:cve,2000-0138; classtype:attempted-dos; sid:249; rev:8;)
-alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; flow:from_server,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:250; rev:4;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS - TFN client command LE"; icmp_id:51201; icmp_seq:0; itype:0; reference:arachnids,183; classtype:attempted-dos; sid:251; rev:3;)
-
-
-alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server spoof"; icmp_id:666; itype:0; reference:arachnids,193; classtype:attempted-dos; sid:224; rev:3;)
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht gag server response"; icmp_id:669; itype:0; content:"sicken"; reference:arachnids,195; classtype:attempted-dos; sid:225; rev:6;)
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server response"; icmp_id:667; itype:0; content:"ficken"; reference:arachnids,191; classtype:attempted-dos; sid:226; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client spoofworks"; icmp_id:1000; itype:0; content:"spoofworks"; reference:arachnids,192; classtype:attempted-dos; sid:227; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client check gag"; icmp_id:668; itype:0; content:"gesundheit!"; reference:arachnids,194; classtype:attempted-dos; sid:236; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client check skillz"; icmp_id:666; itype:0; content:"skillz"; reference:arachnids,190; classtype:attempted-dos; sid:229; rev:5;)
-alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent niggahbitch"; icmp_id:9015; itype:0; content:"niggahbitch"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1854; rev:7;)
-alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht agent->handler skillz"; icmp_id:6666; itype:0; content:"skillz"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1855; rev:7;)
-alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent ficken"; icmp_id:6667; itype:0; content:"ficken"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1856; rev:7;)
diff -Nru snort-2.8.5.2/rules/deleted.rules snort-2.9.2/rules/deleted.rules
--- snort-2.8.5.2/rules/deleted.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/deleted.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,451 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: deleted.rules,v 1.37.2.1.2.1 2005/05/16 22:17:51 mwatchinski Exp $
-#-------------
-# DELETED RULES
-#-------------
-# These signatures have been deleted for various reasons, but we are keeping
-# them here for historical purposes.
-
-# Duplicate to 332
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER probe 0 attempt"; flow:to_server,established; content:"0"; reference:arachnids,378; classtype:attempted-recon; sid:325; rev:4;)
-
-# Duplicate of 512
-alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"MISC Invalid PCAnywhere Login"; flow:from_server,established; content:"Invalid login"; depth:13; offset:5; classtype:unsuccessful-user; sid:511; rev:5;)
-
-# Duplicate of 514
-alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg:"MISC ramen worm incoming"; flow:established; content:"GET "; depth:8; nocase; reference:arachnids,460; classtype:bad-unknown; sid:506; rev:4;)
-
-# Duplicate of 557
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INFO Outbound GNUTella client request"; flow:established; content:"GNUTELLA OK"; depth:40; classtype:misc-activity; sid:558; rev:5;)
-
-# Duplicate of 559
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"P2P Inbound GNUTella client request"; flags:A+; flow:established; content:"GNUTELLA CONNECT"; depth:40; classtype:misc-activity; sid:559; rev:6;)
-
-# Duplicate of 844
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC O'Reilly args.bat access"; flow:to_server,established; uricontent:"/cgi-dos/args.bat"; nocase; classtype:attempted-recon; sid:1121; rev:5;)
-
-# Yeah, so the one site that was vulnerable to edit.pl aint no more.
-# http://packetstorm.widexs.nl/new-exploits/freestats-cgi.txt
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI edit.pl access"; flow:to_server,established; uricontent:"/edit.pl"; nocase; reference:bugtraq,2713; classtype:attempted-recon; sid:855; rev:6;)
-
-# duplicate of 987
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXPERIMENTAL WEB-IIS .htr request"; flow:to_server,established; uricontent:".htr"; nocase; reference:bugtraq,4474; reference:cve,2002-0071; reference:nessus,10932; classtype:web-application-activity; sid:1619; rev:8;)
-
-# webmasters suck, so this happens ever so often. Its really not that bad,
-# so lets disable it.
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC prefix-get //"; flow:to_server,established; uricontent:"get //"; nocase; classtype:attempted-recon; sid:1114; rev:6;)
-
-# dup of 1660
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXPERIMENTAL WEB-IIS .NET trace.axd access"; flow:to_server,established; uricontent:"/traace.axd"; nocase; classtype:web-application-attack; sid:1749; rev:4;)
-
-# dup
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC iPlanet ../../ DOS attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/../../../../../../../../../../../"; reference:bugtraq,2282; reference:cve,2001-0252; classtype:web-application-attack; sid:1049; rev:11;)
-
-
-# Falses WAAAYYY too often.
-alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES directory listing"; flow:from_server,established; content:"Directory of"; nocase; classtype:unknown; sid:496; rev:8;)
-
-# Replaced with 1801,1802,1803,1804
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS header field buffer overflow attempt"; flow:to_server,established; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; classtype:web-application-attack; sid:1768; rev:7;)
-
-# duplicate of sid:1673
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE execute_system attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:protocol-command-decode; sid:1698; rev:4;)
-
-# Port based only sigs suck, this is why stream4 has flow logs
-alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11 outbound client connection detected"; flow:established; reference:arachnids,126; classtype:misc-activity; sid:1227; rev:5;)
-
-# basically duplicate of 330
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop redirection"; dsize:11; flow:to_server,established; content:"@localhost|0A|"; reference:arachnids,11; classtype:attempted-recon; sid:329; rev:8;)
-
-# duplicate of 1478
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI swc attempt"; flow:to_server,established; uricontent:"/swc"; nocase; classtype:attempted-recon; sid:1477; rev:5;)
-
-# duplicate of 1248
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad overflow attempt"; dsize:>258; flow:to_server,established; uricontent:"/fp30reg.dll"; nocase; reference:arachnids,555; reference:bugtraq,2906; reference:cve,2001-0341; reference:url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx; classtype:web-application-attack; sid:1246; rev:14;)
-
-# duplicate of 1249
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad overflow attempt"; dsize:>259; flow:to_server,established; uricontent:"/fp4areg.dll"; nocase; reference:bugtraq,2906; reference:cve,2001-0341; classtype:web-application-attack; sid:1247; rev:11;)
-
-# duplicate of 1755
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT partial body overflow attempt"; dsize:>1092; flow:to_server,established; content:" x PARTIAL 1 BODY["; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:1780; rev:9;)
-
-# duplicate of 1538
-alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP Cassandra Overflow"; dsize:>512; flow:to_server,established; content:"AUTHINFO USER"; depth:16; nocase; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-user; sid:291; rev:12;)
-
-# This rule looks for the exploit for w3-msql, but very badly
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3-msql solaris x86 access"; flow:to_server,established; uricontent:"/bin/shA-cA/usr/openwin"; nocase; reference:arachnids,211; reference:cve,1999-0276; classtype:attempted-recon; sid:874; rev:7;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 bsd overfow"; content:"echo netrjs stre"; reference:bugtraq,324; reference:cve,1999-0914; classtype:attempted-admin; sid:318; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 linux overflow"; content:"A90|C0 A8 01 01|/bin/sh|00|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:319; rev:5;)
-
-
-# duplicate of 109
-alert tcp $HOME_NET 12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flags:A+; flow:established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:114; rev:5;)
-
-# duplicate of 110
-alert tcp $EXTERNAL_NET any -> $HOME_NET 12346 (msg:"BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; classtype:misc-activity; sid:111; rev:5;)
-
-
-# we have a backorifice preprocessor
-alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"BACKDOOR BackOrifice access"; flags:A+; flow:established; content:"server|3A| BO/"; reference:arachnids,400; classtype:misc-activity; sid:112; rev:6;)
-
-# we have a backorifice preprocessor
-alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice access"; content:"|CE|c|D1 D2 16 E7 13 CF|9|A5 A5 86|"; reference:arachnids,399; classtype:misc-activity; sid:116; rev:5;)
-
-
-
-alert udp $EXTERNAL_NET 2140 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; reference:arachnids,106; classtype:misc-activity; sid:164; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server ON"; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; classtype:misc-activity; sid:165; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Picture Client Request"; content:"22"; reference:arachnids,106; classtype:misc-activity; sid:166; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request"; content:"32"; reference:arachnids,106; classtype:misc-activity; sid:167; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request"; content:"33"; reference:arachnids,106; classtype:misc-activity; sid:168; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request"; content:"34"; reference:arachnids,106; classtype:misc-activity; sid:169; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request"; content:"110"; reference:arachnids,106; classtype:misc-activity; sid:170; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request"; content:"35"; reference:arachnids,106; classtype:misc-activity; sid:171; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request"; content:"70"; reference:arachnids,106; classtype:misc-activity; sid:172; rev:6;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request"; content:"71"; reference:arachnids,106; classtype:misc-activity; sid:173; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"31"; reference:arachnids,106; classtype:misc-activity; sid:174; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Resolution Change Client Request"; content:"125"; reference:arachnids,106; classtype:misc-activity; sid:175; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"04"; reference:arachnids,106; classtype:misc-activity; sid:176; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server OFF"; content:"KeyLogger Shut Down"; reference:arachnids,106; classtype:misc-activity; sid:177; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Server Port Client Request"; content:"21"; reference:arachnids,106; classtype:misc-activity; sid:179; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Process List Client request"; content:"64"; reference:arachnids,106; classtype:misc-activity; sid:180; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Close Port Scan Client Request"; content:"121"; reference:arachnids,106; classtype:misc-activity; sid:181; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Registry Add Client Request"; content:"89"; reference:arachnids,106; classtype:misc-activity; sid:182; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 System Info Client Request"; content:"13"; reference:arachnids,106; classtype:misc-activity; sid:122; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Status Client Request"; content:"09"; reference:arachnids,106; classtype:misc-activity; sid:124; rev:5;)
-alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info From Server"; content:"Retreaving"; reference:arachnids,106; classtype:misc-activity; sid:125; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info Client Request"; content:"12"; reference:arachnids,106; classtype:misc-activity; sid:126; rev:5;)
-alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Status From Server"; content:"Host"; reference:arachnids,106; classtype:misc-activity; sid:127; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Status Client Request"; content:"10"; reference:arachnids,106; classtype:misc-activity; sid:128; rev:5;)
-alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Drive Info From Server"; content:"C - "; reference:arachnids,106; classtype:misc-activity; sid:129; rev:5;)
-alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 System Info From Server"; content:"Comp Name"; reference:arachnids,106; classtype:misc-activity; sid:130; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Drive Info Client Request"; content:"130"; reference:arachnids,106; classtype:misc-activity; sid:131; rev:5;)
-alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server"; content:"FTP Server changed to"; reference:arachnids,106; classtype:misc-activity; sid:132; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Cached Passwords Client Request"; content:"16"; reference:arachnids,106; classtype:misc-activity; sid:133; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 RAS Passwords Client Request"; content:"17"; reference:arachnids,106; classtype:misc-activity; sid:134; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Change Client Request"; content:"91"; reference:arachnids,106; classtype:misc-activity; sid:135; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Remove Client Request"; content:"92"; reference:arachnids,106; classtype:misc-activity; sid:136; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Rehash Client Request"; content:"911"; reference:arachnids,106; classtype:misc-activity; sid:137; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Server Rehash Client Request"; content:"shutd0wnM0therF***eR"; reference:arachnids,106; classtype:misc-activity; sid:138; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request"; content:"88"; reference:arachnids,106; classtype:misc-activity; sid:140; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request"; content:"40"; reference:arachnids,106; classtype:misc-activity; sid:142; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request"; content:"20"; reference:arachnids,106; classtype:misc-activity; sid:143; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; content:"|00 23|"; reference:arachnids,106; classtype:misc-activity; sid:149; rev:5;)
-alert udp $EXTERNAL_NET 3150 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; content:"|00 23|"; reference:arachnids,106; classtype:misc-activity; sid:150; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; reference:arachnids,106; classtype:misc-activity; sid:151; rev:5;)
-alert udp $HOME_NET 3150 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Wrong Password"; content:"Wrong Password"; reference:arachnids,106; classtype:misc-activity; sid:154; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Visible Window List Client Request"; content:"37"; reference:arachnids,106; classtype:misc-activity; sid:156; rev:5;)
-alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg:"BACKDOOR DeepThroat access"; content:"--Ahhhhhhhhhh"; reference:arachnids,405; classtype:misc-activity; sid:113; rev:6;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Monitor on/off Client Request"; content:"07"; reference:arachnids,106; classtype:misc-activity; sid:186; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Delete File Client Request"; content:"41"; reference:arachnids,106; classtype:misc-activity; sid:187; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Kill Window Client Request"; content:"38"; reference:arachnids,106; classtype:misc-activity; sid:188; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Disable Window Client Request"; content:"23"; reference:arachnids,106; classtype:misc-activity; sid:189; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable Window Client Request"; content:"24"; reference:arachnids,106; classtype:misc-activity; sid:190; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Window Title Client Request"; content:"60"; reference:arachnids,106; classtype:misc-activity; sid:191; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide Window Client Request"; content:"26"; reference:arachnids,106; classtype:misc-activity; sid:192; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Window Client Request"; content:"25"; reference:arachnids,106; classtype:misc-activity; sid:193; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Send Text to Window Client Request"; content:"63"; reference:arachnids,106; classtype:misc-activity; sid:194; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request"; content:"30"; reference:arachnids,106; classtype:misc-activity; sid:196; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Create Directory Client Request"; content:"39"; reference:arachnids,106; classtype:misc-activity; sid:197; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 All Window List Client Request"; content:"370"; reference:arachnids,106; classtype:misc-activity; sid:198; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Play Sound Client Request"; content:"36"; reference:arachnids,106; classtype:misc-activity; sid:199; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Normal Client Request"; content:"14"; reference:arachnids,106; classtype:misc-activity; sid:200; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request"; content:"15"; reference:arachnids,106; classtype:misc-activity; sid:201; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Get NET File Client Request"; content:"100"; reference:arachnids,106; classtype:misc-activity; sid:202; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"117"; reference:arachnids,106; classtype:misc-activity; sid:203; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"118"; reference:arachnids,106; classtype:misc-activity; sid:204; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 HUP Modem Client Request"; content:"199"; reference:arachnids,106; classtype:misc-activity; sid:205; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Open Client Request"; content:"02"; reference:arachnids,106; classtype:misc-activity; sid:206; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Close Client Request"; content:"03"; reference:arachnids,106; classtype:misc-activity; sid:207; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named iquery attempt"; content:"|09 80 00 00 00 01 00 00 00 00|"; depth:16; offset:2; reference:arachnids,277; reference:bugtraq,134; reference:cve,1999-0009; reference:url,www.rfc-editor.org/rfc/rfc1035.txt; classtype:attempted-recon; sid:252; rev:7;)
-alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Keylogger Active on Network"; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; classtype:misc-activity; sid:148; rev:5;)
-
-# The following ftp rules look for specific exploits, which are not needed now
-# that initial protocol decoding is available.
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT format string"; flow:to_server,established; content:"SITE EXEC %020d|7C|%.f%.f|7C 0A|"; depth:32; nocase; reference:arachnids,453; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:338; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT OpenBSD x86 ftpd"; flow:to_server,established; content:" |90|1|C0 99|RR|B0 17 CD 80|h|CC|sh"; reference:arachnids,446; reference:bugtraq,2124; reference:cve,2001-0053; classtype:attempted-user; sid:339; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"PWD|0A|/i"; classtype:attempted-admin; sid:340; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"XXXXX/"; classtype:attempted-admin; sid:341; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8"; flow:to_server,established; content:"|90 1B C0 0F 82 10| |17 91 D0| |08|"; reference:arachnids,451; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:342; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD"; flow:to_server,established; content:"1|C0|PPP|B0|~|CD 80|1|DB|1|C0|"; depth:32; reference:arachnids,228; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:343; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux"; flow:to_server,established; content:"1|C0|1|DB|1|C9 B0|F|CD 80|1|C0|1|DB|"; reference:arachnids,287; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:344; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic"; flow:to_server,established; content:"SITE "; nocase; content:" EXEC "; nocase; content:" %p"; nocase; reference:arachnids,285; reference:bugtraq,1387; reference:cve,2000-0573; reference:nessus,10452; classtype:attempted-admin; sid:345; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check"; flow:to_server,established; content:"f%.f%.f%.f%.f%."; depth:32; reference:arachnids,286; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-recon; sid:346; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0"; flow:to_server,established; content:"..11venglin@"; reference:arachnids,440; reference:bugtraq,1387; classtype:attempted-user; sid:348; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT MKD overflow"; flow:to_server,established; content:"MKD AAAAAA"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:349; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"1|C0|1|DB B0 17 CD 80|1|C0 B0 17 CD 80|"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:350; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"1|DB 89 D8 B0 17 CD 80 EB|,"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:351; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|83 EC 04|^|83 C6|p|83 C6 28 D5 E0 C0|"; reference:bugtraq, 113; reference:cve, CVE-1999-0368; classtype:attempted-admin; sid:352; rev:6;)
-
-# duplicate of 475
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:misc-activity; sid:455; rev:7;)
-
-
-# not needed thanks to 1964 and 1965
-alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv solaris overflow"; dsize:>999; flow:to_server,established; content:"|C0 22|?|FC A2 02| |09 C0|,|7F FF E2 22|?|F4|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:570; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv Solaris overflow"; dsize:>999; flow:to_server,established; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:571; rev:8;)
-
-# dup of 589
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1296; rev:4;)
-# dup of 1275
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; flow:to_server,established; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1297; rev:8;)
-
-# dup of 1280
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing"; flow:to_server,established; rpc:100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:596; rev:6;)
-
-# dup of 1281
-alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing"; flow:to_server,established; rpc:100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:597; rev:6;)
-
-alert ip $EXTERNAL_NET any ->
$HOME_NET any (msg:"BAD TRAFFIC Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!6; ip_proto:!89; classtype:non-standard-protocol; sid:1620; rev:5;) - -# this has been replaced with sid 1905 and 1906 -alert tcp $EXTERNAL_NET any -> $HOME_NET 634:1400 (msg:"RPC AMD Overflow"; flow:to_server,established; content:"|80 00 04|,L|15|u[|00 00 00 00 00 00 00 02|"; depth:32; reference:arachnids,217; reference:cve,1999-0704; classtype:attempted-admin; sid:573; rev:8;) - -# these have been replaced by 1915, 1916, 1914, and 1913 -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; flow:to_server,established; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:600; rev:7;) -alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:1282; rev:5;) - -# duplicate of 1088 -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webstore directory traversal"; flow:to_server,established; uricontent:"/web_store.cgi?page=../.."; reference:bugtraq,1774; reference:cve,2000-1005; classtype:web-application-attack; sid:1094; rev:10;) - - -# these are obsolete -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT overflow"; flow:to_server,established; content:"|E8 C0 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:293; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|89 D8|@|CD 80 E8 C8 FF FF FF|/"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:295; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|4^|8D 1E 89|^|0B|1|D2 89|V|07|"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:296; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 
(msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|5^|80|F|01|0|80|F|02|0|80|F|03|0"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:297; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|8^|89 F3 89 D8 80|F|01| |80|F|02|"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:298; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|X^1|DB 83 C3 08 83 C3 02 88|^&"; reference:bugtraq,130; reference:cve, CVE-1999-0005; classtype:attempted-admin; sid:299; rev:6;) - -# what is this rule? we have no idea... -alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN ssh-research-scanner"; flow:to_server,established; content:"|00 00 00|`|00 00 00 00 00 00 00 00 01 00 00 00|"; classtype:attempted-recon; sid:617; rev:4;) - -# These have been replaced by better rules (1915,1916,1913,1914) -alert udp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; reference:arachnids,9; classtype:attempted-recon; sid:592; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; reference:arachnids,9; classtype:attempted-recon; sid:1278; rev:5;) - -alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned nobody"; flow:from_server,established; content:"uid="; content:"|28|nobody|29|"; classtype:bad-unknown; sid:1883; rev:5;) -alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned web"; flow:from_server,established; content:"uid="; content:"|28|web|29|"; classtype:bad-unknown; sid:1884; rev:5;) -alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check 
returned http"; flow:from_server,established; content:"uid="; content:"|28|http|29|"; classtype:bad-unknown; sid:1885; rev:5;) -alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned apache"; flow:from_server,established; content:"uid="; content:"|28|apache|29|"; classtype:bad-unknown; sid:1886; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00|"; depth:2; offset:45; reference:bugtraq,5556; reference:cve,2002-0724; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; reference:nessus,11110; sid:2102; rev:9;) - -# specific example for sid:1549 -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT x86 windows CSMMail overflow"; flow:to_server,established; content:"|EB|S|EB| [|FC|3|C9 B1 82 8B F3 80|+"; reference:bugtraq,895; reference:cve,2000-0042; classtype:attempted-admin; sid:656; rev:8;) - -# this is properly caught by sid:527 -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Land attack"; flags:S; id:3868; seq:3868; flow:stateless; reference:bugtraq,2666; reference:cve,1999-0016; classtype:attempted-dos; sid:269; rev:9;) - -# duplicate of 1546 -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco Web DOS attempt"; flow:to_server,established; content:" /%%"; depth:16; reference:arachnids,275; classtype:attempted-dos; sid:1138; rev:7;) - -# these are obsoleted by cleaning up 663 -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.4.1 exploit"; flow:to_server,established; content:"rcpt to|3A| |7C| sed '1,/^|24|/d'|7C|"; nocase; reference:arachnids,120; classtype:attempted-user; sid:666; rev:7;) - -# dup of 588 -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap 
tooltalk request TCP"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1298; rev:15;) -# dup of 1274 -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request UDP"; content:"|00 00 00 00|"; depth:4; offset:4; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1299; rev:14;) - -# these virus rules suck. 
-alert tcp any 110 -> any any (msg:"Virus - SnowWhite Trojan Incoming"; flow:established; content:"Suddlently"; classtype:misc-activity; sid:720; rev:6;) -alert tcp any 110 -> any any (msg:"Virus - Possible NAVIDAD Worm"; flow:established; content:"NAVIDAD.EXE"; nocase; classtype:misc-activity; sid:722; rev:6;) -alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"myromeo.exe"; nocase; classtype:misc-activity; sid:723; rev:6;) -alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"myjuliet.chm"; nocase; classtype:misc-activity; sid:724; rev:6;) -alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"ble bla"; nocase; classtype:misc-activity; sid:725; rev:6;) -alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"I Love You"; classtype:misc-activity; sid:726; rev:6;) -alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"Sorry... 
Hey you !"; classtype:misc-activity; sid:727; rev:6;) -alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"my picture from shake-beer"; classtype:misc-activity; sid:728; rev:6;) -alert tcp any 110 -> any any (msg:"Virus - Possible QAZ Worm"; flow:established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:731; rev:7;) -alert tcp any any -> any 25 (msg:"Virus - Possible QAZ Worm Calling Home"; flow:established; content:"nongmin_cn"; reference:MCAFEE,98775; classtype:misc-activity; sid:733; rev:6;) -alert tcp any 110 -> any any (msg:"Virus - Possible Matrix worm"; flow:established; content:"Software provide by [MATRiX]"; nocase; classtype:misc-activity; sid:734; rev:6;) -alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"Matrix has you..."; classtype:misc-activity; sid:735; rev:6;) -alert tcp any any -> any 25 (msg:"Virus - Successful eurocalculator execution"; flags:PA; flow:established; content:"funguscrack@hotmail.com"; nocase; classtype:misc-activity; sid:736; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible eurocalculator.exe file"; flow:established; content:"filename="; content:"eurocalculator.exe"; nocase; classtype:misc-activity; sid:737; rev:6;) -alert tcp any any -> any 110 (msg:"Virus - Possible Pikachu Pokemon Virus"; flags:PA; flow:established; content:"Pikachu Pokemon"; reference:MCAFEE,98696; classtype:misc-activity; sid:738; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible Triplesix Worm"; flow:established; content:"filename=|22|666TEST.VBS|22|"; nocase; reference:MCAFEE,10389; classtype:misc-activity; sid:739; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible Tune.vbs"; flow:established; content:"filename=|22|tune.vbs|22|"; nocase; reference:MCAFEE,10497; classtype:misc-activity; sid:740; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"Market share 
tipoff"; reference:MCAFEE,10109; classtype:misc-activity; sid:741; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"name =|22|WWIII!"; reference:MCAFEE,10109; classtype:misc-activity; sid:742; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"New Developments"; reference:MCAFEE,10109; classtype:misc-activity; sid:743; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"Good Times"; reference:MCAFEE,10109; classtype:misc-activity; sid:744; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible Papa Worm"; flow:established; content:"filename=|22|XPASS.XLS|22|"; nocase; reference:MCAFEE,10145; classtype:misc-activity; sid:745; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible Freelink Worm"; flow:established; content:"LINKS.VBS"; reference:MCAFEE,10225; classtype:misc-activity; sid:746; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible Simbiosis Worm"; flow:established; content:"filename=|22|SETUP.EXE|22|"; nocase; classtype:misc-activity; sid:747; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible BADASS Worm"; flow:established; content:"name =|22|BADASS.EXE|22|"; reference:MCAFEE,10388; classtype:misc-activity; sid:748; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible ExploreZip.B Worm"; flow:established; content:"name =|22|File_zippati.exe|22|"; reference:MCAFEE,10471; classtype:misc-activity; sid:749; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible wscript.KakWorm"; flow:established; content:"filename=|22|KAK.HTA|22|"; nocase; reference:MCAFEE,10509; classtype:misc-activity; sid:751; rev:7;) -alert tcp any 110 -> any any (msg:"Virus Possible Suppl Worm"; flow:established; content:"filename=|22|Suppl.doc|22|"; nocase; reference:MCAFEE,10361; classtype:misc-activity; sid:752; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - 
theobbq.exe"; flow:established; content:"filename=|22|THEOBBQ.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:753; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; flow:established; content:"filename=|22|MONEY.DOC|22|"; nocase; reference:MCAFEE,10502; classtype:misc-activity; sid:754; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible IROK Worm"; flow:established; content:"filename=|22|irok.exe|22|"; nocase; reference:MCAFEE,98552; classtype:misc-activity; sid:755; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible Fix2001 Worm"; flow:established; content:"filename=|22|Fix2001.exe|22|"; nocase; reference:MCAFEE,10355; classtype:misc-activity; sid:756; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible Y2K Zelu Trojan"; flow:established; content:"filename=|22|Y2K.EXE|22|"; nocase; reference:MCAFEE,10505; classtype:misc-activity; sid:757; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible The_Fly Trojan"; flow:established; content:"filename=|22|THE_FLY.CHM|22|"; nocase; reference:MCAFEE,10478; classtype:misc-activity; sid:758; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; flow:established; content:"filename=|22|DINHEIRO.DOC|22|"; nocase; reference:MCAFEE,10502; classtype:misc-activity; sid:759; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible Passion Worm"; flow:established; content:"filename=|22|ICQ_GREETINGS.EXE|22|"; nocase; reference:MCAFEE,10467; classtype:misc-activity; sid:760; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler3.exe"; flow:established; content:"filename=|22|COOLER3.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:761; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - party.exe"; flow:established; content:"filename=|22|PARTY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:762; rev:7;) -alert tcp any 110 -> 
any any (msg:"Virus - Possible NewApt.Worm - hog.exe"; flow:established; content:"filename=|22|HOG.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:763; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal1.exe"; flow:established; content:"filename=|22|GOAL1.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:764; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - pirate.exe"; flow:established; content:"filename=|22|PIRATE.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:765; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - video.exe"; flow:established; content:"filename=|22|VIDEO.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:766; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - baby.exe"; flow:established; content:"filename=|22|BABY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:767; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler1.exe"; flow:established; content:"filename=|22|COOLER1.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:768; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - boss.exe"; flow:established; content:"filename=|22|BOSS.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:769; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - g-zilla.exe"; flow:established; content:"filename=|22|G-ZILLA.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:770; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible ToadieE-mail Trojan"; flow:established; content:"filename=|22|Toadie.exe|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:771; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible PrettyPark Trojan"; flow:established; content:"|5C|CoolProgs|5C|"; depth:750; 
offset:300; reference:MCAFEE,10175; classtype:misc-activity; sid:772; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible Happy99 Virus"; flow:established; content:"X-Spanska|3A|Yes"; reference:MCAFEE,10144; classtype:misc-activity; sid:773; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible CheckThis Trojan"; flow:established; content:"name =|22|links.vbs|22|"; classtype:misc-activity; sid:774; rev:5;) -alert tcp any 110 -> any any (msg:"Virus - Possible Bubbleboy Worm"; flow:established; content:"BubbleBoy is back!"; reference:MCAFEE,10418; classtype:misc-activity; sid:775; rev:6;) -alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - copier.exe"; flow:established; content:"filename=|22|COPIER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:776; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible MyPics Worm"; flow:established; content:"name =|22|pics4you.exe|22|"; reference:MCAFEE,10467; classtype:misc-activity; sid:777; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible Babylonia - X-MAS.exe"; flow:established; content:"name =|22|X-MAS.EXE|22|"; reference:MCAFEE,10461; classtype:misc-activity; sid:778; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - gadget.exe"; flow:established; content:"filename=|22|GADGET.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:779; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - irnglant.exe"; flow:established; content:"filename=|22|IRNGLANT.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:780; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - casper.exe"; flow:established; content:"filename=|22|CASPER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:781; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - fborfw.exe"; flow:established; content:"filename=|22|FBORFW.EXE|22|"; nocase; 
reference:MCAFEE,10540; classtype:misc-activity; sid:782; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - saddam.exe"; flow:established; content:"filename=|22|SADDAM.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:783; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - bboy.exe"; flow:established; content:"filename=|22|BBOY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:784; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - monica.exe"; flow:established; content:"filename=|22|MONICA.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:785; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal.exe"; flow:established; content:"filename=|22|GOAL.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:786; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - panther.exe"; flow:established; content:"filename=|22|PANTHER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:787; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - chestburst.exe"; flow:established; content:"filename=|22|CHESTBURST.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:788; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible Common Sense Worm"; flow:established; content:"name =|22|THE_FLY.CHM|22|"; classtype:misc-activity; sid:790; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cupid2.exe"; flow:established; content:"filename=|22|CUPID2.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:791; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; flow:established; content:"filename=|22|RESUME1.DOC|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:792; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; flow:established; 
content:"filename=|22|Explorer.doc|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:794; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible Worm - txt.vbs file"; flow:established; content:"filename="; content:".txt.vbs"; nocase; classtype:misc-activity; sid:795; rev:6;) -alert tcp any 110 -> any any (msg:"Virus - Possible Worm - xls.vbs file"; flow:established; content:"filename="; content:".xls.vbs"; nocase; classtype:misc-activity; sid:796; rev:6;) -alert tcp any 110 -> any any (msg:"Virus - Possible Worm - jpg.vbs file"; flow:established; content:"filename="; content:".jpg.vbs"; nocase; classtype:misc-activity; sid:797; rev:6;) -alert tcp any 110 -> any any (msg:"Virus - Possible Worm - gif.vbs file"; flow:established; content:"filename="; content:".gif.vbs"; nocase; classtype:misc-activity; sid:798; rev:6;) -alert tcp any 110 -> any any (msg:"Virus - Possible Timofonica Worm"; flow:established; content:"filename=|22|TIMOFONICA.TXT.vbs|22|"; nocase; reference:MCAFEE,98674; classtype:misc-activity; sid:799; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; flow:established; content:"filename=|22|NORMAL.DOT|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:800; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible Worm - doc.vbs file"; flow:established; content:"filename="; content:".doc.vbs"; nocase; classtype:misc-activity; sid:801; rev:6;) -alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - farter.exe"; flow:established; content:"filename=|22|FARTER.EXE|22|"; nocase; reference:MCAFEE,1054; classtype:misc-activity; sid:789; rev:7;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"VIRUS Klez Incoming"; dsize:>120; flow:to_server,established; content:"MIME"; content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1800; rev:4;) -# pcre makes this not needed -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow with evasion attempt"; 
flow:to_server,established; content:"XEXCH50"; nocase; content:"-0"; distance:1; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx; classtype:attempted-admin; sid:2254; rev:3;) - -# historical reference... this used to be here... -alert tcp any 110 -> any any (msg:"Virus - Possbile Zipped Files Trojan"; flow:established; content:"name =|22|Zipped_Files.EXE|22|"; reference:MCAFEE,10450; classtype:misc-activity; sid:802; rev:7;) - -# taken care of by http_inspect now -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS multiple decode attempt"; flow:to_server,established; uricontent:"%5c"; uricontent:".."; reference:bugtraq,2708; reference:cve,2001-0333; classtype:web-application-attack; reference:nessus,10671; sid:970; rev:11;) - -# better rule for 1054 caused these rules to not be needed -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".js%2570"; nocase; classtype:attempted-recon; sid:1236; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".j%2573p"; nocase; classtype:attempted-recon; sid:1237; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".%256Asp"; nocase; classtype:attempted-recon; sid:1238; rev:6;) - -# these rules are dumb. 
sid:857 looks for the access, and thats all we can do -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey attempt full path"; flow:to_server,established; uricontent:"/faxsurvey?/"; nocase; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-attack; sid:1647; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey arbitrary file read attempt"; flow:to_server,established; uricontent:"/faxsurvey?cat%20"; nocase; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-attack; sid:1609; rev:7;) - -# dup of 2061 -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat directory traversal attempt"; flow:to_server,established; uricontent:"|00|.jsp"; reference:bugtraq,2518; classtype:web-application-attack; sid:1055; rev:9;) - - - -# squash all of the virus rules into one rule. go PCRE! -alert tcp any any -> any 139 (msg:"Virus - Possible QAZ Worm Infection"; flow:established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:732; rev:8;) -alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .shs file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".shs|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:730; rev:7;) -alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .exe file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".exe|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2160; rev:4;) -alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .doc file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".doc|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2161; 
rev:4;) -alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .vbs file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".vbs|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:793; rev:7;) -alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .hta file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".hta|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2162; rev:4;) -alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .chm file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".chm|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2163; rev:4;) -alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .reg file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".reg|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2164; rev:4;) -alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .ini file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".ini|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2165; rev:4;) -alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .bat file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".bat|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2166; rev:4;) -alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .diz file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".diz|22|"; within:30; nocase; classtype:suspicious-filename-detect; 
sid:2167; rev:4;) -alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .cpp file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".cpp|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2168; rev:4;) -alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .dll file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".dll|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2169; rev:4;) -alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .vxd file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".vxd|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2170; rev:4;) -alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .sys file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".sys|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2171; rev:4;) -alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .com file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".com|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2172; rev:4;) -alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .scr file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".scr|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:729; rev:7;) -alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .hsq file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".hsq|22|"; within:30; nocase; 
classtype:suspicious-filename-detect; sid:2173; rev:4;) - -# uh, yeah this happens quite a bit. -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ?open access"; flow:to_server,established; uricontent:"?open"; nocase; classtype:web-application-activity; sid:1561; rev:5;) - -# dup of 1485 -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mkilog.exe access"; flow:to_server,established; uricontent:"/mkilog.exe"; nocase; classtype:web-application-activity; sid:1665; rev:6;) - -# dup of 2339 -alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP NULL command attempt"; content:"|00 00|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2336; rev:3;) - -# these happen. more research = more better rules -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2503; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2506; rev:9;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"MISC LDAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2499; 
rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2498; rev:8;)
-
-
-#nmap is no longer as dumb as it once was...
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP"; ack:0; flags:A,12; flow:stateless; reference:arachnids,28; classtype:attempted-recon; sid:628; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap fingerprint attempt"; flags:SFPU; flow:stateless; reference:arachnids,05; classtype:attempted-recon; sid:629; rev:6;)
-
-# dup of 553
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:" ftp|0D 0A|"; nocase; classtype:misc-activity; sid:1449; rev:7;)
-
-# dup of 2417, which is a better rule anyways
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP format string attempt"; flow:to_server,established; content:"%p"; nocase; classtype:attempted-admin; reference:nessus,10452; reference:bugtraq,1387; reference:bugtraq,2240; reference:bugtraq,726; reference:cve,2000-0573; reference:cve,1999-0997; sid:1530; rev:12;)
-
-# ans1 goodness takes care of this one for us
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; 
classtype:attempted-dos; reference:nessus,12065; sid:2385; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; classtype:attempted-dos; reference:nessus,12065; sid:2384; rev:10;)
-
-
-# because this rule sucks
-alert tcp $HOME_NET 7161 -> $EXTERNAL_NET any (msg:"MISC Cisco Catalyst Remote Access"; flags:SA,12; flow:stateless; reference:arachnids,129; reference:bugtraq,705; reference:cve,1999-0430; classtype:bad-unknown; sid:513; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy Port 8080 attempt"; flags:S,12; flow:stateless; classtype:attempted-recon; sid:620; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN SOCKS Proxy attempt"; flags:S,12; flow:stateless; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:615; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S,12; flow:stateless; classtype:attempted-recon; sid:618; rev:9;)
-
-
-# http inspect does a better job than these rules do
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c0%af../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; reference:nessus,10537; sid:981; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%1c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; 
classtype:web-application-attack; reference:nessus,10537; sid:982; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%9c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; reference:nessus,10537; sid:983; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%255c.."; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; reference:nessus,10537; sid:1945; rev:6;)
-
-# dup of 1672
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~<CR><NEWLINE> attempt"; flow:to_server,established; content:"CWD "; content:" ~|0D 0A|"; reference:bugtraq,2601; reference:cve,2001-0421; classtype:denial-of-service; sid:1728; rev:7;)
-
-# dup of 1229
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD .... 
attempt"; flow:to_server,established; content:"CWD "; content:" ...."; reference:bugtraq,4884; classtype:denial-of-service; sid:1779; rev:3;)
-
-# dup of 1757
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC b2 access"; flow:to_server,established; uricontent:"/b2/b2-include/"; content:"b2inc"; content:"http|3A|//"; classtype:web-application-attack; reference:bugtraq,4673; reference:cve,2002-0734; sid:1758; rev:6;)
-
-# dup of 653
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0x90 NOOP unicode"; content:"|90 00 90 00 90 00 90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2314; rev:2;)
-
-# converted to a dup by 1437 moving to regex
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media Video download"; flow:from_server,established; content:"Content-type|3A| video/x-ms-asf"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1438; rev:7;)
-
-# handled by 1212
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC order.log access"; flow:to_server,established; uricontent:"/admin_files/order.log"; nocase; classtype:attempted-recon; sid:1176; rev:6;)
-
diff -Nru snort-2.8.5.2/rules/dns.rules snort-2.9.2/rules/dns.rules
--- snort-2.8.5.2/rules/dns.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/dns.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,54 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: dns.rules,v 1.38.2.3.2.3 2005/05/31 17:13:02 mwatchinski Exp $
-#----------
-# DNS RULES
-#----------
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:255; rev:13;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:1948; rev:6;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:1435; rev:7;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; 
offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:256; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:257; rev:9;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:1616; rev:7;)
-
-
-
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response PTR with TTL of 1 min. and no authority"; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; classtype:bad-unknown; sid:253; rev:4;)
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response with TTL of 1 min. 
and no authority"; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 01 00 01 00 00 00|<|00 04|"; classtype:bad-unknown; sid:254; rev:4;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:258; rev:6;)
-
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01| |02|a"; reference:arachnids,482; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-admin; sid:303; rev:11;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; content:"|80 00 07 00 00 00 00 00 01|?|00 01 02|"; reference:bugtraq,2303; reference:cve,2001-0010; classtype:attempted-admin; sid:314; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:259; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow ADMROCKS"; flow:to_server,established; content:"ADMROCKS"; reference:bugtraq,788; reference:cve,1999-0833; reference:url,www.cert.org/advisories/CA-1999-14.html; classtype:attempted-admin; sid:260; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:261; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0|?1|DB B3 FF|1|C9 CD 80|1|C0|"; classtype:attempted-admin; sid:262; 
rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0 02 CD 80 85 C0|uL|EB|L^|B0|"; classtype:attempted-admin; sid:264; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt ADMv2"; flow:to_server,established; content:"|89 F7 29 C7 89 F3 89 F9 89 F2 AC|<|FE|"; classtype:attempted-admin; sid:265; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 FreeBSD overflow attempt"; flow:to_server,established; content:"|EB|n^|C6 06 9A|1|C9 89|N|01 C6|F|05|"; classtype:attempted-admin; sid:266; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|"; classtype:attempted-admin; sid:267; rev:5;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS TCP inverse query"; flow:to_server,established; byte_test:1,<,16,2; byte_test:1,&,8,2; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-recon; sid:2922; rev:1;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS UDP inverse query"; byte_test:1,<,16,2; byte_test:1,&,8,2; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-recon; sid:2921; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3153; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS UDP inverse query overflow"; byte_test:1,<,16,2; byte_test:1,&,8,2; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3154; rev:2;)
diff -Nru snort-2.8.5.2/rules/dos.rules snort-2.9.2/rules/dos.rules
--- snort-2.8.5.2/rules/dos.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/dos.rules 1970-01-01 
00:00:00.000000000 +0000 
@@ -1,45 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: dos.rules,v 1.39.2.4.2.3 2005/06/29 15:35:04 mwatchinski Exp $
-#----------
-# DOS RULES
-#----------
-
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:268; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack"; fragbits:M; id:242; reference:bugtraq,124; reference:cve,1999-0015; reference:nessus,10279; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:attempted-dos; sid:270; rev:6;)
-# alert udp any 19 <> any 7 (msg:"DOS UDP echo+chargen bomb"; reference:cve,1999-0103; reference:cve,1999-0635; classtype:attempted-dos; sid:271; rev:5;)
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; reference:url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx; classtype:attempted-dos; sid:272; rev:10;)
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; 
fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; classtype:attempted-dos; sid:273; rev:8;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS ath"; itype:8; content:"+++ath"; nocase; reference:arachnids,264; reference:cve,1999-1228; classtype:attempted-dos; sid:274; rev:5;)
-# alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"DOS NAPTHA"; flow:stateless; flags:S; id:413; seq:6060842; reference:bugtraq,2022; reference:cve,2000-1039; reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html; reference:url,www.cert.org/advisories/CA-2000-21.html; reference:url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx; classtype:attempted-dos; sid:275; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Audio Server"; flow:to_server,established; content:"|FF F4 FF FD 06|"; reference:arachnids,411; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:276; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; nocase; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:277; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"DOS Real Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; nocase; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:278; rev:5;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"DOS Bay/Nortel Nautica Marlin"; dsize:0; reference:bugtraq,1009; reference:cve,2000-0221; classtype:attempted-dos; sid:279; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"DOS Ascend Route"; content:"NAMENAME"; depth:50; offset:25; reference:arachnids,262; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:281; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"DOS arkiea backup"; flow:to_server,established; dsize:>1445; 
reference:arachnids,261; reference:bugtraq,662; reference:cve,1999-0788; classtype:attempted-dos; sid:282; rev:8;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 135:139 (msg:"DOS Winnuke attack"; flow:stateless; flags:U+; reference:bugtraq,2010; reference:cve,1999-0153; classtype:attempted-dos; sid:1257; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flow:to_server,established; dsize:>1023; reference:bugtraq,4006; reference:cve,2002-0224; reference:nessus,10939; classtype:attempted-dos; sid:1408; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6004 (msg:"DOS iParty DOS attempt"; flow:to_server,established; content:"|FF FF FF FF FF FF|"; offset:0; reference:bugtraq,6844; reference:cve,1999-1566; classtype:misc-attack; sid:1605; rev:6;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 6789:6790 (msg:"DOS DB2 dos attempt"; flow:to_server,established; dsize:1; reference:bugtraq,3010; reference:cve,2001-1143; reference:nessus,10871; classtype:denial-of-service; sid:1641; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"DOS Cisco attempt"; flow:to_server,established; dsize:1; content:"|13|"; classtype:web-application-attack; sid:1545; rev:8;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"DOS ISAKMP invalid identification payload attempt"; content:"|05|"; depth:1; offset:16; byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2486; rev:5;)
-alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"DOS BGP spoofed connection reset attempt"; flow:established; flags:RSF*; threshold:type both,track by_dst,count 10,seconds 10; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2523; rev:7;)
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"DOS squid WCCP I_SEE_YOU message overflow attempt"; content:"|00 00 00 08|"; depth:4; byte_test:4,>,32,16; reference:bugtraq,12275; 
reference:cve,2005-0095; classtype:attempted-user; sid:3089; rev:2;)
-# alert tcp $EXTERNAL_NET !721:731 -> $HOME_NET 515 (msg:"DOS WIN32 TCP print service denial of service attempt"; flow:to_server,established; dsize:>600; reference:bugtraq,1082; reference:cve,2000-0232; reference:url,www.microsoft.com/technet/security/bulletin/MS00-021.mspx; classtype:attempted-dos; sid:3442; rev:3;)
diff -Nru snort-2.8.5.2/rules/experimental.rules snort-2.9.2/rules/experimental.rules
--- snort-2.8.5.2/rules/experimental.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/experimental.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,27 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: experimental.rules,v 1.78.2.1.2.1 2005/05/16 22:17:51 mwatchinski Exp $
-# ---------------
-# EXPERIMENTAL RULES
-# ---------------
-# These signatures are experimental, new and may trigger way too often.
-#
-# Be forwarned, this is our testing ground. We put new signatures here for
-# testing before incorporating them into the default signature set. This is
-# for bleeding edge stuff only.
-#
diff -Nru snort-2.8.5.2/rules/exploit.rules snort-2.9.2/rules/exploit.rules
--- snort-2.8.5.2/rules/exploit.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/exploit.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,121 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: exploit.rules,v 1.63.2.7.2.7 2005/07/22 19:19:54 mwatchinski Exp $
-#--------------
-# EXPLOIT RULES
-#--------------
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:6;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow filler"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1325; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22 
(msg:"EXPLOIT ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1327; rev:7;)
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT Netscape 4.7 client overflow"; flow:to_client,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; reference:arachnids,215; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:attempted-user; sid:283; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 (msg:"EXPLOIT nlps x86 Solaris overflow"; flow:to_server,established; content:"|EB 23|^3|C0 88|F|FA 89|F|F5 89|6"; reference:bugtraq,2319; classtype:attempted-admin; sid:300; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPRng overflow"; flow:to_server,established; content:"C|07 89|[|08 8D|K|08 89|C|0C B0 0B CD 80|1|C0 FE C0 CD 80 E8 94 FF FF FF|/bin/sh|0A|"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:301; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:302; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"EXPLOIT SCO calserver overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|"; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:304; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"EXPLOIT delegate proxy overflow"; flow:to_server,established; dsize:>1000; content:"whois|3A|//"; nocase; reference:arachnids,267; reference:bugtraq,808; reference:cve,2000-0165; classtype:attempted-admin; sid:305; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"EXPLOIT VQServer admin"; flow:to_server,established; content:"GET / 
HTTP/1.1"; nocase; reference:bugtraq,1610; reference:cve,2000-0766; reference:url,www.vqsoft.com/vq/server/docs/other/control.html; classtype:attempted-admin; sid:306; rev:9;)
-alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"EXPLOIT NextFTP client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user; sid:308; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT sniffit overflow"; flow:stateless; dsize:>512; flags:A+; content:"from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; reference:arachnids,273; reference:bugtraq,1158; reference:cve,2000-0343; classtype:attempted-admin; sid:309; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT x86 windows MailMax overflow"; flow:to_server,established; content:"|EB|E|EB| [|FC|3|C9 B1 82 8B F3 80|+"; reference:bugtraq,2312; reference:cve,1999-0404; classtype:attempted-admin; sid:310; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXPLOIT Netscape 4.7 unsucessful overflow"; flow:to_server,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; reference:arachnids,214; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:unsuccessful-user; sid:311; rev:11;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT ntpdx overflow attempt"; dsize:>128; reference:arachnids,492; reference:bugtraq,2540; reference:cve,2001-0414; classtype:attempted-admin; sid:312; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 518 (msg:"EXPLOIT ntalkd x86 Linux overflow"; content:"|01 03 00 00 00 00 00 01 00 02 02 E8|"; reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:315; rev:6;)
-alert udp $EXTERNAL_NET any 
-> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"|EB|V^VVV1|D2 88|V|0B 88|V|1E|"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:316; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"|EB|@^1|C0|@|89|F|04 89 C3|@|89 06|"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:317; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2224 (msg:"EXPLOIT MDBMS overflow"; flow:to_server,established; content:"|01|1|DB CD 80 E8|[|FF FF FF|"; reference:bugtraq,1252; reference:cve,2000-0446; classtype:attempted-admin; sid:1240; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"EXPLOIT AIX pdnsd overflow"; flow:to_server,established; dsize:>1000; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:1261; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"EXPLOIT rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; reference:bugtraq,3474; reference:cve,2001-0838; classtype:misc-attack; sid:1323; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"EXPLOIT CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; reference:bugtraq,3517; reference:cve,2001-0803; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:1398; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"EXPLOIT cachefsd buffer overflow attempt"; flow:to_server,established; dsize:>720; content:"|00 01 87 86 00 00 00 01 00 00 00 05|"; reference:bugtraq,4631; reference:cve,2002-0084; reference:nessus,10951; classtype:misc-attack; sid:1751; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; 
flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1894; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1895; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1896; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1897; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1898; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; 
classtype:shellcode-detect; sid:1899; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT gobbles SSH exploit attempt"; flow:to_server,established; content:"GOBBLES"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:misc-attack; sid:1812; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPD dvips remote command execution attempt"; flow:to_server,established; content:"psfile=|22|`"; reference:bugtraq,3241; reference:cve,2001-1002; reference:nessus,11023; classtype:system-call-detect; sid:1821; rev:7;)
-
-alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"EXPLOIT SSH server banner overflow"; flow:established,from_server; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s[^\n]{200}/ism"; reference:bugtraq,5287; reference:cve,2002-1059; classtype:misc-attack; sid:1838; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 (msg:"EXPLOIT CHAT IRC topic overflow"; flow:to_client,established; content:"|EB|K[S2|E4 83 C3 0B|K|88 23 B8|Pw"; reference:bugtraq,573; reference:cve,1999-0672; classtype:attempted-user; sid:307; rev:9;)
-alert tcp any any -> any 6666:7000 (msg:"EXPLOIT CHAT IRC Ettercap parse overflow attempt"; flow:to_server,established; content:"PRIVMSG"; nocase; content:"nickserv"; nocase; content:"IDENTIFY"; nocase; isdataat:100,relative; pcre:"/^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi"; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"EXPLOIT x86 Linux samba overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|"; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:292; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"EXPLOIT ebola PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s[^\n]{49}/smi"; reference:bugtraq,9156; 
classtype:attempted-admin; sid:2319; rev:1;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"EXPLOIT ebola USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]{49}/smi"; reference:bugtraq,9156; classtype:attempted-admin; sid:2320; rev:1;) -alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP first payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2376; rev:3;) -alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP second payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2377; rev:3;) -alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP third payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2378; rev:3;) -alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP forth payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2379; rev:3;) -alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; 
reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2380; rev:3;) -alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP delete hash with empty hash attempt"; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2413; rev:9;) -alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2414; rev:9;) -alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:28; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2415; rev:9;) -alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_test:2,>,128,18,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2443; rev:4;) -alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_jump:2,18,relative,little; byte_test:2,>,128,0,relative,little; 
reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2444; rev:4;) -alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt"; content:"|05 00|"; depth:2; byte_test:2,>,128,0,relative,little; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_jump:2,18,relative,little; byte_jump:2,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2445; rev:4;) -alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_test:2,>,512,-11,relative,little; reference:cve,2004-0362; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2446; rev:6;) - -alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2462; rev:7;) -alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2463; rev:7;) -alert ip any any -> any any (msg:"EXPLOIT EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2464; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT esignal STREAMQUOTE buffer 
overflow attempt"; flow:to_server,established; content:"<STREAMQUOTE>"; nocase; isdataat:1024,relative; content:!"</STREAMQUOTE>"; within:1054; nocase; reference:bugtraq,9978; classtype:attempted-admin; sid:2489; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT esignal SNAPQUOTE buffer overflow attempt"; flow:to_server,established; content:"<SNAPQUOTE>"; nocase; isdataat:1024,relative; content:!"</SNAPQUOTE>"; within:1052; nocase; reference:bugtraq,9978; classtype:attempted-admin; sid:2490; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"EXPLOIT AFP FPLoginExt username buffer overflow attempt"; flow:to_server,established; content:"|00 02|"; depth:2; content:"?"; within:1; distance:14; content:"cleartxt passwrd"; nocase; byte_jump:2,1,relative; byte_jump:2,1,relative; isdataat:2,relative; reference:bugtraq,10271; reference:cve,2004-0430; reference:url,www.atstake.com/research/advisories/2004/a050304-1.txt; classtype:attempted-admin; sid:2545; rev:4;) -alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT winamp XM module name overflow"; flow:established,from_server; content:"Extended module|3A|"; nocase; isdataat:20,relative; content:!"|1A|"; within:21; reference:url,www.nextgenss.com/advisories/winampheap.txt; classtype:attempted-user; sid:2550; rev:2;) - -alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache GET overflow attempt"; flow:to_server,established; content:"GET"; pcre:"/^GET[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2551; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache HEAD overflow attempt"; flow:to_server,established; content:"HEAD"; pcre:"/^HEAD[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2552; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache PUT overflow 
attempt"; flow:to_server,established; content:"PUT"; pcre:"/^PUT[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2553; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache POST overflow attempt"; flow:to_server,established; content:"POST"; pcre:"/^POST[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2554; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache TRACE overflow attempt"; flow:to_server,established; content:"TRACE"; pcre:"/^TRACE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2555; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache DELETE overflow attempt"; flow:to_server,established; content:"DELETE"; pcre:"/^DELETE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2556; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache LOCK overflow attempt"; flow:to_server,established; content:"LOCK"; pcre:"/^LOCK[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2557; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache MKCOL overflow attempt"; flow:to_server,established; content:"MKCOL"; pcre:"/^MKCOL[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2558; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache COPY overflow attempt"; flow:to_server,established; content:"COPY"; pcre:"/^COPY[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2559; rev:4;) -alert tcp 
$EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache MOVE overflow attempt"; flow:to_server,established; content:"MOVE"; pcre:"/^MOVE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2560; rev:4;) -alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow UDP"; content:"j"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2578; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow TCP"; flow:to_server,established; content:"j"; depth:1; offset:4; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2579; rev:2;) -alert tcp $EXTERNAL_NET 6666:6669 -> $HOME_NET any (msg:"EXPLOIT eMule buffer overflow attempt"; flow:to_client,established; content:"PRIVMSG"; nocase; pcre:"/^PRIVMSG\s+[^\s]+\s+\x3a\s*\x01SENDLINK\x7c[^\x7c]{69}/smi"; reference:bugtraq,10039; reference:nessus,12233; classtype:attempted-user; sid:2584; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; reference:bugtraq,11763; reference:cve,2004-1080; reference:url,www.immunitysec.com/downloads/instantanea.pdf; reference:url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx; classtype:misc-attack; sid:3017; rev:6;) -alert udp $EXTERNAL_NET 7808 -> $HOME_NET any (msg:"EXPLOIT Volition Freespace 2 buffer overflow attempt"; content:"|00 E1|..|B4 00 00 00|"; depth:8; isdataat:160,relative; reference:bugtraq,9785; 
classtype:misc-attack; sid:3006; rev:2;) -alert tcp $EXTERNAL_NET 8080 -> $HOME_NET any (msg:"EXPLOIT AIM goaway message buffer overflow attempt"; flow:established,from_server; content:"goaway?message="; nocase; isdataat:500,relative; pcre:"/goaway\?message=[^\s]{500}/smi"; reference:bugtraq,10889; reference:cve,2004-0636; classtype:misc-attack; sid:3085; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 6101 (msg:"EXPLOIT Veritas backup overflow attempt"; flow:established,to_server; content:"|02 00|"; depth:2; content:"|00|"; depth:1; offset:3; isdataat:60; content:!"|00|"; depth:66; offset:6; reference:bugtraq,11974; reference:cve,2004-1172; classtype:misc-attack; sid:3084; rev:3;) -alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"EXPLOIT MSN Messenger png overflow"; flow:to_client,established; content:"application/x-msnmsgrp2p"; nocase; content:"|89|PNG|0D 0A 1A 0A|"; distance:0; content:"IHDR"; within:4; distance:4; content:"|03|"; within:1; distance:9; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; reference:bugtraq,10872; reference:cve,2004-0957; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3130; rev:3;) -alert udp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS name query overflow attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:3200; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"EXPLOIT Arkeia backup client type 84 overflow attempt"; flow:established,to_server; content:"|00|T"; depth:2; byte_test:2,>,255,6; isdataat:263; content:!"|00|"; depth:255; offset:8; reference:bugtraq,12594; classtype:attempted-user; sid:3458; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 5001 (msg:"EXPLOIT Bontago Game Server Nickname Buffer Overflow"; flow:to_server,established; content:"|FF 01 00 00 
00 00 01|"; isdataat:512,relative; reference:bugtraq,12603; reference:url,aluigi.altervista.org/adv/bontagobof-adv.txt; classtype:attempted-user; sid:3455; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:3199; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"EXPLOIT Arkeia backup client type 77 overflow attempt"; flow:established,to_server; content:"|00|M"; depth:2; byte_test:2,>,23,6; isdataat:31; content:!"|00|"; depth:23; offset:8; reference:bugtraq,12594; classtype:attempted-user; sid:3457; rev:2;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP slot info msg client domain overflow"; flow:to_server,established; content:"|98|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; reference:bugtraq,12563; classtype:attempted-admin; sid:3475; rev:2;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9c client domain overflow"; content:"|9C|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3485; rev:3;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9c client name overflow"; flow:to_server,established; content:"|9C|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3479; rev:2;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve discovery service overflow"; dsize:>966; reference:bugtraq,12491; reference:can,2005-0260; classtype:attempted-admin; sid:3472; rev:2;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 
0x9c client name overflow"; content:"|9C|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3484; rev:2;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9b client domain overflow"; flow:to_server,established; content:"|9B|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; reference:bugtraq,12563; classtype:attempted-admin; sid:3476; rev:2;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP slot info msg client domain overflow"; content:"|98|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3481; rev:3;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9b client domain overflow"; content:"|9B|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3483; rev:3;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9b client name overflow"; flow:to_server,established; content:"|9B|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3477; rev:2;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP slot info msg client name overflow"; content:"|98|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3480; rev:2;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP slot info msg client name overflow"; flow:to_server,established; content:"|98|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3474; rev:2;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9b client 
name overflow"; content:"|9B|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3482; rev:2;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9c client domain overflow"; flow:to_server,established; content:"|9C|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; reference:bugtraq,12563; classtype:attempted-admin; sid:3478; rev:2;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP msg 0x99 client domain overflow"; content:"|99|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3531; rev:2;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP msg 0x99 client name overflow"; content:"|99|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3530; rev:2;) diff -Nru snort-2.8.5.2/rules/finger.rules snort-2.9.2/rules/finger.rules --- snort-2.8.5.2/rules/finger.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/finger.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,37 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: finger.rules,v 1.26.2.2.2.2 2005/05/31 17:13:02 mwatchinski Exp $ -#------------- -# FINGER RULES -#------------- -# - -alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cmd_rootsh backdoor attempt"; flow:to_server,established; content:"cmd_rootsh"; reference:nessus,10070; reference:url,www.sans.org/y2k/TFN_toolkit.htm; reference:url,www.sans.org/y2k/fingerd.htm; classtype:attempted-admin; sid:320; rev:10;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER account enumeration attempt"; flow:to_server,established; content:"a b c d e f"; nocase; reference:nessus,10788; classtype:attempted-recon; sid:321; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER search query"; flow:to_server,established; content:"search"; reference:arachnids,375; reference:cve,1999-0259; classtype:attempted-recon; sid:322; rev:10;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER root query"; flow:to_server,established; content:"root"; reference:arachnids,376; classtype:attempted-recon; sid:323; 
rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER null request"; flow:to_server,established; content:"|00|"; reference:arachnids,377; classtype:attempted-recon; sid:324; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER remote command execution attempt"; flow:to_server,established; content:"|3B|"; reference:arachnids,379; reference:bugtraq,974; reference:cve,1999-0150; classtype:attempted-user; sid:326; rev:9;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER remote command pipe execution attempt"; flow:to_server,established; content:"|7C|"; reference:arachnids,380; reference:bugtraq,2220; reference:cve,1999-0152; classtype:attempted-user; sid:327; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER bomb attempt"; flow:to_server,established; content:"@@"; reference:arachnids,381; reference:cve,1999-0106; classtype:attempted-dos; sid:328; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER redirection attempt"; flow:to_server,established; content:"@"; reference:arachnids,251; reference:cve,1999-0105; reference:nessus,10073; classtype:attempted-recon; sid:330; rev:9;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop query"; flow:to_server,established; content:"|0A| "; depth:10; reference:arachnids,132; reference:cve,1999-0612; classtype:attempted-recon; sid:331; rev:10;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER 0 query"; flow:to_server,established; content:"0"; reference:arachnids,131; reference:arachnids,378; reference:cve,1999-0197; reference:nessus,10069; classtype:attempted-recon; sid:332; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER . 
query"; flow:to_server,established; content:"."; reference:arachnids,130; reference:cve,1999-0198; reference:nessus,10072; classtype:attempted-recon; sid:333; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER version query"; flow:to_server,established; content:"version"; classtype:attempted-recon; sid:1541; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER / execution attempt"; flow:to_server,established; content:"/"; pcre:"/^\x2f/smi"; reference:cve,1999-0612; reference:cve,2000-0915; classtype:attempted-recon; sid:3151; rev:3;) diff -Nru snort-2.8.5.2/rules/ftp.rules snort-2.9.2/rules/ftp.rules --- snort-2.8.5.2/rules/ftp.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/ftp.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,112 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: ftp.rules,v 1.57.2.7.2.6 2005/07/22 19:19:54 mwatchinski Exp $ -#---------- -# FTP RULES -#---------- - - -# protocol verification -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM\s[^\n]{100}/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2546; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP XMKD overflow attempt"; flow:to_server,established; content:"XMKD"; nocase; isdataat:100,relative; pcre:"/^XMKD\s[^\n]{100}/smi"; reference:bugtraq,7909; reference:cve,2000-0133; reference:cve,2001-1021; classtype:attempted-admin; sid:2373; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP NLST overflow attempt"; flow:to_server,established; content:"NLST"; nocase; isdataat:100,relative; pcre:"/^NLST\s[^\n]{100}/smi"; reference:bugtraq,10184; reference:bugtraq,7909; reference:bugtraq,9675; 
reference:cve,1999-1544; classtype:attempted-admin; sid:2374; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ALLO overflow attempt"; flow:to_server,established; content:"ALLO"; nocase; isdataat:100,relative; pcre:"/^ALLO\s[^\n]{100}/smi"; reference:bugtraq,9953; classtype:attempted-admin; sid:2449; rev:1;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RNTO overflow attempt"; flow:to_server,established; content:"RNTO"; nocase; isdataat:100,relative; pcre:"/^RNTO\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2000-0133; reference:cve,2001-1021; reference:cve,2003-0466; classtype:attempted-admin; sid:2389; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STOU overflow attempt"; flow:to_server,established; content:"STOU"; nocase; isdataat:100,relative; pcre:"/^STOU\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2390; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP APPE overflow attempt"; flow:to_server,established; content:"APPE"; nocase; isdataat:100,relative; pcre:"/^APPE\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:bugtraq,8542; reference:cve,2000-0133; reference:cve,2003-0466; classtype:attempted-admin; sid:2391; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RETR overflow attempt"; flow:to_server,established; content:"RETR"; nocase; isdataat:100,relative; pcre:"/^RETR\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; reference:cve,2004-0287; reference:cve,2004-0298; classtype:attempted-admin; sid:2392; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STOR overflow attempt"; flow:to_server,established; content:"STOR"; nocase; isdataat:100,relative; pcre:"/^STOR\s[^\n]{100}/smi"; reference:bugtraq,8668; reference:cve,2000-0133; classtype:attempted-admin; sid:2343; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CEL overflow attempt"; flow:to_server,established; content:"CEL"; nocase; 
isdataat:100,relative; pcre:"/^CEL\s[^\n]{100}/smi"; reference:arachnids,257; reference:bugtraq,679; reference:cve,1999-0789; reference:nessus,10009; classtype:attempted-admin; sid:337; rev:12;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP XCWD overflow attempt"; flow:to_server,established; content:"XCWD"; nocase; isdataat:100,relative; pcre:"/^XCWD\s[^\n]{100}/smi"; reference:bugtraq,11542; reference:bugtraq,8704; classtype:attempted-admin; sid:2344; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD overflow attempt"; flow:to_server,established; content:"CWD"; nocase; isdataat:100,relative; pcre:"/^CWD\s[^\n]{100}/smi"; reference:bugtraq,11069; reference:bugtraq,1227; reference:bugtraq,1690; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7950; reference:cve,1999-0219; reference:cve,1999-1058; reference:cve,1999-1510; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0781; reference:cve,2002-0126; reference:cve,2002-0405; classtype:attempted-admin; sid:1919; rev:22;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CMD overflow attempt"; flow:to_server,established; content:"CMD"; nocase; isdataat:100,relative; pcre:"/^CMD\s[^\n]{100}/smi"; classtype:attempted-admin; sid:1621; rev:10;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:100,relative; pcre:"/^STAT\s[^\n]{100}/smi"; reference:bugtraq,3507; reference:bugtraq,8542; reference:cve,2001-0325; reference:cve,2001-1021; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:1379; rev:12;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CHMOD overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHMOD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHMOD\s[^\n]{100}/smi"; reference:bugtraq,10181; reference:bugtraq,9483; reference:bugtraq,9675; reference:cve,1999-0838; 
reference:nessus,12037; classtype:attempted-admin; sid:2340; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CHOWN overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHOWN"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHOWN\s[^\n]{100}/smi"; reference:bugtraq,2120; reference:cve,2001-0065; classtype:attempted-admin; sid:1562; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE NEWER overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+NEWER\s[^\n]{100}/smi"; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-admin; sid:1920; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CPWD overflow attempt"; flow:established,to_server; content:"SITE"; nocase; content:"CPWD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CPWD\s[^\n]{100}/smi"; reference:bugtraq,5427; reference:cve,2002-0826; classtype:misc-attack; sid:1888; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC format string attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/smi"; classtype:bad-unknown; sid:1971; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE overflow attempt"; flow:to_server,established; content:"SITE"; nocase; isdataat:100,relative; pcre:"/^SITE\s[^\n]{100}/smi"; reference:cve,1999-0838; reference:cve,2001-0755; reference:cve,2001-0770; classtype:attempted-admin; sid:1529; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow attempt"; flow:to_server,established,no_stream; content:"USER"; nocase; isdataat:100,relative; pcre:"/^USER\s[^\n]{100}/smi"; reference:bugtraq,10078; reference:bugtraq,1227; reference:bugtraq,1504; reference:bugtraq,1690; reference:bugtraq,4638; reference:bugtraq,7307; reference:bugtraq,8376; reference:cve,1999-1510; reference:cve,1999-1514; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-0479; reference:cve,2000-0656; reference:cve,2000-0761; reference:cve,2000-0943; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0256; reference:cve,2001-0794; reference:cve,2001-0826; reference:cve,2002-0126; reference:cve,2002-1522; reference:cve,2003-0271; reference:cve,2004-0286; classtype:attempted-admin; sid:1734; rev:30;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS overflow attempt"; flow:to_server,established,no_stream; content:"PASS"; nocase; isdataat:100,relative; pcre:"/^PASS\s[^\n]{100}/smi"; reference:bugtraq,10078; reference:bugtraq,10720; reference:bugtraq,1690; reference:bugtraq,3884; reference:bugtraq,8601; reference:bugtraq,9285; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-1035; reference:cve,2002-0126; reference:cve,2002-0895; classtype:attempted-admin; sid:1972; rev:16;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMDIR overflow attempt"; flow:to_server,established; content:"RMDIR"; nocase; isdataat:100,relative; pcre:"/^RMDIR\s[^\n]{100}/smi"; reference:bugtraq,819; classtype:attempted-admin; sid:1942; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MKD overflow attempt"; flow:to_server,established; content:"MKD"; nocase; isdataat:100,relative; pcre:"/^MKD\s[^\n]{100}/smi"; reference:bugtraq,612; reference:bugtraq,7278; reference:bugtraq,9872; reference:cve,1999-0911; reference:nessus,12108; classtype:attempted-admin; sid:1973; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP REST overflow attempt"; flow:to_server,established; content:"REST"; nocase; isdataat:100,relative; pcre:"/^REST\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; classtype:attempted-admin; sid:1974; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:100,relative; pcre:"/^DELE\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; reference:cve,2001-1021; classtype:attempted-admin; sid:1975; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMD overflow attempt"; flow:to_server,established; content:"RMD"; nocase; isdataat:100,relative; pcre:"/^RMD\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2000-0133; reference:cve,2001-0826; reference:cve,2001-1021; classtype:attempted-admin; sid:1976; rev:9;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP invalid MODE"; flow:to_server,established; content:"MODE"; nocase; pcre:"/^MODE\s+[^ABSC]{1}/msi"; classtype:protocol-command-decode; sid:1623; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP large PWD command"; flow:to_server,established; dsize:10; content:"PWD"; nocase; classtype:protocol-command-decode; sid:1624; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP large SYST command"; flow:to_server,established; dsize:10; content:"SYST"; nocase; classtype:protocol-command-decode; sid:1625; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD Root directory transversal attempt"; flow:to_server,established; content:"CWD"; nocase; content:"C|3A 5C|"; distance:1; reference:bugtraq,7674; reference:cve,2003-0392; reference:nessus,11677; classtype:protocol-command-decode; sid:2125; rev:8;)
-
-
-
-
-# bad ftp commands
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE ZIPCHK overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"ZIPCHK"; distance:1; nocase; isdataat:100,relative; pcre:"/^SITE\s+ZIPCHK\s[^\n]{100}/smi"; reference:cve,2000-0040; classtype:attempted-admin; sid:1921; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE NEWER attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:1; nocase; pcre:"/^SITE\s+NEWER/smi"; reference:cve,1999-0880; reference:nessus,10319; classtype:attempted-dos; sid:1864; rev:7;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC/smi"; reference:arachnids,317; reference:bugtraq,2241; reference:cve,1999-0080; reference:cve,1999-0955; classtype:bad-unknown; sid:361; rev:15;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT * dos attempt"; flow:to_server,established; content:"STAT"; nocase; pcre:"/^STAT\s+[^\n]*\x2a/smi"; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:attempted-dos; sid:1777; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT ? dos attempt"; flow:to_server,established; content:"STAT"; nocase; pcre:"/^STAT\s+[^\n]*\x3f/smi"; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:attempted-dos; sid:1778; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP tar parameters"; flow:to_server,established; content:" --use-compress-program "; nocase; reference:arachnids,134; reference:bugtraq,2240; reference:cve,1999-0202; reference:cve,1999-0997; classtype:bad-unknown; sid:362; rev:12;)
-
-# bad directories
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~root attempt"; flow:to_server,established; content:"CWD"; nocase; content:"~root"; distance:1; nocase; pcre:"/^CWD\s+~root/smi"; reference:arachnids,318; reference:cve,1999-0082; classtype:bad-unknown; sid:336; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?\.\.\./smi"; reference:bugtraq,9237; classtype:bad-unknown; sid:1229; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~ attempt"; flow:to_server,established; content:"CWD"; nocase; pcre:"/^CWD\s+~/smi"; reference:bugtraq,2601; reference:bugtraq,9215; reference:cve,2001-0421; classtype:denial-of-service; sid:1672; rev:11;)
-
-# vulnerabilities against specific implementations of ftp
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP serv-u directory transversal"; flow:to_server,established; content:".%20."; nocase; reference:bugtraq,2052; reference:cve,2001-0054; classtype:bad-unknown; sid:360; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp bad file completion attempt ["; flow:to_server,established; content:"~"; content:"["; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:1377; rev:15;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp bad file completion attempt {"; flow:to_server,established; content:"~"; content:"{"; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:1378; rev:15;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RNFR ././ attempt"; flow:to_server,established; content:"RNFR "; nocase; content:" ././"; nocase; classtype:misc-attack; sid:1622; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP command overflow attempt"; flow:to_server,established,no_stream; dsize:>100; reference:bugtraq,4638; reference:cve,2002-0606; classtype:protocol-command-decode; sid:1748; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST directory traversal attempt"; flow:to_server,established; content:"LIST"; nocase; content:".."; distance:1; content:".."; distance:1; reference:bugtraq,2618; reference:cve,2001-0680; reference:cve,2002-1054; reference:nessus,11112; classtype:protocol-command-decode; sid:1992; rev:8;)
-
-
-# BAD FILES
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .forward"; flow:to_server,established; content:".forward"; reference:arachnids,319; classtype:suspicious-filename-detect; sid:334; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .rhosts"; flow:to_server,established; content:".rhosts"; reference:arachnids,328; classtype:suspicious-filename-detect; sid:335; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP authorized_keys"; flow:to_server,established; content:"authorized_keys"; classtype:suspicious-filename-detect; sid:1927; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:356; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP shadow retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"shadow"; classtype:suspicious-filename-detect; sid:1928; rev:3;)
-
-# suspicious login attempts
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; distance:1; nocase; pcre:"/^USER\s+w0rm/smi"; reference:arachnids,01; classtype:suspicious-login; sid:144; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP adm scan"; flow:to_server,established; content:"PASS ddd@|0A|"; reference:arachnids,332; classtype:suspicious-login; sid:353; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP iss scan"; flow:to_server,established; content:"pass -iss@iss"; reference:arachnids,331; classtype:suspicious-login; sid:354; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP pass wh00t"; flow:to_server,established; content:"pass wh00t"; nocase; reference:arachnids,324; classtype:suspicious-login; sid:355; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP piss scan"; flow:to_server,established; content:"pass -cklaus"; classtype:suspicious-login; sid:357; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP saint scan"; flow:to_server,established; content:"pass -saint"; reference:arachnids,330; classtype:suspicious-login; sid:358; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP satan scan"; flow:to_server,established; content:"pass -satan"; reference:arachnids,329; classtype:suspicious-login; sid:359; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,7776; reference:bugtraq,9262; reference:bugtraq,9402; reference:bugtraq,9600; reference:bugtraq,9800; reference:cve,2004-0277; reference:nessus,10041; reference:nessus,11687; classtype:misc-attack; sid:2178; rev:16;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,9800; reference:cve,2000-0699; classtype:misc-attack; sid:2179; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MKDIR format string attempt"; flow:to_server,established; content:"MKDIR"; nocase; pcre:"/^MKDIR\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9262; classtype:misc-attack; sid:2332; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RENAME format string attempt"; flow:to_server,established; content:"RENAME"; nocase; pcre:"/^RENAME\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9262; classtype:misc-attack; sid:2333; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST buffer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; pcre:"/^LIST\s[^\n]{100,}/smi"; reference:bugtraq,10181; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7861; reference:bugtraq,8486; reference:bugtraq,9675; reference:cve,1999-0349; reference:cve,1999-1510; reference:cve,2000-0129; reference:url,www.microsoft.com/technet/security/bulletin/MS99-003.mspx; classtype:misc-attack; sid:2338; rev:13;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST integer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; pcre:"/^LIST\s+\x22-W\s+\d+/smi"; reference:bugtraq,8875; reference:cve,2003-0853; reference:cve,2003-0854; classtype:misc-attack; sid:2272; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"FTP Yak! FTP server default account login attempt"; flow:to_server,established; content:"USER"; nocase; content:"y049575046"; nocase; pcre:"/^USER\s+y049575046/smi"; reference:bugtraq,9072; classtype:suspicious-login; sid:2334; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"FTP RMD / attempt"; flow:to_server,established; content:"RMD"; nocase; pcre:"/^RMD\s+\x2f$/smi"; reference:bugtraq,9159; classtype:attempted-dos; sid:2335; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP invalid MDTM command attempt"; flow:to_server,established; content:"MDTM"; nocase; pcre:"/^MDTM \d+[-+]\D/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; classtype:attempted-admin; sid:2416; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP format string attempt"; flow:to_server,established; content:"%"; pcre:"/\s+.*?%.*?%/smi"; classtype:string-detect; sid:2417; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RETR format string attempt"; flow:to_server,established; content:"RETR"; nocase; pcre:"/^RETR\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9800; classtype:attempted-admin; sid:2574; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RNFR overflow attempt"; flow:to_server,established; content:"RNFR"; nocase; isdataat:100,relative; pcre:"/^RNFR\s[^\n]{100}/smi"; classtype:attempted-admin; sid:3077; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP REST with numeric argument"; flow:to_server,established; content:"REST"; nocase; pcre:"/REST\s+[0-9]+\n/i"; reference:bugtraq,7825; classtype:attempted-recon; sid:3460; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PORT bounce attempt"; flow:to_server,established; content:"PORT"; nocase; ftpbounce; pcre:"/^PORT/smi"; classtype:misc-attack; sid:3441; rev:1;)
diff -Nru snort-2.8.5.2/rules/generators snort-2.9.2/rules/generators
--- snort-2.8.5.2/rules/generators 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/generators 1970-01-01 00:00:00.000000000 +0000
@@ -1,39 +0,0 @@
-# Master Registry of Snort Generator Ids
-#
-#
-# This file is used to maintain unique generator ids for files even if
-# the default snort configuration doesn't include some patch that is
-# required for a specific preprocessor to work
-#
-#
-#
-# Maintainer: Chris Green <cmg@sourcefire.com>
-#
-# Contact cmg@sourcefire.com for an assignment
-
-rules_subsystem 1 # Snort Rules Engine
-tag_subsystem 2 # Tagging Subsystem
-portscan 100 # Portscan1
-minfrag 101 # Minfrag [ removed ]
-http_decode 102 # HTTP decode 1/2
-defrag 103 # First defragmenter [ removed ]
-spade 104 # SPADE [ not included anymore ]
-bo 105 # Back Orifice
-rpc_decode 106 # RPC Preprocessor
-stream2 107 # 2nd stream preprocessor [removed]
-stream3 108 # 3rd stream preprocessor (AVL nightmare) [ removed ]
-telnet_neg 109 # telnet option decoder
-unidecode 110 # unicode decoder
-stream4 111 # Stream4 preprocessor
-arpspoof 112 # Arp Spoof detector
-frag2 113 # 2nd fragment preprocessor
-fnord 114 # NOP detector [ removed ]
-asn1 115 # ASN.1 Validator [ removed ]
-decode 116 # Snort Internal Decoder
-scan2 117 # portscan2
-conversation 118 # conversation
-reserved 119 # TBA
-reserved 120 # TBA
-snmp 121 # Andrew Baker's newer SNMP decoder
-sfportscan 122 # Dan Roelkers portscan
-frag3 123 # Marty Roesch's ip frag reassembler
diff -Nru snort-2.8.5.2/rules/gen-msg.map snort-2.9.2/rules/gen-msg.map
--- snort-2.8.5.2/rules/gen-msg.map 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/gen-msg.map 1970-01-01 00:00:00.000000000 +0000
@@ -1,175 +0,0 @@
-# $Id: gen-msg.map,v 1.16.2.2.2.2 2005/04/22 22:11:53 jhewlett Exp $
-# GENERATORS -> msg map
-# Format: generatorid || alertid || MSG
-
-1 || 1 || snort general alert
-2 || 1 || tag: Tagged Packet
-100 || 1 || spp_portscan: Portscan Detected
-100 || 2 || spp_portscan: Portscan Status
-100 || 3 || spp_portscan: Portscan Ended
-101 || 1 || spp_minfrag: minfrag alert
-102 || 1 || http_decode: Unicode Attack
-102 || 2 || http_decode: CGI NULL Byte Attack
-102 || 3 || http_decode: large method attempted
-102 || 4 || http_decode: missing uri
-102 || 5 || http_decode: double encoding detected
-102 || 6 || http_decode: illegal hex values detected
-102 || 7 || http_decode: overlong character detected
-103 || 1 || spp_defrag: Fragmentation Overflow Detected
-103 || 2 || spp_defrag: Stale Fragments Discarded
-104 || 1 || spp_anomsensor: SPADE Anomaly Threshold Exceeded
-104 || 2 || spp_anomsensor: SPADE Anomaly Threshold Adjusted
-105 || 1 || spp_bo: Back Orifice Traffic Detected
-105 || 2 || spp_bo: Back Orifice Client Traffic Detected
-105 || 3 || spp_bo: Back Orifice Server Traffic Detected
-106 || 1 || spp_rpc_decode: Fragmented RPC Records
-106 || 2 || spp_rpc_decode: Multiple Records in one packet
-106 || 3 || spp_rpc_decode: Large RPC Record Fragment
-106 || 4 || spp_rpc_decode: Incomplete RPC segment
-110 || 1 || spp_unidecode: CGI NULL Attack
-110 || 2 || spp_unidecode: Directory Traversal
-110 || 3 || spp_unidecode: Unknown Mapping
-110 || 4 || spp_unidecode: Invalid Mapping
-111 || 1 || spp_stream4: Stealth Activity Detected
-111 || 2 || spp_stream4: Evasive Reset Packet
-111 || 3 || spp_stream4: Retransmission
-111 || 4 || spp_stream4: Window Violation
-111 || 5 || spp_stream4: Data on SYN Packet
-111 || 6 || spp_stream4: Full XMAS Stealth Scan
-111 || 7 || spp_stream4: SAPU Stealth Scan
-111 || 8 || spp_stream4: FIN Stealth Scan
-111 || 9 || spp_stream4: NULL Stealth Scan
-111 || 10 || spp_stream4: NMAP XMAS Stealth Scan
-111 || 11 || spp_stream4: VECNA Stealth Scan
-111 || 12 || spp_stream4: NMAP Fingerprint Stateful Detection
-111 || 13 || spp_stream4: SYN FIN Stealth Scan
-111 || 14 || spp_stream4: TCP forward overlap detected
-111 || 15 || spp_stream4: TTL Evasion attempt
-111 || 16 || spp_stream4: Evasive retransmitited data attempt
-111 || 17 || spp_stream4: Evasive retransmitited data with the data split attempt
-111 || 18 || spp_stream4: Multiple acked
-111 || 19 || spp_stream4: Shifting to Emegency Session Mode
-111 || 20 || spp_stream4: Shifting to Suspend Mode
-111 || 21 || spp_stream4: TCP Timestamp option has value of zero
-111 || 22 || spp_stream4: Too many overlapping TCP packets
-111 || 23 || spp_stream4: Packet in established TCP stream missing ACK
-112 || 1 || spp_arpspoof: Directed ARP Request
-112 || 2 || spp_arpspoof: Etherframe ARP Mismatch SRC
-112 || 3 || spp_arpspoof: Etherframe ARP Mismatch DST
-112 || 4 || spp_arpspoof: ARP Cache Overwrite Attack
-113 || 1 || spp_frag2: Oversized Frag
-113 || 2 || spp_frag2: Teardrop/Fragmentation Overlap Attack
-113 || 3 || spp_frag2: TTL evasion detected
-113 || 4 || spp_frag2: overlap detected
-113 || 5 || spp_frag2: Duplicate first fragments
-113 || 6 || spp_frag2: memcap exceeded
-113 || 7 || spp_frag2: Out of order fragments
-113 || 8 || spp_frag2: IP Options on Fragmented Packet
-113 || 9 || spp_frag2: Shifting to Emegency Session Mode
-113 || 10 || spp_frag2: Shifting to Suspend Mode
-114 || 1 || spp_fnord: Possible Mutated GENERIC NOP Sled detected
-114 || 2 || spp_fnord: Possible Mutated IA32 NOP Sled detected
-114 || 3 || spp_fnord: Possible Mutated HPPA NOP Sled detected
-114 || 4 || spp_fnord: Possible Mutated SPARC NOP Sled detected
-115 || 1 || spp_asn1: Indefinite ASN.1 length encoding
-115 || 2 || spp_asn1: Invalid ASN.1 length encoding
-115 || 3 || spp_asn1: ASN.1 oversized item, possible overflow
-115 || 4 || spp_asn1: ASN.1 spec violation, possible overflow
-115 || 5 || spp_asn1: ASN.1 Attack: Datum length > packet length
-116 || 1 || snort_decoder: Not IPv4 datagram!
-116 || 2 || snort_decoder: WARNING: Not IPv4 datagram!
-116 || 3 || snort_decoder: WARNING: hlen < IP_HEADER_LEN!
-116 || 4 || snort_decoder: Bad IPv4 Options
-116 || 5 || snort_decoder: Truncated IPv4 Options
-116 || 45 || snort_decoder: TCP packet len is smaller than 20 bytes!
-116 || 46 || snort_decoder: TCP Data Offset is less than 5!
-116 || 47 || snort_decoder: TCP Data Offset is longer than payload!
-116 || 54 || snort_decoder: Tcp Options found with bad lengths
-116 || 55 || snort_decoder: Truncated Tcp Options
-116 || 56 || snort_decoder: T/TCP Detected
-116 || 57 || snort_decoder: Obsolete TCP options
-116 || 58 || snort_decoder: Experimental TCP options
-116 || 95 || snort_decoder: Truncated UDP Header!
-116 || 96 || snort_decoder: Invalid UDP header, length field < 8
-116 || 97 || snort_decoder: Short UDP packet, length field > payload length
-116 || 105 || snort_decoder: ICMP Header Truncated!
-116 || 106 || snort_decoder: ICMP Timestamp Header Truncated!
-116 || 107 || snort_decoder: ICMP Address Header Truncated!
-116 || 108 || snort_decoder: Unknown Datagram decoding problem!
-116 || 109 || snort_decoder: Truncated ARP Packet!
-116 || 110 || snort_decoder: Truncated EAP Header!
-116 || 111 || snort_decoder: EAP Key Truncated!
-116 || 112 || snort_decoder: EAP Header Truncated!
-116 || 120 || snort_decoder: WARNING: Bad PPPOE frame detected!
-116 || 130 || snort_decoder: WARNING: Bad VLAN Frame!
-116 || 131 || snort_decoder: WARNING: Bad LLC header!
-116 || 132 || snort_decoder: WARNING: Bad Extra LLC Info!
-116 || 133 || snort_decoder: WARNING: Bad 802.11 LLC header!
-116 || 134 || snort_decoder: WARNING: Bad 802.11 Extra LLC Info!
-116 || 140 || snort_decoder: WARNING: Bad Token Ring Header!
-116 || 141 || snort_decoder: WARNING: Bad Token Ring ETHLLC Header!
-116 || 142 || snort_decoder: WARNING: Bad Token Ring MRLEN Header!
-116 || 143 || snort_decoder: WARNING: Bad Token Ring MR Header!
-116 || 150 || snort_decoder: Bad Traffic Loopback IP!
-116 || 151 || snort_decoder: Bad Traffic Same Src/Dst IP!
-117 || 1 || spp_portscan2: Portscan detected!
-118 || 1 || spp_conversation: Bad IP protocol!
-119 || 1 || http_inspect: ASCII ENCODING
-119 || 2 || http_inspect: DOUBLE DECODING ATTACK
-119 || 3 || http_inspect: U ENCODING
-119 || 4 || http_inspect: BARE BYTE UNICODE ENCODING
-119 || 5 || http_inspect: BASE36 ENCODING
-119 || 6 || http_inspect: UTF-8 ENCODING
-119 || 7 || http_inspect: IIS UNICODE CODEPOINT ENCODING
-119 || 8 || http_inspect: MULTI_SLASH ENCODING
-119 || 9 || http_inspect: IIS BACKSLASH EVASION
-119 || 10 || http_inspect: SELF DIRECTORY TRAVERSAL
-119 || 11 || http_inspect: DIRECTORY TRAVERSAL
-119 || 12 || http_inspect: APACHE WHITESPACE (TAB)
-119 || 13 || http_inspect: NON-RFC HTTP DELIMITER
-119 || 14 || http_inspect: NON-RFC DEFINED CHAR
-119 || 15 || http_inspect: OVERSIZE REQUEST-URI DIRECTORY
-119 || 16 || http_inspect: OVERSIZE CHUNK ENCODING
-119 || 17 || http_inspect: UNAUTHORIZED PROXY USE DETECTED
-119 || 18 || http_inspect: WEBROOT DIRECTORY TRAVERSAL
-120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT
-121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded
-121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded
-121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded
-121 || 4 || flow-portscan: Sliding Scale Talker Limit Exceeded
-122 || 1 || portscan: TCP Portscan
-122 || 2 || portscan: TCP Decoy Portscan
-122 || 3 || portscan: TCP Portsweep
-122 || 4 || portscan: TCP Distributed Portscan
-122 || 5 || portscan: TCP Filtered Portscan
-122 || 6 || portscan: TCP Filtered Decoy Portscan
-122 || 7 || portscan: TCP Filtered Portsweep
-122 || 8 || portscan: TCP Filtered Distributed Portscan
-122 || 9 || portscan: IP Protocol Scan
-122 || 10 || portscan: IP Decoy Protocol Scan
-122 || 11 || portscan: IP Protocol Sweep
-122 || 12 || portscan: IP Distributed Protocol Scan
-122 || 13 || portscan: IP Filtered Protocol Scan
-122 || 14 || portscan: IP Filtered Decoy Protocol Scan
-122 || 15 || portscan: IP Filtered Protocol Sweep
-122 || 16 || portscan: IP Filtered Distributed Protocol Scan
-122 || 17 || portscan: UDP Portscan
-122 || 18 || portscan: UDP Decoy Portscan
-122 || 19 || portscan: UDP Portsweep
-122 || 20 || portscan: UDP Distributed Portscan
-122 || 21 || portscan: UDP Filtered Portscan
-122 || 22 || portscan: UDP Filtered Decoy Portscan
-122 || 23 || portscan: UDP Filtered Portsweep
-122 || 24 || portscan: UDP Filtered Distributed Portscan
-122 || 25 || portscan: ICMP Sweep
-122 || 26 || portscan: ICMP Filtered Sweep
-122 || 27 || portscan: Open Port
-123 || 1 || frag3: IP Options on fragmented packet
-123 || 2 || frag3: Teardrop attack
-123 || 3 || frag3: Short fragment, possible DoS attempt
-123 || 4 || frag3: Fragment packet ends after defragmented packet
-123 || 5 || frag3: Zero-byte fragment
-123 || 6 || frag3: Bad fragment size, packet size is negative
-123 || 7 || frag3: Bad fragment size, packet size is greater than 65536
-123 || 8 || frag3: Fragmentation overlap
-124 || 1 || xlink2state: X-Link2State length greater than 1024
diff -Nru snort-2.8.5.2/rules/icmp-info.rules snort-2.9.2/rules/icmp-info.rules
--- snort-2.8.5.2/rules/icmp-info.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/icmp-info.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,122 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: icmp-info.rules,v 1.23.2.1.2.1 2005/05/16 22:17:51 mwatchinski Exp $
-#--------------
-# ICMP-INFO
-#--------------
-#
-# Description:
-# These rules are standard ICMP traffic. They include OS pings, as well
-# as normal routing done by ICMP. There are a number of "catch all" rules
-# that will alert on unknown ICMP types.
-#
-# Potentially "BAD" ICMP rules are included in icmp.rules
-
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IRDP router advertisement"; itype:9; reference:arachnids,173; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:363; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IRDP router selection"; itype:10; reference:arachnids,174; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:364; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING *NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; classtype:misc-activity; sid:366; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING BSDtype"; itype:8; content:"|08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17|"; depth:32; reference:arachnids,152; classtype:misc-activity; sid:368; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING BayRS Router"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F|"; depth:32; reference:arachnids,438; reference:arachnids,444; classtype:misc-activity; sid:369; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING BeOS4.x"; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 08 09 0A 0B|"; depth:32; reference:arachnids,151; classtype:misc-activity; sid:370; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Cisco Type.x"; itype:8; content:"|AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD|"; depth:32; reference:arachnids,153; classtype:misc-activity; sid:371; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Delphi-Piette Windows"; itype:8; content:"Pinging from Del"; depth:32; reference:arachnids,155; classtype:misc-activity; sid:372; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Flowpoint2200 or Network Management Software"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10|"; depth:32; reference:arachnids,156; classtype:misc-activity; sid:373; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING IP NetMonitor Macintosh"; itype:8; content:"|A9| Sustainable So"; depth:32; reference:arachnids,157; classtype:misc-activity; sid:374; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING LINUX/*BSD"; dsize:8; id:13170; itype:8; reference:arachnids,447; classtype:misc-activity; sid:375; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Microsoft Windows"; itype:8; content:"0123456789abcdefghijklmnop"; depth:32; reference:arachnids,159; classtype:misc-activity; sid:376; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Network Toolbox 3 Windows"; itype:8; content:"================"; depth:32; reference:arachnids,161; classtype:misc-activity; sid:377; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Ping-O-MeterWindows"; itype:8; content:"OMeterObeseArmad"; depth:32; reference:arachnids,164; classtype:misc-activity; sid:378; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Pinger Windows"; itype:8; content:"Data|00 00 00 00 00 00 00 00 00 00 00 00|"; depth:32; reference:arachnids,163; classtype:misc-activity; sid:379; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Seer Windows"; itype:8; content:"|88 04| "; depth:32; reference:arachnids,166; classtype:misc-activity; sid:380; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sun Solaris"; dsize:8; itype:8; reference:arachnids,448; classtype:misc-activity; sid:381; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; reference:arachnids,169; classtype:misc-activity; sid:382; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute"; itype:8; ttl:1; reference:arachnids,118; classtype:attempted-recon; sid:385; rev:4;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; icode:0; itype:8; classtype:misc-activity; sid:384; rev:5;)
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Address Mask Reply"; icode:0; itype:18; classtype:misc-activity; sid:386; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Reply undefined code"; icode:>0; itype:18; classtype:misc-activity; sid:387; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Request"; icode:0; itype:17; classtype:misc-activity; sid:388; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Request undefined code"; icode:>0; itype:17; classtype:misc-activity; sid:389; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Alternate Host Address"; icode:0; itype:6; classtype:misc-activity; sid:390; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Alternate Host Address undefined code"; icode:>0; itype:6; classtype:misc-activity; sid:391; rev:8;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Datagram Conversion Error"; icode:0; itype:31; classtype:misc-activity; sid:392; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Datagram Conversion Error undefined code"; icode:>0; itype:31; classtype:misc-activity; sid:393; rev:8;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Destination Host Unknown"; icode:7; itype:3; classtype:misc-activity; sid:394; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Destination Network Unknown"; icode:6; itype:3; classtype:misc-activity; sid:395; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Fragmentation Needed and DF bit was set"; icode:4; itype:3; classtype:misc-activity; sid:396; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Host Precedence Violation"; icode:14; itype:3; classtype:misc-activity; sid:397; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Host Unreachable for Type of Service"; icode:12; itype:3; classtype:misc-activity; sid:398; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Host Unreachable"; icode:1; itype:3; classtype:misc-activity; sid:399; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Network Unreachable for Type of Service"; icode:11; itype:3; classtype:misc-activity; sid:400; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Network Unreachable"; icode:0; itype:3; classtype:misc-activity; sid:401; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Port Unreachable"; icode:3; itype:3; classtype:misc-activity; sid:402; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Precedence Cutoff in effect"; icode:15; itype:3; classtype:misc-activity; sid:403; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; classtype:misc-activity; sid:404; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Source Host Isolated"; icode:8; itype:3; classtype:misc-activity; sid:405; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Source Route Failed"; icode:5; itype:3; classtype:misc-activity; sid:406; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable cndefined code"; icode:>15; itype:3; classtype:misc-activity; sid:407; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; icode:0; itype:0; classtype:misc-activity; sid:408; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply undefined code"; icode:>0; itype:0; classtype:misc-activity; sid:409; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Fragment Reassembly Time Exceeded"; icode:1; itype:11; classtype:misc-activity; sid:410; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 I-Am-Here"; icode:0; itype:34; classtype:misc-activity; sid:411; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 I-Am-Here undefined code"; icode:>0; itype:34; classtype:misc-activity; sid:412; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 Where-Are-You"; icode:0; itype:33; classtype:misc-activity; sid:413; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 Where-Are-You undefined code"; icode:>0; itype:33; classtype:misc-activity; sid:414; rev:7;)
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Information Reply"; icode:0; itype:16; classtype:misc-activity; sid:415; rev:5;)
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Information Reply undefined code"; icode:>0; itype:16; classtype:misc-activity; sid:416; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Information Request"; icode:0; itype:15; classtype:misc-activity; sid:417; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Information Request undefined code"; icode:>0; itype:15; classtype:misc-activity; sid:418; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Host Redirect"; icode:0; itype:32; classtype:misc-activity; sid:419; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Host Redirect undefined code"; icode:>0; itype:32; classtype:misc-activity; sid:420; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Reply"; icode:0; itype:36; classtype:misc-activity; sid:421; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Reply undefined code"; icode:>0; itype:36; classtype:misc-activity; sid:422; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Request"; icode:0; itype:35; classtype:misc-activity; sid:423; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Request undefined code"; icode:>0; itype:35; classtype:misc-activity; sid:424; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem Bad Length"; icode:2; itype:12; classtype:misc-activity; sid:425; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem Missing a Required Option"; icode:1; itype:12; classtype:misc-activity; sid:426; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem Unspecified Error"; icode:0; itype:12; classtype:misc-activity; sid:427; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem undefined Code"; icode:>2; itype:12; classtype:misc-activity; sid:428; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Reserved"; icode:0; itype:40; classtype:misc-activity; sid:429; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Unknown Security Parameters Index"; icode:1; itype:40; classtype:misc-activity; sid:430; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Valid Security Parameters, But Authentication Failed"; icode:2; itype:40; classtype:misc-activity; sid:431; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Valid Security Parameters, But Decryption Failed"; icode:3; itype:40; classtype:misc-activity; sid:432; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris undefined code!"; icode:>3; itype:40; classtype:misc-activity; sid:433; rev:8;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Redirect for TOS and Host"; icode:3; itype:5; classtype:misc-activity; sid:436; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Redirect for TOS and Network"; icode:2; itype:5; classtype:misc-activity; sid:437; rev:6;)
-alert icmp $EXTERNAL_NET any -> 
$HOME_NET any (msg:"ICMP Redirect undefined code"; icode:>3; itype:5; classtype:misc-activity; sid:438; rev:9;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Reserved for Security Type 19"; icode:0; itype:19; classtype:misc-activity; sid:439; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Reserved for Security Type 19 undefined code"; icode:>0; itype:19; classtype:misc-activity; sid:440; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Router Advertisement"; icode:0; itype:9; reference:arachnids,173; classtype:misc-activity; sid:441; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Router Selection"; icode:0; itype:10; reference:arachnids,174; classtype:misc-activity; sid:443; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP SKIP"; icode:0; itype:39; classtype:misc-activity; sid:445; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP SKIP undefined code"; icode:>0; itype:39; classtype:misc-activity; sid:446; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench undefined code"; icode:>0; itype:4; classtype:misc-activity; sid:448; rev:7;)
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Time-To-Live Exceeded in Transit"; icode:0; itype:11; classtype:misc-activity; sid:449; rev:6;)
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Time-To-Live Exceeded in Transit undefined code"; icode:>1; itype:11; classtype:misc-activity; sid:450; rev:8;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Reply"; icode:0; itype:14; classtype:misc-activity; sid:451; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Reply undefined code"; icode:>0; itype:14; classtype:misc-activity; sid:452; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Request"; icode:0; itype:13; classtype:misc-activity; sid:453; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp 
Request undefined code"; icode:>0; itype:13; classtype:misc-activity; sid:454; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute"; icode:0; itype:30; classtype:misc-activity; sid:456; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute undefined code"; icode:>0; itype:30; classtype:misc-activity; sid:457; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 1"; icode:0; itype:1; classtype:misc-activity; sid:458; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 1 undefined code"; itype:1; classtype:misc-activity; sid:459; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 2"; icode:0; itype:2; classtype:misc-activity; sid:460; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 2 undefined code"; itype:2; classtype:misc-activity; sid:461; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 7"; icode:0; itype:7; classtype:misc-activity; sid:462; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 7 undefined code"; itype:7; classtype:misc-activity; sid:463; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING undefined code"; icode:>0; itype:8; classtype:misc-activity; sid:365; rev:8;)
diff -Nru snort-2.8.5.2/rules/icmp.rules snort-2.9.2/rules/icmp.rules
--- snort-2.8.5.2/rules/icmp.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/icmp.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,50 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: icmp.rules,v 1.25.2.1.2.2 2005/05/16 22:17:51 mwatchinski Exp $ -#----------- -# ICMP RULES -#----------- -# -# Description: -# These rules are potentially bad ICMP traffic. 
They include most of the -# ICMP scanning tools and other "BAD" ICMP traffic (Such as redirect host) -# -# Other ICMP rules are included in icmp-info.rules - -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:465; rev:3;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:4;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:arachnids,449; classtype:attempted-recon; sid:467; rev:3;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:3;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP icmpenum v1.1.1"; dsize:0; icmp_id:666 ; icmp_seq:0; id:666; itype:8; reference:arachnids,450; classtype:attempted-recon; sid:471; rev:3;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:4;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:4;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP superscan echo"; dsize:8; itype:8; content:"|00 00 00 00 00 00 00 00|"; classtype:attempted-recon; sid:474; rev:4;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:attempted-recon; sid:475; rev:3;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP webtrends scanner"; icode:0; itype:8; content:"|00 00 00 
00|EEEEEEEEEEEE"; reference:arachnids,307; classtype:attempted-recon; sid:476; rev:4;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench"; icode:0; itype:4; classtype:bad-unknown; sid:477; rev:2;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Broadscan Smurf Scanner"; dsize:4; icmp_id:0; icmp_seq:0; itype:8; classtype:attempted-recon; sid:478; rev:3;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING speedera"; itype:8; content:"89|3A 3B|<=>?"; depth:100; classtype:misc-activity; sid:480; rev:5;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP TJPingPro1.1Build 2 Windows"; itype:8; content:"TJPingPro by Jim"; depth:32; reference:arachnids,167; classtype:misc-activity; sid:481; rev:5;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING WhatsupGold Windows"; itype:8; content:"WhatsUp - A Netw"; depth:32; reference:arachnids,168; classtype:misc-activity; sid:482; rev:5;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; depth:32; reference:arachnids,154; classtype:misc-activity; sid:483; rev:5;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sniffer Pro/NetXRay network scan"; itype:8; content:"Cinco Network, Inc."; depth:32; classtype:misc-activity; sid:484; rev:4;) -alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;) -alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited"; icode:10; itype:3; classtype:misc-activity; sid:486; rev:4;) -alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited"; icode:9; itype:3; classtype:misc-activity; sid:487; rev:4;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP 
digital island bandwidth query"; content:"mailto|3A|ops@digisle.com"; depth:22; classtype:misc-activity; sid:1813; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)
diff -Nru snort-2.8.5.2/rules/imap.rules snort-2.9.2/rules/imap.rules
--- snort-2.8.5.2/rules/imap.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/imap.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: imap.rules,v 1.24.2.7.2.5 2005/06/15 23:02:33 mwatchinski Exp $ -#-------------- -# IMAP RULES -#-------------- - -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login literal buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,6298; classtype:misc-attack; sid:1993; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/smi"; reference:bugtraq,13727; reference:bugtraq,502; reference:cve,1999-0005; reference:cve,1999-1557; reference:cve,2005-1255; reference:nessus,10123; reference:nessus,10125; classtype:attempted-user; sid:1842; rev:14;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate literal overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[^\n]*?\{/smi"; 
byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:2105; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/smi"; reference:bugtraq,12995; reference:bugtraq,130; reference:cve,1999-0005; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:1844; rev:11;) - -# auth is an imap2 function and only accepts literal usage -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP auth literal overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; pcre:"/({(?=\d+}[^\n]*?\sAUTH)|AUTH\s[^\n]*?{(?=\d+}))/smi"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0005; classtype:misc-attack; sid:1930; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP auth overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; pcre:"/AUTH\s[^\n]{100}/smi"; reference:bugtraq,8861; classtype:misc-attack; sid:2330; rev:1;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub literal overflow attempt"; flow:to_server,established; content:"LSUB"; nocase; pcre:"/\sLSUB\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1902; rev:9;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub overflow attempt"; flow:to_server,established; content:"LSUB"; isdataat:100,relative; pcre:"/\sLSUB\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2106; rev:7;) - -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list literal overflow attempt"; flow:established,to_server; content:"LIST"; nocase; pcre:"/\sLIST\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; 
reference:nessus,10374; classtype:misc-attack; sid:1845; rev:15;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list overflow attempt"; flow:established,to_server; content:"LIST"; nocase; isdataat:100,relative; pcre:"/\sLIST\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2118; rev:6;) - -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP rename literal overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; pcre:"/\sRENAME\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2119; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP rename overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; isdataat:100,relative; pcre:"/\sRENAME\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1903; rev:8;) - -# FIND does not accept a literal command -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP find overflow attempt"; flow:established,to_server; content:"FIND"; nocase; isdataat:100,relative; pcre:"/\sFIND\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1904; rev:7;) - -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:1755; rev:14;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body.peek buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY.PEEK["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; 
sid:2046; rev:6;) - -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP create buffer overflow attempt"; flow:to_server,established; content:"CREATE"; isdataat:1024,relative; pcre:"/\sCREATE\s[^\n]{1024}/smi"; reference:bugtraq,7446; classtype:misc-attack; sid:2107; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP create literal buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; pcre:"/\sCREATE\s*\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,7446; classtype:misc-attack; sid:2120; rev:3;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login brute force attempt"; flow:to_server,established; content:"LOGIN"; nocase; threshold:type threshold, track by_dst, count 30, seconds 30; classtype:suspicious-login; sid:2273; rev:2;) - -alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2497; rev:9;) - -alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2517; rev:13;) - -alert tcp 
$EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2529; rev:6;) -alert tcp $HOME_NET 993 -> $EXTERNAL_NET any (msg:"IMAP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2530; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2531; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login literal format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s\w+\s\{\d+\}[\r]?\n[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2665; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2664; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP delete overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; isdataat:100,relative; pcre:"/\sDELETE\s[^\n]{100}/smi"; reference:bugtraq,11675; classtype:misc-attack; sid:3007; rev:1;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP delete literal overflow 
attempt"; flow:established,to_server; content:"DELETE"; nocase; pcre:"/\sDELETE\s[^\n]*?\{/smi"; byte_test:5,>,100,0,string,dec,relative; reference:bugtraq,11675; classtype:misc-attack; sid:3008; rev:1;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP subscribe overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3074; rev:1;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP unsubscribe overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sUNSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3076; rev:1;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP unsubscribe literal overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; pcre:"/\sUNSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3075; rev:1;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP append overflow attempt"; flow:established,to_server; content:"APPEND"; nocase; isdataat:100,relative; pcre:"/\sAPPEND\s[^\n]{256}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3066; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP copy literal overflow attempt"; flow:established,to_server; content:"COPY"; nocase; pcre:"/\sCOPY\s[^\n]*?\{/smi"; byte_test:5,>,1024,0,string,dec,relative; reference:bugtraq,1110; classtype:misc-attack; sid:3058; rev:1;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP append literal overflow attempt"; flow:established,to_server; content:"APPEND"; nocase; pcre:"/\sAPPEND\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3065; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP status overflow attempt"; flow:established,to_server; 
content:"STATUS"; nocase; isdataat:100,relative; pcre:"/\sSTATUS\s[^\n]{100}/smi"; reference:bugtraq,11775; reference:bugtraq,13727; reference:cve,2005-1256; classtype:misc-attack; sid:3072; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP fetch overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; isdataat:256,relative; pcre:"/\sFETCH\s[^\n]{256}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3070; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP examine literal overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; pcre:"/\sEXAMINE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3067; rev:1;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP fetch literal overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; pcre:"/\sFETCH\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3069; rev:1;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP subscribe literal overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; pcre:"/\sSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3073; rev:1;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP status literal overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; pcre:"/\sSTATUS\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3071; rev:1;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP examine overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; isdataat:100,relative; pcre:"/\sEXAMINE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3068; rev:1;) diff -Nru snort-2.8.5.2/rules/info.rules snort-2.9.2/rules/info.rules --- snort-2.8.5.2/rules/info.rules 2012-02-14 
11:37:23.000000000 +0000
+++ snort-2.9.2/rules/info.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,32 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: info.rules,v 1.27.2.3.2.2 2005/05/31 17:13:02 mwatchinski Exp $ -#----------- -# INFO RULES -#----------- - -alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"INFO TELNET login incorrect"; flow:from_server,established; content:"Login incorrect"; reference:arachnids,127; classtype:bad-unknown; sid:718; rev:9;) -alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"INFO TELNET access"; flow:from_server,established; content:"|FF FD|"; rawbytes; content:"|FF FD|"; distance:0; rawbytes; content:"|FF FD|"; distance:0; rawbytes; reference:arachnids,08; reference:cve,1999-0619; reference:nessus,10280; classtype:not-suspicious; sid:716; rev:13;) -alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INFO Connection Closed MSG from Port 80"; flow:from_server,established; content:"Connection closed by foreign host"; nocase; classtype:unknown; sid:488; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP no password"; flow:from_client,established; content:"PASS"; nocase; pcre:"/^PASS\s*\n/smi"; 
reference:arachnids,322; classtype:unknown; sid:489; rev:7;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INFO battle-mail traffic"; flow:to_server,established; content:"BattleMail"; classtype:policy-violation; sid:490; rev:7;)
-alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"INFO FTP Bad login"; flow:from_server,established; content:"530 "; pcre:"/^530\s+(Login|User)/smi"; classtype:bad-unknown; sid:491; rev:8;)
-alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"INFO TELNET login failed"; flow:from_server,established; content:"Login failed"; nocase; classtype:bad-unknown; sid:492; rev:9;)
-alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"INFO TELNET Bad Login"; flow:from_server,established; content:"Login incorrect"; nocase; classtype:bad-unknown; sid:1251; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO psyBNC access"; flow:from_server,established; content:"Welcome!psyBNC@lam3rz.de"; classtype:bad-unknown; sid:493; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INFO web bug 0x0 gif attempt"; flow:from_server,established; content:"Content-type|3A| image/gif"; nocase; content:"GIF"; distance:0; nocase; content:"|01 00 01 00|"; within:4; distance:3; content:","; distance:0; content:"|01 00 01 00|"; within:4; distance:4; classtype:misc-activity; sid:2925; rev:3;)
diff -Nru snort-2.8.5.2/rules/LICENSE snort-2.9.2/rules/LICENSE
--- snort-2.8.5.2/rules/LICENSE 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/LICENSE 1970-01-01 00:00:00.000000000 +0000
@@ -1,340 +0,0 @@
- GNU GENERAL PUBLIC LICENSE
- Version 2, June 1991
-
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
- 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
- Preamble
-
- The licenses for most software are designed to take away your
-freedom to share and change it. By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users. This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it. (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.) You can apply it to
-your programs, too.
-
- When we speak of free software, we are referring to freedom, not
-price. Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
-
- To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
-
- For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have. You must make sure that they, too, receive or can get the
-source code. And you must show them these terms so they know their
-rights.
-
- We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
-
- Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software. If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
-
- Finally, any free program is threatened constantly by software
-patents. We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary. To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
-
- The precise terms and conditions for copying, distribution and
-modification follow.
-
- GNU GENERAL PUBLIC LICENSE
- TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
- 0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License. The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language. (Hereinafter, translation is included without limitation in
-the term "modification".) Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope. The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
-
- 1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
- 2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
- a) You must cause the modified files to carry prominent notices
- stating that you changed the files and the date of any change.
-
- b) You must cause any work that you distribute or publish, that in
- whole or in part contains or is derived from the Program or any
- part thereof, to be licensed as a whole at no charge to all third
- parties under the terms of this License.
-
- c) If the modified program normally reads commands interactively
- when run, you must cause it, when started running for such
- interactive use in the most ordinary way, to print or display an
- announcement including an appropriate copyright notice and a
- notice that there is no warranty (or else, saying that you provide
- a warranty) and that users may redistribute the program under
- these conditions, and telling the user how to view a copy of this
- License. (Exception: if the Program itself is interactive but
- does not normally print such an announcement, your work based on
- the Program is not required to print an announcement.)
-
-These requirements apply to the modified work as a whole. If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works. But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
- 3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
-
- a) Accompany it with the complete corresponding machine-readable
- source code, which must be distributed under the terms of Sections
- 1 and 2 above on a medium customarily used for software interchange; or,
-
- b) Accompany it with a written offer, valid for at least three
- years, to give any third party, for a charge no more than your
- cost of physically performing source distribution, a complete
- machine-readable copy of the corresponding source code, to be
- distributed under the terms of Sections 1 and 2 above on a medium
- customarily used for software interchange; or,
-
- c) Accompany it with the information you received as to the offer
- to distribute corresponding source code. (This alternative is
- allowed only for noncommercial distribution and only if you
- received the program in object code or executable form with such
- an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it. For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable. However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
- 4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License. Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
- 5. You are not required to accept this License, since you have not
-signed it. However, nothing else grants you permission to modify or
-distribute the Program or its derivative works. These actions are
-prohibited by law if you do not accept this License. Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
- 6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions. You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
- 7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License. If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all. For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices. Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
- 8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded. In such case, this License incorporates
-the limitation as if written in the body of this License.
-
- 9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time. Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number. If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation. If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
- 10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission. For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this. Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
- NO WARRANTY
-
- 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
- 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
- END OF TERMS AND CONDITIONS
-
- How to Apply These Terms to Your New Programs
-
- If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
- To do so, attach the following notices to the program. It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
- <one line to give the program's name and a brief idea of what it does.>
- Copyright (C) 19yy <name of author>
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
- Gnomovision version 69, Copyright (C) 19yy name of author
- Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
- This is free software, and you are welcome to redistribute it
- under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License. Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary. Here is a sample; alter the names:
-
- Yoyodyne, Inc., hereby disclaims all copyright interest in the program
- `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
- <signature of Ty Coon>, 1 April 1989
- Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs. If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library. If this is what you want to do, use the GNU Library General
-Public License instead of this License.
diff -Nru snort-2.8.5.2/rules/local.rules snort-2.9.2/rules/local.rules
--- snort-2.8.5.2/rules/local.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/local.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,6 +0,0 @@
-# $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp $
-# ----------------
-# LOCAL RULES
-# ----------------
-# This file intentionally does not come with signatures. Put your local
-# additions here.
diff -Nru snort-2.8.5.2/rules/misc.rules snort-2.9.2/rules/misc.rules
--- snort-2.8.5.2/rules/misc.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/misc.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,119 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: misc.rules,v 1.53.2.7.2.4 2005/07/22 19:19:54 mwatchinski Exp $
-#-----------
-# MISC RULES
-#-----------
-
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssr"; ipopts:lsrr; reference:arachnids,418; reference:bugtraq,646; reference:cve,1999-0909; reference:url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx; classtype:bad-unknown; sid:500; rev:5;)
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssre"; ipopts:lsrre; reference:arachnids,420; reference:bugtraq,646; reference:cve,1999-0909; reference:url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx; classtype:bad-unknown; sid:501; rev:5;)
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route ssrr"; ipopts:ssrr ; reference:arachnids,422; classtype:bad-unknown; sid:502; rev:2;)
-alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"MISC Source Port 20 to <1024"; flow:stateless; flags:S,12; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:7;)
-alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; flow:stateless; flags:S,12; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1417 (msg:"MISC Insecure TIMBUKTU Password"; flow:to_server,established; content:"|05 00|>"; depth:16; reference:arachnids,229; classtype:bad-unknown; sid:505; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"MISC PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:507; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 70 (msg:"MISC gopher proxy"; flow:to_server,established; content:"ftp|3A|"; nocase; content:"@/"; reference:arachnids,409; classtype:bad-unknown; sid:508; rev:7;)
-alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"MISC PCAnywhere Failed Login"; flow:from_server,established; content:"Invalid login"; depth:16; reference:arachnids,240; classtype:unsuccessful-user; sid:512; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"MISC ramen worm"; flow:to_server,established; content:"GET "; depth:8; nocase; reference:arachnids,461; classtype:bad-unknown; sid:514; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"MISC SNMP NT UserList"; content:"+|06 10|@|14 D1 02 19|"; reference:nessus,10546; classtype:attempted-recon; sid:516; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"MISC xdmcp query"; content:"|00 01 00 03 00 01 00|"; reference:arachnids,476; classtype:attempted-recon; sid:517; rev:1;)
-
-# once we get response, check for content:"|00 01 00|"; offset:0; depth:3;
-alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"MISC xdmcp info query"; content:"|00 01 00 02 00 01 00|"; reference:nessus,10891; classtype:attempted-recon; sid:1867; rev:1;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large UDP Packet"; dsize:>4000; reference:arachnids,247; classtype:bad-unknown; sid:521; rev:2;)
-# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Tiny Fragments"; dsize:< 25; fragbits:M; classtype:bad-unknown; sid:522; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:1384; rev:8;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP Location overflow"; content:"Location|3A|"; nocase; pcre:"/^Location\:[^\n]{128}/smi"; reference:bugtraq,3723; reference:cve,2001-0876; classtype:misc-attack; sid:1388; rev:12;)
-alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"MISC AIM AddGame attempt"; flow:to_client,established; content:"aim|3A|AddGame?"; nocase; reference:bugtraq,3769; reference:cve,2002-0005; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:1393; rev:12;)
-alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"MISC AIM AddExternalApp attempt"; flow:to_client,established; content:"aim|3A|AddExternalApp?"; nocase; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:1752; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"MISC AFS access"; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|"; reference:nessus,10441; classtype:misc-activity; sid:1504; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 (msg:"MISC Xtramail Username overflow attempt"; flow:to_server,established; dsize:>500; content:"Username|3A|"; nocase; isdataat:100,relative; pcre:"/^Username\:[^\n]{100}/smi"; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10323; classtype:attempted-admin; sid:1636; rev:10;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"MISC OpenSSL Worm traffic"; flow:to_server,established; content:"TERM=xterm"; nocase; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:web-application-attack; sid:1887; rev:3;)
-alert udp $EXTERNAL_NET 2002 -> $HTTP_SERVERS 2002 (msg:"MISC slapper worm admin traffic"; content:"|00 00|E|00 00|E|00 00|@|00|"; depth:10; reference:url,isc.incidents.org/analysis.html?id=167; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:trojan-activity; sid:1889; rev:5;)
-
-
-# once we get response, check for content:"|03|"; offset:0; depth:1;
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal server request RDP"; flow:to_server,established; content:"|03 00 00 0B 06 E0 00 00 00 00 00|"; depth:11; reference:bugtraq,3099; reference:cve,2001-0540; reference:url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx; classtype:protocol-command-decode; sid:1447; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal server request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|E0 00 00 00 00 00|"; depth:6; offset:5; reference:bugtraq,3099; reference:cve,2001-0540; reference:url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx; classtype:protocol-command-decode; sid:1448; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal Server no encryption session initiation attempt"; flow:to_server,established; content:"|03 00 01|"; depth:3; content:"|00|"; depth:1; offset:288; reference:url,www.microsoft.com/technet/security/bulletin/MS01-052.mspx; classtype:attempted-dos; sid:2418; rev:4;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2533 (msg:"MISC Alcatel PABX 4400 connection attempt"; flow:established,to_server; content:"|00 01|C"; depth:3; reference:nessus,11019; classtype:misc-activity; sid:1819; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp hardware address length overflow"; content:"|01|"; depth:1; byte_test:1,>,6,2; reference:cve,1999-0798; classtype:misc-activity; sid:1939; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp invalid hardware type"; content:"|01|"; depth:1; byte_test:1,>,7,1; reference:cve,1999-0798; classtype:misc-activity; sid:1940; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp hostname format string attempt"; content:"|01|"; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; within:8; distance:1; content:"%"; within:8; distance:1; reference:bugtraq,4701; reference:cve,2002-0702; reference:nessus,11312; classtype:misc-attack; sid:2039; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 27155 (msg:"MISC GlobalSunTech Access Point Information Disclosure attempt"; content:"gstsearch"; reference:bugtraq,6100; classtype:misc-activity; sid:1966; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"MISC xfs overflow attempt"; flow:to_server,established; dsize:>512; content:"B|00 02|"; depth:3; reference:bugtraq,6241; reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity; sid:1987; rev:7;)
-
-alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"MISC xtacacs failed login response"; content:"|80 02|"; depth:2; content:"|02|"; distance:4; classtype:misc-activity; sid:2041; rev:2;)
-alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"MISC isakmp login failed"; content:"|10 05|"; depth:2; offset:17; content:"|00 00 00 01 01 00 00 18|"; within:8; distance:13; classtype:misc-activity; sid:2043; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd module list access"; flow:to_server,established; content:"|23|list"; depth:5; classtype:misc-activity; sid:2047; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd overflow attempt"; flow:to_server; byte_test:2,>,4000,0; content:"|00 00|"; depth:2; offset:2; reference:bugtraq,9153; reference:cve,2003-0962; reference:nessus,11943; classtype:misc-activity; sid:2048; rev:6;)
-
-
-# This rule needs some work since you don't have to pass BEGIN and END
-# anywhere near each other.
-#
-#! alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 ( \
-#! msg:"MISC CVS username overflow attempt"; flow:to_server,established; \
-#! content:"BEGIN AUTH REQUEST|0A|"; content:!"|0A|END AUTH REQUEST|0A|"; \
-#! within:255; classtype:misc-attack;)
-
-
-# normally Idon't like using 3a for :, but in this case... I'd like to remove the false positives stemming from someone using anoncvs to checkout snort rules :)
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid user authentication response"; flow:from_server,established; content:"E Fatal error, aborting."; content:"|3A| no such user"; classtype:misc-attack; sid:2008; rev:4;)
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid repository response"; flow:from_server,established; content:"error "; content:"|3A| no such repository"; content:"I HATE YOU"; classtype:misc-attack; sid:2009; rev:2;)
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS double free exploit attempt response"; flow:from_server,established; content:"free|28 29 3A| warning|3A| chunk is already free"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2010; rev:4;)
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid directory response"; flow:from_server,established; content:"E protocol error|3A| invalid directory syntax in"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2011; rev:4;)
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS missing cvsroot response"; flow:from_server,established; content:"E protocol error|3A| Root request missing"; classtype:misc-attack; sid:2012; rev:2;)
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid module response"; flow:from_server,established; content:"cvs server|3A| cannot find module"; content:"error"; distance:1; classtype:misc-attack; sid:2013; rev:2;)
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS non-relative path error response"; flow:from_server,established; content:"E cvs server|3A| warning|3A| cannot make directory CVS in /"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2317; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"MISC CVS non-relative path access attempt"; flow:to_server,established; content:"Argument"; pcre:"m?^Argument\s+/?smi"; pcre:"/^Directory/smiR"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2318; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"MISC CVS Max-dotdot integer overflow attempt"; flow:to_server,established; content:"Max-dotdot"; nocase; pcre:"/^Max-dotdot[\s\r\n]*\d{3,}/msi"; reference:bugtraq,10499; reference:cve,2004-0417; classtype:misc-attack; sid:2583; rev:2;)
-
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"MISC Microsoft PPTP Start Control Request buffer overflow attempt"; flow:to_server,established,no_stream; dsize:>156; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; reference:bugtraq,5807; reference:cve,2002-1214; reference:url,www.microsoft.com/technet/security/bulletin/MS02-063.mspx; classtype:attempted-admin; sid:2126; rev:8;)
-
-# this rule is specificly not looking for flow, since tcpdump handles lengths wrong
-alert tcp any any <> any 179 (msg:"MISC BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,<,19,0,relative; reference:bugtraq,6213; reference:cve,2002-1350; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2158; rev:8;)
-alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"MISC BGP invalid type 0"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; content:"|00|"; within:1; distance:2; reference:bugtraq,6213; reference:cve,2002-1350; classtype:bad-unknown; sid:2159; rev:11;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2500; rev:5;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2516; rev:12;)
-
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2532; rev:6;)
-alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"POP3 SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2533; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2534; rev:6;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin remote file upload attempt"; flow:to_server,established; content:"/plugins/hpjwja/script/devices_update_printer_fw_upload.hts"; nocase; content:"Content-Type|3A|"; nocase; content:"Multipart"; distance:0; nocase; reference:bugtraq,9978; classtype:web-application-activity; sid:2547; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin setinfo access"; flow:to_server,established; content:"/plugins/hpjdwm/script/test/setinfo.hts"; nocase; reference:bugtraq,9972; classtype:web-application-activity; sid:2548; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin file write attempt"; flow:to_server,established; content:"/plugins/framework/script/tree.xms"; nocase; content:"WriteToFile"; nocase; reference:bugtraq,9973; classtype:web-application-activity; sid:2549; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin ExecuteFile admin access"; flow:to_server,established; content:"/plugins/framework/script/content.hts"; nocase; content:"ExecuteFile"; nocase; reference:bugtraq,10224; classtype:attempted-admin; sid:2655; rev:1;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsync backup-dir directory traversal attempt"; flow:to_server,established; content:"--backup-dir"; pcre:"/--backup-dir\s+\x2e\x2e\x2f/"; reference:bugtraq,10247; reference:cve,2004-0426; reference:nessus,12230; classtype:string-detect; sid:2561; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (msg:"MISC distccd command execution attempt"; flow:to_server,established; content:"DIST00000001"; depth:12; nocase; reference:url,distcc.samba.org/security.html; classtype:misc-activity; sid:3061; rev:2;)
-alert udp $EXTERNAL_NET
any -> $HOME_NET 7787 (msg:"MISC Unreal Tournament secure overflow attempt"; content:"|5C|secure|5C|"; nocase; pcre:"/\x5csecure\x5c[^\x00]{50}/smi"; reference:bugtraq,10570; reference:cve,2004-0608; classtype:misc-attack; sid:3080; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"MISC Arkeia client backup system info probe"; flow:established,to_server; content:"ARKADMIN_GET_"; nocase; pcre:"/^(CLIENT|MACHINE)_INFO/Ri"; reference:bugtraq,12594; classtype:attempted-recon; sid:3453; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"MISC Arkeia client backup generic info probe"; flow:established,to_server; content:"ARKFS|00|root|00|root"; nocase; reference:bugtraq,12594; classtype:attempted-recon; sid:3454; rev:1;)
diff -Nru snort-2.8.5.2/rules/multimedia.rules snort-2.9.2/rules/multimedia.rules
--- snort-2.8.5.2/rules/multimedia.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/multimedia.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,36 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: multimedia.rules,v 1.13.2.1.2.1 2005/05/16 22:17:51 mwatchinski Exp $
-#-------------
-# MULTIMEDIA RULES
-#-------------
-# These signatures look for people using streaming multimedia technologies.
-# Using streaming media may be a violation of corporate policies.
-
-
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media download"; flow:from_server,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s*(?=[av])(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/smi"; classtype:policy-violation; sid:1437; rev:6;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MULTIMEDIA Quicktime User Agent access"; flow:to_server,established; content:"User-Agent|3A| Quicktime"; nocase; classtype:policy-violation; sid:1436; rev:5;)
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Shoutcast playlist redirection"; flow:from_server,established; content:"Content-type|3A| audio/x-scpls"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1439; rev:5;)
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Icecast playlist redirection"; flow:from_server,established; content:"Content-type|3A| audio/x-mpegurl"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1440; rev:5;)
-alert tcp $HOME_NET any -> 64.245.58.0/23 any (msg:"MULTIMEDIA audio galaxy keepalive"; flow:established; content:"E_|00 03 05|"; depth:5; classtype:misc-activity; sid:1428; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .ram playlist download attempt"; flow:to_server,established; uricontent:".ram"; nocase; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2419; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rmp playlist download attempt"; flow:to_server,established; uricontent:".rmp"; nocase; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2420; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .smi playlist download attempt"; flow:to_server,established; uricontent:".smi"; nocase; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2421; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rt playlist download attempt"; flow:to_server,established; uricontent:".rt"; nocase; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2422; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rp playlist download attempt"; flow:to_server,established; uricontent:".rp"; nocase; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2423; rev:3;)
diff -Nru snort-2.8.5.2/rules/mysql.rules snort-2.9.2/rules/mysql.rules
--- snort-2.8.5.2/rules/mysql.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/mysql.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,31 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: mysql.rules,v 1.10.2.2.2.3 2005/05/31 17:13:02 mwatchinski Exp $
-#----------
-# MYSQL RULES
-#----------
-#
-# These signatures detect unusual and potentially malicious mysql traffic.
-#
-# These signatures are not enabled by default as they may generate false
-# positive alarms on networks that do mysql development.
-#
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:1776; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL 4.0 root login attempt"; flow:to_server,established; content:"|01|"; within:1; distance:3; content:"root|00|"; within:5; distance:5; nocase; classtype:protocol-command-decode; sid:3456; rev:2;)
diff -Nru snort-2.8.5.2/rules/netbios.rules snort-2.9.2/rules/netbios.rules
--- snort-2.8.5.2/rules/netbios.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/netbios.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,512 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: netbios.rules,v 1.46.2.9.2.7 2005/07/22 19:19:54 mwatchinski Exp $
-#--------------
-# NETBIOS RULES
-#--------------
-
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:537; rev:15;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:538; rev:15;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ share access"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2465; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2466; rev:7;) - - -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:536; rev:11;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2467; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2468; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2469; rev:7;) - -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:533; rev:15;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2470; rev:10;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2471; rev:10;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2472; rev:9;) - - - -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ share access"; flow:established,to_server; 
content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:532; rev:12;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2473; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2474; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2475; rev:7;) - - -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2174; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; 
depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2175; rev:8;) - -# where did these come from? I don't know. lets disable them for real for now -# and deal with it later... -### alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C|winreg|00|"; offset:85; nocase; classtype:attempted-recon; rev:2;) -### alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00|"; offset:85; nocase; classtype:attempted-recon; rev:2;) - - -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2476; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2477; rev:6;) - - -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; 
content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2478; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2479; rev:7;) - - -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2480; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown unicode little endian attempt"; flow:established,to_server; 
flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2481; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2482; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2483; rev:7;) - - - -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml"; flow:to_server,established; content:"|00|.|00|E|00|M|00|L"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1293; rev:10;) -alert tcp 
$EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .nws"; flow:to_server,established; content:"|00|.|00|N|00|W|00|S"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1294; rev:10;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda RICHED20.DLL"; flow:to_server,established; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1295; rev:9;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS DOS RFPoison"; flow:to_server,established; content:"|5C 00 5C 00|*|00|S|00|M|00|B|00|S|00|E|00|R|00|V|00|E|00|R|00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00|"; reference:arachnids,454; classtype:attempted-dos; sid:529; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; reference:arachnids,204; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:530; rev:10;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; reference:bugtraq,1163; reference:cve,2000-0347; reference:nessus,10392; classtype:attempted-recon; sid:1239; rev:9;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD.."; flow:to_server,established; content:"|5C|../|00 00 00|"; reference:arachnids,338; classtype:attempted-recon; sid:534; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD..."; flow:to_server,established; content:"|5C|...|00 00 00|"; reference:arachnids,337; classtype:attempted-recon; sid:535; rev:6;) - - -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB startup folder access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"Documents and Settings|5C|All 
Users|5C|Start Menu|5C|Programs|5C|Startup|00|"; distance:0; nocase; classtype:attempted-recon; sid:2176; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB startup folder unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|5C 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5C 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5C 00|S|00|t|00|a|00|r|00|t|00|u|00|p"; distance:0; nocase; classtype:attempted-recon; sid:2177; rev:4;) - - - -# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS Samba clientaccess"; flow:to_server,established; content:"|00|Unix|00|Samba"; reference:arachnids,341; classtype:not-suspicious; sid:539; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00 00 00|"; depth:4; offset:43; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; sid:2101; rev:11;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB trans2open buffer overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 14|"; depth:2; offset:60; byte_test:2,>,256,0,relative,little; reference:bugtraq,7294; reference:cve,2003-0201; reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt; classtype:attempted-admin; sid:2103; rev:9;) - - - -alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2190; rev:3;) -alert tcp 
$EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2191; rev:3;) -alert tcp $HOME_NET 135 -> $EXTERNAL_NET any (msg:"NETBIOS DCERPC ISystemActivator bind accept"; flow:from_server,established; content:"|05|"; within:1; content:"|0C|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00 00|"; within:2; distance:33; flowbits:isset,dce.isystemactivator.bind.attempt; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2350; rev:9;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,little,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2351; rev:10;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt big endian unicode"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,<,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; 
classtype:attempted-admin; sid:2352; rev:9;) - - - - -alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.attempt; flowbits:noalert; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2192; rev:10;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2193; rev:11;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; 
reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2491; rev:7;) - - -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2492; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2493; rev:7;) - - - - - - - -alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; 
reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2251; rev:14;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2252; rev:14;) -alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2257; rev:9;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; 
reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2258; rev:9;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2308; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2309; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; 
sid:2310; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2311; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC Workstation Service direct service bind attempt"; flow:to_server,established; content:"|05 00 0B|"; depth:3; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2315; rev:6;) -alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC Workstation Service direct service access attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2316; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC print spool bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00 05 00 0B|"; within:17; distance:5; byte_test:1,&,16,1,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:29; flowbits:set,dce.printer.bind; flowbits:noalert; classtype:protocol-command-decode; 
sid:2348; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC enumerate printers request attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; distance:1; content:"|00|"; within:1; distance:1; byte_test:1,&,3,0,relative; content:"|00 00|"; within:2; distance:19; flowbits:isset,dce.printer.bind; classtype:attempted-recon; sid:2349; rev:5;) - -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2382; rev:18;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup NTMLSSP asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2383; rev:18;) - -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup AndX request username overflow 
attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2401; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2402; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup AndX request unicode username overflow attempt"; flow:to_server,established; content:"|00 00|"; distance:0; content:"|00 00|"; distance:0; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,128,6,relative; byte_test:2,>,255,54,relative,little; content:"|00|"; distance:56; content:"|00 00|"; distance:255; content:"|00 00|"; distance:0; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2403; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt"; flow:to_server,established; content:"|00 00|"; distance:0; content:"|00 00|"; distance:0; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,128,6,relative; byte_test:2,>,255,54,relative,little; content:"|00|"; distance:56; content:"|00 
00|"; distance:255; content:"|00 00|"; distance:0; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2404; rev:5;) - - - -alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2494; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2495; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2496; rev:7;) - - -alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC 
LSASS bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2507; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2524; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; flowbits:isset,netbios.lsass.bind.attempt; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2508; rev:6;) - - -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; 
flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2509; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2510; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2525; rev:6;) - - -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2511; rev:9;) - - - -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 
(msg:"NETBIOS SMB-DS DCERPC LSASS bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2512; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2526; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2513; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS 
DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2514; rev:7;) -alert udp $EXTERNAL_NET 137 -> $HOME_NET any (msg:"NETBIOS NS lookup response name overflow attempt"; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; reference:bugtraq,10333; reference:bugtraq,10334; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512A.html; classtype:attempted-admin; sid:2563; rev:4;) -alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"NETBIOS NS lookup short response attempt"; dsize:<56; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; reference:bugtraq,10334; reference:bugtraq,10335; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512C.html; classtype:attempted-admin; sid:2564; rev:4;) -alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2924; rev:3;) -alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"NETBIOS SMB repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2923; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi bind attempt"; flow:established,to_server; 
flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2932; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2994; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2976; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW unicode overflow attempt"; flow:established,to_server; 
flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2939; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2958; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2937; rev:4;) -alert tcp $EXTERNAL_NET any -> 
$HOME_NET 139 (msg:"NETBIOS SMB winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2988; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2971; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; 
within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2989; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2944; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2972; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; 
content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2936; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2953; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2984; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2979; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; 
within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2961; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2960; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; 
isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2948; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2949; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2930; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2931; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS 
SMB-DS NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2970; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2965; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; 
classtype:protocol-command-decode; sid:2951; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2997; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2985; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 
00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2947; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2954; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2943; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2998; rev:4;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2935; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2962; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; 
distance:-10; nocase; classtype:protocol-command-decode; sid:2977; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2955; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2981; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2993; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; 
content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2942; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2969; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2973; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2999; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2952; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2966; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg bind attempt"; flow:established,to_server; 
flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2940; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2996; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; 
reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2963; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2959; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2990; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; 
pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2992; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2986; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2929; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2956; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW little endian overflow attempt"; flow:established,to_server; 
flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2946; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2934; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2978; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2982; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2967; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2957; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2941; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2995; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2950; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; nocase; 
classtype:protocol-command-decode; sid:2974; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2987; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2938; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; 
within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2964; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2980; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2983; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2991; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi unicode 
bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2933; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2945; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2928; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; 
within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2968; rev:4;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2975; rev:3;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup NTMLSSP andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:3004; rev:4;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:3003; rev:4;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup NTMLSSP unicode andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:3005; rev:4;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP unicode andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; 
reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:3002; rev:4;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:3000; rev:4;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:3001; rev:4;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; 
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3051; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3036; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3025; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; 
reference:cve,2004-1154; classtype:protocol-command-decode; sid:3027; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3044; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3030; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3047; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; 
content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3054; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3057; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3021; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; 
pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3032; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3048; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3050; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3024; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; 
distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3026; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3035; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3041; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; 
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3046; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3053; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3043; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; 
within:2; distance:-10; classtype:protocol-command-decode; sid:3042; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3019; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3020; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3034; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3029; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3052; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3023; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; 
distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3039; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3037; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3045; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; 
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3031; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3028; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3018; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3056; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; 
flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3055; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3040; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3022; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; 
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3049; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3033; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3038; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; 
content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3109; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|llsrpc|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3092; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3111; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; 
within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3100; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3114; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3119; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; 
depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3127; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|llsrpc|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3096; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3123; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3110; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3117; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3108; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc 
bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3098; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3095; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3121; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc little endian andx bind attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3103; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3102; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; 
classtype:protocol-command-decode; sid:3099; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3126; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3118; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; 
within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3124; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3116; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3113; rev:2;) -alert tcp $EXTERNAL_NET 
any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3120; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3129; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 
00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3091; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|llsrpc|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3094; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3105; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; 
classtype:protocol-command-decode; sid:3107; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3115; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3125; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:51; 
nocase; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3093; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3112; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3101; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; 
within:16; distance:51; nocase; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3097; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3128; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|llsrpc|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3090; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; 
reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3122; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3104; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3106; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3135; rev:2;) -alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"NETBIOS SMB Trans2 FIND_FIRST2 response andx overflow attempt"; 
flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:3144; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3141; rev:2;) -alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"NETBIOS SMB Trans2 FIND_FIRST2 response overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:3143; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3140; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; 
flowbits:noalert; classtype:protocol-command-decode; sid:3139; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3137; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3142; rev:2;) -alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:3146; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3136; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx 
attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3138; rev:2;) -alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 response overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:3145; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3163; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; 
pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3185; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3256; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; 
content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3431; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3421; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_test:4,>,128,0,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3238; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_test:4,>,128,0,little,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3239; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot little endian bind attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3241; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation unicode attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3419; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; 
reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3260; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3413; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx; classtype:attempted-admin; sid:3218; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC msqueue little endian bind attempt"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; 
flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3157; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3180; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3406; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 
(msg:"NETBIOS SMB-DS irot unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3251; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3205; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; 
sid:3211; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3384; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS Messenger message little endian overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,8,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:3234; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; 
flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3397; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3217; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3416; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; 
distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3170; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3160; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; 
flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3377; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3428; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx; classtype:attempted-admin; sid:3233; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; 
pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3435; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3178; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; 
byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3183; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3248; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3245; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 
00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3412; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3386; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3166; rev:2;)
-alert 
tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3392; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3409; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; 
pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3270; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3227; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3203; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; 
byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3226; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3208; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; 
classtype:protocol-command-decode; sid:3255; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"NETBIOS name query overflow attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; classtype:attempted-admin; sid:3196; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3430; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3389; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue unicode andx bind attempt"; flow:established,to_server; content:"|00|"; 
depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3174; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC IActivation bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; classtype:protocol-command-decode; sid:3275; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3265; 
rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3415; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3268; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC msqueue bind attempt"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; 
flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3156; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3439; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3162; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS 
SMB-DS CoGetInstanceFromFile unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3186; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3230; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 
5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3383; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3250; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3231; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode andx bind attempt"; flow:established,to_server; content:"|00|"; 
depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3216; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3378; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; 
reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3171; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3427; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3402; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; 
content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3264; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3423; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3222; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB 
winreg unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3204; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3210; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3240; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator 
unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3396; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3247; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; 
within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3259; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation unicode attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3411; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3223; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3405; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3244; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3385; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB 
IActivation unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3380; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3184; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; 
byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3440; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3426; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS Messenger message overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,!&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,align,relative; byte_jump:4,8,align,relative; byte_test:4,>,1024,8,relative; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:3235; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; 
content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3189; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3179; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; 
classtype:protocol-command-decode; sid:3254; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"NETBIOS name query overflow attempt TCP"; flow:to_server,established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; classtype:attempted-admin; sid:3195; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3175; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 
80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3167; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3432; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3228; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; 
distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3202; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3420; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; 
reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3269; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3401; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3390; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; 
nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3172; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3207; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; 
flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3391; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3232; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative,little; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3158; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; 
byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3224; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3258; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3176; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"NETBIOS SMB IActivation unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3379; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3213; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; 
distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3422; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3262; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3436; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; 
distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3190; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3165; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 
00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3243; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3425; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3418; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 
00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3395; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3246; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3408; rev:2;)
-alert tcp 
$EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3253; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt big endian"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,<,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3198; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; 
classtype:protocol-command-decode; sid:3215; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3394; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3263; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; 
content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3433; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3187; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC irot bind attempt"; flow:established,to_server; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3236; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; 
content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3181; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3168; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; 
content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3414; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3388; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3382; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 
00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3229; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC IActivation little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; classtype:protocol-command-decode; sid:3276; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3429; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; 
content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3220; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3404; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3219; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; 
within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3398; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3212; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3206; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator unicode andx bind attempt"; flow:established,to_server; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3399; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC CoGetInstanceFromFile overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3159; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; 
reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3169; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3261; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3257; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; 
content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3417; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3410; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3249; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3271; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3437; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; 
pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3252; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3173; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; 
reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3161; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3400; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3266; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; 
within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3225; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3214; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt little endian"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|5C 5C|"; byte_test:4,>,256,-8,little,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3197; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile little endian attempt"; 
flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3434; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3393; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; 
classtype:protocol-command-decode; sid:3424; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3221; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3242; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; 
byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3182; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3267; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; 
reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3177; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3387; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3403; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; 
byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3209; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3407; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3381; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode 
little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3191; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3438; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC irot little endian bind attempt"; flow:established,to_server; content:"|05|"; depth:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; 
flowbits:noalert; classtype:protocol-command-decode; sid:3237; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3164; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3188; rev:2;)
diff -Nru snort-2.8.5.2/rules/nntp.rules 
snort-2.9.2/rules/nntp.rules
--- snort-2.8.5.2/rules/nntp.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/nntp.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,35 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: nntp.rules,v 1.12.2.4.2.1 2005/05/16 22:17:51 mwatchinski Exp $
-#----------
-# NNTP RULES
-#----------
-
-alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"NNTP return code buffer overflow attempt"; flow:to_server,established,no_stream; content:"200"; isdataat:64,relative; pcre:"/^200\s[^\n]{64}/smi"; reference:bugtraq,4900; reference:cve,2002-0909; classtype:protocol-command-decode; sid:1792; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP AUTHINFO USER overflow attempt"; flow:to_server,established; content:"AUTHINFO"; nocase; content:"USER"; distance:0; nocase; isdataat:200,relative; pcre:"/^AUTHINFO\s+USER\s[^\n]{200}/smi"; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-admin; sid:1538; rev:13;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP sendsys overflow attempt"; flow:to_server,established; content:"sendsys"; nocase; pcre:"/^sendsys\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; 
classtype:attempted-admin; sid:2424; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP senduuname overflow attempt"; flow:to_server,established; content:"senduuname"; nocase; pcre:"/^senduuname\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2425; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP version overflow attempt"; flow:to_server,established; content:"version"; nocase; pcre:"/^version\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2426; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP checkgroups overflow attempt"; flow:to_server,established; content:"checkgroups"; nocase; pcre:"/^checkgroups\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2427; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP ihave overflow attempt"; flow:to_server,established; content:"ihave"; nocase; pcre:"/^ihave\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2428; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP sendme overflow attempt"; flow:to_server,established; content:"sendme"; nocase; pcre:"/^sendme\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2429; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP newgroup overflow attempt"; flow:to_server,established; content:"newgroup"; nocase; pcre:"/^newgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2430; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP rmgroup overflow attempt"; flow:to_server,established; content:"rmgroup"; nocase; pcre:"/^rmgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2431; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP 
article post without path attempt"; flow:to_server,established; content:"takethis"; nocase; pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si"; classtype:attempted-admin; sid:2432; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP XPAT pattern overflow attempt"; flow:to_server,established; content:"PAT"; nocase; pcre:"/^X?PAT\s+[^\n]{1024}/smi"; reference:cve,2004-0574; reference:url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx; classtype:attempted-admin; sid:2927; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP SEARCH pattern overflow attempt"; flow:to_server,established; content:"SEARCH"; nocase; pcre:"/^SEARCH\s+[^\n]{1024}/smi"; reference:cve,2004-0574; reference:url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx; classtype:attempted-admin; sid:3078; rev:1;)
diff -Nru snort-2.8.5.2/rules/oracle.rules snort-2.9.2/rules/oracle.rules
--- snort-2.8.5.2/rules/oracle.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/oracle.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,375 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: oracle.rules,v 1.17.2.3.2.4 2005/05/31 17:13:03 mwatchinski Exp $
-#----------
-# ORACLE RULES
-#----------
-#
-# These signatures detect unusual and potentially malicious oracle traffic.
-# These signatures are based from signatures written by Hank Leininger
-# <hlein@progressive-comp.com> for Enterasys's Dragon IDS that he released
-# publicly.
-#
-# These signatures are not enabled by default as they may generate false
-# positive alarms on networks that do oracle development. If you use an
-# Oracle based web application, you should set the destination port to
-# 80 to catch attackers attempting to exploit your web application.
-#
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE EXECUTE_SYSTEM attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:system-call-detect; sid:1673; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE connect_data remote version detection attempt"; flow:to_server,established; content:"connect_data|28|command=version|29|"; nocase; classtype:protocol-command-decode; sid:1674; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE misparsed login response"; flow:from_server,established; content:"description=|28|"; nocase; content:!"connect_data=|28|sid="; nocase; content:!"address=|28|protocol=tcp"; nocase; classtype:suspicious-login; sid:1675; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select union attempt"; flow:to_server,established; content:"select "; nocase; content:" union "; nocase; classtype:protocol-command-decode; sid:1676; rev:5;)
-# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select like '%' attempt"; flow:to_server,established; content:" where "; nocase; content:" like '%'"; nocase; classtype:protocol-command-decode; sid:1677; rev:5;)
-# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select like '%' attempt backslash escaped"; flow:to_server,established; content:" where "; nocase; content:" like |22|%|22|"; nocase; classtype:protocol-command-decode; sid:1678; rev:7;)
-# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE describe attempt"; flow:to_server,established; content:"describe "; nocase; classtype:protocol-command-decode; sid:1679; rev:6;)
-# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_constraints access"; flow:to_server,established; content:"all_constraints"; nocase; classtype:protocol-command-decode; sid:1680; rev:5;)
-# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_views 
access"; flow:to_server,established; content:"all_views"; nocase; classtype:protocol-command-decode; sid:1681; rev:5;)
-# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_source access"; flow:to_server,established; content:"all_source"; nocase; classtype:protocol-command-decode; sid:1682; rev:5;)
-# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tables access"; flow:to_server,established; content:"all_tables"; nocase; classtype:protocol-command-decode; sid:1683; rev:5;)
-# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_columns access"; flow:to_server,established; content:"all_tab_columns"; nocase; classtype:protocol-command-decode; sid:1684; rev:5;)
-# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_privs access"; flow:to_server,established; content:"all_tab_privs"; nocase; classtype:protocol-command-decode; sid:1685; rev:6;)
-# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dba_tablespace access"; flow:to_server,established; content:"dba_tablespace"; nocase; classtype:protocol-command-decode; sid:1686; rev:5;)
-# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dba_tables access"; flow:to_server,established; content:"dba_tables"; nocase; classtype:protocol-command-decode; sid:1687; rev:5;)
-# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE user_tablespace access"; flow:to_server,established; content:"user_tablespace"; nocase; classtype:protocol-command-decode; sid:1688; rev:5;)
-# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.all_users access"; flow:to_server,established; content:"sys.all_users"; nocase; classtype:protocol-command-decode; sid:1689; rev:5;)
-# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE grant attempt"; flow:to_server,established; content:"grant "; nocase; content:" to "; nocase; 
classtype:protocol-command-decode; sid:1690; rev:5;)
-# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE ALTER USER attempt"; flow:to_server,established; content:"alter user"; nocase; content:" identified by "; nocase; classtype:protocol-command-decode; sid:1691; rev:5;)
-# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop table attempt"; flow:to_server,established; content:"drop table"; nocase; classtype:protocol-command-decode; sid:1692; rev:5;)
-# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create table attempt"; flow:to_server,established; content:"create table"; nocase; classtype:protocol-command-decode; sid:1693; rev:6;)
-# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter table attempt"; flow:to_server,established; content:"alter table"; nocase; classtype:protocol-command-decode; sid:1694; rev:5;)
-# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE truncate table attempt"; flow:to_server,established; content:"truncate table"; nocase; classtype:protocol-command-decode; sid:1695; rev:5;)
-# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create database attempt"; flow:to_server,established; content:"create database"; nocase; classtype:protocol-command-decode; sid:1696; rev:5;)
-# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter database attempt"; flow:to_server,established; content:"alter database"; nocase; classtype:protocol-command-decode; sid:1697; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_replication_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_support"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*package_prefix[\r\n\s]*=>[\r\n\s]*\2|package_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*procedure_prefix[\r\n\s]*=>[\r\n\s]*\2|procedure_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck93.html; classtype:attempted-user; sid:2576; rev:6;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2599; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE add_grouped_column ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22 ]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2600; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
dbms_repcat.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2601; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_master_repgroup ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck87.html; classtype:attempted-user; sid:2602; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*fname[\r\n\s]*=>[\r\n\s]*\2|fname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2603; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create_mview_repgroup ordered fname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){4}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2604; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS 
(msg:"ORACLE dbms_repcat.compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.compare_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2605; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2606; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE comment_on_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2607; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"sysdbms_repcat_rgt.check_ddl_text"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; 
classtype:attempted-user; sid:2608; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2609; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE cancel_statistics ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2610; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE LINK metadata buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; content:"DATABASE"; nocase; content:"LINK"; nocase; pcre:"/USING\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:bugtraq,7453; reference:cve,2003-0222; reference:url,archives.neohapsis.com/archives/bugtraq/2003-04/0360.html; classtype:attempted-user; sid:2611; rev:3;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.revoke_surrogate_repcat"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2612; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE revoke_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2613; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE time_zone buffer overflow attempt"; flow:to_server,established; content:"TIME_ZONE"; nocase; pcre:"/TIME_ZONE\s*=\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; reference:bugtraq,9587; reference:url,www.nextgenss.com/advisories/ora_time_zone.txt; classtype:attempted-user; sid:2614; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2615; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE grant_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; 
reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2616; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat.alter_mview_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2617; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter_mview_propagation ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2618; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2619; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; 
pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2620; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.register_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2621; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_utl.drop_an_object"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2622; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2623; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2624; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE unregister_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2625; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.send_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2626; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2627; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS 
(msg:"ORACLE repcat_import_check ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/\((\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2628; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_admin.register_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2629; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE register_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2630; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2631; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE refresh_mview_repgroup ordered gowner buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,(\s*(true|false)\s*,\s*){3}((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2632; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.rectify"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2633; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE rectifier_diff ordered sname1 buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2634; rev:1;)
-
-alert tcp 
$EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2635; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE snapshot.end_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2636; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2637; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2638; rev:1;)
-alert tcp $EXTERNAL_NET any -> 
$SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2639; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_mview_repgroup ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2640; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2641; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_site_instantiate ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"drop_site_instantiation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck629.html; classtype:attempted-user; sid:2642; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 
$ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.ensure_not_published"; nocase; pcre:"/\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck96.html; classtype:attempted-user; sid:2643; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE from_tz buffer overflow attempt"; flow:to_server,established; content:"FROM_TZ"; nocase; pcre:"/\(\s*TIMESTAMP\s*(\s*(\x27[^\x27]+'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.nextgenss.com/advisories/ora_from_tz.txt; classtype:attempted-user; sid:2644; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_offline"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2645; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE instantiate_offline ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_offline"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck630.html; classtype:attempted-user; sid:2646; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2647; rev:2;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE instantiate_online ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_online"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck631.html; classtype:attempted-user; sid:2648; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE service_name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|service_name="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck52.html; classtype:attempted-user; sid:2649; rev:2;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE user name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|user="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2650; rev:2;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE NUMTODSINTERVAL/NUMTOYMINTERVAL buffer overflow attempt"; flow:to_server,established; content:"NUMTO"; nocase; content:"INTERVAL"; distance:2; nocase; pcre:"/NUMTO(DS|YM)INTERVAL\s*\(\s*\d+\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; reference:bugtraq,9587; reference:url,www.nextgenss.com/advisories/ora_numtodsinterval.txt; reference:url,www.nextgenss.com/advisories/ora_numtoyminterval.txt; classtype:attempted-user; sid:2651; rev:2;) - -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS 
(msg:"ORACLE dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2652; rev:2;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE og.begin_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2653; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE TO_CHAR buffer overflow attempt"; flow:to_server,established; content:"TO_CHAR"; nocase; pcre:"/TO_CHAR\s*\(\s*SYSTIMESTAMP\s*,\s*(\x27[^\x27]{256}|\x22[^\x22]{256})/smi"; classtype:attempted-user; sid:2699; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2676; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_repcat.enable_propagation_to_dblink"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*dblink[\r\n\s]*=>[\r\n\s]*\2|dblink\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2690; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.differences"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2686; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE mdsys.md2.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.sdo_code_size"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2683; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_get_nrp"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2694; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2674; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2677; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_utl.is_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.is_master"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*CANON_GNAME[\r\n\s]*=>[\r\n\s]*\2|CANON_GNAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2696; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_internal_repcat.disable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.disable_receiver_trace"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2689; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE mdsys.md2.validate_geom buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.validate_geom"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{128,}\x27|\x22[^\x22]{128,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,})|\(\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,}))/si"; classtype:attempted-user; sid:2682; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_internal_sys.parallel_push_recovery"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*destination[\r\n\s]*=>[\r\n\s]*\2|destination\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2691; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE ctx_output.start_log buffer overflow attempt"; flow:to_server,established; content:"ctx_output.start_log"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2678; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE mdsys.sdo_admin.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.sdo_admin.sdo_code_size"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2681; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aq_import_internal.aq_table_defn_update"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*qt_name[\r\n\s]*=>[\r\n\s]*\2|qt_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2695; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_internal_repcat.enable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.enable_receiver_trace"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2688; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt"; flow:to_server,established; 
content:"sys.dbms_aqadm_sys.verify_queue_types"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2692; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter file buffer overflow attempt"; flow:to_server,established; content:"alter"; nocase; pcre:"/ALTER\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2697; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_offline"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2675; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE ctxsys.driddlr.subindexpopulate buffer overflow attempt"; flow:to_server,established; content:"ctxsys.driddlr.subindexpopulate"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\d+\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2680; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_system.ksdwrt buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_system.ksdwrt"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*tst[\r\n\s]*=>[\r\n\s]*\2|tst\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*\d+\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2679; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_internal_repcat.validate buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.validate"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2687; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_rq.add_column buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_rq.add_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*SCHEMA_NAME[\r\n\s]*=>[\r\n\s]*\2|SCHEMA_NAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2685; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_no_queue"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2693; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.ltutil.pushdeferredtxns buffer overflow attempt"; flow:to_server,established; content:"sys.ltutil.pushdeferredtxns"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*repgrpname[\r\n\s]*=>[\r\n\s]*\2|repgrpname\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2684; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create file buffer overflow attempt"; flow:to_server,established; content:"create"; nocase; pcre:"/CREATE\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2698; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE numtoyminterval buffer overflow attempt"; flow:to_server,established; content:"numtoyminterval"; nocase; pcre:"/numtoyminterval\s*\(\s*\d+\s*,\s*(\x27[^\x27]{32}|\x22[^\x22]{32})/smi"; classtype:attempted-user; sid:2700; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2915; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_site_priority"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2754; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2864; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2907; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2710; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2845; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.abort_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2719; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nvarchar2"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2727; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.suspend_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2808; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2910; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_snapshot_propagation"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2745; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2736; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2723; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_replication_trigger buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_trigger"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2853; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.register_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2796; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.add_object_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2814; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_master_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2733; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2882; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2765; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_columns_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2820; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_number"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2774; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.do_deferred_repcat_admin"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2763; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.drop_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2833; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.end_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2712; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2876; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2847; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2865; rev:1;) -alert 
tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2782; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.alter_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2827; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2758; 
rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_master_log"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2792; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2893; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.resume_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2801; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_site_priority"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2886; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_snapshot.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.begin_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2715; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2791; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.begin_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2815; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_priority_group 
buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2751; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_untrusted.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2919; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2911; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repobject"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2769; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2806; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2860; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.switch_snapshot_master 
buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1073,}\x27|\x22[^\x22]{1073,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,})|\(\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2857; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.rename_shadow_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2837; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2787; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.set_local_flavor"; nocase; 
pcre:"/(\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2824; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2739; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.generate_snapshot_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2909; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_site_priority_site"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2730; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2867; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2871; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2777; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.rename_shadow_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2800; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2825; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; 
sid:2897; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2846; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.remove_master_databases buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.remove_master_databases"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2855; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2890; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_raw buffer overflow attempt"; 
flow:to_server,established; content:"dbms_repcat.add_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2728; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.specify_new_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.specify_new_masters"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2807; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.resume_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2838; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_unique_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2883; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repsites"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2753; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2841; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; 
content:"dbms_repcat.drop_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2775; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2863; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl4.drop_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2848; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group_from_flavor"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2764; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2797; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2744; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; 
classtype:attempted-user; sid:2762; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.end_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2711; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2735; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_snapshot_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2854; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_char"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2888; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2908; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.abort_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2813; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2724; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2734; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_mview_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_mview_repsites"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gowner|gname)[\r\n\s]*=>[\r\n\s]*\2|(gowner|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2750; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_columns_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2818; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.register_snapshot_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2912; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2877; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2828; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_unique_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2783; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.cancel_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2879; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2757; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_delete_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2887; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2903; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_package"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2786; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS 
(msg:"ORACLE dbms_repcat.drop_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_grouped_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2768; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2742; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2872; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_varchar2"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2778; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.set_columns buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_columns"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2805; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.suspend_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2839; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.unregister_snapshot_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2916; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2793; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2894; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_delete_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2858; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_column_group_to_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2720; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2898; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_for_local_flavor"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2812; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2830; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2725; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_columns_to_flavor"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2721; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2831; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.rectify"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){8}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2718; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repobject"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2843; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2889; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2767; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_raw"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2776; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.register_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.register_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2901; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.execute_ddl buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.execute_ddl"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2785; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_date"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2870; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2859; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.drop_an_object"; nocase; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2849; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2795; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.register_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2798; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2874; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.switch_mview_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_mview_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; 
classtype:attempted-user; sid:2856; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2752; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2761; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2780; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2842; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.purge_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2900; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2866; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repschema"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2905; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_column_group_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2817; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2891; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2917; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.send_and_compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_and_compare_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2804; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2731; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; 
classtype:attempted-user; sid:2738; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_object_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2770; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2851; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.purge_master_log"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2835; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2869; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.generate_replication_package"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2834; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.obsolete_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2821; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.resume_subset_of_masters buffer overflow attempt"; flow:to_server,established; 
content:"dbms_offline_og.resume_subset_of_masters"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2714; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2741; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2772; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2794; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.begin_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2708; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.obsolete_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2789; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repobject"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2850; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2779; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2873; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
sys.dbms_repcat_conf.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2878; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2748; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2862; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_update_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2884; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.differences"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){10}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2717; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2756; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2904; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_for_local_flavor"; nocase; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2826; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.begin_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2709; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2913; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2895; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2784; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2746; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2749; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2743; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 
$ORACLE_PORTS (msg:"ORACLE dbms_repcat.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.relocate_masterdef"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2799; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2868; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2811; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_update_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2899; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_object_to_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2722; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2829; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.alter_snapshot_propagation"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2902; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2844; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2726; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.do_deferred_repcat_admin"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2832; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.validate_for_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2918; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(refresh_template_name|user_name)[\r\n\s]*=>[\r\n\s]*\2|(refresh_template_name|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2803; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2875; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2810; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2781; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.define_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_column_group"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2760; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2881; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2713; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_delete_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2880; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2740; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.make_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.make_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2788; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nchar"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2773; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.publish_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2790; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_column_group_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2819; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2771; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
dbms_repcat.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2759; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.alter_snapshot_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2840; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2892; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_nchar 
buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2737; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.publish_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2822; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.set_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2914; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2906; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2732; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_mview_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_mview_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2852; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.relocate_masterdef 
buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.relocate_masterdef"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2836; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.drop_object_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2816; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.check_ddl_text"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(object_type|user_name)[\r\n\s]*=>[\r\n\s]*\2|(object_type|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2802; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.purge_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2823; rev:1;) -alert tcp $EXTERNAL_NET any -> 
$SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2896; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.unregister_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2809; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_columns_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2766; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; 
content:"dbms_repcat.begin_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2747; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2755; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2729; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nchar"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2861; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2885; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2716; rev:1;) diff -Nru snort-2.8.5.2/rules/other-ids.rules snort-2.9.2/rules/other-ids.rules --- snort-2.8.5.2/rules/other-ids.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/other-ids.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,37 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: other-ids.rules,v 1.10.2.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $ -# --------------- -# OTHER-IDS RULES -# --------------- -# These signatures look for uses of other IDSs. -# -# These signatures serve two purposes. -# 1) If you are "IDS GUY" for a company, and someone else sets up an IDS -# without letting you know, thats bad. -# 2) If you are "pen-tester", this is a good way to find out what IDS -# systems your target is using after you have gained access to their -# network. 
-# - - -alert tcp $HOME_NET 902 -> $EXTERNAL_NET any (msg:"OTHER-IDS ISS RealSecure 6 event collector connection attempt"; flow:from_server,established; content:"6ISS ECNRA Built-In Provider, Strong Encryption"; depth:70; offset:30; nocase; classtype:successful-recon-limited; sid:1760; rev:3;) -alert tcp $HOME_NET 2998 -> $EXTERNAL_NET any (msg:"OTHER-IDS ISS RealSecure 6 daemon connection attempt"; flow:from_server,established; content:"6ISS ECNRA Built-In Provider, Strong Encryption"; depth:70; offset:30; nocase; classtype:successful-recon-limited; sid:1761; rev:3;) - -# To limit false positives, limit to the default port of 975 -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OTHER-IDS SecureNetPro traffic"; flow:established; content:"|00|g|00 01 00 03|"; depth:6; classtype:bad-unknown; sid:1629; rev:6;) diff -Nru snort-2.8.5.2/rules/p2p.rules snort-2.9.2/rules/p2p.rules --- snort-2.8.5.2/rules/p2p.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/p2p.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,43 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: p2p.rules,v 1.17.2.3.2.3 2005/06/15 23:02:34 mwatchinski Exp $ -#------------- -# P2P RULES -#------------- -# These signatures look for usage of P2P protocols, which are usually -# against corporate policy - -alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster login"; flow:to_server,established; content:"|00 02 00|"; depth:3; offset:1; classtype:policy-violation; sid:549; rev:8;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster new user login"; flow:to_server,established; content:"|00 06 00|"; depth:3; offset:1; classtype:policy-violation; sid:550; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"P2P napster download attempt"; flow:to_server,established; content:"|00 CB 00|"; depth:3; offset:1; classtype:policy-violation; sid:551; rev:7;) -alert tcp $EXTERNAL_NET 8888 -> $HOME_NET any (msg:"P2P napster upload request"; flow:from_server,established; content:"|00|_|02|"; depth:3; offset:1; classtype:policy-violation; sid:552; rev:7;) -alert tcp $HOME_NET any -> 
$EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; classtype:policy-violation; sid:1432; rev:6;) -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; classtype:policy-violation; sid:556; rev:5;) -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; classtype:policy-violation; sid:557; rev:6;) -alert tcp $HOME_NET any <> $EXTERNAL_NET 6699 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:561; rev:6;) -alert tcp $HOME_NET any <> $EXTERNAL_NET 7777 (msg:"P2P Napster Client Data"; flow:to_server,established; content:".mp3"; nocase; classtype:policy-violation; sid:562; rev:5;) -alert tcp $HOME_NET any <> $EXTERNAL_NET 6666 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:563; rev:6;) -alert tcp $HOME_NET any <> $EXTERNAL_NET 5555 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:564; rev:7;) -alert tcp $HOME_NET any <> $EXTERNAL_NET 8875 (msg:"P2P Napster Server Login"; flow:established; content:"anon@napster.com"; classtype:policy-violation; sid:565; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack kazaa/morpheus GET request"; flow:to_server,established; content:"GET "; depth:4; reference:url,www.kazaa.com; reference:url,www.musiccity.com/technology.htm; classtype:policy-violation; sid:1383; rev:6;) -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Fastrack kazaa/morpheus traffic"; flow:to_server,established; content:"GET"; depth:3; content:"UserAgent|3A| KazaaClient"; reference:url,www.kazaa.com; classtype:policy-violation; sid:1699; rev:7;) -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P BitTorrent announce 
request"; flow:to_server,established; content:"GET"; depth:4; content:"/announce"; distance:1; content:"info_hash="; offset:4; content:"event=started"; offset:4; classtype:policy-violation; sid:2180; rev:2;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6889 (msg:"P2P BitTorrent transfer"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; classtype:policy-violation; sid:2181; rev:2;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 4242 (msg:"P2P eDonkey transfer"; flow:to_server,established; content:"|E3|"; depth:1; reference:url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html; classtype:policy-violation; sid:2586; rev:2;) -alert tcp $HOME_NET 4711 -> $EXTERNAL_NET any (msg:"P2P eDonkey server response"; flow:established,from_server; content:"Server|3A| eMule"; reference:url,www.emule-project.net; classtype:policy-violation; sid:2587; rev:2;) -alert udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"P2P Manolito Search Query"; content:"|01 02 00 14|"; depth:4; offset:16; reference:url,openlito.sourceforge.net; reference:url,www.blubster.com; classtype:policy-violation; sid:3459; rev:3;) diff -Nru snort-2.8.5.2/rules/policy.rules snort-2.9.2/rules/policy.rules --- snort-2.8.5.2/rules/policy.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/policy.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,55 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: policy.rules,v 1.38.2.2.2.3 2005/07/22 19:19:54 mwatchinski Exp $ -#------------- -# POLICY RULES -#------------- -# - -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous login attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s+(anonymous|ftp)/smi"; classtype:misc-activity; sid:553; rev:7;) - -alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"POLICY WinGate telnet server response"; flow:from_server,established; content:"WinGate>"; reference:arachnids,366; reference:cve,1999-0657; classtype:misc-activity; sid:555; rev:8;) - - -# we have started to see multiple versions of this beyond 003.003, so we have -# expanded this signature to take that into account. 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; classtype:misc-activity; sid:560; rev:6;) - -alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"POLICY PCAnywhere server response"; content:"ST"; depth:2; reference:arachnids,239; classtype:misc-activity; sid:566; rev:4;) -alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"POLICY SMTP relaying denied"; flow:established,from_server; content:"550 5.7.1"; depth:70; reference:arachnids,249; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:567; rev:11;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"POLICY HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; reference:arachnids,302; reference:bugtraq,2245; classtype:misc-activity; sid:568; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 (msg:"POLICY HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; reference:arachnids,302; reference:bugtraq,2245; classtype:misc-activity; sid:510; rev:8;) -alert ip 66.151.158.177 any -> $HOME_NET any (msg:"POLICY poll.gotomypc.com access"; reference:url,www.gotomypc.com/help2.tmpl; classtype:misc-activity; sid:1429; rev:3;) - -# NOTES: This signature would be better off using uricontent, and having the -# http decoder looking at 5800 and 5802, but that is on by default -alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"POLICY vncviewer Java applet download attempt"; flow:to_server,established; content:"/vncviewer.jar"; reference:nessus,10758; classtype:misc-activity; sid:1846; rev:4;) - -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP file_id.diz access possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"file_id.diz"; distance:1; nocase; classtype:suspicious-filename-detect; sid:1445; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 
(msg:"POLICY FTP 'STOR 1MB' possible warez site"; flow:to_server,established; content:"STOR"; nocase; content:"1MB"; distance:1; nocase; classtype:misc-activity; sid:543; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'RETR 1MB' possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"1MB"; distance:1; nocase; classtype:misc-activity; sid:544; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'CWD ' possible warez site"; flow:to_server,established; content:"CWD "; depth:5; nocase; classtype:misc-activity; sid:546; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD ' possible warez site"; flow:to_Server,established; content:"MKD "; depth:5; nocase; classtype:misc-activity; sid:547; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD .' possible warez site"; flow:to_server,established; content:"MKD ."; depth:5; nocase; classtype:misc-activity; sid:548; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'CWD / ' possible warez site"; flow:to_server,established; content:"CWD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:545; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD / ' possible warez site"; flow:to_server,established; content:"MKD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:554; rev:6;) - -alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"POLICY PPTP Start Control Request attempt"; flow:to_server,established,no_stream; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; classtype:attempted-admin; sid:2044; rev:5;) -alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"POLICY xtacacs login attempt"; content:"|80 01|"; depth:2; content:"|00|"; distance:4; classtype:misc-activity; sid:2040; rev:3;) -alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"POLICY xtacacs accepted login response"; content:"|80 02|"; depth:2; content:"|01|"; distance:4; 
classtype:misc-activity; sid:2042; rev:3;) -alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"POLICY IPSec PGPNet connection attempt"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00|P|01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 10|"; classtype:protocol-command-decode; sid:1771; rev:6;) diff -Nru snort-2.8.5.2/rules/pop2.rules snort-2.9.2/rules/pop2.rules --- snort-2.8.5.2/rules/pop2.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/pop2.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,26 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: pop2.rules,v 1.11.2.2.2.1 2005/05/16 22:17:52 mwatchinski Exp $ -#-------------- -# POP2 RULES -#-------------- - -alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD overflow attempt"; flow:established,to_server; content:"FOLD"; nocase; isdataat:256,relative; pcre:"/^FOLD\s[^\n]{256}/smi"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:1934; rev:10;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD arbitrary file attempt"; flow:established,to_server; content:"FOLD"; nocase; pcre:"/^FOLD\s+\//smi"; classtype:misc-attack; sid:1935; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux overflow"; flow:established,to_server; content:"|EB|,[|89 D9 80 C1 06|9|D9 7C 07 80 01|"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:284; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux overflow"; flow:established,to_server; content:"|FF FF 
FF|/BIN/SH|00|"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:285; rev:8;) diff -Nru snort-2.8.5.2/rules/pop3.rules snort-2.9.2/rules/pop3.rules --- snort-2.8.5.2/rules/pop3.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/pop3.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,58 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: pop3.rules,v 1.22.2.4.2.3 2005/06/29 15:35:04 mwatchinski Exp $ -#-------------- -# POP3 RULES -#-------------- - -alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE negative argument attempt"; flow:to_server,established; content:"DELE"; nocase; pcre:"/^DELE\s+-\d/smi"; reference:bugtraq,6053; reference:bugtraq,7445; reference:cve,2002-1539; classtype:misc-attack; sid:2121; rev:9;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 UIDL negative argument attempt"; flow:to_server,established; content:"UIDL"; nocase; pcre:"/^UIDL\s+-\d/smi"; reference:bugtraq,6053; reference:cve,2002-1539; reference:nessus,11570; classtype:misc-attack; sid:2122; rev:10;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; isdataat:50,relative; pcre:"/^USER\s[^\n]{50,}/smi"; reference:bugtraq,11256; reference:bugtraq,789; reference:cve,1999-0494; reference:nessus,10311; classtype:attempted-admin; sid:1866; rev:11;) -alert tcp 
$EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 CAPA overflow attempt"; flow:to_server,established; content:"CAPA"; nocase; isdataat:10,relative; pcre:"/^CAPA\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2108; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 TOP overflow attempt"; flow:to_server,established; content:"TOP"; nocase; isdataat:10,relative; pcre:"/^TOP\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2109; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:10,relative; pcre:"/^STAT\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2110; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:10,relative; pcre:"/^DELE\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2111; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 RSET overflow attempt"; flow:to_server,established; content:"RSET"; nocase; isdataat:10,relative; pcre:"/^RSET\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2112; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 AUTH overflow attempt"; flow:to_server,established; content:"AUTH"; nocase; isdataat:50,relative; pcre:"/^AUTH\s[^\n]{50}/smi"; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:1936; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/smi"; reference:bugtraq,948; reference:cve,2000-0096; reference:nessus,10197; classtype:attempted-admin; sid:1937; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 XTND overflow attempt"; flow:to_server,established; content:"XTND"; nocase; isdataat:50,relative; pcre:"/^XTND\s[^\n]{50}/smi"; classtype:attempted-admin; sid:1938; rev:4;) -alert tcp $EXTERNAL_NET any 
-> $HOME_NET 110 (msg:"POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; isdataat:50,relative; pcre:"/^PASS\s[^\n]{50}/smi"; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:13;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s[^\n]{256}/smi"; reference:bugtraq,1652; reference:cve,2000-0840; reference:cve,2000-0841; reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:13;) - -# bsd-qpopper.c -# overflow in the reading of a line in qpopper -alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89 F9|"; reference:bugtraq,133; reference:cve,1999-0006; reference:nessus,10196; classtype:attempted-admin; sid:286; rev:11;) - -alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1"; classtype:attempted-admin; sid:287; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 Linux overflow"; flow:to_server,established; content:"|D8|@|CD 80 E8 D9 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:288; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 SCO overflow"; flow:to_server,established; content:"V|0E|1|C0 B0 3B 8D|~|12 89 F9 89 F9|"; reference:bugtraq,156; reference:cve,1999-0006; classtype:attempted-admin; sid:289; rev:9;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT qpopper overflow"; flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh"; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:290; rev:9;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER format string attempt"; flow:to_server,established; 
content:"USER"; nocase; pcre:"/^USER\s+[^\n]*?%/smi"; reference:bugtraq,10976; reference:bugtraq,7667; reference:cve,2003-0391; reference:nessus,11742; classtype:attempted-admin; sid:2250; rev:5;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 login brute force attempt"; flow:to_server,established; content:"USER"; nocase; threshold:type threshold, track by_dst, count 30, seconds 30; classtype:suspicious-login; sid:2274; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP USER overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/smi"; reference:bugtraq,9794; classtype:attempted-admin; sid:2409; rev:1;) - -alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2501; rev:10;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2502; rev:10;) - -alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; 
byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2518; rev:13;) - -alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2535; rev:6;) -alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"POP3 SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2536; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2537; rev:6;) - -alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s+[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2666; rev:1;) diff -Nru snort-2.8.5.2/rules/porn.rules snort-2.9.2/rules/porn.rules --- snort-2.8.5.2/rules/porn.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/porn.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,51 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: porn.rules,v 1.12.6.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $ -#------------- -# PORN RULES -#------------- -# - -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN alt.binaries.pictures.erotica"; flow:to_client,established; content:"alt.binaries.pictures.erotica"; nocase; classtype:kickass-porn; sid:1836; rev:2;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN alt.binaries.pictures.tinygirls"; flow:to_client,established; content:"alt.binaries.pictures.tinygirls"; nocase; classtype:kickass-porn; sid:1837; rev:2;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN free XXX"; content:"FREE XXX"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1310; rev:5;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN hardcore anal"; content:"hardcore anal"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1311; rev:5;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nude cheerleader"; content:"nude cheerleader"; 
nocase; flow:to_client,established; classtype:kickass-porn; sid:1312; rev:5;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN up skirt"; content:"up skirt"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1313; rev:5;) -# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN young teen"; content:"young teen"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1314; rev:5;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN hot young sex"; content:"hot young sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1315; rev:5;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fuck fuck fuck"; content:"fuck fuck fuck"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1316; rev:5;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN anal sex"; content:"anal sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1317; rev:5;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN hardcore rape"; content:"hardcore rape"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1318; rev:5;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN real snuff"; content:"real snuff"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1319; rev:5;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fuck movies"; content:"fuck movies"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1320; rev:5;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN dildo"; content:"dildo"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1781; rev:1;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nipple clamp"; content:"nipple"; nocase; content:"clamp"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1782; rev:1;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN oral sex"; content:"oral sex"; nocase; 
flow:to_client,established; classtype:kickass-porn; sid:1783; rev:1;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nude celeb"; content:"nude celeb"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1784; rev:1;) -# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN voyeur"; content:"voyeur"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1785; rev:1;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN raw sex"; content:"raw sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1786; rev:1;) -# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fetish"; content:"fetish"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1793; rev:1;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN masturbation"; content:"masturbat"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1794; rev:1;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN ejaculation"; content:"ejaculat"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1795; rev:1;) -# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN virgin"; content:"virgin "; nocase; flow:to_client,established; classtype:kickass-porn; sid:1796; rev:2;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN BDSM"; content:"BDSM"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1797; rev:1;) -# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN erotica"; content:"erotic"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1798; rev:1;) -# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fisting"; content:"fisting"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1799; rev:1;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN naked lesbians"; content:"naked lesbians"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1833; rev:1;) - diff 
-Nru snort-2.8.5.2/rules/purge-non-gpl.sh snort-2.9.2/rules/purge-non-gpl.sh
--- snort-2.8.5.2/rules/purge-non-gpl.sh 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/purge-non-gpl.sh 1970-01-01 00:00:00.000000000 +0000
@@ -1,23 +0,0 @@
-#!/bin/sh
-# Purges non-GPL rules from a common set
-
-if [ -z "$1" ] ; then
- echo "Usage: $0 directory_with_rules"
-fi
-
-if [ ! -d "$1" ] ; then
- echo "ERROR: $1 is not a directory"
- exit 1
-fi
-
-for file in $1/*rules; do
- if [ -r "$file" ] ; then
- name=`basename $file`
- if [ ! -e "$name" ] ; then
- cat $file |perl remove-non-gpl.pl >$name
- else
- echo "ERROR: Cowardly refusing to overwrite $name"
- fi
- fi
-done
-
diff -Nru snort-2.8.5.2/rules/reference.config snort-2.9.2/rules/reference.config
--- snort-2.8.5.2/rules/reference.config 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/reference.config 1970-01-01 00:00:00.000000000 +0000
@@ -1,14 +0,0 @@
-# $Id: reference.config,v 1.4 2003/10/20 15:03:04 chrisgreen Exp $
-# The following defines URLs for the references found in the rules
-#
-# config reference: system URL
-
-config reference: bugtraq http://www.securityfocus.com/bid/
-config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=
-config reference: arachNIDS http://www.whitehats.com/info/IDS
-
-# Note, this one needs a suffix as well.... lets add that in a bit.
-config reference: McAfee http://vil.nai.com/vil/content/v_
-config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id=
-config reference: url http://
-
diff -Nru snort-2.8.5.2/rules/remove-non-gpl.pl snort-2.9.2/rules/remove-non-gpl.pl
--- snort-2.8.5.2/rules/remove-non-gpl.pl 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/remove-non-gpl.pl 1970-01-01 00:00:00.000000000 +0000
@@ -1,37 +0,0 @@
-#!/usr/bin/perl
-#
-# Give a rules file, remove all alerts which are not GPL. Based on
-# Sourcefire's VRT Certified Rules License Agreement
-# (http://www.snort.org/about_snort/licenses/vrt_license.html)
-# this means that the rule's sid must be outside the 3,465 - 1,000,000 range
-#
-# This program is copyright 2007 by Javier Fernandez-Sanguino <jfs@debian.org>
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-#
-# For more information please see
-# http://www.gnu.org/licenses/licenses.html#GPL
-#
-
-while (<STDIN>) {
- if ( ! /^alert/ ) {
- print ;
- } elsif ( /sid:(\d+)[^\d]/ ) {
- print if ( $1 < 3465 || $1 > 1000000 );
- } else {
- print "WARN: Alert without sid, will not print\n";
- }
-}
-
diff -Nru snort-2.8.5.2/rules/rpc.rules snort-2.9.2/rules/rpc.rules
--- snort-2.8.5.2/rules/rpc.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/rpc.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,234 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: rpc.rules,v 1.58.2.2.2.5 2005/06/29 15:35:04 mwatchinski Exp $ -#---------- -# RPC RULES -#---------- - - -# portmap specific stuff. - -## bleck. Not happy about this. because of the non-rule ordering foo, I'm -## checking the first byte in the version, which should always be 0. When we -## alert multiple times on a packet, I'll put these rules back to: -## content:"|0a 01 86 a0|"; offset:16; depth:4; content:"|00 00 00 05|"; -## distance:4; within:4; -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A0 00|"; depth:5; offset:16; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2093; rev:5;) -# this rule makes me not happy as well. see above. 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt UDP"; content:"|00 01 86 A0 00|"; depth:5; offset:12; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2092; rev:5;) - -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy attempt TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1922; rev:6;) -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy attempt UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1923; rev:6;) -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,428; classtype:rpc-portmap-decode; sid:1280; rev:9;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,428; classtype:rpc-portmap-decode; sid:598; rev:12;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1949; rev:5;) -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt UDP 111"; 
content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1950; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UNSET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2014; rev:5;) -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UNSET attempt UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2015; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing TCP 32771"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,429; classtype:rpc-portmap-decode; sid:599; rev:11;) -alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing UDP 32771"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:1281; rev:7;) - -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cachefsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:1746; rev:11;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cachefsd request TCP"; flow:to_server,established; content:"|00 01 86 
A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:1747; rev:11;) -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rwalld request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1732; rev:9;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rwalld request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1733; rev:9;) -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap admind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,18; classtype:rpc-portmap-decode; sid:575; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap admind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,18; classtype:rpc-portmap-decode; sid:1262; rev:9;) -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap amountd request UDP"; content:"|00 01 86 
A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,19; classtype:rpc-portmap-decode; sid:576; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap amountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,19; classtype:rpc-portmap-decode; sid:1263; rev:11;) -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap bootparam request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:577; rev:13;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:1264; rev:13;) -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nisd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,21; classtype:rpc-portmap-decode; sid:580; rev:9;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 
(msg:"RPC portmap nisd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,21; classtype:rpc-portmap-decode; sid:1267; rev:11;) -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap pcnfsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,22; classtype:rpc-portmap-decode; sid:581; rev:9;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,22; classtype:rpc-portmap-decode; sid:1268; rev:12;) -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rexd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,23; classtype:rpc-portmap-decode; sid:582; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rexd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,23; classtype:rpc-portmap-decode; sid:1269; rev:10;) - - -# rusers -alert udp 
$EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rusers request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:584; rev:11;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rusers request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:1271; rev:14;) -# XXX - Need to find out if rusers exists on TCP and if so, implement one of -# these for TCP... -alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rusers query UDP"; content:"|00 01 86 A2|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:cve,1999-0626; classtype:attempted-recon; sid:612; rev:6;) - - - -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap selection_svc request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,25; classtype:rpc-portmap-decode; sid:586; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,25; 
classtype:rpc-portmap-decode; sid:1273; rev:10;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap status request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,15; classtype:rpc-portmap-decode; sid:587; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap status request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,15; classtype:rpc-portmap-decode; sid:2016; rev:6;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:593; rev:18;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap snmpXdmi request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1279; rev:14;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00
00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:14;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt UDP"; content:"|00 01 87 99|"; depth:4; offset:12; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2045; rev:8;)
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap espd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2017; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:595; rev:16;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480;
reference:cve,2000-0666; classtype:misc-attack; sid:1890; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; flow:to_server, established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:misc-attack; sid:1891; rev:8;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap mountd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,13; classtype:rpc-portmap-decode; sid:579; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap mountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,13; classtype:rpc-portmap-decode; sid:1266; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:574; rev:8;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP export request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,26; classtype:attempted-recon; sid:1924; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP exportall
request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:1925; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP exportall request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,26; classtype:attempted-recon; sid:1926; rev:6;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount path overflow attempt"; flow:to_server,established; content:"|00 01 86 A5 00|"; depth:5; offset:16; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2184; rev:7;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP mount path overflow attempt"; content:"|00 01 86 A5 00|"; depth:5; offset:12; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2185; rev:7;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:1951; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP mount request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon;
sid:1952; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP dump request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2018; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP dump request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2019; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2020; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmount request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2021; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmountall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2022; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmountall request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2023; rev:4;)
-
-
-# amd
-alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP amqproc_mount plog overflow attempt"; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative;
content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1905; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP amqproc_mount plog overflow attempt"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1906; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP pid request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1953; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP pid request"; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1954; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP version request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1955; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP version request"; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1554; reference:cve,2000-0696; classtype:rpc-portmap-decode; sid:1956; rev:8;)
-
-# cmsd
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cmsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,17; classtype:rpc-portmap-decode; sid:578; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,17; classtype:rpc-portmap-decode; sid:1265; rev:9;)
-
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:1907; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:1908; rev:9;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5356; reference:cve,2002-0391; classtype:attempted-admin; sid:2094; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE array buffer overflow attempt";
flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5356; reference:cve,2002-0391; classtype:attempted-admin; sid:2095; rev:6;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,524; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1909; rev:12;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD udp CMSD_INSERT buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1910; rev:10;)
-
-
-# sadmind
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,20; classtype:rpc-portmap-decode; sid:1272; rev:10;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sadmind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,20; classtype:rpc-portmap-decode; sid:585; rev:7;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1911; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,0866; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1912; rev:9;)
-
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind UDP PING"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,866; classtype:attempted-admin; sid:1957; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind TCP PING"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,866; classtype:attempted-admin; sid:1958; rev:5;)
-
-
-# statd
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rstatd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12;
content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,10; classtype:rpc-portmap-decode; sid:583; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,10; classtype:rpc-portmap-decode; sid:1270; rev:11;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD UDP stat mon_name format string exploit attempt"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1913; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD TCP stat mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1914; rev:10;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD UDP monitor mon_name format string exploit attempt"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1915;
rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD TCP monitor mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1916; rev:9;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypupdated request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,125; classtype:rpc-portmap-decode; sid:1277; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:591; rev:10;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypupdated arbitrary command attempt UDP"; content:"|00 01 86 BC|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:misc-attack; sid:2088; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypupdated arbitrary command attempt TCP"; flow:to_server,established; content:"|00 01 86 BC|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:8;
classtype:misc-attack; sid:2089; rev:5;)
-
-# NFS
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap NFS request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1959; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap NFS request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1960; rev:7;)
-
-
-# rquota
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap RQUOTA request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1961; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap RQUOTA request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1962; rev:7;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt UDP"; content:"|00 01 86 AB|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:1963; rev:9;)
-alert tcp
$EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 AB|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:2024; rev:8;)
-
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:588; rev:17;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1274; rev:17;)
-
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk UDP overflow attempt"; content:"|00 01 86 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,122;
reference:cve,1999-0003; classtype:misc-attack; sid:1964; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk TCP overflow attempt"; flow:to_server,established; content:"|00 01 86 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,122; reference:cve,1999-0003; classtype:misc-attack; sid:1965; rev:8;)
-
-# not sure what this rule is looking for, other than the procedure 15
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC DOS ttdbserv Solaris"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; depth:32; offset:16; reference:arachnids,241; reference:bugtraq,122; reference:cve,1999-0003; classtype:attempted-dos; sid:572; rev:9;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,14; classtype:rpc-portmap-decode; sid:589; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,14; classtype:rpc-portmap-decode; sid:1275; rev:10;)
-
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd old password overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2027; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd old password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2028; rev:6;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd username overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2025; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd username overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2026; rev:9;)
-
-
-
-# XXX - These need re-verified
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd new password overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763;
reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2029; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd new password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2030; rev:7;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd user update UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2031; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd user update TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2032; rev:6;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:590; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align;
byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:1276; rev:14;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypserv maplist request UDP"; content:"|00 01 86 A4|"; depth:4; offset:12; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2033; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypserv maplist request TCP"; flow:to_server,established; content:"|00 01 86 A4|"; depth:4; offset:16; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:Cve,CAN-2002-1232; reference:bugtraq,5914; reference:bugtraq,6016; classtype:rpc-portmap-decode; sid:2034; rev:7;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap network-status-monitor request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2035; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap network-status-monitor request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2036; rev:6;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC network-status-monitor mon-callback request UDP"; content:"|00 03 0D|p"; depth:4; offset:12; content:"|00 00 00 01|"; within:4;
distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2037; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC network-status-monitor mon-callback request TCP"; flow:to_server,established; content:"|00 03 0D|p"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2038; rev:5;) - - -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nlockmgr request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1372; reference:cve,2000-0508; classtype:rpc-portmap-decode; sid:2079; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nlockmgr request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1372; reference:cve,2000-0508; classtype:rpc-portmap-decode; sid:2080; rev:6;) - -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rpc.xfsmd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2081; rev:9;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rpc.xfsmd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; 
content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2082; rev:9;) - -alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rpc.xfsmd xfs_export attempt UDP"; content:"|00 05 F7|h"; depth:4; offset:12; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2083; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rpc.xfsmd xfs_export attempt TCP"; flow:to_server,established; content:"|00 05 F7|h"; depth:4; offset:16; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2084; rev:8;) - - -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap kcms_server request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2005; rev:10;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap kcms_server request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2006; rev:10;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC kcms_server directory traversal attempt"; 
flow:to_server,established; content:"|00 01 87|}"; depth:4; offset:16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2007; rev:10;) - -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind query with root credentials attempt TCP"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; classtype:misc-attack; sid:2255; rev:3;) -alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind query with root credentials attempt UDP"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; classtype:misc-attack; sid:2256; rev:3;) diff -Nru snort-2.8.5.2/rules/rservices.rules snort-2.9.2/rules/rservices.rules --- snort-2.8.5.2/rules/rservices.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/rservices.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,35 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: rservices.rules,v 1.22.2.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $
-#----------------
-# RSERVICES RULES
-#----------------
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin LinuxNIS"; flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|"; classtype:bad-unknown; sid:601; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,384; classtype:attempted-user; sid:602; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|"; reference:arachnids,385; classtype:bad-unknown; sid:603; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rsh froot"; flow:to_server,established; content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; sid:604; rev:5;)
-alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"RSERVICES rlogin login failure"; flow:from_server,established; content:"|01|rlogind|3A| Permission denied."; reference:arachnids,392; classtype:unsuccessful-user; sid:611; rev:7;)
-alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"RSERVICES rlogin login failure"; flow:from_server,established; content:"login incorrect"; reference:arachnids,393; classtype:unsuccessful-user; sid:605; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,389; classtype:attempted-admin; sid:606; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,390; classtype:attempted-user; sid:607; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|"; reference:arachnids,388; classtype:attempted-user; sid:608; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh froot"; flow:to_server,established; content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; sid:609; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,391; classtype:attempted-admin; sid:610; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"RSERVICES rexec username overflow attempt"; flow:to_server,established; content:"|00|"; offset:9; content:"|00|"; distance:0; content:"|00|"; distance:0; classtype:attempted-admin; sid:2113; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"RSERVICES rexec password overflow attempt"; flow:to_server,established; content:"|00|"; content:"|00|"; distance:33; content:"|00|"; distance:0; classtype:attempted-admin; sid:2114; rev:3;)
diff -Nru snort-2.8.5.2/rules/scan.rules snort-2.9.2/rules/scan.rules
--- snort-2.8.5.2/rules/scan.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/scan.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,48 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: scan.rules,v 1.29.2.3.2.1 2005/05/16 22:17:52 mwatchinski Exp $
-#-----------
-# SCAN RULES
-#-----------
-# These signatures are representitive of network scanners. These include
-# port scanning, ip mapping, and various application scanners.
-#
-# NOTE: This does NOT include web scanners such as whisker. Those are
-# in web*
-#
-
-alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:613; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:616; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; reference:arachnids,146; classtype:attempted-recon; sid:619; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flow:stateless; flags:F,12; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:7;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN ipEye SYN scan"; flow:stateless; flags:S; seq:1958810375; reference:arachnids,236; classtype:attempted-recon; sid:622; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL"; flow:stateless; ack:0; flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flow:stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS"; flow:stateless; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:625; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:7;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; flow:stateless; flags:SF; id:39426; reference:arachnids,441; classtype:attempted-recon; sid:630; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,149; classtype:attempted-recon; sid:626; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,150; classtype:attempted-recon; sid:627; rev:8;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"SCAN Amanda client version request"; content:"Amanda"; nocase; classtype:attempted-recon; sid:634; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"SCAN XTACACS logout"; content:"|80 07 00 00 07 00 00 04 00 00 00 00 00|"; reference:arachnids,408; classtype:bad-unknown; sid:635; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"SCAN cybercop udp bomb"; content:"cybercop"; reference:arachnids,363; classtype:bad-unknown; sid:636; rev:1;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Webtrends Scanner UDP Probe"; content:"|0A|help|0A|quite|0A|"; reference:arachnids,308; classtype:attempted-recon; sid:637; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; nocase; classtype:network-scan; sid:1638; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SCAN UPnP service discover attempt"; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; classtype:network-scan; sid:1917; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SolarWinds IP scan attempt"; icode:0; itype:8; content:"SolarWinds.Net"; classtype:network-scan; sid:1918; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,145; classtype:attempted-recon; sid:1133; rev:12;)
diff -Nru snort-2.8.5.2/rules/shellcode.rules snort-2.9.2/rules/shellcode.rules
--- snort-2.8.5.2/rules/shellcode.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/shellcode.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,50 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: shellcode.rules,v 1.25.2.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $
-# ---------------
-# SHELLCODE RULES
-# ---------------
-# These signatures are based on shellcode that is common ammong multiple
-# publicly available exploits.
-#
-# Because these signatures check ALL traffic for shellcode, these signatures
-# are disabled by default. There is a LARGE performance hit by enabling
-# these signatures.
-#
-
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; reference:arachnids,282; classtype:system-call-detect; sid:647; rev:6;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; reference:arachnids,284; classtype:system-call-detect; sid:649; rev:8;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; reference:arachnids,436; classtype:system-call-detect; sid:650; rev:8;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; reference:arachnids,356; classtype:shellcode-detect; sid:638; rev:5;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; reference:arachnids,357; classtype:shellcode-detect; sid:639; rev:5;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|"; classtype:shellcode-detect; sid:640; rev:6;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; reference:arachnids,352; classtype:shellcode-detect; sid:641; rev:6;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; reference:arachnids,358; classtype:shellcode-detect; sid:642; rev:6;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; reference:arachnids,359; classtype:shellcode-detect; sid:643; rev:7;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; reference:arachnids,345; classtype:shellcode-detect; sid:644; rev:5;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; reference:arachnids,353; classtype:shellcode-detect; sid:645; rev:5;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; reference:arachnids,355; classtype:shellcode-detect; sid:646; rev:5;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:7;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 stealth NOOP"; content:"|EB 02 EB 02 EB 02|"; reference:arachnids,291; classtype:shellcode-detect; sid:651; rev:8;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0x90 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:653; rev:9;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; reference:arachnids,343; classtype:shellcode-detect; sid:652; rev:9;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:1390; rev:5;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; content:"aaaaaaaaaaaaaaaaaaaaa"; classtype:shellcode-detect; sid:1394; rev:5;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0xEB0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; classtype:shellcode-detect; sid:1424; rev:6;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0x71FB7BAB NOOP"; content:"q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|"; classtype:shellcode-detect; sid:2312; rev:2;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0x71FB7BAB NOOP unicode"; content:"q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|"; classtype:shellcode-detect; sid:2313; rev:2;)
diff -Nru snort-2.8.5.2/rules/sid snort-2.9.2/rules/sid
--- snort-2.8.5.2/rules/sid 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/sid 1970-01-01 00:00:00.000000000 +0000
@@ -1 +0,0 @@
-3827
diff -Nru snort-2.8.5.2/rules/sid-msg.map snort-2.9.2/rules/sid-msg.map
--- snort-2.8.5.2/rules/sid-msg.map 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/sid-msg.map 1970-01-01 00:00:00.000000000 +0000
@@ -1,3544 +0,0 @@ -103 || BACKDOOR subseven 22 || arachnids,485 || url,www.hackfix.org/subseven/ -104 || BACKDOOR - Dagger_1.4.0_client_connect || arachnids,483 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html -105 || BACKDOOR - Dagger_1.4.0 || arachnids,484 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html -106 || BACKDOOR ACKcmdC trojan scan || arachnids,445 -107 || BACKDOOR subseven DEFCON8 2.1 access -108 || BACKDOOR QAZ Worm Client Login access || MCAFEE,98775 -109 || BACKDOOR netbus active || arachnids,401 -110 || BACKDOOR netbus getinfo || arachnids,403 -111 || BACKDOOR netbus getinfo || arachnids,403 -112 || BACKDOOR BackOrifice access || arachnids,400 -113 || BACKDOOR DeepThroat access || arachnids,405 -114 || BACKDOOR netbus active || arachnids,401 -115 || BACKDOOR NetBus Pro 2.0 connection established -116 || BACKDOOR BackOrifice access || arachnids,399 -117 || BACKDOOR Infector.1.x || arachnids,315 -118 || BACKDOOR SatansBackdoor.2.0.Beta || arachnids,316 -119 || BACKDOOR Doly 2.0 access || arachnids,312 -120 || BACKDOOR Infector 1.6 Server to Client || cve,1999-0660 || nessus,11157 -121 || BACKDOOR Infector 1.6 Client to Server Connection Request || cve,1999-0660 || nessus,11157 -122 || BACKDOOR DeepThroat 3.1 System Info Client Request || arachnids,106 -124 || BACKDOOR DeepThroat 3.1 FTP Status Client Request || arachnids,106 -125 || BACKDOOR DeepThroat 3.1 E-Mail Info From Server || arachnids,106 -126 || BACKDOOR DeepThroat 3.1 E-Mail Info Client Request || arachnids,106 -127 || BACKDOOR DeepThroat 3.1 Server Status From Server || arachnids,106 -128 || BACKDOOR DeepThroat 3.1 Server Status Client Request || arachnids,106 -129 || BACKDOOR DeepThroat 3.1 Drive Info From Server || arachnids,106 -130 || BACKDOOR DeepThroat 3.1 System Info From Server || arachnids,106 -131 || BACKDOOR DeepThroat 3.1 Drive Info Client Request || arachnids,106 -132 || BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server || arachnids,106 -133 || BACKDOOR DeepThroat 
3.1 Cached Passwords Client Request || arachnids,106 -134 || BACKDOOR DeepThroat 3.1 RAS Passwords Client Request || arachnids,106 -135 || BACKDOOR DeepThroat 3.1 Server Password Change Client Request || arachnids,106 -136 || BACKDOOR DeepThroat 3.1 Server Password Remove Client Request || arachnids,106 -137 || BACKDOOR DeepThroat 3.1 Rehash Client Request || arachnids,106 -138 || BACKDOOR DeepThroat 3.1 Server Rehash Client Request || arachnids,106 -140 || BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request || arachnids,106 -141 || BACKDOOR HackAttack 1.20 Connect -142 || BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request || arachnids,106 -143 || BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request || arachnids,106 -144 || FTP ADMw0rm ftp login attempt || arachnids,01 -145 || BACKDOOR GirlFriendaccess || arachnids,98 -146 || BACKDOOR NetSphere access || arachnids,76 -147 || BACKDOOR GateCrasher || arachnids,99 -148 || BACKDOOR DeepThroat 3.1 Keylogger Active on Network || arachnids,106 -149 || BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network || arachnids,106 -150 || BACKDOOR DeepThroat 3.1 Server Active on Network || arachnids,106 -151 || BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network || arachnids,106 -152 || BACKDOOR BackConstruction 2.1 Connection -153 || BACKDOOR DonaldDick 1.53 Traffic || mcafee,98575 -154 || BACKDOOR DeepThroat 3.1 Wrong Password || arachnids,106 -155 || BACKDOOR NetSphere 1.31.337 access || arachnids,76 -156 || BACKDOOR DeepThroat 3.1 Visible Window List Client Request || arachnids,106 -157 || BACKDOOR BackConstruction 2.1 Client FTP Open Request -158 || BACKDOOR BackConstruction 2.1 Server FTP Open Reply -159 || BACKDOOR NetMetro File List || arachnids,79 -160 || BACKDOOR NetMetro Incoming Traffic || arachnids,79 -161 || BACKDOOR Matrix 2.0 Client connect || arachnids,83 -162 || BACKDOOR Matrix 2.0 Server access || arachnids,83 -163 || BACKDOOR WinCrash 1.0 Server Active || arachnids,36 -164 || 
BACKDOOR DeepThroat 3.1 Server Active on Network || arachnids,106 -165 || BACKDOOR DeepThroat 3.1 Keylogger on Server ON || arachnids,106 -166 || BACKDOOR DeepThroat 3.1 Show Picture Client Request || arachnids,106 -167 || BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request || arachnids,106 -168 || BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request || arachnids,106 -169 || BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request || arachnids,106 -170 || BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request || arachnids,106 -171 || BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request || arachnids,106 -172 || BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request || arachnids,106 -173 || BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request || arachnids,106 -174 || BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request || arachnids,106 -175 || BACKDOOR DeepThroat 3.1 Resolution Change Client Request || arachnids,106 -176 || BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request || arachnids,106 -177 || BACKDOOR DeepThroat 3.1 Keylogger on Server OFF || arachnids,106 -179 || BACKDOOR DeepThroat 3.1 FTP Server Port Client Request || arachnids,106 -180 || BACKDOOR DeepThroat 3.1 Process List Client request || arachnids,106 -181 || BACKDOOR DeepThroat 3.1 Close Port Scan Client Request || arachnids,106 -182 || BACKDOOR DeepThroat 3.1 Registry Add Client Request || arachnids,106 -183 || BACKDOOR SIGNATURE - Q ICMP || arachnids,202 -184 || BACKDOOR Q access || arachnids,203 -185 || BACKDOOR CDK || arachnids,263 -186 || BACKDOOR DeepThroat 3.1 Monitor on/off Client Request || arachnids,106 -187 || BACKDOOR DeepThroat 3.1 Delete File Client Request || arachnids,106 -188 || BACKDOOR DeepThroat 3.1 Kill Window Client Request || arachnids,106 -189 || BACKDOOR DeepThroat 3.1 Disable Window Client Request || arachnids,106 -190 || BACKDOOR DeepThroat 3.1 Enable Window Client Request || arachnids,106 -191 || BACKDOOR DeepThroat 3.1 
Change Window Title Client Request || arachnids,106 -192 || BACKDOOR DeepThroat 3.1 Hide Window Client Request || arachnids,106 -193 || BACKDOOR DeepThroat 3.1 Show Window Client Request || arachnids,106 -194 || BACKDOOR DeepThroat 3.1 Send Text to Window Client Request || arachnids,106 -195 || BACKDOOR DeepThroat 3.1 Server Response || arachnids,106 || mcafee,98574 || nessus,10053 -196 || BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request || arachnids,106 -197 || BACKDOOR DeepThroat 3.1 Create Directory Client Request || arachnids,106 -198 || BACKDOOR DeepThroat 3.1 All Window List Client Request || arachnids,106 -199 || BACKDOOR DeepThroat 3.1 Play Sound Client Request || arachnids,106 -200 || BACKDOOR DeepThroat 3.1 Run Program Normal Client Request || arachnids,106 -201 || BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request || arachnids,106 -202 || BACKDOOR DeepThroat 3.1 Get NET File Client Request || arachnids,106 -203 || BACKDOOR DeepThroat 3.1 Find File Client Request || arachnids,106 -204 || BACKDOOR DeepThroat 3.1 Find File Client Request || arachnids,106 -205 || BACKDOOR DeepThroat 3.1 HUP Modem Client Request || arachnids,106 -206 || BACKDOOR DeepThroat 3.1 CD ROM Open Client Request || arachnids,106 -207 || BACKDOOR DeepThroat 3.1 CD ROM Close Client Request || arachnids,106 -208 || BACKDOOR PhaseZero Server Active on Network -209 || BACKDOOR w00w00 attempt || arachnids,510 -210 || BACKDOOR attempt -211 || BACKDOOR MISC r00t attempt -212 || BACKDOOR MISC rewt attempt -213 || BACKDOOR MISC Linux rootkit attempt -214 || BACKDOOR MISC Linux rootkit attempt lrkr0x -215 || BACKDOOR MISC Linux rootkit attempt -216 || BACKDOOR MISC Linux rootkit satori attempt || arachnids,516 -217 || BACKDOOR MISC sm4ck attempt -218 || BACKDOOR MISC Solaris 2.5 attempt -219 || BACKDOOR HidePak backdoor attempt -220 || BACKDOOR HideSource backdoor attempt -221 || DDOS TFN Probe || arachnids,443 -222 || DDOS tfn2k icmp possible communication || arachnids,425 -223 
|| DDOS Trin00 Daemon to Master PONG message detected || arachnids,187
-224 || DDOS Stacheldraht server spoof || arachnids,193
-225 || DDOS Stacheldraht gag server response || arachnids,195
-226 || DDOS Stacheldraht server response || arachnids,191
-227 || DDOS Stacheldraht client spoofworks || arachnids,192
-228 || DDOS TFN client command BE || arachnids,184
-229 || DDOS Stacheldraht client check skillz || arachnids,190
-230 || DDOS shaft client login to handler || arachnids,254 || url,security.royans.net/info/posts/bugtraq_ddos3.shtml
-231 || DDOS Trin00 Daemon to Master message detected || arachnids,186
-232 || DDOS Trin00 Daemon to Master *HELLO* message detected || arachnids,185 || url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm
-233 || DDOS Trin00 Attacker to Master default startup password || arachnids,197
-234 || DDOS Trin00 Attacker to Master default password
-235 || DDOS Trin00 Attacker to Master default mdie password
-236 || DDOS Stacheldraht client check gag || arachnids,194
-237 || DDOS Trin00 Master to Daemon default password attempt || arachnids,197
-238 || DDOS TFN server response || arachnids,182
-239 || DDOS shaft handler to agent || arachnids,255
-240 || DDOS shaft agent to handler || arachnids,256
-241 || DDOS shaft synflood || arachnids,253 || cve,2000-0138
-243 || DDOS mstream agent to handler
-244 || DDOS mstream handler to agent || cve,2000-0138
-245 || DDOS mstream handler ping to agent || cve,2000-0138
-246 || DDOS mstream agent pong to handler
-247 || DDOS mstream client to handler || cve,2000-0138
-248 || DDOS mstream handler to client || cve,2000-0138
-249 || DDOS mstream client to handler || arachnids,111 || cve,2000-0138
-250 || DDOS mstream handler to client || cve,2000-0138
-251 || DDOS - TFN client command LE || arachnids,183
-252 || DNS named iquery attempt || arachnids,277 || bugtraq,134 || cve,1999-0009 || url,www.rfc-editor.org/rfc/rfc1035.txt
-253 || DNS SPOOF query response PTR with TTL of 1 min. and no authority
-254 || DNS SPOOF query response with TTL of 1 min. and no authority
-255 || DNS zone transfer TCP || arachnids,212 || cve,1999-0532 || nessus,10595
-256 || DNS named authors attempt || arachnids,480 || nessus,10728
-257 || DNS named version attempt || arachnids,278 || nessus,10028
-258 || DNS EXPLOIT named 8.2->8.2.1 || bugtraq,788 || cve,1999-0833
-259 || DNS EXPLOIT named overflow ADM || bugtraq,788 || cve,1999-0833
-260 || DNS EXPLOIT named overflow ADMROCKS || bugtraq,788 || cve,1999-0833 || url,www.cert.org/advisories/CA-1999-14.html
-261 || DNS EXPLOIT named overflow attempt || url,www.cert.org/advisories/CA-1998-05.html
-262 || DNS EXPLOIT x86 Linux overflow attempt
-264 || DNS EXPLOIT x86 Linux overflow attempt
-265 || DNS EXPLOIT x86 Linux overflow attempt ADMv2
-266 || DNS EXPLOIT x86 FreeBSD overflow attempt
-267 || DNS EXPLOIT sparc overflow attempt
-268 || DOS Jolt attack || cve,1999-0345
-269 || DOS Land attack || bugtraq,2666 || cve,1999-0016
-270 || DOS Teardrop attack || bugtraq,124 || cve,1999-0015 || nessus,10279 || url,www.cert.org/advisories/CA-1997-28.html
-271 || DOS UDP echo+chargen bomb || cve,1999-0103 || cve,1999-0635
-272 || DOS IGMP dos attack || bugtraq,514 || cve,1999-0918 || url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx
-273 || DOS IGMP dos attack || bugtraq,514 || cve,1999-0918
-274 || DOS ath || arachnids,264 || cve,1999-1228
-275 || DOS NAPTHA || bugtraq,2022 || cve,2000-1039 || url,razor.bindview.com/publish/advisories/adv_NAPTHA.html || url,www.cert.org/advisories/CA-2000-21.html || url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx
-276 || DOS Real Audio Server || arachnids,411 || bugtraq,1288 || cve,2000-0474
-277 || DOS Real Server template.html || bugtraq,1288 || cve,2000-0474
-278 || DOS Real Server template.html || bugtraq,1288 || cve,2000-0474
-279 || DOS Bay/Nortel Nautica Marlin || bugtraq,1009 || cve,2000-0221
-281 || DOS Ascend Route || arachnids,262 || bugtraq,714 || cve,1999-0060
-282 || DOS arkiea backup || arachnids,261 || bugtraq,662 || cve,1999-0788
-283 || EXPLOIT Netscape 4.7 client overflow || arachnids,215 || bugtraq,822 || cve,1999-1189 || cve,2000-1187
-284 || POP2 x86 Linux overflow || bugtraq,283 || cve,1999-0920 || nessus,10130
-285 || POP2 x86 Linux overflow || bugtraq,283 || cve,1999-0920 || nessus,10130
-286 || POP3 EXPLOIT x86 BSD overflow || bugtraq,133 || cve,1999-0006 || nessus,10196
-287 || POP3 EXPLOIT x86 BSD overflow
-288 || POP3 EXPLOIT x86 Linux overflow
-289 || POP3 EXPLOIT x86 SCO overflow || bugtraq,156 || cve,1999-0006
-290 || POP3 EXPLOIT qpopper overflow || bugtraq,830 || cve,1999-0822 || nessus,10184
-291 || NNTP Cassandra Overflow || arachnids,274 || bugtraq,1156 || cve,2000-0341
-292 || EXPLOIT x86 Linux samba overflow || bugtraq,1816 || bugtraq,536 || cve,1999-0182 || cve,1999-0811
-293 || IMAP EXPLOIT overflow
-295 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005
-296 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005
-297 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005
-298 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005
-299 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005
-300 || EXPLOIT nlps x86 Solaris overflow || bugtraq,2319
-301 || EXPLOIT LPRng overflow || bugtraq,1712 || cve,2000-0917
-302 || EXPLOIT Redhat 7.0 lprd overflow || bugtraq,1712 || cve,2000-0917
-303 || DNS EXPLOIT named tsig overflow attempt || arachnids,482 || bugtraq,2302 || cve,2001-0010
-304 || EXPLOIT SCO calserver overflow || bugtraq,2353 || cve,2000-0306
-305 || EXPLOIT delegate proxy overflow || arachnids,267 || bugtraq,808 || cve,2000-0165
-306 || EXPLOIT VQServer admin || bugtraq,1610 || cve,2000-0766 || url,www.vqsoft.com/vq/server/docs/other/control.html
-307 || EXPLOIT CHAT IRC topic overflow || bugtraq,573 || cve,1999-0672
-308 || EXPLOIT NextFTP client overflow || bugtraq,572 || cve,1999-0671
-309 || EXPLOIT sniffit overflow || arachnids,273 || bugtraq,1158 || cve,2000-0343
-310 || EXPLOIT x86 windows MailMax overflow || bugtraq,2312 || cve,1999-0404
-311 || EXPLOIT Netscape 4.7 unsucessful overflow || arachnids,214 || bugtraq,822 || cve,1999-1189 || cve,2000-1187
-312 || EXPLOIT ntpdx overflow attempt || arachnids,492 || bugtraq,2540 || cve,2001-0414
-313 || EXPLOIT ntalkd x86 Linux overflow || bugtraq,210
-314 || DNS EXPLOIT named tsig overflow attempt || bugtraq,2303 || cve,2001-0010
-315 || EXPLOIT x86 Linux mountd overflow || bugtraq,121 || cve,1999-0002
-316 || EXPLOIT x86 Linux mountd overflow || bugtraq,121 || cve,1999-0002
-317 || EXPLOIT x86 Linux mountd overflow || bugtraq,121 || cve,1999-0002
-318 || EXPLOIT bootp x86 bsd overfow || bugtraq,324 || cve,1999-0914
-319 || EXPLOIT bootp x86 linux overflow || cve,1999-0389 || cve,1999-0798 || cve,1999-0799
-320 || FINGER cmd_rootsh backdoor attempt || nessus,10070 || url,www.sans.org/y2k/TFN_toolkit.htm || url,www.sans.org/y2k/fingerd.htm
-321 || FINGER account enumeration attempt || nessus,10788
-322 || FINGER search query || arachnids,375 || cve,1999-0259
-323 || FINGER root query || arachnids,376
-324 || FINGER null request || arachnids,377
-325 || FINGER probe 0 attempt || arachnids,378
-326 || FINGER remote command execution attempt || arachnids,379 || bugtraq,974 || cve,1999-0150
-327 || FINGER remote command pipe execution attempt || arachnids,380 || bugtraq,2220 || cve,1999-0152
-328 || FINGER bomb attempt || arachnids,381 || cve,1999-0106
-329 || FINGER cybercop redirection || arachnids,11
-330 || FINGER redirection attempt || arachnids,251 || cve,1999-0105 || nessus,10073
-331 || FINGER cybercop query || arachnids,132 || cve,1999-0612
-332 || FINGER 0 query || arachnids,131 || arachnids,378 || cve,1999-0197 || nessus,10069
-333 || FINGER . query || arachnids,130 || cve,1999-0198 || nessus,10072
-334 || FTP .forward || arachnids,319
-335 || FTP .rhosts || arachnids,328
-336 || FTP CWD ~root attempt || arachnids,318 || cve,1999-0082
-337 || FTP CEL overflow attempt || arachnids,257 || bugtraq,679 || cve,1999-0789 || nessus,10009
-338 || FTP EXPLOIT format string || arachnids,453 || bugtraq,1387 || cve,2000-0573
-339 || FTP EXPLOIT OpenBSD x86 ftpd || arachnids,446 || bugtraq,2124 || cve,2001-0053
-340 || FTP EXPLOIT overflow
-341 || FTP EXPLOIT overflow
-342 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8 || arachnids,451 || bugtraq,1387 || cve,2000-0573
-343 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD || arachnids,228 || bugtraq,1387 || cve,2000-0573
-344 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux || arachnids,287 || bugtraq,1387 || cve,2000-0573
-345 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic || arachnids,285 || bugtraq,1387 || cve,2000-0573 || nessus,10452
-346 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check || arachnids,286 || bugtraq,1387 || cve,2000-0573
-348 || FTP EXPLOIT wu-ftpd 2.6.0 || arachnids,440 || bugtraq,1387
-349 || FTP EXPLOIT MKD overflow || bugtraq,113 || bugtraq,2242 || cve,1999-0368
-350 || FTP EXPLOIT x86 linux overflow || bugtraq,113 || bugtraq,2242 || cve,1999-0368
-351 || FTP EXPLOIT x86 linux overflow || bugtraq,113 || bugtraq,2242 || cve,1999-0368
-352 || FTP EXPLOIT x86 linux overflow || bugtraq,113 || cve,1999-0368
-353 || FTP adm scan || arachnids,332
-354 || FTP iss scan || arachnids,331
-355 || FTP pass wh00t || arachnids,324
-356 || FTP passwd retrieval attempt || arachnids,213
-357 || FTP piss scan
-358 || FTP saint scan || arachnids,330
-359 || FTP satan scan || arachnids,329
-360 || FTP serv-u directory transversal || bugtraq,2052 || cve,2001-0054
-361 || FTP SITE EXEC attempt || arachnids,317 || bugtraq,2241 || cve,1999-0080 || cve,1999-0955
-362 || FTP tar parameters || arachnids,134 || bugtraq,2240 || cve,1999-0202 || cve,1999-0997
-363 || ICMP IRDP router advertisement || arachnids,173 || bugtraq,578 || cve,1999-0875
-364 || ICMP IRDP router selection || arachnids,174 || bugtraq,578 || cve,1999-0875
-365 || ICMP PING undefined code
-366 || ICMP PING *NIX
-368 || ICMP PING BSDtype || arachnids,152
-369 || ICMP PING BayRS Router || arachnids,438 || arachnids,444
-370 || ICMP PING BeOS4.x || arachnids,151
-371 || ICMP PING Cisco Type.x || arachnids,153
-372 || ICMP PING Delphi-Piette Windows || arachnids,155
-373 || ICMP PING Flowpoint2200 or Network Management Software || arachnids,156
-374 || ICMP PING IP NetMonitor Macintosh || arachnids,157
-375 || ICMP PING LINUX/*BSD || arachnids,447
-376 || ICMP PING Microsoft Windows || arachnids,159
-377 || ICMP PING Network Toolbox 3 Windows || arachnids,161
-378 || ICMP PING Ping-O-MeterWindows || arachnids,164
-379 || ICMP PING Pinger Windows || arachnids,163
-380 || ICMP PING Seer Windows || arachnids,166
-381 || ICMP PING Sun Solaris || arachnids,448
-382 || ICMP PING Windows || arachnids,169
-384 || ICMP PING
-385 || ICMP traceroute || arachnids,118
-386 || ICMP Address Mask Reply
-387 || ICMP Address Mask Reply undefined code
-388 || ICMP Address Mask Request
-389 || ICMP Address Mask Request undefined code
-390 || ICMP Alternate Host Address
-391 || ICMP Alternate Host Address undefined code
-392 || ICMP Datagram Conversion Error
-393 || ICMP Datagram Conversion Error undefined code
-394 || ICMP Destination Unreachable Destination Host Unknown
-395 || ICMP Destination Unreachable Destination Network Unknown
-396 || ICMP Destination Unreachable Fragmentation Needed and DF bit was set
-397 || ICMP Destination Unreachable Host Precedence Violation
-398 || ICMP Destination Unreachable Host Unreachable for Type of Service
-399 || ICMP Destination Unreachable Host Unreachable
-400 || ICMP Destination Unreachable Network Unreachable for Type of Service
-401 || ICMP Destination Unreachable Network Unreachable
-402 || ICMP Destination Unreachable Port Unreachable
-403 || ICMP Destination Unreachable Precedence Cutoff in effect
-404 || ICMP Destination Unreachable Protocol Unreachable
-405 || ICMP Destination Unreachable Source Host Isolated
-406 || ICMP Destination Unreachable Source Route Failed
-407 || ICMP Destination Unreachable cndefined code
-408 || ICMP Echo Reply
-409 || ICMP Echo Reply undefined code
-410 || ICMP Fragment Reassembly Time Exceeded
-411 || ICMP IPV6 I-Am-Here
-412 || ICMP IPV6 I-Am-Here undefined code
-413 || ICMP IPV6 Where-Are-You
-414 || ICMP IPV6 Where-Are-You undefined code
-415 || ICMP Information Reply
-416 || ICMP Information Reply undefined code
-417 || ICMP Information Request
-418 || ICMP Information Request undefined code
-419 || ICMP Mobile Host Redirect
-420 || ICMP Mobile Host Redirect undefined code
-421 || ICMP Mobile Registration Reply
-422 || ICMP Mobile Registration Reply undefined code
-423 || ICMP Mobile Registration Request
-424 || ICMP Mobile Registration Request undefined code
-425 || ICMP Parameter Problem Bad Length
-426 || ICMP Parameter Problem Missing a Required Option
-427 || ICMP Parameter Problem Unspecified Error
-428 || ICMP Parameter Problem undefined Code
-429 || ICMP Photuris Reserved
-430 || ICMP Photuris Unknown Security Parameters Index
-431 || ICMP Photuris Valid Security Parameters, But Authentication Failed
-432 || ICMP Photuris Valid Security Parameters, But Decryption Failed
-433 || ICMP Photuris undefined code!
-436 || ICMP Redirect for TOS and Host
-437 || ICMP Redirect for TOS and Network
-438 || ICMP Redirect undefined code
-439 || ICMP Reserved for Security Type 19
-440 || ICMP Reserved for Security Type 19 undefined code
-441 || ICMP Router Advertisement || arachnids,173
-443 || ICMP Router Selection || arachnids,174
-445 || ICMP SKIP
-446 || ICMP SKIP undefined code
-448 || ICMP Source Quench undefined code
-449 || ICMP Time-To-Live Exceeded in Transit
-450 || ICMP Time-To-Live Exceeded in Transit undefined code
-451 || ICMP Timestamp Reply
-452 || ICMP Timestamp Reply undefined code
-453 || ICMP Timestamp Request
-454 || ICMP Timestamp Request undefined code
-455 || ICMP Traceroute ipopts || arachnids,238
-456 || ICMP Traceroute
-457 || ICMP Traceroute undefined code
-458 || ICMP unassigned type 1
-459 || ICMP unassigned type 1 undefined code
-460 || ICMP unassigned type 2
-461 || ICMP unassigned type 2 undefined code
-462 || ICMP unassigned type 7
-463 || ICMP unassigned type 7 undefined code
-465 || ICMP ISS Pinger || arachnids,158
-466 || ICMP L3retriever Ping || arachnids,311
-467 || ICMP Nemesis v1.1 Echo || arachnids,449
-469 || ICMP PING NMAP || arachnids,162
-471 || ICMP icmpenum v1.1.1 || arachnids,450
-472 || ICMP redirect host || arachnids,135 || cve,1999-0265
-473 || ICMP redirect net || arachnids,199 || cve,1999-0265
-474 || ICMP superscan echo
-475 || ICMP traceroute ipopts || arachnids,238
-476 || ICMP webtrends scanner || arachnids,307
-477 || ICMP Source Quench
-478 || ICMP Broadscan Smurf Scanner
-480 || ICMP PING speedera
-481 || ICMP TJPingPro1.1Build 2 Windows || arachnids,167
-482 || ICMP PING WhatsupGold Windows || arachnids,168
-483 || ICMP PING CyberKit 2.2 Windows || arachnids,154
-484 || ICMP PING Sniffer Pro/NetXRay network scan
-485 || ICMP Destination Unreachable Communication Administratively Prohibited
-486 || ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited
-487 || ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited
-488 || INFO Connection Closed MSG from Port 80
-489 || INFO FTP no password || arachnids,322
-490 || INFO battle-mail traffic
-491 || INFO FTP Bad login
-492 || INFO TELNET login failed
-493 || INFO psyBNC access
-494 || ATTACK-RESPONSES command completed || bugtraq,1806
-495 || ATTACK-RESPONSES command error
-496 || ATTACK RESPONSES directory listing
-497 || ATTACK-RESPONSES file copied ok || bugtraq,1806 || cve,2000-0884
-498 || ATTACK-RESPONSES id check returned root
-499 || ICMP Large ICMP Packet || arachnids,246
-500 || MISC source route lssr || arachnids,418 || bugtraq,646 || cve,1999-0909 || url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx
-501 || MISC source route lssre || arachnids,420 || bugtraq,646 || cve,1999-0909 || url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx
-502 || MISC source route ssrr || arachnids,422
-503 || MISC Source Port 20 to <1024 || arachnids,06
-504 || MISC source port 53 to <1024 || arachnids,07
-505 || MISC Insecure TIMBUKTU Password || arachnids,229
-506 || MISC ramen worm incoming || arachnids,460
-507 || MISC PCAnywhere Attempted Administrator Login
-508 || MISC gopher proxy || arachnids,409
-509 || WEB-MISC PCCS mysql database admin tool access || arachnids,300 || bugtraq,1557 || cve,2000-0707 || nessus,10783
-510 || POLICY HP JetDirect LCD modification attempt || arachnids,302 || bugtraq,2245
-511 || MISC Invalid PCAnywhere Login
-512 || MISC PCAnywhere Failed Login || arachnids,240
-513 || MISC Cisco Catalyst Remote Access || arachnids,129 || bugtraq,705 || cve,1999-0430
-514 || MISC ramen worm || arachnids,461
-516 || MISC SNMP NT UserList || nessus,10546
-517 || MISC xdmcp query || arachnids,476
-518 || TFTP Put || arachnids,148 || cve,1999-0183
-519 || TFTP parent directory || arachnids,137 || cve,1999-0183 || cve,2002-1209
-520 || TFTP root directory || arachnids,138 || cve,1999-0183
-521 || MISC Large UDP Packet || arachnids,247
-522 || MISC Tiny Fragments
-523 || BAD-TRAFFIC ip reserved bit set
-524 || BAD-TRAFFIC tcp port 0 traffic
-525 || BAD-TRAFFIC udp port 0 traffic || bugtraq,576 || cve,1999-0675 || nessus,10074
-526 || BAD-TRAFFIC data in TCP SYN packet || url,www.cert.org/incident_notes/IN-99-07.html
-527 || BAD-TRAFFIC same SRC/DST || bugtraq,2666 || cve,1999-0016 || url,www.cert.org/advisories/CA-1997-28.html
-528 || BAD-TRAFFIC loopback traffic || url,rr.sans.org/firewall/egress.php
-529 || NETBIOS DOS RFPoison || arachnids,454
-530 || NETBIOS NT NULL session || arachnids,204 || bugtraq,1163 || cve,2000-0347
-532 || NETBIOS SMB ADMIN$ share access
-533 || NETBIOS SMB C$ share access
-534 || NETBIOS SMB CD.. || arachnids,338
-535 || NETBIOS SMB CD... || arachnids,337
-536 || NETBIOS SMB D$ share access
-537 || NETBIOS SMB IPC$ share access
-538 || NETBIOS SMB IPC$ unicode share access
-539 || NETBIOS Samba clientaccess || arachnids,341
-540 || CHAT MSN message
-541 || CHAT ICQ access
-542 || CHAT IRC nick change
-543 || POLICY FTP 'STOR 1MB' possible warez site
-544 || POLICY FTP 'RETR 1MB' possible warez site
-545 || POLICY FTP 'CWD / ' possible warez site
-546 || POLICY FTP 'CWD ' possible warez site
-547 || POLICY FTP 'MKD ' possible warez site
-548 || POLICY FTP 'MKD .' possible warez site
-549 || P2P napster login
-550 || P2P napster new user login
-551 || P2P napster download attempt
-552 || P2P napster upload request
-553 || POLICY FTP anonymous login attempt
-554 || POLICY FTP 'MKD / ' possible warez site
-555 || POLICY WinGate telnet server response || arachnids,366 || cve,1999-0657
-556 || P2P Outbound GNUTella client request
-557 || P2P GNUTella client request
-558 || INFO Outbound GNUTella client request
-559 || P2P Inbound GNUTella client request
-560 || POLICY VNC server response
-561 || P2P Napster Client Data
-562 || P2P Napster Client Data
-563 || P2P Napster Client Data
-564 || P2P Napster Client Data
-565 || P2P Napster Server Login
-566 || POLICY PCAnywhere server response || arachnids,239
-567 || POLICY SMTP relaying denied || arachnids,249 || url,mail-abuse.org/tsi/ar-fix.html
-568 || POLICY HP JetDirect LCD modification attempt || arachnids,302 || bugtraq,2245
-569 || RPC snmpXdmi overflow attempt TCP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html
-570 || RPC EXPLOIT ttdbserv solaris overflow || arachnids,242 || bugtraq,122 || cve,1999-0003 || url,www.cert.org/advisories/CA-2001-27.html
-571 || RPC EXPLOIT ttdbserv Solaris overflow || arachnids,242 || bugtraq,122 || cve,1999-0003 || url,www.cert.org/advisories/CA-2001-27.html
-572 || RPC DOS ttdbserv Solaris || arachnids,241 || bugtraq,122 || cve,1999-0003
-573 || RPC AMD Overflow || arachnids,217 || cve,1999-0704
-574 || RPC mountd TCP export request || arachnids,26
-575 || RPC portmap admind request UDP || arachnids,18
-576 || RPC portmap amountd request UDP || arachnids,19
-577 || RPC portmap bootparam request UDP || arachnids,16 || cve,1999-0647
-578 || RPC portmap cmsd request UDP || arachnids,17
-579 || RPC portmap mountd request UDP || arachnids,13
-580 || RPC portmap nisd request UDP || arachnids,21
-581 || RPC portmap pcnfsd request UDP || arachnids,22
-582 || RPC portmap rexd request UDP || arachnids,23
-583 || RPC portmap rstatd request UDP || arachnids,10
-584 || RPC portmap rusers request UDP || arachnids,133 || cve,1999-0626
-585 || RPC portmap sadmind request UDP || arachnids,20
-586 || RPC portmap selection_svc request UDP || arachnids,25
-587 || RPC portmap status request UDP || arachnids,15
-588 || RPC portmap ttdbserv request UDP || arachnids,24 || bugtraq,122 || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html
-589 || RPC portmap yppasswd request UDP || arachnids,14
-590 || RPC portmap ypserv request UDP || arachnids,12 || bugtraq,5914 || bugtraq,6016 || cve,2000-1042 || cve,2000-1043 || cve,2002-1232
-591 || RPC portmap ypupdated request TCP || arachnids,125
-592 || RPC rstatd query || arachnids,9
-593 || RPC portmap snmpXdmi request TCP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html
-595 || RPC portmap espd request TCP || bugtraq,2714 || cve,2001-0331
-596 || RPC portmap listing || arachnids,429
-597 || RPC portmap listing || arachnids,429
-598 || RPC portmap listing TCP 111 || arachnids,428
-599 || RPC portmap listing TCP 32771 || arachnids,429
-600 || RPC EXPLOIT statdx || arachnids,442
-601 || RSERVICES rlogin LinuxNIS
-602 || RSERVICES rlogin bin || arachnids,384
-603 || RSERVICES rlogin echo++ || arachnids,385
-604 || RSERVICES rsh froot || arachnids,387
-605 || RSERVICES rlogin login failure || arachnids,393
-606 || RSERVICES rlogin root || arachnids,389
-607 || RSERVICES rsh bin || arachnids,390
-608 || RSERVICES rsh echo + + || arachnids,388
-609 || RSERVICES rsh froot || arachnids,387
-610 || RSERVICES rsh root || arachnids,391
-611 || RSERVICES rlogin login failure || arachnids,392
-612 || RPC rusers query UDP || cve,1999-0626
-613 || SCAN myscan || arachnids,439
-614 || BACKDOOR hack-a-tack attempt || arachnids,314
-615 || SCAN SOCKS Proxy attempt || url,help.undernet.org/proxyscan/
-616 || SCAN ident version request || arachnids,303
-617 || SCAN ssh-research-scanner
-618 || SCAN Squid Proxy attempt
-619 || SCAN cybercop os probe || arachnids,146
-620 || SCAN Proxy Port 8080 attempt
-621 || SCAN FIN || arachnids,27
-622 || SCAN ipEye SYN scan || arachnids,236
-623 || SCAN NULL || arachnids,4
-624 || SCAN SYN FIN || arachnids,198
-625 || SCAN XMAS || arachnids,144
-626 || SCAN cybercop os PA12 attempt || arachnids,149
-627 || SCAN cybercop os SFU12 probe || arachnids,150
-628 || SCAN nmap TCP || arachnids,28
-629 || SCAN nmap fingerprint attempt || arachnids,05
-630 || SCAN synscan portscan || arachnids,441
-631 || SMTP ehlo cybercop attempt || arachnids,372
-632 || SMTP expn cybercop attempt || arachnids,371
-634 || SCAN Amanda client version request
-635 || SCAN XTACACS logout || arachnids,408
-636 || SCAN cybercop udp bomb || arachnids,363
-637 || SCAN Webtrends Scanner UDP Probe || arachnids,308
-638 || SHELLCODE SGI NOOP || arachnids,356
-639 || SHELLCODE SGI NOOP || arachnids,357
-640 || SHELLCODE AIX NOOP
-641 || SHELLCODE Digital UNIX NOOP || arachnids,352
-642 || SHELLCODE HP-UX NOOP || arachnids,358
-643 || SHELLCODE HP-UX NOOP || arachnids,359
-644 || SHELLCODE sparc NOOP || arachnids,345
-645 || SHELLCODE sparc NOOP || arachnids,353
-646 || SHELLCODE sparc NOOP || arachnids,355
-647 || SHELLCODE sparc setuid 0 || arachnids,282
-648 || SHELLCODE x86 NOOP || arachnids,181
-649 || SHELLCODE x86 setgid 0 || arachnids,284
-650 || SHELLCODE x86 setuid 0 || arachnids,436
-651 || SHELLCODE x86 stealth NOOP || arachnids,291
-652 || SHELLCODE Linux shellcode || arachnids,343
-653 || SHELLCODE x86 0x90 unicode NOOP
-654 || SMTP RCPT TO overflow || bugtraq,2283 || bugtraq,9696 || cve,2001-0260
-655 || SMTP sendmail 8.6.9 exploit || arachnids,140 || bugtraq,2311 || cve,1999-0204
-656 || SMTP EXPLOIT x86 windows CSMMail overflow || bugtraq,895 || cve,2000-0042
-657 || SMTP chameleon overflow || arachnids,266 || bugtraq,2387 || cve,1999-0261
-658 || SMTP exchange mime DOS || bugtraq,1869 || cve,2000-1006 || nessus,10558 || url,www.microsoft.com/technet/security/bulletin/MS00-082.mspx
-659 || SMTP expn decode || arachnids,32 || cve,1999-0096 || nessus,10248
-660 || SMTP expn root || arachnids,31 || cve,1999-0531 || nessus,10249
-661 || SMTP majordomo ifs || arachnids,143 || bugtraq,2310 || cve,1999-0207
-662 || SMTP sendmail 5.5.5 exploit || arachnids,119 || cve,1999-0203 || nessus,10258
-663 || SMTP rcpt to command attempt || arachnids,172 || bugtraq,1 || cve,1999-0095
-664 || SMTP RCPT TO decode attempt || arachnids,121 || bugtraq,2308 || cve,1999-0203
-665 || SMTP sendmail 5.6.5 exploit || arachnids,122 || bugtraq,2308 || cve,1999-0203
-666 || SMTP sendmail 8.4.1 exploit || arachnids,120
-667 || SMTP sendmail 8.6.10 exploit || arachnids,123 || bugtraq,2311 || cve,1999-0204
-668 || SMTP sendmail 8.6.10 exploit || arachnids,124 || bugtraq,2311 || cve,1999-0204
-669 || SMTP sendmail 8.6.9 exploit || arachnids,142 || bugtraq,2311 || cve,1999-0204
-670 || SMTP sendmail 8.6.9 exploit || arachnids,139 || bugtraq,2311 || cve,1999-0204
-671 || SMTP sendmail 8.6.9c exploit || arachnids,141 || bugtraq,2311 || cve,1999-0204
-672 || SMTP vrfy decode || arachnids,373 || bugtraq,10248 || cve,1999-0096
-673 || MS-SQL sp_start_job - program execution
-674 || MS-SQL xp_displayparamstmt possible buffer overflow || bugtraq,2030 || cve,2000-1081 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-675 || MS-SQL xp_setsqlsecurity possible buffer overflow || bugtraq,2043 || cve,2000-1088 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-676 || MS-SQL/SMB sp_start_job - program execution
-677 || MS-SQL/SMB sp_password password change
-678 || MS-SQL/SMB sp_delete_alert log file deletion
-679 || MS-SQL/SMB sp_adduser database user creation
-680 || MS-SQL/SMB sa login failed || bugtraq,4797 || cve,2000-1209
-681 || MS-SQL/SMB xp_cmdshell program execution
-682 || MS-SQL xp_enumresultset possible buffer overflow || bugtraq,2031 || cve,2000-1082 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-683 || MS-SQL sp_password - password change
-684 || MS-SQL sp_delete_alert log file deletion
-685 || MS-SQL sp_adduser - database user creation
-686 || MS-SQL xp_reg* - registry access || bugtraq,5205 || cve,2002-0642 || nessus,10642 || url,www.microsoft.com/technet/security/bulletin/MS02-034
-687 || MS-SQL xp_cmdshell - program execution
-688 || MS-SQL sa login failed || bugtraq,4797 || cve,2000-1209 || nessus,10673
-689 || MS-SQL/SMB xp_reg* registry access || bugtraq,5205 || cve,2002-0642 || nessus,10642 || url,www.microsoft.com/technet/security/bulletin/MS02-034
-690 || MS-SQL/SMB xp_printstatements possible buffer overflow || bugtraq,2041 || cve,2000-1086 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-691 || MS-SQL shellcode attempt
-692 || MS-SQL/SMB shellcode attempt
-693 || MS-SQL shellcode attempt
-694 || MS-SQL/SMB shellcode attempt
-695 || MS-SQL/SMB xp_sprintf possible buffer overflow || bugtraq,1204 || url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx
-696 || MS-SQL/SMB xp_showcolv possible buffer overflow || bugtraq,2038 || cve,2000-1083 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-697 || MS-SQL/SMB xp_peekqueue possible buffer overflow || bugtraq,2040 || cve,2000-1085 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-698 || MS-SQL/SMB xp_proxiedmetadata possible buffer overflow || bugtraq,2042 || cve,2000-1087 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-699 || MS-SQL xp_printstatements possible buffer overflow || bugtraq,2041 || cve,2000-1086 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-700 || MS-SQL/SMB xp_updatecolvbm possible buffer overflow || bugtraq,2039 || cve,2000-1084 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-701 || MS-SQL xp_updatecolvbm possible buffer overflow || bugtraq,2039 || cve,2000-1084 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-702 || MS-SQL/SMB xp_displayparamstmt possible buffer overflow || bugtraq,2030 || cve,2000-1081 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-703 || MS-SQL/SMB xp_setsqlsecurity possible buffer overflow || bugtraq,2043 || cve,2000-1088 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-704 || MS-SQL xp_sprintf possible buffer overflow || bugtraq,1204 || cve,2001-0542 || url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx
-705 || MS-SQL xp_showcolv possible buffer overflow || bugtraq,2038 || cve,2000-1083 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-706 || MS-SQL xp_peekqueue possible buffer overflow || bugtraq,2040 || cve,2000-1085 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-707 || MS-SQL xp_proxiedmetadata possible buffer overflow || bugtraq,2024 || cve,1999-0287 || cve,2000-1087 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-708 || MS-SQL/SMB xp_enumresultset possible buffer overflow || bugtraq,2031 || cve,2000-1082 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-709 || TELNET 4Dgifts SGI account attempt || cve,1999-0501 || nessus,11243
-710 || TELNET EZsetup account attempt || cve,1999-0501 || nessus,11244
-711 || TELNET SGI telnetd format bug || arachnids,304 || bugtraq,1572 || cve,2000-0733
-712 || TELNET ld_library_path || arachnids,367 || bugtraq,459 || cve,1999-0073
-713 || TELNET livingston DOS || arachnids,370 || bugtraq,2225 || cve,1999-0218
-714 || TELNET resolv_host_conf || arachnids,369 || bugtraq,2181 || cve,2001-0170
-715 || TELNET Attempted SU from wrong group
-716 || INFO TELNET access || arachnids,08 || cve,1999-0619 || nessus,10280
-717 || TELNET not on console || arachnids,365
-718 || INFO TELNET login incorrect || arachnids,127
-719 || TELNET root login
-720 || Virus - SnowWhite Trojan Incoming
-721 || VIRUS OUTBOUND bad file attachment
-722 || Virus - Possible NAVIDAD Worm
-723 || Virus - Possible MyRomeo Worm
-724 || Virus - Possible MyRomeo Worm
-725 || Virus - Possible MyRomeo Worm
-726 || Virus - Possible MyRomeo Worm
-727 || Virus - Possible MyRomeo Worm
-728 || Virus - Possible MyRomeo Worm
-729 || VIRUS OUTBOUND .scr file attachment
-730 || VIRUS OUTBOUND .shs file attachment
-731 || Virus - Possible QAZ Worm || MCAFEE,98775
-732 || Virus - Possible QAZ Worm Infection || MCAFEE,98775
-733 || Virus - Possible QAZ Worm Calling Home || MCAFEE,98775
-734 || Virus - Possible Matrix worm
-735 || Virus - Possible MyRomeo Worm
-736 || Virus - Successful eurocalculator execution
-737 || Virus - Possible eurocalculator.exe file
-738 || Virus - Possible Pikachu Pokemon Virus || MCAFEE,98696
-739 || Virus - Possible Triplesix Worm || MCAFEE,10389
-740 || Virus - Possible Tune.vbs || MCAFEE,10497
-741 || Virus - Possible NAIL Worm || MCAFEE,10109
-742 || Virus - Possible NAIL Worm || MCAFEE,10109
-743 || Virus - Possible NAIL Worm || MCAFEE,10109
-744 || Virus - Possible NAIL Worm || MCAFEE,10109
-745 || Virus - Possible Papa Worm || MCAFEE,10145
-746 || Virus - Possible Freelink Worm || MCAFEE,10225
-747 || Virus - Possible Simbiosis Worm
-748 || Virus - Possible BADASS Worm || MCAFEE,10388
-749 || Virus - Possible ExploreZip.B Worm || MCAFEE,10471
-751 || Virus - Possible wscript.KakWorm || MCAFEE,10509
-752 || Virus Possible Suppl Worm || MCAFEE,10361
-753 || Virus - Possible NewApt.Worm - theobbq.exe || MCAFEE,10540
-754 || Virus - Possible Word Macro - VALE || MCAFEE,10502
-755 || Virus - Possible IROK Worm || MCAFEE,98552
-756 || Virus - Possible Fix2001 Worm || MCAFEE,10355
-757 || Virus - Possible Y2K Zelu Trojan || MCAFEE,10505
-758 || Virus - Possible The_Fly Trojan || MCAFEE,10478
-759 || Virus - Possible Word Macro - VALE || MCAFEE,10502
-760 || Virus - Possible Passion Worm || MCAFEE,10467
-761 || Virus - Possible NewApt.Worm - cooler3.exe || MCAFEE,10540
-762 || Virus - Possible NewApt.Worm - party.exe || MCAFEE,10540
-763 || Virus - Possible NewApt.Worm - hog.exe || MCAFEE,10540
-764 || Virus - Possible NewApt.Worm - goal1.exe || MCAFEE,10540
-765 || Virus - Possible NewApt.Worm - pirate.exe || MCAFEE,10540
-766 || Virus - Possible NewApt.Worm - video.exe || MCAFEE,10540
-767 || Virus - Possible NewApt.Worm - baby.exe || MCAFEE,10540
-768 || Virus - Possible NewApt.Worm - cooler1.exe || MCAFEE,10540
-769 || Virus - Possible NewApt.Worm - boss.exe || MCAFEE,10540
-770 || Virus - Possible NewApt.Worm - g-zilla.exe || MCAFEE,10540
-771 || Virus - Possible ToadieE-mail Trojan || MCAFEE,10540
-772 || Virus - Possible PrettyPark Trojan || MCAFEE,10175
-773 || Virus - Possible Happy99 Virus || MCAFEE,10144
-774 || Virus - Possible CheckThis Trojan
-775 || Virus - Possible Bubbleboy Worm || MCAFEE,10418
-776 || Virus - Possible NewApt.Worm - copier.exe || MCAFEE,10540
-777 || Virus - Possible MyPics Worm || MCAFEE,10467
-778 || Virus - Possible Babylonia - X-MAS.exe || MCAFEE,10461
-779 || Virus - Possible NewApt.Worm - gadget.exe || MCAFEE,10540
-780 || Virus - Possible NewApt.Worm - irnglant.exe || MCAFEE,10540
-781 || Virus - Possible NewApt.Worm - casper.exe || MCAFEE,10540
-782 || Virus - Possible NewApt.Worm - fborfw.exe || MCAFEE,10540
-783 || Virus - Possible NewApt.Worm - saddam.exe || MCAFEE,10540
-784 || Virus - Possible NewApt.Worm - bboy.exe || MCAFEE,10540
-785 || Virus - Possible NewApt.Worm - monica.exe || MCAFEE,10540
-786 || Virus - Possible NewApt.Worm - goal.exe || MCAFEE,10540
-787 || Virus - Possible NewApt.Worm - panther.exe || MCAFEE,10540
-788 || Virus - Possible NewApt.Worm - chestburst.exe || MCAFEE,10540
-789 || Virus - Possible NewApt.Worm - farter.exe || MCAFEE,1054
-790 || Virus - Possible Common Sense Worm
-791 || Virus - Possible NewApt.Worm - cupid2.exe || MCAFEE,10540
-792 || Virus - Possible Resume Worm || MCAFEE,98661
-793 || VIRUS OUTBOUND .vbs file attachment
-794 || Virus - Possible Resume Worm || MCAFEE,98661
-795 || Virus - Possible Worm - txt.vbs file
-796 || Virus - Possible Worm - xls.vbs file
-797 || Virus - Possible Worm - jpg.vbs file
-798 || Virus - Possible Worm - gif.vbs file
-799 || Virus - Possible Timofonica Worm || MCAFEE,98674
-800 || Virus - Possible Resume Worm || MCAFEE,98661
-801 || Virus - Possible Worm - doc.vbs file
-802 || Virus - Possbile Zipped Files Trojan || MCAFEE,10450
-803 || WEB-CGI HyperSeek hsx.cgi directory traversal attempt || bugtraq,2314 || cve,2001-0253 || nessus,10602
-804 || WEB-CGI SWSoft ASPSeek Overflow attempt || bugtraq,2492 || cve,2001-0476
-805 || WEB-CGI webspeed access || arachnids,467 || bugtraq,969 || cve,2000-0127 || nessus,10304
-806 || WEB-CGI yabb directory traversal attempt || arachnids,462 || bugtraq,1668 || cve,2000-0853
-807 || WEB-CGI /wwwboard/passwd.txt access || arachnids,463 || bugtraq,649 || cve,1999-0953 || cve,1999-0954 || nessus,10321
-808 || WEB-CGI webdriver access || arachnids,473 || bugtraq,2166 || nessus,10592
-809 || WEB-CGI whois_raw.cgi arbitrary command execution attempt || arachnids,466 || bugtraq,304 || cve,1999-1063 || nessus,10306
-810 || WEB-CGI whois_raw.cgi access || arachnids,466 || bugtraq,304 || cve,1999-1063 || nessus,10306
-811 || WEB-CGI websitepro path access || arachnids,468 || bugtraq,932 || cve,2000-0066
-812 || WEB-CGI webplus version access || arachnids,470 || bugtraq,1102 || cve,2000-0282
-813 || WEB-CGI webplus directory traversal || arachnids,471 || bugtraq,1102 || cve,2000-0282
-815 || WEB-CGI websendmail access || arachnids,469 || bugtraq,2077 || cve,1999-0196 || nessus,10301
-817 || WEB-CGI dcboard.cgi invalid user addition attempt || bugtraq,2728 || cve,2001-0527 || nessus,10583
-818 || WEB-CGI dcforum.cgi access || bugtraq,2728 || cve,2001-0527 || nessus,10583
-819 || WEB-CGI mmstdod.cgi access || bugtraq,2063 || cve,2001-0021 || nessus,10566
-820 || WEB-CGI anaconda directory transversal attempt || bugtraq,2338 || bugtraq,2388 || cve,2000-0975 || cve,2001-0308
-821 || WEB-CGI imagemap.exe overflow attempt || arachnids,412 || bugtraq,739 || cve,1999-0951 || nessus,10122
-823 || WEB-CGI cvsweb.cgi access || bugtraq,1469 || cve,2000-0670 || nessus,10465
-824 || WEB-CGI php.cgi access || arachnids,232 || bugtraq,2250 || bugtraq,712 || cve,1999-0238 || cve,1999-058 || nessus,10178
-825 || WEB-CGI glimpse access || bugtraq,2026 || cve,1999-0147 || nessus,10095
-826 || WEB-CGI htmlscript access || bugtraq,2001 || cve,1999-0264 || nessus,10106
-827 || WEB-CGI info2www access || bugtraq,1995 || cve,1999-0266 || nessus,10127
-828 || WEB-CGI maillist.pl access
-829 || WEB-CGI nph-test-cgi access || arachnids,224 || bugtraq,686 || cve,1999-0045 || nessus,10165
-830 || WEB-CGI NPH-publish access || cve,1999-1177 || nessus,10164
-832 || WEB-CGI perl.exe access || arachnids,219 || cve,1999-0509 || nessus,10173 || url,www.cert.org/advisories/CA-1996-11.html
-833 || WEB-CGI rguest.exe access || bugtraq,2024 || cve,1999-0287 || cve,1999-0467
-834 || WEB-CGI rwwwshell.pl access || url,www.itsecurity.com/papers/p37.htm
-835 || WEB-CGI test-cgi access || arachnids,218 || bugtraq,2003 || cve,1999-0070 || nessus,10282
-836 || WEB-CGI textcounter.pl access || bugtraq,2265 || cve,1999-1479 || nessus,11451
-837 || WEB-CGI uploader.exe access || bugtraq,1611 || cve,1999-0177 || cve,2000-0769 || nessus,10291
-838 || WEB-CGI webgais access || arachnids,472 || bugtraq,2058 || cve,1999-0176 || nessus,10300
-839 || WEB-CGI finger access || arachnids,221 || cve,1999-0612 || nessus,10071
-840 || WEB-CGI perlshop.cgi access || cve,1999-1374
-841 || WEB-CGI pfdisplay.cgi access || bugtraq,64 || cve,1999-0270 || nessus,10174
-842 || WEB-CGI aglimpse access || bugtraq,2026 || cve,1999-0147 || nessus,10095
-843 || WEB-CGI anform2 access || arachnids,225 || bugtraq,719 || cve,1999-0066
-844 || WEB-CGI args.bat access || cve,1999-1180 || nessus,11465
-845 || WEB-CGI AT-admin.cgi access || cve,1999-1072
-846 || WEB-CGI bnbform.cgi access || bugtraq,2147 || cve,1999-0937
-847 || 
WEB-CGI campas access || bugtraq,1975 || cve,1999-0146 || nessus,10035 -848 || WEB-CGI view-source directory traversal || bugtraq,2251 || bugtraq,8883 || cve,1999-0174 -849 || WEB-CGI view-source access || bugtraq,2251 || bugtraq,8883 || cve,1999-0174 -850 || WEB-CGI wais.pl access -851 || WEB-CGI files.pl access || cve,1999-1081 -852 || WEB-CGI wguest.exe access || bugtraq,2024 || cve,1999-0287 || cve,1999-0467 -853 || WEB-CGI wrap access || arachnids,234 || bugtraq,373 || cve,1999-0149 || nessus,10317 -854 || WEB-CGI classifieds.cgi access || bugtraq,2020 || cve,1999-0934 -855 || WEB-CGI edit.pl access || bugtraq,2713 -856 || WEB-CGI environ.cgi access -857 || WEB-CGI faxsurvey access || bugtraq,2056 || cve,1999-0262 || nessus,10067 -858 || WEB-CGI filemail access || cve,1999-1154 -859 || WEB-CGI man.sh access || bugtraq,2276 || cve,1999-1179 -860 || WEB-CGI snork.bat access || arachnids,220 || bugtraq,1053 || cve,2000-0169 -861 || WEB-CGI w3-msql access || arachnids,210 || bugtraq,591 || bugtraq,898 || cve,1999-0276 || cve,1999-0753 || cve,2000-0012 || nessus,10296 -862 || WEB-CGI csh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html -863 || WEB-CGI day5datacopier.cgi access || cve,1999-1232 -864 || WEB-CGI day5datanotifier.cgi access || cve,1999-1232 -865 || WEB-CGI ksh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html -866 || WEB-CGI post-query access || bugtraq,6752 || cve,2001-0291 -867 || WEB-CGI visadmin.exe access || bugtraq,1808 || cve,1999-0970 || cve,1999-1970 || nessus,10295 -868 || WEB-CGI rsh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html -869 || WEB-CGI dumpenv.pl access || cve,1999-1178 || nessus,10060 -870 || WEB-CGI snorkerz.cmd access -871 || WEB-CGI survey.cgi access || bugtraq,1817 || cve,1999-0936 -872 || WEB-CGI tcsh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html -873 || WEB-CGI scriptalias access || arachnids,227 || bugtraq,2300 || cve,1999-0236 -874 
|| WEB-CGI w3-msql solaris x86 access || arachnids,211 || cve,1999-0276 -875 || WEB-CGI win-c-sample.exe access || arachnids,231 || bugtraq,2078 || cve,1999-0178 || nessus,10008 -877 || WEB-CGI rksh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html -878 || WEB-CGI w3tvars.pm access -879 || WEB-CGI admin.pl access || bugtraq,3839 || url,online.securityfocus.com/archive/1/249355 -880 || WEB-CGI LWGate access || url,www.netspace.org/~dwb/lwgate/lwgate-history.html || url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm -881 || WEB-CGI archie access -882 || WEB-CGI calendar access -883 || WEB-CGI flexform access || url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm -884 || WEB-CGI formmail access || arachnids,226 || bugtraq,1187 || bugtraq,2079 || cve,1999-0172 || cve,2000-0411 || nessus,10076 || nessus,10782 -885 || WEB-CGI bash access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html -886 || WEB-CGI phf access || arachnids,128 || bugtraq,629 || cve,1999-0067 -887 || WEB-CGI www-sql access || url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2 -888 || WEB-CGI wwwadmin.pl access -889 || WEB-CGI ppdscgi.exe access || bugtraq,491 || nessus,10187 || url,online.securityfocus.com/archive/1/16878 -890 || WEB-CGI sendform.cgi access || bugtraq,5286 || cve,2002-0710 || url,www.scn.org/help/sendform.txt -891 || WEB-CGI upload.pl access -892 || WEB-CGI AnyForm2 access || bugtraq,719 || cve,1999-0066 || nessus,10277 -893 || WEB-CGI MachineInfo access || cve,1999-1067 -894 || WEB-CGI bb-hist.sh access || bugtraq,142 || cve,1999-1462 || nessus,10025 -895 || WEB-CGI redirect access || bugtraq,1179 || cve,2000-0382 -896 || WEB-CGI way-board access || bugtraq,2370 || cve,2001-0214 || nessus,10610 -897 || WEB-CGI pals-cgi access || bugtraq,2372 || cve,2001-0216 || cve,2001-0217 || nessus,10611 -898 || WEB-CGI commerce.cgi access || bugtraq,2361 || cve,2001-0210 || nessus,10612 -899 || WEB-CGI Amaya templates sendtemp.pl directory traversal attempt || 
bugtraq,2504 || cve,2001-0272 -900 || WEB-CGI webspirs.cgi directory traversal attempt || bugtraq,2362 || cve,2001-0211 || nessus,10616 -901 || WEB-CGI webspirs.cgi access || bugtraq,2362 || cve,2001-0211 || nessus,10616 -902 || WEB-CGI tstisapi.dll access || bugtraq,2381 || cve,2001-0302 -903 || WEB-COLDFUSION cfcache.map access || bugtraq,917 || cve,2000-0057 -904 || WEB-COLDFUSION exampleapp application.cfm || bugtraq,1021 || cve,2000-0189 -905 || WEB-COLDFUSION application.cfm access || bugtraq,1021 || cve,2000-0189 -906 || WEB-COLDFUSION getfile.cfm access || bugtraq,229 || cve,1999-0800 -907 || WEB-COLDFUSION addcontent.cfm access -908 || WEB-COLDFUSION administrator access || bugtraq,1314 || cve,2000-0538 -909 || WEB-COLDFUSION datasource username attempt || bugtraq,550 -910 || WEB-COLDFUSION fileexists.cfm access || bugtraq,550 -911 || WEB-COLDFUSION exprcalc access || bugtraq,115 || bugtraq,550 || cve,1999-0455 -912 || WEB-COLDFUSION parks access || bugtraq,550 -913 || WEB-COLDFUSION cfappman access || bugtraq,550 -914 || WEB-COLDFUSION beaninfo access || bugtraq,550 -915 || WEB-COLDFUSION evaluate.cfm access || bugtraq,550 -916 || WEB-COLDFUSION getodbcdsn access || bugtraq,550 -917 || WEB-COLDFUSION db connections flush attempt || bugtraq,550 -918 || WEB-COLDFUSION expeval access || bugtraq,550 || cve,1999-0477 -919 || WEB-COLDFUSION datasource passwordattempt || bugtraq,550 -920 || WEB-COLDFUSION datasource attempt || bugtraq,550 -921 || WEB-COLDFUSION admin encrypt attempt || bugtraq,550 -922 || WEB-COLDFUSION displayfile access || bugtraq,550 -923 || WEB-COLDFUSION getodbcin attempt || bugtraq,550 -924 || WEB-COLDFUSION admin decrypt attempt || bugtraq,550 -925 || WEB-COLDFUSION mainframeset access || bugtraq,550 -926 || WEB-COLDFUSION set odbc ini attempt || bugtraq,550 -927 || WEB-COLDFUSION settings refresh attempt || bugtraq,550 -928 || WEB-COLDFUSION exampleapp access -929 || WEB-COLDFUSION CFUSION_VERIFYMAIL access || bugtraq,550 -930 || 
WEB-COLDFUSION snippets attempt || bugtraq,550 -931 || WEB-COLDFUSION cfmlsyntaxcheck.cfm access || bugtraq,550 -932 || WEB-COLDFUSION application.cfm access || arachnids,268 || bugtraq,550 || cve,2000-0189 -933 || WEB-COLDFUSION onrequestend.cfm access || arachnids,269 || bugtraq,550 || cve,2000-0189 -935 || WEB-COLDFUSION startstop DOS access || bugtraq,247 -936 || WEB-COLDFUSION gettempdirectory.cfm access || bugtraq,550 -937 || WEB-FRONTPAGE _vti_rpc access || bugtraq,2144 || cve,2001-0096 || nessus,10585 -939 || WEB-FRONTPAGE posting || bugtraq,2144 || cve,2001-0096 || nessus,10585 || url,www.microsoft.com/technet/security/bulletin/MS00-100.mspx -940 || WEB-FRONTPAGE shtml.dll access || arachnids,292 || bugtraq,1174 || bugtraq,1594 || bugtraq,1595 || cve,2000-0413 || cve,2000-0746 || nessus,11395 || url,www.microsoft.com/technet/security/bulletin/ms00-060.mspx -941 || WEB-FRONTPAGE contents.htm access -942 || WEB-FRONTPAGE orders.htm access -943 || WEB-FRONTPAGE fpsrvadm.exe access -944 || WEB-FRONTPAGE fpremadm.exe access -945 || WEB-FRONTPAGE fpadmin.htm access -946 || WEB-FRONTPAGE fpadmcgi.exe access -947 || WEB-FRONTPAGE orders.txt access -948 || WEB-FRONTPAGE form_results access || cve,1999-1052 -949 || WEB-FRONTPAGE registrations.htm access -950 || WEB-FRONTPAGE cfgwiz.exe access -951 || WEB-FRONTPAGE authors.pwd access || bugtraq,989 || cve,1999-0386 || nessus,10078 -952 || WEB-FRONTPAGE author.exe access -953 || WEB-FRONTPAGE administrators.pwd access || bugtraq,1205 -954 || WEB-FRONTPAGE form_results.htm access || cve,1999-1052 -955 || WEB-FRONTPAGE access.cnf access || bugtraq,4078 || nessus,10575 -956 || WEB-FRONTPAGE register.txt access -957 || WEB-FRONTPAGE registrations.txt access -958 || WEB-FRONTPAGE service.cnf access || bugtraq,4078 || nessus,10575 -959 || WEB-FRONTPAGE service.pwd || bugtraq,1205 -960 || WEB-FRONTPAGE service.stp access -961 || WEB-FRONTPAGE services.cnf access || bugtraq,4078 || nessus,10575 -962 || WEB-FRONTPAGE shtml.exe 
access || bugtraq,1174 || bugtraq,1608 || bugtraq,5804 || cve,2000-0413 || cve,2000-0709 || cve,2002-0692 || nessus,10405 || nessus,11311 -963 || WEB-FRONTPAGE svcacl.cnf access || bugtraq,4078 || nessus,10575 -964 || WEB-FRONTPAGE users.pwd access -965 || WEB-FRONTPAGE writeto.cnf access || bugtraq,4078 || nessus,10575 -966 || WEB-FRONTPAGE .... request || arachnids,248 || bugtraq,989 || cve,1999-0386 || cve,2000-0153 || nessus,10142 -967 || WEB-FRONTPAGE dvwssr.dll access || arachnids,271 || bugtraq,1108 || bugtraq,1109 || cve,2000-0260 || url,www.microsoft.com/technet/security/bulletin/ms00-025.mspx -968 || WEB-FRONTPAGE register.htm access -969 || WEB-IIS WebDAV file lock attempt || bugtraq,2736 -970 || WEB-IIS multiple decode attempt || bugtraq,2708 || cve,2001-0333 || nessus,10671 -971 || WEB-IIS ISAPI .printer access || arachnids,533 || bugtraq,2674 || cve,2001-0241 || nessus,10661 || url,www.microsoft.com/technet/security/bulletin/MS01-023.mspx -972 || WEB-IIS %2E-asp access || bugtraq,1814 || cve,1999-0253 -973 || WEB-IIS *.idc attempt || bugtraq,1448 || cve,1999-0874 || cve,2000-0661 -974 || WEB-IIS Directory transversal attempt || bugtraq,2218 || cve,1999-0229 -975 || WEB-IIS Alternate Data streams ASP file access attempt || bugtraq,149 || cve,1999-0278 || nessus,10362 || url,support.microsoft.com/default.aspx?scid=kb\ -976 || WEB-IIS .bat? 
access || bugtraq,2023 || cve,1999-0233 || url,support.microsoft.com/support/kb/articles/Q148/1/88.asp || url,support.microsoft.com/support/kb/articles/Q155/0/56.asp -977 || WEB-IIS .cnf access || bugtraq,4078 || nessus,10575 -978 || WEB-IIS ASP contents view || bugtraq,1084 || cve,2000-0302 || nessus,10356 || url,www.microsoft.com/technet/security/bulletin/MS00-006.mspx -979 || WEB-IIS ASP contents view || bugtraq,1861 || cve,2000-0942 || url,www.microsoft.com/technet/security/bulletin/MS00-006.mspx -980 || WEB-IIS CGImail.exe access || bugtraq,1623 || cve,2000-0726 -981 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537 -982 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537 -983 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537 -984 || WEB-IIS JET VBA access || bugtraq,307 || cve,1999-0874 || nessus,10116 -985 || WEB-IIS JET VBA access || bugtraq,286 || cve,1999-0874 -986 || WEB-IIS MSProxy access || url,support.microsoft.com/?kbid=331066 -987 || WEB-IIS .htr access || bugtraq,1488 || cve,2000-0630 || nessus,10680 -988 || WEB-IIS SAM Attempt || url,www.ciac.org/ciac/bulletins/h-45.shtml -989 || BACKDOOR sensepost.exe command shell attempt || nessus,11003 -990 || WEB-FRONTPAGE _vti_inf.html access || nessus,11455 -991 || WEB-IIS achg.htr access || bugtraq,2110 || cve,1999-0407 -992 || WEB-IIS adctest.asp access -993 || WEB-IIS iisadmin access || bugtraq,189 || cve,1999-1538 || nessus,11032 -994 || WEB-IIS /scripts/iisadmin/default.htm access -995 || WEB-IIS ism.dll access || bugtraq,189 || cve,1999-1538 || cve,2000-0630 -996 || WEB-IIS anot.htr access || bugtraq,2110 || cve,1999-0407 -997 || WEB-IIS asp-dot attempt || bugtraq,1814 || nessus,10363 -998 || WEB-IIS asp-srch attempt -999 || WEB-IIS bdir access || bugtraq,2280 -1000 || WEB-IIS bdir.htr access || bugtraq,2280 || nessus,10577 -1001 || WEB-MISC carbo.dll access || 
bugtraq,2126 || cve,1999-1069 -1002 || WEB-IIS cmd.exe access -1003 || WEB-IIS cmd? access -1004 || WEB-IIS codebrowser Exair access || cve,1999-0499 || cve,1999-0815 -1005 || WEB-IIS codebrowser SDK access || bugtraq,167 || cve,1999-0736 -1007 || WEB-IIS cross-site scripting attempt || bugtraq,119 || bugtraq,1594 || bugtraq,1595 || cve,2000-0746 || cve,2000-1104 || nessus,10572 || url,www.microsoft.com/technet/security/bulletin/MS00-028.mspx -1008 || WEB-IIS del attempt -1009 || WEB-IIS directory listing || nessus,10573 -1010 || WEB-IIS encoding access || arachnids,200 || bugtraq,886 || cve,2000-0024 || url,http//www.microsoft.com/technet/security/bulletin/MS99-061.mspx -1011 || WEB-IIS exec-src access -1012 || WEB-IIS fpcount attempt || bugtraq,2252 || cve,1999-1376 -1013 || WEB-IIS fpcount access || bugtraq,2252 || cve,1999-1376 -1015 || WEB-IIS getdrvs.exe access -1016 || WEB-IIS global.asa access || cve,2000-0778 || nessus,10491 || nessus,10991 -1017 || WEB-IIS idc-srch attempt || cve,1999-0874 -1018 || WEB-IIS iisadmpwd attempt || bugtraq,2110 || cve,1999-0407 -1019 || IIS Malformed Hit-Highlighting Argument File Access Attempt || bugtraq,950 || cve,2000-0097 || url,www.microsoft.com/technet/security/bulletin/ms00-006.mspx || url,www.securityfocus.com/archive/1/43762 -1020 || WEB-IIS isc$data attempt || bugtraq,307 || cve,1999-0874 || nessus,10116 -1021 || WEB-IIS ism.dll attempt || bugtraq,1193 || cve,2000-0457 || nessus,10680 || url,www.microsoft.com/technet/security/bulletin/MS00-031.mspx -1022 || WEB-IIS jet vba access || bugtraq,286 || cve,1999-0874 -1023 || WEB-IIS msadcs.dll access || bugtraq,529 || cve,1999-1011 || nessus,10357 -1024 || WEB-IIS newdsn.exe access || bugtraq,1818 || cve,1999-0191 || nessus,10360 -1025 || WEB-IIS perl access -1026 || WEB-IIS perl-browse newline attempt || bugtraq,6833 -1027 || WEB-IIS perl-browse space attempt || bugtraq,6833 -1028 || WEB-IIS query.asp access || bugtraq,193 || cve,1999-0449 -1029 || WEB-IIS 
scripts-browse access || nessus,11032 -1030 || WEB-IIS search97.vts access || bugtraq,162 -1031 || WEB-IIS /SiteServer/Publishing/viewcode.asp access || nessus,10576 -1032 || WEB-IIS showcode access || nessus,10576 -1033 || WEB-IIS showcode access || nessus,10576 -1034 || WEB-IIS showcode access || nessus,10576 -1035 || WEB-IIS showcode access || nessus,10576 -1036 || WEB-IIS showcode access || nessus,10576 -1037 || WEB-IIS showcode.asp access || bugtraq,167 || cve,1999-0736 || nessus,10007 || url,www.microsoft.com/technet/security/bulletin/MS99-013.mspx -1038 || WEB-IIS site server config access || bugtraq,256 || cve,1999-1520 -1039 || WEB-IIS srch.htm access -1040 || WEB-IIS srchadm access || nessus,11032 -1041 || WEB-IIS uploadn.asp access || bugtraq,1811 || cve,1999-0360 -1042 || WEB-IIS view source via translate header || arachnids,305 || bugtraq,1578 || cve,2000-0778 -1043 || WEB-IIS viewcode.asp access || cve,1999-0737 || nessus,10576 -1044 || WEB-IIS webhits access || arachnids,237 || bugtraq,950 || cve,2000-0097 -1045 || WEB-IIS Unauthorized IP Access Attempt -1046 || WEB-IIS site/iisamples access || nessus,10370 -1047 || WEB-MISC Netscape Enterprise DOS || bugtraq,2294 || cve,2001-0251 -1048 || WEB-MISC Netscape Enterprise directory listing attempt || bugtraq,2285 || cve,2001-0250 -1049 || WEB-MISC iPlanet ../../ DOS attempt || bugtraq,2282 || cve,2001-0252 -1050 || WEB-MISC iPlanet GETPROPERTIES attempt || bugtraq,2732 || cve,2001-0746 -1051 || WEB-CGI technote main.cgi file directory traversal attempt || bugtraq,2156 || cve,2001-0075 || nessus,10584 -1052 || WEB-CGI technote print.cgi directory traversal attempt || bugtraq,2156 || cve,2001-0075 || nessus,10584 -1053 || WEB-CGI ads.cgi command execution attempt || bugtraq,2103 || cve,2001-0025 || nessus,11464 -1054 || WEB-MISC weblogic/tomcat .jsp view source attempt || bugtraq,2527 -1055 || WEB-MISC Tomcat directory traversal attempt || bugtraq,2518 -1056 || WEB-MISC Tomcat view source attempt || 
bugtraq,2527 || cve,2001-0590 -1057 || WEB-MISC ftp attempt -1058 || WEB-MISC xp_enumdsn attempt -1059 || WEB-MISC xp_filelist attempt -1060 || WEB-MISC xp_availablemedia attempt -1061 || WEB-MISC xp_cmdshell attempt -1062 || WEB-MISC nc.exe attempt -1064 || WEB-MISC wsh attempt -1065 || WEB-MISC rcmd attempt -1066 || WEB-MISC telnet attempt -1067 || WEB-MISC net attempt -1068 || WEB-MISC tftp attempt -1069 || WEB-MISC xp_regread attempt -1070 || WEB-MISC WebDAV search access || arachnids,474 || bugtraq,1756 || cve,2000-0951 -1071 || WEB-MISC .htpasswd access -1072 || WEB-MISC Lotus Domino directory traversal || bugtraq,2173 || cve,2001-0009 || nessus,12248 -1073 || WEB-MISC webhits.exe access || bugtraq,950 || cve,2000-0097 -1075 || WEB-IIS postinfo.asp access || bugtraq,1811 || cve,1999-0360 -1076 || WEB-IIS repost.asp access || nessus,10372 -1077 || WEB-MISC queryhit.htm access || nessus,10370 -1078 || WEB-MISC counter.exe access || bugtraq,267 || cve,1999-1030 -1079 || WEB-MISC WebDAV propfind access || bugtraq,1656 || cve,2000-0869 -1080 || WEB-MISC unify eWave ServletExec upload || bugtraq,1868 || bugtraq,1876 || cve,2000-1024 || cve,2000-1025 || nessus,10570 -1081 || WEB-MISC Netscape Servers suite DOS || bugtraq,1868 || cve,2000-1025 -1082 || WEB-MISC amazon 1-click cookie theft || bugtraq,1194 || cve,2000-0439 -1083 || WEB-MISC unify eWave ServletExec DOS || bugtraq,1868 || cve,2000-1025 -1084 || WEB-MISC Allaire JRUN DOS attempt || bugtraq,2337 || cve,2000-1049 -1085 || WEB-PHP strings overflow || arachnids,431 || bugtraq,802 -1086 || WEB-PHP strings overflow || arachnids,430 || bugtraq,1786 || cve,2000-0967 -1087 || WEB-MISC whisker tab splice attack || arachnids,415 || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html -1088 || WEB-CGI eXtropia webstore directory traversal || bugtraq,1774 || cve,2000-1005 || nessus,10532 -1089 || WEB-CGI shopping cart directory traversal || bugtraq,1777 || cve,2000-0921 -1090 || WEB-CGI Allaire Pro Web Shell 
attempt -1091 || WEB-MISC ICQ Webfront HTTP DOS || bugtraq,1463 || cve,2000-1078 -1092 || WEB-CGI Armada Style Master Index directory traversal || bugtraq,1772 || cve,2000-0924 || nessus,10562 || url,www.synnergy.net/downloads/advisories/SLA-2000-16.masterindex.txt -1093 || WEB-CGI cached_feed.cgi moreover shopping cart directory traversal || bugtraq,1762 || cve,2000-0906 -1094 || WEB-CGI webstore directory traversal || bugtraq,1774 || cve,2000-1005 -1095 || WEB-MISC Talentsoft Web+ Source Code view access || bugtraq,1722 || url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html -1096 || WEB-MISC Talentsoft Web+ internal IP Address access || bugtraq,1720 || url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html -1097 || WEB-CGI Talentsoft Web+ exploit attempt || bugtraq,1725 -1098 || WEB-MISC SmartWin CyberOffice Shopping Cart access || bugtraq,1734 || cve,2000-0925 -1099 || WEB-MISC cybercop scan || arachnids,374 -1100 || WEB-MISC L3retriever HTTP Probe || arachnids,310 -1101 || WEB-MISC Webtrends HTTP probe || arachnids,309 -1102 || WEB-MISC nessus 1.X 404 probe || arachnids,301 -1103 || WEB-MISC Netscape admin passwd || bugtraq,1579 || nessus,10468 -1104 || WEB-MISC whisker space splice attack || arachnids,296 || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html -1105 || WEB-MISC BigBrother access || bugtraq,1455 || cve,2000-0638 || nessus,10460 -1106 || WEB-CGI Poll-it access || bugtraq,1431 || cve,2000-0590 || nessus,10459 -1107 || WEB-MISC ftp.pl access || bugtraq,1471 || cve,2000-0674 || nessus,10467 -1108 || WEB-MISC Tomcat server snoop access || bugtraq,1532 || cve,2000-0760 -1109 || WEB-MISC ROXEN directory list attempt || bugtraq,1510 || cve,2000-0671 -1110 || WEB-MISC apache source.asp file access || bugtraq,1457 || cve,2000-0628 || nessus,10480 -1111 || WEB-MISC Tomcat server exploit access || bugtraq,1548 || cve,2000-0672 || nessus,10477 -1112 || WEB-MISC http directory traversal || arachnids,298 -1113 || WEB-MISC http 
directory traversal || arachnids,297 -1114 || WEB-MISC prefix-get // -1115 || WEB-MISC ICQ webserver DOS || cve,1999-0474 || url,www.securiteam.com/exploits/2ZUQ1QAQOG.html -1116 || WEB-MISC Lotus DelDoc attempt -1117 || WEB-MISC Lotus EditDoc attempt || url,www.securiteam.com/exploits/5NP080A1RE.html -1118 || WEB-MISC ls%20-l -1119 || WEB-MISC mlog.phtml access || bugtraq,713 || cve,1999-0068 || cve,1999-0346 -1120 || WEB-MISC mylog.phtml access || bugtraq,713 || cve,1999-0068 || cve,1999-0346 -1121 || WEB-MISC O'Reilly args.bat access -1122 || WEB-MISC /etc/passwd -1123 || WEB-MISC ?PageServices access || bugtraq,1063 || bugtraq,7621 || cve,1999-0269 -1124 || WEB-MISC Ecommerce check.txt access -1125 || WEB-MISC webcart access || cve,1999-0610 || nessus,10298 -1126 || WEB-MISC AuthChangeUrl access || bugtraq,2110 || cve,1999-0407 -1127 || WEB-MISC convert.bas access || bugtraq,2025 || cve,1999-0175 -1128 || WEB-MISC cpshost.dll access || bugtraq,1811 || bugtraq,4002 || cve,1999-0360 -1129 || WEB-MISC .htaccess access -1130 || WEB-MISC .wwwacl access -1131 || WEB-MISC .wwwacl access -1132 || WEB-MISC Netscape Unixware overflow || arachnids,180 || bugtraq,908 || cve,1999-0744 -1133 || SCAN cybercop os probe || arachnids,145 -1134 || WEB-PHP Phorum admin access || arachnids,205 || bugtraq,2271 -1136 || WEB-MISC cd.. -1137 || WEB-PHP Phorum authentication access || arachnids,206 || bugtraq,2274 -1138 || WEB-MISC Cisco Web DOS attempt || arachnids,275 -1139 || WEB-MISC whisker HEAD/./ || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html -1140 || WEB-MISC guestbook.pl access || arachnids,228 || bugtraq,776 || cve,1999-0237 || cve,1999-1053 || nessus,10099 -1141 || WEB-MISC handler access || arachnids,235 || bugtraq,380 || cve,1999-0148 || nessus,10100 -1142 || WEB-MISC /.... 
access -1143 || WEB-MISC ///cgi-bin access || nessus,11032 -1144 || WEB-MISC /cgi-bin/// access || nessus,11032 -1145 || WEB-MISC /~root access -1146 || WEB-MISC Ecommerce import.txt access -1147 || WEB-MISC cat%20 access || bugtraq,374 || cve,1999-0039 -1148 || WEB-MISC Ecommerce import.txt access -1149 || WEB-CGI count.cgi access || bugtraq,128 || cve,1999-0021 || nessus,10049 -1150 || WEB-MISC Domino catalog.nsf access || nessus,10629 -1151 || WEB-MISC Domino domcfg.nsf access || nessus,10629 -1152 || WEB-MISC Domino domlog.nsf access || nessus,10629 -1153 || WEB-MISC Domino log.nsf access || nessus,10629 -1154 || WEB-MISC Domino names.nsf access || nessus,10629 -1155 || WEB-MISC Ecommerce checks.txt access || bugtraq,2281 -1156 || WEB-MISC apache directory disclosure attempt || bugtraq,2503 -1157 || WEB-MISC Netscape PublishingXpert access || cve,2000-1196 || nessus,10364 -1158 || WEB-MISC windmail.exe access || arachnids,465 || bugtraq,1073 || cve,2000-0242 || nessus,10365 -1159 || WEB-MISC webplus access || bugtraq,1174 || bugtraq,1720 || bugtraq,1722 || bugtraq,1725 || cve,2000-1005 -1160 || WEB-MISC Netscape dir index wp || arachnids,270 || bugtraq,1063 || cve,2000-0236 -1161 || WEB-PHP piranha passwd.php3 access || arachnids,272 || bugtraq,1149 || cve,2000-0322 -1162 || WEB-MISC cart 32 AdminPwd access || bugtraq,1153 || cve,2000-0429 -1163 || WEB-CGI webdist.cgi access || bugtraq,374 || cve,1999-0039 || nessus,10299 -1164 || WEB-MISC shopping cart access || bugtraq,1983 || bugtraq,2049 || cve,1999-0607 || cve,2000-1188 -1165 || WEB-MISC Novell Groupwise gwweb.exe access || bugtraq,879 || cve,1999-1005 || cve,1999-1006 || nessus,10877 -1166 || WEB-MISC ws_ftp.ini access || bugtraq,547 || cve,1999-1078 -1167 || WEB-MISC rpm_query access || bugtraq,1036 || cve,2000-0192 || nessus,10340 -1168 || WEB-MISC mall log order access || bugtraq,2266 || cve,1999-0606 -1171 || WEB-MISC whisker HEAD with large datagram || 
url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html -1172 || WEB-CGI bigconf.cgi access || bugtraq,778 || cve,1999-1550 || nessus,10027 -1173 || WEB-MISC architext_query.pl access || bugtraq,2248 || cve,1999-0279 || nessus,10064 || url,www2.fedcirc.gov/alerts/advisories/1998/txt/fedcirc.98.03.txt -1174 || WEB-CGI /cgi-bin/jj access || bugtraq,2002 || cve,1999-0260 || nessus,10131 -1175 || WEB-MISC wwwboard.pl access || bugtraq,1795 || bugtraq,649 || cve,1999-0930 || cve,1999-0954 -1176 || WEB-MISC order.log access -1177 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 -1178 || WEB-PHP Phorum read access || arachnids,208 -1179 || WEB-PHP Phorum violation access || arachnids,209 || bugtraq,2272 -1180 || WEB-MISC get32.exe access || arachnids,258 || bugtraq,1485 || bugtraq,770 || cve,1999-0885 || nessus,10011 -1181 || WEB-MISC Annex Terminal DOS attempt || arachnids,260 || cve,1999-1070 || nessus,10017 -1182 || WEB-MISC cgitest.exe attempt || arachnids,265 || bugtraq,1313 || bugtraq,3885 || cve,2000-0521 || cve,2002-0128 || nessus,10040 || nessus,10623 -1183 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 || nessus,10352 -1184 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 -1185 || WEB-CGI bizdbsearch attempt || bugtraq,1104 || cve,2000-0287 || nessus,10383 -1186 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 -1187 || WEB-MISC SalesLogix Eviewer web command attempt || bugtraq,1078 || bugtraq,1089 || cve,2000-0278 || cve,2000-0289 -1188 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 -1189 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 -1190 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 -1191 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 -1192 || WEB-MISC Trend Micro 
OfficeScan access || bugtraq,1057 -1193 || WEB-MISC oracle web arbitrary command execution attempt || bugtraq,1053 || cve,2000-0169 || nessus,10348 -1194 || WEB-CGI sojourn.cgi File attempt || bugtraq,1052 || cve,2000-0180 || nessus,10349 -1195 || WEB-CGI sojourn.cgi access || bugtraq,1052 || cve,2000-0180 || nessus,10349 -1196 || WEB-CGI SGI InfoSearch fname attempt || arachnids,290 || bugtraq,1031 || cve,2000-0207 -1197 || WEB-PHP Phorum code access || arachnids,207 -1198 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 -1199 || WEB-MISC Compaq Insight directory traversal || arachnids,244 || bugtraq,282 || cve,1999-0771 -1200 || ATTACK-RESPONSES Invalid URL || url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx -1201 || ATTACK-RESPONSES 403 Forbidden -1202 || WEB-MISC search.vts access || bugtraq,162 -1204 || WEB-CGI ax-admin.cgi access -1205 || WEB-CGI axs.cgi access -1206 || WEB-CGI cachemgr.cgi access || bugtraq,2059 || cve,1999-0710 || nessus,10034 -1207 || WEB-MISC htgrep access || cve,2000-0832 -1208 || WEB-CGI responder.cgi access || bugtraq,3155 -1209 || WEB-MISC .nsconfig access || url,www.osvdb.org/5709 -1211 || WEB-CGI web-map.cgi access -1212 || WEB-MISC Admin_files access -1213 || WEB-MISC backup access -1214 || WEB-MISC intranet access || nessus,11626 -1215 || WEB-CGI ministats admin access -1216 || WEB-MISC filemail access || cve,1999-1154 || cve,1999-1155 || url,www.securityfocus.com/archive/1/11175 -1217 || WEB-MISC plusmail access || bugtraq,2653 || cve,2000-0074 || nessus,10181 -1218 || WEB-MISC adminlogin access || bugtraq,1164 || bugtraq,1175 || nessus,11748 -1219 || WEB-CGI dfire.cgi access || bugtraq,564 || cve,1999-0913 -1220 || WEB-MISC ultraboard access || bugtraq,1164 || bugtraq,1175 || nessus,11748 -1221 || WEB-MISC musicat empower access || bugtraq,2374 || cve,2001-0224 || nessus,10609 -1222 || WEB-CGI pals-cgi arbitrary file access attempt || bugtraq,2372 || cve,2001-0217 || 
nessus,10611 -1224 || WEB-MISC ROADS search.pl attempt || bugtraq,2371 || cve,2001-0215 || nessus,10627 -1225 || X11 MIT Magic Cookie detected || arachnids,396 -1226 || X11 xopen || arachnids,395 -1227 || X11 outbound client connection detected || arachnids,126 -1228 || SCAN nmap XMAS || arachnids,30 -1229 || FTP CWD ... || bugtraq,9237 -1230 || WEB-MISC VirusWall FtpSave access || bugtraq,2808 || cve,2001-0432 || nessus,10733 -1231 || WEB-MISC VirusWall catinfo access || bugtraq,2579 || bugtraq,2808 || cve,2001-0432 || nessus,10650 -1232 || WEB-MISC VirusWall catinfo access || bugtraq,2579 || bugtraq,2808 || cve,2001-0432 || nessus,10650 -1233 || WEB-CLIENT Outlook EML access || nessus,10767 -1234 || WEB-MISC VirusWall FtpSaveCSP access || bugtraq,2808 || cve,2001-0432 || nessus,10733 -1235 || WEB-MISC VirusWall FtpSaveCVP access || bugtraq,2808 || cve,2001-0432 || nessus,10733 -1236 || WEB-MISC Tomcat sourecode view -1237 || WEB-MISC Tomcat sourecode view -1238 || WEB-MISC Tomcat sourecode view -1239 || NETBIOS RFParalyze Attempt || bugtraq,1163 || cve,2000-0347 || nessus,10392 -1240 || EXPLOIT MDBMS overflow || bugtraq,1252 || cve,2000-0446 -1241 || WEB-MISC SWEditServlet directory traversal attempt || bugtraq,2868 || cve,2001-0555 -1242 || WEB-IIS ISAPI .ida access || arachnids,552 || bugtraq,1065 || cve,2000-0071 -1243 || WEB-IIS ISAPI .ida attempt || arachnids,552 || bugtraq,1065 || cve,2000-0071 -1244 || WEB-IIS ISAPI .idq attempt || arachnids,553 || bugtraq,1065 || bugtraq,968 || cve,2000-0071 || cve,2000-0126 || nessus,10115 -1245 || WEB-IIS ISAPI .idq access || arachnids,553 || bugtraq,1065 || cve,2000-0071 -1246 || WEB-FRONTPAGE rad overflow attempt || arachnids,555 || bugtraq,2906 || cve,2001-0341 || url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx -1247 || WEB-FRONTPAGE rad overflow attempt || bugtraq,2906 || cve,2001-0341 -1248 || WEB-FRONTPAGE rad fp30reg.dll access || arachnids,555 || bugtraq,2906 || cve,2001-0341 || 
url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx -1249 || WEB-FRONTPAGE frontpage rad fp4areg.dll access || bugtraq,2906 || cve,2001-0341 -1250 || WEB-MISC Cisco IOS HTTP configuration attempt || bugtraq,2936 || cve,2001-0537 -1251 || INFO TELNET Bad Login -1252 || TELNET bsd telnet exploit response || bugtraq,3064 || cve,2001-0554 || nessus,10709 -1253 || TELNET bsd exploit client finishing || bugtraq,3064 || cve,2001-0554 || nessus,10709 -1254 || WEB-PHP PHPLIB remote command attempt || bugtraq,3079 || cve,2001-1370 -1255 || WEB-PHP PHPLIB remote command attempt || bugtraq,3079 || cve,2001-1370 -1256 || WEB-IIS CodeRed v2 root.exe access || url,www.cert.org/advisories/CA-2001-19.html -1257 || DOS Winnuke attack || bugtraq,2010 || cve,1999-0153 -1258 || WEB-MISC HP OpenView Manager DOS || bugtraq,2845 || cve,2001-0552 -1259 || WEB-MISC SWEditServlet access || bugtraq,2868 -1260 || WEB-MISC long basic authorization string || bugtraq,3230 || cve,2001-1067 -1261 || EXPLOIT AIX pdnsd overflow || bugtraq,3237 || bugtraq,590 || cve,1999-0745 -1262 || RPC portmap admind request TCP || arachnids,18 -1263 || RPC portmap amountd request TCP || arachnids,19 -1264 || RPC portmap bootparam request TCP || arachnids,16 || cve,1999-0647 -1265 || RPC portmap cmsd request TCP || arachnids,17 -1266 || RPC portmap mountd request TCP || arachnids,13 -1267 || RPC portmap nisd request TCP || arachnids,21 -1268 || RPC portmap pcnfsd request TCP || arachnids,22 -1269 || RPC portmap rexd request TCP || arachnids,23 -1270 || RPC portmap rstatd request TCP || arachnids,10 -1271 || RPC portmap rusers request TCP || arachnids,133 || cve,1999-0626 -1272 || RPC portmap sadmind request TCP || arachnids,20 -1273 || RPC portmap selection_svc request TCP || arachnids,25 -1274 || RPC portmap ttdbserv request TCP || arachnids,24 || bugtraq,122 || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html -1275 || RPC 
portmap yppasswd request TCP || arachnids,14 -1276 || RPC portmap ypserv request TCP || arachnids,12 || bugtraq,5914 || bugtraq,6016 || cve,2000-1042 || cve,2000-1043 || cve,2002-1232 -1277 || RPC portmap ypupdated request UDP || arachnids,125 -1278 || RPC rstatd query || arachnids,9 -1279 || RPC portmap snmpXdmi request UDP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html -1280 || RPC portmap listing UDP 111 || arachnids,428 -1281 || RPC portmap listing UDP 32771 || arachnids,429 -1282 || RPC EXPLOIT statdx || arachnids,442 -1283 || WEB-IIS outlook web dos || bugtraq,3223 -1284 || WEB-CLIENT readme.eml download attempt || url,www.cert.org/advisories/CA-2001-26.html -1285 || WEB-IIS msdac access || nessus,11032 -1286 || WEB-IIS _mem_bin access || nessus,11032 -1287 || WEB-IIS scripts access -1288 || WEB-FRONTPAGE /_vti_bin/ access || nessus,11032 -1289 || TFTP GET Admin.dll || url,www.cert.org/advisories/CA-2001-26.html -1290 || WEB-CLIENT readme.eml autoload attempt || url,www.cert.org/advisories/CA-2001-26.html -1291 || WEB-MISC sml3com access || bugtraq,2721 || cve,2001-0740 -1292 || ATTACK-RESPONSES directory listing -1293 || NETBIOS nimda .eml || url,www.f-secure.com/v-descs/nimda.shtml -1294 || NETBIOS nimda .nws || url,www.f-secure.com/v-descs/nimda.shtml -1295 || NETBIOS nimda RICHED20.DLL || url,www.f-secure.com/v-descs/nimda.shtml -1296 || RPC portmap request yppasswdd || bugtraq,2763 -1297 || RPC portmap request yppasswdd || bugtraq,2763 -1298 || RPC portmap tooltalk request TCP || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html -1299 || RPC portmap tooltalk request UDP || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html -1300 || WEB-PHP admin.php file upload attempt || bugtraq,3361 || cve,2001-1032 -1301 || WEB-PHP admin.php access || bugtraq,3361 || bugtraq,7532 || 
bugtraq,9270 || cve,2001-1032 -1302 || WEB-MISC console.exe access || bugtraq,3375 || cve,2001-1252 -1303 || WEB-MISC cs.exe access || bugtraq,3375 || cve,2001-1252 -1304 || WEB-CGI txt2html.cgi access -1305 || WEB-CGI txt2html.cgi directory traversal attempt -1306 || WEB-CGI store.cgi product directory traversal attempt || bugtraq,2385 || cve,2001-0305 -1307 || WEB-CGI store.cgi access || bugtraq,2385 || cve,2001-0305 || nessus,10639 -1308 || WEB-CGI sendmessage.cgi access || bugtraq,3673 || cve,2001-1100 -1309 || WEB-CGI zsh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html -1321 || BAD-TRAFFIC 0 ttl || url,support.microsoft.com/default.aspx?scid=kb\ || url,www.isi.edu/in-notes/rfc1122.txt -1322 || BAD-TRAFFIC bad frag bits -1323 || EXPLOIT rwhoisd format string attempt || bugtraq,3474 || cve,2001-0838 -1324 || EXPLOIT ssh CRC32 overflow /bin/sh || bugtraq,2347 || cve,2001-0144 || cve,2001-0572 -1325 || EXPLOIT ssh CRC32 overflow filler || bugtraq,2347 || cve,2001-0144 || cve,2001-0572 -1326 || EXPLOIT ssh CRC32 overflow NOOP || bugtraq,2347 || cve,2001-0144 || cve,2001-0572 -1327 || EXPLOIT ssh CRC32 overflow || bugtraq,2347 || cve,2001-0144 || cve,2001-0572 -1328 || WEB-ATTACKS /bin/ps command attempt -1329 || WEB-ATTACKS ps command attempt -1330 || WEB-ATTACKS wget command attempt || bugtraq,10361 -1331 || WEB-ATTACKS uname -a command attempt -1332 || WEB-ATTACKS /usr/bin/id command attempt -1333 || WEB-ATTACKS id command attempt -1334 || WEB-ATTACKS echo command attempt -1335 || WEB-ATTACKS kill command attempt -1336 || WEB-ATTACKS chmod command attempt -1337 || WEB-ATTACKS chgrp command attempt -1338 || WEB-ATTACKS chown command attempt -1339 || WEB-ATTACKS chsh command attempt -1340 || WEB-ATTACKS tftp command attempt -1341 || WEB-ATTACKS /usr/bin/gcc command attempt -1342 || WEB-ATTACKS gcc command attempt -1343 || WEB-ATTACKS /usr/bin/cc command attempt -1344 || WEB-ATTACKS cc command attempt -1345 || WEB-ATTACKS /usr/bin/cpp command 
attempt -1346 || WEB-ATTACKS cpp command attempt -1347 || WEB-ATTACKS /usr/bin/g++ command attempt -1348 || WEB-ATTACKS g++ command attempt -1349 || WEB-ATTACKS bin/python access attempt -1350 || WEB-ATTACKS python access attempt -1351 || WEB-ATTACKS bin/tclsh execution attempt -1352 || WEB-ATTACKS tclsh execution attempt -1353 || WEB-ATTACKS bin/nasm command attempt -1354 || WEB-ATTACKS nasm command attempt -1355 || WEB-ATTACKS /usr/bin/perl execution attempt -1356 || WEB-ATTACKS perl execution attempt -1357 || WEB-ATTACKS nt admin addition attempt -1358 || WEB-ATTACKS traceroute command attempt -1359 || WEB-ATTACKS ping command attempt -1360 || WEB-ATTACKS netcat command attempt -1361 || WEB-ATTACKS nmap command attempt -1362 || WEB-ATTACKS xterm command attempt -1363 || WEB-ATTACKS X application to remote host attempt -1364 || WEB-ATTACKS lsof command attempt -1365 || WEB-ATTACKS rm command attempt -1366 || WEB-ATTACKS mail command attempt -1367 || WEB-ATTACKS mail command attempt -1368 || WEB-ATTACKS /bin/ls| command attempt -1369 || WEB-ATTACKS /bin/ls command attempt -1370 || WEB-ATTACKS /etc/inetd.conf access -1371 || WEB-ATTACKS /etc/motd access -1372 || WEB-ATTACKS /etc/shadow access -1373 || WEB-ATTACKS conf/httpd.conf attempt -1374 || WEB-MISC .htgroup access -1375 || WEB-MISC sadmind worm access || url,www.cert.org/advisories/CA-2001-11.html -1376 || WEB-MISC jrun directory browse attempt || bugtraq,3592 -1377 || FTP wu-ftp bad file completion attempt [ || bugtraq,3581 || bugtraq,3707 || cve,2001-0550 || cve,2001-0886 -1378 || FTP wu-ftp bad file completion attempt { || bugtraq,3581 || bugtraq,3707 || cve,2001-0550 || cve,2001-0886 -1379 || FTP STAT overflow attempt || bugtraq,3507 || bugtraq,8542 || cve,2001-0325 || cve,2001-1021 || url,labs.defcom.com/adv/2001/def-2001-31.txt -1380 || WEB-IIS cross-site scripting attempt || bugtraq,119 || bugtraq,1594 || bugtraq,1595 || cve,2000-0746 || cve,2000-1104 || nessus,10572 -1381 || WEB-MISC Trend Micro 
OfficeScan attempt || bugtraq,1057 -1382 || EXPLOIT CHAT IRC Ettercap parse overflow attempt || url,www.bugtraq.org/dev/GOBBLES-12.txt -1383 || P2P Fastrack kazaa/morpheus GET request || url,www.kazaa.com || url,www.musiccity.com/technology.htm -1384 || MISC UPnP malformed advertisement || bugtraq,3723 || cve,2001-0876 || cve,2001-0877 || url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx -1385 || WEB-MISC mod-plsql administration access || bugtraq,3726 || bugtraq,3727 || cve,2001-1216 || cve,2001-1217 || nessus,10849 -1386 || MS-SQL/SMB raiserror possible buffer overflow || bugtraq,3733 || cve,2001-0542 || url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx -1387 || MS-SQL raiserror possible buffer overflow || bugtraq,3733 || cve,2001-0542 || nessus,11217 -1388 || MISC UPnP Location overflow || bugtraq,3723 || cve,2001-0876 -1389 || WEB-MISC viewcode.jse access || bugtraq,3715 -1390 || SHELLCODE x86 inc ebx NOOP -1391 || WEB-MISC Phorecast remote code execution attempt || bugtraq,3388 || cve,2001-1049 -1392 || WEB-CGI lastlines.cgi access || bugtraq,3754 || bugtraq,3755 || cve,2001-1205 || cve,2001-1206 -1393 || MISC AIM AddGame attempt || bugtraq,3769 || cve,2002-0005 || url,www.w00w00.org/files/w00aimexp/ -1394 || SHELLCODE x86 NOOP -1395 || WEB-CGI zml.cgi attempt || bugtraq,3759 || cve,2001-1209 -1396 || WEB-CGI zml.cgi access || bugtraq,3759 || cve,2001-1209 -1397 || WEB-CGI wayboard attempt || bugtraq,2370 || cve,2001-0214 -1398 || EXPLOIT CDE dtspcd exploit attempt || bugtraq,3517 || cve,2001-0803 || url,www.cert.org/advisories/CA-2002-01.html -1399 || WEB-PHP PHP-Nuke remote file include attempt || bugtraq,3889 || cve,2002-0206 -1400 || WEB-IIS /scripts/samples/ access || nessus,10370 -1401 || WEB-IIS /msadc/samples/ access || bugtraq,167 || cve,1999-0736 || nessus,1007 -1402 || WEB-IIS iissamples access || nessus,11032 -1403 || WEB-MISC viewcode access || cve,1999-0737 || nessus,10576 || nessus,12048 -1404 || WEB-MISC showcode access 
|| bugtraq,167 || cve,1999-0736 || nessus,10007 -1405 || WEB-CGI AHG search.cgi access || bugtraq,3985 -1406 || WEB-CGI agora.cgi access || bugtraq,3702 || bugtraq,3976 || cve,2001-1199 || cve,2002-0215 || nessus,10836 -1407 || WEB-PHP smssend.php access || bugtraq,3982 || cve,2002-0220 -1408 || DOS MSDTC attempt || bugtraq,4006 || cve,2002-0224 || nessus,10939 -1409 || SNMP community string buffer overflow attempt || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 || url,www.cert.org/advisories/CA-2002-03.html -1410 || WEB-CGI dcboard.cgi access || bugtraq,2728 || cve,2001-0527 || nessus,10583 -1411 || SNMP public access udp || bugtraq,2112 || bugtraq,4088 || bugtraq,4089 || cve,1999-0517 || cve,2002-0012 || cve,2002-0013 -1412 || SNMP public access tcp || bugtraq,2112 || bugtraq,4088 || bugtraq,4089 || bugtraq,7212 || cve,1999-0517 || cve,2002-0012 || cve,2002-0013 -1413 || SNMP private access udp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || bugtraq,7212 || cve,2002-0012 || cve,2002-0013 -1414 || SNMP private access tcp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 -1415 || SNMP Broadcast request || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 -1416 || SNMP broadcast trap || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 -1417 || SNMP request udp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 -1418 || SNMP request tcp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 -1419 || SNMP trap udp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 -1420 || SNMP trap tcp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 -1421 || SNMP AgentX/tcp request || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 -1422 || SNMP community string buffer overflow attempt with evasion || 
bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 || url,www.cert.org/advisories/CA-2002-03.html -1423 || WEB-PHP content-disposition memchr overflow || bugtraq,4183 || cve,2002-0081 || nessus,10867 -1424 || SHELLCODE x86 0xEB0C NOOP -1425 || WEB-PHP content-disposition || bugtraq,4183 || cve,2002-0081 || nessus,10867 -1426 || SNMP PROTOS test-suite-req-app attempt || url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html -1427 || SNMP PROTOS test-suite-trap-app attempt || url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html -1428 || MULTIMEDIA audio galaxy keepalive -1429 || POLICY poll.gotomypc.com access || url,www.gotomypc.com/help2.tmpl -1430 || TELNET Solaris memory mismanagement exploit attempt -1431 || BAD-TRAFFIC syn to multicast address -1432 || P2P GNUTella client request -1433 || WEB-MISC .history access -1434 || WEB-MISC .bash_history access || bugtraq,337 || cve,1999-0408 -1435 || DNS named authors attempt || arachnids,480 || nessus,10728 -1436 || MULTIMEDIA Quicktime User Agent access -1437 || MULTIMEDIA Windows Media download -1438 || MULTIMEDIA Windows Media Video download -1439 || MULTIMEDIA Shoutcast playlist redirection -1440 || MULTIMEDIA Icecast playlist redirection -1441 || TFTP GET nc.exe -1442 || TFTP GET shadow -1443 || TFTP GET passwd -1444 || TFTP Get -1445 || POLICY FTP file_id.diz access possible warez site -1446 || SMTP vrfy root -1447 || MISC MS Terminal server request RDP || bugtraq,3099 || cve,2001-0540 || url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx -1448 || MISC MS Terminal server request || bugtraq,3099 || cve,2001-0540 || url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx -1449 || POLICY FTP anonymous ftp login attempt -1450 || SMTP expn *@ || cve,1999-1200 -1451 || WEB-CGI NPH-publish access || bugtraq,2563 || cve,2001-0400 -1452 || WEB-CGI args.cmd access || cve,1999-1180 || nessus,11465 -1453 || WEB-CGI AT-generated.cgi access || 
cve,1999-1072 -1454 || WEB-CGI wwwwais access || cve,2001-0223 || nessus,10597 -1455 || WEB-CGI calendar.pl access || bugtraq,1215 || cve,2000-0432 -1456 || WEB-CGI calender_admin.pl access || cve,2000-0432 -1457 || WEB-CGI user_update_admin.pl access || bugtraq,1486 || cve,2000-0627 -1458 || WEB-CGI user_update_passwd.pl access || bugtraq,1486 || cve,2000-0627 -1459 || WEB-CGI bb-histlog.sh access || bugtraq,142 || cve,1999-1462 || nessus,10025 -1460 || WEB-CGI bb-histsvc.sh access || bugtraq,142 || cve,1999-1462 -1461 || WEB-CGI bb-rep.sh access || bugtraq,142 || cve,1999-1462 -1462 || WEB-CGI bb-replog.sh access || bugtraq,142 || cve,1999-1462 -1463 || CHAT IRC message -1464 || ATTACK-RESPONSES oracle one hour install || nessus,10737 -1465 || WEB-CGI auktion.cgi access || bugtraq,2367 || cve,2001-0212 || nessus,10638 -1466 || WEB-CGI cgiforum.pl access || bugtraq,1963 || cve,2000-1171 || nessus,10552 -1467 || WEB-CGI directorypro.cgi access || bugtraq,2793 || cve,2001-0780 -1468 || WEB-CGI Web Shopper shopper.cgi attempt || bugtraq,1776 || cve,2000-0922 -1469 || WEB-CGI Web Shopper shopper.cgi access || bugtraq,1776 || cve,2000-0922 -1470 || WEB-CGI listrec.pl access || bugtraq,3328 || cve,2001-0997 -1471 || WEB-CGI mailnews.cgi access || bugtraq,2391 || cve,2001-0271 || nessus,10641 -1472 || WEB-CGI book.cgi access || bugtraq,3178 || cve,2001-1114 || nessus,10721 -1473 || WEB-CGI newsdesk.cgi access || bugtraq,2172 || cve,2001-0232 -1474 || WEB-CGI cal_make.pl access || bugtraq,2663 || cve,2001-0463 || nessus,10664 -1475 || WEB-CGI mailit.pl access || nessus,10417 -1476 || WEB-CGI sdbsearch.cgi access || bugtraq,1658 || cve,2001-1130 || nessus,10503 || nessus,10720 -1477 || WEB-CGI swc attempt -1478 || WEB-CGI swc access || nessus,10493 -1479 || WEB-CGI ttawebtop.cgi arbitrary file attempt || bugtraq,2890 || cve,2001-0805 || nessus,10696 -1480 || WEB-CGI ttawebtop.cgi access || bugtraq,2890 || cve,2001-0805 || nessus,10696 -1481 || WEB-CGI upload.cgi access || 
nessus,10290 -1482 || WEB-CGI view_source access || bugtraq,2251 || cve,1999-0174 || nessus,10294 -1483 || WEB-CGI ustorekeeper.pl access || cve,2001-0466 || nessus,10645 -1484 || WEB-IIS /isapi/tstisapi.dll access || bugtraq,2381 || cve,2001-0302 -1485 || WEB-IIS mkilog.exe access || nessus,10359 || url,www.osvdb.org/274 -1486 || WEB-IIS ctss.idc access || nessus,10359 -1487 || WEB-IIS /iisadmpwd/aexp2.htr access || bugtraq,2110 || bugtraq,4236 || cve,1999-0407 || cve,2002-0421 || nessus,10371 -1488 || WEB-CGI store.cgi directory traversal attempt || bugtraq,2385 || cve,2001-0305 || nessus,10639 -1489 || WEB-MISC /~nobody access || nessus,10484 -1490 || WEB-PHP Phorum /support/common.php attempt || bugtraq,1997 -1491 || WEB-PHP Phorum /support/common.php access || bugtraq,1997 || bugtraq,9361 -1492 || WEB-MISC RBS ISP /newuser directory traversal attempt || bugtraq,1704 || cve,2000-1036 || nessus,10521 -1493 || WEB-MISC RBS ISP /newuser access || bugtraq,1704 || cve,2000-1036 || nessus,10521 -1494 || WEB-CGI SIX webboard generate.cgi attempt || bugtraq,3175 || cve,2001-1115 || nessus,10725 -1495 || WEB-CGI SIX webboard generate.cgi access || bugtraq,3175 || cve,2001-1115 -1496 || WEB-CGI spin_client.cgi access || nessus,10393 -1497 || WEB-MISC cross site scripting attempt -1498 || WEB-MISC PIX firewall manager directory traversal attempt || bugtraq,691 || cve,1999-0158 || nessus,10819 -1499 || WEB-MISC SiteScope Service access || nessus,10778 -1500 || WEB-MISC ExAir access || bugtraq,193 || cve,1999-0449 || nessus,10002 || nessus,10003 || nessus,10004 -1501 || WEB-CGI a1stats a1disp3.cgi directory traversal attempt || bugtraq,2705 || cve,2001-0561 || nessus,10669 -1502 || WEB-CGI a1stats a1disp3.cgi access || bugtraq,2705 || cve,2001-0561 || nessus,10669 -1503 || WEB-CGI admentor admin.asp access || bugtraq,4152 || cve,2002-0308 || nessus,10880 || url,www.securiteam.com/windowsntfocus/5DP0N1F6AW.html -1504 || MISC AFS access || nessus,10441 -1505 || WEB-CGI 
alchemy http server PRN arbitrary command execution attempt || bugtraq,3599 || cve,2001-0871 -1506 || WEB-CGI alchemy http server NUL arbitrary command execution attempt || bugtraq,3599 || cve,2001-0871 -1507 || WEB-CGI alibaba.pl arbitrary command execution attempt || bugtraq,770 || cve,1999-0885 || nessus,10013 -1508 || WEB-CGI alibaba.pl access || bugtraq,770 || cve ,CAN-1999-0885 || nessus,10013 -1509 || WEB-CGI AltaVista Intranet Search directory traversal attempt || bugtraq,896 || cve,2000-0039 || nessus,10015 -1510 || WEB-CGI test.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016 -1511 || WEB-CGI test.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016 -1512 || WEB-CGI input.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016 -1513 || WEB-CGI input.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016 -1514 || WEB-CGI input2.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016 -1515 || WEB-CGI input2.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016 -1516 || WEB-CGI envout.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016 -1517 || WEB-CGI envout.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016 -1518 || WEB-MISC nstelemetry.adp access || nessus,10753 -1519 || WEB-MISC apache ?M=D directory list attempt || bugtraq,3009 || cve,2001-0731 -1520 || WEB-MISC server-info access || url,httpd.apache.org/docs/mod/mod_info.html -1521 || WEB-MISC server-status access || url,httpd.apache.org/docs/mod/mod_info.html -1522 || WEB-MISC ans.pl attempt || bugtraq,4147 || bugtraq,4149 || cve,2002-0306 || cve,2002-0307 || nessus,10875 -1523 || WEB-MISC ans.pl access || bugtraq,4147 || bugtraq,4149 || cve,2002-0306 || cve,2002-0307 || nessus,10875 -1524 || WEB-MISC AxisStorpoint CD attempt || bugtraq,1025 || cve,2000-0191 || nessus,10023 -1525 || WEB-MISC Axis Storpoint CD access || bugtraq,1025 || 
cve,2000-0191 || nessus,10023 -1526 || WEB-MISC basilix sendmail.inc access || bugtraq,2198 || cve,2001-1044 || nessus,10601 -1527 || WEB-MISC basilix mysql.class access || bugtraq,2198 || cve,2001-1044 || nessus,10601 -1528 || WEB-MISC BBoard access || bugtraq,1459 || cve,2000-0629 || nessus,10507 -1529 || FTP SITE overflow attempt || cve,1999-0838 || cve,2001-0755 || cve,2001-0770 -1530 || FTP format string attempt || bugtraq,1387 || bugtraq,2240 || bugtraq,726 || cve,1999-0997 || cve,2000-0573 || nessus,10452 -1531 || WEB-CGI bb-hist.sh attempt || bugtraq,142 || cve,1999-1462 || nessus,10025 -1532 || WEB-CGI bb-hostscv.sh attempt || bugtraq,1455 || cve,2000-0638 || nessus,10460 -1533 || WEB-CGI bb-hostscv.sh access || bugtraq,1455 || cve,2000-0638 || nessus,10460 -1534 || WEB-CGI agora.cgi attempt || bugtraq,3702 || bugtraq,3976 || cve,2001-1199 || cve,2002-0215 || nessus,10836 -1535 || WEB-CGI bizdbsearch access || bugtraq,1104 || cve,2000-0287 || nessus,10383 -1536 || WEB-CGI calendar_admin.pl arbitrary command execution attempt || cve,2000-0432 -1537 || WEB-CGI calendar_admin.pl access || cve,2000-0432 -1538 || NNTP AUTHINFO USER overflow attempt || arachnids,274 || bugtraq,1156 || cve,2000-0341 -1539 || WEB-CGI /cgi-bin/ls access || bugtraq,936 || cve,2000-0079 -1540 || WEB-COLDFUSION ?Mode=debug attempt || nessus,10797 -1541 || FINGER version query -1542 || WEB-CGI cgimail access || bugtraq,1623 || cve,2000-0726 || nessus,11721 -1543 || WEB-CGI cgiwrap access || bugtraq,1238 || bugtraq,3084 || bugtraq,777 || cve,1999-1530 || cve,2000-0431 || cve,2001-0987 || nessus,10041 -1544 || WEB-MISC Cisco Catalyst command execution attempt || bugtraq,1846 || cve,2000-0945 || nessus,10545 -1545 || DOS Cisco attempt -1546 || WEB-MISC Cisco /%% DOS attempt || bugtraq,1154 || cve,2000-0380 -1547 || WEB-CGI csSearch.cgi arbitrary command execution attempt || bugtraq,4368 || cve,2002-0495 || nessus,10924 -1548 || WEB-CGI csSearch.cgi access || bugtraq,4368 || cve,2002-0495 
|| nessus,10924 -1549 || SMTP HELO overflow attempt || bugtraq,7726 || bugtraq,895 || cve,2000-0042 || nessus,10324 || nessus,11674 -1550 || SMTP ETRN overflow attempt || bugtraq,1297 || bugtraq,7515 || cve,2000-0490 || nessus,10438 -1551 || WEB-MISC /CVS/Entries access || nessus,10922 || nessus,11032 -1552 || WEB-MISC cvsweb version access || cve,2000-0670 -1553 || WEB-CGI /cart/cart.cgi access || bugtraq,1115 || cve,2000-0252 -1554 || WEB-CGI dbman db.cgi access || bugtraq,1178 || cve,2000-0381 || nessus,10403 -1555 || WEB-CGI DCShop access || bugtraq,2889 || cve,2001-0821 -1556 || WEB-CGI DCShop orders.txt access || bugtraq,2889 || cve,2001-0821 -1557 || WEB-CGI DCShop auth_user_file.txt access || bugtraq,2889 || cve,2001-0821 -1558 || WEB-MISC Delegate whois overflow attempt || cve,2000-0165 -1559 || WEB-MISC /doc/packages access || bugtraq,1707 || cve,2000-1016 || nessus,10518 || nessus,11032 -1560 || WEB-MISC /doc/ access || bugtraq,318 || cve,1999-0678 -1561 || WEB-MISC ?open access -1562 || FTP SITE CHOWN overflow attempt || bugtraq,2120 || cve,2001-0065 -1563 || WEB-MISC login.htm attempt || bugtraq,665 || cve,1999-1533 -1564 || WEB-MISC login.htm access || bugtraq,665 || cve,1999-1533 -1565 || WEB-CGI eshop.pl arbitrary commane execution attempt || bugtraq,3340 || cve,2001-1014 -1566 || WEB-CGI eshop.pl access || bugtraq,3340 || cve,2001-1014 -1567 || WEB-IIS /exchange/root.asp attempt || bugtraq,3301 || cve,2001-0660 || nessus,10755 || nessus,10781 || url,www.microsoft.com/technet/security/bulletin/MS01-047.mspx -1568 || WEB-IIS /exchange/root.asp access || bugtraq,3301 || cve,2001-0660 || nessus,10755 || nessus,10781 -1569 || WEB-CGI loadpage.cgi directory traversal attempt || bugtraq,2109 || cve,2000-1092 -1570 || WEB-CGI loadpage.cgi access || bugtraq,2109 || cve,2000-1092 -1571 || WEB-CGI dcforum.cgi directory traversal attempt || bugtraq,2611 || cve,2001-0436 || cve,2001-0437 -1572 || WEB-CGI commerce.cgi arbitrary file access attempt || 
bugtraq,2361 || cve,2001-0210 || nessus,10612 -1573 || WEB-CGI cgiforum.pl attempt || bugtraq,1963 || cve,2000-1171 || nessus,10552 -1574 || WEB-CGI directorypro.cgi attempt || bugtraq,2793 || cve,2001-0780 -1575 || WEB-MISC Domino mab.nsf access || bugtraq,4022 || nessus,10953 -1576 || WEB-MISC Domino cersvr.nsf access || nessus,10629 -1577 || WEB-MISC Domino setup.nsf access || nessus,10629 -1578 || WEB-MISC Domino statrep.nsf access || nessus,10629 -1579 || WEB-MISC Domino webadmin.nsf access || bugtraq,9900 || bugtraq,9901 || nessus,10629 -1580 || WEB-MISC Domino events4.nsf access || nessus,10629 -1581 || WEB-MISC Domino ntsync4.nsf access || nessus,10629 -1582 || WEB-MISC Domino collect4.nsf access || nessus,10629 -1583 || WEB-MISC Domino mailw46.nsf access || nessus,10629 -1584 || WEB-MISC Domino bookmark.nsf access || nessus,10629 -1585 || WEB-MISC Domino agentrunner.nsf access || nessus,10629 -1586 || WEB-MISC Domino mail.box access || bugtraq,881 || nessus,10629 -1587 || WEB-MISC cgitest.exe access || arachnids,265 || bugtraq,1313 || bugtraq,3885 || cve,2000-0521 || cve,2002-0128 || nessus,10040 || nessus,10623 || nessus,11131 -1588 || WEB-MISC SalesLogix Eviewer access || bugtraq,1078 || bugtraq,1089 || cve,2000-0278 || cve,2000-0289 -1589 || WEB-MISC musicat empower attempt || bugtraq,2374 || cve,2001-0224 || nessus,10609 -1590 || WEB-CGI faqmanager.cgi arbitrary file access attempt || bugtraq,3810 || nessus,10837 -1591 || WEB-CGI faqmanager.cgi access || bugtraq,3810 || nessus,10837 -1592 || WEB-CGI /fcgi-bin/echo.exe access || nessus,10838 -1593 || WEB-CGI FormHandler.cgi external site redirection attempt || bugtraq,798 || bugtraq,799 || cve,1999-1050 || nessus,10075 -1594 || WEB-CGI FormHandler.cgi access || bugtraq,798 || bugtraq,799 || cve,1999-1050 || nessus,10075 -1595 || WEB-IIS htimage.exe access || bugtraq,1117 || bugtraq,964 || cve,2000-0122 || cve,2000-0256 || nessus,10376 -1597 || WEB-CGI guestbook.cgi access || cve,1999-0237 || 
nessus,10098 -1598 || WEB-CGI Home Free search.cgi directory traversal attempt || bugtraq,921 || cve,2000-0054 -1599 || WEB-CGI search.cgi access || bugtraq,921 || cve,2000-0054 -1600 || WEB-CGI htsearch arbitrary configuration file attempt || cve,2000-0208 -1601 || WEB-CGI htsearch arbitrary file read attempt || bugtraq,1026 || cve,2000-0208 || nessus,10105 -1602 || WEB-CGI htsearch access || bugtraq,1026 || cve,2000-0208 || nessus,10105 -1603 || WEB-MISC DELETE attempt || nessus,10498 -1604 || WEB-MISC iChat directory traversal attempt || cve,1999-0897 -1605 || DOS iParty DOS attempt || bugtraq,6844 || cve,1999-1566 -1606 || WEB-CGI icat access || cve,1999-1069 -1607 || WEB-CGI HyperSeek hsx.cgi access || bugtraq,2314 || cve,2001-0253 || nessus,10602 -1608 || WEB-CGI htmlscript attempt || bugtraq,2001 || cve,1999-0264 || nessus,10106 -1609 || WEB-CGI faxsurvey arbitrary file read attempt || bugtraq,2056 || cve,1999-0262 || nessus,10067 -1610 || WEB-CGI formmail arbitrary command execution attempt || arachnids,226 || bugtraq,1187 || bugtraq,2079 || cve,1999-0172 || cve,2000-0411 || nessus,10076 || nessus,10782 -1611 || WEB-CGI eXtropia webstore access || bugtraq,1774 || cve,2000-1005 || nessus,10532 -1612 || WEB-MISC ftp.pl attempt || bugtraq,1471 || cve,2000-0674 || nessus,10467 -1613 || WEB-MISC handler attempt || arachnids,235 || bugtraq,380 || cve,1999-0148 || nessus,10100 -1614 || WEB-MISC Novell Groupwise gwweb.exe attempt || bugtraq,879 || cve,1999-1005 || cve,1999-1006 || nessus,10877 -1615 || WEB-MISC htgrep attempt || cve,2000-0832 -1616 || DNS named version attempt || arachnids,278 || nessus,10028 -1617 || WEB-CGI Bugzilla doeditvotes.cgi access || bugtraq,3800 || cve,2002-0011 -1618 || WEB-IIS .asp chunked Transfer-Encoding || bugtraq,4474 || bugtraq,4485 || cve,2002-0071 || cve,2002-0079 || nessus,10932 -1619 || EXPERIMENTAL WEB-IIS .htr request || bugtraq,4474 || cve,2002-0071 || nessus,10932 -1620 || BAD TRAFFIC Non-Standard IP protocol -1621 || FTP 
CMD overflow attempt -1622 || FTP RNFR ././ attempt -1623 || FTP invalid MODE -1624 || FTP large PWD command -1625 || FTP large SYST command -1626 || WEB-IIS /StoreCSVS/InstantOrder.asmx request -1627 || BAD-TRAFFIC Unassigned/Reserved IP protocol || url,www.iana.org/assignments/protocol-numbers -1628 || WEB-CGI FormHandler.cgi directory traversal attempt attempt || bugtraq,798 || bugtraq,799 || cve,1999-1050 || nessus,10075 -1629 || OTHER-IDS SecureNetPro traffic -1631 || CHAT AIM login -1632 || CHAT AIM send message -1633 || CHAT AIM receive message -1634 || POP3 PASS overflow attempt || bugtraq,791 || cve,1999-1511 || nessus,10325 -1635 || POP3 APOP overflow attempt || bugtraq,1652 || cve,2000-0840 || cve,2000-0841 || nessus,10559 -1636 || MISC Xtramail Username overflow attempt || bugtraq,791 || cve,1999-1511 || nessus,10323 -1637 || WEB-CGI yabb access || arachnids,462 || bugtraq,1668 || cve,2000-0853 -1638 || SCAN SSH Version map attempt -1639 || CHAT IRC DCC file transfer request -1640 || CHAT IRC DCC chat request -1641 || DOS DB2 dos attempt || bugtraq,3010 || cve,2001-1143 || nessus,10871 -1642 || WEB-CGI document.d2w access || bugtraq,2017 || cve,2000-1110 -1643 || WEB-CGI db2www access || cve,2000-0677 -1644 || WEB-CGI test-cgi attempt || arachnids,218 || bugtraq,2003 || cve,1999-0070 || nessus,10282 -1645 || WEB-CGI testcgi access || bugtraq,7214 || nessus,11610 -1646 || WEB-CGI test.cgi access -1647 || WEB-CGI faxsurvey attempt full path || bugtraq,2056 || cve,1999-0262 || nessus,10067 -1648 || WEB-CGI perl.exe command attempt || arachnids,219 || cve,1999-0509 || nessus,10173 || url,www.cert.org/advisories/CA-1996-11.html -1649 || WEB-CGI perl command attempt || arachnids,219 || cve,1999-0509 || nessus,10173 || url,www.cert.org/advisories/CA-1996-11.html -1650 || WEB-CGI tst.bat access || bugtraq,770 || cve,1999-0885 || nessus,10014 -1651 || WEB-CGI environ.pl access -1652 || WEB-CGI campus attempt || bugtraq,1975 || cve,1999-0146 || nessus,10035 -1653 
|| WEB-CGI campus access || bugtraq,1975 || cve,1999-0146 || nessus,10035 -1654 || WEB-CGI cart32.exe access || bugtraq,1153 -1655 || WEB-CGI pfdispaly.cgi arbitrary command execution attempt || cve,1999-0270 || nessus,10174 -1656 || WEB-CGI pfdispaly.cgi access || cve,1999-0270 || nessus,10174 -1657 || WEB-CGI pagelog.cgi directory traversal attempt || bugtraq,1864 || cve,2000-0940 || nessus,10591 -1658 || WEB-CGI pagelog.cgi access || bugtraq,1864 || cve,2000-0940 || nessus,10591 -1659 || WEB-COLDFUSION sendmail.cfm access -1660 || WEB-IIS trace.axd access || nessus,10993 -1661 || WEB-IIS cmd32.exe access -1662 || WEB-MISC /~ftp access -1663 || WEB-MISC *%0a.pl access || nessus,11007 || url,www.securityfocus.com/archive/1/149482 -1664 || WEB-MISC mkplog.exe access -1665 || WEB-MISC mkilog.exe access -1666 || ATTACK-RESPONSES index of /cgi-bin/ response || nessus,10039 -1667 || WEB-MISC cross site scripting HTML Image tag set to javascript attempt || bugtraq,4858 || cve,2002-0902 -1668 || WEB-CGI /cgi-bin/ access -1669 || WEB-CGI /cgi-dos/ access -1670 || WEB-MISC /home/ftp access || nessus,11032 -1671 || WEB-MISC /home/www access || nessus,11032 -1672 || FTP CWD ~ attempt || bugtraq,2601 || bugtraq,9215 || cve,2001-0421 -1673 || ORACLE EXECUTE_SYSTEM attempt -1674 || ORACLE connect_data remote version detection attempt -1675 || ORACLE misparsed login response -1676 || ORACLE select union attempt -1677 || ORACLE select like '%' attempt -1678 || ORACLE select like '%' attempt backslash escaped -1679 || ORACLE describe attempt -1680 || ORACLE all_constraints access -1681 || ORACLE all_views access -1682 || ORACLE all_source access -1683 || ORACLE all_tables access -1684 || ORACLE all_tab_columns access -1685 || ORACLE all_tab_privs access -1686 || ORACLE dba_tablespace access -1687 || ORACLE dba_tables access -1688 || ORACLE user_tablespace access -1689 || ORACLE sys.all_users access -1690 || ORACLE grant attempt -1691 || ORACLE ALTER USER attempt -1692 || ORACLE 
drop table attempt
-1693 || ORACLE create table attempt
-1694 || ORACLE alter table attempt
-1695 || ORACLE truncate table attempt
-1696 || ORACLE create database attempt
-1697 || ORACLE alter database attempt
-1698 || ORACLE execute_system attempt
-1699 || P2P Fastrack kazaa/morpheus traffic || url,www.kazaa.com
-1700 || WEB-CGI imagemap.exe access || arachnids,412 || bugtraq,739 || cve,1999-0951 || nessus,10122
-1701 || WEB-CGI calendar-admin.pl access || bugtraq,1215
-1702 || WEB-CGI Amaya templates sendtemp.pl access || bugtraq,2504 || cve,2001-0272
-1703 || WEB-CGI auktion.cgi directory traversal attempt || bugtraq,2367 || cve,2001-0212 || nessus,10638
-1704 || WEB-CGI cal_make.pl directory traversal attempt || bugtraq,2663 || cve,2001-0463 || nessus,10664
-1705 || WEB-CGI echo.bat arbitrary command execution attempt || bugtraq,1002 || cve,2000-0213 || nessus,10246
-1706 || WEB-CGI echo.bat access || bugtraq,1002 || cve,2000-0213 || nessus,10246
-1707 || WEB-CGI hello.bat arbitrary command execution attempt || bugtraq,1002 || cve,2000-0213 || nessus,10246
-1708 || WEB-CGI hello.bat access || bugtraq,1002 || cve,2000-0213 || nessus,10246
-1709 || WEB-CGI ad.cgi access || bugtraq,2103 || cve,2001-0025 || nessus,11464
-1710 || WEB-CGI bbs_forum.cgi access || bugtraq,2177 || cve,2001-0123 || url,www.cgisecurity.com/advisory/3.1.txt
-1711 || WEB-CGI bsguest.cgi access || bugtraq,2159 || cve,2001-0099
-1712 || WEB-CGI bslist.cgi access || bugtraq,2160 || cve,2001-0100
-1713 || WEB-CGI cgforum.cgi access || bugtraq,1951 || cve,2000-1132
-1714 || WEB-CGI newdesk access
-1715 || WEB-CGI register.cgi access || bugtraq,2157 || cve,2001-0076
-1716 || WEB-CGI gbook.cgi access || bugtraq,1940 || cve,2000-1131
-1717 || WEB-CGI simplestguest.cgi access || bugtraq,2106 || cve,2001-0022
-1718 || WEB-CGI statsconfig.pl access || bugtraq,2211 || cve,2001-0113
-1719 || WEB-CGI talkback.cgi directory traversal attempt || bugtraq,2547 || cve,2001-0420
-1720 || WEB-CGI talkback.cgi access || bugtraq,2547 || cve,2001-0420
-1721 || WEB-CGI adcycle access || bugtraq,3741 || cve,2001-1226
-1722 || WEB-CGI MachineInfo access || cve,1999-1067
-1723 || WEB-CGI emumail.cgi NULL attempt || bugtraq,5824 || cve,2002-1526
-1724 || WEB-CGI emumail.cgi access || bugtraq,5824 || cve,2002-1526
-1725 || WEB-IIS +.htr code fragment attempt || bugtraq,1488 || cve,2000-0630 || nessus,10680 || url,www.microsoft.com/technet/security/bulletin/MS00-044.mspx
-1726 || WEB-IIS doctodep.btr access
-1727 || WEB-CGI SGI InfoSearch fname access || arachnids,290 || bugtraq,1031 || cve,2000-0207
-1728 || FTP CWD ~<CR><NEWLINE> attempt || bugtraq,2601 || cve,2001-0421
-1729 || CHAT IRC channel join
-1730 || WEB-CGI ustorekeeper.pl directory traversal attempt || bugtraq,2536 || cve,2001-0466 || nessus,10645
-1731 || WEB-CGI a1stats access || bugtraq,2705 || cve,2001-0561 || nessus,10669
-1732 || RPC portmap rwalld request UDP
-1733 || RPC portmap rwalld request TCP
-1734 || FTP USER overflow attempt || bugtraq,10078 || bugtraq,1227 || bugtraq,1504 || bugtraq,1690 || bugtraq,4638 || bugtraq,7307 || bugtraq,8376 || cve,1999-1510 || cve,1999-1514 || cve,1999-1519 || cve,1999-1539 || cve,2000-0479 || cve,2000-0656 || cve,2000-0761 || cve,2000-0943 || cve,2000-1035 || cve,2000-1194 || cve,2001-0256 || cve,2001-0794 || cve,2001-0826 || cve,2002-0126 || cve,2002-1522 || cve,2003-0271 || cve,2004-0286
-1735 || WEB-CLIENT XMLHttpRequest attempt || bugtraq,4628 || cve,2002-0354
-1736 || WEB-PHP squirrel mail spell-check arbitrary command attempt || bugtraq,3952
-1737 || WEB-PHP squirrel mail theme arbitrary command attempt || bugtraq,4385 || cve,2002-0516
-1738 || WEB-MISC global.inc access || bugtraq,4612 || cve,2002-0614
-1739 || WEB-PHP DNSTools administrator authentication bypass attempt || bugtraq,4617 || cve,2002-0613
-1740 || WEB-PHP DNSTools authentication bypass attempt || bugtraq,4617 || cve,2002-0613
-1741 || WEB-PHP DNSTools access || bugtraq,4617 || cve,2002-0613
-1742 || WEB-PHP Blahz-DNS dostuff.php modify user attempt || bugtraq,4618 || cve,2002-0599
-1743 || WEB-PHP Blahz-DNS dostuff.php access || bugtraq,4618 || cve,2002-0599
-1744 || WEB-MISC SecureSite authentication bypass attempt || bugtraq,4621
-1745 || WEB-PHP Messagerie supp_membre.php access || bugtraq,4635
-1746 || RPC portmap cachefsd request UDP || bugtraq,4674 || cve,2002-0033 || cve,2002-0084
-1747 || RPC portmap cachefsd request TCP || bugtraq,4674 || cve,2002-0033 || cve,2002-0084
-1748 || FTP command overflow attempt || bugtraq,4638 || cve,2002-0606
-1749 || EXPERIMENTAL WEB-IIS .NET trace.axd access
-1750 || WEB-IIS users.xml access
-1751 || EXPLOIT cachefsd buffer overflow attempt || bugtraq,4631 || cve,2002-0084 || nessus,10951
-1752 || MISC AIM AddExternalApp attempt || url,www.w00w00.org/files/w00aimexp/
-1753 || WEB-IIS as_web.exe access || bugtraq,4670
-1754 || WEB-IIS as_web4.exe access || bugtraq,4670
-1755 || IMAP partial body buffer overflow attempt || bugtraq,4713 || cve,2002-0379
-1756 || WEB-IIS NewsPro administration authentication attempt || bugtraq,4672
-1757 || WEB-MISC b2 arbitrary command execution attempt || bugtraq,4673 || cve,2002-0734 || cve,2002-1466 || nessus,11667
-1758 || WEB-MISC b2 access || bugtraq,4673 || cve,2002-0734 || cve,2002-1466 || nessus,11667
-1759 || MS-SQL xp_cmdshell program execution 445
-1760 || OTHER-IDS ISS RealSecure 6 event collector connection attempt
-1761 || OTHER-IDS ISS RealSecure 6 daemon connection attempt
-1762 || WEB-CGI phf arbitrary command execution attempt || arachnids,128 || bugtraq,629 || cve,1999-0067
-1763 || WEB-CGI Nortel Contivity cgiproc DOS attempt || bugtraq,938 || cve,2000-0063 || cve,2000-0064 || nessus,10160
-1764 || WEB-CGI Nortel Contivity cgiproc DOS attempt || bugtraq,938 || cve,2000-0063 || cve,2000-0064 || nessus,10160
-1765 || WEB-CGI Nortel Contivity cgiproc access || bugtraq,938 || cve,2000-0063 || cve,2000-0064 || nessus,10160
-1766 || WEB-MISC search.dll directory listing attempt || bugtraq,1684 || cve,2000-0835 || nessus,10514
-1767 || WEB-MISC search.dll access || bugtraq,1684 || cve,2000-0835 || nessus,10514
-1768 || WEB-IIS header field buffer overflow attempt || bugtraq,4476 || cve,2002-0150
-1769 || WEB-MISC .DS_Store access || url,www.macintouch.com/mosxreaderreports46.html
-1770 || WEB-MISC .FBCIndex access || url,www.securiteam.com/securitynews/5LP0O005FS.html
-1771 || POLICY IPSec PGPNet connection attempt
-1772 || WEB-IIS pbserver access || cve,2000-1089 || url,www.microsoft.com/technet/security/bulletin/ms00-094.mspx
-1773 || WEB-PHP php.exe access || url,www.securitytracker.com/alerts/2002/Jan/1003104.html
-1774 || WEB-PHP bb_smilies.php access || url,www.securiteam.com/securitynews/Serious_security_hole_in_PHP-Nuke__bb_smilies_.html
-1775 || MYSQL root login attempt
-1776 || MYSQL show databases attempt
-1777 || FTP EXPLOIT STAT * dos attempt || bugtraq,4482 || cve,2002-0073 || nessus,10934 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx
-1778 || FTP EXPLOIT STAT ? dos attempt || bugtraq,4482 || cve,2002-0073 || nessus,10934 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx
-1779 || FTP CWD .... attempt || bugtraq,4884
-1780 || IMAP EXPLOIT partial body overflow attempt || bugtraq,4713 || cve,2002-0379
-1787 || WEB-CGI csPassword.cgi access || bugtraq,4885 || bugtraq,4886 || bugtraq,4887 || bugtraq,4889 || cve,2002-0917 || cve,2002-0918
-1788 || WEB-CGI csPassword password.cgi.tmp access || bugtraq,4889 || cve,2002-0920
-1789 || CHAT IRC dns request
-1790 || CHAT IRC dns response
-1791 || BACKDOOR fragroute trojan connection attempt || bugtraq,4898
-1792 || NNTP return code buffer overflow attempt || bugtraq,4900 || cve,2002-0909
-1800 || VIRUS Klez Incoming
-1801 || WEB-IIS .asp HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx
-1802 || WEB-IIS .asa HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx
-1803 || WEB-IIS .cer HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx
-1804 || WEB-IIS .cdx HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx
-1805 || WEB-CGI Oracle reports CGI access || bugtraq,4848 || cve,2002-0947
-1806 || WEB-IIS .htr chunked Transfer-Encoding || bugtraq,4855 || bugtraq,5003 || cve,2002-0364
-1807 || WEB-MISC Chunked-Encoding transfer attempt || bugtraq,4474 || bugtraq,4485 || bugtraq,5033 || cve,2002-0071 || cve,2002-0079 || cve,2002-0392
-1808 || WEB-MISC apache chunked encoding memory corruption exploit attempt || bugtraq,5033 || cve,2002-0392
-1809 || WEB-MISC Apache Chunked-Encoding worm attempt || bugtraq,4474 || bugtraq,4485 || bugtraq,5033 || cve,2002-0071 || cve,2002-0079 || cve,2002-0392
-1810 || ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE || bugtraq,5093 || cve,2002-0390 || cve,2002-0639
-1811 || ATTACK-RESPONSES successful gobbles ssh exploit uname || bugtraq,5093 || cve,2002-0390 || cve,2002-0639
-1812 || EXPLOIT gobbles SSH exploit attempt || bugtraq,5093 || cve,2002-0390 || cve,2002-0639
-1813 || ICMP digital island bandwidth query
-1814 || WEB-MISC CISCO VoIP DOS ATTEMPT || bugtraq,4794 || cve,2002-0882 || nessus,11013
-1815 || WEB-PHP directory.php arbitrary command attempt || bugtraq,4278 || cve,2002-0434
-1816 || WEB-PHP directory.php access || bugtraq,4278 || cve,2002-0434
-1817 || WEB-IIS MS Site Server default login attempt || nessus,11018
-1818 || WEB-IIS MS Site Server admin attempt || nessus,11018
-1819 || MISC Alcatel PABX 4400 connection attempt || nessus,11019
-1820 || WEB-MISC IBM Net.Commerce orderdspc.d2w access || bugtraq,2350 || cve,2001-0319 || nessus,11020
-1821 || EXPLOIT LPD dvips remote command execution attempt || bugtraq,3241 || cve,2001-1002 || nessus,11023
-1822 || WEB-CGI alienform.cgi directory traversal attempt || bugtraq,4983 || cve,2002-0934 || nessus,11027
-1823 || WEB-CGI AlienForm af.cgi directory traversal attempt || bugtraq,4983 || cve,2002-0934 || nessus,11027
-1824 || WEB-CGI alienform.cgi access || bugtraq,4983 || cve,2002-0934 || nessus,11027
-1825 || WEB-CGI AlienForm af.cgi access || bugtraq,4983 || cve,2002-0934 || nessus,11027
-1826 || WEB-MISC WEB-INF access || bugtraq,1830 || bugtraq,5119 || cve,2000-1050 || cve,2001-0179 || nessus,11037
-1827 || WEB-MISC Tomcat servlet mapping cross site scripting attempt || bugtraq,5193 || cve,2002-0682 || nessus,11041
-1828 || WEB-MISC iPlanet Search directory traversal attempt || bugtraq,5191 || cve,2002-1042 || nessus,11043
-1829 || WEB-MISC Tomcat TroubleShooter servlet access || bugtraq,4575 || nessus,11046
-1830 || WEB-MISC Tomcat SnoopServlet servlet access || bugtraq,4575 || nessus,11046
-1831 || WEB-MISC jigsaw dos attempt || nessus,11047
-1832 || CHAT ICQ forced user addition || bugtraq,3226 || cve,2001-1305
-1834 || WEB-PHP PHP-Wiki cross site scripting attempt || bugtraq,5254 || cve,2002-1070
-1835 || WEB-MISC Macromedia SiteSpring cross site scripting attempt || bugtraq,5249 || cve,2002-1027
-1838 || EXPLOIT SSH server banner overflow || bugtraq,5287 || cve,2002-1059
-1839 || WEB-MISC mailman cross site scripting attempt || bugtraq,5298 || cve,2002-0855
-1840 || WEB-CLIENT Javascript document.domain attempt || bugtraq,5346 || cve,2002-0815
-1841 || WEB-CLIENT Javascript URL host spoofing attempt || bugtraq,5293
-1842 || IMAP login buffer overflow attempt || bugtraq,13727 || bugtraq,502 || cve,1999-0005 || cve,1999-1557 || cve,2005-1255 || nessus,10123 || nessus,10125
-1843 || BACKDOOR trinity connection attempt || cve,2000-0138 || nessus,10501
-1844 || IMAP authenticate overflow attempt || bugtraq,12995 || bugtraq,130 || cve,1999-0005 || cve,1999-0042 || nessus,10292
-1845 || IMAP list literal overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374
-1846 || POLICY vncviewer Java applet download attempt || nessus,10758
-1847 || WEB-MISC webalizer access || bugtraq,3473 || cve,2001-0835 || nessus,10816
-1848 || WEB-MISC webcart-lite access || cve,1999-0610 || nessus,10298
-1849 || WEB-MISC webfind.exe access || bugtraq,1487 || cve,2000-0622 || nessus,10475
-1850 || WEB-CGI way-board.cgi access || nessus,10610
-1851 || WEB-MISC active.log access || bugtraq,1497 || cve,2000-0642 || nessus,10470
-1852 || WEB-MISC robots.txt access || nessus,10302
-1853 || BACKDOOR win-trin00 connection attempt || cve,2000-0138 || nessus,10307
-1854 || DDOS Stacheldraht handler->agent niggahbitch || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis
-1855 || DDOS Stacheldraht agent->handler skillz || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis
-1856 || DDOS Stacheldraht handler->agent ficken || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis
-1857 || WEB-MISC robot.txt access || nessus,10302
-1858 || WEB-MISC CISCO PIX Firewall Manager directory traversal attempt || bugtraq,691 || cve,1999-0158 || nessus,10819
-1859 || WEB-MISC Sun JavaServer default password login attempt || cve,1999-0508 || nessus,10995
-1860 || WEB-MISC Linksys router default password login attempt || nessus,10999
-1861 || WEB-MISC Linksys router default username and password login attempt || nessus,10999
-1862 || WEB-CGI mrtg.cgi directory traversal attempt || bugtraq,4017 || cve,2002-0232 || nessus,11001
-1864 || FTP SITE NEWER attempt || cve,1999-0880 || nessus,10319
-1865 || WEB-CGI webdist.cgi arbitrary command attempt || bugtraq,374 || cve,1999-0039 || nessus,10299
-1866 || POP3 USER overflow attempt || bugtraq,11256 || bugtraq,789 || cve,1999-0494 || nessus,10311
-1867 || MISC xdmcp info query || nessus,10891
-1868 || WEB-CGI story.pl arbitrary file read attempt || bugtraq,3028 || cve,2001-0804 || nessus,10817
-1869 || WEB-CGI story.pl access || bugtraq,3028 || cve,2001-0804 || nessus,10817
-1870 || WEB-CGI siteUserMod.cgi access || bugtraq,951 || cve,2000-0117 || nessus,10253
-1871 || WEB-MISC Oracle XSQLConfig.xml access || bugtraq,4290 || cve,2002-0568 || nessus,10855
-1872 || WEB-MISC Oracle Dynamic Monitoring Services dms access || nessus,10848
-1873 || WEB-MISC globals.jsa access || bugtraq,4034 || cve,2002-0562 || nessus,10850
-1874 || WEB-MISC Oracle Java Process Manager access || nessus,10851
-1875 || WEB-CGI cgicso access || bugtraq,6141 || nessus,10779 || nessus,10780
-1876 || WEB-CGI nph-publish.cgi access || cve,1999-1177 || nessus,10164
-1877 || WEB-CGI printenv access || bugtraq,1658 || cve,2000-0868 || nessus,10188 || nessus,10503
-1878 || WEB-CGI sdbsearch.cgi access || bugtraq,1658 || cve,2000-0868 || nessus,10503
-1879 || WEB-CGI book.cgi arbitrary command execution attempt || bugtraq,3178 || cve,2001-1114 || nessus,10721
-1880 || WEB-MISC oracle web application server access || bugtraq,1053 || cve,2000-0169 || nessus,10348
-1881 || WEB-MISC bad HTTP/1.1 request, Potentially worm attack || url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html
-1882 || ATTACK-RESPONSES id check returned userid
-1883 || ATTACK-RESPONSES id check returned nobody
-1884 || ATTACK-RESPONSES id check returned web
-1885 || ATTACK-RESPONSES id check returned http
-1886 || ATTACK-RESPONSES id check returned apache
-1887 || MISC OpenSSL Worm traffic || url,www.cert.org/advisories/CA-2002-27.html
-1888 || FTP SITE CPWD overflow attempt || bugtraq,5427 || cve,2002-0826
-1889 || MISC slapper worm admin traffic || url,isc.incidents.org/analysis.html?id=167 || url,www.cert.org/advisories/CA-2002-27.html
-1890 || RPC status GHBN format string attack || bugtraq,1480 || cve,2000-0666
-1891 || RPC status GHBN format string attack || bugtraq,1480 || cve,2000-0666
-1892 || SNMP null community string attempt || bugtraq,2112 || bugtraq,8974 || cve,1999-0517
-1893 || SNMP missing community string attempt || bugtraq,2112 || cve,1999-0517
-1894 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
-1895 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
-1896 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
-1897 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
-1898 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
-1899 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
-1900 || ATTACK-RESPONSES successful kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
-1901 || ATTACK-RESPONSES successful kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
-1902 || IMAP lsub literal overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374
-1903 || IMAP rename overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374
-1904 || IMAP find overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374
-1905 || RPC AMD UDP amqproc_mount plog overflow attempt || bugtraq,614 || cve,1999-0704
-1906 || RPC AMD TCP amqproc_mount plog overflow attempt || bugtraq,614 || cve,1999-0704
-1907 || RPC CMSD UDP CMSD_CREATE buffer overflow attempt || bugtraq,524 || cve,1999-0696
-1908 || RPC CMSD TCP CMSD_CREATE buffer overflow attempt || bugtraq,524 || cve,1999-0696
-1909 || RPC CMSD TCP CMSD_INSERT buffer overflow attempt || bugtraq,524 || cve,1999-0696 || url,www.cert.org/advisories/CA-99-08-cmsd.html
-1910 || RPC CMSD udp CMSD_INSERT buffer overflow attempt || cve,1999-0696 || url,www.cert.org/advisories/CA-99-08-cmsd.html
-1911 || RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt || bugtraq,866 || cve,1999-0977
-1912 || RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt || bugtraq,0866 || bugtraq,866 || cve,1999-0977
-1913 || RPC STATD UDP stat mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666
-1914 || RPC STATD TCP stat mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666
-1915 || RPC STATD UDP monitor mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666
-1916 || RPC STATD TCP monitor mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666
-1917 || SCAN UPnP service discover attempt
-1918 || SCAN SolarWinds IP scan attempt
-1919 || FTP CWD overflow attempt || bugtraq,11069 || bugtraq,1227 || bugtraq,1690 || bugtraq,6869 || bugtraq,7251 || bugtraq,7950 || cve,1999-0219 || cve,1999-1058 || cve,1999-1510 || cve,2000-1035 || cve,2000-1194 || cve,2001-0781 || cve,2002-0126 || cve,2002-0405
-1920 || FTP SITE NEWER overflow attempt || bugtraq,229 || cve,1999-0800
-1921 || FTP SITE ZIPCHK overflow attempt || cve,2000-0040
-1922 || RPC portmap proxy attempt TCP
-1923 || RPC portmap proxy attempt UDP
-1924 || RPC mountd UDP export request || arachnids,26
-1925 || RPC mountd TCP exportall request || arachnids,26
-1926 || RPC mountd UDP exportall request || arachnids,26
-1927 || FTP authorized_keys
-1928 || FTP shadow retrieval attempt
-1929 || BACKDOOR TCPDUMP/PCAP trojan traffic || url,hlug.fscker.com
-1930 || IMAP auth literal overflow attempt || cve,1999-0005
-1931 || WEB-CGI rpc-nlog.pl access || cve,1999-1278 || url,marc.theaimsgroup.com/?l=bugtraq&m=91470326629357&w=2 || url,marc.theaimsgroup.com/?l=bugtraq&m=91471400632145&w=2
-1932 || WEB-CGI rpc-smb.pl access || cve,1999-1278
-1933 || WEB-CGI cart.cgi access || bugtraq,1115 || cve,2000-0252 || nessus,10368
-1934 || POP2 FOLD overflow attempt || bugtraq,283 || cve,1999-0920 || nessus,10130
-1935 || POP2 FOLD arbitrary file attempt
-1936 || POP3 AUTH overflow attempt || bugtraq,830 || cve,1999-0822 || nessus,10184
-1937 || POP3 LIST overflow attempt || bugtraq,948 || cve,2000-0096 || nessus,10197
-1938 || POP3 XTND overflow attempt
-1939 || MISC bootp hardware address length overflow || cve,1999-0798
-1940 || MISC bootp invalid hardware type || cve,1999-0798
-1941 || TFTP GET filename overflow attempt || bugtraq,5328 || cve,2002-0813
-1942 || FTP RMDIR overflow attempt || bugtraq,819
-1943 || WEB-MISC /Carello/add.exe access || bugtraq,1245 || cve,2000-0396 || nessus,11776
-1944 || WEB-MISC /ecscripts/ecware.exe access || bugtraq,6066
-1945 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537
-1946 || WEB-MISC answerbook2 admin attempt || bugtraq,5383 || cve,2000-0696
-1947 || WEB-MISC answerbook2 arbitrary command execution attempt || bugtraq,1556 || cve,2000-0697
-1948 || DNS zone transfer UDP || arachnids,212 || cve,1999-0532 || nessus,10595
-1949 || RPC portmap SET attempt TCP 111
-1950 || RPC portmap SET attempt UDP 111
-1951 || RPC mountd TCP mount request
-1952 || RPC mountd UDP mount request
-1953 || RPC AMD TCP pid request
-1954 || RPC AMD UDP pid request
-1955 || RPC AMD TCP version request
-1956 || RPC AMD UDP version request || bugtraq,1554 || cve,2000-0696
-1957 || RPC sadmind UDP PING || bugtraq,866
-1958 || RPC sadmind TCP PING || bugtraq,866
-1959 || RPC portmap NFS request UDP
-1960 || RPC portmap NFS request TCP
-1961 || RPC portmap RQUOTA request UDP
-1962 || RPC portmap RQUOTA request TCP
-1963 || RPC RQUOTA getquota overflow attempt UDP || bugtraq,864 || cve,1999-0974
-1964 || RPC tooltalk UDP overflow attempt || bugtraq,122 || cve,1999-0003
-1965 || RPC tooltalk TCP overflow attempt || bugtraq,122 || cve,1999-0003
-1966 || MISC GlobalSunTech Access Point Information Disclosure attempt || bugtraq,6100
-1967 || WEB-PHP phpbb quick-reply.php arbitrary command attempt || bugtraq,6173
-1968 || WEB-PHP phpbb quick-reply.php access || bugtraq,6173
-1969 || WEB-MISC ion-p access || bugtraq,6091 || cve,2002-1559
-1970 || WEB-IIS MDAC Content-Type overflow attempt || bugtraq,6214 || cve,2002-1142 || url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337 || url,www.microsoft.com/technet/security/bulletin/MS02-065.mspx || url,www.microsoft.com/technet/security/bulletin/MS98-004.mspx
-1971 || FTP SITE EXEC format string attempt
-1972 || FTP PASS overflow attempt || bugtraq,10078 || bugtraq,10720 || bugtraq,1690 || bugtraq,3884 || bugtraq,8601 || bugtraq,9285 || cve,1999-1519 || cve,1999-1539 || cve,2000-1035 || cve,2002-0126 || cve,2002-0895
-1973 || FTP MKD overflow attempt || bugtraq,612 || bugtraq,7278 || bugtraq,9872 || cve,1999-0911 || nessus,12108
-1974 || FTP REST overflow attempt || bugtraq,2972 || cve,2001-0826
-1975 || FTP DELE overflow attempt || bugtraq,2972 || cve,2001-0826 || cve,2001-1021
-1976 || FTP RMD overflow attempt || bugtraq,2972 || cve,2000-0133 || cve,2001-0826 || cve,2001-1021
-1977 || WEB-MISC xp_regwrite attempt
-1978 || WEB-MISC xp_regdeletekey attempt
-1979 || WEB-MISC perl post attempt || bugtraq,5520 || cve,2002-1436 || nessus,11158
-1980 || BACKDOOR DeepThroat 3.1 Connection attempt || mcafee,98574 || nessus,10053
-1981 || BACKDOOR DeepThroat 3.1 Connection attempt [3150] || mcafee,98574 || nessus,10053
-1982 || BACKDOOR DeepThroat 3.1 Server Response [3150] || arachnids,106 || mcafee,98574 || nessus,10053
-1983 || BACKDOOR DeepThroat 3.1 Connection attempt [4120] || mcafee,98574 || nessus,10053
-1984 || BACKDOOR DeepThroat 3.1 Server Response [4120] || arachnids,106 || mcafee,98574 || nessus,10053
-1985 || BACKDOOR Doly 1.5 server response
-1986 || CHAT MSN outbound file transfer request
-1987 || MISC xfs overflow attempt || bugtraq,6241 || cve,2002-1317 || nessus,11188
-1988 || CHAT MSN outbound file transfer accept
-1989 || CHAT MSN outbound file transfer rejected
-1990 || CHAT MSN user search
-1991 || CHAT MSN login attempt
-1992 || FTP LIST directory traversal attempt || bugtraq,2618 || cve,2001-0680 || cve,2002-1054 || nessus,11112
-1993 || IMAP login literal buffer overflow attempt || bugtraq,6298
-1994 || WEB-CGI vpasswd.cgi access || bugtraq,6038 || nessus,11165
-1995 || WEB-CGI alya.cgi access || nessus,11118
-1996 || WEB-CGI viralator.cgi access || bugtraq,3495 || cve,2001-0849 || nessus,11107
-1997 || WEB-PHP read_body.php access attempt || bugtraq,6302 || cve,2002-1341
-1998 || WEB-PHP calendar.php access || bugtraq,5820 || bugtraq,9353 || nessus,11179
-1999 || WEB-PHP edit_image.php access || bugtraq,3288 || cve,2001-1020 || nessus,11104
-2000 || WEB-PHP readmsg.php access || cve,2001-1408 || nessus,11073
-2001 || WEB-CGI smartsearch.cgi access || bugtraq,7133
-2002 || WEB-PHP remote include path
-2003 || MS-SQL Worm propagation attempt || bugtraq,5310 || bugtraq,5311 || cve,2002-0649 || nessus,11214 || url,vil.nai.com/vil/content/v_99992.htm
-2004 || MS-SQL Worm propagation attempt OUTBOUND || bugtraq,5310 || bugtraq,5311 || cve,2002-0649 || nessus,11214 || url,vil.nai.com/vil/content/v_99992.htm
-2005 || RPC portmap kcms_server request UDP || bugtraq,6665 || cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785
-2006 || RPC portmap kcms_server request TCP || bugtraq,6665 || cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785
-2007 || RPC kcms_server directory traversal attempt || bugtraq,6665 || cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785
-2008 || MISC CVS invalid user authentication response
-2009 || MISC CVS invalid repository response
-2010 || MISC CVS double free exploit attempt response || bugtraq,6650 || cve,2003-0015
-2011 || MISC CVS invalid directory response || bugtraq,6650 || cve,2003-0015
-2012 || MISC CVS missing cvsroot response
-2013 || MISC CVS invalid module response
-2014 || RPC portmap UNSET attempt TCP 111 || bugtraq,1892
-2015 || RPC portmap UNSET attempt UDP 111 || bugtraq,1892
-2016 || RPC portmap status request TCP || arachnids,15
-2017 || RPC portmap espd request UDP || bugtraq,2714 || cve,2001-0331
-2018 || RPC mountd TCP dump request
-2019 || RPC mountd UDP dump request
-2020 || RPC mountd TCP unmount request
-2021 || RPC mountd UDP unmount request
-2022 || RPC mountd TCP unmountall request
-2023 || RPC mountd UDP unmountall request
-2024 || RPC RQUOTA getquota overflow attempt TCP || bugtraq,864 || cve,1999-0974
-2025 || RPC yppasswd username overflow attempt UDP || bugtraq,2763 || cve,2001-0779
-2026 || RPC yppasswd username overflow attempt TCP || bugtraq,2763 || cve,2001-0779
-2027 || RPC yppasswd old password overflow attempt UDP || bugtraq,2763 || cve,2001-0779
-2028 || RPC yppasswd old password overflow attempt TCP || bugtraq,2763 || cve,2001-0779
-2029 || RPC yppasswd new password overflow attempt UDP || bugtraq,2763 || cve,2001-0779
-2030 || RPC yppasswd new password overflow attempt TCP || bugtraq,2763 || cve,2001-0779
-2031 || RPC yppasswd user update UDP || bugtraq,2763 || cve,2001-0779
-2032 || RPC yppasswd user update TCP || bugtraq,2763 || cve,2001-0779
-2033 || RPC ypserv maplist request UDP || bugtraq,5914 || bugtraq,6016 || cve,2002-1232
-2034 || RPC ypserv maplist request TCP || Cve,CAN-2002-1232 || bugtraq,5914 || bugtraq,6016
-2035 || RPC portmap network-status-monitor request UDP
-2036 || RPC portmap network-status-monitor request TCP
-2037 || RPC network-status-monitor mon-callback request UDP
-2038 || RPC network-status-monitor mon-callback request TCP
-2039 || MISC bootp hostname format string attempt || bugtraq,4701 || cve,2002-0702 || nessus,11312
-2040 || POLICY xtacacs login attempt
-2041 || MISC xtacacs failed login response
-2042 || POLICY xtacacs accepted login response
-2043 || MISC isakmp login failed
-2044 || POLICY PPTP Start Control Request attempt
-2045 || RPC snmpXdmi overflow attempt UDP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html
-2046 || IMAP partial body.peek buffer overflow attempt || bugtraq,4713 || cve,2002-0379
-2047 || MISC rsyncd module list access
-2048 || MISC rsyncd overflow attempt || bugtraq,9153 || cve,2003-0962 || nessus,11943
-2049 || MS-SQL ping attempt || nessus,10674
-2050 || MS-SQL version overflow attempt || bugtraq,5310 || cve,2002-0649 || nessus,10674
-2051 || WEB-CGI cached_feed.cgi moreover shopping cart access || bugtraq,1762 || cve,2000-0906
-2052 || WEB-CGI overflow.cgi access || bugtraq,6326 || cve,2002-1361 || nessus,11190 || url,www.cert.org/advisories/CA-2002-35.html
-2053 || WEB-CGI process_bug.cgi access || bugtraq,3272 || cve,2002-0008
-2054 || WEB-CGI enter_bug.cgi arbitrary command attempt || bugtraq,3272 || cve,2002-0008
-2055 || WEB-CGI enter_bug.cgi access || bugtraq,3272 || cve,2002-0008
-2056 || WEB-MISC TRACE attempt || bugtraq,9561 || nessus,11213 || url,www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
-2057 || WEB-MISC helpout.exe access || bugtraq,6002 || cve,2002-1169 || nessus,11162
-2058 || WEB-MISC MsmMask.exe attempt || nessus,11163
-2059 || WEB-MISC MsmMask.exe access || nessus,11163
-2060 || WEB-MISC DB4Web access || nessus,11180
-2061 || WEB-MISC Tomcat null byte directory listing attempt || bugtraq,2518 || bugtraq,6721 || cve,2003-0042
-2062 || WEB-MISC iPlanet .perf access || nessus,11220
-2063 || WEB-MISC Demarc SQL injection attempt || bugtraq,4520 || cve,2002-0539
-2064 || WEB-MISC Lotus Notes .csp script source download attempt || bugtraq,6841
-2065 || WEB-MISC Lotus Notes .csp script source download attempt
-2066 || WEB-MISC Lotus Notes .pl script source download attempt || bugtraq,6841
-2067 || WEB-MISC Lotus Notes .exe script source download attempt || bugtraq,6841
-2068 || WEB-MISC BitKeeper arbitrary command attempt || bugtraq,6588
-2069 || WEB-MISC chip.ini access || bugtraq,2755 || bugtraq,2775 || cve,2001-0749 || cve,2001-0771
-2070 || WEB-MISC post32.exe arbitrary command attempt || bugtraq,1485
-2071 || WEB-MISC post32.exe access || bugtraq,1485
-2072 || WEB-MISC lyris.pl access || bugtraq,1584 || cve,2000-0758
-2073 || WEB-MISC globals.pl access || bugtraq,2671 || cve,2001-0330
-2074 || WEB-PHP Mambo uploadimage.php upload php file attempt || bugtraq,6572
-2075 || WEB-PHP Mambo upload.php upload php file attempt || bugtraq,6572
-2076 || WEB-PHP Mambo uploadimage.php access || bugtraq,6572
-2077 || WEB-PHP Mambo upload.php access || bugtraq,6572
-2078 || WEB-PHP phpBB privmsg.php access || bugtraq,6634
-2079 || RPC portmap nlockmgr request UDP || bugtraq,1372 || cve,2000-0508
-2080 || RPC portmap nlockmgr request TCP || bugtraq,1372 || cve,2000-0508
-2081 || RPC portmap rpc.xfsmd request UDP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359
-2082 || RPC portmap rpc.xfsmd request TCP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359
-2083 || RPC rpc.xfsmd xfs_export attempt UDP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359
-2084 || RPC rpc.xfsmd xfs_export attempt TCP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359
-2085 || WEB-CGI parse_xml.cgi access || bugtraq,6960 || cve,2003-0054
-2086 || WEB-CGI streaming server parse_xml.cgi access || bugtraq,6960 || cve,2003-0054
-2087 || SMTP From comment overflow attempt || bugtraq,6991 || cve,2002-1337 || url,www.kb.cert.org/vuls/id/398025
-2088 || RPC ypupdated arbitrary command attempt UDP
-2089 || RPC ypupdated arbitrary command attempt TCP
-2090 || WEB-IIS WEBDAV exploit attempt || bugtraq,7116 || bugtraq,7716 || cve,2003-0109 || nessus,11413 || url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx
-2091 || WEB-IIS WEBDAV nessus safe scan attempt || bugtraq,7116 || cve,2003-0109 || nessus,11412 || nessus,11413 || url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx
-2092 || RPC portmap proxy integer overflow attempt UDP || bugtraq,7123 || cve,2003-0028
-2093 || RPC portmap proxy integer overflow attempt TCP || bugtraq,7123 || cve,2003-0028
-2094 || RPC CMSD UDP CMSD_CREATE array buffer overflow attempt || bugtraq,5356 || cve,2002-0391
-2095 || RPC CMSD TCP CMSD_CREATE array buffer overflow attempt || bugtraq,5356 || cve,2002-0391
-2100 || BACKDOOR SubSeven 2.1 Gold server connection response || mcafee,10566 || nessus,10409
-2101 || NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt || bugtraq,5556 || cve,2002-0724 || nessus,11110 || url,www.corest.com/common/showdoc.php?idx=262 || url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx
-2102 || NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt || bugtraq,5556 || cve,2002-0724 || nessus,11110 || url,www.corest.com/common/showdoc.php?idx=262 || url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx
-2103 || NETBIOS SMB trans2open buffer overflow attempt || bugtraq,7294 || cve,2003-0201 || url,www.digitaldefense.net/labs/advisories/DDI-1013.txt
-2104 || ATTACK-RESPONSES rexec username too long response || bugtraq,7459
-2105 || IMAP authenticate literal overflow attempt || cve,1999-0042 || nessus,10292
-2106 || IMAP lsub overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374
-2107 || IMAP create buffer overflow attempt || bugtraq,7446
-2108 || POP3 CAPA overflow attempt
-2109 || POP3 TOP overflow attempt
-2110 || POP3 STAT overflow attempt
-2111 || POP3 DELE overflow attempt
-2112 || POP3 RSET overflow attempt
-2113 || RSERVICES rexec username overflow attempt
-2114 || RSERVICES rexec password overflow attempt
-2115 || WEB-CGI album.pl access || bugtraq,7444 || nessus,11581
-2116 || WEB-CGI chipcfg.cgi access || bugtraq,2767 || cve,2001-1341 || url,archives.neohapsis.com/archives/bugtraq/2001-05/0233.html
-2117 || WEB-IIS Battleaxe Forum login.asp access || bugtraq,7416 || cve,2003-0215
-2118 || IMAP list overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374
-2119 || IMAP rename literal overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374
-2120 || IMAP create literal buffer overflow attempt || bugtraq,7446
-2121 || POP3 DELE negative argument attempt || bugtraq,6053 || bugtraq,7445 || cve,2002-1539
-2122 || POP3 UIDL negative argument attempt || bugtraq,6053 || cve,2002-1539 || nessus,11570
-2123 || ATTACK-RESPONSES Microsoft cmd.exe banner || nessus,11633
-2124 || BACKDOOR Remote PC Access connection attempt || nessus,11673
-2125 || FTP CWD Root directory transversal attempt || bugtraq,7674 || cve,2003-0392 || nessus,11677
-2126 || MISC Microsoft PPTP Start Control Request buffer overflow attempt || bugtraq,5807 || cve,2002-1214 || url,www.microsoft.com/technet/security/bulletin/MS02-063.mspx
-2127 || WEB-CGI ikonboard.cgi access || bugtraq,7361 || nessus,11605
-2128 || WEB-CGI swsrv.cgi access || bugtraq,7510 || cve,2003-0217 || nessus,11608
-2129 || WEB-IIS nsiislog.dll access || bugtraq,8035 || cve,2003-0227 || cve,2003-0349 || nessus,11664 || url,www.microsoft.com/technet/security/bulletin/ms03-018.mspx
-2130 || WEB-IIS IISProtect siteadmin.asp access || bugtraq,7675 || cve,2003-0377 || nessus,11662
-2131 || WEB-IIS IISProtect access || nessus,11661
-2132 || WEB-IIS Synchrologic Email Accelerator userid list access attempt || nessus,11657
-2133 || WEB-IIS MS BizTalk server access || bugtraq,7469 || bugtraq,7470 || cve,2003-0117 || cve,2003-0118 || nessus,11638 || url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx
-2134 || WEB-IIS register.asp access || nessus,11621
-2135 || WEB-MISC philboard.mdb access || nessus,11682
-2136 || WEB-MISC philboard_admin.asp authentication bypass attempt || bugtraq,7739 || nessus,11675
-2137 || WEB-MISC philboard_admin.asp access || bugtraq,7739 || nessus,11675
-2138 || WEB-MISC logicworks.ini access || bugtraq,6996 || nessus,11639
-2139 || WEB-MISC /*.shtml access || bugtraq,1517 || cve,2000-0683 || nessus,11604
-2140 || WEB-PHP p-news.php access || nessus,11669
-2141 || WEB-PHP shoutbox.php directory traversal attempt || nessus,11668
-2142 || WEB-PHP shoutbox.php access || nessus,11668
-2143 || WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt || nessus,11667
-2144 || WEB-PHP b2 cafelog gm-2-b2.php access || nessus,11667
-2145 || WEB-PHP TextPortal admin.php default password admin attempt || bugtraq,7673 || nessus,11660
-2146 || WEB-PHP TextPortal admin.php default password 12345 attempt || bugtraq,7673 || nessus,11660
-2147 || WEB-PHP BLNews objects.inc.php4 remote file include attempt || bugtraq,7677 || cve,2003-0394 || nessus,11647
-2148 || WEB-PHP BLNews objects.inc.php4 access || bugtraq,7677 || cve,2003-0394 || nessus,11647
-2149 || WEB-PHP Turba status.php access || nessus,11646
-2150 || WEB-PHP ttCMS header.php remote file include attempt || bugtraq,7542 || bugtraq,7543 || bugtraq,7625 || nessus,11636
-2151 || WEB-PHP ttCMS header.php access || bugtraq,7542 || bugtraq,7543 || bugtraq,7625 || nessus,11636
-2152 || WEB-PHP test.php access || nessus,11617
-2153 || WEB-PHP autohtml.php directory traversal attempt || nessus,11630
-2154 || WEB-PHP autohtml.php access || nessus,11630
-2155 || WEB-PHP ttforum remote file include attempt || bugtraq,7542 || bugtraq,7543 || nessus,11615
-2156 || WEB-MISC mod_gzip_status access || nessus,11685
-2157 || WEB-IIS IISProtect globaladmin.asp access || nessus,11661
-2158 || MISC BGP invalid length || bugtraq,6213 || cve,2002-1350 || url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575
-2159 || MISC BGP invalid type 0 || bugtraq,6213 || cve,2002-1350
-2160 || VIRUS OUTBOUND .exe file attachment
-2161 || VIRUS OUTBOUND .doc file attachment
-2162 || VIRUS OUTBOUND .hta file attachment
-2163 || VIRUS OUTBOUND .chm file attachment
-2164 || VIRUS OUTBOUND .reg file attachment
-2165 || VIRUS OUTBOUND .ini file attachment
-2166 || VIRUS OUTBOUND .bat file attachment
-2167 || VIRUS OUTBOUND .diz file attachment
-2168 || VIRUS OUTBOUND .cpp file attachment
-2169 || VIRUS OUTBOUND .dll file attachment
-2170 || VIRUS OUTBOUND .vxd file attachment
-2171 || VIRUS OUTBOUND .sys file attachment
-2172 || VIRUS OUTBOUND .com file attachment
-2173 || VIRUS OUTBOUND .hsq file attachment
-2174 || NETBIOS SMB winreg create tree attempt
-2175 || NETBIOS SMB winreg unicode create tree attempt
-2176 || NETBIOS SMB startup folder access
-2177 || NETBIOS SMB startup folder unicode access
-2178 || FTP USER format string attempt || bugtraq,7474 || bugtraq,7776 || bugtraq,9262 || bugtraq,9402 || bugtraq,9600 || bugtraq,9800 || cve,2004-0277 || nessus,10041 || nessus,11687
-2179 || FTP PASS format string attempt || bugtraq,7474 || bugtraq,9262 || bugtraq,9800 || cve,2000-0699
-2180 || P2P BitTorrent announce request
-2181 || P2P BitTorrent transfer
-2182 || BACKDOOR typot trojan traffic || mcafee,100406
-2183 || SMTP Content-Transfer-Encoding overflow attempt || cve,2003-0161 || url,www.cert.org/advisories/CA-2003-12.html
-2184 || RPC mountd TCP mount path overflow attempt || bugtraq,8179 || cve,2003-0252 || nessus,11800
-2185 || RPC mountd UDP mount path overflow attempt || bugtraq,8179 || cve,2003-0252 || nessus,11800
-2186 || BAD-TRAFFIC IP Proto 53 SWIPE || bugtraq,8211 || cve,2003-0567
-2187 || BAD-TRAFFIC IP Proto 55 IP Mobility || bugtraq,8211 || cve,2003-0567
-2188
|| BAD-TRAFFIC IP Proto 77 Sun ND || bugtraq,8211 || cve,2003-0567 -2189 || BAD-TRAFFIC IP Proto 103 PIM || bugtraq,8211 || cve,2003-0567 -2190 || NETBIOS DCERPC invalid bind attempt -2191 || NETBIOS SMB DCERPC invalid bind attempt -2192 || NETBIOS DCERPC ISystemActivator bind attempt || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -2193 || NETBIOS SMB-DS DCERPC ISystemActivator bind attempt || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -2194 || WEB-CGI CSMailto.cgi access || bugtraq,4579 || bugtraq,6265 || cve,2002-0749 || nessus,11748 -2195 || WEB-CGI alert.cgi access || bugtraq,4211 || bugtraq,4579 || cve,2002-0346 || nessus,11748 -2196 || WEB-CGI catgy.cgi access || bugtraq,3714 || bugtraq,4579 || cve,2001-1212 || nessus,11748 -2197 || WEB-CGI cvsview2.cgi access || bugtraq,4579 || bugtraq,5517 || cve,2003-0153 || nessus,11748 -2198 || WEB-CGI cvslog.cgi access || bugtraq,4579 || bugtraq,5517 || cve,2003-0153 || nessus,11748 -2199 || WEB-CGI multidiff.cgi access || bugtraq,4579 || bugtraq,5517 || cve,2003-0153 || nessus,11748 -2200 || WEB-CGI dnewsweb.cgi access || bugtraq,1172 || bugtraq,4579 || cve,2000-0423 || nessus,11748 -2201 || WEB-CGI download.cgi access || bugtraq,4579 || cve,1999-1377 || nessus,11748 -2202 || WEB-CGI edit_action.cgi access || bugtraq,3698 || bugtraq,4579 || cve,2001-1196 || nessus,11748 -2203 || WEB-CGI everythingform.cgi access || bugtraq,2101 || bugtraq,4579 || cve,2001-0023 || nessus,11748 -2204 || WEB-CGI ezadmin.cgi access || bugtraq,4068 || bugtraq,4579 || cve,2002-0263 || nessus,11748 -2205 || WEB-CGI ezboard.cgi access || bugtraq,4068 || bugtraq,4579 || cve,2002-0263 || nessus,11748 -2206 || WEB-CGI ezman.cgi access || bugtraq,4068 || bugtraq,4579 || cve,2002-0263 || nessus,11748 -2207 || WEB-CGI fileseek.cgi access || bugtraq,4579 || bugtraq,6784 || cve,2002-0611 || nessus,11748 -2208 || 
WEB-CGI fom.cgi access || bugtraq,4579 || cve,2002-0230 || nessus,11748 -2209 || WEB-CGI getdoc.cgi access || bugtraq,4579 || cve,2000-0288 || nessus,11748 -2210 || WEB-CGI global.cgi access || bugtraq,4579 || cve,2000-0952 || nessus,11748 -2211 || WEB-CGI guestserver.cgi access || bugtraq,4579 || cve,2001-0180 || nessus,11748 -2212 || WEB-CGI imageFolio.cgi access || bugtraq,4579 || bugtraq,6265 || cve,2002-1334 || nessus,11748 -2213 || WEB-CGI mailfile.cgi access || bugtraq,1807 || bugtraq,4579 || cve,2000-0977 || nessus,11748 -2214 || WEB-CGI mailview.cgi access || bugtraq,1335 || bugtraq,4579 || cve,2000-0526 || nessus,11748 -2215 || WEB-CGI nsManager.cgi access || bugtraq,1710 || bugtraq,4579 || cve,2000-1023 || nessus,11748 -2216 || WEB-CGI readmail.cgi access || bugtraq,3427 || bugtraq,4579 || cve,2001-1283 || nessus,11748 -2217 || WEB-CGI printmail.cgi access || bugtraq,3427 || bugtraq,4579 || cve,2001-1283 || nessus,11748 -2218 || WEB-CGI service.cgi access || bugtraq,4211 || bugtraq,4579 || cve,2002-0346 || nessus,11748 -2219 || WEB-CGI setpasswd.cgi access || bugtraq,2212 || bugtraq,4579 || cve,2001-0133 || nessus,11748 -2220 || WEB-CGI simplestmail.cgi access || bugtraq,2106 || bugtraq,4579 || cve,2001-0022 || nessus,11748 -2221 || WEB-CGI ws_mail.cgi access || bugtraq,2861 || bugtraq,4579 || cve,2001-1343 || nessus,11748 -2222 || WEB-CGI nph-exploitscanget.cgi access || bugtraq,7910 || bugtraq,7911 || bugtraq,7913 || cve,2003-0434 || nessus,11740 -2223 || WEB-CGI csNews.cgi access || bugtraq,4994 || cve,2002-0923 || nessus,11726 -2224 || WEB-CGI psunami.cgi access || bugtraq,6607 || nessus,11750 -2225 || WEB-CGI gozila.cgi access || bugtraq,6086 || cve,2002-1236 || nessus,11773 -2226 || WEB-PHP pmachine remote file include attempt || bugtraq,7919 || nessus,11739 -2227 || WEB-PHP forum_details.php access || bugtraq,7933 || nessus,11760 -2228 || WEB-PHP phpMyAdmin db_details_importdocsql.php access || bugtraq,7962 || bugtraq,7965 || nessus,11761 -2229 || 
WEB-PHP viewtopic.php access || bugtraq,7979 || cve,2003-0486 || nessus,11767 -2230 || WEB-MISC NetGear router default password login attempt admin/password || nessus,11737 -2231 || WEB-MISC register.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 -2232 || WEB-MISC ContentFilter.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 -2233 || WEB-MISC SFNofitication.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 -2234 || WEB-MISC TOP10.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 -2235 || WEB-MISC SpamExcp.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 -2236 || WEB-MISC spamrule.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 -2237 || WEB-MISC cgiWebupdate.exe access || bugtraq,3216 || cve,2001-1150 || nessus,11722 -2238 || WEB-MISC WebLogic ConsoleHelp view source attempt || bugtraq,1518 || cve,2000-0682 || nessus,11724 -2239 || WEB-MISC redirect.exe access || bugtraq,1256 || cve,2000-0401 -2240 || WEB-MISC changepw.exe access || bugtraq,1256 || cve,2000-0401 -2241 || WEB-MISC cwmail.exe access || bugtraq,4093 || cve,2002-0273 || nessus,11727 -2242 || WEB-MISC ddicgi.exe access || bugtraq,1657 || cve,2000-0826 || nessus,11728 -2243 || WEB-MISC ndcgi.exe access || bugtraq,3583 || cve,2001-0922 || nessus,11730 -2244 || WEB-MISC VsSetCookie.exe access || bugtraq,3784 || cve,2002-0236 || nessus,11731 -2245 || WEB-MISC Webnews.exe access || bugtraq,4124 || cve,2002-0290 || nessus,11732 -2246 || WEB-MISC webadmin.dll access || bugtraq,7438 || bugtraq,7439 || bugtraq,8024 || cve,2003-0471 || nessus,11771 -2247 || WEB-IIS UploadScript11.asp access || cve,2001-0938 -2248 || WEB-IIS DirectoryListing.asp access || cve,2001-0938 -2249 || WEB-IIS /pcadmin/login.asp access || bugtraq,8103 || nessus,11785 -2250 || POP3 USER format string attempt || bugtraq,10976 || bugtraq,7667 || cve,2003-0391 || nessus,11742 -2251 || NETBIOS DCERPC Remote Activation bind attempt || bugtraq,8234 || bugtraq,8458 || 
cve,2003-0528 || cve,2003-0605 || cve,2003-0715 || nessus,11798 || nessus,11835 || url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx -2252 || NETBIOS SMB-DS DCERPC Remote Activation bind attempt || bugtraq,8234 || bugtraq,8458 || cve,2003-0528 || cve,2003-0605 || cve,2003-0715 || nessus,11798 || nessus,11835 || url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx -2253 || SMTP XEXCH50 overflow attempt || bugtraq,8838 || cve,2003-0714 || nessus,11889 || url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx -2254 || SMTP XEXCH50 overflow with evasion attempt || url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx -2255 || RPC sadmind query with root credentials attempt TCP -2256 || RPC sadmind query with root credentials attempt UDP -2257 || NETBIOS DCERPC Messenger Service buffer overflow attempt || bugtraq,8826 || cve,2003-0717 || nessus,11888 || nessus,11890 || url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx -2258 || NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt || bugtraq,8826 || cve,2003-0717 || nessus,11888 || nessus,11890 || url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx -2259 || SMTP EXPN overflow attempt || bugtraq,6991 || bugtraq,7230 || cve,2002-1337 || cve,2003-0161 -2260 || SMTP VRFY overflow attempt || bugtraq,6991 || bugtraq,7230 || cve,2002-1337 || cve,2003-0161 -2261 || SMTP SEND FROM sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337 || nessus,11316 -2262 || SMTP SEND FROM sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161 -2263 || SMTP SAML FROM sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337 -2264 || SMTP SAML FROM sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161 -2265 || SMTP SOML FROM sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337 -2266 || SMTP SOML FROM sendmail prescan too long addresses overflow || bugtraq,7230 || 
cve,2003-0161 -2267 || SMTP MAIL FROM sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337 -2268 || SMTP MAIL FROM sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161 -2269 || SMTP RCPT TO sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337 -2270 || SMTP RCPT TO sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161 -2271 || BACKDOOR FsSniffer connection attempt || nessus,11854 -2272 || FTP LIST integer overflow attempt || bugtraq,8875 || cve,2003-0853 || cve,2003-0854 -2273 || IMAP login brute force attempt -2274 || POP3 login brute force attempt -2275 || SMTP AUTH LOGON brute force attempt -2276 || WEB-MISC oracle portal demo access || nessus,11918 -2277 || WEB-MISC PeopleSoft PeopleBooks psdoccgi access || bugtraq,9037 || bugtraq,9038 || cve,2003-0626 || cve,2003-0627 -2278 || WEB-MISC client negative Content-Length attempt || bugtraq,9098 || bugtraq,9476 || bugtraq,9576 || cve,2004-0095 -2279 || WEB-PHP UpdateClasses.php access || bugtraq,9057 -2280 || WEB-PHP Title.php access || bugtraq,9057 -2281 || WEB-PHP Setup.php access || bugtraq,9057 -2282 || WEB-PHP GlobalFunctions.php access || bugtraq,9057 -2283 || WEB-PHP DatabaseFunctions.php access || bugtraq,9057 -2284 || WEB-PHP rolis guestbook remote file include attempt || bugtraq,9057 -2285 || WEB-PHP rolis guestbook access || bugtraq,9057 -2286 || WEB-PHP friends.php access || bugtraq,9088 -2287 || WEB-PHP Advanced Poll admin_comment.php access || bugtraq,8890 || nessus,11487 -2288 || WEB-PHP Advanced Poll admin_edit.php access || bugtraq,8890 || nessus,11487 -2289 || WEB-PHP Advanced Poll admin_embed.php access || bugtraq,8890 || nessus,11487 -2290 || WEB-PHP Advanced Poll admin_help.php access || bugtraq,8890 || nessus,11487 -2291 || WEB-PHP Advanced Poll admin_license.php access || bugtraq,8890 || nessus,11487 -2292 || WEB-PHP Advanced Poll admin_logout.php access || bugtraq,8890 || nessus,11487 -2293 || 
WEB-PHP Advanced Poll admin_password.php access || bugtraq,8890 || nessus,11487 -2294 || WEB-PHP Advanced Poll admin_preview.php access || bugtraq,8890 || nessus,11487 -2295 || WEB-PHP Advanced Poll admin_settings.php access || bugtraq,8890 || nessus,11487 -2296 || WEB-PHP Advanced Poll admin_stats.php access || bugtraq,8890 || nessus,11487 -2297 || WEB-PHP Advanced Poll admin_templates_misc.php access || bugtraq,8890 || nessus,11487 -2298 || WEB-PHP Advanced Poll admin_templates.php access || bugtraq,8890 || nessus,11487 -2299 || WEB-PHP Advanced Poll admin_tpl_misc_new.php access || bugtraq,8890 || nessus,11487 -2300 || WEB-PHP Advanced Poll admin_tpl_new.php access || bugtraq,8890 || nessus,11487 -2301 || WEB-PHP Advanced Poll booth.php access || bugtraq,8890 || nessus,11487 -2302 || WEB-PHP Advanced Poll poll_ssi.php access || bugtraq,8890 || nessus,11487 -2303 || WEB-PHP Advanced Poll popup.php access || bugtraq,8890 || nessus,11487 -2304 || WEB-PHP files.inc.php access || bugtraq,8910 -2305 || WEB-PHP chatbox.php access || bugtraq,8930 -2306 || WEB-PHP gallery remote file include attempt || bugtraq,8814 || nessus,11876 -2307 || WEB-PHP PayPal Storefront remote file include attempt || bugtraq,8791 || nessus,11873 -2308 || NETBIOS SMB DCERPC Workstation Service unicode bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx -2309 || NETBIOS SMB DCERPC Workstation Service bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx -2310 || NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx -2311 || NETBIOS SMB-DS DCERPC Workstation Service bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx -2312 || SHELLCODE x86 0x71FB7BAB NOOP -2313 || SHELLCODE x86 0x71FB7BAB NOOP unicode -2314 || 
SHELLCODE x86 0x90 NOOP unicode -2315 || NETBIOS DCERPC Workstation Service direct service bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx -2316 || NETBIOS DCERPC Workstation Service direct service access attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx -2317 || MISC CVS non-relative path error response || bugtraq,9178 || cve,2003-0977 -2318 || MISC CVS non-relative path access attempt || bugtraq,9178 || cve,2003-0977 -2319 || EXPLOIT ebola PASS overflow attempt || bugtraq,9156 -2320 || EXPLOIT ebola USER overflow attempt || bugtraq,9156 -2321 || WEB-IIS foxweb.exe access || nessus,11939 -2322 || WEB-IIS foxweb.dll access || nessus,11939 -2323 || WEB-CGI quickstore.cgi access || bugtraq,9282 || nessus,11975 -2324 || WEB-IIS VP-ASP shopsearch.asp access || bugtraq,9133 || bugtraq,9134 || nessus,11942 -2325 || WEB-IIS VP-ASP ShopDisplayProducts.asp access || bugtraq,9133 || bugtraq,9134 || nessus,11942 -2326 || WEB-IIS sgdynamo.exe access || bugtraq,4720 || cve,2002-0375 || nessus,11955 -2327 || WEB-MISC bsml.pl access || bugtraq,9311 || nessus,11973 -2328 || WEB-PHP authentication_index.php access || cve,2004-0032 || nessus,11982 -2329 || MS-SQL probe response overflow attempt || bugtraq,9407 || cve,2003-0903 || url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx -2330 || IMAP auth overflow attempt || bugtraq,8861 -2331 || WEB-PHP MatrikzGB privilege escalation attempt || bugtraq,8430 -2332 || FTP MKDIR format string attempt || bugtraq,9262 -2333 || FTP RENAME format string attempt || bugtraq,9262 -2334 || FTP Yak! 
FTP server default account login attempt || bugtraq,9072 -2335 || FTP RMD / attempt || bugtraq,9159 -2336 || TFTP NULL command attempt || bugtraq,7575 -2337 || TFTP PUT filename overflow attempt || bugtraq,7819 || bugtraq,8505 || cve,2003-0380 -2338 || FTP LIST buffer overflow attempt || bugtraq,10181 || bugtraq,6869 || bugtraq,7251 || bugtraq,7861 || bugtraq,8486 || bugtraq,9675 || cve,1999-0349 || cve,1999-1510 || cve,2000-0129 || url,www.microsoft.com/technet/security/bulletin/MS99-003.mspx -2339 || TFTP NULL command attempt || bugtraq,7575 -2340 || FTP SITE CHMOD overflow attempt || bugtraq,10181 || bugtraq,9483 || bugtraq,9675 || cve,1999-0838 || nessus,12037 -2341 || WEB-PHP DCP-Portal remote file include attempt || bugtraq,6525 -2342 || WEB-PHP DCP-Portal remote file include attempt || bugtraq,6525 -2343 || FTP STOR overflow attempt || bugtraq,8668 || cve,2000-0133 -2344 || FTP XCWD overflow attempt || bugtraq,11542 || bugtraq,8704 -2345 || WEB-PHP PhpGedView search.php access || bugtraq,9369 || cve,2004-0032 -2346 || WEB-PHP myPHPNuke chatheader.php access || bugtraq,6544 -2347 || WEB-PHP myPHPNuke partner.php access || bugtraq,6544 -2348 || NETBIOS SMB-DS DCERPC print spool bind attempt -2349 || NETBIOS SMB-DS DCERPC enumerate printers request attempt -2350 || NETBIOS DCERPC ISystemActivator bind accept || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -2351 || NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -2352 || NETBIOS DCERPC ISystemActivator path overflow attempt big endian unicode || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -2353 || WEB-PHP IdeaBox cord.php file include || bugtraq,7488 -2354 || WEB-PHP IdeaBox notification.php file include || bugtraq,7488 -2355 || WEB-PHP 
Invision Board emailer.php file include || bugtraq,7204 -2356 || WEB-PHP WebChat db_mysql.php file include || bugtraq,7000 -2357 || WEB-PHP WebChat english.php file include || bugtraq,7000 -2358 || WEB-PHP Typo3 translations.php file include || bugtraq,6984 -2359 || WEB-PHP Invision Board ipchat.php file include || bugtraq,6976 -2360 || WEB-PHP myphpPagetool pt_config.inc file include || bugtraq,6744 -2361 || WEB-PHP news.php file include || bugtraq,6674 -2362 || WEB-PHP YaBB SE packages.php file include || bugtraq,6663 -2363 || WEB-PHP Cyboards default_header.php access || bugtraq,6597 -2364 || WEB-PHP Cyboards options_form.php access || bugtraq,6597 -2365 || WEB-PHP newsPHP Language file include attempt || bugtraq,8488 -2366 || WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt || bugtraq,9368 || cve,2004-0030 -2367 || WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt || bugtraq,9368 || cve,2004-0030 -2368 || WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt || bugtraq,9368 || cve,2004-0030 -2369 || WEB-MISC ISAPISkeleton.dll access || bugtraq,9516 -2370 || WEB-MISC BugPort config.conf file access || bugtraq,9542 -2371 || WEB-MISC Sample_showcode.html access || bugtraq,9555 -2372 || WEB-PHP Photopost PHP Pro showphoto.php access || bugtraq,9557 -2373 || FTP XMKD overflow attempt || bugtraq,7909 || cve,2000-0133 || cve,2001-1021 -2374 || FTP NLST overflow attempt || bugtraq,10184 || bugtraq,7909 || bugtraq,9675 || cve,1999-1544 -2375 || BACKDOOR DoomJuice file upload attempt || url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html -2376 || EXPLOIT ISAKMP first payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040 -2377 || EXPLOIT ISAKMP second payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040 -2378 || EXPLOIT ISAKMP third payload certificate request length overflow attempt || bugtraq,9582 || 
cve,2004-0040 -2379 || EXPLOIT ISAKMP forth payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040 -2380 || EXPLOIT ISAKMP fifth payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040 -2381 || WEB-MISC schema overflow attempt || bugtraq,9581 || cve,2004-0039 || nessus,12084 -2382 || NETBIOS SMB Session Setup NTMLSSP asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx -2383 || NETBIOS SMB-DS Session Setup NTMLSSP asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx -2384 || NETBIOS SMB NTLMSSP invalid mechlistMIC attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12054 || nessus,12065 -2385 || NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12054 || nessus,12065 -2386 || WEB-IIS NTLM ASN.1 vulnerability scan attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12055 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx -2387 || WEB-CGI view_broadcast.cgi access || bugtraq,8257 || cve,2003-0422 -2388 || WEB-CGI streaming server view_broadcast.cgi access || bugtraq,8257 || cve,2003-0422 -2389 || FTP RNTO overflow attempt || bugtraq,8315 || cve,2000-0133 || cve,2001-1021 || cve,2003-0466 -2390 || FTP STOU overflow attempt || bugtraq,8315 || cve,2003-0466 -2391 || FTP APPE overflow attempt || bugtraq,8315 || bugtraq,8542 || cve,2000-0133 || cve,2003-0466 -2392 || FTP RETR overflow attempt || bugtraq,8315 || cve,2003-0466 || cve,2004-0287 || cve,2004-0298 -2393 || WEB-PHP /_admin access || bugtraq,9537 || nessus,12032 -2394 || WEB-MISC Compaq web-based management agent denial of service attempt || bugtraq,8014 
-2395 || WEB-MISC InteractiveQuery.jsp access || bugtraq,8938 || cve,2003-0624 -2396 || WEB-CGI CCBill whereami.cgi arbitrary command execution attempt || bugtraq,8095 || url,secunia.com/advisories/9191/ -2397 || WEB-CGI CCBill whereami.cgi access || bugtraq,8095 || url,secunia.com/advisories/9191/ -2398 || WEB-PHP WAnewsletter newsletter.php file include attempt || bugtraq,6965 -2399 || WEB-PHP WAnewsletter db_type.php access || bugtraq,6964 -2400 || WEB-MISC edittag.pl access || bugtraq,6675 -2401 || NETBIOS SMB Session Setup AndX request username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html -2402 || NETBIOS SMB-DS Session Setup AndX request username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html -2403 || NETBIOS SMB Session Setup AndX request unicode username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html -2404 || NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html -2405 || WEB-PHP phptest.php access || bugtraq,9737 -2406 || TELNET APC SmartSlot default admin account attempt || bugtraq,9681 || cve,2004-0311 || nessus,12066 -2407 || WEB-MISC util.pl access || bugtraq,9748 -2408 || WEB-MISC Invision Power Board search.pl access || bugtraq,9766 -2409 || POP3 APOP USER overflow attempt || bugtraq,9794 -2410 || WEB-PHP IGeneric Free Shopping Cart page.php access || bugtraq,9773 -2411 || WEB-MISC Real Server DESCRIBE buffer overflow attempt || bugtraq,8476 || url,www.service.real.com/help/faq/security/rootexploit091103.html -2412 || ATTACK-RESPONSES successful cross site scripting forced download attempt -2413 || EXPLOIT ISAKMP delete hash with empty hash attempt || bugtraq,9416 || bugtraq,9417 || cve,2004-0164 -2414 || EXPLOIT ISAKMP initial contact notification without SPI attempt || bugtraq,9416 || bugtraq,9417 || 
cve,2004-0164 -2415 || EXPLOIT ISAKMP second payload initial contact notification without SPI attempt || bugtraq,9416 || bugtraq,9417 || cve,2004-0164 -2416 || FTP invalid MDTM command attempt || bugtraq,9751 || cve,2001-1021 || cve,2004-0330 -2417 || FTP format string attempt -2418 || MISC MS Terminal Server no encryption session initiation attempt || url,www.microsoft.com/technet/security/bulletin/MS01-052.mspx -2419 || MULTIMEDIA realplayer .ram playlist download attempt -2420 || MULTIMEDIA realplayer .rmp playlist download attempt -2421 || MULTIMEDIA realplayer .smi playlist download attempt -2422 || MULTIMEDIA realplayer .rt playlist download attempt -2423 || MULTIMEDIA realplayer .rp playlist download attempt -2424 || NNTP sendsys overflow attempt || bugtraq,9382 || cve,2004-0045 -2425 || NNTP senduuname overflow attempt || bugtraq,9382 || cve,2004-0045 -2426 || NNTP version overflow attempt || bugtraq,9382 || cve,2004-0045 -2427 || NNTP checkgroups overflow attempt || bugtraq,9382 || cve,2004-0045 -2428 || NNTP ihave overflow attempt || bugtraq,9382 || cve,2004-0045 -2429 || NNTP sendme overflow attempt || bugtraq,9382 || cve,2004-0045 -2430 || NNTP newgroup overflow attempt || bugtraq,9382 || cve,2004-0045 -2431 || NNTP rmgroup overflow attempt || bugtraq,9382 || cve,2004-0045 -2432 || NNTP article post without path attempt -2433 || WEB-CGI MDaemon form2raw.cgi overflow attempt || bugtraq,9317 || url,secunia.com/advisories/10512/ -2434 || WEB-CGI MDaemon form2raw.cgi access || bugtraq,9317 || url,secunia.com/advisories/10512/ -2435 || WEB-CLIENT Microsoft emf metafile access || bugtraq,10120 || bugtraq,9707 || cve,2003-0906 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2436 || WEB-CLIENT Microsoft wmf metafile access || bugtraq,10120 || bugtraq,9707 || cve,2003-0906 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2437 || WEB-CLIENT RealPlayer arbitrary javascript command attempt || bugtraq,8453 || bugtraq,9378 || 
cve,2003-0726 -2438 || WEB-CLIENT RealPlayer playlist file URL overflow attempt || bugtraq,9579 || cve,2004-0258 -2439 || WEB-CLIENT RealPlayer playlist http URL overflow attempt || bugtraq,9579 || cve,2004-0258 -2440 || WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt || bugtraq,9579 || cve,2004-0258 -2441 || WEB-MISC NetObserve authentication bypass attempt || bugtraq,9319 -2442 || WEB-MISC Quicktime User-Agent buffer overflow attempt || bugtraq,9735 || cve,2004-0169 -2443 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html -2444 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html -2445 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html -2446 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER overflow attempt || cve,2004-0362 || url,www.eeye.com/html/Research/Advisories/AD20040318.html -2447 || WEB-MISC ServletManager access || bugtraq,3697 || cve,2001-1195 || nessus,12122 -2448 || WEB-MISC setinfo.hts access || bugtraq,9973 || nessus,12120 -2449 || FTP ALLO overflow attempt || bugtraq,9953 -2450 || CHAT Yahoo IM successful logon -2451 || CHAT Yahoo IM voicechat -2452 || CHAT Yahoo IM ping -2453 || CHAT Yahoo IM conference invitation -2454 || CHAT Yahoo IM conference logon success -2455 || CHAT Yahoo IM conference message -2456 || CHAT Yahoo Messenger File Transfer Receive Request -2457 || CHAT Yahoo IM message -2458 || CHAT Yahoo IM successful chat join -2459 || CHAT Yahoo IM conference offer invitation -2460 || CHAT Yahoo IM conference request -2461 || CHAT Yahoo IM conference watch -2462 || EXPLOIT IGMP IGAP account overflow attempt || bugtraq,9952 || cve,2004-0176 || cve,2004-0367 -2463 || EXPLOIT IGMP IGAP message overflow attempt || bugtraq,9952 || cve,2004-0176 || cve,2004-0367 -2464 || EXPLOIT EIGRP prefix length overflow attempt || 
bugtraq,9952 || cve,2004-0176 || cve,2004-0367 -2465 || NETBIOS SMB-DS IPC$ share access -2466 || NETBIOS SMB-DS IPC$ unicode share access -2467 || NETBIOS SMB D$ unicode share access -2468 || NETBIOS SMB-DS D$ share access -2469 || NETBIOS SMB-DS D$ unicode share access -2470 || NETBIOS SMB C$ unicode share access -2471 || NETBIOS SMB-DS C$ share access -2472 || NETBIOS SMB-DS C$ unicode share access -2473 || NETBIOS SMB ADMIN$ unicode share access -2474 || NETBIOS SMB-DS ADMIN$ share access -2475 || NETBIOS SMB-DS ADMIN$ unicode share access -2476 || NETBIOS SMB-DS winreg create tree attempt -2477 || NETBIOS SMB-DS winreg unicode create tree attempt -2478 || NETBIOS SMB-DS winreg bind attempt -2479 || NETBIOS SMB-DS winreg unicode bind attempt -2480 || NETBIOS SMB-DS InitiateSystemShutdown unicode attempt -2481 || NETBIOS SMB-DS InitiateSystemShutdown unicode little endian attempt -2482 || NETBIOS SMB-DS InitiateSystemShutdown attempt -2483 || NETBIOS SMB-DS InitiateSystemShutdown little endian attempt -2484 || WEB-MISC source.jsp access || nessus,12119 -2485 || WEB-CLIENT Norton antivirus sysmspam.dll load attempt || bugtraq,9916 || cve,2004-0363 -2486 || DOS ISAKMP invalid identification payload attempt || bugtraq,10004 || cve,2004-0184 -2487 || SMTP WinZip MIME content-type buffer overflow || bugtraq,9758 || cve,2004-0333 || nessus,12621 -2488 || SMTP WinZip MIME content-disposition buffer overflow || bugtraq,9758 || cve,2004-0333 || nessus,12621 -2489 || EXPLOIT esignal STREAMQUOTE buffer overflow attempt || bugtraq,9978 -2490 || EXPLOIT esignal SNAPQUOTE buffer overflow attempt || bugtraq,9978 -2491 || NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2492 || NETBIOS SMB DCERPC ISystemActivator bind attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2493 || NETBIOS 
SMB DCERPC ISystemActivator unicode bind attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2494 || NETBIOS DCEPRC ORPCThis request flood attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2495 || NETBIOS SMB DCEPRC ORPCThis request flood attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2496 || NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2497 || IMAP SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2498 || IMAP SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2499 || MISC LDAP SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2500 || POP3 SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2501 || POP3 SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2502 || POP3 SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2503 || SMTP SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2504 || SMTP SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2505 || 
WEB-MISC SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2506 || WEB-MISC SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2507 || NETBIOS DCERPC LSASS bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2508 || NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2509 || NETBIOS SMB DCERPC LSASS unicode bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2510 || NETBIOS SMB DCERPC LSASS bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2511 || NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2512 || NETBIOS SMB-DS DCERPC LSASS bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2513 || NETBIOS SMB-DS DCERPC LSASS unicode bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2514 || NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2515 || WEB-MISC PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2516 || POP3 PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2517 || IMAP PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || 
url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2518 || POP3 PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2520 || WEB-MISC SSLv3 Client_Hello request -2521 || WEB-MISC SSLv3 Server_Hello request -2522 || WEB-MISC SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2523 || DOS BGP spoofed connection reset attempt || bugtraq,10183 || cve,2004-0230 || url,www.uniras.gov.uk/vuls/2004/236929/index.htm -2524 || NETBIOS DCERPC LSASS direct bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2525 || NETBIOS SMB DCERPC LSASS direct bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2526 || NETBIOS SMB-DS DCERPC LSASS direct bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2527 || SMTP STARTTLS attempt -2528 || SMTP PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2529 || IMAP SSLv3 Client_Hello request -2530 || IMAP SSLv3 Server_Hello request -2531 || IMAP SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2532 || POP3 SSLv3 Client_Hello request -2533 || POP3 SSLv3 Server_Hello request -2534 || POP3 SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2535 || POP3 SSLv3 Client_Hello request -2536 || POP3 SSLv3 Server_Hello request -2537 || POP3 SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2541 || SMTP TLS SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || 
nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2542 || SMTP SSLv3 Client_Hello request -2543 || SMTP TLS SSLv3 Server_Hello request || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2544 || SMTP SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2545 || EXPLOIT AFP FPLoginExt username buffer overflow attempt || bugtraq,10271 || cve,2004-0430 || url,www.atstake.com/research/advisories/2004/a050304-1.txt -2546 || FTP MDTM overflow attempt || bugtraq,9751 || cve,2001-1021 || cve,2004-0330 || nessus,12080 -2547 || MISC HP Web JetAdmin remote file upload attempt || bugtraq,9978 -2548 || MISC HP Web JetAdmin setinfo access || bugtraq,9972 -2549 || MISC HP Web JetAdmin file write attempt || bugtraq,9973 -2550 || EXPLOIT winamp XM module name overflow || url,www.nextgenss.com/advisories/winampheap.txt -2551 || EXPLOIT Oracle Web Cache GET overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2552 || EXPLOIT Oracle Web Cache HEAD overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2553 || EXPLOIT Oracle Web Cache PUT overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2554 || EXPLOIT Oracle Web Cache POST overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2555 || EXPLOIT Oracle Web Cache TRACE overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2556 || EXPLOIT Oracle Web Cache DELETE overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2557 || EXPLOIT Oracle Web Cache LOCK overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2558 || EXPLOIT Oracle Web Cache MKCOL overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2559 || EXPLOIT Oracle Web Cache COPY overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2560 || EXPLOIT Oracle Web Cache MOVE overflow attempt || bugtraq,9868 || 
cve,2004-0385 || nessus,12126 -2561 || MISC rsync backup-dir directory traversal attempt || bugtraq,10247 || cve,2004-0426 || nessus,12230 -2562 || WEB-MISC McAfee ePO file upload attempt || bugtraq,10200 || cve,2004-0038 -2563 || NETBIOS NS lookup response name overflow attempt || bugtraq,10333 || bugtraq,10334 || cve,2004-0444 || cve,2004-0445 || url,www.eeye.com/html/Research/Advisories/AD20040512A.html -2564 || NETBIOS NS lookup short response attempt || bugtraq,10334 || bugtraq,10335 || cve,2004-0444 || cve,2004-0445 || url,www.eeye.com/html/Research/Advisories/AD20040512C.html -2565 || WEB-PHP modules.php access || bugtraq,9879 -2566 || WEB-PHP PHPBB viewforum.php access || bugtraq,9865 || bugtraq,9866 || nessus,12093 -2567 || WEB-CGI Emumail init.emu access || bugtraq,9861 || nessus,12095 -2568 || WEB-CGI Emumail emumail.fcgi access || bugtraq,9861 || nessus,12095 -2569 || WEB-MISC cPanel resetpass access || bugtraq,9848 -2570 || WEB-MISC Invalid HTTP Version String || bugtraq,9809 || nessus,11593 -2571 || WEB-IIS SmarterTools SmarterMail frmGetAttachment.aspx access || bugtraq,9805 -2572 || WEB-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt || bugtraq,9805 -2573 || WEB-IIS SmarterTools SmarterMail frmCompose.asp access || bugtraq,9805 -2574 || FTP RETR format string attempt || bugtraq,9800 -2575 || WEB-PHP Opt-X header.php remote file include attempt || bugtraq,9732 -2576 || ORACLE dbms_repcat.generate_replication_support buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck93.html -2577 || WEB-CLIENT local resource redirection attempt || cve,2004-0549 || url,www.kb.cert.org/vuls/id/713878 -2578 || EXPLOIT kerberos principal name overflow UDP || url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt -2579 || EXPLOIT kerberos principal name overflow TCP || url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt -2580 || WEB-MISC server negative Content-Length attempt || cve,2004-0492 || 
url,www.guninski.com/modproxy1.html -2581 || WEB-MISC Crystal Reports crystalimagehandler.aspx access || cve,2004-0204 || url,www.microsoft.com/security/bulletins/200406_crystal.mspx -2582 || WEB-MISC Crystal Reports crystalImageHandler.aspx directory traversal attempt || bugtraq,10260 || cve,2004-0204 || nessus,12271 || url,www.microsoft.com/security/bulletins/200406_crystal.mspx -2583 || MISC CVS Max-dotdot integer overflow attempt || bugtraq,10499 || cve,2004-0417 -2584 || EXPLOIT eMule buffer overflow attempt || bugtraq,10039 || nessus,12233 -2585 || WEB-MISC nessus 2.x 404 probe || nessus,10386 -2586 || P2P eDonkey transfer || url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html -2587 || P2P eDonkey server response || url,www.emule-project.net -2588 || WEB-PHP TUTOS path disclosure attempt || bugtraq,10129 || url,www.securiteam.com/unixfocus/5FP0J15CKE.html -2589 || WEB-CLIENT Content-Disposition CLSID command attempt || bugtraq,9510 || cve,2004-0420 || url,www.microsoft.com/technet/security/bulletin/ms04-024.mspx -2590 || SMTP MAIL FROM overflow attempt || bugtraq,10290 || bugtraq,7506 || cve,2004-0399 || url,www.guninski.com/exim1.html -2591 || SMTP From command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html -2592 || SMTP ReplyTo command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html -2593 || SMTP Sender command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html -2594 || SMTP To command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html -2595 || SMTP CC command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html -2596 || SMTP BCC command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html -2597 || WEB-MISC Samba SWAT Authorization overflow attempt || bugtraq,10780 -2598 || WEB-MISC Samba SWAT Authorization port 901 overflow 
attempt || bugtraq,10780 -2599 || ORACLE dbms_repcat.add_grouped_column buffer overflow attempt -2600 || ORACLE add_grouped_column ordered sname/oname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html -2601 || ORACLE dbms_repcat.drop_master_repgroup buffer overflow attempt -2602 || ORACLE drop_master_repgroup ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck87.html -2603 || ORACLE dbms_repcat.create_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html -2604 || ORACLE create_mview_repgroup ordered fname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html -2605 || ORACLE dbms_repcat.compare_old_values buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck91.html -2606 || ORACLE dbms_repcat.comment_on_repobject buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html -2607 || ORACLE comment_on_repobject ordered type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html -2608 || ORACLE sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html -2609 || ORACLE dbms_repcat.cancel_statistics buffer overflow attempt -2610 || ORACLE cancel_statistics ordered sname/oname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html -2611 || ORACLE LINK metadata buffer overflow attempt || bugtraq,7453 || cve,2003-0222 || url,archives.neohapsis.com/archives/bugtraq/2003-04/0360.html -2612 || ORACLE sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html -2613 || ORACLE revoke_surrogate_repcat ordered userid buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html -2614 || ORACLE time_zone buffer overflow attempt || bugtraq,9587 || url,www.nextgenss.com/advisories/ora_time_zone.txt -2615 || ORACLE sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt 
|| url,www.appsecinc.com/Policy/PolicyCheck97.html -2616 || ORACLE grant_surrogate_repcat ordered userid buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html -2617 || ORACLE sys.dbms_repcat.alter_mview_propagation buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html -2618 || ORACLE alter_mview_propagation ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html -2619 || ORACLE dbms_repcat.alter_master_repobject buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html -2620 || ORACLE alter_master_repobject ordered type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html -2621 || ORACLE dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html -2622 || ORACLE dbms_repcat_utl.drop_an_object buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html -2623 || ORACLE dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html -2624 || ORACLE dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html -2625 || ORACLE unregister_user_repgroup ordered privilege_type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html -2626 || ORACLE dbms_repcat.send_old_values buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck91.html -2627 || ORACLE dbms_repcat.repcat_import_check buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html -2628 || ORACLE repcat_import_check ordered gowner/gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html -2629 || ORACLE dbms_repcat_admin.register_user_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html -2630 || ORACLE register_user_repgroup ordered privilege_type buffer overflow attempt || 
url,www.appsecinc.com/Policy/PolicyCheck94.html -2631 || ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html -2632 || ORACLE refresh_mview_repgroup ordered gowner buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html -2633 || ORACLE sys.dbms_rectifier_diff.rectify buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html -2634 || ORACLE rectifier_diff ordered sname1 buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html -2635 || ORACLE dbms_offline_snapshot.end_load buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html -2636 || ORACLE snapshot.end_load ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html -2637 || ORACLE dbms_repcat.drop_master_repobject buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html -2638 || ORACLE drop_master_repobject ordered type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html -2639 || ORACLE dbms_repcat.drop_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html -2640 || ORACLE drop_mview_repgroup ordered gowner/gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html -2641 || ORACLE dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt -2642 || ORACLE drop_site_instantiation ordered refresh_template_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck629.html -2643 || ORACLE sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck96.html -2644 || ORACLE from_tz buffer overflow attempt || url,www.nextgenss.com/advisories/ora_from_tz.txt -2645 || ORACLE dbms_repcat_instantiate.instantiate_offline buffer overflow attempt -2646 || ORACLE instantiate_offline ordered refresh_template_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck630.html -2647 
|| ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt -2648 || ORACLE instantiate_online ordered refresh_template_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck631.html -2649 || ORACLE service_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck52.html -2650 || ORACLE user name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck62.html -2651 || ORACLE NUMTODSINTERVAL/NUMTOYMINTERVAL buffer overflow attempt || bugtraq,9587 || url,www.nextgenss.com/advisories/ora_numtodsinterval.txt || url,www.nextgenss.com/advisories/ora_numtoyminterval.txt -2652 || ORACLE dbms_offline_og.begin_load buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html -2653 || ORACLE og.begin_load ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html -2654 || WEB-PHP PHPNuke Forum viewtopic SQL insertion attempt || bugtraq,7193 -2655 || MISC HP Web JetAdmin ExecuteFile admin access || bugtraq,10224 -2656 || WEB-MISC SSLv2 Client_Hello Challenge Length overflow attempt -2657 || WEB-MISC SSLv2 Client_Hello with pad Challenge Length overflow attempt -2658 || WEB-MISC SSLv2 Client_Hello request -2659 || WEB-MISC SSLv2 Client_Hello with pad request -2660 || WEB-MISC SSLv2 Server_Hello request -2661 || WEB-MISC TLSv1 Client_Hello request -2662 || WEB-MISC TLSv1 Server_Hello request -2663 || WEB-CGI WhatsUpGold instancename overflow attempt || bugtraq,11043 || cve,2004-0798 -2664 || IMAP login format string attempt || bugtraq,10976 -2665 || IMAP login literal format string attempt || bugtraq,10976 -2666 || POP3 PASS format string attempt || bugtraq,10976 -2667 || WEB-IIS ping.asp access || nessus,10968 -2668 || WEB-CGI processit access || nessus,10649 -2669 || WEB-CGI ibillpm.pl access || bugtraq,3476 || nessus,11083 -2670 || WEB-CGI pgpmail.pl access || bugtraq,3605 || cve,2001-0937 || nessus,11070 -2671 || WEB-CLIENT bitmap BitmapOffset integer overflow attempt 
|| bugtraq,9663 || cve,2004-0566 -2672 || WEB-MISC sresult.exe access || bugtraq,10837 || nessus,14186 -2673 || WEB-CLIENT libpng tRNS overflow attempt || bugtraq,10872 || cve,2004-0597 -2674 || ORACLE dbms_repcat.add_delete_resolution buffer overflow attempt -2675 || ORACLE dbms_repcat_rgt.instantiate_offline buffer overflow attempt -2676 || ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt -2677 || ORACLE dbms_repcat_rgt.instantiate_online buffer overflow attempt -2678 || ORACLE ctx_output.start_log buffer overflow attempt -2679 || ORACLE sys.dbms_system.ksdwrt buffer overflow attempt -2680 || ORACLE ctxsys.driddlr.subindexpopulate buffer overflow attempt -2681 || ORACLE mdsys.sdo_admin.sdo_code_size buffer overflow attempt -2682 || ORACLE mdsys.md2.validate_geom buffer overflow attempt -2683 || ORACLE mdsys.md2.sdo_code_size buffer overflow attempt -2684 || ORACLE sys.ltutil.pushdeferredtxns buffer overflow attempt -2685 || ORACLE sys.dbms_repcat_rq.add_column buffer overflow attempt -2686 || ORACLE sys.dbms_rectifier_diff.differences buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html -2687 || ORACLE sys.dbms_internal_repcat.validate buffer overflow attempt -2688 || ORACLE sys.dbms_internal_repcat.enable_receiver_trace buffer overflow attempt -2689 || ORACLE sys.dbms_internal_repcat.disable_receiver_trace buffer overflow attempt -2690 || ORACLE sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow attempt -2691 || ORACLE sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow attempt -2692 || ORACLE sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt -2693 || ORACLE sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow attempt -2694 || ORACLE sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow attempt -2695 || ORACLE sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow attempt -2696 || ORACLE sys.dbms_repcat_utl.is_master buffer overflow attempt -2697 || ORACLE 
alter file buffer overflow attempt -2698 || ORACLE create file buffer overflow attempt -2699 || ORACLE TO_CHAR buffer overflow attempt -2700 || ORACLE numtoyminterval buffer overflow attempt -2701 || WEB-MISC Oracle iSQLPlus sid overflow attempt || bugtraq,10871 || url,www.nextgenss.com/advisories/ora-isqlplus.txt -2702 || WEB-MISC Oracle iSQLPlus username overflow attempt || bugtraq,10871 || url,www.nextgenss.com/advisories/ora-isqlplus.txt -2703 || WEB-MISC Oracle iSQLPlus login.uix username overflow attempt || bugtraq,10871 || url,www.nextgenss.com/advisories/ora-isqlplus.txt -2704 || WEB-MISC Oracle 10g iSQLPlus login.unix connectID overflow attempt || bugtraq,10871 || url,www.nextgenss.com/advisories/ora-isqlplus.txt -2705 || WEB-CLIENT JPEG parser heap overflow attempt || bugtraq,11173 || cve,2004-0200 || url,www.microsoft.com/security/bulletins/200409_jpeg.mspx -2706 || WEB-CLIENT JPEG transfer -2707 || WEB-CLIENT JPEG parser multipacket heap overflow || bugtraq,11173 || cve,2004-0200 || url,www.microsoft.com/security/bulletins/200409_jpeg.mspx -2708 || ORACLE dbms_offline_og.begin_flavor_change buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2709 || ORACLE dbms_offline_og.begin_instantiation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2710 || ORACLE dbms_offline_og.begin_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2711 || ORACLE dbms_offline_og.end_flavor_change buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2712 || ORACLE dbms_offline_og.end_instantiation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2713 || ORACLE dbms_offline_og.end_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2714 || ORACLE dbms_offline_og.resume_subset_of_masters buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2715 || ORACLE dbms_offline_snapshot.begin_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2716 || ORACLE dbms_offline_snapshot.end_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2717 || ORACLE dbms_rectifier_diff.differences buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2718 || ORACLE dbms_rectifier_diff.rectify buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2719 || ORACLE dbms_repcat.abort_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2720 || ORACLE dbms_repcat.add_column_group_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2721 || ORACLE dbms_repcat.add_columns_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2722 || ORACLE dbms_repcat.add_object_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2723 || ORACLE dbms_repcat.add_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2724 || ORACLE dbms_repcat.add_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2725 || ORACLE dbms_repcat.add_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2726 || ORACLE dbms_repcat.add_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2727 || ORACLE dbms_repcat.add_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2728 || ORACLE dbms_repcat.add_priority_raw buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2729 || ORACLE dbms_repcat.add_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2730 || ORACLE dbms_repcat.add_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2731 || ORACLE dbms_repcat.add_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2732 || ORACLE dbms_repcat.add_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2733 || ORACLE dbms_repcat.alter_master_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2734 || ORACLE dbms_repcat.alter_mview_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2735 || ORACLE dbms_repcat.alter_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2736 || ORACLE dbms_repcat.alter_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2737 || ORACLE dbms_repcat.alter_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2738 || ORACLE dbms_repcat.alter_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2739 || ORACLE dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2740 || ORACLE dbms_repcat.alter_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2741 || ORACLE dbms_repcat.alter_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2742 || ORACLE dbms_repcat.alter_priority_varchar2 buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2743 || ORACLE dbms_repcat.alter_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2744 || ORACLE dbms_repcat.alter_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2745 || ORACLE dbms_repcat.alter_snapshot_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2746 || ORACLE dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2747 || ORACLE dbms_repcat.begin_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2748 || ORACLE dbms_repcat.comment_on_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2749 || ORACLE dbms_repcat.comment_on_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2750 || ORACLE dbms_repcat.comment_on_mview_repsites buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2751 || ORACLE dbms_repcat.comment_on_priority_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2752 || ORACLE dbms_repcat.comment_on_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2753 || ORACLE dbms_repcat.comment_on_repsites buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2754 || ORACLE dbms_repcat.comment_on_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2755 || ORACLE dbms_repcat.comment_on_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2756 || ORACLE dbms_repcat.comment_on_update_resolution buffer 
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2757 || ORACLE dbms_repcat.create_master_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2758 || ORACLE dbms_repcat.create_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2759 || ORACLE dbms_repcat.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2760 || ORACLE dbms_repcat.define_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2761 || ORACLE dbms_repcat.define_priority_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2762 || ORACLE dbms_repcat.define_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2763 || ORACLE dbms_repcat.do_deferred_repcat_admin buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2764 || ORACLE dbms_repcat.drop_column_group_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2765 || ORACLE dbms_repcat.drop_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2766 || ORACLE dbms_repcat.drop_columns_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2767 || ORACLE dbms_repcat.drop_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2768 || ORACLE dbms_repcat.drop_grouped_column buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2769 || ORACLE dbms_repcat.drop_mview_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2770 || ORACLE dbms_repcat.drop_object_from_flavor buffer overflow 
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2771 || ORACLE dbms_repcat.drop_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2772 || ORACLE dbms_repcat.drop_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2773 || ORACLE dbms_repcat.drop_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2774 || ORACLE dbms_repcat.drop_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2775 || ORACLE dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2776 || ORACLE dbms_repcat.drop_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2777 || ORACLE dbms_repcat.drop_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2778 || ORACLE dbms_repcat.drop_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2779 || ORACLE dbms_repcat.drop_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2780 || ORACLE dbms_repcat.drop_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2781 || ORACLE dbms_repcat.drop_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2782 || ORACLE dbms_repcat.drop_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2783 || ORACLE dbms_repcat.drop_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2784 || ORACLE dbms_repcat.drop_update_resolution buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2785 || ORACLE dbms_repcat.execute_ddl buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2786 || ORACLE dbms_repcat.generate_replication_package buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2787 || ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2788 || ORACLE dbms_repcat.make_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2789 || ORACLE dbms_repcat.obsolete_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2790 || ORACLE dbms_repcat.publish_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2791 || ORACLE dbms_repcat.purge_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2792 || ORACLE dbms_repcat.purge_master_log buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2793 || ORACLE dbms_repcat.purge_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2794 || ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2795 || ORACLE dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2796 || ORACLE dbms_repcat.register_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2797 || ORACLE dbms_repcat.register_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2798 || ORACLE dbms_repcat.register_statistics buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2799 || ORACLE dbms_repcat.relocate_masterdef buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2800 || ORACLE dbms_repcat.rename_shadow_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2801 || ORACLE dbms_repcat.resume_master_activity buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2802 || ORACLE dbms_repcat_rgt.check_ddl_text buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2803 || ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2804 || ORACLE dbms_repcat.send_and_compare_old_values buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2805 || ORACLE dbms_repcat.set_columns buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2806 || ORACLE dbms_repcat.set_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2807 || ORACLE dbms_repcat.specify_new_masters buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2808 || ORACLE dbms_repcat.suspend_master_activity buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2809 || ORACLE dbms_repcat.unregister_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2810 || ORACLE dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2811 || ORACLE dbms_repcat.validate_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2812 || ORACLE dbms_repcat.validate_for_local_flavor buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2813 || ORACLE sys.dbms_repcat_fla.abort_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2814 || ORACLE sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2815 || ORACLE sys.dbms_repcat_fla.begin_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2816 || ORACLE sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2817 || ORACLE sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2818 || ORACLE sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2819 || ORACLE sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2820 || ORACLE sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2821 || ORACLE sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2822 || ORACLE sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2823 || ORACLE sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2824 || ORACLE sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2825 || ORACLE sys.dbms_repcat_fla.validate_flavor_definition buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2826 || ORACLE sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2827 || ORACLE sys.dbms_repcat_mas.alter_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2828 || ORACLE sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2829 || ORACLE sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2830 || ORACLE sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2831 || ORACLE sys.dbms_repcat_mas.create_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2832 || ORACLE sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2833 || ORACLE sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2834 || ORACLE sys.dbms_repcat_mas.generate_replication_package buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2835 || ORACLE sys.dbms_repcat_mas.purge_master_log buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2836 || ORACLE sys.dbms_repcat_mas.relocate_masterdef buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2837 || ORACLE sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2838 || ORACLE sys.dbms_repcat_mas.resume_master_activity buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2839 || ORACLE sys.dbms_repcat_mas.suspend_master_activity buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2840 || ORACLE sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2841 || ORACLE sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2842 || ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2843 || ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2844 || ORACLE sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2845 || ORACLE sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2846 || ORACLE sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2847 || ORACLE sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2848 || ORACLE sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2849 || ORACLE sys.dbms_repcat_utl.drop_an_object buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2850 || ORACLE dbms_repcat.create_mview_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2851 || ORACLE dbms_repcat.create_snapshot_repobject buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2852 || ORACLE dbms_repcat.generate_mview_support buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2853 || ORACLE dbms_repcat.generate_replication_trigger buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2854 || ORACLE dbms_repcat.generate_snapshot_support buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2855 || ORACLE dbms_repcat.remove_master_databases buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2856 || ORACLE dbms_repcat.switch_mview_master buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2857 || ORACLE dbms_repcat.switch_snapshot_master buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2858 || ORACLE sys.dbms_repcat_conf.add_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2859 || ORACLE sys.dbms_repcat_conf.add_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2860 || ORACLE sys.dbms_repcat_conf.add_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2861 || ORACLE sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2862 || ORACLE sys.dbms_repcat_conf.add_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2863 || ORACLE sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2864 || ORACLE sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2865 || ORACLE 
sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2866 || ORACLE sys.dbms_repcat_conf.add_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2867 || ORACLE sys.dbms_repcat_conf.add_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2868 || ORACLE sys.dbms_repcat_conf.add_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2869 || ORACLE sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2870 || ORACLE sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2871 || ORACLE sys.dbms_repcat_conf.alter_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2872 || ORACLE sys.dbms_repcat_conf.alter_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2873 || ORACLE sys.dbms_repcat_conf.alter_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2874 || ORACLE sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2875 || ORACLE sys.dbms_repcat_conf.alter_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2876 || ORACLE sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2877 || ORACLE sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2878 || ORACLE sys.dbms_repcat_conf.alter_site_priority buffer 
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2879 || ORACLE sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2880 || ORACLE sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2881 || ORACLE sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2882 || ORACLE sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2883 || ORACLE sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2884 || ORACLE sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2885 || ORACLE sys.dbms_repcat_conf.define_priority_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2886 || ORACLE sys.dbms_repcat_conf.define_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2887 || ORACLE sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2888 || ORACLE sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2889 || ORACLE sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2890 || ORACLE sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2891 || ORACLE sys.dbms_repcat_conf.drop_priority_number buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2892 || ORACLE sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2893 || ORACLE sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2894 || ORACLE sys.dbms_repcat_conf.drop_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2895 || ORACLE sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2896 || ORACLE sys.dbms_repcat_conf.drop_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2897 || ORACLE sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2898 || ORACLE sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2899 || ORACLE sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2900 || ORACLE sys.dbms_repcat_conf.purge_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2901 || ORACLE sys.dbms_repcat_conf.register_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2902 || ORACLE sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2903 || ORACLE sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2904 || ORACLE sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2905 || ORACLE sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2906 || ORACLE sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2907 || ORACLE sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2908 || ORACLE sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2909 || ORACLE sys.dbms_repcat_sna.generate_snapshot_support buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2910 || ORACLE sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2911 || ORACLE sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2912 || ORACLE sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2913 || ORACLE sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2914 || ORACLE sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2915 || ORACLE sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2916 || ORACLE sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2917 || ORACLE sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2918 || ORACLE sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2919 || ORACLE sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html -2921 || DNS UDP inverse query || bugtraq,2302 || cve,2001-0010 -2922 || DNS TCP inverse query || bugtraq,2302 || cve,2001-0010 -2923 || NETBIOS SMB repeated logon failure -2924 || NETBIOS SMB-DS repeated logon failure -2925 || INFO web bug 0x0 gif attempt -2926 || WEB-PHP PhpGedView PGV base directory manipulation || bugtraq,9368 -2927 || NNTP XPAT pattern overflow attempt || cve,2004-0574 || url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx -2928 || NETBIOS SMB nddeapi create tree attempt || bugtraq,11372 || cve,2004-0206 -2929 || NETBIOS SMB nddeapi unicode create tree attempt || bugtraq,11372 || cve,2004-0206 -2930 || NETBIOS SMB-DS nddeapi create tree attempt || bugtraq,11372 || cve,2004-0206 -2931 || NETBIOS SMB-DS nddeapi unicode create tree attempt || bugtraq,11372 || cve,2004-0206 -2932 || NETBIOS SMB nddeapi bind attempt || bugtraq,11372 || cve,2004-0206 -2933 || NETBIOS SMB nddeapi unicode bind attempt || bugtraq,11372 || cve,2004-0206 -2934 || NETBIOS SMB-DS nddeapi bind attempt || bugtraq,11372 || cve,2004-0206 -2935 || NETBIOS SMB-DS nddeapi unicode bind attempt || bugtraq,11372 || cve,2004-0206 -2936 || NETBIOS SMB NDdeSetTrustedShareW overflow attempt || bugtraq,11372 || cve,2004-0206 -2937 || NETBIOS SMB NDdeSetTrustedShareW unicode overflow attempt || bugtraq,11372 || cve,2004-0206 -2938 || NETBIOS SMB-DS NDdeSetTrustedShareW overflow attempt || bugtraq,11372 || cve,2004-0206 -2939 || NETBIOS SMB-DS NDdeSetTrustedShareW unicode overflow attempt || bugtraq,11372 || cve,2004-0206 -2940 || NETBIOS SMB winreg bind attempt -2941 || NETBIOS SMB winreg unicode bind attempt 
-2942 || NETBIOS SMB InitiateSystemShutdown attempt -2943 || NETBIOS SMB InitiateSystemShutdown little endian attempt -2944 || NETBIOS SMB InitiateSystemShutdown unicode attempt -2945 || NETBIOS SMB InitiateSystemShutdown unicode little endian attempt -2946 || NETBIOS SMB NDdeSetTrustedShareW little endian overflow attempt || bugtraq,11372 || cve,2004-0206 -2947 || NETBIOS SMB NDdeSetTrustedShareW unicode little endian overflow attempt || bugtraq,11372 || cve,2004-0206 -2948 || NETBIOS SMB-DS NDdeSetTrustedShareW little endian overflow attempt || bugtraq,11372 || cve,2004-0206 -2949 || NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian overflow attempt || bugtraq,11372 || cve,2004-0206 -2950 || NETBIOS SMB too many stacked requests -2951 || NETBIOS SMB-DS too many stacked requests -2952 || NETBIOS SMB IPC$ andx share access -2953 || NETBIOS SMB IPC$ unicode andx share access -2954 || NETBIOS SMB-DS IPC$ andx share access -2955 || NETBIOS SMB-DS IPC$ unicode andx share access -2956 || NETBIOS SMB nddeapi andx create tree attempt || bugtraq,11372 || cve,2004-0206 -2957 || NETBIOS SMB nddeapi unicode andx create tree attempt || bugtraq,11372 || cve,2004-0206 -2958 || NETBIOS SMB-DS nddeapi andx create tree attempt || bugtraq,11372 || cve,2004-0206 -2959 || NETBIOS SMB-DS nddeapi unicode andx create tree attempt || bugtraq,11372 || cve,2004-0206 -2960 || NETBIOS SMB nddeapi andx bind attempt || bugtraq,11372 || cve,2004-0206 -2961 || NETBIOS SMB nddeapi unicode andx bind attempt || bugtraq,11372 || cve,2004-0206 -2962 || NETBIOS SMB-DS nddeapi andx bind attempt || bugtraq,11372 || cve,2004-0206 -2963 || NETBIOS SMB-DS nddeapi unicode andx bind attempt || bugtraq,11372 || cve,2004-0206 -2964 || NETBIOS SMB NDdeSetTrustedShareW andx overflow attempt || bugtraq,11372 || cve,2004-0206 -2965 || NETBIOS SMB NDdeSetTrustedShareW little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206 -2966 || NETBIOS SMB NDdeSetTrustedShareW unicode andx overflow attempt 
|| bugtraq,11372 || cve,2004-0206 -2967 || NETBIOS SMB NDdeSetTrustedShareW unicode little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206 -2968 || NETBIOS SMB-DS NDdeSetTrustedShareW andx overflow attempt || bugtraq,11372 || cve,2004-0206 -2969 || NETBIOS SMB-DS NDdeSetTrustedShareW little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206 -2970 || NETBIOS SMB-DS NDdeSetTrustedShareW unicode andx overflow attempt || bugtraq,11372 || cve,2004-0206 -2971 || NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206 -2972 || NETBIOS SMB D$ andx share access -2973 || NETBIOS SMB D$ unicode andx share access -2974 || NETBIOS SMB-DS D$ andx share access -2975 || NETBIOS SMB-DS D$ unicode andx share access -2976 || NETBIOS SMB C$ andx share access -2977 || NETBIOS SMB C$ unicode andx share access -2978 || NETBIOS SMB-DS C$ andx share access -2979 || NETBIOS SMB-DS C$ unicode andx share access -2980 || NETBIOS SMB ADMIN$ andx share access -2981 || NETBIOS SMB ADMIN$ unicode andx share access -2982 || NETBIOS SMB-DS ADMIN$ andx share access -2983 || NETBIOS SMB-DS ADMIN$ unicode andx share access -2984 || NETBIOS SMB winreg andx create tree attempt -2985 || NETBIOS SMB winreg unicode andx create tree attempt -2986 || NETBIOS SMB-DS winreg andx create tree attempt -2987 || NETBIOS SMB-DS winreg unicode andx create tree attempt -2988 || NETBIOS SMB winreg andx bind attempt -2989 || NETBIOS SMB winreg unicode andx bind attempt -2990 || NETBIOS SMB-DS winreg andx bind attempt -2991 || NETBIOS SMB-DS winreg unicode andx bind attempt -2992 || NETBIOS SMB InitiateSystemShutdown andx attempt -2993 || NETBIOS SMB InitiateSystemShutdown little endian andx attempt -2994 || NETBIOS SMB InitiateSystemShutdown unicode andx attempt -2995 || NETBIOS SMB InitiateSystemShutdown unicode little endian andx attempt -2996 || NETBIOS SMB-DS InitiateSystemShutdown andx attempt -2997 || NETBIOS SMB-DS 
InitiateSystemShutdown little endian andx attempt -2998 || NETBIOS SMB-DS InitiateSystemShutdown unicode andx attempt -2999 || NETBIOS SMB-DS InitiateSystemShutdown unicode little endian andx attempt -3000 || NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx -3001 || NETBIOS SMB Session Setup NTMLSSP andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx -3002 || NETBIOS SMB Session Setup NTMLSSP unicode andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx -3003 || NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx -3004 || NETBIOS SMB-DS Session Setup NTMLSSP andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx -3005 || NETBIOS SMB-DS Session Setup NTMLSSP unicode andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx -3006 || EXPLOIT Volition Freespace 2 buffer overflow attempt || bugtraq,9785 -3007 || IMAP delete overflow attempt || bugtraq,11675 -3008 || IMAP delete literal overflow attempt || bugtraq,11675 -3009 || BACKDOOR NetBus Pro 2.0 connection request -3010 || BACKDOOR RUX the Tick get windows directory attempt -3011 || BACKDOOR RUX the Tick get system directory attempt -3012 || BACKDOOR RUX the Tick upload/execute arbitrary file attempt -3013 || BACKDOOR Asylum 0.1 
connection request -3014 || BACKDOOR Asylum 0.1 connection established -3015 || BACKDOOR Insane Network 4.0 connection established -3016 || BACKDOOR Insane Network 4.0 connection established port 63536 -3017 || EXPLOIT WINS overflow attempt || bugtraq,11763 || cve,2004-1080 || url,www.immunitysec.com/downloads/instantanea.pdf || url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx -3018 || NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt || cve,2004-1154 -3019 || NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor attempt || cve,2004-1154 -3020 || NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt || cve,2004-1154 -3021 || NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt || cve,2004-1154 -3022 || NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt || cve,2004-1154 -3023 || NETBIOS SMB-DS NT Trans NT CREATE andx oversized Security Descriptor attempt || cve,2004-1154 -3024 || NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt || cve,2004-1154 -3025 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx oversized Security Descriptor attempt || cve,2004-1154 -3026 || NETBIOS SMB NT Trans NT CREATE SACL overflow attempt || cve,2004-1154 -3027 || NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt || cve,2004-1154 -3028 || NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt || cve,2004-1154 -3029 || NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt || cve,2004-1154 -3030 || NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt || cve,2004-1154 -3031 || NETBIOS SMB-DS NT Trans NT CREATE andx SACL overflow attempt || cve,2004-1154 -3032 || NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt || cve,2004-1154 -3033 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx SACL overflow attempt || cve,2004-1154 -3034 || NETBIOS SMB NT Trans NT CREATE DACL overflow attempt || cve,2004-1154 -3035 
|| NETBIOS SMB NT Trans NT CREATE andx DACL overflow attempt || cve,2004-1154 -3036 || NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt || cve,2004-1154 -3037 || NETBIOS SMB NT Trans NT CREATE unicode andx DACL overflow attempt || cve,2004-1154 -3038 || NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt || cve,2004-1154 -3039 || NETBIOS SMB-DS NT Trans NT CREATE andx DACL overflow attempt || cve,2004-1154 -3040 || NETBIOS SMB-DS NT Trans NT CREATE unicode DACL overflow attempt || cve,2004-1154 -3041 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx DACL overflow attempt || cve,2004-1154 -3042 || NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt -3043 || NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt -3044 || NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt -3045 || NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt -3046 || NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt -3047 || NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt -3048 || NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt -3049 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt -3050 || NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt -3051 || NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt -3052 || NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt -3053 || NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt -3054 || NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt -3055 || NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt -3056 || NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt -3057 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt -3058 || IMAP copy literal overflow attempt || bugtraq,1110 -3059 || 
WEB-MISC TLSv1 Client_Hello via SSLv2 handshake request -3061 || MISC distccd command execution attempt || url,distcc.samba.org/security.html -3062 || WEB-CGI NetScreen SA 5000 delhomepage.cgi access || bugtraq,9791 -3063 || BACKDOOR Vampire 1.2 connection request -3064 || BACKDOOR Vampire 1.2 connection confirmation -3065 || IMAP append literal overflow attempt || bugtraq,11775 -3066 || IMAP append overflow attempt || bugtraq,11775 -3067 || IMAP examine literal overflow attempt || bugtraq,11775 -3068 || IMAP examine overflow attempt || bugtraq,11775 -3069 || IMAP fetch literal overflow attempt || bugtraq,11775 -3070 || IMAP fetch overflow attempt || bugtraq,11775 -3071 || IMAP status literal overflow attempt || bugtraq,11775 -3072 || IMAP status overflow attempt || bugtraq,11775 || bugtraq,13727 || cve,2005-1256 -3073 || IMAP subscribe literal overflow attempt || bugtraq,11775 -3074 || IMAP subscribe overflow attempt || bugtraq,11775 -3075 || IMAP unsubscribe literal overflow attempt || bugtraq,11775 -3076 || IMAP unsubscribe overflow attempt || bugtraq,11775 -3077 || FTP RNFR overflow attempt -3078 || NNTP SEARCH pattern overflow attempt || cve,2004-0574 || url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx -3079 || WEB-CLIENT Microsoft ANI file parsing overflow || cve,2004-1049 -3080 || MISC Unreal Tournament secure overflow attempt || bugtraq,10570 || cve,2004-0608 -3081 || BACKDOOR Y3KRAT 1.5 Connect -3082 || BACKDOOR Y3KRAT 1.5 Connect Client Response -3083 || BACKDOOR Y3KRAT 1.5 Connection confirmation -3084 || EXPLOIT Veritas backup overflow attempt || bugtraq,11974 || cve,2004-1172 -3085 || EXPLOIT AIM goaway message buffer overflow attempt || bugtraq,10889 || cve,2004-0636 -3086 || WEB-MISC 3Com 3CRADSL72 ADSL 11g Wireless Router app_sta.stm access attempt || bugtraq,11408 -3087 || WEB-IIS w3who.dll buffer overflow attempt || bugtraq,11820 || cve,2004-1134 -3088 || WEB-CLIENT winamp .cda file name overflow attempt || bugtraq,11730 -3089 || DOS 
squid WCCP I_SEE_YOU message overflow attempt || bugtraq,12275 || cve,2005-0095 -3090 || NETBIOS SMB llsrpc create tree attempt -3091 || NETBIOS SMB llsrpc unicode create tree attempt -3092 || NETBIOS SMB llsrpc andx create tree attempt -3093 || NETBIOS SMB llsrpc unicode andx create tree attempt -3094 || NETBIOS SMB-DS llsrpc create tree attempt -3095 || NETBIOS SMB-DS llsrpc unicode create tree attempt -3096 || NETBIOS SMB-DS llsrpc andx create tree attempt -3097 || NETBIOS SMB-DS llsrpc unicode andx create tree attempt -3098 || NETBIOS SMB llsrpc bind attempt -3099 || NETBIOS SMB llsrpc little endian bind attempt -3100 || NETBIOS SMB llsrpc unicode bind attempt -3101 || NETBIOS SMB llsrpc unicode little endian bind attempt -3102 || NETBIOS SMB llsrpc andx bind attempt -3103 || NETBIOS SMB llsrpc little endian andx bind attempt -3104 || NETBIOS SMB llsrpc unicode andx bind attempt -3105 || NETBIOS SMB llsrpc unicode little endian andx bind attempt -3106 || NETBIOS SMB-DS llsrpc bind attempt -3107 || NETBIOS SMB-DS llsrpc little endian bind attempt -3108 || NETBIOS SMB-DS llsrpc unicode bind attempt -3109 || NETBIOS SMB-DS llsrpc unicode little endian bind attempt -3110 || NETBIOS SMB-DS llsrpc andx bind attempt -3111 || NETBIOS SMB-DS llsrpc little endian andx bind attempt -3112 || NETBIOS SMB-DS llsrpc unicode andx bind attempt -3113 || NETBIOS SMB-DS llsrpc unicode little endian andx bind attempt -3114 || NETBIOS SMB llsrconnect overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3115 || NETBIOS SMB llsrconnect little endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3116 || NETBIOS SMB llsrconnect unicode overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3117 || NETBIOS SMB llsrconnect unicode little endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3118 || NETBIOS SMB llsrconnect andx overflow attempt || 
url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3119 || NETBIOS SMB llsrconnect little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3120 || NETBIOS SMB llsrconnect unicode andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3121 || NETBIOS SMB llsrconnect unicode little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3122 || NETBIOS SMB-DS llsrconnect overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3123 || NETBIOS SMB-DS llsrconnect little endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3124 || NETBIOS SMB-DS llsrconnect unicode overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3125 || NETBIOS SMB-DS llsrconnect unicode little endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3126 || NETBIOS SMB-DS llsrconnect andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3127 || NETBIOS SMB-DS llsrconnect little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3128 || NETBIOS SMB-DS llsrconnect unicode andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3129 || NETBIOS SMB-DS llsrconnect unicode little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3130 || EXPLOIT MSN Messenger png overflow || bugtraq,10872 || cve,2004-0957 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx -3131 || WEB-CGI mailman directory traversal attempt || cve,2005-0202 -3132 || WEB-CLIENT PNG large image width download attempt || bugtraq,11523 || cve,2004-0990 || cve,2004-1244 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx -3133 || WEB-CLIENT PNG large image height download attempt || bugtraq,11481 || bugtraq,11523 
|| cve,2004-0599 || cve,2004-0990 || cve,2004-1244 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx -3134 || WEB-CLIENT PNG large colour depth download attempt || bugtraq,11523 || cve,2004-0990 || cve,2004-1244 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx -3135 || NETBIOS SMB Trans2 QUERY_FILE_INFO attempt -3136 || NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt -3137 || NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt -3138 || NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt -3139 || NETBIOS SMB Trans2 FIND_FIRST2 attempt -3140 || NETBIOS SMB Trans2 FIND_FIRST2 andx attempt -3141 || NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt -3142 || NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt -3143 || NETBIOS SMB Trans2 FIND_FIRST2 response overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx -3144 || NETBIOS SMB Trans2 FIND_FIRST2 response andx overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx -3145 || NETBIOS SMB-DS Trans2 FIND_FIRST2 response overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx -3146 || NETBIOS SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx -3147 || TELNET login buffer overflow attempt || bugtraq,3681 || cve,2001-0797 -3148 || WEB-CLIENT winhelp clsid attempt || bugtraq,4857 || cve,2002-0823 || url,www.ngssoftware.com/advisories/ms-winhlp.txt -3149 || WEB-CLIENT object type overflow attempt || cve,2003-0344 || url,www.microsoft.com/technet/security/bulletin/MS03-020.mspx -3150 || WEB-IIS SQLXML content type overflow || bugtraq,5004 || cve,2002-0186 || url,www.microsoft.com/technet/security/bulletin/MS02-030.mspx || url,www.westpoint.ltd.uk/advisories/wp-02-0007.txt -3151 || FINGER / execution attempt || cve,1999-0612 || cve,2000-0915 -3152 || MS-SQL sa brute force failed login attempt || 
bugtraq,4797 || cve,2000-1209 || nessus,10673 -3153 || DNS TCP inverse query overflow || bugtraq,134 || cve,1999-0009 -3154 || DNS UDP inverse query overflow || bugtraq,134 || cve,1999-0009 -3155 || BACKDOOR BackOrifice 2000 Inbound Traffic -3156 || NETBIOS DCERPC msqueue bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3157 || NETBIOS DCERPC msqueue little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3158 || NETBIOS DCERPC CoGetInstanceFromFile little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3159 || NETBIOS DCERPC CoGetInstanceFromFile overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3160 || NETBIOS SMB msqueue bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3161 || NETBIOS SMB msqueue little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3162 || NETBIOS SMB msqueue unicode bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3163 || NETBIOS SMB msqueue unicode little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3164 || NETBIOS SMB msqueue andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || 
url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3165 || NETBIOS SMB msqueue little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3166 || NETBIOS SMB msqueue unicode andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3167 || NETBIOS SMB msqueue unicode little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3168 || NETBIOS SMB-DS msqueue bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3169 || NETBIOS SMB-DS msqueue little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3170 || NETBIOS SMB-DS msqueue unicode bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3171 || NETBIOS SMB-DS msqueue unicode little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3172 || NETBIOS SMB-DS msqueue andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3173 || NETBIOS SMB-DS msqueue little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3174 || NETBIOS SMB-DS msqueue unicode andx bind attempt || cve,2003-0995 || 
url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3175 || NETBIOS SMB-DS msqueue unicode little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3176 || NETBIOS SMB CoGetInstanceFromFile overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3177 || NETBIOS SMB CoGetInstanceFromFile little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3178 || NETBIOS SMB CoGetInstanceFromFile unicode overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3179 || NETBIOS SMB CoGetInstanceFromFile unicode little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3180 || NETBIOS SMB CoGetInstanceFromFile andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3181 || NETBIOS SMB CoGetInstanceFromFile little endian andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3182 || NETBIOS SMB CoGetInstanceFromFile unicode andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3183 || NETBIOS SMB CoGetInstanceFromFile unicode little endian andx overflow attempt || cve,2003-0995 || 
url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3184 || NETBIOS SMB-DS CoGetInstanceFromFile overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3185 || NETBIOS SMB-DS CoGetInstanceFromFile little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3186 || NETBIOS SMB-DS CoGetInstanceFromFile unicode overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3187 || NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3188 || NETBIOS SMB-DS CoGetInstanceFromFile andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3189 || NETBIOS SMB-DS CoGetInstanceFromFile little endian andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3190 || NETBIOS SMB-DS CoGetInstanceFromFile unicode andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3191 || NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3192 || WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt || bugtraq,7517 || 
cve,2003-0228 || url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx -3193 || WEB-IIS .cmd executable file parsing attack || bugtraq,1912 || cve,2000-0886 -3194 || WEB-IIS .bat executable file parsing attack || bugtraq,1912 || cve,2000-0886 -3195 || NETBIOS name query overflow attempt TCP || bugtraq,9624 || cve,2003-0825 -3196 || NETBIOS name query overflow attempt UDP || bugtraq,9624 || cve,2003-0825 -3197 || NETBIOS DCERPC ISystemActivator path overflow attempt little endian || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3198 || NETBIOS DCERPC ISystemActivator path overflow attempt big endian || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3199 || EXPLOIT WINS name query overflow attempt TCP || bugtraq,9624 || cve,2003-0825 || url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx -3200 || EXPLOIT WINS name query overflow attempt UDP || bugtraq,9624 || cve,2003-0825 || url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx -3201 || WEB-IIS httpodbc.dll access - nimda || bugtraq,2708 || cve,2001-0333 -3202 || NETBIOS SMB winreg bind attempt -3203 || NETBIOS SMB winreg little endian bind attempt -3204 || NETBIOS SMB winreg unicode bind attempt -3205 || NETBIOS SMB winreg unicode little endian bind attempt -3206 || NETBIOS SMB winreg andx bind attempt -3207 || NETBIOS SMB winreg little endian andx bind attempt -3208 || NETBIOS SMB winreg unicode andx bind attempt -3209 || NETBIOS SMB winreg unicode little endian andx bind attempt -3210 || NETBIOS SMB-DS winreg bind attempt -3211 || NETBIOS SMB-DS winreg little endian bind attempt -3212 || NETBIOS SMB-DS winreg unicode bind attempt -3213 || NETBIOS SMB-DS winreg unicode little endian bind attempt -3214 || NETBIOS SMB-DS winreg andx bind attempt -3215 || NETBIOS SMB-DS winreg little endian andx bind attempt -3216 || NETBIOS SMB-DS winreg unicode andx bind 
attempt -3217 || NETBIOS SMB-DS winreg unicode little endian andx bind attempt -3218 || NETBIOS SMB OpenKey overflow attempt || bugtraq,1331 || cve,2000-0377 || url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx -3219 || NETBIOS SMB OpenKey little endian overflow attempt || bugtraq,1331 || cve,2000-0377 -3220 || NETBIOS SMB OpenKey unicode overflow attempt || bugtraq,1331 || cve,2000-0377 -3221 || NETBIOS SMB OpenKey unicode little endian overflow attempt || bugtraq,1331 || cve,2000-0377 -3222 || NETBIOS SMB OpenKey andx overflow attempt || bugtraq,1331 || cve,2000-0377 -3223 || NETBIOS SMB OpenKey little endian andx overflow attempt || bugtraq,1331 || cve,2000-0377 -3224 || NETBIOS SMB OpenKey unicode andx overflow attempt || bugtraq,1331 || cve,2000-0377 -3225 || NETBIOS SMB OpenKey unicode little endian andx overflow attempt || bugtraq,1331 || cve,2000-0377 -3226 || NETBIOS SMB-DS OpenKey overflow attempt || bugtraq,1331 || cve,2000-0377 -3227 || NETBIOS SMB-DS OpenKey little endian overflow attempt || bugtraq,1331 || cve,2000-0377 -3228 || NETBIOS SMB-DS OpenKey unicode overflow attempt || bugtraq,1331 || cve,2000-0377 -3229 || NETBIOS SMB-DS OpenKey unicode little endian overflow attempt || bugtraq,1331 || cve,2000-0377 -3230 || NETBIOS SMB-DS OpenKey andx overflow attempt || bugtraq,1331 || cve,2000-0377 -3231 || NETBIOS SMB-DS OpenKey little endian andx overflow attempt || bugtraq,1331 || cve,2000-0377 -3232 || NETBIOS SMB-DS OpenKey unicode andx overflow attempt || bugtraq,1331 || cve,2000-0377 -3233 || NETBIOS SMB-DS OpenKey unicode little endian andx overflow attempt || bugtraq,1331 || cve,2000-0377 || url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx -3234 || NETBIOS Messenger message little endian overflow attempt || bugtraq,8826 || cve,2003-0717 -3235 || NETBIOS Messenger message overflow attempt || bugtraq,8826 || cve,2003-0717 -3236 || NETBIOS DCERPC irot bind attempt -3237 || NETBIOS DCERPC irot little endian bind attempt 
-3238 || NETBIOS DCERPC IrotIsRunning attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx -3239 || NETBIOS DCERPC IrotIsRunning little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx -3240 || NETBIOS SMB irot bind attempt -3241 || NETBIOS SMB irot little endian bind attempt -3242 || NETBIOS SMB irot unicode bind attempt -3243 || NETBIOS SMB irot unicode little endian bind attempt -3244 || NETBIOS SMB irot andx bind attempt -3245 || NETBIOS SMB irot little endian andx bind attempt -3246 || NETBIOS SMB irot unicode andx bind attempt -3247 || NETBIOS SMB irot unicode little endian andx bind attempt -3248 || NETBIOS SMB-DS irot bind attempt -3249 || NETBIOS SMB-DS irot little endian bind attempt -3250 || NETBIOS SMB-DS irot unicode bind attempt -3251 || NETBIOS SMB-DS irot unicode little endian bind attempt -3252 || NETBIOS SMB-DS irot andx bind attempt -3253 || NETBIOS SMB-DS irot little endian andx bind attempt -3254 || NETBIOS SMB-DS irot unicode andx bind attempt -3255 || NETBIOS SMB-DS irot unicode little endian andx bind attempt -3256 || NETBIOS SMB IrotIsRunning attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx -3257 || NETBIOS SMB IrotIsRunning little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx -3258 || NETBIOS SMB IrotIsRunning unicode attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx -3259 || NETBIOS SMB IrotIsRunning unicode little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx -3260 || NETBIOS SMB IrotIsRunning andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx -3261 || NETBIOS SMB IrotIsRunning little endian andx attempt || bugtraq,6005 
|| cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx -3262 || NETBIOS SMB IrotIsRunning unicode andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx -3263 || NETBIOS SMB IrotIsRunning unicode little endian andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx -3264 || NETBIOS SMB-DS IrotIsRunning attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx -3265 || NETBIOS SMB-DS IrotIsRunning little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx -3266 || NETBIOS SMB-DS IrotIsRunning unicode attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx -3267 || NETBIOS SMB-DS IrotIsRunning unicode little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx -3268 || NETBIOS SMB-DS IrotIsRunning andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx -3269 || NETBIOS SMB-DS IrotIsRunning little endian andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx -3270 || NETBIOS SMB-DS IrotIsRunning unicode andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx -3271 || NETBIOS SMB-DS IrotIsRunning unicode little endian andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx -3272 || BACKDOOR mydoom.a backdoor upload/execute attempt -3273 || MS-SQL sa brute force failed login unicode attempt || bugtraq,4797 || cve,2000-1209 || nessus,10673 -3274 || TELNET login buffer non-evasive overflow attempt || bugtraq,3681 || cve,2001-0797 -3275 || NETBIOS DCERPC IActivation bind attempt -3276 || NETBIOS DCERPC 
IActivation little endian bind attempt -3377 || NETBIOS SMB IActivation bind attempt -3378 || NETBIOS SMB IActivation little endian bind attempt -3379 || NETBIOS SMB IActivation unicode bind attempt -3380 || NETBIOS SMB IActivation unicode little endian bind attempt -3381 || NETBIOS SMB IActivation andx bind attempt -3382 || NETBIOS SMB IActivation little endian andx bind attempt -3383 || NETBIOS SMB IActivation unicode andx bind attempt -3384 || NETBIOS SMB IActivation unicode little endian andx bind attempt -3385 || NETBIOS SMB-DS IActivation bind attempt -3386 || NETBIOS SMB-DS IActivation little endian bind attempt -3387 || NETBIOS SMB-DS IActivation unicode bind attempt -3388 || NETBIOS SMB-DS IActivation unicode little endian bind attempt -3389 || NETBIOS SMB-DS IActivation andx bind attempt -3390 || NETBIOS SMB-DS IActivation little endian andx bind attempt -3391 || NETBIOS SMB-DS IActivation unicode andx bind attempt -3392 || NETBIOS SMB-DS IActivation unicode little endian andx bind attempt -3393 || NETBIOS SMB ISystemActivator bind attempt -3394 || NETBIOS SMB ISystemActivator little endian bind attempt -3395 || NETBIOS SMB ISystemActivator unicode bind attempt -3396 || NETBIOS SMB ISystemActivator unicode little endian bind attempt -3397 || NETBIOS SMB ISystemActivator andx bind attempt -3398 || NETBIOS SMB ISystemActivator little endian andx bind attempt -3399 || NETBIOS SMB ISystemActivator unicode andx bind attempt -3400 || NETBIOS SMB ISystemActivator unicode little endian andx bind attempt -3401 || NETBIOS SMB-DS ISystemActivator bind attempt -3402 || NETBIOS SMB-DS ISystemActivator little endian bind attempt -3403 || NETBIOS SMB-DS ISystemActivator unicode bind attempt -3404 || NETBIOS SMB-DS ISystemActivator unicode little endian bind attempt -3405 || NETBIOS SMB-DS ISystemActivator andx bind attempt -3406 || NETBIOS SMB-DS ISystemActivator little endian andx bind attempt -3407 || NETBIOS SMB-DS ISystemActivator unicode andx bind attempt -3408 || 
NETBIOS SMB-DS ISystemActivator unicode little endian andx bind attempt -3409 || NETBIOS SMB RemoteActivation attempt -3410 || NETBIOS SMB RemoteActivation little endian attempt -3411 || NETBIOS SMB RemoteActivation unicode attempt -3412 || NETBIOS SMB RemoteActivation unicode little endian attempt -3413 || NETBIOS SMB RemoteActivation andx attempt -3414 || NETBIOS SMB RemoteActivation little endian andx attempt -3415 || NETBIOS SMB RemoteActivation unicode andx attempt -3416 || NETBIOS SMB RemoteActivation unicode little endian andx attempt -3417 || NETBIOS SMB-DS RemoteActivation attempt -3418 || NETBIOS SMB-DS RemoteActivation little endian attempt -3419 || NETBIOS SMB-DS RemoteActivation unicode attempt -3420 || NETBIOS SMB-DS RemoteActivation unicode little endian attempt -3421 || NETBIOS SMB-DS RemoteActivation andx attempt -3422 || NETBIOS SMB-DS RemoteActivation little endian andx attempt -3423 || NETBIOS SMB-DS RemoteActivation unicode andx attempt -3424 || NETBIOS SMB-DS RemoteActivation unicode little endian andx attempt -3425 || NETBIOS SMB CoGetInstanceFromFile attempt -3426 || NETBIOS SMB CoGetInstanceFromFile little endian attempt -3427 || NETBIOS SMB CoGetInstanceFromFile unicode attempt -3428 || NETBIOS SMB CoGetInstanceFromFile unicode little endian attempt -3429 || NETBIOS SMB CoGetInstanceFromFile andx attempt -3430 || NETBIOS SMB CoGetInstanceFromFile little endian andx attempt -3431 || NETBIOS SMB CoGetInstanceFromFile unicode andx attempt -3432 || NETBIOS SMB CoGetInstanceFromFile unicode little endian andx attempt -3433 || NETBIOS SMB-DS CoGetInstanceFromFile attempt -3434 || NETBIOS SMB-DS CoGetInstanceFromFile little endian attempt -3435 || NETBIOS SMB-DS CoGetInstanceFromFile unicode attempt -3436 || NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian attempt -3437 || NETBIOS SMB-DS CoGetInstanceFromFile andx attempt -3438 || NETBIOS SMB-DS CoGetInstanceFromFile little endian andx attempt -3439 || NETBIOS SMB-DS 
CoGetInstanceFromFile unicode andx attempt -3440 || NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx attempt -3441 || FTP PORT bounce attempt -3442 || DOS WIN32 TCP print service denial of service attempt || bugtraq,1082 || cve,2000-0232 || url,www.microsoft.com/technet/security/bulletin/MS00-021.mspx -3443 || MS-SQL DNS query with 1 requests -3444 || MS-SQL DNS query with 2 requests -3445 || MS-SQL DNS query with 3 requests -3446 || MS-SQL DNS query with 4 requests -3447 || MS-SQL DNS query with 5 requests -3448 || MS-SQL DNS query with 6 requests -3449 || MS-SQL DNS query with 7 requests -3450 || MS-SQL DNS query with 8 requests -3451 || MS-SQL DNS query with 9 requests -3452 || MS-SQL DNS query with 10 requests -3453 || MISC Arkeia client backup system info probe || bugtraq,12594 -3454 || MISC Arkeia client backup generic info probe || bugtraq,12594 -3455 || EXPLOIT Bontago Game Server Nickname Buffer Overflow || bugtraq,12603 || url,aluigi.altervista.org/adv/bontagobof-adv.txt -3456 || MYSQL 4.0 root login attempt -3457 || EXPLOIT Arkeia backup client type 77 overflow attempt || bugtraq,12594 -3458 || EXPLOIT Arkeia backup client type 84 overflow attempt || bugtraq,12594 -3459 || P2P Manolito Search Query || url,openlito.sourceforge.net || url,www.blubster.com -3460 || FTP REST with numeric argument || bugtraq,7825 -3461 || SMTP Content-Type overflow attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx -3462 || SMTP Content-Encoding overflow attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx -3463 || WEB-CGI awstats access || bugtraq,12572 -3464 || WEB-CGI awstats.pl command execution attempt || bugtraq,12572 -3465 || WEB-CGI RiSearch show.pl proxy attempt || bugtraq,10812 -3466 || WEB-MISC Authorization Basic overflow attempt || bugtraq,8375 || cve,2003-0727 -3467 || WEB-MISC CISCO VoIP Portinformation access || bugtraq,4798 || 
cve,2002-0882 -3468 || WEB-CGI math_sum.mscgi access || bugtraq,10831 || nessus,14182 -3469 || WEB-CGI Ipswitch WhatsUp Gold dos attempt || bugtraq,11110 || cve,2004-0799 || url,www.idefense.com/application/poi/display?id=142&type=vulnerabilities || url,www.ipswitch.com/Support/WhatsUp/patch-upgrades.html || url,www.secunia.com/advisories/12578/ -3470 || WEB-CLIENT RealPlayer VIDORV30 header length buffer overflow || bugtraq,11309 || url,www.eeye.com/html/research/advisories/AD20041001.html -3471 || WEB-CLIENT iTunes playlist URL overflow attempt || bugtraq,12238 || cve,2005-0043 -3472 || EXPLOIT ARCserve discovery service overflow || bugtraq,12491 || can,2005-0260 -3473 || WEB-CLIENT RealPlayer SMIL file overflow attempt || bugtraq,12698 || cve,2005-0455 -3474 || EXPLOIT ARCserve backup TCP slot info msg client name overflow || bugtraq,12563 -3475 || EXPLOIT ARCserve backup TCP slot info msg client domain overflow || bugtraq,12563 -3476 || EXPLOIT ARCserve backup TCP product info msg 0x9b client domain overflow || bugtraq,12563 -3477 || EXPLOIT ARCserve backup TCP product info msg 0x9b client name overflow || bugtraq,12563 -3478 || EXPLOIT ARCserve backup TCP product info msg 0x9c client domain overflow || bugtraq,12563 -3479 || EXPLOIT ARCserve backup TCP product info msg 0x9c client name overflow || bugtraq,12563 -3480 || EXPLOIT ARCserve backup UDP slot info msg client name overflow || bugtraq,12563 -3481 || EXPLOIT ARCserve backup UDP slot info msg client domain overflow || bugtraq,12563 -3482 || EXPLOIT ARCserve backup UDP product info msg 0x9b client name overflow || bugtraq,12563 -3483 || EXPLOIT ARCserve backup UDP product info msg 0x9b client domain overflow || bugtraq,12563 -3484 || EXPLOIT ARCserve backup UDP product info msg 0x9c client name overflow || bugtraq,12563 -3485 || EXPLOIT ARCserve backup UDP product info msg 0x9c client domain overflow || bugtraq,12563 -3486 || WEB-MISC SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || 
nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -3487 || IMAP SSLv2 Client_Hello request -3488 || IMAP SSLv2 Client_Hello with pad request -3489 || IMAP TLSv1 Client_Hello request -3490 || IMAP TLSv1 Client_Hello via SSLv2 handshake request -3491 || IMAP SSLv2 Server_Hello request -3492 || IMAP TLSv1 Server_Hello request -3493 || SMTP SSLv2 Client_Hello request -3494 || SMTP SSLv2 Client_Hello with pad request -3495 || SMTP TLSv1 Client_Hello request -3496 || SMTP TLSv1 Client_Hello via SSLv2 handshake request -3497 || SMTP SSLv2 Server_Hello request -3498 || SMTP TLSv1 Server_Hello request -3499 || POP3 SSLv2 Client_Hello request -3500 || POP3 SSLv2 Client_Hello with pad request -3501 || POP3 TLSv1 Client_Hello request -3502 || POP3 TLSv1 Client_Hello via SSLv2 handshake request -3503 || POP3 SSLv2 Server_Hello request -3504 || POP3 TLSv1 Server_Hello request -3505 || POP3 SSLv2 Client_Hello request -3506 || POP3 SSLv2 Client_Hello with pad request -3507 || POP3 TLSv1 Client_Hello request -3508 || POP3 TLSv1 Client_Hello via SSLv2 handshake request -3509 || POP3 SSLv2 Server_Hello request -3510 || POP3 TLSv1 Server_Hello request -3511 || SMTP PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -3512 || ORACLE utl_file.fcopy directory traversal attempt || bugtraq,12749 -3513 || ORACLE utl_file.fopen_nchar directory traversal attempt || bugtraq,12749 -3514 || ORACLE utl_file.fopen directory traversal attempt || bugtraq,12749 -3515 || ORACLE utl_file.fremove directory traversal attempt || bugtraq,12749 -3516 || ORACLE utl_file.frename directory traversal attempt || bugtraq,12749 -3517 || EXPLOIT Computer Associates license PUTOLF overflow attempt || bugtraq,12705 || cve,2005-0581 -3518 || WEB-MISC MySQL MaxDB WebSQL wppassword buffer overflow || bugtraq,12265 -3519 || WEB-MISC MySQL MaxDB WebSQL wppassword buffer overflow default port || bugtraq,12265 -3520 
|| EXPLOIT Computer Associates license GCR NETWORK overflow attempt || bugtraq,12705 || cve,2005-0581 -3521 || EXPLOIT Computer Associates license GCR CHECKSUMS overflow attempt || bugtraq,12705 || cve,2005-0581 -3522 || EXPLOIT Computer Associates license GETCONFIG server overflow attempt || bugtraq,12705 || cve,2005-0581 -3523 || FTP SITE INDEX format string attempt -3524 || EXPLOIT Computer Associates license invalid GCR CHECKSUMS attempt || bugtraq,12705 || cve,2005-0581 -3525 || EXPLOIT Computer Associates license invalid GCR NETWORK attempt || bugtraq,12705 || cve,2005-0581 -3526 || ORACLE XDB FTP UNLOCK overflow attempt || bugtraq,8375 || cve,2003-0727 -3527 || EXPLOIT Solaris LPD overflow attempt || bugtraq,3274 -3528 || MYSQL CREATE FUNCTION attempt || bugtraq,12781 || cve,2005-0709 -3529 || EXPLOIT Computer Associates license GETCONFIG client overflow attempt || bugtraq,12705 || cve,2005-0581 -3530 || EXPLOIT ARCserve backup UDP msg 0x99 client name overflow || bugtraq,12563 -3531 || EXPLOIT ARCserve backup UDP msg 0x99 client domain overflow || bugtraq,12563 -3532 || FTP ORACLE password buffer overflow attempt || bugtraq,8375 -3533 || TELNET client LINEMODE SLC overflow attempt || bugtraq,12918 || cve,2005-0469 -3534 || WEB-CLIENT Mozilla GIF heap overflow || bugtraq,12881 || cve,2005-0399 -3535 || WEB-CLIENT GIF transfer -3536 || WEB-CLIENT Mozilla GIF multipacket heap overflow || bugtraq,12881 || cve,2005-0399 -3537 || TELNET client ENV OPT escape overflow attempt || bugtraq,12918 || cve,2005-0469 -3538 || EXPLOIT RADIUS registration MSID overflow attempt || bugtraq,12759 || cve,2005-0699 -3539 || EXPLOIT RADIUS MSID overflow attempt || bugtraq,12759 || cve,2005-0699 -3540 || EXPLOIT RADIUS registration vendor ATTR_TYPE_STR overflow attempt || bugtraq,12759 || cve,2005-0699 -3541 || EXPLOIT RADIUS ATTR_TYPE_STR overflow attempt || bugtraq,12759 || cve,2005-0699 -3542 || MS-SQL SA brute force login attempt || cve,2000-1209 || nessus,10673 -3543 || 
MS-SQL SA brute force login attempt TDS v7/8 || cve,2000-1209 || nessus,10673 -3544 || WEB-MISC TrackerCam ComGetLogFile.php3 directory traversal attempt || bugtraq,12592 || cve,2005-0481 -3545 || WEB-MISC TrackerCam ComGetLogFile.php3 log information disclosure || bugtraq,12592 || cve,2005-0481 -3546 || WEB-MISC TrackerCam User-Agent buffer overflow attempt || bugtraq,12592 || cve,2005-0481 -3547 || WEB-MISC TrackerCam overly long php parameter overflow attempt || bugtraq,12592 || cve,2005-0481 -3548 || WEB-MISC TrackerCam negative Content-Length attempt || bugtraq,12592 || cve,2005-0481 -3549 || WEB-CLIENT HTML DOM invalid element creation attempt || cve,2005-0553 -3550 || WEB-CLIENT HTML http scheme hostname overflow attempt || cve,2005-0553 -3551 || WEB-CLIENT .hta download attempt -3552 || WEB-CLIENT OLE32 MSHTA masquerade attempt || cve,2005-0063 -3553 || WEB-CLIENT HTML DOM null element insertion attempt || cve,2005-0553 -3554 || NETBIOS DCERPC-DIRECT mqqm bind attempt -3555 || NETBIOS DCERPC-DIRECT mqqm little endian bind attempt -3556 || NETBIOS DCERPC mqqm bind attempt -3557 || NETBIOS DCERPC mqqm little endian bind attempt -3558 || NETBIOS SMB mqqm WriteAndX andx bind attempt -3559 || NETBIOS SMB mqqm WriteAndX bind attempt -3560 || NETBIOS SMB mqqm WriteAndX little endian andx bind attempt -3561 || NETBIOS SMB mqqm WriteAndX little endian bind attempt -3562 || NETBIOS SMB mqqm WriteAndX unicode andx bind attempt -3563 || NETBIOS SMB mqqm WriteAndX unicode bind attempt -3564 || NETBIOS SMB mqqm WriteAndX unicode little endian andx bind attempt -3565 || NETBIOS SMB mqqm WriteAndX unicode little endian bind attempt -3566 || NETBIOS SMB mqqm andx bind attempt -3567 || NETBIOS SMB mqqm bind attempt -3568 || NETBIOS SMB mqqm little endian andx bind attempt -3569 || NETBIOS SMB mqqm little endian bind attempt -3570 || NETBIOS SMB mqqm unicode andx bind attempt -3571 || NETBIOS SMB mqqm unicode bind attempt -3572 || NETBIOS SMB mqqm unicode little endian andx 
bind attempt -3573 || NETBIOS SMB mqqm unicode little endian bind attempt -3574 || NETBIOS SMB-DS mqqm WriteAndX andx bind attempt -3575 || NETBIOS SMB-DS mqqm WriteAndX bind attempt -3576 || NETBIOS SMB-DS mqqm WriteAndX little endian andx bind attempt -3577 || NETBIOS SMB-DS mqqm WriteAndX little endian bind attempt -3578 || NETBIOS SMB-DS mqqm WriteAndX unicode andx bind attempt -3579 || NETBIOS SMB-DS mqqm WriteAndX unicode bind attempt -3580 || NETBIOS SMB-DS mqqm WriteAndX unicode little endian andx bind attempt -3581 || NETBIOS SMB-DS mqqm WriteAndX unicode little endian bind attempt -3582 || NETBIOS SMB-DS mqqm andx bind attempt -3583 || NETBIOS SMB-DS mqqm bind attempt -3584 || NETBIOS SMB-DS mqqm little endian andx bind attempt -3585 || NETBIOS SMB-DS mqqm little endian bind attempt -3586 || NETBIOS SMB-DS mqqm unicode andx bind attempt -3587 || NETBIOS SMB-DS mqqm unicode bind attempt -3588 || NETBIOS SMB-DS mqqm unicode little endian andx bind attempt -3589 || NETBIOS SMB-DS mqqm unicode little endian bind attempt -3590 || NETBIOS DCERPC-DIRECT mqqm QMDeleteObject little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx -3591 || NETBIOS DCERPC-DIRECT mqqm QMDeleteObject overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx -3592 || NETBIOS DCERPC mqqm QMDeleteObject little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx -3593 || NETBIOS DCERPC mqqm QMDeleteObject overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx -3594 || NETBIOS SMB mqqm QMDeleteObject WriteAndX andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx -3595 || NETBIOS SMB mqqm QMDeleteObject WriteAndX little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx -3596 || NETBIOS 
SMB mqqm QMDeleteObject WriteAndX little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3597 || NETBIOS SMB mqqm QMDeleteObject WriteAndX overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3598 || NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3599 || NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3600 || NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3601 || NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3602 || NETBIOS SMB mqqm QMDeleteObject andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3603 || NETBIOS SMB mqqm QMDeleteObject little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3604 || NETBIOS SMB mqqm QMDeleteObject little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3605 || NETBIOS SMB mqqm QMDeleteObject overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3606 || NETBIOS SMB mqqm QMDeleteObject unicode andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3607 || NETBIOS SMB mqqm QMDeleteObject unicode little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3608 || NETBIOS SMB mqqm QMDeleteObject unicode little endian overflow attempt || cve,2005-0059 || 
url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3609 || NETBIOS SMB mqqm QMDeleteObject unicode overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3610 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3611 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3612 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3613 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3614 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3615 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3616 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3617 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3618 || NETBIOS SMB-DS mqqm QMDeleteObject andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3619 || NETBIOS SMB-DS mqqm QMDeleteObject little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3620 || NETBIOS SMB-DS mqqm QMDeleteObject little endian overflow attempt || cve,2005-0059 || 
url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3621 || NETBIOS SMB-DS mqqm QMDeleteObject overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3622 || NETBIOS SMB-DS mqqm QMDeleteObject unicode andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3623 || NETBIOS SMB-DS mqqm QMDeleteObject unicode little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3624 || NETBIOS SMB-DS mqqm QMDeleteObject unicode little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3625 || NETBIOS SMB-DS mqqm QMDeleteObject unicode overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3626 || ICMP PATH MTU denial of service || cve,2004-1060
-3627 || POLICY X-LINK2STATE CHUNK attempt || url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx
-3628 || POLICY IDA Pro startup license check attempt
-3629 || WEB-MISC sambar /search/results.stm access || bugtraq,7975
-3630 || FTP ORACLE TEST command buffer overflow attempt || bugtraq,8375
-3631 || FTP ORACLE user name buffer overflow attempt || bugtraq,8375
-3632 || WEB-CLIENT Mozilla bitmap width integer overflow attempt || bugtraq,11171 || cve,2004-0904 || url,bugzilla.mozilla.org/show_bug.cgi?id=255067
-3633 || WEB-CLIENT bitmap transfer
-3634 || WEB-CLIENT Mozilla bitmap width integer overflow multipacket attempt || bugtraq,11171 || cve,2004-0904 || url,bugzilla.mozilla.org/show_bug.cgi?id=255067
-3635 || BACKDOOR Amanda 2.0 connection established
-3636 || BACKDOOR Crazzy Net 5.0 connection established
-3637 || EXPLOIT Computer Associates license PUTOLF directory traversal attempt || bugtraq,12705 || cve,2005-0581
-3638 || WEB-CGI SoftCart.exe CGI buffer overflow attempt || bugtraq,10926
-3639 || NETBIOS SMB Trans andx data displacement null pointer DOS attempt 
|| bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
-3640 || NETBIOS SMB Trans data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
-3641 || NETBIOS SMB Trans unicode data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
-3642 || NETBIOS SMB Trans unicode andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
-3643 || NETBIOS SMB-DS Trans andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
-3644 || NETBIOS SMB-DS Trans data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
-3645 || NETBIOS SMB-DS Trans unicode data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
-3646 || NETBIOS SMB-DS Trans unicode andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
-3647 || NETBIOS-DG SMB Trans andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
-3648 || NETBIOS-DG SMB Trans data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
-3649 || NETBIOS-DG SMB Trans unicode data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
-3650 || NETBIOS-DG SMB Trans unicode andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
-3651 || EXPLOIT CVS rsh annotate revision overflow attempt || bugtraq,13217 || cve,2005-0753 || url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=141 || url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=142
-3652 || EXPLOIT CVS pserver annotate revision overflow attempt || bugtraq,13217 || cve,2005-0753 || 
url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=141 || url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=142
-3653 || SMTP SAML overflow attempt || bugtraq,11238
-3654 || SMTP SOML overflow attempt || bugtraq,11238
-3655 || SMTP SEND overflow attempt || bugtraq,11238
-3656 || SMTP MAIL overflow attempt || bugtraq,11238
-3657 || ORACLE ctxsys.driload attempt || bugtraq,11099 || cve,2004-0637
-3658 || EXPLOIT ARCserve backup universal agent option 1000 little endian buffer overflow attempt || bugtraq,13102 || cve,2005-1018
-3659 || EXPLOIT ARCserve backup universal agent option 1000 buffer overflow attempt || bugtraq,13102 || cve,2005-1018
-3660 || EXPLOIT ARCserve backup universal agent option 00 little endian buffer overflow attempt || bugtraq,13102 || cve,2005-1018
-3661 || EXPLOIT ARCserve backup universal agent option 00 buffer overflow attempt || bugtraq,13102 || cve,2005-1018
-3662 || EXPLOIT ARCserve backup universal agent option 03 little endian buffer overflow attempt || bugtraq,13102 || cve,2005-1018
-3663 || EXPLOIT ARCserve backup universal agent option 03 buffer overflow attempt || bugtraq,13102 || cve,2005-1018
-3664 || EXPLOIT PPTP echo request buffer overflow attempt || bugtaq,7316 || cve,2003-0213
-3665 || MYSQL server greeting || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt
-3666 || MYSQL server greeting finished || bugtraq,10655 || www.nextgenss.com/advisories/mysql-authbypass.txt,
-3667 || MYSQL protocol 41 client authentication bypass attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt
-3668 || MYSQL client authentication bypass attempt || bugtraq,10655 || www.nextgenss.com/advisories/mysql-authbypass.txt,
-3669 || MYSQL protocol 41 secure client overflow attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt
-3670 || MYSQL secure client overflow attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt
-3671 || MYSQL protocol 41 
client overflow attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt
-3672 || MYSQL client overflow attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt
-3673 || MISC Microsoft SMS remote control client DoS overly long length attempt || bugtraq,10726 || cve,2004-0728
-3674 || WEB-CGI db4web_c directory traversal attempt || bugtraq,5723 || cve,2002-1483 || nessus,11182
-3675 || MISC IBM DB2 DTS empty format string dos attempt || bugtraq,11400 || url,www-1.ibm.com/support/docview.wss?uid=swg1IY61781
-3676 || WEB-MISC newsscript.pl admin attempt || bugtraq,12761
-3677 || EXPLOIT SIP UDP CSeq overflow attempt || url,www.ethereal.com/news/item_20050504_01.html
-3678 || EXPLOIT SIP TCP CSeq overflow attempt || url,www.ethereal.com/news/item_20050504_01.html
-3679 || WEB-CLIENT Firefox IFRAME src javascript code execution || bugtraq,13544 || cve,2005-1476
-3680 || P2P AOL Instant Messenger Message Send
-3681 || P2P AOL Instant Messenger Message Receive
-3682 || SMTP spoofed MIME-Type auto-execution attempt || bugtraq,2524 || cve,2001-0154 || url,www.microsoft.com/technet/security/bulletin/MS01-020.mspx
-3683 || WEB-CLIENT spoofed MIME-Type auto-execution attempt || bugtraq,2524 || cve,2001-0154 || url,www.microsoft.com/technet/security/bulletin/MS01-020.mspx
-3684 || WEB-CLIENT Bitmap Transfer
-3685 || WEB-CLIENT bitmap BitmapOffset multipacket integer overflow attempt || bugtraq,9663 || cve,2004-0566
-3686 || WEB-CLIENT Internet Explorer Content Advisor attempted overflow || bugtraq,13117 || cve,2005-0555
-3687 || TELNET client ENV OPT USERVAR information disclosure || cve,2005-1205 || url,www.microsoft.com/technet/Security/bulletin/ms05-033.mspx
-3688 || TELNET client ENV OPT VAR information disclosure || cve,2005-1205 || url,www.microsoft.com/technet/Security/bulletin/ms05-033.mspx
-3689 || WEB-CLIENT Internet Explorer tRNS overflow attempt || bugtraq,13941 || cve,2005-1211 || 
url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx
-3690 || WEB-CGI Nucleus CMS action.php itemid SQL injection || bugtraq,10798 || nessus,14194
-3691 || CHAT Yahoo Messenger Message
-3692 || CHAT Yahoo Messenger File Transfer Initiation Request
-3693 || WEB-MISC IBM WebSphere j_security_check overflow attempt || bugtraq,13853
-3694 || WEB-MISC Squid content length cache poisoning attempt || bugtraq,12412 || cve,2005-0174
-3695 || EXPLOIT Veritas Backup Agent password overflow attempt || cve,2005-0773
-3696 || EXPLOIT Veritas Backup Agent DoS attempt || bugtraq,14201 || cve,2005-0772
-3697 || NETBIOS DCERPC DIRECT veritas alter context attempt
-3698 || NETBIOS DCERPC DIRECT veritas bind attempt
-3699 || NETBIOS DCERPC DIRECT veritas little endian alter context attempt
-3700 || NETBIOS DCERPC DIRECT veritas little endian bind attempt
-3701 || NETBIOS DCERPC NCACN-IP-TCP veritas alter context attempt
-3702 || NETBIOS DCERPC NCACN-IP-TCP veritas bind attempt
-3703 || NETBIOS DCERPC NCACN-IP-TCP veritas little endian alter context attempt
-3704 || NETBIOS DCERPC NCACN-IP-TCP veritas little endian bind attempt
-3705 || NETBIOS SMB veritas WriteAndX alter context attempt
-3706 || NETBIOS SMB veritas WriteAndX andx alter context attempt
-3707 || NETBIOS SMB veritas WriteAndX andx bind attempt
-3708 || NETBIOS SMB veritas WriteAndX bind attempt
-3709 || NETBIOS SMB veritas WriteAndX little endian alter context attempt
-3710 || NETBIOS SMB veritas WriteAndX little endian andx alter context attempt
-3711 || NETBIOS SMB veritas WriteAndX little endian andx bind attempt
-3712 || NETBIOS SMB veritas WriteAndX little endian bind attempt
-3713 || NETBIOS SMB veritas WriteAndX unicode alter context attempt
-3714 || NETBIOS SMB veritas WriteAndX unicode andx alter context attempt
-3715 || NETBIOS SMB veritas WriteAndX unicode andx bind attempt
-3716 || NETBIOS SMB veritas WriteAndX unicode bind attempt
-3717 || NETBIOS SMB veritas WriteAndX unicode little endian alter 
context attempt
-3718 || NETBIOS SMB veritas WriteAndX unicode little endian andx alter context attempt
-3719 || NETBIOS SMB veritas WriteAndX unicode little endian andx bind attempt
-3720 || NETBIOS SMB veritas WriteAndX unicode little endian bind attempt
-3721 || NETBIOS SMB veritas alter context attempt
-3722 || NETBIOS SMB veritas andx alter context attempt
-3723 || NETBIOS SMB veritas andx bind attempt
-3724 || NETBIOS SMB veritas bind attempt
-3725 || NETBIOS SMB veritas little endian alter context attempt
-3726 || NETBIOS SMB veritas little endian andx alter context attempt
-3727 || NETBIOS SMB veritas little endian andx bind attempt
-3728 || NETBIOS SMB veritas little endian bind attempt
-3729 || NETBIOS SMB veritas unicode alter context attempt
-3730 || NETBIOS SMB veritas unicode andx alter context attempt
-3731 || NETBIOS SMB veritas unicode andx bind attempt
-3732 || NETBIOS SMB veritas unicode bind attempt
-3733 || NETBIOS SMB veritas unicode little endian alter context attempt
-3734 || NETBIOS SMB veritas unicode little endian andx alter context attempt
-3735 || NETBIOS SMB veritas unicode little endian andx bind attempt
-3736 || NETBIOS SMB veritas unicode little endian bind attempt
-3737 || NETBIOS SMB-DS veritas WriteAndX alter context attempt
-3738 || NETBIOS SMB-DS veritas WriteAndX andx alter context attempt
-3739 || NETBIOS SMB-DS veritas WriteAndX andx bind attempt
-3740 || NETBIOS SMB-DS veritas WriteAndX bind attempt
-3741 || NETBIOS SMB-DS veritas WriteAndX little endian alter context attempt
-3742 || NETBIOS SMB-DS veritas WriteAndX little endian andx alter context attempt
-3743 || NETBIOS SMB-DS veritas WriteAndX little endian andx bind attempt
-3744 || NETBIOS SMB-DS veritas WriteAndX little endian bind attempt
-3745 || NETBIOS SMB-DS veritas WriteAndX unicode alter context attempt
-3746 || NETBIOS SMB-DS veritas WriteAndX unicode andx alter context attempt
-3747 || NETBIOS SMB-DS veritas WriteAndX unicode andx bind attempt
-3748 || 
NETBIOS SMB-DS veritas WriteAndX unicode bind attempt
-3749 || NETBIOS SMB-DS veritas WriteAndX unicode little endian alter context attempt
-3750 || NETBIOS SMB-DS veritas WriteAndX unicode little endian andx alter context attempt
-3751 || NETBIOS SMB-DS veritas WriteAndX unicode little endian andx bind attempt
-3752 || NETBIOS SMB-DS veritas WriteAndX unicode little endian bind attempt
-3753 || NETBIOS SMB-DS veritas alter context attempt
-3754 || NETBIOS SMB-DS veritas andx alter context attempt
-3755 || NETBIOS SMB-DS veritas andx bind attempt
-3756 || NETBIOS SMB-DS veritas bind attempt
-3757 || NETBIOS SMB-DS veritas little endian alter context attempt
-3758 || NETBIOS SMB-DS veritas little endian andx alter context attempt
-3759 || NETBIOS SMB-DS veritas little endian andx bind attempt
-3760 || NETBIOS SMB-DS veritas little endian bind attempt
-3761 || NETBIOS SMB-DS veritas unicode alter context attempt
-3762 || NETBIOS SMB-DS veritas unicode andx alter context attempt
-3763 || NETBIOS SMB-DS veritas unicode andx bind attempt
-3764 || NETBIOS SMB-DS veritas unicode bind attempt
-3765 || NETBIOS SMB-DS veritas unicode little endian alter context attempt
-3766 || NETBIOS SMB-DS veritas unicode little endian andx alter context attempt
-3767 || NETBIOS SMB-DS veritas unicode little endian andx bind attempt
-3768 || NETBIOS SMB-DS veritas unicode little endian bind attempt
-3769 || NETBIOS DCERPC NCACN-HTTP veritas alter context attempt
-3770 || NETBIOS DCERPC NCACN-HTTP veritas bind attempt
-3771 || NETBIOS DCERPC NCACN-HTTP veritas little endian alter context attempt
-3772 || NETBIOS DCERPC NCACN-HTTP veritas little endian bind attempt
-3773 || NETBIOS DCERPC DIRECT-UDP veritas alter context attempt
-3774 || NETBIOS DCERPC DIRECT-UDP veritas bind attempt
-3775 || NETBIOS DCERPC DIRECT-UDP veritas little endian alter context attempt
-3776 || NETBIOS DCERPC DIRECT-UDP veritas little endian bind attempt
-3777 || NETBIOS DCERPC NCADG-IP-UDP veritas alter context 
attempt
-3778 || NETBIOS DCERPC NCADG-IP-UDP veritas bind attempt
-3779 || NETBIOS DCERPC NCADG-IP-UDP veritas little endian alter context attempt
-3780 || NETBIOS DCERPC NCADG-IP-UDP veritas little endian bind attempt
-3781 || NETBIOS-DG SMB veritas WriteAndX alter context attempt
-3782 || NETBIOS-DG SMB veritas WriteAndX andx alter context attempt
-3783 || NETBIOS-DG SMB veritas WriteAndX andx bind attempt
-3784 || NETBIOS-DG SMB veritas WriteAndX bind attempt
-3785 || NETBIOS-DG SMB veritas WriteAndX little endian alter context attempt
-3786 || NETBIOS-DG SMB veritas WriteAndX little endian andx alter context attempt
-3787 || NETBIOS-DG SMB veritas WriteAndX little endian andx bind attempt
-3788 || NETBIOS-DG SMB veritas WriteAndX little endian bind attempt
-3789 || NETBIOS-DG SMB veritas WriteAndX unicode alter context attempt
-3790 || NETBIOS-DG SMB veritas WriteAndX unicode andx alter context attempt
-3791 || NETBIOS-DG SMB veritas WriteAndX unicode andx bind attempt
-3792 || NETBIOS-DG SMB veritas WriteAndX unicode bind attempt
-3793 || NETBIOS-DG SMB veritas WriteAndX unicode little endian alter context attempt
-3794 || NETBIOS-DG SMB veritas WriteAndX unicode little endian andx alter context attempt
-3795 || NETBIOS-DG SMB veritas WriteAndX unicode little endian andx bind attempt
-3796 || NETBIOS-DG SMB veritas WriteAndX unicode little endian bind attempt
-3797 || NETBIOS-DG SMB veritas alter context attempt
-3798 || NETBIOS-DG SMB veritas andx alter context attempt
-3799 || NETBIOS-DG SMB veritas andx bind attempt
-3800 || NETBIOS-DG SMB veritas bind attempt
-3801 || NETBIOS-DG SMB veritas little endian alter context attempt
-3802 || NETBIOS-DG SMB veritas little endian andx alter context attempt
-3803 || NETBIOS-DG SMB veritas little endian andx bind attempt
-3804 || NETBIOS-DG SMB veritas little endian bind attempt
-3805 || NETBIOS-DG SMB veritas unicode alter context attempt
-3806 || NETBIOS-DG SMB veritas unicode andx alter context attempt
-3807 || 
NETBIOS-DG SMB veritas unicode andx bind attempt
-3808 || NETBIOS-DG SMB veritas unicode bind attempt
-3809 || NETBIOS-DG SMB veritas unicode little endian alter context attempt
-3810 || NETBIOS-DG SMB veritas unicode little endian andx alter context attempt
-3811 || NETBIOS-DG SMB veritas unicode little endian andx bind attempt
-3812 || NETBIOS-DG SMB veritas unicode little endian bind attempt
-3813 || WEB-CGI awstats.pl configdir command execution attempt || bugtraq,12298 || cve,2005-0116
-3814 || WEB-CLIENT IE javaprxy.dll COM access || bugtraq,14087 || cve,2005-2087
-3815 || SMTP eXchange POP3 mail server overflow attempt || bugtraq,10180
-3816 || WEB-MISC BadBlue ext.dll buffer overflow attempt || bugtraq,7387
-3817 || TFTP GET transfer mode overflow attempt || bugtraq,13821 || cve,2005-1812
-3818 || TFTP PUT transfer mode overflow attempt || bugtraq,13821 || cve,2005-1812
-3819 || WEB-CLIENT multipacket CHM file transfer start || bugtraq,13953 || cve,2005-1208 || nessus,18482
-3820 || WEB-CLIENT multipacket CHM file transfer attempt || bugtraq,13953 || cve,2005-1208 || nessus,18482
-3821 || WEB-CLIENT CHM file transfer attempt || bugtraq,13953 || cve,2005-1208 || nessus,18482
-3822 || WEB-MISC Real Player realtext long URI request
-3823 || WEB-MISC Real Player realtext file bad version buffer overflow attempt || bugtraq,14048 || cve,2005-1766
-3824 || SMTP AUTH user overflow attempt || bugtraq,13772
-3825 || POLICY AOL Instant Messenger Message Send
-3826 || POLICY AOL Instant Messenger Message Receive
-3827 || WEB-PHP xmlrpc.php post attempt || bugtraq,14088 || cve,2005-1921
diff -Nru snort-2.8.5.2/rules/smtp.rules snort-2.9.2/rules/smtp.rules
--- snort-2.8.5.2/rules/smtp.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/smtp.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,94 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: smtp.rules,v 1.44.2.4.2.6 2005/07/22 19:19:54 mwatchinski Exp $
-#-----------
-# SMTP RULES
-#-----------
-
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3A|"; nocase; isdataat:300,relative; pcre:"/^RCPT TO\x3a\s[^\n]{300}/ism"; reference:bugtraq,2283; reference:bugtraq,9696; reference:cve,2001-0260; classtype:attempted-admin; sid:654; rev:14;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP chameleon overflow"; flow:to_server,established; content:"HELP"; nocase; isdataat:500,relative; pcre:"/^HELP\s[^\n]{500}/ism"; reference:arachnids,266; reference:bugtraq,2387; reference:cve,1999-0261; classtype:attempted-admin; sid:657; rev:12;)
-alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; reference:arachnids,140; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:655; rev:8;)
-alert tcp $EXTERNAL_NET any -> 
$SMTP_SERVERS 25 (msg:"SMTP exchange mime DOS"; flow:to_server,established; content:"charset = |22 22|"; nocase; reference:bugtraq,1869; reference:cve,2000-1006; reference:nessus,10558; reference:url,www.microsoft.com/technet/security/bulletin/MS00-082.mspx; classtype:attempted-dos; sid:658; rev:11;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn decode"; flow:to_server,established; content:"expn"; nocase; content:"decode"; nocase; pcre:"/^expn\s+decode/smi"; reference:arachnids,32; reference:cve,1999-0096; reference:nessus,10248; classtype:attempted-recon; sid:659; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn root"; flow:to_server,established; content:"expn"; nocase; content:"root"; nocase; pcre:"/^expn\s+root/smi"; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; classtype:attempted-recon; sid:660; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn *@"; flow:to_server,established; content:"expn"; nocase; content:"*@"; pcre:"/^expn\s+\*@/smi"; reference:cve,1999-1200; classtype:misc-attack; sid:1450; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP majordomo ifs"; flow:to_server,established; content:"eply-to|3A| a~.`/bin/"; reference:arachnids,143; reference:bugtraq,2310; reference:cve,1999-0207; classtype:attempted-admin; sid:661; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.5.5 exploit"; flow:to_server,established; content:"mail from|3A| |22 7C|"; nocase; reference:arachnids,119; reference:cve,1999-0203; reference:nessus,10258; classtype:attempted-admin; sid:662; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to command attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; pcre:"/^rcpt\s+to\:\s*[|\x3b]/smi"; reference:arachnids,172; reference:bugtraq,1; reference:cve,1999-0095; classtype:attempted-admin; sid:663; rev:14;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 
(msg:"SMTP RCPT TO decode attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; content:"decode"; distance:0; nocase; pcre:"/^rcpt to\:\s*decode/smi"; reference:arachnids,121; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-admin; sid:664; rev:15;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.6.5 exploit"; flow:to_server,established; content:"MAIL FROM|3A| |7C|/usr/ucb/tail"; nocase; reference:arachnids,122; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-user; sid:665; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|0D 0A|Mprog, P=/bin/"; reference:arachnids,123; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:667; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|09 09 09 09 09 09 09|Mprog,P=/bin"; reference:arachnids,124; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:668; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|Croot|0A|Mprog"; reference:arachnids,142; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:669; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|C|3A|daemon|0A|R"; reference:arachnids,139; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:670; rev:7;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9c exploit"; flow:to_server,established; content:"|0A|Croot|0D 0A|Mprog"; reference:arachnids,141; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:671; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy decode"; 
flow:to_server,established; content:"vrfy"; nocase; content:"decode"; distance:1; nocase; pcre:"/^vrfy\s+decode/smi"; reference:arachnids,373; reference:bugtraq,10248; reference:cve,1999-0096; classtype:attempted-recon; sid:672; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; classtype:attempted-recon; sid:1446; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0A|quit|0A|"; reference:arachnids,372; classtype:protocol-command-decode; sid:631; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn cybercop attempt"; flow:to_server,established; content:"expn cybercop"; reference:arachnids,371; classtype:protocol-command-decode; sid:632; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow attempt"; flow:to_server,established; content:"HELO"; nocase; isdataat:500,relative; pcre:"/^HELO\s[^\n]{500}/smi"; reference:bugtraq,7726; reference:bugtraq,895; reference:cve,2000-0042; reference:nessus,10324; reference:nessus,11674; classtype:attempted-admin; sid:1549; rev:17;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ETRN overflow attempt"; flow:to_server,established; content:"ETRN"; nocase; isdataat:500,relative; pcre:"/^ETRN\s[^\n]{500}/smi"; reference:bugtraq,1297; reference:bugtraq,7515; reference:cve,2000-0490; reference:nessus,10438; classtype:attempted-admin; sid:1550; rev:15;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From comment overflow attempt"; flow:to_server,established; content:"From|3A|"; nocase; content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; content:"|28|"; distance:1; content:"|29|"; distance:1; reference:bugtraq,6991; reference:cve,2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; 
sid:2087; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Transfer-Encoding overflow attempt"; flow:to_server,established; content:"Content-Transfer-Encoding|3A|"; nocase; isdataat:100,relative; content:!"|0A|"; within:100; reference:cve,2003-0161; reference:url,www.cert.org/advisories/CA-2003-12.html; classtype:attempted-admin; sid:2183; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow attempt"; flow:to_server,established; content:"XEXCH50"; nocase; pcre:"/^XEXCH50\s+-\d/smi"; reference:bugtraq,8838; reference:cve,2003-0714; reference:nessus,11889; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx; classtype:attempted-admin; sid:2253; rev:7;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase; pcre:"/^EXPN[^\n]{255,}/smi"; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2259; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP VRFY overflow attempt"; flow:to_server,established; content:"VRFY"; nocase; pcre:"/^VRFY[^\n]{255,}/smi"; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2260; rev:5;)
-
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SEND FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; nocase; pcre:"/^SEND 
FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; reference:nessus,11316; classtype:attempted-admin; sid:2261; rev:6;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SEND FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; nocase; pcre:"/^SEND FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2262; rev:4;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SAML FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; nocase; pcre:"/^SAML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2263; rev:6;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SAML FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; nocase; pcre:"/^SAML 
FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2264; rev:4;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SOML FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; nocase; pcre:"/^SOML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2265; rev:4;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SOML FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; nocase; pcre:"/^SOML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2266; rev:4;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|"; nocase; pcre:"/^MAIL FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; 
reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2267; rev:4;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|"; nocase; pcre:"/^MAIL FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:attempted-admin; sid:2268; rev:4;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO sendmail prescan too many addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; pcre:"/^RCPT TO\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2269; rev:4;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO sendmail prescan too long addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; pcre:"/^RCPT TO\x3a\s*[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:attempted-admin; sid:2270; rev:5;) -alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP AUTH LOGON brute force attempt"; flow:from_server,established; content:"Authentication unsuccessful"; offset:54; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2275; rev:2;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP WinZip MIME content-type buffer overflow"; flow:to_server, established; 
content:"Content-Type|3A|"; nocase; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; pcre:"/(name|id|number|total|boundary)=\s*[^\r\n\x3b\s\x2c]{300}/smi"; reference:bugtraq,9758; reference:cve,2004-0333; reference:nessus,12621; classtype:attempted-user; sid:2487; rev:7;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP WinZip MIME content-disposition buffer overflow"; flow:to_server, established; content:"Content-Type|3A|"; nocase; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; content:"Content-Disposition|3A|"; nocase; pcre:"/name=\s*[^\r\n\x3b\s\x2c]{300}/smi"; reference:bugtraq,9758; reference:cve,2004-0333; reference:nessus,12621; classtype:attempted-user; sid:2488; rev:7;) - - -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2504; rev:9;) - -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP Client_Hello overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2519; rev:9;) - -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; 
flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2538; rev:5;) -alert tcp $SMTP_SERVERS 465 -> $EXTERNAL_NET any (msg:"SMTP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2539; rev:5;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2540; rev:5;) - - -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP STARTTLS attempt"; flow:to_server,established; content:"STARTTLS|0D 0A|"; within:10; flowbits:set,starttls.attempt; flowbits:noalert; classtype:protocol-command-decode; sid:2527; rev:3;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isset,starttls.attempt; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2541; rev:7;) - -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isset,starttls.attempt; flowbits:isnotset,sslv2.server_hello.request; 
flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2528; rev:13;) - -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2542; rev:6;) -alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP TLS SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2543; rev:6;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2544; rev:6;) - - -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM overflow attempt"; flow:to_server,established; content:"MAIL FROM"; nocase; isdataat:260; content:!"|0A|"; within:256; reference:bugtraq,10290; reference:bugtraq,7506; 
reference:cve,2004-0399; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2590; rev:4;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From command overflow attempt"; flow:to_server,established; content:"From"; nocase; pcre:"/^From\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2591; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ReplyTo command overflow attempt"; flow:to_server,established; content:"ReplyTo"; nocase; pcre:"/^ReplyTo\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2592; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Sender command overflow attempt"; flow:to_server,established; content:"Sender"; nocase; pcre:"/^Sender\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2593; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP To command overflow attempt"; flow:to_server,established; content:"To"; nocase; pcre:"/^To\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2594; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP CC command overflow attempt"; flow:to_server,established; content:"CC"; nocase; pcre:"/^CC\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2595; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP BCC command overflow attempt"; flow:to_server,established; content:"BCC"; nocase; pcre:"/^BCC\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2596; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Encoding overflow attempt"; flow:to_server,established; content:"Content-Encoding|3A|"; nocase; pcre:"/Content-Encoding\x3A[^\r\n]{300,}/i"; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; classtype:attempted-admin; sid:3462; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Type overflow attempt"; flow:to_server,established; content:"Content-Type|3A|"; nocase; pcre:"/Content-Type\x3A[^\r\n]{300,}/i"; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; classtype:attempted-admin; sid:3461; rev:2;)
diff -Nru snort-2.8.5.2/rules/snmp.rules snort-2.9.2/rules/snmp.rules
--- snort-2.8.5.2/rules/snmp.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/snmp.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,39 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: snmp.rules,v 1.17.2.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $
-# ---------------
-# SNMP RULES
-# ---------------
-#
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP missing community string attempt"; content:"|04 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:1893; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP null community string attempt"; content:"|04 01 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:bugtraq,8974; reference:cve,1999-0517; classtype:misc-attack; sid:1892; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"SNMP community string buffer overflow attempt"; content:"|02 01 00 04 82 01 00|"; offset:4; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1409; rev:10;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"SNMP community string buffer overflow attempt with evasion"; content:" |04 82 01 00|"; depth:5; offset:7; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1422; rev:10;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access udp"; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1411; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access tcp"; flow:to_server,established; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1412; rev:13;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP private access udp"; content:"private"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1413; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP private access tcp"; flow:to_server,established; content:"private"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1414; rev:11;)
-alert udp any any -> 255.255.255.255 161 (msg:"SNMP Broadcast request"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1415; rev:9;)
-alert udp any any -> 255.255.255.255 162 (msg:"SNMP broadcast trap"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1416; rev:9;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1418; rev:11;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP trap udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1419; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP trap tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1420; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"SNMP AgentX/tcp request"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1421; rev:11;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP PROTOS test-suite-req-app attempt"; content:"0&|02 01 00 04 06|public|A0 19 02 01 00 02 01 00 02 01 00|0|0E|0|0C 06 08|+|06 01 02 01 01 05 00 05 00|"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1426; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP PROTOS test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|06|"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1427; rev:4;)
diff -Nru snort-2.8.5.2/rules/snort.conf snort-2.9.2/rules/snort.conf
--- snort-2.8.5.2/rules/snort.conf 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/snort.conf 1970-01-01 00:00:00.000000000 +0000
@@ -1,753 +0,0 @@ -#-------------------------------------------------- -# http://www.snort.org Snort 2.4.0 config file -# Contact: snort-sigs@lists.sourceforge.net -#-------------------------------------------------- -# $Id: snort.conf,v 1.144.2.9.2.10 2005/07/22 15:10:16 roesch Exp $ -# -################################################### -# This file contains a sample snort configuration. -# You can take the following steps to create your own custom configuration: -# -# 1) Set the variables for your network -# 2) Configure preprocessors -# 3) Configure output plugins -# 4) Add any runtime config directives -# 5) Customize your rule set -# -################################################### -# Step #1: Set the network variables: -# -# You must change the following variables to reflect your local network. The -# variable is currently setup for an RFC 1918 address space. -# -# You can specify it explicitly as: -# -# var HOME_NET 10.1.1.0/24 -# -# or use global variable $<interfacename>_ADDRESS which will be always -# initialized to IP address and netmask of the network interface which you run -# snort at. Under Windows, this must be specified as -# $(<interfacename>_ADDRESS), such as: -# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS) -# -# var HOME_NET $eth0_ADDRESS -# -# You can specify lists of IP addresses for HOME_NET -# by separating the IPs with commas like this: -# -# var HOME_NET [10.1.1.0/24,192.168.1.0/24] -# -# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST! -# -# or you can specify the variable to be any IP address -# like this: - -var HOME_NET any - -# Set up the external network addresses as well. A good start may be "any" -var EXTERNAL_NET any - -# Configure your server lists. This allows snort to only look for attacks to -# systems that have a service up. Why look for HTTP attacks if you are not -# running a web server? 
This allows quick filtering based on IP addresses -# These configurations MUST follow the same configuration scheme as defined -# above for $HOME_NET. - -# List of DNS servers on your network -var DNS_SERVERS $HOME_NET - -# List of SMTP servers on your network -var SMTP_SERVERS $HOME_NET - -# List of web servers on your network -var HTTP_SERVERS $HOME_NET - -# List of sql servers on your network -var SQL_SERVERS $HOME_NET - -# List of telnet servers on your network -var TELNET_SERVERS $HOME_NET - -# List of snmp servers on your network -var SNMP_SERVERS $HOME_NET - -# Configure your service ports. This allows snort to look for attacks destined -# to a specific application only on the ports that application runs on. For -# example, if you run a web server on port 8081, set your HTTP_PORTS variable -# like this: -# -# var HTTP_PORTS 8081 -# -# Port lists must either be continuous [eg 80:8080], or a single port [eg 80]. -# We will adding support for a real list of ports in the future. - -# Ports you run web servers on -# -# Please note: [80,8080] does not work. -# If you wish to define multiple HTTP ports, -# -## var HTTP_PORTS 80 -## include somefile.rules -## var HTTP_PORTS 8080 -## include somefile.rules -var HTTP_PORTS 80 - -# Ports you want to look for SHELLCODE on. -var SHELLCODE_PORTS !80 - -# Ports you do oracle attacks on -var ORACLE_PORTS 1521 - -# other variables -# -# AIM servers. AOL has a habit of adding new AIM servers, so instead of -# modifying the signatures when they do, we add them to this list of servers. 
-var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] - -# Path to your rules files (this can be a relative path) -# Note for Windows users: You are advised to make this an absolute path, -# such as: c:\snort\rules -var RULE_PATH ../rules - -# Configure the snort decoder -# ============================ -# -# Snort's decoder will alert on lots of things such as header -# truncation or options of unusual length or infrequently used tcp options -# -# -# Stop generic decode events: -# -# config disable_decode_alerts -# -# Stop Alerts on experimental TCP options -# -# config disable_tcpopt_experimental_alerts -# -# Stop Alerts on obsolete TCP options -# -# config disable_tcpopt_obsolete_alerts -# -# Stop Alerts on T/TCP alerts -# -# In snort 2.0.1 and above, this only alerts when a TCP option is detected -# that shows T/TCP being actively used on the network. If this is normal -# behavior for your network, disable the next option. -# -# config disable_tcpopt_ttcp_alerts -# -# Stop Alerts on all other TCPOption type events: -# -# config disable_tcpopt_alerts -# -# Stop Alerts on invalid ip options -# -# config disable_ipopt_alerts - -# Configure the detection engine -# =============================== -# -# Use a different pattern matcher in case you have a machine with very limited -# resources: -# -# config detection: search-method lowmem - -# Configure Inline Resets -# ======================== -# -# If running an iptables firewall with snort in InlineMode() we can now -# perform resets via a physical device. We grab the indev from iptables -# and use this for the interface on which to send resets. This config -# option takes an argument for the src mac address you want to use in the -# reset packet. This way the bridge can remain stealthy. If the src mac -# option is not set we use the mac address of the indev device. 
If we -# don't set this option we will default to sending resets via raw socket, -# which needs an ipaddress to be assigned to the int. -# -# config layer2resets: 00:06:76:DD:5F:E3 - -################################################### -# Step #2: Configure preprocessors -# -# General configuration for preprocessors is of -# the form -# preprocessor <name_of_processor>: <configuration_options> - -# Configure Flow tracking module -# ------------------------------- -# -# The Flow tracking module is meant to start unifying the state keeping -# mechanisms of snort into a single place. Right now, only a portscan detector -# is implemented but in the long term, many of the stateful subsystems of -# snort will be migrated over to becoming flow plugins. This must be enabled -# for flow-portscan to work correctly. -# -# See README.flow for additional information -# -preprocessor flow: stats_interval 0 hash 2 - -# frag2: IP defragmentation support -# ------------------------------- -# This preprocessor performs IP defragmentation. This plugin will also detect -# people launching fragmentation attacks (usually DoS) against hosts. No -# arguments loads the default configuration of the preprocessor, which is a 60 -# second timeout and a 4MB fragment buffer. 
- -# The following (comma delimited) options are available for frag2 -# timeout [seconds] - sets the number of [seconds] that an unfinished -# fragment will be kept around waiting for completion, -# if this time expires the fragment will be flushed -# memcap [bytes] - limit frag2 memory usage to [number] bytes -# (default: 4194304) -# -# min_ttl [number] - minimum ttl to accept -# -# ttl_limit [number] - difference of ttl to accept without alerting -# will cause false positves with router flap -# -# Frag2 uses Generator ID 113 and uses the following SIDS -# for that GID: -# SID Event description -# ----- ------------------- -# 1 Oversized fragment (reassembled frag > 64k bytes) -# 2 Teardrop-type attack - -#preprocessor frag2 - -# frag3: Target-based IP defragmentation -# -------------------------------------- -# -# Frag3 is a brand new IP defragmentation preprocessor that is capable of -# performing "target-based" processing of IP fragments. Check out the -# README.frag3 file in the doc directory for more background and configuration -# information. -# -# Frag3 configuration is a two step process, a global initialization phase -# followed by the definition of a set of defragmentation engines. -# -# Global configuration defines the number of fragmented packets that Snort can -# track at the same time and gives you options regarding the memory cap for the -# subsystem or, optionally, allows you to preallocate all the memory for the -# entire frag3 system. -# -# frag3_global options: -# max_frags: Maximum number of frag trackers that may be active at once. -# Default value is 8192. -# memcap: Maximum amount of memory that frag3 may access at any given time. -# Default value is 4MB. -# prealloc_frags: Maximum number of individual fragments that may be processed -# at once. This is instead of the memcap system, uses static -# allocation to increase performance. No default value. Each -# preallocated fragment eats ~1550 bytes. 
-# -# Target-based behavior is attached to an engine as a "policy" for handling -# overlaps and retransmissions as enumerated in the Paxson paper. There are -# currently five policy types available: "BSD", "BSD-right", "First", "Linux" -# and "Last". Engines can be bound to bound to standard Snort CIDR blocks or -# IP lists. -# -# frag3_engine options: -# timeout: Amount of time a fragmented packet may be active before expiring. -# Default value is 60 seconds. -# ttl_limit: Limit of delta allowable for TTLs of packets in the fragments. -# Based on the initial received fragment TTL. -# min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs below this -# value will be discarded. Default value is 0. -# detect_anomalies: Activates frag3's anomaly detection mechanisms. -# policy: Target-based policy to assign to this engine. Default is BSD. -# bind_to: IP address set to bind this engine to. Default is all hosts. -# -# Frag3 configuration example: -#preprocessor frag3_global: max_frags 65536 prealloc_frags 262144 -#preprocessor frag3_engine: policy linux \ -# bind_to [10.1.1.12/32,10.1.1.13/32] \ -# detect_anomalies -#preprocessor frag3_engine: policy first \ -# bind_to 10.2.1.0/24 \ -# detect_anomalies -#preprocessor frag3_engine: policy last \ -# bind_to 10.3.1.0/24 -#preprocessor frag3_engine: policy bsd - -preprocessor frag3_global: max_frags 65536 -preprocessor frag3_engine: policy first detect_anomalies - - -# stream4: stateful inspection/stream reassembly for Snort -#---------------------------------------------------------------------- -# Use in concert with the -z [all|est] command line switch to defeat stick/snot -# against TCP rules. Also performs full TCP stream reassembly, stateful -# inspection of TCP streams, etc. Can statefully detect various portscan -# types, fingerprinting, ECN, etc. 
- -# stateful inspection directive -# no arguments loads the defaults (timeout 30, memcap 8388608) -# options (options are comma delimited): -# detect_scans - stream4 will detect stealth portscans and generate alerts -# when it sees them when this option is set -# detect_state_problems - detect TCP state problems, this tends to be very -# noisy because there are a lot of crappy ip stack -# implementations out there -# -# disable_evasion_alerts - turn off the possibly noisy mitigation of -# overlapping sequences. -# -# -# min_ttl [number] - set a minium ttl that snort will accept to -# stream reassembly -# -# ttl_limit [number] - differential of the initial ttl on a session versus -# the normal that someone may be playing games. -# Routing flap may cause lots of false positives. -# -# keepstats [machine|binary] - keep session statistics, add "machine" to -# get them in a flat format for machine reading, add -# "binary" to get them in a unified binary output -# format -# noinspect - turn off stateful inspection only -# timeout [number] - set the session timeout counter to [number] seconds, -# default is 30 seconds -# max_sessions [number] - limit the number of sessions stream4 keeps -# track of -# memcap [number] - limit stream4 memory usage to [number] bytes -# log_flushed_streams - if an event is detected on a stream this option will -# cause all packets that are stored in the stream4 -# packet buffers to be flushed to disk. This only -# works when logging in pcap mode! -# server_inspect_limit [bytes] - Byte limit on server side inspection. 
-# flush_behavior [number] - -# number > 0 use old static flushpoints (default) -# number = 0 use new larger static flushpoints -# number < 0 use random flushpoints defined by flush_base, flush_seed -# and flush_range -# flush_base [number] - lowest allowed random flushpoint (512 by default) -# flush_range [number] - number is the space within which random flushpoints -# are generated (default 1213) -# flush_seed [number] - seed for the random number generator, defaults to -# Snort PID + time -# -# Using the default random flushpoints, the smallest flushpoint is 512, -# and the largest is 1725 bytes. -# -# Stream4 uses Generator ID 111 and uses the following SIDS -# for that GID: -# SID Event description -# ----- ------------------- -# 1 Stealth activity -# 2 Evasive RST packet -# 3 Evasive TCP packet retransmission -# 4 TCP Window violation -# 5 Data on SYN packet -# 6 Stealth scan: full XMAS -# 7 Stealth scan: SYN-ACK-PSH-URG -# 8 Stealth scan: FIN scan -# 9 Stealth scan: NULL scan -# 10 Stealth scan: NMAP XMAS scan -# 11 Stealth scan: Vecna scan -# 12 Stealth scan: NMAP fingerprint scan stateful detect -# 13 Stealth scan: SYN-FIN scan -# 14 TCP forward overlap - -preprocessor stream4: disable_evasion_alerts - -# tcp stream reassembly directive -# no arguments loads the default configuration -# Only reassemble the client, -# Only reassemble the default list of ports (See below), -# Give alerts for "bad" streams -# -# Available options (comma delimited): -# clientonly - reassemble traffic for the client side of a connection only -# serveronly - reassemble traffic for the server side of a connection only -# both - reassemble both sides of a session -# noalerts - turn off alerts from the stream reassembly stage of stream4 -# ports [list] - use the space separated list of ports in [list], "all" -# will turn on reassembly for all ports, "default" will turn -# on reassembly for ports 21, 23, 25, 42, 53, 80, 110, -# 111, 135, 136, 137, 139, 143, 445, 513, 1433, 1521, -# 
and 3306
-# favor_old - favor an old segment (based on sequence number) over a new one.
-# This is the default.
-# favor_new - favor an new segment (based on sequence number) over an old one.
-preprocessor stream4_reassemble
-
-# Performance Statistics
-# ----------------------
-# Documentation for this is provided in the Snort Manual. You should read it.
-# It is included in the release distribution as doc/snort_manual.pdf
-#
-preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
-
-# http_inspect: normalize and detect HTTP traffic and protocol anomalies
-#
-# lots of options available here. See doc/README.http_inspect.
-# unicode.map should be wherever your snort.conf lives, or given
-# a full path to where snort can find it.
-preprocessor http_inspect: global \
- iis_unicode_map unicode.map 1252
-
-preprocessor http_inspect_server: server default \
- profile all ports { 80 8080 8180 } oversize_dir_length 500
-
-#
-# Example unqiue server configuration
-#
-#preprocessor http_inspect_server: server 1.1.1.1 \
-# ports { 80 3128 8080 } \
-# flow_depth 0 \
-# ascii no \
-# double_decode yes \
-# non_rfc_char { 0x00 } \
-# chunk_length 500000 \
-# non_strict \
-# oversize_dir_length 300 \
-# no_alerts
-
-
-# rpc_decode: normalize RPC traffic
-# ---------------------------------
-# RPC may be sent in alternate encodings besides the usual 4-byte encoding
-# that is used by default. This plugin takes the port numbers that RPC
-# services are running on as arguments - it is assumed that the given ports
-# are actually running this type of service. If not, change the ports or turn
-# it off.
-# The RPC decode preprocessor uses generator ID 106
-#
-# arguments: space separated list
-# alert_fragments - alert on any rpc fragmented TCP data
-# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
-# no_alert_large_fragments - don't alert when the fragmented
-# sizes exceed the current packet size
-# no_alert_incomplete - don't alert when a single segment
-# exceeds the current packet size
-
-preprocessor rpc_decode: 111 32771
-
-# bo: Back Orifice detector
-# -------------------------
-# Detects Back Orifice traffic on the network. Takes no arguments in 2.0.
-#
-# The Back Orifice detector uses Generator ID 105 and uses the
-# following SIDS for that GID:
-# SID Event description
-# ----- -------------------
-# 1 Back Orifice traffic detected
-
-preprocessor bo
-
-# telnet_decode: Telnet negotiation string normalizer
-# ---------------------------------------------------
-# This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
-# traffic. It works in much the same way as the http_decode preprocessor,
-# searching for traffic that breaks up the normal data stream of a protocol and
-# replacing it with a normalized representation of that traffic so that the
-# "content" pattern matching keyword can work without requiring modifications.
-# This preprocessor requires no arguments.
-# Portscan uses Generator ID 109 and does not generate any SID currently.
-
-preprocessor telnet_decode
-
-# sfPortscan
-# ----------
-# Portscan detection module. Detects various types of portscans and
-# portsweeps. For more information on detection philosophy, alert types,
-# and detailed portscan information, please refer to the README.sfportscan.
-#
-# -configuration options-
-# proto { tcp udp icmp ip_proto all }
-# The arguments to the proto option are the types of protocol scans that
-# the user wants to detect. Arguments should be separated by spaces and
-# not commas.
-# scan_type { portscan portsweep decoy_portscan distributed_portscan all }
-# The arguments to the scan_type option are the scan types that the
-# user wants to detect. Arguments should be separated by spaces and not
-# commas.
-# sense_level { low|medium|high }
-# There is only one argument to this option and it is the level of
-# sensitivity in which to detect portscans. The 'low' sensitivity
-# detects scans by the common method of looking for response errors, such
-# as TCP RSTs or ICMP unreachables. This level requires the least
-# tuning. The 'medium' sensitivity level detects portscans and
-# filtered portscans (portscans that receive no response). This
-# sensitivity level usually requires tuning out scan events from NATed
-# IPs, DNS cache servers, etc. The 'high' sensitivity level has
-# lower thresholds for portscan detection and a longer time window than
-# the 'medium' sensitivity level. Requires more tuning and may be noisy
-# on very active networks. However, this sensitivity levels catches the
-# most scans.
-# memcap { positive integer }
-# The maximum number of bytes to allocate for portscan detection. The
-# higher this number the more nodes that can be tracked.
-# logfile { filename }
-# This option specifies the file to log portscan and detailed portscan
-# values to. If there is not a leading /, then snort logs to the
-# configured log directory. Refer to README.sfportscan for details on
-# the logged values in the logfile.
-# watch_ip { Snort IP List }
-# ignore_scanners { Snort IP List }
-# ignore_scanned { Snort IP List }
-# These options take a snort IP list as the argument. The 'watch_ip'
-# option specifies the IP(s) to watch for portscan. The
-# 'ignore_scanners' option specifies the IP(s) to ignore as scanners.
-# Note that these hosts are still watched as scanned hosts. The
-# 'ignore_scanners' option is used to tune alerts from very active
-# hosts such as NAT, nessus hosts, etc. The 'ignore_scanned' option
-# specifies the IP(s) to ignore as scanned hosts. Note that these hosts
-# are still watched as scanner hosts. The 'ignore_scanned' option is
-# used to tune alerts from very active hosts such as syslog servers, etc.
-#
-preprocessor sfportscan: proto { all } \
- memcap { 10000000 } \
- sense_level { low }
-
-# arpspoof
-#----------------------------------------
-# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
-# unicast ARP requests, and specific ARP mapping monitoring. To make use of
-# this preprocessor you must specify the IP and hardware address of hosts on
-# the same layer 2 segment as you. Specify one host IP MAC combo per line.
-# Also takes a "-unicast" option to turn on unicast ARP request detection.
-# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
-
-# SID Event description
-# ----- -------------------
-# 1 Unicast ARP request
-# 2 Etherframe ARP mismatch (src)
-# 3 Etherframe ARP mismatch (dst)
-# 4 ARP cache overwrite attack
-
-#preprocessor arpspoof
-#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
-
-# X-Link2State mini-preprocessor
-# ------------------------------
-# This preprocessor will catch the X-Link2State vulnerability
-# (www.microsoft.com/technet/security/bulletin/MS05-021.mspx).
-#
-# Format:
-# preprocessor xlink2state: ports { <port> [<port> <...>] } [drop]
-#
-# "drop" will drop the attack if in Inline-mode.
-
-# SID Event description
-# ----- -------------------
-# 1 X-Link2State length greater than 1024
-
-preprocessor xlink2state: ports { 25 691 }
-
-####################################################################
-# Step #3: Configure output plugins
-#
-# Uncomment and configure the output plugins you decide to use. General
-# configuration for output plugins is of the form:
-#
-# output <name_of_plugin>: <configuration_options>
-#
-# alert_syslog: log alerts to syslog
-# ----------------------------------
-# Use one or more syslog facilities as arguments. Win32 can also optionally
-# specify a particular hostname/port. Under Win32, the default hostname is
-# '127.0.0.1', and the default port is 514.
-#
-# [Unix flavours should use this format...]
-# output alert_syslog: LOG_AUTH LOG_ALERT
-#
-# [Win32 can use any of these formats...]
-# output alert_syslog: LOG_AUTH LOG_ALERT
-# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
-# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
-
-# log_tcpdump: log packets in binary tcpdump format
-# -------------------------------------------------
-# The only argument is the output file name.
-#
-# output log_tcpdump: tcpdump.log
-
-# database: log to a variety of databases
-# ---------------------------------------
-# See the README.database file for more information about configuring
-# and using this plugin.
-#
-# output database: log, mysql, user=root password=test dbname=db host=localhost
-# output database: alert, postgresql, user=snort dbname=snort
-# output database: log, odbc, user=snort dbname=snort
-# output database: log, mssql, dbname=snort user=snort password=test
-# output database: log, oracle, dbname=snort user=snort password=test
-
-# unified: Snort unified binary format alerting and logging
-# -------------------------------------------------------------
-# The unified output plugin provides two new formats for logging and generating
-# alerts from Snort, the "unified" format. The unified format is a straight
-# binary format for logging data out of Snort that is designed to be fast and
-# efficient. Used with barnyard (the new alert/log processor), most of the
-# overhead for logging and alerting to various slow storage mechanisms such as
-# databases or the network can now be avoided.
-#
-# Check out the spo_unified.h file for the data formats.
-#
-# Two arguments are supported.
-# filename - base filename to write to (current time_t is appended)
-# limit - maximum size of spool file in MB (default: 128)
-#
-# output alert_unified: filename snort.alert, limit 128
-# output log_unified: filename snort.log, limit 128
-
-
-# prelude: log to the Prelude Hybrid IDS system
-# ---------------------------------------------
-#
-# output prelude: profile=snort
-# profile = Name of the Prelude profile to use (default is snort).
-# config = Optional name of a specific prelude configuration file to use for snort.
-#
-# Snort priority to IDMEF severity mappings:
-# high < medium < low < info
-#
-# info = 4
-# low = 3
-# medium = 2
-# high = anything below medium
-#
-# These are the default mapped from classification.config.
-#
-# output alert_prelude
-
-
-# You can optionally define new rule types and associate one or more output
-# plugins specifically to that type.
-#
-# This example will create a type that will log to just tcpdump.
-# ruletype suspicious
-# {
-# type log
-# output log_tcpdump: suspicious.log
-# }
-#
-# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
-# suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
-#
-# This example will create a rule type that will log to syslog and a mysql
-# database:
-# ruletype redalert
-# {
-# type alert
-# output alert_syslog: LOG_AUTH LOG_ALERT
-# output database: log, mysql, user=snort dbname=snort host=localhost
-# }
-#
-# EXAMPLE RULE FOR REDALERT RULETYPE:
-# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
-# (msg:"Someone is being LEET"; flags:A+;)
-
-#
-# Include classification & priority settings
-# Note for Windows users: You are advised to make this an absolute path,
-# such as: c:\snort\etc\classification.config
-#
-
-include classification.config
-
-#
-# Include reference systems
-# Note for Windows users: You are advised to make this an absolute path,
-# such as: c:\snort\etc\reference.config
-#
-
-include reference.config
-
-####################################################################
-# Step #4: Configure snort with config statements
-#
-# See the snort manual for a full set of configuration references
-#
-# config flowbits_size: 64
-#
-# New global ignore_ports config option from Andy Mullican
-#
-# config ignore_ports: <tcp|udp> <list of ports separated by whitespace>
-# config ignore_ports: tcp 21 6667:6671 1356
-# config ignore_ports: udp 1:17 53
-
-
-####################################################################
-# Step #5: Customize your rule set
-#
-# Up to date snort rules are available at http://www.snort.org
-#
-# The snort web site has documentation about how to write your own custom snort
-# rules.
-
-#=========================================
-# Include all relevant rulesets here
-#
-# The following rulesets are disabled by default:
-#
-# web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
-# chat, multimedia, and p2p
-#
-# These rules are either site policy specific or require tuning in order to not
-# generate false positive alerts in most enviornments.
-#
-# Please read the specific include file for more information and
-# README.alert_order for how rule ordering affects how alerts are triggered.
-#=========================================
-
-include $RULE_PATH/local.rules
-include $RULE_PATH/bad-traffic.rules
-include $RULE_PATH/exploit.rules
-include $RULE_PATH/scan.rules
-include $RULE_PATH/finger.rules
-include $RULE_PATH/ftp.rules
-include $RULE_PATH/telnet.rules
-include $RULE_PATH/rpc.rules
-include $RULE_PATH/rservices.rules
-include $RULE_PATH/dos.rules
-include $RULE_PATH/ddos.rules
-include $RULE_PATH/dns.rules
-include $RULE_PATH/tftp.rules
-
-include $RULE_PATH/web-cgi.rules
-include $RULE_PATH/web-coldfusion.rules
-include $RULE_PATH/web-iis.rules
-include $RULE_PATH/web-frontpage.rules
-include $RULE_PATH/web-misc.rules
-include $RULE_PATH/web-client.rules
-include $RULE_PATH/web-php.rules
-
-include $RULE_PATH/sql.rules
-include $RULE_PATH/x11.rules
-include $RULE_PATH/icmp.rules
-include $RULE_PATH/netbios.rules
-include $RULE_PATH/misc.rules
-include $RULE_PATH/attack-responses.rules
-include $RULE_PATH/oracle.rules
-include $RULE_PATH/mysql.rules
-include $RULE_PATH/snmp.rules
-
-include $RULE_PATH/smtp.rules
-include $RULE_PATH/imap.rules
-include $RULE_PATH/pop2.rules
-include $RULE_PATH/pop3.rules
-
-include $RULE_PATH/nntp.rules
-include $RULE_PATH/other-ids.rules
-# include $RULE_PATH/web-attacks.rules
-# include $RULE_PATH/backdoor.rules
-# include $RULE_PATH/shellcode.rules
-# include $RULE_PATH/policy.rules
-# include $RULE_PATH/porn.rules
-# include $RULE_PATH/info.rules
-# include $RULE_PATH/icmp-info.rules
- include $RULE_PATH/virus.rules
-# include $RULE_PATH/chat.rules
-# include $RULE_PATH/multimedia.rules
-# include $RULE_PATH/p2p.rules
-include $RULE_PATH/experimental.rules
-
-# Include any thresholding or suppression commands. See threshold.conf in the
-# <snort src>/etc directory for details. Commands don't necessarily need to be
-# contained in this conf, but a separate conf makes it easier to maintain them.
-# Note for Windows users: You are advised to make this an absolute path,
-# such as: c:\snort\etc\threshold.conf
-# Uncomment if needed.
-# include threshold.conf
diff -Nru snort-2.8.5.2/rules/sql.rules snort-2.9.2/rules/sql.rules
--- snort-2.8.5.2/rules/sql.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/sql.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,78 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: sql.rules,v 1.28.2.3.2.4 2005/07/22 19:19:54 mwatchinski Exp $
-#----------
-# SQL RULES
-#----------
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:676; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_password password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; classtype:attempted-user; sid:677; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|"; nocase; classtype:attempted-user; sid:678; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_adduser database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:679; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; offset:32; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:708; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; offset:32; nocase; reference:bugtraq,3733; reference:cve,2001-0542; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:1386; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t|00|"; offset:32; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:702; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; offset:32; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:703; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_cmdshell program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; offset:32; nocase; classtype:attempted-user; sid:681; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_reg* registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; depth:32; offset:32; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:689; rev:11;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; offset:32; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:690; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; classtype:shellcode-detect; sid:692; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:attempted-user; sid:694; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; offset:32; nocase; reference:bugtraq,1204; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:695; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; offset:32; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:696; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; offset:32; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:697; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; offset:32; nocase; reference:bugtraq,2042; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:698; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; offset:32; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:700; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; nocase; classtype:attempted-user; sid:673; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t"; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:674; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:675; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:682; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_password - password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; classtype:attempted-user; sid:683; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|r|00|t|00|"; nocase; classtype:attempted-user; sid:684; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_adduser - database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; nocase; classtype:attempted-user; sid:685; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_reg* - registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:686; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_cmdshell - program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:687; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; classtype:shellcode-detect; sid:691; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:shellcode-detect; sid:693; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:699; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:701; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; nocase; reference:bugtraq,1204; reference:cve,2001-0542; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:704; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:705; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:706; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:707; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; nocase; reference:bugtraq,3733; reference:cve,2001-0542; reference:nessus,11217; classtype:attempted-user; sid:1387; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 445 (msg:"MS-SQL xp_cmdshell program execution 445"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:1759; rev:5;)
-alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"MS-SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:688; rev:10;)
-alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"MS-SQL/SMB sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; offset:83; reference:bugtraq,4797; reference:cve,2000-1209; classtype:attempted-user; sid:680; rev:9;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2003; rev:8;)
-alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"MS-SQL Worm propagation attempt OUTBOUND"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2004; rev:7;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL ping attempt"; content:"|02|"; depth:1; reference:nessus,10674; classtype:misc-activity; sid:2049; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL version overflow attempt"; flowbits:isnotset,ms_sql_seen_dns; dsize:>100; content:"|04|"; depth:1; reference:bugtraq,5310; reference:cve,2002-0649; reference:nessus,10674; classtype:misc-activity; sid:2050; rev:8;)
-alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"MS-SQL probe response overflow attempt"; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative; content:!"|3B|"; within:512; reference:bugtraq,9407; reference:cve,2003-0903; reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx; classtype:attempted-user; sid:2329; rev:6;)
-# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 4 requests"; content:"|00 04|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3446; rev:3;)
-# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 9 requests"; content:"|00 09|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3451; rev:3;)
-alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"MS-SQL sa brute force failed login unicode attempt"; flow:from_server,established; content:"L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:3273; rev:3;)
-# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 5 requests"; content:"|00 05|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3447; rev:3;)
-# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 2 requests"; content:"|00 02|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3444; rev:3;)
-# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 1 requests"; content:"|00 01|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3443; rev:3;)
-alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"MS-SQL sa brute force failed login attempt"; flow:from_server,established; content:"Login failed for user 'sa'"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:3152; rev:3;)
-# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 10 requests"; content:"|00 0A|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3452; rev:3;)
-# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 6 requests"; content:"|00 06|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3448; rev:3;)
-# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 3 requests"; content:"|00 03|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3445; rev:3;)
-# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 8 requests"; content:"|00 08|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3450; rev:3;)
-# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 7 requests"; content:"|00 07|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3449; rev:3;)
diff -Nru snort-2.8.5.2/rules/telnet.rules snort-2.9.2/rules/telnet.rules
--- snort-2.8.5.2/rules/telnet.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/telnet.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,42 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: telnet.rules,v 1.35.2.4.2.5 2005/06/29 15:35:04 mwatchinski Exp $ -#------------- -# TELNET RULES -#------------- -# -# These signatures are based on various telnet exploits and unpassword -# protected accounts. 
-# - - -alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET Solaris memory mismanagement exploit attempt"; flow:to_server,established; content:"|A0 23 A0 10 AE 23 80 10 EE 23 BF EC 82 05 E0 D6 90|%|E0|"; classtype:shellcode-detect; sid:1430; rev:7;) -alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET SGI telnetd format bug"; flow:to_server,established; content:"_RLD"; content:"bin/sh"; reference:arachnids,304; reference:bugtraq,1572; reference:cve,2000-0733; classtype:attempted-admin; sid:711; rev:8;) -alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET ld_library_path"; flow:to_server,established; content:"ld_library_path"; reference:arachnids,367; reference:bugtraq,459; reference:cve,1999-0073; classtype:attempted-admin; sid:712; rev:8;) -alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET livingston DOS"; flow:to_server,established; content:"|FF F3 FF F3 FF F3 FF F3 FF F3|"; rawbytes; reference:arachnids,370; reference:bugtraq,2225; reference:cve,1999-0218; classtype:attempted-dos; sid:713; rev:10;) -alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET resolv_host_conf"; flow:to_server,established; content:"resolv_host_conf"; reference:arachnids,369; reference:bugtraq,2181; reference:cve,2001-0170; classtype:attempted-admin; sid:714; rev:7;) -alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET Attempted SU from wrong group"; flow:from_server,established; content:"to su root"; nocase; classtype:attempted-admin; sid:715; rev:6;) -alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET not on console"; flow:from_server,established; content:"not on system console"; nocase; reference:arachnids,365; classtype:bad-unknown; sid:717; rev:6;) -alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET root login"; flow:from_server,established; content:"login|3A| root"; classtype:suspicious-login; sid:719; rev:7;) -alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET bsd telnet exploit 
response"; flow:from_server,established; content:"|0D 0A|[Yes]|0D 0A FF FE 08 FF FD|&"; rawbytes; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:attempted-admin; sid:1252; rev:15;) -alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET bsd exploit client finishing"; flow:to_client,established; dsize:>200; content:"|FF F6 FF F6 FF FB 08 FF F6|"; depth:50; offset:200; rawbytes; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:successful-admin; sid:1253; rev:13;) -alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET 4Dgifts SGI account attempt"; flow:to_server,established; content:"4Dgifts"; reference:cve,1999-0501; reference:nessus,11243; classtype:suspicious-login; sid:709; rev:9;) -alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET EZsetup account attempt"; flow:to_server,established; content:"OutOfBox"; reference:cve,1999-0501; reference:nessus,11244; classtype:suspicious-login; sid:710; rev:9;) -alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET APC SmartSlot default admin account attempt"; flow:to_server,established; content:"TENmanUFactOryPOWER"; reference:bugtraq,9681; reference:cve,2004-0311; reference:nessus,12066; classtype:suspicious-login; sid:2406; rev:4;) -alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET login buffer non-evasive overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|"; rawbytes; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/RBi"; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:3274; rev:3;) -alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET login buffer overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|TTYPROMPT|01|"; rawbytes; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:3147; rev:3;) diff -Nru 
snort-2.8.5.2/rules/tftp.rules snort-2.9.2/rules/tftp.rules --- snort-2.8.5.2/rules/tftp.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/tftp.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,39 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: tftp.rules,v 1.19.2.1.2.2 2005/07/22 19:19:54 mwatchinski Exp $ -#----------- -# TFTP RULES -#----------- -# -# These signatures are based on TFTP traffic. These include malicious files -# that are distributed via TFTP. 
-# -# The last two signatures refer to generic GET and PUT via TFTP, which is -# generally frowned upon on most networks, but may be used in some enviornments - -alert udp any any -> any 69 (msg:"TFTP GET filename overflow attempt"; content:"|00 01|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,5328; reference:cve,2002-0813; classtype:attempted-admin; sid:1941; rev:9;) -alert udp any any -> any 69 (msg:"TFTP PUT filename overflow attempt"; content:"|00 02|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,7819; reference:bugtraq,8505; reference:cve,2003-0380; classtype:attempted-admin; sid:2337; rev:8;) -alert udp any any -> any 69 (msg:"TFTP GET Admin.dll"; content:"|00 01|"; depth:2; content:"admin.dll"; offset:2; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:1289; rev:4;) -alert udp any any -> any 69 (msg:"TFTP GET nc.exe"; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2; nocase; classtype:successful-admin; sid:1441; rev:4;) -alert udp any any -> any 69 (msg:"TFTP GET shadow"; content:"|00 01|"; depth:2; content:"shadow"; offset:2; nocase; classtype:successful-admin; sid:1442; rev:4;) -alert udp any any -> any 69 (msg:"TFTP GET passwd"; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; classtype:successful-admin; sid:1443; rev:4;) -alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP parent directory"; content:".."; offset:2; reference:arachnids,137; reference:cve,1999-0183; reference:cve,2002-1209; classtype:bad-unknown; sid:519; rev:6;) -alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP root directory"; content:"|00 01|/"; depth:3; reference:arachnids,138; reference:cve,1999-0183; classtype:bad-unknown; sid:520; rev:5;) -alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Put"; content:"|00 02|"; depth:2; reference:arachnids,148; reference:cve,1999-0183; classtype:bad-unknown; sid:518; rev:6;) -alert udp 
$EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Get"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:1444; rev:3;) -alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP NULL command attempt"; content:"|00 00|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2339; rev:2;) diff -Nru snort-2.8.5.2/rules/threshold.conf snort-2.9.2/rules/threshold.conf --- snort-2.8.5.2/rules/threshold.conf 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/threshold.conf 1970-01-01 00:00:00.000000000 +0000 
@@ -1,61 +0,0 @@ -# Configure Thresholding and Suppression -# ====================================== -# -# Thresholding: -# -# This feature is used to reduce the number of logged alerts for noisy rules. -# This can be tuned to significantly reduce false alarms, and it can also be -# used to write a newer breed of rules. Thresholding commands limit the number -# of times a particular event is logged during a specified time interval. -# There are 3 types of thresholding: -# -# 1) Limit -# Alert on the 1st M events during the time interval, then ignore -# events -# for the rest of the time interval. -# 2) Threshold -# Alert every M times we see this event during the time interval. -# 3) Both -# Alert once per time interval after seeing M occurrences of the -# event, -# then ignore any additional events during the time interval. -# -# Threshold commands are formatted as: -# threshold gen_id gen-id, sig_id sig-id, type limit|threshold|both, track -# by_src|by_dst, count n , seconds m -# -# Limit to logging 1 event per 60 seconds -# threshold gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds -# 60 - -# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering -# each rule (rules are gen_id 1). -# threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60 - -# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering -# any alert for any event generator -# threshold gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60 -# -# Thresholding does not need to be a stand-alone command, and can instead be -# written directly into a rule. Please see README.thresholding for more -# information on thresholding. -# -# Suppression: -# -# Suppression commands are standalone commands that reference generators and -# sids and IP addresses via a CIDR block. 
This allows a rule to be completely -# suppressed, or suppressed when the causitive traffic is going to or comming -# from a specific IP or group of IP addresses. -# -# Suppress this event completely -# -# suppress gen_id 1, sig_id 1852 -# -# Suppress this event from this IP -# -# suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54 -# -# Suppress this event to this CIDR block -# -# suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24 - diff -Nru snort-2.8.5.2/rules/unicode.map snort-2.9.2/rules/unicode.map --- snort-2.8.5.2/rules/unicode.map 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/unicode.map 1970-01-01 00:00:00.000000000 +0000 
@@ -1,104 +0,0 @@ -# Windows Version: 5.00.2195 -# OEM codepage: 437 -# ACP codepage: 1252 - -# INSTALLED CODEPAGES -10000 (MAC - Roman) - - -10079 (MAC - Icelandic) - - -1250 (ANSI - Central Europe) -00a1:21 00a2:63 00a3:4c 00a5:59 00aa:61 00b2:32 00b3:33 00b9:31 00ba:6f 00bc:31 00bd:31 00be:33 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 
212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1251 (ANSI - Cyrillic) -00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 
0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221a:76 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2552:2d 2558:4c 2559:4c 255a:4c 255b:2d 255c:2d 255d:2d 2564:54 2565:54 2566:54 256a:2b 256b:2b 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 
ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1252 (ANSI - Latin I) -0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c8:27 02cb:60 02cd:5f 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 0398:54 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2017:3d 2032:27 2035:60 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 207f:6e 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 
2133:4d 2134:6f 2212:2d 2215:2f 2216:5c 2217:2a 221a:76 221e:38 2223:7c 2229:6e 2236:3a 223c:7e 2261:3d 2264:3d 2265:3d 2303:5e 2320:28 2321:29 2329:3c 232a:3e 2500:2d 250c:2b 2510:2b 2514:2b 2518:2b 251c:2b 252c:2d 2534:2d 253c:2b 2550:2d 2552:2b 2553:2b 2554:2b 2555:2b 2556:2b 2557:2b 2558:2b 2559:2b 255a:2b 255b:2b 255c:2b 255d:2b 2564:2d 2565:2d 2566:2d 2567:2d 2568:2d 2569:2d 256a:2b 256b:2b 256c:2b 2584:5f 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1253 (ANSI - Greek) -00b4:2f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 
0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 037e:3b 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1254 
(ANSI - Turkish) -00dd:59 00fd:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c7:5e 02c8:27 02cb:60 02cd:5f 02d8:5e 02d9:27 0300:60 0302:5e 0331:5f 0332:5f 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2081:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2193:76 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 
2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:3d 301d:22 301e:22 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1255 (ANSI - Hebrew) -0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1256 (ANSI - Arabic) -00c0:41 00c2:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00ce:49 00cf:49 00d4:4f 00d9:55 00db:55 00dc:55 0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 
ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1257 (ANSI - Baltic) -ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1258 (ANSI/OEM - Viet Nam) -ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 
ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -#INVALID CODEPAGE: 1361 -20127 (US-ASCII) -00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 
01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -20261 (T.61) -f8dd:5c f8de:5e f8df:60 f8e0:7b f8fc:7d f8fd:7e f8fe:7f - -20866 (Russian - KOI8) -00a7:15 00ab:3c 00ad:2d 00ae:52 00b1:2b 00b6:14 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 
0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e - -28591 (ISO 8859-1 Latin I) -0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 
014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -28592 (ISO 8859-2 Central Europe) -00a1:21 00a2:63 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b2:32 00b3:33 00b7:2e 00b9:31 00ba:6f 00bb:3e 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 
00cc:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d 
ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -#INVALID CODEPAGE: 28595 -#INVALID CODEPAGE: 28597 -28605 (ISO 8859-15 Latin 9) -00a6:7c 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0138:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014a:4e 014b:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:54 0169:74 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a 
ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -37 (IBM EBCDIC - U.S./Canada) -0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f - -437 (OEM - United States) -00a4:0f 00a7:15 00a8:22 00a9:63 00ad:2d 00ae:72 00af:5f 00b3:33 00b4:27 00b6:14 00b8:2c 00b9:31 00be:5f 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:78 00d8:4f 00d9:55 00da:55 00db:55 00dd:59 00de:5f 00e3:61 00f0:64 00f5:6f 00f8:6f 00fd:79 00fe:5f 
0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02ca:27 02cb:60 02cd:5f 02dc:7e 0300:60 0301:27 0302:5e 0303:7e 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:60 2019:27 201a:2c 201c:22 201d:22 201e:2c 2020:2b 2022:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:09 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2128:5a 
212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2212:2d 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 3000:20 3007:09 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -500 (IBM EBCDIC - International) -0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 
00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 - -850 (OEM - Multilingual Latin I) -0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01a9:53 01ab:74 01ae:54 01af:55 01b0:75 01b6:5a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:27 02cd:5f 02dc:7e 0300:27 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 
2024:07 2026:2e 2030:25 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:39 207f:6e 2080:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2126:4f 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2211:53 2212:2d 2215:2f 2216:2f 2217:2a 2219:07 221a:56 221e:38 221f:1c 2229:6e 2236:3a 223c:7e 2248:7e 2261:3d 2264:3d 2265:3d 2302:7f 2303:5e 2320:28 2321:29 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2713:56 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -860 (OEM - Portuguese) -00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00be:33 00c4:41 00c5:41 00c6:41 00cb:45 00ce:49 00cf:49 00d0:44 00d6:4f 00d7:58 00d8:4f 00db:55 00dd:59 00de:54 00e4:61 00e5:61 00e6:61 00eb:65 00ee:69 00ef:69 00f0:64 00f6:6f 00f8:6f 00fb:75 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 
0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:5c 0161:7c 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:5f 2011:5f 2013:5f 2014:5f 2017:5f 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 
2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 - -861 (OEM - Icelandic) -00a2:63 00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00aa:61 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00ba:6f 00be:33 00c0:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00db:55 00e3:61 00ec:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f9:75 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 
01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 - -863 (OEM - Canadian French) -00a1:21 00a5:59 00a9:63 00aa:61 00ad:16 00ae:72 00b9:33 00ba:6f 00c1:41 00c3:41 00c4:41 00c5:41 00c6:41 00cc:49 00cd:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d5:4f 00d6:4f 00d7:58 00d8:4f 00da:55 00dd:59 00de:54 00e1:61 00e3:61 00e4:61 00e5:61 00e6:61 00ec:69 00ed:69 00f0:64 00f1:6e 00f2:6f 00f5:6f 00f6:6f 00f8:6f 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 
012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:22 02ba:27 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 0304:16 0305:16 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 
2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 - -865 (OEM - Nordic) -00a2:63 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00bb:3e 00be:33 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00da:55 00db:55 00dd:59 00de:54 00e3:61 00f0:64 00f5:6f 00fd:79 00fe:74 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 
2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 226b:3c 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 300b:3e 301a:5b 301b:5d 30fb:07 - -874 (ANSI/OEM - Thai) -00a7:15 00b6:14 203c:13 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -932 (ANSI/OEM - Japanese Shift-JIS) -00a1:21 
00a5:5c 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:64 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 - -936 (ANSI/OEM - Simplified Chinese GBK) -00a6:7c 00aa:61 00ad:2d 00b2:32 00b3:33 00b9:31 00ba:6f 00d0:44 00dd:59 00de:54 00e2:61 00f0:65 00fd:79 00fe:74 - -949 (ANSI/OEM - Korean) -00a6:7c 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 20a9:5c - -950 (ANSI/OEM - Traditional Chinese Big5) -00a1:21 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:65 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 - -65000 (UTF-7) - - -65001 (UTF-8) - - diff -Nru snort-2.8.5.2/rules/virus.rules snort-2.9.2/rules/virus.rules --- snort-2.8.5.2/rules/virus.rules 2012-02-14 11:37:23.000000000 
+0000
+++ snort-2.9.2/rules/virus.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,35 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: virus.rules,v 1.28.2.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $
-#------------
-# VIRUS RULES
-#------------
-#
-# We don't care about virus rules anymore. BUT, you people won't stop asking
-# us for virus rules. So... here ya go.
-#
-# There is now one rule that looks for any of the following attachment types:
-#
-# ade, adp, asd, asf, asx, bat, chm, cli, cmd, com, cpp, diz, dll, dot, emf,
-# eml, exe, hlp, hsq, hta, ini, js, jse, lnk, mda, mdb, mde, mdw, msi, msp,
-# nws, ocx, pif, pl, pm, pot, pps, ppt, reg, rtf, scr, shs, swf, sys, vb,
-# vbe, vbs, vcf, vxd, wmd, wmf, wms, wmz, wpd, wpm, wps, wpz, wsc, wsf, wsh,
-# xlt, xlw
-#
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND bad file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:721; rev:8;)
diff -Nru snort-2.8.5.2/rules/VRT-License.txt snort-2.9.2/rules/VRT-License.txt
--- snort-2.8.5.2/rules/VRT-License.txt 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/VRT-License.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,326 +0,0 @@ - SOURCEFIRE, INC. - VRT CERTIFIED RULES LICENSE AGREEMENT - VERSION 1.1 - -THE VRT CERTIFIED RULES ARE LICENSED TO YOU BY SOURCEFIRE, INC. -("SOURCEFIRE") UNDER THE TERMS OF THIS VRT CERTIFIED RULES LICENSE -AGREEMENT (THE "AGREEMENT"). BY CLICKING THE "ACCEPT" BUTTON BELOW, OR -BY INSTALLING OR USING THE VRT CERTIFIED RULES, YOU ARE CONSENTING TO BE -BOUND BY THIS AGREEMENT. IF YOU DO NOT AGREE TO THE TERMS AND -CONDITIONS OF THIS AGREEMENT, DO NOT CLICK THE "ACCEPT" BUTTON, AND DO -NOT INSTALL OR USE ANY PART OF THE VRT CERTIFIED RULES. - -1. Definitions. - - 1.1. "Commercial Purpose" means the use, reproduction or distribution of - (i) the VRT Certified Rules or any Modification, or any portion of the - foregoing, or (ii) a Compilation that includes, in whole or in part, the - VRT Certified Rules or any Modification that in either case is intended - to result in a direct or indirect pecuniary gain or any other - consideration or economic benefit to any person or entity involved in - such use, reproduction or distribution. Examples of a Commercial - Purpose, include without limitation, (v) integrating the VRT Certified - Rules with other software or hardware for sale, (w) licensing the VRT - Certified Rules for a fee, (x) using the VRT Certified Rules to provide - a service to a third party, (y) selling the VRT Certified Rules, or (z) - distributing the VRT Certified Rules for use with other products or - other services. - - 1.2. "Compilation" means a work which combines the VRT Certified Rules - or any Modification or portions thereof with any services, programs, - code or other products not governed by the terms of this Agreement. - - 1.3. "Improvements" shall mean a Modification to a VRT Certified Rule - (or to a modified VRT Certified Rule) that corrects a bug, defect, or - error in such rule without affecting the overall functionality of such - VRT Certified Rule (or Modification thereof). - - 1.4. 
"Modifications" means any alteration, addition to or deletion from - the substance or structure of the VRT Certified Rules or any - Modifications of such, including, without limitation, - - (a) any addition to or deletion from the contents of a file - containing a VRT Certified Rule or a Modification; - (b) any derivative of the VRT Certified Rule or of any Modification; - or - (c) any new file that contains any part of the VRT Certified Rule or - Modifications. - - 1.5. "Permitted Use" shall have the meaning given such term in Section 2.1. - - 1.6. "Restricted Activities" shall have the meaning given such term in - Section 2.1. - - 1.7. "Snort(r) Registered User" shall mean an individual who has - registered or subscribed on www.snort.org to use the VRT Certified Rules. - - 1.8. "VRT Certified Rules" means those Snort(r) rules (in text form, - source code form, object code form and all documentation related - thereto) that have been created, developed, tested and officially - approved by Sourcefire. These rules are designated with SIDs of 3465 - - 1,000,000, except as otherwise noted in the license file. - - 1.9. "You" (or "your") means an individual exercising rights under this - Agreement. For legal entities, "you'' includes any entity which - controls, is controlled by, or is under common control with you or any - such entity you are acting on behalf of. For purposes of this - definition, "control'' means (a) the power, direct or indirect, to cause - the direction or management of such entity, whether by contract or - otherwise, or (b) ownership of more than forty percent (40%) of the - outstanding shares or beneficial ownership of such entity. - -2. Sourcefire License Grant. - - 2.1. Grant of License; Permitted Use. 
Subject to the terms and - conditions of this Agreement, Sourcefire hereby grants you a world-wide, - non-exclusive license to do any of the following with respect to the VRT - Certified Rules: - - (a) use and deploy the VRT Certified Rules on management consoles and - sensors that you manage (over which you have administrative control); - - (b) use and deploy the VRT Certified Rules on behalf of your employer - on its internal management consoles and sensors (e.g., where a valid - employer-employee relationship exists between you and a legal entity); - - (c) modify the VRT Certified Rules and use those Modifications - consistent with paragraphs (a) and (b) above; - - (d) distribute those VRT Certified Rules and any Modifications - generally available to Snort(r) Registered Users on a limited basis - to other Snort(r) Registered Users; - - (e) distribute any Improvement generally available to Snort(r) - Registered Users on mailing lists commonly used by the Snort(r) user - community as a whole; - - (f) reproduce the VRT Certified Rules as strictly necessary in - exercising your rights under this Section 2.1; and - - (g) Make the VRT Certified Rules (or any Modification) available to - your or your employer's consultants, agents and subcontractors for - the limited purpose of exercising your rights under this Section 2.1 - provided that such use is in compliance with this Agreement. - - Paragraphs (a) though (g) of this Section 2.1 are collectively referred - to as the "Permitted Uses". All rights not granted under this Agreement - are reserved by Sourcefire. - - 2.2. Limitations on License; Restricted Activities. You recognize and - agree that the VRT Certified Rules are the property of Sourcefire, - contain valuable assets and proprietary information and property of - Sourcefire, and are provided to you under the terms and conditions of - this Agreement. 
Notwithstanding anything to the contrary in this - Agreement, You agree that you shall NOT do any of the following without - Sourcefire's prior written consent: - - (a) use, deploy, perform, modify, license, display, reproduce or - distribute the VRT Certified Rules or Modifications (even if merged - with other materials as a Compilation) other than as allowed under a - Permitted Use; - - (b) sell, license, transfer, rent, loan, use, modify, reproduce or - disclose the VRT Certified Rules or any Modifications (in whole or in - part and whether done independently or as part of a Compilation) for - a Commercial Purpose; - - (c) post or make generally available any VRT Certified Rule (in whole - or in part or any Modifications thereto) to individuals or a group of - individuals who have not agreed to the terms and conditions of this - Agreement, provided, however, that nothing in this Section 2.2(c) - shall preclude the Permitted Use in Section 2.1(e); - - (d) share any user authentication information and/or password - provided to you by Sourcefire with any third party to allow such - party access your snort.org account or to otherwise access the VRT - Certified Rules; - - (e) alter or remove any copyright notice or proprietary legend - contained in or on the VRT Certified Rules. - - Paragraphs (a) though (e) of this Section 2.2 are collectively referred - to as the "Restricted Activities"). - - 2.3. Reproduction Obligations. You agree that any embodiment of the VRT - Certified Rules permitted under this Agreement will contain the notices - set forth in Exhibit A. 
In addition, to the extent you make any copies - of or distribute the VRT Certified Rules or any Modifications under this - Agreement, you agree to ensure that any and all such copies shall contain: - - (a) a copy of an appropriate copyright notice and all other - applicable proprietary legends; - - (b) a disclaimer of any warranty consistent with this Agreement; and - - (c) any and all notices referencing this Agreement and absence of warranties. - -3. Modifications; Derivative Works. In the event you create a -Modification, the use, reproduction and distribution of such -Modifications shall be governed by the terms and conditions of this -Agreement. Additionally, you hereby grant Sourcefire and any other -licensee of the VRT Certified Rules an irrevocable, perpetual, fully -paid-up, world-wide, royalty-free, non-exclusive license to use, -reproduce, modify, display, perform and distribute such Modifications -(and the source code thereto), provided, however, that you and any -recipient of such Modifications must include: - - (a) the original copyright notice and all other applicable - proprietary legends; - - (b) the original warranty disclaimer; - - (c) the original notices referencing this Agreement and absence of - warranties; and - - (d) a prominent notice stating that you changed the VRT Certified - Rule (or any Modification thereto) and the date of any change. - -4. Distribution Obligations. - - 4.1. General. The source code version of the VRT Certified Rules (or - any Modification thereof) may be distributed only under the terms of - this Agreement, and you must include a copy of this Agreement with every - copy of the VRT Certified Rules you distribute. - - 4.2. Required Notices. You must duplicate the notice in Exhibit A in - each file of the source code. 
If it is not possible to put such notice - in a particular source code file due to its structure, then you must - include such notice in a location (such as a relevant directory) where a - user would be likely to look for such a notice. If you created one or - more Modification(s) you may add your name as a contributor to the - notice described in Exhibit A. You must also duplicate this Agreement in - any documentation for the source code where you describe recipients' - rights or ownership rights relating to the VRT Certified Rules. To the - extent you offer additional warranty, support, indemnity or liability - obligations, you may do so only on your own behalf, and not on behalf of - Sourcefire. You must make it absolutely clear that any such warranty, - support, indemnity or liability obligation is offered by you alone, and - you hereby agree to indemnify and hold Sourcefire harmless for any - liability incurred by Sourcefire as a result of any warranty, support, - indemnity or liability terms you offer. - -5. Inability to Comply Due to Statute or Regulation. If it is -impossible for you to comply with any of the terms of this Agreement -with respect to some or all of the VRT Certified Rules due to statute, -judicial order, or regulation then you must: (a) comply with the terms -of this Agreement to the maximum extent possible; and (b) describe the -limitations and the code they affect. Such description must be included -with all distributions of the source code. Except to the extent -prohibited by statute or regulation, such description must be -sufficiently detailed for a recipient of ordinary skill to be able to -understand it. - -6. Application of this Agreement. This Agreement also applies to code -to which Sourcefire has attached the notice in Exhibit A and to related -Modifications created under Section 3. - -7. Versions of the Agreement. - - 7.1. New Versions. Sourcefire may publish revised and/or new versions - of the Agreement from time to time. 
Each version will be given a - distinguishing version number. - - 7.2. Effect of New Versions. Once a VRT Certified Rule has been - published under a particular version of the Agreement, you may always - continue to use it under the terms of that version. You may also choose - to use such VRT Certified Rule under the terms of any subsequent version - of the Agreement published by Sourcefire. No one other than Sourcefire - has the right to modify the terms applicable to a VRT Certified Rule. - -8. DISCLAIMER OF WARRANTY. THE VRT CERTIFIED RULES AND MODIFICATIONS IS -ARE PROVIDED UNDER THIS AGREEMENT ON AN "AS IS" BASIS, WITHOUT WARRANTY -OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, -WARRANTIES THAT THE VRT CERTIFIED RULES OR THE MODIFICATIONS ARE FREE OF -DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR NON-INFRINGING. -THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE VRT CERTIFIED -RULES AND MODIFICATIONS IS WITH YOU. SHOULD THE VRT CERTIFIED RULES OR -MODIFICATIONS PROVE DEFECTIVE IN ANY RESPECT, YOU (NOT SOURCEFIRE) -ASSUME THE COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS -DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS AGREEMENT. -NO USE OF ANY VRT CERTIFIED RULE OR ANY MODIFICATION IS AUTHORIZED -HEREUNDER EXCEPT UNDER THIS DISCLAIMER. - -9. Termination. This Agreement and the rights granted hereunder will -terminate automatically if you fail to comply with any or all of the -terms herein and fail to cure such breach within 30 days of becoming -aware of the breach. All sublicenses to the VRT Certified Rules, which -are properly granted, shall survive any termination of this Agreement. -Provisions which, by their nature, must remain in effect beyond the -termination of this Agreement shall survive. - -10. LIMITATION OF LIABILITY. 
UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL -THEORY, WHETHER TORT (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE, -SHALL YOU OR SOURCEFIRE BE LIABLE TO ANY PERSON FOR ANY INDIRECT, -SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER -INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK -STOPPAGE, SECURITY BREACHES OR FAILURES, COMPUTER FAILURE OR -MALFUNCTION, OR ANY AND ALL OTHER DAMAGES OR LOSSES, EVEN IF SUCH PARTY -SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. THIS -LIMITATION OF LIABILITY SHALL NOT APPLY TO THE EXTENT APPLICABLE LAW -PROHIBITS SUCH LIMITATIONS. SOME JURISDICTIONS DO NOT ALLOW THE -EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS -EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. - -11. Audit Rights. You will, from time to time and as requested by -Sourcefire, provide assurances to Sourcefire that you are using the VRT -Certified Rules consistent with a Permitted Use, and you grant -Sourcefire access, at reasonable times and in a reasonable manner, to -the VRT Certified Rules in your possession or control, and to your -books, records and facilities to permit Sourcefire to verify appropriate -use of the VRT Certified Rules and compliance with this Agreement. -Sourcefire's non-exercise of this right, or its failure to discover or -object to any inappropriate use or other breach of this Agreement by -you, shall not constitute its consent thereto or waiver of Sourcefire's -rights hereunder or under law. 
In the event your use of the VRT -Certified Rules is not in compliance with a Permitted Use, or if you -otherwise violate the terms of this Agreement, Sourcefire may, since -remedies at law may be inadequate, in addition to its other remedies: -(a) demand return of the VRT Certified Rules; (b) forbid and enjoin your -further use of the VRT Certified Rules; (c) assess you the cost of -Sourcefire's inspection and enforcement efforts (including attorney -fees); and/or (d) assess you a use fee appropriate to your actual use of -the VRT Certified Rules. - -12. United States Government Users. If the VRT Certified Rules or -Modifications are being acquired by or on behalf of the U.S. Government -or by a U.S. Government prime contractor or subcontractor (at any tier), -then the Government's rights in the VRT Certified Rules and -Modifications shall be subject to Sourcefire's standard commercial terms -and only as set forth in this Agreement; and only with "Limited Rights" -and "Restricted Rights" as defined the federal regulations if the -commercial terms are deemed not to apply.. - -13. Miscellaneous. This Agreement represents the complete agreement -concerning subject matter hereof. If any provision of this Agreement is -held to be unenforceable, such provision shall be reformed only to the -extent necessary to make it enforceable. This Agreement shall be -governed by Maryland law provisions (except to the extent applicable -law, if any, provides otherwise), excluding its conflict-of-law -provisions. Any litigation relating to this Agreement shall be subject -to the jurisdiction of the state and Federal Courts serving Greenbelt, -Maryland, with the losing party responsible for costs, including without -limitation, court costs and reasonable attorneys' fees and expenses. -You hereby submit to jurisdiction and venue in such courts. The -application of the United Nations Convention on Contracts for the -International Sale of Goods is expressly excluded. 
Any law or regulation -which provides that the language of a contract shall be construed -against the drafter shall not apply to this Agreement. Headings and -section references are used for reference only and shall not be used -define, limit or describe such section. - -EXHIBIT A - VRT Certified Rules License Agreement -The contents of this file are subject to the VRT Certified Rules License -Agreement 1.1 (the "Agreement"). You may not use this file except in -compliance with the Agreement. You may obtain a copy of the Agreement -at www.snort.org. -Software distributed under the Agreement is distributed on an "AS IS" -basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the -Agreement for the specific language governing rights and limitations -under the Agreement. -The developer of the VRT Certified Rules is Sourcefire, Inc., a Delaware -corporation. -Contributor: -2005(c) Sourcefire, Inc. All Rights Reserved. Snort(r), Sourcefire(tm), -the Snort(r) logo and the Sourcefire logo are trademarks of Sourcefire. - -Note: A printer friendly version of this Agreement is available in PDF format. diff -Nru snort-2.8.5.2/rules/web-attacks.rules snort-2.9.2/rules/web-attacks.rules --- snort-2.8.5.2/rules/web-attacks.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/web-attacks.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,74 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: web-attacks.rules,v 1.18.2.2.2.1 2005/05/16 22:17:52 mwatchinski Exp $
-# ----------------
-# WEB ATTACKS
-# ----------------
-# These signatures are generic signatures that will catch common commands
-# used to exploit form variable vulnerabilities. These signatures should
-# not false very often.
-#
-# Please email example PCAP log dumps to snort-sigs@lists.sourceforge.net
-# if you find one of these signatures to be too false possitive.
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ps command attempt"; flow:to_server,established; uricontent:"/bin/ps"; nocase; classtype:web-application-attack; sid:1328; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps command attempt"; flow:to_server,established; uricontent:"ps%20"; nocase; classtype:web-application-attack; sid:1329; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS wget command attempt"; flow:to_server,established; content:"wget%20"; nocase; classtype:web-application-attack; reference:bugtraq,10361; sid:1330; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS uname -a command attempt"; flow:to_server,established; content:"uname%20-a"; nocase; classtype:web-application-attack; sid:1331; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/id command attempt"; flow:to_server,established; content:"/usr/bin/id"; nocase; classtype:web-application-attack; sid:1332; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS id command attempt"; flow:to_server,established; content:"|3B|id"; nocase; classtype:web-application-attack; sid:1333; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS echo command attempt"; flow:to_server,established; content:"/bin/echo"; nocase; classtype:web-application-attack; sid:1334; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS kill command attempt"; flow:to_server,established; content:"/bin/kill"; nocase; classtype:web-application-attack; sid:1335; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chmod command attempt"; flow:to_server,established; content:"/bin/chmod"; nocase; classtype:web-application-attack; sid:1336; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chgrp command
attempt"; flow:to_server,established; content:"/chgrp"; nocase; classtype:web-application-attack; sid:1337; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chown command attempt"; flow:to_server,established; content:"/chown"; nocase; classtype:web-application-attack; sid:1338; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chsh command attempt"; flow:to_server,established; content:"/usr/bin/chsh"; nocase; classtype:web-application-attack; sid:1339; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS tftp command attempt"; flow:to_server,established; content:"tftp%20"; nocase; classtype:web-application-attack; sid:1340; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/gcc command attempt"; flow:to_server,established; content:"/usr/bin/gcc"; nocase; classtype:web-application-attack; sid:1341; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS gcc command attempt"; flow:to_server,established; content:"gcc%20-o"; nocase; classtype:web-application-attack; sid:1342; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/cc command attempt"; flow:to_server,established; content:"/usr/bin/cc"; nocase; classtype:web-application-attack; sid:1343; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS cc command attempt"; flow:to_server,established; content:"cc%20"; nocase; classtype:web-application-attack; sid:1344; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/cpp command attempt"; flow:to_server,established; content:"/usr/bin/cpp"; nocase; classtype:web-application-attack; sid:1345; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS cpp command attempt"; flow:to_server,established; content:"cpp%20"; nocase; classtype:web-application-attack; sid:1346;
rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/g++ command attempt"; flow:to_server,established; content:"/usr/bin/g++"; nocase; classtype:web-application-attack; sid:1347; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS g++ command attempt"; flow:to_server,established; content:"g++%20"; nocase; classtype:web-application-attack; sid:1348; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/python access attempt"; flow:to_server,established; content:"bin/python"; nocase; classtype:web-application-attack; sid:1349; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS python access attempt"; flow:to_server,established; content:"python%20"; nocase; classtype:web-application-attack; sid:1350; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/tclsh execution attempt"; flow:to_server,established; content:"bin/tclsh"; nocase; classtype:web-application-attack; sid:1351; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS tclsh execution attempt"; flow:to_server,established; content:"tclsh8%20"; nocase; classtype:web-application-attack; sid:1352; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/nasm command attempt"; flow:to_server,established; content:"bin/nasm"; nocase; classtype:web-application-attack; sid:1353; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nasm command attempt"; flow:to_server,established; content:"nasm%20"; nocase; classtype:web-application-attack; sid:1354; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/perl execution attempt"; flow:to_server,established; content:"/usr/bin/perl"; nocase; classtype:web-application-attack; sid:1355; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS
perl execution attempt"; flow:to_server,established; content:"perl%20"; nocase; classtype:web-application-attack; sid:1356; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nt admin addition attempt"; flow:to_server,established; content:"net localgroup administrators /add"; nocase; classtype:web-application-attack; sid:1357; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS traceroute command attempt"; flow:to_server,established; content:"traceroute%20"; nocase; classtype:web-application-attack; sid:1358; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ping command attempt"; flow:to_server,established; content:"/bin/ping"; nocase; classtype:web-application-attack; sid:1359; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS netcat command attempt"; flow:to_server,established; content:"nc%20"; nocase; classtype:web-application-attack; sid:1360; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nmap command attempt"; flow:to_server,established; content:"nmap%20"; nocase; classtype:web-application-attack; sid:1361; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS xterm command attempt"; flow:to_server,established; content:"/usr/X11R6/bin/xterm"; nocase; classtype:web-application-attack; sid:1362; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS X application to remote host attempt"; flow:to_server,established; content:"%20-display%20"; nocase; classtype:web-application-attack; sid:1363; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS lsof command attempt"; flow:to_server,established; content:"lsof%20"; nocase; classtype:web-application-attack; sid:1364; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS rm command attempt"; flow:to_server,established;
content:"rm%20"; nocase; classtype:web-application-attack; sid:1365; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"/bin/mail"; nocase; classtype:web-application-attack; sid:1366; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"mail%20"; nocase; classtype:web-application-attack; sid:1367; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ls| command attempt"; flow:to_server,established; uricontent:"/bin/ls|7C|"; nocase; classtype:web-application-attack; sid:1368; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ls command attempt"; flow:to_server,established; uricontent:"/bin/ls"; nocase; classtype:web-application-attack; sid:1369; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/inetd.conf access"; flow:to_server,established; content:"/etc/inetd.conf"; nocase; classtype:web-application-activity; sid:1370; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/motd access"; flow:to_server,established; content:"/etc/motd"; nocase; classtype:web-application-activity; sid:1371; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/shadow access"; flow:to_server,established; content:"/etc/shadow"; nocase; classtype:web-application-activity; sid:1372; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS conf/httpd.conf attempt"; flow:to_server,established; content:"conf/httpd.conf"; nocase; classtype:web-application-activity; sid:1373; rev:6;)
diff -Nru snort-2.8.5.2/rules/web-cgi.rules snort-2.9.2/rules/web-cgi.rules
--- snort-2.8.5.2/rules/web-cgi.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/web-cgi.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,396 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: web-cgi.rules,v 1.77.2.7.2.6 2005/07/22 19:19:54 mwatchinski Exp $
-#--------------
-# WEB-CGI RULES
-#--------------
-#
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI HyperSeek hsx.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/hsx.cgi"; content:"../../"; content:"%00"; distance:1; reference:bugtraq,2314; reference:cve,2001-0253; reference:nessus,10602; classtype:web-application-attack; sid:803; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI HyperSeek hsx.cgi access"; flow:to_server,established; uricontent:"/hsx.cgi"; reference:bugtraq,2314; reference:cve,2001-0253; reference:nessus,10602; classtype:web-application-activity; sid:1607; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SWSoft ASPSeek Overflow attempt"; flow:to_server,established; uricontent:"/s.cgi"; nocase; content:"tmpl="; reference:bugtraq,2492; reference:cve,2001-0476; classtype:web-application-attack; sid:804; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webspeed access"; flow:to_server,established; uricontent:"/wsisa.dll/WService="; nocase; content:"WSMadmin"; nocase; reference:arachnids,467; reference:bugtraq,969; reference:cve,2000-0127; reference:nessus,10304; classtype:attempted-user; sid:805; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI yabb directory traversal attempt"; flow:to_server,established; uricontent:"/YaBB"; nocase; content:"../"; reference:arachnids,462; reference:bugtraq,1668; reference:cve,2000-0853; classtype:attempted-recon; sid:806; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI yabb access"; flow:to_server,established; uricontent:"/YaBB"; nocase; reference:arachnids,462; reference:bugtraq,1668; reference:cve,2000-0853; classtype:attempted-recon; sid:1637; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /wwwboard/passwd.txt access"; flow:to_server,established; uricontent:"/wwwboard/passwd.txt"; nocase; reference:arachnids,463; reference:bugtraq,649; reference:cve,1999-0953; reference:cve,1999-0954; reference:nessus,10321; classtype:attempted-recon; sid:807; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webdriver access"; flow:to_server,established; uricontent:"/webdriver"; nocase; reference:arachnids,473; reference:bugtraq,2166; reference:nessus,10592; classtype:attempted-recon; sid:808; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI whois_raw.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/whois_raw.cgi?"; content:"|0A|"; reference:arachnids,466; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; classtype:web-application-attack; sid:809; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI whois_raw.cgi access"; flow:to_server,established; uricontent:"/whois_raw.cgi";
reference:arachnids,466; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; classtype:attempted-recon; sid:810; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI websitepro path access"; flow:to_server,established; content:" /HTTP/1."; nocase; reference:arachnids,468; reference:bugtraq,932; reference:cve,2000-0066; classtype:attempted-recon; sid:811; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webplus version access"; flow:to_server,established; uricontent:"/webplus?about"; nocase; reference:arachnids,470; reference:bugtraq,1102; reference:cve,2000-0282; classtype:attempted-recon; sid:812; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webplus directory traversal"; flow:to_server,established; uricontent:"/webplus?script"; nocase; content:"../"; reference:arachnids,471; reference:bugtraq,1102; reference:cve,2000-0282; classtype:web-application-attack; sid:813; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI websendmail access"; flow:to_server,established; uricontent:"/websendmail"; nocase; reference:arachnids,469; reference:bugtraq,2077; reference:cve,1999-0196; reference:nessus,10301; classtype:attempted-recon; sid:815; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcforum.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/dcforum.cgi"; content:"forum=../.."; reference:bugtraq,2611; reference:cve,2001-0436; reference:cve,2001-0437; classtype:web-application-attack; sid:1571; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcforum.cgi access"; flow:to_server,established; uricontent:"/dcforum.cgi"; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:818; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcboard.cgi invalid user addition attempt";
flow:to_server,established; uricontent:"/dcboard.cgi"; content:"command=register"; content:"%7cadmin"; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:web-application-attack; sid:817; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcboard.cgi access"; flow:to_server,established; uricontent:"/dcboard.cgi"; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:1410; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mmstdod.cgi access"; flow:to_server,established; uricontent:"/mmstdod.cgi"; nocase; reference:bugtraq,2063; reference:cve,2001-0021; reference:nessus,10566; classtype:attempted-recon; sid:819; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI anaconda directory transversal attempt"; flow:to_server,established; uricontent:"/apexec.pl"; content:"template=../"; nocase; reference:bugtraq,2338; reference:bugtraq,2388; reference:cve,2000-0975; reference:cve,2001-0308; classtype:web-application-attack; sid:820; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI imagemap.exe overflow attempt"; flow:to_server,established; uricontent:"/imagemap.exe?"; nocase; reference:arachnids,412; reference:bugtraq,739; reference:cve,1999-0951; reference:nessus,10122; classtype:web-application-attack; sid:821; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI imagemap.exe access"; flow:to_server,established; uricontent:"/imagemap.exe"; nocase; reference:arachnids,412; reference:bugtraq,739; reference:cve,1999-0951; reference:nessus,10122; classtype:web-application-activity; sid:1700; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cvsweb.cgi access"; flow:to_server,established; uricontent:"/cvsweb.cgi"; nocase; reference:bugtraq,1469; reference:cve,2000-0670; reference:nessus,10465; classtype:attempted-recon;
sid:823; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI php.cgi access"; flow:to_server,established; uricontent:"/php.cgi"; nocase; reference:arachnids,232; reference:bugtraq,2250; reference:bugtraq,712; reference:cve,1999-0238; reference:cve,1999-058; reference:nessus,10178; classtype:attempted-recon; sid:824; rev:13;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI glimpse access"; flow:to_server,established; uricontent:"/glimpse"; nocase; reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095; classtype:attempted-recon; sid:825; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htmlscript attempt"; flow:to_server,established; uricontent:"/htmlscript?../.."; nocase; reference:bugtraq,2001; reference:cve,1999-0264; reference:nessus,10106; classtype:web-application-attack; sid:1608; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htmlscript access"; flow:to_server,established; uricontent:"/htmlscript"; nocase; reference:bugtraq,2001; reference:cve,1999-0264; reference:nessus,10106; classtype:attempted-recon; sid:826; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI info2www access"; flow:to_server,established; uricontent:"/info2www"; nocase; reference:bugtraq,1995; reference:cve,1999-0266; reference:nessus,10127; classtype:attempted-recon; sid:827; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI maillist.pl access"; flow:to_server,established; uricontent:"/maillist.pl"; nocase; classtype:attempted-recon; sid:828; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nph-test-cgi access"; flow:to_server,established; uricontent:"/nph-test-cgi"; nocase; reference:arachnids,224; reference:bugtraq,686; reference:cve,1999-0045; reference:nessus,10165; classtype:attempted-recon; sid:829; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
$HTTP_PORTS (msg:"WEB-CGI NPH-publish access"; flow:to_server,established; uricontent:"/nph-maillist.pl"; nocase; reference:bugtraq,2563; reference:cve,2001-0400; classtype:attempted-recon; sid:1451; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI NPH-publish access"; flow:to_server,established; uricontent:"/nph-publish"; nocase; reference:cve,1999-1177; reference:nessus,10164; classtype:attempted-recon; sid:830; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rguest.exe access"; flow:to_server,established; uricontent:"/rguest.exe"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,1999-0467; classtype:attempted-recon; sid:833; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rwwwshell.pl access"; flow:to_server,established; uricontent:"/rwwwshell.pl"; nocase; reference:url,www.itsecurity.com/papers/p37.htm; classtype:attempted-recon; sid:834; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test-cgi attempt"; flow:to_server,established; uricontent:"/test-cgi/*?*"; nocase; reference:arachnids,218; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:web-application-attack; sid:1644; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test-cgi access"; flow:to_server,established; uricontent:"/test-cgi"; nocase; reference:arachnids,218; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:attempted-recon; sid:835; rev:9;)
-# testcgi is *one* of many scripts to look for. this *ALSO* triggers on testcgi.exe.
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI testcgi access"; flow:to_server,established; uricontent:"/testcgi"; nocase; reference:bugtraq,7214; reference:nessus,11610; classtype:web-application-activity; sid:1645; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test.cgi access"; flow:to_server,established; uricontent:"/test.cgi"; nocase; classtype:web-application-activity; sid:1646; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI textcounter.pl access"; flow:to_server,established; uricontent:"/textcounter.pl"; nocase; reference:bugtraq,2265; reference:cve,1999-1479; reference:nessus,11451; classtype:attempted-recon; sid:836; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI uploader.exe access"; flow:to_server,established; uricontent:"/uploader.exe"; nocase; reference:bugtraq,1611; reference:cve,1999-0177; reference:cve,2000-0769; reference:nessus,10291; classtype:attempted-recon; sid:837; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webgais access"; flow:to_server,established; uricontent:"/webgais"; nocase; reference:arachnids,472; reference:bugtraq,2058; reference:cve,1999-0176; reference:nessus,10300; classtype:attempted-recon; sid:838; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI finger access"; flow:to_server,established; uricontent:"/finger"; nocase; reference:arachnids,221; reference:cve,1999-0612; reference:nessus,10071; classtype:attempted-recon; sid:839; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perlshop.cgi access"; flow:to_server,established; uricontent:"/perlshop.cgi"; nocase; reference:cve,1999-1374; classtype:attempted-recon; sid:840; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pfdisplay.cgi access"; flow:to_server,established; uricontent:"/pfdispaly.cgi"; nocase; reference:bugtraq,64;
reference:cve,1999-0270; reference:nessus,10174; classtype:attempted-recon; sid:841; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI aglimpse access"; flow:to_server,established; uricontent:"/aglimpse"; nocase; reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095; classtype:attempted-recon; sid:842; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI anform2 access"; flow:to_server,established; uricontent:"/AnForm2"; nocase; reference:arachnids,225; reference:bugtraq,719; reference:cve,1999-0066; classtype:attempted-recon; sid:843; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI args.bat access"; flow:to_server,established; uricontent:"/args.bat"; nocase; reference:cve,1999-1180; reference:nessus,11465; classtype:attempted-recon; sid:844; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI args.cmd access"; flow:to_server,established; uricontent:"/args.cmd"; nocase; reference:cve,1999-1180; reference:nessus,11465; classtype:attempted-recon; sid:1452; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AT-admin.cgi access"; flow:to_server,established; uricontent:"/AT-admin.cgi"; nocase; reference:cve,1999-1072; classtype:attempted-recon; sid:845; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AT-generated.cgi access"; flow:to_server,established; uricontent:"/AT-generated.cgi"; nocase; reference:cve,1999-1072; classtype:attempted-recon; sid:1453; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bnbform.cgi access"; flow:to_server,established; uricontent:"/bnbform.cgi"; nocase; reference:bugtraq,2147; reference:cve,1999-0937; classtype:attempted-recon; sid:846; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI campas access"; flow:to_server,established; uricontent:"/campas"; nocase; reference:bugtraq,1975;
reference:cve,1999-0146; reference:nessus,10035; classtype:attempted-recon; sid:847; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view-source directory traversal"; flow:to_server,established; uricontent:"/view-source"; nocase; content:"../"; nocase; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:web-application-attack; sid:848; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view-source access"; flow:to_server,established; uricontent:"/view-source"; nocase; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:attempted-recon; sid:849; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wais.pl access"; flow:to_server,established; uricontent:"/wais.pl"; nocase; classtype:attempted-recon; sid:850; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wwwwais access"; flow:to_server,established; uricontent:"/wwwwais"; nocase; reference:cve,2001-0223; reference:nessus,10597; classtype:attempted-recon; sid:1454; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI files.pl access"; flow:to_server,established; uricontent:"/files.pl"; nocase; reference:cve,1999-1081; classtype:attempted-recon; sid:851; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wguest.exe access"; flow:to_server,established; uricontent:"/wguest.exe"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,1999-0467; classtype:attempted-recon; sid:852; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wrap access"; flow:to_server,established; uricontent:"/wrap"; reference:arachnids,234; reference:bugtraq,373; reference:cve,1999-0149; reference:nessus,10317; classtype:attempted-recon; sid:853; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI classifieds.cgi access";
flow:to_server,established; uricontent:"/classifieds.cgi"; nocase; reference:bugtraq,2020; reference:cve,1999-0934; classtype:attempted-recon; sid:854; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI environ.cgi access"; flow:to_server,established; uricontent:"/environ.cgi"; nocase; classtype:attempted-recon; sid:856; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey access"; flow:to_server,established; uricontent:"/faxsurvey"; nocase; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-activity; sid:857; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI filemail access"; flow:to_server,established; uricontent:"/filemail.pl"; nocase; reference:cve,1999-1154; classtype:attempted-recon; sid:858; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI man.sh access"; flow:to_server,established; uricontent:"/man.sh"; nocase; reference:bugtraq,2276; reference:cve,1999-1179; classtype:attempted-recon; sid:859; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI snork.bat access"; flow:to_server,established; uricontent:"/snork.bat"; nocase; reference:arachnids,220; reference:bugtraq,1053; reference:cve,2000-0169; classtype:attempted-recon; sid:860; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3-msql access"; flow:to_server,established; uricontent:"/w3-msql/"; nocase; reference:arachnids,210; reference:bugtraq,591; reference:bugtraq,898; reference:cve,1999-0276; reference:cve,1999-0753; reference:cve,2000-0012; reference:nessus,10296; classtype:attempted-recon; sid:861; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI day5datacopier.cgi access"; flow:to_server,established; uricontent:"/day5datacopier.cgi"; nocase; reference:cve,1999-1232; classtype:attempted-recon; sid:863; rev:7;)
-alert tcp $EXTERNAL_NET
any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI day5datanotifier.cgi access"; flow:to_server,established; uricontent:"/day5datanotifier.cgi"; nocase; reference:cve,1999-1232; classtype:attempted-recon; sid:864; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI post-query access"; flow:to_server,established; uricontent:"/post-query"; nocase; reference:bugtraq,6752; reference:cve,2001-0291; classtype:attempted-recon; sid:866; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI visadmin.exe access"; flow:to_server,established; uricontent:"/visadmin.exe"; nocase; reference:bugtraq,1808; reference:cve,1999-0970; reference:cve,1999-1970; reference:nessus,10295; classtype:attempted-recon; sid:867; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dumpenv.pl access"; flow:to_server,established; uricontent:"/dumpenv.pl"; nocase; reference:cve,1999-1178; reference:nessus,10060; classtype:attempted-recon; sid:869; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar_admin.pl arbitrary command execution attempt"; flow:to_server,established; uricontent:"/calendar_admin.pl?config=|7C|"; reference:cve,2000-0432; classtype:web-application-attack; sid:1536; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar_admin.pl access"; flow:to_server,established; uricontent:"/calendar_admin.pl"; reference:cve,2000-0432; classtype:web-application-activity; sid:1537; rev:6;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calender_admin.pl access"; flow:to_server,established; uricontent:"/calender_admin.pl"; nocase; reference:cve,2000-0432; classtype:attempted-recon; sid:1456; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar-admin.pl access"; flow:to_server,established; uricontent:"/calendar-admin.pl"; nocase; reference:bugtraq,1215; classtype:web-application-activity;
sid:1701; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar.pl access"; flow:to_server,established; uricontent:"calendar"; nocase; pcre:"/calendar(|[-_]admin)\.pl/Ui"; reference:bugtraq,1215; reference:cve,2000-0432; classtype:attempted-recon; sid:1455; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar access"; flow:to_server,established; uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI user_update_admin.pl access"; flow:to_server,established; uricontent:"/user_update_admin.pl"; nocase; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1457; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI user_update_passwd.pl access"; flow:to_server,established; uricontent:"/user_update_passwd.pl"; nocase; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1458; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI snorkerz.cmd access"; flow:to_server,established; uricontent:"/snorkerz.cmd"; nocase; classtype:attempted-recon; sid:870; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI survey.cgi access"; flow:to_server,established; uricontent:"/survey.cgi"; nocase; reference:bugtraq,1817; reference:cve,1999-0936; classtype:attempted-recon; sid:871; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI scriptalias access"; flow:to_server,established; uricontent:"///"; reference:arachnids,227; reference:bugtraq,2300; reference:cve,1999-0236; classtype:attempted-recon; sid:873; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI win-c-sample.exe access"; flow:to_server,established; uricontent:"/win-c-sample.exe"; nocase; reference:arachnids,231; reference:bugtraq,2078; reference:cve,1999-0178;
reference:nessus,10008; classtype:attempted-recon; sid:875; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3tvars.pm access"; flow:to_server,established; uricontent:"/w3tvars.pm"; nocase; classtype:attempted-recon; sid:878; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI admin.pl access"; flow:to_server,established; uricontent:"/admin.pl"; nocase; reference:bugtraq,3839; reference:url,online.securityfocus.com/archive/1/249355; classtype:attempted-recon; sid:879; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI LWGate access"; flow:to_server,established; uricontent:"/LWGate"; nocase; reference:url,www.netspace.org/~dwb/lwgate/lwgate-history.html; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:880; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI archie access"; flow:to_server,established; uricontent:"/archie"; nocase; classtype:attempted-recon; sid:881; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI flexform access"; flow:to_server,established; uricontent:"/flexform"; nocase; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:883; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI formmail arbitrary command execution attempt"; flow:to_server,established; uricontent:"/formmail"; nocase; content:"%0a"; nocase; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-attack; sid:1610; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI formmail access"; flow:to_server,established; uricontent:"/formmail"; nocase; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411;
reference:nessus,10076; reference:nessus,10782; classtype:web-application-activity; sid:884; rev:14;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf arbitrary command execution attempt"; flow:to_server,established; uricontent:"/phf"; nocase; content:"QALIAS"; nocase; content:"%0a"; reference:arachnids,128; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-attack; sid:1762; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf access"; flow:to_server,established; uricontent:"/phf"; nocase; reference:arachnids,128; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-activity; sid:886; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI www-sql access"; flow:to_server,established; uricontent:"/www-sql"; nocase; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2; classtype:attempted-recon; sid:887; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wwwadmin.pl access"; flow:to_server,established; uricontent:"/wwwadmin.pl"; nocase; classtype:attempted-recon; sid:888; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ppdscgi.exe access"; flow:to_server,established; uricontent:"/ppdscgi.exe"; nocase; reference:bugtraq,491; reference:nessus,10187; reference:url,online.securityfocus.com/archive/1/16878; classtype:attempted-recon; sid:889; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sendform.cgi access"; flow:to_server,established; uricontent:"/sendform.cgi"; nocase; reference:bugtraq,5286; reference:cve,2002-0710; reference:url,www.scn.org/help/sendform.txt; classtype:attempted-recon; sid:890; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI upload.pl access"; flow:to_server,established; uricontent:"/upload.pl"; nocase; classtype:attempted-recon; sid:891; rev:5;)
-alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AnyForm2 access"; flow:to_server,established; uricontent:"/AnyForm2"; nocase; reference:bugtraq,719; reference:cve,1999-0066; reference:nessus,10277; classtype:attempted-recon; sid:892; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI MachineInfo access"; flow:to_server,established; uricontent:"/MachineInfo"; nocase; reference:cve,1999-1067; classtype:attempted-recon; sid:893; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hist.sh attempt"; flow:to_server,established; uricontent:"/bb-hist.sh?HISTFILE=../.."; nocase; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:web-application-attack; sid:1531; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hist.sh access"; flow:to_server,established; uricontent:"/bb-hist.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:894; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-histlog.sh access"; flow:to_server,established; uricontent:"/bb-histlog.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:1459; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-histsvc.sh access"; flow:to_server,established; uricontent:"/bb-histsvc.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1460; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hostscv.sh attempt"; flow:to_server,established; uricontent:"/bb-hostsvc.sh?HOSTSVC?../.."; nocase; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:web-application-attack; sid:1532; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hostscv.sh access"; flow:to_server,established;
uricontent:"/bb-hostsvc.sh"; nocase; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:web-application-activity; sid:1533; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-rep.sh access"; flow:to_server,established; uricontent:"/bb-rep.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1461; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-replog.sh access"; flow:to_server,established; uricontent:"/bb-replog.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1462; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI redirect access"; flow:to_server,established; uricontent:"/redirect"; nocase; reference:bugtraq,1179; reference:cve,2000-0382; classtype:attempted-recon; sid:895; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wayboard attempt"; flow:to_server,established; uricontent:"/way-board/way-board.cgi"; content:"db="; content:"../.."; nocase; reference:bugtraq,2370; reference:cve,2001-0214; classtype:web-application-attack; sid:1397; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI way-board access"; flow:to_server,established; uricontent:"/way-board"; nocase; reference:bugtraq,2370; reference:cve,2001-0214; reference:nessus,10610; classtype:web-application-activity; sid:896; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pals-cgi arbitrary file access attempt"; flow:to_server,established; uricontent:"/pals-cgi"; nocase; content:"documentName="; reference:bugtraq,2372; reference:cve,2001-0217; reference:nessus,10611; classtype:web-application-attack; sid:1222; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pals-cgi access"; flow:to_server,established; uricontent:"/pals-cgi"; nocase; reference:bugtraq,2372;
reference:cve,2001-0216; reference:cve,2001-0217; reference:nessus,10611; classtype:attempted-recon; sid:897; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI commerce.cgi arbitrary file access attempt"; flow:to_server,established; uricontent:"/commerce.cgi"; content:"page="; content:"/../"; nocase; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:1572; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI commerce.cgi access"; flow:to_server,established; uricontent:"/commerce.cgi"; nocase; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:898; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Amaya templates sendtemp.pl directory traversal attempt"; flow:to_server,established; uricontent:"/sendtemp.pl"; nocase; content:"templ="; nocase; reference:bugtraq,2504; reference:cve,2001-0272; classtype:web-application-attack; sid:899; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Amaya templates sendtemp.pl access"; flow:to_server,established; uricontent:"/sendtemp.pl"; nocase; reference:bugtraq,2504; reference:cve,2001-0272; classtype:web-application-activity; sid:1702; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webspirs.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/webspirs.cgi"; nocase; content:"../../"; nocase; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:web-application-attack; sid:900; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webspirs.cgi access"; flow:to_server,established; uricontent:"/webspirs.cgi"; nocase; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:attempted-recon; sid:901; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI
tstisapi.dll access"; flow:to_server,established; uricontent:"tstisapi.dll"; nocase; reference:bugtraq,2381; reference:cve,2001-0302; classtype:attempted-recon; sid:902; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sendmessage.cgi access"; flow:to_server,established; uricontent:"/sendmessage.cgi"; nocase; reference:bugtraq,3673; reference:cve,2001-1100; classtype:attempted-recon; sid:1308; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI lastlines.cgi access"; flow:to_server,established; uricontent:"/lastlines.cgi"; nocase; reference:bugtraq,3754; reference:bugtraq,3755; reference:cve,2001-1205; reference:cve,2001-1206; classtype:attempted-recon; sid:1392; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI zml.cgi attempt"; flow:to_server,established; uricontent:"/zml.cgi"; content:"file=../"; reference:bugtraq,3759; reference:cve,2001-1209; classtype:web-application-activity; sid:1395; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI zml.cgi access"; flow:to_server,established; uricontent:"/zml.cgi"; reference:bugtraq,3759; reference:cve,2001-1209; classtype:web-application-activity; sid:1396; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AHG search.cgi access"; flow:to_server,established; uricontent:"/publisher/search.cgi"; nocase; content:"template="; nocase; reference:bugtraq,3985; classtype:web-application-activity; sid:1405; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI agora.cgi attempt"; flow:to_server,established; uricontent:"/store/agora.cgi?cart_id=<SCRIPT>"; nocase; reference:bugtraq,3702; reference:bugtraq,3976; reference:cve,2001-1199; reference:cve,2002-0215; reference:nessus,10836; classtype:web-application-attack; sid:1534; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI agora.cgi access"; flow:to_server,established; 
uricontent:"/store/agora.cgi"; nocase; reference:bugtraq,3702; reference:bugtraq,3976; reference:cve,2001-1199; reference:cve,2002-0215; reference:nessus,10836; classtype:web-application-activity; sid:1406; rev:11;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rksh access"; flow:to_server,established; uricontent:"/rksh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:877; rev:8;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bash access"; flow:to_server,established; uricontent:"/bash"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:web-application-activity; sid:885; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perl.exe command attempt"; flow:to_server,established; uricontent:"/perl.exe?"; nocase; reference:arachnids,219; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1648; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perl.exe access"; flow:to_server,established; uricontent:"/perl.exe"; nocase; reference:arachnids,219; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:832; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perl command attempt"; flow:to_server,established; uricontent:"/perl?"; nocase; reference:arachnids,219; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1649; rev:7;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI zsh access"; flow:to_server,established; uricontent:"/zsh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; 
sid:1309; rev:9;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csh access"; flow:to_server,established; uricontent:"/csh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:862; rev:9;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI tcsh access"; flow:to_server,established; uricontent:"/tcsh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:872; rev:9;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rsh access"; flow:to_server,established; uricontent:"/rsh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:868; rev:9;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ksh access"; flow:to_server,established; uricontent:"/ksh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:865; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI auktion.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/auktion.cgi"; nocase; content:"menue=../../"; nocase; reference:bugtraq,2367; reference:cve,2001-0212; reference:nessus,10638; classtype:web-application-attack; sid:1703; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI auktion.cgi access"; flow:to_server,established; uricontent:"/auktion.cgi"; nocase; reference:bugtraq,2367; reference:cve,2001-0212; reference:nessus,10638; classtype:web-application-activity; sid:1465; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgiforum.pl attempt"; flow:to_server,established; uricontent:"/cgiforum.pl?thesection=../.."; nocase; reference:bugtraq,1963; reference:cve,2000-1171; reference:nessus,10552; classtype:web-application-attack; sid:1573; rev:6;) 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgiforum.pl access"; flow:to_server,established; uricontent:"/cgiforum.pl"; nocase; reference:bugtraq,1963; reference:cve,2000-1171; reference:nessus,10552; classtype:web-application-activity; sid:1466; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI directorypro.cgi attempt"; flow:to_server,established; uricontent:"/directorypro.cgi"; content:"show="; content:"../.."; distance:1; nocase; reference:bugtraq,2793; reference:cve,2001-0780; classtype:web-application-attack; sid:1574; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI directorypro.cgi access"; flow:to_server,established; uricontent:"/directorypro.cgi"; nocase; reference:bugtraq,2793; reference:cve,2001-0780; classtype:web-application-activity; sid:1467; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Web Shopper shopper.cgi attempt"; flow:to_server,established; uricontent:"/shopper.cgi"; nocase; content:"newpage=../"; nocase; reference:bugtraq,1776; reference:cve,2000-0922; classtype:web-application-attack; sid:1468; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Web Shopper shopper.cgi access"; flow:to_server,established; uricontent:"/shopper.cgi"; nocase; reference:bugtraq,1776; reference:cve,2000-0922; classtype:attempted-recon; sid:1469; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI listrec.pl access"; flow:to_server,established; uricontent:"/listrec.pl"; nocase; reference:bugtraq,3328; reference:cve,2001-0997; classtype:attempted-recon; sid:1470; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailnews.cgi access"; flow:to_server,established; uricontent:"/mailnews.cgi"; nocase; reference:bugtraq,2391; reference:cve,2001-0271; reference:nessus,10641; classtype:attempted-recon; sid:1471; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"WEB-CGI book.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/book.cgi"; nocase; content:"current=|7C|"; nocase; reference:bugtraq,3178; reference:cve,2001-1114; reference:nessus,10721; classtype:web-application-attack; sid:1879; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI book.cgi access"; flow:to_server,established; uricontent:"/book.cgi"; nocase; reference:bugtraq,3178; reference:cve,2001-1114; reference:nessus,10721; classtype:web-application-activity; sid:1472; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI newsdesk.cgi access"; flow:to_server,established; uricontent:"/newsdesk.cgi"; nocase; reference:bugtraq,2172; reference:cve,2001-0232; classtype:attempted-recon; sid:1473; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cal_make.pl directory traversal attempt"; flow:to_server,established; uricontent:"/cal_make.pl"; nocase; content:"p0=../../"; nocase; reference:bugtraq,2663; reference:cve,2001-0463; reference:nessus,10664; classtype:web-application-attack; sid:1704; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cal_make.pl access"; flow:to_server,established; uricontent:"/cal_make.pl"; nocase; reference:bugtraq,2663; reference:cve,2001-0463; reference:nessus,10664; classtype:web-application-activity; sid:1474; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailit.pl access"; flow:to_server,established; uricontent:"/mailit.pl"; nocase; reference:nessus,10417; classtype:attempted-recon; sid:1475; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sdbsearch.cgi access"; flow:to_server,established; uricontent:"/sdbsearch.cgi"; nocase; reference:bugtraq,1658; reference:cve,2001-1130; reference:nessus,10503; reference:nessus,10720; classtype:attempted-recon; sid:1476; rev:9;)
-alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI swc access"; flow:to_server,established; uricontent:"/swc"; nocase; reference:nessus,10493; classtype:attempted-recon; sid:1478; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ttawebtop.cgi arbitrary file attempt"; flow:to_server,established; uricontent:"/ttawebtop.cgi"; nocase; content:"pg=../"; nocase; reference:bugtraq,2890; reference:cve,2001-0805; reference:nessus,10696; classtype:web-application-attack; sid:1479; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ttawebtop.cgi access"; flow:to_server,established; uricontent:"/ttawebtop.cgi"; nocase; reference:bugtraq,2890; reference:cve,2001-0805; reference:nessus,10696; classtype:attempted-recon; sid:1480; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI upload.cgi access"; flow:to_server,established; uricontent:"/upload.cgi"; nocase; reference:nessus,10290; classtype:attempted-recon; sid:1481; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view_source access"; flow:to_server,established; uricontent:"/view_source"; nocase; reference:bugtraq,2251; reference:cve,1999-0174; reference:nessus,10294; classtype:attempted-recon; sid:1482; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ustorekeeper.pl directory traversal attempt"; flow:to_server,established; uricontent:"/ustorekeeper.pl"; nocase; content:"file=../../"; nocase; reference:bugtraq,2536; reference:cve,2001-0466; reference:nessus,10645; classtype:web-application-attack; sid:1730; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ustorekeeper.pl access"; flow:to_server,established; uricontent:"/ustorekeeper.pl"; nocase; reference:cve,2001-0466; reference:nessus,10645; classtype:web-application-activity; sid:1483; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI icat access"; 
flow:to_server,established; uricontent:"/icat"; reference:cve,1999-1069; classtype:web-application-activity; sid:1606; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Bugzilla doeditvotes.cgi access"; flow:to_server,established; uricontent:"/doeditvotes.cgi"; reference:bugtraq,3800; reference:cve,2002-0011; classtype:web-application-activity; sid:1617; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htsearch arbitrary configuration file attempt"; flow:to_server,established; uricontent:"/htsearch?-c"; nocase; reference:cve,2000-0208; classtype:web-application-attack; sid:1600; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htsearch arbitrary file read attempt"; flow:to_server,established; uricontent:"/htsearch?exclude=`"; nocase; reference:bugtraq,1026; reference:cve,2000-0208; reference:nessus,10105; classtype:web-application-attack; sid:1601; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htsearch access"; flow:to_server,established; uricontent:"/htsearch"; nocase; reference:bugtraq,1026; reference:cve,2000-0208; reference:nessus,10105; classtype:web-application-activity; sid:1602; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI a1stats a1disp3.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/a1disp3.cgi?/../../"; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-attack; sid:1501; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI a1stats a1disp3.cgi access"; flow:to_server,established; uricontent:"/a1disp3.cgi"; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-activity; sid:1502; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI a1stats access"; flow:to_server,established; uricontent:"/a1stats/"; reference:bugtraq,2705; 
reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-activity; sid:1731; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI admentor admin.asp access"; flow:to_server,established; uricontent:"/admentor/admin/admin.asp"; reference:bugtraq,4152; reference:cve,2002-0308; reference:nessus,10880; reference:url,www.securiteam.com/windowsntfocus/5DP0N1F6AW.html; classtype:web-application-activity; sid:1503; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alchemy http server PRN arbitrary command execution attempt"; flow:to_server,established; uricontent:"/PRN/../../"; reference:bugtraq,3599; reference:cve,2001-0871; classtype:web-application-activity; sid:1505; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alchemy http server NUL arbitrary command execution attempt"; flow:to_server,established; uricontent:"/NUL/../../"; reference:bugtraq,3599; reference:cve,2001-0871; classtype:web-application-activity; sid:1506; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alibaba.pl arbitrary command execution attempt"; flow:to_server,established; uricontent:"/alibaba.pl|7C|"; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10013; classtype:web-application-attack; sid:1507; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alibaba.pl access"; flow:to_server,established; uricontent:"/alibaba.pl"; reference:bugtraq,770; reference:cve ,CAN-1999-0885; reference:nessus,10013; classtype:web-application-activity; sid:1508; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AltaVista Intranet Search directory traversal attempt"; flow:to_server,established; uricontent:"/query?mss=.."; reference:bugtraq,896; reference:cve,2000-0039; reference:nessus,10015; classtype:web-application-attack; sid:1509; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-CGI test.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/test.bat|7C|"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1510; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test.bat access"; flow:to_server,established; uricontent:"/test.bat"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1511; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI input.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/input.bat|7C|"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1512; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI input.bat access"; flow:to_server,established; uricontent:"/input.bat"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1513; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI input2.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/input2.bat|7C|"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1514; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI input2.bat access"; flow:to_server,established; uricontent:"/input2.bat"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1515; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI envout.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/envout.bat|7C|"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1516; rev:10;)
-alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI envout.bat access"; flow:to_server,established; uricontent:"/envout.bat"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1517; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI echo.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/echo.bat"; content:"&"; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-attack; sid:1705; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI echo.bat access"; flow:to_server,established; uricontent:"/echo.bat"; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-activity; sid:1706; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI hello.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/hello.bat"; content:"&"; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-attack; sid:1707; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI hello.bat access"; flow:to_server,established; uricontent:"/hello.bat"; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-activity; sid:1708; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI tst.bat access"; flow:to_server,established; uricontent:"/tst.bat"; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10014; classtype:web-application-activity; sid:1650; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-bin/ls access"; flow:to_server,established; uricontent:"/cgi-bin/ls"; nocase; reference:bugtraq,936; reference:cve,2000-0079; classtype:web-application-activity; sid:1539; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI 
cgimail access"; flow:to_server,established; uricontent:"/cgimail"; nocase; reference:bugtraq,1623; reference:cve,2000-0726; reference:nessus,11721; classtype:web-application-activity; sid:1542; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgiwrap access"; flow:to_server,established; uricontent:"/cgiwrap"; nocase; reference:bugtraq,1238; reference:bugtraq,3084; reference:bugtraq,777; reference:cve,1999-1530; reference:cve,2000-0431; reference:cve,2001-0987; reference:nessus,10041; classtype:web-application-activity; sid:1543; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csSearch.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/csSearch.cgi"; content:"setup="; content:"`"; content:"`"; distance:1; reference:bugtraq,4368; reference:cve,2002-0495; reference:nessus,10924; classtype:web-application-attack; sid:1547; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csSearch.cgi access"; flow:to_server,established; uricontent:"/csSearch.cgi"; reference:bugtraq,4368; reference:cve,2002-0495; reference:nessus,10924; classtype:web-application-activity; sid:1548; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cart/cart.cgi access"; flow:to_server,established; uricontent:"/cart/cart.cgi"; reference:bugtraq,1115; reference:cve,2000-0252; classtype:web-application-activity; sid:1553; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dbman db.cgi access"; flow:to_server,established; uricontent:"/dbman/db.cgi"; reference:bugtraq,1178; reference:cve,2000-0381; reference:nessus,10403; classtype:web-application-activity; sid:1554; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI DCShop access"; flow:to_server,established; uricontent:"/dcshop"; nocase; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1555; rev:7;) 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI DCShop orders.txt access"; flow:to_server,established; uricontent:"/orders/orders.txt"; nocase; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1556; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI DCShop auth_user_file.txt access"; flow:to_server,established; uricontent:"/auth_data/auth_user_file.txt"; nocase; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1557; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI eshop.pl arbitrary commane execution attempt"; flow:to_server,established; uricontent:"/eshop.pl?seite=|3B|"; nocase; reference:bugtraq,3340; reference:cve,2001-1014; classtype:web-application-attack; sid:1565; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI eshop.pl access"; flow:to_server,established; uricontent:"/eshop.pl"; nocase; reference:bugtraq,3340; reference:cve,2001-1014; classtype:web-application-activity; sid:1566; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI loadpage.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/loadpage.cgi"; content:"file=../"; nocase; reference:bugtraq,2109; reference:cve,2000-1092; classtype:web-application-attack; sid:1569; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI loadpage.cgi access"; flow:to_server,established; uricontent:"/loadpage.cgi"; nocase; reference:bugtraq,2109; reference:cve,2000-1092; classtype:web-application-activity; sid:1570; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faqmanager.cgi arbitrary file access attempt"; flow:to_server,established; uricontent:"/faqmanager.cgi?toc="; uricontent:"|00|"; nocase; reference:bugtraq,3810; reference:nessus,10837; classtype:web-application-attack; sid:1590; rev:7;)
-alert tcp $EXTERNAL_NET 
any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faqmanager.cgi access"; flow:to_server,established; uricontent:"/faqmanager.cgi"; nocase; reference:bugtraq,3810; reference:nessus,10837; classtype:web-application-activity; sid:1591; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /fcgi-bin/echo.exe access"; flow:to_server,established; uricontent:"/fcgi-bin/echo.exe"; nocase; reference:nessus,10838; classtype:web-application-activity; sid:1592; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI FormHandler.cgi directory traversal attempt attempt"; flow:to_server,established; uricontent:"/FormHandler.cgi"; nocase; content:"reply_message_attach="; nocase; content:"/../"; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-attack; sid:1628; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI FormHandler.cgi external site redirection attempt"; flow:to_server,established; uricontent:"/FormHandler.cgi"; nocase; content:"redirect=http"; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-attack; sid:1593; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI FormHandler.cgi access"; flow:to_server,established; uricontent:"/FormHandler.cgi"; nocase; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-activity; sid:1594; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI guestbook.cgi access"; flow:to_server,established; uricontent:"/guestbook.cgi"; nocase; reference:cve,1999-0237; reference:nessus,10098; classtype:web-application-activity; sid:1597; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Home Free search.cgi directory traversal attempt"; flow:to_server,established; 
uricontent:"/search.cgi"; content:"letter=../.."; nocase; reference:bugtraq,921; reference:cve,2000-0054; classtype:web-application-attack; sid:1598; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI search.cgi access"; flow:to_server,established; uricontent:"/search.cgi"; nocase; reference:bugtraq,921; reference:cve,2000-0054; classtype:web-application-activity; sid:1599; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI environ.pl access"; flow:to_server,established; uricontent:"/environ.pl"; nocase; classtype:web-application-activity; sid:1651; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI campus attempt"; flow:to_server,established; uricontent:"/campus?|0A|"; nocase; reference:bugtraq,1975; reference:cve,1999-0146; reference:nessus,10035; classtype:web-application-attack; sid:1652; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI campus access"; flow:to_server,established; uricontent:"/campus"; nocase; reference:bugtraq,1975; reference:cve,1999-0146; reference:nessus,10035; classtype:web-application-activity; sid:1653; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cart32.exe access"; flow:to_server,established; uricontent:"/cart32.exe"; nocase; reference:bugtraq,1153; classtype:web-application-activity; sid:1654; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pfdispaly.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/pfdispaly.cgi?'"; nocase; reference:cve,1999-0270; reference:nessus,10174; classtype:web-application-attack; sid:1655; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pfdispaly.cgi access"; flow:to_server,established; uricontent:"/pfdispaly.cgi"; nocase; reference:cve,1999-0270; reference:nessus,10174; classtype:web-application-activity; sid:1656; rev:6;)
-alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pagelog.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/pagelog.cgi"; nocase; content:"name=../"; nocase; reference:bugtraq,1864; reference:cve,2000-0940; reference:nessus,10591; classtype:web-application-activity; sid:1657; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pagelog.cgi access"; flow:to_server,established; uricontent:"/pagelog.cgi"; nocase; reference:bugtraq,1864; reference:cve,2000-0940; reference:nessus,10591; classtype:web-application-activity; sid:1658; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ad.cgi access"; flow:to_server,established; uricontent:"/ad.cgi"; nocase; reference:bugtraq,2103; reference:cve,2001-0025; reference:nessus,11464; classtype:web-application-activity; sid:1709; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bbs_forum.cgi access"; flow:to_server,established; uricontent:"/bbs_forum.cgi"; nocase; reference:bugtraq,2177; reference:cve,2001-0123; reference:url,www.cgisecurity.com/advisory/3.1.txt; classtype:web-application-activity; sid:1710; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bsguest.cgi access"; flow:to_server,established; uricontent:"/bsguest.cgi"; nocase; reference:bugtraq,2159; reference:cve,2001-0099; classtype:web-application-activity; sid:1711; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bslist.cgi access"; flow:to_server,established; uricontent:"/bslist.cgi"; nocase; reference:bugtraq,2160; reference:cve,2001-0100; classtype:web-application-activity; sid:1712; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgforum.cgi access"; flow:to_server,established; uricontent:"/cgforum.cgi"; nocase; reference:bugtraq,1951; reference:cve,2000-1132; classtype:web-application-activity; sid:1713; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"WEB-CGI newdesk access"; flow:to_server,established; uricontent:"/newdesk"; nocase; classtype:web-application-activity; sid:1714; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI register.cgi access"; flow:to_server,established; uricontent:"/register.cgi"; nocase; reference:bugtraq,2157; reference:cve,2001-0076; classtype:web-application-activity; sid:1715; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI gbook.cgi access"; flow:to_server,established; uricontent:"/gbook.cgi"; nocase; reference:bugtraq,1940; reference:cve,2000-1131; classtype:web-application-activity; sid:1716; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI simplestguest.cgi access"; flow:to_server,established; uricontent:"/simplestguest.cgi"; nocase; reference:bugtraq,2106; reference:cve,2001-0022; classtype:web-application-activity; sid:1717; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI statsconfig.pl access"; flow:to_server,established; uricontent:"/statsconfig.pl"; nocase; reference:bugtraq,2211; reference:cve,2001-0113; classtype:web-application-activity; sid:1718; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI talkback.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/talkbalk.cgi"; nocase; content:"article=../../"; nocase; reference:bugtraq,2547; reference:cve,2001-0420; classtype:web-application-attack; sid:1719; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI talkback.cgi access"; flow:to_server,established; uricontent:"/talkbalk.cgi"; nocase; reference:bugtraq,2547; reference:cve,2001-0420; classtype:web-application-activity; sid:1720; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI adcycle access"; flow:to_server,established; uricontent:"/adcycle"; nocase; reference:bugtraq,3741; reference:cve,2001-1226; 
classtype:web-application-activity; sid:1721; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI MachineInfo access"; flow:to_server,established; uricontent:"/MachineInfo"; nocase; reference:cve,1999-1067; classtype:web-application-activity; sid:1722; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI emumail.cgi NULL attempt"; flow:to_server,established; uricontent:"/emumail.cgi"; content:"type="; nocase; content:"%00"; reference:bugtraq,5824; reference:cve,2002-1526; classtype:web-application-activity; sid:1723; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI emumail.cgi access"; flow:to_server,established; uricontent:"/emumail.cgi"; nocase; reference:bugtraq,5824; reference:cve,2002-1526; classtype:web-application-activity; sid:1724; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI document.d2w access"; flow:to_server,established; uricontent:"/document.d2w"; reference:bugtraq,2017; reference:cve,2000-1110; classtype:web-application-activity; sid:1642; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI db2www access"; flow:to_server,established; uricontent:"/db2www"; reference:cve,2000-0677; classtype:web-application-activity; sid:1643; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-bin/ access"; flow:to_server,established; uricontent:"/cgi-bin/"; content:"/cgi-bin/ HTTP"; nocase; classtype:web-application-attack; sid:1668; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-dos/ access"; flow:to_server,established; uricontent:"/cgi-dos/"; content:"/cgi-dos/ HTTP"; nocase; classtype:web-application-attack; sid:1669; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI technote main.cgi file directory traversal attempt"; flow:to_server,established; uricontent:"/technote/main.cgi"; nocase; content:"filename="; nocase; 
content:"../../"; reference:bugtraq,2156; reference:cve,2001-0075; reference:nessus,10584; classtype:web-application-attack; sid:1051; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI technote print.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/technote/print.cgi"; nocase; content:"board="; nocase; content:"../../"; content:"%00"; reference:bugtraq,2156; reference:cve,2001-0075; reference:nessus,10584; classtype:web-application-attack; sid:1052; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ads.cgi command execution attempt"; flow:to_server,established; uricontent:"/ads.cgi"; nocase; content:"file="; nocase; content:"../../"; content:"|7C|"; reference:bugtraq,2103; reference:cve,2001-0025; reference:nessus,11464; classtype:web-application-attack; sid:1053; rev:12;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI eXtropia webstore directory traversal"; flow:to_server,established; uricontent:"/web_store.cgi"; content:"page=../"; reference:bugtraq,1774; reference:cve,2000-1005; reference:nessus,10532; classtype:web-application-attack; sid:1088; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI eXtropia webstore access"; flow:to_server,established; uricontent:"/web_store.cgi"; reference:bugtraq,1774; reference:cve,2000-1005; reference:nessus,10532; classtype:web-application-activity; sid:1611; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI shopping cart directory traversal"; flow:to_server,established; uricontent:"/shop.cgi"; content:"page=../"; reference:bugtraq,1777; reference:cve,2000-0921; classtype:web-application-attack; sid:1089; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Allaire Pro Web Shell attempt"; flow:to_server,established; uricontent:"/authenticate.cgi?PASSWORD"; content:"config.ini"; classtype:web-application-attack; sid:1090; rev:7;) 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Armada Style Master Index directory traversal"; flow:to_server,established; uricontent:"/search.cgi?keys"; content:"catigory=../"; reference:bugtraq,1772; reference:cve,2000-0924; reference:nessus,10562; reference:url,www.synnergy.net/downloads/advisories/SLA-2000-16.masterindex.txt; classtype:web-application-attack; sid:1092; rev:12;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cached_feed.cgi moreover shopping cart directory traversal"; flow:to_server,established; uricontent:"/cached_feed.cgi"; content:"../"; reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-attack; sid:1093; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cached_feed.cgi moreover shopping cart access"; flow:to_server,established; uricontent:"/cached_feed.cgi"; reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-activity; sid:2051; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Talentsoft Web+ exploit attempt"; flow:to_server,established; uricontent:"/webplus.cgi?Script=/webplus/webping/webping.wml"; reference:bugtraq,1725; classtype:web-application-attack; sid:1097; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Poll-it access"; flow:to_server,established; uricontent:"/pollit/Poll_It_SSI_v2.0.cgi"; nocase; reference:bugtraq,1431; reference:cve,2000-0590; reference:nessus,10459; classtype:web-application-activity; sid:1106; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI count.cgi access"; flow:to_server,established; uricontent:"/count.cgi"; nocase; reference:bugtraq,128; reference:cve,1999-0021; reference:nessus,10049; classtype:web-application-activity; sid:1149; rev:12;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webdist.cgi arbitrary command attempt"; flow:to_server,established; 
uricontent:"/webdist.cgi"; nocase; content:"distloc=|3B|"; nocase; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-attack; sid:1865; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webdist.cgi access"; flow:to_server,established; uricontent:"/webdist.cgi"; nocase; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-activity; sid:1163; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bigconf.cgi access"; flow:to_server,established; uricontent:"/bigconf.cgi"; nocase; reference:bugtraq,778; reference:cve,1999-1550; reference:nessus,10027; classtype:web-application-activity; sid:1172; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-bin/jj access"; flow:to_server,established; uricontent:"/cgi-bin/jj"; nocase; reference:bugtraq,2002; reference:cve,1999-0260; reference:nessus,10131; classtype:web-application-activity; sid:1174; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bizdbsearch attempt"; flow:to_server,established; uricontent:"/bizdb1-search.cgi"; nocase; content:"mail"; nocase; reference:bugtraq,1104; reference:cve,2000-0287; reference:nessus,10383; classtype:web-application-attack; sid:1185; rev:12;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bizdbsearch access"; flow:to_server,established; uricontent:"/bizdb1-search.cgi"; nocase; reference:bugtraq,1104; reference:cve,2000-0287; reference:nessus,10383; classtype:web-application-activity; sid:1535; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sojourn.cgi File attempt"; flow:to_server,established; uricontent:"/sojourn.cgi?cat="; content:"%00"; nocase; reference:bugtraq,1052; reference:cve,2000-0180; reference:nessus,10349; classtype:web-application-attack; sid:1194; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"WEB-CGI sojourn.cgi access"; flow:to_server,established; uricontent:"/sojourn.cgi"; nocase; reference:bugtraq,1052; reference:cve,2000-0180; reference:nessus,10349; classtype:web-application-activity; sid:1195; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SGI InfoSearch fname attempt"; flow:to_server,established; uricontent:"/infosrch.cgi?"; content:"fname="; nocase; reference:arachnids,290; reference:bugtraq,1031; reference:cve,2000-0207; classtype:web-application-attack; sid:1196; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SGI InfoSearch fname access"; flow:to_server,established; uricontent:"/infosrch.cgi"; reference:arachnids,290; reference:bugtraq,1031; reference:cve,2000-0207; classtype:web-application-activity; sid:1727; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ax-admin.cgi access"; flow:to_server,established; uricontent:"/ax-admin.cgi"; classtype:web-application-activity; sid:1204; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI axs.cgi access"; flow:to_server,established; uricontent:"/axs.cgi"; classtype:web-application-activity; sid:1205; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cachemgr.cgi access"; flow:to_server,established; uricontent:"/cachemgr.cgi"; reference:bugtraq,2059; reference:cve,1999-0710; reference:nessus,10034; classtype:web-application-activity; sid:1206; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI responder.cgi access"; flow:to_server,established; uricontent:"/responder.cgi"; reference:bugtraq,3155; classtype:web-application-activity; sid:1208; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI web-map.cgi access"; flow:to_server,established; uricontent:"/web-map.cgi"; classtype:web-application-activity; sid:1211; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"WEB-CGI ministats admin access"; flow:to_server,established; uricontent:"/ministats/admin.cgi"; nocase; classtype:web-application-activity; sid:1215; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dfire.cgi access"; flow:to_server,established; uricontent:"/dfire.cgi"; nocase; reference:bugtraq,564; reference:cve,1999-0913; classtype:web-application-activity; sid:1219; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI txt2html.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/txt2html.cgi"; nocase; content:"/../../../../"; classtype:web-application-attack; sid:1305; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI txt2html.cgi access"; flow:to_server,established; uricontent:"/txt2html.cgi"; nocase; classtype:web-application-activity; sid:1304; rev:7;) -# do we really need two of these? -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI store.cgi product directory traversal attempt"; flow:to_server,established; uricontent:"/store.cgi"; nocase; content:"product="; content:"../.."; reference:bugtraq,2385; reference:cve,2001-0305; classtype:web-application-attack; sid:1306; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI store.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/store.cgi"; nocase; content:"../"; reference:bugtraq,2385; reference:cve,2001-0305; reference:nessus,10639; classtype:web-application-attack; sid:1488; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI store.cgi access"; flow:to_server,established; uricontent:"/store.cgi"; nocase; reference:bugtraq,2385; reference:cve,2001-0305; reference:nessus,10639; classtype:web-application-activity; sid:1307; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SIX webboard generate.cgi attempt"; flow:to_server,established; 
uricontent:"/generate.cgi"; content:"content=../"; reference:bugtraq,3175; reference:cve,2001-1115; reference:nessus,10725; classtype:web-application-attack; sid:1494; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SIX webboard generate.cgi access"; flow:to_server,established; uricontent:"/generate.cgi"; reference:bugtraq,3175; reference:cve,2001-1115; classtype:web-application-activity; sid:1495; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI spin_client.cgi access"; flow:to_server,established; uricontent:"/spin_client.cgi"; reference:nessus,10393; classtype:web-application-activity; sid:1496; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csPassword.cgi access"; flow:to_server,established; uricontent:"/csPassword.cgi"; reference:bugtraq,4885; reference:bugtraq,4886; reference:bugtraq,4887; reference:bugtraq,4889; reference:cve,2002-0917; reference:cve,2002-0918; classtype:web-application-activity; sid:1787; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csPassword password.cgi.tmp access"; flow:to_server,established; uricontent:"/password.cgi.tmp"; reference:bugtraq,4889; reference:cve,2002-0920; classtype:web-application-activity; sid:1788; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Nortel Contivity cgiproc DOS attempt"; flow:to_server,established; uricontent:"/cgiproc?Nocfile="; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-attack; sid:1763; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Nortel Contivity cgiproc DOS attempt"; flow:to_server,established; uricontent:"/cgiproc?|24|"; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-attack; sid:1764; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-CGI Nortel Contivity cgiproc access"; flow:to_server,established; uricontent:"/cgiproc"; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-activity; sid:1765; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Oracle reports CGI access"; flow:to_server,established; uricontent:"/rwcgi60"; content:"setauth="; reference:bugtraq,4848; reference:cve,2002-0947; classtype:web-application-activity; sid:1805; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alienform.cgi directory traversal attempt"; flow:established,to_server; uricontent:"/alienform.cgi"; content:".|7C|./.|7C|."; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-attack; sid:1822; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AlienForm af.cgi directory traversal attempt"; flow:established,to_server; uricontent:"/af.cgi"; content:".|7C|./.|7C|."; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-attack; sid:1823; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alienform.cgi access"; flow:established,to_server; uricontent:"/alienform.cgi"; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-activity; sid:1824; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AlienForm af.cgi access"; flow:established,to_server; uricontent:"/af.cgi"; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-activity; sid:1825; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-CGI story.pl arbitrary file read attempt"; flow:to_server,established; uricontent:"/story.pl"; content:"next=../"; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; 
sid:1868; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-CGI story.pl access"; flow:to_server,established; uricontent:"/story.pl"; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:1869; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI siteUserMod.cgi access"; flow:to_server,established; uricontent:"/.cobalt/siteUserMod/siteUserMod.cgi"; reference:bugtraq,951; reference:cve,2000-0117; reference:nessus,10253; classtype:web-application-activity; sid:1870; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgicso access"; flow:to_server,established; uricontent:"/cgicso"; reference:bugtraq,6141; reference:nessus,10779; reference:nessus,10780; classtype:web-application-activity; sid:1875; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nph-publish.cgi access"; flow:to_server,established; uricontent:"/nph-publish.cgi"; reference:cve,1999-1177; reference:nessus,10164; classtype:web-application-activity; sid:1876; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI printenv access"; flow:to_server,established; uricontent:"/printenv"; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10188; reference:nessus,10503; classtype:web-application-activity; sid:1877; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sdbsearch.cgi access"; flow:to_server,established; uricontent:"/sdbsearch.cgi"; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10503; classtype:web-application-activity; sid:1878; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rpc-nlog.pl access"; flow:to_server,established; uricontent:"/rpc-nlog.pl"; reference:cve,1999-1278; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=91470326629357&w=2; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=91471400632145&w=2; 
classtype:web-application-activity; sid:1931; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rpc-smb.pl access"; flow:to_server,established; uricontent:"/rpc-smb.pl"; reference:cve,1999-1278; classtype:web-application-activity; sid:1932; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cart.cgi access"; flow:to_server,established; uricontent:"/cart.cgi"; reference:bugtraq,1115; reference:cve,2000-0252; reference:nessus,10368; classtype:web-application-activity; sid:1933; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI vpasswd.cgi access"; flow:to_server,established; uricontent:"/vpasswd.cgi"; reference:bugtraq,6038; reference:nessus,11165; classtype:web-application-activity; sid:1994; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alya.cgi access"; flow:to_server,established; uricontent:"/alya.cgi"; reference:nessus,11118; classtype:web-application-activity; sid:1995; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI viralator.cgi access"; flow:to_server,established; uricontent:"/viralator.cgi"; reference:bugtraq,3495; reference:cve,2001-0849; reference:nessus,11107; classtype:web-application-activity; sid:1996; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI smartsearch.cgi access"; flow:to_server,established; uricontent:"/smartsearch.cgi"; reference:bugtraq,7133; classtype:web-application-activity; sid:2001; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mrtg.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/mrtg.cgi"; content:"cfg=/../"; reference:bugtraq,4017; reference:cve,2002-0232; reference:nessus,11001; classtype:web-application-attack; sid:1862; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI overflow.cgi access"; flow:to_server,established; uricontent:"/overflow.cgi"; 
reference:bugtraq,6326; reference:cve,2002-1361; reference:nessus,11190; reference:url,www.cert.org/advisories/CA-2002-35.html; classtype:web-application-activity; sid:2052; rev:5;) - -# NOTES: this signature looks for someone accessing the web application -# "way-board.cgi". This application allows attackers to view arbitrary -# files that are readable with the privilages of the web server. -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI way-board.cgi access"; flow:to_server,established; uricontent:"/way-board.cgi"; nocase; reference:nessus,10610; classtype:web-application-activity; sid:1850; rev:3;) - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI process_bug.cgi access"; flow:to_server,established; uricontent:"/process_bug.cgi"; nocase; reference:bugtraq,3272; reference:cve,2002-0008; classtype:web-application-activity; sid:2053; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI enter_bug.cgi arbitrary command attempt"; flow:to_server,established; uricontent:"/enter_bug.cgi"; nocase; content:"who="; content:"|3B|"; distance:0; reference:bugtraq,3272; reference:cve,2002-0008; classtype:web-application-attack; sid:2054; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI enter_bug.cgi access"; flow:to_server,established; uricontent:"/enter_bug.cgi"; nocase; reference:bugtraq,3272; reference:cve,2002-0008; classtype:web-application-activity; sid:2055; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI parse_xml.cgi access"; flow:to_server,established; uricontent:"/parse_xml.cgi"; nocase; reference:bugtraq,6960; reference:cve,2003-0054; classtype:web-application-activity; sid:2085; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 1220 (msg:"WEB-CGI streaming server parse_xml.cgi access"; flow:to_server,established; content:"/parse_xml.cgi"; nocase; reference:bugtraq,6960; reference:cve,2003-0054; 
classtype:web-application-activity; sid:2086; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI album.pl access"; flow:to_server,established; content:"/album.pl"; nocase; reference:bugtraq,7444; reference:nessus,11581; classtype:web-application-activity; sid:2115; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI chipcfg.cgi access"; flow:to_server,established; uricontent:"/chipcfg.cgi"; nocase; reference:bugtraq,2767; reference:cve,2001-1341; reference:url,archives.neohapsis.com/archives/bugtraq/2001-05/0233.html; classtype:web-application-activity; sid:2116; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ikonboard.cgi access"; flow:to_server,established; uricontent:"/ikonboard.cgi"; nocase; reference:bugtraq,7361; reference:nessus,11605; classtype:web-application-activity; sid:2127; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI swsrv.cgi access"; flow:to_server,established; uricontent:"/swsrv.cgi"; nocase; reference:bugtraq,7510; reference:cve,2003-0217; reference:nessus,11608; classtype:web-application-activity; sid:2128; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI CSMailto.cgi access"; flow:to_server,established; uricontent:"/CSMailto.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,6265; reference:cve,2002-0749; reference:nessus,11748; classtype:web-application-activity; sid:2194; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alert.cgi access"; flow:to_server,established; uricontent:"/alert.cgi"; nocase; reference:bugtraq,4211; reference:bugtraq,4579; reference:cve,2002-0346; reference:nessus,11748; classtype:web-application-activity; sid:2195; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI catgy.cgi access"; flow:to_server,established; uricontent:"/alert.cgi"; nocase; reference:bugtraq,3714; reference:bugtraq,4579; 
reference:cve,2001-1212; reference:nessus,11748; classtype:web-application-activity; sid:2196; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cvsview2.cgi access"; flow:to_server,established; uricontent:"/cvsview2.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2197; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cvslog.cgi access"; flow:to_server,established; uricontent:"/cvslog.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2198; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI multidiff.cgi access"; flow:to_server,established; uricontent:"/multidiff.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2199; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dnewsweb.cgi access"; flow:to_server,established; uricontent:"/dnewsweb.cgi"; nocase; reference:bugtraq,1172; reference:bugtraq,4579; reference:cve,2000-0423; reference:nessus,11748; classtype:web-application-activity; sid:2200; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI download.cgi access"; flow:to_server,established; uricontent:"/download.cgi"; nocase; reference:bugtraq,4579; reference:cve,1999-1377; reference:nessus,11748; classtype:web-application-activity; sid:2201; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI edit_action.cgi access"; flow:to_server,established; uricontent:"/edit_action.cgi"; nocase; reference:bugtraq,3698; reference:bugtraq,4579; reference:cve,2001-1196; reference:nessus,11748; classtype:web-application-activity; sid:2202; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-CGI everythingform.cgi access"; flow:to_server,established; uricontent:"/everythingform.cgi"; nocase; reference:bugtraq,2101; reference:bugtraq,4579; reference:cve,2001-0023; reference:nessus,11748; classtype:web-application-activity; sid:2203; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ezadmin.cgi access"; flow:to_server,established; uricontent:"/ezadmin.cgi"; nocase; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2204; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ezboard.cgi access"; flow:to_server,established; uricontent:"/ezboard.cgi"; nocase; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2205; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ezman.cgi access"; flow:to_server,established; uricontent:"/ezman.cgi"; nocase; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2206; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI fileseek.cgi access"; flow:to_server,established; uricontent:"/fileseek.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,6784; reference:cve,2002-0611; reference:nessus,11748; classtype:web-application-activity; sid:2207; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI fom.cgi access"; flow:to_server,established; uricontent:"/fom.cgi"; nocase; reference:bugtraq,4579; reference:cve,2002-0230; reference:nessus,11748; classtype:web-application-activity; sid:2208; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI getdoc.cgi access"; flow:to_server,established; uricontent:"/getdoc.cgi"; nocase; reference:bugtraq,4579; reference:cve,2000-0288; reference:nessus,11748; 
classtype:web-application-activity; sid:2209; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI global.cgi access"; flow:to_server,established; uricontent:"/global.cgi"; nocase; reference:bugtraq,4579; reference:cve,2000-0952; reference:nessus,11748; classtype:web-application-activity; sid:2210; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI guestserver.cgi access"; flow:to_server,established; uricontent:"/guestserver.cgi"; nocase; reference:bugtraq,4579; reference:cve,2001-0180; reference:nessus,11748; classtype:web-application-activity; sid:2211; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI imageFolio.cgi access"; flow:to_server,established; uricontent:"/imageFolio.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,6265; reference:cve,2002-1334; reference:nessus,11748; classtype:web-application-activity; sid:2212; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailfile.cgi access"; flow:to_server,established; uricontent:"/mailfile.cgi"; nocase; reference:bugtraq,1807; reference:bugtraq,4579; reference:cve,2000-0977; reference:nessus,11748; classtype:web-application-activity; sid:2213; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailview.cgi access"; flow:to_server,established; uricontent:"/mailview.cgi"; nocase; reference:bugtraq,1335; reference:bugtraq,4579; reference:cve,2000-0526; reference:nessus,11748; classtype:web-application-activity; sid:2214; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nsManager.cgi access"; flow:to_server,established; uricontent:"/nsManager.cgi"; nocase; reference:bugtraq,1710; reference:bugtraq,4579; reference:cve,2000-1023; reference:nessus,11748; classtype:web-application-activity; sid:2215; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI readmail.cgi access"; flow:to_server,established; 
uricontent:"/readmail.cgi"; nocase; reference:bugtraq,3427; reference:bugtraq,4579; reference:cve,2001-1283; reference:nessus,11748; classtype:web-application-activity; sid:2216; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI printmail.cgi access"; flow:to_server,established; uricontent:"/printmail.cgi"; nocase; reference:bugtraq,3427; reference:bugtraq,4579; reference:cve,2001-1283; reference:nessus,11748; classtype:web-application-activity; sid:2217; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI service.cgi access"; flow:to_server,established; uricontent:"/service.cgi"; nocase; reference:bugtraq,4211; reference:bugtraq,4579; reference:cve,2002-0346; reference:nessus,11748; classtype:web-application-activity; sid:2218; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI setpasswd.cgi access"; flow:to_server,established; uricontent:"/setpasswd.cgi"; nocase; reference:bugtraq,2212; reference:bugtraq,4579; reference:cve,2001-0133; reference:nessus,11748; classtype:web-application-activity; sid:2219; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI simplestmail.cgi access"; flow:to_server,established; uricontent:"/simplestmail.cgi"; nocase; reference:bugtraq,2106; reference:bugtraq,4579; reference:cve,2001-0022; reference:nessus,11748; classtype:web-application-activity; sid:2220; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ws_mail.cgi access"; flow:to_server,established; uricontent:"/ws_mail.cgi"; nocase; reference:bugtraq,2861; reference:bugtraq,4579; reference:cve,2001-1343; reference:nessus,11748; classtype:web-application-activity; sid:2221; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nph-exploitscanget.cgi access"; flow:to_server,established; uricontent:"/nph-exploitscanget.cgi"; nocase; reference:bugtraq,7910; reference:bugtraq,7911; reference:bugtraq,7913; 
reference:cve,2003-0434; reference:nessus,11740; classtype:web-application-activity; sid:2222; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csNews.cgi access"; flow:to_server,established; uricontent:"/csNews.cgi"; nocase; reference:bugtraq,4994; reference:cve,2002-0923; reference:nessus,11726; classtype:web-application-activity; sid:2223; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI psunami.cgi access"; flow:to_server,established; uricontent:"/psunami.cgi"; nocase; reference:bugtraq,6607; reference:nessus,11750; classtype:web-application-activity; sid:2224; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI gozila.cgi access"; flow:to_server,established; uricontent:"/gozila.cgi"; nocase; reference:bugtraq,6086; reference:cve,2002-1236; reference:nessus,11773; classtype:web-application-activity; sid:2225; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI quickstore.cgi access"; flow:to_server,established; uricontent:"/quickstore.cgi"; nocase; reference:bugtraq,9282; reference:nessus,11975; classtype:web-application-activity; sid:2323; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view_broadcast.cgi access"; flow:to_server,established; uricontent:"/view_broadcast.cgi"; nocase; reference:bugtraq,8257; reference:cve,2003-0422; classtype:web-application-activity; sid:2387; rev:4;) -# when we get por lists... merge this with 2387... 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 1220 (msg:"WEB-CGI streaming server view_broadcast.cgi access"; flow:to_server,established; uricontent:"/view_broadcast.cgi"; nocase; reference:bugtraq,8257; reference:cve,2003-0422; classtype:web-application-activity; sid:2388; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI CCBill whereami.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/whereami.cgi?g="; nocase; reference:bugtraq,8095; reference:url,secunia.com/advisories/9191/; classtype:web-application-attack; sid:2396; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI CCBill whereami.cgi access"; flow:to_server,established; uricontent:"/whereami.cgi"; nocase; reference:bugtraq,8095; reference:url,secunia.com/advisories/9191/; classtype:web-application-activity; sid:2397; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 3000 (msg:"WEB-CGI MDaemon form2raw.cgi overflow attempt"; flow:to_server,established; uricontent:"/form2raw.cgi"; nocase; pcre:"/\Wfrom=[^\x3b&\n]{100}/si"; reference:bugtraq,9317; reference:url,secunia.com/advisories/10512/; classtype:web-application-attack; sid:2433; rev:3;) -# the prevous rule looks for the attack, but we still want to catch the -# scanners. 
if we had port lists, this rule would be HTTP_PORTS and 3000
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI MDaemon form2raw.cgi access"; flow:to_server,established; content:"/form2raw.cgi"; nocase; reference:bugtraq,9317; reference:url,secunia.com/advisories/10512/; classtype:web-application-activity; sid:2434; rev:3;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Emumail init.emu access"; flow:to_server,established; uricontent:"/init.emu"; nocase; reference:bugtraq,9861; reference:nessus,12095; classtype:web-application-activity; sid:2567; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Emumail emumail.fcgi access"; flow:to_server,established; uricontent:"/emumail.fcgi"; nocase; reference:bugtraq,9861; reference:nessus,12095; classtype:web-application-activity; sid:2568; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pgpmail.pl access"; flow:to_server,established; uricontent:"/pgpmail.pl"; reference:bugtraq,3605; reference:cve,2001-0937; reference:nessus,11070; classtype:web-application-activity; sid:2670; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI processit access"; flow:to_server,established; uricontent:"/processit.pl"; nocase; reference:nessus,10649; classtype:web-application-activity; sid:2668; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI WhatsUpGold instancename overflow attempt"; flow:to_server,established; uricontent:"/_maincfgret.cgi"; nocase; pcre:"/instancename=[^&\x3b\r\n]{513}/smi"; reference:bugtraq,11043; reference:cve,2004-0798; classtype:web-application-attack; sid:2663; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ibillpm.pl access"; flow:to_server,established; uricontent:"/ibillpm.pl"; nocase; reference:bugtraq,3476; reference:nessus,11083; classtype:web-application-activity; sid:2669; rev:2;)
-alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI NetScreen SA 5000 delhomepage.cgi access"; flow:to_server,established; uricontent:"/delhomepage.cgi"; reference:bugtraq,9791; classtype:web-application-activity; sid:3062; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailman directory traversal attempt"; flow:to_server,established; uricontent:"/mailman/"; uricontent:".../"; reference:cve,2005-0202; classtype:web-application-attack; sid:3131; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI awstats.pl command execution attempt"; flow:to_server,established; uricontent:"/awstats.pl?"; nocase; uricontent:"update="; pcre:"/update=[^\r\n\x26]+/Ui"; uricontent:"logfile="; nocase; pcre:"/awstats.pl?[^\r\n]*logfile=\x7C/Ui"; reference:bugtraq,12572; classtype:web-application-attack; sid:3464; rev:1;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Ipswitch WhatsUp Gold dos attempt"; flow:to_server,established; uricontent:"/prn"; nocase; pcre:"/\/prn\.(asp|cgi|html?)/Ui"; reference:bugtraq,11110; reference:cve,2004-0799; reference:url,www.idefense.com/application/poi/display?id=142&type=vulnerabilities; reference:url,www.ipswitch.com/Support/WhatsUp/patch-upgrades.html; reference:url,www.secunia.com/advisories/12578/; classtype:attempted-dos; sid:3469; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI awstats access"; flow:to_server,established; uricontent:"/awstats.pl"; nocase; reference:bugtraq,12572; classtype:web-application-activity; sid:3463; rev:1;)
diff -Nru snort-2.8.5.2/rules/web-client.rules snort-2.9.2/rules/web-client.rules
--- snort-2.8.5.2/rules/web-client.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/web-client.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,54 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: web-client.rules,v 1.20.2.8.2.7 2005/07/22 19:19:54 mwatchinski Exp $
-#---------------
-# WEB-CLIENT RULES
-#---------------
-#
-# These signatures look for two things:
-# * bad things coming from our users
-# * attacks against our web users
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Outlook EML access"; flow:from_client,established; uricontent:".eml"; reference:nessus,10767; classtype:attempted-user; sid:1233; rev:11;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft emf metafile access"; flow:from_client,established; uricontent:".emf"; reference:bugtraq,10120; reference:bugtraq,9707; reference:cve,2003-0906; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-user; sid:2435; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft wmf metafile access"; flow:from_client,established; uricontent:".wmf"; reference:bugtraq,10120; reference:bugtraq,9707; 
reference:cve,2003-0906; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-user; sid:2436; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT XMLHttpRequest attempt"; flow:to_client,established; content:"new XMLHttpRequest|28|"; content:"file|3A|//"; nocase; reference:bugtraq,4628; reference:cve,2002-0354; classtype:web-application-attack; sid:1735; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT readme.eml download attempt"; flow:from_client,established; uricontent:"/readme.eml"; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1284; rev:10;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT readme.eml autoload attempt"; flow:to_client,established; content:"window.open|28 22|readme.eml|22|"; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1290; rev:10;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Javascript document.domain attempt"; flow:to_client,established; content:"document.domain|28|"; nocase; reference:bugtraq,5346; reference:cve,2002-0815; classtype:attempted-user; sid:1840; rev:7;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Javascript URL host spoofing attempt"; flow:to_client,established; content:"javascript|3A|//"; nocase; reference:bugtraq,5293; classtype:attempted-user; sid:1841; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer arbitrary javascript command attempt"; flow:to_client,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s*application\x2fsmi.*?<area[\s\n\r]+href=[\x22\x27]file\x3ajavascript\x3a/smi"; reference:bugtraq,8453; reference:bugtraq,9378; reference:cve,2003-0726; classtype:attempted-user; sid:2437; rev:7;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist file URL 
overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"file|3A|//"; nocase; pcre:"/^file\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2438; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist http URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"http|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2439; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"rtsp|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2440; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Norton antivirus sysmspam.dll load attempt"; flow:to_client,established; content:"clsid|3A|"; nocase; content:"0534CF61-83C5-4765-B19B-45F7A4E135D0"; nocase; reference:bugtraq,9916; reference:cve,2004-0363; classtype:attempted-admin; sid:2485; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT local resource redirection attempt"; flow:to_client,established; content:"Location|3A|"; nocase; pcre:"/^Location\x3a\s*URL\s*\x3a/smi"; reference:cve,2004-0549; reference:url,www.kb.cert.org/vuls/id/713878; classtype:attempted-user; sid:2577; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Content-Disposition CLSID command attempt"; flow:to_client,established; content:"Content-Disposition|3A|"; nocase; pcre:"/^Content-Disposition\x3a[^\r\n]*\{[\da-fA-F]{8}(-[\da-fA-F]{4}){3}-[\da-fA-F]{12}\}/smi"; reference:bugtraq,9510; reference:cve,2004-0420; reference:url,www.microsoft.com/technet/security/bulletin/ms04-024.mspx; 
classtype:attempted-user; sid:2589; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT libpng tRNS overflow attempt"; flow:to_client,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:4; distance:4; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; reference:bugtraq,10872; reference:cve,2004-0597; classtype:attempted-user; sid:2673; rev:4;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT bitmap BitmapOffset integer overflow attempt"; flow:to_client,established; content:"image/bmp"; nocase; pcre:"/^Content-type\x3a\s*image\x2fbmp/smi"; pcre:"/^BM/sm"; byte_test:4,>,2147480000,8,relative,little; reference:bugtraq,9663; reference:cve,2004-0566; classtype:attempted-user; sid:2671; rev:4;)
-# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser heap overflow attempt"; flow:from_server,established; content:"image/"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fp?jpe?g.*\xFF\xD8.{2}.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/smi"; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-admin; sid:2705; rev:4;)
-# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG transfer"; flow:from_server,established; content:"image/"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fp?jpe?g/smi"; flowbits:set,http.jpeg; flowbits:noalert; classtype:protocol-command-decode; sid:2706; rev:2;)
-# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser multipacket heap overflow"; flow:from_server,established; flowbits:isset,http.jpeg; content:"|FF|"; pcre:"/\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/"; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-admin; sid:2707; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"WEB-CLIENT Microsoft ANI file parsing overflow"; flow:established,from_server; content:"RIFF"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative,little; reference:cve,2004-1049; classtype:attempted-user; sid:3079; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT winamp .cda file name overflow attempt"; flow:from_server,established; content:".cda"; nocase; pcre:"/(\x5c[^\x5c]{16,}|\x2f[^\x2f]{16,})\.cda$/smi"; reference:bugtraq,11730; classtype:attempted-user; sid:3088; rev:1;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT PNG large image width download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32768,0,relative; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3132; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT PNG large colour depth download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:1,>,16,8,relative; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3134; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT PNG large image height download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32768,4,relative; reference:bugtraq,11481; reference:bugtraq,11523; reference:cve,2004-0599; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3133; rev:4;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT object type overflow attempt"; flow:from_server,established; content:"<OBJECT"; 
nocase; pcre:"/<OBJECT\s+[^>]*type\s*=[\x22\x27]\x2f{32}/smi"; reference:cve,2003-0344; reference:url,www.microsoft.com/technet/security/bulletin/MS03-020.mspx; classtype:attempted-user; sid:3149; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt"; flow:from_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename=[^\x3b\x3a\r\n]*(\x2e\x2e|\x25\x32\x65)/smi"; reference:bugtraq,7517; reference:cve,2003-0228; reference:url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx; classtype:attempted-user; sid:3192; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT winhelp clsid attempt"; flow:from_server,established; content:"adb880a6-d8ff-11cf-9377-00aa003b7a11"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*adb880a6-d8ff-11cf-9377-00aa003b7a11/si"; reference:bugtraq,4857; reference:cve,2002-0823; reference:url,www.ngssoftware.com/advisories/ms-winhlp.txt; classtype:attempted-user; sid:3148; rev:4;)
diff -Nru snort-2.8.5.2/rules/web-coldfusion.rules snort-2.9.2/rules/web-coldfusion.rules
--- snort-2.8.5.2/rules/web-coldfusion.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/web-coldfusion.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: web-coldfusion.rules,v 1.27.2.2.2.1 2005/05/16 22:17:52 mwatchinski Exp $
-#---------------------
-# WEB-COLDFUSION RULES
-#---------------------
-#
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfcache.map access"; flow:to_server,established; uricontent:"/cfcache.map"; nocase; reference:bugtraq,917; reference:cve,2000-0057; classtype:attempted-recon; sid:903; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exampleapp application.cfm"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/email/application.cfm"; nocase; reference:bugtraq,1021; reference:cve,2000-0189; classtype:attempted-recon; sid:904; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION application.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/publish/admin/application.cfm"; nocase; reference:bugtraq,1021; reference:cve,2000-0189; classtype:attempted-recon; sid:905; rev:7;)
-alert tcp $EXTERNAL_NET any 
-> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getfile.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/email/getfile.cfm"; nocase; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-recon; sid:906; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION addcontent.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/publish/admin/addcontent.cfm"; nocase; classtype:attempted-recon; sid:907; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION administrator access"; flow:to_server,established; uricontent:"/cfide/administrator/index.cfm"; nocase; reference:bugtraq,1314; reference:cve,2000-0538; classtype:attempted-recon; sid:908; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:909; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION fileexists.cfm access"; flow:to_server,established; uricontent:"/cfdocs/snippets/fileexists.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:910; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exprcalc access"; flow:to_server,established; uricontent:"/cfdocs/expeval/exprcalc.cfm"; nocase; reference:bugtraq,115; reference:bugtraq,550; reference:cve,1999-0455; classtype:attempted-recon; sid:911; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION parks access"; flow:to_server,established; uricontent:"/cfdocs/examples/parks/detail.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:912; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfappman access"; flow:to_server,established; uricontent:"/cfappman/index.cfm"; nocase; 
reference:bugtraq,550; classtype:attempted-recon; sid:913; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION beaninfo access"; flow:to_server,established; uricontent:"/cfdocs/examples/cvbeans/beaninfo.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:914; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION evaluate.cfm access"; flow:to_server,established; uricontent:"/cfdocs/snippets/evaluate.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:915; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getodbcdsn access"; flow:to_server,established; content:"CFUSION_GETODBCDSN|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:916; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION db connections flush attempt"; flow:to_server,established; content:"CFUSION_DBCONNECTIONS_FLUSH|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:917; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION expeval access"; flow:to_server,established; uricontent:"/cfdocs/expeval/"; nocase; reference:bugtraq,550; reference:cve,1999-0477; classtype:attempted-user; sid:918; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource passwordattempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:919; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:920; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION admin encrypt attempt"; flow:to_server,established; 
content:"CFUSION_ENCRYPT|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:921; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION displayfile access"; flow:to_server,established; uricontent:"/cfdocs/expeval/displayopenedfile.cfm"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:922; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:923; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION admin decrypt attempt"; flow:to_server,established; content:"CFUSION_DECRYPT|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:924; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION mainframeset access"; flow:to_server,established; uricontent:"/cfdocs/examples/mainframeset.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:925; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION set odbc ini attempt"; flow:to_server,established; content:"CFUSION_SETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:926; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION settings refresh attempt"; flow:to_server,established; content:"CFUSION_SETTINGS_REFRESH|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:927; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exampleapp access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/"; nocase; classtype:attempted-recon; sid:928; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION CFUSION_VERIFYMAIL access"; flow:to_server,established; 
content:"CFUSION_VERIFYMAIL|28 29|"; nocase; reference:bugtraq,550; classtype:attempted-user; sid:929; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION snippets attempt"; flow:to_server,established; uricontent:"/cfdocs/snippets/"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:930; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfmlsyntaxcheck.cfm access"; flow:to_server,established; uricontent:"/cfdocs/cfmlsyntaxcheck.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:931; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION application.cfm access"; flow:to_server,established; uricontent:"/application.cfm"; nocase; reference:arachnids,268; reference:bugtraq,550; reference:cve,2000-0189; classtype:attempted-recon; sid:932; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION onrequestend.cfm access"; flow:to_server,established; uricontent:"/onrequestend.cfm"; nocase; reference:arachnids,269; reference:bugtraq,550; reference:cve,2000-0189; classtype:attempted-recon; sid:933; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION startstop DOS access"; flow:to_server,established; uricontent:"/cfide/administrator/startstop.html"; nocase; reference:bugtraq,247; classtype:web-application-attack; sid:935; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION gettempdirectory.cfm access "; flow:to_server,established; uricontent:"/cfdocs/snippets/gettempdirectory.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:936; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION sendmail.cfm access"; flow:to_server,established; uricontent:"/sendmail.cfm"; nocase; classtype:attempted-recon; sid:1659; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION 
?Mode=debug attempt"; flow:to_server,established; uricontent:"Mode=debug"; nocase; reference:nessus,10797; classtype:web-application-activity; sid:1540; rev:7;)
diff -Nru snort-2.8.5.2/rules/web-frontpage.rules snort-2.9.2/rules/web-frontpage.rules
--- snort-2.8.5.2/rules/web-frontpage.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/web-frontpage.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: web-frontpage.rules,v 1.32.2.2.2.2 2005/06/29 15:35:05 mwatchinski Exp $
-#--------------------
-# WEB-FRONTPAGE RULES
-#--------------------
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad fp30reg.dll access"; flow:to_server,established; uricontent:"/fp30reg.dll"; nocase; reference:arachnids,555; reference:bugtraq,2906; reference:cve,2001-0341; reference:url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx; classtype:web-application-activity; sid:1248; rev:13;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE frontpage rad fp4areg.dll access"; flow:to_server,established; uricontent:"/fp4areg.dll"; nocase; reference:bugtraq,2906; reference:cve,2001-0341; classtype:web-application-activity; sid:1249; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE _vti_rpc access"; flow:to_server,established; uricontent:"/_vti_rpc"; nocase; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; 
classtype:web-application-activity; sid:937; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE posting"; flow:to_server,established; content:"POST"; uricontent:"/author.dll"; nocase; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; reference:url,www.microsoft.com/technet/security/bulletin/MS00-100.mspx; classtype:web-application-activity; sid:939; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE shtml.dll access"; flow:to_server,established; uricontent:"/_vti_bin/shtml.dll"; nocase; reference:arachnids,292; reference:bugtraq,1174; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0413; reference:cve,2000-0746; reference:nessus,11395; reference:url,www.microsoft.com/technet/security/bulletin/ms00-060.mspx; classtype:web-application-activity; sid:940; rev:15;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE contents.htm access"; flow:to_server,established; uricontent:"/admcgi/contents.htm"; nocase; classtype:web-application-activity; sid:941; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE orders.htm access"; flow:to_server,established; uricontent:"/_private/orders.htm"; nocase; classtype:web-application-activity; sid:942; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpsrvadm.exe access"; flow:to_server,established; uricontent:"/fpsrvadm.exe"; nocase; classtype:web-application-activity; sid:943; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpremadm.exe access"; flow:to_server,established; uricontent:"/fpremadm.exe"; nocase; classtype:web-application-activity; sid:944; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpadmin.htm access"; flow:to_server,established; uricontent:"/admisapi/fpadmin.htm"; nocase; classtype:web-application-activity; sid:945; rev:6;)
-alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpadmcgi.exe access"; flow:to_server,established; uricontent:"/scripts/Fpadmcgi.exe"; nocase; classtype:web-application-activity; sid:946; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE orders.txt access"; flow:to_server,established; uricontent:"/_private/orders.txt"; nocase; classtype:web-application-activity; sid:947; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE form_results access"; flow:to_server,established; uricontent:"/_private/form_results.txt"; nocase; reference:cve,1999-1052; classtype:web-application-activity; sid:948; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE registrations.htm access"; flow:to_server,established; uricontent:"/_private/registrations.htm"; nocase; classtype:web-application-activity; sid:949; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE cfgwiz.exe access"; flow:to_server,established; uricontent:"/cfgwiz.exe"; nocase; classtype:web-application-activity; sid:950; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE authors.pwd access"; flow:to_server,established; uricontent:"/authors.pwd"; nocase; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:951; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE author.exe access"; flow:to_server,established; uricontent:"/_vti_bin/_vti_aut/author.exe"; nocase; classtype:web-application-activity; sid:952; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE administrators.pwd access"; flow:to_server,established; uricontent:"/administrators.pwd"; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:953; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE 
form_results.htm access"; flow:to_server,established; uricontent:"/_private/form_results.htm"; nocase; reference:cve,1999-1052; classtype:web-application-activity; sid:954; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE access.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/access.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:955; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE register.txt access"; flow:to_server,established; uricontent:"/_private/register.txt"; nocase; classtype:web-application-activity; sid:956; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE registrations.txt access"; flow:to_server,established; uricontent:"/_private/registrations.txt"; nocase; classtype:web-application-activity; sid:957; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/service.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:958; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.pwd"; flow:to_server,established; uricontent:"/service.pwd"; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:959; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.stp access"; flow:to_server,established; uricontent:"/_vti_pvt/service.stp"; nocase; classtype:web-application-activity; sid:960; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE services.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/services.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:961; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE 
shtml.exe access"; flow:to_server,established; uricontent:"/_vti_bin/shtml.exe"; nocase; reference:bugtraq,1174; reference:bugtraq,1608; reference:bugtraq,5804; reference:cve,2000-0413; reference:cve,2000-0709; reference:cve,2002-0692; reference:nessus,10405; reference:nessus,11311; classtype:web-application-activity; sid:962; rev:13;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE svcacl.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/svcacl.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:963; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE users.pwd access"; flow:to_server,established; uricontent:"/users.pwd"; nocase; classtype:web-application-activity; sid:964; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE writeto.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/writeto.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:965; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE .... 
request"; flow:to_server,established; uricontent:"..../"; nocase; reference:arachnids,248; reference:bugtraq,989; reference:cve,1999-0386; reference:cve,2000-0153; reference:nessus,10142; classtype:web-application-attack; sid:966; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE dvwssr.dll access"; flow:to_server,established; uricontent:"/dvwssr.dll"; nocase; reference:arachnids,271; reference:bugtraq,1108; reference:bugtraq,1109; reference:cve,2000-0260; reference:url,www.microsoft.com/technet/security/bulletin/ms00-025.mspx; classtype:web-application-activity; sid:967; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE register.htm access"; flow:to_server,established; uricontent:"/_private/register.htm"; nocase; classtype:web-application-activity; sid:968; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE /_vti_bin/ access"; flow:to_server,established; uricontent:"/_vti_bin/"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1288; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE _vti_inf.html access"; flow:to_server,established; uricontent:"/_vti_inf.html"; nocase; reference:nessus,11455; classtype:web-application-activity; sid:990; rev:9;) - diff -Nru snort-2.8.5.2/rules/web-iis.rules snort-2.9.2/rules/web-iis.rules --- snort-2.8.5.2/rules/web-iis.rules 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/rules/web-iis.rules 1970-01-01 00:00:00.000000000 +0000 
@@ -1,167 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: web-iis.rules,v 1.78.2.5.2.6 2005/07/22 19:19:54 mwatchinski Exp $ -#-------------- -# WEB-IIS RULES -#-------------- - - -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS MDAC Content-Type overflow attempt"; flow:to_server,established; uricontent:"/msadcs.dll"; nocase; content:"Content-Type|3A|"; nocase; isdataat:50,relative; content:!"|0A|"; within:50; pcre:"/^POST\s/smi"; reference:bugtraq,6214; reference:cve,2002-1142; reference:url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337; reference:url,www.microsoft.com/technet/security/bulletin/MS02-065.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS98-004.mspx; classtype:web-application-attack; sid:1970; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS repost.asp access"; flow:to_server,established; uricontent:"/scripts/repost.asp"; nocase; reference:nessus,10372; classtype:web-application-activity; sid:1076; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"WEB-IIS .htr chunked Transfer-Encoding"; flow:to_server,established; uricontent:".htr"; nocase; content:"Transfer-Encoding|3A|"; nocase; content:"chunked"; distance:0; nocase; reference:bugtraq,4855; reference:bugtraq,5003; reference:cve,2002-0364; classtype:web-application-attack; sid:1806; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .asp chunked Transfer-Encoding"; flow:to_server,established; uricontent:".asp"; nocase; content:"Transfer-Encoding|3A|"; nocase; content:"chunked"; distance:0; nocase; reference:bugtraq,4474; reference:bugtraq,4485; reference:cve,2002-0071; reference:cve,2002-0079; reference:nessus,10932; classtype:web-application-attack; sid:1618; rev:16;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /StoreCSVS/InstantOrder.asmx request"; flow:to_server,established; uricontent:"/StoreCSVS/InstantOrder.asmx"; nocase; classtype:web-application-activity; sid:1626; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS users.xml access"; flow:to_server,established; uricontent:"/users.xml"; nocase; classtype:web-application-activity; sid:1750; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS as_web.exe access"; flow:to_server,established; uricontent:"/as_web.exe"; nocase; reference:bugtraq,4670; classtype:web-application-activity; sid:1753; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS as_web4.exe access"; flow:to_server,established; uricontent:"/as_web4.exe"; nocase; reference:bugtraq,4670; classtype:web-application-activity; sid:1754; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS NewsPro administration authentication attempt"; flow:to_server,established; content:"logged,true"; reference:bugtraq,4672; classtype:web-application-activity; sid:1756; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS pbserver access"; 
flow:to_server,established; uricontent:"/pbserver/pbserver.dll"; nocase; reference:cve,2000-1089; reference:url,www.microsoft.com/technet/security/bulletin/ms00-094.mspx; classtype:web-application-activity; sid:1772; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS trace.axd access"; flow:to_server,established; uricontent:"/trace.axd"; nocase; reference:nessus,10993; classtype:web-application-activity; sid:1660; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /isapi/tstisapi.dll access"; flow:to_server,established; uricontent:"/isapi/tstisapi.dll"; nocase; reference:bugtraq,2381; reference:cve,2001-0302; classtype:web-application-activity; sid:1484; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS mkilog.exe access"; flow:to_server,established; uricontent:"/mkilog.exe"; nocase; reference:nessus,10359; reference:url,www.osvdb.org/274; classtype:web-application-activity; sid:1485; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ctss.idc access"; flow:to_server,established; uricontent:"/ctss.idc"; nocase; reference:nessus,10359; classtype:web-application-activity; sid:1486; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /iisadmpwd/aexp2.htr access"; flow:to_server,established; uricontent:"/iisadmpwd/aexp2.htr"; reference:bugtraq,2110; reference:bugtraq,4236; reference:cve,1999-0407; reference:cve,2002-0421; reference:nessus,10371; classtype:web-application-activity; sid:1487; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WebDAV file lock attempt"; flow:to_server,established; content:"LOCK "; depth:5; reference:bugtraq,2736; classtype:web-application-activity; sid:969; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .printer access"; flow:to_server,established; uricontent:".printer"; nocase; reference:arachnids,533; reference:bugtraq,2674; 
reference:cve,2001-0241; reference:nessus,10661; reference:url,www.microsoft.com/technet/security/bulletin/MS01-023.mspx; classtype:web-application-activity; sid:971; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida attempt"; flow:to_server,established; uricontent:".ida?"; nocase; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-attack; sid:1243; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida access"; flow:to_server,established; uricontent:".ida"; nocase; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1242; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .idq attempt"; flow:to_server,established; uricontent:".idq?"; nocase; reference:arachnids,553; reference:bugtraq,1065; reference:bugtraq,968; reference:cve,2000-0071; reference:cve,2000-0126; reference:nessus,10115; classtype:web-application-attack; sid:1244; rev:14;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .idq access"; flow:to_server,established; uricontent:".idq"; nocase; reference:arachnids,553; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1245; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS %2E-asp access"; flow:to_server,established; content:"%2easp"; nocase; reference:bugtraq,1814; reference:cve,1999-0253; classtype:web-application-activity; sid:972; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS *.idc attempt"; flow:to_server,established; uricontent:"/*.idc"; nocase; reference:bugtraq,1448; reference:cve,1999-0874; reference:cve,2000-0661; classtype:web-application-attack; sid:973; rev:10;) - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Directory transversal attempt"; 
flow:to_server,established; content:"..|5C|.."; reference:bugtraq,2218; reference:cve,1999-0229; classtype:web-application-attack; sid:974; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Alternate Data streams ASP file access attempt"; flow:to_server,established; uricontent:".asp|3A 3A 24|DATA"; nocase; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q188806; classtype:web-application-attack; sid:975; rev:12;) - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .bat? access"; flow:to_server,established; uricontent:".bat?"; nocase; reference:bugtraq,2023; reference:cve,1999-0233; reference:url,support.microsoft.com/support/kb/articles/Q148/1/88.asp; reference:url,support.microsoft.com/support/kb/articles/Q155/0/56.asp; classtype:web-application-activity; sid:976; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cnf access"; flow:to_server,established; uricontent:".cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:977; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ASP contents view"; flow:to_server,established; content:"%20"; content:"&CiRestriction=none"; nocase; content:"&CiHiliteType=Full"; nocase; reference:bugtraq,1084; reference:cve,2000-0302; reference:nessus,10356; reference:url,www.microsoft.com/technet/security/bulletin/MS00-006.mspx; classtype:web-application-attack; sid:978; rev:12;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ASP contents view"; flow:to_server,established; uricontent:".htw?CiWebHitsFile"; reference:bugtraq,1861; reference:cve,2000-0942; reference:url,www.microsoft.com/technet/security/bulletin/MS00-006.mspx; classtype:web-application-attack; sid:979; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CGImail.exe access"; 
flow:to_server,established; uricontent:"/scripts/CGImail.exe"; nocase; reference:bugtraq,1623; reference:cve,2000-0726; classtype:web-application-activity; sid:980; rev:7;) - -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS JET VBA access"; flow:to_server,established; uricontent:"/scripts/samples/ctguestb.idc"; nocase; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-activity; sid:984; rev:10;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS JET VBA access"; flow:to_server,established; uricontent:"/scripts/samples/details.idc"; nocase; reference:bugtraq,286; reference:cve,1999-0874; classtype:web-application-activity; sid:985; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MSProxy access"; flow:to_server,established; uricontent:"/scripts/proxy/w3proxy.dll"; nocase; reference:url,support.microsoft.com/?kbid=331066; classtype:web-application-activity; sid:986; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS +.htr code fragment attempt"; flow:to_server,established; uricontent:"+.htr"; nocase; reference:bugtraq,1488; reference:cve,2000-0630; reference:nessus,10680; reference:url,www.microsoft.com/technet/security/bulletin/MS00-044.mspx; classtype:web-application-attack; sid:1725; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .htr access"; flow:to_server,established; uricontent:".htr"; nocase; reference:bugtraq,1488; reference:cve,2000-0630; reference:nessus,10680; classtype:web-application-activity; sid:987; rev:14;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SAM Attempt"; flow:to_server,established; content:"sam._"; nocase; reference:url,www.ciac.org/ciac/bulletins/h-45.shtml; classtype:web-application-attack; sid:988; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS achg.htr access"; flow:to_server,established; 
uricontent:"/iisadmpwd/achg.htr"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:991; rev:8;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS adctest.asp access"; flow:to_server,established; uricontent:"/msadc/samples/adctest.asp"; nocase; classtype:web-application-activity; sid:992; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /scripts/iisadmin/default.htm access"; flow:to_server,established; uricontent:"/scripts/iisadmin/default.htm"; nocase; classtype:web-application-attack; sid:994; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ism.dll access"; flow:to_server,established; uricontent:"/scripts/iisadmin/ism.dll?http/dir"; nocase; reference:bugtraq,189; reference:cve,1999-1538; reference:cve,2000-0630; classtype:web-application-attack; sid:995; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS anot.htr access"; flow:to_server,established; uricontent:"/iisadmpwd/anot"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:996; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS asp-dot attempt"; flow:to_server,established; uricontent:".asp."; nocase; reference:bugtraq,1814; reference:nessus,10363; classtype:web-application-attack; sid:997; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS asp-srch attempt"; flow:to_server,established; uricontent:"|23|filename=*.asp"; nocase; classtype:web-application-attack; sid:998; rev:7;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS bdir access"; flow:to_server,established; uricontent:"/scripts/iisadmin/bdir.htr"; nocase; reference:bugtraq,2280; classtype:web-application-activity; sid:999; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS bdir.htr access"; flow:to_server,established; 
uricontent:"/bdir.htr"; nocase; reference:bugtraq,2280; reference:nessus,10577; classtype:web-application-activity; sid:1000; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd32.exe access"; flow:to_server,established; content:"cmd32.exe"; nocase; classtype:web-application-attack; sid:1661; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; uricontent:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd? access"; flow:to_server,established; content:".cmd?&"; nocase; classtype:web-application-attack; sid:1003; rev:7;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS codebrowser Exair access"; flow:to_server,established; uricontent:"/iissamples/exair/howitworks/codebrws.asp"; nocase; reference:cve,1999-0499; reference:cve,1999-0815; classtype:web-application-activity; sid:1004; rev:8;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS codebrowser SDK access"; flow:to_server,established; uricontent:"/iissamples/sdk/asp/docs/codebrws.asp"; nocase; reference:bugtraq,167; reference:cve,1999-0736; classtype:web-application-activity; sid:1005; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cross-site scripting attempt"; flow:to_server,established; uricontent:"/Form_JScript.asp"; nocase; reference:bugtraq,119; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; reference:url,www.microsoft.com/technet/security/bulletin/MS00-028.mspx; classtype:web-application-attack; sid:1007; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cross-site scripting attempt"; flow:to_server,established; uricontent:"/Form_VBScript.asp"; nocase; reference:bugtraq,119; reference:bugtraq,1594; reference:bugtraq,1595; 
reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; classtype:web-application-attack; sid:1380; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS del attempt"; flow:to_server,established; content:"&del+/s+c|3A 5C|*.*"; nocase; classtype:web-application-attack; sid:1008; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS directory listing"; flow:to_server,established; uricontent:"/ServerVariables_Jscript.asp"; nocase; reference:nessus,10573; classtype:web-application-attack; sid:1009; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS encoding access"; flow:to_server,established; content:"%1u"; reference:arachnids,200; reference:bugtraq,886; reference:cve,2000-0024; reference:url,http//www.microsoft.com/technet/security/bulletin/MS99-061.mspx; classtype:web-application-activity; sid:1010; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS exec-src access"; flow:to_server,established; content:"|23|filename=*.exe"; nocase; classtype:web-application-activity; sid:1011; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS fpcount attempt"; flow:to_server,established; uricontent:"/fpcount.exe"; content:"Digits="; nocase; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-attack; sid:1012; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS fpcount access"; flow:to_server,established; uricontent:"/fpcount.exe"; nocase; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-activity; sid:1013; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS getdrvs.exe access"; flow:to_server,established; uricontent:"/scripts/tools/getdrvs.exe"; nocase; classtype:web-application-activity; sid:1015; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS global.asa access"; 
flow:to_server,established; uricontent:"/global.asa"; nocase; reference:cve,2000-0778; reference:nessus,10491; reference:nessus,10991; classtype:web-application-activity; sid:1016; rev:12;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS idc-srch attempt"; flow:to_server,established; content:"|23|filename=*.idc"; nocase; reference:cve,1999-0874; classtype:web-application-attack; sid:1017; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS iisadmpwd attempt"; flow:to_server,established; uricontent:"/iisadmpwd/aexp"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-attack; sid:1018; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"IIS Malformed Hit-Highlighting Argument File Access Attempt"; flow:to_server,established; uricontent:"CiWebHitsFile="; nocase; pcre:"/CiWebHitsFile=\/?([^\r\n\x3b\&]*\.\.\/)?/i"; uricontent:"CiRestriction=none"; nocase; uricontent:"ciHiliteType=Full"; nocase; reference:bugtraq,950; reference:cve,2000-0097; reference:url,www.microsoft.com/technet/security/bulletin/ms00-006.mspx; reference:url,www.securityfocus.com/archive/1/43762; classtype:web-application-attack; sid:1019; rev:15;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS isc$data attempt"; flow:to_server,established; uricontent:".idc|3A 3A 24|data"; nocase; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-attack; sid:1020; rev:12;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ism.dll attempt"; flow:to_server,established; uricontent:" .htr"; nocase; reference:bugtraq,1193; reference:cve,2000-0457; reference:nessus,10680; reference:url,www.microsoft.com/technet/security/bulletin/MS00-031.mspx; classtype:web-application-attack; sid:1021; rev:14;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS jet vba access"; flow:to_server,established; 
uricontent:"/advworks/equipment/catalog_type.asp"; nocase; reference:bugtraq,286; reference:cve,1999-0874; classtype:web-application-activity; sid:1022; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS msadcs.dll access"; flow:to_server,established; uricontent:"/msadcs.dll"; nocase; reference:bugtraq,529; reference:cve,1999-1011; reference:nessus,10357; classtype:web-application-activity; sid:1023; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS newdsn.exe access"; flow:to_server,established; uricontent:"/scripts/tools/newdsn.exe"; nocase; reference:bugtraq,1818; reference:cve,1999-0191; reference:nessus,10360; classtype:web-application-activity; sid:1024; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl access"; flow:to_server,established; uricontent:"/scripts/perl"; nocase; classtype:web-application-activity; sid:1025; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl-browse newline attempt"; flow:to_server,established; uricontent:"|0A|.pl"; nocase; reference:bugtraq,6833; classtype:web-application-attack; sid:1026; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl-browse space attempt"; flow:to_server,established; uricontent:" .pl"; nocase; reference:bugtraq,6833; classtype:web-application-attack; sid:1027; rev:8;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS query.asp access"; flow:to_server,established; uricontent:"/issamples/query.asp"; nocase; reference:bugtraq,193; reference:cve,1999-0449; classtype:web-application-activity; sid:1028; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS scripts-browse access"; flow:to_server,established; uricontent:"/scripts/ "; nocase; reference:nessus,11032; classtype:web-application-attack; sid:1029; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS search97.vts 
access"; flow:to_server,established; uricontent:"/search97.vts"; reference:bugtraq,162; classtype:web-application-activity; sid:1030; rev:7;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /SiteServer/Publishing/viewcode.asp access"; flow:to_server,established; uricontent:"/SiteServer/Publishing/viewcode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1031; rev:8;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Knowledge/Membership/Inspired/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1032; rev:7;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1033; rev:7;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1034; rev:7;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Samples/Knowledge/Push/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1035; rev:7;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Samples/Knowledge/Search/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1036; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode.asp access"; flow:to_server,established; uricontent:"/showcode.asp"; nocase; reference:bugtraq,167; reference:cve,1999-0736; 
reference:nessus,10007; reference:url,www.microsoft.com/technet/security/bulletin/MS99-013.mspx; classtype:web-application-activity; sid:1037; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS site server config access"; flow:to_server,established; uricontent:"/adsamples/config/site.csc"; nocase; reference:bugtraq,256; reference:cve,1999-1520; classtype:web-application-activity; sid:1038; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS srch.htm access"; flow:to_server,established; uricontent:"/samples/isapi/srch.htm"; nocase; classtype:web-application-activity; sid:1039; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS srchadm access"; flow:to_server,established; uricontent:"/srchadm"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1040; rev:12;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS uploadn.asp access"; flow:to_server,established; uricontent:"/scripts/uploadn.asp"; nocase; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1041; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; content:"Translate|3A| F"; nocase; reference:arachnids,305; reference:bugtraq,1578; reference:cve,2000-0778; classtype:web-application-activity; sid:1042; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS viewcode.asp access"; flow:to_server,established; uricontent:"/viewcode.asp"; nocase; reference:cve,1999-0737; reference:nessus,10576; classtype:web-application-activity; sid:1043; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS webhits access"; flow:to_server,established; uricontent:".htw"; reference:arachnids,237; reference:bugtraq,950; reference:cve,2000-0097; classtype:web-application-activity; sid:1044; rev:8;) -alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS doctodep.btr access"; flow:to_server,established; uricontent:"doctodep.btr"; classtype:web-application-activity; sid:1726; rev:4;) -# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-IIS Unauthorized IP Access Attempt"; flow:to_server,established; content:"403"; content:"Forbidden|3A|"; classtype:web-application-attack; sid:1045; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS site/iisamples access"; flow:to_server,established; uricontent:"/site/iisamples"; nocase; reference:nessus,10370; classtype:web-application-activity; sid:1046; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS outlook web dos"; flow:to_server,established; uricontent:"/exchange/LogonFrm.asp?"; nocase; content:"mailbox="; nocase; content:"%%%"; reference:bugtraq,3223; classtype:web-application-attack; sid:1283; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /scripts/samples/ access"; flow:to_server,established; uricontent:"/scripts/samples/"; nocase; reference:nessus,10370; classtype:web-application-attack; sid:1400; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /msadc/samples/ access"; flow:to_server,established; uricontent:"/msadc/samples/"; nocase; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,1007; classtype:web-application-attack; sid:1401; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS iissamples access"; flow:to_server,established; uricontent:"/iissamples/"; nocase; reference:nessus,11032; classtype:web-application-attack; sid:1402; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"WEB-IIS iisadmin access"; flow:to_server,established; uricontent:"/iisadmin"; nocase; reference:bugtraq,189; reference:cve,1999-1538; reference:nessus,11032; classtype:web-application-attack; sid:993; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS msdac access"; flow:to_server,established; uricontent:"/msdac/"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1285; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS _mem_bin access"; flow:to_server,established; uricontent:"/_mem_bin/"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1286; rev:8;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS scripts access"; flow:to_server,established; uricontent:"/scripts/"; nocase; classtype:web-application-activity; sid:1287; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS htimage.exe access"; flow:to_server,established; uricontent:"/htimage.exe"; nocase; reference:bugtraq,1117; reference:bugtraq,964; reference:cve,2000-0122; reference:cve,2000-0256; reference:nessus,10376; classtype:web-application-activity; sid:1595; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MS Site Server default login attempt"; flow:to_server,established; uricontent:"/SiteServer/Admin/knowledge/persmbr/"; nocase; pcre:"/^Authorization|3A|\s*Basic\s+TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE=/smi"; reference:nessus,11018; classtype:web-application-attack; sid:1817; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MS Site Server admin attempt"; flow:to_server,established; uricontent:"/Site Server/Admin/knowledge/persmbr/"; nocase; reference:nessus,11018; classtype:web-application-attack; sid:1818; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS postinfo.asp access"; flow:to_server,established; uricontent:"/scripts/postinfo.asp"; 
nocase; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1075; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /exchange/root.asp attempt"; flow:to_server,established; uricontent:"/exchange/root.asp?acs=anon"; nocase; reference:bugtraq,3301; reference:cve,2001-0660; reference:nessus,10755; reference:nessus,10781; reference:url,www.microsoft.com/technet/security/bulletin/MS01-047.mspx; classtype:web-application-attack; sid:1567; rev:12;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /exchange/root.asp access"; flow:to_server,established; uricontent:"/exchange/root.asp"; nocase; reference:bugtraq,3301; reference:cve,2001-0660; reference:nessus,10755; reference:nessus,10781; classtype:web-application-activity; sid:1568; rev:11;) - -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .asa HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".asa"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:web-application-attack; sid:1802; rev:8;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cer HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".cer"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:web-application-attack; sid:1803; rev:9;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cdx HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".cdx"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; 
reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:web-application-attack; sid:1804; rev:9;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .asp HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".asp"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:web-application-attack; sid:1801; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|"; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; distance:1; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2090; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH / HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|"; within:255; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2091; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Battleaxe Forum login.asp access"; flow:to_server,established; uricontent:"myaccount/login.asp"; nocase; reference:bugtraq,7416; reference:cve,2003-0215; classtype:web-application-activity; sid:2117; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS nsiislog.dll access"; flow:to_server,established; uricontent:"/nsiislog.dll"; nocase; reference:bugtraq,8035; reference:cve,2003-0227; reference:cve,2003-0349; 
reference:nessus,11664; reference:url,www.microsoft.com/technet/security/bulletin/ms03-018.mspx; classtype:web-application-activity; sid:2129; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS IISProtect siteadmin.asp access"; flow:to_server,established; uricontent:"/iisprotect/admin/SiteAdmin.asp"; nocase; reference:bugtraq,7675; reference:cve,2003-0377; reference:nessus,11662; classtype:web-application-activity; sid:2130; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS IISProtect globaladmin.asp access"; flow:to_server,established; uricontent:"/iisprotect/admin/GlobalAdmin.asp"; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2157; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS IISProtect access"; flow:to_server,established; uricontent:"/iisprotect/admin/"; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2131; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Synchrologic Email Accelerator userid list access attempt"; flow:to_server,established; uricontent:"/en/admin/aggregate.asp"; nocase; reference:nessus,11657; classtype:web-application-activity; sid:2132; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MS BizTalk server access"; flow:to_server,established; uricontent:"/biztalkhttpreceive.dll"; nocase; reference:bugtraq,7469; reference:bugtraq,7470; reference:cve,2003-0117; reference:cve,2003-0118; reference:nessus,11638; reference:url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx; classtype:web-application-activity; sid:2133; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS register.asp access"; flow:to_server,established; uricontent:"/register.asp"; nocase; reference:nessus,11621; classtype:web-application-activity; sid:2134; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS 
UploadScript11.asp access"; flow:to_server,established; uricontent:"/UploadScript11.asp"; nocase; reference:cve,2001-0938; classtype:web-application-activity; sid:2247; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS DirectoryListing.asp access"; flow:to_server,established; uricontent:"/DirectoryListing.asp"; nocase; reference:cve,2001-0938; classtype:web-application-activity; sid:2248; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /pcadmin/login.asp access"; flow:to_server,established; uricontent:"/pcadmin/login.asp"; nocase; reference:bugtraq,8103; reference:nessus,11785; classtype:web-application-activity; sid:2249; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS foxweb.exe access"; flow:to_server,established; uricontent:"/foxweb.exe"; nocase; reference:nessus,11939; classtype:web-application-activity; sid:2321; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS foxweb.dll access"; flow:to_server,established; uricontent:"/foxweb.dll"; nocase; reference:nessus,11939; classtype:web-application-activity; sid:2322; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS VP-ASP shopsearch.asp access"; flow:to_server,established; uricontent:"/shopsearch.asp"; nocase; reference:bugtraq,9133; reference:bugtraq,9134; reference:nessus,11942; classtype:web-application-activity; sid:2324; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS VP-ASP ShopDisplayProducts.asp access"; flow:to_server,established; uricontent:"/ShopDisplayProducts.asp"; nocase; reference:bugtraq,9133; reference:bugtraq,9134; reference:nessus,11942; classtype:web-application-activity; sid:2325; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS sgdynamo.exe access"; flow:to_server,established; uricontent:"/sgdynamo.exe"; nocase; reference:bugtraq,4720; reference:cve,2002-0375; 
reference:nessus,11955; classtype:web-application-activity; sid:2326; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS NTLM ASN.1 vulnerability scan attempt"; flow:to_server,established; content:"Authorization|3A| Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:attempted-dos; sid:2386; rev:9;) - - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SmarterTools SmarterMail frmGetAttachment.aspx access"; flow:to_server,established; uricontent:"/frmGetAttachment.aspx"; nocase; reference:bugtraq,9805; classtype:web-application-activity; sid:2571; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt"; flow:to_server,established; uricontent:"/login.aspx"; nocase; content:"txtusername="; isdataat:980,relative; content:!"|0A|"; within:980; nocase; reference:bugtraq,9805; classtype:web-application-attack; sid:2572; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SmarterTools SmarterMail frmCompose.asp access"; flow:to_server,established; uricontent:"/frmCompose.aspx"; reference:bugtraq,9805; classtype:web-application-activity; sid:2573; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ping.asp access"; flow:to_server,established; uricontent:"/ping.asp"; nocase; reference:nessus,10968; classtype:web-application-activity; sid:2667; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS w3who.dll buffer overflow attempt"; flow:to_server,established; uricontent:"/w3who.dll?"; nocase; pcre:"/w3who.dll\x3F[^\r\n]{519}/i"; reference:bugtraq,11820; reference:cve,2004-1134; classtype:attempted-admin; sid:3087; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cmd executable file parsing attack"; flow:established,to_server; uricontent:".cmd|22|"; nocase; pcre:"/.cmd\x22.*\x26.*/smi"; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:3193; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .bat executable file parsing attack"; flow:established,to_server; uricontent:".bat|22|"; nocase; pcre:"/.bat\x22.*\x26.*/smi"; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:3194; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS httpodbc.dll access - nimda"; flow:to_server,established; uricontent:"/httpodbc.dll"; nocase; reference:bugtraq,2708; reference:cve,2001-0333; classtype:web-application-activity; sid:3201; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS SQLXML content type overflow"; flow:to_server,established; pcre:"/\.x[sm]l/Ui"; uricontent:"contenttype="; pcre:"/contenttype=[^\r\n\x3b\x38]{100}/smiU"; reference:bugtraq,5004; reference:cve,2002-0186; reference:url,www.microsoft.com/technet/security/bulletin/MS02-030.mspx; reference:url,www.westpoint.ltd.uk/advisories/wp-02-0007.txt; classtype:attempted-admin; sid:3150; rev:4;)
diff -Nru snort-2.8.5.2/rules/web-misc.rules snort-2.9.2/rules/web-misc.rules
--- snort-2.8.5.2/rules/web-misc.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/web-misc.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,446 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: web-misc.rules,v 1.118.2.8.2.6 2005/07/22 19:19:54 mwatchinski Exp $
-#---------------
-# WEB-MISC RULES
-#---------------
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv2 Client_Hello with pad Challenge Length overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; byte_test:2,<,768,4; flowbits:set,sslv2.client_hello.request; byte_test:2,>,32,10; classtype:attempted-admin; sid:2657; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv2 Client_Hello Challenge Length overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; byte_test:2,<,768,3; flowbits:set,sslv2.client_hello.request; 
byte_test:2,>,32,9; classtype:attempted-admin; sid:2656; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting attempt"; flow:to_server,established; content:"<SCRIPT>"; nocase; classtype:web-application-attack; sid:1497; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting HTML Image tag set to javascript attempt"; flow:to_server,established; content:"img src=javascript"; nocase; reference:bugtraq,4858; reference:cve,2002-0902; classtype:web-application-attack; sid:1667; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco IOS HTTP configuration attempt"; flow:to_server,established; uricontent:"/level/"; uricontent:"/exec/"; reference:bugtraq,2936; reference:cve,2001-0537; classtype:web-application-attack; sid:1250; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise DOS"; flow:to_server,established; content:"REVLOG / "; depth:9; reference:bugtraq,2294; reference:cve,2001-0251; classtype:web-application-attack; sid:1047; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise directory listing attempt"; flow:to_server,established; content:"INDEX "; depth:6; reference:bugtraq,2285; reference:cve,2001-0250; classtype:web-application-attack; sid:1048; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC iPlanet GETPROPERTIES attempt"; flow:to_server,established; content:"GETPROPERTIES"; depth:13; reference:bugtraq,2732; reference:cve,2001-0746; classtype:web-application-attack; sid:1050; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat view source attempt"; flow:to_server,established; uricontent:"%252ejsp"; reference:bugtraq,2527; reference:cve,2001-0590; classtype:web-application-attack; sid:1056; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC 
ftp attempt"; flow:to_server,established; content:"ftp.exe"; nocase; classtype:web-application-activity; sid:1057; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_enumdsn attempt"; flow:to_server,established; content:"xp_enumdsn"; nocase; classtype:web-application-attack; sid:1058; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_filelist attempt"; flow:to_server,established; content:"xp_filelist"; nocase; classtype:web-application-attack; sid:1059; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_availablemedia attempt"; flow:to_server,established; content:"xp_availablemedia"; nocase; classtype:web-application-attack; sid:1060; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell"; nocase; classtype:web-application-attack; sid:1061; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC nc.exe attempt"; flow:to_server,established; content:"nc.exe"; nocase; classtype:web-application-activity; sid:1062; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC wsh attempt"; flow:to_server,established; content:"wsh.exe"; nocase; classtype:web-application-activity; sid:1064; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC rcmd attempt"; flow:to_server,established; uricontent:"rcmd.exe"; nocase; classtype:web-application-activity; sid:1065; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC telnet attempt"; flow:to_server,established; content:"telnet.exe"; nocase; classtype:web-application-activity; sid:1066; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC net attempt"; flow:to_server,established; content:"net.exe"; nocase; classtype:web-application-activity; sid:1067; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"WEB-MISC tftp attempt"; flow:to_server,established; content:"tftp.exe"; nocase; classtype:web-application-activity; sid:1068; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_regread attempt"; flow:to_server,established; content:"xp_regread"; nocase; classtype:web-application-activity; sid:1069; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_regwrite attempt"; flow:to_server,established; content:"xp_regwrite"; nocase; classtype:web-application-activity; sid:1977; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_regdeletekey attempt"; flow:to_server,established; content:"xp_regdeletekey"; nocase; classtype:web-application-activity; sid:1978; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WebDAV search access"; flow:to_server,established; content:"SEARCH "; depth:8; nocase; reference:arachnids,474; reference:bugtraq,1756; reference:cve,2000-0951; classtype:web-application-activity; sid:1070; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .htpasswd access"; flow:to_server,established; content:".htpasswd"; nocase; classtype:web-application-attack; sid:1071; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Lotus Domino directory traversal"; flow:to_server,established; uricontent:".nsf/"; uricontent:"../"; nocase; reference:bugtraq,2173; reference:cve,2001-0009; reference:nessus,12248; classtype:web-application-attack; sid:1072; rev:11;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webhits.exe access"; flow:to_server,established; uricontent:"/scripts/samples/search/webhits.exe"; nocase; reference:bugtraq,950; reference:cve,2000-0097; classtype:web-application-activity; sid:1073; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC queryhit.htm access"; flow:to_server,established; 
uricontent:"/samples/search/queryhit.htm"; nocase; reference:nessus,10370; classtype:web-application-activity; sid:1077; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC counter.exe access"; flow:to_server,established; uricontent:"/counter.exe"; nocase; reference:bugtraq,267; reference:cve,1999-1030; classtype:web-application-activity; sid:1078; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WebDAV propfind access"; flow:to_server,established; content:"propfind"; nocase; pcre:"/<a\x3a\s*propfind.*?xmlns\x3a\s*a=[\x21\x22]?DAV[\x21\x22]?>/iR"; reference:bugtraq,1656; reference:cve,2000-0869; classtype:web-application-activity; sid:1079; rev:13;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC unify eWave ServletExec upload"; flow:to_server,established; uricontent:"/servlet/com.unify.servletexec.UploadServlet"; nocase; reference:bugtraq,1868; reference:bugtraq,1876; reference:cve,2000-1024; reference:cve,2000-1025; reference:nessus,10570; classtype:web-application-attack; sid:1080; rev:15;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Servers suite DOS"; flow:to_server,established; uricontent:"/dsgw/bin/search?context="; nocase; reference:bugtraq,1868; reference:cve,2000-1025; classtype:web-application-attack; sid:1081; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC amazon 1-click cookie theft"; flow:to_server,established; content:"ref%3Cscript%20language%3D%22Javascript"; nocase; reference:bugtraq,1194; reference:cve,2000-0439; classtype:web-application-attack; sid:1082; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC unify eWave ServletExec DOS"; flow:to_server,established; uricontent:"/servlet/ServletExec"; reference:bugtraq,1868; reference:cve,2000-1025; classtype:web-application-activity; sid:1083; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-MISC Allaire JRUN DOS attempt"; flow:to_server,established; uricontent:"servlet/......."; nocase; reference:bugtraq,2337; reference:cve,2000-1049; classtype:web-application-attack; sid:1084; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ICQ Webfront HTTP DOS"; flow:to_server,established; uricontent:"??????????"; reference:bugtraq,1463; reference:cve,2000-1078; classtype:web-application-attack; sid:1091; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Talentsoft Web+ Source Code view access"; flow:to_server,established; uricontent:"/webplus.exe?script=test.wml"; reference:bugtraq,1722; reference:url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html; classtype:web-application-attack; sid:1095; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Talentsoft Web+ internal IP Address access"; flow:to_server,established; uricontent:"/webplus.exe?about"; reference:bugtraq,1720; reference:url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html; classtype:web-application-activity; sid:1096; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SmartWin CyberOffice Shopping Cart access"; flow:to_server,established; uricontent:"_private/shopping_cart.mdb"; reference:bugtraq,1734; reference:cve,2000-0925; classtype:web-application-attack; sid:1098; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cybercop scan"; flow:to_server,established; uricontent:"/cybercop"; nocase; reference:arachnids,374; classtype:web-application-activity; sid:1099; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC L3retriever HTTP Probe"; flow:to_server,established; content:"User-Agent|3A| Java1.2.1|0D 0A|"; reference:arachnids,310; classtype:web-application-activity; sid:1100; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Webtrends HTTP probe"; 
flow:to_server,established; content:"User-Agent|3A| Webtrends Security Analyzer|0D 0A|"; reference:arachnids,309; classtype:web-application-activity; sid:1101; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC nessus 1.X 404 probe"; flow:to_server,established; uricontent:"/nessus_is_probing_you_"; depth:32; reference:arachnids,301; classtype:web-application-attack; sid:1102; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC nessus 2.x 404 probe"; flow:to_server,established; uricontent:"/NessusTest"; nocase; reference:nessus,10386; classtype:attempted-recon; sid:2585; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape admin passwd"; flow:to_server,established; uricontent:"/admin-serv/config/admpw"; nocase; reference:bugtraq,1579; reference:nessus,10468; classtype:web-application-attack; sid:1103; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC BigBrother access"; flow:to_server,established; uricontent:"/bb-hostsvc.sh?HOSTSVC"; nocase; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:attempted-recon; sid:1105; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ftp.pl attempt"; flow:to_server,established; uricontent:"/ftp.pl?dir=../.."; nocase; reference:bugtraq,1471; reference:cve,2000-0674; reference:nessus,10467; classtype:web-application-attack; sid:1612; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ftp.pl access"; flow:to_server,established; uricontent:"/ftp.pl"; nocase; reference:bugtraq,1471; reference:cve,2000-0674; reference:nessus,10467; classtype:web-application-activity; sid:1107; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat server snoop access"; flow:to_server,established; uricontent:"/jsp/snp/"; uricontent:".snp"; reference:bugtraq,1532; reference:cve,2000-0760; 
classtype:attempted-recon; sid:1108; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ROXEN directory list attempt"; flow:to_server,established; uricontent:"/%00"; reference:bugtraq,1510; reference:cve,2000-0671; classtype:attempted-recon; sid:1109; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache source.asp file access"; flow:to_server,established; uricontent:"/site/eg/source.asp"; nocase; reference:bugtraq,1457; reference:cve,2000-0628; reference:nessus,10480; classtype:attempted-recon; sid:1110; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat server exploit access"; flow:to_server,established; uricontent:"/contextAdmin/contextAdmin.html"; nocase; reference:bugtraq,1548; reference:cve,2000-0672; reference:nessus,10477; classtype:attempted-recon; sid:1111; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content:"..|5C|"; reference:arachnids,298; classtype:attempted-recon; sid:1112; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ICQ webserver DOS"; flow:to_server,established; uricontent:".html/......"; nocase; reference:cve,1999-0474; reference:url,www.securiteam.com/exploits/2ZUQ1QAQOG.html; classtype:attempted-dos; sid:1115; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Lotus DelDoc attempt"; flow:to_server,established; uricontent:"?DeleteDocument"; nocase; classtype:attempted-recon; sid:1116; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Lotus EditDoc attempt"; flow:to_server,established; uricontent:"?EditDocument"; nocase; reference:url,www.securiteam.com/exploits/5NP080A1RE.html; classtype:attempted-recon; sid:1117; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ls%20-l"; flow:to_server,established; content:"ls%20-l"; nocase; 
classtype:attempted-recon; sid:1118; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mlog.phtml access"; flow:to_server,established; uricontent:"/mlog.phtml"; nocase; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1119; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mylog.phtml access"; flow:to_server,established; uricontent:"/mylog.phtml"; nocase; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1120; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /etc/passwd"; flow:to_server,established; content:"/etc/passwd"; nocase; classtype:attempted-recon; sid:1122; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ?PageServices access"; flow:to_server,established; uricontent:"?PageServices"; nocase; reference:bugtraq,1063; reference:bugtraq,7621; reference:cve,1999-0269; classtype:attempted-recon; sid:1123; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Ecommerce check.txt access"; flow:to_server,established; uricontent:"/config/check.txt"; nocase; classtype:attempted-recon; sid:1124; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webcart access"; flow:to_server,established; uricontent:"/webcart/"; nocase; reference:cve,1999-0610; reference:nessus,10298; classtype:attempted-recon; sid:1125; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC AuthChangeUrl access"; flow:to_server,established; uricontent:"_AuthChangeUrl?"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:attempted-recon; sid:1126; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC convert.bas access"; flow:to_server,established; uricontent:"/scripts/convert.bas"; nocase; reference:bugtraq,2025; reference:cve,1999-0175; 
classtype:attempted-recon; sid:1127; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cpshost.dll access"; flow:to_server,established; uricontent:"/scripts/cpshost.dll"; nocase; reference:bugtraq,1811; reference:bugtraq,4002; reference:cve,1999-0360; classtype:attempted-recon; sid:1128; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .htaccess access"; flow:to_server,established; uricontent:".htaccess"; nocase; classtype:attempted-recon; sid:1129; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .wwwacl access"; flow:to_server,established; uricontent:".wwwacl"; nocase; classtype:attempted-recon; sid:1130; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .wwwacl access"; flow:to_server,established; uricontent:".www_acl"; nocase; classtype:attempted-recon; sid:1131; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cd.."; flow:to_server,established; content:"cd.."; nocase; classtype:attempted-recon; sid:1136; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC guestbook.pl access"; flow:to_server,established; uricontent:"/guestbook.pl"; nocase; reference:arachnids,228; reference:bugtraq,776; reference:cve,1999-0237; reference:cve,1999-1053; reference:nessus,10099; classtype:attempted-recon; sid:1140; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC handler attempt"; flow:to_server,established; uricontent:"/handler"; uricontent:"|7C|"; nocase; reference:arachnids,235; reference:bugtraq,380; reference:cve,1999-0148; reference:nessus,10100; classtype:web-application-attack; sid:1613; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC handler access"; flow:to_server,established; uricontent:"/handler"; nocase; reference:arachnids,235; reference:bugtraq,380; reference:cve,1999-0148; reference:nessus,10100; 
classtype:web-application-activity; sid:1141; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /.... access"; flow:to_server,established; content:"/...."; classtype:attempted-recon; sid:1142; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ///cgi-bin access"; flow:to_server,established; uricontent:"///cgi-bin"; nocase; reference:nessus,11032; classtype:attempted-recon; sid:1143; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /cgi-bin/// access"; flow:to_server,established; uricontent:"/cgi-bin///"; nocase; reference:nessus,11032; classtype:attempted-recon; sid:1144; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /~root access"; flow:to_server,established; uricontent:"/~root"; nocase; classtype:attempted-recon; sid:1145; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /~ftp access"; flow:to_server,established; uricontent:"/~ftp"; nocase; classtype:attempted-recon; sid:1662; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Ecommerce import.txt access"; flow:to_server,established; uricontent:"/config/import.txt"; nocase; classtype:attempted-recon; sid:1146; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cat%20 access"; flow:to_server,established; content:"cat%20"; nocase; reference:bugtraq,374; reference:cve,1999-0039; classtype:attempted-recon; sid:1147; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Ecommerce import.txt access"; flow:to_server,established; uricontent:"/orders/import.txt"; nocase; classtype:attempted-recon; sid:1148; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino catalog.nsf access"; flow:to_server,established; uricontent:"/catalog.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1150; rev:8;) -alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino domcfg.nsf access"; flow:to_server,established; uricontent:"/domcfg.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1151; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino domlog.nsf access"; flow:to_server,established; uricontent:"/domlog.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1152; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino log.nsf access"; flow:to_server,established; uricontent:"/log.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1153; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino names.nsf access"; flow:to_server,established; uricontent:"/names.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1154; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino mab.nsf access"; flow:to_server,established; uricontent:"/mab.nsf"; nocase; reference:bugtraq,4022; reference:nessus,10953; classtype:attempted-recon; sid:1575; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino cersvr.nsf access"; flow:to_server,established; uricontent:"/cersvr.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1576; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino setup.nsf access"; flow:to_server,established; uricontent:"/setup.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1577; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino statrep.nsf access"; flow:to_server,established; uricontent:"/statrep.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1578; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino webadmin.nsf access"; flow:to_server,established; uricontent:"/webadmin.nsf"; nocase; 
reference:bugtraq,9900; reference:bugtraq,9901; reference:nessus,10629; classtype:attempted-recon; sid:1579; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino events4.nsf access"; flow:to_server,established; uricontent:"/events4.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1580; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino ntsync4.nsf access"; flow:to_server,established; uricontent:"/ntsync4.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1581; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino collect4.nsf access"; flow:to_server,established; uricontent:"/collect4.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1582; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino mailw46.nsf access"; flow:to_server,established; uricontent:"/mailw46.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1583; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino bookmark.nsf access"; flow:to_server,established; uricontent:"/bookmark.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1584; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino agentrunner.nsf access"; flow:to_server,established; uricontent:"/agentrunner.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1585; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino mail.box access"; flow:to_server,established; uricontent:"/mail.box"; nocase; reference:bugtraq,881; reference:nessus,10629; classtype:attempted-recon; sid:1586; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Ecommerce checks.txt access"; flow:to_server,established; uricontent:"/orders/checks.txt"; nocase; reference:bugtraq,2281; classtype:attempted-recon; 
sid:1155; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache directory disclosure attempt"; flow:to_server,established; content:"////////"; reference:bugtraq,2503; classtype:attempted-dos; sid:1156; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape PublishingXpert access"; flow:to_server,established; uricontent:"/PSUser/PSCOErrPage.htm"; nocase; reference:cve,2000-1196; reference:nessus,10364; classtype:web-application-activity; sid:1157; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC windmail.exe access"; flow:to_server,established; uricontent:"/windmail.exe"; nocase; reference:arachnids,465; reference:bugtraq,1073; reference:cve,2000-0242; reference:nessus,10365; classtype:attempted-recon; sid:1158; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webplus access"; flow:to_server,established; uricontent:"/webplus?script"; nocase; reference:bugtraq,1174; reference:bugtraq,1720; reference:bugtraq,1722; reference:bugtraq,1725; reference:cve,2000-1005; classtype:attempted-recon; sid:1159; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape dir index wp"; flow:to_server,established; uricontent:"?wp-"; nocase; reference:arachnids,270; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1160; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cart 32 AdminPwd access"; flow:to_server,established; uricontent:"/c32web.exe/ChangeAdminPassword"; nocase; reference:bugtraq,1153; reference:cve,2000-0429; classtype:attempted-recon; sid:1162; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC shopping cart access"; flow:to_server,established; uricontent:"/quikstore.cfg"; nocase; reference:bugtraq,1983; reference:bugtraq,2049; reference:cve,1999-0607; reference:cve,2000-1188; classtype:attempted-recon; sid:1164; 
rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Novell Groupwise gwweb.exe attempt"; flow:to_server,established; uricontent:"/GWWEB.EXE?HELP="; nocase; reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006; reference:nessus,10877; classtype:attempted-recon; sid:1614; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Novell Groupwise gwweb.exe access"; flow:to_server,established; content:"/GWWEB.EXE"; nocase; reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006; reference:nessus,10877; classtype:attempted-recon; sid:1165; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ws_ftp.ini access"; flow:to_server,established; uricontent:"/ws_ftp.ini"; nocase; reference:bugtraq,547; reference:cve,1999-1078; classtype:attempted-recon; sid:1166; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC rpm_query access"; flow:to_server,established; uricontent:"/rpm_query"; nocase; reference:bugtraq,1036; reference:cve,2000-0192; reference:nessus,10340; classtype:attempted-recon; sid:1167; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mall log order access"; flow:to_server,established; uricontent:"/mall_log_files/order.log"; nocase; reference:bugtraq,2266; reference:cve,1999-0606; classtype:attempted-recon; sid:1168; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC architext_query.pl access"; flow:to_server,established; uricontent:"/ews/architext_query.pl"; nocase; reference:bugtraq,2248; reference:cve,1999-0279; reference:nessus,10064; reference:url,www2.fedcirc.gov/alerts/advisories/1998/txt/fedcirc.98.03.txt; classtype:attempted-recon; sid:1173; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC wwwboard.pl access"; flow:to_server,established; uricontent:"/wwwboard.pl"; nocase; reference:bugtraq,1795; reference:bugtraq,649; 
reference:cve,1999-0930; reference:cve,1999-0954; classtype:attempted-recon; sid:1175; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-verify-link"; nocase; reference:bugtraq,1063; classtype:attempted-recon; sid:1177; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC get32.exe access"; flow:to_server,established; uricontent:"/get32.exe"; nocase; reference:arachnids,258; reference:bugtraq,1485; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10011; classtype:attempted-recon; sid:1180; rev:13;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Annex Terminal DOS attempt"; flow:to_server,established; uricontent:"/ping?query="; reference:arachnids,260; reference:cve,1999-1070; reference:nessus,10017; classtype:attempted-dos; sid:1181; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cgitest.exe attempt"; flow:to_server,established; uricontent:"/cgitest.exe|0D 0A|user"; nocase; reference:arachnids,265; reference:bugtraq,1313; reference:bugtraq,3885; reference:cve,2000-0521; reference:cve,2002-0128; reference:nessus,10040; reference:nessus,10623; classtype:web-application-attack; sid:1182; rev:17;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cgitest.exe access"; flow:to_server,established; uricontent:"/cgitest.exe"; nocase; reference:arachnids,265; reference:bugtraq,1313; reference:bugtraq,3885; reference:cve,2000-0521; reference:cve,2002-0128; reference:nessus,10040; reference:nessus,10623; reference:nessus,11131; classtype:web-application-activity; sid:1587; rev:13;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-cs-dump"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; reference:nessus,10352; 
classtype:attempted-recon; sid:1183; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-ver-info"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1184; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-ver-diff"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1186; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SalesLogix Eviewer web command attempt"; flow:to_server,established; uricontent:"/slxweb.dll/admin?command="; nocase; reference:bugtraq,1078; reference:bugtraq,1089; reference:cve,2000-0278; reference:cve,2000-0289; classtype:web-application-attack; sid:1187; rev:12;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SalesLogix Eviewer access"; flow:to_server,established; uricontent:"/slxweb.dll"; nocase; reference:bugtraq,1078; reference:bugtraq,1089; reference:cve,2000-0278; reference:cve,2000-0289; classtype:web-application-activity; sid:1588; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-start-ver"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1188; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-stop-ver"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1189; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-uncheckout"; nocase; 
reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1190; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-html-rend"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1191; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Trend Micro OfficeScan attempt"; flow:to_server,established; uricontent:"/officescan/cgi/jdkRqNotify.exe?"; nocase; uricontent:"domain="; nocase; uricontent:"event="; nocase; reference:bugtraq,1057; classtype:attempted-recon; sid:1381; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Trend Micro OfficeScan access"; flow:to_server,established; uricontent:"/officescan/cgi/jdkRqNotify.exe"; nocase; reference:bugtraq,1057; classtype:attempted-recon; sid:1192; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC oracle web arbitrary command execution attempt"; flow:to_server,established; uricontent:"/ows-bin/"; nocase; uricontent:"?&"; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-attack; sid:1193; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC oracle web application server access"; flow:to_server,established; uricontent:"/ows-bin/"; nocase; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-activity; sid:1880; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-usr-prop"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:web-application-attack; sid:1198; rev:8;) - - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC search.vts access"; flow:to_server,established; uricontent:"/search.vts"; 
reference:bugtraq,162; classtype:attempted-recon; sid:1202; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC htgrep attempt"; flow:to_server,established; uricontent:"/htgrep"; content:"hdr=/"; reference:cve,2000-0832; classtype:web-application-attack; sid:1615; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC htgrep access"; flow:to_server,established; uricontent:"/htgrep"; reference:cve,2000-0832; classtype:web-application-activity; sid:1207; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .nsconfig access"; flow:to_server,established; uricontent:"/.nsconfig"; reference:url,www.osvdb.org/5709; classtype:attempted-recon; sid:1209; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Admin_files access"; flow:to_server,established; uricontent:"/admin_files"; nocase; classtype:attempted-recon; sid:1212; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC backup access"; flow:to_server,established; uricontent:"/backup"; nocase; classtype:attempted-recon; sid:1213; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC intranet access"; flow:to_server,established; uricontent:"/intranet/"; nocase; reference:nessus,11626; classtype:attempted-recon; sid:1214; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC filemail access"; flow:to_server,established; uricontent:"/filemail"; nocase; reference:cve,1999-1154; reference:cve,1999-1155; reference:url,www.securityfocus.com/archive/1/11175; classtype:attempted-recon; sid:1216; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC plusmail access"; flow:to_server,established; uricontent:"/plusmail"; nocase; reference:bugtraq,2653; reference:cve,2000-0074; reference:nessus,10181; classtype:attempted-recon; sid:1217; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-MISC adminlogin access"; flow:to_server,established; uricontent:"/adminlogin"; nocase; reference:bugtraq,1164; reference:bugtraq,1175; reference:nessus,11748; classtype:attempted-recon; sid:1218; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ultraboard access"; flow:to_server,established; uricontent:"/ultraboard"; nocase; reference:bugtraq,1164; reference:bugtraq,1175; reference:nessus,11748; classtype:attempted-recon; sid:1220; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC musicat empower attempt"; flow:to_server,established; uricontent:"/empower?DB="; nocase; reference:bugtraq,2374; reference:cve,2001-0224; reference:nessus,10609; classtype:web-application-attack; sid:1589; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC musicat empower access"; flow:to_server,established; uricontent:"/empower"; nocase; reference:bugtraq,2374; reference:cve,2001-0224; reference:nessus,10609; classtype:web-application-activity; sid:1221; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ROADS search.pl attempt"; flow:to_server,established; uricontent:"/ROADS/cgi-bin/search.pl"; content:"form="; nocase; reference:bugtraq,2371; reference:cve,2001-0215; reference:nessus,10627; classtype:attempted-recon; sid:1224; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VirusWall FtpSave access"; flow:to_server,established; uricontent:"/FtpSave.dll"; nocase; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1230; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VirusWall FtpSaveCSP access"; flow:to_server,established; uricontent:"/FtpSaveCSP.dll"; nocase; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1234; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-MISC VirusWall FtpSaveCVP access"; flow:to_server,established; uricontent:"/FtpSaveCVP.dll"; nocase; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1235; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC weblogic/tomcat .jsp view source attempt"; flow:to_server,established; uricontent:".jsp"; nocase; pcre:!"/^\w+\s+[^\n\s\?]*\.jsp/smi"; reference:bugtraq,2527; classtype:web-application-attack; sid:1054; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SWEditServlet directory traversal attempt"; flow:to_server,established; uricontent:"/SWEditServlet"; content:"template=../../../"; reference:bugtraq,2868; reference:cve,2001-0555; classtype:attempted-user; sid:1241; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SWEditServlet access"; flow:to_server,established; uricontent:"/SWEditServlet"; reference:bugtraq,2868; classtype:attempted-recon; sid:1259; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC whisker HEAD/./"; flow:to_server,established; content:"HEAD/./"; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1139; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC HP OpenView Manager DOS"; flow:to_server,established; uricontent:"/OvCgi/OpenView5.exe?Context=Snmp&Action=Snmp&Host=&Oid="; nocase; reference:bugtraq,2845; reference:cve,2001-0552; classtype:misc-activity; sid:1258; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC long basic authorization string"; flow:to_server,established; content:"Authorization|3A|"; pcre:"/^Authorization\x3a\s*Basic\s[^\n]{512}/smi"; reference:bugtraq,3230; reference:cve,2001-1067; classtype:attempted-dos; sid:1260; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sml3com access"; 
flow:to_server,established; uricontent:"/graphics/sml3com"; reference:bugtraq,2721; reference:cve,2001-0740; classtype:web-application-activity; sid:1291; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC carbo.dll access"; flow:to_server,established; uricontent:"/carbo.dll"; content:"icatcommand="; nocase; reference:bugtraq,2126; reference:cve,1999-1069; classtype:attempted-recon; sid:1001; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC console.exe access"; flow:to_server,established; uricontent:"/cgi-bin/console.exe"; nocase; reference:bugtraq,3375; reference:cve,2001-1252; classtype:attempted-recon; sid:1302; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cs.exe access"; flow:to_server,established; uricontent:"/cgi-bin/cs.exe"; nocase; reference:bugtraq,3375; reference:cve,2001-1252; classtype:attempted-recon; sid:1303; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content:"../"; reference:arachnids,297; classtype:attempted-recon; sid:1113; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sadmind worm access"; flow:to_server,established; content:"GET x HTTP/1.0"; depth:15; reference:url,www.cert.org/advisories/CA-2001-11.html; classtype:attempted-recon; sid:1375; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC jrun directory browse attempt"; flow:to_server,established; uricontent:"/?.jsp"; reference:bugtraq,3592; classtype:web-application-attack; sid:1376; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mod-plsql administration access"; flow:to_server,established; uricontent:"/admin_/"; reference:bugtraq,3726; reference:bugtraq,3727; reference:cve,2001-1216; reference:cve,2001-1217; reference:nessus,10849; classtype:web-application-activity; sid:1385; rev:11;) -# alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC viewcode.jse access"; flow:to_server,established; uricontent:"/viewcode.jse"; reference:bugtraq,3715; classtype:web-application-activity; sid:1389; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Phorecast remote code execution attempt"; flow:to_server,established; content:"includedir="; reference:bugtraq,3388; reference:cve,2001-1049; classtype:web-application-attack; sid:1391; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC viewcode access"; flow:to_server,established; uricontent:"/viewcode"; reference:cve,1999-0737; reference:nessus,10576; reference:nessus,12048; classtype:web-application-attack; sid:1403; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC showcode access"; flow:to_server,established; uricontent:"/showcode"; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,10007; classtype:web-application-attack; sid:1404; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .history access"; flow:to_server,established; uricontent:"/.history"; classtype:web-application-attack; sid:1433; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .bash_history access"; flow:to_server,established; uricontent:"/.bash_history"; reference:bugtraq,337; reference:cve,1999-0408; classtype:web-application-attack; sid:1434; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /~nobody access"; flow:to_server,established; uricontent:"/~nobody"; reference:nessus,10484; classtype:web-application-attack; sid:1489; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC RBS ISP /newuser directory traversal attempt"; flow:to_server,established; uricontent:"/newuser?Image=../.."; reference:bugtraq,1704; reference:cve,2000-1036; reference:nessus,10521; classtype:web-application-attack; sid:1492; rev:10;) 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC RBS ISP /newuser access"; flow:to_server,established; uricontent:"/newuser"; reference:bugtraq,1704; reference:cve,2000-1036; reference:nessus,10521; classtype:web-application-activity; sid:1493; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC *%0a.pl access"; flow:to_server,established; uricontent:"/*|0A|.pl"; nocase; reference:nessus,11007; reference:url,www.securityfocus.com/archive/1/149482; classtype:web-application-attack; sid:1663; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mkplog.exe access"; flow:to_server,established; uricontent:"/mkplog.exe"; nocase; classtype:web-application-activity; sid:1664; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC PCCS mysql database admin tool access"; flow:to_server,established; content:"pccsmysqladm/incs/dbconnect.inc"; depth:36; nocase; reference:arachnids,300; reference:bugtraq,1557; reference:cve,2000-0707; reference:nessus,10783; classtype:web-application-attack; sid:509; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .DS_Store access"; flow:to_server,established; uricontent:"/.DS_Store"; reference:url,www.macintouch.com/mosxreaderreports46.html; classtype:web-application-activity; sid:1769; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .FBCIndex access"; flow:to_server,established; uricontent:"/.FBCIndex"; reference:url,www.securiteam.com/securitynews/5LP0O005FS.html; classtype:web-application-activity; sid:1770; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ExAir access"; flow:to_server,established; uricontent:"/exair/search/"; reference:bugtraq,193; reference:cve,1999-0449; reference:nessus,10002; reference:nessus,10003; reference:nessus,10004; classtype:web-application-activity; sid:1500; rev:10;) -alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache ?M=D directory list attempt"; flow:to_server,established; uricontent:"/?M=D"; reference:bugtraq,3009; reference:cve,2001-0731; classtype:web-application-activity; sid:1519; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC server-info access"; flow:to_server,established; uricontent:"/server-info"; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1520; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC server-status access"; flow:to_server,established; uricontent:"/server-status"; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1521; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ans.pl attempt"; flow:to_server,established; uricontent:"/ans.pl?p=../../"; reference:bugtraq,4147; reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-attack; sid:1522; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ans.pl access"; flow:to_server,established; uricontent:"/ans.pl"; reference:bugtraq,4147; reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-activity; sid:1523; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC AxisStorpoint CD attempt"; flow:to_server,established; uricontent:"/cd/../config/html/cnf_gi.htm"; reference:bugtraq,1025; reference:cve,2000-0191; reference:nessus,10023; classtype:web-application-attack; sid:1524; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Axis Storpoint CD access"; flow:to_server,established; uricontent:"/config/html/cnf_gi.htm"; reference:bugtraq,1025; reference:cve,2000-0191; reference:nessus,10023; classtype:web-application-activity; sid:1525; rev:9;) -alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC basilix sendmail.inc access"; flow:to_server,established; uricontent:"/inc/sendmail.inc"; reference:bugtraq,2198; reference:cve,2001-1044; reference:nessus,10601; classtype:web-application-activity; sid:1526; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC basilix mysql.class access"; flow:to_server,established; uricontent:"/class/mysql.class"; reference:bugtraq,2198; reference:cve,2001-1044; reference:nessus,10601; classtype:web-application-activity; sid:1527; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC BBoard access"; flow:to_server,established; uricontent:"/servlet/sunexamples.BBoardServlet"; reference:bugtraq,1459; reference:cve,2000-0629; reference:nessus,10507; classtype:web-application-activity; sid:1528; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco Catalyst command execution attempt"; flow:to_server,established; uricontent:"/exec/show/config/cr"; nocase; reference:bugtraq,1846; reference:cve,2000-0945; reference:nessus,10545; classtype:web-application-activity; sid:1544; rev:7;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco /%% DOS attempt"; flow:to_server,established; uricontent:"/%%"; reference:bugtraq,1154; reference:cve,2000-0380; classtype:web-application-attack; sid:1546; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /CVS/Entries access"; flow:to_server,established; uricontent:"/CVS/Entries"; reference:nessus,10922; reference:nessus,11032; classtype:web-application-activity; sid:1551; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cvsweb version access"; flow:to_server,established; uricontent:"/cvsweb/version"; reference:cve,2000-0670; classtype:web-application-activity; sid:1552; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /doc/packages 
access"; flow:to_server,established; uricontent:"/doc/packages"; nocase; reference:bugtraq,1707; reference:cve,2000-1016; reference:nessus,10518; reference:nessus,11032; classtype:web-application-activity; sid:1559; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /doc/ access"; flow:to_server,established; uricontent:"/doc/"; nocase; reference:bugtraq,318; reference:cve,1999-0678; classtype:web-application-activity; sid:1560; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC login.htm attempt"; flow:to_server,established; uricontent:"/login.htm?password="; nocase; reference:bugtraq,665; reference:cve,1999-1533; classtype:web-application-activity; sid:1563; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC login.htm access"; flow:to_server,established; uricontent:"/login.htm"; nocase; reference:bugtraq,665; reference:cve,1999-1533; classtype:web-application-activity; sid:1564; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC DELETE attempt"; flow:to_server,established; content:"DELETE "; depth:7; nocase; reference:nessus,10498; classtype:web-application-activity; sid:1603; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /home/ftp access"; flow:to_server,established; uricontent:"/home/ftp"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1670; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /home/www access"; flow:to_server,established; uricontent:"/home/www"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1671; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC global.inc access"; flow:to_server,established; uricontent:"/global.inc"; nocase; reference:bugtraq,4612; reference:cve,2002-0614; classtype:web-application-attack; sid:1738; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-MISC SecureSite authentication bypass attempt"; flow:to_server,established; content:"secure_site, ok"; nocase; reference:bugtraq,4621; classtype:web-application-attack; sid:1744; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC b2 arbitrary command execution attempt"; flow:to_server,established; uricontent:"/b2/b2-include/"; content:"b2inc"; content:"http|3A|//"; reference:bugtraq,4673; reference:cve,2002-0734; reference:cve,2002-1466; reference:nessus,11667; classtype:web-application-attack; sid:1757; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC search.dll directory listing attempt"; flow:to_server,established; uricontent:"/search.dll"; content:"query=%00"; reference:bugtraq,1684; reference:cve,2000-0835; reference:nessus,10514; classtype:web-application-attack; sid:1766; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC search.dll access"; flow:to_server,established; uricontent:"/search.dll"; reference:bugtraq,1684; reference:cve,2000-0835; reference:nessus,10514; classtype:web-application-activity; sid:1767; rev:6;) - - -# The following signatures are for non-standard ports. 
When ports lists work,
-# then these will be converted to use HTTP_PORTS & HTTP_SERVERS
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8181 (msg:"WEB-MISC PIX firewall manager directory traversal attempt"; flow:to_server,established; content:"/../../"; reference:bugtraq,691; reference:cve,1999-0158; reference:nessus,10819; classtype:web-application-attack; sid:1498; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 4080 (msg:"WEB-MISC iChat directory traversal attempt"; flow:to_server,established; content:"/../../"; reference:cve,1999-0897; classtype:web-application-activity; sid:1604; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-MISC Delegate whois overflow attempt"; flow:to_server,established; content:"whois|3A|//"; nocase; reference:cve,2000-0165; classtype:web-application-activity; sid:1558; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"WEB-MISC nstelemetry.adp access"; flow:to_server,established; content:"/nstelemetry.adp"; reference:nessus,10753; classtype:web-application-activity; sid:1518; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"WEB-MISC Netscape Unixware overflow"; flow:to_server,established; content:"|EB|_|9A FF FF FF FF 07 FF C3|^1|C0 89|F|9D|"; reference:arachnids,180; reference:bugtraq,908; reference:cve,1999-0744; classtype:attempted-recon; sid:1132; rev:8;)
-
-# uricontent would be nice, but we can't be sure we are running http decoding
-# on 2301. oh for rna integration...
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"WEB-MISC Compaq Insight directory traversal"; flow:to_server,established; content:"../"; reference:arachnids,244; reference:bugtraq,282; reference:cve,1999-0771; classtype:web-application-attack; sid:1199; rev:11;)
-
-
-# when we get real ports list, we will merge these sigs. so for now, keep the
-# message the same. 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VirusWall catinfo access"; flow:to_server,established; uricontent:"/catinfo"; nocase; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1231; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1812 (msg:"WEB-MISC VirusWall catinfo access"; flow:to_server,established; content:"/catinfo"; nocase; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1232; rev:8;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"CCCCCCC|3A| AAAAAAAAAAAAAAAAAAA"; nocase; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; classtype:web-application-attack; sid:1809; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Chunked-Encoding transfer attempt"; flow:to_server,established; content:"Transfer-Encoding|3A|"; nocase; content:"chunked"; distance:0; nocase; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; classtype:web-application-attack; sid:1807; rev:10;)
-
-
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC CISCO VoIP DOS ATTEMPT"; flow:to_server,established; uricontent:"/StreamingStatistics"; reference:bugtraq,4794; reference:cve,2002-0882; reference:nessus,11013; classtype:misc-attack; sid:1814; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC IBM Net.Commerce orderdspc.d2w access"; flow:established,to_server; uricontent:"/ncommerce3/ExecMacro/orderdspc.d2w"; reference:bugtraq,2350; reference:cve,2001-0319; reference:nessus,11020; classtype:web-application-activity; sid:1820; rev:7;) 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WEB-INF access"; flow:established,to_server; uricontent:"/WEB-INF"; nocase; reference:bugtraq,1830; reference:bugtraq,5119; reference:cve,2000-1050; reference:cve,2001-0179; reference:nessus,11037; classtype:web-application-activity; sid:1826; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat servlet mapping cross site scripting attempt"; flow:established,to_server; uricontent:"/servlet/"; uricontent:"/org.apache."; reference:bugtraq,5193; reference:cve,2002-0682; reference:nessus,11041; classtype:web-application-attack; sid:1827; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC iPlanet Search directory traversal attempt"; flow:established,to_server; uricontent:"/search"; content:"NS-query-pat="; content:"../../"; reference:bugtraq,5191; reference:cve,2002-1042; reference:nessus,11043; classtype:web-application-attack; sid:1828; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat TroubleShooter servlet access"; flow:established,to_server; uricontent:"/examples/servlet/TroubleShooter"; reference:bugtraq,4575; reference:nessus,11046; classtype:web-application-activity; sid:1829; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat SnoopServlet servlet access"; flow:established,to_server; uricontent:"/examples/servlet/SnoopServlet"; reference:bugtraq,4575; reference:nessus,11046; classtype:web-application-activity; sid:1830; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC jigsaw dos attempt"; flow:established,to_server; uricontent:"/servlet/con"; reference:nessus,11047; classtype:web-application-attack; sid:1831; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Macromedia SiteSpring cross site scripting attempt"; flow:established,to_server; uricontent:"/error/500error.jsp"; nocase; 
uricontent:"et="; uricontent:"<script"; nocase; reference:bugtraq,5249; reference:cve,2002-1027; classtype:web-application-attack; sid:1835; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mailman cross site scripting attempt"; flow:established,to_server; uricontent:"/mailman/"; nocase; uricontent:"?"; uricontent:"info="; uricontent:"<script"; nocase; reference:bugtraq,5298; reference:cve,2002-0855; classtype:web-application-attack; sid:1839; rev:4;)
-
-
-
-# NOTES: this signature looks for access to common webalizer output directories.
-# Webalizer is a http server log reporting program. By allowing anyone on the
-# internet to view the web access logs, attackers can gain information about
-# your customers that probably should not be made public. webalizer had cross
-# site scripting bugs prior to version 2.01-09.
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webalizer access"; flow:established,to_server; uricontent:"/webalizer/"; nocase; reference:bugtraq,3473; reference:cve,2001-0835; reference:nessus,10816; classtype:web-application-activity; sid:1847; rev:9;)
-
-
-# NOTES: this signature looks for someone accessing the directory webcart-lite.
-# webcart-lite allows users to access world readable plain text customer
-# information databases. To correct this issue, users should make the
-# data directories and databases not world readable, move the files outside of
-# WEBROOT if possible, and verify that a compromise of customer information has
-# not occured.
-# SIMILAR RULES: sid:1125
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webcart-lite access"; flow:to_server,established; uricontent:"/webcart-lite/"; nocase; reference:cve,1999-0610; reference:nessus,10298; classtype:web-application-activity; sid:1848; rev:5;)
-
-
-# NOTES: this signature looks for someone accessing the web application
-# "webfind.exe". 
This application has a buffer overflow in the keywords
-# argument. An attacker can use this vulnerability to execute arbitrary
-# code on the web server.
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webfind.exe access"; flow:to_server,established; uricontent:"/webfind.exe"; nocase; reference:bugtraq,1487; reference:cve,2000-0622; reference:nessus,10475; classtype:web-application-activity; sid:1849; rev:7;)
-
-# NOTES: this signature looks for someone accessing the file "active.log" via
-# a web server. By allowing anyone on the internet to view the web access
-# logs, attackers can gain information about your customers that probably
-# should not be made public.
-#
-# This logfile is made available from the WebActive webserver. This webserver
-# is no longer maintained and should be replaced with an actively maintained
-# webserver. If converting to another webserver is not possible, remove read
-# access to this file.
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC active.log access"; flow:to_server,established; uricontent:"/active.log"; nocase; reference:bugtraq,1497; reference:cve,2000-0642; reference:nessus,10470; classtype:web-application-activity; sid:1851; rev:6;)
-
-
-
-# NOTES: this signature looks for someone accessing the file "robots.txt" via
-# web server. This file is used to make web spider agents (including search
-# engines) more efficient. robots.txt is often used to inform a web spider
-# which directories that the spider should ignore because the content may be
-# dynamic or restricted. An attacker can use this information to gain insite
-# into directories that may have been deemed sensitive.
-#
-# Verify that the robots.txt does not include any sensitive information. 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robot.txt access"; flow:to_server,established; uricontent:"/robot.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1857; rev:3;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8181 (msg:"WEB-MISC CISCO PIX Firewall Manager directory traversal attempt"; flow:to_server,established; content:"/pixfir~1/how_to_login.html"; reference:bugtraq,691; reference:cve,1999-0158; reference:nessus,10819; classtype:misc-attack; sid:1858; rev:5;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"WEB-MISC Sun JavaServer default password login attempt"; flow:to_server,established; content:"/servlet/admin"; content:"ae9f86d6beaa3f9ecb9a5b7e072a4138"; reference:cve,1999-0508; reference:nessus,10995; classtype:default-login-attempt; sid:1859; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-MISC Linksys router default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; pcre:"/^Authorization\x3a\s*Basic\s+OmFkbWlu/smi"; reference:nessus,10999; classtype:default-login-attempt; sid:1860; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-MISC Linksys router default username and password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; pcre:"/^Authorization\x3a\s*Basic\s+YWRtaW46YWRtaW4/smi"; reference:nessus,10999; classtype:default-login-attempt; sid:1861; rev:9;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC NetGear router default password login attempt admin/password"; flow:to_server,established; content:"Authorization|3A|"; nocase; pcre:"/^Authorization\x3a\s*Basic\s+YWRtaW46cGFzc3dvcmQ/smi"; reference:nessus,11737; 
classtype:default-login-attempt; sid:2230; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle XSQLConfig.xml access"; flow:to_server,established; uricontent:"/XSQLConfig.xml"; reference:bugtraq,4290; reference:cve,2002-0568; reference:nessus,10855; classtype:web-application-activity; sid:1871; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle Dynamic Monitoring Services dms access"; flow:to_server,established; uricontent:"/dms0"; reference:nessus,10848; classtype:web-application-activity; sid:1872; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC globals.jsa access"; flow:to_server,established; uricontent:"/globals.jsa"; reference:bugtraq,4034; reference:cve,2002-0562; reference:nessus,10850; classtype:web-application-activity; sid:1873; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle Java Process Manager access"; flow:to_server,established; uricontent:"/oprocmgr-status"; reference:nessus,10851; classtype:web-application-activity; sid:1874; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC bad HTTP/1.1 request, Potentially worm attack"; flow:to_server,established; content:"GET / HTTP/1.1|0D 0A 0D 0A|"; depth:18; reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html; classtype:web-application-activity; sid:1881; rev:6;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC whisker HEAD with large datagram"; flow:to_server,established,no_stream; dsize:>512; content:"HEAD"; depth:4; nocase; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1171; rev:10;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC whisker space splice attack"; flow:to_server,established; dsize:1; content:" "; reference:arachnids,296; 
reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1104; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC whisker tab splice attack"; flow:to_server,established; dsize:<5; content:"|09|"; reference:arachnids,415; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1087; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache chunked encoding memory corruption exploit attempt"; flow:established,to_server; content:"|C0|PR|89 E1|PQRP|B8 3B 00 00 00 CD 80|"; reference:bugtraq,5033; reference:cve,2002-0392; classtype:web-application-activity; sid:1808; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /Carello/add.exe access"; flow:to_server,established; uricontent:"/Carello/add.exe"; nocase; reference:bugtraq,1245; reference:cve,2000-0396; reference:nessus,11776; classtype:web-application-activity; sid:1943; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /ecscripts/ecware.exe access"; flow:to_server,established; uricontent:"/ecscripts/ecware.exe"; nocase; reference:bugtraq,6066; classtype:web-application-activity; sid:1944; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ion-p access"; flow:to_server,established; uricontent:"/ion-p"; nocase; reference:bugtraq,6091; reference:cve,2002-1559; classtype:web-application-activity; sid:1969; rev:3;)
-
-# uricontent would be nice, but we can't be sure we are running http decoding
-# on 8888. oh for rna integration... 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"WEB-MISC SiteScope Service access"; flow:to_server,established; content:"/SiteScope/cgi/go.exe/SiteScope"; reference:nessus,10778; classtype:web-application-activity; sid:1499; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"WEB-MISC answerbook2 admin attempt"; flow:to_server,established; content:"/cgi-bin/admin/admin"; reference:bugtraq,5383; reference:cve,2000-0696; classtype:web-application-activity; sid:1946; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"WEB-MISC answerbook2 arbitrary command execution attempt"; flow:to_server,established; content:"/ab2/"; content:"|3B|"; distance:1; reference:bugtraq,1556; reference:cve,2000-0697; classtype:web-application-attack; sid:1947; rev:9;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC perl post attempt"; flow:to_server,established; content:"POST"; depth:4; uricontent:"/perl/"; reference:bugtraq,5520; reference:cve,2002-1436; reference:nessus,11158; classtype:web-application-attack; sid:1979; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC TRACE attempt"; flow:to_server,established; content:"TRACE"; depth:5; reference:bugtraq,9561; reference:nessus,11213; reference:url,www.whitehatsec.com/press_releases/WH-PR-20030120.pdf; classtype:web-application-attack; sid:2056; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC helpout.exe access"; flow:to_server,established; uricontent:"/helpout.exe"; reference:bugtraq,6002; reference:cve,2002-1169; reference:nessus,11162; classtype:web-application-activity; sid:2057; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC MsmMask.exe attempt"; flow:to_server,established; uricontent:"/MsmMask.exe"; content:"mask="; reference:nessus,11163; classtype:web-application-attack; sid:2058; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC MsmMask.exe access"; 
flow:to_server,established; uricontent:"/MsmMask.exe"; reference:nessus,11163; classtype:web-application-activity; sid:2059; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC DB4Web access"; flow:to_server,established; uricontent:"/DB4Web/"; reference:nessus,11180; classtype:web-application-activity; sid:2060; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Tomcat null byte directory listing attempt"; flow:to_server,established; uricontent:"|00|.jsp"; reference:bugtraq,2518; reference:bugtraq,6721; reference:cve,2003-0042; classtype:web-application-attack; sid:2061; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC iPlanet .perf access"; flow:to_server,established; uricontent:"/.perf"; reference:nessus,11220; classtype:web-application-activity; sid:2062; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Demarc SQL injection attempt"; flow:to_server,established; uricontent:"/dm/demarc"; content:"s_key="; content:"'"; distance:0; content:"'"; distance:1; content:"'"; distance:0; reference:bugtraq,4520; reference:cve,2002-0539; classtype:web-application-activity; sid:2063; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .csp script source download attempt"; flow:to_server,established; uricontent:".csp"; content:".csp"; content:"."; within:1; reference:bugtraq,6841; classtype:web-application-attack; sid:2064; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .csp script source download attempt"; flow:to_server,established; uricontent:".csp."; classtype:web-application-attack; sid:2065; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .pl script source download attempt"; flow:to_server,established; uricontent:".pl"; content:".pl"; content:"."; within:1; reference:bugtraq,6841; classtype:web-application-attack; sid:2066; rev:4;)
-alert tcp 
$EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .exe script source download attempt"; flow:to_server,established; uricontent:".exe"; content:".exe"; content:"."; within:1; reference:bugtraq,6841; classtype:web-application-attack; sid:2067; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC BitKeeper arbitrary command attempt"; flow:to_server,established; uricontent:"/diffs/"; content:"'"; content:"|3B|"; distance:0; content:"'"; distance:1; reference:bugtraq,6588; classtype:web-application-attack; sid:2068; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC chip.ini access"; flow:to_server,established; uricontent:"/chip.ini"; reference:bugtraq,2755; reference:bugtraq,2775; reference:cve,2001-0749; reference:cve,2001-0771; classtype:web-application-activity; sid:2069; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC post32.exe arbitrary command attempt"; flow:to_server,established; uricontent:"/post32.exe|7C|"; reference:bugtraq,1485; classtype:web-application-attack; sid:2070; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC post32.exe access"; flow:to_server,established; uricontent:"/post32.exe"; reference:bugtraq,1485; classtype:web-application-activity; sid:2071; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC lyris.pl access"; flow:to_server,established; uricontent:"/lyris.pl"; reference:bugtraq,1584; reference:cve,2000-0758; classtype:web-application-activity; sid:2072; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC globals.pl access"; flow:to_server,established; uricontent:"/globals.pl"; reference:bugtraq,2671; reference:cve,2001-0330; classtype:web-application-activity; sid:2073; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC philboard.mdb access"; flow:to_server,established; uricontent:"/philboard.mdb"; reference:nessus,11682; 
classtype:web-application-activity; sid:2135; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC philboard_admin.asp authentication bypass attempt"; flow:to_server,established; uricontent:"/philboard_admin.asp"; content:"Cookie"; nocase; content:"philboard_admin=True"; distance:0; reference:bugtraq,7739; reference:nessus,11675; classtype:web-application-attack; sid:2136; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC philboard_admin.asp access"; flow:to_server,established; uricontent:"/philboard_admin.asp"; reference:bugtraq,7739; reference:nessus,11675; classtype:web-application-activity; sid:2137; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC logicworks.ini access"; flow:to_server,established; uricontent:"/logicworks.ini"; reference:bugtraq,6996; reference:nessus,11639; classtype:web-application-activity; sid:2138; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC /*.shtml access"; flow:to_server,established; uricontent:"/*.shtml"; reference:bugtraq,1517; reference:cve,2000-0683; reference:nessus,11604; classtype:web-application-activity; sid:2139; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC mod_gzip_status access"; flow:to_server,established; uricontent:"/mod_gzip_status"; reference:nessus,11685; classtype:web-application-activity; sid:2156; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC register.dll access"; flow:to_server,established; uricontent:"/register.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2231; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ContentFilter.dll access"; flow:to_server,established; uricontent:"/ContentFilter.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2232; 
rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SFNofitication.dll access"; flow:to_server,established; uricontent:"/SFNofitication.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2233; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC TOP10.dll access"; flow:to_server,established; uricontent:"/TOP10.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2234; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SpamExcp.dll access"; flow:to_server,established; uricontent:"/SpamExcp.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2235; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC spamrule.dll access"; flow:to_server,established; uricontent:"/spamrule.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2236; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cgiWebupdate.exe access"; flow:to_server,established; uricontent:"/cgiWebupdate.exe"; nocase; reference:bugtraq,3216; reference:cve,2001-1150; reference:nessus,11722; classtype:web-application-activity; sid:2237; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WebLogic ConsoleHelp view source attempt"; flow:to_server,established; uricontent:"/ConsoleHelp/"; nocase; uricontent:".jsp"; nocase; reference:bugtraq,1518; reference:cve,2000-0682; reference:nessus,11724; classtype:web-application-attack; sid:2238; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC redirect.exe access"; flow:to_server,established; uricontent:"/redirect.exe"; nocase; reference:bugtraq,1256; reference:cve,2000-0401; 
classtype:web-application-activity; sid:2239; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC changepw.exe access"; flow:to_server,established; uricontent:"/changepw.exe"; nocase; reference:bugtraq,1256; reference:cve,2000-0401; classtype:web-application-activity; sid:2240; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cwmail.exe access"; flow:to_server,established; uricontent:"/cwmail.exe"; nocase; reference:bugtraq,4093; reference:cve,2002-0273; reference:nessus,11727; classtype:web-application-activity; sid:2241; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ddicgi.exe access"; flow:to_server,established; uricontent:"/ddicgi.exe"; nocase; reference:bugtraq,1657; reference:cve,2000-0826; reference:nessus,11728; classtype:web-application-activity; sid:2242; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ndcgi.exe access"; flow:to_server,established; uricontent:"/ndcgi.exe"; nocase; reference:bugtraq,3583; reference:cve,2001-0922; reference:nessus,11730; classtype:web-application-activity; sid:2243; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VsSetCookie.exe access"; flow:to_server,established; uricontent:"/VsSetCookie.exe"; nocase; reference:bugtraq,3784; reference:cve,2002-0236; reference:nessus,11731; classtype:web-application-activity; sid:2244; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Webnews.exe access"; flow:to_server,established; uricontent:"/Webnews.exe"; nocase; reference:bugtraq,4124; reference:cve,2002-0290; reference:nessus,11732; classtype:web-application-activity; sid:2245; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webadmin.dll access"; flow:to_server,established; uricontent:"/webadmin.dll"; nocase; reference:bugtraq,7438; reference:bugtraq,7439; reference:bugtraq,8024; reference:cve,2003-0471; 
reference:nessus,11771; classtype:web-application-activity; sid:2246; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC oracle portal demo access"; flow:to_server,established; uricontent:"/pls/portal/PORTAL_DEMO"; nocase; reference:nessus,11918; classtype:web-application-activity; sid:2276; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC PeopleSoft PeopleBooks psdoccgi access"; flow:to_server,established; uricontent:"/psdoccgi"; nocase; reference:bugtraq,9037; reference:bugtraq,9038; reference:cve,2003-0626; reference:cve,2003-0627; classtype:web-application-activity; sid:2277; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC client negative Content-Length attempt"; flow:to_server,established; content:"Content-Length|3A|"; nocase; pcre:"/^Content-Length\x3a\s*-\d+/smi"; reference:bugtraq,9098; reference:bugtraq,9476; reference:bugtraq,9576; reference:cve,2004-0095; classtype:misc-attack; sid:2278; rev:8;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-MISC server negative Content-Length attempt"; flow:from_server,established; content:"Content-Length|3A|"; nocase; pcre:"/^Content-Length\x3a\s*-\d+/smi"; reference:cve,2004-0492; reference:url,www.guninski.com/modproxy1.html; classtype:attempted-admin; sid:2580; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC bsml.pl access"; flow:to_server,established; uricontent:"/bsml.pl"; nocase; reference:bugtraq,9311; reference:nessus,11973; classtype:web-application-activity; sid:2327; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ISAPISkeleton.dll access"; flow:to_server,established; uricontent:"/ISAPISkeleton.dll"; nocase; reference:bugtraq,9516; classtype:web-application-activity; sid:2369; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC BugPort config.conf file access"; flow:to_server,established; 
uricontent:"/config.conf"; nocase; reference:bugtraq,9542; classtype:attempted-recon; sid:2370; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Sample_showcode.html access"; flow:to_server,established; uricontent:"/Sample_showcode.html"; nocase; content:"fname"; reference:bugtraq,9555; classtype:web-application-activity; sid:2371; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC schema overflow attempt"; flow:to_server,established; uricontent:"|3A|//"; pcre:"/^[^\/]{14,}?\x3a\/\//U"; reference:bugtraq,9581; reference:cve,2004-0039; reference:nessus,12084; classtype:attempted-admin; sid:2381; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"WEB-MISC Compaq web-based management agent denial of service attempt"; flow:to_server,established; content:"<!"; depth:75; content:">"; within:50; reference:bugtraq,8014; classtype:web-application-attack; sid:2394; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC InteractiveQuery.jsp access"; flow:to_server,established; uricontent:"/InteractiveQuery.jsp"; nocase; reference:bugtraq,8938; reference:cve,2003-0624; classtype:web-application-activity; sid:2395; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC edittag.pl access"; flow:to_server,established; uricontent:"/edittag.pl"; nocase; reference:bugtraq,6675; classtype:web-application-activity; sid:2400; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC util.pl access"; flow:to_server,established; uricontent:"/util.pl"; nocase; reference:bugtraq,9748; classtype:web-application-activity; sid:2407; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Invision Power Board search.pl access"; flow:to_server,established; uricontent:"/search.pl"; content:"st="; nocase; reference:bugtraq,9766; classtype:web-application-activity; sid:2408; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
554 (msg:"WEB-MISC Real Server DESCRIBE buffer overflow attempt"; flow:to_server,established; content:"DESCRIBE"; nocase; content:"../"; distance:1; pcre:"/^DESCRIBE\s[^\n]{300}/smi"; reference:bugtraq,8476; reference:url,www.service.real.com/help/faq/security/rootexploit091103.html; classtype:web-application-attack; sid:2411; rev:5;)
-
-# YES, the contents are logically backwards as to how the contents are seen on
-# the wire. snort picks up the first of the longest pattern. login=0 happens
-# MUCH less than Cookie. so we do this for speed.
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC NetObserve authentication bypass attempt"; flow:to_server,established; content:"login=0"; nocase; content:"Cookie|3A|"; nocase; pcre:"/^Cookie\x3a[^\n]*?login=0/smi"; reference:bugtraq,9319; classtype:web-application-attack; sid:2441; rev:3;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8000:8001 (msg:"WEB-MISC Quicktime User-Agent buffer overflow attempt"; flow:to_server,established; content:"User-Agent|3A|"; nocase; pcre:"/^User-Agent\x3a[^\n]{244,255}/smi"; reference:bugtraq,9735; reference:cve,2004-0169; classtype:web-application-attack; sid:2442; rev:6;)
-
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC source.jsp access"; flow:to_server,established; uricontent:"/source.jsp"; nocase; reference:nessus,12119; classtype:web-application-activity; sid:2484; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ServletManager access"; flow:to_server,established; uricontent:"/servlet/ServletManager"; nocase; reference:bugtraq,3697; reference:cve,2001-1195; reference:nessus,12122; classtype:web-application-activity; sid:2447; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC setinfo.hts access"; flow:to_server,established; uricontent:"/setinfo.hts"; nocase; reference:bugtraq,9973; reference:nessus,12120; classtype:web-application-activity; sid:2448; rev:2;)
-
-
-alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2505; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2520; rev:10;) -alert tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any (msg:"WEB-MISC SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2521; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2522; rev:10;) - - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; 
depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2515; rev:13;) - -# one of these days, we will have port lists... -alert tcp $EXTERNAL_NET any -> $HOME_NET 81 (msg:"WEB-MISC McAfee ePO file upload attempt"; flow:to_server,established; content:"/spipe/repl_file"; nocase; content:"Command=BEGIN"; nocase; reference:bugtraq,10200; reference:cve,2004-0038; classtype:attempted-admin; sid:2562; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cPanel resetpass access"; flow:to_server,established; uricontent:"/resetpass"; nocase; reference:bugtraq,9848; classtype:web-application-activity; sid:2569; rev:1;) -# Note: URI size is unlimited as per RFC2068, the depth here is calculated -# based on method (5) + space + URI + space + version -# to prevent false positives from User-Agent strings with HTTP content (jfs) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Invalid HTTP Version String"; flow:to_server,established; content:"HTTP/"; depth:300; nocase; isdataat:6,relative; content:!"|0A|"; within:5; reference:bugtraq,9809; reference:nessus,11593; classtype:non-standard-protocol; sid:2570; rev:8;) - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Crystal Reports crystalimagehandler.aspx access"; flow:to_server,established; uricontent:"/crystalimagehandler.aspx"; nocase; reference:cve,2004-0204; reference:url,www.microsoft.com/security/bulletins/200406_crystal.mspx; classtype:web-application-activity; sid:2581; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Crystal Reports crystalImageHandler.aspx directory traversal attempt"; flow:to_server,established; uricontent:"/crystalimagehandler.aspx"; nocase; content:"dynamicimage=../"; nocase; reference:bugtraq,10260; reference:cve,2004-0204; reference:nessus,12271; 
reference:url,www.microsoft.com/security/bulletins/200406_crystal.mspx; classtype:web-application-attack; sid:2582; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Samba SWAT Authorization overflow attempt"; flow:to_server,established; content:"Authorization|3A| Basic"; nocase; pcre:"/^Authorization\x3a Basic\s+=/smi"; reference:bugtraq,10780; classtype:web-application-attack; sid:2597; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 901 (msg:"WEB-MISC Samba SWAT Authorization port 901 overflow attempt"; flow:to_server,established; content:"Authorization|3A| Basic"; nocase; pcre:"/^Authorization\x3a Basic\s+=/smi"; reference:bugtraq,10780; classtype:web-application-attack; sid:2598; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv2 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2658; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC TLSv1 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2661; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv2 Client_Hello with pad request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; content:"|00 02|"; depth:2; 
offset:6; flowbits:set,sslv2.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2659; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sresult.exe access"; flow:to_server,established; uricontent:"/sresult.exe"; nocase; reference:bugtraq,10837; reference:nessus,14186; classtype:web-application-activity; sid:2672; rev:1;) -alert tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any (msg:"WEB-MISC SSLv2 Server_Hello request"; flow:from_server,established; flowbits:isset,sslv2.client_hello.request; content:"|04|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2660; rev:4;) -alert tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any (msg:"WEB-MISC TLSv1 Server_Hello request"; flow:to_client,established; flowbits:isset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,tlsv1.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2662; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle iSQLPlus username overflow attempt"; flow:to_server,established; uricontent:"/isqlplus"; nocase; pcre:"/username=[^&\x3b\r\n]{255}/si"; reference:bugtraq,10871; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2702; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle iSQLPlus login.uix username overflow attempt"; flow:to_server,established; uricontent:"/login.uix"; nocase; pcre:"/username=[^&\x3b\r\n]{250}/smi"; reference:bugtraq,10871; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2703; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle 10g iSQLPlus login.unix connectID overflow attempt"; flow:to_server,established; uricontent:"/login.uix"; nocase; 
pcre:"/connectID=[^&\x3b\r\n]{255}/smi"; reference:bugtraq,10871; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2704; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle iSQLPlus sid overflow attempt"; flow:to_server,established; uricontent:"/isqlplus"; nocase; pcre:"/sid=[^&\x3b\r\n]{255}/si"; reference:bugtraq,10871; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2701; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .htgroup access"; flow:to_server,established; uricontent:".htgroup"; nocase; classtype:web-application-activity; sid:1374; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC TLS1 Client_Hello with pad via SSLv2 handshake request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tls1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; content:"|03 01|"; depth:2; offset:4; flowbits:set,tls1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3060; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC TLSv1 Client_Hello via SSLv2 handshake request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|03 01|"; depth:2; offset:3; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3059; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC 3Com 3CRADSL72 ADSL 11g Wireless Router app_sta.stm access attempt"; flow:to_server,established; uricontent:"/app_sta.stm"; nocase; reference:bugtraq,11408; classtype:web-application-activity; sid:3086; rev:1;)
diff -Nru 
snort-2.8.5.2/rules/web-php.rules snort-2.9.2/rules/web-php.rules
--- snort-2.8.5.2/rules/web-php.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/web-php.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,162 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: web-php.rules,v 1.21.2.2.2.2 2005/07/22 19:19:54 mwatchinski Exp $
-#--------------
-# WEB-PHP RULES
-#--------------
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP bb_smilies.php access"; flow:to_server,established; uricontent:"/bb_smilies.php"; nocase; reference:url,www.securiteam.com/securitynews/Serious_security_hole_in_PHP-Nuke__bb_smilies_.html; classtype:web-application-activity; sid:1774; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition memchr overflow"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"name=|22 CC CC CC CC CC|"; reference:bugtraq,4183; reference:cve,2002-0081; reference:nessus,10867; classtype:web-application-attack; sid:1423; rev:14;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"form-data|3B|"; reference:bugtraq,4183; reference:cve,2002-0081; 
reference:nessus,10867; classtype:web-application-attack; sid:1425; rev:13;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP squirrel mail spell-check arbitrary command attempt"; flow:to_server,established; uricontent:"/squirrelspell/modules/check_me.mod.php"; nocase; content:"SQSPELL_APP["; nocase; reference:bugtraq,3952; classtype:web-application-attack; sid:1736; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP squirrel mail theme arbitrary command attempt"; flow:to_server,established; uricontent:"/left_main.php"; nocase; content:"cmdd="; reference:bugtraq,4385; reference:cve,2002-0516; classtype:web-application-attack; sid:1737; rev:6;) - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools administrator authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; nocase; content:"user_dnstools_administrator=true"; nocase; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:1739; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:1740; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools access"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-activity; sid:1741; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Blahz-DNS dostuff.php modify user attempt"; flow:to_server,established; uricontent:"/dostuff.php?action=modify_user"; nocase; reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-attack; sid:1742; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"WEB-PHP Blahz-DNS dostuff.php access"; flow:to_server,established; uricontent:"/dostuff.php"; nocase; reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-activity; sid:1743; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Messagerie supp_membre.php access"; flow:to_server,established; uricontent:"/supp_membre.php"; nocase; reference:bugtraq,4635; classtype:web-application-activity; sid:1745; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP php.exe access"; flow:to_server,established; uricontent:"/php.exe"; nocase; reference:url,www.securitytracker.com/alerts/2002/Jan/1003104.html; classtype:web-application-activity; sid:1773; rev:3;) - - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP directory.php arbitrary command attempt"; flow:to_server,established; uricontent:"/directory.php"; content:"dir="; content:"|3B|"; reference:bugtraq,4278; reference:cve,2002-0434; classtype:misc-attack; sid:1815; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP directory.php access"; flow:to_server,established; uricontent:"/directory.php"; reference:bugtraq,4278; reference:cve,2002-0434; classtype:misc-attack; sid:1816; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Wiki cross site scripting attempt"; flow:established,to_server; uricontent:"/modules.php?"; uricontent:"name=Wiki"; nocase; uricontent:"<script"; nocase; reference:bugtraq,5254; reference:cve,2002-1070; classtype:web-application-attack; sid:1834; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpbb quick-reply.php arbitrary command attempt"; flow:established,to_server; uricontent:"/quick-reply.php"; content:"phpbb_root_path="; distance:1; reference:bugtraq,6173; classtype:web-application-attack; sid:1967; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpbb 
quick-reply.php access"; flow:established,to_server; uricontent:"/quick-reply.php"; reference:bugtraq,6173; classtype:web-application-activity; sid:1968; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP read_body.php access attempt"; flow:established,to_server; uricontent:"/read_body.php"; reference:bugtraq,6302; reference:cve,2002-1341; classtype:web-application-activity; sid:1997; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP calendar.php access"; flow:established,to_server; uricontent:"/calendar.php"; reference:bugtraq,5820; reference:bugtraq,9353; reference:nessus,11179; classtype:web-application-activity; sid:1998; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP edit_image.php access"; flow:established,to_server; uricontent:"/edit_image.php"; reference:bugtraq,3288; reference:cve,2001-1020; reference:nessus,11104; classtype:web-application-activity; sid:1999; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP readmsg.php access"; flow:established,to_server; uricontent:"/readmsg.php"; reference:cve,2001-1408; reference:nessus,11073; classtype:web-application-activity; sid:2000; rev:3;) - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP remote include path"; flow:established,to_server; uricontent:".php"; content:"path="; pcre:"/path=(http|https|ftp)/i"; classtype:web-application-attack; sid:2002; rev:5;) - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum admin access"; flow:to_server,established; uricontent:"/admin.php3"; nocase; reference:arachnids,205; reference:bugtraq,2271; classtype:attempted-recon; sid:1134; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP piranha passwd.php3 access"; flow:to_server,established; uricontent:"/passwd.php3"; reference:arachnids,272; reference:bugtraq,1149; reference:cve,2000-0322; classtype:attempted-recon; sid:1161; 
rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum read access"; flow:to_server,established; uricontent:"/read.php3"; nocase; reference:arachnids,208; classtype:attempted-recon; sid:1178; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum violation access"; flow:to_server,established; uricontent:"/violation.php3"; nocase; reference:arachnids,209; reference:bugtraq,2272; classtype:attempted-recon; sid:1179; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum code access"; flow:to_server,established; uricontent:"/code.php3"; nocase; reference:arachnids,207; classtype:attempted-recon; sid:1197; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php file upload attempt"; flow:to_server,established; uricontent:"/admin.php"; nocase; content:"file_name="; reference:bugtraq,3361; reference:cve,2001-1032; classtype:attempted-admin; sid:1300; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php access"; flow:to_server,established; uricontent:"/admin.php"; nocase; reference:bugtraq,3361; reference:bugtraq,7532; reference:bugtraq,9270; reference:cve,2001-1032; classtype:attempted-recon; sid:1301; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP smssend.php access"; flow:to_server,established; uricontent:"/smssend.php"; reference:bugtraq,3982; reference:cve,2002-0220; classtype:web-application-activity; sid:1407; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Nuke remote file include attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"file="; pcre:"/file=(http|https|ftp)/i"; reference:bugtraq,3889; reference:cve,2002-0206; classtype:web-application-attack; sid:1399; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum /support/common.php attempt"; 
flow:to_server,established; uricontent:"/support/common.php"; content:"ForumLang=../"; reference:bugtraq,1997; classtype:web-application-attack; sid:1490; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum /support/common.php access"; flow:to_server,established; uricontent:"/support/common.php"; reference:bugtraq,1997; reference:bugtraq,9361; classtype:web-application-attack; sid:1491; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum authentication access"; flow:to_server,established; content:"PHP_AUTH_USER=boogieman"; nocase; reference:arachnids,206; reference:bugtraq,2274; classtype:attempted-recon; sid:1137; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP strings overflow"; flow:to_server,established; content:"|BA|I|FE FF FF F7 D2 B9 BF FF FF FF F7 D1|"; reference:arachnids,431; reference:bugtraq,802; classtype:web-application-attack; sid:1085; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP strings overflow"; flow:to_server,established; uricontent:"?STRENGUR"; reference:arachnids,430; reference:bugtraq,1786; reference:cve,2000-0967; classtype:web-application-attack; sid:1086; rev:12;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPLIB remote command attempt"; flow:to_server,established; content:"_PHPLIB[libdir]"; reference:bugtraq,3079; reference:cve,2001-1370; classtype:attempted-user; sid:1254; rev:8;) -alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-PHP PHPLIB remote command attempt"; flow:to_server,established; uricontent:"/db_mysql.inc"; reference:bugtraq,3079; reference:cve,2001-1370; classtype:attempted-user; sid:1255; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo uploadimage.php upload php file attempt"; flow:to_server,established; uricontent:"/uploadimage.php"; content:"userfile_name="; content:".php"; distance:1; 
reference:bugtraq,6572; classtype:web-application-attack; sid:2074; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo upload.php upload php file attempt"; flow:to_server,established; uricontent:"/upload.php"; content:"userfile_name="; content:".php"; distance:1; reference:bugtraq,6572; classtype:web-application-attack; sid:2075; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo uploadimage.php access"; flow:to_server,established; uricontent:"/uploadimage.php"; reference:bugtraq,6572; classtype:web-application-activity; sid:2076; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo upload.php access"; flow:to_server,established; uricontent:"/upload.php"; reference:bugtraq,6572; classtype:web-application-activity; sid:2077; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpBB privmsg.php access"; flow:to_server,established; uricontent:"/privmsg.php"; reference:bugtraq,6634; classtype:web-application-activity; sid:2078; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP p-news.php access"; flow:to_server,established; uricontent:"/p-news.php"; reference:nessus,11669; classtype:web-application-activity; sid:2140; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP shoutbox.php directory traversal attempt"; flow:to_server,established; uricontent:"/shoutbox.php"; content:"conf="; content:"../"; distance:0; reference:nessus,11668; classtype:web-application-attack; sid:2141; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP shoutbox.php access"; flow:to_server,established; uricontent:"/shoutbox.php"; reference:nessus,11668; classtype:web-application-activity; sid:2142; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt"; flow:to_server,established; uricontent:"/gm-2-b2.php"; 
content:"b2inc="; pcre:"/b2inc=(http|https|ftp)/i"; reference:nessus,11667; classtype:web-application-attack; sid:2143; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP b2 cafelog gm-2-b2.php access"; flow:to_server,established; uricontent:"/gm-2-b2.php"; reference:nessus,11667; classtype:web-application-activity; sid:2144; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TextPortal admin.php default password admin attempt"; flow:to_server,established; uricontent:"/admin.php"; content:"op=admin_enter"; content:"password=admin"; reference:bugtraq,7673; reference:nessus,11660; classtype:web-application-activity; sid:2145; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TextPortal admin.php default password 12345 attempt"; flow:to_server,established; uricontent:"/admin.php"; content:"op=admin_enter"; content:"password=12345"; reference:bugtraq,7673; reference:nessus,11660; classtype:web-application-activity; sid:2146; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BLNews objects.inc.php4 remote file include attempt"; flow:to_server,established; uricontent:"/objects.inc.php4"; content:"Server[path]="; pcre:"/Server\x5bpath\x5d=(http|https|ftp)/"; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-attack; sid:2147; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BLNews objects.inc.php4 access"; flow:to_server,established; uricontent:"/objects.inc.php4"; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-activity; sid:2148; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Turba status.php access"; flow:to_server,established; uricontent:"/turba/status.php"; reference:nessus,11646; classtype:web-application-activity; sid:2149; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP ttCMS header.php remote file include attempt"; flow:to_server,established; uricontent:"/admin/templates/header.php"; content:"admin_root="; pcre:"/admin_root=(http|https|ftp)/"; reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:nessus,11636; classtype:web-application-attack; sid:2150; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttCMS header.php access"; flow:to_server,established; uricontent:"/admin/templates/header.php"; reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:nessus,11636; classtype:web-application-activity; sid:2151; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP test.php access"; flow:to_server,established; uricontent:"/test.php"; reference:nessus,11617; classtype:web-application-activity; sid:2152; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP autohtml.php directory traversal attempt"; flow:to_server,established; uricontent:"/autohtml.php"; content:"name="; content:"../../"; distance:0; reference:nessus,11630; classtype:web-application-attack; sid:2153; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP autohtml.php access"; flow:to_server,established; uricontent:"/autohtml.php"; reference:nessus,11630; classtype:web-application-activity; sid:2154; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttforum remote file include attempt"; flow:to_server,established; uricontent:"forum/index.php"; content:"template="; pcre:"/template=(http|https|ftp)/i"; reference:bugtraq,7542; reference:bugtraq,7543; reference:nessus,11615; classtype:web-application-attack; sid:2155; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP pmachine remote file include attempt"; flow:to_server,established; uricontent:"lib.inc.php"; content:"pm_path="; pcre:"/pm_path=(http|https|ftp)/"; reference:bugtraq,7919; 
reference:nessus,11739; classtype:web-application-attack; sid:2226; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP forum_details.php access"; flow:to_server,established; uricontent:"forum_details.php"; reference:bugtraq,7933; reference:nessus,11760; classtype:web-application-attack; sid:2227; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpMyAdmin db_details_importdocsql.php access"; flow:to_server,established; uricontent:"db_details_importdocsql.php"; reference:bugtraq,7962; reference:bugtraq,7965; reference:nessus,11761; classtype:web-application-attack; sid:2228; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP viewtopic.php access"; flow:to_server,established; uricontent:"viewtopic.php"; reference:bugtraq,7979; reference:cve,2003-0486; reference:nessus,11767; classtype:web-application-attack; sid:2229; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP UpdateClasses.php access"; flow:to_server,established; uricontent:"/UpdateClasses.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2279; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Title.php access"; flow:to_server,established; uricontent:"/Title.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2280; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Setup.php access"; flow:to_server,established; uricontent:"/Setup.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2281; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP GlobalFunctions.php access"; flow:to_server,established; uricontent:"/GlobalFunctions.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2282; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DatabaseFunctions.php access"; 
flow:to_server,established; uricontent:"/DatabaseFunctions.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2283; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP rolis guestbook remote file include attempt"; flow:to_server,established; uricontent:"/insert.inc.php"; nocase; content:"path="; reference:bugtraq,9057; classtype:web-application-attack; sid:2284; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP rolis guestbook access"; flow:to_server,established; uricontent:"/insert.inc.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2285; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP friends.php access"; flow:to_server,established; uricontent:"/friends.php"; nocase; reference:bugtraq,9088; classtype:web-application-activity; sid:2286; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_comment.php access"; flow:to_server,established; uricontent:"/admin_comment.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2287; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_edit.php access"; flow:to_server,established; uricontent:"/admin_edit.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2288; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_embed.php access"; flow:to_server,established; uricontent:"/admin_embed.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2289; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_help.php access"; flow:to_server,established; uricontent:"/admin_help.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; 
classtype:web-application-activity; sid:2290; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_license.php access"; flow:to_server,established; uricontent:"/admin_license.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2291; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_logout.php access"; flow:to_server,established; uricontent:"/admin_logout.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2292; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_password.php access"; flow:to_server,established; uricontent:"/admin_password.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2293; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_preview.php access"; flow:to_server,established; uricontent:"/admin_preview.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2294; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_settings.php access"; flow:to_server,established; uricontent:"/admin_settings.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2295; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_stats.php access"; flow:to_server,established; uricontent:"/admin_stats.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2296; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_templates_misc.php access"; flow:to_server,established; uricontent:"/admin_templates_misc.php"; nocase; reference:bugtraq,8890; reference:nessus,11487;
classtype:web-application-activity; sid:2297; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_templates.php access"; flow:to_server,established; uricontent:"/admin_templates.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2298; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_tpl_misc_new.php access"; flow:to_server,established; uricontent:"/admin_tpl_misc_new.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2299; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_tpl_new.php access"; flow:to_server,established; uricontent:"/admin_tpl_new.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2300; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll booth.php access"; flow:to_server,established; uricontent:"/booth.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2301; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll poll_ssi.php access"; flow:to_server,established; uricontent:"/poll_ssi.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2302; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll popup.php access"; flow:to_server,established; uricontent:"/popup.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2303; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP files.inc.php access"; flow:to_server,established; uricontent:"/files.inc.php"; nocase; reference:bugtraq,8910; classtype:web-application-activity; sid:2304; rev:2;)
-alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP chatbox.php access"; flow:to_server,established; uricontent:"/chatbox.php"; nocase; reference:bugtraq,8930; classtype:web-application-activity; sid:2305; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP gallery remote file include attempt"; flow:to_server,established; uricontent:"/setup/"; content:"GALLERY_BASEDIR="; pcre:"/GALLERY_BASEDIR=(http|https|ftp)/i"; reference:bugtraq,8814; reference:nessus,11876; classtype:web-application-attack; sid:2306; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PayPal Storefront remote file include attempt"; flow:to_server,established; content:"do=ext"; content:"page="; pcre:"/page=(http|https|ftp)/i"; reference:bugtraq,8791; reference:nessus,11873; classtype:web-application-attack; sid:2307; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP authentication_index.php access"; flow:to_server,established; uricontent:"/authentication_index.php"; nocase; reference:cve,2004-0032; reference:nessus,11982; classtype:web-application-activity; sid:2328; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP MatrikzGB privilege escalation attempt"; flow:to_server,established; content:"new_rights=admin"; nocase; reference:bugtraq,8430; classtype:web-application-activity; sid:2331; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DCP-Portal remote file include attempt"; flow:to_server,established; uricontent:"/library/editor/editor.php"; nocase; content:"root="; reference:bugtraq,6525; classtype:web-application-attack; sid:2341; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DCP-Portal remote file include attempt"; flow:to_server,established; uricontent:"/library/lib.php"; nocase; content:"root="; reference:bugtraq,6525; classtype:web-application-attack; sid:2342; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
$HTTP_PORTS (msg:"WEB-PHP PhpGedView search.php access"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"action=soundex"; nocase; uricontent:"firstname="; nocase; reference:bugtraq,9369; reference:cve,2004-0032; classtype:web-application-activity; sid:2345; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myPHPNuke chatheader.php access"; flow:to_server,established; uricontent:"/chatheader.php"; nocase; reference:bugtraq,6544; classtype:web-application-activity; sid:2346; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myPHPNuke partner.php access"; flow:to_server,established; uricontent:"/partner.php"; nocase; reference:bugtraq,6544; classtype:web-application-activity; sid:2347; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IdeaBox cord.php file include"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"ideaDir"; nocase; content:"cord.php"; nocase; reference:bugtraq,7488; classtype:web-application-activity; sid:2353; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IdeaBox notification.php file include"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"gorumDir"; nocase; content:"notification.php"; nocase; reference:bugtraq,7488; classtype:web-application-activity; sid:2354; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Invision Board emailer.php file include"; flow:to_server,established; uricontent:"/ad_member.php"; nocase; content:"emailer.php"; nocase; reference:bugtraq,7204; classtype:web-application-activity; sid:2355; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WebChat db_mysql.php file include"; flow:to_server,established; uricontent:"/defines.php"; nocase; content:"WEBCHATPATH"; nocase; content:"db_mysql.php"; nocase; reference:bugtraq,7000; classtype:web-application-attack; sid:2356; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WebChat english.php file include"; flow:to_server,established; uricontent:"/defines.php"; nocase; content:"WEBCHATPATH"; nocase; content:"english.php"; nocase; reference:bugtraq,7000; classtype:web-application-attack; sid:2357; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Typo3 translations.php file include"; flow:to_server,established; uricontent:"/translations.php"; nocase; content:"ONLY"; nocase; reference:bugtraq,6984; classtype:web-application-attack; sid:2358; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Invision Board ipchat.php file include"; flow:to_server,established; uricontent:"/ipchat.php"; nocase; content:"root_path"; nocase; content:"conf_global.php"; nocase; reference:bugtraq,6976; classtype:web-application-attack; sid:2359; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myphpPagetool pt_config.inc file include"; flow:to_server,established; uricontent:"/doc/admin"; nocase; content:"ptinclude"; nocase; content:"pt_config.inc"; nocase; reference:bugtraq,6744; classtype:web-application-attack; sid:2360; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP news.php file include"; flow:to_server,established; uricontent:"/news.php"; nocase; content:"template"; nocase; reference:bugtraq,6674; classtype:web-application-attack; sid:2361; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP YaBB SE packages.php file include"; flow:to_server,established; uricontent:"/packages.php"; nocase; content:"packer.php"; nocase; reference:bugtraq,6663; classtype:web-application-attack; sid:2362; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Cyboards default_header.php access"; flow:to_server,established; uricontent:"/default_header.php"; nocase; reference:bugtraq,6597; classtype:web-application-activity;
sid:2363; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Cyboards options_form.php access"; flow:to_server,established; uricontent:"/options_form.php"; nocase; reference:bugtraq,6597; classtype:web-application-activity; sid:2364; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP newsPHP Language file include attempt"; flow:to_server,established; uricontent:"/nphpd.php"; nocase; content:"LangFile"; nocase; reference:bugtraq,8488; classtype:web-application-activity; sid:2365; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/authentication_index.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2366; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/functions.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2367; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/config_gedcom.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2368; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Photopost PHP Pro showphoto.php access"; flow:to_server,established; uricontent:"/showphoto.php"; nocase; reference:bugtraq,9557; classtype:web-application-activity; sid:2372; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP /_admin access"; flow:to_server,established;
uricontent:"/_admin/"; nocase; reference:bugtraq,9537; reference:nessus,12032; classtype:web-application-activity; sid:2393; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WAnewsletter newsletter.php file include attempt"; flow:to_server,established; uricontent:"newsletter.php"; nocase; content:"waroot"; nocase; content:"start.php"; nocase; reference:bugtraq,6965; classtype:web-application-attack; sid:2398; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WAnewsletter db_type.php access"; flow:to_server,established; uricontent:"/sql/db_type.php"; nocase; reference:bugtraq,6964; classtype:web-application-activity; sid:2399; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phptest.php access"; flow:to_server,established; uricontent:"/phptest.php"; nocase; reference:bugtraq,9737; classtype:web-application-activity; sid:2405; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IGeneric Free Shopping Cart page.php access"; flow:to_server,established; uricontent:"/page.php"; nocase; reference:bugtraq,9773; classtype:web-application-activity; sid:2410; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP modules.php access"; flow:to_server,established; uricontent:"/modules.php"; nocase; reference:bugtraq,9879; classtype:web-application-activity; sid:2565; rev:1;)
-
-
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPBB viewforum.php access"; flow:to_server,established; uricontent:"/viewforum.php"; nocase; reference:bugtraq,9865; reference:bugtraq,9866; reference:nessus,12093; classtype:web-application-activity; sid:2566; rev:4;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Opt-X header.php remote file include attempt"; flow:to_server,established; uricontent:"/header.php"; nocase; content:"systempath="; pcre:"/systempath=(http|https|ftp)/i"; reference:bugtraq,9732;
classtype:web-application-attack; sid:2575; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TUTOS path disclosure attempt"; flow:to_server,established; uricontent:"/note_overview.php"; content:"id="; reference:bugtraq,10129; reference:url,www.securiteam.com/unixfocus/5FP0J15CKE.html; classtype:web-application-activity; sid:2588; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP PHPNuke Forum viewtopic SQL insertion attempt"; flow:to_server,established; uricontent:"/modules.php"; nocase; content:"name=Forums"; content:"file=viewtopic"; pcre:"/forum=.*'/"; reference:bugtraq,7193; classtype:web-application-attack; sid:2654; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV base directory manipulation"; flow:to_server,established; uricontent:"_conf.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; classtype:web-application-attack; sid:2926; rev:1;)
diff -Nru snort-2.8.5.2/rules/x11.rules snort-2.9.2/rules/x11.rules
--- snort-2.8.5.2/rules/x11.rules 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/rules/x11.rules 1970-01-01 00:00:00.000000000 +0000
@@ -1,24 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: x11.rules,v 1.19.2.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $
-#----------
-# X11 RULES
-#----------
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1"; reference:arachnids,396; classtype:attempted-user; sid:1225; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flow:established; content:"l|00 0B 00 00 00 00 00 00 00 00 00|"; reference:arachnids,395; classtype:unknown; sid:1226; rev:4;)
diff -Nru snort-2.8.5.2/schemas/Makefile.in snort-2.9.2/schemas/Makefile.in
--- snort-2.8.5.2/schemas/Makefile.in 2009-10-19 21:17:58.000000000 +0000
+++ snort-2.9.2/schemas/Makefile.in 2011-12-07 19:23:17.000000000 +0000
@@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -15,8 +16,9 @@ @SET_MAKE@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c @@ -41,6 +43,7 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = depcomp = am__depfiles_maybe = SOURCES = @@ -55,31 +58,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ 
@@ -92,12 +95,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ @@ -105,20 +114,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -150,6 +166,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -162,6 +179,7 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies 
@@ -179,14 +197,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign schemas/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign schemas/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign schemas/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign schemas/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -204,6 +222,7 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): mostlyclean-libtool: -rm -f *.lo @@ -233,13 +252,17 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done 
@@ -267,6 +290,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -285,6 +309,8 @@ html: html-am +html-am: + info: info-am info-am: @@ -293,18 +319,28 @@ install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am @@ -338,6 +374,7 @@ maintainer-clean-generic mostlyclean mostlyclean-generic \ mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/snort.8 snort-2.9.2/snort.8 --- snort-2.8.5.2/snort.8 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/snort.8 2011-12-07 17:58:22.000000000 +0000 @@ -2,11 +2,11 @@ .\" groff -man -Tascii snort.8 .\" .\" $Id$ -.TH SNORT 8 "February 2009" +.TH SNORT 8 "December 2011" .SH NAME Snort \- open source network intrusion detection system .SH SYNOPSIS -.B snort [-bCdDeEfHIMNoOpqQsTUvVwWxXy?] [-A +.B snort [-bCdDeEfHIMNOpqQsTUvVwWxXy?] [-A .I alert-mode .B ] [-B .I address-conversion-mask @@ -15,15 +15,13 @@ .B ] [-F .I bpf-file .B ] [-g -.I grpname +.I group-name .B ] [-G .I id .B ] [-h .I home-net .B ] [-i .I interface -.B ] [-J -.I port .B ] [-k .I checksum-mode .B ] [-K @@ -37,7 +35,7 @@ .B ] [-n .I packet-count .B ] [-P -.I snap-length +.I snap-length .B ] [-r .I tcpdump-file .B ] [-R @@ -47,7 +45,7 @@ .B ] [-t .I chroot_directory .B ] [-u -.I usrname +.I user-name .B ] [-Z .I pathname .B ] [--logid 
@@ -57,7 +55,7 @@ .B ] [--pid-path .I pathname .B ] [--snaplen -.I snap-length +.I snap-length .B ] [--help .B ] [--version .B ] [--dynamic-engine-lib @@ -76,10 +74,11 @@ .I directory .B ] [--alert-before-pass .B ] [--treat-drop-as-alert +.B ] [--treat-drop-as-ignore .B ] [--process-all-events +.B ] [--enable-inline-test .B ] [--create-pidfile .B ] [--nolock-pidfile -.B ] [--disable-inline-initialization .B ] [--pcap-single= .I tcpdump-file .B ] [--pcap-filter= 
@@ -93,74 +92,87 @@ .B ] [--pcap-no-filter .B ] [--pcap-reset .B ] [--pcap-show +.B ] [--exit-check .I count .B ] [--conf-error-out .B ] [--require-rule-sid +.B ] [--daq +.I type +.B ] [--daq-mode +.I mode +.B ] [--daq-var +.I name=value +.B ] [--daq-dir +.I dir +.B ] [--daq-list +.I [dir] +.B ] [--cs-dir +.I dir .B ] .I expression .SH DESCRIPTION .B Snort -is an open source network intrusion detection system, capable of performing -real-time traffic analysis and packet logging on IP networks. It can perform -protocol analysis, content searching/matching and can be used to detect a -variety of attacks and probes, such as buffer overflows, stealth port scans, +is an open source network intrusion detection system, capable of performing +real-time traffic analysis and packet logging on IP networks. It can perform +protocol analysis, content searching/matching and can be used to detect a +variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses -a flexible rules language to describe traffic that it should collect or pass, +a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort also has a modular real-time alerting capability, incorporating alerting -and logging plugins for syslog, a ASCII text files, UNIX sockets, database +and logging plugins for syslog, a ASCII text files, UNIX sockets, database (Mysql/PostgreSQL/Oracle/ODBC) or XML. .PP Snort has three primary uses. It can be used as a straight packet sniffer like .BR tcpdump (1), -a packet logger (useful for network traffic debugging, etc), or as a full +a packet logger (useful for network traffic debugging, etc), or as a full blown network intrusion detection system. 
.PP -Snort logs packets in +Snort logs packets in .BR tcpdump (1) -binary format, to a database or in Snort's decoded ASCII format to a hierarchy -of logging directories that are named based on the IP address of the "foreign" +binary format, to a database or in Snort's decoded ASCII format to a hierarchy +of logging directories that are named based on the IP address of the "foreign" host. .SH OPTIONS .IP "-A alert-mode" Alert using the specified .I alert-mode. -Valid alert modes include +Valid alert modes include .B fast, full, none, and .B unsock. -.B Fast +.B Fast writes alerts to the default "alert" file in a single-line, syslog style alert -message. -.B Full -writes the alert to the "alert" file with the full decoded header as well as -the alert message. +message. +.B Full +writes the alert to the "alert" file with the full decoded header as well as +the alert message. .B None -turns off alerting. -.B Unsock +turns off alerting. +.B Unsock is an experimental mode that sends the alert information out over a UNIX socket to another process that attaches to that socket. .IP -b Log packets in a .BR tcpdump (1) formatted file. All packets are logged in their native binary state to a -tcpdump formatted log file named with the snort start timestamp and +tcpdump formatted log file named with the snort start timestamp and "snort.log". This option results in much faster operation of the program since it doesn't have to spend time in the packet binary->text converters. Snort can keep up pretty well with 100Mbps networks in '-b' mode. To choose an alternate name for the binary log file, use the '-L' switch. .IP "-B address-conversion-mask" Convert all IP addresses in -.I home-net +.I home-net to addresses specified by -.I address-conversion-mask. +.I address-conversion-mask. Used to obfuscate IP addresses within binary logs. Specify .I home-net with the '-h' switch. Note this is .B not the same as $HOME_NET. 
.IP "-c config-file" -Use the rules located in file +Use the rules located in file .I config-file. .IP -C Print the character data from the packet payload only (no hex). @@ -168,7 +180,7 @@ Dump the application layer data when displaying packets in verbose or packet logging mode. .IP -D -Run Snort in daemon mode. Alerts are sent to /var/log/snort/alert unless +Run Snort in daemon mode. Alerts are sent to /var/log/snort/alert unless otherwise specified. .IP -e Display/log the link layer packet headers. 
@@ -178,79 +190,77 @@ .IP -f Activate PCAP line buffering .IP "-F bpf-file" -Read BPF filters from +Read BPF filters from .I bpf-file. This is handy for people running Snort as a SHADOW replacement or with a love -Of super complex BPF filters. See the "expressions" section of this man page -for more info on writing BPF fileters. +Of super complex BPF filters. See the "expressions" section of this man page +for more info on writing BPF filters. .IP "-g group" -Change the group/GID Snort runs under to +Change the group/GID Snort runs under to .I group -after initialization. This switch allows Snort to drop root priveleges after +after initialization. This switch allows Snort to drop root privileges after it's initialization phase has completed as a security measure. .IP "-G id" Use id as a base event ID when logging events. Useful for distinguishing events logged to the same database from multiple snort instances. .IP "-h home-net" -Set the "home network" to +Set the "home network" to .I home-net. The format of this address variable is a network prefix plus a CIDR block, such as 192.168.1.0/24. Once this variable is set, all decoded packet logging will be done relative to the home network address space. This is useful because of -the way that Snort formats its ASCII log data. With this value set to the +the way that Snort formats its ASCII log data. With this value set to the local network, all decoded output will be logged into decode directories with the address of the foreign computer as the directory name, which is -very useful during traffic analysis. +very useful during traffic analysis. This option does not change "$HOME_NET" in +IDS mode. .IP "-H" Force hash tables to be deterministic instead of using a random number generator for the seed & scale. Useful for testing and generating repeatable results with the same traffic. .IP "-i interface" -Sniff packets on +Sniff packets on .I interface. .IP "-I" Print out the receiving interface name in alerts. 
-.IP "-J port" -Use port to read packets when running inline mode on system with divert -socket. .IP "-k checksum-mode" Tune the internal checksum verification functionality with .I alert-mode. -Valid checksum modes include +Valid checksum modes include .B all, noip, notcp, noudp, noicmp, and .B none. -.B All +.B All activates checksum verification for all supported protocols. .B Noip -turns off IP checksum verification, which is handy if the gateway router is +turns off IP checksum verification, which is handy if the gateway router is already dropping packets that fail their IP checksum checks. .B Notcp -turns off TCP checksum verification, all other checksum modes are +turns off TCP checksum verification, all other checksum modes are .B on. .B noudp turns off UDP checksum verification. .B Noicmp -turns off ICMP checksum verification. +turns off ICMP checksum verification. .B None turns off the entire checksum verification subsystem. .IP "-K logging-mode" Select a packet logging mode. The default is pcap. .I logging-mode. -Valid logging modes include +Valid logging modes include .B pcap, ascii, and .B none. -.B Pcap +.B Pcap logs packets through the pcap library into pcap (tcpdump) format. -.B Ascii +.B Ascii logs packets in the old "directories and files" format with packet printouts in each file. .B None Turns off packet logging. .IP "-l log-dir" -Set the output logging directory to +Set the output logging directory to .I log-dir. -All plain text alerts and packet logs go into this directory. If this option +All plain text alerts and packet logs go into this directory. If this option is not specified, the default logging directory is set to /var/log/snort. .IP "-L binary-log-file" Set the filename of the binary log file to 
@@ -258,13 +268,13 @@ If this switch is not used, the default name is a timestamp for the time that the file is created plus "snort.log". .IP "-m umask" -Set the file mode creation mask to +Set the file mode creation mask to .I umask .IP "-M" Log console messages to syslog when not running daemon mode. This switch has no impact on logging of alerts. .IP "-n packet-count" -Process +Process .I packet-count packets and exit. .IP -N @@ -278,18 +288,18 @@ .IP -p Turn off promiscuous mode sniffing. .IP "-P snap-length" -Set the packet snaplen to -.I snap-length -\&. By default, this is set to 1514. +Set the packet snaplen to +.I snap-length. +By default, this is set to 1514. .IP "-q" Quiet operation. Don't display banner and initialization information. .IP "-Q" -Read packets from iptables/IPQ (Linux only) when running in-line mode. +Enable inline mode operation. .IP "-r tcpdump-file" -Read the tcpdump-formatted file +Read the tcpdump-formatted file .I tcpdump-file. This will cause Snort to read and process the file fed to it. This is -useful if, for instance, you've got a bunch of SHADOW files that you want to +useful if, for instance, you've got a bunch of SHADOW files that you want to process for content, or even if you've got a bunch of reassembled packet fragments which have been written into a tcpdump formatted file. .IP "-R name" 
@@ -298,13 +308,13 @@ Send alert messages to syslog. On linux boxen, they will appear in /var/log/secure, /var/log/messages on many other platforms. .IP "-S variable=value" -Set variable name "variable" to value "value". This is useful for setting the -value of a defined variable name in a Snort rules file to a command line -specified value. For instance, if you define a HOME_NET variable name inside -of a Snort rules file, you can set this value from it's predefined value at the +Set variable name "variable" to value "value". This is useful for setting the +value of a defined variable name in a Snort rules file to a command line +specified value. For instance, if you define a HOME_NET variable name inside +of a Snort rules file, you can set this value from it's predefined value at the command line. .IP "-t chroot" -Changes Snort's root directory to +Changes Snort's root directory to .I chroot after initialization. Please note that all log/alert filenames are relative to the chroot directory if chroot is used. @@ -314,14 +324,14 @@ indicating that everything is ready to proceed. This is a good switch to use if daemon mode is going to be used, it verifies that the Snort configuration that is about to be used is valid and won't fail at -run time. Note, Snort looks for either /etc/snort.conf or ./snort.conf. -If your config lives elsewhere, use the -c option to specify a valid +run time. Note, Snort looks for either /etc/snort.conf or ./snort.conf. +If your config lives elsewhere, use the -c option to specify a valid .I config-file. .IP "-u user" Change the user/UID Snort runs under to .I user after initialization. -.IP -U +.IP -U Changes the timestamp in all logs to be in UTC .IP -v Be verbose. Prints packets out to the console. There is one big problem with 
@@ -381,27 +391,27 @@ Default is pass before alert, drop, etc. .IP "--treat-drop-as-alert" Converts drop, sdrop, and reject rules into alert rules during startup. +.IP "--treat-drop-as-ignore" +Use drop, sdrop, and reject rules to ignore session traffic when not inline. .IP "--process-all-events" Process all triggered events in group order, per Rule Ordering configuration. Default stops after first group. +.IP "--enable-inline-test" +Enable Inline-Test Mode Operation. .IP "--pid-path directory" Specify the path for Snort's PID file. .IP "--create-pidfile" Create PID file, even when not in Daemon mode. .IP "--nolock-pidfile" Do not try to lock Snort PID file. -.IP "--disable-inline-initialization" -Do not initialize IPTables when in inline mode. To be used with -T -to test for a valid configuration without requiring opening inline -devices and adversely affecting traffic flow. .IP "--pcap-single=\fItcpdump-file\fP" Same as -r. Added for completeness. .IP "--pcap-filter=\fIfilter\fP" Shell style filter to apply when getting pcaps from file or directory. This filter will apply to any --pcap-file or --pcap-dir arguments following. Use ---pcap-no-filter to delete filter for following ---pcap-file or --pcap-dir arguments or specifiy +--pcap-no-filter to delete filter for following +--pcap-file or --pcap-dir arguments or specify --pcap-filter again to forget previous filter and to apply to following --pcap-file or --pcap-dir arguments. .IP "--pcap-list=\fI""list""\fP" @@ -409,7 +419,7 @@ .IP "--pcap-dir=\fIdirectory\fP" A directory to recurse to look for pcaps. Sorted in ascii order. .IP "--pcap-file=\fIfile\fP" -File that contains a list of pcaps to read. Can specifiy path to +File that contains a list of pcaps to read. Can specify path to pcap or directory to recurse to get pcaps. .IP "--pcap-no-filter" Reset to use no filter when getting pcaps from file or directory. 
@@ -420,12 +430,24 @@ .IP "--pcap-show" Print a line saying what pcap is currently being read. .IP "--exit-check=\fIcount\fP" -Signal termination after <count> callbacks from pcap_dispatch(), showing the -time it takes from signaling until pcap_close() is called. +Signal termination after <count> callbacks from DAQ_Acquire(), showing the +time it takes from signaling until DAQ_Stop() is called. .IP "--conf-error-out" Same as -x. .IP "--require-rule-sid" -Require an SID for every rule to be correctly hreshold all rules. +Require an SID for every rule to be correctly threshold all rules. +.IP "--daq <type>" +Select packet acquisition module (default is pcap). +.IP "--daq-mode <mode>" +Select the DAQ operating mode. +.IP "--daq-var <name=value>" +Specify extra DAQ configuration variable. +.IP "--daq-dir <dir>" +Tell Snort where to find desired DAQ. +.IP "--daq-list [<dir>]" +List packet acquisition modules available in dir. +.IP "--cs-dir <dir>" +Tell Snort to use control socket and create the socket in dir. .IP "\fI expression\fP" .RS @@ -523,7 +545,7 @@ which may be either an address or a name. .IP "\fBsrc host \fIhost\fR" True if the IP source field of the packet is \fIhost\fP. -.IP "\fBhost \fIhost\fP +.IP "\fBhost \fIhost\fP" True if either the IP source or destination of the packet is \fIhost\fP. Any of the above host expressions can be prepended with the keywords, \fBip\fP, \fBarp\fP, or \fBrarp\fP as in: 
@@ -540,16 +562,16 @@ .in -.5i If \fIhost\fR is a name with multiple IP addresses, each address will be checked for a match. -.IP "\fBether dst \fIehost\fP +.IP "\fBether dst \fIehost\fP" True if the ethernet destination address is \fIehost\fP. \fIEhost\fP may be either a name from /etc/ethers or a number (see .IR ethers (3N) for numeric format). -.IP "\fBether src \fIehost\fP +.IP "\fBether src \fIehost\fP" True if the ethernet source address is \fIehost\fP. -.IP "\fBether host \fIehost\fP +.IP "\fBether host \fIehost\fP" True if either the ethernet source or destination address is \fIehost\fP. -.IP "\fBgateway\fP \fIhost\fP +.IP "\fBgateway\fP \fIhost\fP" True if the packet used \fIhost\fP as a gateway. I.e., the ethernet source or destination address was \fIhost\fP but neither the IP source nor the IP destination was \fIhost\fP. \fIHost\fP must be a name and @@ -764,7 +786,7 @@ easier to pass it as a single, quoted argument. Multiple arguments are concatenated with spaces before being parsed. .SH READING PCAPS -Instead of having Snort listen on an interface, you can give it a packet +Instead of having Snort listen on an interface, you can give it a packet capture to read. Snort will read and analyze the packets as if they came off the wire. This can be useful for testing and debugging Snort. @@ -791,7 +813,7 @@ $ snort --pcap-file=foo.txt This will read foo1.pcap, foo2.pcap and all files under /home/foo/pcaps. -Note that Snort will not try to determine whether the files under that +Note that Snort will not try to determine whether the files under that directory are really pcap files or not. .RE 0 @@ -846,7 +868,7 @@ In this example, the first filter will be applied to foo.txt, then no filter will be applied to the files found under /home/foo/pcaps, -so all files found under /home/foo/pcaps will be included. +so all files found under /home/foo/pcaps will be included. $ snort --pcap-filter="*.pcap --pcap-file=foo.txt \\ .PP 
@@ -857,7 +879,7 @@ In this example, the first filter will be applied to foo.txt, then no filter will be applied to the files found under /home/foo/pcaps, so all files found under /home/foo/pcaps will be included, then the -filter "*.cap" will be applied to files found under /home/foo/pcaps2. +filter "*.cap" will be applied to files found under /home/foo/pcaps2. .RE 0 \fBResetting state\fR @@ -865,8 +887,8 @@ .RS 5 $ snort --pcap-dir=/home/foo/pcaps --pcap-reset -The above example will read all of the files under /home/foo/pcaps, but -after each pcap is read, Snort will be reset to a post-configuration +The above example will read all of the files under /home/foo/pcaps, but +after each pcap is read, Snort will be reset to a post-configuration state, meaning all buffers will be flushed, statistics reset, etc. For each pcap, it will be like Snort is seeing traffic for the first time. 
@@ -881,28 +903,34 @@ .RE 0 .PD .SH RULES -Snort uses a simple but flexible rules language to describe network packet +Snort uses a simple but flexible rules language to describe network packet signatures and associate them with actions. The current rules document can -be found at http://www.snort.org/snort_rules.html. +be found at http://www.snort.org/snort-rules. .SH NOTES The following signals have the specified effect when sent to the daemon process using the \fBkill(1)\fR command: .PP .IP SIGHUP Causes the daemon to close all opened files and restart. Please \fBnote\fR that this will only work if the \fBfull\fR pathname is -used to invoke snort in daemon mode, otherwise snort will just exit with an -error message being sent to -.B syslogd(8) -. -.PP +used to invoke snort in daemon mode, otherwise snort will just exit with an +error message being sent to \fBsyslogd(8)\fR. +.PP .IP SIGUSR1 Causes the program to dump its current packet statistical information to the -console or -.B syslogd(8) -if in daemon mode. -. +console or \fBsyslogd(8)\fR if in daemon mode. +.PP +.IP SIGUSR2 +Causes the program to rotate Perfmonitor statistical information to the +console or \fBsyslogd(8)\fR if in daemon mode. +.PP +.IP SIGURG +Causes the program to reload attribute table. +.PP +.IP SIGCHLD +Used internally. .PP -Any other signal causes the daemon to close all opened files and exit. +Please refer to manual for more details. Any other signal might cause the +daemon to close all opened files and exit. .SH HISTORY .B Snort diff -Nru snort-2.8.5.2/snort.pc.in snort-2.9.2/snort.pc.in --- snort-2.8.5.2/snort.pc.in 2009-05-07 19:02:54.000000000 +0000 +++ snort-2.9.2/snort.pc.in 2011-06-08 00:32:59.000000000 +0000 
@@ -3,6 +3,7 @@
 bindir=@bindir@
 libdir=@libdir@
 includedir=@includedir@
+datarootdir=@datarootdir@
 datadir=@datadir@
 mandir=@infodir@
 infodir=@infodir@
diff -Nru snort-2.8.5.2/src/active.c snort-2.9.2/src/active.c
--- snort-2.8.5.2/src/active.c 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/active.c 2011-10-26 18:28:52.000000000 +0000
@@ -0,0 +1,484 @@
+/* $Id$ */
+/****************************************************************************
+ *
+ * Copyright (C) 2005-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+// @file active.c
+// @author Russ Combs <rcombs@sourcefire.com>
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#ifdef HAVE_DUMBNET_H
+#include <dumbnet.h>
+#else
+#include <dnet.h>
+#endif
+
+#include "active.h"
+#include "stream_api.h"
+#include "snort.h"
+
+#include "preprocessors/spp_frag3.h"
+
+#ifdef ACTIVE_RESPONSE
+#include "encode.h"
+#include "sfdaq.h"
+#endif
+
+// these can't be pkt flags because we do the handling
+// of these flags following all processing and the drop
+// or response may have been produced by a pseudopacket.
+tActiveDrop active_drop_pkt = ACTIVE_ALLOW;
+int active_drop_ssn = 0;
+// TBD consider performance of replacing active_drop_pkt/ssn
+// with a active_verdict. change over if it is a wash or better.
+
+#ifdef ACTIVE_RESPONSE
+int active_have_rsp = 0;
+
+#define MAX_ATTEMPTS 20
+static uint8_t s_attempts = 0;
+static int s_enabled = 0;
+
+static eth_t* s_link = NULL;
+static ip_t* s_ipnet = NULL;
+
+static void* s_rejData, *s_rspData;
+static Active_ResponseFunc s_rejFunc = NULL, s_rspFunc = NULL;
+
+static int Active_Open(const char*);
+static int Active_Close(void);
+
+static int Active_SendEth(const DAQ_PktHdr_t*, int, const uint8_t*, uint32_t);
+static int Active_SendIp(const DAQ_PktHdr_t*, int, const uint8_t*, uint32_t);
+
+typedef int (*send_t) (
+ const DAQ_PktHdr_t* h, int rev, const uint8_t* buf, uint32_t len);
+static send_t s_send = DAQ_Inject;
+static uint64_t s_injects = 0;
+
+static inline PROTO_ID GetInnerProto (const Packet* p)
+{
+ if ( !p->next_layer ) return PROTO_MAX;
+ return ( p->layers[p->next_layer-1].proto );
+}
+
+//--------------------------------------------------------------------
+// this implementation ensures that flexible responses
+// take precedence over active responses.
+
+int Active_QueueReject (void)
+{
+ if ( !s_rejFunc )
+ {
+ s_rejFunc = (Active_ResponseFunc)Active_KillSession;
+ s_rejData = NULL;
+ active_have_rsp = 1;
+ }
+ return 0;
+}
+
+int Active_QueueResponse (Active_ResponseFunc f, void* pv)
+{
+ if ( !s_rspFunc )
+ {
+ s_rspFunc = f;
+ s_rspData = pv;
+ active_have_rsp = 1;
+ }
+ return 0;
+}
+
+// helper function
+static inline void Active_ClearQueue (void)
+{
+ s_rejFunc = s_rspFunc = NULL;
+ s_rejData = s_rspData = NULL;
+}
+
+int Active_ResetQueue ()
+{
+ Active_ClearQueue();
+ return 0;
+}
+
+int Active_SendResponses (Packet* p)
+{
+ if ( s_rspFunc )
+ {
+ s_rspFunc(p, s_rspData);
+ }
+ else if ( s_rejFunc )
+ {
+ s_rejFunc(p, s_rejData);
+ }
+ else
+ {
+ return 0;
+ }
+ if ( p->ssnptr && stream_api )
+ {
+ stream_api->init_active_response(p, p->ssnptr);
+ }
+ Active_ClearQueue();
+ return 1;
+}
+
+//--------------------------------------------------------------------
+
+void Active_KillSession (Packet* p, EncodeFlags* pf)
+{
+ EncodeFlags flags = pf ? *pf : ENC_FLAG_FWD;
+
+ switch ( GET_IPH_PROTO(p) )
+ {
+ case IPPROTO_TCP:
+ Active_SendReset(p, 0);
+ if ( flags & ENC_FLAG_FWD )
+ Active_SendReset(p, ENC_FLAG_FWD);
+ break;
+
+ default:
+ Active_SendUnreach(p, ENC_UNR_PORT);
+ break;
+ }
+}
+
+//--------------------------------------------------------------------
+
+int Active_Init (SnortConfig* sc)
+{
+ s_attempts = sc->respond_attempts;
+ if ( s_attempts > MAX_ATTEMPTS ) s_attempts = MAX_ATTEMPTS;
+ if ( s_enabled && !s_attempts ) s_attempts = 1;
+
+ if ( s_enabled && (!DAQ_CanInject() || sc->respond_device) )
+ {
+
+ if ( ScReadMode() || Active_Open(sc->respond_device) )
+ {
+ LogMessage("WARNING: active responses disabled since DAQ "
+ "can't inject packets.\n");
+#ifndef REG_TEST
+ s_attempts = s_enabled = 0;
+#endif
+ }
+
+ if (NULL != sc->eth_dst)
+ Encode_SetDstMAC(sc->eth_dst);
+ }
+ return 0;
+}
+
+int Active_Term (void)
+{
+ Active_Close();
+ return 0;
+}
+
+int Active_IsEnabled (void) { return s_enabled; }
+
+void Active_SetEnabled (int on_off) { s_enabled = on_off; }
+
+static inline uint32_t GetFlags (void)
+{
+ uint32_t flags = ENC_FLAG_ID;
+ if ( DAQ_RawInjection() || s_ipnet ) flags |= ENC_FLAG_RAW;
+ return flags;
+}
+
+//--------------------------------------------------------------------
+
+static uint32_t Strafe(int, uint32_t, const Packet*);
+
+void Active_SendReset(Packet* p, EncodeFlags ef)
+{
+ int i;
+ uint32_t flags = (GetFlags() | ef) & ~ENC_FLAG_VAL;
+ uint32_t value = ef & ENC_FLAG_VAL;
+
+ for ( i = 0; i < s_attempts; i++ )
+ {
+ uint32_t len = 0;
+ const uint8_t* rej;
+
+ value = Strafe(i, value, p);
+
+ rej = Encode_Reject(ENC_TCP_RST, flags|value, p, &len);
+ if ( !rej ) return;
+
+ s_send(p->pkth, !(ef & ENC_FLAG_FWD), rej, len);
+ }
+}
+
+void Active_SendUnreach(Packet* p, EncodeType type)
+{
+ uint32_t len;
+ const uint8_t* rej;
+ uint32_t flags = GetFlags();
+
+ if ( !s_attempts )
+ return;
+
+ rej = Encode_Reject(type, flags, p, &len);
+ if ( !rej ) return;
+
+ s_send(p->pkth, 1, rej, len);
+}
+
+void Active_SendData (
+ Packet* p, EncodeFlags flags, const uint8_t* buf, uint32_t blen)
+{
+ int i;
+ flags |= GetFlags();
+
+ for ( i = 0; i < s_attempts; i++ )
+ {
+ uint32_t plen = 0;
+ const uint8_t* seg;
+
+ flags &= ~ENC_FLAG_VAL;
+ flags |= (i & ENC_FLAG_VAL);
+
+ seg = Encode_Response(ENC_TCP_FIN, flags, p, &plen, buf, blen);
+
+ if ( !seg ) return;
+ s_send(p->pkth, !(flags & ENC_FLAG_FWD), seg, plen);
+ }
+}
+
+//--------------------------------------------------------------------
+
+int Active_IsRSTCandidate(const Packet* p)
+{
+ if ( GetInnerProto(p) != PROTO_TCP )
+ return 0;
+
+ if ( !p->tcph )
+ return 0;
+
+ /*
+ ** This ensures that we don't reset packets that we just
+ ** spoofed ourselves, thus inflicting a self-induced DOS
+ ** attack.
+ */
+ return ( p->tcph->th_flags != TH_RST );
+}
+
+int Active_IsUNRCandidate(const Packet* p)
+{
+ // FIXTHIS allow unr to tcp/udp/icmp4/icmp6 only or for all
+ switch ( GetInnerProto(p) ) {
+ case PROTO_UDP:
+ case PROTO_TCP:
+ case PROTO_ICMP4:
+#ifdef SUP_IP6
+ case PROTO_ICMP6:
+#endif
+ return 1;
+
+ default:
+ break;
+ }
+ return 0;
+}
+
+//--------------------------------------------------------------------
+// TBD strafed sequence numbers could be divided by window
+// scaling if present.
+
+static uint32_t Strafe (int i, uint32_t flags, const Packet* p)
+{
+ flags &= ENC_FLAG_VAL;
+
+ switch ( i ) {
+ case 0:
+ flags |= ENC_FLAG_SEQ;
+ break;
+
+ case 1:
+ flags = p->dsize;
+ flags &= ENC_FLAG_VAL;
+ flags |= ENC_FLAG_SEQ;
+ break;
+
+ case 2:
+ case 3:
+ flags += (p->dsize << 1);
+ flags &= ENC_FLAG_VAL;
+ flags |= ENC_FLAG_SEQ;
+ break;
+
+ case 4:
+ flags += (p->dsize << 2);
+ flags &= ENC_FLAG_VAL;
+ flags |= ENC_FLAG_SEQ;
+ break;
+
+ default:
+ flags += (ntohs(p->tcph->th_win) >> 1);
+ flags &= ENC_FLAG_VAL;
+ flags |= ENC_FLAG_SEQ;
+ break;
+ }
+ return flags;
+}
+#endif // ACTIVE_RESPONSE
+
+//--------------------------------------------------------------------
+// support for decoder and rule actions
+
+static inline void _Active_DoIgnoreSession(Packet *p)
+{
+ if ( ScInlineMode() || ScTreatDropAsIgnore() )
+ {
+ if (p->ssnptr && stream_api)
+ {
+ stream_api->drop_packet(p);
+ }
+
+ //drop this and all following fragments
+ frag3DropAllFragments(p);
+ }
+}
+
+int Active_IgnoreSession (Packet* p)
+{
+ Active_DropPacket();
+
+ _Active_DoIgnoreSession(p);
+
+ return 0;
+}
+
+int Active_ForceDropAction(Packet *p)
+{
+ // explicitly drop packet
+ Active_ForceDropPacket();
+
+ _Active_DoIgnoreSession(p);
+ return 0;
+}
+
+static inline int _Active_DoReset(Packet *p)
+{
+#ifdef ACTIVE_RESPONSE
+ if ( !Active_IsEnabled() )
+ return 0;
+
+ if ( !IPH_IS_VALID(p) )
+ return 0;
+
+ switch ( GET_IPH_PROTO(p) )
+ {
+ case IPPROTO_TCP:
+ if ( Active_IsRSTCandidate(p) )
+ Active_QueueReject();
+ break;
+
+ // FIXTHIS send unr to udp/icmp4/icmp6 only or for all non-tcp?
+ case IPPROTO_UDP:
+ case IPPROTO_ICMP:
+ case IPPROTO_ICMPV6:
+ if ( Active_IsUNRCandidate(p) )
+ Active_QueueReject();
+ break;
+ }
+#endif
+
+ return 0;
+}
+
+int Active_DropAction (Packet* p)
+{
+ Active_IgnoreSession(p);
+
+ return _Active_DoReset(p);
+}
+
+int Active_ForceDropResetAction(Packet *p)
+{
+ Active_ForceDropAction(p);
+
+ return _Active_DoReset(p);
+}
+
+//--------------------------------------------------------------------
+// support for non-DAQ injection
+
+#ifdef ACTIVE_RESPONSE
+static int Active_Open (const char* dev)
+{
+ if ( dev && strcasecmp(dev, "ip") )
+ {
+ s_link = eth_open(dev);
+
+ if ( !s_link )
+ FatalError("%s: can't open %s!\n",
+ "Active response", dev);
+ s_send = Active_SendEth;
+ }
+ else
+ {
+ s_ipnet = ip_open();
+
+ if ( !s_ipnet )
+ FatalError("%s: can't open ip!\n",
+ "Active response");
+ s_send = Active_SendIp;
+ }
+ return ( s_link || s_ipnet ) ? 0 : -1;
+}
+
+static int Active_Close (void)
+{
+ if ( s_link )
+ eth_close(s_link);
+
+ if ( s_ipnet )
+ ip_close(s_ipnet);
+
+ s_link = NULL;
+ s_ipnet = NULL;
+
+ return 0;
+}
+
+static int Active_SendEth (
+ const DAQ_PktHdr_t* h, int rev, const uint8_t* buf, uint32_t len)
+{
+ ssize_t sent = eth_send(s_link, buf, len);
+ s_injects++;
+ return ( (uint32_t) sent != len );
+}
+
+static int Active_SendIp (
+ const DAQ_PktHdr_t* h, int rev, const uint8_t* buf, uint32_t len)
+{
+ ssize_t sent = ip_send(s_ipnet, buf, len);
+ s_injects++;
+ return ( (uint32_t) sent != len );
+}
+
+uint64_t Active_GetInjects (void) { return s_injects; }
+#endif
+
diff -Nru snort-2.8.5.2/src/active.h snort-2.9.2/src/active.h
--- snort-2.8.5.2/src/active.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/active.h 2011-10-26 18:28:52.000000000 +0000
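Review bot: `Strafe`'s `default` arm reads `p->tcph->th_win` without checking `p->tcph`, and it is reached from `Active_SendReset` on the fifth and later attempts (`s_attempts` is capped at `MAX_ATTEMPTS`, 20); inside this file the path is guarded because `_Active_DoReset` only queues `Active_KillSession` after `Active_IsRSTCandidate` has checked `p->tcph`, but `Active_SendReset` is exported through active.h, so the guard lives in a different function from the dereference. Making the arm self-protecting, `flags += p->tcph ? (ntohs(p->tcph->th_win) >> 1) : 0;`, keeps the strafing sequence for TCP and removes the null dereference for any other caller. Separately, `Active_IsRSTCandidate` excludes only a packet whose flags are exactly `TH_RST`, so a RST|ACK is still treated as a candidate; if the comment above it about not resetting our own spoofed packets is the intent, `return !(p->tcph->th_flags & TH_RST);` is the stricter test (whether Encode_Reject emits RST|ACK is not visible here). `Active_SendEth` and `Active_SendIp` leave `h` and `rev` unused; `(void)h; (void)rev;` or a one-line comment on why the DAQ-style arguments are not needed on the dnet path would keep -Wunused-parameter quiet.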
@@ -0,0 +1,154 @@
+/* $Id$ */
+/****************************************************************************
+ *
+ * Copyright (C) 2005-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+// @file active.h
+// @author Russ Combs <rcombs@sourcefire.com>
+
+#ifndef __ACTIVE_H__
+#define __ACTIVE_H__
+
+#include "decode.h"
+#include "snort.h"
+
+#ifdef ACTIVE_RESPONSE
+#include "encode.h"
+
+int Active_Init(SnortConfig*);
+int Active_Term(void);
+
+typedef void (*Active_ResponseFunc)(Packet*, void* data);
+
+int Active_QueueReject(void);
+int Active_QueueResponse(Active_ResponseFunc, void*);
+int Active_ResetQueue(void);
+
+// this must be called on the wire packet and not a
+// reassembled packet so that encoding is correct.
+int Active_SendResponses(Packet*);
+uint64_t Active_GetInjects(void);
+
+// NULL flags implies ENC_FLAG_FWD
+void Active_KillSession(Packet*, EncodeFlags*);
+
+void Active_SendReset(Packet*, EncodeFlags);
+void Active_SendUnreach(Packet*, EncodeType);
+void Active_SendData(Packet*, EncodeFlags, const uint8_t* buf, uint32_t len);
+
+int Active_IsRSTCandidate(const Packet*);
+int Active_IsUNRCandidate(const Packet*);
+
+int Active_IsEnabled(void);
+void Active_SetEnabled(int on_off);
+#endif // ACTIVE_RESPONSE
+
+typedef enum {
+ ACTIVE_ALLOW = 0,
+ ACTIVE_DROP = 1,
+ ACTIVE_WOULD_DROP = 2,
+ ACTIVE_FORCE_DROP = 3
+} tActiveDrop;
+extern tActiveDrop active_drop_pkt;
+extern int active_drop_ssn;
+#ifdef ACTIVE_RESPONSE
+extern int active_have_rsp;
+#endif
+
+static inline void Active_Reset (void)
+{
+ active_drop_pkt = ACTIVE_ALLOW;
+ active_drop_ssn = 0;
+#ifdef ACTIVE_RESPONSE
+ active_have_rsp = 0;
+#endif
+}
+
+static inline void Active_ForceDropPacket (void)
+{
+ active_drop_pkt = ACTIVE_FORCE_DROP;
+}
+
+static inline void Active_DropPacket (void)
+{
+ if ( active_drop_pkt != ACTIVE_FORCE_DROP )
+ {
+ if ( ScInlineMode() )
+ {
+ active_drop_pkt = ACTIVE_DROP;
+ }
+ else if (ScInlineTestMode())
+ {
+ active_drop_pkt = ACTIVE_WOULD_DROP;
+ }
+ }
+}
+
+static inline void Active_DropSession (void)
+{
+ active_drop_ssn = 1;
+ Active_DropPacket();
+}
+
+static inline int Active_PacketWouldBeDropped (void)
+{
+ return (active_drop_pkt == ACTIVE_WOULD_DROP );
+}
+
+static inline int Active_PacketForceDropped (void)
+{
+ return (active_drop_pkt == ACTIVE_FORCE_DROP );
+}
+
+static inline int Active_PacketWasDropped (void)
+{
+ return ( active_drop_pkt == ACTIVE_DROP ) || Active_PacketForceDropped();
+}
+
+static inline int Active_SessionWasDropped (void)
+{
+ return ( active_drop_ssn != 0 );
+}
+
+#ifdef ACTIVE_RESPONSE
+static inline int Active_ResponseQueued (void)
+{
+ return ( active_have_rsp != 0 );
+}
+#endif
+
+// drops current session with active response invoked
+// for rules with action = drop | sdrop | reject
+int Active_DropAction(Packet*);
+
+// drops current session w/o active response invoked
+// for rules with custom response = resp3 | react
+int Active_IgnoreSession(Packet*);
+
+// force drops the current session w/o active response invoked
+// ignores policy/inline test mode and treat drop as alert
+int Active_ForceDropAction(Packet *p);
+
+// force drops the current session with active response invoked
+// ignores policy/inline test mode and treat drop as alert
+int Active_ForceDropResetAction(Packet *p);
+
+#endif // __ACTIVE_H__
+
diff -Nru snort-2.8.5.2/src/bounds.h snort-2.9.2/src/bounds.h
--- snort-2.8.5.2/src/bounds.h 2009-05-06 22:28:07.000000000 +0000
+++ snort-2.9.2/src/bounds.h 1970-01-01 00:00:00.000000000 +0000
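Review bot: `Active_DropPacket` silently does nothing when Snort is in neither inline nor inline-test mode (the `ScInlineMode()` and `ScInlineTestMode()` branches are its only assignments), yet `Active_DropSession` sets `active_drop_ssn = 1` unconditionally, so in passive mode `Active_SessionWasDropped()` returns true while `Active_PacketWasDropped()` returns false; a comment on `Active_DropPacket` such as `// no-op unless inline or inline-test mode; an ACTIVE_FORCE_DROP verdict is never downgraded` would make that contract explicit for rule and preprocessor callers. The `tActiveDrop` enum and the `Active_Packet*Dropped`/`Active_PacketWouldBeDropped` predicates carry no documentation; one line each naming the verdict they test would help, since `Active_PacketWasDropped` deliberately covers both `ACTIVE_DROP` and `ACTIVE_FORCE_DROP`. `Active_Reset` clears the verdict flags but, going by active.c, not the queued response functions (`Active_ResetQueue` does that), so a note that the two resets are independent would prevent a caller assuming a stale `s_rspFunc` has been cleared. The include guard `__ACTIVE_H__` is a reserved identifier (leading double underscore); `ACTIVE_H` or `SNORT_ACTIVE_H` avoids that.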
@@ -1,184 +0,0 @@
-#ifndef _BOUNDS_H
-#define _BOUNDS_H
-/*
-** Copyright (C) 2003-2009 Sourcefire, Inc.
-** Chris Green <cmg@sourcefire.com>
-**
-** This program is free software; you can redistribute it and/or modify
-** it under the terms of the GNU General Public License Version 2 as
-** published by the Free Software Foundation. You may not use, modify or
-** distribute this program under any other version of the GNU General
-** Public License.
-**
-** This program is distributed in the hope that it will be useful,
-** but WITHOUT ANY WARRANTY; without even the implied warranty of
-** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-** GNU General Public License for more details.
-**
-** You should have received a copy of the GNU General Public License
-** along with this program; if not, write to the Free Software
-** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-**
-*/
-
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#ifdef OSF1
-#include <sys/bitypes.h>
-#endif
-
-#include <string.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <assert.h>
-#include <unistd.h>
-
-#define SAFEMEM_ERROR 0
-#define SAFEMEM_SUCCESS 1
-
-#include "debug.h"
-#ifndef DEBUG
- #define ERRORRET return SAFEMEM_ERROR;
-#else
- #define ERRORRET assert(0==1)
-#endif /* DEBUG */
-
-#include "sf_types.h"
-
-
-/*
- * Check to make sure that p is less than or equal to the ptr range
- * pointers
- *
- * 1 means it's in bounds, 0 means it's not
- */
-static INLINE int inBounds(const uint8_t *start, const uint8_t *end, const uint8_t *p)
-{
- if(p >= start && p < end)
- {
- return 1;
- }
-
- return 0;
-}
-
-/**
- * A Safer Memcpy
- *
- * @param dst where to copy to
- * @param src where to copy from
- * @param n number of bytes to copy
- * @param start start of the dest buffer
- * @param end end of the dst buffer
- *
- * @return 0 on failure, 1 on success
- */
-static INLINE int SafeMemcpy(void *dst, const void *src, size_t n, const void *start, const void *end)
-{
- void *tmp;
-
- if(n < 1)
- {
- ERRORRET;
- }
-
- if (!dst || !src || !start || !end)
- {
- ERRORRET;
- }
-
- tmp = ((uint8_t*)dst) + (n-1);
- if (tmp < dst)
- {
- ERRORRET;
- }
-
- if(!inBounds(start,end, dst) || !inBounds(start,end,tmp))
- {
- ERRORRET;
- }
-
- memcpy(dst, src, n);
-
- return SAFEMEM_SUCCESS;
-}
-
-/**
- * A Safer Memmove
- * dst and src can be in the same buffer
- *
- * @param dst where to copy to
- * @param src where to copy from
- * @param n number of bytes to copy
- * @param start start of the dest buffer
- * @param end end of the dst buffer
- *
- * @return 0 on failure, 1 on success
- */
-static INLINE int SafeMemmove(void *dst, const void *src, size_t n, const void *start, const void *end)
-{
- void *tmp;
-
- if(n < 1)
- {
- ERRORRET;
- }
-
- if (!dst || !src || !start || !end)
- {
- ERRORRET;
- }
-
- tmp = ((uint8_t*)dst) + (n-1);
- if (tmp < dst)
- {
- ERRORRET;
- }
-
- if(!inBounds(start,end, dst) || !inBounds(start,end,tmp))
- {
- ERRORRET;
- }
-
- memmove(dst, src, n);
-
- return SAFEMEM_SUCCESS;
-}
-
-/**
- * A Safer *a = *b
- *
- * @param start start of the dst buffer
- * @param end end of the dst buffer
- * @param dst the location to write to
- * @param src the source to read from
- *
- * @return 0 on failure, 1 on success
- */
-static INLINE int SafeWrite(uint8_t *start, uint8_t *end, uint8_t *dst, uint8_t *src)
-{
- if(!inBounds(start, end, dst))
- {
- ERRORRET;
- }
-
- *dst = *src;
- return 1;
-}
-
-static INLINE int SafeRead(uint8_t *start, uint8_t *end, uint8_t *src, uint8_t *read)
-{
- if(!inBounds(start,end, src))
- {
- ERRORRET;
- }
-
- *read = *start;
- return 1;
-}
-
-#endif /* _BOUNDS_H */
diff -Nru snort-2.8.5.2/src/build.h snort-2.9.2/src/build.h
--- snort-2.8.5.2/src/build.h 2009-12-15 23:27:51.000000000 +0000
+++ snort-2.9.2/src/build.h 2011-12-08 16:49:14.000000000 +0000
@@ -1 +1 @@ -#define BUILD "121" +#define BUILD "78" diff -Nru snort-2.8.5.2/src/byte_extract.c snort-2.9.2/src/byte_extract.c --- snort-2.8.5.2/src/byte_extract.c 2009-05-06 22:28:08.000000000 +0000 +++ snort-2.9.2/src/byte_extract.c 2011-06-08 00:33:05.000000000 +0000 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2003-2009 Sourcefire, Inc. +** Copyright (C) 2003-2011 Sourcefire, Inc. ** Chris Green <cmg@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -21,6 +21,12 @@ ** */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "snort.h" + #include <sys/types.h> #include <stdlib.h> #include <ctype.h> @@ -29,18 +35,18 @@ #endif #include <errno.h> -#include "bounds.h" +#include "snort_bounds.h" #include "byte_extract.h" -#include "debug.h" +#include "snort_debug.h" #define TEXTLEN (PARSELEN + 1) - -/** + +/** * Grab a binary representation of data from a buffer * * This method will read either a big or little endian value in binary - * data from the packet and return an uint32_t value. - * + * data from the packet and return an uint32_t value. + * * @param endianess value to read the byte as * @param bytes_to_grab how many bytes should we grab from the packet * @param data pointer to where to grab the data from @@ -65,11 +71,11 @@ { return -3; } - + if(!inBounds(start,end,ptr)) { return -3; - } + } /* * We only support grabbing 1, 2, or 4 bytes of binary data. @@ -130,9 +136,9 @@ return 0; } -/** +/** * Grab a string representation of data from a buffer - * + * * @param base base representation for data: -> man stroul() * @param bytes_to_grab how many bytes should we grab from the packet * @param data pointer to where to grab the data from @@ -160,11 +166,11 @@ { return -3; } - + if(!inBounds(start,end,ptr)) { return -3; - } + } for(x=0;x<bytes_to_grab; x++) { 
@@ -172,22 +178,22 @@ } byte_array[bytes_to_grab] = '\0'; - + *value = strtoul(byte_array, &parse_helper, base); - + if(byte_array == parse_helper) { return -1; } -#ifdef TEST_BYTE_EXTRACT +#ifdef TEST_BYTE_EXTRACT printf("[----]\n"); for(x=0;(x<=TEXTLEN) && (byte_array[x] != '\0');x++) printf("%c", byte_array[x]); printf("\n"); - + printf("converted value: 0x%08X (%u) %s\n", *value, *value, (char *) byte_array); -#endif /* TEST_BYTE_EXTRACT */ +#endif /* TEST_BYTE_EXTRACT */ return(parse_helper - byte_array); /* Return the number of bytes actually extracted */ } @@ -199,8 +205,8 @@ { int i; uint32_t ret; - - uint8_t value1[2]; + + uint8_t value1[2]; uint8_t value2[2]; uint8_t value3[4]; @@ -233,7 +239,7 @@ printf("test 2: value: %x %u\n", ret, ret); } - + if(byte_extract(LITTLE, 2, value1 + 2, value1, value1 + 2, &ret)) { printf("test 3 failed correctly\n"); @@ -262,7 +268,7 @@ printf("test 2: value: %x %u\n", ret, ret); } - + if(byte_extract(LITTLE, 2, value2 + 2, value2, value2 + 2, &ret)) { printf("test 3 failed correctly\n"); @@ -291,7 +297,7 @@ printf("test 2: value: %x %u\n", ret, ret); } - + if(byte_extract(LITTLE, 4, value3 + 2, value3, value3 + 4, &ret)) { printf("test 3 failed correctly\n"); @@ -310,7 +316,7 @@ printf("[loop] %d failed correctly\n", i); } else - { + { printf("[loop] value: %x %x\n", ret, *(uint32_t *) &value3); } } @@ -321,7 +327,7 @@ char *stringdata = "21212312412"; int datalen = strlen(stringdata); uint32_t ret; - + if(string_extract(4, 10, stringdata, stringdata, stringdata + datalen, &ret) < 0) { printf("TS1: Failed\n"); @@ -349,7 +355,7 @@ printf("TS3: value %x %u\n", ret, ret); } - + if(string_extract(19, 10, stringdata, stringdata, stringdata + datalen, &ret) < 0) { printf("TS4: Failed Normally\n"); diff -Nru snort-2.8.5.2/src/byte_extract.h snort-2.9.2/src/byte_extract.h --- snort-2.8.5.2/src/byte_extract.h 2009-05-06 22:28:08.000000000 +0000 +++ snort-2.9.2/src/byte_extract.h 2011-02-09 23:22:45.000000000 +0000 
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -22,8 +22,10 @@ #ifndef _BYTE_EXTRACT_H #define _BYTE_EXTRACT_H +#define ENDIAN_NONE -1 #define BIG 0 #define LITTLE 1 +#define ENDIAN_FUNC 2 #define PARSELEN 10 diff -Nru snort-2.8.5.2/src/checksum.h snort-2.9.2/src/checksum.h --- snort-2.8.5.2/src/checksum.h 2009-05-06 22:28:08.000000000 +0000 +++ snort-2.9.2/src/checksum.h 2011-06-08 00:33:05.000000000 +0000 @@ -3,7 +3,7 @@ ** Copyright (C) 2000,2001 Christopher Cramer <cec@ee.duke.edu> ** Snort is Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Marc Norton <mnorton@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -35,25 +35,17 @@ #include "config.h" #endif -#include "debug.h" +#include "snort_debug.h" #include <sys/types.h> - -/* define checksum error flags */ -#define CSE_IP 0x01 -#define CSE_TCP 0x02 -#define CSE_UDP 0x04 -#define CSE_ICMP 0x08 -#define CSE_IGMP 0x10 - /* * checksum IP - header=20+ bytes * * w - short words of data * blen - byte length -* +* */ -static INLINE unsigned short in_chksum_ip( unsigned short * w, int blen ) +static inline unsigned short in_chksum_ip( unsigned short * w, int blen ) { unsigned int cksum; @@ -82,7 +74,7 @@ cksum = (cksum >> 16) + (cksum & 0x0000ffff); cksum += (cksum >> 16); - + return (unsigned short) (~cksum); } 
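Review bot: `ENDIAN_NONE` and `ENDIAN_FUNC` are added next to BIG/LITTLE with no comment saying where a value of -1 or 2 is valid, so a reader of byte_extract.h cannot tell whether they are accepted as the `endianess` argument of byte_extract() or are only markers used while parsing a rule. The doc comment for byte_extract in the byte_extract.c hunks above still says the function reads "either a big or little endian value", so either that function rejects the new values or its comment is now incomplete; one line per define would settle it, e.g. `#define ENDIAN_NONE -1  /* no endianness selected; not valid for byte_extract() - confirm */`. The four related integer constants would also read better as a single enum than as loose #defines.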
@@ -94,7 +86,7 @@ * dlen - length of tcp hdr + payload in bytes * */ -static INLINE unsigned short in_chksum_tcp( unsigned short *h, unsigned short * d, int dlen ) +static inline unsigned short in_chksum_tcp( unsigned short *h, unsigned short * d, int dlen ) { unsigned int cksum; unsigned short answer=0; @@ -120,7 +112,7 @@ cksum += d[9]; dlen -= 20; /* bytes */ - d += 10; /* short's */ + d += 10; /* short's */ while(dlen >=32) { @@ -144,13 +136,13 @@ dlen -= 32; } - while(dlen >=8) + while(dlen >=8) { cksum += d[0]; cksum += d[1]; cksum += d[2]; cksum += d[3]; - d += 4; + d += 4; dlen -= 8; } @@ -160,19 +152,19 @@ dlen -= 2; } - if( dlen == 1 ) - { + if( dlen == 1 ) + { /* printf("new checksum odd byte-packet\n"); */ *(unsigned char*)(&answer) = (*(unsigned char*)d); /* cksum += (uint16_t) (*(uint8_t*)d); */ - + cksum += answer; } - + cksum = (cksum >> 16) + (cksum & 0x0000ffff); cksum += (cksum >> 16); - + return (unsigned short)(~cksum); } /* @@ -183,7 +175,7 @@ * dlen - length of tcp hdr + payload in bytes * */ -static INLINE unsigned short in_chksum_tcp6( unsigned short *h, unsigned short * d, int dlen ) +static inline unsigned short in_chksum_tcp6( unsigned short *h, unsigned short * d, int dlen ) { unsigned int cksum; unsigned short answer=0; @@ -221,7 +213,7 @@ cksum += d[9]; dlen -= 20; /* bytes */ - d += 10; /* short's */ + d += 10; /* short's */ while(dlen >=32) { @@ -245,13 +237,13 @@ dlen -= 32; } - while(dlen >=8) + while(dlen >=8) { cksum += d[0]; cksum += d[1]; cksum += d[2]; cksum += d[3]; - d += 4; + d += 4; dlen -= 8; } @@ -261,19 +253,19 @@ dlen -= 2; } - if( dlen == 1 ) - { + if( dlen == 1 ) + { /* printf("new checksum odd byte-packet\n"); */ *(unsigned char*)(&answer) = (*(unsigned char*)d); /* cksum += (uint16_t) (*(uint8_t*)d); */ - + cksum += answer; } - + cksum = (cksum >> 16) + (cksum & 0x0000ffff); cksum += (cksum >> 16); - + return (unsigned short)(~cksum); } 
@@ -285,7 +277,7 @@ * dlen - length of payload in bytes * */ -static INLINE unsigned short in_chksum_udp6( unsigned short *h, unsigned short * d, int dlen ) +static inline unsigned short in_chksum_udp6( unsigned short *h, unsigned short * d, int dlen ) { unsigned int cksum; unsigned short answer=0; @@ -317,9 +309,9 @@ cksum += d[3]; dlen -= 8; /* bytes */ - d += 4; /* short's */ + d += 4; /* short's */ - while(dlen >=32) + while(dlen >=32) { cksum += d[0]; cksum += d[1]; @@ -347,31 +339,31 @@ cksum += d[1]; cksum += d[2]; cksum += d[3]; - d += 4; + d += 4; dlen -= 8; } - while(dlen > 1) + while(dlen > 1) { cksum += *d++; dlen -= 2; } - if( dlen == 1 ) - { + if( dlen == 1 ) + { *(unsigned char*)(&answer) = (*(unsigned char*)d); cksum += answer; } - + cksum = (cksum >> 16) + (cksum & 0x0000ffff); cksum += (cksum >> 16); - + return (unsigned short)(~cksum); } -static INLINE unsigned short in_chksum_udp( unsigned short *h, unsigned short * d, int dlen ) +static inline unsigned short in_chksum_udp( unsigned short *h, unsigned short * d, int dlen ) { unsigned int cksum; unsigned short answer=0; @@ -391,9 +383,9 @@ cksum += d[3]; dlen -= 8; /* bytes */ - d += 4; /* short's */ + d += 4; /* short's */ - while(dlen >=32) + while(dlen >=32) { cksum += d[0]; cksum += d[1]; @@ -421,37 +413,37 @@ cksum += d[1]; cksum += d[2]; cksum += d[3]; - d += 4; + d += 4; dlen -= 8; } - while(dlen > 1) + while(dlen > 1) { cksum += *d++; dlen -= 2; } - if( dlen == 1 ) - { + if( dlen == 1 ) + { *(unsigned char*)(&answer) = (*(unsigned char*)d); cksum += answer; } - + cksum = (cksum >> 16) + (cksum & 0x0000ffff); cksum += (cksum >> 16); - + return (unsigned short)(~cksum); } /* * checksum icmp */ -static INLINE unsigned short in_chksum_icmp( unsigned short * w, int blen ) +static inline unsigned short in_chksum_icmp( unsigned short * w, int blen ) { unsigned short answer=0; unsigned int cksum = 0; - while(blen >=32) + while(blen >=32) { cksum += w[0]; cksum += w[1]; 
@@ -473,7 +465,7 @@ blen -= 32; } - while(blen >=8) + while(blen >=8) { cksum += w[0]; cksum += w[1]; @@ -483,13 +475,13 @@ blen -= 8; } - while(blen > 1) + while(blen > 1) { cksum += *w++; blen -= 2; } - if( blen == 1 ) + if( blen == 1 ) { *(unsigned char*)(&answer) = (*(unsigned char*)w); cksum += answer; @@ -505,15 +497,32 @@ /* * checksum icmp6 */ -static INLINE unsigned short in_chksum_icmp6( unsigned short * w, int blen ) +static inline unsigned short in_chksum_icmp6( unsigned short *h, unsigned short *w, int blen ) { -// XXX ICMP6 CHECKSUM NOT YET IMPLEMENTED - return 0; -#if 0 unsigned short answer=0; unsigned int cksum = 0; - while(blen >=32) + /* PseudoHeader must have 36 bytes */ + cksum = h[0]; + cksum += h[1]; + cksum += h[2]; + cksum += h[3]; + cksum += h[4]; + cksum += h[5]; + cksum += h[6]; + cksum += h[7]; + cksum += h[8]; + cksum += h[9]; + cksum += h[10]; + cksum += h[11]; + cksum += h[12]; + cksum += h[13]; + cksum += h[14]; + cksum += h[15]; + cksum += h[16]; + cksum += h[17]; + + while(blen >=32) { cksum += w[0]; cksum += w[1]; @@ -535,7 +544,7 @@ blen -= 32; } - while(blen >=8) + while(blen >=8) { cksum += w[0]; cksum += w[1]; @@ -545,13 +554,13 @@ blen -= 8; } - while(blen > 1) + while(blen > 1) { cksum += *w++; blen -= 2; } - if( blen == 1 ) + if( blen == 1 ) { *(unsigned char*)(&answer) = (*(unsigned char*)w); cksum += answer; @@ -562,7 +571,6 @@ return (unsigned short)(~cksum); -#endif } diff -Nru snort-2.8.5.2/src/control/Makefile.am snort-2.9.2/src/control/Makefile.am --- snort-2.8.5.2/src/control/Makefile.am 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/control/Makefile.am 2011-10-26 14:49:57.000000000 +0000 
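Review bot: The new pseudo-header parameter `h` of in_chksum_icmp6 is read unconditionally for 18 shorts, and the only statement of that contract is the inline `/* PseudoHeader must have 36 bytes */`; the function's header comment (`/* checksum icmp6 */`, just above the hunk) should carry the requirement so callers see it at the declaration, e.g. `/* checksum icmp6 - h: 36-byte IPv6 pseudo-header (18 shorts, read unconditionally); w/blen: ICMPv6 header+payload and its length in bytes */`. The same unconditional indexing pattern is used for the pseudo-header in in_chksum_tcp6 and in_chksum_udp6 in the earlier hunks, so presumably one shared pseudo-header struct feeds all three; worth confirming that its size is exactly 36 bytes, since a shorter buffer would be an out-of-bounds read on every ICMPv6 packet. Because the old version returned 0 without checking anything, callers that previously ignored the result now get a real verdict, and any caller still passing two arguments will fail to compile. The body of in_chksum_icmp6 continues past the end of this hunk.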
@@ -0,0 +1,8 @@ +AUTOMAKE_OPTIONS=foreign no-dependencies + +noinst_LIBRARIES = libsfcontrol.a + +libsfcontrol_a_SOURCES = sfcontrol.c sfcontrol.h sfcontrol_funcs.h + +INCLUDES = @INCLUDES@ + diff -Nru snort-2.8.5.2/src/control/Makefile.in snort-2.9.2/src/control/Makefile.in --- snort-2.8.5.2/src/control/Makefile.in 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/control/Makefile.in 2011-12-07 19:23:17.000000000 +0000 
@@ -0,0 +1,468 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/control +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +LIBRARIES = $(noinst_LIBRARIES) +ARFLAGS = cru +libsfcontrol_a_AR = $(AR) $(ARFLAGS) +libsfcontrol_a_LIBADD = +am_libsfcontrol_a_OBJECTS = sfcontrol.$(OBJEXT) +libsfcontrol_a_OBJECTS = $(am_libsfcontrol_a_OBJECTS) +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = 
+am__depfiles_maybe = +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libsfcontrol_a_SOURCES) +DIST_SOURCES = $(libsfcontrol_a_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ +CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = @INCLUDES@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAINT = @MAINT@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = 
@OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ +STRIP = @STRIP@ +VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ +YACC = @YACC@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +extra_incl = @extra_incl@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ 
+target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +AUTOMAKE_OPTIONS = foreign no-dependencies +noinst_LIBRARIES = libsfcontrol.a +libsfcontrol_a_SOURCES = sfcontrol.c sfcontrol.h sfcontrol_funcs.h +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/control/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/control/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLIBRARIES: + -test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES) +libsfcontrol.a: $(libsfcontrol_a_OBJECTS) $(libsfcontrol_a_DEPENDENCIES) + -rm -f libsfcontrol.a + $(libsfcontrol_a_AR) libsfcontrol.a $(libsfcontrol_a_OBJECTS) $(libsfcontrol_a_LIBADD) + $(RANLIB) libsfcontrol.a + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + 
+.c.o: + $(COMPILE) -c $< + +.c.obj: + $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: + $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + 
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LIBRARIES) +installdirs: +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . 
= "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLIBRARIES ctags distclean \ + distclean-compile distclean-generic distclean-libtool \ + distclean-tags distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am + + +# Tell versions [3.59,3.63) of GNU make to not export 
all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff -Nru snort-2.8.5.2/src/control/sfcontrol.c snort-2.9.2/src/control/sfcontrol.c --- snort-2.8.5.2/src/control/sfcontrol.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/control/sfcontrol.c 2011-11-21 20:15:24.000000000 +0000 
@@ -0,0 +1,640 @@ +/* +** +** sfcontrol.c +** +** Copyright (C) 2002-2011 Sourcefire, Inc. +** Author(s): Ron Dempster <rdempster@sourcefire.com> +** +** NOTES +** 5.16.11 - Initial Source Code. Dempster +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License Version 2 as +** published by the Free Software Foundation. You may not use, modify or +** distribute this program under any other version of the GNU General +** Public License. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +** +*/ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include <stdio.h> +#include <ctype.h> + +#include "snort.h" +#include "sfcontrol_funcs.h" +#include "sfcontrol.h" + +#ifdef CONTROL_SOCKET + +#ifndef WIN32 +#include <sys/select.h> +#include <sys/socket.h> +#include <sys/un.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <sys/time.h> +#include <signal.h> +#include <unistd.h> +#include <pthread.h> +#include <netinet/in.h> +#endif + +static char config_unix_socket_fn[PATH_MAX]; +static int config_unix_socket; +static volatile int stop_processing = 0; + +typedef struct _CS_RESPONSE_MESSAGE +{ + CSMessageHeader hdr; + char msg[1024]; +} CSResponseMessage; + +typedef struct _CS_MESSAGE +{ + CSMessageHeader hdr; + uint8_t *data; +} CSMessage; + +typedef struct _CS_MESSAGE_HANDLER +{ + struct _CS_MESSAGE_HANDLER *next; + uint32_t type; + OOBPreControlFunc oobpre; + IBControlFunc ibcontrol; + OOBPostControlFunc oobpost; + pthread_mutex_t mutex; + void *new_context; + void 
*old_context; + volatile int handled; + volatile int ib_rval; +} CSMessageHandler; + +#define CS_MAX_WORK 3 +#define CS_MAX_IDLE_WORK 10 + +static unsigned s_work_to_do = 0; +static unsigned s_work_done = 0; + +static pthread_mutex_t work_mutex = PTHREAD_MUTEX_INITIALIZER; +static CSMessageHandler *work_queue; +static CSMessageHandler *work_queue_tail; + +static CSMessageHandler *msg_handlers[CS_TYPE_MAX]; +static pthread_mutex_t msg_handler_mutex = PTHREAD_MUTEX_INITIALIZER; + +typedef struct _THREAD_ELEMENT +{ + struct _THREAD_ELEMENT *next; + int socket_fd; + volatile int stop_processing; +} ThreadElement; + +static ThreadElement *thread_list; +static pthread_mutex_t thread_mutex = PTHREAD_MUTEX_INITIALIZER; +static pthread_t thread_id; +static pthread_t *p_thread_id; + +void ControlSocketConfigureDirectory(const char *optarg) +{ + const char *sep; + ssize_t len; + + if (!optarg || config_unix_socket_fn[0]) + return; + + len = strlen(optarg); + if (len && optarg[len - 1] == '/') + sep = ""; + else + sep = "/"; + snprintf(config_unix_socket_fn, sizeof(config_unix_socket_fn), "%s%s%s", optarg, sep, CONTROL_FILE); +} + +int ControlSocketRegisterHandler(uint16_t type, OOBPreControlFunc oobpre, IBControlFunc ib, + OOBPostControlFunc oobpost) +{ + if (type > CS_TYPE_MAX) + return -1; + pthread_mutex_lock(&msg_handler_mutex); + if (msg_handlers[type]) + { + pthread_mutex_unlock(&msg_handler_mutex); + return -1; + } + if ((msg_handlers[type] = calloc(1, sizeof(*msg_handlers[type]))) == NULL) + { + pthread_mutex_unlock(&msg_handler_mutex); + return -1; + } + pthread_mutex_init(&msg_handlers[type]->mutex, NULL); + msg_handlers[type]->type = type; + msg_handlers[type]->oobpre = oobpre; + msg_handlers[type]->ibcontrol = ib; + msg_handlers[type]->oobpost = oobpost; + pthread_mutex_unlock(&msg_handler_mutex); + return 0; +} + +static void SendResponse(ThreadElement *t, const CSResponseMessage *resp, uint32_t len) +{ + ssize_t numsent; + unsigned total_len = sizeof(resp->hdr) 
+ len; + unsigned total = 0; + + do + { + numsent = write(t->socket_fd, (*(uint8_t **)&resp) + total, total_len - total); + if (!numsent) + return; + else if (numsent > 0) + total += numsent; + else if (errno != EINTR && errno != EAGAIN) + return; + } while (total < total_len && !t->stop_processing); +} + +static int ReadHeader(ThreadElement *t, CSMessageHeader *hdr) +{ + ssize_t numread; + unsigned total = 0; + + do + { + numread = read(t->socket_fd, (*(uint8_t **)&hdr) + total, sizeof(*hdr) - total); + if (!numread) + return 0; + else if (numread > 0) + total += numread; + else if (errno != EINTR && errno != EAGAIN) + return -1; + } while (total < sizeof(*hdr) && !t->stop_processing); + + if (total < sizeof(*hdr)) + return 0; + + hdr->length = ntohl(hdr->length); + hdr->type = ntohs(hdr->type); + hdr->version = ntohs(hdr->version); + return 1; +} + +static int ReadData(ThreadElement *t, uint8_t *buffer, uint32_t length) +{ + ssize_t numread; + unsigned total = 0; + + do + { + numread = read(t->socket_fd, buffer + total, length - total); + if (!numread) + return 0; + else if (numread > 0) + total += numread; + else if (errno != EINTR && errno != EAGAIN) + return -1; + } while (total < length && !t->stop_processing); + + if (total < length) + return 0; + + return 1; +} + +static void *ControlSocketProcessThread(void *arg) +{ + CSResponseMessage response; + ThreadElement *t = (ThreadElement *)arg; + int fd; + pthread_t tid = pthread_self(); + CSMessageHeader hdr; + uint32_t len; + uint8_t *data = NULL; + ThreadElement **it; + int rval; + + if (t == NULL) + { + ErrorMessage("Control Socket: Invalid process thread parameter\n"); + return NULL; + } + if ((fd = t->socket_fd) == -1) + { + ErrorMessage("Control Socket: Invalid process thread socket\n"); + return NULL; + } + + for (;;) + { + if ((rval = ReadHeader(t, &hdr)) == 0) + goto done; + else if (rval < 0) + goto done; + + if (hdr.version != CS_HEADER_VERSION) + { + static const char * const bad_version = "Bad 
message header version"; + + response.hdr.version = htons(CS_HEADER_VERSION); + response.hdr.type = htons(0x0002); + len = snprintf(response.msg, sizeof(response.msg), "%s", bad_version); + response.hdr.length = htonl(len); + SendResponse(t, &response, len); + goto done; + } + + if (hdr.length > 4096) + { + static const char * const bad_data = "Bad message data"; + + response.hdr.version = htons(CS_HEADER_VERSION); + response.hdr.type = htons(0x0002); + len = snprintf(response.msg, sizeof(response.msg), "%s", bad_data); + response.hdr.length = htonl(len); + SendResponse(t, &response, len); + goto done; + } + + if (hdr.length) + { + if ((data = malloc(hdr.length)) == NULL) + goto done; + + if ((rval = ReadData(t, data, hdr.length)) == 0) + goto done; + else if (rval < 0) + goto done; + } + + if (hdr.type > CS_TYPE_MAX) + { + static const char invalid_type[] = "Invalid type. Must be 0-2047 inclusive."; + + response.hdr.version = htons(CS_HEADER_VERSION); + response.hdr.type = htons(0x0002); + len = snprintf(response.msg, sizeof(response.msg), "%s", invalid_type); + response.hdr.length = htonl(len); + SendResponse(t, &response, len); + } + else + { + CSMessageHandler *handler; + + pthread_mutex_lock(&msg_handler_mutex); + handler = msg_handlers[hdr.type]; + pthread_mutex_unlock(&msg_handler_mutex); + if (handler) + { + static const char failed[] = "Failed to process the command."; + + pthread_mutex_lock(&handler->mutex); + + handler->handled = 0; + handler->new_context = NULL; + handler->old_context = NULL; + handler->next = NULL; + if (handler->oobpre && handler->oobpre(hdr.type, data, hdr.length, &handler->new_context)) + { + response.hdr.version = htons(CS_HEADER_VERSION); + response.hdr.type = htons(0x0002); + len = snprintf(response.msg, sizeof(response.msg), "%s", failed); + response.hdr.length = htonl(len); + SendResponse(t, &response, len); + pthread_mutex_unlock(&handler->mutex); + goto next; + } + if (handler->ibcontrol) + { + 
pthread_mutex_lock(&work_mutex); + if (work_queue_tail) + work_queue_tail->next = handler; + work_queue_tail = handler; + if (!work_queue) + work_queue = handler; + s_work_to_do++; + pthread_mutex_unlock(&work_mutex); + while (!handler->handled) + usleep(100000); + if (handler->ib_rval) + { + if (handler->oobpost && handler->new_context) + handler->oobpost(hdr.type, handler->new_context); + response.hdr.version = htons(CS_HEADER_VERSION); + response.hdr.type = htons(0x0002); + len = snprintf(response.msg, sizeof(response.msg), "%s", failed); + response.hdr.length = htonl(len); + SendResponse(t, &response, len); + pthread_mutex_unlock(&handler->mutex); + goto next; + } + } + if (handler->oobpost) + handler->oobpost(hdr.type, handler->old_context); + + pthread_mutex_unlock(&handler->mutex); + + response.hdr.version = htons(CS_HEADER_VERSION); + response.hdr.type = htons(0x0000); + response.hdr.length = 0; + SendResponse(t, &response, 0); + } + else + { + static const char no_handler[] = "No handler for the command."; + + response.hdr.version = htons(CS_HEADER_VERSION); + response.hdr.type = htons(0x0002); + len = snprintf(response.msg, sizeof(response.msg), "%s", no_handler); + response.hdr.length = htonl(len); + SendResponse(t, &response, len); + } + } +next:; + if (data) + free(data); + data = NULL; + } + +done:; + if (data) + free(data); + close(fd); + pthread_mutex_lock(&thread_mutex); + for (it=&thread_list; *it; it=&(*it)->next) + { + if (t == *it) + { + *it = t->next; + free(t); + break; + } + } + pthread_mutex_unlock(&thread_mutex); + pthread_detach(tid); + return NULL; +} + +static void *ControlSocketThread(void *arg) +{ + ThreadElement *t; + fd_set rfds; + int rval; + struct timeval to; + int socket; + struct sockaddr_un sunaddr; + socklen_t addrlen = sizeof(sunaddr); + pthread_t tid; + + if (config_unix_socket < 0) + { + ErrorMessage("Control Socket: Invalid socket in thread - %d\n", config_unix_socket); + goto bail; + } + nice(2); + + while 
(!stop_processing)
+ {
+ to.tv_sec = 2;
+ to.tv_usec = 0;
+ FD_ZERO(&rfds);
+ FD_SET(config_unix_socket, &rfds);
+ rval = select(config_unix_socket + 1, &rfds, NULL, NULL, &to);
+ if (rval > 0)
+ {
+ memset(&sunaddr, 0, sizeof(sunaddr));
+ if ((socket = accept(config_unix_socket, (struct sockaddr *)&sunaddr, &addrlen)) == -1)
+ {
+ if (errno != EINTR)
+ {
+ ErrorMessage("Control Socket: Accept failed: %s\n", strerror(errno));
+ goto bail;
+ }
+ }
+ else
+ {
+ DEBUG_WRAP( DebugMessage(DEBUG_INIT, "Control Socket: Creating a processing thread for %d\n",
+ socket););
+ if ((t = calloc(1, sizeof(*t))) == NULL)
+ {
+ close(socket);
+ ErrorMessage("Control Socket: Failed to allocate a thread struct");
+ goto bail;
+ }
+ t->socket_fd = socket;
+ if ((rval = pthread_create(&tid, NULL, &ControlSocketProcessThread, (void *)t)) != 0)
+ {
+ close(socket);
+ ErrorMessage("Control Socket: Unable to create a processing thread: %s", strerror(rval));
+ goto bail;
+ }
+ pthread_mutex_lock(&thread_mutex);
+ t->next = thread_list;
+ thread_list = t;
+ pthread_mutex_unlock(&thread_mutex);
+ }
+ }
+ else if (rval < 0)
+ {
+ if (errno != EINTR)
+ {
+ ErrorMessage("Control Socket: Select failed: %s\n", strerror(errno));
+ goto bail;
+ }
+ }
+ }
+
+bail:;
+ close(config_unix_socket);
+ DEBUG_WRAP( DebugMessage(DEBUG_INIT, "Control Socket: Thread exiting\n"););
+ return NULL;
+}
+
+static void SetupUnixSocket(const char * const name, int * const psock, const int listen_backlog)
+{
+ struct sockaddr_un sunaddr;
+ int sock = -1;
+ int yes = 1;
+ int rval;
+
+ memset(&sunaddr, 0, sizeof(sunaddr));
+
+ rval = snprintf(sunaddr.sun_path, sizeof(sunaddr.sun_path), "%s", name);
+ if (rval < 0 || (size_t)rval >= sizeof(sunaddr.sun_path))
+ FatalError("Control Socket: Socket name '%s' is too long\n", name);
+
+ sunaddr.sun_family = AF_UNIX;
+
+ unlink(name); /* remove existing file */
+
+ /* open the socket */
+ if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
+ {
+ FatalError("Control Socket:
Error opening socket %s: %s\n", name, strerror(errno));
+ }
+
+ if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(yes)) == -1)
+ {
+ WarningMessage("Control Socket: setsockopt failed for %s: %s", name, strerror(errno));
+ }
+
+ if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) == -1)
+ {
+ rval = errno;
+ close(sock);
+ FatalError("Control Socket: Unable to bind to %s: %s\n", name, strerror(rval));
+ }
+
+ if (chmod(name, S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IWGRP | S_IXGRP))
+ {
+ rval = errno;
+ close(sock);
+ FatalError("Control Socket: Error changing the mode for socket %s: %s", name, strerror(rval));
+ }
+
+ /* listen on the socket */
+ if (listen(sock, listen_backlog) == -1)
+ {
+ rval = errno;
+ close(sock);
+ FatalError("Control Socket: Unable to listen on UNIX socket %s: %s\n", name, strerror(rval));
+ }
+
+ *psock = sock;
+}
+
+void ControlSocketInit(void)
+{
+ int rval;
+ sigset_t mask;
+
+ if (!config_unix_socket_fn[0])
+ return;
+
+ SetupUnixSocket(config_unix_socket_fn, &config_unix_socket, 10);
+
+ sigemptyset(&mask);
+ sigaddset(&mask, SIGTERM);
+ sigaddset(&mask, SIGQUIT);
+ sigaddset(&mask, SIGPIPE);
+ sigaddset(&mask, SIGINT);
+ sigaddset(&mask, SIGNAL_SNORT_RELOAD);
+ sigaddset(&mask, SIGNAL_SNORT_DUMP_STATS);
+ sigaddset(&mask, SIGUSR1);
+ sigaddset(&mask, SIGUSR2);
+ sigaddset(&mask, SIGNAL_SNORT_ROTATE_STATS);
+ sigaddset(&mask, SIGNAL_SNORT_CHILD_READY);
+#ifdef TARGET_BASED
+ sigaddset(&mask, SIGNAL_SNORT_READ_ATTR_TBL);
+ sigaddset(&mask, SIGVTALRM);
+#endif
+ pthread_sigmask(SIG_SETMASK, &mask, NULL);
+
+ if((rval=pthread_create(&thread_id, NULL, &ControlSocketThread, NULL)) != 0)
+ {
+ sigemptyset(&mask);
+ pthread_sigmask(SIG_SETMASK, &mask, NULL);
+ FatalError("Control Socket: Unable to create thread: %s\n", strerror(rval));
+ }
+ p_thread_id = &thread_id;
+ sigemptyset(&mask);
+ pthread_sigmask(SIG_SETMASK, &mask, NULL);
+}
+
+void ControlSocketCleanUp(void)
+{
+ ThreadElement *t;
+ int rval;
+ int done = 0;
+
+ if (p_thread_id != NULL)
+ {
+ stop_processing = 1;
+
+ if ((rval=pthread_join(*p_thread_id, NULL)) != 0)
+ WarningMessage("Thread termination returned an error: %s\n", strerror(rval));
+ }
+
+ if (config_unix_socket_fn[0])
+ unlink(config_unix_socket_fn);
+
+ for (t = thread_list; t; t = t->next)
+ t->stop_processing = 1;
+
+ rval = 50;
+ do
+ {
+ pthread_mutex_lock(&thread_mutex);
+ done = thread_list ? 0:1;
+ pthread_mutex_unlock(&thread_mutex);
+ if (!done)
+ {
+ usleep(100000);
+ rval--;
+ }
+ } while (!done && rval > 0);
+
+ pthread_mutex_lock(&work_mutex);
+ if (work_queue)
+ WarningMessage("%s\n", "Work queue is not emtpy during termination");
+ pthread_mutex_unlock(&work_mutex);
+}
+
+void ControlSocketDoWork(int idle)
+{
+ unsigned max_work;
+ CSMessageHandler *handler;
+
+ if ( s_work_done == s_work_to_do )
+ return;
+
+ max_work = idle ? CS_MAX_IDLE_WORK : CS_MAX_WORK;
+ pthread_mutex_lock(&work_mutex);
+
+ for (; work_queue && max_work; max_work--)
+ {
+ handler = work_queue;
+ work_queue = handler->next;
+ if (!work_queue)
+ work_queue_tail = NULL;
+ handler->ib_rval = handler->ibcontrol(handler->type, handler->new_context, &handler->old_context);
+ handler->handled = 1;
+ s_work_done++;
+ }
+
+ pthread_mutex_unlock(&work_mutex);
+}
+
+#else
+
+void ControlSocketConfigureDirectory(const char *optarg)
+{
+ FatalError("%s\n", "Control socket is not available.");
+}
+
+int ControlSocketRegisterHandler(uint16_t type, OOBPreControlFunc oobpre, IBControlFunc ib,
+ OOBPostControlFunc oobpost)
+{
+ return 0;
+}
+
+void ControlSocketInit(void)
+{
+}
+
+void ControlSocketCleanUp(void)
+{
+}
+
+#endif
+
diff -Nru snort-2.8.5.2/src/control/sfcontrol_funcs.h snort-2.9.2/src/control/sfcontrol_funcs.h
--- snort-2.8.5.2/src/control/sfcontrol_funcs.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/control/sfcontrol_funcs.h 2011-10-26 18:28:52.000000000 +0000
@@ -0,0 +1,19 @@
+#ifndef __SF_CONTROL_FUNCS_H__
+#define __SF_CONTROL_FUNCS_H__
+
+#include "sfcontrol.h"
+
+void ControlSocketConfigureDirectory(const char *optarg);
+void ControlSocketInit(void);
+void ControlSocketCleanUp(void);
+int ControlSocketRegisterHandler(uint16_t type, OOBPreControlFunc oobpre, IBControlFunc ib,
+ OOBPostControlFunc oobpost);
+
+#ifdef CONTROL_SOCKET
+void ControlSocketDoWork(int idle);
+#else
+#define ControlSocketDoWork(idle) do {} while(0)
+#endif
+
+#endif
+
diff -Nru snort-2.8.5.2/src/control/sfcontrol.h snort-2.9.2/src/control/sfcontrol.h
--- snort-2.8.5.2/src/control/sfcontrol.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/control/sfcontrol.h 2011-10-26 18:28:52.000000000 +0000
@@ -0,0 +1,23 @@
+#ifndef __SF_CONTROL_H__
+#define __SF_CONTROL_H__
+
+#define CONTROL_FILE "SNORT.sock"
+
+#define CS_TYPE_HUP_DAQ 0x0001
+#define CS_TYPE_MAX 0x1FFF
+#define CS_HEADER_VERSION 0x0001
+
+typedef struct _CS_MESSAGE_HEADER
+{
+ /* All values must be in network byte order */
+ uint16_t version;
+ uint16_t type;
+ uint32_t length; /* Does not include the header */
+} CSMessageHeader;
+
+typedef int (*OOBPreControlFunc)(uint16_t type, const uint8_t *data, uint32_t length, void **new_context);
+typedef int (*IBControlFunc)(uint16_t type, void *new_context, void **old_context);
+typedef void (*OOBPostControlFunc)(uint16_t type, void *old_context);
+
+#endif
+
diff -Nru snort-2.8.5.2/src/cpuclock.h snort-2.9.2/src/cpuclock.h
--- snort-2.8.5.2/src/cpuclock.h 2009-05-06 22:28:09.000000000 +0000
+++ snort-2.9.2/src/cpuclock.h 2011-06-08 00:33:05.000000000 +0000
@@ -1,5 +1,5 @@
 /*
-** Copyright (C) 2006-2009 Sourcefire, Inc.
+** Copyright (C) 2006-2011 Sourcefire, Inc.
 **
 ** This program is free software; you can redistribute it and/or modify
 ** it under the terms of the GNU General Public License Version 2 as
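Review bot: The include guard `__SF_CONTROL_FUNCS_H__` is a double-underscore identifier, which C reserves for the implementation; a project-style guard such as `SF_CONTROL_FUNCS_H` avoids the clash. The same applies to `__SF_CONTROL_H__` and to the struct tag `_CS_MESSAGE_HEADER` (underscore followed by an uppercase letter is reserved too) in the sfcontrol.h hunk that follows in this commit. Both headers also appear in the deleted debug.h hunk's lineage of guard names (`DEBUG_H`), so the un-prefixed form is already the house style.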
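Review bot: `CSMessageHeader` and the three callback typedefs use `uint16_t`, `uint32_t` and `uint8_t`, but sfcontrol.h includes nothing, so it only compiles when the includer has already pulled in `<stdint.h>` (or the project's `sf_types.h`); an `#include <stdint.h>` at the top would make it self-contained. Separately, `CS_TYPE_MAX` is `0x1FFF` (8191), while the rejection message in this commit's sfcontrol.c reads "Invalid type. Must be 0-2047 inclusive." — one of the two is wrong, and since `hdr.type` is used to index `msg_handlers[]` immediately after the `> CS_TYPE_MAX` check, the constant should state the contract, e.g. `#define CS_TYPE_MAX 0x1FFF /* highest valid message type; msg_handlers[] presumably holds CS_TYPE_MAX + 1 entries */`, and the message text brought in line with it.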
@@ -20,13 +20,6 @@
 #ifndef CPU_CLOCK_TICKS_H
 #define CPU_CLOCK_TICKS_H
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "debug.h"
-#include "sf_types.h" /* for uint64_t */
-
 /* Assembly to find clock ticks. */
 #ifdef WIN32
 #include <windows.h>
@@ -92,7 +85,7 @@
 #else /* SPARC */
 #ifdef SPARCV9
-#ifdef _LP64
+#ifdef _LP64
 #define get_clockticks(val) \
 { \
 __asm__ __volatile__("rd %%tick, %0" : "=r"(val)); \
@@ -116,7 +109,7 @@
 #endif /* I386 || AMD64 || X86_64 */
 #endif /* WIN32 */
-static INLINE double get_ticks_per_usec (void)
+static inline double get_ticks_per_usec (void)
 {
 uint64_t start = 0, end = 0;
 get_clockticks(start);
diff -Nru snort-2.8.5.2/src/debug.c snort-2.9.2/src/debug.c
--- snort-2.8.5.2/src/debug.c 2009-08-10 20:41:37.000000000 +0000
+++ snort-2.9.2/src/debug.c 2011-11-21 20:15:24.000000000 +0000
@@ -1,6 +1,6 @@
 /* $Id$ */
 /*
-** Copyright (C) 2002-2009 Sourcefire, Inc.
+** Copyright (C) 2002-2011 Sourcefire, Inc.
 ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
 **
 ** This program is free software; you can redistribute it and/or modify
@@ -27,18 +27,15 @@
 #include <stdarg.h>
 #include <stdlib.h>
 #include <stdio.h>
-#include "debug.h"
-
+#include "sf_types.h"
+#include "snort_debug.h"
 #include "snort.h"
-#ifdef DEBUG
-int debuglevel = DEBUG_ALL;
+#ifdef DEBUG_MSGS
 char *DebugMessageFile = NULL;
 int DebugMessageLine = 0;
-extern SnortConfig *snort_conf;
-
-int DebugThis(int level)
+int DebugThis(uint64_t level)
 {
 if (!(level & GetDebugLevel()))
 return 0;
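Review bot: Dropping `#include "sf_types.h"` — whose own trailing comment says it was there `/* for uint64_t */` — leaves cpuclock.h no longer self-contained: `get_ticks_per_usec` in the `@@ -116,7 +109,7 @@` hunk still declares `uint64_t start = 0, end = 0;`, so every includer must now supply the type before this header. Either keep a type include here, `#include <stdint.h>` (or the project's `sf_types.h`), or record the ordering requirement at the top, e.g. `/* requires uint64_t: include sf_types.h (or <stdint.h>) before this header */`.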
@@ -46,30 +43,34 @@
 return 1;
 }
-int GetDebugLevel(void)
+uint64_t GetDebugLevel(void)
 {
 static int debug_init = 0;
- static unsigned int debug_level = 0;
+ static uint64_t debug_level = 0;
- // declared here for compatibility with older compilers
- // not initialized here cuz the next step is done once
 const char* key;
- if (debug_init)
+ if ( debug_init )
 return debug_level;
- key = getenv(DEBUG_VARIABLE);
+ key = getenv(DEBUG_PP_VAR);
 if ( key )
 debug_level = strtoul(key, NULL, 0);
- else
- debug_level = 0;
+
+ debug_level <<= 32;
+
+ key = getenv(DEBUG_VARIABLE);
+
+ if ( key )
+ debug_level |= strtoul(key, NULL, 0);
 debug_init = 1;
+
 return debug_level;
 }
-void DebugMessageFunc(int level, char *fmt, ...)
+void DebugMessageFunc(uint64_t level, char *fmt, ...)
 {
 va_list ap;
@@ -77,7 +78,7 @@
 return;
 va_start(ap, fmt);
-
+
 if ((snort_conf != NULL) && ScDaemonMode())
 {
 char buf[STD_BUF];
@@ -108,8 +109,8 @@
 va_end(ap);
 }
-#ifdef HAVE_WCHAR_H
-void DebugWideMessageFunc(int level, wchar_t *fmt, ...)
+#ifdef SF_WCHAR
+void DebugWideMessageFunc(uint64_t level, wchar_t *fmt, ...)
 {
 va_list ap;
 wchar_t buf[STD_BUF+1];
@@ -120,13 +121,13 @@
 return;
 }
 buf[STD_BUF]= (wchar_t)0;
-
+
 /* filename and line number information */
 if (DebugMessageFile != NULL)
 printf("%s:%d: ", DebugMessageFile, DebugMessageLine);
 va_start(ap, fmt);
-
+
 if (ScDaemonMode())
 {
 #ifdef WIN32
@@ -148,13 +149,13 @@
 va_end(ap);
 }
 #endif
-#else
-void DebugMessageFunc(int level, char *fmt, ...)
+#else /* DEBUG_MSGS */
+void DebugMessageFunc(uint64_t level, char *fmt, ...)
 {
 }
-#ifdef HAVE_WCHAR_H
-void DebugWideMessageFunc(int level, wchar_t *fmt, ...)
+#ifdef SF_WCHAR
+void DebugWideMessageFunc(uint64_t level, wchar_t *fmt, ...)
 {
 }
 #endif
-#endif /* DEBUG */
+#endif /* DEBUG_MSGS */
diff -Nru snort-2.8.5.2/src/debug.h snort-2.9.2/src/debug.h
--- snort-2.8.5.2/src/debug.h 2009-01-26 16:25:53.000000000 +0000
+++ snort-2.9.2/src/debug.h 1970-01-01 00:00:00.000000000 +0000
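Review bot: Both `strtoul(key, NULL, 0)` calls in `GetDebugLevel` discard the end pointer and never look at `errno`, so a malformed value in the environment variable named by `DEBUG_PP_VAR` or `DEBUG_VARIABLE` silently becomes 0 and an out-of-range one becomes `ULONG_MAX`; on an LP64 host a `DEBUG_PP_VAR` value wider than 32 bits is additionally truncated without notice by `debug_level <<= 32`. Parsing with an end pointer and reporting leftover text, `if (*end != '\0') { /* report the bad mask */ }`, would make a mistyped debug mask visible instead of quietly ignored. The `debug_init`/`debug_level` statics are also written with no synchronization; the control-socket threads added in this same commit call `DebugMessage`, so if `DebugMessageFunc` reaches `GetDebugLevel` the first call may now race, which deserves at least a comment stating that the race is tolerated because every thread computes the same value.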
@@ -1,120 +0,0 @@
-/* $Id$ */
-/*
-** Copyright (C) 2002-2009 Sourcefire, Inc.
-** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
-**
-** This program is free software; you can redistribute it and/or modify
-** it under the terms of the GNU General Public License Version 2 as
-** published by the Free Software Foundation. You may not use, modify or
-** distribute this program under any other version of the GNU General
-** Public License.
-**
-** This program is distributed in the hope that it will be useful,
-** but WITHOUT ANY WARRANTY; without even the implied warranty of
-** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-** GNU General Public License for more details.
-**
-** You should have received a copy of the GNU General Public License
-** along with this program; if not, write to the Free Software
-** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-*/
-
-
-#ifndef DEBUG_H
-#define DEBUG_H
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#if !defined(INLINE)
-#ifdef WIN32
-#define INLINE __inline
-#else /* WIN32 */
-#define INLINE inline
-#endif /* WIN32 */
-#endif /* !def INLINE */
-
-#include <ctype.h>
-#ifdef HAVE_WCHAR_H
-/* ISOC99 is defined to get required prototypes */
-#ifndef __USE_ISOC99
-#define __USE_ISOC99
-#endif
-#include <wchar.h>
-#endif
-
-#define DEBUG_VARIABLE "SNORT_DEBUG"
-
-#define DEBUG_ALL 0xffffffff /* 4294967295 */
-#define DEBUG_INIT 0x00000001 /* 1 */
-#define DEBUG_CONFIGRULES 0x00000002 /* 2 */
-#define DEBUG_PLUGIN 0x00000004 /* 4 */
-#define DEBUG_DATALINK 0x00000008 /* 8 */
-//#define DEBUG_IP 0x00000010 /* 16 */
-//#define DEBUG_TCPUDP 0x00000020 /* 32 */
-#define DEBUG_DECODE 0x00000040 /* 64 */
-#define DEBUG_LOG 0x00000080 /* 128 */
-#define DEBUG_MSTRING 0x00000100 /* 256 */
-#define DEBUG_PARSER 0x00000200 /* 512 */
-#define DEBUG_PLUGBASE 0x00000400 /* 1024 */
-#define DEBUG_RULES 0x00000800 /* 2048 */
-#define DEBUG_FLOW 0x00001000 /* 4096 */
-#define
DEBUG_STREAM 0x00002000 /* 8192 */
-#define DEBUG_PATTERN_MATCH 0x00004000 /* 16384 */
-#define DEBUG_DETECT 0x00008000 /* 32768 */
-#define DEBUG_SKYPE 0x00010000 /* 65536 */
-#define DEBUG_FRAG 0x00020000 /* 131072 */
-#define DEBUG_HTTP_DECODE 0x00040000 /* 262144 */
-//#define DEBUG_PORTSCAN2 0x00080000 /* 524288 / (+ conv2 ) 589824 */
-#define DEBUG_RPC 0x00100000 /* 1048576 */
-//#define DEBUG_FLOWSYS 0x00200000 /* 2097152 */
-#define DEBUG_HTTPINSPECT 0x00400000 /* 4194304 */
-#define DEBUG_STREAM_STATE 0x00800000 /* 8388608 */
-#define DEBUG_ASN1 0x01000000 /* 16777216 */
-#define DEBUG_FTPTELNET 0x02000000 /* 33554432 */
-#define DEBUG_SMTP 0x04000000 /* 67108864 */
-#define DEBUG_DCERPC 0x08000000 /* 134217728 */
-#define DEBUG_DNS 0x10000000 /* 268435456 */
-#define DEBUG_ATTRIBUTE 0x20000000 /* 536870912 */
-#define DEBUG_PORTLISTS 0x40000000 /* 1073741824 */
-#define DEBUG_SSL 0x80000000 /* 2147483648 */
-
-void DebugMessageFunc(int dbg,char *fmt, ...);
-#ifdef HAVE_WCHAR_H
-void DebugWideMessageFunc(int dbg,wchar_t *fmt, ...);
-#endif
-
-#ifdef DEBUG
-
- extern char *DebugMessageFile;
- extern int DebugMessageLine;
-
- #define DebugMessage DebugMessageFile = __FILE__; DebugMessageLine = __LINE__; DebugMessageFunc
- #define DebugWideMessage DebugMessageFile = __FILE__; DebugMessageLine = __LINE__; DebugWideMessageFunc
-
- int GetDebugLevel (void);
- int DebugThis(int level);
-#else
-
-#ifdef WIN32
-/* Visual C++ uses the keyword "__inline" rather than "__inline__" */
- #define __inline__ __inline
-#endif
-
-#endif /* DEBUG */
-
-
-#ifdef DEBUG
-#define DEBUG_WRAP(code) code
-void DebugMessageFunc(int dbg,char *fmt, ...);
-#ifdef HAVE_WCHAR_H
-void DebugWideMessageFunc(int dbg,wchar_t *fmt, ...);
-#endif
-#else
-#define DEBUG_WRAP(code)
-/* I would use DebugMessage(dbt,fmt...)
but that only works with GCC */
-
-#endif
-
-#endif /* DEBUG_H */
diff -Nru snort-2.8.5.2/src/decode.c snort-2.9.2/src/decode.c
--- snort-2.8.5.2/src/decode.c 2009-10-12 16:39:07.000000000 +0000
+++ snort-2.9.2/src/decode.c 2011-11-21 20:15:24.000000000 +0000
@@ -1,7 +1,7 @@
 /* $Id$ */
 /*
-** Copyright (C) 2002-2009 Sourcefire, Inc.
+** Copyright (C) 2002-2011 Sourcefire, Inc.
 ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
 **
 ** This program is free software; you can redistribute it and/or modify
@@ -31,47 +31,46 @@
 #include <string.h>
 #include <stdlib.h>
+#ifdef HAVE_DUMBNET_H
+#include <dumbnet.h>
+#else
+#include <dnet.h>
+#endif
+
 #include "decode.h"
 #include "snort.h"
-#include "debug.h"
+#include "snort_debug.h"
 #include "util.h"
 #include "detect.h"
 #include "checksum.h"
 #include "log.h"
 #include "generators.h"
 #include "event_queue.h"
-#include "inline.h"
+#include "active.h"
 #include "sfxhash.h"
-#include "bounds.h"
+#include "snort_bounds.h"
 #include "strlcpyu.h"
 #include "sf_iph.h"
 #include "fpdetect.h"
 #include "profiler.h"
 #include "sfActionQueue.h"
 #include "mempool.h"
+#include "spp_normalize.h"
+#include "sfdaq.h"
-extern uint32_t pcap_snaplen;
-extern SFBASE sfBase;
 extern tSfActionQueueId decoderActionQ;
 extern MemPool decoderAlertMemPool;
-
 static IpAddrSet *SynToMulticastDstIp = NULL;
 #ifdef PERF_PROFILING
 PreprocStats decodePerfStats;
 #endif
-/* No great place to put this right now */
-HttpUri UriBufs[URI_COUNT];
-uint8_t DecodeBuffer[DECODE_BLEN];
-#ifndef SUP_IP6
-Packet *BsdPseudoPacket;
-/* For the BSD fragmentation vulnerability */
-SFXHASH *ipv6_frag_hash;
-#endif
+// Array to check if the decoder rules are enabled in at least one policy
+static uint8_t decodeRulesArray[DECODE_INDEX_MAX];
 #ifdef SUP_IP6
-IPH_API ip4 =
+IPH_API ip4 =
 {
 ip4_ret_src,
 ip4_ret_dst,
@@ -124,247 +123,156 @@
 };
 #endif
-static INLINE void execDecoderInlineDrop(
- void *data
- )
-{
- Packet *p = data;
-
- if (ScDecoderAlerts() && ScDecoderDrops())
- {
- DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping bad packet\n"););
- InlineDrop(p);
- }
-}
-
-static INLINE void queueDecoderInlineDrop(
- Packet *p
- )
-{
- int ret = sfActionQueueAdd( decoderActionQ, execDecoderInlineDrop, (void*)p);
- if (ret == -1)
- {
- ErrorMessage("Could not add inlineDrop() to decoderActionQ\n");
- }
-}
-
-static INLINE void execIpOptInlineDrop(
- void *data
- )
-{
- Packet *p = data;
-
- if ((ScInlineMode()) && ScDecoderIpOptDrops())
- {
- DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping bad packet\n"););
- InlineDrop(p);
- }
-}
-
-static INLINE void queueIpOptInlineDrop(
- Packet *p
- )
-{
- int ret = sfActionQueueAdd( decoderActionQ, execIpOptInlineDrop, (void*)p);
- if (ret == -1)
- {
- ErrorMessage("Could not add inlineDrop() to decoderActionQ\n");
- }
-}
-
-static INLINE void execTcpOptInlineDrop(
- void *data
- )
-{
- Packet *p = data;
-
- if ((ScInlineMode()) && ScDecoderTcpOptDrops())
- {
- DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping bad packet\n"););
- InlineDrop(p);
- }
-}
-
-static INLINE void queueTcpOptInlineDrop(
- Packet *p
- )
-{
- int ret = sfActionQueueAdd( decoderActionQ, execTcpOptInlineDrop, (void*)p);
- if (ret == -1)
- {
- ErrorMessage("Could not add inlineDrop() to decoderActionQ\n");
- }
-}
+//--------------------------------------------------------------------
+// decode.c::event support
+//--------------------------------------------------------------------
-static INLINE void execTcpOptExpInlineDrop(
- void *data
- )
+#ifdef NORMALIZER
+static inline int ScNormalDrop (NormFlags nf)
 {
- Packet *p = data;
-
- if ((ScInlineMode()) && ScDecoderTcpOptExpDrops())
- {
- DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping bad packet\n"););
- InlineDrop(p);
- }
+ return !Normalize_IsEnabled(snort_conf, nf);
 }
+#else
+#define ScNormalDrop(nf) 1
+#endif
-static INLINE void queueTcpOptExpInlineDrop(
- Packet *p
- )
+static inline void queueExecDrop(
+ void (*callback)(void *), Packet* p)
 {
- int ret = sfActionQueueAdd( decoderActionQ, execTcpOptExpInlineDrop, (void*)p);
+ int ret = sfActionQueueAdd( decoderActionQ, callback, (void*)p);
 if (ret == -1)
 {
- ErrorMessage("Could not add inlineDrop() to decoderActionQ\n");
+ ErrorMessage("Could not add drop event to decoderActionQ\n");
 }
 }
-static INLINE void execTcpOptObsInlineDrop(
- void *data
- )
+// no harm declaring the exec*Drop()s as inline, but since
+// the only use is via pointer, these won't get inlined.
+static inline void execDecoderDrop (void *data)
 {
- Packet *p = data;
-
- if ((ScInlineMode()) && ScDecoderTcpOptObsDrops())
+ if ( ScDecoderAlerts() && ScDecoderDrops() )
 {
- DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping bad packet\n"););
- InlineDrop(p);
+ DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
+ "Dropping bad packet\n"););
+ Active_DropSession();
 }
 }
-static INLINE void queueTcpOptObsInlineDrop(
- Packet *p
- )
+static inline void execIpOptDrop (void *data)
 {
- int ret = sfActionQueueAdd( decoderActionQ, execTcpOptObsInlineDrop, (void*)p);
- if (ret == -1)
+ if ( ScDecoderIpOptDrops() )
 {
- ErrorMessage("Could not add inlineDrop() to decoderActionQ\n");
+ DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
+ "Dropping bad packet (IP opts)\n"););
+ Active_DropPacket();
 }
 }
-static INLINE void execTcpOptTTcpInlineDrop(
- void *data
- )
+static inline void execTtlDrop (void *data)
 {
- Packet *p = data;
-
- if ((ScInlineMode()) && ScDecoderTcpOptTTcpDrops())
+ if ( ScNormalDrop(NORM_IP4_TTL) )
 {
- DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping bad packet\n"););
- InlineDrop(p);
+ Packet* p = (Packet*)data;
+ DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
+ "Dropping bad packet (IP4 TTL)\n"););
+ p->error_flags |= PKT_ERR_BAD_TTL;
+ Active_DropPacket();
 }
 }
-static INLINE void queueTcpOptTTcpInlineDrop(
- Packet *p
- )
+#ifdef SUP_IP6
+static inline void execHopDrop (void *data)
 {
- int ret = sfActionQueueAdd( decoderActionQ, execTcpOptTTcpInlineDrop, (void*)p);
- if (ret == -1)
+ if ( ScNormalDrop(NORM_IP6_TTL) )
 {
- ErrorMessage("Could not add inlineDrop() to decoderActionQ\n");
+ Packet* p = (Packet*)data;
+ DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
+ "Dropping bad packet (IP6 hop limit)\n"););
+ p->error_flags |= PKT_ERR_BAD_TTL;
+ Active_DropPacket();
 }
 }
+#endif
-static INLINE void execIpChksmInlineDrop(
- void *data
- )
+static inline void execTcpOptDrop (void *data)
 {
- Packet *p = data;
-
- if(ScInlineMode() && ScIpChecksumDrops())
+ if ( ScDecoderTcpOptDrops() )
 {
- DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
- "Dropping packet with Bad IP checksum\n"););
- InlineDrop(p);
+ DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
+ "Dropping bad packet (TCP opts)\n"););
+ Active_DropPacket();
 }
 }
-static INLINE void queueIpChksmInlineDrop(
- Packet *p
- )
+static inline void execTcpOptExpDrop (void *data)
 {
- int ret = sfActionQueueAdd( decoderActionQ, execIpChksmInlineDrop, (void*)p);
- if (ret == -1)
+ if ( ScDecoderTcpOptExpDrops() )
 {
- ErrorMessage("Could not add inlineDrop() to decoderActionQ\n");
+ DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
+ "Dropping bad packet (TCP exp opts)\n"););
+ Active_DropPacket();
 }
 }
-static INLINE void execTcpChksmInlineDrop(
- void *data
- )
+static inline void execTcpOptObsDrop (void *data)
 {
- Packet *p = data;
-
- if(ScInlineMode() && ScTcpChecksumDrops())
+ if ( ScDecoderTcpOptObsDrops() )
 {
- DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
- "Dropping packet with Bad TCP checksum\n"););
- InlineDrop(p);
+ DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
+ "Dropping bad packet (TCP obs opts)\n"););
+ Active_DropPacket();
 }
 }
-static INLINE void queueTcpChksmInlineDrop(
- Packet *p
- )
+static inline void execTcpOptTTcpDrop (void *data)
 {
- int ret = sfActionQueueAdd( decoderActionQ, execTcpChksmInlineDrop, (void*)p);
- if (ret == -1)
+ if ( ScDecoderTcpOptTTcpDrops() )
 {
- ErrorMessage("Could not add inlineDrop() to decoderActionQ\n");
+
DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
+ "Dropping bad packet (TTCP opts)\n"););
+ Active_DropPacket();
 }
 }
-static INLINE void execUdpChksmInlineDrop(
- void *data
- )
+static inline void execIpChksmDrop (void *data)
 {
- Packet *p = data;
-
- if(ScInlineMode() && ScUdpChecksumDrops())
+ // TBD only set policy csum drop if policy inline
+ // and delete this inline mode check
+ if( ScInlineMode() && ScIpChecksumDrops() )
 {
- DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
- "Dropping packet with Bad UDP checksum\n"););
- InlineDrop(p);
+ DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
+ "Dropping bad packet (IP checksum)\n"););
+ Active_DropPacket();
 }
 }
-static INLINE void queueUdpChksmInlineDrop(
- Packet *p
- )
+static inline void execTcpChksmDrop (void *data)
 {
- int ret = sfActionQueueAdd( decoderActionQ, execUdpChksmInlineDrop, (void*)p);
- if (ret == -1)
+ if( ScInlineMode() && ScTcpChecksumDrops() )
 {
- ErrorMessage("Could not add inlineDrop() to decoderActionQ\n");
+ DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
+ "Dropping bad packet (TCP checksum)\n"););
+ Active_DropPacket();
 }
 }
-static INLINE void execIcmpChksmInlineDrop(
- void *data
- )
+static inline void execUdpChksmDrop (void *data)
 {
- Packet *p = data;
-
- if(ScInlineMode() && ScIcmpChecksumDrops())
+ if( ScInlineMode() && ScUdpChecksumDrops() )
 {
- DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
- "Dropping packet with Bad ICMP checksum\n"););
- InlineDrop(p);
+ DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
+ "Dropping bad packet (UDP checksum)\n"););
+ Active_DropPacket();
 }
 }
-static INLINE void queueIcmpChksmInlineDrop(
- Packet *p
- )
+static inline void execIcmpChksmDrop (void *data)
 {
- int ret = sfActionQueueAdd( decoderActionQ, execIcmpChksmInlineDrop, (void*)p);
- if (ret == -1)
+ if( ScInlineMode() && ScIcmpChecksumDrops() )
 {
- ErrorMessage("Could not add inlineDrop() to decoderActionQ\n");
+ DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
+ "Dropping bad packet (ICMP checksum)\n"););
+ Active_DropPacket();
 }
 }
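Review bot: The rewritten `execIpOptDrop` and the four `execTcpOpt*Drop` callbacks now call `Active_DropPacket()` gated only on the per-policy drop flag, whereas the four checksum callbacks keep the `ScInlineMode()` test (with a TBD about removing it) and the removed code gated every one of them on inline mode. If `Active_DropPacket()` is itself a no-op outside inline mode the asymmetry is harmless, but that is not visible in this file and should be stated once, e.g. above `execIpOptDrop`: `// Active_DropPacket() only takes effect when the policy is inline, so no ScInlineMode() check is needed in the option callbacks`. Likewise the `#define ScNormalDrop(nf) 1` fallback means `execTtlDrop`/`execHopDrop` drop unconditionally in non-NORMALIZER builds, which is worth a comment beside the macro. Only `execTtlDrop`/`execHopDrop` use `data`; a `(void)data;` in the other callbacks would keep `-Wunused-parameter` quiet.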
@@ -372,140 +280,54 @@
 {
 MemBucket *alertBucket = (MemBucket *)data;
 EventNode *en = (EventNode *)alertBucket->data;
+ int add;
- //This list can be shortened by making it a list of sid exceptions
 switch (en->sid)
 {
- case DECODE_BAD_80211_ETHLLC:
- case DECODE_BAD_MPLS:
- case DECODE_MPLS_LABEL_STACK:
- case DECODE_BAD_MPLS_LABEL0:
- case DECODE_BAD_MPLS_LABEL2:
- case DECODE_BAD_MPLS_LABEL1:
- case DECODE_BAD_MPLS_LABEL3:
- case DECODE_MPLS_RESERVED_LABEL:
- case DECODE_BAD_VLAN:
- case DECODE_BAD_VLAN_ETHLLC:
- case DECODE_BAD_VLAN_OTHER:
- case DECODE_BAD_TRH:
- case DECODE_BAD_TR_ETHLLC:
- case DECODE_BAD_TRHMR:
- case DECODE_BAD_TR_MR_LEN:
- case DECODE_BAD_PPPOE:
- case DECODE_BAD_TRAFFIC_SAME_SRCDST:
- case DECODE_BAD_TRAFFIC_LOOPBACK:
- case DECODE_NOT_IPV4_DGRAM:
- case DECODE_IPV4_INVALID_HEADER_LEN:
- case DECODE_IPV4_DGRAM_LT_IPHDR:
- case DECODE_ARP_TRUNCATED:
- case DECODE_EAPOL_TRUNCATED:
- case DECODE_EAPKEY_TRUNCATED:
- case DECODE_EAP_TRUNCATED:
-
- case DECODE_TCP_DGRAM_LT_TCPHDR:
- case DECODE_TCP_INVALID_OFFSET:
- case DECODE_TCP_XMAS:
-
- case DECODE_UDP_DGRAM_LT_UDPHDR:
- case DECODE_UDP_DGRAM_INVALID_LENGTH:
- case DECODE_UDP_DGRAM_SHORT_PACKET:
-
- case DECODE_ICMP_ORIG_IP_TRUNCATED:
- case DECODE_ICMP_ORIG_IP_NOT_IPV4:
- case DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP:
- case DECODE_ICMP_ORIG_PAYLOAD_LT_64:
- case DECODE_ICMP_ORIG_PAYLOAD_GT_576:
- case DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET:
- case DECODE_ICMP_DGRAM_LT_ICMPHDR:
- case DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR:
- case DECODE_ICMP_DGRAM_LT_ADDRHDR:
-
- //gre events
-#ifdef GRE
- case DECODE_GRE_MULTIPLE_ENCAPSULATION:
- case DECODE_GRE_DGRAM_LT_GREHDR:
- case DECODE_GRE_INVALID_HEADER:
- case DECODE_GRE_V1_INVALID_HEADER:
- case DECODE_GRE_INVALID_VERSION:
- case DECODE_GRE_TRANS_DGRAM_LT_TRANSHDR:
-#endif
-
- //decoder events
- case DECODE_IPV6_TUNNELED_IPV4_TRUNCATED:
- case DECODE_IPV6_TRUNCATED_EXT:
- case DECODE_IPV6_MIN_TTL:
- case DECODE_IPV6_IS_NOT:
- case DECODE_IPV6_TRUNCATED:
- if
(ScDecoderAlerts() == 0)
- {
- //check if these events are raised outside DecoderAlerts() check
- mempool_free(&decoderAlertMemPool, alertBucket);
- return;
-
- }
- break;
-
 case DECODE_IPV4OPT_BADLEN:
 case DECODE_IPV4OPT_TRUNCATED:
- if (ScDecoderIpOptAlerts() == 0)
- {
- mempool_free(&decoderAlertMemPool, alertBucket);
- return;
- }
+ add = ScDecoderIpOptAlerts();
 break;
 case DECODE_TCPOPT_WSCALE_INVALID:
 case DECODE_TCPOPT_BADLEN:
 case DECODE_TCPOPT_TRUNCATED:
- if (ScDecoderTcpOptAlerts() == 0)
- {
- mempool_free(&decoderAlertMemPool, alertBucket);
- return;
- }
+ add = ScDecoderTcpOptAlerts();
 break;
 case DECODE_TCPOPT_EXPERIMENT:
- if (ScDecoderTcpOptExpAlerts() == 0)
- {
- mempool_free(&decoderAlertMemPool, alertBucket);
- return;
- }
+ add = ScDecoderTcpOptExpAlerts();
 break;
 case DECODE_TCPOPT_OBSOLETE:
- if (ScDecoderTcpOptObsAlerts() == 0)
- {
- mempool_free(&decoderAlertMemPool, alertBucket);
- return;
- }
+ add = ScDecoderTcpOptObsAlerts();
 break;
 case DECODE_TCPOPT_TTCP:
- if (ScDecoderTcpOptTTcpAlerts() == 0)
- {
- mempool_free(&decoderAlertMemPool, alertBucket);
- return;
- }
+ add = ScDecoderTcpOptTTcpAlerts();
 break;
 default:
+ add = ScDecoderAlerts();
 break;
 }
- SnortEventqAdd(en->gid, en->sid, en->rev, en->classification,
+ if ( add )
+ {
+ SnortEventqAdd(en->gid, en->sid, en->rev, en->classification,
 en->priority, en->msg, en->rule_info);
-
+ }
 mempool_free(&decoderAlertMemPool, alertBucket);
-
 }
-void queueDecoderEvent(unsigned int gid,
- unsigned int sid,
- unsigned int rev,
- unsigned int classification,
- unsigned int pri,
- char *msg,
- void *rule_info)
+void queueDecoderEvent(
+ unsigned int gid,
+ unsigned int sid,
+ unsigned int rev,
+ unsigned int classification,
+ unsigned int pri,
+ char *msg,
+ void *rule_info)
 {
 MemBucket *alertBucket;
 EventNode *en;
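Review bot: With the explicit sid list gone, `default: add = ScDecoderAlerts();` now gates every decoder sid not named in the switch on the global decoder-alerts setting, whereas before any sid outside the removed list was queued unconditionally; that matches the intent of the removed `//This list can be shortened by making it a list of sid exceptions` comment, but it is a behaviour change for previously unlisted sids and deserves a line at the `default:` label, e.g. `default: /* every other decoder sid follows the global decoder_alerts setting */`. The `if ( add )` / `mempool_free` ordering is correct: the bucket is released on both paths, which the old early-`return` form had to repeat per case. The enclosing function's signature is above this hunk, and the `queueDecoderEvent` body at its end continues below it.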
@@ -532,206 +354,309 @@ } } -static INLINE void DecoderEvent( - Packet *p, int gid, char *str, int event_flag, int drop_flag) +static inline void DecoderEvent ( + Packet *p, int sid, char *str, int event_flag, int drop_flag) { - if (ScIdsMode() && event_flag) + if ( ScLogVerbose() ) + ErrorMessage("%s\n", str); + + if (ScIdsMode() && event_flag) { - queueDecoderEvent(GENERATOR_SNORT_DECODE, gid, 1, - DECODE_CLASS, 3, str, 0); - if ((ScInlineMode()) && drop_flag) + queueDecoderEvent(GENERATOR_SNORT_DECODE, sid, 1, + DECODE_CLASS, 3, str, 0); + + if ( drop_flag ) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping bad packet\n");); - queueDecoderInlineDrop(p); + queueExecDrop(execDecoderDrop, p); } } } -/* - * Function: DecodeEthPkt(Packet *, char *, struct pcap_pkthdr*, uint8_t*) - * - * Purpose: Decode those fun loving ethernet packets, one at a time! - * - * Arguments: p => pointer to the decoded packet struct - * user => Utility pointer (unused) - * pkthdr => ptr to the packet header - * pkt => pointer to the real live packet data - * - * Returns: void function - */ -void DecodeEthPkt(Packet * p, const struct pcap_pkthdr * pkthdr, const uint8_t * pkt) +static inline void DecoderOptEvent ( + Packet *p, int sid, char *str, int event_flag, int drop_flag, + void (*callback)(void*) ) { - uint32_t pkt_len; /* suprisingly, the length of the packet */ - uint32_t cap_len; /* caplen value */ - PROFILE_VARS; - - PREPROC_PROFILE_START(decodePerfStats); - pc.eth++; - pc.total_processed++; - - memset(p, 0, PKT_ZERO_LEN); - - p->pkth = pkthdr; - p->pkt = pkt; + if ( ScLogVerbose() ) + ErrorMessage("%s\n", str); - /* set the lengths we need */ - pkt_len = pkthdr->len; /* total packet length */ - cap_len = pkthdr->caplen; /* captured packet length */ - - if (ScReadMode() && (pkt_len < cap_len)) + if (ScIdsMode() && event_flag) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet capture length is " - "greater than the packet's total length. 
Broken PCAP?\n");); - p->iph = NULL; - pc.discards++; - pc.ethdisc++; - PREPROC_PROFILE_END(decodePerfStats); - return; + queueDecoderEvent(GENERATOR_SNORT_DECODE, sid, 1, + DECODE_CLASS, 3, str, 0); + + if ( drop_flag ) + { + queueExecDrop(callback, p); + } } - - if (pcap_snaplen < pkt_len) - pkt_len = cap_len; +} - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"); - DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", - (unsigned long)cap_len, (unsigned long)pkt_len); - ); +static inline void DecoderEventDrop ( + Packet *p, int sid, char *str, int event_flag, int drop_flag) +{ + if ( ScLogVerbose() ) + ErrorMessage("%s\n", str); - /* do a little validation */ - if(cap_len < ETHERNET_HEADER_LEN) + if (ScIdsMode() && event_flag) { - if (ScLogVerbose()) + queueDecoderEvent(GENERATOR_SNORT_DECODE, sid, 1, + DECODE_CLASS, 3, str, 0); + + if ( drop_flag ) { - ErrorMessage("Captured data length < Ethernet header length!" - " (%d bytes)\n", p->pkth->caplen); + Active_DropPacket(); } - - p->iph = NULL; - pc.discards++; - pc.ethdisc++; - PREPROC_PROFILE_END(decodePerfStats); - return; } +} - /* lay the ethernet structure over the packet data */ - p->eh = (EtherHdr *) pkt; +void DecoderAlertEncapsulated( + Packet *p, int type, const char *str, const uint8_t *pkt, uint32_t len) +{ + DecoderEvent(p, type, (char*)str, 1, 1); - DEBUG_WRAP( - DebugMessage(DEBUG_DECODE, "%X:%X:%X:%X:%X:%X -> %X:%X:%X:%X:%X:%X\n", - p->eh->ether_src[0], - p->eh->ether_src[1], p->eh->ether_src[2], p->eh->ether_src[3], - p->eh->ether_src[4], p->eh->ether_src[5], p->eh->ether_dst[0], - p->eh->ether_dst[1], p->eh->ether_dst[2], p->eh->ether_dst[3], - p->eh->ether_dst[4], p->eh->ether_dst[5]); - ); - DEBUG_WRAP( - DebugMessage(DEBUG_DECODE, "type:0x%X len:0x%X\n", - ntohs(p->eh->ether_type), p->pkth->len) - ); + p->data = pkt; + p->dsize = (uint16_t)len; - /* grab out the network type */ - switch(ntohs(p->eh->ether_type)) - { - case ETHERNET_TYPE_IP: - DEBUG_WRAP( - DebugMessage(DEBUG_DECODE, - 
"IP datagram size calculated to be %lu bytes\n", - (unsigned long)(cap_len - ETHERNET_HEADER_LEN)); - ); + p->greh = NULL; +} - DecodeIP(p->pkt + ETHERNET_HEADER_LEN, - cap_len - ETHERNET_HEADER_LEN, p); +#define EVARGS(ID) DECODE_ ## ID, DECODE_ ## ID ## _STR - PREPROC_PROFILE_END(decodePerfStats); - return; +static inline int Event_Enabled(int sid) +{ + return ( decodeRulesArray[sid] ); +} - case ETHERNET_TYPE_ARP: - case ETHERNET_TYPE_REVARP: - DecodeARP(p->pkt + ETHERNET_HEADER_LEN, - cap_len - ETHERNET_HEADER_LEN, p); - PREPROC_PROFILE_END(decodePerfStats); - return; +//-------------------------------------------------------------------- +// decode.c::miscellaneous public methods and helper functions +//-------------------------------------------------------------------- - case ETHERNET_TYPE_IPV6: - DecodeIPV6(p->pkt + ETHERNET_HEADER_LEN, - (cap_len - ETHERNET_HEADER_LEN), p); - PREPROC_PROFILE_END(decodePerfStats); - return; +#if defined(WORDS_MUSTALIGN) && !defined(__GNUC__) +uint32_t EXTRACT_32BITS (u_char *p) +{ + uint32_t __tmp; -#ifndef NO_NON_ETHER_DECODER - case ETHERNET_TYPE_PPPoE_DISC: - case ETHERNET_TYPE_PPPoE_SESS: - DecodePPPoEPkt(p, pkthdr, pkt); - PREPROC_PROFILE_END(decodePerfStats); - return; + memmove(&__tmp, p, sizeof(uint32_t)); + return (uint32_t) ntohl(__tmp); +} +#endif /* WORDS_MUSTALIGN && !__GNUC__ */ - case ETHERNET_TYPE_IPX: - DecodeIPX(p->pkt + ETHERNET_HEADER_LEN, - (cap_len - ETHERNET_HEADER_LEN), p); - PREPROC_PROFILE_END(decodePerfStats); - return; +void InitSynToMulticastDstIp( void ) +{ +#ifdef SUP_IP6 + extern SnortConfig *snort_conf_for_parsing; + snort_conf_for_parsing = snort_conf; #endif + SynToMulticastDstIp = IpAddrSetParse("[232.0.0.0/8,233.0.0.0/8,239.0.0.0/8]"); - case ETHERNET_TYPE_LOOP: - DecodeEthLoopback(p->pkt + ETHERNET_HEADER_LEN, - (cap_len - ETHERNET_HEADER_LEN), p); - PREPROC_PROFILE_END(decodePerfStats); - return; - - case ETHERNET_TYPE_8021Q: - DecodeVlan(p->pkt + ETHERNET_HEADER_LEN, - cap_len - 
ETHERNET_HEADER_LEN, p); - PREPROC_PROFILE_END(decodePerfStats); - return; -#ifdef MPLS - case ETHERNET_TYPE_MPLS_MULTICAST: - if(!ScMplsMulticast()) - { - //additional check for DecoderAlerts will be done now. - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_BAD_MPLS, 1, DECODE_CLASS, 3, DECODE_MULTICAST_MPLS_STR, 0); - } - case ETHERNET_TYPE_MPLS_UNICAST: - { - struct pcap_pkthdr pkthdrTmp; - pkthdrTmp.caplen = pkthdr->caplen - ETHERNET_HEADER_LEN; - pkthdrTmp.len = pkthdr->len - ETHERNET_HEADER_LEN; - DecodeMPLS(p->pkt + ETHERNET_HEADER_LEN, &pkthdrTmp, p); - PREPROC_PROFILE_END(decodePerfStats); - return; - } -#endif - default: - pc.other++; - PREPROC_PROFILE_END(decodePerfStats); - return; + if( SynToMulticastDstIp == NULL ) + { + FatalError("Could not initialize SynToMulticastDstIp\n"); } +#ifdef SUP_IP6 + snort_conf_for_parsing = NULL; +#endif +} - PREPROC_PROFILE_END(decodePerfStats); - return; +void SynToMulticastDstIpDestroy( void ) +{ + + if( SynToMulticastDstIp ) + { + IpAddrSetDestroy(SynToMulticastDstIp); +#ifndef SUP_IP6 + free(SynToMulticastDstIp); + SynToMulticastDstIp = NULL; +#endif + } } +static inline void CheckIPv4_MinTTL(Packet *p, uint8_t ttl) +{ -#ifndef NO_NON_ETHER_DECODER -/* - * Function: DecodeIEEE80211Pkt(Packet *, char *, struct pcap_pkthdr*, - * uint8_t*) + // this sequence of tests is best for the "normal" case where + // the packet ttl is >= the configured min (the default is 1) + if( ttl < ScMinTTL() ) + { + if ( Event_Enabled(DECODE_ZERO_TTL) && (ttl == 0) ) + { + DecoderOptEvent(p, DECODE_ZERO_TTL, DECODE_ZERO_TTL_STR, + 1, 1, execTtlDrop); + } + else if ( Event_Enabled(DECODE_IP4_MIN_TTL) ) + { + DecoderOptEvent(p, DECODE_IP4_MIN_TTL, DECODE_IP4_MIN_TTL_STR, + 1, 1, execTtlDrop); + } + } +} + +#ifdef SUP_IP6 +static inline void CheckIPv6_MinTTL(Packet *p, uint8_t hop_limit) +{ + // this sequence of tests is best for the "normal" case where + // the packet ttl is >= the configured min (the default is 1) + if( hop_limit < 
ScMinTTL() ) + { + if ( Event_Enabled(DECODE_IP6_ZERO_HOP_LIMIT) && (hop_limit == 0) ) + { + DecoderOptEvent(p, DECODE_IP6_ZERO_HOP_LIMIT, + DECODE_IP6_ZERO_HOP_LIMIT_STR, 1, 1, execHopDrop); + } + else if ( Event_Enabled(DECODE_IPV6_MIN_TTL) ) + { + DecoderOptEvent(p, DECODE_IPV6_MIN_TTL, + DECODE_IPV6_MIN_TTL_STR, 1, 1, execHopDrop); + } + } +} +#endif + +/* Decoding of ttl/hop_limit is based on the policy min_ttl */ +static inline void DecodeIP_MinTTL(Packet *p) +{ +# ifndef SUP_IP6 + if(p->outer_iph) + { + CheckIPv4_MinTTL( p, p->outer_iph->ip_ttl ); + return; + + } + else if(p->iph) + { + CheckIPv4_MinTTL( p, GET_IPH_TTL(p) ); + return; + } +#else + switch(p->outer_family) + { + case AF_INET: + CheckIPv4_MinTTL( p, p->outer_ip4h.ip_ttl); + return; + + case AF_INET6: + CheckIPv6_MinTTL( p, p->outer_ip6h.hop_lmt); + return; + + default: + break; + } + + switch(p->family) + { + case AF_INET: + CheckIPv4_MinTTL( p, p->ip4h->ip_ttl); + return; + + case AF_INET6: + CheckIPv6_MinTTL( p, p->ip6h->hop_lmt); + return; + + default: + break; + } +#endif + + return; +} + +/* Any policy specific decoding should be done in this function which is called by ProcessPacket*/ +void DecodePolicySpecific(Packet *p) +{ + DecodeIP_MinTTL(p); +} + +/* This function enables or disables the decoder rule. 
value can only be 0 or 1*/ +void UpdateDecodeRulesArray(uint32_t sid, int value, int all_rules) +{ + int i; + if(all_rules) + { + for(i=0; i<DECODE_INDEX_MAX ; i++) + decodeRulesArray[i] = ( value != 0 ); + } + else + decodeRulesArray[sid] = ( value != 0 ); +} + +// this must be called iff the layer is successfully decoded because, when +// enabled, the normalizer assumes that the encoding is structurally sound +static inline void PushLayer(PROTO_ID type, Packet* p, const uint8_t* hdr, uint32_t len) +{ + if ( p->next_layer < LAYER_MAX ) + { + Layer* lyr = p->layers + p->next_layer++; + lyr->proto = type; + lyr->start = (uint8_t*)hdr; + lyr->length = (uint16_t)len; + } + else + { + LogMessage("WARNING: decoder got too many layers;" + " next proto is %u.\n", type); + } +} + +//-------------------------------------------------------------------- +// decode.c::ARP +//-------------------------------------------------------------------- + +/* + * Function: DecodeARP(uint8_t *, uint32_t, Packet *) * - * Purpose: Decode those fun loving wireless LAN packets, one at a time! 
+ * Purpose: Decode ARP stuff * - * Arguments: p => pointer to the decoded packet struct - * user => Utility pointer (unused) + * Arguments: pkt => ptr to the packet data + * len => length from here to the end of the packet + * p => pointer to decoded packet struct + * + * Returns: void function + */ +void DecodeARP(const uint8_t * pkt, uint32_t len, Packet * p) +{ + pc.arp++; + +#ifdef GRE + if (p->greh != NULL) + pc.gre_arp++; +#endif + + p->ah = (EtherARP *) pkt; + + if(len < sizeof(EtherARP)) + { + DecoderEvent(p, DECODE_ARP_TRUNCATED, + DECODE_ARP_TRUNCATED_STR, 1, 1); + + pc.discards++; + return; + } + + p->proto_bits |= PROTO_BIT__ARP; + PushLayer(PROTO_ARP, p, pkt, sizeof(*p->ah)); +} + +//-------------------------------------------------------------------- +// decode.c::NULL and Loopback +//-------------------------------------------------------------------- + +/* + * Function: DecodeNullPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) + * + * Purpose: Decoding on loopback devices. + * + * Arguments: p => pointer to decoded packet struct + * user => Utility pointer, unused * pkthdr => ptr to the packet header * pkt => pointer to the real live packet data * * Returns: void function */ -void DecodeIEEE80211Pkt(Packet * p, const struct pcap_pkthdr * pkthdr, - const uint8_t * pkt) +void DecodeNullPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) { - uint32_t pkt_len; /* suprisingly, the length of the packet */ - uint32_t cap_len; /* caplen value */ + uint32_t cap_len = pkthdr->caplen; PROFILE_VARS; - + PREPROC_PROFILE_START(decodePerfStats); pc.total_processed++; 
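Review bot: `UpdateDecodeRulesArray` writes `decodeRulesArray[sid]` with no check that `sid < DECODE_INDEX_MAX`, although the `all_rules` loop is bounded by exactly that constant; if the sid originates from a parsed rule or config line (the callers are not visible here), an out-of-range value is an out-of-bounds write into a global, so add `if (sid >= DECODE_INDEX_MAX) return;` (or a parse-time error) before the assignment, and give `Event_Enabled` the same bound. Separately, `DecodeARP` sets `p->ah = (EtherARP *) pkt;` before the `len < sizeof(EtherARP)` test, so a truncated frame leaves the decoder with `p->ah` pointing at fewer bytes than the struct; moving that assignment below the check keeps `p->ah` NULL on discard. In `DecodeNullPkt` the verbose message `"NULL header length < captured len!"` states the inverted condition — the test is `cap_len < NULL_HDRLEN`, so it should read `"Captured data length < NULL header length! (%u bytes)"`.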
@@ -741,196 +666,273 @@ p->pkth = pkthdr; p->pkt = pkt; - /* set the lengths we need */ - pkt_len = pkthdr->len; /* total packet length */ - cap_len = pkthdr->caplen; /* captured packet length */ - - if (pcap_snaplen < pkt_len) - pkt_len = cap_len; - - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", - (unsigned long)cap_len, (unsigned long)pkt_len);); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"); ); /* do a little validation */ - if(p->pkth->caplen < MINIMAL_IEEE80211_HEADER_LEN) + if(cap_len < NULL_HDRLEN) { if (ScLogVerbose()) { - ErrorMessage("Captured data length < IEEE 802.11 header length! " - "(%d bytes)\n", p->pkth->caplen); + ErrorMessage("NULL header length < captured len! (%d bytes)\n", + cap_len); } PREPROC_PROFILE_END(decodePerfStats); return; } - /* lay the wireless structure over the packet data */ - p->wifih = (WifiHdr *) pkt; - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "%X %X\n", *p->wifih->addr1, - *p->wifih->addr2);); + DecodeIP(p->pkt + NULL_HDRLEN, cap_len - NULL_HDRLEN, p); + PREPROC_PROFILE_END(decodePerfStats); +} - /* determine frame type */ - switch(p->wifih->frame_control & 0x00ff) - { - /* management frames */ - case WLAN_TYPE_MGMT_ASREQ: - case WLAN_TYPE_MGMT_ASRES: - case WLAN_TYPE_MGMT_REREQ: - case WLAN_TYPE_MGMT_RERES: - case WLAN_TYPE_MGMT_PRREQ: - case WLAN_TYPE_MGMT_PRRES: - case WLAN_TYPE_MGMT_BEACON: - case WLAN_TYPE_MGMT_ATIM: - case WLAN_TYPE_MGMT_DIS: - case WLAN_TYPE_MGMT_AUTH: - case WLAN_TYPE_MGMT_DEAUTH: - pc.wifi_mgmt++; - break; +/* + * Function: DecodeEthLoopback(uint8_t *, uint32_t) + * + * Purpose: Just like IPX, it's just for counting. 
+ * + * Arguments: pkt => ptr to the packet data + * len => length from here to the end of the packet + * + * Returns: void function + */ +void DecodeEthLoopback(const uint8_t *pkt, uint32_t len, Packet *p) +{ + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "EthLoopback is not supported.\n");); - /* Control frames */ - case WLAN_TYPE_CONT_PS: - case WLAN_TYPE_CONT_RTS: - case WLAN_TYPE_CONT_CTS: - case WLAN_TYPE_CONT_ACK: - case WLAN_TYPE_CONT_CFE: - case WLAN_TYPE_CONT_CFACK: - pc.wifi_control++; - break; - /* Data packets without data */ - case WLAN_TYPE_DATA_NULL: - case WLAN_TYPE_DATA_CFACK: - case WLAN_TYPE_DATA_CFPL: - case WLAN_TYPE_DATA_ACKPL: + pc.ethloopback++; - pc.wifi_data++; - break; - case WLAN_TYPE_DATA_DTCFACK: - case WLAN_TYPE_DATA_DTCFPL: - case WLAN_TYPE_DATA_DTACKPL: - case WLAN_TYPE_DATA_DATA: - pc.wifi_data++; +#ifdef GRE + if (p->greh != NULL) + pc.gre_loopback++; +#endif - if(cap_len < IEEE802_11_DATA_HDR_LEN + sizeof(EthLlc)) - { - if (ScLogVerbose()) - ErrorMessage("Not enough data for EthLlc header\n"); + return; +} - if (ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_BAD_80211_ETHLLC, 1, DECODE_CLASS, 3, - DECODE_BAD_80211_ETHLLC_STR, 0); +//-------------------------------------------------------------------- +// decode.c::Ethernet +//-------------------------------------------------------------------- - if ((ScInlineMode())) - { - queueDecoderInlineDrop(p); - } - } +/* + * Function: DecodeEthPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) + * + * Purpose: Decode those fun loving ethernet packets, one at a time! 
+ * + * Arguments: p => pointer to the decoded packet struct + * user => Utility pointer (unused) + * pkthdr => ptr to the packet header + * pkt => pointer to the real live packet data + * + * Returns: void function + */ +void DecodeEthPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) +{ + uint32_t cap_len = pkthdr->caplen; + PROFILE_VARS; - PREPROC_PROFILE_END(decodePerfStats); - return; - } + PREPROC_PROFILE_START(decodePerfStats); + pc.eth++; + pc.total_processed++; - p->ehllc = (EthLlc *) (pkt + IEEE802_11_DATA_HDR_LEN); + memset(p, 0, PKT_ZERO_LEN); -#ifdef DEBUG - PrintNetData(stdout,(uint8_t *) p->ehllc, sizeof(EthLlc)); - //ClearDumpBuf(); + p->pkth = pkthdr; + p->pkt = pkt; - printf("LLC Header:\n"); - printf(" DSAP: 0x%X\n", p->ehllc->dsap); - printf(" SSAP: 0x%X\n", p->ehllc->ssap); -#endif + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"); + DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", + (unsigned long)cap_len, (unsigned long)pkthdr->pktlen); + ); - if(p->ehllc->dsap == ETH_DSAP_IP && p->ehllc->ssap == ETH_SSAP_IP) - { - if(cap_len < IEEE802_11_DATA_HDR_LEN + - sizeof(EthLlc) + sizeof(EthLlcOther)) - { - if (ScLogVerbose()) - ErrorMessage("Not enough data for EthLlcOther header\n"); + /* do a little validation */ + if(cap_len < ETHERNET_HEADER_LEN) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "WARNING: Truncated eth header (%d bytes).\n", cap_len);); - if (ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_BAD_80211_ETHLLC, 1, DECODE_CLASS, 3, - DECODE_BAD_80211_ETHLLC_STR, 0); + if ( Event_Enabled(DECODE_ETH_HDR_TRUNC) ) + DecoderEvent(p, EVARGS(ETH_HDR_TRUNC), 1, 1); - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - } - - PREPROC_PROFILE_END(decodePerfStats); - return; - } + p->iph = NULL; + pc.discards++; + pc.ethdisc++; + PREPROC_PROFILE_END(decodePerfStats); + return; + } - p->ehllcother = (EthLlcOther *) (pkt + IEEE802_11_DATA_HDR_LEN + sizeof(EthLlc)); -#ifdef DEBUG - 
PrintNetData(stdout,(uint8_t *) p->ehllcother, sizeof(EthLlcOther)); - //ClearDumpBuf(); - printf("LLC Other Header:\n"); - printf(" CTRL: 0x%X\n", p->ehllcother->ctrl); - printf(" ORG: 0x%02X%02X%02X\n", p->ehllcother->org_code[0], - p->ehllcother->org_code[1], p->ehllcother->org_code[2]); - printf(" PROTO: 0x%04X\n", ntohs(p->ehllcother->proto_id)); -#endif + /* lay the ethernet structure over the packet data */ + p->eh = (EtherHdr *) pkt; + PushLayer(PROTO_ETH, p, pkt, sizeof(*p->eh)); - switch(ntohs(p->ehllcother->proto_id)) - { - case ETHERNET_TYPE_IP: - DecodeIP(p->pkt + IEEE802_11_DATA_HDR_LEN + sizeof(EthLlc) + - sizeof(EthLlcOther), - pkt_len - IEEE802_11_DATA_HDR_LEN - sizeof(EthLlc) - - sizeof(EthLlcOther), p); - PREPROC_PROFILE_END(decodePerfStats); - return; + DEBUG_WRAP( + DebugMessage(DEBUG_DECODE, "%X:%X:%X:%X:%X:%X -> %X:%X:%X:%X:%X:%X\n", + p->eh->ether_src[0], + p->eh->ether_src[1], p->eh->ether_src[2], p->eh->ether_src[3], + p->eh->ether_src[4], p->eh->ether_src[5], p->eh->ether_dst[0], + p->eh->ether_dst[1], p->eh->ether_dst[2], p->eh->ether_dst[3], + p->eh->ether_dst[4], p->eh->ether_dst[5]); + ); + DEBUG_WRAP( + DebugMessage(DEBUG_DECODE, "type:0x%X len:0x%X\n", + ntohs(p->eh->ether_type), p->pkth->pktlen) + ); - case ETHERNET_TYPE_ARP: - case ETHERNET_TYPE_REVARP: - DecodeARP(p->pkt + IEEE802_11_DATA_HDR_LEN + sizeof(EthLlc) + - sizeof(EthLlcOther), - pkt_len - IEEE802_11_DATA_HDR_LEN - sizeof(EthLlc) - - sizeof(EthLlcOther), p); - PREPROC_PROFILE_END(decodePerfStats); - return; - case ETHERNET_TYPE_EAPOL: - DecodeEapol(p->pkt + IEEE802_11_DATA_HDR_LEN + sizeof(EthLlc) + - sizeof(EthLlcOther), - pkt_len - IEEE802_11_DATA_HDR_LEN - sizeof(EthLlc) - - sizeof(EthLlcOther), p); - PREPROC_PROFILE_END(decodePerfStats); - return; - case ETHERNET_TYPE_8021Q: - DecodeVlan(p->pkt + IEEE802_11_DATA_HDR_LEN , - cap_len - IEEE802_11_DATA_HDR_LEN , p); - PREPROC_PROFILE_END(decodePerfStats); - return; - - case ETHERNET_TYPE_IPV6: - DecodeIPV6(p->pkt + 
IEEE802_11_DATA_HDR_LEN, - cap_len - IEEE802_11_DATA_HDR_LEN, p); - PREPROC_PROFILE_END(decodePerfStats); - return; + /* grab out the network type */ + switch(ntohs(p->eh->ether_type)) + { + case ETHERNET_TYPE_IP: + DEBUG_WRAP( + DebugMessage(DEBUG_DECODE, + "IP datagram size calculated to be %lu bytes\n", + (unsigned long)(cap_len - ETHERNET_HEADER_LEN)); + ); - default: - pc.other++; - PREPROC_PROFILE_END(decodePerfStats); - return; - } + DecodeIP(p->pkt + ETHERNET_HEADER_LEN, + cap_len - ETHERNET_HEADER_LEN, p); + + PREPROC_PROFILE_END(decodePerfStats); + return; + + case ETHERNET_TYPE_ARP: + case ETHERNET_TYPE_REVARP: + DecodeARP(p->pkt + ETHERNET_HEADER_LEN, + cap_len - ETHERNET_HEADER_LEN, p); + PREPROC_PROFILE_END(decodePerfStats); + return; + + case ETHERNET_TYPE_IPV6: + DecodeIPV6(p->pkt + ETHERNET_HEADER_LEN, + (cap_len - ETHERNET_HEADER_LEN), p); + PREPROC_PROFILE_END(decodePerfStats); + return; + + case ETHERNET_TYPE_PPPoE_DISC: + case ETHERNET_TYPE_PPPoE_SESS: + DecodePPPoEPkt(p->pkt + ETHERNET_HEADER_LEN, + (cap_len - ETHERNET_HEADER_LEN), p); + PREPROC_PROFILE_END(decodePerfStats); + return; + +#ifndef NO_NON_ETHER_DECODER + case ETHERNET_TYPE_IPX: + DecodeIPX(p->pkt + ETHERNET_HEADER_LEN, + (cap_len - ETHERNET_HEADER_LEN), p); + PREPROC_PROFILE_END(decodePerfStats); + return; +#endif + + case ETHERNET_TYPE_LOOP: + DecodeEthLoopback(p->pkt + ETHERNET_HEADER_LEN, + (cap_len - ETHERNET_HEADER_LEN), p); + PREPROC_PROFILE_END(decodePerfStats); + return; + + case ETHERNET_TYPE_8021Q: + DecodeVlan(p->pkt + ETHERNET_HEADER_LEN, + cap_len - ETHERNET_HEADER_LEN, p); + PREPROC_PROFILE_END(decodePerfStats); + return; +#ifdef MPLS + case ETHERNET_TYPE_MPLS_MULTICAST: + if(!ScMplsMulticast()) + { + //additional check for DecoderAlerts will be done now. 
+ DecoderEvent(p, DECODE_BAD_MPLS, DECODE_MULTICAST_MPLS_STR, 1, 1); } - break; + case ETHERNET_TYPE_MPLS_UNICAST: + DecodeMPLS(p->pkt + ETHERNET_HEADER_LEN, + cap_len - ETHERNET_HEADER_LEN, p); + PREPROC_PROFILE_END(decodePerfStats); + return; +#endif default: + // TBD add decoder drop event for unknown eth type pc.other++; - break; + PREPROC_PROFILE_END(decodePerfStats); + return; } PREPROC_PROFILE_END(decodePerfStats); return; } -#endif //NO_NON_ETHER_DECODER + +#ifdef GRE +/* + * Function: DecodeTransBridging(uint8_t *, const uint32_t, Packet) + * + * Purpose: Decode Transparent Ethernet Bridging + * + * Arguments: pkt => pointer to the real live packet data + * len => length of remaining data in packet + * p => pointer to the decoded packet struct + * + * + * Returns: void function + * + * Note: This is basically the code from DecodeEthPkt but the calling + * convention needed to be changed and the stuff at the beginning + * wasn't needed since we are already deep into the packet + */ +void DecodeTransBridging(const uint8_t *pkt, const uint32_t len, Packet *p) +{ + pc.gre_eth++; + + if(len < ETHERNET_HEADER_LEN) + { + DecoderAlertEncapsulated(p, DECODE_GRE_TRANS_DGRAM_LT_TRANSHDR, + DECODE_GRE_TRANS_DGRAM_LT_TRANSHDR_STR, + pkt, len); + return; + } + + /* The Packet struct's ethernet header will now point to the inner ethernet + * header of the packet + */ + p->eh = (EtherHdr *)pkt; + PushLayer(PROTO_ETH, p, pkt, sizeof(*p->eh)); + + switch (ntohs(p->eh->ether_type)) + { + case ETHERNET_TYPE_IP: + DecodeIP(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p); + return; + + case ETHERNET_TYPE_ARP: + case ETHERNET_TYPE_REVARP: + DecodeARP(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p); + return; + + case ETHERNET_TYPE_IPV6: + DecodeIPV6(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p); + return; + +#ifndef NO_NON_ETHER_DECODER + case ETHERNET_TYPE_IPX: + DecodeIPX(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p); + return; +#endif + 
+ case ETHERNET_TYPE_LOOP: + DecodeEthLoopback(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p); + return; + + case ETHERNET_TYPE_8021Q: + DecodeVlan(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p); + return; + + default: + // TBD add decoder drop event for unknown xbrdg/eth type + pc.other++; + p->data = pkt + ETHERNET_HEADER_LEN; + p->dsize = (uint16_t)(len - ETHERNET_HEADER_LEN); + return; + } +} +#endif /* GRE */ + +//-------------------------------------------------------------------- +// decode.c::MPLS +//-------------------------------------------------------------------- #ifdef MPLS /* @@ -952,24 +954,17 @@ iRet = MPLS_PAYLOADTYPE_IPV6; - /* when label == 2, IPv6 is expected; + /* when label == 2, IPv6 is expected; * when label == 0, IPv4 is expected */ if((label&&(ScMplsPayloadType() != MPLS_PAYLOADTYPE_IPV6)) ||((!label)&&(ScMplsPayloadType() != MPLS_PAYLOADTYPE_IPV4))) { - if (ScIdsMode()) - { - if( !label ) - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_BAD_MPLS_LABEL0, 1, - DECODE_CLASS, 3, DECODE_BAD_MPLS_LABEL0_STR, 0); - else - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_BAD_MPLS_LABEL2, 1, - DECODE_CLASS, 3, DECODE_BAD_MPLS_LABEL2_STR, 0); - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - } + if( !label ) + DecoderEvent(p, DECODE_BAD_MPLS_LABEL0, + DECODE_BAD_MPLS_LABEL0_STR, 1, 1); + else + DecoderEvent(p, DECODE_BAD_MPLS_LABEL2, + DECODE_BAD_MPLS_LABEL2_STR, 1, 1); } break; } 
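Review bot: In `DecodeEthPkt` the `ETHERNET_TYPE_MPLS_MULTICAST` arm raises `DECODE_BAD_MPLS` and then falls into `ETHERNET_TYPE_MPLS_UNICAST` with no marker, so a reader (and `-Wimplicit-fallthrough`) cannot tell the fallthrough from a missing `break`; add `/* fallthrough: once the event is queued, multicast MPLS is decoded exactly like unicast */` before the unicast label. The comment should also say why decoding continues even though the event was raised with the drop flag set — that is only right if the drop is applied later by the Active layer, which this hunk does not show.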
@@ -978,28 +973,13 @@ /* This is valid per RFC 4182. Just pop this label off, ignore it * and move on to the next one. */ - if (ScLogVerbose()) - { - if( !label ) - ErrorMessage("Label value zero appears in nonbottom MPLS header\n"); - else - ErrorMessage("Label value two appears in nonbottom MPLS header\n"); - } + if( !label ) + DecoderEvent(p, DECODE_BAD_MPLS_LABEL0, + DECODE_BAD_MPLS_LABEL0_STR, 1, 1); + else + DecoderEvent(p, DECODE_BAD_MPLS_LABEL2, + DECODE_BAD_MPLS_LABEL2_STR, 1, 1); - if (ScIdsMode()) - { - if( !label ) - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_BAD_MPLS_LABEL0, 1, - DECODE_CLASS, 3, DECODE_BAD_MPLS_LABEL0_STR, 0); - else - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_BAD_MPLS_LABEL2, 1, - DECODE_CLASS, 3, DECODE_BAD_MPLS_LABEL2_STR, 0); - - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - } pc.discards++; p->iph = NULL; #ifdef SUP_IP6 @@ -1010,19 +990,10 @@ break; case 1: if(!bos) break; - - if (ScLogVerbose()) - ErrorMessage("Label value one appears in bottom MPLS header\n"); - if (ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_BAD_MPLS_LABEL1, 1, - DECODE_CLASS, 3, DECODE_BAD_MPLS_LABEL1_STR, 0); - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - } + DecoderEvent(p, DECODE_BAD_MPLS_LABEL1, + DECODE_BAD_MPLS_LABEL1_STR, 1, 1); + pc.discards++; p->iph = NULL; #ifdef SUP_IP6 @@ -1030,21 +1001,11 @@ #endif iRet = MPLS_PAYLOADTYPE_ERROR; break; - - case 3: - if (ScLogVerbose()) - ErrorMessage("Label value three appears in MPLS header\n"); - if (ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_BAD_MPLS_LABEL3, 1, - DECODE_CLASS, 3, DECODE_BAD_MPLS_LABEL3_STR, 0); + case 3: + DecoderEvent(p, DECODE_BAD_MPLS_LABEL3, + DECODE_BAD_MPLS_LABEL3_STR, 1, 1); - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - } pc.discards++; p->iph = NULL; #ifdef SUP_IP6 
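Review bot: The surviving comment in the non-bottom label 0/2 branch, `/* This is valid per RFC 4182. Just pop this label off, ignore it and move on to the next one. */`, now sits directly above code that raises `DECODE_BAD_MPLS_LABEL0`/`LABEL2` with the drop flag set and then does `pc.discards++; p->iph = NULL;`, i.e. the packet is discarded, not popped and continued. Either the comment or the behavior is wrong; if discarding is intended, reword it to `/* RFC 4182 allows label 0/2 above the bottom of the stack, but this decoder treats it as malformed: raise the event and discard. */`. The tail of this branch is outside the hunk, so "discard" is inferred from the visible `pc.discards++` and `p->iph = NULL`.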
@@ -1064,18 +1025,12 @@ case 13: case 14: case 15: - if (ScLogVerbose()) - ErrorMessage("Reserved label value appears in MPLS header\n"); - - if (ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_MPLS_RESERVED_LABEL, 1, - DECODE_CLASS, 3, DECODE_MPLS_RESERVEDLABEL_STR, 0); - } + DecoderEvent(p, DECODE_MPLS_RESERVED_LABEL, + DECODE_MPLS_RESERVEDLABEL_STR, 1, 1); break; - default: + default: break; - } + } if ( !iRet ) { iRet = ScMplsPayloadType(); @@ -1083,36 +1038,31 @@ return iRet; } -void DecodeMPLS(const uint8_t * pkt, struct pcap_pkthdr * pkthdr, Packet * p) +void DecodeMPLS(const uint8_t* pkt, const uint32_t len, Packet* p) { - uint32_t *tmpMplsHdr; - uint32_t mpls_h; - uint32_t label; - uint8_t exp; - uint8_t bos = 0; - uint8_t ttl; - uint8_t chainLen = 0; - int iRet = 0; - + uint32_t* tmpMplsHdr; + uint32_t mpls_h; + uint32_t label; + uint32_t mlen = 0; + + uint8_t exp; + uint8_t bos = 0; + uint8_t ttl; + uint8_t chainLen = 0; + + int iRet = 0; + pc.mpls++; - UpdateMPLSStats(&sfBase, pkthdr->caplen); + UpdateMPLSStats(&sfBase, len, Active_PacketWasDropped()); tmpMplsHdr = (uint32_t *) pkt; p->mpls = NULL; - while (!bos) + + while (!bos) { - if(pkthdr->caplen < MPLS_HEADER_LEN) + if(len < MPLS_HEADER_LEN) { - if (ScLogVerbose()) - ErrorMessage("Not enough data to process an MPLS header\n"); + DecoderEvent(p, DECODE_BAD_MPLS, DECODE_BAD_MPLS_STR, 1, 1); - if (ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_BAD_MPLS, 1, DECODE_CLASS, 3, DECODE_BAD_MPLS_STR, 0); - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - } pc.discards++; p->iph = NULL; #ifdef SUP_IP6 
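Review bot: In `DecodeMPLS` the per-label guard `if(len < MPLS_HEADER_LEN)` tests the function's `const uint32_t len` on every iteration, but nothing reduces that value — the old per-label `pkthdr->caplen -= MPLS_HEADER_LEN` is removed in the following hunk with no replacement, and a `const` parameter cannot be adjusted by any unchanged line in between — so only the first label is bounds-checked and a frame whose labels never set BoS is read four bytes past the captured data per iteration until the stack-depth limit, which is unbounded when `ScMplsStackDepth()` is -1. After the loop `mlen = len - mlen` then underflows and hands an oversized length to `DecodeIP`/`DecodeIPV6`. Track the remaining bytes separately: declare `uint32_t stack_len = len;`, test `if (stack_len < MPLS_HEADER_LEN)` at the top of the loop, and do `stack_len -= MPLS_HEADER_LEN;` immediately after `tmpMplsHdr++`.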
@@ -1120,17 +1070,17 @@ #endif return; } - + mpls_h = ntohl(*tmpMplsHdr); ttl = (uint8_t)(mpls_h & 0x000000FF); mpls_h = mpls_h>>8; bos = (uint8_t)(mpls_h & 0x00000001); exp = (uint8_t)(mpls_h & 0x0000000E); label = (mpls_h>>4) & 0x000FFFFF; - + if((label<NUM_RESERVED_LABELS)&&((iRet = checkMplsHdr(label, exp, bos, ttl, p)) < 0)) return; - + if( bos ) { p->mplsHdr.label = label; @@ -1147,23 +1097,12 @@ } } tmpMplsHdr++; - pkthdr->caplen -= MPLS_HEADER_LEN; - pkthdr->len -= MPLS_HEADER_LEN; - if ((ScMplsStackDepth() != -1) && (chainLen++ >= ScMplsStackDepth())) - { - if (ScLogVerbose()) - ErrorMessage("MPLS header chain too long\n"); - if (ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_MPLS_LABEL_STACK, 1, - DECODE_CLASS, 3, DECODE_MPLS_LABEL_STACK_STR, 0); + if ((ScMplsStackDepth() != -1) && (chainLen++ >= ScMplsStackDepth())) + { + DecoderEvent(p, DECODE_MPLS_LABEL_STACK, + DECODE_MPLS_LABEL_STACK_STR, 1, 1); - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - } pc.discards++; p->iph = NULL; #ifdef SUP_IP6 
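Review bot: `chainLen` is a `uint8_t` and the depth test `chainLen++ >= ScMplsStackDepth()` promotes it to `int`, so if `ScMplsStackDepth()` can be configured above 255 (its range is not visible here) the counter wraps to 0 after 256 labels and the `DECODE_MPLS_LABEL_STACK` limit is never reached; declaring it `uint32_t chainLen = 0;` in the previous hunk's declaration list removes the wrap. If the configured range is already capped below 256, a comment saying so next to the declaration would save the next reader the same question.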
@@ -1172,62 +1111,55 @@ return; } } /* while bos not 1, peel off more labels */ - + + mlen = (uint8_t*)tmpMplsHdr - pkt; + PushLayer(PROTO_MPLS, p, pkt, mlen); + mlen = len - mlen; + switch (iRet) { case MPLS_PAYLOADTYPE_IPV4: - DecodeIP((uint8_t *)tmpMplsHdr, pkthdr->caplen, p); + DecodeIP((uint8_t *)tmpMplsHdr, mlen, p); break; case MPLS_PAYLOADTYPE_IPV6: - DecodeIPV6((uint8_t *)tmpMplsHdr, pkthdr->caplen, p); + DecodeIPV6((uint8_t *)tmpMplsHdr, mlen, p); break; - + case MPLS_PAYLOADTYPE_ETHERNET: - DecodeEthOverMPLS(p, pkthdr, (uint8_t *)tmpMplsHdr); + DecodeEthOverMPLS((uint8_t *)tmpMplsHdr, mlen, p); break; - + default: - break; + break; } - return; } -void DecodeEthOverMPLS(Packet * p, const struct pcap_pkthdr * pkthdr, const uint8_t * pkt) +void DecodeEthOverMPLS(const uint8_t* pkt, const uint32_t len, Packet* p) { - uint32_t pkt_len; - uint32_t cap_len; - - memset(p, 0, PKT_ZERO_LEN); - - p->pkth = pkthdr; - p->pkt = pkt; - - /* set the lengths we need */ - pkt_len = pkthdr->len; /* total packet length */ - cap_len = pkthdr->caplen; /* captured packet length */ - /* do a little validation */ - if(cap_len < ETHERNET_HEADER_LEN) + if(len < ETHERNET_HEADER_LEN) { if (ScLogVerbose()) { ErrorMessage("Captured data length < Ethernet header length!" - " (%d bytes)\n", p->pkth->caplen); + " (%d bytes)\n", len); } - + p->iph = NULL; + // TBD add decoder drop event for eth over MPLS cap len issue pc.discards++; pc.ethdisc++; return; } /* lay the ethernet structure over the packet data */ - p->eh = (EtherHdr *) pkt; + p->eh = (EtherHdr *) pkt; // FIXTHIS squashes outer eth! + PushLayer(PROTO_ETH, p, pkt, sizeof(*p->eh)); DEBUG_WRAP( - DebugMessage(DEBUG_DECODE, "%X %X\n", + DebugMessage(DEBUG_DECODE, "%X %X\n", *p->eh->ether_src, *p->eh->ether_dst); ); 
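Review bot: The verbose message in `DecodeEthOverMPLS`'s short-header path prints the `const uint32_t len` with `%d`; use `%u` so the specifier matches the argument (the `cap_len` message in `DecodeNullPkt` has the same mismatch). This path also returns after only `p->iph = NULL;` and the counters, while the equivalent short-header paths in `DecodeTransBridging` and `DecodeVlan` raise a decoder event — the `// TBD` acknowledges it, but until it is done the discard is silent in inline mode, which the comment should state: `// TBD: no decoder event yet, so this truncation is never alerted on or dropped`.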
@@ -1236,57 +1168,84 @@ { case ETHERNET_TYPE_IP: DEBUG_WRAP( - DebugMessage(DEBUG_DECODE, + DebugMessage(DEBUG_DECODE, "IP datagram size calculated to be %lu bytes\n", - (unsigned long)(cap_len - ETHERNET_HEADER_LEN)); + (unsigned long)(len - ETHERNET_HEADER_LEN)); ); - DecodeIP(p->pkt + ETHERNET_HEADER_LEN, - cap_len - ETHERNET_HEADER_LEN, p); + DecodeIP(p->pkt + ETHERNET_HEADER_LEN, + len - ETHERNET_HEADER_LEN, p); return; case ETHERNET_TYPE_ARP: case ETHERNET_TYPE_REVARP: - DecodeARP(p->pkt + ETHERNET_HEADER_LEN, - cap_len - ETHERNET_HEADER_LEN, p); + DecodeARP(p->pkt + ETHERNET_HEADER_LEN, + len - ETHERNET_HEADER_LEN, p); return; case ETHERNET_TYPE_IPV6: - DecodeIPV6(p->pkt + ETHERNET_HEADER_LEN, - (cap_len - ETHERNET_HEADER_LEN), p); + DecodeIPV6(p->pkt + ETHERNET_HEADER_LEN, + (len - ETHERNET_HEADER_LEN), p); return; -#ifndef NO_NON_ETHER_DECODER case ETHERNET_TYPE_PPPoE_DISC: case ETHERNET_TYPE_PPPoE_SESS: - DecodePPPoEPkt(p, pkthdr, pkt); + DecodePPPoEPkt(p->pkt + ETHERNET_HEADER_LEN, + (len - ETHERNET_HEADER_LEN), p); return; +#ifndef NO_NON_ETHER_DECODER case ETHERNET_TYPE_IPX: - DecodeIPX(p->pkt + ETHERNET_HEADER_LEN, - (cap_len - ETHERNET_HEADER_LEN), p); + DecodeIPX(p->pkt + ETHERNET_HEADER_LEN, + (len - ETHERNET_HEADER_LEN), p); return; #endif case ETHERNET_TYPE_LOOP: - DecodeEthLoopback(p->pkt + ETHERNET_HEADER_LEN, - (cap_len - ETHERNET_HEADER_LEN), p); - return; + DecodeEthLoopback(p->pkt + ETHERNET_HEADER_LEN, + (len - ETHERNET_HEADER_LEN), p); + return; case ETHERNET_TYPE_8021Q: - DecodeVlan(p->pkt + ETHERNET_HEADER_LEN, - cap_len - ETHERNET_HEADER_LEN, p); - return; - + DecodeVlan(p->pkt + ETHERNET_HEADER_LEN, + len - ETHERNET_HEADER_LEN, p); + return; + default: + // TBD add decoder drop event for unknown mpls/eth type pc.other++; return; } return; } -#endif + +int isPrivateIP(uint32_t addr) +{ + switch (addr & 0xff) + { + case 0x0a: + return 1; + break; + case 0xac: + if ((addr & 0xf000) == 0x1000) + return 1; + break; + case 0xc0: + if 
(((addr & 0xff00) ) == 0xa800) + return 1; + break; + } + return 0; +} +#endif // MPLS + +//-------------------------------------------------------------------- +// decode.c::VLAN +//-------------------------------------------------------------------- + +#define LEN_VLAN_LLC_OTHER (sizeof(VlanTagHdr) + sizeof(EthLlc) + sizeof(EthLlcOther)) void DecodeVlan(const uint8_t * pkt, const uint32_t len, Packet * p) { @@ -1299,21 +1258,9 @@ if(len < sizeof(VlanTagHdr)) { - if (ScLogVerbose()) - ErrorMessage("Not enough data to process a vlan header\n"); + DecoderEvent(p, DECODE_BAD_VLAN, DECODE_BAD_VLAN_STR, 1, 1); - if (ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_BAD_VLAN, 1, - DECODE_CLASS, 3, DECODE_BAD_VLAN_STR, 0); - - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - - } - + // TBD add decoder drop event for VLAN hdr len issue pc.discards++; p->iph = NULL; #ifdef SUP_IP6 @@ -1323,14 +1270,14 @@ } p->vh = (VlanTagHdr *) pkt; - + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Vlan traffic:\n"); - DebugMessage(DEBUG_DECODE, " Priority: %d(0x%X)\n", + DebugMessage(DEBUG_DECODE, " Priority: %d(0x%X)\n", VTH_PRIORITY(p->vh), VTH_PRIORITY(p->vh)); DebugMessage(DEBUG_DECODE, " CFI: %d\n", VTH_CFI(p->vh)); - DebugMessage(DEBUG_DECODE, " Vlan ID: %d(0x%04X)\n", + DebugMessage(DEBUG_DECODE, " Vlan ID: %d(0x%04X)\n", VTH_VLAN(p->vh), VTH_VLAN(p->vh)); - DebugMessage(DEBUG_DECODE, " Vlan Proto: 0x%04X\n", + DebugMessage(DEBUG_DECODE, " Vlan Proto: 0x%04X\n", ntohs(p->vh->vth_proto)); ); 
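Review bot: `isPrivateIP` tests the first octet with `addr & 0xff` and the second with `addr & 0xf000` / `addr & 0xff00`, which only selects those octets when `addr` holds the address exactly as it sits in memory on a little-endian host; on a big-endian host the same masks pick the last octets, so 10/8, 172.16/12 and 192.168/16 are all misclassified. Converting once with `ntohl()` (already used in this file) and masking the host-order value makes the function endian-safe without changing its result on little-endian builds; the `break` after each `return 1` is dead code and the switch has no `default`. The function also sits inside the `#ifdef MPLS` region closed by `#endif // MPLS`, so any caller compiled without MPLS would fail to link — worth confirming where it is used. The DecodeEthOverMPLS switch above it begins before the hunk.
```c
int isPrivateIP(uint32_t addr)
{
    /* addr is assumed to be in network byte order (as read from the IP
     * header) — confirm against callers; compare on the host-order value
     * so the octet masks are endian-safe. */
    uint32_t host = ntohl(addr);

    switch (host >> 24)
    {
    case 0x0a:                                   /* 10/8 */
        return 1;
    case 0xac:                                   /* 172.16/12 */
        return (host & 0x00f00000) == 0x00100000;
    case 0xc0:                                   /* 192.168/16 */
        return (host & 0x00ff0000) == 0x00a80000;
    default:
        return 0;
    }
}
```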
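Review bot: In DecodeVlan's short-header path the new `// TBD add decoder drop event for VLAN hdr len issue` sits directly below `DecoderEvent(p, DECODE_BAD_VLAN, DECODE_BAD_VLAN_STR, 1, 1);`, which is exactly the event it says is still to be added, so the comment now reads as stale; either delete it or reword it to name what is actually still missing (the other `TBD` comments in this diff mark paths that raise no event at all). DecodeVlan's signature and the rest of the function lie outside the hunk.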
@@ -1341,30 +1288,17 @@ { if(len < sizeof(VlanTagHdr) + sizeof(EthLlc)) { - if (ScLogVerbose()) - { - ErrorMessage("Not enough data for EthLlc header"); - } - - if (ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_BAD_VLAN_ETHLLC, - 1, DECODE_CLASS, 3, DECODE_BAD_VLAN_ETHLLC_STR, 0); - - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - } + DecoderEvent(p, DECODE_BAD_VLAN_ETHLLC, + DECODE_BAD_VLAN_ETHLLC_STR, 1, 1); pc.discards++; p->iph = NULL; #ifdef SUP_IP6 p->family = NO_IP; #endif - return; + return; } - + p->ehllc = (EthLlc *) (pkt + sizeof(VlanTagHdr)); DEBUG_WRAP( 
@@ -1375,111 +1309,91 @@ if(p->ehllc->dsap == ETH_DSAP_IP && p->ehllc->ssap == ETH_SSAP_IP) { - if(len < sizeof(VlanTagHdr) + sizeof(EthLlc) + sizeof(EthLlcOther)) + if ( len < LEN_VLAN_LLC_OTHER ) { - if (ScLogVerbose()) - { - ErrorMessage("Not enough data for VLAN header"); - } - - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_BAD_VLAN_OTHER, 1, DECODE_CLASS, 3, - DECODE_BAD_VLAN_OTHER_STR, 0); - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } + DecoderEvent(p, DECODE_BAD_VLAN_OTHER, + DECODE_BAD_VLAN_OTHER_STR, 1, 1); - } - pc.discards++; p->iph = NULL; #ifdef SUP_IP6 p->family = NO_IP; #endif - return; + return; } p->ehllcother = (EthLlcOther *) (pkt + sizeof(VlanTagHdr) + sizeof(EthLlc)); DEBUG_WRAP( DebugMessage(DEBUG_DECODE, "LLC Other Header:\n"); - DebugMessage(DEBUG_DECODE, " CTRL: 0x%X\n", + DebugMessage(DEBUG_DECODE, " CTRL: 0x%X\n", p->ehllcother->ctrl); - DebugMessage(DEBUG_DECODE, " ORG: 0x%02X%02X%02X\n", - p->ehllcother->org_code[0], p->ehllcother->org_code[1], + DebugMessage(DEBUG_DECODE, " ORG: 0x%02X%02X%02X\n", + p->ehllcother->org_code[0], p->ehllcother->org_code[1], p->ehllcother->org_code[2]); - DebugMessage(DEBUG_DECODE, " PROTO: 0x%04X\n", + DebugMessage(DEBUG_DECODE, " PROTO: 0x%04X\n", ntohs(p->ehllcother->proto_id)); ); + PushLayer(PROTO_VLAN, p, pkt, sizeof(*p->vh)); + switch(ntohs(p->ehllcother->proto_id)) { case ETHERNET_TYPE_IP: - DecodeIP(p->pkt + sizeof(VlanTagHdr) + sizeof(EthLlc) + sizeof(EthLlcOther), - len - sizeof(VlanTagHdr) - sizeof(EthLlc) - sizeof(EthLlcOther), p); + DecodeIP(p->pkt + LEN_VLAN_LLC_OTHER, + len - LEN_VLAN_LLC_OTHER, p); return; case ETHERNET_TYPE_ARP: case ETHERNET_TYPE_REVARP: - DecodeARP(p->pkt + sizeof(VlanTagHdr) + sizeof(EthLlc) + sizeof(EthLlcOther), - len - sizeof(VlanTagHdr) - sizeof(EthLlc) - sizeof(EthLlcOther), p); + DecodeARP(p->pkt + LEN_VLAN_LLC_OTHER, + len - LEN_VLAN_LLC_OTHER, p); return; case ETHERNET_TYPE_IPV6: - DecodeIPV6(p->pkt + sizeof(VlanTagHdr) 
+ sizeof(EthLlc) + sizeof(EthLlcOther), - len - sizeof(VlanTagHdr) - sizeof(EthLlc) - sizeof(EthLlcOther), p); + DecodeIPV6(p->pkt + LEN_VLAN_LLC_OTHER, + len - LEN_VLAN_LLC_OTHER, p); return; case ETHERNET_TYPE_8021Q: pc.nested_vlan++; - DecodeVlan(p->pkt + sizeof(VlanTagHdr) + sizeof(EthLlc) + sizeof(EthLlcOther), - len - sizeof(VlanTagHdr) - sizeof(EthLlc) - sizeof(EthLlcOther), p); + DecodeVlan(p->pkt + LEN_VLAN_LLC_OTHER, + len - LEN_VLAN_LLC_OTHER, p); return; case ETHERNET_TYPE_LOOP: - DecodeEthLoopback(p->pkt + sizeof(VlanTagHdr) + sizeof(EthLlc) + sizeof(EthLlcOther), - len - sizeof(VlanTagHdr) - sizeof(EthLlc) - sizeof(EthLlcOther), p); + DecodeEthLoopback(p->pkt + LEN_VLAN_LLC_OTHER, + len - LEN_VLAN_LLC_OTHER, p); return; #ifndef NO_NON_ETHER_DECODER case ETHERNET_TYPE_IPX: - DecodeIPX(p->pkt + sizeof(VlanTagHdr) + sizeof(EthLlc) + sizeof(EthLlcOther), - len - sizeof(VlanTagHdr) - sizeof(EthLlc) - sizeof(EthLlcOther), p); + DecodeIPX(p->pkt + LEN_VLAN_LLC_OTHER, + len - LEN_VLAN_LLC_OTHER, p); return; +#endif - /* Add these after DecodePPPoEPkt() has been reimplemented */ case ETHERNET_TYPE_PPPoE_DISC: case ETHERNET_TYPE_PPPoE_SESS: - { - struct pcap_pkthdr pkthdrTmp; - pkthdrTmp.caplen = len - sizeof(VlanTagHdr) - sizeof(EthLlc) - sizeof(EthLlcOther); - pkthdrTmp.len = len - sizeof(VlanTagHdr) - sizeof(EthLlc) - sizeof(EthLlcOther); - DecodePPPoEPkt(p,&pkthdrTmp, p->pkt + sizeof(VlanTagHdr) + sizeof(EthLlc) + sizeof(EthLlcOther)); - return; - } -#endif + DecodePPPoEPkt(p->pkt + LEN_VLAN_LLC_OTHER, + len - LEN_VLAN_LLC_OTHER, p); + return; #ifdef MPLS case ETHERNET_TYPE_MPLS_MULTICAST: if(!ScMplsMulticast()) { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_BAD_MPLS, 1, DECODE_CLASS, 3, DECODE_MULTICAST_MPLS_STR, 0); + DecoderEvent(p, DECODE_BAD_MPLS, + DECODE_MULTICAST_MPLS_STR, 1, 1); } case ETHERNET_TYPE_MPLS_UNICAST: - { - struct pcap_pkthdr pkthdrTmp; - pkthdrTmp.caplen = len - sizeof(VlanTagHdr) - sizeof(EthLlc) - sizeof(EthLlcOther); - 
pkthdrTmp.len = len - sizeof(VlanTagHdr) - sizeof(EthLlc) - sizeof(EthLlcOther); - DecodeMPLS(p->pkt + sizeof(VlanTagHdr) + sizeof(EthLlc) + sizeof(EthLlcOther), &pkthdrTmp, p); - return; - } + DecodeMPLS(p->pkt + LEN_VLAN_LLC_OTHER, + len - LEN_VLAN_LLC_OTHER, p); + return; #endif - default: + // TBD add decoder drop event for unknown vlan/eth type pc.other++; return; } @@ -1487,50 +1401,49 @@ } else { + PushLayer(PROTO_VLAN, p, pkt, sizeof(*p->vh)); + switch(ntohs(p->vh->vth_proto)) { case ETHERNET_TYPE_IP: - DecodeIP(pkt + sizeof(VlanTagHdr), + DecodeIP(pkt + sizeof(VlanTagHdr), len - sizeof(VlanTagHdr), p); return; case ETHERNET_TYPE_ARP: case ETHERNET_TYPE_REVARP: - DecodeARP(pkt + sizeof(VlanTagHdr), + DecodeARP(pkt + sizeof(VlanTagHdr), len - sizeof(VlanTagHdr), p); return; case ETHERNET_TYPE_IPV6: - DecodeIPV6(pkt +sizeof(VlanTagHdr), + DecodeIPV6(pkt +sizeof(VlanTagHdr), len - sizeof(VlanTagHdr), p); return; case ETHERNET_TYPE_8021Q: pc.nested_vlan++; - DecodeVlan(pkt + sizeof(VlanTagHdr), + DecodeVlan(pkt + sizeof(VlanTagHdr), len - sizeof(VlanTagHdr), p); return; case ETHERNET_TYPE_LOOP: - DecodeEthLoopback(pkt + sizeof(VlanTagHdr), + DecodeEthLoopback(pkt + sizeof(VlanTagHdr), len - sizeof(VlanTagHdr), p); return; #ifndef NO_NON_ETHER_DECODER case ETHERNET_TYPE_IPX: - DecodeIPX(pkt + sizeof(VlanTagHdr), + DecodeIPX(pkt + sizeof(VlanTagHdr), len - sizeof(VlanTagHdr), p); return; +#endif -#if 0 - /* Add these after DecodePPPoEPkt() has been reimplemented */ case ETHERNET_TYPE_PPPoE_DISC: case ETHERNET_TYPE_PPPoE_SESS: - DecodePPPoEPkt(pkt + sizeof(VlanTagHdr), + DecodePPPoEPkt(pkt + sizeof(VlanTagHdr), len - sizeof(VlanTagHdr), p); return; -#endif -#endif #ifdef MPLS case ETHERNET_TYPE_MPLS_MULTICAST: 
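Review bot: Every dispatch in the LLC/SNAP branch of DecodeVlan still offsets from `p->pkt` (`DecodeIP(p->pkt + LEN_VLAN_LLC_OTHER, len - LEN_VLAN_LLC_OTHER, p)` and the ARP, IPv6, nested VLAN, loopback, IPX, PPPoE and MPLS calls alike), while `p->ehllc`/`p->ehllcother` and the non-LLC branch below are computed from the `pkt` parameter. Every caller visible in this diff enters DecodeVlan with `pkt` already offset from `p->pkt` (e.g. `DecodeVlan(p->pkt + ETHERNET_HEADER_LEN, …)` in DecodeEthOverMPLS above, and the nested `DecodeVlan(pkt + sizeof(VlanTagHdr), …)`), so on this path the inner decoders receive a pointer relative to the start of the frame with a length relative to the VLAN tag and parse the wrong bytes; each call should use `pkt + LEN_VLAN_LLC_OTHER`, as the else-branch already does with `pkt + sizeof(VlanTagHdr)`. Separately, the `case ETHERNET_TYPE_MPLS_MULTICAST:` body runs into `case ETHERNET_TYPE_MPLS_UNICAST:` without a `/* fallthrough */` marker. The function's DSAP/SSAP test and its closing else branch are outside this hunk.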
@@ -1539,399 +1452,423 @@ SnortEventqAdd(GENERATOR_SNORT_DECODE, DECODE_BAD_MPLS, 1, DECODE_CLASS, 3, DECODE_MULTICAST_MPLS_STR, 0); } case ETHERNET_TYPE_MPLS_UNICAST: - { - struct pcap_pkthdr pkthdrTmp; - pkthdrTmp.caplen = len - sizeof(VlanTagHdr); - pkthdrTmp.len = len - sizeof(VlanTagHdr); - DecodeMPLS(pkt + sizeof(VlanTagHdr), &pkthdrTmp, p); - return; - } + DecodeMPLS(pkt + sizeof(VlanTagHdr), + len - sizeof(VlanTagHdr), p); + return; #endif default: + // TBD add decoder drop event for unknown vlan/eth type pc.other++; return; } } + // TBD add decoder drop event for unknown vlan/llc type pc.other++; return; } -#ifdef GIDS -#ifndef IPFW -/* - * Function: DecodeIptablesPkt(Packet *, char *, struct pcap_pkthdr*, uint8_t*) - * - * Purpose: Decoding iptables. - * - * Arguments: p => pointer to decoded packet struct - * user => Utility pointer, unused - * pkthdr => ptr to the packet header - * pkt => pointer to the real live packet data - * - */ -void DecodeIptablesPkt(Packet * p, const struct pcap_pkthdr * pkthdr, const uint8_t * pkt) -{ - uint32_t len; - uint32_t cap_len; - PROFILE_VARS; - - PREPROC_PROFILE_START(decodePerfStats); - - pc.iptables++; - pc.total_processed++; - - memset(p, 0, PKT_ZERO_LEN); - p->pkth = pkthdr; - p->pkt = pkt; - - len = pkthdr->len; - cap_len = pkthdr->caplen; - - DecodeIP(p->pkt, cap_len, p); - - PREPROC_PROFILE_END(decodePerfStats); -} -#else -/* - * Function: DecodeIpfwPkt(Packet *, char *, struct pcap_pkthdr*, uint8_t*) - * - * Purpose: Decoding ipfw divert socket - * - * Arguments: p => pointer to decoded packet struct - * user => Utility pointer, unused - * pkthdr => ptr to the packet header - * pkt => pointer to the real live packet data - * - */ -void DecodeIpfwPkt(Packet * p, const struct pcap_pkthdr * pkthdr, const uint8_t * pkt) -{ - uint32_t len; - uint32_t cap_len; - PROFILE_VARS; - - PREPROC_PROFILE_START(decodePerfStats); - - pc.ipfw++; - pc.total_processed++; - - memset(p, 0, PKT_ZERO_LEN); - p->pkth = pkthdr; - 
p->pkt = pkt; - - len = pkthdr->len; - cap_len = pkthdr->caplen; - - DecodeIP(p->pkt, cap_len, p); - - PREPROC_PROFILE_END(decodePerfStats); -} -#endif -#endif /* GIDS */ - +//-------------------------------------------------------------------- +// decode.c::PPP related +//-------------------------------------------------------------------- /* - * Function: DecodeNullPkt(Packet *, char *, struct pcap_pkthdr*, uint8_t*) + * Function: DecodePPPoEPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) * - * Purpose: Decoding on loopback devices. + * Purpose: Decode those fun loving ethernet packets, one at a time! * - * Arguments: p => pointer to decoded packet struct - * user => Utility pointer, unused + * Arguments: p => pointer to the decoded packet struct + * user => Utility pointer (unused) * pkthdr => ptr to the packet header * pkt => pointer to the real live packet data * * Returns: void function + * + * see http://www.faqs.org/rfcs/rfc2516.html + * */ -void DecodeNullPkt(Packet * p, const struct pcap_pkthdr * pkthdr, const uint8_t * pkt) +void DecodePPPoEPkt(const uint8_t* pkt, const uint32_t len, Packet* p) { - uint32_t len; - uint32_t cap_len; - PROFILE_VARS; - - PREPROC_PROFILE_START(decodePerfStats); - - pc.total_processed++; - - memset(p, 0, PKT_ZERO_LEN); - - p->pkth = pkthdr; - p->pkt = pkt; - - len = pkthdr->len; - cap_len = pkthdr->caplen; + const PPPoEHdr* pppoep = NULL; + //PPPoE_Tag *ppppoe_tag=0; + //PPPoE_Tag tag; /* needed to avoid alignment problems */ - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"); ); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "PPPoE with len: %lu\n", + (unsigned long)len);); /* do a little validation */ - if(cap_len < NULL_HDRLEN) + if(len < PPPOE_HEADER_LEN) { - if (ScLogVerbose()) - { - ErrorMessage("NULL header length < captured len! (%d bytes)\n", - cap_len); - } + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "Captured data length < PPPoE header length! 
" + "(%d bytes)\n", len);); + + DecoderEvent(p, DECODE_BAD_PPPOE, DECODE_BAD_PPPOE_STR, 1, 1); - PREPROC_PROFILE_END(decodePerfStats); return; } - DecodeIP(p->pkt + NULL_HDRLEN, cap_len - NULL_HDRLEN, p); - PREPROC_PROFILE_END(decodePerfStats); -} - -#ifndef NO_NON_ETHER_DECODER -/* - * Function: DecodeTRPkt(Packet *, char *, struct pcap_pkthdr*, uint8_t*) - * - * Purpose: Decode Token Ring packets! - * - * Arguments: p=> pointer to decoded packet struct - * user => Utility pointer, unused - * pkthdr => ptr to the packet header - * pkt => pointer to the real live packet data - * - * Returns: void function - */ -void DecodeTRPkt(Packet * p, const struct pcap_pkthdr * pkthdr, const uint8_t * pkt) -{ - uint32_t pkt_len; /* suprisingly, the length of the packet */ - uint32_t cap_len; /* caplen value */ - uint32_t dataoff; /* data offset is variable here */ - PROFILE_VARS; - - PREPROC_PROFILE_START(decodePerfStats); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "%X %X\n", + *p->eh->ether_src, *p->eh->ether_dst);); - pc.total_processed++; + /* lay the PPP over ethernet structure over the packet data */ + pppoep = p->pppoeh = (PPPoEHdr *)pkt; - memset(p, 0, PKT_ZERO_LEN); + /* grab out the network type */ + switch(ntohs(p->eh->ether_type)) + { + case ETHERNET_TYPE_PPPoE_DISC: + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "(PPPOE Discovery) ");); + break; - p->pkth = pkthdr; - p->pkt = pkt; + case ETHERNET_TYPE_PPPoE_SESS: + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "(PPPOE Session) ");); + break; + default: + return; + } - /* set the lengths we need */ - pkt_len = pkthdr->len; /* total packet length */ - cap_len = pkthdr->caplen; /* captured packet length */ +#ifdef DEBUG_MSGS + switch(pppoep->code) + { + case PPPoE_CODE_PADI: + /* The Host sends the PADI packet with the DESTINATION_ADDR set + * to the broadcast address. The CODE field is set to 0x09 and + * the SESSION_ID MUST be set to 0x0000. 
+ * + * The PADI packet MUST contain exactly one TAG of TAG_TYPE + * Service-Name, indicating the service the Host is requesting, + * and any number of other TAG types. An entire PADI packet + * (including the PPPoE header) MUST NOT exceed 1484 octets so + * as to leave sufficient room for a relay agent to add a + * Relay-Session-Id TAG. + */ + DebugMessage(DEBUG_DECODE, "Active Discovery Initiation (PADI)\n"); + break; - if (pcap_snaplen < pkt_len) - pkt_len = cap_len; + case PPPoE_CODE_PADO: + /* When the Access Concentrator receives a PADI that it can + * serve, it replies by sending a PADO packet. The + * DESTINATION_ADDR is the unicast address of the Host that + * sent the PADI. The CODE field is set to 0x07 and the + * SESSION_ID MUST be set to 0x0000. + * + * The PADO packet MUST contain one AC-Name TAG containing the + * Access Concentrator's name, a Service-Name TAG identical to + * the one in the PADI, and any number of other Service-Name + * TAGs indicating other services that the Access Concentrator + * offers. If the Access Concentrator can not serve the PADI + * it MUST NOT respond with a PADO. + */ + DebugMessage(DEBUG_DECODE, "Active Discovery Offer (PADO)\n"); + break; - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"); - DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", - (unsigned long)cap_len,(unsigned long) pkt_len); - ); + case PPPoE_CODE_PADR: + /* Since the PADI was broadcast, the Host may receive more than + * one PADO. The Host looks through the PADO packets it receives + * and chooses one. The choice can be based on the AC-Name or + * the Services offered. The Host then sends one PADR packet + * to the Access Concentrator that it has chosen. The + * DESTINATION_ADDR field is set to the unicast Ethernet address + * of the Access Concentrator that sent the PADO. The CODE + * field is set to 0x19 and the SESSION_ID MUST be set to 0x0000. 
+ * + * The PADR packet MUST contain exactly one TAG of TAG_TYPE + * Service-Name, indicating the service the Host is requesting, + * and any number of other TAG types. + */ + DebugMessage(DEBUG_DECODE, "Active Discovery Request (PADR)\n"); + break; - if(cap_len < sizeof(Trh_hdr)) - { - if (ScLogVerbose()) - ErrorMessage("Captured data length < Token Ring header length! " - "(%d < %d bytes)\n", p->pkth->caplen, TR_HLEN); + case PPPoE_CODE_PADS: + /* When the Access Concentrator receives a PADR packet, it + * prepares to begin a PPP session. It generates a unique + * SESSION_ID for the PPPoE session and replies to the Host with + * a PADS packet. The DESTINATION_ADDR field is the unicast + * Ethernet address of the Host that sent the PADR. The CODE + * field is set to 0x65 and the SESSION_ID MUST be set to the + * unique value generated for this PPPoE session. + * + * The PADS packet contains exactly one TAG of TAG_TYPE + * Service-Name, indicating the service under which Access + * Concentrator has accepted the PPPoE session, and any number + * of other TAG types. + * + * If the Access Concentrator does not like the Service-Name in + * the PADR, then it MUST reply with a PADS containing a TAG of + * TAG_TYPE Service-Name-Error (and any number of other TAG + * types). In this case the SESSION_ID MUST be set to 0x0000. + */ + DebugMessage(DEBUG_DECODE, "Active Discovery " + "Session-confirmation (PADS)\n"); + break; - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_BAD_TRH, 1, - DECODE_CLASS, 3, DECODE_BAD_TRH_STR, 0); + case PPPoE_CODE_PADT: + /* This packet may be sent anytime after a session is established + * to indicate that a PPPoE session has been terminated. It may + * be sent by either the Host or the Access Concentrator. The + * DESTINATION_ADDR field is a unicast Ethernet address, the + * CODE field is set to 0xa7 and the SESSION_ID MUST be set to + * indicate which session is to be terminated. No TAGs are + * required. 
+ * + * When a PADT is received, no further PPP traffic is allowed to + * be sent using that session. Even normal PPP termination + * packets MUST NOT be sent after sending or receiving a PADT. + * A PPP peer SHOULD use the PPP protocol itself to bring down a + * PPPoE session, but the PADT MAY be used when PPP can not be + * used. + */ + DebugMessage(DEBUG_DECODE, "Active Discovery Terminate (PADT)\n"); + break; - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } + case PPPoE_CODE_SESS: + DebugMessage(DEBUG_DECODE, "Session Packet (SESS)\n"); + break; - } + default: + DebugMessage(DEBUG_DECODE, "(Unknown)\n"); + break; + } +#endif - PREPROC_PROFILE_END(decodePerfStats); + if (ntohs(p->eh->ether_type) != ETHERNET_TYPE_PPPoE_DISC) + { + PushLayer(PROTO_PPPOE, p, pkt, PPPOE_HEADER_LEN); + DecodePppPktEncapsulated(pkt + PPPOE_HEADER_LEN, len - PPPOE_HEADER_LEN, p); + return; + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Returning early on PPPOE discovery packet\n");); return; } - /* lay the tokenring header structure over the packet data */ - p->trh = (Trh_hdr *) pkt; - - /* - * according to rfc 1042: - * - * The presence of a Routing Information Field is indicated by the Most - * Significant Bit (MSB) of the source address, called the Routing - * Information Indicator (RII). If the RII equals zero, a RIF is - * not present. If the RII equals 1, the RIF is present. - * .. - * However the MSB is already zeroed by this moment, so there's no - * real way to figure out whether RIF is presented in packet, so we are - * doing some tricks to find IPARP signature.. 
- */ +#if 0 + ppppoe_tag = (PPPoE_Tag *)(pkt + sizeof(PPPoEHdr)); - /* - * first I assume that we have single-ring network with no RIF - * information presented in frame - */ - if(cap_len < (sizeof(Trh_hdr) + sizeof(Trh_llc))) + while (ppppoe_tag < (PPPoE_Tag *)(pkt + len)) { - if (ScLogVerbose()) + if (((char*)(ppppoe_tag)+(sizeof(PPPoE_Tag)-1)) > (char*)(pkt + len)) { - ErrorMessage("Captured data length < Token Ring header length! " - "(%d < %d bytes)\n", cap_len, - (sizeof(Trh_hdr) + sizeof(Trh_llc))); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Not enough data in packet for PPPOE Tag\n");); + break; } - - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_BAD_TR_ETHLLC, 1, - DECODE_CLASS, 3, DECODE_BAD_TR_ETHLLC_STR, 0); - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } + /* no guarantee in PPPoE spec that ppppoe_tag is aligned at all... */ + memcpy(&tag, ppppoe_tag, sizeof(tag)); - } - PREPROC_PROFILE_END(decodePerfStats); - return; - } + DEBUG_WRAP( + DebugMessage(DEBUG_DECODE, "\tPPPoE tag:\ntype: %04x length: %04x ", + ntohs(tag.type), ntohs(tag.length));); - - p->trhllc = (Trh_llc *) (pkt + sizeof(Trh_hdr)); - - if(p->trhllc->dsap != IPARP_SAP && p->trhllc->ssap != IPARP_SAP) - { - /* - * DSAP != SSAP != 0xAA .. either we are having frame which doesn't - * carry IP datagrams or has RIF information present. We assume - * lattest ... 
- */ +#ifdef DEBUG_MSGS + switch(ntohs(tag.type)) + { + case PPPoE_TAG_END_OF_LIST: + DebugMessage(DEBUG_DECODE, "(End of list)\n\t"); + break; + case PPPoE_TAG_SERVICE_NAME: + DebugMessage(DEBUG_DECODE, "(Service name)\n\t"); + break; + case PPPoE_TAG_AC_NAME: + DebugMessage(DEBUG_DECODE, "(AC Name)\n\t"); + break; + case PPPoE_TAG_HOST_UNIQ: + DebugMessage(DEBUG_DECODE, "(Host Uniq)\n\t"); + break; + case PPPoE_TAG_AC_COOKIE: + DebugMessage(DEBUG_DECODE, "(AC Cookie)\n\t"); + break; + case PPPoE_TAG_VENDOR_SPECIFIC: + DebugMessage(DEBUG_DECODE, "(Vendor Specific)\n\t"); + break; + case PPPoE_TAG_RELAY_SESSION_ID: + DebugMessage(DEBUG_DECODE, "(Relay Session ID)\n\t"); + break; + case PPPoE_TAG_SERVICE_NAME_ERROR: + DebugMessage(DEBUG_DECODE, "(Service Name Error)\n\t"); + break; + case PPPoE_TAG_AC_SYSTEM_ERROR: + DebugMessage(DEBUG_DECODE, "(AC System Error)\n\t"); + break; + case PPPoE_TAG_GENERIC_ERROR: + DebugMessage(DEBUG_DECODE, "(Generic Error)\n\t"); + break; + default: + DebugMessage(DEBUG_DECODE, "(Unknown)\n\t"); + break; + } +#endif - if(cap_len < (sizeof(Trh_hdr) + sizeof(Trh_llc) + sizeof(Trh_mr))) +#ifdef DEBUG_MSGS + if (ntohs(tag.length) > 0) { - if (ScLogVerbose()) - ErrorMessage("Captured data length < Token Ring header length! 
" - "(%d < %d bytes)\n", cap_len, - (sizeof(Trh_hdr) + sizeof(Trh_llc) + sizeof(Trh_mr))); - - if(ScIdsMode()) + char *buf; + int i; + + switch (ntohs(tag.type)) { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_BAD_TRHMR, 1, - DECODE_CLASS, 3, DECODE_BAD_TRHMR_STR, 0); + case PPPoE_TAG_SERVICE_NAME: + case PPPoE_TAG_AC_NAME: + case PPPoE_TAG_SERVICE_NAME_ERROR: + case PPPoE_TAG_AC_SYSTEM_ERROR: + case PPPoE_TAG_GENERIC_ERROR: * ascii data * + buf = (char *)SnortAlloc(ntohs(tag.length) + 1); + strlcpy(buf, (char *)(ppppoe_tag+1), ntohs(tag.length)); + DebugMessage(DEBUG_DECODE, "data (UTF-8): %s\n", buf); + free(buf); + break; - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } + case PPPoE_TAG_HOST_UNIQ: + case PPPoE_TAG_AC_COOKIE: + case PPPoE_TAG_RELAY_SESSION_ID: + DebugMessage(DEBUG_DECODE, "data (bin): "); + for (i = 0; i < ntohs(tag.length); i++) + DebugMessage(DEBUG_DECODE, + "%02x", *(((unsigned char *)ppppoe_tag) + + sizeof(PPPoE_Tag) + i)); + DebugMessage(DEBUG_DECODE, "\n"); + break; + default: + DebugMessage(DEBUG_DECODE, "unrecognized data\n"); + break; } - - PREPROC_PROFILE_END(decodePerfStats); - return; } - - p->trhmr = (Trh_mr *) (pkt + sizeof(Trh_hdr)); +#endif - - if(cap_len < (sizeof(Trh_hdr) + sizeof(Trh_llc) + - sizeof(Trh_mr) + TRH_MR_LEN(p->trhmr))) - { - if (ScLogVerbose()) - ErrorMessage("Captured data length < Token Ring header length! " - "(%d < %d bytes)\n", cap_len, - (sizeof(Trh_hdr) + sizeof(Trh_llc) + sizeof(Trh_mr))); + ppppoe_tag = (PPPoE_Tag *)((char *)(ppppoe_tag+1)+ntohs(tag.length)); + } - - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_BAD_TR_MR_LEN, 1, - DECODE_CLASS, 3, DECODE_BAD_TR_MR_LEN_STR, 0); +#endif /* #if 0 */ - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - - } - - PREPROC_PROFILE_END(decodePerfStats); - return; + return; +} + +/* + * Function: DecodePppPktEncapsulated(Packet *, const uint32_t len, uint8_t*) + * + * Purpose: Decode PPP traffic (RFC1661 framing). 
+ * + * Arguments: p => pointer to decoded packet struct + * len => length of data to process + * pkt => pointer to the real live packet data + * + * Returns: void function + */ +void DecodePppPktEncapsulated(const uint8_t* pkt, const uint32_t len, Packet* p) +{ + static int had_vj = 0; + uint16_t protocol; + uint32_t hlen = 1; /* HEADER - try 1 then 2 */ + + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "PPP Packet!\n");); + +#ifdef WORDS_MUSTALIGN + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet with PPP header. " + "PPP is only 1 or 2 bytes and will throw off " + "alignment on this architecture when decoding IP, " + "causing a bus error - stop decoding packet.\n");); + + p->data = pkt; + p->dsize = (uint16_t)len; + return; +#endif /* WORDS_MUSTALIGN */ + +#ifdef GRE + if (p->greh != NULL) + pc.gre_ppp++; +#endif /* GRE */ + + /* do a little validation: + * + */ + if(len < 2) + { + if (ScLogVerbose()) + { + ErrorMessage("Length not big enough for even a single " + "header or a one byte payload\n"); } - - p->trhllc = (Trh_llc *) (pkt + sizeof(Trh_hdr) + TRH_MR_LEN(p->trhmr)); - dataoff = sizeof(Trh_hdr) + TRH_MR_LEN(p->trhmr) + sizeof(Trh_llc); + return; + } + + if(pkt[0] & 0x01) + { + /* Check for protocol compression rfc1661 section 5 + * + */ + hlen = 1; + protocol = pkt[0]; } else { - p->trhllc = (Trh_llc *) (pkt + sizeof(Trh_hdr)); - dataoff = sizeof(Trh_hdr) + sizeof(Trh_llc); + protocol = ntohs(*((uint16_t *)pkt)); + hlen = 2; } /* - * ideally we would need to check both SSAP, DSAP, and protoid fields: IP - * datagrams and ARP requests and replies are transmitted in standard - * 802.2 LLC Type 1 Unnumbered Information format, control code 3, with - * the DSAP and the SSAP fields of the 802.2 header set to 170, the - * assigned global SAP value for SNAP [6]. The 24-bit Organization Code - * in the SNAP is zero, and the remaining 16 bits are the EtherType from - * Assigned Numbers [7] (IP = 2048, ARP = 2054). .. 
but we would check - * SSAP and DSAP and assume this would be enough to trust. + * We only handle uncompressed packets. Handling VJ compression would mean + * to implement a PPP state machine. */ - if(p->trhllc->dsap != IPARP_SAP && p->trhllc->ssap != IPARP_SAP) - { - DEBUG_WRAP( - DebugMessage(DEBUG_DECODE, "DSAP and SSAP arent set to SNAP\n"); - ); - p->trhllc = NULL; - PREPROC_PROFILE_END(decodePerfStats); - return; - } - - switch(htons(p->trhllc->ethertype)) + switch (protocol) { - case ETHERNET_TYPE_IP: - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Decoding IP\n");); - DecodeIP(p->pkt + dataoff, cap_len - dataoff, p); - PREPROC_PROFILE_END(decodePerfStats); - return; - - case ETHERNET_TYPE_ARP: - case ETHERNET_TYPE_REVARP: - DEBUG_WRAP( - DebugMessage(DEBUG_DECODE, "Decoding ARP\n"); - ); - pc.arp++; + case PPP_VJ_COMP: + if (!had_vj) + ErrorMessage("PPP link seems to use VJ compression, " + "cannot handle compressed packets!\n"); + had_vj = 1; + break; + case PPP_VJ_UCOMP: + /* VJ compression modifies the protocol field. It must be set + * to tcp (only TCP packets can be VJ compressed) */ + if(len < (hlen + IP_HEADER_LEN)) + { + if (ScLogVerbose()) + ErrorMessage("PPP VJ min packet length > captured len! 
" + "(%d bytes)\n", len); + return; + } - PREPROC_PROFILE_END(decodePerfStats); - return; + ((IPHdr *)(pkt + hlen))->ip_proto = IPPROTO_TCP; + /* fall through */ - case ETHERNET_TYPE_8021Q: - DecodeVlan(p->pkt + dataoff, cap_len - dataoff, p); - PREPROC_PROFILE_END(decodePerfStats); - return; + case PPP_IP: + PushLayer(PROTO_PPP_ENCAP, p, pkt, hlen); + DecodeIP(pkt + hlen, len - hlen, p); + break; - default: - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Unknown network protocol: %d\n", - htons(p->trhllc->ethertype))); - pc.other++; - PREPROC_PROFILE_END(decodePerfStats); - return; +#ifndef NO_NON_ETHER_DECODER + case PPP_IPX: + PushLayer(PROTO_PPP_ENCAP, p, pkt, hlen); + DecodeIPX(pkt + hlen, len - hlen, p); + break; +#endif } - - PREPROC_PROFILE_END(decodePerfStats); - return; } +//-------------------------------------------------------------------- +// decode.c::Raw packets +//-------------------------------------------------------------------- /* - * Function: DecodeFDDIPkt(Packet *, char *, struct pcap_pkthdr*, uint8_t*) + * Function: DecodeRawPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) * - * Purpose: Mainly taken from CyberPsycotic's Token Ring Code -worm5er + * Purpose: Decodes packets coming in raw on layer 2, like PPP. Coded and + * in by Jed Pickle (thanks Jed!) and modified for a few little tweaks + * by me. * * Arguments: p => pointer to decoded packet struct - * user => Utility pointer, unused * pkthdr => ptr to the packet header * pkt => pointer to the real live packet data * * Returns: void function */ -void DecodeFDDIPkt(Packet * p, const struct pcap_pkthdr * pkthdr, const uint8_t * pkt) +void DecodeRawPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) { - uint32_t pkt_len; /* length of the packet */ - uint32_t cap_len; /* capture length variable */ - uint32_t dataoff = sizeof(Fddi_hdr) + sizeof(Fddi_llc_saps); PROFILE_VARS; PREPROC_PROFILE_START(decodePerfStats); 
@@ -1943,2547 +1880,2572 @@ p->pkth = pkthdr; p->pkt = pkt; - pkt_len = pkthdr->len; - cap_len = pkthdr->caplen; - - if (pcap_snaplen < pkt_len) - { - pkt_len = cap_len; - } + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Raw IP4 Packet!\n");); - DEBUG_WRAP(DebugMessage(DEBUG_DECODE,"Packet!\n"); - DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", - (unsigned long) cap_len,(unsigned long) pkt_len); - ); + DecodeIP(pkt, p->pkth->caplen, p); - /* Bounds checking (might not be right yet -worm5er) */ - if(p->pkth->caplen < dataoff) - { - if (ScLogVerbose()) - { - ErrorMessage("Captured data length < FDDI header length! " - "(%d %d bytes)\n", p->pkth->caplen, dataoff); - PREPROC_PROFILE_END(decodePerfStats); - return; - } - } - /* let's put this in as the fddi header structure */ - p->fddihdr = (Fddi_hdr *) pkt; + PREPROC_PROFILE_END(decodePerfStats); + return; +} - p->fddisaps = (Fddi_llc_saps *) (pkt + sizeof(Fddi_hdr)); +// raw packets are predetermined to be ip4 (above) or ip6 (below) by the DLT - /* First we'll check and see if it's an IP/ARP Packet... */ - /* Then we check to see if it's a SNA packet */ - /* - * Lastly we'll declare it none of the above and just slap something - * generic on it to discard it with (I know that sucks, but heck we're - * only looking for IP/ARP type packets currently... 
-worm5er - */ - if((p->fddisaps->dsap == FDDI_DSAP_IP) && (p->fddisaps->ssap == FDDI_SSAP_IP)) +void DecodeRawPkt6(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) +{ + PROFILE_VARS; + PREPROC_PROFILE_START(decodePerfStats); + + pc.total_processed++; + memset(p, 0, PKT_ZERO_LEN); + + p->pkth = pkthdr; + p->pkt = pkt; + + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Raw IP6 Packet!\n");); + + DecodeIPV6(pkt, p->pkth->caplen, p); + + PREPROC_PROFILE_END(decodePerfStats); + return; +} + +//-------------------------------------------------------------------- +// decode.c::IP4 misc +//-------------------------------------------------------------------- + +/* + * Some IP Header tests + * Land Attack(same src/dst ip) + * Loopback (src or dst in 127/8 block) + * Modified: 2/22/05-man for High Endian Architecture. + */ +#define IP4_THIS_NET 0x00 // msb +#define IP4_MULTICAST 0x0E // ms nibble +#define IP4_RESERVED 0x0F // ms nibble +#define IP4_LOOPBACK 0x7F // msb +#define IP4_BROADCAST 0xffffffff + +void IP4AddrTests (Packet* p) +{ + uint8_t msb_src, msb_dst; + + // check all 32 bits ... + if( p->iph->ip_src.s_addr == p->iph->ip_dst.s_addr ) { - dataoff += sizeof(Fddi_llc_iparp); - - if(p->pkth->caplen < dataoff) - { - if (ScLogVerbose()) - { - ErrorMessage("Captured data length < FDDI header length! " - "(%d %d bytes)\n", p->pkth->caplen, dataoff); - PREPROC_PROFILE_END(decodePerfStats); - return; - } - } - - p->fddiiparp = (Fddi_llc_iparp *) (pkt + sizeof(Fddi_hdr) + sizeof(Fddi_llc_saps)); + DecoderEvent(p, DECODE_BAD_TRAFFIC_SAME_SRCDST, + DECODE_BAD_TRAFFIC_SAME_SRCDST_STR, 1, 1); + } - else if((p->fddisaps->dsap == FDDI_DSAP_SNA) && - (p->fddisaps->ssap == FDDI_SSAP_SNA)) + + // check all 32 bits ... 
+ if ( Event_Enabled(DECODE_IP4_SRC_BROADCAST ) ) + if ( p->iph->ip_src.s_addr == IP4_BROADCAST ) + DecoderEvent(p, EVARGS(IP4_SRC_BROADCAST), 1, 1); + + if ( Event_Enabled(DECODE_IP4_DST_BROADCAST ) ) + if ( p->iph->ip_dst.s_addr == IP4_BROADCAST ) + DecoderEvent(p, EVARGS(IP4_DST_BROADCAST), 1, 1); + + /* Loopback traffic - don't use htonl for speed reasons - + * s_addr is always in network order */ +#ifdef WORDS_BIGENDIAN + msb_src = (p->iph->ip_src.s_addr >> 24); + msb_dst = (p->iph->ip_dst.s_addr >> 24); +#else + msb_src = (uint8_t)(p->iph->ip_src.s_addr & 0xff); + msb_dst = (uint8_t)(p->iph->ip_dst.s_addr & 0xff); +#endif + // check the msb ... + if ( msb_src == IP4_LOOPBACK || msb_dst == IP4_LOOPBACK ) { - dataoff += sizeof(Fddi_llc_sna); + DecoderEvent(p, DECODE_BAD_TRAFFIC_LOOPBACK, + DECODE_BAD_TRAFFIC_LOOPBACK_STR, 1, 1); + } + // check the msb ... + if ( Event_Enabled(DECODE_IP4_SRC_THIS_NET ) ) + if ( msb_src == IP4_THIS_NET ) + DecoderEvent(p, EVARGS(IP4_SRC_THIS_NET), 1, 1); + + if ( Event_Enabled(DECODE_IP4_DST_THIS_NET ) ) + if ( msb_dst == IP4_THIS_NET ) + DecoderEvent(p, EVARGS(IP4_DST_THIS_NET), 1, 1); + + // check the 'msn' (most significant nibble) ... + msb_src >>= 4; + msb_dst >>= 4; + + if ( Event_Enabled(DECODE_IP4_SRC_MULTICAST) ) + if ( msb_src == IP4_MULTICAST ) + DecoderEvent(p, EVARGS(IP4_SRC_MULTICAST), 1, 1); + + if ( Event_Enabled(DECODE_IP4_SRC_RESERVED) ) + if ( msb_src == IP4_RESERVED ) + DecoderEvent(p, EVARGS(IP4_SRC_RESERVED), 1, 1); + + if ( Event_Enabled(DECODE_IP4_DST_RESERVED) ) + if ( msb_dst == IP4_RESERVED ) + DecoderEvent(p, EVARGS(IP4_DST_RESERVED), 1, 1); +} + +static inline void ICMP4AddrTests (Packet* p) +{ + uint8_t msb_dst; - if(p->pkth->caplen < dataoff) +#ifdef SUP_IP6 + uint32_t dst = GET_DST_IP(p)->ip32[0]; +#else + uint32_t dst = GET_DST_IP(p); +#endif + + // check all 32 bits; all set so byte order is irrelevant ... 
+ if ( Event_Enabled(DECODE_ICMP4_DST_BROADCAST ) ) + if ( dst == IP4_BROADCAST ) + DecoderEvent(p, EVARGS(ICMP4_DST_BROADCAST), 1, 1); + + /* - don't use htonl for speed reasons - + * s_addr is always in network order */ +#ifdef WORDS_BIGENDIAN + msb_dst = (uint8_t)(dst >> 24); +#else + msb_dst = (uint8_t)(dst & 0xff); +#endif + + // check the 'msn' (most significant nibble) ... + msb_dst >>= 4; + + if ( Event_Enabled(DECODE_ICMP4_DST_MULTICAST) ) + if ( msb_dst == IP4_MULTICAST ) + DecoderEvent(p, EVARGS(ICMP4_DST_MULTICAST), 1, 1); +} + +static inline void ICMP4MiscTests (Packet *p) +{ + if ( Event_Enabled(DECODE_ICMP_PING_NMAP) ) + { + if ((p->dsize == 0) && + (p->icmph->type == ICMP_ECHO)) + DecoderEvent(p, EVARGS(ICMP_PING_NMAP), 1, 1); + } + + if ( Event_Enabled(DECODE_ICMP_ICMPENUM) ) + { + if ((p->dsize == 0) && + (p->icmph->s_icmp_seq == 666)) + DecoderEvent(p, EVARGS(ICMP_ICMPENUM), 1, 1); + } + + if ( Event_Enabled(DECODE_ICMP_REDIRECT_HOST) ) + { + if ((p->icmph->code == 1) && + (p->icmph->type == ICMP_REDIRECT)) + DecoderEvent(p, EVARGS(ICMP_REDIRECT_HOST), 1, 1); + } + + if ( Event_Enabled(DECODE_ICMP_REDIRECT_NET) ) + { + if ((p->icmph->type == ICMP_REDIRECT) && + (p->icmph->code == 0)) + DecoderEvent(p, EVARGS(ICMP_REDIRECT_NET), 1, 1); + } + + if ( Event_Enabled(DECODE_ICMP_TRACEROUTE_IPOPTS) ) + { + if (p->icmph->type == ICMP_ECHOREPLY) { - if (ScLogVerbose()) + int i; + for (i = 0; i < p->ip_option_count; i++) { - ErrorMessage("Captured data length < FDDI header length! 
" - "(%d %d bytes)\n", p->pkth->caplen, dataoff); - PREPROC_PROFILE_END(decodePerfStats); - return; + if (p->ip_options[i].code == IPOPT_RR) + DecoderEvent(p, EVARGS(ICMP_TRACEROUTE_IPOPTS), 1, 1); } } - - p->fddisna = (Fddi_llc_sna *) (pkt + sizeof(Fddi_hdr) + - sizeof(Fddi_llc_saps)); } - else + + if ( Event_Enabled(DECODE_ICMP_SOURCE_QUENCH) ) { - dataoff += sizeof(Fddi_llc_other); - p->fddiother = (Fddi_llc_other *) (pkt + sizeof(Fddi_hdr) + - sizeof(Fddi_llc_other)); + if ((p->icmph->type == ICMP_SOURCE_QUENCH) && + (p->icmph->code == 0)) + DecoderEvent(p, DECODE_ICMP_SOURCE_QUENCH, + DECODE_ICMP_SOURCE_QUENCH_STR, 1, 1); + } + + if ( Event_Enabled(DECODE_ICMP_BROADSCAN_SMURF_SCANNER) ) + { + if ((p->dsize == 4) && + (p->icmph->type == ICMP_ECHO) && + (p->icmph->s_icmp_seq == 0) && + (p->icmph->code == 0)) + DecoderEvent(p, EVARGS(ICMP_BROADSCAN_SMURF_SCANNER), 1, 1); + } + + if ( Event_Enabled(DECODE_ICMP_DST_UNREACH_ADMIN_PROHIBITED) ) + { + if ((p->icmph->type == ICMP_DEST_UNREACH) && + (p->icmph->code == 13)) + DecoderEvent(p, EVARGS(ICMP_DST_UNREACH_ADMIN_PROHIBITED), 1, 1); + } + + if ( Event_Enabled(DECODE_ICMP_DST_UNREACH_DST_HOST_PROHIBITED) ) + { + if ((p->icmph->type == ICMP_DEST_UNREACH) && + (p->icmph->code == 10)) + DecoderEvent(p, EVARGS(ICMP_DST_UNREACH_DST_HOST_PROHIBITED), 1, 1); + } + + if ( Event_Enabled(DECODE_ICMP_DST_UNREACH_DST_NET_PROHIBITED) ) + { + if ((p->icmph->type == ICMP_DEST_UNREACH) && + (p->icmph->code == 9)) + DecoderEvent(p, EVARGS(ICMP_DST_UNREACH_DST_NET_PROHIBITED), 1, 1); + } + +} + +/* IPv4-layer decoder rules */ +static inline void IPMiscTests(Packet *p) +{ + if ( Event_Enabled(DECODE_ICMP_DOS_ATTEMPT) ) + { + /* Yes, it's an ICMP-related vuln in IP options. */ + uint8_t i, length, pointer; - if(p->pkth->caplen < dataoff) + /* Alert on IP packets with either 0x07 (Record Route) or 0x44 (Timestamp) + options that are specially crafted. 
*/ + for (i = 0; i < p->ip_option_count; i++) { - if (ScLogVerbose()) + if (p->ip_options[i].data == NULL) + continue; + + if (p->ip_options[i].code == IPOPT_RR) { - ErrorMessage("Captured data length < FDDI header length! " - "(%d %d bytes)\n", p->pkth->caplen, dataoff); - PREPROC_PROFILE_END(decodePerfStats); - return; + length = p->ip_options[i].len; + if (length < 1) + continue; + + pointer = p->ip_options[i].data[0]; + + /* If the pointer goes past the end of the data, then the data + is full. That's okay. */ + if (pointer >= length + 2) + continue; + /* If the remaining space in the option isn't a multiple of 4 + bytes, alert. */ + if (((length + 3) - pointer) % 4) + DecoderEvent(p, EVARGS(ICMP_DOS_ATTEMPT), 1, 1); + } + else if (p->ip_options[i].code == IPOPT_TS) + { + length = p->ip_options[i].len; + if (length < 2) + continue; + + pointer = p->ip_options[i].data[0]; + + /* If the pointer goes past the end of the data, then the data + is full. That's okay. */ + if (pointer >= length + 2) + continue; + /* If the remaining space in the option isn't a multiple of 4 + bytes, alert. */ + if (((length + 3) - pointer) % 4) + DecoderEvent(p, EVARGS(ICMP_DOS_ATTEMPT), 1, 1); + /* If there is a timestamp + address, we need a multiple of 8 + bytes instead. */ + if ((p->ip_options[i].data[1] & 0x01) && /* address flag */ + (((length + 3) - pointer) % 8)) + DecoderEvent(p, EVARGS(ICMP_DOS_ATTEMPT), 1, 1); } } } + if ( Event_Enabled(DECODE_IP_OPTION_SET) ) + { + if (p->ip_option_count > 0) + DecoderEvent(p, EVARGS(IP_OPTION_SET), 1, 1); + } - /* - * Now let's see if we actually care about the packet... If we don't, - * throw it out!!! 
- */ - if((p->fddisaps->dsap != FDDI_DSAP_IP) && - (p->fddisaps->ssap != FDDI_SSAP_IP)) + if ( Event_Enabled(DECODE_IP_RESERVED_FRAG_BIT) ) { - DEBUG_WRAP( - DebugMessage(DEBUG_DECODE, - "This FDDI Packet isn't an IP/ARP packet...\n"); - ); - PREPROC_PROFILE_END(decodePerfStats); - return; + if (p->rf) + DecoderEvent(p, EVARGS(IP_RESERVED_FRAG_BIT), 1, 1); } +} - pkt_len -= dataoff; - cap_len -= dataoff; +//-------------------------------------------------------------------- +// decode.c::IP4 vulnerabilities +//-------------------------------------------------------------------- - switch(htons(p->fddiiparp->ethertype)) - { - case ETHERNET_TYPE_IP: - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Decoding IP\n");); - DecodeIP(p->pkt + dataoff, cap_len, p); - PREPROC_PROFILE_END(decodePerfStats); - return; +/* This PGM NAK function started off as an SO rule, sid 8351. */ +static inline int pgm_nak_detect (uint8_t *data, uint16_t length) { + uint16_t data_left; + uint16_t checksum; + PGM_HEADER *header; - case ETHERNET_TYPE_ARP: - case ETHERNET_TYPE_REVARP: - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Decoding ARP\n");); - pc.arp++; + if (NULL == data) { + return PGM_NAK_ERR; + } - PREPROC_PROFILE_END(decodePerfStats); - return; + /* request must be bigger than 44 bytes to cause vuln */ + if (length <= sizeof(PGM_HEADER)) { + return PGM_NAK_ERR; + } - case ETHERNET_TYPE_8021Q: - DecodeVlan(p->pkt + dataoff, cap_len, p); - PREPROC_PROFILE_END(decodePerfStats); - return; + header = (PGM_HEADER *) data; + if (8 != header->type) { + return PGM_NAK_ERR; + } - default: - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Unknown network protocol: %d\n", - htons(p->fddiiparp->ethertype)); - ); - pc.other++; + if (2 != header->nak.opt.type) { + return PGM_NAK_ERR; + } - PREPROC_PROFILE_END(decodePerfStats); - return; + + /* + * alert if the amount of data after the options is more than the length + * specified. 
+ */ + + + data_left = length - 36; + if (data_left > header->nak.opt.len) { + + /* checksum is expensive... do that only if the length is bad */ + if (header->checksum != 0) { + checksum = in_chksum_ip((unsigned short*)data, (int)length); + if (checksum != 0) + return PGM_NAK_ERR; + } + + return PGM_NAK_VULN; } - PREPROC_PROFILE_END(decodePerfStats); - return; + return PGM_NAK_OK; +} + +static inline void CheckPGMVuln(Packet *p) +{ + if ( pgm_nak_detect((uint8_t *)p->data, p->dsize) == PGM_NAK_VULN ) + DecoderEvent(p, EVARGS(PGM_NAK_OVERFLOW), 1, 1); +} + +/* This function is a port of an old .so rule, sid 3:8092. */ +static inline void CheckIGMPVuln(Packet *p) +{ + int i, alert = 0; + + if (p->dsize >= 1 && p->data[0] == 0x11) + { + if (p->ip_options_data != NULL) { + if (p->ip_options_len >= 2) { + if (*(p->ip_options_data) == 0 && *(p->ip_options_data+1) == 0) + { + DecoderEvent(p, EVARGS(IGMP_OPTIONS_DOS), 1, 1); + return; + } + } + } + + for(i=0; i< (int) p->ip_option_count; i++) { + /* All IGMPv2 packets contain IP option code 148 (router alert). + This vulnerability only applies to IGMPv3, so return early. */ + if (p->ip_options[i].code == 148) { + return; /* No alert. */ + } + + if (p->ip_options[i].len == 1) { + alert++; + } + } + + if (alert > 0) + DecoderEvent(p, EVARGS(IGMP_OPTIONS_DOS), 1, 1); + } } +//-------------------------------------------------------------------- +// decode.c::IP4 decoder +//-------------------------------------------------------------------- + /* - * Function: DecodeLinuxSLLPkt(Packet *, char *, struct pcap_pkthdr*, uint8_t*) + * Function: DecodeIP(uint8_t *, const uint32_t, Packet *) * - * Purpose: Decode those fun loving LinuxSLL (linux cooked sockets) - * packets, one at a time! 
+ * Purpose: Decode the IP network layer * - * Arguments: p => pointer to the decoded packet struct - * user => Utility pointer (unused) - * pkthdr => ptr to the packet header - * pkt => pointer to the real live packet data + * Arguments: pkt => ptr to the packet data + * len => length from here to the end of the packet + * p => pointer to the packet decode struct * * Returns: void function */ - -#ifdef DLT_LINUX_SLL - -void DecodeLinuxSLLPkt(Packet * p, const struct pcap_pkthdr * pkthdr, const uint8_t * pkt) +void DecodeIP(const uint8_t * pkt, const uint32_t len, Packet * p) { - uint32_t pkt_len; /* the length of the packet */ - uint32_t cap_len; /* caplen value */ - PROFILE_VARS; + uint32_t ip_len; /* length from the start of the ip hdr to the pkt end */ + uint32_t hlen; /* ip header length */ - PREPROC_PROFILE_START(decodePerfStats); + pc.ip++; - pc.total_processed++; +#ifdef GRE + if (p->greh != NULL) + pc.gre_ip++; +#endif - memset(p, 0, PKT_ZERO_LEN); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); - p->pkth = pkthdr; - p->pkt = pkt; + /* do a little validation */ + if(len < IP_HEADER_LEN) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "WARNING: Truncated IP4 header (%d bytes).\n", len);); - /* set the lengths we need */ - pkt_len = pkthdr->len; /* total packet length */ - cap_len = pkthdr->caplen; /* captured packet length */ + if ( Event_Enabled(DECODE_IP4_HDR_TRUNC) && ((p->packet_flags & PKT_UNSURE_ENCAP) == 0)) + DecoderEvent(p, EVARGS(IP4_HDR_TRUNC), 1, 1); - if (pcap_snaplen < pkt_len) - pkt_len = cap_len; + p->iph = NULL; + pc.discards++; + pc.ipdisc++; - DEBUG_WRAP(DebugMessage(DEBUG_DECODE,"Packet!\n"); - DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", - (unsigned long)cap_len, (unsigned long)pkt_len);); +#ifdef SUP_IP6 + p->family = NO_IP; +#endif + return; + } - /* do a little validation */ - if(p->pkth->caplen < SLL_HDR_LEN) +#ifndef SUP_IP6 + if (p->iph != NULL) +#else + if (p->family != NO_IP) +#endif /* SUP_IP6 */ { - if 
(ScLogVerbose()) + if (p->encapsulated) { - ErrorMessage("Captured data length < SLL header length (your " - "libpcap is broken?)! (%d bytes)\n", p->pkth->caplen); + DecoderAlertEncapsulated(p, DECODE_IP_MULTIPLE_ENCAPSULATION, + DECODE_IP_MULTIPLE_ENCAPSULATION_STR, + pkt, len); + return; + } + else + { + p->encapsulated = 1; + p->outer_iph = p->iph; + p->outer_ip_data = p->ip_data; + p->outer_ip_dsize = p->ip_dsize; } - PREPROC_PROFILE_END(decodePerfStats); - return; } - /* lay the ethernet structure over the packet data */ - p->sllh = (SLLHdr *) pkt; - - /* grab out the network type */ - switch(ntohs(p->sllh->sll_protocol)) - { - case ETHERNET_TYPE_IP: - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "IP datagram size calculated to be %lu bytes\n", - (unsigned long)(cap_len - SLL_HDR_LEN));); - - DecodeIP(p->pkt + SLL_HDR_LEN, cap_len - SLL_HDR_LEN, p); - PREPROC_PROFILE_END(decodePerfStats); - return; - - case ETHERNET_TYPE_ARP: - case ETHERNET_TYPE_REVARP: - DecodeARP(p->pkt + SLL_HDR_LEN, cap_len - SLL_HDR_LEN, p); - PREPROC_PROFILE_END(decodePerfStats); - return; - - case ETHERNET_TYPE_IPV6: - DecodeIPV6(p->pkt + SLL_HDR_LEN, (cap_len - SLL_HDR_LEN), p); - PREPROC_PROFILE_END(decodePerfStats); - return; - case ETHERNET_TYPE_IPX: - DecodeIPX(p->pkt + SLL_HDR_LEN, (cap_len - SLL_HDR_LEN), p); - PREPROC_PROFILE_END(decodePerfStats); - return; + /* lay the IP struct over the raw data */ + p->inner_iph = p->iph = (IPHdr *)pkt; - case LINUX_SLL_P_802_3: - DEBUG_WRAP(DebugMessage(DEBUG_DATALINK, - "Linux SLL P 802.3 is not supported.\n");); - pc.other++; - PREPROC_PROFILE_END(decodePerfStats); - return; + /* + * with datalink DLT_RAW it's impossible to differ ARP datagrams from IP. + * So we are just ignoring non IP datagrams + */ + if(IP_VER(p->iph) != 4) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "Not IPv4 datagram! 
([ver: 0x%x][len: 0x%x])\n", + IP_VER(p->iph), p->iph->ip_len);); - case LINUX_SLL_P_802_2: - DEBUG_WRAP(DebugMessage(DEBUG_DATALINK, - "Linux SLL P 802.2 is not supported.\n");); - pc.other++; - PREPROC_PROFILE_END(decodePerfStats); - return; + if ((p->packet_flags & PKT_UNSURE_ENCAP) == 0) + DecoderEvent(p, DECODE_NOT_IPV4_DGRAM, + DECODE_NOT_IPV4_DGRAM_STR, 1, 1); - case ETHERNET_TYPE_8021Q: - DecodeVlan(p->pkt + SLL_HDR_LEN, cap_len - SLL_HDR_LEN, p); - PREPROC_PROFILE_END(decodePerfStats); - return; + p->iph = NULL; + pc.discards++; + pc.ipdisc++; - default: - /* shouldn't go here unless pcap library changes again */ - /* should be a DECODE generated alert */ - DEBUG_WRAP(DebugMessage(DEBUG_DATALINK,"(Unknown) %X is not supported. " - "(need tcpdump snapshots to test. Please contact us)\n", - p->sllh->sll_protocol);); - pc.other++; - PREPROC_PROFILE_END(decodePerfStats); - return; +#ifdef SUP_IP6 + p->family = NO_IP; +#endif + return; } - PREPROC_PROFILE_END(decodePerfStats); - return; -} - -#endif /* DLT_LINUX_SLL */ - -/* - * Function: DecodeOldPflog(Packet *, struct pcap_pkthdr *, uint8_t *) - * - * Purpose: Pass old pflog format device packets off to IP or IP6 -fleck - * - * Arguments: p => pointer to the decoded packet struct - * pkthdr => ptr to the packet header - * pkt => pointer to the packet data - * - * Returns: void function - * - */ -void DecodeOldPflog(Packet * p, const struct pcap_pkthdr * pkthdr, const uint8_t * pkt) -{ - uint32_t pkt_len; /* suprisingly, the length of the packet */ - uint32_t cap_len; /* caplen value */ - PROFILE_VARS; +#ifdef SUP_IP6 + sfiph_build(p, p->iph, AF_INET); +#endif - PREPROC_PROFILE_START(decodePerfStats); +// p->ip_payload_len = p->iph->ip_len; +// p->ip_payload_off = p->ip_payload_len + (int)pkt; - pc.total_processed++; + /* get the IP datagram length */ + ip_len = ntohs(p->iph->ip_len); - memset(p, 0, PKT_ZERO_LEN); + /* get the IP header length */ + hlen = IP_HLEN(p->iph) << 2; - p->pkth = pkthdr; - p->pkt = 
pkt; + /* header length sanity check */ + if(hlen < IP_HEADER_LEN) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "Bogus IP header length of %i bytes\n", hlen);); - /* set the lengths we need */ - pkt_len = pkthdr->len; /* total packet length */ - cap_len = pkthdr->caplen; /* captured packet length */ + DecoderEvent(p, DECODE_IPV4_INVALID_HEADER_LEN, + DECODE_IPV4_INVALID_HEADER_LEN_STR, 1, 1); - if (pcap_snaplen < pkt_len) - pkt_len = cap_len; + p->iph = NULL; + pc.discards++; + pc.ipdisc++; +#ifdef SUP_IP6 + p->family = NO_IP; +#endif + return; + } - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"); - DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", - (unsigned long)cap_len, (unsigned long)pkt_len);); + if (ip_len > len) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "IP Len field is %d bytes bigger than captured length.\n" + " (ip.len: %lu, cap.len: %lu)\n", + ip_len - len, ip_len, len);); + + DecoderEventDrop(p, DECODE_IPV4_DGRAM_GT_CAPLEN, + DECODE_IPV4_DGRAM_GT_CAPLEN_STR, + ScDecoderOversizedAlerts(), + ScDecoderOversizedDrops()); - /* do a little validation */ - if(p->pkth->caplen < PFLOG1_HDRLEN) + p->iph = NULL; + pc.discards++; + pc.ipdisc++; +#ifdef SUP_IP6 + p->family = NO_IP; +#endif + return; + } +#if 0 + // There is no need to alert when (ip_len < len). + // Libpcap will capture more bytes than are part of the IP payload. + // These could be Ethernet trailers, ESP trailers, etc. + // This code is left in, commented, to keep us from re-writing it later. + else if (ip_len < len) { if (ScLogVerbose()) - { - ErrorMessage("Captured data length < Pflog header length! 
" - "(%d bytes)\n", p->pkth->caplen); - } - PREPROC_PROFILE_END(decodePerfStats); - return; + ErrorMessage("IP Len field is %d bytes " + "smaller than captured length.\n" + " (ip.len: %lu, cap.len: %lu)\n", + len - ip_len, ip_len, len); } +#endif - /* lay the pf header structure over the packet data */ - p->pf1h = (Pflog1Hdr*)pkt; - - /* get the network type - should only be AF_INET or AF_INET6 */ - switch(ntohl(p->pf1h->af)) + if(ip_len < hlen) { - case AF_INET: /* IPv4 */ - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "IP datagram size calculated to be %lu " - "bytes\n", (unsigned long)(cap_len - PFLOG1_HDRLEN));); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "IP dgm len (%d bytes) < IP hdr " + "len (%d bytes), packet discarded\n", ip_len, hlen);); - DecodeIP(p->pkt + PFLOG1_HDRLEN, cap_len - PFLOG1_HDRLEN, p); - PREPROC_PROFILE_END(decodePerfStats); - return; + DecoderEvent(p, DECODE_IPV4_DGRAM_LT_IPHDR, + DECODE_IPV4_DGRAM_LT_IPHDR_STR, 1, 1); -#if defined(AF_INET6) || defined(SUP_IP6) - case AF_INET6: /* IPv6 */ - DecodeIPV6(p->pkt + PFLOG1_HDRLEN, cap_len - PFLOG1_HDRLEN, p); - PREPROC_PROFILE_END(decodePerfStats); - return; + p->iph = NULL; + pc.discards++; + pc.ipdisc++; +#ifdef SUP_IP6 + p->family = NO_IP; #endif - - default: - /* To my knowledge, pflog devices can only - * pass IP and IP6 packets. 
-fleck - */ - pc.other++; - PREPROC_PROFILE_END(decodePerfStats); - return; + return; } - PREPROC_PROFILE_END(decodePerfStats); - return; -} - -/* - * Function: DecodePflog(Packet *, struct pcap_pkthdr *, uint8_t *) - * - * Purpose: Pass pflog device packets off to IP or IP6 -fleck - * - * Arguments: p => pointer to the decoded packet struct - * pkthdr => ptr to the packet header - * pkt => pointer to the packet data - * - * Returns: void function - * - */ -void DecodePflog(Packet * p, const struct pcap_pkthdr * pkthdr, const uint8_t * pkt) -{ - uint32_t pkt_len; /* suprisingly, the length of the packet */ - uint32_t cap_len; /* caplen value */ - uint8_t af, pflen; - uint32_t hlen; - PROFILE_VARS; - - PREPROC_PROFILE_START(decodePerfStats); - - pc.total_processed++; - - memset(p, 0, PKT_ZERO_LEN); - - p->pkth = pkthdr; - p->pkt = pkt; + /* + * IP Header tests: Land attack, and Loop back test + */ + if(ScIdsMode()) + { + IP4AddrTests(p); + } - /* set the lengths we need */ - pkt_len = pkthdr->len; /* total packet length */ - cap_len = pkthdr->caplen; /* captured packet length */ - if (pcap_snaplen < pkt_len) - pkt_len = cap_len; + if (ScIpChecksums()) + { + /* routers drop packets with bad IP checksums, we don't really + * need to check them (should make this a command line/config + * option + */ + int16_t csum = in_chksum_ip((u_short *)p->iph, hlen); - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"); - DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", - (unsigned long)cap_len, (unsigned long)pkt_len);); + if(csum) + { + p->error_flags |= PKT_ERR_CKSUM_IP; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad IP checksum\n");); - /* do a little validation */ - if(p->pkth->caplen < PFLOG2_HDRMIN) - { - if (ScLogVerbose()) + if ( ScIdsMode() ) + queueExecDrop(execIpChksmDrop, p); + } +#ifdef DEBUG_MSGS + else { - ErrorMessage("Captured data length < minimum Pflog length! 
" - "(%d < %d)\n", p->pkth->caplen, PFLOG2_HDRMIN); + DebugMessage(DEBUG_DECODE, "IP Checksum: OK\n"); } - PREPROC_PROFILE_END(decodePerfStats); - return; +#endif /* DEBUG */ } - /* lay the pf header structure over the packet data */ - if ( *((uint8_t*)pkt) < PFLOG3_HDRMIN ) + + PushLayer(PROTO_IP4, p, pkt, hlen); + + /* test for IP options */ + p->ip_options_len = (uint16_t)(hlen - IP_HEADER_LEN); + + if(p->ip_options_len > 0) { - p->pf2h = (Pflog2Hdr*)pkt; - pflen = p->pf2h->length; - hlen = PFLOG2_HDRLEN; - af = p->pf2h->af; + p->ip_options_data = pkt + IP_HEADER_LEN; + DecodeIPOptions((pkt + IP_HEADER_LEN), p->ip_options_len, p); } else { - p->pf3h = (Pflog3Hdr*)pkt; - pflen = p->pf3h->length; - hlen = PFLOG3_HDRLEN; - af = p->pf3h->af; - } - /* now that we know a little more, do a little more validation */ - if(p->pkth->caplen < hlen) - { - if (ScLogVerbose()) +#ifdef GRE + /* If delivery header for GRE encapsulated packet is IP and it + * had options, the packet's ip options will be refering to this + * outer IP's options + * Zero these options so they aren't associated with this inner IP + * since p->iph will be pointing to this inner IP + */ + if (p->encapsulated) { - ErrorMessage("Captured data length < Pflog header length! " - "(%d < %d)\n", p->pkth->caplen, hlen); + p->ip_options_data = NULL; + p->ip_options_len = 0; + p->ip_lastopt_bad = 0; } - PREPROC_PROFILE_END(decodePerfStats); - return; - } - /* note that the pflen may exclude the padding which is always present */ - if(pflen < hlen - PFLOG_PADLEN || pflen > hlen) - { - if (ScLogVerbose()) - { - ErrorMessage("Bad Pflog header length! 
(%d bytes)\n", pflen); - } - PREPROC_PROFILE_END(decodePerfStats); - return; +#endif + p->ip_option_count = 0; } - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "IP datagram size calculated to be " - "%lu bytes\n", (unsigned long)(cap_len - hlen));); - - /* check the network type - should only be AF_INET or AF_INET6 */ - switch(af) - { - case AF_INET: /* IPv4 */ - DecodeIP(p->pkt + hlen, cap_len - hlen, p); - PREPROC_PROFILE_END(decodePerfStats); - return; -#if defined(AF_INET6) || defined(SUP_IP6) - case AF_INET6: /* IPv6 */ - DecodeIPV6(p->pkt + hlen, cap_len - hlen, p); - PREPROC_PROFILE_END(decodePerfStats); - return; -#endif + /* set the real IP length for logging */ + p->actual_ip_len = (uint16_t) ip_len; - default: - /* To my knowledge, pflog devices can only - * pass IP and IP6 packets. -fleck - */ - pc.other++; - PREPROC_PROFILE_END(decodePerfStats); - return; - } + /* set the remaining packet length */ + ip_len -= hlen; - PREPROC_PROFILE_END(decodePerfStats); - return; -} + /* check for fragmented packets */ + p->frag_offset = ntohs(p->iph->ip_off); -/* - * Function: DecodePPPoEPkt(Packet *, char *, struct pcap_pkthdr*, uint8_t*) - * - * Purpose: Decode those fun loving ethernet packets, one at a time! 
- * - * Arguments: p => pointer to the decoded packet struct - * user => Utility pointer (unused) - * pkthdr => ptr to the packet header - * pkt => pointer to the real live packet data - * - * Returns: void function - * - * see http://www.faqs.org/rfcs/rfc2516.html - * - */ -void DecodePPPoEPkt(Packet * p, const struct pcap_pkthdr * pkthdr, const uint8_t * pkt) -{ - uint32_t pkt_len; /* suprisingly, the length of the packet */ - uint32_t cap_len; /* caplen value */ - const PPPoEHdr *ppppoep=NULL; - //PPPoE_Tag *ppppoe_tag=0; - //PPPoE_Tag tag; /* needed to avoid alignment problems */ + /* + * get the values of the reserved, more + * fragments and don't fragment flags + */ + p->rf = (uint8_t)((p->frag_offset & 0x8000) >> 15); + p->df = (uint8_t)((p->frag_offset & 0x4000) >> 14); + p->mf = (uint8_t)((p->frag_offset & 0x2000) >> 13); - /* set the lengths we need */ - pkt_len = pkthdr->len; /* total packet length */ - cap_len = pkthdr->caplen; /* captured packet length */ + /* mask off the high bits in the fragment offset field */ + p->frag_offset &= 0x1FFF; - if (pcap_snaplen < pkt_len) - pkt_len = cap_len; + if ( Event_Enabled(DECODE_IP4_DF_OFFSET) ) + if ( p->df && p->frag_offset ) + DecoderEvent(p, EVARGS(IP4_DF_OFFSET), 1, 1); + + if ( Event_Enabled(DECODE_IP4_LEN_OFFSET) ) + if ( p->frag_offset + p->actual_ip_len > IP_MAXPACKET ) + DecoderEvent(p, EVARGS(IP4_LEN_OFFSET), 1, 1); - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"); - DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", - (unsigned long)cap_len, (unsigned long)pkt_len);); + if(p->frag_offset || p->mf) + { + /* set the packet fragment flag */ + p->frag_flag = 1; + p->ip_frag_start = pkt + hlen; + p->ip_frag_len = (uint16_t)ip_len; + pc.frags++; + } + else + { + p->frag_flag = 0; + } - /* do a little validation */ - if(cap_len < PPPOE_HEADER_LEN) + if(Event_Enabled(DECODE_BAD_FRAGBITS)) { - if (ScLogVerbose()) + + if( p->mf && p->df ) { - ErrorMessage("Captured data length < Ethernet header 
length! " - "(%d bytes)\n", p->pkth->caplen); + DecoderEvent(p, DECODE_BAD_FRAGBITS, + DECODE_BAD_FRAGBITS_STR, 1, 1); } - - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_BAD_PPPOE, 1, - DECODE_CLASS, 3, DECODE_BAD_PPPOE_STR, 0); + } - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } + /* Set some convienience pointers */ + p->ip_data = pkt + hlen; + p->ip_dsize = (u_short) ip_len; - } - - return; + if (ScIdsMode()) + { + /* See if there are any ip_proto only rules that match */ + fpEvalIpProtoOnlyRules(snort_conf->ip_proto_only_lists, p); + p->proto_bits |= PROTO_BIT__IP; } - /* XXX - MFR - * This code breaks the decode model that Snort uses, we should - * reimplement it properly ASAP - */ - /* - * Not sure how long ago the above comment was added, but - * it is now fixed. It may or may not fall under the 'ASAP' - * category. - */ + IPMiscTests(p); - /* lay the ethernet structure over the packet data */ - /* Don't need to do this. It is already done in the decoding - * of the ethernet header, which then calls this function for - * PPP over Ethernet. 
- p->eh = (EtherHdr *) pkt; - */ + /* if this packet isn't a fragment + * or if it is, its a UDP packet and offset is 0 */ + if(!(p->frag_flag) || + (p->frag_flag && (p->frag_offset == 0) && + (p->iph->ip_proto == IPPROTO_UDP))) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "IP header length: %lu\n", + (unsigned long)hlen);); - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "%X %X\n", - *p->eh->ether_src, *p->eh->ether_dst);); + switch(p->iph->ip_proto) + { + case IPPROTO_TCP: + pc.tcp++; + DecodeTCP(pkt + hlen, ip_len, p); + //ClearDumpBuf(); + return; - /* lay the PPP over ethernet structure over the packet data */ - ppppoep = p->pppoeh = (PPPoEHdr *)pkt; + case IPPROTO_UDP: + pc.udp++; + DecodeUDP(pkt + hlen, ip_len, p); + //ClearDumpBuf(); + return; - /* grab out the network type */ - switch(ntohs(p->eh->ether_type)) - { - case ETHERNET_TYPE_PPPoE_DISC: - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "(PPPOE Discovery) ");); - break; + case IPPROTO_ICMP: + pc.icmp++; + DecodeICMP(pkt + hlen, ip_len, p); + //ClearDumpBuf(); + return; - case ETHERNET_TYPE_PPPoE_SESS: - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "(PPPOE Session) ");); - break; +#ifdef GRE + case IPPROTO_IPV6: + if (ip_len < 40) + { + /* Insufficient size for IPv6 Header. */ + /* This could be an attempt to exploit Linux kernel + * vulnerability, so log an alert */ + DecoderEvent(p, DECODE_IPV6_TUNNELED_IPV4_TRUNCATED, + DECODE_IPV6_TUNNELED_IPV4_TRUNCATED_STR, + 1, 1); + } + pc.ip4ip6++; + DecodeIPV6(pkt + hlen, ip_len, p); + return; - default: - return; - } + case IPPROTO_GRE: + pc.gre++; + DecodeGRE(pkt + hlen, ip_len, p); + //ClearDumpBuf(); + return; -#ifdef DEBUG - switch(ppppoep->code) - { - case PPPoE_CODE_PADI: - /* The Host sends the PADI packet with the DESTINATION_ADDR set - * to the broadcast address. The CODE field is set to 0x09 and - * the SESSION_ID MUST be set to 0x0000. 
- * - * The PADI packet MUST contain exactly one TAG of TAG_TYPE - * Service-Name, indicating the service the Host is requesting, - * and any number of other TAG types. An entire PADI packet - * (including the PPPoE header) MUST NOT exceed 1484 octets so - * as to leave sufficient room for a relay agent to add a - * Relay-Session-Id TAG. - */ - DebugMessage(DEBUG_DECODE, "Active Discovery Initiation (PADI)\n"); - break; + case IPPROTO_IPIP: + pc.ip4ip4++; + DecodeIP(pkt + hlen, ip_len, p); + return; +#endif - case PPPoE_CODE_PADO: - /* When the Access Concentrator receives a PADI that it can - * serve, it replies by sending a PADO packet. The - * DESTINATION_ADDR is the unicast address of the Host that - * sent the PADI. The CODE field is set to 0x07 and the - * SESSION_ID MUST be set to 0x0000. - * - * The PADO packet MUST contain one AC-Name TAG containing the - * Access Concentrator's name, a Service-Name TAG identical to - * the one in the PADI, and any number of other Service-Name - * TAGs indicating other services that the Access Concentrator - * offers. If the Access Concentrator can not serve the PADI - * it MUST NOT respond with a PADO. - */ - DebugMessage(DEBUG_DECODE, "Active Discovery Offer (PADO)\n"); - break; + case IPPROTO_ESP: + if (ScESPDecoding()) + DecodeESP(pkt + hlen, ip_len, p); + return; - case PPPoE_CODE_PADR: - /* Since the PADI was broadcast, the Host may receive more than - * one PADO. The Host looks through the PADO packets it receives - * and chooses one. The choice can be based on the AC-Name or - * the Services offered. The Host then sends one PADR packet - * to the Access Concentrator that it has chosen. The - * DESTINATION_ADDR field is set to the unicast Ethernet address - * of the Access Concentrator that sent the PADO. The CODE - * field is set to 0x19 and the SESSION_ID MUST be set to 0x0000. 
- * - * The PADR packet MUST contain exactly one TAG of TAG_TYPE - * Service-Name, indicating the service the Host is requesting, - * and any number of other TAG types. - */ - DebugMessage(DEBUG_DECODE, "Active Discovery Request (PADR)\n"); - break; + case IPPROTO_SWIPE: + case IPPROTO_IP_MOBILITY: + case IPPROTO_SUN_ND: + case IPPROTO_PIM: + if ( Event_Enabled(DECODE_IP_BAD_PROTO) ) + DecoderEvent(p, EVARGS(IP_BAD_PROTO), 1, 1); + pc.other++; + p->data = pkt + hlen; + p->dsize = (u_short) ip_len; + return; - case PPPoE_CODE_PADS: - /* When the Access Concentrator receives a PADR packet, it - * prepares to begin a PPP session. It generates a unique - * SESSION_ID for the PPPoE session and replies to the Host with - * a PADS packet. The DESTINATION_ADDR field is the unicast - * Ethernet address of the Host that sent the PADR. The CODE - * field is set to 0x65 and the SESSION_ID MUST be set to the - * unique value generated for this PPPoE session. - * - * The PADS packet contains exactly one TAG of TAG_TYPE - * Service-Name, indicating the service under which Access - * Concentrator has accepted the PPPoE session, and any number - * of other TAG types. - * - * If the Access Concentrator does not like the Service-Name in - * the PADR, then it MUST reply with a PADS containing a TAG of - * TAG_TYPE Service-Name-Error (and any number of other TAG - * types). In this case the SESSION_ID MUST be set to 0x0000. - */ - DebugMessage(DEBUG_DECODE, "Active Discovery " - "Session-confirmation (PADS)\n"); - break; + case IPPROTO_PGM: + pc.other++; + p->data = pkt + hlen; + p->dsize = (u_short) ip_len; - case PPPoE_CODE_PADT: - /* This packet may be sent anytime after a session is established - * to indicate that a PPPoE session has been terminated. It may - * be sent by either the Host or the Access Concentrator. 
The - * DESTINATION_ADDR field is a unicast Ethernet address, the - * CODE field is set to 0xa7 and the SESSION_ID MUST be set to - * indicate which session is to be terminated. No TAGs are - * required. - * - * When a PADT is received, no further PPP traffic is allowed to - * be sent using that session. Even normal PPP termination - * packets MUST NOT be sent after sending or receiving a PADT. - * A PPP peer SHOULD use the PPP protocol itself to bring down a - * PPPoE session, but the PADT MAY be used when PPP can not be - * used. - */ - DebugMessage(DEBUG_DECODE, "Active Discovery Terminate (PADT)\n"); - break; + if ( Event_Enabled(DECODE_PGM_NAK_OVERFLOW) ) + CheckPGMVuln(p); + return; - case PPPoE_CODE_SESS: - DebugMessage(DEBUG_DECODE, "Session Packet (SESS)\n"); - break; + case IPPROTO_IGMP: + pc.other++; + p->data = pkt + hlen; + p->dsize = (u_short) ip_len; - default: - DebugMessage(DEBUG_DECODE, "(Unknown)\n"); - break; - } -#endif + if ( Event_Enabled(DECODE_IGMP_OPTIONS_DOS) ) + CheckIGMPVuln(p); + return; - if (ntohs(p->eh->ether_type) != ETHERNET_TYPE_PPPoE_DISC) - { - DecodePppPktEncapsulated(p, cap_len - PPPOE_HEADER_LEN, pkt + PPPOE_HEADER_LEN); - return; + default: + if ( Event_Enabled(DECODE_IP_UNASSIGNED_PROTO) ) + { + if (GET_IPH_PROTO(p) >= MIN_UNASSIGNED_IP_PROTO) + DecoderEvent(p, EVARGS(IP_UNASSIGNED_PROTO), 1, 1); + } + pc.other++; + p->data = pkt + hlen; + p->dsize = (u_short) ip_len; + //ClearDumpBuf(); + return; + } } else { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Returning early on PPPOE discovery packet\n");); - return; + /* set the payload pointer and payload size */ + p->data = pkt + hlen; + p->dsize = (u_short) ip_len; } +} -#if 0 - ppppoe_tag = (PPPoE_Tag *)(pkt + sizeof(PPPoEHdr)); +//-------------------------------------------------------------------- +// decode.c::ICMP +//-------------------------------------------------------------------- - while (ppppoe_tag < (PPPoE_Tag *)(pkt + pkthdr->caplen)) +/* + * Function: 
DecodeICMP(uint8_t *, const uint32_t, Packet *) + * + * Purpose: Decode the ICMP transport layer + * + * Arguments: pkt => ptr to the packet data + * len => length from here to the end of the packet + * p => pointer to the decoded packet struct + * + * Returns: void function + */ +void DecodeICMP(const uint8_t * pkt, const uint32_t len, Packet * p) +{ + if(len < ICMP_HEADER_LEN) { - if (((char*)(ppppoe_tag)+(sizeof(PPPoE_Tag)-1)) > (char*)(pkt + pkthdr->caplen)) - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Not enough data in packet for PPPOE Tag\n");); - break; - } + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "WARNING: Truncated ICMP4 header (%d bytes).\n", len);); - /* no guarantee in PPPoE spec that ppppoe_tag is aligned at all... */ - memcpy(&tag, ppppoe_tag, sizeof(tag)); + if ( Event_Enabled(DECODE_ICMP4_HDR_TRUNC) ) + DecoderEvent(p, EVARGS(ICMP4_HDR_TRUNC), 1, 1); - DEBUG_WRAP( - DebugMessage(DEBUG_DECODE, "\tPPPoE tag:\ntype: %04x length: %04x ", - ntohs(tag.type), ntohs(tag.length));); + p->icmph = NULL; + pc.discards++; + pc.icmpdisc++; -#ifdef DEBUG - switch(ntohs(tag.type)) - { - case PPPoE_TAG_END_OF_LIST: - DebugMessage(DEBUG_DECODE, "(End of list)\n\t"); - break; - case PPPoE_TAG_SERVICE_NAME: - DebugMessage(DEBUG_DECODE, "(Service name)\n\t"); - break; - case PPPoE_TAG_AC_NAME: - DebugMessage(DEBUG_DECODE, "(AC Name)\n\t"); - break; - case PPPoE_TAG_HOST_UNIQ: - DebugMessage(DEBUG_DECODE, "(Host Uniq)\n\t"); - break; - case PPPoE_TAG_AC_COOKIE: - DebugMessage(DEBUG_DECODE, "(AC Cookie)\n\t"); - break; - case PPPoE_TAG_VENDOR_SPECIFIC: - DebugMessage(DEBUG_DECODE, "(Vendor Specific)\n\t"); - break; - case PPPoE_TAG_RELAY_SESSION_ID: - DebugMessage(DEBUG_DECODE, "(Relay Session ID)\n\t"); - break; - case PPPoE_TAG_SERVICE_NAME_ERROR: - DebugMessage(DEBUG_DECODE, "(Service Name Error)\n\t"); - break; - case PPPoE_TAG_AC_SYSTEM_ERROR: - DebugMessage(DEBUG_DECODE, "(AC System Error)\n\t"); - break; - case PPPoE_TAG_GENERIC_ERROR: - 
DebugMessage(DEBUG_DECODE, "(Generic Error)\n\t"); - break; - default: - DebugMessage(DEBUG_DECODE, "(Unknown)\n\t"); - break; - } -#endif + return; + } - if (ntohs(tag.length) > 0) - { -#ifdef DEBUG - char *buf; - int i; + /* set the header ptr first */ + p->icmph = (ICMPHdr *) pkt; - switch (ntohs(tag.type)) + switch (p->icmph->type) + { + // fall through ... + case ICMP_SOURCE_QUENCH: + case ICMP_DEST_UNREACH: + case ICMP_REDIRECT: + case ICMP_TIME_EXCEEDED: + case ICMP_PARAMETERPROB: + case ICMP_ECHOREPLY: + case ICMP_ECHO: + case ICMP_ROUTER_ADVERTISE: + case ICMP_ROUTER_SOLICIT: + case ICMP_INFO_REQUEST: + case ICMP_INFO_REPLY: + if (len < 8) { - case PPPoE_TAG_SERVICE_NAME: - case PPPoE_TAG_AC_NAME: - case PPPoE_TAG_SERVICE_NAME_ERROR: - case PPPoE_TAG_AC_SYSTEM_ERROR: - case PPPoE_TAG_GENERIC_ERROR: * ascii data * - buf = (char *)SnortAlloc(ntohs(tag.length) + 1); - strlcpy(buf, (char *)(ppppoe_tag+1), ntohs(tag.length)); - DebugMessage(DEBUG_DECODE, "data (UTF-8): %s\n", buf); - free(buf); - break; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "Truncated ICMP header(%d bytes)\n", len);); - case PPPoE_TAG_HOST_UNIQ: - case PPPoE_TAG_AC_COOKIE: - case PPPoE_TAG_RELAY_SESSION_ID: - DebugMessage(DEBUG_DECODE, "data (bin): "); - for (i = 0; i < ntohs(tag.length); i++) - DebugMessage(DEBUG_DECODE, - "%02x", *(((unsigned char *)ppppoe_tag) + - sizeof(PPPoE_Tag) + i)); - DebugMessage(DEBUG_DECODE, "\n"); - break; + DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR, + DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1); - default: - DebugMessage(DEBUG_DECODE, "unrecognized data\n"); - break; + p->icmph = NULL; + pc.discards++; + pc.icmpdisc++; + + return; } -#endif - } + break; - ppppoe_tag = (PPPoE_Tag *)((char *)(ppppoe_tag+1)+ntohs(tag.length)); - } + case ICMP_TIMESTAMP: + case ICMP_TIMESTAMPREPLY: + if (len < 20) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "Truncated ICMP header(%d bytes)\n", len);); -#endif /* #if 0 */ + DecoderEvent(p, DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR, + 
DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR_STR, 1, 1); - return; -} -#endif // NO_NON_ETHER_DECODER + p->icmph = NULL; + pc.discards++; + pc.icmpdisc++; + return; + } + break; -/* - * Function: DecodePppPktEncapsulated(Packet *, const uint32_t len, uint8_t*) - * - * Purpose: Decode PPP traffic (RFC1661 framing). - * - * Arguments: p => pointer to decoded packet struct - * len => length of data to process - * pkt => pointer to the real live packet data - * - * Returns: void function - */ -void DecodePppPktEncapsulated(Packet * p, const uint32_t len, const uint8_t * pkt) -{ - static int had_vj = 0; - uint16_t protocol; - uint32_t hlen = 1; /* HEADER - try 1 then 2 */ - - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "PPP Packet!\n");); + case ICMP_ADDRESS: + case ICMP_ADDRESSREPLY: + if (len < 12) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "Truncated ICMP header(%d bytes)\n", len);); -#ifdef WORDS_MUSTALIGN - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet with PPP header. " - "PPP is only 1 or 2 bytes and will throw off " - "alignment on this architecture when decoding IP, " - "causing a bus error - stop decoding packet.\n");); - p->data = pkt; - p->dsize = (uint16_t)len; - return; -#endif /* WORDS_MUSTALIGN */ + DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ADDRHDR, + DECODE_ICMP_DGRAM_LT_ADDRHDR_STR, 1, 1); -#ifdef GRE - if (p->greh != NULL) - pc.gre_ppp++; -#endif /* GRE */ + p->icmph = NULL; + pc.discards++; + pc.icmpdisc++; - /* do a little validation: - * - */ - if(len < 2) + return; + } + break; + + default: + if ( Event_Enabled(DECODE_ICMP4_TYPE_OTHER) ) + DecoderEvent(p, EVARGS(ICMP4_TYPE_OTHER), 1, 1); + break; + } + + + if (ScIcmpChecksums()) { - if (ScLogVerbose()) + uint16_t csum = in_chksum_icmp((uint16_t *)p->icmph, len); + + if(csum) { - ErrorMessage("Length not big enough for even a single " - "header or a one byte payload\n"); + p->error_flags |= PKT_ERR_CKSUM_ICMP; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad ICMP Checksum\n");); + + if ( ScIdsMode() ) + 
queueExecDrop(execIcmpChksmDrop, p); + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE,"ICMP Checksum: OK\n");); } - return; } - - if(pkt[0] & 0x01) - { - /* Check for protocol compression rfc1661 section 5 - * - */ - hlen = 1; - protocol = pkt[0]; - } - else - { - protocol = ntohs(*((uint16_t *)pkt)); - hlen = 2; - } - - /* - * We only handle uncompressed packets. Handling VJ compression would mean - * to implement a PPP state machine. - */ - switch (protocol) + p->dsize = (u_short)(len - ICMP_HEADER_LEN); + p->data = pkt + ICMP_HEADER_LEN; + + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "ICMP type: %d code: %d\n", + p->icmph->type, p->icmph->code);); + + switch(p->icmph->type) { - case PPP_VJ_COMP: - if (!had_vj) - ErrorMessage("PPP link seems to use VJ compression, " - "cannot handle compressed packets!\n"); - had_vj = 1; + case ICMP_ECHO: + ICMP4AddrTests(p); + // fall through ... + + case ICMP_ECHOREPLY: + /* setup the pkt id and seq numbers */ + p->dsize -= sizeof(struct idseq); /* add the size of the + * echo ext to the data + * ptr and subtract it + * from the data size */ + p->data += sizeof(struct idseq); + PushLayer(PROTO_ICMP4, p, pkt, ICMP_NORMAL_LEN); break; - case PPP_VJ_UCOMP: - /* VJ compression modifies the protocol field. It must be set - * to tcp (only TCP packets can be VJ compressed) */ - if(len < (hlen + IP_HEADER_LEN)) + + case ICMP_DEST_UNREACH: + if ((p->icmph->code == ICMP_FRAG_NEEDED) + && (ntohs(p->icmph->s_icmp_nextmtu) < 576)) { - if (ScLogVerbose()) - ErrorMessage("PPP VJ min packet length > captured len! 
" - "(%d bytes)\n", len); - return; + if ( Event_Enabled(DECODE_ICMP_PATH_MTU_DOS) ) + DecoderEvent(p, EVARGS(ICMP_PATH_MTU_DOS), 1, 1); } - ((IPHdr *)(pkt + hlen))->ip_proto = IPPROTO_TCP; - /* fall through */ + /* Fall through */ - case PPP_IP: - DecodeIP(pkt + hlen, len - hlen, p); + case ICMP_SOURCE_QUENCH: + case ICMP_REDIRECT: + case ICMP_TIME_EXCEEDED: + case ICMP_PARAMETERPROB: + /* account for extra 4 bytes in header */ + p->dsize -= 4; + p->data += 4; + + PushLayer(PROTO_ICMP4, p, pkt, ICMP_NORMAL_LEN); + DecodeICMPEmbeddedIP(p->data, p->dsize, p); break; -#ifndef NO_NON_ETHER_DECODER - case PPP_IPX: - DecodeIPX(pkt + hlen, len - hlen, p); + default: + PushLayer(PROTO_ICMP4, p, pkt, ICMP_HEADER_LEN); break; -#endif } -} + /* Run a bunch of ICMP decoder rules */ + ICMP4MiscTests(p); + + p->proto_bits |= PROTO_BIT__ICMP; +} /* - * Function: DecodePppPkt(Packet *, char *, struct pcap_pkthdr*, uint8_t*) + * Function: DecodeICMPEmbeddedIP(uint8_t *, const uint32_t, Packet *) * - * Purpose: Decode PPP traffic (either RFC1661 or RFC1662 framing). 
- * This really is intended to handle IPCP + * Purpose: Decode the ICMP embedded IP header + 64 bits payload * - * Arguments: p => pointer to decoded packet struct - * user => Utility pointer, unused - * pkthdr => ptr to the packet header - * pkt => pointer to the real live packet data + * Arguments: pkt => ptr to the packet data + * len => length from here to the end of the packet + * p => pointer to dummy packet decode struct * * Returns: void function */ -void DecodePppPkt(Packet * p, const struct pcap_pkthdr * pkthdr, const uint8_t * pkt) +void DecodeICMPEmbeddedIP(const uint8_t *pkt, const uint32_t len, Packet *p) { - int hlen = 0; - PROFILE_VARS; + uint32_t ip_len; /* length from the start of the ip hdr to the + * pkt end */ + uint32_t hlen; /* ip header length */ + uint16_t orig_frag_offset; - PREPROC_PROFILE_START(decodePerfStats); + /* do a little validation */ + if(len < IP_HEADER_LEN) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "ICMP: IP short header (%d bytes)\n", len);); - pc.total_processed++; + DecoderEvent(p, DECODE_ICMP_ORIG_IP_TRUNCATED, + DECODE_ICMP_ORIG_IP_TRUNCATED_STR, 1, 1); - memset(p, 0, PKT_ZERO_LEN); - - p->pkth = pkthdr; - p->pkt = pkt; - - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); - - if(p->pkth->caplen < 2) - { - if (ScLogVerbose()) - { - ErrorMessage("Length not big enough for even a single " - "header or a one byte payload\n"); - } - PREPROC_PROFILE_END(decodePerfStats); +#ifdef SUP_IP6 + p->orig_family = NO_IP; +#endif + p->orig_iph = NULL; return; } - if(pkt[0] == CHDLC_ADDR_BROADCAST && pkt[1] == CHDLC_CTRL_UNNUMBERED) + /* lay the IP struct over the raw data */ +#ifdef SUP_IP6 + sfiph_orig_build(p, pkt, AF_INET); +#endif + p->orig_iph = (IPHdr *) pkt; + + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "DecodeICMPEmbeddedIP: ip header" + " starts at: %p, length is %lu\n", p->orig_iph, + (unsigned long) len);); + /* + * with datalink DLT_RAW it's impossible to differ ARP datagrams from IP. 
+ * So we are just ignoring non IP datagrams + */ + if((GET_ORIG_IPH_VER(p) != 4) && !IS_IP6(p)) { - /* - * Check for full HDLC header (rfc1662 section 3.2) - */ - hlen = 2; - } + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "ICMP: not IPv4 datagram ([ver: 0x%x][len: 0x%x])\n", + GET_ORIG_IPH_VER(p), GET_ORIG_IPH_LEN(p));); - DecodePppPktEncapsulated(p, p->pkth->caplen - hlen, p->pkt + hlen); + DecoderEvent(p, DECODE_ICMP_ORIG_IP_VER_MISMATCH, + DECODE_ICMP_ORIG_IP_VER_MISMATCH_STR, 1, 1); - PREPROC_PROFILE_END(decodePerfStats); - return; -} +#ifdef SUP_IP6 + p->orig_family = NO_IP; +#endif + p->orig_iph = NULL; + return; + } -#ifndef NO_NON_ETHER_DECODER -/* - * Function: DecodePppSerialPkt(Packet *, char *, struct pcap_pkthdr*, uint8_t*) - * - * Purpose: Decode Mixed PPP/CHDLC traffic. The PPP frames will always have the - * full HDLC header. - * - * Arguments: p => pointer to decoded packet struct - * user => Utility pointer, unused - * pkthdr => ptr to the packet header - * pkt => pointer to the real live packet data - * - * Returns: void function - */ -void DecodePppSerialPkt(Packet * p, const struct pcap_pkthdr * pkthdr, const uint8_t * pkt) -{ - PROFILE_VARS; + /* set the IP datagram length */ + ip_len = ntohs(GET_ORIG_IPH_LEN(p)); - PREPROC_PROFILE_START(decodePerfStats); + /* set the IP header length */ +#ifdef SUP_IP6 + hlen = (p->orig_ip4h->ip_verhl & 0x0f) << 2; +#else + hlen = IP_HLEN(p->orig_iph) << 2; +#endif - pc.total_processed++; + if(len < hlen) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "ICMP: IP len (%d bytes) < IP hdr len (%d bytes), packet discarded\n", + ip_len, hlen);); - memset(p, 0, PKT_ZERO_LEN); + DecoderEvent(p, DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP, + DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP_STR, 1, 1); - p->pkth = pkthdr; - p->pkt = pkt; +#ifdef SUP_IP6 + p->orig_family = NO_IP; +#endif + p->orig_iph = NULL; + return; + } - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); + /* set the remaining packet length */ + ip_len = len - hlen; + + 
orig_frag_offset = ntohs(GET_ORIG_IPH_OFF(p)); + orig_frag_offset &= 0x1FFF; - if(p->pkth->caplen < PPP_HDRLEN) + if (orig_frag_offset == 0) { - if (ScLogVerbose()) + /* Original IP payload should be 64 bits */ + if (ip_len < 8) { - ErrorMessage("Captured data length < PPP header length" - " (%d bytes)\n", p->pkth->caplen); + DecoderEvent(p, DECODE_ICMP_ORIG_PAYLOAD_LT_64, + DECODE_ICMP_ORIG_PAYLOAD_LT_64_STR, 1, 1); + + return; + } + /* ICMP error packets could contain as much of original payload + * as possible, but not exceed 576 bytes + */ + else if (ntohs(GET_IPH_LEN(p)) > 576) + { + DecoderEvent(p, DECODE_ICMP_ORIG_PAYLOAD_GT_576, + DECODE_ICMP_ORIG_PAYLOAD_GT_576_STR, 1, 1); } - PREPROC_PROFILE_END(decodePerfStats); - return; } - - if(pkt[0] == CHDLC_ADDR_BROADCAST && pkt[1] == CHDLC_CTRL_UNNUMBERED) + else { - DecodePppPktEncapsulated(p, p->pkth->caplen - 2, p->pkt + 2); - } else { - DecodeChdlcPkt(p, pkthdr, pkt); + /* RFC states that only first frag will get an ICMP response */ + DecoderEvent(p, DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET, + DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET_STR, 1, 1); + return; } - PREPROC_PROFILE_END(decodePerfStats); - return; -} - - -/* - * Function: DecodeSlipPkt(Packet *, char *, struct pcap_pkthdr*, uint8_t*) - * - * Purpose: Decode SLIP traffic - * - * Arguments: p => pointer to decoded packet struct - * user => Utility pointer, unused - * pkthdr => ptr to the packet header - * pkt => pointer to the real live packet data - * - * Returns: void function - */ -void DecodeSlipPkt(Packet * p, const struct pcap_pkthdr * pkthdr, const uint8_t * pkt) -{ - uint32_t len; - uint32_t cap_len; - PROFILE_VARS; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "ICMP Unreachable IP header length: " + "%lu\n", (unsigned long)hlen);); - PREPROC_PROFILE_START(decodePerfStats); + switch(GET_ORIG_IPH_PROTO(p)) + { + case IPPROTO_TCP: /* decode the interesting part of the header */ + p->orig_tcph = (TCPHdr *)(pkt + hlen); - pc.total_processed++; + /* stuff more data 
into the printout data struct */ + p->orig_sp = ntohs(p->orig_tcph->th_sport); + p->orig_dp = ntohs(p->orig_tcph->th_dport); - memset(p, 0, PKT_ZERO_LEN); + break; - p->pkth = pkthdr; - p->pkt = pkt; + case IPPROTO_UDP: + p->orig_udph = (UDPHdr *)(pkt + hlen); - len = pkthdr->len; - cap_len = pkthdr->caplen; + /* fill in the printout data structs */ + p->orig_sp = ntohs(p->orig_udph->uh_sport); + p->orig_dp = ntohs(p->orig_udph->uh_dport); - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); + break; - /* do a little validation */ - if(cap_len < SLIP_HEADER_LEN) - { - ErrorMessage("SLIP header length < captured len! (%d bytes)\n", - cap_len); - PREPROC_PROFILE_END(decodePerfStats); - return; + case IPPROTO_ICMP: + p->orig_icmph = (ICMPHdr *)(pkt + hlen); + break; } - DecodeIP(p->pkt + SLIP_HEADER_LEN, cap_len - SLIP_HEADER_LEN, p); - PREPROC_PROFILE_END(decodePerfStats); + return; } -#endif // NO_NON_ETHER_DECODER +//-------------------------------------------------------------------- +// decode.c::NON SUP_IP6 IP6 vulnerabilities +//-------------------------------------------------------------------- +#ifndef SUP_IP6 +/* For the BSD fragmentation vulnerability */ +SFXHASH *ipv6_frag_hash; -/* - * Function: DecodeRawPkt(Packet *, char *, struct pcap_pkthdr*, uint8_t*) - * - * Purpose: Decodes packets coming in raw on layer 2, like PPP. Coded and - * in by Jed Pickle (thanks Jed!) and modified for a few little tweaks - * by me. 
- * - * Arguments: p => pointer to decoded packet struct - * user => Utility pointer, unused - * pkthdr => ptr to the packet header - * pkt => pointer to the real live packet data - * - * Returns: void function - */ -void DecodeRawPkt(Packet * p, const struct pcap_pkthdr * pkthdr, const uint8_t * pkt) +static inline void FragEvent ( + Packet *p, int gid, char *str, int event_flag, int drop_flag) { - PROFILE_VARS; - - PREPROC_PROFILE_START(decodePerfStats); + if(ScIdsMode() && event_flag) + { + queueDecoderEvent(GENERATOR_SPP_FRAG3, gid, 1, + DECODE_CLASS, 3, str, 0); - pc.total_processed++; + if ( drop_flag ) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping bad packet\n");); + Active_DropSession(); + } + } +} - memset(p, 0, PKT_ZERO_LEN); +void BsdFragHashCleanup(void) +{ + if (ipv6_frag_hash) + { + sfxhash_delete(ipv6_frag_hash); + ipv6_frag_hash = NULL; + } +} - p->pkth = pkthdr; - p->pkt = pkt; +void BsdFragHashReset(void) +{ + if (ipv6_frag_hash != NULL) + sfxhash_make_empty(ipv6_frag_hash); +} - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); +void BsdFragHashInit(int max) +{ + int rows = sfxhash_calcrows((int) (max * 1.4)); - DecodeIP(pkt, p->pkth->caplen, p); + ipv6_frag_hash = sfxhash_new( + /* one row per element in table, when possible */ + rows, + 40, /* key size padded for 64 bit alignment */ + sizeof(time_t), /* data size */ + /* Set max to the sizeof a hash node, plus the size of + * the stored data, plus the size of the key (32), plus + * this size of a node pointer plus max rows plus 1. 
*/ + max * (40 + sizeof(SFXHASH_NODE) + sizeof(time_t) + sizeof(SFXHASH_NODE*)) + + (rows+1) * sizeof(SFXHASH_NODE*), + 1, /* enable AutoNodeRecovery */ + NULL, /* provide a function to let user know we want to kill a node */ + NULL, /* provide a function to release user memory */ + 1); /* Recycle nodes */ - PREPROC_PROFILE_END(decodePerfStats); - return; + if (!ipv6_frag_hash) { + FatalError("could not allocate ipv6_frag_hash"); + } } +#endif // !SUP_IP6 +//-------------------------------------------------------------------- +// decode.c::NON SUP_IP6 IP6 decoder +//-------------------------------------------------------------------- - -#ifndef NO_NON_ETHER_DECODER /* - * Function: DecodeI4LRawIPPkt(Packet *, char *, struct pcap_pkthdr*, uint8_t*) + * Function: DecodeIPV6(uint8_t *, uint32_t) * - * Purpose: Decodes packets coming in raw on layer 2, like PPP. Coded and - * in by Jed Pickle (thanks Jed!) and modified for a few little tweaks - * by me. + * Purpose: Decoding IPv6 headers * - * Arguments: p => pointer to decoded packet struct - * user => Utility pointer, unused - * pkthdr => ptr to the packet header - * pkt => pointer to the real live packet data + * Arguments: pkt => ptr to the packet data + * len => length from here to the end of the packet * * Returns: void function */ -void DecodeI4LRawIPPkt(Packet * p, const struct pcap_pkthdr * pkthdr, const uint8_t * pkt) -{ - PROFILE_VARS; - - PREPROC_PROFILE_START(decodePerfStats); - - pc.total_processed++; +#ifndef SUP_IP6 +Packet *BsdPseudoPacket; - memset(p, 0, PKT_ZERO_LEN); +/* This is the Snort-IPv4 version of the IPv6 BSD frag checking code */ +enum { + IPV6_FRAG_NO_ALERT = 0, + IPV6_FRAG_ALERT, + IPV6_FRAG_BAD_PKT, + IPV6_IS_NOT, + IPV6_TRUNCATED_EXT, + IPV6_TRUNCATED, - p->pkth = pkthdr; - p->pkt = pkt; + IPV6_NEXT +}; - if(p->pkth->len < 2) +int CheckIPV6Frag (char *data, uint32_t size, Packet *p) +{ + typedef struct _IP6HdrChain { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "What the hell is this?\n");); 
- pc.other++; - PREPROC_PROFILE_END(decodePerfStats); - return; - } - - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); - DecodeIP(pkt + 2, p->pkth->len - 2, p); + uint8_t next_header; + uint8_t length; + } IP6HdrChain; - PREPROC_PROFILE_END(decodePerfStats); - return; -} + IP6RawHdr *hdr; + IP6Frag *frag; + IP6HdrChain *chain; + uint8_t next_header; + uint32_t offset; + unsigned int header_length; + unsigned short frag_data; + char key[40]; /* Two 16 bit IP addresses and one fragmentation ID plus pad */ + SFXHASH_NODE *hash_node; + if (sizeof(IP6RawHdr) > size) + return IPV6_TRUNCATED; + hdr = (IP6RawHdr *) data; -/* - * Function: DecodeI4LCiscoIPPkt(Packet *, char *, - * struct pcap_pkthdr*, uint8_t*) - * - * Purpose: Decodes packets coming in raw on layer 2, like PPP. Coded and - * in by Jed Pickle (thanks Jed!) and modified for a few little tweaks - * by me. - * - * Arguments: p => pointer to decoded packet struct - * user => Utility pointer, unused - * pkthdr => ptr to the packet header - * pkt => pointer to the real live packet data - * - * Returns: void function - */ -void DecodeI4LCiscoIPPkt(Packet *p, const struct pcap_pkthdr *pkthdr, const uint8_t *pkt) -{ - PROFILE_VARS; - - PREPROC_PROFILE_START(decodePerfStats); - - pc.total_processed++; + if ((hdr->ip6vfc >> 4) != 6) + return IPV6_IS_NOT; - memset(p, 0, PKT_ZERO_LEN); + if (sizeof(IP6RawHdr) + ntohs(hdr->ip6plen) > size) + return IPV6_TRUNCATED; - p->pkth = pkthdr; - p->pkt = pkt; + next_header = hdr->ip6nxt; + offset = sizeof(IP6RawHdr); - if(p->pkth->len < 4) + while (offset < size) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "What the hell is this?\n");); - pc.other++; - PREPROC_PROFILE_END(decodePerfStats); - return; - } - + switch (next_header) { + case IP_PROTO_IPV6: + return CheckIPV6Frag(data + offset, size - offset, p); - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); + case IP_PROTO_HOPOPTS: + case IP_PROTO_DSTOPTS: + case IP_PROTO_ROUTING: + case IP_PROTO_AH: + if 
(sizeof(IP6HdrChain) + offset > size) + return IPV6_TRUNCATED_EXT; - DecodeIP(pkt + 4, p->pkth->caplen - 4, p); + chain = (IP6HdrChain* ) (data + offset); - PREPROC_PROFILE_END(decodePerfStats); - return; -} + next_header = chain->next_header; + header_length = 8 + (8 * chain->length); -/* - * Function: DecodeChdlcPkt(Packet *, char *, - * struct pcap_pkthdr*, uint8_t*) - * - * Purpose: Decodes Cisco HDLC encapsulated packets, f.ex. from SONET. - * - * Arguments: p => pointer to decoded packet struct - * user => Utility pointer, unused - * pkthdr => ptr to the packet header - * pkt => pointer to the real live packet data - * - * Returns: void function - */ -void DecodeChdlcPkt(Packet *p, const struct pcap_pkthdr *pkthdr, const uint8_t *pkt) -{ - PROFILE_VARS; + if (offset + header_length > size) + return IPV6_TRUNCATED_EXT; - PREPROC_PROFILE_START(decodePerfStats); + offset += header_length; + break; - pc.total_processed++; + case IP_PROTO_FRAGMENT: + if (offset + sizeof(IP6Frag) > size) + return IPV6_TRUNCATED_EXT; - memset(p, 0, PKT_ZERO_LEN); + frag = (IP6Frag *) (data + offset); + frag_data = frag->ip6f_offlg; - p->pkth = pkthdr; - p->pkt = pkt; + /* srcip / dstip */ + memcpy(key, (data + 8), 32); + *(uint32_t*)(key+32) = frag->ip6f_ident; + *(uint32_t*)(key+36) = 0; /* zero out pad */ - if(p->pkth->caplen < CHDLC_HEADER_LEN) - { - if (ScLogVerbose()) - { - ErrorMessage("Captured data length < CHDLC header length" - " (%d bytes)\n", p->pkth->caplen); - } - PREPROC_PROFILE_END(decodePerfStats); - return; - } + hash_node = sfxhash_find_node(ipv6_frag_hash, key); - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); + /* Check if the frag offset mask is set. 
+ * If it is, we're not looking at the exploit in question */ + if(IP6F_OFFSET(frag) != 0) + { + /* If this arrives before the two 0 offset frags, we will + * still add them as though they were the first, and false + * positive */ + if(hash_node) sfxhash_free_node(ipv6_frag_hash, hash_node); + return IPV6_FRAG_NO_ALERT; + } - if ((pkt[0] == CHDLC_ADDR_UNICAST || pkt[0] == CHDLC_ADDR_MULTICAST) && - ntohs(*(uint16_t *)&pkt[2]) == ETHERNET_TYPE_IP) - { - DecodeIP(p->pkt + CHDLC_HEADER_LEN, - p->pkth->caplen - CHDLC_HEADER_LEN, p); - } else { - pc.other++; - } + /* Check if there are no more frags */ + if(!IP6F_MF(frag)) + { + /* At this point, we've seen a frag header with no offset + * that doesn't have the more flags set. Need to see if + * this follows a packet that did have the more flag set. */ + if(hash_node) + { + /* Check if the first packet timed out */ + if((p->pkth->ts.tv_sec - *(time_t *)hash_node->data) > (time_t)ScIpv6FragTimeout()) + { + sfxhash_free_node(ipv6_frag_hash, hash_node); + return IPV6_FRAG_BAD_PKT; + } - PREPROC_PROFILE_END(decodePerfStats); - return; -} -#endif // NO_NON_ETHER_DECODER + if(size - offset > 100) + { + return IPV6_FRAG_ALERT; + } -/* - * Some IP Header tests - * Land Attack(same src/dst ip) - * Loopback (src or dst in 127/8 block) - * Modified: 2/22/05-man for High Endian Architecture. 
- */ -void IPHdrTestsv4( Packet * p ) -{ -#if 0 -#ifdef WORDS_BIGENDIAN - unsigned int ip4_ip = 0x7f000000; -#else - unsigned int ip4_ip = 0x7f; -#endif -#endif /* #if 0 */ + sfxhash_free_node(ipv6_frag_hash, hash_node); - if( p->iph->ip_src.s_addr == p->iph->ip_dst.s_addr ) - { - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_BAD_TRAFFIC_SAME_SRCDST, 1, DECODE_CLASS, 3, - DECODE_BAD_TRAFFIC_SAME_SRCDST_STR, 0); + return IPV6_FRAG_BAD_PKT; + } - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - } - } + /* We never saw the first packet, but this one is still bogus */ + return IPV6_FRAG_BAD_PKT; + } - /* Loopback traffic - don't use htonl for speed reasons - - * s_addr is always in network order */ -#ifdef WORDS_BIGENDIAN - if( (p->iph->ip_src.s_addr & 0xff000000) == 0x7f000000 || - (p->iph->ip_dst.s_addr & 0xff000000 ) == 0x7f000000 ) /* BE */ -#else - if( (p->iph->ip_src.s_addr & 0xff) == 0x7f || - (p->iph->ip_dst.s_addr & 0xff ) == 0x7f ) /* LE */ -#endif - { - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_BAD_TRAFFIC_LOOPBACK, 1, DECODE_CLASS, 3, - DECODE_BAD_TRAFFIC_LOOPBACK_STR, 0); + /* At this point, we've seen a header with no offset and a + * more flag */ + if(!hash_node) + { + /* There are more frags remaining, add current to hash */ + if(sfxhash_add(ipv6_frag_hash, key, (void *)&p->pkth->ts.tv_sec) + == SFXHASH_NOMEM) + { + return -1; + } + } + else + { + /* Update this node's timestamp */ + *(time_t *)hash_node->data = p->pkth->ts.tv_sec; + } - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } + default: + return IPV6_FRAG_NO_ALERT; } } + + return IPV6_FRAG_NO_ALERT; } -#ifdef DLT_ENC -/* see http://sourceforge.net/mailarchive/message.php?msg_id=1000380 */ -/* - * Function: DecodeEncPkt(Packet *, struct pcap_pkthdr *, uint8_t *) - * - * Purpose: Decapsulate packets of type DLT_ENC. - * XXX Are these always going to be IP in IP? 
- * - * Arguments: p => pointer to decoded packet struct - * pkthdr => pointer to the packet header - * pkt => pointer to the real live packet data - */ -void DecodeEncPkt(Packet *p, const struct pcap_pkthdr *pkthdr, const uint8_t *pkt) +void DecodeIPV6(const uint8_t *pkt, uint32_t len, Packet *p) { - struct enc_header *enc_h; - PROFILE_VARS; + static uint8_t pseudopacket_buf[SPARC_TWIDDLE + ETHERNET_HEADER_LEN + IP_MAXPACKET]; + static Packet pseudopacket; + static DAQ_PktHdr_t pseudopkt_header; + IP6RawHdr *ip6h; + int alert_status; - PREPROC_PROFILE_START(decodePerfStats); + pc.ipv6++; - pc.total_processed++; +#ifdef GRE + if (p->greh != NULL) + pc.gre_ipv6++; +#endif - memset(p, 0, PKT_ZERO_LEN); - p->pkth = pkthdr; - p->pkt = pkt; + alert_status = CheckIPV6Frag((char *) pkt, len, p); - if (p->pkth->caplen < ENC_HEADER_LEN) + if(alert_status == IPV6_FRAG_NO_ALERT) { - if (ScLogVerbose()) - { - ErrorMessage("Captured data length < Encap header length! (%d bytes)\n", p->pkth->caplen); - } - PREPROC_PROFILE_END(decodePerfStats); return; } - enc_h = (struct enc_header *)p->pkt; - if (enc_h->af == AF_INET) - { - DecodeIP(p->pkt + ENC_HEADER_LEN + IP_HEADER_LEN, - pkthdr->caplen - ENC_HEADER_LEN - IP_HEADER_LEN, p); - } - else + p->packet_flags |= PKT_NO_DETECT; + + /* Need to set up a fake IP header for logging purposes. First make sure + * there is room */ + if(sizeof(IP6RawHdr) <= len) { - ErrorMessage("[!] WARNING: Unknown address family! 
(af: 0x%x)\n", - enc_h->af); - } - PREPROC_PROFILE_END(decodePerfStats); - return; -} -#endif /* DLT_ENC */ + pseudopkt_header.ts.tv_sec = p->pkth->ts.tv_sec; + pseudopkt_header.ts.tv_usec = p->pkth->ts.tv_usec; -/* - * Function: DecodeIP(uint8_t *, const uint32_t, Packet *) - * - * Purpose: Decode the IP network layer - * - * Arguments: pkt => ptr to the packet data - * len => length from here to the end of the packet - * p => pointer to the packet decode struct - * - * Returns: void function - */ -void DecodeIP(const uint8_t * pkt, const uint32_t len, Packet * p) -{ - uint32_t ip_len; /* length from the start of the ip hdr to the pkt end */ - uint32_t hlen; /* ip header length */ - uint16_t csum; /* checksum */ + BsdPseudoPacket = &pseudopacket; + pseudopacket.pkt = pseudopacket_buf + SPARC_TWIDDLE; + pseudopacket.pkth = &pseudopkt_header; + if(p->eh) + { + SafeMemcpy(pseudopacket_buf + SPARC_TWIDDLE, p->eh, + ETHERNET_HEADER_LEN, + pseudopacket_buf, + pseudopacket_buf + SPARC_TWIDDLE + ETHERNET_HEADER_LEN + IP_MAXPACKET); - pc.ip++; + pseudopkt_header.pktlen = IP_HEADER_LEN + ETHERNET_HEADER_LEN; -#ifdef GRE - if (p->greh != NULL) - pc.gre_ip++; -#endif + pseudopacket.eh = (EtherHdr*)(pseudopacket_buf + SPARC_TWIDDLE); + pseudopacket.iph = (IPHdr*)(pseudopacket_buf + SPARC_TWIDDLE + ETHERNET_HEADER_LEN); + ((EtherHdr*)pseudopacket.eh)->ether_type = htons(ETHERNET_TYPE_IP); + } + else + { + SafeMemcpy(pseudopacket_buf, p->pkt, + (pkt - p->pkt), + pseudopacket_buf, + pseudopacket_buf + SPARC_TWIDDLE + ETHERNET_HEADER_LEN + IP_MAXPACKET); - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); + pseudopkt_header.pktlen = IP_HEADER_LEN + (pkt - p->pkt); - /* do a little validation */ - if(len < IP_HEADER_LEN) - { - if (ScLogVerbose()) - { - ErrorMessage("IP header truncated! 
(%d bytes)\n", len); + pseudopacket.iph = (IPHdr*)(pseudopacket_buf + (pkt - p->pkt)); + pseudopacket.eh = NULL; } - p->iph = NULL; - pc.discards++; - pc.ipdisc++; -#ifdef SUP_IP6 - p->family = NO_IP; -#endif - return; - } + pseudopkt_header.caplen = pseudopkt_header.pktlen; -#ifdef GRE -#ifndef SUP_IP6 - if (p->iph != NULL) -#else - if (p->family != NO_IP) -#endif /* SUP_IP6 */ - { - IPHdr *tmp = (IPHdr *)pkt; + /* Need IP addresses for packet logging -- for now, just using the + * lowest 4 bytes of the IPv6 addresses */ + memset((IPHdr *)pseudopacket.iph, 0, sizeof(IPHdr)); - if (p->encapsulated || - ((tmp->ip_proto == IPPROTO_IPIP) || (tmp->ip_proto == IPPROTO_GRE)) -#ifdef SUP_IP6 - || (tmp->ip_proto == IPPROTO_IPV6) + ((IPHdr *)pseudopacket.iph)->ip_len = htons(IP_HEADER_LEN); + SET_IP_VER((IPHdr *)pseudopacket.iph, 0x4); + SET_IP_HLEN((IPHdr *)pseudopacket.iph, 0x5); + + ip6h = (IP6RawHdr*)pkt; + +#ifdef WORDS_BIGENDIAN + ((IPHdr *)pseudopacket.iph)->ip_src.s_addr = + ip6h->ip6_src.s6_addr[13] << 16 | ip6h->ip6_src.s6_addr[14] << 8 | ip6h->ip6_src.s6_addr[15]; + ((IPHdr *)pseudopacket.iph)->ip_dst.s_addr = + ip6h->ip6_dst.s6_addr[13] << 16 | ip6h->ip6_dst.s6_addr[14] << 8 | ip6h->ip6_dst.s6_addr[15]; +#else + ((IPHdr *)pseudopacket.iph)->ip_src.s_addr = + ip6h->ip6_src.s6_addr[15] << 24 | ip6h->ip6_src.s6_addr[14] << 16 | ip6h->ip6_src.s6_addr[13] << 8; + ((IPHdr *)pseudopacket.iph)->ip_dst.s_addr = + ip6h->ip6_dst.s6_addr[15] << 24 | ip6h->ip6_dst.s6_addr[14] << 16 | ip6h->ip6_dst.s6_addr[13] << 8; #endif - ) - { - DecoderAlertGRE(p, DECODE_GRE_MULTIPLE_ENCAPSULATION, - DECODE_GRE_MULTIPLE_ENCAPSULATION_STR, - pkt, len); - return; - } - else - { - p->encapsulated = 1; - p->outer_iph = p->iph; - p->outer_ip_data = p->ip_data; - p->outer_ip_dsize = p->ip_dsize; - } } -#endif /* GRE */ + else + { + p->iph = NULL; + } - /* lay the IP struct over the raw data */ - p->inner_iph = p->iph = (IPHdr *)pkt; + switch(alert_status) { + case IPV6_FRAG_ALERT: + 
FragEvent(p, FRAG3_IPV6_BSD_ICMP_FRAG, + FRAG3_IPV6_BSD_ICMP_FRAG_STR, + ScDecoderIpv6BsdIcmpFragAlerts(), + ScDecoderIpv6BsdIcmpFragDrops()); + break; - /* - * with datalink DLT_RAW it's impossible to differ ARP datagrams from IP. - * So we are just ignoring non IP datagrams - */ - if(IP_VER(p->iph) != 4) - { - if (ScLogVerbose()) - { - ErrorMessage("Not IPv4 datagram! " - "([ver: 0x%x][len: 0x%x])\n", - IP_VER(p->iph), p->iph->ip_len); - } + case IPV6_FRAG_BAD_PKT: + FragEvent(p, FRAG3_IPV6_BAD_FRAG_PKT, + FRAG3_IPV6_BAD_FRAG_PKT_STR, + ScDecoderIpv6BadFragAlerts(), + ScDecoderIpv6BadFragDrops()); + break; - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_NOT_IPV4_DGRAM, 1, - DECODE_CLASS, 3, DECODE_NOT_IPV4_DGRAM_STR, 0); + case IPV6_IS_NOT: + if ((p->packet_flags & PKT_UNSURE_ENCAP) == 0) + DecoderEvent(p, DECODE_IPV6_IS_NOT, + DECODE_IPV6_IS_NOT_STR, 1, 1); + break; - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - } - p->iph = NULL; - pc.discards++; - pc.ipdisc++; + case IPV6_TRUNCATED_EXT: + DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, + DECODE_IPV6_TRUNCATED_EXT_STR, 1, 1); + break; -#ifdef SUP_IP6 - p->family = NO_IP; -#endif - return; - } + case IPV6_TRUNCATED: + if ((p->packet_flags & PKT_UNSURE_ENCAP) == 0) + DecoderEvent(p, DECODE_IPV6_TRUNCATED, + DECODE_IPV6_TRUNCATED_STR, 1, 1); + }; -#ifdef SUP_IP6 - sfiph_build(p, p->iph, AF_INET); -#endif + BsdPseudoPacket = NULL; + pc.discards++; + return; +} +#endif // !SUP_IP6 -// p->ip_payload_len = p->iph->ip_len; -// p->ip_payload_off = p->ip_payload_len + (int)pkt; +//-------------------------------------------------------------------- +// decode.c::IP6 misc +//-------------------------------------------------------------------- +#ifdef SUP_IP6 - /* set the IP datagram length */ - ip_len = ntohs(p->iph->ip_len); +#define IP6_MULTICAST 0xFF // first/most significant octet +#define IP6_MULTICAST_SCOPE_RESERVED 0x00 +#define IP6_MULTICAST_SCOPE_INTERFACE 0x01 +#define 
IP6_MULTICAST_SCOPE_LINK 0x02 +#define IP6_MULTICAST_SCOPE_ADMIN 0x04 +#define IP6_MULTICAST_SCOPE_SITE 0x05 +#define IP6_MULTICAST_SCOPE_ORG 0x08 +#define IP6_MULTICAST_SCOPE_GLOBAL 0x0E - /* set the IP header length */ - hlen = IP_HLEN(p->iph) << 2; +/* Check for multiple IPv6 Multicast-related alerts */ +static void CheckIPV6Multicast(Packet *p) +{ + uint8_t multicast_scope; - /* header length sanity check */ - if(hlen < IP_HEADER_LEN) + if ( p->ip6h->ip_src.ip.u6_addr8[0] == IP6_MULTICAST ) { -#ifdef DEBUG - if (ScLogVerbose()) - ErrorMessage("Bogus IP header length of %i bytes\n", - hlen); -#endif - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_IPV4_INVALID_HEADER_LEN, 1, DECODE_CLASS, 3, - DECODE_IPV4_INVALID_HEADER_LEN_STR, 0); + DecoderEvent(p, DECODE_IPV6_SRC_MULTICAST, + DECODE_IPV6_SRC_MULTICAST_STR, 1, 1); + } + if ( p->ip6h->ip_dst.ip.u6_addr8[0] != IP6_MULTICAST ) + { + return; + } - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } + multicast_scope = p->ip6h->ip_dst.ip.u6_addr8[1] & 0x0F; + switch (multicast_scope) + { + case IP6_MULTICAST_SCOPE_RESERVED: + case IP6_MULTICAST_SCOPE_INTERFACE: + case IP6_MULTICAST_SCOPE_LINK: + case IP6_MULTICAST_SCOPE_ADMIN: + case IP6_MULTICAST_SCOPE_SITE: + case IP6_MULTICAST_SCOPE_ORG: + case IP6_MULTICAST_SCOPE_GLOBAL: + break; - } + default: + DecoderEvent(p, DECODE_IPV6_BAD_MULTICAST_SCOPE, + DECODE_IPV6_BAD_MULTICAST_SCOPE_STR, 1, 1); + } + /* Check against assigned multicast addresses. These are listed at: + http://www.iana.org/assignments/ipv6-multicast-addresses/ */ - p->iph = NULL; - pc.discards++; - pc.ipdisc++; -#ifdef SUP_IP6 - p->family = NO_IP; -#endif + /* Multicast addresses only specify the first 16 and last 40 bits. + Others should be zero. 
*/ + if ((p->ip6h->ip_dst.ip.u6_addr16[1] != 0) || + (p->ip6h->ip_dst.ip.u6_addr16[2] != 0) || + (p->ip6h->ip_dst.ip.u6_addr16[3] != 0) || + (p->ip6h->ip_dst.ip.u6_addr16[4] != 0) || + (p->ip6h->ip_dst.ip.u6_addr8[10] != 0)) + { + DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST, + DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1); return; } - if (ip_len != len) + if (p->ip6h->ip_dst.ip.u6_addr8[1] == IP6_MULTICAST_SCOPE_INTERFACE) { - if (ip_len > len) + // Node-local scope + if ((p->ip6h->ip_dst.ip.u6_addr16[1] != 0) || + (p->ip6h->ip_dst.ip.u6_addr16[2] != 0) || + (p->ip6h->ip_dst.ip.u6_addr16[3] != 0) || + (p->ip6h->ip_dst.ip.u6_addr16[4] != 0) || + (p->ip6h->ip_dst.ip.u6_addr16[5] != 0) || + (p->ip6h->ip_dst.ip.u6_addr16[6] != 0)) { -#ifdef DEBUG - if (ScLogVerbose()) - ErrorMessage("IP Len field is %d bytes bigger" - " than captured length.\n" - " (ip.len: %lu, cap.len: %lu)\n", - ip_len - len, ip_len, len); -#endif - if(ScIdsMode() && ScDecoderOversizedAlerts()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_IPV4_DGRAM_GT_CAPLEN, - 1, DECODE_CLASS, 3, DECODE_IPV4_DGRAM_GT_CAPLEN_STR, 0); - - if ((ScInlineMode()) && ScDecoderOversizedDrops()) - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping bad packet\n");); - InlineDrop(p); - } - - } - p->iph = NULL; - pc.discards++; - pc.ipdisc++; -#ifdef SUP_IP6 - p->family = NO_IP; -#endif - return; + DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST, + DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1); } else { -#ifdef DEBUG - if (ScLogVerbose()) - ErrorMessage("IP Len field is %d bytes " - "smaller than captured length.\n" - " (ip.len: %lu, cap.len: %lu)\n", - len - ip_len, ip_len, len); -#endif - + switch (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3])) + { + case 0x00000001: // All Nodes + case 0x00000002: // All Routers + case 0x000000FB: // mDNSv6 + break; + default: + DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST, + DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1); + } } } - - if(ip_len < hlen) + else if 
(p->ip6h->ip_dst.ip.u6_addr8[1] == IP6_MULTICAST_SCOPE_LINK) { - if(ScLogVerbose()) - { - ErrorMessage("IP dgm len (%d bytes) < IP hdr " - "len (%d bytes), packet discarded\n", ip_len, hlen); + // Link-local scope + switch (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3])) + { + case 0x00000001: // All Nodes + case 0x00000002: // All Routers + case 0x00000004: // DVMRP Routers + case 0x00000005: // OSPFIGP + case 0x00000006: // OSPFIGP Designated Routers + case 0x00000007: // ST Routers + case 0x00000008: // ST Hosts + case 0x00000009: // RIP Routers + case 0x0000000A: // EIGRP Routers + case 0x0000000B: // Mobile-Agents + case 0x0000000C: // SSDP + case 0x0000000D: // All PIMP Routers + case 0x0000000E: // RSVP-ENCAPSULATION + case 0x0000000F: // UPnP + case 0x00000012: // VRRP + case 0x00000016: // All MLDv2-capable routers + case 0x0000006A: // All-Snoopers + case 0x0000006B: // PTP-pdelay + case 0x0000006C: // Saratoga + case 0x0000006D: // LL-MANET-Routers + case 0x0000006E: // IGRS + case 0x0000006F: // iADT Discovery + case 0x000000FB: // mDNSv6 + case 0x00010001: // Link Name + case 0x00010002: // All-dhcp-agents + case 0x00010003: // Link-local Multicast Name Resolution + case 0x00010004: // DTCP Announcement + break; + default: + if ((p->ip6h->ip_dst.ip.u6_addr8[11] == 1) && + (p->ip6h->ip_dst.ip.u6_addr8[12] == 0xFF)) + { + break; // Solicited-Node Address + } + if ((p->ip6h->ip_dst.ip.u6_addr8[11] == 2) && + (p->ip6h->ip_dst.ip.u6_addr8[12] == 0xFF)) + { + break; // Node Information Queries + } + DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST, + DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1); } - - if(ScIdsMode()) + } + else if (p->ip6h->ip_dst.ip.u6_addr8[1] == IP6_MULTICAST_SCOPE_SITE) + { + // Site-local scope + switch (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3])) { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_IPV4_DGRAM_LT_IPHDR, - 1, DECODE_CLASS, 3, DECODE_IPV4_DGRAM_LT_IPHDR_STR, 0); - - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - + case 
0x00000002: // All Routers + case 0x000000FB: // mDNSv6 + case 0x00010003: // All-dhcp-servers + case 0x00010004: // Deprecated + break; + default: + DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST, + DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1); } - - p->iph = NULL; - pc.discards++; - pc.ipdisc++; -#ifdef SUP_IP6 - p->family = NO_IP; -#endif - return; } - if( snort_conf->targeted_policies[getRuntimePolicy()]->decodeRulesArray[DECODE_ZERO_TTL - DECODE_START_INDEX] == 1 ) + else if ((p->ip6h->ip_dst.ip.u6_addr8[1] & 0xF0) == 0) { - if( GET_IPH_TTL(p) == 0 ) + // Variable scope + switch (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3])) { - if(ScLogVerbose()) - { - ErrorMessage("Bad packet with zero TTL \n"); - } - - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_ZERO_TTL, - 1, DECODE_CLASS, 3, DECODE_ZERO_TTL_STR, 0); - - if (ScInlineMode()) + case 0x0000000C: // SSDP + case 0x000000FB: // mDNSv6 + case 0x00000181: // PTP-primary + case 0x00000182: // PTP-alternate1 + case 0x00000183: // PTP-alternate2 + case 0x00000184: // PTP-alternate3 + case 0x0000018C: // All ACs multicast address + case 0x00000201: // "rwho" Group (BSD) + case 0x00000202: // SUN RPC PMAPPROC_CALLIT + case 0x00000204: // All C1222 Nodes + case 0x00000300: // Mbus/IPv6 + case 0x00027FFE: // SAPv1 Announcements + case 0x00027FFF: // SAPv0 Announcements + break; + default: + if ((ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) >= 0x00000100) && + (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) <= 0x00000136)) { - queueDecoderInlineDrop(p); + break; // Several addresses assigned in a contiguous block } - - } - - } - } + if ((ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) >= 0x00000140) && + (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) <= 0x0000014F)) + { + break; // EPSON-disc-set + } - /* - * IP Header tests: Land attack, and Loop back test - */ - if(ScIdsMode()) - { - IPHdrTestsv4(p); - } + if ((ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) >= 0x00020000) && + (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) <= 0x00027FFD)) 
+ { + break; // Multimedia Conference Calls + } + if ((ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) >= 0x00011000) && + (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) <= 0x000113FF)) + { + break; // Service Location, Version 2 + } - if (ScIpChecksums()) - { - /* routers drop packets with bad IP checksums, we don't really - * need to check them (should make this a command line/config - * option - */ - csum = in_chksum_ip((u_short *)p->iph, hlen); + if ((ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) >= 0x00028000) && + (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) <= 0x0002FFFF)) + { + break; // SAP Dynamic Assignments + } - if(csum) + DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST, + DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1); + } + } + else if ((p->ip6h->ip_dst.ip.u6_addr8[1] & 0xF0) == 3) + { + // Source-Specific Multicast block + if ((ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) >= 0x40000001) && + (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) <= 0x7FFFFFFF)) { - p->csum_flags |= CSE_IP; - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad IP checksum\n");); - - if (ScIdsMode() && ScInlineMode()) - queueIpChksmInlineDrop(p); + return; // IETF consensus + } + else if ((ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) >= 0x80000000) && + (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) <= 0xFFFFFFFF)) + { + return; // Dynamiclly allocated by hosts when needed } -#ifdef DEBUG else { - DebugMessage(DEBUG_DECODE, "IP Checksum: OK\n"); + // Other addresses in this block are reserved. 
+ DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST, + DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1); } -#endif /* DEBUG */ - } - - /* test for IP options */ - p->ip_options_len = (uint16_t)(hlen - IP_HEADER_LEN); - - if(p->ip_options_len > 0) - { - p->ip_options_data = pkt + IP_HEADER_LEN; - DecodeIPOptions((pkt + IP_HEADER_LEN), p->ip_options_len, p); } else { -#ifdef GRE - /* If delivery header for GRE encapsulated packet is IP and it - * had options, the packet's ip options will be refering to this - * outer IP's options - * Zero these options so they aren't associated with this inner IP - * since p->iph will be pointing to this inner IP - */ - if (p->encapsulated) - { - p->ip_options_data = NULL; - p->ip_options_len = 0; - p->ip_lastopt_bad = 0; - } -#endif - p->ip_option_count = 0; + /* Addresses not listed above are reserved. */ + DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST, + DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1); } +} - /* set the real IP length for logging */ - p->actual_ip_len = (uint16_t) ip_len; - - /* set the remaining packet length */ - ip_len -= hlen; +/* Teredo packets need to have one of their IPs use either the Teredo prefix, + or a link-local prefix (in the case of Router Solicitation messages) */ +static inline int CheckTeredoPrefix(IP6RawHdr *hdr) +{ + /* Check if src address matches 2001::/32 */ + if ((hdr->ip6_src.s6_addr[0] == 0x20) && + (hdr->ip6_src.s6_addr[1] == 0x01) && + (hdr->ip6_src.s6_addr[2] == 0x00) && + (hdr->ip6_src.s6_addr[3] == 0x00)) + return 1; + + /* Check if src address matches fe80::/64 */ + if ((hdr->ip6_src.s6_addr[0] == 0xfe) && + (hdr->ip6_src.s6_addr[1] == 0x80) && + (hdr->ip6_src.s6_addr[2] == 0x00) && + (hdr->ip6_src.s6_addr[3] == 0x00) && + (hdr->ip6_src.s6_addr[4] == 0x00) && + (hdr->ip6_src.s6_addr[5] == 0x00) && + (hdr->ip6_src.s6_addr[6] == 0x00) && + (hdr->ip6_src.s6_addr[7] == 0x00)) + return 1; + + /* Check if dst address matches 2001::/32 */ + if ((hdr->ip6_dst.s6_addr[0] == 0x20) && + 
(hdr->ip6_dst.s6_addr[1] == 0x01) && + (hdr->ip6_dst.s6_addr[2] == 0x00) && + (hdr->ip6_dst.s6_addr[3] == 0x00)) + return 1; + + /* Check if dst address matches fe80::/64 */ + if ((hdr->ip6_dst.s6_addr[0] == 0xfe) && + (hdr->ip6_dst.s6_addr[1] == 0x80) && + (hdr->ip6_dst.s6_addr[2] == 0x00) && + (hdr->ip6_dst.s6_addr[3] == 0x00) && + (hdr->ip6_dst.s6_addr[4] == 0x00) && + (hdr->ip6_dst.s6_addr[5] == 0x00) && + (hdr->ip6_dst.s6_addr[6] == 0x00) && + (hdr->ip6_dst.s6_addr[7] == 0x00)) + return 1; - /* check for fragmented packets */ - p->frag_offset = ntohs(p->iph->ip_off); + /* No Teredo prefix found. */ + return 0; +} - /* - * get the values of the reserved, more - * fragments and don't fragment flags - */ - p->rf = (uint8_t)((p->frag_offset & 0x8000) >> 15); - p->df = (uint8_t)((p->frag_offset & 0x4000) >> 14); - p->mf = (uint8_t)((p->frag_offset & 0x2000) >> 13); - - /* mask off the high bits in the fragment offset field */ - p->frag_offset &= 0x1FFF; - - if(p->frag_offset || p->mf) +/* Function: IPV6MiscTests(Packet *p) + * + * Purpose: A bunch of IPv6 decoder alerts + * + * Arguments: p => the Packet to check + * + * Returns: void function + */ +static inline void IPV6MiscTests(Packet *p) +{ + /* + * Some IP Header tests + * Land Attack(same src/dst ip) + * Loopback (src or dst in 127/8 block) + * Modified: 2/22/05-man for High Endian Architecture. + * + * some points in the code assume an IP of 0.0.0.0 matches anything, but + * that is not so here. The sfip_compare makes that assumption for + * compatibility, but sfip_contains does not. Hence, sfip_contains + * is used here in the interrim. 
*/ + if( sfip_contains(&p->ip6h->ip_src, &p->ip6h->ip_dst) == SFIP_CONTAINS) { - /* set the packet fragment flag */ - p->frag_flag = 1; - p->ip_frag_start = pkt + hlen; - p->ip_frag_len = (uint16_t)ip_len; - pc.frags++; - } - else + DecoderEvent(p, DECODE_BAD_TRAFFIC_SAME_SRCDST, + DECODE_BAD_TRAFFIC_SAME_SRCDST_STR, + 1,1); + } + + if(sfip_is_loopback(&p->ip6h->ip_src) || sfip_is_loopback(&p->ip6h->ip_dst)) { - p->frag_flag = 0; + DecoderEvent(p, DECODE_BAD_TRAFFIC_LOOPBACK, + DECODE_BAD_TRAFFIC_LOOPBACK_STR, + 1,1); } - if( snort_conf->targeted_policies[getRuntimePolicy()]->decodeRulesArray[DECODE_BAD_FRAGBITS - DECODE_START_INDEX] == 1 ) + /* Other decoder alerts for IPv6 addresses + Added: 5/24/10 (Snort 2.9.0) */ + if (!sfip_is_set(&p->ip6h->ip_dst)) { + DecoderEvent(p, DECODE_IPV6_DST_ZERO, DECODE_IPV6_DST_ZERO_STR, 1, 1); + } - if( p->mf && p->df ) + CheckIPV6Multicast(p); + + if ( Event_Enabled(DECODE_IPV6_ISATAP_SPOOF) ) + { + /* Only check for IPv6 over IPv4 */ + if (p->ip4h && p->ip4h->ip_proto == IPPROTO_IPV6) { - if(ScLogVerbose()) - { - ErrorMessage("Bad packet with more frag bit (MF) and dont frag bit (DF) set\n"); - } - - if(ScIdsMode()) + uint32_t isatap_interface_id = ntohl(p->ip6h->ip_src.ip.u6_addr32[2]) & 0xFCFFFFFF; + + /* ISATAP uses address with prefix fe80:0000:0000:0000:0200:5efe or + fe80:0000:0000:0000:0000:5efe, followed by the IPv4 address. 
*/ + if (isatap_interface_id == 0x00005EFE) { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_BAD_FRAGBITS, - 1, DECODE_CLASS, 3, DECODE_BAD_FRAGBITS_STR, 0); - - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } + if (p->ip4h->ip_src.ip.u6_addr32[0] != p->ip6h->ip_src.ip.u6_addr32[3]) + DecoderEvent(p, EVARGS(IPV6_ISATAP_SPOOF), 1, 1); } - } } +} +#endif // SUP_IP6 - /* Set some convienience pointers */ - p->ip_data = pkt + hlen; - p->ip_dsize = (u_short) ip_len; +//-------------------------------------------------------------------- +// decode.c::IP6 extensions +//-------------------------------------------------------------------- - if (ScIdsMode()) +#ifdef SUP_IP6 +static inline int IPV6ExtensionOrder(uint8_t type) +{ + switch (type) { - /* See if there are any ip_proto only rules that match */ - fpEvalIpProtoOnlyRules(snort_conf->ip_proto_only_lists, p); - p->proto_bits |= PROTO_BIT__IP; + case IPPROTO_HOPOPTS: return 1; + case IPPROTO_DSTOPTS: return 2; + case IPPROTO_ROUTING: return 3; + case IPPROTO_FRAGMENT: return 4; + case IPPROTO_AH: return 5; + case IPPROTO_ESP: return 6; + default: return 7; } +} - /* if this packet isn't a fragment - * or if it is, its a UDP packet and offset isn't 0 */ - if(!(p->frag_flag) || - (p->frag_flag && (p->frag_offset == 0) && - (p->iph->ip_proto == IPPROTO_UDP))) - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "IP header length: %lu\n", - (unsigned long)hlen);); +void DecodeIPV6Extensions(uint8_t next, const uint8_t *pkt, uint32_t len, Packet *p); - switch(p->iph->ip_proto) - { - case IPPROTO_TCP: - pc.tcp++; - DecodeTCP(pkt + hlen, ip_len, p); - //ClearDumpBuf(); - return; +static inline int CheckIPV6HopOptions(const uint8_t *pkt, uint32_t len, Packet *p) +{ + IP6Extension *exthdr = (IP6Extension *)pkt; + uint32_t total_octets = (exthdr->ip6e_len * 8) + 8; + const uint8_t *hdr_end = pkt + total_octets; + uint8_t type, oplen; - case IPPROTO_UDP: - pc.udp++; - DecodeUDP(pkt + hlen, ip_len, p); - //ClearDumpBuf(); - 
return; + if (len < total_octets) + DecoderEvent(p, EVARGS(IPV6_TRUNCATED_EXT), 1, 1); - case IPPROTO_ICMP: - pc.icmp++; - DecodeICMP(pkt + hlen, ip_len, p); - //ClearDumpBuf(); - return; - -#ifdef GRE - case IPPROTO_IPV6: - if (ip_len < 40) + /* Skip to the options */ + pkt += 2; + + /* Iterate through the options, check for bad ones */ + while (pkt < hdr_end) + { + type = *pkt; + switch (type) + { + case IP6_OPT_PAD1: + pkt++; + break; + case IP6_OPT_PADN: + case IP6_OPT_JUMBO: + case IP6_OPT_RTALERT: + case IP6_OPT_TUNNEL_ENCAP: + case IP6_OPT_QUICK_START: + case IP6_OPT_CALIPSO: + case IP6_OPT_HOME_ADDRESS: + case IP6_OPT_ENDPOINT_IDENT: + oplen = *(++pkt); + if ((pkt + oplen + 1) > hdr_end) { - /* Insufficient size for IPv6 Header. */ - /* This could be an attempt to exploit Linux kernel - * vulnerability, so log an alert */ - DecoderEvent(p, DECODE_IPV6_TUNNELED_IPV4_TRUNCATED, - DECODE_IPV6_TUNNELED_IPV4_TRUNCATED_STR, - 1, 1); + DecoderEvent(p, EVARGS(IPV6_BAD_OPT_LEN), 1, 1); + return -1; } - pc.ip4ip6++; - DecodeIPV6(pkt + hlen, ip_len, p); - return; - - case IPPROTO_GRE: - pc.gre++; - DecodeGRE(pkt + hlen, ip_len, p); - //ClearDumpBuf(); - return; - - case IPPROTO_IPIP: - pc.ip4ip4++; - DecodeIP(pkt + hlen, ip_len, p); - return; -#endif - + pkt += oplen + 1; + break; default: - pc.other++; - p->data = pkt + hlen; - p->dsize = (u_short) ip_len; - //ClearDumpBuf(); - return; + DecoderEvent(p, EVARGS(IPV6_BAD_OPT_TYPE), 1, 1); + return -1; } } - else - { - /* set the payload pointer and payload size */ - p->data = pkt + hlen; - p->dsize = (u_short) ip_len; - } + + return 0; } -/* - * Function: DecodeTCP(uint8_t *, const uint32_t, Packet *) - * - * Purpose: Decode the TCP transport layer - * - * Arguments: pkt => ptr to the packet data - * len => length from here to the end of the packet - * p => Pointer to packet decode struct - * - * Returns: void function - */ -void DecodeTCP(const uint8_t * pkt, const uint32_t len, Packet * p) +void DecodeIPV6Options(int 
type, const uint8_t *pkt, uint32_t len, Packet *p) { - struct pseudoheader6 /* pseudo header for TCP checksum calculations */ - { - uint32_t sip[4], dip[4]; /* IP addr */ - uint8_t zero; /* checksum placeholder */ - uint8_t protocol; /* protocol number */ - uint16_t tcplen; /* tcp packet length */ - }; + IP6Extension *exthdr; + uint32_t hdrlen = 0; - struct pseudoheader /* pseudo header for TCP checksum calculations */ - { - uint32_t sip, dip; /* IP addr */ - uint8_t zero; /* checksum placeholder */ - uint8_t protocol; /* protocol number */ - uint16_t tcplen; /* tcp packet length */ - }; - uint32_t hlen; /* TCP header length */ - u_short csum; /* checksum */ - struct pseudoheader ph; /* pseudo header declaration */ -#ifdef SUP_IP6 - struct pseudoheader6 ph6; /* pseudo header declaration */ -#endif + /* This should only be called by DecodeIPV6 or DecodeIPV6Extensions + * so no validation performed. Otherwise, uncomment the following: */ + /* if(IPH_IS_VALID(p)) return */ + pc.ipv6opts++; - if(len < TCP_HEADER_LEN) + /* Need at least two bytes, one for next header, one for len. */ + /* But size is an integer multiple of 8 octets, so 8 is min. */ + if(len < sizeof(IP6Extension)) { - if (ScLogVerbose()) - { - ErrorMessage("TCP packet (len = %d) cannot contain " - "20 byte header\n", len); - } - - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_TCP_DGRAM_LT_TCPHDR, - 1, DECODE_CLASS, 3, DECODE_TCP_DGRAM_LT_TCPHDR_STR, 0); - - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - - } - - p->tcph = NULL; - pc.discards++; - pc.tdisc++; - + DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, + DECODE_IPV6_TRUNCATED_EXT_STR, + 1, 1); return; } - /* lay TCP on top of the data cause there is enough of it! 
*/ - p->tcph = (TCPHdr *) pkt; + if ( p->ip6_extension_count >= IP6_EXTMAX ) + { + DecoderEvent(p, DECODE_IP6_EXCESS_EXT_HDR, + DECODE_IP6_EXCESS_EXT_HDR_STR, + 1, 1); + return; + } - /* multiply the payload offset value by 4 */ - hlen = TCP_OFFSET(p->tcph) << 2; + exthdr = (IP6Extension *)pkt; - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "TCP th_off is %d, passed len is %lu\n", - TCP_OFFSET(p->tcph), (unsigned long)len);); + p->ip6_extensions[p->ip6_extension_count].type = type; + p->ip6_extensions[p->ip6_extension_count].data = pkt; - if(hlen < TCP_HEADER_LEN) + // TBD add layers for other ip6 ext headers + switch (type) { - if (ScLogVerbose()) - { - ErrorMessage("TCP Data Offset (%d) < hlen (%d) \n", - TCP_OFFSET(p->tcph), hlen); - } + case IPPROTO_HOPOPTS: + if (len < sizeof(IP6HopByHop)) + { + DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, + DECODE_IPV6_TRUNCATED_EXT_STR, + 1, 1); + return; + } + hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3); - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_TCP_INVALID_OFFSET, - 1, DECODE_CLASS, 3, DECODE_TCP_INVALID_OFFSET_STR, 0); + if ( CheckIPV6HopOptions(pkt, len, p) == 0 ) + PushLayer(PROTO_IP6_HOP_OPTS, p, pkt, hdrlen); + break; + + case IPPROTO_DSTOPTS: + if (len < sizeof(IP6Dest)) + { + DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, + DECODE_IPV6_TRUNCATED_EXT_STR, + 1, 1); + return; + } + if (exthdr->ip6e_nxt == IPPROTO_ROUTING) + { + DecoderEvent(p, DECODE_IPV6_DSTOPTS_WITH_ROUTING, + DECODE_IPV6_DSTOPTS_WITH_ROUTING_STR, + 1, 1); + } + hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3); - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); + if ( CheckIPV6HopOptions(pkt, len, p) == 0 ) + PushLayer(PROTO_IP6_DST_OPTS, p, pkt, hdrlen); + break; + + case IPPROTO_ROUTING: + if (len < sizeof(IP6Route)) + { + DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, + DECODE_IPV6_TRUNCATED_EXT_STR, + 1, 1); + return; + } + if (exthdr->ip6e_nxt == IPPROTO_HOPOPTS) + { + DecoderEvent(p, 
DECODE_IPV6_ROUTE_AND_HOPBYHOP, + DECODE_IPV6_ROUTE_AND_HOPBYHOP_STR, + 1, 1); + } + if (exthdr->ip6e_nxt == IPPROTO_ROUTING) + { + DecoderEvent(p, DECODE_IPV6_TWO_ROUTE_HEADERS, + DECODE_IPV6_TWO_ROUTE_HEADERS_STR, + 1, 1); } + hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3); + break; - } + case IPPROTO_FRAGMENT: + if (len < sizeof(IP6Frag)) + { + DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, + DECODE_IPV6_TRUNCATED_EXT_STR, + 1, 1); + return; + } + else + { + IP6Frag *ip6frag_hdr = (IP6Frag *)pkt; + /* If this is an IP Fragment, set some data... */ + p->ip6_frag_index = p->ip6_extension_count; + p->ip_frag_start = pkt + sizeof(IP6Frag); + p->frag_flag = 1; + pc.frag6++; + + p->df = 0; + p->rf = IP6F_RES(ip6frag_hdr); + p->mf = IP6F_MF(ip6frag_hdr); + p->frag_offset = IP6F_OFFSET(ip6frag_hdr); + } + hdrlen = sizeof(IP6Frag); + p->ip_frag_len = (uint16_t)(len - hdrlen); + + if ( (p->frag_offset > 0) || + (exthdr->ip6e_nxt != IPPROTO_UDP) ) + { + /* For non-zero offset frags, we stop decoding after the + Frag header. According to RFC 2460, the "Next Header" + value may differ from that of the offset zero frag, + but only the Next Header of the original frag is used. */ + // check DecodeIP(); we handle frags the same way here + p->ip6_extension_count++; + return; + } + break; - p->tcph = NULL; - pc.discards++; - pc.tdisc++; + case IPPROTO_AH: + /* Auth Headers work in both IPv4 & IPv6, and their lengths are + given in 4-octet increments instead of 8-octet increments. 
*/ + hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 2); + break; + + default: + hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3); + break; + } + p->ip6_extension_count++; + + if(hdrlen > len) + { + DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, + DECODE_IPV6_TRUNCATED_EXT_STR, + 1, 1); return; } - if(hlen > len) + if ( hdrlen > 0 ) { - if (ScLogVerbose()) - { - ErrorMessage("TCP Data Offset(%d) < longer than payload(%d)!\n", - TCP_OFFSET(p->tcph) << 2, len); - } + DecodeIPV6Extensions(*pkt, pkt + hdrlen, len - hdrlen, p); + } +#ifdef DEBUG_MSGS + else + { + DebugMessage(DEBUG_DECODE, "WARNING - no next ip6 header decoded\n"); + } +#endif +} - if(ScIdsMode() && ScDecoderOversizedAlerts()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_TCP_LARGE_OFFSET, 1, - DECODE_CLASS, 3, DECODE_TCP_LARGE_OFFSET_STR, 0); +/* Check for out-of-order IPv6 Extension Headers */ +static inline void CheckIPv6ExtensionOrder(Packet *p) +{ + int routing_seen = 0; + int current_type_order, next_type_order, i; - if ((ScInlineMode()) && ScDecoderOversizedDrops()) - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping bad packet\n");); - InlineDrop(p); - } - - } + if (Event_Enabled(DECODE_IPV6_UNORDERED_EXTENSIONS)) + { + if (p->ip6_extension_count > 0) + current_type_order = IPV6ExtensionOrder(p->ip6_extensions[0].type); - p->tcph = NULL; - pc.discards++; - pc.tdisc++; + for (i = 1; i < (p->ip6_extension_count); i++) + { + next_type_order = IPV6ExtensionOrder(p->ip6_extensions[i].type); - return; - } + if (p->ip6_extensions[i].type == IPPROTO_ROUTING) + routing_seen = 1; - if((snort_conf->targeted_policies[getRuntimePolicy()]->decodeRulesArray[DECODE_TCP_XMAS - DECODE_START_INDEX] == 1) - || (snort_conf->targeted_policies[getRuntimePolicy()]->decodeRulesArray[DECODE_TCP_NMAP_XMAS - DECODE_START_INDEX] == 1)) - { - if(TCP_ISFLAGSET(p->tcph, (TH_FIN|TH_PUSH|TH_URG))) - { - if(TCP_ISFLAGSET(p->tcph, (TH_SYN|TH_ACK|TH_RST))) + if (next_type_order <= current_type_order) { - if 
(ScLogVerbose()) + /* A second "Destination Options" header is allowed iff: + 1) A routing header was already seen, and + 2) The second destination header is the last one before the upper layer. + */ + if (!routing_seen || + !(p->ip6_extensions[i].type == IPPROTO_DSTOPTS) || + !(i+1 == p->ip6_extension_count)) { - ErrorMessage("WARNING: XMAS Attack detected\n"); + DecoderEvent(p, EVARGS(IPV6_UNORDERED_EXTENSIONS), 1, 1); } - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_TCP_XMAS, 1, - DECODE_CLASS, 3, DECODE_TCP_XMAS_STR, 0); - } - } - else - { - if (ScLogVerbose()) - { - ErrorMessage("WARNING: NMAP XMAS Attack detected\n"); - } - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_TCP_NMAP_XMAS, 1, - DECODE_CLASS, 3, DECODE_TCP_NMAP_XMAS_STR, 0); - } - } - if (ScInlineMode()) - { - //dropped only if ScDecoderAlerts() is enabled. - queueDecoderInlineDrop(p); } - //Allowing this packet for further processing (in case there is a valid data inside it). 
- /*p->tcph = NULL; - pc.discards++; - pc.tdisc++; - return;*/ + + current_type_order = next_type_order; } } +} - /*check if the decoder rule for the sid is set*/ +void DecodeIPV6Extensions(uint8_t next, const uint8_t *pkt, uint32_t len, Packet *p) +{ + pc.ip6ext++; - /* check if only SYN is set */ - if( p->tcph->th_flags == TH_SYN ) - { - if( snort_conf->targeted_policies[getRuntimePolicy()]->decodeRulesArray[DECODE_DOS_NAPTHA - DECODE_START_INDEX] == 1 ) - { - if( p->tcph->th_seq == 6060842 ) - { - if( GET_IPH_ID(p) == 413 ) - { - if( ScLogVerbose() ) - { - ErrorMessage("WARNING: DOS NAPTHA Vulnerability detected\n"); - } - if( ScIdsMode() ) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_DOS_NAPTHA, 1, - DECODE_CLASS, 3, DECODE_DOS_NAPTHA_STR, 0); - - if(ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - } - } - } - } - } +#ifdef GRE + if (p->greh != NULL) + pc.gre_ipv6ext++; +#endif - if(TCP_ISFLAGSET(p->tcph, (TH_SYN))) + /* XXX might this introduce an issue if the "next" field is invalid? 
*/ + p->ip6h->next = next; + + if (ScIdsMode()) { - if( snort_conf->targeted_policies[getRuntimePolicy()]->decodeRulesArray[DECODE_SYN_TO_MULTICAST - DECODE_START_INDEX] == 1 ) - { - if( IpAddrSetContains(SynToMulticastDstIp, GET_DST_ADDR(p)) ) - { - if (ScLogVerbose()) - { - ErrorMessage("WARNING: SYN to Multicast address\n"); - } - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_SYN_TO_MULTICAST, 1, - DECODE_CLASS, 3, DECODE_SYN_TO_MULTICAST_STR, 0); - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - } - } - } + /* See if there are any ip_proto only rules that match */ + fpEvalIpProtoOnlyRules(snort_conf->ip_proto_only_lists, p); + p->proto_bits |= PROTO_BIT__IP; } - /* stuff more data into the printout data struct */ - p->sp = ntohs(p->tcph->th_sport); - p->dp = ntohs(p->tcph->th_dport); - - if (ScTcpChecksums()) - { -#ifdef SUP_IP6 - if(IS_IP4(p)) - { - ph.sip = *p->ip4h->ip_src.ip32; - ph.dip = *p->ip4h->ip_dst.ip32; -#else - ph.sip = (uint32_t)(p->iph->ip_src.s_addr); - ph.dip = (uint32_t)(p->iph->ip_dst.s_addr); + switch(next) { + case IPPROTO_TCP: + pc.tcp6++; + CheckIPv6ExtensionOrder(p); + DecodeTCP(pkt, len, p); + return; + case IPPROTO_UDP: + pc.udp6++; + CheckIPv6ExtensionOrder(p); + DecodeUDP(pkt, len, p); + return; + case IPPROTO_ICMPV6: + pc.icmp6++; + CheckIPv6ExtensionOrder(p); + DecodeICMP6(pkt , len, p); + return; + case IPPROTO_NONE: + CheckIPv6ExtensionOrder(p); + p->dsize = 0; + return; + case IPPROTO_HOPOPTS: + case IPPROTO_DSTOPTS: + case IPPROTO_ROUTING: + case IPPROTO_FRAGMENT: + case IPPROTO_AH: + DecodeIPV6Options(next, pkt, len, p); + // Anything special to do here? just return? 
+ return; +#ifdef GRE + case IPPROTO_GRE: + pc.gre++; + CheckIPv6ExtensionOrder(p); + DecodeGRE(pkt, len, p); + return; + case IPPROTO_IPIP: + pc.ip6ip4++; + CheckIPv6ExtensionOrder(p); + DecodeIP(pkt, len, p); + return; + case IPPROTO_IPV6: + pc.ip6ip6++; + CheckIPv6ExtensionOrder(p); + DecodeIPV6(pkt, len, p); + return; + case IPPROTO_ESP: + CheckIPv6ExtensionOrder(p); + if (ScESPDecoding()) + DecodeESP(pkt, len, p); + return; #endif - /* setup the pseudo header for checksum calculation */ - ph.zero = 0; - ph.protocol = GET_IPH_PROTO(p); - ph.tcplen = htons((u_short)len); - - /* if we're being "stateless" we probably don't care about the TCP - * checksum, but it's not bad to keep around for shits and giggles */ - /* calculate the checksum */ - csum = in_chksum_tcp((uint16_t *)&ph, (uint16_t *)(p->tcph), len); + default: + // There may be valid headers after this unsupported one, + // need to decode this header, set "next" and continue + // looping. + + DecoderEvent(p, DECODE_IPV6_BAD_NEXT_HEADER, + DECODE_IPV6_BAD_NEXT_HEADER_STR, 1, 1); + + pc.other++; + p->data = pkt; + p->dsize = (uint16_t)len; + break; + }; +} +#endif /* SUP_IP6 */ + +//-------------------------------------------------------------------- +// decode.c::IP6 decoder +//-------------------------------------------------------------------- + #ifdef SUP_IP6 - } - /* IPv6 traffic */ - else - { - COPY4(ph6.sip, p->ip6h->ip_src.ip32); - COPY4(ph6.dip, p->ip6h->ip_dst.ip32); - ph6.zero = 0; - ph6.protocol = GET_IPH_PROTO(p); - ph6.tcplen = htons((u_short)len); +void DecodeIPV6(const uint8_t *pkt, uint32_t len, Packet *p) +{ + IP6RawHdr *hdr; + uint32_t payload_len; - csum = in_chksum_tcp6((uint16_t *)&ph6, (uint16_t *)(p->tcph), len); - } + pc.ipv6++; + +#ifdef GRE + if (p->greh != NULL) + pc.gre_ipv6++; #endif - - if(csum) + + hdr = (IP6RawHdr*)pkt; + + if(len < IP6_HDR_LEN) + { + if ((p->packet_flags & PKT_UNSURE_ENCAP) == 0) + DecoderEvent(p, DECODE_IPV6_TRUNCATED, DECODE_IPV6_TRUNCATED_STR, + 1, 1); 
+ + goto decodeipv6_fail; + } + + /* Verify version in IP6 Header agrees */ + if((hdr->ip6vfc >> 4) != 6) + { + if ((p->packet_flags & PKT_UNSURE_ENCAP) == 0) + DecoderEvent(p, DECODE_IPV6_IS_NOT, DECODE_IPV6_IS_NOT_STR, + 1, 1); + + goto decodeipv6_fail; + } + + if (p->family != NO_IP) + { + /* Snort currently supports only 2 IP layers. Any more will fail to be + decoded. */ + if (p->encapsulated) { - p->csum_flags |= CSE_TCP; - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad TCP checksum\n", - "0x%x versus 0x%x\n", csum, - ntohs(p->tcph->th_sum));); - if (ScIdsMode() && ScInlineMode()) - queueTcpChksmInlineDrop(p); + DecoderAlertEncapsulated(p, DECODE_IP_MULTIPLE_ENCAPSULATION, + DECODE_IP_MULTIPLE_ENCAPSULATION_STR, + pkt, len); + goto decodeipv6_fail; } else { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE,"TCP Checksum: OK\n");); + p->encapsulated = 1; + p->outer_iph = p->iph; + p->outer_ip_data = p->ip_data; + p->outer_ip_dsize = p->ip_dsize; } } + payload_len = ntohs(hdr->ip6plen) + IP6_HDR_LEN; - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "tcp header starts at: %p\n", p->tcph);); - - - /* if options are present, decode them */ - p->tcp_options_len = (uint16_t)(hlen - TCP_HEADER_LEN); - - if(p->tcp_options_len > 0) + if(payload_len != len) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "%lu bytes of tcp options....\n", - (unsigned long)(p->tcp_options_len));); + if (payload_len > len) + { + if ((p->packet_flags & PKT_UNSURE_ENCAP) == 0) + DecoderEvent(p, DECODE_IPV6_DGRAM_GT_CAPLEN, + DECODE_IPV6_DGRAM_GT_CAPLEN_STR, + ScDecoderOversizedAlerts(), ScDecoderOversizedDrops()); - p->tcp_options_data = pkt + TCP_HEADER_LEN; - DecodeTCPOptions((uint8_t *) (pkt + TCP_HEADER_LEN), p->tcp_options_len, p); + goto decodeipv6_fail; + } } - else + + /* Teredo packets should always use the 2001:0000::/32 prefix, or in some + cases the link-local prefix fe80::/64. 
+ Source: RFC 4380, section 2.6 & section 5.2.1 + + Checking the addresses will save us from numerous false positives + when UDP clients use 3544 as their ephemeral port, or "Deep Teredo + Inspection" is turned on. + + If we ever start decoding more than 2 layers of IP in a packet, this + check against p->proto_bits will need to be refactored. */ + if ((p->proto_bits & PROTO_BIT__TEREDO) && (CheckTeredoPrefix(hdr) == 0)) { - p->tcp_option_count = 0; + goto decodeipv6_fail; } - /* set the data pointer and size */ - p->data = (uint8_t *) (pkt + hlen); + /* lay the IP struct over the raw data */ + // this is ugly but necessary to keep the rest of the code happy + p->inner_iph = p->iph = (IPHdr *)pkt; - if(hlen < len) - { - p->dsize = (u_short)(len - hlen); - } - else + /* Build Packet structure's version of the IP6 header */ + sfiph_build(p, hdr, AF_INET6); + +#ifdef GRE + /* Remove outer IP options */ + if (p->encapsulated) { - p->dsize = 0; + p->ip_options_data = NULL; + p->ip_options_len = 0; + p->ip_lastopt_bad = 0; } +#endif + p->ip_option_count = 0; - /* Drop packet if we ignore this port */ - if (ScIgnoreTcpPort(p->sp) || ScIgnoreTcpPort(p->dp)) + /* set the real IP length for logging */ + p->actual_ip_len = ntohs(p->ip6h->len); + p->ip_data = pkt + IP6_HDR_LEN; + p->ip_dsize = ntohs(p->ip6h->len); + + PushLayer(PROTO_IP6, p, pkt, sizeof(*hdr)); + + IPV6MiscTests(p); + + DecodeIPV6Extensions(GET_IPH_PROTO(p), pkt + IP6_HDR_LEN, ntohs(p->ip6h->len), p); + return; + +decodeipv6_fail: + /* If this was Teredo, back up and treat the packet as normal UDP. 
*/ + if (p->proto_bits & PROTO_BIT__TEREDO) { - /* Ignore all preprocessors for this packet */ - p->packet_flags |= PKT_IGNORE_PORT; + pc.ipv6--; + pc.teredo--; + p->proto_bits &= ~PROTO_BIT__TEREDO; +#ifdef GRE + if (p->greh != NULL) + pc.gre_ipv6--; +#endif + return; } - p->proto_bits |= PROTO_BIT__TCP; + pc.discards++; + pc.ipv6disc++; } +#endif /* SUP_IP6 */ +//-------------------------------------------------------------------- +// decode.c::ICMP6 +//-------------------------------------------------------------------- -/* - * Function: DecodeUDP(uint8_t *, const uint32_t, Packet *) - * - * Purpose: Decode the UDP transport layer - * - * Arguments: pkt => ptr to the packet data - * len => length from here to the end of the packet - * p => pointer to decoded packet struct - * - * Returns: void function - */ -void DecodeUDP(const uint8_t * pkt, const uint32_t len, Packet * p) +#ifdef SUP_IP6 +void DecodeICMP6(const uint8_t *pkt, uint32_t len, Packet *p) { struct pseudoheader6 { uint32_t sip[4], dip[4]; uint8_t zero; uint8_t protocol; - uint16_t udplen; + uint16_t icmplen; }; - - struct pseudoheader + if(len < ICMP6_MIN_HEADER_LEN) { - uint32_t sip, dip; - uint8_t zero; - uint8_t protocol; - uint16_t udplen; - }; - u_short csum; - uint16_t uhlen; - struct pseudoheader ph; -#ifdef SUP_IP6 - struct pseudoheader6 ph6; -#endif - u_char fragmented_udp_flag = 0; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "WARNING: Truncated ICMP6 header (%d bytes).\n", len);); - if(len < sizeof(UDPHdr)) - { - if (ScLogVerbose()) - ErrorMessage("Truncated UDP header (%d bytes)\n", len); - - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_UDP_DGRAM_LT_UDPHDR, - 1, DECODE_CLASS, 3, DECODE_UDP_DGRAM_LT_UDPHDR_STR, 0); - - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - - } - - p->udph = NULL; - pc.discards++; - pc.udisc++; - - return; - } - - /* set the ptr to the start of the UDP header */ - p->udph = (UDPHdr *) pkt; - - if (!p->frag_flag) - { - uhlen = 
ntohs(p->udph->uh_len); - } - else - { - if(IS_IP6(p)) - { - uint16_t ip_len = ntohs(GET_IPH_LEN(p)); - /* subtract the distance from udp header to 1st ip6 extension */ - /* This gives the length of the UDP "payload", when fragmented */ - uhlen = ip_len - ((u_char *)p->udph - (u_char *)p->ip6_extensions[0].data); - } - else - { - uint16_t ip_len = ntohs(GET_IPH_LEN(p)); - /* Don't forget, IP_HLEN is a word - multiply x 4 */ - uhlen = ip_len - (GET_IPH_HLEN(p) * 4 ); - } - fragmented_udp_flag = 1; - } - - /* verify that the header len is a valid value */ - if(uhlen < UDP_HEADER_LEN) - { - if (ScLogVerbose()) - ErrorMessage("Invalid UDP Packet, length field < 8\n"); - - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_UDP_DGRAM_INVALID_LENGTH, 1, DECODE_CLASS, 3, - DECODE_UDP_DGRAM_INVALID_LENGTH_STR, 0); - - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } + if ( Event_Enabled(DECODE_ICMP6_HDR_TRUNC) ) + DecoderEvent(p, EVARGS(ICMP6_HDR_TRUNC), 1, 1); - } - p->udph = NULL; - pc.udisc++; pc.discards++; - return; } - /* make sure there are enough bytes as designated by length field */ - if(len < uhlen) - { - if (ScLogVerbose()) - { - ErrorMessage("Short UDP packet, length field > payload length\n"); - } - - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_UDP_DGRAM_SHORT_PACKET, 1, DECODE_CLASS, 3, - DECODE_UDP_DGRAM_SHORT_PACKET_STR, 0); - - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - - } - - p->udph = NULL; - pc.discards++; - pc.udisc++; - - return; - } - else if(len > uhlen) + p->icmph = (ICMPHdr*)pkt; + /* Do checksums */ + if (ScIcmpChecksums()) { - if (ScLogVerbose()) - { - ErrorMessage("Long UDP packet, length field < payload length\n"); - } - - if(ScIdsMode() && ScDecoderOversizedAlerts()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_UDP_DGRAM_LONG_PACKET, 1, DECODE_CLASS, 3, - DECODE_UDP_DGRAM_LONG_PACKET_STR, 0); - - if ((ScInlineMode()) && ScDecoderOversizedDrops()) - { - 
DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping bad packet\n");); - InlineDrop(p); - } - - } - - p->udph = NULL; - pc.discards++; - pc.udisc++; - - return; - } - - /* fill in the printout data structs */ - p->sp = ntohs(p->udph->uh_sport); - p->dp = ntohs(p->udph->uh_dport); + uint16_t csum; - if (ScUdpChecksums()) - { - /* look at the UDP checksum to make sure we've got a good packet */ #ifdef SUP_IP6 - if(IS_IP4(p)) + if(IS_IP4(p)) { - ph.sip = *p->ip4h->ip_src.ip32; - ph.dip = *p->ip4h->ip_dst.ip32; -#else - ph.sip = (uint32_t)(p->iph->ip_src.s_addr); - ph.dip = (uint32_t)(p->iph->ip_dst.s_addr); #endif - ph.zero = 0; - ph.protocol = GET_IPH_PROTO(p); - ph.udplen = p->udph->uh_len; - /* Don't do checksum calculation if - * 1) Framented, OR - * 2) UDP header chksum value is 0. - */ - if( !fragmented_udp_flag && p->udph->uh_chk ) - { - csum = in_chksum_udp((uint16_t *)&ph, - (uint16_t *)(p->udph), uhlen); - } - else - { - csum = 0; - } + csum = in_chksum_icmp((uint16_t *)(p->icmph), len); #ifdef SUP_IP6 } - else + /* IPv6 traffic */ + else { + struct pseudoheader6 ph6; COPY4(ph6.sip, p->ip6h->ip_src.ip32); COPY4(ph6.dip, p->ip6h->ip_dst.ip32); ph6.zero = 0; ph6.protocol = GET_IPH_PROTO(p); - ph6.udplen = htons((u_short)len); - /* Don't do checksum calculation if - * 1) Framented, OR - * 2) UDP header chksum value is 0. 
- */ - if( !fragmented_udp_flag && p->udph->uh_chk ) - { - csum = in_chksum_udp6((uint16_t *)&ph6, - (uint16_t *)(p->udph), uhlen); - } - else if ( !p->udph->uh_chk ) - { - csum = 1; - } - else - { - csum = 0; - } + ph6.icmplen = htons((u_short)len); + + csum = in_chksum_icmp6((uint16_t *)&ph6, (uint16_t *)(p->icmph), len); } #endif if(csum) { - p->csum_flags |= CSE_UDP; - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad UDP Checksum\n");); + p->error_flags |= PKT_ERR_CKSUM_ICMP; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad ICMP Checksum\n");); - if (ScIdsMode() && ScInlineMode()) - queueUdpChksmInlineDrop(p); + if ( ScIdsMode() ) + queueExecDrop(execIcmpChksmDrop, p); } else { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "UDP Checksum: OK\n");); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE,"ICMP Checksum: OK\n");); } } - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "UDP header starts at: %p\n", p->udph);); + p->dsize = (u_short)(len - ICMP6_MIN_HEADER_LEN); + p->data = pkt + ICMP6_MIN_HEADER_LEN; - p->data = (uint8_t *) (pkt + UDP_HEADER_LEN); - - /* length was validated up above */ - p->dsize = uhlen - UDP_HEADER_LEN; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "ICMP type: %d code: %d\n", + p->icmph->type, p->icmph->code);); - /* Drop packet if we ignore this port */ - if (ScIgnoreUdpPort(p->sp) || ScIgnoreUdpPort(p->dp)) + switch(p->icmph->type) { - /* Ignore all preprocessors for this packet */ - p->packet_flags |= PKT_IGNORE_PORT; - } - - p->proto_bits |= PROTO_BIT__UDP; -} - - + case ICMP6_ECHO: + case ICMP6_REPLY: + if (p->dsize >= sizeof(struct idseq)) + { + p->icmp6h = (ICMP6Hdr *)pkt; + /* Set data pointer to that of the "echo message" */ + /* add the size of the echo ext to the data + * ptr and subtract it from the data size */ + p->dsize -= sizeof(struct idseq); + p->data += sizeof(struct idseq); -/* - * Function: DecodeICMP(uint8_t *, const uint32_t, Packet *) - * - * Purpose: Decode the ICMP transport layer - * - * Arguments: pkt => ptr to the packet data - * len => length from 
here to the end of the packet - * p => pointer to the decoded packet struct - * - * Returns: void function - */ -void DecodeICMP(const uint8_t * pkt, const uint32_t len, Packet * p) -{ - uint16_t csum; + if ( Event_Enabled(DECODE_ICMP6_DST_MULTICAST) ) + if ( p->ip6h->ip_dst.ip.u6_addr8[0] == IP6_MULTICAST ) + DecoderEvent(p, EVARGS(ICMP6_DST_MULTICAST), 1, 1); - if(len < ICMP_HEADER_LEN) - { - if (ScLogVerbose()) - { - ErrorMessage("WARNING: Truncated ICMP header " - "(%d bytes)\n", len); - } - - p->icmph = NULL; - pc.discards++; - pc.icmpdisc++; + PushLayer(PROTO_ICMP6, p, pkt, ICMP_NORMAL_LEN); + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "WARNING: Truncated ICMP Echo header (%d bytes).\n", len);); - return; - } + DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR, + DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1); - /* set the header ptr first */ - p->icmph = (ICMPHdr *) pkt; + p->icmp6h = NULL; + pc.discards++; + pc.icmpdisc++; + return; + } + break; - switch (p->icmph->type) - { - case ICMP_DEST_UNREACH: - case ICMP_SOURCE_QUENCH: - case ICMP_REDIRECT: - case ICMP_TIME_EXCEEDED: - case ICMP_PARAMETERPROB: - case ICMP_ECHOREPLY: - case ICMP_ECHO: - case ICMP_ROUTER_ADVERTISE: - case ICMP_ROUTER_SOLICIT: - case ICMP_INFO_REQUEST: - case ICMP_INFO_REPLY: - if (len < 8) + case ICMP6_BIG: + if (p->dsize >= sizeof(ICMP6TooBig)) { - if (ScLogVerbose()) - { - ErrorMessage("Truncated ICMP header(%d bytes)\n", len); - } + ICMP6TooBig *too_big = (ICMP6TooBig *)pkt; + p->icmp6h = (ICMP6Hdr *)pkt; + /* Set data pointer past MTU */ + p->data += 4; + p->dsize -= 4; - if(ScIdsMode()) + if (ntohl(too_big->mtu) < 1280) { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_ICMP_DGRAM_LT_ICMPHDR, 1, DECODE_CLASS, 3, - DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 0); - - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - + DecoderEvent(p, DECODE_ICMPV6_TOO_BIG_BAD_MTU, + DECODE_ICMPV6_TOO_BIG_BAD_MTU_STR, 1, 1); } - p->icmph = NULL; + PushLayer(PROTO_ICMP6, p, pkt, ICMP_NORMAL_LEN); 
+ DecodeICMPEmbeddedIP6(p->data, p->dsize, p); + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "WARNING: Truncated ICMP header (%d bytes).\n", len);); + + DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR, + DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1); + + p->icmp6h = NULL; pc.discards++; pc.icmpdisc++; - return; } - break; - case ICMP_TIMESTAMP: - case ICMP_TIMESTAMPREPLY: - if (len < 20) + case ICMP6_TIME: + case ICMP6_PARAMS: + case ICMP6_UNREACH: + if (p->dsize >= 4) { - if (ScLogVerbose()) + p->icmp6h = (ICMP6Hdr *)pkt; + /* Set data pointer past the 'unused/mtu/pointer block */ + p->data += 4; + p->dsize -= 4; + + if ((p->icmp6h->type == ICMP6_UNREACH) && (p->icmp6h->code == 2)) { - ErrorMessage("Truncated ICMP header(%d bytes)\n", len); + DecoderEvent(p, DECODE_ICMPV6_UNREACHABLE_BAD_CODE, + DECODE_ICMPV6_UNREACHABLE_BAD_CODE_STR, 1, 1); } - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR, 1, DECODE_CLASS, - 3, DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR_STR, 0); - - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } + PushLayer(PROTO_ICMP6, p, pkt, ICMP_NORMAL_LEN); + DecodeICMPEmbeddedIP6(p->data, p->dsize, p); + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "WARNING: Truncated ICMP header (%d bytes).\n", len);); - } + DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR, + DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1); - p->icmph = NULL; + p->icmp6h = NULL; pc.discards++; pc.icmpdisc++; - return; } - break; - case ICMP_ADDRESS: - case ICMP_ADDRESSREPLY: - if (len < 12) + case ICMP6_ADVERTISEMENT: + if (p->dsize >= (sizeof(ICMP6RouterAdvertisement) - ICMP6_MIN_HEADER_LEN)) { - if (ScLogVerbose()) + ICMP6RouterAdvertisement *ra = (ICMP6RouterAdvertisement *)pkt; + p->icmp6h = (ICMP6Hdr *)pkt; + if (p->icmp6h->code != 0) { - ErrorMessage("Truncated ICMP header(%d bytes)\n", len); + DecoderEvent(p, DECODE_ICMPV6_ADVERT_BAD_CODE, + DECODE_ICMPV6_ADVERT_BAD_CODE_STR, 1, 1); } - - - if(ScIdsMode()) + if 
(ntohl(ra->reachable_time) > 3600000) { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_ICMP_DGRAM_LT_ADDRHDR, 1, DECODE_CLASS, 3, - DECODE_ICMP_DGRAM_LT_ADDRHDR_STR, 0); - - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - + DecoderEvent(p, DECODE_ICMPV6_ADVERT_BAD_REACHABLE, + DECODE_ICMPV6_ADVERT_BAD_REACHABLE_STR, 1, 1); } + PushLayer(PROTO_ICMP6, p, pkt, ICMP_HEADER_LEN); + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "WARNING: Truncated ICMP header (%d bytes).\n", len);); - p->icmph = NULL; + DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR, + DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1); + + p->icmp6h = NULL; pc.discards++; pc.icmpdisc++; - return; } - break; - } - - - if (ScIcmpChecksums()) - { - csum = in_chksum_icmp((uint16_t *)p->icmph, len); - if(csum) - { - p->csum_flags |= CSE_ICMP; - - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad ICMP Checksum\n");); - - if (ScIdsMode() && ScInlineMode()) - queueIcmpChksmInlineDrop(p); - } - else - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE,"ICMP Checksum: OK\n");); - } - } - - p->dsize = (u_short)(len - ICMP_HEADER_LEN); - p->data = pkt + ICMP_HEADER_LEN; + case ICMP6_SOLICITATION: + if (p->dsize >= (sizeof(ICMP6RouterSolicitation) - ICMP6_MIN_HEADER_LEN)) + { + ICMP6RouterSolicitation *rs = (ICMP6RouterSolicitation *)pkt; + p->icmp6h = (ICMP6Hdr *)pkt; + if (rs->code != 0) + { + DecoderEvent(p, DECODE_ICMPV6_SOLICITATION_BAD_CODE, + DECODE_ICMPV6_SOLICITATION_BAD_CODE_STR, 1, 1); + } + if (ntohl(rs->reserved) != 0) + { + DecoderEvent(p, DECODE_ICMPV6_SOLICITATION_BAD_RESERVED, + DECODE_ICMPV6_SOLICITATION_BAD_RESERVED_STR, 1, 1); + } + PushLayer(PROTO_ICMP6, p, pkt, ICMP_HEADER_LEN); + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "WARNING: Truncated ICMP header (%d bytes).\n", len);); - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "ICMP type: %d code: %d\n", - p->icmph->code, p->icmph->type);); + DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR, + DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1); - 
switch(p->icmph->type) - { - case ICMP_ECHO: - case ICMP_ECHOREPLY: - /* setup the pkt id and seq numbers */ - p->dsize -= sizeof(struct idseq); /* add the size of the - * echo ext to the data - * ptr and subtract it - * from the data size */ - p->data += sizeof(struct idseq); + p->icmp6h = NULL; + pc.discards++; + pc.icmpdisc++; + return; + } break; - case ICMP_DEST_UNREACH: - case ICMP_REDIRECT: - case ICMP_SOURCE_QUENCH: - case ICMP_TIME_EXCEEDED: - case ICMP_PARAMETERPROB: - /* account for extra 4 bytes in header */ - p->dsize -= 4; - p->data += 4; - - DecodeICMPEmbeddedIP(p->data, p->dsize, p); + default: + if ( Event_Enabled(DECODE_ICMP6_TYPE_OTHER) ) + DecoderEvent(p, EVARGS(ICMP6_TYPE_OTHER), 1, 1); + PushLayer(PROTO_ICMP6, p, pkt, ICMP_HEADER_LEN); break; } @@ -4491,9 +4453,9 @@ } /* - * Function: DecodeICMPEmbeddedIP(uint8_t *, const uint32_t, Packet *) + * Function: DecodeICMPEmbeddedIP6(uint8_t *, const uint32_t, Packet *) * - * Purpose: Decode the ICMP embedded IP header + 64 bits payload + * Purpose: Decode the ICMP embedded IP6 header + payload * * Arguments: pkt => ptr to the packet data * len => length from here to the end of the packet 
@@ -4501,197 +4463,76 @@ * * Returns: void function */ -void DecodeICMPEmbeddedIP(const uint8_t *pkt, const uint32_t len, Packet *p) +void DecodeICMPEmbeddedIP6(const uint8_t *pkt, const uint32_t len, Packet *p) { - uint32_t ip_len; /* length from the start of the ip hdr to the - * pkt end */ - uint32_t hlen; /* ip header length */ uint16_t orig_frag_offset; + /* lay the IP struct over the raw data */ + IP6RawHdr* hdr = (IP6RawHdr*)pkt; + pc.embdip++; + + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "DecodeICMPEmbeddedIP6: ip header" + " starts at: %p, length is %lu\n", hdr, + (unsigned long) len);); + /* do a little validation */ - if(len < IP_HEADER_LEN) + if ( len < IP6_HDR_LEN ) { - if (ScLogVerbose()) - { - ErrorMessage("ICMP: IP short header (%d bytes)\n", len); - } - - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_ICMP_ORIG_IP_TRUNCATED, 1, DECODE_CLASS, 3, - DECODE_ICMP_ORIG_IP_TRUNCATED_STR, 0); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "ICMP6: IP short header (%d bytes)\n", len);); - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - } + DecoderEvent(p, DECODE_ICMP_ORIG_IP_TRUNCATED, + DECODE_ICMP_ORIG_IP_TRUNCATED_STR, 1, 1); -#ifdef SUP_IP6 - p->orig_family = NO_IP; -#endif - p->orig_iph = NULL; + pc.discards++; return; } - /* lay the IP struct over the raw data */ -#ifdef SUP_IP6 - sfiph_orig_build(p, pkt, AF_INET); -#endif - p->orig_iph = (IPHdr *) pkt; - - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "DecodeICMPEmbeddedIP: ip header" - " starts at: %p, length is %lu\n", p->orig_iph, - (unsigned long) len);); /* * with datalink DLT_RAW it's impossible to differ ARP datagrams from IP. 
* So we are just ignoring non IP datagrams */ - if((GET_ORIG_IPH_VER(p) != 4) && !IS_IP6(p)) + if ( (hdr->ip6vfc >> 4) != 6 ) { - if (ScLogVerbose()) - { - ErrorMessage("ICMP: not IPv4 datagram " - "([ver: 0x%x][len: 0x%x])\n", - GET_ORIG_IPH_VER(p), GET_ORIG_IPH_LEN(p)); - - } - - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_ICMP_ORIG_IP_NOT_IPV4, 1, DECODE_CLASS, 3, - DECODE_ICMP_ORIG_IP_NOT_IPV4_STR, 0); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "ICMP: not IPv6 datagram ([ver: 0x%x][len: 0x%x])\n", + (hdr->ip6vfc >> 4), len);); - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - } + DecoderEvent(p, DECODE_ICMP_ORIG_IP_VER_MISMATCH, + DECODE_ICMP_ORIG_IP_VER_MISMATCH_STR, 1, 1); -#ifdef SUP_IP6 - p->orig_family = NO_IP; -#endif - p->orig_iph = NULL; + pc.discards++; return; } - /* set the IP datagram length */ - ip_len = ntohs(GET_ORIG_IPH_LEN(p)); - - /* set the IP header length */ -#ifdef SUP_IP6 - hlen = (p->orig_ip4h->ip_verhl & 0x0f) << 2; -#else - hlen = IP_HLEN(p->orig_iph) << 2; -#endif - - if(len < hlen) + if ( len < IP6_HDR_LEN ) { - if (ScLogVerbose()) - { - ErrorMessage("ICMP: IP len (%d bytes) < " - "IP hdr len (%d bytes), packet discarded\n", ip_len, hlen); - } + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "ICMP6: IP6 len (%d bytes) < IP6 hdr len (%d bytes), packet discarded\n", + len, IP6_HDR_LEN);); - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP, 1, DECODE_CLASS, 3, - DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP_STR, 0); + DecoderEvent(p, DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP, + DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP_STR, 1, 1); - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - } - -#ifdef SUP_IP6 - p->orig_family = NO_IP; -#endif - p->orig_iph = NULL; + pc.discards++; return; } - - /* set the remaining packet length */ - ip_len = len - hlen; +#ifdef SUP_IP6 + sfiph_orig_build(p, pkt, AF_INET6); +#endif orig_frag_offset = ntohs(GET_ORIG_IPH_OFF(p)); orig_frag_offset &= 
0x1FFF; - if (orig_frag_offset == 0) - { - /* Original IP payload should be 64 bits */ - if (ip_len < 8) - { - if (ScLogVerbose()) - { - ErrorMessage("ICMP: IP payload length < 64 bits\n"); - } - - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_ICMP_ORIG_PAYLOAD_LT_64, 1, DECODE_CLASS, 3, - DECODE_ICMP_ORIG_PAYLOAD_LT_64_STR, 0); - - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - } - - return; - } - /* ICMP error packets could contain as much of original payload - * as possible, but not exceed 576 bytes - */ - else if (ntohs(GET_IPH_LEN(p)) > 576) - { - if (ScLogVerbose()) - { - ErrorMessage("ICMP: ICMP error packet length > 576 bytes\n"); - } - - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_ICMP_ORIG_PAYLOAD_GT_576, 1, DECODE_CLASS, 3, - DECODE_ICMP_ORIG_PAYLOAD_GT_576_STR, 0); - - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - } - } - } - else - { - /* RFC states that only first frag will get an ICMP response */ - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET, 1, DECODE_CLASS, 3, - DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET_STR, 0); - - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - } - - return; - } + // XXX NOT YET IMPLEMENTED - fragments inside ICMP payload - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "ICMP Unreachable IP header length: " - "%lu\n", (unsigned long)hlen);); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "ICMP6 Unreachable IP6 header length: " + "%lu\n", (unsigned long)IP6_HDR_LEN);); switch(GET_ORIG_IPH_PROTO(p)) { case IPPROTO_TCP: /* decode the interesting part of the header */ - p->orig_tcph = (TCPHdr *)(pkt + hlen); + p->orig_tcph = (TCPHdr *)(pkt + IP6_HDR_LEN); /* stuff more data into the printout data struct */ p->orig_sp = ntohs(p->orig_tcph->th_sport); 
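Review bot: The new `case IPPROTO_TCP` at the end of this hunk dereferences `p->orig_tcph->th_sport` at `pkt + IP6_HDR_LEN` after only the `len < IP6_HDR_LEN` check, so an embedded IPv6 header with nothing after it (len == IP6_HDR_LEN) reads past the validated length; the removed IPv4 code guarded this with its `ip_len < 8` test before the same switch, and that guard was not carried over. The UDP case in the following hunk (`@@ -4700,7 +4541,7 @@`) reads `uh_sport` at the same offset, and the ICMP case after it sets `orig_icmph` there, so one guard before `switch(GET_ORIG_IPH_PROTO(p))` covers all three: `if ( len < IP6_HDR_LEN + 8 ) { DecoderEvent(p, DECODE_ICMP_ORIG_PAYLOAD_LT_64, DECODE_ICMP_ORIG_PAYLOAD_LT_64_STR, 1, 1); pc.discards++; return; }`. Separately, the second `if ( len < IP6_HDR_LEN )` (the one raising DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP) repeats the first check and can no longer be true at that point, so it is dead code. `orig_frag_offset` is computed from `GET_ORIG_IPH_OFF(p)` but never read once the fragment handling was replaced by the `XXX NOT YET IMPLEMENTED` comment; presumably intentional, but what that macro yields for an IPv6 original header should be confirmed before the TODO is picked up. DecodeICMPEmbeddedIP6's body continues past this hunk.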
@@ -4700,7 +4541,7 @@ break; case IPPROTO_UDP: - p->orig_udph = (UDPHdr *)(pkt + hlen); + p->orig_udph = (UDPHdr *)(pkt + IP6_HDR_LEN); /* fill in the printout data structs */ p->orig_sp = ntohs(p->orig_udph->uh_sport); 
@@ -4709,2194 +4550,2839 @@ break; case IPPROTO_ICMP: - p->orig_icmph = (ICMPHdr *)(pkt + hlen); + p->orig_icmph = (ICMPHdr *)(pkt + IP6_HDR_LEN); break; } return; } +#endif -/* - * Function: DecodeARP(uint8_t *, uint32_t, Packet *) - * - * Purpose: Decode ARP stuff +//-------------------------------------------------------------------- +// decode.c::Teredo +//-------------------------------------------------------------------- + +/* Function: DecodeTeredo(uint8_t *, uint32_t, Packet *) * - * Arguments: pkt => ptr to the packet data - * len => length from here to the end of the packet - * p => pointer to decoded packet struct + * Teredo is IPv6 layered over UDP, with optional "indicators" in between. + * Decode these (if present) and go to DecodeIPv6. * - * Returns: void function */ -void DecodeARP(const uint8_t * pkt, uint32_t len, Packet * p) -{ - pc.arp++; -#ifdef GRE - if (p->greh != NULL) - pc.gre_arp++; -#endif - - p->ah = (EtherARP *) pkt; +#ifdef SUP_IP6 +void DecodeTeredo(const uint8_t *pkt, uint32_t len, Packet *p) +{ + if (len < TEREDO_MIN_LEN) + return; - if(len < sizeof(EtherARP)) + /* Decode indicators. If both are present, Auth always comes before Origin. 
*/ + if (ntohs(*(uint16_t *)pkt) == TEREDO_INDICATOR_AUTH) { - if (ScLogVerbose()) - ErrorMessage("Truncated packet\n"); + uint8_t client_id_length, auth_data_length; - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_ARP_TRUNCATED, 1, - DECODE_CLASS, 3, DECODE_ARP_TRUNCATED_STR, 0); + if (len < TEREDO_INDICATOR_AUTH_MIN_LEN) + return; - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - } + client_id_length = *(pkt + 2); + auth_data_length = *(pkt + 3); - pc.discards++; - return; - } + if (len < (uint32_t)(TEREDO_INDICATOR_AUTH_MIN_LEN + client_id_length + auth_data_length)) + return; - p->proto_bits |= PROTO_BIT__ARP; -} + pkt += (TEREDO_INDICATOR_AUTH_MIN_LEN + client_id_length + auth_data_length); + len -= (TEREDO_INDICATOR_AUTH_MIN_LEN + client_id_length + auth_data_length); + } -#ifndef NO_NON_ETHER_DECODER -/* - * Function: DecodeEapol(uint8_t *, uint32_t, Packet *) - * - * Purpose: Decode 802.1x eapol stuff - * - * Arguments: pkt => ptr to the packet data - * len => length from here to the end of the packet - * p => pointer to decoded packet struct - * - * Returns: void function - */ -void DecodeEapol(const uint8_t * pkt, uint32_t len, Packet * p) -{ - p->eplh = (EtherEapol *) pkt; - pc.eapol++; - if(len < sizeof(EtherEapol)) + if (ntohs(*(uint16_t *)pkt) == TEREDO_INDICATOR_ORIGIN) { - if (ScLogVerbose()) - ErrorMessage("Truncated packet\n"); + if (len < TEREDO_INDICATOR_ORIGIN_LEN) + return; - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_EAPOL_TRUNCATED, 1, - DECODE_CLASS, 3, DECODE_EAPOL_TRUNCATED_STR, 0); + pkt += TEREDO_INDICATOR_ORIGIN_LEN; + len -= TEREDO_INDICATOR_ORIGIN_LEN; + } - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } + /* If this is an IPv6 datagram, the first 4 bits will be the number 6. 
*/ + if (( (*pkt & 0xF0) >> 4) == 6) + { + p->proto_bits |= PROTO_BIT__TEREDO; + pc.teredo++; - } + if (ScDeepTeredoInspection() && (p->sp != TEREDO_PORT) && (p->dp != TEREDO_PORT)) + p->packet_flags |= PKT_UNSURE_ENCAP; - pc.discards++; - return; - } - if (p->eplh->eaptype == EAPOL_TYPE_EAP) { - DecodeEAP(pkt + sizeof(EtherEapol), len - sizeof(EtherEapol), p); - } - else if(p->eplh->eaptype == EAPOL_TYPE_KEY) { - DecodeEapolKey(pkt + sizeof(EtherEapol), len - sizeof(EtherEapol), p); + DecodeIPV6(pkt, len, p); + + p->packet_flags &= ~PKT_UNSURE_ENCAP; } + + /* Otherwise, we treat this as normal UDP traffic. */ return; } +#endif + +//-------------------------------------------------------------------- +// decode.c::ESP +//-------------------------------------------------------------------- /* - * Function: DecodeEapolKey(uint8_t *, uint32_t, Packet *) + * Function: DecodeESP(const uint8_t *, uint32_t, Packet *) * - * Purpose: Decode 1x key setup + * Purpose: Attempt to decode Encapsulated Security Payload. + * The contents are probably encrypted, but ESP is sometimes used + * with "null" encryption, solely for Authentication. + * This is more of a heuristic -- there is no ESP field that specifies + * the encryption type (or lack thereof). * * Arguments: pkt => ptr to the packet data * len => length from here to the end of the packet - * p => pointer to decoded packet struct + * p => ptr to the Packet struct being filled out * * Returns: void function */ -void DecodeEapolKey(const uint8_t * pkt, uint32_t len, Packet * p) +void DecodeESP(const uint8_t *pkt, uint32_t len, Packet *p) { - p->eapolk = (EapolKey *) pkt; - if(len < sizeof(EapolKey)) + uint8_t next_header; + uint8_t pad_length; + const uint8_t *esp_payload; + + /* The ESP header contains a crypto Initialization Vector (IV) and + a sequence number. Skip these. 
*/ + if (len < (ESP_HEADER_LEN + ESP_AUTH_DATA_LEN + ESP_TRAILER_LEN)) { - if (ScLogVerbose()) - ErrorMessage("Truncated packet\n"); + /* Truncated ESP traffic. Bail out here and inspect the rest as payload. */ + DecoderEvent(p, EVARGS(ESP_HEADER_TRUNC), 1, 1); + p->data = pkt; + p->dsize = (uint16_t) len; + return; + } + esp_payload = pkt + ESP_HEADER_LEN; - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_EAPKEY_TRUNCATED, 1, - DECODE_CLASS, 3, DECODE_EAPKEY_TRUNCATED_STR, 0); + /* The Authentication Data at the end of the packet is variable-length. + RFC 2406 says that Encryption and Authentication algorithms MUST NOT + both be NULL, so we assume NULL Encryption and some other Authentication. - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } + The mandatory algorithms for Authentication are HMAC-MD5-96 and + HMAC-SHA-1-96, so we assume a 12-byte authentication data at the end. */ + len -= (ESP_HEADER_LEN + ESP_AUTH_DATA_LEN + ESP_TRAILER_LEN); - } + pad_length = *(esp_payload + len); + next_header = *(esp_payload + len + 1); - pc.discards++; + /* Adjust the packet length to account for the padding. + If the padding length is too big, this is probably encrypted traffic. */ + if (pad_length < len) + { + len -= (pad_length); + } + else + { + p->data = esp_payload; + p->dsize = (u_short) len; return; } - return; + /* Attempt to decode the inner payload. + There is a small chance that an encrypted next_header would become a + different valid next_header. The PKT_UNSURE_ENCAP flag tells the next + decoder stage to silently ignore invalid headers. 
*/ + + p->packet_flags |= PKT_UNSURE_ENCAP; + switch (next_header) + { + case IPPROTO_IPIP: + DecodeIP(esp_payload, len, p); + p->packet_flags &= ~PKT_UNSURE_ENCAP; + return; + + case IPPROTO_IPV6: + DecodeIPV6(esp_payload, len, p); + p->packet_flags &= ~PKT_UNSURE_ENCAP; + return; + + case IPPROTO_TCP: + pc.tcp++; + DecodeTCP(esp_payload, len, p); + p->packet_flags &= ~PKT_UNSURE_ENCAP; + return; + + case IPPROTO_UDP: + pc.udp++; + DecodeUDP(esp_payload, len, p); + p->packet_flags &= ~PKT_UNSURE_ENCAP; + return; + + case IPPROTO_ICMP: + pc.icmp++; + DecodeICMP(esp_payload, len, p); + p->packet_flags &= ~PKT_UNSURE_ENCAP; + return; + +#ifdef GRE + case IPPROTO_GRE: + pc.gre++; + DecodeGRE(esp_payload, len, p); + p->packet_flags &= ~PKT_UNSURE_ENCAP; + return; +#endif + + default: + /* If we didn't get a valid next_header, this packet is probably + encrypted. Start data here and treat it as an IP datagram. */ + p->data = esp_payload; + p->dsize = (u_short) len; + p->packet_flags &= ~PKT_UNSURE_ENCAP; + } } +//-------------------------------------------------------------------- +// decode.c::GRE +//-------------------------------------------------------------------- + +#ifdef GRE /* - * Function: DecodeEAP(uint8_t *, uint32_t, Packet *) + * Function: DecodeGRE(uint8_t *, uint32_t, Packet *) * - * Purpose: Decode Extensible Authentication Protocol + * Purpose: Decode Generic Routing Encapsulation Protocol + * This will decode normal GRE and PPTP GRE. 
* * Arguments: pkt => ptr to the packet data * len => length from here to the end of the packet * p => pointer to decoded packet struct * * Returns: void function + * + * Notes: see RFCs 1701, 2784 and 2637 */ -void DecodeEAP(const uint8_t * pkt, const uint32_t len, Packet * p) +void DecodeGRE(const uint8_t *pkt, const uint32_t len, Packet *p) { - p->eaph = (EAPHdr *) pkt; - if(len < sizeof(EAPHdr)) - { - if (ScLogVerbose()) - printf("Truncated packet\n"); - - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_EAP_TRUNCATED, 1, - DECODE_CLASS, 3, DECODE_EAP_TRUNCATED_STR, 0); - - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - - } + uint32_t hlen; /* GRE header length */ + uint32_t payload_len; - pc.discards++; + if (len < GRE_HEADER_LEN) + { + DecoderAlertEncapsulated(p, DECODE_GRE_DGRAM_LT_GREHDR, + DECODE_GRE_DGRAM_LT_GREHDR_STR, + pkt, len); return; } - if (p->eaph->code == EAP_CODE_REQUEST || - p->eaph->code == EAP_CODE_RESPONSE) { - p->eaptype = pkt + sizeof(EAPHdr); - } - return; -} -#endif // NO_NON_ETHER_DECODER -#ifndef SUP_IP6 -static INLINE void FragEvent( - Packet *p, int gid, char *str, int event_flag, int drop_flag) -{ - if(ScIdsMode() && event_flag) + if (p->encapsulated) { - queueDecoderEvent(GENERATOR_SPP_FRAG3, gid, 1, - DECODE_CLASS, 3, str, 0); - if ((ScInlineMode()) && drop_flag) - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping bad packet\n");); - InlineDrop(p); - } + /* discard packet - multiple GRE encapsulation */ + /* not sure if this is ever used but I am assuming it is not */ + DecoderAlertEncapsulated(p, DECODE_IP_MULTIPLE_ENCAPSULATION, + DECODE_IP_MULTIPLE_ENCAPSULATION_STR, + pkt, len); + return; } -} -void BsdFragHashCleanup(void) -{ - if (ipv6_frag_hash) + /* Note: Since GRE doesn't have a field to indicate header length and + * can contain a few options, we need to walk through the header to + * figure out the length + */ + + p->greh = (GREHdr *)pkt; + hlen = GRE_HEADER_LEN; + + switch 
(GRE_VERSION(p->greh)) { - sfxhash_delete(ipv6_frag_hash); - ipv6_frag_hash = NULL; - } -} + case 0x00: + /* these must not be set */ + if (GRE_RECUR(p->greh) || GRE_FLAGS(p->greh)) + { + DecoderAlertEncapsulated(p, DECODE_GRE_INVALID_HEADER, + DECODE_GRE_INVALID_HEADER_STR, + pkt, len); + return; + } -void BsdFragHashReset(void) -{ - if (ipv6_frag_hash != NULL) - sfxhash_make_empty(ipv6_frag_hash); -} + if (GRE_CHKSUM(p->greh) || GRE_ROUTE(p->greh)) + hlen += GRE_CHKSUM_LEN + GRE_OFFSET_LEN; -void BsdFragHashInit(int max) -{ - int rows = sfxhash_calcrows((int) (max * 1.4)); + if (GRE_KEY(p->greh)) + hlen += GRE_KEY_LEN; - ipv6_frag_hash = sfxhash_new( - /* one row per element in table, when possible */ - rows, - 40, /* key size padded for 64 bit alignment */ - sizeof(time_t), /* data size */ - /* Set max to the sizeof a hash node, plus the size of - * the stored data, plus the size of the key (32), plus - * this size of a node pointer plus max rows plus 1. */ - max * (40 + sizeof(SFXHASH_NODE) + sizeof(time_t) + sizeof(SFXHASH_NODE*)) - + (rows+1) * sizeof(SFXHASH_NODE*), - 1, /* enable AutoNodeRecovery */ - NULL, /* provide a function to let user know we want to kill a node */ - NULL, /* provide a function to release user memory */ - 1); /* Recycle nodes */ + if (GRE_SEQ(p->greh)) + hlen += GRE_SEQ_LEN; - if (!ipv6_frag_hash) { - FatalError("could not allocate ipv6_frag_hash"); - } -} + /* if this flag is set, we need to walk through all of the + * Source Route Entries */ + if (GRE_ROUTE(p->greh)) + { + uint16_t sre_addrfamily; + uint8_t sre_offset; + uint8_t sre_length; + const uint8_t *sre_ptr; -static INLINE void BsdFragVulnCheck(Packet *p, const uint8_t *data, uint32_t size) -{ - IP6Frag *frag; - unsigned short frag_data; - char key[40]; /* Two 16 bit IP addresses and one fragmentation ID plus pad */ - SFXHASH_NODE *hash_node; + sre_ptr = pkt + hlen; - if(sizeof(IP6Frag) > size) - { - DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, - DECODE_IPV6_TRUNCATED_EXT_STR, 
- 1, 1); - return; - } + while (1) + { + hlen += GRE_SRE_HEADER_LEN; + if (hlen > len) + break; - frag = (IP6Frag *)data; - frag_data = frag->ip6f_offlg; + sre_addrfamily = ntohs(*((uint16_t *)sre_ptr)); + sre_ptr += sizeof(sre_addrfamily); - /* Source and dest IPs */ - memcpy(key, (u_char*)p->iph + 8, 32); - *(uint32_t*)(key+32) = frag->ip6f_ident; - *(uint32_t*)(key+36) = 0; /* zero out the pad */ + sre_offset = *((uint8_t *)sre_ptr); + sre_ptr += sizeof(sre_offset); - hash_node = sfxhash_find_node(ipv6_frag_hash, key); + sre_length = *((uint8_t *)sre_ptr); + sre_ptr += sizeof(sre_length); - /* Check if the frag offset mask is set. - * If it is, we're not looking at the exploit in question */ - if(IP6F_OFFSET(frag) != 0) - { - /* If this arrives before the two 0 offset frags, we will - * still add them as though they were the first, and false - * positive */ - if(hash_node) - sfxhash_free_node(ipv6_frag_hash, hash_node); + if ((sre_addrfamily == 0) && (sre_length == 0)) + break; - return; - } + hlen += sre_length; + sre_ptr += sre_length; + } + } - /* Check if there are no more frags */ - if(!IP6F_MF(frag)) - { - /* At this point, we've seen a frag header with no offset - * that doesn't have the more flags set. Need to see if - * this follows a packet that did have the more flag set. 
*/ - if(hash_node) - { - /* Check if the first packet timed out */ - if ((p->pkth->ts.tv_sec - *(time_t *)hash_node->data) > (time_t)ScIpv6FragTimeout()) + break; + + /* PPTP */ + case 0x01: + /* these flags should never be present */ + if (GRE_CHKSUM(p->greh) || GRE_ROUTE(p->greh) || GRE_SSR(p->greh) || + GRE_RECUR(p->greh) || GRE_V1_FLAGS(p->greh)) { - sfxhash_free_node(ipv6_frag_hash, hash_node); + DecoderAlertEncapsulated(p, DECODE_GRE_V1_INVALID_HEADER, + DECODE_GRE_V1_INVALID_HEADER_STR, + pkt, len); + return; + } - FragEvent(p, FRAG3_IPV6_BAD_FRAG_PKT, - FRAG3_IPV6_BAD_FRAG_PKT_STR , - ScDecoderIpv6BadFragAlerts(), - ScDecoderIpv6BadFragDrops()); + /* protocol must be 0x880B - PPP */ + if (GRE_PROTO(p->greh) != GRE_TYPE_PPP) + { + DecoderAlertEncapsulated(p, DECODE_GRE_V1_INVALID_HEADER, + DECODE_GRE_V1_INVALID_HEADER_STR, + pkt, len); return; } - if(size > 100) + /* this flag should always be present */ + if (!(GRE_KEY(p->greh))) { - /* XXX One of the alert message or alert type is mixed up? 
*/ - FragEvent(p, FRAG3_IPV6_BSD_ICMP_FRAG, - FRAG3_IPV6_BSD_ICMP_FRAG_STR, - ScDecoderIpv6BadFragAlerts(), - ScDecoderIpv6BadFragDrops()); + DecoderAlertEncapsulated(p, DECODE_GRE_V1_INVALID_HEADER, + DECODE_GRE_V1_INVALID_HEADER_STR, + pkt, len); return; } - sfxhash_free_node(ipv6_frag_hash, hash_node); - - FragEvent(p, FRAG3_IPV6_BAD_FRAG_PKT, - FRAG3_IPV6_BAD_FRAG_PKT_STR , - ScDecoderIpv6BadFragAlerts(), - ScDecoderIpv6BadFragDrops()); - return; - } - - /* We never saw the first packet, but this one is still bogus */ - FragEvent(p, FRAG3_IPV6_BAD_FRAG_PKT, - FRAG3_IPV6_BAD_FRAG_PKT_STR , - ScDecoderIpv6BadFragAlerts(), - ScDecoderIpv6BadFragDrops()); - return; - } - - /* At this point, we've seen a header with no offset and a - * more flag */ - if(!hash_node) - { - /* There are more frags remaining, add current to hash */ - if(sfxhash_add(ipv6_frag_hash, key, (void *)&p->pkth->ts.tv_sec) - == SFXHASH_NOMEM) - { - return; - } - } - else - { - /* Update this node's timestamp */ - *(time_t *)hash_node->data = p->pkth->ts.tv_sec; - } -} -#endif + hlen += GRE_KEY_LEN; + if (GRE_SEQ(p->greh)) + hlen += GRE_SEQ_LEN; -#ifdef SUP_IP6 -/* - * Function: DecodeICMPEmbeddedIP6(uint8_t *, const uint32_t, Packet *) - * - * Purpose: Decode the ICMP embedded IP6 header + payload - * - * Arguments: pkt => ptr to the packet data - * len => length from here to the end of the packet - * p => pointer to dummy packet decode struct - * - * Returns: void function - */ -void DecodeICMPEmbeddedIP6(const uint8_t *pkt, const uint32_t len, Packet *p) -{ - uint32_t ip_len; /* length from the start of the ip hdr to the - * pkt end */ - uint32_t hlen; /* ip header length */ - uint16_t orig_frag_offset; - + if (GRE_V1_ACK(p->greh)) + hlen += GRE_V1_ACK_LEN; - /* lay the IP struct over the raw data */ - IP6Hdr *ip6h = (IP6Hdr *) pkt; - pc.embdip++; + break; - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "DecodeICMPEmbeddedIP6: ip header" - " starts at: %p, length is %lu\n", ip6h, - (unsigned long) 
len);); + default: + DecoderAlertEncapsulated(p, DECODE_GRE_INVALID_VERSION, + DECODE_GRE_INVALID_VERSION_STR, + pkt, len); + return; + } - /* do a little validation */ - if(len < IP6_HDR_LEN) + if (hlen > len) { - if (ScLogVerbose()) - ErrorMessage("ICMP6: IP short header (%d bytes)\n", len); - - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_ICMP_ORIG_IP_TRUNCATED, 1, DECODE_CLASS, 3, - DECODE_ICMP_ORIG_IP_TRUNCATED_STR, 0); - - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - } - - pc.discards++; + DecoderAlertEncapsulated(p, DECODE_GRE_DGRAM_LT_GREHDR, + DECODE_GRE_DGRAM_LT_GREHDR_STR, + pkt, len); return; } - /* - * with datalink DLT_RAW it's impossible to differ ARP datagrams from IP. - * So we are just ignoring non IP datagrams - */ -// XXX-IPv6 double check this - checking version in IPv6 header - if((ip6h->vcl & 0xf0) != 0x60) - { - if (ScLogVerbose()) - { - ErrorMessage("ICMP: not IPv6 datagram " - "([ver: 0x%x][len: 0x%x])\n", - // XXX-IPv6 shouldn't the length be ntohs'ed? 
- (ip6h->vcl & 0x0f)>>4, ip6h->len); + PushLayer(PROTO_GRE, p, pkt, hlen); + payload_len = len - hlen; - } + /* Send to next protocol decoder */ + /* As described in RFC 2784 the possible protocols are listed in + * RFC 1700 under "ETHER TYPES" + * See also "Current List of Protocol Types" in RFC 1701 + */ + switch (GRE_PROTO(p->greh)) + { + case ETHERNET_TYPE_IP: + DecodeIP(pkt + hlen, payload_len, p); + return; - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_ICMP_ORIG_IP_NOT_IPV4, 1, DECODE_CLASS, 3, - DECODE_ICMP_ORIG_IP_NOT_IPV4_STR, 0); + case GRE_TYPE_TRANS_BRIDGING: + DecodeTransBridging(pkt + hlen, payload_len, p); + return; - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - } - pc.discards++; - return; - } + case ETHERNET_TYPE_ARP: + case ETHERNET_TYPE_REVARP: + /* clear outer IP headers */ + p->iph = NULL; +#ifdef SUP_IP6 + p->family = NO_IP; +#endif + DecodeARP(pkt + hlen, payload_len, p); + return; - /* set the IP datagram length */ - ip_len = ntohs(ip6h->len); + case ETHERNET_TYPE_IPV6: + DecodeIPV6(pkt + hlen, payload_len, p); + return; - /* set the IP header length */ - hlen = (ip6h->vcl & 0x0f ) << 2; + case GRE_TYPE_PPP: + DecodePppPktEncapsulated(pkt + hlen, payload_len, p); + return; - if(len < hlen) - { - if (ScLogVerbose()) - { - ErrorMessage("ICMP6: IP6 len (%d bytes) < " - "IP6 hdr len (%d bytes), packet discarded\n", ip_len, hlen); - } +#ifndef NO_NON_ETHER_DECODER + case ETHERNET_TYPE_IPX: + DecodeIPX(pkt + hlen, payload_len, p); + return; +#endif - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP, 1, DECODE_CLASS, 3, - DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP_STR, 0); + case ETHERNET_TYPE_LOOP: + DecodeEthLoopback(pkt + hlen, payload_len, p); + return; - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - } + /* not sure if this occurs, but 802.1q is an Ether type */ + case ETHERNET_TYPE_8021Q: + DecodeVlan(pkt + hlen, payload_len, p); + return; - 
pc.discards++; - return; + default: + // TBD add decoder drop event for unknown gre/eth type + pc.other++; + p->data = pkt + hlen; + p->dsize = (uint16_t)payload_len; + return; } -#ifdef SUP_IP6 - sfiph_orig_build(p, pkt, AF_INET6); -#endif +} +#endif // GRE - /* set the remaining packet length */ - ip_len = len - hlen; +//-------------------------------------------------------------------- +// decode.c::GTP +//-------------------------------------------------------------------- - orig_frag_offset = ntohs(GET_ORIG_IPH_OFF(p)); - orig_frag_offset &= 0x1FFF; +/* Function: DecodeGTP(uint8_t *, uint32_t, Packet *) + * + * GTP (GPRS Tunneling Protocol) is layered over UDP. + * Decode these (if present) and go to DecodeIPv6/DecodeIP. + * + */ -// XXX NOT YET IMPLEMENTED - fragments inside ICMP payload -#if 0 - if (orig_frag_offset == 0) +void DecodeGTP(const uint8_t *pkt, uint32_t len, Packet *p) +{ + uint32_t header_len; + uint8_t next_hdr_type; + uint8_t version; + uint8_t ip_ver; + GTPHdr *hdr; + + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Start GTP decoding.\n");); + + hdr = (GTPHdr *) pkt; + + if (p->GTPencapsulated) { - /* Original IP payload should be 64 bits */ - if (ip_len < 8) - { - if (ScLogVerbose()) - { - ErrorMessage("ICMP6: IP6 payload length < 64 bits\n"); - } + DecoderAlertEncapsulated(p, DECODE_GTP_MULTIPLE_ENCAPSULATION, + DECODE_GTP_MULTIPLE_ENCAPSULATION_STR, + pkt, len); + return; + } + else + { + p->GTPencapsulated = 1; + } + /*Check the length*/ + if (len < GTP_MIN_LEN) + return; + /* We only care about PDU*/ + if ( hdr->type != 255) + return; + /*Check whether this is GTP or GTP', Exit if GTP'*/ + if (!(hdr->flag & 0x10)) + return; - if(ScIdsMode()) - { - sfActionQueueAdd(GENERATOR_SNORT_DECODE, - DECODE_ICMP_ORIG_PAYLOAD_LT_64, 1, DECODE_CLASS, 3, - DECODE_ICMP_ORIG_PAYLOAD_LT_64_STR, 0); + /*The first 3 bits are version number*/ + version = (hdr->flag & 0xE0) >> 5; + switch (version) + { + case 0: /*GTP v0*/ + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, 
"GTP v0 packets.\n");); - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - } + header_len = GTP_V0_HEADER_LEN; + /*Check header fields*/ + if (len < header_len) + { + DecoderEvent(p, EVARGS(GTP_BAD_LEN), 1, 1); + return; + } + + p->proto_bits |= PROTO_BIT__GTP; + /*Check the length field. */ + if (len != ((unsigned int)ntohs(hdr->length) + header_len)) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Calculated length %d != %d in header.\n", + len - header_len, ntohs(hdr->length));); + DecoderEvent(p, EVARGS(GTP_BAD_LEN), 1, 1); return; } - /* ICMP6 error packets could contain as much of original payload - * as possible, but not exceed the MTU - */ -#warning "MTU?" - else if (ntohs(p->iph->ip_len) > 576) + + break; + case 1: /*GTP v1*/ + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "GTP v1 packets.\n");); + + /*Check the length based on optional fields and extension header*/ + if (hdr->flag & 0x07) { - if (ScLogVerbose()) + + header_len = GTP_V1_HEADER_LEN; + + /*Check optional fields*/ + if (len < header_len) { - ErrorMessage("ICMP: ICMP error packet length > 576 bytes\n"); + DecoderEvent(p, EVARGS(GTP_BAD_LEN), 1, 1); + return; } + next_hdr_type = *(pkt + header_len - 1); - if(ScIdsMode()) + /*Check extension headers*/ + while (next_hdr_type) { - sfActionQueueAdd(GENERATOR_SNORT_DECODE, - DECODE_ICMP_ORIG_PAYLOAD_GT_576, 1, DECODE_CLASS, 3, - DECODE_ICMP_ORIG_PAYLOAD_GT_576_STR, 0); + /*check length before reading data*/ + if (len < header_len + 4) + { + DecoderEvent(p, EVARGS(GTP_BAD_LEN), 1, 1); + return; + } + /*Extension header length is a unit of 4 octets*/ + header_len += *(pkt + header_len) * 4; - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); + /*check length before reading data*/ + if (len < header_len) + { + DecoderEvent(p, EVARGS(GTP_BAD_LEN), 1, 1); + return; } + next_hdr_type = *(pkt + header_len - 1); } } - } - else - { - /* RFC states that only first frag will get an ICMP response */ - if(ScIdsMode()) + else + header_len = GTP_MIN_LEN; + + 
p->proto_bits |= PROTO_BIT__GTP; + + /*Check the length field. */ + if (len != ((unsigned int)ntohs(hdr->length) + GTP_MIN_LEN)) { - sfActionQueueAdd(GENERATOR_SNORT_DECODE, - DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET, 1, DECODE_CLASS, 3, - DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET_STR, 0); - - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Calculated length %d != %d in header.\n", + len - GTP_MIN_LEN, ntohs(hdr->length));); + DecoderEvent(p, EVARGS(GTP_BAD_LEN), 1, 1); + return; } + break; + default: + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Unknown protocol version.\n");); return; + } -#endif - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "ICMP6 Unreachable IP6 header length: " - "%lu\n", (unsigned long)hlen);); + PushLayer(PROTO_GTP, p, pkt, header_len); - switch(GET_ORIG_IPH_PROTO(p)) + len -= header_len; + if (len > 0) { - case IPPROTO_TCP: /* decode the interesting part of the header */ - p->orig_tcph = (TCPHdr *)(pkt + hlen); - - /* stuff more data into the printout data struct */ - p->orig_sp = ntohs(p->orig_tcph->th_sport); - p->orig_dp = ntohs(p->orig_tcph->th_dport); - - break; + ip_ver = *(pkt+header_len) & 0xF0; + if (ip_ver == 0x40) + DecodeIP(pkt+header_len, len, p); + else if (ip_ver == 0x60) + DecodeIPV6(pkt+header_len, len, p); + p->packet_flags &= ~PKT_UNSURE_ENCAP; + } - case IPPROTO_UDP: - p->orig_udph = (UDPHdr *)(pkt + hlen); +} - /* fill in the printout data structs */ - p->orig_sp = ntohs(p->orig_udph->uh_sport); - p->orig_dp = ntohs(p->orig_udph->uh_dport); +//-------------------------------------------------------------------- +// decode.c::UDP +//-------------------------------------------------------------------- - break; +/* UDP-layer decoder alerts */ +static inline void UDPMiscTests(Packet *p) +{ + if ( Event_Enabled(DECODE_UDP_LARGE_PACKET) ) + { + if (p->dsize > 4000) + DecoderEvent(p, EVARGS(UDP_LARGE_PACKET), 1, 1); + } - case IPPROTO_ICMP: - p->orig_icmph = (ICMPHdr *)(pkt + hlen); - break; + if ( 
Event_Enabled(DECODE_UDP_PORT_ZERO) ) + { + if (p->sp == 0 || p->dp == 0) + DecoderEvent(p, EVARGS(UDP_PORT_ZERO), 1, 1); } +} - return; +/* + * Function: DecodeUDP(uint8_t *, const uint32_t, Packet *) + * + * Purpose: Decode the UDP transport layer + * + * Arguments: pkt => ptr to the packet data + * len => length from here to the end of the packet + * p => pointer to decoded packet struct + * + * Returns: void function + */ +static inline void PopUdp (Packet* p) +{ + p->udph = p->outer_udph; + p->outer_udph = NULL; + pc.discards++; + pc.udisc++; + + // required for detect.c to short-circuit preprocessing + if ( !p->dsize ) + p->dsize = p->ip_dsize; } -void DecodeICMP6(const uint8_t *pkt, uint32_t len, Packet *p) +void DecodeUDP(const uint8_t * pkt, const uint32_t len, Packet * p) { - if(len < ICMP6_MIN_HEADER_LEN) + struct pseudoheader6 { - if (ScLogVerbose()) - { - ErrorMessage("WARNING: Truncated ICMP header " - "(%d bytes)\n", len); - } - - pc.discards++; + uint32_t sip[4], dip[4]; + uint8_t zero; + uint8_t protocol; + uint16_t udplen; + }; + + struct pseudoheader + { + uint32_t sip, dip; + uint8_t zero; + uint8_t protocol; + uint16_t udplen; + }; + uint16_t uhlen; + u_char fragmented_udp_flag = 0; + + if (p->proto_bits & (PROTO_BIT__TEREDO | PROTO_BIT__GTP)) + p->outer_udph = p->udph; + + if(len < sizeof(UDPHdr)) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "Truncated UDP header (%d bytes)\n", len);); + + DecoderEvent(p, DECODE_UDP_DGRAM_LT_UDPHDR, + DECODE_UDP_DGRAM_LT_UDPHDR_STR, 1, 1); + + PopUdp(p); return; } - - p->icmph = (ICMPHdr*)pkt; -// p->icmp6h = pkt; -// p->icmph = (ICMPHdr*)p->icmp6h; -// memcpy(&p->icmp6h, pkt, ICMP6_MIN_HEADER_LEN); -// p->icmp6h.body = pkt + ICMP6_MIN_HEADER_LEN; - /* Do checksums */ - if(ScIcmpChecksums() && in_chksum_icmp6((uint16_t*)p->icmph, len)) - { - p->csum_flags |= CSE_ICMP; + /* set the ptr to the start of the UDP header */ + p->inner_udph = p->udph = (UDPHdr *) pkt; - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad 
ICMP Checksum\n");); - - if (ScIdsMode() && ScInlineMode()) - queueIcmpChksmInlineDrop(p); + if (!p->frag_flag) + { + uhlen = ntohs(p->udph->uh_len); } else { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE,"ICMP Checksum: OK\n");); + if(IS_IP6(p)) + { + uint16_t ip_len = ntohs(GET_IPH_LEN(p)); + /* subtract the distance from udp header to 1st ip6 extension */ + /* This gives the length of the UDP "payload", when fragmented */ + uhlen = ip_len - ((u_char *)p->udph - (u_char *)p->ip6_extensions[0].data); + } + else + { + uint16_t ip_len = ntohs(GET_IPH_LEN(p)); + /* Don't forget, IP_HLEN is a word - multiply x 4 */ + uhlen = ip_len - (GET_IPH_HLEN(p) * 4 ); + } + fragmented_udp_flag = 1; } - - p->dsize = (u_short)(len - ICMP6_MIN_HEADER_LEN); - p->data = pkt + ICMP6_MIN_HEADER_LEN; + /* verify that the header len is a valid value */ + if(uhlen < UDP_HEADER_LEN) + { + DecoderEvent(p, DECODE_UDP_DGRAM_INVALID_LENGTH, + DECODE_UDP_DGRAM_INVALID_LENGTH_STR, 1, 1); - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "ICMP type: %d code: %d\n", - p->icmph->code, p->icmph->type);); + PopUdp(p); + return; + } - switch(p->icmph->type) + /* make sure there are enough bytes as designated by length field */ + if(uhlen > len) { - case ICMP6_ECHO: - case ICMP6_REPLY: - if (p->dsize >= sizeof(struct idseq)) + DecoderEventDrop(p, DECODE_UDP_DGRAM_SHORT_PACKET, + DECODE_UDP_DGRAM_SHORT_PACKET_STR, + ScDecoderOversizedAlerts(), + ScDecoderOversizedDrops()); + + PopUdp(p); + return; + } + else if(uhlen < len) + { + DecoderEvent(p, DECODE_UDP_DGRAM_LONG_PACKET, + DECODE_UDP_DGRAM_LONG_PACKET_STR, 1, 1); + + PopUdp(p); + return; + } + + if (ScUdpChecksums()) + { + /* look at the UDP checksum to make sure we've got a good packet */ + uint16_t csum; +#ifdef SUP_IP6 + if(IS_IP4(p)) + { + struct pseudoheader ph; + ph.sip = *p->ip4h->ip_src.ip32; + ph.dip = *p->ip4h->ip_dst.ip32; +#else + struct pseudoheader ph; + ph.sip = (uint32_t)(p->iph->ip_src.s_addr); + ph.dip = (uint32_t)(p->iph->ip_dst.s_addr); +#endif + 
ph.zero = 0; + ph.protocol = GET_IPH_PROTO(p); + ph.udplen = p->udph->uh_len; + /* Don't do checksum calculation if + * 1) Fragmented, OR + * 2) UDP header chksum value is 0. + */ + if( !fragmented_udp_flag && p->udph->uh_chk ) { - p->icmp6h = (ICMP6Hdr *)pkt; - /* Set data pointer to that of the "echo message" */ - p->dsize -= sizeof(struct idseq); /* add the size of the - * echo ext to the data - * ptr and subtract it - * from the data size */ - p->data += sizeof(struct idseq); + csum = in_chksum_udp((uint16_t *)&ph, + (uint16_t *)(p->udph), uhlen); } else { - if (ScLogVerbose()) - { - ErrorMessage("WARNING: Truncated ICMP Echo header " - "(%d bytes)\n", len); - } - - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_ICMP_DGRAM_LT_ICMPHDR, 1, DECODE_CLASS, 3, - DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 0); - - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - } - - p->icmp6h = NULL; - pc.discards++; - pc.icmpdisc++; - return; + csum = 0; } - break; +#ifdef SUP_IP6 + } + else + { + struct pseudoheader6 ph6; + COPY4(ph6.sip, p->ip6h->ip_src.ip32); + COPY4(ph6.dip, p->ip6h->ip_dst.ip32); + ph6.zero = 0; + ph6.protocol = GET_IPH_PROTO(p); + ph6.udplen = htons((u_short)len); - case ICMP6_TIME: - case ICMP6_PARAMS: - case ICMP6_BIG: - case ICMP6_UNREACH: - if (p->dsize >= 4) + /* Alert on checksum value 0 for ipv6 packets */ + if(!p->udph->uh_chk) { - p->icmp6h = (ICMP6Hdr *)pkt; - /* Set data pointer past the 'unused/mtu/pointer block */ - p->data += 4; - p->dsize -= 4; - DecodeICMPEmbeddedIP6(p->data, p->dsize, p); + csum = 1; + DecoderEvent(p, DECODE_UDP_IPV6_ZERO_CHECKSUM, + DECODE_UDP_IPV6_ZERO_CHECKSUM_STR, 1, 1); + } + /* Don't do checksum calculation if + * 1) Fragmented + * (UDP checksum is not optional in IP6) + */ + else if( !fragmented_udp_flag ) + { + csum = in_chksum_udp6((uint16_t *)&ph6, + (uint16_t *)(p->udph), uhlen); } else { - if (ScLogVerbose()) - { - ErrorMessage("WARNING: Truncated ICMP header " - "(%d bytes)\n", len); - } 
- - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_ICMP_DGRAM_LT_ICMPHDR, 1, DECODE_CLASS, 3, - DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 0); - - if (ScInlineMode()) - { - queueDecoderInlineDrop(p); - } - } - - p->icmp6h = NULL; - pc.discards++; - pc.icmpdisc++; + csum = 0; + } + } +#endif + if(csum) + { + /* Don't drop the packet if this was ESP or Teredo. + Just stop decoding. */ + if (p->packet_flags & PKT_UNSURE_ENCAP) + { + PopUdp(p); return; } - break; + + p->error_flags |= PKT_ERR_CKSUM_UDP; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad UDP Checksum\n");); + + if ( ScIdsMode() ) + queueExecDrop(execUdpChksmDrop, p); + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "UDP Checksum: OK\n");); + } } - p->proto_bits |= PROTO_BIT__ICMP; -} + /* fill in the printout data structs */ + p->sp = ntohs(p->udph->uh_sport); + p->dp = ntohs(p->udph->uh_dport); -void DecodeIPV6Extensions(uint8_t next, const uint8_t *pkt, uint32_t len, Packet *p); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "UDP header starts at: %p\n", p->udph);); -void DecodeIPV6Options(int type, const uint8_t *pkt, uint32_t len, Packet *p) -{ - IP6Extension *exthdr; - uint32_t hdrlen = 0; + PushLayer(PROTO_UDP, p, pkt, sizeof(*p->udph)); - /* This should only be called by DecodeIPV6 or DecodeIPV6Extensions - * so no validation performed. Otherwise, uncomment the following: */ - /* if(IPH_IS_VALID(p)) return */ + p->data = (uint8_t *) (pkt + UDP_HEADER_LEN); - pc.ipv6opts++; + /* length was validated up above */ + p->dsize = uhlen - UDP_HEADER_LEN; - /* Need at least two bytes, one for next header, one for len. */ - /* But size is an integer multiple of 8 octets, so 8 is min. 
*/ - if(len < sizeof(IP6Extension)) + p->proto_bits |= PROTO_BIT__UDP; + + /* Drop packet if we ignore this port */ + if (ScIgnoreUdpPort(p->sp) || ScIgnoreUdpPort(p->dp)) { - DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, - DECODE_IPV6_TRUNCATED_EXT_STR, - 1, 1); + /* Ignore all preprocessors for this packet */ + p->packet_flags |= PKT_IGNORE_PORT; return; } - exthdr = (IP6Extension *)pkt; + UDPMiscTests(p); - if(p->ip6_extension_count < IP6_EXTMAX) +#ifdef SUP_IP6 + if (p->sp == TEREDO_PORT || + p->dp == TEREDO_PORT || + ScDeepTeredoInspection()) { - p->ip6_extensions[p->ip6_extension_count].type = type; - p->ip6_extensions[p->ip6_extension_count].data = pkt; + if ( !p->frag_flag ) + DecodeTeredo(pkt + sizeof(UDPHdr), len - sizeof(UDPHdr), p); + } +#endif + if (ScGTPDecoding() && + (ScIsGTPPort(p->sp)||ScIsGTPPort(p->dp))) + { + if ( !p->frag_flag ) + DecodeGTP(pkt + sizeof(UDPHdr), len - sizeof(UDPHdr), p); + } - switch (type) - { - case IPPROTO_HOPOPTS: - if (len < sizeof(IP6HopByHop)) - { - DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, - DECODE_IPV6_TRUNCATED_EXT_STR, - 1, 1); - return; - } - hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3); - break; - case IPPROTO_DSTOPTS: - if (len < sizeof(IP6Dest)) - { - DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, - DECODE_IPV6_TRUNCATED_EXT_STR, - 1, 1); - return; - } - hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3); - break; - case IPPROTO_ROUTING: - if (len < sizeof(IP6Route)) - { - DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, - DECODE_IPV6_TRUNCATED_EXT_STR, - 1, 1); - return; - } - hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3); - break; - case IPPROTO_FRAGMENT: - { - IP6Frag *ip6frag_hdr = (IP6Frag *)pkt; - if (len < sizeof(IP6Frag)) - { - DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, - DECODE_IPV6_TRUNCATED_EXT_STR, - 1, 1); - return; - } - /* If this is an IP Fragment, set some data... 
*/ - p->ip6_frag_index = p->ip6_extension_count; - p->ip_frag_start = pkt + sizeof(IP6Frag); - p->frag_flag = 1; - pc.frag6++; - - p->df = 0; - p->rf = IP6F_RES(ip6frag_hdr); - p->mf = IP6F_MF(ip6frag_hdr); - p->frag_offset = IP6F_OFFSET(ip6frag_hdr); - } - hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3); - p->ip_frag_len = (uint16_t)(len - hdrlen); - break; - default: - hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3); - break; - } +} - p->ip6_extension_count++; - } +//-------------------------------------------------------------------- +// decode.c::TCP +//-------------------------------------------------------------------- - if(hdrlen > len) +/* TCP-layer decoder alerts */ +static inline void TCPMiscTests(Packet *p) +{ + if ( Event_Enabled(DECODE_TCP_SHAFT_SYNFLOOD) ) { - DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, - DECODE_IPV6_TRUNCATED_EXT_STR, - 1, 1); - return; + if ( ((p->tcph->th_flags & TH_NORESERVED) == TH_SYN ) && + (p->tcph->th_seq == htonl(674711609)) ) + DecoderEvent(p, EVARGS(TCP_SHAFT_SYNFLOOD), 1, 1); } - DecodeIPV6Extensions(*pkt, pkt + hdrlen, len - hdrlen, p); + if ( Event_Enabled(DECODE_TCP_PORT_ZERO) ) + { + if (p->sp == 0 || p->dp == 0) + DecoderEvent(p, EVARGS(TCP_PORT_ZERO), 1, 1); + } } -void DecodeIPV6Extensions(uint8_t next, const uint8_t *pkt, uint32_t len, Packet *p) +/* + * Function: DecodeTCP(uint8_t *, const uint32_t, Packet *) + * + * Purpose: Decode the TCP transport layer + * + * Arguments: pkt => ptr to the packet data + * len => length from here to the end of the packet + * p => Pointer to packet decode struct + * + * Returns: void function + */ +void DecodeTCP(const uint8_t * pkt, const uint32_t len, Packet * p) { - pc.ip6ext++; - -#ifdef GRE - if (p->greh != NULL) - pc.gre_ipv6ext++; -#endif + struct pseudoheader6 /* pseudo header for TCP checksum calculations */ + { + uint32_t sip[4], dip[4]; /* IP addr */ + uint8_t zero; /* checksum placeholder */ + uint8_t protocol; /* protocol number */ + uint16_t tcplen; 
/* tcp packet length */ + }; - /* XXX might this introduce an issue if the "next" field is invalid? */ - p->ip6h->next = next; + struct pseudoheader /* pseudo header for TCP checksum calculations */ + { + uint32_t sip, dip; /* IP addr */ + uint8_t zero; /* checksum placeholder */ + uint8_t protocol; /* protocol number */ + uint16_t tcplen; /* tcp packet length */ + }; + uint32_t hlen; /* TCP header length */ - if (ScIdsMode()) + if(len < TCP_HEADER_LEN) { - /* See if there are any ip_proto only rules that match */ - fpEvalIpProtoOnlyRules(snort_conf->ip_proto_only_lists, p); - p->proto_bits |= PROTO_BIT__IP; - } + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "TCP packet (len = %d) cannot contain " "20 byte header\n", len);); - switch(next) { - case IPPROTO_TCP: - pc.tcp6++; - DecodeTCP(pkt, len, p); - return; - case IPPROTO_UDP: - pc.udp6++; - DecodeUDP(pkt, len, p); - return; - case IPPROTO_ICMP: - pc.icmp++; - DecodeICMP(pkt, len, p); - return; - case IPPROTO_ICMPV6: - pc.icmp6++; - DecodeICMP6(pkt , len, p); - return; -#ifndef SUP_IP6 - case IPPROTO_FRAGMENT: - /* This should later be moved into frag3 */ - BsdFragVulnCheck(p, pkt, len); + DecoderEvent(p, DECODE_TCP_DGRAM_LT_TCPHDR, + DECODE_TCP_DGRAM_LT_TCPHDR_STR, 1, 1); - // XXX - // Fragmentation not yet supported - // DecodeIPv6FragHdr(p, pkt); - // XXX - - p->frag_flag = 1; - pc.frag6++; - p->dsize = 0; - return; -#endif - case IPPROTO_NONE: - p->dsize = 0; - return; - case IPPROTO_HOPOPTS: - case IPPROTO_DSTOPTS: - case IPPROTO_ROUTING: -#ifdef SUP_IP6 - case IPPROTO_FRAGMENT: -#endif - DecodeIPV6Options(next, pkt, len, p); - // Anything special to do here? just return? 
- return; -#ifdef GRE - case IPPROTO_GRE: - pc.gre++; - DecodeGRE(pkt, len, p); - return; - case IPPROTO_IPIP: - pc.ip6ip4++; - DecodeIP(pkt, len, p); - return; - case IPPROTO_IPV6: - pc.ip6ip6++; - DecodeIPV6(pkt, len, p); - return; -#endif - default: - // There may be valid headers after this unsupported one, - // need to decode this header, set "next" and continue - // looping. - pc.other++; - p->data = pkt; - p->dsize = (uint16_t)len; - break; - }; -} -#endif /* SUP_IP6 */ + p->tcph = NULL; + pc.discards++; + pc.tdisc++; + return; + } -#ifndef SUP_IP6 + /* lay TCP on top of the data cause there is enough of it! */ + p->tcph = (TCPHdr *) pkt; -/* This is the Snort-IPv4 version of the IPv6 BSD frag checking code */ + /* multiply the payload offset value by 4 */ + hlen = TCP_OFFSET(p->tcph) << 2; -#define IPV6_FRAG_STR_ALERTED 1 -#define IPV6_FRAG_NO_ALERT 0 -#define IPV6_FRAG_ALERT 1 -#define IPV6_FRAG_BAD_PKT 2 -#define IPV6_MIN_TTL_EXCEEDED 3 -#define IPV6_IS_NOT 4 -#define IPV6_TRUNCATED_EXT 5 -#define IPV6_TRUNCATED_FRAG 6 -#define IPV6_TRUNCATED 7 + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "TCP th_off is %d, passed len is %lu\n", + TCP_OFFSET(p->tcph), (unsigned long)len);); -int CheckIPV6Frag (char *data, uint32_t size, Packet *p) -{ - typedef struct _IP6HdrChain + if(hlen < TCP_HEADER_LEN) { - uint8_t next_header; - uint8_t length; - } IP6HdrChain; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "TCP Data Offset (%d) < hlen (%d) \n", + TCP_OFFSET(p->tcph), hlen);); - IP6RawHdr *hdr; - IP6Frag *frag; - IP6HdrChain *chain; - uint8_t next_header; - uint32_t offset; - unsigned int header_length; - unsigned short frag_data; - char key[40]; /* Two 16 bit IP addresses and one fragmentation ID plus pad */ - SFXHASH_NODE *hash_node; - - if (sizeof(IP6RawHdr) > size) - return IPV6_TRUNCATED; - - hdr = (IP6RawHdr *) data; + DecoderEvent(p, DECODE_TCP_INVALID_OFFSET, + DECODE_TCP_INVALID_OFFSET_STR, 1, 1); - if (((hdr->ip6vfc & 0xf0) >> 4) != 6) - return IPV6_IS_NOT; - - if 
(sizeof(IP6RawHdr) + ntohs(hdr->ip6plen) > size) - return IPV6_TRUNCATED; + p->tcph = NULL; + pc.discards++; + pc.tdisc++; - /* Check TTL */ - if(hdr->ip6hops < ScMinTTL()) - { - return IPV6_MIN_TTL_EXCEEDED; + return; } - next_header = hdr->ip6nxt; - offset = sizeof(IP6RawHdr); - - while (offset < size) + if(hlen > len) { - switch (next_header) { - case IP_PROTO_IPV6: - return CheckIPV6Frag(data + offset, size - offset, p); - case IP_PROTO_HOPOPTS: - case IP_PROTO_ROUTING: - case IP_PROTO_AH: - case IP_PROTO_DSTOPTS: - if (sizeof(IP6HdrChain) + offset > size) - return IPV6_TRUNCATED_EXT; - - chain = (IP6HdrChain* ) (data + offset); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "TCP Data Offset(%d) < longer than payload(%d)!\n", + TCP_OFFSET(p->tcph) << 2, len);); - next_header = chain->next_header; - header_length = 8 + (8 * chain->length); + DecoderEventDrop(p, DECODE_TCP_LARGE_OFFSET, + DECODE_TCP_LARGE_OFFSET_STR, + ScDecoderOversizedAlerts(), + ScDecoderOversizedDrops()); - if (offset + header_length > size) - return IPV6_TRUNCATED_EXT; + p->tcph = NULL; + pc.discards++; + pc.tdisc++; - offset += header_length; - break; + return; + } - case IP_PROTO_FRAGMENT: - if (offset + sizeof(IP6Frag) > size) - return IPV6_TRUNCATED_EXT; + /* Checksum code moved in front of the other decoder alerts. + If it's a bad checksum (maybe due to encrypted ESP traffic), the other + alerts could be false positives. 
*/ + if (ScTcpChecksums()) + { + uint16_t csum; +#ifdef SUP_IP6 + if(IS_IP4(p)) + { + struct pseudoheader ph; + ph.sip = *p->ip4h->ip_src.ip32; + ph.dip = *p->ip4h->ip_dst.ip32; +#else + struct pseudoheader ph; + ph.sip = (uint32_t)(p->iph->ip_src.s_addr); + ph.dip = (uint32_t)(p->iph->ip_dst.s_addr); +#endif + /* setup the pseudo header for checksum calculation */ + ph.zero = 0; + ph.protocol = GET_IPH_PROTO(p); + ph.tcplen = htons((u_short)len); - frag = (IP6Frag *) (data + offset); - frag_data = frag->ip6f_offlg; + /* if we're being "stateless" we probably don't care about the TCP + * checksum, but it's not bad to keep around for shits and giggles */ + /* calculate the checksum */ + csum = in_chksum_tcp((uint16_t *)&ph, (uint16_t *)(p->tcph), len); +#ifdef SUP_IP6 + } + /* IPv6 traffic */ + else + { + struct pseudoheader6 ph6; + COPY4(ph6.sip, p->ip6h->ip_src.ip32); + COPY4(ph6.dip, p->ip6h->ip_dst.ip32); + ph6.zero = 0; + ph6.protocol = GET_IPH_PROTO(p); + ph6.tcplen = htons((u_short)len); - /* srcip / dstip */ - memcpy(key, (data + 8), 32); - *(uint32_t*)(key+32) = frag->ip6f_ident; - *(uint32_t*)(key+36) = 0; /* zero out pad */ + csum = in_chksum_tcp6((uint16_t *)&ph6, (uint16_t *)(p->tcph), len); + } +#endif - hash_node = sfxhash_find_node(ipv6_frag_hash, key); + if(csum) + { + /* Don't drop the packet if this is encapuslated in Teredo or ESP. + Just get rid of the TCP header and stop decoding. */ + if (p->packet_flags & PKT_UNSURE_ENCAP) + { + p->tcph = NULL; + return; + } - /* Check if the frag offset mask is set. 
- * If it is, we're not looking at the exploit in question */ - if(IP6F_OFFSET(frag) != 0) - { - /* If this arrives before the two 0 offset frags, we will - * still add them as though they were the first, and false - * positive */ - if(hash_node) sfxhash_free_node(ipv6_frag_hash, hash_node); - return IPV6_FRAG_NO_ALERT; - } + p->error_flags |= PKT_ERR_CKSUM_TCP; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad TCP checksum\n", + "0x%x versus 0x%x\n", csum, + ntohs(p->tcph->th_sum));); - /* Check if there are no more frags */ - if(!IP6F_MF(frag)) - { - /* At this point, we've seen a frag header with no offset - * that doesn't have the more flags set. Need to see if - * this follows a packet that did have the more flag set. */ - if(hash_node) - { - /* Check if the first packet timed out */ - if((p->pkth->ts.tv_sec - *(time_t *)hash_node->data) > (time_t)ScIpv6FragTimeout()) - { - sfxhash_free_node(ipv6_frag_hash, hash_node); - return IPV6_FRAG_BAD_PKT; - } + if ( ScIdsMode() ) + queueExecDrop(execTcpChksmDrop, p); + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE,"TCP Checksum: OK\n");); + } + } - if(size - offset > 100) - { - return IPV6_FRAG_ALERT; - } + if(Event_Enabled(DECODE_TCP_XMAS) || Event_Enabled(DECODE_TCP_NMAP_XMAS)) + { + if(TCP_ISFLAGSET(p->tcph, (TH_FIN|TH_PUSH|TH_URG))) + { + if(TCP_ISFLAGSET(p->tcph, (TH_SYN|TH_ACK|TH_RST))) + { + DecoderEvent(p, DECODE_TCP_XMAS, DECODE_TCP_XMAS_STR, 1, 1); + } + else + { + DecoderEvent(p, DECODE_TCP_NMAP_XMAS, DECODE_TCP_NMAP_XMAS_STR, 1, 1); + } + // Allowing this packet for further processing + // (in case there is a valid data inside it). 
+ /*p->tcph = NULL; + pc.discards++; + pc.tdisc++; + return;*/ + } + } - sfxhash_free_node(ipv6_frag_hash, hash_node); - - return IPV6_FRAG_BAD_PKT; - } - - /* We never saw the first packet, but this one is still bogus */ - return IPV6_FRAG_BAD_PKT; - } - - /* At this point, we've seen a header with no offset and a - * more flag */ - if(!hash_node) + if(TCP_ISFLAGSET(p->tcph, (TH_SYN))) + { + /* check if only SYN is set */ + if( p->tcph->th_flags == TH_SYN ) + { + if( Event_Enabled(DECODE_DOS_NAPTHA) ) + { + if( p->tcph->th_seq == 6060842 ) { - /* There are more frags remaining, add current to hash */ - if(sfxhash_add(ipv6_frag_hash, key, (void *)&p->pkth->ts.tv_sec) - == SFXHASH_NOMEM) + if( GET_IPH_ID(p) == 413 ) { - return -1; + DecoderEvent(p, DECODE_DOS_NAPTHA, + DECODE_DOS_NAPTHA_STR, 1, 1); } } - else - { - /* Update this node's timestamp */ - *(time_t *)hash_node->data = p->pkth->ts.tv_sec; - } + } + } - default: - return IPV6_FRAG_NO_ALERT; + if( Event_Enabled(DECODE_SYN_TO_MULTICAST) ) + { + if( IpAddrSetContains(SynToMulticastDstIp, GET_DST_ADDR(p)) ) + { + DecoderEvent(p, DECODE_SYN_TO_MULTICAST, + DECODE_SYN_TO_MULTICAST_STR, 1, 1); + } } + if ( Event_Enabled(DECODE_TCP_SYN_RST) ) + if ( (p->tcph->th_flags & TH_RST) ) + DecoderEvent(p, EVARGS(TCP_SYN_RST), 1, 1); + + if ( Event_Enabled(DECODE_TCP_SYN_FIN) ) + if ( (p->tcph->th_flags & TH_FIN) ) + DecoderEvent(p, EVARGS(TCP_SYN_FIN), 1, 1); + } + else + { // we already know there is no SYN + if ( Event_Enabled(DECODE_TCP_NO_SYN_ACK_RST) ) + if ( !(p->tcph->th_flags & (TH_ACK|TH_RST)) ) + DecoderEvent(p, EVARGS(TCP_NO_SYN_ACK_RST), 1, 1); } - return IPV6_FRAG_NO_ALERT; -} + if ( Event_Enabled(DECODE_TCP_MUST_ACK) ) + if ( (p->tcph->th_flags & (TH_FIN|TH_PUSH|TH_URG)) && + !(p->tcph->th_flags & TH_ACK) ) + DecoderEvent(p, EVARGS(TCP_MUST_ACK), 1, 1); -#endif + /* stuff more data into the printout data struct */ + p->sp = ntohs(p->tcph->th_sport); + p->dp = ntohs(p->tcph->th_dport); -/* - * Function: 
DecodeIPV6(uint8_t *, uint32_t) - * - * Purpose: Decoding IPv6 headers - * - * Arguments: pkt => ptr to the packet data - * len => length from here to the end of the packet - * - * Returns: void function - */ -void DecodeIPV6(const uint8_t *pkt, uint32_t len, Packet *p) -{ -#ifndef SUP_IP6 - static uint8_t pseudopacket_buf[SPARC_TWIDDLE + ETHERNET_HEADER_LEN + IP_MAXPACKET]; - static Packet pseudopacket; - static struct pcap_pkthdr pseudopcap_header; - IP6RawHdr *ip6h; - int alert_status; - pc.ipv6++; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "tcp header starts at: %p\n", p->tcph);); -#ifdef GRE - if (p->greh != NULL) - pc.gre_ipv6++; -#endif + PushLayer(PROTO_TCP, p, pkt, hlen); - alert_status = CheckIPV6Frag((char *) pkt, len, p); + /* if options are present, decode them */ + p->tcp_options_len = (uint16_t)(hlen - TCP_HEADER_LEN); - if(alert_status == IPV6_FRAG_NO_ALERT) + if(p->tcp_options_len > 0) { - return; - } - - p->packet_flags |= PKT_NO_DETECT; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "%lu bytes of tcp options....\n", + (unsigned long)(p->tcp_options_len));); - /* Need to set up a fake IP header for logging purposes. 
First make sure - * there is room */ - if(sizeof(IP6RawHdr) <= len) + p->tcp_options_data = pkt + TCP_HEADER_LEN; + DecodeTCPOptions((uint8_t *) (pkt + TCP_HEADER_LEN), p->tcp_options_len, p); + } + else { - pseudopcap_header.ts.tv_sec = p->pkth->ts.tv_sec; - pseudopcap_header.ts.tv_usec = p->pkth->ts.tv_usec; - - BsdPseudoPacket = &pseudopacket; - pseudopacket.pkt = pseudopacket_buf + SPARC_TWIDDLE; - pseudopacket.pkth = &pseudopcap_header; + p->tcp_option_count = 0; + } - if(p->eh) - { - SafeMemcpy(pseudopacket_buf + SPARC_TWIDDLE, p->eh, - ETHERNET_HEADER_LEN, - pseudopacket_buf, - pseudopacket_buf + SPARC_TWIDDLE + ETHERNET_HEADER_LEN + IP_MAXPACKET); + /* set the data pointer and size */ + p->data = (uint8_t *) (pkt + hlen); - pseudopcap_header.len = IP_HEADER_LEN + ETHERNET_HEADER_LEN; + if(hlen < len) + { + p->dsize = (u_short)(len - hlen); + } + else + { + p->dsize = 0; + } - pseudopacket.eh = (EtherHdr*)(pseudopacket_buf + SPARC_TWIDDLE); - pseudopacket.iph = (IPHdr*)(pseudopacket_buf + SPARC_TWIDDLE + ETHERNET_HEADER_LEN); - ((EtherHdr*)pseudopacket.eh)->ether_type = htons(ETHERNET_TYPE_IP); - } - else - { - SafeMemcpy(pseudopacket_buf, p->pkt, - (pkt - p->pkt), - pseudopacket_buf, - pseudopacket_buf + SPARC_TWIDDLE + ETHERNET_HEADER_LEN + IP_MAXPACKET); + if ( Event_Enabled(DECODE_TCP_BAD_URP) ) + if ( (p->tcph->th_flags & TH_URG) && + (!p->dsize || ntohs(p->tcph->th_urp) > p->dsize) ) + DecoderEvent(p, EVARGS(TCP_BAD_URP), 1, 1); - pseudopcap_header.len = IP_HEADER_LEN + (pkt - p->pkt); + p->proto_bits |= PROTO_BIT__TCP; - pseudopacket.iph = (IPHdr*)(pseudopacket_buf + (pkt - p->pkt)); - pseudopacket.eh = NULL; - } + /* Drop packet if we ignore this port */ + if (ScIgnoreTcpPort(p->sp) || ScIgnoreTcpPort(p->dp)) + { + /* Ignore all preprocessors for this packet */ + p->packet_flags |= PKT_IGNORE_PORT; + return; + } - pseudopcap_header.caplen = pseudopcap_header.len; + TCPMiscTests(p); +} - /* Need IP addresses for packet logging -- for now, just using 
the - * lowest 4 bytes of the IPv6 addresses */ - memset((IPHdr *)pseudopacket.iph, 0, sizeof(IPHdr)); +//-------------------------------------------------------------------- +// decode.c::Option Handling +//-------------------------------------------------------------------- - ((IPHdr *)pseudopacket.iph)->ip_len = htons(IP_HEADER_LEN); - SET_IP_VER((IPHdr *)pseudopacket.iph, 0x4); - SET_IP_HLEN((IPHdr *)pseudopacket.iph, 0x5); +/** + * Validate that the length is an expected length AND that it's in bounds + * + * EOL and NOP are handled separately + * + * @param option_ptr current location + * @param end the byte past the end of the decode list + * @param len_ptr the pointer to the length field + * @param expected_len the number of bytes we expect to see per rfc KIND+LEN+DATA, -1 means dynamic. + * @param tcpopt options structure to populate + * @param byte_skip distance to move upon completion + * + * @return returns 0 on success, < 0 on error + */ +static inline int OptLenValidate(const uint8_t *option_ptr, + const uint8_t *end, + const uint8_t *len_ptr, + int expected_len, + Options *tcpopt, + uint8_t *byte_skip) +{ + *byte_skip = 0; - ip6h = (IP6RawHdr*)pkt; - -#ifdef WORDS_BIGENDIAN - ((IPHdr *)pseudopacket.iph)->ip_src.s_addr = - ip6h->ip6_src.s6_addr[13] << 16 | ip6h->ip6_src.s6_addr[14] << 8 | ip6h->ip6_src.s6_addr[15]; - ((IPHdr *)pseudopacket.iph)->ip_dst.s_addr = - ip6h->ip6_dst.s6_addr[13] << 16 | ip6h->ip6_dst.s6_addr[14] << 8 | ip6h->ip6_dst.s6_addr[15]; -#else - ((IPHdr *)pseudopacket.iph)->ip_src.s_addr = - ip6h->ip6_src.s6_addr[15] << 24 | ip6h->ip6_src.s6_addr[14] << 16 | ip6h->ip6_src.s6_addr[13] << 8; - ((IPHdr *)pseudopacket.iph)->ip_dst.s_addr = - ip6h->ip6_dst.s6_addr[15] << 24 | ip6h->ip6_dst.s6_addr[14] << 16 | ip6h->ip6_dst.s6_addr[13] << 8; -#endif - } - else + if(len_ptr == NULL) { - p->iph = NULL; + return TCP_OPT_TRUNC; } - switch(alert_status) { - case IPV6_FRAG_ALERT: - FragEvent(p, FRAG3_IPV6_BSD_ICMP_FRAG, 
FRAG3_IPV6_BSD_ICMP_FRAG_STR, - ScDecoderIpv6BsdIcmpFragAlerts(), - ScDecoderIpv6BsdIcmpFragDrops()); - break; - case IPV6_FRAG_BAD_PKT: - FragEvent(p, FRAG3_IPV6_BAD_FRAG_PKT, FRAG3_IPV6_BAD_FRAG_PKT_STR, - ScDecoderIpv6BadFragAlerts(), - ScDecoderIpv6BadFragDrops()); - break; - case IPV6_MIN_TTL_EXCEEDED: - DecoderEvent(p, DECODE_IPV6_MIN_TTL, DECODE_IPV6_MIN_TTL_STR, - 1, 1); - break; - - case IPV6_IS_NOT: - DecoderEvent(p, DECODE_IPV6_IS_NOT, DECODE_IPV6_IS_NOT_STR, - 1, 1); - break; - case IPV6_TRUNCATED_EXT: - DecoderEvent(p,DECODE_IPV6_TRUNCATED_EXT,DECODE_IPV6_TRUNCATED_EXT_STR, - 1, 1); - break; - case IPV6_TRUNCATED: - DecoderEvent(p,DECODE_IPV6_TRUNCATED,DECODE_IPV6_TRUNCATED_STR, - 1, 1); - }; - - pc.discards++; - return; -#else - - IP6RawHdr *hdr; - uint32_t payload_len; - - pc.ipv6++; - -#ifdef GRE - if (p->greh != NULL) - pc.gre_ipv6++; -#endif - - hdr = (IP6RawHdr*)pkt; - - if(len < IP6_HDR_LEN) + if(*len_ptr == 0 || expected_len == 0 || expected_len == 1) { - if (ScLogVerbose()) - { - ErrorMessage("IP6 header truncated! (%d bytes)\n", len); - } - - DecoderEvent(p, DECODE_IPV6_TRUNCATED, DECODE_IPV6_TRUNCATED_STR, - 1, 1); - - goto decodeipv6_fail; + return TCP_OPT_BADLEN; } - - /* Verify version in IP6 Header agrees */ - if((hdr->ip6vfc >> 4) != 6) + else if(expected_len > 1) { - if (ScLogVerbose()) + if((option_ptr + expected_len) > end) { - ErrorMessage("Not IPv6 datagram! 
([ver: 0x%x][len: 0x%x])\n", - (hdr->ip6vfc >> 4), hdr->ip6plen + IP6_HDR_LEN); + /* not enough data to read in a perfect world */ + return TCP_OPT_TRUNC; } - DecoderEvent(p, DECODE_IPV6_IS_NOT, DECODE_IPV6_IS_NOT_STR, - 1, 1); - - goto decodeipv6_fail; - } - -#ifdef GRE - if (p->family != NO_IP) - { - IP6RawHdr *tmp = (IP6RawHdr *)pkt; - - if (p->encapsulated || - ((tmp->ip6nxt == IPPROTO_IPIP) || (tmp->ip6nxt == IPPROTO_GRE) || - (tmp->ip6nxt == IPPROTO_IPV6))) - { - - DecoderAlertGRE(p, DECODE_GRE_MULTIPLE_ENCAPSULATION, - DECODE_GRE_MULTIPLE_ENCAPSULATION_STR, - pkt, len); - return; - } - else + if(*len_ptr != expected_len) { - p->encapsulated = 1; - p->outer_iph = p->iph; - p->outer_ip_data = p->ip_data; - p->outer_ip_dsize = p->ip_dsize; + /* length is not valid */ + return TCP_OPT_BADLEN; } } -#endif - /* lay the IP struct over the raw data */ - p->inner_iph = p->iph = (IPHdr *)pkt; - - payload_len = ntohs(hdr->ip6plen) + IP6_HDR_LEN; - - if(payload_len != len) + else /* expected_len < 0 (i.e. 
variable length) */ { - if (payload_len > len) + if(*len_ptr < 2) { -#ifdef DEBUG - if (ScLogVerbose()) - { - ErrorMessage("IP Len field is %d bytes bigger than captured " - "length (ip.len: %lu, cap.len: %lu)\n", - payload_len - len, payload_len, len); - } -#endif - DecoderEvent(p, DECODE_IPV6_DGRAM_GT_CAPLEN, - DECODE_IPV6_DGRAM_GT_CAPLEN_STR, - ScDecoderOversizedAlerts(), ScDecoderOversizedDrops()); - - goto decodeipv6_fail; + /* RFC sez that we MUST have atleast this much data */ + return TCP_OPT_BADLEN; } - else + + if((option_ptr + *len_ptr) > end) { -#ifdef DEBUG - if (ScLogVerbose()) - { - ErrorMessage("IP Len field is %d bytes smaller than captured " - "length (ip.len: %lu, cap.len: %lu)\n", - len - payload_len, payload_len, len); - } -#endif + /* not enough data to read in a perfect world */ + return TCP_OPT_TRUNC; } } - /* Check TTL */ - if(hdr->ip6hops < ScMinTTL()) - { - DecoderEvent(p, DECODE_IPV6_MIN_TTL, DECODE_IPV6_MIN_TTL_STR, - 1, 1); - } - - /* Build Packet structure's version of the IP6 header */ - sfiph_build(p, hdr, AF_INET6); + tcpopt->len = *len_ptr - 2; - /* - * Some IP Header tests - * Land Attack(same src/dst ip) - * Loopback (src or dst in 127/8 block) - * Modified: 2/22/05-man for High Endian Architecture. - */ - if(ScIdsMode()) + if(*len_ptr == 2) { - /* some points in the code assume an IP of 0.0.0.0 matches anything, but - * that is not so here. The sfip_compare makes that assumption for - * compatibility, but sfip_contains does not. Hence, sfip_contains - * is used here in the interrim. 
*/ - if( sfip_contains(&p->ip6h->ip_src, &p->ip6h->ip_dst) == SFIP_CONTAINS) - { - DecoderEvent(p, DECODE_BAD_TRAFFIC_SAME_SRCDST, - DECODE_BAD_TRAFFIC_SAME_SRCDST_STR, - 1,1); - } - - if(sfip_is_loopback(&p->ip6h->ip_src) || sfip_is_loopback(&p->ip6h->ip_dst)) - { - DecoderEvent(p, DECODE_BAD_TRAFFIC_LOOPBACK, - DECODE_BAD_TRAFFIC_LOOPBACK_STR, - 1,1); - } + tcpopt->data = NULL; } - + else { -#ifdef GRE - /* Remove outer IP options */ - if (p->encapsulated) - { - p->ip_options_data = NULL; - p->ip_options_len = 0; - p->ip_lastopt_bad = 0; - } -#endif - p->ip_option_count = 0; + tcpopt->data = option_ptr + 2; } - /* set the real IP length for logging */ - p->actual_ip_len = ntohs(p->ip6h->len); - p->ip_data = pkt + IP6_HDR_LEN; - p->ip_dsize = ntohs(p->ip6h->len); - - DecodeIPV6Extensions(GET_IPH_PROTO(p), pkt + IP6_HDR_LEN, ntohs(p->ip6h->len), p); - return; + *byte_skip = *len_ptr; -decodeipv6_fail: - pc.discards++; - pc.ipv6disc++; - p->iph = NULL; - p->family = NO_IP; -#endif + return 0; } /* - * Function: DecodeEthLoopback(uint8_t *, uint32_t) + * Function: DecodeTCPOptions(uint8_t *, uint32_t, Packet *) * - * Purpose: Just like IPX, it's just for counting. + * Purpose: Fairly self explainatory name, don't you think? * - * Arguments: pkt => ptr to the packet data - * len => length from here to the end of the packet + * TCP Option Header length validation is left to the caller * - * Returns: void function - */ -void DecodeEthLoopback(const uint8_t *pkt, uint32_t len, Packet *p) -{ - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "EthLoopback is not supported.\n");); - - pc.ethloopback++; - -#ifdef GRE - if (p->greh != NULL) - pc.gre_loopback++; -#endif - - return; -} - - -#ifndef NO_NON_ETHER_DECODER -/* - * Function: DecodeIPX(uint8_t *, uint32_t) + * For a good listing of TCP Options, + * http://www.iana.org/assignments/tcp-parameters * - * Purpose: Well, it doesn't do much of anything right now... + * ------------------------------------------------------------ + * 
From: "Kastenholz, Frank" <FKastenholz@unispherenetworks.com> + * Subject: Re: skeeter & bubba TCP options? * - * Arguments: pkt => ptr to the packet data - * len => length from here to the end of the packet + * ah, the sins of ones youth that never seem to be lost... * - * Returns: void function + * it was something that ben levy and stev and i did at ftp many + * many moons ago. bridgham and stev were the instigators of it. + * the idea was simple, put a dh key exchange directly in tcp + * so that all tcp sessions could be encrypted without requiring + * any significant key management system. authentication was not + * a part of the idea, it was to be provided by passwords or + * whatever, which could now be transmitted over the internet + * with impunity since they were encrypted... we implemented + * a simple form of this (doing the math was non trivial on the + * machines of the day). it worked. the only failure that i + * remember was that it was vulnerable to man-in-the-middle + * attacks. + * + * why "skeeter" and "bubba"? well, that's known only to stev... + * ------------------------------------------------------------ + * + * 4.2.2.5 TCP Options: RFC-793 Section 3.1 + * + * A TCP MUST be able to receive a TCP option in any segment. A TCP + * MUST ignore without error any TCP option it does not implement, + * assuming that the option has a length field (all TCP options + * defined in the future will have length fields). TCP MUST be + * prepared to handle an illegal option length (e.g., zero) without + * crashing; a suggested procedure is to reset the connection and log + * the reason. 
+ * + * Arguments: o_list => ptr to the option list + * o_len => length of the option list + * p => pointer to decoded packet struct * + * Returns: void function */ -void DecodeIPX(const uint8_t *pkt, uint32_t len, Packet *p) +void DecodeTCPOptions(const uint8_t *start, uint32_t o_len, Packet *p) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "IPX is not supported.\n");); + const uint8_t *option_ptr = start; + const uint8_t *end_ptr = start + o_len; /* points to byte after last option */ + const uint8_t *len_ptr; + uint8_t opt_count = 0; + u_char done = 0; /* have we reached TCPOPT_EOL yet?*/ + u_char experimental_option_found = 0; /* are all options RFC compliant? */ + u_char obsolete_option_found = 0; + u_char ttcp_found = 0; - pc.ipx++; + int code = 2; + uint8_t byte_skip; -#ifdef GRE - if (p->greh != NULL) - pc.gre_ipx++; -#endif + /* Here's what we're doing so that when we find out what these + * other buggers of TCP option codes are, we can do something + * useful + * + * 1) get option code + * 2) check for enough space for current option code + * 3) set option data ptr + * 4) increment option code ptr + * + * TCP_OPTLENMAX = 40 because of + * (((2^4) - 1) * 4 - TCP_HEADER_LEN) + * + */ + + if(o_len > TCP_OPTLENMAX) + { + /* This shouldn't ever alert if we are doing our job properly + * in the caller */ + p->tcph = NULL; /* let's just alert */ + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "o_len(%u) > TCP_OPTLENMAX(%u)\n", + o_len, TCP_OPTLENMAX)); + return; + } + + while((option_ptr < end_ptr) && (opt_count < TCP_OPTLENMAX) && (code >= 0) && !done) + { + p->tcp_options[opt_count].code = *option_ptr; + + if((option_ptr + 1) < end_ptr) + { + len_ptr = option_ptr + 1; + } + else + { + len_ptr = NULL; + } + + switch(*option_ptr) + { + case TCPOPT_EOL: + done = 1; /* fall through to the NOP case */ + case TCPOPT_NOP: + p->tcp_options[opt_count].len = 0; + p->tcp_options[opt_count].data = NULL; + byte_skip = 1; + code = 0; + break; + case TCPOPT_MAXSEG: + code = 
OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_MAXSEG, + &p->tcp_options[opt_count], &byte_skip); + break; + case TCPOPT_SACKOK: + code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_SACKOK, + &p->tcp_options[opt_count], &byte_skip); + break; + case TCPOPT_WSCALE: + code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_WSCALE, + &p->tcp_options[opt_count], &byte_skip); + if (code == 0) + { + if ( + ((uint16_t) p->tcp_options[opt_count].data[0] > 14)) + { + /* LOG INVALID WINDOWSCALE alert */ + if (ScDecoderTcpOptAlerts()) + { + DecoderOptEvent(p, DECODE_TCPOPT_WSCALE_INVALID, + DECODE_TCPOPT_WSCALE_INVALID_STR, 1, 1, + execTcpOptDrop); + } + } + } + break; + case TCPOPT_ECHO: /* both use the same lengths */ + case TCPOPT_ECHOREPLY: + obsolete_option_found = 1; + code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_ECHO, + &p->tcp_options[opt_count], &byte_skip); + break; + case TCPOPT_MD5SIG: + experimental_option_found = 1; + code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_MD5SIG, + &p->tcp_options[opt_count], &byte_skip); + break; + case TCPOPT_SACK: + code = OptLenValidate(option_ptr, end_ptr, len_ptr, -1, + &p->tcp_options[opt_count], &byte_skip); + if(p->tcp_options[opt_count].data == NULL) + code = TCP_OPT_BADLEN; + + break; + case TCPOPT_CC_ECHO: + ttcp_found = 1; + /* fall through */ + case TCPOPT_CC: /* all 3 use the same lengths / T/TCP */ + case TCPOPT_CC_NEW: + code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_CC, + &p->tcp_options[opt_count], &byte_skip); + break; + case TCPOPT_TRAILER_CSUM: + experimental_option_found = 1; + code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_TRAILER_CSUM, + &p->tcp_options[opt_count], &byte_skip); + break; + + case TCPOPT_TIMESTAMP: + code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_TIMESTAMP, + &p->tcp_options[opt_count], &byte_skip); + break; + + case TCPOPT_SKEETER: + case TCPOPT_BUBBA: + case TCPOPT_UNASSIGNED: + obsolete_option_found = 1; + code 
= OptLenValidate(option_ptr, end_ptr, len_ptr, -1, + &p->tcp_options[opt_count], &byte_skip); + break; + default: + case TCPOPT_SCPS: + case TCPOPT_SELNEGACK: + case TCPOPT_RECORDBOUND: + case TCPOPT_CORRUPTION: + case TCPOPT_PARTIAL_PERM: + case TCPOPT_PARTIAL_SVC: + case TCPOPT_ALTCSUM: + case TCPOPT_SNAP: + experimental_option_found = 1; + code = OptLenValidate(option_ptr, end_ptr, len_ptr, -1, + &p->tcp_options[opt_count], &byte_skip); + break; + } + + if(code < 0) + { + if(code == TCP_OPT_BADLEN) + { + DecoderOptEvent(p, DECODE_TCPOPT_BADLEN, + DECODE_TCPOPT_BADLEN_STR, 1, 1, + execTcpOptDrop); + } + else if(code == TCP_OPT_TRUNC) + { + DecoderOptEvent(p, DECODE_TCPOPT_TRUNCATED, + DECODE_TCPOPT_TRUNCATED_STR, 1, 1, + execTcpOptDrop); + } + + /* set the option count to the number of valid + * options found before this bad one + * some implementations (BSD and Linux) ignore + * the bad ones, but accept the good ones */ + p->tcp_option_count = opt_count; + + return; + } + + opt_count++; + + option_ptr += byte_skip; + } + + p->tcp_option_count = opt_count; + + if (experimental_option_found) + { + DecoderOptEvent(p, DECODE_TCPOPT_EXPERIMENT, + DECODE_TCPOPT_EXPERIMENT_STR, 1, 1, + execTcpOptExpDrop); + } + else if (obsolete_option_found) + { + DecoderOptEvent(p, DECODE_TCPOPT_OBSOLETE, + DECODE_TCPOPT_OBSOLETE_STR, 1, 1, + execTcpOptObsDrop); + } + else if (ttcp_found) + { + DecoderOptEvent(p, DECODE_TCPOPT_TTCP, + DECODE_TCPOPT_TTCP_STR, 1, 1, + execTcpOptTTcpDrop); + } + + return; +} + + +/* + * Function: DecodeIPOptions(uint8_t *, uint32_t, Packet *) + * + * Purpose: Once again, a fairly self-explainatory name + * + * Arguments: o_list => ptr to the option list + * o_len => length of the option list + * p => pointer to decoded packet struct + * + * Returns: void function + */ +void DecodeIPOptions(const uint8_t *start, uint32_t o_len, Packet *p) +{ + const uint8_t *option_ptr = start; + u_char done = 0; /* have we reached IP_OPTEOL yet? 
*/ + const uint8_t *end_ptr = start + o_len; + uint8_t opt_count = 0; /* what option are we processing right now */ + uint8_t byte_skip; + const uint8_t *len_ptr; + int code = 0; /* negative error codes are returned from bad options */ + + + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Decoding %d bytes of IP options\n", o_len);); + + + while((option_ptr < end_ptr) && (opt_count < IP_OPTMAX) && (code >= 0)) + { + p->ip_options[opt_count].code = *option_ptr; + + if((option_ptr + 1) < end_ptr) + { + len_ptr = option_ptr + 1; + } + else + { + len_ptr = NULL; + } + + switch(*option_ptr) + { + case IPOPT_NOP: + case IPOPT_EOL: + /* if we hit an EOL, we're done */ + if(*option_ptr == IPOPT_EOL) + done = 1; + + p->ip_options[opt_count].len = 0; + p->ip_options[opt_count].data = NULL; + byte_skip = 1; + break; + default: + /* handle all the dynamic features */ + code = OptLenValidate(option_ptr, end_ptr, len_ptr, -1, + &p->ip_options[opt_count], &byte_skip); + } + + if(code < 0) + { + /* Yes, we use TCP_OPT_* for the IP option decoder. + */ + if(code == TCP_OPT_BADLEN) + { + DecoderOptEvent(p, DECODE_IPV4OPT_BADLEN, + DECODE_IPV4OPT_BADLEN_STR, 1, 1, + execIpOptDrop); + } + else if(code == TCP_OPT_TRUNC) + { + DecoderOptEvent(p, DECODE_IPV4OPT_TRUNCATED, + DECODE_IPV4OPT_TRUNCATED_STR, 1, 1, + execIpOptDrop); + } + return; + } + + if(!done) + opt_count++; + + option_ptr += byte_skip; + } + + p->ip_option_count = opt_count; + + return; +} + +//-------------------------------------------------------------------- +// decode.c::NON-ETHER STUFF +//-------------------------------------------------------------------- + +#ifndef NO_NON_ETHER_DECODER +#ifdef DLT_IEEE802_11 +/* + * Function: DecodeIEEE80211Pkt(Packet *, char *, DAQ_PktHdr_t*, + * uint8_t*) + * + * Purpose: Decode those fun loving wireless LAN packets, one at a time! 
+ * + * Arguments: p => pointer to the decoded packet struct + * user => Utility pointer (unused) + * pkthdr => ptr to the packet header + * pkt => pointer to the real live packet data + * + * Returns: void function + */ +void DecodeIEEE80211Pkt(Packet * p, const DAQ_PktHdr_t * pkthdr, + const uint8_t * pkt) +{ + uint32_t cap_len = pkthdr->caplen; + PROFILE_VARS; + + PREPROC_PROFILE_START(decodePerfStats); + + pc.total_processed++; + + memset(p, 0, PKT_ZERO_LEN); + + p->pkth = pkthdr; + p->pkt = pkt; + + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", + (unsigned long)cap_len, (unsigned long)pkthdr->pktlen);); + + /* do a little validation */ + if(cap_len < MINIMAL_IEEE80211_HEADER_LEN) + { + if (ScLogVerbose()) + { + ErrorMessage("Captured data length < IEEE 802.11 header length! " + "(%d bytes)\n", cap_len); + } + + PREPROC_PROFILE_END(decodePerfStats); + return; + } + /* lay the wireless structure over the packet data */ + p->wifih = (WifiHdr *) pkt; + + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "%X %X\n", *p->wifih->addr1, + *p->wifih->addr2);); + + /* determine frame type */ + switch(p->wifih->frame_control & 0x00ff) + { + /* management frames */ + case WLAN_TYPE_MGMT_ASREQ: + case WLAN_TYPE_MGMT_ASRES: + case WLAN_TYPE_MGMT_REREQ: + case WLAN_TYPE_MGMT_RERES: + case WLAN_TYPE_MGMT_PRREQ: + case WLAN_TYPE_MGMT_PRRES: + case WLAN_TYPE_MGMT_BEACON: + case WLAN_TYPE_MGMT_ATIM: + case WLAN_TYPE_MGMT_DIS: + case WLAN_TYPE_MGMT_AUTH: + case WLAN_TYPE_MGMT_DEAUTH: + pc.wifi_mgmt++; + break; + + /* Control frames */ + case WLAN_TYPE_CONT_PS: + case WLAN_TYPE_CONT_RTS: + case WLAN_TYPE_CONT_CTS: + case WLAN_TYPE_CONT_ACK: + case WLAN_TYPE_CONT_CFE: + case WLAN_TYPE_CONT_CFACK: + pc.wifi_control++; + break; + /* Data packets without data */ + case WLAN_TYPE_DATA_NULL: + case WLAN_TYPE_DATA_CFACK: + case WLAN_TYPE_DATA_CFPL: + case WLAN_TYPE_DATA_ACKPL: + + pc.wifi_data++; + break; + case 
WLAN_TYPE_DATA_DTCFACK: + case WLAN_TYPE_DATA_DTCFPL: + case WLAN_TYPE_DATA_DTACKPL: + case WLAN_TYPE_DATA_DATA: + pc.wifi_data++; + + if(cap_len < IEEE802_11_DATA_HDR_LEN + sizeof(EthLlc)) + { + DecoderEvent(p, DECODE_BAD_80211_ETHLLC, + DECODE_BAD_80211_ETHLLC_STR, 1, 1); + + PREPROC_PROFILE_END(decodePerfStats); + return; + } + + p->ehllc = (EthLlc *) (pkt + IEEE802_11_DATA_HDR_LEN); + +#ifdef DEBUG_MSGS + PrintNetData(stdout,(uint8_t *) p->ehllc, sizeof(EthLlc), NULL); + //ClearDumpBuf(); + + printf("LLC Header:\n"); + printf(" DSAP: 0x%X\n", p->ehllc->dsap); + printf(" SSAP: 0x%X\n", p->ehllc->ssap); +#endif + + if(p->ehllc->dsap == ETH_DSAP_IP && p->ehllc->ssap == ETH_SSAP_IP) + { + if(cap_len < IEEE802_11_DATA_HDR_LEN + + sizeof(EthLlc) + sizeof(EthLlcOther)) + { + DecoderEvent(p, DECODE_BAD_80211_OTHER, + DECODE_BAD_80211_OTHER_STR, 1, 1); + + PREPROC_PROFILE_END(decodePerfStats); + return; + } + + p->ehllcother = (EthLlcOther *) (pkt + IEEE802_11_DATA_HDR_LEN + sizeof(EthLlc)); +#ifdef DEBUG_MSGS + PrintNetData(stdout,(uint8_t *) p->ehllcother, sizeof(EthLlcOther), NULL ); + //ClearDumpBuf(); + printf("LLC Other Header:\n"); + printf(" CTRL: 0x%X\n", p->ehllcother->ctrl); + printf(" ORG: 0x%02X%02X%02X\n", p->ehllcother->org_code[0], + p->ehllcother->org_code[1], p->ehllcother->org_code[2]); + printf(" PROTO: 0x%04X\n", ntohs(p->ehllcother->proto_id)); +#endif + + switch(ntohs(p->ehllcother->proto_id)) + { + case ETHERNET_TYPE_IP: + DecodeIP(p->pkt + IEEE802_11_DATA_HDR_LEN + sizeof(EthLlc) + + sizeof(EthLlcOther), + cap_len - IEEE802_11_DATA_HDR_LEN - sizeof(EthLlc) - + sizeof(EthLlcOther), p); + PREPROC_PROFILE_END(decodePerfStats); + return; + + case ETHERNET_TYPE_ARP: + case ETHERNET_TYPE_REVARP: + DecodeARP(p->pkt + IEEE802_11_DATA_HDR_LEN + sizeof(EthLlc) + + sizeof(EthLlcOther), + cap_len - IEEE802_11_DATA_HDR_LEN - sizeof(EthLlc) - + sizeof(EthLlcOther), p); + PREPROC_PROFILE_END(decodePerfStats); + return; + case ETHERNET_TYPE_EAPOL: + 
DecodeEapol(p->pkt + IEEE802_11_DATA_HDR_LEN + sizeof(EthLlc) + + sizeof(EthLlcOther), + cap_len - IEEE802_11_DATA_HDR_LEN - sizeof(EthLlc) - + sizeof(EthLlcOther), p); + PREPROC_PROFILE_END(decodePerfStats); + return; + case ETHERNET_TYPE_8021Q: + DecodeVlan(p->pkt + IEEE802_11_DATA_HDR_LEN , + cap_len - IEEE802_11_DATA_HDR_LEN , p); + PREPROC_PROFILE_END(decodePerfStats); + return; + + case ETHERNET_TYPE_IPV6: + DecodeIPV6(p->pkt + IEEE802_11_DATA_HDR_LEN, + cap_len - IEEE802_11_DATA_HDR_LEN, p); + PREPROC_PROFILE_END(decodePerfStats); + return; + + default: + // TBD add decoder drop event for unknown wifi/eth type + pc.other++; + PREPROC_PROFILE_END(decodePerfStats); + return; + } + } + break; + default: + // TBD add decoder drop event for unknown wlan frame type + pc.other++; + break; + } + + PREPROC_PROFILE_END(decodePerfStats); + return; +} +#endif // DLT_IEEE802_11 + +/* + * Function: DecodeTRPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) + * + * Purpose: Decode Token Ring packets! + * + * Arguments: p=> pointer to decoded packet struct + * user => Utility pointer, unused + * pkthdr => ptr to the packet header + * pkt => pointer to the real live packet data + * + * Returns: void function + */ +void DecodeTRPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) +{ + uint32_t cap_len = pkthdr->caplen; + uint32_t dataoff; /* data offset is variable here */ + PROFILE_VARS; + + PREPROC_PROFILE_START(decodePerfStats); + + pc.total_processed++; + + memset(p, 0, PKT_ZERO_LEN); + + p->pkth = pkthdr; + p->pkt = pkt; + + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"); + DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", + (unsigned long)cap_len,(unsigned long) pkthdr->pktlen); + ); + + if(cap_len < sizeof(Trh_hdr)) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "Captured data length < Token Ring header length! 
" + "(%d < %d bytes)\n", cap_len, TR_HLEN);); + + DecoderEvent(p, DECODE_BAD_TRH, DECODE_BAD_TRH_STR, 1, 1); + + PREPROC_PROFILE_END(decodePerfStats); + return; + } + + /* lay the tokenring header structure over the packet data */ + p->trh = (Trh_hdr *) pkt; + + /* + * according to rfc 1042: + * + * The presence of a Routing Information Field is indicated by the Most + * Significant Bit (MSB) of the source address, called the Routing + * Information Indicator (RII). If the RII equals zero, a RIF is + * not present. If the RII equals 1, the RIF is present. + * .. + * However the MSB is already zeroed by this moment, so there's no + * real way to figure out whether RIF is presented in packet, so we are + * doing some tricks to find IPARP signature.. + */ + + /* + * first I assume that we have single-ring network with no RIF + * information presented in frame + */ + if(cap_len < (sizeof(Trh_hdr) + sizeof(Trh_llc))) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "Captured data length < Token Ring header length! " + "(%d < %d bytes)\n", cap_len, + (sizeof(Trh_hdr) + sizeof(Trh_llc)));); + + DecoderEvent(p, DECODE_BAD_TR_ETHLLC, DECODE_BAD_TR_ETHLLC_STR, 1, 1); + + PREPROC_PROFILE_END(decodePerfStats); + return; + } + + + p->trhllc = (Trh_llc *) (pkt + sizeof(Trh_hdr)); + + if(p->trhllc->dsap != IPARP_SAP && p->trhllc->ssap != IPARP_SAP) + { + /* + * DSAP != SSAP != 0xAA .. either we are having frame which doesn't + * carry IP datagrams or has RIF information present. We assume + * lattest ... + */ + + if(cap_len < (sizeof(Trh_hdr) + sizeof(Trh_llc) + sizeof(Trh_mr))) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "Captured data length < Token Ring header length! 
" + "(%d < %d bytes)\n", cap_len, + (sizeof(Trh_hdr) + sizeof(Trh_llc) + sizeof(Trh_mr)));); + + DecoderEvent(p, DECODE_BAD_TRHMR, DECODE_BAD_TRHMR_STR, 1, 1); + + PREPROC_PROFILE_END(decodePerfStats); + return; + } + + p->trhmr = (Trh_mr *) (pkt + sizeof(Trh_hdr)); + + + if(cap_len < (sizeof(Trh_hdr) + sizeof(Trh_llc) + + sizeof(Trh_mr) + TRH_MR_LEN(p->trhmr))) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "Captured data length < Token Ring header length! " + "(%d < %d bytes)\n", cap_len, + (sizeof(Trh_hdr) + sizeof(Trh_llc) + sizeof(Trh_mr)));); + + DecoderEvent(p, DECODE_BAD_TR_MR_LEN, DECODE_BAD_TR_MR_LEN_STR, 1, 1); + + PREPROC_PROFILE_END(decodePerfStats); + return; + } + + p->trhllc = (Trh_llc *) (pkt + sizeof(Trh_hdr) + TRH_MR_LEN(p->trhmr)); + dataoff = sizeof(Trh_hdr) + TRH_MR_LEN(p->trhmr) + sizeof(Trh_llc); + + } + else + { + p->trhllc = (Trh_llc *) (pkt + sizeof(Trh_hdr)); + dataoff = sizeof(Trh_hdr) + sizeof(Trh_llc); + } + + /* + * ideally we would need to check both SSAP, DSAP, and protoid fields: IP + * datagrams and ARP requests and replies are transmitted in standard + * 802.2 LLC Type 1 Unnumbered Information format, control code 3, with + * the DSAP and the SSAP fields of the 802.2 header set to 170, the + * assigned global SAP value for SNAP [6]. The 24-bit Organization Code + * in the SNAP is zero, and the remaining 16 bits are the EtherType from + * Assigned Numbers [7] (IP = 2048, ARP = 2054). .. but we would check + * SSAP and DSAP and assume this would be enough to trust. 
+ */ + if(p->trhllc->dsap != IPARP_SAP && p->trhllc->ssap != IPARP_SAP) + { + DEBUG_WRAP( + DebugMessage(DEBUG_DECODE, "DSAP and SSAP arent set to SNAP\n"); + ); + p->trhllc = NULL; + PREPROC_PROFILE_END(decodePerfStats); + return; + } + + switch(htons(p->trhllc->ethertype)) + { + case ETHERNET_TYPE_IP: + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Decoding IP\n");); + DecodeIP(p->pkt + dataoff, cap_len - dataoff, p); + PREPROC_PROFILE_END(decodePerfStats); + return; + + case ETHERNET_TYPE_ARP: + case ETHERNET_TYPE_REVARP: + DEBUG_WRAP( + DebugMessage(DEBUG_DECODE, "Decoding ARP\n"); + ); + pc.arp++; + + PREPROC_PROFILE_END(decodePerfStats); + return; + + case ETHERNET_TYPE_8021Q: + DecodeVlan(p->pkt + dataoff, cap_len - dataoff, p); + PREPROC_PROFILE_END(decodePerfStats); + return; + + default: + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Unknown network protocol: %d\n", + htons(p->trhllc->ethertype))); + // TBD add decoder drop event for unknown tr/eth type + pc.other++; + PREPROC_PROFILE_END(decodePerfStats); + return; + } + + PREPROC_PROFILE_END(decodePerfStats); + return; +} + + +/* + * Function: DecodeFDDIPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) + * + * Purpose: Mainly taken from CyberPsycotic's Token Ring Code -worm5er + * + * Arguments: p => pointer to decoded packet struct + * user => Utility pointer, unused + * pkthdr => ptr to the packet header + * pkt => pointer to the real live packet data + * + * Returns: void function + */ +void DecodeFDDIPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) +{ + uint32_t cap_len = pkthdr->caplen; + uint32_t dataoff = sizeof(Fddi_hdr) + sizeof(Fddi_llc_saps); + PROFILE_VARS; + + PREPROC_PROFILE_START(decodePerfStats); + + pc.total_processed++; + + memset(p, 0, PKT_ZERO_LEN); + + p->pkth = pkthdr; + p->pkt = pkt; + + DEBUG_WRAP(DebugMessage(DEBUG_DECODE,"Packet!\n"); + DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", + (unsigned long) cap_len,(unsigned long) pkthdr->pktlen); + ); + + /* Bounds checking 
(might not be right yet -worm5er) */ + if(cap_len < dataoff) + { + if (ScLogVerbose()) + { + ErrorMessage("Captured data length < FDDI header length! " + "(%d %d bytes)\n", cap_len, dataoff); + PREPROC_PROFILE_END(decodePerfStats); + return; + } + } + /* let's put this in as the fddi header structure */ + p->fddihdr = (Fddi_hdr *) pkt; + + p->fddisaps = (Fddi_llc_saps *) (pkt + sizeof(Fddi_hdr)); + + /* First we'll check and see if it's an IP/ARP Packet... */ + /* Then we check to see if it's a SNA packet */ + /* + * Lastly we'll declare it none of the above and just slap something + * generic on it to discard it with (I know that sucks, but heck we're + * only looking for IP/ARP type packets currently... -worm5er + */ + if((p->fddisaps->dsap == FDDI_DSAP_IP) && (p->fddisaps->ssap == FDDI_SSAP_IP)) + { + dataoff += sizeof(Fddi_llc_iparp); + + if(cap_len < dataoff) + { + if (ScLogVerbose()) + { + ErrorMessage("Captured data length < FDDI header length! " + "(%d %d bytes)\n", cap_len, dataoff); + PREPROC_PROFILE_END(decodePerfStats); + return; + } + } + + p->fddiiparp = (Fddi_llc_iparp *) (pkt + sizeof(Fddi_hdr) + sizeof(Fddi_llc_saps)); + } + else if((p->fddisaps->dsap == FDDI_DSAP_SNA) && + (p->fddisaps->ssap == FDDI_SSAP_SNA)) + { + dataoff += sizeof(Fddi_llc_sna); + + if(cap_len < dataoff) + { + if (ScLogVerbose()) + { + ErrorMessage("Captured data length < FDDI header length! " + "(%d %d bytes)\n", cap_len, dataoff); + PREPROC_PROFILE_END(decodePerfStats); + return; + } + } + + p->fddisna = (Fddi_llc_sna *) (pkt + sizeof(Fddi_hdr) + + sizeof(Fddi_llc_saps)); + } + else + { + dataoff += sizeof(Fddi_llc_other); + p->fddiother = (Fddi_llc_other *) (pkt + sizeof(Fddi_hdr) + + sizeof(Fddi_llc_other)); + + if(cap_len < dataoff) + { + if (ScLogVerbose()) + { + ErrorMessage("Captured data length < FDDI header length! 
" + "(%d %d bytes)\n", cap_len, dataoff); + PREPROC_PROFILE_END(decodePerfStats); + return; + } + } + } + + /* + * Now let's see if we actually care about the packet... If we don't, + * throw it out!!! + */ + if((p->fddisaps->dsap != FDDI_DSAP_IP) && + (p->fddisaps->ssap != FDDI_SSAP_IP)) + { + DEBUG_WRAP( + DebugMessage(DEBUG_DECODE, + "This FDDI Packet isn't an IP/ARP packet...\n"); + ); + PREPROC_PROFILE_END(decodePerfStats); + return; + } + + cap_len -= dataoff; + + switch(htons(p->fddiiparp->ethertype)) + { + case ETHERNET_TYPE_IP: + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Decoding IP\n");); + DecodeIP(p->pkt + dataoff, cap_len, p); + PREPROC_PROFILE_END(decodePerfStats); + return; + + case ETHERNET_TYPE_ARP: + case ETHERNET_TYPE_REVARP: + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Decoding ARP\n");); + pc.arp++; + + PREPROC_PROFILE_END(decodePerfStats); + return; + + case ETHERNET_TYPE_8021Q: + DecodeVlan(p->pkt + dataoff, cap_len, p); + PREPROC_PROFILE_END(decodePerfStats); + return; + + + default: + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Unknown network protocol: %d\n", + htons(p->fddiiparp->ethertype)); + ); + // TBD add decoder drop event for unknown fddi/eth type + pc.other++; + + PREPROC_PROFILE_END(decodePerfStats); + return; + } + + PREPROC_PROFILE_END(decodePerfStats); + return; +} + +#ifdef DLT_LINUX_SLL +/* + * Function: DecodeLinuxSLLPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) + * + * Purpose: Decode those fun loving LinuxSLL (linux cooked sockets) + * packets, one at a time! 
+ * + * Arguments: p => pointer to the decoded packet struct + * user => Utility pointer (unused) + * pkthdr => ptr to the packet header + * pkt => pointer to the real live packet data + * + * Returns: void function + */ + +void DecodeLinuxSLLPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) +{ + uint32_t cap_len = pkthdr->caplen; + PROFILE_VARS; + + PREPROC_PROFILE_START(decodePerfStats); + + pc.total_processed++; + + memset(p, 0, PKT_ZERO_LEN); + + p->pkth = pkthdr; + p->pkt = pkt; + + DEBUG_WRAP(DebugMessage(DEBUG_DECODE,"Packet!\n"); + DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", + (unsigned long)cap_len, (unsigned long)pkthdr->pktlen);); + + /* do a little validation */ + if(cap_len < SLL_HDR_LEN) + { + if (ScLogVerbose()) + { + ErrorMessage("Captured data length < SLL header length (your " + "libpcap is broken?)! (%d bytes)\n", cap_len); + } + PREPROC_PROFILE_END(decodePerfStats); + return; + } + /* lay the ethernet structure over the packet data */ + p->sllh = (SLLHdr *) pkt; + + /* grab out the network type */ + switch(ntohs(p->sllh->sll_protocol)) + { + case ETHERNET_TYPE_IP: + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "IP datagram size calculated to be %lu bytes\n", + (unsigned long)(cap_len - SLL_HDR_LEN));); + + DecodeIP(p->pkt + SLL_HDR_LEN, cap_len - SLL_HDR_LEN, p); + PREPROC_PROFILE_END(decodePerfStats); + return; + + case ETHERNET_TYPE_ARP: + case ETHERNET_TYPE_REVARP: + DecodeARP(p->pkt + SLL_HDR_LEN, cap_len - SLL_HDR_LEN, p); + PREPROC_PROFILE_END(decodePerfStats); + return; + + case ETHERNET_TYPE_IPV6: + DecodeIPV6(p->pkt + SLL_HDR_LEN, (cap_len - SLL_HDR_LEN), p); + PREPROC_PROFILE_END(decodePerfStats); + return; + + case ETHERNET_TYPE_IPX: + DecodeIPX(p->pkt + SLL_HDR_LEN, (cap_len - SLL_HDR_LEN), p); + PREPROC_PROFILE_END(decodePerfStats); + return; + + case LINUX_SLL_P_802_3: + DEBUG_WRAP(DebugMessage(DEBUG_DATALINK, + "Linux SLL P 802.3 is not supported.\n");); + // TBD add decoder drop event for unsupported linux 
sll p 802.3 + pc.other++; + PREPROC_PROFILE_END(decodePerfStats); + return; + + case LINUX_SLL_P_802_2: + DEBUG_WRAP(DebugMessage(DEBUG_DATALINK, + "Linux SLL P 802.2 is not supported.\n");); + // TBD add decoder drop event for unsupported linux sll p 802.2 + pc.other++; + PREPROC_PROFILE_END(decodePerfStats); + return; + + case ETHERNET_TYPE_8021Q: + DecodeVlan(p->pkt + SLL_HDR_LEN, cap_len - SLL_HDR_LEN, p); + PREPROC_PROFILE_END(decodePerfStats); + return; + + default: + /* shouldn't go here unless pcap library changes again */ + /* should be a DECODE generated alert */ + DEBUG_WRAP(DebugMessage(DEBUG_DATALINK,"(Unknown) %X is not supported. " + "(need tcpdump snapshots to test. Please contact us)\n", + p->sllh->sll_protocol);); + // TBD add decoder drop event for unknown sll encapsulation + pc.other++; + PREPROC_PROFILE_END(decodePerfStats); + return; + } + PREPROC_PROFILE_END(decodePerfStats); return; } -#endif // NO_NON_ETHER_DECODER - +#endif /* DLT_LINUX_SLL */ -#ifdef GRE /* - * Function: DecodeGRE(uint8_t *, uint32_t, Packet *) + * Function: DecodeOldPflog(Packet *, DAQ_PktHdr_t *, uint8_t *) * - * Purpose: Decode Generic Routing Encapsulation Protocol - * This will decode normal GRE and PPTP GRE. 
+ * Purpose: Pass old pflog format device packets off to IP or IP6 -fleck * - * Arguments: pkt => ptr to the packet data - * len => length from here to the end of the packet - * p => pointer to decoded packet struct + * Arguments: p => pointer to the decoded packet struct + * pkthdr => ptr to the packet header + * pkt => pointer to the packet data * * Returns: void function * - * Notes: see RFCs 1701, 2784 and 2637 */ -void DecodeGRE(const uint8_t *pkt, const uint32_t len, Packet *p) +void DecodeOldPflog(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) { - uint32_t hlen; /* GRE header length */ - uint32_t payload_len; - - if (len < GRE_HEADER_LEN) - { - DecoderAlertGRE(p, DECODE_GRE_DGRAM_LT_GREHDR, - DECODE_GRE_DGRAM_LT_GREHDR_STR, - pkt, len); - return; - } - - if (p->encapsulated) - { - /* discard packet - multiple GRE encapsulation */ - /* not sure if this is ever used but I am assuming it is not */ - DecoderAlertGRE(p, DECODE_GRE_MULTIPLE_ENCAPSULATION, - DECODE_GRE_MULTIPLE_ENCAPSULATION_STR, - pkt, len); - return; - } - - /* Note: Since GRE doesn't have a field to indicate header length and - * can contain a few options, we need to walk through the header to - * figure out the length - */ - - p->greh = (GREHdr *)pkt; - hlen = GRE_HEADER_LEN; - - switch (GRE_VERSION(p->greh)) - { - case 0x00: - /* these must not be set */ - if (GRE_RECUR(p->greh) || GRE_FLAGS(p->greh)) - { - DecoderAlertGRE(p, DECODE_GRE_INVALID_HEADER, - DECODE_GRE_INVALID_HEADER_STR, - pkt, len); - return; - } + uint32_t cap_len = pkthdr->caplen; + PROFILE_VARS; - if (GRE_CHKSUM(p->greh) || GRE_ROUTE(p->greh)) - hlen += GRE_CHKSUM_LEN + GRE_OFFSET_LEN; + PREPROC_PROFILE_START(decodePerfStats); - if (GRE_KEY(p->greh)) - hlen += GRE_KEY_LEN; + pc.total_processed++; - if (GRE_SEQ(p->greh)) - hlen += GRE_SEQ_LEN; + memset(p, 0, PKT_ZERO_LEN); - /* if this flag is set, we need to walk through all of the - * Source Route Entries */ - if (GRE_ROUTE(p->greh)) - { - uint16_t 
sre_addrfamily; - uint8_t sre_offset; - uint8_t sre_length; - const uint8_t *sre_ptr; - - sre_ptr = pkt + hlen; + p->pkth = pkthdr; + p->pkt = pkt; - while (1) - { - hlen += GRE_SRE_HEADER_LEN; - if (hlen > len) - break; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"); + DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", + (unsigned long)cap_len, (unsigned long)pkthdr->pktlen);); - sre_addrfamily = ntohs(*((uint16_t *)sre_ptr)); - sre_ptr += sizeof(sre_addrfamily); + /* do a little validation */ + if(cap_len < PFLOG1_HDRLEN) + { + if (ScLogVerbose()) + { + ErrorMessage("Captured data length < Pflog header length! " + "(%d bytes)\n", cap_len); + } + PREPROC_PROFILE_END(decodePerfStats); + return; + } - sre_offset = *((uint8_t *)sre_ptr); - sre_ptr += sizeof(sre_offset); + /* lay the pf header structure over the packet data */ + p->pf1h = (Pflog1Hdr*)pkt; - sre_length = *((uint8_t *)sre_ptr); - sre_ptr += sizeof(sre_length); + /* get the network type - should only be AF_INET or AF_INET6 */ + switch(ntohl(p->pf1h->af)) + { + case AF_INET: /* IPv4 */ + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "IP datagram size calculated to be %lu " + "bytes\n", (unsigned long)(cap_len - PFLOG1_HDRLEN));); - if ((sre_addrfamily == 0) && (sre_length == 0)) - break; + DecodeIP(p->pkt + PFLOG1_HDRLEN, cap_len - PFLOG1_HDRLEN, p); + PREPROC_PROFILE_END(decodePerfStats); + return; - hlen += sre_length; - sre_ptr += sre_length; - } - } +#if defined(AF_INET6) || defined(SUP_IP6) + case AF_INET6: /* IPv6 */ + DecodeIPV6(p->pkt + PFLOG1_HDRLEN, cap_len - PFLOG1_HDRLEN, p); + PREPROC_PROFILE_END(decodePerfStats); + return; +#endif - break; + default: + /* To my knowledge, pflog devices can only + * pass IP and IP6 packets. 
-fleck + */ + // TBD add decoder drop event for unknown old pflog network type + pc.other++; + PREPROC_PROFILE_END(decodePerfStats); + return; + } - /* PPTP */ - case 0x01: - /* these flags should never be present */ - if (GRE_CHKSUM(p->greh) || GRE_ROUTE(p->greh) || GRE_SSR(p->greh) || - GRE_RECUR(p->greh) || GRE_V1_FLAGS(p->greh)) - { - DecoderAlertGRE(p, DECODE_GRE_V1_INVALID_HEADER, - DECODE_GRE_V1_INVALID_HEADER_STR, - pkt, len); - return; - } + PREPROC_PROFILE_END(decodePerfStats); + return; +} - /* protocol must be 0x880B - PPP */ - if (GRE_PROTO(p->greh) != GRE_TYPE_PPP) - { - DecoderAlertGRE(p, DECODE_GRE_V1_INVALID_HEADER, - DECODE_GRE_V1_INVALID_HEADER_STR, - pkt, len); - return; - } +/* + * Function: DecodePflog(Packet *, DAQ_PktHdr_t *, uint8_t *) + * + * Purpose: Pass pflog device packets off to IP or IP6 -fleck + * + * Arguments: p => pointer to the decoded packet struct + * pkthdr => ptr to the packet header + * pkt => pointer to the packet data + * + * Returns: void function + * + */ +void DecodePflog(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) +{ + uint32_t cap_len = pkthdr->caplen; + uint8_t af, pflen; + uint32_t hlen; + PROFILE_VARS; - /* this flag should always be present */ - if (!(GRE_KEY(p->greh))) - { - DecoderAlertGRE(p, DECODE_GRE_V1_INVALID_HEADER, - DECODE_GRE_V1_INVALID_HEADER_STR, - pkt, len); - return; - } + PREPROC_PROFILE_START(decodePerfStats); - hlen += GRE_KEY_LEN; + pc.total_processed++; - if (GRE_SEQ(p->greh)) - hlen += GRE_SEQ_LEN; + memset(p, 0, PKT_ZERO_LEN); - if (GRE_V1_ACK(p->greh)) - hlen += GRE_V1_ACK_LEN; + p->pkth = pkthdr; + p->pkt = pkt; - break; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"); + DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", + (unsigned long)cap_len, (unsigned long)pkthdr->pktlen);); - default: - DecoderAlertGRE(p, DECODE_GRE_INVALID_VERSION, - DECODE_GRE_INVALID_VERSION_STR, - pkt, len); - return; + /* do a little validation */ + if(cap_len < PFLOG2_HDRMIN) + { + 
if (ScLogVerbose()) + { + ErrorMessage("Captured data length < minimum Pflog length! " + "(%d < %lu)\n", cap_len, PFLOG2_HDRMIN); + } + PREPROC_PROFILE_END(decodePerfStats); + return; + } + /* lay the pf header structure over the packet data */ + if ( *((uint8_t*)pkt) < PFLOG3_HDRMIN ) + { + p->pf2h = (Pflog2Hdr*)pkt; + pflen = p->pf2h->length; + hlen = PFLOG2_HDRLEN; + af = p->pf2h->af; + } + else + { + p->pf3h = (Pflog3Hdr*)pkt; + pflen = p->pf3h->length; + hlen = PFLOG3_HDRLEN; + af = p->pf3h->af; } - - if (hlen > len) + /* now that we know a little more, do a little more validation */ + if(cap_len < hlen) { - DecoderAlertGRE(p, DECODE_GRE_DGRAM_LT_GREHDR, - DECODE_GRE_DGRAM_LT_GREHDR_STR, - pkt, len); + if (ScLogVerbose()) + { + ErrorMessage("Captured data length < Pflog header length! " + "(%d < %d)\n", cap_len, hlen); + } + PREPROC_PROFILE_END(decodePerfStats); return; } - - payload_len = len - hlen; - - /* Send to next protocol decoder */ - /* As described in RFC 2784 the possible protocols are listed in - * RFC 1700 under "ETHER TYPES" - * See also "Current List of Protocol Types" in RFC 1701 - */ - switch (GRE_PROTO(p->greh)) + /* note that the pflen may exclude the padding which is always present */ + if(pflen < hlen - PFLOG_PADLEN || pflen > hlen) { - case ETHERNET_TYPE_IP: - DecodeIP(pkt + hlen, payload_len, p); - return; - - case GRE_TYPE_TRANS_BRIDGING: - DecodeTransBridging(pkt + hlen, payload_len, p); - return; - - case ETHERNET_TYPE_ARP: - case ETHERNET_TYPE_REVARP: - /* clear outer IP headers */ - p->iph = NULL; -#ifdef SUP_IP6 - p->family = NO_IP; -#endif - DecodeARP(pkt + hlen, payload_len, p); - return; - - case ETHERNET_TYPE_IPV6: - DecodeIPV6(pkt + hlen, payload_len, p); - return; + if (ScLogVerbose()) + { + ErrorMessage("Bad Pflog header length! 
(%d bytes)\n", pflen); + } + PREPROC_PROFILE_END(decodePerfStats); + return; + } + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "IP datagram size calculated to be " + "%lu bytes\n", (unsigned long)(cap_len - hlen));); - case GRE_TYPE_PPP: - DecodePppPktEncapsulated(p, payload_len, pkt + hlen); + /* check the network type - should only be AF_INET or AF_INET6 */ + switch(af) + { + case AF_INET: /* IPv4 */ + DecodeIP(p->pkt + hlen, cap_len - hlen, p); + PREPROC_PROFILE_END(decodePerfStats); return; -#ifndef NO_NON_ETHER_DECODER - case ETHERNET_TYPE_IPX: - DecodeIPX(pkt + hlen, payload_len, p); +#if defined(AF_INET6) || defined(SUP_IP6) + case AF_INET6: /* IPv6 */ + DecodeIPV6(p->pkt + hlen, cap_len - hlen, p); + PREPROC_PROFILE_END(decodePerfStats); return; #endif - case ETHERNET_TYPE_LOOP: - DecodeEthLoopback(pkt + hlen, payload_len, p); - return; - - /* not sure if this occurs, but 802.1q is an Ether type */ - case ETHERNET_TYPE_8021Q: - DecodeVlan(pkt + hlen, payload_len, p); - return; - default: + /* To my knowledge, pflog devices can only + * pass IP and IP6 packets. -fleck + */ + // TBD add decoder drop event for unknown pflog network type pc.other++; - p->data = pkt + hlen; - p->dsize = (uint16_t)payload_len; + PREPROC_PROFILE_END(decodePerfStats); return; } + + PREPROC_PROFILE_END(decodePerfStats); + return; } /* - * Function: DecodeTransBridging(uint8_t *, const uint32_t, Packet) + * Function: DecodePppPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) * - * Purpose: Decode Transparent Ethernet Bridging + * Purpose: Decode PPP traffic (either RFC1661 or RFC1662 framing). 
+ * This really is intended to handle IPCP * - * Arguments: pkt => pointer to the real live packet data - * len => length of remaining data in packet - * p => pointer to the decoded packet struct - * + * Arguments: p => pointer to decoded packet struct + * user => Utility pointer, unused + * pkthdr => ptr to the packet header + * pkt => pointer to the real live packet data * * Returns: void function - * - * Note: This is basically the code from DecodeEthPkt but the calling - * convention needed to be changed and the stuff at the beginning - * wasn't needed since we are already deep into the packet */ -void DecodeTransBridging(const uint8_t *pkt, const uint32_t len, Packet *p) +// DecodePppPkt() and DecodePppSerialPkt() may be incorrect ... +// both skip past 2 byte protocol and then call DecodePppPktEncapsulated() +// which does the same thing. That one works inside DecodePPPoEPkt(); +void DecodePppPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) { - pc.gre_eth++; + uint32_t cap_len = pkthdr->caplen; + int hlen = 0; + PROFILE_VARS; - if(len < ETHERNET_HEADER_LEN) + PREPROC_PROFILE_START(decodePerfStats); + + pc.total_processed++; + + memset(p, 0, PKT_ZERO_LEN); + + p->pkth = pkthdr; + p->pkt = pkt; + + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); + + if(cap_len < 2) { - DecoderAlertGRE(p, DECODE_GRE_TRANS_DGRAM_LT_TRANSHDR, - DECODE_GRE_TRANS_DGRAM_LT_TRANSHDR_STR, - pkt, len); + if (ScLogVerbose()) + { + ErrorMessage("Length not big enough for even a single " + "header or a one byte payload\n"); + } + PREPROC_PROFILE_END(decodePerfStats); return; } - /* The Packet struct's ethernet header will now point to the inner ethernet - * header of the packet - */ - p->eh = (EtherHdr *)pkt; - - switch (ntohs(p->eh->ether_type)) + if(pkt[0] == CHDLC_ADDR_BROADCAST && pkt[1] == CHDLC_CTRL_UNNUMBERED) { - case ETHERNET_TYPE_IP: - DecodeIP(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p); - return; + /* + * Check for full HDLC header (rfc1662 
section 3.2) + */ + hlen = 2; + } - case ETHERNET_TYPE_ARP: - case ETHERNET_TYPE_REVARP: - DecodeARP(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p); - return; + DecodePppPktEncapsulated(p->pkt + hlen, cap_len - hlen, p); - case ETHERNET_TYPE_IPV6: - DecodeIPV6(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p); - return; + PREPROC_PROFILE_END(decodePerfStats); + return; +} -#ifndef NO_NON_ETHER_DECODER - case ETHERNET_TYPE_IPX: - DecodeIPX(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p); - return; -#endif +/* + * Function: DecodePppSerialPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) + * + * Purpose: Decode Mixed PPP/CHDLC traffic. The PPP frames will always have the + * full HDLC header. + * + * Arguments: p => pointer to decoded packet struct + * user => Utility pointer, unused + * pkthdr => ptr to the packet header + * pkt => pointer to the real live packet data + * + * Returns: void function + */ +void DecodePppSerialPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) +{ + uint32_t cap_len = pkthdr->caplen; + PROFILE_VARS; - case ETHERNET_TYPE_LOOP: - DecodeEthLoopback(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p); - return; + PREPROC_PROFILE_START(decodePerfStats); - case ETHERNET_TYPE_8021Q: - DecodeVlan(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p); - return; + pc.total_processed++; - default: - pc.other++; - p->data = pkt + ETHERNET_HEADER_LEN; - p->dsize = (uint16_t)(len - ETHERNET_HEADER_LEN); - return; - } -} + memset(p, 0, PKT_ZERO_LEN); -/* should probably generalize for all decoder alerts */ -void DecoderAlertGRE(Packet *p, int type, const char *str, const uint8_t *pkt, uint32_t len) -{ - if(ScIdsMode()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, type, - 1, DECODE_CLASS, 3, (char *)str, 0); + p->pkth = pkthdr; + p->pkt = pkt; + + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); - if (ScInlineMode()) + if(cap_len < PPP_HDRLEN) + { + if (ScLogVerbose()) { - queueDecoderInlineDrop(p); 
+ ErrorMessage("Captured data length < PPP header length" + " (%d bytes)\n", cap_len); } + PREPROC_PROFILE_END(decodePerfStats); + return; } - p->data = pkt; - p->dsize = (uint16_t)len; + if(pkt[0] == CHDLC_ADDR_BROADCAST && pkt[1] == CHDLC_CTRL_UNNUMBERED) + { + DecodePppPktEncapsulated(p->pkt + 2, cap_len - 2, p); + } else { + DecodeChdlcPkt(p, pkthdr, pkt); + } - p->greh = NULL; + PREPROC_PROFILE_END(decodePerfStats); + return; } -#endif /* GRE */ - -/** - * Validate that the length is an expected length AND that it's in bounds +/* + * Function: DecodeSlipPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) * - * EOL and NOP are handled separately - * - * @param option_ptr current location - * @param end the byte past the end of the decode list - * @param len_ptr the pointer to the length field - * @param expected_len the number of bytes we expect to see per rfc KIND+LEN+DATA, -1 means dynamic. - * @param tcpopt options structure to populate - * @param byte_skip distance to move upon completion + * Purpose: Decode SLIP traffic * - * @return returns 0 on success, < 0 on error + * Arguments: p => pointer to decoded packet struct + * user => Utility pointer, unused + * pkthdr => ptr to the packet header + * pkt => pointer to the real live packet data + * + * Returns: void function */ -static INLINE int OptLenValidate(const uint8_t *option_ptr, - const uint8_t *end, - const uint8_t *len_ptr, - int expected_len, - Options *tcpopt, - uint8_t *byte_skip) +void DecodeSlipPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) { - *byte_skip = 0; - - if(len_ptr == NULL) - { - return TCP_OPT_TRUNC; - } - - if(*len_ptr == 0 || expected_len == 0 || expected_len == 1) - { - return TCP_OPT_BADLEN; - } - else if(expected_len > 1) - { - if((option_ptr + expected_len) > end) - { - /* not enough data to read in a perfect world */ - return TCP_OPT_TRUNC; - } + uint32_t cap_len = pkthdr->caplen; + PROFILE_VARS; - if(*len_ptr != expected_len) - { - /* length is not valid */ - 
return TCP_OPT_BADLEN; - } - } - else /* expected_len < 0 (i.e. variable length) */ - { - if(*len_ptr < 2) - { - /* RFC sez that we MUST have atleast this much data */ - return TCP_OPT_BADLEN; - } - - if((option_ptr + *len_ptr) > end) - { - /* not enough data to read in a perfect world */ - return TCP_OPT_TRUNC; - } - } + PREPROC_PROFILE_START(decodePerfStats); - tcpopt->len = *len_ptr - 2; + pc.total_processed++; - if(*len_ptr == 2) - { - tcpopt->data = NULL; - } - else + memset(p, 0, PKT_ZERO_LEN); + + p->pkth = pkthdr; + p->pkt = pkt; + + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); + + /* do a little validation */ + if(cap_len < SLIP_HEADER_LEN) { - tcpopt->data = option_ptr + 2; + ErrorMessage("SLIP header length < captured len! (%d bytes)\n", + cap_len); + PREPROC_PROFILE_END(decodePerfStats); + return; } - *byte_skip = *len_ptr; - - return 0; + DecodeIP(p->pkt + SLIP_HEADER_LEN, cap_len - SLIP_HEADER_LEN, p); + PREPROC_PROFILE_END(decodePerfStats); } /* - * Function: DecodeTCPOptions(uint8_t *, uint32_t, Packet *) - * - * Purpose: Fairly self explainatory name, don't you think? - * - * TCP Option Header length validation is left to the caller - * - * For a good listing of TCP Options, - * http://www.iana.org/assignments/tcp-parameters - * - * ------------------------------------------------------------ - * 
From: "Kastenholz, Frank" <FKastenholz@unispherenetworks.com> - * Subject: Re: skeeter & bubba TCP options? - * - * ah, the sins of ones youth that never seem to be lost... - * - * it was something that ben levy and stev and i did at ftp many - * many moons ago. bridgham and stev were the instigators of it. - * the idea was simple, put a dh key exchange directly in tcp - * so that all tcp sessions could be encrypted without requiring - * any significant key management system. authentication was not - * a part of the idea, it was to be provided by passwords or - * whatever, which could now be transmitted over the internet - * with impunity since they were encrypted... we implemented - * a simple form of this (doing the math was non trivial on the - * machines of the day). it worked. the only failure that i - * remember was that it was vulnerable to man-in-the-middle - * attacks. - * - * why "skeeter" and "bubba"? well, that's known only to stev... - * ------------------------------------------------------------ - * - * 4.2.2.5 TCP Options: RFC-793 Section 3.1 + * Function: DecodeI4LRawIPPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) * - * A TCP MUST be able to receive a TCP option in any segment. A TCP - * MUST ignore without error any TCP option it does not implement, - * assuming that the option has a length field (all TCP options - * defined in the future will have length fields). TCP MUST be - * prepared to handle an illegal option length (e.g., zero) without - * crashing; a suggested procedure is to reset the connection and log - * the reason. + * Purpose: Decodes packets coming in raw on layer 2, like PPP. Coded and + * in by Jed Pickle (thanks Jed!) and modified for a few little tweaks + * by me. 
* - * Arguments: o_list => ptr to the option list - * o_len => length of the option list - * p => pointer to decoded packet struct + * Arguments: p => pointer to decoded packet struct + * user => Utility pointer, unused + * pkthdr => ptr to the packet header + * pkt => pointer to the real live packet data * * Returns: void function */ -void DecodeTCPOptions(const uint8_t *start, uint32_t o_len, Packet *p) +void DecodeI4LRawIPPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) { - const uint8_t *option_ptr = start; - const uint8_t *end_ptr = start + o_len; /* points to byte after last option */ - const uint8_t *len_ptr; - uint8_t opt_count = 0; - u_char done = 0; /* have we reached TCPOPT_EOL yet?*/ - u_char experimental_option_found = 0; /* are all options RFC compliant? */ - u_char obsolete_option_found = 0; - u_char ttcp_found = 0; - - int code = 2; - uint8_t byte_skip; + PROFILE_VARS; - /* Here's what we're doing so that when we find out what these - * other buggers of TCP option codes are, we can do something - * useful - * - * 1) get option code - * 2) check for enough space for current option code - * 3) set option data ptr - * 4) increment option code ptr - * - * TCP_OPTLENMAX = 40 because of - * (((2^4) - 1) * 4 - TCP_HEADER_LEN) - * - */ + PREPROC_PROFILE_START(decodePerfStats); - if(o_len > TCP_OPTLENMAX) + pc.total_processed++; + + memset(p, 0, PKT_ZERO_LEN); + + p->pkth = pkthdr; + p->pkt = pkt; + + if(p->pkth->pktlen < 2) { - /* This shouldn't ever alert if we are doing our job properly - * in the caller */ - p->tcph = NULL; /* let's just alert */ - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "o_len(%u) > TCP_OPTLENMAX(%u)\n", - o_len, TCP_OPTLENMAX)); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "What the hell is this?\n");); + // TBD add decoder drop event for bad i4l raw pkt + pc.other++; + PREPROC_PROFILE_END(decodePerfStats); return; } - - while((option_ptr < end_ptr) && (opt_count < TCP_OPTLENMAX) && (code >= 0) && !done) - { - 
p->tcp_options[opt_count].code = *option_ptr; - - if((option_ptr + 1) < end_ptr) - { - len_ptr = option_ptr + 1; - } - else - { - len_ptr = NULL; - } - - switch(*option_ptr) - { - case TCPOPT_EOL: - done = 1; /* fall through to the NOP case */ - case TCPOPT_NOP: - p->tcp_options[opt_count].len = 0; - p->tcp_options[opt_count].data = NULL; - byte_skip = 1; - code = 0; - break; - case TCPOPT_MAXSEG: - code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_MAXSEG, - &p->tcp_options[opt_count], &byte_skip); - break; - case TCPOPT_SACKOK: - code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_SACKOK, - &p->tcp_options[opt_count], &byte_skip); - break; - case TCPOPT_WSCALE: - code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_WSCALE, - &p->tcp_options[opt_count], &byte_skip); - if (code == 0) - { - if (ScIdsMode() && - ((uint16_t) p->tcp_options[opt_count].data[0] > 14)) - { - /* LOG INVALID WINDOWSCALE alert */ - if (ScDecoderTcpOptAlerts()) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_TCPOPT_WSCALE_INVALID, 1, DECODE_CLASS, 3, - DECODE_TCPOPT_WSCALE_INVALID_STR, 0); - queueTcpOptInlineDrop(p); - } - } - } - break; - case TCPOPT_ECHO: /* both use the same lengths */ - case TCPOPT_ECHOREPLY: - obsolete_option_found = 1; - code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_ECHO, - &p->tcp_options[opt_count], &byte_skip); - break; - case TCPOPT_MD5SIG: - experimental_option_found = 1; - code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_MD5SIG, - &p->tcp_options[opt_count], &byte_skip); - break; - case TCPOPT_SACK: - code = OptLenValidate(option_ptr, end_ptr, len_ptr, -1, - &p->tcp_options[opt_count], &byte_skip); - if(p->tcp_options[opt_count].data == NULL) - code = TCP_OPT_BADLEN; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); + DecodeIP(pkt + 2, p->pkth->pktlen - 2, p); - break; - case TCPOPT_CC_ECHO: - ttcp_found = 1; - /* fall through */ - case TCPOPT_CC: /* all 3 use the same lengths / T/TCP */ - case 
TCPOPT_CC_NEW: - code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_CC, - &p->tcp_options[opt_count], &byte_skip); - break; - case TCPOPT_TRAILER_CSUM: - experimental_option_found = 1; - code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_TRAILER_CSUM, - &p->tcp_options[opt_count], &byte_skip); - break; + PREPROC_PROFILE_END(decodePerfStats); + return; +} - case TCPOPT_TIMESTAMP: - code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_TIMESTAMP, - &p->tcp_options[opt_count], &byte_skip); - break; - - case TCPOPT_SKEETER: - case TCPOPT_BUBBA: - case TCPOPT_UNASSIGNED: - obsolete_option_found = 1; - code = OptLenValidate(option_ptr, end_ptr, len_ptr, -1, - &p->tcp_options[opt_count], &byte_skip); - break; - default: - case TCPOPT_SCPS: - case TCPOPT_SELNEGACK: - case TCPOPT_RECORDBOUND: - case TCPOPT_CORRUPTION: - case TCPOPT_PARTIAL_PERM: - case TCPOPT_PARTIAL_SVC: - case TCPOPT_ALTCSUM: - case TCPOPT_SNAP: - experimental_option_found = 1; - code = OptLenValidate(option_ptr, end_ptr, len_ptr, -1, - &p->tcp_options[opt_count], &byte_skip); - break; - } - if(code < 0) - { - if (ScIdsMode()) - { - if(code == TCP_OPT_BADLEN) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_TCPOPT_BADLEN, 1, DECODE_CLASS, 3, - DECODE_TCPOPT_BADLEN_STR, 0); - queueTcpOptInlineDrop(p); - } - else if(code == TCP_OPT_TRUNC) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_TCPOPT_TRUNCATED, 1, DECODE_CLASS, 3, - DECODE_TCPOPT_TRUNCATED_STR, 0); +/* + * Function: DecodeI4LCiscoIPPkt(Packet *, char *, + * DAQ_PktHdr_t*, uint8_t*) + * + * Purpose: Decodes packets coming in raw on layer 2, like PPP. Coded and + * in by Jed Pickle (thanks Jed!) and modified for a few little tweaks + * by me. 
+ * + * Arguments: p => pointer to decoded packet struct + * user => Utility pointer, unused + * pkthdr => ptr to the packet header + * pkt => pointer to the real live packet data + * + * Returns: void function + */ +void DecodeI4LCiscoIPPkt(Packet *p, const DAQ_PktHdr_t *pkthdr, const uint8_t *pkt) +{ + PROFILE_VARS; - queueTcpOptInlineDrop(p); - } - } + PREPROC_PROFILE_START(decodePerfStats); - /* set the option count to the number of valid - * options found before this bad one - * some implementations (BSD and Linux) ignore - * the bad ones, but accept the good ones */ - p->tcp_option_count = opt_count; + pc.total_processed++; - return; - } + memset(p, 0, PKT_ZERO_LEN); - opt_count++; + p->pkth = pkthdr; + p->pkt = pkt; - option_ptr += byte_skip; + if(p->pkth->pktlen < 4) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "What the hell is this?\n");); + // TBD add decoder drop event for bad i4l cisco pkt + pc.other++; + PREPROC_PROFILE_END(decodePerfStats); + return; } - p->tcp_option_count = opt_count; - - if (ScIdsMode() && experimental_option_found) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_TCPOPT_EXPERIMENT, 1, - DECODE_CLASS, 3, DECODE_TCPOPT_EXPERIMENT_STR, 0); - queueTcpOptExpInlineDrop(p); - } - else if (ScIdsMode() && obsolete_option_found) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_TCPOPT_OBSOLETE, 1, - DECODE_CLASS, 3, DECODE_TCPOPT_OBSOLETE_STR, 0); - queueTcpOptObsInlineDrop(p); - } - else if (ScIdsMode() && ttcp_found) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, DECODE_TCPOPT_TTCP, 1, - DECODE_CLASS, 3, DECODE_TCPOPT_TTCP_STR, 0); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); - queueTcpOptTTcpInlineDrop(p); - } + DecodeIP(pkt + 4, p->pkth->caplen - 4, p); + PREPROC_PROFILE_END(decodePerfStats); return; } - /* - * Function: DecodeIPOptions(uint8_t *, uint32_t, Packet *) + * Function: DecodeChdlcPkt(Packet *, char *, + * DAQ_PktHdr_t*, uint8_t*) * - * Purpose: Once again, a fairly self-explainatory name + * Purpose: 
Decodes Cisco HDLC encapsulated packets, f.ex. from SONET. * - * Arguments: o_list => ptr to the option list - * o_len => length of the option list - * p => pointer to decoded packet struct + * Arguments: p => pointer to decoded packet struct + * user => Utility pointer, unused + * pkthdr => ptr to the packet header + * pkt => pointer to the real live packet data * * Returns: void function */ -void DecodeIPOptions(const uint8_t *start, uint32_t o_len, Packet *p) +void DecodeChdlcPkt(Packet *p, const DAQ_PktHdr_t *pkthdr, const uint8_t *pkt) { - const uint8_t *option_ptr = start; - u_char done = 0; /* have we reached IP_OPTEOL yet? */ - const uint8_t *end_ptr = start + o_len; - uint8_t opt_count = 0; /* what option are we processing right now */ - uint8_t byte_skip; - const uint8_t *len_ptr; - int code = 0; /* negative error codes are returned from bad options */ - + uint32_t cap_len = pkthdr->caplen; + PROFILE_VARS; - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Decoding %d bytes of IP options\n", o_len);); + PREPROC_PROFILE_START(decodePerfStats); + pc.total_processed++; - while((option_ptr < end_ptr) && (opt_count < IP_OPTMAX) && (code >= 0)) - { - p->ip_options[opt_count].code = *option_ptr; + memset(p, 0, PKT_ZERO_LEN); - if((option_ptr + 1) < end_ptr) - { - len_ptr = option_ptr + 1; - } - else - { - len_ptr = NULL; - } + p->pkth = pkthdr; + p->pkt = pkt; - switch(*option_ptr) + if(cap_len < CHDLC_HEADER_LEN) + { + if (ScLogVerbose()) { - case IPOPT_NOP: - case IPOPT_EOL: - /* if we hit an EOL, we're done */ - if(*option_ptr == IPOPT_EOL) - done = 1; - - p->ip_options[opt_count].len = 0; - p->ip_options[opt_count].data = NULL; - byte_skip = 1; - break; - default: - /* handle all the dynamic features */ - code = OptLenValidate(option_ptr, end_ptr, len_ptr, -1, - &p->ip_options[opt_count], &byte_skip); + ErrorMessage("Captured data length < CHDLC header length" + " (%d bytes)\n", cap_len); } + PREPROC_PROFILE_END(decodePerfStats); + return; + } - if(code < 0) - { - if 
(ScIdsMode()) - { - /* Yes, we use TCP_OPT_* for the IP option decoder. - */ - if(code == TCP_OPT_BADLEN) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_IPV4OPT_BADLEN, 1, DECODE_CLASS, 3, - DECODE_IPV4OPT_BADLEN_STR, 0); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); - queueIpOptInlineDrop(p); - } - else if(code == TCP_OPT_TRUNC) - { - queueDecoderEvent(GENERATOR_SNORT_DECODE, - DECODE_IPV4OPT_TRUNCATED, 1, DECODE_CLASS, 3, - DECODE_IPV4OPT_TRUNCATED_STR, 0); - - queueIpOptInlineDrop(p); - } - } + if ((pkt[0] == CHDLC_ADDR_UNICAST || pkt[0] == CHDLC_ADDR_MULTICAST) && + ntohs(*(uint16_t *)&pkt[2]) == ETHERNET_TYPE_IP) + { + DecodeIP(p->pkt + CHDLC_HEADER_LEN, + cap_len - CHDLC_HEADER_LEN, p); + } else { + // TBD add decoder drop event for unsupported chdlc encapsulation + pc.other++; + } - return; - } + PREPROC_PROFILE_END(decodePerfStats); + return; +} - if(!done) - opt_count++; +/* + * Function: DecodeEapol(uint8_t *, uint32_t, Packet *) + * + * Purpose: Decode 802.1x eapol stuff + * + * Arguments: pkt => ptr to the packet data + * len => length from here to the end of the packet + * p => pointer to decoded packet struct + * + * Returns: void function + */ +void DecodeEapol(const uint8_t * pkt, uint32_t len, Packet * p) +{ + p->eplh = (EtherEapol *) pkt; + pc.eapol++; + if(len < sizeof(EtherEapol)) + { + DecoderEvent(p, DECODE_EAPOL_TRUNCATED, + DECODE_EAPOL_TRUNCATED_STR, 1, 1); - option_ptr += byte_skip; + pc.discards++; + return; + } + if (p->eplh->eaptype == EAPOL_TYPE_EAP) { + DecodeEAP(pkt + sizeof(EtherEapol), len - sizeof(EtherEapol), p); + } + else if(p->eplh->eaptype == EAPOL_TYPE_KEY) { + DecodeEapolKey(pkt + sizeof(EtherEapol), len - sizeof(EtherEapol), p); } - - p->ip_option_count = opt_count; - return; } -#if defined(WORDS_MUSTALIGN) && !defined(__GNUC__) -uint32_t -EXTRACT_32BITS (u_char *p) +/* + * Function: DecodeEapolKey(uint8_t *, uint32_t, Packet *) + * + * Purpose: Decode 1x key setup + * + * Arguments: pkt => ptr to the 
packet data + * len => length from here to the end of the packet + * p => pointer to decoded packet struct + * + * Returns: void function + */ +void DecodeEapolKey(const uint8_t * pkt, uint32_t len, Packet * p) { - uint32_t __tmp; + p->eapolk = (EapolKey *) pkt; + if(len < sizeof(EapolKey)) + { + DecoderEvent(p, DECODE_EAPKEY_TRUNCATED, + DECODE_EAPKEY_TRUNCATED_STR, 1, 1); - memmove(&__tmp, p, sizeof(uint32_t)); - return (uint32_t) ntohl(__tmp); + pc.discards++; + return; + } + + return; } -#endif /* WORDS_MUSTALIGN && !__GNUC__ */ -#ifdef MPLS -int isPrivateIP(uint32_t addr) +/* + * Function: DecodeEAP(uint8_t *, uint32_t, Packet *) + * + * Purpose: Decode Extensible Authentication Protocol + * + * Arguments: pkt => ptr to the packet data + * len => length from here to the end of the packet + * p => pointer to decoded packet struct + * + * Returns: void function + */ +void DecodeEAP(const uint8_t * pkt, const uint32_t len, Packet * p) { - switch (addr & 0xff) + p->eaph = (EAPHdr *) pkt; + if(len < sizeof(EAPHdr)) { - case 0x0a: - return 1; - break; - case 0xac: - if ((addr & 0xf000) == 0x1000) - return 1; - break; - case 0xc0: - if (((addr & 0xff00) ) == 0xa800) - return 1; - break; + DecoderEvent(p, DECODE_EAP_TRUNCATED, + DECODE_EAP_TRUNCATED_STR, 1, 1); + + pc.discards++; + return; } - return 0; + if (p->eaph->code == EAP_CODE_REQUEST || + p->eaph->code == EAP_CODE_RESPONSE) { + p->eaptype = pkt + sizeof(EAPHdr); + } + return; } -#endif -void InitSynToMulticastDstIp( void ) +/* + * Function: DecodeIPX(uint8_t *, uint32_t) + * + * Purpose: Well, it doesn't do much of anything right now... 
+ * + * Arguments: pkt => ptr to the packet data + * len => length from here to the end of the packet + * + * Returns: void function + * + */ +void DecodeIPX(const uint8_t *pkt, uint32_t len, Packet *p) { -#ifdef SUP_IP6 - extern SnortConfig *snort_conf_for_parsing; - snort_conf_for_parsing = snort_conf; -#endif - SynToMulticastDstIp = IpAddrSetParse("[232.0.0.0/8,233.0.0.0/8,239.0.0.0/8]"); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "IPX is not supported.\n");); - if( SynToMulticastDstIp == NULL ) - { - FatalError("Could not initialize SynToMulticastDstIp\n"); - } -#ifdef SUP_IP6 - snort_conf_for_parsing = NULL; + pc.ipx++; + +#ifdef GRE + if (p->greh != NULL) + pc.gre_ipx++; #endif + + return; } -void SynToMulticastDstIpDestroy( void ) +#ifdef DLT_ENC +/* see http://sourceforge.net/mailarchive/message.php?msg_id=1000380 */ +/* + * Function: DecodeEncPkt(Packet *, DAQ_PktHdr_t *, uint8_t *) + * + * Purpose: Decapsulate packets of type DLT_ENC. + * XXX Are these always going to be IP in IP? + * + * Arguments: p => pointer to decoded packet struct + * pkthdr => pointer to the packet header + * pkt => pointer to the real live packet data + */ +void DecodeEncPkt(Packet *p, const DAQ_PktHdr_t *pkthdr, const uint8_t *pkt) { + uint32_t cap_len = pkthdr->caplen; + struct enc_header *enc_h; + PROFILE_VARS; - if( SynToMulticastDstIp ) + PREPROC_PROFILE_START(decodePerfStats); + + pc.total_processed++; + + memset(p, 0, PKT_ZERO_LEN); + p->pkth = pkthdr; + p->pkt = pkt; + + if (cap_len < ENC_HEADER_LEN) { - IpAddrSetDestroy(SynToMulticastDstIp); -#ifndef SUP_IP6 - free(SynToMulticastDstIp); - SynToMulticastDstIp = NULL; -#endif + if (ScLogVerbose()) + { + ErrorMessage("Captured data length < Encap header length! 
(%d bytes)\n", + cap_len); + } + PREPROC_PROFILE_END(decodePerfStats); + return; } -} + enc_h = (struct enc_header *)p->pkt; + if (enc_h->af == AF_INET) + { + DecodeIP(p->pkt + ENC_HEADER_LEN + IP_HEADER_LEN, + cap_len - ENC_HEADER_LEN - IP_HEADER_LEN, p); + } + else + { + ErrorMessage("WARNING: Unknown address family (af: 0x%x).\n", + enc_h->af); + } + PREPROC_PROFILE_END(decodePerfStats); + return; +} +#endif /* DLT_ENC */ +#endif // NO_NON_ETHER_DECODER diff -Nru snort-2.8.5.2/src/decode.h snort-2.9.2/src/decode.h --- snort-2.8.5.2/src/decode.h 2009-08-10 20:41:38.000000000 +0000 +++ snort-2.9.2/src/decode.h 2011-11-21 20:15:24.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -20,7 +20,6 @@ /* $Id$ */ - #ifndef __DECODE_H__ #define __DECODE_H__ @@ -33,7 +32,6 @@ #include <stddef.h> #include <sys/types.h> -#include <pcap.h> #ifndef WIN32 #include <sys/socket.h> @@ -41,18 +39,23 @@ #include <net/if.h> #else /* !WIN32 */ #include <netinet/in_systm.h> -#include "libnet/IPExport.h" #ifndef IFNAMSIZ #define IFNAMESIZ MAX_ADAPTER_NAME #endif /* !IFNAMSIZ */ #endif /* !WIN32 */ +#include <daq.h> +#include <sfbpf_dlt.h> + #include "bitop.h" #include "ipv6_port.h" #include "sf_ip.h" +#include "sf_protocols.h" +#include "sfdaq.h" #include "util.h" /* D E F I N E S ************************************************************/ + #define ETHERNET_MTU 1500 #define ETHERNET_TYPE_IP 0x0800 #define ETHERNET_TYPE_ARP 0x0806 
@@ -79,9 +82,10 @@ #define ETHERNET_HEADER_LEN 14 #define ETHERNET_MAX_LEN_ENCAP 1518 /* 802.3 (+LLC) or ether II ? */ -#define PPPOE_HEADER_LEN 20 /* ETHERNET_HEADER_LEN + 6 */ +#define PPPOE_HEADER_LEN 6 #define VLAN_HEADER_LEN 4 + #ifndef NO_NON_ETHER_DECODER #define MINIMAL_TOKENRING_HEADER_LEN 22 #define MINIMAL_IEEE80211_HEADER_LEN 10 /* Ack frames and others */ @@ -97,7 +101,7 @@ #define WLAN_TYPE_MGMT_REREQ 0x20 /* 0010 00 Reassoc. Req. */ #define WLAN_TYPE_MGMT_RERES 0x30 /* 0011 00 Reassoc. Resp. */ #define WLAN_TYPE_MGMT_PRREQ 0x40 /* 0100 00 Probe Request */ -#define WLAN_TYPE_MGMT_PRRES 0x50 /* 0101 00 Probe Response */ +#define WLAN_TYPE_MGMT_PRRES 0x50 /* 0101 00 Probe Response */ #define WLAN_TYPE_MGMT_BEACON 0x80 /* 1000 00 Beacon */ #define WLAN_TYPE_MGMT_ATIM 0x90 /* 1001 00 ATIM message */ #define WLAN_TYPE_MGMT_DIS 0xa0 /* 1010 00 Disassociation */ @@ -139,7 +143,7 @@ #define EAPOL_TYPE_ASF 0x04 /* EAPOL Encapsulated ASF-Alert */ /* Extensible Authentication Protocol Codes RFC 2284*/ -#define EAP_CODE_REQUEST 0x01 +#define EAP_CODE_REQUEST 0x01 #define EAP_CODE_RESPONSE 0x02 #define EAP_CODE_SUCCESS 0x03 #define EAP_CODE_FAILURE 0x04 @@ -160,6 +164,24 @@ #define CHDLC_ADDR_BROADCAST 0xff #define CHDLC_CTRL_UNNUMBERED 0x03 +/* Teredo values */ +#define TEREDO_PORT 3544 +#define TEREDO_INDICATOR_ORIGIN 0x00 +#define TEREDO_INDICATOR_ORIGIN_LEN 8 +#define TEREDO_INDICATOR_AUTH 0x01 +#define TEREDO_INDICATOR_AUTH_MIN_LEN 13 +#define TEREDO_MIN_LEN 2 + +/* GTP values */ + +#define GTP_MIN_LEN 8 +#define GTP_V0_HEADER_LEN 20 +#define GTP_V1_HEADER_LEN 12 +/* ESP constants */ +#define ESP_HEADER_LEN 8 +#define ESP_AUTH_DATA_LEN 12 +#define ESP_TRAILER_LEN 2 + #define MAX_PORTS 65536 /* ppp header structure 
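Review bot: The meaning of PPPOE_HEADER_LEN changes here from "offset of the PPPoE payload from the start of the Ethernet frame" (20, documented as ETHERNET_HEADER_LEN + 6) to the bare PPPoE header (6), and the hunk drops the only comment that explained the constant. Every user now has to add the Ethernet header offset itself; the callers are not in this hunk, so I cannot confirm they were all updated. I would keep the intent visible: `#define PPPOE_HEADER_LEN 6 /* PPPoE header only; callers add ETHERNET_HEADER_LEN themselves */`.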
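Review bot: ESP_AUTH_DATA_LEN fixes the ESP ICV at 12 octets, but RFC 4303 leaves the ICV length to the negotiated integrity algorithm: 12 matches HMAC-SHA1-96 and HMAC-MD5-96, while HMAC-SHA-256-128 or AES-GMAC produce 16, so any trailer/next-header computation built on this constant is off by four for those SAs. The decoder that consumes these constants is not in this hunk, so I cannot see whether that case is handled; at minimum the assumption belongs next to the value: `#define ESP_AUTH_DATA_LEN 12 /* assumes a 96-bit ICV; other integrity algorithms use 16 */`. The Teredo and GTP lengths in the same block are presumably minimums rather than fixed sizes (TEREDO_INDICATOR_AUTH_MIN_LEN says so, GTP_V1_HEADER_LEN 12 already includes the optional fields), which is worth one line of comment as well.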
@@ -204,25 +226,46 @@ #define TCP_HEADER_LEN 20 #define UDP_HEADER_LEN 8 #define ICMP_HEADER_LEN 4 +#define ICMP_NORMAL_LEN 8 #define IP_OPTMAX 40 -#define IP6_EXTMAX 40 +#define IP6_EXTMAX 8 #define TCP_OPTLENMAX 40 /* (((2^4) - 1) * 4 - TCP_HEADER_LEN) */ +#define LOG_FUNC_MAX 32 + #ifndef IP_MAXPACKET #define IP_MAXPACKET 65535 /* maximum packet size */ #endif /* IP_MAXPACKET */ + +/* http://www.iana.org/assignments/ipv6-parameters + * + * IPv6 Options (not Extension Headers) + */ +#define IP6_OPT_TUNNEL_ENCAP 0x04 +#define IP6_OPT_QUICK_START 0x06 +#define IP6_OPT_CALIPSO 0x07 +#define IP6_OPT_HOME_ADDRESS 0xC9 +#define IP6_OPT_ENDPOINT_IDENT 0x8A + +// these are bits in th_flags: #define TH_FIN 0x01 #define TH_SYN 0x02 #define TH_RST 0x04 #define TH_PUSH 0x08 #define TH_ACK 0x10 #define TH_URG 0x20 -#define TH_RES2 0x40 -#define TH_RES1 0x80 +#define TH_ECE 0x40 +#define TH_CWR 0x80 +#define TH_RES2 TH_ECE // TBD TH_RES* should be deleted (see log.c) +#define TH_RES1 TH_CWR #define TH_NORESERVED (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) +// these are bits in th_offx2: +#define TH_RSV 0x0E // reserved bits +#define TH_NS 0x01 // ECN nonce bit + /* http://www.iana.org/assignments/tcp-parameters * * tcp options stuff. used to be in <netinet/tcp.h> but it breaks @@ -273,7 +316,7 @@ #define TCPOPT_BUBBA 17 /* Bubba [Knowles] */ #define TCPOPT_TRAILER_CSUM 18 /* Trailer Checksum Option [Subbu & Monroe] */ -#define TCPOLEN_TRAILER_CSUM 3 +#define TCPOLEN_TRAILER_CSUM 3 #define TCPOPT_MD5SIG 19 /* MD5 Signature Option [RFC2385] */ #define TCPOLEN_MD5SIG 18 @@ -312,7 +355,7 @@ #define TCP_MAXWIN 65535 /* largest value for (unscaled) window */ #endif -#ifndef TCP_MAX_WINSHIFT +#ifndef TCP_MAX_WINSHIFT #define TCP_MAX_WINSHIFT 14 /* maximum window shift */ #endif 
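Review bot: IP6_EXTMAX drops from 40 to 8 without a comment. The name suggests it sizes a per-packet array of extension-header records (the struct is not in this hunk), in which case every decoder loop that appends to that array must stop at the same bound, and a packet carrying more than eight extension headers is now either truncated or rejected; the hunk does not say which is intended. I would record it: `#define IP6_EXTMAX 8 /* extension headers tracked per packet; the decoder must stop or alert beyond this */`. The TH_ECE/TH_CWR rename with TH_RES2/TH_RES1 kept as aliases is fine and already carries its own TBD.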
@@ -335,15 +378,6 @@ #define DHCP_CLIENT_PORT 68 #define DHCP_SERVER_PORT 67 -/* IRIX 6.2 hack! */ -#ifndef IRIX - #define SNAPLEN 1514 -#else - #define SNAPLEN 1500 -#endif - -#define READ_TIMEOUT 500 - #ifndef NO_NON_ETHER_DECODER /* Start Token Ring */ #define TR_ALEN 6 /* octets in an Ethernet header */ 
@@ -557,60 +591,84 @@ #define PKT_REBUILT_FRAG 0x00000001 /* is a rebuilt fragment */ #define PKT_REBUILT_STREAM 0x00000002 /* is a rebuilt stream */ #define PKT_STREAM_UNEST_UNI 0x00000004 /* is from an unestablished stream and - * we've only seen traffic in one - * direction - */ -#define PKT_STREAM_UNEST_BI 0x00000008 /* is from an unestablished stream and - * we've seen traffic in both - * directions - */ -#define PKT_STREAM_EST 0x00000010 /* is from an established stream */ -#define PKT_ECN 0x00000020 /* this is ECN traffic */ + * we've only seen traffic in one direction */ +#define PKT_STREAM_EST 0x00000008 /* is from an established stream */ + +#define PKT_STREAM_INSERT 0x00000010 /* this packet has been queued for stream reassembly */ +#define PKT_STREAM_TWH 0x00000020 /* packet completes the 3-way handshake */ #define PKT_FROM_SERVER 0x00000040 /* this packet came from the server side of a connection (TCP) */ #define PKT_FROM_CLIENT 0x00000080 /* this packet came from the client side of a connection (TCP) */ -#define PKT_HTTP_DECODE 0x00000100 /* this packet has normalized http */ -#define PKT_FRAG_ALERTED 0x00000200 /* this packet has been alerted by - defrag */ -#define PKT_STREAM_INSERT 0x00000400 /* this packet has been inserted into stream4 */ -#define PKT_ALT_DECODE 0x00000800 /* this packet has been normalized by telnet - (only set when we must look at an alernative buffer) - */ -#define PKT_STREAM_TWH 0x00001000 -#define PKT_IGNORE_PORT 0x00002000 /* this packet should be ignored, based on port */ -#define PKT_PASS_RULE 0x00004000 /* this packet has matched a pass rule */ -#define PKT_NO_DETECT 0x00008000 /* this packet should not be preprocessed */ -#define PKT_PREPROC_RPKT 0x00010000 /* set in original packet to indicate a preprocessor - * has a reassembled packet */ -#define PKT_DCE_RPKT 0x00020000 /* this packet is a DCE/RPC reassembled one */ + +#define PKT_PDU_HEAD 0x00000100 /* start of PDU */ +#define PKT_PDU_TAIL 0x00000200 /* end of PDU 
*/ +#define PKT_UNSURE_ENCAP 0x00000400 /* packet may have incorrect encapsulation layer. */ + /* don't alert if "next layer" is invalid. */ +#define PKT_HTTP_DECODE 0x00000800 /* this packet has normalized http */ + +#define PKT_IGNORE_PORT 0x00001000 /* this packet should be ignored, based on port */ +#define PKT_NO_DETECT 0x00002000 /* this packet should not be preprocessed */ +#define PKT_ALLOW_MULTIPLE_DETECT 0x00004000 /* packet has either pipelined mime attachements */ + /* or pipeline http requests */ +#define PKT_PAYLOAD_OBFUSCATE 0x00008000 + +#define PKT_STATELESS 0x00010000 /* Packet has matched a stateless rule */ +#define PKT_PASS_RULE 0x00020000 /* this packet has matched a pass rule */ #define PKT_IP_RULE 0x00040000 /* this packet is being evaluated against an IP rule */ #define PKT_IP_RULE_2ND 0x00080000 /* this packet is being evaluated against an IP rule */ -#define PKT_SMB_SEG 0x00100000 /* this is an SMB desegmented packet */ -#define PKT_DCE_SEG 0x00200000 /* this is a DCE/RPC desegmented packet */ -#define PKT_DCE_FRAG 0x00400000 /* this is a DCE/RPC defragmented packet */ -#define PKT_SMB_TRANS 0x00800000 /* this is an SMB Transact reassembled packet */ -#define PKT_DCE_PKT 0x01000000 /* this is a DCE packet processed by DCE/RPC preprocessor */ - -#define PKT_STATELESS 0x10000000 /* Packet has matched a stateless rule */ -#define PKT_INLINE_DROP 0x20000000 -#define PKT_OBFUSCATED 0x40000000 /* this packet has been obfuscated */ -#define PKT_LOGGED 0x80000000 /* this packet has been logged */ -#define DECODE_START_INDEX 400 -#define DECODE_SID_MAX 405 /* Highest numbered sid in decoder rules */ -#define DECODE_INDEX_MAX (DECODE_SID_MAX - DECODE_START_INDEX + 1) - +#define PKT_LOGGED 0x00100000 /* this packet has been logged */ +#define PKT_PSEUDO 0x00200000 /* is a pseudo packet */ +#define PKT_MODIFIED 0x00400000 /* packet had normalizations, etc. 
*/ +#ifdef NORMALIZER +#define PKT_RESIZED 0x00800000 /* packet has new size; must set modified too */ +#endif + +// neither of these flags will be set for (full) retransmissions or non-data segments +// a partial overlap results in out of sequence condition +// out of sequence condition is sticky +#define PKT_STREAM_ORDER_OK 0x01000000 /* this segment is in order, w/o gaps */ +#define PKT_STREAM_ORDER_BAD 0x02000000 /* this stream had at last one gap */ +#define PKT_REASSEMBLED_OLD 0x04000000 /* for backwards compat with so rules */ + +// 0x0F800000 are available + +#define PKT_PDU_FULL (PKT_PDU_HEAD | PKT_PDU_TAIL) + +#define REASSEMBLED_PACKET_FLAGS (PKT_REBUILT_STREAM|PKT_REASSEMBLED_OLD) + +typedef enum { + PSEUDO_PKT_IP, + PSEUDO_PKT_TCP, + PSEUDO_PKT_DCE_RPKT, + PSEUDO_PKT_SMB_SEG, + PSEUDO_PKT_DCE_SEG, + PSEUDO_PKT_DCE_FRAG, + PSEUDO_PKT_SMB_TRANS, + PSEUDO_PKT_PS, + PSEUDO_PKT_SDF, + PSEUDO_PKT_MAX +} PseudoPacketType; + +/* error flags */ +#define PKT_ERR_CKSUM_IP 0x01 +#define PKT_ERR_CKSUM_TCP 0x02 +#define PKT_ERR_CKSUM_UDP 0x04 +#define PKT_ERR_CKSUM_ICMP 0x08 +#define PKT_ERR_CKSUM_IGMP 0x10 +#define PKT_ERR_CKSUM_ANY 0x1F +#define PKT_ERR_BAD_TTL 0x20 /* D A T A S T R U C T U R E S *********************************************/ +typedef int (*LogFunction)(void *ssnptr, uint8_t **buf, uint32_t *len, uint32_t *type); #ifndef NO_NON_ETHER_DECODER /* Start Token Ring Data Structures */ - #ifdef _MSC_VER /* Visual C++ pragma to disable warning messages about nonstandard bit field type */ - #pragma warning( disable : 4214 ) + #pragma warning( disable : 4214 ) #endif /* LLC structure */ @@ -630,7 +688,7 @@ #ifdef _MSC_VER /* Visual C++ pragma to disable warning messages about nonstandard bit field type */ - #pragma warning( disable : 4214 ) + #pragma warning( disable : 4214 ) #endif 
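Review bot: The comment `// 0x0F800000 are available` is wrong: 0x00800000, 0x01000000, 0x02000000 and 0x04000000 are taken by PKT_RESIZED, PKT_STREAM_ORDER_OK, PKT_STREAM_ORDER_BAD and PKT_REASSEMBLED_OLD defined just above it, so the free bits are 0x08000000 through 0x80000000, i.e. `// 0xF8000000 are available`. Separately, most existing flag values are renumbered in this hunk (PKT_STREAM_INSERT 0x400 to 0x10, PKT_PASS_RULE 0x4000 to 0x20000, PKT_STATELESS 0x10000000 to 0x10000, PKT_LOGGED 0x80000000 to 0x100000), and the PKT_REASSEMBLED_OLD alias "for backwards compat with so rules" suggests externally built code reads these bits; anything compiled against the old header will test the wrong ones. A one-line comment at the top of the block stating that the numeric values are not stable across releases would save the next reader that investigation.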
@@ -643,9 +701,9 @@ uint16_t bcast:3, len:5, dir:1, lf:3, res:4; #else uint16_t len:5, length of RIF field, including RC itself - bcast:3, broadcast indicator - res:4, reserved - lf:3, largest frame size + bcast:3, broadcast indicator + res:4, reserved + lf:3, largest frame size dir:1; direction */ @@ -831,10 +889,10 @@ #ifdef _MSC_VER - /* Visual C++ pragma to disable warning messages - * about nonstandard bit field type + /* Visual C++ pragma to disable warning messages + * about nonstandard bit field type */ - #pragma warning( disable : 4214 ) + #pragma warning( disable : 4214 ) #endif #define VTH_PRIORITY(vh) ((ntohs((vh)->vth_pri_cfi_vlan) & 0xe000) >> 13) @@ -874,7 +932,7 @@ #define SPARC_TWIDDLE 0 #endif -/* +/* * Ethernet header */ @@ -884,7 +942,7 @@ uint8_t ether_src[6]; uint16_t ether_type; -} EtherHdr; +} EtherHdr; #ifndef NO_NON_ETHER_DECODER @@ -904,13 +962,13 @@ #endif // NO_NON_ETHER_DECODER -/* Can't add any fields not in the real header here +/* Can't add any fields not in the real header here because of how the decoder uses structure overlaying */ #ifdef _MSC_VER - /* Visual C++ pragma to disable warning messages - * about nonstandard bit field type + /* Visual C++ pragma to disable warning messages + * about nonstandard bit field type */ - #pragma warning( disable : 4214 ) + #pragma warning( disable : 4214 ) #endif /* tcpdump shows us the way to cross platform compatibility */ @@ -923,6 +981,26 @@ #define NUM_IP_PROTOS 256 +/* Last updated 6/2/2010. + Source: http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml */ +#define MIN_UNASSIGNED_IP_PROTO 143 + +#ifndef IPPROTO_SWIPE +#define IPPROTO_SWIPE 53 +#endif +#ifndef IPPROTO_IP_MOBILITY +#define IPPROTO_IP_MOBILITY 55 +#endif +#ifndef IPPROTO_SUN_ND +#define IPPROTO_SUN_ND 77 +#endif +#ifndef IPPROTO_PIM +#define IPPROTO_PIM 103 +#endif +#ifndef IPPROTO_PGM +#define IPPROTO_PGM 113 +#endif + typedef struct _IPHdr { uint8_t ip_verhl; /* version & header length */ 
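Review bot: MIN_UNASSIGNED_IP_PROTO is a snapshot of the IANA registry (the comment dates it to 6/2/2010), and any check of the form `proto >= MIN_UNASSIGNED_IP_PROTO` will start flagging legitimate traffic as the registry grows; IANA has since assigned 143, for instance. The consumer of the constant is not in this hunk, so I cannot tell whether it drives an event or only a counter. I would extend the comment to say the value must be revisited against the registry, or replace the threshold with a per-protocol assigned/unassigned table that can be updated without touching the decoder. The IPPROTO_* fallbacks (53, 55, 77, 103, 113) match the registry.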
@@ -945,23 +1023,23 @@ uint16_t ip_id; /* identification */ uint16_t ip_off; /* fragment offset */ uint8_t ip_ttl; /* time to live field */ - uint8_t ip_proto; /* datagram protocol */ + uint8_t ip_proto; /* datagram protocol */ uint16_t ip_csum; /* checksum */ sfip_t ip_src; /* source IP */ sfip_t ip_dst; /* dest IP */ } IP4Hdr; typedef struct _IPv6Hdr -{ +{ uint32_t vcl; /* version, class, and label */ uint16_t len; /* length of the payload */ uint8_t next; /* next header * Uses the same flags as * the IPv4 protocol field */ - uint8_t hop_lmt; /* hop limit */ + uint8_t hop_lmt; /* hop limit */ sfip_t ip_src; sfip_t ip_dst; -} IP6Hdr; +} IP6Hdr; /* IPv6 address */ #ifndef s6_addr @@ -1096,12 +1174,42 @@ } ICMP6Hdr; +typedef struct _ICMP6TooBig +{ + uint8_t type; + uint8_t code; + uint16_t csum; + uint32_t mtu; +} ICMP6TooBig; + +typedef struct _ICMP6RouterAdvertisement +{ + uint8_t type; + uint8_t code; + uint16_t csum; + uint8_t num_addrs; + uint8_t addr_entry_size; + uint16_t lifetime; + uint32_t reachable_time; + uint32_t retrans_time; +} ICMP6RouterAdvertisement; + +typedef struct _ICMP6RouterSolicitation +{ + uint8_t type; + uint8_t code; + uint16_t csum; + uint32_t reserved; +} ICMP6RouterSolicitation; + #define ICMP6_UNREACH 1 #define ICMP6_BIG 2 #define ICMP6_TIME 3 #define ICMP6_PARAMS 4 #define ICMP6_ECHO 128 #define ICMP6_REPLY 129 +#define ICMP6_SOLICITATION 133 +#define ICMP6_ADVERTISEMENT 134 /* Minus 1 due to the 'body' field */ #define ICMP6_MIN_HEADER_LEN (sizeof(ICMP6Hdr) ) 
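Review bot: The field names of `ICMP6RouterAdvertisement` in the `@@ -1096,12 +1174,42 @@` hunk (`num_addrs`, `addr_entry_size`, `lifetime`) mirror the ICMPv4 router-advertisement layout, whereas in an ICMPv6 Router Advertisement (RFC 4861) the two octets after the checksum are Cur Hop Limit and the M/O flags byte, followed by Router Lifetime. The byte offsets and `sizeof` still line up, so overlaying the struct is not wrong, but the names will mislead the next reader; either rename the fields or add `/* octets per RFC 4861: cur_hop_limit, flags (M/O), router_lifetime, reachable_time, retrans_timer */`. As with every overlay struct in this header, the decoder must confirm the remaining length is at least `sizeof` the struct before touching any field past the common 4-byte ICMP6 header; that check is outside this hunk.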
@@ -1109,73 +1217,73 @@ struct _Packet; /* IPHeader access calls */ -sfip_t * ip4_ret_src(struct _Packet *); -sfip_t * ip4_ret_dst(struct _Packet *); -uint16_t ip4_ret_tos(struct _Packet *); -uint8_t ip4_ret_ttl(struct _Packet *); -uint16_t ip4_ret_len(struct _Packet *); -uint32_t ip4_ret_id(struct _Packet *); -uint8_t ip4_ret_proto(struct _Packet *); -uint16_t ip4_ret_off(struct _Packet *); -uint8_t ip4_ret_ver(struct _Packet *); -uint8_t ip4_ret_hlen(struct _Packet *); - -sfip_t * orig_ip4_ret_src(struct _Packet *); -sfip_t * orig_ip4_ret_dst(struct _Packet *); -uint16_t orig_ip4_ret_tos(struct _Packet *); -uint8_t orig_ip4_ret_ttl(struct _Packet *); -uint16_t orig_ip4_ret_len(struct _Packet *); -uint32_t orig_ip4_ret_id(struct _Packet *); -uint8_t orig_ip4_ret_proto(struct _Packet *); -uint16_t orig_ip4_ret_off(struct _Packet *); -uint8_t orig_ip4_ret_ver(struct _Packet *); -uint8_t orig_ip4_ret_hlen(struct _Packet *); - -sfip_t * ip6_ret_src(struct _Packet *); -sfip_t * ip6_ret_dst(struct _Packet *); -uint16_t ip6_ret_toc(struct _Packet *); -uint8_t ip6_ret_hops(struct _Packet *); -uint16_t ip6_ret_len(struct _Packet *); -uint32_t ip6_ret_id(struct _Packet *); -uint8_t ip6_ret_next(struct _Packet *); -uint16_t ip6_ret_off(struct _Packet *); -uint8_t ip6_ret_ver(struct _Packet *); -uint8_t ip6_ret_hlen(struct _Packet *); - -sfip_t * orig_ip6_ret_src(struct _Packet *); -sfip_t * orig_ip6_ret_dst(struct _Packet *); -uint16_t orig_ip6_ret_toc(struct _Packet *); -uint8_t orig_ip6_ret_hops(struct _Packet *); -uint16_t orig_ip6_ret_len(struct _Packet *); -uint32_t orig_ip6_ret_id(struct _Packet *); -uint8_t orig_ip6_ret_next(struct _Packet *); -uint16_t orig_ip6_ret_off(struct _Packet *); -uint8_t orig_ip6_ret_ver(struct _Packet *); -uint8_t orig_ip6_ret_hlen(struct _Packet *); - -typedef struct _IPH_API -{ - sfip_t * (*iph_ret_src)(struct _Packet *); - sfip_t * (*iph_ret_dst)(struct _Packet *); - uint16_t (*iph_ret_tos)(struct _Packet *); - uint8_t 
(*iph_ret_ttl)(struct _Packet *); - uint16_t (*iph_ret_len)(struct _Packet *); - uint32_t (*iph_ret_id)(struct _Packet *); - uint8_t (*iph_ret_proto)(struct _Packet *); - uint16_t (*iph_ret_off)(struct _Packet *); - uint8_t (*iph_ret_ver)(struct _Packet *); - uint8_t (*iph_ret_hlen)(struct _Packet *); - - sfip_t * (*orig_iph_ret_src)(struct _Packet *); - sfip_t * (*orig_iph_ret_dst)(struct _Packet *); - uint16_t (*orig_iph_ret_tos)(struct _Packet *); - uint8_t (*orig_iph_ret_ttl)(struct _Packet *); - uint16_t (*orig_iph_ret_len)(struct _Packet *); - uint32_t (*orig_iph_ret_id)(struct _Packet *); - uint8_t (*orig_iph_ret_proto)(struct _Packet *); - uint16_t (*orig_iph_ret_off)(struct _Packet *); - uint8_t (*orig_iph_ret_ver)(struct _Packet *); - uint8_t (*orig_iph_ret_hlen)(struct _Packet *); +sfip_t * ip4_ret_src(const struct _Packet *); +sfip_t * ip4_ret_dst(const struct _Packet *); +uint16_t ip4_ret_tos(const struct _Packet *); +uint8_t ip4_ret_ttl(const struct _Packet *); +uint16_t ip4_ret_len(const struct _Packet *); +uint32_t ip4_ret_id(const struct _Packet *); +uint8_t ip4_ret_proto(const struct _Packet *); +uint16_t ip4_ret_off(const struct _Packet *); +uint8_t ip4_ret_ver(const struct _Packet *); +uint8_t ip4_ret_hlen(const struct _Packet *); + +sfip_t * orig_ip4_ret_src(const struct _Packet *); +sfip_t * orig_ip4_ret_dst(const struct _Packet *); +uint16_t orig_ip4_ret_tos(const struct _Packet *); +uint8_t orig_ip4_ret_ttl(const struct _Packet *); +uint16_t orig_ip4_ret_len(const struct _Packet *); +uint32_t orig_ip4_ret_id(const struct _Packet *); +uint8_t orig_ip4_ret_proto(const struct _Packet *); +uint16_t orig_ip4_ret_off(const struct _Packet *); +uint8_t orig_ip4_ret_ver(const struct _Packet *); +uint8_t orig_ip4_ret_hlen(const struct _Packet *); + +sfip_t * ip6_ret_src(const struct _Packet *); +sfip_t * ip6_ret_dst(const struct _Packet *); +uint16_t ip6_ret_toc(const struct _Packet *); +uint8_t ip6_ret_hops(const struct _Packet *); +uint16_t 
ip6_ret_len(const struct _Packet *); +uint32_t ip6_ret_id(const struct _Packet *); +uint8_t ip6_ret_next(const struct _Packet *); +uint16_t ip6_ret_off(const struct _Packet *); +uint8_t ip6_ret_ver(const struct _Packet *); +uint8_t ip6_ret_hlen(const struct _Packet *); + +sfip_t * orig_ip6_ret_src(const struct _Packet *); +sfip_t * orig_ip6_ret_dst(const struct _Packet *); +uint16_t orig_ip6_ret_toc(const struct _Packet *); +uint8_t orig_ip6_ret_hops(const struct _Packet *); +uint16_t orig_ip6_ret_len(const struct _Packet *); +uint32_t orig_ip6_ret_id(const struct _Packet *); +uint8_t orig_ip6_ret_next(const struct _Packet *); +uint16_t orig_ip6_ret_off(const struct _Packet *); +uint8_t orig_ip6_ret_ver(const struct _Packet *); +uint8_t orig_ip6_ret_hlen(const struct _Packet *); + +typedef struct _IPH_API +{ + sfip_t * (*iph_ret_src)(const struct _Packet *); + sfip_t * (*iph_ret_dst)(const struct _Packet *); + uint16_t (*iph_ret_tos)(const struct _Packet *); + uint8_t (*iph_ret_ttl)(const struct _Packet *); + uint16_t (*iph_ret_len)(const struct _Packet *); + uint32_t (*iph_ret_id)(const struct _Packet *); + uint8_t (*iph_ret_proto)(const struct _Packet *); + uint16_t (*iph_ret_off)(const struct _Packet *); + uint8_t (*iph_ret_ver)(const struct _Packet *); + uint8_t (*iph_ret_hlen)(const struct _Packet *); + + sfip_t * (*orig_iph_ret_src)(const struct _Packet *); + sfip_t * (*orig_iph_ret_dst)(const struct _Packet *); + uint16_t (*orig_iph_ret_tos)(const struct _Packet *); + uint8_t (*orig_iph_ret_ttl)(const struct _Packet *); + uint16_t (*orig_iph_ret_len)(const struct _Packet *); + uint32_t (*orig_iph_ret_id)(const struct _Packet *); + uint8_t (*orig_iph_ret_proto)(const struct _Packet *); + uint16_t (*orig_iph_ret_off)(const struct _Packet *); + uint8_t (*orig_iph_ret_ver)(const struct _Packet *); + uint8_t (*orig_iph_ret_hlen)(const struct _Packet *); char ver; } IPH_API; 
@@ -1186,7 +1294,7 @@ #define IPH_API_V4 4 #define IPH_API_V6 6 -#define iph_is_valid(p) (p->family != NO_IP) +#define iph_is_valid(p) ((p)->family != NO_IP) #define NO_IP 0 #endif @@ -1196,13 +1304,13 @@ #endif -/* Can't add any fields not in the real header here +/* Can't add any fields not in the real header here because of how the decoder uses structure overlaying */ #ifdef _MSC_VER - /* Visual C++ pragma to disable warning - * messages about nonstandard bit field type + /* Visual C++ pragma to disable warning + * messages about nonstandard bit field type */ - #pragma warning( disable : 4214 ) + #pragma warning( disable : 4214 ) #endif #ifndef IPPROTO_IPIP @@ -1277,8 +1385,8 @@ } TCPHdr; #ifdef _MSC_VER - /* Visual C++ pragma to enable warning messages - * about nonstandard bit field type + /* Visual C++ pragma to enable warning messages + * about nonstandard bit field type */ #pragma warning( default : 4214 ) #endif @@ -1301,7 +1409,12 @@ uint16_t csum; union { - uint8_t pptr; + struct + { + uint8_t pptr; + uint8_t pres1; + uint16_t pres2; + } param; struct in_addr gwaddr; @@ -1311,15 +1424,15 @@ uint16_t seq; } idseq; - int sih_void; + uint32_t sih_void; - struct pmtu + struct pmtu { uint16_t ipm_void; uint16_t nextmtu; } pmtu; - struct rtradv + struct rtradv { uint8_t num_addrs; uint8_t wpa; @@ -1327,7 +1440,7 @@ } rtradv; } icmp_hun; -#define s_icmp_pptr icmp_hun.pptr +#define s_icmp_pptr icmp_hun.param.pptr #define s_icmp_gwaddr icmp_hun.gwaddr #define s_icmp_id icmp_hun.idseq.id #define s_icmp_seq icmp_hun.idseq.seq @@ -1338,24 +1451,24 @@ #define s_icmp_wpa icmp_hun.rtradv.wpa #define s_icmp_lifetime icmp_hun.rtradv.lifetime - union + union { /* timestamp */ - struct ts + struct ts { uint32_t otime; uint32_t rtime; uint32_t ttime; } ts; - + /* IP header for unreach */ - struct ih_ip + struct ih_ip { IPHdr *ip; /* options and then 64 bits of data */ } ip; - - struct ra_addr + + struct ra_addr { uint32_t addr; uint32_t preference; 
@@ -1434,7 +1547,6 @@ /* PPPoEHdr Header; EtherHdr plus the PPPoE Header */ typedef struct _PPPoEHdr { - EtherHdr ethhdr; /* ethernet header */ unsigned char ver_type; /* pppoe version/type */ unsigned char code; /* pppoe code CODE_* */ unsigned short session; /* session id */ @@ -1450,31 +1562,9 @@ /* payload follows */ } PPPoE_Tag; -#define DECODE_BLEN 65535 - -/* Max Number of HTTP/1.1 requests in a single segment */ -#define URI_COUNT 5 - -#define HTTPURI_PIPELINE_REQ 0x01 - -#define HTTP_BUFFER_URI 0 -#define HTTP_BUFFER_HEADER 1 -#define HTTP_BUFFER_CLIENT_BODY 2 -#define HTTP_BUFFER_METHOD 3 -#define HTTP_BUFFER_COOKIE 4 - #define MPLS_HEADER_LEN 4 #define NUM_RESERVED_LABELS 16 -typedef struct _HttpUri -{ - const uint8_t *uri; /* static buffer for uri length */ - uint16_t length; - uint32_t decode_flags; -} HttpUri; - -struct IPH_API; - typedef struct _MplsHdr { uint32_t label; 
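Review bot: Dropping `EtherHdr ethhdr` from `PPPoEHdr` in the `@@ -1434,7 +1547,6 @@` hunk shrinks `sizeof(PPPoEHdr)` by `sizeof(EtherHdr)`, so any length check or pointer offset in the PPPoE decoder that used `sizeof(PPPoEHdr)` or assumed the Ethernet header was embedded now computes different values; that code is not in this diff, so please confirm it was adjusted in step. A comment on the struct would keep the old assumption from creeping back: `/* overlays the PPPoE header only; the preceding EtherHdr is not part of this struct */`. The struct definition continues past the end of the hunk.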
@@ -1483,16 +1573,71 @@ uint8_t ttl; } MplsHdr; +#define PGM_NAK_ERR -1 +#define PGM_NAK_OK 0 +#define PGM_NAK_VULN 1 + +typedef struct _PGM_NAK_OPT +{ + uint8_t type; /* 02 = vuln */ + uint8_t len; + uint8_t res[2]; + uint32_t seq[1]; /* could be many many more, but 1 is sufficient */ +} PGM_NAK_OPT; + +typedef struct _PGM_NAK +{ + uint32_t seqnum; + uint16_t afil1; + uint16_t res1; + uint32_t src; + uint16_t afi2; + uint16_t res2; + uint32_t multi; + PGM_NAK_OPT opt; +} PGM_NAK; + +typedef struct _PGM_HEADER +{ + uint16_t srcport; + uint16_t dstport; + uint8_t type; + uint8_t opt; + uint16_t checksum; + uint8_t gsd[6]; + uint16_t length; + PGM_NAK nak; +} PGM_HEADER; + +/* GTP basic Header */ +typedef struct _GTPHdr +{ + uint8_t flag; /* flag: version (bit 6-8), PT (5), E (3), S (2), PN (1) */ + uint8_t type; /* message type */ + uint16_t length; /* length */ + +} GTPHdr; + +#define LAYER_MAX 32 + +// REMEMBER match any changes you make here in: +// dynamic-plugins/sf_engine/sf_snort_packet.h typedef struct _Packet { - const struct pcap_pkthdr *pkth; /* BPF data */ - const uint8_t *pkt; /* base pointer to the raw packet data */ + const DAQ_PktHdr_t *pkth; // packet meta data + const uint8_t *pkt; // raw packet data + + //vvv------------------------------------------------ + // TODO convenience stuff to be refactored for layers + //^^^------------------------------------------------ + //vvv----------------------------- EtherARP *ah; const EtherHdr *eh; /* standard TCP/IP/Ethernet/ARP headers */ const VlanTagHdr *vh; EthLlc *ehllc; EthLlcOther *ehllcother; + const PPPoEHdr *pppoeh; /* Encapsulated PPP of Ether header */ const GREHdr *greh; uint32_t *mpls; 
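Review bot: `PGM_NAK_OPT` in the `@@ -1483,16 +1573,71 @@` hunk declares `seq[1]` while the comment says there "could be many many more"; because the struct is overlaid on packet bytes, nothing in the type bounds a walk past `seq[0]`, and the option's `len` byte comes straight from the wire, so the decoder must clamp it to the bytes remaining in the packet before it sizes any loop over `seq`. That check lives in the PGM decoder outside this hunk, so state the contract on the struct: `/* overlay only: len is untrusted and must be clamped to the remaining packet length before reading past seq[0] */`. The `Packet` struct that begins at the end of this hunk continues outside it.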
@@ -1501,6 +1646,8 @@ const IPHdr *outer_iph; /* if IP-in-IP, this will be the outer IP header */ const TCPHdr *tcph, *orig_tcph; const UDPHdr *udph, *orig_udph; + const UDPHdr *inner_udph; /* if Teredo + UDP, this will be the inner UDP header */ + const UDPHdr *outer_udph; /* if Teredo + UDP, this will be the outer UDP header */ const ICMPHdr *icmph, *orig_icmph; const uint8_t *data; /* packet payload pointer */ @@ -1509,12 +1656,15 @@ const uint8_t *ip_frag_start; const uint8_t *ip_options_data; const uint8_t *tcp_options_data; + //^^^----------------------------- void *ssnptr; /* for tcp session tracking info... */ void *fragtracker; /* for ip fragmentation tracking info... */ void *flow; /* for flow info */ void *streamptr; /* for tcp pkt dump */ - + void *policyEngineData; + + //vvv----------------------------- IP4Hdr *ip4h, *orig_ip4h; /* SUP_IP6 members */ IP6Hdr *ip6h, *orig_ip6h; ICMP6Hdr *icmp6h, *orig_icmp6h; 
@@ -1537,32 +1687,37 @@ int bytes_to_inspect; /* Number of bytes to check against rules */ /* this is not set - always 0 (inspect all) */ - uint32_t preprocessor_bits; /* flags for preprocessors to check */ - uint32_t preproc_reassembly_pkt_bits; - /* int ip_payload_len; */ /* Replacement for IP_LEN(p->iph->ip_len) << 2 */ /* int ip_payload_off; */ /* IP_LEN(p->iph->ip_len) << 2 + p->data */ + //^^^----------------------------- + + uint32_t preprocessor_bits; /* flags for preprocessors to check */ + uint32_t preproc_reassembly_pkt_bits; - uint32_t caplen; uint32_t http_pipeline_count; /* Counter for HTTP pipelined requests */ uint32_t packet_flags; /* special flags for the packet */ - uint32_t proto_bits; + uint16_t proto_bits; + //vvv----------------------------- uint16_t dsize; /* packet payload size */ uint16_t ip_dsize; /* IP payload size */ uint16_t alt_dsize; /* the dsize of a packet before munging (used for log)*/ uint16_t actual_ip_len; /* for logging truncated pkts (usually by small snaplen)*/ uint16_t outer_ip_dsize; /* Outer IP payload size */ + //^^^----------------------------- uint16_t frag_offset; /* fragment offset number */ uint16_t ip_frag_len; uint16_t ip_options_len; uint16_t tcp_options_len; + //vvv----------------------------- uint16_t sp; /* source port (TCP/UDP) */ uint16_t dp; /* dest port (TCP/UDP) */ uint16_t orig_sp; /* source port (TCP/UDP) of original datagram */ uint16_t orig_dp; /* dest port (TCP/UDP) of original datagram */ + //^^^----------------------------- + // and so on ... int16_t application_protocol_ordinal; @@ -1572,8 +1727,9 @@ uint8_t rf; /* IP reserved bit */ uint8_t uri_count; /* number of URIs in this packet */ - uint8_t csum_flags; /* checksum flags */ + uint8_t error_flags; /* flags indicate checksum errors, bad TTLs, etc. */ uint8_t encapsulated; + uint8_t GTPencapsulated; uint8_t ip_option_count; /* number of options in this packet */ uint8_t tcp_option_count; 
@@ -1585,11 +1741,16 @@ uint8_t tcp_lastopt_bad; /* flag to indicate that option decoding was halted due to a bad option */ + uint8_t next_layer; /* index into layers for next encap */ + + uint32_t xtradata_mask; + uint32_t per_packet_xtradata; + #ifndef NO_NON_ETHER_DECODER const Fddi_hdr *fddihdr; /* FDDI support headers */ Fddi_llc_saps *fddisaps; Fddi_llc_sna *fddisna; - Fddi_llc_iparp *fddiiparp; + Fddi_llc_iparp *fddiiparp; Fddi_llc_other *fddiother; const Trh_hdr *trh; /* Token Ring support headers */ @@ -1600,10 +1761,12 @@ Pflog2Hdr *pf2h; /* OpenBSD pflog interface header - version 2 */ Pflog3Hdr *pf3h; /* OpenBSD pflog interface header - version 3 */ +#ifdef DLT_LINUX_SLL const SLLHdr *sllh; /* Linux cooked sockets header */ +#endif +#ifdef DLT_IEEE802_11 const WifiHdr *wifih; /* wireless LAN header */ - const PPPoEHdr *pppoeh; /* Encapsulated PPP of Ether header */ - +#endif const EtherEapol *eplh; /* 802.1x EAPOL header */ const EAPHdr *eaph; const uint8_t *eaptype; @@ -1615,7 +1778,13 @@ Options tcp_options[TCP_OPTLENMAX]; /* tcp options decode struct */ IP6Option ip6_extensions[IP6_EXTMAX]; /* IPv6 Extension References */ - /**policyId provided in configuration file. Used for correlating configuration + const IP6RawHdr* raw_ip6h; // innermost raw ip6 header + Layer layers[LAYER_MAX]; /* decoded encapsulations */ + + PseudoPacketType pseudo_type; // valid only when PKT_PSEUDO is set + uint16_t max_dsize; + + /**policyId provided in configuration file. Used for correlating configuration * with event output */ uint16_t configPolicyId; 
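Review bot: `uint8_t next_layer` added in the `@@ -1585,11 +1741,16 @@` hunk is described as the index into `layers`, and `Layer layers[LAYER_MAX]` added in the `@@ -1615,7 +1778,13 @@` hunk has only 32 slots, so every decoder that records an encapsulation must check `next_layer < LAYER_MAX` before writing, or a sufficiently nested encapsulation chain writes past the array into `pseudo_type` and the fields after it. The writers are outside this header, so the invariant belongs on the field: `uint8_t next_layer; /* index of next free entry in layers[]; writers must check < LAYER_MAX */`. The `Packet` struct is cut at both ends of these hunks.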
@@ -1624,28 +1793,40 @@ #define PKT_ZERO_LEN offsetof(Packet, ip_options) -#define PROTO_BIT__NONE 0x00000000 -#define PROTO_BIT__IP 0x00000001 -#define PROTO_BIT__ARP 0x00000002 -#define PROTO_BIT__TCP 0x00000004 -#define PROTO_BIT__UDP 0x00000008 -#define PROTO_BIT__ICMP 0x00000010 -#define PROTO_BIT__ALL 0xffffffff +#define PROTO_BIT__NONE 0x0000 +#define PROTO_BIT__IP 0x0001 +#define PROTO_BIT__ARP 0x0002 +#define PROTO_BIT__TCP 0x0004 +#define PROTO_BIT__UDP 0x0008 +#define PROTO_BIT__ICMP 0x0010 +#define PROTO_BIT__TEREDO 0x0020 +#define PROTO_BIT__GTP 0x0040 +#define PROTO_BIT__ALL 0xffff #define IsIP(p) (IPH_IS_VALID(p)) #define IsTCP(p) (IsIP(p) && (GET_IPH_PROTO(p) == IPPROTO_TCP)) #define IsUDP(p) (IsIP(p) && (GET_IPH_PROTO(p) == IPPROTO_UDP)) #define IsICMP(p) (IsIP(p) && (GET_IPH_PROTO(p) == IPPROTO_ICMP)) +#define GET_PKT_SEQ(p) (ntohl(p->tcph->th_seq)) + +/* Macros to deal with sequence numbers - p810 TCP Illustrated vol 2 */ +#define SEQ_LT(a,b) ((int)((a) - (b)) < 0) +#define SEQ_LEQ(a,b) ((int)((a) - (b)) <= 0) +#define SEQ_GT(a,b) ((int)((a) - (b)) > 0) +#define SEQ_GEQ(a,b) ((int)((a) - (b)) >= 0) +#define SEQ_EQ(a,b) ((int)((a) - (b)) == 0) -#ifdef SUP_IP6 -/* Sets the callbacks to point at the family selected by +#define BIT(i) (0x1 << (i-1)) + +#ifdef SUP_IP6 +/* Sets the callbacks to point at the family selected by * * "family". "family" is either AF_INET or AF_INET6 */ #define CALLBACK_IP 0 #define CALLBACK_ICMP_ORIG 1 -static INLINE void set_callbacks(struct _Packet *p, int family, char orig) +static inline void set_callbacks(struct _Packet *p, int family, char orig) { - if (p == NULL) + if (p == NULL) { ErrorMessage("%s(%d) Can't set iph api callback: Packet is NULL.\n", __FILE__, __LINE__); 
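Review bot: `BIT(i)` in the `@@ -1624,28 +1793,40 @@` hunk is `(0x1 << (i-1))` with an unparenthesized argument, and it has no defined result for `i == 0` (negative shift) or `i > 32` (shift by at least the width of `int`); `1 << 31` also overflows a signed `int`. Define it on an unsigned operand with the argument parenthesized, `#define BIT(i) (1u << ((i) - 1))`, and keep the range check at the call site, since the masks it feeds are 32-bit. `GET_PKT_SEQ(p)` in the same hunk lacks the parentheses around `p` that `iph_is_valid` was just fixed for: `#define GET_PKT_SEQ(p) (ntohl((p)->tcph->th_seq))`.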
@@ -1679,18 +1860,17 @@ } #endif - typedef struct s_pseudoheader { - uint32_t sip, dip; - uint8_t zero; - uint8_t protocol; - uint16_t len; + uint32_t sip, dip; + uint8_t zero; + uint8_t protocol; + uint16_t len; } PSEUDO_HDR; /* Default classification for decoder alerts */ -#define DECODE_CLASS 25 +#define DECODE_CLASS 25 typedef struct _DecoderFlags { @@ -1712,7 +1892,7 @@ /* To be moved to the frag preprocessor once it supports IPv6 */ char ipv6_bad_frag_pkt; char bsd_icmp_frag; - char drop_bad_ipv6_frag; + char drop_bad_ipv6_frag; } DecoderFlags; 
@@ -1720,50 +1900,62 @@ /* P R O T O T Y P E S ******************************************************/ + +// root decoders +void DecodeEthPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *); +void DecodeNullPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *); +void DecodeRawPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *); +void DecodeRawPkt6(Packet *, const DAQ_PktHdr_t*, const uint8_t *); + +// chained decoders void DecodeARP(const uint8_t *, uint32_t, Packet *); -void DecodeEthPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *); void DecodeEthLoopback(const uint8_t *, uint32_t, Packet *); void DecodeVlan(const uint8_t *, const uint32_t, Packet *); -void DecodePppPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *); -void DecodePppPktEncapsulated(Packet *, const uint32_t, const uint8_t *); -void DecodeNullPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *); -void DecodeRawPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *); +void DecodePppPktEncapsulated(const uint8_t *, const uint32_t, Packet *); +void DecodePPPoEPkt(const uint8_t *, const uint32_t, Packet *); void DecodeIP(const uint8_t *, const uint32_t, Packet *); void DecodeIPV6(const uint8_t *, uint32_t, Packet *); void DecodeTCP(const uint8_t *, const uint32_t, Packet *); void DecodeUDP(const uint8_t *, const uint32_t, Packet *); void DecodeICMP(const uint8_t *, const uint32_t, Packet *); +void DecodeICMP6(const uint8_t *, const uint32_t, Packet *); void DecodeICMPEmbeddedIP(const uint8_t *, const uint32_t, Packet *); +void DecodeICMPEmbeddedIP6(const uint8_t *, const uint32_t, Packet *); void DecodeIPOptions(const uint8_t *, uint32_t, Packet *); void DecodeTCPOptions(const uint8_t *, uint32_t, Packet *); -void DecodeIPOptions(const uint8_t *, uint32_t, Packet *); -void DecodePPPoEPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *); +void DecodeTeredo(const uint8_t *, uint32_t, Packet *); +void DecodeESP(const uint8_t *, uint32_t, Packet *); +void DecodeGTP(const 
uint8_t *, uint32_t, Packet *); + #ifdef GRE void DecodeGRE(const uint8_t *, const uint32_t, Packet *); void DecodeTransBridging(const uint8_t *, const uint32_t, Packet *); -void DecoderAlertGRE(Packet *, int, const char *, const uint8_t *, uint32_t); #endif /* GRE */ -#ifdef GIDS -#ifndef IPFW -void DecodeIptablesPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *); -#else -void DecodeIpfwPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *); -#endif /* IPFW */ -#endif /* GIDS */ +void DecoderAlertEncapsulated(Packet *, int, const char *, const uint8_t *, uint32_t); + +#ifdef MPLS +int isPrivateIP(uint32_t addr); +void DecodeEthOverMPLS(const uint8_t*, const uint32_t, Packet*); +void DecodeMPLS(const uint8_t*, const uint32_t, Packet*); +#endif #ifndef NO_NON_ETHER_DECODER -void DecodeTRPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *); -void DecodeFDDIPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *); -void DecodeLinuxSLLPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *); -void DecodeIEEE80211Pkt(Packet *, const struct pcap_pkthdr *, const uint8_t *); -void DecodeSlipPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *); -void DecodeI4LRawIPPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *); -void DecodeI4LCiscoIPPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *); -void DecodeChdlcPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *); -void DecodePflog(Packet *, const struct pcap_pkthdr *, const uint8_t *); -void DecodeOldPflog(Packet *, const struct pcap_pkthdr *, const uint8_t *); -void DecodePppSerialPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *); -void DecodeEncPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *); +// root decoders +void DecodeTRPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *); +void DecodeFDDIPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *); +void DecodeLinuxSLLPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *); +void DecodeIEEE80211Pkt(Packet *, const 
DAQ_PktHdr_t*, const uint8_t *); +void DecodeSlipPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *); +void DecodeI4LRawIPPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *); +void DecodeI4LCiscoIPPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *); +void DecodeChdlcPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *); +void DecodePflog(Packet *, const DAQ_PktHdr_t*, const uint8_t *); +void DecodeOldPflog(Packet *, const DAQ_PktHdr_t*, const uint8_t *); +void DecodePppPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *); +void DecodePppSerialPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *); +void DecodeEncPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *); + +// chained decoders void DecodeEAP(const uint8_t *, const uint32_t, Packet *); void DecodeEapol(const uint8_t *, uint32_t, Packet *); void DecodeEapolKey(const uint8_t *, uint32_t, Packet *); @@ -1778,6 +1970,11 @@ uint32_t EXTRACT_32BITS (u_char *); #endif /* WORDS_MUSTALIGN && !__GNUC__ */ +extern void UpdateDecodeRulesArray(uint32_t sid, int bOn, int bAll); + +/*Decode functions that need to be called once the policies are set */ +extern void DecodePolicySpecific(Packet *); + /* XXX not sure where this guy needs to live at the moment */ typedef struct _PortList { 
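Review bot: `DecodePppPktEncapsulated` and `DecodePPPoEPkt` in the `@@ -1720,50 +1900,62 @@` hunk switch from the root-decoder argument order (`Packet *`, header, `const uint8_t *`) to the chained order (`const uint8_t *`, length, `Packet *`), and because C only warns on incompatible pointer types, a stale call site still passing `(p, len, pkt)` compiles and then treats raw packet bytes as a `Packet`. The call sites are not in this diff, so build with `-Werror=incompatible-pointer-types` or audit them to confirm every caller was updated. A style point in the same hunk: the length parameter is `const uint32_t` for most chained decoders but plain `uint32_t` for `DecodeTeredo`, `DecodeESP` and `DecodeGTP`; `const` on a by-value parameter means nothing in a prototype and should be dropped or applied uniformly.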
@@ -1787,15 +1984,42 @@ } PortList; -#ifdef MPLS -int isPrivateIP(uint32_t addr); -void DecodeEthOverMPLS(Packet * p, const struct pcap_pkthdr * pkthdr, const uint8_t * pkt); -void DecodeMPLS(const uint8_t * pkt, struct pcap_pkthdr * pkthdr, Packet * p); -#endif - void InitSynToMulticastDstIp( void ); void SynToMulticastDstIpDestroy( void ); #define SFTARGET_UNKNOWN_PROTOCOL -1 -#endif /* __DECODE_H__ */ +static inline int PacketWasCooked(Packet* p) +{ + return ( p->packet_flags & PKT_PSEUDO ) != 0; +} + +#ifdef ENABLE_PAF +static inline bool PacketHasFullPDU (const Packet* p) +{ + return ( (p->packet_flags & PKT_PDU_FULL) == PKT_PDU_FULL ); +} + +static inline bool PacketHasStartOfPDU (const Packet* p) +{ + return ( (p->packet_flags & PKT_PDU_HEAD) != 0 ); +} + +static inline bool PacketHasPAFPayload (const Packet* p) +{ + return ( (p->packet_flags & PKT_REBUILT_STREAM) || PacketHasFullPDU(p) ); +} +#endif + +static inline void SetLogFuncs(Packet *p, uint32_t id, uint8_t per_packet) +{ + if(!id) + return; + if(per_packet) + p->per_packet_xtradata |= BIT(id); + else + p->xtradata_mask |= BIT(id); +} + +#endif /* __DECODE_H__ */ + diff -Nru snort-2.8.5.2/src/detect.c snort-2.9.2/src/detect.c --- snort-2.8.5.2/src/detect.c 2009-07-07 15:37:00.000000000 +0000 +++ snort-2.9.2/src/detect.c 2011-11-21 20:15:24.000000000 +0000 @@ -1,7 +1,7 @@ /* $Id$ */ /* ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Dan Roelker <droelker@sourcefire.com> ** Marc Norton <mnorton@sourcefire.com> ** @@ -39,7 +39,7 @@ #include "snort.h" #include "detect.h" #include "plugbase.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "mstring.h" #include "tag.h" 
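Review bot: `SetLogFuncs` in the `@@ -1787,15 +1984,42 @@` hunk rejects `id == 0` but not `id > 32`, and `BIT(id)` shifts by `id - 1`, so an id of 33 or more shifts by at least the width of the 32-bit `xtradata_mask`/`per_packet_xtradata` — undefined behavior in C and, in practice, a silently wrong bit. Guard both ends: `if (!id || id > 32) return;` (or an `assert`, if ids are only ever registered at startup). Also `PacketWasCooked` takes `Packet*` while the three PAF helpers next to it take `const Packet*`; it only reads `packet_flags`, so it should be `static inline int PacketWasCooked(const Packet* p)`.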
@@ -49,25 +49,25 @@ #include "sfthreshold.h" #include "event_wrapper.h" #include "event_queue.h" +#include "obfuscation.h" +#include "profiler.h" #include "stream_api.h" -#include "inline.h" +#include "active.h" #include "signature.h" #include "ipv6_port.h" #include "ppm.h" #include "sf_types.h" -#include "sp_replace.h" +#include "active.h" +#include "detection_util.h" #ifdef PORTLISTS #include "sfutil/sfportobject.h" #endif - -#include "profiler.h" #ifdef PERF_PROFILING PreprocStats detectPerfStats; #endif extern int preproc_proto_mask; -extern SnortConfig *snort_conf; extern OutputFuncNode *AlertList; extern OutputFuncNode *LogList; @@ -80,13 +80,10 @@ OptTreeNode *otn_tmp = NULL; /* OptTreeNode temp ptr */ -/* The HTTP decode structre */ -extern HttpUri UriBufs[URI_COUNT]; - int do_detect; int do_detect_content; uint16_t event_id; -char check_tags_flag; +static char check_tags_flag; static int CheckTagging(Packet *); 
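Review bot: `#include "active.h"` is added twice in the `@@ -49,25 +49,25 @@` hunk, once in place of `inline.h` and again in place of `sp_replace.h`; the second copy is redundant and should be dropped. The same hunk deletes `extern SnortConfig *snort_conf;` while `snort_conf` is still used later in this file, so the declaration must now come from one of the included headers — worth confirming rather than relying on a transitive include.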
@@ -125,48 +122,121 @@ } } #endif - - /* - * If the packet has an invalid checksum marked, throw that - * traffic away as no end host should accept it. - * - * This can be disabled by config checksum_mode: none - */ - if(!p->csum_flags) + + // If the packet has errors, we won't analyze it. + if ( p->error_flags ) + { + DEBUG_WRAP(DebugMessage(DEBUG_DETECT, + "Packet errors = 0x%x, ignoring traffic!\n", p->error_flags);); + + if ( p->error_flags & PKT_ERR_BAD_TTL ) + pc.bad_ttl++; + else + pc.invalid_checksums++; + } + else { + tSfPolicyId new_policy_id; + PreprocEvalFuncNode *new_idx; + PreprocEvalFuncNode *idx = policy->preproc_eval_funcs; + + /* Not a completely ideal place for this since any entries added on the + * PacketCallback -> ProcessPacket -> Preprocess trail will get + * obliterated - right now there isn't anything adding entries there. + * Really need it here for stream5 clean exit, since all of the + * flushed, reassembled packets are going to be injected directly into + * this function and there may be enough that the obfuscation entry + * table will overflow if we don't reset it. Putting it here does + * have the advantage of fewer entries per logging cycle */ + obApi->resetObfuscationEntries(); + do_detect = do_detect_content = 1; /* ** Reset the appropriate application-layer protocol fields */ p->uri_count = 0; - UriBufs[0].decode_flags = 0; - - /* Most preprocessor protocols are over TCP and 90+ percent of traffic in most - * environments is TCP so this check almost always passes. Initial performance - * tests indicate this check hinders performance slightly, but keep it here - * commented in case initial performance tests are wrong. 
Its main purpose is - * to filter out traffic that no preprocessors are going to look at thus - * avoiding iterating through each preprocessor */ - //if (p->proto_bits & preproc_proto_mask) - { - PreprocEvalFuncNode *idx = policy->preproc_eval_funcs; + p->alt_dsize = 0; + DetectReset((uint8_t *)p->data, p->dsize); - /* Turn on all preprocessors */ - EnablePreprocessors(p); + /* Turn on all preprocessors */ + EnablePreprocessors(p); - for (; (idx != NULL) && !(p->packet_flags & PKT_PASS_RULE); idx = idx->next) + if ( p->dsize ) + { + while ((idx != NULL) && !(p->packet_flags & PKT_PASS_RULE)) + { + if ( ((p->proto_bits & idx->proto_mask) || (idx->proto_mask == PROTO_BIT__ALL) ) && + IsPreprocBitSet(p, idx->preproc_bit)) + { + idx->func(p, idx->context); + new_policy_id = getRuntimePolicy(); + if (new_policy_id != policy_id) + { + policy_id = new_policy_id; + policy = snort_conf->targeted_policies[policy_id]; + if (!policy) + break; + for (new_idx = policy->preproc_eval_funcs; new_idx; new_idx = new_idx->next) + { + if (new_idx->func == idx->func) + { + new_idx = new_idx->next; + break; + } + else if ((idx->next && new_idx->func == idx->next->func) || new_idx->priority > idx->priority) + break; + } + idx = new_idx; + } + else + idx = idx->next; + } + else + idx = idx->next; + } + } + else + { + while ((idx != NULL) && !(p->packet_flags & PKT_PASS_RULE)) { - if (((p->proto_bits & idx->proto_mask) || (idx->proto_mask == PROTO_BIT__ALL)) && + // short-circuit here if no app data + if ( idx->priority >= PRIORITY_APPLICATION ) + { + break; + } + if ( ((p->proto_bits & idx->proto_mask) || (idx->proto_mask == PROTO_BIT__ALL) ) && IsPreprocBitSet(p, idx->preproc_bit)) { idx->func(p, idx->context); + new_policy_id = getRuntimePolicy(); + if (new_policy_id != policy_id) + { + policy_id = new_policy_id; + policy = snort_conf->targeted_policies[policy_id]; + if (!policy) + break; + for (new_idx = policy->preproc_eval_funcs; new_idx; new_idx = new_idx->next) + { + if 
(new_idx->func == idx->func) + { + new_idx = new_idx->next; + break; + } + else if ((idx->next && new_idx->func == idx->next->func) || new_idx->priority > idx->priority) + break; + } + idx = new_idx; + } + else + idx = idx->next; } + else + idx = idx->next; } + DisableDetect(p); } - check_tags_flag = 1; - if ((do_detect) && (p->bytes_to_inspect != -1)) { /* Check if we are only inspecting a portion of this packet... */ 
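Review bot: The policy-switch logic that follows `idx->func(p, idx->context)` in the `@@ -125,48 +122,121 @@` hunk is duplicated verbatim in the `p->dsize` and no-payload loops — about twenty lines each, including the `for` that finds where to resume on the new policy's list — so any later fix has to be made twice. Factoring the resume search into a static helper keeps both loops readable and gives the resume rule (continue after the entry with the same func; stop at the entry matching the next func or the first of higher priority) one place to be documented. Separately, `do_detect` is set to 1 only in the no-error branch, so on a packet with `error_flags` set the later `if ((do_detect) && ...)` runs on whatever value the previous packet left; if that is not intended, reset it at the top of the function. The enclosing function begins and ends outside this hunk.
```c
/* Resume point on new_list after idx->func ran and the runtime policy changed:
 * continue after the entry with the same func; otherwise stop at the entry whose
 * func matches idx->next, or at the first entry of higher priority (NULL if none). */
static PreprocEvalFuncNode *NextPreprocAfterPolicySwitch(PreprocEvalFuncNode *idx,
                                                         PreprocEvalFuncNode *new_list)
{
    PreprocEvalFuncNode *new_idx;

    for (new_idx = new_list; new_idx; new_idx = new_idx->next)
    {
        if (new_idx->func == idx->func)
            return new_idx->next;
        if ((idx->next && new_idx->func == idx->next->func) || new_idx->priority > idx->priority)
            break;
    }
    return new_idx;
}

/* … unchanged: error_flags check, obfuscation reset, EnablePreprocessors … */
                idx->func(p, idx->context);
                new_policy_id = getRuntimePolicy();
                if (new_policy_id != policy_id)
                {
                    policy_id = new_policy_id;
                    policy = snort_conf->targeted_policies[policy_id];
                    if (!policy)
                        break;
                    idx = NextPreprocAfterPolicySwitch(idx, policy->preproc_eval_funcs);
                }
                else
                    idx = idx->next;
/* … unchanged: identical replacement in the no-payload loop … */
```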
@@ -185,66 +255,20 @@ DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "Ignoring server traffic!!!\n");); } } - else - { - DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "Invalid Checksum, Ignoring traffic!!!\n");); - pc.invalid_checksums++; - } - /* - ** By checking tagging here, we make sure that we log the - ** tagged packet whether it generates an alert or not. - */ - if (IPH_IS_VALID(p)) - CheckTagging(p); + check_tags_flag = 1; PREPROC_PROFILE_START(eventqPerfStats); retval = SnortEventqLog(snort_conf->event_queue, p); - Replace_ModifyPacket(p); SnortEventqReset(); PREPROC_PROFILE_END(eventqPerfStats); - /* Simulate above behavior for preprocessor reassembled packets */ - if ((p->packet_flags & PKT_PREPROC_RPKT) && do_detect && (p->bytes_to_inspect != -1)) - { - PreprocReassemblyPktFuncNode *rpkt_idx = policy->preproc_reassembly_pkt_funcs; - - /* Loop through the preprocessors that have registered a - * function to get a reassembled packet */ - while (rpkt_idx != NULL) - { - Packet *pp = NULL; - - assert(rpkt_idx->func != NULL); - - /* If the preprocessor bit is set, get the reassembled packet */ - if (IsPreprocReassemblyPktBitSet(p, rpkt_idx->preproc_id)) - { - pp = (Packet *)rpkt_idx->func(); - } - - if (pp != NULL) - { - /* If the original packet's bytes to inspect is set, - * set it for the reassembled packet */ - if (p->bytes_to_inspect > 0) - pp->dsize = (uint16_t)p->bytes_to_inspect; - - if (Detect(pp)) - { - PREPROC_PROFILE_START(eventqPerfStats); - - retval |= SnortEventqLog(snort_conf->event_queue, pp); - Replace_ModifyPacket(p); - SnortEventqReset(); - - PREPROC_PROFILE_END(eventqPerfStats); - } - } - - rpkt_idx = rpkt_idx->next; - } - } + /* + ** By checking tagging here, we make sure that we log the + ** tagged packet whether it generates an alert or not. + */ + if (IPH_IS_VALID(p)) + CheckTagging(p); otn_tmp = NULL; 
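Review bot: `CheckTagging(p)` is moved after `SnortEventqLog`/`SnortEventqReset` in the `@@ -185,66 +255,20 @@` hunk and `check_tags_flag = 1` is now set just before the queue is logged; since `CallLogFuncs` clears `check_tags_flag` (the `@@ -331` hunk of this file), a packet the event queue already logged is not logged a second time as a tagged packet. That looks intentional, but it is an invisible coupling through a file-scope flag and deserves a comment where the flag is set: `/* cleared by CallLogFuncs if an event logs this packet, so the tagged-packet log below only fires for packets not already logged */`. The enclosing function starts and ends outside this hunk.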
@@ -270,18 +294,18 @@ } PPM_PKT_LOG(); - } - if( PPM_RULES_ENABLED() ) - { + } + if( PPM_RULES_ENABLED() ) + { PPM_RULE_LOG(pktcnt, p); - } - if( PPM_PKTS_ENABLED() ) - { + } + if( PPM_PKTS_ENABLED() ) + { PPM_END_PKT_TIMER(); - } + } #endif - return retval; + return retval; } /* @@ -303,7 +327,7 @@ { Event event; - if(check_tags_flag == 1 && !(p->packet_flags & PKT_REBUILT_STREAM)) + if(check_tags_flag == 1 && !(p->packet_flags & PKT_REBUILT_STREAM)) { DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "calling CheckTagList\n");); @@ -316,7 +340,7 @@ * logging mechanism */ CallLogFuncs(p, "Tagged Packet", NULL, &event); - } + } } return 0; @@ -331,18 +355,21 @@ { OutputFuncNode *idx = NULL; - event->ref_time.tv_sec = p->pkth->ts.tv_sec; - event->ref_time.tv_usec = p->pkth->ts.tv_usec; - + if (event->sig_generator != GENERATOR_TAG) + { + event->ref_time.tv_sec = p->pkth->ts.tv_sec; + event->ref_time.tv_usec = p->pkth->ts.tv_usec; + } /* set the event number */ event->event_id = event_id | ScEventLogId(); #ifndef SUP_IP6 - if(BsdPseudoPacket) + if(BsdPseudoPacket) { p = BsdPseudoPacket; } #endif + check_tags_flag = 0; if(head == NULL) { @@ -350,11 +377,8 @@ return; } - if ((p != NULL) && ScObfuscate()) - ObfuscatePacket(p); - pc.log_pkts++; - + idx = head->LogList; if(idx == NULL) idx = LogList; @@ -372,9 +396,6 @@ idx = LogList; - if ((p != NULL) && (snort_conf->output_flags & OUTPUT_FLAG__OBFUSCATE)) - ObfuscatePacket(p); - pc.log_pkts++; while(idx != NULL) @@ -391,9 +412,6 @@ idx = otn->outputFuncs; - if ((p != NULL) && (snort_conf->output_flags & OUTPUT_FLAG__OBFUSCATE)) - ObfuscatePacket(p); - while(idx) { idx->func(p, otn->sigInfo.message, idx->arg, event); @@ -419,7 +437,7 @@ event->event_reference = event->event_id; #ifndef SUP_IP6 - if(BsdPseudoPacket) + if(BsdPseudoPacket) { p = BsdPseudoPacket; } 
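Review bot: With the new `if (event->sig_generator != GENERATOR_TAG)` guard in CallLogFuncs, a tag event reaches the output plugins with whatever `ref_time` its caller left in the Event; the visible tag caller, CheckTagging, hands a stack-allocated `Event event` to `CallLogFuncs(p, "Tagged Packet", NULL, &event)`, so unless CheckTagList fills `ref_time` — which I can't see from here — the logged reference time is uninitialized stack memory. I'd confirm that and record the contract at the guard: `/* GENERATOR_TAG events carry the ref_time of the event that started the tag; the caller (CheckTagList) must set it. */`. Separately, `p->pkth->ts` is still dereferenced unconditionally on the first line while the lines deleted below guarded `p != NULL` before ObfuscatePacket; if NULL callers exist, the first dereference needs the same guard. CallLogFuncs continues outside this hunk.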
@@ -431,9 +449,6 @@ return; } - if ((p != NULL) && (snort_conf->output_flags & OUTPUT_FLAG__OBFUSCATE)) - ObfuscatePacket(p); - pc.alert_pkts++; idx = head->AlertList; if(idx == NULL) @@ -454,9 +469,6 @@ DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "Call Alert Plugins\n");); idx = AlertList; - if ((p != NULL) && (snort_conf->output_flags & OUTPUT_FLAG__OBFUSCATE)) - ObfuscatePacket(p); - pc.alert_pkts++; while(idx != NULL) { @@ -465,8 +477,6 @@ } } - - /**************************************************************************** * * Function: Detect(Packet *) @@ -489,6 +499,7 @@ return 0; } + if (!snort_conf->ip_proto_array[GET_IPH_PROTO(p)]) { #ifdef GRE @@ -536,12 +547,12 @@ PPM_PACKET_TEST(); if( PPM_PACKET_ABORT_FLAG() ) - return 0; + return 0; } #endif /* - ** This is where we short circuit so + ** This is where we short circuit so ** that we can do IP checks. */ PREPROC_PROFILE_START(detectPerfStats); @@ -562,7 +573,7 @@ while(idx != NULL) { - idx->func(p, idx); + idx->func(p, idx->params); idx = idx->next; } @@ -574,12 +585,8 @@ #else IpAddrSet *rule_addr, #endif -#ifdef PORTLISTS - PortObject * po, -#else - uint16_t hi_port, uint16_t lo_port, -#endif - Packet *p, + PortObject * po, + Packet *p, uint32_t flags, int mode) { snort_ip_p pkt_addr; /* packet IP address */ @@ -635,7 +642,7 @@ } } - DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "addr %lx, port %d ", pkt_addr, + DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "addr %lx, port %d ", pkt_addr, pkt_port);); if(!rule_addr) @@ -644,7 +651,7 @@ if(!(global_except_addr_flag)) /*modeled after Check{Src,Dst}IP function*/ { #ifdef SUP_IP6 - if(sfvar_ip_in(rule_addr, pkt_addr)) + if(sfvar_ip_in(rule_addr, pkt_addr)) ip_match = 1; #else ip_match = 0; 
@@ -653,40 +660,40 @@ { for(idx=rule_addr->iplist; idx; idx=idx->next) { - if(idx->ip_addr == (pkt_addr & idx->netmask)) + if(idx->ip_addr == (pkt_addr & idx->netmask)) { - ip_match = 1; + ip_match = 1; break; } } } - else + else ip_match = 1; - + if(ip_match) { for(idx=rule_addr->neg_iplist; idx; idx=idx->next) { - if(idx->ip_addr == (pkt_addr & idx->netmask)) + if(idx->ip_addr == (pkt_addr & idx->netmask)) { ip_match = 0; break; } } } - - if(ip_match) + + if(ip_match) goto bail; #endif } else { DEBUG_WRAP(DebugMessage(DEBUG_DETECT, ", global exception flag set");); - /* global exception flag is up, we can't match on *any* - * of the source addresses + /* global exception flag is up, we can't match on *any* + * of the source addresses */ #ifdef SUP_IP6 - if(sfvar_ip_in(rule_addr, pkt_addr)) + if(sfvar_ip_in(rule_addr, pkt_addr)) return 0; ip_match=1; @@ -696,28 +703,28 @@ ip_match = 0; for(idx=rule_addr->iplist; idx; idx=idx->next) { - if(idx->ip_addr == (pkt_addr & idx->netmask)) + if(idx->ip_addr == (pkt_addr & idx->netmask)) { - ip_match = 1; + ip_match = 1; break; } } } - else + else ip_match = 1; - + if(ip_match) { for(idx=rule_addr->neg_iplist; idx; idx=idx->next) { - if(idx->ip_addr == (pkt_addr & idx->netmask)) + if(idx->ip_addr == (pkt_addr & idx->netmask)) { ip_match = 0; break; } } } - - if(!ip_match) + + if(!ip_match) return 0; #endif } @@ -731,7 +738,7 @@ } DEBUG_WRAP(DebugMessage(DEBUG_DETECT, ", addresses accepted");); - + /* if the any port flag is up, we're all done (success) */ if(any_port_flag) { @@ -740,7 +747,6 @@ return 1; } -#ifdef PORTLISTS #ifdef TARGET_BASED if (!(mode & (CHECK_SRC_PORT | CHECK_DST_PORT))) { @@ -761,9 +767,6 @@ /* check the packet port against the rule port */ if( !PortObjectHasPort(po,pkt_port) ) -#else - if( (pkt_port > hi_port) || (pkt_port < lo_port) ) -#endif /* PORTLISTS */ { /* if the exception flag isn't up, fail */ if(!except_port_flag) 
@@ -799,7 +802,7 @@ * Purpose: print out the chain lists by header block node group * * Arguments: node => the head node - * + * * Returns: void function * ***************************************************************************/ @@ -824,7 +827,7 @@ if(negated) { - DEBUG_WRAP(DebugMessage(DEBUG_RULES, + DEBUG_WRAP(DebugMessage(DEBUG_RULES, " (EXCEPTION_FLAG Active)\n");); } else @@ -833,7 +836,7 @@ } idx = idx->next; - } + } } @@ -870,15 +873,10 @@ #endif } -#ifdef PORTLISTS #define CHECK_ADDR_SRC_ARGS(x) (x)->src_portobject #define CHECK_ADDR_DST_ARGS(x) (x)->dst_portobject -#else -#define CHECK_ADDR_SRC_ARGS(x) (x)->hsp, (x)->lsp -#define CHECK_ADDR_DST_ARGS(x) (x)->hdp, (x)->ldp -#endif -int CheckBidirectional(Packet *p, struct _RuleTreeNode *rtn_idx, +int CheckBidirectional(Packet *p, struct _RuleTreeNode *rtn_idx, RuleFpList *fp_list, int check_ports) { DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "Checking bidirectional rule...\n");); @@ -932,7 +930,7 @@ DEBUG_WRAP(DebugMessage(DEBUG_DETECT, " Dst->Src check passed\n");); - if(!CheckAddrPort(rtn_idx->sip, CHECK_ADDR_SRC_ARGS(rtn_idx), p, + if(!CheckAddrPort(rtn_idx->sip, CHECK_ADDR_SRC_ARGS(rtn_idx), p, rtn_idx->flags, CHECK_DST_IP | INVERSE | (check_ports ? CHECK_DST_PORT : 0))) { DEBUG_WRAP(DebugMessage(DEBUG_DETECT, @@ -946,7 +944,7 @@ } } else - { + { DEBUG_WRAP(DebugMessage(DEBUG_DETECT," Inverse test failed, " "testing next rule...\n");); return 0; 
@@ -981,24 +979,24 @@ DEBUG_WRAP(DebugMessage(DEBUG_DETECT,"CheckSrcIPEqual: ");); #ifdef SUP_IP6 - if(!(rtn_idx->flags & EXCEPT_SRC_IP)) + if(!(rtn_idx->flags & EXCEPT_SRC_IP)) { if( sfvar_ip_in(rtn_idx->sip, GET_SRC_IP(p)) ) { // XXX NOT YET IMPLEMENTED - debugging in Snort6 #if 0 -#ifdef DEBUG +#ifdef DEBUG_MSGS sfip_t ip; if(idx->addr_flags & EXCEPT_IP) { DebugMessage(DEBUG_DETECT, " SIP exception match\n"); - } + } else { DebugMessage(DEBUG_DETECT, " SIP match\n"); } - + ip = *iph_ret_src(p); /* necessary due to referencing/dereferencing */ - DebugMessage(DEBUG_DETECT, "Rule: %s Packet: %s\n", + DebugMessage(DEBUG_DETECT, "Rule: %s Packet: %s\n", inet_ntoa(idx->ip_addr), inet_ntoa(ip)); #endif /* DEBUG */ #endif @@ -1009,8 +1007,8 @@ } else { - /* global exception flag is up, we can't match on *any* - * of the source addresses + /* global exception flag is up, we can't match on *any* + * of the source addresses */ DEBUG_WRAP(DebugMessage(DEBUG_DETECT," global exception flag, \n");); 
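Review bot: The trailing comment `#endif /* DEBUG */` no longer matches the renamed guard `#ifdef DEBUG_MSGS` above it, and because the whole region sits under `#if 0` the mismatch will only bite whoever re-enables it — change it to `#endif /* DEBUG_MSGS */`. While that block is dead, `DebugMessage(DEBUG_DETECT, "Rule: %s Packet: %s\n", inet_ntoa(idx->ip_addr), inet_ntoa(ip))` feeds two `inet_ntoa` results to one format; `inet_ntoa` returns a single static buffer, so both `%s` would print the same address if this is ever compiled in, and a note to that effect would save the next person a puzzle. CheckSrcIPEqual's body continues outside this hunk.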
@@ -1029,38 +1027,38 @@ { match = 0; - pos_idx = rtn_idx->sip->iplist; - neg_idx = rtn_idx->sip->neg_iplist; + pos_idx = rtn_idx->sip->iplist; + neg_idx = rtn_idx->sip->neg_iplist; - if(!pos_idx) + if(!pos_idx) { - for( ; neg_idx; neg_idx = neg_idx->next) + for( ; neg_idx; neg_idx = neg_idx->next) { - if(neg_idx->ip_addr == - (p->iph->ip_src.s_addr & neg_idx->netmask)) + if(neg_idx->ip_addr == + (p->iph->ip_src.s_addr & neg_idx->netmask)) { DEBUG_WRAP(DebugMessage(DEBUG_DETECT," Mismatch on SIP\n");); return 0; } - } + } DEBUG_WRAP(DebugMessage(DEBUG_DETECT," SIP match\n");); return fp_list->next->RuleHeadFunc(p, rtn_idx, fp_list->next, check_ports); } - - while(pos_idx) + + while(pos_idx) { if(neg_idx) { - if(neg_idx->ip_addr == - (p->iph->ip_src.s_addr & neg_idx->netmask)) + if(neg_idx->ip_addr == + (p->iph->ip_src.s_addr & neg_idx->netmask)) { DEBUG_WRAP(DebugMessage(DEBUG_DETECT," Mismatch on SIP\n");); return 0; } - + neg_idx = neg_idx->next; - } + } /* No more potential negations. Check if we've already matched. */ else if(match) { @@ -1068,10 +1066,10 @@ return fp_list->next->RuleHeadFunc(p, rtn_idx, fp_list->next, check_ports); } - if(!match) + if(!match) { - if(pos_idx->ip_addr == - (p->iph->ip_src.s_addr & pos_idx->netmask)) + if(pos_idx->ip_addr == + (p->iph->ip_src.s_addr & pos_idx->netmask)) { match = 1; } @@ -1080,7 +1078,7 @@ pos_idx = pos_idx->next; } } - } + } } DEBUG_WRAP(DebugMessage(DEBUG_DETECT," Mismatch on SIP\n");); @@ -1114,11 +1112,11 @@ DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "CheckDstIPEqual: ");) #ifdef SUP_IP6 - if(!(rtn_idx->flags & EXCEPT_DST_IP)) + if(!(rtn_idx->flags & EXCEPT_DST_IP)) { if( sfvar_ip_in(rtn_idx->dip, GET_DST_IP(p)) ) { -// #ifdef DEBUG +// #ifdef DEBUG_MSGS // XXX idx's equivalent is lost inside of sfvar_ip_in // DebugMessage(DEBUG_DETECT, "Rule: %s Packet: ", // inet_ntoa(idx->ip_addr)); 
@@ -1131,7 +1129,7 @@ } else { - /* global exception flag is up, we can't match on *any* + /* global exception flag is up, we can't match on *any* * of the source addresses */ DEBUG_WRAP(DebugMessage(DEBUG_DETECT," global exception flag, \n");); @@ -1147,38 +1145,38 @@ { match = 0; - pos_idx = rtn_idx->dip->iplist; - neg_idx = rtn_idx->dip->neg_iplist; + pos_idx = rtn_idx->dip->iplist; + neg_idx = rtn_idx->dip->neg_iplist; - if(!pos_idx) + if(!pos_idx) { - for( ; neg_idx; neg_idx = neg_idx->next) + for( ; neg_idx; neg_idx = neg_idx->next) { - if(neg_idx->ip_addr == - (p->iph->ip_dst.s_addr & neg_idx->netmask)) + if(neg_idx->ip_addr == + (p->iph->ip_dst.s_addr & neg_idx->netmask)) { DEBUG_WRAP(DebugMessage(DEBUG_DETECT," Mismatch on DIP\n");); return 0; } - } + } DEBUG_WRAP(DebugMessage(DEBUG_DETECT," DIP match\n");); return fp_list->next->RuleHeadFunc(p, rtn_idx, fp_list->next, check_ports); } - while(pos_idx) + while(pos_idx) { if(neg_idx) { - if(neg_idx->ip_addr == - (p->iph->ip_dst.s_addr & neg_idx->netmask)) + if(neg_idx->ip_addr == + (p->iph->ip_dst.s_addr & neg_idx->netmask)) { DEBUG_WRAP(DebugMessage(DEBUG_DETECT, " DIP exception match\n");); return 0; } - + neg_idx = neg_idx->next; - } + } /* No more potential negations. Check if we've already matched. */ else if(match) { @@ -1186,19 +1184,19 @@ return fp_list->next->RuleHeadFunc(p, rtn_idx, fp_list->next, check_ports); } - if(!match) + if(!match) { - if(pos_idx->ip_addr == - (p->iph->ip_dst.s_addr & pos_idx->netmask)) + if(pos_idx->ip_addr == + (p->iph->ip_dst.s_addr & pos_idx->netmask)) { match = 1; } - else + else { pos_idx = pos_idx->next; } } - } + } } DEBUG_WRAP(DebugMessage(DEBUG_DETECT, " DIP exception match\n");); 
@@ -1207,12 +1205,11 @@ } -int CheckSrcPortEqual(Packet *p, struct _RuleTreeNode *rtn_idx, +int CheckSrcPortEqual(Packet *p, struct _RuleTreeNode *rtn_idx, RuleFpList *fp_list, int check_ports) { DEBUG_WRAP(DebugMessage(DEBUG_DETECT,"CheckSrcPortEqual: ");); -#ifdef PORTLISTS #ifdef TARGET_BASED /* Check if attributes provided match earlier */ if (check_ports == 0) @@ -1232,9 +1229,6 @@ } #endif /* TARGET_BASED */ if( PortObjectHasPort(rtn_idx->src_portobject,p->sp) ) -#else - if( (p->sp <= rtn_idx->hsp) && (p->sp >= rtn_idx->lsp) ) -#endif /* PORTLISTS */ { DEBUG_WRAP(DebugMessage(DEBUG_DETECT, " SP match!\n");); return fp_list->next->RuleHeadFunc(p, rtn_idx, fp_list->next, check_ports); @@ -1247,12 +1241,11 @@ return 0; } -int CheckSrcPortNotEq(Packet *p, struct _RuleTreeNode *rtn_idx, +int CheckSrcPortNotEq(Packet *p, struct _RuleTreeNode *rtn_idx, RuleFpList *fp_list, int check_ports) { DEBUG_WRAP(DebugMessage(DEBUG_DETECT,"CheckSrcPortNotEq: ");); -#ifdef PORTLISTS #ifdef TARGET_BASED /* Check if attributes provided match earlier */ if (check_ports == 0) @@ -1272,9 +1265,6 @@ } #endif /* TARGET_BASED */ if( !PortObjectHasPort(rtn_idx->src_portobject,p->sp) ) -#else - if( (p->sp > rtn_idx->hsp) || (p->sp < rtn_idx->lsp) ) -#endif /* PORTLISTS */ { DEBUG_WRAP(DebugMessage(DEBUG_DETECT, " !SP match!\n");); return fp_list->next->RuleHeadFunc(p, rtn_idx, fp_list->next, check_ports); @@ -1287,12 +1277,11 @@ return 0; } -int CheckDstPortEqual(Packet *p, struct _RuleTreeNode *rtn_idx, +int CheckDstPortEqual(Packet *p, struct _RuleTreeNode *rtn_idx, RuleFpList *fp_list, int check_ports) { DEBUG_WRAP(DebugMessage(DEBUG_DETECT,"CheckDstPortEqual: ");); -#ifdef PORTLISTS #ifdef TARGET_BASED /* Check if attributes provided match earlier */ if (check_ports == 0) 
@@ -1312,9 +1301,6 @@ } #endif /* TARGET_BASED */ if( PortObjectHasPort(rtn_idx->dst_portobject,p->dp) ) -#else - if( (p->dp <= rtn_idx->hdp) && (p->dp >= rtn_idx->ldp) ) -#endif /* PORTLISTS */ { DEBUG_WRAP(DebugMessage(DEBUG_DETECT, " DP match!\n");); return fp_list->next->RuleHeadFunc(p, rtn_idx, fp_list->next, check_ports); @@ -1327,12 +1313,11 @@ } -int CheckDstPortNotEq(Packet *p, struct _RuleTreeNode *rtn_idx, +int CheckDstPortNotEq(Packet *p, struct _RuleTreeNode *rtn_idx, RuleFpList *fp_list, int check_ports) { DEBUG_WRAP(DebugMessage(DEBUG_DETECT,"CheckDstPortNotEq: ");); -#ifdef PORTLISTS #ifdef TARGET_BASED /* Check if attributes provided match earlier */ if (check_ports == 0) @@ -1352,9 +1337,6 @@ } #endif /* TARGET_BASED */ if( !PortObjectHasPort(rtn_idx->dst_portobject,p->dp) ) -#else - if( (p->dp > rtn_idx->hdp) || (p->dp < rtn_idx->ldp) ) -#endif /* PORTLISTS */ { DEBUG_WRAP(DebugMessage(DEBUG_DETECT, " !DP match!\n");); return fp_list->next->RuleHeadFunc(p, rtn_idx, fp_list->next, check_ports); @@ -1400,23 +1382,23 @@ if (otn->OTN_activation_ptr == NULL) { LogMessage("WARNING: an activation rule with no " - "dynamic rules matched!\n"); + "dynamic rules matched.\n"); return 0; } otn->OTN_activation_ptr->active_flag = 1; - otn->OTN_activation_ptr->countdown = + otn->OTN_activation_ptr->countdown = otn->OTN_activation_ptr->activation_counter; otn->RTN_activation_ptr->active_flag = 1; - otn->RTN_activation_ptr->countdown += + otn->RTN_activation_ptr->countdown += otn->OTN_activation_ptr->activation_counter; snort_conf->active_dynamic_nodes++; DEBUG_WRAP(DebugMessage(DEBUG_DETECT," => Finishing activation packet!\n");); - + CallLogFuncs(p, otn->sigInfo.message, rtn->listhead, event); - DEBUG_WRAP(DebugMessage(DEBUG_DETECT, + DEBUG_WRAP(DebugMessage(DEBUG_DETECT, " => Activation packet finished, returning!\n");); return 1; 
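Review bot: In the ActivateAction hunk the NULL check covers only `otn->OTN_activation_ptr`, yet `otn->RTN_activation_ptr->active_flag` and `->countdown` are dereferenced a few lines further down with no check at all. If the parser guarantees both pointers are set together, say so beside the check, e.g. `/* RTN_activation_ptr is set whenever OTN_activation_ptr is; the parser links both */`; otherwise widen it to `if (otn->OTN_activation_ptr == NULL || otn->RTN_activation_ptr == NULL)` with the same warning and `return 0;`. ActivateAction starts outside this hunk.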
@@ -1432,8 +1414,7 @@ /* Call OptTreeNode specific output functions */ if(otn->outputFuncs) CallSigOutputFuncs(p, otn, event); - -//PORTLISTS + if (ScAlertPacketCount()) print_packet_count(); @@ -1469,16 +1450,16 @@ DEBUG_WRAP(DebugMessage(DEBUG_DETECT, " <!!> Generating Alert and dropping! \"%s\"\n", otn->sigInfo.message);); - + if(stream_api && !stream_api->alert_inline_midstream_drops()) { - if(stream_api->get_session_flags(p->ssnptr) & SSNFLAG_MIDSTREAM) + if(stream_api->get_session_flags(p->ssnptr) & SSNFLAG_MIDSTREAM) { DEBUG_WRAP(DebugMessage(DEBUG_DETECT, " <!!> Alert Came From Midstream Session Silently Drop! " - "\"%s\"\n", otn->sigInfo.message);); + "\"%s\"\n", otn->sigInfo.message);); - InlineDrop(p); + Active_DropSession(); return 1; } } @@ -1487,7 +1468,7 @@ ** Set packet flag so output plugins will know we dropped the ** packet we just logged. */ - InlineDrop(p); + Active_DropSession(); CallAlertFuncs(p, otn->sigInfo.message, rtn->listhead, event); @@ -1496,7 +1477,6 @@ return 1; } -#ifdef GIDS int SDropAction(Packet * p, OptTreeNode * otn, Event *event) { DEBUG_WRAP(DebugMessage(DEBUG_DETECT, 
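Review bot: The comment kept above the second `Active_DropSession()` in DropAction, `Set packet flag so output plugins will know we dropped the packet we just logged`, describes the old `InlineDrop(p)`; the replacement takes no packet and, judging by its name, blocks the session rather than flagging this packet, so the comment should state what the new call records, e.g. `/* Drop this packet and block the rest of the session; output plugins see the drop via the active-response state rather than a per-packet flag. */` — adjusted to whatever Active_DropSession actually does, which I can't see here. The same stale wording (`Let's silently drop the packet`) sits above the SDropAction replacement in the next hunk. DropAction starts outside this hunk.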
@@ -1504,46 +1484,10 @@ otn->sigInfo.message);); // Let's silently drop the packet - InlineDrop(p); - return 1; -} - -int RejectAction(Packet * p, OptTreeNode * otn, Event *event) -{ - RuleTreeNode *rtn = getRuntimeRtnFromOtn(otn); - - DEBUG_WRAP(DebugMessage(DEBUG_DETECT, - " <!!>Ignoring! \"%s\"\n", - otn->sigInfo.message);); - - // Let's log/alert, drop the packet, and mark it for reset. - CallAlertFuncs(p, otn->sigInfo.message, rtn->listhead, event); - - CallLogFuncs(p, otn->sigInfo.message, rtn->listhead, event); - - /* - if(p->ssnptr != NULL) - { - if(stream_api && stream_api->alert_flush_stream(p) == 0) - { - CallLogFuncs(p, otn->sigInfo.message, otn->rtn->listhead, event); - } - } - else - { - CallLogFuncs(p, otn->sigInfo.message, otn->rtn->listhead, event); - } - - DEBUG_WRAP(DebugMessage(DEBUG_DETECT, - " => Alert packet finished, returning!\n");); - */ - - InlineReject(p); + Active_DropSession(); return 1; } -#endif /* GIDS */ - int DynamicAction(Packet * p, OptTreeNode * otn, Event *event) { @@ -1563,7 +1507,7 @@ snort_conf->active_dynamic_nodes--; DEBUG_WRAP(DebugMessage(DEBUG_DETECT, " <!!> Shutting down dynamic OTN node\n");); } - + rtn->countdown--; if( rtn->countdown <= 0 ) 
@@ -1592,96 +1536,5 @@ return 1; } -void ObfuscatePacket(Packet *p) -{ - snort_ip cleared; - IP_CLEAR(cleared); - - /* only obfuscate once */ - if(p->packet_flags & PKT_OBFUSCATED) - return; - - /* we only obfuscate IP packets */ - if(!IPH_IS_VALID(p)) - return; - -#ifdef SUP_IP6 - if(!IS_SET(snort_conf->obfuscation_net)) - { - sfip_t *tmp = GET_SRC_IP(p); - - if(!tmp) - { - /* XXX we're hosed */ - return; - } - memset(tmp->ip8, 0, 16); - - tmp = GET_DST_IP(p); - if(!tmp) - { - return; - } - memset(tmp->ip8, 0, 16); - } -#else - if(snort_conf->obfuscation_net == 0) - { - ((IPHdr *)p->iph)->ip_src.s_addr = 0x00000000; - ((IPHdr *)p->iph)->ip_dst.s_addr = 0x00000000; - } -#endif - else - { -#ifdef SUP_IP6 - sfip_t *src; - sfip_t *dst; - - src = GET_SRC_IP(p); - dst = GET_DST_IP(p); - - if(IS_SET(snort_conf->homenet)) - { - if(sfip_contains(&snort_conf->homenet, src) == SFIP_CONTAINS) - { - sfip_obfuscate(&snort_conf->obfuscation_net, src); - } - - if(sfip_contains(&snort_conf->homenet, dst) == SFIP_CONTAINS) - { - sfip_obfuscate(&snort_conf->obfuscation_net, dst); - } - } - else - { - sfip_obfuscate(&snort_conf->obfuscation_net, src); - sfip_obfuscate(&snort_conf->obfuscation_net, dst); - } -#else - if(snort_conf->homenet != 0) - { - if((p->iph->ip_src.s_addr & snort_conf->netmask) == snort_conf->homenet) - { - ((IPHdr *)p->iph)->ip_src.s_addr = snort_conf->obfuscation_net | - (p->iph->ip_src.s_addr & snort_conf->obfuscation_mask); - } - if((p->iph->ip_dst.s_addr & snort_conf->netmask) == snort_conf->homenet) - { - ((IPHdr *)p->iph)->ip_dst.s_addr = snort_conf->obfuscation_net | - (p->iph->ip_dst.s_addr & snort_conf->obfuscation_mask); - } - } - else - { - ((IPHdr *)p->iph)->ip_src.s_addr = snort_conf->obfuscation_net | - (p->iph->ip_src.s_addr & snort_conf->obfuscation_mask); - ((IPHdr *)p->iph)->ip_dst.s_addr = snort_conf->obfuscation_net | - (p->iph->ip_dst.s_addr & snort_conf->obfuscation_mask); - } -#endif - } - p->packet_flags |= PKT_OBFUSCATED; -} - /* end of 
rule action functions */ diff -Nru snort-2.8.5.2/src/detect.h snort-2.9.2/src/detect.h --- snort-2.8.5.2/src/detect.h 2009-05-06 22:28:10.000000000 +0000 +++ snort-2.9.2/src/detect.h 2011-06-08 00:33:05.000000000 +0000 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -27,30 +27,27 @@ #include "config.h" #endif -#include "debug.h" +#include "snort_debug.h" #include "decode.h" #include "rules.h" +#include "treenodes.h" #include "parser.h" #include "plugbase.h" #include "log.h" #include "event.h" -#ifdef PORTLISTS #include "sfutil/sfportobject.h" -#endif /* P R O T O T Y P E S ******************************************************/ extern int do_detect; extern int do_detect_content; +extern uint16_t event_id; /* rule match action functions */ int PassAction(void); int ActivateAction(Packet *, OptTreeNode *, Event *); int AlertAction(Packet *, OptTreeNode *, Event *); int DropAction(Packet *, OptTreeNode *, Event *); -#ifdef GIDS int SDropAction(Packet *, OptTreeNode *, Event *); -int RejectAction(Packet *, OptTreeNode *, Event *); -#endif /* GIDS */ int DynamicAction(Packet *, OptTreeNode *, Event *); int LogAction(Packet *, OptTreeNode *, Event *); @@ -63,19 +60,11 @@ int EvalOpts(OptTreeNode *, Packet *); void TriggerResponses(Packet *, OptTreeNode *); -#ifdef PORTLISTS #ifdef SUP_IP6 int CheckAddrPort(sfip_var_t *, PortObject* , Packet *, uint32_t, int); #else int CheckAddrPort(IpAddrSet *, PortObject* , Packet *, uint32_t, int); #endif -#else -#ifdef SUP_IP6 -int CheckAddrPort(sfip_var_t *, uint16_t, uint16_t, Packet *, uint32_t, int); -#else -int CheckAddrPort(IpAddrSet *, uint16_t, uint16_t, Packet *, uint32_t, int); -#endif -#endif /* detection modules */ int CheckBidirectional(Packet *, struct _RuleTreeNode *, RuleFpList *, int); 
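Review bot: The newly exported `extern uint16_t event_id;` in detect.h needs a comment, because its width and use are easy to get wrong from another translation unit: it is 16 bits and so wraps at 65535, and in the detect.c hunks above it is combined as `event->event_id = event_id | ScEventLogId();`, so it is only the low half of the logged event id and must never be assigned a full 32-bit value. I'd add `/* Low 16 bits of Event.event_id; wraps at 65535 and is OR'd with ScEventLogId() when an event is logged. */` and name the code that increments it, which is not visible in this diff.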
@@ -96,18 +85,21 @@ void CallLogFuncs(Packet *, char *, ListHead *, Event *); void CallAlertFuncs(Packet *, char *, ListHead *, Event *); -void ObfuscatePacket(Packet *p); - -static INLINE void DisableDetect(Packet *p) +static inline void DisableDetect(Packet *p) { DisablePreprocessors(p); do_detect_content = 0; } -static INLINE void DisableAllDetect(Packet *p) +static inline void DisableAllDetect(Packet *p) { DisablePreprocessors(p); do_detect = do_detect_content = 0; } +/* counter for number of times we evaluate rules. Used to + * cache result of check for rule option tree nodes. */ +extern uint64_t rule_eval_pkt_count; + + #endif /* __DETECT_H__ */ diff -Nru snort-2.8.5.2/src/detection_filter.c snort-2.9.2/src/detection_filter.c --- snort-2.8.5.2/src/detection_filter.c 2009-07-07 15:37:00.000000000 +0000 +++ snort-2.9.2/src/detection_filter.c 2011-06-08 00:33:05.000000000 +0000 @@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -19,11 +19,15 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + #include <stdio.h> #include <stdlib.h> #include <string.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "mstring.h" #include "util.h" #include "parser.h" @@ -101,7 +105,7 @@ } int detection_filter_test ( - void* pv, + void* pv, snort_ip_p sip, snort_ip_p dip, long curtime ) { diff -Nru snort-2.8.5.2/src/detection_filter.h snort-2.9.2/src/detection_filter.h --- snort-2.8.5.2/src/detection_filter.h 2009-07-07 15:37:00.000000000 +0000 +++ snort-2.9.2/src/detection_filter.h 2011-02-09 23:22:47.000000000 +0000 
@@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.8.5.2/src/detection-plugins/detection_options.c snort-2.9.2/src/detection-plugins/detection_options.c --- snort-2.8.5.2/src/detection-plugins/detection_options.c 2009-08-10 20:41:43.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/detection_options.c 2011-10-26 18:28:52.000000000 +0000 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2007-2009 Sourcefire, Inc. +** Copyright (C) 2007-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -23,7 +23,7 @@ ** @file detection_options.c ** ** @author Steven Sturges -** +** ** @brief Support functions for rule option tree ** ** This implements tree processing for rule options, evaluating common @@ -31,10 +31,16 @@ ** */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "sfutil/sfxhash.h" #include "sfutil/sfhashfcn.h" #include "detection_options.h" +#include "detection_util.h" #include "rules.h" +#include "treenodes.h" #include "util.h" #include "fpcreate.h" #include "parser.h" @@ -42,6 +48,7 @@ #include "sp_asn1.h" #include "sp_byte_check.h" #include "sp_byte_jump.h" +#include "sp_byte_extract.h" #include "sp_clientserver.h" #include "sp_cvs.h" #include "sp_dsize_check.h" @@ -57,6 +64,8 @@ #include "sp_ip_proto.h" #include "sp_ip_same_check.h" #include "sp_ip_tos_check.h" +#include "sp_file_data.h" +#include "sp_base64_decode.h" #include "sp_isdataat.h" #include "sp_pattern_match.h" #include "sp_pcre.h" 
@@ -86,15 +95,6 @@ #include "sfPolicy.h" #include "detection_filter.h" -extern const uint8_t *doe_ptr; - -/* Used when adding detection option tree */ -extern SnortConfig *snort_conf_for_fast_pattern; - -/* Used when parsing detection options */ -extern SnortConfig *snort_conf_for_parsing; -extern SnortConfig *snort_conf; - typedef struct _detection_option_key { option_type_t option_type; @@ -121,6 +121,9 @@ case RULE_OPTION_TYPE_BYTE_JUMP: hash = ByteJumpHash(key->option_data); break; + case RULE_OPTION_TYPE_BYTE_EXTRACT: + hash = ByteExtractHash(key->option_data); + break; case RULE_OPTION_TYPE_FLOW: hash = FlowHash(key->option_data); break; @@ -135,6 +138,16 @@ break; case RULE_OPTION_TYPE_FTPBOUNCE: break; + case RULE_OPTION_TYPE_FILE_DATA: + hash = FileDataHash(key->option_data); + break; + case RULE_OPTION_TYPE_BASE64_DECODE: + hash = Base64DecodeHash(key->option_data); + break; + case RULE_OPTION_TYPE_BASE64_DATA: + break; + case RULE_OPTION_TYPE_PKT_DATA: + break; case RULE_OPTION_TYPE_ICMP_CODE: hash = IcmpCodeCheckHash(key->option_data); break; @@ -262,6 +275,9 @@ case RULE_OPTION_TYPE_BYTE_JUMP: ret = ByteJumpCompare(key1->option_data, key2->option_data); break; + case RULE_OPTION_TYPE_BYTE_EXTRACT: + ret = ByteExtractCompare(key1->option_data, key2->option_data); + break; case RULE_OPTION_TYPE_FLOW: ret = FlowCompare(key1->option_data, key2->option_data); break; @@ -276,6 +292,16 @@ break; case RULE_OPTION_TYPE_FTPBOUNCE: break; + case RULE_OPTION_TYPE_FILE_DATA: + ret = FileDataCompare(key1->option_data, key2->option_data); + break; + case RULE_OPTION_TYPE_BASE64_DECODE: + ret = Base64DecodeCompare(key1->option_data, key2->option_data); + break; + case RULE_OPTION_TYPE_BASE64_DATA: + break; + case RULE_OPTION_TYPE_PKT_DATA: + break; case RULE_OPTION_TYPE_ICMP_CODE: ret = IcmpCodeCheckCompare(key1->option_data, key2->option_data); break; 
@@ -356,6 +382,7 @@ #ifdef DYNAMIC_PLUGIN case RULE_OPTION_TYPE_HDR_OPT_CHECK: ret = HdrOptCheckCompare(key1->option_data, key2->option_data); + break; case RULE_OPTION_TYPE_PREPROCESSOR: ret = PreprocessorRuleOptionCompare(key1->option_data, key2->option_data); break; @@ -384,6 +411,9 @@ case RULE_OPTION_TYPE_BYTE_JUMP: free(key->option_data); break; + case RULE_OPTION_TYPE_BYTE_EXTRACT: + ByteExtractFree(key->option_data); + break; case RULE_OPTION_TYPE_FLOW: free(key->option_data); break; @@ -399,6 +429,16 @@ case RULE_OPTION_TYPE_FTPBOUNCE: /* Data is NULL, nothing to free */ break; + case RULE_OPTION_TYPE_FILE_DATA: + free(key->option_data); + break; + case RULE_OPTION_TYPE_BASE64_DECODE: + free(key->option_data); + break; + case RULE_OPTION_TYPE_BASE64_DATA: + break; + case RULE_OPTION_TYPE_PKT_DATA: + break; case RULE_OPTION_TYPE_ICMP_CODE: free(key->option_data); break; @@ -693,6 +733,7 @@ "RULE_OPTION_TYPE_ASN1", "RULE_OPTION_TYPE_BYTE_TEST", "RULE_OPTION_TYPE_BYTE_JUMP", + "RULE_OPTION_TYPE_BYTE_EXTRACT", "RULE_OPTION_TYPE_FLOW", "RULE_OPTION_TYPE_CVS", "RULE_OPTION_TYPE_DSIZE", @@ -710,6 +751,10 @@ "RULE_OPTION_TYPE_IP_SAME", "RULE_OPTION_TYPE_IP_TOS", "RULE_OPTION_TYPE_IS_DATA_AT", + "RULE_OPTION_TYPE_FILE_DATA", + "RULE_OPTION_TYPE_BASE64_DECODE", + "RULE_OPTION_TYPE_BASE64_DATA", + "RULE_OPTION_TYPE_PKT_DATA", "RULE_OPTION_TYPE_CONTENT", "RULE_OPTION_TYPE_CONTENT_URI", "RULE_OPTION_TYPE_PCRE", @@ -729,6 +774,7 @@ "RULE_OPTION_TYPE_URILEN" #ifdef DYNAMIC_PLUGIN , + "RULE_OPTION_TYPE_HDR_OPT_CHECK", "RULE_OPTION_TYPE_PREPROCESSOR", "RULE_OPTION_TYPE_DYNAMIC" #endif @@ -756,7 +802,7 @@ int add_detection_option_tree(detection_option_tree_node_t *option_tree, void **existing_data) { - SnortConfig *sc = snort_conf_for_fast_pattern; + SnortConfig *sc = snort_conf_for_parsing; detection_option_key_t key; if (sc == NULL) 
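Review bot: The `RULE_OPTION_TYPE_*` string table is positional — it is presumably indexed by `option_type_t` — and these hunks insert `BYTE_EXTRACT`, `FILE_DATA`, `BASE64_DECODE`, `BASE64_DATA`, `PKT_DATA` and the previously missing `HDR_OPT_CHECK` at specific positions, which is only correct if the enum in detection_options.h, not shown here, gained the same members in the same order. Nothing enforces that, and the `HDR_OPT_CHECK` entry this change has to restore shows how silently the two drift apart. I'd put `/* Must stay in the same order as option_type_t (detection_options.h); a mismatch mislabels options in debug output. */` above the table, and if the array is declared with an explicit size, add a compile-time check that its element count equals the enum's terminator value. The table's declaration begins outside these hunks.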
@@ -787,38 +833,45 @@ return DETECTION_OPTION_NOT_EQUAL; } -extern uint8_t DecodeBuffer[DECODE_BLEN]; /* decode.c */ +uint64_t rule_eval_pkt_count = 0; int detection_option_node_evaluate(detection_option_tree_node_t *node, detection_option_eval_data_t *eval_data) { int i, result = 0, prior_result = 0; int rval = DETECTION_OPTION_NO_MATCH; - const uint8_t *start_doe_ptr = NULL, *tmp_doe_ptr, *orig_doe_ptr; + const uint8_t *orig_doe_ptr; char tmp_noalert_flag = 0; PatternMatchData dup_content_option_data; PcreData dup_pcre_option_data; const uint8_t *dp = NULL; - int dsize; char continue_loop = 1; + char flowbits_setoperation = 0; + int loop_count = 0; + uint32_t tmp_byte_extract_vars[NUM_BYTE_EXTRACT_VARS]; + uint16_t save_dflags = 0; NODE_PROFILE_VARS; if (!node || !eval_data || !eval_data->p || !eval_data->pomd || !eval_data->otnx) return 0; + save_dflags = Get_DetectFlags(); + /* see if evaluated it before ... */ if (node->last_check.is_relative == 0) { /* Only matters if not relative... */ if ((node->last_check.ts.tv_usec == eval_data->p->pkth->ts.tv_usec) && (node->last_check.ts.tv_sec == eval_data->p->pkth->ts.tv_sec) && - (node->last_check.packet_number == pc.total_from_pcap) && + (node->last_check.packet_number == rule_eval_pkt_count) && (node->last_check.pipeline_number == eval_data->p->http_pipeline_count) && (node->last_check.rebuild_flag == (eval_data->p->packet_flags & REBUILD_FLAGS)) && - (!(eval_data->p->packet_flags & PKT_DCE_PKT))) + (!(eval_data->p->packet_flags & PKT_ALLOW_MULTIPLE_DETECT))) { /* eval'd this rule option before on this packet, * use the cached result. */ - if ((node->last_check.flowbit_failed == 0) && !(eval_data->p->packet_flags & PKT_IP_RULE_2ND)) + if ((node->last_check.flowbit_failed == 0) && + !(eval_data->p->packet_flags & PKT_IP_RULE_2ND) && + !(eval_data->p->proto_bits & (PROTO_BIT__TEREDO | PROTO_BIT__GTP ))) { return node->last_check.result; } 
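Review bot: The per-node result cache in detection_option_node_evaluate now keys on `rule_eval_pkt_count` (compared at `node->last_check.packet_number == rule_eval_pkt_count`) instead of the decoder-maintained `pc.total_from_pcap`, so its correctness depends on something bumping the new counter before every packet's rule evaluation; nothing in this diff does, and a missed increment means a later packet with the same timestamp and pipeline number is handed the previous packet's cached result. I'd state that at the definition: `/* Incremented once per packet (and per re-evaluation) before rules are evaluated; stale cache hits result if a caller forgets. */`. Please also confirm `last_check.packet_number` was widened to `uint64_t` to match — a narrower field would make the comparison truncate. The function continues past this hunk.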
@@ -829,7 +882,7 @@ node->last_check.ts.tv_sec = eval_data->p->pkth->ts.tv_sec; node->last_check.ts.tv_usec = eval_data->p->pkth->ts.tv_usec; - node->last_check.packet_number = pc.total_from_pcap; + node->last_check.packet_number = rule_eval_pkt_count; node->last_check.pipeline_number = eval_data->p->http_pipeline_count; node->last_check.rebuild_flag = (eval_data->p->packet_flags & REBUILD_FLAGS); node->last_check.flowbit_failed = 0; 
@@ -840,20 +893,92 @@ if (node->option_type == RULE_OPTION_TYPE_CONTENT) { PatternMatchDuplicatePmd(node->option_data, &dup_content_option_data); - if ((eval_data->p->packet_flags & PKT_ALT_DECODE) && (dup_content_option_data.rawbytes == 0)) + + if (dup_content_option_data.buffer_func == CHECK_URI_PATTERN_MATCH) + { + if (dup_content_option_data.uri_buffer & (1 << HTTP_BUFFER_STAT_MSG)) + dp = (uint8_t *)UriBufs[HTTP_BUFFER_STAT_MSG].uri; + else if (dup_content_option_data.uri_buffer & (1 << HTTP_BUFFER_STAT_CODE)) + dp = (uint8_t *)UriBufs[HTTP_BUFFER_STAT_CODE].uri; + else if (dup_content_option_data.uri_buffer & (1 << HTTP_BUFFER_RAW_COOKIE)) + dp = (uint8_t *)UriBufs[HTTP_BUFFER_RAW_COOKIE].uri; + else if (dup_content_option_data.uri_buffer & (1 << HTTP_BUFFER_RAW_HEADER)) + dp = (uint8_t *)UriBufs[HTTP_BUFFER_RAW_HEADER].uri; + else if (dup_content_option_data.uri_buffer & (1 << HTTP_BUFFER_RAW_URI)) + dp = (uint8_t *)UriBufs[HTTP_BUFFER_RAW_URI].uri; + else if (dup_content_option_data.uri_buffer & (1 << HTTP_BUFFER_COOKIE)) + dp = (uint8_t *)UriBufs[HTTP_BUFFER_COOKIE].uri; + else if (dup_content_option_data.uri_buffer & (1 << HTTP_BUFFER_METHOD)) + dp = (uint8_t *)UriBufs[HTTP_BUFFER_METHOD].uri; + else if (dup_content_option_data.uri_buffer & (1 << HTTP_BUFFER_CLIENT_BODY)) + dp = (uint8_t *)UriBufs[HTTP_BUFFER_CLIENT_BODY].uri; + else if (dup_content_option_data.uri_buffer & (1 << HTTP_BUFFER_HEADER)) + dp = (uint8_t *)UriBufs[HTTP_BUFFER_HEADER].uri; + else /* if (dup_content_option_data.uri_buffer & (1 << HTTP_BUFFER_URI)) */ + dp = (uint8_t *)UriBufs[HTTP_BUFFER_URI].uri; + } + else if (dup_content_option_data.rawbytes == 0) { - dp = (uint8_t *)DecodeBuffer; - dsize = eval_data->p->alt_dsize; + /* If AltDetect is set by calling the rule options which set it, + * we should use the Alt Detect before checking for any other buffers. + * Alt Detect will take precedence over the Alt Decode and/or packet data. 
+ */ + if(Is_DetectFlag(FLAG_ALT_DETECT)) + dp = (uint8_t *)DetectBuffer.data; + else if(Is_DetectFlag(FLAG_ALT_DECODE)) + dp = (uint8_t *)DecodeBuffer.data; + else + dp = eval_data->p->data; } else { dp = eval_data->p->data; - dsize = eval_data->p->dsize; } } else if (node->option_type == RULE_OPTION_TYPE_PCRE) { PcreDuplicatePcreData(node->option_data, &dup_pcre_option_data); + + if (dup_pcre_option_data.options & SNORT_PCRE_URI_BUFS) + { + if (dup_pcre_option_data.options & SNORT_PCRE_HTTP_STAT_MSG) + dp = (uint8_t *)UriBufs[HTTP_BUFFER_STAT_MSG].uri; + else if (dup_pcre_option_data.options & SNORT_PCRE_HTTP_STAT_CODE) + dp = (uint8_t *)UriBufs[HTTP_BUFFER_STAT_CODE].uri; + else if (dup_pcre_option_data.options & SNORT_PCRE_HTTP_RAW_COOKIE) + dp = (uint8_t *)UriBufs[HTTP_BUFFER_RAW_COOKIE].uri; + else if(dup_pcre_option_data.options & SNORT_PCRE_HTTP_RAW_HEADER) + dp = (uint8_t *)UriBufs[HTTP_BUFFER_RAW_HEADER].uri; + else if (dup_pcre_option_data.options & SNORT_PCRE_HTTP_RAW_URI) + dp = (uint8_t *)UriBufs[HTTP_BUFFER_RAW_URI].uri; + else if (dup_pcre_option_data.options & SNORT_PCRE_HTTP_COOKIE) + dp = (uint8_t *)UriBufs[HTTP_BUFFER_COOKIE].uri; + else if (dup_pcre_option_data.options & SNORT_PCRE_HTTP_METHOD) + dp = (uint8_t *)UriBufs[HTTP_BUFFER_METHOD].uri; + else if (dup_pcre_option_data.options & SNORT_PCRE_HTTP_BODY) + dp = (uint8_t *)UriBufs[HTTP_BUFFER_CLIENT_BODY].uri; + else if (dup_pcre_option_data.options & SNORT_PCRE_HTTP_HEADER) + dp = (uint8_t *)UriBufs[HTTP_BUFFER_HEADER].uri; + else /* if (dup_pcre_option_data.options & SNORT_PCRE_HTTP_URI) */ + dp = (uint8_t *)UriBufs[HTTP_BUFFER_URI].uri; + } + else if (!(dup_pcre_option_data.options & SNORT_PCRE_RAWBYTES)) + { + /* If AltDetect is set by calling the rule options which set it, + * we should use the Alt Detect before checking for any other buffers. + * Alt Detect will take precedence over the Alt Decode and/or packet data. 
+ */ + if(Is_DetectFlag(FLAG_ALT_DETECT)) + dp = (uint8_t *)DetectBuffer.data; + else if(Is_DetectFlag(FLAG_ALT_DECODE)) + dp = (uint8_t *)DecodeBuffer.data; + else + dp = eval_data->p->data; + } + else + { + dp = eval_data->p->data; + } } /* No, haven't evaluated this one before... Check it. */ @@ -875,7 +1000,6 @@ if (pmd) pattern_size = pmd->pattern_size; #ifdef TARGET_BASED -#ifdef PORTLISTS if (eval_data->p->application_protocol_ordinal != 0) { for (svc_idx = 0; @@ -903,7 +1027,6 @@ } } #endif -#endif if (fpEvalRTN(getRuntimeRtnFromOtn(otn), eval_data->p, check_ports)) { if ( !otn->detection_filter || @@ -920,8 +1043,7 @@ { fpAddMatch(eval_data->pomd, eval_data->otnx, pattern_size, otn); } - result++; - rval = DETECTION_OPTION_MATCH; + result = rval = DETECTION_OPTION_MATCH; } } } @@ -939,7 +1061,7 @@ { if ((dup_content_option_data.last_check.ts.tv_sec == eval_data->p->pkth->ts.tv_sec) && (dup_content_option_data.last_check.ts.tv_usec == eval_data->p->pkth->ts.tv_usec) && - (dup_content_option_data.last_check.packet_number == pc.total_from_pcap) && + (dup_content_option_data.last_check.packet_number == rule_eval_pkt_count) && (dup_content_option_data.last_check.rebuild_flag == (eval_data->p->packet_flags & REBUILD_FLAGS))) { rval = DETECTION_OPTION_NO_MATCH; 
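Review bot: The two buffer-selection ladders added for content (`buffer_func == CHECK_URI_PATTERN_MATCH`) and pcre (`options & SNORT_PCRE_URI_BUFS`) are near-verbatim copies of each other, and both end in an unconditional `else` that maps any bit pattern not explicitly tested — including none of the tested bits set — to `UriBufs[HTTP_BUFFER_URI].uri`. Factoring the id-to-`uri` mapping into one static helper would remove the duplication and give a single place to document that fallback. The old `dsize` tracking is dropped along with the array form of `DecodeBuffer`, so `dp` now carries no length inside this function; presumably the evaluators recover it from the buffer objects, which is worth a comment at the `dp` assignments. The enclosing function continues outside the hunk.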
@@ -948,50 +1070,48 @@ } rval = node->evaluate(&dup_content_option_data, eval_data->p); - if (rval == DETECTION_OPTION_MATCH) - { - if (!dup_content_option_data.exception_flag) - { - if (doe_ptr == start_doe_ptr) - { - /* result doe_ptr == starting doe_ptr, meaning - * this is the same search result we just had. - * and already evaluated. We're done. - */ - rval = DETECTION_OPTION_NO_MATCH; - } - else - { - start_doe_ptr = doe_ptr - dup_content_option_data.pattern_size + dup_content_option_data.pattern_max_jump_size; - } - } - else - { - start_doe_ptr = NULL; - } - } } break; case RULE_OPTION_TYPE_PCRE: if (node->evaluate) { rval = node->evaluate(&dup_pcre_option_data, eval_data->p); - if (rval == DETECTION_OPTION_MATCH) + } + break; + case RULE_OPTION_TYPE_PKT_DATA: + case RULE_OPTION_TYPE_FILE_DATA: + case RULE_OPTION_TYPE_BASE64_DATA: + if (node->evaluate) + { + save_dflags = Get_DetectFlags(); + rval = node->evaluate(node->option_data, eval_data->p); + } + break; + case RULE_OPTION_TYPE_FLOWBIT: + if (node->evaluate) + { + flowbits_setoperation = FlowBits_SetOperation(node->option_data); + if (!flowbits_setoperation) + { + rval = node->evaluate(node->option_data, eval_data->p); + } + else { - /* Start at end of current pattern */ - start_doe_ptr = doe_ptr; + /* set to match so we don't bail early. */ + rval = DETECTION_OPTION_MATCH; } } break; case RULE_OPTION_TYPE_ASN1: case RULE_OPTION_TYPE_BYTE_TEST: case RULE_OPTION_TYPE_BYTE_JUMP: + case RULE_OPTION_TYPE_BYTE_EXTRACT: case RULE_OPTION_TYPE_FLOW: case RULE_OPTION_TYPE_CVS: case RULE_OPTION_TYPE_CONTENT_URI: case RULE_OPTION_TYPE_DSIZE: - case RULE_OPTION_TYPE_FLOWBIT: case RULE_OPTION_TYPE_FTPBOUNCE: + case RULE_OPTION_TYPE_BASE64_DECODE: case RULE_OPTION_TYPE_ICMP_CODE: case RULE_OPTION_TYPE_ICMP_ID: case RULE_OPTION_TYPE_ICMP_SEQ: 
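Review bot: In the new `RULE_OPTION_TYPE_PKT_DATA`/`FILE_DATA`/`BASE64_DATA` case, `save_dflags = Get_DetectFlags();` overwrites the snapshot taken at function entry, and because this switch sits inside the do/while, a second iteration captures the flags as left by the previous pass rather than the caller's state. If that is intended, a comment such as `/* re-snapshot so Reset_DetectFlags restores the state in effect just before this option set its buffer flag */` would help; otherwise the entry snapshot should stand. Note also that `flowbits_setoperation` is only assigned inside `if (node->evaluate)`, and the deferred flowbit call later in the function depends on that invariant. The enclosing function continues outside the hunk.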
@@ -1021,6 +1141,9 @@ #ifdef DYNAMIC_PLUGIN case RULE_OPTION_TYPE_HDR_OPT_CHECK: case RULE_OPTION_TYPE_PREPROCESSOR: + if (node->evaluate) + rval = node->evaluate(node->option_data, eval_data->p); + break; case RULE_OPTION_TYPE_DYNAMIC: #endif if (node->evaluate) @@ -1051,30 +1174,31 @@ eval_data->flowbit_noalert = 1; } - tmp_doe_ptr = doe_ptr; + /* Back up byte_extract vars so they don't get overwritten between rules */ + for (i = 0; i < NUM_BYTE_EXTRACT_VARS; i++) + { + GetByteExtractValue(&(tmp_byte_extract_vars[i]), (int8_t)i); + } #ifdef PPM_MGR - if( PPM_ENABLED() ) + if( PPM_PKTS_ENABLED() ) { PPM_GET_TIME(); - /* Packet test */ - if( PPM_PKTS_ENABLED() ) + PPM_PACKET_TEST(); + if( PPM_PACKET_ABORT_FLAG() ) { - PPM_PACKET_TEST(); - if( PPM_PACKET_ABORT_FLAG() ) + /* bail if we exceeded time */ + if (result == DETECTION_OPTION_NO_MATCH) { - /* bail if we exceeded time */ - if (result == DETECTION_OPTION_NO_MATCH) - { - NODE_PROFILE_END_NOMATCH(node); - } - else - { - NODE_PROFILE_END_MATCH(node); - } - node->last_check.result = result; - return result; + NODE_PROFILE_END_NOMATCH(node); } + else + { + NODE_PROFILE_END_MATCH(node); + } + node->last_check.result = result; + Reset_DetectFlags(save_dflags); + return result; } } #endif 
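Review bot: The new backup loop calls `GetByteExtractValue(&(tmp_byte_extract_vars[i]), (int8_t)i)` and discards its return value; if that call can report failure, the corresponding `tmp_byte_extract_vars[i]` stays uninitialised (the array is declared without an initialiser at the top of this function) and is later written back through `SetByteExtractValue`. Initialising at declaration, `uint32_t tmp_byte_extract_vars[NUM_BYTE_EXTRACT_VARS] = {0};`, or checking the return if it is meaningful, closes that gap. The `(int8_t)i` cast also silently assumes `NUM_BYTE_EXTRACT_VARS` fits in a signed byte, which deserves a comment next to the loop. The enclosing function continues outside the hunk.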
@@ -1084,37 +1208,123 @@ /* Passed, check the children. */ if (node->num_children) { + const uint8_t *tmp_doe_ptr = doe_ptr; + const uint8_t tmp_doe_flags = doe_buf_flags; + for (i=0;i<node->num_children; i++) { - doe_ptr = tmp_doe_ptr; /* reset the DOE ptr for each child from here */ - result += detection_option_node_evaluate(node->children[i], eval_data); -#ifdef PPM_MGR - if( PPM_ENABLED() ) + int j = 0; + detection_option_tree_node_t *child_node = node->children[i]; + + /* reset the DOE ptr for each child from here */ + SetDoePtr(tmp_doe_ptr, tmp_doe_flags); + + for (j = 0; j < NUM_BYTE_EXTRACT_VARS; j++) { - PPM_GET_TIME(); + SetByteExtractValue(tmp_byte_extract_vars[j], (int8_t)j); + } - /* Packet test */ - if( PPM_PKTS_ENABLED() ) + if (loop_count > 0) + { + if (child_node->result == DETECTION_OPTION_NO_MATCH) { - PPM_PACKET_TEST(); - if( PPM_PACKET_ABORT_FLAG() ) + if (((child_node->option_type == RULE_OPTION_TYPE_CONTENT) + || (child_node->option_type == RULE_OPTION_TYPE_PCRE)) + && !child_node->last_check.is_relative) + { + /* If it's a non-relative content or pcre, no reason + * to check again. Only increment result once. + * Should hit this condition on first loop iteration. */ + if (loop_count == 1) + result++; + continue; + } + else if ((child_node->option_type == RULE_OPTION_TYPE_CONTENT) + && child_node->last_check.is_relative) { - /* bail if we exceeded time */ - node->last_check.result = result; - return result; + PatternMatchData *pmd = (PatternMatchData *)child_node->option_data; + + /* Check for an unbounded relative search. If this + * failed before, it's going to fail again so don't + * go down this path again */ + if (pmd->within == 0) + { + /* Only increment result once. Should hit this + * condition on first loop iteration. 
*/ + if (loop_count == 1) + result++; + continue; + } } } + else if (child_node->option_type == RULE_OPTION_TYPE_LEAF_NODE) + { + /* Leaf node matched, don't eval again */ + continue; + } + else if (child_node->result == child_node->num_children) + { + /* This branch of the tree matched or has options that + * don't need to be evaluated again, so don't need to + * evaluate this option again */ + continue; + } + } + + child_node->result = detection_option_node_evaluate(node->children[i], eval_data); + if (child_node->option_type == RULE_OPTION_TYPE_LEAF_NODE) + { + /* Leaf node won't have any children but will return success + * or failure */ + result += child_node->result; + } + else if (child_node->result == child_node->num_children) + { + /* Indicate that the child's tree branches are done */ + result++; + } +#ifdef PPM_MGR + if( PPM_PKTS_ENABLED() ) + { + PPM_GET_TIME(); + PPM_PACKET_TEST(); + if( PPM_PACKET_ABORT_FLAG() ) + { + /* bail if we exceeded time */ + node->last_check.result = result; + Reset_DetectFlags(save_dflags); + return result; + } } #endif } + + /* If all children branches matched, we don't need to reeval any of + * the children so don't need to reeval this content/pcre rule + * option at a new offset. 
+ * Else, reset the DOE ptr to last eval for offset/depth, + * distance/within adjustments for this same content/pcre + * rule option */ + if (result == node->num_children) + continue_loop = 0; + else + SetDoePtr(tmp_doe_ptr, tmp_doe_flags); + + /* Don't need to reset since it's only checked after we've gone + * through the loop at least once and the result will have + * been set again already */ + //for (i = 0; i < node->num_children; i++) + // node->children[i]->result; } - if (result - prior_result > 0 + + if (result - prior_result > 0 && node->option_type == RULE_OPTION_TYPE_CONTENT && Replace_OffsetStored(&dup_content_option_data) && ScInlineMode()) { Replace_QueueChange(&dup_content_option_data); prior_result = result; } + NODE_PROFILE_TMPSTART(node); if (rval == DETECTION_OPTION_NO_ALERT) @@ -1123,7 +1333,7 @@ eval_data->flowbit_noalert = tmp_noalert_flag; } - if ((rval == DETECTION_OPTION_MATCH) && (node->relative_children)) + if (continue_loop && (rval == DETECTION_OPTION_MATCH) && (node->relative_children)) { if (node->option_type == RULE_OPTION_TYPE_CONTENT) { 
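Review bot: `child_node` is introduced at the top of the loop body, but the recursive call still reads `node->children[i]`; `child_node->result = detection_option_node_evaluate(child_node, eval_data);` would make the intent clearer. The commented-out reset loop at the end of the hunk (`//for (i = 0; i < node->num_children; i++)`) should be deleted rather than preserved under a comment explaining why it is unnecessary. The branch-completion test `child_node->result == child_node->num_children` is also true for a non-leaf node with zero children, which would count that branch as matched; if the tree builder guarantees every non-leaf node has children, a comment stating that invariant here would prevent misreadings. The enclosing function continues outside the hunk.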
@@ -1133,15 +1343,34 @@ } else { - continue_loop = PatternMatchAdjustRelativeOffsets(&dup_content_option_data, orig_doe_ptr, start_doe_ptr, dp); - doe_ptr = start_doe_ptr; - dup_content_option_data.use_doe = 1; + const uint8_t *orig_ptr; + + if (dup_content_option_data.use_doe) + orig_ptr = (orig_doe_ptr == NULL) ? dp : orig_doe_ptr; + else + orig_ptr = dp; + + continue_loop = PatternMatchAdjustRelativeOffsets((PatternMatchData *)node->option_data, + &dup_content_option_data, doe_ptr, orig_ptr); } } else if (node->option_type == RULE_OPTION_TYPE_PCRE) { - continue_loop = PcreAdjustRelativeOffsets(&dup_pcre_option_data, doe_ptr - orig_doe_ptr); - doe_ptr = start_doe_ptr; + if (dup_pcre_option_data.options & SNORT_PCRE_INVERT) + { + continue_loop = 0; + } + else + { + const uint8_t *orig_ptr; + + if (dup_pcre_option_data.options & SNORT_PCRE_RELATIVE) + orig_ptr = (orig_doe_ptr == NULL) ? dp : orig_doe_ptr; + else + orig_ptr = dp; + + continue_loop = PcreAdjustRelativeOffsets(&dup_pcre_option_data, doe_ptr - orig_ptr); + } } else { @@ -1160,8 +1389,24 @@ node->checks++; #endif + loop_count++; + + if (continue_loop) + UpdateDoePtr(orig_doe_ptr, 0); + } while (continue_loop); + if (flowbits_setoperation && (result == DETECTION_OPTION_MATCH)) + { + /* Do any setting/clearing/resetting/toggling of flowbits here + * given that other rule options matched. */ + rval = node->evaluate(node->option_data, eval_data->p); + if (rval != DETECTION_OPTION_MATCH) + { + result = rval; + } + } + if (eval_data->flowbit_failed) { /* something deeper in the tree failed a flowbit test, we may need to 
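Review bot: The deferred flowbit call `rval = node->evaluate(node->option_data, eval_data->p);` after the loop has no `if (node->evaluate)` guard, unlike every other evaluate call in this function; it is safe only because `flowbits_setoperation` is set solely inside an `if (node->evaluate)` block in the switch, and that coupling deserves a comment such as `/* node->evaluate is non-NULL whenever flowbits_setoperation is set */`. The condition `result == DETECTION_OPTION_MATCH` also compares a per-branch count with a status constant; if `result` can exceed one for a node with several matched branches, the set/clear would be skipped there, so it is worth confirming or comparing against `node->num_children` as the loop-exit test above does. The enclosing function continues outside the hunk.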
@@ -1178,6 +1423,8 @@ { NODE_PROFILE_END_MATCH(node); } + + Reset_DetectFlags(save_dflags); return result; } diff -Nru snort-2.8.5.2/src/detection-plugins/detection_options.h snort-2.9.2/src/detection-plugins/detection_options.h --- snort-2.8.5.2/src/detection-plugins/detection_options.h 2009-08-10 20:41:43.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/detection_options.h 2011-02-09 23:22:56.000000000 +0000 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2007-2009 Sourcefire, Inc. +** Copyright (C) 2007-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as 
@@ -37,54 +37,7 @@ #include "sf_types.h" #include "decode.h" #include "sfutil/sfxhash.h" - -typedef enum _option_type_t -{ - RULE_OPTION_TYPE_LEAF_NODE, - RULE_OPTION_TYPE_ASN1, - RULE_OPTION_TYPE_BYTE_TEST, - RULE_OPTION_TYPE_BYTE_JUMP, - RULE_OPTION_TYPE_FLOW, - RULE_OPTION_TYPE_CVS, - RULE_OPTION_TYPE_DSIZE, - RULE_OPTION_TYPE_FLOWBIT, - RULE_OPTION_TYPE_FTPBOUNCE, - RULE_OPTION_TYPE_ICMP_CODE, - RULE_OPTION_TYPE_ICMP_ID, - RULE_OPTION_TYPE_ICMP_SEQ, - RULE_OPTION_TYPE_ICMP_TYPE, - RULE_OPTION_TYPE_IP_FRAGBITS, - RULE_OPTION_TYPE_IP_FRAG_OFFSET, - RULE_OPTION_TYPE_IP_ID, - RULE_OPTION_TYPE_IP_OPTION, - RULE_OPTION_TYPE_IP_PROTO, - RULE_OPTION_TYPE_IP_SAME, - RULE_OPTION_TYPE_IP_TOS, - RULE_OPTION_TYPE_IS_DATA_AT, - RULE_OPTION_TYPE_CONTENT, - RULE_OPTION_TYPE_CONTENT_URI, - RULE_OPTION_TYPE_PCRE, -#ifdef ENABLE_REACT - RULE_OPTION_TYPE_REACT, -#endif -#ifdef ENABLE_RESPOND - RULE_OPTION_TYPE_RESPOND, -#endif - RULE_OPTION_TYPE_RPC_CHECK, - RULE_OPTION_TYPE_SESSION, - RULE_OPTION_TYPE_TCP_ACK, - RULE_OPTION_TYPE_TCP_FLAG, - RULE_OPTION_TYPE_TCP_SEQ, - RULE_OPTION_TYPE_TCP_WIN, - RULE_OPTION_TYPE_TTL, - RULE_OPTION_TYPE_URILEN -#ifdef DYNAMIC_PLUGIN - , - RULE_OPTION_TYPE_HDR_OPT_CHECK, - RULE_OPTION_TYPE_PREPROCESSOR, - RULE_OPTION_TYPE_DYNAMIC -#endif -} option_type_t; +#include "rule_option_types.h" #define DETECTION_OPTION_EQUAL 0 #define DETECTION_OPTION_NOT_EQUAL 1 @@ -106,6 +59,7 @@ int num_children; struct _detection_option_tree_node **children; int relative_children; + int result; struct { struct timeval ts; diff -Nru snort-2.8.5.2/src/detection-plugins/Makefile.am snort-2.9.2/src/detection-plugins/Makefile.am --- snort-2.8.5.2/src/detection-plugins/Makefile.am 2009-08-10 20:41:43.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/Makefile.am 2011-06-08 00:33:09.000000000 +0000 
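Review bot: The new `int result;` member of the tree node is added without a comment, yet it is mutable per-node state written during evaluation and read back by the parent's next loop iteration in detection_options.c. Suggest `int result; /* outcome of this node's most recent evaluation; read by the parent's re-evaluation loop to skip branches already matched */`. Because it lives in the shared tree rather than in the per-call eval_data, any concurrent evaluation of the same tree would race on it; if that is never possible, a note saying so would save the next reader the question.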
@@ -5,11 +5,21 @@ BUILT_SOURCES = sf_snort_plugin_hdropts.c \ sf_snort_packet.h \ -sf_snort_plugin_api.h +sf_snort_plugin_api.h \ +sf_decompression.h nodist_libspd_a_SOURCES = sf_snort_plugin_hdropts.c \ sf_snort_packet.h \ -sf_snort_plugin_api.h +sf_snort_plugin_api.h \ +sf_decompression.h + +if BUILD_REACT +REACT_SOURCE = sp_react.c sp_react.h +endif + +if BUILD_RESPOND3 +RESPOND3_SOURCE = sp_respond3.c sp_respond.h +endif libspd_a_SOURCES = \ detection_options.c detection_options.h \ @@ -17,6 +27,7 @@ sp_asn1_detect.c sp_asn1_detect.h \ sp_byte_check.c sp_byte_check.h \ sp_byte_jump.c sp_byte_jump.h \ +sp_byte_extract.c sp_byte_extract.h \ sp_clientserver.c sp_clientserver.h \ sp_cvs.c sp_cvs.h \ sp_dsize_check.c sp_dsize_check.h \ @@ -36,10 +47,9 @@ sp_isdataat.c sp_isdataat.h \ sp_pattern_match.c sp_pattern_match.h \ sp_pcre.c sp_pcre.h \ -sp_react.c sp_react.h \ +$(REACT_SOURCE) \ +$(RESPOND3_SOURCE) \ sp_replace.c sp_replace.h \ -sp_respond.c sp_respond.h \ -sp_respond2.c \ sp_rpc_check.c sp_rpc_check.h \ sp_session.c sp_session.h \ sp_tcp_ack_check.c sp_tcp_ack_check.h \ @@ -47,7 +57,11 @@ sp_tcp_seq_check.c sp_tcp_seq_check.h \ sp_tcp_win_check.c sp_tcp_win_check.h \ sp_ttl_check.c sp_ttl_check.h \ -sp_urilen_check.c sp_urilen_check.h +sp_urilen_check.c sp_urilen_check.h \ +sp_file_data.c sp_file_data.h \ +sp_base64_decode.c sp_base64_decode.h \ +sp_base64_data.c sp_base64_data.h \ +sp_pkt_data.c sp_pkt_data.h copy_files = \ if test -f $$dst_file; then \ @@ -83,6 +97,7 @@ -e "s/ICMP_ECHO_REQUEST/ICMP_ECHO/g" \ -e "s/icmph_union.echo.id/s_icmp_id/g" \ -e "s/icmph_union.echo.seq/s_icmp_seq/g" \ + -e "/sf_snort_detection_engine.h/d" \ $$src_file > $$dst_file; sf_snort_plugin_hdropts.c: ../dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c 
@@ -91,10 +106,13 @@ sf_snort_plugin_api.h: ../dynamic-plugins/sf_engine/sf_snort_plugin_api.h @src_file=$?; dst_file=$@; $(copy_files) +sf_decompression.h: ../dynamic-plugins/sf_engine/sf_decompression.h + @src_file=$?; dst_file=$@; $(copy_files) + sf_snort_packet.h: ../dynamic-plugins/sf_engine/sf_snort_packet.h @src_file=$?; dst_file=$@; $(copy_files) clean-local: - rm -rf sf_snort_plugin_hdropts.c sf_snort_packet.h sf_snort_plugin_api.h + rm -rf sf_snort_plugin_hdropts.c sf_snort_packet.h sf_snort_plugin_api.h sf_decompression.h INCLUDES = @INCLUDES@ diff -Nru snort-2.8.5.2/src/detection-plugins/Makefile.in snort-2.9.2/src/detection-plugins/Makefile.in --- snort-2.8.5.2/src/detection-plugins/Makefile.in 2009-10-19 21:17:59.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/Makefile.in 2011-12-07 19:23:18.000000000 +0000 @@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -16,8 +17,9 @@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c 
@@ -42,31 +44,60 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = LIBRARIES = $(noinst_LIBRARIES) ARFLAGS = cru libspd_a_AR = $(AR) $(ARFLAGS) libspd_a_LIBADD = +am__libspd_a_SOURCES_DIST = detection_options.c detection_options.h \ + sp_asn1.c sp_asn1.h sp_asn1_detect.c sp_asn1_detect.h \ + sp_byte_check.c sp_byte_check.h sp_byte_jump.c sp_byte_jump.h \ + sp_byte_extract.c sp_byte_extract.h sp_clientserver.c \ + sp_clientserver.h sp_cvs.c sp_cvs.h sp_dsize_check.c \ + sp_dsize_check.h sp_flowbits.c sp_flowbits.h sp_ftpbounce.c \ + sp_ftpbounce.h sp_hdr_opt_wrap.c sp_hdr_opt_wrap.h \ + sp_icmp_code_check.c sp_icmp_code_check.h sp_icmp_id_check.c \ + sp_icmp_id_check.h sp_icmp_seq_check.c sp_icmp_seq_check.h \ + sp_icmp_type_check.c sp_icmp_type_check.h sp_ip_fragbits.c \ + sp_ip_fragbits.h sp_ip_id_check.c sp_ip_id_check.h \ + sp_ip_proto.c sp_ip_proto.h sp_ip_same_check.c \ + sp_ip_same_check.h sp_ip_tos_check.c sp_ip_tos_check.h \ + sp_ipoption_check.c sp_ipoption_check.h sp_isdataat.c \ + sp_isdataat.h sp_pattern_match.c sp_pattern_match.h sp_pcre.c \ + sp_pcre.h sp_react.c sp_react.h sp_respond3.c sp_respond.h \ + sp_replace.c sp_replace.h sp_rpc_check.c sp_rpc_check.h \ + sp_session.c sp_session.h sp_tcp_ack_check.c \ + sp_tcp_ack_check.h sp_tcp_flag_check.h sp_tcp_flag_check.c \ + sp_tcp_seq_check.c sp_tcp_seq_check.h sp_tcp_win_check.c \ + sp_tcp_win_check.h sp_ttl_check.c sp_ttl_check.h \ + sp_urilen_check.c sp_urilen_check.h sp_file_data.c \ + sp_file_data.h sp_base64_decode.c sp_base64_decode.h \ + sp_base64_data.c sp_base64_data.h sp_pkt_data.c sp_pkt_data.h +@BUILD_REACT_TRUE@am__objects_1 = sp_react.$(OBJEXT) +@BUILD_RESPOND3_TRUE@am__objects_2 = sp_respond3.$(OBJEXT) am_libspd_a_OBJECTS = detection_options.$(OBJEXT) sp_asn1.$(OBJEXT) \ sp_asn1_detect.$(OBJEXT) sp_byte_check.$(OBJEXT) \ - sp_byte_jump.$(OBJEXT) sp_clientserver.$(OBJEXT) \ - sp_cvs.$(OBJEXT) 
sp_dsize_check.$(OBJEXT) \ - sp_flowbits.$(OBJEXT) sp_ftpbounce.$(OBJEXT) \ - sp_hdr_opt_wrap.$(OBJEXT) sp_icmp_code_check.$(OBJEXT) \ - sp_icmp_id_check.$(OBJEXT) sp_icmp_seq_check.$(OBJEXT) \ - sp_icmp_type_check.$(OBJEXT) sp_ip_fragbits.$(OBJEXT) \ - sp_ip_id_check.$(OBJEXT) sp_ip_proto.$(OBJEXT) \ - sp_ip_same_check.$(OBJEXT) sp_ip_tos_check.$(OBJEXT) \ - sp_ipoption_check.$(OBJEXT) sp_isdataat.$(OBJEXT) \ - sp_pattern_match.$(OBJEXT) sp_pcre.$(OBJEXT) \ - sp_react.$(OBJEXT) sp_replace.$(OBJEXT) sp_respond.$(OBJEXT) \ - sp_respond2.$(OBJEXT) sp_rpc_check.$(OBJEXT) \ + sp_byte_jump.$(OBJEXT) sp_byte_extract.$(OBJEXT) \ + sp_clientserver.$(OBJEXT) sp_cvs.$(OBJEXT) \ + sp_dsize_check.$(OBJEXT) sp_flowbits.$(OBJEXT) \ + sp_ftpbounce.$(OBJEXT) sp_hdr_opt_wrap.$(OBJEXT) \ + sp_icmp_code_check.$(OBJEXT) sp_icmp_id_check.$(OBJEXT) \ + sp_icmp_seq_check.$(OBJEXT) sp_icmp_type_check.$(OBJEXT) \ + sp_ip_fragbits.$(OBJEXT) sp_ip_id_check.$(OBJEXT) \ + sp_ip_proto.$(OBJEXT) sp_ip_same_check.$(OBJEXT) \ + sp_ip_tos_check.$(OBJEXT) sp_ipoption_check.$(OBJEXT) \ + sp_isdataat.$(OBJEXT) sp_pattern_match.$(OBJEXT) \ + sp_pcre.$(OBJEXT) $(am__objects_1) $(am__objects_2) \ + sp_replace.$(OBJEXT) sp_rpc_check.$(OBJEXT) \ sp_session.$(OBJEXT) sp_tcp_ack_check.$(OBJEXT) \ sp_tcp_flag_check.$(OBJEXT) sp_tcp_seq_check.$(OBJEXT) \ sp_tcp_win_check.$(OBJEXT) sp_ttl_check.$(OBJEXT) \ - sp_urilen_check.$(OBJEXT) + sp_urilen_check.$(OBJEXT) sp_file_data.$(OBJEXT) \ + sp_base64_decode.$(OBJEXT) sp_base64_data.$(OBJEXT) \ + sp_pkt_data.$(OBJEXT) nodist_libspd_a_OBJECTS = sf_snort_plugin_hdropts.$(OBJEXT) libspd_a_OBJECTS = $(am_libspd_a_OBJECTS) $(nodist_libspd_a_OBJECTS) -DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = am__depfiles_maybe = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ 
@@ -79,7 +110,7 @@ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ $(LDFLAGS) -o $@ SOURCES = $(libspd_a_SOURCES) $(nodist_libspd_a_SOURCES) -DIST_SOURCES = $(libspd_a_SOURCES) +DIST_SOURCES = $(am__libspd_a_SOURCES_DIST) ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -92,31 +123,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ @@ -129,12 +160,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -142,20 +179,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -187,6 +231,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ 
@@ -199,24 +244,30 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies noinst_LIBRARIES = libspd.a BUILT_SOURCES = sf_snort_plugin_hdropts.c \ sf_snort_packet.h \ -sf_snort_plugin_api.h +sf_snort_plugin_api.h \ +sf_decompression.h nodist_libspd_a_SOURCES = sf_snort_plugin_hdropts.c \ sf_snort_packet.h \ -sf_snort_plugin_api.h +sf_snort_plugin_api.h \ +sf_decompression.h +@BUILD_REACT_TRUE@REACT_SOURCE = sp_react.c sp_react.h +@BUILD_RESPOND3_TRUE@RESPOND3_SOURCE = sp_respond3.c sp_respond.h libspd_a_SOURCES = \ detection_options.c detection_options.h \ sp_asn1.c sp_asn1.h \ sp_asn1_detect.c sp_asn1_detect.h \ sp_byte_check.c sp_byte_check.h \ sp_byte_jump.c sp_byte_jump.h \ +sp_byte_extract.c sp_byte_extract.h \ sp_clientserver.c sp_clientserver.h \ sp_cvs.c sp_cvs.h \ sp_dsize_check.c sp_dsize_check.h \ @@ -236,10 +287,9 @@ sp_isdataat.c sp_isdataat.h \ sp_pattern_match.c sp_pattern_match.h \ sp_pcre.c sp_pcre.h \ -sp_react.c sp_react.h \ +$(REACT_SOURCE) \ +$(RESPOND3_SOURCE) \ sp_replace.c sp_replace.h \ -sp_respond.c sp_respond.h \ -sp_respond2.c \ sp_rpc_check.c sp_rpc_check.h \ sp_session.c sp_session.h \ sp_tcp_ack_check.c sp_tcp_ack_check.h \ @@ -247,7 +297,11 @@ sp_tcp_seq_check.c sp_tcp_seq_check.h \ sp_tcp_win_check.c sp_tcp_win_check.h \ sp_ttl_check.c sp_ttl_check.h \ -sp_urilen_check.c sp_urilen_check.h +sp_urilen_check.c sp_urilen_check.h \ +sp_file_data.c sp_file_data.h \ +sp_base64_decode.c sp_base64_decode.h \ +sp_base64_data.c sp_base64_data.h \ +sp_pkt_data.c sp_pkt_data.h copy_files = \ if test -f $$dst_file; then \ @@ -283,6 +337,7 @@ -e "s/ICMP_ECHO_REQUEST/ICMP_ECHO/g" \ -e "s/icmph_union.echo.id/s_icmp_id/g" \ -e "s/icmph_union.echo.seq/s_icmp_seq/g" \ + -e "/sf_snort_detection_engine.h/d" \ $$src_file > $$dst_file; all: $(BUILT_SOURCES) 
@@ -294,14 +349,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/detection-plugins/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/detection-plugins/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/detection-plugins/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/detection-plugins/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -319,6 +374,7 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): clean-noinstLIBRARIES: -test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES) 
@@ -353,45 +409,49 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i 
$(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags @@ -412,13 +472,17 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @@ -448,6 +512,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -469,6 +534,8 @@ html: html-am +html-am: + info: info-am info-am: @@ -477,18 +544,28 @@ install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am @@ -510,7 +587,7 @@ uninstall-am: -.MAKE: install-am install-strip +.MAKE: all check install install-am install-strip .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ clean-libtool clean-local clean-noinstLIBRARIES ctags \ 
@@ -533,11 +610,15 @@ sf_snort_plugin_api.h: ../dynamic-plugins/sf_engine/sf_snort_plugin_api.h @src_file=$?; dst_file=$@; $(copy_files) +sf_decompression.h: ../dynamic-plugins/sf_engine/sf_decompression.h + @src_file=$?; dst_file=$@; $(copy_files) + sf_snort_packet.h: ../dynamic-plugins/sf_engine/sf_snort_packet.h @src_file=$?; dst_file=$@; $(copy_files) clean-local: - rm -rf sf_snort_plugin_hdropts.c sf_snort_packet.h sf_snort_plugin_api.h + rm -rf sf_snort_plugin_hdropts.c sf_snort_packet.h sf_snort_plugin_api.h sf_decompression.h + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/src/detection-plugins/sp_asn1.c snort-2.9.2/src/detection-plugins/sp_asn1.c --- snort-2.8.5.2/src/detection-plugins/sp_asn1.c 2009-07-07 15:37:03.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_asn1.c 2011-06-08 00:33:09.000000000 +0000 @@ -1,6 +1,6 @@ /* $Id$ */ /* - ** Copyright (C) 2002-2009 Sourcefire, Inc. + ** Copyright (C) 2002-2011 Sourcefire, Inc. ** Author: Daniel Roelker ** ** This program is free software; you can redistribute it and/or modify @@ -23,13 +23,13 @@ ** @file sp_asn1.c ** ** @author Daniel Roelker <droelker@sourcefire.com> -** +** ** @brief Decode and detect ASN.1 types, lengths, and data. ** ** This detection plugin adds ASN.1 detection functions on a per rule ** basis. ASN.1 detection plugins can be added by editing this file and ** providing an interface in the configuration code. -** +** ** Detection Plugin Interface: ** ** asn1: [detection function],[arguments],[offset type],[size] 
@@ -60,18 +60,21 @@ #include <ctype.h> #include <errno.h> -#include "bounds.h" +#include "sf_types.h" +#include "snort_bounds.h" #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" #include "asn1.h" #include "sp_asn1.h" #include "sp_asn1_detect.h" #include "sfhashfcn.h" +#include "detection_util.h" #define BITSTRING_OPT "bitstring_overflow" #define DOUBLE_OPT "double_overflow" @@ -108,7 +111,7 @@ a += data->length; b += data->max_length; c += data->offset; - + mix(a,b,c); a += data->offset_type; @@ -126,7 +129,7 @@ if (!left || !right) return DETECTION_OPTION_NOT_EQUAL; - + if ((left->bs_overflow == right->bs_overflow) && (left->double_overflow == right->double_overflow) && (left->print == right->print) && @@ -141,8 +144,6 @@ return DETECTION_OPTION_NOT_EQUAL; } -extern const uint8_t *doe_ptr; - /* ** NAME ** Asn1RuleParse:: @@ -161,6 +162,7 @@ static void Asn1RuleParse(char *data, OptTreeNode *otn, ASN1_CTXT *asn1) { char *pcTok; + char *endTok; if(!data) { @@ -198,17 +200,17 @@ if(!pcTok) { FatalError("%s(%d) => No option to '%s' in 'asn1' detection " - "plugin\n", LENGTH_OPT, file_name, file_line); + "plugin\n", file_name, file_line, LENGTH_OPT); } - max_length = strtol(pcTok, &pcEnd, 10); + max_length = SnortStrtolRange(pcTok, &pcEnd, 10, 0, INT32_MAX); - if((*pcEnd) || (max_length < 0) || (errno == ERANGE)) + if ((pcEnd == pcTok) || (*pcEnd) || (errno == ERANGE)) { FatalError("%s(%d) => Negative size, underflow or overflow " "(of long int) to '%s' in 'asn1' detection plugin. " - "Must be positive or zero.\n", - LENGTH_OPT, file_name, file_line); + "Must be positive or zero.\n", + file_name, file_line, LENGTH_OPT); } asn1->length = 1; 
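Review bot: In the @@ -198 hunk of sp_asn1.c, `errno == ERANGE` is tested after `SnortStrtolRange()` returns, but nothing in the hunk clears errno before the call, so a stale ERANGE left by an earlier library call would turn a valid length into a FatalError — unless the helper resets errno itself, which this diff does not show. Adding `errno = 0;` directly before `max_length = SnortStrtolRange(pcTok, &pcEnd, 10, 0, INT32_MAX);` makes the check self-contained. The message still says "underflow or overflow (of long int)" although the accepted range is now 0..INT32_MAX; consider wording it after the actual limit. Asn1RuleParse's body continues outside the hunk.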
@@ -220,11 +222,18 @@ if(!pcTok) { FatalError("%s(%d) => No option to '%s' in 'asn1' detection " - "plugin\n", ABS_OFFSET_OPT, file_name, file_line); + "plugin\n", file_name, file_line, ABS_OFFSET_OPT); } asn1->offset_type = ABS_OFFSET; - asn1->offset = atoi(pcTok); + asn1->offset = SnortStrtol(pcTok, &endTok, 10); + if (endTok == pcTok) + { + FatalError("%s(%d) => Invalid parameter to '%s' in 'asn1' " + "detection plugin\n", + file_name, file_line, ABS_OFFSET_OPT); + } + } else if(!strcasecmp(pcTok, REL_OFFSET_OPT)) { @@ -232,11 +241,17 @@ if(!pcTok) { FatalError("%s(%d) => No option to '%s' in 'asn1' detection " - "plugin\n", REL_OFFSET_OPT, file_name, file_line); + "plugin\n", file_name, file_line, REL_OFFSET_OPT); } asn1->offset_type = REL_OFFSET; - asn1->offset = atoi(pcTok); + asn1->offset = SnortStrtol(pcTok, &endTok, 10); + if (endTok == pcTok) + { + FatalError("%s(%d) => Invalid parameter to '%s' in 'asn1' " + "detection plugin\n", + file_name, file_line, pcTok); + } } else { @@ -295,9 +310,9 @@ void *ds_ptr_dup; OptFpList *ofl; - /* - * allocate the data structure and attach - * it to the rule's data struct list + /* + * allocate the data structure and attach + * it to the rule's data struct list */ asn1 = (ASN1_CTXT *)SnortAlloc(sizeof(ASN1_CTXT)); @@ -322,7 +337,7 @@ void SetupAsn1(void) { /* map the keyword to an initialization/processing function */ - RegisterRuleOption("asn1", Asn1Init, NULL, OPT_TYPE_DETECTION); + RegisterRuleOption("asn1", Asn1Init, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("asn1", &asn1PerfStats, 3, &ruleOTNEvalPerfStats); diff -Nru snort-2.8.5.2/src/detection-plugins/sp_asn1_detect.c snort-2.9.2/src/detection-plugins/sp_asn1_detect.c --- snort-2.8.5.2/src/detection-plugins/sp_asn1_detect.c 2009-07-07 15:37:04.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_asn1_detect.c 2011-11-21 20:15:24.000000000 +0000 
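Review bot: In the @@ -232 hunk the new FatalError for an invalid relative offset passes `pcTok` as the `'%s'` argument, so the message names the rejected token instead of the option, whereas the parallel @@ -220 hunk passes `ABS_OFFSET_OPT`; use `file_name, file_line, REL_OFFSET_OPT` for consistency. In both hunks the only rejection is `endTok == pcTok`, so an offset with trailing characters still parses as its numeric prefix and an ERANGE result is never examined, while the length option a few lines earlier rejects both `*pcEnd` and ERANGE; `if (endTok == pcTok || *endTok != '\0')` would apply the same rule to the offsets. Both hunks sit inside Asn1RuleParse, whose body starts and ends outside them.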
@@ -1,6 +1,6 @@ /* $Id$ */ /* - ** Copyright (C) 2002-2009 Sourcefire, Inc. + ** Copyright (C) 2002-2011 Sourcefire, Inc. ** Author: Daniel Roelker ** ** This program is free software; you can redistribute it and/or modify @@ -23,13 +23,13 @@ ** @file sp_asn1_detect.c ** ** @author Daniel Roelker <droelker@sourcefire.com> -** +** ** @brief Decode and detect ASN.1 types, lengths, and data. ** ** This detection plugin adds ASN.1 detection functions on a per rule ** basis. ASN.1 detection plugins can be added by editing this file and ** providing an interface in the configuration code. -** +** ** Detection Plugin Interface: ** ** asn1: [detection function],[arguments],[offset type],[size] @@ -59,15 +59,16 @@ #include <stdlib.h> #include <ctype.h> +#include "sf_types.h" + #ifndef SF_SNORT_ENGINE_DLL -#include "debug.h" +#include "snort_debug.h" #else /* Ignore debug statements */ #include <stdint.h> #define DEBUG_WRAP(x) #endif -#include "sf_types.h" #include "sfutil/asn1.h" #include "sp_asn1_detect.h" #include "snort.h" @@ -78,14 +79,14 @@ * * 1 means it's in bounds, 0 means it's not */ -static INLINE int inBounds( +static inline int inBounds( const uint8_t *start, const uint8_t *end, const uint8_t *p) { if(p >= start && p < end) { return 1; } - + return 0; } @@ -118,7 +119,7 @@ */ if(asn1->ident.tag == SF_ASN1_TAG_BIT_STR && !asn1->ident.flag) { - if(asn1->len.size && asn1->data && + if(asn1->len.size && asn1->data && (((asn1->len.size - 1)<<3) < (unsigned int)asn1->data[0])) { return 1; @@ -176,7 +177,7 @@ if(asn1->ident.tag == SF_ASN1_TAG_REAL && !asn1->ident.flag) { if(asn1->len.size && asn1->data && - ((asn1->data[0] & 0xc0) == 0x00) && + ((asn1->data[0] & 0xc0) == 0x00) && (asn1->len.size > 256)) { return 1; 
@@ -212,7 +213,7 @@ ** This is the most generic of our ASN.1 detection functionalities. This ** will compare the ASN.1 type lengths against the user defined max ** length and alert if the length is greater than the user supplied length. -** +** ** @return integer ** ** @retval 0 failed @@ -270,7 +271,7 @@ /* ** Print first, before we do other detection. If print is the only ** option, then we want to evaluate this option as true and continue. - ** Otherwise, if another option is wrong, then we + ** Otherwise, if another option is wrong, then we */ if(ctxt->print) { @@ -302,7 +303,7 @@ /* ** If we didn't detect any oversize length in the decoded structs, ** that might be because we had a really overlong length that is - ** bigger than our data type could hold. In this case, it's + ** bigger than our data type could hold. In this case, it's ** overlong too. */ if(!iRet && dec_ret_val == ASN1_ERR_OVERLONG_LEN) @@ -360,11 +361,14 @@ "relative offset, so we are bailing.\n");); return 0; } - + /* ** Check that it is in bounds first. + ** Because rel_ptr can be "end" in the last match, + ** use end + 1 for upper bound + ** Bound checked also after offset is applied */ - if(!inBounds(start, end, rel_ptr)) + if(!inBounds(start, end + 1, rel_ptr)) { DEBUG_WRAP(DebugMessage(DEBUG_ASN1, "[*] ASN.1 bounds " "check failed for rel_ptr.\n");); diff -Nru snort-2.8.5.2/src/detection-plugins/sp_asn1_detect.h snort-2.9.2/src/detection-plugins/sp_asn1_detect.h --- snort-2.8.5.2/src/detection-plugins/sp_asn1_detect.h 2009-05-06 22:28:25.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_asn1_detect.h 2011-02-09 23:22:56.000000000 +0000 
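Review bot: In the @@ -360 hunk the widened check `inBounds(start, end + 1, rel_ptr)` forms the pointer `end + 1`; if `end` is already one past the last byte of the buffer, as the comment's "rel_ptr can be "end"" suggests, that expression lies beyond the one-past-the-end position C permits and is undefined behaviour even though it is only compared. Since inBounds() is `p >= start && p < end`, the same test can be written without forming it: `if(!(rel_ptr >= start && rel_ptr <= end))`. The new comment also leans on a later bounds check "after offset is applied" that is outside this hunk; naming that check in the comment would make clear that this relaxation is not sufficient on its own. The enclosing function starts and ends outside the hunk.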
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.8.5.2/src/detection-plugins/sp_asn1.h snort-2.9.2/src/detection-plugins/sp_asn1.h --- snort-2.8.5.2/src/detection-plugins/sp_asn1.h 2009-05-06 22:28:25.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_asn1.h 2011-02-09 23:22:56.000000000 +0000 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2004-2009 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.8.5.2/src/detection-plugins/sp_base64_data.c snort-2.9.2/src/detection-plugins/sp_base64_data.c --- snort-2.8.5.2/src/detection-plugins/sp_base64_data.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_base64_data.c 2011-11-21 20:15:24.000000000 +0000 
@@ -0,0 +1,182 @@ +/* + ** Copyright (C) 1998-2011 Sourcefire, Inc. + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +/* sp_base64_data + * + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include <sys/types.h> +#include <stdlib.h> +#include <ctype.h> +#ifdef HAVE_STRINGS_H +#include <strings.h> +#endif +#include <errno.h> + +#include "sf_types.h" +#include "snort_bounds.h" +#include "rules.h" +#include "decode.h" +#include "plugbase.h" +#include "parser.h" +#include "snort_debug.h" +#include "util.h" +#include "mstring.h" + +#include "snort.h" +#include "profiler.h" +#include "sp_base64_data.h" +#ifdef PERF_PROFILING +PreprocStats base64DataPerfStats; +extern PreprocStats ruleOTNEvalPerfStats; +#endif + +#include "detection_options.h" +#include "detection_util.h" + +extern char *file_name; /* this is the file name from rules.c, generally used + for error messages */ + +extern int file_line; /* this is the file line number from rules.c that is + used to indicate file lines for error messages */ + +static void Base64DataInit(char *, OptTreeNode *, int); +void Base64DataParse(char *, OptTreeNode *); +int Base64DataEval(void *option_data, Packet *p); + 
+/**************************************************************************** + * + * Function: SetupBase64Data() + * + * Purpose: Load 'er up + * + * Arguments: None. + * + * Returns: void function + * + ****************************************************************************/ +void SetupBase64Data(void) +{ + /* map the keyword to an initialization/processing function */ + RegisterRuleOption("base64_data", Base64DataInit, NULL, OPT_TYPE_DETECTION, NULL); +#ifdef PERF_PROFILING + RegisterPreprocessorProfile("base64_data", &base64DataPerfStats, 3, &ruleOTNEvalPerfStats); +#endif + + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Plugin: base64_data Setup\n");); +} + + +/**************************************************************************** + * + * Function: Base64DataInit(char *, OptTreeNode *, int protocol) + * + * Purpose: Generic rule configuration function. Handles parsing the rule + * information and attaching the associated detection function to + * the OTN. + * + * Arguments: data => rule arguments/data + * otn => pointer to the current rule option list node + * protocol => protocol the rule is on (we don't care in this case) + * + * Returns: void function + * + ****************************************************************************/ +static void Base64DataInit(char *data, OptTreeNode *otn, int protocol) +{ + OptFpList *fpl; + if(otn->ds_list[PLUGIN_BASE64_DECODE] == NULL ) + { + /*use base64_decode before base64_data*/ + FatalError("%s(%d): base64_decode needs to be specified before base64_data in a rule\n", + file_name, file_line); + } + + Base64DataParse(data, otn); + + fpl = AddOptFuncToList(Base64DataEval, otn); + fpl->type = RULE_OPTION_TYPE_BASE64_DATA; + +} + + + +/**************************************************************************** + * + * Function: Base64DataParse(char *, OptTreeNode *) + * + * Purpose: This is the function that is used to process the option keyword's + * arguments and attach them to the rule's data structures. 
+ * + * Arguments: data => argument data + * otn => pointer to the current rule's OTN + * + * Returns: void function + * + ****************************************************************************/ +void Base64DataParse(char *data, OptTreeNode *otn) +{ + if (!IsEmptyStr(data)) + { + FatalError("%s(%d): base64_data takes no arguments\n", + file_name, file_line); + } + +} + + +/**************************************************************************** + * + * Function: Base64DataEval(char *, OptTreeNode *, OptFpList *) + * + * Purpose: Use this function to perform the particular detection routine + * that this rule keyword is supposed to encompass. + * + * Arguments: p => pointer to the decoded packet + * otn => pointer to the current rule's OTN + * fp_list => pointer to the function pointer list + * + * Returns: If the detection test fails, this function *must* return a zero! + * On success, it calls the next function in the detection list + * + ****************************************************************************/ +int Base64DataEval(void *option_data, Packet *p) +{ + int rval = DETECTION_OPTION_NO_MATCH; + PROFILE_VARS; + + PREPROC_PROFILE_START(base64DataPerfStats); + + if ((p->dsize == 0) || !base64_decode_size ) + { + PREPROC_PROFILE_END(base64DataPerfStats); + return rval; + } + + SetDoePtr(base64_decode_buf, DOE_BUF_STD); + SetAltDetect(base64_decode_buf, (uint16_t)base64_decode_size); + rval = DETECTION_OPTION_MATCH; + + PREPROC_PROFILE_END(base64DataPerfStats); + return rval; +} diff -Nru snort-2.8.5.2/src/detection-plugins/sp_base64_data.h snort-2.9.2/src/detection-plugins/sp_base64_data.h --- snort-2.8.5.2/src/detection-plugins/sp_base64_data.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_base64_data.h 2011-02-09 23:22:56.000000000 +0000 
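Review bot: `SetAltDetect(base64_decode_buf, (uint16_t)base64_decode_size)` in Base64DataEval silently truncates the decoded length if `base64_decode_size` can ever exceed 65535; the hunk does not show the capacity of `base64_decode_buf`, so either clamp before the cast, `if (base64_decode_size > UINT16_MAX) base64_decode_size = UINT16_MAX;`, or add a comment stating why the decoded size is bounded below 16 bits. The Base64DataEval header comment still describes a `(char *, OptTreeNode *, OptFpList *)` signature with `otn` and `fp_list` arguments that the function does not take; it should document `option_data` (unused here) and `p`. Base64DataParse likewise documents an `otn` argument it never reads.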
@@ -0,0 +1,27 @@ +/* +** Copyright (C) 2003-2011 Sourcefire, Inc. +** +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License Version 2 as +** published by the Free Software Foundation. You may not use, modify or +** distribute this program under any other version of the GNU General +** Public License. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +*/ + + +#ifndef __SP_BASE64_DATA_H__ +#define __SP_BASE64_DATA_H__ + +void SetupBase64Data(void); + +#endif diff -Nru snort-2.8.5.2/src/detection-plugins/sp_base64_decode.c snort-2.9.2/src/detection-plugins/sp_base64_decode.c --- snort-2.8.5.2/src/detection-plugins/sp_base64_decode.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_base64_decode.c 2011-06-08 00:33:09.000000000 +0000 
@@ -0,0 +1,375 @@ +/* + ** Copyright (C) 1998-2011 Sourcefire, Inc. + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +/* sp_base64_decode + * + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include <sys/types.h> +#include <stdlib.h> +#include <ctype.h> +#ifdef HAVE_STRINGS_H +#include <strings.h> +#endif +#include <errno.h> + +#include "sf_types.h" +#include "snort_bounds.h" +#include "rules.h" +#include "decode.h" +#include "plugbase.h" +#include "parser.h" +#include "snort_debug.h" +#include "util.h" +#include "mstring.h" + +#include "snort.h" +#include "profiler.h" +#include "sp_base64_decode.h" +#include "sfutil/sf_base64decode.h" +#ifdef PERF_PROFILING +PreprocStats base64DecodePerfStats; +extern PreprocStats ruleOTNEvalPerfStats; +#endif + +#include "detection_options.h" +#include "detection_util.h" + + +extern char *file_name; /* this is the file name from rules.c, generally used + for error messages */ + +extern int file_line; /* this is the file line number from rules.c that is + used to indicate file lines for error messages */ + +void Base64DecodeInit(char *, OptTreeNode *, int); +void Base64DecodeParse(char *, Base64DecodeData *, OptTreeNode *); +int Base64DecodeEval(void *option_data, Packet *p); + 
+uint32_t Base64DecodeHash(void *d) +{ + uint32_t a,b,c; + Base64DecodeData *data = (Base64DecodeData *)d; + + a = data->bytes_to_decode; + b = data->offset; + c = data->flags; + + mix(a,b,c); + + a += RULE_OPTION_TYPE_BASE64_DECODE; + + final(a,b,c); + + return c; +} + +int Base64DecodeCompare(void *l, void *r) +{ + Base64DecodeData *left = (Base64DecodeData *)l; + Base64DecodeData *right = (Base64DecodeData *)r; + + if (!left || !right) + return DETECTION_OPTION_NOT_EQUAL; + + if ((left->bytes_to_decode == right->bytes_to_decode) && + ( left->offset == right->offset) && + ( left->flags == right->flags)) + { + return DETECTION_OPTION_EQUAL; + } + + return DETECTION_OPTION_NOT_EQUAL; +} + + +/**************************************************************************** + * + * Function: SetupBase64Decode() + * + * Purpose: Load 'er up + * + * Arguments: None. + * + * Returns: void function + * + ****************************************************************************/ +void SetupBase64Decode(void) +{ + /* map the keyword to an initialization/processing function */ + RegisterRuleOption("base64_decode", Base64DecodeInit, NULL, OPT_TYPE_DETECTION, NULL); +#ifdef PERF_PROFILING + RegisterPreprocessorProfile("base64_decode", &base64DecodePerfStats, 3, &ruleOTNEvalPerfStats); +#endif + + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Plugin: base64_decode Setup\n");); +} + + +/**************************************************************************** + * + * Function: Base64DecodeInit(char *, OptTreeNode *, int protocol) + * + * Purpose: Generic rule configuration function. Handles parsing the rule + * information and attaching the associated detection function to + * the OTN. 
+ * + * Arguments: data => rule arguments/data + * otn => pointer to the current rule option list node + * protocol => protocol the rule is on (we don't care in this case) + * + * Returns: void function + * + ****************************************************************************/ +void Base64DecodeInit(char *data, OptTreeNode *otn, int protocol) +{ + Base64DecodeData *idx; + OptFpList *fpl; + void *idx_dup; + + if(otn->ds_list[PLUGIN_BASE64_DECODE]) + { + FatalError("%s(%d): Multiple base64_decode options in rule\n", file_name, + file_line); + } + + + idx = (Base64DecodeData *) SnortAlloc(sizeof(Base64DecodeData)); + + if(idx == NULL) + { + FatalError("%s(%d): Unable to allocate Base64Decode data node\n", + file_name, file_line); + } + + otn->ds_list[PLUGIN_BASE64_DECODE] = idx; + + Base64DecodeParse(data, idx, otn); + + if (add_detection_option(RULE_OPTION_TYPE_BASE64_DECODE, (void *)idx, &idx_dup) == DETECTION_OPTION_EQUAL) + { + free(idx); + idx = otn->ds_list[PLUGIN_BASE64_DECODE] = idx_dup; + } + + fpl = AddOptFuncToList(Base64DecodeEval, otn); + fpl->type = RULE_OPTION_TYPE_BASE64_DECODE; + + fpl->context = (void *) idx; + + if (idx->flags & BASE64DECODE_RELATIVE_FLAG) + fpl->isRelative = 1; +} + +/**************************************************************************** + * + * Function: Base64DecodeParse(char *, Base64DecodeData *, OptTreeNode *) + * + * Purpose: This is the function that is used to process the option keyword's + * arguments and attach them to the rule's data structures. 
+ * + * Arguments: data => argument data + * otn => pointer to the current rule's OTN + * + * Returns: void function + * + ****************************************************************************/ +void Base64DecodeParse(char *data, Base64DecodeData *idx, OptTreeNode *otn) +{ + char **toks; + char **toks1; + int num_toks; + int num_toks1; + char *token; + int i=0; + char *endptr; + int value = 0; + + + /*no arguments*/ + if (IsEmptyStr(data)) + { + idx->offset = 0; + idx->bytes_to_decode = 0; + idx->flags = 0; + return; + } + + toks = mSplit(data, ",", 0, &num_toks, 0); + + if (num_toks > 3 ) + { + FatalError("%s (%d): Bad arguments to base64_decode.\n", + file_name, file_line); + + } + + while (i < num_toks ) + { + token = toks[i]; + + if( strcmp(token , "relative") == 0 ) + { + idx->flags |= BASE64DECODE_RELATIVE_FLAG; + i++; + continue; + } + + toks1 = mSplit(token, " \t", 0, &num_toks1, 0); + + if ( num_toks1 != 2 ) + { + FatalError("%s (%d): Bad arguments to base64_decode.\n", + file_name, file_line); + } + + if( strcmp(toks1[0], "offset") == 0 ) + { + value = SnortStrtol(toks1[1], &endptr, 10); + if(*endptr || value < 0) + { + FatalError("%s (%d): Bad arguments to base64_decode.\n", + file_name, file_line); + } + idx->offset = value; + } + else if( strcmp(toks1[0], "bytes") == 0 ) + { + value = SnortStrtol(toks1[1], &endptr, 10); + if(*endptr || (value < 0) ) + { + FatalError("%s (%d): Bad arguments to base64_decode.\n", + file_name, file_line); + } + + if(!value) + { + FatalError("%s (%d): \"bytes\" option to base64_decode cannot be" + " zero.\n", file_name, file_line); + } + idx->bytes_to_decode = value; + } + else + { + FatalError("%s (%d): Bad arguments to base64_decode.\n", + file_name, file_line); + } + + mSplitFree(&toks1,num_toks1); + i++; + } + + mSplitFree(&toks,num_toks); + return; + +} + + +/**************************************************************************** + * + * Function: Base64DecodeEval(char *, OptTreeNode *, OptFpList *) + * + 
* Purpose: Use this function to perform the particular detection routine + * that this rule keyword is supposed to encompass. + * + * Arguments: p => pointer to the decoded packet + * otn => pointer to the current rule's OTN + * fp_list => pointer to the function pointer list + * + * Returns: If the detection test fails, this function *must* return a zero! + * On success, it calls the next function in the detection list + * + ****************************************************************************/ +int Base64DecodeEval(void *option_data, Packet *p) +{ + int rval = DETECTION_OPTION_NO_MATCH; + const uint8_t *start_ptr = NULL; + uint8_t base64_buf[DECODE_BLEN]; + uint32_t base64_size =0; + Base64DecodeData *idx; + PROFILE_VARS; + + PREPROC_PROFILE_START(base64DecodePerfStats); + + base64_decode_size = 0; + + if ((!p->dsize) || (!p->data)) + { + PREPROC_PROFILE_END(base64DecodePerfStats); + return rval; + } + + idx = (Base64DecodeData *)option_data; + + if(!idx) + { + PREPROC_PROFILE_END(base64DecodePerfStats); + return rval; + } + + if(idx->flags & BASE64DECODE_RELATIVE_FLAG) + { + if(!doe_ptr) + { + start_ptr = p->data; + start_ptr = start_ptr + idx->offset; + } + else + { + start_ptr = doe_ptr; + start_ptr = start_ptr + idx->offset; + } + } + else + { + start_ptr = p->data + idx->offset; + } + + if(start_ptr > (p->data + p->dsize) ) + { + PREPROC_PROFILE_END(base64DecodePerfStats); + return rval; + } + + if(sf_unfold_header(start_ptr, p->dsize, base64_buf, sizeof(base64_buf), &base64_size, 0, 0) != 0) + { + PREPROC_PROFILE_END(base64DecodePerfStats); + return rval; + } + + + if (idx->bytes_to_decode && (base64_size > idx->bytes_to_decode)) + { + base64_size = idx->bytes_to_decode; + } + + if(sf_base64decode(base64_buf, base64_size, (uint8_t *)base64_decode_buf, sizeof(base64_decode_buf), &base64_decode_size) != 0) + { + PREPROC_PROFILE_END(base64DecodePerfStats); + return rval; + } + + PREPROC_PROFILE_END(base64DecodePerfStats); + + return 
DETECTION_OPTION_MATCH; +} diff -Nru snort-2.8.5.2/src/detection-plugins/sp_base64_decode.h snort-2.9.2/src/detection-plugins/sp_base64_decode.h --- snort-2.8.5.2/src/detection-plugins/sp_base64_decode.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_base64_decode.h 2011-02-09 23:22:57.000000000 +0000 @@ -0,0 +1,39 @@ +/* +** Copyright (C) 2003-2011 Sourcefire, Inc. +** +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License Version 2 as +** published by the Free Software Foundation. You may not use, modify or +** distribute this program under any other version of the GNU General +** Public License. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +*/ + + +#ifndef __SP_BASE64_DECODE_H__ +#define __SP_BASE64_DECODE_H__ + + +#define BASE64DECODE_RELATIVE_FLAG 0x01 + +typedef struct _Base64DecodeData +{ + uint32_t bytes_to_decode; + uint32_t offset; + uint8_t flags; +}Base64DecodeData; + +int Base64DecodeCompare(void *, void *); +uint32_t Base64DecodeHash(void *); +void SetupBase64Decode(void); + +#endif diff -Nru snort-2.8.5.2/src/detection-plugins/sp_byte_check.c snort-2.9.2/src/detection-plugins/sp_byte_check.c --- snort-2.8.5.2/src/detection-plugins/sp_byte_check.c 2009-05-06 22:28:26.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_byte_check.c 2011-11-21 20:15:24.000000000 +0000 
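Review bot: In Base64DecodeEval the call `sf_unfold_header(start_ptr, p->dsize, ...)` passes the whole payload length although `start_ptr` has already been advanced by `idx->offset` (and, with the relative flag, begins at `doe_ptr`), so the unfolding routine is told it may read `offset` bytes past the end of `p->data`; the preceding `start_ptr > (p->data + p->dsize)` test also lets `start_ptr` equal the end pointer while still handing over a non-zero length. The length should be the bytes actually remaining, and an empty remainder should return no match, as below (the second argument is assumed to be a readable length, as the call with `p->dsize` implies). If `doe_ptr` can point into a buffer other than `p->data` — the hunk does not show how it is set — comparing it against `p->data + p->dsize` is not a valid bound at all and a per-buffer end pointer is needed; confirm against the code that sets it. The Base64DecodeEval header comment also documents a `(char *, OptTreeNode *, OptFpList *)` signature that does not match `(void *option_data, Packet *p)`.
```c
    const uint8_t *end_ptr = p->data + p->dsize;   /* first byte past the payload */
    /* … unchanged: start_ptr computed from p->data or doe_ptr plus idx->offset … */

    /* nothing left to unfold once start_ptr reaches the end of the payload */
    if(start_ptr >= end_ptr)
    {
        PREPROC_PROFILE_END(base64DecodePerfStats);
        return rval;
    }

    /* only the bytes between start_ptr and the end of p->data are readable */
    if(sf_unfold_header(start_ptr, end_ptr - start_ptr, base64_buf,
                        sizeof(base64_buf), &base64_size, 0, 0) != 0)
    /* … unchanged: error return, bytes_to_decode clamp, sf_base64decode … */
```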
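Review bot: The new sp_base64_decode.h uses `uint32_t` and `uint8_t` in `Base64DecodeData` without including `<stdint.h>` or the project's "sf_types.h", so the header is not self-contained and compiles only because sp_base64_decode.c happens to include "sf_types.h" first; adding `#include "sf_types.h"` under the guard would let any translation unit include it on its own. The guard name `__SP_BASE64_DECODE_H__` is in the identifier space reserved for the implementation by the C standard, although it does follow the naming the surrounding headers already use.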
@@ -1,6 +1,6 @@ /* $Id$ */ /* - ** Copyright (C) 2002-2009 Sourcefire, Inc. + ** Copyright (C) 2002-2011 Sourcefire, Inc. ** Author: Martin Roesch ** ** This program is free software; you can redistribute it and/or modify @@ -19,8 +19,8 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ -/* sp_byte_check - * +/* sp_byte_check + * * Purpose: * Test a byte field against a specific value (with operator). Capable * of testing binary values or converting represenative byte strings @@ -41,7 +41,7 @@ * ["hex"]: converted string data is represented in hexidecimal * ["dec"]: converted string data is represented in decimal * ["oct"]: converted string data is represented in octal - * + * * sample rules: * alert udp $EXTERNAL_NET any -> $HOME_NET any \ * (msg:"AMD procedure 7 plog overflow "; \ @@ -77,7 +77,7 @@ * * Effect: * - * Reads in the indicated bytes, converts them to an numeric + * Reads in the indicated bytes, converts them to an numeric * representation and then performs the indicated operation/test on * the data using the value field. Returns 1 if the operation is true, * 0 if it is not. @@ -100,18 +100,21 @@ #endif #include <errno.h> -#include "bounds.h" +#include "sf_types.h" +#include "snort_bounds.h" #include "byte_extract.h" #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" #include "mstring.h" #include "sfhashfcn.h" #include "sp_byte_check.h" +#include "sp_byte_extract.h" #define PARSELEN 10 #define TEXTLEN (PARSELEN + 2) 
@@ -120,27 +123,29 @@ #include "profiler.h" #include "sfhashfcn.h" #include "detection_options.h" +#include "detection_util.h" #ifdef PERF_PROFILING PreprocStats byteTestPerfStats; extern PreprocStats ruleOTNEvalPerfStats; #endif -extern const uint8_t *doe_ptr; -extern uint8_t DecodeBuffer[DECODE_BLEN]; - typedef struct _ByteTestOverrideData { char *keyword; char *option; - RuleOptOverrideFunc func; + union + { + RuleOptOverrideFunc fptr; + void *void_fptr; + } fptr; struct _ByteTestOverrideData *next; } ByteTestOverrideData; ByteTestOverrideData *byteTestOverrideFuncs = NULL; -static void ByteTestOverride(char *keyword, char *option, RuleOptOverrideFunc func); +static void ByteTestOverride(char *keyword, char *option, RuleOptOverrideFunc roo_func); static void ByteTestOverrideFuncsFree(void); static void ByteTestInit(char *, OptTreeNode *, int); static ByteTestOverrideData * ByteTestParse(char *data, ByteTestData *idx, OptTreeNode *otn); @@ -167,6 +172,24 @@ mix(a,b,c); a += RULE_OPTION_TYPE_BYTE_TEST; + b += data->cmp_value_var; + c += data->offset_var; + + mix(a,b,c); + +#if (defined(__ia64) || defined(__amd64) || defined(_LP64)) + { + /* Cleanup warning because of cast from 64bit ptr to 32bit int + * warning on 64bit OSs */ + uint64_t ptr; /* Addresses are 64bits */ + + ptr = (uint64_t) data->byte_order_func; + a += (ptr << 32) & 0XFFFFFFFF; + b += (ptr & 0xFFFFFFFF); + } +#else + a += (uint32_t)data->byte_order_func; +#endif final(a,b,c); @@ -180,7 +203,7 @@ if (!left || !right) return DETECTION_OPTION_NOT_EQUAL; - + if (( left->bytes_to_compare == right->bytes_to_compare) && ( left->cmp_value == right->cmp_value) && ( left->operator == right->operator) && 
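Review bot: In the @@ -167 hunk the 64-bit branch computes `a += (ptr << 32) & 0XFFFFFFFF;`, which is always zero — shifting left by 32 moves the low word out of the masked range, so the upper half of `byte_order_func` never reaches the hash and only `b` carries pointer bits. The intent is plainly the upper word, `a += (ptr >> 32) & 0xFFFFFFFF;`. This only weakens the hash, since ByteTestCompare still compares `byte_order_func` directly, but the comment about folding a 64-bit pointer describes code that does not do it. Selecting the branch by architecture macros is fragile as well: a 64-bit target that defines none of `__ia64`, `__amd64` or `_LP64` falls into the `#else` and truncates the pointer to `uint32_t`, whereas `#if UINTPTR_MAX > 0xFFFFFFFFu` with a `(uintptr_t)` cast decides on pointer width directly. ByteTestHash starts outside the hunk.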
@@ -189,7 +212,10 @@ ( left->relative_flag == right->relative_flag) && ( left->data_string_convert_flag == right->data_string_convert_flag) && ( left->endianess == right->endianess) && - ( left->base == right->base) ) + ( left->base == right->base) && + ( left->cmp_value_var == right->cmp_value_var) && + ( left->offset_var == right->offset_var) && + ( left->byte_order_func == right->byte_order_func)) { return DETECTION_OPTION_EQUAL; } @@ -197,14 +223,14 @@ return DETECTION_OPTION_NOT_EQUAL; } -static void ByteTestOverride(char *keyword, char *option, RuleOptOverrideFunc func) +static void ByteTestOverride(char *keyword, char *option, RuleOptOverrideFunc roo_func) { ByteTestOverrideData *new = SnortAlloc(sizeof(ByteTestOverrideData)); new->keyword = SnortStrdup(keyword); new->option = SnortStrdup(option); - new->func = func; - + new->func = roo_func; + new->next = byteTestOverrideFuncs; byteTestOverrideFuncs = new; } @@ -244,7 +270,7 @@ void SetupByteTest(void) { /* map the keyword to an initialization/processing function */ - RegisterRuleOption("byte_test", ByteTestInit, ByteTestOverride, OPT_TYPE_DETECTION); + RegisterRuleOption("byte_test", ByteTestInit, ByteTestOverride, OPT_TYPE_DETECTION, NULL); AddFuncToCleanExitList(ByteTestOverrideCleanup, NULL); AddFuncToRuleOptParseCleanupList(ByteTestOverrideFuncsFree); @@ -256,10 +282,10 @@ /**************************************************************************** - * + * * Function: ByteTestInit(char *, OptTreeNode *) * - * Purpose: Generic rule configuration function. Handles parsing the rule + * Purpose: Generic rule configuration function. Handles parsing the rule * information and attaching the associated detection function to * the OTN. * 
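Review bot: `new->func = roo_func;` in the @@ -197 hunk writes a member named `func`, but the @@ -120 hunk replaced that member with a union named `fptr`; this presumably compiles only through a project macro that maps `func` to `fptr.fptr`, which the renaming of the parameter from `func` to `roo_func` in the same hunk also points to, though the diff does not show it. A one-line comment at the assignment, or writing `new->fptr.fptr = roo_func;` explicitly, would spare the next reader a search for that macro. ByteTestOverride is complete within the hunk.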
@@ -283,11 +309,11 @@ if(idx == NULL) { - FatalError("%s(%d): Unable to allocate byte_test data node\n", + FatalError("%s(%d): Unable to allocate byte_test data node\n", file_name, file_line); } - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ override = ByteTestParse(data, idx, otn); if (override) @@ -300,7 +326,7 @@ fpl = AddOptFuncToList(ByteTest, otn); fpl->type = RULE_OPTION_TYPE_BYTE_TEST; - + if (add_detection_option(RULE_OPTION_TYPE_BYTE_TEST, (void *)idx, &idx_dup) == DETECTION_OPTION_EQUAL) { #ifdef DEBUG_RULE_OPTION_TREE @@ -311,14 +337,14 @@ idx->operator, idx->offset, idx->not_flag, idx->relative_flag, - idx->data_string_convert_flag, + idx->data_string_convert_flag, idx->endianess, idx->base, ((ByteTestData *)idx_dup)->bytes_to_compare, ((ByteTestData *)idx_dup)->cmp_value, ((ByteTestData *)idx_dup)->operator, ((ByteTestData *)idx_dup)->offset, ((ByteTestData *)idx_dup)->not_flag, ((ByteTestData *)idx_dup)->relative_flag, - ((ByteTestData *)idx_dup)->data_string_convert_flag, + ((ByteTestData *)idx_dup)->data_string_convert_flag, ((ByteTestData *)idx_dup)->endianess, ((ByteTestData *)idx_dup)->base); #endif free(idx); @@ -335,7 +361,7 @@ } /**************************************************************************** - * + * * Function: ByteTestParse(char *, ByteTestData *, OptTreeNode *) * * Purpose: This is the function that is used to process the option keyword's @@ -355,6 +381,7 @@ int num_toks; char *cptr; int i =0; + RuleOptByteOrderFunc tmp_byte_order_func; toks = mSplit(data, ",", 12, &num_toks, 0); @@ -371,6 +398,11 @@ file_name, file_line, toks[0]); } + if(*endp != '\0') + { + ParseError("byte_test option has bad value: %s.", toks[0]); + } + if(idx->bytes_to_compare > PARSELEN || idx->bytes_to_compare == 0) { FatalError("%s(%d): byte_test can't process more than " 
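Review bot: The new trailing-character check in the `@@ -371,6 +398,11 @@` hunk reports through `ParseError("byte_test option has bad value: %s.", toks[0]);` while the unparsable-value failure immediately above it, and every other failure in ByteTestParse visible here, goes through `FatalError("%s(%d): ...", file_name, file_line, ...)`. Unless ParseError is known to prefix the file name and line the same way, a rule author sees two message formats for two errors on the same option; one reporting path for the whole parser is the simpler choice. ByteTestParse starts and ends outside this hunk.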
@@ -383,13 +415,13 @@ if(*cptr == '!') { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "enabling not flag\n");); idx->not_flag = 1; cptr++; } - - if (idx->not_flag && strlen(cptr) == 0) + + if (idx->not_flag && strlen(cptr) == 0) { idx->operator = BT_EQUALS; } 
@@ -424,38 +456,70 @@ break; default: FatalError("%s(%d): byte_test unknown " - "operator ('%c, %s')\n", file_name, file_line, + "operator ('%c, %s')\n", file_name, file_line, *cptr, toks[1]); } } - errno = 0; /* set the value to test against */ - idx->cmp_value = strtoul(toks[2], &endp, 0); + if (isdigit(toks[2][0]) || toks[2][0] == '-') + { + idx->cmp_value = SnortStrtoul(toks[2], &endp, 0); + idx->cmp_value_var = -1; + + if(toks[2] == endp) + { + FatalError("%s(%d): Unable to parse as comparison value %s\n", + file_name, file_line, toks[2]); + } - if(toks[2] == endp) + if(*endp != '\0') + { + ParseError("byte_test option has bad comparison value: %s.", toks[2]); + } + + if(errno == ERANGE) + { + printf("Bad range: %s\n", toks[2]); + } + } + else { - FatalError("%s(%d): Unable to parse as comparison value %s\n", - file_name, file_line, toks[2]); + idx->cmp_value_var = GetVarByName(toks[2]); + if (idx->cmp_value_var == BYTE_EXTRACT_NO_VAR) + { + FatalError("%s (%d): %s\n", file_name, file_line, BYTE_EXTRACT_INVALID_ERR_STR); + } } - if(errno == ERANGE) + if (isdigit(toks[3][0]) || toks[3][0] == '-') { - printf("Bad range: %s\n", toks[2]); - } + /* set offset */ + idx->offset = strtol(toks[3], &endp, 10); + idx->offset_var = -1; - /* set offset */ - idx->offset = strtol(toks[3], &endp, 10); + if(toks[3] == endp) + { + FatalError("%s(%d): Unable to parse as offset value %s\n", + file_name, file_line, toks[3]); + } - - if(toks[3] == endp) + if(*endp != '\0') + { + ParseError("byte_test option has bad offset: %s.", toks[3]); + } + } + else { - FatalError("%s(%d): Unable to parse as offset value %s\n", - file_name, file_line, toks[3]); + idx->offset_var = GetVarByName(toks[3]); + if (idx->offset_var == BYTE_EXTRACT_NO_VAR) + { + FatalError("%s (%d): %s\n", file_name, file_line, BYTE_EXTRACT_INVALID_ERR_STR); + } } - + i = 4; /* is it a relative offset? */ 
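Review bot: The `errno = 0;` reset is removed in this hunk but `if(errno == ERANGE)` after `SnortStrtoul(toks[2], &endp, 0)` stays, so unless SnortStrtoul clears errno itself (not visible here) the range test can fire on a stale errno left by an earlier call. When it does fire, the overflow is only `printf`'d to stdout and parsing continues with the clamped value, so a comparison value that does not fit is silently accepted into the rule; `ParseError("byte_test comparison value out of range: %s.", toks[2]);` would be consistent with the neighbouring checks. Separately, `isdigit(toks[2][0])` and `isdigit(toks[3][0])` pass a plain `char`; cast to `unsigned char` so a high-bit byte in the rule text is not handed to the ctype table as a negative index. ByteTestParse starts and ends outside this hunk.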
@@ -474,7 +538,7 @@ } else if(!strcasecmp(cptr, "string")) { - /* the data will be represented as a string that needs + /* the data will be represented as a string that needs * to be converted to an int, binary is assumed otherwise */ idx->data_string_convert_flag = 1; @@ -500,6 +564,10 @@ { idx->base = 8; } + else if((tmp_byte_order_func = GetByteOrderFunc(cptr)) != NULL) + { + idx->byte_order_func = tmp_byte_order_func; + } else { ByteTestOverrideData *override = byteTestOverrideFuncs; @@ -515,7 +583,7 @@ override = override->next; } - FatalError("%s(%d): unknown modifier \"%s\"\n", + FatalError("%s(%d): unknown modifier \"%s\"\n", file_name, file_line, cptr); } @@ -529,14 +597,14 @@ FatalError("%s(%d): hex, dec and oct modifiers must be used in conjunction \n" " with the 'string' modifier\n", file_name,file_line); } - + mSplitFree(&toks, num_toks); return NULL; } /**************************************************************************** - * + * * Function: ByteTest(char *, OptTreeNode *, OptFpList *) * * Purpose: Use this function to perform the particular detection routine @@ -547,7 +615,7 @@ * fp_list => pointer to the function pointer list * * Returns: If the detection test fails, this function *must* return a zero! - * On success, it calls the next function in the detection list + * On success, it calls the next function in the detection list * ****************************************************************************/ int ByteTest(void *option_data, Packet *p) 
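Review bot: The new `GetByteOrderFunc` branch in the `@@ -500,6 +564,10 @@` hunk stores the callback without checking whether an explicit byte order was already given for this option, whereas ByteExtractParse in sp_byte_extract.c (added by the same diff) rejects a byte-order function combined with `big`/`little`. Since ByteTest does `btd->endianess = btd->byte_order_func(p, offset)` whenever the pointer is non-NULL, a rule that names both gets the function silently winning over the keyword; mirroring the ByteExtractParse check, or at least a comment stating that precedence, would make the behaviour deliberate. The `big`/`little` branches of ByteTestParse are outside this hunk, so whether `idx->endianess` is already set at this point is inferred.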
@@ -556,50 +624,77 @@ int rval = DETECTION_OPTION_NO_MATCH; uint32_t value = 0; int success = 0; - int use_alt_buffer = p->packet_flags & PKT_ALT_DECODE; int dsize; const char *base_ptr, *end_ptr, *start_ptr; uint32_t payload_bytes_grabbed = 0; - int32_t tmp = 0; + int32_t offset, tmp = 0; + uint32_t extract_offset, extract_cmp_value; PROFILE_VARS; PREPROC_PROFILE_START(byteTestPerfStats); - if(use_alt_buffer) + if (Is_DetectFlag(FLAG_ALT_DETECT)) { - dsize = p->alt_dsize; - start_ptr = (char *)DecodeBuffer; - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + dsize = DetectBuffer.len; + start_ptr = (char *)DetectBuffer.data; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Using Alternative Detect buffer!\n");); + } + else if(Is_DetectFlag(FLAG_ALT_DECODE)) + { + dsize = DecodeBuffer.len; + start_ptr = (char *)DecodeBuffer.data; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Using Alternative Decode buffer!\n");); } else { - dsize = p->dsize; + if(IsLimitedDetect(p)) + dsize = p->alt_dsize; + else + dsize = p->dsize; start_ptr = (char *) p->data; } base_ptr = start_ptr; end_ptr = start_ptr + dsize; - + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "[*] byte test firing...\npayload starts at %p\n", start_ptr);); - if(doe_ptr) + + /* Get values from byte_extract variables, if present. 
*/ + if (btd->cmp_value_var >= 0 && btd->cmp_value_var < NUM_BYTE_EXTRACT_VARS) + { + GetByteExtractValue(&extract_cmp_value, btd->cmp_value_var); + btd->cmp_value = (int32_t) extract_cmp_value; + } + if (btd->offset_var >= 0 && btd->offset_var < NUM_BYTE_EXTRACT_VARS) + { + GetByteExtractValue(&extract_offset, btd->offset_var); + btd->offset = (int32_t) extract_offset; + } + + + if(btd->relative_flag && doe_ptr) { - /* @todo: possibly degrade to use the other buffer, seems non-intuitive*/ - if(!inBounds((const uint8_t *)start_ptr, (const uint8_t *)end_ptr, doe_ptr)) + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Checking relative offset!\n");); + + /* @todo: possibly degrade to use the other buffer, seems non-intuitive + * Because doe_ptr can be "end" in the last match, + * use end + 1 for upper bound + * Bound checked also after offset is applied + * (see byte_extract() and string_extract()) + */ + if(!inBounds((const uint8_t *)start_ptr, (const uint8_t *)end_ptr + 1, doe_ptr)) { DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "[*] byte test bounds check failed..\n");); PREPROC_PROFILE_END(byteTestPerfStats); return rval; } - } - if(btd->relative_flag && doe_ptr) - { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Checking relative offset!\n");); base_ptr = (const char *)doe_ptr + btd->offset; } else @@ -609,11 +704,22 @@ base_ptr = start_ptr + btd->offset; } + /* Use byte_order_func to determine endianess, if present */ + if (btd->byte_order_func) + { + offset = (int32_t) ((const uint8_t *)base_ptr - p->data); + btd->endianess = btd->byte_order_func(p, offset); + if (btd->endianess == -1) + { + PREPROC_PROFILE_END(byteTestPerfStats); + return DETECTION_OPTION_NO_MATCH; + } + } /* both of these functions below perform their own bounds checking within * byte_extract.c */ - + if(!btd->data_string_convert_flag) { if(byte_extract(btd->endianess, btd->bytes_to_compare, 
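Review bot: The byte_extract lookups added to ByteTest write the per-packet values back into the shared option node: `btd->cmp_value = (int32_t) extract_cmp_value;` and `btd->offset = (int32_t) extract_offset;`. ByteTestInit in this file deduplicates nodes through add_detection_option, so a node can be shared by several rules and is then rewritten at detection time by whichever rule evaluated last; that is harmless while evaluation is single-threaded and every evaluation re-fetches, but it makes option data mutable after parsing and is a hazard for any concurrent evaluation. Reading the variables into locals and using those for the rest of the function (the comparison code is outside this hunk) would keep the parsed option immutable. ByteTest's signature precedes this hunk and its body continues past it.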
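Review bot: `offset = (int32_t) ((const uint8_t *)base_ptr - p->data);` in the `@@ -609,11 +704,22 @@` hunk computes the offset handed to `byte_order_func` relative to `p->data`, but `base_ptr` is derived from `start_ptr`, which the preceding hunk sets to `DetectBuffer.data` or `DecodeBuffer.data` when an alternate buffer is selected; in those cases the subtraction is between pointers into different objects, which is undefined behaviour and yields an arbitrary offset. DetectByteExtract in sp_byte_extract.c, added by this same diff, passes `offset = (int32_t) (ptr - start);` — relative to the buffer actually being scanned — so the two callers disagree about what the callback receives; `offset = (int32_t)((const uint8_t *)base_ptr - (const uint8_t *)start_ptr);` would match it, assuming that is the contract the callbacks expect (not visible here). The comment `/* Use byte_order_func to determine endianess, if present */` could also state that a return of -1 means the packet is skipped, which is what the code does. ByteTest continues beyond the end of this hunk.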
@@ -644,7 +750,7 @@ } - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Grabbed %d bytes at offset %d, value = 0x%08X(%u)\n", payload_bytes_grabbed, btd->offset, value, value); ); @@ -693,7 +799,7 @@ if (btd->not_flag) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "checking for not success...flag\n");); if (!success) { diff -Nru snort-2.8.5.2/src/detection-plugins/sp_byte_check.h snort-2.9.2/src/detection-plugins/sp_byte_check.h --- snort-2.8.5.2/src/detection-plugins/sp_byte_check.h 2009-05-06 22:28:26.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_byte_check.h 2011-02-09 23:22:57.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -25,6 +25,7 @@ #include "sf_engine/sf_snort_plugin_api.h" #include "decode.h" +#include "plugbase.h" #define BT_LESS_THAN CHECK_LT #define BT_EQUALS CHECK_EQ @@ -50,8 +51,11 @@ uint8_t not_flag; uint8_t relative_flag; uint8_t data_string_convert_flag; - uint8_t endianess; + int8_t endianess; uint32_t base; + int8_t cmp_value_var; + int8_t offset_var; + RuleOptByteOrderFunc byte_order_func; } ByteTestData; void SetupByteTest(void); diff -Nru snort-2.8.5.2/src/detection-plugins/sp_byte_extract.c snort-2.9.2/src/detection-plugins/sp_byte_extract.c --- snort-2.8.5.2/src/detection-plugins/sp_byte_extract.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_byte_extract.c 2011-11-21 20:15:24.000000000 +0000 
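Review bot: The three fields added to ByteTestData in the `@@ -50,8 +51,11 @@` hunk of sp_byte_check.h carry no comments, and their sentinels are only discoverable from sp_byte_check.c: ByteTestParse stores -1 in `cmp_value_var`/`offset_var` when a literal was given and a byte_extract index otherwise, and when `byte_order_func` is non-NULL ByteTest overwrites `endianess` per packet. Suggested: `int8_t cmp_value_var;   /* byte_extract variable index, or -1 when cmp_value is a literal */`, `int8_t offset_var;      /* byte_extract variable index, or -1 when offset is a literal */`, `RuleOptByteOrderFunc byte_order_func; /* if set, endianess is recomputed per packet from this callback */`. The change of `endianess` from `uint8_t` to `int8_t` also merits a note that -1 is the "skip this packet" value the callback may return.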
@@ -0,0 +1,657 @@ +/* + ** Copyright (C) 2010-2011 Sourcefire, Inc. + ** Author: Ryan Jordan <ryan.jordan@sourcefire.com> + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +/* sp_byte_extract + * + * Description goes here. Snort rule interface for byte_extract functionality. 
+ * + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "snort.h" +#include "parser.h" +#include "plugbase.h" +#include "preprocids.h" +#include "detection_options.h" +#include "detection_util.h" +#include "sfhashfcn.h" +#include "profiler.h" +#include "byte_extract.h" + +#include "sp_byte_extract.h" + +#ifdef PERF_PROFILING +PreprocStats byteExtractPerfStats; +extern PreprocStats ruleOTNEvalPerfStats; +#endif + +extern int file_line; +extern char *file_name; + +/* Storage for extracted variables */ +static uint32_t extracted_values[NUM_BYTE_EXTRACT_VARS]; +static char *variable_names[NUM_BYTE_EXTRACT_VARS]; + +/* Prototypes */ +static void ByteExtractInit(char *, OptTreeNode *, int); +static void ByteExtractCleanup(int, void *); + +/* Setup function */ +void SetupByteExtract(void) +{ + RegisterRuleOption("byte_extract", ByteExtractInit, NULL, OPT_TYPE_DETECTION, NULL); + AddFuncToCleanExitList(ByteExtractCleanup, NULL); + +#ifdef PERF_PROFILING + RegisterPreprocessorProfile("byte_extract", &byteExtractPerfStats, 3, &ruleOTNEvalPerfStats); +#endif +} + +/* Clean up some strings left over from parsing */ +static void ByteExtractCleanup(int signal, void *data) +{ + int i; + for (i = 0; i < NUM_BYTE_EXTRACT_VARS; i++) + { + free(variable_names[i]); + variable_names[i] = NULL; + } +} + +#ifdef DEBUG_MSGS +/* Print a byte_extract option to console. For debugging purposes. */ +void PrintByteExtract(ByteExtractData *data) +{ + if (data == NULL) + return; + + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, + "bytes_to_grab = %d, offset = %d, relative = %d, convert = %d, " + "align = %d, endianess = %d, base = %d, " + "multiplier = %d, var_num = %d, name = %s\n", + data->bytes_to_grab, + data->offset, + data->relative_flag, + data->data_string_convert_flag, + data->align, + data->endianess, + data->base, + data->multiplier, + data->var_number, + data->name);); +} +#endif + +/* Hash functions. 
Make sure to update these when the data struct changes! */ +uint32_t ByteExtractHash(void *d) +{ + uint32_t a,b,c; + ByteExtractData *data = (ByteExtractData *)d; + + a = data->bytes_to_grab; + b = data->offset; + c = data->base; + + mix(a,b,c); + + a += (data->relative_flag << 24 | + data->data_string_convert_flag << 16 | + data->align << 8 | + data->endianess); + b += data->multiplier; + c += data->var_number; + + mix(a,b,c); + + a += RULE_OPTION_TYPE_BYTE_EXTRACT; +#if (defined(__ia64) || defined(__amd64) || defined(_LP64)) + { + /* Cleanup warning because of cast from 64bit ptr to 32bit int + * warning on 64bit OSs */ + uint64_t ptr; /* Addresses are 64bits */ + + ptr = (uint64_t) data->byte_order_func; + b += (ptr << 32) & 0XFFFFFFFF; + c += (ptr & 0xFFFFFFFF); + } +#else + b += (uint32_t)data->byte_order_func; +#endif + + final(a,b,c); + + return c; +} + +int ByteExtractCompare(void *l, void *r) +{ + ByteExtractData *left = (ByteExtractData *) l; + ByteExtractData *right = (ByteExtractData *) r; + + if (!left || !right) + return DETECTION_OPTION_NOT_EQUAL; + + if ((left->bytes_to_grab == right->bytes_to_grab) && + (left->offset == right->offset) && + (left->relative_flag == right->relative_flag) && + (left->data_string_convert_flag == right->data_string_convert_flag) && + (left->align == right->align) && + (left->endianess == right->endianess) && + (left->base == right->base) && + (left->multiplier == right->multiplier) && + (left->var_number == right->var_number) && + (left->byte_order_func == right->byte_order_func)) + { + return DETECTION_OPTION_EQUAL; + } + + return DETECTION_OPTION_NOT_EQUAL; +} + +void ByteExtractFree(void *d) +{ + ByteExtractData *data = (ByteExtractData *)d; + free(data->name); + free(data); +} + +/* Checks a ByteExtractData instance for errors. 
*/ +static int ByteExtractVerify(ByteExtractData *data) +{ + if (data->bytes_to_grab > MAX_BYTES_TO_GRAB && data->data_string_convert_flag == 0) + { + ParseError("byte_extract rule option cannot extract more than %d bytes.", + MAX_BYTES_TO_GRAB); + } + + if (data->bytes_to_grab > PARSELEN && data->data_string_convert_flag == 1) + { + ParseError("byte_extract rule cannot process more than %d bytes for " + "string extraction.", PARSELEN); + } + + if (data->offset < MIN_BYTE_EXTRACT_OFFSET || data->offset > MAX_BYTE_EXTRACT_OFFSET) + { + ParseError("byte_extract rule option has invalid offset. " + "Valid offsets are between %d and %d.", + MIN_BYTE_EXTRACT_OFFSET, MAX_BYTE_EXTRACT_OFFSET); + } + + if (data->multiplier < MIN_BYTE_EXTRACT_MULTIPLIER || data->multiplier > MAX_BYTE_EXTRACT_MULTIPLIER) + { + ParseError("byte_extract rule option has invalid multiplier. " + "Valid multipliers are between %d and %d.", + MIN_BYTE_EXTRACT_MULTIPLIER, MAX_BYTE_EXTRACT_MULTIPLIER); + } + + if (data->bytes_to_grab == 0) + ParseError("byte_extract rule option extracts zero bytes. " + "\"bytes_to_extract\" must be 1 or greater."); + + if (data->align != 0 && data->align != 2 && data->align != 4) + ParseError("byte_extract rule option has an invalid argument " + "to \"align\". Valid arguments are \'2\' and \'4\'."); + + if (data->offset < 0 && data->relative_flag == 0) + ParseError("byte_extract rule option has a negative offset, but does " + "not use the \"relative\" option."); + + if (data->name && isdigit(data->name[0])) + { + ParseError("byte_extract rule option has a name which starts with a digit. " + "Variable names must start with a letter."); + } + + if (data->base && !data->data_string_convert_flag) + { + ParseError("byte_extract rule option has a string converstion type " + "(\"dec\", \"hex\", or \"oct\") without the \"string\" " + "argument."); + } + + return BYTE_EXTRACT_SUCCESS; +} + +/* Parsing function. 
*/ +static int ByteExtractParse(ByteExtractData *data, char *args) +{ + char *args_copy = SnortStrdup(args); + char *endptr, *saveptr = args_copy; + char *token = strtok_r(args_copy, ",", &saveptr); + RuleOptByteOrderFunc tmp_byte_order_func = NULL; + + /* set defaults / sentinels */ + data->multiplier = 1; + data->endianess = ENDIAN_NONE; + + /* first: bytes_to_extract */ + if (token) + { + data->bytes_to_grab = SnortStrtoul(token, &endptr, 10); + if (*endptr != '\0') + ParseError("byte_extract rule option has non-digits in the " + "\"bytes_to_extract\" field."); + token = strtok_r(NULL, ",", &saveptr); + } + + /* second: offset */ + if (token) + { + data->offset = SnortStrtoul(token, &endptr, 10); + if (*endptr != '\0') + ParseError("byte_extract rule option has non-digits in the " + "\"offset\" field."); + token = strtok_r(NULL, ",", &saveptr); + } + + /* third: variable name */ + if (token) + { + data->name = SnortStrdup(token); + token = strtok_r(NULL, ",", &saveptr); + } + + /* optional arguments */ + while (token) + { + if (strcmp(token, "relative") == 0) + { + data->relative_flag = 1; + } + + else if (strncmp(token, "align ", 6) == 0) + { + char *value = (token+6); + + if (data->align == 0) + data->align = (uint8_t)SnortStrtoul(value, &endptr, 10); + else + ParseError("byte_extract rule option includes the " + "\"align\" argument twice."); + + if (*endptr != '\0') + ParseError("byte_extract rule option has non-digits in the " + "argument to \"align\". "); + } + + else if (strcmp(token, "little") == 0) + { + if (data->endianess == ENDIAN_NONE) + data->endianess = LITTLE; + else + ParseError("byte_extract rule option specifies the " + "byte order twice. Use only one of \"big\", \"little\", " + "or \"dce\"."); + } + + else if (strcmp(token, "big") == 0) + { + if (data->endianess == ENDIAN_NONE) + data->endianess = BIG; + else + ParseError("byte_extract rule option specifies the " + "byte order twice. 
Use only one of \"big\", \"little\", " + "or \"dce\"."); + } + + else if (strncmp(token, "multiplier ", 11) == 0) + { + char *value = (token+11); + if (token == NULL) + ParseError("byte_extract rule option has a \"multiplier\" " + "argument with no value specified."); + + if (data->multiplier == 1) + { + data->multiplier = SnortStrtoul(value, &endptr, 10); + + if (*endptr != '\0') + ParseError("byte_extract rule option has non-digits in the " + "argument to \"multiplier\". "); + } + else + ParseError("byte_extract rule option has multiple " + "\"multiplier\" arguments. Use only one."); + } + + else if (strcmp(token, "string") == 0) + { + if (data->data_string_convert_flag == 0) + data->data_string_convert_flag = 1; + else + ParseError("byte_extract rule option has multiple " + "\"string\" arguments. Use only one."); + } + + else if (strcmp(token, "dec") == 0) + { + if (data->base == 0) + data->base = 10; + else + ParseError("byte_extract rule option has multiple arguments " + "specifying the type of string conversion. Use only " + "one of \"dec\", \"hex\", or \"oct\"."); + } + + else if (strcmp(token, "hex") == 0) + { + if (data->base == 0) + data->base = 16; + else + ParseError("byte_extract rule option has multiple arguments " + "specifying the type of string conversion. Use only " + "one of \"dec\", \"hex\", or \"oct\"."); + } + + else if (strcmp(token, "oct") == 0) + { + if (data->base == 0) + data->base = 8; + else + ParseError("byte_extract rule option has multiple arguments " + "specifying the type of string conversion. Use only " + "one of \"dec\", \"hex\", or \"oct\"."); + } + + else if ((tmp_byte_order_func = GetByteOrderFunc(token)) != NULL) + { + if (data->endianess == ENDIAN_NONE) + { + data->endianess = ENDIAN_FUNC; + data->byte_order_func = tmp_byte_order_func; + } + else + { + ParseError("byte_extract rule option specifies the " + "byte order twice. 
Use only one of \"big\", \"little\", " + "or \"dce\"."); + } + } + + else + { + ParseError("byte_extract rule option has invalid argument \"%s\".", token); + } + + token = strtok_r(NULL, ",", &saveptr); + } + + free(args_copy); + + /* Need to check this error before the sentinel gets replaced */ + if (data->endianess != ENDIAN_NONE && data->data_string_convert_flag == 1) + { + ParseError("byte_extract rule option can't have \"string\" specified " + "at the same time as a byte order (\"big\" or \"little\")."); + } + + /* Replace sentinels with defaults */ + if (data->endianess == ENDIAN_NONE) + data->endianess = BIG; + + if (data->data_string_convert_flag && (data->base == 0)) + data->base = 10; + + /* At this point you could verify the data and return something. */ + return ByteExtractVerify(data); +} + +/* Given a variable name, retrieve its index. For use by other options. */ +int8_t GetVarByName(char *name) +{ + int i; + + if (name == NULL) + return BYTE_EXTRACT_NO_VAR; + + for (i = 0; i < NUM_BYTE_EXTRACT_VARS; i++) + { + if (variable_names[i] != NULL && strcmp(variable_names[i], name) == 0) + return i; + } + + return BYTE_EXTRACT_NO_VAR; +} + +/* If given an OptFpList with no byte_extracts, clear the variable_names array */ +void ClearVarNames(OptFpList *fpl) +{ + int i; + + while (fpl != NULL) + { + if (fpl->type == RULE_OPTION_TYPE_BYTE_EXTRACT) + return; + + fpl = fpl->next; + } + + for (i = 0; i < NUM_BYTE_EXTRACT_VARS; i++) + { + free(variable_names[i]); + variable_names[i] = NULL; + } +} + +/* Add a variable's name to the variable_names array + Returns: variable index +*/ +int8_t AddVarNameToList(ByteExtractData *data) +{ + int i; + + for (i = 0; i < NUM_BYTE_EXTRACT_VARS; i++) + { + if (variable_names[i] == NULL) + { + variable_names[i] = SnortStrdup(data->name); + break; + } + + else if ( strcmp(variable_names[i], data->name) == 0 ) + { + break; + } + } + + return i; +} + + +/* Inititialization function. Handles rule parsing. 
*/ +static void ByteExtractInit(char *data, OptTreeNode *otn, int protocol) +{ + ByteExtractData *idx; + OptFpList *fpl; + void *idx_dup; + + idx = (ByteExtractData *) SnortAlloc(sizeof(ByteExtractData)); + + /* Clear out the variable_names array if this is the first byte_extract in a rule. */ + ClearVarNames(otn->opt_func); + + /* Parse the options */ + ByteExtractParse(idx, data); + + /* There can only be two unique variables names in a rule. */ + idx->var_number = AddVarNameToList(idx); + if (idx->var_number >= NUM_BYTE_EXTRACT_VARS) + { + ParseError("Rule has more than %d byte_extract variables.", NUM_BYTE_EXTRACT_VARS); + } +#ifdef DEBUG_MSGS + PrintByteExtract(idx); +#endif + + fpl = AddOptFuncToList(DetectByteExtract, otn); + fpl->type = RULE_OPTION_TYPE_BYTE_EXTRACT; + if (add_detection_option(RULE_OPTION_TYPE_BYTE_EXTRACT, (void *)idx, &idx_dup) == DETECTION_OPTION_EQUAL) + { + /* duplicate exists. */ + free(idx->name); + free(idx); + idx = idx_dup; + } + + fpl->context = (void *) idx; + + if (idx->relative_flag == 1) + fpl->isRelative = 1; +} + + +/* Main detection callback */ +int DetectByteExtract(void *option_data, Packet *p) +{ + ByteExtractData *data = (ByteExtractData *) option_data; + int ret, bytes_read, dsize; + const uint8_t *ptr, *start, *end; + uint32_t *value; + int32_t offset; + uint8_t rst_doe_flags = 1; + PROFILE_VARS; + + PREPROC_PROFILE_START(byteExtractPerfStats); + + if (data == NULL || p == NULL) + { + PREPROC_PROFILE_END(byteExtractPerfStats); + return DETECTION_OPTION_NO_MATCH; + } + + /* setup our fun pointers */ + if (Is_DetectFlag(FLAG_ALT_DETECT)) + { + dsize = DetectBuffer.len; + start = DetectBuffer.data; + } + else if (Is_DetectFlag(FLAG_ALT_DECODE)) + { + dsize = DecodeBuffer.len; + start = DecodeBuffer.data; + } + else + { + if(IsLimitedDetect(p)) + dsize = p->alt_dsize; + else + dsize = p->dsize; + start = p->data; + } + + if (data->relative_flag) + { + ptr = doe_ptr; + rst_doe_flags = 0; + } + else + ptr = start; + + ptr 
+= data->offset; + end = start + dsize; + value = &(extracted_values[data->var_number]); + + /* check bounds */ + if (ptr < start || ptr >= end) + { + PREPROC_PROFILE_END(byteExtractPerfStats); + return DETECTION_OPTION_NO_MATCH; + } + + /* get the endianess at run-time if we have a byte_order_func */ + if (data->byte_order_func) + { + offset = (int32_t) (ptr - start); + data->endianess = data->byte_order_func((void *)p, offset); + } + if (data->endianess == -1) + { + /* Sometimes the byte_order_func deems that the packet should be skipped */ + PREPROC_PROFILE_END(byteExtractPerfStats); + return DETECTION_OPTION_NO_MATCH; + } + + /* do the extraction */ + if (data->data_string_convert_flag == 0) + { + ret = byte_extract(data->endianess, data->bytes_to_grab, ptr, start, end, value); + if (ret < 0) + { + PREPROC_PROFILE_END(byteExtractPerfStats); + return DETECTION_OPTION_NO_MATCH; + } + bytes_read = data->bytes_to_grab; + } + else + { + ret = string_extract(data->bytes_to_grab, data->base, ptr, start, end, value); + if (ret < 0) + { + PREPROC_PROFILE_END(byteExtractPerfStats); + return DETECTION_OPTION_NO_MATCH; + } + bytes_read = ret; + } + + /* mulitply */ + *value *= data->multiplier; + + /* align to next 32-bit or 16-bit boundary */ + if ((data->align == 4) && (*value % 4)) + { + *value = *value + 4 - (*value % 4); + } + else if ((data->align == 2) && (*value % 2)) + { + *value = *value + 2 - (*value % 2); + } + + /* push doe_ptr */ + UpdateDoePtr((ptr + bytes_read), rst_doe_flags); + + /* this rule option always "matches" if the read is performed correctly */ + PREPROC_PROFILE_END(byteExtractPerfStats); + return DETECTION_OPTION_MATCH; +} + +/* Setters & Getters for extracted values */ +int GetByteExtractValue(uint32_t *dst, int8_t var_number) +{ + if (dst == NULL || var_number >= NUM_BYTE_EXTRACT_VARS) + return BYTE_EXTRACT_NO_VAR; + + *dst = extracted_values[var_number]; + + return 0; +} + +int SetByteExtractValue(uint32_t value, int8_t var_number) +{ + if 
(var_number >= NUM_BYTE_EXTRACT_VARS) + return BYTE_EXTRACT_NO_VAR; + + extracted_values[var_number] = value; + + return 0; +} diff -Nru snort-2.8.5.2/src/detection-plugins/sp_byte_extract.h snort-2.9.2/src/detection-plugins/sp_byte_extract.h --- snort-2.8.5.2/src/detection-plugins/sp_byte_extract.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_byte_extract.h 2011-06-08 00:33:09.000000000 +0000 
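Review bot: GetByteExtractValue and SetByteExtractValue check `var_number >= NUM_BYTE_EXTRACT_VARS` but not `var_number < 0`, yet the parameter is `int8_t` and `BYTE_EXTRACT_NO_VAR` (-1) is exactly what GetVarByName returns for an unknown name, so a caller that forwards that result indexes `extracted_values[-1]`; the guards should read `if (dst == NULL || var_number < 0 || var_number >= NUM_BYTE_EXTRACT_VARS)` and `if (var_number < 0 || var_number >= NUM_BYTE_EXTRACT_VARS)` (the callers in ByteTest happen to test `>= 0` themselves, but the accessor is the public API). In DetectByteExtract the relative path does `ptr = doe_ptr;` and then `ptr += data->offset;` with no NULL test, while ByteTest in this same diff guards with `btd->relative_flag && doe_ptr`; if doe_ptr can be NULL here, the later `ptr < start` comparison is made on an invalid pointer, and `if (doe_ptr == NULL) { PREPROC_PROFILE_END(byteExtractPerfStats); return DETECTION_OPTION_NO_MATCH; }` before the arithmetic would close it. In ByteExtractParse's `multiplier` branch, `if (token == NULL)` after `char *value = (token+11);` can never be true inside `while (token)`; the intended test is `if (*value == '\0')`. ByteExtractHash repeats the `(ptr << 32) & 0XFFFFFFFF` expression raised at the sp_byte_check.c hash hunk.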
@@ -0,0 +1,68 @@ +/* +** Copyright (C) 2010-2011 Sourcefire, Inc. +** Author: Ryan Jordan <ryan.jordan@sourcefire.com> +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License Version 2 as +** published by the Free Software Foundation. You may not use, modify or +** distribute this program under any other version of the GNU General +** Public License. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +*/ + +#ifndef __SP_BYTE_EXTRACT_H__ +#define __SP_BYTE_EXTRACT_H__ + +#include "decode.h" +#include "plugbase.h" + +#define BYTE_EXTRACT_SUCCESS 1 +#define BYTE_EXTRACT_FAILURE -1 + +#define NUM_BYTE_EXTRACT_VARS 2 +#define BYTE_EXTRACT_NO_VAR -1 +#define BYTE_EXTRACT_INVALID_ERR_STR "Rule option uses an undefined byte_extract variable name." 
+#define MAX_BYTES_TO_GRAB 4 + +#define MIN_BYTE_EXTRACT_OFFSET -65535 +#define MAX_BYTE_EXTRACT_OFFSET 65535 +#define MIN_BYTE_EXTRACT_MULTIPLIER 1 +#define MAX_BYTE_EXTRACT_MULTIPLIER 65535 + +typedef struct _ByteExtractData +{ + uint32_t bytes_to_grab; + int32_t offset; + uint8_t relative_flag; + uint8_t data_string_convert_flag; + uint8_t align; + int8_t endianess; + uint32_t base; + uint32_t multiplier; + int8_t var_number; + char *name; + RuleOptByteOrderFunc byte_order_func; +} ByteExtractData; + +void SetupByteExtract(void); +uint32_t ByteExtractHash(void *d); +int ByteExtractCompare(void *l, void *r); +int DetectByteExtract(void *, Packet *); +void ByteExtractFree(void *d); + +int8_t GetVarByName(char *name); +void ClearVarNames(OptFpList *fpl); +int8_t AddVarNameToList(ByteExtractData *data); + +int GetByteExtractValue(uint32_t *dst, int8_t var_number); +int SetByteExtractValue(uint32_t value, int8_t var_number); + +#endif /* __SP_BYTE_EXTRACT_H__ */ diff -Nru snort-2.8.5.2/src/detection-plugins/sp_byte_jump.c snort-2.9.2/src/detection-plugins/sp_byte_jump.c --- snort-2.8.5.2/src/detection-plugins/sp_byte_jump.c 2009-05-06 22:28:27.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_byte_jump.c 2011-11-21 20:15:24.000000000 +0000 @@ -1,6 +1,6 @@ /* $Id$ */ /* - ** Copyright (C) 2002-2009 Sourcefire, Inc. + ** Copyright (C) 2002-2011 Sourcefire, Inc. ** Author: Martin Roesch ** ** This program is free software; you can redistribute it and/or modify @@ -19,10 +19,10 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ -/* sp_byte_jump - * +/* sp_byte_jump + * * Purpose: - * Grab some number of bytes, convert them to their numeric + * Grab some number of bytes, convert them to their numeric * representation, jump the doe_ptr up that many bytes (for * further pattern matching/byte_testing). * 
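Review bot: The accessor prototypes `GetByteExtractValue`/`SetByteExtractValue` state neither the valid range of `var_number` nor what is returned outside it; a comment such as `/* var_number must be in [0, NUM_BYTE_EXTRACT_VARS); returns BYTE_EXTRACT_NO_VAR otherwise, 0 on success */` would pin the contract the .c file only partially enforces. `#define BYTE_EXTRACT_NO_VAR -1` and `#define MIN_BYTE_EXTRACT_OFFSET -65535` expand to bare negative literals; `(-1)` and `(-65535)` are the defensive convention for macro values and cost nothing. The include guard `__SP_BYTE_EXTRACT_H__` is a double-underscore identifier reserved for the implementation; if the rest of the tree uses the same pattern it is a project convention to keep, otherwise `SP_BYTE_EXTRACT_H` is the portable form.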
@@ -39,10 +39,10 @@ * ["hex"]: converted string data is represented in hexidecimal * ["dec"]: converted string data is represented in decimal * ["oct"]: converted string data is represented in octal - * ["align"]: round the number of converted bytes up to the next + * ["align"]: round the number of converted bytes up to the next * 32-bit boundry - * ["post_offset"]: number of bytes to adjust after applying - * + * ["post_offset"]: number of bytes to adjust after applying + * * sample rules: * alert udp any any -> any 32770:34000 (content: "|00 01 86 B8|"; \ * content: "|00 00 00 01|"; distance: 4; within: 4; \ @@ -52,7 +52,7 @@ * * Effect: * - * Reads in the indicated bytes, converts them to an numeric + * Reads in the indicated bytes, converts them to an numeric * representation and then jumps the doe_ptr up * that number of bytes. Returns 1 if the jump is in range (within the * packet) and 0 if it's not. @@ -75,17 +75,20 @@ #endif #include <errno.h> -#include "bounds.h" +#include "sf_types.h" +#include "snort_bounds.h" #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" #include "mstring.h" #include "byte_extract.h" #include "sp_byte_jump.h" +#include "sp_byte_extract.h" #include "sfhashfcn.h" #include "snort.h" 
@@ -97,21 +100,23 @@ #include "sfhashfcn.h" #include "detection_options.h" - -extern const uint8_t *doe_ptr; -extern uint8_t DecodeBuffer[DECODE_BLEN]; +#include "detection_util.h" typedef struct _ByteJumpOverrideData { char *keyword; char *option; - RuleOptOverrideFunc func; + union + { + RuleOptOverrideFunc fptr; + void *void_fptr; + } fptr; struct _ByteJumpOverrideData *next; } ByteJumpOverrideData; ByteJumpOverrideData *byteJumpOverrideFuncs = NULL; -static void ByteJumpOverride(char *keyword, char *option, RuleOptOverrideFunc func); +static void ByteJumpOverride(char *keyword, char *option, RuleOptOverrideFunc roo_func); static void ByteJumpOverrideFuncsFree(void); static void ByteJumpInit(char *, OptTreeNode *, int); static ByteJumpOverrideData * ByteJumpParse(char *, ByteJumpData *, OptTreeNode *); @@ -127,25 +132,42 @@ b = data->offset; c = data->base; - mix(a,b,c); - + mix(a,b,c); + a += (data->relative_flag << 24 | data->data_string_convert_flag << 16 | data->from_beginning_flag << 8 | - data->align_flag); + data->align_flag); b += data->endianess; c += data->multiplier; mix(a,b,c); - + a += RULE_OPTION_TYPE_BYTE_JUMP; b += data->post_offset; + c += data->offset_var; + + mix(a,b,c); + +#if (defined(__ia64) || defined(__amd64) || defined(_LP64)) + { + /* Cleanup warning because of cast from 64bit ptr to 32bit int + * warning on 64bit OSs */ + uint64_t ptr; /* Addresses are 64bits */ + + ptr = (uint64_t) data->byte_order_func; + a += (ptr << 32) & 0XFFFFFFFF; + b += (ptr & 0xFFFFFFFF); + } +#else + a += (uint32_t)data->byte_order_func; +#endif final(a,b,c); - + return c; -} - +} + int ByteJumpCompare(void *l, void *r) { ByteJumpData *left = (ByteJumpData *)l; 
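Review bot: In the 64-bit branch of ByteJumpHash, `a += (ptr << 32) & 0XFFFFFFFF;` always adds zero, because shifting the pointer left by 32 leaves nothing in the low 32 bits that the mask keeps, so the upper half of `byte_order_func` never reaches the hash and only `b` receives the low half. The intent reads as folding the high word into `a`, which is `a += (uint32_t)(ptr >> 32);`. Matching is unaffected, since ByteJumpCompare still compares `byte_order_func` directly, but the hash used to deduplicate options is weaker than intended, and the `0X` spelling next to the lowercase `0xFFFFFFFF` on the following line looks like part of the same slip. ByteJumpHash begins before this hunk.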
@@ -156,6 +178,7 @@ if (( left->bytes_to_grab == right->bytes_to_grab) && ( left->offset == right->offset) && + ( left->offset_var == right->offset_var) && ( left->relative_flag == right->relative_flag) && ( left->data_string_convert_flag == right->data_string_convert_flag) && ( left->from_beginning_flag == right->from_beginning_flag) && @@ -163,7 +186,8 @@ ( left->endianess == right->endianess) && ( left->base == right->base) && ( left->multiplier == right->multiplier) && - ( left->post_offset == right->post_offset)) + ( left->post_offset == right->post_offset) && + ( left->byte_order_func == right->byte_order_func)) { return DETECTION_OPTION_EQUAL; } @@ -171,14 +195,14 @@ return DETECTION_OPTION_NOT_EQUAL; } -static void ByteJumpOverride(char *keyword, char *option, RuleOptOverrideFunc func) +static void ByteJumpOverride(char *keyword, char *option, RuleOptOverrideFunc roo_func) { ByteJumpOverrideData *new = SnortAlloc(sizeof(ByteJumpOverrideData)); new->keyword = strdup(keyword); new->option = strdup(option); - new->func = func; - + new->func = roo_func; + new->next = byteJumpOverrideFuncs; byteJumpOverrideFuncs = new; } @@ -206,7 +230,7 @@ } /**************************************************************************** - * + * * Function: SetupByteJump() * * Purpose: Load 'er up @@ -223,7 +247,7 @@ ByteJumpOverrideFuncsFree(); /* map the keyword to an initialization/processing function */ - RegisterRuleOption("byte_jump", ByteJumpInit, ByteJumpOverride, OPT_TYPE_DETECTION); + RegisterRuleOption("byte_jump", ByteJumpInit, ByteJumpOverride, OPT_TYPE_DETECTION, NULL); AddFuncToCleanExitList(ByteJumpOverrideCleanup, NULL); AddFuncToRuleOptParseCleanupList(ByteJumpOverrideFuncsFree); 
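Review bot: `new->func = roo_func;` in ByteJumpOverride assigns to a member that the struct rewritten earlier in this commit no longer declares directly; the new ByteJumpOverrideData holds a union named `fptr` with members `fptr` and `void_fptr`. Presumably this compiles only because a project-wide macro maps `func` onto `fptr.fptr`, which is opaque to a reader of this file; the direct form `new->fptr.fptr = roo_func;` says what is stored, and any other reads of the member elsewhere in the file would want the same spelling. The override lookup that consumes this field is outside the hunk.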
@@ -236,10 +260,10 @@ /**************************************************************************** - * + * * Function: ByteJumpInit(char *, OptTreeNode *) * - * Purpose: Generic rule configuration function. Handles parsing the rule + * Purpose: Generic rule configuration function. Handles parsing the rule * information and attaching the associated detection function to * the OTN. * @@ -263,11 +287,11 @@ if(idx == NULL) { - FatalError("%s(%d): Unable to allocate byte_jump data node\n", + FatalError("%s(%d): Unable to allocate byte_jump data node\n", file_name, file_line); } - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ override = ByteJumpParse(data, idx, otn); if (override != NULL) @@ -320,7 +344,7 @@ } /**************************************************************************** - * + * * Function: ByteJumpParse(char *, ByteJumpData *, OptTreeNode *) * * Purpose: This is the function that is used to process the option keyword's @@ -340,8 +364,7 @@ int num_toks; char *cptr; int i =0; - - idx->multiplier = 1; + RuleOptByteOrderFunc tmp_byte_order_func = NULL; toks = mSplit(data, ",", 12, &num_toks, 0); @@ -365,12 +388,24 @@ } /* set offset */ - idx->offset = strtol(toks[1], &endp, 10); + if (isdigit(toks[1][0]) || toks[1][0] == '-') + { + idx->offset = strtol(toks[1], &endp, 10); + idx->offset_var = -1; - if(endp==toks[1]) + if(endp==toks[1]) + { + FatalError("%s(%d): Unable to parse as offset %s\n", + file_name, file_line, toks[1]); + } + } + else { - FatalError("%s(%d): Unable to parse as offset %s\n", - file_name, file_line, toks[1]); + idx->offset_var = GetVarByName(toks[1]); + if (idx->offset_var == BYTE_EXTRACT_NO_VAR) + { + FatalError("%s (%d): %s\n", file_name, file_line, BYTE_EXTRACT_INVALID_ERR_STR); + } } i = 2; 
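Review bot: `isdigit(toks[1][0])` in the new offset branch passes a plain `char` to a <ctype.h> function, which is undefined for negative values where `char` is signed; rule text is operator-supplied rather than packet data, but the cast costs nothing: `if (isdigit((unsigned char)toks[1][0]) || toks[1][0] == '-')`. The branch also decides between a literal and a byte_extract variable on the first character alone, so an offset written with a leading `+` or leading whitespace (if mSplit does not trim it) now goes to GetVarByName and fails as an unknown variable, where the old unconditional `strtol` accepted both; if that narrowing is intended, a comment should say so. The new message `"%s (%d): %s\n"` also departs from the `"%s(%d): ..."` prefix every other FatalError in this file uses. ByteJumpParse continues outside the hunk.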
@@ -395,7 +430,7 @@ } else if(!strcasecmp(cptr, "string")) { - /* the data will be represented as a string that needs + /* the data will be represented as a string that needs * to be converted to an int, binary is assumed otherwise */ idx->data_string_convert_flag = 1; @@ -439,7 +474,7 @@ } if ((factor <= 0) || (endp != cptr + multiplier_len)) { - FatalError("%s(%d): invalid length multiplier \"%s\"\n", + FatalError("%s(%d): invalid length multiplier \"%s\"\n", file_name, file_line, cptr); } idx->multiplier = factor; @@ -458,11 +493,15 @@ } if (endp != cptr + postoffset_len) { - FatalError("%s(%d): invalid post_offset \"%s\"\n", + FatalError("%s(%d): invalid post_offset \"%s\"\n", file_name, file_line, cptr); } idx->post_offset = factor; } + else if ((tmp_byte_order_func = GetByteOrderFunc(cptr)) != NULL) + { + idx->byte_order_func = tmp_byte_order_func; + } else { ByteJumpOverrideData *override = byteJumpOverrideFuncs; @@ -478,7 +517,7 @@ override = override->next; } - FatalError("%s(%d): unknown modifier \"%s\"\n", + FatalError("%s(%d): unknown modifier \"%s\"\n", file_name, file_line, cptr); } @@ -499,7 +538,7 @@ /**************************************************************************** - * + * * Function: ByteJump(char *, OptTreeNode *, OptFpList *) * * Purpose: Use this function to perform the particular detection routine @@ -510,7 +549,7 @@ * fp_list => pointer to the function pointer list * * Returns: If the detection test fails, this function *must* return a zero! - * On success, it calls the next function in the detection list + * On success, it calls the next function in the detection list * ****************************************************************************/ int ByteJump(void *option_data, Packet *p) 
@@ -520,26 +559,36 @@ uint32_t value = 0; uint32_t jump_value = 0; uint32_t payload_bytes_grabbed = 0; - int32_t tmp = 0; + uint32_t extract_offset; + int32_t offset, tmp = 0; int dsize; - int use_alt_buffer = p->packet_flags & PKT_ALT_DECODE; const uint8_t *base_ptr, *end_ptr, *start_ptr; + uint8_t rst_doe_flags = 1; PROFILE_VARS; PREPROC_PROFILE_START(byteJumpPerfStats); - if(use_alt_buffer) + if (Is_DetectFlag(FLAG_ALT_DETECT)) { - dsize = p->alt_dsize; - start_ptr = DecodeBuffer; - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + dsize = DetectBuffer.len; + start_ptr = DetectBuffer.data; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Using Alternative Detect buffer!\n");); + } + else if(Is_DetectFlag(FLAG_ALT_DECODE)) + { + dsize = DecodeBuffer.len; + start_ptr = DecodeBuffer.data; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Using Alternative Decode buffer!\n");); - } else { start_ptr = p->data; - dsize = p->dsize; + if(IsLimitedDetect(p)) + dsize = p->alt_dsize; + else + dsize = p->dsize; } DEBUG_WRAP( @@ -551,10 +600,25 @@ end_ptr = start_ptr + dsize; base_ptr = start_ptr; - if(doe_ptr) + /* Get values from byte_extract variables, if present. */ + if (bjd->offset_var >= 0 && bjd->offset_var < NUM_BYTE_EXTRACT_VARS) { - /* @todo: possibly degrade to use the other buffer, seems non-intuitive*/ - if(!inBounds(start_ptr, end_ptr, doe_ptr)) + GetByteExtractValue(&extract_offset, bjd->offset_var); + bjd->offset = (int32_t) extract_offset; + } + + if(bjd->relative_flag && doe_ptr) + { + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Checking relative offset!\n");); + + /* @todo: possibly degrade to use the other buffer, seems non-intuitive + * Because doe_ptr can be "end" in the last match, + * use end + 1 for upper bound + * Bound checked also after offset is applied + * (see byte_extract() and string_extract()) + */ + if(!inBounds(start_ptr, end_ptr + 1, doe_ptr)) { DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "[*] byte jump bounds check failed..\n");); 
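Review bot: The return value of `GetByteExtractValue(&extract_offset, bjd->offset_var)` is discarded, and `extract_offset` is declared without an initializer in the first hunk on this line, so if the lookup reports failure an indeterminate value is cast into `bjd->offset` and then used to place `base_ptr`; the later inBounds checks limit the damage, but the offset itself is garbage. Treat a failed lookup as a non-match, for example `if (GetByteExtractValue(&extract_offset, bjd->offset_var) != 0) { PREPROC_PROFILE_END(byteJumpPerfStats); return DETECTION_OPTION_NO_MATCH; }`, adjusting the comparison to whatever value that function returns on failure, which is not visible here. Separately, storing the per-packet value into `bjd->offset` mutates the rule option's data during evaluation; ByteJumpHash and ByteJumpCompare include `offset`, so the option is presumably shared between rules that parse identically, and a local `int32_t` used for the arithmetic below would avoid touching shared state. ByteJump continues outside the hunk.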
@@ -562,13 +626,9 @@ PREPROC_PROFILE_END(byteJumpPerfStats); return rval; } - } - if(bjd->relative_flag && doe_ptr) - { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Checking relative offset!\n");); base_ptr = doe_ptr + bjd->offset; + rst_doe_flags = 0; } else { @@ -577,9 +637,21 @@ base_ptr = start_ptr + bjd->offset; } + /* Use byte_order_func to determine endianess, if present */ + if (bjd->byte_order_func) + { + offset = (int32_t) (base_ptr - p->data); + bjd->endianess = bjd->byte_order_func(p, offset); + if (bjd->endianess == -1) + { + PREPROC_PROFILE_END(byteJumpPerfStats); + return DETECTION_OPTION_NO_MATCH; + } + } + /* Both of the extraction functions contain checks to insure the data * is always inbounds */ - + if(!bjd->data_string_convert_flag) { if(byte_extract(bjd->endianess, bjd->bytes_to_grab, @@ -610,16 +682,17 @@ } DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "grabbed %d of %d bytes, value = %08X\n", + "grabbed %d of %d bytes, value = %08X\n", payload_bytes_grabbed, bjd->bytes_to_grab, value);); - /* Adjust the jump_value (# bytes to jump forward) with - * the multiplier. - */ - jump_value = value * bjd->multiplier; + /* Adjust the jump_value (# bytes to jump forward) with the multiplier. */ + if (bjd->multiplier) + jump_value = value * bjd->multiplier; + else + jump_value = value; DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "grabbed %d of %d bytes, after multiplier value = %08X\n", + "grabbed %d of %d bytes, after multiplier value = %08X\n", payload_bytes_grabbed, bjd->bytes_to_grab, jump_value);); @@ -628,7 +701,7 @@ */ if(bjd->align_flag) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "offset currently at %d\n", jump_value);); if ((jump_value % 4) != 0) { 
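Review bot: `offset = (int32_t) (base_ptr - p->data);` in the new byte_order_func block assumes `base_ptr` lies inside the packet payload, but the buffer selection earlier in ByteJump sets `start_ptr` to `DetectBuffer.data` or `DecodeBuffer.data` when an alternate buffer is active, so in those cases the subtraction is between pointers into different objects (undefined in C) and the result bears no relation to `p->data`. Either compute the offset against `start_ptr` if that is what the callback expects, or skip the callback when an alternate buffer is in use; which is right depends on the RuleOptByteOrderFunc contract, which is not visible here. As in the offset_var block above, `bjd->endianess = bjd->byte_order_func(p, offset);` writes a per-packet result into the shared rule option, overwriting the configured value rather than using a local. ByteJump continues outside the hunk.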
@@ -650,15 +723,14 @@ base_ptr = start_ptr; /* from base, push doe_ptr ahead "value" number of bytes */ - doe_ptr = base_ptr + jump_value; + SetDoePtr((base_ptr + jump_value), DOE_BUF_STD); } else { - doe_ptr = base_ptr + payload_bytes_grabbed + jump_value; - + UpdateDoePtr((base_ptr + payload_bytes_grabbed + jump_value), rst_doe_flags); } - + /* now adjust using post_offset -- before bounds checking */ doe_ptr += bjd->post_offset; @@ -670,7 +742,7 @@ return rval; } else - { + { rval = DETECTION_OPTION_MATCH; } diff -Nru snort-2.8.5.2/src/detection-plugins/sp_byte_jump.h snort-2.9.2/src/detection-plugins/sp_byte_jump.h --- snort-2.8.5.2/src/detection-plugins/sp_byte_jump.h 2009-05-06 22:28:27.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_byte_jump.h 2011-02-09 23:22:57.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -24,6 +24,7 @@ #define __SP_BYTE_JUMP_H__ #include "decode.h" +#include "plugbase.h" typedef struct _ByteJumpData { @@ -33,11 +34,12 @@ uint8_t data_string_convert_flag; uint8_t from_beginning_flag; uint8_t align_flag; - uint8_t endianess; + int8_t endianess; uint32_t base; uint32_t multiplier; int32_t post_offset; - + int8_t offset_var; + RuleOptByteOrderFunc byte_order_func; } ByteJumpData; void SetupByteJump(void); diff -Nru snort-2.8.5.2/src/detection-plugins/sp_clientserver.c snort-2.9.2/src/detection-plugins/sp_clientserver.c --- snort-2.8.5.2/src/detection-plugins/sp_clientserver.c 2009-05-06 22:28:27.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_clientserver.c 2011-07-13 22:44:51.000000000 +0000 
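Review bot: The two fields added to ByteJumpData, `offset_var` and `byte_order_func`, carry no comment, so the sentinel value and the callback's role are only discoverable by reading sp_byte_jump.c. Document them at the declaration, for example `int8_t offset_var; /* byte_extract variable index, or -1 when offset is a literal */` and `RuleOptByteOrderFunc byte_order_func; /* optional per-packet endianess callback; NULL when unset */`. The change of `endianess` from uint8_t to int8_t exists so the callback's -1 result can be stored, and a one-line comment there would save the next reader the same search.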
@@ -1,6 +1,6 @@ /* $Id$ */ /* - ** Copyright (C) 2002-2009 Sourcefire, Inc. + ** Copyright (C) 2002-2011 Sourcefire, Inc. ** Author: Martin Roesch ** ** This program is free software; you can redistribute it and/or modify @@ -19,18 +19,18 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ -/* sp_clientserver - * +/* sp_clientserver + * * Purpose: * - * Wouldn't be nice if we could tell a TCP rule to only apply if it's going - * to or from the client or server side of a connection? Think of all the + * Wouldn't be nice if we could tell a TCP rule to only apply if it's going + * to or from the client or server side of a connection? Think of all the * false alarms we could elminate! That's what we're doing with this one, * it allows you to write rules that only apply to client or server packets. * One thing though, you *must* have stream4 enabled for it to work! * * Arguments: - * + * * None. * * Effect: @@ -55,11 +55,13 @@ #include <string.h> #include <ctype.h> +#include "sf_types.h" #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" #include "snort.h" @@ -104,13 +106,13 @@ } int FlowCompare(void *l, void *r) -{ +{ ClientServerData *left = (ClientServerData *)l; ClientServerData *right = (ClientServerData *)r; if (!left || !right) return DETECTION_OPTION_NOT_EQUAL; - + if (( left->from_server == right->from_server) && ( left->from_client == right->from_client) && ( left->ignore_reassembled == right->ignore_reassembled) && @@ -134,7 +136,7 @@ { if( csd->from_server ) return 1; } - return 0; + return 0; } int OtnFlowFromClient( OptTreeNode * otn ) { @@ -145,7 +147,7 @@ { if( csd->from_client ) return 1; } - return 0; + return 0; } int OtnFlowIgnoreReassembled( OptTreeNode * otn ) { 
@@ -156,7 +158,7 @@ { if( csd->ignore_reassembled ) return 1; } - return 0; + return 0; } int OtnFlowOnlyReassembled( OptTreeNode * otn ) { @@ -167,11 +169,11 @@ { if( csd->only_reassembled ) return 1; } - return 0; + return 0; } /**************************************************************************** - * + * * Function: SetupClientServer() * * Purpose: Generic detection engine plugin template. Registers the @@ -186,19 +188,19 @@ void SetupClientServer(void) { /* map the keyword to an initialization/processing function */ - RegisterRuleOption("flow", FlowInit, NULL, OPT_TYPE_DETECTION); + RegisterRuleOption("flow", FlowInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("flow", &flowCheckPerfStats, 3, &ruleOTNEvalPerfStats); #endif - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Plugin: ClientServerName(Flow) Setup\n");); } /**************************************************************************** - * + * * Function: FlowInit(char *, OptTreeNode *) * * Purpose: Configure the flow init option to register the appropriate checks @@ -215,10 +217,10 @@ /* multiple declaration check */ if(otn->ds_list[PLUGIN_CLIENTSERVER]) { - FatalError("%s(%d): Multiple flow options in rule\n", file_name, + FatalError("%s(%d): Multiple flow options in rule\n", file_name, file_line); } - + InitFlowData(otn); ParseFlowArgs(data, otn); @@ -232,7 +234,7 @@ "for UDP traffic\n", file_name, file_line); } } - + if (protocol == IPPROTO_ICMP) { if ((csd->only_reassembled != ONLY_FRAG) && (csd->ignore_reassembled != IGNORE_FRAG)) @@ -244,7 +246,7 @@ } -static INLINE void CheckStream(char *token) +static inline void CheckStream(char *token) { if (!stream_api) { @@ -254,7 +256,7 @@ } /**************************************************************************** - * + * * Function: ParseFlowArgs(char *, OptTreeNode *) * * Purpose: parse the arguments to the flow plugin and alter the otn 
@@ -283,9 +285,9 @@ token = strtok(p, ","); - while(token) + while(token) { - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "parsed %s,(%d)\n", token,strlen(token));); while(isspace((int)*token)) @@ -300,12 +302,12 @@ { CheckStream(token); csd->from_server = 1; - } + } else if(!strcasecmp(token, "from_server")) { CheckStream(token); csd->from_server = 1; - } + } else if(!strcasecmp(token, "from_client")) { CheckStream(token); @@ -363,13 +365,19 @@ "and flow_from server", file_name, file_line); } - if(csd->ignore_reassembled && csd->only_reassembled) + if((csd->ignore_reassembled & IGNORE_STREAM) && (csd->only_reassembled & ONLY_STREAM)) { FatalError("%s:%d: Can't use no_stream and" " only_stream", file_name,file_line); } - if(otn->stateless && (csd->from_client || csd->from_server)) + if((csd->ignore_reassembled & IGNORE_FRAG) && (csd->only_reassembled & ONLY_FRAG)) + { + FatalError("%s:%d: Can't use no_frag and" + " only_frag", file_name,file_line); + } + + if(otn->stateless && (csd->from_client || csd->from_server)) { FatalError("%s:%d: Can't use flow: stateless option with" " other options", file_name, file_line); @@ -416,12 +424,12 @@ fpl->type = RULE_OPTION_TYPE_FLOW; fpl->context = (void *)csd; } - + free(str); } /**************************************************************************** - * + * * Function: InitFlowData(OptTreeNode *) * * Purpose: calloc the clientserver data node @@ -436,10 +444,10 @@ /* allocate the data structure and attach it to the rule's data struct list */ - otn->ds_list[PLUGIN_CLIENTSERVER] = (ClientServerData *) + otn->ds_list[PLUGIN_CLIENTSERVER] = (ClientServerData *) calloc(sizeof(ClientServerData), sizeof(char)); - if(otn->ds_list[PLUGIN_CLIENTSERVER] == NULL) + if(otn->ds_list[PLUGIN_CLIENTSERVER] == NULL) { FatalError("FlowData calloc Failed!\n"); } 
@@ -458,41 +466,11 @@ if ((csd->established == 1) && !(p->packet_flags & PKT_STREAM_EST)) { /* - ** We check to see if this packet may have been picked up in - ** midstream by stream4 on a timed out session. If it was, then - ** we'll go ahead and inspect it anyway because it might be a - ** packet that we dropped but the attacker has retransmitted after - ** the stream4 session timed out. + ** This option requires an established connection and it isn't + ** in that state yet, so no match. */ -#if 0 - if(ScInlineMode()) - { - switch(List->rtn->type) - { - case RULE_DROP: - case RULE_SDROP: - - if(stream_api && - !(stream_api->get_session_flags(p->ssnptr) & SSNFLAG_MIDSTREAM)) - { - return DETECTION_OPTION_NO_MATCH; - } - break; - - default: - return DETECTION_OPTION_NO_MATCH; - } - } - else -#endif - { - /* - ** This option requires an established connection and it isn't - ** in that state yet, so no match. - */ - PREPROC_PROFILE_END(flowCheckPerfStats); - return DETECTION_OPTION_NO_MATCH; - } + PREPROC_PROFILE_END(flowCheckPerfStats); + return DETECTION_OPTION_NO_MATCH; } else if ((csd->unestablished == 1) && (p->packet_flags & PKT_STREAM_EST)) { @@ -510,7 +488,7 @@ { if (ScStateful()) { - if (!(p->packet_flags & PKT_FROM_CLIENT) && + if (!(p->packet_flags & PKT_FROM_CLIENT) && (p->packet_flags & PKT_FROM_SERVER)) { /* No match on from_client */ @@ -525,7 +503,7 @@ { if (ScStateful()) { - if (!(p->packet_flags & PKT_FROM_SERVER) && + if (!(p->packet_flags & PKT_FROM_SERVER) && (p->packet_flags & PKT_FROM_CLIENT)) { /* No match on from_server */ 
@@ -557,8 +535,11 @@ /* ...only_reassembled */ if (csd->only_reassembled & ONLY_STREAM) { - if (!(p->packet_flags & PKT_REBUILT_STREAM)) - { + if ( !(p->packet_flags & PKT_REBUILT_STREAM) +#ifdef ENABLE_PAF + && !PacketHasFullPDU(p) +#endif + ) { PREPROC_PROFILE_END(flowCheckPerfStats); return DETECTION_OPTION_NO_MATCH; } diff -Nru snort-2.8.5.2/src/detection-plugins/sp_clientserver.h snort-2.9.2/src/detection-plugins/sp_clientserver.h --- snort-2.8.5.2/src/detection-plugins/sp_clientserver.h 2009-05-06 22:28:28.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_clientserver.h 2011-02-09 23:22:58.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.8.5.2/src/detection-plugins/sp_cvs.c snort-2.9.2/src/detection-plugins/sp_cvs.c --- snort-2.8.5.2/src/detection-plugins/sp_cvs.c 2009-05-06 22:28:28.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_cvs.c 2011-10-26 18:28:52.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2007-2009 Sourcefire, Inc. +** Copyright (C) 2007-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -22,7 +22,7 @@ ** ** @author Taimur Aslam ** @author Todd Wease -** +** ** @brief Decode and detect CVS vulnerabilities ** ** This CVS detection plugin provides support for detecting published CVS vulnerabilities. The @@ -46,14 +46,16 @@ #include <sys/types.h> #include <errno.h> +#include "sf_types.h" #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "mstring.h" -#include "bounds.h" +#include "snort_bounds.h" #include "sp_cvs.h" 
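Review bot: The new only_reassembled condition places a preprocessor block in the middle of an `if` expression and closes with `) {` on the same line, while the surrounding function puts braces on their own line. Hoisting the test into a named local keeps the `#ifdef` out of the expression and restores the brace style; the rewritten lines are below, with behavior unchanged. The enclosing function continues outside the hunk.
```c
    /* ...only_reassembled */
    if (csd->only_reassembled & ONLY_STREAM)
    {
        int rebuilt_or_pdu = (p->packet_flags & PKT_REBUILT_STREAM) != 0;
#ifdef ENABLE_PAF
        if (!rebuilt_or_pdu)
            rebuilt_or_pdu = PacketHasFullPDU(p);
#endif
        if (!rebuilt_or_pdu)
        {
            PREPROC_PROFILE_END(flowCheckPerfStats);
            return DETECTION_OPTION_NO_MATCH;
        }
```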
@@ -98,7 +100,7 @@ if (!left || !right) return DETECTION_OPTION_NOT_EQUAL; - + if (left->type == right->type) { return DETECTION_OPTION_EQUAL; @@ -109,19 +111,19 @@ /* ** NAME -** SetupCvs +** SetupCvs ** Register the CVS detection plugin. -** +** */ /** -** +** ** @return None ** */ void SetupCvs(void) -{ - RegisterRuleOption("cvs", CvsInit, NULL, OPT_TYPE_DETECTION); +{ + RegisterRuleOption("cvs", CvsInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("cvs", &cvsPerfStats, 3, &ruleOTNEvalPerfStats); @@ -136,10 +138,10 @@ ** NAME ** CvsInit ** Initialize the CVS context and set it up so we can detect commands. -** +** */ /** -** +** ** @return None ** */ @@ -151,7 +153,7 @@ OptFpList *ofl; cvs_rule_option = (CvsRuleOption *)SnortAlloc(sizeof(CvsRuleOption)); - + CvsRuleParse(data, cvs_rule_option); if (add_detection_option(RULE_OPTION_TYPE_CVS, (void *)cvs_rule_option, &ds_ptr_dup) == DETECTION_OPTION_EQUAL) @@ -174,7 +176,7 @@ ** Parse the CVS rules and set the threshold criteria. */ /** -** +** ** @return None ** */ @@ -185,7 +187,7 @@ int num_toks = 0; - toks = mSplit(rule_args, CVS_CONFIG_DELIMITERS, 2, &num_toks, 0); + toks = mSplit(rule_args, CVS_CONFIG_DELIMITERS, 2, &num_toks, 0); switch (num_toks) { @@ -210,7 +212,7 @@ break; } - mSplitFree(&toks, num_toks); + mSplitFree(&toks, num_toks); } @@ -218,10 +220,10 @@ ** NAME ** CvsDetect ** This function is called on a per rule basis for CVS detection. -** +** */ /** -** +** ** @return integer ** @retval CVS_NO_ALERT ** @retval CVS_ALERT @@ -266,10 +268,10 @@ ** NAME ** CvsDecode ** This main decode function. Decode the CVS commands and detect the vulnerabilities. -** +** */ /** -** +** ** @return integer ** */ @@ -313,8 +315,8 @@ { ret = CvsValidateEntry(command.cmd_arg, (command.cmd_arg + command.cmd_arg_len)); - - if (ret == CVS_ENTRY_INVALID) + + if ((ret == CVS_ENTRY_INVALID)&&(eol < end)) { return CVS_ALERT; } @@ -357,7 +359,7 @@ return 1; } - + /* ** NAME 
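Review bot: The added `(eol < end)` term in the decode loop suppresses the alert when the invalid entry is the last, unterminated line of the buffer, and nothing records why; presumably the line is treated as incomplete until its terminator arrives, but a reader cannot tell that from the code. If that is the reason, a comment such as `/* only alert on a terminated line; an unterminated tail may be a partial entry */` would capture it. The spacing `)&&(` also differs from the `) && (` form used elsewhere in this file. The enclosing function continues outside the hunk.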
@@ -369,7 +371,7 @@ ** command member. A pointer to the rest of the string after ** the replacement '\0' is put into the structure's command ** argument member. If there isn't a space, the entire line -** is put in the command and the command argument is set to +** is put in the command and the command argument is set to ** NULL. ** */ @@ -404,7 +406,7 @@ { cmd->cmd_str_len = cmd_end - line; cmd->cmd_arg = cmd_end + 1; - cmd->cmd_arg_len = end - cmd_end; + cmd->cmd_arg_len = end - cmd_end - 1; } else { @@ -445,17 +447,17 @@ /* There should be exactly 5 slashes in the string */ while (entry_arg < end_arg) { - /* if on the 3rd slash, check for next char == '/' + /* if on the 3rd slash, check for next char == '/' or '+' * This is where the heap overflow on multiple Is-Modified * commands occurs */ if (slashes == 3) { - if (*entry_arg != '/') + if((*entry_arg != '/')&&(*entry_arg != '+')) { return CVS_ENTRY_INVALID; } } - else + if (*entry_arg != '/') { entry_arg = memchr(entry_arg, '/', end_arg - entry_arg); if (entry_arg == NULL) diff -Nru snort-2.8.5.2/src/detection-plugins/sp_cvs.h snort-2.9.2/src/detection-plugins/sp_cvs.h --- snort-2.8.5.2/src/detection-plugins/sp_cvs.h 2009-05-06 22:28:28.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_cvs.h 2011-02-09 23:22:59.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2007-2009 Sourcefire, Inc. +** Copyright (C) 2007-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.8.5.2/src/detection-plugins/sp_dsize_check.c snort-2.9.2/src/detection-plugins/sp_dsize_check.c --- snort-2.8.5.2/src/detection-plugins/sp_dsize_check.c 2009-05-06 22:28:28.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_dsize_check.c 2011-11-21 20:15:24.000000000 +0000 
@@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -27,10 +27,12 @@ #include <stdlib.h> #include <string.h> +#include "sf_types.h" #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "plugbase.h" -#include "debug.h" +#include "snort_debug.h" #include "parser.h" #include "plugin_enum.h" #include "util.h" @@ -88,7 +90,7 @@ if (!left || !right) return DETECTION_OPTION_NOT_EQUAL; - + if (( left->dsize == right->dsize) && ( left->dsize2 == right->dsize2) && ( left->operator == right->operator)) @@ -100,7 +102,7 @@ } /**************************************************************************** - * + * * Function: SetupDsizeCheck() * * Purpose: Attach the dsize keyword to the rule parse function @@ -113,7 +115,7 @@ void SetupDsizeCheck(void) { /* map the keyword to an initialization/processing function */ - RegisterRuleOption("dsize", DsizeCheckInit, NULL, OPT_TYPE_DETECTION); + RegisterRuleOption("dsize", DsizeCheckInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("dsize_eq", &dsizePerfStats, 3, &ruleOTNEvalPerfStats); #endif @@ -122,10 +124,10 @@ /**************************************************************************** - * + * * Function: DsizeCheckInit(char *, OptTreeNode *) * - * Purpose: Parse the rule argument and attach it to the rule data struct, + * Purpose: Parse the rule argument and attach it to the rule data struct, * then attach the detection function to the function list * * Arguments: data => rule arguments/data 
@@ -149,7 +151,7 @@ otn->ds_list[PLUGIN_DSIZE_CHECK] = (DsizeCheckData *) SnortAlloc(sizeof(DsizeCheckData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseDsize(data, otn); @@ -160,11 +162,11 @@ /**************************************************************************** - * + * * Function: ParseDsize(char *, OptTreeNode *) * * Purpose: Parse the dsize function argument and attach the detection - * function to the rule list as well. + * function to the rule list as well. * * Arguments: data => argument data * otn => pointer to the current rule's OTN @@ -189,7 +191,7 @@ /* If a range is specified, put min in ds_ptr->dsize and max in ds_ptr->dsize2 */ - + if(isdigit((int)*data) && strchr(data, '<') && strchr(data, '>')) { pcTok = strtok(data, " <>"); @@ -229,9 +231,9 @@ ds_ptr->operator = DSIZE_RANGE; -#ifdef DEBUG - printf("min dsize: %d\n", ds_ptr->dsize); - printf("max dsize: %d\n", ds_ptr->dsize2); +#ifdef DEBUG_MSGS + DebugMessage(DEBUG_PLUGIN, "min dsize: %d\n", ds_ptr->dsize); + DebugMessage(DEBUG_PLUGIN, "max dsize: %d\n", ds_ptr->dsize2); #endif fpl = AddOptFuncToList(CheckDsize, otn); fpl->type = RULE_OPTION_TYPE_DSIZE; @@ -288,7 +290,7 @@ } /**************************************************************************** - * + * * Function: CheckDsizeEq(char *, OptTreeNode *) * * Purpose: Test the packet's payload size against the rule payload size value 
@@ -310,7 +312,10 @@ PREPROC_PROFILE_END(dsizePerfStats); /* fake packet dsizes are always wrong */ - if(p->packet_flags & PKT_REBUILT_STREAM) + /* (unless they are PDUs) */ + if ( + (p->packet_flags & PKT_REBUILT_STREAM) && + !(p->packet_flags & PKT_PDU_HEAD) ) { PREPROC_PROFILE_END(dsizePerfStats); return rval; diff -Nru snort-2.8.5.2/src/detection-plugins/sp_dsize_check.h snort-2.9.2/src/detection-plugins/sp_dsize_check.h --- snort-2.8.5.2/src/detection-plugins/sp_dsize_check.h 2009-05-06 22:28:28.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_dsize_check.h 2011-02-09 23:22:59.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.8.5.2/src/detection-plugins/sp_file_data.c snort-2.9.2/src/detection-plugins/sp_file_data.c --- snort-2.8.5.2/src/detection-plugins/sp_file_data.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_file_data.c 2011-07-13 22:44:51.000000000 +0000 
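Review bot: The rewritten rebuilt-stream guard splits a two-term condition across `if (` on one line, the operands on the next two and a dangling `)`, and its explanation is now two fragments, `/* fake packet dsizes are always wrong */` followed by `/* (unless they are PDUs) */`. One comment and one condition read better: `/* fake packet dsizes are always wrong (unless they are PDUs) */` over `if ((p->packet_flags & PKT_REBUILT_STREAM) && !(p->packet_flags & PKT_PDU_HEAD))`. The enclosing function continues outside the hunk.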
@@ -0,0 +1,250 @@
+/*
+ ** Copyright (C) 1998-2011 Sourcefire, Inc.
+ **
+ ** This program is free software; you can redistribute it and/or modify
+ ** it under the terms of the GNU General Public License Version 2 as
+ ** published by the Free Software Foundation. You may not use, modify or
+ ** distribute this program under any other version of the GNU General
+ ** Public License.
+ **
+ ** This program is distributed in the hope that it will be useful,
+ ** but WITHOUT ANY WARRANTY; without even the implied warranty of
+ ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ ** GNU General Public License for more details.
+ **
+ ** You should have received a copy of the GNU General Public License
+ ** along with this program; if not, write to the Free Software
+ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+/* sp_file_data
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <sys/types.h>
+#include <stdlib.h>
+#include <ctype.h>
+#ifdef HAVE_STRINGS_H
+#include <strings.h>
+#endif
+#include <errno.h>
+
+#include "sf_types.h"
+#include "snort_bounds.h"
+#include "rules.h"
+#include "decode.h"
+#include "plugbase.h"
+#include "parser.h"
+#include "snort_debug.h"
+#include "util.h"
+#include "mstring.h"
+
+#include "snort.h"
+#include "profiler.h"
+#include "sp_file_data.h"
+#ifdef PERF_PROFILING
+PreprocStats fileDataPerfStats;
+extern PreprocStats ruleOTNEvalPerfStats;
+#endif
+
+#include "detection_options.h"
+#include "detection_util.h"
+
+extern char *file_name; /* this is the file name from rules.c, generally used
+ for error messages */
+
+extern int file_line; /* this is the file line number from rules.c that is
+ used to indicate file lines for error messages */
+
+static void FileDataInit(char *, OptTreeNode *, int);
+void FileDataParse(char *, FileData *, OptTreeNode *);
+int FileDataEval(void *option_data, Packet *p);
+
+uint32_t FileDataHash(void *d)
+{
+ uint32_t a,b,c;
+
+ FileData *data = (FileData *)d;
+
+ a = data->mime_decode_flag;
+ b = RULE_OPTION_TYPE_FILE_DATA;
+ c = 0;
+
+ final(a,b,c);
+
+ return c;
+}
+
+int FileDataCompare(void *l, void *r)
+{
+ FileData *left = (FileData *)l;
+ FileData *right = (FileData *)r;
+ if (!left || !right)
+ return DETECTION_OPTION_NOT_EQUAL;
+ if( left->mime_decode_flag == right->mime_decode_flag )
+ return DETECTION_OPTION_EQUAL;
+
+ return DETECTION_OPTION_NOT_EQUAL;
+}
+
+
+
+/****************************************************************************
+ *
+ * Function: SetupFileData()
+ *
+ * Purpose: Load 'er up
+ *
+ * Arguments: None.
+ *
+ * Returns: void function
+ *
+ ****************************************************************************/
+void SetupFileData(void)
+{
+ /* map the keyword to an initialization/processing function */
+ RegisterRuleOption("file_data", FileDataInit, NULL, OPT_TYPE_DETECTION, NULL);
+#ifdef PERF_PROFILING
+ RegisterPreprocessorProfile("file_data", &fileDataPerfStats, 3, &ruleOTNEvalPerfStats);
+#endif
+
+ DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Plugin: file_data Setup\n"););
+}
+
+
+/****************************************************************************
+ *
+ * Function: FileDataInit(char *, OptTreeNode *, int protocol)
+ *
+ * Purpose: Generic rule configuration function. Handles parsing the rule
+ * information and attaching the associated detection function to
+ * the OTN.
+ *
+ * Arguments: data => rule arguments/data
+ * otn => pointer to the current rule option list node
+ * protocol => protocol the rule is on (we don't care in this case)
+ *
+ * Returns: void function
+ *
+ ****************************************************************************/
+static void FileDataInit(char *data, OptTreeNode *otn, int protocol)
+{
+ FileData *idx;
+ OptFpList *fpl;
+ void *idx_dup;
+
+ idx = (FileData *) SnortAlloc(sizeof(FileData));
+
+ if(idx == NULL)
+ {
+ FatalError("%s(%d): Unable to allocate file_data node\n",
+ file_name, file_line);
+ }
+
+
+
+ otn->ds_list[PLUGIN_FILE_DATA] = (void *)1;
+
+ FileDataParse(data, idx, otn);
+
+ if (add_detection_option(RULE_OPTION_TYPE_FILE_DATA, (void *)idx, &idx_dup) == DETECTION_OPTION_EQUAL)
+ {
+ free(idx);
+ idx = idx_dup;
+ }
+
+ fpl = AddOptFuncToList(FileDataEval, otn);
+ fpl->type = RULE_OPTION_TYPE_FILE_DATA;
+ fpl->context = (void *)idx;
+
+ return;
+}
+
+
+
+/****************************************************************************
+ *
+ * Function: FileDataParse(char *, OptTreeNode *)
+ *
+ * Purpose: This is the function that is used to process the option keyword's
+ * arguments and attach them to the rule's data structures.
+ *
+ * Arguments: data => argument data
+ * otn => pointer to the current rule's OTN
+ *
+ * Returns: void function
+ *
+ ****************************************************************************/
+void FileDataParse(char *data, FileData *idx, OptTreeNode *otn)
+{
+
+ if (IsEmptyStr(data))
+ {
+ idx->mime_decode_flag = 0;
+ }
+ else if(!strcasecmp("mime",data))
+ {
+ ParseWarning("The argument 'mime' to 'file_data' rule option is deprecated.\n");
+ }
+ else
+ {
+ FatalError("%s(%d) file_data: Invalid token %s\n",
+ file_name, file_line, data);
+ }
+
+ return;
+
+}
+
+
+/****************************************************************************
+ *
+ * Function: FileDataEval(char *, OptTreeNode *, OptFpList *)
+ *
+ * Purpose: Use this function to perform the particular detection routine
+ * that this rule keyword is supposed to encompass.
+ *
+ * Arguments: p => pointer to the decoded packet
+ * otn => pointer to the current rule's OTN
+ * fp_list => pointer to the function pointer list
+ *
+ * Returns: If the detection test fails, this function *must* return a zero!
+ * On success, it calls the next function in the detection list
+ *
+ ****************************************************************************/
+int FileDataEval(void *option_data, Packet *p)
+{
+ int rval = DETECTION_OPTION_NO_MATCH;
+ uint8_t *data;
+ uint16_t len;
+ FileData *idx;
+ PROFILE_VARS;
+
+ PREPROC_PROFILE_START(fileDataPerfStats);
+ idx = (FileData *)option_data;
+
+ data = file_data_ptr.data;
+ len = file_data_ptr.len;
+
+ if ((p->dsize == 0) || (data == NULL)|| (len == 0) || !idx)
+ {
+ PREPROC_PROFILE_END(fileDataPerfStats);
+ return rval;
+ }
+
+ if(idx->mime_decode_flag)
+ mime_present = 1;
+ else
+ mime_present = 0;
+
+ SetDoePtr(data, DOE_BUF_STD);
+ SetAltDetect(data, len);
+ rval = DETECTION_OPTION_MATCH;
+
+ PREPROC_PROFILE_END(fileDataPerfStats);
+ return rval;
+}
diff -Nru snort-2.8.5.2/src/detection-plugins/sp_file_data.h snort-2.9.2/src/detection-plugins/sp_file_data.h
--- snort-2.8.5.2/src/detection-plugins/sp_file_data.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/detection-plugins/sp_file_data.h 2011-02-09 23:22:59.000000000 +0000
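Review bot: `mime_decode_flag` is never given a non-zero value anywhere in this file — FileDataParse clears it for an empty argument and the deprecated `mime` branch leaves it untouched — so the `mime_present = 1` path in FileDataEval and the hash/compare on that field look unreachable unless something outside the file writes it. If the deprecated keyword is meant to be ignored, the `mime` branch should say so instead of relying on the allocator having zeroed the struct: `idx->mime_decode_flag = 0; /* 'mime' is accepted but ignored */`. The block comments are also out of step with the code: `FileDataParse(char *, OptTreeNode *)` omits the `FileData *` argument, `FileDataEval(char *, OptTreeNode *, OptFpList *)` documents parameters the function does not take, and the `/* sp_file_data */` file comment has no purpose text. `otn->ds_list[PLUGIN_FILE_DATA] = (void *)1;` deserves a one-line comment saying it is a presence marker that must never be dereferenced.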
@@ -0,0 +1,34 @@ +/* +** Copyright (C) 2003-2011 Sourcefire, Inc. +** +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License Version 2 as +** published by the Free Software Foundation. You may not use, modify or +** distribute this program under any other version of the GNU General +** Public License. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +*/ + + +#ifndef __SP_FILE_DATA_H__ +#define __SP_FILE_DATA_H__ + +typedef struct _FileData +{ + uint8_t mime_decode_flag; +}FileData; + +void SetupFileData(void); +int FileDataCompare(void *, void *); +uint32_t FileDataHash(void *); + +#endif diff -Nru snort-2.8.5.2/src/detection-plugins/sp_flowbits.c snort-2.9.2/src/detection-plugins/sp_flowbits.c --- snort-2.8.5.2/src/detection-plugins/sp_flowbits.c 2009-05-06 22:28:29.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_flowbits.c 2011-11-21 20:15:24.000000000 +0000 @@ -2,10 +2,10 @@ ** $Id$ ** ** sp_flowbits -** +** ** Purpose: ** -** Wouldn't it be nice if we could do some simple state tracking +** Wouldn't it be nice if we could do some simple state tracking ** across multiple packets? Well, this allows you to do just that. ** ** Effect: 
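Review bot: The new header uses `uint8_t` and `uint32_t` but includes nothing, so it compiles only if every includer has already pulled in a types header; adding `#include "sf_types.h"` (the header sp_file_data.c itself includes first) inside the guard makes it self-contained. The guard name `__SP_FILE_DATA_H__` matches the convention elsewhere in this tree, but identifiers beginning with a double underscore are reserved to the implementation in C, so a new file is the place to stop propagating it.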
@@ -13,8 +13,8 @@ ** - [Un]set a bitmask stored with the session ** - Check the value of the bitmask ** -** Copyright (C) 2003-2009 Sourcefire, Inc. -** +** Copyright (C) 2003-2011 Sourcefire, Inc. +** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or @@ -36,11 +36,17 @@ #include <ctype.h> #include <sys/types.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" #include "snort.h" @@ -48,6 +54,7 @@ #include "sfghash.h" #include "sp_flowbits.h" #include "sf_types.h" +#include "mstring.h" #include "stream_api.h" @@ -60,23 +67,25 @@ #include "sfhashfcn.h" #include "detection_options.h" +#define DEFAULT_FLOWBIT_GROUP "default" SFGHASH *flowbits_hash = NULL; +SFGHASH *flowbits_grp_hash = NULL; SF_QUEUE *flowbits_bit_queue = NULL; uint32_t flowbits_count = 0; int flowbits_toggle = 1; - extern const unsigned int giFlowbitSize; -extern SnortConfig *snort_conf_for_parsing; +void FlowItemFree(void *); +void FlowBitsGrpFree(void *); static void FlowBitsInit(char *, OptTreeNode *, int); static void FlowBitsParse(char *, FLOWBITS_OP *, OptTreeNode *); static void FlowBitsCleanExit(int, void *); /**************************************************************************** - * + * * Function: FlowBitsHashInit(void) * * Purpose: Initialize the hash table and queue storage for flowbits IDs 
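Review bot: `sf_types.h` ends up included twice in sp_flowbits.c: the -36 hunk adds `#include "sf_types.h"` and the -48 hunk's context shows the existing include next to `sp_flowbits.h`; harmless with the include guard, but one of them should go. The new file-scope state in the -60 hunk has no comment; `flowbits_grp_hash` and `DEFAULT_FLOWBIT_GROUP` would be clearer with `/* group name -> FLOWBITS_GRP; "default" means the bit is in no group */`, and since the two hashes are created and destroyed in different functions a note on who owns them would help the next reader.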
@@ -91,13 +100,14 @@ if (flowbits_hash != NULL) return; - flowbits_hash = sfghash_new(10000, 0, 0, free); + flowbits_hash = sfghash_new(10000, 0, 0, FlowItemFree); if (flowbits_hash == NULL) { FatalError("%s(%d) Could not create flowbits hash.\n", __FILE__, __LINE__); } + flowbits_bit_queue = sfqueue_new(); if (flowbits_bit_queue == NULL) { @@ -106,11 +116,40 @@ } } +void FlowBitsGrpHashInit(void) +{ + if (flowbits_grp_hash != NULL) + return; + + flowbits_grp_hash = sfghash_new(10000, 0, 0, FlowBitsGrpFree); + if (flowbits_grp_hash == NULL) + { + FatalError("%s(%d) Could not create flowbits group hash.\n", + __FILE__, __LINE__); + } + +} + +void FlowItemFree(void *d) +{ + FLOWBITS_OBJECT *data = (FLOWBITS_OBJECT *)d; + free(data->group); + free(data); +} + +void FlowBitsGrpFree(void *d) +{ + FLOWBITS_GRP *data = (FLOWBITS_GRP *)d; + boFreeBITOP(&(data->GrpBitOp)); + free(data); +} + void FlowBitsFree(void *d) { FLOWBITS_OP *data = (FLOWBITS_OP *)d; free(data->name); + free(data->group); free(data); } @@ -121,7 +160,7 @@ a = data->id; b = data->type; - c = RULE_OPTION_TYPE_FLOWBIT; + c= RULE_OPTION_TYPE_FLOWBIT; final(a,b,c); @@ -135,7 +174,7 @@ if (!left || !right) return DETECTION_OPTION_NOT_EQUAL; - + if (( left->id == right->id) && ( left->type == right->type)) { @@ -146,7 +185,7 @@ } /**************************************************************************** - * + * * Function: SetupFlowBits() * * Purpose: Generic detection engine plugin template. Registers the @@ -163,7 +202,7 @@ void SetupFlowBits(void) { /* map the keyword to an initialization/processing function */ - RegisterRuleOption("flowbits", FlowBitsInit, NULL, OPT_TYPE_DETECTION); + RegisterRuleOption("flowbits", FlowBitsInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("flowbits", &flowBitsPerfStats, 3, &ruleOTNEvalPerfStats); 
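Review bot: `FlowBitsGrpFree` frees the BITOP and the struct but not `FLOWBITS_GRP::name`, which the header hunk in this commit adds as a `char *`; nothing visible assigns `name`, so either drop the field or free it here (`free(data->name);`) so the destructor matches the struct it destroys. `c= RULE_OPTION_TYPE_FLOWBIT;` is a whitespace regression of the line it replaces and should be `c = RULE_OPTION_TYPE_FLOWBIT;`. The bucket count 10000 is now repeated for both hashes; a single named constant keeps them in step.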
@@ -176,7 +215,7 @@ /**************************************************************************** - * + * * Function: FlowBitsInit(char *, OptTreeNode *) * * Purpose: Configure the flow init option to register the appropriate checks @@ -197,19 +236,19 @@ * We avoid adding the flowbit twice by skipping it here. */ if (otn->sigInfo.generator == 3) return; - + /* Flow bits are handled by Stream5 if its enabled */ if( stream_api && stream_api->version != STREAM_API_VERSION5) { if (ScConfErrorOut()) { - FatalError("Warning: %s (%d) => flowbits without Stream5. " + FatalError("WARNING: %s (%d) => flowbits without Stream5. " "Stream5 must be enabled for this plugin.\n", file_name,file_line); } else { - LogMessage("Warning: %s (%d) => flowbits without Stream5. " + LogMessage("WARNING: %s (%d) => flowbits without Stream5. " "Stream5 must be enabled for this plugin.\n", file_name,file_line); } @@ -219,6 +258,9 @@ if (flowbits_hash == NULL) FlowBitsHashInit(); + if (flowbits_grp_hash == NULL ) + FlowBitsGrpHashInit(); + flowbits = (FLOWBITS_OP *) SnortAlloc(sizeof(FLOWBITS_OP)); if (!flowbits) { FatalError("%s (%d): Unable to allocate flowbits node\n", file_name, @@ -239,6 +281,7 @@ ((FLOWBITS_OP *)idx_dup)->type); #endif free(flowbits->name); + free(flowbits->group); free(flowbits); flowbits = idx_dup; } @@ -247,17 +290,17 @@ fpl->type = RULE_OPTION_TYPE_FLOWBIT; /* - * attach it to the context node so that we can call each instance + * attach it to the context node so that we can call each instance * individually */ - + fpl->context = (void *) flowbits; return; } /**************************************************************************** - * + * * Function: FlowBitsParse(char *, FlowBits *flowbits, OptTreeNode *) * * Purpose: parse the arguments to the flow plugin and alter the otn 
@@ -271,9 +314,15 @@ static void FlowBitsParse(char *data, FLOWBITS_OP *flowbits, OptTreeNode *otn) { FLOWBITS_OBJECT *flowbits_item; - char *token, *str, *p; + FLOWBITS_GRP *flowbits_grp; + char **toks; + int num_toks; + char *token; + char *pch= NULL; uint32_t id = 0; int hstatus; + int found = 0; + int default_grp = 0; SnortConfig *sc = snort_conf_for_parsing; if (sc == NULL) @@ -283,28 +332,19 @@ } DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "flowbits parsing %s\n",data);); - - str = SnortStrdup(data); - p = str; - - /* nuke leading whitespace */ - while(isspace((int)*p)) p++; - - token = strtok(p, ", \t"); - if(!token || !strlen(token)) + toks = mSplit(data, ",", 0, &num_toks, 0); + if(num_toks < 1) { - FatalError("%s(%d) ParseFlowArgs: Must specify flowbits operation.", + FatalError("%s (%d): ParseFlowArgs: Must specify flowbits operation.\n", file_name, file_line); } - - while(isspace((int)*token)) - token++; + token = toks[0]; if(!strcasecmp("set",token)) { flowbits->type = FLOWBITS_SET; - } + } else if(!strcasecmp("unset",token)) { flowbits->type = FLOWBITS_UNSET; @@ -320,10 +360,10 @@ else if(!strcasecmp("isnotset",token)) { flowbits->type = FLOWBITS_ISNOTSET; - } + } else if(!strcasecmp("noalert", token)) { - if(strtok(NULL, " ,\t")) + if(num_toks > 1) { FatalError("%s (%d): Do not specify a flowbits tag id for the " "keyword 'noalert'.\n", file_name, file_line); @@ -331,12 +371,13 @@ flowbits->type = FLOWBITS_NOALERT; flowbits->id = 0; - free(str); + + mSplitFree(&toks, num_toks); return; } else if(!strcasecmp("reset",token)) { - if(strtok(NULL, " ,\t")) + if(num_toks > 1) { FatalError("%s (%d): Do not specify a flowbits tag id for the " "keyword 'reset'.\n", file_name, file_line); @@ -344,9 +385,9 @@ flowbits->type = FLOWBITS_RESET; flowbits->id = 0; - free(str); + mSplitFree(&toks, num_toks); return; - } + } else { FatalError("%s(%d) ParseFlowArgs: Invalid token %s\n", 
@@ -356,32 +397,15 @@ /* ** Let's parse the flowbits name */ - token = strtok(NULL, " ,\t"); - if(!token || !strlen(token)) + if( num_toks < 2 ) { FatalError("%s (%d): flowbits tag id must be provided\n", file_name, file_line); } + token = toks[1]; + pch = strtok(token, " ,\t" ); - /* - ** Take space from the beginning - */ - while(isspace((int)*token)) - token++; - - /* - ** Do we still have a ID tag left. - */ - if (!strlen(token)) - { - FatalError("%s (%d): flowbits tag id must be provided\n", - file_name, file_line); - } - - /* - ** Is there a anything left? - */ - if(strtok(NULL, " ,\t")) + if(pch && (pch != token )) { FatalError("%s (%d): flowbits tag id cannot include spaces or " "commas.\n", file_name, file_line); @@ -389,13 +413,14 @@ flowbits_item = (FLOWBITS_OBJECT *)sfghash_find(flowbits_hash, token); - if (flowbits_item != NULL) + if (flowbits_item != NULL) { id = flowbits_item->id; + found = 1; } else { - flowbits_item = + flowbits_item = (FLOWBITS_OBJECT *)SnortAlloc(sizeof(FLOWBITS_OBJECT)); if (sfqueue_count(flowbits_bit_queue) > 0) @@ -419,7 +444,7 @@ } hstatus = sfghash_add(flowbits_hash, token, flowbits_item); - if(hstatus != SFGHASH_OK) + if(hstatus != SFGHASH_OK) { FatalError("Could not add flowbits key (%s) to hash.\n",token); } 
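Review bot: The check after `pch = strtok(token, " ,\t");` only rejects leading whitespace: for `flowbits:set,foo bar` strtok writes a NUL after `foo`, returns `pch == token`, and the check passes, so the id is silently registered as `foo`. A scan that does not mutate the token catches every case, e.g. `if (strpbrk(token, " ,\t") != NULL)` in front of the existing FatalError, and drops strtok's static state from the parser. Whether mSplit trims surrounding whitespace from `toks[1]` is not visible here; if it does not, `flowbits:set, foo` hits this FatalError exactly as it did before the rewrite, which may be intended but is worth a comment. FlowBitsParse continues past the hunk.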
@@ -428,89 +453,108 @@ flowbits_item->toggle = flowbits_toggle; flowbits_item->types |= flowbits->type; + switch (flowbits->type) + { + case FLOWBITS_SET: + case FLOWBITS_UNSET: + case FLOWBITS_TOGGLE: + case FLOWBITS_RESET: + flowbits_item->set++; + break; + case FLOWBITS_ISSET: + case FLOWBITS_ISNOTSET: + flowbits_item->isset++; + break; + default: + break; + } + flowbits->id = id; flowbits->name = SnortStrdup(token); - free(str); -} - -static int ResetFlowbits(Packet *p) -{ - if(!p || !p->ssnptr) + if(num_toks < 3) { - return 0; + if (flowbits->type == FLOWBITS_SET || flowbits->type == FLOWBITS_TOGGLE) + token = DEFAULT_FLOWBIT_GROUP; + else + { + mSplitFree(&toks, num_toks); + return; + } } - - /* - ** UDP or ICMP, don't reset. This is handled by the - ** session tracking within Stream, since we may not - ** have seen both sides at this point. - */ - if (p->udph || p->icmph) + else { - return 0; + if (flowbits->type == FLOWBITS_SET || flowbits->type == FLOWBITS_TOGGLE) + token = toks[2]; + else + { + FatalError("%s (%d): Group name can be specified only with set and toggle " + "operations \n", file_name, file_line); + } } - - /* - ** Check session_flags for new TCP session - ** - ** PKT_STREAM_EST is pretty obvious why it's in here - ** - ** SEEN_CLIENT and SEEN_SERVER allow us to only reset the bits - ** once on the first SYN pkt. There after bits will be - ** accumulated for that session. 
- */ - if((p->packet_flags & PKT_STREAM_EST) || - (stream_api && p->tcph && - ((stream_api->get_session_flags(p->ssnptr) & (SSNFLAG_SEEN_CLIENT | SSNFLAG_SEEN_SERVER)) == - (SSNFLAG_SEEN_CLIENT | SSNFLAG_SEEN_SERVER)))) + if (strcmp(token, DEFAULT_FLOWBIT_GROUP) == 0) + default_grp = 1; + flowbits_grp = (FLOWBITS_GRP *)sfghash_find(flowbits_grp_hash, token); + + if (flowbits_grp == NULL && !default_grp ) + { + flowbits_grp = (FLOWBITS_GRP *)SnortAlloc(sizeof(FLOWBITS_GRP)); + boInitBITOP(&(flowbits_grp->GrpBitOp), giFlowbitSize); + boSetAllBits(&(flowbits_grp->GrpBitOp)); + hstatus = sfghash_add(flowbits_grp_hash, token, flowbits_grp); + if(hstatus != SFGHASH_OK) + { + FatalError("Could not add flowbits group (%s) to hash.\n",token); + } + } + if ( found && flowbits_item->group) { - return 0; + if (strcmp((flowbits_item->group), token) != 0) + { + FatalError("%s(%d) Flowbits %s already belongs to a group %s\n", + file_name, file_line, flowbits->name, flowbits_item->group); + } + } + else + { + if ( !default_grp) + { + flowbits_grp->count++; + if ( flowbits_grp->max_id < id ) + flowbits_grp->max_id = id; + boClearBit(&(flowbits_grp->GrpBitOp),flowbits->id); + } + flowbits_item->group = SnortStrdup(token); } + flowbits->group = SnortStrdup(token); + mSplitFree(&toks, num_toks); - return 1; } -/* -** NAME -** GetFlowbitsData:: -*/ -/** -** This function initializes/retrieves flowbits data that is associated -** with a given flow. -*/ -StreamFlowData *GetFlowbitsData(Packet *p) +static inline int boSetGrpBit(BITOP *BitOp, char *group, unsigned int uiPos) { - StreamFlowData *flowdata = NULL; - if(stream_api) - { - flowdata = stream_api->get_flow_data(p); - } - - if(!flowdata) - return NULL; - /* - ** Since we didn't initialize BITOP (which resets during init) - ** we have to check for resetting here, because it may be - ** a new flow. - ** - ** NOTE: - ** We can only do this on TCP flows because we know when a - ** connection begins and ends. So that's what we check. 
- */ - if(ResetFlowbits(p)) + FLOWBITS_GRP *flowbits_grp; + BITOP *GrpBitOp; + unsigned int i; + flowbits_grp = (FLOWBITS_GRP *)sfghash_find(flowbits_grp_hash, group); + if( flowbits_grp == NULL ) + return 0; + if((BitOp == NULL) || (BitOp->uiMaxBits <= uiPos) || (BitOp->uiMaxBits <= flowbits_grp->max_id) || flowbits_grp->count <= 0) + return 0; + GrpBitOp = &(flowbits_grp->GrpBitOp); + boClearBit(BitOp, uiPos); + for ( i = 0; i <= flowbits_grp->max_id ; i++ ) { - boResetBITOP(&(flowdata->boFlowbits)); + BitOp->pucBitBuffer[i >> 3] &= GrpBitOp->pucBitBuffer[i >> 3]; } - - return flowdata; + return 1; } /**************************************************************************** - * + * * Function: FlowBitsCheck(Packet *, struct _OptTreeNode *, OptFpList *) * - * Purpose: Check flow bits foo + * Purpose: Check flow bits foo * * Arguments: data => argument data * otn => pointer to the current rule's OTN @@ -524,18 +568,16 @@ int rval = DETECTION_OPTION_NO_MATCH; StreamFlowData *flowdata; int result = 0; + int iRet = 0; PROFILE_VARS; - if(!p) - { - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, - "FLOWBITSCHECK: No pkt.");); + /* Need session pointer to get flowbits */ + if ((stream_api == NULL) || (p->ssnptr == NULL)) return rval; - } PREPROC_PROFILE_START(flowBitsPerfStats); - flowdata = GetFlowbitsData(p); + flowdata = stream_api->get_flow_data(p); if(!flowdata) { DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "No FLOWBITS_DATA");); @@ -549,6 +591,15 @@ DebugMessage(DEBUG_PLUGIN,"flowbits: value = %d\n",flowbits->id); ); + if(((flowbits->type == FLOWBITS_SET) || (((flowbits->type == FLOWBITS_TOGGLE) && + (!boIsBitSet(&(flowdata->boFlowbits),flowbits->id))))) && + (flowbits->group && (strcasecmp(flowbits->group, DEFAULT_FLOWBIT_GROUP) != 0 ))) + { + if ( (iRet = boSetGrpBit(&(flowdata->boFlowbits), flowbits->group, flowbits->id)) == 0 ) + return rval; + + } + switch(flowbits->type) { case FLOWBITS_SET: 
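Review bot: Group names are compared case-sensitively at parse time (`strcmp(token, DEFAULT_FLOWBIT_GROUP)` in this hunk) but case-insensitively at evaluation time (`strcasecmp(flowbits->group, DEFAULT_FLOWBIT_GROUP)` in the -549 hunk), so a group spelled `Default` is created in `flowbits_grp_hash` with its member bits cleared and then treated as "no group" by FlowBitsCheck; use the same comparison in both places. The AND loop in `boSetGrpBit` runs once per bit up to `max_id` but operates on whole bytes, so each byte is ANDed up to eight times; `for ( i = 0; i <= (flowbits_grp->max_id >> 3); i++ )` does the same work once, and a comment such as `/* clear every bit of the group except uiPos, which is cleared above and set by the caller */` would state what the mask is for. The loop also assumes `GrpBitOp` has at least as many bytes as `BitOp`, which holds only if both were sized from `giFlowbitSize` as the parse path does; worth a note, since the early-return guards check `BitOp` only.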
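Review bot: The early `return rval;` when `boSetGrpBit` returns 0 comes after `PREPROC_PROFILE_START(flowBitsPerfStats)` and skips `PREPROC_PROFILE_END`, unlike the other exits of this function (the -618 hunk shows the `PREPROC_PROFILE_END(flowBitsPerfStats); return rval;` pairing); add `PREPROC_PROFILE_END(flowBitsPerfStats);` before that return. `iRet` exists only to be compared with 0 and can go: `if ( boSetGrpBit(&(flowdata->boFlowbits), flowbits->group, flowbits->id) == 0 )`. FlowBitsCheck's body continues outside the hunk.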
@@ -618,7 +669,7 @@ PREPROC_PROFILE_END(flowBitsPerfStats); return rval; } - + /* ** Now return what we found */ @@ -632,12 +683,12 @@ } /**************************************************************************** - * + * * Function: FlowBitsVerify() * * Purpose: Check flow bits foo to make sure its valid * - * Arguments: + * Arguments: * * Returns: 0 on failure * @@ -651,8 +702,8 @@ if (flowbits_hash == NULL) return; - for (n = sfghash_findfirst(flowbits_hash); - n != NULL; + for (n = sfghash_findfirst(flowbits_hash); + n != NULL; n= sfghash_findnext(flowbits_hash)) { fb = (FLOWBITS_OBJECT *)n->data; @@ -669,19 +720,19 @@ continue; } - if (fb->types & FLOWBITS_SET) + if ((fb->set > 0) && (fb->isset == 0)) { - if (!((fb->types & FLOWBITS_ISSET) || (fb->types & FLOWBITS_ISNOTSET))) - { - LogMessage("Warning: flowbits key '%s' is set but not ever checked.\n",n->key); - } + LogMessage("WARNING: flowbits key '%s' is set but not ever checked.\n", + (char*)n->key); } - else + else if ((fb->isset > 0) && (fb->set == 0)) { - if ((fb->types & FLOWBITS_ISSET) || (fb->types & FLOWBITS_ISNOTSET)) - { - LogMessage("Warning: flowbits key '%s' is checked but not ever set.\n",n->key); - } + LogMessage("WARNING: flowbits key '%s' is checked but not ever set.\n", + (char*)n->key); + } + else if ((fb->set == 0) && (fb->isset == 0)) + { + continue; /* don't count this bit as used */ } num_flowbits++; @@ -689,7 +740,7 @@ flowbits_toggle ^= 1; - LogMessage("%d out of %d flowbits in use.\n", + LogMessage("%d out of %d flowbits in use.\n", num_flowbits, giFlowbitSize<<3); } 
@@ -701,6 +752,12 @@ flowbits_hash = NULL; } + if (flowbits_grp_hash != NULL) + { + sfghash_delete(flowbits_grp_hash); + flowbits_grp_hash = NULL; + } + if (flowbits_bit_queue != NULL) { sfqueue_free_all(flowbits_bit_queue, NULL); diff -Nru snort-2.8.5.2/src/detection-plugins/sp_flowbits.h snort-2.9.2/src/detection-plugins/sp_flowbits.h --- snort-2.8.5.2/src/detection-plugins/sp_flowbits.h 2009-05-06 22:28:29.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_flowbits.h 2011-10-26 18:28:52.000000000 +0000 @@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2004-2009 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -25,10 +25,11 @@ #ifndef __SP_FLOWBITS_H__ #define __SP_FLOWBITS_H__ -#include "stream_api.h" #include "sfghash.h" #include "sf_types.h" #include "decode.h" +#include "bitop_funcs.h" +#include "snort_debug.h" /* Normally exported functions, for plugin registration. */ void SetupFlowBits(void); @@ -39,9 +40,6 @@ int FlowBitsCheck(void *, Packet *); void FlowBitsHashInit(void); -/* These functions are now exported to be used by dynamic plugins */ -StreamFlowData *GetFlowbitsData(Packet *p); - /** ** The FLOWBITS_OBJECT is used to track the different ** flowbit names that set/unset/etc. bits. We use these @@ -57,6 +55,9 @@ uint32_t id; uint8_t types; int toggle; + char *group; + int set; + int isset; } FLOWBITS_OBJECT; @@ -71,8 +72,16 @@ uint32_t id; uint8_t type; /* Set, Unset, Invert, IsSet, IsNotSet, Reset */ char *name; + char *group; } FLOWBITS_OP; +typedef struct _FLOWBITS_GRP +{ + uint32_t count; + uint32_t max_id; + char *name; + BITOP GrpBitOp; +} FLOWBITS_GRP; #define FLOWBITS_SET 0x01 #define FLOWBITS_UNSET 0x02 
@@ -82,4 +91,14 @@ #define FLOWBITS_RESET 0x20 #define FLOWBITS_NOALERT 0x40 +static inline int FlowBits_SetOperation(void *option_data) +{ + FLOWBITS_OP *flowbits = (FLOWBITS_OP*)option_data; + if (flowbits->type & (FLOWBITS_SET | FLOWBITS_UNSET | FLOWBITS_TOGGLE | FLOWBITS_RESET)) + { + return 1; + } + return 0; +} + #endif /* __SP_FLOWBITS_H__ */ diff -Nru snort-2.8.5.2/src/detection-plugins/sp_ftpbounce.c snort-2.9.2/src/detection-plugins/sp_ftpbounce.c --- snort-2.8.5.2/src/detection-plugins/sp_ftpbounce.c 2009-05-06 22:28:29.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_ftpbounce.c 2011-06-08 00:33:09.000000000 +0000 @@ -1,6 +1,6 @@ /* $Id$ */ /* - ** Copyright (C) 2005-2009 Sourcefire, Inc. + ** Copyright (C) 2005-2011 Sourcefire, Inc. ** Author: Steven Sturges ** ** This program is free software; you can redistribute it and/or modify @@ -19,8 +19,8 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ -/* sp_ftpbounce - * +/* sp_ftpbounce + * * Purpose: * Checks the address listed (a,b,c,d format) in the packet * against the source address. @@ -32,7 +32,7 @@ * None * Optional: * None - * + * * sample rules: * alert tcp any any -> any 21 (content: "PORT"; \ * ftpbounce; @@ -60,12 +60,14 @@ #endif #include <errno.h> -#include "bounds.h" +#include "sf_types.h" +#include "snort_bounds.h" #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" #include "mstring.h" @@ -79,9 +81,7 @@ #include "sfhashfcn.h" #include "detection_options.h" - -extern const uint8_t *doe_ptr; -extern uint8_t DecodeBuffer[DECODE_BLEN]; +#include "detection_util.h" void FTPBounceInit(char *, OptTreeNode *, int); void FTPBounceParse(char *, OptTreeNode *); 
@@ -109,7 +109,7 @@ } /**************************************************************************** - * + * * Function: SetupFTPBounce() * * Purpose: Load 'er up @@ -122,7 +122,7 @@ void SetupFTPBounce(void) { /* map the keyword to an initialization/processing function */ - RegisterRuleOption("ftpbounce", FTPBounceInit, NULL, OPT_TYPE_DETECTION); + RegisterRuleOption("ftpbounce", FTPBounceInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("ftpbounce", &ftpBouncePerfStats, 3, &ruleOTNEvalPerfStats); @@ -133,10 +133,10 @@ /**************************************************************************** - * + * * Function: FTPBounceInit(char *, OptTreeNode *) * - * Purpose: Generic rule configuration function. Handles parsing the rule + * Purpose: Generic rule configuration function. Handles parsing the rule * information and attaching the associated detection function to * the OTN. * @@ -152,7 +152,7 @@ OptFpList *fpl; void *ds_ptr_dup; - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ FTPBounceParse(data, otn); @@ -173,7 +173,7 @@ /**************************************************************************** - * + * * Function: FTPBounceParse(char *, void *, OptTreeNode *) * * Purpose: This is the function that is used to process the option keyword's @@ -196,7 +196,7 @@ /**************************************************************************** - * + * * Function: FTPBounce(char *, OptTreeNode *, OptFpList *) * * Purpose: Use this function to perform the particular detection routine 
@@ -207,7 +207,7 @@ * fp_list => pointer to the function pointer list * * Returns: If the detection test fails, this function *must* return a zero! - * On success, it calls the next function in the detection list + * On success, it calls the next function in the detection list * ****************************************************************************/ int FTPBounce(void *option_data, Packet *p) @@ -217,31 +217,39 @@ const uint8_t *this_param = doe_ptr; int dsize; - int use_alt_buffer = p->packet_flags & PKT_ALT_DECODE; const uint8_t *base_ptr, *end_ptr, *start_ptr; PROFILE_VARS; if (!doe_ptr) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "[*] ftpbounce no doe_ptr set..\n");); return 0; } PREPROC_PROFILE_START(ftpBouncePerfStats); - if(use_alt_buffer) + if (Is_DetectFlag(FLAG_ALT_DETECT)) { - dsize = p->alt_dsize; - start_ptr = DecodeBuffer; - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Using Alternative Decode buffer!\n");); - + dsize = DetectBuffer.len; + start_ptr = DetectBuffer.data; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Using Alternative Detect buffer!\n");); + } + else if(Is_DetectFlag(FLAG_ALT_DECODE)) + { + dsize = DecodeBuffer.len; + start_ptr = DecodeBuffer.data; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Using Alternative Decode buffer!\n");); } else { start_ptr = p->data; - dsize = p->dsize; + if(IsLimitedDetect(p)) + dsize = p->alt_dsize; + else + dsize = p->dsize; } DEBUG_WRAP( @@ -255,7 +263,7 @@ if(doe_ptr) { - /* @todo: possibly degrade to use the other buffer, seems non-intuitive*/ + /* @todo: possibly degrade to use the other buffer, seems non-intuitive*/ if(!inBounds(start_ptr, end_ptr, doe_ptr)) { DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, @@ -266,7 +274,7 @@ } while (isspace((int)*this_param) && (this_param < end_ptr)) this_param++; - + do { int value = 0; 
@@ -309,20 +317,18 @@ return DETECTION_OPTION_NO_MATCH; } - if (ip != ntohl(p->iph->ip_src.s_addr)) +#ifdef SUP_IP6 + if ( ip != ntohl(GET_SRC_IP(p)->ip32[0]) ) +#else + if ( ip != ntohl(GET_SRC_IP(p)) ) +#endif { PREPROC_PROFILE_END(ftpBouncePerfStats); return DETECTION_OPTION_MATCH; } - else - { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "PORT command not being used in bounce\n");); - PREPROC_PROFILE_END(ftpBouncePerfStats); - return DETECTION_OPTION_NO_MATCH; - } - - /* Never reached */ + + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "PORT command not being used in bounce\n");); PREPROC_PROFILE_END(ftpBouncePerfStats); return DETECTION_OPTION_NO_MATCH; } diff -Nru snort-2.8.5.2/src/detection-plugins/sp_ftpbounce.h snort-2.9.2/src/detection-plugins/sp_ftpbounce.h --- snort-2.8.5.2/src/detection-plugins/sp_ftpbounce.h 2009-05-06 22:28:29.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_ftpbounce.h 2011-02-09 23:23:01.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2005-2009 Sourcefire, Inc. +** Copyright (C) 2005-2011 Sourcefire, Inc. ** Author: Steven Sturges <ssturges@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.8.5.2/src/detection-plugins/sp_hdr_opt_wrap.c snort-2.9.2/src/detection-plugins/sp_hdr_opt_wrap.c --- snort-2.8.5.2/src/detection-plugins/sp_hdr_opt_wrap.c 2009-05-06 22:57:30.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_hdr_opt_wrap.c 2011-06-08 00:33:09.000000000 +0000 
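Review bot: Under `SUP_IP6` the comparison `ip != ntohl(GET_SRC_IP(p)->ip32[0])` reads only the first 32 bits of the source address, so on an IPv6 session the parsed PORT address is compared with the top word of a v6 address and the option reports a bounce (`DETECTION_OPTION_MATCH`) for essentially every PORT command. Unless the engine guarantees this option only runs on IPv4 traffic (not visible here), the non-IPv4 case should be handled explicitly — return `DETECTION_OPTION_NO_MATCH` for it, with a comment stating that a v4 PORT address cannot be checked against a v6 source — rather than relying on the word comparison. The simplified tail that drops the `else` and the "Never reached" comment is an improvement. FTPBounce's body starts outside the hunk.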
@@ -1,6 +1,30 @@ +/**************************************************************************** + * Copyright (C) 2008-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + /* Necessary hash/wrapper functions to put a .so rule's HdrOptCheck option * directly on the rule option tree. */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "sp_hdr_opt_wrap.h" #include "sf_engine/sf_snort_plugin_api.h" diff -Nru snort-2.8.5.2/src/detection-plugins/sp_hdr_opt_wrap.h snort-2.9.2/src/detection-plugins/sp_hdr_opt_wrap.h --- snort-2.8.5.2/src/detection-plugins/sp_hdr_opt_wrap.h 2009-05-06 22:57:30.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_hdr_opt_wrap.h 2011-02-09 23:23:01.000000000 +0000 
@@ -1,3 +1,23 @@ +/**************************************************************************** + * Copyright (C) 2008-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + /* Necessary hash/wrapper functions to put a .so rule's HdrOptCheck option * directly on the rule option tree. */ diff -Nru snort-2.8.5.2/src/detection-plugins/sp_icmp_code_check.c snort-2.9.2/src/detection-plugins/sp_icmp_code_check.c --- snort-2.8.5.2/src/detection-plugins/sp_icmp_code_check.c 2009-05-06 22:28:29.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_icmp_code_check.c 2011-06-08 00:33:09.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -28,12 +28,14 @@ #include <string.h> #include <ctype.h> +#include "sf_types.h" #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" #include "util.h" -#include "debug.h" +#include "snort_debug.h" #include "plugin_enum.h" #include "sfhashfcn.h" 
@@ -102,7 +104,7 @@ } /**************************************************************************** - * + * * Function: SetupIcmpCodeCheck() * * Purpose: Register the icode keyword and configuration function @@ -115,7 +117,7 @@ void SetupIcmpCodeCheck(void) { /* map the keyword to an initialization/processing function */ - RegisterRuleOption("icode", IcmpCodeCheckInit, NULL, OPT_TYPE_DETECTION); + RegisterRuleOption("icode", IcmpCodeCheckInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("icode", &icmpCodePerfStats, 3, &ruleOTNEvalPerfStats); #endif @@ -125,7 +127,7 @@ /**************************************************************************** - * + * * Function: IcmpCodeCheckInit(char *, OptTreeNode *) * * Purpose: Initialize the rule data structs and parse the rule argument @@ -145,7 +147,7 @@ FatalError( "%s(%d): ICMP Options on non-ICMP rule\n", file_name, file_line); } - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_ICMP_CODE]) { FatalError("%s(%d): Multiple icmp code options in rule\n", file_name, @@ -158,13 +160,13 @@ otn->ds_list[PLUGIN_ICMP_CODE] = (IcmpCodeCheckData *) SnortAlloc(sizeof(IcmpCodeCheckData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseIcmpCode(data, otn); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ - + fpl = AddOptFuncToList(IcmpCodeCheck, otn); fpl->type = RULE_OPTION_TYPE_ICMP_CODE; fpl->context = otn->ds_list[PLUGIN_ICMP_CODE]; @@ -173,7 +175,7 @@ /**************************************************************************** - * + * * Function: ParseIcmpCode(char *, OptTreeNode *) * * Purpose: Process the icode argument and stick it in the data struct 
@@ -215,8 +217,8 @@ file_name, file_line); } - /* - * If a range is specified, put the min in icmp_code, and the max in + /* + * If a range is specified, put the min in icmp_code, and the max in * icmp_code2 */ @@ -303,7 +305,7 @@ /**************************************************************************** - * + * * Function: IcmpCodeCheck(Packet *p, OptTreeNode *, OptFpList *fp_list) * * Purpose: Test the packet's ICMP code field value against the option's @@ -325,7 +327,7 @@ /* return 0 if we don't have an icmp header */ if(!p->icmph) - return rval; + return rval; PREPROC_PROFILE_START(icmpCodePerfStats); @@ -344,7 +346,7 @@ rval = DETECTION_OPTION_MATCH; break; case ICMP_CODE_TEST_RG: - if (p->icmph->code > ds_ptr->icmp_code && + if (p->icmph->code > ds_ptr->icmp_code && p->icmph->code < ds_ptr->icmp_code2) rval = DETECTION_OPTION_MATCH; break; diff -Nru snort-2.8.5.2/src/detection-plugins/sp_icmp_code_check.h snort-2.9.2/src/detection-plugins/sp_icmp_code_check.h --- snort-2.8.5.2/src/detection-plugins/sp_icmp_code_check.h 2009-05-06 22:28:30.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_icmp_code_check.h 2011-02-09 23:23:01.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.8.5.2/src/detection-plugins/sp_icmp_id_check.c snort-2.9.2/src/detection-plugins/sp_icmp_id_check.c --- snort-2.8.5.2/src/detection-plugins/sp_icmp_id_check.c 2009-05-06 22:28:30.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_icmp_id_check.c 2011-06-08 00:33:09.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify 
@@ -19,20 +19,20 @@ */ /* $Id$ */ -/* sp_icmp_id - * +/* sp_icmp_id + * * Purpose: * - * Test the ID field of ICMP ECHO and ECHO_REPLY packets for specified + * Test the ID field of ICMP ECHO and ECHO_REPLY packets for specified * values. This is useful for detecting TFN attacks, amongst others. * * Arguments: - * + * * The ICMP ID plugin takes a number as an option argument. * * Effect: * - * Tests ICMP ECHO and ECHO_REPLY packet ID field values and returns a + * Tests ICMP ECHO and ECHO_REPLY packet ID field values and returns a * "positive" detection result (i.e. passthrough) upon a value match. * * Comments: @@ -49,11 +49,13 @@ #include <stdlib.h> #include <ctype.h> +#include "sf_types.h" #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" @@ -108,7 +110,7 @@ } /**************************************************************************** - * + * * Function: SetupIcmpIdCheck() * * Purpose: Registers the configuration function and links it to a rule @@ -123,7 +125,7 @@ void SetupIcmpIdCheck(void) { /* map the keyword to an initialization/processing function */ - RegisterRuleOption("icmp_id", IcmpIdCheckInit, NULL, OPT_TYPE_DETECTION); + RegisterRuleOption("icmp_id", IcmpIdCheckInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("icmp_id", &icmpIdPerfStats, 3, &ruleOTNEvalPerfStats); @@ -133,7 +135,7 @@ /**************************************************************************** - * + * * Function: IcmpIdCheckInit(char *, OptTreeNode *) * * Purpose: Handles parsing the rule information and attaching the associated @@ -153,7 +155,7 @@ FatalError("%s(%d): ICMP Options on non-ICMP rule\n", file_name, file_line); } - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_ICMP_ID_CHECK]) { FatalError("%s(%d): Multiple icmp id options in rule\n", file_name, 
@@ -165,12 +167,12 @@ otn->ds_list[PLUGIN_ICMP_ID_CHECK] = (IcmpIdCheckData *) SnortAlloc(sizeof(IcmpIdCheckData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseIcmpId(data, otn); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(IcmpIdCheck, otn); fpl->type = RULE_OPTION_TYPE_ICMP_ID; @@ -180,7 +182,7 @@ /**************************************************************************** - * + * * Function: ParseIcmpId(char *, OptTreeNode *) * * Purpose: Convert the rule option argument to program data. @@ -195,6 +197,7 @@ { IcmpIdCheckData *ds_ptr; /* data struct pointer */ void *ds_ptr_dup; + char *endTok; /* set the ds pointer to make it easier to reference the option's particular data struct */ @@ -203,7 +206,13 @@ /* advance past whitespace */ while(isspace((int)*data)) data++; - ds_ptr->icmpid = atoi(data); + ds_ptr->icmpid = (uint16_t)SnortStrtoulRange(data, &endTok, 10, 0, UINT16_MAX); + if ((endTok == data) || (*endTok != '\0')) + { + FatalError("%s(%d) => Invalid parameter '%s' to icmp_id. " + "Must be between 0 & 65535, inclusive\n", + file_name, file_line, data); + } ds_ptr->icmpid = htons(ds_ptr->icmpid); if (add_detection_option(RULE_OPTION_TYPE_ICMP_ID, (void *)ds_ptr, &ds_ptr_dup) == DETECTION_OPTION_EQUAL) @@ -216,7 +225,7 @@ /**************************************************************************** - * + * * Function: IcmpIdCheck(char *, OptTreeNode *) * * Purpose: Compare the ICMP ID field to the rule value. 
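Review bot: The new range check in ParseIcmpId depends on `SnortStrtoulRange` signalling an out-of-range value by resetting `endTok` to `data`; nothing in the hunk says so, and a reader will take `(endTok == data)` as the "no digits" case only. Add a comment above the test, e.g. `/* SnortStrtoulRange resets endTok to data when the value is outside 0..UINT16_MAX, so this also rejects out-of-range input */` — assuming that is its contract; if it is not, a value above 65535 is silently truncated by the `(uint16_t)` cast and the check never fires, which would defeat the point of replacing atoi. The same pattern is introduced in ParseIcmpSeq and ParseFragOffset elsewhere in this diff. ParseIcmpId begins outside this hunk.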
@@ -225,7 +234,7 @@ * otn => pointer to the current rule's OTN * * Returns: If the detection test fails, this function *must* return a zero! - * On success, it calls the next function in the detection list + * On success, it calls the next function in the detection list * ****************************************************************************/ int IcmpIdCheck(void *option_data, Packet *p) @@ -239,11 +248,11 @@ PREPROC_PROFILE_START(icmpIdPerfStats); - if( (p->icmph->type == ICMP_ECHO || p->icmph->type == ICMP_ECHOREPLY) + if( (p->icmph->type == ICMP_ECHO || p->icmph->type == ICMP_ECHOREPLY) #ifdef SUP_IP6 - || (p->icmph->type == ICMP6_ECHO || p->icmph->type == ICMP6_REPLY) + || (p->icmph->type == ICMP6_ECHO || p->icmph->type == ICMP6_REPLY) #endif - ) + ) { /* test the rule ID value against the ICMP extension ID field */ if(icmpId->icmpid == p->icmph->s_icmp_id) diff -Nru snort-2.8.5.2/src/detection-plugins/sp_icmp_id_check.h snort-2.9.2/src/detection-plugins/sp_icmp_id_check.h --- snort-2.8.5.2/src/detection-plugins/sp_icmp_id_check.h 2009-05-06 22:28:30.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_icmp_id_check.h 2011-02-09 23:23:02.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.8.5.2/src/detection-plugins/sp_icmp_seq_check.c snort-2.9.2/src/detection-plugins/sp_icmp_seq_check.c --- snort-2.8.5.2/src/detection-plugins/sp_icmp_seq_check.c 2009-05-06 22:28:30.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_icmp_seq_check.c 2011-06-08 00:33:10.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify 
@@ -19,20 +19,20 @@ */ /* $Id$ */ -/* sp_icmp_seq_check - * +/* sp_icmp_seq_check + * * Purpose: * - * Test the Sequence number field of ICMP ECHO and ECHO_REPLY packets for + * Test the Sequence number field of ICMP ECHO and ECHO_REPLY packets for * specified values. This is useful for detecting TFN attacks, amongst others. * * Arguments: - * + * * The ICMP Seq plugin takes a number as an option argument. * * Effect: * - * Tests ICMP ECHO and ECHO_REPLY packet Seq field values and returns a + * Tests ICMP ECHO and ECHO_REPLY packet Seq field values and returns a * "positive" detection result (i.e. passthrough) upon a value match. * * Comments: @@ -48,11 +48,13 @@ #include <stdlib.h> #include <ctype.h> +#include "sf_types.h" #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" @@ -70,7 +72,7 @@ { unsigned short icmpseq; -} IcmpSeqCheckData; +} IcmpSeqCheckData; void IcmpSeqCheckInit(char *, OptTreeNode *, int); void ParseIcmpSeq(char *, OptTreeNode *); @@ -109,7 +111,7 @@ /**************************************************************************** - * + * * Function: SetupIcmpSeqCheck() * * Purpose: Registers the configuration function and links it to a rule @@ -124,7 +126,7 @@ void SetupIcmpSeqCheck(void) { /* map the keyword to an initialization/processing function */ - RegisterRuleOption("icmp_seq", IcmpSeqCheckInit, NULL, OPT_TYPE_DETECTION); + RegisterRuleOption("icmp_seq", IcmpSeqCheckInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("icmp_seq", &icmpSeqPerfStats, 3, &ruleOTNEvalPerfStats); @@ -134,7 +136,7 @@ /**************************************************************************** - * + * * Function: IcmpSeqCheckInit(char *, OptTreeNode *) * * Purpose: Handles parsing the rule information and attaching the associated 
@@ -154,7 +156,7 @@ FatalError("%s(%d): ICMP Options on non-ICMP rule\n", file_name, file_line); } - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_ICMP_SEQ_CHECK]) { FatalError("%s(%d): Multiple ICMP seq options in rule\n", file_name, @@ -166,11 +168,11 @@ otn->ds_list[PLUGIN_ICMP_SEQ_CHECK] = (IcmpSeqCheckData *) SnortAlloc(sizeof(IcmpSeqCheckData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseIcmpSeq(data, otn); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(IcmpSeqCheck, otn); fpl->type = RULE_OPTION_TYPE_ICMP_SEQ; @@ -180,7 +182,7 @@ /**************************************************************************** - * + * * Function: ParseIcmpSeq(char *, OptTreeNode *) * * Purpose: Convert the rule option argument to program data. @@ -195,6 +197,7 @@ { IcmpSeqCheckData *ds_ptr; /* data struct pointer */ void *ds_ptr_dup; + char *endTok; /* set the ds pointer to make it easier to reference the option's particular data struct */ @@ -203,9 +206,15 @@ /* advance past whitespace */ while(isspace((int)*data)) data++; - ds_ptr->icmpseq = atoi(data); + ds_ptr->icmpseq = (uint16_t)SnortStrtoulRange(data, &endTok, 10, 0, UINT16_MAX); + if ((endTok == data) || (*endTok != '\0')) + { + FatalError("%s(%d) => Invalid parameter '%s' to icmp_seq. " + "Must be between 0 & 65535, inclusive\n", + file_name, file_line, data); + } ds_ptr->icmpseq = htons(ds_ptr->icmpseq); - + if (add_detection_option(RULE_OPTION_TYPE_ICMP_SEQ, (void *)ds_ptr, &ds_ptr_dup) == DETECTION_OPTION_EQUAL) { free(ds_ptr); 
@@ -217,7 +226,7 @@ /**************************************************************************** - * + * * Function: IcmpSeqCheck(char *, OptTreeNode *) * * Purpose: Compare the ICMP Sequence field to the rule value. @@ -226,7 +235,7 @@ * otn => pointer to the current rule's OTN * * Returns: If the detection test fails, this function *must* return a zero! - * On success, it calls the next function in the detection list + * On success, it calls the next function in the detection list * ****************************************************************************/ int IcmpSeqCheck(void *option_data, Packet *p) @@ -240,11 +249,11 @@ PREPROC_PROFILE_START(icmpSeqPerfStats); - if( (p->icmph->type == ICMP_ECHO || p->icmph->type == ICMP_ECHOREPLY) + if( (p->icmph->type == ICMP_ECHO || p->icmph->type == ICMP_ECHOREPLY) #ifdef SUP_IP6 - || (p->icmph->type == ICMP6_ECHO || p->icmph->type == ICMP6_REPLY) + || (p->icmph->type == ICMP6_ECHO || p->icmph->type == ICMP6_REPLY) #endif - ) + ) { /* test the rule ID value against the ICMP extension ID field */ if(icmpSeq->icmpseq == p->icmph->s_icmp_seq) diff -Nru snort-2.8.5.2/src/detection-plugins/sp_icmp_seq_check.h snort-2.9.2/src/detection-plugins/sp_icmp_seq_check.h --- snort-2.8.5.2/src/detection-plugins/sp_icmp_seq_check.h 2009-05-06 22:28:31.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_icmp_seq_check.h 2011-02-09 23:23:02.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.8.5.2/src/detection-plugins/sp_icmp_type_check.c snort-2.9.2/src/detection-plugins/sp_icmp_type_check.c --- snort-2.8.5.2/src/detection-plugins/sp_icmp_type_check.c 2009-05-06 22:28:31.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_icmp_type_check.c 2011-06-08 00:33:10.000000000 +0000 
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -28,11 +28,13 @@ #include <string.h> #include <ctype.h> +#include "sf_types.h" #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" #include "sp_icmp_type_check.h" @@ -44,7 +46,7 @@ PreprocStats icmpTypePerfStats; extern PreprocStats ruleOTNEvalPerfStats; #endif - + #include "sfhashfcn.h" #include "detection_options.h" @@ -89,7 +91,7 @@ } /**************************************************************************** - * + * * Function: SetupIcmpTypeCheck() * * Purpose: Register the itype keyword and configuration function @@ -102,7 +104,7 @@ void SetupIcmpTypeCheck(void) { /* map the keyword to an initialization/processing function */ - RegisterRuleOption("itype", IcmpTypeCheckInit, NULL, OPT_TYPE_DETECTION); + RegisterRuleOption("itype", IcmpTypeCheckInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("itype", &icmpTypePerfStats, 3, &ruleOTNEvalPerfStats); #endif @@ -111,7 +113,7 @@ /**************************************************************************** - * + * * Function: IcmpTypeCheckInit(char *, OptTreeNode *) * * Purpose: Initialize the rule data structs and parse the rule argument 
@@ -130,24 +132,24 @@ { FatalError("%s(%d): ICMP Options on non-ICMP rule\n", file_name, file_line); } - - /* multiple declaration check */ + + /* multiple declaration check */ if(otn->ds_list[PLUGIN_ICMP_TYPE]) { FatalError("%s(%d): Multiple ICMP type options in rule\n", file_name, file_line); } - + /* allocate the data structure and attach it to the rule's data struct list */ otn->ds_list[PLUGIN_ICMP_TYPE] = (IcmpTypeCheckData *) SnortAlloc(sizeof(IcmpTypeCheckData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseIcmpType(data, otn); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(IcmpTypeCheck, otn); fpl->type = RULE_OPTION_TYPE_ICMP_TYPE; @@ -157,7 +159,7 @@ /**************************************************************************** - * + * * Function: ParseIcmpType(char *, OptTreeNode *) * * Purpose: Process the itype argument and stick it in the data struct @@ -187,7 +189,7 @@ FatalError("%s (%d): No ICMP Type Specified\n", file_name, file_line); } - + /* get rid of spaces before the data */ while(isspace((int)*data)) data++; @@ -199,7 +201,7 @@ } /* - * if a range is specified, put the min in icmp_type, and the max in + * if a range is specified, put the min in icmp_type, and the max in * icmp_type2 */ @@ -286,7 +288,7 @@ } /**************************************************************************** - * + * * Function: IcmpTypeCheck(char *, OptTreeNode *) * * Purpose: Test the packet's ICMP type field value against the option's 
@@ -327,7 +329,7 @@ rval = DETECTION_OPTION_MATCH; break; case ICMP_TYPE_TEST_RG: - if (p->icmph->type > ds_ptr->icmp_type && + if (p->icmph->type > ds_ptr->icmp_type && p->icmph->type < ds_ptr->icmp_type2) rval = DETECTION_OPTION_MATCH; break; diff -Nru snort-2.8.5.2/src/detection-plugins/sp_icmp_type_check.h snort-2.9.2/src/detection-plugins/sp_icmp_type_check.h --- snort-2.8.5.2/src/detection-plugins/sp_icmp_type_check.h 2009-05-06 22:28:31.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_icmp_type_check.h 2011-02-09 23:23:02.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.8.5.2/src/detection-plugins/sp_ip_fragbits.c snort-2.9.2/src/detection-plugins/sp_ip_fragbits.c --- snort-2.8.5.2/src/detection-plugins/sp_ip_fragbits.c 2009-05-06 22:28:31.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_ip_fragbits.c 2011-06-08 00:33:10.000000000 +0000 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -21,17 +21,17 @@ /* Snort Detection Plugin Source File for IP Fragment Bits plugin */ -/* sp_ip_fragbits - * +/* sp_ip_fragbits + * * Purpose: * * Check the fragmentation bits of the IP header for set values. Possible * bits are don't fragment (DF), more fragments (MF), and reserved (RB). * * Arguments: - * + * * The keyword to reference this plugin is "fragbits". Possible arguments are - * D, M and R for DF, MF and RB, respectively. + * D, M and R for DF, MF and RB, respectively. * * Effect: * 
@@ -52,11 +52,13 @@ #include <ctype.h> #include <string.h> +#include "sf_types.h" #include "rules.h" +#include "treenodes.h" #include "plugbase.h" #include "decode.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" @@ -177,7 +179,7 @@ } /**************************************************************************** - * + * * Function: SetupFragBits() * * Purpose: Assign the keyword to the rules parser. @@ -190,7 +192,7 @@ void SetupFragBits(void) { /* map the keyword to an initialization/processing function */ - RegisterRuleOption("fragbits", FragBitsInit, NULL, OPT_TYPE_DETECTION); + RegisterRuleOption("fragbits", FragBitsInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("fragbits", &fragBitsPerfStats, 3, &ruleOTNEvalPerfStats); #endif @@ -200,7 +202,7 @@ /**************************************************************************** - * + * * Function: FragBitsInit(char *, OptTreeNode *) * * Purpose: Initialize the detection function and parse the arguments. 
@@ -215,29 +217,29 @@ void FragBitsInit(char *data, OptTreeNode *otn, int protocol) { OptFpList *fpl; - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_FRAG_BITS]) { FatalError("%s(%d): Multiple fragbits options in rule\n", file_name, file_line); } - + /* allocate the data structure and attach it to the rule's data struct list */ otn->ds_list[PLUGIN_FRAG_BITS] = (FragBitsData *) SnortAlloc(sizeof(FragBitsData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseFragBits(data, otn); - /* - * set the bitmask needed to mask off the IP offset field + /* + * set the bitmask needed to mask off the IP offset field * in the check function */ bitmask = htons(0xE000); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(CheckFragBits, otn); fpl->type = RULE_OPTION_TYPE_IP_FRAGBITS; @@ -247,7 +249,7 @@ /**************************************************************************** - * + * * Function: ParseFragBits(char *, OptTreeNode *) * * Purpose: This is the function that is used to process the option keyword's @@ -300,7 +302,7 @@ case 'M': /* more frags bit */ ds_ptr->frag_bits |= FB_MF; break; - + case 'r': case 'R': /* reserved bit */ ds_ptr->frag_bits |= FB_RB; 
@@ -309,24 +311,24 @@ case '!': /* NOT flag, fire if flags are not set */ ds_ptr->mode = FB_NOT; break; - + case '*': /* ANY flag, fire on any of these bits */ ds_ptr->mode = FB_ANY; break; - + case '+': /* ALL flag, fire on these bits plus any others */ ds_ptr->mode = FB_ALL; break; default: FatalError("[!] Line %s (%d): Bad Frag Bits = \"%c\"\n" - " Valid options are: RDM+!*\n", file_name, + " Valid options are: RDM+!*\n", file_name, file_line, *fptr); } - + fptr++; } - + /* put the bits in network order for fast comparisons */ ds_ptr->frag_bits = htons(ds_ptr->frag_bits); @@ -341,7 +343,7 @@ /**************************************************************************** - * + * * Function: CheckFragBits(Packet *p, OptTreeNode *otn, OptFpList *fp_list) * * Purpose: This function checks the frag bits in the packets @@ -364,7 +366,7 @@ } PREPROC_PROFILE_START(fragBitsPerfStats); - + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, " <!!> CheckFragBits: "); DebugMessage(DEBUG_PLUGIN, "[rule: 0x%X:%d pkt: 0x%X] ", fb->frag_bits, fb->mode, (GET_IPH_OFF(p)&bitmask));); @@ -373,7 +375,7 @@ { case FB_NORMAL: /* check if the rule bits match the bits in the packet */ - if(fb->frag_bits == (GET_IPH_OFF(p)&bitmask)) + if(fb->frag_bits == (GET_IPH_OFF(p)&bitmask)) { DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Got Normal bits match\n");); rval = DETECTION_OPTION_MATCH; @@ -396,7 +398,7 @@ DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"NOT test failed\n");); } break; - + case FB_ALL: /* check if the rule bits are present in the packet */ if((fb->frag_bits & (GET_IPH_OFF(p)&bitmask)) == fb->frag_bits) @@ -409,7 +411,7 @@ DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"ALL test failed\n");); } break; - + case FB_ANY: /* check if any of the rule bits match the bits in the packet */ if((fb->frag_bits & (GET_IPH_OFF(p)&bitmask)) != 0) @@ -433,7 +435,7 @@ /**************************************************************************** - * + * * Function: SetupFragOffset() * * Purpose: Assign the keyword to the rules parser. 
@@ -446,7 +448,7 @@ void SetupFragOffset(void) { /* map the keyword to an initialization/processing function */ - RegisterRuleOption("fragoffset", FragOffsetInit, NULL, OPT_TYPE_DETECTION); + RegisterRuleOption("fragoffset", FragOffsetInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("fragoffset", &fragOffsetPerfStats, 3, &ruleOTNEvalPerfStats); @@ -455,7 +457,7 @@ } /**************************************************************************** - * + * * Function: FragOffsetInit(char *, OptTreeNode *) * * Purpose: Initialize the detection function and parse the arguments. @@ -463,7 +465,7 @@ * Arguments: data => rule arguments/data * otn => pointer to the current rule option list node * protocol => protocol that must be specified to use this plugin - * + * * Returns: void function * ****************************************************************************/ @@ -474,11 +476,11 @@ rule's data struct list */ otn->ds_list[PLUGIN_FRAG_OFFSET] = (FragOffsetData *)SnortAlloc(sizeof(FragOffsetData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseFragOffset(data, otn); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(CheckFragOffset, otn); fpl->type = RULE_OPTION_TYPE_IP_FRAG_OFFSET; @@ -487,7 +489,7 @@ /**************************************************************************** - * + * * Function: ParseFragOffset(char *, OptTreeNode *) * * Purpose: This is the function that is used to process the option keyword's @@ -502,6 +504,7 @@ void ParseFragOffset(char *data, OptTreeNode *otn) { char *fptr; + char *endTok; FragOffsetData *ds_ptr; /* data struct pointer */ void *ds_ptr_dup; 
@@ -531,22 +534,27 @@ if(*fptr == '>') { - ds_ptr->comparison_flag = GREATER_THAN; - fptr++; + if(!ds_ptr->not_flag) + { + ds_ptr->comparison_flag = GREATER_THAN; + fptr++; + } } if(*fptr == '<') { - ds_ptr->comparison_flag = LESS_THAN; - fptr++; + if(!ds_ptr->comparison_flag && !ds_ptr->not_flag) + { + ds_ptr->comparison_flag = LESS_THAN; + fptr++; + } } - if(isdigit((int)*fptr)) + ds_ptr->offset = (uint16_t)SnortStrtoulRange(fptr, &endTok, 10, 0, UINT16_MAX); + if ((endTok == fptr) || (*endTok != '\0')) { - ds_ptr->offset = atoi(fptr); - } else { - FatalError("[!] Line %s (%d): Argument to fragoffset is not a number: %s\n", - file_name, file_line, fptr); + FatalError("%s(%d) => Invalid parameter '%s' to fragoffset (not a " + "number?) \n", file_name, file_line, fptr); } if (add_detection_option(RULE_OPTION_TYPE_IP_FRAG_OFFSET, (void *)ds_ptr, &ds_ptr_dup) == DETECTION_OPTION_EQUAL) @@ -558,7 +566,7 @@ } /**************************************************************************** - * + * * Function: CheckFragOffset(char *, OptTreeNode *) * * Purpose: Use this function to perform the particular detection routine @@ -568,7 +576,7 @@ * otn => pointer to the current rule's OTN * * Returns: If the detection test fails, this function *must* return a zero! - * On success, it calls the next function in the detection list + * On success, it calls the next function in the detection list * ****************************************************************************/ int CheckFragOffset(void *option_data, Packet *p) @@ -577,7 +585,7 @@ int p_offset = p->frag_offset * 8; int rval = DETECTION_OPTION_NO_MATCH; PROFILE_VARS; - + if(!IPH_IS_VALID(p)) { return rval; @@ -585,8 +593,8 @@ PREPROC_PROFILE_START(fragOffsetPerfStats); - -#ifdef DEBUG + +#ifdef DEBUG_MSGS DebugMessage(DEBUG_PLUGIN, "[!] Checking fragoffset %d against %d\n", ipd->offset, p->frag_offset * 8); 
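Review bot: In ParseFragOffset a `>` or `<` that follows an earlier `!` (or a second comparator) is now left unconsumed, because the inner `if(!ds_ptr->not_flag)` / `if(!ds_ptr->comparison_flag && !ds_ptr->not_flag)` skips the `fptr++`, so `fragoffset:!>5` falls through to `SnortStrtoulRange` and fails with the misleading `Invalid parameter '>5' to fragoffset (not a number?)`; `><5` does the same. Rejecting the leftover comparator explicitly before the number is parsed would give a useful diagnostic: `if (*fptr == '<' || *fptr == '>') FatalError("%s(%d) => fragoffset: only one of '!', '<' or '>' may be given\n", file_name, file_line);`. The `!` handling and the start of ParseFragOffset lie before this hunk, so I am inferring that `not_flag` is set there.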
@@ -629,7 +637,7 @@ } } } - + /* if the test isn't successful, this function *must* return 0 */ PREPROC_PROFILE_END(fragOffsetPerfStats); return rval; diff -Nru snort-2.8.5.2/src/detection-plugins/sp_ip_fragbits.h snort-2.9.2/src/detection-plugins/sp_ip_fragbits.h --- snort-2.8.5.2/src/detection-plugins/sp_ip_fragbits.h 2009-05-06 22:28:31.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_ip_fragbits.h 2011-02-09 23:23:02.000000000 +0000 @@ -1,7 +1,7 @@ /* $Id$ */ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.8.5.2/src/detection-plugins/sp_ip_id_check.c snort-2.9.2/src/detection-plugins/sp_ip_id_check.c --- snort-2.8.5.2/src/detection-plugins/sp_ip_id_check.c 2009-05-06 22:28:32.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_ip_id_check.c 2011-06-08 00:33:10.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -28,11 +28,13 @@ #include <stdlib.h> #include <ctype.h> +#include "sf_types.h" #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "parser.h" #include "plugbase.h" -#include "debug.h" +#include "snort_debug.h" #include "plugin_enum.h" #include "util.h" @@ -87,7 +89,7 @@ } /**************************************************************************** - * + * * Function: SetupIpIdCheck() * * Purpose: Associate the id keyword with IpIdCheckInit 
@@ -100,7 +102,7 @@ void SetupIpIdCheck(void) { /* map the keyword to an initialization/processing function */ - RegisterRuleOption("id", IpIdCheckInit, NULL, OPT_TYPE_DETECTION); + RegisterRuleOption("id", IpIdCheckInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("id", &ipIdPerfStats, 3, &ruleOTNEvalPerfStats); #endif @@ -110,7 +112,7 @@ /**************************************************************************** - * + * * Function: IpIdCheckInit(char *, OptTreeNode *) * * Purpose: Setup the id data struct and link the function into option @@ -125,23 +127,23 @@ void IpIdCheckInit(char *data, OptTreeNode *otn, int protocol) { OptFpList *fpl; - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_IP_ID_CHECK]) { FatalError("%s(%d): Multiple IP id options in rule\n", file_name, file_line); } - + /* allocate the data structure and attach it to the rule's data struct list */ otn->ds_list[PLUGIN_IP_ID_CHECK] = (IpIdCheckData *) SnortAlloc(sizeof(IpIdCheckData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseIpId(data, otn); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(IpIdCheckEq, otn); fpl->type = RULE_OPTION_TYPE_IP_ID; @@ -151,10 +153,10 @@ /**************************************************************************** - * + * * Function: ParseIpId(char *, OptTreeNode *) * - * Purpose: Convert the id option argument to data and plug it into the + * Purpose: Convert the id option argument to data and plug it into the * data structure * * Arguments: data => argument data 
@@ -167,6 +169,8 @@ { IpIdCheckData *ds_ptr; /* data struct pointer */ void *ds_ptr_dup; + int ip_id; + char *endTok; /* set the ds pointer to make it easier to reference the option's particular data struct */ @@ -178,7 +182,13 @@ data++; } - ds_ptr->ip_id = htons( (u_short) atoi(data)); + ip_id = SnortStrtolRange(data, &endTok, 10, 0, UINT16_MAX); + if ((endTok == data) || (*endTok != '\0')) + { + FatalError("%s(%d) => Invalid parameter '%s' to id (not a " + "number?) \n", file_name, file_line, data); + } + ds_ptr->ip_id = htons( (u_short) ip_id); if (add_detection_option(RULE_OPTION_TYPE_IP_ID, (void *)ds_ptr, &ds_ptr_dup) == DETECTION_OPTION_EQUAL) { @@ -191,7 +201,7 @@ /**************************************************************************** - * + * * Function: IpIdCheckEq(char *, OptTreeNode *) * * Purpose: Test the ip header's id field to see if its value is equal to the diff -Nru snort-2.8.5.2/src/detection-plugins/sp_ip_id_check.h snort-2.9.2/src/detection-plugins/sp_ip_id_check.h --- snort-2.8.5.2/src/detection-plugins/sp_ip_id_check.h 2009-05-06 22:28:32.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_ip_id_check.h 2011-02-09 23:23:02.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.8.5.2/src/detection-plugins/sp_ipoption_check.c snort-2.9.2/src/detection-plugins/sp_ipoption_check.c --- snort-2.8.5.2/src/detection-plugins/sp_ipoption_check.c 2009-05-06 22:28:33.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_ipoption_check.c 2011-06-08 00:33:10.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify 
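Review bot: `ds_ptr->ip_id = htons( (u_short) ip_id);` keeps the old `u_short` cast although this file now includes sf_types.h and the value has just been bounded to 0..UINT16_MAX; the sibling hunks in sp_ip_fragbits.c and sp_ip_tos_check.c cast to the fixed-width type, so `ds_ptr->ip_id = htons((uint16_t)ip_id);` keeps the three parsers consistent. `ip_id` is declared `int` while SnortStrtolRange presumably returns `long`, and the implicit narrowing is only lossless because of the range bound, which deserves a comment such as `/* range-checked above, so narrowing to int is lossless */`. ParseIpId's body starts before this hunk.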
@@ -28,11 +28,13 @@ #include <ctype.h> #include <string.h> +#include "sf_types.h" #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" @@ -89,7 +91,7 @@ } /**************************************************************************** - * + * * Function: SetupTemplate() * * Purpose: Generic detection engine plugin template. Registers the @@ -103,7 +105,7 @@ void SetupIpOptionCheck(void) { /* map the keyword to an initialization/processing function */ - RegisterRuleOption("ipopts", IpOptionInit, NULL, OPT_TYPE_DETECTION); + RegisterRuleOption("ipopts", IpOptionInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("ipopts", &ipOptionPerfStats, 3, &ruleOTNEvalPerfStats); #endif @@ -112,10 +114,10 @@ /**************************************************************************** - * + * * Function: TemplateInit(char *, OptTreeNode *) * - * Purpose: Generic rule configuration function. Handles parsing the rule + * Purpose: Generic rule configuration function. Handles parsing the rule * information and attaching the associated detection function to * the OTN. * @@ -128,7 +130,7 @@ void IpOptionInit(char *data, OptTreeNode *otn, int protocol) { OptFpList *fpl; - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_IPOPTION_CHECK]) { FatalError("%s(%d): Multiple ipopts options in rule\n", file_name, 
@@ -140,11 +142,11 @@ otn->ds_list[PLUGIN_IPOPTION_CHECK] = (IpOptionData *) SnortAlloc(sizeof(IpOptionData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseIpOptionData(data, otn); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(CheckIpOptions, otn); fpl->type = RULE_OPTION_TYPE_IP_OPTION; @@ -154,7 +156,7 @@ /**************************************************************************** - * + * * Function: TemplateRuleParseFunction(char *, OptTreeNode *) * * Purpose: This is the function that is used to process the option keyword's @@ -181,7 +183,7 @@ } while(isspace((u_char)*data)) - data++; + data++; if(strcasecmp(data, "rr") == 0) @@ -245,7 +247,7 @@ /**************************************************************************** - * + * * Function: TemplateDetectorFunction(char *, OptTreeNode *) * * Purpose: Use this function to perform the particular detection routine diff -Nru snort-2.8.5.2/src/detection-plugins/sp_ipoption_check.h snort-2.9.2/src/detection-plugins/sp_ipoption_check.h --- snort-2.8.5.2/src/detection-plugins/sp_ipoption_check.h 2009-05-06 22:28:33.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_ipoption_check.h 2011-02-09 23:23:03.000000000 +0000 
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.8.5.2/src/detection-plugins/sp_ip_proto.c snort-2.9.2/src/detection-plugins/sp_ip_proto.c --- snort-2.8.5.2/src/detection-plugins/sp_ip_proto.c 2009-05-06 22:28:32.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_ip_proto.c 2011-06-08 00:33:10.000000000 +0000 @@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -20,19 +20,19 @@ * ****************************************************************************/ -/* sp_ip_proto - * +/* sp_ip_proto + * * Purpose: * * Check the IP header's protocol field value. * * Arguments: - * + * * Number, protocol name, ! for negation * * Effect: * - * Success on protocol match, failure otherwise + * Success on protocol match, failure otherwise * * Comments: * @@ -53,10 +53,11 @@ #endif /* !WIN32 */ #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" #include "sp_ip_proto.h" @@ -72,7 +73,7 @@ #include "detection_options.h" #define IP_PROTO__EQUAL 0 -#define IP_PROTO__NOT_EQUAL 1 +#define IP_PROTO__NOT_EQUAL 1 #define IP_PROTO__GREATER_THAN 2 #define IP_PROTO__LESS_THAN 3 @@ -121,7 +122,7 @@ /**************************************************************************** - * + * * Function: SetupIpProto() * * Purpose: Generic detection engine plugin ip_proto. Registers the 
@@ -136,7 +137,7 @@ void SetupIpProto(void) { /* map the keyword to an initialization/processing function */ - RegisterRuleOption("ip_proto", IpProtoInit, NULL, OPT_TYPE_DETECTION); + RegisterRuleOption("ip_proto", IpProtoInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("ip_proto", &ipProtoPerfStats, 3, &ruleOTNEvalPerfStats); #endif @@ -145,10 +146,10 @@ /**************************************************************************** - * + * * Function: IpProtoInit(char *, OptTreeNode *) * - * Purpose: Generic rule configuration function. Handles parsing the rule + * Purpose: Generic rule configuration function. Handles parsing the rule * information and attaching the associated detection function to * the OTN. * @@ -171,7 +172,7 @@ "\"ip\" rule.\n", file_name, file_line); } - /* multiple declaration check */ + /* multiple declaration check */ /*if(otn->ds_list[PLUGIN_IP_PROTO_CHECK]) { FatalError("%s(%d): Multiple ip_proto options in rule\n", file_name, @@ -184,11 +185,11 @@ rule's data struct list */ //otn->ds_list[PLUGIN_IP_PROTO_CHECK] = (IpProtoData *) calloc(sizeof(IpProtoData), sizeof(char)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ IpProtoRuleParseFunction(data, ipd); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ ofl = AddOptFuncToList(IpProtoDetectorFunction, otn); ofl->type = RULE_OPTION_TYPE_IP_PROTO; @@ -211,7 +212,7 @@ /**************************************************************************** - * + * * Function: IpProtoRuleParseFunction(char *, OptTreeNode *) * * Purpose: This is the function that is used to process the option keyword's 
@@ -233,22 +234,22 @@ if (*data == '!') { - ds_ptr->comparison_flag = IP_PROTO__NOT_EQUAL; + ds_ptr->comparison_flag = IP_PROTO__NOT_EQUAL; data++; } else if (*data == '>') { - ds_ptr->comparison_flag = IP_PROTO__GREATER_THAN; + ds_ptr->comparison_flag = IP_PROTO__GREATER_THAN; data++; } else if (*data == '<') { - ds_ptr->comparison_flag = IP_PROTO__LESS_THAN; + ds_ptr->comparison_flag = IP_PROTO__LESS_THAN; data++; } else { - ds_ptr->comparison_flag = IP_PROTO__EQUAL; + ds_ptr->comparison_flag = IP_PROTO__EQUAL; } /* check for a number or a protocol name */ @@ -257,7 +258,7 @@ unsigned long ip_proto; char *endptr; - ip_proto = strtoul(data, &endptr, 10); + ip_proto = SnortStrtoul(data, &endptr, 10); if ((errno == ERANGE) || (ip_proto >= NUM_IP_PROTOS)) { FatalError("%s(%d) Invalid protocol number for \"ip_proto\" " @@ -286,7 +287,7 @@ /**************************************************************************** - * + * * Function: IpProtoDetectorFunction(char *, OptTreeNode *) * * Purpose: Use this function to perform the particular detection routine @@ -296,7 +297,7 @@ * otn => pointer to the current rule's OTN * * Returns: If the detection test fails, this function *must* return a zero! - * On success, it calls the next function in the detection list + * On success, it calls the next function in the detection list * ****************************************************************************/ int IpProtoDetectorFunction(void *option_data, Packet *p) @@ -315,12 +316,12 @@ switch (ipd->comparison_flag) { - case IP_PROTO__EQUAL: + case IP_PROTO__EQUAL: if (GET_IPH_PROTO(p) == ipd->protocol) rval = DETECTION_OPTION_MATCH; break; - case IP_PROTO__NOT_EQUAL: + case IP_PROTO__NOT_EQUAL: if (GET_IPH_PROTO(p) != ipd->protocol) rval = DETECTION_OPTION_MATCH; break; @@ -369,7 +370,7 @@ proto_array[ipd->protocol] = 1; break; - case IP_PROTO__NOT_EQUAL: + case IP_PROTO__NOT_EQUAL: for (i = 0; i < ipd->protocol; i++) proto_array[i] = 1; for (i = i + 1; i < NUM_IP_PROTOS; i++) 
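Review bot: The test `if ((errno == ERANGE) || (ip_proto >= NUM_IP_PROTOS))` right after `ip_proto = SnortStrtoul(data, &endptr, 10);` depends on errno having been cleared beforehand, and no `errno = 0;` is visible in the hunk or its context; if SnortStrtoul does not reset errno itself, a stale ERANGE left by an earlier library call turns a valid `ip_proto` argument into a FatalError. Either add `errno = 0;` before the call or document the wrapper's contract on the line, e.g. `/* SnortStrtoul clears errno before strtoul -- TODO confirm */`. `endptr` is not examined in the visible lines, so trailing characters after the number may be accepted unless the code after the hunk checks it. IpProtoRuleParseFunction continues outside this hunk.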
@@ -396,7 +397,7 @@ } /* - * Extract the IP Protocol field. + * Extract the IP Protocol field. */ int GetOtnIpProto(OptTreeNode *otn) { @@ -404,9 +405,9 @@ if (otn == NULL) return -1; - + ipd = (IpProtoData *)otn->ds_list[PLUGIN_IP_PROTO_CHECK]; - + if ((ipd != NULL) && (ipd->comparison_flag == IP_PROTO__EQUAL)) return (int)ipd->protocol; diff -Nru snort-2.8.5.2/src/detection-plugins/sp_ip_proto.h snort-2.9.2/src/detection-plugins/sp_ip_proto.h --- snort-2.8.5.2/src/detection-plugins/sp_ip_proto.h 2009-01-26 16:23:20.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_ip_proto.h 2011-02-09 23:23:03.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -24,6 +24,7 @@ #define __SP_IP_PROTO_H__ #include "rules.h" +#include "treenodes.h" #include "sf_types.h" void SetupIpProto(void); diff -Nru snort-2.8.5.2/src/detection-plugins/sp_ip_same_check.c snort-2.9.2/src/detection-plugins/sp_ip_same_check.c --- snort-2.8.5.2/src/detection-plugins/sp_ip_same_check.c 2009-05-06 22:28:32.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_ip_same_check.c 2011-06-08 00:33:10.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** Copyright (C) 2001 Phil Wood <cpw@lanl.gov> ** @@ -29,11 +29,13 @@ #include <stdlib.h> #include <ctype.h> +#include "sf_types.h" #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" 
@@ -79,7 +81,7 @@ /**************************************************************************** - * + * * Function: SetupIpSameCheck() * * Purpose: Associate the same keyword with IpSameCheckInit @@ -92,7 +94,7 @@ void SetupIpSameCheck(void) { /* map the keyword to an initialization/processing function */ - RegisterRuleOption("sameip", IpSameCheckInit, NULL, OPT_TYPE_DETECTION); + RegisterRuleOption("sameip", IpSameCheckInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("sameip", &ipSamePerfStats, 3, &ruleOTNEvalPerfStats); #endif @@ -101,7 +103,7 @@ /**************************************************************************** - * + * * Function: IpSameCheckInit(char *, OptTreeNode *) * * Purpose: Setup the same data struct and link the function into option @@ -118,7 +120,7 @@ OptFpList *fpl; void *ds_ptr_dup; - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_IP_SAME_CHECK]) { FatalError("%s(%d): Multiple sameip options in rule\n", file_name, @@ -131,7 +133,7 @@ //otn->ds_list[PLUGIN_IP_SAME_CHECK] = (IpSameData *) // SnortAlloc(sizeof(IpSameData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseIpSame(data, otn); @@ -140,7 +142,7 @@ //otn->ds_list[PLUGIN_IP_SAME_CHECK] = ds_ptr_dup; } - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(IpSameCheck, otn); fpl->type = RULE_OPTION_TYPE_IP_SAME; 
@@ -149,10 +151,10 @@ /**************************************************************************** - * + * * Function: ParseIpSame(char *, OptTreeNode *) * - * Purpose: Convert the id option argument to data and plug it into the + * Purpose: Convert the id option argument to data and plug it into the * data structure * * Arguments: data => argument data @@ -185,7 +187,7 @@ /**************************************************************************** - * + * * Function: IpSameCheck(char *, OptTreeNode *) * * Purpose: Test the ip header's id field to see if its value is equal to the diff -Nru snort-2.8.5.2/src/detection-plugins/sp_ip_same_check.h snort-2.9.2/src/detection-plugins/sp_ip_same_check.h --- snort-2.8.5.2/src/detection-plugins/sp_ip_same_check.h 2009-05-06 22:28:33.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_ip_same_check.h 2011-02-09 23:23:03.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** Copyright (C) 2001 Phil Wood <cpw@lanl.gov> ** diff -Nru snort-2.8.5.2/src/detection-plugins/sp_ip_tos_check.c snort-2.9.2/src/detection-plugins/sp_ip_tos_check.c --- snort-2.8.5.2/src/detection-plugins/sp_ip_tos_check.c 2009-05-06 22:28:33.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_ip_tos_check.c 2011-06-08 00:33:10.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -33,11 +33,13 @@ #include <strings.h> #endif +#include "sf_types.h" #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "plugin_enum.h" #include "util.h" 
@@ -96,7 +98,7 @@ /**************************************************************************** - * + * * Function: SetupIpTosCheck() * * Purpose: Associate the tos keyword with IpTosCheckInit @@ -109,7 +111,7 @@ void SetupIpTosCheck(void) { /* map the keyword to an initialization/processing function */ - RegisterRuleOption("tos", IpTosCheckInit, NULL, OPT_TYPE_DETECTION); + RegisterRuleOption("tos", IpTosCheckInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("tos", &ipTosPerfStats, 3, &ruleOTNEvalPerfStats); #endif @@ -118,7 +120,7 @@ /**************************************************************************** - * + * * Function: IpTosCheckInit(char *, OptTreeNode *) * * Purpose: Setup the tos data struct and link the function into option @@ -133,7 +135,7 @@ void IpTosCheckInit(char *data, OptTreeNode *otn, int protocol) { OptFpList *fpl; - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_IP_TOS_CHECK]) { FatalError("%s(%d): Multiple IP tos options in rule\n", file_name, @@ -145,11 +147,11 @@ otn->ds_list[PLUGIN_IP_TOS_CHECK] = (IpTosCheckData *) SnortAlloc(sizeof(IpTosCheckData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseIpTos(data, otn); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(IpTosCheckEq, otn); fpl->type = RULE_OPTION_TYPE_IP_TOS; @@ -159,10 +161,10 @@ /**************************************************************************** - * + * * Function: ParseIpTos(char *, OptTreeNode *) * - * Purpose: Convert the tos option argument to data and plug it into the + * Purpose: Convert the tos option argument to data and plug it into the * data structure * * Arguments: data => argument data 
@@ -175,6 +177,8 @@ { IpTosCheckData *ds_ptr; /* data struct pointer */ void *ds_ptr_dup; + char *endTok; + char *start; /* set the ds pointer to make it easier to reference the option's particular data struct */ @@ -189,21 +193,38 @@ if(data[0] == '!') { ds_ptr->not_flag = 1; + start = &data[1]; + } + else + { + start = &data[0]; } - if(index(data, (int) 'x') == NULL && index(data, (int)'X') == NULL) + if(index(start, (int) 'x') == NULL && index(start, (int)'X') == NULL) { - ds_ptr->ip_tos = atoi(data); + ds_ptr->ip_tos = (uint8_t)SnortStrtoulRange(start, &endTok, 10, 0, UINT8_MAX); + if ((endTok == start) || (*endTok != '\0')) + { + FatalError("%s(%d) => Invalid parameter '%s' to 'tos' (not a " + "number?) \n", file_name, file_line, data); + } } else { - if(index(data,(int)'x')) + /* hex? */ + start = index(data,(int)'x'); + if(!start) + { + start = index(data,(int)'X'); + } + if (start) { - ds_ptr->ip_tos = (u_char) strtol((index(data, (int)'x')+1), NULL, 16); + ds_ptr->ip_tos = (uint8_t)SnortStrtoulRange(start+1, &endTok, 16, 0, UINT8_MAX); } - else + if (!start || (endTok == start+1) || (*endTok != '\0')) { - ds_ptr->ip_tos = (u_char) strtol((index(data, (int)'X')+1), NULL, 16); + FatalError("%s(%d) => Invalid parameter '%s' to 'tos' (not a " + "number?) \n", file_name, file_line, data); } } @@ -218,7 +239,7 @@ /**************************************************************************** - * + * * Function: IpTosCheckEq(char *, OptTreeNode *) * * Purpose: Test the ip header's tos field to see if its value is equal to the 
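Review bot: In the hex branch of the `@@ -189,21 +193,38 @@` hunk, `start = index(data,(int)'x');` locates the first `x`/`X` anywhere in the argument and parses only what follows it, so whatever precedes the marker (apart from the `!` handled above) is never validated and `tos:!junk0x10` is accepted as 0x10, while the decimal branch rejects every unparsed character. Requiring the marker to sit at `start`, or directly after a leading `0`, rejects such input while still accepting both `0x10` and the bare `x10` form the old `index(data,'x')` lookup allowed; the rewrite below does that and keeps the `!xpos` guard purely defensively. ParseIpTos continues after this hunk.
```c
    else
    {
        /* hex: accept "x.." or "0x.."; anything else before the marker is
         * rejected instead of being silently skipped. */
        char *xpos = index(start, (int)'x');
        if (!xpos)
        {
            xpos = index(start, (int)'X');
        }
        if (!xpos || ((xpos != start) && ((xpos != start + 1) || (start[0] != '0'))))
        {
            FatalError("%s(%d) => Invalid parameter '%s' to 'tos' (not a "
                       "number?) \n", file_name, file_line, data);
        }
        ds_ptr->ip_tos = (uint8_t)SnortStrtoulRange(xpos + 1, &endTok, 16, 0, UINT8_MAX);
        if ((endTok == xpos + 1) || (*endTok != '\0'))
        {
            FatalError("%s(%d) => Invalid parameter '%s' to 'tos' (not a "
                       "number?) \n", file_name, file_line, data);
        }
    }
```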
@@ -252,7 +273,7 @@ /* you can put debug comments here or not */ DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"No match\n");); } - + /* if the test isn't successful, return 0 */ PREPROC_PROFILE_END(ipTosPerfStats); return rval; diff -Nru snort-2.8.5.2/src/detection-plugins/sp_ip_tos_check.h snort-2.9.2/src/detection-plugins/sp_ip_tos_check.h --- snort-2.8.5.2/src/detection-plugins/sp_ip_tos_check.h 2009-05-06 22:28:33.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_ip_tos_check.h 2011-02-09 23:23:03.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.8.5.2/src/detection-plugins/sp_isdataat.c snort-2.9.2/src/detection-plugins/sp_isdataat.c --- snort-2.8.5.2/src/detection-plugins/sp_isdataat.c 2009-07-07 15:37:04.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_isdataat.c 2011-11-21 20:15:24.000000000 +0000 @@ -1,6 +1,6 @@ /* $Id$ */ /* - ** Copyright (C) 1998-2009 Sourcefire, Inc. + ** Copyright (C) 1998-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -19,7 +19,7 @@ */ /* sp_isdataat - * + * * Purpose: * Test a specific byte to see if there is data. (Basicly, rule keyword * into inBounds) @@ -29,7 +29,7 @@ * ["relative"] look for byte location relative to the end of the last * pattern match * ["rawbytes"] force use of the non-normalized buffer. - * + * * Sample: * alert tcp any any -> any 110 (msg:"POP3 user overflow"; \ * content:"USER"; isdataat:30,relative; content:!"|0a|"; within:30;) 
@@ -47,18 +47,21 @@ #endif #include <errno.h> -#include "bounds.h" +#include "sf_types.h" +#include "snort_bounds.h" #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "mstring.h" #include "snort.h" #include "profiler.h" #include "sp_isdataat.h" +#include "sp_byte_extract.h" #ifdef PERF_PROFILING PreprocStats isDataAtPerfStats; extern PreprocStats ruleOTNEvalPerfStats; @@ -66,6 +69,7 @@ #include "sfhashfcn.h" #include "detection_options.h" +#include "detection_util.h" extern char *file_name; /* this is the file name from rules.c, generally used for error messages */ @@ -73,10 +77,6 @@ extern int file_line; /* this is the file line number from rules.c that is used to indicate file lines for error messages */ -extern const uint8_t *doe_ptr; - -extern uint8_t DecodeBuffer[DECODE_BLEN]; - void IsDataAtInit(char *, OptTreeNode *, int); void IsDataAtParse(char *, IsDataAtData *, OptTreeNode *); int IsDataAt(void *option_data, Packet *p); @@ -90,6 +90,10 @@ b = data->flags; c = RULE_OPTION_TYPE_IS_DATA_AT; + mix(a,b,c); + + a += data->offset_var; + final(a,b,c); return c; @@ -102,9 +106,10 @@ if (!left || !right) return DETECTION_OPTION_NOT_EQUAL; - + if (( left->offset == right->offset) && - ( left->flags == right->flags)) + ( left->flags == right->flags) && + ( left->offset_var == right->offset_var) ) { return DETECTION_OPTION_EQUAL; } @@ -113,7 +118,7 @@ } /**************************************************************************** - * + * * Function: SetupIsDataAt() * * Purpose: Load 'er up 
@@ -126,7 +131,7 @@ void SetupIsDataAt(void) { /* map the keyword to an initialization/processing function */ - RegisterRuleOption("isdataat", IsDataAtInit, NULL, OPT_TYPE_DETECTION); + RegisterRuleOption("isdataat", IsDataAtInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("isdataat", &isDataAtPerfStats, 3, &ruleOTNEvalPerfStats); #endif @@ -136,10 +141,10 @@ /**************************************************************************** - * + * * Function: IsDataAt(char *, OptTreeNode *, int protocol) * - * Purpose: Generic rule configuration function. Handles parsing the rule + * Purpose: Generic rule configuration function. Handles parsing the rule * information and attaching the associated detection function to * the OTN. * @@ -162,11 +167,11 @@ if(idx == NULL) { - FatalError("%s(%d): Unable to allocate IsDataAt data node\n", + FatalError("%s(%d): Unable to allocate IsDataAt data node\n", file_name, file_line); } - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ IsDataAtParse(data, idx, otn); @@ -178,7 +183,7 @@ fpl = AddOptFuncToList(IsDataAt, otn); fpl->type = RULE_OPTION_TYPE_IS_DATA_AT; - + /* attach it to the context node so that we can call each instance * individually */ @@ -191,7 +196,7 @@ /**************************************************************************** - * + * * Function: IsDataAt(char *, IsDataAtData *, OptTreeNode *) * * Purpose: This is the function that is used to process the option keyword's 
@@ -211,26 +216,46 @@ int i; char *cptr; char *endp; + char *offset; toks = mSplit(data, ",", 3, &num_toks, 0); - if(num_toks > 3) + if(num_toks > 3) FatalError("%s (%d): Bad arguments to IsDataAt: %s\n", file_name, file_line, data); + offset = toks[0]; + if(*offset == '!') + { + idx->flags |= ISDATAAT_NOT_FLAG; + offset++; + while(isspace((int)*offset)) {offset++;} + } /* set how many bytes to process from the packet */ - idx->offset = strtol(toks[0], &endp, 10); - - if(toks[0] == endp) + if (isdigit(offset[0]) || offset[0] == '-') { - FatalError("%s(%d): Unable to parse as byte value %s\n", - file_name, file_line, toks[0]); - } + idx->offset = strtol(offset, &endp, 10); + idx->offset_var = -1; + + if(offset == endp) + { + FatalError("%s(%d): Unable to parse as byte value %s\n", + file_name, file_line, toks[0]); + } - if(idx->offset > 65535) + if(idx->offset > 65535) + { + FatalError("%s(%d): IsDataAt offset greater than max IPV4 packet size", + file_name, file_line); + } + } + else { - FatalError("%s(%d): IsDataAt offset greater than max IPV4 packet size", - file_name, file_line); + idx->offset_var = GetVarByName(offset); + if (idx->offset_var == BYTE_EXTRACT_NO_VAR) + { + FatalError("%s (%d): %s\n", file_name, file_line, BYTE_EXTRACT_INVALID_ERR_STR); + } } for (i=1; i< num_toks; i++) @@ -261,7 +286,7 @@ /**************************************************************************** - * + * * Function: IsDataAt(char *, OptTreeNode *, OptFpList *) * * Purpose: Use this function to perform the particular detection routine @@ -272,7 +297,7 @@ * fp_list => pointer to the function pointer list * * Returns: If the detection test fails, this function *must* return a zero! - * On success, it calls the next function in the detection list + * On success, it calls the next function in the detection list * ****************************************************************************/ int IsDataAt(void *option_data, Packet *p) 
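Review bot: `if (isdigit(offset[0]) || offset[0] == '-')` admits a negative literal, but `idx->offset = strtol(offset, &endp, 10);` stores it into a `uint32_t` field (`uint32_t offset;` in the sp_isdataat.h section), where the value wraps and is then rejected by the `> 65535` test with the misleading "greater than max IPV4 packet size" message; either negative offsets are intended and the field needs a signed type, or the sign should be checked on the `long` before it is stored. The hunk also differs from the sibling parsers in this diff (sp_ip_fragbits.c, sp_ip_id_check.c, sp_ip_tos_check.c), which reject trailing characters via `*endTok != '\0'`, so here `isdataat:30abc,relative` silently parses as 30. `isdigit` should receive an `unsigned char` (`isdigit((unsigned char)offset[0])`), since a plain `char` may be negative on some targets. IsDataAtParse begins before and ends after this hunk.
```c
    if (isdigit((unsigned char)offset[0]) || offset[0] == '-')
    {
        long off = strtol(offset, &endp, 10);
        idx->offset_var = -1;

        if ((offset == endp) || (*endp != '\0'))
        {
            FatalError("%s(%d): Unable to parse as byte value %s\n",
                       file_name, file_line, toks[0]);
        }

        /* idx->offset is unsigned: reject a negative value before storing it */
        if ((off < 0) || (off > 65535))
        {
            FatalError("%s(%d): IsDataAt offset must be between 0 and 65535, got %ld\n",
                       file_name, file_line, off);
        }
        idx->offset = (uint32_t)off;
    }
    /* … unchanged: byte_extract variable branch and option-flag loop … */
```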
@@ -291,46 +316,65 @@
 return rval;
 }
+ /* Get values from byte_extract variables, if present. */
+ if (isdata->offset_var >= 0 && isdata->offset_var < NUM_BYTE_EXTRACT_VARS)
+ {
+ GetByteExtractValue(&(isdata->offset), isdata->offset_var);
+ }
+
 if (isdata->flags & ISDATAAT_RAWBYTES_FLAG)
 {
 /* Rawbytes specified, force use of that buffer */
 dsize = p->dsize;
 start_ptr = p->data;
- DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
+ DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
 "Using RAWBYTES buffer!\n"););
 }
- else if(p->packet_flags & PKT_ALT_DECODE)
+ else if (Is_DetectFlag(FLAG_ALT_DETECT))
+ {
+ dsize = DetectBuffer.len;
+ start_ptr = DetectBuffer.data;
+ DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
+ "Using Alternative Detect buffer!\n"););
+ }
+ else if(Is_DetectFlag(FLAG_ALT_DECODE))
 {
 /* If normalized buffer available, use it... */
- dsize = p->alt_dsize;
- start_ptr = DecodeBuffer;
- DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
+ dsize = DecodeBuffer.len;
+ start_ptr = DecodeBuffer.data;
+ DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
 "Using Alternative Decode buffer!\n"););
 }
 else
 {
- dsize = p->dsize;
+ if(IsLimitedDetect(p))
+ dsize = p->alt_dsize;
+ else
+ dsize = p->dsize;
 start_ptr = p->data;
 }
 base_ptr = start_ptr;
 end_ptr = start_ptr + dsize;
-
- if(doe_ptr)
+
+ if((isdata->flags & ISDATAAT_RELATIVE_FLAG) && doe_ptr)
 {
- if(!inBounds(start_ptr, end_ptr, doe_ptr))
+ DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
+ "Checking relative offset!\n"););
+
+ /* Because doe_ptr can be "end" in the last match,
+ * use end + 1 for upper bound
+ * Bound checked also after offset is applied
+ *
+ */
+ if(!inBounds(start_ptr, end_ptr + 1, doe_ptr))
 {
 DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "[*] isdataat bounds check failed..\n"););
 PREPROC_PROFILE_END(isDataAtPerfStats);
 return rval;
 }
- }
- if((isdata->flags & ISDATAAT_RELATIVE_FLAG) && doe_ptr)
- {
- DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
- "Checking relative offset!\n"););
 base_ptr = doe_ptr +
isdata->offset;
 }
 else
diff -Nru snort-2.8.5.2/src/detection-plugins/sp_isdataat.h snort-2.9.2/src/detection-plugins/sp_isdataat.h
--- snort-2.8.5.2/src/detection-plugins/sp_isdataat.h 2009-07-07 15:37:04.000000000 +0000
+++ snort-2.9.2/src/detection-plugins/sp_isdataat.h 2011-02-09 23:23:03.000000000 +0000
@@ -1,5 +1,5 @@
 /*
-** Copyright (C) 2003-2009 Sourcefire, Inc.
+** Copyright (C) 2003-2011 Sourcefire, Inc.
 **
 ** Brian Caswell <bmc@snort.org>
 **
@@ -33,6 +33,7 @@
 uint32_t offset; /* byte location into the packet */
 uint8_t flags; /* relative to the doe_ptr? */
 /* rawbytes buffer? */
+ int8_t offset_var; /* index of byte_extract variable for offset */
 } IsDataAtData;
 void SetupIsDataAt(void);
diff -Nru snort-2.8.5.2/src/detection-plugins/sp_pattern_match.c snort-2.9.2/src/detection-plugins/sp_pattern_match.c
--- snort-2.8.5.2/src/detection-plugins/sp_pattern_match.c 2009-08-10 20:41:44.000000000 +0000
+++ snort-2.9.2/src/detection-plugins/sp_pattern_match.c 2011-11-21 20:15:24.000000000 +0000
@@ -1,5 +1,6 @@
+/* $Id$ */
 /*
-** Copyright (C) 2002-2009 Sourcefire, Inc.
+** Copyright (C) 2002-2011 Sourcefire, Inc.
 ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
 **
 ** This program is free software; you can redistribute it and/or modify
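Review bot: The offset fetched by `GetByteExtractValue(&(isdata->offset), isdata->offset_var)` is never compared against the 65535 cap that IsDataAtParse applies to literal offsets, so a packet-derived value can be any `uint32_t` when it is added in `base_ptr = doe_ptr + isdata->offset;`. The new comment says the result is bounds-checked after the offset is applied, but that check is outside this hunk, and computing a pointer far beyond `end_ptr` before checking is already undefined behaviour; compare as integers first, e.g. `if (isdata->offset > (uint32_t)(end_ptr - doe_ptr)) { PREPROC_PROFILE_END(isDataAtPerfStats); return rval; }` placed right before the addition (this assumes the preceding `inBounds` call has established `start_ptr <= doe_ptr <= end_ptr`; I cannot see inBounds here). The same concern applies to the absolute-offset path that follows `else`, where `start_ptr + isdata->offset` presumably gets the same treatment. IsDataAt begins before this hunk and continues after it.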
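Review bot: The comment on the new `offset_var` field does not record the sentinel the parser stores in it: IsDataAtParse writes `-1` for a literal offset and IsDataAt only reads the variable when `offset_var >= 0`, so the header should say `int8_t offset_var; /* index of byte_extract variable for offset, or -1 when offset is a literal */`. Since the result of `GetVarByName` is narrowed into an `int8_t`, it is also worth a one-line note that NUM_BYTE_EXTRACT_VARS and BYTE_EXTRACT_NO_VAR are expected to fit in that width; their definitions are not visible in this diff.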
@@ -18,1933 +19,1341 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ -/* $Id$ */ - -/* +/* * 06/07/2007 - tw * Commented out 'content-list' code since it's considered broken and there * are no plans to fix it */ -#include <errno.h> - #ifdef HAVE_CONFIG_H -#include "config.h" +# include "config.h" #endif +#include <errno.h> #ifdef HAVE_STRINGS_H -#include <strings.h> +# include <strings.h> #endif - -#ifdef DEBUG -#include <assert.h> +#ifdef DEBUG_MSGS +# include <assert.h> #endif +#include "sf_types.h" #include "sp_pattern_match.h" #include "sp_replace.h" -#include "bounds.h" +#include "snort_bounds.h" #include "rules.h" +#include "treenodes.h" #include "plugbase.h" -#include "debug.h" +#include "snort_debug.h" #include "mstring.h" -#include "util.h" -#include "parser.h" /* why does parser.h define Add functions.. */ +#include "util.h" +#include "parser.h" #include "plugin_enum.h" #include "checksum.h" -#include "inline.h" #include "sfhashfcn.h" #include "spp_httpinspect.h" - #include "snort.h" #include "profiler.h" +#include "sfhashfcn.h" +#include "detection_options.h" +#include "sp_byte_extract.h" +#include "detection_util.h" + +/******************************************************************** + * Macros + ********************************************************************/ +#define MAX_PATTERN_SIZE 2048 +#define PM_FP_ONLY "only" +#define URIBUFS_SET(pmd, flags) (((pmd)->uri_buffer & (flags)) == (flags)) + +/******************************************************************** + * Global variables + ********************************************************************/ #ifdef PERF_PROFILING PreprocStats contentPerfStats; PreprocStats uricontentPerfStats; -extern PreprocStats ruleOTNEvalPerfStats; +#endif +int lastType = PLUGIN_PATTERN_MATCH; + +#if 0 +/* For OR patterns - not currently used */ +int list_file_line; /* current line being processed in the list file */ #endif -#define MAX_PATTERN_SIZE 2048 
+/******************************************************************** + * Extern variables + ********************************************************************/ +#ifdef PERF_PROFILING +extern PreprocStats ruleOTNEvalPerfStats; +#endif +/******************************************************************** + * Private function prototypes + ********************************************************************/ static void PayloadSearchInit(char *, OptTreeNode *, int); -//static void PayloadSearchListInit(char *, OptTreeNode *, int); -//static void ParseContentListFile(char *, OptTreeNode *, int); static void PayloadSearchUri(char *, OptTreeNode *, int); -static void PayloadSearchHttpBody(char *, OptTreeNode *, int); +static void PayloadSearchHttpMethod(char *, OptTreeNode *, int); static void PayloadSearchHttpUri(char *, OptTreeNode *, int); static void PayloadSearchHttpHeader(char *, OptTreeNode *, int); -static void PayloadSearchHttpMethod(char *, OptTreeNode *, int); static void PayloadSearchHttpCookie(char *, OptTreeNode *, int); -static void PayloadSearchFastPattern(char *data, OptTreeNode *otn, int protocol); -//void ParsePattern(char *, OptTreeNode *, int); -//int CheckANDPatternMatch(void *option_data, Packet *p); -//int CheckORPatternMatch(void *option_data, Packet *p); -//int CheckUriPatternMatch(void *option_data, Packet *p); +static void PayloadSearchHttpBody(char *, OptTreeNode *, int); +static void PayloadSearchHttpRawUri(char *, OptTreeNode *, int); +static void PayloadSearchHttpRawHeader(char *, OptTreeNode *, int); +//static void PayloadSearchHttpRawBody(char *, OptTreeNode *, int); +static void PayloadSearchHttpRawCookie(char *, OptTreeNode *, int); +static void PayloadSearchHttpStatCode(char *, OptTreeNode *, int); +static void PayloadSearchHttpStatMsg(char *, OptTreeNode *, int); static void PayloadSearchOffset(char *, OptTreeNode *, int); static void PayloadSearchDepth(char *, OptTreeNode *, int); -static void PayloadSearchNocase(char *, 
OptTreeNode *, int); static void PayloadSearchDistance(char *, OptTreeNode *, int); static void PayloadSearchWithin(char *, OptTreeNode *, int); +static void PayloadSearchNocase(char *, OptTreeNode *, int); static void PayloadSearchRawbytes(char *, OptTreeNode *, int); +static void PayloadSearchFastPattern(char *, OptTreeNode *, int); +static inline int HasFastPattern(OptTreeNode *, int); +static int32_t ParseInt(const char *, const char *); +static inline PatternMatchData * GetLastPmdError(OptTreeNode *, int, const char *); +static inline PatternMatchData * GetLastPmd(OptTreeNode *, int); +static void ValidateHttpContentModifiers(PatternMatchData *); +static void MovePmdToUriDsList(OptTreeNode *, PatternMatchData *); +static char *PayloadExtractParameter(char *, int *); +static inline void ValidateContent(PatternMatchData *, int); +static unsigned int GetMaxJumpSize(char *, int); +static inline int computeWithin(int, PatternMatchData *); +static int uniSearch(const char *, int, PatternMatchData *); static int uniSearchReal(const char *data, int dlen, PatternMatchData *pmd, int nocase); -//PatternMatchData * NewNode(OptTreeNode *, int); -void PayloadSearchCompile(); - -int list_file_line; /* current line being processed in the list file */ -int lastType = PLUGIN_PATTERN_MATCH; -const uint8_t *doe_ptr; +#if 0 +/* Not currently used - DO NOT REMOVE */ +static inline int computeDepth(int dlen, PatternMatchData * pmd); +static int uniSearchREG(char * data, int dlen, PatternMatchData * pmd); +#endif -int detect_depth; /* depth to the first char of the match */ +#if 0 +static const char *format_uri_buffer_str(int, int, char *); +static void PayloadSearchListInit(char *, OptTreeNode *, int); +static void ParseContentListFile(char *, OptTreeNode *, int); +static void PrintDupDOTPmds(PatternMatchData *pmd, + PatternMatchData *pmd_dup, option_type_t type) +#endif -extern HttpUri UriBufs[URI_COUNT]; /* the set of buffers that we are using to match against - set in decode.c */ 
-extern uint8_t DecodeBuffer[DECODE_BLEN]; +/******************************************************************** + * Setup and parsing functions + ********************************************************************/ +void SetupPatternMatch(void) +{ + /* initial pmd setup options */ + RegisterRuleOption("content", PayloadSearchInit, NULL, OPT_TYPE_DETECTION, NULL); + RegisterRuleOption("uricontent", PayloadSearchUri, NULL, OPT_TYPE_DETECTION, NULL); + + /* http content modifiers */ + RegisterRuleOption("http_method", PayloadSearchHttpMethod, NULL, OPT_TYPE_DETECTION, NULL); + RegisterRuleOption("http_uri", PayloadSearchHttpUri, NULL, OPT_TYPE_DETECTION, NULL); + RegisterRuleOption("http_header", PayloadSearchHttpHeader, NULL, OPT_TYPE_DETECTION, NULL); + RegisterRuleOption("http_cookie", PayloadSearchHttpCookie, NULL, OPT_TYPE_DETECTION, NULL); + RegisterRuleOption("http_client_body", PayloadSearchHttpBody, NULL, OPT_TYPE_DETECTION, NULL); + RegisterRuleOption("http_raw_uri", PayloadSearchHttpRawUri, NULL, OPT_TYPE_DETECTION, NULL); + RegisterRuleOption("http_raw_header", PayloadSearchHttpRawHeader, NULL, OPT_TYPE_DETECTION, NULL); + /*RegisterRuleOption("http_raw_client_body", PayloadSearchHttpRawBody, NULL, OPT_TYPE_DETECTION, NULL);*/ + RegisterRuleOption("http_raw_cookie", PayloadSearchHttpRawCookie, NULL, OPT_TYPE_DETECTION, NULL); + RegisterRuleOption("http_stat_code", PayloadSearchHttpStatCode, NULL, OPT_TYPE_DETECTION, NULL); + RegisterRuleOption("http_stat_msg", PayloadSearchHttpStatMsg, NULL, OPT_TYPE_DETECTION, NULL); + + /* pattern offsets and depths */ + RegisterRuleOption("offset", PayloadSearchOffset, NULL, OPT_TYPE_DETECTION, NULL); + RegisterRuleOption("depth", PayloadSearchDepth, NULL, OPT_TYPE_DETECTION, NULL); + + /* distance and within are offset and depth, but relative to last match */ + RegisterRuleOption("distance", PayloadSearchDistance, NULL, OPT_TYPE_DETECTION, NULL); + RegisterRuleOption("within", PayloadSearchWithin, NULL, 
OPT_TYPE_DETECTION, NULL); + + /* other modifiers */ + RegisterRuleOption("nocase", PayloadSearchNocase, NULL, OPT_TYPE_DETECTION, NULL); + RegisterRuleOption("rawbytes", PayloadSearchRawbytes, NULL, OPT_TYPE_DETECTION, NULL); + RegisterRuleOption("fast_pattern", PayloadSearchFastPattern, NULL, OPT_TYPE_DETECTION, NULL); + RegisterRuleOption("replace", PayloadReplaceInit, NULL, OPT_TYPE_DETECTION, NULL); -extern char *file_name; -extern int file_line; +#if 0 + /* Not implemented yet */ + RegisterRuleOption("content-list", PayloadSearchListInit, NULL, OPT_TYPE_DETECTION, NULL); +#endif -#include "sfhashfcn.h" -#include "detection_options.h" +#ifdef PERF_PROFILING + RegisterPreprocessorProfile("content", &contentPerfStats, 3, &ruleOTNEvalPerfStats); + RegisterPreprocessorProfile("uricontent", &uricontentPerfStats, 3, &ruleOTNEvalPerfStats); +#endif + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Plugin: PatternMatch Initialized!\n");); +} -void PatternMatchFree(void *d) +static void PayloadSearchInit(char *data, OptTreeNode * otn, int protocol) { - PatternMatchData *pmd = (PatternMatchData *)d; - - if (pmd == NULL) - return; + OptFpList *fpl; + PatternMatchData *pmd; + char *data_end; + char *data_dup; + char *opt_data; + int opt_len = 0; + char *next_opt; - if (pmd->pattern_buf) - free(pmd->pattern_buf); - if (pmd->replace_buf) - free(pmd->replace_buf); - if(pmd->skip_stride) - free(pmd->skip_stride); - if(pmd->shift_stride) - free(pmd->shift_stride); + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "In PayloadSearchInit()\n");); - free(pmd); -} + /* whack a new node onto the list */ + pmd = NewNode(otn, PLUGIN_PATTERN_MATCH); + lastType = PLUGIN_PATTERN_MATCH; -uint32_t PatternMatchHash(void *d) -{ - uint32_t a,b,c,tmp; - unsigned int i,j,k,l; - PatternMatchData *pmd = (PatternMatchData *)d; + if (!data) + ParseError("No Content Pattern specified!"); - a = pmd->exception_flag; - b = pmd->offset; - c = pmd->depth; + data_dup = SnortStrdup(data); + data_end = 
data_dup + strlen(data_dup); - mix(a,b,c); + opt_data = PayloadExtractParameter(data_dup, &opt_len); - a += pmd->distance; - b += pmd->within; - c += pmd->rawbytes; - - mix(a,b,c); + /* set up the pattern buffer */ + ParsePattern(opt_data, otn, PLUGIN_PATTERN_MATCH); + next_opt = opt_data + opt_len; - a += pmd->nocase; - b += pmd->use_doe; - c += pmd->uri_buffer; - - mix(a,b,c); + /* link the plugin function in to the current OTN */ + fpl = AddOptFuncToList(CheckANDPatternMatch, otn); + fpl->type = RULE_OPTION_TYPE_CONTENT; + pmd->buffer_func = CHECK_AND_PATTERN_MATCH; - a += pmd->pattern_size; - b += pmd->replace_size; - c += pmd->pattern_max_jump_size; - - mix(a,b,c); + fpl->context = pmd; + pmd->fpl = fpl; - for (i=0,j=0;i<pmd->pattern_size;i+=4) + // if content is followed by any comma separated options, + // we have to parse them here. content related options + // separated by semicolons go straight to the callbacks. + while (next_opt < data_end) { - tmp = 0; - k = pmd->pattern_size - i; - if (k > 4) - k=4; - - for (l=0;l<k;l++) + char **opts; /* dbl ptr for mSplit call, holds rule tokens */ + int num_opts; /* holds number of tokens found by mSplit */ + char* opt1; + + next_opt++; + if (next_opt == data_end) + break; + + opt_len = 0; + opt_data = PayloadExtractParameter(next_opt, &opt_len); + if (!opt_data) + break; + + next_opt = opt_data + opt_len; + + opts = mSplit(opt_data, " \t", 2, &num_opts, 0); + + if (!opts) + continue; + opt1 = (num_opts == 2) ? 
opts[1] : NULL; + + if (!strcasecmp(opts[0], "offset")) { - tmp |= *(pmd->pattern_buf + i + l) << l*8; + PayloadSearchOffset(opt1, otn, protocol); } - - switch (j) + else if (!strcasecmp(opts[0], "depth")) { - case 0: - a += tmp; - break; - case 1: - b += tmp; - break; - case 2: - c += tmp; - break; + PayloadSearchDepth(opt1, otn, protocol); } - j++; - - if (j == 3) + else if (!strcasecmp(opts[0], "nocase")) { - mix(a,b,c); - j = 0; + PayloadSearchNocase(opt1, otn, protocol); } - } - - for (i=0;i<pmd->replace_size;i+=4) - { - tmp = 0; - k = pmd->replace_size - i; - if (k > 4) - k=4; - - for (l=0;l<k;l++) + else if (!strcasecmp(opts[0], "rawbytes")) { - tmp |= *(pmd->replace_buf + i + l) << l*8; + PayloadSearchRawbytes(opt1, otn, protocol); } - - switch (j) + else if (!strcasecmp(opts[0], "http_uri")) { - case 0: - a += tmp; - break; - case 1: - b += tmp; - break; - case 2: - c += tmp; - break; + PayloadSearchHttpUri(opt1, otn, protocol); } - j++; - - if (j == 3) + else if (!strcasecmp(opts[0], "http_client_body")) { - mix(a,b,c); - j = 0; + PayloadSearchHttpBody(opt1, otn, protocol); + } + else if (!strcasecmp(opts[0], "http_header")) + { + PayloadSearchHttpHeader(opt1, otn, protocol); + } + else if (!strcasecmp(opts[0], "http_method")) + { + PayloadSearchHttpMethod(opt1, otn, protocol); + } + else if (!strcasecmp(opts[0], "http_cookie")) + { + PayloadSearchHttpCookie(opt1, otn, protocol); + } + else if (!strcasecmp(opts[0], "http_raw_uri")) + { + PayloadSearchHttpRawUri(opt1, otn, protocol); + } + else if (!strcasecmp(opts[0], "http_raw_header")) + { + PayloadSearchHttpRawHeader(opt1, otn, protocol); + } + else if (!strcasecmp(opts[0], "http_raw_cookie")) + { + PayloadSearchHttpRawCookie(opt1, otn, protocol); + } + else if (!strcasecmp(opts[0], "http_stat_code")) + { + PayloadSearchHttpStatCode(opt1, otn, protocol); + } + else if (!strcasecmp(opts[0], "http_stat_msg")) + { + PayloadSearchHttpStatMsg(opt1, otn, protocol); + } + else if (!strcasecmp(opts[0], 
"fast_pattern")) + { + PayloadSearchFastPattern(opt1, otn, protocol); + } + else if (!strcasecmp(opts[0], "distance")) + { + PayloadSearchDistance(opt1, otn, protocol); + } + else if (!strcasecmp(opts[0], "within")) + { + PayloadSearchWithin(opt1, otn, protocol); + } + else if (!strcasecmp(opts[0], "replace")) + { + PayloadReplaceInit(opt1, otn, protocol); + } + else + { + ParseError("Invalid Content parameter specified!"); } + mSplitFree(&opts, num_opts); } - if (j != 0) - { - mix(a,b,c); - } - if (pmd->uri_buffer) - { - a += RULE_OPTION_TYPE_CONTENT_URI; - } - else - { - a += RULE_OPTION_TYPE_CONTENT; - } - b+= pmd->flags; + free(data_dup); - final(a,b,c); + if(pmd->use_doe == 1) + fpl->isRelative = 1; - return c; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "OTN function PatternMatch Added to rule!\n");); } -int PatternMatchCompare(void *l, void *r) +static void PayloadSearchUri(char *data, OptTreeNode * otn, int protocol) { - PatternMatchData *left = (PatternMatchData *)l; - PatternMatchData *right = (PatternMatchData *)r; - unsigned int i; - - if (!left || !right) - return DETECTION_OPTION_NOT_EQUAL; - - if (left->buffer_func != right->buffer_func) - return DETECTION_OPTION_NOT_EQUAL; - - /* Sizes will be most different, check that first */ - if ((left->pattern_size != right->pattern_size) || - (left->replace_size != right->replace_size) || - (left->nocase != right->nocase)) - return DETECTION_OPTION_NOT_EQUAL; - - /* Next compare the patterns for uniqueness */ - if (left->pattern_size) - { - if (left->nocase) - { - /* If nocase is set, do case insensitive compare on pattern */ - for (i=0;i<left->pattern_size;i++) - { - if (toupper(left->pattern_buf[i]) != toupper(right->pattern_buf[i])) - { - return DETECTION_OPTION_NOT_EQUAL; - } - } - } - else - { - /* If nocase is not set, do case sensitive compare on pattern */ - if (memcmp(left->pattern_buf, right->pattern_buf, left->pattern_size) != 0) - { - return DETECTION_OPTION_NOT_EQUAL; - } - } - } - - /* 
Check the replace pattern if exists */ - if (left->replace_size) - { - if (memcmp(left->replace_buf, right->replace_buf, left->replace_size) != 0) - { - return DETECTION_OPTION_NOT_EQUAL; - } - } - - /* Now check the rest of the options */ - if ((left->exception_flag == right->exception_flag) && - (left->offset == right->offset) && - (left->depth == right->depth) && - (left->distance == right->distance) && - (left->within == right->within) && - (left->rawbytes == right->rawbytes) && - (left->use_doe == right->use_doe) && - (left->uri_buffer == right->uri_buffer) && - (left->search == right->search) && - (left->pattern_max_jump_size == right->pattern_max_jump_size) && - (left->flags == right->flags)) - { - return DETECTION_OPTION_EQUAL; - } - - return DETECTION_OPTION_NOT_EQUAL; -} - -void FinalizeContentUniqueness(OptTreeNode *otn) -{ - OptFpList *opt_fp = otn->opt_func; - option_type_t option_type; - PatternMatchData *pmd; - void *pmd_dup; - - while (opt_fp) - { - if ((opt_fp->OptTestFunc == CheckANDPatternMatch) || - (opt_fp->OptTestFunc == CheckUriPatternMatch)) - { - pmd = (PatternMatchData *)opt_fp->context; - if (opt_fp->OptTestFunc == CheckANDPatternMatch) - option_type = RULE_OPTION_TYPE_CONTENT; - else - option_type = RULE_OPTION_TYPE_CONTENT_URI; - - if (add_detection_option(option_type, (void *)pmd, &pmd_dup) == DETECTION_OPTION_EQUAL) - { -#if 0 - PatternMatchData *pmd_dup_ptr = (PatternMatchData *)pmd_dup; - LogMessage("Duplicate %sContent:\n" - "%d %d %d %d %d %d %d %d %d %d\n" - "%d %d %d %d %d %d %d %d %d %d\n", - (opt_fp->OptTestFunc == CheckANDPatternMatch) ? 
"" : "Uri", - pmd->exception_flag, - pmd->offset, - pmd->depth, - pmd->distance, - pmd->within, - pmd->rawbytes, - pmd->nocase, - pmd->use_doe, - pmd->uri_buffer, - pmd->pattern_max_jump_size, - pmd_dup_ptr->exception_flag, - pmd_dup_ptr->offset, - pmd_dup_ptr->depth, - pmd_dup_ptr->distance, - pmd_dup_ptr->within, - pmd_dup_ptr->rawbytes, - pmd_dup_ptr->nocase, - pmd_dup_ptr->use_doe, - pmd_dup_ptr->uri_buffer, - pmd_dup_ptr->pattern_max_jump_size); -#endif -/* - for (i=0;i<pmd->pattern_size;i++) - { - LogMessage("0x%x 0x%x", pmd->pattern_buf[i], pmd_dup_ptr->pattern_buf[i]); - } - LogMessage("\n"); - for (i=0;i<pmd->replace_size;i++) - { - LogMessage("0x%x 0x%x", pmd->replace_buf[i], pmd_dup_ptr->replace_buf[i]); - } - LogMessage("\n"); - LogMessage("\n"); -*/ - if (pmd->buffer_func == CHECK_AND_PATTERN_MATCH) - { - if (pmd == otn->ds_list[PLUGIN_PATTERN_MATCH]) - { - otn->ds_list[PLUGIN_PATTERN_MATCH] = pmd_dup; - } - } - else if (pmd->buffer_func == CHECK_URI_PATTERN_MATCH) - { - if (pmd == otn->ds_list[PLUGIN_PATTERN_MATCH_URI]) - { - otn->ds_list[PLUGIN_PATTERN_MATCH_URI] = pmd_dup; - } - } - - PatternMatchFree(pmd); - - opt_fp->context = pmd_dup; - } - else - { -#if 0 - LogMessage("Unique %sContent\n", - (opt_fp->OptTestFunc == CheckANDPatternMatch) ? "" : "Uri"); -#endif - } - } - - opt_fp = opt_fp->next; - } - - return; -} - -void PatternMatchDuplicatePmd(void *src, PatternMatchData *pmd_dup) -{ - /* Oh, C++ where r u? can't we have a friggin' copy constructor? 
*/ - PatternMatchData *pmd_src = (PatternMatchData *)src; - if (!pmd_src || !pmd_dup) - return; - - pmd_dup->exception_flag = pmd_src->exception_flag; - pmd_dup->offset = pmd_src->offset; - pmd_dup->depth = pmd_src->depth; - pmd_dup->distance = pmd_src->distance; - pmd_dup->within = pmd_src->within; - pmd_dup->rawbytes = pmd_src->rawbytes; - pmd_dup->nocase = pmd_src->nocase; - pmd_dup->use_doe = pmd_src->use_doe; - pmd_dup->uri_buffer = pmd_src->uri_buffer; - pmd_dup->buffer_func = pmd_src->buffer_func; - pmd_dup->pattern_size = pmd_src->pattern_size; - pmd_dup->replace_size = pmd_src->replace_size; - pmd_dup->replace_buf = pmd_src->replace_buf; - pmd_dup->pattern_buf = pmd_src->pattern_buf; - pmd_dup->search = pmd_src->search; - pmd_dup->skip_stride = pmd_src->skip_stride; - pmd_dup->shift_stride = pmd_src->shift_stride; - pmd_dup->pattern_max_jump_size = pmd_src->pattern_max_jump_size; - pmd_dup->flags = pmd_src->flags; - - pmd_dup->last_check.ts.tv_sec = pmd_src->last_check.ts.tv_sec; - pmd_dup->last_check.ts.tv_usec = pmd_src->last_check.ts.tv_usec; - pmd_dup->last_check.packet_number = pmd_src->last_check.packet_number; - pmd_dup->last_check.rebuild_flag = pmd_src->last_check.rebuild_flag; - - pmd_dup->next = NULL; - pmd_dup->fpl = NULL; - - Replace_ResetOffset(pmd_dup); -} - -int PatternMatchAdjustRelativeOffsets(PatternMatchData *pmd, const uint8_t *orig_doe_ptr, const uint8_t *start_doe_ptr, const uint8_t *dp) -{ - int retval = 1; /* return 1 if still valid */ - - if (orig_doe_ptr) - { - if (((pmd->distance != 0) && ((int)(start_doe_ptr - orig_doe_ptr) > pmd->distance)) || - ((pmd->offset != 0) && ((int)(start_doe_ptr - orig_doe_ptr) > pmd->offset))) - { - /* This was relative to a previously found pattern. 
- * No space left to search, we're done */ - retval = 0; - } - - if (((pmd->within != 0) && ((int)(start_doe_ptr - orig_doe_ptr + pmd->pattern_size) > pmd->within)) || - ((pmd->depth != 0) && ((int)(start_doe_ptr - orig_doe_ptr + pmd->pattern_size) > pmd->depth))) - { - /* This was within to a previously found pattern. - * No space left to search, we're done */ - retval = 0; - } - } - else - { - if (((pmd->distance != 0) && (start_doe_ptr - dp > pmd->distance)) || - ((pmd->offset != 0) && (start_doe_ptr - dp > pmd->offset))) - { - /* This was relative to a beginning of packet. - * No space left to search, we're done */ - retval = 0; - } - - if (((pmd->within != 0) && ((int)(start_doe_ptr - dp + pmd->pattern_size) > pmd->within)) || - ((pmd->depth != 0) && ((int)(start_doe_ptr - dp + pmd->pattern_size) > pmd->depth))) - { - /* This was within to a previously found pattern. - * No space left to search, we're done */ - retval = 0; - } - } - return retval; -} - - -void SetupPatternMatch(void) -{ - RegisterRuleOption("content", PayloadSearchInit, NULL, OPT_TYPE_DETECTION); - //RegisterRuleOption("content-list", PayloadSearchListInit, NULL, OPT_TYPE_DETECTION); - RegisterRuleOption("offset", PayloadSearchOffset, NULL, OPT_TYPE_DETECTION); - RegisterRuleOption("depth", PayloadSearchDepth, NULL, OPT_TYPE_DETECTION); - RegisterRuleOption("nocase", PayloadSearchNocase, NULL, OPT_TYPE_DETECTION); - RegisterRuleOption("rawbytes", PayloadSearchRawbytes, NULL, OPT_TYPE_DETECTION); - RegisterRuleOption("uricontent", PayloadSearchUri, NULL, OPT_TYPE_DETECTION); - RegisterRuleOption("http_client_body", PayloadSearchHttpBody, NULL, OPT_TYPE_DETECTION); - RegisterRuleOption("http_uri", PayloadSearchHttpUri, NULL, OPT_TYPE_DETECTION); - RegisterRuleOption("http_header", PayloadSearchHttpHeader, NULL, OPT_TYPE_DETECTION); - RegisterRuleOption("http_method", PayloadSearchHttpMethod, NULL, OPT_TYPE_DETECTION); - RegisterRuleOption("http_cookie", PayloadSearchHttpCookie, NULL, 
OPT_TYPE_DETECTION); - RegisterRuleOption("fast_pattern", PayloadSearchFastPattern, NULL, OPT_TYPE_DETECTION); - RegisterRuleOption("distance", PayloadSearchDistance, NULL, OPT_TYPE_DETECTION); - RegisterRuleOption("within", PayloadSearchWithin, NULL, OPT_TYPE_DETECTION); - RegisterRuleOption("replace", PayloadReplaceInit, NULL, OPT_TYPE_DETECTION); - -#ifdef PERF_PROFILING - RegisterPreprocessorProfile("content", &contentPerfStats, 3, &ruleOTNEvalPerfStats); - RegisterPreprocessorProfile("uricontent", &uricontentPerfStats, 3, &ruleOTNEvalPerfStats); -#endif - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Plugin: PatternMatch Initialized!\n");); -} - -static INLINE int computeDepth(int dlen, PatternMatchData * pmd) -{ - /* do some tests to make sure we stay in bounds */ - if((pmd->depth + pmd->offset) > dlen) - { - /* we want to check only depth bytes anyway */ - int sub_depth = dlen - pmd->offset; - - if((sub_depth > 0) && (sub_depth >= (int)pmd->pattern_size)) - { - return sub_depth; - } - else - { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Pattern Match failed -- sub_depth: %d < " - "(int)pmd->pattern_size: %d!\n", - sub_depth, (int)pmd->pattern_size);); - - return -1; - } - } - else - { - if(pmd->depth && (dlen - pmd->offset > pmd->depth)) - { - return pmd->depth; - } - else - { - return dlen - pmd->offset; - } - } -} - -/* - * Figure out how deep the into the packet from the base_ptr we can go - * - * base_ptr = the offset into the payload relative to the last match plus the offset - * contained within the current pmd - * - * dlen = amount of data in the packet from the base_ptr to the end of the packet - * - * pmd = the patterm match data struct for this test - */ -static INLINE int computeWithin(int dlen, PatternMatchData *pmd) -{ - /* do we want to check more bytes than there are in the buffer? 
*/ - if(pmd->within > dlen) - { - /* should we just return -1 here since the data might actually be within - * the stream but not the current packet's payload? - */ - - /* if the buffer size is greater than the size of the pattern to match */ - if(dlen >= (int)pmd->pattern_size) - { - /* return the size of the buffer */ - return dlen; - } - else - { - /* failed, pattern size is greater than number of bytes in the buffer */ - return -1; - } - } - - /* the within vaule is in range of the number of buffer bytes */ - return pmd->within; -} - -#if 0 -/* not in use - delete? */ -static int uniSearchREG(char * data, int dlen, PatternMatchData * pmd) -{ - int depth = computeDepth(dlen, pmd); - /* int distance_adjustment = 0; - * int depth_adjustment = 0; - */ - int success = 0; - - if (depth < 0) - return 0; - - /* XXX DESTROY ME */ - /*success = mSearchREG(data + pmd->offset + distance_adjustment, - depth_adjustment!=0?depth_adjustment:depth, - pmd->pattern_buf, pmd->pattern_size, pmd->skip_stride, - pmd->shift_stride);*/ - - return success; -} -#endif - -/* - * case sensitive search - * - * data = ptr to buffer to search - * dlen = distance to the back of the buffer being tested, validated - * against offset + depth before function entry (not distance/within) - * pmd = pointer to pattern match data struct - */ - -static int uniSearch(const char *data, int dlen, PatternMatchData *pmd) -{ - return uniSearchReal(data, dlen, pmd, 0); -} - -/* - * case insensitive search - * - * data = ptr to buffer to search - * dlen = distance to the back of the buffer being tested, validated - * against offset + depth before function entry (not distance/within) - * pmd = pointer to pattern match data struct - */ -int uniSearchCI(const char *data, int dlen, PatternMatchData *pmd) -{ - return uniSearchReal(data, dlen, pmd, 1); -} - - -/* - * single search function. 
- * - * data = ptr to buffer to search - * dlen = distance to the back of the buffer being tested, validated - * against offset + depth before function entry (not distance/within) - * pmd = pointer to pattern match data struct - * nocase = 0 means case sensitve, 1 means case insensitive - * - * return 1 for found - * return 0 for not found - * return -1 for error (search out of bounds) - */ -static int uniSearchReal(const char *data, int dlen, PatternMatchData *pmd, int nocase) -{ - /* - * in theory computeDepth doesn't need to be called because the - * depth + offset adjustments have been made by the calling function - */ - int depth = dlen; - int old_depth = dlen; - int success = 0; - const char *start_ptr = data; - const char *end_ptr = data + dlen; - const char *base_ptr = start_ptr; - - DEBUG_WRAP(char *hexbuf;); - - - if(pmd->use_doe != 1) - { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "NOT Using Doe Ptr\n");); - doe_ptr = NULL; /* get rid of all our pattern match state */ - } - - /* check to see if we've got a stateful start point */ - if(doe_ptr) - { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Using Doe Ptr\n");); - - base_ptr = (const char *)doe_ptr; - depth = dlen - ((char *) doe_ptr - data); - } - else - { - base_ptr = start_ptr; - depth = dlen; - } - - /* if we're using a distance call */ - if(pmd->distance) - { - /* set the base pointer up for the distance */ - base_ptr += pmd->distance; - depth -= pmd->distance; - } - else /* otherwise just use the offset (validated by calling function) */ - { - base_ptr += pmd->offset; - depth -= pmd->offset; - } - - if(pmd->within != 0) - { - /* - * calculate the "real" depth based on the current base and available - * number of bytes in the buffer - * - * this should account for the current base_ptr as it relates to - * the back of the buffer being tested - */ - old_depth = depth; - - depth = computeWithin(depth, pmd); - - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Changing Depth from %d to %d\n", 
old_depth, depth);); - } - - /* make sure we and in range */ - if(!inBounds((const uint8_t *)start_ptr, (const uint8_t *)end_ptr, (const uint8_t *)base_ptr)) - { - - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "returning because base_ptr" - " is out of bounds start_ptr: %p end: %p base: %p\n", - start_ptr, end_ptr, base_ptr);); - return -1; - } - - if(depth < 0) - { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "returning because depth is negative (%d)\n", - depth);); - return -1; - } - - if(depth > dlen) - { - /* if offsets are negative but somehow before the start of the - packet, let's make sure that we get everything going - straight */ - depth = dlen; - } - - if((pmd->depth > 0) && (depth > pmd->depth)) - { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Setting new depth to %d from %d\n", - pmd->depth, depth);); - - depth = pmd->depth; - } - - /* make sure we end in range */ - if(!inBounds((const uint8_t *)start_ptr, (const uint8_t *)end_ptr, (const uint8_t *)(base_ptr + depth - 1))) - { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "returning because base_ptr + depth - 1" - " is out of bounds start_ptr: %p end: %p base: %p\n", - start_ptr, end_ptr, base_ptr);); - return 0; - } - -#ifdef DEBUG - assert(depth <= old_depth); - - DebugMessage(DEBUG_PATTERN_MATCH, "uniSearchReal:\n "); - - hexbuf = hex((u_char *)pmd->pattern_buf, pmd->pattern_size); - DebugMessage(DEBUG_PATTERN_MATCH, " p->data: %p\n doe_ptr: %p\n " - "base_ptr: %p\n depth: %d\n searching for: %s\n", - data, doe_ptr, base_ptr, depth, hexbuf); - free(hexbuf); -#endif /* DEBUG */ - - if(nocase) - { - success = mSearchCI(base_ptr, depth, - pmd->pattern_buf, - pmd->pattern_size, - pmd->skip_stride, - pmd->shift_stride); - } - else - { - success = mSearch(base_ptr, depth, - pmd->pattern_buf, - pmd->pattern_size, - pmd->skip_stride, - pmd->shift_stride); - } - - -#ifdef DEBUG - if(success) - { - DebugMessage(DEBUG_PATTERN_MATCH, "matched, doe_ptr: %p (%d)\n", - doe_ptr, ((char *)doe_ptr - 
data)); - } -#endif - - return success; -} - - -void make_precomp(PatternMatchData * idx) -{ - if(idx->skip_stride) - free(idx->skip_stride); - if(idx->shift_stride) - free(idx->shift_stride); - - idx->skip_stride = make_skip(idx->pattern_buf, idx->pattern_size); - - idx->shift_stride = make_shift(idx->pattern_buf, idx->pattern_size); -} - -#if 0 -void PayloadSearchListInit(char *data, OptTreeNode * otn, int protocol) -{ - char *sptr; - char *eptr; + PatternMatchData *pmd = NewNode(otn, PLUGIN_PATTERN_MATCH_URI); + OptFpList *fpl; - lastType = PLUGIN_PATTERN_MATCH_OR; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "In PayloadSearchUri()\n");); - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "In PayloadSearchListInit()\n");); + lastType = PLUGIN_PATTERN_MATCH_URI; - /* get the path/file name from the data */ - while(isspace((int) *data)) - data++; + /* set up the pattern buffer */ + ParsePattern(data, otn, PLUGIN_PATTERN_MATCH_URI); - /* grab everything between the starting " and the end one */ - sptr = index(data, '"'); - eptr = strrchr(data, '"'); + pmd->uri_buffer |= HTTP_SEARCH_URI; - if(sptr != NULL && eptr != NULL) - { - /* increment past the first quote */ - sptr++; + /* link the plugin function in to the current OTN */ + fpl = AddOptFuncToList(CheckUriPatternMatch, otn); - /* zero out the second one */ - *eptr = 0; - } - else - { - sptr = data; - } + fpl->type = RULE_OPTION_TYPE_CONTENT_URI; + pmd->buffer_func = CHECK_URI_PATTERN_MATCH; - /* read the content keywords from the list file */ - ParseContentListFile(sptr, otn, protocol); + fpl->context = pmd; + pmd->fpl = fpl; - /* link the plugin function in to the current OTN */ - AddOptFuncToList(CheckORPatternMatch, otn); + if (pmd->use_doe == 1) + fpl->isRelative = 1; - return; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "OTN function PatternMatch Added to rule!\n");); } -#endif -static char *PayloadExtractParameter(char *data, int *result_len) +static void PayloadSearchHttpMethod(char *data, OptTreeNode 
* otn, int protocol) { - char *quote_one = NULL, *quote_two = NULL; - char *comma = NULL; - - quote_one = index(data, '"'); - if (quote_one) - { - quote_two = index(quote_one+1, '"'); - while ( quote_two && quote_two[-1] == '\\' ) - quote_two = index(quote_two+1, '"'); - } - - if (quote_one && quote_two) - { - comma = index(quote_two, ','); - } - else if (!quote_one) - { - comma = index(data, ','); - } + PatternMatchData *pmd = GetLastPmdError(otn, lastType, "http_method"); - if (comma) - { - *result_len = comma - data; - *comma = '\0'; - } - else - { - *result_len = strlen(data); - } + if (data != NULL) + ParseError("'http_method' does not take an argument"); - return data; + pmd->uri_buffer |= HTTP_SEARCH_METHOD; + MovePmdToUriDsList(otn, pmd); } -void PayloadSearchInit(char *data, OptTreeNode * otn, int protocol) +static void PayloadSearchHttpUri(char *data, OptTreeNode * otn, int protocol) { - OptFpList *fpl; - PatternMatchData *pmd; - char *data_end; - char *data_dup; - char *opt_data; - int opt_len = 0; - char *next_opt; - - lastType = PLUGIN_PATTERN_MATCH; - - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "In PayloadSearchInit()\n");); - - /* whack a new node onto the list */ - pmd = NewNode(otn, PLUGIN_PATTERN_MATCH); - - if (!data) - { - FatalError("%s(%d) => No Content Pattern specified!\n", - file_name, file_line); - } + PatternMatchData *pmd = GetLastPmdError(otn, lastType, "http_uri"); - data_dup = SnortStrdup(data); - data_end = data_dup + strlen(data_dup); - - opt_data = PayloadExtractParameter(data_dup, &opt_len); + if (data != NULL) + ParseError("'http_uri' does not take an argument"); - /* set up the pattern buffer */ - ParsePattern(opt_data, otn, PLUGIN_PATTERN_MATCH); - next_opt = opt_data + opt_len; + pmd->uri_buffer |= HTTP_SEARCH_URI; + MovePmdToUriDsList(otn, pmd); +} - /* link the plugin function in to the current OTN */ - fpl = AddOptFuncToList(CheckANDPatternMatch, otn); - fpl->type = RULE_OPTION_TYPE_CONTENT; - pmd->buffer_func = 
CHECK_AND_PATTERN_MATCH; +static void PayloadSearchHttpHeader(char *data, OptTreeNode * otn, int protocol) +{ + PatternMatchData *pmd = GetLastPmdError(otn, lastType, "http_header"); - fpl->context = pmd; - pmd->fpl = fpl; + if (data != NULL) + ParseError("'http_header' does not take an argument"); - // if content is followed by any comma separated options, - // we have to parse them here. content related options - // separated by semicolons go straight to the callbacks. - while (next_opt < data_end) - { - char **opts; /* dbl ptr for mSplit call, holds rule tokens */ - int num_opts; /* holds number of tokens found by mSplit */ - char* opt1; + pmd->uri_buffer |= HTTP_SEARCH_HEADER; + MovePmdToUriDsList(otn, pmd); +} - next_opt++; - if (next_opt == data_end) - break; +static void PayloadSearchHttpCookie(char *data, OptTreeNode * otn, int protocol) +{ + PatternMatchData *pmd = GetLastPmdError(otn, lastType, "http_cookie"); - opt_len = 0; - opt_data = PayloadExtractParameter(next_opt, &opt_len); - if (!opt_data) - break; + if (data != NULL) + ParseError("'http_cookie' does not take an argument"); - next_opt = opt_data + opt_len; + pmd->uri_buffer |= HTTP_SEARCH_COOKIE; + MovePmdToUriDsList(otn, pmd); +} - opts = mSplit(opt_data, " \t", 2, &num_opts, 0); +static void PayloadSearchHttpBody(char *data, OptTreeNode * otn, int protocol) +{ + PatternMatchData *pmd = GetLastPmdError(otn, lastType, "http_client_body"); - if (!opts) - continue; - opt1 = (num_opts == 2) ? 
opts[1] : NULL; + if (data != NULL) + ParseError("'http_client_body' does not take an argument"); - if (!strcasecmp(opts[0], "offset")) - { - PayloadSearchOffset(opt1, otn, protocol); - } - else if (!strcasecmp(opts[0], "depth")) - { - PayloadSearchDepth(opt1, otn, protocol); - } - else if (!strcasecmp(opts[0], "nocase")) - { - PayloadSearchNocase(opt1, otn, protocol); - } - else if (!strcasecmp(opts[0], "rawbytes")) - { - PayloadSearchRawbytes(opt1, otn, protocol); - } - else if (!strcasecmp(opts[0], "http_uri")) - { - PayloadSearchHttpUri(opt1, otn, protocol); - } - else if (!strcasecmp(opts[0], "http_client_body")) - { - PayloadSearchHttpBody(opt1, otn, protocol); - } - else if (!strcasecmp(opts[0], "http_header")) - { - PayloadSearchHttpHeader(opt1, otn, protocol); - } - else if (!strcasecmp(opts[0], "http_method")) - { - PayloadSearchHttpMethod(opt1, otn, protocol); - } - else if (!strcasecmp(opts[0], "http_cookie")) - { - PayloadSearchHttpCookie(opt1, otn, protocol); - } - else if (!strcasecmp(opts[0], "fast_pattern")) - { - PayloadSearchFastPattern(opt1, otn, protocol); - } - else if (!strcasecmp(opts[0], "distance")) - { - PayloadSearchDistance(opt1, otn, protocol); - } - else if (!strcasecmp(opts[0], "within")) - { - PayloadSearchWithin(opt1, otn, protocol); - } - else if (!strcasecmp(opts[0], "replace")) - { - PayloadReplaceInit(opt1, otn, protocol); - } - else - { - FatalError("%s(%d) => Invalid Content parameter specified!\n", - file_name, file_line); - } - mSplitFree(&opts, num_opts); - } + pmd->uri_buffer |= HTTP_SEARCH_CLIENT_BODY; + MovePmdToUriDsList(otn, pmd); +} - free(data_dup); +static void PayloadSearchHttpRawUri(char *data, OptTreeNode * otn, int protocol) +{ + PatternMatchData *pmd = GetLastPmdError(otn, lastType, "http_raw_uri"); - if(pmd->use_doe == 1) - fpl->isRelative = 1; + if (data != NULL) + ParseError("'http_raw_uri' does not take an argument"); - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "OTN function PatternMatch Added to 
rule!\n");); + pmd->uri_buffer |= HTTP_SEARCH_RAW_URI; + MovePmdToUriDsList(otn, pmd); } - - -void PayloadSearchUri(char *data, OptTreeNode * otn, int protocol) +static void PayloadSearchHttpRawHeader(char *data, OptTreeNode * otn, int protocol) { - PatternMatchData * pmd; - OptFpList *fpl; - - if (!IsPreprocEnabled(PP_HTTPINSPECT)) - { - FatalError("(%s)%d => Please enable the HTTP Inspect preprocessor " - "before using the 'uricontent' modifier.\n", file_name, file_line); - } + PatternMatchData *pmd = GetLastPmdError(otn, lastType, "http_raw_header"); - lastType = PLUGIN_PATTERN_MATCH_URI; - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "In PayloadSearchUri()\n");); + if (data != NULL) + ParseError("'http_raw_header' does not take an argument"); - /* whack a new node onto the list */ - pmd = NewNode(otn, PLUGIN_PATTERN_MATCH_URI); + pmd->uri_buffer |= HTTP_SEARCH_RAW_HEADER; + MovePmdToUriDsList(otn, pmd); +} +static void PayloadSearchHttpRawCookie(char *data, OptTreeNode * otn, int protocol) +{ + PatternMatchData *pmd = GetLastPmdError(otn, lastType, "http_raw_cookie"); - /* set up the pattern buffer */ - ParsePattern(data, otn, PLUGIN_PATTERN_MATCH_URI); + if (data != NULL) + ParseError("'http_raw_cookie' does not take an argument"); - pmd->uri_buffer |= HTTP_SEARCH_URI; + pmd->uri_buffer |= HTTP_SEARCH_RAW_COOKIE; + MovePmdToUriDsList(otn, pmd); +} +static void PayloadSearchHttpStatCode(char *data, OptTreeNode * otn, int protocol) +{ + PatternMatchData *pmd = GetLastPmdError(otn, lastType, "http_stat_code"); -#ifdef PATTERN_FAST - pmd->search = uniSearch; - make_precomp(pmd); -#endif + if (data != NULL) + ParseError("'http_stat_code' does not take an argument"); - /* link the plugin function in to the current OTN */ - fpl = AddOptFuncToList(CheckUriPatternMatch, otn); + pmd->uri_buffer |= HTTP_SEARCH_STAT_CODE; + MovePmdToUriDsList(otn, pmd); +} +static void PayloadSearchHttpStatMsg(char *data, OptTreeNode * otn, int protocol) +{ + PatternMatchData *pmd = 
GetLastPmdError(otn, lastType, "http_stat_msg"); - fpl->type = RULE_OPTION_TYPE_CONTENT_URI; - pmd->buffer_func = CHECK_URI_PATTERN_MATCH; + if (data != NULL) + ParseError("'http_stat_msg' does not take an argument"); - fpl->context = pmd; - pmd->fpl = fpl; + pmd->uri_buffer |= HTTP_SEARCH_STAT_MSG; + MovePmdToUriDsList(otn, pmd); +} - if(pmd->use_doe == 1) - fpl->isRelative = 1; +typedef enum { + CMF_DISTANCE = 0x1, CMF_WITHIN = 0x2, CMF_OFFSET = 0x4, CMF_DEPTH = 0x8 +} ContentModifierFlags; - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "OTN function PatternMatch Added to rule!\n");); +static unsigned GetCMF (PatternMatchData* pmd) +{ + unsigned cmf = 0; + if ( (pmd->distance != 0) || (pmd->distance_var != -1) ) cmf |= CMF_DISTANCE; + if ( (pmd->within != 0) || (pmd->within_var != -1) ) cmf |= CMF_WITHIN; + if ( (pmd->offset != 0) || (pmd->offset_var != -1) ) cmf |= CMF_OFFSET; + if ( (pmd->depth != 0) || (pmd->depth_var != -1) ) cmf |= CMF_DEPTH; + return cmf; } +#define BAD_DISTANCE (CMF_DISTANCE | CMF_OFFSET | CMF_DEPTH) +#define BAD_WITHIN (CMF_WITHIN | CMF_OFFSET | CMF_DEPTH) +#define BAD_OFFSET (CMF_OFFSET | CMF_DISTANCE | CMF_WITHIN) +#define BAD_DEPTH (CMF_DEPTH | CMF_DISTANCE | CMF_WITHIN) -void PayloadSearchHttpBody(char *data, OptTreeNode * otn, int protocol) +static void PayloadSearchOffset(char *data, OptTreeNode * otn, int protocol) { - PatternMatchData *idx = NULL; - PatternMatchData *uriidx = NULL, *previdx = NULL; + PatternMatchData *pmd = GetLastPmdError(otn, lastType, "offset"); - if ( data ) - { - FatalError("%s(%d) => 'http_client_body' does not take an argument\n", - file_name, file_line); - } - if (!IsPreprocEnabled(PP_HTTPINSPECT)) - { - FatalError("(%s)%d => Please enable the HTTP Inspect preprocessor " - "before using the 'http_client_body' modifier.\n", file_name, file_line); - } + if ( GetCMF(pmd) & BAD_OFFSET ) + ParseError("offset can't be used with itself, distance, or within"); - idx = (PatternMatchData *) otn->ds_list[lastType]; 
+ if (data == NULL) + ParseError("Missing argument to 'offset' option"); - if(idx == NULL) - { - FatalError("(%s)%d => Please place \"content\" rules before" - " http_client_body modifier.\n", file_name, file_line); - } - while(idx->next != NULL) - { - previdx = idx; - idx = idx->next; - } - if( idx->replace_buf != NULL ) + if (isdigit(data[0]) || data[0] == '-') { - FatalError("(%s)%d => \"replace\" option is not supported in" - " conjunction with 'http_client_body' modifier.\n", file_name, file_line); + pmd->offset = ParseInt(data, "offset"); } - - if (lastType != PLUGIN_PATTERN_MATCH_URI) + else { - /* Need to move this PatternMatchData structure to the - * PLUGIN_PATTERN_MATCH_URI */ - - /* Remove it from the tail of the old list */ - if (previdx) + pmd->offset_var = GetVarByName(data); + if (pmd->offset_var == BYTE_EXTRACT_NO_VAR) { - previdx->next = idx->next; - } - else - { - otn->ds_list[lastType] = NULL; + ParseError(BYTE_EXTRACT_INVALID_ERR_STR); } + } - if (idx) - { - idx->next = NULL; - } + DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "Pattern offset = %d\n", + pmd->offset);); +} + +static void PayloadSearchDepth(char *data, OptTreeNode * otn, int protocol) +{ + PatternMatchData *pmd = GetLastPmdError(otn, lastType, "depth"); + + if ( GetCMF(pmd) & BAD_DEPTH ) + ParseError("depth can't be used with itself, distance, or within"); - uriidx = (PatternMatchData *) otn->ds_list[PLUGIN_PATTERN_MATCH_URI]; + if (data == NULL) + ParseError("Missing argument to 'depth' option"); + + if (isdigit(data[0]) || data[0] == '-') + { + pmd->depth = ParseInt(data, "depth"); - if (uriidx) + /* check to make sure that this the depth allows this rule to fire */ + if (pmd->depth < (int)pmd->pattern_size) { - /* There are some uri/post patterns in this rule already */ - while (uriidx->next != NULL) - { - uriidx = uriidx->next; - } - uriidx->next = idx; - } - else - { - /* This is the first uri/post patterns in this rule */ - otn->ds_list[PLUGIN_PATTERN_MATCH_URI] = idx; + 
ParseError("The depth (%d) is less than the size of the content(%u)!", + pmd->depth, pmd->pattern_size); } - lastType = PLUGIN_PATTERN_MATCH_URI; - idx->fpl->OptTestFunc = CheckUriPatternMatch; - idx->fpl->type = RULE_OPTION_TYPE_CONTENT_URI; - idx->buffer_func = CHECK_URI_PATTERN_MATCH; } - - idx->uri_buffer |= HTTP_SEARCH_CLIENT_BODY; - - if (idx->rawbytes == 1) + else { - FatalError("(%s)%d => Cannot use 'rawbytes' and 'http_client_body'" - " as modifiers for the same \"content\".\n", file_name, file_line); + pmd->depth_var = GetVarByName(data); + if (pmd->depth_var == BYTE_EXTRACT_NO_VAR) + { + ParseError(BYTE_EXTRACT_INVALID_ERR_STR); + } } - return; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern depth = %d\n", + pmd->depth);); } - -void PayloadSearchHttpUri(char *data, OptTreeNode * otn, int protocol) +static void PayloadSearchDistance(char *data, OptTreeNode *otn, int protocol) { - PatternMatchData *idx = NULL; - PatternMatchData *uriidx = NULL, *previdx = NULL; + PatternMatchData *pmd = GetLastPmdError(otn, lastType, "distance"); - if ( data ) - { - FatalError("%s(%d) => 'http_uri' does not take an argument\n", - file_name, file_line); - } - if (!IsPreprocEnabled(PP_HTTPINSPECT)) - { - FatalError("(%s)%d => Please enable the HTTP Inspect preprocessor " - "before using the 'http_uri' modifier.\n", file_name, file_line); - } + if ( GetCMF(pmd) & BAD_DISTANCE ) + ParseError("distance can't be used with itself, offset, or depth"); - idx = (PatternMatchData *) otn->ds_list[lastType]; + if (data == NULL) + ParseError("Missing argument to 'distance' option"); - if(idx == NULL) + if (isdigit(data[0]) || data[0] == '-') { - FatalError("(%s)%d => Please place \"content\" rules before" - " http_uri modifiers.\n", file_name, file_line); + pmd->distance = ParseInt(data, "distance"); } - while(idx->next != NULL) + else { - previdx = idx; - idx = idx->next; + pmd->distance_var = GetVarByName(data); + if (pmd->distance_var == BYTE_EXTRACT_NO_VAR) + { + 
ParseError(BYTE_EXTRACT_INVALID_ERR_STR); + } } - if( idx->replace_buf != NULL ) + + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern distance = %d\n", + pmd->distance);); + + /* Only do a relative search if this is a normal content match. */ + if (lastType == PLUGIN_PATTERN_MATCH || lastType == PLUGIN_PATTERN_MATCH_URI) { - FatalError("(%s)%d => \"replace\" option is not supported in" - " conjunction with 'http_uri' modifiers.\n", file_name, file_line); + pmd->use_doe = 1; + pmd->fpl->isRelative = 1; } - - if (lastType != PLUGIN_PATTERN_MATCH_URI) - { - /* Need to move this PatternMatchData structure to the - * PLUGIN_PATTERN_MATCH_URI */ - - /* Remove it from the tail of the old list */ - if (previdx) - { - previdx->next = idx->next; - } - else - { - otn->ds_list[lastType] = NULL; - } +} - if (idx) - { - idx->next = NULL; - } +static void PayloadSearchWithin(char *data, OptTreeNode *otn, int protocol) +{ + PatternMatchData *pmd = GetLastPmdError(otn, lastType, "within"); - uriidx = (PatternMatchData *) otn->ds_list[PLUGIN_PATTERN_MATCH_URI]; + if ( GetCMF(pmd) & BAD_WITHIN ) + ParseError("within can't be used with itself, offset, or depth"); - if (uriidx) - { - /* There are some uri/post patterns in this rule already */ - while (uriidx->next != NULL) - { - uriidx = uriidx->next; - } - uriidx->next = idx; - } - else + if (data == NULL) + ParseError("Missing argument to 'within' option"); + + if (isdigit(data[0]) || data[0] == '-') + { + pmd->within = ParseInt(data, "within"); + + if (pmd->within < pmd->pattern_size) + ParseError("within (%d) is smaller than size of pattern", pmd->within); + } + else + { + pmd->within_var = GetVarByName(data); + if (pmd->within_var == BYTE_EXTRACT_NO_VAR) { - /* This is the first uri/post patterns in this rule */ - otn->ds_list[PLUGIN_PATTERN_MATCH_URI] = idx; + ParseError(BYTE_EXTRACT_INVALID_ERR_STR); } - lastType = PLUGIN_PATTERN_MATCH_URI; - idx->fpl->OptTestFunc = CheckUriPatternMatch; - idx->fpl->type = 
RULE_OPTION_TYPE_CONTENT_URI; - idx->buffer_func = CHECK_URI_PATTERN_MATCH; } - idx->uri_buffer |= HTTP_SEARCH_URI; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern within = %d\n", + pmd->within);); - if (idx->rawbytes == 1) + /* Only do a relative search if this is a normal content match. */ + if (lastType == PLUGIN_PATTERN_MATCH || lastType == PLUGIN_PATTERN_MATCH_URI) { - FatalError("(%s)%d => Cannot use 'rawbytes' and 'http_uri'" - " as modifiers for the same \"content\".\n", file_name, file_line); + pmd->use_doe = 1; + pmd->fpl->isRelative = 1; } +} - return; +static void PayloadSearchNocase(char *data, OptTreeNode * otn, int protocol) +{ + unsigned int i; + PatternMatchData *pmd = GetLastPmdError(otn, lastType, "nocase"); + + if (data != NULL) + ParseError("'nocase' does not take an argument"); + + for (i = 0; i < pmd->pattern_size; i++) + pmd->pattern_buf[i] = toupper((int)pmd->pattern_buf[i]); + + pmd->nocase = 1; + + pmd->search = uniSearchCI; + make_precomp(pmd); } -void PayloadSearchHttpHeader(char *data, OptTreeNode * otn, int protocol) +static void PayloadSearchRawbytes(char *data, OptTreeNode * otn, int protocol) { - PatternMatchData *idx = NULL; - PatternMatchData *uriidx = NULL, *previdx = NULL; + PatternMatchData *pmd = GetLastPmdError(otn, lastType, "rawbytes"); - if ( data ) - { - FatalError("%s(%d) => 'http_header' does not take an argument\n", - file_name, file_line); - } - if (!IsPreprocEnabled(PP_HTTPINSPECT)) - { - FatalError("(%s)%d => Please enable the HTTP Inspect preprocessor " - "before using the 'http_header' modifier.\n", file_name, file_line); - } + if (data != NULL) + ParseError("'rawbytes' does not take an argument"); - idx = (PatternMatchData *) otn->ds_list[lastType]; + /* mark this as inspecting a raw pattern match rather than a + * decoded application buffer */ + pmd->rawbytes = 1; +} - if(idx == NULL) - { - FatalError("(%s)%d => Please place \"content\" rules before" - " http_header modifiers.\n", file_name, file_line); 
- } - while(idx->next != NULL) - { - previdx = idx; - idx = idx->next; - } - if( idx->replace_buf != NULL ) +static void PayloadSearchFastPattern(char *data, OptTreeNode *otn, int protocol) +{ + PatternMatchData *pmd = GetLastPmdError(otn, lastType, "fast_pattern"); + + /* There can only be one fast pattern content in the rule, whether + * normal, http or other */ + if (pmd->fp) { - FatalError("(%s)%d => \"replace\" option is not supported in" - " conjunction with 'http_header' modifiers.\n", file_name, file_line); + ParseError("Cannot set fast_pattern modifier more than once " + "for the same \"content\"."); } - - if (lastType != PLUGIN_PATTERN_MATCH_URI) + + if (HasFastPattern(otn, PLUGIN_PATTERN_MATCH)) + ParseError("Can only use the fast_pattern modifier once in a rule."); + if (HasFastPattern(otn, PLUGIN_PATTERN_MATCH_URI)) + ParseError("Can only use the fast_pattern modifier once in a rule."); + //if (HasFastPattern(otn, PLUGIN_PATTERN_MATCH_OR)) + // ParseError("Can only use the fast_pattern modifier once in a rule."); + + pmd->fp = 1; + + if (data != NULL) { - /* Need to move this PatternMatchData structure to the - * PLUGIN_PATTERN_MATCH_URI */ - - /* Remove it from the tail of the old list */ - if (previdx) - { - previdx->next = idx->next; - } - else - { - otn->ds_list[lastType] = NULL; - } + char *error_str = "Rule option \"fast_pattern\": Invalid parameter: " + "\"%s\". Valid parameters are: \"only\" | <offset>,<length>. " + "Offset and length must be integers less than 65536, offset cannot " + "be negative, length must be positive and (offset + length) must " + "evaluate to less than or equal to the actual pattern length. 
" + "Pattern length: %u"; - if (idx) + if (isdigit((int)*data)) { - idx->next = NULL; - } + /* Specifying offset and length of pattern to use for + * fast pattern matcher */ - uriidx = (PatternMatchData *) otn->ds_list[PLUGIN_PATTERN_MATCH_URI]; + long int offset, length; + char *endptr; + char **toks; + int num_toks; - if (uriidx) - { - /* There are some uri/post patterns in this rule already */ - while (uriidx->next != NULL) + toks = mSplit(data, ",", 0, &num_toks, 0); + if (num_toks != 2) + { + mSplitFree(&toks, num_toks); + ParseError(error_str, data, pmd->pattern_size); + } + + offset = SnortStrtol(toks[0], &endptr, 0); + if ((errno == ERANGE) || (*endptr != '\0') + || (offset < 0) || (offset > UINT16_MAX)) { - uriidx = uriidx->next; + mSplitFree(&toks, num_toks); + ParseError(error_str, data, pmd->pattern_size); } - uriidx->next = idx; + + length = SnortStrtol(toks[1], &endptr, 0); + if ((errno == ERANGE) || (*endptr != '\0') + || (length <= 0) || (length > UINT16_MAX)) + { + mSplitFree(&toks, num_toks); + ParseError(error_str, data, pmd->pattern_size); + } + + mSplitFree(&toks, num_toks); + + if ((int)pmd->pattern_size < (offset + length)) + ParseError(error_str, data, pmd->pattern_size); + + pmd->fp_offset = (uint16_t)offset; + pmd->fp_length = (uint16_t)length; } else { - /* This is the first uri/post patterns in this rule */ - otn->ds_list[PLUGIN_PATTERN_MATCH_URI] = idx; + /* Specifies that this content should only be used for + * fast pattern matching */ + + if (strcasecmp(data, PM_FP_ONLY) != 0) + ParseError(error_str, data, pmd->pattern_size); + + pmd->fp_only = 1; } - lastType = PLUGIN_PATTERN_MATCH_URI; - idx->fpl->OptTestFunc = CheckUriPatternMatch; - idx->fpl->type = RULE_OPTION_TYPE_CONTENT_URI; - idx->buffer_func = CHECK_URI_PATTERN_MATCH; } +} + +static inline int HasFastPattern(OptTreeNode *otn, int list_type) +{ + PatternMatchData *tmp; - idx->uri_buffer |= HTTP_SEARCH_HEADER; + if ((otn == NULL) || (otn->ds_list[list_type] == NULL)) + return 
0; - if (idx->rawbytes == 1) + for (tmp = otn->ds_list[list_type]; tmp != NULL; tmp = tmp->next) { - FatalError("(%s)%d => Cannot use 'rawbytes' and 'http_header'" - " as modifiers for the same \"content\".\n", file_name, file_line); + if (tmp->fp) + return 1; } - return; + return 0; } -void PayloadSearchHttpMethod(char *data, OptTreeNode * otn, int protocol) +PatternMatchData * NewNode(OptTreeNode *otn, int type) { - PatternMatchData *idx = NULL; - PatternMatchData *uriidx = NULL, *previdx = NULL; + PatternMatchData *pmd = NULL; - if ( data ) + if (otn->ds_list[type] == NULL) { - FatalError("%s(%d) => 'http_method' does not take an argument\n", - file_name, file_line); + otn->ds_list[type] = (PatternMatchData *)SnortAlloc(sizeof(PatternMatchData)); + pmd = otn->ds_list[type]; } - if (!IsPreprocEnabled(PP_HTTPINSPECT)) + else { - FatalError("(%s)%d => Please enable the HTTP Inspect preprocessor " - "before using the 'http_method' modifier.\n", file_name, file_line); + pmd = GetLastPmd(otn, type); + if (pmd != NULL) + { + pmd->next = (PatternMatchData *)SnortAlloc(sizeof(PatternMatchData)); + pmd->next->prev = pmd; + pmd = pmd->next; + } } - idx = (PatternMatchData *) otn->ds_list[lastType]; + /* Set any non-zero default values here. 
*/ + pmd->offset_var = BYTE_EXTRACT_NO_VAR; + pmd->depth_var = BYTE_EXTRACT_NO_VAR; + pmd->distance_var = BYTE_EXTRACT_NO_VAR; + pmd->within_var = BYTE_EXTRACT_NO_VAR; - if(idx == NULL) - { - FatalError("(%s)%d => Please place \"content\" rules before" - " http_method modifiers.\n", file_name, file_line); - } - while(idx->next != NULL) - { - previdx = idx; - idx = idx->next; - } - if( idx->replace_buf != NULL ) - { - FatalError("(%s)%d => \"replace\" option is not supported in" - " conjunction with 'http_method' modifiers.\n", file_name, file_line); - } - - if (lastType != PLUGIN_PATTERN_MATCH_URI) - { - /* Need to move this PatternMatchData structure to the - * PLUGIN_PATTERN_MATCH_URI */ - - /* Remove it from the tail of the old list */ - if (previdx) - { - previdx->next = idx->next; - } - else - { - otn->ds_list[lastType] = NULL; - } + return pmd; +} - if (idx) - { - idx->next = NULL; - } +void PatternMatchFree(void *d) +{ + PatternMatchData *pmd = (PatternMatchData *)d; - uriidx = (PatternMatchData *) otn->ds_list[PLUGIN_PATTERN_MATCH_URI]; + if (pmd == NULL) + return; - if (uriidx) - { - /* There are some uri/post patterns in this rule already */ - while (uriidx->next != NULL) - { - uriidx = uriidx->next; - } - uriidx->next = idx; - } - else - { - /* This is the first uri/post patterns in this rule */ - otn->ds_list[PLUGIN_PATTERN_MATCH_URI] = idx; - } - lastType = PLUGIN_PATTERN_MATCH_URI; - idx->fpl->OptTestFunc = CheckUriPatternMatch; - idx->fpl->type = RULE_OPTION_TYPE_CONTENT_URI; - idx->buffer_func = CHECK_URI_PATTERN_MATCH; - } + (void)RemovePmdFromList(pmd); - idx->uri_buffer |= HTTP_SEARCH_METHOD; + if (pmd->pattern_buf) + free(pmd->pattern_buf); + if (pmd->replace_buf) + free(pmd->replace_buf); + if(pmd->skip_stride) + free(pmd->skip_stride); + if(pmd->shift_stride) + free(pmd->shift_stride); - if (idx->rawbytes == 1) - { - FatalError("(%s)%d => Cannot use 'rawbytes' and 'http_method'" - " as modifiers for the same \"content\".\n", file_name, 
file_line); - } + free(pmd); +} - return; +static int32_t ParseInt(const char* data, const char* tag) +{ + int32_t value = 0; + char *endptr = NULL; + + value = SnortStrtol(data, &endptr, 10); + + if (*endptr) + ParseError("Invalid '%s' format.", tag); + + if (errno == ERANGE) + ParseError("Range problem on '%s' value.", tag); + + if ((value > 65535) || (value < -65535)) + ParseError("'%s' must in -65535:65535", tag); + + return value; } -void PayloadSearchHttpCookie(char *data, OptTreeNode * otn, int protocol) +/* Used for content modifiers that are used as rule options - need to get the + * last pmd which is the one they are modifying. If there isn't a last pmd + * error that a content must be specified before the modifier */ +static inline PatternMatchData * GetLastPmdError(OptTreeNode *otn, int type, const char *option) { - PatternMatchData *idx = NULL; - PatternMatchData *uriidx = NULL, *previdx = NULL; + PatternMatchData *pmd = GetLastPmd(otn, type); - if ( data ) + if (pmd == NULL) { - FatalError("%s(%d) => 'http_cookie' does not take an argument\n", - file_name, file_line); + ParseError("Please place \"content\" rules before \"%s\" modifier", + option == NULL ? "unknown" : option); } + + return pmd; +} + +/* Gets the last pmd in the ds_list specified */ +static inline PatternMatchData * GetLastPmd(OptTreeNode *otn, int type) +{ + PatternMatchData *pmd; + + if ((otn == NULL) || (otn->ds_list[type] == NULL)) + return NULL; + + for (pmd = otn->ds_list[type]; pmd->next != NULL; pmd = pmd->next); + return pmd; +} + + +/* Options that can't be used with http content modifiers. 
Additionally + * http_inspect preprocessor needs to be enabled */ +static void ValidateHttpContentModifiers(PatternMatchData *pmd) +{ + if (pmd == NULL) + ParseError("Please place \"content\" rules before http content modifiers"); + if (!IsPreprocEnabled(PP_HTTPINSPECT)) { - FatalError("(%s)%d => Please enable the HTTP Inspect preprocessor " - "before using the 'http_cookie' modifier.\n", file_name, file_line); + ParseError("Please enable the HTTP Inspect preprocessor " + "before using the http content modifiers"); } - idx = (PatternMatchData *) otn->ds_list[lastType]; + if (pmd->replace_buf != NULL) + { + ParseError("\"replace\" option is not supported in conjunction with " + "http content modifiers"); + } - if(idx == NULL) + if (pmd->rawbytes == 1) { - FatalError("(%s)%d => Please place \"content\" rules before" - " http_cookie modifiers.\n", file_name, file_line); + ParseError("Cannot use 'rawbytes' and http content as modifiers for " + "the same \"content\""); } - while(idx->next != NULL) + + if ( URIBUFS_SET(pmd , (HTTP_SEARCH_URI | HTTP_SEARCH_RAW_URI)) ) { - previdx = idx; - idx = idx->next; + ParseError("Cannot use 'http_uri' and 'http_raw_uri' modifiers for " + "the same \"content\""); } - if( idx->replace_buf != NULL ) + + if ( URIBUFS_SET(pmd , (HTTP_SEARCH_HEADER | HTTP_SEARCH_RAW_HEADER)) ) { - FatalError("(%s)%d => \"replace\" option is not supported in" - " conjunction with 'http_cookie' modifiers.\n", file_name, file_line); + ParseError("Cannot use 'http_header' and 'http_raw_header' modifiers for " + "the same \"content\""); } - - if (lastType != PLUGIN_PATTERN_MATCH_URI) + if ( URIBUFS_SET(pmd , (HTTP_SEARCH_COOKIE | HTTP_SEARCH_RAW_COOKIE)) ) { - /* Need to move this PatternMatchData structure to the - * PLUGIN_PATTERN_MATCH_URI */ - - /* Remove it from the tail of the old list */ - if (previdx) - { - previdx->next = idx->next; - } - else - { - otn->ds_list[lastType] = NULL; - } + ParseError("Cannot use 'http_cookie' and 'http_raw_cookie' 
modifiers for " + "the same \"content\""); + } +} - if (idx) - { - idx->next = NULL; - } +/* This is used if we get an http content modifier, since specifying "content" + * defaults to the PLUGIN_PATTERN_MATCH list. We need to move the pmd to the + * PLUGIN_PATTERN_MATCH_URI list */ +static void MovePmdToUriDsList(OptTreeNode *otn, PatternMatchData *pmd) +{ + int type = PLUGIN_PATTERN_MATCH_URI; + + /* It's not currently in the correct list */ + if (lastType != type) + { + /* Just in case it's moved from the middle of the list */ + if (pmd->prev != NULL) + pmd->prev->next = pmd->next; + if (pmd->next != NULL) + pmd->next->prev = pmd->prev; - uriidx = (PatternMatchData *) otn->ds_list[PLUGIN_PATTERN_MATCH_URI]; + /* Reset pointers */ + pmd->next = NULL; + pmd->prev = NULL; - if (uriidx) + if (otn->ds_list[type] == NULL) { - /* There are some uri/post patterns in this rule already */ - while (uriidx->next != NULL) - { - uriidx = uriidx->next; - } - uriidx->next = idx; + otn->ds_list[type] = pmd; } else { - /* This is the first uri/post patterns in this rule */ - otn->ds_list[PLUGIN_PATTERN_MATCH_URI] = idx; + /* Make it the last in the URI list */ + PatternMatchData *tmp; + for (tmp = otn->ds_list[type]; tmp->next != NULL; tmp = tmp->next); + tmp->next = pmd; + pmd->prev = tmp; } - lastType = PLUGIN_PATTERN_MATCH_URI; - idx->fpl->OptTestFunc = CheckUriPatternMatch; - idx->fpl->type = RULE_OPTION_TYPE_CONTENT_URI; - idx->buffer_func = CHECK_URI_PATTERN_MATCH; - } - idx->uri_buffer |= HTTP_SEARCH_COOKIE; - - if (idx->rawbytes == 1) - { - FatalError("(%s)%d => Cannot use 'rawbytes' and 'http_cookie'" - " as modifiers for the same \"content\".\n", file_name, file_line); + /* Set the last type to the URI list */ + lastType = type; + + /* Reset these to URI type */ + pmd->fpl->OptTestFunc = CheckUriPatternMatch; + pmd->fpl->type = RULE_OPTION_TYPE_CONTENT_URI; + pmd->buffer_func = CHECK_URI_PATTERN_MATCH; } +} - if (idx->flags & CONTENT_FAST_PATTERN) - { - 
FatalError("Error %s(%d) => FastPattern cannot be set for \"content\" with " - "http cookie buffer\n", file_name, file_line); - } +#if 0 +/* Not currently used */ +static void PrintDupDOTPmds(PatternMatchData *pmd, + PatternMatchData *pmd_dup, option_type_t type) +{ + int i; - return; + if ((pmd == NULL) || (pmd_dup == NULL)) + return; + + LogMessage("Duplicate %sContent:\n" + "%d %d %d %d %d %d %d %d %d %d\n" + "%d %d %d %d %d %d %d %d %d %d\n", + option_type == RULE_OPTION_TYPE_CONTENT ? "" : "Uri", + pmd->exception_flag, + pmd->offset, + pmd->depth, + pmd->distance, + pmd->within, + pmd->rawbytes, + pmd->nocase, + pmd->use_doe, + pmd->uri_buffer, + pmd->pattern_max_jump_size, + pmd_dup->exception_flag, + pmd_dup->offset, + pmd_dup->depth, + pmd_dup->distance, + pmd_dup->within, + pmd_dup->rawbytes, + pmd_dup->nocase, + pmd_dup->use_doe, + pmd_dup->uri_buffer, + pmd_dup->pattern_max_jump_size); + + for (i = 0; i < pmd->pattern_size; i++) + LogMessage("0x%x 0x%x", pmd->pattern_buf[i], pmd_dup->pattern_buf[i]); + LogMessage("\n"); + for (i = 0; i < pmd->replace_size; i++) + LogMessage("0x%x 0x%x", pmd->replace_buf[i], pmd_dup->replace_buf[i]); + LogMessage("\n"); + LogMessage("\n"); } +#endif -static int32_t ParseInt (const char* data, const char* tag) +/******************************************************************** + * Functions for detection option tree hashing and comparison + * and other detection option tree uses + ********************************************************************/ +uint32_t PatternMatchHash(void *d) { - int32_t value = 0; - char* endptr = NULL; - errno = 0; - - value = strtol(data, &endptr, 10); + uint32_t a,b,c,tmp; + unsigned int i,j,k,l; + PatternMatchData *pmd = (PatternMatchData *)d; - if ( *endptr ) - { - FatalError("%s(%d) => Invalid '%s' format.\n", - file_name, file_line, tag); - } - if ( errno == ERANGE ) - { - FatalError("%s(%d) => Range problem on '%s' value\n", - file_name, file_line, tag); - } + a = pmd->exception_flag; 
+ b = pmd->offset; + c = pmd->depth; + + mix(a,b,c); + + a += pmd->distance; + b += pmd->within; + c += pmd->rawbytes; + + mix(a,b,c); + + a += pmd->nocase; + b += pmd->use_doe; + c += pmd->uri_buffer; + + mix(a,b,c); - if ( value > 65535 || value < -65535 ) + a += pmd->pattern_size; + b += pmd->replace_size; + c += pmd->pattern_max_jump_size; + + mix(a,b,c); + + for (i=0,j=0;i<pmd->pattern_size;i+=4) { - FatalError("%s(%d) => '%s' must in -65535:65535\n", - tag, file_name, file_line); - } - return value; -} + tmp = 0; + k = pmd->pattern_size - i; + if (k > 4) + k=4; -void PayloadSearchOffset(char *data, OptTreeNode * otn, int protocol) -{ - PatternMatchData *idx; + for (l=0;l<k;l++) + { + tmp |= *(pmd->pattern_buf + i + l) << l*8; + } - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "In PayloadSearch()\n");); + switch (j) + { + case 0: + a += tmp; + break; + case 1: + b += tmp; + break; + case 2: + c += tmp; + break; + } + j++; - if ( !data ) - { - FatalError("%s(%d) => Missing argument to 'offset' option\n", - file_name, file_line); + if (j == 3) + { + mix(a,b,c); + j = 0; + } } - idx = otn->ds_list[lastType]; - if(idx == NULL) + for (i=0;i<pmd->replace_size;i+=4) { - FatalError("%s(%d) => Please place \"content\" rules before " - "depth, nocase or offset modifiers.\n", file_name, file_line); - } - - while(idx->next != NULL) - idx = idx->next; - - idx->offset = ParseInt(data, "offset"); + tmp = 0; + k = pmd->replace_size - i; + if (k > 4) + k=4; - DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "Pattern offset = %d\n", - idx->offset);); -} + for (l=0;l<k;l++) + { + tmp |= *(pmd->replace_buf + i + l) << l*8; + } -void PayloadSearchDepth(char *data, OptTreeNode * otn, int protocol) -{ - PatternMatchData *idx; + switch (j) + { + case 0: + a += tmp; + break; + case 1: + b += tmp; + break; + case 2: + c += tmp; + break; + } + j++; - if ( !data ) - { - FatalError("%s(%d) => Missing argument to 'depth' option\n", - file_name, file_line); + if (j == 3) + { + mix(a,b,c); + j = 0; + } 
} - idx = (PatternMatchData *) otn->ds_list[lastType]; - if(idx == NULL) + if (j != 0) { - FatalError("%s(%d) => Please place \"content\" rules " - "before depth, nocase or offset modifiers.\n", - file_name, file_line); + mix(a,b,c); } - while(idx->next != NULL) - idx = idx->next; - - idx->depth = ParseInt(data, "depth"); - - /* check to make sure that this the depth allows this rule to fire */ - if(idx->depth != 0 && idx->depth < (int)idx->pattern_size) + if (pmd->uri_buffer) { - FatalError("%s(%d) => The depth(%d) is less than the size of the content(%u)!\n", - file_name, file_line, idx->depth, idx->pattern_size); + a += RULE_OPTION_TYPE_CONTENT_URI; } - - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern depth = %d\n", - idx->depth);); -} - -void PayloadSearchNocase(char *data, OptTreeNode * otn, int protocol) -{ - PatternMatchData *idx; - int i; - - if ( data ) + else { - FatalError("%s(%d) => 'nocase' does not take an argument\n", - file_name, file_line); + a += RULE_OPTION_TYPE_CONTENT; } - idx = (PatternMatchData *) otn->ds_list[lastType]; - if(idx == NULL) - { - FatalError("(%s)%d => Please place \"content\" rules before" - " depth, nocase or offset modifiers.\n", file_name, file_line); - } - while(idx->next != NULL) - idx = idx->next; + b += pmd->fp; + c += pmd->fp_only; - i = idx->pattern_size; + mix(a,b,c); - while(--i >= 0) - idx->pattern_buf[i] = toupper((unsigned char) idx->pattern_buf[i]); + a += pmd->fp_offset; + b += pmd->fp_length; + c += pmd->offset_var; - idx->nocase = 1; + mix(a,b,c); -#ifdef PATTERN_FAST - idx->search = setSearch; -#else - idx->search = uniSearchCI; - make_precomp(idx); -#endif + a += pmd->depth_var; + b += pmd->distance_var; + c += pmd->within_var; + final(a,b,c); - return; + return c; } -const char *format_uri_buffer_str(int uri_buffer, int search_buf, char *first_buf) +int PatternMatchCompare(void *l, void *r) { - if (uri_buffer & search_buf) + PatternMatchData *left = (PatternMatchData *)l; + PatternMatchData *right = 
(PatternMatchData *)r; + unsigned int i; + + if (!left || !right) + return DETECTION_OPTION_NOT_EQUAL; + + if (left->buffer_func != right->buffer_func) + return DETECTION_OPTION_NOT_EQUAL; + + /* Sizes will be most different, check that first */ + if ((left->pattern_size != right->pattern_size) || + (left->replace_size != right->replace_size) || + (left->nocase != right->nocase)) + return DETECTION_OPTION_NOT_EQUAL; + + /* Next compare the patterns for uniqueness */ + if (left->pattern_size) { - if (*first_buf == 1) + if (left->nocase) { - switch (search_buf) + /* If nocase is set, do case insensitive compare on pattern */ + for (i=0;i<left->pattern_size;i++) { - case HTTP_SEARCH_URI: - return "http_uri"; - break; - case HTTP_SEARCH_CLIENT_BODY: - return "http_client_body"; - break; - case HTTP_SEARCH_HEADER: - return "http_header"; - break; - case HTTP_SEARCH_METHOD: - return "http_method"; - break; - case HTTP_SEARCH_COOKIE: - return "http_cookie"; - break; + if (toupper(left->pattern_buf[i]) != toupper(right->pattern_buf[i])) + { + return DETECTION_OPTION_NOT_EQUAL; + } } - *first_buf = 0; } else { - switch (search_buf) + /* If nocase is not set, do case sensitive compare on pattern */ + if (memcmp(left->pattern_buf, right->pattern_buf, left->pattern_size) != 0) { - case HTTP_SEARCH_URI: - return " | http_uri"; - break; - case HTTP_SEARCH_CLIENT_BODY: - return " | http_client_body"; - break; - case HTTP_SEARCH_HEADER: - return " | http_header"; - break; - case HTTP_SEARCH_METHOD: - return " | http_method"; - break; - case HTTP_SEARCH_COOKIE: - return " | http_cookie"; - break; + return DETECTION_OPTION_NOT_EQUAL; } } } - return ""; -} - -void PayloadSearchRawbytes(char *data, OptTreeNode * otn, int protocol) -{ - char first_buf = 1; - PatternMatchData *idx; - - if ( data ) - { - FatalError("%s(%d) => 'rawbytes' does not take an argument\n", - file_name, file_line); - } - idx = (PatternMatchData *) otn->ds_list[lastType]; - if(idx == NULL) + /* Check the replace 
pattern if exists */ + if (left->replace_size) { - FatalError("Line %d => Please place \"content\" rules before" - " rawbytes, depth, nocase or offset modifiers.\n", file_line); + if (memcmp(left->replace_buf, right->replace_buf, left->replace_size) != 0) + { + return DETECTION_OPTION_NOT_EQUAL; + } } - while(idx->next != NULL) - idx = idx->next; - - /* mark this as inspecting a raw pattern match rather than a - decoded application buffer */ - idx->rawbytes = 1; - if (lastType == PLUGIN_PATTERN_MATCH_URI) + /* Now check the rest of the options */ + if ((left->exception_flag == right->exception_flag) && + (left->offset == right->offset) && + (left->depth == right->depth) && + (left->distance == right->distance) && + (left->within == right->within) && + (left->rawbytes == right->rawbytes) && + (left->use_doe == right->use_doe) && + (left->uri_buffer == right->uri_buffer) && + (left->search == right->search) && + (left->pattern_max_jump_size == right->pattern_max_jump_size) && + (left->fp == right->fp) && + (left->fp_only == right->fp_only) && + (left->fp_offset == right->fp_offset) && + (left->fp_length == right->fp_length) && + (left->offset_var == right->offset_var) && + (left->depth_var == right->depth_var) && + (left->distance_var == right->distance_var) && + (left->within_var == right->within_var) ) { - FatalError("(%s)%d => Cannot use 'rawbytes' and '%s%s%s%s%s' as modifiers for " - "the same \"content\" nor use 'rawbytes' with \"uricontent\".\n", - file_name, file_line, - format_uri_buffer_str(idx->uri_buffer, HTTP_SEARCH_URI, &first_buf), - format_uri_buffer_str(idx->uri_buffer, HTTP_SEARCH_CLIENT_BODY, &first_buf), - format_uri_buffer_str(idx->uri_buffer, HTTP_SEARCH_HEADER, &first_buf), - format_uri_buffer_str(idx->uri_buffer, HTTP_SEARCH_METHOD, &first_buf), - format_uri_buffer_str(idx->uri_buffer, HTTP_SEARCH_COOKIE, &first_buf) ); + return DETECTION_OPTION_EQUAL; } - return; + return DETECTION_OPTION_NOT_EQUAL; } -void PayloadSearchFastPattern(char 
*data, OptTreeNode *otn, int protocol) +/* This function is called in parser.c after the rule has been + * completely parsed */ +void FinalizeContentUniqueness(OptTreeNode *otn) { - PatternMatchData *idx; - PatternMatchData *last; - int uri_buffers = 0; + OptFpList *opt_fp = otn->opt_func; - if ( data ) + while (opt_fp) { - FatalError("%s(%d) => 'fast_pattern' does not take an argument\n", - file_name, file_line); - } - idx = (PatternMatchData *) otn->ds_list[lastType]; + if ((opt_fp->type == RULE_OPTION_TYPE_CONTENT) + || (opt_fp->type == RULE_OPTION_TYPE_CONTENT_URI)) + { + PatternMatchData *pmd = (PatternMatchData *)opt_fp->context; + option_type_t option_type = opt_fp->type; + void *pmd_dup; + + /* Since each content modifier can be parsed as a rule option, + * do this check now that the entire rule has been parsed */ + if (option_type == RULE_OPTION_TYPE_CONTENT_URI) + ValidateContent(pmd, PLUGIN_PATTERN_MATCH_URI); + else + ValidateContent(pmd, PLUGIN_PATTERN_MATCH); - if(idx == NULL) - { - FatalError("Error %s(%d) => FastPattern without context, please place " - "\"content\" keywords before fast_pattern modifiers\n", file_name, - file_line); - } + if (add_detection_option(option_type, (void *)pmd, &pmd_dup) == DETECTION_OPTION_EQUAL) + { + /* Don't do anything if they are the same pointer. This might happen when + * converting an so rule to a text rule via ConvertDynamicRule() in sf_convert_dynamic.c + * since we need to iterate through the RTN list in the OTN to verify that for http + * contents, the http_inspect preprocessor is enabled in the policy that is using a + * rule with http contents. */ + if (pmd != pmd_dup) + { +#if 0 + PrintDupDOTPmds(pmd, (PatternMatchData *)pmd_dup, option_type); +#endif - while(idx->next != NULL) - idx = idx->next; - - last = idx; + /* Hack since some places check for non-nullness of ds_list. 
+ * Beware of iterating the pmd lists after this point since + * they'll be messed up - only check for non-nullness */ + if (option_type == RULE_OPTION_TYPE_CONTENT) + { + if (pmd == otn->ds_list[PLUGIN_PATTERN_MATCH]) + otn->ds_list[PLUGIN_PATTERN_MATCH] = pmd_dup; + } + else + { + if (pmd == otn->ds_list[PLUGIN_PATTERN_MATCH_URI]) + otn->ds_list[PLUGIN_PATTERN_MATCH_URI] = pmd_dup; + } - idx = (PatternMatchData *) otn->ds_list[lastType]; - while(idx->next != NULL) - { - if (idx->flags & CONTENT_FAST_PATTERN) - { - if ((lastType == PLUGIN_PATTERN_MATCH) || /* regular content */ - ((idx->uri_buffer & ~HTTP_SEARCH_COOKIE) & uri_buffers)) /* or uri buffer is same */ + PatternMatchFree(pmd); + opt_fp->context = pmd_dup; + } + } +#if 0 + else { - FatalError("Error %s(%d) => FastPattern set for another \"content\" " - "within this rule\n", file_name, file_line); + LogMessage("Unique %sContent\n", + (opt_fp->OptTestFunc == CheckANDPatternMatch) ? "" : "Uri"); } - uri_buffers |= idx->uri_buffer; +#endif } - idx = idx->next; - } - - if ((idx->uri_buffer & ~HTTP_SEARCH_COOKIE) & uri_buffers) /* uri buffer is same as earlier fast pattern */ - { - FatalError("Error %s(%d) => FastPattern set for another \"content\" " - "within this rule\n", file_name, file_line); - } - - if ((lastType == PLUGIN_PATTERN_MATCH_URI) && (last->uri_buffer == HTTP_SEARCH_COOKIE)) - { - FatalError("Error %s(%d) => FastPattern cannot be set for \"content\" with " - "http cookie buffer\n", file_name, file_line); - } - - if (idx->exception_flag) - { - FatalError("Error %s(%d) => FastPattern cannot be set for negated " - "\"content\" searches\n", file_name, file_line); + opt_fp = opt_fp->next; } - - idx->flags |= CONTENT_FAST_PATTERN; - - return; } -void PayloadSearchDistance(char *data, OptTreeNode *otn, int protocol) +void make_precomp(PatternMatchData * idx) { - PatternMatchData *idx; - - if ( !data ) - { - FatalError("%s(%d) => Missing argument to 'distance' option\n", - file_name, file_line); - } - 
idx = (PatternMatchData *) otn->ds_list[lastType]; - - if(idx == NULL) - { - FatalError("Error %s(%d) => Distance without context, please place " - "\"content\" keywords before distance modifiers\n", file_name, - file_line); - } - - while(idx->next != NULL) - idx = idx->next; - - idx->distance = ParseInt(data, "distance"); - - - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern distance = %d\n", - idx->distance);); - + if(idx->skip_stride) + free(idx->skip_stride); + if(idx->shift_stride) + free(idx->shift_stride); - /* Only do a relative search if this is a normal content match. */ - if((lastType == PLUGIN_PATTERN_MATCH) && - !SetUseDoePtr(otn)) - { - FatalError("%s(%d) => Unable to initialize doe_ptr\n", - file_name, file_line); - } + idx->skip_stride = make_skip(idx->pattern_buf, idx->pattern_size); - if (idx->use_doe) - { - idx->fpl->isRelative = 1; - } + idx->shift_stride = make_shift(idx->pattern_buf, idx->pattern_size); } - -void PayloadSearchWithin(char *data, OptTreeNode *otn, int protocol) +static char *PayloadExtractParameter(char *data, int *result_len) { - PatternMatchData *idx; + char *quote_one = NULL, *quote_two = NULL; + char *comma = NULL; - if ( !data ) + quote_one = index(data, '"'); + if (quote_one) { - FatalError("%s(%d) => Missing argument to 'within' option\n", - file_name, file_line); + quote_two = index(quote_one+1, '"'); + while ( quote_two && quote_two[-1] == '\\' ) + quote_two = index(quote_two+1, '"'); } - idx = (PatternMatchData *) otn->ds_list[lastType]; - if(idx == NULL) + if (quote_one && quote_two) { - FatalError("Error %s(%d) => Distance without context, please place " - "\"content\" keywords before distance modifiers\n", file_name, - file_line); + comma = index(quote_two, ','); } - - while(idx->next != NULL) - idx = idx->next; - - idx->within = ParseInt(data, "within"); - - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern within = %d\n", - idx->within);); - - /* Only do a relative search if this is a normal content 
match. */ - if((lastType == PLUGIN_PATTERN_MATCH) && - !SetUseDoePtr(otn)) + else if (!quote_one) { - FatalError("%s(%d) => Unable to initialize doe_ptr\n", - file_name, file_line); + comma = index(data, ','); } - if (idx->use_doe) + if (comma) { - idx->fpl->isRelative = 1; + *result_len = comma - data; + *comma = '\0'; + } + else + { + *result_len = strlen(data); } -} + return data; +} -PatternMatchData * NewNode(OptTreeNode * otn, int type) +/* Since each content modifier can be parsed as a rule option, do this check + * after parsing the entire rule in FinalizeContentUniqueness() */ +static inline void ValidateContent(PatternMatchData *pmd, int type) { - PatternMatchData *idx; - - idx = (PatternMatchData *) otn->ds_list[type]; + if (pmd == NULL) + return; - if(idx == NULL) + if (pmd->fp) { - if((otn->ds_list[type] = - (PatternMatchData *) calloc(sizeof(PatternMatchData), - sizeof(char))) == NULL) - { - FatalError("sp_pattern_match NewNode() calloc failed!\n"); - } - - return otn->ds_list[type]; - } - else - { - idx = otn->ds_list[type]; - - while(idx->next != NULL) - idx = idx->next; + if ((type == PLUGIN_PATTERN_MATCH_URI) && !IsHttpBufFpEligible(pmd->uri_buffer)) - if((idx->next = (PatternMatchData *) - calloc(sizeof(PatternMatchData), sizeof(char))) == NULL) { - FatalError("sp_pattern_match NewNode() calloc failed!\n"); + ParseError("Cannot use the fast_pattern content modifier for a lone " + "http cookie/http raw uri /http raw header /http raw cookie /status code / status msg /http method buffer content."); } - return idx->next; - } -} - -/* This is an exported function that sets - * PatternMatchData->use_doe so that when - * - * distance, within, byte_jump, byte_test are used, they can make the - * pattern matching functions "keep state" WRT the current packet. 
- */ -int SetUseDoePtr(OptTreeNode * otn) -{ - PatternMatchData *idx; + if (pmd->use_doe || (pmd->offset != 0) || (pmd->depth != 0)) + { + if (pmd->exception_flag) + { + ParseError("Cannot use the fast_pattern modifier for negated, " + "relative or non-zero offset/depth content searches."); + } - idx = (PatternMatchData *) otn->ds_list[PLUGIN_PATTERN_MATCH]; + if (pmd->fp_only) + { + ParseError("Fast pattern only contents cannot be relative or " + "have non-zero offset/depth content modifiers."); + } + } - if(idx == NULL) - { - LogMessage("SetUseDoePtr: No pattern match data found\n"); - return 0; - } - else - { - /* Walk the linked list of content checks */ - while(idx->next != NULL) + if (pmd->fp_only) { - idx = idx->next; - } + if (pmd->replace_buf != NULL) + { + ParseError("Fast pattern only contents cannot use " + "replace modifier."); + } - idx->use_doe = 1; - return 1; + if (pmd->exception_flag) + ParseError("Fast pattern only contents cannot be negated."); + } } -} + if (type == PLUGIN_PATTERN_MATCH_URI) + ValidateHttpContentModifiers(pmd); +} /**************************************************************************** * @@ -1962,7 +1371,7 @@ static unsigned int GetMaxJumpSize(char *data, int data_len) { int i, j; - + j = 0; for ( i = 1; i < data_len; i++ ) { @@ -1980,7 +1389,6 @@ return data_len; } - /**************************************************************************** * * Function: ParsePattern(char *) @@ -2018,12 +1426,8 @@ /* clear out the temp buffer */ bzero(tmp_buf, MAX_PATTERN_SIZE); - if(rule == NULL) - { - FatalError("%s(%d) => ParsePattern Got Null " - "enclosed in quotation marks (\")!\n", - file_name, file_line); - } + if (rule == NULL) + ParseError("ParsePattern Got Null enclosed in quotation marks (\")!"); while(isspace((int)*rule)) rule++; 
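Review bot: The new `if (rule == NULL) ParseError("ParsePattern Got Null enclosed in quotation marks (\")!");` is followed directly by `while(isspace((int)*rule))`, so the code is only safe if ParseError never returns, as the FatalError it replaces did; nothing in the diff shows ParseError's contract, and if it can return this is a NULL dereference. The same reliance is introduced by the conversions in the hunks at -2037, -2050, -2067, -2098, -2125, -2158, -2176, -2209, -2219, -2239 and -2259, several of which go on to use the pointer or buffer that was just rejected. Either make the contract explicit where ParseError is declared (outside this hunk), e.g. with a noreturn attribute, or keep an explicit `return;` after each call in this function. ParsePattern starts and ends outside the hunk.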
@@ -2037,12 +1441,8 @@ /* find the start of the data */ start_ptr = index(rule, '"'); - if(start_ptr != rule) - { - FatalError("%s(%d) => Content data needs to be " - "enclosed in quotation marks (\")!\n", - file_name, file_line); - } + if (start_ptr != rule) + ParseError("Content data needs to be enclosed in quotation marks (\")!"); /* move the start up from the beggining quotes */ start_ptr++; @@ -2050,11 +1450,8 @@ /* find the end of the data */ end_ptr = strrchr(start_ptr, '"'); - if(end_ptr == NULL) - { - FatalError("%s(%d) => Content data needs to be enclosed " - "in quotation marks (\")!\n", file_name, file_line); - } + if (end_ptr == NULL) + ParseError("Content data needs to be enclosed in quotation marks (\")!"); /* Move the null termination up a bit more */ *end_ptr = '\0'; @@ -2067,20 +1464,17 @@ if (strlen (tmp) > 0) { - FatalError("%s(%d) => Bad data (possibly due to missing semicolon) " - "after trailing double quote.", - file_name, file_line, end_ptr + 1); + ParseError("Bad data (possibly due to missing semicolon) after " + "trailing double quote."); } /* how big is it?? */ size = end_ptr - start_ptr; /* uh, this shouldn't happen */ - if(size <= 0) - { - FatalError("%s(%d) => Bad pattern length!\n", - file_name, file_line); - } + if (size <= 0) + ParseError("Bad pattern length!"); + /* set all the pointers to the appropriate places... */ idx = start_ptr; @@ -2098,9 +1492,8 @@ if (dummy_size >= MAX_PATTERN_SIZE-1) { /* Have more data to parse and pattern is about to go beyond end of buffer */ - FatalError("ParsePattern() dummy " - "buffer overflow, make a smaller " - "pattern please! (Max size = %d)\n", MAX_PATTERN_SIZE-1); + ParseError("ParsePattern() dummy buffer overflow, make a smaller " + "pattern please! (Max size = %d)", MAX_PATTERN_SIZE-1); } DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "processing char: %c\n", *idx);); 
@@ -2125,10 +1518,9 @@ */ if(!hexsize || hexsize % 2) { - FatalError("%s(%d) => Content hexmode argument has invalid " - "number of hex digits. The argument '%s' must " - "contain a full even byte string.\n", - file_name, file_line, start_ptr); + ParseError("Content hexmode argument has invalid " + "number of hex digits. The argument '%s' " + "must contain a full even byte string.", start_ptr); } hexmode = 0; @@ -2158,8 +1550,7 @@ */ if (idx [1] != '\0' && strchr ("\\\":;", idx [1]) == NULL) { - FatalError("%s(%d) => bad escape sequence starting " - "with \"%s\". ", file_name, file_line, idx); + ParseError("Bad escape sequence starting with \"%s\".", idx); } DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Setting literal\n");); @@ -2176,10 +1567,8 @@ break; case '"': - if (!literal) { - FatalError("%s(%d) => Non-escaped " - " '\"' character!\n", file_name, file_line); - } + if (!literal) + ParseError("Non-escaped '\"' character!"); /* otherwise process the character as default */ default: if(hexmode) @@ -2199,8 +1588,8 @@ pending--; if(dummy_idx < dummy_end) - { - tmp_buf[dummy_size] = (u_char) + { + tmp_buf[dummy_size] = (u_char) strtol(hex_buf, (char **) NULL, 16)&0xFF; dummy_size++; @@ -2209,9 +1598,9 @@ } else { - FatalError("ParsePattern() dummy " - "buffer overflow, make a smaller " - "pattern please! (Max size = %d)\n", MAX_PATTERN_SIZE-1); + ParseError("ParsePattern() dummy buffer " + "overflow, make a smaller pattern " + "please! (Max size = %d)", MAX_PATTERN_SIZE-1); } } } @@ -2219,12 +1608,10 @@ { if(*idx != ' ') { - FatalError("%s(%d) => What is this " - "\"%c\"(0x%X) doing in your binary " - "buffer? Valid hex values only please! " - "(0x0 - 0xF) Position: %d\n", - file_name, - file_line, (char) *idx, (char) *idx, cnt); + ParseError("What is this \"%c\"(0x%X) doing in " + "your binary buffer? Valid hex values " + "only please! (0x0 - 0xF) Position: %d", + (char) *idx, (char) *idx, cnt); } } } 
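Review bot: In the hunk at -2219 the rewritten ParseError call still passes `(char) *idx` for the `%X` conversion; `%X` takes an unsigned int, and where `char` is signed a byte above 0x7F is sign-extended, so the diagnostic prints `0xFFFFFFxx` instead of the byte. Since the argument list is rewritten here anyway, pass the byte unsigned: `(char) *idx, (unsigned char) *idx, cnt);`. The enclosing ParsePattern body continues outside the hunk.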
@@ -2239,8 +1626,9 @@
 }
 else
 {
- FatalError("%s(%d)=> ParsePattern() "
- "dummy buffer overflow!\n", file_name, file_line);
+ ParseError("ParsePattern() dummy buffer "
+ "overflow, make a smaller pattern "
+ "please! (Max size = %d)", MAX_PATTERN_SIZE-1);
 } if(literal)
@@ -2259,9 +1647,8 @@
 }
 else
 {
- FatalError("%s(%d)=> character value out "
- "of range, try a binary buffer\n",
- file_name, file_line);
+ ParseError("Character value out of range, try a "
+ "binary buffer.");
 }
 }
 }
@@ -2277,123 +1664,287 @@ /* error prunning */ - if (literal) { - FatalError("%s(%d)=> backslash escape is not " - "completed\n", file_name, file_line); - } - if (hexmode) { - FatalError("%s(%d)=> hexmode is not " - "completed\n", file_name, file_line); - } + if (literal) + ParseError("Backslash escape is not completed."); + + if (hexmode) + ParseError("Hexmode is not completed."); ds_idx = (PatternMatchData *) otn->ds_list[type]; while(ds_idx->next != NULL) ds_idx = ds_idx->next; - if((ds_idx->pattern_buf = (char *) calloc(dummy_size+1, sizeof(char))) - == NULL) - { - FatalError("ParsePattern() pattern_buf malloc failed!\n"); - } - + ds_idx->pattern_buf = (char *)SnortAlloc(dummy_size+1); memcpy(ds_idx->pattern_buf, tmp_buf, dummy_size); ds_idx->pattern_size = dummy_size; ds_idx->search = uniSearch; - + make_precomp(ds_idx); ds_idx->exception_flag = exception_flag; ds_idx->pattern_max_jump_size = GetMaxJumpSize(ds_idx->pattern_buf, ds_idx->pattern_size); - - return; } -#if 0 -static int CheckORPatternMatch(Packet * p, struct _OptTreeNode * otn_idx, - OptFpList * fp_list) +/******************************************************************** + * Runtime functions + ********************************************************************/ +/* + * Figure out how deep the into the packet from the base_ptr we can go + * + * base_ptr = the offset into the payload relative to the last match plus the offset + * contained within the current pmd + * + * dlen = amount of data in the packet from the base_ptr to the end of the packet + * + * pmd = the patterm match data struct for this test + */ +static inline int computeWithin(int dlen, PatternMatchData *pmd) { - int found = 0; - int dsize; - char *dp; - - - PatternMatchData *idx; - - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "CheckPatternORMatch: ");); - - idx = otn_idx->ds_list[PLUGIN_PATTERN_MATCH_OR]; - - while(idx != NULL) + /* do we want to check more bytes than there are in the buffer? 
*/ + if(pmd->within > (unsigned int)dlen) { + /* should we just return -1 here since the data might actually be within + * the stream but not the current packet's payload? + */ - if((p->packet_flags & PKT_ALT_DECODE) && (idx->rawbytes == 0)) + /* if the buffer size is greater than the size of the pattern to match */ + if(dlen >= (int)pmd->pattern_size) { - dsize = p->alt_dsize; - dp = (char *) DecodeBuffer; /* decode.c */ - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Using Alternative Decode buffer!\n");); + /* return the size of the buffer */ + return dlen; } else { - dsize = p->dsize; - dp = (char *) p->data; + /* failed, pattern size is greater than number of bytes in the buffer */ + return -1; } - + } - if(idx->offset > dsize) - { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Initial offset larger than payload!\n");); + /* the within vaule is in range of the number of buffer bytes */ + return pmd->within; +} - goto sizetoosmall; - } - else - { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "testing pattern: %s\n", idx->pattern_buf);); - found = idx->search(dp, dsize, idx); +/* + * case sensitive search + * + * data = ptr to buffer to search + * dlen = distance to the back of the buffer being tested, validated + * against offset + depth before function entry (not distance/within) + * pmd = pointer to pattern match data struct + */ - if(!found) - { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Pattern Match failed!\n");); - } - } +static int uniSearch(const char *data, int dlen, PatternMatchData *pmd) +{ + return uniSearchReal(data, dlen, pmd, 0); +} - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Checking the results\n");); +/* + * case insensitive search + * + * data = ptr to buffer to search + * dlen = distance to the back of the buffer being tested, validated + * against offset + depth before function entry (not distance/within) + * pmd = pointer to pattern match data struct + * + * NOTE - this is used in sf_convert_dynamic.c so cannot be 
static + */ +int uniSearchCI(const char *data, int dlen, PatternMatchData *pmd) +{ + return uniSearchReal(data, dlen, pmd, 1); +} + +/* + * single search function. + * + * data = ptr to buffer to search + * dlen = distance to the back of the buffer being tested, validated + * against offset + depth before function entry (not distance/within) + * pmd = pointer to pattern match data struct + * nocase = 0 means case sensitve, 1 means case insensitive + * + * return 1 for found + * return 0 for not found + * return -1 for error (search out of bounds) + */ +static int uniSearchReal(const char *data, int dlen, PatternMatchData *pmd, int nocase) +{ + /* + * in theory computeDepth doesn't need to be called because the + * depth + offset adjustments have been made by the calling function + */ + int depth = dlen; + int old_depth = dlen; + int success = 0; + const char *start_ptr = data; + const char *end_ptr = data + dlen; + const char *base_ptr = start_ptr; + uint32_t extract_offset, extract_depth, extract_distance, extract_within; + + DEBUG_WRAP(char *hexbuf;); + + + if(pmd->use_doe != 1) + { + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "NOT Using Doe Ptr\n");); + UpdateDoePtr(NULL, 0); /* get rid of all our pattern match state */ + } + + /* Get byte_extract variables */ + if (pmd->offset_var >= 0 && pmd->offset_var < NUM_BYTE_EXTRACT_VARS) + { + GetByteExtractValue(&extract_offset, pmd->offset_var); + pmd->offset = (int) extract_offset; + } + if (pmd->depth_var >= 0 && pmd->depth_var < NUM_BYTE_EXTRACT_VARS) + { + GetByteExtractValue(&extract_depth, pmd->depth_var); + pmd->depth = (int) extract_depth; + } + if (pmd->distance_var >= 0 && pmd->distance_var < NUM_BYTE_EXTRACT_VARS) + { + GetByteExtractValue(&extract_distance, pmd->distance_var); + pmd->distance = (int) extract_distance; + } + if (pmd->within_var >= 0 && pmd->within_var < NUM_BYTE_EXTRACT_VARS) + { + GetByteExtractValue(&extract_within, pmd->within_var); + pmd->within = (u_int) extract_within; + } + + /* 
check to see if we've got a stateful start point */ + if(doe_ptr) + { + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Using Doe Ptr\n");); + + base_ptr = (const char *)doe_ptr; + depth = dlen - ((char *) doe_ptr - data); + } + else + { + base_ptr = start_ptr; + depth = dlen; + } + + /* if we're using a distance call */ + if(pmd->distance) + { + /* set the base pointer up for the distance */ + base_ptr += pmd->distance; + depth -= pmd->distance; + } + else /* otherwise just use the offset (validated by calling function) */ + { + base_ptr += pmd->offset; + depth -= pmd->offset; + } + + if(pmd->within != 0) + { + /* + * calculate the "real" depth based on the current base and available + * number of bytes in the buffer + * + * this should account for the current base_ptr as it relates to + * the back of the buffer being tested + */ + old_depth = depth; + + depth = computeWithin(depth, pmd); + + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Changing Depth from %d to %d\n", old_depth, depth);); + } + + /* make sure we and in range */ + if(!inBounds((const uint8_t *)start_ptr, (const uint8_t *)end_ptr, (const uint8_t *)base_ptr)) + { + + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "returning because base_ptr" + " is out of bounds start_ptr: %p end: %p base: %p\n", + start_ptr, end_ptr, base_ptr);); + return -1; + } + + if(depth < 0) + { + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "returning because depth is negative (%d)\n", + depth);); + return -1; + } + + if(depth > dlen) + { + /* if offsets are negative but somehow before the start of the + packet, let's make sure that we get everything going + straight */ + depth = dlen; + } + + if((pmd->depth > 0) && (depth > pmd->depth)) + { + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Setting new depth to %d from %d\n", + pmd->depth, depth);); - if(found) - { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern Match " - "successful: %s!\n", idx->pattern_buf);); + depth = pmd->depth; + } - return 
fp_list->next->OptTestFunc(p, otn_idx, fp_list->next); + /* make sure we end in range */ + if(!inBounds((const uint8_t *)start_ptr, (const uint8_t *)end_ptr, (const uint8_t *)(base_ptr + depth - 1))) + { + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "returning because base_ptr + depth - 1" + " is out of bounds start_ptr: %p end: %p base: %p\n", + start_ptr, end_ptr, base_ptr);); + return 0; + } - } - else - { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Pattern match failed\n");); - } +#ifdef DEBUG_MSGS + assert(depth <= old_depth); - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Stepping to next content keyword\n");); + DebugMessage(DEBUG_PATTERN_MATCH, "uniSearchReal:\n "); - sizetoosmall: + hexbuf = hex((u_char *)pmd->pattern_buf, pmd->pattern_size); + DebugMessage(DEBUG_PATTERN_MATCH, " p->data: %p\n doe_ptr: %p\n " + "base_ptr: %p\n depth: %d\n searching for: %s\n", + data, doe_ptr, base_ptr, depth, hexbuf); + free(hexbuf); +#endif /* DEBUG_MSGS */ - idx = idx->next; + if(nocase) + { + success = mSearchCI(base_ptr, depth, + pmd->pattern_buf, + pmd->pattern_size, + pmd->skip_stride, + pmd->shift_stride); + } + else + { + success = mSearch(base_ptr, depth, + pmd->pattern_buf, + pmd->pattern_size, + pmd->skip_stride, + pmd->shift_stride); } - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "No more keywords, exiting... \n");); - return 0; -} +#ifdef DEBUG_MSGS + if(success) + { + DebugMessage(DEBUG_PATTERN_MATCH, "matched, doe_ptr: %p (%d)\n", + doe_ptr, ((char *)doe_ptr - data)); + } #endif + return success; +} + int CheckANDPatternMatch(void *option_data, Packet *p) { int rval = DETECTION_OPTION_NO_MATCH; 
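Review bot: In uniSearchReal the four `GetByteExtractValue(&extract_offset, pmd->offset_var);`-style calls ignore the return value while `uint32_t extract_offset, extract_depth, extract_distance, extract_within;` are left uninitialized, so if the lookup can fail the following `pmd->offset = (int) extract_offset;` copies an indeterminate value into the rule's PatternMatchData; initializing them, `uint32_t extract_offset = 0, extract_depth = 0, extract_distance = 0, extract_within = 0;`, or checking the return closes that path. Those assignments also overwrite at packet time fields that PatternMatchHash and PatternMatchCompare key on and that FinalizeContentUniqueness may have shared through add_detection_option, which deserves a comment stating that the runtime byte_extract values are meant to replace the parsed ones. computeWithin compares `pmd->within > (unsigned int)dlen` and is called before the `depth < 0` and inBounds checks, so a negative depth wraps to a large unsigned value and the helper returns `pmd->within` as if it were in range, leaving the later base_ptr bounds check to reject the case; a leading `if (dlen < 0) return -1;` makes the helper correct on its own. Under DEBUG_MSGS the `%d` for `((char *)doe_ptr - data)` receives a ptrdiff_t; `%td` or an explicit cast matches the type.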
@@ -2412,22 +1963,56 @@ idx = (PatternMatchData *)option_data; origUseDoe = idx->use_doe; - if((p->packet_flags & PKT_ALT_DECODE) && (idx->rawbytes == 0)) + if(idx->rawbytes == 0) { - dsize = p->alt_dsize; - dp = (char *) DecodeBuffer; /* decode.c */ - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Using Alternative Decode buffer!\n");); + if(Is_DetectFlag(FLAG_ALT_DETECT)) + { + dsize = DetectBuffer.len; + dp = (char *) DetectBuffer.data; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Using Alternative Detect buffer!\n");); + } + else if(Is_DetectFlag(FLAG_ALT_DECODE)) + { + dsize = DecodeBuffer.len; + dp = (char *) DecodeBuffer.data; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Using Alternative Decode buffer!\n");); + } + else + { + if(IsLimitedDetect(p)) + { + dsize = p->alt_dsize; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Using Limited Packet Data!\n");); + } + else + { + dsize = p->dsize; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Using Full Packet Data!\n");); + } + dp = (char *) p->data; + } } else { dsize = p->dsize; dp = (char *) p->data; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Using Full Packet Data!\n");); } /* this now takes care of all the special cases where we'd run * over the buffer */ orig_doe = (char *)doe_ptr; + + if(doe_buf_flags & DOE_BUF_URI) + UpdateDoePtr(NULL, 0); + + doe_buf_flags = DOE_BUF_STD; + #ifndef NO_FOUND_ERROR found = idx->search(dp, dsize, idx); if ( found == -1 ) 
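Review bot: `orig_doe = (char *)doe_ptr;` is captured before the new `if(doe_buf_flags & DOE_BUF_URI) UpdateDoePtr(NULL, 0);`, so when that reset fires orig_doe still holds the pointer into the buffer the previous match was made in while doe_ptr is NULL; the later `start_doe - orig_doe` distance and offset checks (outside this hunk) would then be computed against a pointer from a different buffer than dp. Capturing after the reset, i.e. `doe_buf_flags = DOE_BUF_STD;` followed by `orig_doe = (char *)doe_ptr;`, keeps orig_doe consistent with the reset, on the assumption that the consumer already handles a NULL orig_doe for the stateless case. The new buffer-selection ladder would also benefit from a comment noting that FLAG_ALT_DETECT takes precedence over FLAG_ALT_DECODE and that the limited-detect branch pairs `p->alt_dsize` with `p->data`. CheckANDPatternMatch starts and ends outside the hunk.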
@@ -2447,21 +2032,20 @@ found = (idx->search(dp, dsize, idx) ^ idx->exception_flag); #endif - if (found && idx->replace_buf) + if ( found ) { - //fix the packet buffer to have the new string - detect_depth = (char *)doe_ptr - idx->pattern_size - dp; - - if (detect_depth < 0) + if ( idx->replace_buf && !PacketWasCooked(p) ) { - PREPROC_PROFILE_END(contentPerfStats); - return rval; - } - Replace_StoreOffset(idx, detect_depth); - } + //fix the packet buffer to have the new string + int detect_depth = (char *)doe_ptr - idx->pattern_size - dp; - if (found) - { + if (detect_depth < 0) + { + PREPROC_PROFILE_END(contentPerfStats); + return rval; + } + Replace_StoreOffset(idx, detect_depth); + } rval = DETECTION_OPTION_MATCH; DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Pattern match found\n");); } @@ -2478,7 +2062,7 @@ /* save start doe as beginning of this pattern + non-repeating length*/ start_doe = (char *)doe_ptr - idx->pattern_size + idx->pattern_max_jump_size; - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern Match successful!\n");); + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern Match successful!\n");); DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Check next functions!\n");); /* PROFILING Don't count rest of options towards content */ PREPROC_PROFILE_TMPEND(contentPerfStats); @@ -2489,9 +2073,9 @@ /* PROFILING Don't count rest of options towards content */ PREPROC_PROFILE_TMPSTART(contentPerfStats); - if(next_found != 0) + if(next_found != 0) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Next functions matched!\n");); /* We found a successful match, return that this rule has fired off */ @@ -2511,7 +2095,7 @@ if(new_dsize <= 0 || new_dsize > dsize) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "The new dsize is less than <= 0 or > " "the the original dsize;returning " "false\n");); 
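Review bot: `int detect_depth = (char *)doe_ptr - idx->pattern_size - dp;` measures the match relative to `dp`, but since hunk -2412 `dp` may point at DetectBuffer or DecodeBuffer rather than `p->data` when rawbytes is 0; if Replace_StoreOffset later patches the packet payload at that offset (its body is not visible here), the offset was taken in the wrong buffer, and the `!PacketWasCooked(p)` guard does not obviously cover that case. Tightening the condition to `if ( idx->replace_buf && !PacketWasCooked(p) && dp == (char *)p->data )` would confine replace to the raw payload. The same branch is also entered when `found` is true only because of `exception_flag`, in which case this search did not set `doe_ptr` and `detect_depth` is derived from whatever it held before. CheckANDPatternMatch starts and ends outside this hunk.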
@@ -2526,7 +2110,7 @@ if (((idx->distance != 0) && (start_doe - orig_doe > idx->distance)) || ((idx->offset != 0) && (start_doe - orig_doe > idx->offset)) ) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "The next starting point to search " "from is beyond the original " "distance;returning false\n");); @@ -2540,7 +2124,7 @@ ((idx->depth != 0) && (start_doe - orig_doe + idx->pattern_size > (unsigned int)idx->depth)) ) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "The next starting point to search " "from is beyond the original " "within;returning false\n");); @@ -2555,7 +2139,7 @@ if (((idx->distance != 0) && (start_doe - dp > idx->distance)) || ((idx->offset != 0) && (start_doe - dp > idx->offset)) ) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "The next starting point to search " "from is beyond the original " "distance;returning false\n");); @@ -2569,7 +2153,7 @@ ((idx->depth != 0) && (start_doe - dp + idx->pattern_size > (unsigned int)idx->depth)) ) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "The next starting point to search " "from is beyond the original " "within;returning false\n");); 
@@ -2579,19 +2163,19 @@ } } - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "At least ONE of the next functions does to match!\n");); - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "At least ONE of the next functions does to match!\n");); + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Start search again from a next point!\n");); /* Start the search again from the last set of contents, with a new depth and dsize */ doe_ptr = (uint8_t *)start_doe; idx->use_doe = 1; found = (idx->search(start_doe, new_dsize,idx) ^ idx->exception_flag); - + /* ** If we haven't updated doe since we set it at the beginning - ** of the loop, then that means we have already done the exact + ** of the loop, then that means we have already done the exact ** same search previously, and have nothing else to gain from ** doing the same search again. */ 
@@ -2604,127 +2188,327 @@ } else { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Returning 0 because tmp_doe is NULL\n");); - - idx->use_doe = origUseDoe; - PREPROC_PROFILE_END(contentPerfStats); - return 0; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Returning 0 because tmp_doe is NULL\n");); + + idx->use_doe = origUseDoe; + PREPROC_PROFILE_END(contentPerfStats); + return 0; + } + + } +#endif + + //idx->use_doe = origUseDoe; + PREPROC_PROFILE_END(contentPerfStats); + return rval; +} + +int CheckUriPatternMatch(void *option_data, Packet *p) +{ + int rval = DETECTION_OPTION_NO_MATCH; + int found = 0; + int i = 0; + PatternMatchData *idx = (PatternMatchData *)option_data; + PROFILE_VARS; + + if(p->uri_count <= 0) + { + DEBUG_WRAP(DebugMessage(DEBUG_HTTP_DECODE,"CheckUriPatternMatch: no " + "HTTP buffers set, retuning");); + return rval; + } + + PREPROC_PROFILE_START(uricontentPerfStats); + for (i = 0; i<p->uri_count; i++) + + { + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "CheckUriPatternMatch: ");); + + if (!UriBufs[i].uri || (UriBufs[i].length == 0)) + { + DEBUG_WRAP(DebugMessage(DEBUG_HTTP_DECODE,"Checking for %s pattern in " + "buffer %d: HTTP buffer not set/zero length, returning", + uri_buffer_name[i], i);); + continue; + } + + if (!(idx->uri_buffer & (1 << i))) + { + DEBUG_WRAP(DebugMessage(DEBUG_HTTP_DECODE,"Skipping %s pattern in " + "buffer %d: buffer not part of inspection set", + uri_buffer_name[i], i);); + continue; + } + + DEBUG_WRAP(DebugMessage(DEBUG_HTTP_DECODE,"Checking for %s pattern in " + "buffer %d ", + uri_buffer_name[i], i);); + +#ifdef DEBUG_MSGS /* for variable declaration */ + { + int j; + + DebugMessage(DEBUG_HTTP_DECODE,"Checking against HTTP data (%s): ", uri_buffer_name[idx->uri_buffer]); + for(j=0; j<UriBufs[i].length; j++) + { + DebugMessage(DEBUG_HTTP_DECODE, "%c", UriBufs[i].uri[j]); + } + DebugMessage(DEBUG_HTTP_DECODE,"\n"); + } +#endif /* DEBUG_MSGS */ + + /* + * have to reset the doe_ptr for each new UriBuf + */ + 
if(idx->use_doe != 1) + UpdateDoePtr(NULL, 0); + + else if(!(doe_buf_flags & DOE_BUF_URI)) + SetDoePtr(UriBufs[i].uri, DOE_BUF_URI); + + /* this now takes care of all the special cases where we'd run + * over the buffer */ + found = (idx->search((const char *)UriBufs[i].uri, UriBufs[i].length, idx) ^ idx->exception_flag); + + if(found > 0 ) + { + doe_buf_flags = DOE_BUF_URI; + + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern Match successful!\n");); + /*if found print the normalized and unnormalized buffer */ +#ifdef DEBUG_MSGS + if ( idx->uri_buffer & (HTTP_SEARCH_URI | HTTP_SEARCH_COOKIE | HTTP_SEARCH_HEADER )) + { + DEBUG_WRAP( + if(UriBufs[i].uri) + DebugMessage(DEBUG_HTTP_DECODE, "Normalized contents of the matched Http buffer is: %s\n", + UriBufs[i].uri); + if(UriBufs[i+1].uri) + DebugMessage(DEBUG_HTTP_DECODE, "Unnormalized/Raw contents of the matched Http buffer is: %s\n", + UriBufs[i+1].uri); + ); + } + else + { + DEBUG_WRAP( + if(UriBufs[i].uri) + DebugMessage(DEBUG_HTTP_DECODE, "Unnormalized/Raw contents of the matched Http buffer is: %s\n", + UriBufs[i].uri); + ); + } +#endif + /* call the next function in the OTN */ + PREPROC_PROFILE_END(uricontentPerfStats); + return DETECTION_OPTION_MATCH; + } + + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Pattern match failed\n");); + } + + PREPROC_PROFILE_END(uricontentPerfStats); + return rval; +} + +void PatternMatchDuplicatePmd(void *src, PatternMatchData *pmd_dup) +{ + /* Oh, C++ where r u? can't we have a friggin' copy constructor? 
*/ + PatternMatchData *pmd_src = (PatternMatchData *)src; + if (!pmd_src || !pmd_dup) + return; + + pmd_dup->exception_flag = pmd_src->exception_flag; + pmd_dup->offset = pmd_src->offset; + pmd_dup->depth = pmd_src->depth; + pmd_dup->distance = pmd_src->distance; + pmd_dup->within = pmd_src->within; + pmd_dup->offset_var = pmd_src->offset_var; + pmd_dup->depth_var = pmd_src->depth_var; + pmd_dup->distance_var = pmd_src->distance_var; + pmd_dup->within_var = pmd_src->within_var; + pmd_dup->rawbytes = pmd_src->rawbytes; + pmd_dup->nocase = pmd_src->nocase; + pmd_dup->use_doe = pmd_src->use_doe; + pmd_dup->uri_buffer = pmd_src->uri_buffer; + pmd_dup->buffer_func = pmd_src->buffer_func; + pmd_dup->pattern_size = pmd_src->pattern_size; + pmd_dup->replace_size = pmd_src->replace_size; + pmd_dup->replace_buf = pmd_src->replace_buf; + pmd_dup->pattern_buf = pmd_src->pattern_buf; + pmd_dup->search = pmd_src->search; + pmd_dup->skip_stride = pmd_src->skip_stride; + pmd_dup->shift_stride = pmd_src->shift_stride; + pmd_dup->pattern_max_jump_size = pmd_src->pattern_max_jump_size; + pmd_dup->fp = pmd_src->fp; + pmd_dup->fp_only = pmd_src->fp_only; + pmd_dup->fp_offset = pmd_src->fp_offset; + pmd_dup->fp_length = pmd_src->fp_length; + + pmd_dup->last_check.ts.tv_sec = pmd_src->last_check.ts.tv_sec; + pmd_dup->last_check.ts.tv_usec = pmd_src->last_check.ts.tv_usec; + pmd_dup->last_check.packet_number = pmd_src->last_check.packet_number; + pmd_dup->last_check.rebuild_flag = pmd_src->last_check.rebuild_flag; + + pmd_dup->prev = NULL; + pmd_dup->next = NULL; + pmd_dup->fpl = NULL; + + Replace_ResetOffset(pmd_dup); +} + +/* current_cursor should be the doe_ptr after this content rule option matched + * orig_cursor is the place from where we first did evaluation of this content */ +int PatternMatchAdjustRelativeOffsets(PatternMatchData *orig_pmd, PatternMatchData *dup_pmd, + const uint8_t *current_cursor, const uint8_t *orig_cursor) +{ + /* Adjust for repeating patterns, e.g. 
ABAB + * This is where the new search for this content should start */ + const uint8_t *start_cursor = + (current_cursor - dup_pmd->pattern_size) + dup_pmd->pattern_max_jump_size; + + if (orig_pmd->depth != 0) + { + /* This was relative to a previously found pattern. No space left to + * search, we're done */ + if ((start_cursor + dup_pmd->pattern_size) + > (orig_cursor + dup_pmd->offset + dup_pmd->depth)) + { + return 0; + } + + /* Adjust offset and depth to reflect new position */ + /* Lop off what we used */ + dup_pmd->depth -= start_cursor - (orig_cursor + dup_pmd->offset); + /* Make offset where we will start the next search */ + dup_pmd->offset = start_cursor - orig_cursor; + } + else if (orig_pmd->within != 0) + { + /* This was relative to a previously found pattern. No space left to + * search, we're done */ + if ((start_cursor + dup_pmd->pattern_size) + > (orig_cursor + dup_pmd->distance + dup_pmd->within)) + { + return 0; + } + + /* Adjust distance and within to reflect new position */ + /* Lop off what we used */ + dup_pmd->within -= start_cursor - (orig_cursor + dup_pmd->distance); + /* Make distance where we will start the next search */ + dup_pmd->distance = start_cursor - orig_cursor; + } + else if (orig_pmd->use_doe) + { + dup_pmd->distance = start_cursor - orig_cursor; + } + else + { + dup_pmd->offset = start_cursor - orig_cursor; + } + + return 1; +} + +#if 0 +/* Not currently in use - DO NOT REMOVE */ +static inline int computeDepth(int dlen, PatternMatchData * pmd) +{ + /* do some tests to make sure we stay in bounds */ + if((pmd->depth + pmd->offset) > dlen) + { + /* we want to check only depth bytes anyway */ + int sub_depth = dlen - pmd->offset; + + if((sub_depth > 0) && (sub_depth >= (int)pmd->pattern_size)) + { + return sub_depth; + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Pattern Match failed -- sub_depth: %d < " + "(int)pmd->pattern_size: %d!\n", + sub_depth, (int)pmd->pattern_size);); + + return -1; + } + } + else + 
{ + if(pmd->depth && (dlen - pmd->offset > pmd->depth)) + { + return pmd->depth; + } + else + { + return dlen - pmd->offset; } - } -#endif - - //idx->use_doe = origUseDoe; - PREPROC_PROFILE_END(contentPerfStats); - return rval; } -/************************************************************************/ -/************************************************************************/ -/************************************************************************/ - -char *uri_buffer_name[] = +static int uniSearchREG(char * data, int dlen, PatternMatchData * pmd) { - "http_uri", - "http_header", - "http_client_body", - "http_method", - "http_cookie" -}; + int depth = computeDepth(dlen, pmd); + /* int distance_adjustment = 0; + * int depth_adjustment = 0; + */ + int success = 0; -int PatternMatchUriBuffer(void *p) -{ - PatternMatchData *pmd = (PatternMatchData *)p; + if (depth < 0) + return 0; - if (pmd->uri_buffer != 0) - { - /* return 1 if not just cookie */ - return pmd->uri_buffer != HTTP_SEARCH_COOKIE; - } - return 0; /* not set */ + /* XXX DESTROY ME */ + /*success = mSearchREG(data + pmd->offset + distance_adjustment, + depth_adjustment!=0?depth_adjustment:depth, + pmd->pattern_buf, pmd->pattern_size, pmd->skip_stride, + pmd->shift_stride);*/ + + return success; } +#endif -int CheckUriPatternMatch(void *option_data, Packet *p) +#if 0 +/* XXX Not completetly implemented */ +static void PayloadSearchListInit(char *data, OptTreeNode * otn, int protocol) { - int rval = DETECTION_OPTION_NO_MATCH; - int found = 0; - int i = 0; - PatternMatchData *idx = (PatternMatchData *)option_data; - PROFILE_VARS; - - if(p->uri_count <= 0) - { - DEBUG_WRAP(DebugMessage(DEBUG_HTTP_DECODE,"CheckUriPatternMatch: no " - "HTTP buffers set, retuning");); - return rval; - } + char *sptr; + char *eptr; - PREPROC_PROFILE_START(uricontentPerfStats); - for (i = 0; i<p->uri_count; i++) + lastType = PLUGIN_PATTERN_MATCH_OR; - { - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "CheckUriPatternMatch: ");); + 
DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "In PayloadSearchListInit()\n");); - if (!UriBufs[i].uri || (UriBufs[i].length == 0)) - { - DEBUG_WRAP(DebugMessage(DEBUG_HTTP_DECODE,"Checking for %s pattern in " - "buffer %d: HTTP buffer not set/zero length, returning", - uri_buffer_name[i], i);); - continue; - } + /* get the path/file name from the data */ + while(isspace((int) *data)) + data++; - if (!(idx->uri_buffer & (1 << i))) - { - DEBUG_WRAP(DebugMessage(DEBUG_HTTP_DECODE,"Skipping %s pattern in " - "buffer %d: buffer not part of inspection set", - uri_buffer_name[i], i);); - continue; - } + /* grab everything between the starting " and the end one */ + sptr = index(data, '"'); + eptr = strrchr(data, '"'); - DEBUG_WRAP(DebugMessage(DEBUG_HTTP_DECODE,"Checking for %s pattern in " - "buffer %d ", - uri_buffer_name[i], i);); + if(sptr != NULL && eptr != NULL) + { + /* increment past the first quote */ + sptr++; -#ifdef DEBUG /* for variable declaration */ - { - int j; - - DebugMessage(DEBUG_HTTP_DECODE,"Checking against HTTP data (%s): ", uri_buffer_name[idx->uri_buffer]); - for(j=0; j<UriBufs[i].length; j++) - { - DebugMessage(DEBUG_HTTP_DECODE, "%c", UriBufs[i].uri[j]); - } - DebugMessage(DEBUG_HTTP_DECODE,"\n"); - } -#endif /* DEBUG */ + /* zero out the second one */ + *eptr = 0; + } + else + { + sptr = data; + } - /* - * have to reset the doe_ptr for each new UriBuf - */ - doe_ptr = NULL; - - /* this now takes care of all the special cases where we'd run - * over the buffer */ - found = (idx->search((const char *)UriBufs[i].uri, UriBufs[i].length, idx) ^ idx->exception_flag); - - if(found) - { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern Match successful!\n");); - /* call the next function in the OTN */ - PREPROC_PROFILE_END(uricontentPerfStats); - return DETECTION_OPTION_MATCH; - } + /* read the content keywords from the list file */ + ParseContentListFile(sptr, otn, protocol); - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Pattern match failed\n");); - 
} + /* link the plugin function in to the current OTN */ + AddOptFuncToList(CheckORPatternMatch, otn); - PREPROC_PROFILE_END(uricontentPerfStats); - return rval; + return; } - -#if 0 /**************************************************************************** * * Function: ParseContentListFile(char *, OptTreeNode *, int protocol) @@ -2747,15 +2531,15 @@ int frazes_count; /* frazes counter */ -#ifdef DEBUG +#ifdef DEBUG_MSGS PatternMatchData *idx; DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Opening content_list file: %s\n", file);); -#endif /* DEBUG */ +#endif /* DEBUG_MSGS */ /* open the list file */ thefp = fopen(file, "r"); if (thefp == NULL) { - FatalError("Unable to open list file: %s\n", file); + ParseError("Unable to open list file: %s", file); } /* clear the line and rule buffers */ @@ -2769,13 +2553,13 @@ /* inc the line counter */ list_file_line++; - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Got line %d: %s", + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Got line %d: %s", list_file_line, buf);); /* if it's not a comment or a <CR>, send it to the parser */ if((buf[0] != '#') && (buf[0] != 0x0a) && (buf[0] != ';')) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Adding content keyword: %s", buf);); frazes_count++; @@ -2790,10 +2574,10 @@ "Content keyword %s\" added!\n", buf);); } } -#ifdef DEBUG +#ifdef DEBUG_MSGS DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "%d frazes read...\n", frazes_count);); idx = (PatternMatchData *) otn->ds_list[PLUGIN_PATTERN_MATCH_OR]; - + if(idx == NULL) { DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "No patterns loaded\n");); 
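Review bot: In CheckUriPatternMatch's DEBUG_MSGS block, `uri_buffer_name[idx->uri_buffer]` indexes the name table with the bitmask instead of the loop index, so any multi-bit or high-bit `uri_buffer` (the header in this diff defines flags up to 0x200) reads past the table; the surrounding messages use `uri_buffer_name[i]`, which is the intended index. The same block reads `UriBufs[i+1].uri` with no check that `i+1` is still a valid buffer, which is out of bounds when `i` is the last one (URI_COUNT is not visible here). Both are debug-only, but they are undefined behaviour whenever that block is compiled in. Separately, PatternMatchAdjustRelativeOffsets bounds the restart position against the original search window only in the depth and within branches; the use_doe and plain-offset branches return 1 unconditionally, so a comment such as `/* no upper bound is known here: the caller's next search must clamp to its own buffer */` would state the contract the caller has to honour.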
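Review bot: After `ParseError("Unable to open list file: %s", file);` replaces FatalError, execution continues with `thefp == NULL` if ParseError returns instead of aborting, which the old FatalError guaranteed; the NULL stream then reaches the read loop and the `fclose(thefp)` in hunk -2802. If ParseError can return, add `return;` after it, or keep FatalError for this path. ParseContentListFile now sits inside the `#if 0` opened before PayloadSearchListInit in the previous hunk, so this is latent until that block is re-enabled; the function starts outside this hunk.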
@@ -2802,16 +2586,160 @@ { while(idx != NULL) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern = %s\n", + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern = %s\n", idx->pattern_buf);); idx = idx->next; } } -#endif /* DEBUG */ - +#endif /* DEBUG_MSGS */ + fclose(thefp); return; } + +int CheckORPatternMatch(Packet * p, OptTreeNode * otn_idx, OptFpList * fp_list) +{ + int found = 0; + int dsize; + char *dp; + + + PatternMatchData *idx; + + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "CheckPatternORMatch: ");); + + idx = otn_idx->ds_list[PLUGIN_PATTERN_MATCH_OR]; + + while(idx != NULL) + { + if (Is_DetectFlag(FLAG_ALT_DETECT) && (idx->rawbytes == 0)) + { + dsize = DetectBuffer.len; + dp = (char *)DetectBufffer.data; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Using Alternative Detect buffer!\n");); + } + else if(Is_DetectFlag(FLAG_ALT_DECODE) && (idx->rawbytes == 0)) + { + dsize = DecodeBuffer.len; + dp = (char *) DecodeBuffer.data; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Using Alternative Decode buffer!\n");); + } + else + { + if(IsLimitedDetect(p)) + dsize = p->alt_dsize; + else + dsize = p->dsize; + dp = (char *) p->data; + } + + + if(idx->offset > dsize) + { + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Initial offset larger than payload!\n");); + + goto sizetoosmall; + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "testing pattern: %s\n", idx->pattern_buf);); + found = idx->search(dp, dsize, idx); + + if(!found) + { + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Pattern Match failed!\n");); + } + } + + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Checking the results\n");); + + if(found) + { + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern Match " + "successful: %s!\n", idx->pattern_buf);); + + return fp_list->next->OptTestFunc(p, otn_idx, fp_list->next); + + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Pattern match failed\n");); + } + + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, 
+ "Stepping to next content keyword\n");); + + sizetoosmall: + + idx = idx->next; + } + + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "No more keywords, exiting... \n");); + + return 0; +} +#endif + +#if 0 +/* Not currently used */ +static const char *format_uri_buffer_str(int uri_buffer, int search_buf, char *first_buf) +{ + if (uri_buffer & search_buf) + { + if (*first_buf == 1) + { + switch (search_buf) + { + case HTTP_SEARCH_URI: + return "http_uri"; + break; + case HTTP_SEARCH_CLIENT_BODY: + return "http_client_body"; + break; + case HTTP_SEARCH_HEADER: + return "http_header"; + break; + case HTTP_SEARCH_METHOD: + return "http_method"; + break; + case HTTP_SEARCH_COOKIE: + return "http_cookie"; + break; + } + *first_buf = 0; + } + else + { + switch (search_buf) + { + case HTTP_SEARCH_URI: + return " | http_uri"; + break; + case HTTP_SEARCH_CLIENT_BODY: + return " | http_client_body"; + break; + case HTTP_SEARCH_HEADER: + return " | http_header"; + break; + case HTTP_SEARCH_METHOD: + return " | http_method"; + break; + case HTTP_SEARCH_COOKIE: + return " | http_cookie"; + break; + } + } + } + return ""; +} #endif diff -Nru snort-2.8.5.2/src/detection-plugins/sp_pattern_match.h snort-2.9.2/src/detection-plugins/sp_pattern_match.h --- snort-2.8.5.2/src/detection-plugins/sp_pattern_match.h 2009-08-10 20:41:44.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_pattern_match.h 2011-11-21 20:15:24.000000000 +0000 @@ -1,5 +1,6 @@ +/* $Id$ */ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify 
@@ -18,40 +19,54 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ -/* $Id$ */ - #ifndef __SP_PATTERN_MATCH_H__ #define __SP_PATTERN_MATCH_H__ #include "snort.h" -#include "debug.h" +#include "snort_debug.h" #include "rules.h" /* needed for OptTreeNode defintion */ -#include "sf_engine/sf_snort_plugin_api.h" +#include "treenodes.h" #include <ctype.h> +/******************************************************************** + * Macros + ********************************************************************/ #define CHECK_AND_PATTERN_MATCH 1 #define CHECK_URI_PATTERN_MATCH 2 -#define HTTP_SEARCH_URI 0x01 -#define HTTP_SEARCH_HEADER 0x02 -#define HTTP_SEARCH_CLIENT_BODY 0x04 -#define HTTP_SEARCH_METHOD 0x08 -#define HTTP_SEARCH_COOKIE 0x10 - -/* Flags */ -//#define CONTENT_FAST_PATTERN 0x01 - +#define HTTP_SEARCH_URI 0x01 +#define HTTP_SEARCH_RAW_URI 0x02 +#define HTTP_SEARCH_HEADER 0x04 +#define HTTP_SEARCH_RAW_HEADER 0x08 +#define HTTP_SEARCH_CLIENT_BODY 0x10 +#define HTTP_SEARCH_METHOD 0x20 +#define HTTP_SEARCH_COOKIE 0x40 +#define HTTP_SEARCH_RAW_COOKIE 0x80 +#define HTTP_SEARCH_STAT_CODE 0x100 +#define HTTP_SEARCH_STAT_MSG 0x200 +/*Only these Http buffers are eligible for fast pattern match */ +#define FAST_PATTERN_HTTP_BUFS ( HTTP_SEARCH_URI | HTTP_SEARCH_HEADER | HTTP_SEARCH_CLIENT_BODY ) + +/******************************************************************** + * Data structures + ********************************************************************/ typedef struct _PatternMatchData { - uint8_t exception_flag; /* search for "not this pattern" */ int offset; /* pattern search start offset */ int depth; /* pattern search depth */ int distance; /* offset to start from based on last match */ - int within; /* this pattern must be found + u_int within; /* this pattern must be found within X bytes of last match*/ + + int8_t offset_var; /* byte_extract variable indices for offset, */ + int8_t depth_var; /* depth, distance, within */ + 
int8_t distance_var; + int8_t within_var; + int rawbytes; /* Search the raw bytes rather than any decoded app buffer */ + int replace_depth; /* >=0 is offset to start of replace */ int nocase; /* Toggle case insensitity */ int use_doe; /* Use the doe_ptr for relative pattern searching */ @@ -66,15 +81,13 @@ int *shift_stride; /* B-M shift array */ u_int pattern_max_jump_size; /* Maximum distance we can jump to search for * this pattern again. */ - struct _PatternMatchData *next; /* ptr to next match struct */ - int flags; /* flags */ OptFpList *fpl; /* Pointer to the OTN FPList for this pattern */ /* Needed to be able to set the isRelative flag */ /* Set if fast pattern matcher found a content in the packet, - but the rule option specifies a negated content. Only + but the rule option specifies a negated content. Only applies to negative contents that are not relative */ - struct + struct { struct timeval ts; uint64_t packet_number; 
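Review bot: The new HTTP_SEARCH_* values encode an implicit contract that nothing in the header states: bit i of `uri_buffer` selects `UriBufs[i]` and `uri_buffer_name[i]` in CheckUriPatternMatch (`idx->uri_buffer & (1 << i)`). A comment above the defines such as `/* bit i of uri_buffer selects UriBufs[i]; keep in sync with uri_buffer_name[] and URI_COUNT */` would keep the next flag addition honest. `within` also changes from int to u_int while offset, depth and distance stay int; values derived from pointer differences are subtracted from it in PatternMatchAdjustRelativeOffsets (`dup_pmd->within -= ...`), so a negative intermediate result now wraps silently instead of failing the later comparison. Either a consistent type across the four fields or a comment on why `within` alone is unsigned would help. The struct definition continues past this hunk.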
@@ -82,23 +95,119 @@ } last_check; - int replace_depth; /* >=0 is offset to start of replace */ + /* For fast_pattern arguments */ + uint8_t fp; + uint8_t fp_only; + uint16_t fp_offset; + uint16_t fp_length; + + uint8_t exception_flag; /* search for "not this pattern" */ + + /* Used in ds_list - do not try to iterate after parsing a rule + * since the detection option tree will eliminate duplicates and + * the list may have missing pmds */ + struct _PatternMatchData *prev; /* ptr to previous match struct */ + struct _PatternMatchData *next; /* ptr to next match struct */ } PatternMatchData; +/******************************************************************** + * Public function prototypes + ********************************************************************/ void SetupPatternMatch(void); -int SetUseDoePtr(OptTreeNode *otn); +PatternMatchData * NewNode(OptTreeNode *, int); void PatternMatchFree(void *d); uint32_t PatternMatchHash(void *d); int PatternMatchCompare(void *l, void *r); void FinalizeContentUniqueness(OptTreeNode *otn); -void PatternMatchDuplicatePmd(void *src, PatternMatchData *pmd_dup); -int PatternMatchAdjustRelativeOffsets(PatternMatchData *pmd, const uint8_t *orig_doe_ptr, const uint8_t *start_doe_ptr, const uint8_t *dp); -int PatternMatchUriBuffer(void *p); - -PatternMatchData * NewNode(OptTreeNode *, int); +void make_precomp(PatternMatchData *); void ParsePattern(char *, OptTreeNode *, int); -int CheckANDPatternMatch(void *option_data, Packet *p); -int CheckUriPatternMatch(void *option_data, Packet *p); +int uniSearchCI(const char *, int, PatternMatchData *); +int CheckANDPatternMatch(void *, Packet *); +int CheckUriPatternMatch(void *, Packet *); +void PatternMatchDuplicatePmd(void *, PatternMatchData *); +int PatternMatchAdjustRelativeOffsets(PatternMatchData *orig_pmd, PatternMatchData *dup_pmd, + const uint8_t *current_cursor, const uint8_t *orig_cursor); + +#if 0 +/* Not implemented */ +int CheckORPatternMatch(Packet *, OptTreeNode *, 
OptFpList *); +#endif + + +static inline int IsHttpBufFpEligible(int uri_buffer) +{ + return uri_buffer & FAST_PATTERN_HTTP_BUFS; +} + +static inline PatternMatchData * RemovePmdFromList(PatternMatchData *pmd) +{ + if (pmd == NULL) + return NULL; + + if (pmd->prev) + pmd->prev->next = pmd->next; + if (pmd->next) + pmd->next->prev = pmd->prev; + + pmd->next = NULL; + pmd->prev = NULL; + + return pmd; +} + +static inline int InsertPmdAtFront(PatternMatchData **head, PatternMatchData *ins) +{ + if (head == NULL) + return -1; + + if (ins == NULL) + return 0; + + ins->next = *head; + if (*head != NULL) + (*head)->prev = ins; + *head = ins; + + return 0; +} + +static inline int AppendPmdToList(PatternMatchData **head, PatternMatchData *ins) +{ + PatternMatchData *tmp; + + if (head == NULL) + return -1; + + if (ins == NULL) + return 0; + + if (*head == NULL) + { + *head = ins; + ins->prev = NULL; + return 0; + } + + for (tmp = *head; tmp->next != NULL; tmp = tmp->next); + tmp->next = ins; + ins->prev = tmp; + + return 0; +} + + +static inline void FreePmdList(PatternMatchData *pmd_list) +{ + if (pmd_list == NULL) + return; + + while (pmd_list != NULL) + { + PatternMatchData *tmp = pmd_list->next; + PatternMatchFree((void *)pmd_list); + pmd_list = tmp; + } +} #endif /* __SP_PATTERN_MATCH_H__ */ diff -Nru snort-2.8.5.2/src/detection-plugins/sp_pcre.c snort-2.9.2/src/detection-plugins/sp_pcre.c --- snort-2.8.5.2/src/detection-plugins/sp_pcre.c 2009-10-02 20:29:56.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_pcre.c 2011-06-08 00:33:10.000000000 +0000 
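Review bot: InsertPmdAtFront never clears `ins->prev`, and AppendPmdToList never clears `ins->next`, so a node that still carries links from a previous list drags them into the new one — a stale `prev` on the new head, or a stale `next` tail-joining whatever followed it before. Adding `ins->prev = NULL;` before `ins->next = *head;` and `ins->next = NULL;` before the `*head == NULL` test closes both. RemovePmdFromList cannot update the list head when `pmd` is the head, because the head is not passed in; a comment stating that the caller owns that fix-up would avoid misuse. The `if (pmd_list == NULL) return;` in FreePmdList duplicates the while condition and can go.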
@@ -2,8 +2,8 @@ /* ** Copyright (C) 2003 Brian Caswell <bmc@snort.org> ** Copyright (C) 2003 Michael J. Pomraning <mjp@securepipe.com> -** Copyright (C) 2003-2009 Sourcefire, Inc. -** +** Copyright (C) 2003-2011 Sourcefire, Inc. +** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or @@ -20,13 +20,17 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ +#include <sys/types.h> + #ifdef HAVE_CONFIG_H #include "config.h" #endif -#include "bounds.h" +#include "sf_types.h" +#include "snort_bounds.h" #include "rules.h" -#include "debug.h" +#include "treenodes.h" +#include "snort_debug.h" #include "decode.h" #include "plugbase.h" #include "parser.h" @@ -34,7 +38,6 @@ #include "util.h" #include "mstring.h" #include "sfhashfcn.h" -#include <sys/types.h> #ifdef WIN32 #define PCRE_DEFINITION @@ -53,18 +56,16 @@ #include "sfhashfcn.h" #include "detection_options.h" +#include "detection_util.h" -/* - * we need to specify the vector length for our pcre_exec call. we only care +/* + * we need to specify the vector length for our pcre_exec call. we only care * about the first vector, which if the match is successful will include the * offset to the end of the full pattern match. If we decide to store other * matches, make *SURE* that this is a multiple of 3 as pcre requires it. */ #define SNORT_PCRE_OVECTOR_SIZE 3 -extern uint8_t DecodeBuffer[DECODE_BLEN]; -extern const uint8_t *doe_ptr; - void SnortPcreInit(char *, OptTreeNode *, int); void SnortPcreParse(char *, PcreData *, OptTreeNode *); void SnortPcreDump(PcreData *); 
@@ -170,19 +171,20 @@ return 0; /* Don't search again */ } - if (pcre->options & (SNORT_PCRE_HTTP_URI | SNORT_PCRE_HTTP_BODY | SNORT_PCRE_HTTP_HEADER | SNORT_PCRE_HTTP_METHOD | SNORT_PCRE_HTTP_COOKIE)) + if (pcre->options & ( SNORT_PCRE_URI_BUFS )) { return 0; } - pcre->options |= SNORT_PCRE_RELATIVE; + /* What's coming in has the absolute offset */ pcre->search_offset += search_offset; + return 1; /* Continue searcing */ } void SetupPcre(void) { - RegisterRuleOption("pcre", SnortPcreInit, NULL, OPT_TYPE_DETECTION); + RegisterRuleOption("pcre", SnortPcreInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("pcre", &pcrePerfStats, 3, &ruleOTNEvalPerfStats); #endif @@ -194,7 +196,7 @@ OptFpList *fpl; void *pcre_dup; - /* + /* * allocate the data structure for pcre */ pcre_data = (PcreData *) SnortAlloc(sizeof(PcreData)); 
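Review bot: The new comment says the incoming `search_offset` is absolute, yet the line below still accumulates it: `pcre->search_offset += search_offset;`. If the value really is absolute the statement should be `pcre->search_offset = search_offset;`; if it is a delta, the comment is misleading — one of the two needs to change. Dropping `pcre->options |= SNORT_PCRE_RELATIVE;` also means the re-search is no longer forced relative, which is presumably deliberate but deserves a word in the same comment. The enclosing function starts outside this hunk.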
@@ -241,6 +243,32 @@ return; } +static inline void ValidatePcreHttpContentModifiers(PcreData *pcre_data) +{ + if( pcre_data->options & SNORT_PCRE_RELATIVE ) + FatalError("%s(%d): PCRE unsupported configuration : both relative & uri options specified\n", + file_name, file_line); + + if( pcre_data->options & SNORT_PCRE_RAWBYTES ) + FatalError("%s(%d): PCRE unsupported configuration : both rawbytes & uri options specified\n", + file_name, file_line); + + if( (pcre_data->options & SNORT_PCRE_HTTP_URI) && + (pcre_data->options & SNORT_PCRE_HTTP_RAW_URI)) + FatalError("%s(%d): PCRE unsupported configuration : Cannot use http uri and raw uri modifiers for " + "the same content\n", file_name, file_line); + + if( (pcre_data->options & SNORT_PCRE_HTTP_HEADER) && + (pcre_data->options & SNORT_PCRE_HTTP_RAW_HEADER)) + FatalError("%s(%d): PCRE unsupported configuration : Cannot use http header and raw header modifiers for " + "the same content\n", file_name, file_line); + + if( (pcre_data->options & SNORT_PCRE_HTTP_COOKIE) && + (pcre_data->options & SNORT_PCRE_HTTP_RAW_COOKIE)) + FatalError("%s(%d): PCRE unsupported configuration : Cannot use http cookie and raw cookie modifiers for " + "the same content\n", file_name, file_line); +} + void SnortPcreParse(char *data, PcreData *pcre_data, OptTreeNode *otn) { const char *error; @@ -250,9 +278,9 @@ int erroffset; int compile_flags = 0; - if(data == NULL) + if(data == NULL) { - FatalError("%s (%d): pcre requires a regular expression\n", + FatalError("%s (%d): pcre requires a regular expression\n", file_name, file_line); } @@ -263,7 +291,7 @@ while (isspace((int)re[strlen(re)-1])) re[strlen(re)-1] = '\0'; while (isspace((int)*re)) re++; - if(*re == '!') { + if(*re == '!') { pcre_data->options |= SNORT_PCRE_INVERT; re++; while(isspace((int)*re)) re++; 
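Review bot: ValidatePcreHttpContentModifiers carries no comment stating its precondition — it reports conflicts relative to an HTTP buffer modifier, so it only makes sense once one is set, which is what the call site in hunk -345 checks. A header comment such as `/* Reject option combinations that are invalid once an HTTP buffer modifier is present; aborts via FatalError. Caller must have tested SNORT_PCRE_URI_BUFS. */` would pin that. The checks do not reject two different buffers on one pcre (for example raw header together with raw cookie); if that is intentional because a pcre may target several buffers, the comment should say so.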
@@ -281,24 +309,24 @@ printf("It isn't \"\n"); goto syntax; } - + /* remove the last quote from the string */ re[strlen(re) - 1] = '\0'; - + /* 'm//' or just '//' */ - + if(*re == 'm') { re++; if(! *re) goto syntax; - + /* Space as a ending delimiter? Uh, no. */ if(isspace((int)*re)) goto syntax; /* using R would be bad, as it triggers RE */ - if(*re == 'R') goto syntax; + if(*re == 'R') goto syntax; delimit = *re; - } + } else if(*re != delimit) goto syntax; @@ -319,10 +347,10 @@ case 's': compile_flags |= PCRE_DOTALL; break; case 'm': compile_flags |= PCRE_MULTILINE; break; case 'x': compile_flags |= PCRE_EXTENDED; break; - - /* + + /* * these are pcre specific... don't work with perl - */ + */ case 'A': compile_flags |= PCRE_ANCHORED; break; case 'E': compile_flags |= PCRE_DOLLAR_ENDONLY; break; case 'G': compile_flags |= PCRE_UNGREEDY; break; @@ -338,6 +366,12 @@ case 'H': pcre_data->options |= SNORT_PCRE_HTTP_HEADER; break; case 'M': pcre_data->options |= SNORT_PCRE_HTTP_METHOD; break; case 'C': pcre_data->options |= SNORT_PCRE_HTTP_COOKIE; break; + case 'I': pcre_data->options |= SNORT_PCRE_HTTP_RAW_URI; break; + case 'D': pcre_data->options |= SNORT_PCRE_HTTP_RAW_HEADER; break; + case 'K': pcre_data->options |= SNORT_PCRE_HTTP_RAW_COOKIE; break; + case 'S': pcre_data->options |= SNORT_PCRE_HTTP_STAT_CODE; break; + case 'Y': pcre_data->options |= SNORT_PCRE_HTTP_STAT_MSG; break; + default: FatalError("%s (%d): unknown/extra pcre option encountered\n", file_name, file_line); 
@@ -345,15 +379,14 @@ opts++; } - if(pcre_data->options & SNORT_PCRE_RELATIVE && - pcre_data->options & (SNORT_PCRE_HTTP_URI | SNORT_PCRE_HTTP_BODY | SNORT_PCRE_HTTP_HEADER | SNORT_PCRE_HTTP_METHOD | SNORT_PCRE_HTTP_COOKIE)) - FatalError("%s(%d): PCRE unsupported configuration : both relative & uri options specified\n", file_name, file_line); + if(pcre_data->options & (SNORT_PCRE_URI_BUFS)) + ValidatePcreHttpContentModifiers(pcre_data); /* now compile the re */ DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "pcre: compiling %s\n", re);); pcre_data->re = pcre_compile(re, compile_flags, &error, &erroffset, NULL); - if(pcre_data->re == NULL) + if(pcre_data->re == NULL) { FatalError("%s(%d) : pcre compile of \"%s\" failed at offset " "%d : %s\n", file_name, file_line, re, erroffset, error); @@ -395,7 +428,7 @@ } else { - if (!(pcre_data->options & SNORT_OVERRIDE_MATCH_LIMIT) && + if (!(pcre_data->options & SNORT_OVERRIDE_MATCH_LIMIT) && ((ScPcreMatchLimit() != -1) || (ScPcreMatchLimitRecursion() != -1))) { pcre_data->pe = (pcre_extra *)SnortAlloc(sizeof(pcre_extra)); @@ -404,7 +437,7 @@ pcre_data->pe->flags |= PCRE_EXTRA_MATCH_LIMIT; pcre_data->pe->match_limit = ScPcreMatchLimit(); } - + #ifdef PCRE_EXTRA_MATCH_LIMIT_RECURSION if (ScPcreMatchLimitRecursion() != -1) { @@ -415,9 +448,9 @@ } } - if(error != NULL) + if(error != NULL) { - FatalError("%s(%d) : pcre study failed : %s\n", file_name, + FatalError("%s(%d) : pcre study failed : %s\n", file_name, file_line, error); } @@ -430,7 +463,7 @@ syntax: if(free_me) free(free_me); - FatalError("%s Line %d => unable to parse pcre regex %s\n", + FatalError("%s Line %d => unable to parse pcre regex %s\n", file_name, file_line, data); } @@ -485,9 +518,9 @@ } } -/** +/** * Perform a search of the PCRE data. - * + * * @param pcre_data structure that options and patterns are passed in * @param buf buffer to search * @param len size of buffer 
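Review bot: Swapping the old relative-only test for ValidatePcreHttpContentModifiers also turns rawbytes (R) combined with any HTTP buffer modifier into a fatal parse error, which the removed lines did not do; unless that combination was rejected somewhere else in 2.8.5.2, rules that used it will now stop Snort at startup instead of loading. That is probably intended, since rawbytes and the normalized HTTP buffers contradict each other, but it deserves a comment at the call site, e.g. `/* R with any HTTP buffer is now rejected here (previously only R with relative) */`, and a release-note line. The parentheses in `(SNORT_PCRE_URI_BUFS)` are redundant. SnortPcreParse continues outside this hunk.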
@@ -507,7 +540,7 @@ int ovector[SNORT_PCRE_OVECTOR_SIZE]; int matched; int result; - + if(pcre_data == NULL || buf == NULL || len <= 0 @@ -534,7 +567,19 @@ if(result >= 0) { matched = 1; - *found_offset = ovector[1]; + /* From the PCRE man page: + * When a match is successful, information about captured substrings is returned in pairs of integers, + * starting at the beginning of ovector, and continuing up to two-thirds of its length at the most. + * The first element of a pair is set to the offset of the first character in a substring, and the + * second is set to the offset of the first character after the end of a substring. The first pair, + * ovector[0] and ovector[1], identify the portion of the subject string matched by the entire pattern. + * The next pair is used for the first capturing subpattern, and so on. The value returned by + * pcre_exec() is the number of pairs that have been set. If there are no capturing subpatterns, the + * return value from a successful match is 1, indicating that just the first pair of offsets has been set. + * + * In Snort's case, the ovector size only allows for the first pair and a single int for scratch space. + */ + *found_offset = ovector[1]; DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Setting Doe_ptr and found_offset: %p %d\n", doe_ptr, found_offset);); @@ -550,7 +595,7 @@ } /* invert sense of match */ - if(pcre_data->options & SNORT_PCRE_INVERT) + if(pcre_data->options & SNORT_PCRE_INVERT) { matched = !matched; } @@ -566,7 +611,7 @@ int dsize; int length; /* length of the buffer pointed to by base_ptr */ int matched = 0; - extern HttpUri UriBufs[URI_COUNT]; + uint8_t rst_doe_flags = 1; DEBUG_WRAP(char *hexbuf;) PROFILE_VARS; 
@@ -578,9 +623,9 @@ PREPROC_PROFILE_END(pcrePerfStats); return DETECTION_OPTION_NO_MATCH; } - + /* This is the HTTP case */ - if(pcre_data->options & (SNORT_PCRE_HTTP_URI | SNORT_PCRE_HTTP_HEADER | SNORT_PCRE_HTTP_METHOD | SNORT_PCRE_HTTP_BODY | SNORT_PCRE_HTTP_COOKIE)) + if(pcre_data->options & SNORT_PCRE_URI_BUFS) { int i; for (i=0; i<p->uri_count; i++) @@ -607,6 +652,26 @@ if (!(pcre_data->options & SNORT_PCRE_HTTP_COOKIE)) continue; break; + case HTTP_BUFFER_RAW_URI: + if (!(pcre_data->options & SNORT_PCRE_HTTP_RAW_URI)) + continue; + break; + case HTTP_BUFFER_RAW_HEADER: + if(!(pcre_data->options & SNORT_PCRE_HTTP_RAW_HEADER)) + continue; + break; + case HTTP_BUFFER_RAW_COOKIE: + if (!(pcre_data->options & SNORT_PCRE_HTTP_RAW_COOKIE)) + continue; + break; + case HTTP_BUFFER_STAT_CODE: + if (!(pcre_data->options & SNORT_PCRE_HTTP_STAT_CODE)) + continue; + break; + case HTTP_BUFFER_STAT_MSG: + if (!(pcre_data->options & SNORT_PCRE_HTTP_STAT_MSG)) + continue; + break; default: /* Uh, what buffer is this */ PREPROC_PROFILE_END(pcrePerfStats); @@ -621,7 +686,7 @@ UriBufs[i].length, 0, &found_offset); - + PREPROC_PROFILE_END(pcrePerfStats); if(matched) { 
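Review bot: The new HTTP_BUFFER_RAW_HEADER case is written `if(!(pcre_data->options & SNORT_PCRE_HTTP_RAW_HEADER))` while the four cases added next to it use `if (!(…))`; one spacing style per switch makes these copy-pasted cases easier to scan for the one that differs. All five new cases share the same three-line shape with the existing ones, so a small table mapping HTTP_BUFFER_* to its SNORT_PCRE_HTTP_* bit would collapse the switch to one test, though that is optional. The switch and the loop over p->uri_count that contains it are closed outside this hunk.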
@@ -633,13 +698,30 @@ return DETECTION_OPTION_NO_MATCH; } /* end of the HTTP case */ - - if(p->packet_flags & PKT_ALT_DECODE && !(pcre_data->options & SNORT_PCRE_RAWBYTES)) + if( !(pcre_data->options & SNORT_PCRE_RAWBYTES)) { - dsize = p->alt_dsize; - start_ptr = DecodeBuffer; - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "using alternative decode buffer in pcre!\n");); + if(Is_DetectFlag(FLAG_ALT_DETECT)) + { + dsize = DetectBuffer.len; + start_ptr = DetectBuffer.data; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "using alternative detect buffer in pcre!\n");); + } + else if(Is_DetectFlag(FLAG_ALT_DECODE)) + { + dsize = DecodeBuffer.len; + start_ptr = DecodeBuffer.data; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "using alternative decode buffer in pcre!\n");); + } + else + { + if(IsLimitedDetect(p)) + dsize = p->alt_dsize; + else + dsize = p->dsize; + start_ptr = p->data; + } } else { @@ -655,15 +737,16 @@ { if(!inBounds(start_ptr, end_ptr, doe_ptr)) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "pcre bounds check failed on a relative content match\n");); PREPROC_PROFILE_END(pcrePerfStats); return DETECTION_OPTION_NO_MATCH; } - + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "pcre ... checking relative offset\n");); base_ptr = doe_ptr; + rst_doe_flags = 0; } else { @@ -673,7 +756,7 @@ } length = end_ptr - base_ptr; - + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "pcre ... base: %p start: %p end: %p doe: %p length: %d\n", base_ptr, start_ptr, end_ptr, doe_ptr, length);); 
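Review bot: The new buffer-selection chain establishes a precedence — alternate detect buffer, then alternate decode buffer, then the packet payload (limited to alt_dsize when IsLimitedDetect(p)) — that the previous single PKT_ALT_DECODE test did not have, and nothing in the code states it; a comment above the `if( !(pcre_data->options & SNORT_PCRE_RAWBYTES))` line such as `/* precedence: detect buffer > decode buffer > packet payload; rawbytes bypasses all three */` would spare the next reader from reconstructing it. The packet-payload branch is also the only one of the three without a DEBUG_WRAP trace, unlike its siblings. Whether `dsize`, an int, can hold every DetectBuffer.len and DecodeBuffer.len value is not visible here and is worth confirming. The enclosing function starts and ends outside this hunk.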
@@ -688,7 +771,7 @@ /* set the doe_ptr if we have a valid offset */ if(found_offset > 0) { - doe_ptr = (uint8_t *) base_ptr + found_offset; + UpdateDoePtr(((uint8_t *) base_ptr + found_offset), rst_doe_flags); } if (matched) diff -Nru snort-2.8.5.2/src/detection-plugins/sp_pcre.h snort-2.9.2/src/detection-plugins/sp_pcre.h --- snort-2.8.5.2/src/detection-plugins/sp_pcre.h 2009-05-06 22:28:35.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_pcre.h 2011-02-09 23:23:05.000000000 +0000 @@ -1,7 +1,7 @@ /* ** Copyright (C) 2003 Brian Caswell <bmc@snort.org> ** Copyright (C) 2003 Michael J. Pomraning <mjp@securepipe.com> -** Copyright (C) 2003-2009 Sourcefire, Inc. +** Copyright (C) 2003-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -37,6 +37,14 @@ #define SNORT_PCRE_HTTP_METHOD 0x80 /* Check HTTP method buffer */ #define SNORT_PCRE_HTTP_COOKIE 0x100 /* Check HTTP cookie buffer */ #define SNORT_PCRE_ANCHORED 0x200 +#define SNORT_PCRE_HTTP_RAW_URI 0x400 +#define SNORT_PCRE_HTTP_RAW_HEADER 0x800 +#define SNORT_PCRE_HTTP_RAW_COOKIE 0x1000 +#define SNORT_PCRE_HTTP_STAT_CODE 0x2000 +#define SNORT_PCRE_HTTP_STAT_MSG 0x4000 + +#define SNORT_PCRE_URI_BUFS (SNORT_PCRE_HTTP_URI | SNORT_PCRE_HTTP_BODY | SNORT_PCRE_HTTP_HEADER | SNORT_PCRE_HTTP_METHOD | SNORT_PCRE_HTTP_COOKIE | \ + SNORT_PCRE_HTTP_RAW_URI | SNORT_PCRE_HTTP_RAW_HEADER | SNORT_PCRE_HTTP_RAW_COOKIE | SNORT_PCRE_HTTP_STAT_CODE | SNORT_PCRE_HTTP_STAT_MSG) void SetupPcre(void); diff -Nru snort-2.8.5.2/src/detection-plugins/sp_pkt_data.c snort-2.9.2/src/detection-plugins/sp_pkt_data.c --- snort-2.8.5.2/src/detection-plugins/sp_pkt_data.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_pkt_data.c 2011-06-08 00:33:10.000000000 +0000 
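Review bot: The five new SNORT_PCRE_HTTP_* bit definitions in sp_pcre.h carry none of the trailing comments their neighbours have (`/* Check HTTP method buffer */`), so a reader must go to the parser to learn that 0x400 is the raw URI buffer and 0x2000/0x4000 are the HTTP status code and status message buffers; adding `/* Check raw URI buffer */` and the like keeps the header self-describing. SNORT_PCRE_URI_BUFS is also a misleading name for a mask that now covers header, method, body, cookie and status buffers; if a rename is not wanted, a comment `/* every HTTP buffer modifier, not only uri */` above it would help.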
@@ -0,0 +1,169 @@ +/* + ** Copyright (C) 1998-2011 Sourcefire, Inc. + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +/* sp_pkt_data + * + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include <sys/types.h> +#include <stdlib.h> +#include <ctype.h> +#ifdef HAVE_STRINGS_H +#include <strings.h> +#endif +#include <errno.h> + +#include "sf_types.h" +#include "snort_bounds.h" +#include "rules.h" +#include "decode.h" +#include "plugbase.h" +#include "parser.h" +#include "snort_debug.h" +#include "util.h" +#include "mstring.h" + +#include "snort.h" +#include "profiler.h" +#include "sp_pkt_data.h" +#ifdef PERF_PROFILING +PreprocStats pktDataPerfStats; +extern PreprocStats ruleOTNEvalPerfStats; +#endif + +#include "detection_options.h" +#include "detection_util.h" + +extern char *file_name; /* this is the file name from rules.c, generally used + for error messages */ + +extern int file_line; /* this is the file line number from rules.c that is + used to indicate file lines for error messages */ + +static void PktDataInit(char *, OptTreeNode *, int); +void PktDataParse(char *, OptTreeNode *); +int PktDataEval(void *option_data, Packet *p); + +/**************************************************************************** + 
* + * Function: SetupPktData() + * + * Purpose: Load 'er up + * + * Arguments: None. + * + * Returns: void function + * + ****************************************************************************/ +void SetupPktData(void) +{ + /* map the keyword to an initialization/processing function */ + RegisterRuleOption("pkt_data", PktDataInit, NULL, OPT_TYPE_DETECTION, NULL); +#ifdef PERF_PROFILING + RegisterPreprocessorProfile("pkt_data", &pktDataPerfStats, 3, &ruleOTNEvalPerfStats); +#endif + + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Plugin: pkt_data Setup\n");); +} + + +/**************************************************************************** + * + * Function: PktDataInit(char *, OptTreeNode *, int protocol) + * + * Purpose: Generic rule configuration function. Handles parsing the rule + * information and attaching the associated detection function to + * the OTN. + * + * Arguments: data => rule arguments/data + * otn => pointer to the current rule option list node + * protocol => protocol the rule is on (we don't care in this case) + * + * Returns: void function + * + ****************************************************************************/ +static void PktDataInit(char *data, OptTreeNode *otn, int protocol) +{ + OptFpList *fpl; + + PktDataParse(data, otn); + + fpl = AddOptFuncToList(PktDataEval, otn); + fpl->type = RULE_OPTION_TYPE_PKT_DATA; + +} + + + +/**************************************************************************** + * + * Function: PktDataParse(char *, OptTreeNode *) + * + * Purpose: This is the function that is used to process the option keyword's + * arguments and attach them to the rule's data structures. 
+ * + * Arguments: data => argument data + * otn => pointer to the current rule's OTN + * + * Returns: void function + * + ****************************************************************************/ +void PktDataParse(char *data, OptTreeNode *otn) +{ + if (!IsEmptyStr(data)) + { + FatalError("%s(%d): pkt_data takes no arguments\n", + file_name, file_line); + } + +} + + +/**************************************************************************** + * + * Function: PktDataEval(char *, OptTreeNode *, OptFpList *) + * + * Purpose: Use this function to perform the particular detection routine + * that this rule keyword is supposed to encompass. + * + * Arguments: p => pointer to the decoded packet + * otn => pointer to the current rule's OTN + * fp_list => pointer to the function pointer list + * + * Returns: If the detection test fails, this function *must* return a zero! + * On success, it calls the next function in the detection list + * + ****************************************************************************/ +int PktDataEval(void *option_data, Packet *p) +{ + int rval = DETECTION_OPTION_MATCH; + PROFILE_VARS; + + PREPROC_PROFILE_START(pktDataPerfStats); + + SetDoePtr(NULL, DOE_BUF_STD); + DetectFlag_Disable(FLAG_ALT_DETECT); + + PREPROC_PROFILE_END(pktDataPerfStats); + return rval; +} diff -Nru snort-2.8.5.2/src/detection-plugins/sp_pkt_data.h snort-2.9.2/src/detection-plugins/sp_pkt_data.h --- snort-2.8.5.2/src/detection-plugins/sp_pkt_data.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_pkt_data.h 2011-06-08 00:33:10.000000000 +0000 
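Review bot: The header comment on PktDataEval documents a different function — `PktDataEval(char *, OptTreeNode *, OptFpList *)` with `otn` and `fp_list` arguments and "must return a zero" on failure — than the one defined, `int PktDataEval(void *option_data, Packet *p)`, which unconditionally returns DETECTION_OPTION_MATCH after `SetDoePtr(NULL, DOE_BUF_STD)` and `DetectFlag_Disable(FLAG_ALT_DETECT)`; it reads as a copied template and should instead say what the keyword appears to do, namely redirect the options that follow it back to the plain packet payload (confirm against the doe/detect-flag semantics). PktDataParse's header likewise documents an `otn` that is never read, PktDataInit declares `protocol` and never uses it, and `option_data` is unused in PktDataEval; a one-line "unused, required by the callback signature" note on each would make that deliberate.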
@@ -0,0 +1,27 @@ +/* +** Copyright (C) 2003-2011 Sourcefire, Inc. +** +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License Version 2 as +** published by the Free Software Foundation. You may not use, modify or +** distribute this program under any other version of the GNU General +** Public License. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +*/ + + +#ifndef __SP_PKT_DATA_H__ +#define __SP_PKT_DATA_H__ + +void SetupPktData(void); + +#endif diff -Nru snort-2.8.5.2/src/detection-plugins/sp_react.c snort-2.9.2/src/detection-plugins/sp_react.c --- snort-2.8.5.2/src/detection-plugins/sp_react.c 2009-08-10 20:41:44.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_react.c 2011-11-21 20:15:24.000000000 +0000 
@@ -1,111 +1,162 @@ /* $Id$ */ - -/* -** Copyright (C) 2002-2009 Sourcefire, Inc. -** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> -** Copyright (C) 2000,2001 Maciej Szarpak -** -** This program is free software; you can redistribute it and/or modify -** it under the terms of the GNU General Public License Version 2 as -** published by the Free Software Foundation. You may not use, modify or -** distribute this program under any other version of the GNU General -** Public License. -** -** This program is distributed in the hope that it will be useful, -** but WITHOUT ANY WARRANTY; without even the implied warranty of -** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -** GNU General Public License for more details. -** -** You should have received a copy of the GNU General Public License -** along with this program; if not, write to the Free Software -** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -*/ - -/* Snort React Plugin by Maciej Szarpak, Warsaw University of Technology */ - -/* sp_react.c - * - * Purpose: - * - * React! Deny the access to some unsuitable web-sites (like porn sites) or - * close the offending connections. - * - * Arguments: - * - * This plugin can take two basic arguments: - * block => closes the connection and sends a suitable HTML page to the - * browser (if got tcp 80 port packet) - * warn => sends a HTML/JavaScript warning to the browser +/**************************************************************************** * - * The following additional arguments are valid for this option: - * msg => puts the msg option comment into the HTML page - * proxy <port_nr> => sends the respond code to the proxy port_nr + * Copyright (C) 2005-2011 Sourcefire, Inc. * - * Effect: + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. 
You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Closes the connections by sending TCP RST packets (similar to resp option). - * If the connection uses http or proxy server ports a visible information - * to a browser user is send (HTML code). + ****************************************************************************/ + +// @file sp_react.c +// @author Russ Combs <rcombs@sourcefire.com> + +/* The original Snort React Plugin was contributed by Maciej Szarpak, Warsaw + * University of Technology. The module has been entirely rewritten by + * Sourcefire as part of the effort to overhaul active response. Some of the + * changes include: + * + * - elimination of unworkable warn mode + * - elimination of proxy port (rule header has ports) + * - integration with unified active response mechanism + * - queuing of rule option responses so at most one is issued + * - allow override by rule action when action is drop + * - addition of http headers to default response + * - added custom page option + * - and other stuff + * + * This version will send a web page to the client and then reset both + * ends of the session. The web page may be configured or the default + * may be used. The web page can have the default warning message + * inserted or the message from the rule. * + * If you wish to just reset the session, use the resp keyword instead. 
*/ +#ifdef ENABLE_REACT + #ifdef HAVE_CONFIG_H #include "config.h" #endif -#ifdef ENABLE_REACT - #include <sys/types.h> +#include <sys/stat.h> + #include <stdlib.h> #include <string.h> #include <ctype.h> -#include <libnet.h> -#include "rules.h" +#include "sf_types.h" +#include "snort_debug.h" #include "decode.h" -#include "plugbase.h" +#include "encode.h" +#include "detection_options.h" #include "parser.h" -#include "debug.h" +#include "plugbase.h" #include "plugin_enum.h" +#include "profiler.h" +#include "active.h" +#include "rules.h" #include "sfhashfcn.h" #include "sp_react.h" - #include "snort.h" -#include "profiler.h" + #ifdef PERF_PROFILING -PreprocStats reactPerfStats; +static PreprocStats reactPerfStats; extern PreprocStats ruleOTNEvalPerfStats; #endif -#include "sfhashfcn.h" -#include "detection_options.h" +extern SnortConfig* snort_conf_for_parsing; -#define TCP_DATA_BUF 1024 +static const char* MSG_KEY = "<>"; -#define REACT_BLOCK 0x01 -#define REACT_WARN 0x02 +static const char* DEFAULT_HTTP = + "HTTP/1.1 403 Forbidden\r\n" + "Connection: close\r\n" + "Content-Type: text/html; charset=utf-8\r\n" + "Content-Length: %d\r\n" + "\r\n"; + +static const char* DEFAULT_HTML = + "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.1//EN\"\r\n" + " \"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd\">\r\n" + "<html xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"en\">\r\n" + "<head>\r\n" + "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\r\n" + "<title>Access Denied\r\n" + "\r\n" + "\r\n" + "

Access Denied

\r\n" + "

%s

\r\n" + "\r\n" + "\r\n"; + +static const char* DEFAULT_MSG = + "You are attempting to access a forbidden site.
" + "Consult your system administrator for details."; typedef struct _ReactData { - int reaction_flag; /* flexible reaction on alert */ - int proxy_port_nr; /* proxy TCP port */ - u_int html_resp_size; /* size of app html response */ - u_char *html_resp_buf; /* html response to send */ + uint32_t id; + int rule_msg; // 1=>use rule msg; 0=>use DEFAULT_MSG + ssize_t buf_len; // length of response + char* resp_buf; // response to send + const OptTreeNode* otn; } ReactData; -static void ReactInit(char *, OptTreeNode *, int); -static void ParseReact(char *, OptTreeNode *, ReactData *); -static int React(Packet *, RspFpList *); -static int SendTCP(u_long, u_long, u_short, u_short, int, int, u_char, const u_char *, - int); -static void ReactCleanup(int signal, void *data); +static int s_init = 1; +static int s_deprecated = 0; +static char* s_page = NULL; + +// When React_Init() is called the rule msg keyword may not have +// been processed. This necessitates two things: +// +// * A unique instance id is used in the hash in lieu of the +// message text. The id starts at 1 since 0 is reserved for +// the default msg. Assuming all rules have different msg +// strings, the id is a valid proxy. +// +// * React_Config() is installed to instantiate the page after +// rule parsing is complete (when for sure the msg is +// available). +// +// Ideally a separate rule configuration callback could be installed +// that would be called after all options are parsed and before the +// options are finalized. 
+static uint32_t s_id = 1; + +// callback functions +static void React_Init(char *, OptTreeNode *, int); +static void React_Config(int signal, void *data); +static void React_Cleanup(int signal, void *data); + +// core functions +static void React_GetPage(void); +static void React_Parse(char *, OptTreeNode *, ReactData *); +static int React_Queue(Packet*, void*); +static void React_Send(Packet*, void*); + +//-------------------------------------------------------------------- +// public functions void ReactFree(void *d) { ReactData *data = (ReactData *)d; - if (data->html_resp_buf) - free(data->html_resp_buf); + if (data->resp_buf) + free(data->resp_buf); free(data); } @@ -115,22 +166,25 @@ unsigned int i,j,k,l; ReactData *data = (ReactData *)d; - a = data->reaction_flag; - b = data->proxy_port_nr; - c = data->html_resp_size; + const char* s = s_page ? s_page : DEFAULT_HTML; + unsigned n = strlen(s); + + a = data->rule_msg; + b = n; + c = (data->rule_msg ? data->id : 0); mix(a,b,c); - for (i=0,j=0;ihtml_resp_size;i+=4) + for ( i=0,j=0; ihtml_resp_size - i; + k = n - i; if (k > 4) k=4; - + for (l=0;lhtml_resp_buf + i + l) << l*8; + tmp |= s[i + l] << l*8; } switch (j) 
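Review bot: DEFAULT_HTML carries a printf-style `%s` at the message slot and MSG_KEY `<>` marks the same slot in a user-supplied page, which implies the selected page is later handed to a printf-family formatter; if so, any other `%` in a custom page (URL-encoded links are a common source) is read as a conversion specifier, and an uncontrolled format string is a memory-safety hazard, not just a garbled page. Either document in the react_page configuration that a literal `%` must be written `%%`, or splice the message in with two memcpy calls around the marker instead of formatting the whole page. DEFAULT_HTTP's `Content-Length: %d` presumably receives `buf_len`, which ReactData declares as ssize_t; `%zd` or an explicit cast avoids a format/argument mismatch on LP64 targets. The formatting call itself is outside this hunk, so the above is inferred from the templates.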
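Review bot: `tmp |= s[i + l] << l*8;` shifts a plain `char`: `s` is a `const char*`, so on targets where char is signed any byte >= 0x80 in the page (the default page declares UTF-8, and a custom page may contain such bytes) is sign-extended before the shift, and left-shifting a negative int is undefined behaviour. The removed line read through a `u_char *` and did not have this problem; make the conversion explicit with `tmp |= (unsigned char)s[i + l] << l*8;`. Separately, the loop now folds the whole shared page into the hash for every rule even though the page is identical across rules; hashing only `rule_msg`, `n` and `id` would distinguish options equally well at lower cost, though that is a separate change. ReactHash's signature and return are outside this hunk.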
@@ -174,501 +228,234 @@ if (!left || !right) return DETECTION_OPTION_NOT_EQUAL; - if (left->html_resp_size != right->html_resp_size) + if (left->buf_len != right->buf_len) return DETECTION_OPTION_NOT_EQUAL; - if (memcmp(left->html_resp_buf, right->html_resp_buf, left->html_resp_size) != 0) + if (memcmp(left->resp_buf, right->resp_buf, left->buf_len) != 0) return DETECTION_OPTION_NOT_EQUAL; - if (( left->reaction_flag == right->reaction_flag) && - ( left->proxy_port_nr == right->proxy_port_nr)) - { - return DETECTION_OPTION_EQUAL; - } - - return DETECTION_OPTION_NOT_EQUAL; -} -#endif /* ENABLE_REACT */ - -#if defined(ENABLE_REACT) || defined(ENABLE_RESPONSE) -#include -#include "util.h" - -int nd = -1; /* raw socket descriptor */ -static int nd_users = 0; /* reference count */ - -void RawSocket_Open () -{ - if ( ++nd_users == 1 ) /* need to open it only once */ - { - if((nd = libnet_open_raw_sock(IPPROTO_RAW)) < 0) - { - FatalError("cannot open raw socket for libnet, exiting...\n"); - } - } -} + if (left->rule_msg != right->rule_msg) + return DETECTION_OPTION_NOT_EQUAL; -void RawSocket_Close () -{ - if ( nd_users > 0 && --nd_users == 0 ) - { - libnet_close_raw_sock(nd); - } + return DETECTION_OPTION_EQUAL; } -#endif -#ifdef ENABLE_REACT -/**************************************************************************** - * - * Function: SetupReact() - * - * Purpose: Flexible response plugin. Registers the configuration function - * and links it to a rule keyword. - * - * Arguments: None. - * - * Returns: void function - * - ****************************************************************************/ void SetupReact(void) { - -/* we need an empty plug otherwise. 
To avoid #ifdef in plugbase */ - - RegisterRuleOption("react", ReactInit, NULL, OPT_TYPE_ACTION); + RegisterRuleOption("react", React_Init, NULL, OPT_TYPE_ACTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("react", &reactPerfStats, 3, &ruleOTNEvalPerfStats); #endif - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Plugin: React Initialized!\n");); } +//-------------------------------------------------------------------- +// callback functions -/**************************************************************************** - * - * Function: ReactInit(char *, OptTreeNode *, int protocol) - * - * Purpose: React rule configuration function. Handles parsing the rule - * information and attaching the associated structures to the OTN. - * - * Arguments: data => rule arguments/data - * otn => pointer to the current rule option list node - * protocol => current rule protocol - * - * Returns: void function - * - ****************************************************************************/ -static void ReactInit(char *data, OptTreeNode *otn, int protocol) +static void React_Init(char *data, OptTreeNode *otn, int protocol) { - ReactData *idx; + ReactData* rd; void *idx_dup; - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"In ReactInit()\n");); + if ( otn->ds_list[PLUGIN_RESPONSE] ) + FatalError("%s(%d): Multiple response options in rule\n", + file_name, file_line); - if(protocol != IPPROTO_TCP) - { - FatalError("Line %s(%d): TCP Options on non-TCP rule\n", file_name, file_line); - } + if ( protocol != IPPROTO_TCP ) + FatalError("%s(%d): React options on non-TCP rule\n", + file_name, file_line); - /* If it hasn't been opened yet, there are no rules currently using this - * rule option, so on a reload, setting this during parsing won't step - * on runtime evaluation */ - RawSocket_Open(); - - // depending on reloads and ordering of inits/cleans, - // opening module may not be same as closing module. 
- AddFuncToCleanExitList(ReactCleanup, NULL); + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"In React_Init()\n");); - if((idx = (ReactData *) calloc(sizeof(ReactData), sizeof(char))) == NULL) + if ( s_init ) { - FatalError("sp_react ReactInit() calloc failed!\n"); + AddFuncToCleanExitList(React_Cleanup, NULL); + AddFuncToRestartList(React_Cleanup, NULL); + + React_GetPage(); + + Active_SetEnabled(1); + s_init = 0; } /* parse the react keywords */ - ParseReact(data, otn, idx); + rd = SnortAlloc(sizeof(*rd)); + React_Parse(data, otn, rd); + rd->otn = otn; - if (add_detection_option(RULE_OPTION_TYPE_REACT, (void *)idx, &idx_dup) == DETECTION_OPTION_EQUAL) + if (add_detection_option(RULE_OPTION_TYPE_REACT, (void*)rd, &idx_dup) + == DETECTION_OPTION_EQUAL) { - free(idx); - idx = idx_dup; + free(rd); + rd = idx_dup; } - - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ - AddRspFuncToList(React, otn, (void *)idx); -} - + AddRspFuncToList(React_Queue, otn, (void*)rd); + AddFuncToPostConfigList(React_Config, rd); + // this prevents multiple response options in rule + otn->ds_list[PLUGIN_RESPONSE] = rd; +} -/**************************************************************************** - * - * Function: ParseReact(char *, OptTreeNode *) - * - * Purpose: React rule configuration function. Handles parsing the rule - * information. - * - * Arguments: data => rule arguments/data - * otn => pointer to the current rule option list node - * - * Returns: void function - * - ****************************************************************************/ -static void ParseReact(char *data, OptTreeNode *otn, ReactData *rd) +static void React_Cleanup(int signal, void* data) { - ReactData *idx; - char *tok; /* token buffer */ - u_int buf_size; - int ret; - - char tmp_buf1[] = "Snort

Snort!

Version "; - char tmp_buf2[] = "



You are not authorized to open this site!

"; - char tmp_buf3[] = "


Any questions?
"; - char tmp_buf4[]=""; - - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "In ParseReact()\n");); - - idx = rd; + if ( s_page ) + { + free(s_page); + s_page = NULL; + } + s_init = 1; +} - /* set the standard proxy port */ - idx->proxy_port_nr = 8080; +//-------------------------------------------------------------------- +// core functions - /* parse the react option keywords */ - while(isspace((int)*data)) data++; +static void React_GetPage (void) +{ + char* msg; + struct stat fs; + FILE* fd; + size_t n; - tok = strtok(data, ","); - while(tok) - { - if(!strcasecmp(tok, "block")) - idx->reaction_flag = REACT_BLOCK; - else if(!strcasecmp(tok, "warn")) -/* idx->reaction_flag = REACT_WARN*/; - else if(!strcasecmp(tok, "msg")) - if(otn->sigInfo.message == NULL) - FatalError( "%s(%d) => msg option missed or react " - "keyword placed before msg!\n", file_name, file_line); - else - idx->html_resp_size = 1; - else if(!strcasecmp(tok, "proxy")) - { - if(strlen(tok) > strlen("proxy")) - { - char *endp; + SnortConfig* sc = snort_conf_for_parsing; - tok = tok + 5; - - while(isspace((int)(*tok))) - tok++; - - idx->proxy_port_nr = strtoul(tok,&endp,10); - if(endp == tok) - { - FatalError("Can't parse the dang proxy option\n"); - } - } - else - { - FatalError("Can't parse the dang proxy option\n"); - } + if ( !sc ) + FatalError("react: %s(%d) Snort config for parsing is NULL.\n", + file_name, file_line); - /* make sure it's in bounds */ - if((idx->proxy_port_nr < 0) || (idx->proxy_port_nr >= MAXPORTS)) - { - FatalError("%s(%d): bad proxy port number: %d\n", file_name, file_line, idx->proxy_port_nr); - } - } - else - { - FatalError("%s(%d): invalid react modifier: %s\n", file_name, file_line, tok); - } - tok = strtok(NULL, ","); + if ( s_page || !sc->react_page ) return; - /* get rid of spaces */ - if(tok != NULL) - while(isspace((int)*tok)) tok++; - } + if ( stat(sc->react_page, &fs) ) + FatalError("react: %s(%d) can't stat react page file '%s'.\n", + file_name, file_line, 
sc->react_page); - /* test the basic modifier */ - if(idx->reaction_flag == 0) - FatalError("%s(%d): missing react basic modifier\n", file_name, file_line); - else - { - /* prepare the html response data */ - buf_size = 1; /* allocate one extra byte for '\0' */ - if(idx->reaction_flag == REACT_BLOCK) - { - /* count the respond buf size (max TCP_DATA_BUF) */ - buf_size += strlen(tmp_buf1) + strlen(tmp_buf2) + strlen(tmp_buf3) + strlen(VERSION); + s_page = SnortAlloc(fs.st_size+1); + fd = fopen(sc->react_page, "r"); - if(buf_size > TCP_DATA_BUF) - { - FatalError("%s(%d): invalid html response buffer size: %d\n", file_name, file_line, buf_size); - } - else - { - /* msg included */ - if((idx->html_resp_size == 1) && (buf_size + - strlen(otn->sigInfo.message) < TCP_DATA_BUF)) - { - buf_size += strlen(otn->sigInfo.message); - } - - /* create html response buffer */ - idx->html_resp_buf = (u_char *)SnortAlloc(sizeof(char) * buf_size); - - if (idx->html_resp_size == 1) - { - ret = SnortSnprintf((char *)idx->html_resp_buf, buf_size, - "%s%s%s%s%s", - tmp_buf1, VERSION, tmp_buf2, otn->sigInfo.message, tmp_buf3); - } - else - { - ret = SnortSnprintf((char *)idx->html_resp_buf, buf_size, - "%s%s%s%s", - tmp_buf1, VERSION, tmp_buf2, tmp_buf3); - } - - if (ret != SNORT_SNPRINTF_SUCCESS) - { - FatalError("%s(%d): SnortSnprintf failed\n", file_name, file_line); - } - } - } - else if(idx->reaction_flag == REACT_WARN) - { - /* count the respond buf size (max TCP_DATA_BUF) */ - buf_size += strlen(tmp_buf4) + strlen(tmp_buf5) + strlen(tmp_buf6) + strlen(VERSION); + if ( !fd ) + FatalError("react: %s(%d) can't open react page file '%s'.\n", + file_name, file_line, sc->react_page); - if(buf_size > TCP_DATA_BUF) - { - FatalError("%s(%d): invalid html response buffer size: %d\n", - file_name, file_line, buf_size); - } - else - { - /* msg included */ - if((idx->html_resp_size == 1) && (buf_size + - strlen(otn->sigInfo.message) < TCP_DATA_BUF)) - { - buf_size += 
strlen(otn->sigInfo.message); - } - - /* create html response buffer */ - idx->html_resp_buf = (u_char *)SnortAlloc(sizeof(char) * buf_size); - - if (idx->html_resp_size == 1) - { - ret = SnortSnprintf((char *)idx->html_resp_buf, buf_size, - "%s%s%s%s%s", - tmp_buf4, VERSION, tmp_buf5, otn->sigInfo.message, tmp_buf6); - } - else - { - ret = SnortSnprintf((char *)idx->html_resp_buf, buf_size, - "%s%s%s%s", - tmp_buf4, VERSION, tmp_buf5, tmp_buf6); - } - - if (ret != SNORT_SNPRINTF_SUCCESS) - { - FatalError("%s(%d): SnortSnprintf failed\n", file_name, file_line); - } - } - } + n = fread(s_page, 1, fs.st_size, fd); + fclose(fd); - /* set the html response buffer size */ - idx->html_resp_size = buf_size; - } + if ( n != (size_t)fs.st_size ) + FatalError("react: %s(%d) can't load react page file '%s'.\n", + file_name, file_line, sc->react_page); - return; + s_page[n] = '\0'; + msg = strstr(s_page, MSG_KEY); + if ( msg ) strncpy(msg, "%s", 2); } +//-------------------------------------------------------------------- - -/**************************************************************************** - * - * Function: React(Packet *p, OptTreeNode *otn_tmp) - * - * Purpose: React to hostile connection attempts according to reaction_flag - * - * Arguments: p => pointer to the current packet - * otn => pointer to the current rule option list node - * - * Returns: Always calls the next function (this one doesn't test the data, - * it just closes the connection...) - * - ***************************************************************************/ -static int React(Packet *p, RspFpList *fp_list) +static void React_Parse(char* data, OptTreeNode* otn, ReactData* rd) { - ReactData *idx; - int i; - PROFILE_VARS; + char* tok = NULL; - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"In React()\n");); - - if(!p->tcph) + if ( data ) { - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"No TCP header ... 
leaving");); - return 1; - } + while(isspace((int)*data)) data++; - PREPROC_PROFILE_START(reactPerfStats); - - idx = (ReactData *)fp_list->params; - - if(idx == NULL) - { - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Nothing to do ... leaving");); - PREPROC_PROFILE_END(reactPerfStats); - return 1; + tok = strtok(data, ","); } - - /* check the reaction flag */ - if(idx->reaction_flag == REACT_BLOCK) + while(tok) { - /* send HTML page buffer to a rude browser user and close the connection */ - /* incoming */ - if((ntohs(p->tcph->th_sport)) == 80 || (ntohs(p->tcph->th_sport)) == idx->proxy_port_nr) + /* parse the react option keywords */ + if ( + !strncasecmp(tok, "proxy", 5) || + !strcasecmp(tok, "block") || + !strcasecmp(tok, "warn") ) { - for(i = 0; i < 5; i++) - { - SendTCP(p->iph->ip_src.s_addr, p->iph->ip_dst.s_addr, - p->tcph->th_sport, p->tcph->th_dport, - p->tcph->th_seq, htonl(ntohl(p->tcph->th_ack) + i), - TH_FIN, idx->html_resp_buf, idx->html_resp_size); - } - for(i = 0; i < 5; i++) + if ( !s_deprecated ) { - SendTCP(p->iph->ip_dst.s_addr, p->iph->ip_src.s_addr, - p->tcph->th_dport, p->tcph->th_sport, - p->tcph->th_ack, htonl(ntohl(p->tcph->th_seq) + i), - TH_RST, idx->html_resp_buf, 0); + ParseWarning("proxy, block, and warn options are deprecated.\n"); + s_deprecated = 1; } } - /* outgoing */ - else if(ntohs(p->tcph->th_dport) == 80 || (ntohs(p->tcph->th_dport)) == idx->proxy_port_nr) + else if ( !strcasecmp(tok, "msg") ) { - for(i = 0; i < 5; i++) - { - SendTCP(p->iph->ip_dst.s_addr, p->iph->ip_src.s_addr, - p->tcph->th_dport, p->tcph->th_sport, - p->tcph->th_ack, htonl(ntohl(p->tcph->th_seq) + i), - TH_FIN, idx->html_resp_buf, idx->html_resp_size); - SendTCP(p->iph->ip_src.s_addr, p->iph->ip_dst.s_addr, - p->tcph->th_sport, p->tcph->th_dport, - p->tcph->th_seq, htonl(ntohl(p->tcph->th_ack) + i), - TH_RST, idx->html_resp_buf, 0); - } + rd->rule_msg = 1; } else - /* reset the connection */ - { - for(i = 0; i < 5; i++) - { - SendTCP(p->iph->ip_dst.s_addr, 
p->iph->ip_src.s_addr, - p->tcph->th_dport, p->tcph->th_sport, - p->tcph->th_ack, htonl(ntohl(p->tcph->th_seq) + i), - TH_RST, idx->html_resp_buf, 0); - SendTCP(p->iph->ip_src.s_addr, p->iph->ip_dst.s_addr, - p->tcph->th_sport, p->tcph->th_dport, - p->tcph->th_seq, htonl(ntohl(p->tcph->th_ack) + i), - TH_RST, idx->html_resp_buf, 0); - } - } - } - else if(idx->reaction_flag == REACT_WARN) - { - /* send HTML warning page buffer to a rude browser user */ - /* incoming */ - if((ntohs(p->tcph->th_sport)) == 80 || (ntohs(p->tcph->th_sport)) == idx->proxy_port_nr) - { - for(i = 0; i < 5; i++) - { - SendTCP(p->iph->ip_src.s_addr, p->iph->ip_dst.s_addr, - p->tcph->th_sport, p->tcph->th_dport, - p->tcph->th_seq, p->tcph->th_ack + i, - TH_URG, idx->html_resp_buf, idx->html_resp_size); - } - } - /* outgoing */ - else if(ntohs(p->tcph->th_dport) == 80 || (ntohs(p->tcph->th_dport)) == idx->proxy_port_nr) - { - for(i = 0; i < 5; i++) - { - SendTCP(p->iph->ip_dst.s_addr, p->iph->ip_src.s_addr, - p->tcph->th_dport, p->tcph->th_sport, - p->tcph->th_ack, p->tcph->th_seq + i, - TH_URG, idx->html_resp_buf, idx->html_resp_size); - } - } - } - PREPROC_PROFILE_END(reactPerfStats); - return 1; -} + FatalError("%s(%d): invalid react option: %s\n", + file_name, file_line, tok); + tok = strtok(NULL, ","); + /* get rid of spaces */ + while ( tok && isspace((int)*tok) ) tok++; + } + rd->resp_buf = NULL; + rd->buf_len = 0; + rd->id = s_id++; +} +//-------------------------------------------------------------------- +// format response buffer -static int SendTCP(u_long saddr, u_long daddr, u_short sport, u_short dport, int seq, - int ack, u_char bits, const u_char *data_buf, int data_size) +static void React_Config (int unused, void* data) { - u_char *buf; - int sz = data_size + IP_H + TCP_H; + ReactData* rd = (ReactData*)data; + size_t body_len, head_len, total_len; + char dummy; - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"In SendTCP()\n");); + const char* head = DEFAULT_HTTP; + const char* body = 
s_page ? s_page : DEFAULT_HTML; - if((buf = malloc(sz)) == NULL) - { - perror("SendTCPRST: malloc"); - return -1; - } + const char* msg = rd->otn->sigInfo.message; + if ( !msg || !rd->rule_msg ) msg = DEFAULT_MSG; - memset(buf, 0, sz); + body_len = snprintf(&dummy, 1, body, msg); + head_len = snprintf(&dummy, 1, head, body_len); + total_len = head_len + body_len + 1; - libnet_build_ip( TCP_H /* Length of packet data */ - , 0xF4 /* IP tos */ - , (u_short) libnet_get_prand(PRu16) /* IP ID */ - , 0 /* Fragmentation flags and offset */ - , 64 /* TTL */ - , IPPROTO_TCP /* Protocol */ - , saddr /* Source IP Address */ - , daddr /* Destination IP Address */ - , NULL /* Pointer to packet data (or NULL) */ - , 0 /* Packet payload size */ - , buf /* Pointer to packet header memory */ - ); - - - libnet_build_tcp( ntohs(sport) /* Source port */ - , ntohs(dport) /* Destination port */ - , ntohl(seq) /* Sequence Number */ - , ntohl(ack) /* Acknowledgement Number */ - , bits /* Control bits */ - , 1024 /* Advertised Window Size */ - , 0 /* Urgent Pointer */ - , data_buf /* Pointer to packet data (or NULL) */ - , data_size /* Packet payload size */ - , buf + IP_H /* Pointer to packet header memory */ - ); - - libnet_do_checksum(buf, IPPROTO_TCP, sz - IP_H); - - if(libnet_write_ip(nd, buf, sz) < sz) - { - libnet_error(LIBNET_ERR_CRITICAL, "SendTCP: libnet_write_ip\n"); - return -1; - } + rd->resp_buf = (char*)SnortAlloc(total_len); - libnet_destroy_packet(&buf); + SnortSnprintf((char*)rd->resp_buf, head_len+1, head, body_len); + SnortSnprintf((char*)rd->resp_buf+head_len, body_len+1, body, msg); - return 0; + // set actual length + rd->resp_buf[total_len-1] = '\0'; + rd->buf_len = strlen(rd->resp_buf); +} + +//-------------------------------------------------------------------- + +static int React_Queue (Packet* p, void* pv) +{ + ReactData* rd = (ReactData*)pv; + PROFILE_VARS; + + PREPROC_PROFILE_START(reactPerfStats); + + if ( Active_IsRSTCandidate(p) ) + 
Active_QueueResponse(React_Send, rd); + Active_DropSession(); + + PREPROC_PROFILE_END(reactPerfStats); + return 0; } -static void ReactCleanup(int signal, void *data) +//-------------------------------------------------------------------- + +static void React_Send (Packet* p, void* pv) { - RawSocket_Close(); + ReactData* rd = (ReactData*)pv; + EncodeFlags df = (p->packet_flags & PKT_FROM_SERVER) ? ENC_FLAG_FWD : 0; + EncodeFlags rf = ENC_FLAG_SEQ | (ENC_FLAG_VAL & rd->buf_len); + PROFILE_VARS; + + PREPROC_PROFILE_START(reactPerfStats); + Active_IgnoreSession(p); + + Active_SendData(p, df, (uint8_t*)rd->resp_buf, rd->buf_len); + Active_SendReset(p, rf); + Active_SendReset(p, ENC_FLAG_FWD); + + PREPROC_PROFILE_END(reactPerfStats); } #endif /* ENABLE_REACT */ diff -Nru snort-2.8.5.2/src/detection-plugins/sp_react.h snort-2.9.2/src/detection-plugins/sp_react.h --- snort-2.8.5.2/src/detection-plugins/sp_react.h 2009-08-10 20:41:44.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_react.h 2011-02-09 23:23:05.000000000 +0000 @@ -1,7 +1,7 @@ /* $Id$ */ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify @@ -30,10 +30,4 @@ int ReactCompare(void *l, void *r); #endif /* ENABLE_REACT */ -#if defined(ENABLE_REACT) || defined(ENABLE_RESPONSE) -extern int nd; /* libnet raw socket descriptor */ -void RawSocket_Open(); -void RawSocket_Close(); -#endif - #endif /* __SP_REACT_H__ */ diff -Nru snort-2.8.5.2/src/detection-plugins/sp_replace.c snort-2.9.2/src/detection-plugins/sp_replace.c --- snort-2.8.5.2/src/detection-plugins/sp_replace.c 2009-07-07 15:37:04.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_replace.c 2011-11-21 20:15:24.000000000 +0000 
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify @@ -28,40 +28,46 @@ #include #endif -#include "bounds.h" -#include "checksum.h" -#include "debug.h" +#include "sf_types.h" +#include "snort_bounds.h" +#include "snort_debug.h" #include "decode.h" -#include "inline.h" #include "parser.h" #include "sp_replace.h" #include "snort.h" +#include "sfdaq.h" -//#define REPLACE_TEST #define MAX_PATTERN_SIZE 2048 extern int lastType; static PatternMatchData* Replace_Parse(char*, OptTreeNode*); -static void Replace_UpdateIP4Checksums(Packet*); -#ifdef SUP_IP6 -static void Replace_UpdateIP6Checksums(Packet*); -#endif void PayloadReplaceInit(char *data, OptTreeNode * otn, int protocol) { + static int warned = 0; PatternMatchData *idx; PatternMatchData *test_idx; -#ifndef REPLACE_TEST - if(!ScInlineMode()) + if( !ScInlineMode() ) return; -#endif + + if ( !DAQ_CanReplace() ) + { + if ( !warned ) + { + LogMessage("WARNING: payload replacements disabled because DAQ " + " can't replace packets.\n"); + warned = 1; + } + return; + } if ( lastType == PLUGIN_PATTERN_MATCH_URI ) { FatalError("%s(%d) => \"replace\" option is not supported " - "with uricontent, nor in conjunction with http_uri, " - "http_header, http_method http_cookie or " - "http_client_body modifiers.\n", + "with uricontent, nor in conjunction with http_uri, " + "http_header, http_method http_cookie," + "http_raw_uri, http_raw_header, or " + "http_raw_cookie modifiers.\n", file_name, file_line); } idx = (PatternMatchData *) otn->ds_list[PLUGIN_PATTERN_MATCH]; 
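Review bot: The two message literals added to PayloadReplaceInit concatenate into broken text: `"WARNING: payload replacements disabled because DAQ " " can't replace packets.\n"` prints with a double space, and `"http_header, http_method http_cookie," "http_raw_uri, http_raw_header, or "` prints as `http_method http_cookie,http_raw_uri` with no space after the comma (the missing comma after http_method predates this change). The fix is only in the literals: `"WARNING: payload replacements disabled because DAQ can't replace packets.\n"` and `"http_header, http_method, http_cookie, " "http_raw_uri, http_raw_header, or "`. This FatalError text is what an operator sees when a rule is rejected, so the modifier list should read cleanly. PayloadReplaceInit's body continues past the end of the hunk.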
@@ -75,12 +81,6 @@ test_idx = Replace_Parse(data, otn); - if (test_idx && test_idx->pattern_size != test_idx->replace_size) - { - FatalError("%s(%d) => The length of the replacement " - "string must be the same length as the content string.\n", - file_name, file_line); - } } static PatternMatchData * Replace_Parse(char *rule, OptTreeNode * otn) @@ -182,28 +182,28 @@ switch(*idx) { case '|': - + DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "Got bar... ");); - + if(!literal) { - + DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "not in literal mode... ");); - + if(!hexmode) { - DEBUG_WRAP(DebugMessage(DEBUG_PARSER, + DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "Entering hexmode\n");); hexmode = 1; } else { - - DEBUG_WRAP(DebugMessage(DEBUG_PARSER, + + DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "Exiting hexmode\n");); - + hexmode = 0; pending = 0; } @@ -214,7 +214,7 @@ else { - DEBUG_WRAP(DebugMessage(DEBUG_PARSER, + DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "literal set, Clearing\n");); literal = 0; @@ -225,21 +225,21 @@ break; case '\\': - + DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "Got literal char... ");); if(!literal) { - DEBUG_WRAP(DebugMessage(DEBUG_PARSER, + DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "Setting literal\n");); - + literal = 1; } else { - DEBUG_WRAP(DebugMessage(DEBUG_PARSER, + DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "Clearing literal\n");); - + tmp_buf[dummy_size] = start_ptr[cnt]; literal = 0; dummy_size++; @@ -317,10 +317,10 @@ { tmp_buf[dummy_size] = start_ptr[cnt]; dummy_size++; - - DEBUG_WRAP(DebugMessage(DEBUG_PARSER, + + DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "Clearing literal\n");); - + literal = 0; } else @@ -365,7 +365,7 @@ file_name, file_line); } - ret = SafeMemcpy(ds_idx->replace_buf, tmp_buf, dummy_size, + ret = SafeMemcpy(ds_idx->replace_buf, tmp_buf, dummy_size, ds_idx->replace_buf, (ds_idx->replace_buf+dummy_size)); if (ret == SAFEMEM_ERROR) 
@@ -375,7 +375,7 @@ ds_idx->replace_size = dummy_size; - DEBUG_WRAP(DebugMessage(DEBUG_PARSER, + DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "ds_idx (%p) replace_size(%d) replace_buf(%s)\n", ds_idx, ds_idx->replace_size, ds_idx->replace_buf);); @@ -411,22 +411,26 @@ r->depth = pmd->replace_depth; } -static INLINE void Replace_ApplyChange(Packet *p, Replacement* r) +static inline void Replace_ApplyChange(Packet *p, Replacement* r) { - int err = SafeMemcpy( + int err; + int rsize; + + if( (p->data + r->depth + r->size) >= (p->data + p->dsize)) + rsize = (p->dsize - r->depth); + else + rsize = r->size; + + err = SafeMemcpy( (void *)(p->data + r->depth), r->data, - r->size, p->data, (p->data + p->dsize) ); + rsize, p->data, (p->data + p->dsize) ); if ( err == SAFEMEM_ERROR ) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Replace_Apply() => SafeMemcpy() failed\n");); return; } - -#ifdef REPLACE_TEST - printf("replaced: %s\n", r->data); -#endif } void Replace_ModifyPacket(Packet *p) 
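Review bot: The clamp added to Replace_ApplyChange computes `rsize = (p->dsize - r->depth)` without first checking that `r->depth` lies within the payload, so a depth larger than `p->dsize` (whether that can reach this function is not decidable from the hunk) yields a negative `rsize` that is handed to SafeMemcpy as a length, and whether SafeMemcpy rejects it depends on its signature and checks, which are not visible here. The guard also forms `p->data + r->depth + r->size`, a pointer that may lie beyond the end of the payload, which C leaves undefined; comparing offsets avoids both problems: `if ( r->depth < 0 || r->depth > p->dsize ) return;` followed by `rsize = ( r->depth + r->size > p->dsize ) ? (p->dsize - r->depth) : r->size;`. Because the earlier `@@ -75,12 +81,6 @@` hunk drops the check that replacement and content lengths are equal, a replacement longer than the match now overwrites bytes past the match up to the payload end, so a comment such as `/* replacement may exceed the match; clamp to the payload end */` would record that this is intended. The enclosing function is fully inside the hunk, but the declared types of `depth`, `size` and `dsize` are not, so the signed/unsigned mix in these comparisons should be checked against their declarations.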
@@ -440,140 +444,7 @@ { Replace_ApplyChange(p, rpl+n); } + p->packet_flags |= PKT_MODIFIED; num_rpl = 0; - - if(IS_IP4(p)) - { - Replace_UpdateIP4Checksums(p); - } -#ifdef SUP_IP6 - else - { - Replace_UpdateIP6Checksums(p); - } -#endif - -#ifdef GIDS - InlineReplace(); -#endif -} - -static void Replace_UpdateIP4Checksums(Packet* p) -{ - struct pseudoheader - { - uint32_t sip, dip; - uint8_t zero; - uint8_t protocol; - uint16_t len; - }; - - struct pseudoheader ph; - unsigned int ip_len; - unsigned int hlen; - -#ifdef SUP_IP6 - sfip_t *tmp; - - p->ip4h->ip_csum=0; - hlen = GET_IPH_HLEN(p) << 2; - ip_len=ntohs(p->ip4h->ip_len); - ip_len -= hlen; - p->ip4h->ip_csum = in_chksum_ip((u_short *)p->iph, hlen); - - tmp = GET_SRC_IP(p); - ph.sip = tmp->ip32[0]; - tmp = GET_DST_IP(p); - ph.dip = tmp->ip32[0]; -#else - /* calculate new checksum */ - ((IPHdr *)p->iph)->ip_csum=0; - hlen = IP_HLEN(p->iph) << 2; - ip_len=ntohs(p->iph->ip_len); - ip_len -= hlen; - ((IPHdr *)p->iph)->ip_csum = in_chksum_ip((u_short *)p->iph, hlen); - ph.sip = (uint32_t)(p->iph->ip_src.s_addr); - ph.dip = (uint32_t)(p->iph->ip_dst.s_addr); -#endif - - if (p->tcph) - { - ((TCPHdr *)p->tcph)->th_sum = 0; - ph.zero = 0; - ph.protocol = GET_IPH_PROTO(p); - ph.len = htons((u_short)ip_len); - ((TCPHdr *)p->tcph)->th_sum = - in_chksum_tcp((u_short *)&ph, (u_short *)(p->tcph), ip_len); - } - else if (p->udph) - { - ((UDPHdr *)p->udph)->uh_chk = 0; - ph.zero = 0; - ph.protocol = GET_IPH_PROTO(p); - ph.len = htons((u_short)ip_len); - ((UDPHdr *)p->udph)->uh_chk = - in_chksum_udp((u_short *)&ph, (u_short *)(p->udph), ip_len); - } - else if (p->icmph) - { - ((ICMPHdr *)p->icmph)->csum = 0; - ph.zero = 0; - ph.protocol = GET_IPH_PROTO(p); - ph.len = htons((u_short)ip_len); - ((ICMPHdr *)p->icmph)->csum = - in_chksum_icmp((uint16_t *)(p->icmph), ip_len); - } } -#ifdef SUP_IP6 -static void Replace_UpdateIP6Checksums(Packet* p) -{ - struct pseudoheader6 - { - struct in6_addr sip, dip; - uint8_t zero; - uint8_t 
protocol; - uint16_t len; - }; - struct pseudoheader6 ph6; - unsigned int ip_len; - unsigned int hlen; - sfip_t *tmp; - - hlen = GET_IPH_HLEN(p) << 2; - ip_len=ntohs(p->ip6h->len); - ip_len -= hlen; - - tmp = GET_SRC_IP(p); - memcpy(&ph6.sip, tmp->ip8, sizeof(struct in6_addr)); - tmp = GET_DST_IP(p); - memcpy(&ph6.dip, tmp->ip8, sizeof(struct in6_addr)); - - ph6.zero = 0; - ph6.protocol = GET_IPH_PROTO(p); - ph6.len = htons((u_short)ip_len); - - if (p->tcph) - { - ph6.protocol = IPPROTO_TCP; - ((TCPHdr *)p->tcph)->th_sum = 0; - ((TCPHdr *)p->tcph)->th_sum = - in_chksum_tcp6((u_short *)&ph6, (u_short *)(p->tcph), ip_len); - } - else if (p->udph) - { - ph6.protocol = IPPROTO_UDP; - ((UDPHdr *)p->udph)->uh_chk = 0; - ((UDPHdr *)p->udph)->uh_chk = - in_chksum_udp6((u_short *)&ph6, (u_short *)(p->udph), ip_len); - } - else if (p->icmph) - { - ph6.protocol = IPPROTO_ICMP; - ((ICMPHdr *)p->icmph)->csum = 0; - ((ICMPHdr *)p->icmph)->csum = - in_chksum_icmp6((uint16_t *)(p->icmph), ip_len); - } -} -#endif - diff -Nru snort-2.8.5.2/src/detection-plugins/sp_replace.h snort-2.9.2/src/detection-plugins/sp_replace.h --- snort-2.8.5.2/src/detection-plugins/sp_replace.h 2009-07-07 15:37:04.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_replace.h 2011-06-08 00:33:10.000000000 +0000 @@ -1,7 +1,7 @@ /* $Id$ */ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify 
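Review bot: In Replace_ModifyPacket the new `p->packet_flags |= PKT_MODIFIED;` is set unconditionally after the loop, even when every Replace_ApplyChange call returned early on SAFEMEM_ERROR or, if the loop bound is `num_rpl`, when nothing was queued, so a packet whose bytes were never touched can be marked modified. With the in-tree IPv4/IPv6 checksum recalculation removed, correctness now rests on whatever consumes PKT_MODIFIED recomputing the IP and transport checksums, which this diff does not show; a comment at the flag such as `/* checksums are no longer fixed up here; the consumer of PKT_MODIFIED must recompute them */` would make that dependency explicit. Having Replace_ApplyChange report whether its copy succeeded, and setting the flag only when at least one change landed, would avoid flagging untouched packets. The start of Replace_ModifyPacket, including the loop header, lies outside the hunk.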
@@ -31,17 +31,17 @@ extern void Replace_QueueChange(PatternMatchData*); extern void Replace_ModifyPacket(Packet*); -static INLINE void Replace_ResetOffset(PatternMatchData* pmd) +static inline void Replace_ResetOffset(PatternMatchData* pmd) { pmd->replace_depth = -1; } -static INLINE void Replace_StoreOffset(PatternMatchData* pmd, int detect_depth) +static inline void Replace_StoreOffset(PatternMatchData* pmd, int detect_depth) { pmd->replace_depth = detect_depth; } -static INLINE int Replace_OffsetStored(PatternMatchData* pmd) +static inline int Replace_OffsetStored(PatternMatchData* pmd) { return pmd->replace_depth >= 0; } diff -Nru snort-2.8.5.2/src/detection-plugins/sp_respond2.c snort-2.9.2/src/detection-plugins/sp_respond2.c --- snort-2.8.5.2/src/detection-plugins/sp_respond2.c 2009-08-10 20:41:45.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_respond2.c 1970-01-01 00:00:00.000000000 +0000 
@@ -1,1347 +0,0 @@ -/* $Id$ */ -/* -** Copyright (C) 2002-2004 Jeff Nathan -** Copyright (C) 1998-2002 Martin Roesch -** Copyright (C) 1999,2000,2001 Christian Lademann -** -** This program is free software; you can redistribute it and/or modify -** it under the terms of the GNU General Public License Version 2 as -** published by the Free Software Foundation. You may not use, modify or -** distribute this program under any other version of the GNU General -** Public License. -** -** This program is distributed in the hope that it will be useful, -** but WITHOUT ANY WARRANTY; without even the implied warranty of -** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -** GNU General Public License for more details. -** -** You should have received a copy of the GNU General Public License -** along with this program; if not, write to the Free Software -** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -*/ - -/* Snort sp_respond2 Detection Plugin - * by Jeff Nathan - * Version 1.0.2 - * - * Purpose: - * - * Perform active response on packets matching conditions specified - * in Snort rules. - * - * - * Arguments: - * - * To enable link-layer response, specify the following in snort.conf - * config flexresp2_interface: - * - * To configure the number of TCP response attempts, specify the following in - * snort.conf (the maximum is 20) - * config flexresp2_attempts: - * - * To configure the response cache memcap, specify the following in snort.conf - * config flexresp2_memcap: - * - * To configure the number of rows in the response cache , specify the - * following in snort.conf - * config flexresp2_rows: - * - * Effect: - * - * Shutdown hostile network connections by falsifying TCP resets or ICMP - * unreachable packets - * - * - * Acknowledgements: - * - * Improvements inspired by Dug Song's tcpkill. Thanks Dug. 
- * - * - * Comments: - * - * sp_respond2 uses libdnet rather than libnet and supports link-layer - * injection so you can specify the network interface responses will be sent - * from (and bypass the kernel routing table). This allows multi-homed - * systems to use Snort's flexible response system (sp_respond was broken in - * this regard). - * - * Resetting TCP connections with a passive NIDS is depends on speed, - * and prediction. sp_respond2 attempts to brute force active response by - * trying to predict changes in the sequence number and ack number of - * an active connection while trying to shut it down. - * - * Finally, - * sp_respond2 does NOT utilize TCP flags to determine whether or not - * a packet should be considered valid. This is primarily due to - * inconsistencies in establishing TCP connections. Reference: - * http://www.securityfocus.com/archive/1/296122/2002-10-19/2002-10-25/2 - * - * - * Bugs: - * - * All software has bugs. When you find a bug read the BUGS document - * in the doc directory of the Snort source distribution for instructions - * on submitting a bug report. 
- * - * Enjoy, - * - * -Jeff - */ - -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - -#ifdef ENABLE_RESPONSE2 - -#include - -#include "decode.h" -#include "rules.h" -#include "plugbase.h" -#include "parser.h" -#include "debug.h" -#include "util.h" -#include "log.h" -#include "mstring.h" -#include "plugin_enum.h" -#include "snort.h" -#include "checksum.h" -#include "bounds.h" -#include "sfxhash.h" -#include "sp_respond.h" - -#define IPIDCOUNT 8192 /* number of randomly generated IP IDs */ -#define CACHETIME 2 /* dampening interval */ -#define MODNAME "sp_respond2" /* plugin name */ -#define DEFAULT_ROWS 1024 -#define DEFAULT_MEMCAP (1024 * 1024) - -#include "snort.h" -#include "profiler.h" -#ifdef PERF_PROFILING -PreprocStats respond2PerfStats; -extern PreprocStats ruleOTNEvalPerfStats; -#endif - -#include "sfhashfcn.h" -#include "detection_options.h" - -typedef struct _RespondData -{ - u_int response_flag; -} RespondData; - -/* response cache data structure */ -typedef struct _RESPKEY -{ - uint32_t sip; /* source IP */ - uint32_t dip; /* dest IP */ - uint16_t sport; /* source port/ICMP type */ - uint16_t dport; /* dest port/ICMP code */ - uint8_t proto; /* IP protocol */ - uint8_t _pad[3]; /* empty bits for word alignment */ -} RESPKEY; - -typedef struct _RESPOND2_CONFIG -{ - int rows; /* response cache size (in rows) */ - int memcap; /* response cache memcap */ - uint8_t respond_attempts; /* respond attempts per trigger */ - ip_t *rawdev; /* dnet(3) raw IP handle */ - eth_t *ethdev; /* dnet(3) ethernet device handle */ - rand_t *randh; /* dnet(3) rand handle */ -} RESPOND2_CONFIG; - - -extern SnortConfig *snort_conf_for_parsing; - -static void *ip_id_pool = NULL; /* random IP ID buffer */ -static uint32_t ip_id_iterator; /* consumed IP IDs */ - -static void *tcp_pkt = NULL; /* TCP packet memory placeholder */ -static void *icmp_pkt = NULL; /* ICMP packet memory placeholder */ - -static uint8_t link_offset; /* offset from L2 to L3 header */ -static uint8_t 
alignment; /* force alignment ?? */ - -SFXHASH *respcache = NULL; /* cache responses to prevent loops */ -static RESPKEY response; - -static RESPOND2_CONFIG *resp2_config = NULL; - - -/* API functions */ -static void RespondInit(char *data, OptTreeNode *otn, int protocol); -static void RespondCleanup(int signal, void *data); -static int ParseResponse2(char *type); - -/* CORE respond2 functions */ -static int Respond(Packet *p, RspFpList *fp_list); -static INLINE void SendReset(const int mode, Packet *p, RESPOND2_CONFIG *conf); -static INLINE void SendUnreach(const int code, Packet *p, - RESPOND2_CONFIG *conf); -static INLINE int IsRSTCandidate(Packet *p); -static INLINE int IsUNRCandidate(Packet *p); -static INLINE int IsLinkCandidate(Packet *p); -static INLINE uint16_t RandID(RESPOND2_CONFIG *conf); -static INLINE uint8_t CalcOriginalTTL(Packet *p); - -/* UTILITY functions */ -static void PrecacheTCP(void); -static void PrecacheICMP(void); -static void GenRandIPID(RESPOND2_CONFIG *conf); -static void SetLinkInfo(void); -static void SetRespAttempts(RESPOND2_CONFIG *conf); -static void SetRespCacheRows(RESPOND2_CONFIG *conf); -static void SetRespCacheMemcap(RESPOND2_CONFIG *conf); - -/* HASH functions */ -static int respcache_init(SFXHASH **cache, RESPOND2_CONFIG *conf); -static INLINE int dampen_response(Packet *p); -static INLINE int respkey_make(RESPKEY *hashkey, Packet *p); - - -/* ######## API section ######## */ -uint32_t RespondHash(void *d) -{ - uint32_t a,b,c; - RespondData *data = (RespondData *)d; - - a = data->response_flag; - b = RULE_OPTION_TYPE_RESPOND; - c = 0; - - final(a,b,c); - - return c; -} - -int RespondCompare(void *l, void *r) -{ - RespondData *left = (RespondData *)l; - RespondData *right = (RespondData *)r; - - if (!left || !right) - return DETECTION_OPTION_NOT_EQUAL; - - if (left->response_flag == right->response_flag) - { - return DETECTION_OPTION_EQUAL; - } - - return DETECTION_OPTION_NOT_EQUAL; -} - -/** - * Initialize respond2 plugin - 
* - * @return void function - */ -void SetupRespond(void) -{ - RegisterRuleOption("resp", RespondInit, NULL, OPT_TYPE_ACTION); -#ifdef PERF_PROFILING - RegisterPreprocessorProfile("resp2", &respond2PerfStats, 3, &ruleOTNEvalPerfStats); -#endif -} - - -/** - * Respond initialization function - * - * @param data argument passed to the resp keyword - * @param otn pointer to an OptTreeNode structure - * @param protocol Snort rule protocol (IP/TCP/UDP) - * - * @return void function - */ -static void RespondInit(char *data, OptTreeNode *otn, int protocol) -{ - RespondData *rd = NULL; - void *idx_dup; - - if (!(protocol & (IPPROTO_ICMP | IPPROTO_TCP | IPPROTO_UDP))) - FatalError("%s: %s(%d): Can't respond to IP protocol rules.\n", - MODNAME, file_name, file_line); - - rd = (RespondData *)SnortAlloc(sizeof(RespondData)); - - /* XXX XXX */ - if (resp2_config == NULL) - { - resp2_config = (RESPOND2_CONFIG *)SnortAlloc(sizeof(RESPOND2_CONFIG)); - SnortConfig *sc = snort_conf_for_parsing; - - if (sc == NULL) - { - FatalError("%s(%d) Snort config for parsing is NULL.\n", - __FILE__, __LINE__); - } - - GenRandIPID(resp2_config); /* generate random IP ID cache */ - SetLinkInfo(); /* setup link-layer pointer arithmetic info */ - SetRespAttempts(resp2_config); /* configure # of TCP attempts */ - SetRespCacheRows(resp2_config); /* configure # of rows in cache */ - SetRespCacheMemcap(resp2_config); /* configure response cache memcap */ - - if ((respcache_init(&respcache, resp2_config)) != 0) - FatalError("%s: Unable to allocate hash table memory.\n", MODNAME); - - /* Open raw socket or network device before Snort drops privileges */ - if (link_offset) - { - if (resp2_config->ethdev == NULL) /* open link-layer device */ - { - if ((resp2_config->ethdev = eth_open(sc->respond2_ethdev)) == NULL) - { - FatalError("%s: Unable to open link-layer device: %s.\n", - MODNAME, sc->respond2_ethdev); - } - } - - DEBUG_WRAP( - DebugMessage(DEBUG_PLUGIN, "%s: using link-layer " - "injection on 
interface %s\n", MODNAME, - sc->respond2_ethdev); - DebugMessage(DEBUG_PLUGIN, "%s: link_offset = %d\n", - MODNAME, link_offset); - - ); - } - else - { - if (resp2_config->rawdev == NULL) /* open raw device if necessary */ - { - if ((resp2_config->rawdev = ip_open()) == NULL) - FatalError("%s: Unable to open raw socket.\n", - MODNAME); - } - } - - DEBUG_WRAP( - DebugMessage(DEBUG_PLUGIN, "%s: respond_attempts = %d\n", - MODNAME, resp2_config->respond_attempts); - DebugMessage(DEBUG_PLUGIN, "Plugin: Respond is setup\n"); - ); - - AddFuncToCleanExitList(RespondCleanup, NULL); - AddFuncToRestartList(RespondCleanup, NULL); - } - - rd->response_flag = ParseResponse2(data); - - if (add_detection_option(RULE_OPTION_TYPE_RESPOND, (void *)rd, &idx_dup) == DETECTION_OPTION_EQUAL) - { - free(rd); - rd = idx_dup; - } - - AddRspFuncToList(Respond, otn, (void *)rd); - /* Restart and CleanExit function are identical */ -} - -void RespondFree (void* d) -{ - free(d); -} - -/** - * respond2 signal handler - * re-initializes packet memory and close device handles - * - * @param data pointer to a RESPOND2_CONFIG data structure - * - * @return void function - */ -static void RespondCleanup(int signal, void *data) -{ - if (resp2_config != NULL) - { - /* device and raw IP handles */ - if (resp2_config->rawdev != NULL) - resp2_config->rawdev = ip_close(resp2_config->rawdev); - - if (resp2_config->ethdev != NULL) - resp2_config->ethdev = eth_close(resp2_config->ethdev); - - if (resp2_config->randh != NULL) - resp2_config->randh = rand_close(resp2_config->randh); - - free(resp2_config); - resp2_config = NULL; - } - - /* free packet memory */ - if (tcp_pkt != NULL) - { - tcp_pkt -= alignment; - free(tcp_pkt); - tcp_pkt = NULL; - } - - if (icmp_pkt != NULL) - { - icmp_pkt -= alignment; - free(icmp_pkt); - icmp_pkt = NULL; - } - - /* free IP ID pool and close random handle */ - if (ip_id_pool != NULL) - { - free(ip_id_pool); - ip_id_pool = NULL; - /* reset iterator */ - ip_id_iterator = 0; - } 
- - /* destroy the response dampening hash table */ - if (respcache != NULL) - { - sfxhash_delete(respcache); - respcache = NULL; - } -} - - -/** - * Determine how to handle hostile connection attempts - * - * @param type string of comma-separated response modifiers - * - * @return integer describing the type of response action on a matching packet - */ -static int ParseResponse2(char *type) -{ - char **toks; - int response_flag = 0; - int num_toks; - static int make_tcp = 0; - static int make_icmp = 0; - int i; - - while (isspace((int) *type)) - type++; - - if (!type || !(*type)) - return 0; - - toks = mSplit(type, ",", 6, &num_toks, 0); - - if (num_toks < 1) - FatalError("%s (%d): Bad arguments to respond2: %s.\n", file_name, - file_line, type); - - i = 0; - while (i < num_toks) - { - if (!strcasecmp(toks[i], "reset_source")) - { - response_flag |= RESP_RST_SND; - if (!make_tcp) - make_tcp = 1; - i++; - } - else if (!strcasecmp(toks[i], "reset_dest")) - { - response_flag |= RESP_RST_RCV; - if (!make_tcp) - make_tcp = 1; - i++; - } - else if (!strcasecmp(toks[i], "reset_both")) - { - response_flag |= (RESP_RST_RCV | RESP_RST_SND); - if (!make_tcp) - make_tcp = 1; - i++; - } - else if (!strcasecmp(toks[i], "icmp_net")) - { - response_flag |= RESP_BAD_NET; - if (!make_icmp) - make_icmp = 1; - i++; - } - else if (!strcasecmp(toks[i], "icmp_host")) - { - response_flag |= RESP_BAD_HOST; - if (!make_icmp) - make_icmp = 1; - i++; - } - else if (!strcasecmp(toks[i], "icmp_port")) - { - response_flag |= RESP_BAD_PORT; - if (!make_icmp) - make_icmp = 1; - i++; - } - else if (!strcasecmp(toks[i], "icmp_all")) - { - response_flag |= (RESP_BAD_NET | RESP_BAD_HOST | RESP_BAD_PORT); - if (!make_icmp) - make_icmp = 1; - i++; - } - else - FatalError("%s: %s(%d): invalid response modifier: %s\n", - MODNAME, file_name, file_line, toks[i]); - } - - if (make_tcp) - PrecacheTCP(); - - if (make_icmp) - PrecacheICMP(); - - mSplitFree(&toks, num_toks); - - return response_flag; -} - - -/* 
######## CORE respond2 section ######## */ - -/** - * Respond to hostile connection attempts - * - * @param p pointer to a Snort packet structure - * @param fp_list pointer to a response list node - * - * @return void function - */ -static int Respond(Packet *p, RspFpList *fp_list) -{ - RespondData *rd; - PROFILE_VARS; - - rd = (RespondData *)fp_list->params; - - if (p->iph == NULL) - return 0; - - /* check the dampen cache before responding */ - if ((dampen_response(p)) == 1) - return 0; - - PREPROC_PROFILE_START(respond2PerfStats); - - if (rd->response_flag) - { - /* if reset_both was used, receiver is reset first */ - if ((rd->response_flag & (RESP_RST_RCV | RESP_RST_SND)) && - IsRSTCandidate(p)) - { - SendReset(RESP_RST_RCV, p, resp2_config); - SendReset(RESP_RST_SND, p, resp2_config); - } - if ((rd->response_flag & RESP_RST_RCV) && IsRSTCandidate(p)) - SendReset(RESP_RST_RCV, p, resp2_config); - - if ((rd->response_flag & RESP_RST_SND) && IsRSTCandidate(p)) - SendReset(RESP_RST_SND, p, resp2_config); - - if (rd->response_flag & RESP_BAD_NET && IsUNRCandidate(p)) - SendUnreach(ICMP_UNREACH_NET, p, resp2_config); - - if (rd->response_flag & RESP_BAD_HOST && IsUNRCandidate(p)) - SendUnreach(ICMP_UNREACH_HOST, p, resp2_config); - - if (rd->response_flag & RESP_BAD_PORT && IsUNRCandidate(p)) - SendUnreach(ICMP_UNREACH_PORT, p, resp2_config); - } - PREPROC_PROFILE_END(respond2PerfStats); - return 1; /* injection functions do not return an error */ -} - - -/** - * TCP reset response function - * - * @param flag flag describing whom to respond to (sender/receiver) - * @param p Pointer to a Snort packet structure - * @param data pointer to a RESPOND2_CONFIG data structure - * - * @return void function - */ -static void SendReset(const int mode, Packet *p, RESPOND2_CONFIG *conf) -{ - size_t sz = IP_HDR_LEN + TCP_HDR_LEN; - ssize_t n; - int reversed; - uint32_t i, ack, seq; - uint16_t window, dsize; - EtherHdr *eh; - IPHdr *iph; - TCPHdr *tcp; -#if defined(DEBUG) - char 
*source, *dest; -#endif - - if(IS_IP6(p)) return; - - if (mode == RESP_RST_SND) - reversed = 1; - else - reversed = 0; - - iph = (IPHdr *)(tcp_pkt + link_offset); - tcp = (TCPHdr *)(tcp_pkt + IP_HDR_LEN + link_offset); - - if (link_offset) - { - if (!IsLinkCandidate(p)) - { - ErrorMessage("%s: link-layer response only works on Ethernet!\n" - "Remove \"config flexresp2_interface\" from snort.conf.\n", - MODNAME); - return; - } - else - { - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "%s: setting up link-layer " - "header on TCP packet: %p.\n.", MODNAME, p);); - - /* setup the Ethernet header */ - eh = (EtherHdr *)tcp_pkt; - if (reversed) - { - memcpy(eh->ether_src, p->eh->ether_dst, 6); - memcpy(eh->ether_dst, p->eh->ether_src, 6); - } - else - { - memcpy(eh->ether_src, p->eh->ether_src, 6); - memcpy(eh->ether_dst, p->eh->ether_dst, 6); - } - } - } - - /* save p->dsize */ - dsize = p->dsize; - - /* Reverse the source and destination IP addr for attack-response rules */ - if (reversed) - { -#ifdef SUP_IP6 - memcpy(&iph->ip_src.s_addr, &(GET_DST_IP(p))->ip32[0], 4); - memcpy(&iph->ip_dst.s_addr, &(GET_SRC_IP(p))->ip32[0], 4); -#else - iph->ip_src.s_addr = GET_DST_IP(p); - iph->ip_dst.s_addr = GET_SRC_IP(p); -#endif - - tcp->th_sport = p->tcph->th_dport; - tcp->th_dport = p->tcph->th_sport; - seq = ntohl(p->tcph->th_ack); - ack = ntohl(p->tcph->th_seq) + p->dsize; - } - else - { -#ifdef SUP_IP6 - memcpy(&iph->ip_src.s_addr, &(GET_SRC_IP(p))->ip32[0], 4); - memcpy(&iph->ip_dst.s_addr, &(GET_DST_IP(p))->ip32[0], 4); -#else - iph->ip_src.s_addr = GET_SRC_IP(p); - iph->ip_dst.s_addr = GET_DST_IP(p); -#endif - - tcp->th_sport = p->tcph->th_sport; - tcp->th_dport = p->tcph->th_dport; - seq = ntohl(p->tcph->th_seq); - ack = ntohl(p->tcph->th_ack) + p->dsize; - } - iph->ip_ttl = CalcOriginalTTL(p); - tcp->th_win = 0; - - /* save the window size for all calculations */ - window = ntohs(p->tcph->th_win); - - for (i = 0; i < conf->respond_attempts; i++) - { - if (link_offset) - 
iph->ip_id = RandID(resp2_config); - - /* As Dug Song pointed out, if you can't determine the rate of - * SEQ and ACK number consumption, do the next best thing and try to - * "land" a reset within the acceptable window of sequence numbers. - * - * sp_respond2 uses data sent in the offending packet and the window - * size of the offending packet to 'predict' an acceptable SEQ and - * ACK number. - * - * A minimum of four responses are sent per trigger using the - * following algorithm: - * - * (the numbers represent iterations through a loop starting at 0) - * - * 0: - * SEQ = seq - * ACK = ack + data - * - * 1: - * SEQ += data - * - * 2: - * SEQ += (data * 2) - * ACK += (data * 2) - * - * 3: - * SEQ += (data * 2) - * ACK += (data * 2) - * - * 4: - * SEQ += (data * 4) - * ACK += (data * 4) - * - * n: - * - * SEQ += (window / 2) - * ACK += (window / 2) - * - * - * I refer to the above as "sequence strafing", whereby sp_respond2 - * iteratively brute forces sequence and ack numbers into an - * acceptable window - */ - switch (i) - { - case 0: - break; - case 1: - seq += dsize; - break; - case 2: - seq += (dsize << 1); - ack += (dsize << 1); - break; - case 3: - seq += (dsize << 1); - ack += (dsize << 1); - break; - case 4: - seq += (dsize << 2); - ack += (dsize << 2); - break; - default: - seq += (window >> 1); - ack += (window >> 1); - break; - } - - tcp->th_seq = htonl(seq); - tcp->th_ack = htonl(ack); - - iph->ip_len = htons(sz); - ip_checksum(tcp_pkt + link_offset, sz); - -#if defined(DEBUG) - DEBUG_WRAP( -#ifndef SUP_IP6 - source = strdup(inet_ntoa(*(struct in_addr *)&iph->ip_src.s_addr)); - dest = strdup(inet_ntoa(*(struct in_addr *)&iph->ip_dst.s_addr)); -#else - source = ""; - dest = ""; -#endif - DebugMessage(DEBUG_PLUGIN, "%s: firing TCP response packet.\n", - MODNAME); - DebugMessage(DEBUG_PLUGIN, "%s:%u -> %s:%d\n(seq: %#lX " - "ack: %#lX win: %hu)\n\n", source, - ntohs(tcp->th_sport), dest, ntohs(tcp->th_dport), - ntohl(tcp->th_seq), ntohl(tcp->th_ack), 
- ntohs(tcp->th_win)); - - PrintNetData(stdout, (u_char *)tcp_pkt, sz); - //ClearDumpBuf(); - free(source); - free(dest); - ); -#endif /* defined(DEBUG) */ - - if (link_offset) - n = eth_send(conf->ethdev, tcp_pkt, sz + link_offset); - else - n = ip_send(conf->rawdev, tcp_pkt, sz); - - if (n < sz) - ErrorMessage("%s: failed to send TCP reset (%s).\n", MODNAME, - ((link_offset == 0) ? "raw socket" : "link-layer")); - } - return; -} - - -/** - * ICMP unreachable response function - * - * @param code ICMP unreachable type - * @param p Pointer to a Snort packet structure - * @param data pointer to a RESPOND2_CONFIG data structure - * - * @return void function - */ -static void SendUnreach(const int code, Packet *p, RESPOND2_CONFIG *conf) -{ - uint16_t payload_len; - size_t sz; - ssize_t n; - EtherHdr *eh; - IPHdr *iph; - ICMPHdr *icmph; -#if defined(DEBUG) - char *source, *dest, *icmp_rtype; -#endif - - if(IS_IP6(p)) return; - - /* only send ICMP port unreachable responses for TCP and UDP */ - if (GET_IPH_PROTO(p) == IPPROTO_ICMP && code == ICMP_UNREACH_PORT) - { - ErrorMessage("%s: ignoring icmp_port set on ICMP packet.\n", MODNAME); - return; - } - - iph = (IPHdr *)(icmp_pkt + link_offset); - icmph = (ICMPHdr *)(icmp_pkt + IP_HDR_LEN + link_offset); - -#ifdef SUP_IP6 - memcpy(&iph->ip_src.s_addr, &(GET_DST_IP(p))->ip32[0], 4); - memcpy(&iph->ip_dst.s_addr, &(GET_SRC_IP(p))->ip32[0], 4); -#else - iph->ip_src.s_addr = GET_DST_IP(p); - iph->ip_dst.s_addr = GET_SRC_IP(p); -#endif - iph->ip_ttl = CalcOriginalTTL(p); - - icmph->code = code; - - if (link_offset) - { - if (!IsLinkCandidate(p)) - { - ErrorMessage("%s: link-layer response only works on Ethernet!\n" - "Remove \"config flexresp2_interface\" from snort.conf.\n", - MODNAME); - return; - } - else - { - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "%s: setting up link-layer " - "header on ICMP packet: %p.\n.", MODNAME, p);); - - /* setup the Ethernet header */ - eh = (EtherHdr *)icmp_pkt; - memcpy(eh->ether_src, 
p->eh->ether_dst, 6); - memcpy(eh->ether_dst, p->eh->ether_src, 6); - - /* With a raw socket, the kernel automatically sets the IP ID when - * it's 0. With link-layer injection, an IP ID must be specified. - * A randomly generated IP ID is used here to evade fingerprinting. - */ - iph->ip_id = RandID(resp2_config); - } - } - - if ((payload_len = ntohs(GET_IPH_LEN(p)) - (GET_IPH_HLEN(p) << 2)) > 8) - payload_len = 8; - - memcpy((char *)icmph + ICMP_LEN_MIN, p->iph, (IP_HLEN(p->iph) << 2) - + payload_len); - - sz = IP_HDR_LEN + ICMP_LEN_MIN + (IP_HLEN(p->iph) << 2) + payload_len; - - iph->ip_len = htons(sz); - ip_checksum(icmp_pkt + link_offset, sz); - sz += link_offset; - -#ifdef DEBUG - DEBUG_WRAP( -#ifdef SUP_IP6 - source = strdup(sfip_ntoa(iph->ip_src.s_addr)); - dest = strdup(sfip_ntoa(iph->ip_dst.s_addr)); -#else - source = strdup(inet_ntoa(*(struct in_addr *)&iph->ip_src.s_addr)); - dest = strdup(inet_ntoa(*(struct in_addr *)&iph->ip_dst.s_addr)); -#endif - switch (code) - { - case RESP_BAD_NET: - icmp_rtype = "ICMP network unreachable"; - break; - case RESP_BAD_HOST: - icmp_rtype = "ICMP host unreachable"; - break; - case RESP_BAD_PORT: /* FALLTHROUGH */ - default: - icmp_rtype = "ICMP port unreachable"; - break; - } - DebugMessage(DEBUG_PLUGIN, "%s: firing ICMP response packet.\n", - MODNAME); - DebugMessage(DEBUG_PLUGIN, "%s -> %s (%s)\n\n", source, dest, - icmp_rtype); - PrintNetData(stdout, (u_char *)icmp_pkt, (const int)sz); - //ClearDumpBuf(); - free(source); - free(dest); - ); -#endif /* DEBUG */ - - if (link_offset) - n = eth_send(conf->ethdev, icmp_pkt, sz); - else - n = ip_send(conf->rawdev, icmp_pkt, sz); - - if (n < sz) - ErrorMessage("%s: failed to send ICMP unreachable (%s).\n", MODNAME, - ((link_offset == 0) ? 
"raw socket" : "link-layer")); - return; -} - - -/** - * Determine whether or not a TCP RST response can be sent - * - * @param p pointer to a Snort packet structure - * - * @return 1 on success, 0 on failure - */ -static INLINE int IsRSTCandidate(Packet *p) -{ - if (p->tcph != NULL) - { - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "%s: got RST candidate\n", - MODNAME);); - return 1; - } - return 0; -} - - -/** - * Determine whether or not an ICMP Unreach response can be sent - * - * @param p pointer to a Snort packet structure - * - * @return 1 on success, 0 on failure - */ -static INLINE int IsUNRCandidate(Packet *p) -{ - if ((p->icmph == NULL) || (p->icmph->type == ICMP_ECHO) || - (p->icmph->type == ICMP_TIMESTAMP) || - (p->icmph->type == ICMP_INFO_REQUEST) || - (p->icmph->type == ICMP_ADDRESS)) - { - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "%s: got Unreach candidate\n", - MODNAME);); - return 1; - } - return 0; -} - - -/** - * Determine if frame is IP encapsulated Ethernet - * - * @param p pointer to a Snort packet structure - * - * @return 1 on success, 0 on failure - */ -static INLINE int IsLinkCandidate(Packet *p) -{ - if (p->eh != NULL && ntohs(p->eh->ether_type) == ETHERNET_TYPE_IP) - { - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "%s: got Link candidate\n", - MODNAME);); - return 1; - } - return 0; -} - - -/** - * Generate a pool of random IP IDs at start-up. 
- * - * @param data pointer to a RESPOND2_CONFIG data structure - * - * @return random IP ID - */ -static INLINE uint16_t RandID(RESPOND2_CONFIG *conf) -{ - if (ip_id_iterator >= (IPIDCOUNT - 1)) - { - rand_add(conf->randh, ip_id_pool, sizeof(uint16_t) * IPIDCOUNT); - ip_id_iterator = 0; - } - return *(uint16_t *)(ip_id_pool + ip_id_iterator++); -} - - -/** - * Calculate original IP TTL - * - * @param p pointer to a Snort packet structure - * - * @return calculated original TTL - */ -static INLINE uint8_t CalcOriginalTTL(Packet *p) -{ - switch (p->iph->ip_ttl / 64) - { - case 3: - return 255; - case 2: - return 192; - case 1: - return 128; - default: - return 64; - } -} - - -/* ######## UTILITY section ######## */ - -/** - * Pre-cache TCP RST packet memory to improve response speed - * - * @return void function - */ -static void PrecacheTCP(void) -{ - EtherHdr *eth; - IPHdr *iph; - TCPHdr *tcp; - int sz; - - if (tcp_pkt == NULL) - { - /* allocates memory for the Ethernet header only when necessary */ - sz = alignment + link_offset + IP_HDR_LEN + TCP_HDR_LEN; - - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "%s: allocating %d bytes in " - "PrecacheTCP().\n", MODNAME, sz);); - - tcp_pkt = SnortAlloc(sz); - - /* force alignment */ - tcp_pkt += alignment; - - if (link_offset) - { - eth = (EtherHdr *)tcp_pkt; - eth->ether_type = htons(ETH_TYPE_IP); - } - - /* points to the start of the IP header */ - iph = (IPHdr *)(tcp_pkt + link_offset); - SET_IP_VER(iph, 4); - SET_IP_HLEN(iph, (IP_HDR_LEN >> 2)); - iph->ip_proto = IPPROTO_TCP; - - /* points to the start of the TCP header */ - tcp = (TCPHdr *)(tcp_pkt + IP_HDR_LEN + link_offset); - tcp->th_flags = TH_RST|TH_ACK; - SET_TCP_OFFSET(tcp, (TCP_HDR_LEN >> 2)); - } -} - - -/** - * Pre-cache ICMP unreachable packet memory to improve response speed - * - * @return void function - */ -static void PrecacheICMP(void) -{ - EtherHdr *eth; - IPHdr *iph; - ICMPHdr *icmp; - int sz; - - if (icmp_pkt == NULL) - { - /* allocates memory for the 
Ethernet header only when necessary - * additional 68 bytes are allocated to accomodate an IP header with - * options -Jeff */ - sz = alignment + link_offset + IP_HDR_LEN + ICMP_LEN_MIN + 68; - - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "%s: allocating %d bytes in " - "PrecacheICMP().\n", MODNAME, sz);); - - icmp_pkt = SnortAlloc(sz); - - /* force alignment */ - icmp_pkt += alignment; - - if (link_offset) - { - eth = (EtherHdr *)icmp_pkt; - eth->ether_type = htons(ETH_TYPE_IP); - } - - /* points to the start of the IP header */ - iph = (IPHdr *)(icmp_pkt + link_offset); - SET_IP_VER(iph, 4); - SET_IP_HLEN(iph, (IP_HDR_LEN >> 2)); - iph->ip_proto = IPPROTO_ICMP; - - /* points to the start of the ICMP header */ - icmp = (ICMPHdr *)(icmp_pkt + IP_HDR_LEN + link_offset); - icmp->type = ICMP_UNREACH; - } -} - - -/** - * Generate a pool of random IP IDs at start-up. - * - * @param data pointer to a RESPOND2_CONFIG data structure - * - * @return void function - */ -static void GenRandIPID(RESPOND2_CONFIG *conf) -{ - if ((conf->randh = rand_open()) == NULL) - FatalError("%s: Unable to open random device handle.\n", MODNAME); - - ip_id_pool = SnortAlloc(sizeof(uint16_t) * IPIDCOUNT); - rand_get(conf->randh, ip_id_pool, sizeof(uint16_t) * IPIDCOUNT); -} - - -/** - * Set link-layer offset - * - * @return void function - */ -static void SetLinkInfo(void) -{ - SnortConfig *sc = snort_conf_for_parsing; - - if (sc == NULL) - { - FatalError("%s(%d) Snort config for parsing is NULL.\n", - __FILE__, __LINE__); - } - - if (sc->respond2_link) - { - link_offset = ETH_HDR_LEN; - alignment = 2; - } - else - { - link_offset = 0; - alignment = 0; - } -} - - -/** - * Set number of responses per triggered event - * - * @param data pointer to a RESPOND2_CONFIG data structure - * - * @return void function - */ -static void SetRespAttempts(RESPOND2_CONFIG *conf) -{ - SnortConfig *sc = snort_conf_for_parsing; - - if (sc == NULL) - { - FatalError("%s(%d) Snort config for parsing is NULL.\n", - 
__FILE__, __LINE__); - } - - if ((sc->respond2_attempts > 4) && (sc->respond2_attempts < 21)) - conf->respond_attempts = sc->respond2_attempts; - else - conf->respond_attempts = 4; -} - - -/** - * Set number of rows in response cache hash table - * - * @param data pointer to a RESPOND2_CONFIG data structure - * - * @return void function - */ -static void SetRespCacheRows(RESPOND2_CONFIG *conf) -{ - SnortConfig *sc = snort_conf_for_parsing; - - if (sc == NULL) - { - FatalError("%s(%d) Snort config for parsing is NULL.\n", - __FILE__, __LINE__); - } - - conf->rows = DEFAULT_ROWS; - - if (sc->respond2_rows) - conf->rows = sc->respond2_rows; -} - - -/** - * Set memcap of response cache hash table - * - * @param data pointer to a RESPOND2_CONFIG data structure - * - * @return void function - */ -static void SetRespCacheMemcap(RESPOND2_CONFIG *conf) -{ - SnortConfig *sc = snort_conf_for_parsing; - - if (sc == NULL) - { - FatalError("%s(%d) Snort config for parsing is NULL.\n", - __FILE__, __LINE__); - } - - conf->memcap = DEFAULT_MEMCAP; - - if (sc->respond2_memcap) - conf->memcap = sc->respond2_memcap; -} - - -/* ######## HASH section ######## */ - -/** - * Initialize response cache at start-up. 
- * - * @param respcachep response cache pointer - * @param data pointer to a RESPOND2_CONFIG data structure - * - * @return 0 on success, 1 on error - */ -static int respcache_init(SFXHASH **cache, RESPOND2_CONFIG *conf) -{ - - if (conf->memcap <= (sizeof(time_t) + sizeof(response) + - sizeof(SFXHASH_NODE))) - { - /* without sufficient memory to store one node, return an error */ - return 1; - } - - if (conf->rows < 1) - return 1; - - *cache = sfxhash_new(conf->rows, - sizeof(response), /* size of hash key */ - sizeof(time_t), /* size of data */ - conf->memcap, - 1, /* auto recover nodes */ - NULL, - NULL, - 1); /* recycle old nodes */ - - if (*cache == NULL) - return 1; - - return 0; -} - - -/** - * normalize response packets for a hash lookup - * - * @param key pointer to hash key - * @param p pointer to a Snort packet structure - * - * @return 0 on success, 1 on error - */ -static INLINE int respkey_make(RESPKEY *hashkey, Packet *p) -{ - hashkey->sip = p->iph->ip_src.s_addr; - hashkey->dip = p->iph->ip_dst.s_addr; - hashkey->proto = p->iph->ip_proto; - switch (hashkey->proto) - { - case IPPROTO_ICMP: - hashkey->sport = p->icmph->type; - hashkey->dport = p->icmph->code; - break; - case IPPROTO_TCP: - hashkey->sport = p->tcph->th_sport; - hashkey->dport = p->tcph->th_dport; - break; - case IPPROTO_UDP: - hashkey->sport = p->udph->uh_sport; - hashkey->dport = p->udph->uh_dport; - break; - } - return 0; -} - - -/** - * dampen responses if they're occuring too quickly - * - * @param p pointer to a Snort packet structure - * - * @return 0 on success, 1 on error - */ -static INLINE int dampen_response(Packet *p) -{ - int ret; - time_t pkt_time = p->pkth->ts.tv_sec; - time_t *resp_time; - RESPKEY tmpkey; - - memset((void *)&tmpkey, 0, sizeof(response)); - - /* normalize the packet for a hash lookup */ - respkey_make(&tmpkey, p); - - /* sfxhash_add uses sfxhash_find internally, optimize with this in mind - * by always trying to add. 
If the key already exists, use its data. - */ - ret = sfxhash_add(respcache, (void *)&tmpkey, (void *)&pkt_time); - switch(ret) - { - case SFXHASH_OK: - ret = 0; - break; - case SFXHASH_NOMEM: - ret = 1; - break; - case SFXHASH_INTABLE: - resp_time = (time_t *)respcache->cnode->data; - if ((pkt_time - *resp_time) < CACHETIME) - { - /* dampen this response because sp_respond2 observed this - * response < CACHETIME seconds ago. - */ - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "%s: dampening " - "response\n", MODNAME);); - ret = 1; - } - else - { - /* sp_respond2 has sent this response > CACHETIME seconds - * ago. In this case, replace the hash data and proceed. - */ - - ret = 0; - if ((sfxhash_remove(respcache, (void *)&tmpkey)) != SFXHASH_OK) - ret = 1; - else if ((sfxhash_add(respcache, (void *)&tmpkey, - (void *)&pkt_time)) != SFXHASH_OK) - ret = 1; - } - break; - } - - return ret; -} -#endif /* ENABLE_RESPONSE2 */ diff -Nru snort-2.8.5.2/src/detection-plugins/sp_respond3.c snort-2.9.2/src/detection-plugins/sp_respond3.c --- snort-2.8.5.2/src/detection-plugins/sp_respond3.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_respond3.c 2011-06-08 00:33:10.000000000 +0000 
@@ -0,0 +1,316 @@
+/* $Id$ */
+/****************************************************************************
+ *
+ * Copyright (C) 2005-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License Version 2 as published by
+ * the Free Software Foundation. You may not use, modify or distribute this
+ * program under any other version of the GNU General Public License.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+/* Snort sp_resp3 Detection Plugin
+ *
+ * Perform flexible response on packets matching conditions specified in Snort
+ * rules.
+ *
+ * Shutdown hostile network connections by injecting TCP resets or ICMP
+ * unreachable packets.
+ *
+ * flexresp3 is derived from flexresp and flexresp2. It includes all
+ * configuration options from those modules and has these differences:
+ *
+ * - injects packets with correct encapsulations (doesn't assume
+ * eth+ip+icmp/tcp).
+ *
+ * - uses the wire packet as a prototype, not the packet generating the alert
+ * (which may be reassembled or otherwise generated internally with only the
+ * headers required for logging).
+ *
+ * - queues the injection action so that it is taken only once after detection
+ * regardless of multiple resp3 rules firing.
+ *
+ * - uses the same encoding and injection mechanism as active_response and/or
+ * reject actions.
+ *
+ * - bypasses sequence strafing in inline mode.
+ *
+ * - if a resp3 rule is also a drop rule, the drop processing takes precedence.
+ */
+
+// @file sp_respond3.c
+// @author Russ Combs
+
+#ifdef ENABLE_RESPONSE3
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "sf_types.h"
+#include "snort_bounds.h"
+#include "checksum.h"
+#include "snort_debug.h"
+#include "decode.h"
+#include "encode.h"
+#include "detection_options.h"
+#include "log.h"
+#include "mstring.h"
+#include "parser.h"
+#include "plugbase.h"
+#include "plugin_enum.h"
+#include "profiler.h"
+#include "active.h"
+#include "rules.h"
+#include "sfhashfcn.h"
+#include "sfxhash.h"
+#include "snort.h"
+#include "sp_respond.h"
+#include "util.h"
+
+#define MOD_NAME "sp_resp3" /* plugin name */
+
+#define RESP_RST_SND 0x01
+#define RESP_RST_RCV 0x02
+#define RESP_UNR_NET 0x04
+#define RESP_UNR_HOST 0x08
+#define RESP_UNR_PORT 0x10
+
+#define RESP_RST (RESP_RST_SND|RESP_RST_RCV)
+#define RESP_UNR (RESP_UNR_NET|RESP_UNR_HOST|RESP_UNR_PORT)
+
+#ifdef PERF_PROFILING
+static PreprocStats resp3PerfStats;
+extern PreprocStats ruleOTNEvalPerfStats;
+#endif
+
+// instance data
+typedef struct {
+ uint32_t mask;
+ uint32_t flags;
+} Resp3_Data;
+
+static int s_init = 1;
+
+// callback functions
+static void Resp3_Init(char* data, OptTreeNode*, int protocol);
+static void Resp3_Cleanup(int signal, void* data);
+
+// core functions
+static int Resp3_Parse(char* type);
+static int Resp3_Queue(Packet*, void*);
+static void Resp3_Send(Packet*, void*);
+
+//--------------------------------------------------------------------
+// public functions
+// here we use the non '_' versions for consistency ...
+uint32_t RespondHash(void* d)
+{
+ uint32_t a,b,c;
+ Resp3_Data* data = (Resp3_Data*)d;
+
+ a = data->mask;
+ b = RULE_OPTION_TYPE_RESPOND;
+ c = 0;
+
+ final(a,b,c);
+
+ return c;
+}
+
+int RespondCompare(void* l, void* r)
+{
+ Resp3_Data* left = (Resp3_Data*)l;
+ Resp3_Data* right = (Resp3_Data*)r;
+
+ if (!left || !right)
+ return DETECTION_OPTION_NOT_EQUAL;
+
+ if (left->mask == right->mask)
+ {
+ return DETECTION_OPTION_EQUAL;
+ }
+
+ return DETECTION_OPTION_NOT_EQUAL;
+}
+
+// and here we use the functional name for consistency ...
+void SetupRespond(void)
+{
+ RegisterRuleOption("resp", Resp3_Init, NULL, OPT_TYPE_ACTION, NULL);
+#ifdef PERF_PROFILING
+ RegisterPreprocessorProfile("resp3", &resp3PerfStats, 3, &ruleOTNEvalPerfStats);
+#endif
+}
+
+//--------------------------------------------------------------------
+// callback functions
+
+static void Resp3_Init(char* data, OptTreeNode* otn, int protocol)
+{
+ Resp3_Data* rd = NULL;
+ void* idx_dup;
+
+ if ( otn->ds_list[PLUGIN_RESPONSE] )
+ FatalError("%s(%d): Multiple response options in rule\n",
+ file_name, file_line);
+
+ if ( s_init )
+ {
+ AddFuncToCleanExitList(Resp3_Cleanup, NULL);
+ AddFuncToRestartList(Resp3_Cleanup, NULL);
+
+ Active_SetEnabled(1);
+ s_init = 0;
+ }
+
+ rd = (Resp3_Data*)SnortAlloc(sizeof(*rd));
+ rd->mask = Resp3_Parse(data);
+
+ if ( add_detection_option(RULE_OPTION_TYPE_RESPOND, rd, &idx_dup)
+ == DETECTION_OPTION_EQUAL)
+ {
+ free(rd);
+ rd = idx_dup;
+ }
+ // this prevents multiple response options in rule
+ otn->ds_list[PLUGIN_RESPONSE] = rd;
+ AddRspFuncToList(Resp3_Queue, otn, rd);
+}
+
+static void Resp3_Cleanup(int signal, void* data)
+{
+ s_init = 1;
+}
+
+//--------------------------------------------------------------------
+// core functions
+// TBD conf parsing should be registered and distributed as well as rule
+// option parsing
+
+static int Resp3_Parse(char* type)
+{
+ char* *toks;
+ uint32_t flags = 0;
+ int num_toks, i;
+
+ if ( type )
+ toks = mSplit(type, ",", 6, &num_toks, 0);
+
+ i = 0;
+ while (i < num_toks)
+ {
+ if ( !strcasecmp(toks[i], "reset_source") ||
+ !strcasecmp(toks[i], "rst_snd") )
+ {
+ flags |= RESP_RST_SND;
+ i++;
+ }
+ else if ( !strcasecmp(toks[i], "reset_dest") ||
+ !strcasecmp(toks[i], "rst_rcv") )
+ {
+ flags |= RESP_RST_RCV;
+ i++;
+ }
+ else if ( !strcasecmp(toks[i], "reset_both") ||
+ !strcasecmp(toks[i], "rst_all") )
+ {
+ flags |= (RESP_RST_RCV | RESP_RST_SND);
+ i++;
+ }
+ else if (!strcasecmp(toks[i], "icmp_net"))
+ {
+ flags |= RESP_UNR_NET;
+ i++;
+ }
+ else if (!strcasecmp(toks[i], "icmp_host"))
+ {
+ flags |= RESP_UNR_HOST;
+ i++;
+ }
+ else if (!strcasecmp(toks[i], "icmp_port"))
+ {
+ flags |= RESP_UNR_PORT;
+ i++;
+ }
+ else if (!strcasecmp(toks[i], "icmp_all"))
+ {
+ flags |= (RESP_UNR_NET | RESP_UNR_HOST | RESP_UNR_PORT);
+ i++;
+ }
+ else
+ FatalError("%s: %s(%d): invalid resp modifier: %s\n",
+ MOD_NAME, file_name, file_line, toks[i]);
+ }
+
+ mSplitFree(&toks, num_toks);
+
+ if ( !flags )
+ FatalError("%s: %s(%d): invalid resp configuration: %s\n",
+ MOD_NAME, file_name, file_line, "no response specified");
+
+ return flags;
+}
+
+//--------------------------------------------------------------------
+
+static int Resp3_Queue (Packet* p, void* pv)
+{
+ Resp3_Data* rd = (Resp3_Data*)pv;
+ PROFILE_VARS;
+
+ PREPROC_PROFILE_START(resp3PerfStats);
+ rd->flags = 0;
+
+ if ( Active_IsRSTCandidate(p) )
+ rd->flags |= (rd->mask & RESP_RST);
+
+ if ( Active_IsUNRCandidate(p) )
+ rd->flags |= (rd->mask & RESP_UNR);
+
+ if ( rd->flags )
+ Active_QueueResponse(Resp3_Send, rd);
+
+ PREPROC_PROFILE_END(resp3PerfStats);
+ return 0;
+}
+
+//--------------------------------------------------------------------
+
+static void Resp3_Send (Packet* p, void* pv)
+{
+ Resp3_Data* rd = (Resp3_Data*)pv;
+ PROFILE_VARS;
+
+ PREPROC_PROFILE_START(resp3PerfStats);
+ Active_IgnoreSession(p);
+
+ if ( rd->flags & RESP_RST_SND )
+ Active_SendReset(p, 0);
+
+ if ( rd->flags & RESP_RST_RCV )
+ Active_SendReset(p, ENC_FLAG_FWD);
+
+ if ( rd->flags & RESP_UNR_NET )
+ Active_SendUnreach(p, ENC_UNR_NET);
+
+ if ( rd->flags & RESP_UNR_HOST )
+ Active_SendUnreach(p, ENC_UNR_HOST);
+
+ if ( rd->flags & RESP_UNR_PORT )
+ Active_SendUnreach(p, ENC_UNR_PORT);
+
+ PREPROC_PROFILE_END(resp3PerfStats);
+}
+
+#endif // ENABLE_RESPONSE3
+
diff -Nru snort-2.8.5.2/src/detection-plugins/sp_respond.c snort-2.9.2/src/detection-plugins/sp_respond.c
--- snort-2.8.5.2/src/detection-plugins/sp_respond.c 2009-08-10 20:41:45.000000000 +0000
+++ snort-2.9.2/src/detection-plugins/sp_respond.c 1970-01-01 00:00:00.000000000 +0000
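Review bot: In Resp3_Parse, `toks` and `num_toks` are read uninitialized when `type` is NULL: the `if ( type )` guard skips mSplit(), but `while (i < num_toks)` and `mSplitFree(&toks, num_toks)` run unconditionally, so a bare `resp;` rule option with no argument is undefined behaviour rather than the config error the later `if ( !flags )` check intends. Initialize both at declaration, `char* *toks = NULL;` and `int num_toks = 0, i;`, so the empty case skips the loop and reaches the existing FatalError (assuming mSplitFree tolerates a NULL token array with a zero count; otherwise guard that call on `type` as well). Separately, Resp3_Queue writes per-packet state into `rd->flags` on the Resp3_Data instance that add_detection_option deduplicates across every rule with the same mask, and then hands that same pointer to Active_QueueResponse; this appears to rely on single-threaded evaluation and on Active_QueueResponse running Resp3_Send before the next packet, which is worth stating next to the struct, e.g. `// flags: per-packet scratch state, valid only between Resp3_Queue and Resp3_Send`.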
@@ -1,589 +0,0 @@ -/* $Id$ */ -/* -** Copyright (C) 2002-2009 Sourcefire, Inc. -** Copyright (C) 1998-2002 Martin Roesch -** Copyright (C) 1999,2000,2001 Christian Lademann -** -** This program is free software; you can redistribute it and/or modify -** it under the terms of the GNU General Public License Version 2 as -** published by the Free Software Foundation. You may not use, modify or -** distribute this program under any other version of the GNU General -** Public License. -** -** This program is distributed in the hope that it will be useful, -** but WITHOUT ANY WARRANTY; without even the implied warranty of -** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -** GNU General Public License for more details. -** -** You should have received a copy of the GNU General Public License -** along with this program; if not, write to the Free Software -** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -*/ - -/* $Id$ */ - -/* - * CREDITS: - * - * The functionality presented here was inspired by - * the program "couic" by Michel Arboi - * -*/ - -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - -#ifdef ENABLE_RESPONSE -#include - -#include "decode.h" -#include "rules.h" -#include "plugbase.h" -#include "parser.h" -#include "debug.h" -#include "log.h" -#include "plugin_enum.h" -#include "snort.h" -#include "util.h" -#include "sp_respond.h" -#include "sp_react.h" - -#include "snort.h" -#include "profiler.h" -#ifdef PERF_PROFILING -PreprocStats respondPerfStats; -extern PreprocStats ruleOTNEvalPerfStats; -#endif - -#include "sfhashfcn.h" -#include "detection_options.h" - -typedef struct _RespondData -{ - u_int response_flag; -} RespondData; - -uint32_t RespondHash(void *d) -{ - uint32_t a,b,c; - RespondData *data = (RespondData *)d; - - a = data->response_flag; - b = RULE_OPTION_TYPE_RESPOND; - c = 0; - - final(a,b,c); - - return c; -} - -int RespondCompare(void *l, void *r) -{ - RespondData *left = (RespondData *)l; - 
RespondData *right = (RespondData *)r; - - if (!left || !right) - return DETECTION_OPTION_NOT_EQUAL; - - if (left->response_flag == right->response_flag) - { - return DETECTION_OPTION_EQUAL; - } - - return DETECTION_OPTION_NOT_EQUAL; -} - -static uint8_t ttl = 0; /* placeholder for randomly generated TTL */ - -static uint8_t *tcp_pkt = NULL; -static uint8_t *icmp_pkt = NULL; - -static void PrecacheTcp(void); -static void PrecacheIcmp(void); - -static void RespondInit(char *, OptTreeNode *, int ); -static void RespondCleanupFunction(int, void *); - -static int ParseResponse(char *); - -static int SendICMP_UNREACH(int, snort_ip_p, snort_ip_p, Packet *); -static int SendTCPRST(snort_ip_p, snort_ip_p, u_short, u_short, u_long, u_long, u_short, int); -static int Respond(Packet *, RspFpList *); - -/************************************************************************** - * - * Function: SetupRespond(); - * - * Purpose: Initialize repsond plugin - * - * Arguments: None. - * - * Returns: void - **************************************************************************/ - -void SetupRespond(void) -{ - RegisterRuleOption("resp", RespondInit, NULL, OPT_TYPE_ACTION); -#ifdef PERF_PROFILING - RegisterPreprocessorProfile("resp", &respondPerfStats, 3, &ruleOTNEvalPerfStats); -#endif - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Plugin: Respond Setup\n");); -} - -void RespondCleanupFunction(int signal, void *foo) -{ - RawSocket_Close(); - - if (tcp_pkt != NULL) - { - libnet_destroy_packet((u_char **)&tcp_pkt); - tcp_pkt = NULL; - } - - if (icmp_pkt != NULL) - { - libnet_destroy_packet((u_char **)&icmp_pkt); - icmp_pkt = NULL; - } -} - -void RespondInit(char *data, OptTreeNode *otn, int protocol) -{ - RespondData *rd; - void *idx_dup; - - if(protocol != IPPROTO_TCP && protocol != IPPROTO_UDP && - protocol != IPPROTO_ICMP) - { - FatalError("%s(%d): Can't respond to IP protocol rules\n", - file_name, file_line); - } - - /* If it hasn't been opened yet, there are no rules currently using 
this - * rule option, so on a reload, setting this during parsing won't step - * on runtime evaluation */ - RawSocket_Open(); - - // depending on reloads and ordering of inits/cleans, - // opening module may not be same as closing module. - AddFuncToCleanExitList(RespondCleanupFunction, NULL); - - /* Same as above as far as reload goes */ - if (ttl == 0) - { - ttl = (uint8_t)libnet_get_prand(PR8); - if (ttl < 64) - ttl += 64; - } - - rd = (RespondData *)SnortAlloc(sizeof(RespondData)); - - rd->response_flag = ParseResponse(data); - - if (add_detection_option(RULE_OPTION_TYPE_RESPOND, (void *)rd, &idx_dup) == DETECTION_OPTION_EQUAL) - { - free(rd); - rd = idx_dup; - } - - AddRspFuncToList(Respond, otn, (void *)rd ); -} - -void RespondFree (void* d) -{ - free(d); -} - -/**************************************************************************** - * - * Function: ParseResponse(char *) - * - * Purpose: Figure out how to handle hostile connection attempts - * - * Arguments: type => string of comma-sepatared modifiers - * - * Returns: void function - * - ***************************************************************************/ -int ParseResponse(char *type) -{ - char *p; - int response_flag; - int make_tcp = 0; - int make_icmp = 0; - - while(isspace((int) *type)) - type++; - - if(!type || !(*type)) - return 0; - - response_flag = 0; - - p = strtok(type, ","); - while(p) - { - if(!strncasecmp(p, "rst_snd", 7)) - { - response_flag |= RESP_RST_SND; - make_tcp = 1; - } - else if(!strncasecmp(p, "rst_rcv", 7)) - { - response_flag |= RESP_RST_RCV; - make_tcp = 1; - } - else if(!strncasecmp(p, "rst_all", 7)) - { - response_flag |= (RESP_RST_SND | RESP_RST_RCV); - make_tcp = 1; - } - else if(!strncasecmp(p, "icmp_net", 8)) - { - response_flag |= RESP_BAD_NET; - make_icmp = 1; - } - else if(!strncasecmp(p, "icmp_host", 9)) - { - response_flag |= RESP_BAD_HOST; - make_icmp = 1; - } - else if(!strncasecmp(p, "icmp_port", 9)) - { - response_flag |= RESP_BAD_PORT; - make_icmp = 
1; - } - else if(!strncasecmp(p, "icmp_all", 9)) - { - response_flag |= (RESP_BAD_NET | RESP_BAD_HOST | RESP_BAD_PORT); - make_icmp = 1; - } - else - { - FatalError("%s(%d): invalid response modifier: %s\n", file_name, - file_line, p); - } - - p = strtok(NULL, ","); - } - - if(make_tcp) - { - PrecacheTcp(); - } - - if(make_icmp) - { - /* someday came sooner than expected. -Jeff */ - PrecacheIcmp(); - } - - return response_flag; -} - - -void PrecacheTcp(void) -{ - int sz = IP_H + TCP_H + 1; /* extra octet required to avoid crash - why? */ - TCPHdr *tcphdr; - - if (tcp_pkt != NULL) - return; - - /* If it hasn't been alloced yet, there are no rules currently using this - * rule option, so on a reload, setting this during parsing won't step - * on runtime evaluation */ - if((tcp_pkt = calloc(sz, sizeof(uint8_t))) == NULL) - { - FatalError("PrecacheTCP() calloc failed!\n"); - } - - libnet_build_ip( TCP_H /* Length of packet data */ - , 0 /* IP tos */ - , (u_short) libnet_get_prand(PRu16) /* IP ID */ - , 0 /* Fragmentation flags and offset */ - , ttl /* TTL */ - , IPPROTO_TCP /* Protocol */ - , 0 /* Source IP Address */ - , 0 /* Destination IP Address */ - , NULL /* Pointer to packet data (or NULL) */ - , 0 /* Packet payload size */ - , tcp_pkt /* Pointer to packet header memory */ - ); - /* this call fails in libent1.0.x*/ - //libnet_build_tcp( 0 /* Source port */ - //, 0 /* Destination port */ - //, 0 /* Sequence Number */ - //, 0 /* Acknowledgement Number */ - //, TH_RST|TH_ACK /* Control bits */ - //, 0 /* Advertised Window Size */ - //, 0 /* Urgent Pointer */ - //, NULL /* Pointer to packet data (or NULL) */ - //, 0 /* Packet payload size */ - //, tcp_pkt + IP_H /* Pointer to packet header memory */ - //); - tcphdr = (TCPHdr*)(tcp_pkt + IP_H); - tcphdr->th_sport = 0; - tcphdr->th_dport = 0; - tcphdr->th_seq = 0; - tcphdr->th_ack = 0; - tcphdr->th_offx2 = 0x50; - tcphdr->th_flags = TH_RST|TH_ACK; - tcphdr->th_win = 0; - tcphdr->th_sum = 0; - tcphdr->th_urp = 0; - -} 
- -void PrecacheIcmp(void) -{ - int sz = IP_H + ICMP_UNREACH_H + 68; /* plan for IP options */ - - if (icmp_pkt != NULL) - return; - - /* If it hasn't been alloced yet, there are no rules currently using this - * rule option, so on a reload, setting this during parsing won't step - * on runtime evaluation */ - if((icmp_pkt = calloc(sz, sizeof(char))) == NULL) - { - FatalError("PrecacheIcmp() calloc failed!\n"); - } - - libnet_build_ip( ICMP_UNREACH_H /* Length of packet data */ - , 0 /* IP tos */ - , (u_short) libnet_get_prand(PRu16) /* IP ID */ - , 0 /* Fragmentation flags and offset */ - , ttl /* TTL */ - , IPPROTO_ICMP /* Protocol */ - , 0 /* Source IP Address */ - , 0 /* Destination IP Address */ - , NULL /* Pointer to packet data (or NULL) */ - , 0 /* Packet payload size */ - , icmp_pkt /* Pointer to packet header memory */ - ); - - libnet_build_icmp_unreach( 3 /* icmp type */ - , 0 /* icmp code */ - , 0 /* Original Length of packet data */ - , 0 /* Original IP tos */ - , 0 /* Original IP ID */ - , 0 /* Original Fragmentation flags and offset */ - , 0 /* Original TTL */ - , 0 /* Original Protocol */ - , 0 /* Original Source IP Address */ - , 0 /* Original Destination IP Address */ - , NULL /* Pointer to original packet data (or NULL) */ - , 0 /* Packet payload size (or 0) */ - , icmp_pkt + IP_H /* Pointer to packet header memory */ - ); - - return; -} - - -/**************************************************************************** - - * - * Function: Respond(Packet *p, RspFpList) - * - * Purpose: Respond to hostile connection attempts - * - * Arguments: - * - * Returns: void function - * - ***************************************************************************/ - -int Respond(Packet *p, RspFpList *fp_list) -{ - RespondData *rd; - PROFILE_VARS; - - rd = (RespondData *)fp_list->params; - - if(!IPH_IS_VALID(p)) - { - return 0; - } - - PREPROC_PROFILE_START(respondPerfStats); - - if(rd->response_flag) - { - if(rd->response_flag & (RESP_RST_SND | 
RESP_RST_RCV)) - { - if(GET_IPH_PROTO(p) == IPPROTO_TCP && p->tcph != NULL) - { - /* - ** This ensures that we don't reset packets that we just - ** spoofed ourselves, thus inflicting a self-induced DOS - ** attack. - ** - ** We still reset packets that may have the SYN set, though. - */ - if((p->tcph->th_flags & (TH_SYN | TH_RST)) != TH_RST) - { - if(rd->response_flag & RESP_RST_SND) - { - SendTCPRST(GET_DST_IP(p), - GET_SRC_IP(p), - p->tcph->th_dport, p->tcph->th_sport, - p->tcph->th_ack, - htonl(ntohl(p->tcph->th_seq) + p->dsize), - p->tcph->th_win,IS_IP4(p)); - } - - if(rd->response_flag & RESP_RST_RCV) - { - SendTCPRST(GET_SRC_IP(p), - GET_DST_IP(p), - p->tcph->th_sport, p->tcph->th_dport, - p->tcph->th_seq, - htonl(ntohl(p->tcph->th_ack) + p->dsize), - p->tcph->th_win,IS_IP4(p)); - } - } - } - } - - /* - ** We check that we only reset packets with an ICMP packet if it is - ** valid. This means that we don't reset ICMP error types and will - ** only reset ICMP query request. - */ - if((p->icmph == NULL) || - (p->icmph->type == ICMP_ECHO) || - (p->icmph->type == ICMP_TIMESTAMP) || - (p->icmph->type == ICMP_INFO_REQUEST) || - (p->icmph->type == ICMP_ADDRESS)) - { - if(rd->response_flag & RESP_BAD_NET) - SendICMP_UNREACH(ICMP_UNREACH_NET, GET_DST_IP(p), - GET_SRC_IP(p), p); - - if(rd->response_flag & RESP_BAD_HOST) - SendICMP_UNREACH(ICMP_UNREACH_HOST, GET_DST_IP(p), - GET_SRC_IP(p), p); - - if(rd->response_flag & RESP_BAD_PORT) - SendICMP_UNREACH(ICMP_UNREACH_PORT, GET_DST_IP(p), - GET_SRC_IP(p), p); - } - } - PREPROC_PROFILE_END(respondPerfStats); - return 1; /* always success */ -} - - -int SendICMP_UNREACH(int code, snort_ip_p saddr, snort_ip_p daddr, Packet * p) -{ - int payload_len, sz; - IPHdr *iph; - ICMPHdr *icmph; - - if(p == NULL) - return -1; - - /* don't send ICMP port unreachable errors in response to ICMP messages */ - if (GET_IPH_PROTO(p) == 1 && code == ICMP_UNREACH_PORT) - { - if (ScLogVerbose()) - { - ErrorMessage("ignoring icmp_port set on 
ICMP packet.\n"); - } - - return 0; - } - - iph = (IPHdr *) icmp_pkt; - icmph = (ICMPHdr *) (icmp_pkt + IP_H); - -#ifdef SUP_IP6 - if (IS_IP4(p)) - { - memcpy(&iph->ip_src.s_addr, &saddr->ip32[0], 4); - memcpy(&iph->ip_dst.s_addr, &daddr->ip32[0], 4); - } - -#else - iph->ip_src.s_addr = saddr; - iph->ip_dst.s_addr = daddr; -#endif - - icmph->code = code; - - if ((payload_len = ntohs(p->iph->ip_len) - (IP_HLEN(p->iph) << 2)) > 8) - payload_len = 8; - - memcpy((char *)icmph + ICMP_UNREACH_H, p->iph, (IP_HLEN(p->iph) << 2) - + payload_len); - - sz = IP_H + ICMP_UNREACH_H + (IP_HLEN(p->iph) << 2) + payload_len; - iph->ip_len = htons( (u_short) sz); - - libnet_do_checksum(icmp_pkt, IPPROTO_ICMP, sz - IP_H); - -#ifdef DEBUG - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "firing ICMP response packet\n");); - PrintNetData(stdout, icmp_pkt, sz); - //ClearDumpBuf(); -#endif - if(libnet_write_ip(nd, icmp_pkt, sz) < sz) - { - libnet_error(LIBNET_ERR_CRITICAL, "SendICMP_UNREACH: libnet_write_ip"); - return -1; - } - return 0; -} - - -int SendTCPRST(snort_ip_p saddr, snort_ip_p daddr, u_short sport, u_short dport, - u_long seq, u_long ack, u_short win, int ip4family) -{ - int sz = IP_H + TCP_H; - IPHdr *iph; - TCPHdr *tcph; - - iph = (IPHdr *) tcp_pkt; - tcph = (TCPHdr *) (tcp_pkt + IP_H); - -#ifdef SUP_IP6 - if (ip4family) - { - memcpy(&iph->ip_src.s_addr, &saddr->ip32[0], 4); - memcpy(&iph->ip_dst.s_addr, &daddr->ip32[0], 4); - } - -#else - iph->ip_src.s_addr = saddr; - iph->ip_dst.s_addr = daddr; -#endif - - tcph->th_sport = sport; - tcph->th_dport = dport; - tcph->th_seq = seq; - tcph->th_ack = ack; - tcph->th_win = 0; - - libnet_do_checksum(tcp_pkt, IPPROTO_TCP, sz - IP_H); - - DEBUG_WRAP( - PrintNetData(stdout, tcp_pkt, sz); - //ClearDumpBuf(); - DebugMessage(DEBUG_PLUGIN, "firing response packet\n"); - DebugMessage(DEBUG_PLUGIN, - "0x%lX:%u -> 0x%lX:%d (seq: 0x%lX ack: 0x%lX)\n", - saddr, sport, daddr, dport, seq, ack);); - - if(libnet_write_ip(nd, tcp_pkt, sz) < sz) - { - 
libnet_error(LIBNET_ERR_CRITICAL, "SendTCPRST: libnet_write_ip"); - return -1; - } - - return 0; -} -#endif /* ENABLE_RESPONSE */ - diff -Nru snort-2.8.5.2/src/detection-plugins/sp_respond.h snort-2.9.2/src/detection-plugins/sp_respond.h --- snort-2.8.5.2/src/detection-plugins/sp_respond.h 2009-08-10 20:41:45.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_respond.h 2011-02-09 23:23:05.000000000 +0000 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** Copyright (C) 1999,2000,2001 Christian Lademann ** @@ -20,19 +20,14 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ -/* I N C L U D E S -**********************************************************/ - -/* D E F I N E S -************************************************************/ -#ifndef __RESPOND_H__ -#define __RESPOND_H__ +#ifndef __SP_RESPOND_H__ +#define __SP_RESPOND_H__ #ifdef ENABLE_RESPOND void SetupRespond(void); -void RespondFree(void* d); uint32_t RespondHash(void* d); int RespondCompare(void *l, void *r); -#endif /* ENABLE_RESPOND */ +#endif + +#endif -#endif /* __RESPOND_H__ */ diff -Nru snort-2.8.5.2/src/detection-plugins/sp_rpc_check.c snort-2.9.2/src/detection-plugins/sp_rpc_check.c --- snort-2.8.5.2/src/detection-plugins/sp_rpc_check.c 2009-05-06 22:28:37.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_rpc_check.c 2011-06-08 00:33:10.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify @@ -32,10 +32,11 @@ #endif /* !WIN32 */ #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" #include "sfhashfcn.h" 
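Review bot: The new include guard `__SP_RESPOND_H__` in the sp_respond.h hunk begins with a double underscore, a name C reserves for the implementation; the old `__RESPOND_H__` had the same problem, but since the hunk renames the guard anyway this is the moment to choose a non-reserved name such as `SP_RESPOND_H`. The two closing `#endif` lines also lose their trailing comments, so a reader at the bottom of the header can no longer see which one closes `ENABLE_RESPOND` and which closes the guard; `#endif /* ENABLE_RESPOND */` and `#endif /* SP_RESPOND_H */` restore that. Dropping the `RespondFree` prototype looks consistent with the deletion of sp_respond.c in this same diff, assuming no other translation unit still references it.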
@@ -53,7 +54,7 @@ /* * This is driven by 64-bit Solaris which doesn't * define _LONG - * + * */ #ifndef IXDR_GET_LONG @@ -117,7 +118,7 @@ /**************************************************************************** - * + * * Function: SetupRpcCheck() * * Purpose: Register the rpc option keyword with its setup function @@ -130,7 +131,7 @@ void SetupRpcCheck(void) { /* map the keyword to an initialization/processing function */ - RegisterRuleOption("rpc", RpcCheckInit, NULL, OPT_TYPE_DETECTION); + RegisterRuleOption("rpc", RpcCheckInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("rpc", &rpcCheckPerfStats, 3, &ruleOTNEvalPerfStats); @@ -141,7 +142,7 @@ /**************************************************************************** - * + * * Function: RpcCheckInit(char *, OptTreeNode *) * * Purpose: Parse the rpc keyword arguments and link the detection module @@ -162,7 +163,7 @@ file_name, file_line); } - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_RPC_CHECK]) { FatalError("%s(%d): Multiple rpc options in rule\n", file_name, @@ -174,11 +175,11 @@ otn->ds_list[PLUGIN_RPC_CHECK] = (RpcCheckData *) SnortAlloc(sizeof(RpcCheckData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseRpc(data, otn); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(CheckRpc, otn); fpl->type = RULE_OPTION_TYPE_RPC_CHECK; @@ -187,7 +188,7 @@ /**************************************************************************** - * + * * Function: ParseRpc(char *, OptTreeNode *) * * Purpose: Parse the RPC keyword's arguments 
@@ -222,9 +223,9 @@ { FatalError("%s(%d): Invalid applicaion number in rpc rule option\n",file_name,file_line); } - + if(*tmp == '\0') return; - + data=++tmp; if(*data != '*') { @@ -255,7 +256,7 @@ /**************************************************************************** - * + * * Function: CheckRpc(char *, OptTreeNode *) * * Purpose: Test if the packet RPC equals the rule option's rpc @@ -273,19 +274,19 @@ u_long xid, rpcvers, prog, vers, proc; enum msg_type direction; int rval = DETECTION_OPTION_NO_MATCH; -#ifdef DEBUG +#ifdef DEBUG_MSGS int i; #endif PROFILE_VARS; - if(!p->iph || (p->iph->ip_proto == IPPROTO_TCP && !p->tcph) - || (p->iph->ip_proto == IPPROTO_UDP && !p->udph)) + if(!p->iph_api || (IsTCP(p) && !p->tcph) + || (IsUDP(p) && !p->udph)) return 0; /* if error occured while ip header * was processed, return 0 automagically. */ PREPROC_PROFILE_START(rpcCheckPerfStats); - if(p->iph->ip_proto == IPPROTO_TCP) + if( IsTCP(p) ) { /* offset to rpc_msg */ c+=4; @@ -308,7 +309,7 @@ } } -#ifdef DEBUG +#ifdef DEBUG_MSGS DebugMessage(DEBUG_PLUGIN,"<---xid---> <---dir---> <---rpc--->" " <---prog--> <---vers--> <---proc-->\n"); for(i=0; i<24; i++) diff -Nru snort-2.8.5.2/src/detection-plugins/sp_rpc_check.h snort-2.9.2/src/detection-plugins/sp_rpc_check.h --- snort-2.8.5.2/src/detection-plugins/sp_rpc_check.h 2009-05-06 22:28:37.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_rpc_check.h 2011-02-09 23:23:06.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.8.5.2/src/detection-plugins/sp_session.c snort-2.9.2/src/detection-plugins/sp_session.c --- snort-2.8.5.2/src/detection-plugins/sp_session.c 2009-08-10 20:41:45.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_session.c 2011-06-08 00:33:10.000000000 +0000 
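Review bot: The rewritten header guard in CheckRpc returns a bare `0` when the packet has no IP header or its TCP/UDP header is missing, while the context line just above initialises `rval` to `DETECTION_OPTION_NO_MATCH` for the function's other non-matching exits; `return rval;` would keep every failure path reporting the same status even if the two values ever differ. The `IsTCP(p)`/`IsUDP(p)` helpers presumably test the same protocol field the old `p->iph->ip_proto` comparisons did, so the `c+=4` record-mark skip below should be unaffected, but that is inferred from the names rather than visible here. The rest of CheckRpc, including any length check on the RPC header before it is read, lies outside this hunk.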
@@ -1,7 +1,7 @@ /* $Id$ */ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify @@ -22,15 +22,15 @@ /* Snort Session Logging Plugin */ -/* sp_session - * +/* sp_session + * * Purpose: * - * Drops data (printable or otherwise) into a SESSION file. Useful for + * Drops data (printable or otherwise) into a SESSION file. Useful for * logging user sessions (telnet, http, ftp, etc). * * Arguments: - * + * * This plugin can take two arguments: * printable => only log the "printable" ASCII characters. * all => log all traffic in the session, logging non-printable @@ -67,10 +67,11 @@ #include #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" #include "snort.h" @@ -121,7 +122,7 @@ if (!left || !right) return DETECTION_OPTION_NOT_EQUAL; - + if (left->session_flag == right->session_flag) { return DETECTION_OPTION_EQUAL; @@ -132,7 +133,7 @@ /**************************************************************************** - * + * * Function: SetupSession() * * Purpose: Init the session plugin module. @@ -145,7 +146,7 @@ void SetupSession(void) { /* map the keyword to an initialization/processing function */ - RegisterRuleOption("session", SessionInit, NULL, OPT_TYPE_LOGGING); + RegisterRuleOption("session", SessionInit, NULL, OPT_TYPE_LOGGING, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("session", &sessionPerfStats, 3, &ruleOTNEvalPerfStats); #endif @@ -154,7 +155,7 @@ /************************************************************************** - * + * * Function: SessionInit(char *, OptTreeNode *) * * Purpose: Initialize the sesion plugin, parsing the rule parameters and 
@@ -171,8 +172,8 @@ OptFpList *fpl; /* - * Theoretically we should only all this plugin to be used when there's a - * possibility of a session happening (i.e. TCP), but I get enough + * Theoretically we should only all this plugin to be used when there's a + * possibility of a session happening (i.e. TCP), but I get enough * requests that I'm going to pull the verifier so that things should work * for everyone */ @@ -182,7 +183,7 @@ file_name, file_line); }*/ - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_SESSION]) { FatalError("%s(%d): Multiple session options in rule\n", file_name, @@ -197,11 +198,11 @@ /* be sure to check that the protocol that is passed in matches the transport layer protocol that you're using for this rule! */ - /* this is where the keyword arguments are processed and placed into + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseSession(data, otn); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(LogSessionData, otn); fpl->context = otn->ds_list[PLUGIN_SESSION]; @@ -211,7 +212,7 @@ /**************************************************************************** - * + * * Function: ParseSession(char *, OptTreeNode *) * * Purpose: Figure out how much of the session data we're collecting @@ -267,7 +268,7 @@ /**************************************************************************** - * + * * Function: LogSessionData(char *, OptTreeNode *) * * Purpose: Dumps the session data to the log file. @@ -288,8 +289,8 @@ PREPROC_PROFILE_START(sessionPerfStats); /* if there's data in this packet */ - if(p != NULL) - { + if(p != NULL) + { if((p->dsize != 0 && p->data != NULL) || p->frag_flag != 1) { session = OpenSessionFile(p); 
@@ -369,11 +370,11 @@ char session_file[STD_BUF]; /* name of session file */ #ifdef SUP_IP6 sfip_t *dst, *src; -#endif +#endif FILE *ret; - if(p->frag_flag) + if(p->frag_flag) { return NULL; } @@ -457,7 +458,7 @@ #endif } - + strncpy(filename, session_file, STD_BUF - 1); filename[STD_BUF - 1] = '\0'; diff -Nru snort-2.8.5.2/src/detection-plugins/sp_session.h snort-2.9.2/src/detection-plugins/sp_session.h --- snort-2.8.5.2/src/detection-plugins/sp_session.h 2009-05-06 22:28:37.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_session.h 2011-02-09 23:23:06.000000000 +0000 @@ -1,7 +1,7 @@ /* $Id$ */ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.8.5.2/src/detection-plugins/sp_tcp_ack_check.c snort-2.9.2/src/detection-plugins/sp_tcp_ack_check.c --- snort-2.8.5.2/src/detection-plugins/sp_tcp_ack_check.c 2009-05-06 22:28:37.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_tcp_ack_check.c 2011-06-08 00:33:10.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify @@ -28,11 +28,13 @@ #include #include +#include "sf_types.h" #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" @@ -86,7 +88,7 @@ } /**************************************************************************** - * + * * Function: SetupTcpAckCheck() * * Purpose: Link the ack keyword to the initialization function 
@@ -99,7 +101,7 @@ void SetupTcpAckCheck(void) { /* map the keyword to an initialization/processing function */ - RegisterRuleOption("ack", TcpAckCheckInit, NULL, OPT_TYPE_DETECTION); + RegisterRuleOption("ack", TcpAckCheckInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("ack", &tcpAckPerfStats, 3, &ruleOTNEvalPerfStats); #endif @@ -108,7 +110,7 @@ /**************************************************************************** - * + * * Function: TcpAckCheckInit(char *, OptTreeNode *) * * Purpose: Attach the option data to the rule data struct and link in the @@ -129,7 +131,7 @@ FatalError("%s(%d) TCP Options on non-TCP rule\n", file_name, file_line); } - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_TCP_ACK_CHECK]) { FatalError("%s(%d): Multiple TCP ack options in rule\n", file_name, @@ -141,11 +143,11 @@ otn->ds_list[PLUGIN_TCP_ACK_CHECK] = (TcpAckCheckData *) SnortAlloc(sizeof(TcpAckCheckData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseTcpAck(data, otn); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(CheckTcpAckEq, otn); fpl->type = RULE_OPTION_TYPE_TCP_ACK; @@ -155,7 +157,7 @@ /**************************************************************************** - * + * * Function: ParseTcpAck(char *, OptTreeNode *) * * Purpose: Attach the option rule's argument to the data struct. 
@@ -190,7 +192,7 @@ /**************************************************************************** - * + * * Function: CheckTcpAckEq(char *, OptTreeNode *) * * Purpose: Check to see if the packet's TCP ack field is equal to the rule diff -Nru snort-2.8.5.2/src/detection-plugins/sp_tcp_ack_check.h snort-2.9.2/src/detection-plugins/sp_tcp_ack_check.h --- snort-2.8.5.2/src/detection-plugins/sp_tcp_ack_check.h 2009-05-06 22:28:38.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_tcp_ack_check.h 2011-02-09 23:23:06.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.8.5.2/src/detection-plugins/sp_tcp_flag_check.c snort-2.9.2/src/detection-plugins/sp_tcp_flag_check.c --- snort-2.8.5.2/src/detection-plugins/sp_tcp_flag_check.c 2009-05-06 22:28:38.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_tcp_flag_check.c 2011-07-13 22:44:51.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify @@ -29,11 +29,13 @@ #include #include +#include "sf_types.h" #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" @@ -55,7 +57,7 @@ typedef struct _TCPFlagCheckData { u_char mode; - u_char tcp_flags; + u_char tcp_flags; u_char tcp_mask; /* Mask to take away from the flags check */ } TCPFlagCheckData; 
@@ -99,7 +101,7 @@ void SetupTCPFlagCheck(void) { - RegisterRuleOption("flags", TCPFlagCheckInit, NULL, OPT_TYPE_DETECTION); + RegisterRuleOption("flags", TCPFlagCheckInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("flags", &tcpFlagsPerfStats, 3, &ruleOTNEvalPerfStats); #endif @@ -117,7 +119,7 @@ FatalError("Line %s (%d): TCP Options on non-TCP rule\n", file_name, file_line); } - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_TCP_FLAG_CHECK]) { FatalError("%s(%d): Multiple TCP flags options in rule\n", file_name, @@ -149,7 +151,7 @@ * * Purpose: Figure out which TCP flags the current rule is interested in * - * Arguments: rule => the rule string + * Arguments: rule => the rule string * * Returns: void function * @@ -167,7 +169,7 @@ fptr = rule; /* make sure there is atleast a split pointer */ - if(fptr == NULL) + if(fptr == NULL) { FatalError("[!] Line %s (%d): Flags missing in TCP flag rule\n", file_name, file_line); } @@ -181,7 +183,7 @@ } /* find the end of the alert string */ - fend = fptr + strlen(fptr); + fend = fptr + strlen(fptr); idx->mode = M_NORMAL; /* this is the default, unless overridden */ @@ -224,18 +226,22 @@ break; case '1': /* reserved bit flags */ - idx->tcp_flags |= R_RES1; + case 'c': + case 'C': + idx->tcp_flags |= R_CWR; /* Congestion Window Reduced, RFC 3168 */ break; case '2': /* reserved bit flags */ - idx->tcp_flags |= R_RES2; + case 'e': + case 'E': + idx->tcp_flags |= R_ECE; /* ECN echo, RFC 3168 */ break; case '!': /* not, fire if all flags specified are not present, other are don't care */ idx->mode = M_NOT; break; - case '*': /* star or any, fire if any flags specified are + case '*': /* star or any, fire if any flags specified are present, other are don't care */ idx->mode = M_ANY; break; 
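Review bot: In the ParseTCPFlags hunk the `case '1':` and `case '2':` lines keep their old `/* reserved bit flags */` comment even though they now fall through to `R_CWR` and `R_ECE`, so the comment misdescribes what the digits mean after this change; `case '1': /* legacy alias for C (CWR); the bit was "reserved" before RFC 3168 */` with the matching note on `'2'` would make the intent clear. Keeping the digits as aliases is the right call for existing rules, but it only preserves their behaviour if `R_CWR` and `R_ECE` carry the same bit values the old `R_RES1` and `R_RES2` did; those definitions live in decode.h and are not part of this diff, so they are worth a glance. The same comment fix applies to the mask-parsing switch later in the file.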
@@ -248,7 +254,7 @@ break; default: FatalError("%s(%d): bad TCP flag = \"%c\"\n" - "Valid otions: UAPRSF12 or 0 for NO flags (e.g. NULL scan)," + "Valid otions: UAPRSFCE or 0 for NO flags (e.g. NULL scan)," " and !, + or * for modifiers\n", file_name, file_line, *fptr); } @@ -259,7 +265,7 @@ while(isspace((u_char) *fptr)) fptr++; - + /* create the mask portion now */ while(fptr < fend && comma_set == 1) { @@ -284,26 +290,30 @@ case 'P': idx->tcp_mask |= R_PSH; break; - + case 'a': case 'A': idx->tcp_mask |= R_ACK; break; - + case 'u': case 'U': idx->tcp_mask |= R_URG; break; - + case '1': /* reserved bit flags */ - idx->tcp_mask |= R_RES1; + case 'c': + case 'C': + idx->tcp_mask |= R_CWR; /* Congestion Window Reduced, RFC 3168 */ break; case '2': /* reserved bit flags */ - idx->tcp_mask |= R_RES2; + case 'e': + case 'E': + idx->tcp_mask |= R_ECE; /* ECN echo, RFC 3168 */ break; default: - FatalError(" Line %s (%d): bad TCP flag = \"%c\"\n Valid otions: UAPRS12 \n", + FatalError(" Line %s (%d): bad TCP flag = \"%c\"\n Valid otions: UAPRSFCE \n", file_name, file_line, *fptr); } @@ -325,13 +335,13 @@ PROFILE_VARS; PREPROC_PROFILE_START(tcpFlagsPerfStats); - + if(!p->tcph) { /* if error appeared when tcp header was processed, * test fails automagically */ PREPROC_PROFILE_END(tcpFlagsPerfStats); - return rval; + return rval; } /* the flags we really want to check are all the ones diff -Nru snort-2.8.5.2/src/detection-plugins/sp_tcp_flag_check.h snort-2.9.2/src/detection-plugins/sp_tcp_flag_check.h --- snort-2.8.5.2/src/detection-plugins/sp_tcp_flag_check.h 2009-05-06 22:28:38.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_tcp_flag_check.h 2011-02-09 23:23:07.000000000 +0000 
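Review bot: The updated error string in the first hunk still reads `Valid otions: UAPRSFCE`, so the typo survives the edit, and it no longer mentions `1` and `2`, which the switch above continues to accept as aliases for `C` and `E`; `"Valid options: UAPRSFCE (1 and 2 accepted for C and E) or 0 for NO flags (e.g. NULL scan),"` would describe what the parser actually does. The mask-side message in the `@@ -284,26 +290,30 @@` hunk has the same typo and now advertises `F`, which is fine provided the mask switch handles it; its first cases are outside the hunk, so that could not be confirmed here.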
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.8.5.2/src/detection-plugins/sp_tcp_seq_check.c snort-2.9.2/src/detection-plugins/sp_tcp_seq_check.c --- snort-2.8.5.2/src/detection-plugins/sp_tcp_seq_check.c 2009-05-06 22:28:38.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_tcp_seq_check.c 2011-06-08 00:33:10.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify @@ -28,12 +28,14 @@ #include #include +#include "sf_types.h" #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" #include "util.h" -#include "debug.h" +#include "snort_debug.h" #include "plugin_enum.h" #include "snort.h" @@ -87,7 +89,7 @@ } /**************************************************************************** - * + * * Function: SetupTcpSeqCheck() * * Purpose: Link the seq keyword to the initialization function @@ -100,7 +102,7 @@ void SetupTcpSeqCheck(void) { /* map the keyword to an initialization/processing function */ - RegisterRuleOption("seq", TcpSeqCheckInit, NULL, OPT_TYPE_DETECTION); + RegisterRuleOption("seq", TcpSeqCheckInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("seq", &tcpSeqPerfStats, 3, &ruleOTNEvalPerfStats); #endif @@ -110,7 +112,7 @@ /**************************************************************************** - * + * * Function: TcpSeqCheckInit(char *, OptTreeNode *) * * Purpose: Attach the option data to the rule data struct and link in the 
@@ -130,7 +132,7 @@ FatalError("Line %s (%d): TCP Options on non-TCP rule\n", file_name, file_line); } - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_TCP_SEQ_CHECK]) { FatalError("%s(%d): Multiple TCP seq options in rule\n", file_name, @@ -142,11 +144,11 @@ otn->ds_list[PLUGIN_TCP_SEQ_CHECK] = (TcpSeqCheckData *) SnortAlloc(sizeof(TcpSeqCheckData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseTcpSeq(data, otn); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(CheckTcpSeqEq, otn); fpl->type = RULE_OPTION_TYPE_TCP_SEQ; @@ -156,7 +158,7 @@ /**************************************************************************** - * + * * Function: ParseTcpSeq(char *, OptTreeNode *) * * Purpose: Attach the option rule's argument to the data struct. @@ -179,7 +181,7 @@ ds_ptr->tcp_seq = strtoul(data, ep, 0); ds_ptr->tcp_seq = htonl(ds_ptr->tcp_seq); - + if (add_detection_option(RULE_OPTION_TYPE_TCP_SEQ, (void *)ds_ptr, &ds_ptr_dup) == DETECTION_OPTION_EQUAL) { otn->ds_list[PLUGIN_TCP_SEQ_CHECK] = ds_ptr_dup; @@ -192,7 +194,7 @@ /**************************************************************************** - * + * * Function: CheckTcpSeqEq(char *, OptTreeNode *) * * Purpose: Check to see if the packet's TCP ack field is equal to the rule 
@@ -220,7 +222,7 @@ { rval = DETECTION_OPTION_MATCH; } -#ifdef DEBUG +#ifdef DEBUG_MSGS else { /* you can put debug comments here or not */ diff -Nru snort-2.8.5.2/src/detection-plugins/sp_tcp_seq_check.h snort-2.9.2/src/detection-plugins/sp_tcp_seq_check.h --- snort-2.8.5.2/src/detection-plugins/sp_tcp_seq_check.h 2009-05-06 22:28:39.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_tcp_seq_check.h 2011-02-09 23:23:07.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.8.5.2/src/detection-plugins/sp_tcp_win_check.c snort-2.9.2/src/detection-plugins/sp_tcp_win_check.c --- snort-2.8.5.2/src/detection-plugins/sp_tcp_win_check.c 2009-05-06 22:28:39.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_tcp_win_check.c 2011-07-13 22:44:51.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify @@ -32,12 +32,14 @@ #endif #include +#include "sf_types.h" #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" #include "util.h" -#include "debug.h" +#include "snort_debug.h" #include "plugin_enum.h" #include "snort.h" @@ -95,7 +97,7 @@ /**************************************************************************** - * + * * Function: SetupTcpWinCheck() * * Purpose: Associate the window keyword with TcpWinCheckInit 
@@ -108,7 +110,7 @@ void SetupTcpWinCheck(void) { /* map the keyword to an initialization/processing function */ - RegisterRuleOption("window", TcpWinCheckInit, NULL, OPT_TYPE_DETECTION); + RegisterRuleOption("window", TcpWinCheckInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("window", &tcpWinPerfStats, 3, &ruleOTNEvalPerfStats); #endif @@ -116,7 +118,7 @@ /**************************************************************************** - * + * * Function: TcpWinCheckInit(char *, OptTreeNode *) * * Purpose: Setup the window data struct and link the function into option @@ -133,27 +135,27 @@ OptFpList *fpl; if(protocol != IPPROTO_TCP) { - FatalError("%s(%d): TCP Options on non-TCP rule\n", + FatalError("%s(%d): TCP Options on non-TCP rule\n", file_name, file_line); } - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_TCP_WIN_CHECK]) { FatalError("%s(%d): Multiple TCP window options in rule\n", file_name, file_line); } - + /* allocate the data structure and attach it to the rule's data struct list */ otn->ds_list[PLUGIN_TCP_WIN_CHECK] = (TcpWinCheckData *) SnortAlloc(sizeof(TcpWinCheckData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseTcpWin(data, otn); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(TcpWinCheckEq, otn); fpl->type = RULE_OPTION_TYPE_TCP_WIN; 
@@ -163,10 +165,10 @@ /**************************************************************************** - * + * * Function: ParseTcpWin(char *, OptTreeNode *) * - * Purpose: Convert the tos option argument to data and plug it into the + * Purpose: Convert the tos option argument to data and plug it into the * data structure * * Arguments: data => argument data @@ -179,7 +181,9 @@ { TcpWinCheckData *ds_ptr; /* data struct pointer */ void *ds_ptr_dup; - uint16_t win_size; + int win_size = 0; + char *endTok; + char *start; /* set the ds pointer to make it easier to reference the option's particular data struct */ 
@@ -194,28 +198,45 @@ if(data[0] == '!') { ds_ptr->not_flag = 1; + start = &data[1]; + } + else + { + start = &data[0]; } - if(index(data, (int) 'x') == NULL && index(data, (int)'X') == NULL) + if(index(start, (int) 'x') == NULL && index(start, (int)'X') == NULL) { - win_size = atoi(data); + win_size = SnortStrtolRange(start, &endTok, 10, 0, UINT16_MAX); + if ((endTok == start) || (*endTok != '\0')) + { + FatalError("%s(%d) => Invalid parameter '%s' to 'window' (not a " + "number?) \n", file_name, file_line, data); + } } else { - if(index(data,(int)'x')) + /* hex? */ + start = index(data,(int)'x'); + if(!start) { - win_size = (uint16_t) strtol((index(data, (int)'x')+1), NULL, 16); + start = index(data,(int)'X'); } - else + if (start) { - win_size = (uint16_t) strtol((index(data, (int)'X')+1), NULL, 16); + win_size = SnortStrtolRange(start+1, &endTok, 16, 0, UINT16_MAX); + } + if (!start || (endTok == start+1) || (*endTok != '\0')) + { + FatalError("%s(%d) => Invalid parameter '%s' to 'window' (not a " + "number?) \n", file_name, file_line, data); } } - ds_ptr->tcp_win = htons(win_size); + ds_ptr->tcp_win = htons((uint16_t)win_size); -#ifdef DEBUG - printf("TCP Window set to 0x%X\n", ds_ptr->tcp_win); +#ifdef DEBUG_MSGS + DebugMessage(DEBUG_PLUGIN,"TCP Window set to 0x%X\n", ds_ptr->tcp_win); #endif if (add_detection_option(RULE_OPTION_TYPE_TCP_WIN, (void *)ds_ptr, &ds_ptr_dup) == DETECTION_OPTION_EQUAL) @@ -227,11 +248,11 @@ /**************************************************************************** - * + * * Function: TcpWinCheckEq(char *, OptTreeNode *) * * Purpose: Test the TCP header's window to see if its value is equal to the - * value in the rule. + * value in the rule. * * Arguments: data => argument data * otn => pointer to the current rule's OTN 
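Review bot: In the hex branch nothing before the `x`/`X` is validated: `index()` finds the first `x` anywhere in `data`, so `window:123x10` or `window:!ffx10` is accepted as 0x10 with the leading text silently dropped, while the decimal branch rejects any stray character through `endTok`. After locating `start`, require that the only characters before it are the optional `!` and a `0`: `if (!start || (start - data) != (ds_ptr->not_flag ? 2 : 1) || start[-1] != '0') FatalError(...)`. The debug line prints `ds_ptr->tcp_win`, which has already been through `htons()`, so it shows the byte-swapped value on little-endian hosts; print `win_size` instead. The function's header comment just above this hunk still says "Convert the tos option argument", presumably a leftover from the tos plugin.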
@@ -255,7 +276,7 @@ { rval = DETECTION_OPTION_MATCH; } -#ifdef DEBUG +#ifdef DEBUG_MSGS else { /* you can put debug comments here or not */ diff -Nru snort-2.8.5.2/src/detection-plugins/sp_tcp_win_check.h snort-2.9.2/src/detection-plugins/sp_tcp_win_check.h --- snort-2.8.5.2/src/detection-plugins/sp_tcp_win_check.h 2009-05-06 22:28:39.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_tcp_win_check.h 2011-02-09 23:23:07.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.8.5.2/src/detection-plugins/sp_ttl_check.c snort-2.9.2/src/detection-plugins/sp_ttl_check.c --- snort-2.8.5.2/src/detection-plugins/sp_ttl_check.c 2009-05-06 22:28:39.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_ttl_check.c 2011-06-08 00:33:10.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify @@ -27,9 +27,11 @@ #include #include +#include "sf_types.h" #include "rules.h" +#include "treenodes.h" #include "decode.h" -#include "debug.h" +#include "snort_debug.h" #include "plugbase.h" #include "parser.h" #include "plugin_enum.h" @@ -50,6 +52,8 @@ #define TTL_CHECK_GT 2 #define TTL_CHECK_LT 3 #define TTL_CHECK_RG 4 +#define TTL_CHECK_GT_EQ 5 +#define TTL_CHECK_LT_EQ 6 typedef struct _TtlCheckData { @@ -63,7 +67,7 @@ int CheckTtl(void *option_data, Packet *p); /**************************************************************************** - * + * * Function: SetupTtlCheck() * * Purpose: Register the ttl option keyword with its setup function 
@@ -76,7 +80,7 @@ void SetupTtlCheck(void) { /* map the keyword to an initialization/processing function */ - RegisterRuleOption("ttl", TtlCheckInit, NULL, OPT_TYPE_DETECTION); + RegisterRuleOption("ttl", TtlCheckInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("ttl_check", &ttlCheckPerfStats, 3, &ruleOTNEvalPerfStats); #endif @@ -108,7 +112,7 @@ if (!left || !right) return DETECTION_OPTION_NOT_EQUAL; - + if ((left->ttl == right->ttl) && (left->h_ttl == right->h_ttl) && (left->oper == right->oper)) @@ -120,7 +124,7 @@ } /**************************************************************************** - * + * * Function: TtlCheckInit(char *, OptTreeNode *) * * Purpose: Parse the ttl keyword arguments and link the detection module @@ -134,7 +138,7 @@ ****************************************************************************/ void TtlCheckInit(char *data, OptTreeNode *otn, int protocol) { - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_TTL_CHECK]) { FatalError("%s(%d): Multiple IP ttl options in rule\n", file_name, @@ -146,7 +150,7 @@ otn->ds_list[PLUGIN_TTL_CHECK] = (TtlCheckData *) SnortAlloc(sizeof(TtlCheckData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseTtl(data, otn); @@ -157,7 +161,7 @@ /**************************************************************************** - * + * * Function: ParseTtl(char *, OptTreeNode *) * * Purpose: Parse the TTL keyword's arguments 
@@ -174,36 +178,74 @@ TtlCheckData *ds_ptr; /* data struct pointer */ void *ds_ptr_dup; char ttlrel; + char *endTok; + int ttl; + char *origData = data; + char *curPtr = data; + int equals_present = 0, rel_present =0; /* set the ds pointer to make it easier to reference the option's particular data struct */ ds_ptr = (TtlCheckData *)otn->ds_list[PLUGIN_TTL_CHECK]; + if(data == NULL) + { + FatalError("%s(%d) => No arguments to 'ttl' \n" + , file_name, file_line); + } + while(isspace((int)*data)) data++; ttlrel = *data; + curPtr = data; switch (ttlrel) { case '-': ds_ptr->h_ttl = -1; /* leading dash flag */ + data++; + rel_present = 1; + break; case '>': case '<': + curPtr++; + while(isspace((int)*curPtr)) curPtr++; + if((*curPtr) == '=') + { + equals_present = 1; + data = curPtr; + } case '=': data++; + rel_present = 1; break; - default: + default: ttlrel = '='; } while(isspace((int)*data)) data++; - ds_ptr->ttl = atoi(data); + ttl = SnortStrtol(data, &endTok, 10); + /* next char after first number must either be - or NULL */ + if ((endTok == data) || ((*endTok != '-') && (*endTok != '\0'))) + { + FatalError("%s(%d) => Invalid parameter '%s' to 'ttl' (not a " + "number?) \n", file_name, file_line, origData); + } - /* skip digit */ - while(isdigit((int)*data)) data++; - /* and spaces.. if any */ - while(isspace((int)*data)) data++; + if (ttl< 0 || ttl > 255) + { + FatalError("%s(%d) => Invalid number '%s' to 'ttl' (should be between 0 to " + "255) \n", file_name, file_line, origData); + } + ds_ptr->ttl = ttl; + + data = endTok; if (*data == '-') { + if(rel_present || (ds_ptr->h_ttl == -1 )) + { + FatalError("%s(%d) => Invalid parameter '%s' to 'ttl' (not a " + "number?) \n", file_name, file_line, origData); + } data++; ttlrel = '-'; } 
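Review bot: The `'>'`/`'<'` case intentionally runs into `case '=':` to consume the operator character, but nothing marks this; add `/* FALLTHROUGH: consume the operator char */` before `case '=':` so the next reader (and `-Wimplicit-fallthrough`) does not take it for a bug. The `isspace((int)*data)` calls pass a plain `char`, which is undefined for bytes above 0x7F where `char` is signed; the flags parser in this same patch uses `isspace((u_char) *fptr)`, so `isspace((unsigned char)*data)` would be both correct and consistent. The new `*endTok` check also rejects trailing whitespace that `atoi()` used to tolerate, which is fine only if the rule parser trims option values before they reach here — worth confirming.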
@@ -211,11 +253,17 @@ { case '>': fpl = AddOptFuncToList(CheckTtl, otn); - ds_ptr->oper = TTL_CHECK_GT; + if(equals_present) + ds_ptr->oper = TTL_CHECK_GT_EQ; + else + ds_ptr->oper = TTL_CHECK_GT; break; - case '<': + case '<': fpl = AddOptFuncToList(CheckTtl, otn); - ds_ptr->oper = TTL_CHECK_LT; + if(equals_present) + ds_ptr->oper = TTL_CHECK_LT_EQ; + else + ds_ptr->oper = TTL_CHECK_LT; break; case '=': fpl = AddOptFuncToList(CheckTtl, otn); @@ -223,19 +271,35 @@ break; case '-': while(isspace((int)*data)) data++; - if (ds_ptr->h_ttl != -1 && atoi(data) == 0) + if (ds_ptr->h_ttl != -1) { - ds_ptr->h_ttl = 255; + if(*data=='\0') + { + ds_ptr->h_ttl = 255; + } + else + { + ttl = SnortStrtol(data, &endTok, 10); + if ((endTok == data) || (*endTok != '\0') || (ds_ptr->ttl > ttl)) + { + FatalError("%s(%d) => Invalid parameter '%s' to 'ttl' " + "(not a number or invalid range?) \n", file_name, file_line, origData); + } + if (ttl< 0 || ttl > 255) + { + FatalError("%s(%d) => Invalid number '%s' to 'ttl' (should be between 0 to " + "255) \n", file_name, file_line, origData); + } + if (ttl == 0) + ds_ptr->h_ttl = 255; + else + ds_ptr->h_ttl = ttl; + } } - else - { - ds_ptr->h_ttl = atoi(data); - } - /* sanity check.. */ - if (ds_ptr->h_ttl < ds_ptr->ttl) + else /* leading dash*/ { ds_ptr->h_ttl = ds_ptr->ttl; - ds_ptr->ttl = atoi(data); + ds_ptr->ttl = 0; } fpl = AddOptFuncToList(CheckTtl, otn); ds_ptr->oper = TTL_CHECK_RG; @@ -279,7 +343,7 @@ case TTL_CHECK_EQ: if (ttlCheckData->ttl == GET_IPH_TTL(p)) rval = DETECTION_OPTION_MATCH; -#ifdef DEBUG +#ifdef DEBUG_MSGS else { DebugMessage(DEBUG_PLUGIN, "CheckTtlEq: Not equal to %d\n", @@ -290,7 +354,7 @@ case TTL_CHECK_GT: if (ttlCheckData->ttl < GET_IPH_TTL(p)) rval = DETECTION_OPTION_MATCH; -#ifdef DEBUG +#ifdef DEBUG_MSGS else { DebugMessage(DEBUG_PLUGIN, "CheckTtlEq: Not greater than %d\n", 
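Review bot: In the range branch the `ds_ptr->ttl > ttl` comparison runs before the `ttl == 0` → 255 mapping, so `ttl:5-0` is rejected as an invalid range while `ttl:0-0` yields 0–255; the "0 means maximum" special case is effectively reachable only when the lower bound is also 0. Do the numeric and 0–255 checks first, map 0 to 255, and only then compare against the lower bound. The enclosing `switch (ttlrel)` and the function start before this hunk.
```c
            ttl = SnortStrtol(data, &endTok, 10);
            if ((endTok == data) || (*endTok != '\0') || (ttl < 0) || (ttl > 255))
            {
                FatalError("%s(%d) => Invalid parameter '%s' to 'ttl' "
                    "(not a number or out of range 0-255?) \n", file_name, file_line, origData);
            }
            /* an upper bound of 0 means "up to the maximum" */
            if (ttl == 0)
                ttl = 255;
            if (ds_ptr->ttl > ttl)
            {
                FatalError("%s(%d) => Invalid range '%s' to 'ttl' \n",
                    file_name, file_line, origData);
            }
            ds_ptr->h_ttl = ttl;
        /* … unchanged: leading-dash branch, AddOptFuncToList, oper = TTL_CHECK_RG … */
```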
@@ -301,7 +365,7 @@ case TTL_CHECK_LT: if (ttlCheckData->ttl > GET_IPH_TTL(p)) rval = DETECTION_OPTION_MATCH; -#ifdef DEBUG +#ifdef DEBUG_MSGS else { DebugMessage(DEBUG_PLUGIN, "CheckTtlEq: Not less than %d\n", @@ -309,14 +373,37 @@ } #endif break; + case TTL_CHECK_GT_EQ: + if (ttlCheckData->ttl <= GET_IPH_TTL(p)) + rval = DETECTION_OPTION_MATCH; +#ifdef DEBUG_MSGS + else + { + DebugMessage(DEBUG_PLUGIN, "CheckTtlEq: Not greater than or equal to %d\n", + ttlCheckData->ttl); + } +#endif + break; + case TTL_CHECK_LT_EQ: + if (ttlCheckData->ttl >= GET_IPH_TTL(p)) + rval = DETECTION_OPTION_MATCH; +#ifdef DEBUG_MSGS + else + { + DebugMessage(DEBUG_PLUGIN, "CheckTtlEq: Not less than or equal to %d\n", + ttlCheckData->ttl); + } +#endif + break; + case TTL_CHECK_RG: if ((ttlCheckData->ttl <= GET_IPH_TTL(p)) && (ttlCheckData->h_ttl >= GET_IPH_TTL(p))) rval = DETECTION_OPTION_MATCH; -#ifdef DEBUG +#ifdef DEBUG_MSGS else { - DebugMessage(DEBUG_PLUGIN, "CheckTtlLT: Not Within the range %d - %d (%d)\n", + DebugMessage(DEBUG_PLUGIN, "CheckTtlLT: Not Within the range %d - %d (%d)\n", ttlCheckData->ttl, ttlCheckData->h_ttl, GET_IPH_TTL(p)); diff -Nru snort-2.8.5.2/src/detection-plugins/sp_ttl_check.h snort-2.9.2/src/detection-plugins/sp_ttl_check.h --- snort-2.8.5.2/src/detection-plugins/sp_ttl_check.h 2009-05-06 22:28:39.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_ttl_check.h 2011-02-09 23:23:07.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.8.5.2/src/detection-plugins/sp_urilen_check.c snort-2.9.2/src/detection-plugins/sp_urilen_check.c --- snort-2.8.5.2/src/detection-plugins/sp_urilen_check.c 2009-05-06 22:28:40.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_urilen_check.c 2011-10-26 14:49:57.000000000 +0000 
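Review bot: The debug messages added for the new `TTL_CHECK_GT_EQ` and `TTL_CHECK_LT_EQ` cases are prefixed `CheckTtlEq:`, copied from the equality case, which makes the trace misleading when tracking down a rule that does not fire; label them `"CheckTtl: Not greater than or equal to %d\n"` and `"CheckTtl: Not less than or equal to %d\n"`. The pre-existing cases carry the same copy-paste prefix, but the new lines need not add to it. The enclosing `switch` starts before this hunk.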
@@ -1,26 +1,25 @@ /* $Id */ -/* -** Copyright (C) 2005-2009 Sourcefire, Inc. -** -** This program is free software; you can redistribute it and/or modify -** it under the terms of the GNU General Public License Version 2 as -** published by the Free Software Foundation. You may not use, modify or -** distribute this program under any other version of the GNU General -** Public License. -** -** This program is distributed in the hope that it will be useful, -** but WITHOUT ANY WARRANTY; without even the implied warranty of -** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -** GNU General Public License for more details. -** -** You should have received a copy of the GNU General Public License -** along with this program; if nto, write to the Free Software -** Foundation, Inc., 59 Temple Place - Suite 330, Bosotn, MA 02111-1307, USA. -*/ +/* + ** Copyright (C) 2005-2011 Sourcefire, Inc. + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if nto, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Bosotn, MA 02111-1307, USA. + */ /* - * sp_urilen_check.c: Detection plugin to expose URI length to - * user rules. + * sp_urilen_check.c: Detection plugin to expose URI length to user rules. */ #ifdef HAVE_CONFIG_H 
@@ -31,14 +30,17 @@ #include #include +#include "sf_types.h" #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "plugbase.h" -#include "debug.h" +#include "snort_debug.h" #include "parser.h" #include "plugin_enum.h" #include "util.h" #include "sfhashfcn.h" +#include "mstring.h" #include "sp_urilen_check.h" @@ -51,8 +53,7 @@ #include "sfhashfcn.h" #include "detection_options.h" - -extern HttpUri UriBufs[URI_COUNT]; +#include "detection_util.h" void UriLenCheckInit( char*, OptTreeNode*, int ); void ParseUriLen( char*, OptTreeNode* ); @@ -69,7 +70,8 @@ mix(a,b,c); - a += RULE_OPTION_TYPE_URILEN; + a += data->uri_buf; + b += RULE_OPTION_TYPE_URILEN; final(a,b,c); @@ -84,9 +86,10 @@ if (!left || !right) return DETECTION_OPTION_NOT_EQUAL; - if ((left->urilen == right->urilen) && - (left->urilen2 == right->urilen2) && - (left->oper == right->oper)) + if ((left->urilen == right->urilen) + && (left->urilen2 == right->urilen2) + && (left->oper == right->oper) + && (left->uri_buf == right->uri_buf)) { return DETECTION_OPTION_EQUAL; } 
@@ -96,57 +99,53 @@ /* Called from plugbase to register any detection plugin keywords. -* + * * PARAMETERS: None. * * RETURNS: Nothing. */ -void -SetupUriLenCheck(void) +void SetupUriLenCheck(void) { - RegisterRuleOption("urilen", UriLenCheckInit, NULL, OPT_TYPE_DETECTION); + RegisterRuleOption("urilen", UriLenCheckInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("urilen_check", &urilenCheckPerfStats, 3, &ruleOTNEvalPerfStats); #endif } -/* Parses the urilen rule arguments and attaches info to +/* Parses the urilen rule arguments and attaches info to * the rule data structure for later use. Attaches detection * function to OTN function list. - * - * PARAMETERS: + * + * PARAMETERS: * * argp: Rule arguments * otnp: Pointer to the current rule option list node - * protocol: Pointer specified for the rule currently being parsed + * protocol: Pointer specified for the rule currently being parsed * * RETURNS: Nothing. */ -void -UriLenCheckInit( char* argp, OptTreeNode* otnp, int protocol ) +void UriLenCheckInit( char* argp, OptTreeNode* otnp, int protocol ) { - /* Sanity check(s) */ - if ( !otnp ) - return; - - /* Check if there have been multiple urilen options specified - * in the same rule. - */ - if ( otnp->ds_list[PLUGIN_URILEN_CHECK] ) - { - FatalError("%s(%d): Multiple urilen options in rule\n", - file_name, file_line ); - } - - otnp->ds_list[PLUGIN_URILEN_CHECK] = - (UriLenCheckData*) SnortAlloc(sizeof(UriLenCheckData)); + /* Sanity check(s) */ + if ( !otnp ) + return; + + /* Check if there have been multiple urilen options specified + * in the same rule. 
+ */ + if ( otnp->ds_list[PLUGIN_URILEN_CHECK] ) + { + FatalError("%s(%d): Multiple urilen options in rule\n", + file_name, file_line ); + } - ParseUriLen( argp, otnp ); + otnp->ds_list[PLUGIN_URILEN_CHECK] = SnortAlloc(sizeof(UriLenCheckData)); + ParseUriLen( argp, otnp ); } /* Parses the urilen rule arguments and attaches the resulting - * parameters to the rule data structure. Based on arguments, + * parameters to the rule data structure. Based on arguments, * attaches the appropriate callback/processing function * to be used when the OTN is evaluated. * 
@@ -158,141 +157,178 @@ * * RETURNS: Nothing. */ -void -ParseUriLen( char* argp, OptTreeNode* otnp ) +void ParseUriLen( char* argp, OptTreeNode* otnp ) { OptFpList *fpl; - UriLenCheckData* datap = NULL; + UriLenCheckData* datap = (UriLenCheckData*)otnp->ds_list[PLUGIN_URILEN_CHECK]; void *datap_dup; - char* curp = NULL; - char* cur_tokenp = NULL; - char* endp = NULL; - int val; - - /* Get the Urilen parameter block */ - datap = (UriLenCheckData*) - otnp->ds_list[PLUGIN_URILEN_CHECK]; - - curp = argp; - - while(isspace((int)*curp)) - curp++; - - /* Parse the string */ - if(isdigit((int)*curp) && strchr(curp, '<') && strchr(curp, '>')) - { - cur_tokenp = strtok(curp, " <>"); - if(!cur_tokenp) - { - FatalError("%s(%d): Invalid 'urilen' argument.\n", - file_name, file_line); - } - - val = strtol(cur_tokenp, &endp, 10); - if(val < 0 || *endp) - { - FatalError("%s(%d): Invalid 'urilen' argument.\n", - file_name, file_line); - } - - datap->urilen = (unsigned short)val; - - cur_tokenp = strtok(NULL, " <>"); - if(!cur_tokenp) - { - FatalError("%s(%d): Invalid 'urilen' argument.\n", - file_name, file_line); - } - - val = strtol(cur_tokenp, &endp, 10); - if(val < 0 || *endp) - { - FatalError("%s(%d): Invalid 'urilen' argument.\n", - file_name, file_line); - } + char* curp = NULL; + char **toks; + int num_toks; + + toks = mSplit(argp, ",", 2, &num_toks, '\\'); + if (!num_toks) + { + FatalError("%s(%d): 'urilen' requires arguments.\n", + file_name, file_line); + } + + curp = toks[0]; + + /* Parse the string */ + if (isdigit((int)*curp) && strstr(curp, "<>")) + { + char **mtoks; + int num_mtoks; + char* endp = NULL; + long int val; + + mtoks = mSplit(curp, "<>", 2, &num_mtoks, '\\'); + if (num_mtoks != 2) + { + FatalError("%s(%d): Invalid 'urilen' argument.\n", + file_name, file_line); + } + + val = strtol(mtoks[0], &endp, 0); + if ((val < 0) || *endp || (val > UINT16_MAX)) + { + FatalError("%s(%d): Invalid 'urilen' argument.\n", + file_name, file_line); + } + + datap->urilen = 
(uint16_t)val; + + val = strtol(mtoks[1], &endp, 0); + if ((val < 0) || *endp || (val > UINT16_MAX)) + { + FatalError("%s(%d): Invalid 'urilen' argument.\n", + file_name, file_line); + } + + datap->urilen2 = (uint16_t)val; + + if (datap->urilen2 < datap->urilen) + { + uint16_t tmp = datap->urilen; + datap->urilen = datap->urilen2; + datap->urilen2 = tmp; + } - datap->urilen2 = (unsigned short)val; - fpl = AddOptFuncToList(CheckUriLen, otnp ); datap->oper = URILEN_CHECK_RG; - if (add_detection_option(RULE_OPTION_TYPE_URILEN, (void *)datap, &datap_dup) == DETECTION_OPTION_EQUAL) + + mSplitFree(&mtoks, num_mtoks); + } + else + { + char* endp = NULL; + long int val; + + if(*curp == '>') + { + curp++; + datap->oper = URILEN_CHECK_GT; + } + else if(*curp == '<') + { + curp++; + datap->oper = URILEN_CHECK_LT; + } + else + { + datap->oper = URILEN_CHECK_EQ; + } + + while(isspace((int)*curp)) curp++; + + if (!*curp) + { + FatalError("%s(%d): Invalid 'urilen' argument.\n", + file_name, file_line); + } + + val = strtol(curp, &endp, 0); + if ((val < 0) || *endp || (val > UINT16_MAX)) + { + FatalError("%s(%d): Invalid 'urilen' argument.\n", + file_name, file_line); + } + + if ((datap->oper == URILEN_CHECK_LT) && (val == 0)) { - otnp->ds_list[PLUGIN_URILEN_CHECK] = datap_dup; - free(datap); + FatalError("%s(%d): Invalid 'urilen' argument.\n", + file_name, file_line); } - fpl->type = RULE_OPTION_TYPE_URILEN; - fpl->context = otnp->ds_list[PLUGIN_URILEN_CHECK]; - return; - } - else if(*curp == '>') - { - curp++; - fpl = AddOptFuncToList(CheckUriLen, otnp ); - datap->oper = URILEN_CHECK_GT; - } - else if(*curp == '<') - { - curp++; - fpl = AddOptFuncToList(CheckUriLen, otnp ); - datap->oper = URILEN_CHECK_LT; - } - else - { - fpl = AddOptFuncToList(CheckUriLen, otnp ); - datap->oper = URILEN_CHECK_EQ; - } - - while(isspace((int)*curp)) curp++; - - val = strtol(curp, &endp, 10); - if(val < 0 || *endp) - { - FatalError("%s(%d): Invalid 'urilen' argument.\n", - file_name, file_line); 
- } + datap->urilen = (uint16_t)val; + } + + if (num_toks > 1) + { + if (!strcmp(toks[1], URI_LEN_BUF_NORM)) + datap->uri_buf = HTTP_BUFFER_URI; + else if (!strcmp(toks[1], URI_LEN_BUF_RAW)) + datap->uri_buf = HTTP_BUFFER_RAW_URI; + else + FatalError("%s(%d): Invalid 'urilen' argument.\n", + file_name, file_line); + } + else + { + if (strchr(argp, ',')) + { + FatalError("%s(%d): Invalid 'urilen' argument.\n", + file_name, file_line); + } + + datap->uri_buf = HTTP_BUFFER_RAW_URI; + } + + mSplitFree(&toks, num_toks); + + fpl = AddOptFuncToList(CheckUriLen, otnp); + fpl->type = RULE_OPTION_TYPE_URILEN; - datap->urilen = (unsigned short)val; if (add_detection_option(RULE_OPTION_TYPE_URILEN, (void *)datap, &datap_dup) == DETECTION_OPTION_EQUAL) { otnp->ds_list[PLUGIN_URILEN_CHECK] = datap_dup; free(datap); } - fpl->type = RULE_OPTION_TYPE_URILEN; + fpl->context = otnp->ds_list[PLUGIN_URILEN_CHECK]; } -int -CheckUriLen(void *option_data, Packet *p) +int CheckUriLen(void *option_data, Packet *p) { - UriLenCheckData *urilenCheckData = (UriLenCheckData *)option_data; + UriLenCheckData *udata = (UriLenCheckData *)option_data; int rval = DETECTION_OPTION_NO_MATCH; + uint16_t uri_len = UriBufs[udata->uri_buf].length; PROFILE_VARS; PREPROC_PROFILE_START(urilenCheckPerfStats); - if ((p->packet_flags & PKT_REBUILT_STREAM) || ( !UriBufs[0].uri )) + if (!p->uri_count || !uri_len) { PREPROC_PROFILE_END(urilenCheckPerfStats); return rval; } - switch (urilenCheckData->oper) + switch (udata->oper) { case URILEN_CHECK_EQ: - if (urilenCheckData->urilen == UriBufs[0].length ) + if (udata->urilen == uri_len) rval = DETECTION_OPTION_MATCH; break; case URILEN_CHECK_GT: - if (urilenCheckData->urilen < UriBufs[0].length ) + if (udata->urilen < uri_len) rval = DETECTION_OPTION_MATCH; break; case URILEN_CHECK_LT: - if (urilenCheckData->urilen > UriBufs[0].length ) + if (udata->urilen > uri_len) rval = DETECTION_OPTION_MATCH; break; case URILEN_CHECK_RG: - if ((urilenCheckData->urilen <= 
UriBufs[0].length ) && - (urilenCheckData->urilen2 >= UriBufs[0].length )) + if ((udata->urilen <= uri_len) && (udata->urilen2 >= uri_len)) rval = DETECTION_OPTION_MATCH; break; default: diff -Nru snort-2.8.5.2/src/detection-plugins/sp_urilen_check.h snort-2.9.2/src/detection-plugins/sp_urilen_check.h --- snort-2.8.5.2/src/detection-plugins/sp_urilen_check.h 2009-05-06 22:28:40.000000000 +0000 +++ snort-2.9.2/src/detection-plugins/sp_urilen_check.h 2011-08-17 17:58:09.000000000 +0000 
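Review bot: The old code skipped leading whitespace before testing `*curp`; the rewrite dropped that, so unless `mSplit()` or the rule parser already trims the value, `urilen: 5<>10` no longer starts with a digit, falls into the single-value branch and dies with "Invalid 'urilen' argument". Restore `while (isspace((int)*curp)) curp++;` right after `curp = toks[0];`. Separately, the three `strtol()` calls switched from base 10 to base 0, so a leading zero now selects octal (`urilen:010` is 8) and `0x` hex is accepted — a silent semantic change for existing rules; keep base 10 unless that is intended and documented. ParseUriLen begins inside this hunk, while CheckUriLen continues past its end.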
@@ -1,21 +1,21 @@ /* -** Copyright (C) 2005-2009 Sourcefire, Inc. -** -** This program is free software; you can redistribute it and/or modify -** it under the terms of the GNU General Public License Version 2 as -** published by the Free Software Foundation. You may not use, modify or -** distribute this program under any other version of the GNU General -** Public License. -** -** This program is distributed in the hope that it will be useful, -** but WITHOUT ANY WARRANTY; without even the implied warranty of -** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -** GNU General Public License for more details. -** -** You should have received a copy of the GNU General Public License -** along with this program; if not, write to the Free Software -** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -*/ + ** Copyright (C) 2005-2011 Sourcefire, Inc. + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ /* * sp_urilen_check.h: Structure definitions/function prototype(s) 
@@ -24,23 +24,28 @@ /* $Id */ -#ifndef SP_URILEN_CHECK_H -#define SP_URILEN_CHECK_H +#ifndef _SP_URILEN_CHECK_H_ +#define _SP_URILEN_CHECK_H_ + +#define URI_LEN_BUF_NORM "norm" +#define URI_LEN_BUF_RAW "raw" + +#define URILEN_CHECK_EQ 1 +#define URILEN_CHECK_GT 2 +#define URILEN_CHECK_LT 3 +#define URILEN_CHECK_RG 4 /* Structure stored in the rule OTN struct for use by URILEN * detection plugin code. */ typedef struct _UriLenCheckData { - int urilen; - int urilen2; + uint16_t urilen; + uint16_t urilen2; char oper; -} UriLenCheckData; + int uri_buf; -#define URILEN_CHECK_EQ 1 -#define URILEN_CHECK_GT 2 -#define URILEN_CHECK_LT 3 -#define URILEN_CHECK_RG 4 +} UriLenCheckData; /* * Structure stored in the rule OTN struct for use by URINORMLEN @@ -57,4 +62,4 @@ uint32_t UriLenCheckHash(void *d); int UriLenCheckCompare(void *l, void *r); -#endif /* SP_URILEN_CHECK_H */ +#endif /* _SP_URILEN_CHECK_H_ */ diff -Nru snort-2.8.5.2/src/detection_util.c snort-2.9.2/src/detection_util.c --- snort-2.8.5.2/src/detection_util.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/detection_util.c 2011-06-08 00:33:05.000000000 +0000 
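Review bot: The include guard was renamed to `_SP_URILEN_CHECK_H_`, which is a reserved identifier (a leading underscore followed by an uppercase letter is reserved for the implementation in C); the previous `SP_URILEN_CHECK_H` was the safer spelling. The struct now uses `uint16_t` but the header includes nothing that defines it, so it compiles only when the includer has already pulled in `sf_types.h` or `<stdint.h>` — add that include or state the requirement in the header comment. `uri_buf` stores `HTTP_BUFFER_*` values but is typed `int`; if those constants are an enum, using the enum type would document the valid range.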
@@ -0,0 +1,187 @@ +/* + ** Copyright (C) 2002-2011 Sourcefire, Inc. + ** Copyright (C) 1998-2002 Martin Roesch + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include + +#include "detection_util.h" +#include "sfutil/sf_textlog.h" +#include "rules.h" +#include "snort.h" + + +uint8_t base64_decode_buf[DECODE_BLEN]; +uint32_t base64_decode_size; + +uint8_t mime_present; + +const uint8_t *doe_ptr; +uint8_t doe_buf_flags; +uint16_t detect_flags; + +HttpUri UriBufs[HTTP_BUFFER_MAX]; +DataPointer DetectBuffer; +DataPointer file_data_ptr; +DataBuffer DecodeBuffer; + +#ifdef DEBUG +const char* uri_buffer_name[HTTP_BUFFER_MAX] = +{ + "http_uri", + "http_raw_uri", + "http_header", + "http_raw_header", + "http_client_body", + "http_method", + "http_cookie", + "http_raw_cookie", + "http_stat_code", + "http_stat_msg" +}; +#endif + +static const char* rule_type[RULE_TYPE__MAX] = { + "none", "activate", "alert", "drop", "dynamic", + "log", "pass", "reject", "sdrop" +}; + +#define LOG_CHARS 16 + +static TextLog* tlog = NULL; +static unsigned nEvents = 0; + +static void LogBuffer (const char* s, const uint8_t* p, unsigned n) +{ + char hex[(3*LOG_CHARS)+1]; + char txt[LOG_CHARS+1]; + 
unsigned odx = 0, idx = 0, at = 0; + + if ( !p ) + return; + + if ( n > snort_conf->event_trace_max ) + n = snort_conf->event_trace_max; + + for ( idx = 0; idx < n; idx++) + { + uint8_t byte = p[idx]; + sprintf(hex + 3*odx, "%2.02X ", byte); + txt[odx++] = isprint(byte) ? byte : '.'; + + if ( odx == LOG_CHARS ) + { + txt[odx] = hex[3*odx] = '\0'; + TextLog_Print(tlog, "%s[%2u] %s %s\n", s, at, hex, txt); + at = idx + 1; + odx = 0; + } + } + if ( odx ) + { + txt[odx] = hex[3*odx] = '\0'; + TextLog_Print(tlog, "%s[%2u] %-48.48s %s\n", s, at, hex, txt); + } +} + +void EventTrace_Log (const Packet* p, OptTreeNode* otn, int action) +{ + int i; + const char* acts = (action < RULE_TYPE__MAX) ? rule_type[action] : "ERROR"; + + if ( !tlog ) + return; + + TextLog_Print(tlog, + "\nEvt=%u, Gid=%u, Sid=%u, Rev=%u, Act=%s\n", + event_id, otn->sigInfo.generator, + otn->sigInfo.id, otn->sigInfo.rev, acts + ); + TextLog_Print(tlog, + "Pkt=%lu, Sec=%u.%6u, Len=%u, Cap=%u\n", + pc.total_from_daq, p->pkth->ts.tv_sec, p->pkth->ts.tv_usec, + p->pkth->pktlen, p->pkth->caplen + ); + TextLog_Print(tlog, + "Pkt Bits: Flags=0x%X, PP=0x%X, PPR=0x%X, Proto=0x%X" + ", Err=0x%X\n", + p->packet_flags, p->preprocessor_bits, p->preproc_reassembly_pkt_bits, + (unsigned)p->proto_bits, (unsigned)p->error_flags + ); + TextLog_Print(tlog, + "Pkt Cnts: Dsz=%u, Alt=%u, Bytes2Insp=%d" + ", NUri=%u, NHttp=%u\n", + (unsigned)p->dsize, (unsigned)p->alt_dsize, p->bytes_to_inspect, + (unsigned)p->uri_count, p->http_pipeline_count + ); + TextLog_Print(tlog, "Detect: DoeFlags=0x%X, DetectFlags=0x%X, DetBuf=%u, B64=%u\n", + doe_buf_flags, detect_flags, DetectBuffer.len, base64_decode_size + ); + LogBuffer("Decode", DecodeBuffer.data, DecodeBuffer.len); + LogBuffer("Detect", DetectBuffer.data, DetectBuffer.len); + LogBuffer("FileData", file_data_ptr.data, file_data_ptr.len); + LogBuffer("Base64", base64_decode_buf, base64_decode_size); + if(mime_present) + LogBuffer("Mime", file_data_ptr.data, file_data_ptr.len); + 
+ for ( i = 0; i < HTTP_BUFFER_MAX; i++ ) + { + if ( 0 == UriBufs[i].length ) + continue; + + TextLog_Print(tlog, "%s[%u] = 0x%X\n", + uri_buffer_name[i], UriBufs[i].length, UriBufs[i].encode_type); + + LogBuffer(uri_buffer_name[i], UriBufs[i].uri, UriBufs[i].length); + } + nEvents++; +} + +void EventTrace_Init (void) +{ + if ( snort_conf->event_trace_max > 0 ) + { + time_t now = time(NULL); + const char* ts = ctime(&now); + + char buf[STD_BUF]; + const char* dir = snort_conf->log_dir ? snort_conf->log_dir : "."; + snprintf(buf, sizeof(buf), "%s/%s", dir, snort_conf->event_trace_file); + + tlog = TextLog_Init (buf, 128, 8*1024*1024); + TextLog_Print(tlog, "\nTrace started at %s", ts); + TextLog_Print(tlog, "Trace max_data is %u bytes\n", snort_conf->event_trace_max); + } +} + +void EventTrace_Term (void) +{ + if ( tlog ) + { + time_t now = time(NULL); + const char* ts = ctime(&now); + TextLog_Print(tlog, "\nTraced %u events\n", nEvents); + TextLog_Print(tlog, "Trace stopped at %s", ts); + TextLog_Term(tlog); + } +} + diff -Nru snort-2.8.5.2/src/detection_util.h snort-2.9.2/src/detection_util.h --- snort-2.8.5.2/src/detection_util.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/detection_util.h 2011-11-21 20:15:24.000000000 +0000 
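Review bot: EventTrace_Init prints to `tlog` immediately after `tlog = TextLog_Init (buf, 128, 8*1024*1024);` without checking the result, while EventTrace_Log guards with `if ( !tlog ) return;`; if TextLog_Init can return NULL (an unwritable log_dir, for instance) the two TextLog_Print calls that follow dereference it, so add `if ( !tlog ) return;` (or a fatal error) right after the init. In EventTrace_Log, `Sec=%u.%6u` is fed `p->pkth->ts.tv_sec` and `tv_usec`, whose types (time_t/suseconds_t) are normally wider than unsigned int, so cast both `(unsigned)` to keep the varargs well-defined; the `%lu` for `pc.total_from_daq` should likewise be checked against that counter's actual type. `action` is a signed int but only its upper bound is checked before indexing `rule_type[]`; `(action >= 0 && action < RULE_TYPE__MAX)` completes the guard. The snprintf building the trace path is also unchecked for truncation, which would silently open a different file than configured.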
@@ -0,0 +1,283 @@ +/* + ** Copyright (C) 2002-2011 Sourcefire, Inc. + ** Copyright (C) 1998-2002 Martin Roesch + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + ** + ** Description + ** This file contains the utility functions used by rule options. + ** + */ + +#ifndef __DETECTION_UTIL_H__ +#define __DETECTION_UTIL_H__ + +#include "sf_types.h" +#include "decode.h" +#include "detect.h" +#include "snort.h" +#include "snort_debug.h" +#include "treenodes.h" + +#ifndef DECODE_BLEN +#define DECODE_BLEN 65535 + +#define MAX_URI 8192 + +typedef enum +{ + HTTP_BUFFER_URI, + HTTP_BUFFER_RAW_URI, + HTTP_BUFFER_HEADER, + HTTP_BUFFER_RAW_HEADER, + HTTP_BUFFER_CLIENT_BODY, + HTTP_BUFFER_METHOD, + HTTP_BUFFER_COOKIE, + HTTP_BUFFER_RAW_COOKIE, + HTTP_BUFFER_STAT_CODE, + HTTP_BUFFER_STAT_MSG, + HTTP_BUFFER_MAX +} HTTP_BUFFER; +#endif + +typedef enum { + FLAG_ALT_DECODE = 0x0001, + FLAG_ALT_DETECT = 0x0002, + FLAG_DETECT_ALL = 0xffff +} DetectFlagType; + +#define DOE_BUF_URI 0x01 +#define DOE_BUF_STD 0x02 + +#define HTTPURI_PIPELINE_REQ 0x01 + +#define HTTP_ENCODE_TYPE__UTF8_UNICODE 0x00000001 +#define HTTP_ENCODE_TYPE__DOUBLE_ENCODE 0x00000002 +#define HTTP_ENCODE_TYPE__NONASCII 0x00000004 +#define HTTP_ENCODE_TYPE__BASE36 0x00000008 +#define 
HTTP_ENCODE_TYPE__UENCODE 0x00000010 +#define HTTP_ENCODE_TYPE__BARE_BYTE 0x00000020 +#define HTTP_ENCODE_TYPE__IIS_UNICODE 0x00000040 +#define HTTP_ENCODE_TYPE__ASCII 0x00000080 + +typedef struct _HttpUri +{ + const uint8_t *uri; + uint16_t length; + uint32_t encode_type; +} HttpUri; + +typedef struct { + uint8_t *data; + uint16_t len; +} DataPointer; + + +typedef struct { + uint8_t data[DECODE_BLEN]; + uint16_t len; +} DataBuffer; + +extern uint8_t base64_decode_buf[DECODE_BLEN]; +extern uint32_t base64_decode_size; + +extern uint8_t mime_present; + +extern uint8_t doe_buf_flags; +extern const uint8_t *doe_ptr; + +extern uint16_t detect_flags; + +extern HttpUri UriBufs[HTTP_BUFFER_MAX]; +extern DataPointer DetectBuffer; +extern DataPointer file_data_ptr; +extern DataBuffer DecodeBuffer; + +const char* uri_buffer_name[HTTP_BUFFER_MAX]; + +#define SetDetectLimit(pktPtr, altLen) \ +{ \ + pktPtr->alt_dsize = altLen; \ +} + +#define IsLimitedDetect(pktPtr) (pktPtr->packet_flags & PKT_HTTP_DECODE) + +/* + * Function: setFileDataPtr + * + * Purpose: Sets the file data pointer used by + * file_data rule option. + * + * Arguments: ptr => pointer to the body data + * + * Returns: void + * + */ + +static inline void setFileDataPtr(uint8_t *ptr, uint16_t decode_size) +{ + file_data_ptr.data = ptr; + file_data_ptr.len = decode_size; +} + +/* + * Function: IsBase64DecodeBuf + * + * Purpose: Checks if there is base64 decoded buffer. + * + * Arguments: p => doe_ptr + * + * Returns: Returns 1 if there is base64 decoded data + * and if the doe_ptr is within the buffer. + * Returns 0 otherwise. 
+ * + */ + +static inline int IsBase64DecodeBuf(const uint8_t *p) +{ + if( base64_decode_size && p ) + { + if ((p >= base64_decode_buf) && + (p < (base64_decode_buf + base64_decode_size))) + { + return 1; + } + else + return 0; + } + else + return 0; +} + +/* + * Function: SetDoePtr(const uint8_t *ptr, uint8_t type) + * + * Purpose: This function set the doe_ptr and sets the type of + * buffer to which doe_ptr points. + * + * Arguments: ptr => pointer + * type => type of buffer + * + * Returns: void + * +*/ + +static inline void SetDoePtr(const uint8_t *ptr, uint8_t type) +{ + doe_ptr = ptr; + doe_buf_flags = type; +} + +/* + * Function: UpdateDoePtr(const uint8_t *ptr, uint8_t update) + * + * Purpose: This function updates the doe_ptr and resets the type of + * buffer to which doe_ptr points based on the update value. + * + * Arguments: ptr => pointer + * update => reset the buf flag if update is not zero. + * + * Returns: void + * +*/ + +static inline void UpdateDoePtr(const uint8_t *ptr, uint8_t update) +{ + doe_ptr = ptr; + if(update) + doe_buf_flags = DOE_BUF_STD; +} + +void EventTrace_Init(void); +void EventTrace_Term(void); + +void EventTrace_Log(const Packet*, OptTreeNode*, int action); + +static inline int EventTrace_IsEnabled (void) +{ + return ( snort_conf->event_trace_max > 0 ); +} + +static inline void DetectFlag_Enable(DetectFlagType df) +{ + detect_flags |= df; +} + +static inline void DetectFlag_Disable(DetectFlagType df) +{ + detect_flags &= ~df; +} + +static inline int Is_DetectFlag(DetectFlagType df) +{ + return ( (detect_flags & df) != 0 ); +} + +static inline uint16_t Get_DetectFlags(void) +{ + return detect_flags; +} + +static inline void Reset_DetectFlags(uint16_t dflags) +{ + detect_flags = dflags; +} + +static inline int GetAltDetect(uint8_t **bufPtr, uint16_t *altLenPtr) +{ + if ( Is_DetectFlag(FLAG_ALT_DETECT) ) + { + *bufPtr = DetectBuffer.data; + *altLenPtr = DetectBuffer.len; + return 1; + } + + return 0; +} + +static inline void 
SetAltDetect(uint8_t *buf, uint16_t altLen) +{ + DetectFlag_Enable(FLAG_ALT_DETECT); + DetectBuffer.data = buf; + DetectBuffer.len = altLen; +} + +static inline void SetAltDecode(uint16_t altLen) +{ + DetectFlag_Enable(FLAG_ALT_DECODE); + DecodeBuffer.len = altLen; +} + +static inline void DetectReset(uint8_t *buf, uint16_t altLen) +{ + DetectBuffer.data = buf; + DetectBuffer.len = altLen; + + DetectFlag_Disable(FLAG_DETECT_ALL); + + /* Reset the values */ + + file_data_ptr.data = NULL; + file_data_ptr.len = 0; + base64_decode_size = 0; + doe_buf_flags = 0; + mime_present = 0; + DecodeBuffer.len = 0; +} + + +#endif + diff -Nru snort-2.8.5.2/src/dynamic-examples/dynamic-preprocessor/Makefile.in snort-2.9.2/src/dynamic-examples/dynamic-preprocessor/Makefile.in --- snort-2.8.5.2/src/dynamic-examples/dynamic-preprocessor/Makefile.in 2009-10-19 21:17:59.000000000 +0000 +++ snort-2.9.2/src/dynamic-examples/dynamic-preprocessor/Makefile.in 2011-12-07 19:23:18.000000000 +0000 @@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -16,8 +17,9 @@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c 
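Review bot: `const char* uri_buffer_name[HTTP_BUFFER_MAX];` at file scope in this header is a tentative definition, not a declaration, so every translation unit that includes it emits its own common symbol (a link error under `-fno-common`), and the only initialised table, in detection_util.c, is wrapped in `#ifdef DEBUG` while EventTrace_Log dereferences `uri_buffer_name[i]` unconditionally; in a non-DEBUG build with event_trace enabled that passes NULL to `%s`. The header should read `extern const char* uri_buffer_name[HTTP_BUFFER_MAX];` and the `#ifdef DEBUG` around the table in the .c file should go. The `#ifndef DECODE_BLEN` guard also encloses `MAX_URI` and the whole `HTTP_BUFFER` enum, so if any other header defines DECODE_BLEN first, HTTP_BUFFER_MAX and friends silently disappear; guard only the macro. `SetDetectLimit` is a bare-brace macro and should be `do { ... } while (0)` so it composes with `if`/`else`.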
@@ -42,14 +44,29 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; -am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(noinst_libdir)" -noinst_libLTLIBRARIES_INSTALL = $(INSTALL) LTLIBRARIES = $(noinst_lib_LTLIBRARIES) lib_sfdynamic_preprocessor_example_la_LIBADD = nodist_lib_sfdynamic_preprocessor_example_la_OBJECTS = \ @@ -61,7 +78,7 @@ $(AM_CFLAGS) $(CFLAGS) \ $(lib_sfdynamic_preprocessor_example_la_LDFLAGS) $(LDFLAGS) -o \ $@ -DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = am__depfiles_maybe = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ 
@@ -87,31 +104,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = -I../include INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ @@ -124,12 +141,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -137,20 +160,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -182,6 +212,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -194,6 +225,7 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies 
@@ -223,14 +255,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-examples/dynamic-preprocessor/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/dynamic-examples/dynamic-preprocessor/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-examples/dynamic-preprocessor/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-examples/dynamic-preprocessor/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ 
@@ -248,23 +280,28 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): install-noinst_libLTLIBRARIES: $(noinst_lib_LTLIBRARIES) @$(NORMAL_INSTALL) test -z "$(noinst_libdir)" || $(MKDIR_P) "$(DESTDIR)$(noinst_libdir)" - @list='$(noinst_lib_LTLIBRARIES)'; for p in $$list; do \ + @list='$(noinst_lib_LTLIBRARIES)'; test -n "$(noinst_libdir)" || list=; \ + list2=; for p in $$list; do \ if test -f $$p; then \ - f=$(am__strip_dir) \ - echo " $(LIBTOOL) --mode=install $(noinst_libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(noinst_libdir)/$$f'"; \ - $(LIBTOOL) --mode=install $(noinst_libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(noinst_libdir)/$$f"; \ + list2="$$list2 $$p"; \ else :; fi; \ - done + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(noinst_libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(noinst_libdir)"; \ + } uninstall-noinst_libLTLIBRARIES: @$(NORMAL_UNINSTALL) - @list='$(noinst_lib_LTLIBRARIES)'; for p in $$list; do \ - p=$(am__strip_dir) \ - echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(noinst_libdir)/$$p'"; \ - $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(noinst_libdir)/$$p"; \ + @list='$(noinst_lib_LTLIBRARIES)'; test -n "$(noinst_libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(noinst_libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(noinst_libdir)/$$f"; \ done clean-noinst_libLTLIBRARIES: 
@@ -304,45 +341,49 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i 
$(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags @@ -363,13 +404,17 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @@ -402,6 +447,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -423,6 +469,8 @@ html: html-am +html-am: + info: info-am info-am: @@ -431,18 +479,28 @@ install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am @@ -464,7 +522,7 @@ uninstall-am: uninstall-noinst_libLTLIBRARIES -.MAKE: install-am install-strip +.MAKE: all check install install-am install-strip .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ clean-libtool clean-local clean-noinst_libLTLIBRARIES ctags \ 
@@ -490,6 +548,7 @@ clean-local: rm -f sf_dynamic_preproc_lib.c sfPolicyUserData.c + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/src/dynamic-examples/dynamic-preprocessor/sf_preproc_info.h snort-2.9.2/src/dynamic-examples/dynamic-preprocessor/sf_preproc_info.h --- snort-2.8.5.2/src/dynamic-examples/dynamic-preprocessor/sf_preproc_info.h 2008-02-25 19:27:43.000000000 +0000 +++ snort-2.9.2/src/dynamic-examples/dynamic-preprocessor/sf_preproc_info.h 2011-02-09 23:23:07.000000000 +0000 @@ -1,8 +1,6 @@ -/* - * sf_preproc_info.h +/**************************************************************************** * - * Copyright (C) 2006-2008 Sourcefire,Inc - * Steven A. Sturges + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -19,6 +17,14 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * + ****************************************************************************/ +/* + * sf_preproc_info.h + * + * Author: + * + * Steven A. Sturges + * * Description: * * This file is part of an example of a dynamically loadable preprocessor. diff -Nru snort-2.8.5.2/src/dynamic-examples/dynamic-preprocessor/spp_example.c snort-2.9.2/src/dynamic-examples/dynamic-preprocessor/spp_example.c --- snort-2.8.5.2/src/dynamic-examples/dynamic-preprocessor/spp_example.c 2009-10-20 13:56:12.000000000 +0000 +++ snort-2.9.2/src/dynamic-examples/dynamic-preprocessor/spp_example.c 2011-10-26 18:28:52.000000000 +0000 
@@ -1,8 +1,6 @@ -/* - * spp_example.c +/**************************************************************************** * - * Copyright (C) 2006-2009 Sourcefire,Inc - * Steven A. Sturges + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -19,6 +17,14 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * + ****************************************************************************/ +/* + * spp_example.c + * + * Author: + * + * Steven A. Sturges + * * Description: * * This file is part of an example of a dynamically loadable preprocessor. @@ -32,11 +38,16 @@ #include #include +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "preprocids.h" #include "sf_snort_packet.h" #include "sf_dynamic_preproc_lib.h" #include "sf_dynamic_preprocessor.h" -#include "debug.h" +#include "snort_debug.h" #include "sfPolicy.h" #include "sfPolicyUserData.h" @@ -58,8 +69,6 @@ tSfPolicyUserContextId ex_swap_config = NULL; #endif -extern DynamicPreprocessorData _dpd; - static void ExampleInit(char *); static void ExampleProcess(void *, void *); static ExampleConfig * ExampleParse(char *); @@ -79,7 +88,7 @@ ExampleReloadSwap, ExampleReloadSwapFree); #endif - DEBUG_WRAP(_dpd.debugMsg(DEBUG_PLUGIN, "Preprocessor: Example is setup\n");); + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Preprocessor: Example is setup\n");); } static void ExampleInit(char *args) 
@@ -103,21 +112,21 @@ /* Register the preprocessor function, Transport layer, ID 10000 */ _dpd.addPreproc(ExampleProcess, PRIORITY_TRANSPORT, 10000, PROTO_BIT__TCP | PROTO_BIT__UDP); - DEBUG_WRAP(_dpd.debugMsg(DEBUG_PLUGIN, "Preprocessor: Example is initialized\n");); + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Preprocessor: Example is initialized\n");); } static ExampleConfig * ExampleParse(char *args) { char *arg; char *argEnd; - unsigned long port; + long port; ExampleConfig *config = (ExampleConfig *)calloc(1, sizeof(ExampleConfig)); if (config == NULL) _dpd.fatalMsg("Could not allocate configuration struct.\n"); arg = strtok(args, " \t\n\r"); - if(!strcasecmp("port", arg)) + if(arg && !strcasecmp("port", arg)) { arg = strtok(NULL, "\t\n\r"); if (!arg) @@ -125,18 +134,19 @@ _dpd.fatalMsg("ExamplePreproc: Missing port\n"); } - port = strtoul(arg, &argEnd, 10); + port = strtol(arg, &argEnd, 10); if (port < 0 || port > 65535) { _dpd.fatalMsg("ExamplePreproc: Invalid port %d\n", port); } - config->portToCheck = port; + config->portToCheck = (u_int16_t)port; _dpd.logMsg(" Port: %d\n", config->portToCheck); } else { - _dpd.fatalMsg("ExamplePreproc: Invalid option %s\n", arg); + _dpd.fatalMsg("ExamplePreproc: Invalid option %s\n", + arg?arg:"(missing port)"); } return config; 
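Review bot: In ExampleParse the result of `strtol(arg, &argEnd, 10)` is range-checked but `argEnd` and `errno` are never consulted, so a non-numeric value parses as port 0 and trailing garbage is accepted; because the value token is split on `"\t\n\r"` (no space), an input like `port 80 foo` presumably leaves `"80 foo"` in `arg` and the `foo` is silently ignored. Replace the check with `if (argEnd == arg || *argEnd != '\0' || port < 0 || port > 65535) _dpd.fatalMsg("ExamplePreproc: Invalid port %s\n", arg);`. The existing message uses `%d` with a `long` argument, which is a format/type mismatch on LP64 targets; `%ld` or printing the original string as above fixes it. The enclosing function continues past the end of this hunk.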
@@ -197,7 +207,7 @@ /* Register the preprocessor function, Transport layer, ID 10000 */ _dpd.addPreproc(ExampleProcess, PRIORITY_TRANSPORT, 10000, PROTO_BIT__TCP | PROTO_BIT__UDP); - DEBUG_WRAP(_dpd.debugMsg(DEBUG_PLUGIN, "Preprocessor: Example is initialized\n");); + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Preprocessor: Example is initialized\n");); } static int ExampleReloadSwapPolicyFree(tSfPolicyUserContextId config, tSfPolicyId policyId, void *data) diff -Nru snort-2.8.5.2/src/dynamic-examples/dynamic-rule/detection_lib_meta.h snort-2.9.2/src/dynamic-examples/dynamic-rule/detection_lib_meta.h --- snort-2.8.5.2/src/dynamic-examples/dynamic-rule/detection_lib_meta.h 2008-02-25 19:27:43.000000000 +0000 +++ snort-2.9.2/src/dynamic-examples/dynamic-rule/detection_lib_meta.h 2011-02-09 23:23:07.000000000 +0000 @@ -1,8 +1,6 @@ -/* - * detection_lib_meta.h +/**************************************************************************** * - * Copyright (C) 2006-2008 Sourcefire,Inc - * Steven A. Sturges + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -19,6 +17,14 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * + ****************************************************************************/ +/* + * detection_lib_meta.h + * + * Author: + * + * Steven A. Sturges + * * Description: * * This file is part of an example of a dynamically loadable preprocessor. diff -Nru snort-2.8.5.2/src/dynamic-examples/dynamic-rule/Makefile.am snort-2.9.2/src/dynamic-examples/dynamic-rule/Makefile.am --- snort-2.8.5.2/src/dynamic-examples/dynamic-rule/Makefile.am 2007-10-11 16:07:25.000000000 +0000 +++ snort-2.9.2/src/dynamic-examples/dynamic-rule/Makefile.am 2011-06-08 00:33:10.000000000 +0000 
@@ -7,11 +7,11 @@ noinst_lib_LTLIBRARIES = lib_sfdynamic_example_rule.la -lib_sfdynamic_example_rule_la_LDFLAGS = -export-dynamic +lib_sfdynamic_example_rule_la_LDFLAGS = -export-dynamic @XCCFLAGS@ BUILT_SOURCES = \ sfsnort_dynamic_detection_lib.c \ -sfsnort_dynamic_detection_lib.h +sfsnort_dynamic_detection_lib.h nodist_lib_sfdynamic_example_rule_la_SOURCES = \ sfsnort_dynamic_detection_lib.c \ diff -Nru snort-2.8.5.2/src/dynamic-examples/dynamic-rule/Makefile.in snort-2.9.2/src/dynamic-examples/dynamic-rule/Makefile.in --- snort-2.8.5.2/src/dynamic-examples/dynamic-rule/Makefile.in 2009-10-19 21:17:59.000000000 +0000 +++ snort-2.9.2/src/dynamic-examples/dynamic-rule/Makefile.in 2011-12-07 19:23:18.000000000 +0000 @@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -16,8 +17,9 @@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c 
@@ -42,14 +44,29 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; -am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(noinst_libdir)" -noinst_libLTLIBRARIES_INSTALL = $(INSTALL) LTLIBRARIES = $(noinst_lib_LTLIBRARIES) lib_sfdynamic_example_rule_la_LIBADD = nodist_lib_sfdynamic_example_rule_la_OBJECTS = \ @@ -60,7 +77,7 @@ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(AM_CFLAGS) $(CFLAGS) \ $(lib_sfdynamic_example_rule_la_LDFLAGS) $(LDFLAGS) -o $@ -DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = am__depfiles_maybe = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ 
@@ -86,31 +103,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = -I../include INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ @@ -123,12 +140,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -136,20 +159,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -181,6 +211,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -193,15 +224,16 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies noinst_libdir = ${exec_prefix}/lib/snort_dynamicrules noinst_lib_LTLIBRARIES = lib_sfdynamic_example_rule.la -lib_sfdynamic_example_rule_la_LDFLAGS = -export-dynamic +lib_sfdynamic_example_rule_la_LDFLAGS = -export-dynamic @XCCFLAGS@ BUILT_SOURCES = \ sfsnort_dynamic_detection_lib.c \ -sfsnort_dynamic_detection_lib.h +sfsnort_dynamic_detection_lib.h nodist_lib_sfdynamic_example_rule_la_SOURCES = \ sfsnort_dynamic_detection_lib.c \ 
@@ -226,14 +258,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-examples/dynamic-rule/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/dynamic-examples/dynamic-rule/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-examples/dynamic-rule/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-examples/dynamic-rule/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ 
@@ -251,23 +283,28 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): install-noinst_libLTLIBRARIES: $(noinst_lib_LTLIBRARIES) @$(NORMAL_INSTALL) test -z "$(noinst_libdir)" || $(MKDIR_P) "$(DESTDIR)$(noinst_libdir)" - @list='$(noinst_lib_LTLIBRARIES)'; for p in $$list; do \ + @list='$(noinst_lib_LTLIBRARIES)'; test -n "$(noinst_libdir)" || list=; \ + list2=; for p in $$list; do \ if test -f $$p; then \ - f=$(am__strip_dir) \ - echo " $(LIBTOOL) --mode=install $(noinst_libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(noinst_libdir)/$$f'"; \ - $(LIBTOOL) --mode=install $(noinst_libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(noinst_libdir)/$$f"; \ + list2="$$list2 $$p"; \ else :; fi; \ - done + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(noinst_libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(noinst_libdir)"; \ + } uninstall-noinst_libLTLIBRARIES: @$(NORMAL_UNINSTALL) - @list='$(noinst_lib_LTLIBRARIES)'; for p in $$list; do \ - p=$(am__strip_dir) \ - echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(noinst_libdir)/$$p'"; \ - $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(noinst_libdir)/$$p"; \ + @list='$(noinst_lib_LTLIBRARIES)'; test -n "$(noinst_libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(noinst_libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(noinst_libdir)/$$f"; \ done clean-noinst_libLTLIBRARIES: 
@@ -307,45 +344,49 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i 
$(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags @@ -366,13 +407,17 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @@ -405,6 +450,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -426,6 +472,8 @@ html: html-am +html-am: + info: info-am info-am: @@ -434,18 +482,28 @@ install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am @@ -467,7 +525,7 @@ uninstall-am: uninstall-noinst_libLTLIBRARIES -.MAKE: install-am install-strip +.MAKE: all check install install-am install-strip .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ clean-libtool clean-local clean-noinst_libLTLIBRARIES ctags \ 
@@ -493,6 +551,7 @@ clean-local: rm -f $(BUILT_SOURCES) + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/src/dynamic-examples/dynamic-rule/rules.c snort-2.9.2/src/dynamic-examples/dynamic-rule/rules.c --- snort-2.8.5.2/src/dynamic-examples/dynamic-rule/rules.c 2008-02-25 19:27:43.000000000 +0000 +++ snort-2.9.2/src/dynamic-examples/dynamic-rule/rules.c 2011-02-09 23:23:07.000000000 +0000 @@ -1,8 +1,6 @@ -/* - * rules.c +/**************************************************************************** * - * Copyright (C) 2006-2008 Sourcefire,Inc - * Steven A. Sturges + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -19,6 +17,14 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * + ****************************************************************************/ +/* + * rules.c + * + * Author: + * + * Steven A. Sturges + * * Description: * * This file is part of an example of a dynamically loadable rules library. diff -Nru snort-2.8.5.2/src/dynamic-examples/dynamic-rule/sid109.c snort-2.9.2/src/dynamic-examples/dynamic-rule/sid109.c --- snort-2.8.5.2/src/dynamic-examples/dynamic-rule/sid109.c 2008-02-25 19:27:43.000000000 +0000 +++ snort-2.9.2/src/dynamic-examples/dynamic-rule/sid109.c 2011-07-13 22:44:51.000000000 +0000 @@ -1,8 +1,6 @@ -/* - * sid109.c +/**************************************************************************** * - * Copyright (C) 2006-2008 Sourcefire,Inc - * Steven A. Sturges + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -19,13 +17,10 @@
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
- * Description:
- *
- * This file is part of an example of a dynamically loadable rules library.
- *
- * NOTES:
- *
- */
+ ****************************************************************************/
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
#include "sf_snort_plugin_api.h"
#include "sf_snort_packet.h"
@@ -42,7 +37,7 @@
*/
/* flow:established, from_server; */
-static FlowFlags sid109flow =
+static FlowFlags sid109flow =
{
FLOW_ESTABLISHED|FLOW_TO_CLIENT
};
@@ -56,7 +51,7 @@
};
/* content:"NetBus"; */
-static ContentInfo sid109content =
+static ContentInfo sid109content =
{
(u_int8_t *)"NetBus", /* pattern to search for */
0, /* depth */
@@ -65,10 +60,17 @@
NULL, /* holder for boyer/moore info */
NULL, /* holder for byte representation of "NetBus" */
0, /* holder for length of byte representation */
- 0 /* holder of increment length */
+ 0, /* holder of increment length */
+ 0, /* holder for fp offset */
+ 0, /* holder for fp length */
+ 0, /* holder for fp only */
+ NULL, // offset_refId
+ NULL, // depth_refId
+ NULL, // offset_location
+ NULL // depth_location
};
-static RuleOption sid109option2 =
+static RuleOption sid109option2 =
{
OPTION_TYPE_CONTENT,
{
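Review bot: The seven values appended to `sid109content` in the `@@ -65,10 +60,17 @@` hunk (`0, /* holder for fp offset */` through `NULL // depth_location`) extend a purely positional initializer, so the example now silently depends on the member order of ContentInfo in sf_snort_plugin_api.h matching this comment list; a member later added to or reordered in that struct shifts every following value into the wrong slot without any diagnostic. If the project's compiler baseline allows C99 designated initializers, writing these as `.member = value` with the names the header declares (not visible in this hunk) turns such a mismatch into a compile error and lets the all-zero/NULL "holder" lines be dropped entirely. The new lines also mix `//` with the `/* */` style used by the rest of the initializer; `/* offset_refId */` would keep it uniform. The `sid109option2` definition continues outside the hunk.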
@@ -108,14 +110,15 @@
ANY_PORT /* destination port(s) */
},
/* metadata */
- {
+ {
3, /* genid -- use 3 to distinguish a C rule */
109, /* sigid */
5, /* revision */
"misc-activity", /* classification */
0, /* priority */
"BACKDOOR netbus active", /* message */
- sid109refs /* ptr to references */
+ sid109refs, /* ptr to references */
+ NULL /* Meta data */
},
sid109options, /* ptr to rule options */
NULL, /* Use internal eval func */
diff -Nru snort-2.8.5.2/src/dynamic-examples/dynamic-rule/sid637.c snort-2.9.2/src/dynamic-examples/dynamic-rule/sid637.c
--- snort-2.8.5.2/src/dynamic-examples/dynamic-rule/sid637.c 2008-02-25 19:27:43.000000000 +0000
+++ snort-2.9.2/src/dynamic-examples/dynamic-rule/sid637.c 2011-07-13 22:44:51.000000000 +0000
@@ -1,8 +1,6 @@
-/*
- * sid637.c
+/****************************************************************************
*
- * Copyright (C) 2006-2008 Sourcefire,Inc
- * Steven A. Sturges
+ * Copyright (C) 2005-2011 Sourcefire, Inc.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License Version 2 as
@@ -19,13 +17,10 @@
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
- * Description:
- *
- * This file is part of an example of a dynamically loadable rules library.
- *
- * NOTES:
- *
- */
+ ****************************************************************************/
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
#include "sf_snort_plugin_api.h"
#include "sf_snort_packet.h"
@@ -43,7 +38,7 @@
*/
/* content:"|0A|help|0A|quite|0A|"; */
-static ContentInfo sid637content =
+static ContentInfo sid637content =
{
(u_int8_t *)"|0A|help|0A|quite|0A|",/* pattern to search for */
0, /* depth */
@@ -52,10 +47,17 @@
NULL, /* holder for boyer/moore info */
NULL, /* holder for byte representation of "\nhelp\nquite\n" */
0, /* holder for length of byte representation */
- 0 /* holder of increment length */
+ 0, /* holder of increment length */
+ 0, /* holder for fp offset */
+ 0, /* holder for fp length */
+ 0, /* holder for fp only */
+ NULL, // offset_refId
+ NULL, // depth_refId
+ NULL, // offset_location
+ NULL // depth_location
};
-static RuleOption sid637option1 =
+static RuleOption sid637option1 =
{
OPTION_TYPE_CONTENT,
{
@@ -94,14 +96,15 @@
ANY_PORT /* destination port(s) */
},
/* metadata */
- {
+ {
3, /* genid -- use 3 to distinguish a C rule */
637, /* sigid */
3, /* revision */
"attempted-recon", /* classification */
0, /* priority */
"SCAN Webtrends Scanner UDP Probe", /* message */
- sid637refs /* ptr to references */
+ sid637refs, /* ptr to references */
+ NULL /* Meta data */
},
sid637options, /* ptr to rule options */
NULL, /* Use internal eval func */
diff -Nru snort-2.8.5.2/src/dynamic-examples/Makefile.am snort-2.9.2/src/dynamic-examples/Makefile.am
--- snort-2.8.5.2/src/dynamic-examples/Makefile.am 2009-10-19 19:07:12.000000000 +0000
+++ snort-2.9.2/src/dynamic-examples/Makefile.am 2011-10-26 18:28:52.000000000 +0000
@@ -2,8 +2,8 @@
AUTOMAKE_OPTIONS=foreign no-dependencies
BUILT_SOURCES = \
- include/bounds.h \
- include/debug.h \
+ include/snort_bounds.h \
+ include/snort_debug.h \
include/preprocids.h \
include/profiler.h \
include/cpuclock.h \
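Review bot: The fields added to `sid637content` (`0, /* holder for fp offset */` through `NULL // depth_location`) carry the same positional-initializer fragility as the identical edit in sid109.c: nothing ties the values to named ContentInfo members, so a later change to that struct in sf_snort_plugin_api.h would misplace them silently while still compiling. Designated initializers, if the project's C baseline permits them, would bind each value to its member name and make the zero/NULL placeholders unnecessary. The four `//` comments should also follow the `/* */` style of the surrounding lines, e.g. `/* offset_refId */`. The `sid637option1` definition continues outside the hunk.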
@@ -25,26 +25,36 @@ include/sfsnort_dynamic_detection_lib.c \ include/sfsnort_dynamic_detection_lib.h \ include/sf_snort_packet.h \ + include/sf_protocols.h \ include/sf_snort_plugin_api.h \ include/pcap_pkthdr32.h \ include/stream_api.h \ include/str_search.h \ include/sf_types.h \ - include/sfrt.h \ - include/sfrt.c \ - include/sfrt_dir.h \ - include/sfrt_dir.c \ - include/sfrt_trie.h \ - include/sfPolicyUserData.c \ - include/sfPolicyUserData.h \ - include/sfPolicy.h + include/sfrt.h \ + include/sfrt.c \ + include/sfrt_dir.h \ + include/sfrt_dir.c \ + include/sfrt_trie.h \ + include/sfPolicyUserData.c \ + include/sfPolicyUserData.h \ + include/sfPolicy.h \ + include/treenodes.h \ + include/signature.h \ + include/plugin_enum.h \ + include/obfuscation.h \ + include/rule_option_types.h \ + include/event.h \ + include/attribute_table_api.h \ + include/sfcontrol.h \ + include/idle_processing.h sed_ipv6_headers = \ sed -e "s/->iph->ip_src/->ip4_header->source/" \ -e "s/->iph->ip_dst/->ip4_header->destination/" \ -e "s/->iph->/->ip4_header->/" \ -e "s/->iph$$/->ip4_header/" \ - -e "s/orig_iph/orig_ip4_header/" \ + -e "s/orig_iph/orig_ipv4h/" \ -e "s/ip_verhl/version_headerlength/" \ -e "s/ip_tos/type_service/" \ -e "s/ip_len/data_length/" \ @@ -74,6 +84,8 @@ sed_headers = \ sed -e "s/Packet /SFSnortPacket /" \ -e "s/decode\.h/sf_snort_packet.h/" \ + -e "/sfportobject\.h/d" \ + -e "s/PortObject \*/void */g" \ $$dst_header.new > $$dst_header massage_headers = \ 
@@ -116,14 +128,14 @@ fi replace_policy_globals = \ - if test -f $$dst_header; then \ - sed -e "/SharedObjectAddStarts/d" \ - -e "/SharedObjectAddEnds/d" \ + if test -f $$dst_header; then \ + sed -e "/SharedObjectAddStarts/d" \ + -e "/SharedObjectAddEnds/d" \ -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" \ - -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" \ - $$dst_header > $$dst_header.new; \ - mv $$dst_header.new $$dst_header; \ - fi + -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" \ + $$dst_header > $$dst_header.new; \ + mv $$dst_header.new $$dst_header; \ + fi copy_headers = \ mkdir -p include; \ 
@@ -138,32 +150,66 @@ echo "Updating " $$dst_header; \ cp $$src_header $$dst_header; \ fi - + +sed_treenode_header = \ + sed -f $(srcdir)/../dynamic-preprocessors/treenodes.sed $$dst_header.new > $$dst_header + +copy_treenode_header = \ + mkdir -p include; \ + mkdir -p build; \ + if test -f $$dst_header; then \ + x=`diff $$src_header $$dst_header.new.new >> /dev/null`; \ + if test "$$x" != "0"; then \ + echo "Updating " $$dst_header; \ + cp $$src_header $$dst_header.new; \ + $(sed_treenode_header); \ + fi \ + else \ + echo "Updating " $$dst_header; \ + cp $$src_header $$dst_header.new; \ + $(sed_treenode_header); \ + fi + # From main src tree -include/debug.h: $(srcdir)/../debug.h +include/snort_debug.h: $(srcdir)/../snort_debug.h @src_header=$?; dst_header=$@; $(copy_debug_header) include/preprocids.h: $(srcdir)/../preprocids.h @src_header=$?; dst_header=$@; $(copy_headers) - + include/profiler.h: $(srcdir)/../profiler.h @src_header=$?; dst_header=$@; $(copy_headers) - + include/cpuclock.h: $(srcdir)/../cpuclock.h @src_header=$?; dst_header=$@; $(copy_headers) - + include/pcap_pkthdr32.h: $(srcdir)/../pcap_pkthdr32.h @src_header=$?; dst_header=$@; $(copy_headers) - -include/bounds.h: $(srcdir)/../bounds.h + +include/snort_bounds.h: $(srcdir)/../snort_bounds.h @src_header=$?; dst_header=$@; $(copy_headers) -include/ipv6_port.h: $(srcdir)/../ipv6_port.h +include/ipv6_port.h: $(srcdir)/../ipv6_port.h @src_header=$?; dst_header=$@; $(massage_ipv6_headers) include/sf_types.h: $(srcdir)/../sf_types.h @src_header=$?; dst_header=$@; $(copy_headers) +include/obfuscation.h: $(srcdir)/../obfuscation.h + @src_header=$?; dst_header=$@; $(massage_headers) + +include/rule_option_types.h: $(srcdir)/../rule_option_types.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/event.h: $(srcdir)/../event.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/sfcontrol.h: $(srcdir)/../control/sfcontrol.h + @src_header=$?; dst_header=$@; $(copy_headers) + 
+include/idle_processing.h: $(srcdir)/../idle_processing.h + @src_header=$?; dst_header=$@; $(copy_headers) + # From dynamic-plugins include/sf_dynamic_common.h: $(srcdir)/../dynamic-plugins/sf_dynamic_common.h @src_header=$?; dst_header=$@; $(copy_headers) @@ -178,6 +224,9 @@ @src_header=$?; dst_header=$@; $(copy_headers) include/sf_dynamic_preprocessor.h: $(srcdir)/../dynamic-plugins/sf_dynamic_preprocessor.h + @src_header=$?; dst_header=$@; $(massage_headers) + +include/attribute_table_api.h: $(srcdir)/../dynamic-plugins/attribute_table_api.h @src_header=$?; dst_header=$@; $(copy_headers) # From dynamic-plugins/sf_preproc_example @@ -226,10 +275,10 @@ include/sfPolicyUserData.c: $(srcdir)/../sfutil/sfPolicyUserData.c @src_header=$?; dst_header=$@; $(copy_headers); $(replace_policy_globals) - + include/sfPolicyUserData.h: $(srcdir)/../sfutil/sfPolicyUserData.h @src_header=$?; dst_header=$@; $(copy_headers); $(replace_policy_globals) - + include/sfPolicy.h: $(srcdir)/../sfutil/sfPolicy.h @src_header=$?; dst_header=$@; $(copy_headers); $(replace_policy_globals) @@ -244,6 +293,9 @@ include/sf_snort_packet.h: $(srcdir)/../dynamic-plugins/sf_engine/sf_snort_packet.h @src_header=$?; dst_header=$@; $(copy_headers) +include/sf_protocols.h: $(srcdir)/../sf_protocols.h + @src_header=$?; dst_header=$@; $(copy_headers) + include/sf_snort_plugin_api.h: $(srcdir)/../dynamic-plugins/sf_engine/sf_snort_plugin_api.h @src_header=$?; dst_header=$@; $(copy_headers) 
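Review bot: The freshness test in the new `copy_treenode_header` macro can never report an unchanged header: the backquoted `diff $$src_header $$dst_header.new.new >> /dev/null` assigned to `x` sends diff's output to /dev/null, so `$$x` is always empty and never the string "0" that `test "$$x" != "0"` expects, and it compares against `$$dst_header.new.new`, which nothing in this Makefile ever writes, so the copy and the treenodes.sed pass run on every invocation. The intent is the exit status, so `if ! diff -q "$$src_header" "$$dst_header.new" >/dev/null 2>&1; then` is the check to use; comparing with `$$dst_header.new` is sound because `sed_treenode_header` reads that file and leaves it in place. Quoting `$$src_header` and `$$dst_header` in the `cp` and `sed` lines would also keep a source path containing spaces from breaking the rule. The `copy_headers` macro just above starts outside the hunk, so I cannot tell from here whether it shares the same pattern.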
@@ -254,11 +306,22 @@ include/str_search.h: $(srcdir)/../preprocessors/str_search.h @src_header=$?; dst_header=$@; $(massage_headers) -INCLUDES = @INCLUDES@ +include/treenodes.h: $(srcdir)/../treenodes.h + @src_header=$?; dst_header=$@; $(copy_treenode_header) + +include/signature.h: $(srcdir)/../signature.h + @src_header=$?; dst_header=$@; $(copy_treenode_header) + +include/plugin_enum.h: $(srcdir)/../plugin_enum.h + @src_header=$?; dst_header=$@; $(copy_headers) + +INCLUDES = @INCLUDES@ if HAVE_DYNAMIC_PLUGINS +if BUILD_DYNAMIC_EXAMPLES SUBDIRS = dynamic-preprocessor dynamic-rule endif +endif clean-local: rm -rf include build diff -Nru snort-2.8.5.2/src/dynamic-examples/Makefile.in snort-2.9.2/src/dynamic-examples/Makefile.in --- snort-2.8.5.2/src/dynamic-examples/Makefile.in 2009-10-19 21:17:59.000000000 +0000 +++ snort-2.9.2/src/dynamic-examples/Makefile.in 2011-12-07 19:23:18.000000000 +0000 @@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -15,8 +16,9 @@ @SET_MAKE@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c 
@@ -41,6 +43,7 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = depcomp = am__depfiles_maybe = SOURCES = @@ -54,10 +57,38 @@ ps-recursive uninstall-recursive RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive +AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \ + $(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \ + distdir ETAGS = etags CTAGS = ctags DIST_SUBDIRS = dynamic-preprocessor dynamic-rule DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +am__relativize = \ + dir0=`pwd`; \ + sed_first='s,^\([^/]*\)/.*$$,\1,'; \ + sed_rest='s,^[^/]*/*,,'; \ + sed_last='s,^.*/\([^/]*\)$$,\1,'; \ + sed_butlast='s,/*[^/]*$$,,'; \ + while test -n "$$dir1"; do \ + first=`echo "$$dir1" | sed -e "$$sed_first"`; \ + if test "$$first" != "."; then \ + if test "$$first" = ".."; then \ + dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ + dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ + else \ + first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ + if test "$$first2" = "$$first"; then \ + dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ + else \ + dir2="../$$dir2"; \ + fi; \ + dir0="$$dir0"/"$$first"; \ + fi; \ + fi; \ + dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ + done; \ + reldir="$$dir2" ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AR = @AR@ 
@@ -67,31 +98,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ -INCLUDES = @INCLUDES@ +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ @@ -104,12 +135,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -117,20 +154,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -162,6 +206,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -174,12 +219,13 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies BUILT_SOURCES = \ - include/bounds.h \ - include/debug.h \ + include/snort_bounds.h \ + include/snort_debug.h \ include/preprocids.h \ include/profiler.h \ include/cpuclock.h \ 
@@ -201,26 +247,36 @@ include/sfsnort_dynamic_detection_lib.c \ include/sfsnort_dynamic_detection_lib.h \ include/sf_snort_packet.h \ + include/sf_protocols.h \ include/sf_snort_plugin_api.h \ include/pcap_pkthdr32.h \ include/stream_api.h \ include/str_search.h \ include/sf_types.h \ - include/sfrt.h \ - include/sfrt.c \ - include/sfrt_dir.h \ - include/sfrt_dir.c \ - include/sfrt_trie.h \ - include/sfPolicyUserData.c \ - include/sfPolicyUserData.h \ - include/sfPolicy.h + include/sfrt.h \ + include/sfrt.c \ + include/sfrt_dir.h \ + include/sfrt_dir.c \ + include/sfrt_trie.h \ + include/sfPolicyUserData.c \ + include/sfPolicyUserData.h \ + include/sfPolicy.h \ + include/treenodes.h \ + include/signature.h \ + include/plugin_enum.h \ + include/obfuscation.h \ + include/rule_option_types.h \ + include/event.h \ + include/attribute_table_api.h \ + include/sfcontrol.h \ + include/idle_processing.h sed_ipv6_headers = \ sed -e "s/->iph->ip_src/->ip4_header->source/" \ -e "s/->iph->ip_dst/->ip4_header->destination/" \ -e "s/->iph->/->ip4_header->/" \ -e "s/->iph$$/->ip4_header/" \ - -e "s/orig_iph/orig_ip4_header/" \ + -e "s/orig_iph/orig_ipv4h/" \ -e "s/ip_verhl/version_headerlength/" \ -e "s/ip_tos/type_service/" \ -e "s/ip_len/data_length/" \ @@ -250,6 +306,8 @@ sed_headers = \ sed -e "s/Packet /SFSnortPacket /" \ -e "s/decode\.h/sf_snort_packet.h/" \ + -e "/sfportobject\.h/d" \ + -e "s/PortObject \*/void */g" \ $$dst_header.new > $$dst_header massage_headers = \ 
@@ -292,14 +350,14 @@ fi replace_policy_globals = \ - if test -f $$dst_header; then \ - sed -e "/SharedObjectAddStarts/d" \ - -e "/SharedObjectAddEnds/d" \ + if test -f $$dst_header; then \ + sed -e "/SharedObjectAddStarts/d" \ + -e "/SharedObjectAddEnds/d" \ -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" \ - -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" \ - $$dst_header > $$dst_header.new; \ - mv $$dst_header.new $$dst_header; \ - fi + -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" \ + $$dst_header > $$dst_header.new; \ + mv $$dst_header.new $$dst_header; \ + fi copy_headers = \ mkdir -p include; \ @@ -315,7 +373,26 @@ cp $$src_header $$dst_header; \ fi -@HAVE_DYNAMIC_PLUGINS_TRUE@SUBDIRS = dynamic-preprocessor dynamic-rule +sed_treenode_header = \ + sed -f $(srcdir)/../dynamic-preprocessors/treenodes.sed $$dst_header.new > $$dst_header + +copy_treenode_header = \ + mkdir -p include; \ + mkdir -p build; \ + if test -f $$dst_header; then \ + x=`diff $$src_header $$dst_header.new.new >> /dev/null`; \ + if test "$$x" != "0"; then \ + echo "Updating " $$dst_header; \ + cp $$src_header $$dst_header.new; \ + $(sed_treenode_header); \ + fi \ + else \ + echo "Updating " $$dst_header; \ + cp $$src_header $$dst_header.new; \ + $(sed_treenode_header); \ + fi + +@BUILD_DYNAMIC_EXAMPLES_TRUE@@HAVE_DYNAMIC_PLUGINS_TRUE@SUBDIRS = dynamic-preprocessor dynamic-rule all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive 
@@ -324,14 +401,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-examples/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/dynamic-examples/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-examples/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-examples/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -349,6 +426,7 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): mostlyclean-libtool: -rm -f *.lo @@ -363,7 +441,7 @@ # (which will cause the Makefiles to be regenerated when you run `make'); # (2) otherwise, pass the desired values on the `make' command line. $(RECURSIVE_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ @@ -380,7 +458,7 @@ else \ local_target="$$target"; \ fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done; \ if test "$$dot_seen" = "no"; then \ @@ -388,7 +466,7 @@ fi; test -z "$$fail" $(RECURSIVE_CLEAN_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ 
@@ -414,16 +492,16 @@ else \ local_target="$$target"; \ fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done && test -z "$$fail" tags-recursive: list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ + test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ done ctags-recursive: list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ + test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ done ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) @@ -431,14 +509,14 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ include_option=--etags-include; \ 
@@ -450,39 +528,43 @@ list='$(SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test ! -f $$subdir/TAGS || \ - tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \ + set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ fi; \ done; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags 
@@ -503,29 +585,44 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done - list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test -d "$(distdir)/$$subdir" \ || $(MKDIR_P) "$(distdir)/$$subdir" \ || exit 1; \ - distdir=`$(am__cd) $(distdir) && pwd`; \ - top_distdir=`$(am__cd) $(top_distdir) && pwd`; \ - (cd $$subdir && \ + fi; \ + done + @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ + $(am__relativize); \ + new_distdir=$$reldir; \ + dir1=$$subdir; dir2="$(top_distdir)"; \ + $(am__relativize); \ + new_top_distdir=$$reldir; \ + echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ + echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ + ($(am__cd) $$subdir && \ $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$$top_distdir" \ - distdir="$$distdir/$$subdir" \ + top_distdir="$$new_top_distdir" \ + distdir="$$new_distdir" \ am__remove_distdir=: \ am__skip_length_check=: \ + am__skip_mode_fix=: \ distdir) \ || exit 1; \ fi; \ 
@@ -557,6 +654,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -576,6 +674,8 @@ html: html-recursive +html-am: + info: info-recursive info-am: @@ -584,18 +684,28 @@ install-dvi: install-dvi-recursive +install-dvi-am: + install-exec-am: install-html: install-html-recursive +install-html-am: + install-info: install-info-recursive +install-info-am: + install-man: install-pdf: install-pdf-recursive +install-pdf-am: + install-ps: install-ps-recursive +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-recursive @@ -616,8 +726,9 @@ uninstall-am: -.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \ - install-strip +.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) all check \ + ctags-recursive install install-am install-strip \ + tags-recursive .PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \ all all-am check check-am clean clean-generic clean-libtool \ @@ -635,7 +746,7 @@ # From main src tree -include/debug.h: $(srcdir)/../debug.h +include/snort_debug.h: $(srcdir)/../snort_debug.h @src_header=$?; dst_header=$@; $(copy_debug_header) include/preprocids.h: $(srcdir)/../preprocids.h 
@@ -650,15 +761,30 @@ include/pcap_pkthdr32.h: $(srcdir)/../pcap_pkthdr32.h @src_header=$?; dst_header=$@; $(copy_headers) -include/bounds.h: $(srcdir)/../bounds.h +include/snort_bounds.h: $(srcdir)/../snort_bounds.h @src_header=$?; dst_header=$@; $(copy_headers) -include/ipv6_port.h: $(srcdir)/../ipv6_port.h +include/ipv6_port.h: $(srcdir)/../ipv6_port.h @src_header=$?; dst_header=$@; $(massage_ipv6_headers) include/sf_types.h: $(srcdir)/../sf_types.h @src_header=$?; dst_header=$@; $(copy_headers) +include/obfuscation.h: $(srcdir)/../obfuscation.h + @src_header=$?; dst_header=$@; $(massage_headers) + +include/rule_option_types.h: $(srcdir)/../rule_option_types.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/event.h: $(srcdir)/../event.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/sfcontrol.h: $(srcdir)/../control/sfcontrol.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/idle_processing.h: $(srcdir)/../idle_processing.h + @src_header=$?; dst_header=$@; $(copy_headers) + # From dynamic-plugins include/sf_dynamic_common.h: $(srcdir)/../dynamic-plugins/sf_dynamic_common.h @src_header=$?; dst_header=$@; $(copy_headers) @@ -673,6 +799,9 @@ @src_header=$?; dst_header=$@; $(copy_headers) include/sf_dynamic_preprocessor.h: $(srcdir)/../dynamic-plugins/sf_dynamic_preprocessor.h + @src_header=$?; dst_header=$@; $(massage_headers) + +include/attribute_table_api.h: $(srcdir)/../dynamic-plugins/attribute_table_api.h @src_header=$?; dst_header=$@; $(copy_headers) # From dynamic-plugins/sf_preproc_example @@ -739,6 +868,9 @@ include/sf_snort_packet.h: $(srcdir)/../dynamic-plugins/sf_engine/sf_snort_packet.h @src_header=$?; dst_header=$@; $(copy_headers) +include/sf_protocols.h: $(srcdir)/../sf_protocols.h + @src_header=$?; dst_header=$@; $(copy_headers) + include/sf_snort_plugin_api.h: $(srcdir)/../dynamic-plugins/sf_engine/sf_snort_plugin_api.h @src_header=$?; dst_header=$@; $(copy_headers) 
@@ -749,8 +881,18 @@ include/str_search.h: $(srcdir)/../preprocessors/str_search.h @src_header=$?; dst_header=$@; $(massage_headers) +include/treenodes.h: $(srcdir)/../treenodes.h + @src_header=$?; dst_header=$@; $(copy_treenode_header) + +include/signature.h: $(srcdir)/../signature.h + @src_header=$?; dst_header=$@; $(copy_treenode_header) + +include/plugin_enum.h: $(srcdir)/../plugin_enum.h + @src_header=$?; dst_header=$@; $(copy_headers) + clean-local: rm -rf include build + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/src/dynamic-plugins/attribute_table_api.h snort-2.9.2/src/dynamic-plugins/attribute_table_api.h --- snort-2.8.5.2/src/dynamic-plugins/attribute_table_api.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/attribute_table_api.h 2011-10-26 18:28:52.000000000 +0000 
@@ -0,0 +1,21 @@
+#ifndef _SF_ATTRIBUTE_TABLE_API_H
+#define _SF_ATTRIBUTE_TABLE_API_H
+#ifdef TARGET_BASED
+
+typedef struct
+{
+ int (*addHost)(snort_ip_p ip);
+ //int (*delHost)(snort_ip_p ip);
+ int (*updateOs)(snort_ip_p ip, char *os, char *vendor, char *version, char *fragPolicy, char *streamPolicy);
+ int (*addService)(snort_ip_p ip, uint16_t port, const char *ipproto, char *protocol, char *application, char *version, uint32_t confidence);
+ int (*delService)(snort_ip_p ip, uint16_t port);
+ //int (*addClient)( snort_ip_p ip, char *ipproto, char *protocol, char *application, char *version, uint32_t confidence);
+ //int (*delClient)( snort_ip_p ip, char *ipproto, char *protocol, char *application);
+
+} HostAttributeTableApi;
+
+extern HostAttributeTableApi *AttributeTableAPI;
+
+#endif
+#endif // _SF_ATTRIBUTE_TABLE_API_H
+
diff -Nru snort-2.8.5.2/src/dynamic-plugins/Makefile.am snort-2.9.2/src/dynamic-plugins/Makefile.am
--- snort-2.8.5.2/src/dynamic-plugins/Makefile.am 2009-05-06 22:28:40.000000000 +0000
+++ snort-2.9.2/src/dynamic-plugins/Makefile.am 2011-10-26 18:28:52.000000000 +0000
@@ -18,7 +18,8 @@
 sp_preprocopt.c \
 sp_preprocopt.h \
 sf_convert_dynamic.c \
-sf_convert_dynamic.h
+sf_convert_dynamic.h \
+attribute_table_api.h
 INCLUDES = @INCLUDES@
diff -Nru snort-2.8.5.2/src/dynamic-plugins/Makefile.in snort-2.9.2/src/dynamic-plugins/Makefile.in
--- snort-2.8.5.2/src/dynamic-plugins/Makefile.in 2009-10-19 21:17:59.000000000 +0000
+++ snort-2.9.2/src/dynamic-plugins/Makefile.in 2011-12-07 19:23:18.000000000 +0000
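Review bot: The include guard `_SF_ATTRIBUTE_TABLE_API_H` starts with an underscore followed by an uppercase letter, a name C reserves for the implementation; a guard such as `SF_ATTRIBUTE_TABLE_API_H` avoids that. The header also uses `snort_ip_p`, `uint16_t` and `uint32_t` without including anything, so it compiles only when the includer has already pulled those in; an `#include <stdint.h>` at minimum, plus whatever declares `snort_ip_p`, would make it self-contained. The commented-out `delHost`/`addClient`/`delClient` slots should either be removed or given a comment saying why they are reserved, and the `extern HostAttributeTableApi *AttributeTableAPI;` declaration would benefit from a one-liner such as `/* Callback table for updating the host attribute table; presumably handed to dynamic plugins — confirm against the definer */`.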
@@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -16,8 +17,9 @@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c @@ -42,6 +44,7 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = LIBRARIES = $(noinst_LIBRARIES) ARFLAGS = cru libdynamic_a_AR = $(AR) $(ARFLAGS) @@ -50,7 +53,7 @@ sp_dynamic.$(OBJEXT) sp_preprocopt.$(OBJEXT) \ sf_convert_dynamic.$(OBJEXT) libdynamic_a_OBJECTS = $(am_libdynamic_a_OBJECTS) -DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = am__depfiles_maybe = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ 
@@ -73,10 +76,38 @@ ps-recursive uninstall-recursive RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive +AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \ + $(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \ + distdir ETAGS = etags CTAGS = ctags DIST_SUBDIRS = $(SUBDIRS) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +am__relativize = \ + dir0=`pwd`; \ + sed_first='s,^\([^/]*\)/.*$$,\1,'; \ + sed_rest='s,^[^/]*/*,,'; \ + sed_last='s,^.*/\([^/]*\)$$,\1,'; \ + sed_butlast='s,/*[^/]*$$,,'; \ + while test -n "$$dir1"; do \ + first=`echo "$$dir1" | sed -e "$$sed_first"`; \ + if test "$$first" != "."; then \ + if test "$$first" = ".."; then \ + dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ + dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ + else \ + first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ + if test "$$first2" = "$$first"; then \ + dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ + else \ + dir2="../$$dir2"; \ + fi; \ + dir0="$$dir0"/"$$first"; \ + fi; \ + fi; \ + dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ + done; \ + reldir="$$dir2" ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AR = @AR@ 
@@ -86,31 +117,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ @@ -123,12 +154,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -136,20 +173,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -181,6 +225,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -193,6 +238,7 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies @@ -212,7 +258,8 @@ sp_preprocopt.c \ sp_preprocopt.h \ sf_convert_dynamic.c \ -sf_convert_dynamic.h +sf_convert_dynamic.h \ +attribute_table_api.h SUBDIRS = sf_engine sf_preproc_example all: all-recursive 
@@ -223,14 +270,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-plugins/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/dynamic-plugins/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-plugins/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-plugins/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -248,6 +295,7 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): clean-noinstLIBRARIES: -test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES) @@ -284,7 +332,7 @@ # (which will cause the Makefiles to be regenerated when you run `make'); # (2) otherwise, pass the desired values on the `make' command line. $(RECURSIVE_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ @@ -301,7 +349,7 @@ else \ local_target="$$target"; \ fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done; \ if test "$$dot_seen" = "no"; then \ @@ -309,7 +357,7 @@ fi; test -z "$$fail" $(RECURSIVE_CLEAN_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ 
@@ -335,16 +383,16 @@ else \ local_target="$$target"; \ fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done && test -z "$$fail" tags-recursive: list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ + test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ done ctags-recursive: list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ + test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ done ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) @@ -352,14 +400,14 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ include_option=--etags-include; \ 
@@ -371,39 +419,43 @@ list='$(SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test ! -f $$subdir/TAGS || \ - tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \ + set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ fi; \ done; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags 
@@ -424,29 +476,44 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done - list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test -d "$(distdir)/$$subdir" \ || $(MKDIR_P) "$(distdir)/$$subdir" \ || exit 1; \ - distdir=`$(am__cd) $(distdir) && pwd`; \ - top_distdir=`$(am__cd) $(top_distdir) && pwd`; \ - (cd $$subdir && \ + fi; \ + done + @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ + $(am__relativize); \ + new_distdir=$$reldir; \ + dir1=$$subdir; dir2="$(top_distdir)"; \ + $(am__relativize); \ + new_top_distdir=$$reldir; \ + echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ + echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ + ($(am__cd) $$subdir && \ $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$$top_distdir" \ - distdir="$$distdir/$$subdir" \ + top_distdir="$$new_top_distdir" \ + distdir="$$new_distdir" \ am__remove_distdir=: \ am__skip_length_check=: \ + am__skip_mode_fix=: \ distdir) \ || exit 1; \ fi; \ 
@@ -476,6 +543,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -496,6 +564,8 @@ html: html-recursive +html-am: + info: info-recursive info-am: @@ -504,18 +574,28 @@ install-dvi: install-dvi-recursive +install-dvi-am: + install-exec-am: install-html: install-html-recursive +install-html-am: + install-info: install-info-recursive +install-info-am: + install-man: install-pdf: install-pdf-recursive +install-pdf-am: + install-ps: install-ps-recursive +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-recursive @@ -537,8 +617,8 @@ uninstall-am: -.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \ - install-strip +.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \ + install-am install-strip tags-recursive .PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \ all all-am check check-am clean clean-generic clean-libtool \ @@ -555,6 +635,7 @@ mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \ uninstall uninstall-am + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_convert_dynamic.c snort-2.9.2/src/dynamic-plugins/sf_convert_dynamic.c --- snort-2.8.5.2/src/dynamic-plugins/sf_convert_dynamic.c 2009-07-07 15:37:04.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_convert_dynamic.c 2011-07-13 22:44:51.000000000 +0000 
@@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -22,9 +22,14 @@ #ifdef DYNAMIC_PLUGIN +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "sf_engine/sf_snort_plugin_api.h" #include "detection_options.h" #include "rules.h" +#include "treenodes.h" #include "plugbase.h" #include "sf_convert_dynamic.h" @@ -32,20 +37,24 @@ #include "sp_asn1_detect.h" #include "sp_byte_check.h" #include "sp_byte_jump.h" +#include "sp_byte_extract.h" #include "sp_clientserver.h" #include "sp_flowbits.h" #include "sp_isdataat.h" #include "sp_pattern_match.h" #include "sp_pcre.h" #include "sp_hdr_opt_wrap.h" +#include "sp_file_data.h" +#include "sp_pkt_data.h" +#include "sp_base64_decode.h" +#include "sp_base64_data.h" +#include "sp_preprocopt.h" extern void ParsePattern(char *, OptTreeNode *, int); // extern int PCRESetup(Rule *rule, PCREInfo *pcreInfo); extern void *pcreCompile(const char *pattern, int options, const char **errptr, int *erroffset, const unsigned char *tableptr); extern void *pcreStudy(const void *code, int options, const char **errptr); -extern void make_precomp(PatternMatchData * idx); -extern int uniSearchCI(const char *data, int dlen, PatternMatchData *pmd); extern int SnortPcre(void *option_data, Packet *p); extern int FlowBitsCheck(void *option_data, Packet *p); 
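Review bot: The new `#ifdef HAVE_CONFIG_H` / `#include "config.h"` block sits inside the pre-existing `#ifdef DYNAMIC_PLUGIN` guard, so if `DYNAMIC_PLUGIN` is defined by config.h rather than on the compiler command line, the guard is evaluated before config.h has been read and the entire translation unit compiles out. Placing the three config.h lines above `#ifdef DYNAMIC_PLUGIN` removes the dependence on how the macro is supplied; if it is always passed via `-D`, a short comment saying so next to the guard would stop the next reader from asking the same question. The `#ifdef DYNAMIC_PLUGIN` block begins before this hunk and runs well past it.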
@@ -54,8 +63,13 @@ extern int ByteTest(void *option_data, Packet *p); extern int ByteJump(void *option_data, Packet *p); extern int IsDataAt(void *option_data, Packet *p); +extern int FileDataEval(void *option_data, Packet *p); +extern int PktDataEval(void *option_data, Packet *p); +extern int Base64DataEval(void *option_data, Packet *p); +extern int Base64DecodeEval(void *option_data, Packet *p) ; static int CheckConvertability(Rule *rule, OptTreeNode *otn); +static int ConvertPreprocessorOption(Rule *rule, int index, OptTreeNode *otn); static int ConvertContentOption(Rule *rule, int index, OptTreeNode *otn); static int ConvertPcreOption(Rule *rule, int index, OptTreeNode *otn); static int ConvertFlowbitOption(Rule *rule, int index, OptTreeNode *otn); @@ -68,12 +82,20 @@ static int ConvertByteExtractOption(Rule *rule, int index, OptTreeNode *otn); static int ConvertSetCursorOption(Rule *rule, int index, OptTreeNode *otn); static int ConvertLoopOption(Rule *rule, int index, OptTreeNode *otn); +static int ConvertFileDataOption(Rule *rule, int index, OptTreeNode *otn); +static int ConvertPktDataOption(Rule *rule, int index, OptTreeNode *otn); +static int ConvertBase64DataOption(Rule *rule, int index, OptTreeNode *otn); +static int ConvertBase64DecodeOption(Rule *rule, int index, OptTreeNode *otn); -/* Use an array of callbacks to handle varying option types */ +/* Use an array of callbacks to handle varying option types + * + * NOTE: These MUST align with the values in DynamicOptionType enumeration + * found in sf_dynamic_define.h + */ static int (* OptionConverterArray[OPTION_TYPE_MAX]) (Rule *rule, int index, OptTreeNode *otn) = { - NULL, + ConvertPreprocessorOption, ConvertContentOption, ConvertPcreOption, ConvertFlowbitOption, 
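Review bot: `OptionConverterArray` still relies on positional order matching `DynamicOptionType`, and the new comment only asks readers to keep the two aligned by hand; designated initializers make the compiler enforce the mapping, e.g. `[OPTION_TYPE_PREPROCESSOR] = ConvertPreprocessorOption,` through `[OPTION_TYPE_BYTE_EXTRACT] = ConvertByteExtractOption,` for each entry, so a re-ordered enum can no longer shift every converter by one. That is C99 syntax, so it is only an option if the build already compiles this file as C99 or later; any enum value left out of such a list becomes a NULL slot, which the call site in ConvertDynamicRule would then have to check before calling. Minor style: the stray space in `extern int Base64DecodeEval(void *option_data, Packet *p) ;` differs from the neighbouring declarations.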
@@ -85,7 +107,11 @@ ConvertByteJumpOption, ConvertByteExtractOption, ConvertSetCursorOption, - ConvertLoopOption + ConvertLoopOption, + ConvertFileDataOption, + ConvertPktDataOption, + ConvertBase64DataOption, + ConvertBase64DecodeOption }; /* Convert a dynamic rule to native rule structure. */ @@ -93,6 +119,8 @@ int ConvertDynamicRule(Rule *rule, OptTreeNode *otn) { unsigned int i; + tSfPolicyId policyId = 0; + RuleTreeNode *rtn = NULL; if (CheckConvertability(rule, otn) < 0) { 
@@ -103,20 +131,77 @@ { int ret; int optype = rule->options[i]->optionType; - if (optype < OPTION_TYPE_CONTENT || optype >= OPTION_TYPE_MAX) + if (optype < OPTION_TYPE_PREPROCESSOR || optype >= OPTION_TYPE_MAX) return -1; // Invalid option type - + ret = OptionConverterArray[optype](rule, i, otn); if (ret < 0) return -1; } - FinalizeContentUniqueness(otn); + if(otn->proto_nodes) + { + + for (policyId = 0; + policyId < otn->proto_node_num;policyId++) + { + rtn = otn->proto_nodes[policyId]; + if (!rtn) + { + continue; + } + + setParserPolicy(policyId); + + FinalizeContentUniqueness(otn); + } + } otn->sigInfo.shared = 0; return 1; } +/* A text-rule byte_extract option can only have NUM_BYTE_EXTRACT_VARS unique + variables. This function iterates through a Rule and counts the unique names. */ +static inline int CheckByteExtractVars(Rule *rule) +{ + unsigned int i, j, unique_names = 0; + char *names[NUM_BYTE_EXTRACT_VARS]; + + for (i = 0; i < rule->numOptions; i++) + { + ByteExtract *data; + int unique_name = 1; + + /* Only need byte_extract options */ + if (rule->options[i]->optionType != OPTION_TYPE_BYTE_EXTRACT) + continue; + + /* Check name against other unique names */ + data = rule->options[i]->option_u.byteExtract; + for (j = 0; j < unique_names; j++) + { + if (strcmp(names[j], data->refId) == 0) + { + unique_name = 0; + break; + } + } + + /* Add unique names to the array */ + if (unique_name) + { + if (unique_names == NUM_BYTE_EXTRACT_VARS) + return -1; /* Too many variables! */ + + names[unique_names] = data->refId; + unique_names++; + } + } + + return 0; +} + static int CheckConvertability(Rule *rule, OptTreeNode *otn) { /* We need to check for any conversion problems up-front. That way, 
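Review bot: The new per-policy loop in ConvertDynamicRule calls `setParserPolicy(policyId)` for every non-NULL `proto_nodes` entry and never restores the policy that was current on entry, so the parser policy is left at the id of the last node visited; unless every caller resets it afterwards, saving it before the loop (`tSfPolicyId savedPolicy = getParserPolicy();`) and calling `setParserPolicy(savedPolicy);` after it keeps the conversion free of that side effect. In `CheckByteExtractVars`, `data->refId` goes straight into `strcmp`; if a byte_extract option can arrive with a NULL name, that is undefined behaviour, so a `if (data->refId == NULL) return -1;` guard (or a comment stating the API guarantees a name) is worth adding. ConvertDynamicRule's signature and the start of its body are in the preceding hunk.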
@@ -141,19 +226,62 @@ switch (optype) { /* Option types not supported for conversion */ - case OPTION_TYPE_PREPROCESSOR: - case OPTION_TYPE_BYTE_EXTRACT: case OPTION_TYPE_SET_CURSOR: case OPTION_TYPE_LOOP: return -1; } } + /* Check for too many byte_extract variables. These can't be converted + because the detection plugin only supports a specific number per rule. */ + if (CheckByteExtractVars(rule) < 0) + return -1; + /* We're good! */ return 1; } /* Option-converting functions */ +static int ConvertPreprocessorOption(Rule *rule, int index, OptTreeNode *otn) +{ + PreprocessorOption *preprocOpt = rule->options[index]->option_u.preprocOpt; + PreprocessorOptionInfo *preprocOptInfo = SnortAlloc(sizeof(PreprocessorOptionInfo)); + OptFpList *fpl; + void *option_dup; + + preprocOptInfo->optionInit = preprocOpt->optionInit; + preprocOptInfo->optionEval = preprocOpt->optionEval; + preprocOptInfo->optionFpFunc = preprocOpt->optionFpFunc; + preprocOptInfo->data = preprocOpt->dataPtr; + + /* FreeOneRule() already calls the cleanup function. Left NULL here + to avoid a double-free. */ + preprocOptInfo->optionCleanup = NULL; + + preprocOptInfo->optionHash = NULL; + preprocOptInfo->optionKeyCompare = NULL; + preprocOptInfo->otnHandler = NULL; + + // Add to option chain with generic callback + fpl = AddOptFuncToList(PreprocessorOptionFunc, otn); + + /* + * attach custom info to the context node so that we can call each instance + * individually + */ + fpl->context = (void *) preprocOptInfo; + + if (add_detection_option(RULE_OPTION_TYPE_PREPROCESSOR, + (void *)preprocOptInfo, &option_dup) == DETECTION_OPTION_EQUAL) + { + PreprocessorRuleOptionsFreeFunc(preprocOptInfo); + fpl->context = preprocOptInfo = option_dup; + } + fpl->type = RULE_OPTION_TYPE_PREPROCESSOR; + + return 1; +} + static int ConvertContentOption(Rule *rule, int index, OptTreeNode *otn) { ContentInfo *content = rule->options[index]->option_u.content; 
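Review bot: `ConvertPreprocessorOption` copies `preprocOpt->dataPtr` into `preprocOptInfo->data` and deliberately leaves `optionCleanup` NULL so that FreeOneRule() frees it, which means the detection-option node aliases memory owned by the dynamic Rule; that lifetime contract belongs next to the assignment, e.g. `/* data is borrowed from the Rule and freed by FreeOneRule(); the Rule must outlive this OTN */`. The pointer returned by `AddOptFuncToList(PreprocessorOptionFunc, otn)` is dereferenced immediately; if it can return NULL on allocation failure, a check is needed before `fpl->context` is written. When `add_detection_option` reports `DETECTION_OPTION_EQUAL`, `fpl->context` is redirected to `option_dup`, so the node is shared with whichever rule registered it first — worth stating in the same comment.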
@@ -177,9 +305,7 @@ } /* Allocate a new node, based on the type of content option. */ - if (content->flags & (CONTENT_BUF_URI | CONTENT_BUF_HEADER | - CONTENT_BUF_POST | CONTENT_BUF_METHOD | - CONTENT_BUF_COOKIE) ) + if ( content->flags & URI_CONTENT_BUFS ) { pmd = NewNode(otn, PLUGIN_PATTERN_MATCH_URI); ParsePattern(pattern, otn, PLUGIN_PATTERN_MATCH_URI); @@ -196,6 +322,22 @@ pmd->buffer_func = CHECK_AND_PATTERN_MATCH; } + /* Initialize var numbers */ + if (content->flags & CONTENT_RELATIVE) + { + pmd->distance_var = GetVarByName(content->offset_refId); + pmd->within_var = GetVarByName(content->depth_refId); + pmd->offset_var = -1; + pmd->depth_var = -1; + } + else + { + pmd->offset_var = GetVarByName(content->offset_refId); + pmd->depth_var = GetVarByName(content->depth_refId); + pmd->distance_var = -1; + pmd->within_var = -1; + } + /* Set URI buffer flags */ if (content->flags & CONTENT_BUF_URI) pmd->uri_buffer |= HTTP_SEARCH_URI; @@ -207,6 +349,16 @@ pmd->uri_buffer |= HTTP_SEARCH_METHOD; if (content->flags & CONTENT_BUF_COOKIE) pmd->uri_buffer |= HTTP_SEARCH_COOKIE; + if (content->flags & CONTENT_BUF_RAW_URI) + pmd->uri_buffer |= HTTP_SEARCH_RAW_URI; + if (content->flags & CONTENT_BUF_RAW_HEADER) + pmd->uri_buffer |= HTTP_SEARCH_RAW_HEADER; + if (content->flags & CONTENT_BUF_RAW_COOKIE) + pmd->uri_buffer |= HTTP_SEARCH_RAW_COOKIE; + if (content->flags & CONTENT_BUF_STAT_CODE) + pmd->uri_buffer |= HTTP_SEARCH_STAT_CODE; + if (content->flags & CONTENT_BUF_STAT_MSG) + pmd->uri_buffer |= HTTP_SEARCH_STAT_MSG; if (content->flags & CONTENT_BUF_RAW) 
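Review bot: The new uri_buffer assignments for CONTENT_BUF_RAW_URI, CONTENT_BUF_RAW_HEADER, CONTENT_BUF_RAW_COOKIE, CONTENT_BUF_STAT_CODE and CONTENT_BUF_STAT_MSG only make sense on a PLUGIN_PATTERN_MATCH_URI node, yet the node type is chosen earlier by `content->flags & URI_CONTENT_BUFS`, a mask defined outside this hunk; if that mask does not include the five new flags, a content that sets only one of them is allocated as a non-URI node with HTTP search bits set. A comment at the mask check, `/* URI_CONTENT_BUFS must cover every CONTENT_BUF_* flag mapped to pmd->uri_buffer below */`, or a compile-time check where both definitions are visible, would tie the two together. ConvertContentOption starts before the first hunk and continues past the last.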
@@ -239,7 +391,20 @@ } if (content->flags & CONTENT_FAST_PATTERN) - pmd->flags |= CONTENT_FAST_PATTERN; + pmd->fp = 1; + + /* Fast pattern only and specifying an offset and length are + * technically mutually exclusive - see + * detection-plugins/sp_pattern_match.c */ + if (content->flags & CONTENT_FAST_PATTERN_ONLY) + { + pmd->fp_only = 1; + } + else + { + pmd->fp_offset = content->fp_offset; + pmd->fp_length = content->fp_length; + } if (content->flags & NOT_FLAG) pmd->exception_flag = 1; @@ -322,6 +487,30 @@ if (pcre_info->flags & CONTENT_BUF_COOKIE) pcre_data->options |= SNORT_PCRE_HTTP_COOKIE; + if (pcre_info->flags & CONTENT_BUF_URI) + pcre_data->options |= SNORT_PCRE_HTTP_URI; + + if (pcre_info->flags & CONTENT_BUF_STAT_CODE) + pcre_data->options |= SNORT_PCRE_HTTP_STAT_CODE; + + if (pcre_info->flags & CONTENT_BUF_STAT_MSG) + pcre_data->options |= SNORT_PCRE_HTTP_STAT_MSG; + + if (pcre_info->flags & CONTENT_BUF_RAW_URI) + pcre_data->options |= SNORT_PCRE_HTTP_RAW_URI; + + if (pcre_info->flags & CONTENT_BUF_RAW_HEADER) + pcre_data->options |= SNORT_PCRE_HTTP_RAW_HEADER; + + if (pcre_info->flags & CONTENT_BUF_RAW_COOKIE) + pcre_data->options |= SNORT_PCRE_HTTP_RAW_COOKIE; + + if (pcre_info->flags & CONTENT_BUF_STAT_CODE) + pcre_data->options |= SNORT_PCRE_HTTP_STAT_CODE; + + if (pcre_info->flags & CONTENT_BUF_STAT_MSG) + pcre_data->options |= SNORT_PCRE_HTTP_STAT_MSG; + PcreCheckAnchored(pcre_data); /* Attach option to tree, checking for duplicate */ @@ -397,13 +586,12 @@ csdata->only_reassembled |= ONLY_STREAM; if (flow->flags & FLOW_ESTABLISHED) csdata->established = 1; - else - csdata->unestablished = 1; csdata->stateless = 0; + csdata->unestablished = 0; - otn->stateless = csdata->stateless; otn->established = csdata->established; - otn->unestablished = csdata->unestablished; + otn->stateless = 0; + otn->unestablished = 0; if (add_detection_option(RULE_OPTION_TYPE_FLOW, (void *)csdata, &dup) == DETECTION_OPTION_EQUAL) { 
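Review bot: In the pcre hunk the CONTENT_BUF_STAT_CODE and CONTENT_BUF_STAT_MSG checks appear twice, once right after the CONTENT_BUF_URI check and again after CONTENT_BUF_RAW_COOKIE; the second pair only re-sets bits already set and should be dropped, since as written it reads as though two different flags were intended. In the flow hunk csdata->unestablished and otn->unestablished are now forced to 0 whatever FLOW_ESTABLISHED says, which looks deliberate but deserves a one-line comment such as `/* unestablished/stateless are no longer derived from SO flow flags */`. The enclosing functions start outside these hunks.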
@@ -414,6 +602,7 @@ fpl = AddOptFuncToList(CheckFlow, otn); fpl->type = RULE_OPTION_TYPE_FLOW; fpl->context = (void *)csdata; + otn->ds_list[PLUGIN_CLIENTSERVER] = (void *)csdata; return 1; } @@ -458,6 +647,7 @@ void *dup; data->offset = cursor->offset; + data->offset_var = GetVarByName(cursor->offset_refId); if (cursor->flags & CONTENT_RELATIVE) data->flags |= ISDATAAT_RELATIVE_FLAG; if (cursor->flags & CONTENT_BUF_RAW) @@ -508,7 +698,9 @@ byte_test->bytes_to_compare = byte->bytes; byte_test->cmp_value = byte->value; + byte_test->cmp_value_var = GetVarByName(byte->value_refId); byte_test->offset = byte->offset; + byte_test->offset_var = GetVarByName(byte->offset_refId); if (byte->flags & NOT_FLAG) byte_test->not_flag = 1; @@ -528,7 +720,7 @@ byte_test->endianess = BIG; else byte_test->endianess = LITTLE; - + if (byte->flags & EXTRACT_AS_DEC) byte_test->base = 10; if (byte->flags & EXTRACT_AS_OCT) @@ -538,7 +730,7 @@ fpl = AddOptFuncToList(ByteTest, otn); fpl->type = RULE_OPTION_TYPE_BYTE_TEST; - + if (add_detection_option(RULE_OPTION_TYPE_BYTE_TEST, (void *)byte_test, &idx_dup) == DETECTION_OPTION_EQUAL) { free(byte_test); @@ -562,6 +754,7 @@ byte_jump->bytes_to_grab = byte->bytes; byte_jump->offset = byte->offset; + byte_jump->offset_var = GetVarByName(byte->offset_refId); byte_jump->multiplier = byte->multiplier; byte_jump->post_offset = byte->post_offset; 
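Review bot: `otn->ds_list[PLUGIN_CLIENTSERVER] = (void *)csdata;` stores a pointer that, after the add_detection_option check in the preceding hunk, may be the shared duplicate rather than this rule's own allocation; whoever tears down the OTN must therefore not free ds_list entries of this type, and nothing at the assignment records that. A comment, `/* shared with the detection option tree; the OTN does not own this pointer */`, would make the ownership explicit. The same pattern recurs for PLUGIN_BASE64_DECODE in ConvertBase64DecodeOption further down this file, where the assignment is additionally made before the duplicate check. The enclosing function starts outside the hunk.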
@@ -601,6 +794,63 @@ static int ConvertByteExtractOption(Rule *rule, int index, OptTreeNode *otn) { + ByteExtract *so_byte = rule->options[index]->option_u.byteExtract; + ByteExtractData *snort_byte = SnortAlloc(sizeof(ByteExtractData)); + OptFpList *fpl; + void *dup; + + /* Clear out sp_byte_extract.c's variable_names array if this is the first + byte_extract option in the rule. */ + ClearVarNames(otn->opt_func); + + /* Copy over the various struct members */ + snort_byte->bytes_to_grab = so_byte->bytes; + snort_byte->offset = so_byte->offset; + snort_byte->align = so_byte->align; + snort_byte->name = strdup(so_byte->refId); + + /* In an SO rule, setting multiplier to 0 means that the multiplier is + ignored. This is not the case in the text rule version of byte_extract. */ + if (so_byte->multiplier) + snort_byte->multiplier = so_byte->multiplier; + else + snort_byte->multiplier = 1; + + if (so_byte->flags & CONTENT_RELATIVE) + snort_byte->relative_flag = 1; + + if (so_byte->flags & EXTRACT_AS_STRING) + snort_byte->data_string_convert_flag = 1; + + if (so_byte->flags & BYTE_BIG_ENDIAN) + snort_byte->endianess = BIG; + else + snort_byte->endianess = LITTLE; + + if (so_byte->flags & EXTRACT_AS_HEX) + snort_byte->base = 16; + if (so_byte->flags & EXTRACT_AS_DEC) + snort_byte->base = 10; + if (so_byte->flags & EXTRACT_AS_OCT) + snort_byte->base = 8; + + snort_byte->var_number = AddVarNameToList(snort_byte); + snort_byte->byte_order_func = NULL; + + /* Add option to list */ + fpl = AddOptFuncToList(DetectByteExtract, otn); + fpl->type = RULE_OPTION_TYPE_BYTE_EXTRACT; + if (add_detection_option(RULE_OPTION_TYPE_BYTE_EXTRACT, (void *)snort_byte, &dup) == DETECTION_OPTION_EQUAL) + { + free(snort_byte->name); + free(snort_byte); + snort_byte = dup; + } + + fpl->context = (void *) snort_byte; + if (snort_byte->relative_flag) + fpl->isRelative = 1; + return 0; } 
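Review bot: `snort_byte->name = strdup(so_byte->refId);` is the only allocation in ConvertByteExtractOption that goes unchecked: strdup returns NULL on failure, and that NULL name would later reach the duplicate-path free and the variable-name list. Using the project's wrapper, `snort_byte->name = SnortStrdup(so_byte->refId);`, keeps the behaviour uniform with the rest of the file (SnortStrdup is used elsewhere in this diff). The comment above ClearVarNames says the reset happens only for the first byte_extract option of a rule, but the call is unconditional; either ClearVarNames performs that check itself, which the comment should say, or earlier options' names are being discarded. The function also returns 0 where every other converter returns 1; the caller only tests for negative values, so this is harmless, but `return 1;` would be consistent.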
@@ -614,4 +864,80 @@ return 0; } +static int ConvertFileDataOption(Rule *rule, int index, OptTreeNode *otn) +{ + CursorInfo *cursor = rule->options[index]->option_u.cursor; + FileData *data = (FileData *) SnortAlloc(sizeof(FileData)); + OptFpList *fpl; + void *dup; + + if (cursor->flags & BUF_FILE_DATA_MIME) + data->mime_decode_flag = 1; + else + data->mime_decode_flag = 0; + + if (add_detection_option(RULE_OPTION_TYPE_FILE_DATA, (void *)data, &dup) == DETECTION_OPTION_EQUAL) + { + free(data); + data = dup; + } + + fpl = AddOptFuncToList(FileDataEval, otn); + fpl->type = RULE_OPTION_TYPE_FILE_DATA; + fpl->context = (void *)data; + + return 1; +} + +static int ConvertPktDataOption(Rule *rule, int index, OptTreeNode *otn) +{ + OptFpList *fpl; + fpl = AddOptFuncToList(PktDataEval, otn); + fpl->type = RULE_OPTION_TYPE_PKT_DATA; + + return 1; +} + + +static int ConvertBase64DataOption(Rule *rule, int index, OptTreeNode *otn) +{ + OptFpList *fpl; + fpl = AddOptFuncToList(Base64DataEval, otn); + fpl->type = RULE_OPTION_TYPE_BASE64_DATA; + + return 1; +} + +static int ConvertBase64DecodeOption(Rule *rule, int index, OptTreeNode *otn) +{ + base64DecodeData *bData = rule->options[index]->option_u.bData; + Base64DecodeData *data = (Base64DecodeData *) SnortAlloc(sizeof(Base64DecodeData)); + OptFpList *fpl; + void *dup; + + if (bData->relative) + data->flags |= BASE64DECODE_RELATIVE_FLAG; + else + data->flags = 0; + + data->offset = bData->offset; + data->bytes_to_decode = bData->bytes; + + otn->ds_list[PLUGIN_BASE64_DECODE] = data; + + if (add_detection_option(RULE_OPTION_TYPE_BASE64_DECODE, (void *)data, &dup) == DETECTION_OPTION_EQUAL) + { + free(data); + data = dup; + } + + fpl = AddOptFuncToList(Base64DecodeEval, otn); + fpl->type = RULE_OPTION_TYPE_BASE64_DECODE; + fpl->context = (void *)data; + + if (data->flags & BASE64DECODE_RELATIVE_FLAG) + fpl->isRelative = 1; + return 1; +} + #endif /* DYNAMIC_PLUGIN */ diff -Nru 
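Review bot: In ConvertBase64DecodeOption, `otn->ds_list[PLUGIN_BASE64_DECODE] = data;` is executed before add_detection_option, so when the option is a duplicate the block is freed and `data` repointed at `dup` while ds_list keeps the stale pointer, a use-after-free for any later reader of that slot. Move the assignment below the duplicate check, next to `fpl->context = (void *)data;`. The `else data->flags = 0;` branch is redundant if SnortAlloc zero-fills, which the `|=` in the other branch already assumes, and can go. ConvertPktDataOption and ConvertBase64DataOption leave rule and index unused, which is fine for the converter table but could be noted with a short comment.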
snort-2.8.5.2/src/dynamic-plugins/sf_convert_dynamic.h snort-2.9.2/src/dynamic-plugins/sf_convert_dynamic.h --- snort-2.8.5.2/src/dynamic-plugins/sf_convert_dynamic.h 2009-07-07 15:37:04.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_convert_dynamic.h 2011-02-09 23:23:08.000000000 +0000 @@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_dynamic_common.h snort-2.9.2/src/dynamic-plugins/sf_dynamic_common.h --- snort-2.8.5.2/src/dynamic-plugins/sf_dynamic_common.h 2009-05-06 22:28:40.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_dynamic_common.h 2011-10-26 18:28:52.000000000 +0000 @@ -14,7 +14,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * */ #ifndef _SF_DYNAMIC_COMMON_H_ 
@@ -26,21 +26,42 @@ #include #endif +typedef enum { + SF_FLAG_ALT_DECODE = 0x0001, + SF_FLAG_ALT_DETECT = 0x0002, + SF_FLAG_DETECT_ALL = 0xffff +} SFDetectFlagType; + typedef void (*LogMsgFunc)(const char *, ...); -typedef void (*DebugMsgFunc)(int, char *, ...); -#ifdef HAVE_WCHAR_H -typedef void (*DebugWideMsgFunc)(int, wchar_t *, ...); +typedef void (*DebugMsgFunc)(uint64_t, char *, ...); +typedef int (*GetAltDetectFunc)(uint8_t **, uint16_t *); +typedef void (*SetAltDetectFunc)(uint8_t *,uint16_t ); +typedef int (*IsDetectFlagFunc)(SFDetectFlagType); +typedef void (*DetectFlagDisableFunc)(SFDetectFlagType); +#ifdef SF_WCHAR +#include +typedef void (*DebugWideMsgFunc)(uint64_t, wchar_t *, ...); #endif #define STD_BUF 1024 -#define MAX_URIINFOS 5 - -#define HTTP_BUFFER_URI 0 -#define HTTP_BUFFER_HEADER 1 -#define HTTP_BUFFER_CLIENT_BODY 2 -#define HTTP_BUFFER_METHOD 3 -#define HTTP_BUFFER_COOKIE 4 +#ifndef DECODE_BLEN +#define DECODE_BLEN 65535 +typedef enum +{ + HTTP_BUFFER_URI, + HTTP_BUFFER_RAW_URI, + HTTP_BUFFER_HEADER, + HTTP_BUFFER_RAW_HEADER, + HTTP_BUFFER_CLIENT_BODY, + HTTP_BUFFER_METHOD, + HTTP_BUFFER_COOKIE, + HTTP_BUFFER_RAW_COOKIE, + HTTP_BUFFER_STAT_CODE, + HTTP_BUFFER_STAT_MSG, + HTTP_BUFFER_MAX +} HTTP_BUFFER; +#endif typedef struct _UriInfo { @@ -50,4 +71,14 @@ } UriInfo; +typedef struct { + uint8_t *data; + uint16_t len; +} SFDataPointer; + +typedef struct { + uint8_t data[DECODE_BLEN]; + uint16_t len; +} SFDataBuffer; + #endif /* _SF_DYNAMIC_COMMON_H_ */ diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_dynamic_define.h snort-2.9.2/src/dynamic-plugins/sf_dynamic_define.h --- snort-2.8.5.2/src/dynamic-plugins/sf_dynamic_define.h 2009-05-06 22:28:40.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_dynamic_define.h 2011-06-08 00:33:10.000000000 +0000 
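Review bot: The HTTP_BUFFER enum is placed inside `#ifndef DECODE_BLEN`, so whether this header provides HTTP_BUFFER_URI..HTTP_BUFFER_MAX depends on whether an earlier include happened to define an unrelated size macro; a translation unit that has DECODE_BLEN but not the enum fails at `UriInfo *uriBuffers[HTTP_BUFFER_MAX]` in sf_dynamic_engine.h, and the reverse produces a redefinition. Giving the enum its own guard macro (constructed example: `#ifndef SF_HTTP_BUFFER_ENUM_DEFINED`) separates the two concerns. SFDataBuffer pairs `uint8_t data[DECODE_BLEN]` with `uint16_t len`, which only works because 65535 is exactly UINT16_MAX; a comment at the struct, `/* DECODE_BLEN must stay <= UINT16_MAX because len is uint16_t */`, would stop a later bump of the buffer size from silently truncating lengths.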
@@ -14,7 +14,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2007-2009 Sourcefire, Inc. + * Copyright (C) 2007-2011 Sourcefire, Inc. * * Author: Russ Combs * @@ -29,6 +29,9 @@ /* the OPTION_TYPE_* and FLOW_* values * are used as args to the hasFunc() * which replaces the prior has*Func()s. + * + * Try to add values to the end (just before OPTION_TYPE_MAX). Also, look + * at OptionConverterArray in sf_convert_dynamic.c to make sure types align. */ typedef enum { OPTION_TYPE_PREPROCESSOR, @@ -44,10 +47,15 @@ OPTION_TYPE_BYTE_EXTRACT, OPTION_TYPE_SET_CURSOR, OPTION_TYPE_LOOP, + OPTION_TYPE_FILE_DATA, + OPTION_TYPE_PKT_DATA, + OPTION_TYPE_BASE64_DATA, + OPTION_TYPE_BASE64_DECODE, OPTION_TYPE_MAX } DynamicOptionType; -#define FLOW_ESTABLISHED 0x0010 +// beware: these are redefined from sf_snort_packet.h FLAG_*! +#define FLOW_ESTABLISHED 0x0008 #define FLOW_FR_SERVER 0x0040 #define FLOW_TO_CLIENT 0x0040 /* Just for convenience */ #define FLOW_TO_SERVER 0x0080 @@ -58,8 +66,10 @@ #define SNORT_PCRE_OVERRIDE_MATCH_LIMIT 0x8000000 +#ifndef SO_PUBLIC #if defined _WIN32 || defined __CYGWIN__ -# if defined SF_SNORT_ENGINE_DLL || defined SF_SNORT_DETECTION_DLL || defined SF_SNORT_PREPROC_DLL +# if defined SF_SNORT_ENGINE_DLL || defined SF_SNORT_DETECTION_DLL || \ + defined SF_SNORT_PREPROC_DLL # ifdef __GNUC__ # define SO_PUBLIC __attribute__((dllexport)) # else @@ -74,7 +84,7 @@ # endif # define DLL_LOCAL #else -# ifdef HAVE_VISIBILITY +# ifdef SF_VISIBILITY # define SO_PUBLIC __attribute__ ((visibility("default"))) # define SO_PRIVATE __attribute__ ((visibility("hidden"))) # else 
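Review bot: The new comment `// beware: these are redefined from sf_snort_packet.h FLAG_*!` documents an invariant that only a human checks, and the value of FLOW_ESTABLISHED changing from 0x0010 to 0x0008 in the same hunk is exactly the kind of drift such a comment cannot catch. In a translation unit that sees both headers, a preprocessor check along the lines of `#if FLOW_ESTABLISHED != FLAG_COUNTERPART_PLACEHOLDER` / `#error "FLOW_ESTABLISHED out of sync with sf_snort_packet.h"` / `#endif` (placeholder for the sf_snort_packet.h name) would turn the comment into a build failure. The same applies to the CONTENT_HTTP_* values added in the next hunk of this file, whose comment says they need to match HTTP_SEARCH_xxx in sp_pattern_match.h. Since SO rules compiled against the old 0x0010 now see a different meaning for that bit, the ENGINE_DATA_VERSION bump later in this diff is what protects against mixing old binaries, and the comment could say so.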
@@ -82,6 +92,20 @@ # define SO_PRIVATE # endif #endif +#endif + +/* Parameters are rule info pointer, int to indicate URI or NORM, + * and list pointer */ +/* These need to match HTTP_SEARCH_xxx defined in sp_pattern_match.h + * for proper fast pattern match pattern selection */ +#define CONTENT_HTTP_URI 0x01 +#define CONTENT_HTTP_HEADER 0x04 +#define CONTENT_HTTP_CLIENT_BODY 0x10 +#define CONTENT_HTTP_METHOD 0x20 + +#define CONTENT_NORMAL 0x400 +#define CONTENT_HTTP (CONTENT_HTTP_URI|CONTENT_HTTP_HEADER|\ + CONTENT_HTTP_CLIENT_BODY|CONTENT_HTTP_METHOD) #endif /* _SF_DYNAMIC_DEFINE_H_ */ diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_dynamic_detection.h snort-2.9.2/src/dynamic-plugins/sf_dynamic_detection.h --- snort-2.8.5.2/src/dynamic-plugins/sf_dynamic_detection.h 2009-05-06 22:28:41.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_dynamic_detection.h 2011-02-09 23:23:08.000000000 +0000 @@ -15,7 +15,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steven Sturges * diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_dynamic_engine.h snort-2.9.2/src/dynamic-plugins/sf_dynamic_engine.h --- snort-2.8.5.2/src/dynamic-plugins/sf_dynamic_engine.h 2009-07-07 15:37:04.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_dynamic_engine.h 2011-11-21 20:15:24.000000000 +0000 @@ -14,7 +14,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steven Sturges * @@ -24,10 +24,6 @@ #ifndef _SF_DYNAMIC_ENGINE_H_ #define _SF_DYNAMIC_ENGINE_H_ -#ifdef HAVE_CONFIG_H -#include -#endif - #ifndef WIN32 #include #else 
@@ -36,9 +32,8 @@ #include "sf_dynamic_define.h" #include "sf_dynamic_meta.h" -#include "sf_types.h" -/* specifies that a function does not return +/* specifies that a function does not return * used for quieting Visual Studio warnings */ #ifdef WIN32 
@@ -61,40 +56,64 @@ * Fast Pattern Content information. */ typedef struct _FPContentInfo { - int length; char *content; + int length; + int offset; + int depth; char noCaseFlag; + char exception_flag; + char is_relative; + char fp; + char fp_only; + char uri_buffer; + uint16_t fp_offset; + uint16_t fp_length; + struct _FPContentInfo *next; + } FPContentInfo; -/* Parameters are rule info pointer, int to indicate URI or NORM, - * and list pointer */ -#define FASTPATTERN_NORMAL 0x01 -#define FASTPATTERN_URI 0x02 -typedef int (*GetFPContentFunction)(void *, int, FPContentInfo**, int); + +typedef int (*GetDynamicContentsFunction)(void *, int, FPContentInfo **); +typedef int (*GetDynamicPreprocOptFpContentsFunc)(void *, FPContentInfo **); typedef void (*RuleFreeFunc)(void *); /* ruleInfo is passed to OTNCheckFunction when the fast pattern matches. */ typedef int (*RegisterRule)( - u_int32_t, u_int32_t, void *, + uint32_t, uint32_t, void *, OTNCheckFunction, OTNHasFunction, - int, GetFPContentFunction, RuleFreeFunc + int, GetDynamicContentsFunction, RuleFreeFunc, + GetDynamicPreprocOptFpContentsFunc ); -typedef u_int32_t (*RegisterBit)(char *, int); -typedef int (*CheckFlowbit)(void *, int, u_int32_t); -typedef int (*DetectAsn1)(void *, void *, const u_int8_t *); -typedef int (*PreprocOptionEval)(void *p, const u_int8_t **cursor, void *dataPtr); +typedef uint32_t (*RegisterBit)(char *, int); +typedef void (*UnregisterBit)(char *, int); +typedef int (*CheckFlowbit)(void *, int, uint32_t); +typedef int (*DetectAsn1)(void *, void *, const uint8_t *); +typedef int (*PreprocOptionEval)(void *p, const uint8_t **cursor, void *dataPtr); typedef int (*PreprocOptionInit)(char *, char *, void **dataPtr); typedef void (*PreprocOptionCleanup)(void *dataPtr); +typedef int (*SfUnfold)(const uint8_t *, uint32_t , uint8_t *, uint32_t , uint32_t *); +typedef int (*SfBase64Decode)(uint8_t *, uint32_t , uint8_t *, uint32_t , uint32_t *); #define PREPROC_OPT_EQUAL 0 #define 
PREPROC_OPT_NOT_EQUAL 1 -typedef u_int32_t (*PreprocOptionHash)(void *); +typedef uint32_t (*PreprocOptionHash)(void *); typedef int (*PreprocOptionKeyCompare)(void *, void *); +/* Function prototype for rule options that want to add patterns to the + * fast pattern matcher */ +typedef int (*PreprocOptionFastPatternFunc) + (void *rule_opt_data, int protocol, int direction, FPContentInfo **info); +typedef int (*PreprocOptionOtnHandler)(void *); +typedef int (*PreprocOptionByteOrderFunc)(void *, int32_t); + typedef int (*RegisterPreprocRuleOpt)( char *, PreprocOptionInit, PreprocOptionEval, - PreprocOptionCleanup, PreprocOptionHash, PreprocOptionKeyCompare); + PreprocOptionCleanup, PreprocOptionHash, PreprocOptionKeyCompare, + PreprocOptionOtnHandler, PreprocOptionFastPatternFunc); typedef int (*PreprocRuleOptInit)(void *); -typedef void (*SetRuleData)(void *, void *); -typedef void *(*GetRuleData)(void *); +typedef void (*SessionDataFree)(void *); +typedef int (*SetRuleData)(void *, void *, uint32_t, SessionDataFree); +typedef void *(*GetRuleData)(void *, uint32_t); +typedef void * (*AllocRuleData)(size_t); +typedef void (*FreeRuleData)(void *); /* Info Data passed to dynamic engine plugin must include: * version @@ -109,7 +128,7 @@ */ #include "sf_dynamic_common.h" -#define ENGINE_DATA_VERSION 5 +#define ENGINE_DATA_VERSION 6 typedef void *(*PCRECompileFunc)(const char *, int, const char **, int *, const unsigned char *); typedef void *(*PCREStudyFunc)(const void *, int, const char **); @@ -118,8 +137,12 @@ typedef struct _DynamicEngineData { int version; - u_int8_t *altBuffer; - UriInfo *uriBuffers[MAX_URIINFOS]; + + SFDataBuffer *altBuffer; + SFDataPointer *altDetect; + SFDataPointer *fileDataBuf; + UriInfo *uriBuffers[HTTP_BUFFER_MAX]; + RegisterRule ruleRegister; RegisterBit flowbitRegister; CheckFlowbit flowbitCheck; @@ -135,7 +158,7 @@ GetRuleData getRuleData; DebugMsgFunc debugMsg; -#ifdef HAVE_WCHAR_H +#ifdef SF_WCHAR DebugWideMsgFunc debugWideMsg; #endif 
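Review bot: `SfBase64Decode` takes its input buffer as `uint8_t *` while the neighbouring `SfUnfold` typedef takes `const uint8_t *`; if the decoder does not write to its source, declaring the input `const uint8_t *` lets callers pass packet payload without casting away const. FPContentInfo has been reordered and grown (`length` moved after `content`, new `fp`, `fp_only`, `fp_offset`, `fp_length`, `next`), and DynamicEngineData gains members ahead of `ruleRegister`; both cross the SO-rule boundary, so a one-line comment on each struct stating that field order is ABI and tied to ENGINE_DATA_VERSION (bumped to 6 in this hunk set) would help the next person who inserts a field. The new SessionDataFree/SetRuleData/GetRuleData typedefs carry no note on who owns the stored pointer; a comment such as `/* SetRuleData takes ownership of data and calls SessionDataFree on it when the session ends */` would capture what DynamicSetRuleData implements later in this diff.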
@@ -145,9 +168,22 @@ PCRECompileFunc pcreCompile; PCREStudyFunc pcreStudy; PCREExecFunc pcreExec; + SfUnfold sfUnfold; + SfBase64Decode sfbase64decode; + GetAltDetectFunc GetAltDetect; + SetAltDetectFunc SetAltDetect; + IsDetectFlagFunc Is_DetectFlag; + DetectFlagDisableFunc DetectFlag_Disable; + + AllocRuleData allocRuleData; + FreeRuleData freeRuleData; + + UnregisterBit flowbitUnregister; } DynamicEngineData; +extern DynamicEngineData _ded; + /* Function prototypes for Dynamic Engine Plugins */ void CloseDynamicEngineLibs(void); void LoadAllDynamicEngineLibs(char *path); @@ -165,4 +201,17 @@ */ NORETURN void DynamicEngineFatalMessage(const char *format, ...); +typedef struct _PreprocessorOptionInfo +{ + PreprocOptionInit optionInit; + PreprocOptionEval optionEval; + PreprocOptionCleanup optionCleanup; + void *data; + PreprocOptionHash optionHash; + PreprocOptionKeyCompare optionKeyCompare; + PreprocOptionOtnHandler otnHandler; + PreprocOptionFastPatternFunc optionFpFunc; + +} PreprocessorOptionInfo; + #endif /* _SF_DYNAMIC_ENGINE_H_ */ diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_dynamic_meta.h snort-2.9.2/src/dynamic-plugins/sf_dynamic_meta.h --- snort-2.8.5.2/src/dynamic-plugins/sf_dynamic_meta.h 2009-01-26 16:26:08.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_dynamic_meta.h 2011-02-09 23:23:08.000000000 +0000 @@ -14,7 +14,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steven Sturges * diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_dynamic_plugins.c snort-2.9.2/src/dynamic-plugins/sf_dynamic_plugins.c --- snort-2.8.5.2/src/dynamic-plugins/sf_dynamic_plugins.c 2009-08-10 21:26:41.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_dynamic_plugins.c 2011-11-21 20:15:24.000000000 +0000 
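Review bot: The members added to DynamicEngineData mix naming styles: `sfUnfold`, `sfbase64decode`, `allocRuleData` follow the existing lower-camel members while `GetAltDetect`, `SetAltDetect`, `Is_DetectFlag` and `DetectFlag_Disable` do not; since this struct is the public ABI of the engine plugin interface, settling on one style now (e.g. `getAltDetect`, `setAltDetect`, `isDetectFlag`, `detectFlagDisable`) avoids carrying the mismatch indefinitely. `extern DynamicEngineData _ded;` exposes a file-scope identifier beginning with an underscore, which C reserves for the implementation (C11 7.1.3); if `_ded` is already the established name in the engine sources this is only a note, otherwise a non-reserved name is preferable. PreprocessorOptionInfo says nothing about which callbacks may be NULL, yet the converter in this diff leaves optionCleanup, optionHash, optionKeyCompare and otnHandler unset; `/* any callback may be NULL; see ConvertPreprocessorOption */` on the struct would document the contract.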
@@ -17,7 +17,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steven Sturges * @@ -27,7 +27,7 @@ #ifdef DYNAMIC_PLUGIN #ifdef HAVE_CONFIG_H -#include +#include "config.h" #endif #ifndef WIN32 @@ -52,7 +52,7 @@ /* Of course, WIN32 couldn't do things the unix way... * Define a few of these to get around portability issues. */ -#define getcwd _getcwd +#define getcwd _getcwd #ifndef PATH_MAX #define PATH_MAX MAX_PATH #endif @@ -62,10 +62,9 @@ #include "config.h" #include "decode.h" -#include "debug.h" +#include "encode.h" +#include "snort_debug.h" #include "detect.h" -extern u_int8_t DecodeBuffer[DECODE_BLEN]; /* decode.c */ -extern HttpUri UriBufs[URI_COUNT]; /* detect.c */ #include "util.h" #include "snort.h" #include "sf_dynamic_engine.h" @@ -77,22 +76,27 @@ #include "event_queue.h" #include "plugbase.h" #include "sfthreshold.h" -#include "inline.h" +#include "active.h" #include "mstring.h" #include "sfsnprintfappend.h" #include "stream_api.h" #include "sf_iph.h" +#include "fpdetect.h" +#include "sfportobject.h" #include +#include "parser.h" +#include "event_wrapper.h" +#include "util.h" +#include "detection_util.h" +#include "sfcontrol_funcs.h" +#include "idle_processing_funcs.h" #ifdef TARGET_BASED #include "target-based/sftarget_protocol_reference.h" #include "target-based/sftarget_reader.h" #endif -extern SnortConfig *snort_conf; -extern SnortConfig *snort_conf_for_parsing; - -#ifndef DEBUG +#ifndef DEBUG_MSGS char *no_file = "unknown"; int no_line = 0; #endif @@ -146,7 +150,9 @@ void CloseDynamicLibrary(PluginHandle handle) { #ifndef WIN32 +# ifndef DISABLE_DLCLOSE_FOR_VALGRIND_TESTING dlclose(handle); +# endif #else FreeLibrary(handle); #endif 
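Review bot: `#include "util.h"` now appears twice in the include block, once before `snort.h` and again in the newly added group after `event_wrapper.h`; harmless under include guards, but the second one should be dropped. The `DISABLE_DLCLOSE_FOR_VALGRIND_TESTING` guard turns CloseDynamicLibrary into a no-op on non-Windows builds with no explanation at the definition; a line such as `/* keep plugin symbols mapped so valgrind can resolve stack traces from SO code */` at the `# ifndef` would say why a build might be configured that way. The function's closing brace lies outside the hunk.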
@@ -341,12 +347,12 @@ if ( count == 0 ) { - LogMessage("Warning: No dynamic libraries found in directory %s!\n", path); + LogMessage("WARNING: No dynamic libraries found in directory %s.\n", path); } } else { - LogMessage("Warning: Directory %s does not exist!\n", path); + LogMessage("WARNING: Directory %s does not exist.\n", path); } #else /* Find all shared library files in path */ @@ -459,7 +465,7 @@ int testNum = 0; DynamicEnginePlugin *curPlugin = loadedEngines; CompatibilityFunc versFunc = NULL; - + while( curPlugin != NULL) { versFunc = (CompatibilityFunc)curPlugin->versCheck; @@ -468,19 +474,19 @@ { DynamicDetectionPlugin *lib = loadedDetectionPlugins; while( lib != NULL) - { - if (lib->metaData.type == TYPE_DETECTION) + { + if (lib->metaData.type == TYPE_DETECTION) { RequiredEngineLibFunc engineFunc; DynamicPluginMeta reqEngineMeta; - + engineFunc = (RequiredEngineLibFunc) getSymbol(lib->handle, "EngineVersion", &(lib->metaData), 1); if( engineFunc != NULL) { engineFunc(&reqEngineMeta); } testNum = versFunc(&curPlugin->metaData, &reqEngineMeta); - if( testNum ) + if( testNum ) { FatalError("Dynamic detection lib %s %d.%d isn't compatible with the current dynamic engine library " "%s %d.%d.\n" @@ -496,8 +502,8 @@ if( testNum ) break; curPlugin = curPlugin->next; } - - return(testNum); + + return(testNum); } int LoadDynamicEngineLib(char *library_name, int indent) @@ -511,7 +517,7 @@ #if 0 #ifdef SUP_IP6 LogMessage("%sDynamic engine will not be loaded since dynamic detection " - "libraries are not yet supported with IPv6.\n", + "libraries are not yet supported with IPv6.\n", indent?" ":""); return 0; #endif @@ -534,10 +540,10 @@ CloseDynamicLibrary(handle); LogMessage("failed, not an Engine\n"); return 0; - } - + } + AddEnginePlugin(handle, engineInit, compatFunc, &metaData); - + LogMessage("done\n"); return 0; } 
@@ -990,7 +996,7 @@ detectionLibOkay = 1; break; } - + /* Major match, minor must be >= */ if (!strcmp(plugin->metaData.uniqueName, reqEngineMeta.uniqueName) && plugin->metaData.major == reqEngineMeta.major && @@ -1034,7 +1040,7 @@ { if (plugin->initFunc(info)) { - FatalError("Failed to initialize dynamic engine: %s version %d.%d.%d\n", + FatalError("Failed to initialize dynamic engine: %s version %d.%d.%d\n", plugin->metaData.uniqueName, plugin->metaData.major, plugin->metaData.minor, plugin->metaData.build); //return -1; 
@@ -1045,22 +1051,150 @@ return 0; } -void DynamicSetRuleData(void *p, void *data) +typedef struct _DynamicRuleSessionData +{ + uint32_t sid; + void *data; + SessionDataFree cleanupFunc; + struct _DynamicRuleSessionData *next; + +} DynamicRuleSessionData; + +static uint32_t so_rule_memory = 0; + +static void * DynamicRuleDataAlloc(size_t size) +{ + size_t alloc_size = size + sizeof(size_t); + size_t *ret; + + if ((ScSoRuleMemcap() > 0) + && (so_rule_memory + alloc_size) > ScSoRuleMemcap()) + { + ErrorMessage("SO rule memcap exceeded: Wanted to allocate " + "%u bytes (and %d overhead) with memcap: %u and " + "current memory: %u\n", (uint32_t)size, + (int)sizeof(size_t), ScSoRuleMemcap(), so_rule_memory); + return NULL; + } + + ret = (size_t *)SnortAlloc(alloc_size); + ret[0] = alloc_size; + so_rule_memory += alloc_size; + return (void *)&ret[1]; +} + +static void DynamicRuleDataFree(void *data) +{ + if (data != NULL) + { + size_t *alloc_data = (size_t *)data - 1; + size_t size = alloc_data[0]; + + /* Just in case of an an imbalance of DynamicRuleDataAlloc + * and this function are used */ + if (size >= so_rule_memory) + so_rule_memory = 0; + else + so_rule_memory -= size; + free(alloc_data); + } +} + +static void DynamicRuleDataFreeSession(void *data) +{ + DynamicRuleSessionData *drsd = (DynamicRuleSessionData *)data; + + while (drsd != NULL) + { + DynamicRuleSessionData *tmp = drsd; + drsd = drsd->next; + + if (tmp->data && tmp->cleanupFunc) + tmp->cleanupFunc(tmp->data); + DynamicRuleDataFree(tmp); + } +} + +int DynamicSetRuleData(void *p, void *data, uint32_t sid, SessionDataFree sdf) { Packet *pkt = (Packet *)p; - if (stream_api && pkt) + if (stream_api && pkt && pkt->ssnptr) { - stream_api->set_application_data(pkt->ssnptr, PP_RULES, data, &free); + DynamicRuleSessionData *head = + (DynamicRuleSessionData *)stream_api->get_application_data(pkt->ssnptr, PP_SHARED_RULES); + DynamicRuleSessionData *tmp = head; + DynamicRuleSessionData *tail = NULL; + + /* Can't 
reset head without setting application data again which + * will free what's there already, so have to iterate to end of list + * Also need to iterate for duplicates */ + while (tmp != NULL) + { + if (tmp->sid == sid) + { + /* Not the same data */ + if (tmp->data != data) + { + /* Cleanup the old and replace with the new */ + if (tmp->data && tmp->cleanupFunc) + tmp->cleanupFunc(tmp->data); + tmp->data = data; + } + + tmp->cleanupFunc = sdf; + return 0; + } + + tail = tmp; + tmp = tmp->next; + } + + tmp = (DynamicRuleSessionData *)DynamicRuleDataAlloc(sizeof(DynamicRuleSessionData)); + if (tmp == NULL) + return -1; + + tmp->data = data; + tmp->sid = sid; + tmp->cleanupFunc = sdf; + + if (head == NULL) + { + if (stream_api->set_application_data(pkt->ssnptr, PP_SHARED_RULES, + (void *)tmp, DynamicRuleDataFreeSession) != 0) + { + DynamicRuleDataFree(tmp); + return -1; + } + } + else + { + tail->next = tmp; + } + + return 0; } + + return -1; } -void *DynamicGetRuleData(void *p) +void * DynamicGetRuleData(void *p, uint32_t sid) { Packet *pkt = (Packet *)p; - if (stream_api && pkt) + + if (stream_api && pkt && pkt->ssnptr) { - return stream_api->get_application_data(pkt->ssnptr, PP_RULES); + DynamicRuleSessionData *head = + (DynamicRuleSessionData *)stream_api->get_application_data(pkt->ssnptr, PP_SHARED_RULES); + + while (head != NULL) + { + if (head->sid == sid) + return head->data; + + head = head->next; + } } + return NULL; } 
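Review bot: In DynamicSetRuleData the new node is linked with `tail->next = tmp;` without `tmp->next` ever being assigned, so list termination relies on SnortAlloc zero-filling the block inside DynamicRuleDataAlloc; an explicit `tmp->next = NULL;` right after the allocation succeeds costs nothing and survives a later change of allocator. DynamicRuleDataAlloc returns `&ret[1]`, so the payload is aligned only to sizeof(size_t); on 32-bit builds that is 4 bytes, below what plugin session data holding a double or uint64_t may need, and reserving a header of the platform's maximum alignment (or rounding the header up to 8 or 16 bytes) would avoid misaligned access. The memcap ErrorMessage prints ScSoRuleMemcap() with `%u`, which is only correct if that accessor returns an unsigned int-sized value, something the hunk does not show; a cast like the one already applied to `size` would pin it. The comment in DynamicRuleDataFree reads `an an imbalance`.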
@@ -1138,14 +1272,22 @@ return pcre_exec((const pcre *)code, (const pcre_extra *)extra, subj, len, start, options, ovec, ovecsize); } +static int setFlowId(const void* p, uint32_t id) +{ + return DAQ_ModifyFlow(p, id); +} + int InitDynamicEngines(char *dynamic_rules_path) { int i; DynamicEngineData engineData; engineData.version = ENGINE_DATA_VERSION; - engineData.altBuffer = &DecodeBuffer[0]; - for (i=0;iinitFunc(info)) + int i = plugin->initFunc(info); + if (i) { - FatalError("Failed to initialize dynamic preprocessor: %s version %d.%d.%d\n", + FatalError("Failed to initialize dynamic preprocessor: %s version %d.%d.%d (%d)\n", plugin->metaData.uniqueName, plugin->metaData.major, - plugin->metaData.minor, plugin->metaData.build); + plugin->metaData.minor, plugin->metaData.build, i); //return -1; } 
@@ -1210,16 +1365,31 @@ /* Do this to avoid exposing Packet & PreprocessFuncNode from * snort to non-GPL code */ typedef void (*SnortPacketProcessFunc)(Packet *, void *); -void *AddPreprocessor(void (*func)(void *, void *), u_int16_t priority, - u_int32_t preproc_id, u_int32_t proto_mask) +void *AddPreprocessor(void (*pp_func)(void *, void *), uint16_t priority, + uint32_t preproc_id, uint32_t proto_mask) { - SnortPacketProcessFunc preprocessorFunc = (SnortPacketProcessFunc)func; + SnortPacketProcessFunc preprocessorFunc = (SnortPacketProcessFunc)pp_func; return (void *)AddFuncToPreprocList(preprocessorFunc, priority, preproc_id, proto_mask); } -void AddPreprocessorCheck(void (*func)(void)) +typedef void (*MetadataProcessFunc)(int, const uint8_t *); +void *AddMetaEval(void (*meta_eval_func)(int, const uint8_t *), uint16_t priority, + uint32_t preproc_id) +{ + MetadataProcessFunc metaEvalFunc = (MetadataProcessFunc)meta_eval_func; + return (void *)AddFuncToPreprocMetaEvalList(metaEvalFunc, priority, preproc_id); +} + +void *AddDetection(void (*det_func)(void *, void *), uint16_t priority, + uint32_t det_id, uint32_t proto_mask) +{ + SnortPacketProcessFunc detectionFunc = (SnortPacketProcessFunc)det_func; + return (void *)AddFuncToDetectionList(detectionFunc, priority, det_id, proto_mask); +} + +void AddPreprocessorCheck(void (*pp_chk_func)(void)) { - AddFuncToConfigCheckList(func); + AddFuncToConfigCheckList(pp_chk_func); } void DynamicDisableDetection(void *p) 
@@ -1237,19 +1407,29 @@ return Detect((Packet *)p); } -int DynamicSetPreprocessorBit(void *p, u_int32_t preprocId) +int DynamicSetPreprocessorBit(void *p, uint32_t preprocId) { return SetPreprocBit((Packet *)p, preprocId); } -int DynamicSetPreprocessorReassemblyPktBit(void *p, u_int32_t preprocId) +void DynamicDropReset(void *p) +{ + Active_DropSession(); +} + +void DynamicForceDropPacket(void *p) { - return SetPreprocReassemblyPktBit((Packet *)p, preprocId); + Active_ForceDropAction((Packet *)p); } -int DynamicDropInline(void *p) +void DynamicForceDropReset(void *p) { - return InlineDrop((Packet *)p); + Active_ForceDropResetAction((Packet *)p); +} + +void DynamicActiveSetEnabled(int on_off) +{ + Active_SetEnabled(on_off); } void *DynamicGetRuleClassByName(char *name) @@ -1262,7 +1442,7 @@ return (void *)ClassTypeLookupById(snort_conf, id); } -void DynamicRegisterPreprocessorProfile(char *keyword, void *stats, int layer, void *parent) +void DynamicRegisterPreprocessorProfile(const char *keyword, void *stats, int layer, void *parent) { #ifdef PERF_PROFILING RegisterPreprocessorProfile(keyword, (PreprocStats *)stats, layer, (PreprocStats *)parent); @@ -1294,7 +1474,7 @@ sfiph_build((Packet *)p, hdr, family); } -static INLINE void DynamicIP6SetCallbacks(void *p, int family, char orig) +static inline void DynamicIP6SetCallbacks(void *p, int family, char orig) { set_callbacks((Packet *)p, family, orig); } 
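Review bot: DynamicDropReset takes `void *p` but ignores it and calls Active_DropSession() with no arguments, while its siblings DynamicForceDropPacket and DynamicForceDropReset pass `(Packet *)p` through; if the parameter is kept for interface symmetry, `(void)p; /* kept for symmetry with the other Dynamic*Drop* entry points */` silences -Wunused-parameter and records the intent, and if the session is implicit in current-packet state the comment should say that instead. The replaced wrappers returned an int status; the new drop/reset wrappers return void, so plugin callers lose any indication of whether the action was applied, which is fine only if the Active_* calls cannot fail and is worth stating.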
@@ -1320,15 +1500,127 @@ return getDefaultPolicy(); } +tSfPolicyId DynamicGetPolicyFromId(uint16_t id) +{ + return sfPolicyIdGetBinding(snort_conf->policy_config, id); +} + +void DynamicChangeRuntimePolicy(tSfPolicyId new_id, void *p) +{ + setRuntimePolicy(new_id); + ((Packet *)p)->configPolicyId = + snort_conf->targeted_policies[new_id]->configPolicyId; +} + +static void* DynamicEncodeNew (void) +{ + return (void*)Encode_New(); +} + +static void DynamicEncodeDelete (void *p) +{ + Encode_Delete((Packet*)p); +} + +static int DynamicEncodeFormat (uint32_t f, const void* p, void *c, int t) +{ + return Encode_Format(f, (Packet*)p, (Packet*)c, (PseudoPacketType)t); +} + +static void DynamicEncodeUpdate (void* p) +{ + Encode_Update((Packet*)p); +} + +void DynamicSendBlockResponseMsg(void *p, const uint8_t* buffer, uint32_t buffer_len) +{ + Packet *packet = (Packet *)p; + EncodeFlags df = (packet->packet_flags & PKT_FROM_SERVER) ? ENC_FLAG_FWD:0; + Active_SendData(packet, df, buffer, buffer_len); +} + void DynamicSetParserPolicy(tSfPolicyId id) { setParserPolicy(id); } + +void DynamicSetFileDataPtr(uint8_t *ptr, uint16_t decode_size) +{ + setFileDataPtr(ptr, decode_size); +} + +void DynamicDetectResetPtr(uint8_t *ptr, uint16_t decode_size) +{ + DetectReset(ptr, decode_size); +} + + +void DynamicSetAltDecode(uint16_t altLen) +{ + SetAltDecode(altLen); +} + int DynamicGetInlineMode(void) { return ScInlineMode(); } +long DynamicSnortStrtol(const char *nptr, char **endptr, int base) +{ + return SnortStrtol(nptr,endptr,base); +} + +unsigned long DynamicSnortStrtoul(const char *nptr, char **endptr, int base) +{ + return SnortStrtoul(nptr,endptr,base); +} + +const char *DynamicSnortStrnStr(const char *s, int slen, const char *accept) +{ + return SnortStrnStr(s, slen, accept); +} + + +const char *DynamicSnortStrcasestr(const char *s, int slen, const char *accept) +{ + return SnortStrcasestr(s, slen, accept); +} + +int DynamicSnortStrncpy(char *dst, const char *src, size_t 
dst_size) +{ + return SnortStrncpy(dst, src, dst_size); +} + +const char *DynamicSnortStrnPbrk(const char *s, int slen, const char *accept) +{ + return SnortStrnPbrk(s, slen, accept); +} + +int DynamicEvalRTN(void *rtn, void *p, int check_ports) +{ + return fpEvalRTN((RuleTreeNode *)rtn, (Packet *)p, check_ports); +} + +char *DynamicGetLogDirectory(void) +{ + return SnortStrdup(snort_conf->log_dir); +} + +uint32_t DynamicGetSnortInstance(void) +{ + return (snort_conf->event_log_id >> 16); +} + +bool DynamicIsPafEnabled(void) +{ + return ScPafEnabled(); +} + +int DynamicSnortIsStrEmpty(const char *s) +{ + return IsEmptyStr((char*)s); +} + int InitDynamicPreprocessors(void) { int i; @@ -1336,22 +1628,26 @@ preprocData.version = PREPROCESSOR_DATA_VERSION; preprocData.size = sizeof(DynamicPreprocessorData); - preprocData.altBuffer = &DecodeBuffer[0]; - preprocData.altBufferLen = DECODE_BLEN; - for (i=0;iinitFunc()) { ErrorMessage("Failed to initialize dynamic detection library: " - "%s version %d.%d.%d\n", + "%s version %d.%d.%d\n", plugin->metaData.uniqueName, plugin->metaData.major, plugin->metaData.minor, @@ -1487,7 +1833,7 @@ { if (ruleDumpFunc()) { - LogMessage("Failed to dump the rules for Library %s %d.%d.%d\n", + LogMessage("Failed to dump the rules for Library %s %d.%d.%d\n", plugin->metaData.uniqueName, plugin->metaData.major, plugin->metaData.minor, @@ -1573,7 +1919,7 @@ return lib; } - return (void *) lib; + return (void *) lib; } void *GetNextDetectionPluginVersion(void *p) @@ -1594,7 +1940,7 @@ return lib; } - return (void *) lib; + return (void *) lib; } void *GetNextPreprocessorPluginVersion(void *p) @@ -1615,7 +1961,7 @@ return lib; } - return (void *) lib; + return (void *) lib; } DynamicPluginMeta *GetDetectionPluginMetaData(void *p) @@ -1625,7 +1971,7 @@ meta = &(lib->metaData); - return meta; + return meta; } DynamicPluginMeta *GetEnginePluginMetaData(void *p) 
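Review bot: `DynamicGetLogDirectory` hands the caller a heap copy (`SnortStrdup(snort_conf->log_dir)`) but nothing says so; a plugin reaching it through the `getLogDirectory` slot of `DynamicPreprocessorData` has no way to know it owns the buffer, so a comment `/* returns a malloc'd copy of snort_conf->log_dir; caller must free() it */` belongs on this definition and on the `GetLogDirectory` typedef in the header. `DynamicChangeRuntimePolicy` indexes `snort_conf->targeted_policies[new_id]` and dereferences the entry with no range or NULL check; if `new_id` can originate in a preprocessor rather than come back from `DynamicGetPolicyFromId`, a bad id reads past the table, so at least a comment on who validates it is warranted. `DynamicSnortIsStrEmpty` casts away `const` to call `IsEmptyStr((char*)s)`; the wrapper advertises a const contract that the callee's prototype does not, and the cleaner fix is to give `IsEmptyStr` a `const char *` parameter. `InitDynamicPreprocessors`, whose first lines close the hunk, continues outside it.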
@@ -1635,7 +1981,7 @@ meta = &(lib->metaData); - return meta; + return meta; } DynamicPluginMeta *GetPreprocessorPluginMetaData(void *p) @@ -1645,7 +1991,7 @@ meta = &(lib->metaData); - return meta; + return meta; } #endif /* DYNAMIC_PLUGIN */ diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_dynamic_preprocessor.h snort-2.9.2/src/dynamic-plugins/sf_dynamic_preprocessor.h --- snort-2.8.5.2/src/dynamic-plugins/sf_dynamic_preprocessor.h 2009-08-10 21:26:41.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_dynamic_preprocessor.h 2011-11-21 20:15:24.000000000 +0000 @@ -14,7 +14,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steven Sturges * @@ -24,19 +24,15 @@ #ifndef _SF_DYNAMIC_PREPROCESSOR_H_ #define _SF_DYNAMIC_PREPROCESSOR_H_ -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - #include -#ifdef HAVE_WCHAR_H +#ifdef SF_WCHAR #include #endif #include "sf_dynamic_meta.h" #include "ipv6_port.h" -#include "sf_types.h" +#include "obfuscation.h" -/* specifies that a function does not return +/* specifies that a function does not return * used for quieting Visual Studio warnings */ #ifdef WIN32 
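Review bot: `#include "obfuscation.h"` is added here in place of `sf_types.h` and added again in the `-64,15 +60,23` hunk of the same header a few lines later, next to the other API headers (`sfportobject.h`, `attribute_table_api.h`); one of the two is redundant and the copy here is the one to drop. Removing `#include "sf_types.h"` also means that whatever this header took from it now arrives only transitively through `sf_dynamic_meta.h` or `ipv6_port.h`, and the new typedefs below lean on `uint16_t`/`uint32_t`/`bool`; if those came from `sf_types.h`, the header is no longer self-contained and an `#include <stdint.h>`/`<stdbool.h>` pair (or keeping `sf_types.h`) is the safer choice. Dropping `config.h` from a header shipped to out-of-tree plugins is reasonable, since those builds do not have snort's config.h.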
@@ -64,15 +60,23 @@ #include "sf_dynamic_engine.h" #include "stream_api.h" #include "str_search.h" +#include "obfuscation.h" +#include "sfportobject.h" +#include "attribute_table_api.h" +#include "sfcontrol.h" +#include "idle_processing.h" #define MINIMUM_DYNAMIC_PREPROC_ID 10000 typedef void (*PreprocessorInitFunc)(char *); -typedef void * (*AddPreprocFunc)(void (*func)(void *, void *), u_int16_t, u_int32_t, u_int32_t); -typedef void (*AddPreprocExit)(void (*func) (int, void *), void *arg, u_int16_t, u_int32_t); -typedef void (*AddPreprocRestart)(void (*func) (int, void *), void *arg, u_int16_t, u_int32_t); -typedef void (*AddPreprocConfCheck)(void (*func) (void)); +typedef void * (*AddPreprocFunc)(void (*pp_func)(void *, void *), uint16_t, uint32_t, uint32_t); +typedef void * (*AddMetaEvalFunc)(void (*meta_eval_func)(int, const uint8_t *), uint16_t priority, uint32_t preproc_id); +typedef void (*AddPreprocExit)(void (*pp_exit_func) (int, void *), void *arg, uint16_t, uint32_t); +typedef void (*AddPreprocUnused)(void (*pp_unused_func) (int, void *), void *arg, uint16_t, uint32_t); +typedef void (*AddPreprocConfCheck)(void (*pp_conf_chk_func) (void)); typedef int (*AlertQueueAdd)(unsigned int, unsigned int, unsigned int, unsigned int, unsigned int, char *, void *); +typedef uint32_t (*GenSnortEvent)(Packet *p, uint32_t gid, uint32_t sid, uint32_t rev, + uint32_t classification, uint32_t priority, char *msg); #ifdef SNORT_RELOAD typedef void (*PreprocessorReloadFunc)(char *); typedef int (*PreprocessorReloadVerifyFunc)(void); @@ -81,9 +85,9 @@ #endif #ifndef SNORT_RELOAD -typedef void (*PreprocRegisterFunc)(char *, PreprocessorInitFunc); +typedef void (*PreprocRegisterFunc)(const char *, PreprocessorInitFunc); #else -typedef void (*PreprocRegisterFunc)(char *, PreprocessorInitFunc, +typedef void (*PreprocRegisterFunc)(const char *, PreprocessorInitFunc, PreprocessorReloadFunc, PreprocessorReloadSwapFunc, PreprocessorReloadSwapFreeFunc); 
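Review bot: The new `GenSnortEvent` typedef takes `Packet *p` directly, whereas every other callback in this table (`AddPreprocFunc`, `DetectFunc`, `SetPreprocBitFunc`, `DisableDetectFunc`, …) takes `void *` precisely so that `Packet` is not part of the plugin interface — the comment above `AddPreprocessor` in the .c file earlier in this diff states that intent. Unless `Packet` is now deliberately public to preprocessors, the typedef should read `typedef uint32_t (*GenSnortEvent)(void *p, uint32_t gid, uint32_t sid, uint32_t rev, uint32_t classification, uint32_t priority, char *msg);` with the cast done on the snort side like the other wrappers. `AddPreprocRestart` becoming `AddPreprocUnused` with an otherwise identical signature reads like a slot kept for layout compatibility; a one-line comment saying so would stop someone from deleting it later.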
@@ -91,27 +95,28 @@ typedef void (*AddPreprocReloadVerifyFunc)(PreprocessorReloadVerifyFunc); #endif typedef int (*ThresholdCheckFunc)(unsigned int, unsigned int, snort_ip_p, snort_ip_p, long); -typedef int (*InlineDropFunc)(void *); +typedef void (*InlineDropFunc)(void *); +typedef void (*ActiveEnableFunc)(int); typedef void (*DisableDetectFunc)(void *); -typedef int (*SetPreprocBitFunc)(void *, u_int32_t); +typedef int (*SetPreprocBitFunc)(void *, uint32_t); typedef int (*DetectFunc)(void *); typedef void *(*GetRuleInfoByNameFunc)(char *); typedef void *(*GetRuleInfoByIdFunc)(int); typedef int (*printfappendfunc)(char *, int, const char *, ...); typedef char ** (*TokenSplitFunc)(const char *, const char *, const int, int *, const char); typedef void (*TokenFreeFunc)(char ***, int); -typedef void (*AddPreprocProfileFunc)(char *, void *, int, void *); +typedef void (*AddPreprocProfileFunc)(const char *, void *, int, void *); typedef int (*ProfilingFunc)(void); typedef int (*PreprocessFunc)(void *); -typedef void (*PreprocStatsRegisterFunc)(char *, void (*func)(int)); -typedef void (*AddPreprocReset)(void (*func) (int, void *), void *arg, u_int16_t, u_int32_t); -typedef void (*AddPreprocResetStats)(void (*func) (int, void *), void *arg, u_int16_t, u_int32_t); -typedef void (*AddPreprocReassemblyPktFunc)(void * (*func)(void), u_int32_t); -typedef int (*SetPreprocReassemblyPktBitFunc)(void *, u_int32_t); +typedef void (*PreprocStatsRegisterFunc)(const char *, void (*pp_stats_func)(int)); +typedef void (*AddPreprocReset)(void (*pp_rst_func) (int, void *), void *arg, uint16_t, uint32_t); +typedef void (*AddPreprocResetStats)(void (*pp_rst_stats_func) (int, void *), void *arg, uint16_t, uint32_t); +typedef void (*AddPreprocReassemblyPktFunc)(void * (*pp_reass_pkt_func)(void), uint32_t); +typedef int (*SetPreprocReassemblyPktBitFunc)(void *, uint32_t); typedef void (*DisablePreprocessorsFunc)(void *); #ifdef TARGET_BASED -typedef int16_t (*FindProtocolReferenceFunc)(char 
*); -typedef int16_t (*AddProtocolReferenceFunc)(char *); +typedef int16_t (*FindProtocolReferenceFunc)(const char *); +typedef int16_t (*AddProtocolReferenceFunc)(const char *); typedef int (*IsAdaptiveConfiguredFunc)(tSfPolicyId, int); #endif #ifdef SUP_IP6 
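Review bot: `AddPreprocReassemblyPktFunc` and `SetPreprocReassemblyPktBitFunc` are updated to `uint32_t` here, but the only fields that used them (`addPreprocReassemblyPkt`, `setPreprocReassemblyPktBit`) are deleted from `DynamicPreprocessorData` in the `-191,13 +242,10` hunk below, and `DynamicSetPreprocessorReassemblyPktBit` is removed from the .c file earlier in the diff, so both typedefs are now dead and should go with them. `InlineDropFunc` changes its return type from `int` to `void`; a plugin built against the old header still loads and calls through the same slot, so correctness here rests entirely on `PREPROCESSOR_DATA_VERSION` having been bumped — the assignment is visible as context in the `-1336` hunk, the new value is not in the diff. `FindProtocolReferenceFunc`/`AddProtocolReferenceFunc` gaining `const char *` is the right direction; `GetRuleInfoByNameFunc`, still `(char *)` in the context lines, deserves the same treatment.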
@@ -120,15 +125,57 @@ #define SET_CALLBACK_ICMP_ORIG 1 typedef void (*IP6SetCallbacksFunc)(void *, int, char); #endif -typedef void (*AddKeywordOverrideFunc)(char *, char *, PreprocOptionInit, PreprocOptionEval, PreprocOptionCleanup, PreprocOptionHash, PreprocOptionKeyCompare); +typedef void (*AddKeywordOverrideFunc)(char *, char *, PreprocOptionInit, + PreprocOptionEval, PreprocOptionCleanup, PreprocOptionHash, + PreprocOptionKeyCompare, PreprocOptionOtnHandler, + PreprocOptionFastPatternFunc); +typedef void (*AddKeywordByteOrderFunc)(char *, PreprocOptionByteOrderFunc); + +typedef int (*IsPreprocEnabledFunc)(uint32_t); -typedef int (*IsPreprocEnabledFunc)(u_int32_t); +typedef char * (*PortArrayFunc)(char *, PortObject *, int *); typedef int (*AlertQueueLog)(void *); -typedef void (*AlertQueueReset)(void); +typedef void (*AlertQueueControl)(void); // reset, push, and pop typedef tSfPolicyId (*GetPolicyFunc)(void); typedef void (*SetPolicyFunc)(tSfPolicyId); -typedef int (*GetInlineMode)(void); +typedef tSfPolicyId (*GetPolicyFromIdFunc)(uint16_t ); +typedef void (*ChangePolicyFunc)(tSfPolicyId, void *p); +typedef void (*SetFileDataPtrFunc)(uint8_t *,uint16_t ); +typedef void (*DetectResetFunc)(uint8_t *,uint16_t ); +typedef void (*SetAltDecodeFunc)(uint16_t ); +typedef void (*DetectFlagEnableFunc)(SFDetectFlagType); +typedef long (*DynamicStrtol)(const char *, char **, int); +typedef unsigned long(*DynamicStrtoul)(const char *, char **, int); +typedef const char* (*DynamicStrnStr)(const char *, int, const char *); +typedef const char* (*DynamicStrcasestr)(const char *, int, const char *); +typedef int (*DynamicStrncpy)(char *, const char *, size_t ); +typedef const char* (*DynamicStrnPbrk)(const char *, int , const char *); + +typedef int (*EvalRTNFunc)(void *rtn, void *p, int check_ports); + +typedef void* (*EncodeNew)(void); +typedef void (*EncodeDelete)(void*); +typedef void (*EncodeUpdate)(void*); +typedef int (*EncodeFormat)(uint32_t, const void*, void*, 
int); +typedef bool (*PafEnabledFunc)(void); + +typedef char* (*GetLogDirectory)(void); +typedef uint32_t (*GetSnortInstance)(void); + +typedef int (*ControlSocketRegisterHandlerFunc)(uint16_t, OOBPreControlFunc, IBControlFunc, + OOBPostControlFunc); + +typedef int (*RegisterIdleHandler)(IdleProcessingHandler); +typedef void (*DynamicSendBlockResponse)(void *packet, const uint8_t* buffer, uint32_t buffer_len); +typedef int (*DynamicSetFlowId)(const void* p, uint32_t id); + +typedef int (*DynamicIsStrEmpty)(const char * ); +typedef void (*AddPeriodicCheck)(void (*pp_check_func) (int, void *), void *arg, uint16_t, uint32_t, uint32_t); +typedef void (*AddPostConfigFuncs)(void (*pp_post_config_func) (void *), void *arg); + +#define ENC_DYN_FWD 0x80000000 +#define ENC_DYN_NET 0x10000000 /* Info Data passed to dynamic preprocessor plugin must include: * version @@ -142,9 +189,13 @@ typedef struct _DynamicPreprocessorData { int version; - u_int8_t *altBuffer; - unsigned int altBufferLen; - UriInfo *uriBuffers[MAX_URIINFOS]; + int size; + + SFDataBuffer *altBuffer; + SFDataPointer *altDetect; + SFDataPointer *fileDataBuf; + UriInfo *uriBuffers[HTTP_BUFFER_MAX]; + LogMsgFunc logMsg; LogMsgFunc errMsg; LogMsgFunc fatalMsg; @@ -152,7 +203,7 @@ PreprocRegisterFunc registerPreproc; AddPreprocFunc addPreproc; - AddPreprocRestart addPreprocRestart; + GetSnortInstance getSnortInstance; AddPreprocExit addPreprocExit; AddPreprocConfCheck addPreprocConfCheck; RegisterPreprocRuleOpt preprocOptRegister; @@ -161,10 +212,10 @@ void *totalPerfStats; AlertQueueAdd alertAdd; + GenSnortEvent genSnortEvent; ThresholdCheckFunc thresholdCheck; - - GetInlineMode inlineMode; - InlineDropFunc inlineDrop; + InlineDropFunc inlineDropAndReset; + ActiveEnableFunc activeSetEnabled; DetectFunc detect; DisableDetectFunc disableDetect; 
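Review bot: `ENC_DYN_FWD 0x80000000` and `ENC_DYN_NET 0x10000000` are bare magic numbers dropped into the plugin header without a comment, yet `DynamicSendBlockResponseMsg` in the .c file builds its `EncodeFlags` from the engine-side `ENC_FLAG_FWD`; if the plugin constants are meant to be the same bits, say so (`/* must equal the engine's ENC_FLAG_FWD / ENC_FLAG_NET bits passed to Active_SendData */`) or define one in terms of the other so they cannot drift. `DetectFlagEnableFunc` is declared here but no field of that type appears in `DynamicPreprocessorData` in the hunks below, which carry `DetectFlagDisableFunc DetectFlag_Disable` and `IsDetectFlagFunc Is_DetectFlag` instead; if nothing elsewhere uses it, it is dead. `DynamicSetFlowId` gets a typedef and a `dynamicSetFlowId` slot, but no `DynamicSetFlowId` wrapper shows up in the .c hunks of this diff — presumably it lives in a hunk not shown, but it is worth confirming the slot is populated before a plugin calls through it.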
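Review bot: In the `-152,7 +203,7` hunk the field `AddPreprocRestart addPreprocRestart` is replaced in place by `GetSnortInstance getSnortInstance`, and in the `-142,9 +189,13` hunk `int size` moves from the tail of the struct (its old position is removed in the `-215,17 +265,64` hunk) to directly after `version`; a plugin compiled against the 2.8.5.2 layout and loaded by this snort would call `getSnortInstance` through a `void (*)(void (*)(int, void *), void *, uint16_t, uint32_t)` pointer and read `altBuffer` from where the new layout stores `size`. That is only safe if the plugin side refuses a mismatched `version` before any other slot is touched; this diff sets `preprocData.version = PREPROCESSOR_DATA_VERSION` on the snort side but the comparison in the plugin support code is not shown. A comment on `version` such as `/* checked by the plugin before any other field is read; bump whenever the layout changes */` records the contract that every later field reorder depends on.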
@@ -183,7 +234,7 @@ GetRuleInfoByNameFunc getRuleInfoByName; GetRuleInfoByIdFunc getRuleInfoById; -#ifdef HAVE_WCHAR_H +#ifdef SF_WCHAR DebugWideMsgFunc debugWideMsg; #endif @@ -191,13 +242,10 @@ char **debugMsgFile; int *debugMsgLine; - + PreprocStatsRegisterFunc registerPreprocStats; AddPreprocReset addPreprocReset; AddPreprocResetStats addPreprocResetStats; - AddPreprocReassemblyPktFunc addPreprocReassemblyPkt; - SetPreprocReassemblyPktBitFunc setPreprocReassemblyPktBit; - DisablePreprocessorsFunc disablePreprocessors; #ifdef SUP_IP6 @@ -206,7 +254,9 @@ #endif AlertQueueLog logAlerts; - AlertQueueReset resetAlerts; + AlertQueueControl resetAlerts; + AlertQueueControl pushAlerts; + AlertQueueControl popAlerts; #ifdef TARGET_BASED FindProtocolReferenceFunc findProtocolReference; 
@@ -215,17 +265,64 @@ #endif AddKeywordOverrideFunc preprocOptOverrideKeyword; + AddKeywordByteOrderFunc preprocOptByteOrderKeyword; IsPreprocEnabledFunc isPreprocEnabled; #ifdef SNORT_RELOAD AddPreprocReloadVerifyFunc addPreprocReloadVerify; #endif + PortArrayFunc portObjectCharPortArray; + GetPolicyFunc getRuntimePolicy; GetPolicyFunc getParserPolicy; GetPolicyFunc getDefaultPolicy; SetPolicyFunc setParserPolicy; - int size; + SetFileDataPtrFunc setFileDataPtr; + DetectResetFunc DetectReset; + SetAltDecodeFunc SetAltDecode; + GetAltDetectFunc GetAltDetect; + SetAltDetectFunc SetAltDetect; + IsDetectFlagFunc Is_DetectFlag; + DetectFlagDisableFunc DetectFlag_Disable; + DynamicStrtol SnortStrtol; + DynamicStrtoul SnortStrtoul; + DynamicStrnStr SnortStrnStr; + DynamicStrncpy SnortStrncpy; + DynamicStrnPbrk SnortStrnPbrk; + DynamicStrcasestr SnortStrcasestr; + EvalRTNFunc fpEvalRTN; + + ObfuscationApi *obApi; + + EncodeNew encodeNew; + EncodeDelete encodeDelete; + EncodeFormat encodeFormat; + EncodeUpdate encodeUpdate; + + AddPreprocFunc addDetect; + PafEnabledFunc isPafEnabled; + +#ifdef TARGET_BASED + HostAttributeTableApi *hostAttributeTableApi; +#endif + + GetLogDirectory getLogDirectory; + + ControlSocketRegisterHandlerFunc controlSocketRegisterHandler; + RegisterIdleHandler registerIdleHandler; + + GetPolicyFromIdFunc getPolicyFromId; + ChangePolicyFunc changeRuntimePolicy; + InlineDropFunc inlineForceDropPacket; + InlineDropFunc inlineForceDropAndReset; + DynamicIsStrEmpty SnortIsStrEmpty; + AddMetaEvalFunc addMetaEval; + DynamicSendBlockResponse dynamicSendBlockResponse; + DynamicSetFlowId dynamicSetFlowId; + AddPeriodicCheck addPeriodicCheck; + AddPostConfigFuncs addPostConfigFunc; + char **snort_conf_dir; } DynamicPreprocessorData; 
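Review bot: The new slots mix naming styles inside one struct: `setFileDataPtr`, `getLogDirectory`, `inlineForceDropPacket` follow the existing lowerCamel convention, while `DetectReset`, `SetAltDecode`, `GetAltDetect`, `SetAltDetect`, `Is_DetectFlag`, `DetectFlag_Disable`, `SnortStrtol` … `SnortIsStrEmpty` and `fpEvalRTN` copy the snort-internal function names verbatim. Since `_dpd.DetectReset(...)` is what plugin authors type, this table is the API surface, and renaming to `detectReset`, `setAltDecode`, `isDetectFlag`, `snortStrtol` and so on is cheap now and a plugin-breaking change once third-party code depends on the names. `char **snort_conf_dir` exposes snort's configuration string by address rather than through a getter like `getLogDirectory`; if plugins only read it, `const char **` (or a callback) keeps them from writing through it.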
@@ -243,4 +340,6 @@ */ NORETURN void DynamicPreprocessorFatalMessage(const char *format, ...); +extern DynamicPreprocessorData _dpd; + #endif /* _SF_DYNAMIC_PREPROCESSOR_H_ */ diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_engine/bmh.c snort-2.9.2/src/dynamic-plugins/sf_engine/bmh.c --- snort-2.8.5.2/src/dynamic-plugins/sf_engine/bmh.c 2009-01-26 16:26:09.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/bmh.c 2011-06-08 00:33:11.000000000 +0000 @@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Marc Norton * @@ -30,12 +30,15 @@ #include #include +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "bmh.h" #include "sf_dynamic_engine.h" -extern DynamicEngineData _ded; - HBM_STATIC int hbm_prepx (HBM_STRUCT *p, unsigned char * pat, int m, int nocase ) { @@ -43,24 +46,24 @@ unsigned char *t; if( !m ) return 0; if( !p ) return 0; - + p->P = pat; p->M = m; p->nocase = nocase; - + if( nocase ) /* convert to uppercase */ { t = (unsigned char*)malloc(m); if ( !t ) return 0; memcpy(t,pat,m); - + for(i=0;iPnc = t; - } + } else { p->Pnc = 0; @@ -68,18 +71,18 @@ /* Compute normal Boyer-Moore Bad Character Shift */ for(k = 0; k < 256; k++) p->bcShift[k] = m; - + if( nocase ) { - for(k = 0; k < m; k++) + for(k = 0; k < m; k++) p->bcShift[ p->Pnc[k] ] = m - k - 1; } else { - for(k = 0; k < m; k++) + for(k = 0; k < m; k++) p->bcShift[ p->P[k] ] = m - k - 1; } - + return 1; } @@ -97,7 +100,7 @@ DynamicEngineFatalMessage("Failed to allocate memory for pattern matching."); } - if( !hbm_prepx( p, pat, m, nocase) ) + if( !hbm_prepx( p, pat, m, nocase) ) { DynamicEngineFatalMessage("Error initializing pattern matching. Check arguments."); } 
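Review bot: `extern DynamicPreprocessorData _dpd;` in this header makes a leading-underscore name with external linkage part of the public plugin API; C11 7.1.3 reserves every identifier beginning with an underscore at file scope, so `_dpd` formally sits in the implementation's namespace (existing plugin code already uses it, so renaming is impractical, but the declaration deserves a comment acknowledging the choice). The header also does not say which translation unit defines `_dpd` or who fills it in, which is exactly what a plugin author needs to avoid a duplicate or missing definition at link time; a comment of the form `/* defined in <DEFINING_FILE>; filled in by <LOADER> before the preprocessor's init function runs */` with the placeholders resolved would do. The bmh.c hunk that follows removes `extern DynamicEngineData _ded;` from the .c file, presumably because `sf_dynamic_engine.h` now declares it; that declaration has the same two questions and could carry the same note.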
@@ -142,40 +145,40 @@ } m1 = px->M-1; bcShift= px->bcShift; - + //printf("bmh_match: pattern=%.*s, %d bytes \n",px->M,pat,px->M); - t = text + m1; - et = text + n; + t = text + m1; + et = text + n; /* Handle 1 Byte patterns - it's a faster loop */ if( !m1 ) { if( !px->nocase ) { - for( ;tnocase ) - { + { /* Handle MultiByte Patterns */ while( t < et ) { /* Scan Loop - Bad Character Shift */ - do + do { t += bcShift[*t]; if( t >= et )return 0;; - t += (k=bcShift[*t]); + t += (k=bcShift[*t]); if( t >= et )return 0; } while( k ); @@ -201,21 +204,21 @@ NoMatch: t++; } - + } else /* NoCase - convert input string to upper case as we process it */ { - + /* Handle MultiByte Patterns */ while( t < et ) { /* Scan Loop - Bad Character Shift */ - do + do { t += bcShift[toupper(*t)]; if( t >= et )return 0;; - t += (k=bcShift[toupper(*t)]); + t += (k=bcShift[toupper(*t)]); if( t >= et )return 0; } while( k ); @@ -243,7 +246,7 @@ } } - + return 0; } diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_engine/bmh.h snort-2.9.2/src/dynamic-plugins/sf_engine/bmh.h --- snort-2.8.5.2/src/dynamic-plugins/sf_engine/bmh.h 2009-01-26 16:26:09.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/bmh.h 2011-02-09 23:23:10.000000000 +0000 @@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Marc Norton * diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_engine/examples/Makefile.in snort-2.9.2/src/dynamic-plugins/sf_engine/examples/Makefile.in --- snort-2.8.5.2/src/dynamic-plugins/sf_engine/examples/Makefile.in 2009-10-19 21:17:59.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/examples/Makefile.in 2011-12-07 19:23:18.000000000 +0000 
@@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -15,8 +16,9 @@ @SET_MAKE@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c @@ -41,6 +43,7 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = depcomp = am__depfiles_maybe = SOURCES = @@ -55,31 +58,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ 
@@ -92,12 +95,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ @@ -105,20 +114,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -150,6 +166,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -162,6 +179,7 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies 
@@ -176,14 +194,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-plugins/sf_engine/examples/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/dynamic-plugins/sf_engine/examples/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-plugins/sf_engine/examples/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-plugins/sf_engine/examples/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -201,6 +219,7 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): mostlyclean-libtool: -rm -f *.lo @@ -230,13 +249,17 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done 
@@ -264,6 +287,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -282,6 +306,8 @@ html: html-am +html-am: + info: info-am info-am: @@ -290,18 +316,28 @@ install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am @@ -335,6 +371,7 @@ maintainer-clean-generic mostlyclean mostlyclean-generic \ mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.c snort-2.9.2/src/dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.c --- snort-2.8.5.2/src/dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.c 2006-01-23 20:55:22.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.c 2011-06-08 00:33:11.000000000 +0000 
@@ -1,4 +1,28 @@ +/**************************************************************************** + * + * Copyright (C) 2005-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif +#include "sf_dynamic_define.h" #include "sf_snort_plugin_api.h" #include "sf_dynamic_meta.h" #include "detection_lib_meta.h" @@ -8,12 +32,12 @@ extern Rule *rules[]; -DETECTION_LINKAGE int InitializeDetection() +DETECTION_LINKAGE int InitializeDetection(void) { return RegisterRules(rules); } -DETECTION_LINKAGE int DumpSkeletonRules() +DETECTION_LINKAGE int DumpSkeletonRules(void) { return DumpRules(DETECTION_LIB_NAME, rules); } diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.h snort-2.9.2/src/dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.h --- snort-2.8.5.2/src/dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.h 2006-01-23 20:55:22.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.h 2011-02-09 23:23:11.000000000 +0000 
@@ -1,15 +1,36 @@ +/**************************************************************************** + * + * Copyright (C) 2005-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ #ifndef SFSNORT_DYNAMIC_DETECTION_LIB_H_ #define SFSNORT_DYNAMIC_DETECTION_LIB_H_ #ifdef WIN32 #ifdef SF_SNORT_DETECTION_DLL -#define DETECTION_LINKAGE __declspec(dllexport) +#define BUILDING_SO +#define DETECTION_LINKAGE SO_PUBLIC #else -#define DETECTION_LINKAGE __declspec(dllimport) +#define DETECTION_LINKAGE #endif #else /* WIN32 */ -#define DETECTION_LINKAGE -#endif /* WIN32 */ +#define DETECTION_LINKAGE SO_PUBLIC +#endif #endif /* SFSNORT_DYNAMIC_DETECTION_LIB_H_ */ diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_engine/Makefile.am snort-2.9.2/src/dynamic-plugins/sf_engine/Makefile.am --- snort-2.8.5.2/src/dynamic-plugins/sf_engine/Makefile.am 2009-05-06 22:28:43.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/Makefile.am 2011-06-08 00:33:11.000000000 +0000 @@ -7,7 +7,7 @@ libdir = ${exec_prefix}/lib/snort_dynamicengine -libsf_engine_la_LDFLAGS = -module +libsf_engine_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ BUILT_SOURCES = \ sfhashfcn.c \ 
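Review bot: `#define BUILDING_SO` is placed inside this header, but sfsnort_dynamic_detection_lib.c includes `sf_dynamic_define.h` and `sf_snort_plugin_api.h` first; if `SO_PUBLIC` is selected by an `#ifdef BUILDING_SO` at the point where it is itself defined, this late definition has no effect on the WIN32 export, and `BUILDING_SO` must come from the compiler command line or the top of the .c instead. On the non-WIN32 branch `DETECTION_LINKAGE` now expands to `SO_PUBLIC`, yet this header includes nothing, so it compiles only when the including file has already pulled in the definition; either include the header that defines `SO_PUBLIC` here or state the ordering requirement in a comment. The `/* WIN32 */` tag was dropped from the closing `#endif`; restoring `#endif /* WIN32 */` keeps the nested conditionals readable.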
@@ -19,8 +19,9 @@ ipv6_port.h \ sf_ip.c \ sf_ip.h \ -debug.h \ -sf_types.h +snort_debug.h \ +sf_types.h \ +sf_protocols.h nodist_libsf_engine_la_SOURCES = \ sfhashfcn.c \ @@ -32,13 +33,15 @@ ipv6_port.h \ sf_ip.c \ sf_ip.h \ -debug.h \ -sf_types.h +snort_debug.h \ +sf_types.h \ +sf_protocols.h libsf_engine_la_SOURCES = \ bmh.c \ bmh.h \ sf_snort_detection_engine.c \ +sf_snort_detection_engine.h \ sf_snort_packet.h \ sf_snort_plugin_api.c \ sf_snort_plugin_api.h \ @@ -47,7 +50,9 @@ sf_snort_plugin_hdropts.c \ sf_snort_plugin_loop.c \ sf_snort_plugin_pcre.c \ -sf_snort_plugin_rc4.c +sf_snort_plugin_rc4.c \ +sf_decompression.c \ +sf_decompression.h copy_files = \ if test -f $$dst_file; then \ @@ -126,7 +131,7 @@ $(sed_ipv6_headers); \ fi -ipv6_port.h: ../../ipv6_port.h +ipv6_port.h: ../../ipv6_port.h @src_header=$?; dst_header=$@; $(massage_ipv6_headers) sf_ip.h: ../../sfutil/sf_ip.h @@ -135,7 +140,7 @@ sf_ip.c: ../../sfutil/sf_ip.c @src_file=$?; dst_file=$@; $(copy_files) -debug.h: ../../debug.h +snort_debug.h: ../../snort_debug.h @src_file=$?; dst_file=$@; $(copy_debug_header) sfghash.h: ../../sfutil/sfghash.h 
@@ -159,7 +164,10 @@ sf_types.h: ../../sf_types.h @src_file=$?; dst_file=$@; $(copy_files) +sf_protocols.h: ../../sf_protocols.h + @src_file=$?; dst_file=$@; $(copy_files) + SUBDIRS = examples clean-local: - rm -rf sfhashfcn.c sfhashfcn.c.new sfghash.c sfprimetable.c sf_ip.c sf_ip.h ipv6_port.h debug.h debug.h.new sfprimetable.h sfghash.h ipv6_port.h.new sfhashfcn.h sf_types.h + rm -rf sfhashfcn.c sfhashfcn.c.new sfghash.c sfprimetable.c sf_ip.c sf_ip.h ipv6_port.h snort_debug.h snort_debug.h.new sfprimetable.h sfghash.h ipv6_port.h.new sfhashfcn.h sf_types.h sf_protocols.h diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_engine/Makefile.in snort-2.9.2/src/dynamic-plugins/sf_engine/Makefile.in --- snort-2.8.5.2/src/dynamic-plugins/sf_engine/Makefile.in 2009-10-19 21:17:59.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/Makefile.in 2011-12-07 19:23:18.000000000 +0000 @@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -16,8 +17,9 @@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c 
@@ -42,21 +44,36 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; -am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(libdir)" -libLTLIBRARIES_INSTALL = $(INSTALL) LTLIBRARIES = $(lib_LTLIBRARIES) libsf_engine_la_LIBADD = am_libsf_engine_la_OBJECTS = bmh.lo sf_snort_detection_engine.lo \ sf_snort_plugin_api.lo sf_snort_plugin_byte.lo \ sf_snort_plugin_content.lo sf_snort_plugin_hdropts.lo \ sf_snort_plugin_loop.lo sf_snort_plugin_pcre.lo \ - sf_snort_plugin_rc4.lo + sf_snort_plugin_rc4.lo sf_decompression.lo nodist_libsf_engine_la_OBJECTS = sfhashfcn.lo sfghash.lo \ sfprimetable.lo sf_ip.lo libsf_engine_la_OBJECTS = $(am_libsf_engine_la_OBJECTS) \ 
@@ -64,7 +81,7 @@ libsf_engine_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(libsf_engine_la_LDFLAGS) $(LDFLAGS) -o $@ -DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = am__depfiles_maybe = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ @@ -87,10 +104,38 @@ ps-recursive uninstall-recursive RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive +AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \ + $(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \ + distdir ETAGS = etags CTAGS = ctags DIST_SUBDIRS = $(SUBDIRS) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +am__relativize = \ + dir0=`pwd`; \ + sed_first='s,^\([^/]*\)/.*$$,\1,'; \ + sed_rest='s,^[^/]*/*,,'; \ + sed_last='s,^.*/\([^/]*\)$$,\1,'; \ + sed_butlast='s,/*[^/]*$$,,'; \ + while test -n "$$dir1"; do \ + first=`echo "$$dir1" | sed -e "$$sed_first"`; \ + if test "$$first" != "."; then \ + if test "$$first" = ".."; then \ + dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ + dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ + else \ + first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ + if test "$$first2" = "$$first"; then \ + dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ + else \ + dir2="../$$dir2"; \ + fi; \ + dir0="$$dir0"/"$$first"; \ + fi; \ + fi; \ + dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ + done; \ + reldir="$$dir2" ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AR = @AR@ 
@@ -100,31 +145,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ @@ -137,12 +182,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -150,20 +201,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -195,6 +253,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -207,11 +266,12 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies lib_LTLIBRARIES = libsf_engine.la -libsf_engine_la_LDFLAGS = -module +libsf_engine_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ BUILT_SOURCES = \ sfhashfcn.c \ sfhashfcn.h \ @@ -222,8 +282,9 @@ ipv6_port.h \ sf_ip.c \ sf_ip.h \ -debug.h \ -sf_types.h +snort_debug.h \ +sf_types.h \ +sf_protocols.h nodist_libsf_engine_la_SOURCES = \ sfhashfcn.c \ @@ -235,13 +296,15 @@ ipv6_port.h \ sf_ip.c \ sf_ip.h \ -debug.h \ -sf_types.h +snort_debug.h \ +sf_types.h \ +sf_protocols.h libsf_engine_la_SOURCES = \ bmh.c \ bmh.h \ sf_snort_detection_engine.c \ +sf_snort_detection_engine.h \ sf_snort_packet.h \ sf_snort_plugin_api.c \ sf_snort_plugin_api.h \ 
@@ -250,7 +313,9 @@ sf_snort_plugin_hdropts.c \ sf_snort_plugin_loop.c \ sf_snort_plugin_pcre.c \ -sf_snort_plugin_rc4.c +sf_snort_plugin_rc4.c \ +sf_decompression.c \ +sf_decompression.h copy_files = \ if test -f $$dst_file; then \ @@ -339,14 +404,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-plugins/sf_engine/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/dynamic-plugins/sf_engine/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-plugins/sf_engine/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-plugins/sf_engine/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ 
@@ -364,23 +429,28 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): install-libLTLIBRARIES: $(lib_LTLIBRARIES) @$(NORMAL_INSTALL) test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ if test -f $$p; then \ - f=$(am__strip_dir) \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \ + list2="$$list2 $$p"; \ else :; fi; \ - done + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } uninstall-libLTLIBRARIES: @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p=$(am__strip_dir) \ - echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \ - $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \ + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ done clean-libLTLIBRARIES: 
@@ -422,7 +492,7 @@ # (which will cause the Makefiles to be regenerated when you run `make'); # (2) otherwise, pass the desired values on the `make' command line. $(RECURSIVE_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ @@ -439,7 +509,7 @@ else \ local_target="$$target"; \ fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done; \ if test "$$dot_seen" = "no"; then \ @@ -447,7 +517,7 @@ fi; test -z "$$fail" $(RECURSIVE_CLEAN_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ @@ -473,16 +543,16 @@ else \ local_target="$$target"; \ fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done && test -z "$$fail" tags-recursive: list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ + test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ done ctags-recursive: list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ + test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ done ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) 
@@ -490,14 +560,14 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ include_option=--etags-include; \ 
@@ -509,39 +579,43 @@ list='$(SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test ! -f $$subdir/TAGS || \ - tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \ + set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ fi; \ done; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags 
@@ -562,29 +636,44 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done - list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test -d "$(distdir)/$$subdir" \ || $(MKDIR_P) "$(distdir)/$$subdir" \ || exit 1; \ - distdir=`$(am__cd) $(distdir) && pwd`; \ - top_distdir=`$(am__cd) $(top_distdir) && pwd`; \ - (cd $$subdir && \ + fi; \ + done + @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ + $(am__relativize); \ + new_distdir=$$reldir; \ + dir1=$$subdir; dir2="$(top_distdir)"; \ + $(am__relativize); \ + new_top_distdir=$$reldir; \ + echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ + echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ + ($(am__cd) $$subdir && \ $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$$top_distdir" \ - distdir="$$distdir/$$subdir" \ + top_distdir="$$new_top_distdir" \ + distdir="$$new_distdir" \ am__remove_distdir=: \ am__skip_length_check=: \ + am__skip_mode_fix=: \ distdir) \ || exit 1; \ fi; \ 
@@ -619,6 +708,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -640,6 +730,8 @@ html: html-recursive +html-am: + info: info-recursive info-am: @@ -648,18 +740,28 @@ install-dvi: install-dvi-recursive +install-dvi-am: + install-exec-am: install-libLTLIBRARIES install-html: install-html-recursive +install-html-am: + install-info: install-info-recursive +install-info-am: + install-man: install-pdf: install-pdf-recursive +install-pdf-am: + install-ps: install-ps-recursive +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-recursive @@ -681,8 +783,9 @@ uninstall-am: uninstall-libLTLIBRARIES -.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \ - install-strip +.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) all check \ + ctags-recursive install install-am install-strip \ + tags-recursive .PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \ all all-am check check-am clean clean-generic \ @@ -701,7 +804,7 @@ uninstall-libLTLIBRARIES -ipv6_port.h: ../../ipv6_port.h +ipv6_port.h: ../../ipv6_port.h @src_header=$?; dst_header=$@; $(massage_ipv6_headers) sf_ip.h: ../../sfutil/sf_ip.h @@ -710,7 +813,7 @@ sf_ip.c: ../../sfutil/sf_ip.c @src_file=$?; dst_file=$@; $(copy_files) -debug.h: ../../debug.h +snort_debug.h: ../../snort_debug.h @src_file=$?; dst_file=$@; $(copy_debug_header) sfghash.h: ../../sfutil/sfghash.h 
@@ -734,8 +837,12 @@ sf_types.h: ../../sf_types.h @src_file=$?; dst_file=$@; $(copy_files) +sf_protocols.h: ../../sf_protocols.h + @src_file=$?; dst_file=$@; $(copy_files) + clean-local: - rm -rf sfhashfcn.c sfhashfcn.c.new sfghash.c sfprimetable.c sf_ip.c sf_ip.h ipv6_port.h debug.h debug.h.new sfprimetable.h sfghash.h ipv6_port.h.new sfhashfcn.h sf_types.h + rm -rf sfhashfcn.c sfhashfcn.c.new sfghash.c sfprimetable.c sf_ip.c sf_ip.h ipv6_port.h snort_debug.h snort_debug.h.new sfprimetable.h sfghash.h ipv6_port.h.new sfhashfcn.h sf_types.h sf_protocols.h + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_engine/sf_decompression.c snort-2.9.2/src/dynamic-plugins/sf_engine/sf_decompression.c --- snort-2.8.5.2/src/dynamic-plugins/sf_engine/sf_decompression.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/sf_decompression.c 2011-10-26 18:28:52.000000000 +0000 
@@ -0,0 +1,393 @@
+/*
+ * sf_decompression.c
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) 2011 Sourcefire, Inc.
+ *
+ * Author: Ryan Jordan
+ *
+ * Date: 3/8/2011
+ *
+ * Implementation of Decompression API for Snort Plugins.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#ifdef DECOMPRESS_UNIT_TEST
+#include
+#include
+#include
+#include
+
+#include "sf_decompression.h"
+#else
+#include
+
+#include "sf_snort_plugin_api.h"
+#include "sf_decompression.h"
+#include "sf_types.h"
+#endif /* DECOMPRESS_UNIT_TEST */
+
+/* Implementation-Specific Defines */
+#define DEFLATE_RAW_WBITS -15
+#define DEFLATE_ZLIB_WBITS 15
+#define GZIP_ZLIB_WBITS 31
+
+/* Decompression state is defined here so that
+ dynamic plugins don't access it directly.
*/
+typedef struct decompress_state
+{
+ compression_type_t type;
+ uint32_t flags;
+ void *lib_info;
+ int lib_return;
+ bool deflate_initialized;
+} decompress_state_t;
+
+/* Decompression state flags */
+#define SNORT_ZLIB_INIT_NEEDED 0x00000001
+
+/* Zlib-specific init function */
+static inline decompress_state_t * SnortDecompressInitZlib(compression_type_t type)
+{
+ decompress_state_t *state = calloc(1, sizeof(decompress_state_t) );
+ z_stream *zlib_stream = calloc(1, sizeof(z_stream) );
+
+ if (state == NULL || zlib_stream == NULL)
+ DynamicEngineFatalMessage("Unable to allocate memory in SnortDecompressInitZlib()\n");
+
+ /* Setup Zlib memory management callbacks */
+ zlib_stream->zalloc = NULL;
+ zlib_stream->zfree = NULL;
+ zlib_stream->opaque = NULL;
+
+ /* Fill out state object */
+ state->type = type;
+ state->lib_info = (void *) zlib_stream;
+
+ /* Can't call inflateInit() until there's some data */
+ state->flags |= SNORT_ZLIB_INIT_NEEDED;
+
+ return state;
+}
+
+/* Zlib-specific Destroy function */
+static inline int SnortDecompressDestroyZlib(decompress_state_t *state)
+{
+ z_streamp zlib_stream = (z_streamp) state->lib_info;
+ int ret;
+
+ if (zlib_stream == NULL)
+ return SNORT_DECOMPRESS_BAD_ARGUMENT;
+
+ ret = inflateEnd(zlib_stream);
+
+ free(zlib_stream);
+ free(state);
+
+ if (ret == Z_OK)
+ return SNORT_DECOMPRESS_OK;
+
+ /* XXX: Only other possibility is Z_STREAM_ERROR.
+ Can't set state->lib_ret because we just freed the state. */
+ return SNORT_DECOMPRESS_ERROR;
+}
+
+/* Zlib-specific Decompression function. */
+static inline int SnortDecompressZlib(decompress_state_t *state, uint8_t *input, uint32_t input_len,
+ uint8_t *output, uint32_t output_bufsize, uint32_t *output_len)
+{
+ z_streamp zlib_stream = (z_streamp) state->lib_info;
+ int zlib_ret;
+ int snort_ret = SNORT_DECOMPRESS_OK;
+
+ if (zlib_stream == NULL)
+ return SNORT_DECOMPRESS_BAD_ARGUMENT; // Uninitialized state object.
+
+ /* The call to inflateInit() requires some data to be provided.
+ That's why the call isn't done in SnortDecompressInit(). */
+ if (state->flags & SNORT_ZLIB_INIT_NEEDED)
+ {
+ if (input == NULL)
+ return SNORT_DECOMPRESS_BAD_ARGUMENT;
+
+ zlib_stream->next_in = input;
+ zlib_stream->avail_in = input_len;
+
+ /* Deflate can be either raw or with a zlib header so we'll
+ * just use the normal inflateInit and if inflate fails, add
+ * a dummy zlib header. Just like Chrome and Firefox do.
+ * gzip decompression requires adding 16 to zlibs MAX_WBITS
+ */
+ if (state->type == COMPRESSION_TYPE_DEFLATE)
+ zlib_ret = inflateInit(zlib_stream);
+ else
+ zlib_ret = inflateInit2(zlib_stream, GZIP_ZLIB_WBITS);
+ state->lib_return = zlib_ret;
+
+ state->flags &= ~SNORT_ZLIB_INIT_NEEDED;
+ }
+ /* If input is NULL, just continue decompressing from the last spot.
+ This is how a caller would handle truncated output. */
+ else if (input)
+ {
+ zlib_stream->next_in = input;
+ zlib_stream->avail_in = input_len;
+ }
+
+ zlib_stream->next_out = output;
+ zlib_stream->avail_out = output_bufsize;
+
+ while (zlib_stream->avail_in > 0 && zlib_stream->avail_out > 0)
+ {
+ zlib_ret = inflate(zlib_stream, Z_SYNC_FLUSH);
+
+ if ((zlib_ret == Z_DATA_ERROR)
+ && (state->type == COMPRESSION_TYPE_DEFLATE)
+ && (!state->deflate_initialized))
+ {
+ /* Might not have zlib header - add one */
+ static char zlib_header[2] = { 0x78, 0x01 };
+
+ inflateReset(zlib_stream);
+ zlib_stream->next_in = (Bytef *)zlib_header;
+ zlib_stream->avail_in = sizeof(zlib_header);
+
+ zlib_ret = inflate(zlib_stream, Z_SYNC_FLUSH);
+ state->deflate_initialized = true;
+
+ if (input)
+ {
+ zlib_stream->next_in = input;
+ zlib_stream->avail_in = input_len;
+ }
+ }
+
+ state->lib_return = zlib_ret;
+
+ if (zlib_ret == Z_STREAM_END)
+ break; // Not an error, just hit the end of compressed data.
+
+ if (zlib_ret != Z_OK)
+ {
+ snort_ret = SNORT_DECOMPRESS_BAD_DATA;
+ break;
+ }
+ }
+
+ if ((zlib_stream->avail_in > 0 && zlib_stream->avail_out == 0) &&
+ (snort_ret != SNORT_DECOMPRESS_BAD_DATA))
+ {
+ snort_ret = SNORT_DECOMPRESS_OUTPUT_TRUNC;
+ }
+
+ *output_len = output_bufsize - zlib_stream->avail_out;
+
+ return snort_ret;
+}
+
+/* This function initializes a Decompression API state object.
+ It must be called first when using decompression.
+
+ Arguments: type => Type of decompression to use (gzip, deflate)
+ Returns: void pointer to decompression state object
+*/
+ENGINE_LINKAGE void * SnortDecompressInit(compression_type_t type)
+{
+ decompress_state_t *state = NULL;
+
+ switch (type)
+ {
+ case COMPRESSION_TYPE_DEFLATE:
+ case COMPRESSION_TYPE_GZIP:
+ state = SnortDecompressInitZlib(type);
+ break;
+ case COMPRESSION_TYPE_MAX:
+ default:
+ /* invalid type... */
+ return NULL;
+ }
+
+ return (void *) state;
+}
+
+/* This function destroys a Decompression API state object.
+
+ Arguments: void *s => state object allocated by SnortDecompressInit().
+ Returns: SNORT_DECOMPRESS_OK on success, negative on error.
+*/
+ENGINE_LINKAGE int SnortDecompressDestroy(void *s)
+{
+ decompress_state_t *state = s;
+
+ if (state == NULL)
+ return SNORT_DECOMPRESS_BAD_ARGUMENT;
+
+ switch (state->type)
+ {
+ case COMPRESSION_TYPE_DEFLATE:
+ case COMPRESSION_TYPE_GZIP:
+ return SnortDecompressDestroyZlib(state);
+ case COMPRESSION_TYPE_MAX:
+ default:
+ break;
+ }
+
+ /* Bad type. Was this constructed outside of SnortDecompressInit()? */
+ return SNORT_DECOMPRESS_BAD_ARGUMENT;
+}
+
+/* This is the function that decompresses data.
+
+ Arguments:
+ void *state => pointer to state object allocated by SnortDecompressInit().
+ uint8_t *input => pointer to buffer that stores compressed data.
+ pass NULL to continue decompressing the previous input.
+ uint32_t input_len => length of input to decompress.
+ ignored if "input" is set to NULL.
+ uint8_t *output => pointer to buffer where decompressed output will be stored.
+ uint32_t output_bufsize => available space in output buffer.
+ uint32_t *output_len => gets set to the actual amount of output generated.
+ Returns:
+ SNORT_DECOMPRESS_OK: success
+ SNORT_DECOMPRESS_BAD_ARGUMENT: Bad arguments passed in. Could be null pointers,
+ uninitialized state objects.
+ SNORT_DECOMPRESS_BAD_DATA: Error decompressing the data. Could be corrupted
+ input, or the wrong compression type was set.
+ SNORT_DECOMPRESS_OUTPUT_TRUNC: Decompression was successful, but the output
+ buffer filled up. Call SnortDecompress() again
+ with NULL input after consuming the output.
+*/
+ENGINE_LINKAGE int SnortDecompress(void *state, uint8_t *input, uint32_t input_len,
+ uint8_t *output, uint32_t output_bufsize, uint32_t *output_len)
+{
+ decompress_state_t *internal_state;
+
+ /* NULL "input" ptr is OK, it signals that we should continue decompressing the
+ last input. The caller should have consumed output and made more space. */
+ if (state == NULL || output == NULL || output_len == NULL)
+ return SNORT_DECOMPRESS_BAD_ARGUMENT;
+
+ internal_state = (decompress_state_t *) state;
+
+ switch (internal_state->type)
+ {
+ case COMPRESSION_TYPE_DEFLATE:
+ case COMPRESSION_TYPE_GZIP:
+ return SnortDecompressZlib(internal_state, input, input_len,
+ output, output_bufsize, output_len);
+ case COMPRESSION_TYPE_MAX:
+ default:
+ break;
+ }
+
+ return SNORT_DECOMPRESS_BAD_ARGUMENT;
+}
+
+
+
+/* This section is a unit test meant to independently test the Decompression API.
+ Compile like so:
+ gcc -DDECOMPRESS_UNIT_TEST sf_decompression.c -o decompression_unit_test -lz
+ */
+#ifdef DECOMPRESS_UNIT_TEST
+/* Driver program uses the Snort decompression API to read from a file and
+ spew decompressed data to stdout.
*/
+int main (int argc, char *argv[])
+{
+ FILE *input;
+ void *zlib_state;
+
+ uint8_t input_buffer[1024];
+ uint8_t output_buffer[1024];
+ size_t bytes_read;
+ compression_type_t type;
+
+ if (argc != 3)
+ {
+ fprintf(stderr, "Usage: %s \n", argv[0]);
+ exit(-1);
+ }
+
+ input = fopen(argv[1], "r");
+
+ if (strcmp(argv[2], "deflate"))
+ type = COMPRESSION_TYPE_DEFLATE;
+ else if (strcmp(argv[2], "gzip"))
+ type = COMPRESSION_TYPE_GZIP;
+ else
+ {
+ fprintf(stderr, "Invalid compression type: %s. Valid values are "
+ "\"deflate\" and \"gzip\".\n", argv[2]);
+ exit(1);
+ }
+
+ /* Step 1: Init */
+ zlib_state = SnortDecompressInit( type );
+ if (zlib_state == NULL)
+ {
+ fprintf(stderr, "Some bad stuff happened and SnortInit() returned NULL.\n");
+ exit(-1);
+ }
+
+ /* Step 2: Iterate over your input and call SnortDecompress */
+ bytes_read = fread(input_buffer, 1, sizeof(input_buffer), input);
+ while (bytes_read > 0)
+ {
+ uint32_t output_bufsize = sizeof(output_buffer);
+ uint32_t output_len;
+ int ret;
+
+ ret = SnortDecompress(zlib_state, input_buffer, bytes_read,
+ output_buffer, output_bufsize, &output_len);
+
+ fwrite(output_buffer, 1, output_len, stdout);
+
+ while (ret == SNORT_DECOMPRESS_OUTPUT_TRUNC)
+ {
+ /* Subsequent calls use NULL to signify that we want to continue
+ decompressing the last input. */
+ ret = SnortDecompress(zlib_state, NULL, 0, output_buffer, output_bufsize, &output_len);
+ fwrite(output_buffer, 1, output_len, stdout);
+ }
+
+ /* Handle your return codes */
+ switch(ret)
+ {
+ case SNORT_DECOMPRESS_BAD_DATA:
+ fprintf(stderr, "SnortDecompress() returned BAD_DATA!\n");
+ break;
+ case SNORT_DECOMPRESS_BAD_ARGUMENT:
+ fprintf(stderr, "SnortDecompress() returned BAD_ARGUMENT!\n");
+ break;
+ }
+
+ /* Get more data! */
+ bytes_read = fread(input_buffer, 1, sizeof(input_buffer), input);
+ }
+
+ /* Step 3: Destroy!
*/
+SnortDecompressDestroy(zlib_state);
+ fclose(input);
+
+ return 0;
+}
+
+#endif /* DECOMPRESS_UNIT_TEST */
diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_engine/sf_decompression.h snort-2.9.2/src/dynamic-plugins/sf_engine/sf_decompression.h
--- snort-2.8.5.2/src/dynamic-plugins/sf_engine/sf_decompression.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-plugins/sf_engine/sf_decompression.h 2011-10-26 14:49:57.000000000 +0000
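Review bot: The truncation check at the end of SnortDecompressZlib, `if ((zlib_stream->avail_in > 0 && zlib_stream->avail_out == 0) && ...)`, only reports OUTPUT_TRUNC when unconsumed input remains, but inflate() can fill the output buffer and consume all of its input while still holding decoded bytes internally (the zlib manual says to call inflate() again whenever it returned with avail_out == 0), and in that case this function returns OK. The caller then has no reason to re-call with NULL input, and even if it did the `while (zlib_stream->avail_in > 0 && zlib_stream->avail_out > 0)` guard would skip inflate() entirely, so the tail of the decompressed stream is silently dropped whenever the last input chunk fills the output buffer exactly — for an IDS decompressor that is an evasion path, not just data loss. I would run inflate() at least once per call, treat Z_BUF_ERROR as "needs more input" rather than BAD_DATA, and derive OUTPUT_TRUNC from avail_out alone, as sketched below; `zlib_ret` also needs an initializer once it is read after the loop. Separately, in the unit-test driver `if (strcmp(argv[2], "deflate"))` and the following `gzip` test are inverted (strcmp returns 0 on a match), so "deflate" selects COMPRESSION_TYPE_GZIP, "gzip" selects DEFLATE and any other string silently selects DEFLATE; they should read `if (strcmp(argv[2], "deflate") == 0)` / `else if (strcmp(argv[2], "gzip") == 0)`, and the `fopen()` result should be checked before the first `fread()`.
```c
    int zlib_ret = Z_OK;
    /* … unchanged: lib_info check, inflateInit / next_in setup … */
    zlib_stream->next_out = output;
    zlib_stream->avail_out = output_bufsize;

    /* Always call inflate() at least once: zlib may still hold decoded
     * output internally when avail_in is 0, and a NULL-input continuation
     * call has to be able to drain it. */
    do
    {
        zlib_ret = inflate(zlib_stream, Z_SYNC_FLUSH);
        /* … unchanged: missing-zlib-header retry for DEFLATE … */
        state->lib_return = zlib_ret;

        if (zlib_ret == Z_STREAM_END)
            break;  /* end of compressed data, not an error */

        if (zlib_ret == Z_BUF_ERROR)
            break;  /* no progress possible without more input; not an error */

        if (zlib_ret != Z_OK)
        {
            snort_ret = SNORT_DECOMPRESS_BAD_DATA;
            break;
        }
    } while (zlib_stream->avail_in > 0 && zlib_stream->avail_out > 0);

    /* Output buffer filled and the stream has not ended: more may be pending. */
    if ((snort_ret == SNORT_DECOMPRESS_OK) && (zlib_ret != Z_STREAM_END) &&
        (zlib_stream->avail_out == 0))
    {
        snort_ret = SNORT_DECOMPRESS_OUTPUT_TRUNC;
    }
    /* … unchanged: *output_len assignment and return … */
```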
@@ -0,0 +1,93 @@
+/*
+ * sf_decompression.h
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) 2011 Sourcefire, Inc.
+ *
+ * Author: Ryan Jordan
+ *
+ * Date: 3/8/2011
+ *
+ * Decompression API for Snort Plugins.
+ *
+ */
+
+#ifndef SF_DECOMPRESSION_H
+#define SF_DECOMPRESSION_H
+
+#include
+#include "sf_snort_plugin_api.h"
+
+/* Types */
+typedef enum compression_type
+{
+ COMPRESSION_TYPE_DEFLATE = 1,
+ COMPRESSION_TYPE_GZIP,
+ COMPRESSION_TYPE_MAX
+} compression_type_t;
+
+/* Return Codes */
+#define SNORT_DECOMPRESS_OK 0
+#define SNORT_DECOMPRESS_OUTPUT_TRUNC 1
+#define SNORT_DECOMPRESS_BAD_ARGUMENT (-1)
+#define SNORT_DECOMPRESS_BAD_DATA (-2)
+#define SNORT_DECOMPRESS_ERROR (-3)
+
+
+/* API Functions */
+
+/* This function initializes a Decompression API state object.
+ It must be called first when using decompression.
+
+ Arguments: type => Type of decompression to use (gzip, deflate)
+ Returns: void pointer to decompression state object
+*/
+ENGINE_LINKAGE void * SnortDecompressInit(compression_type_t type);
+
+/* This function destroys a Decompression API state object.
+
+ Arguments: void *s => state object allocated by SnortDecompressInit().
+ Returns: SNORT_DECOMPRESS_OK on success, negative on error.
+*/ +ENGINE_LINKAGE int SnortDecompressDestroy(void *state); + +/* This is the function that decompresses data. + + Arguments: + void *state => pointer to state object allocated by SnortDecompressInit(). + uint8_t *input => pointer to buffer that stores compressed data. + pass NULL to continue decompressing the previous input. + uint32_t input_len => length of input to decompress. + ignored if "input" is set to NULL. + uint8_t *output => pointer to buffer where decompressed output will be stored. + uint32_t output_bufsize => available space in output buffer. + uint32_t *output_len => gets set to the actual amount of output generated. + Returns: + SNORT_DECOMPRESS_OK: success + SNORT_DECOMPRESS_BAD_ARGUMENT: Bad arguments passed in. Could be null pointers, + uninitialized state objects. + SNORT_DECOMPRESS_BAD_DATA: Error decompressing the data. Could be corrupted + input, or the wrong compression type was set. + SNORT_DECOMPRESS_OUTPUT_TRUNC: Decompression was successful, but the output + buffer filled up. Call SnortDecompress() again + with NULL input after consuming the output. +*/ +ENGINE_LINKAGE int SnortDecompress(void *state, uint8_t *input, uint32_t input_len, + uint8_t *output, uint32_t output_bufsize, uint32_t *output_len); + + +#endif /* SF_DECOMPRESSION_H */ diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c --- snort-2.8.5.2/src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c 2009-10-12 16:39:08.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c 2011-11-21 20:15:24.000000000 +0000 @@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steve Sturges * Andy Mullican 
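Review bot: The `SnortDecompress` comment documents `pass NULL to continue decompressing the previous input` but not the buffer-lifetime rule that implies: the implementation in this same patch leaves zlib's `next_in` pointing into the caller's last `input` buffer and only replaces it when a non-NULL input is supplied, so a NULL continuation reads from that earlier buffer again. A plugin that reuses or frees its input buffer between the OUTPUT_TRUNC return and the continuation call would feed stale or freed memory to inflate(); I would add to the `input` argument line `The buffer passed on the previous call must remain allocated and unmodified while NULL is passed.` It would also help to state next to `SNORT_DECOMPRESS_ERROR` which API call can return it, since the `SnortDecompress` return list omits it while `SnortDecompressDestroy` only promises "negative on error".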
@@ -25,8 +25,9 @@ * * Dyanmic Rule Engine */ + #ifdef HAVE_CONFIG_H -#include +#include "config.h" #endif #include @@ -34,17 +35,20 @@ #include #include #include -#include "debug.h" +#include "sf_types.h" +#include "snort_debug.h" +#include "sf_dynamic_define.h" #include "sf_snort_packet.h" #include "sf_snort_plugin_api.h" #include "sf_dynamic_meta.h" #include "sf_dynamic_engine.h" #include "sfghash.h" #include "bmh.h" +#include "sf_snort_detection_engine.h" #define MAJOR_VERSION 1 -#define MINOR_VERSION 11 -#define BUILD_VERSION 17 +#define MINOR_VERSION 15 +#define BUILD_VERSION 18 #define DETECT_NAME "SF_SNORT_DETECTION_ENGINE" #ifdef WIN32 @@ -77,13 +81,6 @@ exit(1); } -extern int BoyerContentSetup(Rule *rule, ContentInfo *content); -extern int PCRESetup(Rule *rule, PCREInfo *pcreInfo); -extern int ValidateHeaderCheck(Rule *rule, HdrOptCheck *optData); -extern void ContentSetup(void); -extern int ByteExtractInitialize(Rule *rule, ByteExtract *extractData); -extern int LoopInfoInitialize(Rule *rule, LoopInfo *loopInfo); - ENGINE_LINKAGE int InitializeEngine(DynamicEngineData *ded) { int i; @@ -94,7 +91,10 @@ _ded.version = ded->version; _ded.altBuffer = ded->altBuffer; - for (i=0;ialtDetect; + _ded.fileDataBuf = ded->fileDataBuf; + + for (i=0;iuriBuffers[i]; } @@ -111,7 +111,7 @@ _ded.getRuleData = ded->getRuleData; _ded.debugMsg = ded->debugMsg; -#ifdef HAVE_WCHAR_H +#ifdef SF_WCHAR _ded.debugWideMsg = ded->debugWideMsg; #endif _ded.debugMsgFile = ded->debugMsgFile; 
@@ -120,6 +120,17 @@ _ded.pcreStudy = ded->pcreStudy; _ded.pcreCompile = ded->pcreCompile; _ded.pcreExec = ded->pcreExec; + _ded.sfUnfold = ded->sfUnfold; + _ded.sfbase64decode = ded->sfbase64decode; + _ded.GetAltDetect = ded->GetAltDetect; + _ded.SetAltDetect = ded->SetAltDetect; + _ded.Is_DetectFlag = ded->Is_DetectFlag; + _ded.DetectFlag_Disable = ded->DetectFlag_Disable; + + _ded.allocRuleData = ded->allocRuleData; + _ded.freeRuleData = ded->freeRuleData; + + _ded.flowbitUnregister = ded->flowbitUnregister; return 0; } 
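Review bot: The new function pointers (`sfUnfold` through `flowbitUnregister`) are copied out of `ded` without any visible check that the caller's DynamicEngineData has the layout this engine was built against; `ded->version` is stored into `_ded.version` earlier in InitializeEngine, but no comparison against the version constant the engine expects appears in this hunk, so a core built with an older, shorter struct would hand over garbage for the appended fields. If that comparison lives outside the hunk, a comment such as `/* ded->version checked above; the fields below exist only in the current layout */` before the new assignments would make the dependency explicit; otherwise reject a mismatching `ded->version` before the first of these dereferences. InitializeEngine's body begins outside this hunk.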
@@ -207,48 +218,205 @@ return 0; } -static int GetFPContent(void *r, int buf, FPContentInfo** contents, int maxNumContents) +/* These are contents to be used for fast pattern consideration */ +static int GetDynamicContents(void *r, int type, FPContentInfo **contents) { Rule *rule = (Rule *)r; - int i, j = 0; RuleOption *option; - int numContents = 0; + FPContentInfo *tail = NULL; + int i = 0; + int base64_buf_flag = 0; + int mime_buf_flag = 0; - for (i=0,option = rule->options[i];option != NULL; option = rule->options[++i]) + if ((r == NULL) || (contents == NULL)) + return -1; + + *contents = NULL; + + for (i = 0, option = rule->options[i]; + option != NULL; + option = rule->options[++i]) { - if (option->optionType == OPTION_TYPE_CONTENT) + switch(option->optionType) { - if ((option->option_u.content->flags & CONTENT_FAST_PATTERN) && - (((option->option_u.content->flags & (CONTENT_BUF_URI | CONTENT_BUF_POST | CONTENT_BUF_HEADER | CONTENT_BUF_METHOD)) && (buf == FASTPATTERN_URI)) || - (!(option->option_u.content->flags & (CONTENT_BUF_URI | CONTENT_BUF_POST | CONTENT_BUF_HEADER | CONTENT_BUF_METHOD)) && (buf == FASTPATTERN_NORMAL)) )) - { - FPContentInfo *content = (FPContentInfo *)calloc(1, sizeof(FPContentInfo)); - if (content == NULL) + case OPTION_TYPE_CONTENT: + { + FPContentInfo *fp_content; + ContentInfo *content = option->option_u.content; + int flags = content->flags; + + switch (type) + { + case CONTENT_NORMAL: + if (!(flags & NORMAL_CONTENT_BUFS)) + continue; + else if(base64_buf_flag || mime_buf_flag) + continue; + break; + case CONTENT_HTTP: + base64_buf_flag = 0; + mime_buf_flag = 0; + if (!(flags & URI_CONTENT_BUFS) + || (!(flags & URI_FAST_PATTERN_BUFS))) + continue; + break; + default: + break; /* Just get them all */ + } + + fp_content = (FPContentInfo *)calloc(1, sizeof(FPContentInfo)); + if (fp_content == NULL) + DynamicEngineFatalMessage("Failed to allocate memory\n"); + + fp_content->length = content->patternByteFormLength; + fp_content->content 
= (char *)malloc(fp_content->length); + if (fp_content->content == NULL) + DynamicEngineFatalMessage("Failed to allocate memory\n"); + memcpy(fp_content->content, content->patternByteForm, fp_content->length); + fp_content->offset = content->offset; + fp_content->depth = content->depth; + if (content->flags & CONTENT_RELATIVE) + fp_content->is_relative = 1; + if (content->flags & CONTENT_NOCASE) + fp_content->noCaseFlag = 1; + if (content->flags & CONTENT_FAST_PATTERN) + fp_content->fp = 1; + if (content->flags & NOT_FLAG) + fp_content->exception_flag = 1; + if (content->flags & CONTENT_BUF_URI) + fp_content->uri_buffer |= CONTENT_HTTP_URI; + if (content->flags & CONTENT_BUF_HEADER) + fp_content->uri_buffer |= CONTENT_HTTP_HEADER; + if (content->flags & CONTENT_BUF_POST) + fp_content->uri_buffer |= CONTENT_HTTP_CLIENT_BODY; + + /* Fast pattern only and specifying an offset and length are + * technically mutually exclusive - see + * detection-plugins/sp_pattern_match.c */ + if (option->option_u.content->flags & CONTENT_FAST_PATTERN_ONLY) + { + fp_content->fp_only = 1; + } + else + { + fp_content->fp_offset = option->option_u.content->fp_offset; + fp_content->fp_length = option->option_u.content->fp_length; + } + + if (tail == NULL) + *contents = fp_content; + else + tail->next = fp_content; + + tail = fp_content; + } + break; + + case OPTION_TYPE_BASE64_DECODE: + base64_buf_flag =1; + continue; + + case OPTION_TYPE_FILE_DATA: { - DynamicEngineFatalMessage("Failed to allocate memory\n"); + CursorInfo *cursor = option->option_u.cursor; + if (cursor->flags & BUF_FILE_DATA_MIME) + { + mime_buf_flag = 1; + continue; + } } + break; - content->content = (char *)option->option_u.content->patternByteForm; - content->length = option->option_u.content->patternByteFormLength; - content->noCaseFlag = (char)(option->option_u.content->flags & CONTENT_NOCASE); + case OPTION_TYPE_PKT_DATA: + base64_buf_flag = 0; + mime_buf_flag = 0; + continue; + + case OPTION_TYPE_BASE64_DATA: + 
base64_buf_flag =1; + continue; - contents[j++] = content; - numContents++; - } + default: + continue; } - if (numContents >= maxNumContents) + } + + if (*contents == NULL) + return -1; + + return 0; +} + +static int GetDynamicPreprocOptFpContents(void *r, FPContentInfo **fp_contents) +{ + Rule *rule = (Rule *)r; + RuleOption *option; + FPContentInfo *tail = NULL; + int i = 0; + int direction = 0; + + if ((r == NULL) || (fp_contents == NULL)) + return -1; + + *fp_contents = NULL; + + /* Get flow direction */ + for (i = 0, option = rule->options[i]; + option != NULL; + option = rule->options[++i]) + { + if (option->optionType == OPTION_TYPE_FLOWFLAGS) + { + FlowFlags *fflags = option->option_u.flowFlags; + + if (fflags->flags & FLOW_FR_SERVER) + direction = FLAG_FROM_SERVER; + else if (fflags->flags & FLOW_FR_CLIENT) + direction = FLAG_FROM_CLIENT; + break; + } } - - return numContents; + + for (i = 0, option = rule->options[i]; + option != NULL; + option = rule->options[++i]) + { + if (option->optionType == OPTION_TYPE_PREPROCESSOR) + { + PreprocessorOption *preprocOpt = option->option_u.preprocOpt; + + if (preprocOpt->optionFpFunc != NULL) + { + FPContentInfo *tmp; + + if (preprocOpt->optionFpFunc(preprocOpt->dataPtr, + rule->ip.protocol, direction, &tmp) == 0) + { + if (tail == NULL) + *fp_contents = tmp; + else + tail->next = tmp; + + for (; tmp->next != NULL; tmp = tmp->next); + tail = tmp; + } + } + } + } + + if (*fp_contents == NULL) + return -1; + + return 0; } static int DecodeContentPattern(Rule *rule, ContentInfo *content) { int pat_len; - const u_int8_t *pat_begin = content->pattern; - const u_int8_t *pat_idx; - const u_int8_t *pat_end; + const uint8_t *pat_begin = content->pattern; + const uint8_t *pat_idx; + const uint8_t *pat_end; char tmp_buf[2048]; char *raw_idx; char *raw_end; 
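Review bot: In `GetDynamicPreprocOptFpContents` the walk `for (; tmp->next != NULL; tmp = tmp->next);` dereferences `tmp` unconditionally once `optionFpFunc` returns 0, so a callback that reports success with an empty list (`tmp == NULL`) crashes rule registration; declare `FPContentInfo *tmp = NULL;` and guard the linking with `if (preprocOpt->optionFpFunc(...) == 0 && tmp != NULL)`. In `GetDynamicContents`, `malloc(fp_content->length)` for a zero-length pattern may legitimately return NULL and is then reported as an allocation failure, so a zero-length content should be rejected or skipped before the allocation. The copy into `fp_content->content` also changes ownership compared with the old `GetFPContent`, which aliased `patternByteForm`; a comment on the function stating that the caller must free both `content` and the node would help. DecodeContentPattern starts at the end of this hunk and continues beyond it.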
@@ -304,7 +472,7 @@ if(!hex_len || hex_len % 2) { DynamicEngineFatalMessage("Content hexmode argument has invalid " - "number of hex digits for dynamic rule [%d:%d].\n", + "number of hex digits for dynamic rule [%d:%d].\n", rule->info.genID, rule->info.sigID); } @@ -368,8 +536,8 @@ pending--; if(raw_idx < raw_end) - { - tmp_buf[tmp_len] = (u_char) + { + tmp_buf[tmp_len] = (u_char) strtol(hex_encoded, (char **) NULL, 16)&0xFF; tmp_len++; @@ -393,7 +561,7 @@ "binary buffer for dynamic rule [%d:%d]? " "Valid hex values only please! " "(0x0 - 0xF) Position: %d\n", - (char) *pat_idx, (char) *pat_idx, + (char) *pat_idx, (char) *pat_idx, rule->info.genID, rule->info.sigID, char_count); } } @@ -431,7 +599,7 @@ else { DynamicEngineFatalMessage("character value out of range, try a " - "binary buffer for dynamic rule [%d:%d]\n", + "binary buffer for dynamic rule [%d:%d]\n", rule->info.genID, rule->info.sigID); } } @@ -444,9 +612,9 @@ pat_idx++; char_count++; } - + /* Now, tmp_buf contains the decoded ascii & raw binary from the patter */ - content->patternByteForm = (u_int8_t *)calloc(tmp_len, sizeof(u_int8_t)); + content->patternByteForm = (uint8_t *)calloc(tmp_len, sizeof(uint8_t)); if (content->patternByteForm == NULL) { DynamicEngineFatalMessage("Failed to allocate memory\n"); @@ -461,7 +629,7 @@ static unsigned int getNonRepeatingLength(char *data, int data_len) { int i, j; - + j = 0; for ( i = 1; i < data_len; i++ ) { 
@@ -479,15 +647,149 @@ return data_len; } +static int ValidateContentInfo(Rule *rule, ContentInfo *content, int fast_pattern) +{ + char *content_error = "WARNING: Invalid content option in shared " + "object rule: gid:%u, sid:%u : %s. Rule will not be registered.\n"; + + if (content->flags & CONTENT_FAST_PATTERN) + { + /* Can only use fast pattern once in the rule */ + if (fast_pattern) + { + _ded.errMsg(content_error, + rule->info.genID, rule->info.sigID, + "Can only designate one content as a fast " + "pattern content"); + return -1; + } + + /* Can't use fast pattern flag with a relative + * negated content */ + if ((content->flags & NOT_FLAG) + && ((content->flags & CONTENT_RELATIVE) + || (content->offset != 0) || (content->depth != 0))) + { + _ded.errMsg(content_error, + rule->info.genID, rule->info.sigID, + "Can not use a negated and relative or non-zero " + "offset/depth content as a fast pattern content"); + return -1; + } + + if ((content->flags & URI_CONTENT_BUFS) && !(content->flags & URI_FAST_PATTERN_BUFS)) + { + _ded.errMsg(content_error, + rule->info.genID, rule->info.sigID, + "Can not use a cookie content/raw content/status code/status msg content as fast pattern"); + return -1; + } + } + + if (content->flags & CONTENT_FAST_PATTERN_ONLY) + { + /* Warn if both "only" and fast pattern length are used. + * The "only" flag will override */ + if ((content->fp_offset != 0) || (content->fp_length != 0)) + { + _ded.errMsg("WARNING: gid:%u, sid:%u. 
Fast pattern " + "\"only\" flag used in combination with a fast " + "pattern offset,length - honoring \"only\" flag " + "and ignoring fast pattern offset,length.\n", + rule->info.genID, rule->info.sigID); + + /* Don't disable rule */ + content->fp_offset = 0; + content->fp_length = 0; + } + + /* Fast pattern only contents can not be negated */ + if (content->flags & NOT_FLAG) + { + _ded.errMsg(content_error, + rule->info.genID, rule->info.sigID, + "Fast pattern only contents cannot be " + "negated"); + return -1; + } + + /* Fast pattern only contents can not be relative or have an + * offset or depth */ + if ((content->flags & CONTENT_RELATIVE) + || (content->offset != 0) + || (content->depth != 0)) + { + _ded.errMsg(content_error, + rule->info.genID, rule->info.sigID, + "Fast pattern only contents cannot be " + "relative or have non-zero offset/depth " + "content modifiers"); + return -1; + } + } + + /* If not a content fast pattern only and a fast pattern + * length is specified, make sure (offset + length) is + * less than or equal to total pattern length */ + if ((content->fp_offset != 0) || (content->fp_length != 0)) + { + if (content->fp_length == 0) + { + _ded.errMsg(content_error, + rule->info.genID, rule->info.sigID, + "Fast pattern length cannot be zero"); + return -1; + } + + if ((int)content->patternByteFormLength < + (content->fp_offset + content->fp_length)) + { + _ded.errMsg(content_error, + rule->info.genID, rule->info.sigID, + "Fast pattern offset and length cannot be " + "greater than the length of the pattern"); + return -1; + } + } + + /* Depth must not be less than the length of the pattern */ + if ((content->depth != 0) && + (content->depth < content->patternByteFormLength)) + { + _ded.errMsg(content_error, + rule->info.genID, rule->info.sigID, + "Content depth cannot be less than the " + "length of the pattern"); + return -1; + } + + return 0; +} + + + +static int Base64DecodeInitialize(Rule *rule, base64DecodeData *content) +{ + char 
*content_error = "WARNING: Invalid base64decode option in shared " + "object rule: gid:%u, sid:%u : %s. Rule will not be registered.\n"; + + if( content->relative !=0 && content->relative !=1) + { + _ded.errMsg(content_error, + rule->info.genID, rule->info.sigID, + "Base64Decode relative flag needs to 0 or 1"); + } + + return 0; +} + int RegisterOneRule(Rule *rule, int registerRule) { int i; - int fpContentFlags = 0; + int contentFlags = 0; int result; RuleOption *option; - unsigned long longestContent = 0; - int longestContentIndex = -1; - + int fast_pattern = 0; for (i=0;rule->options[i] != NULL; i++) { @@ -506,27 +808,32 @@ content->incrementLength = getNonRepeatingLength((char *)content->patternByteForm, content->patternByteFormLength); - if (!(content->flags & NOT_FLAG)) + /* Content fast pattern only flag implies content fast pattern */ + if (content->flags & CONTENT_FAST_PATTERN_ONLY) + content->flags |= CONTENT_FAST_PATTERN; + + /* For ease of backwards compatibility with so rules that + * need to be compiled with earlier snort versions */ + if (content->fp_only) { - if (content->flags & CONTENT_FAST_PATTERN) - { - if (content->flags & (CONTENT_BUF_URI | CONTENT_BUF_POST | - CONTENT_BUF_HEADER | CONTENT_BUF_METHOD)) - { - fpContentFlags |= FASTPATTERN_URI; - } - else - { - fpContentFlags |= FASTPATTERN_NORMAL; - } - } + content->flags |= CONTENT_FAST_PATTERN; + content->flags |= CONTENT_FAST_PATTERN_ONLY; + } - if (content->patternByteFormLength > longestContent) - { - longestContent = content->patternByteFormLength; - longestContentIndex = i; - } + if (content->flags & URI_CONTENT_BUFS) + contentFlags |= CONTENT_HTTP; + else + contentFlags |= CONTENT_NORMAL; + + if (ValidateContentInfo(rule, content, fast_pattern) != 0) + { + rule->initialized = 0; + FreeOneRule(rule); + return -1; } + + if (content->flags & CONTENT_FAST_PATTERN) + fast_pattern = 1; } break; case OPTION_TYPE_PCRE: 
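Review bot: `Base64DecodeInitialize` logs `content_error`, whose text says the rule will not be registered, when `relative` is neither 0 nor 1, but then falls through to `return 0;`, so the rule is registered anyway and the BASE64_DECODE case that tests `result` (the `@@ -562` hunk below) can never take its error path. Add `return -1;` after the `_ded.errMsg(...)` call. The message text `needs to 0 or 1` is also missing a word.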
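Review bot: The error path `rule->initialized = 0; FreeOneRule(rule); return -1;` introduced here is repeated verbatim in the `@@ -538`, `@@ -562`, `@@ -574`, `@@ -586`, `@@ -599` and `@@ -607` hunks, with some copies returning `-1` and others `result`. A small static helper that clears `initialized`, calls `FreeOneRule` and returns the error code would remove the repetition and make the return codes consistent. RegisterOneRule continues beyond this hunk.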
@@ -538,6 +845,7 @@ if (PCRESetup(rule, pcre)) { rule->initialized = 0; + FreeOneRule(rule); return -1; } } @@ -562,6 +870,19 @@ { /* Don't initialize this rule */ rule->initialized = 0; + FreeOneRule(rule); + return result; + } + } + break; + case OPTION_TYPE_BASE64_DECODE: + { + base64DecodeData *optData = option->option_u.bData; + result = Base64DecodeInitialize(rule, optData); + if( result ) + { + rule->initialized = 0; + FreeOneRule(rule); return result; } } @@ -574,6 +895,7 @@ { /* Don't initialize this rule */ rule->initialized = 0; + FreeOneRule(rule); return result; } } @@ -586,6 +908,7 @@ { /* Don't initialize this rule */ rule->initialized = 0; + FreeOneRule(rule); return result; } loopInfo->initialized = 1; @@ -599,6 +922,7 @@ { /* Don't initialize this rule */ rule->initialized = 0; + FreeOneRule(rule); return -1; } } 
@@ -607,29 +931,41 @@ case OPTION_TYPE_BYTE_TEST: case OPTION_TYPE_BYTE_JUMP: - default: - /* nada */ + { + ByteData *byte = option->option_u.byte; + result = ByteDataInitialize(rule, byte); + + if (result) + { + rule->initialized = 0; + FreeOneRule(rule); + return -1; + } + } + break; - } - } - /* If no options were marked as the fast pattern, - * use the longest one we found. - */ - if ((fpContentFlags == 0) && (longestContentIndex != -1)) - { - option = rule->options[longestContentIndex]; - /* Just to be safe, make sure this is a content option */ - if (option->optionType == OPTION_TYPE_CONTENT) - { - ContentInfo *content = option->option_u.content; - - if (content->flags & (CONTENT_BUF_URI | CONTENT_BUF_POST | CONTENT_BUF_HEADER | CONTENT_BUF_METHOD)) - fpContentFlags |= FASTPATTERN_URI; - else - fpContentFlags |= FASTPATTERN_NORMAL; + case OPTION_TYPE_CURSOR: + { + CursorInfo *cursor = option->option_u.cursor; + result = CursorInfoInitialize(rule, cursor); + + if (result) + { + rule->initialized = 0; + FreeOneRule(rule); + return -1; + } + } - content->flags |= CONTENT_FAST_PATTERN; + break; + + case OPTION_TYPE_FILE_DATA: + case OPTION_TYPE_PKT_DATA: + case OPTION_TYPE_BASE64_DATA: + default: + /* nada */ + break; } } 
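Review bot: Removing the longest-content fallback means a rule with no explicitly marked fast pattern now depends on whatever the core does with the `fp` flags that GetDynamicContents reports, which is not visible in this diff; if the core now makes that choice, a comment at the old location such as `/* fast pattern selection for unmarked contents is done by the core from GetDynamicContents output */` would save the next reader from looking for the lost logic. The ByteDataInitialize and CursorInfoInitialize branches return `-1` where the neighbouring branches return `result`; pick one convention. RegisterOneRule continues beyond this hunk.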
@@ -649,15 +985,34 @@ if (registerRule) { /* Allocate an OTN and link it in with snort */ - if (_ded.ruleRegister(rule->info.sigID, - rule->info.genID, - (void *)rule, - &CheckRule, - &HasOption, - fpContentFlags, - &GetFPContent, - &FreeOneRule) == -1) + if (_ded.ruleRegister( + rule->info.sigID, + rule->info.genID, + (void *)rule, + &CheckRule, + &HasOption, + contentFlags, + &GetDynamicContents, + &FreeOneRule, + &GetDynamicPreprocOptFpContents) == -1) { + for (i = 0; rule->options[i] != NULL; i++) + { + option = rule->options[i]; + switch (option->optionType) + { + case OPTION_TYPE_FLOWBIT: + { + FlowBitsInfo *flowbits = option->option_u.flowBit; + _ded.flowbitUnregister(flowbits->flowBitsName, flowbits->operation); + } + break; + + default: + break; + } + } + return -1; } } @@ -736,12 +1091,29 @@ break; + case OPTION_TYPE_PREPROCESSOR: + { + PreprocessorOption *preprocOpt = + (PreprocessorOption *)option->option_u.preprocOpt; + + if (preprocOpt->dataPtr && preprocOpt->optionCleanup) + { + preprocOpt->optionCleanup(preprocOpt->dataPtr); + preprocOpt->dataPtr = NULL; + } + } + + break; + case OPTION_TYPE_HDR_CHECK: + case OPTION_TYPE_BASE64_DECODE: case OPTION_TYPE_ASN1: case OPTION_TYPE_FLOWBIT: - case OPTION_TYPE_PREPROCESSOR: case OPTION_TYPE_BYTE_TEST: case OPTION_TYPE_BYTE_JUMP: + case OPTION_TYPE_FILE_DATA: + case OPTION_TYPE_PKT_DATA: + case OPTION_TYPE_BASE64_DATA: default: break; } @@ -810,6 +1182,9 @@ case FLOWBIT_ISNOTSET: fprintf(fp, "isnotset,"); break; + case FLOWBIT_TOGGLE: + fprintf(fp, "toggle,"); + break; case FLOWBIT_RESET: fprintf(fp, "reset; "); print_name = 0; 
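Review bot: When `_ded.ruleRegister` fails, the new loop unregisters the rule's flowbits but, unlike every other failure path in RegisterOneRule, neither clears `rule->initialized` nor calls `FreeOneRule`, so the option state built above stays allocated and the rule still reports itself initialized. Unless `ruleRegister` is documented to take over cleanup on failure, add `rule->initialized = 0; FreeOneRule(rule);` before the `return -1;`, and confirm which side owns that cleanup since `&FreeOneRule` is handed to the registrar in the same call. The `switch` with a single case and `default: break;` inside the loop reads more simply as `if (option->optionType == OPTION_TYPE_FLOWBIT)`.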
@@ -885,7 +1260,7 @@ if ((strlen(_ded.dataDumpDirectory) + strlen(DIR_SEP) + strlen(rulesFileName) + strlen(".rules")) > PATH_MAX) return -1; - snprintf(ruleFile, PATH_MAX, "%s%s%s.rules", + snprintf(ruleFile, PATH_MAX, "%s%s%s.rules", _ded.dataDumpDirectory, DIR_SEP, rulesFileName); ruleFile[PATH_MAX] = '\0'; ruleFP = fopen(ruleFile, "w"); diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_engine/sf_snort_detection_engine.h snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_detection_engine.h --- snort-2.8.5.2/src/dynamic-plugins/sf_engine/sf_snort_detection_engine.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_detection_engine.h 2011-06-08 00:33:11.000000000 +0000 
@@ -0,0 +1,42 @@
+/*
+ * sf_snort_detection_engine.h
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) 2005-2011 Sourcefire, Inc.
+ *
+ * Author: Ryan Jordan
+ *
+ * Date: 4/2011
+ *
+ * Common definitions for the Dyanmic Rule Engine
+ */
+
+#ifndef SF_SNORT_DETECTION_ENGINE__H
+#define SF_SNORT_DETECTION_ENGINE__H
+
+int BoyerContentSetup(Rule *rule, ContentInfo *content);
+int PCRESetup(Rule *rule, PCREInfo *pcreInfo);
+int ValidateHeaderCheck(Rule *rule, HdrOptCheck *optData);
+void ContentSetup(void);
+int ByteExtractInitialize(Rule *rule, ByteExtract *extractData);
+int LoopInfoInitialize(Rule *rule, LoopInfo *loopInfo);
+int ByteDataInitialize(Rule *rule, ByteData *byte);
+int CursorInfoInitialize(Rule *rule, CursorInfo *cursor);
+
+
+
+#endif /* SF_SNORT_DETECTION_ENGINE__H */
diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_engine/sf_snort_packet.h snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_packet.h
--- snort-2.8.5.2/src/dynamic-plugins/sf_engine/sf_snort_packet.h 2009-07-07 15:37:05.000000000 +0000
+++ snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_packet.h 2011-11-21 20:15:24.000000000 +0000
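Review bot: The include guard `SF_SNORT_DETECTION_ENGINE__H` contains a double underscore, which puts it among identifiers reserved for the implementation (C11 7.1.3); `SF_SNORT_DETECTION_ENGINE_H` avoids that. The prototypes use `Rule`, `ContentInfo`, `PCREInfo`, `HdrOptCheck`, `ByteExtract`, `LoopInfo`, `ByteData` and `CursorInfo` but the header includes nothing, so it only compiles when `sf_snort_plugin_api.h` has already been included by the includer; either include it here or forward-declare the types. The header comment reads `Dyanmic` for `Dynamic`.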
@@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steve Sturges * Andy Mullican @@ -30,10 +30,6 @@ #ifndef _SF_SNORT_PACKET_H_ #define _SF_SNORT_PACKET_H_ -#ifdef HAVE_CONFIG_H -#include -#endif - #ifndef WIN32 #include #include @@ -42,26 +38,39 @@ #include #endif +#include +#include + #include "sf_ip.h" +#include "sf_protocols.h" #define VLAN_HDR_LEN 4 +// for vrt backwards compatibility +#define pcap_header pkt_header + +typedef int (*LogFunction)(void *ssnptr, uint8_t **buf, uint32_t *len, uint32_t *type); + +typedef DAQ_PktHdr_t SFDAQ_PktHdr_t; + typedef struct _VlanHeader { - u_int16_t vth_pri_cfi_vlan; - u_int16_t vth_proto; /* protocol field... */ + uint16_t vth_pri_cfi_vlan; + uint16_t vth_proto; /* protocol field... */ } VlanHeader; //#define NO_NON_ETHER_DECODER #define ETHER_HDR_LEN 14 +#define ETHERNET_TYPE_IP 0x0800 +#define ETHERNET_TYPE_IPV6 0x86dd #define ETHERNET_TYPE_8021Q 0x8100 typedef struct _EtherHeader { - u_int8_t ether_destination[6]; - u_int8_t ether_source[6]; - u_int16_t ethernet_type; + uint8_t ether_destination[6]; + uint8_t ether_source[6]; + uint16_t ethernet_type; } EtherHeader; 
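Review bot: `#define pcap_header pkt_header` in the `@@ -42` hunk is a bare object-like macro with no scoping, so every translation unit that includes this header has every occurrence of the identifier `pcap_header` rewritten, including uses in libpcap-derived or plugin code that have nothing to do with the packet struct. If the alias exists only for older VRT rule sources, gate it behind an opt-in macro or at least extend the comment to say that it rewrites the identifier everywhere. `typedef DAQ_PktHdr_t SFDAQ_PktHdr_t;` also depends on the DAQ header having been included first; the two new `#include` lines above are presumably where that comes from, and a comment naming the dependency would help.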
@@ -89,20 +98,21 @@ typedef struct _IPV4Header { - u_int8_t version_headerlength; - u_int8_t type_service; - u_int16_t data_length; - u_int16_t identifier; - u_int16_t offset; - u_int8_t time_to_live; - u_int8_t proto; - u_int16_t checksum; + uint8_t version_headerlength; + uint8_t type_service; + uint16_t data_length; + uint16_t identifier; + uint16_t offset; + uint8_t time_to_live; + uint8_t proto; + uint16_t checksum; struct in_addr source; struct in_addr destination; } IPV4Header; +#define MAX_LOG_FUNC 32 #define MAX_IP_OPTIONS 40 -#define MAX_IP6_EXTENSIONS 40 +#define MAX_IP6_EXTENSIONS 8 /* ip option codes */ #define IPOPTION_EOL 0x00 #define IPOPTION_NOP 0x01 @@ -117,9 +127,9 @@ typedef struct _IPOptions { - u_int8_t option_code; - u_int8_t length; - u_int8_t *option_data; + uint8_t option_code; + uint8_t length; + uint8_t *option_data; } IPOptions; @@ -127,15 +137,15 @@ typedef struct _TCPHeader { - u_int16_t source_port; - u_int16_t destination_port; - u_int32_t sequence; - u_int32_t acknowledgement; - u_int8_t offset_reserved; - u_int8_t flags; - u_int16_t window; - u_int16_t checksum; - u_int16_t urgent_pointer; + uint16_t source_port; + uint16_t destination_port; + uint32_t sequence; + uint32_t acknowledgement; + uint8_t offset_reserved; + uint8_t flags; + uint16_t window; + uint16_t checksum; + uint16_t urgent_pointer; } TCPHeader; #define TCPHEADER_FIN 0x01 @@ -144,8 +154,8 @@ #define TCPHEADER_PUSH 0x08 #define TCPHEADER_ACK 0x10 #define TCPHEADER_URG 0x20 -#define TCPHEADER_RES2 0x40 -#define TCPHEADER_RES1 0x80 +#define TCPHEADER_ECE 0x40 +#define TCPHEADER_CWR 0x80 #define TCPHEADER_NORESERVED (TCPHEADER_FIN|TCPHEADER_SYN|TCPHEADER_RST \ |TCPHEADER_PUSH|TCPHEADER_ACK|TCPHEADER_URG) 
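Review bot: `MAX_IP6_EXTENSIONS` drops from 40 to 8 in a public plugin header; if any exported struct carries an array sized by it (not visible here), this is an ABI change for every shared-object rule or preprocessor built against the old header, and any decoder loop still bounded by the old value would overrun the smaller array. If that is the case, the change should go with a plugin API version bump and a comment such as `/* ABI: resizes any packet struct that embeds this array; bump the plugin API version when changing */`.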
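Review bot: In the `@@ -144` hunk `TCPHEADER_RES2`/`TCPHEADER_RES1` are removed rather than aliased, so any plugin source that tested those bits no longer compiles against the new header, while `TCPHEADER_NORESERVED` keeps a name that no longer matches the ECE/CWR semantics. Keeping `#define TCPHEADER_RES2 TCPHEADER_ECE` and `#define TCPHEADER_RES1 TCPHEADER_CWR` as deprecated aliases would preserve source compatibility.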
@@ -170,28 +180,28 @@ typedef struct _UDPHeader { - u_int16_t source_port; - u_int16_t destination_port; - u_int16_t data_length; - u_int16_t checksum; + uint16_t source_port; + uint16_t destination_port; + uint16_t data_length; + uint16_t checksum; } UDPHeader; typedef struct _ICMPSequenceID { - u_int16_t id; - u_int16_t seq; + uint16_t id; + uint16_t seq; } ICMPSequenceID; typedef struct _ICMPHeader { - u_int8_t type; - u_int8_t code; - u_int16_t checksum; + uint8_t type; + uint8_t code; + uint16_t checksum; union { /* type 12 */ - u_int8_t parameter_problem_ptr; + uint8_t parameter_problem_ptr; /* type 5 */ struct in_addr gateway_addr; @@ -201,25 +211,25 @@ /* type 13, 14 */ ICMPSequenceID timestamp; - + /* type 15, 16 */ ICMPSequenceID info; - + int voidInfo; /* type 3/code=4 (Path MTU, RFC 1191) */ struct path_mtu { - u_int16_t voidInfo; - u_int16_t next_mtu; + uint16_t voidInfo; + uint16_t next_mtu; } path_mtu; /* type 9 */ - struct router_advertisement + struct router_advertisement { - u_int8_t number_addrs; - u_int8_t entry_size; - u_int16_t lifetime; + uint8_t number_addrs; + uint8_t entry_size; + uint16_t lifetime; } router_advertisement; } icmp_header_union; @@ -237,32 +247,32 @@ #define icmp_ra_entry_size icmp_header_union.router_advertisement.entry_size #define icmp_ra_lifetime icmp_header_union.router_advertisement.lifetime - union + union { /* timestamp */ - struct timestamp + struct timestamp { - u_int32_t orig; - u_int32_t receive; - u_int32_t transmit; + uint32_t orig; + uint32_t receive; + uint32_t transmit; } timestamp; - + /* IP header for unreach */ - struct ipv4_header + struct ipv4_header { IPV4Header *ip; /* options and then 64 bits of data */ } ipv4_header; - - /* Router Advertisement */ - struct router_address + + /* Router Advertisement */ + struct router_address { - u_int32_t addr; - u_int32_t preference; + uint32_t addr; + uint32_t preference; } router_address; /* type 17, 18 */ - u_int32_t mask; + uint32_t mask; char data[1]; 
@@ -292,57 +302,70 @@ #define ICMP_ADDRESS_REQUEST 17 /* Address Mask Request */ #define ICMP_ADDRESS_REPLY 18 /* Address Mask Reply */ -#define CHECKSUM_INVALID_IP 0x01 -#define CHECKSUM_INVALID_TCP 0x02 -#define CHECKSUM_INVALID_UDP 0x04 -#define CHECKSUM_INVALID_ICMP 0x08 -#define CHECKSUM_INVALID_IGMP 0x10 +#define INVALID_CHECKSUM_IP 0x01 +#define INVALID_CHECKSUM_TCP 0x02 +#define INVALID_CHECKSUM_UDP 0x04 +#define INVALID_CHECKSUM_ICMP 0x08 +#define INVALID_CHECKSUM_IGMP 0x10 +#define INVALID_CHECKSUM_ALL 0x1F +#define INVALID_TTL 0x20 typedef struct _IPv6Extension { - u_int8_t option_type; - const u_int8_t *option_data; + uint8_t option_type; + const uint8_t *option_data; } IP6Extension; typedef struct _IPv4Hdr { - u_int8_t ip_verhl; /* version & header length */ - u_int8_t ip_tos; /* type of service */ - u_int16_t ip_len; /* datagram length */ - u_int16_t ip_id; /* identification */ - u_int16_t ip_off; /* fragment offset */ - u_int8_t ip_ttl; /* time to live field */ - u_int8_t ip_proto; /* datagram protocol */ - u_int16_t ip_csum; /* checksum */ + uint8_t ip_verhl; /* version & header length */ + uint8_t ip_tos; /* type of service */ + uint16_t ip_len; /* datagram length */ + uint16_t ip_id; /* identification */ + uint16_t ip_off; /* fragment offset */ + uint8_t ip_ttl; /* time to live field */ + uint8_t ip_proto; /* datagram protocol */ + uint16_t ip_csum; /* checksum */ sfip_t ip_src; /* source IP */ sfip_t ip_dst; /* dest IP */ } IP4Hdr; +typedef struct _IP6RawHdr +{ + uint32_t vcl; // version, class, and label */ + uint16_t payload_len; // length of the payload */ + uint8_t next_header; // same values as ip4 protocol field + new ip6 values + uint8_t hop_limit; // same usage as ip4 ttl + + struct in6_addr src_addr; + struct in6_addr dst_addr; +} IP6RawHdr; + typedef struct _IPv6Hdr -{ - u_int32_t vcl; /* version, class, and label */ - u_int16_t len; /* length of the payload */ - u_int8_t next; /* next header +{ + uint32_t vcl; /* version, class, and 
label */ + uint16_t len; /* length of the payload */ + uint8_t next; /* next header * Uses the same flags as * the IPv4 protocol field */ - u_int8_t hop_lmt; /* hop limit */ + uint8_t hop_lmt; /* hop limit */ sfip_t ip_src; sfip_t ip_dst; -} IP6Hdr; +} IP6Hdr; -typedef struct _IP6FragHdr +typedef struct _IP6FragHdr { - u_int8_t ip6f_nxt; /* next header */ - u_int8_t ip6f_reserved; /* reserved field */ - u_int16_t ip6f_offlg; /* offset, reserved, and flag */ - u_int32_t ip6f_ident; /* identification */ + uint8_t ip6f_nxt; /* next header */ + uint8_t ip6f_reserved; /* reserved field */ + uint16_t ip6f_offlg; /* offset, reserved, and flag */ + uint32_t ip6f_ident; /* identification */ } IP6FragHdr; typedef struct _ICMP6 { - u_int8_t type; - u_int8_t code; - u_int16_t csum; + uint8_t type; + uint8_t code; + uint16_t csum; } ICMP6Hdr; 
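Review bot: The `CHECKSUM_INVALID_*` macros are renamed to `INVALID_CHECKSUM_*` with no compatibility aliases, the same source-compatibility concern as the TCP flag rename earlier in this file; deprecated aliases for the old names would avoid breaking external plugins. In `IP6RawHdr` the first two field comments are `//` comments that end with a stray `*/` (`// version, class, and label */`), apparently left over from a `/* */` conversion; drop the trailing `*/`.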
@@ -360,76 +383,89 @@ /* IPHeader access calls */ -sfip_t * ip4_ret_src(struct _SFSnortPacket *); -sfip_t * ip4_ret_dst(struct _SFSnortPacket *); -u_int16_t ip4_ret_tos(struct _SFSnortPacket *); -u_int8_t ip4_ret_ttl(struct _SFSnortPacket *); -u_int16_t ip4_ret_len(struct _SFSnortPacket *); -u_int32_t ip4_ret_id(struct _SFSnortPacket *); -u_int8_t ip4_ret_proto(struct _SFSnortPacket *); -u_int16_t ip4_ret_off(struct _SFSnortPacket *); -u_int8_t ip4_ret_ver(struct _SFSnortPacket *); -u_int8_t ip4_ret_hlen(struct _SFSnortPacket *); - -sfip_t * orig_ip4_ret_src(struct _SFSnortPacket *); -sfip_t * orig_ip4_ret_dst(struct _SFSnortPacket *); -u_int16_t orig_ip4_ret_tos(struct _SFSnortPacket *); -u_int8_t orig_ip4_ret_ttl(struct _SFSnortPacket *); -u_int16_t orig_ip4_ret_len(struct _SFSnortPacket *); -u_int32_t orig_ip4_ret_id(struct _SFSnortPacket *); -u_int8_t orig_ip4_ret_proto(struct _SFSnortPacket *); -u_int16_t orig_ip4_ret_off(struct _SFSnortPacket *); -u_int8_t orig_ip4_ret_ver(struct _SFSnortPacket *); -u_int8_t orig_ip4_ret_hlen(struct _SFSnortPacket *); - -sfip_t * ip6_ret_src(struct _SFSnortPacket *); -sfip_t * ip6_ret_dst(struct _SFSnortPacket *); -u_int16_t ip6_ret_toc(struct _SFSnortPacket *); -u_int8_t ip6_ret_hops(struct _SFSnortPacket *); -u_int16_t ip6_ret_len(struct _SFSnortPacket *); -u_int32_t ip6_ret_id(struct _SFSnortPacket *); -u_int8_t ip6_ret_next(struct _SFSnortPacket *); -u_int16_t ip6_ret_off(struct _SFSnortPacket *); -u_int8_t ip6_ret_ver(struct _SFSnortPacket *); -u_int8_t ip6_ret_hlen(struct _SFSnortPacket *); - -sfip_t * orig_ip6_ret_src(struct _SFSnortPacket *); -sfip_t * orig_ip6_ret_dst(struct _SFSnortPacket *); -u_int16_t orig_ip6_ret_toc(struct _SFSnortPacket *); -u_int8_t orig_ip6_ret_hops(struct _SFSnortPacket *); -u_int16_t orig_ip6_ret_len(struct _SFSnortPacket *); -u_int32_t orig_ip6_ret_id(struct _SFSnortPacket *); -u_int8_t orig_ip6_ret_next(struct _SFSnortPacket *); -u_int16_t orig_ip6_ret_off(struct _SFSnortPacket *); 
-u_int8_t orig_ip6_ret_ver(struct _SFSnortPacket *); -u_int8_t orig_ip6_ret_hlen(struct _SFSnortPacket *); - -typedef struct _IPH_API -{ - sfip_t * (*iph_ret_src)(struct _SFSnortPacket *); - sfip_t * (*iph_ret_dst)(struct _SFSnortPacket *); - u_int16_t (*iph_ret_tos)(struct _SFSnortPacket *); - u_int8_t (*iph_ret_ttl)(struct _SFSnortPacket *); - u_int16_t (*iph_ret_len)(struct _SFSnortPacket *); - u_int32_t (*iph_ret_id)(struct _SFSnortPacket *); - u_int8_t (*iph_ret_proto)(struct _SFSnortPacket *); - u_int16_t (*iph_ret_off)(struct _SFSnortPacket *); - u_int8_t (*iph_ret_ver)(struct _SFSnortPacket *); - u_int8_t (*iph_ret_hlen)(struct _SFSnortPacket *); - - sfip_t * (*orig_iph_ret_src)(struct _SFSnortPacket *); - sfip_t * (*orig_iph_ret_dst)(struct _SFSnortPacket *); - u_int16_t (*orig_iph_ret_tos)(struct _SFSnortPacket *); - u_int8_t (*orig_iph_ret_ttl)(struct _SFSnortPacket *); - u_int16_t (*orig_iph_ret_len)(struct _SFSnortPacket *); - u_int16_t (*orig_iph_ret_id)(struct _SFSnortPacket *); - u_int8_t (*orig_iph_ret_proto)(struct _SFSnortPacket *); - u_int16_t (*orig_iph_ret_off)(struct _SFSnortPacket *); - u_int8_t (*orig_iph_ret_ver)(struct _SFSnortPacket *); - u_int8_t (*orig_iph_ret_hlen)(struct _SFSnortPacket *); +sfip_t * ip4_ret_src(const struct _SFSnortPacket *); +sfip_t * ip4_ret_dst(const struct _SFSnortPacket *); +uint16_t ip4_ret_tos(const struct _SFSnortPacket *); +uint8_t ip4_ret_ttl(const struct _SFSnortPacket *); +uint16_t ip4_ret_len(const struct _SFSnortPacket *); +uint32_t ip4_ret_id(const struct _SFSnortPacket *); +uint8_t ip4_ret_proto(const struct _SFSnortPacket *); +uint16_t ip4_ret_off(const struct _SFSnortPacket *); +uint8_t ip4_ret_ver(const struct _SFSnortPacket *); +uint8_t ip4_ret_hlen(const struct _SFSnortPacket *); + +sfip_t * orig_ip4_ret_src(const struct _SFSnortPacket *); +sfip_t * orig_ip4_ret_dst(const struct _SFSnortPacket *); +uint16_t orig_ip4_ret_tos(const struct _SFSnortPacket *); +uint8_t orig_ip4_ret_ttl(const struct 
_SFSnortPacket *); +uint16_t orig_ip4_ret_len(const struct _SFSnortPacket *); +uint32_t orig_ip4_ret_id(const struct _SFSnortPacket *); +uint8_t orig_ip4_ret_proto(const struct _SFSnortPacket *); +uint16_t orig_ip4_ret_off(const struct _SFSnortPacket *); +uint8_t orig_ip4_ret_ver(const struct _SFSnortPacket *); +uint8_t orig_ip4_ret_hlen(const struct _SFSnortPacket *); + +sfip_t * ip6_ret_src(const struct _SFSnortPacket *); +sfip_t * ip6_ret_dst(const struct _SFSnortPacket *); +uint16_t ip6_ret_toc(const struct _SFSnortPacket *); +uint8_t ip6_ret_hops(const struct _SFSnortPacket *); +uint16_t ip6_ret_len(const struct _SFSnortPacket *); +uint32_t ip6_ret_id(const struct _SFSnortPacket *); +uint8_t ip6_ret_next(const struct _SFSnortPacket *); +uint16_t ip6_ret_off(const struct _SFSnortPacket *); +uint8_t ip6_ret_ver(const struct _SFSnortPacket *); +uint8_t ip6_ret_hlen(const struct _SFSnortPacket *); + +sfip_t * orig_ip6_ret_src(const struct _SFSnortPacket *); +sfip_t * orig_ip6_ret_dst(const struct _SFSnortPacket *); +uint16_t orig_ip6_ret_toc(const struct _SFSnortPacket *); +uint8_t orig_ip6_ret_hops(const struct _SFSnortPacket *); +uint16_t orig_ip6_ret_len(const struct _SFSnortPacket *); +uint32_t orig_ip6_ret_id(const struct _SFSnortPacket *); +uint8_t orig_ip6_ret_next(const struct _SFSnortPacket *); +uint16_t orig_ip6_ret_off(const struct _SFSnortPacket *); +uint8_t orig_ip6_ret_ver(const struct _SFSnortPacket *); +uint8_t orig_ip6_ret_hlen(const struct _SFSnortPacket *); + +typedef struct _IPH_API +{ + sfip_t * (*iph_ret_src)(const struct _SFSnortPacket *); + sfip_t * (*iph_ret_dst)(const struct _SFSnortPacket *); + uint16_t (*iph_ret_tos)(const struct _SFSnortPacket *); + uint8_t (*iph_ret_ttl)(const struct _SFSnortPacket *); + uint16_t (*iph_ret_len)(const struct _SFSnortPacket *); + uint32_t (*iph_ret_id)(const struct _SFSnortPacket *); + uint8_t (*iph_ret_proto)(const struct _SFSnortPacket *); + uint16_t (*iph_ret_off)(const struct _SFSnortPacket *); + 
uint8_t (*iph_ret_ver)(const struct _SFSnortPacket *); + uint8_t (*iph_ret_hlen)(const struct _SFSnortPacket *); + + sfip_t * (*orig_iph_ret_src)(const struct _SFSnortPacket *); + sfip_t * (*orig_iph_ret_dst)(const struct _SFSnortPacket *); + uint16_t (*orig_iph_ret_tos)(const struct _SFSnortPacket *); + uint8_t (*orig_iph_ret_ttl)(const struct _SFSnortPacket *); + uint16_t (*orig_iph_ret_len)(const struct _SFSnortPacket *); + uint16_t (*orig_iph_ret_id)(const struct _SFSnortPacket *); + uint8_t (*orig_iph_ret_proto)(const struct _SFSnortPacket *); + uint16_t (*orig_iph_ret_off)(const struct _SFSnortPacket *); + uint8_t (*orig_iph_ret_ver)(const struct _SFSnortPacket *); + uint8_t (*orig_iph_ret_hlen)(const struct _SFSnortPacket *); char version; } IPH_API; +typedef enum { + PSEUDO_PKT_IP, + PSEUDO_PKT_TCP, + PSEUDO_PKT_DCE_RPKT, + PSEUDO_PKT_SMB_SEG, + PSEUDO_PKT_DCE_SEG, + PSEUDO_PKT_DCE_FRAG, + PSEUDO_PKT_SMB_TRANS, + PSEUDO_PKT_PS, + PSEUDO_PKT_SDF, + PSEUDO_PKT_MAX +} PseudoPacketType; + #ifdef SUP_IP6 #include "ipv6_port.h" @@ -442,7 +478,7 @@ extern IPH_API ip4; extern IPH_API ip6; -#define iph_is_valid(p) (p->family != NO_IP) +#define iph_is_valid(p) ((p)->family != NO_IP) #define NO_IP 0 
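Review bot: `orig_iph_ret_id` in `IPH_API` is still declared as returning `uint16_t` while `orig_ip4_ret_id`, `orig_ip6_ret_id` and the non-orig `iph_ret_id` slot all return `uint32_t`; the commit re-touched every one of these declarations to add `const` but carried the mismatch across. If the `ip4`/`ip6` tables are initialised with those functions (the initialisers are not in this diff), the assignment is an incompatible-pointer-type conversion and calling through that slot is undefined behaviour in C; change it to `uint32_t (*orig_iph_ret_id)(const struct _SFSnortPacket *);`. Since the plugin ABI is being redefined for 2.9 anyway, this is the moment to fix it rather than freeze it.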
@@ -451,43 +487,55 @@ typedef struct _MplsHdr { - u_int32_t label; - u_int8_t exp; - u_int8_t bos; - u_int8_t ttl; + uint32_t label; + uint8_t exp; + uint8_t bos; + uint8_t ttl; } MplsHdr; +#define MAX_PROTO_LAYERS 32 + +typedef struct { + PROTO_ID proto_id; + uint16_t proto_length; + uint8_t* proto_start; +} ProtoLayer; + typedef struct _SFSnortPacket { - const struct pcap_pkthdr *pcap_header; /* Is this GPF'd? */ - const u_int8_t *pkt_data; + const SFDAQ_PktHdr_t *pkt_header; /* Is this GPF'd? */ + const uint8_t *pkt_data; void *ether_arp_header; const EtherHeader *ether_header; const void *vlan_tag_header; void *ether_header_llc; void *ether_header_other; + const void *ppp_over_ether_header; const void *gre_header; - u_int32_t *mpls; + uint32_t *mpls; const IPV4Header *ip4_header, *orig_ip4_header; const IPV4Header *inner_ip4_header; const IPV4Header *outer_ip4_header; const TCPHeader *tcp_header, *orig_tcp_header; const UDPHeader *udp_header, *orig_udp_header; + const UDPHeader *inner_udph; /* if Teredo + UDP, this will be the inner UDP header */ + const UDPHeader *outer_udph; /* if Teredo + UDP, this will be the outer UDP header */ const ICMPHeader *icmp_header, *orig_icmp_header; - const u_int8_t *payload; - const u_int8_t *ip_payload; - const u_int8_t *outer_ip_payload; - const u_int8_t *ip_frag_start; - const u_int8_t *ip4_options_data; - const u_int8_t *tcp_options_data; + const uint8_t *payload; + const uint8_t *ip_payload; + const uint8_t *outer_ip_payload; + const uint8_t *ip_frag_start; + const uint8_t *ip4_options_data; + const uint8_t *tcp_options_data; void *stream_session_ptr; void *fragmentation_tracking_ptr; void *flow_ptr; void *stream_ptr; + void *policyEngineData; IP4Hdr *ip4h, *orig_ip4h; IP6Hdr *ip6h, *orig_ip6h; 
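Review bot: `ProtoLayer.proto_start` is a non-const `uint8_t*` while every other pointer into captured data in `SFSnortPacket` (`pkt_data`, `payload`, `ip_payload`, `ip_frag_start`, ...) is `const uint8_t *`; whoever records a layer from `pkt_data` has to cast the const away, and a plugin reading `proto_layers[i].proto_start` receives a writable view of packet data. Declare it `const uint8_t *proto_start;`. `MAX_PROTO_LAYERS` is 32 and the index kept for it (`next_layer_index`, added later in this diff) is a `uint8_t`, so the decoder's push into `proto_layers` must check `next_layer_index < MAX_PROTO_LAYERS` on every encapsulation level — deeply nested crafted encapsulation is routine input for an IDS — but that decoder code is not in this diff, so I can only flag it here.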
@@ -510,52 +558,57 @@ int outer_family; int number_bytes_to_check; - u_int32_t preprocessor_bit_mask; - u_int32_t preproc_reassembly_pkt_bit_mask; - //int ip_payload_length; //int ip_payload_offset; - u_int32_t pcap_cap_len; - u_int32_t http_pipeline_count; - u_int32_t flags; - u_int32_t proto_bits; - - u_int16_t payload_size; - u_int16_t ip_payload_size; - u_int16_t normalized_payload_size; - u_int16_t actual_ip_length; - u_int16_t outer_ip_payload_size; - - u_int16_t ip_fragment_offset; - u_int16_t ip_frag_length; - u_int16_t ip4_options_length; - u_int16_t tcp_options_length; - - u_int16_t src_port; - u_int16_t dst_port; - u_int16_t orig_src_port; - u_int16_t orig_dst_port; + uint32_t preprocessor_bit_mask; + uint32_t preproc_reassembly_pkt_bit_mask; + + uint32_t http_pipeline_count; + uint32_t flags; + uint16_t proto_bits; + + uint16_t payload_size; + uint16_t ip_payload_size; + uint16_t normalized_payload_size; + uint16_t actual_ip_length; + uint16_t outer_ip_payload_size; + + uint16_t ip_fragment_offset; + uint16_t ip_frag_length; + uint16_t ip4_options_length; + uint16_t tcp_options_length; + + uint16_t src_port; + uint16_t dst_port; + uint16_t orig_src_port; + uint16_t orig_dst_port; int16_t application_protocol_ordinal; - u_int8_t ip_fragmented; - u_int8_t ip_more_fragments; - u_int8_t ip_dont_fragment; - u_int8_t ip_reserved; - - u_int8_t num_uris; - u_int8_t checksums_invalid; - u_int8_t encapsulated; - - u_int8_t num_ip_options; - u_int8_t num_tcp_options; - u_int8_t num_ip6_extensions; - u_int8_t ip6_frag_extension; + uint8_t ip_fragmented; + uint8_t ip_more_fragments; + uint8_t ip_dont_fragment; + uint8_t ip_reserved; + + uint8_t num_uris; + uint8_t invalid_flags; + uint8_t encapsulated; + uint8_t GTPencapsulated; + + uint8_t num_ip_options; + uint8_t num_tcp_options; + uint8_t num_ip6_extensions; + uint8_t ip6_frag_extension; u_char ip_last_option_invalid_flag; u_char tcp_last_option_invalid_flag; + uint8_t next_layer_index; + + uint32_t 
xtradata_mask; + uint32_t per_packet_xtradata; + #ifndef NO_NON_ETHER_DECODER const void *fddi_header; void *fddi_saps; @@ -571,13 +624,15 @@ void *pflog2_header; void *pflog3_header; +#ifdef DLT_LINUX_SLL const void *sll_header; +#endif +#ifdef DLT_IEEE802_11 const void *wifi_header; - const void *ppp_over_ether_header; - +#endif const void *ether_eapol_header; const void *eapol_headear; - const u_int8_t *eapol_type; + const uint8_t *eapol_type; void *eapol_key; #endif @@ -585,16 +640,29 @@ TCPOptions tcp_options[MAX_TCP_OPTIONS]; IP6Extension ip6_extensions[MAX_IP6_EXTENSIONS]; + const IP6RawHdr* raw_ip6_header; + ProtoLayer proto_layers[MAX_PROTO_LAYERS]; + + PseudoPacketType pseudo_type; + uint16_t max_payload; + + + /**policyId provided in configuration file. Used for correlating configuration + * with event output + */ + uint16_t configPolicyId; + } SFSnortPacket; #define PKT_ZERO_LEN offsetof(SFSnortPacket, ip_options) -#define PROTO_BIT__IP 0x00000001 -#define PROTO_BIT__ARP 0x00000002 -#define PROTO_BIT__TCP 0x00000004 -#define PROTO_BIT__UDP 0x00000008 -#define PROTO_BIT__ICMP 0x00000010 -#define PROTO_BIT__ALL 0xffffffff +#define PROTO_BIT__IP 0x0001 +#define PROTO_BIT__ARP 0x0002 +#define PROTO_BIT__TCP 0x0004 +#define PROTO_BIT__UDP 0x0008 +#define PROTO_BIT__ICMP 0x0010 +#define PROTO_BIT__TEREDO 0x0020 +#define PROTO_BIT__ALL 0xffff #define IsIP(p) (IPH_IS_VALID(p)) #define IsTCP(p) (IsIP(p) && (GET_IPH_PROTO(p) == IPPROTO_TCP)) 
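Review bot: `checksums_invalid` becomes `invalid_flags`, and the constants earlier in this diff put `INVALID_TTL` (0x20) in the same byte as the `INVALID_CHECKSUM_*` bits (0x01–0x10), so any plugin that tested the old field for non-zero to mean "bad checksum" now also fires on a bad TTL. A comment on the field would make that explicit, e.g. `uint8_t invalid_flags; /* INVALID_CHECKSUM_* bits (mask with INVALID_CHECKSUM_ALL) plus INVALID_TTL */`. `proto_bits` also narrows from 32 to 16 bits to match the new `PROTO_BIT__ALL 0xffff`; both are part of the plugin-visible struct layout and deserve a line in the plugin migration notes.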
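Review bot: The new fields `raw_ip6_header`, `proto_layers`, `pseudo_type`, `max_payload` and `configPolicyId` are appended after `ip6_extensions`, i.e. beyond `PKT_ZERO_LEN`, which this hunk keeps as `offsetof(SFSnortPacket, ip_options)`. If the decoder clears a packet with `memset(p, 0, PKT_ZERO_LEN)` (that code is not in this diff), these fields keep the previous packet's values, and `raw_ip6_header` in particular would be a stale pointer into an earlier capture buffer that an IPv6 accessor could dereference on a non-IPv6 packet. Either move the pointer and scalar fields above `ip_options`, or add a comment on `PKT_ZERO_LEN` stating which trailing fields are deliberately left uncleared and who is responsible for resetting them.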
@@ -612,38 +680,93 @@ ((tcp_header)->offset_reserved = \ (unsigned char)(((tcp_header)->offset_reserved & 0x0f) | (value << 4))) -#define FLAG_REBUILT_FRAG 0x00000001 -#define FLAG_REBUILT_STREAM 0x00000002 -#define FLAG_STREAM_UNEST_UNI 0x00000004 -#define FLAG_STREAM_UNEST_BI 0x00000008 -#define FLAG_STREAM_EST 0x00000010 -#define FLAG_FROM_SERVER 0x00000040 -#define FLAG_FROM_CLIENT 0x00000080 -#define FLAG_HTTP_DECODE 0x00000100 -#define FLAG_STREAM_INSERT 0x00000400 -#define FLAG_ALT_DECODE 0x00000800 -#define FLAG_STREAM_TWH 0x00001000 -#define FLAG_IGNORE_PORT 0x00002000 /* this packet should be ignored, based on port */ -#define FLAG_PASS_RULE 0x00004000 /* this packet has matched a pass rule */ -#define FLAG_NO_DETECT 0x00008000 /* this packet should not be preprocessed */ -#define FLAG_PREPROC_RPKT 0x00010000 /* set in original packet to indicate a preprocessor - * has a reassembled packet */ -#define FLAG_DCE_RPKT 0x00020000 /* this is a DCE/RPC reassembled packet */ -#define FLAG_IP_RULE 0x00040000 /* this packet being evaluated against an ip rule */ +#define BIT(i) (0x1 << (i-1)) + + +// beware: some flags are redefined in dynamic-plugins/sf_dynamic_define.h! 
+#define FLAG_REBUILT_FRAG 0x00000001 /* is a rebuilt fragment */ +#define FLAG_REBUILT_STREAM 0x00000002 /* is a rebuilt stream */ +#define FLAG_STREAM_UNEST_UNI 0x00000004 /* is from an unestablished stream and + * we've only seen traffic in one direction */ +#define FLAG_STREAM_EST 0x00000008 /* is from an established stream */ + +#define FLAG_STREAM_INSERT 0x00000010 /* this packet has been queued for stream reassembly */ +#define FLAG_STREAM_TWH 0x00000020 /* packet completes the 3-way handshake */ +#define FLAG_FROM_SERVER 0x00000040 /* this packet came from the server + side of a connection (TCP) */ +#define FLAG_FROM_CLIENT 0x00000080 /* this packet came from the client + side of a connection (TCP) */ + +#define FLAG_PDU_HEAD 0x00000100 /* start of PDU */ +#define FLAG_PDU_TAIL 0x00000200 /* end of PDU */ +#define FLAG_UNSURE_ENCAP 0x00000400 /* packet may have incorrect encapsulation layer. */ + /* don't alert if "next layer" is invalid. */ +#define FLAG_HTTP_DECODE 0x00000800 /* this packet has normalized http */ + +#define FLAG_IGNORE_PORT 0x00001000 /* this packet should be ignored, based on port */ +#define FLAG_NO_DETECT 0x00002000 /* this packet should not be preprocessed */ +#define FLAG_ALLOW_MULTIPLE_DETECT 0x00004000 /* packet has either pipelined mime attachements */ + /* or pipeline http requests */ +#define FLAG_PAYLOAD_OBFUSCATE 0x00008000 + +#define FLAG_STATELESS 0x00010000 /* Packet has matched a stateless rule */ +#define FLAG_PASS_RULE 0x00020000 /* this packet has matched a pass rule */ +#define FLAG_IP_RULE 0x00040000 /* this packet is being evaluated against an IP rule */ #define FLAG_IP_RULE_2ND 0x00080000 /* this packet is being evaluated against an IP rule */ -#define FLAG_SMB_SEG 0x00100000 /* this is an SMB desegmented packet */ -#define FLAG_DCE_SEG 0x00200000 /* this is a DCE/RPC desegmented packet */ -#define FLAG_DCE_FRAG 0x00400000 /* this is a DCE/RPC defragmented packet */ -#define FLAG_SMB_TRANS 0x00800000 /* this is an 
SMB Transact reassembled packet */ -#define FLAG_DCE_PKT 0x01000000 /* this is a DCE packet processed by DCE/RPC preprocessor */ - -#define FLAG_STATELESS 0x10000000 /* Packet has matched a stateless rule */ -#define FLAG_INLINE_DROP 0x20000000 -#define FLAG_OBFUSCATED 0x40000000 /* this packet has been obfuscated */ -#define FLAG_LOGGED 0x80000000 /* this packet has been logged */ +#define FLAG_LOGGED 0x00100000 /* this packet has been logged */ +#define FLAG_PSEUDO 0x00200000 /* is a pseudo packet */ +#define FLAG_MODIFIED 0x00400000 /* packet had normalizations, etc. */ +#ifdef NORMALIZER +#define FLAG_RESIZED 0x00800000 /* packet has new size; must set modified too */ +#endif + +// neither of these flags will be set for (full) retransmissions or non-data segments +// a partial overlap results in out of sequence condition +// out of sequence condition is sticky +#define FLAG_STREAM_ORDER_OK 0x01000000 /* this segment is in order, w/o gaps */ +#define FLAG_STREAM_ORDER_BAD 0x02000000 /* this stream had at least one gap */ +#define FLAG_REASSEMBLED_OLD 0x04000000 /* for backwards compat with so rules */ + +// 0x0F800000 are available + +#define FLAG_PDU_FULL (FLAG_PDU_HEAD | FLAG_PDU_TAIL) + +#define REASSEMBLED_PACKET_FLAGS (FLAG_REBUILT_STREAM|FLAG_REASSEMBLED_OLD) #define SFTARGET_UNKNOWN_PROTOCOL -1 +static inline int PacketWasCooked(const SFSnortPacket* p) +{ + return ( p->flags & FLAG_PSEUDO ) != 0; +} + +static inline void SetLogFuncs(SFSnortPacket *p, uint32_t id, uint8_t per_packet) +{ + if(!id) + return; + if(per_packet) + p->per_packet_xtradata |= BIT(id); + else + p->xtradata_mask |= BIT(id); +} + +#ifdef ENABLE_PAF +static inline int PacketHasFullPDU (const SFSnortPacket* p) +{ + return ( (p->flags & FLAG_PDU_FULL) == FLAG_PDU_FULL ); +} + +static inline int PacketHasStartOfPDU (const SFSnortPacket* p) +{ + return ( (p->flags & FLAG_PDU_HEAD) != 0 ); +} + +static inline int PacketHasPAFPayload (const SFSnortPacket* p) +{ + return ( (p->flags & 
FLAG_REBUILT_STREAM) || PacketHasFullPDU(p) ); +} +#endif + #endif /* _SF_SNORT_PACKET_H_ */ diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c --- snort-2.8.5.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c 2009-07-07 15:37:05.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c 2011-11-21 20:15:24.000000000 +0000 @@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steve Sturges * Andy Mullican 
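Review bot: `BIT(i)` is defined as `(0x1 << (i-1))` with an unparenthesised argument and an `int` operand, and `SetLogFuncs` feeds it an arbitrary `uint32_t id` with only `id == 0` rejected; `id == 32` shifts 1 into the sign bit and `id > 32` shifts by at least the type width, both undefined behaviour in C, and an expression argument such as `BIT(a+b)` expands wrongly. Use `#define BIT(i) (1u << ((i) - 1))` and have `SetLogFuncs` return early when `id > 32` before touching `xtradata_mask`/`per_packet_xtradata`. The comment `// 0x0F800000 are available` is also wrong for this layout: 0x00800000 (`FLAG_RESIZED`), 0x01000000, 0x02000000 and 0x04000000 are all assigned just above it, so the free bits are 0x08000000–0x80000000; change it to `// 0xF8000000 are available`.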
@@ -25,12 +25,49 @@ * * Dyanmic Rule Engine */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_dynamic_define.h" #include "sf_snort_packet.h" #include "sf_snort_plugin_api.h" #include "sf_dynamic_engine.h" +#include "sf_snort_detection_engine.h" +#include "sfghash.h" +#define BLEN 65535 + +const uint8_t base64decodebuf[BLEN]; +uint32_t base64decodesize; -/* Need access to the snort-isms that were passed to the engine */ -extern DynamicEngineData _ded; + +int CursorInfoInitialize(Rule *rule, CursorInfo *cursor) +{ + void *memoryLocation; + + /* Initialize byte_extract pointers */ + if (cursor->offset_refId) + { + if (!rule->ruleData) + { + DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n", + cursor->offset_refId, rule->info.genID, rule->info.sigID); + } + + memoryLocation = sfghash_find((SFGHASH*)rule->ruleData, cursor->offset_refId); + if (memoryLocation) + { + cursor->offset_location = memoryLocation; + } + else + { + DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n", + cursor->offset_refId, rule->info.genID, rule->info.sigID); + } + } + + return 0; +} /* * Get the start and end of the buffer, as divined by the packet flags. 
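Review bot: `base64decodebuf` is defined as `const uint8_t base64decodebuf[BLEN];` at file scope, yet `base64Decode` later in this diff casts the `const` away and hands it to `_ded.sfbase64decode` as the output buffer; modifying an object defined `const` is undefined behaviour, and the toolchain is free to place the 64 KiB array in read-only storage, which would fault on the first decode. Both globals are also non-`static`, so they leak out of the engine's symbol table. Declare them `static uint8_t base64decodebuf[BLEN];` and `static uint32_t base64decodesize;`. A comment next to the definitions should also state that the decoded data is a single global shared by every rule evaluation — a `base64_data` result is only valid until the next `base64_decode`, and the engine cannot evaluate rules concurrently while this is the case.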
@@ -40,18 +77,31 @@ * return 1 if successful * return < 0 if unsuccessful */ -ENGINE_LINKAGE int getBuffer(void *packet, int flags, const u_int8_t **start, const u_int8_t **end) +ENGINE_LINKAGE int getBuffer(void *packet, int flags, const uint8_t **start, const uint8_t **end) { SFSnortPacket *p = (SFSnortPacket *)packet; - if ((flags & CONTENT_BUF_NORMALIZED) && (p->flags & FLAG_ALT_DECODE)) + + if ((flags & CONTENT_BUF_NORMALIZED) && (_ded.Is_DetectFlag(SF_FLAG_DETECT_ALL))) { - *start = _ded.altBuffer; - *end = *start + p->normalized_payload_size; + if(_ded.Is_DetectFlag(SF_FLAG_ALT_DETECT)) + { + *start = _ded.altDetect->data; + *end = *start + _ded.altDetect->len; + } + else if(_ded.Is_DetectFlag(SF_FLAG_ALT_DECODE)) + { + *start = _ded.altBuffer->data; + *end = *start + _ded.altBuffer->len; + } + } else if ((flags & CONTENT_BUF_RAW) || (flags & CONTENT_BUF_NORMALIZED)) { *start = p->payload; - *end = *start + p->payload_size; + if(p->normalized_payload_size) + *end = *start + p->normalized_payload_size; + else + *end = *start + p->payload_size; } else if (flags & CONTENT_BUF_URI) { 
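Review bot: In the new `CONTENT_BUF_NORMALIZED` branch of `getBuffer`, if `SF_FLAG_DETECT_ALL` is set but neither `SF_FLAG_ALT_DETECT` nor `SF_FLAG_ALT_DECODE` is, the inner `if`/`else if` has no `else`, so `*start` and `*end` are left unassigned while the function presumably falls through to its success return (the tail of the function is outside this hunk); the caller then does arithmetic on indeterminate pointers. Unless `SF_FLAG_DETECT_ALL` is guaranteed to be exactly the OR of those two flags, add `else return CONTENT_TYPE_MISSING;` (or whichever error code the tail uses) to the inner chain. A one-line comment explaining why the raw branch uses `normalized_payload_size` when it is non-zero even for `CONTENT_BUF_RAW` would also help, since it is not obvious that this bounds rather than widens the raw buffer.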
@@ -113,6 +163,69 @@ return CONTENT_TYPE_MISMATCH; } } + else if (flags & CONTENT_BUF_RAW_URI) + { + if (p->flags & FLAG_HTTP_DECODE) + { + *start = _ded.uriBuffers[HTTP_BUFFER_RAW_URI]->uriBuffer; + *end = *start + _ded.uriBuffers[HTTP_BUFFER_RAW_URI]->uriLength; + } + else + { + return CONTENT_TYPE_MISMATCH; + } + } + else if (flags & CONTENT_BUF_RAW_HEADER) + { + if (p->flags & FLAG_HTTP_DECODE) + { + *start = _ded.uriBuffers[HTTP_BUFFER_RAW_HEADER]->uriBuffer; + *end = *start + _ded.uriBuffers[HTTP_BUFFER_RAW_HEADER]->uriLength; + } + else + { + return CONTENT_TYPE_MISMATCH; + } + } + + else if (flags & CONTENT_BUF_RAW_COOKIE) + { + if (p->flags & FLAG_HTTP_DECODE) + { + *start = _ded.uriBuffers[HTTP_BUFFER_RAW_COOKIE]->uriBuffer; + *end = *start + _ded.uriBuffers[HTTP_BUFFER_RAW_COOKIE]->uriLength; + } + else + { + return CONTENT_TYPE_MISMATCH; + } + } + + else if (flags & CONTENT_BUF_STAT_CODE) + { + if (p->flags & FLAG_HTTP_DECODE) + { + *start = _ded.uriBuffers[HTTP_BUFFER_STAT_CODE]->uriBuffer; + *end = *start + _ded.uriBuffers[HTTP_BUFFER_STAT_CODE]->uriLength; + } + else + { + return CONTENT_TYPE_MISMATCH; + } + } + + else if (flags & CONTENT_BUF_STAT_MSG) + { + if (p->flags & FLAG_HTTP_DECODE) + { + *start = _ded.uriBuffers[HTTP_BUFFER_STAT_MSG]->uriBuffer; + *end = *start + _ded.uriBuffers[HTTP_BUFFER_STAT_MSG]->uriLength; + } + else + { + return CONTENT_TYPE_MISMATCH; + } + } else { return CONTENT_TYPE_MISSING; @@ -122,7 +235,7 @@ } -int checkCursorSimple(const u_int8_t *cursor, int flags, const u_int8_t *start, const u_int8_t *end, int offset) +int checkCursorSimple(const uint8_t *cursor, int flags, const uint8_t *start, const uint8_t *end, int offset) { if ( cursor == NULL || !(flags & CONTENT_RELATIVE) ) cursor = start; 
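Review bot: The five new `CONTENT_BUF_RAW_URI`/`RAW_HEADER`/`RAW_COOKIE`/`STAT_CODE`/`STAT_MSG` branches in `getBuffer` are the same four statements with a different `HTTP_BUFFER_*` index, which makes the `FLAG_HTTP_DECODE` guard easy to drop from one of them in a later edit. A small `static` helper that takes the `HTTP_BUFFER_*` index, performs the `FLAG_HTTP_DECODE` check and the two assignments, or a table mapping each `CONTENT_BUF_*` flag to its `HTTP_BUFFER_*` index, would reduce every branch to one line. The function's tail with the actual success return is outside this hunk.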
@@ -134,10 +247,10 @@ } /* Returns one if cursor is within the buffer */ -int checkCursorInternal(void *p, int flags, int offset, const u_int8_t *cursor) +int checkCursorInternal(void *p, int flags, int offset, const uint8_t *cursor) { - const u_int8_t *start; - const u_int8_t *end; + const uint8_t *start; + const uint8_t *end; int ret; SFSnortPacket *sp = (SFSnortPacket *) p; @@ -146,15 +259,15 @@ if ( ret < 0 ) { return ret; - } - + } + return checkCursorSimple(cursor, flags, start, end, offset); } -int setCursorInternal(void *p, int flags, int offset, const u_int8_t **cursor) +int setCursorInternal(void *p, int flags, int offset, const uint8_t **cursor) { - const u_int8_t *start; - const u_int8_t *end; + const uint8_t *start; + const uint8_t *end; int ret; SFSnortPacket *sp = (SFSnortPacket *) p; @@ -168,7 +281,7 @@ if ( ret < 0 ) { return ret; - } + } if ( flags & JUMP_FROM_BEGINNING ) { @@ -204,23 +317,23 @@ /* API FUNCTIONS */ -/* +/* * Check cursor function - * + * * p: packet data structure, same as the one found in snort. * cursorInfo: data defined in the detection plugin for this rule cursor option * cursor: current position within buffer * - * Returns: + * Returns: * > 0 : match found * = 0 : no match found * < 0 : error * - * Predefined constants: + * Predefined constants: * (see sf_snort_plugin_api.h for more values) - * CURSOR_IN_BOUNDS - if content specifier is found within buffer - * CURSOR_OUT_OF_BOUNDS - if content specifier is not found within buffer - * + * CURSOR_IN_BOUNDS - if content specifier is found within buffer + * CURSOR_OUT_OF_BOUNDS - if content specifier is not found within buffer + * * Notes: * Since we are checking the cursor position within a buffer, relativity is assumed. * To check absolute position within a buffer, a NULL pointer can be passed in. 
@@ -233,30 +346,36 @@ * normalized(alt-decode) * raw * uri - * + * */ -ENGINE_LINKAGE int checkCursor(void *p, CursorInfo* cursorInfo, const u_int8_t *cursor) +ENGINE_LINKAGE int checkCursor(void *p, CursorInfo* cursorInfo, const uint8_t *cursor) { + /* Get byte_extracted offset if present */ + if (cursorInfo->offset_location) + { + cursorInfo->offset = *cursorInfo->offset_location; + } + return checkCursorInternal(p, cursorInfo->flags, cursorInfo->offset, cursor); } -/* +/* * Set cursor function - * + * * p: packet data structure, same as the one found in snort. * cursorInfo: data defined in the detection plugin for this rule cursor option * cursor: updated to point to offset bytes after the buffer start * - * Returns: + * Returns: * > 0 : match found * = 0 : no match found * < 0 : error * - * Predefined constants: + * Predefined constants: * (see sf_snort_plugin_api.h for more values) - * CURSOR_IN_BOUNDS - if content specifier is found within buffer - * CURSOR_OUT_OF_BOUNDS - if content specifier is not found within buffer - * + * CURSOR_IN_BOUNDS - if content specifier is found within buffer + * CURSOR_OUT_OF_BOUNDS - if content specifier is not found within buffer + * * Notes: * * Currently support: 
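Review bot: `checkCursor` now copies `*cursorInfo->offset_location` into `cursorInfo->offset` on every evaluation, i.e. it writes into the rule's shared option structure at packet time, so the offset parsed from the rule is lost after the first packet and the option is no longer safe to evaluate from more than one thread; resolve the offset into a local instead: `int offset = cursorInfo->offset_location ? *cursorInfo->offset_location : cursorInfo->offset; return checkCursorInternal(p, cursorInfo->flags, offset, cursor);`. `setCursor` in the next hunk does not consult `offset_location` at all, so if `CursorInfoInitialize` resolves the byte_extract variable for both option kinds, a relative set-cursor silently ignores it — worth confirming against the rule parser, which is not in this diff.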
@@ -266,38 +385,38 @@ * normalized(alt-decode) * raw * uri - * + * */ -ENGINE_LINKAGE int setCursor(void *p, CursorInfo* cursorInfo, const u_int8_t **cursor) +ENGINE_LINKAGE int setCursor(void *p, CursorInfo* cursorInfo, const uint8_t **cursor) { return setCursorInternal(p, cursorInfo->flags, cursorInfo->offset, cursor); } -ENGINE_LINKAGE void setTempCursor(const u_int8_t **temp_cursor, const u_int8_t **cursor) +ENGINE_LINKAGE void setTempCursor(const uint8_t **temp_cursor, const uint8_t **cursor) { *temp_cursor = *cursor; } -ENGINE_LINKAGE void revertTempCursor(const u_int8_t **temp_cursor, const u_int8_t **cursor) +ENGINE_LINKAGE void revertTempCursor(const uint8_t **temp_cursor, const uint8_t **cursor) { *cursor = *temp_cursor; } -/* +/* * Check flow function - * + * * p: packet data structure, same as the one found in snort. * flowFlags: data defined in the detection plugin for this rule option * - * Returns: + * Returns: * > 0 : match found * = 0 : no match found * - * Predefined constants: + * Predefined constants: * (see sf_snort_plugin_api.h for more values) * RULE_MATCH - if packet flow matches rule - * RULE_NOMATCH - if packet flow does not match rule - * + * RULE_NOMATCH - if packet flow does not match rule + * */ ENGINE_LINKAGE int checkFlow(void *p, FlowFlags *flowFlags) { @@ -323,21 +442,21 @@ return RULE_MATCH; } -/* +/* * Process flowbits function - * + * * p: packet data structure, same as the one found in snort. * flowBits: data defined in the detection plugin for this rule option * - * Returns: + * Returns: * > 0 : match found * = 0 : no match found * - * Predefined constants: + * Predefined constants: * (see sf_snort_plugin_api.h for more values) * RULE_MATCH - if flowbit operation succeeded - * RULE_NOMATCH - if flowbit operation failed - * + * RULE_NOMATCH - if flowbit operation failed + * */ ENGINE_LINKAGE int processFlowbits(void *p, FlowBitsInfo *flowBits) { 
@@ -349,24 +468,24 @@ } -/* +/* * Detect ASN1 function - * + * * p: packet data structure, same as the one found in snort. * asn1: data defined in the detection plugin for this rule option * cursor: current position within buffer * - * Returns: + * Returns: * > 0 : match found * = 0 : no match found * - * Predefined constants: + * Predefined constants: * (see sf_snort_plugin_api.h for more values) - * RULE_MATCH - if asn1 specifier is found within buffer - * RULE_NOMATCH - if asn1 specifier is not found within buffer - * + * RULE_MATCH - if asn1 specifier is found within buffer + * RULE_NOMATCH - if asn1 specifier is not found within buffer + * */ -ENGINE_LINKAGE int detectAsn1(void *p, Asn1Context* asn1, const u_int8_t *cursor) +ENGINE_LINKAGE int detectAsn1(void *p, Asn1Context* asn1, const uint8_t *cursor) { /* asn1Detect returns non-zero if the options matched. */ if (_ded.asn1Detect(p, (void *) asn1, cursor)) 
@@ -375,53 +494,186 @@ return RULE_NOMATCH; } -/* +ENGINE_LINKAGE int fileData(void *p, CursorInfo* cursorInfo, const uint8_t **cursor) +{ + int retVal = RULE_NOMATCH; + SFSnortPacket *sp = (SFSnortPacket *) p; + + if((sp->payload_size == 0) || (_ded.fileDataBuf->data == NULL) || (_ded.fileDataBuf->len == 0) ) + { + return RULE_NOMATCH; + } + _ded.SetAltDetect(_ded.fileDataBuf->data, _ded.fileDataBuf->len); + retVal = setCursor(p, cursorInfo, cursor); + + if( retVal > RULE_NOMATCH) + return RULE_MATCH; + + _ded.DetectFlag_Disable(SF_FLAG_ALT_DETECT); + + return retVal; +} + +ENGINE_LINKAGE int pktData(void *p, CursorInfo* cursorInfo, const uint8_t **cursor) +{ + int retVal = RULE_NOMATCH; + _ded.DetectFlag_Disable(SF_FLAG_ALT_DETECT); + cursorInfo->flags |= JUMP_FROM_BEGINNING; + retVal=setCursor(p, cursorInfo, cursor); + + return retVal; +} + +ENGINE_LINKAGE int base64Data(void *p, CursorInfo* cursorInfo, const uint8_t **cursor) +{ + int retVal = RULE_NOMATCH; + SFSnortPacket *sp = (SFSnortPacket *) p; + + if((sp->payload_size == 0) || !base64decodesize ) + return retVal; + + _ded.SetAltDetect((uint8_t *)base64decodebuf, (uint16_t)base64decodesize); + retVal = setCursor(p, cursorInfo, cursor); + + if( retVal > RULE_NOMATCH) + return RULE_MATCH; + + _ded.DetectFlag_Disable(SF_FLAG_ALT_DETECT); + return retVal; +} + + + + +ENGINE_LINKAGE int base64Decode(void *p, base64DecodeData *data, const uint8_t *cursor) +{ + const uint8_t *start; + const uint8_t *end; + int ret; + const uint8_t base64_encodebuf[BLEN]; + uint32_t base64_encodesize = 0; + SFSnortPacket *sp = (SFSnortPacket *) p; + + ret = getBuffer(sp, CONTENT_BUF_RAW, &start, &end); + + if ( ret < 0 ) + { + return ret; + } + + + if(data->relative ) + { + if(cursor) + { + start = cursor; + } + } + start = start + data->offset; + + if( start > end ) + return RULE_NOMATCH; + + if(_ded.sfUnfold(start, end-start, (uint8_t *)base64_encodebuf, sizeof(base64_encodebuf), &base64_encodesize) != 0) + { + return 
RULE_NOMATCH; + } + + if (data->bytes && (base64_encodesize > data->bytes)) + { + base64_encodesize = data->bytes; + } + + if(_ded.sfbase64decode((uint8_t *)base64_encodebuf, base64_encodesize, (uint8_t *)base64decodebuf, BLEN, &base64decodesize) != 0) + { + return RULE_NOMATCH; + } + + + return RULE_MATCH; +} + +ENGINE_LINKAGE int isDetectFlag(SFDetectFlagType df) +{ + return _ded.Is_DetectFlag(df); +} + +ENGINE_LINKAGE void detectFlagDisable(SFDetectFlagType df) +{ + _ded.DetectFlag_Disable(df); +} + +ENGINE_LINKAGE int getAltDetect(uint8_t **bufPtr, uint16_t *altLenPtr) +{ + return _ded.GetAltDetect(bufPtr, altLenPtr); +} + +ENGINE_LINKAGE void setAltDetect(uint8_t *buf, uint16_t altLen) +{ + _ded.SetAltDetect(buf, altLen); +} + +/* * Store Rule Specific session data - * + * * p: packet data structure, same as the one found in snort. * rule_data: data to store in the session * - * Returns: + * Returns: * nothing * */ -ENGINE_LINKAGE void storeRuleData(void *p, void *rule_data) +ENGINE_LINKAGE int storeRuleData(void *p, void *rule_data, + uint32_t sid, SessionDataFree sdf) { - _ded.setRuleData(p, rule_data); + if ( _ded.setRuleData(p, rule_data, sid, sdf) != 0 ) + return RULE_NOMATCH; + + return RULE_MATCH; } -/* +/* * Retrieve Rule Specific session data - * + * * p: packet data structure, same as the one found in snort. * - * Returns: + * Returns: * pointer to rule specific session data, NULL if none available * */ -ENGINE_LINKAGE void *getRuleData(void *p) +ENGINE_LINKAGE void *getRuleData(void *p, uint32_t sid) { - return _ded.getRuleData(p); + return _ded.getRuleData(p, sid); } -/* +ENGINE_LINKAGE void * allocRuleData(size_t size) +{ + return _ded.allocRuleData(size); +} + +ENGINE_LINKAGE void freeRuleData(void *data) +{ + _ded.freeRuleData(data); +} + +/* * Preprocessor Defined Detection - * + * * p: packet data structure, same as the one found in snort. 
* preprocOpt: data defined in the detection plugin for this rule preprocessor specific option * cursor: current position within buffer * - * Returns: + * Returns: * > 0 : match found * = 0 : no match found * - * Predefined constants: + * Predefined constants: * (see sf_snort_plugin_api.h for more values) * RULE_MATCH - if preprocessor indicates match * RULE_NOMATCH - if preprocessor indicates no match - * + * */ -ENGINE_LINKAGE int preprocOptionEval(void *p, PreprocessorOption *preprocOpt, const u_int8_t **cursor) +ENGINE_LINKAGE int preprocOptionEval(void *p, PreprocessorOption *preprocOpt, const uint8_t **cursor) { PreprocOptionEval evalFunc = (PreprocOptionEval)preprocOpt->optionEval; @@ -468,7 +720,13 @@ */ relative = option->option_u.loop->cursorAdjust->flags & CONTENT_RELATIVE; break; + case OPTION_TYPE_BASE64_DECODE: + relative = option->option_u.bData->relative; + break; case OPTION_TYPE_HDR_CHECK: + case OPTION_TYPE_FILE_DATA: + case OPTION_TYPE_PKT_DATA: + case OPTION_TYPE_BASE64_DATA: case OPTION_TYPE_PREPROCESSOR: /* Never relative */ break; 
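Review bot: `base64Decode` declares its working buffer as `const uint8_t base64_encodebuf[BLEN];` — an uninitialised, `const`-qualified 64 KiB automatic array — and then casts the `const` away so `_ded.sfUnfold` can write into it; writing to an object defined `const` is undefined behaviour, and a 64 KiB stack frame per `base64_decode` evaluation is heavy on the detection thread. Make it `static uint8_t base64_encodebuf[BLEN];` (the function already depends on the global `base64decodebuf` for the decoded side, so no reentrancy is lost). The bounds check `if( start > end ) return RULE_NOMATCH;` runs after `start = start + data->offset;` — if `data->offset` can be negative or exceed the buffer (its type is not visible here), `start` already points outside the object before the comparison, which is undefined pointer arithmetic; validate the offset against `end - start` before moving the pointer. The same `const`-cast pattern applies to `base64decodebuf` in the output call.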
@@ -477,34 +735,34 @@ return relative; } -/* +/* * ruleMatch - * + * * p: packet data structure, same as the one found in snort. * options: NULL terminated list of rule options * - * Returns: + * Returns: * > 0 : match found * = 0 : no match found * - * Predefined constants: + * Predefined constants: * (see sf_snort_plugin_api.h for more values) - * RULE_MATCH - if asn1 specifier is found within buffer - * RULE_NOMATCH - if asn1 specifier is not found within buffer - * + * RULE_MATCH - if asn1 specifier is found within buffer + * RULE_NOMATCH - if asn1 specifier is not found within buffer + * */ -int ruleMatchInternal(SFSnortPacket *p, Rule* rule, u_int32_t optIndex, const u_int8_t **cursor) +int ruleMatchInternal(SFSnortPacket *p, Rule* rule, uint32_t optIndex, const uint8_t **cursor) { - const u_int8_t *thisCursor = NULL, *startCursor = NULL; - const u_int8_t *tmpCursor = NULL; + const uint8_t *thisCursor = NULL, *startCursor = NULL; + const uint8_t *tmpCursor = NULL; int retVal = RULE_NOMATCH; - u_int32_t notFlag = 0; + uint32_t notFlag = 0; int thisType; ContentInfo *thisContentInfo = NULL; int startAdjust = 0; - u_int32_t origFlags = 0; + uint32_t origFlags = 0; int32_t origOffset = 0; - u_int32_t origDepth = 0; + uint32_t origDepth = 0; int continueLoop = 1; PCREInfo *thisPCREInfo = NULL; 
@@ -577,6 +835,22 @@ retVal = setCursor(p, rule->options[optIndex]->option_u.cursor, &thisCursor); notFlag = rule->options[optIndex]->option_u.cursor->flags & NOT_FLAG; break; + case OPTION_TYPE_FILE_DATA: + retVal = fileData(p, rule->options[optIndex]->option_u.cursor, &thisCursor); + notFlag = rule->options[optIndex]->option_u.cursor->flags & NOT_FLAG; + break; + case OPTION_TYPE_PKT_DATA: + retVal = pktData(p, rule->options[optIndex]->option_u.cursor, &thisCursor); + notFlag = rule->options[optIndex]->option_u.cursor->flags & NOT_FLAG; + break; + case OPTION_TYPE_BASE64_DATA: + retVal = base64Data(p, rule->options[optIndex]->option_u.cursor, &thisCursor); + notFlag = rule->options[optIndex]->option_u.cursor->flags & NOT_FLAG; + break; + case OPTION_TYPE_BASE64_DECODE: + retVal = base64Decode(p, rule->options[optIndex]->option_u.bData, thisCursor); + notFlag = rule->options[optIndex]->option_u.cursor->flags & NOT_FLAG; + break; case OPTION_TYPE_HDR_CHECK: retVal = checkHdrOpt(p, rule->options[optIndex]->option_u.hdrData); notFlag = rule->options[optIndex]->option_u.hdrData->flags & NOT_FLAG; @@ -682,7 +956,7 @@ /* And only if the next option is relative */ if (!isRelativeOption(rule->options[optIndex+1])) { - /* Match failed, next option is not relative. + /* Match failed, next option is not relative. * We're done. */ retVal = nestedRetVal; break; @@ -751,6 +1025,11 @@ */ retVal = RULE_NOMATCH; } + else if (nestedRetVal > RULE_MATCH) + { + /* Propigate "no alert" values back up the chain */ + retVal = nestedRetVal; + } break; } else diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h --- snort-2.8.5.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h 2009-07-07 15:37:05.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h 2011-11-21 20:15:24.000000000 +0000 
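Review bot: The OPTION_TYPE_BASE64_DECODE case reads `option_u.cursor->flags` on an option whose active union member is `option_u.bData`, so the NOT_FLAG test is evaluated against base64DecodeData storage (on common layouts its `offset` field) rather than a flags word. base64DecodeData, as declared in sf_snort_plugin_api.h in this same diff, has only `bytes`, `offset` and `relative`, so negation cannot be expressed for this option; the line should be `notFlag = 0; /* base64DecodeData carries no NOT_FLAG */` until the struct gains a flags member. ruleMatchInternal's body starts and ends outside this hunk.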
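Review bot: The comment on the new `nestedRetVal > RULE_MATCH` branch misspells "Propagate" as "Propigate"; suggest `/* Propagate "no alert" values (RULE_NOALERT, RULE_FAILED_BIT) back up the chain */`, naming the values since they are the only ones above RULE_MATCH defined in the header hunk below. The enclosing loop in ruleMatchInternal starts and ends outside this hunk.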
@@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steve Sturges * Andy Mullican @@ -29,10 +29,6 @@ #ifndef SF_SNORT_PLUGIN_API_H_ #define SF_SNORT_PLUGIN_API_H_ -#ifdef HAVE_CONFIG_H -#include -#endif - #include "pcre.h" #include "stdio.h" @@ -59,14 +55,16 @@ # ifdef SF_SNORT_ENGINE_DLL # define ENGINE_LINKAGE SO_PUBLIC # else -# define ENGINE_LINKAGE +# define ENGINE_LINKAGE # endif #else /* WIN32 */ # define ENGINE_LINKAGE SO_PUBLIC #endif -#define RULE_MATCH 1 #define RULE_NOMATCH 0 +#define RULE_MATCH 1 +#define RULE_NOALERT 2 +#define RULE_FAILED_BIT 3 #define RULE_DIRECTIONAL 0 #define RULE_BIDIRECTIONAL 1 @@ -96,21 +94,33 @@ #define CONTENT_BUF_HEADER 0x2000 #define CONTENT_BUF_METHOD 0x4000 #define CONTENT_BUF_COOKIE 0x8000 +#define CONTENT_BUF_RAW_URI 0x10000 +#define CONTENT_BUF_RAW_HEADER 0x20000 +#define CONTENT_BUF_RAW_COOKIE 0x40000 +#define CONTENT_BUF_STAT_CODE 0x80000 +#define CONTENT_BUF_STAT_MSG 0x40 + +/* This option implies the fast pattern flag */ +#define CONTENT_FAST_PATTERN_ONLY 0x80 #define BYTE_LITTLE_ENDIAN 0x0000 #define BYTE_BIG_ENDIAN 0x1000 -#define EXTRACT_AS_BYTE 0x010000 -#define EXTRACT_AS_STRING 0x020000 #define EXTRACT_AS_DEC 0x100000 #define EXTRACT_AS_OCT 0x200000 #define EXTRACT_AS_HEX 0x400000 #define EXTRACT_AS_BIN 0x800000 +#define EXTRACT_AS_BYTE 0x20000000 +#define EXTRACT_AS_STRING 0x40000000 #define JUMP_FROM_BEGINNING 0x01000000 #define JUMP_ALIGN 0x02000000 -#define NOT_FLAG 0x10000000 +#define BUF_FILE_DATA 0x04000000 +#define BUF_FILE_DATA_MIME 0x08000000 +#define BUF_BASE64_DECODE 0x10000000 + +#define NOT_FLAG 0x80000000 #define CHECK_EQ 0 #define CHECK_NEQ 1 
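Review bot: Renumbering EXTRACT_AS_BYTE, EXTRACT_AS_STRING and NOT_FLAG in this hunk changes the meaning of flag words that dynamically loaded rule libraries bake in at compile time, so a rule library built against the 2.8.5.2 header would have its flags misread by this engine; presumably the engine/library version handshake rejects such a mix, but a comment at the top of the block stating that these values are part of the plugin ABI would make that dependency explicit. Separately, `CONTENT_BUF_STAT_MSG 0x40` and `CONTENT_FAST_PATTERN_ONLY 0x80` sit in the low byte, away from the 0x10000..0x80000 range the other new CONTENT_BUF_* values use, presumably because the low CONTENT_* option bits (CONTENT_NOCASE, CONTENT_RELATIVE and friends, defined above this hunk) occupy the rest of that byte; a comment such as `/* 0x40 and 0x80 are the last free low-byte bits; see CONTENT_* above */` would keep the next addition from colliding.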
@@ -124,22 +134,39 @@ #define CHECK_ATLEASTONE 9 #define CHECK_NONE 10 +#define NORMAL_CONTENT_BUFS ( CONTENT_BUF_NORMALIZED | CONTENT_BUF_RAW ) +#define URI_CONTENT_BUFS ( CONTENT_BUF_URI | CONTENT_BUF_POST \ + | CONTENT_BUF_COOKIE | CONTENT_BUF_HEADER | CONTENT_BUF_METHOD \ + | CONTENT_BUF_RAW_URI | CONTENT_BUF_RAW_HEADER | CONTENT_BUF_RAW_COOKIE \ + | CONTENT_BUF_STAT_CODE | CONTENT_BUF_STAT_MSG ) +#define URI_FAST_PATTERN_BUFS ( CONTENT_BUF_URI | CONTENT_BUF_HEADER \ + | CONTENT_BUF_POST ) + typedef struct _ContentInfo { - const u_int8_t *pattern; - u_int32_t depth; + const uint8_t *pattern; + uint32_t depth; int32_t offset; - u_int32_t flags; /* must include a CONTENT_BUF_X */ + uint32_t flags; /* must include a CONTENT_BUF_X */ void *boyer_ptr; - u_int8_t *patternByteForm; - u_int32_t patternByteFormLength; - u_int32_t incrementLength; + uint8_t *patternByteForm; + uint32_t patternByteFormLength; + uint32_t incrementLength; + uint16_t fp_offset; + uint16_t fp_length; + uint8_t fp_only; + char *offset_refId; /* To match up with a DynamicElement refId */ + char *depth_refId; /* To match up with a DynamicElement refId */ + int32_t *offset_location; + uint32_t *depth_location; } ContentInfo; typedef struct _CursorInfo { int32_t offset; - u_int32_t flags; /* specify one of CONTENT_BUF_X */ + uint32_t flags; /* specify one of CONTENT_BUF_X */ + char *offset_refId; /* To match up with a DynamicElement refId */ + int32_t *offset_location; } CursorInfo; /* @@ -159,12 +186,12 @@ char *expr; void *compiled_expr; void *compiled_extra; - u_int32_t compile_flags; - u_int32_t flags; /* must include a CONTENT_BUF_X */ + uint32_t compile_flags; + uint32_t flags; /* must include a CONTENT_BUF_X */ int32_t offset; } PCREInfo; -#define FLOWBIT_SET 0x01 +#define FLOWBIT_SET 0x01 #define FLOWBIT_UNSET 0x02 #define FLOWBIT_TOGGLE 0x04 #define FLOWBIT_ISSET 0x08 
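Review bot: The new ContentInfo members `fp_offset`, `fp_length`, `fp_only`, `offset_location` and `depth_location` carry no comment, unlike the neighbouring `*_refId` fields. Since contentMatch later in this diff copies `*offset_location` into `offset` at evaluation time, and BoyerContentSetup fills the pointer from the rule's ruleData hash, a note such as `int32_t *offset_location; /* resolved from offset_refId at rule init; storage lives in rule->ruleData */` would document who owns the pointed-to value. The same applies to the new `offset_location` in CursorInfo directly below.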
@@ -175,35 +202,40 @@ typedef struct _FlowBitsInfo { char *flowBitsName; - u_int8_t operation; - u_int32_t id; - u_int32_t flags; + uint8_t operation; + uint32_t id; + uint32_t flags; } FlowBitsInfo; typedef struct _ByteData { - u_int32_t bytes; /* Number of bytes to extract */ - u_int32_t op; /* Type of byte comparison, for checkValue */ - u_int32_t value; /* Value to compare value against, for checkValue, or extracted value */ + uint32_t bytes; /* Number of bytes to extract */ + uint32_t op; /* Type of byte comparison, for checkValue */ + uint32_t value; /* Value to compare value against, for checkValue, or extracted value */ int32_t offset; /* Offset from cursor */ - u_int32_t multiplier; /* Used for byte jump -- 32bits is MORE than enough */ - u_int32_t flags; /* must include a CONTENT_BUF_X */ + uint32_t multiplier; /* Used for byte jump -- 32bits is MORE than enough */ + uint32_t flags; /* must include a CONTENT_BUF_X */ int32_t post_offset;/* Use for byte jump -- adjust cusor by this much after the jump */ + char *offset_refId; /* To match up with a DynamicElement refId */ + char *value_refId; /* To match up with a DynamicElement refId */ + int32_t *offset_location; + uint32_t *value_location; } ByteData; typedef struct _ByteExtract { - u_int32_t bytes; /* Number of bytes to extract */ + uint32_t bytes; /* Number of bytes to extract */ int32_t offset; /* Offset from cursor */ - u_int32_t multiplier; /* Multiply value by this (similar to byte jump) */ - u_int32_t flags; /* must include a CONTENT_BUF_X */ + uint32_t multiplier; /* Multiply value by this (similar to byte jump) */ + uint32_t flags; /* must include a CONTENT_BUF_X */ char *refId; /* To match up with a DynamicElement refId */ void *memoryLocation; /* Location to store the data extracted */ + uint8_t align; /* Align to 2 or 4 bit boundary after extraction */ } ByteExtract; typedef struct _FlowFlags { - u_int32_t flags; /* FLOW_* values */ + uint32_t flags; /* FLOW_* values */ } FlowFlags; 
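Review bot: The comment on the new `align` field says "Align to 2 or 4 bit boundary", but extractValue in sf_snort_plugin_byte.c later in this diff rounds the extracted value with `extracted % byteExtract->align` and only acts for the values 2 and 4, i.e. a 2- or 4-byte multiple. Suggest `uint8_t align; /* round extracted value up to a multiple of 2 or 4; 0 = no rounding */`.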
@@ -219,7 +251,7 @@ unsigned int max_length; int offset; int offset_type; - u_int32_t flags; + uint32_t flags; } Asn1Context; #define IP_HDR_ID 0x0001 /* IP Header ID */ @@ -246,11 +278,11 @@ typedef struct _HdrOptCheck { - u_int16_t hdrField; /* Field to check */ - u_int32_t op; /* Type of comparison */ - u_int32_t value; /* Value to compare value against */ - u_int32_t mask_value; /* bits of value to ignore */ - u_int32_t flags; + uint16_t hdrField; /* Field to check */ + uint32_t op; /* Type of comparison */ + uint32_t value; /* Value to compare value against */ + uint32_t mask_value; /* bits of value to ignore */ + uint32_t flags; } HdrOptCheck; #define DYNAMIC_TYPE_INT_STATIC 1 @@ -273,23 +305,32 @@ DynamicElement *start; /* Starting value of FOR loop (i=start) */ DynamicElement *end; /* Ending value of FOR loop (i OP end) */ DynamicElement *increment; /* Increment value of FOR loop (i+= increment) */ - u_int32_t op; /* Type of comparison for loop termination */ + uint32_t op; /* Type of comparison for loop termination */ CursorInfo *cursorAdjust; /* How to move cursor each iteration of loop */ struct _Rule *subRule; /* Pointer to SubRule & options to evaluate within * the loop */ - u_int8_t initialized; /* Loop initialized properly (safeguard) */ - u_int32_t flags; /* can be used to negate loop results, specifies + uint8_t initialized; /* Loop initialized properly (safeguard) */ + uint32_t flags; /* can be used to negate loop results, specifies * relative. */ } LoopInfo; +typedef struct _base64DecodeData +{ + uint32_t bytes; + uint32_t offset; + uint8_t relative; +}base64DecodeData; + typedef struct _PreprocessorOption { const char *optionName; const char *optionParameters; - u_int32_t flags; + uint32_t flags; PreprocOptionInit optionInit; PreprocOptionEval optionEval; void *dataPtr; + PreprocOptionFastPatternFunc optionFpFunc; + PreprocOptionCleanup optionCleanup; } PreprocessorOption; typedef struct _RuleOption 
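Review bot: `base64DecodeData` departs from the header's naming convention (every other typedef here is an uppercase-initial name such as `ByteData` or `CursorInfo`), `}base64DecodeData;` lacks the space used elsewhere, and its three fields are undocumented. Renaming now would touch `bData` in RuleOption and the `base64Decode` prototype, so at minimum comment the fields, e.g. `uint32_t bytes; /* max bytes to decode; 0 = all */` (inferred from the `base64_encodesize > data->bytes` clamp in base64Decode earlier in this diff) and `uint8_t relative; /* offset is relative to the cursor */`. `offset` is `uint32_t` here while every other offset in this header is `int32_t`; if backward offsets are intentionally unsupported for this option, the comment should say so.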
@@ -308,13 +349,14 @@ Asn1Context *asn1; HdrOptCheck *hdrData; LoopInfo *loop; + base64DecodeData *bData; PreprocessorOption *preprocOpt; } option_u; } RuleOption; typedef struct _IPInfo { - u_int8_t protocol; + uint8_t protocol; char * src_addr; char * src_port; /* 0 for non TCP/UDP */ char direction; /* non-zero is bi-directional */ @@ -337,11 +379,11 @@ typedef struct _RuleInformation { - u_int32_t genID; - u_int32_t sigID; - u_int32_t revision; + uint32_t genID; + uint32_t sigID; + uint32_t revision; char *classification; /* String format of classification name */ - u_int32_t priority; + uint32_t priority; char *message; RuleReference **references; /* NULL terminated array of references */ RuleMetaData **meta; /* NULL terminated array of references */ @@ -353,13 +395,13 @@ { IPInfo ip; RuleInformation info; - + RuleOption **options; /* NULL terminated array of RuleOption union */ ruleEvalFunc evalFunc; char initialized; /* Rule Initialized, used internally */ - u_int32_t numOptions; /* Rule option count, used internally */ + uint32_t numOptions; /* Rule option count, used internally */ char noAlert; /* Flag with no alert, used internally */ void *ruleData; /* Hash table for dynamic data pointers */ 
@@ -369,32 +411,43 @@ ENGINE_LINKAGE int RegisterRules(Rule **rules); ENGINE_LINKAGE int DumpRules(char *rulesFileName, Rule **rules); -ENGINE_LINKAGE int contentMatch(void *p, ContentInfo* content, const u_int8_t **cursor); +ENGINE_LINKAGE int contentMatch(void *p, ContentInfo* content, const uint8_t **cursor); ENGINE_LINKAGE int checkFlow(void *p, FlowFlags *flowFlags); -ENGINE_LINKAGE int extractValue(void *p, ByteExtract *byteExtract, const u_int8_t *cursor); +ENGINE_LINKAGE int extractValue(void *p, ByteExtract *byteExtract, const uint8_t *cursor); ENGINE_LINKAGE int processFlowbits(void *p, FlowBitsInfo *flowBits); -ENGINE_LINKAGE int getBuffer(void *p, int flags, const u_int8_t **start, const u_int8_t **end); -ENGINE_LINKAGE int setCursor(void *p, CursorInfo *cursorInfo, const u_int8_t **cursor); -ENGINE_LINKAGE int checkCursor(void *p, CursorInfo *cursorInfo, const u_int8_t *cursor); -ENGINE_LINKAGE int checkValue(void *p, ByteData *byteData, u_int32_t value, const u_int8_t *cursor); +ENGINE_LINKAGE int getBuffer(void *p, int flags, const uint8_t **start, const uint8_t **end); +ENGINE_LINKAGE int setCursor(void *p, CursorInfo *cursorInfo, const uint8_t **cursor); +ENGINE_LINKAGE int fileData(void *p, CursorInfo* cursorInfo, const uint8_t **cursor); +ENGINE_LINKAGE int pktData(void *p, CursorInfo* cursorInfo, const uint8_t **cursor); +ENGINE_LINKAGE int base64Data(void *p, CursorInfo* cursorInfo, const uint8_t **cursor); +ENGINE_LINKAGE int base64Decode(void *p, base64DecodeData *data, const uint8_t *cursor); +ENGINE_LINKAGE int checkCursor(void *p, CursorInfo *cursorInfo, const uint8_t *cursor); +ENGINE_LINKAGE int checkValue(void *p, ByteData *byteData, uint32_t value, const uint8_t *cursor); /* Same as extractValue plus checkValue */ -ENGINE_LINKAGE int byteTest(void *p, ByteData *byteData, const u_int8_t *cursor); +ENGINE_LINKAGE int byteTest(void *p, ByteData *byteData, const uint8_t *cursor); /* Same as extractValue plus setCursor */ -ENGINE_LINKAGE 
int byteJump(void *p, ByteData *byteData, const u_int8_t **cursor); -ENGINE_LINKAGE int pcreMatch(void *p, PCREInfo* pcre, const u_int8_t **cursor); -ENGINE_LINKAGE int detectAsn1(void *p, Asn1Context* asn1, const u_int8_t *cursor); +ENGINE_LINKAGE int byteJump(void *p, ByteData *byteData, const uint8_t **cursor); +ENGINE_LINKAGE int pcreMatch(void *p, PCREInfo* pcre, const uint8_t **cursor); +ENGINE_LINKAGE int detectAsn1(void *p, Asn1Context* asn1, const uint8_t *cursor); ENGINE_LINKAGE int checkHdrOpt(void *p, HdrOptCheck *optData); -ENGINE_LINKAGE int loopEval(void *p, LoopInfo *loop, const u_int8_t **cursor); -ENGINE_LINKAGE int preprocOptionEval(void *p, PreprocessorOption *preprocOpt, const u_int8_t **cursor); -ENGINE_LINKAGE void setTempCursor(const u_int8_t **temp_cursor, const u_int8_t **cursor); -ENGINE_LINKAGE void revertTempCursor(const u_int8_t **temp_cursor, const u_int8_t **cursor); +ENGINE_LINKAGE int loopEval(void *p, LoopInfo *loop, const uint8_t **cursor); +ENGINE_LINKAGE int preprocOptionEval(void *p, PreprocessorOption *preprocOpt, const uint8_t **cursor); +ENGINE_LINKAGE void setTempCursor(const uint8_t **temp_cursor, const uint8_t **cursor); +ENGINE_LINKAGE void revertTempCursor(const uint8_t **temp_cursor, const uint8_t **cursor); ENGINE_LINKAGE int ruleMatch(void *p, Rule *rule); ENGINE_LINKAGE int MatchDecryptedRC4( - const u_int8_t *key, u_int16_t keylen, const u_int8_t *encrypted_data, - u_int8_t *plain_data, u_int16_t datalen + const uint8_t *key, uint16_t keylen, const uint8_t *encrypted_data, + uint8_t *plain_data, uint16_t datalen ); -ENGINE_LINKAGE void storeRuleData(void *p, void *rule_data); -ENGINE_LINKAGE void *getRuleData(void *p); +ENGINE_LINKAGE int storeRuleData(void *, void *, uint32_t, SessionDataFree); +ENGINE_LINKAGE void *getRuleData(void *, uint32_t); +ENGINE_LINKAGE void *allocRuleData(size_t); +ENGINE_LINKAGE void freeRuleData(void *); + +ENGINE_LINKAGE int isDetectFlag(SFDetectFlagType df); +ENGINE_LINKAGE void 
detectFlagDisable(SFDetectFlagType df); +ENGINE_LINKAGE int getAltDetect(uint8_t **bufPtr, uint16_t *altLenPtr); +ENGINE_LINKAGE void setAltDetect(uint8_t *buf, uint16_t altLen); ENGINE_LINKAGE int pcreExecWrapper(const PCREInfo *pcre_info, const char *buf, int len, int start_offset, int options, int *ovector, int ovecsize); diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c --- snort-2.8.5.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c 2009-07-07 15:37:05.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c 2011-11-21 20:15:24.000000000 +0000 @@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steve Sturges * Andy Mullican 
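Review bot: The new `storeRuleData`, `getRuleData`, `allocRuleData` and `freeRuleData` prototypes drop parameter names while every other declaration in this block keeps them; the definitions earlier in the diff use `(void *p, void *rule_data, uint32_t sid, SessionDataFree sdf)` and `(void *p, uint32_t sid)`, so the prototypes should repeat those. The block comment above storeRuleData in sf_snort_plugin_api.c still says "Returns: nothing" and omits `sid` and `sdf`, while the function now returns RULE_MATCH or RULE_NOMATCH depending on `_ded.setRuleData`; that comment should read `Returns: RULE_MATCH on success, RULE_NOMATCH if the session data could not be stored` and describe the two new parameters.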
@@ -26,29 +26,87 @@ * * Byte operations for dynamic rule engine */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include + +#include "sf_dynamic_define.h" #include "sf_snort_packet.h" #include "sf_snort_plugin_api.h" +#include "sfghash.h" +#include "sf_snort_detection_engine.h" -extern int checkCursorSimple(const u_int8_t *cursor, int flags, const u_int8_t *start, const u_int8_t *end, int offset); -extern int setCursorInternal(void *p, int flags, int offset, const u_int8_t **cursor); +extern int checkCursorSimple(const uint8_t *cursor, int flags, const uint8_t *start, const uint8_t *end, int offset); +extern int setCursorInternal(void *p, int flags, int offset, const uint8_t **cursor); #define BYTE_STRING_LEN 11 + +int ByteDataInitialize(Rule *rule, ByteData *byte) +{ + void *memoryLocation; + + /* Initialize byte_extract pointers */ + if (byte->offset_refId) + { + if (!rule->ruleData) + { + DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n", + byte->offset_refId, rule->info.genID, rule->info.sigID); + } + + memoryLocation = sfghash_find((SFGHASH*)rule->ruleData, byte->offset_refId); + if (memoryLocation) + { + byte->offset_location = memoryLocation; + } + else + { + DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n", + byte->offset_refId, rule->info.genID, rule->info.sigID); + } + } + + if (byte->value_refId) + { + if (!rule->ruleData) + { + DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n", + byte->value_refId, rule->info.genID, rule->info.sigID); + } + + memoryLocation = sfghash_find((SFGHASH*)rule->ruleData, byte->value_refId); + if (memoryLocation) + { + byte->value_location = memoryLocation; + } + else + { + DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n", + byte->value_refId, rule->info.genID, rule->info.sigID); + } + } + + return 0; +} + /* * 
extract byte value from data * * Return 1 if successfully extract value. * Return < 0 if fail to extract value. */ -int extractValueInternal(void *p, ByteData *byteData, u_int32_t *value, const u_int8_t *cursor) +int extractValueInternal(void *p, ByteData *byteData, uint32_t *value, const uint8_t *cursor) { char byteArray[BYTE_STRING_LEN]; - u_int32_t i; + uint32_t i; char *endPtr; - u_int32_t extracted = 0; + uint32_t extracted = 0; int base = 10; - const u_int8_t *start; - const u_int8_t *end; + const uint8_t *start; + const uint8_t *end; int ret; SFSnortPacket *sp = (SFSnortPacket *) p; @@ -57,7 +115,17 @@ if ( ret < 0 ) { return ret; - } + } + + /* Check for byte_extract variables and use them if present. */ + if (byteData->offset_location) + { + byteData->offset = *byteData->offset_location; + } + if (byteData->value_location) + { + byteData->value = *byteData->value_location; + } /* Check the start location */ if (checkCursorSimple(cursor, byteData->flags, start, end, byteData->offset) <= 0) @@ -72,9 +140,9 @@ { cursor = start; } - + if (byteData->flags & EXTRACT_AS_BYTE) - { + { if ( byteData->bytes != 1 && byteData->bytes != 2 && byteData->bytes != 4 ) { return -5; /* We only support 1, 2, or 4 bytes */ @@ -91,13 +159,13 @@ } } else - { + { for (i = 0; i < byteData->bytes; i++) { extracted |= *(cursor + byteData->offset + i) << 8*i; } } - + *value = extracted; return 1; } @@ -123,7 +191,7 @@ byteArray[i] = *(cursor + byteData->offset + i); } byteArray[i] = '\0'; - + extracted = strtoul(byteArray, &endPtr, base); if (endPtr == &byteArray[0]) 
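Review bot: The new block writes `byteData->offset` and `byteData->value` back into the ByteData that belongs to the rule on every packet, so rule option state is now mutated on the evaluation path; the contentMatch hunk `@@ -110,29 +161,44 @@` in sf_snort_plugin_content.c does the same with `content->offset` and `content->depth`. If rules are ever evaluated from more than one thread (not visible here; presumably not in this engine) that is a data race, and even single-threaded it means a value extracted from one packet persists in the rule until the next evaluation overwrites it. Reading into locals instead, e.g. `int32_t offset = byteData->offset_location ? *byteData->offset_location : byteData->offset;`, and using those in the checkCursorSimple call and the extraction loops keeps the rule immutable; the rest of extractValueInternal that reads `byteData->offset` lies outside this hunk.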
@@ -141,23 +209,33 @@ * Return 1 if success * Return 0 if can't extract. */ -ENGINE_LINKAGE int extractValue(void *p, ByteExtract *byteExtract, const u_int8_t *cursor) +ENGINE_LINKAGE int extractValue(void *p, ByteExtract *byteExtract, const uint8_t *cursor) { ByteData byteData; int ret; - u_int32_t extracted = 0; - u_int32_t *location = (u_int32_t *)byteExtract->memoryLocation; + uint32_t extracted = 0; + uint32_t *location = (uint32_t *)byteExtract->memoryLocation; byteData.bytes = byteExtract->bytes; byteData.flags = byteExtract->flags; byteData.multiplier = byteExtract->multiplier; byteData.offset = byteExtract->offset; - byteData.op = 0; /* Not used */ - byteData.value = 0; /* Not used */ + + /* The following fields are not used, but must be zeroed out. */ + byteData.op = 0; + byteData.value = 0; + byteData.offset_refId = 0; + byteData.value_refId = 0; + byteData.offset_location = 0; + byteData.value_location = 0; ret = extractValueInternal(p, &byteData, &extracted, cursor); if (ret > 0) { + if ((byteExtract->align == 2) || (byteExtract->align == 4)) + { + extracted = extracted + byteExtract->align - (extracted % byteExtract->align); + } *location = extracted; } @@ -170,7 +248,7 @@ * Return 1 if check is true (e.g. value > byteData.value) * Return 0 if check is not true. */ -ENGINE_LINKAGE int checkValue(void *p, ByteData *byteData, u_int32_t value, const u_int8_t *cursor) +ENGINE_LINKAGE int checkValue(void *p, ByteData *byteData, uint32_t value, const uint8_t *cursor) { switch (byteData->op) { @@ -226,10 +304,10 @@ * Return 1 if check is true (e.g. value > byteData.value) * Return 0 if check is not true. */ -ENGINE_LINKAGE int byteTest(void *p, ByteData *byteData, const u_int8_t *cursor) +ENGINE_LINKAGE int byteTest(void *p, ByteData *byteData, const uint8_t *cursor) { int ret; - u_int32_t value; + uint32_t value; SFSnortPacket *sp = (SFSnortPacket *) p; ret = extractValueInternal(sp, byteData, &value, cursor); 
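Review bot: The alignment step `extracted = extracted + byteExtract->align - (extracted % byteExtract->align);` bumps a value that is already a multiple of `align` by a full `align` (4 becomes 8), because the remainder is 0 in that case; Snort's byte_extract documentation describes align as rounding up to the next 2- or 4-byte boundary, which would leave 4 at 4. Guarding on the remainder fixes it: `if (extracted % byteExtract->align) extracted += byteExtract->align - (extracted % byteExtract->align);`. The addition can also wrap for values within `align` of UINT32_MAX; whether that matters depends on how byteJump consumes the stored value, which is outside this hunk.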
@@ -238,7 +316,7 @@ return 0; ret = checkValue(sp, byteData, value, cursor); - + return ret; } @@ -249,11 +327,11 @@ * Return 0 if cursor out of bounds * Return < 0 if error */ -ENGINE_LINKAGE int byteJump(void *p, ByteData *byteData, const u_int8_t **cursor) +ENGINE_LINKAGE int byteJump(void *p, ByteData *byteData, const uint8_t **cursor) { int ret; - u_int32_t readValue; - u_int32_t jumpValue; + uint32_t readValue; + uint32_t jumpValue; SFSnortPacket *sp = (SFSnortPacket *) p; ret = extractValueInternal(sp, byteData, &readValue, *cursor); @@ -282,6 +360,6 @@ jumpValue += byteData->post_offset; ret = setCursorInternal(sp, byteData->flags, jumpValue, cursor); - + return ret; } diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c --- snort-2.8.5.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c 2009-07-07 15:37:05.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c 2011-11-21 20:15:24.000000000 +0000 @@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Marc Norton * Steve Sturges 
@@ -27,26 +27,34 @@ * * Content operations for dynamic rule engine */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "ctype.h" +#include "sf_dynamic_define.h" #include "sf_snort_packet.h" #include "sf_snort_plugin_api.h" #include "sf_dynamic_engine.h" +#include "sfghash.h" +#include "sf_snort_detection_engine.h" #include "bmh.h" -extern DynamicEngineData _ded; /* sf_detection_engine.c */ -extern int checkCursorInternal(void *p, int flags, int offset, const u_int8_t *cursor); +extern int checkCursorInternal(void *p, int flags, int offset, const uint8_t *cursor); -static const u_int8_t *_buffer_end = NULL; -static const u_int8_t *_alt_buffer_end = NULL; -static const u_int8_t *_uri_buffer_end = NULL; +static const uint8_t *_buffer_end = NULL; +static const uint8_t *_alt_buffer_end = NULL; +static const uint8_t *_uri_buffer_end = NULL; +static const uint8_t *_alt_detect_end = NULL; void ContentSetup(void) { _buffer_end = NULL; _alt_buffer_end = NULL; _uri_buffer_end = NULL; + _alt_detect_end = NULL; } /* @@ -57,15 +65,17 @@ */ int BoyerContentSetup(Rule *rule, ContentInfo *content) { + void *memoryLocation; + /* XXX: need to precompile the B-M stuff */ - + if( !content->patternByteForm || !content->patternByteFormLength ) return 0; - + content->boyer_ptr = hbm_prep(content->patternByteForm, - content->patternByteFormLength, + content->patternByteFormLength, content->flags & CONTENT_NOCASE); - + if( !content->boyer_ptr ) { /* error doing compilation. */ 
@@ -74,29 +84,70 @@ return -1; } + /* Initialize byte_extract pointers */ + if (content->offset_refId) + { + if (!rule->ruleData) + { + DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n", + content->offset_refId, rule->info.genID, rule->info.sigID); + } + + memoryLocation = sfghash_find((SFGHASH*)rule->ruleData, content->offset_refId); + if (memoryLocation) + { + content->offset_location = memoryLocation; + } + else + { + DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n", + content->offset_refId, rule->info.genID, rule->info.sigID); + } + } + + if (content->depth_refId) + { + if (!rule->ruleData) + { + DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n", + content->depth_refId, rule->info.genID, rule->info.sigID); + } + + memoryLocation = sfghash_find((SFGHASH*)rule->ruleData, content->depth_refId); + if (memoryLocation) + { + content->depth_location = memoryLocation; + } + else + { + DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n", + content->depth_refId, rule->info.genID, rule->info.sigID); + } + } + return 0; } -/* +/* * Content Option processing function - * + * * p: packet data structure, same as the one found in snort. 
* content: data defined in the detection plugin for this rule content option * cursor: updated to point the 1st byte after the match * - * Returns: + * Returns: * > 0 : match found * = 0 : no match found * < 0 : error * - * Predefined constants: + * Predefined constants: * (see sf_snort_plugin_api.h for more values) - * CONTENT_MATCH - if content specifier is found within buffer - * CONTENT_NOMATCH - if content specifier is not found within buffer - * + * CONTENT_MATCH - if content specifier is found within buffer + * CONTENT_NOMATCH - if content specifier is not found within buffer + * * Notes: - * For multiple URI buffers, we scan each buffer, if any one of them + * For multiple URI buffers, we scan each buffer, if any one of them * contains the content we return a match. This is essentially an OR * operation. * 
@@ -110,29 +161,44 @@ * raw * uri * post - * + * */ -ENGINE_LINKAGE int contentMatch(void *p, ContentInfo* content, const u_int8_t **cursor) +ENGINE_LINKAGE int contentMatch(void *p, ContentInfo* content, const uint8_t **cursor) { - const u_int8_t * q = NULL; - const u_int8_t * buffer_start; - const u_int8_t * buffer_end = NULL; + const uint8_t * q = NULL; + const uint8_t * buffer_start = NULL; + const uint8_t * buffer_end = NULL; u_int buffer_len; int length; int i; char relative = 0; SFSnortPacket *sp = (SFSnortPacket *) p; + /* This content is only used for fast pattern matching and + * should not be evaluated */ + if (content->flags & CONTENT_FAST_PATTERN_ONLY) + return CONTENT_MATCH; + if (content->flags & CONTENT_RELATIVE) { if( !cursor || !(*cursor) ) { return CONTENT_NOMATCH; - } + } relative = 1; } - if (content->flags & (CONTENT_BUF_URI | CONTENT_BUF_POST | CONTENT_BUF_HEADER | CONTENT_BUF_METHOD | CONTENT_BUF_COOKIE)) + /* Check for byte_extract variables and use them if present. */ + if (content->offset_location) + { + content->offset = *content->offset_location; + } + if (content->depth_location) + { + content->depth = *content->depth_location; + } + + if (content->flags & URI_CONTENT_BUFS) { for (i=0; inum_uris; i++) { 
@@ -158,6 +224,26 @@ if (!(content->flags & CONTENT_BUF_COOKIE)) continue; /* Go to next, not looking at COOKIE buffer */ break; + case HTTP_BUFFER_RAW_URI: + if (!(content->flags & CONTENT_BUF_RAW_URI)) + continue; /* Go to next, not looking at RAW URI buffer */ + break; + case HTTP_BUFFER_RAW_HEADER: + if (!(content->flags & CONTENT_BUF_RAW_HEADER)) + continue; /* Go to next, not looking at RAW HEADER buffer */ + break; + case HTTP_BUFFER_RAW_COOKIE: + if (!(content->flags & CONTENT_BUF_RAW_COOKIE)) + continue; /* Go to next, not looking at RAW COOKIE buffer */ + break; + case HTTP_BUFFER_STAT_CODE: + if (!(content->flags & CONTENT_BUF_STAT_CODE)) + continue; /* Go to next, not looking at STAT CODE buffer */ + break; + case HTTP_BUFFER_STAT_MSG: + if (!(content->flags & CONTENT_BUF_STAT_MSG)) + continue; /* Go to next, not looking at STAT MSG buffer */ + break; default: /* Uh, what buffer is this? */ return CONTENT_NOMATCH; @@ -188,7 +274,7 @@ { continue; } - + /* Don't bother looking deeper than depth */ if ( content->depth != 0 && content->depth < buffer_len ) { @@ -221,20 +307,38 @@ return CONTENT_NOMATCH; } - if ((content->flags & CONTENT_BUF_NORMALIZED) && (sp->flags & FLAG_ALT_DECODE)) + if ((content->flags & CONTENT_BUF_NORMALIZED) && _ded.Is_DetectFlag(SF_FLAG_DETECT_ALL)) { - if (_alt_buffer_end) + if(_ded.Is_DetectFlag(SF_FLAG_ALT_DETECT)) { - buffer_end = _alt_buffer_end; + if (_alt_detect_end) + { + buffer_end = _alt_detect_end; + } + else + { + buffer_end = _ded.altDetect->data + _ded.altDetect->len; + } } - else - { - buffer_end = _ded.altBuffer + sp->normalized_payload_size; + else if(_ded.Is_DetectFlag(SF_FLAG_ALT_DECODE)) + { + if (_alt_buffer_end) + { + buffer_end = _alt_buffer_end; + } + else + { + buffer_end = _ded.altBuffer->data + _ded.altBuffer->len; + } } } else { - if (_buffer_end) + if(sp->normalized_payload_size) + { + buffer_end = sp->payload + sp->normalized_payload_size; + } + else if (_buffer_end) { buffer_end = _buffer_end; } 
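Review bot: The rewritten normalized-buffer branch assigns `buffer_end` only inside the `SF_FLAG_ALT_DETECT` and `SF_FLAG_ALT_DECODE` arms; when `SF_FLAG_DETECT_ALL` is set but neither of those is, `buffer_end` keeps the NULL it is initialised with at the top of contentMatch, where the old code always assigned it. The same shape repeats in the `@@ -247,22 +351,41 @@` hunk below, where `buffer_start` is also left NULL. Unless SF_FLAG_DETECT_ALL is defined as exactly the union of those two flags (not visible here), the chain needs a final `else` that falls back to the payload buffer, or an explicit `return CONTENT_NOMATCH;` before the length computation that follows the hunk. `_ded.altDetect->data + _ded.altDetect->len` also dereferences `_ded.altDetect` with no NULL check; if the flag can be set while the pointer is unset, that is a crash on the packet path.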
@@ -247,22 +351,41 @@ } else { - if ((content->flags & CONTENT_BUF_NORMALIZED) && (sp->flags & FLAG_ALT_DECODE)) + if ((content->flags & CONTENT_BUF_NORMALIZED) && _ded.Is_DetectFlag(SF_FLAG_DETECT_ALL)) { - buffer_start = _ded.altBuffer + content->offset; - if (_alt_buffer_end) + if(_ded.Is_DetectFlag(SF_FLAG_ALT_DETECT)) { - buffer_end = _alt_buffer_end; + buffer_start = _ded.altDetect->data + content->offset; + if (_alt_detect_end) + { + buffer_end = _alt_detect_end; + } + else + { + buffer_end = _ded.altDetect->data + _ded.altDetect->len; + } } - else + else if(_ded.Is_DetectFlag(SF_FLAG_ALT_DECODE)) { - buffer_end = _ded.altBuffer + sp->normalized_payload_size; + buffer_start = _ded.altBuffer->data + content->offset; + if (_alt_buffer_end) + { + buffer_end = _alt_buffer_end; + } + else + { + buffer_end = _ded.altBuffer->data + _ded.altBuffer->len; + } } } else { buffer_start = sp->payload + content->offset; - if (_buffer_end) + if(sp->normalized_payload_size) + { + buffer_end = sp->payload + sp->normalized_payload_size; + } + else if (_buffer_end) { buffer_end = _buffer_end; } @@ -291,7 +414,11 @@ { if (content->flags & CONTENT_END_BUFFER) { - if ((content->flags & CONTENT_BUF_NORMALIZED) && (sp->flags & FLAG_ALT_DECODE)) + if((content->flags & CONTENT_BUF_NORMALIZED) && _ded.Is_DetectFlag(SF_FLAG_ALT_DETECT)) + { + _alt_detect_end = q; + } + else if ((content->flags & CONTENT_BUF_NORMALIZED) && _ded.Is_DetectFlag(SF_FLAG_ALT_DECODE)) { _alt_buffer_end = q; } diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c --- snort-2.8.5.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c 2009-07-07 15:37:05.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c 2011-11-21 20:15:24.000000000 +0000 
@@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steve Sturges * Andy Mullican @@ -26,12 +26,16 @@ * * Header Option operations for dynamic rule engine */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_dynamic_define.h" #include "sf_snort_packet.h" #include "sf_snort_plugin_api.h" #include "sf_dynamic_engine.h" #include "ipv6_port.h" - -extern DynamicEngineData _ded; /* sf_detection_engine.c */ +#include "sf_snort_detection_engine.h" int ValidateHeaderCheck(Rule *rule, HdrOptCheck *optData) { @@ -46,7 +50,7 @@ _ded.errMsg("Invalid operator for Check Header IP Options: %d " "for dynamic rule [%d:%d].\n" "Must be either CHECK_EQ (option present) or " - "CHECK_NEQ (not present).\n", + "CHECK_NEQ (not present).\n", optData->op, rule->info.genID, rule->info.sigID); retVal = -1; } @@ -58,7 +62,7 @@ _ded.errMsg("Invalid operator for Check Header IP Options: %d " "for dynamic rule [%d:%d].\n" "Must be either CHECK_EQ (option present) or " - "CHECK_NEQ (not present).\n", + "CHECK_NEQ (not present).\n", optData->op, rule->info.genID, rule->info.sigID); retVal = -1; } @@ -78,7 +82,7 @@ return retVal; } -int checkBits(u_int32_t value, u_int32_t op, u_int32_t bits) +int checkBits(uint32_t value, uint32_t op, uint32_t bits) { switch (op) { @@ -102,7 +106,7 @@ return RULE_NOMATCH; } -int checkOptions(u_int32_t value, int op, IPOptions options[], int numOptions) +int checkOptions(uint32_t value, int op, IPOptions options[], int numOptions) { int found = 0; int i; @@ -137,7 +141,7 @@ return RULE_NOMATCH; } -int checkField(int op, u_int32_t value1, u_int32_t value2) +int checkField(int op, uint32_t value1, uint32_t value2) { switch (op) { 
@@ -192,7 +196,7 @@ * 1 or 2 bytes, converted to host byte order, * and placed in a 4 byte value for easy comparison */ - u_int32_t value = 0; + uint32_t value = 0; if ((optData->hdrField & IP_HDR_OPTCHECK_MASK) && (!pkt->ip4_header)) return RULE_NOMATCH; @@ -209,7 +213,7 @@ { /* IP Header Checks */ case IP_HDR_ID: - value = IS_IP6(pkt) ? ntohl(GET_IPH_ID(pkt)) : ntohs((u_int16_t)GET_IPH_ID(pkt)); + value = IS_IP6(pkt) ? ntohl(GET_IPH_ID(pkt)) : ntohs((uint16_t)GET_IPH_ID(pkt)); break; case IP_HDR_PROTO: value = pkt->ip4_header->proto; diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c --- snort-2.8.5.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c 2009-07-07 15:37:05.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c 2011-11-21 20:15:24.000000000 +0000 @@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steve Sturges * Andy Mullican 
@@ -26,19 +26,23 @@ * * Loop Option operations for dynamic rule engine */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_dynamic_define.h" #include "sf_snort_packet.h" #include "sf_snort_plugin_api.h" #include "sfghash.h" #include "sf_dynamic_engine.h" - -extern DynamicEngineData _ded; +#include "sf_snort_detection_engine.h" /* From sf_snort_plugin_api.c -- not exported from shared lib, * but available to other code within the shared lib. */ extern int RegisterOneRule(Rule *rule, int registerRule); -extern int ruleMatchInternal(SFSnortPacket *p, Rule* rule, u_int32_t optIndex, const u_int8_t **cursor); +extern int ruleMatchInternal(SFSnortPacket *p, Rule* rule, uint32_t optIndex, const uint8_t **cursor); /* Initialize a byteExtract structure. */ int ByteExtractInitialize(Rule *rule, ByteExtract *extractData) @@ -68,7 +72,7 @@ //return -1; } - memoryLocation = calloc(sizeof(u_int32_t), 1); + memoryLocation = calloc(sizeof(uint32_t), 1); if (memoryLocation == NULL) { DynamicEngineFatalMessage("Failed to allocate memory\n"); @@ -94,7 +98,7 @@ if (!rule->ruleData) { - DynamicEngineFatalMessage("Runtime rule data location '%s' for rule [%d:%d] is unknown\n", + DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n", element->refId, rule->info.genID, rule->info.sigID); } @@ -109,7 +113,7 @@ else { element->data.dynamicInt = NULL; - DynamicEngineFatalMessage("Runtime rule data location '%s' for rule [%d:%d] is unknown\n", + DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n", element->refId, rule->info.genID, rule->info.sigID); //return -1; } 
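Review bot: `memoryLocation = calloc(sizeof(uint32_t), 1);` in the `@@ -68,7 +72,7 @@` hunk passes the element size as the count and 1 as the element size; the allocation is identical, but it reads in prototype order as `calloc(1, sizeof(uint32_t))`. The NULL check and fatal message that follow are kept, which is fine. The enclosing ByteExtractInitialize body continues outside the hunk.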
@@ -161,28 +165,28 @@ } -/* +/* * Get buffer size remaining - * + * * p: packet data structure, same as the one found in snort. * flags: defines what kind of content buffer to look at * cursor: current position within buffer * - * Returns: + * Returns: * > 0 : size of buffer remaining * = 0 : no buffer remaining * < 0 : error * */ -int getSizeRemaining(void *p, u_int32_t flags, const u_int8_t *cursor) +int getSizeRemaining(void *p, uint32_t flags, const uint8_t *cursor) { - const u_int8_t *start; - const u_int8_t *end; + const uint8_t *start; + const uint8_t *end; SFSnortPacket *sp = (SFSnortPacket *) p; int ret; int size; - ret = getBuffer((void *)sp, (int)flags, (const u_int8_t **)&start, (const u_int8_t **)&end); + ret = getBuffer((void *)sp, (int)flags, (const uint8_t **)&start, (const uint8_t **)&end); if ( ret < 0 ) return 0; @@ -202,14 +206,14 @@ return size; } -/* +/* * Get maximum loop iterations possible - * + * * p: packet data structure, same as the one found in snort. * loop: structure that defines buffer via flags, and has cursor increment * cursor: current position within buffer * - * Returns: + * Returns: * >= 0 : calculated max possible loop count * < 0 : error * @@ -220,7 +224,7 @@ * a cursor of NULL means look at the whole buffer. * */ -int32_t getLoopLimit(void *p, LoopInfo *loop, const u_int8_t *cursor) +int32_t getLoopLimit(void *p, LoopInfo *loop, const uint8_t *cursor) { int32_t loop_max; int size; @@ -241,7 +245,7 @@ return loop_max & 0xFFFF; } -int checkLoopEnd(u_int32_t op, int32_t index, int32_t end) +int checkLoopEnd(uint32_t op, int32_t index, int32_t end) { switch (op) { 
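Review bot: The header comment rewritten in the `@@ -161,28 +165,28 @@` hunk still promises `< 0 : error`, but the visible body returns 0 when `getBuffer()` fails (`if ( ret < 0 ) return 0;`), so callers cannot tell "no buffer remaining" from a lookup error. Either bring the comment in line, e.g. `* = 0 : no buffer remaining, or getBuffer() failed`, or return `ret` there so the documented negative path actually exists; the second changes behaviour for every caller, so the first is the safer fix. The rest of getSizeRemaining, and the `getLoopLimit` comment below it that carries the same `< 0 : error` wording, are only partly in view.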
@@ -292,10 +296,10 @@ } /* Function to evaluate a loop (ie, a series of nested options) */ -ENGINE_LINKAGE int loopEval(void *p, LoopInfo *loop, const u_int8_t **cursor) +ENGINE_LINKAGE int loopEval(void *p, LoopInfo *loop, const uint8_t **cursor) { - const u_int8_t *startingCursor; - const u_int8_t *tmpCursor; + const uint8_t *startingCursor; + const uint8_t *tmpCursor; int32_t i; int32_t startValue; int32_t endValue; @@ -316,7 +320,7 @@ startValue = loop->start->data.staticInt; else startValue = *(loop->start->data.dynamicInt); - + if (loop->end->dynamicType == DYNAMIC_TYPE_INT_STATIC) endValue = loop->end->data.staticInt; else diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c --- snort-2.8.5.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c 2009-07-07 15:37:05.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c 2011-11-21 20:15:24.000000000 +0000 @@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steve Sturges * Andy Mullican 
@@ -26,15 +26,21 @@ * * PCRE operations for dynamic rule engine */ -#include "debug.h" +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "pcre.h" +#include "sf_types.h" +#include "snort_debug.h" +#include "sf_dynamic_define.h" #include "sf_snort_packet.h" #include "sf_snort_plugin_api.h" #include "sf_dynamic_engine.h" +#include "sf_snort_detection_engine.h" /* Need access to the snort-isms that were passed to the engine */ -extern DynamicEngineData _ded; /* sf_detection_engine.c */ -extern int checkCursorInternal(void *p, int flags, int offset, const u_int8_t *cursor); - +extern int checkCursorInternal(void *p, int flags, int offset, const uint8_t *cursor); int PCRESetup(Rule *rule, PCREInfo *pcreInfo) { @@ -115,17 +121,17 @@ return matched; } -/* - * we need to specify the vector length for our pcre_exec call. we only care +/* + * we need to specify the vector length for our pcre_exec call. we only care * about the first vector, which if the match is successful will include the * offset to the end of the full pattern match. If we decide to store other * matches, make *SURE* that this is a multiple of 3 as pcre requires it. */ #define SNORT_PCRE_OVECTOR_SIZE 3 -/** +/** * Perform a search of the PCRE data. - * + * * @param pcre_data structure that options and patterns are passed in * @param buf buffer to search * @param len size of buffer @@ -145,7 +151,7 @@ int ovector[SNORT_PCRE_OVECTOR_SIZE]; int matched; int result; - + if(pcre_info == NULL || buf == NULL || len <= 0 @@ -159,7 +165,7 @@ } *found_offset = -1; - + result = _ded.pcreExec(pcre_info->compiled_expr, /* result of pcre_compile() */ pcre_info->compiled_extra, /* result of pcre_study() */ buf, /* the subject string */ @@ -185,7 +191,7 @@ if (found_offset) { - *found_offset = ovector[1]; + *found_offset = ovector[1]; DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Setting buffer and found_offset: %p %d\n", buf, found_offset);); 
@@ -194,10 +200,10 @@ return matched; } -ENGINE_LINKAGE int pcreMatch(void *p, PCREInfo* pcre_info, const u_int8_t **cursor) +ENGINE_LINKAGE int pcreMatch(void *p, PCREInfo* pcre_info, const uint8_t **cursor) { - const u_int8_t *buffer_start; - const u_int8_t *buffer_end; + const uint8_t *buffer_start; + const uint8_t *buffer_end; int buffer_len; int pcre_offset; int pcre_found; @@ -220,7 +226,7 @@ relative = 1; } - if (pcre_info->flags & (CONTENT_BUF_URI | CONTENT_BUF_POST | CONTENT_BUF_HEADER | CONTENT_BUF_METHOD | CONTENT_BUF_COOKIE)) + if (pcre_info->flags & (CONTENT_BUF_URI | CONTENT_BUF_POST | CONTENT_BUF_HEADER | CONTENT_BUF_METHOD | CONTENT_BUF_COOKIE | CONTENT_BUF_RAW_URI | CONTENT_BUF_RAW_HEADER |CONTENT_BUF_RAW_COOKIE | CONTENT_BUF_STAT_CODE | CONTENT_BUF_STAT_MSG)) { int i; for (i=0; inum_uris; i++) @@ -247,11 +253,31 @@ if (!(pcre_info->flags & CONTENT_BUF_COOKIE)) continue; /* Go to next, not looking at COOKIE buffer */ break; + case HTTP_BUFFER_RAW_URI: + if (!(pcre_info->flags & CONTENT_BUF_RAW_URI)) + continue; + break; + case HTTP_BUFFER_RAW_HEADER: + if (!(pcre_info->flags & CONTENT_BUF_RAW_HEADER)) + continue; + break; + case HTTP_BUFFER_RAW_COOKIE: + if (!(pcre_info->flags & CONTENT_BUF_RAW_COOKIE)) + continue; + break; + case HTTP_BUFFER_STAT_CODE: + if (!(pcre_info->flags & CONTENT_BUF_STAT_CODE)) + continue; + break; + case HTTP_BUFFER_STAT_MSG: + if (!(pcre_info->flags & CONTENT_BUF_STAT_MSG)) + continue; + break; default: /* Uh, what buffer is this? */ return CONTENT_NOMATCH; } - + if (!_ded.uriBuffers[i]->uriBuffer || (_ded.uriBuffers[i]->uriLength == 0)) continue; @@ -270,7 +296,6 @@ { buffer_start = _ded.uriBuffers[i]->uriBuffer; buffer_len = _ded.uriBuffers[i]->uriLength; - buffer_end = buffer_start + buffer_len; } pcre_found = pcre_test(pcre_info, (const char *)buffer_start, buffer_len, 0, &pcre_offset); 
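Review bot: The `@@ -270,7 +296,6 @@` hunk drops `buffer_end = buffer_start + buffer_len;` from the URI-buffer branch, so within that loop iteration `buffer_end` holds whatever an earlier iteration or the declaration left in it; if anything after the `pcre_test` call in the loop (outside this hunk) reads `buffer_end`, for example to position `*cursor`, it now reads a stale value. Please confirm it is write-only on this path, or keep the assignment. Separately, the widened test in `@@ -220,7 +226,7 @@` now spells out ten `CONTENT_BUF_*` flags that the content matcher's equivalent test also lists; a single named mask defined next to the flags (constructed name: `CONTENT_BUF_HTTP_ANY`) would keep the two in step when the next buffer type is added. pcreMatch continues well past this hunk.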
@@ -293,30 +318,52 @@ return RULE_NOMATCH; } - if ((pcre_info->flags & CONTENT_BUF_NORMALIZED) && (sp->flags & FLAG_ALT_DECODE)) + if ((pcre_info->flags & CONTENT_BUF_NORMALIZED) && _ded.Is_DetectFlag(SF_FLAG_DETECT_ALL)) { - buffer_start = _ded.altBuffer; - buffer_end = buffer_start + sp->normalized_payload_size; + if(_ded.Is_DetectFlag(SF_FLAG_ALT_DETECT)) + { + buffer_start = _ded.altDetect->data; + buffer_end = buffer_start + _ded.altDetect->len; + } + else if(_ded.Is_DetectFlag(SF_FLAG_ALT_DECODE)) + { + buffer_start = _ded.altBuffer->data; + buffer_end = buffer_start + _ded.altBuffer->len; + } } else { buffer_start = sp->payload; - buffer_end = buffer_start + sp->payload_size; + if(sp->normalized_payload_size) + buffer_end = buffer_start + sp->normalized_payload_size; + else + buffer_end = buffer_start + sp->payload_size; } buffer_start = *cursor; buffer_len = buffer_end - buffer_start; } else { - if ((pcre_info->flags & CONTENT_BUF_NORMALIZED) && (sp->flags & FLAG_ALT_DECODE)) + if ((pcre_info->flags & CONTENT_BUF_NORMALIZED) && _ded.Is_DetectFlag(SF_FLAG_DETECT_ALL)) { - buffer_start = _ded.altBuffer; - buffer_len = sp->normalized_payload_size; + if(_ded.Is_DetectFlag(SF_FLAG_ALT_DETECT)) + { + buffer_start = _ded.altDetect->data; + buffer_len = _ded.altDetect->len; + } + else if(_ded.Is_DetectFlag(SF_FLAG_ALT_DECODE)) + { + buffer_start = _ded.altBuffer->data; + buffer_len = _ded.altBuffer->len; + } } else { buffer_start = sp->payload; - buffer_len = sp->payload_size; + if(sp->normalized_payload_size) + buffer_len = sp->normalized_payload_size; + else + buffer_len = sp->payload_size; } buffer_end = buffer_start + buffer_len; } diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_rc4.c snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_rc4.c --- snort-2.8.5.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_rc4.c 2009-07-07 15:37:05.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_rc4.c 2011-06-08 
00:33:11.000000000 +0000 @@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2006-2009 Sourcefire, Inc. + * Copyright (C) 2006-2011 Sourcefire, Inc. * * Author: Lurene Grunier * Andy Mullican @@ -26,15 +26,17 @@ * * RC4 Option operations for dynamic rule engine */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_dynamic_define.h" #include "sf_snort_packet.h" #include "sf_snort_plugin_api.h" #include "sfghash.h" #include "sf_dynamic_engine.h" -extern DynamicEngineData _ded; - - #define BYTESWAP(x,y) tmp = x; x = y; y = tmp; /* Artificially limit decrypted data size to 1024, for now */ @@ -42,11 +44,11 @@ /* Decode RC4 data. Return 1 if data matches decoded data. */ int MatchDecryptedRC4( - const u_int8_t *key, u_int16_t keylen, const u_int8_t *encrypted_data, + const u_int8_t *key, u_int16_t keylen, const u_int8_t *encrypted_data, u_int8_t *match_data, u_int16_t datalen ) { u_int16_t i; - u_int8_t t, tmp; + u_int8_t t, tmp; static char decrypted_data[MAX_DATA_LEN]; u_int8_t s[256] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_preproc_example/Makefile.in snort-2.9.2/src/dynamic-plugins/sf_preproc_example/Makefile.in --- snort-2.8.5.2/src/dynamic-plugins/sf_preproc_example/Makefile.in 2009-10-19 21:17:59.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_preproc_example/Makefile.in 2011-12-07 19:23:18.000000000 +0000 
@@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -15,8 +16,9 @@ @SET_MAKE@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c @@ -41,6 +43,7 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = depcomp = am__depfiles_maybe = SOURCES = @@ -55,31 +58,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ 
@@ -92,12 +95,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ @@ -105,20 +114,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -150,6 +166,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -162,6 +179,7 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies 
@@ -176,14 +194,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-plugins/sf_preproc_example/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/dynamic-plugins/sf_preproc_example/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-plugins/sf_preproc_example/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-plugins/sf_preproc_example/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -201,6 +219,7 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): mostlyclean-libtool: -rm -f *.lo @@ -230,13 +249,17 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done 
@@ -264,6 +287,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -282,6 +306,8 @@ html: html-am +html-am: + info: info-am info-am: @@ -290,18 +316,28 @@ install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am @@ -335,6 +371,7 @@ maintainer-clean-generic mostlyclean mostlyclean-generic \ mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c snort-2.9.2/src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c --- snort-2.8.5.2/src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c 2009-08-11 21:27:33.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c 2011-10-26 18:28:52.000000000 +0000 @@ -1,6 +1,6 @@ /* $Id$ */ /* - ** Copyright (C) 2005-2009 Sourcefire, Inc. + ** Copyright (C) 2005-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as 
@@ -18,18 +18,24 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ +#include +#include +#include +#include +#include + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "sf_dynamic_define.h" #include "sf_preproc_info.h" #include "sf_snort_packet.h" #include "sf_dynamic_preproc_lib.h" #include "sf_dynamic_meta.h" #include "sf_dynamic_preprocessor.h" #include "sf_dynamic_common.h" -#include "sf_dynamic_define.h" -#include -#include -#include -#include -#include DynamicPreprocessorData _dpd; 
@@ -49,104 +55,23 @@ exit(1); } + PREPROC_LINKAGE int InitializePreprocessor(DynamicPreprocessorData *dpd) { - int i; if (dpd->version < PREPROCESSOR_DATA_VERSION) { + printf("ERROR version %d < %d\n", dpd->version, + PREPROCESSOR_DATA_VERSION); return -1; } if (dpd->size != sizeof(DynamicPreprocessorData)) { - return -1; - } - - - _dpd.version = dpd->version; - _dpd.size = dpd->size; - _dpd.altBuffer = dpd->altBuffer; - _dpd.altBufferLen = dpd->altBufferLen; - for (i=0;iuriBuffers[i]; + printf("ERROR size %d != %u\n", dpd->size, (unsigned)sizeof(*dpd)); + return -2; } - _dpd.logMsg = dpd->logMsg; - _dpd.errMsg = dpd->errMsg; - _dpd.fatalMsg = dpd->fatalMsg; - _dpd.debugMsg = dpd->debugMsg; - - _dpd.registerPreproc = dpd->registerPreproc; - _dpd.addPreproc = dpd->addPreproc; - _dpd.addPreprocRestart = dpd->addPreprocRestart; - _dpd.addPreprocExit = dpd->addPreprocExit; - _dpd.addPreprocConfCheck = dpd->addPreprocConfCheck; - _dpd.preprocOptRegister = dpd->preprocOptRegister; - _dpd.addPreprocProfileFunc = dpd->addPreprocProfileFunc; - _dpd.profilingPreprocsFunc = dpd->profilingPreprocsFunc; - _dpd.totalPerfStats = dpd->totalPerfStats; - - _dpd.alertAdd = dpd->alertAdd; - _dpd.thresholdCheck = dpd->thresholdCheck; - - _dpd.inlineMode = dpd->inlineMode; - _dpd.inlineDrop = dpd->inlineDrop; - - _dpd.detect = dpd->detect; - _dpd.disableDetect = dpd->disableDetect; - _dpd.disableAllDetect = dpd->disableAllDetect; - _dpd.setPreprocBit = dpd->setPreprocBit; - - _dpd.streamAPI = dpd->streamAPI; - _dpd.searchAPI = dpd->searchAPI; - - _dpd.config_file = dpd->config_file; - _dpd.config_line = dpd->config_line; - _dpd.printfappend = dpd->printfappend; - _dpd.tokenSplit = dpd->tokenSplit; - _dpd.tokenFree = dpd->tokenFree; - - _dpd.getRuleInfoByName = dpd->getRuleInfoByName; - _dpd.getRuleInfoById = dpd->getRuleInfoById; - - _dpd.preprocess = dpd->preprocess; - - _dpd.debugMsgFile = dpd->debugMsgFile; - _dpd.debugMsgLine = dpd->debugMsgLine; - - _dpd.registerPreprocStats = 
dpd->registerPreprocStats; - _dpd.addPreprocReset = dpd->addPreprocReset; - _dpd.addPreprocResetStats = dpd->addPreprocResetStats; - _dpd.addPreprocReassemblyPkt = dpd->addPreprocReassemblyPkt; - _dpd.setPreprocReassemblyPktBit = dpd->setPreprocReassemblyPktBit; - _dpd.disablePreprocessors = dpd->disablePreprocessors; - -#ifdef SUP_IP6 - _dpd.ip6Build = dpd->ip6Build; - _dpd.ip6SetCallbacks = dpd->ip6SetCallbacks; -#endif - - _dpd.logAlerts = dpd->logAlerts; - _dpd.resetAlerts = dpd->resetAlerts; - -#ifdef TARGET_BASED - _dpd.findProtocolReference = dpd->findProtocolReference; - _dpd.addProtocolReference = dpd->addProtocolReference; - _dpd.isAdaptiveConfigured = dpd->isAdaptiveConfigured; -#endif - - _dpd.preprocOptOverrideKeyword = dpd->preprocOptOverrideKeyword; - _dpd.isPreprocEnabled = dpd->isPreprocEnabled; - -#ifdef SNORT_RELOAD - _dpd.addPreprocReloadVerify = dpd->addPreprocReloadVerify; -#endif - - _dpd.getRuntimePolicy = dpd->getRuntimePolicy; - _dpd.getParserPolicy = dpd->getParserPolicy; - _dpd.getDefaultPolicy = dpd->getDefaultPolicy; - _dpd.setParserPolicy = dpd->setParserPolicy; + _dpd = *dpd; DYNAMIC_PREPROC_SETUP(); return 0; } @@ -162,7 +87,3 @@ return 0; } -/* Variables to check type of InitializeEngine and LibVersion */ -//PREPROC_LINKAGE InitEngineLibFunc initEngineFunc = &InitializeEngine; -//PREPROC_LINKAGE LibVersionFunc libVersionFunc = &LibVersion; - diff -Nru snort-2.8.5.2/src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.h snort-2.9.2/src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.h --- snort-2.8.5.2/src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.h 2009-05-06 22:28:45.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.h 2011-02-09 23:23:12.000000000 +0000 
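Review bot: The new size-mismatch message `printf("ERROR size %d != %u\n", dpd->size, (unsigned)sizeof(*dpd));` prints `dpd->size` with `%d` while the `sizeof` side is explicitly cast to `unsigned` and printed with `%u`; the type of `size` is not on this page, so either cast both operands the same way, `(unsigned)dpd->size`, or pick the specifier that matches the field. Both new messages also go to stdout via `printf` from a library initialiser, where they interleave with the host's normal output; `fprintf(stderr, ...)` is the usual choice, and the callbacks in `dpd` cannot be trusted at this point precisely because the size has not been verified. The whole-struct copy `_dpd = *dpd;` is safe only because the `size` check above it proves the caller handed over a full `DynamicPreprocessorData`; a comment such as `/* size verified above, so the whole struct can be copied */` would make that dependency explicit.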
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2005-2009 Sourcefire, Inc. +** Copyright (C) 2005-2011 Sourcefire, Inc. ** Author: Steven Sturges ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.8.5.2/src/dynamic-plugins/sp_dynamic.c snort-2.9.2/src/dynamic-plugins/sp_dynamic.c --- snort-2.8.5.2/src/dynamic-plugins/sp_dynamic.c 2009-08-11 21:27:33.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sp_dynamic.c 2011-11-21 20:15:24.000000000 +0000 @@ -17,7 +17,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steven Sturges * @@ -57,12 +57,14 @@ #endif #include +#include "sf_types.h" #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "bitop_funcs.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" #include "sp_dynamic.h" @@ -73,6 +75,9 @@ #include "sf_convert_dynamic.h" #include "sfhashfcn.h" #include "sp_preprocopt.h" +#include "sfutil/sf_base64decode.h" +#include "detection_util.h" +#include "stream_api.h" #include "snort.h" #include "profiler.h" @@ -83,10 +88,9 @@ #endif extern const unsigned int giFlowbitSize; -extern SnortConfig *snort_conf_for_parsing; extern SFGHASH *flowbits_hash; extern SF_QUEUE *flowbits_bit_queue; -extern u_int32_t flowbits_count; +extern uint32_t flowbits_count; extern int flowbits_toggle; extern volatile int snort_initializing; extern DynamicRuleNode *dynamic_rules; 
@@ -96,48 +100,48 @@ void DynamicParse(char *, OptTreeNode *); int DynamicCheck(void *option_data, Packet *p); -u_int32_t DynamicRuleHash(void *d) +uint32_t DynamicRuleHash(void *d) { - u_int32_t a,b,c; + uint32_t a,b,c; DynamicData *dynData = (DynamicData *)d; #if (defined(__ia64) || defined(__amd64) || defined(_LP64)) { /* Cleanup warning because of cast from 64bit ptr to 32bit int * warning on 64bit OSs */ - u_int64_t ptr; /* Addresses are 64bits */ - ptr = (u_int64_t)dynData->contextData; + uint64_t ptr; /* Addresses are 64bits */ + ptr = (uint64_t)dynData->contextData; a = (ptr << 32) & 0XFFFFFFFF; b = (ptr & 0xFFFFFFFF); - - ptr = (u_int64_t)dynData->checkFunction; + + ptr = (uint64_t)dynData->checkFunction; c = (ptr << 32) & 0XFFFFFFFF; - + mix (a,b,c); - + a += (ptr & 0xFFFFFFFF); - ptr = (u_int64_t)dynData->hasOptionFunction; + ptr = (uint64_t)dynData->hasOptionFunction; b += (ptr << 32) & 0XFFFFFFFF; c += (ptr & 0xFFFFFFFF); - ptr = (u_int64_t)dynData->fastPatternContents; + ptr = (uint64_t)dynData->getDynamicContents; a += (ptr << 32) & 0XFFFFFFFF; b += (ptr & 0xFFFFFFFF); - c += dynData->fpContentFlags; + c += dynData->contentFlags; mix (a,b,c); - + a += RULE_OPTION_TYPE_DYNAMIC; } #else { - a = (u_int32_t)dynData->contextData; - b = (u_int32_t)dynData->checkFunction; - c = (u_int32_t)dynData->hasOptionFunction; + a = (uint32_t)dynData->contextData; + b = (uint32_t)dynData->checkFunction; + c = (uint32_t)dynData->hasOptionFunction; mix(a,b,c); - a += (u_int32_t)dynData->fastPatternContents; - b += dynData->fpContentFlags; + a += (uint32_t)dynData->getDynamicContents; + b += dynData->contentFlags; c += RULE_OPTION_TYPE_DYNAMIC; } #endif 
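Review bot: In the 64-bit branch of DynamicRuleHash, every `(ptr << 32) & 0XFFFFFFFF` term (the `a =`, `c =`, `b +=` and `a +=` lines) evaluates to zero: shifting a 64-bit value left by 32 moves its low half above the masked region and fills the masked bits with zeros, so the hash only ever mixes the low 32 bits of each pointer. The intent was presumably the high half, `(uint32_t)(ptr >> 32)`, which the type rename in this hunk is a natural moment to fix. This only weakens the distribution of the detection-option hash, since the field-by-field compare in the following hunk still decides equality, so it is a quality issue rather than a correctness one. The rest of the function follows the hunk.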
@@ -158,8 +162,8 @@ if ((left->contextData == right->contextData) && (left->checkFunction == right->checkFunction) && (left->hasOptionFunction == right->hasOptionFunction) && - (left->fastPatternContents == right->fastPatternContents) && - (left->fpContentFlags == right->fpContentFlags)) + (left->getDynamicContents == right->getDynamicContents) && + (left->contentFlags == right->contentFlags)) { return DETECTION_OPTION_EQUAL; } @@ -168,7 +172,7 @@ } /**************************************************************************** - * + * * Function: SetupDynamic() * * Purpose: Load it up @@ -181,7 +185,7 @@ void SetupDynamic(void) { /* map the keyword to an initialization/processing function */ - RegisterRuleOption("dynamic", DynamicInit, NULL, OPT_TYPE_DETECTION); + RegisterRuleOption("dynamic", DynamicInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("dynamic_rule", &dynamicRuleEvalPerfStats, 3, &ruleOTNEvalPerfStats); @@ -191,10 +195,10 @@ /**************************************************************************** - * + * * Function: DynamicInit(char *, OptTreeNode *) * - * Purpose: Configuration function. Handles parsing the rule + * Purpose: Configuration function. Handles parsing the rule * information and attaching the associated detection function to * the OTN. * @@ -229,7 +233,7 @@ } /**************************************************************************** - * + * * Function: DynamicCheck(char *, OptTreeNode *, OptFpList *) * * Purpose: Use this function to perform the particular detection routine @@ -240,7 +244,7 @@ * fp_list => pointer to the function pointer list * * Returns: If the detection test fails, this function *must* return a zero! - * On success, it calls the next function in the detection list + * On success, it calls the next function in the detection list * ****************************************************************************/ int DynamicCheck(void *option_data, Packet *p) 
@@ -262,7 +266,7 @@ if (result) { PREPROC_PROFILE_END(dynamicRuleEvalPerfStats); - return DETECTION_OPTION_MATCH; + return result; } /* Detection failed */ @@ -285,8 +289,8 @@ } /**************************************************************************** - * - * Function: RegisterDynamicRule(u_int32_t, u_int32_t, char *, void *, + * + * Function: RegisterDynamicRule(uint32_t, uint32_t, char *, void *, * OTNCheckFunction, int, GetFPContentFunction) * * Purpose: A dynamically loaded detection engine library can use this @@ -296,32 +300,31 @@ * check the rule. * * Arguments: sid => Signature ID - * gid => Generator ID + * gid => Generator ID * info => context specific data * chkFunc => Function to call to check if the rule matches * has*Funcs => Functions used to categorize this rule - * fpContentFlags => Flags indicating which Fast Pattern Contents - * are available - * fpFunc => Function to call to get list of fast pattern contents + * contentFlags => Flags indicating which contents are available + * contentsFunc => Function to call to get list of rule contents * * Returns: 0 on success * ****************************************************************************/ int RegisterDynamicRule( - u_int32_t sid, - u_int32_t gid, + uint32_t sid, + uint32_t gid, void *info, OTNCheckFunction chkFunc, OTNHasFunction hasFunc, - int fpContentFlags, - GetFPContentFunction fpFunc, - RuleFreeFunc freeFunc + int contentFlags, + GetDynamicContentsFunction contentsFunc, + RuleFreeFunc freeFunc, + GetDynamicPreprocOptFpContentsFunc preprocFpFunc ) { DynamicData *dynData; struct _OptTreeNode *otn = NULL; OptFpList *idx; /* index pointer */ - OptFpList *prev = NULL; OptFpList *fpl; char done_once = 0; void *option_dup; 
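Review bot: `return result;` in the `@@ -262,7 +266,7 @@` hunk changes DynamicCheck's contract: it now forwards whatever the rule's check function returned instead of the fixed `DETECTION_OPTION_MATCH`, yet the function header just above (touched only for whitespace) still says only that a failure must return zero and nothing about which non-zero values pass through; a line such as `* On success, returns the check function's own result code (e.g. DETECTION_OPTION_MATCH) so the caller can act on it` would close that gap. In the RegisterDynamicRule hunk on the same line, the `Arguments:` list is updated for `contentFlags` and `contentsFunc` but still omits `freeFunc` and the newly added `preprocFpFunc`; both should get an entry. RegisterDynamicRule's body continues past this hunk.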
@@ -355,9 +358,10 @@ node->rule = (Rule *)info; node->chkFunc = chkFunc; node->hasFunc = hasFunc; - node->fpContentFlags = fpContentFlags; - node->fpFunc = fpFunc; + node->contentFlags = contentFlags; + node->contentsFunc = contentsFunc; node->freeFunc = freeFunc; + node->preprocFpContentsFunc = preprocFpFunc; } /* Get OTN/RTN from SID */ @@ -370,7 +374,7 @@ } else { -#ifndef SOURCEFIRE +#ifndef SOURCEFIRE LogMessage("DynamicPlugin: Rule [%u:%u] not enabled in " "configuration, rule will not be used.\n", gid, sid); #endif @@ -391,27 +395,25 @@ /* allocate the data structure and attach it to the * rule's data struct list */ - dynData = (DynamicData *) SnortAlloc(sizeof(DynamicData)); - - if(dynData == NULL) - { - FatalError("DynamicPlugin: Unable to allocate Dynamic data node for rule [%u:%u]\n", - gid, sid); - } - + dynData = (DynamicData *)SnortAlloc(sizeof(DynamicData)); dynData->contextData = info; dynData->checkFunction = chkFunc; dynData->hasOptionFunction = hasFunc; - dynData->fastPatternContents = fpFunc; - dynData->fpContentFlags = fpContentFlags; + dynData->getDynamicContents = contentsFunc; + dynData->contentFlags = contentFlags; + dynData->getPreprocFpContents = preprocFpFunc; while (otn) { + OptFpList *prev = NULL; + otn->ds_list[PLUGIN_DYNAMIC] = (void *)dynData; /* And add this function into the tail of the list */ fpl = AddOptFuncToList(DynamicCheck, otn); fpl->context = dynData; + fpl->type = RULE_OPTION_TYPE_DYNAMIC; + if (done_once == 0) { if (add_detection_option(RULE_OPTION_TYPE_DYNAMIC, @@ -420,7 +422,7 @@ free(dynData); fpl->context = dynData = option_dup; } - fpl->type = RULE_OPTION_TYPE_DYNAMIC; + done_once = 1; } @@ -489,15 +491,6 @@ break; - case OPTION_TYPE_PREPROCESSOR: - { - PreprocessorOption *preprocOpt = option->option_u.preprocOpt; - if (DynamicPreprocRuleOptInit(preprocOpt) == -1) - continue; - } - - break; - default: break; } 
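Review bot: In the `@@ -391,27 +395,25 @@` hunk the NULL check after `dynData = (DynamicData *)SnortAlloc(sizeof(DynamicData));` is dropped, so `dynData->contextData = info;` now dereferences the result unguarded. That is only safe if SnortAlloc never returns NULL (i.e. it terminates on allocation failure), which nothing in this hunk shows; a one-line comment would make the reliance explicit: `/* SnortAlloc() never returns NULL: it exits on failure */`. Also `OptFpList *prev = NULL;` is newly declared at the top of the `while (otn)` body but is not referenced anywhere in the visible part of the loop; if the rest of the loop does not use it, the declaration is dead. RegisterDynamicRule runs past both ends of the hunk.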
@@ -505,7 +498,8 @@ RegisterDynamicRule(node->rule->info.sigID, node->rule->info.genID, (void *)node->rule, node->chkFunc, node->hasFunc, - node->fpContentFlags, node->fpFunc, node->freeFunc); + node->contentFlags, node->contentsFunc, + node->freeFunc, node->preprocFpContentsFunc); } snort_conf_for_parsing = NULL; @@ -518,6 +512,7 @@ { PreprocessorOption *preprocOpt = (PreprocessorOption *)opt; PreprocOptionInit optionInit; + PreprocOptionOtnHandler otnHandler; char *option_name = NULL; char *option_params = NULL; char *tmp; @@ -531,7 +526,10 @@ result = GetPreprocessorRuleOptionFuncs((char *)preprocOpt->optionName, &preprocOpt->optionInit, - &preprocOpt->optionEval); + &preprocOpt->optionEval, + &otnHandler, + &preprocOpt->optionFpFunc, + &preprocOpt->optionCleanup); if (!result) return -1; @@ -563,9 +561,9 @@ return 0; } -u_int32_t DynamicFlowbitRegister(char *name, int op) +uint32_t DynamicFlowbitRegister(char *name, int op) { - u_int32_t retFlowId; /* ID */ + uint32_t retFlowId; /* ID */ int hashRet; FLOWBITS_OBJECT *flowbits_item; @@ -575,18 +573,18 @@ flowbits_item = sfghash_find(flowbits_hash, name); - if (flowbits_item != NULL) + if (flowbits_item != NULL) { retFlowId = flowbits_item->id; } else { - flowbits_item = + flowbits_item = (FLOWBITS_OBJECT *)SnortAlloc(sizeof(FLOWBITS_OBJECT)); if (sfqueue_count(flowbits_bit_queue) > 0) { - retFlowId = (u_int32_t)(uintptr_t)sfqueue_remove(flowbits_bit_queue); + retFlowId = (uint32_t)(uintptr_t)sfqueue_remove(flowbits_bit_queue); flowbits_item->id = retFlowId; } else @@ -595,7 +593,7 @@ flowbits_item->id = flowbits_count; hashRet = sfghash_add(flowbits_hash, name, flowbits_item); - if (hashRet != SFGHASH_OK) + if (hashRet != SFGHASH_OK) { FatalError("Could not add flowbits key (%s) to hash.\n", name); } 
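Review bot: In the `@@ -531,7 +526,10 @@` hunk, `otnHandler` is filled in by `GetPreprocessorRuleOptionFuncs(..., &otnHandler, ...)` but, unlike `optionFpFunc` and `optionCleanup`, it lands in a local rather than in `preprocOpt`, and nothing in the visible part of DynamicPreprocRuleOptInit reads it. If the handler is invoked or stored later in this function, a comment at the declaration saying so would help, e.g. `PreprocOptionOtnHandler otnHandler; /* invoked below once the option has been parsed */`; if it is not used at all, it is a dead out-parameter and the function could pass NULL once the callee tolerates it. DynamicPreprocRuleOptInit starts before this hunk and continues after `if (!result) return -1;`.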
@@ -613,21 +611,72 @@ flowbits_item->toggle = flowbits_toggle; flowbits_item->types |= op; + switch (op) + { + case FLOWBITS_SET: + case FLOWBITS_UNSET: + case FLOWBITS_TOGGLE: + case FLOWBITS_RESET: + flowbits_item->set++; + break; + case FLOWBITS_ISSET: + case FLOWBITS_ISNOTSET: + flowbits_item->isset++; + break; + default: + break; + } return retFlowId; } -int DynamicFlowbitCheck(void *pkt, int op, u_int32_t id) +void DynamicFlowbitUnregister(char *name, int op) +{ + FLOWBITS_OBJECT *flowbits_item; + + /* Auto init hash table and queue */ + if (flowbits_hash == NULL) + return; + + flowbits_item = sfghash_find(flowbits_hash, name); + if (flowbits_item == NULL) + return; + + switch (op) + { + case FLOWBITS_SET: + case FLOWBITS_UNSET: + case FLOWBITS_TOGGLE: + case FLOWBITS_RESET: + if (flowbits_item->set == 0) + return; + flowbits_item->set--; + break; + + case FLOWBITS_ISSET: + case FLOWBITS_ISNOTSET: + if (flowbits_item->isset == 0) + return; + flowbits_item->isset--; + break; + + default: + break; + } +} + +int DynamicFlowbitCheck(void *pkt, int op, uint32_t id) { StreamFlowData *flowdata; Packet *p = (Packet *)pkt; int result = 0; - flowdata = GetFlowbitsData(p); + if ((stream_api == NULL) || (p->ssnptr == NULL)) + return 0; + + flowdata = stream_api->get_flow_data(p); if (!flowdata) - { return 0; - } switch(op) { 
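Review bot: The comment `/* Auto init hash table and queue */` in the new `DynamicFlowbitUnregister` was copied from the register path and is wrong here: the code under it returns when `flowbits_hash == NULL` and initializes nothing, so `/* Nothing registered yet: nothing to unregister */` is what it does. Unregister also only decrements `set`/`isset` and never removes the hash entry, returns the id to `flowbits_bit_queue`, or clears the `flowbits_item->types |= op;` mark made at registration, even when both counters reach zero; if that is intentional (ids stay allocated for the life of the configuration) say so in a function comment, otherwise the release step is missing. The new `(stream_api == NULL) || (p->ssnptr == NULL)` guard in `DynamicFlowbitCheck` is a sensible precondition; that function continues past the end of the hunk.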
@@ -687,20 +736,51 @@ } -int DynamicAsn1Detect(void *pkt, void *ctxt, const u_int8_t *cursor) +int DynamicAsn1Detect(void *pkt, void *ctxt, const uint8_t *cursor) { Packet *p = (Packet *) pkt; - ASN1_CTXT *c = (ASN1_CTXT *) ctxt; - + ASN1_CTXT *c = (ASN1_CTXT *) ctxt; + /* Call same detection function that snort calls */ return Asn1DoDetect(p->data, p->dsize, c, cursor); } -static INLINE int DynamicHasOption( +int DynamicsfUnfold(const uint8_t *inbuf, uint32_t insize, uint8_t *outbuf, uint32_t outsize, uint32_t *read) +{ + return sf_unfold_header(inbuf, insize, outbuf, outsize, read, 0, 0); +} + +int Dynamicsfbase64decode(uint8_t *inbuf, uint32_t insize, uint8_t *outbuf, uint32_t outsize, uint32_t *read) +{ + return sf_base64decode(inbuf, insize, outbuf, outsize, read); +} + +int DynamicGetAltDetect(uint8_t **bufPtr, uint16_t *altLenPtr) +{ + return GetAltDetect(bufPtr, altLenPtr); +} + +void DynamicSetAltDetect(uint8_t *buf, uint16_t altLen) +{ + SetAltDetect(buf, altLen); +} + +int DynamicIsDetectFlag(SFDetectFlagType df) +{ + return Is_DetectFlag((DetectFlagType)df); +} + +void DynamicDetectFlagDisable(SFDetectFlagType df) +{ + DetectFlag_Disable((DetectFlagType)df); +} + + +static inline int DynamicHasOption( OptTreeNode *otn, DynamicOptionType optionType, int flowFlag ) { DynamicData *dynData; - + dynData = (DynamicData *)otn->ds_list[PLUGIN_DYNAMIC]; if (!dynData) { diff -Nru snort-2.8.5.2/src/dynamic-plugins/sp_dynamic.h snort-2.9.2/src/dynamic-plugins/sp_dynamic.h --- snort-2.8.5.2/src/dynamic-plugins/sp_dynamic.h 2009-07-07 15:37:05.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sp_dynamic.h 2011-11-21 20:15:24.000000000 +0000 @@ -14,7 +14,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steven Sturges * 
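Review bot: `Dynamicsfbase64decode` takes its input as `uint8_t *inbuf` while the sibling `DynamicsfUnfold` directly above takes `const uint8_t *inbuf`; both only forward the pointer, so the decode wrapper should read `int Dynamicsfbase64decode(const uint8_t *inbuf, uint32_t insize, uint8_t *outbuf, uint32_t outsize, uint32_t *read)` unless `sf_base64decode` itself demands a non-const pointer, in which case the cast belongs inside the wrapper with a comment explaining why. None of the six new wrappers (`DynamicsfUnfold` through `DynamicDetectFlagDisable`) carries a comment, although by their names they appear to be the surface handed to dynamic engines; a one-line header on each saying it is a pass-through to the core helper of the same name, and for `DynamicSetAltDetect` who owns `buf` after the call, would be worth adding. The hunk ends inside `DynamicHasOption`, which continues outside it.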
@@ -32,13 +32,16 @@ #include "sf_engine/sf_snort_plugin_api.h" #include "detection-plugins/sp_pattern_match.h" +extern char *snort_conf_dir; + typedef struct _DynamicData { void *contextData; OTNCheckFunction checkFunction; OTNHasFunction hasOptionFunction; - int fpContentFlags; - GetFPContentFunction fastPatternContents; + int contentFlags; + GetDynamicContentsFunction getDynamicContents; + GetDynamicPreprocOptFpContentsFunc getPreprocFpContents; PatternMatchData *pmds; } DynamicData; @@ -46,14 +49,15 @@ void SetupDynamic(void); int RegisterDynamicRule( - u_int32_t gid, - u_int32_t sid, + uint32_t gid, + uint32_t sid, void *info, OTNCheckFunction, OTNHasFunction, - int fpContentFlags, - GetFPContentFunction, - RuleFreeFunc freeFunc + int contentFlags, + GetDynamicContentsFunction, + RuleFreeFunc freeFunc, + GetDynamicPreprocOptFpContentsFunc ); typedef struct _DynamicRuleNode @@ -61,10 +65,11 @@ Rule *rule; OTNCheckFunction chkFunc; OTNHasFunction hasFunc; - int fpContentFlags; - GetFPContentFunction fpFunc; + int contentFlags; + GetDynamicContentsFunction contentsFunc; int converted; RuleFreeFunc freeFunc; + GetDynamicPreprocOptFpContentsFunc preprocFpContentsFunc; struct _DynamicRuleNode *next; } DynamicRuleNode; 
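Review bot: In the `@@ -46,14 +49,15 @@` hunk the `RegisterDynamicRule` prototype still names its first two parameters `uint32_t gid, uint32_t sid`, while the definition in sp_dynamic.c earlier in this diff is `uint32_t sid, uint32_t gid` and its caller passes `sigID` then `genID`. The types were updated on these lines but the swapped names were kept, and since the compiler ignores parameter names in prototypes nothing will flag it; a reader working from the header will pass the two ids in the wrong order. Change the prototype to `uint32_t sid,` followed by `uint32_t gid,` to match the definition. The `extern char *snort_conf_dir;` added in the first hunk is a new global exposed from a plugin header; a comment naming the translation unit that defines it would help.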
@@ -76,16 +81,24 @@ #endif int DynamicPreprocRuleOptInit(void *); -u_int32_t DynamicFlowbitRegister(char *name, int op); -int DynamicFlowbitCheck(void *pkt, int op, u_int32_t id); -int DynamicAsn1Detect(void *pkt, void *ctxt, const u_int8_t *cursor); +uint32_t DynamicFlowbitRegister(char *name, int op); +void DynamicFlowbitUnregister(char *name, int op); +int DynamicFlowbitCheck(void *pkt, int op, uint32_t id); +int DynamicAsn1Detect(void *pkt, void *ctxt, const uint8_t *cursor); +int DynamicsfUnfold(const uint8_t *, uint32_t , uint8_t *, uint32_t , uint32_t *); +int Dynamicsfbase64decode(uint8_t *, uint32_t , uint8_t *, uint32_t , uint32_t *); +int DynamicGetAltDetect(uint8_t **, uint16_t *); +void DynamicSetAltDetect(uint8_t *, uint16_t ); +int DynamicIsDetectFlag(SFDetectFlagType); +void DynamicDetectFlagDisable(SFDetectFlagType); + int DynamicHasFlow(OptTreeNode *otn); int DynamicHasFlowbit(OptTreeNode *otn); int DynamicHasContent(OptTreeNode *otn); int DynamicHasByteTest(OptTreeNode *otn); int DynamicHasPCRE(OptTreeNode *otn); -u_int32_t DynamicRuleHash(void *d); +uint32_t DynamicRuleHash(void *d); int DynamicRuleCompare(void *l, void *r); #endif /* __SP_DYNAMIC_H_ */ diff -Nru snort-2.8.5.2/src/dynamic-plugins/sp_preprocopt.c snort-2.9.2/src/dynamic-plugins/sp_preprocopt.c --- snort-2.8.5.2/src/dynamic-plugins/sp_preprocopt.c 2009-07-07 15:37:05.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sp_preprocopt.c 2011-11-21 20:15:24.000000000 +0000 @@ -17,7 +17,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steven Sturges * @@ -55,10 +55,12 @@ #endif #include +#include "sf_types.h" #include "plugbase.h" #include "rules.h" +#include "treenodes.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "sf_dynamic_engine.h" 
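Review bot: The new prototypes for `DynamicsfUnfold`, `Dynamicsfbase64decode`, `DynamicGetAltDetect` and `DynamicSetAltDetect` in the `@@ -76,16 +81,24 @@` hunk drop all parameter names (`const uint8_t *, uint32_t , uint8_t *, uint32_t , uint32_t *`), whereas every other declaration in this header keeps them (`char *name, int op`, `void *pkt, int op, uint32_t id`). With two `uint8_t *`/`uint32_t` pairs in a row a caller cannot tell input from output without opening the .c file; write them as `int DynamicsfUnfold(const uint8_t *inbuf, uint32_t insize, uint8_t *outbuf, uint32_t outsize, uint32_t *read);` and likewise for the others, which also removes the stray space before each comma (`uint32_t ,`). The `Dynamicsfbase64decode` input pointer should be `const` to match `DynamicsfUnfold` if the underlying decoder permits it.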
@@ -69,23 +71,14 @@ #include "snort.h" #include "profiler.h" #include "util.h" +#include "parser.h" +#include "detection_util.h" #ifdef PERF_PROFILING PreprocStats preprocRuleOptionPerfStats; #endif -extern const u_int8_t *doe_ptr; -extern SnortConfig *snort_conf_for_parsing; - -typedef struct _PreprocessorOptionInfo -{ - PreprocOptionInit optionInit; - PreprocOptionEval optionEval; - PreprocOptionCleanup optionCleanup; - void *data; - PreprocOptionHash optionHash; - PreprocOptionKeyCompare optionKeyCompare; -} PreprocessorOptionInfo; +extern const uint8_t *doe_ptr; SFGHASH * PreprocessorRuleOptionsNew(void) { @@ -113,13 +106,16 @@ sfghash_delete(preproc_rule_options); } -int RegisterPreprocessorRuleOption(char *optionName, - PreprocOptionInit initFunc, - PreprocOptionEval evalFunc, - PreprocOptionCleanup cleanupFunc, - PreprocOptionHash hashFunc, - PreprocOptionKeyCompare keyCompareFunc - ) +int RegisterPreprocessorRuleOption( + char *optionName, + PreprocOptionInit initFunc, + PreprocOptionEval evalFunc, + PreprocOptionCleanup cleanupFunc, + PreprocOptionHash hashFunc, + PreprocOptionKeyCompare keyCompareFunc, + PreprocOptionOtnHandler otnHandler, + PreprocOptionFastPatternFunc fpFunc + ) { int ret; PreprocessorOptionInfo *optionInfo; 
@@ -153,18 +149,27 @@ optionInfo->optionCleanup = cleanupFunc; optionInfo->optionHash = hashFunc; optionInfo->optionKeyCompare = keyCompareFunc; + optionInfo->optionFpFunc = fpFunc; + optionInfo->otnHandler = otnHandler; ret = sfghash_add(p->preproc_rule_options, optionName, optionInfo); if (ret != SFGHASH_OK) { - FatalError("Failed to initialize Preprocessor Rule Option '%s'\n"); + FatalError("Failed to initialize Preprocessor Rule Option '%s'\n", + optionName); } return 0; } int GetPreprocessorRuleOptionFuncs( - char *optionName, PreprocOptionInit* initFunc, PreprocOptionEval* evalFunc) + char *optionName, + PreprocOptionInit* initFunc, + PreprocOptionEval* evalFunc, + PreprocOptionOtnHandler* otnHandler, + PreprocOptionFastPatternFunc* fpFunc, + PreprocOptionCleanup* cleanupFunc + ) { PreprocessorOptionInfo *optionInfo; SnortConfig *sc = snort_conf_for_parsing; @@ -193,20 +198,23 @@ *initFunc = (PreprocOptionInit)optionInfo->optionInit; *evalFunc = (PreprocOptionEval)optionInfo->optionEval; + *fpFunc = (PreprocOptionFastPatternFunc)optionInfo->optionFpFunc; + *otnHandler = (PreprocOptionOtnHandler)optionInfo->otnHandler; + *cleanupFunc = (PreprocOptionCleanup)optionInfo->optionCleanup; return 1; } -u_int32_t PreprocessorRuleOptionHash(void *d) +uint32_t PreprocessorRuleOptionHash(void *d) { - u_int32_t a,b,c; + uint32_t a,b,c; PreprocessorOptionInfo *option_data = (PreprocessorOptionInfo *)d; - + #if (defined(__ia64) || defined(__amd64) || defined(_LP64)) { /* Cleanup warning because of cast from 64bit ptr to 32bit int * warning on 64bit OSs */ - u_int64_t ptr; /* Addresses are 64bits */ + uint64_t ptr; /* Addresses are 64bits */ if (option_data->optionHash != NULL) { 
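Review bot: In the `@@ -193,20 +198,23 @@` hunk `GetPreprocessorRuleOptionFuncs` now stores through three more out-pointers (`*fpFunc`, `*otnHandler`, `*cleanupFunc`) unconditionally, so a caller interested only in the init/eval pair that passes NULL for the new ones will crash; the one visible caller in sp_dynamic.c does pass all six addresses, but nothing tells other callers that NULL is forbidden. Either guard each store, `if (fpFunc != NULL) *fpFunc = (PreprocOptionFastPatternFunc)optionInfo->optionFpFunc;` and likewise for the other two, or state the requirement above the definition: `/* All out-pointers must be non-NULL. */`. GetPreprocessorRuleOptionFuncs starts inside this hunk but the hunk runs on past its end into `PreprocessorRuleOptionHash`.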
@@ -215,18 +223,18 @@ } else { - ptr = (u_int64_t)option_data->data; + ptr = (uint64_t)option_data->data; a = (ptr << 32) & 0XFFFFFFFF; b = (ptr & 0xFFFFFFFF); } - ptr = (u_int64_t)option_data->optionInit; + ptr = (uint64_t)option_data->optionInit; c = (ptr << 32) & 0XFFFFFFFF; mix(a,b,c); a += (ptr & 0xFFFFFFFF); /* mix in the last half of optionInit */ - ptr = (u_int64_t)option_data->optionEval; + ptr = (uint64_t)option_data->optionEval; b += (ptr << 32) & 0XFFFFFFFF; c += (ptr & 0xFFFFFFFF); @@ -236,16 +244,16 @@ if (option_data->optionHash != NULL) a = option_data->optionHash(option_data->data); else - a = (u_int32_t)option_data->data; + a = (uint32_t)option_data->data; - b = (u_int32_t)option_data->optionInit; - c = (u_int32_t)option_data->optionEval; + b = (uint32_t)option_data->optionInit; + c = (uint32_t)option_data->optionEval; mix(a,b,c); #endif a += RULE_OPTION_TYPE_PREPROCESSOR; final(a,b,c); - + return c; } @@ -253,7 +261,7 @@ { PreprocessorOptionInfo *left = (PreprocessorOptionInfo *)l; PreprocessorOptionInfo *right = (PreprocessorOptionInfo *)r; - + if (!left || !right) return DETECTION_OPTION_NOT_EQUAL; @@ -272,7 +280,7 @@ return DETECTION_OPTION_EQUAL; } } - + return DETECTION_OPTION_NOT_EQUAL; } 
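Review bot: In the `@@ -215,18 +223,18 @@` hunk, `c = (ptr << 32) & 0XFFFFFFFF;` and `b += (ptr << 32) & 0XFFFFFFFF;` (and `a = (ptr << 32) & 0XFFFFFFFF;` in the context above them) evaluate to zero on the 64-bit path: shifting a `uint64_t` left by 32 clears the low 32 bits, and the mask then keeps exactly those cleared bits. The intent, per the adjacent comment `/* mix in the last half of optionInit */`, was the upper half of each pointer, i.e. `(ptr >> 32) & 0xFFFFFFFF`. Because `PreprocessorRuleOptionCompare` decides equality, this degrades hash distribution rather than correctness, but every 64-bit option hash currently ignores the high words of `data`, `optionInit` and `optionEval`. The hunk only changed `u_int64_t` to `uint64_t` on these lines, so the defect predates this commit; while touching them, `(uint64_t)option_data->data` should be `(uintptr_t)` for a pointer-to-integer conversion. PreprocessorRuleOptionHash starts in the previous hunk.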
@@ -280,27 +288,34 @@ int PreprocessorOptionFunc(void *option_data, Packet *p) { PreprocessorOptionInfo *optionInfo = (PreprocessorOptionInfo *)option_data; - const u_int8_t *cursor = doe_ptr; - int success; + const uint8_t *cursor = doe_ptr; + int rval; PROFILE_VARS; PREPROC_PROFILE_START(preprocRuleOptionPerfStats); // Call eval function - success = optionInfo->optionEval(p, &cursor, optionInfo->data); + rval = optionInfo->optionEval(p, &cursor, optionInfo->data); if ( cursor ) - doe_ptr = cursor; - - // If successful, call next function in chain - if ( success ) - { - PREPROC_PROFILE_END(preprocRuleOptionPerfStats); - return DETECTION_OPTION_MATCH; - } + SetDoePtr(cursor, DOE_BUF_STD); + // return the value from the preprocessor function PREPROC_PROFILE_END(preprocRuleOptionPerfStats); - return DETECTION_OPTION_NO_MATCH; + return rval; +} + +int GetPreprocFastPatterns(void *data, int proto, int direction, FPContentInfo **fp_contents) +{ + PreprocessorOptionInfo *info = (PreprocessorOptionInfo *)data; + + if ((data == NULL) || (fp_contents == NULL)) + return -1; + + if (info->optionFpFunc != NULL) + return info->optionFpFunc(info->data, proto, direction, fp_contents); + + return -1; } int AddPreprocessorRuleOption(char *optionName, OptTreeNode *otn, void *data, PreprocOptionEval evalFunc) @@ -323,7 +338,7 @@ return 0; optionInfo = sfghash_find(p->preproc_rule_options, optionName); - + if (!optionInfo) return 0; 
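Review bot: `return rval;` in `PreprocessorOptionFunc` now passes the preprocessor's `optionEval` result straight into the detection tree, whereas the removed code mapped any nonzero value to `DETECTION_OPTION_MATCH` and zero to `DETECTION_OPTION_NO_MATCH`. A preprocessor rule option that still returns a plain nonzero for "matched" is now depending on that value coinciding with the `DETECTION_OPTION_*` encoding; the contract should be stated at the return, e.g. replace `// return the value from the preprocessor function` with `/* optionEval must return a DETECTION_OPTION_* value; it is passed through as-is */`. In the new `GetPreprocFastPatterns`, `-1` is returned both for NULL arguments and for an option that simply has no fast-pattern callback, so callers cannot tell an error from "nothing to add"; returning `0` for the latter, or a comment saying callers treat both alike, would remove the ambiguity. Both functions are complete within the hunk.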
@@ -385,13 +400,17 @@ free(keyword_plus_option); } -void RegisterPreprocessorRuleOptionOverride(char *keyword, char *option, - PreprocOptionInit initFunc, - PreprocOptionEval evalFunc, - PreprocOptionCleanup cleanupFunc, - PreprocOptionHash hashFunc, - PreprocOptionKeyCompare keyCompareFunc - ) +void RegisterPreprocessorRuleOptionOverride( + char *keyword, + char *option, + PreprocOptionInit initFunc, + PreprocOptionEval evalFunc, + PreprocOptionCleanup cleanupFunc, + PreprocOptionHash hashFunc, + PreprocOptionKeyCompare keyCompareFunc, + PreprocOptionOtnHandler otnHandler, + PreprocOptionFastPatternFunc fpFunc + ) { int ret; char *keyword_plus_option; @@ -401,7 +420,7 @@ SnortSnprintf(keyword_plus_option, name_len, "%s %s", keyword, option); ret = RegisterPreprocessorRuleOption(keyword_plus_option, initFunc, evalFunc, - cleanupFunc, hashFunc, keyCompareFunc); + cleanupFunc, hashFunc, keyCompareFunc, otnHandler, fpFunc); /* Hash table allocs and manages keys internally */ free(keyword_plus_option); @@ -412,4 +431,9 @@ RegisterOverrideKeyword(keyword, option, &PreprocessorRuleOptionOverrideFunc); } +void RegisterPreprocessorRuleOptionByteOrder(char *keyword, PreprocOptionByteOrderFunc boo_func) +{ + RegisterByteOrderKeyword(keyword, boo_func); +} + #endif /* DYNAMIC_PLUGIN */ diff -Nru snort-2.8.5.2/src/dynamic-plugins/sp_preprocopt.h snort-2.9.2/src/dynamic-plugins/sp_preprocopt.h --- snort-2.8.5.2/src/dynamic-plugins/sp_preprocopt.h 2009-07-07 15:37:05.000000000 +0000 +++ snort-2.9.2/src/dynamic-plugins/sp_preprocopt.h 2011-11-21 20:15:24.000000000 +0000 @@ -14,7 +14,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steven Sturges * 
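Review bot: The new `RegisterPreprocessorRuleOptionByteOrder` in the `@@ -412,4 +431,9 @@` hunk is an undocumented pass-through to `RegisterByteOrderKeyword`, and its parameter is spelled `boo_func` here but `bo_func` in the sp_preprocopt.h hunk that follows; pick one. A short header would help the reader of this layer, e.g. `/* Register a byte-order callback for rules using this keyword; thin wrapper over RegisterByteOrderKeyword(). */`, with a TODO on whether `keyword` is copied or must outlive the call, which the visible code does not show. In the `@@ -401,7 +420,7 @@` hunk `ret` receives the result of `RegisterPreprocessorRuleOption(...)` but is not inspected before `free(keyword_plus_option)`; if that function only ever returns 0 (its visible failure path ends in FatalError), `ret` is a dead variable, and if not, a failed registration is silently dropped. RegisterPreprocessorRuleOptionOverride runs past the end of that hunk.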
@@ -37,27 +37,41 @@ PreprocOptionEval evalFunc, PreprocOptionCleanup cleanupFunc, PreprocOptionHash hashFunc, - PreprocOptionKeyCompare keyCompareFunc + PreprocOptionKeyCompare keyCompareFunc, + PreprocOptionOtnHandler otnHandler, + PreprocOptionFastPatternFunc fpFunc ); + void RegisterPreprocessorRuleOptionOverride( char *keyword, char *option, PreprocOptionInit initFunc, PreprocOptionEval evalFunc, PreprocOptionCleanup cleanupFunc, PreprocOptionHash hashFunc, - PreprocOptionKeyCompare keyCompareFunc + PreprocOptionKeyCompare keyCompareFunc, + PreprocOptionOtnHandler otnHandler, + PreprocOptionFastPatternFunc fpFunc ); + int GetPreprocessorRuleOptionFuncs( char *optionName, PreprocOptionInit* initFunc, - PreprocOptionEval* evalFunc + PreprocOptionEval* evalFunc, + PreprocOptionOtnHandler* otnHandler, + PreprocOptionFastPatternFunc* fpFunc, + PreprocOptionCleanup* cleanupFunc ); + +void RegisterPreprocessorRuleOptionByteOrder(char *keyword, PreprocOptionByteOrderFunc bo_func); + int AddPreprocessorRuleOption(char *, OptTreeNode *, void *, PreprocOptionEval); -u_int32_t PreprocessorRuleOptionHash(void *d); +uint32_t PreprocessorRuleOptionHash(void *d); int PreprocessorRuleOptionCompare(void *l, void *r); void PreprocessorRuleOptionsFreeFunc(void *); +int GetPreprocFastPatterns(void *, int, int, FPContentInfo **); +int PreprocessorOptionFunc(void *option_data, Packet *p); #endif /* __SP_PREPROCOPT_H_ */ diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/dcerpc.c snort-2.9.2/src/dynamic-preprocessors/dcerpc/dcerpc.c --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/dcerpc.c 2009-05-06 22:28:46.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc/dcerpc.c 1970-01-01 00:00:00.000000000 +0000 
@@ -1,408 +0,0 @@ -/* - * dcerpc.c - * - * Copyright (C) 2006-2009 Sourcefire, Inc. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License Version 2 as - * published by the Free Software Foundation. You may not use, modify or - * distribute this program under any other version of the GNU General - * Public License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - * - * - */ -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - -#include - -#ifdef HAVE_WCHAR_H -#include -#endif - -#include "debug.h" -#include "sf_snort_packet.h" -#include "bounds.h" - -#include "smb_structs.h" -#include "snort_dcerpc.h" -#include "dcerpc_util.h" -#include "dcerpc.h" - -#define SEG_BUF_SIZE 100000 - -typedef enum _DCERPC_FragType -{ - DCERPC_FRAG_TYPE__FULL, - DCERPC_FRAG_TYPE__FRAG, - DCERPC_FRAG_TYPE__LAST, - DCERPC_FRAG_TYPE__ERROR - -} DCERPC_FragType; - -extern DCERPC *_dcerpc; -extern SFSnortPacket *_dcerpc_pkt; -extern uint8_t *dce_reassembly_buf; -extern uint16_t dce_reassembly_buf_size; -extern SFSnortPacket *real_dce_mock_pkt; -extern DceRpcConfig *dcerpc_eval_config; - -/* Check to see if we have a full DCE/RPC fragment - * Guarantees: - * There is enough data to slap header on and grab fields from - * Is most likely a DCE/RPC packet - * DCE/RPC fragment length is greater than the size of request header - * DCE/RPC fragment length is less than or equal to size of data remaining - */ -int IsCompleteDCERPCMessage(const uint8_t *data, uint16_t size) -{ - const DCERPC_HDR *dcerpc; - 
uint16_t frag_length; - - if (size < sizeof(DCERPC_REQ)) - return 0; - - /* Check to see if this is a valid DCE/RPC packet */ - dcerpc = (const DCERPC_HDR *) data; - - /* Check for version and packet type - mark as DCERPC session */ - if ((dcerpc->version != 5) || - ((dcerpc->packet_type != DCERPC_REQUEST) && (dcerpc->packet_type != DCERPC_BIND))) - { - return 0; - } - - frag_length = dcerpc_ntohs(dcerpc->byte_order, dcerpc->frag_length); - - if (frag_length < sizeof(DCERPC_REQ)) - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Error: DCERPC frag length <= size of request header.\n");); - return 0; - } - - /* Wait until we have the whole DCE/RPC message */ - if ( frag_length > size ) - return 0; - - return 1; -} - -/* Return 1 if successfully parsed at least one message */ -int ProcessDCERPCMessage(const uint8_t *smb_hdr, uint16_t smb_hdr_len, const uint8_t *data, uint16_t size) -{ - uint16_t current_size = size; - const uint8_t *current_data = data; - uint16_t opnum = 0; - DCERPC_Buffer *sbuf; - - if (_dcerpc->trans == DCERPC_TRANS_TYPE__DCERPC) - sbuf = &_dcerpc->tcp_seg_buf; - else - sbuf = &_dcerpc->smb_seg_buf; - - if (!DCERPC_BufferIsEmpty(sbuf)) - { - if (DCERPC_BufferAddData(_dcerpc, sbuf, current_data, current_size) == -1) - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Failed to add data to seg buf\n");); - _dcerpc->fragmentation |= SUSPEND_FRAGMENTATION; - DCERPC_BufferFreeData(sbuf); - return -1; - } - - if (!IsCompleteDCERPCMessage(sbuf->data, sbuf->len)) - return DCERPC_SEGMENTED; - - current_data = sbuf->data; - current_size = sbuf->len; - } - else if (!IsCompleteDCERPCMessage(current_data, current_size)) - { - if (DCERPC_BufferAddData(_dcerpc, sbuf, current_data, current_size) == -1) - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Failed to add data to seg buf\n");); - _dcerpc->fragmentation |= SUSPEND_FRAGMENTATION; - DCERPC_BufferFreeData(sbuf); - return -1; - } - - return DCERPC_SEGMENTED; - } - - /* Check fragmentation - got at least one full fragment */ 
- while (current_size > 0) - { - const DCERPC_HDR *dcerpc = (DCERPC_HDR *) current_data; - uint16_t frag_length = dcerpc_ntohs(dcerpc->byte_order, dcerpc->frag_length); - DCERPC_FragType frag_type = DCERPC_FRAG_TYPE__FULL; - - if (dcerpc->packet_type != DCERPC_REQUEST) - return DCERPC_FULL_FRAGMENT; - - if (current_size >= sizeof(DCERPC_REQ)) - { - DCERPC_REQ *dce_req = (DCERPC_REQ *)current_data; - opnum = dce_req->opnum; - } - - if (frag_length > sizeof(DCERPC_REQ)) - { - frag_type = DCERPC_Fragmentation(current_data, (uint16_t)current_size, frag_length); - if (frag_type == DCERPC_FRAG_TYPE__LAST) - { - ReassembleDCERPCRequest(smb_hdr, smb_hdr_len, current_data); - - if (!DCERPC_BufferIsEmpty(sbuf)) - DCERPC_BufferEmpty(sbuf); - - if (!DCERPC_BufferIsEmpty(&_dcerpc->dce_frag_buf)) - DCERPC_BufferEmpty(&_dcerpc->dce_frag_buf); - - return DCERPC_FRAG_REASSEMBLED; - } - else if (frag_type == DCERPC_FRAG_TYPE__ERROR) - { - return -1; - } - } - - if (frag_type == DCERPC_FRAG_TYPE__FULL) - return DCERPC_FULL_FRAGMENT; - - current_size -= frag_length; - current_data += frag_length; - - /* see if we have another full fragment in this packet */ - if (!IsCompleteDCERPCMessage(current_data, current_size)) - break; - } - - if (!DCERPC_BufferIsEmpty(sbuf)) - { - if (current_size != 0) - { - int status = SafeMemmove(sbuf->data, current_data, current_size, - sbuf->data, sbuf->data + sbuf->size); - - if (status != SAFEMEM_SUCCESS) - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Failed to move data in seg buf\n");); - _dcerpc->fragmentation |= SUSPEND_FRAGMENTATION; - DCERPC_BufferFreeData(sbuf); - return -1; - } - - sbuf->len = current_size; - } - else - { - DCERPC_BufferEmpty(sbuf); - } - } - else if (current_size != 0) - { - if (DCERPC_BufferAddData(_dcerpc, sbuf, current_data, current_size) == -1) - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Failed to add data to seg buf\n");); - _dcerpc->fragmentation |= SUSPEND_FRAGMENTATION; - DCERPC_BufferFreeData(sbuf); - return -1; - } - } 
- - if (dcerpc_eval_config->reassemble_increment) - DCERPC_EarlyFragReassemble(_dcerpc, smb_hdr, smb_hdr_len, opnum); - - return DCERPC_FRAGMENT; -} - - -/* - Return 0 if not fragmented OR if fragmented and not last fragment - Return 1 if fragmented and last fragment - */ - - -int DCERPC_Fragmentation(const uint8_t *data, uint16_t data_size, uint16_t frag_length) -{ - DCERPC_HDR *dcerpc_hdr; - DCERPC_Buffer *buf = &_dcerpc->dce_frag_buf; - - if (data_size <= sizeof(DCERPC_REQ)) - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Error: Not a DCERPC request.\n");); - return DCERPC_FRAG_TYPE__ERROR; - } - - dcerpc_hdr = (DCERPC_HDR *) data; - - if ((dcerpc_hdr->flags & DCERPC_FIRST_FRAG) && - (dcerpc_hdr->flags & DCERPC_LAST_FRAG)) - { - if (!DCERPC_BufferIsEmpty(buf)) - DCERPC_BufferFreeData(buf); - - return DCERPC_FRAG_TYPE__FULL; - } - - if (frag_length <= sizeof(DCERPC_REQ)) - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Invalid frag length in DCERPC request.\n");); - return DCERPC_FRAG_TYPE__ERROR; - } - - frag_length -= sizeof(DCERPC_REQ); - data += sizeof(DCERPC_REQ); - data_size -= sizeof(DCERPC_REQ); - - if (frag_length > dcerpc_eval_config->max_frag_size) - frag_length = dcerpc_eval_config->max_frag_size; - - if (DCERPC_BufferAddData(_dcerpc, buf, data, frag_length) == -1) - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Failed to add data to frag buf\n");); - _dcerpc->fragmentation |= SUSPEND_FRAGMENTATION; - DCERPC_BufferFreeData(buf); - return DCERPC_FRAG_TYPE__ERROR; - } - - if (dcerpc_eval_config->debug_print) - PrintBuffer("DCE/RPC current frag reassembly buffer", buf->data, buf->len); - - if (dcerpc_hdr->flags & DCERPC_LAST_FRAG) - return DCERPC_FRAG_TYPE__LAST; - - return DCERPC_FRAG_TYPE__FRAG; -} - -void ReassembleDCERPCRequest(const uint8_t *smb_hdr, uint16_t smb_hdr_len, const uint8_t *data) -{ - int pkt_len; - DCERPC_REQ fake_req; - unsigned int dcerpc_req_len = sizeof(DCERPC_REQ); - int status; - uint16_t data_len = 0; - DCERPC_Buffer *buf = 
&_dcerpc->dce_frag_buf; - - /* Make sure we have room to fit into buffer */ - if (smb_hdr != NULL) - pkt_len = sizeof(NBT_HDR) + smb_hdr_len + dcerpc_req_len + buf->len; - else - pkt_len = dcerpc_req_len + buf->len; - - if (pkt_len > dce_reassembly_buf_size) - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Reassembled DCE/RPC packet " - "greater than %d bytes, skipping.\n", dce_reassembly_buf_size)); - - /* just shorten it - don't want to lose all of - * this information */ - buf->len = dce_reassembly_buf_size - (pkt_len - buf->len); - } - - /* Mock up header */ - status = SafeMemcpy(&fake_req, data, dcerpc_req_len, - &fake_req, (uint8_t *)&fake_req + dcerpc_req_len); - - if (status != SAFEMEM_SUCCESS) - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Failed to copy DCERPC header, " - "skipping DCERPC reassembly.\n")); - - DCERPC_BufferFreeData(buf); - return; - } - - fake_req.dcerpc_hdr.frag_length = - dcerpc_htons(fake_req.dcerpc_hdr.byte_order, dcerpc_req_len + buf->len); - fake_req.dcerpc_hdr.flags |= (DCERPC_FIRST_FRAG | DCERPC_LAST_FRAG); - fake_req.alloc_hint = dcerpc_htonl(fake_req.dcerpc_hdr.byte_order, buf->len); - - if (smb_hdr != NULL) - { - status = SafeMemcpy(dce_reassembly_buf, _dcerpc_pkt->payload, sizeof(NBT_HDR), - dce_reassembly_buf, dce_reassembly_buf + dce_reassembly_buf_size); - - if (status != SAFEMEM_SUCCESS) - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Failed to copy DCERPC header, " - "skipping DCERPC reassembly.\n");); - - DCERPC_BufferFreeData(buf); - return; - } - - data_len += sizeof(NBT_HDR); - - status = SafeMemcpy(dce_reassembly_buf + data_len, - smb_hdr, smb_hdr_len, - dce_reassembly_buf, dce_reassembly_buf + dce_reassembly_buf_size); - - if (status != SAFEMEM_SUCCESS) - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Failed to copy DCERPC header, " - "skipping DCERPC reassembly.\n");); - - DCERPC_BufferFreeData(buf); - return; - } - - data_len += smb_hdr_len; - } - - status = SafeMemcpy(dce_reassembly_buf + data_len, - &fake_req, 
dcerpc_req_len, - dce_reassembly_buf, dce_reassembly_buf + dce_reassembly_buf_size); - - if (status != SAFEMEM_SUCCESS) - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Failed to copy DCERPC header, " - "skipping DCERPC reassembly.\n");); - - DCERPC_BufferFreeData(buf); - return; - } - - data_len += dcerpc_req_len; - - /* Copy data into buffer */ - status = SafeMemcpy(dce_reassembly_buf + data_len, buf->data, buf->len, - dce_reassembly_buf, dce_reassembly_buf + dce_reassembly_buf_size); - - if (status != SAFEMEM_SUCCESS) - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Failed to copy DCERPC data, " - "skipping DCERPC reassembly.\n");); - - DCERPC_BufferFreeData(buf); - return; - } - - data_len += buf->len; - - if (dcerpc_eval_config->debug_print) - { - PrintBuffer("DCE/RPC reassembled request", - (uint8_t *)dce_reassembly_buf, data_len); - } - - /* create pseudo packet */ - real_dce_mock_pkt = DCERPC_SetPseudoPacket(_dcerpc_pkt, dce_reassembly_buf, data_len); - if (real_dce_mock_pkt == NULL) - { - DCERPC_BufferFreeData(buf); - return; - } -} - - diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/dcerpc_config.c snort-2.9.2/src/dynamic-preprocessors/dcerpc/dcerpc_config.c --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/dcerpc_config.c 2009-05-06 22:28:47.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc/dcerpc_config.c 1970-01-01 00:00:00.000000000 +0000 
@@ -1,453 +0,0 @@
-/*
- * dcerpc_config.c
- *
- * Copyright (C) 2004-2009 Sourcefire, Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License Version 2 as
- * published by the Free Software Foundation. You may not use, modify or
- * distribute this program under any other version of the GNU General
- * Public License.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Description:
- *
- * Parses the configuration data.
- *
- * Arguments:
- *
- * This plugin takes port list(s) representing the TCP ports that the
- * user is interested in having decoded. It is of the format
- *
- * ports smb { port1 [port2 ...] }
- * ports dcerpc { port1 [port2 ...] }
- *
- * where smb is used to specify the ports for SMB over NetBios/TCP
- * or raw SMB, and dcerpc is used to specify raw DCE/RPC.
- *
- */
-
-#include
-#include
-#include
-
-#include "sf_snort_plugin_api.h"
-#include "snort_dcerpc.h"
-#include "smb_structs.h"
-#include "smb_andx_decode.h"
-#include "smb_file_decode.h"
-
-#include "profiler.h"
-
-/*
- * The definition of the configuration separators in the snort.conf
- * configure line.
- */
-#define CONF_SEPARATORS " \t\n\r"
-
-
-/*
- * Port list delimiters
- */
-#define START_PORT_LIST "{"
-#define END_PORT_LIST "}"
-
-/*
- * Configuration options
- */
-#define OPT_PORTS "ports"
-#define OPT_SMB_PORTS "smb"
-#define OPT_RPC_PORTS "dcerpc"
-#define OPT_AUTODETECT "autodetect"
-#define OPT_DISABLE_SMB_FRAG "disable_smb_frag"
-#define OPT_DISABLE_DCERPC_FRAG "disable_dcerpc_frag"
-#define OPT_PRINT_DEBUG "debug_print"
-#define OPT_MAX_FRAG_SIZE "max_frag_size"
-#define OPT_MEMCAP "memcap"
-#define OPT_ALERT_MEMCAP "alert_memcap"
-#define OPT_REASSEMBLE_INCREMENT "reassemble_increment"
-
-#define PORT_STR_LEN 512
-
-enum e_transport_type
-{
- TRANS_SMB = 1,
- TRANS_RPC = 2
-};
-
-/*
- * Function: InitializeDefaultSMBConfig()
- *
- * Purpose: Sets the default configuration for the SMB preprocessor.
- *
- * Arguments: None
- *
- * Returns: void
- *
- */
-static void InitializeDefaultSMBConfig(DceRpcConfig *config)
-{
- if (config == NULL)
- return;
-
- config->max_frag_size = DEFAULT_MAX_FRAG_SIZE;
- config->memcap = DEFAULT_MEMCAP * 1024;
-
- memset(config->SMBPorts, 0, sizeof(config->SMBPorts));
- memset(config->DCERPCPorts, 0, sizeof(config->DCERPCPorts));
-
- config->SMBPorts[PORT_INDEX(139)] |= CONV_PORT(139);
- config->SMBPorts[PORT_INDEX(445)] |= CONV_PORT(445);
- config->DCERPCPorts[PORT_INDEX(135)] |= CONV_PORT(135);
-}
-
-/*
- * Function: SmbSetPorts(int type)
- *
- * Purpose: Reads the list of port numbers from the argument string and
- * parses them into the port list data struct
- *
- * Arguments: portlist => argument list
- *
- * Returns: int indicating error
- *
- */
-int SMBSetPorts(DceRpcConfig *config, int type, char *ErrorString, int ErrStrLen)
-{
- int isReset = 0;
- char *token = strtok(NULL, CONF_SEPARATORS);
- char *transportType = "SMB";
- char *ports = NULL;
- int portsSize = 0;
- char portstr[PORT_STR_LEN];
-
- portstr[PORT_STR_LEN - 1] = '\0';
-
- if (token == NULL)
- {
- snprintf(ErrorString, ErrStrLen, "DCE/RPC - invalid port list\n");
- return -1;
- }
-
- switch (type)
- {
- case TRANS_SMB:
- ports = config->SMBPorts;
- portsSize = sizeof(config->SMBPorts);
- transportType = "SMB";
- break;
- case TRANS_RPC:
- ports = config->DCERPCPorts;
- portsSize = sizeof(config->DCERPCPorts);
- transportType = "DCE/RPC";
- break;
- default:
- snprintf(ErrorString, ErrStrLen, "Invalid type %d.", type);
- return -1;
- }
-
- if (strcmp(token , START_PORT_LIST))
- {
- snprintf(ErrorString, ErrStrLen, "Invalid token %s."
- "Missing port list delimiter, expecting '{'.\n", token);
- return -1;
- }
-
- token = strtok(NULL, CONF_SEPARATORS);
-
- if (token == NULL)
- {
- snprintf(ErrorString, ErrStrLen, "DCE/RPC - invalid port list\n");
- return -1;
- }
-
- if ( !strcmp(token,END_PORT_LIST) )
- {
- DynamicPreprocessorFatalMessage("ERROR %s(%d) => Empty port list.\n",
- *_dpd.config_file, *_dpd.config_line);
- }
-
- while (token && strcmp(token,END_PORT_LIST))
- {
- if(isdigit((int)token[0]))
- {
- char *num_p = NULL; /* used to determine last position in string */
- long t_num;
-
- t_num = strtol(token, &num_p, 10);
-
- if(*num_p != '\0')
- {
- DynamicPreprocessorFatalMessage("ERROR %s(%d) => Port Number invalid format: %s\n",
- *_dpd.config_file, *_dpd.config_line, token);
- }
- else if(t_num < 0 || t_num > MAXPORTS-1)
- {
- DynamicPreprocessorFatalMessage("ERROR %s(%d) => Port Number out of range: %ld\n",
- *_dpd.config_file, *_dpd.config_line, t_num);
- }
-
- /* user specified a legal port number and it should override the default
- port list, so reset it unless already done */
- if(!isReset)
- {
- memset(ports, 0, portsSize);
- portstr[0] = '\0';
- isReset = 1;
- }
-
- /* mark this port as being interesting using some portscan2-type voodoo,
- and also add it to the port list string while we're at it so we can
- later print out all the ports with a single LogMessage() */
- ports[PORT_INDEX(t_num)] |= CONV_PORT(t_num);
-
- snprintf(portstr + strlen(portstr), PORT_STR_LEN - strlen(portstr), "%s ", token);
-
- if (portstr[PORT_STR_LEN - 1] != '\0')
- {
- DynamicPreprocessorFatalMessage("%s(%d) => Too many ports as of port %ld.\n",
- *_dpd.config_file, *_dpd.config_line, t_num);
- }
- }
- else
- {
- DynamicPreprocessorFatalMessage("ERROR %s(%d) => Non-numeric port number: %s\n",
- *_dpd.config_file, *_dpd.config_line, token);
- }
- token = strtok(NULL, CONF_SEPARATORS);
- }
-
- /* print out final port list */
- _dpd.logMsg(" Ports to decode %s: %s\n", transportType, portstr);
-
- return 0;
-}
-
-
-/*
- * Function: DCERPCProcessConf(char *)
- *
- * Purpose: Reads the list of port numbers from the argument string and
- * parses them into the port list data struct
- *
- * Arguments: portlist => argument list
- *
- * Returns: int indicating error
- *
- */
-int DCERPCProcessConf(DceRpcConfig *config, char *pcToken, char *ErrorString, int ErrStrLen)
-{
- int iRet = 0;
- int iTokens = 0;
-
- if (config == NULL)
- {
- DynamicPreprocessorFatalMessage("%s(%d) DceRpc config is NULL.\n",
- __FILE__, __LINE__);
- }
-
- /* Initialize the defaults */
- InitializeDefaultSMBConfig(config);
-
- _dpd.logMsg("DCE/RPC Decoder config:\n");
-
- while(pcToken != NULL)
- {
- /*
- * Show that we at least got one token
- */
- iTokens = 1;
-
- /*
- * Search for configuration keywords
- */
- if ( !strcasecmp(pcToken, OPT_PORTS) )
- {
- /* Next should be smb or dcerpc, then the actual ports.
- * ie, ports smb { 139 }
- * ie, ports dcerpc { 135 }
- */
- pcToken = strtok(NULL, CONF_SEPARATORS);
- if (!pcToken)
- {
- snprintf(ErrorString, ErrStrLen, "Missing tokens from port list\n");
- return -1;
- }
-
- if ( !strcasecmp(pcToken, OPT_SMB_PORTS) )
- {
- iRet = SMBSetPorts(config, TRANS_SMB, ErrorString, ErrStrLen);
- }
- else if (!strcasecmp(pcToken, OPT_RPC_PORTS))
- {
- iRet = SMBSetPorts(config, TRANS_RPC, ErrorString, ErrStrLen);
- }
- else
- {
- snprintf(ErrorString, ErrStrLen,
- "Invalid SMB transport specification: %s. "
- "Should be 'smb' or 'dcerpc'\n", pcToken);
- return -1;
- }
-
- if (iRet)
- return iRet;
- }
- else if ( !strcasecmp(pcToken, OPT_REASSEMBLE_INCREMENT) )
- {
- pcToken = strtok(NULL, CONF_SEPARATORS);
- if (pcToken == NULL || !isdigit((int)pcToken[0]))
- {
- snprintf(ErrorString, ErrStrLen,
- "Increment must be an integer\n");
- return -1;
- }
-
- config->reassemble_increment = atoi(pcToken);
-
- if ((config->reassemble_increment < 0) ||
- (config->reassemble_increment > 65535))
- {
- snprintf(ErrorString, ErrStrLen,
- "Increment must be an integer\n");
- return -1;
- }
- }
- else if ( !strcasecmp(pcToken, OPT_DISABLE_SMB_FRAG) )
- {
- config->disable_smb_fragmentation = 1;
- }
- else if ( !strcasecmp(pcToken, OPT_DISABLE_DCERPC_FRAG) )
- {
- config->disable_dcerpc_fragmentation = 1;
- }
- else if ( !strcasecmp(pcToken, OPT_AUTODETECT) )
- {
- config->autodetect = 1;
- }
- else if ( !strcasecmp(pcToken, OPT_PRINT_DEBUG) )
- {
- config->debug_print = 1;
- }
- else if ( !strcasecmp(pcToken, OPT_MAX_FRAG_SIZE) )
- {
- int max_frag_size;
-
- pcToken = strtok(NULL, CONF_SEPARATORS);
-
- if (pcToken == NULL || !isdigit((int)pcToken[0]))
- {
- snprintf(ErrorString, ErrStrLen,
- "Frag size must be an integer between 0 and 65535\n");
- return -1;
- }
-
- max_frag_size = atoi(pcToken);
-
- if (max_frag_size < 0 || max_frag_size > 65535)
- {
- snprintf(ErrorString, ErrStrLen,
- "Frag size must be an integer between 0 and 65535\n");
- return -1;
- }
-
- if ( max_frag_size == 0 )
- {
- max_frag_size = DEFAULT_MAX_FRAG_SIZE;
- _dpd.logMsg(" WARNING: Invalid max frag size - setting to default.\n");
- }
- else if ( max_frag_size > MAX_MAX_FRAG_SIZE )
- {
- max_frag_size = MAX_MAX_FRAG_SIZE;
- _dpd.logMsg(" WARNING: Max frag size exceeded - setting to maximum.\n");
- }
-
- config->max_frag_size = max_frag_size;
- }
- else if ( !strcasecmp(pcToken, OPT_MEMCAP) )
- {
- int memcap;
-
- pcToken = strtok(NULL, CONF_SEPARATORS);
-
- if (pcToken == NULL || !isdigit((int)pcToken[0]))
- {
- snprintf(ErrorString, ErrStrLen,
- "Frag size must be an integer between 0 and 4194303\n");
- return -1;
- }
-
- memcap = atoi(pcToken);
-
- if (memcap < 0 || memcap > 4194303)
- {
- snprintf(ErrorString, ErrStrLen,
- "Frag size must be an integer between 0 and 4194303\n");
- return -1;
- }
-
- if ( memcap == 0 )
- {
- memcap = DEFAULT_MEMCAP;
- _dpd.logMsg(" WARNING: Invalid memcap - setting to default.\n");
- }
- else if ( memcap > DEFAULT_MEMCAP )
- {
- memcap = DEFAULT_MEMCAP;
- _dpd.logMsg(" WARNING: Memcap exceeded - setting to maximum.\n");
- }
-
- config->memcap = memcap * 1024;
- }
- else if ( !strcasecmp(pcToken, OPT_ALERT_MEMCAP) )
- {
- config->alert_memcap = 1;
- }
- /*
- * Invalid configuration keyword
- */
- else
- {
- snprintf(ErrorString, ErrStrLen,
- "Invalid configuration token '%s'.\n", pcToken);
-
- return -1;
- }
-
- pcToken = strtok(NULL, CONF_SEPARATORS);
- }
-
- /*
- * If there are not any tokens to the configuration, then
- * we let the user know and log the error. return non-fatal
- * error.
- */
- if(!iTokens)
- {
- snprintf(ErrorString, ErrStrLen,
- "No tokens to 'dcerpc' configuration.");
-
- return -1;
- }
-
- _dpd.logMsg(" Autodetect ports %s\n", config->autodetect ? "ENABLED" : "DISABLED");
- _dpd.logMsg(" SMB fragmentation %s\n", config->disable_smb_fragmentation ? "DISABLED" : "ENABLED");
- _dpd.logMsg(" DCE/RPC fragmentation %s\n", config->disable_dcerpc_fragmentation ? "DISABLED" : "ENABLED");
- _dpd.logMsg(" Max Frag Size: %u bytes\n", config->max_frag_size);
- _dpd.logMsg(" Memcap: %lu KB\n", config->memcap/1024);
- _dpd.logMsg(" Alert if memcap exceeded %s\n", config->alert_memcap ? "ENABLED" : "DISABLED");
- if (config->reassemble_increment == 0)
- _dpd.logMsg(" Reassembly increment: DISABLED\n");
- else
- _dpd.logMsg(" Reassembly increment: %u\n", config->reassemble_increment);
-
- return 0;
-}
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/dcerpc.h snort-2.9.2/src/dynamic-preprocessors/dcerpc/dcerpc.h
--- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/dcerpc.h 2009-05-06 22:28:47.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/dcerpc/dcerpc.h 1970-01-01 00:00:00.000000000 +0000
@@ -1,128 +0,0 @@
-/*
- * dcerpc.h
- *
- * Copyright (C) 2006-2009 Sourcefire, Inc.
- * Andrew Mullican
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License Version 2 as
- * published by the Free Software Foundation. You may not use, modify or
- * distribute this program under any other version of the GNU General
- * Public License.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Description:
- *
- * Declares routines that handle decoding DCERPC packets.
- *
- *
- */
-#ifndef _DCERPC_H_
-#define _DCERPC_H_
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#ifdef WIN32
-#pragma pack(push,dce_hdrs,1)
-#else
-#pragma pack(1)
-#endif
-
-#define DCERPC_SEGMENTED 1
-#define DCERPC_FULL_FRAGMENT 2
-#define DCERPC_FRAG_REASSEMBLED 3
-#define DCERPC_FRAGMENT 4
-
-typedef struct dcerpc_hdr
-{
- uint8_t version;
- uint8_t version_minor;
- uint8_t packet_type;
- uint8_t flags;
- uint8_t byte_order;
- uint8_t floating_point;
- uint16_t padding;
-
- uint16_t frag_length;
- uint16_t auth_length;
- uint32_t call_id;
-
-} DCERPC_HDR;
-
-typedef struct dcerpc_req
-{
- DCERPC_HDR dcerpc_hdr;
- uint32_t alloc_hint;
- uint16_t context_id;
- uint16_t opnum;
-
-} DCERPC_REQ;
-
-/* Packet types */
-#define DCERPC_REQUEST 0
-#define DCERPC_BIND 11
-
-/* Packet flags */
-#define DCERPC_FIRST_FRAG 0x01
-#define DCERPC_LAST_FRAG 0x02
-
-#define DCERPC_FRAG_ALLOC 2
-
-/* PIPE function */
-#define DCERPC_PIPE 0x0026
-
-#define DCERPC_BYTE_ORDER(byte_order_flag) ((uint8_t)byte_order_flag & 0xF0) >> 4
-
-#ifdef WORDS_BIGENDIAN
-
-#define dcerpc_ntohs(byte_order_flag, value) \
-(DCERPC_BYTE_ORDER(byte_order_flag) == 0 ? (uint16_t)(value) : \
- (((uint16_t)(value) & 0xff00) >> 8) | (((uint16_t)(value) & 0x00ff) << 8))
-
-#define dcerpc_ntohl(byte_order_flag, value) \
-(DCERPC_BYTE_ORDER(byte_order_flag) == 0 ? (uint32_t)(value) : \
- (((uint32_t)(value) & 0xff000000) >> 24) | (((uint32_t)(value) & 0x00ff0000) >> 8) | \
- (((uint32_t)(value) & 0x0000ff00) << 8) | (((uint32_t)(value) & 0x000000ff) << 24))
-
-#else
-
-#define dcerpc_ntohs(byte_order_flag, value) \
-(DCERPC_BYTE_ORDER(byte_order_flag) == 1 ? (uint16_t)(value) : \
- (((uint16_t)(value) & 0xff00) >> 8) | (((uint16_t)(value) & 0x00ff) << 8))
-
-#define dcerpc_ntohl(byte_order_flag, value) \
-(DCERPC_BYTE_ORDER(byte_order_flag) == 1 ? (uint32_t)(value) : \
- (((uint32_t)(value) & 0xff000000) >> 24) | (((uint32_t)(value) & 0x00ff0000) >> 8) | \
- (((uint32_t)(value) & 0x0000ff00) << 8) | (((uint32_t)(value) & 0x000000ff) << 24))
-
-#endif /* WORDS_BIGENDIAN */
-
-#define dcerpc_htons dcerpc_ntohs
-#define dcerpc_htonl dcerpc_ntohl
-
-
-int IsCompleteDCERPCMessage(const uint8_t *, uint16_t);
-int ProcessDCERPCMessage(const uint8_t *, uint16_t, const uint8_t *, uint16_t);
-
-void ReassembleDCERPCRequest(const uint8_t *, uint16_t, const uint8_t *);
-int DCERPC_Fragmentation(const uint8_t *, uint16_t, uint16_t);
-
-
-#ifdef WIN32
-#pragma pack(pop,dce_hdrs)
-#else
-#pragma pack()
-#endif
-
-#endif /* _DCERPC_H_ */
-
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/dcerpc_util.c snort-2.9.2/src/dynamic-preprocessors/dcerpc/dcerpc_util.c
--- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/dcerpc_util.c 2009-05-06 22:28:47.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/dcerpc/dcerpc_util.c 1970-01-01 00:00:00.000000000 +0000
@@ -1,76 +0,0 @@
-/*
- * dcerpc_util.c
- *
- * Copyright (C) 2006-2009 Sourcefire, Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License Version 2 as
- * published by the Free Software Foundation. You may not use, modify or
- * distribute this program under any other version of the GNU General
- * Public License.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Description:
- *
- * Contains utility functions.
- *
- */
-
-#include
-#include
-
-#include "snort_dcerpc.h"
-#include "dcerpc_util.h"
-#include "bounds.h"
-
-
-void DCERPC_GenerateAlert(dcerpc_event_e event, char *msg)
-{
- _dpd.alertAdd(GENERATOR_DCERPC, event, 1, 0, 3, msg, 0);
-}
-
-/* Print out given buffer in hex and ascii, for debugging */
-void PrintBuffer(const char * title, const uint8_t *buf, uint16_t buf_len)
-{
- uint16_t i, j = 0;
-
- printf("%s\n", title);
-
- for ( i = 0; i < buf_len; i+=16 )
- {
- printf("%.4x ", i);
- for ( j = 0; j < (buf_len-i) && j < 16; j++ )
- {
- printf("%.2x ", *(buf+i+j));
- if ( (j+1)%8 == 0 )
- printf(" ");
- }
- if ( j != 16 )
- printf(" ");
- for ( ; j < 16; j++ )
- printf(" ");
- printf(" ");
- for ( j = 0; j < (buf_len-i) && j < 16; j++ )
- {
- if ( isascii((int)*(buf+i+j)) && isprint((int)*(buf+i+j)) )
- printf("%c", *(buf+i+j));
- else
- printf(".");
- if ( (j+1)%8 == 0 )
- printf(" ");
- if ( (j+1)%16 == 0 )
- printf("\n");
- }
- }
- if ( j != 16 )
- printf("\n");
-}
-
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/dcerpc_util.h snort-2.9.2/src/dynamic-preprocessors/dcerpc/dcerpc_util.h
--- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/dcerpc_util.h 2009-05-06 22:28:47.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/dcerpc/dcerpc_util.h 1970-01-01 00:00:00.000000000 +0000
@@ -1,60 +0,0 @@
-/*
- * dcerpc_util.h
- *
- * Copyright (C) 2006-2009 Sourcefire, Inc.
- * Andrew Mullican
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License Version 2 as
- * published by the Free Software Foundation. You may not use, modify or
- * distribute this program under any other version of the GNU General
- * Public License.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Description:
- *
- * Declares routines for utility functions.
- *
- *
- */
-#ifndef _DCERPC_UTIL_H_
-#define _DCERPC_UTIL_H_
-
-#include "debug.h"
-#include "snort_dcerpc.h"
-
-/* Needs to match what is in generators.h */
-#define GENERATOR_DCERPC 130
-
-
-/* Events for DCERPC */
-typedef enum _dcerpc_event_e
-{
- DCERPC_EVENT_MEMORY_OVERFLOW = 1
-
-} dcerpc_event_e;
-
-typedef struct _DCERPC_Buffer
-{
- uint8_t *data;
- uint16_t len;
- uint16_t size;
-
-} DCERPC_Buffer;
-
-
-#define DCERPC_EVENT_MEMORY_OVERFLOW_STR "(dcerpc) Maximum memory usage reached"
-
-
-void DCERPC_GenerateAlert(dcerpc_event_e event, char *msg);
-void PrintBuffer(const char * title, const uint8_t *buf, uint16_t buf_len);
-
-#endif /* _DCERPC_UTIL_H_ */
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/Makefile.am snort-2.9.2/src/dynamic-preprocessors/dcerpc/Makefile.am
--- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/Makefile.am 2009-05-06 22:28:46.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/dcerpc/Makefile.am 1970-01-01 00:00:00.000000000 +0000
@@ -1,53 +0,0 @@
-## $Id
-AUTOMAKE_OPTIONS=foreign no-dependencies
-
-INCLUDES = -I../include
-
-libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor
-
-lib_LTLIBRARIES = libsf_dcerpc_preproc.la
-
-libsf_dcerpc_preproc_la_LDFLAGS = -module
-
-BUILT_SOURCES = \
-sf_dynamic_preproc_lib.c \
-sfPolicyUserData.c
-
-nodist_libsf_dcerpc_preproc_la_SOURCES = \
-sf_dynamic_preproc_lib.c \
-sfPolicyUserData.c
-
-libsf_dcerpc_preproc_la_SOURCES = \
-dcerpc.c \
-dcerpc.h \
-dcerpc_util.c \
-dcerpc_util.h \
-dcerpc_config.c \
-sf_preproc_info.h \
-smb_andx_decode.c \
-smb_andx_decode.h \
-smb_andx_structs.h \
-smb_file_decode.c \
-smb_file_decode.h \
-smb_file_structs.h \
-smb_structs.h \
-snort_dcerpc.c \
-snort_dcerpc.h \
-spp_dcerpc.c \
-spp_dcerpc.h \
-sf_preproc_info.h
-
-EXTRA_DIST = \
-sf_dcerpc.dsp
-
-sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c
- cp $? $@
-
-sfPolicyUserData.c: ../include/sfPolicyUserData.c
- cp $? $@
-
-all-local:
- $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES
-
-clean-local:
- rm -f sf_dynamic_preproc_lib.c sfPolicyUserData.c
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/Makefile.in snort-2.9.2/src/dynamic-preprocessors/dcerpc/Makefile.in
--- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/Makefile.in 2009-10-19 21:17:59.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/dcerpc/Makefile.in 1970-01-01 00:00:00.000000000 +0000
@@ -1,516 +0,0 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -build_triplet = @build@ -host_triplet = @host@ -subdir = src/dynamic-preprocessors/dcerpc -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/libprelude.m4 \ - $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/config.h -CONFIG_CLEAN_FILES = -am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; -am__vpath_adj = case $$p in \ - $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ - *) f=$$p;; \ - esac; -am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; -am__installdirs = "$(DESTDIR)$(libdir)" -libLTLIBRARIES_INSTALL = $(INSTALL) -LTLIBRARIES = $(lib_LTLIBRARIES) 
-libsf_dcerpc_preproc_la_LIBADD = -am_libsf_dcerpc_preproc_la_OBJECTS = dcerpc.lo dcerpc_util.lo \ - dcerpc_config.lo smb_andx_decode.lo smb_file_decode.lo \ - snort_dcerpc.lo spp_dcerpc.lo -nodist_libsf_dcerpc_preproc_la_OBJECTS = sf_dynamic_preproc_lib.lo \ - sfPolicyUserData.lo -libsf_dcerpc_preproc_la_OBJECTS = \ - $(am_libsf_dcerpc_preproc_la_OBJECTS) \ - $(nodist_libsf_dcerpc_preproc_la_OBJECTS) -libsf_dcerpc_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(libsf_dcerpc_preproc_la_LDFLAGS) $(LDFLAGS) -o $@ -DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ - --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ - $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ - --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ - $(LDFLAGS) -o $@ -SOURCES = $(libsf_dcerpc_preproc_la_SOURCES) \ - $(nodist_libsf_dcerpc_preproc_la_SOURCES) -DIST_SOURCES = $(libsf_dcerpc_preproc_la_SOURCES) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CC = @CC@ -CCDEPMODE = @CCDEPMODE@ -CFLAGS = @CFLAGS@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DEFS = @DEFS@ -DEPDIR = @DEPDIR@ -ECHO = @ECHO@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ -GREP = @GREP@ -INCLUDES = -I../include -INSTALL = @INSTALL@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = 
@INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LIBOBJS = @LIBOBJS@ -LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ -LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ -LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ -LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ -LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ -LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ -LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAINT = @MAINT@ -MAKEINFO = @MAKEINFO@ -MKDIR_P = @MKDIR_P@ -OBJEXT = @OBJEXT@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SED = @SED@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -YACC = @YACC@ -abs_builddir = @abs_builddir@ -abs_srcdir = @abs_srcdir@ -abs_top_builddir = @abs_top_builddir@ -abs_top_srcdir = @abs_top_srcdir@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ -am__include = @am__include@ -am__leading_dot = @am__leading_dot@ -am__quote = @am__quote@ -am__tar = @am__tar@ -am__untar = @am__untar@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -builddir = @builddir@ -datadir = @datadir@ -datarootdir = @datarootdir@ -docdir = @docdir@ -dvidir = @dvidir@ -exec_prefix = @exec_prefix@ -extra_incl = @extra_incl@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -htmldir = @htmldir@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor -libexecdir = @libexecdir@ -localedir = @localedir@ -localstatedir = @localstatedir@ 
-mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -pdfdir = @pdfdir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -psdir = @psdir@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -srcdir = @srcdir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -top_builddir = @top_builddir@ -top_srcdir = @top_srcdir@ -AUTOMAKE_OPTIONS = foreign no-dependencies -lib_LTLIBRARIES = libsf_dcerpc_preproc.la -libsf_dcerpc_preproc_la_LDFLAGS = -module -BUILT_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c - -nodist_libsf_dcerpc_preproc_la_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c - -libsf_dcerpc_preproc_la_SOURCES = \ -dcerpc.c \ -dcerpc.h \ -dcerpc_util.c \ -dcerpc_util.h \ -dcerpc_config.c \ -sf_preproc_info.h \ -smb_andx_decode.c \ -smb_andx_decode.h \ -smb_andx_structs.h \ -smb_file_decode.c \ -smb_file_decode.h \ -smb_file_structs.h \ -smb_structs.h \ -snort_dcerpc.c \ -snort_dcerpc.h \ -spp_dcerpc.c \ -spp_dcerpc.h \ -sf_preproc_info.h - -EXTRA_DIST = \ -sf_dcerpc.dsp - -all: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) all-am - -.SUFFIXES: -.SUFFIXES: .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/dcerpc/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/dynamic-preprocessors/dcerpc/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f=$(am__strip_dir) \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \ - else :; fi; \ - done - -uninstall-libLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p=$(am__strip_dir) \ - echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \ - $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \ - done - -clean-libLTLIBRARIES: - -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test "$$dir" != "$$p" || dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libsf_dcerpc_preproc.la: $(libsf_dcerpc_preproc_la_OBJECTS) $(libsf_dcerpc_preproc_la_DEPENDENCIES) - $(libsf_dcerpc_preproc_la_LINK) -rpath $(libdir) $(libsf_dcerpc_preproc_la_OBJECTS) $(libsf_dcerpc_preproc_la_LIBADD) $(LIBS) - -mostlyclean-compile: - 
-rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c $< - -.c.obj: - $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: - $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ - test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ - fi -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ - list='$(DISTFILES)'; \ - dist_files=`for file in $$list; do echo 
$$file; done | \ - sed -e "s|^$$srcdirstrip/||;t" \ - -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ - case $$dist_files in \ - */*) $(MKDIR_P) `echo "$$dist_files" | \ - sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ - sort -u` ;; \ - esac; \ - for file in $$dist_files; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - if test -d $$d/$$file; then \ - dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done -check-am: all-am -check: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) check-am -all-am: Makefile $(LTLIBRARIES) all-local -installdirs: - for dir in "$(DESTDIR)$(libdir)"; do \ - test -z "$$dir" || $(MKDIR_P) "$$dir"; \ - done -install: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
- -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) -clean: clean-am - -clean-am: clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ - mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: - -install-dvi: install-dvi-am - -install-exec-am: install-libLTLIBRARIES - -install-html: install-html-am - -install-info: install-info-am - -install-man: - -install-pdf: install-pdf-am - -install-ps: install-ps-am - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-libLTLIBRARIES - -.MAKE: install-am install-strip - -.PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ - clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ - ctags distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-data \ - install-data-am install-dvi install-dvi-am install-exec \ - install-exec-am install-html install-html-am install-info \ - install-info-am install-libLTLIBRARIES install-man install-pdf \ - install-pdf-am install-ps install-ps-am install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-libLTLIBRARIES - - -sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c - cp $? $@ - -sfPolicyUserData.c: ../include/sfPolicyUserData.c - cp $? 
$@ - -all-local: - $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES - -clean-local: - rm -f sf_dynamic_preproc_lib.c sfPolicyUserData.c -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp snort-2.9.2/src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp 2009-05-06 22:28:47.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp 1970-01-01 00:00:00.000000000 +0000 
@@ -1,243 +0,0 @@ -# Microsoft Developer Studio Project File - Name="sf_dcerpc" - Package Owner=<4> -# Microsoft Developer Studio Generated Build File, Format Version 6.00 -# ** DO NOT EDIT ** - -# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102 - -CFG=sf_dcerpc - Win32 IPv6 Debug -!MESSAGE This is not a valid makefile. To build this project using NMAKE, -!MESSAGE use the Export Makefile command and run -!MESSAGE -!MESSAGE NMAKE /f "sf_dcerpc.mak". -!MESSAGE -!MESSAGE You can specify a configuration when running NMAKE -!MESSAGE by defining the macro CFG on the command line. For example: -!MESSAGE -!MESSAGE NMAKE /f "sf_dcerpc.mak" CFG="sf_dcerpc - Win32 IPv6 Debug" -!MESSAGE -!MESSAGE Possible choices for configuration are: -!MESSAGE -!MESSAGE "sf_dcerpc - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library") -!MESSAGE "sf_dcerpc - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library") -!MESSAGE "sf_dcerpc - Win32 IPv6 Debug" (based on "Win32 (x86) Dynamic-Link Library") -!MESSAGE "sf_dcerpc - Win32 IPv6 Release" (based on "Win32 (x86) Dynamic-Link Library") -!MESSAGE - -# Begin Project -# PROP AllowPerConfigDependencies 0 -# PROP Scc_ProjName "" -# PROP Scc_LocalPath "" -CPP=cl.exe -MTL=midl.exe -RSC=rc.exe - -!IF "$(CFG)" == "sf_dcerpc - Win32 Release" - -# PROP BASE Use_MFC 0 -# PROP BASE Use_Debug_Libraries 0 -# PROP BASE Output_Dir "Release" -# PROP BASE Intermediate_Dir "Release" -# PROP BASE Target_Dir "" -# PROP Use_MFC 0 -# PROP Use_Debug_Libraries 0 -# PROP Output_Dir "Release" -# PROP Intermediate_Dir "Release" -# PROP Ignore_Export_Lib 0 -# PROP Target_Dir "" -# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /c -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /D "NDEBUG" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "SF_SNORT_PREPROC_DLL" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D 
"_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /FR /YX /FD /c -# SUBTRACT CPP /X -# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 -# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 -# ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" -BSC32=bscmake.exe -# ADD BASE BSC32 /nologo -# ADD BSC32 /nologo -LINK32=link.exe -# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 - -!ELSEIF "$(CFG)" == "sf_dcerpc - Win32 Debug" - -# PROP BASE Use_MFC 0 -# PROP BASE Use_Debug_Libraries 1 -# PROP BASE Output_Dir "Debug" -# PROP BASE Intermediate_Dir "Debug" -# PROP BASE Target_Dir "" -# PROP Use_MFC 0 -# PROP Use_Debug_Libraries 1 -# PROP Output_Dir "Debug" -# PROP Intermediate_Dir "Debug" -# PROP Ignore_Export_Lib 0 -# PROP Target_Dir "" -# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /FR /YX /FD /GZ /c -# SUBTRACT CPP /X -# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 -# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 -# ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" -BSC32=bscmake.exe -# ADD BASE BSC32 /nologo -# ADD BSC32 /nologo -LINK32=link.exe -# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib 
oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept - -!ELSEIF "$(CFG)" == "sf_dcerpc - Win32 IPv6 Debug" - -# PROP BASE Use_MFC 0 -# PROP BASE Use_Debug_Libraries 1 -# PROP BASE Output_Dir "sf_dcerpc___Win32_IPv6_Debug" -# PROP BASE Intermediate_Dir "sf_dcerpc___Win32_IPv6_Debug" -# PROP BASE Ignore_Export_Lib 0 -# PROP BASE Target_Dir "" -# PROP Use_MFC 0 -# PROP Use_Debug_Libraries 1 -# PROP Output_Dir "IPv6_Debug" -# PROP Intermediate_Dir "IPv6_Debug" -# PROP Ignore_Export_Lib 0 -# PROP Target_Dir "" -# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /FR /YX /FD /GZ /c -# SUBTRACT BASE CPP /X -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /FR /YX /FD /GZ /c -# SUBTRACT CPP /X -# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 -# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 -# ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" -BSC32=bscmake.exe -# ADD BASE BSC32 /nologo -# ADD BSC32 /nologo -LINK32=link.exe -# ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib 
shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept - -!ELSEIF "$(CFG)" == "sf_dcerpc - Win32 IPv6 Release" - -# PROP BASE Use_MFC 0 -# PROP BASE Use_Debug_Libraries 0 -# PROP BASE Output_Dir "sf_dcerpc___Win32_IPv6_Release" -# PROP BASE Intermediate_Dir "sf_dcerpc___Win32_IPv6_Release" -# PROP BASE Ignore_Export_Lib 0 -# PROP BASE Target_Dir "" -# PROP Use_MFC 0 -# PROP Use_Debug_Libraries 0 -# PROP Output_Dir "IPv6_Release" -# PROP Intermediate_Dir "IPv6_Release" -# PROP Ignore_Export_Lib 0 -# PROP Target_Dir "" -# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_SMTP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /FR /YX /FD /c -# SUBTRACT BASE CPP /X -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /D "NDEBUG" /D "SUP_IP6" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "SF_SNORT_PREPROC_DLL" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /FR /YX /FD /c -# SUBTRACT CPP /X -# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 -# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 -# ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" -BSC32=bscmake.exe -# ADD BASE BSC32 /nologo -# ADD BSC32 /nologo -LINK32=link.exe -# ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 - -!ENDIF - -# Begin Target - -# Name "sf_dcerpc - Win32 Release" -# Name "sf_dcerpc - Win32 Debug" -# Name "sf_dcerpc - Win32 
IPv6 Debug" -# Name "sf_dcerpc - Win32 IPv6 Release" -# Begin Group "Source Files" - -# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" -# Begin Source File - -SOURCE=.\dcerpc.c -# End Source File -# Begin Source File - -SOURCE=.\dcerpc_config.c -# End Source File -# Begin Source File - -SOURCE=.\dcerpc_util.c -# End Source File -# Begin Source File - -SOURCE=..\include\sf_dynamic_preproc_lib.c -# End Source File -# Begin Source File - -SOURCE=..\include\sfPolicyUserData.c -# End Source File -# Begin Source File - -SOURCE=.\smb_andx_decode.c -# End Source File -# Begin Source File - -SOURCE=.\smb_file_decode.c -# End Source File -# Begin Source File - -SOURCE=.\snort_dcerpc.c -# End Source File -# Begin Source File - -SOURCE=.\spp_dcerpc.c -# End Source File -# End Group -# Begin Group "Header Files" - -# PROP Default_Filter "h;hpp;hxx;hm;inl" -# Begin Source File - -SOURCE=.\dcerpc.h -# End Source File -# Begin Source File - -SOURCE=.\dcerpc_util.h -# End Source File -# Begin Source File - -SOURCE=.\sf_preproc_info.h -# End Source File -# Begin Source File - -SOURCE=.\smb_andx_decode.h -# End Source File -# Begin Source File - -SOURCE=.\smb_andx_structs.h -# End Source File -# Begin Source File - -SOURCE=.\smb_file_decode.h -# End Source File -# Begin Source File - -SOURCE=.\smb_file_structs.h -# End Source File -# Begin Source File - -SOURCE=.\smb_structs.h -# End Source File -# Begin Source File - -SOURCE=.\snort_dcerpc.h -# End Source File -# Begin Source File - -SOURCE=.\spp_dcerpc.h -# End Source File -# End Group -# Begin Group "Resource Files" - -# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe" -# End Group -# End Target -# End Project diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/sf_preproc_info.h snort-2.9.2/src/dynamic-preprocessors/dcerpc/sf_preproc_info.h --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/sf_preproc_info.h 2009-08-10 20:41:46.000000000 +0000 +++ 
snort-2.9.2/src/dynamic-preprocessors/dcerpc/sf_preproc_info.h 1970-01-01 00:00:00.000000000 +0000 @@ -1,43 +0,0 @@ -/* - * sf_preproc_info.h - * - * Copyright (C) 2006-2009 Sourcefire, Inc. - * Andrew Mullican - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License Version 2 as - * published by the Free Software Foundation. You may not use, modify or - * distribute this program under any other version of the GNU General - * Public License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - * - * Description: - * - * Standard dynamic preprocessor include file. - * - * - */ -#ifndef SF_PREPROC_INFO_H -#define SF_PREPROC_INFO_H - -#define MAJOR_VERSION 1 -#define MINOR_VERSION 1 -#define BUILD_VERSION 5 -#ifdef SUP_IP6 -#define PREPROC_NAME "SF_DCERPC (IPV6)" -#else -#define PREPROC_NAME "SF_DCERPC" -#endif - -#define DYNAMIC_PREPROC_SETUP SetupDCERPC -extern void SetupDCERPC(void); - -#endif /* SF_PREPROC_INFO_H */ diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/smb_andx_decode.c snort-2.9.2/src/dynamic-preprocessors/dcerpc/smb_andx_decode.c --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/smb_andx_decode.c 2009-05-06 22:28:48.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc/smb_andx_decode.c 1970-01-01 00:00:00.000000000 +0000 
@@ -1,1077 +0,0 @@ -/* - * smb_andx_decode.c - * - * Copyright (C) 2004-2009 Sourcefire, Inc. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License Version 2 as - * published by the Free Software Foundation. You may not use, modify or - * distribute this program under any other version of the GNU General - * Public License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - * - * Description: - * - * This performs the decoding of SMB AndX commands. - * - * NOTES: - * - 08.12.04: Initial Development. SAS - * - */ -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - -#include -#ifdef HAVE_WCHAR_H -#include -#endif -#include - -#include "debug.h" -#include "bounds.h" - -#include "snort_dcerpc.h" -#include "smb_structs.h" -#include "smb_andx_structs.h" -#include "smb_andx_decode.h" -#include "dcerpc_util.h" -#include "dcerpc.h" - -#define FIELD_ACCT_NAME 0 -#define FIELD_PRIM_DOMAIN 1 -#define SESS_AUTH_FIELD(i) ((i == FIELD_ACCT_NAME) ? "AccountName" : ((i == FIELD_PRIM_DOMAIN) ? "PrimaryDomain" : "Unknown")) - -#define FIELD_NATIVE_OS 0 -#define FIELD_NATIVE_LANMAN 1 -#define SESS_NATIVE_FIELD(i) ((i == FIELD_NATIVE_OS) ? "NativeOS" : ((i == FIELD_NATIVE_LANMAN) ? 
"NativeLanMan" : "Unknown")) - -/* Externs */ -extern DCERPC *_dcerpc; -extern SFSnortPacket *_dcerpc_pkt; -extern uint8_t *dce_reassembly_buf; -extern uint16_t dce_reassembly_buf_size; -extern SFSnortPacket *real_dce_mock_pkt; -extern DceRpcConfig *dcerpc_eval_config; - -static int GetSMBStringLength(uint8_t *data, uint16_t data_size, int unicode); - -#ifdef DEBUG_DCERPC_PRINT -static void PrintSMBString(char *pre, uint8_t *str, uint16_t str_len, int unicode); -#endif - -/* smb_data is guaranteed to be at least an SMB_WRITEX_REQ length away from writeX - * if it's farther it's because there was padding */ -void ReassembleSMBWriteX(uint8_t *smb_hdr, uint16_t smb_hdr_len) -{ - SMB_WRITEX_REQ *write_andx; - int pkt_len; - int status; - uint16_t data_len = 0; - DCERPC_Buffer *buf = &_dcerpc->smb_seg_buf; - - pkt_len = sizeof(NBT_HDR) + smb_hdr_len + buf->len; - - /* Make sure we have room to fit into reassembly buffer */ - if (pkt_len > dce_reassembly_buf_size) - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Reassembled SMB packet greater " - "than %d bytes, skipping.", dce_reassembly_buf_size);); - - /* just shorten it - don't want to lose all of - * this information */ - buf->len = dce_reassembly_buf_size - (pkt_len - buf->len); - } - - /* Copy headers into buffer */ - /* SMB Header */ - status = SafeMemcpy(dce_reassembly_buf, _dcerpc_pkt->payload, sizeof(NBT_HDR) + smb_hdr_len, - dce_reassembly_buf, dce_reassembly_buf + dce_reassembly_buf_size); - - if (status != SAFEMEM_SUCCESS) - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "SMB header too big: %u, " - "skipping SMB reassembly.", dce_reassembly_buf_size);); - - DCERPC_BufferFreeData(buf); - return; - } - - write_andx = (SMB_WRITEX_REQ *)((uint8_t *)dce_reassembly_buf + sizeof(NBT_HDR) + sizeof(SMB_HDR)); - write_andx->remaining = smb_htons(buf->len); - write_andx->dataLength = smb_htons(buf->len); - write_andx->dataOffset = smb_htons(smb_hdr_len); - write_andx->andXCommand = 0xFF; - write_andx->andXOffset = 0x0000; - - 
data_len = sizeof(NBT_HDR) + smb_hdr_len; - - status = SafeMemcpy(dce_reassembly_buf + data_len, buf->data, buf->len, - dce_reassembly_buf + data_len, dce_reassembly_buf + dce_reassembly_buf_size); - - if (status != SAFEMEM_SUCCESS) - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "SMB fragments too big: %u, " - "skipping SMB reassembly.", dce_reassembly_buf_size);); - - DCERPC_BufferFreeData(buf); - return; - } - - data_len += buf->len; - - /* create pseudo packet */ - real_dce_mock_pkt = DCERPC_SetPseudoPacket(_dcerpc_pkt, dce_reassembly_buf, data_len); - if (real_dce_mock_pkt == NULL) - { - DCERPC_BufferFreeData(buf); - return; - } - - if (dcerpc_eval_config->debug_print) - { - PrintBuffer("SMB desegmented", - (uint8_t *)dce_reassembly_buf, data_len); - } -} - -/* IPC$ has to occur at the end of this path - path_len should include null termination */ -static int IsIPC(uint8_t *path, int path_len, uint32_t isUnicode) -{ - const uint8_t ipc[] = {'I', 'P', 'C', '$', '\0'}; - const uint16_t ipc_len = 5; - const uint8_t unicode_ipc[] = {'I', '\0', 'P', '\0', 'C', '\0', '$', '\0', '\0', '\0'}; - const uint16_t unicode_ipc_len = 10; - - if (isUnicode) - { - if (path_len < unicode_ipc_len) - return 0; - - /* go to end of path then back up the length of the - * unicode_ipc string */ - path = (path + path_len) - unicode_ipc_len; - - if (memcmp(path, unicode_ipc, unicode_ipc_len) == 0) - return 1; - } - else - { - if (path_len < ipc_len) - return 0; - - /* go to end of path and back up the length of the - * ipc string */ - path = (path + path_len) - ipc_len; - - if (memcmp(path, ipc, ipc_len) == 0) - return 1; - } - - return 0; -} - -/* returns -1 if not null terminated - * returns -2 for other error - * otherwise returns length of null terminated string - * including null terminating bytes - */ -static int GetSMBStringLength(uint8_t *data, uint16_t data_size, int unicode) -{ - uint16_t size_left; - - if (data == NULL) - return -2; - - size_left = data_size; - - if (unicode) - 
{ - while (size_left >= sizeof(uni_char_t)) - { - size_left -= sizeof(uni_char_t); - - if (*((uni_char_t *)data) == 0x0000) - { - return (int)(data_size - size_left); - } - - data += sizeof(uni_char_t); - } - } - else - { - while (size_left >= sizeof(char)) - { - size_left -= sizeof(char); - - if (*((char *)data) == 0x00) - { - return (int)(data_size - size_left); - } - - data += sizeof(char); - } - } - - return -1; -} - -#ifdef DEBUG_DCERPC_PRINT -static void PrintSMBString(char *pre, uint8_t *str, uint16_t str_len, int unicode) -{ - if (pre == NULL || str == NULL || str_len == 0) - return; - - printf("%s", pre); - - if (unicode) - { - int i = 0; - - while (i < str_len) - { - printf("%c", str[i]); - i += sizeof(uni_char_t); - } - } - else - { - printf("%.*s", str_len, str); - } - - printf("\n"); -} -#endif - -int SkipBytes(uint8_t *data, uint16_t size) -{ - uint16_t i = 0; - - while ( i < size && *data != 0 ) - { - data++; - i++; - } - - return i; -} - -int SkipBytesWide(uint8_t *data, uint16_t size) -{ - uint16_t i = 0; - - /* Check against size-1 in case someone is screwing with us and giving - us an odd number of bytes for 2-byte Unicode. 
*/ - while ( i < (size - 1) && *data != 0 ) - { - data += 2; - i += 2; - } - - return i; -} - - -int ProcessSMBTreeConnXReq(SMB_HDR *smbHdr, uint8_t *data, uint16_t size, uint16_t total_size) -{ - SMB_TREE_CONNECTX_REQ *treeConnX; - uint16_t byteCount; - uint8_t *tree_data; - uint16_t tree_data_len; - uint8_t *passwd_ptr; - uint16_t passwd_len; - uint8_t *path_ptr; - int path_len; - uint8_t *service_ptr; - int service_len; - int is_ipc; - - if ( size <= sizeof(SMB_TREE_CONNECTX_REQ) ) - { - return 0; - } - - treeConnX = (SMB_TREE_CONNECTX_REQ *)data; - - size -= sizeof(SMB_TREE_CONNECTX_REQ); - tree_data = data + sizeof(SMB_TREE_CONNECTX_REQ); - - byteCount = smb_ntohs(treeConnX->byteCount); - tree_data_len = byteCount; - passwd_len = smb_ntohs(treeConnX->passwdLen); - - /* Sanity check */ - if ( byteCount > size || passwd_len >= byteCount) - return 0; - - passwd_ptr = tree_data; - tree_data += passwd_len; - tree_data_len -= passwd_len; - - /* Get path */ - path_len = GetSMBStringLength(tree_data, tree_data_len, HAS_UNICODE_STRINGS(smbHdr)); - if (path_len == -1 || path_len == tree_data_len) - return 0; - - path_ptr = tree_data; - - is_ipc = IsIPC(tree_data, path_len, HAS_UNICODE_STRINGS(smbHdr)); - - if (is_ipc && _dcerpc->smb_state == STATE_START) - { - _dcerpc->smb_state = STATE_GOT_TREE_CONNECT; - } - - tree_data += path_len; - tree_data_len -= path_len; - - /* Service field is ALWAYS ascii */ - service_len = GetSMBStringLength(tree_data, tree_data_len, 0); - if (service_len == -1) - return 0; - - service_ptr = tree_data; - - /* there shouldn't be any more data */ - if (tree_data + service_len != tree_data + tree_data_len) - return 0; - -#ifdef DEBUG_DCERPC_PRINT - /* Password data - * it seems like the password length has to be an odd number - * This passwd will always be ASCII -- equiv of - * CaseInsensitivePasswd field from SessSetupAndX message */ - if (passwd_len > 0) - printf("Password: %02.*X\n", passwd_len, passwd_ptr); - - if (path_len > 0) - 
PrintSMBString("Path: ", path_ptr, path_len, HAS_UNICODE_STRINGS(smbHdr)); - - /* Service field is ALWAYS ascii */ - if (service_len > 0) - PrintSMBString("Service: ", service_ptr, service_len, 0); -#endif - - /* put tree_data at end of this request for comparing - * against andXOffset */ - tree_data += tree_data_len; - - /* Handle next andX command in this packet */ - if (treeConnX->andXCommand != SMB_NONE) - { - uint16_t andXOffset = smb_ntohs(treeConnX->andXOffset); - uint8_t *next_command; - uint16_t data_left_len; - - if ( andXOffset >= total_size ) - return 0; - - next_command = (uint8_t *)smbHdr + andXOffset; - - /* Make sure we don't backtrack or look at the same data again */ - if (next_command < tree_data) - return 0; - - /* Skip header, get size of remaining data */ - data_left_len = total_size - andXOffset; - - /* Next block is at smbHdr + smb_ntohs(sess_setupx_req->andXOffset) */ - return ProcessNextSMBCommand(treeConnX->andXCommand, smbHdr, next_command, - data_left_len, total_size); - } - - return 0; -} - - -int ProcessSMBNTCreateX(SMB_HDR *smbHdr, uint8_t *data, uint16_t size, uint16_t total_size) -{ - SMB_NTCREATEX_REQ *ntCreateX; - uint16_t byteCount; - uint8_t *nt_create_data; - uint16_t nt_create_data_len; - uint8_t *file_name_ptr; - int file_name_len; - - if ( size <= sizeof(SMB_NTCREATEX_REQ) ) - { - return 0; - } - - ntCreateX = (SMB_NTCREATEX_REQ *)data; - - size -= sizeof(SMB_NTCREATEX_REQ); - - byteCount = smb_ntohs(ntCreateX->byteCount); - - if (byteCount > size) - return 0; - - nt_create_data = data + sizeof(SMB_NTCREATEX_REQ); - nt_create_data_len = byteCount; - - /* Appears to be a pad in there to word-align if unicode */ - if (HAS_UNICODE_STRINGS(smbHdr)) - { - nt_create_data++; - nt_create_data_len--; - } - - /* note that the file name length in the header does not seem - * to be used by the server */ - file_name_len = GetSMBStringLength(nt_create_data, nt_create_data_len, - HAS_UNICODE_STRINGS(smbHdr)); - - if (file_name_len == -1) 
- return 0; - - file_name_ptr = nt_create_data; - - /* there shouldn't be any more data */ - if (nt_create_data + file_name_len != nt_create_data + nt_create_data_len) - return 0; - - if ( _dcerpc->smb_state == STATE_GOT_TREE_CONNECT ) - _dcerpc->smb_state = STATE_GOT_NTCREATE; - -#ifdef DEBUG_DCERPC_PRINT - PrintSMBString("Create/Open: ", file_name_ptr, file_name_len, HAS_UNICODE_STRINGS(smbHdr)); -#endif - - /* put nt_create_data at end of this request for comparing - * against andXOffset */ - nt_create_data += nt_create_data_len; - - /* Handle next andX command in this packet */ - if (ntCreateX->andXCommand != SMB_NONE) - { - uint16_t andXOffset = smb_ntohs(ntCreateX->andXOffset); - uint8_t *next_command; - uint16_t data_left_len; - - if ( andXOffset >= total_size ) - return 0; - - next_command = (uint8_t *)smbHdr + andXOffset; - - /* Make sure we don't backtrack or look at the same data again */ - if (next_command < nt_create_data) - return 0; - - /* Skip header, get size of remaining data */ - data_left_len = total_size - andXOffset; - - /* Next block is at smbHdr + smb_ntohs(sess_setupx_req->andXOffset) */ - return ProcessNextSMBCommand(ntCreateX->andXCommand, smbHdr, next_command, - data_left_len, total_size); - } - - return 0; -} - -int ProcessSMBWriteX(SMB_HDR *smbHdr, uint8_t *data, uint16_t size, uint16_t total_size) -{ - SMB_WRITEX_REQ *writeX; - uint8_t *writeX_data; - uint16_t writeX_data_len; - uint16_t writeX_byte_count; - uint16_t data_offset; - uint16_t padding; - - /* Only process WriteAndX packet if it is part of a DCE/RPC session */ - if ( _dcerpc->smb_state != STATE_GOT_NTCREATE ) - { - return 0; - } - - if ( size <= sizeof(SMB_WRITEX_REQ) ) - { - return 0; - } - - writeX = (SMB_WRITEX_REQ *)data; - data_offset = smb_ntohs(writeX->dataOffset); - - if ( data_offset >= total_size ) - { - return 0; - } - - writeX_data = (uint8_t *)smbHdr + data_offset; - writeX_data_len = smb_ntohs(writeX->dataLength); - writeX_byte_count = 
smb_ntohs(writeX->byteCount); - - /* byte count is always greater than or equal to data length and - * accounts for extra padding at end of header and before actual data */ - if (writeX_data_len > writeX_byte_count) - return 0; - - padding = writeX_byte_count - writeX_data_len; - - /* data_offset put us somewhere before the end of the header and padding */ - if (writeX_data < (uint8_t *)writeX + sizeof(SMB_WRITEX_REQ) + padding) - return 0; - - /* data_offset + data_len will put us past end of packet */ - if (writeX_data + writeX_data_len > (uint8_t *)smbHdr + total_size) - return 0; - -#ifdef DEBUG_DCERPC_PRINT - if (writeX_data_len > 0) - printf("WriteAndX data: %02.*X\n", writeX_data_len, writeX_data); -#endif - - if (writeX_data_len > 0) - { - uint16_t smb_hdr_len = writeX_data - (uint8_t *)smbHdr; - DCERPC_Buffer *sbuf = &_dcerpc->smb_seg_buf; - int status = ProcessDCERPCMessage((uint8_t *)smbHdr, smb_hdr_len, writeX_data, writeX_data_len); - - if (status == -1) - return -1; - - if ((status == DCERPC_FULL_FRAGMENT) && !DCERPC_BufferIsEmpty(sbuf)) - { - ReassembleSMBWriteX((uint8_t *)smbHdr, smb_hdr_len); - DCERPC_BufferFreeData(sbuf); - } - else if ((status == DCERPC_SEGMENTED) && dcerpc_eval_config->reassemble_increment) - { - _dcerpc->num_inc_reass++; - if (dcerpc_eval_config->reassemble_increment == _dcerpc->num_inc_reass) - { - _dcerpc->num_inc_reass = 0; - ReassembleSMBWriteX((uint8_t *)smbHdr, smb_hdr_len); - } - } - } - - /* put dce_data at end of this request for comparing - * against andXOffset */ - writeX_data += writeX_data_len; - - /* Handle next andX command in this packet */ - if (writeX->andXCommand != SMB_NONE) - { - uint16_t andXOffset = smb_ntohs(writeX->andXOffset); - uint8_t *next_command; - uint16_t data_left_len; - - if ( andXOffset >= total_size ) - return 0; - - next_command = (uint8_t *)smbHdr + andXOffset; - - /* Make sure we don't backtrack or look at the same data again */ - if (next_command < writeX_data) - return 0; - - /* Skip 
WriteX header, get size of remaining data */ - data_left_len = total_size - andXOffset; - - /* Next block is at smbHdr + smb_ntohs(sess_setupx_req->andXOffset) */ - return ProcessNextSMBCommand(writeX->andXCommand, smbHdr, next_command, - data_left_len, total_size); - } - - return 0; -} - -int ProcessSMBTransaction(SMB_HDR *smbHdr, uint8_t *data, uint16_t size, uint16_t total_size) -{ - SMB_TRANS_REQ *trans; - uint8_t *dcerpc_data; - uint16_t dcerpc_data_len; - uint16_t data_offset; - - /* Only process Trans packet if we think it is part of a DCE/RPC session - NTCREATE state is when we get the bind packet - IS_DCERPC is when we get a request packet - */ - if ( _dcerpc->smb_state != STATE_GOT_NTCREATE ) - { - return 0; - } - - /* We got a Tree Connect followed by a NTCreate, followed by Trans. - Assume DCE/RPC */ - _dcerpc->state = STATE_IS_DCERPC; - - if ( size <= sizeof(SMB_TRANS_REQ) ) - { - return 0; - } - - trans = (SMB_TRANS_REQ *)data; - data_offset = smb_ntohs(trans->dataOffset); - dcerpc_data = (uint8_t *)smbHdr + data_offset; - - if ( data_offset >= total_size ) - return 0; - - /* offset didn't put us after header - * TODO Account for transaction name length - seems like - * for unicode strings there is an extra byte of padding - * after byteCount before name starts */ - if (dcerpc_data < (uint8_t *)trans + sizeof(SMB_TRANS_REQ)) - return 0; - - dcerpc_data_len = smb_ntohs(trans->totalDataCount); - - /* make sure data length doesn't put us past end of packet */ - if (dcerpc_data + dcerpc_data_len > (uint8_t *)smbHdr + total_size) - return 0; - - if (dcerpc_data_len > 0) - ProcessDCERPCMessage((uint8_t *)smbHdr, - (uint16_t)(dcerpc_data - (uint8_t *)smbHdr), - dcerpc_data, dcerpc_data_len); - -#ifdef DEBUG_DCERPC_PRINT - printf("Trans data: %02.*X\n", dcerpc_data_len, dcerpc_data); -#endif - - return 0; -} - -int ProcessSMBReadX(SMB_HDR *smbHdr, uint8_t *data, uint16_t size, uint16_t total_size) -{ - SMB_READX_REQ *readX; - - if ( size < 
sizeof(SMB_READX_REQ) ) - { - return 0; - } - - readX = (SMB_READX_REQ *)data; - data += sizeof(SMB_READX_REQ); - - /* Handle next andX command in this packet */ - if (readX->andXCommand != SMB_NONE) - { - uint16_t andXOffset = smb_ntohs(readX->andXOffset); - uint8_t *next_command; - uint16_t data_left_len; - - if ( andXOffset >= total_size ) - return 0; - - next_command = (uint8_t *)smbHdr + andXOffset; - - /* Make sure we don't backtrack or look at the same data again */ - if (next_command < data) - return 0; - - /* Skip ReadX header, get size of remaining data */ - data_left_len = total_size - andXOffset; - - /* Next block is at smbHdr + smb_ntohs(sess_setupx_req->andXOffset) */ - return ProcessNextSMBCommand(readX->andXCommand, smbHdr, next_command, - data_left_len, total_size); - } - - return 0; -} - - -#ifdef UNUSED_SMB_COMMAND - -int ProcessSMBSetupXReq(SMB_HDR *smbHdr, uint8_t *data, uint16_t size, uint16_t total_size) -{ - int extraIndex = 0; - SMB_SESS_SETUPX_REQ_HDR *sess_setupx_req_hdr; - - /* Ptr to first null terminated data element */ - unsigned char wordCount; - /* Skip the common header portion, wordCount byte + parameter bytes * 2 */ - unsigned char *smb_data; - short byteCount = 0, extraBytes = 0; - int skipBytes = 1; - - int passwdLen = 0; - char unicodePasswd = 0; - - if ( size <= sizeof(SMB_SESS_SETUPX_REQ_HDR) ) - { - return 0; - } - - sess_setupx_req_hdr = (SMB_SESS_SETUPX_REQ_HDR *)data; - wordCount = sess_setupx_req_hdr->wordCount; - - switch (wordCount) - { - case 10: - { - /* Old session setup andx */ - SMB_SESS_SETUPX_REQ_AUTH_OLD *sess_setupx_auth = - (SMB_SESS_SETUPX_REQ_AUTH_OLD *) - (data + sizeof(SMB_SESS_SETUPX_REQ_HDR)); - passwdLen = smb_ntohs(sess_setupx_auth->passwdLen); - byteCount = extraBytes = smb_ntohs(sess_setupx_auth->byteCount); - smb_data = data + sizeof(SMB_SESS_SETUPX_REQ_HDR) + - sizeof(SMB_SESS_SETUPX_REQ_AUTH_OLD); - } - break; - case 12: - { - /* Extended Security session setup andx */ - 
SMB_SESS_SETUPX_REQ_AUTH_NTLM12 *sess_setupx_auth = - (SMB_SESS_SETUPX_REQ_AUTH_NTLM12 *) - (data + sizeof(SMB_SESS_SETUPX_REQ_HDR)); - passwdLen = 0; /* Its a blob */ - byteCount = extraBytes = smb_ntohs(sess_setupx_auth->byteCount); - skipBytes = smb_ntohs(sess_setupx_auth->secBlobLength); - smb_data = data + sizeof(SMB_SESS_SETUPX_REQ_HDR) + - sizeof(SMB_SESS_SETUPX_REQ_AUTH_NTLM12); - } - break; - case 13: - { - /* Non-Extended Security session setup andx */ - SMB_SESS_SETUPX_REQ_AUTH_NTLM12_NOEXT *sess_setupx_auth = - (SMB_SESS_SETUPX_REQ_AUTH_NTLM12_NOEXT *) - (data + sizeof(SMB_SESS_SETUPX_REQ_HDR)); - if (sess_setupx_auth->passwdLen) - { - passwdLen = smb_ntohs(sess_setupx_auth->passwdLen); - unicodePasswd = 1; - } - else if (sess_setupx_auth->iPasswdLen) - { - passwdLen = smb_ntohs(sess_setupx_auth->iPasswdLen); - } - byteCount = extraBytes = smb_ntohs(sess_setupx_auth->byteCount); - smb_data = data + sizeof(SMB_SESS_SETUPX_REQ_HDR) + - sizeof(SMB_SESS_SETUPX_REQ_AUTH_NTLM12_NOEXT); - } - break; - default: - return -1; - break; - } - - size -= sizeof(SMB_SESS_SETUPX_REQ_HDR); - - /* Password data */ - if (passwdLen) - { - int i=0; - if ( unicodePasswd ) - { -#ifdef DEBUG_DCERPC_PRINT - /* UNICODE Password */ - wprintf(L"Case Sensitive Password: %.*s\n", passwdLen, smb_data); -#endif - /* Skip past the password -- no terminating NULL */ - smb_data += passwdLen; - extraBytes -= passwdLen; - - /* Jump past the pad that re-aligns the next fields */ - if (HAS_UNICODE_STRINGS(smbHdr)) - { - smb_data += 1; - extraBytes -= 1; - } - } - else - { -#ifdef DEBUG_DCERPC_PRINT - /* ASCII Password */ - printf("Case Insensitive Password: %.*s\n", passwdLen, smb_data); -#endif - /* Skip past the password -- no terminating NULL */ - smb_data += passwdLen; - extraBytes -= passwdLen; - - /* Jump past the pad that re-aligns the next fields -- pad - * is present when ascii password is an even # of bytes. 
*/ - if (HAS_UNICODE_STRINGS(smbHdr) && - (passwdLen %2 == 0)) - { - smb_data += 1; - extraBytes -= 1; - } - } - - for (i=0;i<2;i++) - { - skipBytes = 1; - if (HAS_UNICODE_STRINGS(smbHdr)) - { - if (*smb_data != '\0') - { -#ifdef DEBUG_DCERPC_PRINT - printf("%s: ", SESS_AUTH_FIELD(extraIndex)); - wprintf(L"%s\n", smb_data); -#endif - skipBytes = SkipBytesWide(smb_data, size) + 2; - } - } - else - { - if (*smb_data != '\0') - { -#ifdef DEBUG_DCERPC_PRINT - printf("%s: %s\n", SESS_AUTH_FIELD(extraIndex), smb_data); -#endif - skipBytes = SkipBytes(smb_data, size) + 1; - } - } - extraIndex++; - smb_data += skipBytes; - extraBytes -= skipBytes; - } - } - else - { -#ifdef DEBUG_DCERPC_PRINT - /* The security blob... */ - int i; - printf("Security blob... "); - for (i=0;i 0) - { - skipBytes = 1; - if (HAS_UNICODE_STRINGS(smbHdr)) - { - if (*smb_data != '\0') - { -#ifdef DEBUG_DCERPC_PRINT - printf("%s: ", SESS_NATIVE_FIELD(extraIndex)); - wprintf(L"%s\n", smb_data); -#endif - skipBytes = wcslen(smb_data) + 1; - } - skipBytes *= 2; - } - else - { - if (*smb_data != '\0') - { -#ifdef DEBUG_DCERPC_PRINT - printf("%s: %s\n", SESS_NATIVE_FIELD(extraIndex), smb_data); -#endif - skipBytes = strlen(smb_data) + 1; - } - } - extraIndex++; - smb_data += skipBytes; - extraBytes -= skipBytes; - } - - /* Handle next andX command in this packet */ - if (sess_setupx_req_hdr->andXCommand != SMB_NONE) - { - uint16_t data_size; - uint16_t andXOffset = smb_ntohs(sess_setupx_req_hdr->andXOffset); - - if ( andXOffset >= total_size ) - return 0; - - /* Make sure we don't backtrack or look at the same data again */ - if ( andXOffset <= (data - (uint8_t *)smbHdr) ) - return 0; - - /* Skip header, get size of remaining data */ - data_size = total_size - andXOffset; - - /* Next block is at smbHdr + smb_ntohs(sess_setupx_req->andXOffset) */ - return ProcessNextSMBCommand(sess_setupx_req_hdr->andXCommand, smbHdr, - (uint8_t *)smbHdr + smb_ntohs(sess_setupx_req_hdr->andXOffset), data_size, 
total_size); - } - - return 0; -} - - -int ProcessSMBLogoffXReq(SMB_HDR *smbHdr, uint8_t *data, uint16_t size, uint16_t total_size) -{ - SMB_LOGOFFX_REQ *logoffX; - int byteCount; - - if (byteCount > 0) - { - return -1; - } - - if ( size < sizeof(SMB_LOGOFFX_REQ) ) - { - return 0; - } - - logoffX = (SMB_LOGOFFX_REQ *)data; - byteCount = smb_ntohs(logoffX->byteCount); - - /* Handle next andX command in this packet */ - if (logoffX->andXCommand != SMB_NONE) - { - uint16_t data_size; - uint16_t andXOffset = smb_ntohs(logoffX->andXOffset); - - if ( andXOffset >= total_size ) - return 0; - - /* Make sure we don't backtrack or look at the same data again */ - if ( andXOffset <= (data - (uint8_t *)smbHdr) ) - return 0; - - /* Skip header, get size of remaining data */ - data_size = total_size - andXOffset; - - /* Next block is at smbHdr + smb_ntohs(sess_setupx_req->andXOffset) */ - return ProcessNextSMBCommand(logoffX->andXCommand, smbHdr, - (uint8_t *)smbHdr + smb_ntohs(logoffX->andXOffset), data_size, total_size); - } - - return 0; -} - - - - -int ProcessSMBLockingX(SMB_HDR *smbHdr, uint8_t *data, uint16_t size, uint16_t total_size) -{ - SMB_LOCKINGX_REQ *lockingX; - unsigned char *smb_data; - uint16_t numUnlocks; - uint16_t numLocks; - int lockRangeSize; - - if ( size < sizeof(SMB_LOCKINGX_REQ) ) - { - return 0; - } - - lockingX = (SMB_LOCKINGX_REQ *)data; - smb_data = data + sizeof(SMB_LOCKINGX_REQ); - numUnlocks = smb_ntohs(lockingX->numUnlocks); - numLocks = smb_ntohs(lockingX->numLocks); - - if (lockingX->lockType & LOCKINGX_LARGE_FILES) - { - lockRangeSize = sizeof(SMB_LARGEFILE_LOCKINGX_RANGE); -#ifdef DEBUG_DCERPC_PRINT - if (numUnlocks > 0) - { - int i; - printf("Unlocking PIDs: "); - for (i=0;ipid); - } - printf("\n"); - } - - if (numLocks > 0) - { - int i; - printf("Locking PIDs: "); - for (i=0;ipid); - } - printf("\n"); - } -#endif - } - else - { - lockRangeSize = sizeof(SMB_LOCKINGX_RANGE); -#ifdef DEBUG_DCERPC_PRINT - if (numUnlocks > 0) - { - 
printf("Unlocking PIDs: "); - for (i=0;ipid); - } - printf("\n"); - } - - if (numLocks > 0) - { - printf("Locking PIDs: "); - for (i=0;ipid); - } - printf("\n"); - } -#endif - } - - /* Handle next andX command in this packet */ - if (lockingX->andXCommand != SMB_NONE) - { - uint16_t data_size; - uint16_t andXOffset = smb_ntohs(lockingX->andXOffset); - - if ( andXOffset >= total_size ) - return 0; - - /* Make sure we don't backtrack or look at the same data again */ - if ( andXOffset <= (data - (uint8_t *)smbHdr) ) - return 0; - - /* Skip header, get size of remaining data */ - data_size = total_size - andXOffset; - - /* Next block is at smbHdr + smb_ntohs(sess_setupx_req->andXOffset) */ - return ProcessNextSMBCommand(lockingX->andXCommand, smbHdr, - (uint8_t *)smbHdr + smb_ntohs(lockingX->andXOffset), data_size, total_size); - } - - return 0; -} - - - -#endif /* UNUSED_SMB_COMMAND */ - diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/smb_andx_decode.h snort-2.9.2/src/dynamic-preprocessors/dcerpc/smb_andx_decode.h --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/smb_andx_decode.h 2009-05-06 22:28:48.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc/smb_andx_decode.h 1970-01-01 00:00:00.000000000 +0000 
@@ -1,44 +0,0 @@ -/* - * smb_andx_decode.h - * - * Copyright (C) 2004-2009 Sourcefire, Inc. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License Version 2 as - * published by the Free Software Foundation. You may not use, modify or - * distribute this program under any other version of the GNU General - * Public License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - * - * Description: - * - * Declares routines that handle decoding SMB AndX commands - * - * NOTES: - * - 08.12.04: Initial Development. 
SAS - * - */ -#ifndef _SMB_ANDX_DECODE_H_ -#define _SMB_ANDX_DECODE_H_ - -typedef unsigned short uni_char_t; - -int ProcessSMBSetupXReq(SMB_HDR *smbHdr, uint8_t *data, uint16_t size, uint16_t total_size); -int ProcessSMBTreeConnXReq(SMB_HDR *smbHdr, uint8_t *data, uint16_t size, uint16_t total_size); -int ProcessSMBNTCreateX(SMB_HDR *smbHdr, uint8_t *data, uint16_t size, uint16_t total_size); -int ProcessSMBLogoffXReq(SMB_HDR *smbHdr, uint8_t *data, uint16_t size, uint16_t total_size); -int ProcessSMBReadX(SMB_HDR *smbHdr, uint8_t *data, uint16_t size, uint16_t total_size); -int ProcessSMBWriteX(SMB_HDR *smbHdr, uint8_t *data, uint16_t size, uint16_t total_size); -int ProcessSMBLockingX(SMB_HDR *smbHdr, uint8_t *data, uint16_t size, uint16_t total_size); -int ProcessSMBTransaction(SMB_HDR *smbHdr, uint8_t *data, uint16_t size, uint16_t total_size); -void ReassembleSMBWriteX(uint8_t *, uint16_t); - -#endif /* _SMB_ANDX_DECODE_H_ */ diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/smb_andx_structs.h snort-2.9.2/src/dynamic-preprocessors/dcerpc/smb_andx_structs.h --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/smb_andx_structs.h 2009-05-06 22:28:48.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc/smb_andx_structs.h 1970-01-01 00:00:00.000000000 +0000 
@@ -1,243 +0,0 @@ -/* - * smb_andx_structs.h - * - * Copyright (C) 2004-2009 Sourcefire, Inc. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License Version 2 as - * published by the Free Software Foundation. You may not use, modify or - * distribute this program under any other version of the GNU General - * Public License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - * - * - * Description: - * - * Defines data structures representing SMB commands - * - * NOTES: - * - 08.12.04: Initial Development. 
SAS - * - */ -#ifndef _SMB_ANDX_STRUCTS_H_ -#define _SMB_ANDX_STRUCTS_H_ - -#include "smb_structs.h" - -#ifdef WIN32 -#pragma pack(push,smb_hdrs,1) -#else -#pragma pack(1) -#endif - -typedef struct sess_setupx_req_hdr -{ - uint8_t wordCount; /* Count of parameter words */ - uint8_t andXCommand; - uint8_t andXReserved; - uint16_t andXOffset; - - uint16_t maxBufSize; - uint16_t maxMPXCount; - uint16_t vcNumber; - uint32_t sessionKey; -} SMB_SESS_SETUPX_REQ_HDR; - -typedef struct sess_setupx_req_auth_old -{ - uint16_t passwdLen; - uint32_t reserved2; - uint16_t byteCount; -} SMB_SESS_SETUPX_REQ_AUTH_OLD; - -typedef struct sess_setupx_req_auth_ntlm12 -{ - uint16_t secBlobLength; - uint32_t reserved2; - uint32_t capabilities; - uint16_t byteCount; -} SMB_SESS_SETUPX_REQ_AUTH_NTLM12; - -typedef struct sess_setupx_req_auth_ntlm12_noext -{ - uint16_t iPasswdLen; - uint16_t passwdLen; - uint32_t reserved2; - uint32_t capabilities; - uint16_t byteCount; -} SMB_SESS_SETUPX_REQ_AUTH_NTLM12_NOEXT; - -typedef struct tree_connx_req_hdr -{ - uint8_t wordCount; /* Count of parameter words */ - uint8_t andXCommand; - uint8_t andXReserved; - uint16_t andXOffset; - - uint16_t flags; - uint16_t passwdLen; - uint16_t byteCount; -} SMB_TREE_CONNECTX_REQ; - -typedef struct logoffx_req_hdr -{ - uint8_t wordCount; /* Count of parameter words */ - uint8_t andXCommand; - uint8_t andXReserved; - uint16_t andXOffset; - - uint16_t byteCount; /* Should be 0 */ -} SMB_LOGOFFX_REQ; - -typedef struct ntcreatex_req_hdr -{ - uint8_t wordCount; /* Count of parameter words */ - uint8_t andXCommand; - uint8_t andXReserved; - uint16_t andXOffset; - - uint8_t reserved2; - uint16_t nameLength; - uint32_t flags; - - uint32_t rootDirFid; - SMB_ACCESS_MASK desiredAccess; - SMB_LARGE_INTEGER allocationSize; - - uint32_t extFileAttributes; - uint32_t shareAccess; - uint32_t createDisposition; - uint32_t createOptions; - uint32_t impersonationLevel; - - uint8_t securityFlags; - uint16_t byteCount; - -} 
SMB_NTCREATEX_REQ; - -typedef struct readx_hdr -{ - uint8_t wordCount; - uint8_t andXCommand; - uint8_t andXReserved; - uint16_t andXOffset; - - uint16_t fid; - uint32_t offset; - - uint16_t maxCount; - uint16_t minCount; - uint32_t maxCountHigh; - - uint16_t remaining; - uint32_t highOffset; - uint16_t byteCount; - -} SMB_READX_REQ; - -typedef struct lockingx_hdr -{ - uint8_t wordCount; - uint8_t andXCommand; - uint8_t andXReserved; - uint16_t andXOffset; - - uint16_t fid; - uint8_t lockType; - uint8_t oplockLevel; - uint32_t timeout; - - uint16_t numUnlocks; - uint16_t numLocks; - - uint16_t byteCount; - -} SMB_LOCKINGX_REQ; - -#define LOCKINGX_SHARED_LOCK 0x01 -#define LOCKINGX_OPLOCK_RELEASE 0x02 -#define LOCKINGX_CHANGE_LOCKTYPE 0x04 -#define LOCKINGX_CANCEL_LOCK 0x08 -#define LOCKINGX_LARGE_FILES 0x10 - -typedef struct lockingx_range -{ - uint16_t pid; - uint32_t offset; - uint32_t length; -} SMB_LOCKINGX_RANGE; - -typedef struct largefile_lockingx_range -{ - uint16_t pid; - uint16_t pad; - - uint32_t offsetHigh; - uint32_t offsetLow; - uint32_t lengthHigh; - uint32_t lengthLow; -} SMB_LARGEFILE_LOCKINGX_RANGE; - -typedef struct writex_hdr -{ - uint8_t wordCount; - uint8_t andXCommand; - uint8_t andXReserved; - uint16_t andXOffset; - - uint16_t fid; - uint32_t offset; - uint32_t reserved; - - uint16_t writeMode; - - uint16_t remaining; - uint16_t dataLengthHigh; - uint16_t dataLength; - uint16_t dataOffset; - uint32_t highOffset; - uint16_t byteCount; - -} SMB_WRITEX_REQ; - -typedef struct trans_hdr -{ - uint8_t wordCount; - uint16_t totalParamCount; - uint16_t totalDataCount; - uint16_t maxParamCount; - uint16_t maxDataCount; - uint8_t maxSetupCount; - uint8_t transReserved; - - uint16_t flags; - uint32_t timeout; - uint16_t reserved; - - uint16_t parameterCount; - uint16_t parameterOffset; - uint16_t dataCount; - uint16_t dataOffset; - uint8_t setupCount; - uint8_t reserved2; - uint16_t function; - uint16_t fid; - uint16_t byteCount; - -} SMB_TRANS_REQ; - 
-#ifdef WIN32 -#pragma pack(pop,smb_hdrs) -#else -#pragma pack() -#endif - -#endif /* _SMB_ANDX_STRUCTS_H_ */ diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/smb_file_decode.c snort-2.9.2/src/dynamic-preprocessors/dcerpc/smb_file_decode.c --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/smb_file_decode.c 2009-05-06 22:28:49.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc/smb_file_decode.c 1970-01-01 00:00:00.000000000 +0000 
@@ -1,129 +0,0 @@ -/* - * smb_file_decode.c - * - * Copyright (C) 2004-2009 Sourcefire, Inc. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License Version 2 as - * published by the Free Software Foundation. You may not use, modify or - * distribute this program under any other version of the GNU General - * Public License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - * - * Description: - * - * This performs the decoding of SMB AndX commands. - * - * NOTES: - * - 08.12.04: Initial Development. 
SAS - * - */ - -#ifdef UNUSED_SMB_COMMAND - -#include "sf_snort_packet.h" - -#include "smb_structs.h" -#include "smb_file_structs.h" - -#include "smb_file_decode.h" - -int ProcessSMBEcho(SMB_HDR *smbHdr, uint8_t *data, uint16_t size) -{ - //unsigned char *smb_data = data + sizeof(SMB_ECHO_REQ); - -#ifdef DEBUG_DCERPC_PRINT - SMB_ECHO_REQ *echoReq = (SMB_ECHO_REQ *)data; - printf("Echo %d bytes, %d times: ", extraBytes, smb_ntohs(echoReq->echoCount)); - -#if 0 - { - int i; - for (i=0;iwordCount != 3) || - (closeReq->byteCount != 0)) - { - return -1; - } - -#ifdef DEBUG_DCERPC_PRINT - printf("Closing file FID: %x, WriteTime %s", smb_ntohs(closeReq->fid), - ctime(&timeVal)); - if (smbHdr->command == SMB_COM_CLOSE_AND_TREE_DISC) - { - printf("and disconnecting from tree"); - } - printf ("\n"); -#endif - - return 0; -} - -int ProcessSMBSeek(SMB_HDR *smbHdr, uint8_t *data, uint16_t size) -{ - SMB_SEEK_REQ *seekReq = (SMB_SEEK_REQ *)data; - - if ((seekReq->wordCount != 4) || - (seekReq->byteCount != 0)) - { - return -1; - } -#ifdef DEBUG_DCERPC_PRINT - printf("Seeking file FID: %x, Mode: %d Offset %d\n", smb_ntohs(seekReq->fid), - smb_ntohs(seekReq->mode), smb_ntohl(seekReq->offset)); -#endif - return 0; -} - - -int ProcessSMBFlush(SMB_HDR *smbHdr, uint8_t *data, uint16_t size) -{ - SMB_FLUSH_REQ *flushReq = (SMB_FLUSH_REQ *)data; - - if ((flushReq->wordCount != 1) || - (flushReq->byteCount != 0)) - { - return -1; - } -#ifdef DEBUG_DCERPC_PRINT - printf("Flushing file FID: %x\n", smb_ntohs(flushReq->fid)); -#endif - return 0; -} - -int ProcessSMBNoParams(SMB_HDR *smbHdr, uint8_t *data, uint16_t size) -{ - SMB_TREE_DISCONNECT_REQ *disconnect = (SMB_TREE_DISCONNECT_REQ *)data; - - if ((disconnect->wordCount != 0) || - (disconnect->byteCount != 0)) - { - return -1; - } - - return 0; -} - -#endif /* UNUSED_SMB_COMMAND */ diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/smb_file_decode.h snort-2.9.2/src/dynamic-preprocessors/dcerpc/smb_file_decode.h --- 
snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/smb_file_decode.h 2009-05-06 22:28:49.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc/smb_file_decode.h 1970-01-01 00:00:00.000000000 +0000 
@@ -1,38 +0,0 @@ -/* - * smb_file_decode.h - * - * Copyright (C) 2004-2009 Sourcefire, Inc. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License Version 2 as - * published by the Free Software Foundation. You may not use, modify or - * distribute this program under any other version of the GNU General - * Public License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - * - * Description: - * - * Declares routines that handle decoding SMB File commands - * - * NOTES: - * - 08.12.04: Initial Development. SAS - * - */ -#ifndef _SMB_FILE_DECODE_H_ -#define _SMB_FILE_DECODE_H_ - -int ProcessSMBEcho(SMB_HDR *smbHdr, uint8_t *data, uint16_t size); -int ProcessSMBClose(SMB_HDR *smbHdr, uint8_t *data, uint16_t size); -int ProcessSMBSeek(SMB_HDR *smbHdr, uint8_t *data, uint16_t size); -int ProcessSMBFlush(SMB_HDR *smbHdr, uint8_t *data, uint16_t size); -int ProcessSMBNoParams(SMB_HDR *smbHdr, uint8_t *data, uint16_t size); - -#endif /* _SMB_FILE_DECODE_H_ */ diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/smb_file_structs.h snort-2.9.2/src/dynamic-preprocessors/dcerpc/smb_file_structs.h --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/smb_file_structs.h 2009-05-06 22:28:49.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc/smb_file_structs.h 1970-01-01 00:00:00.000000000 +0000 
@@ -1,81 +0,0 @@ -/* - * smb_file_structs.h - * - * Copyright (C) 2004-2009 Sourcefire, Inc. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License Version 2 as - * published by the Free Software Foundation. You may not use, modify or - * distribute this program under any other version of the GNU General - * Public License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - * - * - * Description: - * - * Defines data structures representing SMB commands - * - * NOTES: - * - 08.12.04: Initial Development. 
SAS - * - */ -#ifndef _SMB_FILE_STRUCTS_H_ -#define _SMB_FILE_STRUCTS_H_ - -#ifdef WIN32 -#pragma pack(push,smb_hdrs,1) -#endif - -typedef struct echo_req_hdr -{ - uint8_t wordCount; /* Count of parameter words */ - uint8_t echoCount; - - uint16_t byteCount; /* Should be 0 */ -} SMB_ECHO_REQ; - -typedef struct close_hdr -{ - uint8_t wordCount; - uint16_t fid; - SMB_UTIME lastWriteTime; - uint16_t byteCount; -} SMB_CLOSE_REQ; - -typedef struct seek_hdr -{ - uint8_t wordCount; - uint16_t fid; - uint16_t mode; - uint32_t offset; - uint16_t byteCount; -} SMB_SEEK_REQ; - -typedef struct flush_hdr -{ - uint8_t wordCount; - uint16_t fid; - uint16_t byteCount; -} SMB_FLUSH_REQ; - -typedef struct tree_disconnect_hdr -{ - uint8_t wordCount; - uint16_t byteCount; -} SMB_TREE_DISCONNECT_REQ; - - - -#ifdef WIN32 -#pragma pack(pop,smb_hdrs) -#endif - -#endif /* _SMB_FILE_STRUCTS_H_ */ diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/smb_structs.h snort-2.9.2/src/dynamic-preprocessors/dcerpc/smb_structs.h --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/smb_structs.h 2009-05-06 22:28:49.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc/smb_structs.h 1970-01-01 00:00:00.000000000 +0000 
@@ -1,328 +0,0 @@ - -/* - * smb_structs.h - * - * Copyright (C) 2004-2009 Sourcefire, Inc. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License Version 2 as - * published by the Free Software Foundation. You may not use, modify or - * distribute this program under any other version of the GNU General - * Public License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - * - * - * Description: - * - * Defines data structures representing SMB commands - * - * NOTES: - * - 08.12.04: Initial Development. 
SAS - * - */ -#ifndef _SMB_STRUCTS_H_ -#define _SMB_STRUCTS_H_ - -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - -#ifdef WIN32 -#pragma pack(push,smb_hdrs,1) -#else -#pragma pack(1) -#endif - - -/* NBT SMB info */ -#define SMB_NTTRANSCREATE 0x01 -#define SMB_TRANS2OPEN 0x00 -#define SMB_SESSION 0x00 -#define SMB_SESSIONREQ 0x81 -#define SMB_NONE 0xff - -#define SMB_COM_CREATE_DIRECTORY 0x00 -#define SMB_COM_DELETE_DIRECTORY 0x01 -#define SMB_COM_OPEN 0x02 -#define SMB_COM_CREATE 0x03 -#define SMB_COM_CLOSE 0x04 -#define SMB_COM_FLUSH 0x05 -#define SMB_COM_DELETE 0x06 -#define SMB_COM_RENAME 0x07 -#define SMB_COM_QUERY_INFORMATION 0x08 -#define SMB_COM_SET_INFORMATION 0x09 -#define SMB_COM_READ 0x0A -#define SMB_COM_WRITE 0x0B -#define SMB_COM_LOCK_BYTE_RANGE 0x0C -#define SMB_COM_UNLOCK_BYTE_RANGE 0x0D -#define SMB_COM_CREATE_TEMPORARY 0x0E -#define SMB_COM_CREATE_NEW 0x0F -#define SMB_COM_CHECK_DIRECTORY 0x10 -#define SMB_COM_PROCESS_EXIT 0x11 -#define SMB_COM_SEEK 0x12 -#define SMB_COM_LOCK_AND_READ 0x13 -#define SMB_COM_WRITE_AND_UNLOCK 0x14 -#define SMB_COM_READ_RAW 0x1A -#define SMB_COM_READ_MPX 0x1B -#define SMB_COM_READ_MPX_SECONDARY 0x1C -#define SMB_COM_WRITE_RAW 0x1D -#define SMB_COM_WRITE_MPX 0x1E -#define SMB_COM_WRITE_MPX_SECONDARY 0x1F -#define SMB_COM_WRITE_COMPLETE 0x20 -#define SMB_COM_QUERY_SERVER 0x21 -#define SMB_COM_SET_INFORMATION2 0x22 -#define SMB_COM_QUERY_INFORMATION2 0x23 -#define SMB_COM_LOCKING_ANDX 0x24 -#define SMB_COM_TRANSACTION 0x25 -#define SMB_COM_TRANSACTION_SECONDARY 0x26 -#define SMB_COM_IOCTL 0x27 -#define SMB_COM_IOCTL_SECONDARY 0x28 -#define SMB_COM_COPY 0x29 -#define SMB_COM_MOVE 0x2A -#define SMB_COM_ECHO 0x2B -#define SMB_COM_WRITE_AND_CLOSE 0x2C -#define SMB_COM_OPEN_ANDX 0x2D -#define SMB_COM_READ_ANDX 0x2E -#define SMB_COM_WRITE_ANDX 0x2F -#define SMB_COM_NEW_FILE_SIZE 0x30 -#define SMB_COM_CLOSE_AND_TREE_DISC 0x31 -#define SMB_COM_TRANSACTION2 0x32 -#define SMB_COM_TRANSACTION2_SECONDARY 0x33 -#define 
SMB_COM_FIND_CLOSE2 0x34 -#define SMB_COM_FIND_NOTIFY_CLOSE 0x35 -/* Used by Xenix/Unix 0x60 - 0x6E */ -#define SMB_COM_TREE_CONNECT 0x70 -#define SMB_COM_TREE_DISCONNECT 0x71 -#define SMB_COM_NEGOTIATE 0x72 -#define SMB_COM_SESSION_SETUP_ANDX 0x73 -#define SMB_COM_LOGOFF_ANDX 0x74 -#define SMB_COM_TREE_CONNECT_ANDX 0x75 -#define SMB_COM_QUERY_INFORMATION_DISK 0x80 -#define SMB_COM_SEARCH 0x81 -#define SMB_COM_FIND 0x82 -#define SMB_COM_FIND_UNIQUE 0x83 -#define SMB_COM_FIND_CLOSE 0x84 -#define SMB_COM_NT_TRANSACT 0xA0 -#define SMB_COM_NT_TRANSACT_SECONDARY 0xA1 -#define SMB_COM_NT_CREATE_ANDX 0xA2 -#define SMB_COM_NT_CANCEL 0xA4 -#define SMB_COM_NT_RENAME 0xA5 -#define SMB_COM_OPEN_PRINT_FILE 0xC0 -#define SMB_COM_WRITE_PRINT_FILE 0xC1 -#define SMB_COM_CLOSE_PRINT_FILE 0xC2 -#define SMB_COM_GET_PRINT_QUEUE 0xC3 -#define SMB_COM_READ_BULK 0xD8 -#define SMB_COM_WRITE_BULK 0xD9 -#define SMB_COM_WRITE_BULK_DATA 0xDA - -typedef struct nbt_hdr -{ - uint8_t type; - uint8_t flags; - uint16_t length; -} NBT_HDR; - -typedef struct { - uint32_t LowPart; - int32_t HighPart; -} SMB_LARGE_INTEGER; // 64 bits of data - -typedef uint32_t SMB_UTIME; -typedef uint32_t SMB_ACCESS_MASK; - -typedef struct smb_hdr -{ - uint8_t protocol[4]; /* Should always be 0xff,SMB */ - uint8_t command; /* Command code */ - - union - { - /* 32 Bits */ - struct { - uint8_t errClass; /* Error class */ - uint8_t reserved; /* Should be 0 */ - uint16_t err; /* Error code */ - } dosErr; - uint32_t ntErrCode; /* 32-bit Error code */ - } status; - - uint8_t flags; /* Flags */ - uint16_t flags2; /* 8 bits weren't enough */ - - union - { - uint16_t pad[6]; /* Make this 12 bytes long */ - struct - { - uint16_t pidHigh; /* Upper 16 bits of PID */ - uint32_t unused; - uint32_t unusedToo; - } extra; - } extended; - - uint16_t tid; /* Tree ID */ - uint16_t pid; /* Process ID */ - uint16_t uid; /* User ID */ - uint16_t mid; /* Multiplex ID */ -} SMB_HDR; - -typedef struct smb_neg_prot_hdr -{ - /* The SMB data 
portion starts at smb_hdr + 32 */ - uint8_t wordCount; /* Should be 0 */ - uint16_t byteCount; /* Number of data bytes */ - - /* dialect array */ - /* format is (0x02, NULL-term string) */ -} SMB_NEG_PROT_HDR; - -typedef struct transaction2_hdr -{ - uint8_t wordCount; - uint16_t totalParameterCount; - uint16_t totalDataCount; - uint16_t maxParameterCount; - uint16_t maxDataCount; - uint8_t maxSetupCount; - uint8_t reserved; - uint16_t flags; - - uint32_t timeout; - uint16_t reserved2; - - uint16_t parameterCount; - uint16_t parameterOffset; - uint16_t dataCount; - uint16_t dataOffset; - - uint8_t setupCount; - uint8_t reserved3; - -} SMB_TRANSACTION2_REQ; - -typedef struct transaction2_secondary_hdr -{ - uint8_t wordCount; - uint16_t totalParameterCount; - uint16_t totalDataCount; - - uint16_t parameterCount; - uint16_t parameterOffset; - uint16_t parameterDisplacement; - uint16_t dataCount; - uint16_t dataOffset; - uint16_t dataDisplacement; - - uint16_t fid; - - uint16_t byteCount; - -} SMB_TRANSACTION2_SECONDARY_REQ; - -typedef struct nttransact_hdr -{ - uint8_t wordCount; - uint8_t maxSetupCount; - uint16_t reserved; - uint32_t totalParameterCount; - uint32_t totalDataCount; - uint32_t maxParameterCount; - uint32_t maxDataCount; - - uint32_t parameterCount; - uint32_t parameterOffset; - uint32_t dataCount; - uint32_t dataOffset; - - uint8_t setupCount; - uint16_t function; - uint8_t buffer; /* Pad */ - -} SMB_NTTRANSACT_REQ; - -typedef struct nttransact_secondary_hdr -{ - uint8_t wordCount; - uint8_t reserved[3]; - uint32_t totalParameterCount; - uint32_t totalDataCount; - - uint32_t parameterCount; - uint32_t parameterOffset; - uint32_t parameterDisplacement; - uint32_t dataCount; - uint32_t dataOffset; - uint32_t dataDisplacement; - - uint8_t reserved1; - - uint16_t byteCount; - -} SMB_NTTRANSACT_SECONDARY_REQ; - -typedef struct nttransact_create_hdr -{ - uint32_t flags; - uint32_t rootDirFid; - SMB_ACCESS_MASK desiredAccess; - SMB_LARGE_INTEGER 
allocationSize; - - uint32_t extFileAttributes; - uint32_t shareAccess; - uint32_t createDisposition; - uint32_t createOptions; - - uint32_t securityDescriptorLength; - uint32_t eaLength; - uint32_t nameLength; - uint32_t impersonationLevel; - - uint8_t securityFlags; - -} SMB_NTTRANSACT_CREATE_REQ; - -#ifdef WIN32 -#pragma pack(pop,smb_hdrs) -#else -#pragma pack() -#endif - -/* from snort_smb.c */ -int ProcessNextSMBCommand(uint8_t command, SMB_HDR *smbHdr, - uint8_t *data, uint16_t data_size, uint16_t size); - -/* - * Grumble, grumble... - * - * Since IBM/Micrsoft decided to put SMBs out on the wire in - * little endian order, the htonX & ntohX ops convert on the - * wrong architectures -- ie, we need no conversion on little - * endian. So, use these for SMB... - */ - -#ifdef WORDS_BIGENDIAN -#define smb_htons(A) ((((uint16_t)(A) & 0xff00) >> 8) | (((uint16_t)(A) & 0x00ff) << 8)) -#define smb_htonl(A) ((((uint32_t)(A) & 0xff000000) >> 24) | (((uint32_t)(A) & 0x00ff0000) >> 8) | (((uint32_t)(A) & 0x0000ff00) << 8) | (((uint32_t)(A) & 0x000000ff) << 24)) -#define smb_ntohs smb_htons -#define smb_ntohl smb_htonl -#define IS_LITTLE_ENDIAN 0 -#else -#define smb_htons(A) (A) -#define smb_htonl(A) (A) -#define smb_ntohs(A) (A) -#define smb_ntohl(A) (A) -#define IS_LITTLE_ENDIAN 1 -#endif - -#define HAS_UNICODE_STRINGS(smbHdr) (smb_ntohs(smbHdr->flags2) & 0x8000) - -#endif /* _SMB_STRUCTS_H_ */ - diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/snort_dcerpc.c snort-2.9.2/src/dynamic-preprocessors/dcerpc/snort_dcerpc.c --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/snort_dcerpc.c 2009-08-10 20:41:47.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc/snort_dcerpc.c 1970-01-01 00:00:00.000000000 +0000 
@@ -1,1039 +0,0 @@
-/*
- * snort_dcerpc.c
- *
- * Copyright (C) 2004-2009 Sourcefire, Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License Version 2 as
- * published by the Free Software Foundation. You may not use, modify or
- * distribute this program under any other version of the GNU General
- * Public License.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Description:
- *
- * This performs the DCERPC decoding.
- *
- * Arguments:
- *
- * Effect:
- *
- * None
- *
- * NOTES:
- * - 08.12.04: Initial Development. 
SAS - * - */ - -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - -#include -#include -#include - -#include "debug.h" -#include "snort_dcerpc.h" -#include "smb_structs.h" -#include "smb_andx_decode.h" -#include "smb_file_decode.h" -#include "dcerpc.h" -#include "dcerpc_util.h" -#include "bounds.h" -#include "sf_snort_packet.h" -#include "sf_types.h" - -#include "profiler.h" -#ifdef PERF_PROFILING -extern PreprocStats dcerpcPerfStats; -extern PreprocStats dcerpcDetectPerfStats; -extern PreprocStats dcerpcIgnorePerfStats; -#endif - -uint32_t _total_memory = 0; - -#ifdef TARGET_BASED -DCERPC_ProtoIds _dce_proto_ids; -#endif - -/* Session structure */ -DCERPC *_dcerpc; -/* Save packet so we don't have to pass it around */ -SFSnortPacket *_dcerpc_pkt; - -uint8_t *dce_reassembly_buf = NULL; -const uint16_t dce_reassembly_buf_size = IP_MAXPKT - (IP_HDR_LEN + TCP_HDR_LEN); - -/* this is used to store one of the below */ -SFSnortPacket *real_dce_mock_pkt = NULL; - -SFSnortPacket *dce_mock_pkt = NULL; -const uint16_t dce_mock_pkt_payload_len = IP_MAXPKT - (IP_HDR_LEN + TCP_HDR_LEN); -#ifdef SUP_IP6 -SFSnortPacket *dce_mock_pkt_6 = NULL; -const uint16_t dce_mock_pkt_6_payload_len = IP_MAXPKT - (IP6_HDR_LEN + TCP_HDR_LEN); -#endif - -extern tSfPolicyUserContextId dcerpc_config; -extern DceRpcConfig *dcerpc_eval_config; - -static DCERPC_TransType DCERPC_AutoDetect(SFSnortPacket *, const uint8_t *, uint16_t); -static void DCERPC_DataFree(DCERPC *); -static int ProcessRawDCERPC(SFSnortPacket *, const uint8_t *, uint16_t); -static int ProcessRawSMB(SFSnortPacket *, const uint8_t *, uint16_t); -static DCERPC_TransType DCERPC_GetTransport(SFSnortPacket *, char *); - -void DCERPC_BufferReassemble(DCERPC_Buffer *sbuf) -{ - uint16_t len; - int status; - - if (DCERPC_BufferIsEmpty(sbuf)) - return; - - len = sbuf->len; - - /* Copy data into buffer */ - if (len > dce_reassembly_buf_size) - len = dce_reassembly_buf_size; - - status = SafeMemcpy(dce_reassembly_buf, sbuf->data, len, - 
dce_reassembly_buf, dce_reassembly_buf + dce_reassembly_buf_size); - - if (status != SAFEMEM_SUCCESS) - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Failed to copy DCERPC data, " - "skipping DCERPC reassembly.\n");); - return; - } - - if (dcerpc_eval_config->debug_print) - { - PrintBuffer("DCE/RPC reassembled fragment", - (uint8_t *)dce_reassembly_buf, (uint16_t)len); - } - - /* create pseudo packet */ - real_dce_mock_pkt = DCERPC_SetPseudoPacket(_dcerpc_pkt, dce_reassembly_buf, len); -} - -void DCERPC_EarlyFragReassemble(DCERPC *dce_ssn_data, const uint8_t *smb_hdr, - uint16_t smb_hdr_len, uint16_t opnum) -{ - dce_ssn_data->num_inc_reass++; - if (dcerpc_eval_config->reassemble_increment == dce_ssn_data->num_inc_reass) - { - dce_ssn_data->num_inc_reass = 0; - - if (!DCERPC_BufferIsEmpty(&dce_ssn_data->dce_frag_buf)) - { - DCERPC_REQ fake_req; - - memset(&fake_req, 0, sizeof(DCERPC_REQ)); - - fake_req.dcerpc_hdr.version = 5; - fake_req.dcerpc_hdr.flags = 0x03; - fake_req.dcerpc_hdr.byte_order = 0x10; - fake_req.opnum = opnum; - - /* Create a reassembly packet but don't free buffers */ - ReassembleDCERPCRequest(smb_hdr, smb_hdr_len, (uint8_t *)&fake_req); - } - } -} - -void * DCERPC_GetReassemblyPkt(void) -{ - if (real_dce_mock_pkt != NULL) - return (void *)real_dce_mock_pkt; - - return NULL; -} - -SFSnortPacket * DCERPC_SetPseudoPacket(SFSnortPacket *p, const uint8_t *data, uint16_t data_len) -{ - SFSnortPacket *ret_pkt = dce_mock_pkt; - uint16_t payload_len = dce_mock_pkt_payload_len; - uint16_t ip_len; - int result; - int vlanHeaderLen = 0; - -#ifdef SUP_IP6 - if (p->family == AF_INET) - { - IP_COPY_VALUE(ret_pkt->inner_ip4h.ip_src, (&p->ip4h->ip_src)); - IP_COPY_VALUE(ret_pkt->inner_ip4h.ip_dst, (&p->ip4h->ip_dst)); - - //((IPV4Header *)ret_pkt->ip4h)->source.s_addr = p->ip4h->ip_src.ip32[0]; - //((IPV4Header *)ret_pkt->ip4h)->destination.s_addr = p->ip4h->ip_dst.ip32[0]; - } - else - { - ret_pkt = dce_mock_pkt_6; - - IP_COPY_VALUE(ret_pkt->inner_ip6h.ip_src, 
(&p->ip6h->ip_src)); - IP_COPY_VALUE(ret_pkt->inner_ip6h.ip_dst, (&p->ip6h->ip_dst)); - - payload_len = dce_mock_pkt_6_payload_len; - } - - ret_pkt->family = p->family; - -#else - ((IPV4Header *)ret_pkt->ip4_header)->source.s_addr = p->ip4_header->source.s_addr; - ((IPV4Header *)ret_pkt->ip4_header)->destination.s_addr = p->ip4_header->destination.s_addr; -#endif - - ((TCPHeader *)ret_pkt->tcp_header)->source_port = p->tcp_header->source_port; - ((TCPHeader *)ret_pkt->tcp_header)->destination_port = p->tcp_header->destination_port; - ret_pkt->src_port = p->src_port; - ret_pkt->dst_port = p->dst_port; - ret_pkt->proto_bits = p->proto_bits; - - if (p->ether_header != NULL) - { - result = SafeMemcpy((void *)((EtherHeader *)ret_pkt->ether_header)->ether_source, - (void *)p->ether_header->ether_source, - (size_t)6, - (void *)ret_pkt->ether_header->ether_source, - (void *)((uint8_t *)ret_pkt->ether_header->ether_source + 6)); - - if (result != SAFEMEM_SUCCESS) - return NULL; - - result = SafeMemcpy((void *)((EtherHeader *)ret_pkt->ether_header)->ether_destination, - (void *)p->ether_header->ether_destination, - (size_t)6, - (void *)ret_pkt->ether_header->ether_destination, - (void *)((uint8_t *)ret_pkt->ether_header->ether_destination + 6)); - - if (result != SAFEMEM_SUCCESS) - return NULL; - - ((EtherHeader *)ret_pkt->ether_header)->ethernet_type = ((EtherHeader *)p->ether_header)->ethernet_type; - - if (((EtherHeader *)p->ether_header)->ethernet_type == htons(ETHERNET_TYPE_8021Q)) - { - result = SafeMemcpy((void *)ret_pkt->vlan_tag_header, - (void *)p->vlan_tag_header, - (size_t)VLAN_HDR_LEN, - (void *)ret_pkt->vlan_tag_header, - (void *)((uint8_t *)ret_pkt->vlan_tag_header + VLAN_HDR_LEN)); - - if (result != SAFEMEM_SUCCESS) - return NULL; - - vlanHeaderLen = VLAN_HDR_LEN; - } - } - - if (data_len > payload_len) - data_len = payload_len; - - result = SafeMemcpy((void *)ret_pkt->payload, (void *)data, (size_t)data_len, - (void *)ret_pkt->payload, - (void *)((uint8_t 
*)ret_pkt->payload + payload_len)); - - if (result != SAFEMEM_SUCCESS) - return NULL; - - ret_pkt->payload_size = data_len; - - ((struct pcap_pkthdr *)ret_pkt->pcap_header)->caplen = - ret_pkt->payload_size + IP_HDR_LEN + TCP_HDR_LEN + ETHER_HDR_LEN + vlanHeaderLen; - ((struct pcap_pkthdr *)ret_pkt->pcap_header)->len = ret_pkt->pcap_header->caplen; - ((struct pcap_pkthdr *)ret_pkt->pcap_header)->ts.tv_sec = p->pcap_header->ts.tv_sec; - ((struct pcap_pkthdr *)ret_pkt->pcap_header)->ts.tv_usec = p->pcap_header->ts.tv_usec; - - ip_len = (uint16_t)(ret_pkt->payload_size + IP_HDR_LEN + TCP_HDR_LEN); -#ifdef SUP_IP6 - if (p->family == AF_INET) - { - ret_pkt->ip4h->ip_len = ((IPV4Header *)ret_pkt->ip4_header)->data_length = htons(ip_len); - } - else - { - ip_len = (uint16_t)(ret_pkt->payload_size + IP6_HDR_LEN + TCP_HDR_LEN); - ret_pkt->ip6h->len = htons(ip_len); - } -#else - ((IPV4Header *)ret_pkt->ip4_header)->data_length = htons(ip_len); -#endif - - ret_pkt->flags = FLAG_STREAM_EST; - ret_pkt->flags |= FLAG_FROM_CLIENT; - ret_pkt->flags |= FLAG_DCE_RPKT; - ret_pkt->stream_session_ptr = p->stream_session_ptr; - - /* Set bit in wire packet to indicate a reassembled packet needs to - * be detected upon */ - _dpd.setPreprocReassemblyPktBit(_dcerpc_pkt, PP_DCERPC); - - return ret_pkt; -} - -void DCERPC_InitPacket(void) -{ - /* Alloc for global reassembly buffers */ - dce_reassembly_buf = (uint8_t *)calloc(1, dce_reassembly_buf_size); - if (dce_reassembly_buf == NULL) - { - DynamicPreprocessorFatalMessage("Failed to allocate memory for " - "reassembly packet\n"); - } - - /* Alloc for mock packets */ - dce_mock_pkt = (SFSnortPacket *)calloc(1, sizeof(SFSnortPacket)); - if (dce_mock_pkt == NULL) - { - DynamicPreprocessorFatalMessage("Failed to allocate memory for " - "mock packet\n"); - } - - dce_mock_pkt->pcap_header = calloc(1, sizeof(struct pcap_pkthdr) + - ETHER_HDR_LEN + - SUN_SPARC_TWIDDLE + IP_MAXPKT + VLAN_HDR_LEN); - if (dce_mock_pkt->pcap_header == NULL) - { - 
DynamicPreprocessorFatalMessage("Failed to allocate memory " - "for mock pcap header\n"); - } - - dce_mock_pkt->pkt_data = - ((uint8_t *)dce_mock_pkt->pcap_header) + sizeof(struct pcap_pkthdr); - dce_mock_pkt->vlan_tag_header = - (void *)((uint8_t *)dce_mock_pkt->pkt_data + SUN_SPARC_TWIDDLE); - dce_mock_pkt->ether_header = - (void *)((uint8_t *)dce_mock_pkt->vlan_tag_header + VLAN_HDR_LEN); - dce_mock_pkt->ip4_header = - (IPV4Header *)((uint8_t *)dce_mock_pkt->ether_header + ETHER_HDR_LEN); - dce_mock_pkt->tcp_header = - (TCPHeader *)((uint8_t *)dce_mock_pkt->ip4_header + IP_HDR_LEN); - - dce_mock_pkt->payload = (uint8_t *)dce_mock_pkt->tcp_header + TCP_HDR_LEN; - - ((EtherHeader *)dce_mock_pkt->ether_header)->ethernet_type = htons(0x0800); - SET_IP4_VER((IPV4Header *)dce_mock_pkt->ip4_header, 0x4); - SET_IP4_HLEN((IPV4Header *)dce_mock_pkt->ip4_header, 0x5); - ((IPV4Header *)dce_mock_pkt->ip4_header)->proto = IPPROTO_TCP; - ((IPV4Header *)dce_mock_pkt->ip4_header)->time_to_live = 0xF0; - ((IPV4Header *)dce_mock_pkt->ip4_header)->type_service = 0x10; - - SET_TCP_HDR_OFFSET((TCPHeader *)dce_mock_pkt->tcp_header, 0x5); - ((TCPHeader *)dce_mock_pkt->tcp_header)->flags = TCPHEADER_PUSH | TCPHEADER_ACK; - -#ifdef SUP_IP6 - _dpd.ip6Build((void *)dce_mock_pkt, dce_mock_pkt->ip4_header, AF_INET); - - /* Same thing as above, but for the IPv6-enabled packet */ - dce_mock_pkt_6 = (SFSnortPacket *)calloc(1, sizeof(SFSnortPacket)); - if (dce_mock_pkt_6 == NULL) - { - DynamicPreprocessorFatalMessage("Failed to allocate memory for " - "mock IPv6 packet\n"); - } - - dce_mock_pkt_6->pcap_header = calloc(1, sizeof(struct pcap_pkthdr) + - ETHER_HDR_LEN + - SUN_SPARC_TWIDDLE + IP_MAXPKT + VLAN_HDR_LEN); - if (dce_mock_pkt_6 == NULL) - { - DynamicPreprocessorFatalMessage("Failed to allocate memory for " - "mock IPv6 pcap header\n"); - } - - dce_mock_pkt_6->pkt_data = - ((uint8_t *)dce_mock_pkt_6->pcap_header) + sizeof(struct pcap_pkthdr); - - dce_mock_pkt_6->vlan_tag_header = - (void 
*)((uint8_t *)dce_mock_pkt_6->pkt_data + SUN_SPARC_TWIDDLE); - dce_mock_pkt_6->ether_header = - (void *)((uint8_t *)dce_mock_pkt_6->vlan_tag_header + VLAN_HDR_LEN); - dce_mock_pkt_6->ip4_header = - (IPV4Header *)((uint8_t *)dce_mock_pkt_6->ether_header + ETHER_HDR_LEN); - dce_mock_pkt_6->tcp_header = - (TCPHeader *)((uint8_t *)dce_mock_pkt_6->ip4_header + IP6_HEADER_LEN); - - dce_mock_pkt_6->payload = (uint8_t *)dce_mock_pkt_6->tcp_header + TCP_HDR_LEN; - - ((EtherHeader *)dce_mock_pkt_6->ether_header)->ethernet_type = htons(0x0800); - SET_IP4_VER((IPV4Header *)dce_mock_pkt_6->ip4_header, 0x4); - SET_IP4_HLEN((IPV4Header *)dce_mock_pkt_6->ip4_header, 0x5); - ((IPV4Header *)dce_mock_pkt_6->ip4_header)->type_service = 0x10; - dce_mock_pkt_6->inner_ip6h.next = ((IPV4Header *)dce_mock_pkt_6->ip4_header)->proto = IPPROTO_TCP; - dce_mock_pkt_6->inner_ip6h.hop_lmt = ((IPV4Header *)dce_mock_pkt_6->ip4_header)->time_to_live = 0xF0; - dce_mock_pkt_6->inner_ip6h.len = IP6_HEADER_LEN >> 2; - - _dpd.ip6SetCallbacks((void *)dce_mock_pkt_6, AF_INET6, SET_CALLBACK_IP); - dce_mock_pkt_6->ip6h = &dce_mock_pkt_6->inner_ip6h; - dce_mock_pkt_6->ip4h = &dce_mock_pkt_6->inner_ip4h; - - SET_TCP_HDR_OFFSET((TCPHeader *)dce_mock_pkt_6->tcp_header, 0x5); - ((TCPHeader *)dce_mock_pkt_6->tcp_header)->flags = TCPHEADER_PUSH | TCPHEADER_ACK; -#endif -} - - -static int ProcessRawSMB(SFSnortPacket *p, const uint8_t *data, uint16_t size) -{ - /* Must remember to convert stuff to host order before using it... 
*/ - SMB_HDR *smbHdr; - uint16_t nbt_data_size; - uint8_t *smb_command; - uint16_t smb_data_size; - - while (size > 0) - { - NBT_HDR *nbt_hdr; - - /* Check for size enough for NBT_HDR and SMB_HDR */ - if ( size <= (sizeof(NBT_HDR) + sizeof(SMB_HDR)) ) - { - /* Not enough data */ - return 0; - } - - nbt_hdr = (NBT_HDR *)data; - nbt_data_size = ntohs(nbt_hdr->length); - if (nbt_data_size > (size - sizeof(NBT_HDR))) - nbt_data_size = size - sizeof(NBT_HDR); - - smbHdr = (SMB_HDR *)(data + sizeof(NBT_HDR)); - smb_command = (uint8_t *)smbHdr + sizeof(SMB_HDR); - smb_data_size = nbt_data_size - sizeof(SMB_HDR); - - if (memcmp(smbHdr->protocol, "\xffSMB", 4) != 0) - { - /* Not an SMB request, nothing really to do here... */ - return 0; - } - - ProcessNextSMBCommand(smbHdr->command, smbHdr, smb_command, smb_data_size, nbt_data_size); - - size -= (sizeof(NBT_HDR) + nbt_data_size); - data += (sizeof(NBT_HDR) + nbt_data_size); - } - - return 1; -} - -static int ProcessRawDCERPC(SFSnortPacket *p, const uint8_t *data, uint16_t size) -{ - DCERPC_Buffer *sbuf = &_dcerpc->tcp_seg_buf; - int status = ProcessDCERPCMessage(NULL, 0, data, size); - - if (status == -1) - return -1; - - if ((status == DCERPC_FULL_FRAGMENT) && !DCERPC_BufferIsEmpty(sbuf)) - { - DCERPC_BufferReassemble(sbuf); - DCERPC_BufferEmpty(sbuf); - } - else if ((status == DCERPC_SEGMENTED) && dcerpc_eval_config->reassemble_increment) - { - _dcerpc->num_inc_reass++; - if (dcerpc_eval_config->reassemble_increment == _dcerpc->num_inc_reass) - { - _dcerpc->num_inc_reass = 0; - DCERPC_BufferReassemble(sbuf); - } - } - - return 1; -} - -/* - * Free SMB-specific related to this session - * - * @param v pointer to SMB session structure - * - * @return none - */ -void DCERPC_SessionFree(void * v) -{ - DCERPC *x = (DCERPC *) v; - DceRpcConfig *pPolicyConfig = NULL; - - if (x == NULL) - return; - - pPolicyConfig = (DceRpcConfig *)sfPolicyUserDataGet(x->config, x->policy_id); - - if (pPolicyConfig != NULL) - { - 
pPolicyConfig->ref_count--; - if ((pPolicyConfig->ref_count == 0) && - (x->config != dcerpc_config)) - { - sfPolicyUserDataClear (x->config, x->policy_id); - free(pPolicyConfig); - - /* No more outstanding configs - free the config array */ - if (sfPolicyUserPolicyGetActive(x->config) == 0) - DceRpcFreeConfig(x->config); - } - } - - DCERPC_DataFree(x); - free(x); -} - -static void DCERPC_DataFree(DCERPC *dssn) -{ - DCERPC_BufferFreeData(&dssn->smb_seg_buf); - DCERPC_BufferFreeData(&dssn->tcp_seg_buf); - DCERPC_BufferFreeData(&dssn->dce_frag_buf); -} - -static DCERPC_TransType DCERPC_AutoDetect(SFSnortPacket *p, const uint8_t *data, uint16_t size) -{ - NBT_HDR *nbtHdr; - SMB_HDR *smbHdr; - DCERPC_HDR *dcerpc; - - if ( !dcerpc_eval_config->autodetect ) - { - return DCERPC_TRANS_TYPE__NONE; - } - - if ( size > (sizeof(NBT_HDR) + sizeof(SMB_HDR)) ) - { - /* See if this looks like SMB */ - smbHdr = (SMB_HDR *) (data + sizeof(NBT_HDR)); - - if (memcmp(smbHdr->protocol, "\xffSMB", 4) == 0) - { - /* Do an extra check on NetBIOS header, which should be valid for both - NetBIOS and raw SMB */ - nbtHdr = (NBT_HDR *)data; - - if (nbtHdr->type == SMB_SESSION ) - { - return DCERPC_TRANS_TYPE__SMB; - } - } - } - - /* Might be DCE/RPC */ - /* Make sure it's a reasonable size */ - if (size > sizeof(DCERPC_REQ)) - { - dcerpc = (DCERPC_HDR *) data; - - /* Minimal DCE/RPC check - check for version and request */ - if ((dcerpc->version == 5) && - ((dcerpc->packet_type == DCERPC_REQUEST) || (dcerpc->packet_type == DCERPC_BIND))) - { - return DCERPC_TRANS_TYPE__DCERPC; - } - } - - return DCERPC_TRANS_TYPE__NONE; -} - -/* For Target based ************************************************************* - * - * (1) If a protocol for the session is already identified and not ones DCE/RPC is - * interested in, DCE/RPC should leave it alone and return without processing. - * (2) If a protocol for the session is already identified and is one that DCE/RPC is - * interested in, decode it. 
- * (3) If the protocol for the session is not already identified and the preprocessor - * is configured to detect on one of the packet ports or can autodetect it, - * decode the packet. - * - * Returns a transport type - none type if app id already set to something other - * than DCE/RPC or SMB or if not configured or autodetect fails. - */ -static DCERPC_TransType DCERPC_GetTransport(SFSnortPacket *p, char *autodetected) -{ -#ifdef TARGET_BASED - int16_t app_id = _dpd.streamAPI->get_application_protocol_id(p->stream_session_ptr); - - *autodetected = 0; - - if (app_id != 0) - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "DCE/RPC: Target-based: App id: %u.\n", app_id);); - - if (app_id == _dce_proto_ids.dcerpc) - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "DCE/RPC: Target-based: App id is " - "set to \"%s\".\n", DCE_PROTO_REF_STR__DCERPC);); - - return DCERPC_TRANS_TYPE__DCERPC; - } - else if (app_id == _dce_proto_ids.nbss) - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "DCE/RPC: Target-based: App id is " - "set to \"%s or %s\".\n", - DCE_PROTO_REF_STR__SMB, DCE_PROTO_REF_STR__NBSS);); - - return DCERPC_TRANS_TYPE__SMB; - } - else - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "DCE/RPC: Target-based: App id is " - "set to something not DCE/RPC or SMB.\n");); - - return DCERPC_TRANS_TYPE__NONE; - } - } - else - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "DCE/RPC: Target-based: Unknown protocol for " - "this session. See if we're configured or can autodetect.\n");); - - if (((p->flags & FLAG_FROM_CLIENT) && - (dcerpc_eval_config->SMBPorts[PORT_INDEX(p->dst_port)] & CONV_PORT(p->dst_port))) || - ((p->flags & FLAG_FROM_SERVER) && - (dcerpc_eval_config->SMBPorts[PORT_INDEX(p->src_port)] & CONV_PORT(p->src_port)))) - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "DCE/RPC: Target-based: SMB port is configured. 
" - "Set protocol to NBSS/SMB for session.\n");); - - return DCERPC_TRANS_TYPE__SMB; - } - else if (((p->flags & FLAG_FROM_CLIENT) && - (dcerpc_eval_config->DCERPCPorts[PORT_INDEX(p->dst_port)] & CONV_PORT(p->dst_port))) || - ((p->flags & FLAG_FROM_SERVER) && - (dcerpc_eval_config->DCERPCPorts[PORT_INDEX(p->src_port)] & CONV_PORT(p->src_port)))) - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "DCE/RPC: Target-based: DCE/RPC port is configured. " - "Set protocol to DCE/RPC for session.\n");); - - return DCERPC_TRANS_TYPE__DCERPC; - } - else if (dcerpc_eval_config->autodetect) - { - DCERPC_TransType trans = DCERPC_AutoDetect(p, p->payload, p->payload_size); - - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "DCE/RPC: Target-based: Autodetecting ... \n");); - - switch (trans) - { - case DCERPC_TRANS_TYPE__DCERPC: - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, - "DCE/RPC: Target-based: Autodetected DCE/RPC. Set " - "protocol to DCE/RPC for session.\n");); - - break; - - case DCERPC_TRANS_TYPE__SMB: - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, - "DCE/RPC: Target-based: Autodetected SMB. Set " - "protocol to SMB for session.\n");); - - break; - - case DCERPC_TRANS_TYPE__NONE: - default: - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, - "DCE/RPC: Target-based: Unable to autodetect.\n");); - - return DCERPC_TRANS_TYPE__NONE; - } - - *autodetected = 1; - - return trans; - } - else - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "DCE/RPC: Target-based: No configured ports " - "and autodetect not enabled. 
Return unhappy and weepy.\n");); - } - } -#else - *autodetected = 0; - - /* check the port list */ - if (((p->flags & FLAG_FROM_CLIENT) && - (dcerpc_eval_config->SMBPorts[PORT_INDEX(p->dst_port)] & CONV_PORT(p->dst_port))) || - ((p->flags & FLAG_FROM_SERVER) && - (dcerpc_eval_config->SMBPorts[PORT_INDEX(p->src_port)] & CONV_PORT(p->src_port)))) - { - return DCERPC_TRANS_TYPE__SMB; - } - else if (((p->flags & FLAG_FROM_CLIENT) && - (dcerpc_eval_config->DCERPCPorts[PORT_INDEX(p->dst_port)] & CONV_PORT(p->dst_port))) || - ((p->flags & FLAG_FROM_SERVER) && - (dcerpc_eval_config->DCERPCPorts[PORT_INDEX(p->src_port)] & CONV_PORT(p->src_port)))) - { - return DCERPC_TRANS_TYPE__DCERPC; - } - else if (dcerpc_eval_config->autodetect) - { - DCERPC_TransType trans = DCERPC_AutoDetect(p, p->payload, p->payload_size); - *autodetected = 1; - - return trans; - } -#endif /* TARGET_BASED */ - - return DCERPC_TRANS_TYPE__NONE; -} - -int DCERPCDecode(void *pkt) -{ - SFSnortPacket *p = (SFSnortPacket *) pkt; - DCERPC *x = NULL; - DCERPC_TransType trans = DCERPC_TRANS_TYPE__NONE; - tSfPolicyId policy_id = _dpd.getRuntimePolicy(); - DceRpcConfig *pPolicyConfig = NULL; - - real_dce_mock_pkt = NULL; - - sfPolicyUserPolicySet (dcerpc_config, policy_id); - pPolicyConfig = (DceRpcConfig *)sfPolicyUserDataGetCurrent(dcerpc_config); - dcerpc_eval_config = pPolicyConfig; - - x = (DCERPC *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_DCERPC); - if (x != NULL) - dcerpc_eval_config = (DceRpcConfig *)sfPolicyUserDataGet(x->config, x->policy_id); - - if (dcerpc_eval_config == NULL) - return 0; - - if (x == NULL) - { - char autodetected = 0; - - trans = DCERPC_GetTransport(p, &autodetected); - if (trans == DCERPC_TRANS_TYPE__NONE) - return 0; - - x = (DCERPC *)calloc(1, sizeof(DCERPC)); - if ( x == NULL ) - { - DynamicPreprocessorFatalMessage("%s(%d) => Failed to allocate for SMB session data\n", - _dpd.config_file, _dpd.config_line); - } - else - { - x->policy_id = policy_id; - 
x->config = dcerpc_config; - pPolicyConfig->ref_count++; - - _dpd.streamAPI->set_application_data(p->stream_session_ptr, PP_DCERPC, - (void *)x, &DCERPC_SessionFree); - } - - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Created new session\n");); - - x->trans = trans; - if (autodetected) - x->autodetected = 1; - - if (_dpd.streamAPI->get_reassembly_direction(p->stream_session_ptr) != SSN_DIR_SERVER) - { - _dpd.streamAPI->set_reassembly(p->stream_session_ptr, STREAM_FLPOLICY_FOOTPRINT, - SSN_DIR_SERVER, STREAM_FLPOLICY_SET_ABSOLUTE); - } - - if (p->flags & FLAG_FROM_SERVER) - { - _dpd.streamAPI->response_flush_stream(p); - return 0; - } - - if (p->flags & FLAG_STREAM_INSERT) - return 0; - } - else if (x->no_inspect) - { - return 0; - } - else if (p->flags & FLAG_FROM_SERVER) - { - _dpd.streamAPI->response_flush_stream(p); - return 0; - } - else if ((p->flags & FLAG_FROM_CLIENT) && !(p->flags & FLAG_REBUILT_STREAM)) - { - /* Should be doing reassembly at this point */ - return 0; - } - - _dcerpc = x; - _dcerpc_pkt = p; - - switch (_dcerpc->trans) - { - case DCERPC_TRANS_TYPE__SMB: - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Decoding SMB packet\n");); - ProcessRawSMB(p, p->payload, p->payload_size); - break; - case DCERPC_TRANS_TYPE__DCERPC: - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Decoding DCE/RPC packet\n");); - ProcessRawDCERPC(p, p->payload, p->payload_size); - break; - default: - /* Shouldn't get here. 
Just adding action for default case */ - return 0; - } - - if (_dcerpc->fragmentation & SUSPEND_FRAGMENTATION) - { - DCERPC_DataFree(_dcerpc); - _dcerpc->no_inspect = 1; - } - - /* If it's an autodetected session, still let other preprocessors - * look at it */ - if (_dcerpc->autodetected) - return 0; - - return 1; -} - -void DCERPC_Exit(void) -{ - if (dce_reassembly_buf != NULL) - free((void *)dce_reassembly_buf); - - if (dce_mock_pkt != NULL) - { - if (dce_mock_pkt->pcap_header != NULL) - free((void *)dce_mock_pkt->pcap_header); - - free((void *)dce_mock_pkt); - } -#ifdef SUP_IP6 - if (dce_mock_pkt_6 != NULL) - { - if (dce_mock_pkt_6->pcap_header != NULL) - free((void *)dce_mock_pkt_6->pcap_header); - - free((void *)dce_mock_pkt_6); - } -#endif - -#ifdef PERF_PROFILING -#ifdef DEBUG_DCERPC_PRINT - printf("SMB Debug\n"); - printf(" Number of packets seen: %u\n", dcerpcPerfStats.checks); - printf(" Number of packets ignored: %d\n", dcerpcIgnorePerfStats.checks); -#endif -#endif -} - - -int ProcessNextSMBCommand(uint8_t command, SMB_HDR *smbHdr, - uint8_t *data, uint16_t size, uint16_t total_size) -{ - switch (command) - { - case SMB_COM_TREE_CONNECT_ANDX: - return ProcessSMBTreeConnXReq(smbHdr, data, size, total_size); - case SMB_COM_NT_CREATE_ANDX: - return ProcessSMBNTCreateX(smbHdr, data, size, total_size); - case SMB_COM_WRITE_ANDX: - return ProcessSMBWriteX(smbHdr, data, size, total_size); - case SMB_COM_TRANSACTION: - return ProcessSMBTransaction(smbHdr, data, size, total_size); - case SMB_COM_READ_ANDX: - return ProcessSMBReadX(smbHdr, data, size, total_size); - -#ifdef UNUSED_SMB_COMMAND - - case SMB_COM_SESSION_SETUP_ANDX: - return ProcessSMBSetupXReq(smbHdr, data, size, total_size); - case SMB_COM_LOGOFF_ANDX: - return ProcessSMBLogoffXReq(smbHdr, data, size, total_size); - case SMB_COM_READ_ANDX: - return ProcessSMBReadX(smbHdr, data, size, total_size); - case SMB_COM_LOCKING_ANDX: - return ProcessSMBLockingX(smbHdr, data, size, total_size); - - case 
SMB_COM_NEGOTIATE: - return ProcessSMBNegProtReq(smbHdr, data, size, total_size); - case SMB_COM_TRANSACTION2: - return ProcessSMBTransaction2(smbHdr, data, size, total_size); - case SMB_COM_TRANSACTION2_SECONDARY: - return ProcessSMBTransaction2Secondary(smbHdr, data, size, total_size); - case SMB_COM_NT_TRANSACT: - return ProcessSMBNTTransact(smbHdr, data, size, total_size); - case SMB_COM_NT_TRANSACT_SECONDARY: - return ProcessSMBNTTransactSecondary(smbHdr, data, size, total_size); - case SMB_COM_TRANSACTION_SECONDARY: - break; - - case SMB_COM_ECHO: - return ProcessSMBEcho(smbHdr, data, size, total_size); - case SMB_COM_SEEK: - return ProcessSMBSeek(smbHdr, data, size, total_size); - case SMB_COM_FLUSH: - return ProcessSMBFlush(smbHdr, data, size, total_size); - case SMB_COM_CLOSE: - case SMB_COM_CLOSE_AND_TREE_DISC: - return ProcessSMBClose(smbHdr, data, size, total_size); - case SMB_COM_TREE_DISCONNECT: - case SMB_COM_NT_CANCEL: - return ProcessSMBNoParams(smbHdr, data, size, total_size); -#endif - default: -#ifdef DEBUG_DCERPC_PRINT - printf("====> Unprocessed command 0x%02x <==== \n", command); -#endif - break; - } - - return 0; -} - -int DCERPC_BufferAddData(DCERPC *dce_ssn, DCERPC_Buffer *sbuf, const uint8_t *data, uint16_t data_size) -{ - int status; - - if ((sbuf == NULL) || (data == NULL)) - return -1; - - if (data_size == 0) - return 0; - - if ((sbuf == &dce_ssn->smb_seg_buf) && dcerpc_eval_config->disable_smb_fragmentation) - return 0; - else if (dcerpc_eval_config->disable_dcerpc_fragmentation) - return 0; - - if (sbuf->data == NULL) - { - uint16_t alloc_size = data_size; - - if (dce_ssn->fragmentation & SUSPEND_FRAGMENTATION) - return -1; - - /* Add a minimum size so we don't have to realloc as often */ - if (alloc_size < DCERPC_MIN_SEG_ALLOC_SIZE) - alloc_size = DCERPC_MIN_SEG_ALLOC_SIZE; - - if (DCERPC_IsMemcapExceeded(alloc_size)) - return -1; - - sbuf->data = (uint8_t *)calloc(alloc_size, 1); - if (sbuf->data == NULL) - 
DynamicPreprocessorFatalMessage("Failed to allocate space for TCP seg buf\n"); - - _total_memory += alloc_size; - sbuf->size = alloc_size; - } - else - { - uint16_t buf_size_left = sbuf->size - sbuf->len; - - if (data_size > buf_size_left) - { - uint16_t alloc_size = data_size - buf_size_left; - uint8_t *tmp_data; - - if (dce_ssn->fragmentation & SUSPEND_FRAGMENTATION) - return -1; - - if (alloc_size < DCERPC_MIN_SEG_ALLOC_SIZE) - alloc_size = DCERPC_MIN_SEG_ALLOC_SIZE; - - if ((USHRT_MAX - sbuf->size) < alloc_size) - alloc_size = USHRT_MAX - sbuf->size; - - if (alloc_size == 0) - return -1; - - if (DCERPC_IsMemcapExceeded(alloc_size)) - return -1; - - tmp_data = (uint8_t *)realloc(sbuf->data, sbuf->size + alloc_size); - if (tmp_data == NULL) - DynamicPreprocessorFatalMessage("Failed to allocate space for TCP seg buf\n"); - - sbuf->data = tmp_data; - - _total_memory += alloc_size; - sbuf->size += alloc_size; - - /* This would be because of potential overflow */ - if (sbuf->len + data_size > sbuf->size) - data_size = sbuf->size - sbuf->len; - } - } - - status = SafeMemcpy(sbuf->data + sbuf->len, data, data_size, - sbuf->data + sbuf->len, sbuf->data + sbuf->size); - - if (status != SAFEMEM_SUCCESS) - return -1; - - sbuf->len += data_size; - - return 0; -} - -void DCERPC_BufferFreeData(DCERPC_Buffer *sbuf) -{ - if (sbuf == NULL) - return; - - if (sbuf->data != NULL) - { - if (_total_memory > sbuf->size) - _total_memory -= sbuf->size; - else - _total_memory = 0; - - free(sbuf->data); - - sbuf->data = NULL; - sbuf->len = 0; - sbuf->size = 0; - } -} - -int DCERPC_IsMemcapExceeded(uint16_t alloc_size) -{ - if ((alloc_size + _total_memory) > ((DceRpcConfig *)sfPolicyUserDataGetDefault(dcerpc_config))->memcap) - { - if (dcerpc_eval_config->alert_memcap) - { - DCERPC_GenerateAlert(DCERPC_EVENT_MEMORY_OVERFLOW, - DCERPC_EVENT_MEMORY_OVERFLOW_STR); - } - - return 1; - } - - return 0; -} - -static int DceFreeConfigPolicy( - tSfPolicyUserContextId config, - tSfPolicyId policyId, 
- void* pData - ) -{ - DceRpcConfig *pPolicyConfig = (DceRpcConfig *)pData; - - //do any housekeeping before freeing DceRpcConfig - - sfPolicyUserDataClear (config, policyId); - free(pPolicyConfig); - return 0; -} - -void DceRpcFreeConfig(tSfPolicyUserContextId config) -{ - if (config == NULL) - return; - - sfPolicyUserDataIterate (config, DceFreeConfigPolicy); - sfPolicyConfigDelete(config); -} - diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/snort_dcerpc.h snort-2.9.2/src/dynamic-preprocessors/dcerpc/snort_dcerpc.h --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/snort_dcerpc.h 2009-05-06 22:28:50.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc/snort_dcerpc.h 1970-01-01 00:00:00.000000000 +0000 
@@ -1,177 +0,0 @@
-/*
- * snort_dcerpc.h
- *
- * Copyright (C) 2004-2009 Sourcefire, Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License Version 2 as
- * published by the Free Software Foundation. You may not use, modify or
- * distribute this program under any other version of the GNU General
- * Public License.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- *
- * Description:
- *
- * Declares external routines that handle decoding SMB commands
- *
- * NOTES:
- * - 08.12.04: Initial Development. 
SAS - * - */ -#ifndef _SNORT_SMB_H_ -#define _SNORT_SMB_H_ - -#include "sf_snort_packet.h" -#include "sf_dynamic_preprocessor.h" -#include "dcerpc_util.h" -#include "debug.h" -#include "bounds.h" -#include "sfPolicy.h" -#include "sfPolicyUserData.h" - -#ifdef TARGET_BASED -typedef struct _DCERPC_ProtoIds -{ - int16_t dcerpc; - int16_t nbss; - -} DCERPC_ProtoIds; - -#define DCE_PROTO_REF_STR__DCERPC "dcerpc" -#define DCE_PROTO_REF_STR__SMB "smb" -#define DCE_PROTO_REF_STR__NBSS "netbios-ssn" /* This seems to be the name for SMB */ -#endif /* TARGET_BASED */ - -#ifdef WIN32 -#pragma pack(push,snort_smb_hdrs,1) -#endif - -/* Default maximum frag size, in bytes */ -#define DEFAULT_MAX_FRAG_SIZE 3000 -#define MAX_MAX_FRAG_SIZE 5840 - -/* Default maximum memory use, in KB */ -#define DEFAULT_MEMCAP 100000 - -#define SMB_FRAGMENTATION 0x0001 /* SMB fragmentation */ -#define RPC_FRAGMENTATION 0x0002 /* DCE/RPC fragmentation */ -#define SUSPEND_FRAGMENTATION 0x0004 /* Memcap reached, don't try to do more */ - -#define DCERPC_MIN_SEG_ALLOC_SIZE 100 - -#define STATE_START 0 -#define STATE_GOT_TREE_CONNECT 1 -#define STATE_GOT_NTCREATE 2 /* Or got SMB Open */ -#define STATE_IS_DCERPC 3 /* Valid DCE/RPC session */ - -#define MAX_PORT_INDEX 65536 / 8 - -/* Convert port value into an index for the dns_config.ports array */ -#define PORT_INDEX(port) port / 8 - -/* Convert port value into a value for bitwise operations */ -#define CONV_PORT(port) 1 << (port % 8) - -typedef struct _DceRpcConfig -{ - char SMBPorts[MAX_PORT_INDEX]; - char DCERPCPorts[MAX_PORT_INDEX]; - uint16_t max_frag_size; - uint32_t memcap; - uint8_t debug_print; - uint8_t alert_memcap; - uint8_t autodetect; - uint8_t disable_smb_fragmentation; - uint8_t disable_dcerpc_fragmentation; - int reassemble_increment; - - int ref_count; - -} DceRpcConfig; - -typedef enum _DCERPC_TransType -{ - DCERPC_TRANS_TYPE__NONE = 0, - DCERPC_TRANS_TYPE__SMB, - DCERPC_TRANS_TYPE__DCERPC - -} DCERPC_TransType; - -typedef struct 
_DCERPC -{ - uint8_t state; - uint8_t smb_state; - uint8_t fragmentation; - DCERPC_Buffer dce_frag_buf; - DCERPC_Buffer smb_seg_buf; - DCERPC_Buffer tcp_seg_buf; - - int num_inc_reass; - char autodetected; - - DCERPC_TransType trans; - int no_inspect; - - tSfPolicyId policy_id; - tSfPolicyUserContextId config; - -} DCERPC; - -#ifdef WIN32 -#pragma pack(pop,snort_smb_hdrs,1) -#endif - -int DCERPCProcessConf(DceRpcConfig *, char *pcToken, char *ErrorString, int ErrStrLen); -int DCERPCDecode(void *p); -void DCERPC_InitPacket(void); -SFSnortPacket * DCERPC_SetPseudoPacket(SFSnortPacket *p, const uint8_t *data, uint16_t data_len); -void * DCERPC_GetReassemblyPkt(void); -void DCERPC_Exit(void); -void DCERPC_EarlyFragReassemble(DCERPC *, const uint8_t *, uint16_t, uint16_t); -void DCERPC_BufferReassemble(DCERPC_Buffer *); - -void DCERPC_BufferFreeData(DCERPC_Buffer *); -int DCERPC_BufferAddData(DCERPC *, DCERPC_Buffer *, const uint8_t *, uint16_t); -int DCERPC_BufferAlloc(DCERPC_Buffer *, uint16_t); -int DCERPC_IsMemcapExceeded(uint16_t); -void DceRpcFreeConfig(tSfPolicyUserContextId); - -static INLINE int DCERPC_BufferIsEmpty(DCERPC_Buffer *); -static INLINE void DCERPC_BufferEmpty(DCERPC_Buffer *); - -static INLINE int DCERPC_BufferIsEmpty(DCERPC_Buffer *sbuf) -{ - if ((sbuf == NULL) || - (sbuf->data == NULL) || - (sbuf->len == 0) || - (sbuf->size == 0)) - { - return 1; - } - - return 0; -} - -static INLINE void DCERPC_BufferEmpty(DCERPC_Buffer *sbuf) -{ - if (sbuf == NULL) - return; - - sbuf->len = 0; -} - - -#define GENERATOR_SMB 125 -extern DynamicPreprocessorData _dpd; - -#endif /* _SNORT_SMB_H_ */ - diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/spp_dcerpc.c snort-2.9.2/src/dynamic-preprocessors/dcerpc/spp_dcerpc.c --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/spp_dcerpc.c 2009-10-02 20:29:57.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc/spp_dcerpc.c 1970-01-01 00:00:00.000000000 +0000 
@@ -1,574 +0,0 @@ -/* - * spp_dcerpc.c - * - * Copyright (C) 2004-2009 Sourcefire, Inc. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License Version 2 as - * published by the Free Software Foundation. You may not use, modify or - * distribute this program under any other version of the GNU General - * Public License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - * - * Description: - * - * This file initializes DCERPC as a Snort preprocessor. - * - * This file registers the DCERPC initialization function, - * adds the DCERPC function into the preprocessor list, reads - * the user configuration in the snort.conf file, and prints out - * the configuration that is read. - * - * In general, this file is a wrapper to DCERPC preproc functionality, - * by interfacing with the Snort preprocessor functions. The rest - * of DCERPC should be separate from the preprocessor hooks. - * - * The DCERPC preprocessor parses DCERPC requests from remote machines by - * layering SMB and DCERPC data structures over the data stream and extracting - * various pieces of information. - * - * Arguments: - * - * This plugin takes port list(s) representing the TCP ports that the - * user is interested in having decoded. It is of the format - * - * ports nbt { port1 [port2 ...] } - * ports raw { port1 [port2 ...] } - * - * where nbt & raw are used to specify the ports for SMB over NetBios/TCP - * and raw SMB, respectively. 
- * - * Effect: - * - * None - * - * NOTES: - * - 08.12.04: Initial Development. SAS - * - */ - -#include -#include -#include -#include - -#ifdef HAVE_STRINGS_H -#include -#endif - -#include "debug.h" - -#include "preprocids.h" -#include "sf_snort_packet.h" - -#include "profiler.h" - -#include "snort_dcerpc.h" - -#ifdef PERF_PROFILING -PreprocStats dcerpcPerfStats; -PreprocStats dcerpcDetectPerfStats; -#endif - -#include "sf_types.h" - -/* - * The length of the error string buffer. - */ -#define ERRSTRLEN 1000 - -/* - * The definition of the configuration separators in the snort.conf - * configure line. - */ -#define CONF_SEPARATORS " \t\n\r" - -tSfPolicyUserContextId dcerpc_config = NULL; -DceRpcConfig *dcerpc_eval_config = NULL; - -void DCERPCInit(char *); -void ProcessDCERPCPacket(void *, void *); -static void DCERPCCleanExitFunction(int, void *); -static void DCERPCReset(int, void *); -static void DCERPCResetStats(int, void *); -static void _addPortsToStream5Filter(DceRpcConfig *, tSfPolicyId); -#ifdef TARGET_BASED -static void _addServicesToStream5Filter(tSfPolicyId); -extern DCERPC_ProtoIds _dce_proto_ids; -#endif -static void DCERPCCheckConfig(void); - -#ifdef SNORT_RELOAD -static tSfPolicyUserContextId dcerpc_swap_config = NULL; -static void DCERPCReload(char *); -static int DCERPCVerifyReload(void); -static void * DCERPCReloadSwap(void); -static void DCERPCReloadSwapFree(void *); -#endif - - -/* - * Function: SetupDCERPC() - * - * Purpose: Registers the preprocessor keyword and initialization - * function into the preprocessor list. - * - * Arguments: None. 
- * - * Returns: void function - * - */ -void SetupDCERPC(void) -{ - /* link the preprocessor keyword to the init function in - the preproc list */ -#ifndef SNORT_RELOAD - _dpd.registerPreproc("dcerpc", DCERPCInit); -#else - _dpd.registerPreproc("dcerpc", DCERPCInit, DCERPCReload, - DCERPCReloadSwap, DCERPCReloadSwapFree); -#endif - - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC,"Preprocessor: DCERPC in setup...\n");); -} - - -/* - * Function: DCERPCInit(char *) - * - * Purpose: Processes the args sent to the preprocessor, sets up the - * port list, links the processing function into the preproc - * function list - * - * Arguments: args => ptr to argument string - * - * Returns: void function - * - */ -void DCERPCInit(char *args) -{ - tSfPolicyId policy_id = _dpd.getParserPolicy(); - char ErrorString[ERRSTRLEN]; - int iErrStrLen = ERRSTRLEN - 1; - char *token = strtok(args, CONF_SEPARATORS); - DceRpcConfig *pPolicyConfig = NULL; - - ErrorString[ERRSTRLEN - 1] = '\0'; - - if (dcerpc_config == NULL) - { - //create a context - dcerpc_config = sfPolicyConfigCreate(); - if (dcerpc_config == NULL) - { - DynamicPreprocessorFatalMessage("%s(%d) => Could not allocate memory " - "for dcerpc preprocessor configuration.\n"); - } - - if (_dpd.streamAPI == NULL) - { - DynamicPreprocessorFatalMessage("%s(%d) => dcerpc: Stream5 must be enabled.\n", - *_dpd.config_file, *_dpd.config_line); - } - -#ifdef PERF_PROFILING - _dpd.addPreprocProfileFunc("dcerpc", &dcerpcPerfStats, 0, _dpd.totalPerfStats); -#endif - -#ifdef TARGET_BASED - _dce_proto_ids.dcerpc = _dpd.findProtocolReference(DCE_PROTO_REF_STR__DCERPC); - if (_dce_proto_ids.dcerpc == SFTARGET_UNKNOWN_PROTOCOL) - _dce_proto_ids.dcerpc = _dpd.addProtocolReference(DCE_PROTO_REF_STR__DCERPC); - - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC,"DCE/RPC: Target-based: Proto id for %s: %u.\n", - DCE_PROTO_REF_STR__DCERPC, _dce_proto_ids.dcerpc);); - - /* smb and netbios-ssn refer to the same thing */ - _dce_proto_ids.nbss = 
_dpd.findProtocolReference(DCE_PROTO_REF_STR__NBSS); - if (_dce_proto_ids.nbss == SFTARGET_UNKNOWN_PROTOCOL) - _dce_proto_ids.nbss = _dpd.addProtocolReference(DCE_PROTO_REF_STR__NBSS); - - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC,"DCE/RPC: Target-based: Proto id for %s: %u.\n", - DCE_PROTO_REF_STR__NBSS, _dce_proto_ids.nbss);); -#endif - - /* Init reassembly packet */ - DCERPC_InitPacket(); - - _dpd.addPreprocExit(DCERPCCleanExitFunction, NULL, PRIORITY_LAST, PP_DCERPC); - _dpd.addPreprocReset(DCERPCReset, NULL, PRIORITY_LAST, PP_DCERPC); - _dpd.addPreprocResetStats(DCERPCResetStats, NULL, PRIORITY_LAST, PP_DCERPC); - _dpd.addPreprocConfCheck(DCERPCCheckConfig); - } - - if ((policy_id != _dpd.getDefaultPolicy()) - && (sfPolicyUserDataGetDefault(dcerpc_config) == NULL)) - { - DynamicPreprocessorFatalMessage("%s(%d) => Must configure dcerpc in " - "default policy if using in other policies.\n", - *_dpd.config_file, *_dpd.config_line); - } - - sfPolicyUserPolicySet (dcerpc_config, policy_id); - pPolicyConfig = (DceRpcConfig *)sfPolicyUserDataGetCurrent(dcerpc_config); - if (pPolicyConfig != NULL) - { - DynamicPreprocessorFatalMessage("%s(%d) => Can only configure dcerpc " - "preprocessor once.\n", *_dpd.config_file, *_dpd.config_line); - } - - if (_dpd.isPreprocEnabled(PP_DCE2)) - { - DynamicPreprocessorFatalMessage("%s(%d) => dcerpc: Only one DCE/RPC preprocessor can be configured.\n", - *_dpd.config_file, *_dpd.config_line); - } - - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC,"Preprocessor: DCERPC Initialized\n");); - - pPolicyConfig = (DceRpcConfig *)calloc(1, sizeof(DceRpcConfig)); - if (pPolicyConfig == NULL) - { - DynamicPreprocessorFatalMessage("%s(%d) => Could not allocate memory " - "for dcerpc preprocessor configuration.\n"); - } - - sfPolicyUserDataSetCurrent(dcerpc_config, pPolicyConfig); - - /* Parse configuration */ - if (DCERPCProcessConf(pPolicyConfig, token, ErrorString, iErrStrLen)) - DynamicPreprocessorFatalMessage("%s(%d) => %s\n", *_dpd.config_file, 
*_dpd.config_line, ErrorString); - - /* Set the preprocessor function into the function list */ - _dpd.addPreproc(ProcessDCERPCPacket, PRIORITY_APPLICATION, PP_DCERPC, PROTO_BIT__TCP); - _dpd.addPreprocReassemblyPkt(DCERPC_GetReassemblyPkt, PP_DCERPC); - - _addPortsToStream5Filter(pPolicyConfig, policy_id); - -#ifdef TARGET_BASED - _addServicesToStream5Filter(policy_id); -#endif -} - -#if 0 -static void DCERPC_DisableDetect(SFSnortPacket *p) -{ - _dpd.disableAllDetect(p); - - _dpd.setPreprocBit(p, PP_SFPORTSCAN); - _dpd.setPreprocBit(p, PP_PERFMONITOR); - _dpd.setPreprocBit(p, PP_STREAM5); -} -#endif - -static void DCERPC_DisablePreprocessors(SFSnortPacket *p) -{ - _dpd.disablePreprocessors(p); - - _dpd.setPreprocBit(p, PP_SFPORTSCAN); - _dpd.setPreprocBit(p, PP_PERFMONITOR); - _dpd.setPreprocBit(p, PP_STREAM5); -} - - -/* - * Function: ProcessDCERPCPacket(void *) - * - * Purpose: Inspects the packet's payload for fragment records and - * converts them into one infragmented record. - * - * Arguments: p => pointer to the current packet data struct - * - * Returns: void function - * - */ -void ProcessDCERPCPacket(void *pkt, void *context) -{ - SFSnortPacket *p = (SFSnortPacket *)pkt; - uint32_t session_flags = 0; - PROFILE_VARS; - - /* no data to inspect */ - if (p->payload_size == 0) - return; - - /* check to make sure we're talking TCP and that the TWH has already - completed before processing anything */ - if(!IsTCP(p)) - { - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC,"It isn't TCP session traffic\n");); - return; - } - - if (p->stream_session_ptr == NULL) - return; - - session_flags = _dpd.streamAPI->get_session_flags(p->stream_session_ptr); - - if (session_flags & SSNFLAG_MIDSTREAM) - return; - - if (!(session_flags & SSNFLAG_ESTABLISHED)) - return; - - PREPROC_PROFILE_START(dcerpcPerfStats); - - if (DCERPCDecode(p)) - DCERPC_DisablePreprocessors(p); - - PREPROC_PROFILE_END(dcerpcPerfStats); -} - -/* - * Function: DCERPCCleanExitFunction(int, void *) - * - * Purpose: 
This function gets called when Snort is exiting, if there's - * any cleanup that needs to be performed (e.g. closing files) - * it should be done here. - * - * Arguments: signal => the code of the signal that was issued to Snort - * data => any arguments or data structs linked to this - * function when it was registered, may be - * needed to properly exit - * - * Returns: void function - */ -static void DCERPCCleanExitFunction(int signal, void *data) -{ - DCERPC_Exit(); - - if (dcerpc_config != NULL) - { - DceRpcFreeConfig(dcerpc_config); - dcerpc_config = NULL; - } -} - -static void DCERPCReset(int signal, void *data) -{ - return; -} - -static void DCERPCResetStats(int signal, void *data) -{ - return; -} - -static void _addPortsToStream5Filter(DceRpcConfig *config, tSfPolicyId policy_id) -{ - unsigned int portNum; - - if (config == NULL) - return; - - //smb ports - for (portNum = 0; portNum < MAXPORTS; portNum++) - { - if(config->SMBPorts[(portNum/8)] & (1<<(portNum%8))) - { - //Add port the port. Only TCP port is used - _dpd.streamAPI->set_port_filter_status - (IPPROTO_TCP, (uint16_t)portNum, PORT_MONITOR_SESSION, policy_id, 1); - } - } - - //dcerpc ports - for (portNum = 0; portNum < MAXPORTS; portNum++) - { - if(config->DCERPCPorts[(portNum/8)] & (1<<(portNum%8))) - { - //Add port the port. 
Only TCP port is used - _dpd.streamAPI->set_port_filter_status - (IPPROTO_TCP, (uint16_t)portNum, PORT_MONITOR_SESSION, policy_id, 1); - } - } -} -#ifdef TARGET_BASED -static void _addServicesToStream5Filter(tSfPolicyId policy_id) -{ - _dpd.streamAPI->set_service_filter_status - (_dce_proto_ids.dcerpc, PORT_MONITOR_SESSION, policy_id, 1); - - _dpd.streamAPI->set_service_filter_status - (_dce_proto_ids.nbss, PORT_MONITOR_SESSION, policy_id, 1); -} -#endif - -static int DCERPCCheckPolicyConfig( - tSfPolicyUserContextId config, - tSfPolicyId policyId, - void* pData - ) -{ - _dpd.setParserPolicy(policyId); - if (!_dpd.isPreprocEnabled(PP_STREAM5)) - DynamicPreprocessorFatalMessage("dcerpc: Stream5 must be enabled.\n"); - - return 0; -} - -static void DCERPCCheckConfig(void) -{ - sfPolicyUserDataIterate (dcerpc_config, DCERPCCheckPolicyConfig); -} - -#ifdef SNORT_RELOAD -static void DCERPCReload(char *args) -{ - tSfPolicyId policy_id = _dpd.getParserPolicy(); - char ErrorString[ERRSTRLEN]; - int iErrStrLen = ERRSTRLEN - 1; - char *token = strtok(args, CONF_SEPARATORS); - DceRpcConfig * pPolicyConfig = NULL; - - ErrorString[ERRSTRLEN - 1] = '\0'; - - if (dcerpc_swap_config == NULL) - { - //create a context - dcerpc_swap_config = sfPolicyConfigCreate(); - if (dcerpc_swap_config == NULL) - { - DynamicPreprocessorFatalMessage("%s(%d) => Could not allocate memory " - "for dcerpc preprocessor configuration.\n"); - } - - if (_dpd.streamAPI == NULL) - { - DynamicPreprocessorFatalMessage("%s(%d) => dcerpc: Stream5 must be enabled.\n", - *_dpd.config_file, *_dpd.config_line); - } - - _dpd.addPreprocReloadVerify(DCERPCVerifyReload); - } - - if ((policy_id != _dpd.getDefaultPolicy()) - && (sfPolicyUserDataGetDefault(dcerpc_swap_config) == NULL)) - { - DynamicPreprocessorFatalMessage("%s(%d) => Must configure dcerpc in " - "default policy if using in other policies.\n", - *_dpd.config_file, *_dpd.config_line); - } - - sfPolicyUserPolicySet (dcerpc_swap_config, policy_id); - 
pPolicyConfig = (DceRpcConfig *)sfPolicyUserDataGetCurrent(dcerpc_swap_config); - if (pPolicyConfig != NULL) - { - DynamicPreprocessorFatalMessage("%s(%d) => Can only configure dcerpc " - "preprocessor once.\n", *_dpd.config_file, *_dpd.config_line); - } - - if (_dpd.isPreprocEnabled(PP_DCE2)) - { - DynamicPreprocessorFatalMessage("%s(%d) => dcerpc: Only one DCE/RPC preprocessor can be configured.\n", - *_dpd.config_file, *_dpd.config_line); - } - - DEBUG_WRAP(DebugMessage(DEBUG_DCERPC,"Preprocessor: DCERPC Initialized\n");); - - pPolicyConfig = (DceRpcConfig *)calloc(1, sizeof(DceRpcConfig)); - if (pPolicyConfig == NULL) - { - DynamicPreprocessorFatalMessage("%s(%d) => Could not allocate memory " - "for dcerpc preprocessor configuration.\n"); - } - - sfPolicyUserDataSetCurrent(dcerpc_swap_config, pPolicyConfig); - - /* Parse configuration */ - if (DCERPCProcessConf(pPolicyConfig, token, ErrorString, iErrStrLen)) - DynamicPreprocessorFatalMessage("%s(%d) => %s\n", *_dpd.config_file, *_dpd.config_line, ErrorString); - - _dpd.addPreproc(ProcessDCERPCPacket, PRIORITY_APPLICATION, PP_DCERPC, PROTO_BIT__TCP); - -#ifdef TARGET_BASED - _addServicesToStream5Filter(policy_id); -#endif - - _addPortsToStream5Filter(pPolicyConfig, policy_id); -} - -static int DCERPCVerifyReload(void) -{ - DceRpcConfig *config = NULL; - DceRpcConfig *configNext = NULL; - - if (dcerpc_config != NULL) - { - config = (DceRpcConfig *)sfPolicyUserDataGet(dcerpc_config, _dpd.getDefaultPolicy()); - } - - if (dcerpc_swap_config != NULL) - { - configNext = (DceRpcConfig *)sfPolicyUserDataGet(dcerpc_swap_config, _dpd.getDefaultPolicy()); - } - - if ((configNext == NULL) || (config == NULL)) - { - return 0; - } - - if (!_dpd.isPreprocEnabled(PP_STREAM5)) - DynamicPreprocessorFatalMessage("dcerpc: Stream5 must be enabled.\n"); - - if (configNext->memcap != config->memcap) - { - _dpd.errMsg("DCERPC reload: Changing the memcap requires a restart.\n"); - DceRpcFreeConfig(dcerpc_swap_config); - 
dcerpc_swap_config = NULL; - return -1; - } - - return 0; -} - -static int DceRPCReloadSwapPolicy( - tSfPolicyUserContextId config, - tSfPolicyId policyId, - void* pData - ) -{ - DceRpcConfig *pPolicyConfig = (DceRpcConfig *)pData; - - //do any housekeeping before freeing DceRpcConfig - if (pPolicyConfig->ref_count == 0) - { - sfPolicyUserDataClear (config, policyId); - free(pPolicyConfig); - } - return 0; -} - -static void * DCERPCReloadSwap(void) -{ - tSfPolicyUserContextId old_config = dcerpc_config; - - if (dcerpc_swap_config == NULL) - return NULL; - - dcerpc_config = dcerpc_swap_config; - dcerpc_swap_config = NULL; - - sfPolicyUserDataIterate (old_config, DceRPCReloadSwapPolicy); - - if (sfPolicyUserPolicyGetActive(old_config) != 0) - return (void *)old_config; - - return NULL; -} - -static void DCERPCReloadSwapFree(void *data) -{ - if (data == NULL) - return; - - DceRpcFreeConfig((tSfPolicyUserContextId)data); -} -#endif diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/spp_dcerpc.h snort-2.9.2/src/dynamic-preprocessors/dcerpc/spp_dcerpc.h --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc/spp_dcerpc.h 2009-05-06 22:28:50.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc/spp_dcerpc.h 1970-01-01 00:00:00.000000000 +0000 
@@ -1,37 +0,0 @@
-/*
- * spp_dcerpc.h
- *
- * Copyright (C) 2004-2009 Sourcefire, Inc.
- * Steven A. Sturges
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License Version 2 as
- * published by the Free Software Foundation. You may not use, modify or
- * distribute this program under any other version of the GNU General
- * Public License.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Description:
- *
- * This file defines the publicly available functions for the SMB
- * functionality for Snort.
- *
- * NOTES:
- * - 08.12.04: Initial Development. SAS
- *
- */
-
-#ifndef __SPP_DCERPC_H__
-#define __SPP_DCERPC_H__
-
-void SetupDCERPC(void);
-
-#endif /* __SPP_DCERPC_H__ */
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_cl.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_cl.c
--- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_cl.c 2009-07-07 15:37:05.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_cl.c 2011-06-08 00:33:11.000000000 +0000
@@ -1,5 +1,5 @@
 /****************************************************************************
- * Copyright (C) 2008-2009 Sourcefire, Inc.
+ * Copyright (C) 2008-2011 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
@@ -27,6 +27,11 @@ * ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "dce2_cl.h" #include "snort_dce2.h" #include "dce2_list.h" @@ -37,7 +42,7 @@ #include "dce2_event.h" #include "dcerpc.h" #include "sf_types.h" -#include "debug.h" +#include "snort_debug.h" #include "profiler.h" #include "sf_snort_packet.h" #include "sf_dynamic_preprocessor.h" @@ -50,7 +55,6 @@ /******************************************************************** * Extern variables ********************************************************************/ -extern DynamicPreprocessorData _dpd; extern DCE2_Stats dce2_stats; extern char *dce2_pdu_types[DCERPC_PDU_TYPE__MAX]; @@ -121,7 +125,7 @@ static void DCE2_ClFragReassemble(DCE2_SsnData*, DCE2_ClActTracker *, const DceRpcClHdr *); static void DCE2_ClResetFragTracker(DCE2_ClFragTracker *); -static INLINE void DCE2_ClSetRdata(DCE2_ClActTracker *, const DceRpcClHdr *, uint8_t *, uint16_t); +static inline void DCE2_ClSetRdata(DCE2_ClActTracker *, const DceRpcClHdr *, uint8_t *, uint16_t); /* Callbacks */ static int DCE2_ClFragCompare(const void *, const void *); @@ -172,7 +176,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_ClSetRdata(DCE2_ClActTracker *at, const DceRpcClHdr *pkt_cl_hdr, +static inline void DCE2_ClSetRdata(DCE2_ClActTracker *at, const DceRpcClHdr *pkt_cl_hdr, uint8_t *cl_ptr, uint16_t stub_len) { DCE2_ClFragTracker *ft = &at->frag_tracker; @@ -392,7 +396,7 @@ * Pointer to the connectionless header in the packet. * * Returns: - * DCE2_ClActTracker * + * DCE2_ClActTracker * * A valid pointer to an activity tracker on success. * NULL on error. * 
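Review bot: `#include "sf_types.h"` is added near the top of dce2_cl.c by the first hunk while the pre-existing `#include "sf_types.h"` is still present further down (it appears as context in the second hunk, just above the `debug.h` to `snort_debug.h` rename), so the header is now pulled in twice. Harmless if the header is guarded, but the lower include could be dropped in the same change to keep the include list tidy and to make the new top-of-file ordering the only one.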
@@ -413,7 +417,7 @@ { /* Create a new activity tracker list */ clt->act_trackers = DCE2_ListNew(DCE2_LIST_TYPE__SPLAYED, DCE2_UuidCompare, - DCE2_ClActDataFree, DCE2_ClActKeyFree, + DCE2_ClActDataFree, DCE2_ClActKeyFree, DCE2_LIST_FLAG__NO_DUPS, DCE2_MEM_TYPE__CL_ACT); if (clt->act_trackers == NULL) return NULL; @@ -513,7 +517,7 @@ at->seq_num = seq_num; at->seq_num_invalid = 0; - /* If there are any fragments, the new sequence number invalidates + /* If there are any fragments, the new sequence number invalidates * all of the frags that might be currently stored. */ DCE2_ClResetFragTracker(&at->frag_tracker); } @@ -634,7 +638,7 @@ /* Create new list if we don't have one already */ ft->frags = DCE2_ListNew(DCE2_LIST_TYPE__SORTED, DCE2_ClFragCompare, DCE2_ClFragDataFree, NULL, DCE2_LIST_FLAG__NO_DUPS | DCE2_LIST_FLAG__INS_TAIL, - DCE2_MEM_TYPE__CL_FRAG); + DCE2_MEM_TYPE__CL_FRAG); if (ft->frags == NULL) { @@ -940,7 +944,7 @@ /******************************************************************** * Function: DCE2_ClCleanTracker() * - * Destroys all the activity tracker list, which cleans out and + * Destroys all the activity tracker list, which cleans out and * frees all data associated with each activity tracker in the * list. * @@ -977,7 +981,7 @@ static void DCE2_ClActDataFree(void *data) { DCE2_ClActTracker *at = (DCE2_ClActTracker *)data; - + if (at == NULL) return; diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_cl.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_cl.h --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_cl.h 2009-01-26 16:26:13.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_cl.h 2011-02-09 23:23:12.000000000 +0000 
@@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_co.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_co.c --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_co.c 2009-10-02 20:29:57.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_co.c 2011-10-26 18:28:52.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -23,9 +23,14 @@ * Sets appropriate data for use with the preprocessor rule options. * * 8/17/2008 - Initial implementation ... Todd Wease - * + * ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "dce2_co.h" #include "dce2_tcp.h" #include "dce2_smb.h" @@ -54,7 +59,6 @@ /******************************************************************** * Extern variables ********************************************************************/ -extern DynamicPreprocessorData _dpd; extern DCE2_Stats dce2_stats; extern char *dce2_pdu_types[DCERPC_PDU_TYPE__MAX]; 
@@ -121,33 +125,35 @@ const DceRpcCoHdr *, const uint8_t *, uint16_t); static void DCE2_CoHandleFrag(DCE2_SsnData *, DCE2_CoTracker *, const DceRpcCoHdr *, const uint8_t *, uint16_t); -static INLINE DCE2_Ret DCE2_CoHandleSegmentation(DCE2_CoSeg *, const uint8_t *, - uint16_t, uint16_t, uint16_t *); +static inline DCE2_Ret DCE2_CoHandleSegmentation( + DCE2_CoSeg *, const uint8_t *, uint16_t, uint16_t, uint16_t *, int); static void DCE2_CoReassemble(DCE2_SsnData *, DCE2_CoTracker *, DCE2_CoRpktType); -static INLINE void DCE2_CoFragReassemble(DCE2_SsnData *, DCE2_CoTracker *); -static INLINE void DCE2_CoSegReassemble(DCE2_SsnData *, DCE2_CoTracker *); +static inline void DCE2_CoFragReassemble(DCE2_SsnData *, DCE2_CoTracker *); +static inline void DCE2_CoSegReassemble(DCE2_SsnData *, DCE2_CoTracker *); static DCE2_Ret DCE2_CoSetIface(DCE2_SsnData *, DCE2_CoTracker *, uint16_t); static int DCE2_CoCtxCompare(const void *, const void *); static void DCE2_CoCtxFree(void *); -static INLINE void DCE2_CoSetRopts(DCE2_SsnData *, DCE2_CoTracker *, const DceRpcCoHdr *); -static INLINE void DCE2_CoSetRdata(DCE2_SsnData *, DCE2_CoTracker *, uint8_t *, uint16_t); -static INLINE void DCE2_CoResetFragTracker(DCE2_CoFragTracker *); -static INLINE void DCE2_CoResetTracker(DCE2_CoTracker *); -static INLINE void DCE2_CoResetForMissedPkts(DCE2_CoTracker *); -static INLINE DCE2_Ret DCE2_CoInitCtxStorage(DCE2_CoTracker *); -static INLINE int DCE2_CoAutodetect(const uint8_t *, uint16_t); -static INLINE void DCE2_CoEraseCtxIds(DCE2_CoTracker *); -static INLINE void DCE2_CoSegAlert(DCE2_SsnData *, DCE2_CoTracker *, DCE2_Event); -static INLINE SFSnortPacket * DCE2_CoGetSegRpkt(DCE2_SsnData *, const uint8_t *, uint32_t); -static INLINE DCE2_RpktType DCE2_CoGetRpktType(DCE2_SsnData *, DCE2_BufType); +static inline void DCE2_CoSetRopts(DCE2_SsnData *, DCE2_CoTracker *, const DceRpcCoHdr *); +static inline void DCE2_CoSetRdata(DCE2_SsnData *, DCE2_CoTracker *, uint8_t *, uint16_t); +static inline 
void DCE2_CoResetFragTracker(DCE2_CoFragTracker *); +static inline void DCE2_CoResetTracker(DCE2_CoTracker *); +static inline void DCE2_CoResetForMissedPkts(DCE2_CoTracker *); +static inline DCE2_Ret DCE2_CoInitCtxStorage(DCE2_CoTracker *); +static inline int DCE2_CoAutodetect(const uint8_t *, uint16_t); +static inline void DCE2_CoEraseCtxIds(DCE2_CoTracker *); +static inline void DCE2_CoSegAlert(DCE2_SsnData *, DCE2_CoTracker *, DCE2_Event); +static inline SFSnortPacket * DCE2_CoGetSegRpkt(DCE2_SsnData *, const uint8_t *, uint32_t); +static inline DCE2_RpktType DCE2_CoGetRpktType(DCE2_SsnData *, DCE2_BufType); static SFSnortPacket * DCE2_CoGetRpkt(DCE2_SsnData *, DCE2_CoTracker *, DCE2_CoRpktType, DCE2_RpktType *); -static INLINE DCE2_CoSeg * DCE2_CoGetSegPtr(DCE2_SsnData *, DCE2_CoTracker *); -static INLINE DCE2_Buffer * DCE2_CoGetFragBuf(DCE2_SsnData *, DCE2_CoFragTracker *); -static INLINE int DCE2_CoIsSegBuf(DCE2_SsnData *, DCE2_CoTracker *, const uint8_t *); +static inline DCE2_CoSeg * DCE2_CoGetSegPtr(DCE2_SsnData *, DCE2_CoTracker *); +static inline DCE2_Buffer * DCE2_CoGetFragBuf(DCE2_SsnData *, DCE2_CoFragTracker *); +static inline int DCE2_CoIsSegBuf(DCE2_SsnData *, DCE2_CoTracker *, const uint8_t *); static void DCE2_CoEarlyReassemble(DCE2_SsnData *, DCE2_CoTracker *); static DCE2_Ret DCE2_CoSegEarlyRequest(DCE2_CoTracker *, const uint8_t *, uint32_t); +static int DCE2_CoGetAuthLen(DCE2_SsnData *, const DceRpcCoHdr *, + const uint8_t *, uint16_t); /******************************************************************** * Function: DCE2_CoInitRdata() 
@@ -190,16 +196,16 @@ * Arguments: * DCE2_CoTracker * * Pointer to the relevant connection-oriented tracker. - * uint8_t * + * uint8_t * * Pointer to the place in the reassembly packet where the * header starts. - * uint16_t + * uint16_t * The length of the stub data. * * Returns: None * ********************************************************************/ -static INLINE void DCE2_CoSetRdata(DCE2_SsnData *sd, DCE2_CoTracker *cot, +static inline void DCE2_CoSetRdata(DCE2_SsnData *sd, DCE2_CoTracker *cot, uint8_t *co_ptr, uint16_t stub_len) { DceRpcCoHdr *co_hdr = (DceRpcCoHdr *)co_ptr; @@ -303,7 +309,7 @@ { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CO, "Not enough data in packet for CO header.\n")); - DCE2_CoHandleSegmentation(seg, data_ptr, data_len, sizeof(DceRpcCoHdr), &data_used); + DCE2_CoHandleSegmentation(seg, data_ptr, data_len, sizeof(DceRpcCoHdr), &data_used, 1); /* Just break out of loop in case early detect is enabled */ break; @@ -322,7 +328,7 @@ /* Set frag length so we don't have to check it again in seg code */ seg->frag_len = frag_len; - DCE2_CoHandleSegmentation(seg, data_ptr, data_len, frag_len, &data_used); + DCE2_CoHandleSegmentation(seg, data_ptr, data_len, frag_len, &data_used, 1); break; } @@ -335,10 +341,15 @@ * since we'll detect on reassembled */ if (!DCE2_GcDceDefrag() || ((num_frags == 1) && !co_reassembled)) DCE2_Detect(sd); + + /* Reset if this is a last frag */ + if (DceRpcCoLastFrag((DceRpcCoHdr *)frag_ptr)) + num_frags = 0; } else /* We've already buffered data */ { uint16_t data_used; + int append = 0; DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CO, "Segmentation buffer has %u bytes\n", DCE2_BufferLength(seg->buf))); 
@@ -346,7 +357,8 @@ /* Need more data to get header */ if (DCE2_BufferLength(seg->buf) < sizeof(DceRpcCoHdr)) { - status = DCE2_CoHandleSegmentation(seg, data_ptr, data_len, sizeof(DceRpcCoHdr), &data_used); + append = 1; + status = DCE2_CoHandleSegmentation(seg, data_ptr, data_len, sizeof(DceRpcCoHdr), &data_used, append); /* Still not enough for header */ if (status != DCE2_RET__SUCCESS) @@ -357,8 +369,21 @@ if (DCE2_CoHdrChecks(sd, cot, (DceRpcCoHdr *)DCE2_BufferData(seg->buf)) != DCE2_RET__SUCCESS) { - DCE2_BufferEmpty(seg->buf); - return; + int data_back; + DCE2_BufferEmpty(seg->buf); + /* Move back to original packet header */ + data_back = -data_used; + DCE2_MOVE(data_ptr, data_len, data_back); + /*Check the original packet*/ + if (DCE2_CoHdrChecks(sd, cot, (DceRpcCoHdr *)data_ptr) != DCE2_RET__SUCCESS) + return; + else + { + /*Only use the original packet, ignore the data in seg_buffer*/ + num_frags = 0; + continue; + } + } seg->frag_len = DceRpcCoFragLen((DceRpcCoHdr *)DCE2_BufferData(seg->buf)); @@ -367,7 +392,7 @@ /* Need more data for full pdu */ if (DCE2_BufferLength(seg->buf) < seg->frag_len) { - status = DCE2_CoHandleSegmentation(seg, data_ptr, data_len, seg->frag_len, &data_used); + status = DCE2_CoHandleSegmentation(seg, data_ptr, data_len, seg->frag_len, &data_used, append); /* Still not enough */ if (status != DCE2_RET__SUCCESS) @@ -376,8 +401,16 @@ DCE2_MOVE(data_ptr, data_len, data_used); } + /* Do this before calling DCE2_CoSegDecode since it will empty + * seg buffer */ + if (DceRpcCoLastFrag((DceRpcCoHdr *)seg->buf->data)) + num_frags = 0; + /* Got the full DCE/RPC pdu. Need to create new packet before decoding */ DCE2_CoSegDecode(sd, cot, seg); + + if ( !data_used ) + break; } } @@ -389,7 +422,7 @@ * Function: DCE2_CoHandleSegmentation() * * Wrapper around DCE2_HandleSegmentation() to allocate a new - * buffer object if necessary. + * buffer object if necessary. * * Arguments: * DCE2_CoSeg * 
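Review bot: The fallback added after the failed header check re-runs `DCE2_CoHdrChecks` on `(DceRpcCoHdr *)data_ptr` right after `DCE2_MOVE(data_ptr, data_len, data_back)` rewinds to the start of the packet, but nothing confirms that the rewound `data_len` is at least `sizeof(DceRpcCoHdr)`; the buffered segment was shorter than a header, so the packet on its own may be shorter than one too, and the checks visible in the next hunks appear to read `frag_len` and the version fields from the header before any size comparison, which would read past the payload. A guard such as `if (data_len < sizeof(DceRpcCoHdr)) return;` between the rewind and the re-check would keep the read inside the packet. Stepping backwards by passing a negative `int` into `DCE2_MOVE` also deserves a short comment, since the macro's length argument is not visible here and a reader has to trust that it tolerates a negative delta. The later hunk in this range reads `seg->buf->data` directly where the surrounding lines use `DCE2_BufferData(seg->buf)`; using the accessor would be consistent. The enclosing function starts and ends outside these hunks.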
@@ -405,6 +438,8 @@ * Pointer to basically a return value for the amount of * data in the packet that was actually used for * desegmentation. + * int + * bool is true if we must append. * * Returns: * DCE2_Ret @@ -417,11 +452,14 @@ * i.e. the need length was met. * ********************************************************************/ -static INLINE DCE2_Ret DCE2_CoHandleSegmentation(DCE2_CoSeg *seg, const uint8_t *data_ptr, - uint16_t data_len, uint16_t need_len, uint16_t *data_used) +static inline DCE2_Ret DCE2_CoHandleSegmentation( + DCE2_CoSeg *seg, const uint8_t *data_ptr, + uint16_t data_len, uint16_t need_len, + uint16_t *data_used, int append) { DCE2_Ret status; PROFILE_VARS; + uint32_t offset; PREPROC_PROFILE_START(dce2_pstat_co_seg); @@ -446,7 +484,10 @@ DCE2_BufferSetMinAllocSize(seg->buf, need_len); } - status = DCE2_HandleSegmentation(seg->buf, data_ptr, data_len, need_len, data_used); + offset = DCE2_GetWriteOffset(need_len, append); + + status = DCE2_HandleSegmentation( + seg->buf, data_ptr, data_len, offset, need_len, data_used); PREPROC_PROFILE_END(dce2_pstat_co_seg); @@ -481,7 +522,9 @@ if (frag_len < sizeof(DceRpcCoHdr)) { - if (!DCE2_SsnAutodetected(sd)) + /* Assume we autodetected incorrectly or that DCE/RPC is not running + * over the SMB named pipe */ + if (!DCE2_SsnAutodetected(sd) && (sd->trans != DCE2_TRANS_TYPE__SMB)) { if (is_seg_buf) DCE2_CoSegAlert(sd, cot, DCE2_EVENT__CO_FLEN_LT_HDR); @@ -494,7 +537,7 @@ if (DceRpcCoVersMaj(co_hdr) != DCERPC_PROTO_MAJOR_VERS__5) { - if (!DCE2_SsnAutodetected(sd)) + if (!DCE2_SsnAutodetected(sd) && (sd->trans != DCE2_TRANS_TYPE__SMB)) { if (is_seg_buf) DCE2_CoSegAlert(sd, cot, DCE2_EVENT__CO_BAD_MAJ_VERSION); @@ -507,7 +550,7 @@ if (DceRpcCoVersMin(co_hdr) != DCERPC_PROTO_MINOR_VERS__0) { - if (!DCE2_SsnAutodetected(sd)) + if (!DCE2_SsnAutodetected(sd) && (sd->trans != DCE2_TRANS_TYPE__SMB)) { if (is_seg_buf) DCE2_CoSegAlert(sd, cot, DCE2_EVENT__CO_BAD_MIN_VERSION); 
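Review bot: The same `!DCE2_SsnAutodetected(sd) && (sd->trans != DCE2_TRANS_TYPE__SMB)` condition is now repeated in four hunks of what appears to be the connection-oriented header-check routine (the `frag_len`, major version, minor version and, at the top of the next line, `pdu_type` checks), and only the first carries the comment explaining why SMB is exempt. Computing it once at the top of that function, `int alertable = !DCE2_SsnAutodetected(sd) && (sd->trans != DCE2_TRANS_TYPE__SMB);`, and testing `if (alertable)` in each branch keeps the four sites from drifting and gives the rationale a single home. That comment should also spell out the effect: when SMB is the transport, `DCE2_EVENT__CO_FLEN_LT_HDR`, `DCE2_EVENT__CO_BAD_MAJ_VERSION`, `DCE2_EVENT__CO_BAD_MIN_VERSION` and `DCE2_EVENT__CO_BAD_PDU_TYPE` are no longer raised from these checks, a deliberate reduction in visibility into malformed PDUs on named pipes that operators tuning the preprocessor will want to know about. The function's start and end lie outside these hunks.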
@@ -520,7 +563,7 @@ if (pdu_type >= DCERPC_PDU_TYPE__MAX) { - if (!DCE2_SsnAutodetected(sd)) + if (!DCE2_SsnAutodetected(sd) && (sd->trans != DCE2_TRANS_TYPE__SMB)) { if (is_seg_buf) DCE2_CoSegAlert(sd, cot, DCE2_EVENT__CO_BAD_PDU_TYPE); @@ -545,7 +588,7 @@ (pdu_type == DCERPC_PDU_TYPE__REQUEST) && ((int)frag_len < ((int)cot->max_xmit_frag - DCE2_MAX_XMIT_SIZE_FUZZ))) { - /* If client needs to fragment the DCE/RPC request, it shouldn't be less than the + /* If client needs to fragment the DCE/RPC request, it shouldn't be less than the * maximum xmit size negotiated. Only if it's not a last fragment. Make this alert * only if it is considerably less - have seen legitimate fragments that are just * slightly less the negotiated fragment size. */ @@ -568,7 +611,7 @@ * Main processing for the DCE/RPC pdu types. Most are not * implemented as, currently, they are not necessary and only * stats are kept for them. Important are the bind, alter context - * and request. + * and request. * * Arguments: * DCE2_SsnData * @@ -702,6 +745,8 @@ case DCE2_POLICY__WIN2003: case DCE2_POLICY__WINXP: case DCE2_POLICY__WINVISTA: + case DCE2_POLICY__WIN2008: + case DCE2_POLICY__WIN7: DCE2_CoEraseCtxIds(cot); break; @@ -803,6 +848,8 @@ case DCE2_POLICY__WIN2003: case DCE2_POLICY__WINXP: case DCE2_POLICY__WINVISTA: + case DCE2_POLICY__WIN2008: + case DCE2_POLICY__WIN7: /* Windows will not accept more than one bind */ if (!DCE2_ListIsEmpty(cot->ctx_ids)) { @@ -817,6 +864,7 @@ break; case DCE2_POLICY__SAMBA: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA_3_0_22: if (cot->got_bind) return; @@ -826,7 +874,7 @@ case DCE2_POLICY__SAMBA_3_0_20: /* Accepts multiple binds */ break; - + default: DCE2_Log(DCE2_LOG_TYPE__ERROR, "%s(%d) Invalid policy: %d", 
@@ -883,6 +931,8 @@ case DCE2_POLICY__WIN2003: case DCE2_POLICY__WINXP: case DCE2_POLICY__WINVISTA: + case DCE2_POLICY__WIN2008: + case DCE2_POLICY__WIN7: /* Windows will not accept an alter context before * bind and will bind_nak it */ if (DCE2_ListIsEmpty(cot->ctx_ids)) @@ -898,6 +948,7 @@ break; case DCE2_POLICY__SAMBA: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA_3_0_22: case DCE2_POLICY__SAMBA_3_0_20: /* Nothing for Samba */ @@ -1052,9 +1103,10 @@ switch (policy) { - case DCE2_POLICY__SAMBA_3_0_20: - case DCE2_POLICY__SAMBA_3_0_22: case DCE2_POLICY__SAMBA: + case DCE2_POLICY__SAMBA_3_0_37: + case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_20: /* Samba only ever looks at one context item. Not sure * if this is an alertable offense */ return; @@ -1232,6 +1284,8 @@ case DCE2_POLICY__WIN2003: case DCE2_POLICY__WINXP: case DCE2_POLICY__WINVISTA: + case DCE2_POLICY__WIN2008: + case DCE2_POLICY__WIN7: if (ctx_node->state == DCE2_CO_CTX_STATE__REJECTED) break; @@ -1246,9 +1300,10 @@ break; - case DCE2_POLICY__SAMBA_3_0_20: - case DCE2_POLICY__SAMBA_3_0_22: case DCE2_POLICY__SAMBA: + case DCE2_POLICY__SAMBA_3_0_37: + case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_20: /* Samba actually alters the context. Windows keeps the old */ if (ctx_node->state != DCE2_CO_CTX_STATE__REJECTED) { @@ -1294,7 +1349,7 @@ * If it's a first/last fragment, set relevant rule option * data and return. If it's a true fragment, do some target * based futzing to set the right opnum and context id for - * the to be reassembled packet. + * the to be reassembled packet. * * Arguments: * DCE2_SsnData * 
@@ -1332,9 +1387,15 @@ switch (policy) { - case DCE2_POLICY__SAMBA_3_0_20: - case DCE2_POLICY__SAMBA_3_0_22: + /* After 3.0.37 up to 3.5.2 byte order of stub data is always + * interpreted as little endian */ case DCE2_POLICY__SAMBA: + cot->data_byte_order = DCERPC_BO_FLAG__LITTLE_ENDIAN; + break; + + case DCE2_POLICY__SAMBA_3_0_37: + case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_20: cot->data_byte_order = DceRpcCoByteOrder(co_hdr); break; @@ -1346,7 +1407,10 @@ DCE2_MOVE(frag_ptr, frag_len, req_size); /* If for some reason we had some fragments queued */ - if (DceRpcCoFirstFrag(co_hdr) && !DCE2_BufferIsEmpty(cot->frag_tracker.cli_frag_buf)) + if ( + DceRpcCoFirstFrag(co_hdr) && + !DceRpcCoLastFrag(co_hdr) && + !DCE2_BufferIsEmpty(cot->frag_tracker.cli_frag_buf)) { DCE2_CoFragReassemble(sd, cot); DCE2_BufferEmpty(cot->frag_tracker.cli_frag_buf); @@ -1360,21 +1424,29 @@ if (DceRpcCoFirstFrag(co_hdr) && DceRpcCoLastFrag(co_hdr)) { + int auth_len = DCE2_CoGetAuthLen(sd, co_hdr, frag_ptr, frag_len); DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CO, "First and last fragment.\n")); + if (auth_len == -1) + return; DCE2_CoSetRopts(sd, cot, co_hdr); } else { DCE2_CoFragTracker *ft = &cot->frag_tracker; - uint16_t auth_len = DceRpcCoAuthLen(co_hdr); + int auth_len = DCE2_CoGetAuthLen(sd, co_hdr, frag_ptr, frag_len); dce2_stats.co_req_fragments++; +#ifdef DEBUG_MSGS DCE2_DEBUG_CODE(DCE2_DEBUG__CO, if (DceRpcCoFirstFrag(co_hdr)) DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CO, "First fragment.\n")); else if (DceRpcCoLastFrag(co_hdr)) DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CO, "Last fragment.\n")); else DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CO, "Middle fragment.\n")); DCE2_PrintPktData(frag_ptr, frag_len);); +#endif + + if (auth_len == -1) + return; if (DCE2_BufferIsEmpty(ft->cli_frag_buf)) { 
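Review bot: The byte-order switch added in the @@ -1332 hunk is duplicated verbatim in the @@ -1547 hunk on the next line for the response path, but only this copy carries the `After 3.0.37 up to 3.5.2 ...` comment. Factor it into one helper taking `cot`, `co_hdr` and `policy`, so the Samba-version rule cannot drift between request and response handling. The comment also sits inside the switch above `case DCE2_POLICY__SAMBA:`; placing it on the `cot->data_byte_order = DCERPC_BO_FLAG__LITTLE_ENDIAN;` line makes it clearer which case it explains.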
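Review bot: Adding `!DceRpcCoLastFrag(co_hdr)` to the guard in the @@ -1346 hunk means a complete (first and last) request arriving while `cot->frag_tracker.cli_frag_buf` still holds leftover fragments no longer reassembles or empties them; as far as the visible code goes, the first/last branch below never touches the fragment buffer, so those bytes stay queued and are prepended to the next fragmented request. If skipping the flush for single-fragment pdus is intended, say so where the comment now reads `If for some reason we had some fragments queued`; otherwise keep the `DCE2_BufferEmpty(cot->frag_tracker.cli_frag_buf);` for that case and skip only the reassembly. The enclosing function starts before this hunk.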
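Review bot: In the @@ -1360 hunk both branches return on `auth_len == -1` before `DCE2_CoSetRopts`, and DCE2_CoGetAuthLen (added at the end of this file) returns -1 both for a bogus auth length, which it alerts on, and for `DCERPC_CO_AUTH_LEVEL__PKT_PRIVACY`, which it does not; the caller therefore cannot tell a malformed pdu from an encrypted one it merely chose not to inspect. A comment on each `if (auth_len == -1) return;` such as `/* bogus auth length (already alerted) or encrypted stub data: nothing to inspect */` would record that this is deliberate. The `#ifdef DEBUG_MSGS` wrapper around `DCE2_DEBUG_CODE(...)` looks like it duplicates what that macro already guards, though the macro definition is not shown here.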
@@ -1415,13 +1487,16 @@ case DCE2_POLICY__WIN2003: case DCE2_POLICY__WINXP: case DCE2_POLICY__SAMBA: - case DCE2_POLICY__SAMBA_3_0_20: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_20: if (DceRpcCoLastFrag(co_hdr)) ft->opnum = cot->opnum; break; case DCE2_POLICY__WINVISTA: + case DCE2_POLICY__WIN2008: + case DCE2_POLICY__WIN7: if (DceRpcCoFirstFrag(co_hdr)) ft->opnum = cot->opnum; break; @@ -1440,6 +1515,8 @@ case DCE2_POLICY__WIN2003: case DCE2_POLICY__WINXP: case DCE2_POLICY__WINVISTA: + case DCE2_POLICY__WIN2008: + case DCE2_POLICY__WIN7: if (DceRpcCoFirstFrag(co_hdr)) { ft->ctx_id = cot->ctx_id; @@ -1454,8 +1531,9 @@ break; case DCE2_POLICY__SAMBA: - case DCE2_POLICY__SAMBA_3_0_20: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_20: if (DceRpcCoLastFrag(co_hdr)) { ft->ctx_id = cot->ctx_id; @@ -1470,38 +1548,15 @@ break; } - /* Don't want to include authentication data in fragment */ - if (auth_len != 0) - { - DceRpcCoAuthVerifier *auth_hdr; - - auth_len += sizeof(DceRpcCoAuthVerifier); - - /* This means the auth len was bogus */ - if (auth_len > frag_len) - { - DCE2_Alert(sd, DCE2_EVENT__CO_FLEN_LT_SIZE, dce2_pdu_types[DceRpcCoPduType(co_hdr)], - frag_len, auth_len); - return; - } - - auth_hdr = (DceRpcCoAuthVerifier *)(frag_ptr + (frag_len - auth_len)); - auth_len += DceRpcCoAuthPad(auth_hdr); - - /* This means the auth pad len was bogus */ - if (auth_len > frag_len) - { - DCE2_Alert(sd, DCE2_EVENT__CO_FLEN_LT_SIZE, dce2_pdu_types[DceRpcCoPduType(co_hdr)], - frag_len, auth_len); - return; - } - } - DCE2_CoSetRopts(sd, cot, co_hdr); /* If we're configured to do defragmentation */ if (DCE2_GcDceDefrag()) - DCE2_CoHandleFrag(sd, cot, co_hdr, frag_ptr, (uint16_t)(frag_len - auth_len)); + { + /* Don't want to include authentication data in fragment */ + DCE2_CoHandleFrag(sd, cot, co_hdr, frag_ptr, + (uint16_t)(frag_len - (uint16_t)auth_len)); + } } } 
@@ -1547,9 +1602,13 @@ switch (policy) { - case DCE2_POLICY__SAMBA_3_0_20: - case DCE2_POLICY__SAMBA_3_0_22: case DCE2_POLICY__SAMBA: + cot->data_byte_order = DCERPC_BO_FLAG__LITTLE_ENDIAN; + break; + + case DCE2_POLICY__SAMBA_3_0_37: + case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_20: cot->data_byte_order = DceRpcCoByteOrder(co_hdr); break; @@ -1774,7 +1833,7 @@ if (DceRpcCoLastFrag(co_hdr) || (DCE2_BufferLength(frag_buf) == max_frag_data)) mflag = DCE2_BUFFER_MIN_ADD_FLAG__IGNORE; - status = DCE2_BufferAddData(frag_buf, frag_ptr, frag_len, mflag); + status = DCE2_BufferAddData(frag_buf, frag_ptr, frag_len, 0, mflag); if (status != DCE2_RET__SUCCESS) { @@ -1829,7 +1888,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_CoFragReassemble(DCE2_SsnData *sd, DCE2_CoTracker *cot) +static inline void DCE2_CoFragReassemble(DCE2_SsnData *sd, DCE2_CoTracker *cot) { DCE2_CoReassemble(sd, cot, DCE2_CO_RPKT_TYPE__FRAG); } @@ -1850,7 +1909,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_CoSegReassemble(DCE2_SsnData *sd, DCE2_CoTracker *cot) +static inline void DCE2_CoSegReassemble(DCE2_SsnData *sd, DCE2_CoTracker *cot) { DCE2_CoReassemble(sd, cot, DCE2_CO_RPKT_TYPE__SEG); } @@ -1888,6 +1947,9 @@ rpkt = DCE2_CoGetRpkt(sd, cot, co_rtype, &rpkt_type); if (rpkt == NULL) { + DCE2_Log(DCE2_LOG_TYPE__ERROR, + "%s(%d) Could not create DCE/RPC frag reassembled packet.\n", + __FILE__, __LINE__); PREPROC_PROFILE_END(dce2_pstat_co_reass); return; } 
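Review bot: The new error message in the @@ -1888 hunk says `Could not create DCE/RPC frag reassembled packet`, but DCE2_CoReassemble is reached from both DCE2_CoFragReassemble and DCE2_CoSegReassemble (the two wrappers just above it), so for the segmentation path the log text is wrong. Include the type instead: `"%s(%d) Could not create DCE/RPC reassembled packet (co_rtype %d).\n", __FILE__, __LINE__, (int)co_rtype`. The function body begins before the hunk.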
@@ -1979,9 +2041,9 @@ /******************************************************************** * Function: DCE2_CoSetIface() * - * Sets the interface UUID for the rules options. Looks in the + * Sets the interface UUID for the rules options. Looks in the * context id list. If nothing found there, it looks in the pending - * list (in case we never saw the server response because of + * list (in case we never saw the server response because of * missed packets) to see if something is there. * * Arguments: @@ -2147,7 +2209,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_CoResetFragTracker(DCE2_CoFragTracker *ft) +static inline void DCE2_CoResetFragTracker(DCE2_CoFragTracker *ft) { if (ft == NULL) return; @@ -2175,7 +2237,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_CoResetTracker(DCE2_CoTracker *cot) +static inline void DCE2_CoResetTracker(DCE2_CoTracker *cot) { if (cot == NULL) return; @@ -2202,7 +2264,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_CoResetForMissedPkts(DCE2_CoTracker *cot) +static inline void DCE2_CoResetForMissedPkts(DCE2_CoTracker *cot) { if (cot == NULL) return; @@ -2217,7 +2279,7 @@ /******************************************************************** * Function: DCE2_CoCleanTracker() * - * Destroys all dynamically allocated data associated with + * Destroys all dynamically allocated data associated with * connection-oriented tracker. * * Arguments: 
@@ -2267,13 +2329,13 @@ * uint16_t * Remaining length of the packet data. * - * Returns: + * Returns: * int * 1 if successfully autodetected * 0 if unsuccessful * ********************************************************************/ -static INLINE int DCE2_CoAutodetect(const uint8_t *data_ptr, uint16_t data_len) +static inline int DCE2_CoAutodetect(const uint8_t *data_ptr, uint16_t data_len) { if (data_len >= sizeof(DceRpcCoHdr)) { @@ -2304,7 +2366,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_CoEraseCtxIds(DCE2_CoTracker *cot) +static inline void DCE2_CoEraseCtxIds(DCE2_CoTracker *cot) { if (cot == NULL) return; @@ -2332,14 +2394,14 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_CoSegAlert(DCE2_SsnData *sd, DCE2_CoTracker *cot, DCE2_Event event) +static inline void DCE2_CoSegAlert(DCE2_SsnData *sd, DCE2_CoTracker *cot, DCE2_Event event) { SFSnortPacket *rpkt; DCE2_Buffer *buf; DceRpcCoHdr *co_hdr; uint16_t frag_len; DceRpcPduType pdu_type; - + if (DCE2_SsnFromClient(sd->wire_pkt)) buf = cot->cli_seg.buf; else @@ -2425,7 +2487,7 @@ * NULL on error. * ********************************************************************/ -static INLINE SFSnortPacket * DCE2_CoGetSegRpkt(DCE2_SsnData *sd, +static inline SFSnortPacket * DCE2_CoGetSegRpkt(DCE2_SsnData *sd, const uint8_t *data_ptr, uint32_t data_len) { SFSnortPacket *rpkt = NULL; @@ -2492,7 +2554,7 @@ * We were able to allocate and initialize new lists. * ********************************************************************/ -static INLINE DCE2_Ret DCE2_CoInitCtxStorage(DCE2_CoTracker *cot) +static inline DCE2_Ret DCE2_CoInitCtxStorage(DCE2_CoTracker *cot) { if (cot == NULL) return DCE2_RET__ERROR; 
@@ -2706,7 +2768,7 @@ DceRpcCoHdr *co_hdr = (DceRpcCoHdr *)seg_data; /* Don't use it if it's not a request and therefore doesn't - * belong with the frag data. This is an insanity check - + * belong with the frag data. This is an insanity check - * shouldn't have seg data that's not a request if there are * frags queued up */ if (DceRpcCoPduType(co_hdr) != DCERPC_PDU_TYPE__REQUEST) @@ -2801,7 +2863,11 @@ rpkt = DCE2_CoGetSegRpkt(sd, DCE2_BufferData(seg->buf), DCE2_BufferLength(seg->buf)); PREPROC_PROFILE_END(dce2_pstat_co_reass); - /* Done with this data */ + // FIXTHIS - don't toss data until success response to + // allow for retransmission of last segment of pdu. if + // we don't do it here 2 things break: + // (a) we can't alert on this packet; and + // (b) subsequent pdus aren't desegmented correctly. DCE2_BufferEmpty(seg->buf); if (rpkt == NULL) @@ -2838,7 +2904,6 @@ return; } - /* All is good. Decode the pdu */ DCE2_CoDecode(sd, cot, frag_ptr, frag_len); @@ -2869,7 +2934,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_CoSetRopts(DCE2_SsnData *sd, DCE2_CoTracker *cot, const DceRpcCoHdr *co_hdr) +static inline void DCE2_CoSetRopts(DCE2_SsnData *sd, DCE2_CoTracker *cot, const DceRpcCoHdr *co_hdr) { DCE2_CoFragTracker *ft = &cot->frag_tracker; int opnum = (ft->opnum != DCE2_SENTINEL) ? ft->opnum : cot->opnum; @@ -2909,7 +2974,7 @@ * given the transport and buffer type. * ********************************************************************/ -static INLINE DCE2_RpktType DCE2_CoGetRpktType(DCE2_SsnData *sd, DCE2_BufType btype) +static inline DCE2_RpktType DCE2_CoGetRpktType(DCE2_SsnData *sd, DCE2_BufType btype) { DCE2_RpktType rtype = DCE2_RPKT_TYPE__NULL; @@ -2932,7 +2997,6 @@ __FILE__, __LINE__, btype); break; } - break; case DCE2_TRANS_TYPE__TCP: @@ -2954,7 +3018,6 @@ __FILE__, __LINE__, btype); break; } - break; default: 
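Review bot: The `// FIXTHIS` block added in the @@ -2801 hunk documents a known gap (the segmentation buffer is emptied before the pdu is confirmed, so a retransmitted last segment is not handled) and lists two things that break if that is changed, but leaves no pointer to a tracking issue and uses `//` where the rest of the file uses `/* */`. Keep it as a block comment with a greppable marker, e.g. `/* TODO: ... */`, so the limitation is not lost among ordinary comments. DCE2_CoSegDecode's start is outside the hunk.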
@@ -2963,7 +3026,6 @@ __FILE__, __LINE__, sd->trans); break; } - return rtype; } @@ -2987,7 +3049,7 @@ * 0 if the pointer is not within a segmentation buffer. * ********************************************************************/ -static INLINE int DCE2_CoIsSegBuf(DCE2_SsnData *sd, DCE2_CoTracker *cot, const uint8_t *ptr) +static inline int DCE2_CoIsSegBuf(DCE2_SsnData *sd, DCE2_CoTracker *cot, const uint8_t *ptr) { DCE2_Buffer *seg_buf; @@ -3012,7 +3074,7 @@ /******************************************************************** * Function: DCE2_CoSegEarlyRequest() * - * Used to set rule option data if we are doing an early + * Used to set rule option data if we are doing an early * reassembly on data in the segmentation buffer. If we are * taking directly from the segmentation buffer, none of the * rule option data will be set since processing doesn't get to @@ -3028,7 +3090,7 @@ * * Returns: * DCE2_Ret - * DCE2_RET__SUCCESS if there is enough data in buffer to + * DCE2_RET__SUCCESS if there is enough data in buffer to * set rule option data and we should continue processing. * DCE2_RET__ERROR if there is not enough data in segmentation * buffer to set rule option data and we should not @@ -3063,7 +3125,7 @@ cot->opnum = DceRpcCoOpnum(co_hdr, rhdr); cot->ctx_id = DceRpcCoCtxId(co_hdr, rhdr); cot->call_id = DceRpcCoCallId(co_hdr); - + return DCE2_RET__SUCCESS; } @@ -3083,7 +3145,7 @@ * Pointer to client or server segmenation buffer. * ********************************************************************/ -static INLINE DCE2_CoSeg * DCE2_CoGetSegPtr(DCE2_SsnData *sd, DCE2_CoTracker *cot) +static inline DCE2_CoSeg * DCE2_CoGetSegPtr(DCE2_SsnData *sd, DCE2_CoTracker *cot) { if (DCE2_SsnFromServer(sd->wire_pkt)) return &cot->srv_seg; 
@@ -3107,7 +3169,7 @@ * Pointer to client or server fragmentation buffer. * ********************************************************************/ -static INLINE DCE2_Buffer * DCE2_CoGetFragBuf(DCE2_SsnData *sd, DCE2_CoFragTracker *ft) +static inline DCE2_Buffer * DCE2_CoGetFragBuf(DCE2_SsnData *sd, DCE2_CoFragTracker *ft) { if (DCE2_SsnFromServer(sd->wire_pkt)) return ft->srv_frag_buf; @@ -3115,3 +3177,41 @@ return ft->cli_frag_buf; } +static int DCE2_CoGetAuthLen(DCE2_SsnData *sd, const DceRpcCoHdr *co_hdr, + const uint8_t *frag_ptr, uint16_t frag_len) +{ + DceRpcCoAuthVerifier *auth_hdr; + uint16_t auth_len = DceRpcCoAuthLen(co_hdr); + + if (auth_len == 0) + return 0; + + auth_len += sizeof(DceRpcCoAuthVerifier); + + /* This means the auth len was bogus */ + if (auth_len > frag_len) + { + DCE2_Alert(sd, DCE2_EVENT__CO_FLEN_LT_SIZE, dce2_pdu_types[DceRpcCoPduType(co_hdr)], + frag_len, auth_len); + return -1; + } + + auth_hdr = (DceRpcCoAuthVerifier *)(frag_ptr + (frag_len - auth_len)); + if (DceRpcCoAuthLevel(auth_hdr) == DCERPC_CO_AUTH_LEVEL__PKT_PRIVACY) + { + /* Data is encrypted - don't inspect */ + return -1; + } + + auth_len += DceRpcCoAuthPad(auth_hdr); + + /* This means the auth pad len was bogus */ + if (auth_len > frag_len) + { + DCE2_Alert(sd, DCE2_EVENT__CO_FLEN_LT_SIZE, dce2_pdu_types[DceRpcCoPduType(co_hdr)], + frag_len, auth_len); + return -1; + } + + return (int)auth_len; +} diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_co.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_co.h --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_co.h 2009-07-07 15:37:06.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_co.h 2011-02-09 23:23:12.000000000 +0000 
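Review bot: In DCE2_CoGetAuthLen (the @@ -3115 hunk) `auth_len` is a `uint16_t`, so `auth_len += sizeof(DceRpcCoAuthVerifier)` wraps modulo 2^16 when the header's auth length taken from the wire is close to UINT16_MAX, the following `auth_len > frag_len` check then passes with a tiny value, and `auth_hdr` is placed within the last few bytes of the fragment so that `DceRpcCoAuthLevel`/`DceRpcCoAuthPad` read past its end. Do the arithmetic in a wider type, `uint32_t auth_len = DceRpcCoAuthLen(co_hdr);` — the final `return (int)auth_len;` is then exact because the value has been bounded by `frag_len`. The cast `(DceRpcCoAuthVerifier *)(frag_ptr + ...)` also drops the `const` of `frag_ptr`; declare `const DceRpcCoAuthVerifier *auth_hdr`. Since the function is `static` and defined after its callers in the @@ -1360 hunk, a prototype must exist earlier in the file; none appears in this diff, so confirm one was added.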
@@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -81,7 +81,7 @@ DCE2_CoFragTracker frag_tracker; int max_xmit_frag; /* The maximum negotiated size of a client request */ - int data_byte_order; /* Set in bind or alter context */ + int data_byte_order; /* Depending on policy is from bind or request */ int ctx_id; /* The current context id of the request */ int opnum; /* The current opnum of the request */ int call_id; /* The current call id of the request */ diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_config.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_config.c --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_config.c 2009-10-02 20:29:57.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_config.c 2011-07-13 22:44:51.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * **************************************************************************** * Parses and processes configuration set in snort.conf. - * + * * 8/17/2008 - Initial implementation ... Todd Wease * ****************************************************************************/ @@ -27,6 +27,7 @@ #include "config.h" #endif +#include "sf_types.h" #include "dce2_config.h" #include "dce2_utils.h" #include "dce2_list.h" 
@@ -64,23 +65,19 @@ static const uint16_t DCE2_PORTS_SMB__DEFAULT[] = {139, 445}; static const uint16_t DCE2_PORTS_TCP__DEFAULT[] = {135}; static const uint16_t DCE2_PORTS_UDP__DEFAULT[] = {135}; -static const uint16_t DCE2_PORTS_HTTP_PROXY__DEFAULT[] = {80}; +//static const uint16_t DCE2_PORTS_HTTP_PROXY__DEFAULT[] = {80}; static const uint16_t DCE2_PORTS_HTTP_SERVER__DEFAULT[] = {593}; static char dce2_config_error[1024]; /******************************************************************** - * Extern variables - ********************************************************************/ -extern DynamicPreprocessorData _dpd; - -/******************************************************************** * Macros ********************************************************************/ #define DCE2_GOPT__MEMCAP "memcap" #define DCE2_GOPT__DISABLE_DEFRAG "disable_defrag" #define DCE2_GOPT__MAX_FRAG_LEN "max_frag_len" #define DCE2_GOPT__REASSEMBLE_THRESHOLD "reassemble_threshold" +#define DCE2_GOPT__DISABLED "disabled" #define DCE2_GOPT__EVENTS "events" #define DCE2_GARG__EVENTS_NONE "none" @@ -98,14 +95,17 @@ #define DCE2_SARG__POLICY_WINXP "WinXP" #define DCE2_SARG__POLICY_WINVISTA "WinVista" #define DCE2_SARG__POLICY_WIN2003 "Win2003" +#define DCE2_SARG__POLICY_WIN2008 "Win2008" +#define DCE2_SARG__POLICY_WIN7 "Win7" #define DCE2_SARG__POLICY_SAMBA "Samba" +#define DCE2_SARG__POLICY_SAMBA_3_0_37 "Samba-3.0.37" /* Samba version 3.0.37 and previous */ #define DCE2_SARG__POLICY_SAMBA_3_0_22 "Samba-3.0.22" /* Samba version 3.0.22 and previous */ #define DCE2_SARG__POLICY_SAMBA_3_0_20 "Samba-3.0.20" /* Samba version 3.0.20 and previous */ #define DCE2_SOPT__DETECT "detect" #define DCE2_SOPT__AUTODETECT "autodetect" #define DCE2_SARG__DETECT_NONE "none" -#define DCE2_SARG__DETECT_SMB "smb" +#define DCE2_SARG__DETECT_SMB "smb" #define DCE2_SARG__DETECT_TCP "tcp" #define DCE2_SARG__DETECT_UDP "udp" #define DCE2_SARG__DETECT_HTTP_PROXY "rpc-over-http-proxy" 
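Review bot: The @@ -64 hunk keeps `DCE2_PORTS_HTTP_PROXY__DEFAULT` as commented-out code (`//static const uint16_t ...`) instead of deleting it; dead code in comments rots, and version history already preserves it. Remove the line, or if the proxy default is meant to return, leave a one-line `/* no default rpc-over-http-proxy ports; see DCE2_SARG__DETECT_HTTP_PROXY */` note instead. Dropping `extern DynamicPreprocessorData _dpd;` here is only safe if a header now declares it — presumably the reason `sf_types.h` was added in the @@ -27 hunk, but that is not visible in this diff.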
@@ -119,6 +119,15 @@ #define DCE2_SMB_MAX_CHAIN__DEFAULT 3 #define DCE2_SMB_MAX_CHAIN__MAX 255 /* uint8_t is used to store value */ +#define DCE2_SOPT__VALID_SMB_VERSIONS "valid_smb_versions" +#define DCE2_SARG__VALID_SMB_VERSIONS_V1 "v1" +#define DCE2_SARG__VALID_SMB_VERSIONS_V2 "v2" +#define DCE2_SARG__VALID_SMB_VERSIONS_ALL "all" + +#define DCE2_SOPT__SMB2_MAX_COMPOUND "smb2_max_compound" +#define DCE2_SMB2_MAX_COMPOUND__DEFAULT 3 +#define DCE2_SMB2_MAX_COMPOUND__MAX 255 /* uint8_t is used to store value */ + /*** Don't increase max memcap number or it will overflow ***/ #define DCE2_MEMCAP__MIN 1024 /* 1 MB min */ #define DCE2_MEMCAP__MAX ((4 * 1024 * 1024) - 1) /* ~ 4 GB max */ @@ -148,7 +157,8 @@ DCE2_GC_OPT_FLAG__DISABLE_DEFRAG = 0x0004, DCE2_GC_OPT_FLAG__MAX_FRAG_LEN = 0x0008, DCE2_GC_OPT_FLAG__EVENTS = 0x0010, - DCE2_GC_OPT_FLAG__REASSEMBLE_THRESHOLD = 0x0020 + DCE2_GC_OPT_FLAG__REASSEMBLE_THRESHOLD = 0x0020, + DCE2_GC_OPT_FLAG__DISABLED = 0x0040 } DCE2_GcOptFlag; @@ -173,7 +183,9 @@ DCE2_SC_OPT_FLAG__AUTODETECT = 0x0010, DCE2_SC_OPT_FLAG__NO_AUTODETECT_HTTP_PROXY_PORTS = 0x0020, DCE2_SC_OPT_FLAG__SMB_INVALID_SHARES = 0x0040, - DCE2_SC_OPT_FLAG__SMB_MAX_CHAIN = 0x0080 + DCE2_SC_OPT_FLAG__SMB_MAX_CHAIN = 0x0080, + DCE2_SC_OPT_FLAG__VALID_SMB_VERSIONS = 0x0100, + DCE2_SC_OPT_FLAG__SMB2_MAX_COMPOUND = 0x0200 } DCE2_ScOptFlag; 
@@ -206,14 +218,14 @@ ********************************************************************/ static void DCE2_GcInitConfig(DCE2_GlobalConfig *gc); static DCE2_Ret DCE2_GcParseConfig(DCE2_GlobalConfig *, char *); -static INLINE DCE2_GcOptFlag DCE2_GcParseOption(char *, char *, int *); +static inline DCE2_GcOptFlag DCE2_GcParseOption(char *, char *, int *); static DCE2_Ret DCE2_GcParseMemcap(DCE2_GlobalConfig *, char **, char *); static DCE2_Ret DCE2_GcParseMaxFrag(DCE2_GlobalConfig *, char **, char *); static DCE2_Ret DCE2_GcParseEvents(DCE2_GlobalConfig *, char **, char *); -static INLINE void DCE2_GcSetEvent(DCE2_GlobalConfig *, DCE2_EventFlag); -static INLINE void DCE2_GcClearEvent(DCE2_GlobalConfig *, DCE2_EventFlag); -static INLINE void DCE2_GcClearAllEvents(DCE2_GlobalConfig *); -static INLINE DCE2_EventFlag DCE2_GcParseEvent(char *, char *, int *); +static inline void DCE2_GcSetEvent(DCE2_GlobalConfig *, DCE2_EventFlag); +static inline void DCE2_GcClearEvent(DCE2_GlobalConfig *, DCE2_EventFlag); +static inline void DCE2_GcClearAllEvents(DCE2_GlobalConfig *); +static inline DCE2_EventFlag DCE2_GcParseEvent(char *, char *, int *); static DCE2_Ret DCE2_GcParseReassembleThreshold(DCE2_GlobalConfig *, char **, char *); static void DCE2_GcPrintConfig(const DCE2_GlobalConfig *); static void DCE2_GcError(const char *, ...); 
@@ -221,13 +233,19 @@ static DCE2_Ret DCE2_ScInitConfig(DCE2_ServerConfig *); static DCE2_Ret DCE2_ScInitPortArray(DCE2_ServerConfig *, DCE2_DetectFlag, int); static DCE2_Ret DCE2_ScParseConfig(DCE2_Config *, DCE2_ServerConfig *, char *, DCE2_Queue *); -static INLINE DCE2_ScOptFlag DCE2_ScParseOption(char *, char *, int *); +static inline DCE2_ScOptFlag DCE2_ScParseOption(char *, char *, int *); static DCE2_Ret DCE2_ScParsePolicy(DCE2_ServerConfig *, char **, char *); static DCE2_Ret DCE2_ScParseDetect(DCE2_ServerConfig *, char **, char *, int); -static INLINE DCE2_DetectFlag DCE2_ScParseDetectType(char *, char *, int *); -static INLINE void DCE2_ScResetPortsArrays(DCE2_ServerConfig *, int); +static inline DCE2_DetectFlag DCE2_ScParseDetectType(char *, char *, int *); +static inline void DCE2_ScResetPortsArrays(DCE2_ServerConfig *, int); static DCE2_Ret DCE2_ScParseSmbShares(DCE2_ServerConfig *, char **, char *); static DCE2_Ret DCE2_ScParseSmbMaxChain(DCE2_ServerConfig *, char **, char *); +static DCE2_Ret DCE2_ScParseSmb2MaxCompound(DCE2_ServerConfig *, char **, char *); +static DCE2_Ret DCE2_ScParseValidSmbVersions(DCE2_ServerConfig *, char **, char *); +static inline DCE2_ValidSmbVersionFlag DCE2_ScParseValidSmbVersion(char *, char *, int *); +static inline void DCE2_ScSetValidSmbVersion(DCE2_ServerConfig *, DCE2_ValidSmbVersionFlag); +static inline void DCE2_ScClearValidSmbVersion(DCE2_ServerConfig *, DCE2_ValidSmbVersionFlag); +static inline void DCE2_ScClearAllValidSmbVersionFlags(DCE2_ServerConfig *); static DCE2_Ret DCE2_ScAddToRoutingTable(DCE2_Config *, DCE2_ServerConfig *, DCE2_Queue *); static int DCE2_ScSmbShareCompare(const void *, const void *); static void DCE2_ScSmbShareFree(void *); @@ -401,6 +419,10 @@ return DCE2_RET__ERROR; break; + case DCE2_GC_OPT_FLAG__DISABLED: + gc->disabled = 1; + break; + default: return DCE2_RET__ERROR; } 
@@ -465,7 +487,7 @@ * been configured. * ********************************************************************/ -static INLINE DCE2_GcOptFlag DCE2_GcParseOption(char *opt_start, char *opt_end, int *opt_mask) +static inline DCE2_GcOptFlag DCE2_GcParseOption(char *opt_start, char *opt_end, int *opt_mask) { DCE2_GcOptFlag opt_flag = DCE2_GC_OPT_FLAG__NULL; size_t opt_len = opt_end - opt_start; @@ -495,6 +517,11 @@ { opt_flag = DCE2_GC_OPT_FLAG__REASSEMBLE_THRESHOLD; } + else if (opt_len == strlen(DCE2_GOPT__DISABLED) && + strncasecmp(DCE2_GOPT__DISABLED, opt_start, opt_len) == 0) + { + opt_flag = DCE2_GC_OPT_FLAG__DISABLED; + } else { DCE2_GcError("Invalid option: \"%.*s\"", opt_len, opt_start); @@ -778,7 +805,7 @@ * Function: DCE2_GcParseEvent() * * Parses event type and returns flag indication the type of event. - * Checks and sets a bit in a mask to prevent multiple + * Checks and sets a bit in a mask to prevent multiple * configurations of the same event type. * * Arguments: @@ -799,9 +826,9 @@ * configuration of event type. * ********************************************************************/ -static INLINE DCE2_EventFlag DCE2_GcParseEvent(char *start, char *end, int *emask) +static inline DCE2_EventFlag DCE2_GcParseEvent(char *start, char *end, int *emask) { - int eflag = DCE2_EVENT_FLAG__NULL; + DCE2_EventFlag eflag = DCE2_EVENT_FLAG__NULL; size_t event_len = end - start; if (event_len == strlen(DCE2_GARG__EVENTS_NONE) && @@ -841,7 +868,7 @@ return DCE2_EVENT_FLAG__NULL; } - if (DCE2_CheckAndSetMask(eflag, emask) != DCE2_RET__SUCCESS) + if (DCE2_CheckAndSetMask((int)eflag, emask) != DCE2_RET__SUCCESS) { DCE2_GcError("Event type \"%.*s\" cannot be specified more than once", event_len, start); 
@@ -866,7 +893,7 @@ * Returns: None * *********************************************************************/ -static INLINE void DCE2_GcSetEvent(DCE2_GlobalConfig *gc, DCE2_EventFlag eflag) +static inline void DCE2_GcSetEvent(DCE2_GlobalConfig *gc, DCE2_EventFlag eflag) { gc->event_mask |= eflag; } @@ -886,7 +913,7 @@ * Returns: None * *********************************************************************/ -static INLINE void DCE2_GcClearEvent(DCE2_GlobalConfig *gc, DCE2_EventFlag eflag) +static inline void DCE2_GcClearEvent(DCE2_GlobalConfig *gc, DCE2_EventFlag eflag) { gc->event_mask &= ~eflag; } @@ -903,7 +930,7 @@ * Returns: None * *********************************************************************/ -static INLINE void DCE2_GcClearAllEvents(DCE2_GlobalConfig *gc) +static inline void DCE2_GcClearAllEvents(DCE2_GlobalConfig *gc) { gc->event_mask = DCE2_EVENT_FLAG__NULL; } @@ -971,6 +998,8 @@ /* Set defaults */ sc->policy = DCE2_POLICY__WINXP; sc->smb_max_chain = DCE2_SMB_MAX_CHAIN__DEFAULT; + sc->smb2_max_compound = DCE2_SMB2_MAX_COMPOUND__DEFAULT; + sc->valid_smb_versions_mask = DCE2_VALID_SMB_VERSION_FLAG__ALL; sc->autodetect_http_proxy_ports = DCE2_CS__ENABLED; /* Add default detect ports */ @@ -1451,6 +1480,16 @@ return DCE2_RET__ERROR; break; + case DCE2_SC_OPT_FLAG__SMB2_MAX_COMPOUND: + if (DCE2_ScParseSmb2MaxCompound(sc, &ptr, end) != DCE2_RET__SUCCESS) + return DCE2_RET__ERROR; + break; + + case DCE2_SC_OPT_FLAG__VALID_SMB_VERSIONS: + if (DCE2_ScParseValidSmbVersions(sc, &ptr, end) != DCE2_RET__SUCCESS) + return DCE2_RET__ERROR; + break; + case DCE2_SC_OPT_FLAG__DEFAULT: case DCE2_SC_OPT_FLAG__NET: DCE2_ScError("\"%s\" or \"%s\" must be the first " 
@@ -1522,7 +1561,7 @@ * been configured. * ********************************************************************/ -static INLINE DCE2_ScOptFlag DCE2_ScParseOption(char *opt_start, char *opt_end, int *opt_mask) +static inline DCE2_ScOptFlag DCE2_ScParseOption(char *opt_start, char *opt_end, int *opt_mask) { DCE2_ScOptFlag opt_flag = DCE2_SC_OPT_FLAG__NULL; size_t opt_len = opt_end - opt_start; @@ -1567,6 +1606,11 @@ { opt_flag = DCE2_SC_OPT_FLAG__SMB_MAX_CHAIN; } + else if (opt_len == strlen(DCE2_SOPT__SMB2_MAX_COMPOUND) && + strncasecmp(DCE2_SOPT__SMB2_MAX_COMPOUND, opt_start, opt_len) == 0) + { + opt_flag = DCE2_SC_OPT_FLAG__SMB2_MAX_COMPOUND; + } else { DCE2_ScError("Invalid option: \"%.*s\"", opt_len, opt_start); @@ -1665,11 +1709,26 @@ { sc->policy = DCE2_POLICY__WIN2003; } + else if (policy_len == strlen(DCE2_SARG__POLICY_WIN2008) && + strncasecmp(DCE2_SARG__POLICY_WIN2008, policy_start, policy_len) == 0) + { + sc->policy = DCE2_POLICY__WIN2008; + } + else if (policy_len == strlen(DCE2_SARG__POLICY_WIN7) && + strncasecmp(DCE2_SARG__POLICY_WIN7, policy_start, policy_len) == 0) + { + sc->policy = DCE2_POLICY__WIN7; + } else if (policy_len == strlen(DCE2_SARG__POLICY_SAMBA) && strncasecmp(DCE2_SARG__POLICY_SAMBA, policy_start, policy_len) == 0) { sc->policy = DCE2_POLICY__SAMBA; } + else if (policy_len == strlen(DCE2_SARG__POLICY_SAMBA_3_0_37) && + strncasecmp(DCE2_SARG__POLICY_SAMBA_3_0_37, policy_start, policy_len) == 0) + { + sc->policy = DCE2_POLICY__SAMBA_3_0_37; + } else if (policy_len == strlen(DCE2_SARG__POLICY_SAMBA_3_0_22) && strncasecmp(DCE2_SARG__POLICY_SAMBA_3_0_22, policy_start, policy_len) == 0) { @@ -1981,7 +2040,7 @@ /******************************************************************** * Function: DCE2_ScResetPortArrays() * - * Clears all of the port bits in the specified port array masks + * Clears all of the port bits in the specified port array masks * for the passed in server configuration. * * Arguments: 
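Review bot: The @@ -1567 hunk teaches DCE2_ScParseOption to recognise `smb2_max_compound`, but nothing in this diff adds a matching branch for `DCE2_SOPT__VALID_SMB_VERSIONS`, even though the flag `DCE2_SC_OPT_FLAG__VALID_SMB_VERSIONS`, its `case` in the @@ -1451 hunk and DCE2_ScParseValidSmbVersions are all introduced; unless the keyword is matched somewhere not shown, `valid_smb_versions` in snort.conf falls through to the `Invalid option` error. Add the missing branch next to the new one, as below. A small configuration test that sets each newly added option would have caught this. DCE2_ScParseOption starts before this hunk.
```c
    /* … unchanged: earlier option matches … */
    else if (opt_len == strlen(DCE2_SOPT__SMB2_MAX_COMPOUND) &&
             strncasecmp(DCE2_SOPT__SMB2_MAX_COMPOUND, opt_start, opt_len) == 0)
    {
        opt_flag = DCE2_SC_OPT_FLAG__SMB2_MAX_COMPOUND;
    }
    else if (opt_len == strlen(DCE2_SOPT__VALID_SMB_VERSIONS) &&
             strncasecmp(DCE2_SOPT__VALID_SMB_VERSIONS, opt_start, opt_len) == 0)
    {
        opt_flag = DCE2_SC_OPT_FLAG__VALID_SMB_VERSIONS;
    }
    /* … unchanged: else branch reporting "Invalid option" … */
```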
@@ -1994,7 +2053,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_ScResetPortsArrays(DCE2_ServerConfig *sc, int autodetect) +static inline void DCE2_ScResetPortsArrays(DCE2_ServerConfig *sc, int autodetect) { if (!autodetect) { @@ -2038,7 +2097,7 @@ * already been configured. * ********************************************************************/ -static INLINE DCE2_DetectFlag DCE2_ScParseDetectType(char *start, char *end, int *dmask) +static inline DCE2_DetectFlag DCE2_ScParseDetectType(char *start, char *end, int *dmask) { DCE2_DetectFlag dflag = DCE2_DETECT_FLAG__NULL; size_t dtype_len = end - start; @@ -2115,7 +2174,6 @@ { DCE2_WordListState state = DCE2_WORD_LIST_STATE__START; char *share_start = *ptr; - char last_char = 0; int one_share = 0; int quote = 0; @@ -2142,7 +2200,7 @@ } else if (DCE2_IsGraphChar(c)) { - /* Only one event */ + /* Only one share */ share_start = *ptr; one_share = 1; state = DCE2_WORD_LIST_STATE__WORD; @@ -2329,7 +2387,6 @@ return DCE2_RET__ERROR; } - last_char = c; (*ptr)++; } 
@@ -2386,6 +2443,331 @@ } /******************************************************************** + * Function: DCE2_ScParseSmb2MaxCompound() + * + * Parses the argument to the smb2 max compound option. + * + * Arguments: + * DCE2_ServerConfig * + * Pointer to a server configuration structure. + * char ** + * Pointer to the pointer to the current position in the + * configuration line. This is updated to the current position + * after parsing the smb max chain argument. + * char * + * Pointer to the end of the configuration line. + * + * Returns: + * DCE2_Ret + * DCE2_RET__SUCCESS if we were able to successfully parse the + * argument to the smb2 max compound option. + * DCE2_RET__ERROR if an error occured in parsing the smb2 max + * compound argument. + * + ********************************************************************/ +static DCE2_Ret DCE2_ScParseSmb2MaxCompound(DCE2_ServerConfig *sc, char **ptr, char *end) +{ + DCE2_Ret status; + uint8_t compound_len; + + status = DCE2_ParseValue(ptr, end, &compound_len, DCE2_INT_TYPE__UINT8); + if (status != DCE2_RET__SUCCESS) + { + DCE2_ScError("Error parsing \"%s\". Value must be between 0 and %u inclusive", + DCE2_SOPT__SMB2_MAX_COMPOUND, UINT8_MAX); + return DCE2_RET__ERROR; + } + + sc->smb2_max_compound = compound_len; + + return DCE2_RET__SUCCESS; +} + +/******************************************************************** + * Function: DCE2_ScParseValidSmbVersions() + * + * Parses the version types for the valid smb versions option and + * adds to server configuration. + * + * Arguments: + * DCE2_GlobalConfig * + * Pointer to the global configuration structure. + * char ** + * Pointer to the pointer to the current position in the + * configuration line. This is updated to the current position + * after parsing. + * char * + * Pointer to the end of the configuration line. 
+ * + * Returns: + * DCE2_Ret + * DCE2_RET__SUCCESS if we were able to successfully parse the + * valid smb versions + * DCE2_RET__ERROR if an error occured in parsing. + * + ********************************************************************/ +static DCE2_Ret DCE2_ScParseValidSmbVersions(DCE2_ServerConfig *sc, char **ptr, char *end) +{ + DCE2_WordListState state = DCE2_WORD_LIST_STATE__START; + char *version_start = *ptr; + char last_char = 0; + int one_version = 0; + int version_mask = 0; + + DCE2_ScClearAllValidSmbVersionFlags(sc); + + while (*ptr < end) + { + char c = **ptr; + + if (state == DCE2_WORD_LIST_STATE__END) + break; + + switch (state) + { + case DCE2_WORD_LIST_STATE__START: + if (DCE2_IsWordChar(c, DCE2_WORD_CHAR_POSITION__START)) + { + /* Only one valid smb version */ + version_start = *ptr; + one_version = 1; + state = DCE2_WORD_LIST_STATE__WORD; + } + else if (DCE2_IsListStartChar(c)) + { + state = DCE2_WORD_LIST_STATE__WORD_START; + } + else if (!DCE2_IsSpaceChar(c)) + { + DCE2_ScError("Invalid \"%s\" syntax: \"%s\"", + DCE2_SOPT__VALID_SMB_VERSIONS, *ptr); + return DCE2_RET__ERROR; + } + + break; + + case DCE2_WORD_LIST_STATE__WORD_START: + if (DCE2_IsWordChar(c, DCE2_WORD_CHAR_POSITION__START)) + { + version_start = *ptr; + state = DCE2_WORD_LIST_STATE__WORD; + } + else if (!DCE2_IsSpaceChar(c)) + { + DCE2_ScError("Invalid \"%s\" syntax: \"%s\"", + DCE2_SOPT__VALID_SMB_VERSIONS, *ptr); + return DCE2_RET__ERROR; + } + + break; + + case DCE2_WORD_LIST_STATE__WORD: + if (!DCE2_IsWordChar(c, DCE2_WORD_CHAR_POSITION__MIDDLE)) + { + DCE2_ValidSmbVersionFlag vflag; + + if (!DCE2_IsWordChar(last_char, DCE2_WORD_CHAR_POSITION__END)) + { + DCE2_ScError("Invalid \"%s\" argument: \"%.*s\"", + DCE2_SOPT__VALID_SMB_VERSIONS, + *ptr - version_start, version_start); + return DCE2_RET__ERROR; + } + + + vflag = DCE2_ScParseValidSmbVersion(version_start, *ptr, &version_mask); + switch (vflag) + { + case DCE2_VALID_SMB_VERSION_FLAG__NULL: + return 
DCE2_RET__ERROR; + + case DCE2_VALID_SMB_VERSION_FLAG__ALL: + if (!one_version) + { + DCE2_ScError("Valid smb version \"%s\" cannot be " + "configured in a list", DCE2_SARG__VALID_SMB_VERSIONS_ALL); + return DCE2_RET__ERROR; + } + + DCE2_ScSetValidSmbVersion(sc, vflag); + break; + + default: + DCE2_ScSetValidSmbVersion(sc, vflag); + break; + } + + if (one_version) + return DCE2_RET__SUCCESS; + + state = DCE2_WORD_LIST_STATE__WORD_END; + continue; + } + + break; + + case DCE2_WORD_LIST_STATE__WORD_END: + if (DCE2_IsListEndChar(c)) + { + state = DCE2_WORD_LIST_STATE__END; + } + else if (DCE2_IsListSepChar(c)) + { + state = DCE2_WORD_LIST_STATE__WORD_START; + } + else if (!DCE2_IsSpaceChar(c)) + { + DCE2_ScError("Invalid \"%s\" syntax: \"%s\"", + DCE2_SOPT__VALID_SMB_VERSIONS, *ptr); + return DCE2_RET__ERROR; + } + + break; + + default: + DCE2_Log(DCE2_LOG_TYPE__ERROR, "%s(%d) Invalid valid " + "smb versions state: %d", __FILE__, __LINE__, state); + return DCE2_RET__ERROR; + } + + last_char = c; + (*ptr)++; + } + + if (state != DCE2_WORD_LIST_STATE__END) + { + DCE2_ScError("Invalid \"%s\" syntax: \"%s\"", + DCE2_SOPT__VALID_SMB_VERSIONS, *ptr); + return DCE2_RET__ERROR; + } + + return DCE2_RET__SUCCESS; +} + +/******************************************************************** + * Function: DCE2_ScParseValidSmbVersion() + * + * Parses smb version and returns flag indication the smb version. + * Checks and sets a bit in a mask to prevent multiple + * configurations of the same event type. + * + * Arguments: + * char * + * Pointer to the first character of the smb version name. + * char * + * Pointer to the byte after the last character of + * the smb version name. + * int + * Pointer to the current valid smb versions mask. Contains + * bits set for each smb version that has already been + * configured. Mask is checked and updated for new version. + * + * Returns: + * DCE2_ValidSmbVersionFlag + * Flag indicating the smb version. 
+ * DCE2_VALID_SMB_VERSION_FLAG__NULL if no version or multiple + * configuration of smb version. + * + ********************************************************************/ +static inline DCE2_ValidSmbVersionFlag DCE2_ScParseValidSmbVersion( + char *start, char *end, int *vmask) +{ + DCE2_ValidSmbVersionFlag vflag = DCE2_VALID_SMB_VERSION_FLAG__NULL; + size_t version_len = end - start; + + if (version_len == strlen(DCE2_SARG__VALID_SMB_VERSIONS_V1) && + strncasecmp(DCE2_SARG__VALID_SMB_VERSIONS_V1, start, version_len) == 0) + { + vflag = DCE2_VALID_SMB_VERSION_FLAG__V1; + } + else if (version_len == strlen(DCE2_SARG__VALID_SMB_VERSIONS_V2) && + strncasecmp(DCE2_SARG__VALID_SMB_VERSIONS_V2, start, version_len) == 0) + { + vflag = DCE2_VALID_SMB_VERSION_FLAG__V2; + } + else if (version_len == strlen(DCE2_SARG__VALID_SMB_VERSIONS_ALL) && + strncasecmp(DCE2_SARG__VALID_SMB_VERSIONS_ALL, start, version_len) == 0) + { + vflag = DCE2_VALID_SMB_VERSION_FLAG__ALL; + } + else + { + DCE2_ScError("Invalid \"%s\" argument: \"%.*s\"", + DCE2_SOPT__VALID_SMB_VERSIONS, version_len, start); + return DCE2_VALID_SMB_VERSION_FLAG__NULL; + } + + if (DCE2_CheckAndSetMask((int)vflag, vmask) != DCE2_RET__SUCCESS) + { + DCE2_ScError("Valid smb version \"%.*s\" cannot be specified more than once", + version_len, start); + return DCE2_VALID_SMB_VERSION_FLAG__NULL; + } + + return vflag; +} + +/********************************************************************* + * Function: DCE2_ScSetValidSmbVersion() + * + * Sets the valid smb version the user will allow during processing + * in the server configuration valid smb versions mask. + * + * Arguments: + * DCE2_ServerConfig * + * Pointer to server config structure. + * DCE2_ValidSmbVersionFlag + * The smb version flag to set. 
+ * + * Returns: None + * + *********************************************************************/ +static inline void DCE2_ScSetValidSmbVersion(DCE2_ServerConfig *sc, + DCE2_ValidSmbVersionFlag vflag) +{ + sc->valid_smb_versions_mask |= vflag; +} + +/********************************************************************* + * Function: DCE2_ScClearValidSmbVersion() + * + * Sets the bit associated with the smb version flag passed in for + * the server configuration valid smb versions mask. + * + * Arguments: + * DCE2_ServerConfig * + * Pointer to server config structure. + * DCE2_ValidSmbVersionFlag + * The smb version flag to clear. + * + * Returns: None + * + *********************************************************************/ +static inline void DCE2_ScClearValidSmbVersion(DCE2_ServerConfig *sc, + DCE2_ValidSmbVersionFlag vflag) +{ + sc->valid_smb_versions_mask &= ~vflag; +} + +/********************************************************************* + * Function: DCE2_ScClearAllValidSmbVersionFlags() + * + * Clears all of the bits in the server configuration smb + * valid versions mask. + * + * Arguments: + * DCE2_ServerConfig * + * Pointer to server config structure. + * + * Returns: None + * + *********************************************************************/ +static inline void DCE2_ScClearAllValidSmbVersionFlags(DCE2_ServerConfig *sc) +{ + sc->valid_smb_versions_mask = DCE2_VALID_SMB_VERSION_FLAG__NULL; +} + +/******************************************************************** * Function: DCE2_ScAddToRoutingTable() * * Adds the server configuration to the appropriate routing table @@ -2499,7 +2881,7 @@ return DCE2_RET__ERROR; } - /* This is a count of the number of pointers or references to this + /* This is a count of the number of pointers or references to this * server configuration in the routing tables. */ sc->ref_count++; } 
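Review bot: The new `%.*s` error messages pass a `size_t`/`ptrdiff_t` where the `*` precision expects an `int`: `DCE2_ScParseValidSmbVersion` passes `version_len` (size_t) in both of its `DCE2_ScError` calls, and the WORD state of `DCE2_ScParseValidSmbVersions` passes `*ptr - version_start` (ptrdiff_t); on LP64 targets this is an argument-type mismatch that `-Wformat` flags and that the standard leaves undefined, even if it happens to work on common ABIs. Cast at the call sites, e.g. `DCE2_ScError("Invalid \"%s\" argument: \"%.*s\"", DCE2_SOPT__VALID_SMB_VERSIONS, (int)version_len, start);` and `(int)(*ptr - version_start)` in the parser. The header comments have also drifted from the code: `DCE2_ScParseValidSmbVersions` documents a `DCE2_GlobalConfig *` argument but takes `DCE2_ServerConfig *sc`, `DCE2_ScParseSmb2MaxCompound` says the position is updated "after parsing the smb max chain argument", and `DCE2_ScClearValidSmbVersion` says it "Sets the bit" when its body does `&= ~vflag`. One smaller edge worth confirming with the caller: a single version word that runs up to `end` with no terminating character leaves `state` at WORD and is rejected as a syntax error.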
@@ -2636,7 +3018,7 @@ /********************************************************************* * Function: DCE2_ScSmbShareFree() * - * Callback to the list used to hold the invalid smb shares for + * Callback to the list used to hold the invalid smb shares for * freeing the shares. * * Arguments: @@ -2681,6 +3063,10 @@ _dpd.logMsg("DCE/RPC 2 Preprocessor Configuration\n"); _dpd.logMsg(" Global Configuration\n"); + if(gc->disabled) + { + _dpd.logMsg(" DCE/RPC 2 Preprocessor: INACTIVE\n"); + } _dpd.logMsg(" DCE/RPC Defragmentation: %s\n", gc->dce_defrag == DCE2_CS__ENABLED ? "Enabled" : "Disabled"); if ((gc->dce_defrag == DCE2_CS__ENABLED) && (gc->max_frag_len != DCE2_SENTINEL)) @@ -2773,7 +3159,7 @@ snprintf(tmp_net, sizeof(tmp_net), "%s/%u ", ip_addr, prefix); tmp_net[sizeof(tmp_net) - 1] = '\0'; - if (strlen(nets) + strlen(tmp_net) >= sizeof(nets)) + if ((strlen(nets) + strlen(tmp_net)) >= sizeof(nets)) { _dpd.logMsg("%s\n", nets); snprintf(nets, sizeof(nets), " %s", tmp_net); @@ -2806,9 +3192,18 @@ case DCE2_POLICY__WIN2003: policy = DCE2_SARG__POLICY_WIN2003; break; + case DCE2_POLICY__WIN2008: + policy = DCE2_SARG__POLICY_WIN2008; + break; + case DCE2_POLICY__WIN7: + policy = DCE2_SARG__POLICY_WIN7; + break; case DCE2_POLICY__SAMBA: policy = DCE2_SARG__POLICY_SAMBA; break; + case DCE2_POLICY__SAMBA_3_0_37: + policy = DCE2_SARG__POLICY_SAMBA_3_0_37; + break; case DCE2_POLICY__SAMBA_3_0_22: policy = DCE2_SARG__POLICY_SAMBA_3_0_22; break; @@ -2863,7 +3258,7 @@ /* Ascii string will be NULL terminated. Also alloc enough for space. * Note that if share is longer than the size of the buffer it will be - * put into, it will be truncated */ + * put into, it will be truncated */ tmp_share_len = strlen(share->ascii_str) + 2; tmp_share = (char *)DCE2_Alloc(tmp_share_len, DCE2_MEM_TYPE__CONFIG); if (tmp_share == NULL) 
@@ -2876,7 +3271,7 @@ snprintf(tmp_share, tmp_share_len, "%s ", share->ascii_str); tmp_share[tmp_share_len - 1] = '\0'; - if (strlen(share_str) + strlen(tmp_share) >= sizeof(share_str)) + if ((strlen(share_str) + strlen(tmp_share)) >= sizeof(share_str)) { _dpd.logMsg("%s\n", share_str); snprintf(share_str, sizeof(share_str), " %s", tmp_share); @@ -2940,7 +3335,10 @@ pps[3].port_array = sc->http_server_ports; pps[4].port_array = sc->http_proxy_ports; - _dpd.logMsg(" Detect ports\n"); + if (_dpd.isPafEnabled()) + _dpd.logMsg(" Detect ports (PAF)\n"); + else + _dpd.logMsg(" Detect ports\n"); } else { @@ -2950,7 +3348,10 @@ pps[3].port_array = sc->auto_http_server_ports; pps[4].port_array = sc->auto_http_proxy_ports; - _dpd.logMsg(" Autodetect ports\n"); + if (_dpd.isPafEnabled()) + _dpd.logMsg(" Autodetect ports (PAF)\n"); + else + _dpd.logMsg(" Autodetect ports\n"); } for (pps_idx = 0; pps_idx < sizeof(pps) / sizeof(DCE2_PrintPortsStruct); pps_idx++) @@ -3005,7 +3406,7 @@ tmp_port[sizeof(tmp_port) - 1] = '\0'; } - if (strlen(ports) + strlen(tmp_port) >= sizeof(ports)) + if ((strlen(ports) + strlen(tmp_port)) >= sizeof(ports)) { _dpd.logMsg("%s\n", ports); snprintf(ports, sizeof(ports), " %s", tmp_port); @@ -3277,7 +3678,7 @@ "%s(%d) Failed to allocate memory for IP structure.", __FILE__, __LINE__); return DCE2_RET__ERROR; - } + } memcpy((void *)ip_copy, (void *)&ip, sizeof(sfip_t)); @@ -3321,7 +3722,7 @@ "%s(%d) Failed to allocate memory for IP structure.", __FILE__, __LINE__); return DCE2_RET__ERROR; - } + } memcpy((void *)ip_copy, (void *)&ip, sizeof(sfip_t)); @@ -3496,7 +3897,7 @@ /******************************************************************** * Function: DCE2_ParsePortList() * - * Parses a port list and adds bits associated with the ports + * Parses a port list and adds bits associated with the ports * parsed to a bit array. * * Arguments: 
@@ -3692,7 +4093,7 @@ * Function: DCE2_ParseValue() * * Parses what should be an integer value and stores in memory - * passed in as an argument. This function will parse positive + * passed in as an argument. This function will parse positive * and negative values and decimal, octal or hexidecimal. The * positive and negative modifiers can only be used with * decimal values. @@ -3994,7 +4395,7 @@ /******************************************************************** * Function: DCE2_GcError() * - * Formats errors related to global configuration and puts in + * Formats errors related to global configuration and puts in * global error buffer. * * Arguments: @@ -4112,7 +4513,7 @@ ********************************************************************/ static int DCE2_FreeConfigsPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { @@ -4147,10 +4548,10 @@ * Arguments: * void * * Pointer to server configuration. - * + * * Returns: None * - ******************************************************************/ + ******************************************************************/ static void DCE2_ServerConfigCleanup(void *data) { DCE2_ServerConfig *sc = (DCE2_ServerConfig *)data; diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_config.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_config.h --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_config.h 2009-05-06 22:28:51.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_config.h 2011-06-08 00:33:11.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -18,7 +18,7 @@ * **************************************************************************** * Provides convenience functions for parsing and querying configuration. - * + * * 8/17/2008 - Initial implementation ... Todd Wease * ****************************************************************************/ @@ -76,7 +76,10 @@ DCE2_POLICY__WINXP, DCE2_POLICY__WINVISTA, DCE2_POLICY__WIN2003, + DCE2_POLICY__WIN2008, + DCE2_POLICY__WIN7, DCE2_POLICY__SAMBA, + DCE2_POLICY__SAMBA_3_0_37, DCE2_POLICY__SAMBA_3_0_22, DCE2_POLICY__SAMBA_3_0_20 @@ -107,6 +110,15 @@ } DCE2_EventFlag; +typedef enum _DCE2_ValidSmbVersionFlag +{ + DCE2_VALID_SMB_VERSION_FLAG__NULL = 0x0000, + DCE2_VALID_SMB_VERSION_FLAG__V1 = 0x0001, + DCE2_VALID_SMB_VERSION_FLAG__V2 = 0x0002, + DCE2_VALID_SMB_VERSION_FLAG__ALL = 0xffff + +} DCE2_ValidSmbVersionFlag; + /* Whether an option is on or off: CS - configuration switch */ typedef enum _DCE2_CS { @@ -194,6 +206,7 @@ /* Global configuration struct */ typedef struct _DCE2_GlobalConfig { + int disabled; uint32_t memcap; int event_mask; DCE2_CS dce_defrag; @@ -231,7 +244,9 @@ DCE2_CS autodetect_http_proxy_ports; uint8_t smb_max_chain; + uint8_t smb2_max_compound; DCE2_List *smb_invalid_shares; + int valid_smb_versions_mask; /* Used when freeing from routing table */ uint32_t ref_count; 
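Review bot: Inserting `DCE2_POLICY__WIN2008` and `DCE2_POLICY__WIN7` ahead of `DCE2_POLICY__SAMBA`, and `DCE2_POLICY__SAMBA_3_0_37` ahead of `DCE2_POLICY__SAMBA_3_0_22`, renumbers every later `DCE2_Policy` value; the `switch` statements in this diff are unaffected, but any table indexed by policy or ordered comparison against these constants elsewhere in the preprocessor would shift silently (not visible from here, so worth a grep). A one-line note on the enum, `/* values are not stable across releases; never index a table by DCE2_Policy */`, would make that constraint explicit for the next addition. The new `DCE2_ValidSmbVersionFlag` could likewise say that `DCE2_VALID_SMB_VERSION_FLAG__ALL = 0xffff` is a mask covering every version bit and, per the parser's error text, cannot be combined with other versions in a list.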
@@ -255,38 +270,40 @@ /******************************************************************** * Inline function prototypes ********************************************************************/ -static INLINE uint32_t DCE2_GcMemcap(void); -static INLINE int DCE2_GcMaxFrag(void); -static INLINE uint16_t DCE2_GcMaxFragLen(void); -static INLINE int DCE2_GcAlertOnEvent(DCE2_EventFlag); -static INLINE int DCE2_GcReassembleEarly(void); -static INLINE uint16_t DCE2_GcReassembleThreshold(void); -static INLINE DCE2_CS DCE2_GcDceDefrag(void); -static INLINE DCE2_Policy DCE2_ScPolicy(const DCE2_ServerConfig *); -static INLINE int DCE2_ScIsDetectPortSet(const DCE2_ServerConfig *, const uint16_t, const DCE2_TransType); -static INLINE int DCE2_ScIsAutodetectPortSet(const DCE2_ServerConfig *, const uint16_t, const DCE2_TransType); -static INLINE DCE2_CS DCE2_ScAutodetectHttpProxyPorts(const DCE2_ServerConfig *); -static INLINE uint8_t DCE2_ScSmbMaxChain(const DCE2_ServerConfig *); -static INLINE DCE2_List * DCE2_ScSmbInvalidShares(const DCE2_ServerConfig *); - -static INLINE int DCE2_IsPortSet(const uint8_t *, const uint16_t); -static INLINE void DCE2_SetPort(uint8_t *, const uint16_t); -static INLINE void DCE2_SetPortRange(uint8_t *, uint16_t, uint16_t); -static INLINE void DCE2_ClearPorts(uint8_t *); - -static INLINE int DCE2_IsWordChar(const char, const DCE2_WordCharPosition); -static INLINE int DCE2_IsGraphChar(const char); -static INLINE int DCE2_IsQuoteChar(const char); -static INLINE int DCE2_IsListSepChar(const char); -static INLINE int DCE2_IsOptEndChar(const char); -static INLINE int DCE2_IsSpaceChar(const char); -static INLINE int DCE2_IsConfigEndChar(const char); -static INLINE int DCE2_IsPortChar(const char); -static INLINE int DCE2_IsPortRangeChar(const char); -static INLINE int DCE2_IsListStartChar(const char); -static INLINE int DCE2_IsListEndChar(const char); -static INLINE int DCE2_IsIpChar(const char); -static INLINE DCE2_Ret DCE2_CheckAndSetMask(int, int *); 
+static inline uint32_t DCE2_GcMemcap(void); +static inline int DCE2_GcMaxFrag(void); +static inline uint16_t DCE2_GcMaxFragLen(void); +static inline int DCE2_GcAlertOnEvent(DCE2_EventFlag); +static inline int DCE2_GcReassembleEarly(void); +static inline uint16_t DCE2_GcReassembleThreshold(void); +static inline DCE2_CS DCE2_GcDceDefrag(void); +static inline DCE2_Policy DCE2_ScPolicy(const DCE2_ServerConfig *); +static inline int DCE2_ScIsDetectPortSet(const DCE2_ServerConfig *, const uint16_t, const DCE2_TransType); +static inline int DCE2_ScIsAutodetectPortSet(const DCE2_ServerConfig *, const uint16_t, const DCE2_TransType); +static inline DCE2_CS DCE2_ScAutodetectHttpProxyPorts(const DCE2_ServerConfig *); +static inline uint8_t DCE2_ScSmbMaxChain(const DCE2_ServerConfig *); +static inline DCE2_List * DCE2_ScSmbInvalidShares(const DCE2_ServerConfig *); +static inline uint8_t DCE2_ScSmb2MaxCompound(const DCE2_ServerConfig *); +static inline uint8_t DCE2_ScIsValidSmbVersion(const DCE2_ServerConfig *, DCE2_ValidSmbVersionFlag); + +static inline int DCE2_IsPortSet(const uint8_t *, const uint16_t); +static inline void DCE2_SetPort(uint8_t *, const uint16_t); +static inline void DCE2_SetPortRange(uint8_t *, uint16_t, uint16_t); +static inline void DCE2_ClearPorts(uint8_t *); + +static inline int DCE2_IsWordChar(const char, const DCE2_WordCharPosition); +static inline int DCE2_IsGraphChar(const char); +static inline int DCE2_IsQuoteChar(const char); +static inline int DCE2_IsListSepChar(const char); +static inline int DCE2_IsOptEndChar(const char); +static inline int DCE2_IsSpaceChar(const char); +static inline int DCE2_IsConfigEndChar(const char); +static inline int DCE2_IsPortChar(const char); +static inline int DCE2_IsPortRangeChar(const char); +static inline int DCE2_IsListStartChar(const char); +static inline int DCE2_IsListEndChar(const char); +static inline int DCE2_IsIpChar(const char); +static inline DCE2_Ret DCE2_CheckAndSetMask(int, int *); 
/******************************************************************** * Public function prototypes @@ -321,7 +338,7 @@ * The memcap configured for the preprocessor. * ********************************************************************/ -static INLINE uint32_t DCE2_GcMemcap(void) +static inline uint32_t DCE2_GcMemcap(void) { return dce2_eval_config->gconfig->memcap; } @@ -340,7 +357,7 @@ * 0 if it was not configured. * ********************************************************************/ -static INLINE int DCE2_GcMaxFrag(void) +static inline int DCE2_GcMaxFrag(void) { if (dce2_eval_config->gconfig->max_frag_len != DCE2_SENTINEL) return 1; return 0; @@ -362,7 +379,7 @@ * UINT16_MAX if not configured. * ********************************************************************/ -static INLINE uint16_t DCE2_GcMaxFragLen(void) +static inline uint16_t DCE2_GcMaxFragLen(void) { if (DCE2_GcMaxFrag()) return (uint16_t)dce2_eval_config->gconfig->max_frag_len; @@ -386,7 +403,7 @@ * Zero if we are not configured to alert on this event type. * ********************************************************************/ -static INLINE int DCE2_GcAlertOnEvent(DCE2_EventFlag eflag) +static inline int DCE2_GcAlertOnEvent(DCE2_EventFlag eflag) { return dce2_eval_config->gconfig->event_mask & eflag; } @@ -407,7 +424,7 @@ * defragmentation. * ********************************************************************/ -static INLINE DCE2_CS DCE2_GcDceDefrag(void) +static inline DCE2_CS DCE2_GcDceDefrag(void) { return dce2_eval_config->gconfig->dce_defrag; } @@ -426,7 +443,7 @@ * 0 if it was not configured. * ********************************************************************/ -static INLINE int DCE2_GcReassembleEarly(void) +static inline int DCE2_GcReassembleEarly(void) { if (dce2_eval_config->gconfig->reassemble_threshold > 0) return 1; 
@@ -449,7 +466,7 @@ * UINT16_MAX if not configured. * ********************************************************************/ -static INLINE uint16_t DCE2_GcReassembleThreshold(void) +static inline uint16_t DCE2_GcReassembleThreshold(void) { if (DCE2_GcReassembleEarly()) return dce2_eval_config->gconfig->reassemble_threshold; @@ -472,7 +489,7 @@ * DCE2_POLICY__NONE if a NULL pointer is passed in. * ********************************************************************/ -static INLINE DCE2_Policy DCE2_ScPolicy(const DCE2_ServerConfig *sc) +static inline DCE2_Policy DCE2_ScPolicy(const DCE2_ServerConfig *sc) { if (sc == NULL) return DCE2_POLICY__NONE; return sc->policy; @@ -501,7 +518,7 @@ * is NULL. * *********************************************************************/ -static INLINE int DCE2_ScIsDetectPortSet(const DCE2_ServerConfig *sc, const uint16_t port, +static inline int DCE2_ScIsDetectPortSet(const DCE2_ServerConfig *sc, const uint16_t port, const DCE2_TransType ttype) { const uint8_t *port_array; @@ -556,7 +573,7 @@ * is NULL. * *********************************************************************/ -static INLINE int DCE2_ScIsAutodetectPortSet(const DCE2_ServerConfig *sc, const uint16_t port, +static inline int DCE2_ScIsAutodetectPortSet(const DCE2_ServerConfig *sc, const uint16_t port, const DCE2_TransType ttype) { const uint8_t *port_array; @@ -608,7 +625,7 @@ * rpc over http proxy ports. * ********************************************************************/ -static INLINE DCE2_CS DCE2_ScAutodetectHttpProxyPorts(const DCE2_ServerConfig *sc) +static inline DCE2_CS DCE2_ScAutodetectHttpProxyPorts(const DCE2_ServerConfig *sc) { if (sc == NULL) return DCE2_CS__ENABLED; return sc->autodetect_http_proxy_ports; 
@@ -630,7 +647,7 @@ * 0 is returned if the server configuration passed in is NULL. * ********************************************************************/ -static INLINE uint8_t DCE2_ScSmbMaxChain(const DCE2_ServerConfig *sc) +static inline uint8_t DCE2_ScSmbMaxChain(const DCE2_ServerConfig *sc) { if (sc == NULL) return 0; return sc->smb_max_chain; 
@@ -654,12 +671,58 @@ * configuration passed in is NULL. * ********************************************************************/ -static INLINE DCE2_List * DCE2_ScSmbInvalidShares(const DCE2_ServerConfig *sc) +static inline DCE2_List * DCE2_ScSmbInvalidShares(const DCE2_ServerConfig *sc) { if (sc == NULL) return NULL; return sc->smb_invalid_shares; } +/******************************************************************** + * Function: DCE2_ScSmb2MaxChain() + * + * Convenience function to get the SMB maximum amount of command + * compounding allowed. A value of 0 means unlimited. + * + * Arguments: + * const DCE2_ServerConfig * + * Pointer to the server configuration to check. + * + * Returns: + * uint8_t + * The value for the maximum amount of command compounding. + * 0 is returned if the server configuration passed in is NULL. + * + ********************************************************************/ +static inline uint8_t DCE2_ScSmb2MaxCompound(const DCE2_ServerConfig *sc) +{ + if (sc == NULL) return 0; + return sc->smb2_max_compound; +} + +/******************************************************************** + * Function: DCE2_ScIsValidSmbVersion() + * + * Convenience function to check if an smb version flag is set. + * + * Arguments: + * const DCE2_ServerConfig * + * Pointer to the server configuration to check. + * const DCE2_ValidSmbVersionFlag + * The version flag to test + * + * Returns: + * int + * non-zero if the flag is set + * 0 if the flag is not set + * + ********************************************************************/ +static inline uint8_t DCE2_ScIsValidSmbVersion( + const DCE2_ServerConfig *sc, DCE2_ValidSmbVersionFlag vflag) +{ + if (sc == NULL) return 0; + return sc->valid_smb_versions_mask & vflag; +} + /********************************************************************* * Function: DCE2_IsPortSet() * 
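Review bot: `DCE2_ScIsValidSmbVersion` returns `uint8_t` while its header says `int`, and `sc->valid_smb_versions_mask & vflag` is truncated to the low 8 bits on return; with the flags currently defined (0x0001, 0x0002, 0xffff) a set flag still yields non-zero, but any future flag above 0x00ff would be reported as not set. Returning `int`, as the sibling bit-test `DCE2_ScIsDetectPortSet` does, removes the truncation: `static inline int DCE2_ScIsValidSmbVersion(const DCE2_ServerConfig *sc, DCE2_ValidSmbVersionFlag vflag)` with the prototype earlier in the header updated to match. The comment block above the new accessor is titled `DCE2_ScSmb2MaxChain()` but the function is `DCE2_ScSmb2MaxCompound()`, and the `DCE2_ScIsValidSmbVersion` comment lists the flag argument as `const DCE2_ValidSmbVersionFlag` although the signature has no const.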
@@ -678,7 +741,7 @@ * Zero if the port is not set. * *********************************************************************/ -static INLINE int DCE2_IsPortSet(const uint8_t *port_array, const uint16_t port) +static inline int DCE2_IsPortSet(const uint8_t *port_array, const uint16_t port) { return port_array[(port / 8)] & (1 << (port % 8)); } @@ -697,7 +760,7 @@ * Returns: None * *********************************************************************/ -static INLINE void DCE2_SetPort(uint8_t *port_array, const uint16_t port) +static inline void DCE2_SetPort(uint8_t *port_array, const uint16_t port) { port_array[(port / 8)] |= (1 << (port % 8)); } @@ -719,7 +782,7 @@ * Returns: None * *********************************************************************/ -static INLINE void DCE2_SetPortRange(uint8_t *port_array, uint16_t lo_port, uint16_t hi_port) +static inline void DCE2_SetPortRange(uint8_t *port_array, uint16_t lo_port, uint16_t hi_port) { unsigned int i; @@ -746,7 +809,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_ClearPorts(uint8_t *port_array) +static inline void DCE2_ClearPorts(uint8_t *port_array) { memset(port_array, 0, DCE2_PORTS__MAX_INDEX); } @@ -771,7 +834,7 @@ * 0 if not a valid word character. * ********************************************************************/ -static INLINE int DCE2_IsWordChar(const char c, const DCE2_WordCharPosition pos) +static inline int DCE2_IsWordChar(const char c, const DCE2_WordCharPosition pos) { if (pos == DCE2_WORD_CHAR_POSITION__START) { @@ -814,7 +877,7 @@ * 0 if not a valid list separator character. * ********************************************************************/ -static INLINE int DCE2_IsListSepChar(const char c) +static inline int DCE2_IsListSepChar(const char c) { if (c == DCE2_CFG_TOK__LIST_SEP) return 1; return 0; 
@@ -836,7 +899,7 @@ * 0 if not a valid option end character. * ********************************************************************/ -static INLINE int DCE2_IsOptEndChar(const char c) +static inline int DCE2_IsOptEndChar(const char c) { if (c == DCE2_CFG_TOK__OPT_SEP) return 1; return 0; @@ -858,7 +921,7 @@ * 0 if not a valid space character. * ********************************************************************/ -static INLINE int DCE2_IsSpaceChar(const char c) +static inline int DCE2_IsSpaceChar(const char c) { if (isspace((int)c)) return 1; return 0; @@ -881,7 +944,7 @@ * 0 if not a valid end of configuration character. * ********************************************************************/ -static INLINE int DCE2_IsConfigEndChar(const char c) +static inline int DCE2_IsConfigEndChar(const char c) { if (c == DCE2_CFG_TOK__END) return 1; return 0; @@ -903,7 +966,7 @@ * 0 if not a valid port character. * ********************************************************************/ -static INLINE int DCE2_IsPortChar(const char c) +static inline int DCE2_IsPortChar(const char c) { if (isdigit((int)c)) return 1; return 0; @@ -925,7 +988,7 @@ * 0 if not a valid port range character. * ********************************************************************/ -static INLINE int DCE2_IsPortRangeChar(const char c) +static inline int DCE2_IsPortRangeChar(const char c) { if (c == DCE2_CFG_TOK__PORT_RANGE) return 1; return 0; @@ -948,7 +1011,7 @@ * 0 if not a valid DCE/RPC opnum character. * ********************************************************************/ -static INLINE int DCE2_IsOpnumChar(const char c) +static inline int DCE2_IsOpnumChar(const char c) { if (isdigit((int)c)) return 1; return 0; 
@@ -970,7 +1033,7 @@ * 0 if not a valid DCE/RPC opnum range character. * ********************************************************************/ -static INLINE int DCE2_IsOpnumRangeChar(const char c) +static inline int DCE2_IsOpnumRangeChar(const char c) { if (c == DCE2_CFG_TOK__OPNUM_RANGE) return 1; return 0; @@ -992,7 +1055,7 @@ * 0 if not a valid start of list character. * ********************************************************************/ -static INLINE int DCE2_IsListStartChar(const char c) +static inline int DCE2_IsListStartChar(const char c) { if (c == DCE2_CFG_TOK__LIST_START) return 1; return 0; @@ -1014,7 +1077,7 @@ * 0 if not a valid end of list character. * ********************************************************************/ -static INLINE int DCE2_IsListEndChar(const char c) +static inline int DCE2_IsListEndChar(const char c) { if (c == DCE2_CFG_TOK__LIST_END) return 1; return 0; @@ -1036,7 +1099,7 @@ * 0 if not a valid quote character. * ********************************************************************/ -static INLINE int DCE2_IsQuoteChar(const char c) +static inline int DCE2_IsQuoteChar(const char c) { if (c == DCE2_CFG_TOK__QUOTE) return 1; return 0; @@ -1058,7 +1121,7 @@ * 0 if not a valid IP character. * ********************************************************************/ -static INLINE int DCE2_IsIpChar(const char c) +static inline int DCE2_IsIpChar(const char c) { if (isxdigit((int)c) || (c == DCE2_CFG_TOK__IP6_TET_SEP) || @@ -1088,7 +1151,7 @@ * 0 if not a valid graphical character. * ********************************************************************/ -static INLINE int DCE2_IsGraphChar(const char c) +static inline int DCE2_IsGraphChar(const char c) { if (!DCE2_IsListStartChar(c) && !DCE2_IsListEndChar(c) && !DCE2_IsQuoteChar(c) && !DCE2_IsListSepChar(c) && 
@@ -1102,7 +1165,7 @@ * Function: DCE2_CheckAndSetMask() * * Checks to see if a flag passed in is already set in the mask - * passed in. If it is, error is returned. If it is not, the + * passed in. If it is, error is returned. If it is not, the * flag is set in the mask. * * Arguments: @@ -1117,7 +1180,7 @@ * DCE2_RET__SUCCESS if the flag is not already set in the mask. * *********************************************************************/ -static INLINE DCE2_Ret DCE2_CheckAndSetMask(int flag, int *mask) +static inline DCE2_Ret DCE2_CheckAndSetMask(int flag, int *mask) { if (*mask & flag) return DCE2_RET__ERROR; diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_debug.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_debug.c --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_debug.c 2009-05-06 22:28:52.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_debug.c 2011-10-26 18:28:52.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -16,21 +16,29 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - **************************************************************************** + **************************************************************************** * Provides functions for debugging the preprocessor. * * 8/17/2008 - Initial implementation ... Todd Wease * ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + +#ifdef HAVE_STDINT_H +#include +#endif /* HAVE_CONFIG_H */ -#include "dce2_debug.h" -#include "dce2_utils.h" -#include "sf_types.h" #include #include #include #include +#include "sf_types.h" +#include "dce2_debug.h" +#include "dce2_utils.h" + /******************************************************************** * Function: DCE2_GetDebugLevel() * @@ -60,7 +68,7 @@ { char *endptr; - debug_level = strtoul(value, &endptr, 0); + debug_level = _dpd.SnortStrtoul(value, &endptr, 0); if ((errno == ERANGE) || (*endptr != '\0')) { DCE2_Log(DCE2_LOG_TYPE__WARN, diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_debug.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_debug.h --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_debug.h 2009-05-06 22:28:52.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_debug.h 2011-07-13 22:44:51.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
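Review bot: The closing comment on the new `#endif` that ends the `HAVE_STDINT_H` guard reads `/* HAVE_CONFIG_H */`, which labels the wrong conditional; it should be `#endif /* HAVE_STDINT_H */`. The `#ifdef HAVE_CONFIG_H` block just above is labelled correctly, so the two closing comments now contradict each other at a glance.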
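Review bot: `errno` is compared with `ERANGE` right after `_dpd.SnortStrtoul(value, &endptr, 0)` without being cleared beforehand, so a stale `ERANGE` left by an earlier library call would be reported as an overflow of this value; unless SnortStrtoul zeroes errno itself (not visible here), add `errno = 0;` immediately before the call. The original strtoul call had the same gap, and this hunk is the natural place to close it. The enclosing function begins before the hunk and its body continues past it.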
@@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - **************************************************************************** + **************************************************************************** * Provides macros and functions for debugging the preprocessor. * If Snort is not configured to do debugging, macros are empty. * @@ -27,8 +27,6 @@ #ifndef _DCE2_DEBUG_H_ #define _DCE2_DEBUG_H_ -#include "debug.h" -#include "sf_types.h" #include /******************************************************************** @@ -54,6 +52,7 @@ #define DCE2_DEBUG__MEMORY 0x00000040 #define DCE2_DEBUG__HTTP 0x00000080 #define DCE2_DEBUG__CL 0x00000100 +#define DCE2_DEBUG__PAF 0x00000200 #define DCE2_DEBUG__ALL 0xffffffff #define DCE2_DEBUG__START_MSG "DCE/RPC Start ********************************************" @@ -62,10 +61,14 @@ #ifdef DEBUG #include #define DCE2_ASSERT(code) assert(code) +#else +#define DCE2_ASSERT(code) +#endif + +#ifdef DEBUG_MSGS #define DCE2_DEBUG_VAR(code) code #define DCE2_DEBUG_CODE(level, code) { if (DCE2_DebugThis(level)) { code } } #else -#define DCE2_ASSERT(code) #define DCE2_DEBUG_VAR(code) #define DCE2_DEBUG_CODE(level, code) #endif diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_event.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_event.c --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_event.c 2009-07-07 15:37:06.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_event.c 2011-06-08 00:33:11.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
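Review bot: `DCE2_DEBUG_CODE(level, code)` in the new `DEBUG_MSGS` branch expands to a bare brace block, so `if (x) DCE2_DEBUG_CODE(l, c); else ...` fails to compile (the `;` after `}` terminates the if) and debug and non-debug builds parse such a call differently. Provided call sites already terminate the macro with a semicolon, the conventional form `#define DCE2_DEBUG_CODE(level, code) do { if (DCE2_DebugThis(level)) { code } } while (0)` removes the hazard. Since `DCE2_ASSERT` now follows `DEBUG` while the message macros follow `DEBUG_MSGS`, a one-line comment above `#ifdef DEBUG_MSGS` noting that assertions remain active in a plain `DEBUG` build would help readers who expect the two switches to move together.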
@@ -16,13 +16,18 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - **************************************************************************** + **************************************************************************** * Handles processing of events generated by the preprocessor. * * 8/17/2008 - Initial implementation ... Todd Wease * ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "dce2_event.h" #include "dce2_memory.h" #include "dce2_config.h" @@ -44,15 +49,12 @@ static char dce2_event_bufs[DCE2_EVENT__MAX][256]; /* Used to hold event information */ static DCE2_EventNode dce2_events[DCE2_EVENT__MAX]; -/* Used for matching a command string to a command code */ -char *dce2_smb_coms[256]; /* Used for matching a pdu string to a pdu type */ char *dce2_pdu_types[DCERPC_PDU_TYPE__MAX]; /******************************************************************** * Extern variables ********************************************************************/ -extern DynamicPreprocessorData _dpd; extern DCE2_Stats dce2_stats; /****************************************************************** @@ -61,10 +63,10 @@ * Initializes global data. * * Arguments: None - * + * * Returns: None * - ******************************************************************/ + ******************************************************************/ void DCE2_EventsInit(void) { DCE2_Event event; 
@@ -95,32 +97,32 @@ { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_BAD_ID, - "SMB - Bad SMB Id (not \\xffSMB)" + "SMB - Bad SMB Id (not \\xffSMB for SMB1 or not \\xfeSMB for SMB2)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_BAD_WCT, - "SMB - %s: Bad word count: %u" + "SMB - Bad word count or structure size: %u" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_BAD_BCC, - "SMB - %s: Bad byte count: %u" + "SMB - Bad byte count: %u" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_BAD_FORMAT, - "SMB - %s: Bad format type: %u" + "SMB - Bad format type: %u" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_BAD_OFF, - "SMB - %s: Bad offset: %p not between %p and %p" + "SMB - Bad offset: %p not between %p and %p" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_TDCNT_ZERO, - "SMB - %s: Zero total data count" + "SMB - Zero total data count" }, { DCE2_EVENT_FLAG__SMB, 
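Review bot: The `%s` command-name argument is dropped from every SMB format string in this hunk (and from those in the hunk at `-130,47`), but nothing in the diff shows that the corresponding `DCE2_Alert` call sites stopped passing that argument; because the formats live in a table and `DCE2_Alert` is variadic (its signature appears at `-514`), `-Wformat` cannot catch a caller that still passes the string, and the `%u` conversion would then consume the pointer instead of the count. If any caller was missed in this release, the alert text silently reports the wrong value. A comment above the `events[]` table, such as `/* The conversions in each format must match the arguments its DCE2_Alert() callers pass; this is not checked by the compiler. */`, would make the contract explicit.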
@@ -130,47 +132,47 @@ { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_NB_LT_COM, - "SMB - %s: Remaining NetBIOS data length (%u) less than command length (%u)" + "SMB - Remaining NetBIOS data length (%u) less than command length (%u)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_NB_LT_BCC, - "SMB - %s: Remaining NetBIOS data length (%u) less than command byte count (%u)" + "SMB - Remaining NetBIOS data length (%u) less than command byte count (%u)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_NB_LT_DSIZE, - "SMB - %s: Remaining NetBIOS data length (%u) less than command data size (%u)" + "SMB - Remaining NetBIOS data length (%u) less than command data size (%u)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_TDCNT_LT_DSIZE, - "SMB - %s: Remaining total data count (%u) less than this command data size (%u)" + "SMB - Remaining total data count (%u) less than this command data size (%u)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_DSENT_GT_TDCNT, - "SMB - %s: Total data sent (%u) greater than command total data expected (%u)" + "SMB - Total data sent (%u) greater than command total data expected (%u)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_BCC_LT_DSIZE, - "SMB - %s: Byte count (%u) less than command data size (%u)" + "SMB - Byte count (%u) less than command data size (%u)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_INVALID_DSIZE, - "SMB - %s: Invalid command data size (%u) for byte count (%u)" + "SMB - Invalid command data size (%u) for byte count (%u)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_EXCESSIVE_TREE_CONNECTS, - "SMB - %s: Excessive Tree Connect requests (>%u) with pending Tree Connect responses" + "SMB - Excessive Tree Connect requests (>%u) with pending Tree Connect responses" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_EXCESSIVE_READS, - "SMB - %s: Excessive Read requests (>%u) with pending Read responses" + "SMB - Excessive Read requests (>%u) with pending Read responses" }, { DCE2_EVENT_FLAG__SMB, 
@@ -190,17 +192,17 @@ { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_CHAIN_SS_LOGOFF, - "SMB - Chained login followed by logoff" + "SMB - Chained/Compounded login followed by logoff" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_CHAIN_TC_TDIS, - "SMB - Chained tree connect followed by tree disconnect" + "SMB - Chained/Compounded tree connect followed by tree disconnect" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_CHAIN_OPEN_CLOSE, - "SMB - Chained open pipe followed by close pipe" + "SMB - Chained/Compounded open pipe followed by close pipe" }, { DCE2_EVENT_FLAG__SMB, @@ -297,12 +299,32 @@ DCE2_EVENT__CL_BAD_SEQ_NUM, "Connection-less DCE/RPC - %s: Bad sequence number" }, + { + DCE2_EVENT_FLAG__SMB, + DCE2_EVENT__SMB_V1, + "SMB - Invalid SMB version 1 seen" + }, + { + DCE2_EVENT_FLAG__SMB, + DCE2_EVENT__SMB_V2, + "SMB - Invalid SMB version 2 seen" + }, + { + DCE2_EVENT_FLAG__SMB, + DCE2_EVENT__SMB_INVALID_BINDING, + "SMB - Invalid user, tree connect, file binding" + }, + { + DCE2_EVENT_FLAG__SMB, + DCE2_EVENT__SMB2_EXCESSIVE_COMPOUNDING, + "SMB - Excessive command compounding (>%u)" + }, }; snprintf(gname, sizeof(gname) - 1, "(%s) ", DCE2_GNAME); gname[sizeof(gname) - 1] = '\0'; - for (event = 0; event < DCE2_EVENT__MAX; event++) + for (event = DCE2_EVENT__NO_EVENT; event < DCE2_EVENT__MAX; event++) { int size = strlen(gname) + strlen(events[event].format) + 1; 
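Review bot: The loop now starts at `DCE2_EVENT__NO_EVENT` and indexes `events[event]` positionally, so the four entries appended to the table here must sit at exactly the same offsets as the four values appended to `DCE2_Event`; they do in this diff, but nothing enforces it. A guard at the top of the loop body, `DCE2_ASSERT(events[event].event == event);`, would catch a future entry added out of order before it yields a mismatched alert text. The `snprintf(gname, sizeof(gname) - 1, ...)` followed by a manual NUL store in the context lines is also redundant, since `snprintf` with the full `sizeof(gname)` already terminates the buffer. The loop body continues outside the hunk.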
@@ -333,88 +355,6 @@ dce2_events[event].event = events[event].event; } - for (i = 0; i < (sizeof(dce2_smb_coms) / sizeof(char *)); i++) - { - char *com; - - switch (i) - { - case SMB_COM_OPEN: - com = "Open"; - break; - case SMB_COM_CLOSE: - com = "Close"; - break; - case SMB_COM_READ: - com = "Read"; - break; - case SMB_COM_WRITE: - com = "Write"; - break; - case SMB_COM_READ_BLOCK_RAW: - com = "Read Block Raw"; - break; - case SMB_COM_WRITE_BLOCK_RAW: - com = "Write Block Raw"; - break; - case SMB_COM_WRITE_COMPLETE: - com = "Write Complete"; - break; - case SMB_COM_TRANS: - com = "Transaction"; - break; - case SMB_COM_TRANS_SEC: - com = "Transaction Secondary"; - break; - case SMB_COM_WRITE_AND_CLOSE: - com = "Write and Close"; - break; - case SMB_COM_OPEN_ANDX: - com = "Open AndX"; - break; - case SMB_COM_READ_ANDX: - com = "Read AndX"; - break; - case SMB_COM_WRITE_ANDX: - com = "Write AndX"; - break; - case SMB_COM_NT_CREATE_ANDX: - com = "Nt Create AndX"; - break; - case SMB_COM_TREE_CON: - com = "Tree Connect"; - break; - case SMB_COM_TREE_DIS: - com = "Tree Disconnect"; - break; - case SMB_COM_NEGPROT: - com = "Negotiate Protocol"; - break; - case SMB_COM_SESS_SETUP_ANDX: - com = "Session Setup AndX"; - break; - case SMB_COM_LOGOFF_ANDX: - com = "Logoff AndX"; - break; - case SMB_COM_TREE_CON_ANDX: - com = "Tree Connect AndX"; - break; - case SMB_COM_RENAME: - com = "Rename"; - break; - default: - com = "Unknown SMB command"; - break; - } - - dce2_smb_coms[i] = (char *)DCE2_Alloc(strlen(com) + 1, DCE2_MEM_TYPE__INIT); - strncpy(dce2_smb_coms[i], com, strlen(com)); - dce2_smb_coms[i][strlen(com)] = '\0'; -#ifdef DCE2_EVENT_PRINT_DEBUG - printf("%s\n", dce2_smb_coms[i]); -#endif - } - for (i = 0; i < (sizeof(dce2_pdu_types) / sizeof(char *)); i++) { char *type; 
@@ -514,10 +454,10 @@ * The event type that was triggered. * ... * The arguments to the format for the event. - * + * * Returns: None * - ******************************************************************/ + ******************************************************************/ void DCE2_Alert(DCE2_SsnData *sd, DCE2_Event e, ...) { va_list ap; @@ -556,10 +496,10 @@ * Frees any global data that was dynamically allocated. * * Arguments: None - * + * * Returns: None * - ******************************************************************/ + ******************************************************************/ void DCE2_EventsFree(void) { unsigned int i; @@ -573,15 +513,6 @@ } } - for (i = 0; i < (sizeof(dce2_smb_coms) / sizeof(char *)); i++) - { - if (dce2_smb_coms[i] != NULL) - { - DCE2_Free((void *)dce2_smb_coms[i], strlen(dce2_smb_coms[i]) + 1, DCE2_MEM_TYPE__INIT); - dce2_smb_coms[i] = NULL; - } - } - for (i = 0; i < (sizeof(dce2_pdu_types) / sizeof(char *)); i++) { if (dce2_pdu_types[i] != NULL) diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_event.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_event.h --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_event.h 2009-05-06 22:28:52.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_event.h 2011-06-08 00:33:11.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - **************************************************************************** + **************************************************************************** * Handles processing of events generated by the preprocessor. * * 8/17/2008 - Initial implementation ... Todd Wease @@ -28,7 +28,7 @@ #include "dce2_session.h" #include "dce2_config.h" -#include "debug.h" +#include "snort_debug.h" #include "sf_types.h" /******************************************************************** @@ -89,6 +89,10 @@ DCE2_EVENT__CL_BAD_PDU_TYPE, DCE2_EVENT__CL_DATA_LT_HDR, DCE2_EVENT__CL_BAD_SEQ_NUM, + DCE2_EVENT__SMB_V1, + DCE2_EVENT__SMB_V2, + DCE2_EVENT__SMB_INVALID_BINDING, + DCE2_EVENT__SMB2_EXCESSIVE_COMPOUNDING, DCE2_EVENT__MAX } DCE2_Event; @@ -114,7 +118,7 @@ /******************************************************************** * Inline Function Prototypes ********************************************************************/ -static INLINE int DCE2_SsnAlerted(DCE2_SsnData *, DCE2_Event); +static inline int DCE2_SsnAlerted(DCE2_SsnData *, DCE2_Event); /****************************************************************** * Function: DCE2_SsnAlerted() @@ -127,7 +131,7 @@ * The session data structure. * DCE2_Event * The event to check for. - * + * * Returns: * int * 1 if we have already alerted for this event type on this 
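Review bot: Four values are appended to `DCE2_Event` here, but `DCE2_SsnAlerted` (in the hunk at `-135` just below) tests `sd->alert_mask & (1 << e)` with an `int` shift, so for any event whose value is 31 or greater the shift is undefined behaviour and in practice can never match the upper bits of a wider mask, which would silently disable the per-session "already alerted" suppression for those events. Whether the enum has already crossed that boundary cannot be confirmed from the hunk, since its start lies outside it; if it has, the shift should use a constant as wide as `alert_mask`, e.g. `if (sd->alert_mask & ((uint64_t)1 << e)) return 1;` if the mask is 64-bit, together with the matching change where the bit is set (not visible here), or a static check that `DCE2_EVENT__MAX` fits the mask should sit next to the enum.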
@@ -135,8 +139,8 @@ * 0 if we have not alerted for this event type on this * session. * - ******************************************************************/ -static INLINE int DCE2_SsnAlerted(DCE2_SsnData *sd, DCE2_Event e) + ******************************************************************/ +static inline int DCE2_SsnAlerted(DCE2_SsnData *sd, DCE2_Event e) { if (sd->alert_mask & (1 << e)) return 1; return 0; diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_http.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_http.c --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_http.c 2009-05-06 22:28:52.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_http.c 2011-06-08 00:33:11.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,11 +18,16 @@ * **************************************************************************** * Provides session handling of an RPC over HTTP transport. - * + * * 8/17/2008 - Initial implementation ... Todd Wease * ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "dce2_http.h" #include "snort_dce2.h" #include "dce2_co.h" @@ -34,7 +39,6 @@ /******************************************************************** * Extern variables ********************************************************************/ -extern DynamicPreprocessorData _dpd; extern DCE2_Stats dce2_stats; /******************************************************************** 
@@ -74,7 +78,7 @@ /******************************************************************** * Function: DCE2_HttpProxySsnInit() * - * Wrapper around main session data initialization. Adds + * Wrapper around main session data initialization. Adds * statistical info for a proxy specific rpc over http session. * * Arguments: None @@ -100,7 +104,7 @@ /******************************************************************** * Function: DCE2_HttpServerSsnInit() * - * Wrapper around main session data initialization. Adds + * Wrapper around main session data initialization. Adds * statistical info for a server specific rpc over http session. * * Arguments: None diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_http.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_http.h --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_http.h 2009-01-26 16:26:13.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_http.h 2011-06-08 00:33:11.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,9 +18,9 @@ * **************************************************************************** * Provides session handling of an RPC over HTTP transport. - * + * * 8/17/2008 - Initial implementation ... Todd Wease - * + * ****************************************************************************/ #ifndef _DCE2_HTTP_H_ 
@@ -65,9 +65,9 @@ /******************************************************************** * Inline function prototypes ********************************************************************/ -static INLINE DCE2_TransType DCE2_HttpAutodetectProxy(const SFSnortPacket *); -static INLINE DCE2_TransType DCE2_HttpAutodetectServer(const SFSnortPacket *); -static INLINE int DCE2_HttpDecode(const SFSnortPacket *); +static inline DCE2_TransType DCE2_HttpAutodetectProxy(const SFSnortPacket *); +static inline DCE2_TransType DCE2_HttpAutodetectServer(const SFSnortPacket *); +static inline int DCE2_HttpDecode(const SFSnortPacket *); /******************************************************************** * Public function prototypes @@ -95,7 +95,7 @@ * DCE2_TRANS_TYPE__NONE if a proxy is not autodetected. * ********************************************************************/ -static INLINE DCE2_TransType DCE2_HttpAutodetectProxy(const SFSnortPacket *p) +static inline DCE2_TransType DCE2_HttpAutodetectProxy(const SFSnortPacket *p) { const char *buf = NULL; int buf_len = 0; @@ -141,7 +141,7 @@ * DCE2_TRANS_TYPE__NONE if a server is not autodetected. * ********************************************************************/ -static INLINE DCE2_TransType DCE2_HttpAutodetectServer(const SFSnortPacket *p) +static inline DCE2_TransType DCE2_HttpAutodetectServer(const SFSnortPacket *p) { if (DCE2_SsnFromClient(p)) return DCE2_TRANS_TYPE__NONE; 
@@ -172,7 +172,7 @@ * Zero if the packet was not http_inspect decoded * ********************************************************************/ -static INLINE int DCE2_HttpDecode(const SFSnortPacket *p) +static inline int DCE2_HttpDecode(const SFSnortPacket *p) { return p->flags & FLAG_HTTP_DECODE; } diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_list.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_list.c --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_list.c 2009-01-26 16:05:54.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_list.c 2011-06-08 00:33:12.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -16,14 +16,19 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - **************************************************************************** + **************************************************************************** * Provides list, queue and stack data structures and methods for use * with the preprocessor. - * + * * 8/17/2008 - Initial implementation ... Todd Wease * ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "dce2_list.h" #include "dce2_memory.h" #include "dce2_debug.h" @@ -108,7 +113,7 @@ * * Returns: * void * - * If the key is found, the data associated with the node + * If the key is found, the data associated with the node * is returned. * NULL is returned if the item cannot be found given the key. * 
@@ -249,7 +254,7 @@ * in the list and no duplicates are allowed. * DCE2_RET__SUCCESS if a new node with key and data is * successfully inserted into the list. - * DCE2_RET__ERROR if memory cannot be allocated for the + * DCE2_RET__ERROR if memory cannot be allocated for the * new node or a NULL list object was passed in. * ********************************************************************/ @@ -329,7 +334,7 @@ /******************************************************************** * Function: DCE2_ListRemove() * - * Removes the node in the list with the specified key. If + * Removes the node in the list with the specified key. If * data free and key free functions were given with the creation * of the list object, they are called with the data and key * respectively. @@ -369,7 +374,7 @@ return DCE2_RET__ERROR; } } - + if (n == NULL) return DCE2_RET__ERROR; @@ -381,7 +386,7 @@ n->prev->next = n->next; if (n->next != NULL) n->next->prev = n->prev; - + if (list->key_free != NULL) list->key_free(n->key); @@ -432,7 +437,7 @@ * * Increments the current pointer in the list to the next node in * the list and returns the data associated with it. This in - * combination with DCE2_ListFirst is useful in a for loop to + * combination with DCE2_ListFirst is useful in a for loop to * iterate over the items in a list. * * Arguments: @@ -503,7 +508,7 @@ * * Puts the current pointer in the list to the previous node in * the list and returns the data associated with it. This in - * combination with DCE2_ListLast is useful in a for loop to + * combination with DCE2_ListLast is useful in a for loop to * iterate over the items in a list in backwards order. * * Arguments: @@ -574,7 +579,7 @@ list->current->prev->next = list->current->next; if (list->current->next != NULL) list->current->next->prev = list->current->prev; - + if (list->key_free != NULL) list->key_free(list->current->key); 
@@ -942,7 +947,7 @@ * * Increments the current pointer in the queue to the next node in * the queue and returns the data associated with it. This in - * combination with DCE2_QueueFirst is useful in a for loop to + * combination with DCE2_QueueFirst is useful in a for loop to * iterate over the items in a queue. * * Arguments: @@ -1007,7 +1012,7 @@ * * Puts the current pointer in the queue to the previous node in * the queue and returns the data associated with it. This in - * combination with DCE2_QueueLast is useful in a for loop to + * combination with DCE2_QueueLast is useful in a for loop to * iterate over the items in a queue in backwards order. * * Arguments: @@ -1261,7 +1266,7 @@ * * Increments the current pointer in the stack to the next node in * the stack and returns the data associated with it. This in - * combination with DCE2_StackFirst is useful in a for loop to + * combination with DCE2_StackFirst is useful in a for loop to * iterate over the items in a stack. * * Arguments: @@ -1326,7 +1331,7 @@ * * Puts the current pointer in the stack to the previous node in * the stack and returns the data associated with it. This in - * combination with DCE2_StackLast is useful in a for loop to + * combination with DCE2_StackLast is useful in a for loop to * iterate over the items in a stack in backwards order. * * Arguments: @@ -1418,7 +1423,7 @@ * Function: DCE2_CQueueNew() * * Creates and initializes a new circular queue object. The - * circular queue uses a fixed size array and uses indexes to + * circular queue uses a fixed size array and uses indexes to * indicate the start and end of the queue. This type of * queue can become full since it is a fixed size. Used for * performance reasons since new nodes do not need to be @@ -1446,7 +1451,7 @@ DCE2_CQueue * DCE2_CQueueNew(int size, DCE2_CQueueDataFree df, DCE2_MemType mtype) { DCE2_CQueue *cqueue; - + if (size <= 0) return NULL; 
@@ -1595,7 +1600,7 @@ * * Increments the current index in the queue to the next node in * the queue and returns the data associated with it. This in - * combination with DCE2_CQueueFirst is useful in a for loop to + * combination with DCE2_CQueueFirst is useful in a for loop to * iterate over the items in a queue. * * Arguments: @@ -1691,7 +1696,7 @@ * Function: DCE2_CStackNew() * * Creates and initializes a new static sized stack object. The - * static stack uses a fixed size array and uses indexes to + * static stack uses a fixed size array and uses indexes to * indicate the start and end of the stack. This type of * stack can become full since it is a fixed size. Used for * performance reasons since new nodes do not need to be @@ -1888,7 +1893,7 @@ * * Increments the current index in the stack to the next node in * the stack and returns the data associated with it. This in - * combination with DCE2_CStackFirst is useful in a for loop to + * combination with DCE2_CStackFirst is useful in a for loop to * iterate over the items in a stack. * * Arguments: diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_list.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_list.h --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_list.h 2009-05-06 22:28:53.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_list.h 2011-06-08 00:33:12.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -16,10 +16,10 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - **************************************************************************** + **************************************************************************** * Provides list, queue and stack data structures and methods for use * with the preprocessor. - * + * * 8/17/2008 - Initial implementation ... Todd Wease * ****************************************************************************/ @@ -30,7 +30,7 @@ #include "dce2_memory.h" #include "dce2_utils.h" #include "sf_types.h" -#include "debug.h" +#include "snort_debug.h" /******************************************************************** * Enumerations @@ -78,7 +78,7 @@ DCE2_ListKeyCompare compare; DCE2_ListDataFree data_free; DCE2_ListKeyFree key_free; - DCE2_ListFlags flags; + int flags; struct _DCE2_ListNode *head; struct _DCE2_ListNode *tail; struct _DCE2_ListNode *current; @@ -173,7 +173,7 @@ void * DCE2_ListLast(DCE2_List *); void * DCE2_ListPrev(DCE2_List *); void DCE2_ListRemoveCurrent(DCE2_List *); -static INLINE int DCE2_ListIsEmpty(DCE2_List *); +static inline int DCE2_ListIsEmpty(DCE2_List *); void DCE2_ListEmpty(DCE2_List *); void DCE2_ListDestroy(DCE2_List *); @@ -184,7 +184,7 @@ void * DCE2_QueueNext(DCE2_Queue *); void * DCE2_QueueLast(DCE2_Queue *); void * DCE2_QueuePrev(DCE2_Queue *); -static INLINE int DCE2_QueueIsEmpty(DCE2_Queue *); +static inline int DCE2_QueueIsEmpty(DCE2_Queue *); void DCE2_QueueEmpty(DCE2_Queue *); void DCE2_QueueDestroy(DCE2_Queue *); @@ -195,7 +195,7 @@ void * DCE2_StackNext(DCE2_Stack *); void * DCE2_StackLast(DCE2_Stack *); void * DCE2_StackPrev(DCE2_Stack *); -static INLINE int DCE2_StackIsEmpty(DCE2_Stack *); +static inline int DCE2_StackIsEmpty(DCE2_Stack *); void DCE2_StackEmpty(DCE2_Stack *); void DCE2_StackDestroy(DCE2_Stack *); 
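Review bot: The `flags` field of the list struct changes from `DCE2_ListFlags` to plain `int` with no comment, which drops the only hint that the value is a set of OR'd `DCE2_ListFlags` bits rather than a single enumerator. A short comment on the field, `int flags; /* bitwise OR of DCE2_ListFlags values */`, keeps that information where a reader of the struct will see it. The struct's declaration begins before the hunk.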
@@ -204,7 +204,7 @@ void * DCE2_CQueueDequeue(DCE2_CQueue *); void * DCE2_CQueueFirst(DCE2_CQueue *); void * DCE2_CQueueNext(DCE2_CQueue *); -static INLINE int DCE2_CQueueIsEmpty(DCE2_CQueue *); +static inline int DCE2_CQueueIsEmpty(DCE2_CQueue *); void DCE2_CQueueEmpty(DCE2_CQueue *); void DCE2_CQueueDestroy(DCE2_CQueue *); @@ -214,7 +214,7 @@ void * DCE2_CStackTop(DCE2_CStack *); void * DCE2_CStackFirst(DCE2_CStack *); void * DCE2_CStackNext(DCE2_CStack *); -static INLINE int DCE2_CStackIsEmpty(DCE2_CStack *); +static inline int DCE2_CStackIsEmpty(DCE2_CStack *); void DCE2_CStackEmpty(DCE2_CStack *); void DCE2_CStackDestroy(DCE2_CStack *); @@ -235,7 +235,7 @@ * 0 if the list has one or more nodes in it. * ********************************************************************/ -static INLINE int DCE2_ListIsEmpty(DCE2_List *list) +static inline int DCE2_ListIsEmpty(DCE2_List *list) { if (list == NULL) return 1; if (list->num_nodes == 0) return 1; @@ -259,7 +259,7 @@ * 0 if the queue has one or more nodes in it. * ********************************************************************/ -static INLINE int DCE2_QueueIsEmpty(DCE2_Queue *queue) +static inline int DCE2_QueueIsEmpty(DCE2_Queue *queue) { if (queue == NULL) return 1; if (queue->num_nodes == 0) return 1; @@ -283,7 +283,7 @@ * 0 if the stack has one or more nodes in it. * ********************************************************************/ -static INLINE int DCE2_StackIsEmpty(DCE2_Stack *stack) +static inline int DCE2_StackIsEmpty(DCE2_Stack *stack) { if (stack == NULL) return 1; if (stack->num_nodes == 0) return 1; @@ -307,7 +307,7 @@ * 0 if the queue has one or more nodes in it. * ********************************************************************/ -static INLINE int DCE2_CQueueIsEmpty(DCE2_CQueue *cqueue) +static inline int DCE2_CQueueIsEmpty(DCE2_CQueue *cqueue) { if (cqueue == NULL) return 1; if (cqueue->num_nodes == 0) return 1; 
@@ -331,7 +331,7 @@ * 0 if the stack has one or more nodes in it. * ********************************************************************/ -static INLINE int DCE2_CStackIsEmpty(DCE2_CStack *cstack) +static inline int DCE2_CStackIsEmpty(DCE2_CStack *cstack) { if (cstack == NULL) return 1; if (cstack->num_nodes == 0) return 1; diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_memory.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_memory.c --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_memory.c 2009-01-26 16:05:54.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_memory.c 2011-10-26 18:28:52.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -16,10 +16,15 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - **************************************************************************** + **************************************************************************** * ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "dce2_memory.h" #include "dce2_utils.h" #include "dce2_config.h" 
@@ -483,9 +488,6 @@ DCE2_UnRegMem(size, mtype); free(mem); - - if (dce2_mem_state == DCE2_MEM_STATE__MEMCAP) - dce2_mem_state = DCE2_MEM_STATE__OKAY; } /******************************************************************** diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_memory.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_memory.h --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_memory.h 2009-01-26 16:26:13.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_memory.h 2011-06-08 00:33:12.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -23,8 +23,6 @@ #ifndef _DCE2_MEMORY_H_ #define _DCE2_MEMORY_H_ -#include "sf_types.h" - /******************************************************************** * Enumerations ********************************************************************/ diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_paf.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_paf.c --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_paf.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_paf.c 2011-10-26 18:28:52.000000000 +0000 
@@ -0,0 +1,502 @@ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +#include "sf_types.h" +#include "sfPolicy.h" +#include "sf_dynamic_preprocessor.h" +#include "stream_api.h" +#include "dce2_utils.h" +#include "dce2_session.h" +#include "dce2_smb.h" +#include "snort_dce2.h" +#include "includes/dcerpc.h" +#include "includes/smb.h" + +#ifdef ENABLE_PAF + +#define DCE2_SMB_PAF_SHIFT(x64, x8) { x64 <<= 8; x64 |= (uint64_t)x8; } + +extern DCE2_ProtoIds dce2_proto_ids; + +// Enumerations for PAF states +typedef enum _DCE2_PafSmbStates +{ + DCE2_PAF_SMB_STATES__0 = 0, // NetBIOS type + DCE2_PAF_SMB_STATES__1, // Added bit of NetBIOS length + DCE2_PAF_SMB_STATES__2, // First byte of NetBIOS length + DCE2_PAF_SMB_STATES__3, // Second byte of NetBIOS length + // Junk states + DCE2_PAF_SMB_STATES__4, // 0xff + DCE2_PAF_SMB_STATES__5, // 'S' + DCE2_PAF_SMB_STATES__6, // 'M' + DCE2_PAF_SMB_STATES__7 // 'B' + +} DCE2_PafSmbStates; + +typedef enum _DCE2_PafTcpStates +{ + DCE2_PAF_TCP_STATES__0 = 0, + DCE2_PAF_TCP_STATES__1, + DCE2_PAF_TCP_STATES__2, 
+ DCE2_PAF_TCP_STATES__3, + DCE2_PAF_TCP_STATES__4, // Byte order + DCE2_PAF_TCP_STATES__5, + DCE2_PAF_TCP_STATES__6, + DCE2_PAF_TCP_STATES__7, + DCE2_PAF_TCP_STATES__8, // First byte of fragment length + DCE2_PAF_TCP_STATES__9 // Second byte of fragment length + +} DCE2_PafTcpStates; + + +// State tracker for DCE/RPC over SMB PAF +typedef struct _DCE2_PafSmbState +{ + DCE2_PafSmbStates state; + uint64_t nb_hdr; // Enough for NetBIOS header and 4 bytes SMB header + +} DCE2_PafSmbState; + +// State tracker for DCE/RPC over TCP PAF +typedef struct _DCE2_PafTcpState +{ + DCE2_PafTcpStates state; + DceRpcBoFlag byte_order; + uint16_t frag_len; + +} DCE2_PafTcpState; + + +// Local function prototypes +static bool DCE2_PafSmbIsValidNetbiosHdr(uint32_t, bool); +static PAF_Status DCE2_SmbPaf(void *, void **, const uint8_t *, uint32_t, uint32_t, uint32_t *); +static PAF_Status DCE2_TcpPaf(void *, void **, const uint8_t *, uint32_t, uint32_t, uint32_t *); + + +/********************************************************************* + * Function: DCE2_PafSmbIsValidNetbiosHdr() + * + * Purpose: Validates that the NetBIOS header is valid. If in + * junk states, header type must be Session Message. 
+ * + * Arguments: + * uint32_t - the 4 bytes of the NetBIOS header + * bool - whether we're in a junk data state or not + * + * Returns: + * bool - true if valid, false if not + * + *********************************************************************/ +static bool DCE2_PafSmbIsValidNetbiosHdr(uint32_t nb_hdr, bool junk) +{ + uint8_t type = (uint8_t)(nb_hdr >> 24); + uint8_t bit = (uint8_t)((nb_hdr & 0x00ff0000) >> 16); + + if (junk) + { + if (type != NBSS_SESSION_TYPE__MESSAGE) + return false; + } + else + { + switch (type) + { + case NBSS_SESSION_TYPE__MESSAGE: + case NBSS_SESSION_TYPE__REQUEST: + case NBSS_SESSION_TYPE__POS_RESPONSE: + case NBSS_SESSION_TYPE__NEG_RESPONSE: + case NBSS_SESSION_TYPE__RETARGET_RESPONSE: + case NBSS_SESSION_TYPE__KEEP_ALIVE: + break; + default: + return false; + } + } + + if ((bit != 0x00) && (bit != 0x01)) + return false; + + return true; +} + +/********************************************************************* + * Function: DCE2_SmbPaf() + * + * Purpose: The DCE/RPC over SMB PAF callback. + * Inspects a byte at a time changing state and shifting + * bytes onto the 64bit nb_hdr member. At state 3 + * determines if NetBIOS header is valid and if so sets + * flush point. If not valid goes to states 4-7 where + * there is the possibility that junk data was inserted + * before request/response. Needs to validate SMB ID at + * this point. At state 7 determines if NetBIOS header + * is valid and that the SMB ID is present. Stays in + * state 7 until this is the case. 
+ * + * Arguments: + * void * - stream5 session pointer + * void ** - SMB state tracking structure + * const uint8_t * - payload data to inspect + * uint32_t - length of payload data + * uint32_t - flags to check whether client or server + * uint32_t * - pointer to set flush point + * + * Returns: + * PAF_Status - PAF_FLUSH if flush point found, PAF_SEARCH otherwise + * + *********************************************************************/ +PAF_Status DCE2_SmbPaf(void *ssn, void **user, const uint8_t *data, + uint32_t len, uint32_t flags, uint32_t *fp) +{ + DCE2_PafSmbState *ss = *(DCE2_PafSmbState **)user; + uint32_t n = 0; + PAF_Status ps = PAF_SEARCH; + uint32_t nb_hdr; + uint32_t nb_len; + + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "\nIn DCE2_SmbPaf: %u bytes of data\n", len)); + +#ifdef DEBUG_MSGS + if (flags & FLAG_FROM_CLIENT) + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Client\n")); + else + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Server\n")); +#endif + + if (ss == NULL) + { + // beware - we allocate here but s5 calls free() directly + // so no pointers allowed + ss = calloc(1, sizeof(DCE2_PafSmbState)); + + if (ss == NULL) + return PAF_ABORT; + + *user = ss; + } + + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Start state: %u\n", ss->state)); + + while (n < len) + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "data[n]: 0x%02x", data[n])); + +#ifdef DEBUG_MSGS + if (isprint(data[n])) + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, " : %c\n", data[n])); + else + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "\n")); +#endif + + switch (ss->state) + { + case DCE2_PAF_SMB_STATES__0: + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "State 0\n")); + ss->nb_hdr = (uint64_t)data[n]; + ss->state++; + break; + case DCE2_PAF_SMB_STATES__3: + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "State 3\n")); + DCE2_SMB_PAF_SHIFT(ss->nb_hdr, data[n]); + if (DCE2_PafSmbIsValidNetbiosHdr((uint32_t)ss->nb_hdr, false)) + { + nb_hdr = htonl((uint32_t)ss->nb_hdr); + nb_len = NbssLen((const 
NbssHdr *)&nb_hdr); + *fp = (nb_len + sizeof(NbssHdr) + n) - ss->state; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Setting flush " + "point for non-junk data: %u\n\n", *fp)); + ss->state = DCE2_PAF_SMB_STATES__0; + return PAF_FLUSH; + } + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Invalid NetBIOS header - " + "entering junk data states.\n")); + ss->state++; + break; + case DCE2_PAF_SMB_STATES__7: + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "State 7\n")); + DCE2_SMB_PAF_SHIFT(ss->nb_hdr, data[n]); + + if (!DCE2_PafSmbIsValidNetbiosHdr((uint32_t)(ss->nb_hdr >> 32), true)) + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Invalid NetBIOS header - " + "staying in State 7.\n")); + break; + } + if ((uint32_t)ss->nb_hdr != DCE2_SMB_ID) + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Invalid SMB ID - " + "staying in State 7.\n")); + break; + } + + nb_hdr = htonl((uint32_t)(ss->nb_hdr >> 32)); + nb_len = NbssLen((const NbssHdr *)&nb_hdr); + *fp = (nb_len + sizeof(NbssHdr) + n) - ss->state; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Setting flush point " + "for junk data: %u\n\n", *fp)); + ss->state = DCE2_PAF_SMB_STATES__0; + return PAF_FLUSH; + default: + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "State %u\n", ss->state)); + DCE2_SMB_PAF_SHIFT(ss->nb_hdr, data[n]); + ss->state++; + break; + } + + n++; + } + + return ps; +} + +/********************************************************************* + * Function: DCE2_TcpPaf() + * + * Purpose: The DCE/RPC over TCP PAF callback. + * Inspects a byte at a time changing state. At state 4 + * gets byte order of PDU. At states 8 and 9 gets + * fragment length and sets flush point if no more data. + * Otherwise accumulates flush points because there can + * be multiple PDUs in a single TCP segment (evasion case). 
+ * + * Arguments: + * void * - stream5 session pointer + * void ** - TCP state tracking structure + * const uint8_t * - payload data to inspect + * uint32_t - length of payload data + * uint32_t - flags to check whether client or server + * uint32_t * - pointer to set flush point + * + * Returns: + * PAF_Status - PAF_FLUSH if flush point found, PAF_SEARCH otherwise + * + *********************************************************************/ +PAF_Status DCE2_TcpPaf(void *ssn, void **user, const uint8_t *data, + uint32_t len, uint32_t flags, uint32_t *fp) +{ + DCE2_PafTcpState *ds = *(DCE2_PafTcpState **)user; + uint32_t n = 0; + int start_state; + PAF_Status ps = PAF_SEARCH; + uint32_t tmp_fp = 0; + DCE2_SsnData *sd = (DCE2_SsnData *)_dpd.streamAPI->get_application_data(ssn, PP_DCE2); + int num_requests = 0; + + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "\nIn DCE2_TcpPaf: %u bytes of data\n", len)); + + if (sd == NULL) + { + // Need packet to see if it's an autodetect port then do an autodetect + // if autodetect port and not autodetected + // return PAF_ABORT + + bool cont = false; + +#ifdef TARGET_BASED + if (_dpd.isAdaptiveConfigured(_dpd.getRuntimePolicy(), 0)) + { + int16_t proto_id = _dpd.streamAPI->get_application_protocol_id(ssn); + + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "No session data - checking adaptive " + "to see if it's DCE/RPC.\n")); + + if (proto_id == dce2_proto_ids.dcerpc) + cont = true; + } + else + { +#endif + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "No session data - autodetecting\n")); + + if (len >= sizeof(DceRpcCoHdr)) + { + DceRpcCoHdr *co_hdr = (DceRpcCoHdr *)data; + + if ((DceRpcCoVersMaj(co_hdr) == DCERPC_PROTO_MAJOR_VERS__5) && + (DceRpcCoVersMin(co_hdr) == DCERPC_PROTO_MINOR_VERS__0) && + ((DceRpcCoPduType(co_hdr) == DCERPC_PDU_TYPE__BIND) || + (DceRpcCoPduType(co_hdr) == DCERPC_PDU_TYPE__BIND_ACK)) && + (DceRpcCoFragLen(co_hdr) >= sizeof(DceRpcCoHdr))) + { + cont = true; + } + } + else if ((*data == DCERPC_PROTO_MAJOR_VERS__5) 
&& (flags & FLAG_FROM_CLIENT)) + { + cont = true; + } +#ifdef TARGET_BASED + } +#endif + + if (!cont) + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Couldn't autodetect - aborting\n")); + return PAF_ABORT; + } + + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Autodetected!\n")); + } + + if (ds == NULL) + { + // beware - we allocate here but s5 calls free() directly + // so no pointers allowed + ds = calloc(1, sizeof(DCE2_PafTcpState)); + + if (ds == NULL) + return PAF_ABORT; + + *user = ds; + } + +#ifdef DEBUG_MSGS + if (flags & FLAG_FROM_CLIENT) + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Client\n")); + else + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Server\n")); +#endif + + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Start state: %u\n", ds->state)); + start_state = (uint8_t)ds->state; // determines how many bytes already looked at + + while (n < len) + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "data[n]: 0x%02x", data[n])); + +#ifdef DEBUG_MSGS + if (isprint(data[n])) + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, " : %c\n", data[n])); + else + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "\n")); +#endif + + switch (ds->state) + { + case DCE2_PAF_TCP_STATES__4: // Get byte order + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "State 4\n")); + ds->byte_order = DceRpcByteOrder(data[n]); + ds->state++; +#ifdef DEBUG_MSGS + if (ds->byte_order == DCERPC_BO_FLAG__LITTLE_ENDIAN) + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Got byte order: Little endian\n")); + else + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Got byte order: Big endian\n")); +#endif + break; + case DCE2_PAF_TCP_STATES__8: + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "State 8\n")); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Getting first byte of frag length\n")); + if (ds->byte_order == DCERPC_BO_FLAG__LITTLE_ENDIAN) + ds->frag_len = data[n]; + else + ds->frag_len = data[n] << 8; + ds->state++; + break; + case DCE2_PAF_TCP_STATES__9: + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "State 9\n")); + if 
(ds->byte_order == DCERPC_BO_FLAG__LITTLE_ENDIAN) + ds->frag_len |= data[n] << 8; + else + ds->frag_len |= data[n]; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Getting second byte of frag length\n")); + + /* If we get a bad frag length abort */ + if (ds->frag_len < sizeof(DceRpcCoHdr)) + return PAF_ABORT; + + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Got frag_len: %u\n", ds->frag_len)); + + /* Increment n here so we can continue */ + n += ds->frag_len - (uint8_t)ds->state; + num_requests++; + /* Might have multiple PDUs in one segment. If the last PDU is partial, + * flush just before it */ + if ((num_requests == 1) || (n <= len)) + tmp_fp += ds->frag_len; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Requests: %u\n", num_requests)); + ds->state = DCE2_PAF_TCP_STATES__0; + continue; // we incremented n already + default: + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "State %u\n", ds->state)); + ds->state++; + break; + } + + n++; + } + + if (tmp_fp != 0) + { + *fp = tmp_fp - start_state; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Setting flush point: %u\n", *fp)); + return PAF_FLUSH; + } + + return ps; +} + +#endif // ENABLE_PAF + +/********************************************************************* + * Function: DCE2_PafRegister() + * + * Purpose: Registers callbacks for interested ports. SMB and TCP + * ports are mutually exclusive so only one or the other + * will be registered for any given port. + * + * Arguments: + * uint16_t - port to register + * tSfPolicyId - the policy to register for + * DCE2_TransType - the type of DCE/RPC transport to register for. + * + * Returns: + * int - 0 for success. 
+ * + *********************************************************************/ +int DCE2_PafRegister(uint16_t port, tSfPolicyId pid, DCE2_TransType trans) +{ +#ifdef ENABLE_PAF + if (!_dpd.isPafEnabled()) + return 0; + + //DEBUG_WRAP(DebugMessage(DEBUG_STREAM_PAF, + // "%s: policy %u, port %u\n", __FUNCTION__, pid, port);); + + switch (trans) + { + case DCE2_TRANS_TYPE__SMB: + _dpd.streamAPI->register_paf_cb(pid, port, 0, DCE2_SmbPaf, true); + _dpd.streamAPI->register_paf_cb(pid, port, 1, DCE2_SmbPaf, true); + break; + case DCE2_TRANS_TYPE__TCP: + _dpd.streamAPI->register_paf_cb(pid, port, 0, DCE2_TcpPaf, true); + _dpd.streamAPI->register_paf_cb(pid, port, 1, DCE2_TcpPaf, true); + break; + default: + DCE2_Die("Invalid transport type sent to paf registration function"); + break; + } +#endif + + return 0; +} + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_paf.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_paf.h --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_paf.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_paf.h 2011-07-13 22:44:51.000000000 +0000 
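Review bot: In DCE2_TcpPaf's autodetect branch, `*data` is dereferenced in the `else if` that handles `len < sizeof(DceRpcCoHdr)` without confirming `len > 0`; unless the stream layer never invokes the callback with an empty payload (not visible here), that is a one-byte over-read, so I'd write `else if ((len > 0) && (*data == DCERPC_PROTO_MAJOR_VERS__5) && (flags & FLAG_FROM_CLIENT))`. In the same branch `DceRpcCoHdr *co_hdr = (DceRpcCoHdr *)data;` casts away the const of the payload; `const DceRpcCoHdr *co_hdr = (const DceRpcCoHdr *)data;` keeps the read-only contract and the accessor calls unchanged. Separately, DCE2_SmbPaf and DCE2_TcpPaf are declared `static` in the local prototypes but defined without it, which compiles but reads as if they were exported; adding `static` to both definitions would match the prototypes. The `DCE2_SMB_PAF_SHIFT` macro expands to a bare brace block rather than `do { ... } while (0)`, which is fine at its current call sites but would break under an unbraced `if`/`else`.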
@@ -0,0 +1,32 @@ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +#ifndef __DCE2_PAF_H__ +#define __DCE2_PAF_H__ + +#include "sfPolicy.h" +#include "sf_types.h" +#include "stream_api.h" +#include "dce2_utils.h" + +int DCE2_PafRegister(uint16_t, tSfPolicyId, DCE2_TransType); + +#endif /* __DCE2_PAF_H__ */ diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_roptions.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_roptions.c --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_roptions.c 2009-05-06 22:28:53.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_roptions.c 2011-10-26 18:28:52.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
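Review bot: The include guard `__DCE2_PAF_H__` uses a double-underscore name, which C reserves for the implementation, and it also differs from the sibling header's `_DCE2_MEMORY_H_` form seen earlier in this diff. A non-reserved spelling such as `DCE2_PAF_H` on the `#ifndef`/`#define` pair and the closing comment avoids both issues.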
@@ -17,9 +17,18 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * **************************************************************************** - * + * ****************************************************************************/ +#include +#include +#include + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "dce2_roptions.h" #include "dce2_memory.h" #include "dcerpc.h" @@ -29,16 +38,9 @@ #include "sf_dynamic_preprocessor.h" #include "stream_api.h" #include "sf_dynamic_engine.h" +#include "sf_snort_plugin_api.h" #include "sfhashfcn.h" #include "profiler.h" -#include -#include -#include - -/******************************************************************** - * Extern variables - ********************************************************************/ -extern DynamicPreprocessorData _dpd; /******************************************************************** * Macros @@ -52,6 +54,7 @@ #define DCE2_ROPT__STUB_DATA "dce_stub_data" #define DCE2_ROPT__BYTE_TEST "byte_test" /* Override keyword */ #define DCE2_ROPT__BYTE_JUMP "byte_jump" /* Override keyword */ +#define DCE2_ROPT__BYTE_EXTRACT "byte_extract" /* Override keyword */ #define DCE2_RARG__LT '<' #define DCE2_RARG__EQ '=' @@ -65,6 +68,7 @@ #define DCE2_RARG__ALIGN "align" #define DCE2_RARG__POST_OFFSET "post_offset" #define DCE2_RARG__DCE_OVERRIDE "dce" +#define DCE2_RARG__DCE_BYTEORDER "dce" #define DCE2_IFACE__MIN_ARGS 1 #define DCE2_IFACE__MAX_ARGS 3 @@ -89,7 +93,8 @@ ********************************************************************/ typedef enum _DCE2_IfOp { - DCE2_IF_OP__LT = 1, + DCE2_IF_OP__NONE = 0, + DCE2_IF_OP__LT, DCE2_IF_OP__EQ, DCE2_IF_OP__GT, DCE2_IF_OP__NE @@ -98,7 +103,8 @@ typedef enum _DCE2_BtOp { - DCE2_BT_OP__LT = 1, + DCE2_BT_OP__NONE = 0, + DCE2_BT_OP__LT, DCE2_BT_OP__EQ, DCE2_BT_OP__GT, DCE2_BT_OP__AND, 
@@ -135,7 +141,7 @@ int iface_vers_maj; int iface_vers_min; DCE2_IfOp operator; - int any_frag; + int any_frag; } DCE2_IfaceData; @@ -190,9 +196,9 @@ static int DCE2_IfaceInit(char *, char *, void **); static int DCE2_OpnumInit(char *, char *, void **); static void DCE2_ParseOpnumList(char **, char *, uint8_t *); -static INLINE void DCE2_OpnumSet(uint8_t *, const uint16_t); -static INLINE void DCE2_OpnumSetRange(uint8_t *, uint16_t, uint16_t); -static INLINE int DCE2_OpnumIsSet(const uint8_t *, const uint16_t, const uint16_t, const uint16_t); +static inline void DCE2_OpnumSet(uint8_t *, const uint16_t); +static inline void DCE2_OpnumSetRange(uint8_t *, uint16_t, uint16_t); +static inline int DCE2_OpnumIsSet(const uint8_t *, const uint16_t, const uint16_t, const uint16_t); static int DCE2_StubDataInit(char *, char *, void **); static int DCE2_ByteTestInit(char *, char *, void **); static int DCE2_ByteJumpInit(char *, char *, void **); @@ -214,8 +220,10 @@ static int DCE2_OpnumKeyCompare(void *, void *); static int DCE2_ByteTestKeyCompare(void *, void *); static int DCE2_ByteJumpKeyCompare(void *, void *); -static INLINE int DCE2_RoptDoEval(SFSnortPacket *); +static inline int DCE2_RoptDoEval(SFSnortPacket *); static NORETURN void DCE2_RoptError(const char *, ...); +static inline void * DCE2_AllocFp(uint32_t); +static int DCE2_IfaceAddFastPatterns(void *, int, int, FPContentInfo **); /******************************************************************** * Function: 
@@ -230,16 +238,19 @@ void DCE2_RegRuleOptions(void) { _dpd.preprocOptRegister(DCE2_ROPT__IFACE, DCE2_IfaceInit, DCE2_IfaceEval, - DCE2_IfaceCleanup, DCE2_IfaceHash, DCE2_IfaceKeyCompare); + DCE2_IfaceCleanup, DCE2_IfaceHash, DCE2_IfaceKeyCompare, + NULL, DCE2_IfaceAddFastPatterns); _dpd.preprocOptRegister(DCE2_ROPT__OPNUM, DCE2_OpnumInit, DCE2_OpnumEval, - DCE2_OpnumCleanup, DCE2_OpnumHash, DCE2_OpnumKeyCompare); - _dpd.preprocOptRegister(DCE2_ROPT__STUB_DATA, DCE2_StubDataInit, DCE2_StubDataEval, NULL, NULL, NULL); + DCE2_OpnumCleanup, DCE2_OpnumHash, DCE2_OpnumKeyCompare, NULL, NULL); + _dpd.preprocOptRegister(DCE2_ROPT__STUB_DATA, DCE2_StubDataInit, + DCE2_StubDataEval, NULL, NULL, NULL, NULL, NULL); _dpd.preprocOptOverrideKeyword(DCE2_ROPT__BYTE_TEST, DCE2_RARG__DCE_OVERRIDE, - DCE2_ByteTestInit, DCE2_ByteTestEval, DCE2_ByteTestCleanup, - DCE2_ByteTestHash, DCE2_ByteTestKeyCompare); + DCE2_ByteTestInit, DCE2_ByteTestEval, DCE2_ByteTestCleanup, + DCE2_ByteTestHash, DCE2_ByteTestKeyCompare, NULL, NULL); _dpd.preprocOptOverrideKeyword(DCE2_ROPT__BYTE_JUMP, DCE2_RARG__DCE_OVERRIDE, - DCE2_ByteJumpInit, DCE2_ByteJumpEval, DCE2_ByteJumpCleanup, - DCE2_ByteJumpHash, DCE2_ByteJumpKeyCompare); + DCE2_ByteJumpInit, DCE2_ByteJumpEval, DCE2_ByteJumpCleanup, + DCE2_ByteJumpHash, DCE2_ByteJumpKeyCompare, NULL, NULL); + _dpd.preprocOptByteOrderKeyword(DCE2_RARG__DCE_BYTEORDER, DCE2_GetByteOrder); } /******************************************************************** @@ -249,7 +260,7 @@ * * XXX Connectionless uses a 32bit version, connection-oriented * a 16bit major version and 16bit minor version. Not likely to - * need to support versions greater than 65535, but may need to + * need to support versions greater than 65535, but may need to * support minor version. * * Arguments: 
@@ -279,11 +290,11 @@ iface_data = (DCE2_IfaceData *)DCE2_Alloc(sizeof(DCE2_IfaceData), DCE2_MEM_TYPE__ROPTION); if (iface_data == NULL) { - DCE2_Die("%s(%d) Failed to allocate memory for iface data structure.", - __FILE__, __LINE__); + DCE2_Die("%s(%d) Failed to allocate memory for iface data structure.", + __FILE__, __LINE__); } - iface_data->operator = DCE2_SENTINEL; + iface_data->operator = DCE2_IF_OP__NONE; /* Must have arguments */ if (DCE2_IsEmptyStr(args)) @@ -298,7 +309,7 @@ { DCE2_Free((void *)iface_data, sizeof(DCE2_IfaceData), DCE2_MEM_TYPE__ROPTION); DCE2_Die("%s(%d) strtok_r() returned NULL when string argument " - "was not NULL.", __FILE__, __LINE__); + "was not NULL.", __FILE__, __LINE__); } do @@ -320,7 +331,7 @@ { DCE2_Free((void *)iface_data, sizeof(DCE2_IfaceData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Invalid argument: %s.", - DCE2_ROPT__IFACE, token); + DCE2_ROPT__IFACE, token); } switch (*token) @@ -349,16 +360,16 @@ { DCE2_Free((void *)iface_data, sizeof(DCE2_IfaceData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Cannot configure interface " - "version more than once.", DCE2_ROPT__IFACE); + "version more than once.", DCE2_ROPT__IFACE); } token++; - iface_data->iface_vers = strtoul(token, &endptr, 10); + iface_data->iface_vers = _dpd.SnortStrtoul(token, &endptr, 10); if ((errno == ERANGE) || (*endptr != '\0')) { DCE2_Free((void *)iface_data, sizeof(DCE2_IfaceData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Invalid argument: %s.", - DCE2_ROPT__IFACE, token); + DCE2_ROPT__IFACE, token); } switch (iface_data->operator) 
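Review bot: The new `iface_data->iface_vers = _dpd.SnortStrtoul(token, &endptr, 10);` is still followed by `if ((errno == ERANGE) || (*endptr != '\0'))` without `errno` being cleared first, so a stale ERANGE left by an earlier library call would reject a valid version string; unless SnortStrtoul resets errno itself (not visible in this diff), add `errno = 0;` immediately before the call. The same pattern recurs in the uuid parsing hunks at -505, -533, -556, -581, -590 and -617. DCE2_IfaceInit begins and ends outside this hunk.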
@@ -368,14 +379,14 @@ { DCE2_Free((void *)iface_data, sizeof(DCE2_IfaceData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Interface version " - "cannot be less than zero.", DCE2_ROPT__IFACE); + "cannot be less than zero.", DCE2_ROPT__IFACE); } else if (iface_data->iface_vers > (UINT16_MAX + 1)) { DCE2_Free((void *)iface_data, sizeof(DCE2_IfaceData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Interface version " - "cannot be greater than %u.", - DCE2_ROPT__IFACE, UINT16_MAX); + "cannot be greater than %u.", + DCE2_ROPT__IFACE, UINT16_MAX); } break; @@ -386,8 +397,8 @@ { DCE2_Free((void *)iface_data, sizeof(DCE2_IfaceData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Interface version " - "cannot be greater than %u.", - DCE2_ROPT__IFACE, UINT16_MAX); + "cannot be greater than %u.", + DCE2_ROPT__IFACE, UINT16_MAX); } break; @@ -397,8 +408,8 @@ { DCE2_Free((void *)iface_data, sizeof(DCE2_IfaceData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Interface version " - "cannot be greater than %u.", - DCE2_ROPT__IFACE, UINT16_MAX); + "cannot be greater than %u.", + DCE2_ROPT__IFACE, UINT16_MAX); } break; @@ -406,7 +417,7 @@ default: /* Shouldn't get here */ DCE2_Die("%s(%d) Invalid operator: %d", - __FILE__, __LINE__, iface_data->operator); + __FILE__, __LINE__, iface_data->operator); break; } @@ -423,8 +434,8 @@ { DCE2_Free((void *)iface_data, sizeof(DCE2_IfaceData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Cannot configure " - "\"%s\" more than once.", - DCE2_ROPT__IFACE, DCE2_RARG__ANY_FRAG); + "\"%s\" more than once.", + DCE2_ROPT__IFACE, DCE2_RARG__ANY_FRAG); } if (strcasecmp(token, DCE2_RARG__ANY_FRAG) == 0) @@ -435,7 +446,7 @@ { DCE2_Free((void *)iface_data, sizeof(DCE2_IfaceData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Invalid argument: %s.", - DCE2_ROPT__IFACE, token); + DCE2_ROPT__IFACE, token); } any_frag = 1; 
@@ -484,7 +495,7 @@ { DCE2_Free((void *)iface_data, sizeof(DCE2_IfaceData), DCE2_MEM_TYPE__ROPTION); DCE2_Die("%s(%d) strtok_r() returned NULL when string argument " - "was not NULL.", __FILE__, __LINE__); + "was not NULL.", __FILE__, __LINE__); } /* Cut into pieces separated by '-' */ @@ -493,7 +504,7 @@ { DCE2_Free((void *)iface_data, sizeof(DCE2_IfaceData), DCE2_MEM_TYPE__ROPTION); DCE2_Die("%s(%d) strtok_r() returned NULL when string argument " - "was not NULL.", __FILE__, __LINE__); + "was not NULL.", __FILE__, __LINE__); } do @@ -505,14 +516,14 @@ case 0: { unsigned long int time_low; - + if (strlen(if_hex) != DCE2_IFACE__TIME_LOW_LEN) { DCE2_Free((void *)iface_data, sizeof(DCE2_IfaceData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Invalid uuid.", DCE2_ROPT__IFACE); } - - time_low = strtoul(if_hex, &endptr, 16); + + time_low = _dpd.SnortStrtoul(if_hex, &endptr, 16); if ((errno == ERANGE) || (*endptr != '\0')) { DCE2_Free((void *)iface_data, sizeof(DCE2_IfaceData), DCE2_MEM_TYPE__ROPTION); @@ -533,8 +544,8 @@ DCE2_Free((void *)iface_data, sizeof(DCE2_IfaceData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Invalid uuid.", DCE2_ROPT__IFACE); } - - time_mid = strtoul(if_hex, &endptr, 16); + + time_mid = _dpd.SnortStrtoul(if_hex, &endptr, 16); if ((errno == ERANGE) || (*endptr != '\0')) { DCE2_Free((void *)iface_data, sizeof(DCE2_IfaceData), DCE2_MEM_TYPE__ROPTION); @@ -556,8 +567,8 @@ DCE2_Free((void *)iface_data, sizeof(DCE2_IfaceData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Invalid uuid.", DCE2_ROPT__IFACE); } - - time_high = strtoul(if_hex, &endptr, 16); + + time_high = _dpd.SnortStrtoul(if_hex, &endptr, 16); if ((errno == ERANGE) || (*endptr != '\0')) { DCE2_Free((void *)iface_data, sizeof(DCE2_IfaceData), DCE2_MEM_TYPE__ROPTION); 
@@ -581,7 +592,7 @@ } /* Work backwards */ - clock_seq_low = strtoul(&if_hex[2], &endptr, 16); + clock_seq_low = _dpd.SnortStrtoul(&if_hex[2], &endptr, 16); if ((errno == ERANGE) || (*endptr != '\0')) { DCE2_Free((void *)iface_data, sizeof(DCE2_IfaceData), DCE2_MEM_TYPE__ROPTION); @@ -590,10 +601,10 @@ iface_data->iface.clock_seq_low = (uint8_t)clock_seq_low; - /* Set third byte to null so we can strtoul the first part */ + /* Set third byte to null so we can _dpd.SnortStrtoul the first part */ if_hex[2] = '\x00'; - clock_seq_and_reserved = strtoul(if_hex, &endptr, 16); + clock_seq_and_reserved = _dpd.SnortStrtoul(if_hex, &endptr, 16); if ((errno == ERANGE) || (*endptr != '\0')) { DCE2_Free((void *)iface_data, sizeof(DCE2_IfaceData), DCE2_MEM_TYPE__ROPTION); @@ -602,7 +613,7 @@ iface_data->iface.clock_seq_and_reserved = (uint8_t)clock_seq_and_reserved; } - + break; case 4: @@ -617,11 +628,11 @@ /* Walk back a byte at a time - 2 hex digits */ for (i = DCE2_IFACE__NODE_LEN - 2, j = sizeof(iface_data->iface.node) - 1; - (i >= 0) && (j >= 0); - i -= 2, j--) + (i >= 0) && (j >= 0); + i -= 2, j--) { - /* Only giving strtoul 1 byte */ - iface_data->iface.node[j] = (uint8_t)strtoul(&if_hex[i], &endptr, 16); + /* Only giving _dpd.SnortStrtoul 1 byte */ + iface_data->iface.node[j] = (uint8_t)_dpd.SnortStrtoul(&if_hex[i], &endptr, 16); if ((errno == ERANGE) || (*endptr != '\0')) { DCE2_Free((void *)iface_data, sizeof(DCE2_IfaceData), DCE2_MEM_TYPE__ROPTION); 
@@ -657,6 +668,122 @@
 }
 }
+static inline void * DCE2_AllocFp(uint32_t size)
+{
+ void *mem = calloc(1, (size_t)size);
+ if (mem == NULL)
+ {
+ DCE2_Die("%s(%d) Out of memory!", __FILE__, __LINE__);
+ }
+
+ return mem;
+}
+
+static int DCE2_IfaceAddFastPatterns(void *rule_opt_data, int protocol,
+ int direction, FPContentInfo **info)
+{
+ DCE2_IfaceData *iface_data = (DCE2_IfaceData *)rule_opt_data;
+
+ if ((rule_opt_data == NULL) || (info == NULL))
+ return -1;
+
+ if ((protocol != IPPROTO_TCP) && (protocol != IPPROTO_UDP))
+ return -1;
+
+ if (protocol == IPPROTO_TCP)
+ {
+ FPContentInfo *tcp_fp = (FPContentInfo *)DCE2_AllocFp(sizeof(FPContentInfo));
+ char *client_fp = "\x05\x00\x00";
+ char *server_fp = "\x05\x00\x02";
+ char *no_dir_fp = "\x05\x00";
+
+ switch (direction)
+ {
+ case FLAG_FROM_CLIENT:
+ tcp_fp->content = (char *)DCE2_AllocFp(3);
+ memcpy(tcp_fp->content, client_fp, 3);
+ tcp_fp->length = 3;
+ break;
+
+ case FLAG_FROM_SERVER:
+ tcp_fp->content = (char *)DCE2_AllocFp(3);
+ memcpy(tcp_fp->content, server_fp, 3);
+ tcp_fp->length = 3;
+ break;
+
+ default:
+ tcp_fp->content = (char *)DCE2_AllocFp(2);
+ memcpy(tcp_fp->content, no_dir_fp, 2);
+ tcp_fp->length = 2;
+ break;
+ }
+
+ *info = tcp_fp;
+ }
+ else
+ {
+ //DCE2_IfaceData *iface_data = (DCE2_IfaceData *)rule_opt_data;
+ FPContentInfo *big_fp = (FPContentInfo *)DCE2_AllocFp(sizeof(FPContentInfo));
+ FPContentInfo *little_fp = (FPContentInfo *)DCE2_AllocFp(sizeof(FPContentInfo));
+ char *big_content = (char *)DCE2_AllocFp(sizeof(Uuid));
+ char *little_content = (char *)DCE2_AllocFp(sizeof(Uuid));
+ uint32_t time32;
+ uint16_t time16;
+ int index = 0;
+
+ time32 = DceRpcNtohl(&iface_data->iface.time_low,
+ DCERPC_BO_FLAG__BIG_ENDIAN);
+ memcpy(&big_content[index], &time32, sizeof(uint32_t));
+ time32 = DceRpcNtohl(&iface_data->iface.time_low,
+ DCERPC_BO_FLAG__LITTLE_ENDIAN);
+ memcpy(&little_content[index], &time32, sizeof(uint32_t));
+ index += sizeof(uint32_t);
+
+ time16 = DceRpcNtohs(&iface_data->iface.time_mid,
+ DCERPC_BO_FLAG__BIG_ENDIAN);
+ memcpy(&big_content[index], &time16, sizeof(uint16_t));
+ time16 = DceRpcNtohs(&iface_data->iface.time_mid,
+ DCERPC_BO_FLAG__LITTLE_ENDIAN);
+ memcpy(&little_content[index], &time16, sizeof(uint16_t));
+ index += sizeof(uint16_t);
+
+ time16 = DceRpcNtohs(&iface_data->iface.time_high_and_version,
+ DCERPC_BO_FLAG__BIG_ENDIAN);
+ memcpy(&big_content[index], &time16, sizeof(uint16_t));
+ time16 = DceRpcNtohs(&iface_data->iface.time_high_and_version,
+ DCERPC_BO_FLAG__LITTLE_ENDIAN);
+ memcpy(&little_content[index], &time16, sizeof(uint16_t));
+ index += sizeof(uint16_t);
+
+ big_content[index] = iface_data->iface.clock_seq_and_reserved;
+ little_content[index] = iface_data->iface.clock_seq_and_reserved;
+ index += sizeof(uint8_t);
+
+ big_content[index] = iface_data->iface.clock_seq_low;
+ little_content[index] = iface_data->iface.clock_seq_low;
+ index += sizeof(uint8_t);
+
+ memcpy(&big_content[index], iface_data->iface.node, 6);
+ memcpy(&little_content[index], iface_data->iface.node, 6);
+
+ big_fp->content = big_content;
+ big_fp->length = sizeof(Uuid);
+ little_fp->content = little_content;
+ little_fp->length = sizeof(Uuid);
+
+ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS,
+ "Iface: %s\nBig endian: %s\n, Little endian: %s\n",
+ DCE2_UuidToStr(&iface_data->iface, DCERPC_BO_FLAG__NONE),
+ DCE2_UuidToStr((Uuid *)big_fp->content, DCERPC_BO_FLAG__NONE),
+ DCE2_UuidToStr((Uuid *)little_fp->content, DCERPC_BO_FLAG__NONE)););
+
+ big_fp->next = little_fp;
+ *info = big_fp;
+ }
+
+ return 0;
+}
+
 /********************************************************************
  * Function:
  *
@@ -683,7 +810,7 @@
 if (DCE2_IsEmptyStr(args))
 {
 DCE2_RoptError("\"%s\" rule option: No arguments. Must supply "
- "the value of the opnum.", DCE2_ROPT__OPNUM);
+ "the value of the opnum.", DCE2_ROPT__OPNUM);
 }

 /* Include NULL byte for parsing */
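Review bot: In `DCE2_IfaceAddFastPatterns` the UDP branch fills two `sizeof(Uuid)` buffers through a hand-advanced `index` and finishes with `memcpy(&big_content[index], iface_data->iface.node, 6);`, while the TCP branch allocates and copies with bare `3`/`2` literals; nothing ties those numbers to the struct or literal sizes, so a change to `Uuid` or to the fast-pattern strings would silently underfill or overrun the content buffers. Use `sizeof(iface_data->iface.node)` for the node copy, make the patterns `static const char client_fp[] = "\x05\x00\x00";` (likewise server_fp/no_dir_fp) and derive the lengths as `sizeof client_fp - 1`, which also removes the const-discarding `char *` bindings. The commented-out `//DCE2_IfaceData *iface_data = ...` line is dead and should go. The function returns freshly calloc'd `FPContentInfo` nodes (chained through `next` in the UDP case) and their `content` buffers; a header comment such as `/* Caller owns the returned FPContentInfo chain and each node's content buffer; allocation failure calls DCE2_Die() */` would make that ownership explicit, since `DCE2_AllocFp` bypasses the module's `DCE2_Alloc`/`DCE2_Free` accounting.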
@@ -714,7 +841,7 @@ if (odata == NULL) { DCE2_Die("%s(%d) Failed to allocate memory for opnum data.", - __FILE__, __LINE__); + __FILE__, __LINE__); } odata->odata.type = DCE2_OPNUM_TYPE__SINGLE; @@ -732,7 +859,7 @@ if (odata == NULL) { DCE2_Die("%s(%d) Failed to allocate memory for opnum data.", - __FILE__, __LINE__); + __FILE__, __LINE__); } odata->mask = (uint8_t *)DCE2_Alloc(mask_size, DCE2_MEM_TYPE__ROPTION); @@ -740,7 +867,7 @@ { DCE2_Free((void *)odata, sizeof(DCE2_OpnumMultiple), DCE2_MEM_TYPE__ROPTION); DCE2_Die("%s(%d) Failed to allocate memory for opnum data.", - __FILE__, __LINE__); + __FILE__, __LINE__); } odata->odata.type = DCE2_OPNUM_TYPE__MULTIPLE; @@ -795,7 +922,7 @@ else if (!DCE2_IsSpaceChar(c)) { DCE2_RoptError("\"%s\" rule option: Invalid opnum list: %s.", - DCE2_ROPT__OPNUM, *ptr); + DCE2_ROPT__OPNUM, *ptr); } break; @@ -804,12 +931,12 @@ if (!DCE2_IsOpnumChar(c)) { DCE2_Ret status = DCE2_GetValue(lo_start, *ptr, &lo_opnum, - 0, DCE2_INT_TYPE__UINT16, 10); + 0, DCE2_INT_TYPE__UINT16, 10); if (status != DCE2_RET__SUCCESS) { DCE2_RoptError("\"%s\" rule option: Invalid opnum: %.*s", - DCE2_ROPT__OPNUM, *ptr - lo_start, lo_start); + DCE2_ROPT__OPNUM, *ptr - lo_start, lo_start); } if (DCE2_IsOpnumRangeChar(c)) @@ -845,12 +972,12 @@ if (!DCE2_IsOpnumChar(c)) { DCE2_Ret status = DCE2_GetValue(hi_start, *ptr, &hi_opnum, - 0, DCE2_INT_TYPE__UINT16, 10); + 0, DCE2_INT_TYPE__UINT16, 10); if (status != DCE2_RET__SUCCESS) { DCE2_RoptError("\"%s\" rule option: Invalid opnum: %.*s", - DCE2_ROPT__OPNUM, *ptr - hi_start, hi_start); + DCE2_ROPT__OPNUM, *ptr - hi_start, hi_start); } DCE2_OpnumSetRange(opnum_mask, lo_opnum, hi_opnum); @@ -873,14 +1000,14 @@ else if (!DCE2_IsSpaceChar(c)) { DCE2_RoptError("\"%s\" rule option: Invalid opnum list: %s.", - DCE2_ROPT__OPNUM, *ptr); + DCE2_ROPT__OPNUM, *ptr); } break; default: DCE2_Die("%s(%d) Invalid opnum list state: %d", - __FILE__, __LINE__, state); + __FILE__, __LINE__, state); break; } 
@@ -890,7 +1017,7 @@ if (state != DCE2_OPNUM_LIST_STATE__END) { DCE2_RoptError("\"%s\" rule option: Invalid opnum list: %s", - DCE2_ROPT__OPNUM, *ptr); + DCE2_ROPT__OPNUM, *ptr); } } @@ -904,8 +1031,8 @@ * Returns: * ********************************************************************/ -static INLINE int DCE2_OpnumIsSet(const uint8_t *opnum_mask, const uint16_t opnum_lo, - const uint16_t opnum_hi, const uint16_t opnum) +static inline int DCE2_OpnumIsSet(const uint8_t *opnum_mask, const uint16_t opnum_lo, + const uint16_t opnum_hi, const uint16_t opnum) { uint16_t otmp = opnum - opnum_lo; @@ -925,7 +1052,7 @@ * Returns: * ********************************************************************/ -static INLINE void DCE2_OpnumSet(uint8_t *opnum_mask, const uint16_t opnum) +static inline void DCE2_OpnumSet(uint8_t *opnum_mask, const uint16_t opnum) { opnum_mask[(opnum / 8)] |= (1 << (opnum % 8)); } @@ -940,7 +1067,7 @@ * Returns: * ********************************************************************/ -static INLINE void DCE2_OpnumSetRange(uint8_t *opnum_mask, uint16_t lo_opnum, uint16_t hi_opnum) +static inline void DCE2_OpnumSetRange(uint8_t *opnum_mask, uint16_t lo_opnum, uint16_t hi_opnum) { uint16_t i; @@ -974,7 +1101,7 @@ if (!DCE2_IsEmptyStr(args)) { DCE2_RoptError("\"%s\" rule option: This option has no arguments.", - DCE2_ROPT__STUB_DATA); + DCE2_ROPT__STUB_DATA); } /* Set it to something even though we don't need it */ @@ -1006,10 +1133,10 @@ if (bt_data == NULL) { DCE2_Die("%s(%d) Failed to allocate memory for byte test data structure.", - __FILE__, __LINE__); + __FILE__, __LINE__); } - bt_data->operator = DCE2_SENTINEL; + bt_data->operator = DCE2_BT_OP__NONE; /* Must have arguments */ if (DCE2_IsEmptyStr(args)) @@ -1024,7 +1151,7 @@ { DCE2_Free((void *)bt_data, sizeof(DCE2_ByteTestData), DCE2_MEM_TYPE__ROPTION); DCE2_Die("%s(%d) strtok_r() returned NULL when string argument " - "was not NULL.", __FILE__, __LINE__); + "was not NULL.", __FILE__, __LINE__); } do 
@@ -1036,22 +1163,22 @@ if (tok_num == 1) /* Number of bytes to convert */ { char *endptr; - unsigned long int num_bytes = strtoul(token, &endptr, 10); + unsigned long int num_bytes = _dpd.SnortStrtoul(token, &endptr, 10); if ((errno == ERANGE) || (*endptr != '\0')) { DCE2_Free((void *)bt_data, sizeof(DCE2_ByteTestData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Invalid number of bytes to " - "convert: %s. Should be one of 1, 2 or 4.", - DCE2_ROPT__BYTE_TEST, token); + "convert: %s. Should be one of 1, 2 or 4.", + DCE2_ROPT__BYTE_TEST, token); } if ((num_bytes != 1) && (num_bytes != 2) && (num_bytes != 4)) { DCE2_Free((void *)bt_data, sizeof(DCE2_ByteTestData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Invalid number of bytes to " - "convert: %s. Should be one of 1, 2 or 4.", - DCE2_ROPT__BYTE_TEST, token); + "convert: %s. Should be one of 1, 2 or 4.", + DCE2_ROPT__BYTE_TEST, token); } bt_data->num_bytes = num_bytes; @@ -1063,7 +1190,7 @@ { DCE2_Free((void *)bt_data, sizeof(DCE2_ByteTestData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Invalid argument: %s", - DCE2_ROPT__BYTE_TEST, token); + DCE2_ROPT__BYTE_TEST, token); } /* If two bytes first must be '!' */ @@ -1073,7 +1200,7 @@ { DCE2_Free((void *)bt_data, sizeof(DCE2_ByteTestData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Invalid argument: %s", - DCE2_ROPT__BYTE_TEST, token); + DCE2_ROPT__BYTE_TEST, token); } else { 
@@ -1103,21 +1230,21 @@ default: DCE2_Free((void *)bt_data, sizeof(DCE2_ByteTestData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Invalid argument: %s", - DCE2_ROPT__BYTE_TEST, token); + DCE2_ROPT__BYTE_TEST, token); break; } } else if (tok_num == 3) /* Value to compare to */ { char *endptr; - unsigned long int value = strtoul(token, &endptr, 10); + unsigned long int value = _dpd.SnortStrtoul(token, &endptr, 10); if ((errno == ERANGE) || (*endptr != '\0') || (value > UINT32_MAX)) { DCE2_Free((void *)bt_data, sizeof(DCE2_ByteTestData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Invalid compare value: %s. Must be " - "between 0 and %u inclusive.", - DCE2_ROPT__BYTE_TEST, token, UINT32_MAX); + "between 0 and %u inclusive.", + DCE2_ROPT__BYTE_TEST, token, UINT32_MAX); } bt_data->value = value; @@ -1125,15 +1252,15 @@ else if (tok_num == 4) /* Offset in packet data */ { char *endptr; - long int offset = strtol(token, &endptr, 10); + long int offset = _dpd.SnortStrtol(token, &endptr, 10); if ((errno == ERANGE) || (*endptr != '\0') || - (offset > (long int)UINT16_MAX) || (offset < (-1 * (long int)UINT16_MAX))) + (offset > (long int)UINT16_MAX) || (offset < (-1 * (long int)UINT16_MAX))) { DCE2_Free((void *)bt_data, sizeof(DCE2_ByteTestData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Invalid offset: %s. Must be " - "between -%u and %u inclusive.", - DCE2_ROPT__BYTE_TEST, token, UINT16_MAX, UINT16_MAX); + "between -%u and %u inclusive.", + DCE2_ROPT__BYTE_TEST, token, UINT16_MAX, UINT16_MAX); } bt_data->offset = offset; @@ -1147,8 +1274,8 @@ { DCE2_Free((void *)bt_data, sizeof(DCE2_ByteTestData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Can't configure \"%s\" " - "more than once.", - DCE2_ROPT__BYTE_TEST, DCE2_RARG__RELATIVE); + "more than once.", + DCE2_ROPT__BYTE_TEST, DCE2_RARG__RELATIVE); } bt_data->relative = 1; 
@@ -1157,7 +1284,7 @@ { DCE2_Free((void *)bt_data, sizeof(DCE2_ByteTestData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Invalid argument: %s.", - DCE2_ROPT__BYTE_TEST, token); + DCE2_ROPT__BYTE_TEST, token); } } else @@ -1203,7 +1330,7 @@ if (bj_data == NULL) { DCE2_Die("%s(%d) Failed to allocate memory for byte jump data structure.", - __FILE__, __LINE__); + __FILE__, __LINE__); } bj_data->multiplier = DCE2_SENTINEL; @@ -1221,7 +1348,7 @@ { DCE2_Free((void *)bj_data, sizeof(DCE2_ByteJumpData), DCE2_MEM_TYPE__ROPTION); DCE2_Die("%s(%d) strtok_r() returned NULL when string argument " - "was not NULL.", __FILE__, __LINE__); + "was not NULL.", __FILE__, __LINE__); } do @@ -1233,22 +1360,22 @@ if (tok_num == 1) /* Number of bytes to convert */ { char *endptr; - unsigned long int num_bytes = strtoul(token, &endptr, 10); + unsigned long int num_bytes = _dpd.SnortStrtoul(token, &endptr, 10); if ((errno == ERANGE) || (*endptr != '\0')) { DCE2_Free((void *)bj_data, sizeof(DCE2_ByteJumpData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Invalid number of bytes to " - "convert: %s. Should be one of 1, 2 or 4.", - DCE2_ROPT__BYTE_JUMP, token); + "convert: %s. Should be one of 1, 2 or 4.", + DCE2_ROPT__BYTE_JUMP, token); } if ((num_bytes != 4) && (num_bytes != 2) && (num_bytes != 1)) { DCE2_Free((void *)bj_data, sizeof(DCE2_ByteJumpData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Invalid number of bytes to " - "convert: %s. Should be one of 1, 2 or 4.", - DCE2_ROPT__BYTE_JUMP, token); + "convert: %s. Should be one of 1, 2 or 4.", + DCE2_ROPT__BYTE_JUMP, token); } bj_data->num_bytes = num_bytes; 
@@ -1256,15 +1383,15 @@ else if (tok_num == 2) /* Offset in packet data */ { char *endptr; - long int offset = strtol(token, &endptr, 10); + long int offset = _dpd.SnortStrtol(token, &endptr, 10); if ((errno == ERANGE) || (*endptr != '\0') || - (offset > (long int)UINT16_MAX) || (offset < (-1 * (long int)UINT16_MAX))) + (offset > (long int)UINT16_MAX) || (offset < (-1 * (long int)UINT16_MAX))) { DCE2_Free((void *)bj_data, sizeof(DCE2_ByteJumpData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Invalid offset: %s. Must be " - "between -%u and %u inclusive.", - DCE2_ROPT__BYTE_JUMP, token, UINT16_MAX, UINT16_MAX); + "between -%u and %u inclusive.", + DCE2_ROPT__BYTE_JUMP, token, UINT16_MAX, UINT16_MAX); } bj_data->offset = offset; @@ -1279,7 +1406,7 @@ { DCE2_Free((void *)bj_data, sizeof(DCE2_ByteJumpData), DCE2_MEM_TYPE__ROPTION); DCE2_Die("%s(%d) strtok_r() returned NULL when string argument " - "was not NULL.", __FILE__, __LINE__); + "was not NULL.", __FILE__, __LINE__); } if (strcasecmp(arg, DCE2_RARG__RELATIVE) == 0) @@ -1289,8 +1416,8 @@ { DCE2_Free((void *)bj_data, sizeof(DCE2_ByteJumpData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Can't configure \"%s\" " - "more than once.", - DCE2_ROPT__BYTE_TEST, DCE2_RARG__RELATIVE); + "more than once.", + DCE2_ROPT__BYTE_TEST, DCE2_RARG__RELATIVE); } bj_data->relative = 1; @@ -1301,8 +1428,8 @@ { DCE2_Free((void *)bj_data, sizeof(DCE2_ByteJumpData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Can't configure \"%s\" " - "more than once.", - DCE2_ROPT__BYTE_TEST, DCE2_RARG__ALIGN); + "more than once.", + DCE2_ROPT__BYTE_TEST, DCE2_RARG__ALIGN); } bj_data->align = 1; 
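Review bot: The reindented `DCE2_RoptError` calls in `@@ -1289,8 +1416,8 @@` and `@@ -1301,8 +1428,8 @@` still pass `DCE2_ROPT__BYTE_TEST` as the option name although they sit in the byte_jump parser (the same statements free `bj_data` as `sizeof(DCE2_ByteJumpData)`), so a duplicated `relative` or `align` argument in a byte_jump rule is reported against byte_test. The same copy-paste label appears in `@@ -1316` (multiplier) and `@@ -1349` (post_offset), whereas the neighbouring "requires an argument" messages in those hunks correctly use `DCE2_ROPT__BYTE_JUMP`. Since the commit touches these lines anyway, change them to `DCE2_ROPT__BYTE_JUMP, DCE2_RARG__RELATIVE);` and likewise for ALIGN, MULTIPLIER and POST_OFFSET. The enclosing parse function starts and ends outside these hunks.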
@@ -1316,26 +1443,26 @@ { DCE2_Free((void *)bj_data, sizeof(DCE2_ByteJumpData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Can't configure \"%s\" " - "more than once.", - DCE2_ROPT__BYTE_TEST, DCE2_RARG__MULTIPLIER); + "more than once.", + DCE2_ROPT__BYTE_TEST, DCE2_RARG__MULTIPLIER); } arg = strtok_r(NULL, DCE2_RTOKEN__ARG_SEP, &argptr); if (arg == NULL) { DCE2_Free((void *)bj_data, sizeof(DCE2_ByteJumpData), DCE2_MEM_TYPE__ROPTION); - DCE2_RoptError("\"%s\" rule option: \"%s\" requires an argument.", - DCE2_ROPT__BYTE_JUMP, DCE2_RARG__MULTIPLIER); + DCE2_RoptError("\"%s\" rule option: \"%s\" requires an argument.", + DCE2_ROPT__BYTE_JUMP, DCE2_RARG__MULTIPLIER); } - multiplier = strtoul(arg, &endptr, 10); + multiplier = _dpd.SnortStrtoul(arg, &endptr, 10); if ((errno == ERANGE) || (*endptr != '\0') || - (multiplier <= 1) || (multiplier > UINT16_MAX)) + (multiplier <= 1) || (multiplier > UINT16_MAX)) { DCE2_Free((void *)bj_data, sizeof(DCE2_ByteJumpData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Invalid multiplier: %s. " - "Must be between 2 and %u inclusive.", - DCE2_ROPT__BYTE_JUMP, arg, UINT16_MAX); + "Must be between 2 and %u inclusive.", + DCE2_ROPT__BYTE_JUMP, arg, UINT16_MAX); } bj_data->multiplier = multiplier; @@ -1349,8 +1476,8 @@ { DCE2_Free((void *)bj_data, sizeof(DCE2_ByteJumpData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Can't configure \"%s\" " - "more than once.", - DCE2_ROPT__BYTE_TEST, DCE2_RARG__POST_OFFSET); + "more than once.", + DCE2_ROPT__BYTE_TEST, DCE2_RARG__POST_OFFSET); } arg = strtok_r(NULL, DCE2_RTOKEN__ARG_SEP, &argptr); 
@@ -1358,17 +1485,17 @@ { DCE2_Free((void *)bj_data, sizeof(DCE2_ByteJumpData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: \"%s\" requires an argument.", - DCE2_ROPT__BYTE_JUMP, DCE2_RARG__POST_OFFSET); + DCE2_ROPT__BYTE_JUMP, DCE2_RARG__POST_OFFSET); } - post_offset = strtol(arg, &endptr, 10); + post_offset = _dpd.SnortStrtol(arg, &endptr, 10); if ((errno == ERANGE) || (*endptr != '\0') || - (post_offset > (long int)UINT16_MAX) || (post_offset < (-1 * (long int)UINT16_MAX))) + (post_offset > (long int)UINT16_MAX) || (post_offset < (-1 * (long int)UINT16_MAX))) { DCE2_Free((void *)bj_data, sizeof(DCE2_ByteJumpData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Invalid post offset " - "value: %s. Must be between -%u to %u inclusive", - DCE2_ROPT__BYTE_JUMP, arg, UINT16_MAX, UINT16_MAX); + "value: %s. Must be between -%u to %u inclusive", + DCE2_ROPT__BYTE_JUMP, arg, UINT16_MAX, UINT16_MAX); } bj_data->post_offset = post_offset; @@ -1378,7 +1505,7 @@ { DCE2_Free((void *)bj_data, sizeof(DCE2_ByteJumpData), DCE2_MEM_TYPE__ROPTION); DCE2_RoptError("\"%s\" rule option: Invalid argument: %s.", - DCE2_ROPT__BYTE_JUMP, arg); + DCE2_ROPT__BYTE_JUMP, arg); } } else 
@@ -1416,55 +1543,61 @@ DCE2_SsnData *sd; DCE2_Roptions *ropts; DCE2_IfaceData *iface_data; - int ret = 0; + int ret = RULE_NOMATCH; - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Evaluating \"%s\" rule option.\n", DCE2_ROPT__IFACE)); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Evaluating \"%s\" rule option.\n", DCE2_ROPT__IFACE)); if (!DCE2_RoptDoEval(p)) - return 0; + return RULE_NOMATCH; - sd = (DCE2_SsnData *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_DCE2); + sd = (DCE2_SsnData *) + _dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_DCE2); if (sd == NULL) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "No session data - not evaluating.\n")); - return 0; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "No session data - not evaluating.\n")); + return RULE_NOMATCH; } ropts = &sd->ropts; if (ropts->first_frag == DCE2_SENTINEL) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "First frag not set - not evaluating.\n")); - return 0; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "First frag not set - not evaluating.\n")); + return RULE_NOMATCH; } iface_data = (DCE2_IfaceData *)data; if (iface_data == NULL) - return 0; + return RULE_NOMATCH; if (!iface_data->any_frag && !ropts->first_frag) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, - "Not a first fragment and rule set to only look at first fragment.\n")); + "Not a first fragment and rule set to only look at " + "first fragment.\n")); - return 0; + return RULE_NOMATCH; } /* Compare the uuid */ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Comparing \"%s\" to \"%s\"\n", - DCE2_UuidToStr(&ropts->iface, DCERPC_BO_FLAG__NONE), - DCE2_UuidToStr(&iface_data->iface, DCERPC_BO_FLAG__NONE))); + DCE2_UuidToStr(&ropts->iface, DCERPC_BO_FLAG__NONE), + DCE2_UuidToStr(&iface_data->iface, DCERPC_BO_FLAG__NONE))); if (DCE2_UuidCompare((void *)&ropts->iface, (void *)&iface_data->iface) != 0) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Uuids don't match\n")); - 
return 0; + return RULE_NOMATCH; } - if ((int)iface_data->operator == DCE2_SENTINEL) + if (iface_data->operator == DCE2_IF_OP__NONE) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "\"%s\" Match\n", DCE2_ROPT__IFACE)); - return 1; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "\"%s\" Match\n", DCE2_ROPT__IFACE)); + return RULE_MATCH; } switch (iface_data->operator) @@ -1473,12 +1606,12 @@ if (IsTCP(p) && (iface_data->iface_vers_maj != DCE2_SENTINEL)) { if ((int)ropts->iface_vers_maj < iface_data->iface_vers_maj) - ret = 1; + ret = RULE_MATCH; } else { if (ropts->iface_vers < iface_data->iface_vers) - ret = 1; + ret = RULE_MATCH; } break; @@ -1487,12 +1620,12 @@ if (IsTCP(p) && (iface_data->iface_vers_maj != DCE2_SENTINEL)) { if ((int)ropts->iface_vers_maj == iface_data->iface_vers_maj) - ret = 1; + ret = RULE_MATCH; } else { if (ropts->iface_vers == iface_data->iface_vers) - ret = 1; + ret = RULE_MATCH; } break; @@ -1501,12 +1634,12 @@ if (IsTCP(p) && (iface_data->iface_vers_maj != DCE2_SENTINEL)) { if ((int)ropts->iface_vers_maj > iface_data->iface_vers_maj) - ret = 1; + ret = RULE_MATCH; } else { if (ropts->iface_vers > iface_data->iface_vers) - ret = 1; + ret = RULE_MATCH; } break; @@ -1515,18 +1648,18 @@ if (IsTCP(p) && (iface_data->iface_vers_maj != DCE2_SENTINEL)) { if ((int)ropts->iface_vers_maj != iface_data->iface_vers_maj) - ret = 1; + ret = RULE_MATCH; } else { if (ropts->iface_vers != iface_data->iface_vers) - ret = 1; + ret = RULE_MATCH; } break; default: - break; + break; } return ret; 
@@ -1549,50 +1682,59 @@ DCE2_SsnData *sd; DCE2_Roptions *ropts; - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Evaluating \"%s\" rule option.\n", DCE2_ROPT__OPNUM)); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Evaluating \"%s\" rule option.\n", DCE2_ROPT__OPNUM)); if (!DCE2_RoptDoEval(p)) - return 0; + return RULE_NOMATCH; - sd = (DCE2_SsnData *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_DCE2); + sd = (DCE2_SsnData *) + _dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_DCE2); if (sd == NULL) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "No session data - not evaluating.\n")); - return 0; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "No session data - not evaluating.\n")); + return RULE_NOMATCH; } ropts = &sd->ropts; if (ropts->opnum == DCE2_SENTINEL) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Opnum not set - not evaluating.\n")); - return 0; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Opnum not set - not evaluating.\n")); + return RULE_NOMATCH; } switch (opnum_data->type) { case DCE2_OPNUM_TYPE__SINGLE: - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Rule opnum: %u, ropts opnum: %u\n", - ((DCE2_OpnumSingle *)opnum_data)->opnum, ropts->opnum)); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Rule opnum: %u, ropts opnum: %u\n", + ((DCE2_OpnumSingle *)opnum_data)->opnum, ropts->opnum)); if (ropts->opnum == ((DCE2_OpnumSingle *)opnum_data)->opnum) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "\"%s\" Match\n", DCE2_ROPT__OPNUM)); - return 1; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "\"%s\" Match\n", DCE2_ROPT__OPNUM)); + return RULE_MATCH; } break; case DCE2_OPNUM_TYPE__MULTIPLE: - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Multiple opnums: ropts opnum: %u\n", ropts->opnum)); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Multiple opnums: ropts opnum: %u\n", ropts->opnum)); { DCE2_OpnumMultiple *omult = (DCE2_OpnumMultiple *)opnum_data; - if 
(DCE2_OpnumIsSet(omult->mask, omult->opnum_lo, omult->opnum_hi, (uint16_t)ropts->opnum)) + if (DCE2_OpnumIsSet(omult->mask, omult->opnum_lo, + omult->opnum_hi, (uint16_t)ropts->opnum)) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "\"%s\" Match\n", DCE2_ROPT__OPNUM)); - return 1; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "\"%s\" Match\n", DCE2_ROPT__OPNUM)); + return RULE_MATCH; } } @@ -1600,14 +1742,15 @@ default: DCE2_Log(DCE2_LOG_TYPE__ERROR, - "%s(%d) Invalid opnum type: %d", - __FILE__, __LINE__, opnum_data->type); + "%s(%d) Invalid opnum type: %d", + __FILE__, __LINE__, opnum_data->type); break; } - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "\"%s\" Fail\n", DCE2_ROPT__OPNUM)); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "\"%s\" Fail\n", DCE2_ROPT__OPNUM)); - return 0; + return RULE_NOMATCH; } /******************************************************************** 
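Review bot: `switch (opnum_data->type)` in `@@ -1549,50 +1682,59 @@` dereferences the rule-option data without the `if (data == NULL) return RULE_NOMATCH;` guard that the iface, byte_test and byte_jump evaluators apply after fetching `ropts`; opnum_data is initialised above the hunk, and no such check appears between the declarations shown and the switch. Adding `if (opnum_data == NULL) return RULE_NOMATCH;` right after the `ropts->opnum == DCE2_SENTINEL` check makes the four evaluators consistent. The function's opening lines are outside the hunk.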
@@ -1626,28 +1769,32 @@
 DCE2_SsnData *sd;
 DCE2_Roptions *ropts;
- DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Evaluating \"%s\" rule option.\n", DCE2_ROPT__STUB_DATA));
+ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS,
+ "Evaluating \"%s\" rule option.\n", DCE2_ROPT__STUB_DATA));
 if (!DCE2_RoptDoEval(p))
- return 0;
+ return RULE_NOMATCH;
 sd = (DCE2_SsnData *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_DCE2);
 if (sd == NULL)
 {
- DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "No session data - not evaluating.\n"));
- return 0;
+ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS,
+ "No session data - not evaluating.\n"));
+ return RULE_NOMATCH;
 }
 ropts = &sd->ropts;
 if (ropts->stub_data != NULL)
 {
- DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Setting cursor to stub data: %p.\n", ropts->stub_data));
+ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS,
+ "Setting cursor to stub data: %p.\n", ropts->stub_data));
 *cursor = ropts->stub_data;
- return 1;
+ _dpd.SetAltDetect((uint8_t *)ropts->stub_data, (uint16_t)(p->payload_size - (ropts->stub_data - p->payload)));
+ return RULE_MATCH;
 }
-
- return 0;
+
+ return RULE_NOMATCH;
 }
 /********************************************************************
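Review bot: The new `_dpd.SetAltDetect((uint8_t *)ropts->stub_data, (uint16_t)(p->payload_size - (ropts->stub_data - p->payload)))` assumes `ropts->stub_data` points inside `p->payload`; the hunk does not establish that, and if the stub pointer lies outside the packet payload (or past `payload_size`) the difference goes negative, the `uint16_t` cast turns it into a large length, and the `start_ptr + dsize` bounds that byte_test and byte_jump derive from this buffer then permit reads beyond the stub data. Compute the offset first and only register the alternate buffer when it is in range: `ptrdiff_t off = ropts->stub_data - p->payload;` followed by `if (off >= 0 && off <= p->payload_size) _dpd.SetAltDetect((uint8_t *)ropts->stub_data, (uint16_t)(p->payload_size - off));`. When the check fails, either keep the previous behaviour (cursor set, no alt buffer) or return RULE_NOMATCH, and record the chosen policy in a comment on that line.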
@@ -1666,59 +1813,79 @@ DCE2_SsnData *sd; DCE2_Roptions *ropts; DCE2_ByteTestData *bt_data; + const uint8_t *start_ptr; + uint16_t dsize; const uint8_t *bt_ptr; uint32_t pkt_value; DceRpcBoFlag byte_order; - int ret = 0; + int ret = RULE_NOMATCH; - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Evaluating \"%s\" rule option.\n", DCE2_ROPT__BYTE_TEST)); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Evaluating \"%s\" rule option.\n", DCE2_ROPT__BYTE_TEST)); if (*cursor == NULL) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Cursor is NULL - not evaluating.\n")); - return 0; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Cursor is NULL - not evaluating.\n")); + return RULE_NOMATCH; } if (!DCE2_RoptDoEval(p)) - return 0; + return RULE_NOMATCH; sd = (DCE2_SsnData *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_DCE2); if (sd == NULL) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "No session data - not evaluating.\n")); - return 0; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "No session data - not evaluating.\n")); + return RULE_NOMATCH; } ropts = &sd->ropts; if ((ropts->data_byte_order == DCE2_SENTINEL) || - (ropts->hdr_byte_order == DCE2_SENTINEL)) + (ropts->hdr_byte_order == DCE2_SENTINEL)) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Data byte order or header byte order not set " - "in rule options - not evaluating.\n")); - return 0; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Data byte order or header byte order not set " + "in rule options - not evaluating.\n")); + return RULE_NOMATCH; } bt_data = (DCE2_ByteTestData *)data; if (bt_data == NULL) - return 0; + return RULE_NOMATCH; + + if (_dpd.Is_DetectFlag(SF_FLAG_ALT_DETECT)) + { + _dpd.GetAltDetect((uint8_t **)&start_ptr, &dsize); + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Using Alternative Detect buffer!\n");); + } + else + { + start_ptr = p->payload; + dsize = p->payload_size; + } /* Make sure we don't read past the end of the payload or before * 
beginning of payload */ if (bt_data->relative) { - if ((bt_data->offset < 0) && (*cursor + bt_data->offset) < p->payload) + if ((bt_data->offset < 0) && (*cursor + bt_data->offset) < start_ptr) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Offset is negative and puts cursor before beginning " - "of payload - not evaluating.\n")); - return 0; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Offset is negative and puts cursor before beginning " + "of payload - not evaluating.\n")); + return RULE_NOMATCH; } - if ((*cursor + bt_data->offset + bt_data->num_bytes) > (p->payload + p->payload_size)) + if ((*cursor + bt_data->offset + bt_data->num_bytes) > (start_ptr + dsize)) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Offset plus number of bytes to read puts cursor past end " - "of payload - not evaluating.\n")); - return 0; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Offset plus number of bytes to read puts cursor past " + "end of payload - not evaluating.\n")); + return RULE_NOMATCH; } bt_ptr = *cursor + bt_data->offset; 
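Review bot: Once `start_ptr`/`dsize` come from `_dpd.GetAltDetect`, the relative checks still bound `*cursor + bt_data->offset + bt_data->num_bytes` against `start_ptr + dsize` without first establishing that `*cursor` lies inside that buffer; if an earlier option left the cursor in the raw payload while the alt-detect flag is set (the hunk cannot show whether that combination occurs), the comparisons relate pointers into different objects and the read at `bt_ptr` is not actually bounded. A guard such as `if (*cursor < start_ptr || *cursor > start_ptr + dsize) return RULE_NOMATCH;` immediately after the buffer selection closes that gap; the byte_jump hunk `@@ -1871,58 +2073,78 @@` has the identical structure and needs the same guard. Separately, `DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, ...))` departs from this file's `DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, ...)` convention used on every other debug line here, and `(uint8_t **)&start_ptr` discards the const of `start_ptr`. The function continues past the hunk.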
@@ -1727,35 +1894,42 @@ { if (bt_data->offset < 0) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Offset is negative but is not relative - not evaluating.\n")); - return 0; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Offset is negative but is not relative - " + "not evaluating.\n")); + return RULE_NOMATCH; } - else if ((p->payload + bt_data->offset + bt_data->num_bytes) > (p->payload + p->payload_size)) + else if ((start_ptr + bt_data->offset + bt_data->num_bytes) > (start_ptr + dsize)) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Offset plus number of bytes to read puts cursor past end " - "of payload - not evaluating.\n")); - return 0; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Offset plus number of bytes to read puts cursor past " + "end of payload - not evaluating.\n")); + return RULE_NOMATCH; } - bt_ptr = p->payload + bt_data->offset; + bt_ptr = start_ptr + bt_data->offset; } /* Determine which byte order to use */ if (ropts->stub_data == NULL) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Stub data is NULL. Setting byte order to that of the header.\n")); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Stub data is NULL. Setting byte order to that " + "of the header.\n")); byte_order = (DceRpcBoFlag)ropts->hdr_byte_order; } else if (bt_ptr < ropts->stub_data) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, - "Reading data in the header. Setting byte order to that of the header.\n")); + "Reading data in the header. Setting byte order " + "to that of the header.\n")); byte_order = (DceRpcBoFlag)ropts->hdr_byte_order; } else { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, - "Reading data in the stub. Setting byte order to that of the stub data.\n")); + "Reading data in the stub. Setting byte order " + "to that of the stub data.\n")); byte_order = (DceRpcBoFlag)ropts->data_byte_order; } 
@@ -1764,25 +1938,31 @@ { case 1: pkt_value = *((uint8_t *)bt_ptr); - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Got 1 byte: %u.\n", pkt_value)); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Got 1 byte: %u.\n", pkt_value)); break; case 2: pkt_value = DceRpcNtohs((uint16_t *)bt_ptr, byte_order); - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Got 2 bytes: %u.\n", pkt_value)); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Got 2 bytes: %u.\n", pkt_value)); break; case 4: pkt_value = DceRpcNtohl((uint32_t *)bt_ptr, byte_order); - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Got 4 bytes: %u.\n", pkt_value)); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Got 4 bytes: %u.\n", pkt_value)); break; default: - return 0; + return RULE_NOMATCH; } /* Invert the return value if necessary */ if (bt_data->invert) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Applying not flag.\n")); - ret ^= 1; + if (ret == RULE_MATCH) + ret = RULE_NOMATCH; + else + ret = RULE_MATCH; } switch (bt_data->operator) @@ -1790,9 +1970,13 @@ case DCE2_BT_OP__LT: if (pkt_value < bt_data->value) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Packet value (%u) < Option value (%u).\n", - pkt_value, bt_data->value)); - ret ^= 1; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Packet value (%u) < Option value (%u).\n", + pkt_value, bt_data->value)); + if (ret == RULE_MATCH) + ret = RULE_NOMATCH; + else + ret = RULE_MATCH; } break; @@ -1800,9 +1984,13 @@ case DCE2_BT_OP__EQ: if (pkt_value == bt_data->value) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Packet value (%u) == Option value (%u).\n", - pkt_value, bt_data->value)); - ret ^= 1; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Packet value (%u) == Option value (%u).\n", + pkt_value, bt_data->value)); + if (ret == RULE_MATCH) + ret = RULE_NOMATCH; + else + ret = RULE_MATCH; } break; 
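Review bot: The `ret ^= 1` replacement in `@@ -1764,25 +1938,31 @@` spells the match toggle out as a four-line `if (ret == RULE_MATCH) ret = RULE_NOMATCH; else ret = RULE_MATCH;`, and the identical block is repeated for every operator in `@@ -1790`, `@@ -1800`, `@@ -1810`, `@@ -1820` and `@@ -1830`. A single helper, `static inline int DCE2_ToggleMatch(int ret) { return (ret == RULE_MATCH) ? RULE_NOMATCH : RULE_MATCH; }`, or the one-liner `ret = (ret == RULE_MATCH) ? RULE_NOMATCH : RULE_MATCH;` at each site, keeps the invert-then-compare logic readable. A comment above the invert block, e.g. `/* ret starts at RULE_NOMATCH; the not-flag pre-flips it so a true comparison below flips it back */`, would explain why the inversion is applied before the operator test. The function's start is outside the hunk.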
@@ -1810,9 +1998,13 @@ case DCE2_BT_OP__GT: if (pkt_value > bt_data->value) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Packet value (%u) > Option value (%u).\n", - pkt_value, bt_data->value)); - ret ^= 1; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Packet value (%u) > Option value (%u).\n", + pkt_value, bt_data->value)); + if (ret == RULE_MATCH) + ret = RULE_NOMATCH; + else + ret = RULE_MATCH; } break; @@ -1820,9 +2012,13 @@ case DCE2_BT_OP__AND: if (pkt_value & bt_data->value) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Packet value (%08x) & Option value (%08x).\n", - pkt_value, bt_data->value)); - ret ^= 1; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Packet value (%08x) & Option value (%08x).\n", + pkt_value, bt_data->value)); + if (ret == RULE_MATCH) + ret = RULE_NOMATCH; + else + ret = RULE_MATCH; } break; @@ -1830,25 +2026,31 @@ case DCE2_BT_OP__XOR: if (pkt_value ^ bt_data->value) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Packet value (%08x) ^ Option value (%08x).\n", - pkt_value, bt_data->value)); - ret ^= 1; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Packet value (%08x) ^ Option value (%08x).\n", + pkt_value, bt_data->value)); + if (ret == RULE_MATCH) + ret = RULE_NOMATCH; + else + ret = RULE_MATCH; } break; default: - return 0; + return RULE_NOMATCH; } -#ifdef DEBUG - if (ret) +#ifdef DEBUG_MSGS + if (ret == RULE_MATCH) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "\"%s\" Match.\n", DCE2_ROPT__BYTE_TEST)); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "\"%s\" Match.\n", DCE2_ROPT__BYTE_TEST)); } else { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "\"%s\" Fail.\n", DCE2_ROPT__BYTE_TEST)); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "\"%s\" Fail.\n", DCE2_ROPT__BYTE_TEST)); } #endif 
@@ -1871,58 +2073,78 @@ DCE2_SsnData *sd; DCE2_Roptions *ropts; DCE2_ByteJumpData *bj_data; + const uint8_t *start_ptr; + uint16_t dsize; const uint8_t *bj_ptr; uint32_t jmp_value; DceRpcBoFlag byte_order; - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Evaluating \"%s\" rule option.\n", DCE2_ROPT__BYTE_JUMP)); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Evaluating \"%s\" rule option.\n", DCE2_ROPT__BYTE_JUMP)); if (*cursor == NULL) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Cursor is NULL - not evaluating.\n")); - return 0; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Cursor is NULL - not evaluating.\n")); + return RULE_NOMATCH; } if (!DCE2_RoptDoEval(p)) - return 0; + return RULE_NOMATCH; sd = (DCE2_SsnData *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_DCE2); if (sd == NULL) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "No session data - not evaluating.\n")); - return 0; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "No session data - not evaluating.\n")); + return RULE_NOMATCH; } ropts = &sd->ropts; if ((ropts->data_byte_order == DCE2_SENTINEL) || - (ropts->hdr_byte_order == DCE2_SENTINEL)) + (ropts->hdr_byte_order == DCE2_SENTINEL)) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Data byte order or header byte order not set " - "in rule options - not evaluating.\n")); - return 0; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Data byte order or header byte order not set " + "in rule options - not evaluating.\n")); + return RULE_NOMATCH; } bj_data = (DCE2_ByteJumpData *)data; if (bj_data == NULL) - return 0; + return RULE_NOMATCH; + + if (_dpd.Is_DetectFlag(SF_FLAG_ALT_DETECT)) + { + _dpd.GetAltDetect((uint8_t **)&start_ptr, &dsize); + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Using Alternative Detect buffer!\n");); + } + else + { + start_ptr = p->payload; + dsize = p->payload_size; + } /* Make sure we don't read past the end of the payload or before * beginning of payload */ if 
(bj_data->relative) { - if ((bj_data->offset < 0) && (*cursor + bj_data->offset) < p->payload) + if ((bj_data->offset < 0) && (*cursor + bj_data->offset) < start_ptr) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Offset is negative and puts cursor before beginning " - "of payload - not evaluating.\n")); - return 0; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Offset is negative and puts cursor before beginning " + "of payload - not evaluating.\n")); + return RULE_NOMATCH; } - if ((*cursor + bj_data->offset + bj_data->num_bytes) > (p->payload + p->payload_size)) + if ((*cursor + bj_data->offset + bj_data->num_bytes) > (start_ptr + dsize)) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Offset plus number of bytes to read puts cursor past end " - "of payload - not evaluating.\n")); - return 0; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Offset plus number of bytes to read puts cursor past " + "end of payload - not evaluating.\n")); + return RULE_NOMATCH; } bj_ptr = *cursor + bj_data->offset; 
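Review bot: The new relative-offset bounds checks compare `*cursor` against `start_ptr`/`dsize`, which is only meaningful if the cursor already points into the buffer chosen under `SF_FLAG_ALT_DETECT`; if a prior option positioned `*cursor` in `p->payload` while the alternative buffer is selected (the hunk does not show whether that can happen), the comparison is between unrelated objects and bounds nothing, so a comment stating the assumption or an explicit membership check is warranted. Both checks also form `*cursor + bj_data->offset` before comparing, so a negative offset produces an out-of-object pointer first; comparing as integers avoids that: `if ((bj_data->offset < 0) && ((*cursor - start_ptr) + bj_data->offset < 0))`. `_dpd.GetAltDetect((uint8_t **)&start_ptr, &dsize)` casts away the `const` of `start_ptr` through an incompatible pointer type; fetch into a plain `uint8_t *alt` and assign `start_ptr = alt;`. The alt-detect message uses `DebugMessage(DEBUG_PATTERN_MATCH, …)` with a stray `;` inside `DEBUG_WRAP`, unlike the `DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, …)` form used by every other message in this function, whose signature lies before the hunk.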
@@ -1931,35 +2153,41 @@ { if (bj_data->offset < 0) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Offset is negative but is not relative - not evaluating.\n")); - return 0; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Offset is negative but is not relative - " + "not evaluating.\n")); + return RULE_NOMATCH; } - else if ((p->payload + bj_data->offset + bj_data->num_bytes) > (p->payload + p->payload_size)) + else if ((start_ptr + bj_data->offset + bj_data->num_bytes) > (start_ptr + dsize)) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Offset plus number of bytes to read puts cursor past end " - "of payload - not evaluating.\n")); - return 0; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Offset plus number of bytes to read puts cursor past " + "end of payload - not evaluating.\n")); + return RULE_NOMATCH; } - bj_ptr = p->payload + bj_data->offset; + bj_ptr = start_ptr + bj_data->offset; } /* Determine which byte order to use */ if (ropts->stub_data == NULL) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Stub data is NULL. Setting byte order to that of the header.\n")); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Stub data is NULL. " + "Setting byte order to that of the header.\n")); byte_order = (DceRpcBoFlag)ropts->hdr_byte_order; } else if (bj_ptr < ropts->stub_data) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, - "Reading data in the header. Setting byte order to that of the header.\n")); + "Reading data in the header. Setting byte order " + "to that of the header.\n")); byte_order = (DceRpcBoFlag)ropts->hdr_byte_order; } else { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, - "Reading data in the stub. Setting byte order to that of the stub data.\n")); + "Reading data in the stub. Setting byte order " + "to that of the stub data.\n")); byte_order = (DceRpcBoFlag)ropts->data_byte_order; } 
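Review bot: The three-way header/stub byte-order selection rewritten here is duplicated line for line, debug messages included, by the new `DCE2_GetByteOrder()` added in the -2544 hunk at the end of this file; a shared helper would keep the two from drifting. The selection compares `bj_ptr` with `ropts->stub_data`, and once `bj_ptr` can point into the alternative detect buffer that comparison presumably spans two different allocations — confirm where `stub_data` is set and record the assumption next to the comparison. The enclosing byte_jump evaluator starts before this hunk.
```c
/* Selects the byte order for a read at ptr: header order when there is no
 * stub data or ptr precedes it, stub-data order otherwise.  Intended to be
 * shared with DCE2_GetByteOrder(), which makes the same choice. */
static inline DceRpcBoFlag DCE2_RoptByteOrderFor(const DCE2_Roptions *ropts, const uint8_t *ptr)
{
    if ((ropts->stub_data == NULL) || (ptr < ropts->stub_data))
    {
        DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS,
            "Setting byte order to that of the header.\n"));
        return (DceRpcBoFlag)ropts->hdr_byte_order;
    }
    DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS,
        "Setting byte order to that of the stub data.\n"));
    return (DceRpcBoFlag)ropts->data_byte_order;
}

    /* … unchanged: offset and bounds handling above … */
    byte_order = DCE2_RoptByteOrderFor(ropts, bj_ptr);
```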
@@ -1968,15 +2196,18 @@ { case 1: jmp_value = *((uint8_t *)bj_ptr); - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Got 1 byte: %u.\n", jmp_value)); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Got 1 byte: %u.\n", jmp_value)); break; case 2: jmp_value = DceRpcNtohs((uint16_t *)bj_ptr, byte_order); - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Got 2 bytes: %u.\n", jmp_value)); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Got 2 bytes: %u.\n", jmp_value)); break; case 4: jmp_value = DceRpcNtohl((uint32_t *)bj_ptr, byte_order); - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Got 4 bytes: %u.\n", jmp_value)); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Got 4 bytes: %u.\n", jmp_value)); break; default: return 0; 
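Review bot: `default: return 0;` at the end of this switch is the one early return in the byte_jump evaluator that the commit did not convert to `return RULE_NOMATCH;`, unlike the identical default case of the byte_test evaluator in the -1764 hunk; even if RULE_NOMATCH happens to equal 0, the constant should be used so the function has a single return convention. The enclosing function starts and ends outside this hunk.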
@@ -1984,34 +2215,38 @@ if (bj_data->multiplier != DCE2_SENTINEL) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Applying multiplier: %u * %u = %u.\n", - jmp_value, bj_data->multiplier, - jmp_value * bj_data->multiplier)); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Applying multiplier: %u * %u = %u.\n", + jmp_value, bj_data->multiplier, + jmp_value * bj_data->multiplier)); jmp_value *= bj_data->multiplier; } if (bj_data->align && (jmp_value & 3)) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Aligning to 4 byte boundary: %u => %u.\n", - jmp_value, jmp_value + (4 - (jmp_value & 3)))); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Aligning to 4 byte boundary: %u => %u.\n", + jmp_value, jmp_value + (4 - (jmp_value & 3)))); jmp_value += (4 - (jmp_value & 3)); } bj_ptr += bj_data->num_bytes + jmp_value + bj_data->post_offset; - if ((bj_ptr < p->payload) || (bj_ptr >= (p->payload + p->payload_size))) + if ((bj_ptr < start_ptr) || (bj_ptr >= (start_ptr + dsize))) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "\"%s\" Fail. Jump puts us past end of payload.\n", - DCE2_ROPT__BYTE_JUMP)); - return 0; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "\"%s\" Fail. Jump puts us past end of payload.\n", + DCE2_ROPT__BYTE_JUMP)); + return RULE_NOMATCH; } *cursor = bj_ptr; - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "\"%s\" Match.\n", DCE2_ROPT__BYTE_JUMP)); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "\"%s\" Match.\n", DCE2_ROPT__BYTE_JUMP)); - return 1; + return RULE_MATCH; } /******************************************************************** 
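Review bot: `bj_ptr += bj_data->num_bytes + jmp_value + bj_data->post_offset;` forms the landing pointer from the packet-derived `jmp_value` (after multiplier and alignment) before the bounds test two lines below, so the range check relies on comparing a pointer that may already lie outside the buffer; computing the landing point as an integer offset from `start_ptr` and checking it against `dsize` first keeps the arithmetic in-bounds and makes the check independent of pointer wrap. `jmp_value *= bj_data->multiplier` can also wrap in 32 bits and silently yield a small in-range jump; if `multiplier` is validated at parse time that is acceptable, otherwise an overflow check before the multiply is warranted. The sketch below assumes `post_offset` is a signed integer, as its name suggests — confirm against the struct.
```c
    /* … unchanged: multiplier and alignment handling … */

    /* Resolve the jump as an offset into the buffer before deriving a pointer,
     * so no pointer is formed outside [start_ptr, start_ptr + dsize). */
    int64_t jmp_off = (int64_t)(bj_ptr - start_ptr) + bj_data->num_bytes
                    + (int64_t)jmp_value + bj_data->post_offset;
    if ((jmp_off < 0) || (jmp_off >= (int64_t)dsize))
    {
        DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS,
            "\"%s\" Fail. Jump puts us past end of payload.\n",
            DCE2_ROPT__BYTE_JUMP));
        return RULE_NOMATCH;
    }
    bj_ptr = start_ptr + jmp_off;

    *cursor = bj_ptr;
    /* … unchanged: match debug message and return RULE_MATCH … */
```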
@@ -2024,15 +2259,15 @@ * Returns: * ********************************************************************/ -static INLINE int DCE2_RoptDoEval(SFSnortPacket *p) +static inline int DCE2_RoptDoEval(SFSnortPacket *p) { if ((p->payload_size == 0) || - (p->stream_session_ptr == NULL) || - (!IsTCP(p) && !IsUDP(p))) + (p->stream_session_ptr == NULL) || + (!IsTCP(p) && !IsUDP(p))) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "No payload or no session pointer or " - "not TCP or UDP - not evaluating.\n")); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "No payload or no " + "session pointer or not TCP or UDP - not evaluating.\n")); return 0; } @@ -2055,7 +2290,7 @@ return; DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MEMORY, - "Cleaning Iface data: %u bytes.\n", sizeof(DCE2_IfaceData))); + "Cleaning Iface data: %u bytes.\n", sizeof(DCE2_IfaceData))); DCE2_Free(data, sizeof(DCE2_IfaceData), DCE2_MEM_TYPE__ROPTION); } @@ -2080,8 +2315,9 @@ switch (odata->type) { case DCE2_OPNUM_TYPE__SINGLE: - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MEMORY, "Cleaning Single opnum data: %u bytes.\n", - sizeof(DCE2_OpnumSingle))); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MEMORY, + "Cleaning Single opnum data: %u bytes.\n", + sizeof(DCE2_OpnumSingle))); DCE2_Free((void *)odata, sizeof(DCE2_OpnumSingle), DCE2_MEM_TYPE__ROPTION); @@ -2091,15 +2327,16 @@ { DCE2_OpnumMultiple *omult = (DCE2_OpnumMultiple *)odata; - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MEMORY, "Cleaning Multiple opnum data: %u bytes.\n", - sizeof(DCE2_OpnumMultiple) + omult->mask_size)); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MEMORY, + "Cleaning Multiple opnum data: %u bytes.\n", + sizeof(DCE2_OpnumMultiple) + omult->mask_size)); if (omult->mask != NULL) DCE2_Free((void *)omult->mask, omult->mask_size, DCE2_MEM_TYPE__ROPTION); DCE2_Free((void *)omult, sizeof(DCE2_OpnumMultiple), DCE2_MEM_TYPE__ROPTION); } - + break; default: 
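Review bot: The re-wrapped debug calls pass `sizeof(DCE2_IfaceData)`, `sizeof(DCE2_OpnumSingle)` and `sizeof(DCE2_OpnumMultiple) + omult->mask_size` — all `size_t` — to a `%u` conversion in the -2055, -2080 and -2091 hunks, and the -2123 and -2144 hunks on the next line do the same for the ByteTest and ByteJump cleanups; a mismatched conversion/argument pair is undefined behaviour even in debug-only code. Use `%zu`, or cast `(unsigned)sizeof(...)` if the project's debug printf wrapper is not guaranteed to support the `z` modifier. The -2091 hunk ends at `default:` with the rest of that switch outside the hunk.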
@@ -2123,7 +2360,8 @@ return; DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MEMORY, - "Cleaning ByteTest data: %u bytes.\n", sizeof(DCE2_ByteTestData))); + "Cleaning ByteTest data: %u bytes.\n", + sizeof(DCE2_ByteTestData))); DCE2_Free(data, sizeof(DCE2_ByteTestData), DCE2_MEM_TYPE__ROPTION); } @@ -2144,7 +2382,8 @@ return; DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MEMORY, - "Cleaning ByteJump data: %u bytes.\n", sizeof(DCE2_ByteJumpData))); + "Cleaning ByteJump data: %u bytes.\n", + sizeof(DCE2_ByteJumpData))); DCE2_Free(data, sizeof(DCE2_ByteJumpData), DCE2_MEM_TYPE__ROPTION); } @@ -2177,9 +2416,9 @@ mix(a, b, c); a += (iface_data->iface.node[2] << 24) | - (iface_data->iface.node[3] << 16) | - (iface_data->iface.node[4] << 8) | - (iface_data->iface.node[5]); + (iface_data->iface.node[3] << 16) | + (iface_data->iface.node[4] << 8) | + (iface_data->iface.node[5]); b += iface_data->iface_vers; c += iface_data->iface_vers_maj; @@ -2253,7 +2492,7 @@ default: DCE2_Die("%s(%d) Invalid opnum type: %d", - __FILE__, __LINE__, odata->type); + __FILE__, __LINE__, odata->type); break; } @@ -2289,7 +2528,7 @@ c += bt_data->relative; final(a, b, c); - + return c; } @@ -2344,11 +2583,11 @@ return PREPROC_OPT_NOT_EQUAL; if ((DCE2_UuidCompare(&left->iface, &right->iface) == 0) && - (left->iface_vers == right->iface_vers) && - (left->iface_vers_maj == right->iface_vers_maj) && - (left->iface_vers_min == right->iface_vers_min) && - (left->operator == right->operator) && - (left->any_frag == right->any_frag)) + (left->iface_vers == right->iface_vers) && + (left->iface_vers_maj == right->iface_vers_maj) && + (left->iface_vers_min == right->iface_vers_min) && + (left->operator == right->operator) && + (left->any_frag == right->any_frag)) { return PREPROC_OPT_EQUAL; } 
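Review bot: The re-indented `a += (iface_data->iface.node[2] << 24) | …` in the -2177 hunk left-shifts `node[2]` by 24 after integer promotion; if `node` is an 8-bit type (it reads like a UUID node field, which the hunk does not confirm) any byte of 0x80 or above overflows `int`, which is undefined behaviour in C. Cast the operand first, `a += ((uint32_t)iface_data->iface.node[2] << 24) |`, and do the same on the other three shifts. The enclosing hash function starts and ends outside the hunk; the other hunks on this line are whitespace-only.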
@@ -2398,8 +2637,8 @@ DCE2_OpnumMultiple *rmult = (DCE2_OpnumMultiple *)right; if ((lmult->mask_size != rmult->mask_size) || - (lmult->opnum_lo != rmult->opnum_lo) || - (lmult->opnum_hi != rmult->opnum_hi)) + (lmult->opnum_lo != rmult->opnum_lo) || + (lmult->opnum_hi != rmult->opnum_hi)) { return PREPROC_OPT_NOT_EQUAL; } @@ -2415,7 +2654,7 @@ default: DCE2_Die("%s(%d) Invalid opnum type: %d", - __FILE__, __LINE__, left->type); + __FILE__, __LINE__, left->type); break; } @@ -2441,11 +2680,11 @@ return PREPROC_OPT_NOT_EQUAL; if ((left->num_bytes == right->num_bytes) && - (left->value == right->value) && - (left->invert == right->invert) && - (left->operator == right->operator) && - (left->offset == right->offset) && - (left->relative == right->relative)) + (left->value == right->value) && + (left->invert == right->invert) && + (left->operator == right->operator) && + (left->offset == right->offset) && + (left->relative == right->relative)) { return PREPROC_OPT_EQUAL; } @@ -2472,10 +2711,10 @@ return PREPROC_OPT_NOT_EQUAL; if ((left->num_bytes == right->num_bytes) && - (left->offset == right->offset) && - (left->relative == right->relative) && - (left->multiplier == right->multiplier) && - (left->align == right->align)) + (left->offset == right->offset) && + (left->relative == right->relative) && + (left->multiplier == right->multiplier) && + (left->align == right->align)) { return PREPROC_OPT_EQUAL; } 
@@ -2503,17 +2742,17 @@ } else { - printf("Iface: %s\n", DCE2_UuidToStr(&ropts->iface, DCERPC_BO_FLAG__NONE)); + printf("Iface: %s\n", DCE2_UuidToStr(&ropts->iface, DCERPC_BO_FLAG__NONE)); printf("Iface version: %u\n", ropts->iface_vers_maj); } if (ropts->opnum == DCE2_SENTINEL) printf("Opnum: unset\n"); else printf("Opnum: %u\n", ropts->opnum); printf("Header byte order: %s\n", - ropts->hdr_byte_order == DCERPC_BO_FLAG__LITTLE_ENDIAN ? "little endian" : - (ropts->hdr_byte_order == DCERPC_BO_FLAG__BIG_ENDIAN ? "big endian" : "unset")); + ropts->hdr_byte_order == DCERPC_BO_FLAG__LITTLE_ENDIAN ? "little endian" : + (ropts->hdr_byte_order == DCERPC_BO_FLAG__BIG_ENDIAN ? "big endian" : "unset")); printf("Data byte order: %s\n", - ropts->data_byte_order == DCERPC_BO_FLAG__LITTLE_ENDIAN ? "little endian" : - (ropts->data_byte_order == DCERPC_BO_FLAG__BIG_ENDIAN ? "big endian" : "unset")); + ropts->data_byte_order == DCERPC_BO_FLAG__LITTLE_ENDIAN ? "little endian" : + (ropts->data_byte_order == DCERPC_BO_FLAG__BIG_ENDIAN ? "big endian" : "unset")); if (ropts->stub_data != NULL) printf("Stub data: %p\n", ropts->stub_data); else printf("Stub data: NULL\n"); } 
@@ -2544,6 +2783,89 @@ buf[sizeof(buf) - 1] = '\0'; DCE2_Die("%s(%d): %s Please consult documentation.", - *_dpd.config_file, *_dpd.config_line, buf); + *_dpd.config_file, *_dpd.config_line, buf); } + +/********************************** + * Function: DCE2_GetByteOrder() + * + * Gets the byte order needed for a byte_test, byte_jump, or byte_extract. + * + * Arguments: + * Packet * + * packet being evaluated + * int32_t + * offset into the packet payload where the rule will be evaluated. + * calling function is responsible for checking that the offset is in-bounds. + * + * Returns: + * DCE2_SENTINEL (-1) if byte order not set, or otherwise not evaluating + * BIG (0) if byte order is big-endian + * LITTLE (1) if byte order is little-endian + * + **********************************/ +#define BIG 0 +#define LITTLE 1 +int DCE2_GetByteOrder(void *data, int32_t offset) +{ + DCE2_SsnData *sd; + DCE2_Roptions *ropts; + DceRpcBoFlag byte_order; + const uint8_t *data_ptr; + SFSnortPacket *p = (SFSnortPacket *)data; + + if (p == NULL) + return -1; + + sd = (DCE2_SsnData *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_DCE2); + if (sd == NULL) + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "No session data - not evaluating.\n")); + return -1; + } + + ropts = &sd->ropts; + + if ((ropts->data_byte_order == DCE2_SENTINEL) || + (ropts->hdr_byte_order == DCE2_SENTINEL)) + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Data byte order or header byte order not set " + "in rule options - not evaluating.\n")); + return -1; + } + + /* Determine which byte order to use */ + data_ptr = p->payload + offset; + + if (ropts->stub_data == NULL) + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Stub data is NULL. " + "Setting byte order to that of the header.\n")); + byte_order = (DceRpcBoFlag)ropts->hdr_byte_order; + } + else if (data_ptr < ropts->stub_data) + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Reading data in the header. 
Setting byte order " + "to that of the header.\n")); + byte_order = (DceRpcBoFlag)ropts->hdr_byte_order; + } + else + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, + "Reading data in the stub. Setting byte order " + "to that of the stub data.\n")); + byte_order = (DceRpcBoFlag)ropts->data_byte_order; + } + + /* Return ints, since this enum doesn't exist back in Snort-land. */ + if (byte_order == DCERPC_BO_FLAG__BIG_ENDIAN) + return BIG; + if (byte_order == DCERPC_BO_FLAG__LITTLE_ENDIAN) + return LITTLE; + + return -1; +} diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_roptions.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_roptions.h --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_roptions.h 2009-01-26 18:54:52.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_roptions.h 2011-02-09 23:23:14.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -57,6 +57,7 @@ ********************************************************************/ void DCE2_RegRuleOptions(void); void DCE2_PrintRoptions(DCE2_Roptions *); +int DCE2_GetByteOrder(void *, int32_t); #endif /* _DCE2_ROPTIONS_H_ */ diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_session.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_session.h --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_session.h 2009-05-06 22:28:53.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_session.h 2011-06-08 00:33:12.000000000 +0000 
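Review bot: `DCE2_GetByteOrder()` calls `get_application_data(p->stream_session_ptr, PP_DCE2)` with no check that `p->stream_session_ptr` is set or that there is a payload, whereas every other evaluator in this file gates on `DCE2_RoptDoEval(p)` first; add `if (p->stream_session_ptr == NULL) return -1;` after the NULL check on `p`. The header comment delegates bounds checking of `offset` to the caller, yet `data_ptr = p->payload + offset` is formed unconditionally, so a negative or oversized offset yields an out-of-object pointer before it is compared; a guard `if ((offset < 0) || ((uint32_t)offset >= p->payload_size)) return -1;` enforces the documented contract cheaply. `#define BIG 0` and `#define LITTLE 1` are unprefixed macros introduced mid-file with no `#undef`, in a file that otherwise uses `DCE2_`-prefixed enums; a prefixed enum (for example `enum { DCE2_BO__BIG = 0, DCE2_BO__LITTLE = 1 }`) avoids collisions with anything included later. This function also reads from `p->payload` while the byte_jump evaluator above now honours the alternative detect buffer — a comment should say whether that asymmetry is intended.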
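Review bot: The new public prototype `int DCE2_GetByteOrder(void *, int32_t);` takes the packet as `void *` even though the implementation immediately casts it to `SFSnortPacket *`, and the neighbouring declaration in this header, `DCE2_PrintRoptions(DCE2_Roptions *)`, is typed; unless the `void *` is required by a callback signature on the Snort side (this hunk does not show one), declare it as `SFSnortPacket *` so the compiler checks callers. The declaration also deserves the return convention in a comment, e.g. `/* -1 = not evaluable, 0 = big-endian, 1 = little-endian */`.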
@@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -17,7 +17,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * **************************************************************************** - * + * ****************************************************************************/ #ifndef _DCE2_SESSION_H_ @@ -33,11 +33,6 @@ #include "sf_dynamic_preprocessor.h" /******************************************************************** - * Extern variables - ********************************************************************/ -extern DynamicPreprocessorData _dpd; - -/******************************************************************** * Enumerations ********************************************************************/ typedef enum _DCE2_SsnFlag 
@@ -82,34 +77,34 @@ /******************************************************************** * Inline function prototypes ********************************************************************/ -static INLINE int DCE2_SsnIsEstablished(const SFSnortPacket *); -static INLINE int DCE2_SsnIsMidstream(const SFSnortPacket *); -static INLINE void DCE2_SsnSetAppData(const SFSnortPacket *, void *, StreamAppDataFree); -static INLINE void * DCE2_SsnGetAppData(const SFSnortPacket *); -static INLINE int DCE2_SsnGetReassembly(const SFSnortPacket *); -static INLINE void DCE2_SsnSetReassembly(const SFSnortPacket *); -static INLINE int DCE2_SsnIsRebuilt(const SFSnortPacket *); -static INLINE int DCE2_SsnIsStreamInsert(const SFSnortPacket *); -static INLINE void DCE2_SsnFlush(SFSnortPacket *); -static INLINE int DCE2_SsnFromServer(const SFSnortPacket *); -static INLINE int DCE2_SsnFromClient(const SFSnortPacket *); -static INLINE int DCE2_SsnClientMissedInReassembled(const SFSnortPacket *); -static INLINE int DCE2_SsnServerMissedInReassembled(const SFSnortPacket *); -static INLINE void DCE2_SsnSetMissedPkts(DCE2_SsnData *); -static INLINE int DCE2_SsnMissedPkts(DCE2_SsnData *); -static INLINE void DCE2_SsnClearMissedPkts(DCE2_SsnData *); -static INLINE void DCE2_SsnSetSeenClient(DCE2_SsnData *); -static INLINE int DCE2_SsnSeenClient(DCE2_SsnData *); -static INLINE void DCE2_SsnSetSeenServer(DCE2_SsnData *); -static INLINE int DCE2_SsnSeenServer(DCE2_SsnData *); -static INLINE void DCE2_SsnSetAutodetected(DCE2_SsnData *, const SFSnortPacket *); -static INLINE int DCE2_SsnAutodetected(DCE2_SsnData *); -static INLINE int DCE2_SsnAutodetectDir(DCE2_SsnData *); -static INLINE void DCE2_SsnSetNoInspect(DCE2_SsnData *); -static INLINE int DCE2_SsnNoInspect(DCE2_SsnData *sd); +static inline int DCE2_SsnIsEstablished(const SFSnortPacket *); +static inline int DCE2_SsnIsMidstream(const SFSnortPacket *); +static inline void DCE2_SsnSetAppData(const SFSnortPacket *, void *, StreamAppDataFree); 
+static inline void * DCE2_SsnGetAppData(const SFSnortPacket *); +static inline int DCE2_SsnGetReassembly(const SFSnortPacket *); +static inline void DCE2_SsnSetReassembly(const SFSnortPacket *); +static inline int DCE2_SsnIsRebuilt(const SFSnortPacket *); +static inline int DCE2_SsnIsStreamInsert(const SFSnortPacket *); +static inline void DCE2_SsnFlush(SFSnortPacket *); +static inline int DCE2_SsnFromServer(const SFSnortPacket *); +static inline int DCE2_SsnFromClient(const SFSnortPacket *); +static inline int DCE2_SsnClientMissedInReassembled(const SFSnortPacket *); +static inline int DCE2_SsnServerMissedInReassembled(const SFSnortPacket *); +static inline void DCE2_SsnSetMissedPkts(DCE2_SsnData *); +static inline int DCE2_SsnMissedPkts(DCE2_SsnData *); +static inline void DCE2_SsnClearMissedPkts(DCE2_SsnData *); +static inline void DCE2_SsnSetSeenClient(DCE2_SsnData *); +static inline int DCE2_SsnSeenClient(DCE2_SsnData *); +static inline void DCE2_SsnSetSeenServer(DCE2_SsnData *); +static inline int DCE2_SsnSeenServer(DCE2_SsnData *); +static inline void DCE2_SsnSetAutodetected(DCE2_SsnData *, const SFSnortPacket *); +static inline int DCE2_SsnAutodetected(DCE2_SsnData *); +static inline int DCE2_SsnAutodetectDir(DCE2_SsnData *); +static inline void DCE2_SsnSetNoInspect(DCE2_SsnData *); +static inline int DCE2_SsnNoInspect(DCE2_SsnData *sd); -static INLINE uint16_t DCE2_SsnGetOverlap(DCE2_SsnData *); -static INLINE uint32_t DCE2_SsnGetMissedBytes(DCE2_SsnData *sd); +static inline uint16_t DCE2_SsnGetOverlap(DCE2_SsnData *); +static inline uint32_t DCE2_SsnGetMissedBytes(DCE2_SsnData *sd); /******************************************************************** * Function: DCE2_SsnIsEstablished() 
@@ -124,7 +119,7 @@ * zero if the session is not established. * ********************************************************************/ -static INLINE int DCE2_SsnIsEstablished(const SFSnortPacket *p) +static inline int DCE2_SsnIsEstablished(const SFSnortPacket *p) { return _dpd.streamAPI->get_session_flags (p->stream_session_ptr) & SSNFLAG_ESTABLISHED; @@ -144,7 +139,7 @@ * zero if the session was not picked up midstream. * ********************************************************************/ -static INLINE int DCE2_SsnIsMidstream(const SFSnortPacket *p) +static inline int DCE2_SsnIsMidstream(const SFSnortPacket *p) { return _dpd.streamAPI->get_session_flags (p->stream_session_ptr) & SSNFLAG_MIDSTREAM; @@ -167,7 +162,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_SsnSetAppData(const SFSnortPacket *p, void *data, StreamAppDataFree sdfree) +static inline void DCE2_SsnSetAppData(const SFSnortPacket *p, void *data, StreamAppDataFree sdfree) { _dpd.streamAPI->set_application_data(p->stream_session_ptr, PP_DCE2, data, sdfree); } @@ -184,7 +179,7 @@ * void * - the data stored on the session. * ********************************************************************/ -static INLINE void * DCE2_SsnGetAppData(const SFSnortPacket *p) +static inline void * DCE2_SsnGetAppData(const SFSnortPacket *p) { return _dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_DCE2); } @@ -202,7 +197,7 @@ * SSN_DIR_NONE, SSN_DIR_CLIENT, SSN_DIR_SERVER or SSN_DIR_BOTH * ********************************************************************/ -static INLINE int DCE2_SsnGetReassembly(const SFSnortPacket *p) +static inline int DCE2_SsnGetReassembly(const SFSnortPacket *p) { return (int)_dpd.streamAPI->get_reassembly_direction(p->stream_session_ptr); } 
@@ -220,7 +215,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_SsnSetReassembly(const SFSnortPacket *p) +static inline void DCE2_SsnSetReassembly(const SFSnortPacket *p) { _dpd.streamAPI->set_reassembly(p->stream_session_ptr, STREAM_FLPOLICY_FOOTPRINT, SSN_DIR_BOTH, STREAM_FLPOLICY_SET_ABSOLUTE); @@ -240,7 +235,7 @@ * zero if the packet is not stream reassembled. * ********************************************************************/ -static INLINE int DCE2_SsnIsRebuilt(const SFSnortPacket *p) +static inline int DCE2_SsnIsRebuilt(const SFSnortPacket *p) { return p->flags & FLAG_REBUILT_STREAM; } @@ -259,7 +254,7 @@ * zero if the packet is not stream inserted. * ********************************************************************/ -static INLINE int DCE2_SsnIsStreamInsert(const SFSnortPacket *p) +static inline int DCE2_SsnIsStreamInsert(const SFSnortPacket *p) { return p->flags & FLAG_STREAM_INSERT; } @@ -276,7 +271,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_SsnFlush(SFSnortPacket *p) +static inline void DCE2_SsnFlush(SFSnortPacket *p) { _dpd.streamAPI->response_flush_stream(p); } @@ -285,7 +280,7 @@ * Function: DCE2_SsnFromServer() * * Purpose: Returns whether or not this packet is from - * the server. + * the server. * * Arguments: * SFSnortPacket * - pointer to packet @@ -295,7 +290,7 @@ * zero if the packet is not from the server. * ********************************************************************/ -static INLINE int DCE2_SsnFromServer(const SFSnortPacket *p) +static inline int DCE2_SsnFromServer(const SFSnortPacket *p) { return p->flags & FLAG_FROM_SERVER; } @@ -304,7 +299,7 @@ * Function: DCE2_SsnFromClient() * * Purpose: Returns whether or not this packet is from - * the client. + * the client. * * Arguments: * SFSnortPacket * - pointer to packet 
@@ -314,7 +309,7 @@ * zero if the packet is not from the client. * ********************************************************************/ -static INLINE int DCE2_SsnFromClient(const SFSnortPacket *p) +static inline int DCE2_SsnFromClient(const SFSnortPacket *p) { return p->flags & FLAG_FROM_CLIENT; } @@ -334,7 +329,7 @@ * SSN_MISSING_BOTH or SSN_MISSING_NONE * ********************************************************************/ -static INLINE int DCE2_SsnClientMissedInReassembled(const SFSnortPacket *p) +static inline int DCE2_SsnClientMissedInReassembled(const SFSnortPacket *p) { return _dpd.streamAPI->missing_in_reassembled(p->stream_session_ptr, SSN_DIR_CLIENT); } @@ -354,7 +349,7 @@ * SSN_MISSING_BOTH or SSN_MISSING_NONE * ********************************************************************/ -static INLINE int DCE2_SsnServerMissedInReassembled(const SFSnortPacket *p) +static inline int DCE2_SsnServerMissedInReassembled(const SFSnortPacket *p) { return _dpd.streamAPI->missing_in_reassembled(p->stream_session_ptr, SSN_DIR_SERVER); } @@ -370,7 +365,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_SsnSetMissedPkts(DCE2_SsnData *sd) +static inline void DCE2_SsnSetMissedPkts(DCE2_SsnData *sd) { sd->flags |= DCE2_SSN_FLAG__MISSED_PKTS; } @@ -389,7 +384,7 @@ * zero if no packets were missed * ********************************************************************/ -static INLINE int DCE2_SsnMissedPkts(DCE2_SsnData *sd) +static inline int DCE2_SsnMissedPkts(DCE2_SsnData *sd) { return sd->flags & DCE2_SSN_FLAG__MISSED_PKTS; } @@ -406,7 +401,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_SsnClearMissedPkts(DCE2_SsnData *sd) +static inline void DCE2_SsnClearMissedPkts(DCE2_SsnData *sd) { sd->flags &= ~DCE2_SSN_FLAG__MISSED_PKTS; } 
@@ -423,7 +418,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_SsnSetSeenClient(DCE2_SsnData *sd) +static inline void DCE2_SsnSetSeenClient(DCE2_SsnData *sd) { sd->flags |= DCE2_SSN_FLAG__SEEN_CLIENT; } @@ -442,7 +437,7 @@ * zero if we haven't seen the client * ********************************************************************/ -static INLINE int DCE2_SsnSeenClient(DCE2_SsnData *sd) +static inline int DCE2_SsnSeenClient(DCE2_SsnData *sd) { return sd->flags & DCE2_SSN_FLAG__SEEN_CLIENT; } @@ -459,7 +454,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_SsnSetSeenServer(DCE2_SsnData *sd) +static inline void DCE2_SsnSetSeenServer(DCE2_SsnData *sd) { sd->flags |= DCE2_SSN_FLAG__SEEN_SERVER; } @@ -478,7 +473,7 @@ * zero if we haven't seen the server * ********************************************************************/ -static INLINE int DCE2_SsnSeenServer(DCE2_SsnData *sd) +static inline int DCE2_SsnSeenServer(DCE2_SsnData *sd) { return sd->flags & DCE2_SSN_FLAG__SEEN_SERVER; } @@ -495,7 +490,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_SsnSetAutodetected(DCE2_SsnData *sd, const SFSnortPacket *p) +static inline void DCE2_SsnSetAutodetected(DCE2_SsnData *sd, const SFSnortPacket *p) { sd->flags |= DCE2_SSN_FLAG__AUTODETECTED; sd->autodetect_dir = p->flags & (FLAG_FROM_CLIENT | FLAG_FROM_SERVER); @@ -514,7 +509,7 @@ * zero if session was not autodetected * ********************************************************************/ -static INLINE int DCE2_SsnAutodetected(DCE2_SsnData *sd) +static inline int DCE2_SsnAutodetected(DCE2_SsnData *sd) { return sd->flags & DCE2_SSN_FLAG__AUTODETECTED; } 
@@ -533,7 +528,7 @@ * zero if session was not autodetected * ********************************************************************/ -static INLINE int DCE2_SsnAutodetectDir(DCE2_SsnData *sd) +static inline int DCE2_SsnAutodetectDir(DCE2_SsnData *sd) { return sd->autodetect_dir; } @@ -550,7 +545,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_SsnClearAutodetected(DCE2_SsnData *sd) +static inline void DCE2_SsnClearAutodetected(DCE2_SsnData *sd) { sd->flags &= ~DCE2_SSN_FLAG__AUTODETECTED; sd->autodetect_dir = 0; @@ -566,7 +561,7 @@ * Returns: * ********************************************************************/ -static INLINE void DCE2_SsnSetNoInspect(DCE2_SsnData *sd) +static inline void DCE2_SsnSetNoInspect(DCE2_SsnData *sd) { sd->flags |= DCE2_SSN_FLAG__NO_INSPECT; } @@ -581,7 +576,7 @@ * Returns: * ********************************************************************/ -static INLINE int DCE2_SsnNoInspect(DCE2_SsnData *sd) +static inline int DCE2_SsnNoInspect(DCE2_SsnData *sd) { return sd->flags & DCE2_SSN_FLAG__NO_INSPECT; } @@ -599,7 +594,7 @@ * uint16_t - the number of overlapped bytes * ********************************************************************/ -static INLINE uint16_t DCE2_SsnGetOverlap(DCE2_SsnData *sd) +static inline uint16_t DCE2_SsnGetOverlap(DCE2_SsnData *sd) { if ((sd->cli_overlap_bytes != 0) && DCE2_SsnFromClient(sd->wire_pkt)) { 
@@ -625,7 +620,7 @@ * uint16_t - the number of overlapped bytes * ********************************************************************/ -static INLINE uint32_t DCE2_SsnGetMissedBytes(DCE2_SsnData *sd) +static inline uint32_t DCE2_SsnGetMissedBytes(DCE2_SsnData *sd) { if ((sd->cli_missed_bytes != 0) && DCE2_SsnFromClient(sd->wire_pkt)) { diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_smb.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_smb.c --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_smb.c 2009-12-15 23:27:53.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_smb.c 2011-10-26 18:28:52.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -17,13 +17,14 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * **************************************************************************** - * + * ****************************************************************************/ #ifdef HAVE_CONFIG_H #include "config.h" #endif +#include "sf_types.h" #include "dce2_smb.h" #include "dce2_tcp.h" #include "dce2_co.h" @@ -38,7 +39,7 @@ #include "sf_snort_packet.h" #include "sf_types.h" #include "profiler.h" -#include "debug.h" +#include "snort_debug.h" #include "sf_dynamic_preprocessor.h" #ifndef WIN32 @@ -54,8 +55,6 @@ * Extern variables ********************************************************************/ extern DCE2_Stats dce2_stats; -extern DynamicPreprocessorData _dpd; -extern char *dce2_smb_coms[]; extern uint8_t dce2_smb_rbuf[]; #ifdef PERF_PROFILING 
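Review bot: The -17 hunk adds `#include "sf_types.h"` at the top of the include list while the -38 hunk's context shows `#include "sf_types.h"` still present a few lines below, so dce2_smb.c now includes the header twice; keep the new top-of-list include, which the ordering suggests is meant to come first, and drop the later one. Whether `sf_dynamic_preprocessor.h` now supplies the `_dpd` declaration that the -54 hunk removes I cannot confirm from this view.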
@@ -82,6 +81,7 @@ static DCE2_Ret DCE2_NbssHdrChecks(DCE2_SmbSsnData *, const NbssHdr *); static DCE2_Ret DCE2_SmbHdrChecks(DCE2_SmbSsnData *, const SmbNtHdr *); static int DCE2_SmbInspect(DCE2_SmbSsnData *, const SmbNtHdr *); +static uint32_t DCE2_IgnoreJunkData(const uint8_t *, uint16_t, uint32_t); static void DCE2_SmbProcessData(DCE2_SmbSsnData *, const uint8_t *, uint32_t); static void DCE2_SmbHandleCom(DCE2_SmbSsnData *, const SmbNtHdr *, const uint8_t *, uint32_t); 
@@ -111,18 +111,18 @@ static int DCE2_SmbGetComSize(DCE2_SmbSsnData *, const SmbNtHdr *, const SmbCommon *, const int); static int DCE2_SmbGetBcc(DCE2_SmbSsnData *, const SmbNtHdr *, const SmbCommon *, const uint16_t, const int); -static INLINE DCE2_Ret DCE2_SmbCheckComSize(DCE2_SmbSsnData *, const uint32_t, const uint16_t, const int); -static INLINE DCE2_Ret DCE2_SmbCheckBcc(DCE2_SmbSsnData *, const uint32_t, const uint16_t, const int); -static INLINE DCE2_Ret DCE2_SmbCheckDsize(DCE2_SmbSsnData *, const uint32_t, +static inline DCE2_Ret DCE2_SmbCheckComSize(DCE2_SmbSsnData *, const uint32_t, const uint16_t, const int); +static inline DCE2_Ret DCE2_SmbCheckBcc(DCE2_SmbSsnData *, const uint32_t, const uint16_t, const int); +static inline DCE2_Ret DCE2_SmbCheckDsize(DCE2_SmbSsnData *, const uint32_t, const uint16_t, const uint16_t, const int); -static INLINE DCE2_Ret DCE2_SmbCheckTotDcnt(DCE2_SmbSsnData *, const uint16_t, const uint16_t, const int); -static INLINE DCE2_Ret DCE2_SmbCheckOffset(DCE2_SmbSsnData *, const uint8_t *, const uint8_t *, +static inline DCE2_Ret DCE2_SmbCheckTotDcnt(DCE2_SmbSsnData *, const uint16_t, const uint16_t, const int); +static inline DCE2_Ret DCE2_SmbCheckOffset(DCE2_SmbSsnData *, const uint8_t *, const uint8_t *, const uint32_t, const int); -static INLINE void DCE2_SmbInvalidShareCheck(DCE2_SmbSsnData *, const SmbNtHdr *, const uint8_t *, uint32_t); +static inline void DCE2_SmbInvalidShareCheck(DCE2_SmbSsnData *, const SmbNtHdr *, const uint8_t *, uint32_t); -static INLINE void DCE2_SmbSetReadFidNode(DCE2_SmbSsnData *, uint16_t, uint16_t, uint16_t, int); -static INLINE DCE2_SmbFidTrackerNode * DCE2_SmbGetReadFidNode(DCE2_SmbSsnData *); +static inline void DCE2_SmbSetReadFidNode(DCE2_SmbSsnData *, uint16_t, uint16_t, uint16_t, int); +static inline DCE2_SmbFidTrackerNode * DCE2_SmbGetReadFidNode(DCE2_SmbSsnData *); static void DCE2_SmbChained(DCE2_SmbSsnData *, const SmbNtHdr *, const SmbAndXCommon *, const int, const uint8_t *, 
uint32_t); @@ -148,20 +148,20 @@ const uint16_t, const uint16_t); static void DCE2_SmbRemoveFid(DCE2_SmbSsnData *, const uint16_t, const uint16_t, const uint16_t); -static INLINE DCE2_SmbPMNode * DCE2_SmbInsertPMNode(DCE2_SmbSsnData *, const SmbNtHdr *, +static inline DCE2_SmbPMNode * DCE2_SmbInsertPMNode(DCE2_SmbSsnData *, const SmbNtHdr *, DCE2_SmbFidNode *, const uint16_t); -static INLINE void DCE2_SmbRemovePMNode(DCE2_SmbSsnData *, const SmbNtHdr *); -static INLINE DCE2_SmbPMNode * DCE2_SmbFindPMNode(DCE2_SmbSsnData *, const SmbNtHdr *); -static INLINE DCE2_Ret DCE2_SmbAddDataToPMNode(DCE2_SmbSsnData *, DCE2_SmbPMNode *, const uint8_t *, +static inline void DCE2_SmbRemovePMNode(DCE2_SmbSsnData *, const SmbNtHdr *); +static inline DCE2_SmbPMNode * DCE2_SmbFindPMNode(DCE2_SmbSsnData *, const SmbNtHdr *); +static inline DCE2_Ret DCE2_SmbAddDataToPMNode(DCE2_SmbSsnData *, DCE2_SmbPMNode *, const uint8_t *, uint16_t, uint16_t); static void DCE2_SmbQueueTmpFid(DCE2_SmbSsnData *); static void DCE2_SmbInsertFidNode(DCE2_SmbSsnData *, const uint16_t, const uint16_t, const uint16_t, DCE2_SmbFidTrackerNode *); -static INLINE void DCE2_SmbCleanFidNode(DCE2_SmbFidTrackerNode *); -static INLINE void DCE2_SmbCleanUTNode(DCE2_SmbUTNode *); -static INLINE void DCE2_SmbCleanPMNode(DCE2_SmbPMNode *); +static inline void DCE2_SmbCleanFidNode(DCE2_SmbFidTrackerNode *); +static inline void DCE2_SmbCleanUTNode(DCE2_SmbUTNode *); +static inline void DCE2_SmbCleanPMNode(DCE2_SmbPMNode *); static int DCE2_SmbUTFCompare(const void *, const void *); static int DCE2_SmbUTPtreeCompare(const void *, const void *); 
@@ -172,15 +172,15 @@ static void DCE2_SmbFidTrackerDataFree(void *); static void DCE2_SmbPMDataFree(void *); -static INLINE void DCE2_SmbResetForMissedPkts(DCE2_SmbSsnData *); +static inline void DCE2_SmbResetForMissedPkts(DCE2_SmbSsnData *); static void DCE2_SmbSetMissedFids(DCE2_SmbSsnData *); -static INLINE DCE2_Ret DCE2_SmbHandleSegmentation(DCE2_SmbSeg *, const uint8_t *, uint16_t, uint32_t, uint16_t *); -static INLINE int DCE2_SmbIsSegBuf(DCE2_SmbSsnData *, const uint8_t *); -static INLINE void DCE2_SmbSegAlert(DCE2_SmbSsnData *, DCE2_Event); -static INLINE int DCE2_SmbIsRawData(DCE2_SmbSsnData *); +static inline DCE2_Ret DCE2_SmbHandleSegmentation(DCE2_SmbSeg *, const uint8_t *, uint16_t, uint32_t, uint16_t *, int); +static inline int DCE2_SmbIsSegBuf(DCE2_SmbSsnData *, const uint8_t *); +static inline void DCE2_SmbSegAlert(DCE2_SmbSsnData *, DCE2_Event); +static inline int DCE2_SmbIsRawData(DCE2_SmbSsnData *); -static INLINE DCE2_SmbSeg * DCE2_SmbGetSegPtr(DCE2_SmbSsnData *); -static INLINE uint32_t * DCE2_SmbGetIgnorePtr(DCE2_SmbSsnData *); +static inline DCE2_SmbSeg * DCE2_SmbGetSegPtr(DCE2_SmbSsnData *); +static inline uint32_t * DCE2_SmbGetIgnorePtr(DCE2_SmbSsnData *); /******************************************************************** * Function: @@ -436,6 +436,7 @@ uint32_t nb_len; uint16_t data_used; uint32_t nb_need; + DCE2_Ret nb_ret; /* Not enough data for NetBIOS header ... add data to segmentation buffer */ if (data_len < nb_hdr_need) @@ -443,7 +444,7 @@ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Data len(%u) < NetBIOS SS header(%u). " "Queueing data.\n", data_len, nb_hdr_need)); - DCE2_SmbHandleSegmentation(seg, data_ptr, data_len, nb_hdr_need, &data_used); + DCE2_SmbHandleSegmentation(seg, data_ptr, data_len, nb_hdr_need, &data_used, 1); return; } 
@@ -452,11 +453,26 @@ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "NetBIOS SS len: %u\n", nb_len)); /* Only look at session messages - these contain SMBs */ - if (DCE2_NbssHdrChecks(ssd, (NbssHdr *)data_ptr) != DCE2_RET__SUCCESS) + nb_ret = DCE2_NbssHdrChecks(ssd, (NbssHdr *)data_ptr); + if (nb_ret != DCE2_RET__SUCCESS) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Not a NetBIOS Session Message.\n")); - *ignore_bytes = nb_need; + if (nb_ret == DCE2_RET__IGNORE) + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Valid NetBIOS header " + "type so ignoring NetBIOS length bytes.\n")); + *ignore_bytes = nb_need; + } + else // nb_ret == DCE2_RET__ERROR, i.e. invalid NetBIOS type + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Not a valid NetBIOS " + "header type so trying to find \\xffSMB to " + "determine how many bytes to ignore.\n")); + + *ignore_bytes = DCE2_IgnoreJunkData(data_ptr, data_len, nb_need); + } + dce2_stats.smb_ignored_bytes += *ignore_bytes; continue; } @@ -471,7 +487,7 @@ "Queueing data.\n", data_len, smb_hdr_need)); seg->nb_len = nb_len; - DCE2_SmbHandleSegmentation(seg, data_ptr, data_len, smb_hdr_need, &data_used); + DCE2_SmbHandleSegmentation(seg, data_ptr, data_len, smb_hdr_need, &data_used, 1); return; } @@ -516,7 +532,7 @@ "Queueing data.\n", data_len, nb_len)); seg->nb_len = nb_len; - DCE2_SmbHandleSegmentation(seg, data_ptr, data_len, nb_need, &data_used); + DCE2_SmbHandleSegmentation(seg, data_ptr, data_len, nb_need, &data_used, 1); return; } @@ -531,6 +547,8 @@ const NbssHdr *nb_hdr; uint16_t data_used; uint32_t nb_need; + int append = 0; + DCE2_Ret nb_ret; DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Segmentation handling => current buffer " "length: %u\n", DCE2_BufferLength(seg->buf))); 
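Review bot: `*ignore_bytes = DCE2_IgnoreJunkData(data_ptr, data_len, nb_need);` passes `data_len`, which is a `uint32_t` per the `DCE2_SmbProcessData` prototype earlier in this diff, into a `uint16_t` parameter, so a reassembled buffer longer than 65535 bytes is silently truncated and the `\xffSMB` scan stops early, returning a too-small skip count that re-enters this loop on the same junk. Whether stream reassembly can hand this function more than 64K at once I cannot tell from the diff, but the helper's parameter should simply be `uint32_t data_len` so the scanned range and the caller's view agree. It is also worth a comment here that the value must be non-zero for the `continue` to make progress, since the loop restarts at `data_ptr` with nothing else advanced. The enclosing loop and function begin before this hunk.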
@@ -541,7 +559,8 @@ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Seg buf len(%u) < NetBIOS SS header(%u). " "Queueing data.\n", DCE2_BufferLength(seg->buf), nb_hdr_need)); - status = DCE2_SmbHandleSegmentation(seg, data_ptr, data_len, nb_hdr_need, &data_used); + append = 1; + status = DCE2_SmbHandleSegmentation(seg, data_ptr, data_len, nb_hdr_need, &data_used, append); if (status != DCE2_RET__SUCCESS) return; @@ -552,11 +571,26 @@ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "SEG: NetBIOS SS len: %u\n", seg->nb_len)); /* Only look at session messages - these contain SMBs */ - if (DCE2_NbssHdrChecks(ssd, (NbssHdr *)DCE2_BufferData(seg->buf)) != DCE2_RET__SUCCESS) + nb_ret = DCE2_NbssHdrChecks(ssd, (NbssHdr *)DCE2_BufferData(seg->buf)); + if (nb_ret != DCE2_RET__SUCCESS) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Not a NetBIOS Session Message.\n")); - *ignore_bytes = seg->nb_len; + if (nb_ret == DCE2_RET__IGNORE) + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Valid NetBIOS header " + "type so ignoring NetBIOS length bytes.\n")); + *ignore_bytes = seg->nb_len; + } + else // nb_ret == DCE2_RET__ERROR, i.e. invalid NetBIOS type + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Not a valid NetBIOS " + "header type so trying to find \\xffSMB to " + "determine how many bytes to ignore.\n")); + + *ignore_bytes = DCE2_IgnoreJunkData(data_ptr, data_len, seg->nb_len); + } + dce2_stats.smb_ignored_bytes += *ignore_bytes; DCE2_BufferEmpty(seg->buf); continue; 
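Review bot: In the segmentation path `DCE2_IgnoreJunkData(data_ptr, data_len, seg->nb_len)` scans the remainder of the current packet, but the NetBIOS header that failed `DCE2_NbssHdrChecks` lives in `seg->buf` and `data_ptr` has already been advanced past the bytes copied into it (the `DCE2_MOVE(data_ptr, data_len, data_used)` after the next segmentation call shows that flow). The helper's `tmp_ptr - sizeof(NbssHdr)` arithmetic assumes the bad header precedes the signature in the same buffer, which no longer holds here: if a good NetBIOS header starts exactly at `data_ptr` (signature at offset 4), the strict `>` inside the helper falls back to `seg->nb_len` and the legitimate message is skipped, if I read the flow right. At minimum add `/* data_ptr is already past the bad NBSS header held in seg->buf; offsets returned are relative to the rest of this packet */` above the call, or pass the helper the number of header bytes already consumed so it can treat offset 0 as the start of the next message. The enclosing function continues beyond this hunk.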
@@ -573,14 +607,14 @@ { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Seg buf len(%u) < NetBIOS SS header + SMB header(%u). " "Queueing data.\n", DCE2_BufferLength(seg->buf), smb_hdr_need)); - - status = DCE2_SmbHandleSegmentation(seg, data_ptr, data_len, smb_hdr_need, &data_used); + append = 1; + status = DCE2_SmbHandleSegmentation(seg, data_ptr, data_len, smb_hdr_need, &data_used, append); if (status != DCE2_RET__SUCCESS) return; /* Reset nb_hdr since the seg buffer probably needed to be realloc'ed */ - nb_hdr = (NbssHdr *)DCE2_BufferData(seg->buf); + nb_hdr = (NbssHdr *)DCE2_BufferData(seg->buf); /* We've got the SMB header */ DCE2_MOVE(data_ptr, data_len, data_used); @@ -615,7 +649,7 @@ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Seg buf len(%u) < NetBIOS SS header + seg->nb_len(%u). " "Queueing data.\n", DCE2_BufferLength(seg->buf), seg->nb_len)); - status = DCE2_SmbHandleSegmentation(seg, data_ptr, data_len, nb_need, &data_used); + status = DCE2_SmbHandleSegmentation(seg, data_ptr, data_len, nb_need, &data_used, append); if (status != DCE2_RET__SUCCESS) return; 
@@ -630,6 +664,62 @@ } /******************************************************************** + * Function: DCE2_IgnoreJunkData() + * + * Purpose: + * An evasion technique can be to put a bunch of junk data before + * the actual SMB request and it seems the MS implementation has + * no problem with it and seems to just ignore the data. This + * function attempts to move past all the junk to get to the + * actual NetBIOS message request. + * + * Arguments: + * const uint8_t * - pointer to the current position in the data + * being inspected + * uint16_t - the amount of data left to look at + * uint32_t - the amount of data to ignore if there doesn't seem + * to be any junk data. Just use the length as if the bad + * NetBIOS header was good. + * + * Returns: + * uint32_t - the amount of bytes to ignore as junk. + * + ********************************************************************/ +static uint32_t DCE2_IgnoreJunkData(const uint8_t *data_ptr, uint16_t data_len, + uint32_t assumed_nb_len) +{ + const uint8_t *tmp_ptr = data_ptr; + uint32_t ignore_bytes = 0; + + /* Try to find \xffSMB and go back 8 bytes to beginning + * of what should be a Netbios header with type Session + * Message (\x00) - do appropriate buffer checks to make + * sure the index is in bounds. Ignore all intervening + * bytes */ + + while ((tmp_ptr + sizeof(uint32_t)) <= (data_ptr + data_len)) + { + if (SmbId((SmbNtHdr *)tmp_ptr) == DCE2_SMB_ID) + break; + tmp_ptr++; + } + + if ((tmp_ptr + sizeof(uint32_t)) > (data_ptr + data_len)) + { + ignore_bytes = data_len; + } + else + { + if ((tmp_ptr - sizeof(NbssHdr)) > data_ptr) + ignore_bytes = (tmp_ptr - data_ptr) - sizeof(NbssHdr); + else /* Just ignore whatever the bad NB header had as a length */ + ignore_bytes = assumed_nb_len; + } + + return ignore_bytes; +} + +/******************************************************************** * Function: * * Purpose: 
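Review bot: `if ((tmp_ptr - sizeof(NbssHdr)) > data_ptr)` forms a pointer up to four bytes before `data_ptr` whenever the signature is found near the start of the buffer, which is undefined behaviour in C even though only the comparison is intended; compare distances instead: `if ((size_t)(tmp_ptr - data_ptr) > sizeof(NbssHdr))`. The strict comparison also means a signature found exactly `sizeof(NbssHdr)` bytes in (only the NetBIOS type byte is bad) takes the `assumed_nb_len` branch rather than skipping just the header; if that is deliberate because it keeps the return value non-zero so callers always make progress, state that in the comment above the loop. `SmbId((SmbNtHdr *)tmp_ptr)` is evaluated at every byte offset, so this relies on `SmbId` tolerating unaligned reads; fine on x86 but worth a note if the macro dereferences a `uint32_t` directly. Finally `data_len` should be `uint32_t` to match the callers' length type rather than `uint16_t`.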
@@ -671,8 +761,9 @@ switch (policy) { case DCE2_POLICY__SAMBA: - case DCE2_POLICY__SAMBA_3_0_20: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_20: return 0; default: @@ -862,7 +953,7 @@ alert = 1; break; } - + break; case SMB_COM_LOGOFF_ANDX: @@ -1353,7 +1444,7 @@ if (alert) { - DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_BAD_WCT, dce2_smb_coms[com], wct); + DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_BAD_WCT, wct); return -1; } @@ -1591,7 +1682,7 @@ if (alert) { - DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_BAD_BCC, dce2_smb_coms[com], bcc); + DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_BAD_BCC, bcc); return -1; } @@ -1608,13 +1699,12 @@ * Returns: * ********************************************************************/ -static INLINE DCE2_Ret DCE2_SmbCheckComSize(DCE2_SmbSsnData *ssd, const uint32_t nb_len, +static inline DCE2_Ret DCE2_SmbCheckComSize(DCE2_SmbSsnData *ssd, const uint32_t nb_len, const uint16_t com_len, const int smb_com) { if (nb_len < com_len) { - DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_NB_LT_COM, - dce2_smb_coms[smb_com], nb_len, com_len); + DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_NB_LT_COM, nb_len, com_len); return DCE2_RET__ERROR; } @@ -1632,13 +1722,12 @@ * Returns: * ********************************************************************/ -static INLINE DCE2_Ret DCE2_SmbCheckBcc(DCE2_SmbSsnData *ssd, const uint32_t nb_len, +static inline DCE2_Ret DCE2_SmbCheckBcc(DCE2_SmbSsnData *ssd, const uint32_t nb_len, const uint16_t bcc, const int smb_com) { if (nb_len < bcc) { - DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_NB_LT_BCC, - dce2_smb_coms[smb_com], nb_len, bcc); + DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_NB_LT_BCC, nb_len, bcc); return DCE2_RET__ERROR; } 
@@ -1656,20 +1745,18 @@ * Returns: * ********************************************************************/ -static INLINE DCE2_Ret DCE2_SmbCheckDsize(DCE2_SmbSsnData *ssd, const uint32_t nb_len, +static inline DCE2_Ret DCE2_SmbCheckDsize(DCE2_SmbSsnData *ssd, const uint32_t nb_len, const uint16_t dsize, const uint16_t bcc, const int smb_com) { if (nb_len < dsize) { - DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_NB_LT_DSIZE, - dce2_smb_coms[smb_com], nb_len, dsize); + DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_NB_LT_DSIZE, nb_len, dsize); return DCE2_RET__ERROR; } else if (bcc < dsize) { - DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_BCC_LT_DSIZE, - dce2_smb_coms[smb_com], bcc, dsize); + DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_BCC_LT_DSIZE, bcc, dsize); return DCE2_RET__ERROR; } @@ -1687,19 +1774,19 @@ * Returns: * ********************************************************************/ -static INLINE DCE2_Ret DCE2_SmbCheckTotDcnt(DCE2_SmbSsnData *ssd, const uint16_t dcnt, +static inline DCE2_Ret DCE2_SmbCheckTotDcnt(DCE2_SmbSsnData *ssd, const uint16_t dcnt, const uint16_t total_dcnt, const int smb_com) { if (total_dcnt < dcnt) { DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_TDCNT_LT_DSIZE, - dce2_smb_coms[smb_com], (int)total_dcnt, (int)dcnt); + (int)total_dcnt, (int)dcnt); return DCE2_RET__ERROR; } else if (total_dcnt == 0) { - DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_TDCNT_ZERO, dce2_smb_coms[smb_com]); + DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_TDCNT_ZERO); return DCE2_RET__ERROR; } @@ -1721,7 +1808,7 @@ * DCE2_RET__ERROR - Offset is bad. * ********************************************************************/ -static INLINE DCE2_Ret DCE2_SmbCheckOffset(DCE2_SmbSsnData *ssd, const uint8_t *off_ptr, +static inline DCE2_Ret DCE2_SmbCheckOffset(DCE2_SmbSsnData *ssd, const uint8_t *off_ptr, const uint8_t *start_bound, const uint32_t length, const int smb_com) { 
@@ -1730,8 +1817,8 @@ if ((off_ptr < start_bound) || (off_ptr > (start_bound + length))) { - DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_BAD_OFF, dce2_smb_coms[smb_com], - off_ptr, start_bound, start_bound + length); + DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_BAD_OFF, off_ptr, + start_bound, start_bound + length); return DCE2_RET__ERROR; } @@ -1826,7 +1913,7 @@ else DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_BAD_NBSS_TYPE); - break; + return DCE2_RET__ERROR; } return DCE2_RET__IGNORE; @@ -2009,6 +2096,8 @@ case DCE2_POLICY__WINXP: case DCE2_POLICY__WINVISTA: case DCE2_POLICY__WIN2003: + case DCE2_POLICY__WIN2008: + case DCE2_POLICY__WIN7: /* Windows responds to a chained LogoffAndX => SessionSetupAndX with a * word count 3 LogoffAndX without the chained SessionSetupAndX */ if (SmbWct((SmbCommon *)andx) == 3) @@ -2064,7 +2153,7 @@ is_ipc = (int)(uintptr_t)DCE2_CQueueDequeue(ssd->tc_queue); if (is_ipc != DCE2_TC__IPC) return DCE2_RET__SUCCESS; - + /* Didn't get a positive response */ if (SmbError(smb_hdr)) return DCE2_RET__SUCCESS; @@ -2098,7 +2187,7 @@ /* Have at least 4 bytes */ /* If unicode flag is set, strings, except possibly the service string - * are going to be unicode. The NT spec specifies that unicode strings + * are going to be unicode. The NT spec specifies that unicode strings * must be word aligned with respect to the beginning of the SMB and that for * type-prefixed strings (this case), the padding byte is found after the * type format byte */ @@ -2106,7 +2195,7 @@ /* This byte will realign things. */ if (*nb_ptr != SMB_FMT__ASCII) { - DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_BAD_FORMAT, dce2_smb_coms[smb_com], *nb_ptr); + DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_BAD_FORMAT, *nb_ptr); return DCE2_RET__ERROR; } @@ -2134,6 +2223,8 @@ case DCE2_POLICY__WINXP: case DCE2_POLICY__WINVISTA: case DCE2_POLICY__WIN2003: + case DCE2_POLICY__WIN2008: + case DCE2_POLICY__WIN7: if (bs_count > 3) { /* Alert */ 
@@ -2225,7 +2316,7 @@ { /* No space left in queue - way too many tree connects at once */ DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_EXCESSIVE_TREE_CONNECTS, - dce2_smb_coms[SmbCom(smb_hdr)], DCE2_TC__QUEUE_SIZE); + DCE2_TC__QUEUE_SIZE); } } } @@ -2350,7 +2441,7 @@ * Returns: * ********************************************************************/ -static INLINE void DCE2_SmbInvalidShareCheck(DCE2_SmbSsnData *ssd, const SmbNtHdr *smb_hdr, +static inline void DCE2_SmbInvalidShareCheck(DCE2_SmbSsnData *ssd, const SmbNtHdr *smb_hdr, const uint8_t *nb_ptr, uint32_t nb_len) { DCE2_List *share_list = DCE2_ScSmbInvalidShares(ssd->sd.sconfig); @@ -2385,7 +2476,7 @@ /* Test for share match */ for (i = 0; i < share_str_len; i++) { - /* All share strings should have been converted to upper case and + /* All share strings should have been converted to upper case and * should include null terminating bytes */ if ((nb_ptr[i] != share_str[i]) && (nb_ptr[i] != tolower((int)share_str[i]))) break; @@ -2790,7 +2881,7 @@ if (*nb_ptr != SMB_FMT__DATA_BLOCK) { - DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_BAD_FORMAT, dce2_smb_coms[smb_com], *nb_ptr); + DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_BAD_FORMAT, *nb_ptr); return; } @@ -2805,8 +2896,7 @@ if (dsize != (bcc - 3)) { - DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_INVALID_DSIZE, - dce2_smb_coms[smb_com], dsize, bcc); + DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_INVALID_DSIZE, dsize, bcc); } if (!DCE2_QueueIsEmpty(ssd->ft_queue)) @@ -2908,7 +2998,7 @@ if (ssd->br.total_count - dsize < 0) { DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_TDCNT_LT_DSIZE, - dce2_smb_coms[smb_com], (int)ssd->br.total_count, (int)dsize); + (int)ssd->br.total_count, (int)dsize); ssd->br.total_count = 0; } @@ -2980,8 +3070,7 @@ if ((dsize + 1) != bcc) { - DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_INVALID_DSIZE, - dce2_smb_coms[smb_com], dsize, bcc); + DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_INVALID_DSIZE, dsize, bcc); } /* Move past pad */ 
@@ -3002,6 +3091,27 @@ * Returns: * ********************************************************************/ +// the s_* are introduced to avoid having to make lots of changes +// to pass these values from DCE2_SmbWriteAndX() to the callers of +// DCE2_HandleSegmentation(). Should be refactored on rewrite. +static uint16_t s_remain = 0; +static uint32_t s_offset = 0; + +// if we return zero here, it means to append to the +// buffer when DCE2_BufferAddData() is called. +uint16_t DCE2_GetWriteOffset (uint32_t total, int append) +{ + // in header or segment with header + if ( append ) + return 0; + + // calc offset from remaining bytes and pdu total + if ( s_remain > 0 && total >= s_remain ) + return ((uint16_t)(total - s_remain)); + + // this is what was done originally + return 0; +} static void DCE2_SmbWriteAndX(DCE2_SmbSsnData *ssd, const SmbNtHdr *smb_hdr, const uint8_t *nb_ptr, uint32_t nb_len) { @@ -3072,8 +3182,14 @@ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Request fid: 0x%04x\n", fid)); + s_remain = SmbLm10_WriteAndXReqRemaining((SmbLm10_WriteAndXReq *)andx); + s_offset = SmbLm10_WriteAndXReqOffset((SmbLm10_WriteAndXReq *)andx); + DCE2_WriteCoProcess(ssd, smb_hdr, fid, nb_ptr, dsize); + s_remain = 0; + s_offset = 0; + DCE2_MOVE(nb_ptr, nb_len, dsize); } else @@ -3095,7 +3211,7 @@ * Returns: * ********************************************************************/ -static INLINE DCE2_SmbPMNode * DCE2_SmbInsertPMNode(DCE2_SmbSsnData *ssd, const SmbNtHdr *smb_hdr, +static inline DCE2_SmbPMNode * DCE2_SmbInsertPMNode(DCE2_SmbSsnData *ssd, const SmbNtHdr *smb_hdr, DCE2_SmbFidNode *fid_node, const uint16_t total_dcnt) { DCE2_SmbPMNode *pm_node = NULL; @@ -3174,7 +3290,7 @@ } DCE2_DEBUG_CODE(DCE2_DEBUG__SMB, - if (pm_node == NULL) printf("Failed to insert pm_node\n");); + if (pm_node == NULL) printf("Failed to insert pm_node\n");); PREPROC_PROFILE_END(dce2_pstat_smb_trans); 
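Review bot: `s_remain` is taken straight from the client-supplied WriteAndX `Remaining` field and becomes the offset `DCE2_GetWriteOffset` hands to `DCE2_BufferAddData`, so the write position inside the reassembly buffer is now attacker-influenced; make sure `DCE2_BufferAddData` (not in this diff) rejects an offset beyond the buffer's current length and capacity rather than trusting it. `return ((uint16_t)(total - s_remain));` also truncates silently when the difference exceeds 65535, and `s_offset` is assigned around `DCE2_WriteCoProcess` but never read in the visible code. `DCE2_GetWriteOffset` has external linkage and should get a prototype in the header; as the comment already admits, the file-scope statics make this non-reentrant, which is acceptable only while the preprocessor runs single-threaded, and that assumption deserves to be written down next to them. `DCE2_SmbWriteAndX` continues past this hunk.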
@@ -3191,7 +3307,7 @@ * Returns: * ********************************************************************/ -static INLINE DCE2_Ret DCE2_SmbAddDataToPMNode(DCE2_SmbSsnData *ssd, DCE2_SmbPMNode *pm_node, +static inline DCE2_Ret DCE2_SmbAddDataToPMNode(DCE2_SmbSsnData *ssd, DCE2_SmbPMNode *pm_node, const uint8_t *data_ptr, uint16_t data_len, uint16_t data_disp) { DCE2_Ret status; @@ -3225,12 +3341,12 @@ return DCE2_RET__ERROR; } - /* XXX Maybe this is alertable since this is overwriting previously written data + /* XXX Maybe this is alertable since this is overwriting previously written data * and servers don't seem to ever respond */ if (data_disp < DCE2_BufferLength(pm_node->buf)) DCE2_BufferSetLength(pm_node->buf, data_disp); - status = DCE2_BufferAddData(pm_node->buf, data_ptr, data_len, + status = DCE2_BufferAddData(pm_node->buf, data_ptr, data_len, 0, DCE2_BUFFER_MIN_ADD_FLAG__IGNORE); if (status != DCE2_RET__SUCCESS) @@ -3256,7 +3372,7 @@ * Returns: * ********************************************************************/ -static INLINE DCE2_SmbPMNode * DCE2_SmbFindPMNode(DCE2_SmbSsnData *ssd, const SmbNtHdr *smb_hdr) +static inline DCE2_SmbPMNode * DCE2_SmbFindPMNode(DCE2_SmbSsnData *ssd, const SmbNtHdr *smb_hdr) { DCE2_Policy policy = DCE2_ScPolicy(ssd->sd.sconfig); DCE2_SmbPMNode *pm_node = NULL; @@ -3290,6 +3406,7 @@ break; case DCE2_POLICY__SAMBA: + case DCE2_POLICY__SAMBA_3_0_37: if ((ssd->pm_node.mid != DCE2_SENTINEL) && (ssd->pm_node.mid == (int)mid)) { @@ -3303,6 +3420,8 @@ case DCE2_POLICY__WIN2003: case DCE2_POLICY__WINXP: case DCE2_POLICY__WINVISTA: + case DCE2_POLICY__WIN2008: + case DCE2_POLICY__WIN7: if ((ssd->pm_node.pid != DCE2_SENTINEL) && (ssd->pm_node.pid == (int)pid) && (ssd->pm_node.mid != DCE2_SENTINEL) && (ssd->pm_node.mid == (int)mid)) { 
@@ -3347,7 +3466,7 @@ * Returns: * ********************************************************************/ -static INLINE void DCE2_SmbRemovePMNode(DCE2_SmbSsnData *ssd, const SmbNtHdr *smb_hdr) +static inline void DCE2_SmbRemovePMNode(DCE2_SmbSsnData *ssd, const SmbNtHdr *smb_hdr) { DCE2_Policy policy = DCE2_ScPolicy(ssd->sd.sconfig); uint16_t pid = SmbPid(smb_hdr); @@ -3376,6 +3495,7 @@ break; case DCE2_POLICY__SAMBA: + case DCE2_POLICY__SAMBA_3_0_37: if ((ssd->pm_node.mid != DCE2_SENTINEL) && (ssd->pm_node.mid == (int)mid)) { DCE2_SmbCleanPMNode(&ssd->pm_node); @@ -3388,6 +3508,8 @@ case DCE2_POLICY__WIN2003: case DCE2_POLICY__WINXP: case DCE2_POLICY__WINVISTA: + case DCE2_POLICY__WIN2008: + case DCE2_POLICY__WIN7: if ((ssd->pm_node.pid != DCE2_SENTINEL) && (ssd->pm_node.pid == (int)pid) && (ssd->pm_node.mid != DCE2_SENTINEL) && (ssd->pm_node.mid == (int)mid)) { @@ -3593,7 +3715,7 @@ if ((ddisp + dcnt) > total_dcnt) { DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_DSENT_GT_TDCNT, - dce2_smb_coms[smb_com], ddisp + dcnt, total_dcnt); + ddisp + dcnt, total_dcnt); return; } @@ -3692,7 +3814,7 @@ /* XXX This really isn't the proper alert. Create a new alert for this. * Total data count mismatch or something */ DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_TDCNT_LT_DSIZE, - dce2_smb_coms[smb_com], (int)pm_node->total_dcnt, (int)total_dcnt); + (int)pm_node->total_dcnt, (int)total_dcnt); return; } @@ -3700,7 +3822,7 @@ if ((ddisp + dcnt) > total_dcnt) { DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_TDCNT_LT_DSIZE, - dce2_smb_coms[smb_com], (int)total_dcnt, (int)(ddisp + dcnt)); + (int)total_dcnt, (int)(ddisp + dcnt)); return; } @@ -3808,7 +3930,7 @@ * Returns: * ********************************************************************/ -static INLINE void DCE2_SmbSetReadFidNode(DCE2_SmbSsnData *ssd, uint16_t uid, +static inline void DCE2_SmbSetReadFidNode(DCE2_SmbSsnData *ssd, uint16_t uid, uint16_t tid, uint16_t fid, int smb_com) { if (ssd == NULL) 
@@ -3841,7 +3963,7 @@ /* No space left in queue - way too many reads at once. Not a memory * issue because no memory is alloced on insertion */ DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_EXCESSIVE_READS, - dce2_smb_coms[smb_com], DCE2_READ__QUEUE_SIZE); + DCE2_READ__QUEUE_SIZE); DCE2_Free((void *)fid_node, sizeof(DCE2_SmbFidNode), DCE2_MEM_TYPE__SMB_FID); @@ -3864,7 +3986,7 @@ * Returns: * ********************************************************************/ -static INLINE DCE2_SmbFidTrackerNode * DCE2_SmbGetReadFidNode(DCE2_SmbSsnData *ssd) +static inline DCE2_SmbFidTrackerNode * DCE2_SmbGetReadFidNode(DCE2_SmbSsnData *ssd) { DCE2_SmbFidNode *fid_node = NULL; uint16_t uid, tid, fid; @@ -4051,7 +4173,7 @@ if (*nb_ptr != SMB_FMT__DATA_BLOCK) { - DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_BAD_FORMAT, dce2_smb_coms[smb_com], *nb_ptr); + DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_BAD_FORMAT, *nb_ptr); return; } @@ -4066,8 +4188,7 @@ if (dsize != (bcc - 3)) { - DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_INVALID_DSIZE, - dce2_smb_coms[smb_com], dsize, bcc); + DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_INVALID_DSIZE, dsize, bcc); } if ((dsize != 0) && (ft_node != NULL)) @@ -4125,7 +4246,7 @@ if (*nb_ptr != SMB_FMT__ASCII) { - DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_BAD_FORMAT, dce2_smb_coms[smb_com], *nb_ptr); + DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_BAD_FORMAT, *nb_ptr); return; } @@ -4161,7 +4282,7 @@ if ((nb_len > 0) && (*nb_ptr != SMB_FMT__ASCII)) { - DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_BAD_FORMAT, dce2_smb_coms[smb_com], *nb_ptr); + DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_BAD_FORMAT, *nb_ptr); return; } } @@ -4289,6 +4410,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbLogoffAndX(ssd, smb_hdr, nb_ptr, nb_len, ssx_chained); break; 
@@ -4304,6 +4426,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: { DCE2_Ret status = DCE2_SmbTreeConnect(ssd, smb_hdr, nb_ptr, nb_len); @@ -4331,6 +4454,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbTreeDisconnect(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -4349,6 +4473,8 @@ case DCE2_POLICY__WIN2003: case DCE2_POLICY__WINXP: case DCE2_POLICY__WINVISTA: + case DCE2_POLICY__WIN2008: + case DCE2_POLICY__WIN7: DCE2_SmbOpen(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -4367,6 +4493,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbNtCreateAndX(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -4382,6 +4509,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: if (DCE2_SsnFromClient(ssd->sd.wire_pkt) && open_chain) DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_CHAIN_OPEN_CLOSE); @@ -4428,6 +4556,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbReadAndX(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -4460,6 +4589,8 @@ case DCE2_POLICY__WIN2003: case DCE2_POLICY__WINVISTA: case DCE2_POLICY__WINXP: + case DCE2_POLICY__WIN2008: + case DCE2_POLICY__WIN7: if (SmbType(smb_hdr) == SMB_TYPE__RESPONSE) { uint16_t uid = SmbUid(smb_hdr); @@ -4484,6 +4615,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbTreeDisconnect(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -4511,6 +4643,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbSessSetupAndX(ssd, smb_hdr, nb_ptr, nb_len); break; 
@@ -4526,6 +4659,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbLogoffAndX(ssd, smb_hdr, nb_ptr, nb_len, ssx_chained); break; @@ -4533,7 +4667,7 @@ default: break; } - + break; case SMB_COM_TREE_DIS: @@ -4541,6 +4675,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbTreeDisconnect(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -4558,6 +4693,8 @@ case DCE2_POLICY__WIN2003: case DCE2_POLICY__WINXP: case DCE2_POLICY__WINVISTA: + case DCE2_POLICY__WIN2008: + case DCE2_POLICY__WIN7: DCE2_SmbOpen(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -4572,6 +4709,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbOpenAndX(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -4587,6 +4725,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbNtCreateAndX(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -4602,6 +4741,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: if (open_chain) DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_CHAIN_OPEN_CLOSE); @@ -4632,6 +4772,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: if (DCE2_SsnFromClient(ssd->sd.wire_pkt) && open_chain) DCE2_SmbQueueTmpFid(ssd); @@ -4649,6 +4790,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbReadAndX(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -4673,6 +4815,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbSessSetupAndX(ssd, smb_hdr, nb_ptr, nb_len); break; 
@@ -4688,6 +4831,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbLogoffAndX(ssd, smb_hdr, nb_ptr, nb_len, ssx_chained); break; @@ -4695,7 +4839,7 @@ default: break; } - + break; case SMB_COM_TREE_CON: @@ -4703,6 +4847,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: { DCE2_Ret status; @@ -4729,6 +4874,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "OpenAndX => TreeConnectAndX\n")); DCE2_SmbTreeConnectAndX(ssd, smb_hdr, nb_ptr, nb_len); @@ -4747,6 +4893,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbTreeDisconnect(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -4762,6 +4909,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbOpenAndX(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -4777,6 +4925,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbNtCreateAndX(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -4792,6 +4941,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: if (open_chain) DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_CHAIN_OPEN_CLOSE); @@ -4809,6 +4959,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbQueueTmpFid(ssd); DCE2_SmbWrite(ssd, smb_hdr, nb_ptr, nb_len); @@ -4825,6 +4976,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbReadAndX(ssd, smb_hdr, nb_ptr, nb_len); break; 
@@ -4849,6 +5001,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbSessSetupAndX(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -4863,13 +5016,14 @@ switch (DCE2_ScPolicy(ssd->sd.sconfig)) { case DCE2_POLICY__SAMBA: + case DCE2_POLICY__SAMBA_3_0_37: DCE2_SmbLogoffAndX(ssd, smb_hdr, nb_ptr, nb_len, ssx_chained); break; default: break; } - + break; case SMB_COM_TREE_CON: @@ -4877,6 +5031,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: { DCE2_Ret status; @@ -4903,6 +5058,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "OpenAndX => TreeConnectAndX\n")); DCE2_SmbTreeConnectAndX(ssd, smb_hdr, nb_ptr, nb_len); @@ -4920,6 +5076,7 @@ switch (DCE2_ScPolicy(ssd->sd.sconfig)) { case DCE2_POLICY__SAMBA: + case DCE2_POLICY__SAMBA_3_0_37: DCE2_SmbTreeDisconnect(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -4934,6 +5091,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbOpenAndX(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -4949,6 +5107,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbNtCreateAndX(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -4963,6 +5122,7 @@ switch (DCE2_ScPolicy(ssd->sd.sconfig)) { case DCE2_POLICY__SAMBA: + case DCE2_POLICY__SAMBA_3_0_37: if (open_chain) DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_CHAIN_OPEN_CLOSE); DCE2_SmbClose(ssd, smb_hdr, nb_ptr, nb_len, open_chain); @@ -4979,6 +5139,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbQueueTmpFid(ssd); DCE2_SmbWrite(ssd, smb_hdr, nb_ptr, nb_len); 
@@ -4995,6 +5156,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbReadAndX(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -5019,6 +5181,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbSessSetupAndX(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -5034,6 +5197,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbLogoffAndX(ssd, smb_hdr, nb_ptr, nb_len, ssx_chained); break; @@ -5041,7 +5205,7 @@ default: break; } - + break; case SMB_COM_TREE_CON: @@ -5049,6 +5213,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: { DCE2_Ret status = DCE2_SmbTreeConnect(ssd, smb_hdr, nb_ptr, nb_len); @@ -5073,6 +5238,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbTreeConnectAndX(ssd, smb_hdr, nb_ptr, nb_len); if (SmbType(smb_hdr) == SMB_TYPE__REQUEST) @@ -5090,6 +5256,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbOpenAndX(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -5105,6 +5272,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbNtCreateAndX(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -5128,6 +5296,8 @@ case DCE2_POLICY__WIN2003: case DCE2_POLICY__WINXP: case DCE2_POLICY__WINVISTA: + case DCE2_POLICY__WIN2008: + case DCE2_POLICY__WIN7: DCE2_SmbWriteAndX(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -5142,6 +5312,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbWrite(ssd, smb_hdr, nb_ptr, nb_len); break; 
@@ -5159,6 +5330,8 @@ case DCE2_POLICY__WIN2003: case DCE2_POLICY__WINXP: case DCE2_POLICY__WINVISTA: + case DCE2_POLICY__WIN2008: + case DCE2_POLICY__WIN7: DCE2_SmbRead(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -5173,11 +5346,14 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: case DCE2_POLICY__WIN2000: case DCE2_POLICY__WIN2003: case DCE2_POLICY__WINXP: case DCE2_POLICY__WINVISTA: + case DCE2_POLICY__WIN2008: + case DCE2_POLICY__WIN7: DCE2_SmbReadAndX(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -5201,6 +5377,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbSessSetupAndX(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -5215,19 +5392,21 @@ switch (DCE2_ScPolicy(ssd->sd.sconfig)) { case DCE2_POLICY__SAMBA: + case DCE2_POLICY__SAMBA_3_0_37: DCE2_SmbLogoffAndX(ssd, smb_hdr, nb_ptr, nb_len, ssx_chained); break; default: break; } - + break; case SMB_COM_TREE_CON: switch (DCE2_ScPolicy(ssd->sd.sconfig)) { case DCE2_POLICY__SAMBA: + case DCE2_POLICY__SAMBA_3_0_37: { DCE2_Ret status = DCE2_SmbTreeConnect(ssd, smb_hdr, nb_ptr, nb_len); if ((SmbType(smb_hdr) == SMB_TYPE__REQUEST) && @@ -5250,6 +5429,7 @@ switch (DCE2_ScPolicy(ssd->sd.sconfig)) { case DCE2_POLICY__SAMBA: + case DCE2_POLICY__SAMBA_3_0_37: DCE2_SmbTreeConnectAndX(ssd, smb_hdr, nb_ptr, nb_len); if (SmbType(smb_hdr) == SMB_TYPE__REQUEST) ssd->chained_tc = 1; @@ -5265,6 +5445,7 @@ switch (DCE2_ScPolicy(ssd->sd.sconfig)) { case DCE2_POLICY__SAMBA: + case DCE2_POLICY__SAMBA_3_0_37: DCE2_SmbTreeDisconnect(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -5278,6 +5459,7 @@ switch (DCE2_ScPolicy(ssd->sd.sconfig)) { case DCE2_POLICY__SAMBA: + case DCE2_POLICY__SAMBA_3_0_37: DCE2_SmbOpenAndX(ssd, smb_hdr, nb_ptr, nb_len); break; 
@@ -5291,6 +5473,7 @@ switch (DCE2_ScPolicy(ssd->sd.sconfig)) { case DCE2_POLICY__SAMBA: + case DCE2_POLICY__SAMBA_3_0_37: DCE2_SmbNtCreateAndX(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -5304,6 +5487,7 @@ switch (DCE2_ScPolicy(ssd->sd.sconfig)) { case DCE2_POLICY__SAMBA: + case DCE2_POLICY__SAMBA_3_0_37: if (open_chain) DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_CHAIN_OPEN_CLOSE); DCE2_SmbClose(ssd, smb_hdr, nb_ptr, nb_len, open_chain); @@ -5320,6 +5504,7 @@ { case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: DCE2_SmbWrite(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -5334,6 +5519,7 @@ switch (DCE2_ScPolicy(ssd->sd.sconfig)) { case DCE2_POLICY__SAMBA: + case DCE2_POLICY__SAMBA_3_0_37: DCE2_SmbReadAndX(ssd, smb_hdr, nb_ptr, nb_len); break; @@ -5377,7 +5563,7 @@ if (dsize != 0) DCE2_CoProcess(&ssd->sd, &ft_node->co_tracker, nb_ptr, dsize); - + if (!ft_node->used) ft_node->used = 1; } @@ -5503,6 +5689,7 @@ switch (policy) { case DCE2_POLICY__SAMBA: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__WIN2000: /* Removing uid invalidates any fid that was created with it */ if ((ssd->sst.ft_node.fid_node.fid != DCE2_SENTINEL) && @@ -5545,13 +5732,15 @@ PREPROC_PROFILE_END(dce2_pstat_smb_uid); return; } - - /* Fall through for Windows 2000 since we're keeping a pipe tree for it + + /* Fall through for Windows 2000 since we're keeping a pipe tree for it * for use with a first request/write */ case DCE2_POLICY__WIN2003: case DCE2_POLICY__WINXP: case DCE2_POLICY__WINVISTA: + case DCE2_POLICY__WIN2008: + case DCE2_POLICY__WIN7: { DCE2_SmbPipeTree *ptree = &ssd->sst.ptree; @@ -5685,6 +5874,7 @@ { case DCE2_POLICY__WIN2000: case DCE2_POLICY__SAMBA: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: if ((ssd->sst.ft_node.fid_node.fid != DCE2_SENTINEL) && 
@@ -5712,12 +5902,14 @@ return; } - /* Fall through for Windows 2000 since we're keeping a pipe tree for it + /* Fall through for Windows 2000 since we're keeping a pipe tree for it * for use with a first request/write */ case DCE2_POLICY__WIN2003: case DCE2_POLICY__WINXP: case DCE2_POLICY__WINVISTA: + case DCE2_POLICY__WIN2008: + case DCE2_POLICY__WIN7: { DCE2_SmbPipeTree *ptree = &ssd->sst.ptree; @@ -5772,6 +5964,8 @@ case DCE2_POLICY__WIN2003: case DCE2_POLICY__WINXP: case DCE2_POLICY__WINVISTA: + case DCE2_POLICY__WIN2008: + case DCE2_POLICY__WIN7: if ((ptree->ut_node.uid != DCE2_SENTINEL) && (ptree->ut_node.tid != DCE2_SENTINEL) && (ptree->ut_node.uid == (int)uid) && (ptree->ut_node.tid == (int)tid)) { @@ -5804,7 +5998,7 @@ static void DCE2_SmbInsertFid(DCE2_SmbSsnData *ssd, const uint16_t uid, const uint16_t tid, const uint16_t fid) { - const DCE2_Policy policy = DCE2_ScPolicy(ssd->sd.sconfig); + const DCE2_Policy policy = DCE2_ScPolicy(ssd->sd.sconfig); DCE2_SmbUTNode *ut_node; DCE2_SmbFidTrackerNode *ft_node; PROFILE_VARS; @@ -5816,6 +6010,7 @@ case DCE2_POLICY__WIN2000: case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: /* Assume uid is ok since fid is added on server response */ /* Tid should have already been validated */ @@ -5873,6 +6068,8 @@ case DCE2_POLICY__WIN2003: case DCE2_POLICY__WINXP: case DCE2_POLICY__WINVISTA: + case DCE2_POLICY__WIN2008: + case DCE2_POLICY__WIN7: ut_node = DCE2_SmbFindUTNode(ssd, uid, tid); if (ut_node == NULL) { @@ -6037,7 +6234,7 @@ static void DCE2_SmbInsertFidNode(DCE2_SmbSsnData *ssd, const uint16_t uid, const uint16_t tid, const uint16_t fid, DCE2_SmbFidTrackerNode *ft_node) { - const DCE2_Policy policy = DCE2_ScPolicy(ssd->sd.sconfig); + const DCE2_Policy policy = DCE2_ScPolicy(ssd->sd.sconfig); DCE2_SmbUTNode *ut_node; DCE2_SmbFidTrackerNode *tmp_ft_node; PROFILE_VARS; 
@@ -6055,6 +6252,7 @@ case DCE2_POLICY__WIN2000: case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: /* Assume uid is ok since fid is added on server response */ /* Tid should have already been validated */ @@ -6091,7 +6289,7 @@ return; } - /* Need to copy data from passed in ft node into new ft node for + /* Need to copy data from passed in ft node into new ft node for * Windows 2000 */ tmp_ft_node = (DCE2_SmbFidTrackerNode *) DCE2_Alloc(sizeof(DCE2_SmbFidTrackerNode), DCE2_MEM_TYPE__SMB_FID); @@ -6114,6 +6312,8 @@ case DCE2_POLICY__WIN2003: case DCE2_POLICY__WINXP: case DCE2_POLICY__WINVISTA: + case DCE2_POLICY__WIN2008: + case DCE2_POLICY__WIN7: ut_node = DCE2_SmbFindUTNode(ssd, uid, tid); if (ut_node == NULL) { @@ -6223,6 +6423,7 @@ switch (policy) { case DCE2_POLICY__SAMBA: + case DCE2_POLICY__SAMBA_3_0_37: /* Only uid used to create fid can be used to make a request */ if ((ssd->sst.ft_node.fid_node.fid != DCE2_SENTINEL) && (ssd->sst.ft_node.fid_node.uid != DCE2_SENTINEL) && @@ -6270,7 +6471,7 @@ return NULL; } - /* Just return this fid node if we're not Win2000 or we've already + /* Just return this fid node if we're not Win2000 or we've already * used this fid once */ if ((policy != DCE2_POLICY__WIN2000) || ft_node->used) { @@ -6290,6 +6491,8 @@ case DCE2_POLICY__WIN2003: case DCE2_POLICY__WINXP: case DCE2_POLICY__WINVISTA: + case DCE2_POLICY__WIN2008: + case DCE2_POLICY__WIN7: ut_node = DCE2_SmbFindUTNode(ssd, uid, tid); if (ut_node == NULL) { @@ -6355,6 +6558,7 @@ case DCE2_POLICY__WIN2000: case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: case DCE2_POLICY__SAMBA: if ((ssd->sst.ft_node.fid_node.fid != DCE2_SENTINEL) && (ssd->sst.ft_node.fid_node.fid == (int)fid)) 
@@ -6377,6 +6581,8 @@ case DCE2_POLICY__WIN2003: case DCE2_POLICY__WINXP: case DCE2_POLICY__WINVISTA: + case DCE2_POLICY__WIN2008: + case DCE2_POLICY__WIN7: ut_node = DCE2_SmbFindUTNode(ssd, uid, tid); if (ut_node == NULL) { @@ -6413,7 +6619,7 @@ * Returns: * ********************************************************************/ -static INLINE void DCE2_SmbCleanFidNode(DCE2_SmbFidTrackerNode *ft_node) +static inline void DCE2_SmbCleanFidNode(DCE2_SmbFidTrackerNode *ft_node) { PROFILE_VARS; @@ -6445,7 +6651,7 @@ * Returns: * ********************************************************************/ -static INLINE void DCE2_SmbCleanUTNode(DCE2_SmbUTNode *ut_node) +static inline void DCE2_SmbCleanUTNode(DCE2_SmbUTNode *ut_node) { if (ut_node == NULL) return; @@ -6476,7 +6682,7 @@ * Returns: * ********************************************************************/ -static INLINE void DCE2_SmbCleanPMNode(DCE2_SmbPMNode *pm_node) +static inline void DCE2_SmbCleanPMNode(DCE2_SmbPMNode *pm_node) { PROFILE_VARS; @@ -6576,6 +6782,7 @@ return 0; case DCE2_POLICY__SAMBA: + case DCE2_POLICY__SAMBA_3_0_37: /* Only uses mid */ if (pm_a->mid == pm_b->mid) return 0; @@ -6586,6 +6793,8 @@ case DCE2_POLICY__WIN2003: case DCE2_POLICY__WINXP: case DCE2_POLICY__WINVISTA: + case DCE2_POLICY__WIN2008: + case DCE2_POLICY__WIN7: /* Uses both pid and mid */ if ((pm_a->pid == pm_b->pid) && (pm_a->mid == pm_b->mid)) return 0; @@ -6656,7 +6865,7 @@ * Returns: * ********************************************************************/ -static INLINE void DCE2_SmbResetForMissedPkts(DCE2_SmbSsnData *ssd) +static inline void DCE2_SmbResetForMissedPkts(DCE2_SmbSsnData *ssd) { if (ssd == NULL) return; @@ -8153,7 +8362,7 @@ * Function: DCE2_SmbHandleSegmentation() * * Wrapper around DCE2_HandleSegmentation() to allocate a new - * buffer object if necessary. + * buffer object if necessary. * * Arguments: * DCE2_SmbSeg * 
@@ -8169,6 +8378,8 @@
 * Pointer to basically a return value for the amount of
 * data in the packet that was actually used for
 * desegmentation.
+ * int
+ * bool is true if we must append.
 *
 * Returns:
 * DCE2_Ret
@@ -8181,11 +8392,14 @@
 * i.e. the need length was met.
 *
 ********************************************************************/
-static INLINE DCE2_Ret DCE2_SmbHandleSegmentation(DCE2_SmbSeg *seg, const uint8_t *data_ptr,
- uint16_t data_len, uint32_t need_len, uint16_t *data_used)
+static inline DCE2_Ret DCE2_SmbHandleSegmentation(
+ DCE2_SmbSeg *seg, const uint8_t *data_ptr,
+ uint16_t data_len, uint32_t need_len,
+ uint16_t *data_used, int append)
 {
 DCE2_Ret status;
 PROFILE_VARS;
+ uint32_t offset;
 PREPROC_PROFILE_START(dce2_pstat_smb_seg);
@@ -8210,7 +8424,10 @@
 DCE2_BufferSetMinAllocSize(seg->buf, need_len);
 }
- status = DCE2_HandleSegmentation(seg->buf, data_ptr, data_len, need_len, data_used);
+ offset = DCE2_GetWriteOffset(need_len, append);
+
+ status = DCE2_HandleSegmentation(
+ seg->buf, data_ptr, data_len, offset, need_len, data_used);
 PREPROC_PROFILE_END(dce2_pstat_smb_seg);
@@ -8231,7 +8448,7 @@
 * Pointer to client or server segmenation buffer.
 *
 ********************************************************************/
-static INLINE DCE2_SmbSeg * DCE2_SmbGetSegPtr(DCE2_SmbSsnData *ssd)
+static inline DCE2_SmbSeg * DCE2_SmbGetSegPtr(DCE2_SmbSsnData *ssd)
 {
 if (DCE2_SsnFromServer(ssd->sd.wire_pkt))
 return &ssd->srv_seg;
@@ -8255,7 +8472,7 @@
 * Pointer to the client or server ignore bytes.
 *
 ********************************************************************/
-static INLINE uint32_t * DCE2_SmbGetIgnorePtr(DCE2_SmbSsnData *ssd)
+static inline uint32_t * DCE2_SmbGetIgnorePtr(DCE2_SmbSsnData *ssd)
 {
 if (DCE2_SsnFromServer(ssd->sd.wire_pkt))
 return &ssd->srv_ignore_bytes;
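Review bot: The two documentation lines added in the `@@ -8169` hunk, `* int` and `* bool is true if we must append.`, neither name the parameter nor match its declared type (`int append` in the new signature), and nothing in the `@@ -8210` hunk says what `DCE2_GetWriteOffset(need_len, append)` yields or that it becomes the `offset` argument of `DCE2_HandleSegmentation()`, where zero means append and anything beyond the buffered length is clamped. I would replace the two lines with `* int append` and `*     Non-zero to append to the data already held in the segmentation buffer; zero to write at the position DCE2_GetWriteOffset() derives from need_len.`, and put `/* 0 = append; DCE2_HandleSegmentation() clamps an offset past the buffered length */` above the `offset = ...` line — assuming that is the helper's contract, since its body is not on this page. Separately, `uint32_t offset;` is declared after `PROFILE_VARS;`; if that macro can expand to a statement in some build configuration the declaration is no longer at the top of the block, so declaring it next to `DCE2_Ret status;` is the safer placement. The function's body continues past the end of the `@@ -8210` hunk.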
@@ -8272,7 +8489,7 @@ * Returns: * ********************************************************************/ -static INLINE int DCE2_SmbIsSegBuf(DCE2_SmbSsnData *ssd, const uint8_t *ptr) +static inline int DCE2_SmbIsSegBuf(DCE2_SmbSsnData *ssd, const uint8_t *ptr) { DCE2_Buffer *seg_buf; @@ -8304,7 +8521,7 @@ * Returns: * ********************************************************************/ -static INLINE void DCE2_SmbSegAlert(DCE2_SmbSsnData *ssd, DCE2_Event event) +static inline void DCE2_SmbSegAlert(DCE2_SmbSsnData *ssd, DCE2_Event event) { SFSnortPacket *rpkt; DCE2_Buffer *buf; @@ -8377,7 +8594,7 @@ * Returns: * ********************************************************************/ -static INLINE int DCE2_SmbIsRawData(DCE2_SmbSsnData *ssd) +static inline int DCE2_SmbIsRawData(DCE2_SmbSsnData *ssd) { if (ssd->br.smb_com == DCE2_SENTINEL) return 0; @@ -8412,7 +8629,7 @@ if (nb_len > ssd->br.total_count) { DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_TDCNT_LT_DSIZE, - dce2_smb_coms[ssd->br.smb_com], (int)ssd->br.total_count, (int)nb_len); + (int)ssd->br.total_count, (int)nb_len); ssd->br.total_count = 0; } @@ -8473,6 +8690,7 @@ nb_len = rpkt->payload_size; dce2_stats.smb_seg_reassembled++; + DCE2_DEBUG_CODE(DCE2_DEBUG__MAIN, DCE2_PrintPktData(rpkt->payload, rpkt->payload_size);); } if (DCE2_SmbIsRawData(ssd)) @@ -8517,6 +8735,7 @@ case DCE2_POLICY__WIN2000: case DCE2_POLICY__SAMBA_3_0_20: case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: /* Only uid used to create fid can be used to make a request */ if ((ssd->sst.ft_node.fid_node.fid != DCE2_SENTINEL) && (ssd->sst.ft_node.fid_node.uid != DCE2_SENTINEL)) 
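Review bot: The `@@ -8412,7 +8629,7 @@` hunk drops `dce2_smb_coms[ssd->br.smb_com]` from the `DCE2_Alert()` call for `DCE2_EVENT__SMB_TDCNT_LT_DSIZE`, leaving two `int` arguments; that is only correct if the event's format string lost its `%s` conversion in the same commit, and neither the event table nor `DCE2_Alert()`'s declaration is on this page. Because the format is looked up from the event id rather than passed as a literal, `-Wformat` cannot diagnose a mismatch, and with a variadic alert path a surplus or missing conversion is undefined behaviour at the point the alert fires, so the table entry is worth confirming against every remaining caller of this event. The enclosing function starts and ends outside the hunk.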
@@ -8539,6 +8758,8 @@ case DCE2_POLICY__WIN2003: case DCE2_POLICY__WINXP: case DCE2_POLICY__WINVISTA: + case DCE2_POLICY__WIN2008: + case DCE2_POLICY__WIN7: if ((ssd->sst.ptree.ut_node.uid != DCE2_SENTINEL) && (ssd->sst.ptree.ut_node.tid != DCE2_SENTINEL)) { diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_smb.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_smb.h --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_smb.h 2009-07-07 15:37:06.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_smb.h 2011-06-08 00:33:13.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -17,7 +17,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * **************************************************************************** - * + * ****************************************************************************/ #ifndef _DCE2_SMB_H_ @@ -30,7 +30,7 @@ #include "smb.h" #include "sf_snort_packet.h" #include "sf_types.h" -#include "debug.h" +#include "snort_debug.h" /******************************************************************** * Macros @@ -99,7 +99,7 @@ int tid; DCE2_List *tids; - /* Co trackers for fids created on session using + /* Co trackers for fids created on session using * only IPC tids - specific for Samba and Win2000 */ DCE2_SmbFidTrackerNode ft_node; DCE2_List *fts; @@ -132,7 +132,7 @@ /* Client can send multiple tree connects before server responses. * Since for a Tree Connect we rely on the client to determine if * the tree will be IPC$ upon acceptance by server, we need to - * queue them up */ + * queue them up */ DCE2_CQueue *tc_queue; DCE2_SmbBlockRaw br; 
@@ -177,7 +177,7 @@ /******************************************************************** * Inline function prototypes ********************************************************************/ -static INLINE DCE2_TransType DCE2_SmbAutodetect(const SFSnortPacket *); +static inline DCE2_TransType DCE2_SmbAutodetect(const SFSnortPacket *); /******************************************************************** * Public function prototypes @@ -202,7 +202,7 @@ * DCE2_TranType * *********************************************************************/ -static INLINE DCE2_TransType DCE2_SmbAutodetect(const SFSnortPacket *p) +static inline DCE2_TransType DCE2_SmbAutodetect(const SFSnortPacket *p) { if (p->payload_size >= sizeof(NbssHdr)) { diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_stats.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_stats.c --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_stats.c 2009-01-26 16:05:54.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_stats.c 2011-06-08 00:33:13.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -17,9 +17,14 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * **************************************************************************** - * + * ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "dce2_stats.h" #include "dce2_utils.h" #include "dce2_memory.h" 
@@ -35,7 +40,7 @@ /******************************************************************** * Private function prototypes ********************************************************************/ -static INLINE void DCE2_CreateTransStr(char **, DCE2_TransType, char *); +static inline void DCE2_CreateTransStr(char **, DCE2_TransType, char *); /******************************************************************** * Function: @@ -128,7 +133,7 @@ * Returns: * ********************************************************************/ -static INLINE void DCE2_CreateTransStr(char **trans_buf, DCE2_TransType ttype, char *trans_str) +static inline void DCE2_CreateTransStr(char **trans_buf, DCE2_TransType ttype, char *trans_str) { if ((trans_buf == NULL) || (trans_str == NULL)) return; diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_stats.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_stats.h --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_stats.h 2009-07-07 15:37:06.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_stats.h 2011-02-09 23:23:15.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_tcp.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_tcp.c --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_tcp.c 2009-05-06 22:28:54.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_tcp.c 2011-06-08 00:33:13.000000000 +0000 
@@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -17,9 +17,14 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * **************************************************************************** - * + * ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "dce2_tcp.h" #include "snort_dce2.h" #include "dce2_co.h" @@ -31,7 +36,6 @@ /******************************************************************** * Extern variables ********************************************************************/ -extern DynamicPreprocessorData _dpd; extern DCE2_Stats dce2_stats; /******************************************************************** diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_tcp.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_tcp.h --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_tcp.h 2009-01-26 16:07:13.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_tcp.h 2011-06-08 00:33:13.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -17,7 +17,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * **************************************************************************** - * + * ****************************************************************************/ #ifndef _DCE2_TCP_H_ 
@@ -29,7 +29,7 @@ #include "dcerpc.h" #include "sf_snort_packet.h" #include "sf_types.h" -#include "debug.h" +#include "snort_debug.h" /******************************************************************** * Structures @@ -44,7 +44,7 @@ /******************************************************************** * Inline function prototypes ********************************************************************/ -static INLINE DCE2_TransType DCE2_TcpAutodetect(const SFSnortPacket *); +static inline DCE2_TransType DCE2_TcpAutodetect(const SFSnortPacket *); /******************************************************************** * Public function prototypes @@ -68,7 +68,7 @@ * DCE2_TranType * *********************************************************************/ -static INLINE DCE2_TransType DCE2_TcpAutodetect(const SFSnortPacket *p) +static inline DCE2_TransType DCE2_TcpAutodetect(const SFSnortPacket *p) { if (p->payload_size >= sizeof(DceRpcCoHdr)) { diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_udp.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_udp.c --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_udp.c 2009-01-26 16:26:14.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_udp.c 2011-06-08 00:33:13.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -17,9 +17,14 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * **************************************************************************** - * + * ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "dce2_udp.h" #include "snort_dce2.h" #include "dce2_cl.h" @@ -59,7 +64,7 @@ /******************************************************************** * Function: DCE2_UdpProcess() * - * Purpose: Main entry point for DCE/RPC over UDP processing. + * Purpose: Main entry point for DCE/RPC over UDP processing. * * Arguments: * DCE2_UdpSsnData * - a pointer to the data structure associated diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_udp.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_udp.h --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_udp.h 2009-01-26 16:07:14.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_udp.h 2011-06-08 00:33:13.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -17,7 +17,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * **************************************************************************** - * + * ****************************************************************************/ #ifndef _DCE2_UDP_H_ @@ -30,7 +30,7 @@ #include "dcerpc.h" #include "sf_snort_packet.h" #include "sf_types.h" -#include "debug.h" +#include "snort_debug.h" /******************************************************************** * Structures 
@@ -45,7 +45,7 @@ /******************************************************************** * Inline function prototypes ********************************************************************/ -static INLINE DCE2_TransType DCE2_UdpAutodetect(const SFSnortPacket *); +static inline DCE2_TransType DCE2_UdpAutodetect(const SFSnortPacket *); /******************************************************************** * Public function prototypes @@ -69,7 +69,7 @@ * DCE2_TranType * *********************************************************************/ -static INLINE DCE2_TransType DCE2_UdpAutodetect(const SFSnortPacket *p) +static inline DCE2_TransType DCE2_UdpAutodetect(const SFSnortPacket *p) { if (p->payload_size >= sizeof(DceRpcClHdr)) { diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_utils.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_utils.c --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_utils.c 2009-01-26 18:54:52.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_utils.c 2011-06-08 00:33:13.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -16,26 +16,27 @@
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
- ****************************************************************************
+ ****************************************************************************
 *
 ****************************************************************************/
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "sf_types.h"
+#include "snort_debug.h"
 #include "dce2_utils.h"
 #include "dce2_debug.h"
 #include "dce2_config.h"
 #include "snort_dce2.h"
 #include "sf_types.h"
-#include "bounds.h"
+#include "snort_bounds.h"
 #include "sf_snort_packet.h"
 #include "sf_dynamic_preprocessor.h"
 #include
 /********************************************************************
- * Extern variables
- ********************************************************************/
-extern DynamicPreprocessorData _dpd;
-
-/********************************************************************
 * Function:
 *
 * Purpose:
@@ -80,8 +81,10 @@
 * Returns:
 *
 ********************************************************************/
-DCE2_Ret DCE2_BufferAddData(DCE2_Buffer *buf, const uint8_t *data,
- uint32_t data_len, DCE2_BufferMinAddFlag mflag)
+DCE2_Ret DCE2_BufferAddData(
+ DCE2_Buffer *buf, const uint8_t *data,
+ uint32_t data_len, uint32_t offset,
+ DCE2_BufferMinAddFlag mflag)
 {
 DCE2_Ret status;
@@ -92,9 +95,12 @@
 if (data_len == 0)
 return DCE2_RET__SUCCESS;
+ if ( !offset )
+ offset = DCE2_BufferLength(buf);
+
 if (buf->data == NULL)
 {
- uint32_t size = data_len;
+ uint32_t size = offset + data_len;
 if ((size < buf->min_add_size) && (mflag == DCE2_BUFFER_MIN_ADD_FLAG__USE))
 size = buf->min_add_size;
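Review bot: `#include "sf_types.h"` now appears twice in the `@@ -16,26 +16,27 @@` hunk: the added line at the top of the new include block and the pre-existing one after `snort_dce2.h`, which is kept as context. The header presumably has an include guard so this is harmless, but the second occurrence should go so the include list reads as intended.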
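Review bot: `DCE2_BufferAddData()` now takes a caller-supplied `offset` but only handles the zero case (`if ( !offset ) offset = DCE2_BufferLength(buf);`); an offset larger than the current length is accepted as-is, the allocation is sized to `offset + data_len`, the copy lands at `buf->data + offset`, and `buf->len = offset + data_len` (next hunk) then makes the never-written bytes in `[old length, offset)` part of the buffer's logical contents that downstream parsing treats as received data (whether the allocator zeroes them is not visible here). The sum `offset + data_len` is also unchecked `uint32_t` arithmetic, and a wrapped value appears to be caught only by the bounds arguments passed to `DCE2_Memcpy()`. The one caller on this page, `DCE2_HandleSegmentation()`, clamps `offset` to the buffered length before calling, so no gap can arise today, but the invariant belongs where the allocation and copy happen: `if (!offset || offset > DCE2_BufferLength(buf)) offset = DCE2_BufferLength(buf);` in place of the added check, or a `DCE2_RET__ERROR` return if an out-of-range offset should be treated as a caller bug. The function's body continues past the end of the hunk.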
@@ -105,10 +111,10 @@
 buf->size = size;
 }
- else if ((buf->len + data_len) > buf->size)
+ else if ((offset + data_len) > buf->size)
 {
 uint8_t *tmp;
- uint32_t new_size = buf->len + data_len;
+ uint32_t new_size = offset + data_len;
 if (((new_size - buf->size) < buf->min_add_size) && (mflag == DCE2_BUFFER_MIN_ADD_FLAG__USE))
 new_size += buf->min_add_size;
@@ -121,7 +127,7 @@
 buf->size = new_size;
 }
- status = DCE2_Memcpy(buf->data + buf->len, data, data_len, buf->data, buf->data + buf->size);
+ status = DCE2_Memcpy(buf->data + offset, data, data_len, buf->data, buf->data + buf->size);
 if (status != DCE2_RET__SUCCESS)
 {
 DCE2_Log(DCE2_LOG_TYPE__ERROR,
@@ -129,7 +135,7 @@
 return DCE2_RET__ERROR;
 }
- buf->len += data_len;
+ buf->len = offset + data_len;
 return DCE2_RET__SUCCESS;
 }
@@ -271,8 +277,10 @@
 * Returns:
 *
 ********************************************************************/
-DCE2_Ret DCE2_HandleSegmentation(DCE2_Buffer *seg_buf, const uint8_t *data_ptr,
- uint16_t data_len, uint32_t need_len, uint16_t *data_used)
+DCE2_Ret DCE2_HandleSegmentation(
+ DCE2_Buffer *seg_buf, const uint8_t *data_ptr,
+ uint16_t data_len, uint32_t offset,
+ uint32_t need_len, uint16_t *data_used)
 {
 uint32_t copy_len;
 DCE2_Ret status;
@@ -286,11 +294,15 @@
 /* Don't need anything - call it desegmented. Really return
 * an error - this shouldn't happen */
- if (need_len == 0)
+ if (need_len == 0 )
 return DCE2_RET__ERROR;
+ /* Need to append, instead of jump when offset is malformed*/
+ if (( !offset )|| (offset > DCE2_BufferLength(seg_buf)))
+ offset = DCE2_BufferLength(seg_buf);
+
 /* Already have enough data for need */
- if (DCE2_BufferLength(seg_buf) >= need_len)
+ if (offset >= need_len)
 return DCE2_RET__SUCCESS;
 /* No data and need length > 0 - must still be segmented */
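Review bot: The comment on the added guard in the `@@ -286,11 +294,15 @@` hunk, `/* Need to append, instead of jump when offset is malformed*/`, undersells what the check does: `offset` reaches this function from `DCE2_GetWriteOffset(need_len, append)` in DCE2_SmbHandleSegmentation, and `need_len` in a desegmentation routine is presumably a length taken from the peer's own protocol header, so the clamp to `DCE2_BufferLength(seg_buf)` is the line that keeps the write position inside the bytes already buffered and prevents an unwritten gap in the reassembled data. I would say so: `/* offset 0 means append; an offset beyond the buffered length cannot be trusted (it derives from the peer's length field), so treat it as append too */`. Two related behaviours are also undocumented: with a valid offset inside the existing data, the early `if (offset >= need_len) return DCE2_RET__SUCCESS;` reports success without touching the buffer, while a shorter write makes `DCE2_BufferAddData()` set `buf->len = offset + data_len` (with `copy_len` passed as `data_len`), discarding whatever was buffered beyond that point — presumably the intended rewrite-from-offset semantics, but a one-line comment above the clamp saying so would spare the next reader the same reconstruction. The stray space in `if (need_len == 0 )` is a style nit. DCE2_HandleSegmentation's body continues past the end of the hunk.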
@@ -298,11 +310,13 @@ return DCE2_RET__SEG; /* Already know that need length is greater than buffer length */ - copy_len = need_len - DCE2_BufferLength(seg_buf); + copy_len = need_len - offset; if (copy_len > data_len) copy_len = data_len; - status = DCE2_BufferAddData(seg_buf, data_ptr, copy_len, DCE2_BUFFER_MIN_ADD_FLAG__USE); + status = DCE2_BufferAddData( + seg_buf, data_ptr, copy_len, offset, DCE2_BUFFER_MIN_ADD_FLAG__USE); + if (status != DCE2_RET__SUCCESS) return DCE2_RET__ERROR; @@ -408,9 +422,9 @@ * Returns: * ********************************************************************/ -const char * DCE2_UuidToStr(const Uuid *uuid, int byte_order) +const char * DCE2_UuidToStr(const Uuid *uuid, DceRpcBoFlag byte_order) { -#define UUID_BUF_SIZE 50 +#define UUID_BUF_SIZE 50 static char uuid_buf1[UUID_BUF_SIZE]; static char uuid_buf2[UUID_BUF_SIZE]; static int buf_num = 0; @@ -441,6 +455,7 @@ return uuid_buf; } +#ifdef DEBUG_MSGS /******************************************************************** * Function: DCE2_PrintPktData() * @@ -559,4 +574,4 @@ printf("\n"); } - +#endif diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_utils.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_utils.h --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/dce2_utils.h 2009-05-06 22:28:54.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_utils.h 2011-06-08 00:33:13.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
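Review bot: Wrapping `DCE2_PrintPktData` in `#ifdef DEBUG_MSGS` (the `@@ -441,6 +455,7 @@` and `@@ -559,4 +574,4 @@` hunks) leaves its prototype in dce2_utils.h unconditional (that header's `@@ -114,34 +111,38 @@` hunk still declares `void DCE2_PrintPktData(const uint8_t *, const uint16_t);`), so a non-debug build still compiles any call to it and fails only at link time. The declaration should sit under the same guard, `#ifdef DEBUG_MSGS` / `void DCE2_PrintPktData(const uint8_t *, const uint16_t);` / `#endif`, so that the compiler rather than the linker reports a stray call. If every caller is already guarded this is only a latent inconsistency, but it is the kind that surfaces the first time someone adds a debug print outside a guard.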
@@ -16,7 +16,7 @@
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  *
- ****************************************************************************
+ ****************************************************************************
  *
  ****************************************************************************/
@@ -26,11 +26,11 @@
 #include "dce2_debug.h"
 #include "dce2_memory.h"
 #include "dcerpc.h"
-#include "sf_types.h"
+//#include "sf_types.h"
 #include "sf_snort_packet.h"
 #include "sf_dynamic_preprocessor.h"
-#include "debug.h"
-#include "bounds.h"
+//#include "snort_debug.h"
+#include "snort_bounds.h"
 /********************************************************************
  * Macros
@@ -40,9 +40,6 @@
 #define DCE2_MOVE(data_ptr, data_len, amount) \
 { data_ptr = (uint8_t *)data_ptr + (amount); data_len -= (amount); }
-#define DCE2_PKT_SIZE (ETHER_HDR_LEN + SUN_SPARC_TWIDDLE + IP_MAXPKT + VLAN_HDR_LEN)
-#define DCE2_PKTH_SIZE (sizeof(struct pcap_pkthdr) + DCE2_PKT_SIZE)
-
 /********************************************************************
  * Enumerations
  ********************************************************************/
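Review bot: `+//#include "sf_types.h"` and `+//#include "snort_debug.h"` in the `@@ -26,11 +26,11 @@` hunk replace includes with commented-out lines rather than deleting them, which leaves dead text that reads as an unfinished edit. If the names are now provided transitively, drop both lines; if they are deliberately kept out, a one-line reason such as `/* not included here on purpose: <reason> */` says more than a commented-out directive does.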
@@ -114,34 +111,38 @@
 /********************************************************************
  * Inline function prototypes
  ********************************************************************/
-static INLINE int DCE2_BufferIsEmpty(DCE2_Buffer *);
-static INLINE void DCE2_BufferEmpty(DCE2_Buffer *);
-static INLINE uint32_t DCE2_BufferSize(DCE2_Buffer *);
-static INLINE uint32_t DCE2_BufferLength(DCE2_Buffer *);
-static INLINE void DCE2_BufferSetLength(DCE2_Buffer *, uint32_t);
-static INLINE uint8_t * DCE2_BufferData(DCE2_Buffer *);
-static INLINE uint32_t DCE2_BufferMinAllocSize(DCE2_Buffer *);
-static INLINE void DCE2_BufferSetMinAllocSize(DCE2_Buffer *, uint32_t);
-
-static INLINE char * DCE2_PruneWhiteSpace(char *);
-static INLINE int DCE2_IsEmptyStr(char *);
-static INLINE DCE2_Ret DCE2_Memcpy(void *, const void *, uint32_t, const void *, const void *);
-static INLINE DCE2_Ret DCE2_Memmove(void *, const void *, uint32_t, const void *, const void *);
-static INLINE int DCE2_UuidCompare(const void *, const void *);
-static INLINE void DCE2_CopyUuid(Uuid *, const Uuid *, const int);
+static inline int DCE2_BufferIsEmpty(DCE2_Buffer *);
+static inline void DCE2_BufferEmpty(DCE2_Buffer *);
+static inline uint32_t DCE2_BufferSize(DCE2_Buffer *);
+static inline uint32_t DCE2_BufferLength(DCE2_Buffer *);
+static inline void DCE2_BufferSetLength(DCE2_Buffer *, uint32_t);
+static inline uint8_t * DCE2_BufferData(DCE2_Buffer *);
+static inline uint32_t DCE2_BufferMinAllocSize(DCE2_Buffer *);
+static inline void DCE2_BufferSetMinAllocSize(DCE2_Buffer *, uint32_t);
+
+static inline char * DCE2_PruneWhiteSpace(char *);
+static inline int DCE2_IsEmptyStr(char *);
+static inline DCE2_Ret DCE2_Memcpy(void *, const void *, uint32_t, const void *, const void *);
+static inline DCE2_Ret DCE2_Memmove(void *, const void *, uint32_t, const void *, const void *);
+static inline int DCE2_UuidCompare(const void *, const void *);
+static inline void DCE2_CopyUuid(Uuid *, const Uuid *, const DceRpcBoFlag);
 /********************************************************************
  * Public function prototypes
  ********************************************************************/
 DCE2_Buffer * DCE2_BufferNew(uint32_t, uint32_t, DCE2_MemType);
-DCE2_Ret DCE2_BufferAddData(DCE2_Buffer *, const uint8_t *, uint32_t, DCE2_BufferMinAddFlag);
+DCE2_Ret DCE2_BufferAddData(
+ DCE2_Buffer*, const uint8_t*, uint32_t len, uint32_t offset, DCE2_BufferMinAddFlag);
 DCE2_Ret DCE2_BufferMoveData(DCE2_Buffer *, uint32_t, const uint8_t *, uint32_t);
 void DCE2_BufferDestroy(DCE2_Buffer *);
-DCE2_Ret DCE2_HandleSegmentation(DCE2_Buffer *, const uint8_t *, uint16_t, uint32_t, uint16_t *);
+uint16_t DCE2_GetWriteOffset(uint32_t total, int header);
+DCE2_Ret DCE2_HandleSegmentation(
+ DCE2_Buffer*, const uint8_t*, uint16_t len, uint32_t offset,
+ uint32_t need_len, uint16_t* copied);
 NORETURN void DCE2_Die(const char *, ...);
 void DCE2_Log(DCE2_LogType, const char *, ...);
-const char * DCE2_UuidToStr(const Uuid *, int);
+const char * DCE2_UuidToStr(const Uuid *, DceRpcBoFlag);
 void DCE2_PrintPktData(const uint8_t *, const uint16_t);
 /*********************************************************************
@@ -160,7 +161,7 @@
  * 0 if not considered empty
  *
  *********************************************************************/
-static INLINE int DCE2_BufferIsEmpty(DCE2_Buffer *buf)
+static inline int DCE2_BufferIsEmpty(DCE2_Buffer *buf)
 {
 if (buf == NULL) return 1;
 if ((buf->data == NULL) || (buf->len == 0)) return 1;
@@ -180,7 +181,7 @@
  * Returns: None
  *
  *********************************************************************/
-static INLINE void DCE2_BufferEmpty(DCE2_Buffer *buf)
+static inline void DCE2_BufferEmpty(DCE2_Buffer *buf)
 {
 if (buf == NULL) return;
 buf->len = 0;
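Review bot: The new `DCE2_HandleSegmentation` prototype in the `@@ -114,34 +111,38 @@` hunk names its last parameter `uint16_t* copied` while the definition in dce2_utils.c (its `@@ -271,8 +277,10 @@` hunk) calls it `uint16_t *data_used`; parameter names in a prototype are documentation, so they should match the definition, `uint32_t need_len, uint16_t *data_used);`. `uint16_t DCE2_GetWriteOffset(uint32_t total, int header);` is added here but no definition appears in the visible part of this diff, so it presumably lives in another file; nothing in the header says what `total` and `header` denote or why a `uint32_t` total yields a `uint16_t` offset, and a one-line comment on the prototype stating that contract is the minimum a caller needs.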
@@ -201,7 +202,7 @@
  * object is NULL.
  *
  *********************************************************************/
-static INLINE uint32_t DCE2_BufferSize(DCE2_Buffer *buf)
+static inline uint32_t DCE2_BufferSize(DCE2_Buffer *buf)
 {
 if (buf == NULL) return 0;
 return buf->size;
@@ -223,7 +224,7 @@
  * if buffer object is NULL.
  *
  *********************************************************************/
-static INLINE uint32_t DCE2_BufferLength(DCE2_Buffer *buf)
+static inline uint32_t DCE2_BufferLength(DCE2_Buffer *buf)
 {
 if (buf == NULL) return 0;
 return buf->len;
@@ -241,7 +242,7 @@
  * Returns: None
  *
  *********************************************************************/
-static INLINE void DCE2_BufferSetLength(DCE2_Buffer *buf, uint32_t len)
+static inline void DCE2_BufferSetLength(DCE2_Buffer *buf, uint32_t len)
 {
 if (buf == NULL) return;
 if (len > buf->size) buf->len = buf->size;
@@ -264,19 +265,19 @@
  * buffer object is NULL.
  *
  *********************************************************************/
-static INLINE uint8_t * DCE2_BufferData(DCE2_Buffer *buf)
+static inline uint8_t * DCE2_BufferData(DCE2_Buffer *buf)
 {
 if (buf == NULL) return NULL;
 return buf->data;
 }
-static INLINE uint32_t DCE2_BufferMinAllocSize(DCE2_Buffer *buf)
+static inline uint32_t DCE2_BufferMinAllocSize(DCE2_Buffer *buf)
 {
 if (buf == NULL) return 0;
 return buf->min_add_size;
 }
-static INLINE void DCE2_BufferSetMinAllocSize(DCE2_Buffer *buf, uint32_t size)
+static inline void DCE2_BufferSetMinAllocSize(DCE2_Buffer *buf, uint32_t size)
 {
 if (buf == NULL) return;
 buf->min_add_size = size;
@@ -289,7 +290,7 @@
  * Prunes whitespace surrounding string.
  * String must be 0 terminated.
  *
- * Arguments:
+ * Arguments:
  * char *
  * NULL terminated string to prune.
  * int
@@ -303,7 +304,7 @@
  * argument are replaced by NULL bytes.
  *
  ********************************************************************/
-static INLINE char * DCE2_PruneWhiteSpace(char *str)
+static inline char * DCE2_PruneWhiteSpace(char *str)
 {
 char *end;
@@ -339,7 +340,7 @@
  * 0 otherwise
  *
  ********************************************************************/
-static INLINE int DCE2_IsEmptyStr(char *str)
+static inline int DCE2_IsEmptyStr(char *str)
 {
 char *end;
@@ -369,7 +370,7 @@
  * DCE2_RET__SUCCESS - memcpy succeeded
  *
  ********************************************************************/
-static INLINE DCE2_Ret DCE2_Memcpy(void *dst, const void *src, uint32_t len,
+static inline DCE2_Ret DCE2_Memcpy(void *dst, const void *src, uint32_t len,
 const void *dst_start, const void *dst_end)
 {
 if (SafeMemcpy(dst, src, (size_t)len, dst_start, dst_end) != SAFEMEM_SUCCESS)
@@ -390,7 +391,7 @@
  * DCE2_RET__SUCCESS - memmove succeeded
  *
  ********************************************************************/
-static INLINE DCE2_Ret DCE2_Memmove(void *dst, const void *src, uint32_t len,
+static inline DCE2_Ret DCE2_Memmove(void *dst, const void *src, uint32_t len,
 const void *dst_start, const void *dst_end)
 {
 if (SafeMemmove(dst, src, (size_t)len, dst_start, dst_end) != SAFEMEM_SUCCESS)
@@ -409,7 +410,7 @@
  * Returns:
  *
  *********************************************************************/
-static INLINE int DCE2_UuidCompare(const void *data1, const void *data2)
+static inline int DCE2_UuidCompare(const void *data1, const void *data2)
 {
 const Uuid *uuid1 = (Uuid *)data1;
 const Uuid *uuid2 = (Uuid *)data2;
@@ -438,17 +439,17 @@
  * order specified.
  *
  * Arguments:
- * Uuid *
+ * Uuid *
  * Pointer to uuid to copy to.
- * Uuid *
+ * Uuid *
  * Pointer to uuid to copy from.
- * const int
+ * const int
  * The byte order to use.
  *
  * Returns: None
  *
  *********************************************************************/
-static INLINE void DCE2_CopyUuid(Uuid *dst_uuid, const Uuid *pkt_uuid, const int byte_order)
+static inline void DCE2_CopyUuid(Uuid *dst_uuid, const Uuid *pkt_uuid, const DceRpcBoFlag byte_order)
 {
 dst_uuid->time_low = DceRpcNtohl(&pkt_uuid->time_low, byte_order);
 dst_uuid->time_mid = DceRpcNtohs(&pkt_uuid->time_mid, byte_order);
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/includes/dcerpc.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/includes/dcerpc.h
--- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/includes/dcerpc.h 2009-05-06 22:28:55.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/includes/dcerpc.h 2011-06-08 00:33:13.000000000 +0000
@@ -1,5 +1,5 @@
 /****************************************************************************
- * Copyright (C) 2008-2009 Sourcefire, Inc.
+ * Copyright (C) 2008-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
@@ -17,7 +17,7 @@
  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  *
  ****************************************************************************
- *
+ *
  ****************************************************************************/
 #ifndef DCERPC_H
@@ -27,9 +27,6 @@
 #include "config.h" /* For WORDS_BIGENDIAN */
 #endif
-#include "debug.h" /* For INLINE */
-#include "sf_types.h"
-
 /********************************************************************
  * Enumerations
  ********************************************************************/
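Review bot: The argument block for `DCE2_CopyUuid` still documents the third parameter as `const int` even though this hunk changes the signature to `const DceRpcBoFlag byte_order` and touches that very ` * const int` line (whitespace only); change it to ` * const DceRpcBoFlag` so the header comment matches the type it describes. The function's body continues outside the hunk.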
@@ -72,7 +69,7 @@
 } DceRpcPduType;
-/* Version 4 is for Connectionless
+/* Version 4 is for Connectionless
  * Version 5 is for Connection oriented */
 typedef enum _DceRpcProtoMajorVers
 {
@@ -172,6 +169,17 @@
 } DceRpcCoBindNakReason;
+typedef enum _DceRpcCoAuthLevelType
+{
+ DCERPC_CO_AUTH_LEVEL__NONE = 1,
+ DCERPC_CO_AUTH_LEVEL__CONNECT,
+ DCERPC_CO_AUTH_LEVEL__CALL,
+ DCERPC_CO_AUTH_LEVEL__PKT,
+ DCERPC_CO_AUTH_LEVEL__PKT_INTEGRITY,
+ DCERPC_CO_AUTH_LEVEL__PKT_PRIVACY
+
+} DceRpcCoAuthLevelType;
+
 /********************************************************************
  * Structures
  ********************************************************************/
@@ -462,7 +470,7 @@
 typedef struct _DceRpcCoShutdown
 {
 // nothing
-
+
 } DceRpcCoShutdown;
 #endif
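Review bot: `DceRpcCoAuthLevelType` in the `@@ -172,6 +169,17 @@` hunk is added without a comment saying what it enumerates or that its values start at 1, which matters because the `auth_level` byte it will be compared against is read straight from the auth verifier structure (see `DceRpcCoAuthLevel()` later in this file) and can hold any of 256 values; a header comment such as `/* auth_level values of the auth verifier; a value outside NONE..PKT_PRIVACY is not a defined level */` would make that explicit to anyone switching on it.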
@@ -516,51 +524,52 @@
 /********************************************************************
  * Inline functions prototypes
  ********************************************************************/
-static INLINE DceRpcBoFlag DceRpcByteOrder(const uint8_t);
-static INLINE uint16_t DceRpcNtohs(const uint16_t *, const DceRpcBoFlag);
-static INLINE uint16_t DceRpcHtons(const uint16_t *, const DceRpcBoFlag);
-static INLINE uint32_t DceRpcNtohl(const uint32_t *, const DceRpcBoFlag);
-static INLINE uint32_t DceRpcHtonl(const uint32_t *, const DceRpcBoFlag);
+static inline DceRpcBoFlag DceRpcByteOrder(const uint8_t);
+static inline uint16_t DceRpcNtohs(const uint16_t *, const DceRpcBoFlag);
+static inline uint16_t DceRpcHtons(const uint16_t *, const DceRpcBoFlag);
+static inline uint32_t DceRpcNtohl(const uint32_t *, const DceRpcBoFlag);
+static inline uint32_t DceRpcHtonl(const uint32_t *, const DceRpcBoFlag);
 /* Connectionless */
-static INLINE uint8_t DceRpcClRpcVers(const DceRpcClHdr *);
-static INLINE DceRpcBoFlag DceRpcClByteOrder(const DceRpcClHdr *);
-static INLINE uint32_t DceRpcClIfaceVers(const DceRpcClHdr *);
-static INLINE uint16_t DceRpcClOpnum(const DceRpcClHdr *);
-static INLINE uint32_t DceRpcClSeqNum(const DceRpcClHdr *);
-static INLINE uint16_t DceRpcClFragNum(const DceRpcClHdr *);
-static INLINE int DceRpcClFragFlag(const DceRpcClHdr *);
-static INLINE int DceRpcClLastFrag(const DceRpcClHdr *);
-static INLINE int DceRpcClFirstFrag(const DceRpcClHdr *);
-static INLINE uint16_t DceRpcClLen(const DceRpcClHdr *);
-static INLINE int DceRpcClFrag(const DceRpcClHdr *);
+static inline uint8_t DceRpcClRpcVers(const DceRpcClHdr *);
+static inline DceRpcBoFlag DceRpcClByteOrder(const DceRpcClHdr *);
+static inline uint32_t DceRpcClIfaceVers(const DceRpcClHdr *);
+static inline uint16_t DceRpcClOpnum(const DceRpcClHdr *);
+static inline uint32_t DceRpcClSeqNum(const DceRpcClHdr *);
+static inline uint16_t DceRpcClFragNum(const DceRpcClHdr *);
+static inline int DceRpcClFragFlag(const DceRpcClHdr *);
+static inline int DceRpcClLastFrag(const DceRpcClHdr *);
+static inline int DceRpcClFirstFrag(const DceRpcClHdr *);
+static inline uint16_t DceRpcClLen(const DceRpcClHdr *);
+static inline int DceRpcClFrag(const DceRpcClHdr *);
 /* Connection oriented */
-static INLINE uint8_t DceRpcCoVersMaj(const DceRpcCoHdr *);
-static INLINE uint8_t DceRpcCoVersMin(const DceRpcCoHdr *);
-static INLINE DceRpcPduType DceRpcCoPduType(const DceRpcCoHdr *);
-static INLINE int DceRpcCoFirstFrag(const DceRpcCoHdr *);
-static INLINE int DceRpcCoLastFrag(const DceRpcCoHdr *);
-static INLINE int DceRpcCoObjectFlag(const DceRpcCoHdr *);
-static INLINE DceRpcBoFlag DceRpcCoByteOrder(const DceRpcCoHdr *);
-static INLINE uint16_t DceRpcCoFragLen(const DceRpcCoHdr *);
-static INLINE uint16_t DceRpcCoAuthLen(const DceRpcCoHdr *);
-static INLINE uint32_t DceRpcCoCallId(const DceRpcCoHdr *);
-static INLINE uint16_t DceRpcCoCtxId(const DceRpcCoHdr *, const DceRpcCoRequest *);
-static INLINE uint16_t DceRpcCoCtxIdResp(const DceRpcCoHdr *, const DceRpcCoResponse *);
-static INLINE uint16_t DceRpcCoOpnum(const DceRpcCoHdr *, const DceRpcCoRequest *);
-static INLINE uint16_t DceRpcCoBindMaxXmitFrag(const DceRpcCoHdr *, const DceRpcCoBind *);
-static INLINE uint16_t DceRpcCoBindAckMaxRecvFrag(const DceRpcCoHdr *, const DceRpcCoBindAck *);
-static INLINE uint8_t DceRpcCoNumCtxItems(const DceRpcCoBind *);
-static INLINE uint16_t DceRpcCoContElemCtxId(const DceRpcCoHdr *, const DceRpcCoContElem *);
-static INLINE uint8_t DceRpcCoContElemNumTransSyntaxes(const DceRpcCoContElem *);
-static INLINE const Uuid * DceRpcCoContElemIface(const DceRpcCoContElem *);
-static INLINE uint16_t DceRpcCoContElemIfaceVersMaj(const DceRpcCoHdr *, const DceRpcCoContElem *);
-static INLINE uint16_t DceRpcCoContElemIfaceVersMin(const DceRpcCoHdr *, const DceRpcCoContElem *);
-static INLINE uint16_t DceRpcCoSecAddrLen(const DceRpcCoHdr *, const DceRpcCoBindAck *);
-static INLINE uint8_t DceRpcCoContNumResults(const DceRpcCoContResultList *);
-static INLINE uint16_t DceRpcCoContRes(const DceRpcCoHdr *, const DceRpcCoContResult *);
-static INLINE uint16_t DceRpcCoAuthPad(const DceRpcCoAuthVerifier *);
+static inline uint8_t DceRpcCoVersMaj(const DceRpcCoHdr *);
+static inline uint8_t DceRpcCoVersMin(const DceRpcCoHdr *);
+static inline DceRpcPduType DceRpcCoPduType(const DceRpcCoHdr *);
+static inline int DceRpcCoFirstFrag(const DceRpcCoHdr *);
+static inline int DceRpcCoLastFrag(const DceRpcCoHdr *);
+static inline int DceRpcCoObjectFlag(const DceRpcCoHdr *);
+static inline DceRpcBoFlag DceRpcCoByteOrder(const DceRpcCoHdr *);
+static inline uint16_t DceRpcCoFragLen(const DceRpcCoHdr *);
+static inline uint16_t DceRpcCoAuthLen(const DceRpcCoHdr *);
+static inline uint32_t DceRpcCoCallId(const DceRpcCoHdr *);
+static inline uint16_t DceRpcCoCtxId(const DceRpcCoHdr *, const DceRpcCoRequest *);
+static inline uint16_t DceRpcCoCtxIdResp(const DceRpcCoHdr *, const DceRpcCoResponse *);
+static inline uint16_t DceRpcCoOpnum(const DceRpcCoHdr *, const DceRpcCoRequest *);
+static inline uint16_t DceRpcCoBindMaxXmitFrag(const DceRpcCoHdr *, const DceRpcCoBind *);
+static inline uint16_t DceRpcCoBindAckMaxRecvFrag(const DceRpcCoHdr *, const DceRpcCoBindAck *);
+static inline uint8_t DceRpcCoNumCtxItems(const DceRpcCoBind *);
+static inline uint16_t DceRpcCoContElemCtxId(const DceRpcCoHdr *, const DceRpcCoContElem *);
+static inline uint8_t DceRpcCoContElemNumTransSyntaxes(const DceRpcCoContElem *);
+static inline const Uuid * DceRpcCoContElemIface(const DceRpcCoContElem *);
+static inline uint16_t DceRpcCoContElemIfaceVersMaj(const DceRpcCoHdr *, const DceRpcCoContElem *);
+static inline uint16_t DceRpcCoContElemIfaceVersMin(const DceRpcCoHdr *, const DceRpcCoContElem *);
+static inline uint16_t DceRpcCoSecAddrLen(const DceRpcCoHdr *, const DceRpcCoBindAck *);
+static inline uint8_t DceRpcCoContNumResults(const DceRpcCoContResultList *);
+static inline uint16_t DceRpcCoContRes(const DceRpcCoHdr *, const DceRpcCoContResult *);
+static inline uint16_t DceRpcCoAuthPad(const DceRpcCoAuthVerifier *);
+static inline uint8_t DceRpcCoAuthLevel(const DceRpcCoAuthVerifier *);
 /********************************************************************
  * Function:
@@ -572,7 +581,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE DceRpcBoFlag DceRpcByteOrder(const uint8_t value)
+static inline DceRpcBoFlag DceRpcByteOrder(const uint8_t value)
 {
 if ((value & 0x10) >> 4)
 return DCERPC_BO_FLAG__LITTLE_ENDIAN;
@@ -590,7 +599,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint16_t DceRpcNtohs(const uint16_t *ptr, const DceRpcBoFlag bo_flag)
+static inline uint16_t DceRpcNtohs(const uint16_t *ptr, const DceRpcBoFlag bo_flag)
 {
 uint16_t value;
@@ -626,7 +635,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint16_t DceRpcHtons(const uint16_t *ptr, const DceRpcBoFlag bo_flag)
+static inline uint16_t DceRpcHtons(const uint16_t *ptr, const DceRpcBoFlag bo_flag)
 {
 return DceRpcNtohs(ptr, bo_flag);
 }
@@ -641,7 +650,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint32_t DceRpcNtohl(const uint32_t *ptr, const DceRpcBoFlag bo_flag)
+static inline uint32_t DceRpcNtohl(const uint32_t *ptr, const DceRpcBoFlag bo_flag)
 {
 uint32_t value;
@@ -679,7 +688,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint32_t DceRpcHtonl(const uint32_t *ptr, const DceRpcBoFlag bo_flag)
+static inline uint32_t DceRpcHtonl(const uint32_t *ptr, const DceRpcBoFlag bo_flag)
 {
 return DceRpcNtohl(ptr, bo_flag);
 }
@@ -694,7 +703,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint8_t DceRpcClRpcVers(const DceRpcClHdr *cl)
+static inline uint8_t DceRpcClRpcVers(const DceRpcClHdr *cl)
 {
 return cl->rpc_vers;
 }
@@ -709,7 +718,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint8_t DceRpcClPduType(const DceRpcClHdr *cl)
+static inline uint8_t DceRpcClPduType(const DceRpcClHdr *cl)
 {
 return cl->ptype;
 }
@@ -724,7 +733,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE DceRpcBoFlag DceRpcClByteOrder(const DceRpcClHdr *cl)
+static inline DceRpcBoFlag DceRpcClByteOrder(const DceRpcClHdr *cl)
 {
 return DceRpcByteOrder(cl->drep[0]);
 }
@@ -739,7 +748,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE const Uuid * DceRpcClIface(const DceRpcClHdr *cl)
+static inline const Uuid * DceRpcClIface(const DceRpcClHdr *cl)
 {
 return &cl->if_id;
 }
@@ -754,7 +763,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint32_t DceRpcClIfaceVers(const DceRpcClHdr *cl)
+static inline uint32_t DceRpcClIfaceVers(const DceRpcClHdr *cl)
 {
 return DceRpcNtohl(&cl->if_vers, DceRpcClByteOrder(cl));
 }
@@ -769,7 +778,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint16_t DceRpcClOpnum(const DceRpcClHdr *cl)
+static inline uint16_t DceRpcClOpnum(const DceRpcClHdr *cl)
 {
 return DceRpcNtohs(&cl->opnum, DceRpcClByteOrder(cl));
 }
@@ -784,7 +793,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint32_t DceRpcClSeqNum(const DceRpcClHdr *cl)
+static inline uint32_t DceRpcClSeqNum(const DceRpcClHdr *cl)
 {
 return DceRpcNtohl(&cl->seqnum, DceRpcClByteOrder(cl));
 }
@@ -799,7 +808,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint16_t DceRpcClFragNum(const DceRpcClHdr *cl)
+static inline uint16_t DceRpcClFragNum(const DceRpcClHdr *cl)
 {
 return DceRpcNtohs(&cl->fragnum, DceRpcClByteOrder(cl));
 }
@@ -814,7 +823,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE int DceRpcClFragFlag(const DceRpcClHdr *cl)
+static inline int DceRpcClFragFlag(const DceRpcClHdr *cl)
 {
 return cl->flags1 & DCERPC_CL_FLAGS1__FRAG;
 }
@@ -829,7 +838,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE int DceRpcClLastFrag(const DceRpcClHdr *cl)
+static inline int DceRpcClLastFrag(const DceRpcClHdr *cl)
 {
 return cl->flags1 & DCERPC_CL_FLAGS1__LASTFRAG;
 }
@@ -844,7 +853,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE int DceRpcClFirstFrag(const DceRpcClHdr *cl)
+static inline int DceRpcClFirstFrag(const DceRpcClHdr *cl)
 {
 return (DceRpcClFragFlag(cl) && (DceRpcClFragNum(cl) == 0));
 }
@@ -859,7 +868,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint16_t DceRpcClLen(const DceRpcClHdr *cl)
+static inline uint16_t DceRpcClLen(const DceRpcClHdr *cl)
 {
 return DceRpcNtohs(&cl->len, DceRpcClByteOrder(cl));
 }
@@ -874,7 +883,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE int DceRpcClFrag(const DceRpcClHdr *cl)
+static inline int DceRpcClFrag(const DceRpcClHdr *cl)
 {
 if (DceRpcClFragFlag(cl))
 {
@@ -897,7 +906,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint8_t DceRpcCoVersMaj(const DceRpcCoHdr *co)
+static inline uint8_t DceRpcCoVersMaj(const DceRpcCoHdr *co)
 {
 return co->pversion.major;
 }
@@ -912,7 +921,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint8_t DceRpcCoVersMin(const DceRpcCoHdr *co)
+static inline uint8_t DceRpcCoVersMin(const DceRpcCoHdr *co)
 {
 return co->pversion.minor;
 }
@@ -927,9 +936,9 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE DceRpcPduType DceRpcCoPduType(const DceRpcCoHdr *co)
+static inline DceRpcPduType DceRpcCoPduType(const DceRpcCoHdr *co)
 {
- return co->ptype;
+ return (DceRpcPduType)co->ptype;
 }
 /********************************************************************
@@ -942,7 +951,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE int DceRpcCoFirstFrag(const DceRpcCoHdr *co)
+static inline int DceRpcCoFirstFrag(const DceRpcCoHdr *co)
 {
 return co->pfc_flags & DCERPC_CO_PFC_FLAGS__FIRST_FRAG;
 }
@@ -957,7 +966,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE int DceRpcCoLastFrag(const DceRpcCoHdr *co)
+static inline int DceRpcCoLastFrag(const DceRpcCoHdr *co)
 {
 return co->pfc_flags & DCERPC_CO_PFC_FLAGS__LAST_FRAG;
 }
@@ -972,7 +981,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE int DceRpcCoObjectFlag(const DceRpcCoHdr *co)
+static inline int DceRpcCoObjectFlag(const DceRpcCoHdr *co)
 {
 return co->pfc_flags & DCERPC_CO_PFC_FLAGS__OBJECT_UUID;
 }
@@ -987,7 +996,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE DceRpcBoFlag DceRpcCoByteOrder(const DceRpcCoHdr *co)
+static inline DceRpcBoFlag DceRpcCoByteOrder(const DceRpcCoHdr *co)
 {
 return DceRpcByteOrder(co->packed_drep[0]);
 }
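Review bot: `return (DceRpcPduType)co->ptype;` in the `@@ -927,9 +936,9 @@` hunk only silences the implicit-conversion warning; `ptype` is a byte taken from the header, so any of its 256 values now comes back typed as a `DceRpcPduType` even when it matches no enumerator. That is acceptable as long as every consumer treats unknown values as invalid (a `default:` branch in any `switch` on the result), and a comment at the cast should say so, e.g. `/* ptype is an unvalidated wire byte; the cast does not range-check it */`.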
@@ -1002,7 +1011,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint16_t DceRpcCoFragLen(const DceRpcCoHdr *co)
+static inline uint16_t DceRpcCoFragLen(const DceRpcCoHdr *co)
 {
 return DceRpcNtohs(&co->frag_length, DceRpcCoByteOrder(co));
 }
@@ -1017,7 +1026,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint16_t DceRpcCoAuthLen(const DceRpcCoHdr *co)
+static inline uint16_t DceRpcCoAuthLen(const DceRpcCoHdr *co)
 {
 return DceRpcNtohs(&co->auth_length, DceRpcCoByteOrder(co));
 }
@@ -1032,7 +1041,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint32_t DceRpcCoCallId(const DceRpcCoHdr *co)
+static inline uint32_t DceRpcCoCallId(const DceRpcCoHdr *co)
 {
 return DceRpcNtohl(&co->call_id, DceRpcCoByteOrder(co));
 }
@@ -1047,7 +1056,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint16_t DceRpcCoOpnum(const DceRpcCoHdr *co, const DceRpcCoRequest *cor)
+static inline uint16_t DceRpcCoOpnum(const DceRpcCoHdr *co, const DceRpcCoRequest *cor)
 {
 return DceRpcNtohs(&cor->opnum, DceRpcCoByteOrder(co));
 }
@@ -1062,7 +1071,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint16_t DceRpcCoCtxId(const DceRpcCoHdr *co, const DceRpcCoRequest *cor)
+static inline uint16_t DceRpcCoCtxId(const DceRpcCoHdr *co, const DceRpcCoRequest *cor)
 {
 return DceRpcNtohs(&cor->context_id, DceRpcCoByteOrder(co));
 }
@@ -1077,7 +1086,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint16_t DceRpcCoCtxIdResp(const DceRpcCoHdr *co, const DceRpcCoResponse *cor)
+static inline uint16_t DceRpcCoCtxIdResp(const DceRpcCoHdr *co, const DceRpcCoResponse *cor)
 {
 return DceRpcNtohs(&cor->context_id, DceRpcCoByteOrder(co));
 }
@@ -1092,7 +1101,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint16_t DceRpcCoBindMaxXmitFrag(const DceRpcCoHdr *co, const DceRpcCoBind *cob)
+static inline uint16_t DceRpcCoBindMaxXmitFrag(const DceRpcCoHdr *co, const DceRpcCoBind *cob)
 {
 return DceRpcNtohs(&cob->max_xmit_frag, DceRpcCoByteOrder(co));
 }
@@ -1107,7 +1116,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint16_t DceRpcCoBindAckMaxRecvFrag(const DceRpcCoHdr *co, const DceRpcCoBindAck *coba)
+static inline uint16_t DceRpcCoBindAckMaxRecvFrag(const DceRpcCoHdr *co, const DceRpcCoBindAck *coba)
 {
 return DceRpcNtohs(&coba->max_recv_frag, DceRpcCoByteOrder(co));
 }
@@ -1122,7 +1131,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint8_t DceRpcCoNumCtxItems(const DceRpcCoBind *cob)
+static inline uint8_t DceRpcCoNumCtxItems(const DceRpcCoBind *cob)
 {
 return cob->n_context_elem;
 }
@@ -1137,7 +1146,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint16_t DceRpcCoContElemCtxId(const DceRpcCoHdr *co, const DceRpcCoContElem *coce)
+static inline uint16_t DceRpcCoContElemCtxId(const DceRpcCoHdr *co, const DceRpcCoContElem *coce)
 {
 return DceRpcNtohs(&coce->p_cont_id, DceRpcCoByteOrder(co));
 }
@@ -1152,7 +1161,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint8_t DceRpcCoContElemNumTransSyntaxes(const DceRpcCoContElem *coce)
+static inline uint8_t DceRpcCoContElemNumTransSyntaxes(const DceRpcCoContElem *coce)
 {
 return coce->n_transfer_syn;
 }
@@ -1167,7 +1176,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE const Uuid * DceRpcCoContElemIface(const DceRpcCoContElem *coce)
+static inline const Uuid * DceRpcCoContElemIface(const DceRpcCoContElem *coce)
 {
 return &coce->abstract_syntax.if_uuid;
 }
@@ -1182,7 +1191,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint16_t DceRpcCoContElemIfaceVersMaj(const DceRpcCoHdr *co, const DceRpcCoContElem *coce)
+static inline uint16_t DceRpcCoContElemIfaceVersMaj(const DceRpcCoHdr *co, const DceRpcCoContElem *coce)
 {
 return (uint16_t)(DceRpcNtohl(&coce->abstract_syntax.if_version, DceRpcCoByteOrder(co)) & 0x0000ffff);
 }
@@ -1197,7 +1206,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint16_t DceRpcCoContElemIfaceVersMin(const DceRpcCoHdr *co, const DceRpcCoContElem *coce)
+static inline uint16_t DceRpcCoContElemIfaceVersMin(const DceRpcCoHdr *co, const DceRpcCoContElem *coce)
 {
 return (uint16_t)(DceRpcNtohl(&coce->abstract_syntax.if_version, DceRpcCoByteOrder(co)) >> 16);
 }
@@ -1212,7 +1221,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint16_t DceRpcCoSecAddrLen(const DceRpcCoHdr *co, const DceRpcCoBindAck *coba)
+static inline uint16_t DceRpcCoSecAddrLen(const DceRpcCoHdr *co, const DceRpcCoBindAck *coba)
 {
 return DceRpcNtohs(&coba->sec_addr_len, DceRpcCoByteOrder(co));
 }
@@ -1227,7 +1236,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint8_t DceRpcCoContNumResults(const DceRpcCoContResultList *cocrl)
+static inline uint8_t DceRpcCoContNumResults(const DceRpcCoContResultList *cocrl)
 {
 return cocrl->n_results;
 }
@@ -1242,7 +1251,7 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint16_t DceRpcCoContRes(const DceRpcCoHdr *co, const DceRpcCoContResult *cocr)
+static inline uint16_t DceRpcCoContRes(const DceRpcCoHdr *co, const DceRpcCoContResult *cocr)
 {
 return DceRpcNtohs(&cocr->result, DceRpcCoByteOrder(co));
 }
@@ -1257,10 +1266,25 @@
  * Returns:
  *
  ********************************************************************/
-static INLINE uint16_t DceRpcCoAuthPad(const DceRpcCoAuthVerifier *coav)
+static inline uint16_t DceRpcCoAuthPad(const DceRpcCoAuthVerifier *coav)
 {
 return coav->auth_pad_length;
 }
+/********************************************************************
+ * Function:
+ *
+ * Purpose:
+ *
+ * Arguments:
+ *
+ * Returns:
+ *
+ ********************************************************************/
+static inline uint8_t DceRpcCoAuthLevel(const DceRpcCoAuthVerifier *coav)
+{
+ return coav->auth_level;
+}
+
 #endif /* DCERPC_H */
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/includes/smb.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/includes/smb.h
--- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/includes/smb.h 2009-05-06 22:28:56.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/includes/smb.h 2011-06-08 00:33:13.000000000 +0000
@@ -1,5 +1,5 @@
 /****************************************************************************
- * Copyright (C) 2008-2009 Sourcefire, Inc.
+ * Copyright (C) 2008-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
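Review bot: The new `DceRpcCoAuthLevel` accessor in the `@@ -1257,10 +1266,25 @@` hunk is added with the file's comment template left empty (`Function:`, `Purpose:`, `Arguments:` and `Returns:` all blank), so the one thing a reader needs — that it returns the raw `auth_level` byte of the auth verifier without checking it against `DceRpcCoAuthLevelType` — is stated nowhere. Filling the template in with the function name, `const DceRpcCoAuthVerifier *` under Arguments, and under Returns `uint8_t auth_level as carried in the verifier, not validated against DceRpcCoAuthLevelType` would also make the `uint8_t` (rather than enum) return type read as a deliberate choice.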
@@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - **************************************************************************** + **************************************************************************** * ****************************************************************************/ @@ -27,7 +27,7 @@ #include "config.h" /* For WORDS_BIGENDIAN */ #endif -#include "debug.h" /* For INLINE */ +#include "snort_debug.h" /* For inline */ #include "sf_types.h" /******************************************************************** @@ -87,7 +87,7 @@ * NULL terminated ASCII strings unless Unicode is specified * in the NT LM 1.0 SMB header in which case they are NULL * terminated unicode strings - */ + */ #define SMB_FMT__DATA_BLOCK 1 #define SMB_FMT__ASCII 4 @@ -664,13 +664,13 @@ bit0 = 1, exclusive search bits supported */ uint16_t smb_bcc; /* min value = 3 */ #if 0 - uint8_t smb_nativefs[]; /* native file system for this connection */ + uint8_t smb_nativefs[]; /* native file system for this connection */ #endif } SmbLm21_TreeConnectAndXResp; /******************************************************************** - * Tree Disconnect :: smb_com = SMB_COM_TREE_DIS + * Tree Disconnect :: smb_com = SMB_COM_TREE_DIS * ********************************************************************/ typedef struct _SmbCore_TreeDisconnectReq /* smb_wct = 0 */ 
@@ -1363,82 +1363,82 @@ /******************************************************************** * Inline functions prototypes ********************************************************************/ -static INLINE uint32_t NbssLen(const NbssHdr *); -static INLINE uint8_t NbssType(const NbssHdr *); -static INLINE uint16_t SmbNtohs(const uint16_t *); -static INLINE uint32_t SmbNtohl(const uint32_t *); -static INLINE uint16_t SmbHtons(const uint16_t *); -static INLINE uint32_t SmbHtonl(const uint32_t *); +static inline uint32_t NbssLen(const NbssHdr *); +static inline uint8_t NbssType(const NbssHdr *); +static inline uint16_t SmbNtohs(const uint16_t *); +static inline uint32_t SmbNtohl(const uint32_t *); +static inline uint16_t SmbHtons(const uint16_t *); +static inline uint32_t SmbHtonl(const uint32_t *); -static INLINE uint32_t SmbId(const SmbNtHdr *); -static INLINE uint32_t SmbNtStatus(const SmbNtHdr *); -static INLINE int SmbError(const SmbNtHdr *); -static INLINE int SmbType(const SmbNtHdr *); -static INLINE uint8_t SmbCom(const SmbNtHdr *); -static INLINE int SmbUnicode(const SmbNtHdr *); -static INLINE uint16_t SmbUid(const SmbNtHdr *); -static INLINE uint16_t SmbTid(const SmbNtHdr *); -static INLINE uint16_t SmbPid(const SmbNtHdr *); -static INLINE uint16_t SmbMid(const SmbNtHdr *); +static inline uint32_t SmbId(const SmbNtHdr *); +static inline uint32_t SmbNtStatus(const SmbNtHdr *); +static inline int SmbError(const SmbNtHdr *); +static inline int SmbType(const SmbNtHdr *); +static inline uint8_t SmbCom(const SmbNtHdr *); +static inline int SmbUnicode(const SmbNtHdr *); +static inline uint16_t SmbUid(const SmbNtHdr *); +static inline uint16_t SmbTid(const SmbNtHdr *); +static inline uint16_t SmbPid(const SmbNtHdr *); +static inline uint16_t SmbMid(const SmbNtHdr *); -static INLINE uint8_t SmbWct(const SmbCommon *); -static INLINE uint16_t SmbBcc(const uint8_t *, uint16_t); -static INLINE uint8_t SmbAndXCom2(const SmbAndXCommon *); -static INLINE uint16_t 
SmbAndXOff2(const SmbAndXCommon *); -static INLINE uint8_t SmbEmptyComWct(const SmbEmptyCom *); -static INLINE uint16_t SmbEmptyComBcc(const SmbEmptyCom *); +static inline uint8_t SmbWct(const SmbCommon *); +static inline uint16_t SmbBcc(const uint8_t *, uint16_t); +static inline uint8_t SmbAndXCom2(const SmbAndXCommon *); +static inline uint16_t SmbAndXOff2(const SmbAndXCommon *); +static inline uint8_t SmbEmptyComWct(const SmbEmptyCom *); +static inline uint16_t SmbEmptyComBcc(const SmbEmptyCom *); -static INLINE uint16_t SmbGet16(const uint8_t *); -static INLINE uint32_t SmbGet32(const uint8_t *); +static inline uint16_t SmbGet16(const uint8_t *); +static inline uint32_t SmbGet32(const uint8_t *); -static INLINE uint16_t SmbLm10_TreeConAndXReqPassLen(const SmbLm10_TreeConnectAndXReq *); +static inline uint16_t SmbLm10_TreeConAndXReqPassLen(const SmbLm10_TreeConnectAndXReq *); -static INLINE uint16_t SmbCore_OpenRespFid(const SmbCore_OpenResp *); -static INLINE uint16_t SmbLm10_OpenAndXRespFid(const SmbLm10_OpenAndXResp *); +static inline uint16_t SmbCore_OpenRespFid(const SmbCore_OpenResp *); +static inline uint16_t SmbLm10_OpenAndXRespFid(const SmbLm10_OpenAndXResp *); -static INLINE uint16_t SmbNt10_NtCreateAndXRespFid(const SmbNt10_NtCreateAndXResp *); +static inline uint16_t SmbNt10_NtCreateAndXRespFid(const SmbNt10_NtCreateAndXResp *); -static INLINE uint16_t SmbCore_CloseReqFid(const SmbCore_CloseReq *); +static inline uint16_t SmbCore_CloseReqFid(const SmbCore_CloseReq *); -static INLINE uint16_t SmbCore_WriteReqFid(const SmbCore_WriteReq *); +static inline uint16_t SmbCore_WriteReqFid(const SmbCore_WriteReq *); -static INLINE uint16_t SmbLm10_WriteAndCloseReqFid(const SmbLm10_WriteAndCloseReq6 *); -static INLINE uint16_t SmbLm10_WriteAndCloseReqCount(const SmbLm10_WriteAndCloseReq6 *); +static inline uint16_t SmbLm10_WriteAndCloseReqFid(const SmbLm10_WriteAndCloseReq6 *); +static inline uint16_t SmbLm10_WriteAndCloseReqCount(const 
SmbLm10_WriteAndCloseReq6 *); -static INLINE uint16_t SmbLm10_WriteAndXReqFid(const SmbLm10_WriteAndXReq *); -static INLINE uint16_t SmbLm10_WriteAndXReqDoff(const SmbLm10_WriteAndXReq *); -static INLINE uint16_t SmbLm10_WriteAndXReqDsize(const SmbLm10_WriteAndXReq *); +static inline uint16_t SmbLm10_WriteAndXReqFid(const SmbLm10_WriteAndXReq *); +static inline uint16_t SmbLm10_WriteAndXReqDoff(const SmbLm10_WriteAndXReq *); +static inline uint16_t SmbLm10_WriteAndXReqDsize(const SmbLm10_WriteAndXReq *); -static INLINE uint16_t SmbLm10_TransactNamedPipeReqFunc(const SmbLm10_TransactNamedPipeReq *); -static INLINE uint16_t SmbLm10_TransactNamedPipeReqFid(const SmbLm10_TransactNamedPipeReq *); -static INLINE uint16_t SmbLm10_TransactNamedPipeReqDoff(const SmbLm10_TransactNamedPipeReq *); -static INLINE uint16_t SmbLm10_TransactNamedPipeReqTotalDcnt(const SmbLm10_TransactNamedPipeReq *); -static INLINE uint16_t SmbLm10_TransactNamedPipeReqDcnt(const SmbLm10_TransactNamedPipeReq *); +static inline uint16_t SmbLm10_TransactNamedPipeReqFunc(const SmbLm10_TransactNamedPipeReq *); +static inline uint16_t SmbLm10_TransactNamedPipeReqFid(const SmbLm10_TransactNamedPipeReq *); +static inline uint16_t SmbLm10_TransactNamedPipeReqDoff(const SmbLm10_TransactNamedPipeReq *); +static inline uint16_t SmbLm10_TransactNamedPipeReqTotalDcnt(const SmbLm10_TransactNamedPipeReq *); +static inline uint16_t SmbLm10_TransactNamedPipeReqDcnt(const SmbLm10_TransactNamedPipeReq *); -static INLINE uint16_t SmbLm10_TransactSecReqDoff(const SmbLm10_TransactionSecondaryReq *); -static INLINE uint16_t SmbLm10_TransactSecReqTotalDcnt(const SmbLm10_TransactionSecondaryReq *); -static INLINE uint16_t SmbLm10_TransactSecReqDcnt(const SmbLm10_TransactionSecondaryReq *); -static INLINE uint16_t SmbLm10_TransactSecReqTotalDdisp(const SmbLm10_TransactionSecondaryReq *); +static inline uint16_t SmbLm10_TransactSecReqDoff(const SmbLm10_TransactionSecondaryReq *); +static inline uint16_t 
SmbLm10_TransactSecReqTotalDcnt(const SmbLm10_TransactionSecondaryReq *); +static inline uint16_t SmbLm10_TransactSecReqDcnt(const SmbLm10_TransactionSecondaryReq *); +static inline uint16_t SmbLm10_TransactSecReqTotalDdisp(const SmbLm10_TransactionSecondaryReq *); -static INLINE uint16_t SmbLm10_TransactNamedPipeRespDoff(const SmbLm10_TransactNamedPipeResp *); -static INLINE uint16_t SmbLm10_TransactNamedPipeRespTotalDcnt(const SmbLm10_TransactNamedPipeResp *); -static INLINE uint16_t SmbLm10_TransactNamedPipeRespDcnt(const SmbLm10_TransactNamedPipeResp *); -static INLINE uint16_t SmbLm10_TransactNamedPipeRespTotalDdisp(const SmbLm10_TransactNamedPipeResp *); +static inline uint16_t SmbLm10_TransactNamedPipeRespDoff(const SmbLm10_TransactNamedPipeResp *); +static inline uint16_t SmbLm10_TransactNamedPipeRespTotalDcnt(const SmbLm10_TransactNamedPipeResp *); +static inline uint16_t SmbLm10_TransactNamedPipeRespDcnt(const SmbLm10_TransactNamedPipeResp *); +static inline uint16_t SmbLm10_TransactNamedPipeRespTotalDdisp(const SmbLm10_TransactNamedPipeResp *); -static INLINE uint16_t SmbLm10_TransRespParamCnt(const SmbLm10_TransactionResp *); +static inline uint16_t SmbLm10_TransRespParamCnt(const SmbLm10_TransactionResp *); -static INLINE uint16_t SmbCore_ReadReqFid(const SmbCore_ReadReq *); +static inline uint16_t SmbCore_ReadReqFid(const SmbCore_ReadReq *); -static INLINE uint16_t SmbLm10_ReadAndXReqFid(const SmbLm10_ReadAndXReq *); -static INLINE uint16_t SmbLm10_ReadAndXRespDoff(const SmbLm10_ReadAndXResp *); -static INLINE uint16_t SmbLm10_ReadAndXRespDsize(const SmbLm10_ReadAndXResp *); +static inline uint16_t SmbLm10_ReadAndXReqFid(const SmbLm10_ReadAndXReq *); +static inline uint16_t SmbLm10_ReadAndXRespDoff(const SmbLm10_ReadAndXResp *); +static inline uint16_t SmbLm10_ReadAndXRespDsize(const SmbLm10_ReadAndXResp *); -static INLINE uint16_t SmbLm10_WriteBlockRawReqTotCount(const SmbLm10_WriteBlockRawReq *); -static INLINE uint16_t 
SmbLm10_WriteBlockRawReqFid(const SmbLm10_WriteBlockRawReq *); -static INLINE uint16_t SmbLm10_WriteBlockRawReqDoff(const SmbLm10_WriteBlockRawReq *); -static INLINE uint16_t SmbLm10_WriteBlockRawReqDsize(const SmbLm10_WriteBlockRawReq *); +static inline uint16_t SmbLm10_WriteBlockRawReqTotCount(const SmbLm10_WriteBlockRawReq *); +static inline uint16_t SmbLm10_WriteBlockRawReqFid(const SmbLm10_WriteBlockRawReq *); +static inline uint16_t SmbLm10_WriteBlockRawReqDoff(const SmbLm10_WriteBlockRawReq *); +static inline uint16_t SmbLm10_WriteBlockRawReqDsize(const SmbLm10_WriteBlockRawReq *); -static INLINE uint16_t SmbLm10_ReadBlockRawReqFid(const SmbLm10_ReadBlockRawReq *); +static inline uint16_t SmbLm10_ReadBlockRawReqFid(const SmbLm10_ReadBlockRawReq *); /******************************************************************** * Function: @@ -1450,7 +1450,7 @@ * Returns: * ********************************************************************/ -static INLINE uint32_t NbssLen(const NbssHdr *nb) +static inline uint32_t NbssLen(const NbssHdr *nb) { /* Treat first bit of flags as the upper byte to length */ return ((nb->flags & 0x01) << 16) | ntohs(nb->length); @@ -1466,7 +1466,7 @@ * Returns: * ********************************************************************/ -static INLINE uint8_t NbssType(const NbssHdr *nb) +static inline uint8_t NbssType(const NbssHdr *nb) { return nb->type; } @@ -1481,7 +1481,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbNtohs(const uint16_t *ptr) +static inline uint16_t SmbNtohs(const uint16_t *ptr) { uint16_t value; @@ -1511,7 +1511,7 @@ * Returns: * ********************************************************************/ -static INLINE uint32_t SmbNtohl(const uint32_t *ptr) +static inline uint32_t SmbNtohl(const uint32_t *ptr) { uint32_t value; 
@@ -1543,7 +1543,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbHtons(const uint16_t *ptr) +static inline uint16_t SmbHtons(const uint16_t *ptr) { return SmbNtohs(ptr); } @@ -1558,7 +1558,7 @@ * Returns: * ********************************************************************/ -static INLINE uint32_t SmbHtonl(const uint32_t *ptr) +static inline uint32_t SmbHtonl(const uint32_t *ptr) { return SmbNtohl(ptr); } @@ -1573,7 +1573,7 @@ * Returns: * ********************************************************************/ -static INLINE uint32_t SmbId(const SmbNtHdr *hdr) +static inline uint32_t SmbId(const SmbNtHdr *hdr) { #ifdef WORDS_MUSTALIGN uint8_t *idf = (uint8_t *)hdr->smb_idf; @@ -1593,7 +1593,7 @@ * Returns: * ********************************************************************/ -static INLINE uint32_t SmbNtStatus(const SmbNtHdr *hdr) +static inline uint32_t SmbNtStatus(const SmbNtHdr *hdr) { return SmbNtohl(&hdr->smb_status.smb_nt_status); } @@ -1608,7 +1608,7 @@ * Returns: * ********************************************************************/ -static INLINE int SmbError(const SmbNtHdr *hdr) +static inline int SmbError(const SmbNtHdr *hdr) { if (SmbNtohs(&hdr->smb_flg2) & SMB_FLG2__NT_CODES) { @@ -1654,7 +1654,7 @@ * Returns: * ********************************************************************/ -static INLINE int SmbType(const SmbNtHdr *hdr) +static inline int SmbType(const SmbNtHdr *hdr) { if (hdr->smb_flg & SMB_FLG__TYPE) return SMB_TYPE__RESPONSE; @@ -1672,7 +1672,7 @@ * Returns: * ********************************************************************/ -static INLINE uint8_t SmbCom(const SmbNtHdr *hdr) +static inline uint8_t SmbCom(const SmbNtHdr *hdr) { return hdr->smb_com; } 
@@ -1687,7 +1687,7 @@ * Returns: * ********************************************************************/ -static INLINE int SmbUnicode(const SmbNtHdr *hdr) +static inline int SmbUnicode(const SmbNtHdr *hdr) { return SmbNtohs(&hdr->smb_flg2) & SMB_FLG2__UNICODE; } @@ -1702,7 +1702,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbUid(const SmbNtHdr *hdr) +static inline uint16_t SmbUid(const SmbNtHdr *hdr) { return SmbNtohs(&hdr->smb_uid); } @@ -1717,7 +1717,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbTid(const SmbNtHdr *hdr) +static inline uint16_t SmbTid(const SmbNtHdr *hdr) { return SmbNtohs(&hdr->smb_tid); } @@ -1732,7 +1732,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbPid(const SmbNtHdr *hdr) +static inline uint16_t SmbPid(const SmbNtHdr *hdr) { return SmbNtohs(&hdr->smb_pid); } @@ -1747,7 +1747,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbMid(const SmbNtHdr *hdr) +static inline uint16_t SmbMid(const SmbNtHdr *hdr) { return SmbNtohs(&hdr->smb_mid); } @@ -1762,7 +1762,7 @@ * Returns: * ********************************************************************/ -static INLINE uint8_t SmbWct(const SmbCommon *hdr) +static inline uint8_t SmbWct(const SmbCommon *hdr) { return hdr->smb_wct; } @@ -1777,7 +1777,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbBcc(const uint8_t *ptr, uint16_t com_size) +static inline uint16_t SmbBcc(const uint8_t *ptr, uint16_t com_size) { /* com_size must be at least the size of the command encasing */ if (com_size < sizeof(SmbEmptyCom)) 
@@ -1796,7 +1796,7 @@ * Returns: * ********************************************************************/ -static INLINE uint8_t SmbAndXCom2(const SmbAndXCommon *andx) +static inline uint8_t SmbAndXCom2(const SmbAndXCommon *andx) { return andx->smb_com2; } @@ -1811,7 +1811,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbAndXOff2(const SmbAndXCommon *andx) +static inline uint16_t SmbAndXOff2(const SmbAndXCommon *andx) { return SmbNtohs(&andx->smb_off2); } @@ -1826,7 +1826,7 @@ * Returns: * ********************************************************************/ -static INLINE uint8_t SmbEmptyComWct(const SmbEmptyCom *ec) +static inline uint8_t SmbEmptyComWct(const SmbEmptyCom *ec) { return ec->smb_wct; } @@ -1841,7 +1841,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbEmptyComBcc(const SmbEmptyCom *ec) +static inline uint16_t SmbEmptyComBcc(const SmbEmptyCom *ec) { return SmbNtohs(&ec->smb_bcc); } @@ -1856,7 +1856,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbGet16(const uint8_t *ptr) +static inline uint16_t SmbGet16(const uint8_t *ptr) { return SmbNtohs((uint16_t *)ptr); } @@ -1871,7 +1871,7 @@ * Returns: * ********************************************************************/ -static INLINE uint32_t SmbGet32(const uint8_t *ptr) +static inline uint32_t SmbGet32(const uint8_t *ptr) { return SmbNtohl((uint32_t *)ptr); } @@ -1886,7 +1886,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_TreeConAndXReqPassLen(const SmbLm10_TreeConnectAndXReq *tcx) +static inline uint16_t SmbLm10_TreeConAndXReqPassLen(const SmbLm10_TreeConnectAndXReq *tcx) { return SmbNtohs(&tcx->smb_spasslen); } 
@@ -1901,7 +1901,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbCore_OpenRespFid(const SmbCore_OpenResp *open) +static inline uint16_t SmbCore_OpenRespFid(const SmbCore_OpenResp *open) { return SmbNtohs(&open->smb_fid); } @@ -1916,7 +1916,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_OpenAndXRespFid(const SmbLm10_OpenAndXResp *openx) +static inline uint16_t SmbLm10_OpenAndXRespFid(const SmbLm10_OpenAndXResp *openx) { return SmbNtohs(&openx->smb_fid); } @@ -1931,7 +1931,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbNt10_NtCreateAndXRespFid(const SmbNt10_NtCreateAndXResp *ntx) +static inline uint16_t SmbNt10_NtCreateAndXRespFid(const SmbNt10_NtCreateAndXResp *ntx) { return SmbNtohs(&ntx->smb_fid); } @@ -1946,7 +1946,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbCore_CloseReqFid(const SmbCore_CloseReq *close) +static inline uint16_t SmbCore_CloseReqFid(const SmbCore_CloseReq *close) { return SmbNtohs(&close->smb_fid); } @@ -1961,7 +1961,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbCore_WriteReqFid(const SmbCore_WriteReq *write) +static inline uint16_t SmbCore_WriteReqFid(const SmbCore_WriteReq *write) { return SmbNtohs(&write->smb_fid); } @@ -1976,7 +1976,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_WriteAndCloseReqFid(const SmbLm10_WriteAndCloseReq6 *wc) +static inline uint16_t SmbLm10_WriteAndCloseReqFid(const SmbLm10_WriteAndCloseReq6 *wc) { return SmbNtohs(&wc->smb_fid); } 
@@ -1991,7 +1991,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_WriteAndCloseReqCount(const SmbLm10_WriteAndCloseReq6 *wc) +static inline uint16_t SmbLm10_WriteAndCloseReqCount(const SmbLm10_WriteAndCloseReq6 *wc) { return SmbNtohs(&wc->smb_count); } @@ -2006,7 +2006,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_WriteAndXReqFid(const SmbLm10_WriteAndXReq *writex) +static inline uint16_t SmbLm10_WriteAndXReqFid(const SmbLm10_WriteAndXReq *writex) { return SmbNtohs(&writex->smb_fid); } @@ -2021,7 +2021,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_WriteAndXReqDoff(const SmbLm10_WriteAndXReq *writex) +static inline uint16_t SmbLm10_WriteAndXReqDoff(const SmbLm10_WriteAndXReq *writex) { return SmbNtohs(&writex->smb_doff); } @@ -2036,7 +2036,37 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_WriteAndXReqDsize(const SmbLm10_WriteAndXReq *writex) +static inline uint16_t SmbLm10_WriteAndXReqRemaining(const SmbLm10_WriteAndXReq *writex) +{ + return SmbNtohs(&writex->smb_countleft); +} + +/******************************************************************** + * Function: + * + * Purpose: + * + * Arguments: + * + * Returns: + * + ********************************************************************/ +static inline uint32_t SmbLm10_WriteAndXReqOffset(const SmbLm10_WriteAndXReq *writex) +{ + return SmbNtohl(&writex->smb_offset); +} + +/******************************************************************** + * Function: + * + * Purpose: + * + * Arguments: + * + * Returns: + * + ********************************************************************/ +static inline uint16_t SmbLm10_WriteAndXReqDsize(const SmbLm10_WriteAndXReq *writex) { return SmbNtohs(&writex->smb_dsize); } 
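Review bot: SmbLm10_WriteAndXReqRemaining and SmbLm10_WriteAndXReqOffset are added here but not to the "Inline functions prototypes" list in the hunk at old line 1363, which declares the sibling WriteAndXReqFid/Doff/Dsize accessors; add `static inline uint16_t SmbLm10_WriteAndXReqRemaining(const SmbLm10_WriteAndXReq *);` and `static inline uint32_t SmbLm10_WriteAndXReqOffset(const SmbLm10_WriteAndXReq *);` there so that block stays the index it is meant to be. Both new functions also carry empty Function/Purpose/Arguments/Returns headers; a one-liner each, such as `Purpose: Returns smb_countleft of a WriteAndX request, converted via SmbNtohs` and `Purpose: Returns the 32-bit smb_offset of a WriteAndX request, converted via SmbNtohl`, would be enough. The file's existing headers are empty too, but new code is the place to stop adding to that.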
@@ -2051,7 +2081,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_TransactNamedPipeReqFunc(const SmbLm10_TransactNamedPipeReq *trans) +static inline uint16_t SmbLm10_TransactNamedPipeReqFunc(const SmbLm10_TransactNamedPipeReq *trans) { return SmbNtohs(&trans->smb_setup1); } @@ -2067,7 +2097,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_TransactNamedPipeReqFid(const SmbLm10_TransactNamedPipeReq *trans) +static inline uint16_t SmbLm10_TransactNamedPipeReqFid(const SmbLm10_TransactNamedPipeReq *trans) { return SmbNtohs(&trans->smb_setup2); } @@ -2082,7 +2112,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_TransactNamedPipeReqDoff(const SmbLm10_TransactNamedPipeReq *trans) +static inline uint16_t SmbLm10_TransactNamedPipeReqDoff(const SmbLm10_TransactNamedPipeReq *trans) { return SmbNtohs(&trans->smb_dsoff); } @@ -2097,7 +2127,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_TransactNamedPipeReqTotalDcnt(const SmbLm10_TransactNamedPipeReq *trans) +static inline uint16_t SmbLm10_TransactNamedPipeReqTotalDcnt(const SmbLm10_TransactNamedPipeReq *trans) { return SmbNtohs(&trans->smb_tdscnt); } @@ -2112,7 +2142,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_TransactNamedPipeReqDcnt(const SmbLm10_TransactNamedPipeReq *trans) +static inline uint16_t SmbLm10_TransactNamedPipeReqDcnt(const SmbLm10_TransactNamedPipeReq *trans) { return SmbNtohs(&trans->smb_dscnt); } 
@@ -2127,7 +2157,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_TransactSecReqDoff(const SmbLm10_TransactionSecondaryReq *trans) +static inline uint16_t SmbLm10_TransactSecReqDoff(const SmbLm10_TransactionSecondaryReq *trans) { return SmbNtohs(&trans->smb_dsoff); } @@ -2142,7 +2172,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_TransactSecReqTotalDcnt(const SmbLm10_TransactionSecondaryReq *trans) +static inline uint16_t SmbLm10_TransactSecReqTotalDcnt(const SmbLm10_TransactionSecondaryReq *trans) { return SmbNtohs(&trans->smb_tdscnt); } @@ -2157,7 +2187,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_TransactSecReqDcnt(const SmbLm10_TransactionSecondaryReq *trans) +static inline uint16_t SmbLm10_TransactSecReqDcnt(const SmbLm10_TransactionSecondaryReq *trans) { return SmbNtohs(&trans->smb_dscnt); } @@ -2172,7 +2202,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_TransactSecReqTotalDdisp(const SmbLm10_TransactionSecondaryReq *trans) +static inline uint16_t SmbLm10_TransactSecReqTotalDdisp(const SmbLm10_TransactionSecondaryReq *trans) { return SmbNtohs(&trans->smb_dsdisp); } @@ -2187,7 +2217,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_TransactNamedPipeRespDoff(const SmbLm10_TransactNamedPipeResp *trans) +static inline uint16_t SmbLm10_TransactNamedPipeRespDoff(const SmbLm10_TransactNamedPipeResp *trans) { return SmbNtohs(&trans->smb_droff); } 
@@ -2202,7 +2232,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_TransactNamedPipeRespTotalDcnt(const SmbLm10_TransactNamedPipeResp *trans) +static inline uint16_t SmbLm10_TransactNamedPipeRespTotalDcnt(const SmbLm10_TransactNamedPipeResp *trans) { return SmbNtohs(&trans->smb_tdrcnt); } @@ -2217,7 +2247,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_TransactNamedPipeRespDcnt(const SmbLm10_TransactNamedPipeResp *trans) +static inline uint16_t SmbLm10_TransactNamedPipeRespDcnt(const SmbLm10_TransactNamedPipeResp *trans) { return SmbNtohs(&trans->smb_drcnt); } @@ -2232,7 +2262,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_TransactNamedPipeRespTotalDdisp(const SmbLm10_TransactNamedPipeResp *trans) +static inline uint16_t SmbLm10_TransactNamedPipeRespTotalDdisp(const SmbLm10_TransactNamedPipeResp *trans) { return SmbNtohs(&trans->smb_drdisp); } @@ -2247,7 +2277,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_TransRespParamCnt(const SmbLm10_TransactionResp *trans) +static inline uint16_t SmbLm10_TransRespParamCnt(const SmbLm10_TransactionResp *trans) { return SmbNtohs(&trans->smb_prcnt); } @@ -2262,7 +2292,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbCore_ReadReqFid(const SmbCore_ReadReq *read) +static inline uint16_t SmbCore_ReadReqFid(const SmbCore_ReadReq *read) { return SmbNtohs(&read->smb_fid); } @@ -2277,7 +2307,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_ReadAndXReqFid(const SmbLm10_ReadAndXReq *readx) +static inline uint16_t SmbLm10_ReadAndXReqFid(const SmbLm10_ReadAndXReq *readx) { return SmbNtohs(&readx->smb_fid); } 
@@ -2292,7 +2322,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_ReadAndXRespDoff(const SmbLm10_ReadAndXResp *readx) +static inline uint16_t SmbLm10_ReadAndXRespDoff(const SmbLm10_ReadAndXResp *readx) { return SmbNtohs(&readx->smb_doff); } @@ -2307,7 +2337,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_ReadAndXRespDsize(const SmbLm10_ReadAndXResp *readx) +static inline uint16_t SmbLm10_ReadAndXRespDsize(const SmbLm10_ReadAndXResp *readx) { return SmbNtohs(&readx->smb_dsize); } @@ -2322,7 +2352,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_WriteBlockRawReqTotCount(const SmbLm10_WriteBlockRawReq *wbr) +static inline uint16_t SmbLm10_WriteBlockRawReqTotCount(const SmbLm10_WriteBlockRawReq *wbr) { return SmbNtohs(&wbr->smb_tcount); } @@ -2337,7 +2367,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_WriteBlockRawReqFid(const SmbLm10_WriteBlockRawReq *wbr) +static inline uint16_t SmbLm10_WriteBlockRawReqFid(const SmbLm10_WriteBlockRawReq *wbr) { return SmbNtohs(&wbr->smb_fid); } @@ -2352,7 +2382,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_WriteBlockRawReqDoff(const SmbLm10_WriteBlockRawReq *wbr) +static inline uint16_t SmbLm10_WriteBlockRawReqDoff(const SmbLm10_WriteBlockRawReq *wbr) { return SmbNtohs(&wbr->smb_doff); } @@ -2367,7 +2397,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_WriteBlockRawReqDsize(const SmbLm10_WriteBlockRawReq *wbr) +static inline uint16_t SmbLm10_WriteBlockRawReqDsize(const SmbLm10_WriteBlockRawReq *wbr) { return SmbNtohs(&wbr->smb_dsize); } 
@@ -2382,7 +2412,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t SmbLm10_ReadBlockRawReqFid(const SmbLm10_ReadBlockRawReq *rbr) +static inline uint16_t SmbLm10_ReadBlockRawReqFid(const SmbLm10_ReadBlockRawReq *rbr) { return SmbNtohs(&rbr->smb_fid); } diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/Makefile.am snort-2.9.2/src/dynamic-preprocessors/dcerpc2/Makefile.am --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/Makefile.am 2009-05-06 22:28:50.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/Makefile.am 2011-07-13 22:44:51.000000000 +0000 @@ -1,26 +1,23 @@ ## $Id AUTOMAKE_OPTIONS=foreign no-dependencies -INCLUDES = -I../include -I$(srcdir)/includes +INCLUDES = -I../include -I${srcdir}/../libs -I$(srcdir)/includes libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor lib_LTLIBRARIES = libsf_dce2_preproc.la -libsf_dce2_preproc_la_LDFLAGS = -module -BUILT_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sf_ip.c \ -sfrt.c \ -sfrt_dir.c \ -sfPolicyUserData.c - +libsf_dce2_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +if SO_WITH_STATIC_LIB +libsf_dce2_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +else nodist_libsf_dce2_preproc_la_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sf_ip.c \ -sfrt.c \ -sfrt_dir.c \ -sfPolicyUserData.c +../include/sf_dynamic_preproc_lib.c \ +../include/sf_ip.c \ +../include/sfrt.c \ +../include/sfrt_dir.c \ +../include/sfPolicyUserData.c +endif libsf_dce2_preproc_la_SOURCES = \ includes/dcerpc.h \ 
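Review bot: The new INCLUDES line mixes two variable syntaxes, `-I${srcdir}/../libs` next to `-I$(srcdir)/includes`; both expand the same way in make, but the rest of this Makefile.am uses `$(...)`, so write `INCLUDES = -I../include -I$(srcdir)/../libs -I$(srcdir)/includes`. Note also that `-I../include` is build-directory-relative while the other two are srcdir-relative, presumably because ../include is populated in the build tree (the nodist_ sources below point there); a short comment saying so would save the next out-of-tree builder a puzzled minute.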
@@ -58,28 +55,12 @@ dce2_cl.h \ dce2_http.c \ dce2_http.h \ -sf_preproc_info.h +dce2_paf.c \ +dce2_paf.h EXTRA_DIST = \ sf_dce2.dsp -sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c - cp $? $@ - -sf_ip.c: ../include/sf_ip.c - cp $? $@ - -sfrt.c: ../include/sfrt.c - cp $? $@ - -sfrt_dir.c: ../include/sfrt_dir.c - cp $? $@ - -sfPolicyUserData.c: ../include/sfPolicyUserData.c - cp $? $@ - -all-local: +all-local: $(LTLIBRARIES) $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES -clean-local: - rm -f *~ sf_dynamic_preproc_lib.c sf_ip.c sfrt.c sfrt_dir.c sfPolicyUserData.c diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/Makefile.in snort-2.9.2/src/dynamic-preprocessors/dcerpc2/Makefile.in --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/Makefile.in 2009-10-19 21:18:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/Makefile.in 2011-12-07 19:23:19.000000000 +0000 @@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -16,8 +17,9 @@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c 
@@ -42,29 +44,47 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; -am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(libdir)" -libLTLIBRARIES_INSTALL = $(INSTALL) LTLIBRARIES = $(lib_LTLIBRARIES) -libsf_dce2_preproc_la_LIBADD = +@SO_WITH_STATIC_LIB_TRUE@libsf_dce2_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la am_libsf_dce2_preproc_la_OBJECTS = dce2_debug.lo dce2_utils.lo \ dce2_list.lo dce2_memory.lo dce2_stats.lo dce2_event.lo \ dce2_config.lo dce2_roptions.lo spp_dce2.lo snort_dce2.lo \ dce2_smb.lo dce2_tcp.lo dce2_co.lo dce2_udp.lo dce2_cl.lo \ - dce2_http.lo -nodist_libsf_dce2_preproc_la_OBJECTS = sf_dynamic_preproc_lib.lo \ - sf_ip.lo sfrt.lo sfrt_dir.lo sfPolicyUserData.lo + dce2_http.lo dce2_paf.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_dce2_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo sf_ip.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfrt.lo 
sfrt_dir.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo libsf_dce2_preproc_la_OBJECTS = $(am_libsf_dce2_preproc_la_OBJECTS) \ $(nodist_libsf_dce2_preproc_la_OBJECTS) libsf_dce2_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(libsf_dce2_preproc_la_LDFLAGS) $(LDFLAGS) -o $@ -DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = am__depfiles_maybe = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ @@ -91,31 +111,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ -INCLUDES = -I../include -I$(srcdir)/includes +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs -I$(srcdir)/includes INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ @@ -128,12 +148,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -141,20 +167,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -186,6 +219,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ 
@@ -198,24 +232,19 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies lib_LTLIBRARIES = libsf_dce2_preproc.la -libsf_dce2_preproc_la_LDFLAGS = -module -BUILT_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sf_ip.c \ -sfrt.c \ -sfrt_dir.c \ -sfPolicyUserData.c - -nodist_libsf_dce2_preproc_la_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sf_ip.c \ -sfrt.c \ -sfrt_dir.c \ -sfPolicyUserData.c +libsf_dce2_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +@SO_WITH_STATIC_LIB_TRUE@libsf_dce2_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_dce2_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_ip.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfrt.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfrt_dir.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c libsf_dce2_preproc_la_SOURCES = \ includes/dcerpc.h \ @@ -253,13 +282,13 @@ dce2_cl.h \ dce2_http.c \ dce2_http.h \ -sf_preproc_info.h +dce2_paf.c \ +dce2_paf.h EXTRA_DIST = \ sf_dce2.dsp -all: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) all-am +all: all-am .SUFFIXES: .SUFFIXES: .c .lo .o .obj 
@@ -267,14 +296,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/dcerpc2/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/dynamic-preprocessors/dcerpc2/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/dcerpc2/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-preprocessors/dcerpc2/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ 
@@ -292,23 +321,28 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): install-libLTLIBRARIES: $(lib_LTLIBRARIES) @$(NORMAL_INSTALL) test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ if test -f $$p; then \ - f=$(am__strip_dir) \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \ + list2="$$list2 $$p"; \ else :; fi; \ - done + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } uninstall-libLTLIBRARIES: @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p=$(am__strip_dir) \ - echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \ - $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \ + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ done clean-libLTLIBRARIES: 
@@ -337,6 +371,21 @@ .c.lo: $(LTCOMPILE) -c -o $@ $< +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +sf_ip.lo: ../include/sf_ip.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_ip.lo `test -f '../include/sf_ip.c' || echo '$(srcdir)/'`../include/sf_ip.c + +sfrt.lo: ../include/sfrt.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfrt.lo `test -f '../include/sfrt.c' || echo '$(srcdir)/'`../include/sfrt.c + +sfrt_dir.lo: ../include/sfrt_dir.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfrt_dir.lo `test -f '../include/sfrt_dir.c' || echo '$(srcdir)/'`../include/sfrt_dir.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + mostlyclean-libtool: -rm -f *.lo 
@@ -348,45 +397,49 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i 
$(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags @@ -407,26 +460,28 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am -check: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) check-am +check: check-am all-am: Makefile $(LTLIBRARIES) all-local installdirs: for dir in "$(DESTDIR)$(libdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done -install: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) install-am +install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am @@ -446,14 +501,14 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." - -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) clean: clean-am -clean-am: clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ mostlyclean-am distclean: distclean-am @@ -467,6 +522,8 @@ html: html-am +html-am: + info: info-am info-am: 
@@ -475,18 +532,28 @@ install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-libLTLIBRARIES install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am @@ -511,8 +578,8 @@ .MAKE: install-am install-strip .PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ - clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ - ctags distclean distclean-compile distclean-generic \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ @@ -525,26 +592,9 @@ tags uninstall uninstall-am uninstall-libLTLIBRARIES -sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c - cp $? $@ - -sf_ip.c: ../include/sf_ip.c - cp $? $@ - -sfrt.c: ../include/sfrt.c - cp $? $@ - -sfrt_dir.c: ../include/sfrt_dir.c - cp $? $@ - -sfPolicyUserData.c: ../include/sfPolicyUserData.c - cp $? $@ - -all-local: +all-local: $(LTLIBRARIES) $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES -clean-local: - rm -f *~ sf_dynamic_preproc_lib.c sf_ip.c sfrt.c sfrt_dir.c sfPolicyUserData.c # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/sf_dce2.dsp snort-2.9.2/src/dynamic-preprocessors/dcerpc2/sf_dce2.dsp --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/sf_dce2.dsp 2009-05-06 22:28:54.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/sf_dce2.dsp 2011-11-21 20:15:24.000000000 +0000 
@@ -38,25 +38,25 @@ # PROP BASE Output_Dir "Release" # PROP BASE Intermediate_Dir "Release" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "Release" # PROP Intermediate_Dir "Release" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /c -# ADD CPP /nologo /MT /W3 /GX /O2 /I ".\includes" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /D "NDEBUG" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "SF_SNORT_PREPROC_DLL" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /FR /YX /FD /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I ".\includes" /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FR /FD /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib 
/nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 !ELSEIF "$(CFG)" == "sf_dce2 - Win32 Debug" 
@@ -65,25 +65,25 @@ # PROP BASE Output_Dir "Debug" # PROP BASE Intermediate_Dir "Debug" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "Debug" # PROP Intermediate_Dir "Debug" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I ".\includes" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /FR /YX /FD /GZ /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I ".\includes" /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FR /FD /GZ /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib 
advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept !ELSEIF "$(CFG)" == "sf_dce2 - Win32 IPv6 Debug" @@ -93,7 +93,7 @@ # PROP BASE Intermediate_Dir "sf_dce2___Win32_IPv6_Debug" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "IPv6_Debug" # PROP Intermediate_Dir "IPv6_Debug" 
@@ -101,18 +101,18 @@ # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /FR /YX /FD /GZ /c # SUBTRACT BASE CPP /X -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I ".\includes" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /FR /YX /FD /GZ /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I ".\includes" /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FR /FD /GZ /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll 
/debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept !ELSEIF "$(CFG)" == "sf_dce2 - Win32 IPv6 Release" @@ -122,7 +122,7 @@ # PROP BASE Intermediate_Dir "sf_dce2___Win32_IPv6_Release" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "IPv6_Release" # PROP Intermediate_Dir "IPv6_Release" 
@@ -130,18 +130,18 @@ # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_SMTP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /FR /YX /FD /c # SUBTRACT BASE CPP /X -# ADD CPP /nologo /MT /W3 /GX /O2 /I ".\includes" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /D "NDEBUG" /D "SUP_IP6" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "SF_SNORT_PREPROC_DLL" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /FR /YX /FD /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I ".\includes" /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FR /FD /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll 
/machine:I386 !ENDIF @@ -188,6 +188,10 @@ # End Source File # Begin Source File +SOURCE=.\dce2_paf.c +# End Source File +# Begin Source File + SOURCE=.\dce2_roptions.c # End Source File # Begin Source File @@ -224,11 +228,11 @@ # End Source File # Begin Source File -SOURCE=..\include\sfPolicyUserData.c +SOURCE=..\include\sf_ip.c # End Source File # Begin Source File -SOURCE=..\include\sf_ip.c +SOURCE=..\include\sfPolicyUserData.c # End Source File # Begin Source File @@ -288,6 +292,10 @@ # End Source File # Begin Source File +SOURCE=.\dce2_paf.h +# End Source File +# Begin Source File + SOURCE=.\dce2_roptions.h # End Source File # Begin Source File diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/sf_preproc_info.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/sf_preproc_info.h --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/sf_preproc_info.h 2009-08-10 20:41:47.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/sf_preproc_info.h 1970-01-01 00:00:00.000000000 +0000 
@@ -1,42 +0,0 @@ -/**************************************************************************** - * Copyright (C) 2006-2009 Sourcefire, Inc. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License Version 2 as - * published by the Free Software Foundation. You may not use, modify or - * distribute this program under any other version of the GNU General - * Public License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - * - **************************************************************************** - * Description: - * - * Standard dynamic preprocessor include file. - * - ****************************************************************************/ - -#ifndef SF_PREPROC_INFO_H -#define SF_PREPROC_INFO_H - -#define MAJOR_VERSION 1 -#define MINOR_VERSION 0 -#define BUILD_VERSION 2 -#ifdef SUP_IP6 -#define PREPROC_NAME "SF_DCERPC2 (IPV6)" -#else -#define PREPROC_NAME "SF_DCERPC2" -#endif - -#define DYNAMIC_PREPROC_SETUP DCE2_RegisterPreprocessor -extern void DCE2_RegisterPreprocessor(void); - -#endif /* SF_PREPROC_INFO_H */ - diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/snort_dce2.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/snort_dce2.c --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/snort_dce2.c 2009-12-15 23:27:53.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/snort_dce2.c 2011-10-26 18:28:52.000000000 +0000 
@@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -17,9 +17,15 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * **************************************************************************** - * + * ****************************************************************************/ +#include +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "snort_dce2.h" #include "dce2_config.h" #include "dce2_utils.h" 
@@ -39,43 +45,23 @@
 #include "sfrt.h"
 #include "profiler.h"
 #include "sfPolicy.h"
-#include
 /********************************************************************
  * Global variables
  ********************************************************************/
-SFSnortPacket *dce2_smb_seg_rpkt = NULL;
-SFSnortPacket *dce2_smb_trans_rpkt = NULL;
-SFSnortPacket *dce2_smb_co_cli_seg_rpkt = NULL;
-SFSnortPacket *dce2_smb_co_srv_seg_rpkt = NULL;
-SFSnortPacket *dce2_smb_co_cli_frag_rpkt = NULL;
-SFSnortPacket *dce2_smb_co_srv_frag_rpkt = NULL;
-SFSnortPacket *dce2_tcp_co_seg_rpkt = NULL;
-SFSnortPacket *dce2_tcp_co_cli_frag_rpkt = NULL;
-SFSnortPacket *dce2_tcp_co_srv_frag_rpkt = NULL;
-SFSnortPacket *dce2_udp_cl_frag_rpkt = NULL;
-#ifdef SUP_IP6
-SFSnortPacket *dce2_smb_seg_rpkt6 = NULL;
-SFSnortPacket *dce2_smb_trans_rpkt6 = NULL;
-SFSnortPacket *dce2_smb_co_cli_seg_rpkt6 = NULL;
-SFSnortPacket *dce2_smb_co_srv_seg_rpkt6 = NULL;
-SFSnortPacket *dce2_smb_co_cli_frag_rpkt6 = NULL;
-SFSnortPacket *dce2_smb_co_srv_frag_rpkt6 = NULL;
-SFSnortPacket *dce2_tcp_co_seg_rpkt6 = NULL;
-SFSnortPacket *dce2_tcp_co_cli_frag_rpkt6 = NULL;
-SFSnortPacket *dce2_tcp_co_srv_frag_rpkt6 = NULL;
-SFSnortPacket *dce2_udp_cl_frag_rpkt6 = NULL;
-#endif
 DCE2_CStack *dce2_pkt_stack = NULL;
 DCE2_ProtoIds dce2_proto_ids;
+static SFSnortPacket* dce2_rpkt[DCE2_RPKT_TYPE__MAX] = {
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
+};
+
 static int dce2_detected = 0;
 /********************************************************************
  * Extern variables
  ********************************************************************/
-extern DynamicPreprocessorData _dpd;
 extern DCE2_MemState dce2_mem_state;
 extern DCE2_Stats dce2_stats;
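Review bot: The initializer for `dce2_rpkt` spells out eight `NULL`s while the array is sized by `DCE2_RPKT_TYPE__MAX`; if that enum later grows the two silently diverge (a shrink would at least fail to compile). Static storage is zero-initialized anyway, so `static SFSnortPacket *dce2_rpkt[DCE2_RPKT_TYPE__MAX];` or `= { NULL };` says the same thing without the hidden count. The array also carries no comment on what indexes it; if these are the per-type reassembly packets that the removed globals used to be (the `_rpkt` names suggest so, but nothing here shows it), a line such as `/* One rebuilt packet per DCE2_RpktType, indexed by that enum; confirm allocation site */` would help the next reader. Dropping `extern DynamicPreprocessorData _dpd;` is presumably covered by a header, since the later hunks still use `_dpd`; worth a quick check that it is not now an implicit declaration in some build.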
@@ -105,15 +91,6 @@ static DCE2_Ret DCE2_SetSsnState(DCE2_SsnData *, SFSnortPacket *); static void DCE2_SetNoInspect(DCE2_SsnData *); -static void DCE2_InitTcpRpkt(SFSnortPacket *); -static void DCE2_InitUdpRpkt(SFSnortPacket *); -static void DCE2_InitCommonRpkt(SFSnortPacket *); -#ifdef SUP_IP6 -static void DCE2_InitTcp6Rpkt(SFSnortPacket *p); -static void DCE2_InitUdp6Rpkt(SFSnortPacket *p); -static void DCE2_InitCommonRpkt6(SFSnortPacket *); -#endif -static SFSnortPacket * DCE2_AllocPkt(void); static void DCE2_SsnFree(void *); /********************************************************************* @@ -163,7 +140,7 @@ case DCE2_TRANS_TYPE__NONE: DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Not configured to look at this traffic " - "or unable to autodetect - not inspecting.\n")); + "or unable to autodetect - not inspecting.\n")); return NULL; default: @@ -216,12 +193,34 @@ if (!DCE2_SsnIsRebuilt(p)) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Got non-rebuilt packet - flushing.\n")); - DCE2_SsnFlush(p); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Got non-rebuilt packet.\n")); if (DCE2_SsnIsStreamInsert(p)) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Stream inserted - not inspecting.\n")); +#if 0 +#ifdef ENABLE_PAF + if (!_dpd.isPafEnabled()) +#endif + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Flushing opposite direction.\n")); + //DCE2_SsnFlush(p); // No need to flush since this is first data packet? + } +#endif + +#ifdef ENABLE_PAF + if (!_dpd.isPafEnabled() || !PacketHasFullPDU(p)) +#endif + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Stream inserted - not inspecting.\n")); + return NULL; + } + } + else if ((DCE2_SsnFromClient(p) && (rs_dir == SSN_DIR_SERVER)) + || (DCE2_SsnFromServer(p) && (rs_dir == SSN_DIR_CLIENT)) + || (rs_dir == SSN_DIR_BOTH)) + { + /* Reassembly was already set for this session, but stream + * decided not to use the packet so it's probably not good */ return NULL; } } 
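Review bot: The `#if 0` block added inside the `DCE2_SsnIsStreamInsert(p)` branch of the `@@ -216,12 +193,34 @@` hunk is dead code: it preserves a commented-out `DCE2_SsnFlush(p)` plus a question ("No need to flush since this is first data packet?") instead of a decision, while the same hunk removes the flush the old code always did. Either delete the block and record the reasoning in one line, e.g. `/* No flush: first data packet of the session, nothing is buffered in the other direction yet. */`, or keep the flush as the `@@ -278,15 +277,26 @@` hunk below does for the established-session path; having the two paths disagree without a comment invites the next person to "fix" one of them. The `#ifdef ENABLE_PAF` wrapped around a bare `if (...)` line whose `{ ... }` body sits outside the guard (twice in this hunk, twice more in that later hunk) is legal but brittle, because the condition and its body are read under different preprocessor states. A small predicate that folds the `#ifdef` in one place would let all sites read as a plain `if`; the enclosing function starts before this hunk.
```c
/* Decide whether a non-rebuilt, stream-inserted packet should be skipped.
 * With PAF compiled out there is never a full PDU to inspect, so skip. */
static int DCE2_SkipStreamInsert(SFSnortPacket *p)
{
#ifdef ENABLE_PAF
    return !_dpd.isPafEnabled() || !PacketHasFullPDU(p);
#else
    (void)p;
    return 1;
#endif
}

/* … unchanged: session lookup … */
        if (DCE2_SsnIsStreamInsert(p))
        {
            if (DCE2_SkipStreamInsert(p))
            {
                DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Stream inserted - not inspecting.\n"));
                return NULL;
            }
        }
/* … unchanged: rs_dir checks … */
```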
@@ -278,15 +277,26 @@ } else if (IsTCP(p) && !DCE2_SsnIsRebuilt(p)) { - - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Got non-rebuilt packet - flushing opposite direction.\n")); - DCE2_SsnFlush(p); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Got non-rebuilt packet\n")); if (DCE2_SsnIsStreamInsert(p)) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Stream inserted - not inspecting.\n")); - PREPROC_PROFILE_END(dce2_pstat_session); - return DCE2_RET__NOT_INSPECTED; +#ifdef ENABLE_PAF + if (!_dpd.isPafEnabled()) +#endif + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Flushing opposite direction.\n")); + DCE2_SsnFlush(p); + } + +#ifdef ENABLE_PAF + if (!_dpd.isPafEnabled() || !PacketHasFullPDU(p)) +#endif + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Stream inserted - not inspecting.\n")); + PREPROC_PROFILE_END(dce2_pstat_session); + return DCE2_RET__NOT_INSPECTED; + } } else { @@ -331,7 +341,7 @@ return DCE2_RET__NOT_INSPECTED; } - p->flags |= FLAG_DCE_PKT; + p->flags |= FLAG_ALLOW_MULTIPLE_DETECT; dce2_detected = 0; PREPROC_PROFILE_END(dce2_pstat_session); @@ -363,10 +373,14 @@ if (!dce2_detected) DCE2_Detect(sd); + DCE2_ResetRopts(&sd->ropts); DCE2_PopPkt(); if (dce2_mem_state == DCE2_MEM_STATE__MEMCAP) + { DCE2_SetNoInspect(sd); + dce2_mem_state = DCE2_MEM_STATE__OKAY; + } if (DCE2_SsnAutodetected(sd)) return DCE2_RET__NOT_INSPECTED; @@ -439,6 +453,9 @@ if (DCE2_SsnFromClient(p) && !DCE2_SsnSeenClient(sd)) { +#if 0 + // This code should be obsoleted by the junk data check in dce2_smb.c + /* Check to make sure we can continue processing */ if (DCE2_ConfirmTransport(sd, p) != DCE2_RET__SUCCESS) { @@ -454,6 +471,7 @@ return DCE2_RET__NOT_INSPECTED; } +#endif DCE2_SsnSetSeenClient(sd); @@ -465,6 +483,9 @@ } else if (DCE2_SsnFromServer(p) && !DCE2_SsnSeenServer(sd)) { +#if 0 + // This code should be obsoleted by the junk data check in dce2_smb.c + /* Check to make sure we can continue processing */ if (DCE2_ConfirmTransport(sd, p) != DCE2_RET__SUCCESS) { 
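Review bot: Disabling the `DCE2_ConfirmTransport()` gate on the first client and first server packet (the `#if 0 … #endif` that spans the `@@ -439`/`@@ -454` hunks and starts again at `@@ -465`) with a comment saying it "should be obsoleted by the junk data check in dce2_smb.c" leaves the non-SMB transports without an equivalent check, unless the TCP and UDP DCE/RPC paths carry one that is not visible here. The same function is still called from the missed-packets path later in this diff, so it has not been retired. If the SMB junk-data check really replaces this gate everywhere, delete the dead block rather than `#if 0` it; if it only covers SMB, keep the call for the other transport types. The enclosing function begins before the `@@ -439` hunk.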
@@ -480,6 +501,7 @@ return DCE2_RET__NOT_INSPECTED; } +#endif DCE2_SsnSetSeenServer(sd); @@ -505,6 +527,8 @@ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Client last => seq: %u, next seq: %u\n", sd->cli_seq, sd->cli_nseq)); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "This packet => seq: %u, next seq: %u\n", + pkt_seq, pkt_seq + p->payload_size)); } else { @@ -515,6 +539,8 @@ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Server last => seq: %u, next seq: %u\n", sd->srv_seq, sd->srv_nseq)); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "This packet => seq: %u, next seq: %u\n", + pkt_seq, pkt_seq + p->payload_size)); } *overlap_bytes = 0; @@ -535,26 +561,29 @@ * reassembly on both sides and not looking at non-reassembled packets * Actually this can happen if the stream seg list is empty */ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Overlap => seq: %u, next seq: %u\n", - pkt_seq, pkt_seq + p->payload_size)); + pkt_seq, pkt_seq + p->payload_size)); if (DCE2_SsnMissedPkts(sd)) DCE2_SsnClearMissedPkts(sd); /* Do what we can and take the difference and only inspect what we * haven't already inspected */ - if ((pkt_seq + p->payload_size) > *ssn_nseq) + if ((pkt_seq + p->payload_size) > *ssn_nseq + || (pkt_seq + p->payload_size < pkt_seq)) { *overlap_bytes = (uint16_t)(*ssn_nseq - pkt_seq); dce2_stats.overlapped_bytes += *overlap_bytes; DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, - "Setting overlap bytes: %u\n", *overlap_bytes)); + "Setting overlap bytes: %u\n", *overlap_bytes)); } else { return DCE2_RET__NOT_INSPECTED; } } + + DCE2_DEBUG_CODE(DCE2_DEBUG__MAIN, DCE2_PrintPktData(p->payload, p->payload_size);); } else if (DCE2_SsnMissedPkts(sd)) { 
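Review bot: The added wrap test `(pkt_seq + p->payload_size < pkt_seq)` fires for every segment whose end crosses 2^32, including one that is entirely covered by `*ssn_nseq` when the session's next-sequence has wrapped as well; in that case `*overlap_bytes = (uint16_t)(*ssn_nseq - pkt_seq)` comes out larger than `p->payload_size` and an already-inspected segment is passed on as new data (assuming `pkt_seq` and `*ssn_nseq` are 32-bit TCP sequence numbers, as the `%u` debug formats suggest). A modular comparison expresses the intended "extends past what we have seen" test in both the wrapped and unwrapped cases: `if ((int32_t)((pkt_seq + p->payload_size) - *ssn_nseq) > 0)`. The enclosing function and the condition of its overlap branch lie outside this hunk, so I cannot confirm whether a later guard clamps `*overlap_bytes` to the payload size.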
@@ -572,14 +601,10 @@ if (DCE2_ConfirmTransport(sd, p) != DCE2_RET__SUCCESS) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Couldn't confirm transport - " - "not inspecting\n")); - - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "This packet => seq: %u, next seq: %u\n" - "Setting current and next to the same thing, since we're " - "not inspecting this packet.\n", sd->cli_seq, sd->cli_nseq)); + "not inspecting\n")); *ssn_seq = pkt_seq; - *ssn_nseq = pkt_seq; + *ssn_nseq = pkt_seq + p->payload_size; return DCE2_RET__NOT_INSPECTED; } @@ -593,9 +618,6 @@ *ssn_seq = pkt_seq; *ssn_nseq = pkt_seq + p->payload_size; - - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "This packet => seq: %u, next seq: %u\n", - *ssn_seq, *ssn_nseq)); } return DCE2_RET__SUCCESS; @@ -620,7 +642,7 @@ * * Returns: * DCE2_TransType - * DCE2_TRANS_TYPE__NONE if a transport could not be + * DCE2_TRANS_TYPE__NONE if a transport could not be * determined or target based labeled the session as * traffic we are not interested in. * DCE2_TRANS_TYPE__SMB if the traffic is determined to be 
@@ -900,399 +922,16 @@ *********************************************************************/ void DCE2_InitRpkts(void) { + int i; dce2_pkt_stack = DCE2_CStackNew(DCE2_PKT_STACK__SIZE, NULL, DCE2_MEM_TYPE__INIT); + if (dce2_pkt_stack == NULL) { DCE2_Die("%s(%d) Failed to allocate memory for packet stack.", __FILE__, __LINE__); } - - dce2_smb_seg_rpkt = DCE2_AllocPkt(); - if (dce2_smb_seg_rpkt == NULL) - { - DCE2_Die("%s(%d) Failed to allocate memory for reassembly packet.", - __FILE__, __LINE__); - } - - DCE2_InitTcpRpkt(dce2_smb_seg_rpkt); - - dce2_smb_trans_rpkt = DCE2_AllocPkt(); - if (dce2_smb_trans_rpkt == NULL) - { - DCE2_Die("%s(%d) Failed to allocate memory for reassembly packet.", - __FILE__, __LINE__); - } - - DCE2_InitTcpRpkt(dce2_smb_trans_rpkt); - DCE2_SmbInitRdata((uint8_t *)dce2_smb_trans_rpkt->payload, FLAG_FROM_CLIENT); - - dce2_smb_co_cli_seg_rpkt = DCE2_AllocPkt(); - if (dce2_smb_co_cli_seg_rpkt == NULL) - { - DCE2_Die("%s(%d) Failed to allocate memory for reassembly packet.", - __FILE__, __LINE__); - } - - DCE2_InitTcpRpkt(dce2_smb_co_cli_seg_rpkt); - DCE2_SmbInitRdata((uint8_t *)dce2_smb_co_cli_seg_rpkt->payload, FLAG_FROM_CLIENT); - - dce2_smb_co_srv_seg_rpkt = DCE2_AllocPkt(); - if (dce2_smb_co_srv_seg_rpkt == NULL) - { - DCE2_Die("%s(%d) Failed to allocate memory for reassembly packet.", - __FILE__, __LINE__); - } - - DCE2_InitTcpRpkt(dce2_smb_co_srv_seg_rpkt); - DCE2_SmbInitRdata((uint8_t *)dce2_smb_co_srv_seg_rpkt->payload, FLAG_FROM_SERVER); - - dce2_smb_co_cli_frag_rpkt = DCE2_AllocPkt(); - if (dce2_smb_co_cli_frag_rpkt == NULL) - { - DCE2_Die("%s(%d) Failed to allocate memory for reassembly packet.", - __FILE__, __LINE__); - } - - DCE2_InitTcpRpkt(dce2_smb_co_cli_frag_rpkt); - DCE2_SmbInitRdata((uint8_t *)dce2_smb_co_cli_frag_rpkt->payload, FLAG_FROM_CLIENT); - DCE2_CoInitRdata((uint8_t *)dce2_smb_co_cli_frag_rpkt->payload + DCE2_MOCK_HDR_LEN__SMB_CLI, - FLAG_FROM_CLIENT); - - dce2_smb_co_srv_frag_rpkt = DCE2_AllocPkt(); - if 
(dce2_smb_co_srv_frag_rpkt == NULL) - { - DCE2_Die("%s(%d) Failed to allocate memory for reassembly packet.", - __FILE__, __LINE__); - } - - DCE2_InitTcpRpkt(dce2_smb_co_srv_frag_rpkt); - DCE2_SmbInitRdata((uint8_t *)dce2_smb_co_srv_frag_rpkt->payload, FLAG_FROM_SERVER); - DCE2_CoInitRdata((uint8_t *)dce2_smb_co_srv_frag_rpkt->payload + DCE2_MOCK_HDR_LEN__SMB_SRV, - FLAG_FROM_SERVER); - - dce2_tcp_co_seg_rpkt = DCE2_AllocPkt(); - if (dce2_tcp_co_seg_rpkt == NULL) - { - DCE2_Die("%s(%d) Failed to allocate memory for reassembly packet.", - __FILE__, __LINE__); - } - - DCE2_InitTcpRpkt(dce2_tcp_co_seg_rpkt); - - dce2_tcp_co_cli_frag_rpkt = DCE2_AllocPkt(); - if (dce2_tcp_co_cli_frag_rpkt == NULL) - { - DCE2_Die("%s(%d) Failed to allocate memory for reassembly packet.", - __FILE__, __LINE__); - } - - DCE2_InitTcpRpkt(dce2_tcp_co_cli_frag_rpkt); - DCE2_CoInitRdata((uint8_t *)dce2_tcp_co_cli_frag_rpkt->payload, FLAG_FROM_CLIENT); - - dce2_tcp_co_srv_frag_rpkt = DCE2_AllocPkt(); - if (dce2_tcp_co_srv_frag_rpkt == NULL) - { - DCE2_Die("%s(%d) Failed to allocate memory for reassembly packet.", - __FILE__, __LINE__); - } - - DCE2_InitTcpRpkt(dce2_tcp_co_srv_frag_rpkt); - DCE2_CoInitRdata((uint8_t *)dce2_tcp_co_srv_frag_rpkt->payload, FLAG_FROM_SERVER); - - dce2_udp_cl_frag_rpkt = DCE2_AllocPkt(); - if (dce2_udp_cl_frag_rpkt == NULL) - { - DCE2_Die("%s(%d) Failed to allocate memory for reassembly packet.", - __FILE__, __LINE__); - } - - DCE2_InitUdpRpkt(dce2_udp_cl_frag_rpkt); - DCE2_ClInitRdata((uint8_t *)dce2_udp_cl_frag_rpkt->payload); - -#ifdef SUP_IP6 - dce2_smb_seg_rpkt6 = DCE2_AllocPkt(); - if (dce2_smb_seg_rpkt6 == NULL) - { - DCE2_Die("%s(%d) Failed to allocate memory for reassembly packet.", - __FILE__, __LINE__); - } - - DCE2_InitTcp6Rpkt(dce2_smb_seg_rpkt6); - - dce2_smb_trans_rpkt6 = DCE2_AllocPkt(); - if (dce2_smb_trans_rpkt6 == NULL) - { - DCE2_Die("%s(%d) Failed to allocate memory for reassembly packet.", - __FILE__, __LINE__); - } - - 
DCE2_InitTcp6Rpkt(dce2_smb_trans_rpkt6); - DCE2_SmbInitRdata((uint8_t *)dce2_smb_trans_rpkt6->payload, FLAG_FROM_CLIENT); - - dce2_smb_co_cli_seg_rpkt6 = DCE2_AllocPkt(); - if (dce2_smb_co_cli_seg_rpkt6 == NULL) - { - DCE2_Die("%s(%d) Failed to allocate memory for reassembly packet.", - __FILE__, __LINE__); - } - - DCE2_InitTcp6Rpkt(dce2_smb_co_cli_seg_rpkt6); - DCE2_SmbInitRdata((uint8_t *)dce2_smb_co_cli_seg_rpkt6->payload, FLAG_FROM_CLIENT); - - dce2_smb_co_srv_seg_rpkt6 = DCE2_AllocPkt(); - if (dce2_smb_co_srv_seg_rpkt6 == NULL) - { - DCE2_Die("%s(%d) Failed to allocate memory for reassembly packet.", - __FILE__, __LINE__); - } - - DCE2_InitTcp6Rpkt(dce2_smb_co_srv_seg_rpkt6); - DCE2_SmbInitRdata((uint8_t *)dce2_smb_co_srv_seg_rpkt6->payload, FLAG_FROM_SERVER); - - dce2_smb_co_cli_frag_rpkt6 = DCE2_AllocPkt(); - if (dce2_smb_co_cli_frag_rpkt6 == NULL) - { - DCE2_Die("%s(%d) Failed to allocate memory for reassembly packet.", - __FILE__, __LINE__); - } - - DCE2_InitTcp6Rpkt(dce2_smb_co_cli_frag_rpkt6); - DCE2_SmbInitRdata((uint8_t *)dce2_smb_co_cli_frag_rpkt6->payload, FLAG_FROM_CLIENT); - DCE2_CoInitRdata((uint8_t *)dce2_smb_co_cli_frag_rpkt6->payload + DCE2_MOCK_HDR_LEN__SMB_CLI, - FLAG_FROM_CLIENT); - - dce2_smb_co_srv_frag_rpkt6 = DCE2_AllocPkt(); - if (dce2_smb_co_srv_frag_rpkt6 == NULL) - { - DCE2_Die("%s(%d) Failed to allocate memory for reassembly packet.", - __FILE__, __LINE__); - } - - DCE2_InitTcp6Rpkt(dce2_smb_co_srv_frag_rpkt6); - DCE2_SmbInitRdata((uint8_t *)dce2_smb_co_srv_frag_rpkt6->payload, FLAG_FROM_SERVER); - DCE2_CoInitRdata((uint8_t *)dce2_smb_co_srv_frag_rpkt6->payload + DCE2_MOCK_HDR_LEN__SMB_SRV, - FLAG_FROM_SERVER); - - dce2_tcp_co_seg_rpkt6 = DCE2_AllocPkt(); - if (dce2_tcp_co_seg_rpkt6 == NULL) - { - DCE2_Die("%s(%d) Failed to allocate memory for reassembly packet.", - __FILE__, __LINE__); - } - - DCE2_InitTcp6Rpkt(dce2_tcp_co_seg_rpkt6); - - dce2_tcp_co_cli_frag_rpkt6 = DCE2_AllocPkt(); - if (dce2_tcp_co_cli_frag_rpkt6 == NULL) - { - 
DCE2_Die("%s(%d) Failed to allocate memory for reassembly packet.", - __FILE__, __LINE__); - } - - DCE2_InitTcp6Rpkt(dce2_tcp_co_cli_frag_rpkt6); - DCE2_CoInitRdata((uint8_t *)dce2_tcp_co_cli_frag_rpkt6->payload, FLAG_FROM_CLIENT); - - dce2_tcp_co_srv_frag_rpkt6 = DCE2_AllocPkt(); - if (dce2_tcp_co_srv_frag_rpkt6 == NULL) - { - DCE2_Die("%s(%d) Failed to allocate memory for reassembly packet.", - __FILE__, __LINE__); - } - - DCE2_InitTcp6Rpkt(dce2_tcp_co_srv_frag_rpkt6); - DCE2_CoInitRdata((uint8_t *)dce2_tcp_co_srv_frag_rpkt6->payload, FLAG_FROM_SERVER); - - dce2_udp_cl_frag_rpkt6 = DCE2_AllocPkt(); - if (dce2_udp_cl_frag_rpkt6 == NULL) - { - DCE2_Die("%s(%d) Failed to allocate memory for reassembly packet.", - __FILE__, __LINE__); - } - - DCE2_InitUdp6Rpkt(dce2_udp_cl_frag_rpkt6); - DCE2_ClInitRdata((uint8_t *)dce2_udp_cl_frag_rpkt6->payload); -#endif -} - -/********************************************************************* - * Function: DCE2_InitTcpRpkt() - * - * Purpose: Allocate and initialize reassembly packet for TCP. - * - * Arguments: None - * - * Returns: None - * - *********************************************************************/ -static void DCE2_InitTcpRpkt(SFSnortPacket *p) -{ - DCE2_InitCommonRpkt(p); - - ((IPV4Header *)p->ip4_header)->proto = IPPROTO_TCP; - p->tcp_header = (TCPHeader *)((uint8_t *)p->ip4_header + IP_HDR_LEN); - SET_TCP_HDR_OFFSET((TCPHeader *)p->tcp_header, 0x5); - ((TCPHeader *)p->tcp_header)->flags = TCPHEADER_PUSH | TCPHEADER_ACK; - p->payload = (uint8_t *)p->tcp_header + TCP_HDR_LEN; - -#ifdef SUP_IP6 - _dpd.ip6Build((void *)p, p->ip4_header, AF_INET); -#endif -} - -/********************************************************************* - * Function: DCE2_InitUdpRpkt() - * - * Purpose: Allocate and initialize reassembly packet for UDP. 
- * - * Arguments: None - * - * Returns: None - * - *********************************************************************/ -void DCE2_InitUdpRpkt(SFSnortPacket *p) -{ - DCE2_InitCommonRpkt(p); - - ((IPV4Header *)p->ip4_header)->proto = IPPROTO_UDP; - p->udp_header = (UDPHeader *)((uint8_t *)p->ip4_header + IP_HDR_LEN); - p->payload = (uint8_t *)p->udp_header + UDP_HDR_LEN; - -#ifdef SUP_IP6 - _dpd.ip6Build((void *)p, p->ip4_header, AF_INET); -#endif -} - -/********************************************************************* - * Function: DCE2_InitCommonRpkt() - * - * Purpose: Initializes fields common to both UDP and TCP. - * - * Arguments: - * SFSnortPacket * - the packet to initialize - * - * Returns: None - * - *********************************************************************/ -static void DCE2_InitCommonRpkt(SFSnortPacket *p) -{ - p->pkt_data = ((uint8_t *)p->pcap_header) + sizeof(struct pcap_pkthdr); - - p->vlan_tag_header = (void *)((uint8_t *)p->pkt_data + SUN_SPARC_TWIDDLE); - p->ether_header = (void *)((uint8_t *)p->vlan_tag_header + VLAN_HDR_LEN); - - ((EtherHeader *)p->ether_header)->ethernet_type = htons(0x0800); - - p->ip4_header = (IPV4Header *)((uint8_t *)p->ether_header + ETHER_HDR_LEN); - SET_IP4_VER((IPV4Header *)p->ip4_header, 0x4); - SET_IP4_HLEN((IPV4Header *)p->ip4_header, 0x5); - ((IPV4Header *)p->ip4_header)->time_to_live = 0xF0; - ((IPV4Header *)p->ip4_header)->type_service = 0x10; -} - -#ifdef SUP_IP6 -/********************************************************************* - * Function: DCE2_InitTcp6Rpkt() - * - * Purpose: Allocate and initialize reassembly packet for IPv6 TCP. 
- * - * Arguments: None - * - * Returns: None - * - *********************************************************************/ -static void DCE2_InitTcp6Rpkt(SFSnortPacket *p) -{ - DCE2_InitCommonRpkt6(p); - - p->inner_ip6h.next = ((IPV4Header *)p->ip4_header)->proto = IPPROTO_TCP; - p->tcp_header = (TCPHeader *)((uint8_t *)p->ip4_header + IP6_HEADER_LEN); - SET_TCP_HDR_OFFSET((TCPHeader *)p->tcp_header, 0x5); - ((TCPHeader *)p->tcp_header)->flags = TCPHEADER_PUSH | TCPHEADER_ACK; - - p->payload = (uint8_t *)p->tcp_header + TCP_HDR_LEN; -} - -/********************************************************************* - * Function: DCE2_InitUdp6Rpkt() - * - * Purpose: Allocate and initialize reassembly packet for IPv6 UDP. - * - * Arguments: None - * - * Returns: None - * - *********************************************************************/ -static void DCE2_InitUdp6Rpkt(SFSnortPacket *p) -{ - DCE2_InitCommonRpkt6(p); - - p->inner_ip6h.next = ((IPV4Header *)p->ip4_header)->proto = IPPROTO_UDP; - p->udp_header = (UDPHeader *)((uint8_t *)p->ip4_header + IP6_HEADER_LEN); - p->payload = (uint8_t *)p->udp_header + UDP_HDR_LEN; -} - -/********************************************************************* - * Function: DCE2_InitCommonRpkt6() - * - * Purpose: Initializes fields common to both IPv6 UDP and TCP. 
- * - * Arguments: - * SFSnortPacket * - the packet to initialize - * - * Returns: None - * - *********************************************************************/ -static void DCE2_InitCommonRpkt6(SFSnortPacket *p) -{ - p->pkt_data = ((uint8_t *)p->pcap_header) + sizeof(struct pcap_pkthdr); - - p->vlan_tag_header = - (void *)((uint8_t *)p->pkt_data + SUN_SPARC_TWIDDLE); - p->ether_header = - (void *)((uint8_t *)p->vlan_tag_header + VLAN_HDR_LEN); - - ((EtherHeader *)p->ether_header)->ethernet_type = htons(0x0800); - - p->ip4_header = (IPV4Header *)((uint8_t *)p->ether_header + ETHER_HDR_LEN); - SET_IP4_VER((IPV4Header *)p->ip4_header, 0x4); - SET_IP4_HLEN((IPV4Header *)p->ip4_header, 0x5); - ((IPV4Header *)p->ip4_header)->type_service = 0x10; - p->inner_ip6h.hop_lmt = ((IPV4Header *)p->ip4_header)->time_to_live = 0xF0; - p->inner_ip6h.len = IP6_HEADER_LEN >> 2; - - _dpd.ip6SetCallbacks((void *)p, AF_INET6, SET_CALLBACK_IP); - p->ip6h = &p->inner_ip6h; - p->ip4h = &p->inner_ip4h; -} -#endif - -/********************************************************************* - * Function: DCE2_AllocPkt() - * - * Purpose: Allocates a packet struct. - * - * Arguments: None - * - * Returns: - * SFSnortPacket * - the packet to allocated - * - *********************************************************************/ -static SFSnortPacket * DCE2_AllocPkt(void) -{ - SFSnortPacket *p = (SFSnortPacket *)DCE2_Alloc(sizeof(SFSnortPacket), DCE2_MEM_TYPE__INIT); - - if (p == NULL) - return NULL; - - p->pcap_header = (struct pcap_pkthdr *)DCE2_Alloc(DCE2_PKTH_SIZE, DCE2_MEM_TYPE__INIT); - - if (p->pcap_header == NULL) - { - DCE2_Free((void *)p, sizeof(SFSnortPacket), DCE2_MEM_TYPE__INIT); - return NULL; - } - - return p; + for ( i = 0; i < DCE2_RPKT_TYPE__MAX; i++ ) + dce2_rpkt[i] = _dpd.encodeNew(); } /********************************************************************* 
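Review bot: `DCE2_InitRpkts()` no longer checks what it stores: `dce2_rpkt[i] = _dpd.encodeNew();` replaces ten `DCE2_AllocPkt()` calls that each died on NULL, and `DCE2_GetRpkt()` later in this diff dereferences `dce2_rpkt[rpkt_type]` (`rpkt->payload`, `rpkt->max_payload`) without a NULL test. Unless `encodeNew` is guaranteed never to return NULL (not visible here), keep the fail-fast behaviour the old code had: `if ((dce2_rpkt[i] = _dpd.encodeNew()) == NULL) DCE2_Die("%s(%d) Failed to allocate memory for reassembly packet.", __FILE__, __LINE__);`. A one-line comment above the loop noting that these packets are owned by the encoder (the old `DCE2_Free` pairs are gone from `DCE2_FreeGlobals`) would also help the next reader.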
@@ -1303,164 +942,105 @@ * Arguments: * SFSnortPacket * - pointer to packet off wire * const uint8_t * - pointer to data to attach to reassembly packet - * uint16_t - length of data + * uint16_t - length of data * * Returns: * SFSnortPacket * - pointer to reassembly packet * *********************************************************************/ + SFSnortPacket * DCE2_GetRpkt(const SFSnortPacket *wire_pkt, DCE2_RpktType rpkt_type, const uint8_t *data, uint32_t data_len) { - SFSnortPacket *rpkt; - uint16_t caplen, ip_len, payload_len; DCE2_Ret status; + SFSnortPacket *rpkt; + uint16_t payload_len = 0; uint16_t data_overhead = 0; - int rpkt_flag; - int vlanHeaderLen = 0; + + rpkt = dce2_rpkt[rpkt_type]; switch (rpkt_type) { case DCE2_RPKT_TYPE__SMB_SEG: -#ifdef SUP_IP6 - if (IS_IP4(wire_pkt)) - rpkt = dce2_smb_seg_rpkt; - else - rpkt = dce2_smb_seg_rpkt6; -#else - rpkt = dce2_smb_seg_rpkt; -#endif - rpkt_flag = FLAG_SMB_SEG; + _dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_SMB_SEG); break; case DCE2_RPKT_TYPE__SMB_TRANS: -#ifdef SUP_IP6 - if (IS_IP4(wire_pkt)) - rpkt = dce2_smb_trans_rpkt; - else - rpkt = dce2_smb_trans_rpkt6; -#else - rpkt = dce2_smb_trans_rpkt; -#endif + // TBD these memset()s could be encapsulated by the various + // init functions which should also return the data_overhead. + // Better still pass in rpkt and let the init function update + // payload, etc. Also, some memsets could probably be avoided + // by explicitly setting the unitialized header fields. 
+ _dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_SMB_TRANS); data_overhead = DCE2_MOCK_HDR_LEN__SMB_CLI; - - rpkt_flag = FLAG_SMB_TRANS; + memset((void*)rpkt->payload, 0, data_overhead); + DCE2_SmbInitRdata((uint8_t *)rpkt->payload, FLAG_FROM_CLIENT); break; case DCE2_RPKT_TYPE__SMB_CO_SEG: -#ifdef SUP_IP6 - if (IS_IP4(wire_pkt)) + _dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_DCE_SEG); + + if (DCE2_SsnFromClient(wire_pkt)) { - if (DCE2_SsnFromClient(wire_pkt)) - rpkt = dce2_smb_co_cli_seg_rpkt; - else - rpkt = dce2_smb_co_srv_seg_rpkt; + data_overhead = DCE2_MOCK_HDR_LEN__SMB_CLI; + memset((void*)rpkt->payload, 0, data_overhead); + DCE2_SmbInitRdata((uint8_t *)rpkt->payload, FLAG_FROM_CLIENT); } else { - if (DCE2_SsnFromClient(wire_pkt)) - rpkt = dce2_smb_co_cli_seg_rpkt6; - else - rpkt = dce2_smb_co_srv_seg_rpkt6; - } -#else - if (DCE2_SsnFromClient(wire_pkt)) - rpkt = dce2_smb_co_cli_seg_rpkt; - else - rpkt = dce2_smb_co_srv_seg_rpkt; -#endif - if (DCE2_SsnFromClient(wire_pkt)) - data_overhead = DCE2_MOCK_HDR_LEN__SMB_CLI; - else data_overhead = DCE2_MOCK_HDR_LEN__SMB_SRV; - - rpkt_flag = FLAG_DCE_SEG; + memset((void*)rpkt->payload, 0, data_overhead); + DCE2_SmbInitRdata((uint8_t *)rpkt->payload, FLAG_FROM_SERVER); + } break; case DCE2_RPKT_TYPE__SMB_CO_FRAG: -#ifdef SUP_IP6 - if (IS_IP4(wire_pkt)) + _dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_DCE_FRAG); + + if (DCE2_SsnFromClient(wire_pkt)) { - if (DCE2_SsnFromClient(wire_pkt)) - rpkt = dce2_smb_co_cli_frag_rpkt; - else - rpkt = dce2_smb_co_srv_frag_rpkt; + data_overhead = DCE2_MOCK_HDR_LEN__SMB_CLI + DCE2_MOCK_HDR_LEN__CO_CLI; + memset((void*)rpkt->payload, 0, data_overhead); + DCE2_SmbInitRdata((uint8_t *)rpkt->payload, FLAG_FROM_CLIENT); + DCE2_CoInitRdata((uint8_t *)rpkt->payload + + DCE2_MOCK_HDR_LEN__SMB_CLI, FLAG_FROM_CLIENT); } else { - if (DCE2_SsnFromClient(wire_pkt)) - rpkt = dce2_smb_co_cli_frag_rpkt6; - else - rpkt = dce2_smb_co_srv_frag_rpkt6; - } -#else - if 
(DCE2_SsnFromClient(wire_pkt)) - rpkt = dce2_smb_co_cli_frag_rpkt; - else - rpkt = dce2_smb_co_srv_frag_rpkt; -#endif - if (DCE2_SsnFromClient(wire_pkt)) - data_overhead = DCE2_MOCK_HDR_LEN__SMB_CLI + DCE2_MOCK_HDR_LEN__CO_CLI; - else data_overhead = DCE2_MOCK_HDR_LEN__SMB_SRV + DCE2_MOCK_HDR_LEN__CO_SRV; - - rpkt_flag = FLAG_DCE_FRAG; + memset((void*)rpkt->payload, 0, data_overhead); + DCE2_SmbInitRdata((uint8_t *)rpkt->payload, FLAG_FROM_SERVER); + DCE2_CoInitRdata((uint8_t *)rpkt->payload + + DCE2_MOCK_HDR_LEN__SMB_SRV, FLAG_FROM_SERVER); + } break; case DCE2_RPKT_TYPE__TCP_CO_SEG: -#ifdef SUP_IP6 - if (IS_IP4(wire_pkt)) - rpkt = dce2_tcp_co_seg_rpkt; - else - rpkt = dce2_tcp_co_seg_rpkt6; -#else - rpkt = dce2_tcp_co_seg_rpkt; -#endif - rpkt_flag = FLAG_DCE_SEG; + _dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_DCE_SEG); break; case DCE2_RPKT_TYPE__TCP_CO_FRAG: -#ifdef SUP_IP6 - if (IS_IP4(wire_pkt)) + _dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_DCE_FRAG); + + if (DCE2_SsnFromClient(wire_pkt)) { - if (DCE2_SsnFromClient(wire_pkt)) - rpkt = dce2_tcp_co_cli_frag_rpkt; - else - rpkt = dce2_tcp_co_srv_frag_rpkt; + data_overhead = DCE2_MOCK_HDR_LEN__CO_CLI; + memset((void*)rpkt->payload, 0, data_overhead); + DCE2_CoInitRdata((uint8_t *)rpkt->payload, FLAG_FROM_CLIENT); } else { - if (DCE2_SsnFromClient(wire_pkt)) - rpkt = dce2_tcp_co_cli_frag_rpkt6; - else - rpkt = dce2_tcp_co_srv_frag_rpkt6; - } -#else - if (DCE2_SsnFromClient(wire_pkt)) - rpkt = dce2_tcp_co_cli_frag_rpkt; - else - rpkt = dce2_tcp_co_srv_frag_rpkt; -#endif - if (DCE2_SsnFromClient(wire_pkt)) - data_overhead = DCE2_MOCK_HDR_LEN__CO_CLI; - else data_overhead = DCE2_MOCK_HDR_LEN__CO_SRV; - - rpkt_flag = FLAG_DCE_FRAG; + memset((void*)rpkt->payload, 0, data_overhead); + DCE2_CoInitRdata((uint8_t *)rpkt->payload, FLAG_FROM_SERVER); + } break; case DCE2_RPKT_TYPE__UDP_CL_FRAG: -#ifdef SUP_IP6 - if (IS_IP4(wire_pkt)) - rpkt = dce2_udp_cl_frag_rpkt; - else - rpkt = 
dce2_udp_cl_frag_rpkt6; -#else - rpkt = dce2_udp_cl_frag_rpkt; -#endif + _dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_DCE_FRAG); data_overhead = DCE2_MOCK_HDR_LEN__CL; - - rpkt_flag = FLAG_DCE_FRAG; + memset((void*)rpkt->payload, 0, data_overhead); + DCE2_ClInitRdata((uint8_t *)rpkt->payload); break; default: 
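Review bot: `rpkt = dce2_rpkt[rpkt_type];` at the top of `DCE2_GetRpkt()` indexes the array before the `switch` validates `rpkt_type`, so the `default:` case that logs and returns NULL (context at the start of the next hunk) only runs after an out-of-range read has already happened. Move the lookup below the switch, or guard it: `if (rpkt_type >= DCE2_RPKT_TYPE__MAX) return NULL;` before the assignment, and check `rpkt != NULL` there as well, since every case immediately hands it to `_dpd.encodeFormat()` and `memset()`s `rpkt->payload`. The `TBD` comment about folding the repeated `memset()`/`*InitRdata()` pairs into the init functions is a fair description of the duplication across the SMB and TCP cases. The rest of this function is in the following two hunks.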
@@ -1470,163 +1050,15 @@ return NULL; } -#ifdef SUP_IP6 - if (IS_IP4(wire_pkt)) - { - if (wire_pkt->tcp_header != NULL) - { - caplen = ETHER_HDR_LEN + IP_HDR_LEN + TCP_HDR_LEN; - ip_len = (uint16_t)(IP_HDR_LEN + TCP_HDR_LEN); - payload_len = IP_MAXPKT - (IP_HDR_LEN + TCP_HDR_LEN); - } - else if (wire_pkt->udp_header != NULL) - { - caplen = ETHER_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN; - ip_len = (uint16_t)(IP_HDR_LEN + UDP_HDR_LEN); - payload_len = IP_MAXPKT - (IP_HDR_LEN + UDP_HDR_LEN); - } - else - { - DCE2_Log(DCE2_LOG_TYPE__ERROR, - "%s(%d) Not a TCP or UDP packet.", - __FILE__, __LINE__); - return NULL; - } - } - else - { - if (wire_pkt->tcp_header != NULL) - { - caplen = ETHER_HDR_LEN + IP6_HDR_LEN + TCP_HDR_LEN; - ip_len = (uint16_t)(IP6_HDR_LEN + TCP_HDR_LEN); - payload_len = IP_MAXPKT - (IP6_HDR_LEN + TCP_HDR_LEN); - } - else if (wire_pkt->udp_header != NULL) - { - caplen = ETHER_HDR_LEN + IP6_HDR_LEN + UDP_HDR_LEN; - ip_len = (uint16_t)(IP6_HDR_LEN + UDP_HDR_LEN); - payload_len = IP_MAXPKT - (IP6_HDR_LEN + UDP_HDR_LEN); - } - else - { - DCE2_Log(DCE2_LOG_TYPE__ERROR, - "%s(%d) Not a TCP or UDP packet.", - __FILE__, __LINE__); - return NULL; - } - } -#else - if (wire_pkt->tcp_header != NULL) - { - caplen = ETHER_HDR_LEN + IP_HDR_LEN + TCP_HDR_LEN; - ip_len = (uint16_t)(IP_HDR_LEN + TCP_HDR_LEN); - payload_len = IP_MAXPKT - (IP_HDR_LEN + TCP_HDR_LEN); - } - else if (wire_pkt->udp_header != NULL) - { - caplen = ETHER_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN; - ip_len = (uint16_t)(IP_HDR_LEN + UDP_HDR_LEN); - payload_len = IP_MAXPKT - (IP_HDR_LEN + UDP_HDR_LEN); - } - else - { - DCE2_Log(DCE2_LOG_TYPE__ERROR, - "%s(%d) Not a TCP or UDP packet.", - __FILE__, __LINE__); - return NULL; - } -#endif - -#ifdef SUP_IP6 - if (wire_pkt->family == AF_INET) - { - IP_COPY_VALUE(rpkt->inner_ip4h.ip_src, (&wire_pkt->ip4h->ip_src)); - IP_COPY_VALUE(rpkt->inner_ip4h.ip_dst, (&wire_pkt->ip4h->ip_dst)); - - ((IPV4Header *)rpkt->ip4_header)->source.s_addr = 
wire_pkt->ip4h->ip_src.ip32[0]; - ((IPV4Header *)rpkt->ip4_header)->destination.s_addr = wire_pkt->ip4h->ip_dst.ip32[0]; - } - else - { - IP_COPY_VALUE(rpkt->inner_ip6h.ip_src, (&wire_pkt->ip6h->ip_src)); - IP_COPY_VALUE(rpkt->inner_ip6h.ip_dst, (&wire_pkt->ip6h->ip_dst)); - } - - rpkt->family = wire_pkt->family; - -#else - ((IPV4Header *)rpkt->ip4_header)->source.s_addr = wire_pkt->ip4_header->source.s_addr; - ((IPV4Header *)rpkt->ip4_header)->destination.s_addr = wire_pkt->ip4_header->destination.s_addr; -#endif - - if (wire_pkt->tcp_header != NULL) - { - ((TCPHeader *)rpkt->tcp_header)->source_port = wire_pkt->tcp_header->source_port; - ((TCPHeader *)rpkt->tcp_header)->destination_port = wire_pkt->tcp_header->destination_port; - } - else - { - ((UDPHeader *)rpkt->udp_header)->source_port = wire_pkt->udp_header->source_port; - ((UDPHeader *)rpkt->udp_header)->destination_port = wire_pkt->udp_header->destination_port; - } - - rpkt->src_port = wire_pkt->src_port; - rpkt->dst_port = wire_pkt->dst_port; - rpkt->proto_bits = wire_pkt->proto_bits; - - if (wire_pkt->ether_header != NULL) - { - status = DCE2_Memcpy((void *)((EtherHeader *)rpkt->ether_header)->ether_source, - (void *)wire_pkt->ether_header->ether_source, - (size_t)6, - (void *)rpkt->ether_header->ether_source, - (void *)((uint8_t *)rpkt->ether_header->ether_source + 6)); - - if (status != DCE2_RET__SUCCESS) - { - DCE2_Log(DCE2_LOG_TYPE__ERROR, - "%s(%d) Failed to copy ether source into reassembly packet.", - __FILE__, __LINE__); - return NULL; - } - - status = DCE2_Memcpy((void *)((EtherHeader *)rpkt->ether_header)->ether_destination, - (void *)wire_pkt->ether_header->ether_destination, - (size_t)6, - (void *)rpkt->ether_header->ether_destination, - (void *)((uint8_t *)rpkt->ether_header->ether_destination + 6)); - - if (status != DCE2_RET__SUCCESS) - { - DCE2_Log(DCE2_LOG_TYPE__ERROR, - "%s(%d) Failed to copy ether dest into reassembly packet.", - __FILE__, __LINE__); - return NULL; - } - - ((EtherHeader 
*)rpkt->ether_header)->ethernet_type = ((EtherHeader *)wire_pkt->ether_header)->ethernet_type; - - if (((EtherHeader *)wire_pkt->ether_header)->ethernet_type == htons(ETHERNET_TYPE_8021Q)) - { - status = SafeMemcpy((void *)rpkt->vlan_tag_header, - (void *)wire_pkt->vlan_tag_header, - (size_t)VLAN_HDR_LEN, - (void *)rpkt->vlan_tag_header, - (void *)((uint8_t *)rpkt->vlan_tag_header + VLAN_HDR_LEN)); - - if (status != SAFEMEM_SUCCESS) - return NULL; - - vlanHeaderLen = VLAN_HDR_LEN; - } - } + payload_len = rpkt->max_payload; if ((data_len + data_overhead) > payload_len) data_len = payload_len - data_overhead; - status = DCE2_Memcpy((void *)(rpkt->payload + data_overhead), (void *)data, (size_t)data_len, - (void *)rpkt->payload, - (void *)((uint8_t *)rpkt->payload + payload_len)); + status = DCE2_Memcpy( + (void *)(rpkt->payload + data_overhead), + (void *)data, (size_t)data_len, (void *)rpkt->payload, + (void *)((uint8_t *)rpkt->payload + payload_len)); if (status != DCE2_RET__SUCCESS) { 
@@ -1637,31 +1069,25 @@ } rpkt->payload_size = (uint16_t)(data_overhead + data_len); + _dpd.encodeUpdate(rpkt); - if (IsUDP(((SFSnortPacket *)wire_pkt))) - ((UDPHeader *)rpkt->udp_header)->data_length = ntohs((uint16_t)(rpkt->payload_size + UDP_HDR_LEN)); - - ((struct pcap_pkthdr *)rpkt->pcap_header)->caplen = caplen + rpkt->payload_size + vlanHeaderLen; - ((struct pcap_pkthdr *)rpkt->pcap_header)->len = rpkt->pcap_header->caplen; - ((struct pcap_pkthdr *)rpkt->pcap_header)->ts.tv_sec = wire_pkt->pcap_header->ts.tv_sec; - ((struct pcap_pkthdr *)rpkt->pcap_header)->ts.tv_usec = wire_pkt->pcap_header->ts.tv_usec; - - ip_len += rpkt->payload_size; #ifdef SUP_IP6 if (wire_pkt->family == AF_INET) - rpkt->ip4h->ip_len = ((IPV4Header *)rpkt->ip4_header)->data_length = htons(ip_len); + { + rpkt->ip4h->ip_len = rpkt->ip4_header->data_length; + } else - rpkt->ip6h->len = htons(ip_len); -#else - ((IPV4Header *)rpkt->ip4_header)->data_length = htons(ip_len); + { + IP6RawHdr* ip6h = (IP6RawHdr*)rpkt->raw_ip6_header; + if ( ip6h ) rpkt->ip6h->len = ip6h->payload_len; + } #endif - rpkt->flags = FLAG_STREAM_EST; + rpkt->flags |= (FLAG_STREAM_EST | FLAG_ALLOW_MULTIPLE_DETECT); if (DCE2_SsnFromClient(wire_pkt)) rpkt->flags |= FLAG_FROM_CLIENT; else rpkt->flags |= FLAG_FROM_SERVER; - rpkt->flags |= (rpkt_flag | FLAG_DCE_PKT); rpkt->stream_session_ptr = wire_pkt->stream_session_ptr; return rpkt; @@ -1683,7 +1109,6 @@ int hdr_overhead = 0; const uint8_t *pkt_data_end; const uint8_t *payload_end; - uint16_t ip_len; DCE2_Ret status; if ((rpkt == NULL) || (data == NULL) || (data_len == 0)) @@ -1700,7 +1125,6 @@ hdr_overhead = DCE2_MOCK_HDR_LEN__SMB_CLI; else hdr_overhead = DCE2_MOCK_HDR_LEN__SMB_SRV; - break; case DCE2_RPKT_TYPE__SMB_CO_FRAG: @@ -1708,7 +1132,6 @@ hdr_overhead = DCE2_MOCK_HDR_LEN__SMB_CLI + DCE2_MOCK_HDR_LEN__CO_CLI; else hdr_overhead = DCE2_MOCK_HDR_LEN__SMB_SRV + DCE2_MOCK_HDR_LEN__CO_SRV; - break; case DCE2_RPKT_TYPE__TCP_CO_FRAG: 
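Review bot: `rpkt->flags |= (FLAG_STREAM_EST | FLAG_ALLOW_MULTIPLE_DETECT)` followed by `rpkt->flags |= FLAG_FROM_CLIENT` / `FLAG_FROM_SERVER` replaces a plain assignment on a packet that is reused for every call (`dce2_rpkt[rpkt_type]`), so the direction bit from the previous use survives and a reassembled packet can end up marked both from-client and from-server, unless `_dpd.encodeFormat()` clears `rpkt->flags` on each call (not visible here). Clear the direction bits before setting them, `rpkt->flags &= ~(FLAG_FROM_CLIENT | FLAG_FROM_SERVER);`, or keep the old assignment form if no flag set by the encoder needs to be preserved. `DCE2_GetRpkt()` starts two hunks earlier.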
@@ -1716,7 +1139,6 @@ hdr_overhead = DCE2_MOCK_HDR_LEN__CO_CLI; else hdr_overhead = DCE2_MOCK_HDR_LEN__CO_SRV; - break; case DCE2_RPKT_TYPE__UDP_CL_FRAG: @@ -1730,7 +1152,7 @@ if (rpkt->payload_size < hdr_overhead) return DCE2_RET__ERROR; - pkt_data_end = rpkt->pkt_data + DCE2_PKT_SIZE; + pkt_data_end = rpkt->pkt_data + rpkt->max_payload; payload_end = rpkt->payload + rpkt->payload_size; if ((payload_end + data_len) > pkt_data_end) @@ -1748,29 +1170,24 @@ } rpkt->payload_size += (uint16_t)data_len; - - if (IsUDP(rpkt)) - ((UDPHeader *)rpkt->udp_header)->data_length = ntohs((uint16_t)(rpkt->payload_size + UDP_HDR_LEN)); - - ((struct pcap_pkthdr *)rpkt->pcap_header)->caplen += data_len; - ((struct pcap_pkthdr *)rpkt->pcap_header)->len = rpkt->pcap_header->caplen; + // there is room for optimization here since the update was done + // earlier - that my be eliminated, but only in this case one + // approach is to move the updates to push pkt - but don't want + // to update non-dce2 pseudo pkts; perhaps a flag check there + // will suffice. + _dpd.encodeUpdate(rpkt); #ifdef SUP_IP6 if (rpkt->family == AF_INET) { - ip_len = (uint16_t)(ntohs(rpkt->ip4h->ip_len) + data_len); - rpkt->ip4h->ip_len = ((IPV4Header *)rpkt->ip4_header)->data_length = htons(ip_len); + rpkt->ip4h->ip_len = rpkt->ip4_header->data_length; } else { - ip_len = (uint16_t)(ntohs(rpkt->ip6h->len) + data_len); - rpkt->ip6h->len = htons(ip_len); + IP6RawHdr* ip6h = (IP6RawHdr*)rpkt->raw_ip6_header; + if ( ip6h ) rpkt->ip6h->len = ip6h->payload_len; } -#else - ip_len = (uint16_t)(ntohs(rpkt->ip4_header->data_length) + data_len); - ((IPV4Header *)rpkt->ip4_header)->data_length = htons(ip_len); #endif - return DCE2_RET__SUCCESS; } @@ -1794,8 +1211,10 @@ PREPROC_PROFILE_START(dce2_pstat_log); + _dpd.pushAlerts(); _dpd.logAlerts((void *)top_pkt); _dpd.resetAlerts(); + _dpd.popAlerts(); PREPROC_PROFILE_END(dce2_pstat_log); } 
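Review bot: `pkt_data_end = rpkt->pkt_data + rpkt->max_payload;` measures `max_payload` from the start of the packet data, while `DCE2_GetRpkt()` earlier in this diff bounds the same buffer as `rpkt->payload + rpkt->max_payload`; the two cannot both be right. If `max_payload` is payload-relative, as its name and the `DCE2_GetRpkt` use suggest, this line under-estimates the room by the header length and rejects appends that would fit; if it is buffer-relative, `DCE2_GetRpkt` over-estimates and the end pointer it gives `DCE2_Memcpy` lies past the buffer. Use one convention in both places, e.g. `pkt_data_end = rpkt->payload + rpkt->max_payload;`, and compare lengths instead of forming a pointer past the end: `if (data_len > (size_t)(pkt_data_end - payload_end))`. The enclosing function starts outside this hunk.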
@@ -1832,8 +1251,10 @@ return; } + _dpd.pushAlerts(); _dpd.logAlerts((void *)pop_pkt); _dpd.resetAlerts(); + _dpd.popAlerts(); PREPROC_PROFILE_END(dce2_pstat_log); } @@ -1869,7 +1290,9 @@ PREPROC_PROFILE_START(dce2_pstat_detect); + _dpd.pushAlerts(); _dpd.detect(top_pkt); + _dpd.popAlerts(); PREPROC_PROFILE_END(dce2_pstat_detect); @@ -1888,24 +1311,24 @@ * Returns: * *********************************************************************/ +// TBD this function could be called on the actual rpkt +// to very easily get the exact available payload space and +// then truncate the data as needed. That avoids the calculations +// here which inevitably include tacit assumptions about the +// rpkt which may not be true (nor future proof). uint16_t DCE2_GetRpktMaxData(DCE2_SsnData *sd, DCE2_RpktType rtype) { const SFSnortPacket *p = sd->wire_pkt; uint16_t overhead; -#ifndef SUP_IP6 - overhead = IP_HDR_LEN; -#else - if (IS_IP4(p)) - overhead = IP_HDR_LEN; - else - overhead = IP6_HDR_LEN; -#endif + uint8_t* base, *last; + int n = p->next_layer_index - 1; + if ( n < 2 ) return 0; - if (IsTCP(((SFSnortPacket *)p))) - overhead += TCP_HDR_LEN; - else - overhead += UDP_HDR_LEN; + base = p->proto_layers[1].proto_start; + last = p->proto_layers[n].proto_start + p->proto_layers[n].proto_length; + + overhead = last - base; switch (rtype) { @@ -1918,7 +1341,6 @@ overhead += DCE2_MOCK_HDR_LEN__SMB_CLI; else overhead += DCE2_MOCK_HDR_LEN__SMB_SRV; - break; case DCE2_RPKT_TYPE__SMB_CO_FRAG: @@ -1926,7 +1348,6 @@ overhead += DCE2_MOCK_HDR_LEN__SMB_CLI + DCE2_MOCK_HDR_LEN__CO_CLI; else overhead += DCE2_MOCK_HDR_LEN__SMB_SRV + DCE2_MOCK_HDR_LEN__CO_SRV; - break; case DCE2_RPKT_TYPE__TCP_CO_SEG: @@ -1937,7 +1358,6 @@ overhead += DCE2_MOCK_HDR_LEN__CO_CLI; else overhead += DCE2_MOCK_HDR_LEN__CO_SRV; - break; case DCE2_RPKT_TYPE__UDP_CL_FRAG: @@ -1950,7 +1370,6 @@ __FILE__, __LINE__, rtype); return 0; } - return (IP_MAXPKT - overhead); } 
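Review bot: The new header-length computation in `DCE2_GetRpktMaxData()` bakes in a layer layout — link layer at `proto_layers[0]`, network at `[1]`, transport at `[n]` — that the code never states: `if ( n < 2 ) return 0;` means a wire packet with only two decoded layers (a capture without a link-layer header, if that is how `proto_layers` is populated) gets no reassembly space at all, and any VLAN or tunnel layer between link and IP is counted as overhead. `overhead = last - base;` also narrows a `ptrdiff_t` into a `uint16_t` silently, and the function's `return (IP_MAXPKT - overhead)` wraps if `overhead` ever exceeds `IP_MAXPKT`. At minimum document the assumption next to the guard, e.g. `/* layers: [0] link, [1] network .. [n] transport; overhead = network..transport headers */`, and make the narrowing explicit with a range check; the `TBD` comment's suggestion of measuring the real `rpkt` instead would remove the assumption altogether. The rest of the function is in the following hunks.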
@@ -1960,159 +1379,28 @@ * Purpose: * * Arguments: - * + * * Returns: * - ******************************************************************/ + ******************************************************************/ void DCE2_FreeGlobals(void) { + int i; + if (dce2_pkt_stack != NULL) { DCE2_CStackDestroy(dce2_pkt_stack); dce2_pkt_stack = NULL; } - if (dce2_smb_seg_rpkt != NULL) + for ( i = 0; i < DCE2_RPKT_TYPE__MAX; i++ ) { - DCE2_Free((void *)dce2_smb_seg_rpkt->pcap_header, DCE2_PKTH_SIZE, DCE2_MEM_TYPE__INIT); - DCE2_Free((void *)dce2_smb_seg_rpkt, sizeof(SFSnortPacket), DCE2_MEM_TYPE__INIT); - dce2_smb_seg_rpkt = NULL; - } - - if (dce2_smb_trans_rpkt != NULL) - { - DCE2_Free((void *)dce2_smb_trans_rpkt->pcap_header, DCE2_PKTH_SIZE, DCE2_MEM_TYPE__INIT); - DCE2_Free((void *)dce2_smb_trans_rpkt, sizeof(SFSnortPacket), DCE2_MEM_TYPE__INIT); - dce2_smb_trans_rpkt = NULL; - } - - if (dce2_smb_co_cli_seg_rpkt != NULL) - { - DCE2_Free((void *)dce2_smb_co_cli_seg_rpkt->pcap_header, DCE2_PKTH_SIZE, DCE2_MEM_TYPE__INIT); - DCE2_Free((void *)dce2_smb_co_cli_seg_rpkt, sizeof(SFSnortPacket), DCE2_MEM_TYPE__INIT); - dce2_smb_co_cli_seg_rpkt = NULL; - } - - if (dce2_smb_co_srv_seg_rpkt != NULL) - { - DCE2_Free((void *)dce2_smb_co_srv_seg_rpkt->pcap_header, DCE2_PKTH_SIZE, DCE2_MEM_TYPE__INIT); - DCE2_Free((void *)dce2_smb_co_srv_seg_rpkt, sizeof(SFSnortPacket), DCE2_MEM_TYPE__INIT); - dce2_smb_co_srv_seg_rpkt = NULL; - } - - if (dce2_smb_co_cli_frag_rpkt != NULL) - { - DCE2_Free((void *)dce2_smb_co_cli_frag_rpkt->pcap_header, DCE2_PKTH_SIZE, DCE2_MEM_TYPE__INIT); - DCE2_Free((void *)dce2_smb_co_cli_frag_rpkt, sizeof(SFSnortPacket), DCE2_MEM_TYPE__INIT); - dce2_smb_co_cli_frag_rpkt = NULL; - } - - if (dce2_smb_co_srv_frag_rpkt != NULL) - { - DCE2_Free((void *)dce2_smb_co_srv_frag_rpkt->pcap_header, DCE2_PKTH_SIZE, DCE2_MEM_TYPE__INIT); - DCE2_Free((void *)dce2_smb_co_srv_frag_rpkt, sizeof(SFSnortPacket), DCE2_MEM_TYPE__INIT); - dce2_smb_co_srv_frag_rpkt = NULL; - } - - if 
(dce2_tcp_co_seg_rpkt != NULL) - { - DCE2_Free((void *)dce2_tcp_co_seg_rpkt->pcap_header, DCE2_PKTH_SIZE, DCE2_MEM_TYPE__INIT); - DCE2_Free((void *)dce2_tcp_co_seg_rpkt, sizeof(SFSnortPacket), DCE2_MEM_TYPE__INIT); - dce2_tcp_co_seg_rpkt = NULL; - } - - if (dce2_tcp_co_cli_frag_rpkt != NULL) - { - DCE2_Free((void *)dce2_tcp_co_cli_frag_rpkt->pcap_header, DCE2_PKTH_SIZE, DCE2_MEM_TYPE__INIT); - DCE2_Free((void *)dce2_tcp_co_cli_frag_rpkt, sizeof(SFSnortPacket), DCE2_MEM_TYPE__INIT); - dce2_tcp_co_cli_frag_rpkt = NULL; - } - - if (dce2_tcp_co_srv_frag_rpkt != NULL) - { - DCE2_Free((void *)dce2_tcp_co_srv_frag_rpkt->pcap_header, DCE2_PKTH_SIZE, DCE2_MEM_TYPE__INIT); - DCE2_Free((void *)dce2_tcp_co_srv_frag_rpkt, sizeof(SFSnortPacket), DCE2_MEM_TYPE__INIT); - dce2_tcp_co_srv_frag_rpkt = NULL; - } - - if (dce2_udp_cl_frag_rpkt != NULL) - { - DCE2_Free((void *)dce2_udp_cl_frag_rpkt->pcap_header, DCE2_PKTH_SIZE, DCE2_MEM_TYPE__INIT); - DCE2_Free((void *)dce2_udp_cl_frag_rpkt, sizeof(SFSnortPacket), DCE2_MEM_TYPE__INIT); - dce2_udp_cl_frag_rpkt = NULL; - } - -#ifdef SUP_IP6 - if (dce2_smb_seg_rpkt6 != NULL) - { - DCE2_Free((void *)dce2_smb_seg_rpkt6->pcap_header, DCE2_PKTH_SIZE, DCE2_MEM_TYPE__INIT); - DCE2_Free((void *)dce2_smb_seg_rpkt6, sizeof(SFSnortPacket), DCE2_MEM_TYPE__INIT); - dce2_smb_seg_rpkt6 = NULL; - } - - if (dce2_smb_trans_rpkt6 != NULL) - { - DCE2_Free((void *)dce2_smb_trans_rpkt6->pcap_header, DCE2_PKTH_SIZE, DCE2_MEM_TYPE__INIT); - DCE2_Free((void *)dce2_smb_trans_rpkt6, sizeof(SFSnortPacket), DCE2_MEM_TYPE__INIT); - dce2_smb_trans_rpkt6 = NULL; - } - - if (dce2_smb_co_cli_seg_rpkt6 != NULL) - { - DCE2_Free((void *)dce2_smb_co_cli_seg_rpkt6->pcap_header, DCE2_PKTH_SIZE, DCE2_MEM_TYPE__INIT); - DCE2_Free((void *)dce2_smb_co_cli_seg_rpkt6, sizeof(SFSnortPacket), DCE2_MEM_TYPE__INIT); - dce2_smb_co_cli_seg_rpkt6 = NULL; - } - - if (dce2_smb_co_srv_seg_rpkt6 != NULL) - { - DCE2_Free((void *)dce2_smb_co_srv_seg_rpkt6->pcap_header, DCE2_PKTH_SIZE, 
DCE2_MEM_TYPE__INIT); - DCE2_Free((void *)dce2_smb_co_srv_seg_rpkt6, sizeof(SFSnortPacket), DCE2_MEM_TYPE__INIT); - dce2_smb_co_srv_seg_rpkt6 = NULL; - } - - if (dce2_smb_co_cli_frag_rpkt6 != NULL) - { - DCE2_Free((void *)dce2_smb_co_cli_frag_rpkt6->pcap_header, DCE2_PKTH_SIZE, DCE2_MEM_TYPE__INIT); - DCE2_Free((void *)dce2_smb_co_cli_frag_rpkt6, sizeof(SFSnortPacket), DCE2_MEM_TYPE__INIT); - dce2_smb_co_cli_frag_rpkt6 = NULL; - } - - if (dce2_smb_co_srv_frag_rpkt6 != NULL) - { - DCE2_Free((void *)dce2_smb_co_srv_frag_rpkt6->pcap_header, DCE2_PKTH_SIZE, DCE2_MEM_TYPE__INIT); - DCE2_Free((void *)dce2_smb_co_srv_frag_rpkt6, sizeof(SFSnortPacket), DCE2_MEM_TYPE__INIT); - dce2_smb_co_srv_frag_rpkt6 = NULL; - } - - if (dce2_tcp_co_seg_rpkt6 != NULL) - { - DCE2_Free((void *)dce2_tcp_co_seg_rpkt6->pcap_header, DCE2_PKTH_SIZE, DCE2_MEM_TYPE__INIT); - DCE2_Free((void *)dce2_tcp_co_seg_rpkt6, sizeof(SFSnortPacket), DCE2_MEM_TYPE__INIT); - dce2_tcp_co_seg_rpkt6 = NULL; - } - - if (dce2_tcp_co_cli_frag_rpkt6 != NULL) - { - DCE2_Free((void *)dce2_tcp_co_cli_frag_rpkt6->pcap_header, DCE2_PKTH_SIZE, DCE2_MEM_TYPE__INIT); - DCE2_Free((void *)dce2_tcp_co_cli_frag_rpkt6, sizeof(SFSnortPacket), DCE2_MEM_TYPE__INIT); - dce2_tcp_co_cli_frag_rpkt6 = NULL; - } - - if (dce2_tcp_co_srv_frag_rpkt6 != NULL) - { - DCE2_Free((void *)dce2_tcp_co_srv_frag_rpkt6->pcap_header, DCE2_PKTH_SIZE, DCE2_MEM_TYPE__INIT); - DCE2_Free((void *)dce2_tcp_co_srv_frag_rpkt6, sizeof(SFSnortPacket), DCE2_MEM_TYPE__INIT); - dce2_tcp_co_srv_frag_rpkt6 = NULL; - } - - if (dce2_udp_cl_frag_rpkt6 != NULL) - { - DCE2_Free((void *)dce2_udp_cl_frag_rpkt6->pcap_header, DCE2_PKTH_SIZE, DCE2_MEM_TYPE__INIT); - DCE2_Free((void *)dce2_udp_cl_frag_rpkt6, sizeof(SFSnortPacket), DCE2_MEM_TYPE__INIT); - dce2_udp_cl_frag_rpkt6 = NULL; + if ( dce2_rpkt[i] != NULL ) + { + _dpd.encodeDelete(dce2_rpkt[i]); + dce2_rpkt[i] = NULL; + } } -#endif DCE2_EventsFree(); } diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/snort_dce2.h 
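Review bot: The header comment for DCE2_FreeGlobals still has empty Purpose/Arguments/Returns fields after this rewrite; now that the body is short the purpose is easy to state, e.g. `* Purpose: Release the packet stack, every reassembly packet in dce2_rpkt[] (via _dpd.encodeDelete) and the event tables at shutdown.` The new loop relies on `dce2_rpkt` having at least `DCE2_RPKT_TYPE__MAX` entries and on `_dpd.encodeDelete` also releasing whatever replaced the per-family `*_rpkt6` packets and their pcap headers that this hunk stops freeing explicitly; neither is visible here, so a comment at the loop such as `// one encoded rpkt per DCE2_RpktType; encodeDelete is assumed to release the whole packet (incl. pcap header) - confirm against DCE2_InitRpkts` would record the assumption for the next reader.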
snort-2.9.2/src/dynamic-preprocessors/dcerpc2/snort_dce2.h --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/snort_dce2.h 2009-05-06 22:28:55.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/snort_dce2.h 2011-06-08 00:33:13.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -17,7 +17,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * **************************************************************************** - * + * ****************************************************************************/ #ifndef _SNORT_DCE2_H_ @@ -27,7 +27,7 @@ #include "dce2_session.h" #include "sf_snort_packet.h" #include "sf_types.h" -#include "debug.h" +#include "snort_debug.h" /******************************************************************** * Macros @@ -47,7 +47,8 @@ DCE2_RPKT_TYPE__SMB_CO_FRAG, DCE2_RPKT_TYPE__TCP_CO_SEG, DCE2_RPKT_TYPE__TCP_CO_FRAG, - DCE2_RPKT_TYPE__UDP_CL_FRAG + DCE2_RPKT_TYPE__UDP_CL_FRAG, + DCE2_RPKT_TYPE__MAX } DCE2_RpktType; @@ -77,8 +78,8 @@ /******************************************************************** * Inline function prototypes ********************************************************************/ -static INLINE void DCE2_ResetRopts(DCE2_Roptions *); -static INLINE void DCE2_DisableDetect(SFSnortPacket *); +static inline void DCE2_ResetRopts(DCE2_Roptions *); +static inline void DCE2_DisableDetect(SFSnortPacket *); /******************************************************************** * Function: 
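Review bot: `DCE2_RPKT_TYPE__MAX` added to the DCE2_RpktType enum is a count/array bound rather than a packet type, and nothing marks it as such; any `switch` over DCE2_RpktType without a `default` now draws a -Wswitch warning, and a caller passing it through would index one past the last real type. A trailing comment, `DCE2_RPKT_TYPE__MAX  /* sentinel: number of types (presumably sizes dce2_rpkt[]); not a valid rtype */`, makes the intent clear. The switch in DCE2_GetRpktMaxData appears to reject unknown values with a logging default branch, so the risk is confined to new call sites.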
@@ -90,7 +91,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_ResetRopts(DCE2_Roptions *ropts) +static inline void DCE2_ResetRopts(DCE2_Roptions *ropts) { ropts->first_frag = DCE2_SENTINEL; ropts->opnum = DCE2_SENTINEL; @@ -109,11 +110,12 @@ * Returns: * *********************************************************************/ -static INLINE void DCE2_DisableDetect(SFSnortPacket *p) +static inline void DCE2_DisableDetect(SFSnortPacket *p) { _dpd.disableAllDetect(p); _dpd.setPreprocBit(p, PP_SFPORTSCAN); _dpd.setPreprocBit(p, PP_PERFMONITOR); + _dpd.setPreprocBit(p, PP_SDF); } #endif /* _SNORT_DCE2_H_ */ diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/spp_dce2.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/spp_dce2.c --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/spp_dce2.c 2009-10-02 20:29:57.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/spp_dce2.c 2011-11-21 20:15:24.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -17,10 +17,16 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * **************************************************************************** - * + * ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "spp_dce2.h" +#include "sf_preproc_info.h" #include "dce2_memory.h" #include "dce2_list.h" #include "dce2_utils.h" @@ -28,6 +34,7 @@ #include "dce2_roptions.h" #include "dce2_stats.h" #include "dce2_event.h" +#include "dce2_paf.h" #include "snort_dce2.h" #include "preprocids.h" #include "profiler.h" 
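Review bot: The new `_dpd.setPreprocBit(p, PP_SDF);` in DCE2_DisableDetect has no comment saying why that preprocessor is re-enabled on a packet this function otherwise takes out of detection, and the existing PP_SFPORTSCAN/PP_PERFMONITOR lines have none either; since this inline decides which inspection still runs on DCE2-consumed packets, the rationale matters. A short comment above the three calls, `/* detection is off for this packet, but portscan, perfmon and the sensitive-data preprocessor (PP_SDF, presumably) must still see it */`, would capture it; confirm what PP_SDF denotes in preprocids.h before committing to the wording.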
@@ -75,10 +82,20 @@ extern DCE2_Stats dce2_stats; extern DCE2_Memory dce2_memory; extern char **dce2_trans_strs; -extern DynamicPreprocessorData _dpd; extern DCE2_CStack *dce2_pkt_stack; extern DCE2_ProtoIds dce2_proto_ids; +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 0; +const int BUILD_VERSION = 3; +#ifdef SUP_IP6 +const char *PREPROC_NAME = "SF_DCERPC2 (IPV6)"; +#else +const char *PREPROC_NAME = "SF_DCERPC2"; +#endif + +#define DCE2_RegisterPreprocessor DYNAMIC_PREPROC_SETUP + /******************************************************************** * Macros ********************************************************************/ @@ -123,6 +140,11 @@ static void DCE2_ReloadSwapFree(void *); #endif +#ifdef ENABLE_PAF +static void DCE2_AddPortsToPaf(DCE2_Config *, tSfPolicyId); +static void DCE2_ScAddPortsToPaf(void *); +#endif + /******************************************************************** * Function: DCE2_RegisterPreprocessor() * @@ -162,6 +184,13 @@ DCE2_Config *pDefaultPolicyConfig = NULL; DCE2_Config *pCurrentPolicyConfig = NULL; + if ((_dpd.streamAPI == NULL) || (_dpd.streamAPI->version != STREAM_API_VERSION5)) + { + DCE2_Die("%s(%d) \"%s\" configuration: " + "Stream5 must be enabled with TCP and UDP tracking.", + *_dpd.config_file, *_dpd.config_line, DCE2_GNAME); + } + if (dce2_config == NULL) { dce2_config = sfPolicyConfigCreate(); @@ -176,15 +205,8 @@ DCE2_StatsInit(); DCE2_EventsInit(); - if ((_dpd.streamAPI == NULL) || (_dpd.streamAPI->version != STREAM_API_VERSION5)) - { - DCE2_Die("%s(%d) \"%s\" configuration: Stream5 must be enabled with " - "TCP and UDP tracking.", - *_dpd.config_file, *_dpd.config_line, DCE2_GNAME); - } - /* Initialize reassembly packet */ - DCE2_InitRpkts(); + DCE2_InitRpkts(); _dpd.addPreprocConfCheck(DCE2_CheckConfig); _dpd.registerPreprocStats(DCE2_GNAME, DCE2_PrintStats); 
@@ -251,8 +273,16 @@ /* Parse configuration args */ DCE2_GlobalConfigure(pCurrentPolicyConfig, args); + if (policy_id != 0) + pCurrentPolicyConfig->gconfig->memcap = pDefaultPolicyConfig->gconfig->memcap; + + if ( pCurrentPolicyConfig->gconfig->disabled ) + return; + + /* Register callbacks */ - _dpd.addPreproc(DCE2_Main, PRIORITY_APPLICATION, PP_DCE2, PROTO_BIT__TCP | PROTO_BIT__UDP); + _dpd.addPreproc(DCE2_Main, PRIORITY_APPLICATION, + PP_DCE2, PROTO_BIT__TCP | PROTO_BIT__UDP); #ifdef TARGET_BASED _dpd.streamAPI->set_service_filter_status @@ -261,9 +291,6 @@ _dpd.streamAPI->set_service_filter_status (dce2_proto_ids.nbss, PORT_MONITOR_SESSION, policy_id, 1); #endif - - if (policy_id != 0) - pCurrentPolicyConfig->gconfig->memcap = pDefaultPolicyConfig->gconfig->memcap; } /********************************************************************* @@ -298,26 +325,21 @@ static int DCE2_CheckConfigPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { DCE2_Config *pPolicyConfig = (DCE2_Config *)pData; DCE2_ServerConfig *dconfig; + if ( pPolicyConfig->gconfig->disabled ) + return 0; + _dpd.setParserPolicy(policyId); + // config_file/config_line are not set here if (!_dpd.isPreprocEnabled(PP_STREAM5)) { - DCE2_Die("%s(%d) \"%s\" configuration: Stream5 must be enabled with " - "TCP and UDP tracking.", - *_dpd.config_file, *_dpd.config_line, DCE2_GNAME); - } - - if (_dpd.isPreprocEnabled(PP_DCERPC)) - { - DCE2_Die("%s(%d) \"%s\" configuration: Only one DCE/RPC preprocessor " - "can be configured.", - *_dpd.config_file, *_dpd.config_line, DCE2_GNAME); + DCE2_Die("Stream5 must be enabled with TCP and UDP tracking."); } dconfig = pPolicyConfig->dconfig; @@ -332,6 +354,8 @@ DCE2_ScCheckTransports(pPolicyConfig); } + DCE2_AddPortsToPaf(pPolicyConfig, policyId); + /* Register routing table memory */ if (pPolicyConfig->sconfigs != NULL) DCE2_RegMem(sfrt_usage(pPolicyConfig->sconfigs), DCE2_MEM_TYPE__RT); 
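Review bot: `DCE2_AddPortsToPaf(pPolicyConfig, policyId);` in DCE2_CheckConfigPolicy is called unconditionally, but the function is declared and defined only under `#ifdef ENABLE_PAF` (prototype hunk at -123, definition at -1499), so a build without ENABLE_PAF gets an implicit declaration and an unresolved symbol unless dce2_paf.h supplies a no-op stub for that case, which is not visible here. The same unguarded call appears in DCE2_ReloadVerifyPolicy (hunk -1390). Either wrap both calls in `#ifdef ENABLE_PAF` or provide a non-PAF definition that does nothing, and say which at the prototype. Separately, the simplified `DCE2_Die("Stream5 must be enabled with TCP and UDP tracking.");` no longer names the preprocessor; `DCE2_Die("\"%s\" configuration: Stream5 must be enabled with TCP and UDP tracking.", DCE2_GNAME);` keeps the message attributable without needing config_file/config_line.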
@@ -361,21 +385,21 @@ * * Arguments: * void * - pointer to packet structure - * void * - pointer to context + * void * - pointer to context * * Returns: None * *********************************************************************/ static void DCE2_Main(void *pkt, void *context) { - SFSnortPacket *p = (SFSnortPacket *)pkt; + SFSnortPacket *p = (SFSnortPacket *)pkt; PROFILE_VARS; DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ALL, "%s\n", DCE2_DEBUG__START_MSG)); sfPolicyUserPolicySet (dce2_config, _dpd.getRuntimePolicy()); -#ifdef DEBUG +#ifdef DEBUG_MSGS if (DCE2_SsnFromServer(p)) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Packet from server.\n")); @@ -439,10 +463,10 @@ * * Arguments: * int - whether Snort is exiting or not - * + * * Returns: None * - ******************************************************************/ + ******************************************************************/ static void DCE2_PrintStats(int exiting) { _dpd.logMsg("dcerpc2 Preprocessor Statistics\n"); @@ -977,7 +1001,7 @@ _dpd.logMsg(" SMB other command responses: "STDu64"\n", dce2_stats.smb_other_resp); } -#ifdef DEBUG +#ifdef DEBUG_MSGS _dpd.logMsg(" Memory stats (bytes)\n"); _dpd.logMsg(" Current total: %u\n", dce2_memory.smb_total); _dpd.logMsg(" Maximum total: %u\n", dce2_memory.smb_total_max); @@ -1004,7 +1028,7 @@ _dpd.logMsg(" Total sessions: "STDu64"\n", dce2_stats.tcp_sessions); _dpd.logMsg(" Packet stats\n"); _dpd.logMsg(" Packets: "STDu64"\n", dce2_stats.tcp_pkts); -#ifdef DEBUG +#ifdef DEBUG_MSGS _dpd.logMsg(" Memory stats (bytes)\n"); _dpd.logMsg(" Current total: %u\n", dce2_memory.tcp_total); _dpd.logMsg(" Maximum total: %u\n", dce2_memory.tcp_total_max); 
@@ -1019,7 +1043,7 @@ _dpd.logMsg(" Total sessions: "STDu64"\n", dce2_stats.udp_sessions); _dpd.logMsg(" Packet stats\n"); _dpd.logMsg(" Packets: "STDu64"\n", dce2_stats.udp_pkts); -#ifdef DEBUG +#ifdef DEBUG_MSGS _dpd.logMsg(" Memory stats (bytes)\n"); _dpd.logMsg(" Current total: %u\n", dce2_memory.udp_total); _dpd.logMsg(" Maximum total: %u\n", dce2_memory.udp_total_max); @@ -1040,7 +1064,7 @@ _dpd.logMsg(" Server packets: "STDu64"\n", dce2_stats.http_server_pkts); if (dce2_stats.http_proxy_sessions > 0) _dpd.logMsg(" Proxy packets: "STDu64"\n", dce2_stats.http_proxy_pkts); -#ifdef DEBUG +#ifdef DEBUG_MSGS _dpd.logMsg(" Memory stats (bytes)\n"); _dpd.logMsg(" Current total: %u\n", dce2_memory.http_total); _dpd.logMsg(" Maximum total: %u\n", dce2_memory.http_total_max); @@ -1109,7 +1133,7 @@ } _dpd.logMsg(" Client seg reassembled: "STDu64"\n", dce2_stats.co_cli_seg_reassembled); _dpd.logMsg(" Server seg reassembled: "STDu64"\n", dce2_stats.co_srv_seg_reassembled); -#ifdef DEBUG +#ifdef DEBUG_MSGS _dpd.logMsg(" Memory stats (bytes)\n"); _dpd.logMsg(" Current segmentation buffering: %u\n", dce2_memory.co_seg); _dpd.logMsg(" Maximum segmentation buffering: %u\n", dce2_memory.co_seg_max); @@ -1159,7 +1183,7 @@ _dpd.logMsg(" Reassembled: "STDu64"\n", dce2_stats.cl_frag_reassembled); if (dce2_stats.cl_max_seqnum > 0) _dpd.logMsg(" Max seq num: "STDu64"\n", dce2_stats.cl_max_seqnum); -#ifdef DEBUG +#ifdef DEBUG_MSGS _dpd.logMsg(" Memory stats (bytes)\n"); _dpd.logMsg(" Current activity tracker: %u\n", dce2_memory.cl_act); _dpd.logMsg(" Maximum activity tracker: %u\n", dce2_memory.cl_act_max); @@ -1175,7 +1199,7 @@ if (exiting) DCE2_StatsFree(); -#ifdef DEBUG +#ifdef DEBUG_MSGS _dpd.logMsg("\n"); _dpd.logMsg(" Memory stats (bytes)\n"); _dpd.logMsg(" Current total: %u\n", dce2_memory.total); 
@@ -1201,10 +1225,10 @@ * Arguments: * int - signal that caused the reset * void * - pointer to data - * + * * Returns: None * - ******************************************************************/ + ******************************************************************/ static void DCE2_Reset(int signal, void *data) { if (!DCE2_CStackIsEmpty(dce2_pkt_stack)) @@ -1225,10 +1249,10 @@ * Arguments: * int - signal that caused function to be called * void * - pointer to data - * + * * Returns: None * - ******************************************************************/ + ******************************************************************/ static void DCE2_ResetStats(int signal, void *data) { DCE2_StatsInit(); @@ -1242,12 +1266,12 @@ * Arguments: * int - signal that caused Snort to exit * void * - pointer to data - * + * * Returns: None * - ******************************************************************/ + ******************************************************************/ static void DCE2_CleanExit(int signal, void *data) -{ +{ DCE2_FreeConfigs(dce2_config); dce2_config = NULL; 
@@ -1271,25 +1295,24 @@ DCE2_Config *pDefaultPolicyConfig = NULL; DCE2_Config *pCurrentPolicyConfig = NULL; + if ((_dpd.streamAPI == NULL) || (_dpd.streamAPI->version != STREAM_API_VERSION5)) + { + DCE2_Die("%s(%d) \"%s\" configuration: " + "Stream5 must be enabled with TCP and UDP tracking.", + *_dpd.config_file, *_dpd.config_line, DCE2_GNAME); + } + if (dce2_swap_config == NULL) { //create a context dce2_swap_config = sfPolicyConfigCreate(); - + if (dce2_swap_config == NULL) { DCE2_Die("%s(%d) \"%s\" configuration: Could not allocate memory " "configuration.\n", *_dpd.config_file, *_dpd.config_line, DCE2_GNAME); } - - if ((_dpd.streamAPI == NULL) || (_dpd.streamAPI->version != STREAM_API_VERSION5)) - { - DCE2_Die("%s(%d) \"%s\" configuration: Stream5 must be enabled with " - "TCP and UDP tracking.", - *_dpd.config_file, *_dpd.config_line, DCE2_GNAME); - } - _dpd.addPreprocReloadVerify(DCE2_ReloadVerify); } @@ -1313,13 +1336,19 @@ DCE2_RegRuleOptions(); - pCurrentPolicyConfig = (DCE2_Config *)DCE2_Alloc(sizeof(DCE2_Config), DCE2_MEM_TYPE__CONFIG); + pCurrentPolicyConfig = (DCE2_Config *)DCE2_Alloc(sizeof(DCE2_Config), + DCE2_MEM_TYPE__CONFIG); + sfPolicyUserDataSetCurrent(dce2_swap_config, pCurrentPolicyConfig); /* Parse configuration args */ DCE2_GlobalConfigure(pCurrentPolicyConfig, args); - _dpd.addPreproc(DCE2_Main, PRIORITY_APPLICATION, PP_DCE2, PROTO_BIT__TCP | PROTO_BIT__UDP); + if ( pCurrentPolicyConfig->gconfig->disabled ) + return; + + _dpd.addPreproc(DCE2_Main, PRIORITY_APPLICATION, PP_DCE2, + PROTO_BIT__TCP | PROTO_BIT__UDP); #ifdef TARGET_BASED _dpd.streamAPI->set_service_filter_status @@ -1365,7 +1394,7 @@ static int DCE2_ReloadVerifyPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { 
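Review bot: The new `if ( pCurrentPolicyConfig->gconfig->disabled ) return;` in DCE2_ReloadInit returns before everything that follows the TARGET_BASED block, whereas in DCE2_RegisterPreprocessor the matching early return was deliberately placed after the `memcap` inheritance for non-default policies (hunk -251 moved that assignment up). If DCE2_ReloadInit still copies `pDefaultPolicyConfig->gconfig->memcap` at its end (the tail is outside this hunk), a disabled non-default policy now skips that copy on reload but not on initial load; the two paths should be brought in line. Moving the Stream5 version check to the top of the function does mirror the register path and reads well.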
@@ -1375,9 +1404,16 @@ //do any housekeeping before freeing DCE2_Config - if (swap_config == NULL) + if ( swap_config == NULL || swap_config->gconfig->disabled ) return 0; + if (!_dpd.isPreprocEnabled(PP_STREAM5)) + { + DCE2_Die("%s(%d) \"%s\" configuration: " + "Stream5 must be enabled with TCP and UDP tracking.", + *_dpd.config_file, *_dpd.config_line, DCE2_GNAME); + } + dconfig = swap_config->dconfig; if (dconfig == NULL) @@ -1390,6 +1426,8 @@ DCE2_ScCheckTransports(swap_config); } + DCE2_AddPortsToPaf(swap_config, policyId); + /* Register routing table memory */ if (swap_config->sconfigs != NULL) DCE2_RegMem(sfrt_usage(swap_config->sconfigs), DCE2_MEM_TYPE__RT); @@ -1425,20 +1463,6 @@ if ((dce2_swap_config == NULL) || (dce2_config == NULL)) return 0; - if (!_dpd.isPreprocEnabled(PP_STREAM5)) - { - DCE2_Die("%s(%d) \"%s\" configuration: Stream5 must be enabled with " - "TCP and UDP tracking.", - *_dpd.config_file, *_dpd.config_line, DCE2_GNAME); - } - - if (_dpd.isPreprocEnabled(PP_DCERPC)) - { - DCE2_Die("%s(%d) \"%s\" configuration: Only one DCE/RPC preprocessor " - "can be configured.", - *_dpd.config_file, *_dpd.config_line, DCE2_GNAME); - } - if (sfPolicyUserDataIterate(dce2_swap_config, DCE2_ReloadVerifyPolicy) != 0) return -1; @@ -1447,7 +1471,7 @@ static int DCE2_ReloadSwapPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { 
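Review bot: The new `DCE2_Die` in DCE2_ReloadVerifyPolicy formats `*_dpd.config_file` and `*_dpd.config_line`, but this function is a per-policy iterate callback just like DCE2_CheckConfigPolicy, where the same commit replaced the equivalent message with a plain one and added `// config_file/config_line are not set here`. If that note holds for the reload-verify callback too, the `%s` may dereference an unset pointer at the moment the error is reported; use the same plain or DCE2_GNAME-only message as in DCE2_CheckConfigPolicy. The hunk at -1425 removes the old Stream5 and PP_DCERPC checks from DCE2_ReloadVerify, so the check here is now the only Stream5 check on the reload path; a one-line comment saying so would stop someone adding it back at the caller.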
@@ -1499,3 +1523,81 @@ } #endif +#ifdef ENABLE_PAF + +// Used for iterate function below since we can't pass it +static tSfPolicyId dce2_paf_tmp_policy_id = 0; + +/********************************************************************* + * Function: DCE2_AddPortsToPaf() + * + * Add detect and autodetect ports to stream5 paf + * + * Arguments: + * DCE2_Config * + * Pointer to configuration structure. + * + * Returns: None + * + *********************************************************************/ +static void DCE2_AddPortsToPaf(DCE2_Config *config, tSfPolicyId policy_id) +{ + if (config == NULL) + return; + + dce2_paf_tmp_policy_id = policy_id; + + DCE2_ScAddPortsToPaf(config->dconfig); + + if (config->sconfigs != NULL) + sfrt_iterate(config->sconfigs, DCE2_ScAddPortsToPaf); + + dce2_paf_tmp_policy_id = 0; +} + +static void DCE2_ScAddPortsToPaf(void *data) +{ + DCE2_ServerConfig *sc = (DCE2_ServerConfig *)data; + unsigned int port; + tSfPolicyId policy_id = dce2_paf_tmp_policy_id; + + if (data == NULL) + return; + + for (port = 0; port < DCE2_PORTS__MAX; port++) + { + if (DCE2_IsPortSet(sc->smb_ports, (uint16_t)port)) + { + DCE2_PafRegister((uint16_t)port, policy_id, DCE2_TRANS_TYPE__SMB); + } + + if (DCE2_IsPortSet(sc->auto_smb_ports, (uint16_t)port)) + { + DCE2_PafRegister((uint16_t)port, policy_id, DCE2_TRANS_TYPE__SMB); + } + + if (DCE2_IsPortSet(sc->tcp_ports, (uint16_t)port)) + { + DCE2_PafRegister((uint16_t)port, policy_id, DCE2_TRANS_TYPE__TCP); + } + + if (DCE2_IsPortSet(sc->auto_tcp_ports, (uint16_t)port)) + { + DCE2_PafRegister((uint16_t)port, policy_id, DCE2_TRANS_TYPE__TCP); + } + +#if 0 + if (DCE2_IsPortSet(sc->http_proxy_ports, (uint16_t)port)) + { + /* TODO Implement PAF registration and callback. */ + } + + if (DCE2_IsPortSet(sc->http_server_ports, (uint16_t)port)) + { + /* TODO Implement PAF registration and callback. 
*/ + } +#endif + } +} +#endif + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/spp_dce2.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/spp_dce2.h --- snort-2.8.5.2/src/dynamic-preprocessors/dcerpc2/spp_dce2.h 2009-01-26 16:26:14.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/spp_dce2.h 2011-02-09 23:23:16.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2009 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dnp3/dnp3_map.c snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_map.c --- snort-2.8.5.2/src/dynamic-preprocessors/dnp3/dnp3_map.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_map.c 2011-10-26 18:28:52.000000000 +0000 
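Review bot: The header comment for DCE2_AddPortsToPaf lists only `DCE2_Config *` under Arguments although the function also takes `tSfPolicyId policy_id`, and DCE2_ScAddPortsToPaf has no header at all even though it is the sfrt_iterate callback and reads the file-scope `dce2_paf_tmp_policy_id` as its hidden second argument. Add `tSfPolicyId - policy the ports are registered under` to the first header and a short one to the callback, e.g. `/* sfrt_iterate callback: registers every SMB/TCP detect and autodetect port of one server config with PAF; the policy id arrives via dce2_paf_tmp_policy_id because the iterator passes no context. */`. A port present in both `smb_ports` and `auto_smb_ports` (or both TCP sets) is registered twice with identical arguments; if DCE2_PafRegister is not idempotent, an `else if` avoids the duplicate. The `#if 0` block with the HTTP proxy/server TODOs is dead code and could be a single TODO comment.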
@@ -0,0 +1,151 @@ +/* + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2011 Sourcefire, Inc. + * + * Author: Ryan Jordan + * + * Tables for DNP3 function & indicator definitions + * + */ + +#include +#include +#include "dnp3_map.h" + +/* Name/value pair struct */ +typedef struct _dnp3_map_t +{ + char *name; + uint16_t value; +} dnp3_map_t; + +/* Mapping of name -> function code for "dnp3_func" option. 
*/ +static dnp3_map_t func_map[] = +{ + {"confirm", 0}, + {"read", 1}, + {"write", 2}, + {"select", 3}, + {"operate", 4}, + {"direct_operate", 5}, + {"direct_operate_nr", 6}, + {"immed_freeze", 7}, + {"immed_freeze_nr", 8}, + {"freeze_clear", 9}, + {"freeze_clear_nr", 10}, + {"freeze_at_time", 11}, + {"freeze_at_time_nr", 12}, + {"cold_restart", 13}, + {"warm_restart", 14}, + {"initialize_data", 15}, + {"initialize_appl", 16}, + {"start_appl", 17}, + {"stop_appl", 18}, + {"save_config", 19}, + {"enable_unsolicited", 20}, + {"disable_unsolicited", 21}, + {"assign_class", 22}, + {"delay_measure", 23}, + {"record_current_time", 24}, + {"open_file", 25}, + {"close_file", 26}, + {"delete_file", 27}, + {"get_file_info", 28}, + {"authenticate_file", 29}, + {"abort_file", 30}, + {"activate_config", 31}, + {"authenticate_req", 32}, + {"authenticate_err", 33}, + {"response", 129}, + {"unsolicited_response", 130}, + {"authenticate_resp", 131} +}; + +/* Mapping of name -> indication bit for "dnp3_ind" option. */ +static dnp3_map_t indication_map[] = +{ + /* The order is strange, but this is the order in which the spec + lists them. 
*/ + {"all_stations", 0x0100}, + {"class_1_events", 0x0200}, + {"class_2_events", 0x0400}, + {"class_3_events", 0x0800}, + {"need_time", 0x1000}, + {"local_control", 0x2000}, + {"device_trouble", 0x4000}, + {"device_restart", 0x8000}, + {"no_func_code_support", 0x0001}, + {"object_unknown", 0x0002}, + {"parameter_error", 0x0004}, + {"event_buffer_overflow", 0x0008}, + {"already_executing", 0x0010}, + {"config_corrupt", 0x0020}, + {"reserved_2", 0x0040}, + {"reserved_1", 0x0080}, +}; + +int DNP3FuncIsDefined(uint16_t code) +{ + size_t num_funcs = sizeof(func_map) / sizeof(func_map[0]); + size_t i; + int func_is_defined = 0; + + /* Check to see if code is higher than all codes in func map */ + if (code > func_map[num_funcs-1].value) + return func_is_defined; + + for (i = 0; i < num_funcs; i++) + { + /* This short-circuit check assumes that the function map remains + in-order. */ + if (code <= func_map[i].value) + break; + } + + if (code == func_map[i].value) + func_is_defined = 1; + + return func_is_defined; +} + +int DNP3FuncStrToCode(char *name) +{ + size_t num_funcs = sizeof(func_map) / sizeof(func_map[0]); + size_t i; + + for (i = 0; i < num_funcs; i++) + { + if (strcmp(name, func_map[i].name) == 0) + return func_map[i].value; + } + + return -1; +} + +int DNP3IndStrToCode(char *name) +{ + size_t num_indications = sizeof(indication_map) / sizeof(indication_map[0]); + size_t i; + + for (i = 0; i < num_indications; i++) + { + if (strcmp(name, indication_map[i].name) == 0) + return indication_map[i].value; + } + + return -1; +} diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dnp3/dnp3_map.h snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_map.h --- snort-2.8.5.2/src/dynamic-preprocessors/dnp3/dnp3_map.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_map.h 2011-10-26 18:28:52.000000000 +0000 
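Review bot: `DNP3FuncStrToCode` and `DNP3IndStrToCode` take `char *name` and only read it through strcmp, and `dnp3_map_t.name` points at string literals, so all three should be `const char *`; as written a caller holding a const buffer must cast, and the compiler cannot catch an accidental write through `name`. The prototypes in dnp3_map.h (the next file section) need the same change. `DNP3FuncIsDefined` relies on `func_map` staying sorted by value, as the comment inside its loop says; a `/* keep sorted by value: DNP3FuncIsDefined depends on it */` comment on the table itself, where the next edit would land, is more likely to be seen. The two `#include` lines appear with their header names stripped in this rendering, which looks like an extraction artifact rather than a source change.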
@@ -0,0 +1,50 @@ +/* + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2011 Sourcefire, Inc. + * + * Author: Ryan Jordan + * + * Tables for DNP3 function & indicator definitions + * + */ + +#ifndef DNP3_MAP__H +#define DNP3_MAP__H + +#include + +/* Check if "code" is in the function map. + * + * Returns: 1 on success, 0 on failure. + */ +int DNP3FuncIsDefined(uint16_t code); + +/* Return the DNP3 function code corresponding to "name". + * + * Returns: integer + * -1 on failure + */ +int DNP3FuncStrToCode(char *name); + +/* Return the DNP3 indication code corresponding to "name". + * + * Returns: integer + * -1 on failure + */ +int DNP3IndStrToCode(char *name); + +#endif diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dnp3/dnp3_paf.c snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_paf.c --- snort-2.8.5.2/src/dynamic-preprocessors/dnp3/dnp3_paf.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_paf.c 2011-10-26 18:28:52.000000000 +0000 
@@ -0,0 +1,169 @@ +/* + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2011 Sourcefire, Inc. + * + * Author: Ryan Jordan + * + * Protocol Aware Flushing (PAF) code for DNP3 preprocessor. + * + */ + +#include "spp_dnp3.h" +#include "dnp3_paf.h" +#include "sf_dynamic_preprocessor.h" + +/* Forward declarations */ +int DNP3PafRegister(uint16_t port, tSfPolicyId policy_id); +PAF_Status DNP3Paf(void *ssn, void **user, const uint8_t *data, + uint32_t len, uint32_t flags, uint32_t *fp); + +/* State-tracking structs */ +typedef enum _dnp3_paf_state +{ + DNP3_PAF_STATE__START_1 = 0, + DNP3_PAF_STATE__START_2, + DNP3_PAF_STATE__LENGTH, + DNP3_PAF_STATE__SET_FLUSH +} dnp3_paf_state_t; + +typedef struct _dnp3_paf_data +{ + dnp3_paf_state_t state; + uint8_t dnp3_length; + uint16_t real_length; +} dnp3_paf_data_t; + +int DNP3PafRegister(uint16_t port, tSfPolicyId policy_id) +{ + if (!_dpd.isPafEnabled()) + return 0; + + _dpd.streamAPI->register_paf_cb(policy_id, port, 0, DNP3Paf, true); + _dpd.streamAPI->register_paf_cb(policy_id, port, 1, DNP3Paf, true); + + return 0; +} + +/* Function: DNP3Paf() + + Purpose: DNP3 PAF callback. 
+ Statefully inspects DNP3 traffic from the start of a session, + Reads up until the length octet is found, then sets a flush point. + The flushed PDU is a DNP3 Link Layer frame, the preprocessor + handles reassembly of frames into Application Layer messages. + + Arguments: + void * - stream5 session pointer + void ** - DNP3 state tracking structure + const uint8_t * - payload data to inspect + uint32_t - length of payload data + uint32_t - flags to check whether client or server + uint32_t * - pointer to set flush point + + Returns: + PAF_Status - PAF_FLUSH if flush point found, PAF_SEARCH otherwise +*/ + +PAF_Status DNP3Paf(void *ssn, void **user, const uint8_t *data, + uint32_t len, uint32_t flags, uint32_t *fp) +{ + dnp3_paf_data_t *pafdata = *(dnp3_paf_data_t **)user; + uint32_t bytes_processed = 0; + + /* Allocate state object if it doesn't exist yet. */ + if (pafdata == NULL) + { + pafdata = calloc(1, sizeof(dnp3_paf_data_t)); + if (pafdata == NULL) + return PAF_ABORT; + + *user = pafdata; + } + + /* Process this packet 1 byte at a time */ + while (bytes_processed < len) + { + uint16_t user_data = 0; + uint16_t num_crcs = 0; + + switch (pafdata->state) + { + /* Check the Start bytes. If they are not \x05\x64, don't advance state. + Could be out of sync, junk data between frames, mid-stream pickup, etc. */ + case DNP3_PAF_STATE__START_1: + if (((uint8_t) *(data + bytes_processed)) == 0x05) + pafdata->state++; + break; + + case DNP3_PAF_STATE__START_2: + if (((uint8_t) *(data + bytes_processed)) == 0x64) + pafdata->state++; + else + pafdata->state = DNP3_PAF_STATE__START_1; + break; + + /* Read the length. */ + case DNP3_PAF_STATE__LENGTH: + pafdata->dnp3_length = (uint8_t) *(data + bytes_processed); + + /* DNP3 length only counts non-CRC octets following the + length field itself. Each CRC is two octets. 
One follows + the headers, a CRC is inserted for every 16 octets of user data, + plus a CRC for the last bit of user data (< 16 octets) */ + + if (pafdata->dnp3_length < DNP3_HEADER_REMAINDER_LEN) + { + /* XXX: Can we go about raising decoder alerts & dropping + packets within PAF? */ + return PAF_ABORT; + } + + user_data = pafdata->dnp3_length - DNP3_HEADER_REMAINDER_LEN; + num_crcs = 1 + (user_data/16) + (user_data % 16? 1 : 0); + pafdata->real_length = pafdata->dnp3_length + (2*num_crcs); + + pafdata->state++; + break; + + /* Set the flush point. */ + case DNP3_PAF_STATE__SET_FLUSH: + *fp = pafdata->real_length + bytes_processed; + pafdata->state = DNP3_PAF_STATE__START_1; + return PAF_FLUSH; + } + + bytes_processed++; + } + + return PAF_SEARCH; +} + +/* Take a DNP3 config + Snort policy, iterate through ports, register PAF callback. */ +int DNP3AddPortsToPaf(dnp3_config_t *config, tSfPolicyId policy_id) +{ + unsigned int i; + + for (i = 0; i < MAX_PORTS; i++) + { + if (config->ports[PORT_INDEX(i)] & CONV_PORT(i)) + { + DNP3PafRegister((uint16_t) i, policy_id); + } + } + + return DNP3_OK; +} diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dnp3/dnp3_paf.h snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_paf.h --- snort-2.8.5.2/src/dynamic-preprocessors/dnp3/dnp3_paf.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_paf.h 2011-10-26 18:28:52.000000000 +0000 
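Review bot: `DNP3PafRegister` and `DNP3Paf` are file-local helpers (dnp3_paf.h exports only DNP3AddPortsToPaf) but are declared with external linkage, so they leak into the shared object's symbol table; mark both `static` and drop the "Forward declarations" externs. The `switch (pafdata->state)` in DNP3Paf has no `default:`, so a corrupted or future state value would silently consume every byte of the session without ever flushing; `default: pafdata->state = DNP3_PAF_STATE__START_1; break;` (or `return PAF_ABORT;`) is cheap insurance in a function fed raw network data. The `*user` state block is `calloc`'d here but nothing in this file frees it; add a comment stating that Stream5 owns it once stored in `*user`, if that is the contract — confirm against register_paf_cb. In DNP3AddPortsToPaf `config` is dereferenced without a NULL check, unlike the DCE2 counterpart added in this same commit.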
@@ -0,0 +1,33 @@ +/* + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2011 Sourcefire, Inc. + * + * Author: Ryan Jordan + * + * Protocol Aware Flushing (PAF) code for DNP3 preprocessor. + * + */ + +#ifndef DNP3_PAF__H +#define DNP3_PAF__H + +#include "spp_dnp3.h" +#include "stream_api.h" + +int DNP3AddPortsToPaf(dnp3_config_t *config, tSfPolicyId policy_id); + +#endif /* DNP3_PAF__H */ diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dnp3/dnp3_reassembly.c snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_reassembly.c --- snort-2.8.5.2/src/dynamic-preprocessors/dnp3/dnp3_reassembly.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_reassembly.c 2011-11-21 20:15:24.000000000 +0000 
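Review bot: dnp3_paf.c in this patch defines `PAF_Status DNP3Paf(...)` with external linkage, but this header declares only DNP3AddPortsToPaf, so the flush callback has no prototype visible to any other translation unit; either declare it here next to DNP3AddPortsToPaf, `PAF_Status DNP3Paf(void *ssn, void **user, const uint8_t *data, uint32_t len, uint32_t flags, uint32_t *fp);`, or make the definition `static` if it is only ever handed to DNP3PafRegister inside dnp3_paf.c. DNP3AddPortsToPaf only reads `config->ports`, so the declaration could take `const dnp3_config_t *config` to document that it does not modify the configuration.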
@@ -0,0 +1,442 @@ +/* + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2011 Sourcefire, Inc. + * + * Author: Ryan Jordan + * + * Dynamic preprocessor for the DNP3 protocol + * + */ + +#include +#include + +#include "spp_dnp3.h" +#include "sf_types.h" +#include "sf_dynamic_preprocessor.h" +#include "sf_snort_packet.h" +#include "snort_bounds.h" + +#include "dnp3_map.h" +#include "dnp3_reassembly.h" +#include "dnp3_roptions.h" + +/* Minimum length of DNP3 "len" field in order to get a transport header. 
*/ +#define DNP3_MIN_TRANSPORT_LEN 6 + +/* CRC look-up table, for computeCRC() below */ +static uint16_t crcLookUpTable[256] = +{ + 0x0000, 0x365E, 0x6CBC, 0x5AE2, 0xD978, 0xEF26, 0xB5C4, 0x839A, + 0xFF89, 0xC9D7, 0x9335, 0xA56B, 0x26F1, 0x10AF, 0x4A4D, 0x7C13, + 0xB26B, 0x8435, 0xDED7, 0xE889, 0x6B13, 0x5D4D, 0x07AF, 0x31F1, + 0x4DE2, 0x7BBC, 0x215E, 0x1700, 0x949A, 0xA2C4, 0xF826, 0xCE78, + 0x29AF, 0x1FF1, 0x4513, 0x734D, 0xF0D7, 0xC689, 0x9C6B, 0xAA35, + 0xD626, 0xE078, 0xBA9A, 0x8CC4, 0x0F5E, 0x3900, 0x63E2, 0x55BC, + 0x9BC4, 0xAD9A, 0xF778, 0xC126, 0x42BC, 0x74E2, 0x2E00, 0x185E, + 0x644D, 0x5213, 0x08F1, 0x3EAF, 0xBD35, 0x8B6B, 0xD189, 0xE7D7, + 0x535E, 0x6500, 0x3FE2, 0x09BC, 0x8A26, 0xBC78, 0xE69A, 0xD0C4, + 0xACD7, 0x9A89, 0xC06B, 0xF635, 0x75AF, 0x43F1, 0x1913, 0x2F4D, + 0xE135, 0xD76B, 0x8D89, 0xBBD7, 0x384D, 0x0E13, 0x54F1, 0x62AF, + 0x1EBC, 0x28E2, 0x7200, 0x445E, 0xC7C4, 0xF19A, 0xAB78, 0x9D26, + 0x7AF1, 0x4CAF, 0x164D, 0x2013, 0xA389, 0x95D7, 0xCF35, 0xF96B, + 0x8578, 0xB326, 0xE9C4, 0xDF9A, 0x5C00, 0x6A5E, 0x30BC, 0x06E2, + 0xC89A, 0xFEC4, 0xA426, 0x9278, 0x11E2, 0x27BC, 0x7D5E, 0x4B00, + 0x3713, 0x014D, 0x5BAF, 0x6DF1, 0xEE6B, 0xD835, 0x82D7, 0xB489, + 0xA6BC, 0x90E2, 0xCA00, 0xFC5E, 0x7FC4, 0x499A, 0x1378, 0x2526, + 0x5935, 0x6F6B, 0x3589, 0x03D7, 0x804D, 0xB613, 0xECF1, 0xDAAF, + 0x14D7, 0x2289, 0x786B, 0x4E35, 0xCDAF, 0xFBF1, 0xA113, 0x974D, + 0xEB5E, 0xDD00, 0x87E2, 0xB1BC, 0x3226, 0x0478, 0x5E9A, 0x68C4, + 0x8F13, 0xB94D, 0xE3AF, 0xD5F1, 0x566B, 0x6035, 0x3AD7, 0x0C89, + 0x709A, 0x46C4, 0x1C26, 0x2A78, 0xA9E2, 0x9FBC, 0xC55E, 0xF300, + 0x3D78, 0x0B26, 0x51C4, 0x679A, 0xE400, 0xD25E, 0x88BC, 0xBEE2, + 0xC2F1, 0xF4AF, 0xAE4D, 0x9813, 0x1B89, 0x2DD7, 0x7735, 0x416B, + 0xF5E2, 0xC3BC, 0x995E, 0xAF00, 0x2C9A, 0x1AC4, 0x4026, 0x7678, + 0x0A6B, 0x3C35, 0x66D7, 0x5089, 0xD313, 0xE54D, 0xBFAF, 0x89F1, + 0x4789, 0x71D7, 0x2B35, 0x1D6B, 0x9EF1, 0xA8AF, 0xF24D, 0xC413, + 0xB800, 0x8E5E, 0xD4BC, 0xE2E2, 0x6178, 0x5726, 0x0DC4, 0x3B9A, + 0xDC4D, 0xEA13, 
0xB0F1, 0x86AF, 0x0535, 0x336B, 0x6989, 0x5FD7, + 0x23C4, 0x159A, 0x4F78, 0x7926, 0xFABC, 0xCCE2, 0x9600, 0xA05E, + 0x6E26, 0x5878, 0x029A, 0x34C4, 0xB75E, 0x8100, 0xDBE2, 0xEDBC, + 0x91AF, 0xA7F1, 0xFD13, 0xCB4D, 0x48D7, 0x7E89, 0x246B, 0x1235 +}; + +/* Append a DNP3 Transport segment to the reassembly buffer. + + Returns: + DNP3_OK: Segment queued successfully. + DNP3_FAIL: Data copy failed. Segment did not fit in reassembly buffer. +*/ +static int DNP3QueueSegment(dnp3_reassembly_data_t *rdata, char *buf, uint16_t buflen) +{ + if (rdata == NULL || buf == NULL) + return DNP3_FAIL; + + /* At first I was afraid, but we checked for DNP3_MAX_TRANSPORT_LEN earlier. */ + if (buflen + rdata->buflen > DNP3_BUFFER_SIZE) + return DNP3_FAIL; + + memcpy((rdata->buffer + rdata->buflen), buf, (size_t) buflen); + + rdata->buflen += buflen; + return DNP3_OK; +} + +/* Reset a DNP3 reassembly buffer */ +static void DNP3ReassemblyReset(dnp3_reassembly_data_t *rdata) +{ + rdata->buflen = 0; + rdata->state = DNP3_REASSEMBLY_STATE__IDLE; + rdata->last_seq = 0; +} + +/* DNP3 Transport-Layer reassembly state machine. + + Arguments: + rdata: DNP3 reassembly state object. + buf: DNP3 Transport Layer segment + buflen: Length of Transport Layer segment. + + Returns: + DNP3_FAIL: Segment was discarded. + DNP3_OK: Segment was queued. +*/ +static int DNP3ReassembleTransport(dnp3_reassembly_data_t *rdata, char *buf, uint16_t buflen) +{ + dnp3_transport_header_t *trans_header; + + if (rdata == NULL || buf == NULL || buflen < sizeof(dnp3_transport_header_t) || + (buflen > DNP3_MAX_TRANSPORT_LEN)) + { + return DNP3_FAIL; + } + + /* Take the first byte as a transport header, cut it off of the buffer. */ + trans_header = (dnp3_transport_header_t *)buf; + buf += sizeof(dnp3_transport_header_t); + buflen -= sizeof(dnp3_transport_header_t); + + + /* If the previously-existing state was DONE, we need to reset it back + to IDLE. 
*/ + if (rdata->state == DNP3_REASSEMBLY_STATE__DONE) + DNP3ReassemblyReset(rdata); + + switch (rdata->state) + { + case DNP3_REASSEMBLY_STATE__IDLE: + /* Discard any non-first segment. */ + if ( DNP3_TRANSPORT_FIR(trans_header->control) == 0 ) + return DNP3_FAIL; + + /* Reset the buffer & queue the first segment */ + DNP3ReassemblyReset(rdata); + DNP3QueueSegment(rdata, buf, buflen); + rdata->last_seq = DNP3_TRANSPORT_SEQ(trans_header->control); + + if ( DNP3_TRANSPORT_FIN(trans_header->control) ) + rdata->state = DNP3_REASSEMBLY_STATE__DONE; + else + rdata->state = DNP3_REASSEMBLY_STATE__ASSEMBLY; + + break; + + case DNP3_REASSEMBLY_STATE__ASSEMBLY: + /* Reset if the FIR flag is set. */ + if ( DNP3_TRANSPORT_FIR(trans_header->control) ) + { + DNP3ReassemblyReset(rdata); + DNP3QueueSegment(rdata, buf, buflen); + rdata->last_seq = DNP3_TRANSPORT_SEQ(trans_header->control); + + if (DNP3_TRANSPORT_FIN(trans_header->control)) + rdata->state = DNP3_REASSEMBLY_STATE__DONE; + + /* Raise an alert so it's clear the buffer was reset. + Could signify device trouble. */ + _dpd.alertAdd(GENERATOR_SPP_DNP3, DNP3_REASSEMBLY_BUFFER_CLEARED, + 1, 0, 3, DNP3_REASSEMBLY_BUFFER_CLEARED_STR, 0); + } + else + { + /* Same seq but FIN is set. Discard segment, BUT finish reassembly. */ + if ((DNP3_TRANSPORT_SEQ(trans_header->control) == rdata->last_seq) && + (DNP3_TRANSPORT_FIN(trans_header->control))) + { + _dpd.alertAdd(GENERATOR_SPP_DNP3, DNP3_DROPPED_SEGMENT, + 1, 0, 3, DNP3_DROPPED_SEGMENT_STR, 0); + rdata->state = DNP3_REASSEMBLY_STATE__DONE; + return DNP3_FAIL; + } + + /* Discard any other segments without the correct sequence. */ + if (DNP3_TRANSPORT_SEQ(trans_header->control) != + ((rdata->last_seq + 1) % 0x40 )) + { + _dpd.alertAdd(GENERATOR_SPP_DNP3, DNP3_DROPPED_SEGMENT, + 1, 0, 3, DNP3_DROPPED_SEGMENT_STR, 0); + return DNP3_FAIL; + } + + /* Otherwise, queue it up! 
*/ + DNP3QueueSegment(rdata, buf, buflen); + rdata->last_seq = DNP3_TRANSPORT_SEQ(trans_header->control); + + if (DNP3_TRANSPORT_FIN(trans_header->control)) + rdata->state = DNP3_REASSEMBLY_STATE__DONE; + else + rdata->state = DNP3_REASSEMBLY_STATE__ASSEMBLY; + } + + break; + + case DNP3_REASSEMBLY_STATE__DONE: + break; + } + + /* Set the Alt Decode buffer. This must be done during preprocessing + in order to stop the Fast Pattern matcher from using raw packet data + to evaluate the longest content in a rule. */ + if (rdata->state == DNP3_REASSEMBLY_STATE__DONE) + { + uint8_t *alt_buf = _dpd.altBuffer->data; + uint16_t alt_len = sizeof(_dpd.altBuffer->data); + int ret; + + ret = SafeMemcpy((void *)alt_buf, + (const void *)rdata->buffer, + (size_t)rdata->buflen, + (const void *)alt_buf, + (const void *)(alt_buf + alt_len)); + + if (ret == SAFEMEM_SUCCESS) + _dpd.SetAltDecode(alt_len); + } + + return DNP3_OK; +} + +/* Check for reserved application-level function codes. */ +static void DNP3CheckReservedFunction(dnp3_session_data_t *session) +{ + if ( DNP3FuncIsDefined( (uint16_t)session->func) ) + { + _dpd.alertAdd(GENERATOR_SPP_DNP3, DNP3_RESERVED_FUNCTION, + 1, 0, 3, DNP3_RESERVED_FUNCTION_STR, 0); + } +} + +/* Decode a DNP3 Application-layer Fragment, fill out the relevant session data + for rule option evaluation. */ +static int DNP3ProcessApplication(dnp3_session_data_t *session) +{ + dnp3_reassembly_data_t *rdata = NULL; + + if (session == NULL) + return DNP3_FAIL; + + /* Master and Outstation use slightly different Application-layer headers. + Only the outstation sends Internal Indications. 
*/ + if (session->direction == DNP3_CLIENT) + { + dnp3_app_request_header_t *request = NULL; + rdata = &(session->client_rdata); + + if (rdata->buflen < sizeof(dnp3_app_request_header_t)) + return DNP3_FAIL; /* TODO: Preprocessor Alert */ + + request = (dnp3_app_request_header_t *)(rdata->buffer); + + session->func = request->function; + } + else if (session->direction == DNP3_SERVER) + { + dnp3_app_response_header_t *response = NULL; + rdata = &(session->server_rdata); + + if (rdata->buflen < sizeof(dnp3_app_response_header_t)) + return DNP3_FAIL; /* TODO: Preprocessor Alert */ + + response = (dnp3_app_response_header_t *)(rdata->buffer); + + session->func = response->function; + session->indications = ntohs(response->indications); + } + + DNP3CheckReservedFunction(session); + + return DNP3_OK; +} + +/* Check a CRC in a single block. */ +/* This code is mostly lifted from the example in the DNP3 spec. */ + +static inline void computeCRC(unsigned char data, uint16_t *crcAccum) +{ + *crcAccum = + (*crcAccum >> 8) ^ crcLookUpTable[(*crcAccum ^ data) & 0xFF]; +} + +static int DNP3CheckCRC(unsigned char *buf, uint16_t buflen) +{ + uint16_t idx; + uint16_t crc = 0; + + /* Compute check code for data in received block */ + for (idx = 0; idx < buflen-2; idx++) + computeCRC(buf[idx], &crc); + crc = ~crc; /* Invert */ + + /* Check CRC at end of block */ + if (buf[idx++] == (unsigned char)crc && + buf[idx] == (unsigned char)(crc >> 8)) + return DNP3_OK; + else + return DNP3_FAIL; +} + +/* Check CRCs in a Link-Layer Frame, then fill a buffer containing just the user data */ +static int DNP3CheckRemoveCRC(dnp3_config_t *config, uint8_t *pdu_start, + uint16_t pdu_length, char *buf, uint16_t *buflen) +{ + char *cursor; + uint16_t bytes_left; + + /* Check Header CRC */ + if ((config->check_crc) && + (DNP3CheckCRC((unsigned char*)pdu_start, sizeof(dnp3_link_header_t)+2) == DNP3_FAIL)) + { + _dpd.alertAdd(GENERATOR_SPP_DNP3, DNP3_BAD_CRC, 1, 0, 3, + DNP3_BAD_CRC_STR, 0); + return 
DNP3_FAIL; + } + + cursor = (char *)pdu_start + sizeof(dnp3_link_header_t) + 2; + bytes_left = pdu_length - sizeof(dnp3_link_header_t) - 2; + *buflen = 0; + + /* Process whole 16-byte chunks (plus 2-byte CRC) */ + while (bytes_left > 18) + { + if ((config->check_crc) && (DNP3CheckCRC((unsigned char*)cursor, 18) == DNP3_FAIL)) + { + _dpd.alertAdd(GENERATOR_SPP_DNP3, DNP3_BAD_CRC, 1, 0, 3, + DNP3_BAD_CRC_STR, 0); + return DNP3_FAIL; + } + + memcpy((buf + *buflen), cursor, 16); + *buflen += 16; + cursor += 18; + bytes_left -= 18; + } + /* Process leftover chunk, under 16 bytes */ + if (bytes_left > 2) + { + if ((config->check_crc) && (DNP3CheckCRC((unsigned char*)cursor, bytes_left) == DNP3_FAIL)) + { + _dpd.alertAdd(GENERATOR_SPP_DNP3, DNP3_BAD_CRC, 1, 0, 3, + DNP3_BAD_CRC_STR, 0); + return DNP3_FAIL; + } + + memcpy((buf + *buflen), cursor, (bytes_left - 2)); + *buflen += (bytes_left - 2); + cursor += bytes_left; + bytes_left = 0; + } + + return DNP3_OK; +} + +static int DNP3CheckReservedAddrs(dnp3_link_header_t *link) +{ + int bad_addr = 0; + + if ((link->src >= DNP3_MIN_RESERVED_ADDR) && (link->src <= DNP3_MAX_RESERVED_ADDR)) + bad_addr = 1; + + else if ((link->dest >= DNP3_MIN_RESERVED_ADDR) && (link->dest <= DNP3_MAX_RESERVED_ADDR)) + bad_addr = 1; + + if (bad_addr) + { + _dpd.alertAdd(GENERATOR_SPP_DNP3, DNP3_RESERVED_ADDRESS, 1, 0, 3, + DNP3_RESERVED_ADDRESS_STR, 0); + return DNP3_FAIL; + } + + return DNP3_OK; +} + +/* Main DNP3 Reassembly function. Moved here to avoid circular dependency between + spp_dnp3 and dnp3_reassembly. 
*/ +int DNP3FullReassembly(dnp3_config_t *config, dnp3_session_data_t *session, SFSnortPacket *packet, uint8_t *pdu_start, uint16_t pdu_length) +{ + char buf[256]; + uint16_t buflen; + dnp3_link_header_t *link; + dnp3_reassembly_data_t *rdata; + + if (pdu_length < (sizeof(dnp3_link_header_t) + sizeof(dnp3_transport_header_t) + 2)) + return DNP3_FAIL; + + if (session->direction == DNP3_CLIENT) + rdata = &(session->client_rdata); + else + rdata = &(session->server_rdata); + + /* Step 1: Decode header and skip to data */ + link = (dnp3_link_header_t *) pdu_start; + + if (link->len < DNP3_MIN_TRANSPORT_LEN) + { + _dpd.alertAdd(GENERATOR_SPP_DNP3, DNP3_DROPPED_FRAME, 1, 0, 3, + DNP3_DROPPED_FRAME_STR, 0); + return DNP3_FAIL; + } + + /* Check reserved addresses */ + if ( DNP3CheckReservedAddrs(link) == DNP3_FAIL ) + return DNP3_FAIL; + + /* XXX: NEED TO TRACK SEPARATE DNP3 SESSIONS OVER SINGLE TCP SESSION */ + + /* Step 2: Remove CRCs */ + if ( DNP3CheckRemoveCRC(config, pdu_start, pdu_length, buf, &buflen) == DNP3_FAIL ) + return DNP3_FAIL; + + /* Step 3: Queue user data in frame for Transport-Layer reassembly */ + if (DNP3ReassembleTransport(rdata, buf, buflen) == DNP3_FAIL) + return DNP3_FAIL; + + /* Step 4: Decode Application-Layer */ + if (rdata->state == DNP3_REASSEMBLY_STATE__DONE) + { + int ret = DNP3ProcessApplication(session); + + /* To support multiple PDUs in UDP, we're going to call Detect() + on each individual PDU. The AltDecode buffer was set earlier. */ + if ((ret == DNP3_OK) && (packet->udp_header)) + _dpd.detect(packet); + else + return ret; + } + + return DNP3_OK; +} + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dnp3/dnp3_reassembly.h snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_reassembly.h --- snort-2.8.5.2/src/dynamic-preprocessors/dnp3/dnp3_reassembly.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_reassembly.h 2011-11-21 20:15:24.000000000 +0000 
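Review bot: `_dpd.SetAltDecode(alt_len);` at the end of DNP3ReassembleTransport publishes the entire alt buffer (`sizeof(_dpd.altBuffer->data)`) as decoded data although only `rdata->buflen` bytes were copied into it, so detection runs over whatever stale bytes earlier packets left behind; it should be `_dpd.SetAltDecode((uint16_t)rdata->buflen);`, consistent with the length DNP3DataEval passes to SetAltDetect. The three `DNP3QueueSegment(rdata, buf, buflen);` calls in the same function discard the DNP3_FAIL return, so a segment that does not fit in the reassembly buffer still updates `last_seq` and can move the state to DONE with a truncated fragment that is then decoded and matched; a failed queue should be treated like a dropped segment and return DNP3_FAIL. DNP3CheckRemoveCRC copies user data into the caller's `char buf[256]` from DNP3FullReassembly without knowing its capacity, and the amount copied is derived only from `pdu_length`, which nothing in this file compares with the frame length implied by `link->len` (PAF does that computation for TCP, but the UDP path depends on the caller outside this hunk); unless that caller bounds `pdu_length`, an oversized datagram overruns `buf`, so either pass the capacity into DNP3CheckRemoveCRC and fail when `*buflen + 16` would exceed it, or reject frames whose `pdu_length` exceeds the length `link->len` allows before the CRC loop. If DNP3FuncIsDefined returns nonzero for known codes, the condition in DNP3CheckReservedFunction is inverted and alerts on every defined function code rather than the reserved ones.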
@@ -0,0 +1,35 @@ +/* + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2011 Sourcefire, Inc. + * + * Author: Ryan Jordan + * + * Dynamic preprocessor for the DNP3 protocol + * + */ + +#ifndef DNP3_REASSEMBLY__H +#define DNP3_REASSEMBLY__H + +#include "sf_types.h" +#include "sf_snort_packet.h" +#include "spp_dnp3.h" + + +int DNP3FullReassembly(dnp3_config_t *config, dnp3_session_data_t *session, SFSnortPacket *packet, uint8_t *pdu_start, uint16_t pdu_length); + +#endif /* DNP3_REASSEMBLY__H */ diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dnp3/dnp3_roptions.c snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_roptions.c --- snort-2.8.5.2/src/dynamic-preprocessors/dnp3/dnp3_roptions.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_roptions.c 2011-11-21 20:15:24.000000000 +0000 
@@ -0,0 +1,575 @@ +/* + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2011 Sourcefire, Inc. + * + * Author: Ryan Jordan + * + * Rule options for the DNP3 preprocessor + * + */ + +#include + +#include "sf_types.h" +#include "sf_snort_plugin_api.h" +#include "sf_snort_packet.h" +#include "sf_dynamic_preprocessor.h" +#include "mempool.h" + +#include "spp_dnp3.h" +#include "dnp3_map.h" +#include "dnp3_roptions.h" + +/* Object decoding constants */ +#define DNP3_OBJ_HDR_MIN_LEN 3 /* group, var, qualifier */ +#define DNP3_OBJ_QUAL_PREFIX(x) ((x & 0x70) >> 4) +#define DNP3_OBJ_QUAL_RANGE(x) (x & 0x0F) + +/* Object header prefix codes */ +#define DNP3_PREFIX_NO_PREFIX 0x00 +#define DNP3_PREFIX_1OCT_INDEX 0x01 +#define DNP3_PREFIX_2OCT_INDEX 0x02 +#define DNP3_PREFIX_4OCT_INDEX 0x03 +#define DNP3_PREFIX_1OCT_SIZE 0x04 +#define DNP3_PREFIX_2OCT_SIZE 0x05 +#define DNP3_PREFIX_4OCT_SIZE 0x06 +#define DNP3_PREFIX_RESERVED 0x07 + +/* Object header range specifiers -- 0x0A & 0x0C-0x0F are reserved */ +#define DNP3_RANGE_1OCT_INDICES 0x00 +#define DNP3_RANGE_2OCT_INDICES 0x01 +#define DNP3_RANGE_4OCT_INDICES 0x02 +#define DNP3_RANGE_1OCT_ADDRESSES 0x03 +#define DNP3_RANGE_2OCT_ADDRESSES 0x04 +#define DNP3_RANGE_4OCT_ADDRESSES 0x05 +#define 
DNP3_RANGE_NO_RANGE 0x06 +#define DNP3_RANGE_1OCT_COUNT 0x07 +#define DNP3_RANGE_2OCT_COUNT 0x08 +#define DNP3_RANGE_4OCT_COUNT 0x09 +#define DNP3_RANGE_VARIABLE 0x0B + +typedef enum _dnp3_option_type_t +{ + DNP3_FUNC = 0, + DNP3_OBJ, + DNP3_IND, + DNP3_DATA +} dnp3_option_type_t; + +typedef struct _dnp3_option_data_t +{ + dnp3_option_type_t type; + uint16_t arg; +} dnp3_option_data_t; + +/* Parsing functions */ +int DNP3FuncInit(char *name, char *params, void **data) +{ + char *endptr; + dnp3_option_data_t *dnp3_data; + long func_code; + + if (name == NULL || params == NULL || data == NULL) + return 0; + + if (strcmp(name, DNP3_FUNC_NAME) != 0) + return 0; + + dnp3_data = (dnp3_option_data_t *)calloc(1, sizeof(dnp3_option_data_t)); + if (dnp3_data == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) Failed to allocate memory for " + "dnp3_func data structure.\n", __FILE__, __LINE__); + } + + /* Parsing time */ + if (isdigit(params[0])) + { + /* Function code given as integer */ + func_code = _dpd.SnortStrtol(params, &endptr, 10); + if ((func_code > 255) || (func_code < 0) || (*endptr != '\0')) + { + DynamicPreprocessorFatalMessage("%s(%d): dnp3_func requires a " + "number beween 0 and 255, or a valid function name.\n", + *_dpd.config_file, *_dpd.config_line); + } + } + else + { + func_code = DNP3FuncStrToCode(params); + + if (func_code == -1) + { + DynamicPreprocessorFatalMessage("%s(%d): dnp3_func requires a " + "number beween 0 and 255, or a valid function name.\n", + *_dpd.config_file, *_dpd.config_line); + } + } + + dnp3_data->type = DNP3_FUNC; + dnp3_data->arg = (uint16_t) func_code; + + *data = (void *)dnp3_data; + + return 1; +} + +NORETURN static inline void DNP3ObjError(void) +{ + DynamicPreprocessorFatalMessage("%s(%d) dnp3_obj requires two arguments," + "where each argument is a number between 0 and 255.\n", + *_dpd.config_file, *_dpd.config_line); +} + +int DNP3ObjInit(char *name, char *params, void **data) +{ + char *endptr, *token, *saveptr; + 
dnp3_option_data_t *dnp3_data; + unsigned int obj_group, obj_var; + + if (name == NULL || data == NULL) + return 0; + + if (strcmp(name, DNP3_OBJ_NAME) != 0) + return 0; + + if (params == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d): No argument given for dnp3_obj. " + "dnp3_obj requires two arguments, where each argument is a number " + "between 0 and 255.\n", *_dpd.config_file, *_dpd.config_line); + } + + dnp3_data = (dnp3_option_data_t *)calloc(1, sizeof(dnp3_option_data_t)); + if (dnp3_data == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) Failed to allocate memory for " + "dnp3_func data structure.\n", __FILE__, __LINE__); + } + + token = strtok_r(params, ",", &saveptr); + if (token == NULL) + DNP3ObjError(); + + /* First token: object group */ + obj_group = _dpd.SnortStrtoul(token, &endptr, 10); + if ((obj_group > 255) || (*endptr != '\0')) + DNP3ObjError(); + + token = strtok_r(NULL, ",", &saveptr); + if (token == NULL) + DNP3ObjError(); + + /* Second token: object var */ + obj_var = _dpd.SnortStrtoul(token, &endptr, 10); + if ((obj_var > 255) || (*endptr != '\0')) + DNP3ObjError(); + + /* pack the two arguments into one uint16_t */ + dnp3_data->type = DNP3_OBJ; + dnp3_data->arg = ((obj_group << 8) | (obj_var)); + + *data = dnp3_data; + + return 1; +} + +int DNP3IndInit(char *name, char *params, void **data) +{ + dnp3_option_data_t *dnp3_data; + char *token, *saveptr; + uint16_t flags = 0; + + if (name == NULL || params == NULL || data == NULL) + return 0; + + dnp3_data = (dnp3_option_data_t *)calloc(1, sizeof(dnp3_option_data_t)); + if (dnp3_data == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) Failed to allocate memory for " + "dnp3_func data structure.\n", __FILE__, __LINE__); + } + + token = strtok_r(params, ",", &saveptr); + + while (token != NULL) + { + int flag = DNP3IndStrToCode(token); + + if (flag == -1) + { + DynamicPreprocessorFatalMessage("%s(%d): dnp3_ind requires a " + "valid indication flag name. 
'%s' is invalid.\n", + *_dpd.config_file, *_dpd.config_line, token); + } + + flags |= (uint16_t) flag; + token = strtok_r(NULL, ",", &saveptr); + } + + if (flags == 0) + { + DynamicPreprocessorFatalMessage("%s(%d): dnp3_ind requires a " + "valid indication flag name. No flags were given.\n", + *_dpd.config_file, *_dpd.config_line); + } + + dnp3_data->type = DNP3_IND; + dnp3_data->arg = flags; + + *data = (void *)dnp3_data; + + return 1; +} + +int DNP3DataInit(char *name, char *params, void **data) +{ + dnp3_option_data_t *dnp3_data; + + if (name == NULL || data == NULL) + return 0; + + /* nothing to parse. */ + if (params) + { + DynamicPreprocessorFatalMessage("%s(%d): dnp3_data does not take " + "any arguments.\n", *_dpd.config_file, *_dpd.config_line); + } + + dnp3_data = (dnp3_option_data_t *)calloc(1, sizeof(dnp3_option_data_t)); + if (dnp3_data == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) Failed to allocate memory for " + "dnp3_data data structure.\n", __FILE__, __LINE__); + } + + dnp3_data->type = DNP3_DATA; + dnp3_data->arg = 0; + + *data = (void *)dnp3_data; + + return 1; +} + +/* Evaluation functions */ +int DNP3FuncEval(void *raw_packet, const uint8_t **cursor, void *data) +{ + SFSnortPacket *packet = (SFSnortPacket *)raw_packet; + MemBucket *tmp_bucket; + dnp3_option_data_t *rule_data = (dnp3_option_data_t *)data; + dnp3_session_data_t *session_data; + dnp3_reassembly_data_t *rdata; + + /* The preprocessor only evaluates PAF-flushed PDUs. If the rule options + don't check for this, they'll fire on stale session data when the + original packet goes through before flushing. */ + if (packet->tcp_header && !PacketHasFullPDU(packet)) + return RULE_NOMATCH; + + /* For UDP packets, there is no PAF so we use the Alt Decode buffer. 
*/ + if (packet->udp_header && !_dpd.Is_DetectFlag(SF_FLAG_ALT_DECODE)) + return RULE_NOMATCH; + + tmp_bucket = (MemBucket *) + _dpd.streamAPI->get_application_data(packet->stream_session_ptr, PP_DNP3); + + if ((packet->payload_size == 0) || (tmp_bucket == NULL)) + { + return RULE_NOMATCH; + } + + session_data = (dnp3_session_data_t *)tmp_bucket->data; + + if (session_data->direction == DNP3_CLIENT) + rdata = &(session_data->client_rdata); + else + rdata = &(session_data->server_rdata); + + /* Only evaluate rules against complete Application-layer fragments */ + if (rdata->state != DNP3_REASSEMBLY_STATE__DONE) + return RULE_NOMATCH; + + if (session_data->func == rule_data->arg) + return RULE_MATCH; + + return RULE_NOMATCH; +} + +static int DNP3DecodeObject(uint8_t *buf, uint16_t buflen, uint8_t rule_group, uint8_t rule_var) +{ + uint8_t group, var; + + /* XXX: uncomment these when fixing the below TODO regarding multiple objects + uint8_t qualifier, prefix_size, prefix_code, range_specifier; + uint32_t begin, end, num_objects; + */ + + if (buf == NULL || buflen < DNP3_OBJ_HDR_MIN_LEN) + return RULE_NOMATCH; + + /* Decode group */ + group = *buf; + buf++; + buflen--; + + /* Decode var */ + var = *buf; + buf++; + buflen--; + + /* Match the rule option here, quit decoding if we found the right header. */ + if ((group == rule_group) && (var == rule_var)) + return RULE_MATCH; + +/* TODO: Implement matching with multiple objects in a Request/Response. 
*/ +#if 0 + /* Decode qualifier */ + qualifier = *buf; + prefix_code = DNP3_OBJ_QUAL_PREFIX(qualifier); + range_specifier = DNP3_OBJ_QUAL_RANGE(qualifier); + buf++; + buflen--; + + /* The size of object prefixes depends on the prefix code */ + switch (prefix_code) + { + case DNP3_PREFIX_NO_PREFIX: + prefix_size = 0; + break; + + case DNP3_PREFIX_1OCT_INDEX: + case DNP3_PREFIX_1OCT_SIZE: + prefix_size = 1; + break; + + case DNP3_PREFIX_2OCT_INDEX: + case DNP3_PREFIX_2OCT_SIZE: + prefix_size = 2; + break; + + case DNP3_PREFIX_4OCT_INDEX: + case DNP3_PREFIX_4OCT_SIZE: + prefix_size = 4; + break; + + default: + /* TODO: Preprocessor alert on reserved value */ + return DNP3_FAIL; + } + + /* Decoding of the range field depends on the Range Specifier */ + switch (range_specifier) + { + case DNP3_RANGE_1OCT_INDICES: + if (buflen < 2) + return DNP3_FAIL; + + /* Decode 8-bit indices for object prefixes */ + begin = *(uint8_t *)buf++; + end = *(uint8_t *)buf++; + buflen -= 2; + + /* Check that indices make sense */ + if (begin > end) + return DNP3_FAIL; /* TODO: Preprocessor alert */ + + num_objects = end - begin + 1; + break; + + case DNP3_RANGE_2OCT_INDICES: + if (buflen < 2) + return DNP3_FAIL; + + /* Decode 8-bit indices for object prefixes */ + begin = *(uint16_t *)buf++; + end = *(uint16_t *)buf++; + buflen -= 2; + + /* Check that indices make sense */ + if (begin > end) + return DNP3_FAIL; /* TODO: Preprocessor alert */ + + num_objects = end - begin + 1; + break; + + case DNP3_RANGE_4OCT_INDICES: + case DNP3_RANGE_1OCT_ADDRESSES: + case DNP3_RANGE_2OCT_ADDRESSES: + case DNP3_RANGE_4OCT_ADDRESSES: + case DNP3_RANGE_NO_RANGE: + case DNP3_RANGE_1OCT_COUNT: + case DNP3_RANGE_2OCT_COUNT: + case DNP3_RANGE_4OCT_COUNT: + case DNP3_RANGE_VARIABLE: + default: + } +#endif /* 0 */ + + return RULE_NOMATCH; +} + +int DNP3ObjEval(void *raw_packet, const uint8_t **cursor, void *data) +{ + SFSnortPacket *packet = (SFSnortPacket *)raw_packet; + MemBucket *tmp_bucket; + 
dnp3_option_data_t *rule_data = (dnp3_option_data_t *)data; + dnp3_session_data_t *session_data; + dnp3_reassembly_data_t *rdata; + uint8_t group, var; + uint8_t *obj_buffer; + uint16_t obj_buflen; + size_t header_size; + int rval = RULE_NOMATCH; + + /* The preprocessor only evaluates PAF-flushed PDUs. If the rule options + don't check for this, they'll fire on stale session data when the + original packet goes through before flushing. */ + if (packet->tcp_header && !PacketHasFullPDU(packet)) + return RULE_NOMATCH; + + /* For UDP packets, there is no PAF so we use the Alt Decode buffer. */ + if (packet->udp_header && !_dpd.Is_DetectFlag(SF_FLAG_ALT_DECODE)) + return RULE_NOMATCH; + + tmp_bucket = (MemBucket *) + _dpd.streamAPI->get_application_data(packet->stream_session_ptr, PP_DNP3); + + if ((packet->payload_size == 0) || (tmp_bucket == NULL)) + { + return RULE_NOMATCH; + } + + session_data = (dnp3_session_data_t *)tmp_bucket->data; + + if (session_data->direction == DNP3_CLIENT) + { + rdata = &(session_data->client_rdata); + header_size = sizeof(dnp3_app_request_header_t); + } + else + { + rdata = &(session_data->server_rdata); + header_size = sizeof(dnp3_app_response_header_t); + } + + /* Only evaluate rules against complete Application-layer fragments */ + if (rdata->state != DNP3_REASSEMBLY_STATE__DONE) + return RULE_NOMATCH; + + /* Skip over the App request/response header. + They are different sizes, depending on whether it is a request or response! 
*/ + if (rdata->buflen < header_size) + return RULE_NOMATCH; + + obj_buffer = (uint8_t *)rdata->buffer + header_size; + obj_buflen = rdata->buflen - header_size; + + /* Rule parsing code combined our two arguments into a single uint16_t */ + group = (rule_data->arg >> 8); + var = (rule_data->arg & 0x00FF); + + rval = DNP3DecodeObject(obj_buffer, obj_buflen, group, var); + + return rval; +} + +int DNP3IndEval(void *raw_packet, const uint8_t **cursor, void *data) +{ + SFSnortPacket *packet = (SFSnortPacket *)raw_packet; + MemBucket *tmp_bucket; + dnp3_option_data_t *rule_data = (dnp3_option_data_t *)data; + dnp3_session_data_t *session_data; + dnp3_reassembly_data_t *rdata; + + /* The preprocessor only evaluates PAF-flushed PDUs. If the rule options + don't check for this, they'll fire on stale session data when the + original packet goes through before flushing. */ + if (packet->tcp_header && !PacketHasFullPDU(packet)) + return RULE_NOMATCH; + + /* For UDP packets, there is no PAF so we use the Alt Decode buffer. */ + if (packet->udp_header && !_dpd.Is_DetectFlag(SF_FLAG_ALT_DECODE)) + return RULE_NOMATCH; + + tmp_bucket = (MemBucket *) + _dpd.streamAPI->get_application_data(packet->stream_session_ptr, PP_DNP3); + + if ((packet->payload_size == 0) || (tmp_bucket == NULL)) + { + return RULE_NOMATCH; + } + + session_data = (dnp3_session_data_t *)tmp_bucket->data; + + /* Internal Indications only apply to DNP3 responses, not requests. 
*/ + if (session_data->direction == DNP3_CLIENT) + return RULE_NOMATCH; + + rdata = &(session_data->server_rdata); + + /* Only evaluate rules against complete Application-layer fragments */ + if (rdata->state != DNP3_REASSEMBLY_STATE__DONE) + return RULE_NOMATCH; + + if (session_data->indications & rule_data->arg) + return RULE_MATCH; + + return RULE_NOMATCH; +} + +int DNP3DataEval(void *raw_packet, const uint8_t **cursor, void *data) +{ + SFSnortPacket *packet = (SFSnortPacket *)raw_packet; + MemBucket *tmp_bucket; + dnp3_session_data_t *session_data; + dnp3_reassembly_data_t *rdata; + + /* The preprocessor only evaluates PAF-flushed PDUs. If the rule options + don't check for this, they'll fire on stale session data when the + original packet goes through before flushing. */ + if (packet->tcp_header && !PacketHasFullPDU(packet)) + return RULE_NOMATCH; + + /* For UDP packets, there is no PAF so we use the Alt Decode buffer. */ + if (packet->udp_header && !_dpd.Is_DetectFlag(SF_FLAG_ALT_DECODE)) + return RULE_NOMATCH; + + tmp_bucket = (MemBucket *) + _dpd.streamAPI->get_application_data(packet->stream_session_ptr, PP_DNP3); + + if ((packet->payload_size == 0) || (tmp_bucket == NULL)) + { + return RULE_NOMATCH; + } + + session_data = (dnp3_session_data_t *)tmp_bucket->data; + + if (session_data->direction == DNP3_CLIENT) + rdata = &(session_data->client_rdata); + else + rdata = &(session_data->server_rdata); + + /* Only evaluate rules against complete Application-layer fragments */ + if (rdata->state != DNP3_REASSEMBLY_STATE__DONE) + return RULE_NOMATCH; + + /* Set the cursor to the reassembled Application-layer buffer */ + *cursor = (uint8_t *)rdata->buffer; + _dpd.SetAltDetect((uint8_t *)rdata->buffer, rdata->buflen); + + return RULE_MATCH; +} diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dnp3/dnp3_roptions.h snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_roptions.h --- snort-2.8.5.2/src/dynamic-preprocessors/dnp3/dnp3_roptions.h 1970-01-01 00:00:00.000000000 
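Review bot: DNP3IndInit and DNP3DataInit never compare `name` against DNP3_IND_NAME / DNP3_DATA_NAME, while DNP3FuncInit and DNP3ObjInit reject a mismatched option name with `return 0`; add `if (strcmp(name, DNP3_IND_NAME) != 0) return 0;` (and the DNP3_DATA_NAME equivalent) so all four parsers behave the same. The fatal message in DNP3ObjError is built from two adjacent literals with no separating space and prints "two arguments,where", "beween" appears twice in DNP3FuncInit, and the allocation-failure messages in DNP3ObjInit and DNP3IndInit still say "dnp3_func data structure". The four Eval functions repeat the same preamble (PAF-flush check, alt-decode check, `get_application_data`, `payload_size` test); a static helper that returns the session or NULL would keep those checks from drifting apart as they already have in DNP3IndEval, which also fixes the direction. `packet->stream_session_ptr` is passed to `get_application_data` without a NULL check in all four; if the stream API does not tolerate a null session pointer for packets without a tracked session, guard it before the call. The `#if 0` block in DNP3DecodeObject should not be enabled as written: the DNP3_RANGE_2OCT_INDICES case advances `buf` by one byte per `*(uint16_t *)buf++` and guards a four-byte read with `buflen < 2`, and the trailing `default:` with no statement will not compile.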
+0000 +++ snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_roptions.h 2011-10-26 18:28:52.000000000 +0000 
@@ -0,0 +1,48 @@
+/*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) 2011 Sourcefire, Inc.
+ *
+ * Author: Ryan Jordan
+ *
+ * Rule options for the DNP3 preprocessor
+ *
+ */
+
+#ifndef DNP3_ROPTIONS__H
+#define DNP3_ROPTIONS__H
+
+#include
+
+/* option names */
+#define DNP3_FUNC_NAME "dnp3_func"
+#define DNP3_OBJ_NAME "dnp3_obj"
+#define DNP3_IND_NAME "dnp3_ind"
+#define DNP3_DATA_NAME "dnp3_data"
+
+/* Rule registration functions */
+int DNP3FuncInit(char *name, char *params, void **data);
+int DNP3ObjInit(char *name, char *params, void **data);
+int DNP3IndInit(char *name, char *params, void **data);
+int DNP3DataInit(char *name, char *params, void **data);
+
+/* Rule evaluation functions */
+int DNP3FuncEval(void *raw_packet, const uint8_t **cursor, void *data);
+int DNP3ObjEval(void *raw_packet, const uint8_t **cursor, void *data);
+int DNP3IndEval(void *raw_packet, const uint8_t **cursor, void *data);
+int DNP3DataEval(void *raw_packet, const uint8_t **cursor, void *data);
+
+#endif /* DNP3_ROPTIONS__H */
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dnp3/Makefile.am snort-2.9.2/src/dynamic-preprocessors/dnp3/Makefile.am
--- snort-2.8.5.2/src/dynamic-preprocessors/dnp3/Makefile.am 1970-01-01 00:00:00.000000000 +0000
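Review bot: The four `*Init`/`*Eval` prototypes are declared with no statement of their contract, so a reader of this header cannot tell what `*data` holds after an `*Init` call, who releases it, or what an `*Eval` may do with `cursor`. The dnp3_roptions.c hunk in this same patch shows the Eval functions returning RULE_MATCH/RULE_NOMATCH and `DNP3DataEval` repointing `*cursor` at the reassembled application-layer buffer and calling `_dpd.SetAltDetect()` on it, presumably so that later options in the same rule evaluate against that buffer instead of the raw payload; I would say so in a comment above the Eval prototypes, e.g. `/* Eval: return RULE_MATCH/RULE_NOMATCH; dnp3_data moves *cursor to the reassembled app-layer PDU and sets it as the alt-detect buffer */`, and describe the `*data` ownership on the Init side once it is confirmed against the registration code. Separately, the `#include` directive near the top shows no header name in this rendering, while the Eval signatures use `uint8_t`, so check that the directive (`<stdint.h>` or an sf_types.h equivalent) survived intact. Since `params` is only parsed by the option parsers, `const char *params` would document that the rule text is not modified, if the `_dpd` option-registration API accepts that signature.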
+++ snort-2.9.2/src/dynamic-preprocessors/dnp3/Makefile.am 2011-10-26 18:28:52.000000000 +0000
@@ -0,0 +1,38 @@
+## $Id
+AUTOMAKE_OPTIONS=foreign no-dependencies
+
+INCLUDES = -I../include -I${srcdir}/../libs
+
+libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor
+
+lib_LTLIBRARIES = libsf_dnp3_preproc.la
+
+libsf_dnp3_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@
+if SO_WITH_STATIC_LIB
+libsf_dnp3_preproc_la_LIBADD = ../libsf_dynamic_preproc.la
+else
+nodist_libsf_dnp3_preproc_la_SOURCES = \
+../include/sf_dynamic_preproc_lib.c \
+../include/sfPolicyUserData.c \
+../include/mempool.c \
+../include/sf_sdlist.c
+endif
+
+libsf_dnp3_preproc_la_SOURCES = \
+spp_dnp3.c \
+spp_dnp3.h \
+dnp3_paf.c \
+dnp3_paf.h \
+dnp3_reassembly.c \
+dnp3_reassembly.h \
+dnp3_roptions.c \
+dnp3_roptions.h \
+dnp3_map.c \
+dnp3_map.h
+
+EXTRA_DIST = \
+sf_dnp3.dsp
+
+all-local: $(LTLIBRARIES)
+ $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES
+
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dnp3/Makefile.in snort-2.9.2/src/dynamic-preprocessors/dnp3/Makefile.in
--- snort-2.8.5.2/src/dynamic-preprocessors/dnp3/Makefile.in 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/dnp3/Makefile.in 2011-12-07 19:23:19.000000000 +0000
@@ -0,0 +1,566 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/dynamic-preprocessors/dnp3 +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 
+am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(libdir)" +LTLIBRARIES = $(lib_LTLIBRARIES) +@SO_WITH_STATIC_LIB_TRUE@libsf_dnp3_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la +am_libsf_dnp3_preproc_la_OBJECTS = spp_dnp3.lo dnp3_paf.lo \ + dnp3_reassembly.lo dnp3_roptions.lo dnp3_map.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_dnp3_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo mempool.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sf_sdlist.lo +libsf_dnp3_preproc_la_OBJECTS = $(am_libsf_dnp3_preproc_la_OBJECTS) \ + $(nodist_libsf_dnp3_preproc_la_OBJECTS) +libsf_dnp3_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libsf_dnp3_preproc_la_LDFLAGS) $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = +am__depfiles_maybe = +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + 
--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libsf_dnp3_preproc_la_SOURCES) \ + $(nodist_libsf_dnp3_preproc_la_SOURCES) +DIST_SOURCES = $(libsf_dnp3_preproc_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ +CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAINT = @MAINT@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +RANLIB = 
@RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ +STRIP = @STRIP@ +VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ +YACC = @YACC@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +extra_incl = @extra_incl@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +AUTOMAKE_OPTIONS = foreign no-dependencies +lib_LTLIBRARIES = libsf_dnp3_preproc.la +libsf_dnp3_preproc_la_LDFLAGS = -shared -export-dynamic -module 
@XCCFLAGS@ +@SO_WITH_STATIC_LIB_TRUE@libsf_dnp3_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_dnp3_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/mempool.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_sdlist.c + +libsf_dnp3_preproc_la_SOURCES = \ +spp_dnp3.c \ +spp_dnp3.h \ +dnp3_paf.c \ +dnp3_paf.h \ +dnp3_reassembly.c \ +dnp3_reassembly.h \ +dnp3_roptions.c \ +dnp3_roptions.h \ +dnp3_map.c \ +dnp3_map.h + +EXTRA_DIST = \ +sf_dnp3.dsp + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/dnp3/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-preprocessors/dnp3/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-libLTLIBRARIES: $(lib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } + +uninstall-libLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ + done + +clean-libLTLIBRARIES: + -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) + @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done 
+libsf_dnp3_preproc.la: $(libsf_dnp3_preproc_la_OBJECTS) $(libsf_dnp3_preproc_la_DEPENDENCIES) + $(libsf_dnp3_preproc_la_LINK) -rpath $(libdir) $(libsf_dnp3_preproc_la_OBJECTS) $(libsf_dnp3_preproc_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +.c.o: + $(COMPILE) -c $< + +.c.obj: + $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: + $(LTCOMPILE) -c -o $@ $< + +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + +mempool.lo: ../include/mempool.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mempool.lo `test -f '../include/mempool.c' || echo '$(srcdir)/'`../include/mempool.c + +sf_sdlist.lo: ../include/sf_sdlist.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_sdlist.lo `test -f '../include/sf_sdlist.c' || echo '$(srcdir)/'`../include/sf_sdlist.c + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; 
fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in 
$$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) all-local +installdirs: + for dir in "$(DESTDIR)$(libdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-libLTLIBRARIES + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-libLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-libLTLIBRARIES install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-libLTLIBRARIES + + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dnp3/sf_dnp3.dsp snort-2.9.2/src/dynamic-preprocessors/dnp3/sf_dnp3.dsp --- snort-2.8.5.2/src/dynamic-preprocessors/dnp3/sf_dnp3.dsp 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dnp3/sf_dnp3.dsp 2011-11-21 20:15:24.000000000 +0000 
@@ -0,0 +1,243 @@ +# Microsoft Developer Studio Project File - Name="sf_dnp3" - Package Owner=<4> +# Microsoft Developer Studio Generated Build File, Format Version 6.00 +# ** DO NOT EDIT ** + +# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102 + +CFG=sf_dnp3 - Win32 IPv6 Debug +!MESSAGE This is not a valid makefile. To build this project using NMAKE, +!MESSAGE use the Export Makefile command and run +!MESSAGE +!MESSAGE NMAKE /f "sf_dnp3.mak". +!MESSAGE +!MESSAGE You can specify a configuration when running NMAKE +!MESSAGE by defining the macro CFG on the command line. For example: +!MESSAGE +!MESSAGE NMAKE /f "sf_dnp3.mak" CFG="sf_dnp3 - Win32 IPv6 Debug" +!MESSAGE +!MESSAGE Possible choices for configuration are: +!MESSAGE +!MESSAGE "sf_dnp3 - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_dnp3 - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_dnp3 - Win32 IPv6 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_dnp3 - Win32 IPv6 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE + +# Begin Project +# PROP AllowPerConfigDependencies 0 +# PROP Scc_ProjName "" +# PROP Scc_LocalPath "" +CPP=cl.exe +MTL=midl.exe +RSC=rc.exe + +!IF "$(CFG)" == "sf_dnp3 - Win32 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "Release" +# PROP BASE Intermediate_Dir "Release" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "Release" +# PROP Intermediate_Dir "Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SF_SNORT_PREPROC_DLL" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D 
"_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 + +!ELSEIF "$(CFG)" == "sf_dnp3 - Win32 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "Debug" +# PROP BASE Intermediate_Dir "Debug" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "Debug" +# PROP Intermediate_Dir "Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# 
ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept + +!ELSEIF "$(CFG)" == "sf_dnp3 - Win32 IPv6 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "sf_dnp3___Win32_IPv6_Debug" +# PROP BASE Intermediate_Dir "sf_dnp3___Win32_IPv6_Debug" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "IPv6_Debug" +# PROP Intermediate_Dir "IPv6_Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /GZ /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 ws2_32.lib 
kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept + +!ELSEIF "$(CFG)" == "sf_dnp3 - Win32 IPv6 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "sf_dnp3___Win32_IPv6_Release" +# PROP BASE Intermediate_Dir "sf_dnp3___Win32_IPv6_Release" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "IPv6_Release" +# PROP Intermediate_Dir "IPv6_Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_SMTP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo 
/dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 + +!ENDIF + +# Begin Target + +# Name "sf_dnp3 - Win32 Release" +# Name "sf_dnp3 - Win32 Debug" +# Name "sf_dnp3 - Win32 IPv6 Debug" +# Name "sf_dnp3 - Win32 IPv6 Release" +# Begin Group "Source Files" + +# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" +# Begin Source File + +SOURCE=.\dnp3_map.c +# End Source File +# Begin Source File + +SOURCE=.\dnp3_paf.c +# End Source File +# Begin Source File + +SOURCE=.\dnp3_reassembly.c +# End Source File +# Begin Source File + +SOURCE=.\dnp3_roptions.c +# End Source File +# Begin Source File + +SOURCE=..\include\mempool.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_dynamic_preproc_lib.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_sdlist.c +# End Source File +# Begin Source File + +SOURCE=..\include\sfPolicyUserData.c +# End Source File +# Begin Source File + +SOURCE=.\spp_dnp3.c +# End Source File +# Begin Source File + +SOURCE=..\include\strtok_r.c +# End Source File +# End Group +# Begin Group "Header Files" + +# PROP Default_Filter "h;hpp;hxx;hm;inl" +# Begin Source File + +SOURCE=.\dnp3_map.h +# End Source File +# Begin Source File + +SOURCE=.\dnp3_paf.h +# End Source File +# Begin Source File + +SOURCE=.\dnp3_reassembly.h +# End Source File +# Begin Source File + +SOURCE=.\dnp3_roptions.h +# End Source File +# Begin Source File + +SOURCE=..\include\mempool.h +# End Source File +# Begin Source File + +SOURCE=.\sf_preproc_info.h +# End Source File +# Begin Source File + +SOURCE=..\include\sf_sdlist.h +# End Source File +# Begin Source File + +SOURCE=..\include\sf_sdlist_types.h +# End Source File +# Begin Source File + +SOURCE=.\spp_dnp3.h +# End Source File +# End Group +# Begin Group "Resource Files" + +# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe" +# End Group +# End Target +# End Project diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dnp3/spp_dnp3.c 
snort-2.9.2/src/dynamic-preprocessors/dnp3/spp_dnp3.c --- snort-2.8.5.2/src/dynamic-preprocessors/dnp3/spp_dnp3.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dnp3/spp_dnp3.c 2011-11-21 20:15:24.000000000 +0000 
@@ -0,0 +1,912 @@ +/* + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2011 Sourcefire, Inc. + * + * Author: Ryan Jordan + * + * Dynamic preprocessor for the DNP3 protocol + * + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + +#include + +#include "sf_types.h" +#include "sf_snort_packet.h" +#include "sf_dynamic_preprocessor.h" +#include "sf_snort_plugin_api.h" +#include "snort_debug.h" +#include "mempool.h" + +#include "preprocids.h" +#include "spp_dnp3.h" +#include "sf_preproc_info.h" + +#include "dnp3_paf.h" +#include "dnp3_reassembly.h" +#include "dnp3_roptions.h" + +#include "profiler.h" +#ifdef PERF_PROFILING +PreprocStats dnp3PerfStats; +#endif + +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 1; +const int BUILD_VERSION = 1; +#ifdef SUP_IP6 +const char *PREPROC_NAME = "SF_DNP3 (IPV6)"; +#else +const char *PREPROC_NAME = "SF_DNP3"; +#endif + +#define SetupDNP3 DYNAMIC_PREPROC_SETUP + +/* Preprocessor config objects */ +static tSfPolicyUserContextId dnp3_context_id = NULL; +#ifdef SNORT_RELOAD +static tSfPolicyUserContextId dnp3_swap_context_id = NULL; +#endif +static dnp3_config_t *dnp3_eval_config = NULL; + +static MemPool *dnp3_mempool = NULL; + + +/* Target-based app ID */ +#ifdef 
TARGET_BASED +int16_t dnp3_app_id = SFTARGET_UNKNOWN_PROTOCOL; +#endif + +/* Prototypes */ +static void DNP3Init(char *argp); +static void DNP3OneTimeInit(void); +static dnp3_config_t * DNP3PerPolicyInit(tSfPolicyUserContextId); +static void DNP3RegisterPerPolicyCallbacks(dnp3_config_t *); + +static void ProcessDNP3(void *, void *); + +#ifdef SNORT_RELOAD +static void DNP3Reload(char *); +static int DNP3ReloadVerify(void); +static void * DNP3ReloadSwap(void); +static void DNP3ReloadSwapFree(void *); +#endif + +static void _addPortsToStream5Filter(dnp3_config_t *, tSfPolicyId); +#ifdef TARGET_BASED +static void _addServicesToStream5Filter(tSfPolicyId); +#endif + +static void DNP3FreeConfig(tSfPolicyUserContextId context_id); +static void FreeDNP3Data(void *); +static void DNP3CheckConfig(void); +static void DNP3CleanExit(int, void *); + +static void ParseDNP3Args(dnp3_config_t *config, char *args); +static void PrintDNP3Config(dnp3_config_t *config); + +static int DNP3PortCheck(dnp3_config_t *config, SFSnortPacket *packet); +static MemBucket * DNP3CreateSessionData(SFSnortPacket *); + +/* Default memcap is defined as MAX_TCP_SESSIONS * .05 * 20 bytes */ +#define DNP3_DEFAULT_MEMCAP (256 * 1024) + +/* Register init callback */ +void SetupDNP3(void) +{ +#ifndef SNORT_RELOAD + _dpd.registerPreproc("dnp3", DNP3Init); +#else + _dpd.registerPreproc("dnp3", DNP3Init, DNP3Reload, + DNP3ReloadSwap, DNP3ReloadSwapFree); +#endif +} + +/* Allocate memory for preprocessor config, parse the args, set up callbacks */ +static void DNP3Init(char *argp) +{ + int first_init = 0; + dnp3_config_t *dnp3_policy = NULL; + + if (dnp3_context_id == NULL) + { + first_init = 1; + DNP3OneTimeInit(); + } + + dnp3_policy = DNP3PerPolicyInit(dnp3_context_id); + + ParseDNP3Args(dnp3_policy, argp); + + PrintDNP3Config(dnp3_policy); + + DNP3RegisterPerPolicyCallbacks(dnp3_policy); +} + +static inline void DNP3OneTimeInit() +{ + /* context creation & error checking */ + dnp3_context_id = 
sfPolicyConfigCreate(); + if (dnp3_context_id == NULL) + { + DynamicPreprocessorFatalMessage("Failed to allocate memory for " + "DNP3 config.\n"); + } + + if (_dpd.streamAPI == NULL) + { + DynamicPreprocessorFatalMessage("SetupDNP3(): The Stream preprocessor " + "must be enabled.\n"); + } + + /* callback registration */ + _dpd.addPreprocConfCheck(DNP3CheckConfig); + _dpd.addPreprocExit(DNP3CleanExit, NULL, PRIORITY_LAST, PP_DNP3); + +#ifdef PERF_PROFILING + _dpd.addPreprocProfileFunc("dnp3", (void *)&dnp3PerfStats, 0, _dpd.totalPerfStats); +#endif + + /* Set up target-based app id */ +#ifdef TARGET_BASED + dnp3_app_id = _dpd.findProtocolReference("dnp3"); + if (dnp3_app_id == SFTARGET_UNKNOWN_PROTOCOL) + dnp3_app_id = _dpd.addProtocolReference("dnp3"); +#endif +} + +/* Responsible for allocating a DNP3 policy. Never returns NULL. */ +static inline dnp3_config_t * DNP3PerPolicyInit(tSfPolicyUserContextId context_id) +{ + tSfPolicyId policy_id = _dpd.getParserPolicy(); + dnp3_config_t *dnp3_policy = NULL; + + /* Check for existing policy & bail if found */ + sfPolicyUserPolicySet(context_id, policy_id); + dnp3_policy = (dnp3_config_t *)sfPolicyUserDataGetCurrent(context_id); + if (dnp3_policy != NULL) + { + DynamicPreprocessorFatalMessage("%s(%d): DNP3 preprocessor can only be " + "configured once.\n", *_dpd.config_file, *_dpd.config_line); + } + + /* Allocate new policy */ + dnp3_policy = (dnp3_config_t *)calloc(1, sizeof(dnp3_config_t)); + if (!dnp3_policy) + { + DynamicPreprocessorFatalMessage("Could not allocate memory for " + "dnp3 preprocessor configuration.\n"); + } + + sfPolicyUserDataSetCurrent(context_id, dnp3_policy); + + return dnp3_policy; +} + +static void DNP3RegisterPerPolicyCallbacks(dnp3_config_t *dnp3_policy) +{ + tSfPolicyId policy_id = _dpd.getParserPolicy(); + + /* Callbacks should be avoided if the preproc is disabled. 
*/ + if (dnp3_policy->disabled) + return; + + _dpd.addPreproc(ProcessDNP3, PRIORITY_APPLICATION, PP_DNP3, PROTO_BIT__TCP|PROTO_BIT__UDP); + _addPortsToStream5Filter(dnp3_policy, policy_id); +#ifdef TARGET_BASED + _addServicesToStream5Filter(policy_id); +#endif + DNP3AddPortsToPaf(dnp3_policy, policy_id); + + _dpd.preprocOptRegister(DNP3_FUNC_NAME, DNP3FuncInit, DNP3FuncEval, free, NULL, NULL, NULL, NULL); + _dpd.preprocOptRegister(DNP3_OBJ_NAME, DNP3ObjInit, DNP3ObjEval, free, NULL, NULL, NULL, NULL); + _dpd.preprocOptRegister(DNP3_IND_NAME, DNP3IndInit, DNP3IndEval, free, NULL, NULL, NULL, NULL); + _dpd.preprocOptRegister(DNP3_DATA_NAME, DNP3DataInit, DNP3DataEval, free, NULL, NULL, NULL, NULL); +} + +static void ParseSinglePort(dnp3_config_t *config, char *token) +{ + /* single port number */ + char *endptr; + unsigned long portnum = _dpd.SnortStrtoul(token, &endptr, 10); + + if ((*endptr != '\0') || (portnum >= MAX_PORTS)) + { + DynamicPreprocessorFatalMessage("%s(%d): Bad dnp3 port number: %s\n" + "Port number must be an integer between 0 and 65535.\n", + *_dpd.config_file, *_dpd.config_line, token); + } + + /* Good port number! */ + config->ports[PORT_INDEX(portnum)] |= CONV_PORT(portnum); +} + +static void ParseDNP3Args(dnp3_config_t *config, char *args) +{ + char *saveptr; + char *token; + + /* Set defaults */ + config->memcap = DNP3_DEFAULT_MEMCAP; + config->ports[PORT_INDEX(DNP3_PORT)] |= CONV_PORT(DNP3_PORT); + config->check_crc = 0; + + /* No arguments? Stick with defaults. 
*/ + if (args == NULL) + return; + + token = strtok_r(args, " ,", &saveptr); + while (token != NULL) + { + if (strcmp(token, DNP3_PORTS_KEYWORD) == 0) + { + unsigned nPorts = 0; + + /* Un-set the default port */ + config->ports[PORT_INDEX(DNP3_PORT)] = 0; + + /* Parse ports */ + token = strtok_r(NULL, " ,", &saveptr); + + if (token == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d): Missing argument for " + "DNP3 preprocessor 'ports' option.\n", + *_dpd.config_file, *_dpd.config_line); + } + + if (isdigit(token[0])) + { + ParseSinglePort(config, token); + nPorts++; + } + else if (*token == '{') + { + /* list of ports */ + token = strtok_r(NULL, " ,", &saveptr); + while (token != NULL && *token != '}') + { + ParseSinglePort(config, token); + nPorts++; + token = strtok_r(NULL, " ,", &saveptr); + } + } + + else + { + nPorts = 0; + } + if ( nPorts == 0 ) + { + DynamicPreprocessorFatalMessage("%s(%d): Bad DNP3 'ports' argument: '%s'\n" + "Argument to DNP3 'ports' must be an integer, or a list " + "enclosed in { } braces.\n", + *_dpd.config_file, *_dpd.config_line, token); + } + } + else if (strcmp(token, DNP3_MEMCAP_KEYWORD) == 0) + { + uint32_t memcap; + char *endptr; + + /* Parse memcap */ + token = strtok_r(NULL, " ", &saveptr); + + /* In a multiple policy scenario, the memcap from the default policy + overrides the memcap in any targeted policies. 
*/ + if (_dpd.getParserPolicy() != _dpd.getDefaultPolicy()) + { + dnp3_config_t *default_config = + (dnp3_config_t *)sfPolicyUserDataGet(dnp3_context_id, + _dpd.getDefaultPolicy()); + + config->memcap = default_config->memcap; + } + else + { + if (token == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d): Missing argument for DNP3 " + "preprocessor 'memcap' option.\n", + *_dpd.config_file, *_dpd.config_line); + } + + memcap = _dpd.SnortStrtoul(token, &endptr, 10); + + if ((token[0] == '-') || (*endptr != '\0') || + (memcap < MIN_DNP3_MEMCAP) || (memcap > MAX_DNP3_MEMCAP)) + { + DynamicPreprocessorFatalMessage("%s(%d): Bad DNP3 'memcap' argument: %s\n" + "Argument to DNP3 'memcap' must be an integer between " + "%d and %d.\n", *_dpd.config_file, *_dpd.config_line, + token, MIN_DNP3_MEMCAP, MAX_DNP3_MEMCAP); + } + + config->memcap = memcap; + } + } + else if (strcmp(token, DNP3_CHECK_CRC_KEYWORD) == 0) + { + /* Parse check_crc */ + config->check_crc = 1; + } + else if (strcmp(token, DNP3_DISABLED_KEYWORD) == 0) + { + /* TODO: if disabled, check that no other stuff is turned on except memcap */ + config->disabled = 1; + } + else + { + DynamicPreprocessorFatalMessage("%s(%d): Failed to parse dnp3 argument: " + "%s\n", *_dpd.config_file, *_dpd.config_line, token); + } + token = strtok_r(NULL, " ,", &saveptr); + } +} + +/* Print a DNP3 config */ +static void PrintDNP3Config(dnp3_config_t *config) +{ + int index, newline = 1; + + if (config == NULL) + return; + + _dpd.logMsg("DNP3 config: \n"); + + if (config->disabled) + _dpd.logMsg(" DNP3: INACTIVE\n"); + + _dpd.logMsg(" Memcap: %d\n", config->memcap); + _dpd.logMsg(" Check Link-Layer CRCs: %s\n", + config->check_crc ? 
+ "ENABLED":"DISABLED"); + + _dpd.logMsg(" Ports:\n"); + + /* Loop through port array & print, 5 ports per line */ + for (index = 0; index < MAX_PORTS; index++) + { + if (config->ports[PORT_INDEX(index)] & CONV_PORT(index)) + { + _dpd.logMsg("\t%d", index); + if ( !((newline++) % 5) ) + { + _dpd.logMsg("\n"); + } + } + } + _dpd.logMsg("\n"); +} + +static int DNP3ProcessUDP(dnp3_config_t *dnp3_eval_config, + dnp3_session_data_t *sessp, SFSnortPacket *packetp) +{ + /* Possibly multiple PDUs in this UDP payload. + Split up and process individually. */ + + uint16_t bytes_processed = 0; + int truncated_pdu = 0; + + while (bytes_processed < packetp->payload_size) + { + uint8_t dnp3_length; + uint8_t *pdu_start; + uint16_t user_data, num_crcs, pdu_length; + + pdu_start = (uint8_t *)(packetp->payload + bytes_processed); + + /* Alert and stop if (a) there's not enough data to read a length, or + (b) the start bytes are not 0x0564 */ + /* XXX: DEFINE MAGIC NUMBERS */ + if ((packetp->payload_size - bytes_processed < 3) || + ((*pdu_start != 0x05) || (*(pdu_start+1) != 0x64))) + { + truncated_pdu = 1; + break; + } + + /* Read the length. DNP3 length only counts non-CRC octets + that follow the length field itself. Each CRC is two octets. + One follows the header, then one CRC follows every 16 bytes + of user data. */ + + dnp3_length = (uint8_t) *(packetp->payload + bytes_processed + 2); + + if (dnp3_length < DNP3_HEADER_REMAINDER_LEN) + { + truncated_pdu = 1; + break; + } + + /* Calculate the actual length of data to inspect */ + user_data = dnp3_length - DNP3_HEADER_REMAINDER_LEN; + num_crcs = 1 + (user_data/16) + (user_data % 16? 
1 : 0); + pdu_length = 3 + dnp3_length + (2*num_crcs); + + if (bytes_processed + pdu_length > packetp->payload_size) + { + truncated_pdu = 1; + break; + } + + DNP3FullReassembly(dnp3_eval_config, sessp, packetp, pdu_start, + pdu_length); + + bytes_processed += pdu_length; + } + + if (truncated_pdu) + { + _dpd.alertAdd(GENERATOR_SPP_DNP3, DNP3_DROPPED_FRAME, 1, 0, 3, + DNP3_DROPPED_FRAME_STR, 0); + } + + /* All detection was done when DNP3FullReassembly() called Detect() + on the reassembled PDUs. Clear the flag to avoid double alerts + on the last PDU. */ + _dpd.DetectReset((uint8_t *)packetp->payload, packetp->payload_size); + + return DNP3_OK; +} + +/* Main runtime entry point */ +static void ProcessDNP3(void *ipacketp, void *contextp) +{ + SFSnortPacket *packetp = (SFSnortPacket *)ipacketp; + MemBucket *tmp_bucket = NULL; + dnp3_session_data_t *sessp = NULL; + PROFILE_VARS; + + /* Sanity checks. Should this preprocessor run? */ + if (( !packetp ) || + ( !packetp->payload ) || + ( !packetp->payload_size ) || + ( !IPH_IS_VALID(packetp) ) || + ( !packetp->tcp_header && !packetp->udp_header )) + { + return; + } + + /* If TCP, require that PAF flushes full PDUs first. */ + if (packetp->tcp_header && !PacketHasFullPDU(packetp)) + return; + + PREPROC_PROFILE_START(dnp3PerfStats); + + /* When pipelined DNP3 PDUs appear in a single TCP segment or UDP packet, + the detection engine caches the results of the rule options after + evaluating on the first PDU. Setting this flag stops the caching. */ + packetp->flags |= FLAG_ALLOW_MULTIPLE_DETECT; + + /* Fetch me a preprocessor config to use with this VLAN/subnet/etc.! */ + dnp3_eval_config = sfPolicyUserDataGetCurrent(dnp3_context_id); + + /* Look for a previously-allocated session data. */ + tmp_bucket = _dpd.streamAPI->get_application_data(packetp->stream_session_ptr, PP_DNP3); + + if (tmp_bucket == NULL) + { + /* No existing session. Check those ports. 
*/ + if (DNP3PortCheck(dnp3_eval_config, packetp) != DNP3_OK) + { + PREPROC_PROFILE_END(dnp3PerfStats); + return; + } + + /* Create session data and attach it to the Stream5 session */ + tmp_bucket = DNP3CreateSessionData(packetp); + + if (tmp_bucket == NULL) + { + /* Mempool was full, don't process this session. */ + static unsigned int times_mempool_alloc_failed = 0; + + /* Print a message, but only every 1000 times. + Don't want to flood the log if there's a lot of DNP3 traffic. */ + if (times_mempool_alloc_failed % 1000) + { + _dpd.logMsg("WARNING: DNP3 memcap exceeded.\n"); + } + times_mempool_alloc_failed++; + + PREPROC_PROFILE_END(dnp3PerfStats); + return; + } + } + + sessp = (dnp3_session_data_t *) tmp_bucket->data; + + /* Set reassembly direction */ + if (packetp->flags & FLAG_FROM_CLIENT) + sessp->direction = DNP3_CLIENT; + else + sessp->direction = DNP3_SERVER; + + /* Do preprocessor-specific detection stuff here */ + if (packetp->tcp_header) + { + /* Single PDU. PAF already split them up into separate pseudo-packets. */ + DNP3FullReassembly(dnp3_eval_config, sessp, packetp, + (uint8_t *)packetp->payload, packetp->payload_size); + } + else if (packetp->udp_header) + { + DNP3ProcessUDP(dnp3_eval_config, sessp, packetp); + } + + /* That's the end! 
*/ + PREPROC_PROFILE_END(dnp3PerfStats); +} + +/* Check ports & services */ +static int DNP3PortCheck(dnp3_config_t *config, SFSnortPacket *packet) +{ +#ifdef TARGET_BASED + int16_t app_id = _dpd.streamAPI->get_application_protocol_id(packet->stream_session_ptr); + + /* call to get_application_protocol_id gave an error */ + if (app_id == SFTARGET_UNKNOWN_PROTOCOL) + return DNP3_FAIL; + + /* this is positively identified as something non-dnp3 */ + if (app_id && (app_id != dnp3_app_id)) + return DNP3_FAIL; + + /* this is identified as dnp3 */ + if (app_id == dnp3_app_id) + return DNP3_OK; + + /* fall back to port check */ +#endif + + if (config->ports[PORT_INDEX(packet->src_port)] & CONV_PORT(packet->src_port)) + return DNP3_OK; + + if (config->ports[PORT_INDEX(packet->dst_port)] & CONV_PORT(packet->dst_port)) + return DNP3_OK; + + return DNP3_FAIL; +} + +static MemBucket * DNP3CreateSessionData(SFSnortPacket *packet) +{ + MemBucket *tmp_bucket = NULL; + dnp3_session_data_t *data = NULL; + + /* Sanity Check */ + if (!packet || !packet->stream_session_ptr) + return NULL; + + /* data = (dnp3_session_data_t *)calloc(1, sizeof(dnp3_session_data_t)); */ + + tmp_bucket = mempool_alloc(dnp3_mempool); + if (!tmp_bucket) + return NULL; + + data = (dnp3_session_data_t *)tmp_bucket->data; + + if (!data) + return NULL; + + /* Attach to Stream5 session */ + _dpd.streamAPI->set_application_data(packet->stream_session_ptr, PP_DNP3, + tmp_bucket, FreeDNP3Data); + + /* Not sure when this reference counting stuff got added to the old preprocs */ + data->policy_id = _dpd.getRuntimePolicy(); + data->context_id = dnp3_context_id; + ((dnp3_config_t *)sfPolicyUserDataGetCurrent(dnp3_context_id))->ref_count++; + + return tmp_bucket; +} + + +/* Reload functions */ +#ifdef SNORT_RELOAD +/* Almost like DNP3Init, but not quite. 
*/ +static void DNP3Reload(char *args) +{ + dnp3_config_t *dnp3_policy = NULL; + + if (dnp3_swap_context_id == NULL) + { + dnp3_swap_context_id = sfPolicyConfigCreate(); + if (dnp3_swap_context_id == NULL) + { + DynamicPreprocessorFatalMessage("Failed to allocate memory " + "for DNP3 config.\n"); + } + + if (_dpd.streamAPI == NULL) + { + DynamicPreprocessorFatalMessage("SetupDNP3(): The Stream preprocessor " + "must be enabled.\n"); + } + } + + dnp3_policy = DNP3PerPolicyInit(dnp3_swap_context_id); + + ParseDNP3Args(dnp3_policy, args); + + PrintDNP3Config(dnp3_policy); + + DNP3RegisterPerPolicyCallbacks(dnp3_policy); + + _dpd.addPreprocReloadVerify(DNP3ReloadVerify); +} + +/* Check that Stream5 is still running, and that the memcap didn't change. */ +static int DNP3ReloadVerify(void) +{ + dnp3_config_t *current_default_config, *new_default_config; + + if ((dnp3_context_id == NULL) || (dnp3_swap_context_id == NULL)) + return 0; + + current_default_config = + (dnp3_config_t *)sfPolicyUserDataGet(dnp3_context_id, _dpd.getDefaultPolicy()); + + new_default_config = + (dnp3_config_t *)sfPolicyUserDataGet(dnp3_swap_context_id, _dpd.getDefaultPolicy()); + + /* Sanity check. Shouldn't be possible. */ + if (current_default_config == NULL) + return 0; + + if (new_default_config == NULL) + { + DynamicPreprocessorFatalMessage("DNP3 reload: Changing the DNP3 configuration " + "requires a restart.\n"); + } + + /* Did memcap change? */ + if (current_default_config->memcap != new_default_config->memcap) + { + DynamicPreprocessorFatalMessage("DNP3 reload: Changing the DNP3 memcap " + "requires a restart.\n"); + } + + /* Did stream5 get turned off? 
*/ + if (!_dpd.isPreprocEnabled(PP_STREAM5)) + { + DynamicPreprocessorFatalMessage("SetupDNP3(): The Stream preprocessor must be enabled.\n"); + } + + return 0; +} + +static int DNP3FreeUnusedConfigPolicy( + tSfPolicyUserContextId context_id, + tSfPolicyId policy_id, + void *data + ) +{ + dnp3_config_t *dnp3_config = (dnp3_config_t *)data; + + /* do any housekeeping before freeing dnp3 config */ + if (dnp3_config->ref_count == 0) + { + sfPolicyUserDataClear(context_id, policy_id); + free(dnp3_config); + } + + return 0; +} + +static void * DNP3ReloadSwap(void) +{ + tSfPolicyUserContextId old_context_id = dnp3_context_id; + + if (dnp3_swap_context_id == NULL) + return NULL; + + dnp3_context_id = dnp3_swap_context_id; + dnp3_swap_context_id = NULL; + + sfPolicyUserDataIterate(old_context_id, DNP3FreeUnusedConfigPolicy); + + if (sfPolicyUserPolicyGetActive(old_context_id) == 0) + { + /* No more outstanding configs - free the config array */ + return (void *)old_context_id; + } + + return NULL; +} + +static void DNP3ReloadSwapFree(void *data) +{ + if (data == NULL) + return; + + DNP3FreeConfig( (tSfPolicyUserContextId)data ); +} +#endif + +/* Stream5 filter functions */ +static void _addPortsToStream5Filter(dnp3_config_t *config, tSfPolicyId policy_id) +{ + if (config == NULL) + return; + + if (_dpd.streamAPI) + { + int portNum; + + for (portNum = 0; portNum < MAX_PORTS; portNum++) + { + if(config->ports[(portNum/8)] & (1<<(portNum%8))) + { + //Add port the port + _dpd.streamAPI->set_port_filter_status( + IPPROTO_TCP, (uint16_t)portNum, PORT_MONITOR_SESSION, policy_id, 1); + _dpd.streamAPI->set_port_filter_status( + IPPROTO_UDP, (uint16_t)portNum, PORT_MONITOR_SESSION, policy_id, 1); + } + } + } + +} + +#ifdef TARGET_BASED +static void _addServicesToStream5Filter(tSfPolicyId policy_id) +{ + _dpd.streamAPI->set_service_filter_status(dnp3_app_id, PORT_MONITOR_SESSION, policy_id, 1); +} +#endif + +static int DNP3FreeConfigPolicy( + tSfPolicyUserContextId context_id, + 
tSfPolicyId policy_id, + void *data + ) +{ + dnp3_config_t *dnp3_config = (dnp3_config_t *)data; + + /* do any housekeeping before freeing dnp3_config */ + + sfPolicyUserDataClear(context_id, policy_id); + free(dnp3_config); + return 0; +} + +static void DNP3FreeConfig(tSfPolicyUserContextId context_id) +{ + if (context_id == NULL) + return; + + sfPolicyUserDataIterate(context_id, DNP3FreeConfigPolicy); + sfPolicyConfigDelete(context_id); +} + +static int DNP3IsEnabled(tSfPolicyUserContextId context_id, + tSfPolicyId policy_id, void *data) +{ + dnp3_config_t *config = (dnp3_config_t *)data; + + if ((data == NULL) || config->disabled) + return 0; + + return 1; +} + +/* Check an individual policy */ +static int DNP3CheckPolicyConfig( + tSfPolicyUserContextId context_id, + tSfPolicyId policy_id, + void *data + ) +{ + dnp3_config_t *config = (dnp3_config_t *)data; + + _dpd.setParserPolicy(policy_id); + + /* In a multiple-policy setting, the preprocessor can be turned on in + a "disabled" state. In this case, we don't require Stream5. */ + if (config->disabled) + return 0; + + /* Otherwise, require Stream5. */ + if (!_dpd.isPreprocEnabled(PP_STREAM5)) + { + DynamicPreprocessorFatalMessage("DNP3CheckPolicyConfig(): " + "The Stream preprocessor must be enabled.\n"); + } + return 0; +} + +/* Check configs & set up mempool. + Mempool stuff is in this function because we want to parse & check *ALL* + of the configs before allocating a mempool. */ +static void DNP3CheckConfig(void) +{ + unsigned int max_sessions; + + /* Get default configuration */ + dnp3_config_t *default_config = + (dnp3_config_t *)sfPolicyUserDataGetDefault(dnp3_context_id); + + /* Check all individual configurations */ + sfPolicyUserDataIterate(dnp3_context_id, DNP3CheckPolicyConfig); + + /* Set up MemPool, but only if a config exists that's not "disabled". 
*/ + if (sfPolicyUserDataIterate(dnp3_context_id, DNP3IsEnabled) == 0) + return; + + max_sessions = default_config->memcap / sizeof(dnp3_session_data_t); + + dnp3_mempool = (MemPool *)calloc(1, sizeof(MemPool)); + if (mempool_init(dnp3_mempool, max_sessions, sizeof(dnp3_session_data_t)) != 0) + { + DynamicPreprocessorFatalMessage("Unable to allocate DNP3 mempool.\n"); + } +} + +static void DNP3CleanExit(int signal, void *data) +{ + if (dnp3_context_id != NULL) + { + DNP3FreeConfig(dnp3_context_id); + dnp3_context_id = NULL; + } + + if ((dnp3_mempool) && (mempool_destroy(dnp3_mempool) == 0)) + { + free(dnp3_mempool); + dnp3_mempool = 0; + } +} + +static void FreeDNP3Data(void *bucket) +{ + MemBucket *tmp_bucket = (MemBucket *)bucket; + dnp3_session_data_t *session; + dnp3_config_t *config = NULL; + + if ((tmp_bucket == NULL) || (tmp_bucket->data == NULL)) + return; + + session = tmp_bucket->data; + + if (session->context_id != NULL) + { + config = (dnp3_config_t *)sfPolicyUserDataGet(session->context_id, session->policy_id); + } + + if (config != NULL) + { + config->ref_count--; + if ((config->ref_count == 0) && + (session->context_id != dnp3_context_id)) + { + sfPolicyUserDataClear(session->context_id, session->policy_id); + free(config); + + if (sfPolicyUserPolicyGetActive(session->context_id) == 0) + { + /* No more outstanding configs - free the config array */ + DNP3FreeConfig(session->context_id); + } + } + } + + mempool_free(dnp3_mempool, tmp_bucket); +} diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dnp3/spp_dnp3.h snort-2.9.2/src/dynamic-preprocessors/dnp3/spp_dnp3.h --- snort-2.8.5.2/src/dynamic-preprocessors/dnp3/spp_dnp3.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dnp3/spp_dnp3.h 2011-11-21 20:15:24.000000000 +0000 
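Review bot: The memcap-exceeded warning in ProcessDNP3 is rate-limited backwards: `if (times_mempool_alloc_failed % 1000)` is true for every count except exact multiples of 1000, so the first failure is silent and almost every later one logs; it should read `if (times_mempool_alloc_failed % 1000 == 0)`. Since the mempool is sized from the configured memcap, a sender that opens enough DNP3 sessions to exhaust it can then make the sensor emit a log line for nearly every new session, turning a resource cap into a log flood. Separately, the memcap branch of ParseDNP3Args for a non-default policy dereferences `default_config->memcap` straight after `sfPolicyUserDataGet(dnp3_context_id, _dpd.getDefaultPolicy())`, and DNP3CheckConfig does the same with `default_config->memcap`, neither checking for NULL; if dnp3 can be configured only in a targeted policy, both crash at startup, so each wants a `if (default_config == NULL) DynamicPreprocessorFatalMessage(...)` guard the way DNP3ReloadVerify already checks `current_default_config == NULL`.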
@@ -0,0 +1,185 @@ +/* + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2011 Sourcefire, Inc. + * + * Author: Ryan Jordan + * + * Dynamic preprocessor for the DNP3 protocol + * + */ + +#ifndef SPP_DNP3_H +#define SPP_DNP3_H + +#include "config.h" +#include "sf_types.h" +#include "sfPolicy.h" +#include "sfPolicyUserData.h" + +/* GIDs, SIDs, Messages */ +#define GENERATOR_SPP_DNP3 145 + +#define DNP3_BAD_CRC 1 +#define DNP3_DROPPED_FRAME 2 +#define DNP3_DROPPED_SEGMENT 3 +#define DNP3_REASSEMBLY_BUFFER_CLEARED 4 +#define DNP3_RESERVED_ADDRESS 5 +#define DNP3_RESERVED_FUNCTION 6 + +#define DNP3_BAD_CRC_STR "(spp_dnp3): DNP3 Link-Layer Frame contains bad CRC." +#define DNP3_DROPPED_FRAME_STR "(spp_dnp3): DNP3 Link-Layer Frame was dropped." +#define DNP3_DROPPED_SEGMENT_STR "(spp_dnp3): DNP3 Transport-Layer Segment was dropped during reassembly." +#define DNP3_REASSEMBLY_BUFFER_CLEARED_STR "(spp_dnp3): DNP3 Reassembly Buffer was cleared without reassembling a complete message." +#define DNP3_RESERVED_ADDRESS_STR "(spp_dnp3): DNP3 Link-Layer Frame uses a reserved address." +#define DNP3_RESERVED_FUNCTION_STR "(spp_dnp3): DNP3 Application-Layer Fragment uses a reserved function code." 
+ +#define MAX_PORTS 65536 + +/* Default DNP3 port */ +#define DNP3_PORT 20000 + +/* Memcap limits. */ +#define MIN_DNP3_MEMCAP 4144 +#define MAX_DNP3_MEMCAP (100 * 1024 * 1024) + +/* Convert port value into an index for the dnp3_config->ports array */ +#define PORT_INDEX(port) port/8 + +/* Convert port value into a value for bitwise operations */ +#define CONV_PORT(port) 1<<(port%8) + +/* Packet directions */ +#define DNP3_CLIENT 0 +#define DNP3_SERVER 1 + +/* Session data flags */ +#define DNP3_FUNC_RULE_FIRED 0x0001 +#define DNP3_OBJ_RULE_FIRED 0x0002 +#define DNP3_IND_RULE_FIRED 0x0004 +#define DNP3_DATA_RULE_FIRED 0x0008 + +/* DNP3 minimum length: start (2 octets) + len (1 octet) */ +#define DNP3_MIN_LEN 3 +#define DNP3_LEN_OFFSET 2 + +/* Length of the rest of a DNP3 link-layer header: ctrl + src + dest */ +#define DNP3_HEADER_REMAINDER_LEN 5 + +/* Reassembly data types moved here to avoid circular dependency + with dnp3_sesion_data_t */ +#define DNP3_BUFFER_SIZE 2048 +typedef enum _dnp3_reassembly_state_t +{ + DNP3_REASSEMBLY_STATE__IDLE = 0, + DNP3_REASSEMBLY_STATE__ASSEMBLY, + DNP3_REASSEMBLY_STATE__DONE +} dnp3_reassembly_state_t; + +typedef struct _dnp3_reassembly_data_t +{ + char buffer[DNP3_BUFFER_SIZE]; + uint16_t buflen; + dnp3_reassembly_state_t state; + uint8_t last_seq; +} dnp3_reassembly_data_t; + + +/* DNP3 preprocessor configuration */ +typedef struct _dnp3_config +{ + uint32_t memcap; + char ports[MAX_PORTS/8]; + uint8_t check_crc; + int disabled; + + int ref_count; +} dnp3_config_t; + +/* DNP3 session data */ +typedef struct _dnp3_session_data +{ + /* Fields for rule option matching. 
*/ + uint8_t direction; + uint8_t func; + uint8_t obj_group; + uint8_t obj_var; + uint16_t indications; + uint16_t flags; + + /* Reassembly stuff */ + dnp3_reassembly_data_t client_rdata; + dnp3_reassembly_data_t server_rdata; + + tSfPolicyId policy_id; + tSfPolicyUserContextId context_id; +} dnp3_session_data_t; + + +/* DNP3 header structures */ +typedef struct _dnp3_link_header_t +{ + uint16_t start; + uint8_t len; + uint8_t ctrl; + uint16_t dest; + uint16_t src; +} dnp3_link_header_t; + +#define DNP3_TRANSPORT_FIN(x) (x & 0x80) +#define DNP3_TRANSPORT_FIR(x) (x & 0x40) +#define DNP3_TRANSPORT_SEQ(x) (x & 0x3F) +#define DNP3_MAX_TRANSPORT_LEN 250 +typedef struct _dnp3_transport_header_t +{ + uint8_t control; +} dnp3_transport_header_t; + + +/* Yep, the locations of FIR and FIN are switched at this layer... */ +#define DNP3_APP_FIR(x) (x & 0x80) +#define DNP3_APP_FIN(x) (x & 0x40) +#define DNP3_APP_SEQ(x) (x & 0x0F) +typedef struct _dnp3_app_request_header_t +{ + uint8_t control; + uint8_t function; +} dnp3_app_request_header_t; + +typedef struct _dnp3_app_response_header_t +{ + uint8_t control; + uint8_t function; + uint16_t indications; +} dnp3_app_response_header_t; + +#define DNP3_CHECK_CRC_KEYWORD "check_crc" +#define DNP3_PORTS_KEYWORD "ports" +#define DNP3_MEMCAP_KEYWORD "memcap" +#define DNP3_DISABLED_KEYWORD "disabled" + +#define DNP3_OK 1 +#define DNP3_FAIL (-1) + +#ifdef WORDS_BIGENDIAN +#define DNP3_MIN_RESERVED_ADDR 0xF0FF +#define DNP3_MAX_RESERVED_ADDR 0xFBFF +#else +#define DNP3_MIN_RESERVED_ADDR 0xFFF0 +#define DNP3_MAX_RESERVED_ADDR 0xFFFB +#endif + +#endif /* SPP_DNP3_H */ diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dns/Makefile.am snort-2.9.2/src/dynamic-preprocessors/dns/Makefile.am --- snort-2.8.5.2/src/dynamic-preprocessors/dns/Makefile.am 2009-05-06 22:28:56.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dns/Makefile.am 2011-07-13 22:44:51.000000000 +0000 
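Review bot: PORT_INDEX and CONV_PORT are defined with neither the argument nor the expansion parenthesized (`#define PORT_INDEX(port) port/8`, `#define CONV_PORT(port) 1<<(port%8)`), so a caller that passes an expression or combines the result with a higher-precedence operator silently tests the wrong bit; the uses in spp_dnp3.c only work because `<<` happens to bind tighter than `&` and `|=`. They should be `#define PORT_INDEX(port) ((port)/8)` and `#define CONV_PORT(port) (1<<((port)%8))`. The WORDS_BIGENDIAN values for DNP3_MIN_RESERVED_ADDR/DNP3_MAX_RESERVED_ADDR (0xF0FF..0xFBFF) are byte-swapped endpoints, and if the reassembly code compares them as a numeric range against a raw little-endian address the range is not contiguous on big-endian hosts (0xF100, i.e. address 0x00F1, would fall inside it); that comparison is outside this hunk, so please confirm there.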
@@ -1,38 +1,28 @@ ## $Id AUTOMAKE_OPTIONS=foreign no-dependencies -INCLUDES = -I../include +INCLUDES = -I../include -I${srcdir}/../libs libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor lib_LTLIBRARIES = libsf_dns_preproc.la -libsf_dns_preproc_la_LDFLAGS = -module - -BUILT_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c - +libsf_dns_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +if SO_WITH_STATIC_LIB +libsf_dns_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +else nodist_libsf_dns_preproc_la_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c +../include/sf_dynamic_preproc_lib.c \ +../include/sfPolicyUserData.c +endif libsf_dns_preproc_la_SOURCES = \ spp_dns.c \ -spp_dns.h \ -sf_preproc_info.h +spp_dns.h EXTRA_DIST = \ sf_dns.dsp -sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c - cp $? $@ - -sfPolicyUserData.c: ../include/sfPolicyUserData.c - cp $? $@ - -all-local: +all-local: $(LTLIBRARIES) $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES -clean-local: - rm -f sf_dynamic_preproc_lib.c sfPolicyUserData.c diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dns/Makefile.in snort-2.9.2/src/dynamic-preprocessors/dns/Makefile.in --- snort-2.8.5.2/src/dynamic-preprocessors/dns/Makefile.in 2009-10-19 21:18:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dns/Makefile.in 2011-12-07 19:23:19.000000000 +0000 @@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. 
@@ -16,8 +17,9 @@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c 
@@ -42,25 +44,42 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; -am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(libdir)" -libLTLIBRARIES_INSTALL = $(INSTALL) LTLIBRARIES = $(lib_LTLIBRARIES) -libsf_dns_preproc_la_LIBADD = +@SO_WITH_STATIC_LIB_TRUE@libsf_dns_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la am_libsf_dns_preproc_la_OBJECTS = spp_dns.lo -nodist_libsf_dns_preproc_la_OBJECTS = sf_dynamic_preproc_lib.lo \ - sfPolicyUserData.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_dns_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo libsf_dns_preproc_la_OBJECTS = $(am_libsf_dns_preproc_la_OBJECTS) \ $(nodist_libsf_dns_preproc_la_OBJECTS) libsf_dns_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(libsf_dns_preproc_la_LDFLAGS) 
$(LDFLAGS) -o $@ -DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = am__depfiles_maybe = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ @@ -87,31 +106,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ -INCLUDES = -I../include +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ @@ -124,12 +143,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -137,20 +162,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -182,6 +214,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ 
@@ -194,29 +227,25 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies lib_LTLIBRARIES = libsf_dns_preproc.la -libsf_dns_preproc_la_LDFLAGS = -module -BUILT_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c - -nodist_libsf_dns_preproc_la_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c +libsf_dns_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +@SO_WITH_STATIC_LIB_TRUE@libsf_dns_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_dns_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c libsf_dns_preproc_la_SOURCES = \ spp_dns.c \ -spp_dns.h \ -sf_preproc_info.h +spp_dns.h EXTRA_DIST = \ sf_dns.dsp -all: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) all-am +all: all-am .SUFFIXES: .SUFFIXES: .c .lo .o .obj @@ -224,14 +253,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/dns/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/dynamic-preprocessors/dns/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/dns/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-preprocessors/dns/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ 
@@ -249,23 +278,28 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): install-libLTLIBRARIES: $(lib_LTLIBRARIES) @$(NORMAL_INSTALL) test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ if test -f $$p; then \ - f=$(am__strip_dir) \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \ + list2="$$list2 $$p"; \ else :; fi; \ - done + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } uninstall-libLTLIBRARIES: @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p=$(am__strip_dir) \ - echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \ - $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \ + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ done clean-libLTLIBRARIES: 
@@ -294,6 +328,12 @@ .c.lo: $(LTCOMPILE) -c -o $@ $< +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + mostlyclean-libtool: -rm -f *.lo 
@@ -305,45 +345,49 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i 
$(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags @@ -364,26 +408,28 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am -check: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) check-am +check: check-am all-am: Makefile $(LTLIBRARIES) all-local installdirs: for dir in "$(DESTDIR)$(libdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done -install: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) install-am +install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am @@ -403,14 +449,14 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." - -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) clean: clean-am -clean-am: clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ mostlyclean-am distclean: distclean-am @@ -424,6 +470,8 @@ html: html-am +html-am: + info: info-am info-am: 
@@ -432,18 +480,28 @@ install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-libLTLIBRARIES install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am @@ -468,8 +526,8 @@ .MAKE: install-am install-strip .PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ - clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ - ctags distclean distclean-compile distclean-generic \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ @@ -482,17 +540,9 @@ tags uninstall uninstall-am uninstall-libLTLIBRARIES -sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c - cp $? $@ - -sfPolicyUserData.c: ../include/sfPolicyUserData.c - cp $? $@ - -all-local: +all-local: $(LTLIBRARIES) $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES -clean-local: - rm -f sf_dynamic_preproc_lib.c sfPolicyUserData.c # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dns/sf_dns.dsp snort-2.9.2/src/dynamic-preprocessors/dns/sf_dns.dsp --- snort-2.8.5.2/src/dynamic-preprocessors/dns/sf_dns.dsp 2009-05-06 22:28:56.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dns/sf_dns.dsp 2011-11-21 20:15:24.000000000 +0000 
@@ -38,25 +38,25 @@ # PROP BASE Output_Dir "Release" # PROP BASE Intermediate_Dir "Release" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "Release" # PROP Intermediate_Dir "Release" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /c -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /D "NDEBUG" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "SF_SNORT_PREPROC_DLL" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /YX /FD /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 
!ELSEIF "$(CFG)" == "sf_dns - Win32 Debug" 
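Review bot: `/D SIGNAL_SNORT_READ_ATTR_TBL=30` is hard-coded into the compiler line of every configuration in this file (this Release hunk and the Debug, IPv6 Debug and IPv6 Release hunks that follow), whereas the autotools build takes the value from configure (`SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@` in the Makefile.in section above). If the configured value ever differs from 30, the Windows build of this preprocessor will disagree with the core about which signal triggers the attribute-table reload; a single shared define in a Win32 header would keep the two in step. The move from `/MT` to `/MD` together with `Use_MFC 2` and `_AFXDLL` makes a plain C preprocessor DLL depend on the shared CRT and MFC runtime at load time — presumably to match the core's runtime, but a one-line comment in the Win32 build notes explaining why a C module needs `_AFXDLL` would save the next maintainer the question.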
@@ -65,25 +65,25 @@ # PROP BASE Output_Dir "Debug" # PROP BASE Intermediate_Dir "Debug" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "Debug" # PROP Intermediate_Dir "Debug" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /YX /FD /GZ /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo 
/dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept !ELSEIF "$(CFG)" == "sf_dns - Win32 IPv6 Debug" @@ -93,7 +93,7 @@ # PROP BASE Intermediate_Dir "sf_dns___Win32_IPv6_Debug" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "IPv6_Debug" # PROP Intermediate_Dir "IPv6_Debug" 
@@ -101,18 +101,18 @@ # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /GZ /c # SUBTRACT BASE CPP /X -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /YX /FD /GZ /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug 
/machine:I386 /pdbtype:sept !ELSEIF "$(CFG)" == "sf_dns - Win32 IPv6 Release" @@ -122,7 +122,7 @@ # PROP BASE Intermediate_Dir "sf_dns___Win32_IPv6_Release" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "IPv6_Release" # PROP Intermediate_Dir "IPv6_Release" 
@@ -130,18 +130,18 @@ # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_SMTP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /c # SUBTRACT BASE CPP /X -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /D "NDEBUG" /D "SUP_IP6" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "SF_SNORT_PREPROC_DLL" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /YX /FD /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 !ENDIF diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dns/sf_preproc_info.h 
snort-2.9.2/src/dynamic-preprocessors/dns/sf_preproc_info.h --- snort-2.8.5.2/src/dynamic-preprocessors/dns/sf_preproc_info.h 2009-08-10 20:41:48.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dns/sf_preproc_info.h 1970-01-01 00:00:00.000000000 +0000 @@ -1,34 +0,0 @@ -/* Copyright (C) 2005-2009 Sourcefire, Inc. -** -** This program is free software; you can redistribute it and/or modify -** it under the terms of the GNU General Public License Version 2 as -** published by the Free Software Foundation. You may not use, modify or -** distribute this program under any other version of the GNU General -** Public License. -** -** This program is distributed in the hope that it will be useful, -** but WITHOUT ANY WARRANTY; without even the implied warranty of -** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -** GNU General Public License for more details. -** -** You should have received a copy of the GNU General Public License -** along with this program; if not, write to the Free Software -** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -*/ - -#ifndef SF_PREPROC_INFO_H -#define SF_PREPROC_INFO_H - -#define MAJOR_VERSION 1 -#define MINOR_VERSION 1 -#define BUILD_VERSION 3 -#ifdef SUP_IP6 -#define PREPROC_NAME "SF_DNS (IPV6)" -#else -#define PREPROC_NAME "SF_DNS" -#endif - -#define DYNAMIC_PREPROC_SETUP SetupDNS -extern void SetupDNS(void); - -#endif /* SF_PREPROC_INFO_H */ diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dns/spp_dns.c snort-2.9.2/src/dynamic-preprocessors/dns/spp_dns.c --- snort-2.8.5.2/src/dynamic-preprocessors/dns/spp_dns.c 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dns/spp_dns.c 2011-10-26 18:28:52.000000000 +0000 @@ -1,7 +1,7 @@ /* $Id */ /* -** Copyright (C) 2006-2009 Sourcefire, Inc. +** Copyright (C) 2006-2011 Sourcefire, Inc. ** ** ** This program is free software; you can redistribute it and/or modify 
@@ -28,7 +28,7 @@ * * Alert for DNS client rdata buffer overflow. * Alert for Obsolete or Experimental RData types (per RFC 1035) - * + * */ #ifdef HAVE_CONFIG_H @@ -39,13 +39,14 @@ #include #endif +#include "sf_types.h" #include "sf_snort_packet.h" #include "sf_dynamic_preprocessor.h" -#include "sf_snort_plugin_api.h" #include "preprocids.h" -#include "debug.h" +#include "snort_debug.h" #include "spp_dns.h" +#include "sf_preproc_info.h" #include #include @@ -64,11 +65,23 @@ #include "sf_types.h" #include "sfPolicy.h" #include "sfPolicyUserData.h" +#include "snort_bounds.h" #ifdef TARGET_BASED int16_t dns_app_id = SFTARGET_UNKNOWN_PROTOCOL; #endif +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 1; +const int BUILD_VERSION = 4; +#ifdef SUP_IP6 +const char *PREPROC_NAME = "SF_DNS (IPV6)"; +#else +const char *PREPROC_NAME = "SF_DNS"; +#endif + +#define SetupDNS DYNAMIC_PREPROC_SETUP + /* * Generator id. Define here the same as the official registry * in generators.h @@ -84,7 +97,7 @@ static void FreeDNSSessionData( void* ); static void ParseDNSArgs(DNSConfig *, u_char*); static void ProcessDNS( void*, void* ); -static INLINE int CheckDNSPort(DNSConfig *, uint16_t); +static inline int CheckDNSPort(DNSConfig *, uint16_t); static void DNSReset(int, void *); static void DNSResetStats(int, void *); static void _addPortsToStream5Filter(DNSConfig *, tSfPolicyId); @@ -107,8 +120,6 @@ #define DNS_RR_PTR 0xC0 -extern DynamicPreprocessorData _dpd; - static tSfPolicyUserContextId dns_config = NULL; DNSConfig *dns_eval_config = NULL; @@ -125,13 +136,13 @@ * to corresponding preprocessor initialization function. * * PARAMETERS: None. - * + * * RETURNS: Nothing. * */ void SetupDNS(void) { - /* Link preprocessor keyword to initialization function + /* Link preprocessor keyword to initialization function * in the preprocessor list. */ #ifndef SNORT_RELOAD _dpd.registerPreproc( "dns", DNSInit ); 
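Review bot: In the `@@ -64,11 +65,23 @@` hunk, `const char *PREPROC_NAME = "SF_DNS";` (and its `SUP_IP6` twin) declares a writable global pointer — only the characters it points to are const — so a mutable pointer that the host dereferences by name lands in the module's data segment; `const char *const PREPROC_NAME = "SF_DNS";` keeps it in read-only data, provided the extern in the shared header is adjusted to match. These four new version/name globals are non-static with generic names and are exported from every preprocessor .so, which is presumably what the host now looks up by symbol since the local sf_preproc_info.h (deleted in this commit) no longer supplies them as macros; the `#include "sf_preproc_info.h"` added in the `@@ -39,13 +39,14 @@` hunk must therefore resolve to a shared copy under ../include — worth confirming. Removing `extern DynamicPreprocessorData _dpd;` in the `@@ -107,8 +120,6 @@` hunk while `_dpd` is still used throughout means one of the new includes must declare it; sf_dynamic_preprocessor.h is the likely source, but that is inferred.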
@@ -143,13 +154,13 @@ /* Initializes the DNS preprocessor module and registers * it in the preprocessor list. - * - * PARAMETERS: + * + * PARAMETERS: * * argp: Pointer to argument string to process for config * data. * - * RETURNS: Nothing. + * RETURNS: Nothing. */ static void DNSInit( char* argp ) { @@ -205,7 +216,7 @@ DynamicPreprocessorFatalMessage("Could not allocate memory for " "DNS configuration.\n"); } - + sfPolicyUserDataSetCurrent(dns_config, pPolicyConfig); ParseDNSArgs(pPolicyConfig, (u_char *)argp); @@ -217,13 +228,13 @@ #endif } -/* Parses and processes the configuration arguments +/* Parses and processes the configuration arguments * supplied in the DNS preprocessor rule. * - * PARAMETERS: + * PARAMETERS: * * argp: Pointer to string containing the config arguments. - * + * * RETURNS: Nothing. */ static void ParseDNSArgs(DNSConfig *config, u_char* argp) 
@@ -234,53 +245,53 @@ if (config == NULL) return; - + /* Set up default port to listen on */ config->ports[ PORT_INDEX( DNS_PORT ) ] |= CONV_PORT(DNS_PORT); - + /* Sanity check(s) */ if ( !argp ) { PrintDNSConfig(config); return; } - + argcpyp = strdup( (char*) argp ); - + if ( !argcpyp ) { DynamicPreprocessorFatalMessage("Could not allocate memory to parse DNS options.\n"); return; } - + cur_tokenp = strtok( argcpyp, " "); - + while ( cur_tokenp ) { if ( !strcmp( cur_tokenp, DNS_PORTS_KEYWORD )) { - /* If the user specified ports, remove 'DNS_PORT' for now since + /* If the user specified ports, remove 'DNS_PORT' for now since * it now needs to be set explicitely. */ config->ports[ PORT_INDEX( DNS_PORT ) ] = 0; - + /* Eat the open brace. */ cur_tokenp = strtok( NULL, " "); if (( !cur_tokenp ) || ( strcmp(cur_tokenp, "{" ))) { DynamicPreprocessorFatalMessage("%s(%d) Bad value specified for %s. Must start " - "with '{' and be space separated.\n", + "with '{' and be space seperated.\n", *(_dpd.config_file), *(_dpd.config_line), DNS_PORTS_KEYWORD); //free(argcpyp); //return; } - + cur_tokenp = strtok( NULL, " "); while (( cur_tokenp ) && strcmp(cur_tokenp, "}" )) { if ( !isdigit( (int)cur_tokenp[0] )) { - DynamicPreprocessorFatalMessage("%s(%d) Bad port %s.\n", + DynamicPreprocessorFatalMessage("%s(%d) Bad port %s.\n", *(_dpd.config_file), *(_dpd.config_line), cur_tokenp ); //free(argcpyp); //return; @@ -288,7 +299,7 @@ else { port = atoi( cur_tokenp ); - if( port < 0 || port > MAX_PORTS ) + if( port < 0 || port > MAX_PORTS ) { DynamicPreprocessorFatalMessage("%s(%d) Port value illegitimate: %s\n", *(_dpd.config_file), *(_dpd.config_line), @@ -296,10 +307,10 @@ //free(argcpyp); //return; } - + config->ports[ PORT_INDEX( port ) ] |= CONV_PORT(port); } - + cur_tokenp = strtok( NULL, " "); } } 
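Review bot: The new side of the `DNS_PORTS_KEYWORD` error message reintroduces a misspelling in user-facing text — `"with '{' and be space seperated.\n"` should read `"with '{' and be space separated.\n"`, which is what the removed line already had. In the same port loop, `isdigit( (int)cur_tokenp[0] )` hands a possibly negative `char` value to `<ctype.h>`, which is undefined for anything other than EOF or an `unsigned char` value; `isdigit( (unsigned char)cur_tokenp[0] )` is the portable form. The loop then converts with `atoi`, which reports nothing for trailing junk such as `53abc`; `strtol` with an `endptr` check would reject it, and the `port > MAX_PORTS` test in the next hunk admits `MAX_PORTS` itself, which is one past the last valid index if spp_dns.h defines `MAX_PORTS` as a count rather than a maximum — worth confirming there. ParseDNSArgs begins before this hunk and continues past it.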
@@ -326,16 +337,16 @@ DynamicPreprocessorFatalMessage("Invalid argument: %s\n", cur_tokenp); return; } - + cur_tokenp = strtok( NULL, " " ); } - + PrintDNSConfig(config); free(argcpyp); } -/* Display the configuration for the DNS preprocessor. - * +/* Display the configuration for the DNS preprocessor. + * * PARAMETERS: None. * * RETURNS: Nothing. @@ -346,11 +357,11 @@ if (config == NULL) return; - + _dpd.logMsg("DNS config: \n"); #if 0 - _dpd.logMsg(" Autodetection: %s\n", - config->autodetect ? + _dpd.logMsg(" Autodetection: %s\n", + config->autodetect ? "ENABLED":"DISABLED"); #endif _dpd.logMsg(" DNS Client rdata txt Overflow Alert: %s\n", @@ -362,10 +373,10 @@ _dpd.logMsg(" Experimental DNS RR Types Alert: %s\n", config->enabled_alerts & DNS_ALERT_EXPERIMENTAL_TYPES ? "ACTIVE" : "INACTIVE" ); - + /* Printing ports */ - _dpd.logMsg(" Ports:"); - for(index = 0; index < MAX_PORTS; index++) + _dpd.logMsg(" Ports:"); + for(index = 0; index < MAX_PORTS; index++) { if( config->ports[ PORT_INDEX(index) ] & CONV_PORT(index) ) { @@ -375,9 +386,9 @@ _dpd.logMsg("\n"); } -/* Retrieves the DNS data block registered with the stream +/* Retrieves the DNS data block registered with the stream * session associated w/ the current packet. If none exists, - * allocates it and registers it with the stream API. + * allocates it and registers it with the stream API. * * PARAMETERS: * @@ -423,21 +434,21 @@ memset(dnsSessionData, 0, sizeof(DNSSessionData)); return dnsSessionData; } - + /* More Sanity check(s) */ if ( !p->stream_session_ptr ) { return NULL; } - + dnsSessionData = calloc( 1, sizeof( DNSSessionData )); - + if ( !dnsSessionData ) return NULL; - + /*Register the new DNS data block in the stream session. */ - _dpd.streamAPI->set_application_data( - p->stream_session_ptr, + _dpd.streamAPI->set_application_data( + p->stream_session_ptr, PP_DNS, dnsSessionData, FreeDNSSessionData ); return dnsSessionData; 
@@ -446,7 +457,7 @@ /* Registered as a callback with the DNS data when they are * added to the stream session. Called by stream when a * session is about to be destroyed to free that data. - * + * * PARAMETERS: * * application_data: Pointer to the DNS data @@ -471,7 +482,7 @@ * RETURNS: DNS_TRUE, if the port is indeed an DNS server port. * DNS_FALSE, otherwise. */ -static INLINE int CheckDNSPort(DNSConfig *config, uint16_t port) +static inline int CheckDNSPort(DNSConfig *config, uint16_t port) { return config->ports[PORT_INDEX(port)] & CONV_PORT(port); } @@ -720,7 +731,7 @@ } break; } - + /* Go to the next portion of the name */ dnsSessionData->curr_txt.name_state = DNS_RESP_STATE_NAME_SIZE; } @@ -848,7 +859,7 @@ return bytes_unused; } } - + switch (dnsSessionData->curr_rec_state) { case DNS_RESP_STATE_RR_TYPE: @@ -906,7 +917,7 @@ while (dnsSessionData->bytes_seen_curr_rec < 4) { dnsSessionData->bytes_seen_curr_rec++; - dnsSessionData->curr_rr.ttl |= + dnsSessionData->curr_rr.ttl |= (uint8_t)*data << (4-dnsSessionData->bytes_seen_curr_rec)*8; data++; bytes_unused--; @@ -1042,7 +1053,7 @@ } break; } - + /* Go to the next portion of the name */ dnsSessionData->curr_txt.name_state = DNS_RESP_STATE_RR_NAME_SIZE; } @@ -1168,7 +1179,7 @@ } /* Print out the header (but only once -- when we're ready to parse the Questions */ -#ifdef DEBUG +#ifdef DEBUG_MSGS if ((dnsSessionData->curr_rec_state == DNS_RESP_STATE_Q_NAME) && (dnsSessionData->curr_rec == 0)) { @@ -1206,7 +1217,7 @@ dnsSessionData->curr_q.dns_class); ); dnsSessionData->curr_rec_state = DNS_RESP_STATE_Q_NAME; - dnsSessionData->curr_rec++; + dnsSessionData->curr_rec++; } if (bytes_unused > 0) { @@ -1242,7 +1253,7 @@ { case DNS_RESP_STATE_RR_RDATA_START: DEBUG_WRAP( - DebugMessage(DEBUG_DNS, + DebugMessage(DEBUG_DNS, "DNS ANSWER RR %d: type %d, class %d, " "ttl %d rdlength %d\n", i, dnsSessionData->curr_rr.type, 
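Review bot: In the `@@ -906,7 +917,7 @@` hunk the changed line `dnsSessionData->curr_rr.ttl |= (uint8_t)*data << (4-dnsSessionData->bytes_seen_curr_rec)*8;` is undefined behaviour on a 32-bit `int`: `(uint8_t)*data` promotes to `int`, the first TTL byte is shifted by 24, and any byte with the high bit set — which an untrusted DNS response controls — produces a value `int` cannot represent (C11 6.5.7p4). Widening before the shift, `(uint32_t)(uint8_t)*data << (4-dnsSessionData->bytes_seen_curr_rec)*8;`, removes the UB, assuming `curr_rr.ttl` is a 32-bit unsigned field (spp_dns.h is not visible here to confirm). The enclosing response-parsing function starts and ends outside the hunk. The `INLINE` → `inline` change in `CheckDNSPort` (`@@ -471,7 +482,7 @@`) is fine under C99 but drops whatever fallback the old macro provided on compilers without the keyword.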
@@ -1298,7 +1309,7 @@ { case DNS_RESP_STATE_RR_RDATA_START: DEBUG_WRAP( - DebugMessage(DEBUG_DNS, + DebugMessage(DEBUG_DNS, "DNS AUTH RR %d: type %d, class %d, " "ttl %d rdlength %d\n", i, dnsSessionData->curr_rr.type, @@ -1354,7 +1365,7 @@ { case DNS_RESP_STATE_RR_RDATA_START: DEBUG_WRAP( - DebugMessage(DEBUG_DNS, + DebugMessage(DEBUG_DNS, "DNS ADDITONAL RR %d: type %d, class %d, " "ttl %d rdlength %d\n", i, dnsSessionData->curr_rr.type, @@ -1400,12 +1411,12 @@ return; } -/* Main runtime entry point for DNS preprocessor. - * Analyzes DNS packets for anomalies/exploits. - * +/* Main runtime entry point for DNS preprocessor. + * Analyzes DNS packets for anomalies/exploits. + * * PARAMETERS: * - * p: Pointer to current packet to process. + * p: Pointer to current packet to process. * context: Pointer to context block, not used. * * RETURNS: Nothing. @@ -1416,7 +1427,7 @@ uint8_t src = 0; uint8_t dst = 0; uint8_t known_port = 0; - uint8_t direction = 0; + uint8_t direction = 0; SFSnortPacket* p; #ifdef TARGET_BASED int16_t app_id = SFTARGET_UNKNOWN_PROTOCOL; @@ -1431,7 +1442,7 @@ return; dns_eval_config = config; - + p = (SFSnortPacket*) packetPtr; /* check if we have data to work with */ @@ -1440,7 +1451,7 @@ /* Attempt to get a previously allocated DNS block. If none exists, * allocate and register one with the stream layer. */ - dnsSessionData = _dpd.streamAPI->get_application_data( + dnsSessionData = _dpd.streamAPI->get_application_data( p->stream_session_ptr, PP_DNS ); if (dnsSessionData == NULL) @@ -1486,7 +1497,7 @@ return; } } - + /* For TCP, do a few extra checks... */ if (p->tcp_header) { @@ -1523,7 +1534,7 @@ } /* Get the direction of the packet. */ - direction = ( (p->flags & FLAG_FROM_SERVER ) ? + direction = ( (p->flags & FLAG_FROM_SERVER ) ? DNS_DIR_FROM_SERVER : DNS_DIR_FROM_CLIENT ); } else if (p->udp_header) 
@@ -1546,13 +1557,13 @@ } PREPROC_PROFILE_START(dnsPerfStats); - + /* Check the stream session. If it does not currently * have our DNS data-block attached, create one. */ if (dnsSessionData == NULL) dnsSessionData = GetDNSSessionData(p, config); - + if ( !dnsSessionData ) { /* Could not get/create the session data for this packet. */ @@ -1571,7 +1582,7 @@ { ParseDNSResponseMessage(p, dnsSessionData); } - + PREPROC_PROFILE_END(dnsPerfStats); } @@ -1615,7 +1626,7 @@ static int DnsFreeConfigPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { @@ -1705,7 +1716,7 @@ DynamicPreprocessorFatalMessage("Could not allocate memory for " "DNS configuration.\n"); } - + sfPolicyUserDataSetCurrent(dns_swap_config, pPolicyConfig); ParseDNSArgs(pPolicyConfig, (u_char *)argp); diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/dns/spp_dns.h snort-2.9.2/src/dynamic-preprocessors/dns/spp_dns.h --- snort-2.8.5.2/src/dynamic-preprocessors/dns/spp_dns.h 2009-05-06 22:28:57.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/dns/spp_dns.h 2011-02-09 23:23:17.000000000 +0000 @@ -1,7 +1,7 @@ /* $Id */ /* -** Copyright (C) 2006-2009 Sourcefire, Inc. +** Copyright (C) 2006-2011 Sourcefire, Inc. ** ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c --- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c 2009-01-26 16:26:15.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c 2011-06-08 00:33:13.000000000 +0000 
@@ -1,12 +1,12 @@ /* * ftp_bounce_lookup.c * - * Copyright (C) 2004-2009 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges * Daniel J. Roelker * Marc A. Norton * Kevin Liu - * + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as * published by the Free Software Foundation. You may not use, modify or @@ -38,6 +38,10 @@ #include #include +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_util_kmap.h" #include "ftpp_ui_config.h" #include "ftpp_return_codes.h" @@ -60,7 +64,7 @@ */ int ftp_bounce_lookup_init(BOUNCE_LOOKUP **BounceLookup) { - KMAP *km = KMapNew((KMapUserFreeFunc)FTPTelnetCleanupFTPBounceTo); + KMAP *km = KMapNew((KMapUserFreeFunc)FTPTelnetCleanupFTPBounceTo); *BounceLookup = km; if(*BounceLookup == NULL) { @@ -104,21 +108,21 @@ /* * Function: ftp_bounce_lookup_add(BOUNCE_LOOKUP *BounceLookup, - * char *ip, int len, + * char *ip, int len, * FTP_BOUNCE_TO *BounceTo) - * + * * Purpose: Add a bounce configuration to the list. IP is stored * in dot notation order. When the lookup happens, we * compare up to len bytes of the address. * * Arguments: BounceLookup => a pointer to the lookup structure - * IP => the ftp bounce address + * IP => the ftp bounce address * BounceTo => a pointer to the bounce configuration structure * * Returns: int => return code indicating error or success * */ -int ftp_bounce_lookup_add(BOUNCE_LOOKUP *BounceLookup, +int ftp_bounce_lookup_add(BOUNCE_LOOKUP *BounceLookup, snort_ip_p Ip, FTP_BOUNCE_TO *BounceTo) { int iRet; 
@@ -167,7 +171,7 @@ * */ FTP_BOUNCE_TO *ftp_bounce_lookup_find( - BOUNCE_LOOKUP *BounceLookup, snort_ip_p Ip, int *iError ) + BOUNCE_LOOKUP *BounceLookup, snort_ip_p Ip, int *iError ) { FTP_BOUNCE_TO *BounceTo = NULL; diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.h --- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.h 2009-01-26 16:26:15.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.h 2011-02-09 23:23:17.000000000 +0000 @@ -1,7 +1,7 @@ /* * ftp_bounce_lookup.h * - * Copyright (C) 2004-2009 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges * Daniel J. Roelker * Marc A. Norton diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftp_client.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftp_client.h --- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftp_client.h 2009-01-26 16:26:15.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftp_client.h 2011-02-09 23:23:17.000000000 +0000 @@ -1,7 +1,7 @@ /* * ftp_client.h * - * Copyright (C) 2004-2009 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges * Daniel J. Roelker * Marc A. Norton diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c --- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c 2009-01-26 16:26:15.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c 2011-06-08 00:33:13.000000000 +0000 
@@ -1,12 +1,12 @@ /* * ftp_cmd_lookup.c * - * Copyright (C) 2004-2009 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges * Daniel J. Roelker * Marc A. Norton * Kevin Liu - * + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as * published by the Free Software Foundation. You may not use, modify or @@ -38,6 +38,10 @@ #include #include +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_util_kmap.h" #include "ftpp_ui_config.h" #include "ftpp_return_codes.h" @@ -60,7 +64,7 @@ */ int ftp_cmd_lookup_init(CMD_LOOKUP **CmdLookup) { - KMAP *km = KMapNew((KMapUserFreeFunc)FTPTelnetCleanupFTPCMDConf); + KMAP *km = KMapNew((KMapUserFreeFunc)FTPTelnetCleanupFTPCMDConf); *CmdLookup = km; if(*CmdLookup == NULL) { @@ -104,9 +108,9 @@ /* * Function: ftp_cmd_lookup_add(CMD_LOOKUP *CmdLookup, - * char *ip, int len, + * char *ip, int len, * FTP_CMD_CONF *FTPCmd) - * + * * Purpose: Add a cmd configuration to the list. * We add these keys like you would normally think to add * them, because on low endian machines the least significant @@ -122,7 +126,7 @@ * Returns: int => return code indicating error or success * */ -int ftp_cmd_lookup_add(CMD_LOOKUP *CmdLookup, char *cmd, int len, +int ftp_cmd_lookup_add(CMD_LOOKUP *CmdLookup, char *cmd, int len, FTP_CMD_CONF *FTPCmd) { int iRet; 
@@ -171,7 +175,7 @@
 * matching IP if found, NULL otherwise.
 *
 */
-FTP_CMD_CONF *ftp_cmd_lookup_find(CMD_LOOKUP *CmdLookup,
+FTP_CMD_CONF *ftp_cmd_lookup_find(CMD_LOOKUP *CmdLookup,
 const char *cmd, int len, int *iError)
 {
 FTP_CMD_CONF *FTPCmd = NULL;
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.h
--- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.h 2009-01-26 16:26:15.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.h 2011-02-09 23:23:17.000000000 +0000
@@ -1,7 +1,7 @@
 /*
 * ftp_cmd_lookup.h
 *
- * Copyright (C) 2004-2009 Sourcefire, Inc.
+ * Copyright (C) 2004-2011 Sourcefire, Inc.
 * Steven A. Sturges
 * Daniel J. Roelker
 * Marc A. Norton
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_eo_events.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_eo_events.h
--- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_eo_events.h 2009-01-26 16:26:15.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_eo_events.h 2011-02-09 23:23:18.000000000 +0000
@@ -1,7 +1,7 @@
 /*
 * ftpp_eo_events.h
 *
- * Copyright (C) 2004-2009 Sourcefire, Inc.
+ * Copyright (C) 2004-2011 Sourcefire, Inc.
 * Steven A. Sturges
 * Daniel J. Roelker
 * Marc A. Norton
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_eo.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_eo.h
--- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_eo.h 2009-01-26 16:26:15.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_eo.h 2011-02-09 23:23:18.000000000 +0000
@@ -1,7 +1,7 @@ /* * ftpp_eo.h * - * Copyright (C) 2004-2009 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges * Daniel J. Roelker * Marc A. Norton diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.c snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.c --- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.c 2009-05-06 22:28:58.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.c 2011-06-08 00:33:13.000000000 +0000 @@ -1,7 +1,7 @@ /* * ftpp_eo_log.c * - * Copyright (C) 2004-2009 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges * Daniel J. Roelker * Marc A. Norton @@ -23,13 +23,13 @@ * * Description: * - * This file contains the event output functionality that + * This file contains the event output functionality that * FTPTelnet uses to log events and data associated with * the events. * * Log events, retrieve events, and select events that HttpInspect * generates. - * + * * Logging Events: * Since the object behind this is no memset()s, we have to rely on the * stack interface to make sure we don't log the same event twice. So @@ -44,6 +44,10 @@ */ #include +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "ftpp_si.h" #include "ftpp_eo.h" #include "ftpp_eo_events.h" @@ -64,7 +68,7 @@ * Any time that a new client event is added, we have to * add the event id and the priority here. If you want to * change either of those characteristics, you have to change - * them here. + * them here. */ static FTPP_EVENT_INFO ftp_event_info[FTP_EO_EVENT_NUM] = { { FTP_EO_TELNET_CMD, 
@@ -202,9 +206,9 @@ type->id; telnet_event_info[TELNET_EO_AYT_OVERFLOW].priority = type->priority; - telnet_event_info[TELNET_EO_SB_NO_SE].classification = + telnet_event_info[TELNET_EO_SB_NO_SE].classification = type->id; - telnet_event_info[TELNET_EO_SB_NO_SE].priority= + telnet_event_info[TELNET_EO_SB_NO_SE].priority= type->priority; } log_initialized = 1; @@ -314,7 +318,7 @@ gen_events.events = (FTPP_EVENT *)&(telnet_events->events); gen_events.stack = (int *)&(telnet_events->stack); gen_events.stack_count = telnet_events->stack_count; - event_info = &telnet_event_info[iEvent]; + event_info = &telnet_event_info[iEvent]; iRet = ftpp_eo_event_log(&gen_events, event_info, iEvent, data, free_data); @@ -362,7 +366,7 @@ gen_events.events = (FTPP_EVENT *)&(ftp_events->events); gen_events.stack = (int *)&(ftp_events->stack); gen_events.stack_count = ftp_events->stack_count; - event_info = &ftp_event_info[iEvent]; + event_info = &ftp_event_info[iEvent]; iRet = ftpp_eo_event_log(&gen_events, event_info, iEvent, data, free_data); diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.h --- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.h 2009-05-06 22:28:58.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.h 2011-02-09 23:23:18.000000000 +0000 @@ -1,7 +1,7 @@ /* * ftpp_eo_log.h * - * Copyright (C) 2004-2009 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges * Daniel J. Roelker * Marc A. Norton diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_include.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_include.h --- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_include.h 2009-01-26 16:26:16.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_include.h 2011-10-26 18:28:52.000000000 +0000 
@@ -1,7 +1,7 @@ /* * ftpp_include.h * - * Copyright (C) 2004-2009 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges * Daniel J. Roelker * Marc A. Norton @@ -32,13 +32,13 @@ #ifndef __FTP_INCLUDE_H__ #define __FTP_INCLUDE_H__ +#include "sf_types.h" #include "sf_ip.h" -#include "debug.h" +#include "snort_debug.h" #include "sf_snort_packet.h" #include "sf_dynamic_preprocessor.h" #define GENERATOR_SPP_FTPP_FTP 125 #define GENERATOR_SPP_FTPP_TELNET 126 -extern DynamicPreprocessorData _dpd; #endif diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_return_codes.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_return_codes.h --- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_return_codes.h 2009-01-26 16:26:16.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_return_codes.h 2011-02-09 23:23:18.000000000 +0000 @@ -1,7 +1,7 @@ /* * ftpp_return_codes.h * - * Copyright (C) 2004-2009 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges * Daniel J. Roelker * Marc A. Norton diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_si.c snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_si.c --- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_si.c 2009-08-10 20:41:48.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_si.c 2011-06-08 00:33:13.000000000 +0000 @@ -1,12 +1,12 @@ /* * ftpp_si.c * - * Copyright (C) 2004-2009 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges * Daniel J. Roelker * Marc A. Norton * Kevin Liu - * + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as * published by the Free Software Foundation. You may not use, modify or 
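Review bot: The ftpp_include.h hunk `@@ -32,13 +32,13 @@` drops `extern DynamicPreprocessorData _dpd;` without a replacement visible in this chunk, so every ftptelnet source that reaches `_dpd` through this header now depends on `sf_dynamic_preprocessor.h` (still included just above) to carry that declaration; that is plausible but not confirmable here. Since `_dpd` is the table through which the preprocessor logs and registers stream callbacks, a silent loss of the declaration would surface only as a link or implicit-declaration error on some platforms. A one-line comment next to the include would make the dependency explicit, e.g. `#include "sf_dynamic_preprocessor.h" /* provides the _dpd declaration formerly declared here */`.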
@@ -27,8 +27,8 @@ * This file contains functions to select server configurations * and begin the FTPTelnet process. * - * The Session Inspection Module interfaces with the Stream Inspection - * Module and the User Interface Module to select the appropriate + * The Session Inspection Module interfaces with the Stream Inspection + * Module and the User Interface Module to select the appropriate * FTPTelnet configuration and in the case of stateful inspection the * Session Inspection Module retrieves the user-data from the Stream * Module. For stateless inspection, the Session Inspection Module uses @@ -47,6 +47,10 @@ #include #include +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "ftpp_return_codes.h" #include "ftpp_ui_config.h" #include "ftpp_ui_client_lookup.h" @@ -96,9 +100,9 @@ * Function: TelnetFreeSession(void *preproc_session) * * Purpose: This function frees the data that is associated with a session. - * + * * Arguments: preproc_session => pointer to the session to free - * + * * Returns: None */ static void TelnetFreeSession(void *preproc_session) @@ -135,13 +139,13 @@ * initialized for a new Session. I've tried to keep this to * a minimum, so we don't have to worry about initializing big * structures. - * + * * Arguments: Session => pointer to the session to reset - * + * * Returns: int => return code indicating error or success * */ -static INLINE int TelnetResetSession(TELNET_SESSION *Session) +static inline int TelnetResetSession(TELNET_SESSION *Session) { Session->ft_ssn.proto = FTPP_SI_PROTO_TELNET; Session->telnet_conf = NULL; @@ -256,7 +260,7 @@ return FTPP_SUCCESS; } - + /* * Function: TelnetSessionInspection(Packet *p, 
@@ -342,10 +346,10 @@ #endif /* - * We get the server configuration and the session structure differently - * depending on what type of inspection we are doing. In the case of + * We get the server configuration and the session structure differently + * depending on what type of inspection we are doing. In the case of * stateful processing, we may get the session structure from the Stream - * Reassembly module (which includes the server configuration) or the + * Reassembly module (which includes the server configuration) or the * structure will be allocated and added to the stream pointer for the * rest of the session. * @@ -377,7 +381,7 @@ * the packet is a server response packet. * * Arguments: p => pointer to the Packet - * + * * Returns: int => return code indicating the mode * */ @@ -385,8 +389,8 @@ { if (p->payload_size >= 3) { - if (isdigit(p->payload[0]) && - isdigit(p->payload[1]) && + if (isdigit(p->payload[0]) && + isdigit(p->payload[1]) && isdigit(p->payload[2]) ) { return FTPP_SI_SERVER_MODE; @@ -400,9 +404,9 @@ } /* - * Function: FTPInitConf(Packet *p, FTPTELNET_GLOBAL_CONF *GlobalConf, - * FTP_CLIENT_PROTO_CONF **ClientConf, - * FTP_SERVER_PROTO_CONF **ServerConf, + * Function: FTPInitConf(Packet *p, FTPTELNET_GLOBAL_CONF *GlobalConf, + * FTP_CLIENT_PROTO_CONF **ClientConf, + * FTP_SERVER_PROTO_CONF **ServerConf, * FTPP_SI_INPUT *SiInput, int *piInspectMode) * * Purpose: When a session is initialized, we must select the appropriate @@ -410,8 +414,8 @@ * on the source and destination ports. * * IMPORTANT NOTE: - * We should check to make sure that there are some unique configurations, - * otherwise we can just default to the global default and work some magic + * We should check to make sure that there are some unique configurations, + * otherwise we can just default to the global default and work some magic * that way. * * Arguments: p => pointer to the Packet/Session 
@@ -422,13 +426,13 @@ * config so we can set it. * SiInput => pointer to the packet info * piInspectMode => pointer so we can set the inspection mode - * + * * Returns: int => return code indicating error or success * */ -static int FTPInitConf(SFSnortPacket *p, FTPTELNET_GLOBAL_CONF *GlobalConf, - FTP_CLIENT_PROTO_CONF **ClientConf, - FTP_SERVER_PROTO_CONF **ServerConf, +static int FTPInitConf(SFSnortPacket *p, FTPTELNET_GLOBAL_CONF *GlobalConf, + FTP_CLIENT_PROTO_CONF **ClientConf, + FTP_SERVER_PROTO_CONF **ServerConf, FTPP_SI_INPUT *SiInput, int *piInspectMode) { FTP_CLIENT_PROTO_CONF *ClientConfSip; @@ -462,14 +466,14 @@ sip = ntohl(sip); dip = ntohl(dip); #endif - + /* * We find the client configurations for both the source and dest IPs. * There should be a check on the global configuration to see if there * is at least one unique client configuration. If there isn't then we * assume the global client configuration. */ - ClientConfDip = ftpp_ui_client_lookup_find(GlobalConf->client_lookup, + ClientConfDip = ftpp_ui_client_lookup_find(GlobalConf->client_lookup, #ifdef SUP_IP6 &dip, #else @@ -501,7 +505,7 @@ * is at least one unique client configuration. If there isn't then we * assume the global client configuration. */ - ServerConfDip = ftpp_ui_server_lookup_find(GlobalConf->server_lookup, + ServerConfDip = ftpp_ui_server_lookup_find(GlobalConf->server_lookup, #ifdef SUP_IP6 &dip, #else @@ -534,8 +538,8 @@ * is a sort of problem. We don't know which side is the client and which * side is the server so we have to assume one. * - * In stateful processing, we only do this stage on the startup of a - * session, so we can still assume that the initial packet is the client + * In stateful processing, we only do this stage on the startup of a + * session, so we can still assume that the initial packet is the client * talking. */ iServerDip = PortMatch((PROTO_CONF*)ServerConfDip, SiInput->dport); 
@@ -562,16 +566,16 @@ if (app_id == ftp_app_id || app_id == 0) { #endif - + /* - * We check for the case where both SIP and DIP + * We check for the case where both SIP and DIP * appear to be servers. In this case, we assume server * and process that way. */ if(iServerSip && iServerDip) { /* - * We check for the case where both SIP and DIP + * We check for the case where both SIP and DIP * appear to be servers. In this case, we look at * the first few bytes of the packet to try to * determine direction -- 3 digits indicate server @@ -583,7 +587,7 @@ * a server response mid-stream. */ *piInspectMode = FTPGetPacketDir(p); - if (*piInspectMode == FTPP_SI_SERVER_MODE) + if (*piInspectMode == FTPP_SI_SERVER_MODE) { /* Packet is from server --> src is Server */ *ClientConf = ClientConfDip; @@ -670,7 +674,7 @@ *ServerConf = NULL; break; } - + return iRet; } @@ -678,9 +682,9 @@ * Function: FTPFreeSession(void *preproc_session) * * Purpose: This function frees the data that is associated with a session. - * + * * Arguments: preproc_session => pointer to the session to free - * + * * Returns: None */ static void FTPFreeSession(void *preproc_session) @@ -718,14 +722,14 @@ * initialized for a new Session. I've tried to keep this to * a minimum, so we don't have to worry about initializing big * structures. - * + * * Arguments: FtpSession => pointer to the session to reset * first => indicator whether this is a new conf - * + * * Returns: int => return code indicating error or success * */ -static INLINE int FTPResetSession(FTP_SESSION *FtpSession) +static inline int FTPResetSession(FTP_SESSION *FtpSession) { FtpSession->ft_ssn.proto = FTPP_SI_PROTO_FTP; @@ -874,7 +878,7 @@ return FTPP_SUCCESS; } - + /* * Function: FTPSessionInspection(Packet *p, 
@@ -910,10 +914,10 @@ int iRet; /* - * We get the server configuration and the session structure differently - * depending on what type of inspection we are doing. In the case of + * We get the server configuration and the session structure differently + * depending on what type of inspection we are doing. In the case of * stateful processing, we may get the session structure from the Stream - * Reassembly module (which includes the server configuration) or the + * Reassembly module (which includes the server configuration) or the * structure will be allocated and added to the stream pointer for the * rest of the session. * diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_si.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_si.h --- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_si.h 2009-05-06 22:28:58.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_si.h 2011-02-09 23:23:18.000000000 +0000 @@ -1,7 +1,7 @@ /* * ftpp_si.h * - * Copyright (C) 2004-2009 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges * Daniel J. Roelker * Marc A. Norton diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c --- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c 2009-07-07 15:37:06.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c 2011-06-08 00:33:13.000000000 +0000 @@ -1,12 +1,12 @@ /* * ftpp_ui_client_lookup.c * - * Copyright (C) 2004-2009 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges * Daniel J. Roelker * Marc A. Norton * Kevin Liu - * + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as * published by the Free Software Foundation. You may not use, modify or 
@@ -38,6 +38,10 @@ #include #include +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_util_kmap.h" #include "ftpp_ui_config.h" #include "ftpp_return_codes.h" @@ -104,9 +108,9 @@ /* * Function: ftpp_ui_client_lookup_add(CLIENT_LOOKUP *ClientLookup, - * char *ip, int len, + * char *ip, int len, * FTP_CLIENT_PROTO_CONF *ClientConf) - * + * * Purpose: Add a client configuration to the list. * We add these keys like you would normally think to add * them, because on low endian machines the least significant @@ -116,16 +120,16 @@ * * Arguments: ClientLookup => a pointer to the lookup structure * IP => the ftp client address - * len => Length of the address + * len => Length of the address * ClientConf => a pointer to the client configuration structure * * Returns: int => return code indicating error or success * */ int ftpp_ui_client_lookup_add( - CLIENT_LOOKUP *ClientLookup, + CLIENT_LOOKUP *ClientLookup, sfip_t* Ip, FTP_CLIENT_PROTO_CONF *ClientConf -) +) { int iRet; @@ -182,7 +186,7 @@ * */ -FTP_CLIENT_PROTO_CONF *ftpp_ui_client_lookup_find(CLIENT_LOOKUP *ClientLookup, +FTP_CLIENT_PROTO_CONF *ftpp_ui_client_lookup_find(CLIENT_LOOKUP *ClientLookup, snort_ip_p Ip, int *iError) { FTP_CLIENT_PROTO_CONF *ClientConf = NULL; @@ -214,7 +218,7 @@ } #if 0 -/** Obsoleted. After changing underlying KMAP to SFRT. SFRT provides an iterator with +/** Obsoleted. After changing underlying KMAP to SFRT. SFRT provides an iterator with * a callback function but does not support getFirst, getNext operations. */ /* 
@@ -301,11 +305,11 @@ return ClientConf; } -#endif +#endif -/**Free pData buffer, which may be referenced multiple times. ReferenceCount - * is the number of times the buffer is referenced. For freeing the buffer, - * we just decrement referenceCount till it reaches 0, at which time the +/**Free pData buffer, which may be referenced multiple times. ReferenceCount + * is the number of times the buffer is referenced. For freeing the buffer, + * we just decrement referenceCount till it reaches 0, at which time the * buffer is also freed. */ static void clientConfFree(void *pData) diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h --- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h 2009-01-26 16:26:16.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h 2011-02-09 23:23:18.000000000 +0000 @@ -1,7 +1,7 @@ /* * ftpp_ui_client_lookup.h * - * Copyright (C) 2004-2009 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges * Daniel J. Roelker * Marc A. Norton diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c --- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c 2009-05-06 22:28:58.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c 2011-06-08 00:33:13.000000000 +0000 @@ -1,7 +1,7 @@ /* * ftpp_ui_config.c * - * Copyright (C) 2004-2009 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges * Daniel J. Roelker * Marc A. Norton @@ -42,6 +42,10 @@ #include #endif +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "ftpp_return_codes.h" #include "ftpp_ui_client_lookup.h" #include "ftpp_ui_server_lookup.h" 
@@ -88,7 +92,7 @@ * of FTPTelnet, you must change this function. * * Arguments: GlobalConf => pointer to the global configuration structure - * + * * Returns: int => return code indicating error or success * */ @@ -147,7 +151,7 @@ return FTPP_SUCCESS; } - + /* * Function: ftpp_ui_config_reset_telnet_proto(TELNET_PROTO_CONF *TelnetConf) * diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h --- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h 2009-05-06 22:28:59.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h 2011-06-08 00:33:13.000000000 +0000 @@ -1,12 +1,12 @@ /* * ftpp_ui_config.h * - * Copyright (C) 2004-2009 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges * Daniel J. Roelker * Marc A. Norton * Kevin Liu - * + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as * published by the Free Software Foundation. You may not use, modify or @@ -44,6 +44,7 @@ #include "hi_util_kmap.h" #include "ipv6_port.h" #include "sfrt.h" +#include "snort_bounds.h" /* * Defines @@ -116,7 +117,7 @@ * * If you need to check validity for a server that uses the TZ format, * use the following: - * + * * cmd_validity MDTM < [ date nnnnnnnnnnnnnn[{+|-}n[n]] ] string > * * Format uses the following: @@ -216,7 +217,7 @@ PROTO_CONF proto_ports; char *serverAddr; - + unsigned int def_max_param_len; unsigned int max_cmd_len; 
@@ -229,10 +230,10 @@ int data_chan; /**Counts references to this allocated data structure. Each additional - * reference should increment referenceCount. Each attempted free should - * decrement it. When reference count reaches 0, then this - * data structure should be freed. - */ + * reference should increment referenceCount. Each attempted free should + * decrement it. When reference count reaches 0, then this + * data structure should be freed. + */ int referenceCount; } FTP_SERVER_PROTO_CONF; @@ -266,10 +267,10 @@ BOUNCE_LOOKUP *bounce_lookup; /**Counts references to this allocated data structure. Each additional - * reference should increment referenceCount. Each attempted free should - * decrement it. When reference count reaches 0, then this - * data structure should be freed. - */ + * reference should increment referenceCount. Each attempted free should + * decrement it. When reference count reaches 0, then this + * data structure should be freed. + */ int referenceCount; } FTP_CLIENT_PROTO_CONF; @@ -289,7 +290,7 @@ int ayt_threshold; char detect_anomalies; - + } TELNET_PROTO_CONF; /* @@ -312,7 +313,7 @@ uint32_t ref_count; -} FTPTELNET_GLOBAL_CONF; +} FTPTELNET_GLOBAL_CONF; /* diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c --- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c 2009-07-07 15:37:06.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c 2011-06-08 00:33:13.000000000 +0000 @@ -1,10 +1,10 @@ /* * ftpp_ui_server_lookup.c * - * Copyright (C) 2004-2009 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges * Kevin Liu - * + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as * published by the Free Software Foundation. You may not use, modify or 
@@ -36,6 +36,10 @@ #include #include +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_util_kmap.h" #include "ftpp_ui_config.h" #include "ftpp_return_codes.h" @@ -101,9 +105,9 @@ /* * Function: ftpp_ui_server_lookup_add(SERVER_LOOKUP *ServerLookup, - * char *ip, int len, + * char *ip, int len, * FTP_SERVER_PROTO_CONF *ServerConf) - * + * * Purpose: Add a server configuration to the list. * We add these keys like you would normally think to add * them, because on low endian machines the least significant @@ -113,14 +117,14 @@ * * Arguments: ServerLookup => a pointer to the lookup structure * IP => the ftp server address - * len => Length of the address + * len => Length of the address * ServerConf => a pointer to the server configuration structure * * Returns: int => return code indicating error or success * */ int ftpp_ui_server_lookup_add( - SERVER_LOOKUP *ServerLookup, sfip_t* Ip, FTP_SERVER_PROTO_CONF *ServerConf ) + SERVER_LOOKUP *ServerLookup, sfip_t* Ip, FTP_SERVER_PROTO_CONF *ServerConf ) { int iRet; @@ -163,7 +167,7 @@ */ FTP_SERVER_PROTO_CONF *ftpp_ui_server_lookup_find( SERVER_LOOKUP *ServerLookup, snort_ip_p Ip, int *iError -) +) { FTP_SERVER_PROTO_CONF *ServerConf = NULL; @@ -198,14 +202,14 @@ * all elements. * * @param ServerLookup => a pointer to the lookup structure - * @param userfunc => user defined callback function + * @param userfunc => user defined callback function * @param iError => a pointer to an error code * * @returns iError => return code indicating error or success * */ void ftpp_ui_server_iterate( - SERVER_LOOKUP *ServerLookup, + SERVER_LOOKUP *ServerLookup, sfrt_iterator_callback userfunc, int *iError ) @@ -227,7 +231,7 @@ } #if 0 -/** Obsoleted. After changing underlying KMAP to SFRT. SFRT provides an iterator with +/** Obsoleted. After changing underlying KMAP to SFRT. SFRT provides an iterator with * a callback function but does not support getFirst, getNext operations. */ 
@@ -315,11 +319,11 @@
 return ServerConf;
 }
-#endif
+#endif
-/**Free pData buffer, which may be referenced multiple times. ReferenceCount
- * is the number of times the buffer is referenced. For freeing the buffer,
- * we just decrement referenceCount till it reaches 0, at which time the
+/**Free pData buffer, which may be referenced multiple times. ReferenceCount
+ * is the number of times the buffer is referenced. For freeing the buffer,
+ * we just decrement referenceCount till it reaches 0, at which time the
 * buffer is also freed.
 */
 static void serverConfFree(void *pData)
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h
--- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h 2009-01-26 16:26:17.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h 2011-02-09 23:23:19.000000000 +0000
@@ -1,7 +1,7 @@
 /*
 * ftpp_ui_server_lookup.h
 *
- * Copyright (C) 2004-2009 Sourcefire, Inc.
+ * Copyright (C) 2004-2011 Sourcefire, Inc.
 * Steven A. Sturges
 * Kevin Liu
 *
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftp_server.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftp_server.h
--- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/ftp_server.h 2009-01-26 16:26:15.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftp_server.h 2011-02-09 23:23:17.000000000 +0000
@@ -1,7 +1,7 @@
 /*
 * ftp_server.h
 *
- * Copyright (C) 2004-2009 Sourcefire, Inc.
+ * Copyright (C) 2004-2011 Sourcefire, Inc.
 * Steven A. Sturges
 * Daniel J. Roelker
 * Marc A. Norton
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c snort-2.9.2/src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c
--- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c 2009-05-06 22:28:59.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c 2011-06-08 00:33:13.000000000 +0000
@@ -1,6 +1,6 @@
 /****************************************************************************
 *
- * Copyright (C) 2005-2009 Sourcefire, Inc.
+ * Copyright (C) 2005-2011 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
@@ -18,12 +18,12 @@
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 ****************************************************************************/
-
+
 /*
 *
 * kmap.c - a generic map library - maps key + data pairs
-*
-* Uses Lexical Keyword Trie
+*
+* Uses Lexical Keyword Trie
 * The tree uses linked lists to build the finite automata
 *
 * MapKeyFind(): Performs a setwise strcmp() equivalant.
@@ -36,7 +36,7 @@
 * and independent of the number of keys in the table.
 * May use more memory than a hash table, depends.
 * Memory is allocated as needed, so none is wasted.
-*
+*
 * Author: Marc Norton
 *
 */
@@ -45,12 +45,16 @@
 #include
 #include
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
 #include "hi_util_kmap.h"
 #include "hi_util_xmalloc.h"
 //#define MEMASSERT(p) if(!p){printf("KMAP-No Memory: File: %s Line:%d!\n",__FILE__,__LINE__);exit(0);}
-#define MEMASSERT(p)
+#define MEMASSERT(p)
 #define LOWERCASE tolower
 /*
@@ -59,11 +63,11 @@
 static void * s_malloc( int n )
 {
 void * p;
-
+
 p = xmalloc( n );
-
+
 MEMASSERT(p);
-
+
 return p;
 }
@@ -80,13 +84,13 @@
 KMAP * KMapNew( KMapUserFreeFunc userfree )
 {
 KMAP * km = (KMAP*) s_malloc( sizeof(KMAP) );
-
+
 if( !km ) return 0;
-
- memset(km, 0, sizeof(KMAP));
-
+
+ memset(km, 0, sizeof(KMAP));
+
 km->userfree = userfree;
-
+
 return km;
 }
 /*
@@ -103,7 +107,7 @@
 static int KMapFreeNodeList(KMAP * km )
 {
 KEYNODE * k, *kold;
-
+
 for( k=km->keylist; k; )
 {
 if( k->key )
@@ -112,13 +116,13 @@
 }
 if( km->userfree && k->userdata )
 {
- km->userfree( k->userdata );
+ km->userfree( k->userdata );
 }
 kold = k;
 k = k->next;
 s_free(kold);
 }
-
+
 return 0;
 }
 /*
@@ -130,14 +134,14 @@
 {
 KMapFreeNode( km, r->sibling );
 }
-
+
 if( r->child )
 {
 KMapFreeNode( km, r->child );
 }
-
+
 s_free( r );
-}
+}
 /*
 * Free the KMAP and all of it's memory and nodes
 */
@@ -145,20 +149,20 @@
 {
 KMAPNODE * r;
 int i;
-
+
 /* Free the tree - on root node at a time */
 for(i=0;i<256;i++)
 {
 r = km->root[i];
 if( r )
- {
- KMapFreeNode(km,r);
+ {
+ KMapFreeNode(km,r);
 }
 }
-
+
 /* Free the node list */
 KMapFreeNodeList( km );
-
+
 s_free(km);
 }
@@ -168,24 +172,24 @@
 static KEYNODE * KMapAddKeyNode(KMAP * km,void * key, int n, void * userdata )
 {
 KEYNODE * knode = (KEYNODE*) s_malloc( sizeof(KEYNODE) );
-
- if( !knode || n < 0 )
+
+ if( !knode || n < 0 )
 return 0;
-
- memset(knode, 0, sizeof(KEYNODE) );
-
+
+ memset(knode, 0, sizeof(KEYNODE) );
+
 knode->key = (unsigned char*)s_malloc(n); // Alloc the key space
- if( !knode->key )
+ if( !knode->key )
 {
 free(knode);
 return 0;
 }
-
+
 memcpy(knode->key,key,n); // Copy the key
 knode->nkey = n;
 knode->userdata = userdata;
-
- if( km->keylist ) // Insert at front of list
+
+ if( km->keylist ) // Insert at front of list
 {
 knode->next = km->keylist;
 km->keylist = knode;
@@ -194,7 +198,7 @@
 {
 km->keylist = knode;
 }
-
+
 return knode;
 }
 /*
@@ -203,14 +207,14 @@
 static KMAPNODE * KMapCreateNode(KMAP * km)
 {
 KMAPNODE * mn=(KMAPNODE*)s_malloc( sizeof(KMAPNODE) );
-
+
 if(!mn)
 return NULL;
-
+
 memset(mn,0,sizeof(KMAPNODE));
-
+
 km->nchars++;
-
+
 return mn;
 }
@@ -233,26 +237,26 @@
 unsigned char *P = (unsigned char *)key;
 KMAPNODE *root;
 unsigned char xkey[256];
-
+
 if( n <= 0 )
 {
 n = strlen( (char*) key );
 if( n > (int)sizeof(xkey) )
 return -99;
 }
-
+
 if( km->nocase )
 {
 for(i=0;iroot[ *P ] )
 {
@@ -261,13 +265,13 @@
 return -1;
 km->root[ *P ] = root;
 root->nodechar = *P;
-
+
 }else{
-
+
 root = km->root[ *P ];
 }
-
- /* Walk exisitng Patterns */
+
+ /* Walk exisitng Patterns */
 while( n )
 {
 if( root->nodechar == *P )
@@ -277,12 +281,12 @@
 n--;
 if( n && root->child )
 {
- root=root->child;
+ root=root->child;
 }
 else /* cannot continue */
 {
 type = 0; /* Expand the tree via the child */
- break;
+ break;
 }
 }
 else
@@ -294,13 +298,13 @@
 else /* cannot continue */
 {
 type = 1; /* Expand the tree via the sibling */
- break;
+ break;
 }
 }
 }
-
-
- /*
+
+
+ /*
 * Add the next char of the Keyword, if any
 */
 if( n )
@@ -308,7 +312,7 @@
 if( type == 0 )
 {
 /*
- * Start with a new child to finish this Keyword
+ * Start with a new child to finish this Keyword
 */
 //printf("added child branch nodechar = %c \n",*P);
 root->child= KMapCreateNode( km );
@@ -320,9 +324,9 @@
 n--;
 }
 else
- {
+ {
 /*
- * Start a new sibling bracnch to finish this Keyword
+ * Start a new sibling bracnch to finish this Keyword
 */
 //printf("added sibling branch nodechar = %c \n",*P);
 root->sibling= KMapCreateNode( km );
@@ -334,7 +338,7 @@
 n--;
 }
 }
-
+
 /*
 * Finish the keyword as child nodes
 */
@@ -349,24 +353,24 @@
 P++;
 n--;
 }
-
- /*
- * Iteration support - Add this key/data to the linked list
- * This allows us to do a findfirst/findnext search of
+
+ /*
+ * Iteration support - Add this key/data to the linked list
+ * This allows us to do a findfirst/findnext search of
 * all map nodes.
 */
 if( root->knode ) /* Already present */
 return 1;
-
+
 root->knode = KMapAddKeyNode( km, key, ksize, userdata );
 if( !root->knode )
 return -1;
-
+
 return 0;
 }
 /*
-* Exact Keyword Match - unique keys, with just one piece of
+* Exact Keyword Match - unique keys, with just one piece of
 * 'userdata' , for multiple entries, we could use a list
 * of 'userdata' nodes.
 */
@@ -376,27 +380,27 @@
 KMAPNODE * root;
 unsigned char xkey[256];
 int i;
-
+
 if( n <= 0 )
 {
 n = strlen( (char*)key );
 if( n > (int)sizeof(xkey) )
 return 0;
-
+
 }
 if( ks->nocase )
 {
 for(i=0;iroot[ *T ];
 if( !root ) return NULL;
-
+
 while( n )
 {
 if( root->nodechar == *T )
@@ -405,11 +409,11 @@
 n--;
 if( n && root->child )
 {
- root = root->child;
+ root = root->child;
 }
 else /* cannot continue -- match is over */
 {
- break;
+ break;
 }
 }
 else
@@ -420,17 +424,17 @@
 }
 else /* cannot continue */
 {
- break;
+ break;
 }
 }
 }
-
+
 if( !n )
 {
 if (root && root->knode)
 return root->knode->userdata; /* success */
 }
-
+
 return NULL;
 }
 /*
@@ -439,12 +443,12 @@
 KEYNODE * KMapFindFirstKey( KMAP * km )
 {
 km->keynext = km->keylist;
-
+
 if(!km->keynext)
 {
 return NULL;
 }
-
+
 return km->keynext;
 }
 /*
@@ -453,12 +457,12 @@
 void * KMapFindFirst( KMAP * km )
 {
 km->keynext = km->keylist;
-
+
 if(!km->keynext)
 {
 return NULL;
 }
-
+
 return km->keynext->userdata;
 }
 /*
@@ -468,12 +472,12 @@
 {
 if( !km->keynext )
 return 0;
-
- km->keynext = km->keynext->next;
-
+
+ km->keynext = km->keynext->next;
+
 if( !km->keynext )
 return 0;
-
+
 return km->keynext;
 }
 /*
@@ -483,12 +487,12 @@
 {
 if( !km->keynext )
 return 0;
-
- km->keynext = km->keynext->next;
-
+
+ km->keynext = km->keynext->next;
+
 if( !km->keynext )
 return 0;
-
+
 return km->keynext->userdata;
 }
@@ -504,18 +508,18 @@
 char str[80];
 str[79] = '\0';
-
+
 printf("usage: kmap nkeys (default=10)\n\n");
-
+
 km = KMapNew( free ); /* use 'free' to free 'userdata' */
-
+
 KMapSetNoCase(km,1); //need to add xlat....
-
+
 if( argc > 1 )
 {
 n = atoi(argv[1]);
 }
-
+
 for(i=1;i<=n;i++)
 {
 snprintf(str, sizeof(str) - 1, "KeyWord%d",i);
@@ -523,7 +527,7 @@
 printf("Adding Key=%s\n",str);
 }
 printf("xmem: %u bytes, %d chars\n",xmalloc_bytes(),km->nchars);
-
+
 printf("\nKey Find test...\n");
 for(i=1;i<=n;i++)
 {
@@ -532,7 +536,7 @@
 if(p)printf("key=%s, data=%*s\n",str,strlen(str),p);
 else printf("'%s' NOT found.\n",str);
 }
-
+
 KMapSetNoCase(km,0); // this should fail all key searches
 printf("\nKey Find test2...\n");
 for(i=1;i<=n;i++)
@@ -542,19 +546,19 @@
 if(p)printf("key=%s, data=%*s\n",str,strlen(str),p);
 else printf("'%s' NOT found.\n",str);
 }
-
+
 printf("\nKey FindFirst/Next test...\n");
 for(p = (char*) KMapFindFirst(km); p; p=(char*)KMapFindNext(km) )
 printf("data=%s\n",p);
-
+
 printf("\nKey FindFirst/Next test done.\n");
-
+
 KMapDelete( km );
-
+
 printf("xmem: %u bytes\n",xmalloc_bytes());
-
+
 printf("normal pgm finish.\n");
-
+
 return 0;
 }
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h
--- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h 2009-01-26 16:26:17.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h 2011-02-09 23:23:19.000000000 +0000
@@ -1,6 +1,6 @@
 /****************************************************************************
 *
- * Copyright (C) 2005-2009 Sourcefire, Inc.
+ * Copyright (C) 2005-2011 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c snort-2.9.2/src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c
--- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c 2009-05-06 22:28:59.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c 2011-06-08 00:33:13.000000000 +0000
@@ -1,6 +1,6 @@
 /****************************************************************************
 *
- * Copyright (C) 2005-2009 Sourcefire, Inc.
+ * Copyright (C) 2005-2011 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
@@ -18,7 +18,7 @@
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 ****************************************************************************/
-
+
 /*
 ** util.c
 */
@@ -28,6 +28,10 @@
 #include
 #include
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
 //#define MDEBUG
 static unsigned msize=0;
@@ -78,14 +82,14 @@
 msize -= *q;
 free(q);
-
+
 #else
-
+
 free(p);
 #endif
-
+
 }
 void xshowmem(void)
@@ -102,7 +106,7 @@
 data_size = strlen(str) + 1;
 data = (char *)xmalloc(data_size);
-
+
 if(data == NULL)
 {
 return NULL;
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.h
--- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.h 2009-05-06 22:28:59.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.h 2011-02-09 23:23:19.000000000 +0000
@@ -16,7 +16,7 @@
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
- * Copyright (C) 2005-2009 Sourcefire, Inc.
+ * Copyright (C) 2005-2011 Sourcefire, Inc.
 *
 */
 #ifndef __HI_UTIL_XMALLOC_H__
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/Makefile.am snort-2.9.2/src/dynamic-preprocessors/ftptelnet/Makefile.am
--- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/Makefile.am 2009-05-06 22:28:57.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/Makefile.am 2011-07-13 22:44:51.000000000 +0000
@@ -1,27 +1,23 @@
 ## $Id
 AUTOMAKE_OPTIONS=foreign no-dependencies
-INCLUDES = -I../include -I./includes
+INCLUDES = -I../include -I${srcdir}/../libs -I$(srcdir)/includes
 libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor
 lib_LTLIBRARIES = libsf_ftptelnet_preproc.la
-libsf_ftptelnet_preproc_la_LDFLAGS = -module
-
-BUILT_SOURCES = \
-sf_dynamic_preproc_lib.c \
-sf_ip.c \
-sfrt.c \
-sfrt_dir.c \
-sfPolicyUserData.c
-
+libsf_ftptelnet_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@
+if SO_WITH_STATIC_LIB
+libsf_ftptelnet_preproc_la_LIBADD = ../libsf_dynamic_preproc.la
+else
 nodist_libsf_ftptelnet_preproc_la_SOURCES = \
-sf_dynamic_preproc_lib.c \
-sf_ip.c \
-sfrt.c \
-sfrt_dir.c \
-sfPolicyUserData.c
+../include/sf_dynamic_preproc_lib.c \
+../include/sf_ip.c \
+../include/sfrt.c \
+../include/sfrt_dir.c \
+../include/sfPolicyUserData.c
+endif
 libsf_ftptelnet_preproc_la_SOURCES = \
 ftp_bounce_lookup.c \
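Review bot: The new `INCLUDES` line in the Makefile.am hunk mixes the `${srcdir}` and `$(srcdir)` spellings for the same variable, and it keeps `-I../include` relative to the build directory while the two new entries are anchored to the source directory. In an out-of-tree (VPATH) build the headers under `../include` would presumably only be found if they also exist in the build tree, which the nodist `../include/*.c` sources below suggest is not assumed, so `INCLUDES = -I$(srcdir)/../include -I$(srcdir)/../libs -I$(srcdir)/includes` looks like the consistent form. A one-line comment above `if SO_WITH_STATIC_LIB` saying that the non-static build compiles private copies of the shared sources listed under `nodist_..._SOURCES` would also help, since nothing else in this file explains why the two branches differ.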
@@ -55,32 +51,11 @@ snort_ftptelnet.c \ snort_ftptelnet.h \ spp_ftptelnet.c \ -spp_ftptelnet.h \ -sf_preproc_info.h +spp_ftptelnet.h EXTRA_DIST = \ sf_ftptelnet.dsp -sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c - cp $? $@ - -sf_ip.c: ../include/sf_ip.c - cp $? $@ - -sfrt.c: ../include/sfrt.c - cp $? $@ - -sfrt_dir.c: ../include/sfrt_dir.c - cp $? $@ - -sfPolicyUserData.c: ../include/sfPolicyUserData.c - cp $? $@ - -all-local: +all-local: $(LTLIBRARIES) $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES -clean-local: - rm -f sf_dynamic_preproc_lib.c sf_ip.c sfrt.c sfrt_dir.c sfPolicyUserData.c - -DIST_SUBDIRS = . - diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/Makefile.in snort-2.9.2/src/dynamic-preprocessors/ftptelnet/Makefile.in --- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/Makefile.in 2009-10-19 21:18:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/Makefile.in 2011-12-07 19:23:19.000000000 +0000 @@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -16,8 +17,9 @@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c 
@@ -33,7 +35,6 @@ build_triplet = @build@ host_triplet = @host@ subdir = src/dynamic-preprocessors/ftptelnet -SUBDIRS = DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/libprelude.m4 \ 
@@ -43,23 +44,41 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; -am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(libdir)" -libLTLIBRARIES_INSTALL = $(INSTALL) LTLIBRARIES = $(lib_LTLIBRARIES) -libsf_ftptelnet_preproc_la_LIBADD = +@SO_WITH_STATIC_LIB_TRUE@libsf_ftptelnet_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la am_libsf_ftptelnet_preproc_la_OBJECTS = ftp_bounce_lookup.lo \ ftp_cmd_lookup.lo ftpp_eo_log.lo ftpp_si.lo \ ftpp_ui_client_lookup.lo ftpp_ui_config.lo \ ftpp_ui_server_lookup.lo hi_util_kmap.lo hi_util_xmalloc.lo \ pp_ftp.lo pp_telnet.lo snort_ftptelnet.lo spp_ftptelnet.lo -nodist_libsf_ftptelnet_preproc_la_OBJECTS = sf_dynamic_preproc_lib.lo \ - sf_ip.lo sfrt.lo sfrt_dir.lo sfPolicyUserData.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_ftptelnet_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo sf_ip.lo \ +@SO_WITH_STATIC_LIB_FALSE@ 
sfrt.lo sfrt_dir.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo libsf_ftptelnet_preproc_la_OBJECTS = \ $(am_libsf_ftptelnet_preproc_la_OBJECTS) \ $(nodist_libsf_ftptelnet_preproc_la_OBJECTS) @@ -67,7 +86,7 @@ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(AM_CFLAGS) $(CFLAGS) $(libsf_ftptelnet_preproc_la_LDFLAGS) \ $(LDFLAGS) -o $@ -DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = am__depfiles_maybe = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ @@ -82,15 +101,6 @@ SOURCES = $(libsf_ftptelnet_preproc_la_SOURCES) \ $(nodist_libsf_ftptelnet_preproc_la_SOURCES) DIST_SOURCES = $(libsf_ftptelnet_preproc_la_SOURCES) -RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \ - html-recursive info-recursive install-data-recursive \ - install-dvi-recursive install-exec-recursive \ - install-html-recursive install-info-recursive \ - install-pdf-recursive install-ps-recursive install-recursive \ - installcheck-recursive installdirs-recursive pdf-recursive \ - ps-recursive uninstall-recursive -RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ - distclean-recursive maintainer-clean-recursive ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) 
@@ -103,31 +113,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ -INCLUDES = -I../include -I./includes +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs -I$(srcdir)/includes INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ @@ -140,12 +150,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -153,20 +169,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -198,6 +221,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ 
@@ -210,24 +234,19 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies lib_LTLIBRARIES = libsf_ftptelnet_preproc.la -libsf_ftptelnet_preproc_la_LDFLAGS = -module -BUILT_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sf_ip.c \ -sfrt.c \ -sfrt_dir.c \ -sfPolicyUserData.c - -nodist_libsf_ftptelnet_preproc_la_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sf_ip.c \ -sfrt.c \ -sfrt_dir.c \ -sfPolicyUserData.c +libsf_ftptelnet_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +@SO_WITH_STATIC_LIB_TRUE@libsf_ftptelnet_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_ftptelnet_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_ip.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfrt.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfrt_dir.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c libsf_ftptelnet_preproc_la_SOURCES = \ ftp_bounce_lookup.c \ @@ -261,15 +280,12 @@ snort_ftptelnet.c \ snort_ftptelnet.h \ spp_ftptelnet.c \ -spp_ftptelnet.h \ -sf_preproc_info.h +spp_ftptelnet.h EXTRA_DIST = \ sf_ftptelnet.dsp -DIST_SUBDIRS = . -all: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) all-recursive +all: all-am .SUFFIXES: .SUFFIXES: .c .lo .o .obj 
@@ -277,14 +293,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/ftptelnet/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/dynamic-preprocessors/ftptelnet/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/ftptelnet/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-preprocessors/ftptelnet/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ 
@@ -302,23 +318,28 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): install-libLTLIBRARIES: $(lib_LTLIBRARIES) @$(NORMAL_INSTALL) test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ if test -f $$p; then \ - f=$(am__strip_dir) \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \ + list2="$$list2 $$p"; \ else :; fi; \ - done + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } uninstall-libLTLIBRARIES: @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p=$(am__strip_dir) \ - echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \ - $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \ + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ done clean-libLTLIBRARIES: 
@@ -347,139 +368,75 @@ .c.lo: $(LTCOMPILE) -c -o $@ $< +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +sf_ip.lo: ../include/sf_ip.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_ip.lo `test -f '../include/sf_ip.c' || echo '$(srcdir)/'`../include/sf_ip.c + +sfrt.lo: ../include/sfrt.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfrt.lo `test -f '../include/sfrt.c' || echo '$(srcdir)/'`../include/sfrt.c + +sfrt_dir.lo: ../include/sfrt_dir.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfrt_dir.lo `test -f '../include/sfrt_dir.c' || echo '$(srcdir)/'`../include/sfrt_dir.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs -# This directory's subdirectories are mostly independent; you can cd -# into them and run `make' without going through this Makefile. 
-# To change the values of `make' variables: instead of editing Makefiles, -# (1) if the variable is set in `config.status', edit `config.status' -# (which will cause the Makefiles to be regenerated when you run `make'); -# (2) otherwise, pass the desired values on the `make' command line. -$(RECURSIVE_TARGETS): - @failcom='exit 1'; \ - for f in x $$MAKEFLAGS; do \ - case $$f in \ - *=* | --[!k]*);; \ - *k*) failcom='fail=yes';; \ - esac; \ - done; \ - dot_seen=no; \ - target=`echo $@ | sed s/-recursive//`; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - dot_seen=yes; \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || eval $$failcom; \ - done; \ - if test "$$dot_seen" = "no"; then \ - $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ - fi; test -z "$$fail" - -$(RECURSIVE_CLEAN_TARGETS): - @failcom='exit 1'; \ - for f in x $$MAKEFLAGS; do \ - case $$f in \ - *=* | --[!k]*);; \ - *k*) failcom='fail=yes';; \ - esac; \ - done; \ - dot_seen=no; \ - case "$@" in \ - distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ - *) list='$(SUBDIRS)' ;; \ - esac; \ - rev=''; for subdir in $$list; do \ - if test "$$subdir" = "."; then :; else \ - rev="$$subdir $$rev"; \ - fi; \ - done; \ - rev="$$rev ."; \ - target=`echo $@ | sed s/-recursive//`; \ - for subdir in $$rev; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || eval $$failcom; \ - done && test -z "$$fail" -tags-recursive: - list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ - done -ctags-recursive: - list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . 
|| (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ - done - ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS -TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ - if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ - include_option=--etags-include; \ - empty_fix=.; \ - else \ - include_option=--include; \ - empty_fix=; \ - fi; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test ! -f $$subdir/TAGS || \ - tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \ - fi; \ - done; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS -CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ 
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags 
@@ -500,52 +457,36 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -d "$(distdir)/$$subdir" \ - || $(MKDIR_P) "$(distdir)/$$subdir" \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ - distdir=`$(am__cd) $(distdir) && pwd`; \ - top_distdir=`$(am__cd) $(top_distdir) && pwd`; \ - (cd $$subdir && \ - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$$top_distdir" \ - distdir="$$distdir/$$subdir" \ - am__remove_distdir=: \ - am__skip_length_check=: \ - distdir) \ - || exit 1; \ fi; \ done check-am: all-am -check: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) check-recursive +check: check-am all-am: Makefile $(LTLIBRARIES) all-local -installdirs: installdirs-recursive -installdirs-am: +installdirs: for dir in "$(DESTDIR)$(libdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done -install: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) install-recursive -install-exec: install-exec-recursive -install-data: install-data-recursive -uninstall: uninstall-recursive +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am -installcheck: 
installcheck-recursive +installcheck: installcheck-am install-strip: $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ 
@@ -557,108 +498,100 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." - -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) -clean: clean-recursive +clean: clean-am -clean-am: clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ mostlyclean-am -distclean: distclean-recursive +distclean: distclean-am -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags -dvi: dvi-recursive +dvi: dvi-am dvi-am: -html: html-recursive +html: html-am -info: info-recursive +html-am: + +info: info-am info-am: install-data-am: -install-dvi: install-dvi-recursive +install-dvi: install-dvi-am + +install-dvi-am: install-exec-am: install-libLTLIBRARIES -install-html: install-html-recursive +install-html: install-html-am + +install-html-am: -install-info: install-info-recursive +install-info: install-info-am + +install-info-am: install-man: -install-pdf: install-pdf-recursive +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am -install-ps: install-ps-recursive +install-ps-am: installcheck-am: -maintainer-clean: maintainer-clean-recursive +maintainer-clean: maintainer-clean-am -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic -mostlyclean: mostlyclean-recursive +mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-compile mostlyclean-generic \ mostlyclean-libtool -pdf: pdf-recursive +pdf: pdf-am pdf-am: -ps: ps-recursive +ps: ps-am ps-am: uninstall-am: uninstall-libLTLIBRARIES -.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \ - install-strip +.MAKE: install-am install-strip -.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) 
CTAGS GTAGS \ - all all-am all-local check check-am clean clean-generic \ - clean-libLTLIBRARIES clean-libtool clean-local ctags \ - ctags-recursive distclean distclean-compile distclean-generic \ +.PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ install-exec-am install-html install-html-am install-info \ install-info-am install-libLTLIBRARIES install-man install-pdf \ install-pdf-am install-ps install-ps-am install-strip \ - installcheck installcheck-am installdirs installdirs-am \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags tags-recursive uninstall uninstall-am \ - uninstall-libLTLIBRARIES - - -sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c - cp $? $@ - -sf_ip.c: ../include/sf_ip.c - cp $? $@ - -sfrt.c: ../include/sfrt.c - cp $? $@ - -sfrt_dir.c: ../include/sfrt_dir.c - cp $? $@ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-libLTLIBRARIES -sfPolicyUserData.c: ../include/sfPolicyUserData.c - cp $? $@ -all-local: +all-local: $(LTLIBRARIES) $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES -clean-local: - rm -f sf_dynamic_preproc_lib.c sf_ip.c sfrt.c sfrt_dir.c sfPolicyUserData.c # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
.NOEXPORT: diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/pp_ftp.c snort-2.9.2/src/dynamic-preprocessors/ftptelnet/pp_ftp.c --- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/pp_ftp.c 2009-07-07 15:37:06.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/pp_ftp.c 2011-11-21 20:15:24.000000000 +0000 @@ -1,6 +1,6 @@ /* $Id$ */ /* - ** Copyright (C) 2004-2009 Sourcefire, Inc. + ** Copyright (C) 2004-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -18,15 +18,15 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ -/* pp_ftp.c - * +/* pp_ftp.c + * * Purpose: FTP sessions contain commands and responses. Certain * commands are vectors of attack. This module checks * those FTP client commands and their parameter values, as * well as the server responses per the configuration. * * Arguments: None - * + * * Effect: Alerts may be raised * * Comments: @@ -63,7 +63,7 @@ #include "ftp_cmd_lookup.h" #include "ftp_bounce_lookup.h" //#include "decode.h" -#include "debug.h" +#include "snort_debug.h" #include "stream_api.h" //#include "plugbase.h" @@ -74,9 +74,13 @@ #ifdef SUP_IP6 #include "ipv6_port.h" #endif + +#ifdef TARGET_BASED +extern int16_t ftp_data_app_id; +#endif /* * Used to keep track of pipelined commands and the last one - * that resulted in a + * that resulted in a */ static int ftp_cmd_pipe_index = 0; @@ -103,14 +107,14 @@ * Returns: int => return code indicating error or success * */ -int getIP(const int type, const char **ip_start, const char *last_char, char term_char, +int getIP(const int type, const char **ip_start, const char *last_char, char *term_char, snort_ip *ipRet, uint16_t *portRet) { uint32_t ip=0; uint16_t port=0; int octet=0; const char *this_param = *ip_start; - + do { int value = 0; 
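Review bot: `getIP` now takes `char *term_char` (hunk -103) although every caller in this diff passes a string literal (`" \n"` in hunk -801, `")"` in hunk -1163), so the parameter should be `const char *term_char`; the same applies to the static helpers in hunks -183, -253, -377 and -448. getIP is non-static, and the pp_ftp.h hunk in this diff changes only the copyright year, so if its prototype is declared in a header that declaration must be updated to the new signature too or definition and declaration will conflict. getIP's body continues outside the hunk.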
@@ -183,7 +187,7 @@ * Returns: int => return code indicating error or success */ static int getIP959( - const char **ip_start, const char *last_char, char term_char, + const char **ip_start, const char *last_char, char *term_char, snort_ip *ipRet, uint16_t *portRet ) { @@ -204,7 +208,7 @@ this_param++; } while ((this_param < last_char) && (*this_param != ',') && - (*this_param != term_char)); + (strchr(term_char, *this_param) == NULL)); if (value > 0xFF) { return FTPP_INVALID_ARG; @@ -218,10 +222,10 @@ port = (port << 8) + value; } - if (*this_param != term_char) + if (strchr(term_char, *this_param) == NULL) this_param++; octet++; - } while ((this_param < last_char) && (*this_param != term_char) ); + } while ((this_param < last_char) && (strchr(term_char, *this_param) == NULL)); if (octet != 6) { @@ -253,13 +257,13 @@ * af (address family) is the IP version. h# and p# are in network * byte order (high byte first). * - * This function is called for the LPSV response as well, which + * This function is called for the LPSV response as well, which * has this format: * * 228 (af,hal,h1,h2,h3,h4...,pal,p1,p2...) */ static int getIP1639 ( - const char **ip_start, const char *last_char, char term_char, + const char **ip_start, const char *last_char, char *term_char, snort_ip* ipRet, uint16_t *portRet ) { @@ -295,7 +299,7 @@ { uint32_t ip4_addr = 0; int n; - for ( n = 0; n < 4; n++ ) + for ( n = 0; n < 4; n++ ) ip4_addr = (ip4_addr << 8) | bytes[n+2]; #ifdef SUP_IP6 /* don't call sfip_set_raw() on raw bytes @@ -377,7 +381,7 @@ } static int getIP2428 ( - const char **ip_start, const char *last_char, char term_char, + const char **ip_start, const char *last_char, char *term_char, snort_ip* ipRet, uint16_t *portRet, FTP_PARAM_TYPE ftyp ) { 
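Review bot: `strchr(term_char, *this_param)` in the new loop conditions of getIP959 (hunks -204 and -218) also matches a NUL byte, because strchr treats the string's terminator as a searchable character, so a 0x00 inside a PORT/PASV argument is now treated as a terminator rather than as part of the argument; whether that changes what gets accepted depends on the rest of the loop body, which is outside the hunk. Test the byte first: `#define IS_TERM(s, c) ((c) != '\0' && strchr((s), (c)) != NULL)` and use `!IS_TERM(term_char, *this_param)` in the three conditions, which also keeps the `while` lines readable. The `char *term_char` parameters introduced for getIP959/getIP1639/getIP2428 in hunks -183, -253 and -377 should be `const char *`, since only literals are passed. The enclosing functions start and end outside these hunks.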
@@ -448,19 +452,19 @@ } if ( ftyp == e_int && fieldMask == 4 ) - /* FIXTHIS: do we need to check for bounce if addr present? */ + /* TBD: do we need to check for bounce if addr present? */ return FTPP_SUCCESS; - + if ( ftyp == e_extd_host_port && fieldMask == 7 ) return FTPP_SUCCESS; - + return FTPP_INVALID_ARG; } static int getFTPip( FTP_PARAM_TYPE ftyp, const char **ip_start, const char *last_char, - char term_char, snort_ip *ipRet, uint16_t *portRet -) + char *term_char, snort_ip *ipRet, uint16_t *portRet +) { if ( ftyp == e_host_port ) { @@ -692,7 +696,7 @@ this_param++; } while ((this_param < end) && - (*this_param != ' ')); + (*this_param != '\n')); if (numPercents >= MAX_PERCENT_SIGNS) { @@ -801,7 +805,7 @@ uint16_t port=0; int ret = getFTPip( - ThisFmt->type, &this_param, end, ' ', &ipAddr, &port + ThisFmt->type, &this_param, end, " \n", &ipAddr, &port ); switch (ret) { @@ -819,9 +823,9 @@ break; } - if ( ThisFmt->type == e_extd_host_port && !IS_SET(ipAddr) ) + if ( ThisFmt->type == e_extd_host_port && !IP_IS_SET(ipAddr) ) { - // actually, we expect no addr in 229 responses, which is + // actually, we expect no addr in 229 responses, which is // understood to be server address, so we set that here #ifdef SUP_IP6 ipAddr = *GET_SRC_IP(p); @@ -859,7 +863,7 @@ } } } - + /* Alert on invalid IP address for PORT */ if (alert) { @@ -937,6 +941,9 @@ if (!params_begin && !ThisFmt->next_param_fmt && ThisFmt->optional_fmt) return FTPP_SUCCESS; /* no param is allowed in this case */ + if (!params_begin && (ThisFmt->next_param_fmt && ThisFmt->next_param_fmt->type == e_strformat)) + return FTPP_SUCCESS; /* string format check of non existent param */ + if (!params_begin) return FTPP_INVALID_ARG; @@ -1008,7 +1015,11 @@ } } } - + else if ((iRet != FTPP_SUCCESS) && (!ThisFmt->next_param_fmt) && + this_param) + { + iRet = FTPP_SUCCESS; + } if (iRet == FTPP_SUCCESS) { ThisFmt->next_param = this_param; 
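Review bot: The new `else if` at the end of hunk -1008 overwrites a failed check (`iRet != FTPP_SUCCESS`) with `FTPP_SUCCESS` whenever there is no further parameter format and `this_param` is non-NULL, with no comment explaining why a failed validation of the last parameter is acceptable; as written, whatever code set iRet earlier in the function is never reported in that case. If the intent is to tolerate trailing data after the final format, the branch should test that condition explicitly, or at least carry a comment such as `/* last format consumed a prefix of the argument: trailing data is tolerated, not an error */`, rather than discard every non-success code. The enclosing function starts and ends outside the hunk.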
@@ -1021,7 +1032,7 @@ * * Purpose: Initializes the state machine for checking an FTP packet. * Does normalization checks. - * + * * Arguments: Session => Pointer to session info * p => pointer to the current packet struct * iMode => Mode indicating server or client checks @@ -1056,8 +1067,8 @@ } } return iRet; } - - if (p->flags & FLAG_ALT_DECODE) + + if (_dpd.Is_DetectFlag(SF_FLAG_ALT_DECODE)) { /* Normalized data will always be in decode buffer */ if ( ((Session->client_conf->telnet_cmds.alert) && @@ -1070,7 +1081,7 @@ return FTPP_ALERT; /* Nothing else to do since we alerted */ } - read_ptr = _dpd.altBuffer; + read_ptr = _dpd.altBuffer->data; } if (iMode == FTPP_SI_CLIENT_MODE) @@ -1113,7 +1124,7 @@ int iRet = FTPP_SUCCESS; FTPTELNET_GLOBAL_CONF *global_conf = (FTPTELNET_GLOBAL_CONF *)sfPolicyUserDataGet(Session->global_conf, Session->policy_id); - if (Session->server_conf->data_chan) + //if (Session->server_conf->data_chan) { if (rsp_code == 226) { @@ -1143,17 +1154,20 @@ * a pair of ()s. Find the left (, and use same * means to find IP/Port as is done for the PORT * command. */ - while ((*ip_begin != '(') && - (ip_begin < req->param_end)) + if (req->param_size != 0) { - ip_begin++; + while ((ip_begin < req->param_end) && + (*ip_begin != '(')) + { + ip_begin++; + } } if (ip_begin < req->param_end) { FTP_PARAM_TYPE ftyp = /* e_int is used in lieu of adding a new value to the - * enum because this case doesn't correspond to a + * enum because this case doesn't correspond to a * validation config option; it could effectively be * replaced with an additional bool arg to getFTPip() that * differentiated between commands and responses, but 
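Review bot: `//if (Session->server_conf->data_chan)` in hunk -1113 leaves a commented-out condition above a bare `{` block; the data_chan test has moved next to the ignore_session calls later in this diff, so delete the dead line and either drop the now-unconditional braces or replace the line with a comment stating that the response-code handling below runs regardless of the data_chan setting. Commented-out code is something the next reader has to reverse-engineer. The enclosing function starts and ends outside the hunk.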
@@ -1163,18 +1177,43 @@ ip_begin++; iRet = getFTPip( - ftyp, &ip_begin, req->param_end, ')', &ipAddr, &port + ftyp, &ip_begin, req->param_end, ")", &ipAddr, &port ); if (iRet == FTPP_SUCCESS) { + if (!IP_IS_SET(ipAddr)) + IP_COPY_VALUE(Session->serverIP, GET_SRC_IP(p)); + else + { #ifdef SUP_IP6 - Session->serverIP = ipAddr; + Session->serverIP = ipAddr; #else - Session->serverIP = htonl(ipAddr); + Session->serverIP = htonl(ipAddr); #endif + } Session->serverPort = port; - IP_CLEAR(Session->clientIP); + IP_COPY_VALUE(Session->clientIP, GET_DST_IP(p)); Session->clientPort = 0; + if (Session->server_conf->data_chan) + { + /* Call into Streams to mark data channel as something + * to ignore. */ + _dpd.streamAPI->ignore_session(IP_ARG(Session->clientIP), + Session->clientPort, IP_ARG(Session->serverIP), + Session->serverPort, (uint8_t)(GET_IPH_PROTO(p)), p->pkt_header->ts.tv_sec, + PP_FTPTELNET, SSN_DIR_BOTH, + 0 /* Not permanent */ ); + } +#ifdef TARGET_BASED + else + { + /* Call into Streams to mark data channel as ftp-data */ + _dpd.streamAPI->set_application_protocol_id_expected(IP_ARG(Session->clientIP), + Session->clientPort, IP_ARG(Session->serverIP), + Session->serverPort, (uint8_t)(GET_IPH_PROTO(p)), p->pkt_header->ts.tv_sec, + ftp_data_app_id, PP_FTPTELNET, NULL, NULL); + } +#endif } } else 
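Review bot: The `ignore_session` / `set_application_protocol_id_expected` block added in hunk -1163 is repeated verbatim in the PORT-accept hunk at -1201; extract it into a `static void` helper taking the `FTP_SESSION *` and the packet pointer so the two argument lists, in particular `(uint8_t)(GET_IPH_PROTO(p))` and `p->pkt_header->ts.tv_sec`, cannot drift apart. The server address handed to the stream layer here is the `ipAddr` parsed from the 227 response when it is set; if a bounce check covers the response path elsewhere, a comment pointing to it would make that trust boundary explicit at the call site. The enclosing function starts and ends outside the hunk.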
@@ -1201,6 +1240,43 @@
 Session->data_chan_state &= ~DATA_CHAN_PORT_CMD_ISSUED;
 Session->data_chan_state |= DATA_CHAN_PORT_CMD_ACCEPT;
 Session->data_chan_index = -1;
+ if (IP_IS_SET(Session->clientIP))
+ {
+ /* This means we're not in passive mode. */
+ /* Server is listening/sending from its own IP,
+ * FTP Port -1 */
+ /* Client IP, Port specified via PORT command */
+ IP_COPY_VALUE(Session->serverIP, GET_SRC_IP(p));
+
+ /* Can't necessarily guarantee this, especially
+ * in the case of a proxy'd connection where the
+ * data channel might not be on port 20 (or server
+ * port-1). Comment it out for now.
+ */
+ /*
+ Session->serverPort = ntohs(p->tcph->th_sport) -1;
+ */
+ if (Session->server_conf->data_chan)
+ {
+ /* Call into Streams to mark data channel as something
+ * to ignore. */
+ _dpd.streamAPI->ignore_session(IP_ARG(Session->clientIP),
+ Session->clientPort, IP_ARG(Session->serverIP),
+ Session->serverPort, (uint8_t)(GET_IPH_PROTO(p)), p->pkt_header->ts.tv_sec,
+ PP_FTPTELNET, SSN_DIR_BOTH,
+ 0 /* Not permanent */ );
+ }
+#ifdef TARGET_BASED
+ else
+ {
+ /* Call into Streams to mark data channel as ftp-data */
+ _dpd.streamAPI->set_application_protocol_id_expected(IP_ARG(Session->clientIP),
+ Session->clientPort, IP_ARG(Session->serverIP),
+ Session->serverPort, (uint8_t)(GET_IPH_PROTO(p)), p->pkt_header->ts.tv_sec,
+ ftp_data_app_id, PP_FTPTELNET, NULL, NULL);
+ }
+#endif
+ }
 }
 else if (ftp_cmd_pipe_index == Session->data_chan_index)
 {
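Review bot: The new branch in hunk -1201 assigns `Session->serverIP` but never `Session->serverPort` before passing both to `ignore_session` / `set_application_protocol_id_expected`, and the only statement that would set the port is carried over as commented-out code (`Session->serverPort = ntohs(p->tcph->th_sport) -1;`). If the stream layer treats a zero port as a wildcard, replace the commented-out assignment with a comment saying so, e.g. `/* serverPort is deliberately left 0: the data port is not reliably server-port-1, so match on the client endpoint only */`; if it does not, the port must be set here. The enclosing function starts and ends outside the hunk.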
@@ -1220,49 +1296,6 @@ { Session->data_chan_state &= ~DATA_CHAN_XFER_CMD_ISSUED; Session->data_chan_state = DATA_CHAN_XFER_STARTED; - if (!IS_SET(Session->serverIP)) - { - /* This means we're not in passive mode. */ - /* Server is listening/sending from its own IP, - * FTP Port -1 */ - /* Client IP, Port specified via PORT command */ -#ifdef SUP_IP6 - IP_COPY_VALUE(Session->serverIP, GET_SRC_IP(p)); -#else - Session->serverIP = p->ip4_header->source.s_addr; -#endif - - /* Can't necessarily guarantee this, especially - * in the case of a proxy'd connection where the - * data channel might not be on port 20 (or server - * port-1). Comment it out for now. - */ - /* - Session->serverPort = ntohs(p->tcph->th_sport) -1; - */ - } - if (!IS_SET(Session->clientIP)) - { - /* This means we're in passive mode. */ - /* Server info is known. */ - /* Client IP is known from response packet, but - * port is unknown */ -#ifdef SUP_IP6 - IP_COPY_VALUE(Session->clientIP, GET_DST_IP(p)); -#else - Session->clientIP = p->ip4_header->destination.s_addr; -#endif - } - if (Session->server_conf->data_chan) - { - /* Call into Streams to mark data channel as something - * to ignore. */ - _dpd.streamAPI->ignore_session(IP_ARG(Session->clientIP), - Session->clientPort, IP_ARG(Session->serverIP), - Session->serverPort, - GET_IPH_PROTO(p), SSN_DIR_BOTH, - 0 /* Not permanent */ ); - } } /* Clear the session info for next transfer --> * reset host/port */ @@ -1290,7 +1323,7 @@ ftp_eo_event_log(Session, FTP_EO_ENCRYPTED, NULL, NULL); } - DEBUG_WRAP(DebugMessage(DEBUG_FTPTELNET, + DEBUG_WRAP(DebugMessage(DEBUG_FTPTELNET, "FTP stream is now TLS encrypted\n");); } break; @@ -1305,7 +1338,7 @@ ftp_eo_event_log(Session, FTP_EO_ENCRYPTED, NULL, NULL); } - DEBUG_WRAP(DebugMessage(DEBUG_FTPTELNET, + DEBUG_WRAP(DebugMessage(DEBUG_FTPTELNET, "FTP stream is now SSL encrypted\n");); } break; 
@@ -1333,8 +1366,8 @@ * Function: check_ftp(FTP_SESSION *Session, Packet *p, int iMode) * * Purpose: Handle some trivial validation checks of an FTP packet. Namely, - * check argument length and some protocol enforcement. - * + * check argument length and some protocol enforcement. + * * Wishful: This results in exposing the FTP command (and looking * at the results) to the rules layer. * @@ -1371,8 +1404,9 @@ const unsigned char *read_ptr; const unsigned char *end = p->payload + p->payload_size; - if (p->flags & FLAG_ALT_DECODE) - end = _dpd.altBuffer + p->normalized_payload_size; + + if (_dpd.Is_DetectFlag(SF_FLAG_ALT_DECODE)) + end = _dpd.altBuffer->data + _dpd.altBuffer->len; if (iMode == FTPP_SI_CLIENT_MODE) { @@ -1394,9 +1428,9 @@ /* Starts at the beginning of the buffer/line, * so next up is a command */ read_ptr = (const unsigned char *)req->pipeline_req; - + /* but first we ignore leading white space */ - while ( (read_ptr < end) && + while ( (read_ptr < end) && (iMode == FTPP_SI_CLIENT_MODE) && isspace(*read_ptr) ) read_ptr++; @@ -1495,7 +1529,7 @@ } else { - /* + /* * Check the list of valid FTP commands as * supplied in ftpssn. */ @@ -1602,8 +1636,8 @@ isdigit(*(resp_begin+1)) && isdigit(*(resp_begin+2)) ) { - rsp_code = ( (*(resp_begin) - '0') * 100 + - (*(resp_begin+1) - '0') * 10 + + rsp_code = ( (*(resp_begin) - '0') * 100 + + (*(resp_begin+1) - '0') * 10 + (*(resp_begin+2) - '0') ); if (rsp_code == ftpssn->server.response.state) { @@ -1635,8 +1669,8 @@ isdigit(*(resp_begin+1)) && isdigit(*(resp_begin+2)) ) { - int resp_code = ( (*(resp_begin) - '0') * 100 + - (*(resp_begin+1) - '0') * 10 + + int resp_code = ( (*(resp_begin) - '0') * 100 + + (*(resp_begin+1) - '0') * 10 + (*(resp_begin+2) - '0') ); if (resp_code == ftpssn->server.response.state) { @@ -1672,7 +1706,7 @@ } /* If there is anything left... */ - + if (read_ptr < end) { /* Look for an LF --> implies no parameters/message */ 
@@ -1688,7 +1722,7 @@ "Missing LF from end of FTP command\n");); } else - { + { /* Now grab the command parameters/response message */ if (read_ptr < end) { @@ -1727,7 +1761,7 @@ DEBUG_WRAP(DebugMessage(DEBUG_FTPTELNET, "Missing LF from end of FTP command sans params\n");); } - + /* Set the pointer for the next request/response * in the pipeline. */ if (read_ptr < end) @@ -1749,7 +1783,7 @@ "FTP response: code: %.*s : M len %d : M %.*s\n", req->cmd_size, req->cmd_begin, req->param_size, req->param_size, req->param_begin)); - if ((ftpssn->client_conf->max_resp_len > 0) && + if ((ftpssn->client_conf->max_resp_len > 0) && (req->param_size > ftpssn->client_conf->max_resp_len)) { /* Alert on response message overflow */ @@ -1771,7 +1805,7 @@ "FTP response: continuation of code: %d : M len %d : M %.*s\n", ftpssn->server.response.state, req->param_size, req->param_size, req->param_begin)); - if ((ftpssn->client_conf->max_resp_len > 0) && + if ((ftpssn->client_conf->max_resp_len > 0) && (req->param_size > ftpssn->client_conf->max_resp_len)) { /* Alert on response message overflow */ @@ -1785,7 +1819,7 @@ "FTP response: final continue of code: %.*s : M len %d : " "M %.*s\n", req->cmd_size, req->cmd_begin, req->param_size, req->param_size, req->param_begin)); - if ((ftpssn->client_conf->max_resp_len > 0) && + if ((ftpssn->client_conf->max_resp_len > 0) && (req->param_size > ftpssn->client_conf->max_resp_len)) { /* Alert on response message overflow */ diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/pp_ftp.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/pp_ftp.h --- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/pp_ftp.h 2009-01-26 16:26:17.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/pp_ftp.h 2011-02-09 23:23:19.000000000 +0000 
@@ -1,7 +1,7 @@ /* * pp_ftp.h * - * Copyright (C) 2004-2009 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges * * This program is free software; you can redistribute it and/or modify diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/pp_telnet.c snort-2.9.2/src/dynamic-preprocessors/ftptelnet/pp_telnet.c --- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/pp_telnet.c 2009-05-06 22:29:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/pp_telnet.c 2011-11-21 20:15:24.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2002-2009 Sourcefire, Inc. + * Copyright (C) 2002-2011 Sourcefire, Inc. * Copyright (C) 1998-2002 Martin Roesch * * This program is free software; you can redistribute it and/or modify @@ -21,10 +21,10 @@ /* Snort Preprocessor for Telnet Negotiation Normalization*/ /* $Id$ */ -/* pp_telnet.c - * - * Purpose: Telnet sessions can contain telnet negotiation strings - * that can disrupt pattern matching. This plugin detects +/* pp_telnet.c + * + * Purpose: Telnet sessions can contain telnet negotiation strings + * that can disrupt pattern matching. This plugin detects * negotiation strings in stream and "normalizes" them much like * the http_decode preprocessor normalizes encoded URLs * @@ -33,7 +33,7 @@ * http://www.iana.org/assignments/telnet-options * * Arguments: None - * + * * Effect: The telnet nogiation data is removed from the payload * * Comments: @@ -55,8 +55,7 @@ #include "ftpp_eo_log.h" #include "pp_telnet.h" #include "ftpp_return_codes.h" -//#include "decode.h" -#include "debug.h" +#include "snort_debug.h" #include "stream_api.h" #define NUL 0x00 @@ -69,8 +68,6 @@ */ #define CONSECUTIVE_8BIT_THRESHOLD 3 -//extern uint8_t DecodeBuffer[DECODE_BLEN]; /* decode.c */ - /* * Function: normalize_telnet(Packet *) * 
@@ -79,7 +76,7 @@ * as you like. Try not to destroy the performance of the whole * system by trying to do too much.... * - * Arguments: p => pointer to the current packet data struct + * Arguments: p => pointer to the current packet data struct * * Returns: void function * @@ -91,12 +88,12 @@ int ret = FTPP_NORMALIZED; const unsigned char *read_ptr, *sb_start = NULL; int saw_ayt = 0; - const unsigned char *start = _dpd.altBuffer; /* decode.c */ + const unsigned char *start = _dpd.altBuffer->data; unsigned char *write_ptr; const unsigned char *end; int normalization_required = 0; int consec_8bit_chars = 0; - + /* Telnet commands are handled in here. * They can be 2 bytes long -- ie, IAC NOP, IAC AYT, etc. * Sub-negotiation strings are at least 4 bytes, IAC SB x IAC SE */ @@ -106,11 +103,11 @@ tnssn->consec_ayt = 0; return FTPP_SUCCESS; } - + /* setup the pointers */ read_ptr = p->payload; end = p->payload + p->payload_size; - + /* look to see if we have any telnet negotiaion codes in the payload */ while(!normalization_required && (read_ptr < end)) { @@ -160,10 +157,10 @@ consec_8bit_chars = 0; } } - + read_ptr++; } - + if(!normalization_required) { DEBUG_WRAP(DebugMessage(DEBUG_FTPTELNET, "Nothing to process!\n");); 
@@ -171,25 +168,25 @@ tnssn->consec_ayt = 0; return FTPP_SUCCESS; } - + /* * if we found telnet negotiation strings OR backspace characters, * we're going to have to normalize the data * * Note that this is always ( now: 2002-08-12 ) done to a * alternative data buffer. - */ + */ /* rewind the data stream to p->data */ read_ptr = p->payload; - - /* setup for overwriting the negotaiation strings with + + /* setup for overwriting the negotaiation strings with * the follow-on data - */ + */ write_ptr = (unsigned char *) _dpd.altBuffer; - + /* walk thru the remainder of the packet */ while((read_ptr < end) && - (write_ptr < ((unsigned char *) _dpd.altBuffer) + _dpd.altBufferLen)) + (write_ptr < ((unsigned char *) _dpd.altBuffer->data) + sizeof(_dpd.altBuffer->data))) { saw_ayt = 0; /* if the following byte isn't a subnegotiation initialization */ @@ -224,7 +221,7 @@ { /* Go to previous char */ write_ptr--; - + if ((*write_ptr == CR) && ((*(write_ptr+1) == NUL) || (*(write_ptr+1) == LF)) ) { @@ -361,7 +358,7 @@ } break; } - + /* find the end of the subneg -- this handles when there are * embedded IAC IACs within a sub negotiation. Just looking * for the TNC_SE could cause problems. Similarly, just looking @@ -399,13 +396,13 @@ continue; } - + /* Okay, found the IAC SE -- move past it */ if (read_ptr < end) { read_ptr += 2; } - + if (tnssn && iMode == FTPP_SI_CLIENT_MODE) tnssn->consec_ayt = 0; } @@ -413,9 +410,9 @@ { DEBUG_WRAP(DebugMessage(DEBUG_FTPTELNET, "overwriting %2X(%c) with %2X(%c)\n", - (unsigned char)(*write_ptr&0xFF), *write_ptr, + (unsigned char)(*write_ptr&0xFF), *write_ptr, (unsigned char)(*read_ptr & 0xFF), *read_ptr);); - + /* overwrite the negotiation bytes with the follow-on bytes */ switch(* ((unsigned char *)(read_ptr))) { 
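Review bot: `write_ptr = (unsigned char *) _dpd.altBuffer;` is kept as context in hunk -171 while `start` (hunk -91) and the new loop bound now use `_dpd.altBuffer->data`, so the writer starts at the address of the buffer struct itself rather than at its `data` member; that only coincides with `start` if `data` is the struct's first member, and the later `SetAltDecode((uint16_t)(write_ptr - start))` depends on the two sharing a base. Change it to `write_ptr = (unsigned char *) _dpd.altBuffer->data;` so all three pointers agree regardless of struct layout. The bound also relies on `data` being an in-struct array rather than a pointer (`sizeof(_dpd.altBuffer->data)`), which is presumably the case but deserves a one-line comment. normalize_telnet's body continues outside the hunk.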
@@ -432,19 +429,17 @@ *write_ptr++ = *read_ptr++; break; } - + if (tnssn && iMode == FTPP_SI_CLIENT_MODE) tnssn->consec_ayt = 0; } } - - p->flags |= FLAG_ALT_DECODE; - - p->normalized_payload_size = write_ptr - start; - - /* DEBUG_WRAP(DebugMessage(DEBUG_FTPTELNET, + + _dpd.SetAltDecode((uint16_t)(write_ptr - start)); + + /* DEBUG_WRAP(DebugMessage(DEBUG_FTPTELNET, "Converted buffer after telnet normalization:\n"); - PrintNetData(stdout, (char *) _dpd.altBuffer, p->normalized_payload_size);); + PrintNetData(stdout, (char *) _dpd.altBuffer->data, _dpd.altBuffer->len);); */ return ret; } diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/pp_telnet.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/pp_telnet.h --- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/pp_telnet.h 2009-05-06 22:29:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/pp_telnet.h 2011-02-09 23:23:20.000000000 +0000 @@ -1,7 +1,7 @@ /* * pp_telnet.h * - * Copyright (C) 2004-2009 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges * * This program is free software; you can redistribute it and/or modify diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp snort-2.9.2/src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp --- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp 2009-05-06 22:29:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp 2011-11-21 20:15:24.000000000 +0000 
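Review bot: `_dpd.SetAltDecode((uint16_t)(write_ptr - start))` in hunk -432 narrows the written length to 16 bits with no check; the write loop in hunk -171 is bounded only by `sizeof(_dpd.altBuffer->data)`, so if that array can hold more than 65535 bytes the length wraps silently and the normalized buffer is reported shorter than it is. Either document the invariant where the cast happens, `/* data[] is at most 64K, so the length fits in uint16_t */`, or guard it with an explicit comparison against UINT16_MAX before the call. normalize_telnet starts outside the hunk.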
@@ -38,25 +38,25 @@ # PROP BASE Output_Dir "Release" # PROP BASE Intermediate_Dir "Release" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "Release" # PROP Intermediate_Dir "Release" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /c -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /D "NDEBUG" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "SF_SNORT_PREPROC_DLL" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /YX /FD /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 
!ELSEIF "$(CFG)" == "sf_ftptelnet - Win32 Debug" 
@@ -65,25 +65,25 @@ # PROP BASE Output_Dir "Debug" # PROP BASE Intermediate_Dir "Debug" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "Debug" # PROP Intermediate_Dir "Debug" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /YX /FD /GZ /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo 
/dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept !ELSEIF "$(CFG)" == "sf_ftptelnet - Win32 IPv6 Release" @@ -93,7 +93,7 @@ # PROP BASE Intermediate_Dir "sf_ftptelnet___Win32_IPv6_Release" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "IPv6_Release" # PROP Intermediate_Dir "IPv6_Release" 
@@ -101,18 +101,18 @@ # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_SMTP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /D "DYNAMIC_PLUGIN" /YX /FD /c # SUBTRACT BASE CPP /X -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /D "NDEBUG" /D "SUP_IP6" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "SF_SNORT_PREPROC_DLL" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /YX /FD /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 !ELSEIF "$(CFG)" == "sf_ftptelnet - Win32 IPv6 Debug" 
@@ -122,7 +122,7 @@ # PROP BASE Intermediate_Dir "sf_ftptelnet___Win32_IPv6_Debug" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "IPv6_Debug" # PROP Intermediate_Dir "IPv6_Debug" 
@@ -130,18 +130,18 @@ # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /D "DYNAMIC_PLUGIN" /YX /FD /GZ /c # SUBTRACT BASE CPP /X -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /YX /FD /GZ /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib 
/nologo /dll /debug /machine:I386 /pdbtype:sept !ENDIF @@ -212,11 +212,11 @@ # End Source File # Begin Source File -SOURCE=..\include\sfPolicyUserData.c +SOURCE=..\include\sf_ip.c # End Source File # Begin Source File -SOURCE=..\include\sf_ip.c +SOURCE=..\include\sfPolicyUserData.c # End Source File # Begin Source File diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h --- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h 2009-05-06 22:29:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h 1970-01-01 00:00:00.000000000 +0000 
@@ -1,38 +0,0 @@
-/****************************************************************************
- *
- * Copyright (C) 2005-2009 Sourcefire, Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License Version 2 as
- * published by the Free Software Foundation. You may not use, modify or
- * distribute this program under any other version of the GNU General
- * Public License.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- ****************************************************************************/
-
-#ifndef SF_PREPROC_INFO_H
-#define SF_PREPROC_INFO_H
-
-#include "spp_ftptelnet.h"
-
-#define MAJOR_VERSION 1
-#define MINOR_VERSION 2
-#define BUILD_VERSION 12
-#ifdef SUP_IP6
-#define PREPROC_NAME "SF_FTPTELNET (IPV6)"
-#else
-#define PREPROC_NAME "SF_FTPTELNET"
-#endif
-
-#define DYNAMIC_PREPROC_SETUP SetupFTPTelnet
-
-#endif /* SF_PREPROC_INFO_H */
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c snort-2.9.2/src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c
--- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c 2009-10-02 20:29:57.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c 2011-11-21 20:15:24.000000000 +0000
@@ -1,12 +1,12 @@ /* * snort_ftptelnet.c * - * Copyright (C) 2004-2009 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges * Daniel J. Roelker * Marc A. Norton * Kevin Liu - * + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as * published by the Free Software Foundation. You may not use, modify or @@ -37,7 +37,7 @@ * very detailed configuration parameters for each specified FTP client, * to provide detailed control over an internal network and robust control * of the external network. - * + * * The main functions of note are: * - FTPTelnetSnortConf() the configuration portion * - SnortFTPTelnet() the actual normalization & inspection @@ -48,6 +48,8 @@ * */ +#define _GNU_SOURCE + #ifdef HAVE_CONFIG_H #include "config.h" #endif @@ -70,21 +72,10 @@ #include #endif - -//#include "snort.h" -//#include "detect.h" -//#include "decode.h" -//#include "log.h" -//#include "event.h" -//#include "generators.h" -#include "debug.h" -//#include "plugbase.h" -//#include "util.h" -//#include "event_queue.h" -//#include "mstring.h" - #define BUF_SIZE 1024 +#include "sf_types.h" +#include "snort_debug.h" #include "ftpp_return_codes.h" #include "ftpp_ui_config.h" #include "ftpp_ui_client_lookup.h" @@ -96,11 +87,11 @@ #include "pp_telnet.h" #include "pp_ftp.h" #include "snort_ftptelnet.h" -#include "sf_types.h" #include "sfPolicy.h" #include "sfPolicyUserData.h" #include "stream_api.h" #include "profiler.h" +#include "sf_snort_plugin_api.h" #ifdef PERF_PROFILING extern PreprocStats ftpPerfStats; @@ -111,8 +102,6 @@ extern tSfPolicyUserContextId ftp_telnet_config; -//extern uint8_t DecodeBuffer[DECODE_BLEN]; /* decode.c */ - /* * GLOBAL subkeyword values */ 
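Review bot: `#define _GNU_SOURCE` in the `@@ -48,6 +48,8 @@` hunk is added unconditionally; if the build also defines it on the command line or in config.h the compiler reports a macro redefinition, so guard it: `#ifndef _GNU_SOURCE` / `#define _GNU_SOURCE` / `#endif`. Placing it before `config.h` and every system header is the right spot, since the new ftp_paf later in this file uses memrchr, which glibc only declares under _GNU_SOURCE. A one-line comment saying why it is needed would spare the next reader a search, e.g. `/* memrchr() prototype (glibc) */`.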
@@ -226,11 +215,11 @@ * * 2. Overrides CWD pathname to 256 characters * - * alt_max_param_len 256 { CWD } + * alt_max_param_len 256 { CWD } * * 3. Overrides PWD & SYST to no parameters * - * alt_max_param_len 0 { PWD SYST } + * alt_max_param_len 0 { PWD SYST } * */ @@ -261,18 +250,18 @@ * The default FTP server configuration for FTP command validation. * Most of this comes from RFC 959, with additional commands being * drawn from other RFCs/Internet Drafts that are in use. - * + * * Any of the below can be overridden in snort.conf. - * + * * This is here to eliminate most of it from snort.conf to * avoid an ugly configuration file. The default_max_param_len * is somewhat arbitrary, but is taken from the majority of * the snort FTP rules that limit parameter size to 100 * characters, as of 18 Sep 2004. - * + * * The data_chan_cmds, data_xfer_cmds are used to track open * data channel connections. - * + * * The login_cmds and dir_cmds are used to track state of username * and current directory. */ @@ -286,7 +275,7 @@ "ftp_cmds { USER PASS ACCT CWD CDUP SMNT QUIT REIN TYPE STRU" " MODE RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR" " DELE RMD MKD PWD LIST NLST SITE SYST STAT HELP NOOP } " - "ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } " + "ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } " "ftp_cmds { PORT PASV LPRT LPSV EPRT EPSV } " "ftp_cmds { FEAT OPTS } " "ftp_cmds { MDTM REST SIZE MLST MLSD } " @@ -338,7 +327,7 @@ char *maxToken = NULL; static tSfPolicyId ftp_current_policy = 0; -static void _addPortsToStream5(char *, tSfPolicyId); +static void _addPortsToStream5(char *, tSfPolicyId, int); static void _addFtpServerConfPortsToStream5(void *); char *NextToken(char *delimiters) @@ -440,7 +429,7 @@ return FTPP_SUCCESS; } -/* +/* * Function: ProcessInspectType(FTPTELNET_CONF_OPT *ConfOpt, * char *ErrorString, int ErrStrLen) * 
@@ -491,7 +480,7 @@ } /* - * Function: ProcessGlobalConf(FTPTELNET_GLOBAL_CONF *GlobalConf, + * Function: ProcessFTPGlobalConf(FTPTELNET_GLOBAL_CONF *GlobalConf, * char *ErrorString, int ErrStrLen) * * Purpose: This is where we process the global configuration for FTPTelnet. @@ -519,7 +508,7 @@ * >0 = non-fatal error, <0 = fatal error) * */ -int ProcessGlobalConf(FTPTELNET_GLOBAL_CONF *GlobalConf, +int ProcessFTPGlobalConf(FTPTELNET_GLOBAL_CONF *GlobalConf, char *ErrorString, int ErrStrLen) { FTPTELNET_CONF_OPT *ConfOpt; @@ -561,7 +550,7 @@ else { snprintf(ErrorString, ErrStrLen, - "Invalid keyword '%s' for '%s' configuration.", + "Invalid keyword '%s' for '%s' configuration.", pcToken, GLOBAL); return FTPP_FATAL_ERR; @@ -625,7 +614,7 @@ return FTPP_FATAL_ERR; } - + /* Unset the defaults */ for (iPort = 0;iPortports[iPort] = 0; @@ -678,7 +667,7 @@ return FTPP_SUCCESS; } -/* +/* * Function: ProcessTelnetAYTThreshold(TELNET_PROTO_CONF *TelnetConf, * char *ErrorString, int ErrStrLen) * @@ -766,7 +755,7 @@ } _dpd.logMsg("%s\n", buf); - + _dpd.logMsg(" Are You There Threshold: %d\n", TelnetConf->ayt_threshold); _dpd.logMsg(" Normalize: %s\n", TelnetConf->normalize ? "YES" : "NO"); @@ -876,7 +865,7 @@ else { snprintf(ErrorString, ErrStrLen, - "Invalid keyword '%s' for '%s' configuration.", + "Invalid keyword '%s' for '%s' configuration.", pcToken, GLOBAL); return FTPP_FATAL_ERR; @@ -927,7 +916,7 @@ char *ErrorString, int ErrStrLen) { #ifdef SUP_IP6 - if(sfip_pton(addrString, ipAddr) != SFIP_SUCCESS) + if(sfip_pton(addrString, ipAddr) != SFIP_SUCCESS) #else *ipAddr = inet_addr(addrString); if (*ipAddr == INADDR_NONE) @@ -1024,7 +1013,7 @@ return FTPP_FATAL_ERR; } - + while ((pcToken = NextToken(CONF_SEPARATORS)) != NULL) { if(!strcmp(END_PORT_LIST, pcToken)) @@ -1138,7 +1127,7 @@ * */ static int ProcessFTPDataChanCmdsList(FTP_SERVER_PROTO_CONF *ServerConf, - char *confOption, + char *confOption, char *ErrorString, int ErrStrLen) { FTP_CMD_CONF *FTPCmd = NULL; 
@@ -1164,7 +1153,7 @@ return FTPP_FATAL_ERR; } - + while ((pcToken = NextToken(CONF_SEPARATORS)) != NULL) { if(!strcmp(END_PORT_LIST, pcToken)) @@ -1270,7 +1259,7 @@ * */ static int ProcessFTPDirCmdsList(FTP_SERVER_PROTO_CONF *ServerConf, - char *confOption, + char *confOption, char *ErrorString, int ErrStrLen) { FTP_CMD_CONF *FTPCmd = NULL; @@ -1298,7 +1287,7 @@ return FTPP_FATAL_ERR; } - + while ((pcToken = NextToken(CONF_SEPARATORS)) != NULL) { if(!strcmp(END_PORT_LIST, pcToken)) @@ -1324,7 +1313,7 @@ } strcpy(FTPCmd->cmd_name, cmd); - + FTPCmd->max_param_len = ServerConf->def_max_param_len; ftp_cmd_lookup_add(ServerConf->cmd_lookup, cmd, @@ -1451,7 +1440,7 @@ DynamicPreprocessorFatalMessage("%s(%d) => Failed to allocate memory\n", *(_dpd.config_file), *(_dpd.config_line)); } - + memcpy(ThisFmt->choices, choices, sizeof(FTP_PARAM_FMT *) * numChoices); } } @@ -1805,7 +1794,7 @@ DynamicPreprocessorFatalMessage("%s(%d) => Can't do memcpy - index out of range \n", *(_dpd.config_file), *(_dpd.config_line)); - memcpy(tmpChoices, ThisFmt->choices, + memcpy(tmpChoices, ThisFmt->choices, sizeof(FTP_PARAM_FMT*) * ThisFmt->numChoices); } NextFmt = (FTP_PARAM_FMT *)calloc(1, sizeof(FTP_PARAM_FMT)); @@ -1904,7 +1893,7 @@ { char* end = index(++fmt, *F_LITERAL); int len = end ? end - fmt : 0; - + if ( len < 1 ) { snprintf( @@ -1953,7 +1942,7 @@ return DoNextFormat(NextFmt, 0, ErrorString, ErrStrLen); } -/* +/* * Function: ProcessFTPCmdValidity(FTP_SERVER_PROTO_CONF *ServerConf, * char *ErrorString, int ErrStrLen) * @@ -2182,7 +2171,7 @@ } -/* +/* * Function: ProcessFTPMaxRespLen(FTP_CLIENT_PROTO_CONF *ClientConf, * char *ErrorString, int ErrStrLen) * @@ -2214,7 +2203,7 @@ return FTPP_FATAL_ERR; } - max_resp_len = strtol(pcToken, &pcEnd, 10); + max_resp_len = _dpd.SnortStrtol(pcToken, &pcEnd, 10); /* * Let's check to see if the entire string was valid. 
@@ -2235,7 +2224,7 @@ return FTPP_SUCCESS; } -/* +/* * Function: ParseBounceTo(char *token, FTP_BOUNCE_TO*) * * Purpose: Extract the IP address, masking bits (CIDR format), and @@ -2270,11 +2259,16 @@ #ifdef SUP_IP6 memcpy(&bounce->ip, &tmp_ip, sizeof(sfip_t)); #else + if (tmp_ip.family != AF_INET) + { + _dpd.tokenFree(&toks, num_toks); + return FTPP_INVALID_ARG; + } bounce->ip = ntohl(tmp_ip.ip32[0]); bounce->relevant_bits = tmp_ip.bits; #endif - port_lo = strtol(toks[1], &endptr, 10); + port_lo = _dpd.SnortStrtol(toks[1], &endptr, 10); if ((errno == ERANGE) || (*endptr != '\0') || (port_lo < 0) || (port_lo >= MAXPORTS)) { @@ -2286,7 +2280,7 @@ if (num_toks == 3) { - long int port_hi = strtol(toks[2], &endptr, 10); + long int port_hi = _dpd.SnortStrtol(toks[2], &endptr, 10); if ((errno == ERANGE) || (*endptr != '\0') || (port_hi < 0) || (port_hi >= MAXPORTS)) @@ -2311,7 +2305,7 @@ return FTPP_SUCCESS; } -/* +/* * Function: ProcessFTPAlowBounce(FTP_CLIENT_PROTO_CONF *ClientConf, * char *ErrorString, int ErrStrLen) * @@ -2376,7 +2370,7 @@ "Failed to allocate memory for Bounce"); return FTPP_FATAL_ERR; } - + iRet = ParseBounceTo(pcToken, newBounce); if (iRet) { @@ -2451,7 +2445,7 @@ } _dpd.logMsg(" FTP Client: %s\n", client); - + PrintConfOpt(&ClientConf->bounce, " Check for Bounce Attacks"); PrintConfOpt(&ClientConf->telnet_cmds, " Check for Telnet Cmds"); PrintConfOpt(&ClientConf->ignore_telnet_erase_cmds, " Ignore Telnet Cmd Operations"); @@ -2594,7 +2588,7 @@ else { snprintf(ErrorString, ErrStrLen, - "Invalid keyword '%s' for '%s' configuration.", + "Invalid keyword '%s' for '%s' configuration.", pcToken, GLOBAL); return FTPP_FATAL_ERR; @@ -2701,7 +2695,7 @@ } //ConfigParseResumePtr = pIpAddressList+strlen(pIpAddressList); - + pIpAddressList2 = strdup(pIpAddressList); if (!pIpAddressList2) { 
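Review bot: In ParseBounceTo (hunks `@@ -2270,11 +2259,16 @@` and `@@ -2286,7 +2280,7 @@`) the `errno == ERANGE` tests read errno right after `_dpd.SnortStrtol` without clearing it first; unless SnortStrtol resets errno itself, a stale ERANGE left by an earlier library call rejects a valid `bounce_to` port range, and the check cannot be relied on the other way round either. Put `errno = 0;` immediately before each of the two calls (port_lo and port_hi). The new `tmp_ip.family != AF_INET` guard in the non-SUP_IP6 branch does release `toks` before returning, which the other early returns around it appear to need as well. ParseBounceTo starts before this hunk and its body continues after it.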
@@ -2714,9 +2708,9 @@ - for (client = strtok_r(pIpAddressList2, CONF_SEPARATORS, &brkt); - client; - client = strtok_r(NULL, CONF_SEPARATORS, &brkt)) + for (client = strtok_r(pIpAddressList2, CONF_SEPARATORS, &brkt); + client; + client = strtok_r(NULL, CONF_SEPARATORS, &brkt)) { if (sfip_pton(client, &ipAddr) != SFIP_SUCCESS) @@ -2746,7 +2740,7 @@ /* ** allocate the memory for the client configuration */ - if (firstIpAddress) + if (firstIpAddress) { // Write this IP into the buffer for printing snprintf(client_list, STD_BUF, "%s", client); @@ -2785,7 +2779,7 @@ //no IP address was found snprintf(ErrorString, ErrStrLen, "Invalid IP Address list in '%s' token.", CLIENT); - + retVal = FTPP_INVALID_ARG; goto _return; } @@ -2860,6 +2854,7 @@ */ static int PrintFTPServerConf(char * server, FTP_SERVER_PROTO_CONF *ServerConf) { + const char* spaf = ""; char buf[BUF_SIZE+1]; int iCtr; int iRet; @@ -2876,10 +2871,15 @@ printedFTPHeader = 1; } +#ifdef ENABLE_PAF + if ( _dpd.isPafEnabled() ) + spaf = " (PAF)"; +#endif + _dpd.logMsg(" FTP Server: %s\n", server); memset(buf, 0, BUF_SIZE+1); - snprintf(buf, BUF_SIZE, " Ports: "); + snprintf(buf, BUF_SIZE, " Ports%s: ", spaf); /* * Print out all the applicable ports. @@ -2893,7 +2893,7 @@ } _dpd.logMsg("%s\n", buf); - + PrintConfOpt(&ServerConf->telnet_cmds, " Check for Telnet Cmds"); PrintConfOpt(&ServerConf->ignore_telnet_erase_cmds, " Ignore Telnet Cmd Operations"); _dpd.logMsg(" Identify open data channels: %s\n", @@ -3067,7 +3067,7 @@ { if (data_chan_configured && ServerConf->data_chan == 0) { - snprintf(ErrorString, ErrStrLen, "Both 'data_chan' and " + snprintf(ErrorString, ErrStrLen, "Both 'data_chan' and " "'ignore_data_chan' configured with conflicting options."); return FTPP_FATAL_ERR; } @@ -3115,7 +3115,7 @@ else { snprintf(ErrorString, ErrStrLen, - "Invalid keyword '%s' for '%s' configuration.", + "Invalid keyword '%s' for '%s' configuration.", pcToken, GLOBAL); return FTPP_FATAL_ERR; 
@@ -3223,7 +3223,7 @@ //list begin didn't match so this must be an IP address pIpAddressList = server; } - + ConfigParseResumePtr = pIpAddressList+strlen(pIpAddressList); pIpAddressList2 = strdup(pIpAddressList); @@ -3236,9 +3236,9 @@ goto _return; } - for (server = strtok_r(pIpAddressList2, CONF_SEPARATORS, &brkt); - server; - server = strtok_r(NULL, CONF_SEPARATORS, &brkt)) + for (server = strtok_r(pIpAddressList2, CONF_SEPARATORS, &brkt); + server; + server = strtok_r(NULL, CONF_SEPARATORS, &brkt)) { if (sfip_pton(server, &ipAddr) != SFIP_SUCCESS) { @@ -3265,7 +3265,7 @@ ipAddr.ip.u6_addr32[0] = ntohl(ipAddr.ip.u6_addr32[0]); } - if (firstIpAddress) + if (firstIpAddress) { /* Write this IP into the buffer for printing */ snprintf(server_list, STD_BUF, "%s", server); @@ -3299,14 +3299,14 @@ } ftpp_ui_config_add_ftp_server(GlobalConf, &ipAddr, new_server_conf); - + //create a reference new_server_conf->referenceCount++; } if (firstIpAddress) { - //no IP address was found + //no IP address was found snprintf(ErrorString, ErrStrLen, "Invalid IP Address list in '%s' token.", CLIENT); @@ -3365,9 +3365,9 @@ * the specific server configuration. Quick hack/trick here: reset * the end of the client string to a conf separator, then call strtok. * That will reset strtok's internal pointer to the next token after - * the client name, which is what we're expecting it to be. + * the client name, which is what we're expecting it to be. */ - if (ConfigParseResumePtr < maxToken) + if (ConfigParseResumePtr < maxToken) { /* only if there is data after the server/client name */ if (ip_list) @@ -3405,7 +3405,7 @@ } /* - * Function: PrintGlobalConf(FTPTELNET_GLOBAL_CONF *GlobalConf) + * Function: PrintFTPGlobalConf(FTPTELNET_GLOBAL_CONF *GlobalConf) * * Purpose: Prints the FTPTelnet preprocessor global configuration * 
@@ -3415,7 +3415,7 @@ * >0 = non-fatal error, <0 = fatal error) * */ -int PrintGlobalConf(FTPTELNET_GLOBAL_CONF *GlobalConf) +int PrintFTPGlobalConf(FTPTELNET_GLOBAL_CONF *GlobalConf) { _dpd.logMsg("FTPTelnet Config:\n"); @@ -3470,7 +3470,7 @@ static int FTPTelnetFreeConfigsPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { @@ -3525,7 +3525,7 @@ * Purpose: This checks that the FTP configuration provided has * options for CMDs that make sense: * -- check if max_len == 0 & there is a cmd_validity - * + * * Arguments: serverConf => pointer to Server Configuration * * Returns: 0 => no errors @@ -3537,7 +3537,7 @@ FTP_CMD_CONF *cmdConf; int iRet =0; int config_error = 0; - + cmdConf = ftp_cmd_lookup_first(serverConf->cmd_lookup, &iRet); while (cmdConf && (iRet == FTPP_SUCCESS)) { @@ -3552,7 +3552,7 @@ config_error = 1; } cmdConf = ftp_cmd_lookup_next(serverConf->cmd_lookup, &iRet); - } + } return config_error; } @@ -3561,7 +3561,7 @@ * Function: FTPTelnetCheckFTPServerConfigs(void) * * Purpose: This checks that the FTP server configurations are reasonable - * + * * Arguments: None * * Returns: None @@ -3599,7 +3599,7 @@ * * Purpose: This checks that the FTP configuration provided includes * the default configurations for Server & Client. - * + * * Arguments: None * * Returns: None @@ -3652,7 +3652,7 @@ static int FTPConfigCheckPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { 
@@ -3675,30 +3675,30 @@ * * Purpose: This is the routine that logs FTP/Telnet Preprocessor (FTPP) * alerts through Snort. - * + * * Every Session gets looked at for any logged events, and if * there are events to be logged then we select the one with the * highest priority. - * + * * We use a generic event structure that we set for each different * event structure. This way we can use the same code for event * logging regardless of what type of event strucure we are dealing * with. - * + * * The important things to know about this function is how to work * with the event queue. The number of unique events is contained * in the stack_count variable. So we loop through all the unique * events and find which one has the highest priority. During this * loop, we also re-initialize the individual event counts for the * next iteration, saving us time in a separate initialization phase. - * + * * After we've iterated through all the events and found the one * with the highest priority, we then log that event through snort. - * + * * We've mapped the FTPTelnet and the Snort alert IDs together, so * we can access them directly instead of having a more complex * mapping function. - * + * * Arguments: GenEvents => pointer a list of events * iGenerator => Generator ID (Telnet or FTP) * @@ -3706,7 +3706,7 @@ * >0 = non-fatal error, <0 = fatal error) * */ -static INLINE int LogFTPPEvents(FTPP_GEN_EVENTS *GenEvents, +static inline int LogFTPPEvents(FTPP_GEN_EVENTS *GenEvents, int iGenerator) { FTPP_EVENT *OrigEvent; 
@@ -3802,14 +3802,14 @@ * Purpose: This is the routine that logs FTP alerts through Snort. * It maps the event into a generic event and calls * LOGFTPPEvents(). - * + * * Arguments: FtpSession => pointer the session structure * * Returns: int => an error code integer (0 = success, * >0 = non-fatal error, <0 = fatal error) * */ -static INLINE int LogFTPEvents(FTP_SESSION *FtpSession) +static inline int LogFTPEvents(FTP_SESSION *FtpSession) { FTPP_GEN_EVENTS GenEvents; int iGenerator; @@ -3834,14 +3834,14 @@ * Purpose: This is the routine that logs Telnet alerts through Snort. * It maps the event into a generic event and calls * LOGFTPPEvents(). - * + * * Arguments: TelnetSession => pointer the session structure * * Returns: int => an error code integer (0 = success, * >0 = non-fatal error, <0 = fatal error) * */ -static INLINE int LogTelnetEvents(TELNET_SESSION *TelnetSession) +static inline int LogTelnetEvents(TELNET_SESSION *TelnetSession) { FTPP_GEN_EVENTS GenEvents; int iGenerator; @@ -3865,7 +3865,7 @@ * Purpose: This is the routine sets the source and destination IP * address and port pairs so as to determine the direction * of the FTP or telnet connection. - * + * * Arguments: SiInput => pointer the session input structure * p => pointer to the packet structure * @@ -3873,7 +3873,7 @@ * >0 = non-fatal error, <0 = fatal error) * */ -static INLINE int SetSiInput(FTPP_SI_INPUT *SiInput, SFSnortPacket *p) +static inline int SetSiInput(FTPP_SI_INPUT *SiInput, SFSnortPacket *p) { IP_COPY_VALUE(SiInput->sip, GET_SRC_IP(p)); IP_COPY_VALUE(SiInput->dip, GET_DST_IP(p)); @@ -3910,7 +3910,7 @@ * * Purpose: This is the routine that directly performs the rules checking * for each of the FTP & telnet preprocessing modules. - * + * * Arguments: p => pointer to the packet structure * * Returns: None 
@@ -3957,7 +3957,7 @@ * * Purpose: This is the routine that handles the protocol layer checks * for telnet. - * + * * Arguments: GlobalConf => pointer the global configuration * p => pointer to the packet structure * iInspectMode => indicator whether this is a client or server @@ -4020,6 +4020,15 @@ return FTPP_SUCCESS; } +static inline int InspectClientPacket (SFSnortPacket* p) +{ +#ifdef ENABLE_PAF + if ( _dpd.isPafEnabled() ) + return PacketHasPAFPayload(p); +#endif + + return !(p->flags & FLAG_STREAM_INSERT); +} /* * Function: SnortFTP(FTPTELNET_GLOBAL_CONF *GlobalConf, * Packet *p, @@ -4027,7 +4036,7 @@ * * Purpose: This is the routine that handles the protocol layer checks * for FTP. - * + * * Arguments: GlobalConf => pointer the global configuration * p => pointer to the packet structure * iInspectMode => indicator whether this is a client or server @@ -4043,14 +4052,14 @@ int iRet; PROFILE_VARS; - if (!FTPSession || + if (!FTPSession || FTPSession->server_conf == NULL || FTPSession->client_conf == NULL) { return FTPP_INVALID_SESSION; } - if (!GlobalConf->check_encrypted_data && + if (!GlobalConf->check_encrypted_data && ((FTPSession->encr_state == AUTH_TLS_ENCRYPTED) || (FTPSession->encr_state == AUTH_SSL_ENCRYPTED) || (FTPSession->encr_state == AUTH_UNKNOWN_ENCRYPTED)) ) @@ -4062,14 +4071,19 @@ if (iInspectMode == FTPP_SI_SERVER_MODE) { - /* Force flush of client side of stream */ DEBUG_WRAP(DebugMessage(DEBUG_FTPTELNET, "Server packet: %.*s\n", p->payload_size, p->payload)); - _dpd.streamAPI->response_flush_stream(p); + +#ifdef ENABLE_PAF + // FIXTHIS breaks target-based non-standard ports + //if ( !_dpd.isPafEnabled() ) +#endif + /* Force flush of client side of stream */ + _dpd.streamAPI->response_flush_stream(p); } else { - if (p->flags & FLAG_STREAM_INSERT) + if ( !InspectClientPacket(p) ) { DEBUG_WRAP(DebugMessage(DEBUG_FTPTELNET, "Client packet will be reassembled\n")); 
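Review bot: The `#ifdef ENABLE_PAF` block in SnortFTP's server branch (hunk `@@ -4062,14 +4071,19 @@`) encloses only a commented-out `if ( !_dpd.isPafEnabled() )`, so `_dpd.streamAPI->response_flush_stream(p)` is still executed unconditionally while the guard reads as though the flush were conditional on PAF. Either drop the empty guard or turn it into a plain comment that records the open issue, e.g. `/* TODO: with PAF enabled this forced flush should be skipped, but skipping it currently breaks target-based non-standard ports */`. The new helper InspectClientPacket in the preceding hunk has no comment; something like `/* client payload is inspectable: PacketHasPAFPayload() when PAF is on, otherwise any packet without FLAG_STREAM_INSERT */` would document both paths. SnortFTP begins and ends outside this hunk.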
@@ -4148,7 +4162,7 @@
 sfPolicyUserPolicySet (ftp_telnet_config, policy_id);
 GlobalConf = (FTPTELNET_GLOBAL_CONF *)sfPolicyUserDataGetCurrent(ftp_telnet_config);
-
+
 /*
 * Set up the FTPP_SI_INPUT pointer. This is what the session_inspection()
 * routines use to determine client and server traffic. Plus, this makes
@@ -4226,7 +4240,7 @@
 * FTPTelnet PACKET FLOW::
 *
 * Determine Proto Module::
- * The Session Inspection Module retrieves the appropriate
+ * The Session Inspection Module retrieves the appropriate
 * configuration for sessions, and takes care of the stateless
 * vs. stateful processing in order to do this. Once this module
 * does it's magic, we're ready for the primetime. This means
@@ -4235,7 +4249,7 @@
 * Proto Specific Module::
 * This is where we normalize the data. The Protocol specific module
 * handles what type of normalization to do (telnet, ftp) and does
- * protocl related checks.
+ * protocol related checks.
 *
 */
 if (ft_ssn == NULL)
@@ -4286,7 +4300,7 @@
 /****************************************************************************
- *
+ *
 * Function: FTPPBounce(void *pkt, uint8_t **cursor, void **dataPtr)
 *
 * Purpose: Use this function to perform the particular detection routine
@@ -4309,13 +4323,23 @@
 const char *this_param = *(const char **)cursor;
 int dsize;
- int use_alt_buffer = p->flags & FLAG_ALT_DECODE;
- if(use_alt_buffer)
+ // TBD SUP_IP6 support
+ if ( !p->ip4_header )
+ return 0;
+
+ if(_dpd.Is_DetectFlag(SF_FLAG_ALT_DETECT))
+ {
+ dsize = _dpd.altDetect->len;
+ start_ptr = (char *) _dpd.altDetect->data;
+ DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
+ "Using Alternative Detect buffer!\n"););
+ }
+ else if(_dpd.Is_DetectFlag(SF_FLAG_ALT_DECODE))
 {
- dsize = p->normalized_payload_size;
- start_ptr = (char *) _dpd.altBuffer;
- DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
+ dsize = _dpd.altBuffer->len;
+ start_ptr = (char *) _dpd.altBuffer->data;
+ DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
 "Using Alternative Decode buffer!\n"););
 }
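Review bot: The new `if ( !p->ip4_header ) return 0;` at the top of FTPPBounce (hunk `@@ -4309,13 +4323,23 @@`) makes the ftpbounce rule option silently never match on sessions without an IPv4 header, and it returns a bare `0` while the remaining returns of the same function are converted to RULE_NOMATCH/RULE_MATCH in the following hunk. Use `return RULE_NOMATCH;` here for consistency (if RULE_NOMATCH is defined as 0 this is style only), and expand the terse `// TBD SUP_IP6 support` so the coverage gap is visible to whoever reads or tunes this, e.g. `/* IPv6 sessions are not checked yet: the PORT address is only compared against the IPv4 source */`. FTPPBounce begins before this hunk and its body continues after it.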
@@ -4335,7 +4359,7 @@
 base_ptr = start_ptr;
 while (isspace((int)*this_param) && (this_param < end_ptr))
 this_param++;
-
+
 do
 {
 int value = 0;
@@ -4346,7 +4370,7 @@
 {
 DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
 "[*] ftpbounce non digit char failed..\n"););
- return 0;
+ return RULE_NOMATCH;
 }
 value = value * 10 + (*this_param - '0');
@@ -4360,7 +4384,7 @@
 {
 DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
 "[*] ftpbounce value > 256 ..\n"););
- return 0;
+ return RULE_NOMATCH;
 }
 if (octet < 4)
@@ -4379,28 +4403,28 @@
 {
 DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
 "[*] ftpbounce insufficient data ..\n"););
- return 0;
+ return RULE_NOMATCH;
 }
 if (ip != ntohl(p->ip4_header->source.s_addr))
 {
 /* Bounce attempt -- IPs not equal */
- return 1;
+ return RULE_MATCH;
 }
 else
 {
 DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
 "PORT command not being used in bounce\n"););
- return 0;
+ return RULE_NOMATCH;
 }
-
+
 /* Never reached */
- return 0;
+ return RULE_NOMATCH;
 }
 #endif /* DYNAMIC_PLUGIN */
-/** Add ports configured for http preprocessor to stream5 port filtering so that if
+/** Add ports configured for http preprocessor to stream5 port filtering so that if
 * any_any rules are being ignored them the the packet still reaches http-inspect.
 *
 * For ports in global_server configuration, server_lookup and server_lookupIpv6,
@@ -4416,8 +4440,8 @@
 /* For the server callback */
 ftp_current_policy = policy_id;
- _addPortsToStream5(config->telnet_config->proto_ports.ports, policy_id);
- _addPortsToStream5(config->default_ftp_server->proto_ports.ports, policy_id);
+ _addPortsToStream5(config->telnet_config->proto_ports.ports, policy_id, 0);
+ _addPortsToStream5(config->default_ftp_server->proto_ports.ports, policy_id, 1);
 ftpp_ui_server_iterate(config->server_lookup, _addFtpServerConfPortsToStream5, &i);
 }
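Review bot: The new third argument of `_addPortsToStream5` (hunk `@@ -4416,8 +4440,8 @@`) is an unnamed `int` passed as literal `0` and `1`, so the two call sites do not say what differs between the telnet and FTP port lists; named constants (for instance `enum { PORTS_TELNET = 0, PORTS_FTP = 1 };`) or a `bool is_ftp` parameter would make the intent readable here and in the `_addFtpServerConfPortsToStream5` call in the next hunk. In the preceding hunk the rewritten doc-comment line above what is presumably `_FTPTelnetAddPortsOfInterest` still speaks of the "http preprocessor" and "http-inspect"; since the line is touched anyway it should name ftptelnet. Both hunks sit inside functions whose bodies extend past their edges.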
@@ -4425,10 +4449,41 @@ static void _addFtpServerConfPortsToStream5(void *pData) { FTP_SERVER_PROTO_CONF *pConf = (FTP_SERVER_PROTO_CONF *)pData; - _addPortsToStream5(pConf->proto_ports.ports, ftp_current_policy); + _addPortsToStream5(pConf->proto_ports.ports, ftp_current_policy, 1); } -static void _addPortsToStream5(char *ports, tSfPolicyId policy_id) +#ifdef ENABLE_PAF +// flush at last line feed in payload +// preproc will deal with any pipelined commands +static PAF_Status ftp_paf ( + void* ssn, void** pv, const uint8_t* data, uint32_t len, + uint32_t flags, uint32_t* fp) +{ +#ifdef HAVE_MEMRCHR + uint8_t* lf = memrchr(data, '\n', len); +#else + uint32_t n = len; + uint8_t* lf = NULL, * tmp = (uint8_t*) data; + + while ( (tmp = memchr(tmp, '\n', n)) ) + { + lf = tmp++; + n = len - (tmp - data); + } +#endif + + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_PAF, + "%s[%d] '%*.*s'\n", __FUNCTION__, len, len, len, data)); + + if ( !lf ) + return PAF_SEARCH; + + *fp = lf - data + 1; + return PAF_FLUSH; +} +#endif + +static void _addPortsToStream5(char *ports, tSfPolicyId policy_id, int ftp) { unsigned int i; @@ -4439,6 +4494,14 @@ //Add port the port _dpd.streamAPI->set_port_filter_status(IPPROTO_TCP, (uint16_t)i, PORT_MONITOR_SESSION, policy_id, 1); + +#ifdef ENABLE_PAF + if ( ftp && _dpd.isPafEnabled() ) + { + _dpd.streamAPI->register_paf_cb(policy_id, (uint16_t)i, true, ftp_paf, false); + _dpd.streamAPI->register_paf_cb(policy_id, (uint16_t)i, false, ftp_paf, false); + } +#endif } } } diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h --- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h 2009-07-07 15:37:06.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h 2011-06-08 00:33:14.000000000 +0000 
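Review bot: `ftp_paf` answers PAF_SEARCH whenever the scanned segment holds no '\n' and imposes no cap of its own, so a peer that never sends a line terminator keeps the reassembler searching; whether the stream layer's PAF maximum bounds how much is held is not visible here and should be stated above the function, e.g. `// no line feed: keep searching; relies on the stream5 PAF limit to bound buffering — confirm`. Two smaller points in the same function: the debug format `"%s[%d] '%*.*s'"` is handed a `uint32_t` for `%d` and both `*` widths, which strictly expect `int`, so `(int)len` would be the safer spelling; and `ssn`, `pv` and `flags` are unused, which is fine for a callback but worth a `(void)` cast if the build uses -Wunused-parameter. The `register_paf_cb` calls in the following hunk pass `true`/`false`, which needs `<stdbool.h>` or an equivalent definition in scope; the file's includes are outside this chunk, so I cannot confirm it.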
@@ -1,7 +1,7 @@ /* * snort_ftptelnet.h * - * Copyright (C) 2004-2009 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges * Daniel J. Roelker * Marc A. Norton @@ -74,10 +74,10 @@ void FTPTelnetCheckFTPServerConfigs(FTPTELNET_GLOBAL_CONF *); void _FTPTelnetAddPortsOfInterest(FTPTELNET_GLOBAL_CONF *, tSfPolicyId); -int ProcessGlobalConf(FTPTELNET_GLOBAL_CONF *, char *, int); +int ProcessFTPGlobalConf(FTPTELNET_GLOBAL_CONF *, char *, int); int ProcessTelnetConf(FTPTELNET_GLOBAL_CONF *, char *, int); int ProcessFTPClientConf(FTPTELNET_GLOBAL_CONF *, char *, int); int ProcessFTPServerConf(FTPTELNET_GLOBAL_CONF *, char *, int); -int PrintGlobalConf(FTPTELNET_GLOBAL_CONF *); +int PrintFTPGlobalConf(FTPTELNET_GLOBAL_CONF *); int FTPTelnetCheckConfigs( void* , tSfPolicyId ); #endif diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c snort-2.9.2/src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c --- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c 2009-10-02 20:29:58.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c 2011-11-21 20:15:24.000000000 +0000 @@ -1,12 +1,12 @@ /* * spp_ftptelnet.c * - * Copyright (C) 2004-2009 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges * Daniel J. Roelker * Marc A. Norton * Kevin Liu - * + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as * published by the Free Software Foundation. You may not use, modify or @@ -48,10 +48,8 @@ #include "config.h" #endif -//#include "decode.h" -//#include "plugbase.h" -#include "debug.h" -//#include "util.h" +#include "sf_types.h" +#include "snort_debug.h" #include "ftpp_ui_config.h" #ifdef CLIENT_READY 
@@ -59,16 +57,26 @@ #include "ftp_norm.h" #endif #include "snort_ftptelnet.h" +#include "spp_ftptelnet.h" +#include "sf_preproc_info.h" #include "profiler.h" #include "sfPolicy.h" #include "sfPolicyUserData.h" -#ifdef DYNAMIC_PLUGIN -//#include "dynamic-plugins/sp_preprocopt.h" +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 2; +const int BUILD_VERSION = 13; +#ifdef SUP_IP6 +const char *PREPROC_NAME = "SF_FTPTELNET (IPV6)"; +#else +const char *PREPROC_NAME = "SF_FTPTELNET"; #endif +#define SetupFTPTelnet DYNAMIC_PREPROC_SETUP + + /* * Defines for preprocessor initialization */ @@ -104,6 +112,7 @@ #ifdef TARGET_BASED int16_t ftp_app_id = 0; +int16_t ftp_data_app_id = 0; int16_t telnet_app_id = 0; #endif @@ -251,6 +260,7 @@ { /* Find and store the application ID for FTP & Telnet */ ftp_app_id = _dpd.addProtocolReference("ftp"); + ftp_data_app_id = _dpd.addProtocolReference("ftp-data"); telnet_app_id = _dpd.addProtocolReference("telnet"); } #endif @@ -266,7 +276,7 @@ pPolicyConfig = (FTPTELNET_GLOBAL_CONF *)sfPolicyUserDataGetCurrent(ftp_telnet_config); if (pPolicyConfig == NULL) { - if (strcasecmp(pcToken, GLOBAL) != 0) + if (strcasecmp(pcToken, GLOBAL) != 0) { DynamicPreprocessorFatalMessage("%s(%d) Must configure the " "ftptelnet global configuration first.\n", @@ -289,16 +299,17 @@ if (iRet == 0) { - iRet = ProcessGlobalConf(pPolicyConfig, + iRet = ProcessFTPGlobalConf(pPolicyConfig, ErrorString, iErrStrLen); if (iRet == 0) { - PrintGlobalConf(pPolicyConfig); + PrintFTPGlobalConf(pPolicyConfig); /* Add FTPTelnet into the preprocessor list */ _dpd.addPreproc(FTPTelnetChecks, PRIORITY_APPLICATION, PP_FTPTELNET, PROTO_BIT__TCP); - _dpd.preprocOptRegister("ftp.bounce", &FTPPBounceInit, &FTPPBounceEval, NULL, NULL, NULL); + _dpd.preprocOptRegister("ftp.bounce", &FTPPBounceInit, &FTPPBounceEval, + NULL, NULL, NULL, NULL, NULL); #ifdef TARGET_BASED if (_dpd.streamAPI != NULL) 
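Review bot: The `ProcessFTPGlobalConf` / `PrintFTPGlobalConf` / `addPreproc` / `preprocOptRegister` sequence in the -289 hunk is repeated byte-for-byte in the -508 hunk of this file, and this commit had to edit both in lockstep (the rename and the two extra NULL arguments to `preprocOptRegister`). Factoring it into one static helper, e.g. `static void FTPTelnetRegister(FTPTELNET_GLOBAL_CONF *pPolicyConfig)`, called from both the initial-config and the reload path would stop the two copies from drifting the next time the registration signature changes. Both enclosing functions start before their hunks.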
@@ -356,7 +367,7 @@ */ if(*ErrorString) { - _dpd.errMsg("WARNING: %s(%d) => %s\n", + _dpd.errMsg("WARNING: %s(%d) => %s\n", *(_dpd.config_file), *(_dpd.config_line), ErrorString); } } @@ -367,7 +378,7 @@ */ if(*ErrorString) { - DynamicPreprocessorFatalMessage("%s(%d) => %s\n", + DynamicPreprocessorFatalMessage("%s(%d) => %s\n", *(_dpd.config_file), *(_dpd.config_line), ErrorString); } else @@ -377,12 +388,12 @@ */ if(iRet == -2) { - DynamicPreprocessorFatalMessage("%s(%d) => ErrorString is undefined.\n", + DynamicPreprocessorFatalMessage("%s(%d) => ErrorString is undefined.\n", *(_dpd.config_file), *(_dpd.config_line)); } else { - DynamicPreprocessorFatalMessage("%s(%d) => Undefined Error.\n", + DynamicPreprocessorFatalMessage("%s(%d) => Undefined Error.\n", *(_dpd.config_file), *(_dpd.config_line)); } } @@ -485,7 +496,7 @@ if (pPolicyConfig == NULL) { - if (strcasecmp(pcToken, GLOBAL) != 0) + if (strcasecmp(pcToken, GLOBAL) != 0) { DynamicPreprocessorFatalMessage("%s(%d) Must configure the " "ftptelnet global configuration first.\n", @@ -508,16 +519,17 @@ if (iRet == 0) { - iRet = ProcessGlobalConf(pPolicyConfig, + iRet = ProcessFTPGlobalConf(pPolicyConfig, ErrorString, iErrStrLen); if (iRet == 0) { - PrintGlobalConf(pPolicyConfig); + PrintFTPGlobalConf(pPolicyConfig); /* Add FTPTelnet into the preprocessor list */ _dpd.addPreproc(FTPTelnetChecks, PRIORITY_APPLICATION, PP_FTPTELNET, PROTO_BIT__TCP); - _dpd.preprocOptRegister("ftp.bounce", &FTPPBounceInit, &FTPPBounceEval, NULL, NULL, NULL); + _dpd.preprocOptRegister("ftp.bounce", &FTPPBounceInit, &FTPPBounceEval, + NULL, NULL, NULL, NULL, NULL); } } } @@ -564,7 +576,7 @@ */ if(*ErrorString) { - _dpd.errMsg("WARNING: %s(%d) => %s\n", + _dpd.errMsg("WARNING: %s(%d) => %s\n", *(_dpd.config_file), *(_dpd.config_line), ErrorString); } } 
@@ -575,7 +587,7 @@ */ if(*ErrorString) { - DynamicPreprocessorFatalMessage("%s(%d) => %s\n", + DynamicPreprocessorFatalMessage("%s(%d) => %s\n", *(_dpd.config_file), *(_dpd.config_line), ErrorString); } else @@ -585,12 +597,12 @@ */ if(iRet == -2) { - DynamicPreprocessorFatalMessage("%s(%d) => ErrorString is undefined.\n", + DynamicPreprocessorFatalMessage("%s(%d) => ErrorString is undefined.\n", *(_dpd.config_file), *(_dpd.config_line)); } else { - DynamicPreprocessorFatalMessage("%s(%d) => Undefined Error.\n", + DynamicPreprocessorFatalMessage("%s(%d) => Undefined Error.\n", *(_dpd.config_file), *(_dpd.config_line)); } } @@ -600,7 +612,7 @@ static int FtpTelnetReloadVerifyPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { @@ -620,7 +632,7 @@ static int FtpTelnetReloadSwapPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.h --- snort-2.8.5.2/src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.h 2009-05-06 22:29:01.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.h 2011-02-09 23:23:20.000000000 +0000 @@ -1,7 +1,7 @@ /* * spp_ftptelnet.h * - * Copyright (C) 2004-2009 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges * Daniel J. Roelker * Marc A. Norton diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/gtp/gtp_config.c snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_config.c --- snort-2.8.5.2/src/dynamic-preprocessors/gtp/gtp_config.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_config.c 2011-10-26 18:28:52.000000000 +0000 
@@ -0,0 +1,1009 @@ +/**************************************************************************** + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + **************************************************************************** + * Provides convenience functions for parsing and querying configuration. + * + * 7/17/2011 - Initial implementation ... Hui Cao + * + ****************************************************************************/ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif +#include +#include +#include "sf_types.h" +#include "sf_snort_packet.h" +#include "sfPolicy.h" +#include "sfPolicyUserData.h" +#include "gtp_config.h" +#include "spp_gtp.h" +#include "gtp_debug.h" + +#define METHOD_NOT_FOUND (-1) +/* + * Default GTP port + */ +#define GTP_C_PORT (2123) +#define GTP_C_PORT_V0 (3386) + +/* + * Keyword strings for parsing configuration options. 
+ */ +#define GTP_PORTS_KEYWORD "ports" + +#define GTP_CONFIG_SECTION_SEPERATORS ",;" +#define GTP_CONFIG_VALUE_SEPERATORS " " + +/* + * Message type defined + */ + +static GTP_MsgType GTPv0_MsgTypes[] = +{ + {1, 1, "echo_request"}, + {2, 1, "echo_response"}, + {3, 1, "version_not_supported"}, + {4, 1, "node_alive_request"}, + {5, 1, "node_alive_response"}, + {6, 1, "redirection_request"}, + {7, 1, "redirection_response"}, + + {16, 1,"create_pdp_context_request"}, + {17, 1,"create_pdp_context_response"}, + {18, 1,"update_pdp_context_request"}, + {19, 1,"update_pdp_context_response"}, + {20, 1,"delete_pdp_context_request"}, + {21, 1,"delete_pdp_context_response"}, + {22, 1,"create_aa_pdp_context_request"}, + {23, 1,"create_aa_pdp_context_response"}, + {24, 1,"delete_aa_pdp_context_request"}, + {25, 1,"delete_aa_pdp_context_response"}, + {26, 1,"error_indication"}, + {27, 1,"pdu_notification_request"}, + {28, 1,"pdu_notification_response"}, + {29, 1,"pdu_notification_reject_request"}, + {30, 1,"pdu_notification_reject_response"}, + + {32, 1,"send_routing_info_request"}, + {33, 1,"send_routing_info_response"}, + {34, 1,"failure_report_request"}, + {35, 1,"failure_report_response"}, + {36, 1,"note_ms_present_request"}, + {37, 1,"note_ms_present_response"}, + + {48, 1,"identification_request"}, + {49, 1,"identification_response"}, + {50, 1,"sgsn_context_request"}, + {51, 1,"sgsn_context_response"}, + {52, 1,"sgsn_context_ack"}, + + {240, 1,"data_record_transfer_request"}, + {241, 1,"data_record_transfer_response"}, + + {255, 1,"pdu"}, + {0, 0, NULL} +}; + +static GTP_MsgType GTPv1_MsgTypes[] = +{ + {1, 1, "echo_request"}, + {2, 1, "echo_response"}, + {3, 1, "version_not_supported"}, + {4, 1, "node_alive_request"}, + {5, 1, "node_alive_response"}, + {6, 1, "redirection_request"}, + {7, 1, "redirection_response"}, + + {16, 1,"create_pdp_context_request"}, + {17, 1,"create_pdp_context_response"}, + {18, 1,"update_pdp_context_request"}, + {19, 
1,"update_pdp_context_response"}, + {20, 1,"delete_pdp_context_request"}, + {21, 1,"delete_pdp_context_response"}, + {22, 1,"init_pdp_context_activation_request"}, + {23, 1,"init_pdp_context_activation_response"}, + + {26, 1,"error_indication"}, + {27, 1,"pdu_notification_request"}, + {28, 1,"pdu_notification_response"}, + {29, 1,"pdu_notification_reject_request"}, + {30, 1,"pdu_notification_reject_response"}, + {31, 1,"supported_ext_header_notification"}, + {32, 1,"send_routing_info_request"}, + {33, 1,"send_routing_info_response"}, + {34, 1,"failure_report_request"}, + {35, 1,"failure_report_response"}, + {36, 1,"note_ms_present_request"}, + {37, 1,"note_ms_present_response"}, + + {48, 1,"identification_request"}, + {49, 1,"identification_response"}, + {50, 1,"sgsn_context_request"}, + {51, 1,"sgsn_context_response"}, + {52, 1,"sgsn_context_ack"}, + {53, 1,"forward_relocation_request"}, + {54, 1,"forward_relocation_response"}, + {55, 1,"forward_relocation_complete"}, + {56, 1,"relocation_cancel_request"}, + {57, 1,"relocation_cancel_response"}, + {58, 1,"forward_srns_contex"}, + {59, 1,"forward_relocation_complete_ack"}, + {60, 1,"forward_srns_contex_ack"}, + + {70, 1,"ran_info_relay"}, + + {96, 1,"mbms_notification_request"}, + {97, 1,"mbms_notification_response"}, + {98, 1,"mbms_notification_reject_request"}, + {99, 1,"mbms_notification_reject_response"}, + {100,1,"create_mbms_context_request"}, + {101,1,"create_mbms_context_response"}, + {102,1,"update_mbms_context_request"}, + {103,1,"update_mbms_context_response"}, + {104,1,"delete_mbms_context_request"}, + {105,1,"delete_mbms_context_response"}, + + {112,1,"mbms_register_request"}, + {113,1,"mbms_register_response"}, + {114,1,"mbms_deregister_request"}, + {115,1,"mbms_deregister_response"}, + {116,1,"mbms_session_start_request"}, + {117,1,"mbms_session_start_response"}, + {118,1,"mbms_session_stop_request"}, + {119,1,"mbms_session_stop_response"}, + {120,1,"mbms_session_update_request"}, + 
{121,1,"mbms_session_update_response"}, + + {128, 1,"ms_info_change_request"}, + {129, 1,"ms_info_change_response"}, + + {240, 1,"data_record_transfer_request"}, + {241, 1,"data_record_transfer_response"}, + + {254, 1,"end_marker"}, + {255, 1,"pdu"}, + {0, 0, NULL} +}; + +static GTP_MsgType GTPv2_MsgTypes[] = +{ + {1, 1, "echo_request"}, + {2, 1, "echo_response"}, + {3, 1, "version_not_supported"}, + + {32, 1,"create_session_request"}, + {33, 1,"create_session_response"}, + {34, 1,"modify_bearer_request"}, + {35, 1,"modify_bearer_response"}, + {36, 1,"delete_session_request"}, + {37, 1,"delete_session_response"}, + {38, 1,"change_notification_request"}, + {39, 1,"change_notification_response"}, + + {64, 1,"modify_bearer_command"}, + {65, 1,"modify_bearer_failure_indication"}, + {66, 1,"delete_bearer_command"}, + {67, 1,"delete_bearer_failure_indication"}, + {68, 1,"bearer_resource_command"}, + {69, 1,"bearer_resource_failure_indication"}, + {70, 1,"downlink_failure_indication"}, + {71, 1,"trace_session_activation"}, + {72, 1,"trace_session_deactivation"}, + {73, 1,"stop_paging_indication"}, + + {95, 1,"create_bearer_request"}, + {96, 1,"create_bearer_response"}, + {97, 1,"update_bearer_request"}, + {98, 1,"update_bearer_response"}, + {99, 1,"delete_bearer_request"}, + {100,1,"delete_bearer_response"}, + {101,1,"delete_pdn_request"}, + {102,1,"delete_pdn_response"}, + + {128, 1,"identification_request"}, + {129, 1,"identification_response"}, + {130, 1,"sgsn_context_request"}, + {131, 1,"sgsn_context_response"}, + {132, 1,"sgsn_context_ack"}, + {133, 1,"forward_relocation_request"}, + {134, 1,"forward_relocation_response"}, + {135, 1,"forward_relocation_complete"}, + {136, 1,"forward_relocation_complete_ack"}, + {137, 1,"forward_access"}, + {138, 1,"forward_access_ack"}, + {139, 1,"relocation_cancel_request"}, + {140, 1,"relocation_cancel_response"}, + {141, 1,"configuration_transfer_tunnel"}, + + {149, 1,"detach"}, + {150, 1,"detach_ack"}, + {151, 1,"cs_paging"}, + 
{152, 1,"ran_info_relay"}, + {153, 1,"alert_mme"}, + {154, 1,"alert_mme_ack"}, + {155, 1,"ue_activity"}, + {156, 1,"ue_activity_ack"}, + + {160,1,"create_forward_tunnel_request"}, + {161,1,"create_forward_tunnel_response"}, + {162, 1,"suspend"}, + {163, 1,"suspend_ack"}, + {164, 1,"resume"}, + {165, 1,"resume_ack"}, + {166,1,"create_indirect_forward_tunnel_request"}, + {167,1,"create_indirect_forward_tunnel_response"}, + {168,1,"delete_indirect_forward_tunnel_request"}, + {169,1,"delete_indirect_forward_tunnel_response"}, + {170,1,"release_access_bearer_request"}, + {171,1,"release_access_bearer_response"}, + + {176,1,"downlink_data"}, + {177,1,"downlink_data_ack"}, + + {179,1,"pgw_restart"}, + {180,1,"pgw_restart_ack"}, + + {200,1,"update_pdn_request"}, + {201,1,"update_pdn_response"}, + + {211,1,"modify_access_bearer_request"}, + {212,1,"modify_access_bearer_response"}, + + {231,1,"mbms_session_start_request"}, + {232,1,"mbms_session_start_response"}, + {233,1,"mbms_session_update_request"}, + {234,1,"mbms_session_update_response"}, + {235,1,"mbms_session_stop_request"}, + {236,1,"mbms_session_stop_response"}, + + {0, 0, NULL} +}; + +/* + * Information elements defined + */ + +static GTP_InfoElement GTPv0_InfoElements[] = +{ + {1, 1, "cause", 2}, + {2, 1, "imsi", 9}, + {3, 1, "rai", 7}, + {4, 1, "tlli", 5}, + {5, 1, "p_tmsi", 5}, + {6, 1, "qos", 4}, + + {8, 1, "recording_required", 2}, + {9, 1, "authentication", 29}, + + {11, 1, "map_cause", 2}, + {12, 1, "p_tmsi_sig", 4}, + {13, 1, "ms_validated", 2}, + {14, 1, "recovery", 2}, + {15, 1, "selection_mode", 2}, + {16, 1, "flow_label_data_1", 3}, + {17, 1, "flow_label_signalling", 3}, + {18, 1, "flow_label_data_2", 4}, + {19, 1, "ms_unreachable", 2}, + + {127, 1, "charge_id", 5}, + {128, 1, "end_user_address", 0}, + {129, 1, "mm_context", 0}, + {130, 1, "pdp_context", 0}, + {131, 1, "apn", 0}, + {132, 1, "protocol_config", 0}, + {133, 1, "gsn", 0}, + {134, 1, "msisdn", 0}, + + {251, 1, "charging_gateway_addr", 0}, + 
+ {255, 1, "private_extension", 0}, + + {0, 0, NULL, 0}, +}; + +static GTP_InfoElement GTPv1_InfoElements[] = +{ + {1, 1, "cause", 2}, + {2, 1, "imsi", 9}, + {3, 1, "rai", 7}, + {4, 1, "tlli", 5}, + {5, 1, "p_tmsi", 5}, + + {8, 1, "recording_required", 2}, + {9, 1, "authentication", 29}, + + {11, 1, "map_cause", 2}, + {12, 1, "p_tmsi_sig", 4}, + {13, 1, "ms_validated", 2}, + {14, 1, "recovery", 2}, + {15, 1, "selection_mode", 2}, + {16, 1, "teid_1", 5}, + {17, 1, "teid_control", 5}, + {18, 1, "teid_2", 6}, + {19, 1, "teardown_ind", 2}, + {20, 1, "nsapi", 2}, + {21, 1, "ranap", 2}, + {22, 1, "rab_context", 10}, + {23, 1, "radio_priority_sms", 2}, + {24, 1, "radio_priority", 2}, + {25, 1, "packet_flow_id", 3}, + {26, 1, "charging_char", 3}, + {27, 1, "trace_ref", 3}, + {28, 1, "trace_type", 3}, + {29, 1, "ms_unreachable", 2}, + + {127, 1, "charge_id", 5}, + {128, 1, "end_user_address", 0}, + {129, 1, "mm_context", 0}, + {130, 1, "pdp_context", 0}, + {131, 1, "apn", 0}, + {132, 1, "protocol_config", 0}, + {133, 1, "gsn", 0}, + {134, 1, "msisdn", 0}, + {135, 1, "qos", 0}, + {136, 1, "authentication_qu", 0}, + {137, 1, "tft", 0}, + {138, 1, "target_id", 0}, + {139, 1, "utran_trans", 0}, + {140, 1, "rab_setup", 0}, + {141, 1, "ext_header", 0}, + {142, 1, "trigger_id", 0}, + {143, 1, "omc_id", 0}, + {144, 1, "ran_trans", 0}, + {145, 1, "pdp_context_pri", 0}, + {146, 1, "addi_rab_setup", 0}, + {147, 1, "sgsn_number", 0}, + {148, 1, "common_flag", 0}, + {149, 1, "apn_restriction", 0}, + {150, 1, "radio_priority_lcs", 4}, + {151, 1, "rat_type", 0}, + {152, 1, "user_loc_info", 0}, + {153, 1, "ms_time_zone", 0}, + {154, 1, "imei_sv", 0}, + {155, 1, "camel", 0}, + {156, 1, "mbms_ue_context", 0}, + {157, 1, "tmp_mobile_group_id", 0}, + {158, 1, "rim_routing_addr", 0}, + {159, 1, "mbms_config", 0}, + {160, 1, "mbms_service_area", 0}, + {161, 1, "src_rnc_pdcp", 0}, + {162, 1, "addi_trace_info", 0}, + {163, 1, "hop_counter", 0}, + {164, 1, "plmn_id", 0}, + {165, 1, 
"mbms_session_id", 0}, + {166, 1, "mbms_2g3g_indicator", 0}, + {167, 1, "enhanced_nsapi", 0}, + {168, 1, "mbms_session_duration", 0}, + {169, 1, "addi_mbms_trace_info", 0}, + {170, 1, "mbms_session_repetition_num", 0}, + {171, 1, "mbms_time_to_data", 0}, + + {173, 1, "bss", 0}, + {174, 1, "cell_id", 0}, + {175, 1, "pdu_num", 0}, + {177, 1, "mbms_bearer_capab", 0}, + {178, 1, "rim_routing_disc", 0}, + {179, 1, "list_pfc", 0}, + {180, 1, "ps_xid", 0}, + {181, 1, "ms_info_change_report", 4}, + {182, 1, "direct_tunnel_flags", 0}, + {183, 1, "correlation_id", 0}, + {184, 1, "bearer_control_mode", 0}, + {185, 1, "mbms_flow_id", 0}, + {186, 1, "mbms_ip_multicast", 0}, + {187, 1, "mbms_distribution_ack", 4}, + {188, 1, "reliable_inter_rat_handover", 0}, + {189, 1, "rfsp_index", 0}, + {190, 1, "fqdn", 0}, + {191, 1, "evolved_allocation1", 0}, + {192, 1, "evolved_allocation2", 0}, + {193, 1, "extended_flags", 0}, + {194, 1, "uci", 0}, + {195, 1, "csg_info", 0}, + {196, 1, "csg_id", 0}, + {197, 1, "cmi", 4}, + {198, 1, "apn_ambr", 0}, + {199, 1, "ue_network", 0}, + {200, 1, "ue_ambr", 0}, + {201, 1, "apn_ambr_nsapi", 0}, + {202, 1, "ggsn_backoff_timer", 0}, + {203, 1, "signalling_priority_indication", 0}, + {204, 1, "signalling_priority_indication_nsapi", 0}, + {205, 1, "high_bitrate", 4}, + {206, 1, "max_mbr", 0}, + + {251, 1, "charging_gateway_addr", 0}, + + {255, 1, "private_extension", 0}, + + {0, 0, NULL, 0}, +}; + +static GTP_InfoElement GTPv2_InfoElements[] = +{ + {1, 1, "imsi", 0}, + {2, 1, "cause", 0}, + {3, 1, "recovery", 0}, + + {71, 1, "apn", 0}, + {72, 1, "ambr", 0}, + {73, 1, "ebi", 0}, + {74, 1, "ip_addr", 0}, + {75, 1, "mei", 0}, + {76, 1, "msisdn", 0}, + {77, 1, "indication", 0}, + {78, 1, "pco", 0}, + {79, 1, "paa", 0}, + {80, 1, "bearer_qos", 0}, + {81, 1, "flow_qos", 0}, + {82, 1, "rat_type", 0}, + {83, 1, "serving_network", 0}, + {84, 1, "bearer_tft", 0}, + {85, 1, "tad", 0}, + {86, 1, "uli", 0}, + {87, 1, "f_teid", 0}, + {88, 1, "tmsi", 0}, + {89, 1, 
"cn_id", 0}, + {90, 1, "s103pdf", 0}, + {91, 1, "s1udf", 0}, + {92, 1, "delay_value", 0}, + {93, 1, "bearer_context", 0}, + {94, 1, "charging_id", 0}, + {95, 1, "charging_char", 0}, + {96, 1, "trace_info", 0}, + {97, 1, "bearer_flag", 0}, + + {99, 1, "pdn_type", 0}, + {100, 1, "pti", 0}, + {101, 1, "drx_parameter", 0}, + + {103, 1, "gsm_key_tri", 0}, + {104, 1, "umts_key_cipher_quin", 0}, + {105, 1, "gsm_key_cipher_quin", 0}, + {106, 1, "umts_key_quin", 0}, + {107, 1, "eps_quad", 0}, + {108, 1, "umts_key_quad_quin", 0}, + {109, 1, "pdn_connection", 0}, + {110, 1, "pdn_number", 0}, + {111, 1, "p_tmsi", 0}, + {112, 1, "p_tmsi_sig", 0}, + {113, 1, "hop_counter", 0}, + {114, 1, "ue_time_zone", 0}, + {115, 1, "trace_ref", 0}, + {116, 1, "complete_request_msg", 0}, + {117, 1, "guti", 0}, + {118, 1, "f_container", 0}, + {119, 1, "f_cause", 0}, + {120, 1, "plmn_id", 0}, + {121, 1, "target_id", 0}, + + {123, 1, "packet_flow_id", 0}, + {124, 1, "rab_contex", 0}, + {125, 1, "src_rnc_pdcp", 0}, + {126, 1, "udp_src_port", 0}, + {127, 1, "apn_restriction", 0}, + {128, 1, "selection_mode", 0}, + {129, 1, "src_id", 0}, + + {131, 1, "change_report_action", 0}, + {132, 1, "fq_csid", 0}, + {133, 1, "channel", 0}, + {134, 1, "emlpp_pri", 0}, + {135, 1, "node_type", 0}, + {136, 1, "fqdn", 0}, + {137, 1, "ti", 0}, + {138, 1, "mbms_session_duration", 0}, + {139, 1, "mbms_service_area", 0}, + {140, 1, "mbms_session_id", 0}, + {141, 1, "mbms_flow_id", 0}, + {142, 1, "mbms_ip_multicast", 0}, + {143, 1, "mbms_distribution_ack", 0}, + {144, 1, "rfsp_index", 0}, + {145, 1, "uci", 0}, + {146, 1, "csg_info", 0}, + {147, 1, "csg_id", 0}, + {148, 1, "cmi", 0}, + {149, 1, "service_indicator", 0}, + {150, 1, "detach_type", 0}, + {151, 1, "ldn", 0}, + {152, 1, "node_feature", 0}, + {153, 1, "mbms_time_to_transfer", 0}, + {154, 1, "throttling", 0}, + {155, 1, "arp", 0}, + {156, 1, "epc_timer", 0}, + {157, 1, "signalling_priority_indication", 0}, + {158, 1, "tmgi", 0}, + {159, 1, "mm_srvcc", 0}, + 
{160, 1, "flags_srvcc", 0}, + {161, 1, "mmbr", 0}, + + {255, 1, "private_extension", 0}, + + {0, 0, NULL, 0}, +}; + + +/* + * Function prototype(s) + */ +static void InitGTPInfoElementTable(GTPConfig *); +static void DisplayGTPConfig(GTPConfig *); +static void GTP_ParsePortList(char **, uint8_t *); + +/* Update the information elements table for one GTP version. + * + * PARAMETERS: + * + * GTPConfig *config: GTP preprocessor configuration. + * GTP_InfoElement *: Information elements + * uint8_t: version number for information elements + * + * RETURNS: Nothing. + */ + +static void UpdateGTPInfoElementTable(GTPConfig *config, GTP_InfoElement *InfoElements, uint8_t version) +{ + int i = 0; + + while(NULL != InfoElements[i].name) + { + config->infoElementTable[version][InfoElements[i].type] = &InfoElements[i]; + i++; + } +} + +/* Update the information elements table for the GTP preprocessor. + * + * PARAMETERS: + * + * GTPConfig *config: GTP preprocessor configuration. + * + * RETURNS: Nothing. + */ + +static void InitGTPInfoElementTable(GTPConfig *config) +{ + + GTP_InfoElement *InfoElements; + + + InfoElements = GTPv0_InfoElements; + UpdateGTPInfoElementTable(config,InfoElements, 0); + + InfoElements = GTPv1_InfoElements; + UpdateGTPInfoElementTable(config,InfoElements, 1); + + InfoElements = GTPv2_InfoElements; + UpdateGTPInfoElementTable(config,InfoElements, 2); + +} + +/* Update the message types table for one GTP version. + * + * PARAMETERS: + * + * GTPConfig *config: GTP preprocessor configuration. + * GTP_MsgType *: message types + * uint8_t: version number for message types + * + * RETURNS: Nothing. 
+ */ + +static void UpdateGTPMsgTypeTable(GTPConfig *config, GTP_MsgType *MsgTypes, uint8_t version) +{ + int i = 0; + + while(NULL != MsgTypes[i].name) + { + config->msgTypeTable[version][MsgTypes[i].type] = &MsgTypes[i]; + gtp_stats.msgTypeTable[version][MsgTypes[i].type] = &MsgTypes[i]; + i++; + } +} + +/* Update the message types table for the GTP preprocessor. + * + * PARAMETERS: + * + * GTPConfig *config: GTP preprocessor configuration. + * + * RETURNS: Nothing. + */ + +static void InitGTPMsgTypeTable(GTPConfig *config) +{ + + GTP_MsgType *MsgTypes; + + + MsgTypes = GTPv0_MsgTypes; + UpdateGTPMsgTypeTable(config,MsgTypes, 0); + + MsgTypes = GTPv1_MsgTypes; + UpdateGTPMsgTypeTable(config,MsgTypes, 1); + + MsgTypes = GTPv2_MsgTypes; + UpdateGTPMsgTypeTable(config,MsgTypes, 2); + +} + +#ifdef DEBUG_MSGS +/* Display the message types for the GTP preprocessor. + * + * PARAMETERS: + * + * GTPConfig *config: GTP preprocessor configuration. + * + * RETURNS: Nothing. + */ +static void DisplayMsgTypes(GTPConfig *config) +{ + int i, j; + + _dpd.logMsg(" Supported message types:\n"); + + for(i = 0; i < MAX_GTP_TYPE_CODE + 1; i++) + { + _dpd.logMsg("\t%3d ", i); + for (j = 0; j < MAX_GTP_VERSION_CODE + 1; j++) + { + if (config->msgTypeTable[j][i]) + { + _dpd.logMsg("%40s ", config->msgTypeTable[j][i]->name); + } + else + _dpd.logMsg("%40s ", "N/A"); + + } + _dpd.logMsg("\n"); + } +} +/* Display the information element for the GTP preprocessor. + * + * PARAMETERS: + * + * GTPConfig *config: GTP preprocessor configuration. + * + * RETURNS: Nothing. 
+ */ +static void DisplayInfoElements(GTPConfig *config) +{ + int i, j; + + _dpd.logMsg(" Supported information elements:\n"); + + for(i = 0; i < MAX_GTP_IE_CODE + 1; i++) + { + _dpd.logMsg("\t%3d ", i); + for (j = 0; j < MAX_GTP_VERSION_CODE + 1 ; j++) + { + if (config->infoElementTable[j][i]) + _dpd.logMsg(" %40s ", config->infoElementTable[j][i]->name); + else + _dpd.logMsg(" %40s ", "N/A"); + + } + _dpd.logMsg("\n"); + } +} +#endif + +/* Display the configuration for the GTP preprocessor. + * + * PARAMETERS: + * + * GTPConfig *config: GTP preprocessor configuration. + * + * RETURNS: Nothing. + */ +static void DisplayGTPConfig(GTPConfig *config) +{ + int index; + int newline; + + if (config == NULL) + return; + + _dpd.logMsg("GTP config: \n"); + + /* Traverse list, printing ports, 5 per line */ + newline = 1; + _dpd.logMsg(" Ports:\n"); + for(index = 0; index < MAXPORTS; index++) + { + if( config->ports[ PORT_INDEX(index) ] & CONV_PORT(index) ) + { + _dpd.logMsg("\t%d", index); + if ( !((newline++)% 5) ) + _dpd.logMsg("\n"); + } + } + _dpd.logMsg("\n"); + DEBUG_WRAP(DisplayMsgTypes(config)); + DEBUG_WRAP(DisplayInfoElements(config)); + +} + + +/******************************************************************** + * Function: GTP_ParsePortList() + * + * Parses a port list and adds bits associated with the ports + * parsed to a bit array. + * + * Arguments: + * char ** + * Pointer to the pointer to the current position in the + * configuration line. This is updated to the current position + * after parsing the IP list. + * uint8_t * + * Pointer to the port array mask to set bits for the ports + * parsed. + * + * Returns: + * GTP_Ret + * GTP_SUCCESS if we were able to successfully parse the + * port list. + * GTP_FAILURE if an error occured in parsing the port list. 
+ * + ********************************************************************/ +static void GTP_ParsePortList(char **ptr, uint8_t *port_array) +{ + long int port = -1; + char* cur_tokenp = *ptr; + /* If the user specified ports, remove GTP_C_PORT for now since + * it now needs to be set explicitly. */ + port_array[ PORT_INDEX( GTP_C_PORT ) ] = 0; + port_array[ PORT_INDEX( GTP_C_PORT_V0 ) ] = 0; + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Port configurations: %s\n",*ptr );); + + /* Eat the open brace. */ + cur_tokenp = strtok( NULL, GTP_CONFIG_VALUE_SEPERATORS); + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Port token: %s\n",cur_tokenp );); + + /* Check the space after '{'*/ + if (( !cur_tokenp ) || ( 0 != strncmp (cur_tokenp, "{", 2 ))) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s, make sure space before and after '{'.\n", + *(_dpd.config_file), *(_dpd.config_line), GTP_PORTS_KEYWORD); + } + + cur_tokenp = strtok( NULL, GTP_CONFIG_VALUE_SEPERATORS); + while (( cur_tokenp ) && ( 0 != strncmp (cur_tokenp, "}", 2 ))) + { + char *endStr = NULL; + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Port token: %s\n",cur_tokenp );); + + if ( !cur_tokenp ) + { + DynamicPreprocessorFatalMessage(" %s(%d) => No option to '%s'.\n", + *(_dpd.config_file), *(_dpd.config_line), GTP_PORTS_KEYWORD); + } + + port = _dpd.SnortStrtol( cur_tokenp, &endStr, 10); + + if (*endStr) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s. " + "Please specify an integer between %d and %d.\n", + *(_dpd.config_file), *(_dpd.config_line), + GTP_PORTS_KEYWORD, 1, MAXPORTS-1); + } + + if ((port < 0 || port > MAXPORTS-1) || (errno == ERANGE)) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Value specified for %s is out of " + "bounds. 
Please specify an integer between %d and %d.\n", + *(_dpd.config_file), *(_dpd.config_line), + GTP_PORTS_KEYWORD, 1, MAXPORTS-1); + } + port_array[ PORT_INDEX( port ) ] |= CONV_PORT(port); + + cur_tokenp = strtok( NULL, GTP_CONFIG_VALUE_SEPERATORS); + } + if ( NULL == cur_tokenp ) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s, missing '}'.\n", + *(_dpd.config_file), *(_dpd.config_line), GTP_PORTS_KEYWORD); + } + if ( -1 == port) + { + DynamicPreprocessorFatalMessage(" %s(%d) => No ports specified.\n", + *(_dpd.config_file), *(_dpd.config_line), GTP_PORTS_KEYWORD); + } + *ptr = cur_tokenp; +} + +/* Parses and processes the configuration arguments + * supplied in the GTP preprocessor rule. + * + * PARAMETERS: + * + * GTPConfig *config: GTP preprocessor configuration. + * argp: Pointer to string containing the config arguments. + * + * RETURNS: Nothing. + */ +void ParseGTPArgs(GTPConfig *config, u_char* argp) +{ + char* cur_sectionp = NULL; + char* next_sectionp = NULL; + char* argcpyp = NULL; + + if (NULL == config) + return; + + /* Set up default port to listen on */ + config->ports[ PORT_INDEX( GTP_C_PORT ) ] |= CONV_PORT(GTP_C_PORT); + config->ports[ PORT_INDEX( GTP_C_PORT_V0 ) ] |= CONV_PORT(GTP_C_PORT_V0); + + InitGTPInfoElementTable(config); + InitGTPMsgTypeTable(config); + + /* Sanity check(s) */ + if (NULL == argp) + { + DisplayGTPConfig(config); + return; + } + + argcpyp = strdup( (char*) argp ); + + if ( !argcpyp ) + { + DynamicPreprocessorFatalMessage("Could not allocate memory to parse GTP options.\n"); + return; + } + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "GTP configurations: %s\n",argcpyp );); + + cur_sectionp = strtok_r( argcpyp, GTP_CONFIG_SECTION_SEPERATORS, &next_sectionp); + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Arguments token: %s\n",cur_sectionp );); + + while ( cur_sectionp ) + { + + char* cur_config; + char* cur_tokenp = strtok( cur_sectionp, GTP_CONFIG_VALUE_SEPERATORS); + + if (!cur_tokenp) + { + cur_sectionp = 
strtok_r( next_sectionp, GTP_CONFIG_SECTION_SEPERATORS, &next_sectionp); + continue; + } + + cur_config = cur_tokenp; + + if ( !strcmp( cur_tokenp, GTP_PORTS_KEYWORD )) + { + GTP_ParsePortList(&cur_tokenp, config->ports); + + } + else + { + DynamicPreprocessorFatalMessage(" %s(%d) => Invalid argument: %s\n", + *(_dpd.config_file), *(_dpd.config_line), cur_tokenp); + return; + } + /*Check whether too many parameters*/ + if (NULL != strtok( NULL, GTP_CONFIG_VALUE_SEPERATORS)) + { + DynamicPreprocessorFatalMessage("%s(%d) => To many arguments: %s\n", + *(_dpd.config_file), *(_dpd.config_line), cur_config); + + } + cur_sectionp = strtok_r( next_sectionp, GTP_CONFIG_SECTION_SEPERATORS, &next_sectionp); + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Arguments token: %s\n",cur_sectionp );); + } + + DisplayGTPConfig(config); + free(argcpyp); +} + +/* Search the message type information + * + * PARAMETERS: + * + * uint8_t: version number for the message type + * char* the message type name + * + * RETURNS: + * + * GTP_MsgType*: the message type, NULL if not found + */ + +GTP_MsgType* GetMsgTypeByName(uint8_t version, char *name) +{ + int i = 0; + GTP_MsgType *MsgTypes; + + switch (version) + { + case 0: + MsgTypes = GTPv0_MsgTypes; + break; + case 1: + MsgTypes = GTPv1_MsgTypes; + break; + case 2: + MsgTypes = GTPv2_MsgTypes; + break; + default: + return NULL; + } + + while(NULL != MsgTypes[i].name) + { + if ( MsgTypes[i].isKeyword + &&(strlen(MsgTypes[i].name) == strlen(name)) + && (0 == strncmp(MsgTypes[i].name, name, strlen(name)))) + return (&(MsgTypes[i])); + i++; + } + + return NULL; +} + + +/* Search the information element information + * + * PARAMETERS: + * + * uint8_t: version number for information elements + * char* the information element name + * + * RETURNS: + * + * GTP_InfoElement*: the information element, NULL if not found + */ +GTP_InfoElement* GetInfoElementByName(uint8_t version, char *name) +{ + int i = 0; + GTP_InfoElement *InfoElements; + + switch (version) + 
{ + case 0: + InfoElements = GTPv0_InfoElements; + break; + case 1: + InfoElements = GTPv1_InfoElements; + break; + case 2: + InfoElements = GTPv2_InfoElements; + break; + default: + return NULL; + } + + while(NULL != InfoElements[i].name) + { + if (InfoElements[i].isKeyword + && (strlen(InfoElements[i].name) == strlen(name)) + && (0 == strncmp(InfoElements[i].name, name, strlen(name)))) + return (&InfoElements[i]); + i++; + } + + return NULL; +} diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/gtp/gtp_config.h snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_config.h --- snort-2.8.5.2/src/dynamic-preprocessors/gtp/gtp_config.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_config.h 2011-10-26 18:28:52.000000000 +0000 
@@ -0,0 +1,101 @@
+/****************************************************************************
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************
+ * Provides convenience functions for parsing and querying configuration.
+ *
+ * 8/1/2011 - Initial implementation ... Hui Cao
+ *
+ ****************************************************************************/
+
+#ifndef _GTP_CONFIG_H_
+#define _GTP_CONFIG_H_
+
+#include "sfPolicyUserData.h"
+#include "snort_bounds.h"
+#include "gtp_debug.h"
+
+#define GTP_NAME "gtp"
+
+#define MAX_GTP_TYPE_CODE (255)
+#define MIN_GTP_TYPE_CODE (0)
+#define MAX_GTP_IE_CODE (255)
+#define MIN_GTP_IE_CODE (0)
+#define MAX_GTP_VERSION_CODE (2)
+#define MIN_GTP_VERSION_CODE (0)
+
+/*
+ * Message type
+ */
+typedef struct _GTP_MsgType
+{
+ uint8_t type; /* the message type*/
+ uint8_t isKeyword; /*whether the name can be used as keyword*/
+ char *name; /*name of the type*/
+
+}GTP_MsgType;
+
+
+/*
+ * Information elements
+ */
+typedef struct _GTP_InfoElement
+{
+ uint8_t type; /* the IE type*/
+ uint8_t isKeyword; /*whether the name can be used as keyword*/
+ char *name; /*name of the IE*/
+ uint16_t length; /* the length of IE; if 0, means variable length*/
+
+}GTP_InfoElement;
+
+
+/*
+ * One of these structures is kept for each configured
+ * server port.
+ */
+typedef struct _gtpPortlistNode
+{
+ uint16_t server_port;
+ struct _gtpPortlistNode* nextp;
+} GTPPortNode;
+
+/*
+ * GTP preprocessor configuration.
+ *
+ * ports: Which ports to check for GTP messages
+ * infoElementTable: information elements table, for quick retrieve
+ * msgTypeTable: message type table, for quick retrieve
+ */
+typedef struct _gtpConfig
+{
+
+ uint8_t ports[MAXPORTS/8];
+ GTP_InfoElement* infoElementTable[MAX_GTP_VERSION_CODE + 1 ][MAX_GTP_IE_CODE + 1];
+ GTP_MsgType *msgTypeTable[MAX_GTP_VERSION_CODE + 1][MAX_GTP_TYPE_CODE + 1];
+ int ref_count;
+
+} GTPConfig;
+
+/********************************************************************
+ * Public function prototypes
+ ********************************************************************/
+void ParseGTPArgs(GTPConfig *, u_char*);
+GTP_MsgType* GetMsgTypeByName(uint8_t, char *);
+GTP_InfoElement* GetInfoElementByName(uint8_t, char *);
+
+#endif
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/gtp/gtp_debug.h snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_debug.h
--- snort-2.8.5.2/src/dynamic-preprocessors/gtp/gtp_debug.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_debug.h 2011-10-26 18:28:52.000000000 +0000
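Review bot: The `GTPConfig` comment documents `ports`, `infoElementTable` and `msgTypeTable` but says nothing about `ref_count`, which is the field whose lifetime rules a maintainer most needs; add a line such as ` * ref_count: reference count for this configuration` (with the owner/free rule, which this header does not show, filled in from the code that manipulates it). The guard `_GTP_CONFIG_H_` and the tags `_GTP_MsgType`, `_GTP_InfoElement`, `_gtpPortlistNode` and `_gtpConfig` all start with an underscore at file scope, a namespace the C standard reserves for the implementation; `GTP_CONFIG_H` and plain tags avoid that. `GTPPortNode` is declared here, but nothing in the visible hunks references it while `ports` is already handled as a bitmap through `PORT_INDEX`/`CONV_PORT` in gtp_config.c; if it is indeed unused, dropping it avoids a second, misleading representation of the port list.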
@@ -0,0 +1,41 @@
+/****************************************************************************
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************
+ * Provides macros and functions for debugging the preprocessor.
+ * If Snort is not configured to do debugging, macros are empty.
+ *
+ * 8/17/2008 - Initial implementation ... Todd Wease
+ *
+ ****************************************************************************/
+
+#ifndef _GTP_DEBUG_H_
+#define _GTP_DEBUG_H_
+
+#include
+#include "snort_debug.h"
+
+/********************************************************************
+ * Macros
+ ********************************************************************/
+
+#define GTP_DEBUG__START_MSG "GTP Start ********************************************"
+#define GTP_DEBUG__END_MSG "GTP End **********************************************"
+
+#endif /* _GTP_DEBUG_H_ */
+
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/gtp/gtp_parser.c snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_parser.c
--- snort-2.8.5.2/src/dynamic-preprocessors/gtp/gtp_parser.c 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_parser.c 2011-11-21 20:15:24.000000000 +0000
@@ -0,0 +1,576 @@ +/**************************************************************************** + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + **************************************************************************** + * Provides convenience functions for parsing and querying configuration. + * + * 7/17/2011 - Initial implementation ... 
Hui Cao + * + ****************************************************************************/ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#ifndef HAVE_PARSER_H +#include +#include "sf_types.h" +#include "sf_snort_packet.h" +#include "sfPolicy.h" +#include "sfPolicyUserData.h" +#include "gtp_parser.h" +#include "spp_gtp.h" +#include "gtp_config.h" + + +#ifdef WIN32 +#pragma pack(push,gtp_hdrs,1) +#else +#pragma pack(1) +#endif + +/* GTP basic Header */ +typedef struct _GTP_C_Hdr +{ + uint8_t flag; /* flag: version (bit 6-8), PT (5), E (3), S (2), PN (1) */ + uint8_t type; /* message type */ + uint16_t length; /* length */ + +} GTP_C_Hdr; + + +typedef struct _GTP_C_Hdr_v0 +{ + GTP_C_Hdr hdr; + uint16_t sequence_num; + uint16_t flow_lable; + uint64_t tid; + +} GTP_C_Hdr_v0; + +/* GTP Information element Header */ +typedef struct _GTP_IE_Hdr +{ + uint8_t type; + uint16_t length; /* length */ + +} GTP_IE_Hdr; + + +#ifdef WIN32 +#pragma pack(pop,gtp_hdrs) +#else +#pragma pack() +#endif + +/* This table stores all the information elements in a packet + * To save memory, only one table for all packets, because we inspect + * one packet at a time + * The information in the table might from previous packet, + * use msg_id to find out whether the information is current. 
+ * */ +GTP_IEData gtp_ies[MAX_GTP_IE_CODE + 1]; + +#define GTP_HEADER_LEN_V0 (20) +#define GTP_HEADER_LEN_V1 (12) +#define GTP_HEADER_LEN_V2 (8) +#define GTP_HEADER_LEN_EPC_V2 (12) +#define GTP_LENGTH_OFFSET_V0 (GTP_HEADER_LEN_V0) +#define GTP_LENGTH_OFFSET_V1 (8) +#define GTP_LENGTH_OFFSET_V2 (4) + +#define GTP_MIN_HEADER_LEN (8) + +static int gtp_processInfoElements(GTPMsg *msg, const char *, uint16_t ); + +/*Because different GTP versions have different format, + * they are processed separately*/ +static int gtp_parse_v0(GTPMsg *msg, const char *,uint16_t ); +static int gtp_parse_v1(GTPMsg *msg, const char *, uint16_t ); +static int gtp_parse_v2(GTPMsg *msg, const char *, uint16_t ); + +#ifdef DEBUG_MSGS +/*Display the content*/ +static void convertToHex( char *output, int outputSize, const char *input, int inputSize) +{ + int i = 0; + int length; + int numBytesInLine = 0; + int totalBytes = outputSize; + char *buf_ptr = output; + + while ((i < inputSize)&&(totalBytes > 0)) + { + length = snprintf(buf_ptr, totalBytes, "%.2x ", (uint8_t)input[i]); + buf_ptr += length; + totalBytes -= length; + if (totalBytes < 0) + break; + numBytesInLine += length; + + if (numBytesInLine > 80) + { + snprintf(buf_ptr++, totalBytes, "\n"); + totalBytes--; + numBytesInLine = 0; + } + i++; + } + return; +} +/* Display the information elements*/ +static void printInfoElements(GTP_IEData *info_elements, GTPMsg *msg) +{ + int i ; + + for (i=0; i < MAX_GTP_IE_CODE + 1; i++) + { + char buf[STD_BUF]; + if (info_elements[i].msg_id == msg->msg_id) + { + convertToHex( (char *)buf, sizeof(buf), + msg->gtp_header + info_elements[i].shift, info_elements[i].length); + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Info type: %.3d, content: %s\n", i, buf);); + } + } +} +#endif + + +/******************************************************************** + * Function: gtp_processInfoElements() + * + * Process information elements + * + * Arguments: + * GTPMsg *: the GTP message + * + * char * + * Pointer to 
the current position in the GTP message. + * + * uint8_t * + * Pointer to the port array mask to set bits for the ports + * parsed. + * + * Returns: + * GTP_Ret + * GTP_SUCCESS if we were able to successfully parse the + * port list. + * GTP_FAILURE if an error occured in parsing the port list. + * + ********************************************************************/ +static int gtp_processInfoElements(GTPMsg *msg, const char *buff, uint16_t len ) +{ + char *start; + uint8_t type; + int32_t unprocessed_len; + uint8_t previous_type; + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Information elements: length: %d\n", + len);); + + start = (char *)buff; + previous_type = (uint8_t) *start; + unprocessed_len = len; + + while ( unprocessed_len > 0) + { + GTP_InfoElement* ie; + uint16_t length; + + type = *start; + + if(previous_type > type) + { + ALERT(GTP_EVENT_OUT_OF_ORDER_IE,GTP_EVENT_OUT_OF_ORDER_IE_STR); + } + + ie = gtp_eval_config->infoElementTable[msg->version][type]; + + if ( NULL == ie ) + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Unsupported Information elements!\n");); + gtp_stats.unknownIEs++; + return GTP_FAILURE; + } + + /*For fixed length, use the table*/ + if (ie->length) + { + length = ie->length; + } + else /*For variable length, use the length field*/ + { + GTP_IE_Hdr *ieHdr; + /*check the length before reading*/ + if (sizeof(*ieHdr) > (unsigned) unprocessed_len) + { + ALERT(GTP_EVENT_BAD_IE_LEN,GTP_EVENT_BAD_IE_LEN_STR); + return GTP_FAILURE; + } + ieHdr = (GTP_IE_Hdr *)start; + length = ntohs(ieHdr->length); + /*Check the length */ + if (length > UINT16_MAX - GTP_MIN_HEADER_LEN - sizeof(*ieHdr)) + { + ALERT(GTP_EVENT_BAD_IE_LEN,GTP_EVENT_BAD_IE_LEN_STR); + return GTP_FAILURE; + } + + if (msg->version == 2) + length += 4; + else + length += 3; + } + + if (length > unprocessed_len ) + { + ALERT(GTP_EVENT_BAD_IE_LEN,GTP_EVENT_BAD_IE_LEN_STR); + return GTP_FAILURE; + + } + + /*Combine the same information element type into one buffer*/ + if ((previous_type == 
type) && (msg->info_elements[type].msg_id == msg->msg_id)) + { + msg->info_elements[type].length += length; + } + else + { + msg->info_elements[type].length = length; + msg->info_elements[type].shift = start - msg->gtp_header; + msg->info_elements[type].msg_id = msg->msg_id; + } + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "GTP information element: %s(%d), length: %d\n", + ie->name, ie->type, length)); + start += length; + unprocessed_len -= length; + previous_type = type; + + } + DEBUG_WRAP(printInfoElements(msg->info_elements, msg);); + return GTP_SUCCESS; +} + +/******************************************************************** + * Function: gtp_parse_v0() + * + * process the GTP v0 message. + * + * Arguments: + * GTPMsg * - gtp message + * char* buff - start of the gtp message buffer + * uint16_t - length of the message + * + * Returns: + * GTP_FAILURE + * GTP_SUCCESS + * Bits + *Octets 8 7 6 5 4 3 2 1 + *1 Version PT 1 1 1 SNN + *2 Message Type + *3-4 Length + *5-6 Sequence Number + *7-8 Flow Label + *9 SNDCP N-PDULLC Number + *10 Spare ‘ 1 1 1 1 1 1 1 1 ‘ + *11 Spare ‘ 1 1 1 1 1 1 1 1 ‘ + *12 Spare ‘ 1 1 1 1 1 1 1 1 ‘ + *13-20 TID + * + ********************************************************************/ + +static int gtp_parse_v0(GTPMsg *msg, const char *buff, uint16_t gtp_len) +{ + GTP_C_Hdr *hdr; + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "This is a GTP v0 packet.\n");); + + hdr = (GTP_C_Hdr *) buff; + + msg->header_len = GTP_HEADER_LEN_V0; + + /*Check the length field. */ + if (gtp_len != ((unsigned int)ntohs(hdr->length) + GTP_LENGTH_OFFSET_V0)) + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Calculated length %d != %d in header.\n", + gtp_len - GTP_LENGTH_OFFSET_V0, ntohs(hdr->length));); + ALERT(GTP_EVENT_BAD_MSG_LEN,GTP_EVENT_BAD_MSG_LEN_STR); + return GTP_FAILURE; + } + + return GTP_SUCCESS; +} + +/******************************************************************** + * Function: gtp_parse_v1() + * + * process the GTP v1 message. 
+ * + * Arguments: + * GTPMsg * - gtp message + * char* buff - start of the gtp message buffer + * uint16_t - length of the message + * + * Returns: + * GTP_FAILURE + * GTP_SUCCESS + * + * Octets 8 7 6 5 4 3 2 1 + * 1 Version PT (*) E S PN + * 2 Message Type + * 3 Length (1st Octet) + * 4 Length (2nd Octet) + * 5 Tunnel Endpoint Identifier (1st Octet) + * 6 Tunnel Endpoint Identifier (2nd Octet) + * 7 Tunnel Endpoint Identifier (3rd Octet) + * 8 Tunnel Endpoint Identifier (4th Octet) + * 9 Sequence Number (1st Octet) + * 10 Sequence Number (2nd Octet) + * 11 N-PDU Number + * 12 Next Extension Header Type + ********************************************************************/ +static int gtp_parse_v1(GTPMsg *msg, const char *buff, uint16_t gtp_len) +{ + uint8_t next_hdr_type; + GTP_C_Hdr *hdr; + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "This ia a GTP v1 packet.\n");); + + hdr = (GTP_C_Hdr *) buff; + + /*Check the length based on optional fields and extension header*/ + if (hdr->flag & 0x07) + { + + msg->header_len = GTP_HEADER_LEN_V1; + /*Check optional fields*/ + if (gtp_len < msg->header_len) + { + ALERT(GTP_EVENT_BAD_MSG_LEN,GTP_EVENT_BAD_MSG_LEN_STR); + return GTP_FAILURE; + } + + next_hdr_type = *(buff + msg->header_len - 1); + + /*Check extension headers*/ + while (next_hdr_type) + { + /*check length before reading data, at lease 4 bytes per extension header*/ + if (gtp_len < msg->header_len + 4) + { + ALERT(GTP_EVENT_BAD_MSG_LEN,GTP_EVENT_BAD_MSG_LEN_STR); + return GTP_FAILURE; + } + /*Extension header length is a unit of 4 octets*/ + msg->header_len += *(buff + msg->header_len) * 4; + + /*check length before reading data*/ + if (gtp_len < msg->header_len) + { + ALERT(GTP_EVENT_BAD_MSG_LEN,GTP_EVENT_BAD_MSG_LEN_STR); + return GTP_FAILURE; + } + next_hdr_type = *(buff + msg->header_len - 1); + } + } + else + msg->header_len = GTP_HEADER_LEN_V1; + + /*Check the length field. 
*/ + if (gtp_len != ((unsigned int)ntohs(hdr->length) + GTP_LENGTH_OFFSET_V1)) + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Calculated length %d != %d in header.\n", + gtp_len - GTP_LENGTH_OFFSET_V1, ntohs(hdr->length));); + ALERT(GTP_EVENT_BAD_MSG_LEN,GTP_EVENT_BAD_MSG_LEN_STR); + return GTP_FAILURE; + } + + return GTP_SUCCESS; +} + +/******************************************************************** + * Function: gtp_parse_v2() + * + * process the GTP v2 message. + * + * Arguments: + * GTPMsg * - gtp message + * char* buff - start of the gtp message buffer + * uint16_t - length of the message + * + * Returns: + * GTP_FAILURE + * GTP_SUCCESS + * + *Octets 8 7 6 5 4 3 2 1 + *1 Version P T Spare Spare Spare + *2 Message Type + *3 Message Length (1st Octet) + *4 Message Length (2nd Octet) + *m to k(m+3) If T flag is set to 1, then TEID shall be placed into octets 5-8. + * Otherwise, TEID field is not present at all. + *n to (n+2) Sequence Number + *(n+3) Spare + ********************************************************************/ +static int gtp_parse_v2(GTPMsg *msg, const char *buff, uint16_t gtp_len) +{ + + GTP_C_Hdr *hdr; + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "This ia a GTP v2 packet.\n");); + + hdr = (GTP_C_Hdr *) buff; + + if (hdr->flag & 0x8) + msg->header_len = GTP_HEADER_LEN_EPC_V2; + else + msg->header_len = GTP_HEADER_LEN_V2; + + /*Check the length field. */ + if (gtp_len != ((unsigned int)ntohs(hdr->length) + GTP_LENGTH_OFFSET_V2)) + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Calculated length %d != %d in header.\n", + gtp_len - GTP_LENGTH_OFFSET_V2, ntohs(hdr->length));); + ALERT(GTP_EVENT_BAD_MSG_LEN,GTP_EVENT_BAD_MSG_LEN_STR); + return GTP_FAILURE; + } + + return GTP_SUCCESS; +} + +/******************************************************************** + * Function: gtp_parse() + * + * The main entry for parser: process the gtp messages. 
+ * + * Arguments: + * GTPMsg * - gtp message + * char* buff - start of the gtp message buffer + * uint16_t - length of the message + * + * Returns: + * GTP_FAILURE + * GTP_SUCCESS + ********************************************************************/ +int gtp_parse(GTPMsg *msg, const char *buff, uint16_t gtp_len) +{ + + int status; + GTP_C_Hdr *hdr; + GTP_MsgType *msgType; + + /*Initialize key values*/ + + status = GTP_SUCCESS; + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Start parsing...\n")); + + hdr = (GTP_C_Hdr *) buff; + + /*Check the length*/ + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Basic header length: %d\n", GTP_MIN_HEADER_LEN)); + if (gtp_len < GTP_MIN_HEADER_LEN) + return GTP_FAILURE; + + /*The first 3 bits are version number*/ + msg->version = (hdr->flag & 0xE0) >> 5; + msg->msg_type = hdr->type; + msg->gtp_header = (char *)buff; + + if (msg->version > MAX_GTP_VERSION_CODE) + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Unsupported GTP version: %d!\n",msg->version);); + return GTP_FAILURE; + } + /*Check whether this is GTP or GTP', Exit if GTP'*/ + if (!(hdr->flag & 0x10)) + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Unsupported GTP'!\n");); + return GTP_FAILURE; + } + + msgType = gtp_eval_config->msgTypeTable[msg->version][msg->msg_type]; + + if ( NULL == msgType ) + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Unsupported GTP message type: %d!\n",msg->msg_type);); + gtp_stats.unknownTypes++; + return GTP_FAILURE; + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "GTP version: %d, message type: %s(%d)\n", + msg->version, msgType->name, msg->msg_type)); + } + + gtp_stats.messages[msg->version][msg->msg_type]++; + /* We only care about control types*/ + if ( hdr->type == 255) + return GTP_FAILURE; + + switch (msg->version) + { + case 0: /*GTP v0*/ + + status = gtp_parse_v0(msg, buff, gtp_len); + break; + case 1: /*GTP v1*/ + + status = gtp_parse_v1(msg, buff, gtp_len); + break; + + case 2:/*GTP v2 */ + status = gtp_parse_v2(msg, buff, gtp_len); + + break; + default: + 
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Unknown protocol version.\n");); + return GTP_FAILURE; + + } + + /*Parse information elements*/ + if ((msg->header_len < gtp_len)&& (GTP_SUCCESS == status)) + { + msg->info_elements = gtp_ies; + buff += msg->header_len; + status = gtp_processInfoElements(msg, buff, (uint16_t)(gtp_len - msg->header_len)); + } + return status; +} +/******************************************************************** + * Function: gtp_cleanInfoElements() + * + * Clean up the shared information elements table + * + * Arguments: + * None + * + * Returns: + * None + ********************************************************************/ + +void gtp_cleanInfoElements(void) +{ + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Cleaned total bytes %d, length %d.\n", + (MAX_GTP_IE_CODE + 1) * sizeof(GTP_IEData), sizeof(gtp_ies));); + memset(gtp_ies, 0, sizeof(gtp_ies)); +} +#endif diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/gtp/gtp_parser.h snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_parser.h --- snort-2.8.5.2/src/dynamic-preprocessors/gtp/gtp_parser.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_parser.h 2011-10-26 18:28:52.000000000 +0000 
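Review bot: The extension-header walk in gtp_parse_v1 can stop making progress: `msg->header_len += *(buff + msg->header_len) * 4;` adds nothing when the length octet is 0, so the following `next_hdr_type = *(buff + msg->header_len - 1);` re-reads the same non-zero byte and `while (next_hdr_type)` never terminates, which lets a single malformed packet hang inspection. The octet is also read through `const char`, so on targets where `char` is signed a value of 0x80 or above is a negative multiplicand that moves `header_len` backwards, past the `gtp_len < msg->header_len` check and into a read before `buff`. Read the length as `uint8_t`, reject zero with the alert already used for bad lengths, and let the existing bound check cover the rest; the same `char`-to-value concern applies to `type = *start;` in gtp_processInfoElements, though there the assignment to `uint8_t` makes it harmless.
```c
            /*Extension header length is a unit of 4 octets; a zero length
             * would leave header_len unchanged and loop forever*/
            uint8_t ext_hdr_len = (uint8_t)*(buff + msg->header_len);
            if (ext_hdr_len == 0)
            {
                ALERT(GTP_EVENT_BAD_MSG_LEN,GTP_EVENT_BAD_MSG_LEN_STR);
                return GTP_FAILURE;
            }
            msg->header_len += ext_hdr_len * 4;
            /* … unchanged: bound check and next_hdr_type read … */
```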
@@ -0,0 +1,36 @@
+/****************************************************************************
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************
+ * Provides convenience functions for parsing and querying configuration.
+ *
+ * 2/17/2011 - Initial implementation ... Hui Cao
+ *
+ ****************************************************************************/
+
+#ifndef _GTP_PARSER_H_
+#define _GTP_PARSE_H_
+
+#include "sfPolicyUserData.h"
+#include "snort_bounds.h"
+#include "gtp_debug.h"
+#include "spp_gtp.h"
+
+int gtp_parse(GTPMsg *, const char *, uint16_t);
+void gtp_cleanInfoElements(void);
+#endif
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/gtp/gtp_roptions.c snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_roptions.c
--- snort-2.8.5.2/src/dynamic-preprocessors/gtp/gtp_roptions.c 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_roptions.c 2011-11-21 20:15:24.000000000 +0000
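Review bot: The include guard in gtp_parser.h does not guard anything: the test is `#ifndef _GTP_PARSER_H_` but the macro actually defined is `#define _GTP_PARSE_H_`, so the tested name is never set and the header body is re-emitted on every inclusion. Change the definition to `#define _GTP_PARSER_H_`, or better use a name without the reserved leading underscore for both lines, `GTP_PARSER_H`. Today the body is only two prototypes and four includes, so the duplication is harmless, but it will break compilation as soon as a type definition is added here.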
@@ -0,0 +1,540 @@ +/**************************************************************************** + * Copyright (C) 20011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + **************************************************************************** + * This processes the rule options for this preprocessor + * + * Author: Hui Cao + * Date: 07-25-2011 + ****************************************************************************/ + +#include +#include +#include + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "gtp_roptions.h" +#include "spp_gtp.h" +#include "sf_types.h" +#include "sf_dynamic_preprocessor.h" +#include "stream_api.h" +#include "sf_dynamic_engine.h" +#include "sf_snort_plugin_api.h" +#include "sfhashfcn.h" +#include "profiler.h" +#include "gtp_debug.h" +#include "gtp_config.h" +#include "treenodes.h" + +#define GTP_ROPT__TYPE "gtp_type" +#define GTP_ROPT__IE "gtp_info" +#define GTP_ROPT__VERSION "gtp_version" + +#define GTP_VERSION_0_FLAG (0x01) +#define GTP_VERSION_1_FLAG (0x02) +#define GTP_VERSION_2_FLAG (0x04) + +#define GTP_VERSION_ALL_FLAG (GTP_VERSION_0_FLAG|GTP_VERSION_1_FLAG|GTP_VERSION_2_FLAG) + 
+/******************************************************************** + * Private function prototypes + ********************************************************************/ +static int GTP_TypeInit(char *, char *, void **); +static int GTP_TypeEval(void *, const uint8_t **, void *); +static int GTP_IEInit(char *, char *, void **); +static int GTP_IEEval(void *, const uint8_t **, void *); +static int GTP_VersionInit(char *, char *, void **); +static int GTP_VersionEval(void *, const uint8_t **, void *); + +static inline int GTP_RoptDoEval(SFSnortPacket *p) +{ + if ((p->payload_size == 0) || + (p->stream_session_ptr == NULL) || + (!IsUDP(p))) + { + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "No payload or no " + "session pointer or not TCP or UDP - not evaluating.\n")); + return 0; + } + + return 1; +} + +/*gtp type can be numbers*/ +static bool GTP_AddTypeByNumer(GTP_TypeRuleOptData *sdata, char *tok) +{ + char *endStr = NULL; + unsigned long gtpType; + + gtpType = _dpd.SnortStrtoul(tok, &endStr, 10); + + if ( *endStr) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s. " + "Please specify an integer between %d and %d, OR a correct name.\n", + *(_dpd.config_file), *(_dpd.config_line), + GTP_ROPT__TYPE, MIN_GTP_TYPE_CODE, MAX_GTP_TYPE_CODE); + } + + if ((gtpType > MAX_GTP_TYPE_CODE) || (errno == ERANGE)) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Value specified for %s is out of " + "bounds. 
Please specify an integer between %d and %d, OR a correct name.\n", + *(_dpd.config_file), *(_dpd.config_line), + GTP_ROPT__TYPE, MIN_GTP_TYPE_CODE, MAX_GTP_TYPE_CODE); + } + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, + "Rule GTP type: %d.\n",gtpType)); + + sdata->types[gtpType] = GTP_VERSION_ALL_FLAG; + + return true; +} + +/*gtp type can be names*/ +static bool GTP_AddTypeByKeword(GTP_TypeRuleOptData *sdata, char *name) +{ + GTP_MsgType *msgType; + int i; + bool found = false; + + for( i = 0; i < MAX_GTP_VERSION_CODE + 1; i++) + { + if (NULL != (msgType = GetMsgTypeByName((uint8_t)i, name))) + { + sdata->types[msgType->type] |= 1 << i; + found = true; + } + } + return found; +} + +/* Parsing for the rule option */ +static int GTP_TypeInit(char *name, char *params, void **data) +{ + char *nextPara = NULL; + char *tok; + GTP_TypeRuleOptData *sdata; + + if (strcasecmp(name, GTP_ROPT__TYPE) != 0) + return 0; + + /* Must have arguments */ + if (_dpd.SnortIsStrEmpty(params)) + { + DynamicPreprocessorFatalMessage("%s(%d) => missing argument to gtp_type keyword\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + tok = strtok_r(params, ",", &nextPara); + + if(!tok) + DynamicPreprocessorFatalMessage("%s(%d) => missing argument to gtp_type keyword\n", + *(_dpd.config_file), *(_dpd.config_line)); + + sdata = (GTP_TypeRuleOptData *)calloc(1, sizeof(*sdata)); + + if (sdata == NULL) + { + DynamicPreprocessorFatalMessage("Could not allocate memory for the " + "gtp preprocessor rule option.\n"); + } + + while (NULL != tok) + { + + bool found; + + if ( isdigit(*tok)) + { + found = GTP_AddTypeByNumer(sdata, tok); + + } + else /*check keyword*/ + { + found = GTP_AddTypeByKeword(sdata, tok); + + } + + if (! found ) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s. 
" + "Please specify an integer between %d and %d, OR a correct name.\n", + *(_dpd.config_file), *(_dpd.config_line), + GTP_ROPT__TYPE, MIN_GTP_TYPE_CODE, MAX_GTP_TYPE_CODE); + + } + tok = strtok_r(NULL, ", ", &nextPara); + } + + *data = (void *)sdata; + return 1; + +} + +/* Rule option evaluation */ +static int GTP_TypeEval(void *pkt, const uint8_t **cursor, void *data) +{ + SFSnortPacket *p = (SFSnortPacket *)pkt; + GTPData *sd; + GTP_Roptions *ropts; + GTP_TypeRuleOptData *sdata = (GTP_TypeRuleOptData *)data; + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, + "Evaluating \"%s\" rule option.\n", GTP_ROPT__TYPE)); + + if (!GTP_RoptDoEval(p)) + return RULE_NOMATCH; + + sd = (GTPData *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_GTP); + + if (sd == NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, + "No session data - not evaluating.\n")); + return RULE_NOMATCH; + } + + ropts = &sd->ropts; + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, + "GTP type in packet: %d \n", ropts->gtp_type)); + + /*Match the GTP type*/ + if ((1 << ropts->gtp_version) & sdata->types[ropts->gtp_type]) + return RULE_MATCH; + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, + "Rule No Match\n")); + return RULE_NOMATCH; +} + +/*gtp information element can be number*/ +static bool GTP_AddInfoElementByNumer(GTP_InfoRuleOptData *sdata, char *tok) +{ + char *end = NULL; + unsigned long gtpIE; + int i; + + gtpIE = _dpd.SnortStrtoul(tok, &end, 10); + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, + "Rule GTP information element: %d.\n",gtpIE)); + + if ( *end) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s. " + "Please specify an integer between %d and %d, OR a correct name.\n", + *(_dpd.config_file), *(_dpd.config_line), + GTP_ROPT__IE, MIN_GTP_IE_CODE, MAX_GTP_IE_CODE); + } + + if ((gtpIE > MAX_GTP_IE_CODE) || (errno == ERANGE)) + { + DynamicPreprocessorFatalMessage("%s(%d) => Value specified for %s is out of " + "bounds. 
Please specify an integer between %d and %d," + "OR a correct name.\n ", + *(_dpd.config_file), *(_dpd.config_line), + GTP_ROPT__IE, MIN_GTP_IE_CODE, MAX_GTP_IE_CODE); + } + + + for( i = 0; i < MAX_GTP_VERSION_CODE + 1; i++) + { + sdata->types[i] = (uint8_t)gtpIE; + } + + return true; + +} + +/*gtp information element can be name*/ +static bool GTP_AddInfoElementByKeyword(GTP_InfoRuleOptData *sdata, char *name) +{ + + int i; + bool found = false; + GTP_InfoElement* infoElement; + + for( i = 0; i < MAX_GTP_VERSION_CODE + 1; i++) + { + if (NULL != (infoElement = GetInfoElementByName((uint8_t)i, name))) + { + sdata->types[i] = infoElement->type; + found = true; + } + } + return found; +} + +/* Parsing for the rule option */ +static int GTP_IEInit(char *name, char *params, void **data) +{ + char *nextPara = NULL; + char *tok; + GTP_InfoRuleOptData *sdata; + bool found = false; + + + if (strcasecmp(name, GTP_ROPT__IE) != 0) + return 0; + + /* Must have arguments */ + if (_dpd.SnortIsStrEmpty(params)) + { + DynamicPreprocessorFatalMessage("%s(%d) => missing argument to %s keyword\n", + *(_dpd.config_file), *(_dpd.config_line), GTP_ROPT__IE); + } + + tok = strtok_r(params, ",", &nextPara); + + if(!tok) + { + DynamicPreprocessorFatalMessage("%s(%d) => missing argument to %s keyword\n", + *(_dpd.config_file), *(_dpd.config_line), GTP_ROPT__IE); + } + sdata = (GTP_InfoRuleOptData *)calloc(1, sizeof(*sdata)); + + if (sdata == NULL) + { + DynamicPreprocessorFatalMessage("Could not allocate memory for the " + "gtp preprocessor rule option.\n"); + } + + if ( isdigit(*tok)) + { + found = GTP_AddInfoElementByNumer(sdata, tok); + + } + else + { + found = GTP_AddInfoElementByKeyword(sdata, tok); + + } + + if (! found ) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s. 
" + "Please specify an integer between %d and %d, OR a correct name.\n", + *(_dpd.config_file), *(_dpd.config_line), + GTP_ROPT__IE, MIN_GTP_IE_CODE, MAX_GTP_IE_CODE); + + } + + + if (!_dpd.SnortIsStrEmpty(nextPara)) + { + /* Must have only 1 argument*/ + DynamicPreprocessorFatalMessage("%s, %s(%d) => rule option: This option has no arguments.\n", + GTP_ROPT__IE, *(_dpd.config_file), *(_dpd.config_line)); + + } + + *data = (void *)sdata; + return 1; + +} + +/* Rule option evaluation */ +static int GTP_IEEval(void *pkt, const uint8_t **cursor, void *data) +{ + SFSnortPacket *p = (SFSnortPacket *)pkt; + GTPData *sd; + GTP_Roptions *ropts; + GTP_InfoRuleOptData *ie; + uint8_t ieType; + GTP_IEData *ieData; + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, + "Evaluating \"%s\" rule option.\n", GTP_ROPT__IE)); + + if (!GTP_RoptDoEval(p)) + return RULE_NOMATCH; + + sd = (GTPData *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_GTP); + + if (sd == NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, + "No session data - not evaluating.\n")); + return RULE_NOMATCH; + } + + ropts = &sd->ropts; + + if (NULL == ropts->gtp_infoElements) + return RULE_NOMATCH; + + /*Match the status code*/ + ie = (GTP_InfoRuleOptData *)data; + ieType = ie->types[ropts->gtp_version]; + if (!ieType) + { + return RULE_NOMATCH; + } + + ieData = &ropts->gtp_infoElements[ieType]; + + /*if the data is up to date*/ + if (ieData->msg_id == ropts->msg_id) + { + *cursor = ieData->shift + (uint8_t *)ropts->gtp_header; + DEBUG_WRAP(DebugMessage(DEBUG_GTP, + "Setting cursor to IE data: %p.\n", *cursor)); + /*Limit the length*/ + _dpd.SetAltDetect((uint8_t *)*cursor, ieData->length); + return RULE_MATCH; + } + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, + "Rule No Match\n")); + return RULE_NOMATCH; +} + +/* Parsing for the rule option */ +static int GTP_VersionInit(char *name, char *params, void **data) +{ + char *end = NULL; + char *nextPara = NULL; + char *tok; + uint8_t *sdata; + unsigned long gtpVersion; + + if 
(strcasecmp(name, GTP_ROPT__VERSION) != 0) + return 0; + + /* Must have arguments */ + if (_dpd.SnortIsStrEmpty(params)) + { + DynamicPreprocessorFatalMessage("%s(%d) => missing argument to %s keyword\n", + *(_dpd.config_file), *(_dpd.config_line), GTP_ROPT__VERSION); + } + + tok = strtok_r(params, ",", &nextPara); + + if(!tok) + { + DynamicPreprocessorFatalMessage("%s(%d) => missing argument to %s keyword\n", + *(_dpd.config_file), *(_dpd.config_line), GTP_ROPT__VERSION); + } + + sdata = (uint8_t *)calloc(1, sizeof(*sdata)); + + if (sdata == NULL) + { + DynamicPreprocessorFatalMessage("Could not allocate memory for the " + "gtp preprocessor rule option.\n"); + } + + + gtpVersion = _dpd.SnortStrtoul(tok, &end, 10); + DEBUG_WRAP(DebugMessage(DEBUG_GTP, + "Rule GTP version: %d.\n",gtpVersion)); + if ( *end) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s. " + "Please specify an integer between %d and %d.\n", + *(_dpd.config_file), *(_dpd.config_line), + GTP_ROPT__VERSION, MIN_GTP_VERSION_CODE, MAX_GTP_VERSION_CODE); + } + if ((gtpVersion > MAX_GTP_VERSION_CODE) || (errno == ERANGE)) + { + DynamicPreprocessorFatalMessage("%s(%d) => Value specified for %s is out of " + "bounds. 
Please specify an integer between %d and %d\n ", + *(_dpd.config_file), *(_dpd.config_line), + GTP_ROPT__VERSION, MIN_GTP_VERSION_CODE, MAX_GTP_VERSION_CODE); + } + *sdata = (uint8_t) gtpVersion; + + if (!_dpd.SnortIsStrEmpty(nextPara)) + { + /* Must have only 1 argument*/ + DynamicPreprocessorFatalMessage("%s, %s(%d) => rule option: This option has only one argument.\n", + GTP_ROPT__IE, *(_dpd.config_file), *(_dpd.config_line)); + + } + + *data = (void *)sdata; + return 1; + +} + +/* Rule option evaluation */ +static int GTP_VersionEval(void *pkt, const uint8_t **cursor, void *data) +{ + SFSnortPacket *p = (SFSnortPacket *)pkt; + GTPData *sd; + GTP_Roptions *ropts; + + uint8_t version = *((uint8_t *)data); + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, + "Evaluating \"%s\" rule option.\n", GTP_ROPT__VERSION)); + + if (!GTP_RoptDoEval(p)) + return RULE_NOMATCH; + + sd = (GTPData *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_GTP); + + if (sd == NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, + "No session data - not evaluating.\n")); + return RULE_NOMATCH; + } + + ropts = &sd->ropts; + + /*Match the status code*/ + + if (version == ropts->gtp_version) + { + return RULE_MATCH; + } + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, + "Rule No Match\n")); + return RULE_NOMATCH; +} + +/******************************************************************** + * Function: GTP_RegRuleOptions + * + * Purpose: Register rule options + * + * Arguments: void + * + * Returns: void + * + ********************************************************************/ +void GTP_RegRuleOptions(void) +{ + _dpd.preprocOptRegister(GTP_ROPT__TYPE, GTP_TypeInit, GTP_TypeEval, + free, NULL, NULL, NULL, NULL); + _dpd.preprocOptRegister(GTP_ROPT__IE, GTP_IEInit, GTP_IEEval, + free, NULL, NULL, NULL, NULL); + _dpd.preprocOptRegister(GTP_ROPT__VERSION, GTP_VersionInit, GTP_VersionEval, + free, NULL, NULL, NULL, NULL); +} + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/gtp/gtp_roptions.h 
snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_roptions.h --- snort-2.8.5.2/src/dynamic-preprocessors/gtp/gtp_roptions.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_roptions.h 2011-10-26 18:28:52.000000000 +0000 
@@ -0,0 +1,86 @@
+/****************************************************************************
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************
+ * This processes the rule options for this preprocessor
+ *
+ * Author: Hui Cao
+ * Date: 07-25-2011
+ ****************************************************************************/
+
+#ifndef _GTP_ROPTIONS_H_
+#define _GTP_ROPTIONS_H_
+
+#include "gtp_config.h"
+
+
+
+/********************************************************************
+ * Structures
+ ********************************************************************/
+typedef struct _GTP_IEData
+{
+ uint16_t length; /*length of the data*/
+ uint16_t shift; /*shift relative to the header*/
+ uint32_t msg_id; /* used to associate to current msg */
+
+}GTP_IEData;
+
+typedef struct _GTP_Roptions
+{
+
+ /* gtp_type data*/
+ uint8_t gtp_type;
+ /* gtp_version data*/
+ uint8_t gtp_version;
+ char *gtp_header;
+ uint32_t msg_id; /* used to associate to current msg */
+ /* gtp ie data */
+ GTP_IEData *gtp_infoElements;
+
+} GTP_Roptions;
+
+/*For every value types[i], the bit mask show the version to be applied
+ * bit 1 is for version 0,
+ * bit 2 is for version 1,
+ * bit 3 is for version 2
+ * */
+typedef struct _GTP_TypeRuleOptData
+{
+ /*Total 256 types*/
+ uint8_t types[MAX_GTP_TYPE_CODE + 1];
+} GTP_TypeRuleOptData;
+
+/*
+ * byte 0 is for version 0,
+ * byte 1 is for version 1,
+ * byte 2 is for version 2
+ * */
+typedef struct _GTP_InfoRuleOptData
+{
+ uint8_t types[MAX_GTP_VERSION_CODE + 1];
+} GTP_InfoRuleOptData;
+
+/********************************************************************
+ * Public function prototypes
+ ********************************************************************/
+void GTP_RegRuleOptions(void);
+
+
+#endif /* _GTP_ROPTIONS_H_ */
+
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/gtp/Makefile.am snort-2.9.2/src/dynamic-preprocessors/gtp/Makefile.am
--- snort-2.8.5.2/src/dynamic-preprocessors/gtp/Makefile.am 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/gtp/Makefile.am 2011-10-26 18:28:52.000000000 +0000
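Review bot: The version-mask comment above `GTP_TypeRuleOptData` numbers bits from 1 ("bit 1 is for version 0"), while the gtp_roptions.c hunk in this same patch sets and tests the mask as `1 << i` for version i (`sdata->types[msgType->type] |= 1 << i` and `(1 << ropts->gtp_version) & sdata->types[ropts->gtp_type]`), so the LSB with value 1 is version 0 and a reader comparing code against this comment is off by one. I would replace the four comment lines with `/* types[t] is a version mask: bit i (value 1 << i) is set when the rule matches message type t under GTP version i */`. `gtp_header` is declared `char *`, yet `GTP_IEEval` must cast it to `uint8_t *` before adding `shift`; if no other code needs it as `char *` (the parser that assigns it is not in this chunk), declaring it `uint8_t *` here would remove that cast. `gtp_infoElements` is indexed in `GTP_IEEval` by an IE code held in a `uint8_t`, and nothing in this header records how many entries the array has, so a field comment such as `/* MAX_GTP_IE_CODE + 1 entries, indexed by IE type code */` would state the invariant the eval code relies on, assuming that is what the allocating code provides.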
@@ -0,0 +1,35 @@
+## $Id
+AUTOMAKE_OPTIONS=foreign no-dependencies
+
+INCLUDES = -I../include -I${srcdir}/../libs -I$(srcdir)/includes
+
+libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor
+
+lib_LTLIBRARIES = libsf_gtp_preproc.la
+
+libsf_gtp_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@
+if SO_WITH_STATIC_LIB
+libsf_gtp_preproc_la_LIBADD = ../libsf_dynamic_preproc.la
+else
+nodist_libsf_gtp_preproc_la_SOURCES = \
+../include/sf_dynamic_preproc_lib.c \
+../include/sfPolicyUserData.c
+endif
+
+libsf_gtp_preproc_la_SOURCES = \
+spp_gtp.c \
+spp_gtp.h \
+gtp_config.c \
+gtp_config.h \
+gtp_parser.c \
+gtp_parser.h \
+gtp_roptions.c \
+gtp_roptions.h \
+gtp_debug.h
+
+EXTRA_DIST = \
+sf_gtp.dsp
+
+
+all-local: $(LTLIBRARIES)
+ $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/gtp/Makefile.in snort-2.9.2/src/dynamic-preprocessors/gtp/Makefile.in
--- snort-2.8.5.2/src/dynamic-preprocessors/gtp/Makefile.in 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/gtp/Makefile.in 2011-12-07 19:23:19.000000000 +0000
@@ -0,0 +1,556 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/dynamic-preprocessors/gtp +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 
+am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(libdir)" +LTLIBRARIES = $(lib_LTLIBRARIES) +@SO_WITH_STATIC_LIB_TRUE@libsf_gtp_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la +am_libsf_gtp_preproc_la_OBJECTS = spp_gtp.lo gtp_config.lo \ + gtp_parser.lo gtp_roptions.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_gtp_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo +libsf_gtp_preproc_la_OBJECTS = $(am_libsf_gtp_preproc_la_OBJECTS) \ + $(nodist_libsf_gtp_preproc_la_OBJECTS) +libsf_gtp_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libsf_gtp_preproc_la_LDFLAGS) $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = +am__depfiles_maybe = +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = 
$(libsf_gtp_preproc_la_SOURCES) \ + $(nodist_libsf_gtp_preproc_la_SOURCES) +DIST_SOURCES = $(libsf_gtp_preproc_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ +CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs -I$(srcdir)/includes +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAINT = @MAINT@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = 
@RAZORBACK_LIBS@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ +STRIP = @STRIP@ +VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ +YACC = @YACC@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +extra_incl = @extra_incl@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +AUTOMAKE_OPTIONS = foreign no-dependencies +lib_LTLIBRARIES = libsf_gtp_preproc.la +libsf_gtp_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +@SO_WITH_STATIC_LIB_TRUE@libsf_gtp_preproc_la_LIBADD = 
../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_gtp_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c + +libsf_gtp_preproc_la_SOURCES = \ +spp_gtp.c \ +spp_gtp.h \ +gtp_config.c \ +gtp_config.h \ +gtp_parser.c \ +gtp_parser.h \ +gtp_roptions.c \ +gtp_roptions.h \ +gtp_debug.h + +EXTRA_DIST = \ +sf_gtp.dsp + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/gtp/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-preprocessors/gtp/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-libLTLIBRARIES: $(lib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } + +uninstall-libLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ + done + +clean-libLTLIBRARIES: + -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) + @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done 
+libsf_gtp_preproc.la: $(libsf_gtp_preproc_la_OBJECTS) $(libsf_gtp_preproc_la_DEPENDENCIES) + $(libsf_gtp_preproc_la_LINK) -rpath $(libdir) $(libsf_gtp_preproc_la_OBJECTS) $(libsf_gtp_preproc_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +.c.o: + $(COMPILE) -c $< + +.c.obj: + $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: + $(LTCOMPILE) -c -o $@ $< + +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test 
-n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) all-local +installdirs: + for dir in "$(DESTDIR)$(libdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-libLTLIBRARIES + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-libLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-libLTLIBRARIES install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-libLTLIBRARIES + + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/gtp/sf_gtp.dsp snort-2.9.2/src/dynamic-preprocessors/gtp/sf_gtp.dsp --- snort-2.8.5.2/src/dynamic-preprocessors/gtp/sf_gtp.dsp 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/gtp/sf_gtp.dsp 2011-11-21 20:15:24.000000000 +0000 
@@ -0,0 +1,231 @@ +# Microsoft Developer Studio Project File - Name="sf_gtp" - Package Owner=<4> +# Microsoft Developer Studio Generated Build File, Format Version 6.00 +# ** DO NOT EDIT ** + +# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102 + +CFG=sf_gtp - Win32 IPv6 Debug +!MESSAGE This is not a valid makefile. To build this project using NMAKE, +!MESSAGE use the Export Makefile command and run +!MESSAGE +!MESSAGE NMAKE /f "sf_gtp.mak". +!MESSAGE +!MESSAGE You can specify a configuration when running NMAKE +!MESSAGE by defining the macro CFG on the command line. For example: +!MESSAGE +!MESSAGE NMAKE /f "sf_gtp.mak" CFG="sf_gtp - Win32 IPv6 Debug" +!MESSAGE +!MESSAGE Possible choices for configuration are: +!MESSAGE +!MESSAGE "sf_gtp - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_gtp - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_gtp - Win32 IPv6 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_gtp - Win32 IPv6 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE + +# Begin Project +# PROP AllowPerConfigDependencies 0 +# PROP Scc_ProjName "" +# PROP Scc_LocalPath "" +CPP=cl.exe +MTL=midl.exe +RSC=rc.exe + +!IF "$(CFG)" == "sf_gtp - Win32 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "Release" +# PROP BASE Intermediate_Dir "Release" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "Release" +# PROP Intermediate_Dir "Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D 
"_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 + +!ELSEIF "$(CFG)" == "sf_gtp - Win32 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "Debug" +# PROP BASE Intermediate_Dir "Debug" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "Debug" +# PROP Intermediate_Dir "Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 
/d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept + +!ELSEIF "$(CFG)" == "sf_gtp - Win32 IPv6 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "sf_gtp___Win32_IPv6_Debug" +# PROP BASE Intermediate_Dir "sf_gtp___Win32_IPv6_Debug" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "IPv6_Debug" +# PROP Intermediate_Dir "IPv6_Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /GZ /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 ws2_32.lib kernel32.lib 
user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept + +!ELSEIF "$(CFG)" == "sf_gtp - Win32 IPv6 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "sf_gtp___Win32_IPv6_Release" +# PROP BASE Intermediate_Dir "sf_gtp___Win32_IPv6_Release" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "IPv6_Release" +# PROP Intermediate_Dir "IPv6_Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_SMTP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll 
/machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 + +!ENDIF + +# Begin Target + +# Name "sf_gtp - Win32 Release" +# Name "sf_gtp - Win32 Debug" +# Name "sf_gtp - Win32 IPv6 Debug" +# Name "sf_gtp - Win32 IPv6 Release" +# Begin Group "Source Files" + +# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" +# Begin Source File + +SOURCE=.\gtp_config.c +# End Source File +# Begin Source File + +SOURCE=.\gtp_parser.c +# End Source File +# Begin Source File + +SOURCE=.\gtp_roptions.c +# End Source File +# Begin Source File + +SOURCE=..\include\inet_aton.c +# End Source File +# Begin Source File + +SOURCE=..\include\inet_pton.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_dynamic_preproc_lib.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_ip.c +# End Source File +# Begin Source File + +SOURCE=..\include\sfPolicyUserData.c +# End Source File +# Begin Source File + +SOURCE=.\spp_gtp.c +# End Source File +# Begin Source File + +SOURCE=..\include\strtok_r.c +# End Source File +# End Group +# Begin Group "Header Files" + +# PROP Default_Filter "h;hpp;hxx;hm;inl" +# Begin Source File + +SOURCE=.\gtp_config.h +# End Source File +# Begin Source File + +SOURCE=.\gtp_debug.h +# End Source File +# Begin Source File + +SOURCE=.\gtp_parser.h +# End Source File +# Begin Source File + +SOURCE=.\gtp_roptions.h +# End Source File +# Begin Source File + +SOURCE=.\sf_preproc_info.h +# End Source File +# Begin Source File + +SOURCE=.\spp_gtp.h +# End Source File +# End Group +# Begin Group "Resource Files" + +# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe" +# End Group +# End Target +# End Project diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/gtp/spp_gtp.c snort-2.9.2/src/dynamic-preprocessors/gtp/spp_gtp.c --- snort-2.8.5.2/src/dynamic-preprocessors/gtp/spp_gtp.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/gtp/spp_gtp.c 2011-10-26 18:28:52.000000000 +0000 
@@ -0,0 +1,774 @@ +/* $Id */ + +/* + ** Copyright (C) 2011-2011 Sourcefire, Inc. + ** + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + + +/* + * GTP preprocessor + * + * This is the main entry point for this preprocessor + * + * Author: Hui Cao + * Date: 07-15-2011 + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + +#include "sf_types.h" +#include "sf_snort_packet.h" +#include "sf_dynamic_preprocessor.h" +#include "sf_snort_plugin_api.h" +#include "snort_debug.h" + +#include "preprocids.h" +#include "spp_gtp.h" +#include "gtp_config.h" +#include "gtp_roptions.h" +#include "gtp_parser.h" + +#include +#include +#include +#include +#ifndef WIN32 +#include +#include +#endif +#include +#include + +#include "profiler.h" +#ifdef PERF_PROFILING +PreprocStats gtpPerfStats; +#endif + +#include "sf_types.h" + +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 1; +const int BUILD_VERSION = 1; + +#ifdef SUP_IP6 +const char *PREPROC_NAME = "SF_GTP (IPV6)"; +#else +const char *PREPROC_NAME = "SF_GTP"; +#endif + +#define SetupGTP DYNAMIC_PREPROC_SETUP + +#ifdef TARGET_BASED +int16_t gtp_app_id = SFTARGET_UNKNOWN_PROTOCOL; +#endif + +/* + * Session state flags for GTPData::state_flags + */ + +#define 
GTP_FLG_REASSEMBLY_SET (0x20000) +/* + * Function prototype(s) + */ +GTPData * GTPGetNewSession(SFSnortPacket *, tSfPolicyId); +static void GTPInit( char* ); +static void GTPCheckConfig(void); +static void FreeGTPData( void* ); +static inline int GTP_Process(SFSnortPacket *, GTPData*); +static void GTPmain( void*, void* ); +static inline int CheckGTPPort( uint16_t ); +static void GTPFreeConfig(tSfPolicyUserContextId); +static void _addPortsToStream5Filter(GTPConfig *, tSfPolicyId); +static void GTP_PrintStats(int); +#ifdef TARGET_BASED +static void _addServicesToStream5Filter(tSfPolicyId); +#endif + +static void GTPCleanExit(int, void *); + +/******************************************************************** + * Global variables + ********************************************************************/ +uint32_t numSessions = 0; +GTP_Stats gtp_stats; +GTPConfig *gtp_eval_config; +tSfPolicyUserContextId gtp_config; + +#ifdef SNORT_RELOAD +static tSfPolicyUserContextId gtp_swap_config = NULL; +static void GTPReload(char *); +static int GTPReloadVerify(void); +static void * GTPReloadSwap(void); +static void GTPReloadSwapFree(void *); +#endif + + +/* Called at preprocessor setup time. Links preprocessor keyword + * to corresponding preprocessor initialization function. + * + * PARAMETERS: None. + * + * RETURNS: Nothing. + * + */ +void SetupGTP(void) +{ + /* Link preprocessor keyword to initialization function + * in the preprocessor list. */ +#ifndef SNORT_RELOAD + _dpd.registerPreproc( "gtp", GTPInit ); +#else + _dpd.registerPreproc("gtp", GTPInit, GTPReload, + GTPReloadSwap, GTPReloadSwapFree); +#endif +} + +/* Initializes the GTP preprocessor module and registers + * it in the preprocessor list. + * + * PARAMETERS: + * + * argp: Pointer to argument string to process for config data. + * + * RETURNS: Nothing. 
+ */ +static void GTPInit(char *argp) +{ + tSfPolicyId policy_id = _dpd.getParserPolicy(); + GTPConfig *pDefaultPolicyConfig = NULL; + GTPConfig *pPolicyConfig = NULL; + + + if (gtp_config == NULL) + { + /*create a context*/ + gtp_config = sfPolicyConfigCreate(); + if (gtp_config == NULL) + { + DynamicPreprocessorFatalMessage("Failed to allocate memory " + "for GTP config.\n"); + } + + _dpd.addPreprocConfCheck(GTPCheckConfig); + _dpd.registerPreprocStats(GTP_NAME, GTP_PrintStats); + _dpd.addPreprocExit(GTPCleanExit, NULL, PRIORITY_LAST, PP_GTP); + +#ifdef PERF_PROFILING + _dpd.addPreprocProfileFunc("gtp", (void *)>pPerfStats, 0, _dpd.totalPerfStats); +#endif + +#ifdef TARGET_BASED + gtp_app_id = _dpd.findProtocolReference("gtp"); + if (gtp_app_id == SFTARGET_UNKNOWN_PROTOCOL) + gtp_app_id = _dpd.addProtocolReference("gtp"); + +#endif + } + + sfPolicyUserPolicySet (gtp_config, policy_id); + pDefaultPolicyConfig = (GTPConfig *)sfPolicyUserDataGetDefault(gtp_config); + pPolicyConfig = (GTPConfig *)sfPolicyUserDataGetCurrent(gtp_config); + if ((pPolicyConfig != NULL) && (pDefaultPolicyConfig == NULL)) + { + DynamicPreprocessorFatalMessage("GTP preprocessor can only be " + "configured once.\n"); + } + + pPolicyConfig = (GTPConfig *)calloc(1, sizeof(GTPConfig)); + if (!pPolicyConfig) + { + DynamicPreprocessorFatalMessage("Could not allocate memory for " + "GTP preprocessor configuration.\n"); + } + + sfPolicyUserDataSetCurrent(gtp_config, pPolicyConfig); + + GTP_RegRuleOptions(); + + ParseGTPArgs(pPolicyConfig, (u_char *)argp); + + + if (_dpd.streamAPI == NULL) + { + DynamicPreprocessorFatalMessage("SetupGTP(): The Stream preprocessor must be enabled.\n"); + } + + _dpd.addPreproc( GTPmain, PRIORITY_APPLICATION, PP_GTP, PROTO_BIT__UDP ); + + _addPortsToStream5Filter(pPolicyConfig, policy_id); + +#ifdef TARGET_BASED + _addServicesToStream5Filter(policy_id); +#endif +} + +/********************************************************************* + * Main entry point for GTP 
processing. + * + * Arguments: + * SFSnortPacket * - pointer to packet structure + * + * Returns: + * int - GTP_SUCCESS + * GTP_FAILURE + * + *********************************************************************/ +static inline int GTP_Process(SFSnortPacket *p, GTPData* sessp) +{ + int status; + char* gtp_buff = (char*) p->payload; + static uint32_t msgId = 0; + + GTP_Roptions *pRopts; + GTPMsg gtpMsg; + + pRopts = &(sessp->ropts); + + memset(>pMsg, 0, GTPMSG_ZERO_LEN); + + /* msg_id is used to associate message with information elements + * If msg_id matches, the information element in the info_elements + * belongs to the message + * Using msg_id avoids initializing info_elements for every message + * Tabled based info_elements improves information element search performance */ + + /* To avoid id overlap, clean table when msgId resets*/ + if ( msgId == 0) + gtp_cleanInfoElements(); + gtpMsg.msg_id = ++msgId; + + + status = gtp_parse(>pMsg, gtp_buff, p->payload_size); + + /*Update the session data*/ + pRopts->gtp_type = gtpMsg.msg_type; + pRopts->gtp_version = gtpMsg.version; + pRopts->gtp_infoElements = gtpMsg.info_elements; + pRopts->gtp_header = gtpMsg.gtp_header; + pRopts->msg_id = gtpMsg.msg_id; + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "GTP message version: %d\n", + gtpMsg.version)); + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "GTP message type: %d\n", + gtpMsg.msg_type)); + + return status; +} +/* Main runtime entry point for GTP preprocessor. + * Analyzes GTP packets for anomalies/exploits. + * + * PARAMETERS: + * + * packetp: Pointer to current packet to process. + * contextp: Pointer to context block, not used. + * + * RETURNS: Nothing. 
+ */ +static void GTPmain( void* ipacketp, void* contextp ) +{ + GTPData* sessp = NULL; + uint8_t source = 0; + uint8_t dest = 0; + + SFSnortPacket* packetp; +#ifdef TARGET_BASED + int16_t app_id = SFTARGET_UNKNOWN_PROTOCOL; +#endif + tSfPolicyId policy_id = _dpd.getRuntimePolicy(); + PROFILE_VARS; + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__START_MSG)); + + packetp = (SFSnortPacket*) ipacketp; + sfPolicyUserPolicySet (gtp_config, policy_id); + + /* Make sure this preprocessor should run. */ + if (( !packetp ) || ( !packetp->payload ) ||( !packetp->payload_size )) + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "No payload - not inspecting.\n")); + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG)); + return; + } + else if (!IsUDP(packetp)) + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Not UDP - not inspecting.\n")); + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG)); + return; + } + + PREPROC_PROFILE_START(gtpPerfStats); + + gtp_eval_config = sfPolicyUserDataGetCurrent(gtp_config); + + /* Attempt to get a previously allocated GTP block. */ + sessp = _dpd.streamAPI->get_application_data(packetp->stream_session_ptr, PP_GTP); + if (sessp != NULL) + { + gtp_eval_config = sfPolicyUserDataGet(sessp->config, sessp->policy_id); + + } + + if (sessp == NULL) + { + /* If not doing autodetection, check the ports to make sure this is + * running on an GTP port, otherwise no need to examine the traffic. 
+ */ +#ifdef TARGET_BASED + app_id = _dpd.streamAPI->get_application_protocol_id(packetp->stream_session_ptr); + if (app_id == SFTARGET_UNKNOWN_PROTOCOL) + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Unknown protocol - not inspecting.\n")); + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG)); + PREPROC_PROFILE_END(gtpPerfStats); + return; + } + + else if (app_id && (app_id != gtp_app_id)) + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Not GTP - not inspecting.\n")); + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG)); + PREPROC_PROFILE_END(gtpPerfStats); + return; + } + + else if (!app_id) + { +#endif + source = (uint8_t)CheckGTPPort( packetp->src_port ); + dest = (uint8_t)CheckGTPPort( packetp->dst_port ); + + if ( !source && !dest ) + { + /* Not one of the ports we care about. */ + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Not GTP ports - not inspecting.\n")); + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG)); + PREPROC_PROFILE_END(gtpPerfStats); + return; + } +#ifdef TARGET_BASED + } +#endif + /* Check the stream session. If it does not currently + * have our GTP data-block attached, create one. + */ + sessp = GTPGetNewSession(packetp, policy_id); + + if ( !sessp ) + { + /* Could not get/create the session data for this packet. */ + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Create session error - not inspecting.\n")); + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG)); + PREPROC_PROFILE_END(gtpPerfStats); + return; + } + + } + + + /* We're interested in this session. Turn on stream reassembly. 
*/ + if ( !(sessp->state_flags & GTP_FLG_REASSEMBLY_SET )) + { + _dpd.streamAPI->set_reassembly(packetp->stream_session_ptr, + STREAM_FLPOLICY_FOOTPRINT, SSN_DIR_BOTH, STREAM_FLPOLICY_SET_ABSOLUTE); + sessp->state_flags |= GTP_FLG_REASSEMBLY_SET; + } + /* + * Start process PAYLOAD + */ + GTP_Process(packetp,sessp); + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG)); + PREPROC_PROFILE_END(gtpPerfStats); + +} + +/********************************************************************** + * Retrieves the GTP data block registered with the stream + * session associated w/ the current packet. If none exists, + * allocates it and registers it with the stream API. + * + * Arguments: + * + * packetp: Pointer to the packet from which/in which to + * retrieve/store the GTP data block. + * + * RETURNS: Pointer to an GTP data block, upon success. + * NULL, upon failure. + **********************************************************************/ +GTPData * GTPGetNewSession(SFSnortPacket *packetp, tSfPolicyId policy_id) +{ + GTPData* datap = NULL; + + /* Sanity check(s) */ + assert( packetp ); + if ( !packetp->stream_session_ptr ) + { + return NULL; + } + + datap = (GTPData *)calloc(1, sizeof(GTPData)); + + if ( !datap ) + return NULL; + + /*Register the new GTP data block in the stream session. */ + _dpd.streamAPI->set_application_data( + packetp->stream_session_ptr, + PP_GTP, datap, FreeGTPData ); + + datap->policy_id = policy_id; + datap->config = gtp_config; + ((GTPConfig *)sfPolicyUserDataGetCurrent(gtp_config))->ref_count++; + + gtp_stats.sessions++; + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Number of sessions created: %u\n", gtp_stats.sessions)); + + return datap; +} + + +/*********************************************************************** + * Registered as a callback with our GTP data blocks when + * they are added to the underlying stream session. Called + * by the stream preprocessor when a session is about to be + * destroyed. 
+ * + * PARAMETERS: + * + * idatap: Pointer to the moribund data. + * + * RETURNS: Nothing. + ***********************************************************************/ +static void FreeGTPData( void* idatap ) +{ + GTPData *ssn = (GTPData *)idatap; + GTPConfig *config = NULL; + + if (ssn == NULL) + return; + if (numSessions > 0) + numSessions--; + + /*Clean the configuration data*/ + if (ssn->config != NULL) + { + config = (GTPConfig *)sfPolicyUserDataGet(ssn->config, ssn->policy_id); + } + + if (config == NULL) + { + free(ssn); + return; + } + + config->ref_count--; + if ((config->ref_count == 0) && (ssn->config != gtp_config)) + { + sfPolicyUserDataClear (ssn->config, ssn->policy_id); + free(config); + + if (sfPolicyUserPolicyGetActive(ssn->config) == 0) + { + /* No more outstanding configs - free the config array */ + GTPFreeConfig(ssn->config); + } + + } + + free(ssn); +} +/* ********************************************************************** + * Validates given port as an GTP server port. + * + * PARAMETERS: + * + * port: Port to validate. + * + * RETURNS: GTP_TRUE, if the port is indeed an GTP server port. + * GTP_FALSE, otherwise. + ***********************************************************************/ +static inline int CheckGTPPort( uint16_t port ) +{ + if ( gtp_eval_config->ports[ PORT_INDEX(port) ] & CONV_PORT( port ) ) + { + return GTP_TRUE; + } + + return GTP_FALSE; +} + +/* ********************************************************************** + * Add ports in the configuration to stream5 filter. + * + * PARAMETERS: + * + * GTPConfig: configuration to be used. 
+ * tSfPolicyId: policy ID + * + * RETURNS: None + ***********************************************************************/ + +static void _addPortsToStream5Filter(GTPConfig *config, tSfPolicyId policy_id) +{ + int portNum; + + assert(config); + assert(_dpd.streamAPI); + + for (portNum = 0; portNum < MAXPORTS; portNum++) + { + if(config->ports[(portNum/8)] & (1<<(portNum%8))) + { + //Add port the port + _dpd.streamAPI->set_port_filter_status(IPPROTO_UDP, (uint16_t)portNum, PORT_MONITOR_SESSION, policy_id, 1); + } + } + +} +#ifdef TARGET_BASED + +static void _addServicesToStream5Filter(tSfPolicyId policy_id) +{ + _dpd.streamAPI->set_service_filter_status(gtp_app_id, PORT_MONITOR_SESSION, policy_id, 1); +} +#endif +static int GTPCheckPolicyConfig(tSfPolicyUserContextId config, tSfPolicyId policyId, void* pData) +{ + _dpd.setParserPolicy(policyId); + + if (!_dpd.isPreprocEnabled(PP_STREAM5)) + { + DynamicPreprocessorFatalMessage("GTPCheckPolicyConfig(): The Stream preprocessor must be enabled.\n"); + } + return 0; +} +void GTPCheckConfig(void) +{ + sfPolicyUserDataIterate (gtp_config, GTPCheckPolicyConfig); +} + + +static void GTPCleanExit(int signal, void *data) +{ + if (gtp_config != NULL) + { + GTPFreeConfig(gtp_config); + gtp_config = NULL; + } +} + +static int GTPFreeConfigPolicy( + tSfPolicyUserContextId config, + tSfPolicyId policyId, + void* pData +) +{ + GTPConfig *pPolicyConfig = (GTPConfig *)pData; + + //do any housekeeping before freeing GTPConfig + + sfPolicyUserDataClear (config, policyId); + + free(pPolicyConfig); + + return 0; +} + +void GTPFreeConfig(tSfPolicyUserContextId config) +{ + if (config == NULL) + return; + + sfPolicyUserDataIterate (config, GTPFreeConfigPolicy); + sfPolicyConfigDelete(config); +} + +/****************************************************************** + * Print statistics being kept by the preprocessor. 
+ * + * Arguments: + * int - whether Snort is exiting or not + * + * Returns: None + * + ******************************************************************/ +static void GTP_PrintStats(int exiting) +{ + int i, j; + _dpd.logMsg("GTP Preprocessor Statistics\n"); + _dpd.logMsg(" Total sessions: "STDu64"\n", gtp_stats.sessions); + if (gtp_stats.sessions < 1) + return; + + if (gtp_stats.events > 0) + _dpd.logMsg(" Preprocessor events: "STDu64"\n", gtp_stats.events); + + _dpd.logMsg(" Total reserved messages: "STDu64"\n", gtp_stats.unknownTypes); + _dpd.logMsg(" Packets with reserved information elements: "STDu64"\n", gtp_stats.unknownIEs); + + for (i = 0; i < MAX_GTP_VERSION_CODE + 1; i++ ) + { + uint64_t total_msgs = 0; + DEBUG_WRAP(_dpd.logMsg(" Messages of version %d:\n", i);); + for(j = 0; j < MAX_GTP_TYPE_CODE + 1; j++) + { + GTP_MsgType *msg = gtp_stats.msgTypeTable[i][j]; + if ( msg && msg->name) + { + DEBUG_WRAP(_dpd.logMsg("%39s: "STDu64"\n", msg->name, gtp_stats.messages[i][j]);); + } + total_msgs += gtp_stats.messages[i][j]; + + } + if (total_msgs > 0) + _dpd.logMsg(" Total messages of version %d: %u\n", i, total_msgs); + } +} +#ifdef SNORT_RELOAD +static void GTPReload(char *args) +{ + tSfPolicyId policy_id = _dpd.getParserPolicy(); + GTPConfig * pPolicyConfig = NULL; + + if (gtp_swap_config == NULL) + { + //create a context + gtp_swap_config = sfPolicyConfigCreate(); + if (gtp_swap_config == NULL) + { + DynamicPreprocessorFatalMessage("Failed to allocate memory " + "for GTP config.\n"); + } + + } + + sfPolicyUserPolicySet (gtp_swap_config, policy_id); + pPolicyConfig = (GTPConfig *)sfPolicyUserDataGetCurrent(gtp_swap_config); + if (pPolicyConfig != NULL) + { + DynamicPreprocessorFatalMessage("GTP preprocessor can only be " + "configured once.\n"); + } + + pPolicyConfig = (GTPConfig *)calloc(1, sizeof(GTPConfig)); + if (!pPolicyConfig) + { + DynamicPreprocessorFatalMessage("Could not allocate memory for " + "GTP preprocessor configuration.\n"); + } + 
sfPolicyUserDataSetCurrent(gtp_swap_config, pPolicyConfig); + + GTP_RegRuleOptions(); + + ParseGTPArgs(pPolicyConfig, (u_char *)args); + + if (_dpd.streamAPI == NULL) + { + DynamicPreprocessorFatalMessage("SetupGTP(): The Stream preprocessor must be enabled.\n"); + } + + _dpd.addPreproc( GTPmain, PRIORITY_APPLICATION, PP_GTP, PROTO_BIT__UDP ); + _dpd.addPreprocReloadVerify(GTPReloadVerify); + + _addPortsToStream5Filter(pPolicyConfig, policy_id); + +#ifdef TARGET_BASED + _addServicesToStream5Filter(policy_id); +#endif +} + +static int GTPReloadVerify(void) +{ + GTPConfig * pPolicyConfig = NULL; + GTPConfig * pCurrentConfig = NULL; + + if (gtp_swap_config == NULL) + return 0; + + pPolicyConfig = (GTPConfig *)sfPolicyUserDataGet(gtp_swap_config, _dpd.getDefaultPolicy()); + + if (!pPolicyConfig) + return 0; + + + if (!_dpd.isPreprocEnabled(PP_STREAM5)) + { + DynamicPreprocessorFatalMessage("SetupGTP(): The Stream preprocessor must be enabled.\n"); + } + + if (gtp_config != NULL) + { + pCurrentConfig = (GTPConfig *)sfPolicyUserDataGet(gtp_config, _dpd.getDefaultPolicy()); + } + + if (!pCurrentConfig) + return 0; + + + return 0; +} + +static int GTPFreeUnusedConfigPolicy( + tSfPolicyUserContextId config, + tSfPolicyId policyId, + void* pData +) +{ + GTPConfig *pPolicyConfig = (GTPConfig *)pData; + + //do any housekeeping before freeing GTPConfig + if (pPolicyConfig->ref_count == 0) + { + sfPolicyUserDataClear (config, policyId); + free(pPolicyConfig); + } + return 0; +} + +static void * GTPReloadSwap(void) +{ + tSfPolicyUserContextId old_config = gtp_config; + + if (gtp_swap_config == NULL) + return NULL; + + gtp_config = gtp_swap_config; + gtp_swap_config = NULL; + + sfPolicyUserDataIterate (old_config, GTPFreeUnusedConfigPolicy); + + if (sfPolicyUserPolicyGetActive(old_config) == 0) + { + /* No more outstanding configs - free the config array */ + return (void *)old_config; + } + + return NULL; +} + +static void GTPReloadSwapFree(void *data) +{ + if (data == NULL) + 
 return;
+
+ GTPFreeConfig((tSfPolicyUserContextId)data);
+}
+#endif
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/gtp/spp_gtp.h snort-2.9.2/src/dynamic-preprocessors/gtp/spp_gtp.h
--- snort-2.8.5.2/src/dynamic-preprocessors/gtp/spp_gtp.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/gtp/spp_gtp.h 2011-10-26 18:28:52.000000000 +0000
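Review bot: In GTPmain, `gtp_eval_config = sfPolicyUserDataGetCurrent(gtp_config);` is never checked for NULL before CheckGTPPort dereferences `gtp_eval_config->ports` on the session-less path; if the runtime policy carries no GTP configuration that lookup presumably returns NULL (not verifiable from this hunk), and a crash there takes the whole inspection engine down with it. A guard such as `if (gtp_eval_config == NULL) { PREPROC_PROFILE_END(gtpPerfStats); return; }` directly after the lookup is cheap, and GTPGetNewSession has the same unchecked dereference in `((GTPConfig *)sfPolicyUserDataGetCurrent(gtp_config))->ref_count++;`. Separately, GTP_PrintStats formats the uint64_t `total_msgs` with `%u` in `_dpd.logMsg(" Total messages of version %d: %u\n", i, total_msgs);`, which is undefined behaviour and inconsistent with the STDu64 used on the neighbouring lines. GTPmain also discards the status returned by `GTP_Process(packetp,sessp);`, so a failed gtp_parse still leaves the session's ropts populated from a partially filled gtpMsg; either check the status or add a comment stating that this is intended.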
@@ -0,0 +1,130 @@ +/* $Id */ + +/* +** Copyright (C) 2011-2011 Sourcefire, Inc. +** +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License Version 2 as +** published by the Free Software Foundation. You may not use, modify or +** distribute this program under any other version of the GNU General +** Public License. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +*/ + +/* + * spp_gtp.h: Definitions, structs, function prototype(s) for + * the GTP preprocessor. + * Author: Hui Cao + */ + +#ifndef SPP_GTP_H +#define SPP_GTP_H +#include +#include "sfPolicy.h" +#include "sfPolicyUserData.h" +#include "snort_bounds.h" +#include "gtp_roptions.h" + + +/* Convert port value into an index for the gtp_config->ports array */ +#define PORT_INDEX(port) port/8 + +/* Convert port value into a value for bitwise operations */ +#define CONV_PORT(port) 1<<(port%8) + +/* + * Boolean values. + */ +#define GTP_TRUE (1) +#define GTP_FALSE (0) + +/* + * Error codes. + */ +#define GTP_SUCCESS (1) +#define GTP_FAILURE (0) + + +/* + * Per-session data block containing current state + * of the GTP preprocessor for the session. + * + * state_flags: Bit vector describing the current state of the + * session. 
+ */ +typedef struct _gtpData +{ + + uint32_t state_flags; + GTP_Roptions ropts; + tSfPolicyId policy_id; + tSfPolicyUserContextId config; + +} GTPData; + +typedef struct _GTPMsg +{ + uint8_t version; + uint8_t msg_type; + uint16_t msg_length; + uint16_t header_len; + char *gtp_header; + GTP_IEData *info_elements; + /* nothing after this point is zeroed ...*/ + uint32_t msg_id; /*internal state, new msg will have a new id*/ + +} GTPMsg; + +#define GTPMSG_ZERO_LEN offsetof(GTPMsg, msg_id) + +/* + * Generator id. Define here the same as the official registry + * in generators.h + */ +#define GENERATOR_SPP_GTP 143 + +/* Ultimately calls SnortEventqAdd */ +/* Arguments are: gid, sid, rev, classification, priority, message, rule_info */ +#define ALERT(x,y) { _dpd.alertAdd(GENERATOR_SPP_GTP, x, 1, 0, 3, y, 0 ); gtp_stats.events++; } + +/* + * GTP preprocessor alert types. + */ +#define GTP_EVENT_BAD_MSG_LEN (1) +#define GTP_EVENT_BAD_IE_LEN (2) +#define GTP_EVENT_OUT_OF_ORDER_IE (3) +/* + * GTP preprocessor alert strings. 
+ */ +#define GTP_EVENT_BAD_MSG_LEN_STR "(spp_gtp) Message length is invalid" +#define GTP_EVENT_BAD_IE_LEN_STR "(spp_gtp) Information element length is invalid" +#define GTP_EVENT_OUT_OF_ORDER_IE_STR "(spp_gtp) Information elements are out of order" + +typedef struct _GTP_Stats +{ + uint64_t sessions; + uint64_t events; + uint64_t unknownTypes; + uint64_t unknownIEs; + uint64_t messages[MAX_GTP_VERSION_CODE + 1][MAX_GTP_TYPE_CODE + 1]; + GTP_MsgType *msgTypeTable[MAX_GTP_VERSION_CODE + 1][MAX_GTP_TYPE_CODE + 1]; + +} GTP_Stats; + +extern GTP_Stats gtp_stats; +extern GTPConfig *gtp_eval_config; +extern tSfPolicyUserContextId gtp_config; + +/* Prototypes for public interface */ +void SetupGTP(void); + +#endif /* SPP_GTP_H */ diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/imap/imap_config.c snort-2.9.2/src/dynamic-preprocessors/imap/imap_config.c --- snort-2.8.5.2/src/dynamic-preprocessors/imap/imap_config.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/imap/imap_config.c 2011-10-26 18:28:52.000000000 +0000 
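Review bot: The `ALERT(x,y)` macro expands to a bare brace block, so a caller writing `if (cond) ALERT(a, b); else ...` gets a syntax error from the `;` before `else`; wrap it as `#define ALERT(x,y) do { _dpd.alertAdd(GENERATOR_SPP_GTP, x, 1, 0, 3, y, 0 ); gtp_stats.events++; } while (0)`. `PORT_INDEX(port)` and `CONV_PORT(port)` leave both the argument and the whole expansion unparenthesized, which silently miscomputes if a caller ever passes an expression such as `port + 1`; `#define PORT_INDEX(port) ((port)/8)` and `#define CONV_PORT(port) (1<<((port)%8))` cost nothing. The struct tags `_GTPMsg` and `_GTP_Stats` begin with an underscore followed by an uppercase letter, a form C11 7.1.3 reserves for the implementation; tags without the leading underscore avoid the collision risk.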
@@ -0,0 +1,626 @@ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +/*************************************************************************** + * imap_config.c + * + * Author: Bhagyashree Bantwal + * + * Description: + * + * Handle configuration of the IMAP preprocessor + * + * Entry point functions: + * + * IMAP_ParseArgs() + * + ***************************************************************************/ + +#include +#include +#include +#include +#include + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "snort_imap.h" +#include "imap_config.h" +#include "snort_bounds.h" +#include "sf_dynamic_preprocessor.h" +#include "sfPolicy.h" + + +/* Global variable to hold configuration */ +extern IMAPConfig **imap_config; + +extern const IMAPToken imap_known_cmds[]; + +/* Private functions */ +static int ProcessPorts(IMAPConfig *, char *, int); +static int ProcessImapMemcap(IMAPConfig *, char *, int); +static int ProcessDecodeDepth(IMAPConfig *, char *, int, char *, DecodeType); + +/* + * Function: 
IMAP_ParseArgs(char *) + * + * Purpose: Process the preprocessor arguments from the rules file and + * initialize the preprocessor's data struct. This function doesn't + * have to exist if it makes sense to parse the args in the init + * function. + * + * Arguments: args => argument list + * + * Returns: void function + * + */ +void IMAP_ParseArgs(IMAPConfig *config, char *args) +{ + int ret = 0; + char *arg; + char errStr[ERRSTRLEN]; + int errStrLen = ERRSTRLEN; + + if ((config == NULL) || (args == NULL)) + return; + + config->ports[IMAP_DEFAULT_SERVER_PORT / 8] |= 1 << (IMAP_DEFAULT_SERVER_PORT % 8); + config->memcap = DEFAULT_IMAP_MEMCAP; + config->b64_depth = DEFAULT_DEPTH; + config->qp_depth = DEFAULT_DEPTH; + config->uu_depth = DEFAULT_DEPTH; + config->bitenc_depth = DEFAULT_DEPTH; + config->max_depth = MIN_DEPTH; + + *errStr = '\0'; + + arg = strtok(args, CONF_SEPARATORS); + + while ( arg != NULL ) + { + if ( !strcasecmp(CONF_PORTS, arg) ) + { + ret = ProcessPorts(config, errStr, errStrLen); + } + else if ( !strcasecmp(CONF_IMAP_MEMCAP, arg) ) + { + ret = ProcessImapMemcap(config, errStr, errStrLen); + } + else if ( !strcasecmp(CONF_B64_DECODE, arg) ) + { + ret = ProcessDecodeDepth(config, errStr, errStrLen, CONF_B64_DECODE, DECODE_B64); + } + else if ( !strcasecmp(CONF_QP_DECODE, arg) ) + { + ret = ProcessDecodeDepth(config, errStr, errStrLen, CONF_QP_DECODE, DECODE_QP); + } + else if ( !strcasecmp(CONF_UU_DECODE, arg) ) + { + ret = ProcessDecodeDepth(config, errStr, errStrLen, CONF_UU_DECODE, DECODE_UU); + } + else if ( !strcasecmp(CONF_BITENC_DECODE, arg) ) + { + ret = ProcessDecodeDepth(config, errStr, errStrLen, CONF_BITENC_DECODE, DECODE_BITENC); + } + else if ( !strcasecmp(CONF_DISABLED, arg) ) + { + config->disabled = 1; + } + else + { + DynamicPreprocessorFatalMessage("%s(%d) => Unknown IMAP configuration option %s\n", + *(_dpd.config_file), *(_dpd.config_line), arg); + } + + if (ret == -1) + { + /* + ** Fatal Error, log error and exit. 
+ */ + if (*errStr) + { + DynamicPreprocessorFatalMessage("%s(%d) => %s\n", + *(_dpd.config_file), *(_dpd.config_line), errStr); + } + else + { + DynamicPreprocessorFatalMessage("%s(%d) => Undefined Error.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + } + + /* Get next token */ + arg = strtok(NULL, CONF_SEPARATORS); + } + +} + +int IMAP_IsDecodingEnabled(IMAPConfig *pPolicyConfig) +{ + if( (pPolicyConfig->b64_depth > -1) || (pPolicyConfig->qp_depth > -1) + || (pPolicyConfig->uu_depth > -1) || (pPolicyConfig->bitenc_depth > -1) ) + { + return 0; + } + else + return -1; + +} + +void IMAP_CheckConfig(IMAPConfig *pPolicyConfig, tSfPolicyUserContextId context) +{ + int max = -1; + IMAPConfig *defaultConfig = + (IMAPConfig *)sfPolicyUserDataGetDefault(context); + + if (pPolicyConfig == defaultConfig) + { + if (!pPolicyConfig->memcap) + pPolicyConfig->memcap = DEFAULT_IMAP_MEMCAP; + + if(!pPolicyConfig->b64_depth || !pPolicyConfig->qp_depth + || !pPolicyConfig->uu_depth || !pPolicyConfig->bitenc_depth) + { + pPolicyConfig->max_depth = MAX_DEPTH; + return; + } + else + { + if(max < pPolicyConfig->b64_depth) + max = pPolicyConfig->b64_depth; + + if(max < pPolicyConfig->qp_depth) + max = pPolicyConfig->qp_depth; + + if(max < pPolicyConfig->bitenc_depth) + max = pPolicyConfig->bitenc_depth; + + if(max < pPolicyConfig->uu_depth) + max = pPolicyConfig->uu_depth; + + pPolicyConfig->max_depth = max; + } + + } + else if (defaultConfig == NULL) + { + if (pPolicyConfig->memcap) + { + DynamicPreprocessorFatalMessage("%s(%d) => IMAP: memcap must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if (pPolicyConfig->b64_depth > -1) + { + DynamicPreprocessorFatalMessage("%s(%d) => IMAP: b64_decode_depth must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if (pPolicyConfig->qp_depth > -1) + { + DynamicPreprocessorFatalMessage("%s(%d) => IMAP: qp_decode_depth must be " + "configured 
in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if (pPolicyConfig->uu_depth > -1) + { + DynamicPreprocessorFatalMessage("%s(%d) => IMAP: uu_decode_depth must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if (pPolicyConfig->bitenc_depth > -1) + { + DynamicPreprocessorFatalMessage("%s(%d) => IMAP: bitenc_decode_depth must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + } + else + { + pPolicyConfig->memcap = defaultConfig->memcap; + pPolicyConfig->max_depth = defaultConfig->max_depth; + if(pPolicyConfig->disabled) + { + pPolicyConfig->b64_depth = defaultConfig->b64_depth; + pPolicyConfig->qp_depth = defaultConfig->qp_depth; + pPolicyConfig->uu_depth = defaultConfig->uu_depth; + pPolicyConfig->bitenc_depth = defaultConfig->bitenc_depth; + return; + } + if(!pPolicyConfig->b64_depth && defaultConfig->b64_depth) + { + DynamicPreprocessorFatalMessage("%s(%d) => IMAP: Cannot enable unlimited Base64 decoding" + " in non-default config without turning on unlimited Base64 decoding in the default " + " config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + else if(defaultConfig->b64_depth && (pPolicyConfig->b64_depth > defaultConfig->b64_depth)) + { + DynamicPreprocessorFatalMessage("%s(%d) => IMAP: b64_decode_depth value %d in non-default config" + " cannot exceed default config's value %d.\n", + *(_dpd.config_file), *(_dpd.config_line), pPolicyConfig->b64_depth, defaultConfig->b64_depth); + } + + if(!pPolicyConfig->qp_depth && defaultConfig->qp_depth) + { + DynamicPreprocessorFatalMessage("%s(%d) => IMAP: Cannot enable unlimited Quoted-Printable decoding" + " in non-default config without turning on unlimited Quoted-Printable decoding in the default " + " config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + else if(defaultConfig->qp_depth && (pPolicyConfig->qp_depth > defaultConfig->qp_depth)) + { + 
DynamicPreprocessorFatalMessage("%s(%d) => IMAP: qp_decode_depth value %d in non-default config" + " cannot exceed default config's value %d.\n", + *(_dpd.config_file), *(_dpd.config_line), pPolicyConfig->qp_depth, defaultConfig->qp_depth); + } + + if(!pPolicyConfig->uu_depth && defaultConfig->uu_depth ) + { + DynamicPreprocessorFatalMessage("%s(%d) => IMAP: Cannot enable unlimited Unix-to-Unix decoding" + " in non-default config without turning on unlimited Unix-to-Unix decoding in the default " + " config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + else if(defaultConfig->uu_depth && (pPolicyConfig->uu_depth > defaultConfig->uu_depth)) + { + DynamicPreprocessorFatalMessage("%s(%d) => IMAP: uu_decode_depth value %d in the non-default config" + " cannot exceed default config's value %d.\n", + *(_dpd.config_file), *(_dpd.config_line),pPolicyConfig->uu_depth, defaultConfig->uu_depth); + } + + if(!pPolicyConfig->bitenc_depth && defaultConfig->bitenc_depth) + { + DynamicPreprocessorFatalMessage("%s(%d) => IMAP: Cannot enable unlimited 7bit/8bit/binary extraction" + " in non-default config without turning on unlimited 7bit/8bit/binary extraction in the default " + " config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + else if(defaultConfig->bitenc_depth && (pPolicyConfig->bitenc_depth > defaultConfig->bitenc_depth)) + { + DynamicPreprocessorFatalMessage("%s(%d) => IMAP: bitenc_decode_depth value %d in non-default config" + " cannot exceed default config's value %d.\n", + *(_dpd.config_file), *(_dpd.config_line), pPolicyConfig->bitenc_depth, defaultConfig->bitenc_depth); + } + + } +} + +void IMAP_PrintConfig(IMAPConfig *config) +{ + int i; + int j = 0; + char buf[8192]; + + if (config == NULL) + return; + + memset(&buf[0], 0, sizeof(buf)); + + _dpd.logMsg("IMAP Config:\n"); + + if(config->disabled) + _dpd.logMsg(" IMAP: INACTIVE\n"); + + snprintf(buf, sizeof(buf) - 1, " Ports: "); + + for (i = 0; i < 65536; i++) + { + if (config->ports[i / 8] & (1 << 
(i % 8))) + { + j++; + _dpd.printfappend(buf, sizeof(buf) - 1, "%d ", i); + if(!(j%10)) + _dpd.printfappend(buf, sizeof(buf) - 1, "\n "); + } + } + + _dpd.logMsg("%s\n", buf); + + + _dpd.logMsg(" IMAP Memcap: %u\n", + config->memcap); + + if(config->b64_depth > -1) + { + _dpd.logMsg(" Base64 Decoding: %s\n", "Enabled"); + switch(config->b64_depth) + { + case 0: + _dpd.logMsg(" Base64 Decoding Depth: %s\n", "Unlimited"); + break; + default: + _dpd.logMsg(" Base64 Decoding Depth: %d\n", config->b64_depth); + break; + } + } + else + _dpd.logMsg(" Base64 Decoding: %s\n", "Disabled"); + + if(config->qp_depth > -1) + { + _dpd.logMsg(" Quoted-Printable Decoding: %s\n","Enabled"); + switch(config->qp_depth) + { + case 0: + _dpd.logMsg(" Quoted-Printable Decoding Depth: %s\n", "Unlimited"); + break; + default: + _dpd.logMsg(" Quoted-Printable Decoding Depth: %d\n", config->qp_depth); + break; + } + } + else + _dpd.logMsg(" Quoted-Printable Decoding: %s\n", "Disabled"); + + if(config->uu_depth > -1) + { + _dpd.logMsg(" Unix-to-Unix Decoding: %s\n","Enabled"); + switch(config->uu_depth) + { + case 0: + _dpd.logMsg(" Unix-to-Unix Decoding Depth: %s\n", "Unlimited"); + break; + default: + _dpd.logMsg(" Unix-to-Unix Decoding Depth: %d\n", config->uu_depth); + break; + } + } + else + _dpd.logMsg(" Unix-to-Unix Decoding: %s\n", "Disabled"); + + if(config->bitenc_depth > -1) + { + _dpd.logMsg(" 7bit/8bit/binary Extraction: %s\n","Enabled"); + switch(config->bitenc_depth) + { + case 0: + _dpd.logMsg(" 7bit/8bit/binary Extraction Depth: %s\n", "Unlimited"); + break; + default: + _dpd.logMsg(" 7bit/8bit/binary Extraction Depth: %d\n", config->bitenc_depth); + break; + } + } + else + _dpd.logMsg(" 7bit/8bit/binary Extraction: %s\n", "Disabled"); + +} + +/* +** NAME +** ProcessPorts:: +*/ +/** +** Process the port list. +** +** This configuration is a list of valid ports and is ended by a +** delimiter. 
+** +** @param ErrorString error string buffer +** @param ErrStrLen the length of the error string buffer +** +** @return an error code integer +** (0 = success, >0 = non-fatal error, <0 = fatal error) +** +** @retval 0 successs +** @retval -1 generic fatal error +** @retval 1 generic non-fatal error +*/ +static int ProcessPorts(IMAPConfig *config, char *ErrorString, int ErrStrLen) +{ + char *pcToken; + char *pcEnd; + int iPort; + int iEndPorts = 0; + int num_ports = 0; + + if (config == NULL) + { + snprintf(ErrorString, ErrStrLen, "IMAP config is NULL.\n"); + return -1; + } + + pcToken = strtok(NULL, CONF_SEPARATORS); + if(!pcToken) + { + snprintf(ErrorString, ErrStrLen, "Invalid port list format."); + return -1; + } + + if(strcmp(CONF_START_LIST, pcToken)) + { + snprintf(ErrorString, ErrStrLen, + "Must start a port list with the '%s' token.", CONF_START_LIST); + + return -1; + } + + /* Since ports are specified, clear default ports */ + config->ports[IMAP_DEFAULT_SERVER_PORT / 8] &= ~(1 << (IMAP_DEFAULT_SERVER_PORT % 8)); + + while ((pcToken = strtok(NULL, CONF_SEPARATORS)) != NULL) + { + if(!strcmp(CONF_END_LIST, pcToken)) + { + iEndPorts = 1; + break; + } + + iPort = strtol(pcToken, &pcEnd, 10); + + /* + ** Validity check for port + */ + if(*pcEnd) + { + snprintf(ErrorString, ErrStrLen, + "Invalid port number."); + + return -1; + } + + if(iPort < 0 || iPort > MAXPORTS-1) + { + snprintf(ErrorString, ErrStrLen, + "Invalid port number. 
Must be between 0 and 65535."); + + return -1; + } + + config->ports[iPort / 8] |= (1 << (iPort % 8)); + num_ports++; + } + + if(!iEndPorts) + { + snprintf(ErrorString, ErrStrLen, + "Must end '%s' configuration with '%s'.", + CONF_PORTS, CONF_END_LIST); + + return -1; + } + else if(!num_ports) + { + snprintf(ErrorString, ErrStrLen, + "IMAP: Empty port list not allowed."); + return -1; + } + + return 0; +} + +static int ProcessImapMemcap(IMAPConfig *config, char *ErrorString, int ErrStrLen) +{ + char *endptr; + char *value; + uint32_t imap_memcap = 0; + if (config == NULL) + { + snprintf(ErrorString, ErrStrLen, "IMAP config is NULL.\n"); + return -1; + } + + value = strtok(NULL, CONF_SEPARATORS); + if ( value == NULL ) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for IMAP config option 'memcap'."); + return -1; + } + imap_memcap = strtoul(value, &endptr, 10); + + if((value[0] == '-') || (*endptr != '\0')) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for IMAP config option 'memcap'."); + return -1; + } + + if (imap_memcap < MIN_IMAP_MEMCAP || imap_memcap > MAX_IMAP_MEMCAP) + { + snprintf(ErrorString, ErrStrLen, + "Invalid value for memcap." 
+ "It should range between %d and %d.", + MIN_IMAP_MEMCAP, MAX_IMAP_MEMCAP); + return -1; + } + + config->memcap = imap_memcap; + return 0; +} + + +static int ProcessDecodeDepth(IMAPConfig *config, char *ErrorString, int ErrStrLen, char *decode_type, DecodeType type) +{ + char *endptr; + char *value; + int decode_depth = 0; + if (config == NULL) + { + snprintf(ErrorString, ErrStrLen, "IMAP config is NULL.\n"); + return -1; + } + + value = strtok(NULL, CONF_SEPARATORS); + if ( value == NULL ) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for IMAP config option '%s'.", decode_type); + return -1; + } + decode_depth = strtol(value, &endptr, 10); + + if(*endptr) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for IMAP config option '%s'.", decode_type); + return -1; + } + if(decode_depth < MIN_DEPTH || decode_depth > MAX_DEPTH) + { + snprintf(ErrorString, ErrStrLen, + "Invalid value for IMAP config option '%s'." + "It should range between %d and %d.", + decode_type, MIN_DEPTH, MAX_DEPTH); + return -1; + } + + switch(type) + { + case DECODE_B64: + if((decode_depth > 0) && (decode_depth & 3)) + { + decode_depth += 4 - (decode_depth & 3); + if(decode_depth > MAX_DEPTH ) + { + decode_depth = decode_depth - 4; + } + _dpd.logMsg("WARNING: %s(%d) => IMAP: 'b64_decode_depth' is not a multiple of 4. " + "Rounding up to the next multiple of 4. 
The new 'b64_decode_depth' is %d.\n", + *(_dpd.config_file), *(_dpd.config_line), decode_depth); + + } + config->b64_depth = decode_depth; + break; + case DECODE_QP: + config->qp_depth = decode_depth; + break; + case DECODE_UU: + config->uu_depth = decode_depth; + break; + case DECODE_BITENC: + config->bitenc_depth = decode_depth; + break; + default: + return -1; + } + + return 0; +} diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/imap/imap_config.h snort-2.9.2/src/dynamic-preprocessors/imap/imap_config.h --- snort-2.8.5.2/src/dynamic-preprocessors/imap/imap_config.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/imap/imap_config.h 2011-07-13 22:44:51.000000000 +0000 
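Review bot: In ProcessPorts the strtol result is stored straight into `int iPort` before the `iPort < 0 || iPort > MAXPORTS-1` check, so on LP64 targets a literal outside int range such as -4294967296 is narrowed first (implementation-defined, 0 on common toolchains) and then passes the check as port 0; ERANGE is not examined either. The same pattern is in ProcessDecodeDepth (`int decode_depth = strtol(...)`) and ProcessImapMemcap (`uint32_t imap_memcap = strtoul(...)`, where on LP64 a value of 2^32 plus an in-range number truncates to an accepted memcap). Keep the parse result in the library's type and range-check it before narrowing, e.g. `long port = strtol(pcToken, &pcEnd, 10);` then `if (pcEnd == pcToken || *pcEnd || port < 0 || port > MAXPORTS-1)` before `iPort = (int)port;`, and the equivalent `long`/`unsigned long` temporaries in the other two helpers. A one-line comment in ProcessImapMemcap noting that `value[0] == '-'` is the only sign check and that strtoul still accepts leading whitespace and '+' would help the next reader.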
@@ -0,0 +1,107 @@
+/****************************************************************************
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+/***************************************************************************
+ *
+ * imap_config.h
+ *
+ * Author: Bhagyashree Bantwal
+ *
+ ***************************************************************************/
+
+#ifndef __IMAP_CONFIG_H__
+#define __IMAP_CONFIG_H__
+
+#include "sfPolicyUserData.h"
+#define CONF_SEPARATORS " \t\n\r"
+#define CONF_PORTS "ports"
+#define CONF_IMAP_MEMCAP "memcap"
+#define CONF_B64_DECODE "b64_decode_depth"
+#define CONF_QP_DECODE "qp_decode_depth"
+#define CONF_BITENC_DECODE "bitenc_decode_depth"
+#define CONF_UU_DECODE "uu_decode_depth"
+#define CONF_DISABLED "disabled"
+#define CONF_START_LIST "{"
+#define CONF_END_LIST "}"
+
+/*These are temporary values*/
+
+#define DEFAULT_IMAP_MEMCAP 838860
+#define DEFAULT_DEPTH 1464
+#define MAX_IMAP_MEMCAP 104857600
+#define MIN_IMAP_MEMCAP 3276
+#define MAX_DEPTH 65535
+#define MIN_DEPTH -1
+#define IMAP_DEFAULT_SERVER_PORT 143 /* IMAP normally runs on port 143 */
+
+#define ERRSTRLEN 512
+
+typedef struct _IMAPSearch
+{
+ char *name;
+ int name_len;
+
+} IMAPSearch;
+
+typedef struct _IMAPToken
+{
+ char *name;
+ int name_len;
+ int search_id;
+
+} IMAPToken;
+
+typedef struct _IMAPCmdConfig
+{
+ char alert; /* 1 if alert when seen */
+ char normalize; /* 1 if we should normalize this command */
+ int max_line_len; /* Max length of this particular command */
+
+} IMAPCmdConfig;
+
+typedef struct _IMAPConfig
+{
+ char ports[8192];
+ uint32_t memcap;
+ int max_depth;
+ int b64_depth;
+ int qp_depth;
+ int bitenc_depth;
+ int uu_depth;
+ IMAPToken *cmds;
+ IMAPSearch *cmd_search;
+ void *cmd_search_mpse;
+ int num_cmds;
+ int disabled;
+
+ int ref_count;
+
+} IMAPConfig;
+
+/* Function prototypes */
+void IMAP_ParseArgs(IMAPConfig *, char *);
+void IMAP_PrintConfig(IMAPConfig *config);
+
+void IMAP_CheckConfig(IMAPConfig *, tSfPolicyUserContextId);
+int IMAP_IsDecodingEnabled(IMAPConfig *);
+
+#endif
+
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/imap/imap_log.c snort-2.9.2/src/dynamic-preprocessors/imap/imap_log.c
--- snort-2.8.5.2/src/dynamic-preprocessors/imap/imap_log.c 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/imap/imap_log.c 2011-10-26 18:28:52.000000000 +0000
@@ -0,0 +1,111 @@ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +/************************************************************************** + * + * imap_log.c + * + * Author: Bhagyashree Bantwal + * + * Description: + * + * This file handles IMAP alerts. + * + * Entry point functions: + * + * IMAP_GenerateAlert() + * + * + **************************************************************************/ + +#include +#include + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "snort_debug.h" +#include "imap_config.h" +#include "imap_log.h" +#include "snort_imap.h" +#include "sf_dynamic_preprocessor.h" + +extern IMAPConfig *imap_eval_config; +extern IMAP *imap_ssn; + +char imap_event[IMAP_EVENT_MAX][EVENT_STR_LEN]; + + +void IMAP_GenerateAlert(int event, char *format, ...) 
+{ + va_list ap; + + /* Only log a specific alert once per session */ + if (imap_ssn->alert_mask & (1 << event)) + { +#ifdef DEBUG_MSGS + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Already alerted on: %s - " + "ignoring event.\n", imap_event[event]);); +#endif + return; + } + + /* set bit for this alert so we don't alert on again + * in this session */ + imap_ssn->alert_mask |= (1 << event); + + va_start(ap, format); + + imap_event[event][0] = '\0'; + vsnprintf(&imap_event[event][0], EVENT_STR_LEN - 1, format, ap); + imap_event[event][EVENT_STR_LEN - 1] = '\0'; + + _dpd.alertAdd(GENERATOR_SPP_IMAP, event, 1, 0, 3, &imap_event[event][0], 0); + + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "IMAP Alert generated: %s\n", imap_event[event]);); + + va_end(ap); +} + +void IMAP_DecodeAlert(void) +{ + switch( imap_ssn->decode_state->decode_type ) + { + case DECODE_B64: + IMAP_GenerateAlert(IMAP_B64_DECODING_FAILED, "%s", IMAP_B64_DECODING_FAILED_STR); + break; + case DECODE_QP: + IMAP_GenerateAlert(IMAP_QP_DECODING_FAILED, "%s", IMAP_QP_DECODING_FAILED_STR); + break; + case DECODE_UU: + IMAP_GenerateAlert(IMAP_UU_DECODING_FAILED, "%s", IMAP_UU_DECODING_FAILED_STR); + break; + case DECODE_BITENC: + IMAP_GenerateAlert(IMAP_BITENC_DECODING_FAILED, "%s", IMAP_BITENC_DECODING_FAILED_STR); + break; + + default: + break; + } +} + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/imap/imap_log.h snort-2.9.2/src/dynamic-preprocessors/imap/imap_log.h --- snort-2.8.5.2/src/dynamic-preprocessors/imap/imap_log.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/imap/imap_log.h 2011-06-08 00:33:14.000000000 +0000 
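Review bot: IMAP_GenerateAlert indexes `imap_event[event]` and computes `1 << event` without checking `event` against IMAP_EVENT_MAX, so an out-of-range id would write past the array and, for large values, make the shift itself undefined. Every caller visible in this hunk passes a compile-time event constant, so this is defensive, but a guard at the top, `if (event < 0 || event >= IMAP_EVENT_MAX) return;`, pins that contract in one place. `imap_ssn` is dereferenced unconditionally in both functions; if callers guarantee a current session, a one-line comment on the extern stating that precondition would help the next reader. The `vsnprintf` is given `EVENT_STR_LEN - 1` and the last byte is then NUL-terminated by hand, which is redundant because vsnprintf always terminates when size > 0; passing `EVENT_STR_LEN` and dropping the manual store is the idiomatic form.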
@@ -0,0 +1,65 @@
+/****************************************************************************
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+/**************************************************************************
+ *
+ * imap_log.h
+ *
+ * Author: Bhagyashree Bantwal
+ *
+ **************************************************************************/
+
+#ifndef __IMAP_LOG_H__
+#define __IMAP_LOG_H__
+
+
+#define GENERATOR_SPP_IMAP 141
+
+/* Events for IMAP */
+#define IMAP_UNKNOWN_CMD 1
+#define IMAP_UNKNOWN_RESP 2
+#define IMAP_MEMCAP_EXCEEDED 3
+#define IMAP_B64_DECODING_FAILED 4
+#define IMAP_QP_DECODING_FAILED 5
+#define IMAP_BITENC_DECODING_FAILED 6
+#define IMAP_UU_DECODING_FAILED 7
+
+#define IMAP_EVENT_MAX 8
+
+/* Messages for each event */
+#define IMAP_UNKNOWN_CMD_STR "(IMAP) Unknown IMAP4 command"
+#define IMAP_UNKNOWN_RESP_STR "(IMAP) Unknown IMAP4 response"
+#define IMAP_MEMCAP_EXCEEDED_STR "(IMAP) No memory available for decoding. Memcap exceeded"
+#define IMAP_B64_DECODING_FAILED_STR "(IMAP) Base64 Decoding failed."
+#define IMAP_QP_DECODING_FAILED_STR "(IMAP) Quoted-Printable Decoding failed."
+#define IMAP_BITENC_DECODING_FAILED_STR "(IMAP) 7bit/8bit/binary/text Extraction failed."
+#define IMAP_UU_DECODING_FAILED_STR "(IMAP) Unix-to-Unix Decoding failed."
+
+#define EVENT_STR_LEN 256
+
+
+/* Function prototypes */
+void IMAP_GenerateAlert(int, char *, ...);
+void IMAP_DecodeAlert(void);
+
+
+#endif
+
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/imap/imap_util.c snort-2.9.2/src/dynamic-preprocessors/imap/imap_util.c
--- snort-2.8.5.2/src/dynamic-preprocessors/imap/imap_util.c 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/imap/imap_util.c 2011-06-08 00:33:14.000000000 +0000
@@ -0,0 +1,180 @@ +/* + * imap_util.c + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * + * Author: Bhagyashree Bantwal + * + * Description: + * + * This file contains IMAP helper functions. + * + * Entry point functions: + * + * safe_strchr() + * safe_strstr() + * copy_to_space() + * safe_sscanf() + * + * + */ + +#include +#include +#include +#include + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "snort_debug.h" +#include "snort_bounds.h" + +#include "snort_imap.h" +#include "imap_util.h" +#include "sf_dynamic_preprocessor.h" +#include "sf_snort_packet.h" +#include "Unified2_common.h" + +extern IMAP *imap_ssn; + +void IMAP_GetEOL(const uint8_t *ptr, const uint8_t *end, + const uint8_t **eol, const uint8_t **eolm) +{ + const uint8_t *tmp_eol; + const uint8_t *tmp_eolm; + + /* XXX maybe should fatal error here since none of these + * pointers should be NULL */ + if (ptr == NULL || end == NULL || eol == NULL || eolm == NULL) + return; + + tmp_eol = (uint8_t *)memchr(ptr, '\n', end - ptr); + if (tmp_eol == NULL) + { + tmp_eol = end; + tmp_eolm = end; + } + else + { + /* end of line marker (eolm) should point to marker and + * end of line (eol) should 
point to end of marker */ + if ((tmp_eol > ptr) && (*(tmp_eol - 1) == '\r')) + { + tmp_eolm = tmp_eol - 1; + } + else + { + tmp_eolm = tmp_eol; + } + + /* move past newline */ + tmp_eol++; + } + + *eol = tmp_eol; + *eolm = tmp_eolm; +} + +void IMAP_DecodeType(const char *start, int length) +{ + const char *tmp = NULL; + + if(imap_ssn->decode_state->b64_state.encode_depth > -1) + { + tmp = _dpd.SnortStrcasestr(start, length, "base64"); + if( tmp != NULL ) + { + imap_ssn->decode_state->decode_type = DECODE_B64; + return; + } + } + + if(imap_ssn->decode_state->qp_state.encode_depth > -1) + { + tmp = _dpd.SnortStrcasestr(start, length, "quoted-printable"); + if( tmp != NULL ) + { + imap_ssn->decode_state->decode_type = DECODE_QP; + return; + } + } + + if(imap_ssn->decode_state->uu_state.encode_depth > -1) + { + tmp = _dpd.SnortStrcasestr(start, length, "uuencode"); + if( tmp != NULL ) + { + imap_ssn->decode_state->decode_type = DECODE_UU; + return; + } + } + + if(imap_ssn->decode_state->bitenc_state.depth > -1) + { + imap_ssn->decode_state->decode_type = DECODE_BITENC; + return; + } + + return; +} + + +#ifdef DEBUG_MSGS +char imap_print_buffer[65537]; + +const char * IMAP_PrintBuffer(SFSnortPacket *p) +{ + const uint8_t *ptr = NULL; + int len = 0; + int iorig, inew; + + ptr = p->payload; + len = p->payload_size; + + for (iorig = 0, inew = 0; iorig < len; iorig++, inew++) + { + if ((isascii((int)ptr[iorig]) && isprint((int)ptr[iorig])) || (ptr[iorig] == '\n')) + { + imap_print_buffer[inew] = ptr[iorig]; + } + else if (ptr[iorig] == '\r' && + ((iorig + 1) < len) && (ptr[iorig + 1] == '\n')) + { + iorig++; + imap_print_buffer[inew] = '\n'; + } + else if (isspace((int)ptr[iorig])) + { + imap_print_buffer[inew] = ' '; + } + else + { + imap_print_buffer[inew] = '.'; + } + } + + imap_print_buffer[inew] = '\0'; + + return &imap_print_buffer[0]; +} +#endif + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/imap/imap_util.h snort-2.9.2/src/dynamic-preprocessors/imap/imap_util.h 
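Review bot: IMAP_GetEOL rejects NULL pointers but not `ptr > end`; in that case `end - ptr` is negative and converts to a very large size_t length for `memchr`, which then scans past the buffer. Extending the existing guard to `if (ptr == NULL || end == NULL || eol == NULL || eolm == NULL || ptr > end) return;` keeps the current behaviour of leaving `*eol`/`*eolm` untouched on bad input, and the XXX comment above it could state that callers must pass `ptr <= end`. In the DEBUG_MSGS-only IMAP_PrintBuffer, `inew` reaches `len` and the terminator is stored at `imap_print_buffer[len]`, so the 65537-byte buffer is only sufficient if `payload_size` never exceeds 65536; a comment on the buffer declaration stating that assumption, or a clamp on `len`, would make it explicit.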
--- snort-2.8.5.2/src/dynamic-preprocessors/imap/imap_util.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/imap/imap_util.h 2011-06-08 00:33:14.000000000 +0000
@@ -0,0 +1,43 @@
+/****************************************************************************
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+/*************************************************************************
+ *
+ * imap_util.h
+ *
+ * Author: Bhagyashree Bantwal
+ *
+ *************************************************************************/
+
+#ifndef __IMAP_UTIL_H__
+#define __IMAP_UTIL_H__
+
+#include "sf_snort_packet.h"
+
+void IMAP_GetEOL(const uint8_t *, const uint8_t *, const uint8_t **, const uint8_t **);
+void IMAP_DecodeType(const char *start, int length);
+
+#ifdef DEBUG_MSGS
+const char * IMAP_PrintBuffer(SFSnortPacket *);
+#endif
+
+#endif /* __IMAP_UTIL_H__ */
+
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/imap/Makefile.am snort-2.9.2/src/dynamic-preprocessors/imap/Makefile.am
--- snort-2.8.5.2/src/dynamic-preprocessors/imap/Makefile.am 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/imap/Makefile.am 2011-07-13 22:44:51.000000000 +0000
@@ -0,0 +1,41 @@ +## $Id +AUTOMAKE_OPTIONS=foreign no-dependencies + +INCLUDES = -I../include -I${srcdir}/../libs + +libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor + +lib_LTLIBRARIES = libsf_imap_preproc.la + +libsf_imap_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +if SO_WITH_STATIC_LIB +libsf_imap_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +else +nodist_libsf_imap_preproc_la_SOURCES = \ +../include/sf_dynamic_preproc_lib.c \ +../include/mempool.c \ +../include/sf_sdlist.c \ +../include/sf_base64decode.c \ +../include/util_unfold.c \ +../include/sf_email_attach_decode.c \ +../include/sfPolicyUserData.c +endif + +libsf_imap_preproc_la_SOURCES = \ +imap_config.c \ +imap_config.h \ +imap_log.c \ +imap_log.h \ +imap_util.c \ +imap_util.h \ +snort_imap.c \ +snort_imap.h \ +spp_imap.c \ +spp_imap.h + +EXTRA_DIST = \ +sf_imap.dsp + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/imap/Makefile.in snort-2.9.2/src/dynamic-preprocessors/imap/Makefile.in --- snort-2.8.5.2/src/dynamic-preprocessors/imap/Makefile.in 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/imap/Makefile.in 2011-12-07 19:23:19.000000000 +0000 
@@ -0,0 +1,580 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/dynamic-preprocessors/imap +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 
+am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(libdir)" +LTLIBRARIES = $(lib_LTLIBRARIES) +@SO_WITH_STATIC_LIB_TRUE@libsf_imap_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la +am_libsf_imap_preproc_la_OBJECTS = imap_config.lo imap_log.lo \ + imap_util.lo snort_imap.lo spp_imap.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_imap_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo mempool.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sf_sdlist.lo sf_base64decode.lo \ +@SO_WITH_STATIC_LIB_FALSE@ util_unfold.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sf_email_attach_decode.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo +libsf_imap_preproc_la_OBJECTS = $(am_libsf_imap_preproc_la_OBJECTS) \ + $(nodist_libsf_imap_preproc_la_OBJECTS) +libsf_imap_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libsf_imap_preproc_la_LDFLAGS) $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = +am__depfiles_maybe = +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) 
$(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libsf_imap_preproc_la_SOURCES) \ + $(nodist_libsf_imap_preproc_la_SOURCES) +DIST_SOURCES = $(libsf_imap_preproc_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ +CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAINT = @MAINT@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ 
+PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ +STRIP = @STRIP@ +VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ +YACC = @YACC@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +extra_incl = @extra_incl@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +AUTOMAKE_OPTIONS = foreign no-dependencies 
+lib_LTLIBRARIES = libsf_imap_preproc.la +libsf_imap_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +@SO_WITH_STATIC_LIB_TRUE@libsf_imap_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_imap_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/mempool.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_sdlist.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_base64decode.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/util_unfold.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_email_attach_decode.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c + +libsf_imap_preproc_la_SOURCES = \ +imap_config.c \ +imap_config.h \ +imap_log.c \ +imap_log.h \ +imap_util.c \ +imap_util.h \ +snort_imap.c \ +snort_imap.h \ +spp_imap.c \ +spp_imap.h + +EXTRA_DIST = \ +sf_imap.dsp + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/imap/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-preprocessors/imap/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-libLTLIBRARIES: $(lib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } + +uninstall-libLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ + done + +clean-libLTLIBRARIES: + -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) + @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done 
+libsf_imap_preproc.la: $(libsf_imap_preproc_la_OBJECTS) $(libsf_imap_preproc_la_DEPENDENCIES) + $(libsf_imap_preproc_la_LINK) -rpath $(libdir) $(libsf_imap_preproc_la_OBJECTS) $(libsf_imap_preproc_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +.c.o: + $(COMPILE) -c $< + +.c.obj: + $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: + $(LTCOMPILE) -c -o $@ $< + +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +mempool.lo: ../include/mempool.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mempool.lo `test -f '../include/mempool.c' || echo '$(srcdir)/'`../include/mempool.c + +sf_sdlist.lo: ../include/sf_sdlist.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_sdlist.lo `test -f '../include/sf_sdlist.c' || echo '$(srcdir)/'`../include/sf_sdlist.c + +sf_base64decode.lo: ../include/sf_base64decode.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_base64decode.lo `test -f '../include/sf_base64decode.c' || echo '$(srcdir)/'`../include/sf_base64decode.c + +util_unfold.lo: ../include/util_unfold.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o util_unfold.lo `test -f '../include/util_unfold.c' || echo 
'$(srcdir)/'`../include/util_unfold.c + +sf_email_attach_decode.lo: ../include/sf_email_attach_decode.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_email_attach_decode.lo `test -f '../include/sf_email_attach_decode.c' || echo '$(srcdir)/'`../include/sf_email_attach_decode.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) 
$(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) all-local +installdirs: + for dir in "$(DESTDIR)$(libdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-libLTLIBRARIES + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-libLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-libLTLIBRARIES install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-libLTLIBRARIES + + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/imap/sf_imap.dsp snort-2.9.2/src/dynamic-preprocessors/imap/sf_imap.dsp --- snort-2.8.5.2/src/dynamic-preprocessors/imap/sf_imap.dsp 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/imap/sf_imap.dsp 2011-11-21 20:15:24.000000000 +0000 
@@ -0,0 +1,252 @@ +# Microsoft Developer Studio Project File - Name="sf_imap" - Package Owner=<4> +# Microsoft Developer Studio Generated Build File, Format Version 6.00 +# ** DO NOT EDIT ** + +# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102 + +CFG=sf_imap - Win32 IPv6 Debug +!MESSAGE This is not a valid makefile. To build this project using NMAKE, +!MESSAGE use the Export Makefile command and run +!MESSAGE +!MESSAGE NMAKE /f "sf_imap.mak". +!MESSAGE +!MESSAGE You can specify a configuration when running NMAKE +!MESSAGE by defining the macro CFG on the command line. For example: +!MESSAGE +!MESSAGE NMAKE /f "sf_imap.mak" CFG="sf_imap - Win32 IPv6 Debug" +!MESSAGE +!MESSAGE Possible choices for configuration are: +!MESSAGE +!MESSAGE "sf_imap - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_imap - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_imap - Win32 IPv6 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_imap - Win32 IPv6 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE + +# Begin Project +# PROP AllowPerConfigDependencies 0 +# PROP Scc_ProjName "" +# PROP Scc_LocalPath "" +CPP=cl.exe +MTL=midl.exe +RSC=rc.exe + +!IF "$(CFG)" == "sf_imap - Win32 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "Release" +# PROP BASE Intermediate_Dir "Release" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "Release" +# PROP Intermediate_Dir "Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_IMAP_EXPORTS" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D 
"_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 pcre.lib ws2_32.lib ../libs/Release/sfdynamic_preproc_libs.lib /nologo /dll /machine:I386 /libpath:"../../../src/win32/WIN32-Libraries" + +!ELSEIF "$(CFG)" == "sf_imap - Win32 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "Debug" +# PROP BASE Intermediate_Dir "Debug" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "Debug" +# PROP Intermediate_Dir "Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_IMAP_EXPORTS" /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 
/win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 pcre.lib ws2_32.lib ../libs/Debug/sfdynamic_preproc_libs.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"../../../src/win32/WIN32-Libraries" + +!ELSEIF "$(CFG)" == "sf_imap - Win32 IPv6 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "sf_imap___Win32_IPv6_Debug" +# PROP BASE Intermediate_Dir "sf_imap___Win32_IPv6_Debug" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "IPv6_Debug" +# PROP Intermediate_Dir "IPv6_Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /GZ /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 
+# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 pcre.lib ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"../../../src/win32/WIN32-Libraries" +# ADD LINK32 pcre.lib ws2_32.lib ../libs/IPv6_Debug/sfdynamic_preproc_libs.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"../../../src/win32/WIN32-Libraries" + +!ELSEIF "$(CFG)" == "sf_imap - Win32 IPv6 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "sf_imap___Win32_IPv6_Release" +# PROP BASE Intermediate_Dir "sf_imap___Win32_IPv6_Release" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "IPv6_Release" +# PROP Intermediate_Dir "IPv6_Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_IMAP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /YX +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 
/win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 pcre.lib ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 /libpath:"../../../src/win32/WIN32-Libraries" +# ADD LINK32 pcre.lib ws2_32.lib ../libs/IPv6_Release/sfdynamic_preproc_libs.lib /nologo /dll /machine:I386 /libpath:"../../../src/win32/WIN32-Libraries" +# SUBTRACT LINK32 /pdb:none + +!ENDIF + +# Begin Target + +# Name "sf_imap - Win32 Release" +# Name "sf_imap - Win32 Debug" +# Name "sf_imap - Win32 IPv6 Debug" +# Name "sf_imap - Win32 IPv6 Release" +# Begin Group "Source Files" + +# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" +# Begin Source File + +SOURCE=.\imap_config.c +# End Source File +# Begin Source File + +SOURCE=.\imap_log.c +# End Source File +# Begin Source File + +SOURCE=.\imap_util.c +# End Source File +# Begin Source File + +SOURCE=..\include\mempool.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_base64decode.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_dynamic_preproc_lib.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_email_attach_decode.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_sdlist.c +# End Source File +# Begin Source File + +SOURCE=..\include\sfPolicyUserData.c +# End Source File +# Begin Source File + +SOURCE=.\snort_imap.c +# End Source File +# Begin Source File + +SOURCE=.\spp_imap.c +# End Source File +# Begin Source File + +SOURCE=..\include\util_unfold.c +# End Source File +# End Group +# Begin Group "Header Files" + +# PROP Default_Filter "h;hpp;hxx;hm;inl" +# Begin Source File + +SOURCE=.\imap_config.h +# End Source File +# Begin Source File + +SOURCE=.\imap_log.h +# End Source File +# Begin Source File + 
+SOURCE=.\imap_util.h +# End Source File +# Begin Source File + +SOURCE=..\include\mempool.h +# End Source File +# Begin Source File + +SOURCE=..\include\sf_email_attach_decode.h +# End Source File +# Begin Source File + +SOURCE=.\sf_preproc_info.h +# End Source File +# Begin Source File + +SOURCE=..\include\sf_sdlist.h +# End Source File +# Begin Source File + +SOURCE=.\snort_imap.h +# End Source File +# Begin Source File + +SOURCE=.\spp_imap.h +# End Source File +# End Group +# Begin Group "Resource Files" + +# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe" +# End Group +# End Target +# End Project diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/imap/snort_imap.c snort-2.9.2/src/dynamic-preprocessors/imap/snort_imap.c --- snort-2.8.5.2/src/dynamic-preprocessors/imap/snort_imap.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/imap/snort_imap.c 2011-11-21 20:15:24.000000000 +0000 
@@ -0,0 +1,1730 @@ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +/************************************************************************** + * snort_imap.c + * + * Author: Bhagyashree Bantwal + * + * Description: + * + * This file handles IMAP protocol checking and normalization. 
+ * + * Entry point functions: + * + * SnortIMAP() + * IMAP_Init() + * IMAP_Free() + * + **************************************************************************/ + + +/* Includes ***************************************************************/ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include +#include +#include +#include +#include + +#include "sf_types.h" +#include "snort_imap.h" +#include "imap_config.h" +#include "imap_util.h" +#include "imap_log.h" + +#include "sf_snort_packet.h" +#include "stream_api.h" +#include "snort_debug.h" +#include "profiler.h" +#include "snort_bounds.h" +#include "sf_dynamic_preprocessor.h" +#include "ssl.h" +#include "sfPolicy.h" +#include "sfPolicyUserData.h" + +#ifdef DEBUG_MSGS +#include "sf_types.h" +#endif + +/**************************************************************************/ + + +/* Externs ****************************************************************/ + +#ifdef PERF_PROFILING +extern PreprocStats imapDetectPerfStats; +extern int imapDetectCalled; +#endif + +extern tSfPolicyUserContextId imap_config; +extern IMAPConfig *imap_eval_config; +extern MemPool *imap_mempool; + +#ifdef DEBUG_MSGS +extern char imap_print_buffer[]; +#endif + +/**************************************************************************/ + + +/* Globals ****************************************************************/ + +const IMAPToken imap_known_cmds[] = +{ + {"APPEND", 6, CMD_APPEND}, + {"AUTHENTICATE", 12, CMD_AUTHENTICATE}, + {"CAPABILITY", 10, CMD_CAPABILITY}, + {"CHECK", 5, CMD_CHECK}, + {"CLOSE", 5, CMD_CLOSE}, + {"COMPARATOR", 10, CMD_COMPARATOR}, + {"COMPRESS", 8, CMD_COMPRESS}, + {"CONVERSIONS", 11, CMD_CONVERSIONS}, + {"COPY", 4, CMD_COPY}, + {"CREATE", 6, CMD_CREATE}, + {"DELETE", 6, CMD_DELETE}, + {"DELETEACL", 9, CMD_DELETEACL}, + {"DONE", 4, CMD_DONE}, + {"EXAMINE", 7, CMD_EXAMINE}, + {"EXPUNGE", 7, CMD_EXPUNGE}, + {"FETCH", 5, CMD_FETCH}, + {"GETACL", 6, CMD_GETACL}, + {"GETMETADATA", 11, CMD_GETMETADATA}, + 
{"GETQUOTA", 8, CMD_GETQUOTA}, + {"GETQUOTAROOT", 12, CMD_GETQUOTAROOT}, + {"IDLE", 4, CMD_IDLE}, + {"LIST", 4, CMD_LIST}, + {"LISTRIGHTS", 10, CMD_LISTRIGHTS}, + {"LOGIN", 5, CMD_LOGIN}, + {"LOGOUT", 6, CMD_LOGOUT}, + {"LSUB", 4, CMD_LSUB}, + {"MYRIGHTS", 8, CMD_MYRIGHTS}, + {"NOOP", 4, CMD_NOOP}, + {"NOTIFY", 6, CMD_NOTIFY}, + {"RENAME", 6, CMD_RENAME}, + {"SEARCH", 6, CMD_SEARCH}, + {"SELECT", 6, CMD_SELECT}, + {"SETACL", 6, CMD_SETACL}, + {"SETMETADATA", 11, CMD_SETMETADATA}, + {"SETQUOTA", 8, CMD_SETQUOTA}, + {"SORT", 4, CMD_SORT}, + {"STARTTLS", 8, CMD_STARTTLS}, + {"STATUS", 6, CMD_STATUS}, + {"STORE", 5, CMD_STORE}, + {"SUBSCRIBE", 9, CMD_SUBSCRIBE}, + {"THREAD", 6, CMD_THREAD}, + {"UID", 3, CMD_UID}, + {"UNSELECT", 8, CMD_UNSELECT}, + {"UNSUBSCRIBE", 11, CMD_UNSUBSCRIBE}, + {"X", 1, CMD_X}, + {NULL, 0, 0} +}; + +const IMAPToken imap_resps[] = +{ + {"CAPABILITY", 10, RESP_CAPABILITY}, + {"LIST", 4, RESP_LIST}, + {"LSUB", 4, RESP_LSUB}, + {"STATUS", 6, RESP_STATUS}, + {"SEARCH", 6, RESP_SEARCH}, + {"FLAGS", 5, RESP_FLAGS}, + {"EXISTS", 6, RESP_EXISTS}, + {"RECENT", 6, RESP_RECENT}, + {"EXPUNGE", 7, RESP_EXPUNGE}, + {"FETCH", 5, RESP_FETCH}, + {"BAD", 3, RESP_BAD}, + {"BYE", 3, RESP_BYE}, + {"NO", 2, RESP_NO}, + {"OK", 2, RESP_OK}, + {"PREAUTH", 7, RESP_PREAUTH}, + {"ENVELOPE", 8, RESP_ENVELOPE}, + {"UID", 3, RESP_UID}, + {NULL, 0, 0} +}; + +const IMAPToken imap_hdrs[] = +{ + {"Content-type:", 13, HDR_CONTENT_TYPE}, + {"Content-Transfer-Encoding:", 26, HDR_CONT_TRANS_ENC}, + {NULL, 0, 0} +}; + +const IMAPToken imap_data_end[] = +{ + {"\r\n.\r\n", 5, DATA_END_1}, + {"\n.\r\n", 4, DATA_END_2}, + {"\r\n.\n", 4, DATA_END_3}, + {"\n.\n", 3, DATA_END_4}, + {NULL, 0, 0} +}; + +IMAP *imap_ssn = NULL; +IMAP imap_no_session; +IMAPPcre mime_boundary_pcre; +char imap_normalizing; +IMAPSearchInfo imap_search_info; + +#ifdef DEBUG_MSGS +uint64_t imap_session_counter = 0; +#endif + +#ifdef TARGET_BASED +int16_t imap_proto_id; +#endif + +void *imap_resp_search_mpse = NULL; 
+IMAPSearch imap_resp_search[RESP_LAST]; + +void *imap_hdr_search_mpse = NULL; +IMAPSearch imap_hdr_search[HDR_LAST]; + +void *imap_data_search_mpse = NULL; +IMAPSearch imap_data_end_search[DATA_END_LAST]; + +IMAPSearch *imap_current_search = NULL; + + +/**************************************************************************/ + + +/* Private functions ******************************************************/ + +static int IMAP_Setup(SFSnortPacket *p, IMAP *ssn); +static void IMAP_ResetState(void); +static void IMAP_SessionFree(void *); +static void IMAP_NoSessionFree(void); +static int IMAP_GetPacketDirection(SFSnortPacket *, int); +static void IMAP_ProcessClientPacket(SFSnortPacket *); +static void IMAP_ProcessServerPacket(SFSnortPacket *); +static void IMAP_DisableDetect(SFSnortPacket *); +static const uint8_t * IMAP_HandleCommand(SFSnortPacket *, const uint8_t *, const uint8_t *); +static const uint8_t * IMAP_HandleData(SFSnortPacket *, const uint8_t *, const uint8_t *); +static const uint8_t * IMAP_HandleHeader(SFSnortPacket *, const uint8_t *, const uint8_t *); +static const uint8_t * IMAP_HandleDataBody(SFSnortPacket *, const uint8_t *, const uint8_t *); +static int IMAP_SearchStrFound(void *, void *, int, void *, void *); + +static int IMAP_BoundaryStrFound(void *, void *, int , void *, void *); +static int IMAP_GetBoundary(const char *, int); + +static int IMAP_Inspect(SFSnortPacket *); + +/**************************************************************************/ + +static void SetImapBuffers(IMAP *ssn) +{ + if ((ssn != NULL) && (ssn->decode_state == NULL) + && (!IMAP_IsDecodingEnabled(imap_eval_config))) + { + MemBucket *bkt = mempool_alloc(imap_mempool); + + if (bkt != NULL) + { + ssn->decode_state = (Email_DecodeState *)calloc(1, sizeof(Email_DecodeState)); + if( ssn->decode_state != NULL ) + { + ssn->decode_bkt = bkt; + SetEmailDecodeState(ssn->decode_state, bkt->data, imap_eval_config->max_depth, + imap_eval_config->b64_depth, 
imap_eval_config->qp_depth, + imap_eval_config->uu_depth, imap_eval_config->bitenc_depth); + } + else + { + /*free mempool if calloc fails*/ + mempool_free(imap_mempool, bkt); + } + } + else + { + IMAP_GenerateAlert(IMAP_MEMCAP_EXCEEDED, "%s", IMAP_MEMCAP_EXCEEDED_STR); + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "No memory available for decoding. Memcap exceeded \n");); + } + } +} + +void IMAP_InitCmds(IMAPConfig *config) +{ + const IMAPToken *tmp; + + if (config == NULL) + return; + + /* add one to CMD_LAST for NULL entry */ + config->cmds = (IMAPToken *)calloc(CMD_LAST + 1, sizeof(IMAPToken)); + if (config->cmds == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) => failed to allocate memory for imap " + "command structure\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + for (tmp = &imap_known_cmds[0]; tmp->name != NULL; tmp++) + { + config->cmds[tmp->search_id].name_len = tmp->name_len; + config->cmds[tmp->search_id].search_id = tmp->search_id; + config->cmds[tmp->search_id].name = strdup(tmp->name); + + if (config->cmds[tmp->search_id].name == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) => failed to allocate memory for imap " + "command structure\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + } + + /* initialize memory for command searches */ + config->cmd_search = (IMAPSearch *)calloc(CMD_LAST, sizeof(IMAPSearch)); + if (config->cmd_search == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) => failed to allocate memory for imap " + "command structure\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + config->num_cmds = CMD_LAST; +} + + +/* + * Initialize IMAP searches + * + * @param none + * + * @return none + */ +void IMAP_SearchInit(void) +{ + const char *error; + int erroffset; + const IMAPToken *tmp; + + /* Response search */ + imap_resp_search_mpse = _dpd.searchAPI->search_instance_new(); + if (imap_resp_search_mpse == NULL) + { + DynamicPreprocessorFatalMessage("Could not allocate IMAP " + "response search.\n"); + } + + for 
(tmp = &imap_resps[0]; tmp->name != NULL; tmp++) + { + imap_resp_search[tmp->search_id].name = tmp->name; + imap_resp_search[tmp->search_id].name_len = tmp->name_len; + + _dpd.searchAPI->search_instance_add(imap_resp_search_mpse, tmp->name, + tmp->name_len, tmp->search_id); + } + + _dpd.searchAPI->search_instance_prep(imap_resp_search_mpse); + + /* Header search */ + imap_hdr_search_mpse = _dpd.searchAPI->search_instance_new(); + if (imap_hdr_search_mpse == NULL) + { + DynamicPreprocessorFatalMessage("Could not allocate IMAP " + "header search.\n"); + } + + for (tmp = &imap_hdrs[0]; tmp->name != NULL; tmp++) + { + imap_hdr_search[tmp->search_id].name = tmp->name; + imap_hdr_search[tmp->search_id].name_len = tmp->name_len; + + _dpd.searchAPI->search_instance_add(imap_hdr_search_mpse, tmp->name, + tmp->name_len, tmp->search_id); + } + + _dpd.searchAPI->search_instance_prep(imap_hdr_search_mpse); + + /* Data end search */ + imap_data_search_mpse = _dpd.searchAPI->search_instance_new(); + if (imap_data_search_mpse == NULL) + { + DynamicPreprocessorFatalMessage("Could not allocate IMAP " + "data search.\n"); + } + + for (tmp = &imap_data_end[0]; tmp->name != NULL; tmp++) + { + imap_data_end_search[tmp->search_id].name = tmp->name; + imap_data_end_search[tmp->search_id].name_len = tmp->name_len; + + _dpd.searchAPI->search_instance_add(imap_data_search_mpse, tmp->name, + tmp->name_len, tmp->search_id); + } + + _dpd.searchAPI->search_instance_prep(imap_data_search_mpse); + + + /* create regex for finding boundary string - since it can be cut across multiple + * lines, a straight search won't do. Shouldn't be too slow since it will most + * likely only be acting on a small portion of data */ + //"^content-type:\\s*multipart.*boundary\\s*=\\s*\"?([^\\s]+)\"?" + //"^\\s*multipart.*boundary\\s*=\\s*\"?([^\\s]+)\"?" 
+ //mime_boundary_pcre.re = pcre_compile("^.*boundary\\s*=\\s*\"?([^\\s\"]+)\"?", + //mime_boundary_pcre.re = pcre_compile("boundary(?:\n|\r\n)?=(?:\n|\r\n)?\"?([^\\s\"]+)\"?", + mime_boundary_pcre.re = pcre_compile("boundary\\s*=\\s*\"?([^\\s\"]+)\"?", + PCRE_CASELESS | PCRE_DOTALL, + &error, &erroffset, NULL); + if (mime_boundary_pcre.re == NULL) + { + DynamicPreprocessorFatalMessage("Failed to compile pcre regex for getting boundary " + "in a multipart IMAP message: %s\n", error); + } + + mime_boundary_pcre.pe = pcre_study(mime_boundary_pcre.re, 0, &error); + + if (error != NULL) + { + DynamicPreprocessorFatalMessage("Failed to study pcre regex for getting boundary " + "in a multipart IMAP message: %s\n", error); + } +} + +/* + * Initialize run-time boundary search + */ +static int IMAP_BoundarySearchInit(void) +{ + if (imap_ssn->mime_boundary.boundary_search != NULL) + _dpd.searchAPI->search_instance_free(imap_ssn->mime_boundary.boundary_search); + + imap_ssn->mime_boundary.boundary_search = _dpd.searchAPI->search_instance_new(); + + if (imap_ssn->mime_boundary.boundary_search == NULL) + return -1; + + _dpd.searchAPI->search_instance_add(imap_ssn->mime_boundary.boundary_search, + imap_ssn->mime_boundary.boundary, + imap_ssn->mime_boundary.boundary_len, BOUNDARY); + + _dpd.searchAPI->search_instance_prep(imap_ssn->mime_boundary.boundary_search); + + return 0; +} + + + +/* + * Reset IMAP session state + * + * @param none + * + * @return none + */ +static void IMAP_ResetState(void) +{ + if (imap_ssn->mime_boundary.boundary_search != NULL) + { + _dpd.searchAPI->search_instance_free(imap_ssn->mime_boundary.boundary_search); + imap_ssn->mime_boundary.boundary_search = NULL; + } + + imap_ssn->state = STATE_UNKNOWN; + imap_ssn->data_state = STATE_DATA_INIT; + imap_ssn->state_flags = 0; + imap_ssn->body_read = imap_ssn->body_len = 0; + ClearEmailDecodeState(imap_ssn->decode_state); + memset(&imap_ssn->mime_boundary, 0, sizeof(IMAPMimeBoundary)); +} + + +/* + * Given a 
server configuration and a port number, we decide if the port is + * in the IMAP server port list. + * + * @param port the port number to compare with the configuration + * + * @return integer + * @retval 0 means that the port is not a server port + * @retval !0 means that the port is a server port + */ +int IMAP_IsServer(uint16_t port) +{ + if (imap_eval_config->ports[port / 8] & (1 << (port % 8))) + return 1; + + return 0; +} + +static IMAP * IMAP_GetNewSession(SFSnortPacket *p, tSfPolicyId policy_id) +{ + IMAP *ssn; + IMAPConfig *pPolicyConfig = NULL; + + pPolicyConfig = (IMAPConfig *)sfPolicyUserDataGetCurrent(imap_config); + + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Creating new session data structure\n");); + + ssn = (IMAP *)calloc(1, sizeof(IMAP)); + if (ssn == NULL) + { + DynamicPreprocessorFatalMessage("Failed to allocate IMAP session data\n"); + } + + imap_ssn = ssn; + SetImapBuffers(ssn); + + _dpd.streamAPI->set_application_data(p->stream_session_ptr, PP_IMAP, + ssn, &IMAP_SessionFree); + + if (p->flags & SSNFLAG_MIDSTREAM) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Got midstream packet - " + "setting state to unknown\n");); + ssn->state = STATE_UNKNOWN; + } + +#ifdef DEBUG_MSGS + imap_session_counter++; + ssn->session_number = imap_session_counter; +#endif + + if (p->stream_session_ptr != NULL) + { + /* check to see if we're doing client reassembly in stream */ + if (_dpd.streamAPI->get_reassembly_direction(p->stream_session_ptr) & SSN_DIR_CLIENT) + ssn->reassembling = 1; + + if(!ssn->reassembling) + { + _dpd.streamAPI->set_reassembly(p->stream_session_ptr, + STREAM_FLPOLICY_FOOTPRINT, SSN_DIR_CLIENT, STREAM_FLPOLICY_SET_ABSOLUTE); + ssn->reassembling = 1; + } + } + + ssn->body_read = ssn->body_len = 0; + + ssn->policy_id = policy_id; + ssn->config = imap_config; + pPolicyConfig->ref_count++; + + return ssn; +} + + +/* + * Do first-packet setup + * + * @param p standard Packet structure + * + * @return none + */ +static int IMAP_Setup(SFSnortPacket *p, 
IMAP *ssn) +{ + int flags = 0; + int pkt_dir; + + if (p->stream_session_ptr != NULL) + { + /* set flags to session flags */ + flags = _dpd.streamAPI->get_session_flags(p->stream_session_ptr); + } + + /* Figure out direction of packet */ + pkt_dir = IMAP_GetPacketDirection(p, flags); + + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Session number: "STDu64"\n", ssn->session_number);); + + /* Check to see if there is a reassembly gap. If so, we won't know + * what state we're in when we get the _next_ reassembled packet */ + if ((pkt_dir != IMAP_PKT_FROM_SERVER) && + (p->flags & FLAG_REBUILT_STREAM)) + { + int missing_in_rebuilt = + _dpd.streamAPI->missing_in_reassembled(p->stream_session_ptr, SSN_DIR_CLIENT); + + if (ssn->session_flags & IMAP_FLAG_NEXT_STATE_UNKNOWN) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Found gap in previous reassembly buffer - " + "set state to unknown\n");); + ssn->state = STATE_UNKNOWN; + ssn->session_flags &= ~IMAP_FLAG_NEXT_STATE_UNKNOWN; + } + + if (missing_in_rebuilt == SSN_MISSING_BOTH) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Found missing packets before and after " + "in reassembly buffer - set state to unknown and " + "next state to unknown\n");); + ssn->state = STATE_UNKNOWN; + ssn->session_flags |= IMAP_FLAG_NEXT_STATE_UNKNOWN; + } + else if (missing_in_rebuilt == SSN_MISSING_BEFORE) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Found missing packets before " + "in reassembly buffer - set state to unknown\n");); + ssn->state = STATE_UNKNOWN; + } + else if (missing_in_rebuilt == SSN_MISSING_AFTER) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Found missing packets after " + "in reassembly buffer - set next state to unknown\n");); + ssn->session_flags |= IMAP_FLAG_NEXT_STATE_UNKNOWN; + } + } + + return pkt_dir; +} + +/* + * Determine packet direction + * + * @param p standard Packet structure + * + * @return none + */ +static int IMAP_GetPacketDirection(SFSnortPacket *p, int flags) +{ + int pkt_direction = IMAP_PKT_FROM_UNKNOWN; + + if (flags & 
SSNFLAG_MIDSTREAM) + { + if (IMAP_IsServer(p->src_port) && + !IMAP_IsServer(p->dst_port)) + { + pkt_direction = IMAP_PKT_FROM_SERVER; + } + else if (!IMAP_IsServer(p->src_port) && + IMAP_IsServer(p->dst_port)) + { + pkt_direction = IMAP_PKT_FROM_CLIENT; + } + } + else + { + if (p->flags & FLAG_FROM_SERVER) + { + pkt_direction = IMAP_PKT_FROM_SERVER; + } + else if (p->flags & FLAG_FROM_CLIENT) + { + pkt_direction = IMAP_PKT_FROM_CLIENT; + } + + /* if direction is still unknown ... */ + if (pkt_direction == IMAP_PKT_FROM_UNKNOWN) + { + if (IMAP_IsServer(p->src_port) && + !IMAP_IsServer(p->dst_port)) + { + pkt_direction = IMAP_PKT_FROM_SERVER; + } + else if (!IMAP_IsServer(p->src_port) && + IMAP_IsServer(p->dst_port)) + { + pkt_direction = IMAP_PKT_FROM_CLIENT; + } + } + } + + return pkt_direction; +} + + +/* + * Free IMAP-specific related to this session + * + * @param v pointer to IMAP session structure + * + * + * @return none + */ +static void IMAP_SessionFree(void *session_data) +{ + IMAP *imap = (IMAP *)session_data; +#ifdef SNORT_RELOAD + IMAPConfig *pPolicyConfig = NULL; +#endif + + if (imap == NULL) + return; + +#ifdef SNORT_RELOAD + pPolicyConfig = (IMAPConfig *)sfPolicyUserDataGet(imap->config, imap->policy_id); + + if (pPolicyConfig != NULL) + { + pPolicyConfig->ref_count--; + if ((pPolicyConfig->ref_count == 0) && + (imap->config != imap_config)) + { + sfPolicyUserDataClear (imap->config, imap->policy_id); + IMAP_FreeConfig(pPolicyConfig); + + /* No more outstanding policies for this config */ + if (sfPolicyUserPolicyGetActive(imap->config) == 0) + IMAP_FreeConfigs(imap->config); + } + } +#endif + + if (imap->mime_boundary.boundary_search != NULL) + { + _dpd.searchAPI->search_instance_free(imap->mime_boundary.boundary_search); + imap->mime_boundary.boundary_search = NULL; + } + + if(imap->decode_state != NULL) + { + mempool_free(imap_mempool, imap->decode_bkt); + free(imap->decode_state); + } + + free(imap); +} + + +static void IMAP_NoSessionFree(void) +{ 
+ if (imap_no_session.mime_boundary.boundary_search != NULL) + { + _dpd.searchAPI->search_instance_free(imap_no_session.mime_boundary.boundary_search); + imap_no_session.mime_boundary.boundary_search = NULL; + } +} + +static int IMAP_FreeConfigsPolicy( + tSfPolicyUserContextId config, + tSfPolicyId policyId, + void* pData + ) +{ + IMAPConfig *pPolicyConfig = (IMAPConfig *)pData; + + //do any housekeeping before freeing IMAPConfig + sfPolicyUserDataClear (config, policyId); + IMAP_FreeConfig(pPolicyConfig); + + return 0; +} + +void IMAP_FreeConfigs(tSfPolicyUserContextId config) +{ + if (config == NULL) + return; + + sfPolicyUserDataIterate (config, IMAP_FreeConfigsPolicy); + sfPolicyConfigDelete(config); +} + +void IMAP_FreeConfig(IMAPConfig *config) +{ + if (config == NULL) + return; + + if (config->cmds != NULL) + { + IMAPToken *tmp = config->cmds; + + for (; tmp->name != NULL; tmp++) + free(tmp->name); + + free(config->cmds); + } + + if (config->cmd_search_mpse != NULL) + _dpd.searchAPI->search_instance_free(config->cmd_search_mpse); + + if (config->cmd_search != NULL) + free(config->cmd_search); + + free(config); +} + + +/* + * Free anything that needs it before shutting down preprocessor + * + * @param none + * + * @return none + */ +void IMAP_Free(void) +{ + IMAP_NoSessionFree(); + + IMAP_FreeConfigs(imap_config); + imap_config = NULL; + + if (imap_resp_search_mpse != NULL) + _dpd.searchAPI->search_instance_free(imap_resp_search_mpse); + + if (imap_hdr_search_mpse != NULL) + _dpd.searchAPI->search_instance_free(imap_hdr_search_mpse); + + if (imap_data_search_mpse != NULL) + _dpd.searchAPI->search_instance_free(imap_data_search_mpse); + + if (mime_boundary_pcre.re ) + pcre_free(mime_boundary_pcre.re); + + if (mime_boundary_pcre.pe ) + pcre_free(mime_boundary_pcre.pe); +} + + +/* + * Callback function for string search + * + * @param id id in array of search strings from imap_config.cmds + * @param index index in array of search strings from imap_config.cmds + 
* @param data buffer passed in to search function + * + * @return response + * @retval 1 commands caller to stop searching + */ +static int IMAP_SearchStrFound(void *id, void *unused, int index, void *data, void *unused2) +{ + int search_id = (int)(uintptr_t)id; + + imap_search_info.id = search_id; + imap_search_info.index = index; + imap_search_info.length = imap_current_search[search_id].name_len; + + /* Returning non-zero stops search, which is okay since we only look for one at a time */ + return 1; +} + +/* + * Callback function for boundary search + * + * @param id id in array of search strings + * @param index index in array of search strings + * @param data buffer passed in to search function + * + * @return response + * @retval 1 commands caller to stop searching + */ +static int IMAP_BoundaryStrFound(void *id, void *unused, int index, void *data, void *unused2) +{ + int boundary_id = (int)(uintptr_t)id; + + imap_search_info.id = boundary_id; + imap_search_info.index = index; + imap_search_info.length = imap_ssn->mime_boundary.boundary_len; + + return 1; +} + +static int IMAP_GetBoundary(const char *data, int data_len) +{ + int result; + int ovector[9]; + int ovecsize = 9; + const char *boundary; + int boundary_len; + int ret; + char *mime_boundary; + int *mime_boundary_len; + + + mime_boundary = &imap_ssn->mime_boundary.boundary[0]; + mime_boundary_len = &imap_ssn->mime_boundary.boundary_len; + + /* result will be the number of matches (including submatches) */ + result = pcre_exec(mime_boundary_pcre.re, mime_boundary_pcre.pe, + data, data_len, 0, 0, ovector, ovecsize); + if (result < 0) + return -1; + + result = pcre_get_substring(data, ovector, result, 1, &boundary); + if (result < 0) + return -1; + + boundary_len = strlen(boundary); + if (boundary_len > MAX_BOUNDARY_LEN) + { + /* XXX should we alert? 
breaking the law of RFC */ + boundary_len = MAX_BOUNDARY_LEN; + } + + mime_boundary[0] = '-'; + mime_boundary[1] = '-'; + ret = SafeMemcpy(mime_boundary + 2, boundary, boundary_len, + mime_boundary + 2, mime_boundary + 2 + MAX_BOUNDARY_LEN); + + pcre_free_substring(boundary); + + if (ret != SAFEMEM_SUCCESS) + { + return -1; + } + + *mime_boundary_len = 2 + boundary_len; + mime_boundary[*mime_boundary_len] = '\0'; + + return 0; +} + + +/* + * Handle COMMAND state + * + * @param p standard Packet structure + * @param ptr pointer into p->payload buffer to start looking at data + * @param end points to end of p->payload buffer + * + * @return pointer into p->payload where we stopped looking at data + * will be end of line or end of packet + */ +static const uint8_t * IMAP_HandleCommand(SFSnortPacket *p, const uint8_t *ptr, const uint8_t *end) +{ + const uint8_t *eol; /* end of line */ + const uint8_t *eolm; /* end of line marker */ + int cmd_line_len; + int cmd_found; + + /* get end of line and end of line marker */ + IMAP_GetEOL(ptr, end, &eol, &eolm); + + /* calculate length of command line */ + cmd_line_len = eol - ptr; + + /* TODO If the end of line marker coincides with the end of payload we can't be + * sure that we got a command and not a substring which we could tell through + * inspection of the next packet. 
Maybe a command pending state where the first + * char in the next packet is checked for a space and end of line marker */ + + /* do not confine since there could be space chars before command */ + imap_current_search = &imap_eval_config->cmd_search[0]; + cmd_found = _dpd.searchAPI->search_instance_find + (imap_eval_config->cmd_search_mpse, (const char *)ptr, + eolm - ptr, 0, IMAP_SearchStrFound); + + /* if command not found, alert and move on */ + if (!cmd_found) + { + IMAP_GenerateAlert(IMAP_UNKNOWN_CMD, "%s", IMAP_UNKNOWN_CMD_STR); + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "No known command found\n");); + + return eol; + } + + /* At this point we have definitely found a legitimate command */ + + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "%s\n", imap_eval_config->cmds[imap_search_info.id].name);); + + return eol; +} + + +static const uint8_t * IMAP_HandleData(SFSnortPacket *p, const uint8_t *ptr, const uint8_t *end) +{ + const uint8_t *data_end_marker = NULL; + const uint8_t *data_end = NULL; + int data_end_found; + + /* if we've just entered the data state, check for a dot + end of line + * if found, no data */ + if ((imap_ssn->data_state == STATE_DATA_INIT) || + (imap_ssn->data_state == STATE_DATA_UNKNOWN)) + { + if ((ptr < end) && (*ptr == '.')) + { + const uint8_t *eol = NULL; + const uint8_t *eolm = NULL; + + IMAP_GetEOL(ptr, end, &eol, &eolm); + + /* this means we got a real end of line and not just end of payload + * and that the dot is only char on line */ + if ((eolm != end) && (eolm == (ptr + 1))) + { + /* if we're normalizing and not ignoring data copy data end marker + * and dot to alt buffer */ + + IMAP_ResetState(); + + return eol; + } + } + + if (imap_ssn->data_state == STATE_DATA_INIT) + imap_ssn->data_state = STATE_DATA_HEADER; + + /* XXX A line starting with a '.' that isn't followed by a '.' is + * deleted (RFC 821 - 4.5.2. TRANSPARENCY). If data starts with + * '. 
text', i.e a dot followed by white space then text, some + * servers consider it data header and some data body. + * Postfix and Qmail will consider the start of data: + * . text\r\n + * . text\r\n + * to be part of the header and the effect will be that of a + * folded line with the '.' deleted. Exchange will put the same + * in the body which seems more reasonable. */ + } + + /* get end of data body + * TODO check last bytes of previous packet to see if we had a partial + * end of data */ + imap_current_search = &imap_data_end_search[0]; + data_end_found = _dpd.searchAPI->search_instance_find + (imap_data_search_mpse, (const char *)ptr, end - ptr, + 0, IMAP_SearchStrFound); + + if (data_end_found > 0) + { + data_end_marker = ptr + imap_search_info.index; + data_end = data_end_marker + imap_search_info.length; + } + else + { + data_end_marker = data_end = end; + } + + _dpd.setFileDataPtr((uint8_t*)ptr, (uint16_t)(data_end - ptr)); + + if ((imap_ssn->data_state == STATE_DATA_HEADER) || + (imap_ssn->data_state == STATE_DATA_UNKNOWN)) + { +#ifdef DEBUG_MSGS + if (imap_ssn->data_state == STATE_DATA_HEADER) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "DATA HEADER STATE ~~~~~~~~~~~~~~~~~~~~~~\n");); + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "DATA UNKNOWN STATE ~~~~~~~~~~~~~~~~~~~~~\n");); + } +#endif + + ptr = IMAP_HandleHeader(p, ptr, data_end_marker); + if (ptr == NULL) + return NULL; + + } + + /* now we shouldn't have to worry about copying any data to the alt buffer + * only mime headers if we find them and only if we're ignoring data */ + + while ((ptr != NULL) && (ptr < data_end_marker)) + { + /* multiple MIME attachments in one single packet. 
+ * Pipeline the MIME decoded data.*/ + if ( imap_ssn->state_flags & IMAP_FLAG_MULTIPLE_EMAIL_ATTACH) + { + _dpd.setFileDataPtr(imap_ssn->decode_state->decodePtr, (uint16_t)imap_ssn->decode_state->decoded_bytes); + _dpd.detect(p); + imap_ssn->state_flags &= ~IMAP_FLAG_MULTIPLE_EMAIL_ATTACH; + ResetEmailDecodeState(imap_ssn->decode_state); + p->flags |=FLAG_ALLOW_MULTIPLE_DETECT; + /* Reset the log count when a packet goes through detection multiple times */ + p->xtradata_mask = 0; + p->per_packet_xtradata = 0; + _dpd.DetectReset((uint8_t *)p->payload, p->payload_size); + } + switch (imap_ssn->data_state) + { + case STATE_MIME_HEADER: + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "MIME HEADER STATE ~~~~~~~~~~~~~~~~~~~~~~\n");); + ptr = IMAP_HandleHeader(p, ptr, data_end_marker); + break; + case STATE_DATA_BODY: + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "DATA BODY STATE ~~~~~~~~~~~~~~~~~~~~~~~~\n");); + ptr = IMAP_HandleDataBody(p, ptr, data_end_marker); + break; + } + } + + /* We have either reached the end of MIME header or end of MIME encoded data*/ + + if(imap_ssn->decode_state != NULL) + { + _dpd.setFileDataPtr(imap_ssn->decode_state->decodePtr, (uint16_t)imap_ssn->decode_state->decoded_bytes); + ResetDecodedBytes(imap_ssn->decode_state); + } + + /* if we got the data end reset state, otherwise we're probably still in the data + * to expect more data in next packet */ + if (data_end_marker != end) + { + IMAP_ResetState(); + } + + return data_end; +} + + +/* + * Handle Headers - Data or Mime + * + * @param packet standard Packet structure + * + * @param i index into p->payload buffer to start looking at data + * + * @return i index into p->payload where we stopped looking at data + */ +static const uint8_t * IMAP_HandleHeader(SFSnortPacket *p, const uint8_t *ptr, + const uint8_t *data_end_marker) +{ + const uint8_t *eol; + const uint8_t *eolm; + const uint8_t *colon; + const uint8_t *content_type_ptr = NULL; + const uint8_t *cont_trans_enc = NULL; + int header_found; + int 
ret; + const uint8_t *start_hdr; + + start_hdr = ptr; + + /* if we got a content-type in a previous packet and are + * folding, the boundary still needs to be checked for */ + if (imap_ssn->state_flags & IMAP_FLAG_IN_CONTENT_TYPE) + content_type_ptr = ptr; + + if (imap_ssn->state_flags & IMAP_FLAG_IN_CONT_TRANS_ENC) + cont_trans_enc = ptr; + + while (ptr < data_end_marker) + { + IMAP_GetEOL(ptr, data_end_marker, &eol, &eolm); + + /* got a line with only end of line marker should signify end of header */ + if (eolm == ptr) + { + /* reset global header state values */ + imap_ssn->state_flags &= + ~(IMAP_FLAG_FOLDING | IMAP_FLAG_IN_CONTENT_TYPE | IMAP_FLAG_DATA_HEADER_CONT + | IMAP_FLAG_IN_CONT_TRANS_ENC ); + + imap_ssn->data_state = STATE_DATA_BODY; + + /* if no headers, treat as data */ + if (ptr == start_hdr) + return eolm; + else + return eol; + } + + /* if we're not folding, see if we should interpret line as a data line + * instead of a header line */ + if (!(imap_ssn->state_flags & (IMAP_FLAG_FOLDING | IMAP_FLAG_DATA_HEADER_CONT))) + { + char got_non_printable_in_header_name = 0; + + /* if we're not folding and the first char is a space or + * colon, it's not a header */ + if (isspace((int)*ptr) || *ptr == ':') + { + imap_ssn->data_state = STATE_DATA_BODY; + return ptr; + } + + /* look for header field colon - if we're not folding then we need + * to find a header which will be all printables (except colon) + * followed by a colon */ + colon = ptr; + while ((colon < eolm) && (*colon != ':')) + { + if (((int)*colon < 33) || ((int)*colon > 126)) + got_non_printable_in_header_name = 1; + + colon++; + } + + /* If the end on line marker and end of line are the same, assume + * header was truncated, so stay in data header state */ + if ((eolm != eol) && + ((colon == eolm) || got_non_printable_in_header_name)) + { + /* no colon or got spaces in header name (won't be interpreted as a header) + * assume we're in the body */ + imap_ssn->state_flags &= + 
~(IMAP_FLAG_FOLDING | IMAP_FLAG_IN_CONTENT_TYPE | IMAP_FLAG_DATA_HEADER_CONT + |IMAP_FLAG_IN_CONT_TRANS_ENC); + + imap_ssn->data_state = STATE_DATA_BODY; + + return ptr; + } + + if(tolower((int)*ptr) == 'c') + { + imap_current_search = &imap_hdr_search[0]; + header_found = _dpd.searchAPI->search_instance_find + (imap_hdr_search_mpse, (const char *)ptr, + eolm - ptr, 1, IMAP_SearchStrFound); + + /* Headers must start at beginning of line */ + if ((header_found > 0) && (imap_search_info.index == 0)) + { + switch (imap_search_info.id) + { + case HDR_CONTENT_TYPE: + /* for now we're just looking for the boundary in the data + * header section */ + if (imap_ssn->data_state != STATE_MIME_HEADER) + { + content_type_ptr = ptr + imap_search_info.length; + imap_ssn->state_flags |= IMAP_FLAG_IN_CONTENT_TYPE; + } + + break; + case HDR_CONT_TRANS_ENC: + cont_trans_enc = ptr + imap_search_info.length; + imap_ssn->state_flags |= IMAP_FLAG_IN_CONT_TRANS_ENC; + break; + + default: + break; + } + } + } + else if(tolower((int)*ptr) == 'e') + { + if((eolm - ptr) >= 9) + { + if(strncasecmp((const char *)ptr, "Encoding:", 9) == 0) + { + cont_trans_enc = ptr + 9; + imap_ssn->state_flags |= IMAP_FLAG_IN_CONT_TRANS_ENC; + } + } + } + } + else + { + imap_ssn->state_flags &= ~IMAP_FLAG_DATA_HEADER_CONT; + } + + + /* check for folding + * if char on next line is a space and not \n or \r\n, we are folding */ + if ((eol < data_end_marker) && isspace((int)eol[0]) && (eol[0] != '\n')) + { + if ((eol < (data_end_marker - 1)) && (eol[0] != '\r') && (eol[1] != '\n')) + { + imap_ssn->state_flags |= IMAP_FLAG_FOLDING; + } + else + { + imap_ssn->state_flags &= ~IMAP_FLAG_FOLDING; + } + } + else if (eol != eolm) + { + imap_ssn->state_flags &= ~IMAP_FLAG_FOLDING; + } + + /* check if we're in a content-type header and not folding. 
if so we have the whole + * header line/lines for content-type - see if we got a multipart with boundary + * we don't check each folded line, but wait until we have the complete header + * because boundary=BOUNDARY can be split across mulitple folded lines before + * or after the '=' */ + if ((imap_ssn->state_flags & + (IMAP_FLAG_IN_CONTENT_TYPE | IMAP_FLAG_FOLDING)) == IMAP_FLAG_IN_CONTENT_TYPE) + { + /* we got the full content-type header - look for boundary string */ + ret = IMAP_GetBoundary((const char *)content_type_ptr, eolm - content_type_ptr); + if (ret != -1) + { + ret = IMAP_BoundarySearchInit(); + if (ret != -1) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Got mime boundary: %s\n", + imap_ssn->mime_boundary.boundary);); + + imap_ssn->state_flags |= IMAP_FLAG_GOT_BOUNDARY; + } + } + + imap_ssn->state_flags &= ~IMAP_FLAG_IN_CONTENT_TYPE; + content_type_ptr = NULL; + } + else if ((imap_ssn->state_flags & + (IMAP_FLAG_IN_CONT_TRANS_ENC | IMAP_FLAG_FOLDING)) == IMAP_FLAG_IN_CONT_TRANS_ENC) + { + /* Check for Encoding Type */ + if( (!IMAP_IsDecodingEnabled(imap_eval_config)) && (imap_ssn->decode_state != NULL)) + { + IMAP_DecodeType((const char *)cont_trans_enc, eolm - cont_trans_enc ); + imap_ssn->state_flags |= IMAP_FLAG_EMAIL_ATTACH; + /* check to see if there are other attachments in this packet */ + if( imap_ssn->decode_state->decoded_bytes ) + imap_ssn->state_flags |= IMAP_FLAG_MULTIPLE_EMAIL_ATTACH; + } + imap_ssn->state_flags &= ~IMAP_FLAG_IN_CONT_TRANS_ENC; + + cont_trans_enc = NULL; + } + + /* if state was unknown, at this point assume we know */ + if (imap_ssn->data_state == STATE_DATA_UNKNOWN) + imap_ssn->data_state = STATE_DATA_HEADER; + + ptr = eol; + + if (ptr == data_end_marker) + imap_ssn->state_flags |= IMAP_FLAG_DATA_HEADER_CONT; + } + + return ptr; +} + + +/* + * Handle DATA_BODY state + * + * @param packet standard Packet structure + * + * @param i index into p->payload buffer to start looking at data + * + * @return i index into p->payload 
where we stopped looking at data + */ +static const uint8_t * IMAP_HandleDataBody(SFSnortPacket *p, const uint8_t *ptr, + const uint8_t *data_end_marker) +{ + int boundary_found = 0; + const uint8_t *boundary_ptr = NULL; + const uint8_t *attach_start = NULL; + const uint8_t *attach_end = NULL; + + if ( imap_ssn->state_flags & IMAP_FLAG_EMAIL_ATTACH ) + attach_start = ptr; + /* look for boundary */ + if (imap_ssn->state_flags & IMAP_FLAG_GOT_BOUNDARY) + { + boundary_found = _dpd.searchAPI->search_instance_find + (imap_ssn->mime_boundary.boundary_search, (const char *)ptr, + data_end_marker - ptr, 0, IMAP_BoundaryStrFound); + + if (boundary_found > 0) + { + boundary_ptr = ptr + imap_search_info.index; + + /* should start at beginning of line */ + if ((boundary_ptr == ptr) || (*(boundary_ptr - 1) == '\n')) + { + const uint8_t *eol; + const uint8_t *eolm; + const uint8_t *tmp; + + if (imap_ssn->state_flags & IMAP_FLAG_EMAIL_ATTACH ) + { + attach_end = boundary_ptr-1; + imap_ssn->state_flags &= ~IMAP_FLAG_EMAIL_ATTACH; + if(attach_start < attach_end) + { + if(EmailDecode( attach_start, attach_end, imap_ssn->decode_state) != DECODE_SUCCESS ) + { + IMAP_DecodeAlert(); + } + } + } + + + /* Check for end boundary */ + tmp = boundary_ptr + imap_search_info.length; + if (((tmp + 1) < data_end_marker) && (tmp[0] == '-') && (tmp[1] == '-')) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Mime boundary end found: %s--\n", + (char *)imap_ssn->mime_boundary.boundary);); + + /* no more MIME */ + imap_ssn->state_flags &= ~IMAP_FLAG_GOT_BOUNDARY; + + /* free boundary search */ + _dpd.searchAPI->search_instance_free(imap_ssn->mime_boundary.boundary_search); + imap_ssn->mime_boundary.boundary_search = NULL; + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Mime boundary found: %s\n", + (char *)imap_ssn->mime_boundary.boundary);); + + imap_ssn->data_state = STATE_MIME_HEADER; + } + + /* get end of line - there could be spaces after boundary before eol */ + IMAP_GetEOL(boundary_ptr + 
imap_search_info.length, data_end_marker, &eol, &eolm); + + return eol; + } + } + } + + if ( imap_ssn->state_flags & IMAP_FLAG_EMAIL_ATTACH ) + { + attach_end = data_end_marker; + if(attach_start < attach_end) + { + if(EmailDecode( attach_start, attach_end, imap_ssn->decode_state) != DECODE_SUCCESS ) + { + IMAP_DecodeAlert(); + } + } + } + + return data_end_marker; +} + + +/* + * Process client packet + * + * @param packet standard Packet structure + * + * @return none + */ +static void IMAP_ProcessClientPacket(SFSnortPacket *p) +{ + const uint8_t *ptr = p->payload; + const uint8_t *end = p->payload + p->payload_size; + + ptr = IMAP_HandleCommand(p, ptr, end); + + +} + + + +/* + * Process server packet + * + * @param packet standard Packet structure + * + */ +static void IMAP_ProcessServerPacket(SFSnortPacket *p) +{ + int resp_found; + const uint8_t *ptr; + const uint8_t *end; + const uint8_t *data_end; + const uint8_t *eolm; + const uint8_t *eol; + int resp_line_len; + const char *tmp = NULL; + uint8_t *body_start, *body_end; + char *eptr; + uint32_t len = 0; + + body_start = body_end = NULL; + + ptr = p->payload; + end = p->payload + p->payload_size; + + while (ptr < end) + { + if(imap_ssn->state == STATE_DATA) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "DATA STATE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n");); + if( imap_ssn->body_len > imap_ssn->body_read) + { + + len = imap_ssn->body_len - imap_ssn->body_read ; + if( (uint32_t)(end - ptr) < len ) + { + data_end = end; + len = data_end - ptr; + } + else + data_end = ptr + len; + + ptr = IMAP_HandleData(p, ptr, data_end); + + if( ptr < data_end) + len = len - (data_end - ptr); + + imap_ssn->body_read += len; + + continue; + } + else + { + imap_ssn->body_len = imap_ssn->body_read = 0; + IMAP_ResetState(); + } + } + IMAP_GetEOL(ptr, end, &eol, &eolm); + + resp_line_len = eol - ptr; + + /* Check for response code */ + imap_current_search = &imap_resp_search[0]; + resp_found = _dpd.searchAPI->search_instance_find + 
(imap_resp_search_mpse, (const char *)ptr, + resp_line_len, 0, IMAP_SearchStrFound); + + if (resp_found > 0) + { + const uint8_t *cmd_start = ptr + imap_search_info.index; + switch (imap_search_info.id) + { + case RESP_FETCH: + imap_ssn->body_len = imap_ssn->body_read = 0; + imap_ssn->state = STATE_DATA; + tmp = _dpd.SnortStrcasestr((const char *)cmd_start, (eol - cmd_start), "BODY"); + if(tmp != NULL) + imap_ssn->state = STATE_DATA; + else + { + tmp = _dpd.SnortStrcasestr((const char *)cmd_start, (eol - cmd_start), "RFC822"); + if(tmp != NULL) + imap_ssn->state = STATE_DATA; + else + imap_ssn->state = STATE_UNKNOWN; + } + break; + default: + break; + } + + if(imap_ssn->state == STATE_DATA) + { + body_start = (uint8_t *)memchr((char *)ptr, '{', (eol - ptr)); + if( body_start == NULL ) + { + imap_ssn->state = STATE_UNKNOWN; + } + else + { + if( (body_start + 1) < (uint8_t *)eol ) + { + len = (uint32_t)_dpd.SnortStrtoul((const char *)(body_start + 1), &eptr, 10); + if (*eptr != '}') + { + imap_ssn->state = STATE_UNKNOWN; + } + else + imap_ssn->body_len = len; + + len = 0; + } + else + imap_ssn->state = STATE_UNKNOWN; + + } + } + + } + else + { + if ( (*ptr != '*') && (*ptr !='+') && (*ptr != '\r') && (*ptr != '\n') ) + { + IMAP_GenerateAlert(IMAP_UNKNOWN_RESP, "%s", IMAP_UNKNOWN_RESP_STR); + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Server response not found\n");); + } + + } + + + ptr = eol; + + } + + return; +} + +/* For Target based + * If a protocol for the session is already identified and not one IMAP is + * interested in, IMAP should leave it alone and return without processing. + * If a protocol for the session is already identified and is one that IMAP is + * interested in, decode it. + * If the protocol for the session is not already identified and the preprocessor + * is configured to detect on one of the packet ports, detect. 
+ * Returns 0 if we should not inspect + * 1 if we should continue to inspect + */ +static int IMAP_Inspect(SFSnortPacket *p) +{ +#ifdef TARGET_BASED + /* IMAP could be configured to be stateless. If stream isn't configured, assume app id + * will never be set and just base inspection on configuration */ + if (p->stream_session_ptr == NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "IMAP: Target-based: No stream session.\n");); + + if ((IMAP_IsServer(p->src_port) && (p->flags & FLAG_FROM_SERVER)) || + (IMAP_IsServer(p->dst_port) && (p->flags & FLAG_FROM_CLIENT))) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "IMAP: Target-based: Configured for this " + "traffic, so let's inspect.\n");); + return 1; + } + } + else + { + int16_t app_id = _dpd.streamAPI->get_application_protocol_id(p->stream_session_ptr); + + if (app_id != 0) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "IMAP: Target-based: App id: %u.\n", app_id);); + + if (app_id == imap_proto_id) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "IMAP: Target-based: App id is " + "set to \"%s\".\n", IMAP_PROTO_REF_STR);); + return 1; + } + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "IMAP: Target-based: Unknown protocol for " + "this session. 
See if we're configured.\n");); + + if ((IMAP_IsServer(p->src_port) && (p->flags & FLAG_FROM_SERVER)) || + (IMAP_IsServer(p->dst_port) && (p->flags & FLAG_FROM_CLIENT))) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "IMAP: Target-based: IMAP port is configured.");); + return 1; + } + } + } + + DEBUG_WRAP(DebugMessage(DEBUG_IMAP,"IMAP: Target-based: Not inspecting ...\n");); + +#else + /* Make sure it's traffic we're interested in */ + if ((IMAP_IsServer(p->src_port) && (p->flags & FLAG_FROM_SERVER)) || + (IMAP_IsServer(p->dst_port) && (p->flags & FLAG_FROM_CLIENT))) + return 1; + +#endif /* TARGET_BASED */ + + return 0; +} + +/* + * Entry point to snort preprocessor for each packet + * + * @param packet standard Packet structure + * + * @return none + */ +void SnortIMAP(SFSnortPacket *p) +{ + int detected = 0; + int pkt_dir; + tSfPolicyId policy_id = _dpd.getRuntimePolicy(); + + PROFILE_VARS; + + + imap_ssn = (IMAP *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_IMAP); + if (imap_ssn != NULL) + imap_eval_config = (IMAPConfig *)sfPolicyUserDataGet(imap_ssn->config, imap_ssn->policy_id); + else + imap_eval_config = (IMAPConfig *)sfPolicyUserDataGetCurrent(imap_config); + + if (imap_eval_config == NULL) + return; + + if (imap_ssn == NULL) + { + if (!IMAP_Inspect(p)) + return; + + imap_ssn = IMAP_GetNewSession(p, policy_id); + if (imap_ssn == NULL) + return; + } + + pkt_dir = IMAP_Setup(p, imap_ssn); + + if (pkt_dir == IMAP_PKT_FROM_CLIENT) + { + IMAP_ProcessClientPacket(p); + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "IMAP client packet\n");); + } + else + { +#ifdef DEBUG_MSGS + if (pkt_dir == IMAP_PKT_FROM_SERVER) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "IMAP server packet\n");); + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "IMAP packet NOT from client or server! 
" + "Processing as a server packet\n");); + } +#endif + + if (p->flags & FLAG_STREAM_INSERT) + { + /* Packet will be rebuilt, so wait for it */ + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Client packet will be reassembled\n")); + return; + } + else if (imap_ssn->reassembling && !(p->flags & FLAG_REBUILT_STREAM)) + { + /* If this isn't a reassembled packet and didn't get + * inserted into reassembly buffer, there could be a + * problem. If we miss syn or syn-ack that had window + * scaling this packet might not have gotten inserted + * into reassembly buffer because it fell outside of + * window, because we aren't scaling it */ + imap_ssn->session_flags |= IMAP_FLAG_GOT_NON_REBUILT; + imap_ssn->state = STATE_UNKNOWN; + } + else if (imap_ssn->reassembling && (imap_ssn->session_flags & IMAP_FLAG_GOT_NON_REBUILT)) + { + /* This is a rebuilt packet. If we got previous packets + * that were not rebuilt, state is going to be messed up + * so set state to unknown. It's likely this was the + * beginning of the conversation so reset state */ + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Got non-rebuilt packets before " + "this rebuilt packet\n");); + + imap_ssn->state = STATE_UNKNOWN; + imap_ssn->session_flags &= ~IMAP_FLAG_GOT_NON_REBUILT; + } + /* Process as a server packet */ + IMAP_ProcessServerPacket(p); + } + + + PREPROC_PROFILE_START(imapDetectPerfStats); + + detected = _dpd.detect(p); + +#ifdef PERF_PROFILING + imapDetectCalled = 1; +#endif + + PREPROC_PROFILE_END(imapDetectPerfStats); + + /* Turn off detection since we've already done it. 
*/
+ IMAP_DisableDetect(p);
+
+ if (detected)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "IMAP vulnerability detected\n"););
+ }
+}
+
+static void IMAP_DisableDetect(SFSnortPacket *p)
+{
+ _dpd.disableAllDetect(p);
+
+ _dpd.setPreprocBit(p, PP_SFPORTSCAN);
+ _dpd.setPreprocBit(p, PP_PERFMONITOR);
+ _dpd.setPreprocBit(p, PP_STREAM5);
+ _dpd.setPreprocBit(p, PP_SDF);
+}
+
+
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/imap/snort_imap.h snort-2.9.2/src/dynamic-preprocessors/imap/snort_imap.h
--- snort-2.8.5.2/src/dynamic-preprocessors/imap/snort_imap.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/imap/snort_imap.h 2011-06-08 00:33:14.000000000 +0000
@@ -0,0 +1,265 @@
+/****************************************************************************
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * **************************************************************************/
+
+/**************************************************************************
+ *
+ * snort_imap.h
+ *
+ * Author: Bhagyashree Bantwal
+ *
+ * Description:
+ *
+ * This file defines everything specific to the IMAP preprocessor.
+ *
+ **************************************************************************/
+
+#ifndef __IMAP_H__
+#define __IMAP_H__
+
+
+/* Includes ***************************************************************/
+
+#include
+
+#include "sf_snort_packet.h"
+#include "imap_config.h"
+#include "sfPolicy.h"
+#include "sfPolicyUserData.h"
+#include "mempool.h"
+#include "sf_email_attach_decode.h"
+
+#ifdef DEBUG
+#include "sf_types.h"
+#endif
+
+/**************************************************************************/
+
+
+/* Defines ****************************************************************/
+
+/* Direction packet is coming from, if we can figure it out */
+#define IMAP_PKT_FROM_UNKNOWN 0
+#define IMAP_PKT_FROM_CLIENT 1
+#define IMAP_PKT_FROM_SERVER 2
+
+#define SEARCH_CMD 0
+#define SEARCH_RESP 1
+#define SEARCH_HDR 2
+#define SEARCH_DATA_END 3
+#define NUM_SEARCHES 4
+
+#define BOUNDARY 0
+
+#define MAX_BOUNDARY_LEN 70 /* Max length of boundary string, defined in RFC 2046 */
+
+#define STATE_DATA 0 /* Data state */
+#define STATE_UNKNOWN 1
+
+#define STATE_DATA_INIT 0
+#define STATE_DATA_HEADER 1 /* Data header section of data state */
+#define STATE_DATA_BODY 2 /* Data body section of data state */
+#define STATE_MIME_HEADER 3 /* MIME header section within data section */
+#define STATE_DATA_UNKNOWN 4
+
+/* state flags */
+#define IMAP_FLAG_FOLDING 0x00000001
+#define IMAP_FLAG_IN_CONTENT_TYPE 0x00000002
+#define IMAP_FLAG_GOT_BOUNDARY 0x00000004
+#define IMAP_FLAG_DATA_HEADER_CONT 0x00000008
+#define IMAP_FLAG_IN_CONT_TRANS_ENC 0x00000010
+#define IMAP_FLAG_EMAIL_ATTACH 0x00000020
+#define IMAP_FLAG_MULTIPLE_EMAIL_ATTACH 0x00000040
+
+/* session flags */
+#define IMAP_FLAG_NEXT_STATE_UNKNOWN 0x00000004
+#define IMAP_FLAG_GOT_NON_REBUILT 0x00000008
+
+#define IMAP_SSL_ERROR_FLAGS (SSL_BOGUS_HS_DIR_FLAG | \
+ SSL_BAD_VER_FLAG | \
+ SSL_BAD_TYPE_FLAG | \
+ SSL_UNKNOWN_FLAG)
+
+/* Maximum length of header chars before colon, based on Exim 4.32 exploit */
+#define
MAX_HEADER_NAME_LEN 64
+
+#define IMAP_PROTO_REF_STR "imap"
+
+/**************************************************************************/
+
+
+/* Data structures ********************************************************/
+
+typedef enum _IMAPCmdEnum
+{
+ CMD_APPEND = 0,
+ CMD_AUTHENTICATE,
+ CMD_CAPABILITY,
+ CMD_CHECK,
+ CMD_CLOSE,
+ CMD_COMPARATOR,
+ CMD_COMPRESS,
+ CMD_CONVERSIONS,
+ CMD_COPY,
+ CMD_CREATE,
+ CMD_DELETE,
+ CMD_DELETEACL,
+ CMD_DONE,
+ CMD_EXAMINE,
+ CMD_EXPUNGE,
+ CMD_FETCH,
+ CMD_GETACL,
+ CMD_GETMETADATA,
+ CMD_GETQUOTA,
+ CMD_GETQUOTAROOT,
+ CMD_IDLE,
+ CMD_LIST,
+ CMD_LISTRIGHTS,
+ CMD_LOGIN,
+ CMD_LOGOUT,
+ CMD_LSUB,
+ CMD_MYRIGHTS,
+ CMD_NOOP,
+ CMD_NOTIFY,
+ CMD_RENAME,
+ CMD_SEARCH,
+ CMD_SELECT,
+ CMD_SETACL,
+ CMD_SETMETADATA,
+ CMD_SETQUOTA,
+ CMD_SORT,
+ CMD_STARTTLS,
+ CMD_STATUS,
+ CMD_STORE,
+ CMD_SUBSCRIBE,
+ CMD_THREAD,
+ CMD_UID,
+ CMD_UNSELECT,
+ CMD_UNSUBSCRIBE,
+ CMD_X,
+ CMD_LAST
+
+} IMAPCmdEnum;
+
+typedef enum _IMAPRespEnum
+{
+ RESP_CAPABILITY = 0,
+ RESP_LIST,
+ RESP_LSUB,
+ RESP_STATUS,
+ RESP_SEARCH,
+ RESP_FLAGS,
+ RESP_EXISTS,
+ RESP_RECENT,
+ RESP_EXPUNGE,
+ RESP_FETCH,
+ RESP_BAD,
+ RESP_BYE,
+ RESP_NO,
+ RESP_OK,
+ RESP_PREAUTH,
+ RESP_ENVELOPE,
+ RESP_UID,
+ RESP_LAST
+
+} IMAPRespEnum;
+
+typedef enum _IMAPHdrEnum
+{
+ HDR_CONTENT_TYPE = 0,
+ HDR_CONT_TRANS_ENC,
+ HDR_LAST
+
+} IMAPHdrEnum;
+
+typedef enum _IMAPDataEndEnum
+{
+ DATA_END_1 = 0,
+ DATA_END_2,
+ DATA_END_3,
+ DATA_END_4,
+ DATA_END_LAST
+
+} IMAPDataEndEnum;
+
+typedef struct _IMAPSearchInfo
+{
+ int id;
+ int index;
+ int length;
+
+} IMAPSearchInfo;
+
+typedef struct _IMAPMimeBoundary
+{
+ char boundary[2 + MAX_BOUNDARY_LEN + 1]; /* '--' + MIME boundary string + '\0' */
+ int boundary_len;
+ void *boundary_search;
+
+} IMAPMimeBoundary;
+
+typedef struct _IMAPPcre
+{
+ pcre *re;
+ pcre_extra *pe;
+
+} IMAPPcre;
+
+typedef struct _IMAP
+{
+ int state;
+ int data_state;
+ int state_flags;
+ int session_flags;
+ int alert_mask;
+ int
reassembling;
+ uint32_t body_len;
+ uint32_t body_read;
+#ifdef DEBUG_MSGS
+ uint64_t session_number;
+#endif
+
+ MemBucket *decode_bkt;
+ IMAPMimeBoundary mime_boundary;
+ Email_DecodeState *decode_state;
+
+ tSfPolicyId policy_id;
+ tSfPolicyUserContextId config;
+
+} IMAP;
+
+
+/**************************************************************************/
+
+
+/* Function prototypes ****************************************************/
+
+void IMAP_InitCmds(IMAPConfig *config);
+void IMAP_SearchInit(void);
+void IMAP_Free(void);
+void SnortIMAP(SFSnortPacket *);
+int IMAP_IsServer(uint16_t);
+void IMAP_FreeConfig(IMAPConfig *);
+void IMAP_FreeConfigs(tSfPolicyUserContextId);
+
+/**************************************************************************/
+
+#endif /* __IMAP_H__ */
+
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/imap/spp_imap.c snort-2.9.2/src/dynamic-preprocessors/imap/spp_imap.c
--- snort-2.8.5.2/src/dynamic-preprocessors/imap/spp_imap.c 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/imap/spp_imap.c 2011-10-26 18:28:52.000000000 +0000
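Review bot: The include guard `__IMAP_H__` (and its closing `#endif /* __IMAP_H__ */`) uses a double-underscore identifier, which C reserves for the implementation, and the generic name can collide with another module's guard of the same spelling; a project-prefixed guard such as `#ifndef SNORT_IMAP_H` / `#define SNORT_IMAP_H` / `#endif /* SNORT_IMAP_H */` avoids both problems. MAX_HEADER_NAME_LEN is introduced here as a protective bound, with a comment tying it to a past exploit, but in the header-name scan visible earlier in this diff (the `while ((colon < eolm) && (*colon != ':'))` loop) nothing compares the scanned name length against it, so within this chunk the limit appears to be declarative only — worth confirming where it is enforced, or noting next to the define that it is informational. The `state_flags` and `session_flags` members are declared `int` but are only ever used as bit masks in the visible code; `uint32_t` would match the 0x... flag definitions above and avoid signed bit-manipulation surprises.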
@@ -0,0 +1,670 @@
+/****************************************************************************
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+/**************************************************************************
+ *
+ * spp_imap.c
+ *
+ * Author: Bhagyashree Bantwal
+ *
+ * Description:
+ *
+ * This file initializes IMAP as a Snort preprocessor.
+ *
+ * This file registers the IMAP initialization function,
+ * adds the IMAP function into the preprocessor list.
+ *
+ * In general, this file is a wrapper to IMAP functionality,
+ * by interfacing with the Snort preprocessor functions. The rest
+ * of IMAP should be separate from the preprocessor hooks.
+ *
+ **************************************************************************/
+
+#include
+#include
+#include
+#include
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "sf_types.h"
+#include "spp_imap.h"
+#include "sf_preproc_info.h"
+#include "snort_imap.h"
+#include "imap_config.h"
+#include "imap_log.h"
+
+#include "preprocids.h"
+#include "sf_snort_packet.h"
+#include "sf_dynamic_preprocessor.h"
+#include "snort_debug.h"
+#include "sfPolicy.h"
+#include "sfPolicyUserData.h"
+
+#include "profiler.h"
+#ifdef PERF_PROFILING
+PreprocStats imapPerfStats;
+PreprocStats imapDetectPerfStats;
+int imapDetectCalled = 0;
+#endif
+
+#include "sf_types.h"
+#include "mempool.h"
+#include "snort_bounds.h"
+
+const int MAJOR_VERSION = 1;
+const int MINOR_VERSION = 0;
+const int BUILD_VERSION = 1;
+#ifdef SUP_IP6
+const char *PREPROC_NAME = "SF_IMAP (IPV6)";
+#else
+const char *PREPROC_NAME = "SF_IMAP";
+#endif
+
+#define SetupIMAP DYNAMIC_PREPROC_SETUP
+
+MemPool *imap_mempool = NULL;
+
+tSfPolicyUserContextId imap_config = NULL;
+IMAPConfig *imap_eval_config = NULL;
+
+extern IMAP imap_no_session;
+extern int16_t imap_proto_id;
+
+static void IMAPInit(char *);
+static void IMAPDetect(void *, void *context);
+static void IMAPCleanExitFunction(int, void *);
+static void IMAPResetFunction(int, void *);
+static void IMAPResetStatsFunction(int, void *);
+static void _addPortsToStream5Filter(IMAPConfig *, tSfPolicyId);
+#ifdef TARGET_BASED
+static void _addServicesToStream5Filter(tSfPolicyId);
+#endif
+static void IMAPCheckConfig(void);
+
+#ifdef SNORT_RELOAD
+tSfPolicyUserContextId imap_swap_config = NULL;
+static void IMAPReload(char *);
+static int IMAPReloadVerify(void);
+static void * IMAPReloadSwap(void);
+static void IMAPReloadSwapFree(void *);
+#endif
+
+
+/*
+ * Function: SetupIMAP()
+ *
+ * Purpose: Registers the preprocessor keyword and initialization
+ * function into the preprocessor list.
This is the function that + * gets called from InitPreprocessors() in plugbase.c. + * + * Arguments: None. + * + * Returns: void function + * + */ +void SetupIMAP(void) +{ + /* link the preprocessor keyword to the init function in the preproc list */ +#ifndef SNORT_RELOAD + _dpd.registerPreproc("imap", IMAPInit); +#else + _dpd.registerPreproc("imap", IMAPInit, IMAPReload, + IMAPReloadSwap, IMAPReloadSwapFree); +#endif +} + + +/* + * Function: IMAPInit(char *) + * + * Purpose: Calls the argument parsing function, performs final setup on data + * structs, links the preproc function into the function list. + * + * Arguments: args => ptr to argument string + * + * Returns: void function + * + */ +static void IMAPInit(char *args) +{ + IMAPToken *tmp; + tSfPolicyId policy_id = _dpd.getParserPolicy(); + IMAPConfig * pPolicyConfig = NULL; + + if (imap_config == NULL) + { + //create a context + imap_config = sfPolicyConfigCreate(); + if (imap_config == NULL) + { + DynamicPreprocessorFatalMessage("Not enough memory to create IMAP " + "configuration.\n"); + } + + /* Initialize the searches not dependent on configuration. 
+ * headers, reponsed, data, mime boundary regular expression */ + IMAP_SearchInit(); + + /* zero out static IMAP global used for stateless IMAP or if there + * is no session pointer */ + memset(&imap_no_session, 0, sizeof(IMAP)); + + /* Put the preprocessor function into the function list */ + /* _dpd.addPreproc(IMAPDetect, PRIORITY_APPLICATION, PP_IMAP, PROTO_BIT__TCP);*/ + _dpd.addPreprocExit(IMAPCleanExitFunction, NULL, PRIORITY_LAST, PP_IMAP); + _dpd.addPreprocReset(IMAPResetFunction, NULL, PRIORITY_LAST, PP_IMAP); + _dpd.addPreprocResetStats(IMAPResetStatsFunction, NULL, PRIORITY_LAST, PP_IMAP); + _dpd.addPreprocConfCheck(IMAPCheckConfig); + +#ifdef TARGET_BASED + imap_proto_id = _dpd.findProtocolReference(IMAP_PROTO_REF_STR); + if (imap_proto_id == SFTARGET_UNKNOWN_PROTOCOL) + imap_proto_id = _dpd.addProtocolReference(IMAP_PROTO_REF_STR); + + DEBUG_WRAP(DebugMessage(DEBUG_IMAP,"IMAP: Target-based: Proto id for %s: %u.\n", + IMAP_PROTO_REF_STR, imap_proto_id);); +#endif + +#ifdef PERF_PROFILING + _dpd.addPreprocProfileFunc("imap", (void*)&imapPerfStats, 0, _dpd.totalPerfStats); +#endif + } + + sfPolicyUserPolicySet (imap_config, policy_id); + pPolicyConfig = (IMAPConfig *)sfPolicyUserDataGetCurrent(imap_config); + if (pPolicyConfig != NULL) + { + DynamicPreprocessorFatalMessage("Can only configure IMAP preprocessor once.\n"); + } + + pPolicyConfig = (IMAPConfig *)calloc(1, sizeof(IMAPConfig)); + if (pPolicyConfig == NULL) + { + DynamicPreprocessorFatalMessage("Not enough memory to create IMAP " + "configuration.\n"); + } + + sfPolicyUserDataSetCurrent(imap_config, pPolicyConfig); + + IMAP_InitCmds(pPolicyConfig); + IMAP_ParseArgs(pPolicyConfig, args); + + IMAP_CheckConfig(pPolicyConfig, imap_config); + IMAP_PrintConfig(pPolicyConfig); + + if(pPolicyConfig->disabled) + return; + + _dpd.addPreproc(IMAPDetect, PRIORITY_APPLICATION, PP_IMAP, PROTO_BIT__TCP); + + if (_dpd.streamAPI == NULL) + { + DynamicPreprocessorFatalMessage("Streaming & reassembly must be 
enabled " + "for IMAP preprocessor\n"); + } + + /* Command search - do this here because it's based on configuration */ + pPolicyConfig->cmd_search_mpse = _dpd.searchAPI->search_instance_new(); + if (pPolicyConfig->cmd_search_mpse == NULL) + { + DynamicPreprocessorFatalMessage("Could not allocate IMAP " + "command search.\n"); + } + + for (tmp = pPolicyConfig->cmds; tmp->name != NULL; tmp++) + { + pPolicyConfig->cmd_search[tmp->search_id].name = tmp->name; + pPolicyConfig->cmd_search[tmp->search_id].name_len = tmp->name_len; + + _dpd.searchAPI->search_instance_add(pPolicyConfig->cmd_search_mpse, tmp->name, + tmp->name_len, tmp->search_id); + } + + _dpd.searchAPI->search_instance_prep(pPolicyConfig->cmd_search_mpse); + + _addPortsToStream5Filter(pPolicyConfig, policy_id); + +#ifdef TARGET_BASED + _addServicesToStream5Filter(policy_id); +#endif +} + +/* + * Function: IMAPDetect(void *, void *) + * + * Purpose: Perform the preprocessor's intended function. This can be + * simple (statistics collection) or complex (IP defragmentation) + * as you like. Try not to destroy the performance of the whole + * system by trying to do too much.... 
+ * + * Arguments: p => pointer to the current packet data struct + * + * Returns: void function + * + */ +static void IMAPDetect(void *pkt, void *context) +{ + SFSnortPacket *p = (SFSnortPacket *)pkt; + tSfPolicyId policy_id = _dpd.getRuntimePolicy(); + PROFILE_VARS; + + if ((p->payload_size == 0) || !IsTCP(p) || (p->payload == NULL)) + return; + + PREPROC_PROFILE_START(imapPerfStats); + + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "IMAP Start (((((((((((((((((((((((((((((((((((((((\n");); + + sfPolicyUserPolicySet (imap_config, policy_id); + + SnortIMAP(p); + + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "IMAP End )))))))))))))))))))))))))))))))))))))))))\n\n");); + + PREPROC_PROFILE_END(imapPerfStats); +#ifdef PERF_PROFILING + if (PROFILING_PREPROCS && imapDetectCalled) + { + imapPerfStats.ticks -= imapDetectPerfStats.ticks; + /* And Reset ticks to 0 */ + imapDetectPerfStats.ticks = 0; + imapDetectCalled = 0; + } +#endif + +} + + +/* + * Function: IMAPCleanExitFunction(int, void *) + * + * Purpose: This function gets called when Snort is exiting, if there's + * any cleanup that needs to be performed (e.g. closing files) + * it should be done here. 
+ * + * Arguments: signal => the code of the signal that was issued to Snort + * data => any arguments or data structs linked to this + * function when it was registered, may be + * needed to properly exit + * + * Returns: void function + */ +static void IMAPCleanExitFunction(int signal, void *data) +{ + IMAP_Free(); + if (mempool_destroy(imap_mempool) == 0) + { + free(imap_mempool); + imap_mempool = NULL; + } + +} + + +static void IMAPResetFunction(int signal, void *data) +{ + return; +} + +static void IMAPResetStatsFunction(int signal, void *data) +{ + return; +} + +static void _addPortsToStream5Filter(IMAPConfig *config, tSfPolicyId policy_id) +{ + unsigned int portNum; + + if (config == NULL) + return; + + for (portNum = 0; portNum < MAXPORTS; portNum++) + { + if(config->ports[(portNum/8)] & (1<<(portNum%8))) + { + //Add port the port + _dpd.streamAPI->set_port_filter_status(IPPROTO_TCP, (uint16_t)portNum, + PORT_MONITOR_SESSION, policy_id, 1); + } + } +} + +#ifdef TARGET_BASED +static void _addServicesToStream5Filter(tSfPolicyId policy_id) +{ + _dpd.streamAPI->set_service_filter_status(imap_proto_id, PORT_MONITOR_SESSION, policy_id, 1); +} +#endif + +static int IMAPEnableDecoding(tSfPolicyUserContextId config, + tSfPolicyId policyId, void *pData) +{ + IMAPConfig *context = (IMAPConfig *)pData; + + if (pData == NULL) + return 0; + + if(context->disabled) + return 0; + + if(!IMAP_IsDecodingEnabled(context)) + return 1; + + return 0; +} + +static int IMAPCheckPolicyConfig( + tSfPolicyUserContextId config, + tSfPolicyId policyId, + void* pData + ) +{ + IMAPConfig *context = (IMAPConfig *)pData; + + _dpd.setParserPolicy(policyId); + + /* In a multiple-policy setting, the IMAP preproc can be turned on in a + "disabled" state. In this case, we don't require Stream5. 
*/
+ if (context->disabled)
+ return 0;
+
+ if (!_dpd.isPreprocEnabled(PP_STREAM5))
+ {
+ DynamicPreprocessorFatalMessage("Streaming & reassembly must be enabled "
+ "for IMAP preprocessor\n");
+ }
+
+ return 0;
+}
+
+static void IMAPCheckConfig(void)
+{
+
+ IMAPConfig *defaultConfig =
+ (IMAPConfig *)sfPolicyUserDataGetDefault(imap_config);
+
+ sfPolicyUserDataIterate (imap_config, IMAPCheckPolicyConfig);
+
+ if (sfPolicyUserDataIterate(imap_config, IMAPEnableDecoding) != 0)
+ {
+ int encode_depth;
+ int max_sessions;
+
+ if (defaultConfig == NULL)
+ {
+ /*error message */
+ DynamicPreprocessorFatalMessage("IMAP: Must configure a default "
+ "configuration if you want to imap decoding.\n");
+ }
+
+ encode_depth = defaultConfig->max_depth;
+
+ if (encode_depth & 7)
+ {
+ encode_depth += (8 - (encode_depth & 7));
+ }
+
+ max_sessions = defaultConfig->memcap / (2 * encode_depth );
+
+ imap_mempool = (MemPool *)calloc(1, sizeof(MemPool));
+
+ if (mempool_init(imap_mempool, max_sessions,
+ (2 * encode_depth )) != 0)
+ {
+ DynamicPreprocessorFatalMessage("IMAP: Could not allocate IMAP mempool.\n");
+ }
+ }
+
+
+}
+
+#ifdef SNORT_RELOAD
+static void IMAPReload(char *args)
+{
+ IMAPToken *tmp;
+ tSfPolicyId policy_id = _dpd.getParserPolicy();
+ IMAPConfig *pPolicyConfig = NULL;
+
+ if (imap_swap_config == NULL)
+ {
+ //create a context
+ imap_swap_config = sfPolicyConfigCreate();
+ if (imap_swap_config == NULL)
+ {
+ DynamicPreprocessorFatalMessage("Not enough memory to create IMAP "
+ "configuration.\n");
+ }
+
+ _dpd.addPreprocReloadVerify(IMAPReloadVerify);
+ }
+
+ sfPolicyUserPolicySet (imap_swap_config, policy_id);
+ pPolicyConfig = (IMAPConfig *)sfPolicyUserDataGetCurrent(imap_swap_config);
+
+ if (pPolicyConfig != NULL)
+ DynamicPreprocessorFatalMessage("Can only configure IMAP preprocessor once.\n");
+
+ pPolicyConfig = (IMAPConfig *)calloc(1, sizeof(IMAPConfig));
+ if (pPolicyConfig == NULL)
+ {
+ DynamicPreprocessorFatalMessage("Not enough memory to create IMAP "
+ "configuration.\n");
+ }
+
+ sfPolicyUserDataSetCurrent(imap_swap_config, pPolicyConfig);
+
+ IMAP_InitCmds(pPolicyConfig);
+ IMAP_ParseArgs(pPolicyConfig, args);
+
+ IMAP_CheckConfig(pPolicyConfig, imap_swap_config);
+ IMAP_PrintConfig(pPolicyConfig);
+
+ if( pPolicyConfig->disabled )
+ return;
+
+ if (_dpd.streamAPI == NULL)
+ {
+ DynamicPreprocessorFatalMessage("Streaming & reassembly must be enabled "
+ "for IMAP preprocessor\n");
+ }
+
+ /* Command search - do this here because it's based on configuration */
+ pPolicyConfig->cmd_search_mpse = _dpd.searchAPI->search_instance_new();
+ if (pPolicyConfig->cmd_search_mpse == NULL)
+ {
+ DynamicPreprocessorFatalMessage("Could not allocate IMAP "
+ "command search.\n");
+ }
+
+ for (tmp = pPolicyConfig->cmds; tmp->name != NULL; tmp++)
+ {
+ pPolicyConfig->cmd_search[tmp->search_id].name = tmp->name;
+ pPolicyConfig->cmd_search[tmp->search_id].name_len = tmp->name_len;
+
+ _dpd.searchAPI->search_instance_add(pPolicyConfig->cmd_search_mpse, tmp->name,
+ tmp->name_len, tmp->search_id);
+ }
+
+ _dpd.searchAPI->search_instance_prep(pPolicyConfig->cmd_search_mpse);
+
+ _dpd.addPreproc(IMAPDetect, PRIORITY_APPLICATION, PP_IMAP, PROTO_BIT__TCP);
+
+ _addPortsToStream5Filter(pPolicyConfig, policy_id);
+
+#ifdef TARGET_BASED
+ _addServicesToStream5Filter(policy_id);
+#endif
+}
+
+static int IMAPReloadVerify(void)
+{
+ IMAPConfig *config = NULL;
+ IMAPConfig *configNext = NULL;
+
+ if (imap_swap_config == NULL)
+ return 0;
+
+ if (imap_config != NULL)
+ {
+ config = (IMAPConfig *)sfPolicyUserDataGet(imap_config, _dpd.getDefaultPolicy());
+ }
+
+ configNext = (IMAPConfig *)sfPolicyUserDataGet(imap_swap_config, _dpd.getDefaultPolicy());
+
+ if (config == NULL)
+ {
+ return 0;
+ }
+
+ if (imap_mempool != NULL)
+ {
+ if (configNext == NULL)
+ {
+ _dpd.errMsg("IMAP reload: Changing the IMAP configuration requires a restart.\n");
+ IMAP_FreeConfigs(imap_swap_config);
+ imap_swap_config = NULL;
+ return -1;
+ }
+ if (configNext->memcap != config->memcap)
+ {
+ _dpd.errMsg("IMAP reload: Changing the memcap requires a restart.\n");
+ IMAP_FreeConfigs(imap_swap_config);
+ imap_swap_config = NULL;
+ return -1;
+ }
+ if(configNext->b64_depth != config->b64_depth)
+ {
+ _dpd.errMsg("IMAP reload: Changing the b64_decode_depth requires a restart.\n");
+ IMAP_FreeConfigs(imap_swap_config);
+ imap_swap_config = NULL;
+ return -1;
+ }
+ if(configNext->qp_depth != config->qp_depth)
+ {
+ _dpd.errMsg("IMAP reload: Changing the qp_decode_depth requires a restart.\n");
+ IMAP_FreeConfigs(imap_swap_config);
+ imap_swap_config = NULL;
+ return -1;
+ }
+ if(configNext->bitenc_depth != config->bitenc_depth)
+ {
+ _dpd.errMsg("IMAP reload: Changing the bitenc_decode_depth requires a restart.\n");
+ IMAP_FreeConfigs(imap_swap_config);
+ imap_swap_config = NULL;
+ return -1;
+ }
+ if(configNext->uu_depth != config->uu_depth)
+ {
+ _dpd.errMsg("IMAP reload: Changing the uu_decode_depth requires a restart.\n");
+ IMAP_FreeConfigs(imap_swap_config);
+ imap_swap_config = NULL;
+ return -1;
+ }
+
+ }
+ else if(configNext != NULL)
+ {
+ if (sfPolicyUserDataIterate(imap_swap_config, IMAPEnableDecoding) != 0)
+ {
+ int encode_depth;
+ int max_sessions;
+
+
+ encode_depth = configNext->max_depth;
+
+ if (encode_depth & 7)
+ {
+ encode_depth += (8 - (encode_depth & 7));
+ }
+
+ max_sessions = configNext->memcap / ( 2 * encode_depth);
+
+ imap_mempool = (MemPool *)calloc(1, sizeof(MemPool));
+
+ if (mempool_init(imap_mempool, max_sessions,
+ (2 * encode_depth)) != 0)
+ {
+ DynamicPreprocessorFatalMessage("IMAP: Could not allocate IMAP mempool.\n");
+ }
+ }
+
+ }
+
+
+ if ( configNext->disabled )
+ return 0;
+
+
+ if (!_dpd.isPreprocEnabled(PP_STREAM5))
+ {
+ DynamicPreprocessorFatalMessage("Streaming & reassembly must be enabled "
+ "for IMAP preprocessor\n");
+ }
+
+ return 0;
+}
+
+static int IMAPReloadSwapPolicy(
+ tSfPolicyUserContextId config,
+ tSfPolicyId policyId,
+ void* pData
+ )
+{
+ IMAPConfig *pPolicyConfig = (IMAPConfig *)pData;
+
+ if (pPolicyConfig->ref_count == 0)
+ {
+ sfPolicyUserDataClear (config, policyId);
+ IMAP_FreeConfig(pPolicyConfig);
+ }
+
+ return 0;
+}
+
+static void * IMAPReloadSwap(void)
+{
+ tSfPolicyUserContextId old_config = imap_config;
+
+ if (imap_swap_config == NULL)
+ return NULL;
+
+ imap_config = imap_swap_config;
+ imap_swap_config = NULL;
+
+ sfPolicyUserDataIterate (old_config, IMAPReloadSwapPolicy);
+
+ if (sfPolicyUserPolicyGetActive(old_config) == 0)
+ IMAP_FreeConfigs(old_config);
+
+ return NULL;
+}
+
+static void IMAPReloadSwapFree(void *data)
+{
+ if (data == NULL)
+ return;
+
+ IMAP_FreeConfigs((tSfPolicyUserContextId)data);
+}
+#endif
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/imap/spp_imap.h snort-2.9.2/src/dynamic-preprocessors/imap/spp_imap.h
--- snort-2.8.5.2/src/dynamic-preprocessors/imap/spp_imap.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/imap/spp_imap.h 2011-06-08 00:33:14.000000000 +0000
@@ -0,0 +1,37 @@
+
+/*
+ * spp_imap.h
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * Author: Bhagyashree Bantwal
+ *
+ * Description:
+ *
+ * This file defines the publicly available functions for the IMAP
+ * functionality for Snort.
+ *
+ */
+
+#ifndef __SPP_IMAP_H__
+#define __SPP_IMAP_H__
+
+void SetupIMAP(void);
+
+#endif
+
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/libs/Makefile.am snort-2.9.2/src/dynamic-preprocessors/libs/Makefile.am
--- snort-2.8.5.2/src/dynamic-preprocessors/libs/Makefile.am 2007-11-15 18:00:06.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/libs/Makefile.am 2011-06-08 00:33:14.000000000 +0000
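Review bot: The include guard `__SPP_IMAP_H__` is an identifier reserved for the implementation (any name containing a double underscore), so it can collide with compiler or libc macros; a name without the reserved prefix avoids that, e.g. `#ifndef SPP_IMAP_H` / `#define SPP_IMAP_H`. The sibling header added in this same diff, sf_preproc_info.h, already uses the non-reserved form `SF_PREPROC_INFO_H_`, so matching it also keeps the two new headers consistent. The description comment could also name what SetupIMAP registers rather than only saying it is "publicly available", if that is known to the author.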
@@ -5,5 +5,17 @@ ssl.c \ ssl.h \ sfparser.c \ -sfcommon.h +sfcommon.h \ +sf_preproc_info.h \ +snort_preproc.pc.in +if HAVE_DYNAMIC_PLUGINS + +if SO_WITH_STATIC_LIB + +pkgconfigdir = $(libdir)/pkgconfig +pkgconfig_DATA = snort_preproc.pc + +endif + +endif diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/libs/Makefile.in snort-2.9.2/src/dynamic-preprocessors/libs/Makefile.in --- snort-2.8.5.2/src/dynamic-preprocessors/libs/Makefile.in 2009-10-19 21:18:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/libs/Makefile.in 2011-12-07 19:23:19.000000000 +0000 @@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -13,10 +14,12 @@ # PARTICULAR PURPOSE. @SET_MAKE@ + VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c @@ -32,7 +35,8 @@ build_triplet = @build@ host_triplet = @host@ subdir = src/dynamic-preprocessors/libs -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ + $(srcdir)/snort_preproc.pc.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/libprelude.m4 \ $(top_srcdir)/configure.in 
@@ -40,11 +44,35 @@ $(ACLOCAL_M4) mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h -CONFIG_CLEAN_FILES = +CONFIG_CLEAN_FILES = snort_preproc.pc +CONFIG_CLEAN_VPATH_FILES = depcomp = am__depfiles_maybe = SOURCES = DIST_SOURCES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(pkgconfigdir)" +DATA = $(pkgconfig_DATA) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ 
@@ -55,31 +83,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ @@ -92,12 +120,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -105,20 +139,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -150,6 +191,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -162,6 +204,7 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies @@ -170,8 +213,12 @@ ssl.c \ ssl.h \ sfparser.c \ -sfcommon.h +sfcommon.h \ +sf_preproc_info.h \ +snort_preproc.pc.in +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@pkgconfigdir = $(libdir)/pkgconfig +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@pkgconfig_DATA = snort_preproc.pc all: all-am .SUFFIXES: 
@@ -179,14 +226,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/libs/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/dynamic-preprocessors/libs/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/libs/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-preprocessors/libs/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ 
@@ -204,12 +251,35 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +snort_preproc.pc: $(top_builddir)/config.status $(srcdir)/snort_preproc.pc.in + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs +install-pkgconfigDATA: $(pkgconfig_DATA) + @$(NORMAL_INSTALL) + test -z "$(pkgconfigdir)" || $(MKDIR_P) "$(DESTDIR)$(pkgconfigdir)" + @list='$(pkgconfig_DATA)'; test -n "$(pkgconfigdir)" || list=; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(pkgconfigdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(pkgconfigdir)" || exit $$?; \ + done + +uninstall-pkgconfigDATA: + @$(NORMAL_UNINSTALL) + @list='$(pkgconfig_DATA)'; test -n "$(pkgconfigdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + test -n "$$files" || exit 0; \ + echo " ( cd '$(DESTDIR)$(pkgconfigdir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(pkgconfigdir)" && rm -f $$files tags: TAGS TAGS: 
@@ -233,20 +303,27 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am -all-am: Makefile +all-am: Makefile $(DATA) installdirs: + for dir in "$(DESTDIR)$(pkgconfigdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done install: install-am install-exec: install-exec-am install-data: install-data-am @@ -267,6 +344,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -285,26 +363,38 @@ html: html-am +html-am: + info: info-am info-am: -install-data-am: +install-data-am: install-pkgconfigDATA install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am @@ -323,7 +413,7 @@ ps-am: -uninstall-am: +uninstall-am: uninstall-pkgconfigDATA .MAKE: install-am install-strip 
@@ -333,10 +423,12 @@ install-data install-data-am install-dvi install-dvi-am \ install-exec install-exec-am install-html install-html-am \ install-info install-info-am install-man install-pdf \ - install-pdf-am install-ps install-ps-am install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-generic \ - mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am + install-pdf-am install-pkgconfigDATA install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + uninstall uninstall-am uninstall-pkgconfigDATA + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/libs/sfcommon.h snort-2.9.2/src/dynamic-preprocessors/libs/sfcommon.h --- snort-2.8.5.2/src/dynamic-preprocessors/libs/sfcommon.h 2009-05-06 22:29:02.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/libs/sfcommon.h 2011-06-08 00:33:14.000000000 +0000 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2007-2009 Sourcefire, Inc. + * Copyright (C) 2007-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -21,8 +21,8 @@ #ifndef DYN_PP_PARSER_H #define DYN_PP_PARSER_H -#include "sf_types.h" -#include "debug.h" +#include "snort_bounds.h" +#include "snort_debug.h" #define SFP_MIN_ERR_STR 128 
@@ -41,9 +41,9 @@ typedef char SFP_errstr_t[SFP_MIN_ERR_STR + 1]; -static INLINE char *SFP_GET_ERR(SFP_errstr_t err) +static inline char *SFP_GET_ERR(SFP_errstr_t err) { - return (char*)err; + return (char*)err; } SFP_ret_t SFP_ports(ports_tbl_t ports, char *str, SFP_errstr_t errstr); diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp snort-2.9.2/src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp --- snort-2.8.5.2/src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp 2009-05-06 22:29:02.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp 2011-10-26 18:28:52.000000000 +0000 @@ -37,15 +37,16 @@ # PROP BASE Output_Dir "Release" # PROP BASE Intermediate_Dir "Release" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "Release" # PROP Intermediate_Dir "Release" # PROP Target_Dir "" # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_MBCS" /D "_LIB" /YX /FD /c -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "_LIB" /D "PERF_PROFILING" /D "SF_SNORT_PREPROC_DLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "ENABLE_PAF" /D "_LIB" /D "SF_SNORT_PREPROC_DLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ACTIVE_RESPONSE" /D "_AFXDLL" /FD /c +# SUBTRACT CPP /YX # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo 
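Review bot: Replacing the `INLINE` portability macro with the bare C99 keyword in `static inline char *SFP_GET_ERR(SFP_errstr_t err)` means every translation unit that includes sfcommon.h must now be compiled in a mode where `inline` is a keyword; the .dsp changes elsewhere in this diff suggest the header is still built with MSVC, whose C mode has historically not accepted `inline`, so this may need an `#ifdef _MSC_VER` fallback or to keep the macro. The `(char*)` cast in the body is also redundant: `SFP_errstr_t` is an array typedef, so the parameter has already decayed to `char *`, and `return err;` says the same thing without hiding a conversion. If the cast is kept on purpose, a one-line comment such as `/* err decays to char *; cast kept for older compilers */` would tell the next reader why.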
@@ -60,15 +61,16 @@ # PROP BASE Output_Dir "Debug" # PROP BASE Intermediate_Dir "Debug" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "Debug" # PROP Intermediate_Dir "Debug" # PROP Target_Dir "" # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_MBCS" /D "_LIB" /YX /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "_LIB" /D "PERF_PROFILING" /D "SF_SNORT_PREPROC_DLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\\" /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "ENABLE_PAF" /D "_LIB" /D "SF_SNORT_PREPROC_DLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ACTIVE_RESPONSE" /D "_AFXDLL" /FD /GZ /c +# SUBTRACT CPP /YX # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo 
@@ -83,15 +85,16 @@ # PROP BASE Output_Dir "sfdynamic_preproc_libs___Win32_IPv6_Debug" # PROP BASE Intermediate_Dir "sfdynamic_preproc_libs___Win32_IPv6_Debug" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "IPv6_Debug" # PROP Intermediate_Dir "IPv6_Debug" # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_LIB" /D "_DEBUG" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /YX /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "SUP_IP6" /D "_WINDOWS" /D "_USRDLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "_LIB" /D "PERF_PROFILING" /D "SF_SNORT_PREPROC_DLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "_WINDOWS" /D "_USRDLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "ENABLE_PAF" /D "_LIB" /D "SF_SNORT_PREPROC_DLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ACTIVE_RESPONSE" /D "_AFXDLL" /FD /GZ /c +# SUBTRACT CPP /YX # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo 
@@ -106,15 +109,16 @@ # PROP BASE Output_Dir "sfdynamic_preproc_libs___Win32_IPv6_Release" # PROP BASE Intermediate_Dir "sfdynamic_preproc_libs___Win32_IPv6_Release" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "IPv6_Release" # PROP Intermediate_Dir "IPv6_Release" # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "_LIB" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /YX /FD /c -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SUP_IP6" /D "_WINDOWS" /D "_USRDLL" /D "_LIB" /D "PERF_PROFILING" /D "SF_SNORT_PREPROC_DLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "_WINDOWS" /D "_USRDLL" /D "ENABLE_PAF" /D "_LIB" /D "SF_SNORT_PREPROC_DLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ACTIVE_RESPONSE" /D "_AFXDLL" /FD /c +# SUBTRACT CPP /YX # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/libs/sfparser.c snort-2.9.2/src/dynamic-preprocessors/libs/sfparser.c --- snort-2.8.5.2/src/dynamic-preprocessors/libs/sfparser.c 2009-05-06 22:29:03.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/libs/sfparser.c 2011-06-08 00:33:14.000000000 +0000 
@@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2007-2009 Sourcefire, Inc. + * Copyright (C) 2007-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -27,6 +27,7 @@ #include #include #include +#include "sf_types.h" #include "sfcommon.h" #include "ctype.h" @@ -38,7 +39,7 @@ /* tok exceeded errstr. Overwrite trailing characters for \ * printability */ \ strcpy(((char*)errstr) + SFP_MIN_ERR_STR-4, "..."); \ - } + } #define CLR_ERR() ((char*)errstr)[0] = 0; @@ -48,10 +49,10 @@ char end_brace_found = 0; char port_found = 0; - if(!str) + if(!str) { SET_ERR("%s", "Invalid pointer"); - return SFP_ERROR; + return SFP_ERROR; } if((tok = strtok_r(str, " ", &saveptr)) == NULL) @@ -61,7 +62,7 @@ } /* This string had better start with a '{' and end with a '}', or else! */ - if(strcmp(tok, "{")) + if(strcmp(tok, "{")) { SET_ERR("Malformed port list: %s. Expecting a leading '{ '", tok); return SFP_ERROR; @@ -85,7 +86,7 @@ end_brace_found = 1; continue; } - + errno = 0; port = strtol(tok, &port_end, 10); if((port_end == tok) || @@ -104,7 +105,7 @@ port_tbl[ PORT_INDEX(port) ] |= CONV_PORT(port); port_found = 1; - } + } if(!end_brace_found) { diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/libs/sf_preproc_info.h snort-2.9.2/src/dynamic-preprocessors/libs/sf_preproc_info.h --- snort-2.8.5.2/src/dynamic-preprocessors/libs/sf_preproc_info.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/libs/sf_preproc_info.h 2011-06-08 00:33:14.000000000 +0000 
@@ -0,0 +1,42 @@
+/*
+ * sf_preproc_info.h
+ *
+ * Copyright (C) 2006-2011 Sourcefire,Inc
+ * Steven A. Sturges
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Description:
+ *
+ * This file is part of the dynamically loadable preprocessor library. The
+ * items must be globally defined within the source file of a given
+ * preprocessor.
+ *
+ * NOTES:
+ *
+ */
+#ifndef SF_PREPROC_INFO_H_
+#define SF_PREPROC_INFO_H_
+
+extern const int MAJOR_VERSION;
+extern const int MINOR_VERSION;
+extern const int BUILD_VERSION;
+extern const char *PREPROC_NAME;
+
+extern void DYNAMIC_PREPROC_SETUP(void);
+
+#endif /* SF_PREPROC_INFO_H_ */
+
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/libs/snort_preproc.pc.in snort-2.9.2/src/dynamic-preprocessors/libs/snort_preproc.pc.in
--- snort-2.8.5.2/src/dynamic-preprocessors/libs/snort_preproc.pc.in 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/libs/snort_preproc.pc.in 2011-06-08 00:33:14.000000000 +0000
@@ -0,0 +1,18 @@ +prefix=@prefix@ +exec_prefix=@exec_prefix@ +bindir=@bindir@ +libdir=@libdir@ +package=@PACKAGE@ +includedir=@includedir@ +datarootdir=@datarootdir@ +datadir=@datadir@ +mandir=@infodir@ +infodir=@infodir@ + +Name: Snort +Description: Snort dynamic preprocessors +URL: www.snort.org +Version: @VERSION@ +Libs: -L${libdir}/${package}/dynamic_preproc -lsf_dynamic_preproc +Cflags: -I${includedir}/${package}/dynamic_preproc @CONFIGFLAGS@ @CCONFIGFLAGS@ @ICONFIGFLAGS@ + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/libs/ssl.c snort-2.9.2/src/dynamic-preprocessors/libs/ssl.c --- snort-2.8.5.2/src/dynamic-preprocessors/libs/ssl.c 2009-05-06 22:29:03.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/libs/ssl.c 2011-02-09 23:23:21.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 1998-2009 Sourcefire, Inc. + * Copyright (C) 1998-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -23,9 +23,9 @@ * ssl.c * 10/09/07 */ -#ifdef HAVE_CONFIG_H -#include -#endif +#ifdef HAVE_CONFIG_H +#include +#endif #ifndef WIN32 #include @@ -70,7 +70,7 @@ return SSL_BAD_VER_FLAG; } -static uint32_t SSL_decode_handshake_v3(const uint8_t *pkt , uint32_t size, +static uint32_t SSL_decode_handshake_v3(const uint8_t *pkt , int size, uint32_t cur_flags, uint32_t pkt_flags) { SSL_handshake_t *handshake; @@ -80,7 +80,7 @@ while (size > 0) { - if (size < SSL_HS_PAYLOAD_OFFSET) + if (size < (int)SSL_HS_PAYLOAD_OFFSET) { retval |= SSL_TRUNCATED_FLAG; break; 
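Review bot: `mandir=@infodir@` in the new snort_preproc.pc.in substitutes the info directory into the man directory variable, so anything that reads `mandir` from this file gets the wrong path; it should read `mandir=@mandir@`, matching the `infodir=@infodir@` line directly below it. The `URL: www.snort.org` field also has no scheme; pkg-config does not validate it, but `URL: http://www.snort.org` is the conventional form and is what URL-aware consumers expect.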
@@ -99,32 +99,25 @@ * It was written this way for performance */ hs_len = THREE_BYTE_LEN(handshake->length); - if(size < hs_len) - { - retval |= SSL_TRUNCATED_FLAG; - break; - } - switch(handshake->type) { case SSL_HS_CHELLO: + if(pkt_flags & FLAG_FROM_SERVER) + retval |= SSL_BOGUS_HS_DIR_FLAG; + else + retval |= SSL_CLIENT_HELLO_FLAG | SSL_CUR_CLIENT_HELLO_FLAG; + /* This type of record contains a version string. */ /* Make sure there is room for a version. */ - if(size < sizeof(uint16_t)) + if (size < (int)sizeof(uint16_t)) { retval |= SSL_TRUNCATED_FLAG; break; } hello = (SSL_handshake_hello_t *)handshake; - retval |= SSL_decode_version_v3(hello->major, hello->minor); - if(pkt_flags & FLAG_FROM_SERVER) - retval |= SSL_BOGUS_HS_DIR_FLAG; - else - retval |= SSL_CLIENT_HELLO_FLAG | SSL_CUR_CLIENT_HELLO_FLAG; - /* Compare version of record with version of handshake */ if((cur_flags & SSL_VERFLAGS) != (retval & SSL_VERFLAGS)) retval |= SSL_BAD_VER_FLAG; @@ -132,22 +125,21 @@ break; case SSL_HS_SHELLO: + if(pkt_flags & FLAG_FROM_SERVER) + retval |= SSL_SERVER_HELLO_FLAG | SSL_CUR_SERVER_HELLO_FLAG; + else + retval |= SSL_BOGUS_HS_DIR_FLAG; + /* This type of record contains a version string. */ - if(size < sizeof(uint16_t)) + if (size < (int)sizeof(uint16_t)) { retval |= SSL_TRUNCATED_FLAG; break; } hello = (SSL_handshake_hello_t *)handshake; - retval |= SSL_decode_version_v3(hello->major, hello->minor); - if(pkt_flags & FLAG_FROM_SERVER) - retval |= SSL_SERVER_HELLO_FLAG | SSL_CUR_SERVER_HELLO_FLAG; - else - retval |= SSL_BOGUS_HS_DIR_FLAG; - /* Compare version of record with version of handshake */ if((cur_flags & SSL_VERFLAGS) != (retval & SSL_VERFLAGS)) retval |= SSL_BAD_VER_FLAG; 
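Review bot: In the SSL_HS_CHELLO and SSL_HS_SHELLO cases the hello and direction flags are now set before the `if (size < (int)sizeof(uint16_t))` check, so a truncated hello returns SSL_CLIENT_HELLO_FLAG (or SSL_SERVER_HELLO_FLAG) together with SSL_TRUNCATED_FLAG but without any version flags, and the `break` skips the version comparison that follows; callers that previously treated those flags as "a complete hello was seen" may behave differently. If this reordering is intended, a comment above the first `if(pkt_flags & FLAG_FROM_SERVER)` would make it explicit, e.g. `/* Record the hello direction before the length check so a truncated hello still counts as a hello. */`. Removing the `if(size < hs_len)` guard relies on `size` going negative and being caught after the loop by the `if (size < 0)` added in a later hunk, which only holds if a `size -= hs_len` precedes the `pkt += hs_len` there; that statement is not visible in this hunk. SSL_decode_handshake_v3 begins and ends outside this hunk.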
@@ -199,19 +191,22 @@ pkt += hs_len; } + if (size < 0) + retval |= SSL_TRUNCATED_FLAG; + return retval; } -static uint32_t SSL_decode_v3(const uint8_t *pkt, uint32_t size, uint32_t pkt_flags) +static uint32_t SSL_decode_v3(const uint8_t *pkt, int size, uint32_t pkt_flags) { SSL_record_t *record; uint32_t retval = 0; - uint32_t reclen; + uint16_t reclen; int ccs = 0; /* Set if we see a Change Cipher Spec and reset after the next record */ while(size > 0) { - if(size < SSL_REC_PAYLOAD_OFFSET) + if (size < (int)SSL_REC_PAYLOAD_OFFSET) { retval |= SSL_TRUNCATED_FLAG; break; @@ -221,25 +216,17 @@ pkt += SSL_REC_PAYLOAD_OFFSET; size -= SSL_REC_PAYLOAD_OFFSET; - reclen = ntohs(record->length); - - if (size < reclen) - { - if (record->type != SSL_APPLICATION_REC) - retval |= SSL_TRUNCATED_FLAG; - - break; - } - retval |= SSL_decode_version_v3(record->major, record->minor); + reclen = ntohs(record->length); + switch (record->type) { case SSL_CHANGE_CIPHER_REC: retval |= SSL_CHANGE_CIPHER_FLAG; /* If there is another record, mark it as possibly encrypted */ - if((size - reclen) > 0) + if((size - (int)reclen) > 0) retval |= SSL_POSSIBLY_ENC_FLAG; ccs = 1; @@ -255,7 +242,8 @@ * record should be encrypted */ if(!(retval & SSL_CHANGE_CIPHER_FLAG)) { - retval |= SSL_decode_handshake_v3(pkt, reclen, retval, pkt_flags); + int hsize = size < (int)reclen ? size : (int)reclen; + retval |= SSL_decode_handshake_v3(pkt, hsize, retval, pkt_flags); } else if (ccs) { @@ -287,13 +275,16 @@ pkt += reclen; } + if (size < 0) + retval |= SSL_TRUNCATED_FLAG; + if(!(retval & SSL_VERFLAGS) || (retval & SSL_BAD_VER_FLAG)) return retval | SSL_UNKNOWN_FLAG; return retval; } -static uint32_t SSL_decode_v2(const uint8_t *pkt, uint32_t size, uint32_t pkt_flags) +static uint32_t SSL_decode_v2(const uint8_t *pkt, int size, uint32_t pkt_flags) { uint16_t reclen; SSLv2_chello_t *chello; 
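Review bot: The new `if (size < 0) retval |= SSL_TRUNCATED_FLAG;` after the record loop in SSL_decode_v3 (hunk `@@ -287,13 +275,16 @@`) flags any record whose length exceeds the remaining data, whereas the check removed in hunk `@@ -221,25 +216,17 @@` deliberately exempted SSL_APPLICATION_REC, so a partially received application-data record now reports SSL_TRUNCATED_FLAG where it previously did not; since this flag feeds the caller's decision about the stream, that is a detection-visible change rather than a cleanup. If the exemption is still wanted, the loop needs to remember the last record type, e.g. `if (size < 0 && last_type != SSL_APPLICATION_REC) retval |= SSL_TRUNCATED_FLAG;` with `last_type = record->type;` set each iteration. Separately, with the length check gone, `pkt += reclen;` at the end of the loop (and likewise `pkt += hs_len;` in SSL_decode_handshake_v3 here and `pkt += (reclen + 2);` in SSL_decode_v2 on the next line) advances the pointer past the end of the buffer on a truncated record; the value is never dereferenced because the loop exits on `size <= 0`, but forming it is undefined behaviour in C, so clamping the advance to the remaining size would be cleaner. The first point assumes the `size -= reclen` that the `(size - (int)reclen)` test implies follows inside the loop; it is not visible in the hunk.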
@@ -313,15 +304,6 @@ * with the length */ reclen = ntohs(record->length) & 0x7fff; - /* Validate length */ - if(size < (uint32_t)(reclen + 2)) /* 2 is for the size of the length field */ - { - /* reclen is too long for the packet, but the packet is large enough - * for our purposes. Don't return */ - retval |= SSL_TRUNCATED_FLAG; - break; - } - switch(record->type) { case SSL_V2_CHELLO: @@ -330,7 +312,7 @@ else retval |= SSL_CLIENT_HELLO_FLAG | SSL_CUR_CLIENT_HELLO_FLAG ; - if(size < sizeof(SSLv2_chello_t)) + if (size < (int)sizeof(SSLv2_chello_t)) { retval |= SSL_TRUNCATED_FLAG | SSL_UNKNOWN_FLAG; break; @@ -352,7 +334,7 @@ else retval |= SSL_SERVER_HELLO_FLAG | SSL_CUR_SERVER_HELLO_FLAG; - if(size < sizeof(SSLv2_shello_t)) + if (size < (int)sizeof(SSLv2_shello_t)) { retval |= SSL_TRUNCATED_FLAG | SSL_UNKNOWN_FLAG; break; @@ -380,10 +362,13 @@ pkt += (reclen + 2); } + if (size < 0) + retval |= SSL_TRUNCATED_FLAG; + return retval | SSL_VER_SSLV2_FLAG; } -uint32_t SSL_decode(const uint8_t *pkt, uint32_t size, uint32_t pkt_flags) +uint32_t SSL_decode(const uint8_t *pkt, int size, uint32_t pkt_flags) { SSL_record_t *record; uint16_t reclen; @@ -392,7 +377,7 @@ if(!pkt || !size) return SSL_ARG_ERROR_FLAG; - if(size < SSL_REC_PAYLOAD_OFFSET) + if (size < (int)SSL_REC_PAYLOAD_OFFSET) return SSL_TRUNCATED_FLAG | SSL_UNKNOWN_FLAG; /* Determine the protocol type. */ diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/libs/ssl.h snort-2.9.2/src/dynamic-preprocessors/libs/ssl.h --- snort-2.8.5.2/src/dynamic-preprocessors/libs/ssl.h 2009-05-06 22:29:03.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/libs/ssl.h 2011-02-09 23:23:21.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 1998-2009 Sourcefire, Inc. + * Copyright (C) 1998-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
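Review bot: With `size` now an `int`, the unchanged `if(!pkt || !size) return SSL_ARG_ERROR_FLAG;` in the -392 hunk no longer rejects every invalid length: a negative value passes it and is then reported by the next line as `SSL_TRUNCATED_FLAG | SSL_UNKNOWN_FLAG`, which attributes a caller error to the packet. `if(!pkt || size <= 0)` keeps the argument error distinct from a genuinely short record. SSL_decode's body continues outside the hunk.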
@@ -195,6 +195,6 @@ SSL_BAD_VER_FLAG | SSL_BAD_TYPE_FLAG | \ SSL_TRAILING_GARB_FLAG | SSL_UNKNOWN_FLAG)) -uint32_t SSL_decode(const uint8_t *pkt, uint32_t size, uint32_t pktflags); +uint32_t SSL_decode(const uint8_t *pkt, int size, uint32_t pktflags); #endif diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/Makefile.am snort-2.9.2/src/dynamic-preprocessors/Makefile.am --- snort-2.8.5.2/src/dynamic-preprocessors/Makefile.am 2009-12-15 23:27:53.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/Makefile.am 2011-10-26 18:28:52.000000000 +0000 
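Review bot: The prototype now takes `int size` but nothing in the header states what the decoder expects of it, and callers holding a `uint32_t` payload length will get an implicit narrowing at the call site. A comment above the declaration such as `/* size: payload length in bytes; must be non-negative and fit in an int */` would record the contract that the implementation's signed comparisons rely on.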
@@ -1,9 +1,88 @@ ## $Id$ AUTOMAKE_OPTIONS=foreign no-dependencies +INCLUDES = -I${top_builddir}/src/dynamic-preprocessors/include -I${top_srcdir}/src/dynamic-preprocessors/libs + +if HAVE_DYNAMIC_PLUGINS + +if SO_WITH_STATIC_LIB + +preproclibdir=$(pkglibdir)/dynamic_preproc + +preproclib_LTLIBRARIES = libsf_dynamic_preproc.la +libsf_dynamic_preproc_la_CFLAGS = -fPIC -DPIC +libsf_dynamic_preproc_la_LDFLAGS = -static + +nodist_libsf_dynamic_preproc_la_SOURCES = \ +include/sf_dynamic_preproc_lib.c \ +include/sf_ip.c \ +include/sfrt.c \ +include/sfrt_dir.c \ +include/sfrt_flat.c \ +include/sfrt_flat_dir.c \ +include/segment_mem.c \ +include/mempool.c \ +include/sf_sdlist.c \ +include/sfPolicyUserData.c \ +include/util_unfold.c \ +include/sf_base64decode.c \ +include/sf_email_attach_decode.c + +libsf_dynamic_preproc_la_SOURCES = \ +libs/ssl.c \ +libs/sfparser.c + +preprocdir=$(pkgincludedir)/dynamic_preproc + +nodist_preproc_HEADERS = \ +libs/ssl.h \ +libs/sfcommon.h \ +libs/sf_preproc_info.h \ +include/sf_snort_packet.h \ +include/sf_protocols.h \ +include/sf_snort_plugin_api.h \ +include/sf_decompression.h \ +include/sfPolicyUserData.h \ +include/snort_debug.h \ +include/snort_bounds.h \ +include/cpuclock.h \ +include/profiler.h \ +include/bitop.h \ +include/mempool.h \ +include/sf_sdlist_types.h \ +include/sf_ip.h \ +include/sfrt_flat.h \ +include/sfrt_flat_dir.h \ +include/segment_mem.h \ +include/sf_dynamic_common.h \ +include/sf_dynamic_engine.h \ +include/sf_dynamic_define.h \ +include/sf_dynamic_meta.h \ +include/sf_dynamic_preprocessor.h \ +include/sf_dynamic_preproc_lib.h \ +include/ipv6_port.h \ +include/sfPolicy.h \ +include/sfrt.h \ +include/sfrt_dir.h \ +include/sfrt_trie.h \ +include/obfuscation.h \ +include/stream_api.h \ +include/str_search.h \ +include/preprocids.h \ +include/attribute_table_api.h \ +include/sfcontrol.h \ +include/idle_processing.h + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/build install-preproclibLTLIBRARIES + +endif + 
+endif + BUILT_SOURCES = \ - include/bounds.h \ - include/debug.h \ + include/snort_bounds.h \ + include/snort_debug.h \ include/preprocids.h \ include/profiler.h \ include/cpuclock.h \ @@ -25,7 +104,9 @@ include/sfsnort_dynamic_detection_lib.c \ include/sfsnort_dynamic_detection_lib.h \ include/sf_snort_packet.h \ + include/sf_protocols.h \ include/sf_snort_plugin_api.h \ + include/sf_decompression.h \ include/pcap_pkthdr32.h \ include/stream_api.h \ include/str_search.h \ @@ -34,10 +115,37 @@ include/sfrt.c \ include/sfrt_dir.h \ include/sfrt_dir.c \ + include/sfrt_flat.h \ + include/sfrt_flat.c \ + include/sfrt_flat_dir.h \ + include/sfrt_flat_dir.c \ include/sfrt_trie.h \ + include/segment_mem.h \ + include/segment_mem.c \ + include/mempool.h \ + include/mempool.c \ + include/sf_sdlist.h \ + include/sf_sdlist_types.h \ + include/sf_sdlist.c \ include/sfPolicyUserData.c \ include/sfPolicyUserData.h \ - include/sfPolicy.h + include/sfPolicy.h \ + include/util_unfold.h \ + include/util_unfold.c \ + include/sf_base64decode.h \ + include/sf_base64decode.c \ + include/sf_email_attach_decode.h \ + include/sf_email_attach_decode.c \ + include/treenodes.h \ + include/signature.h \ + include/plugin_enum.h \ + include/obfuscation.h \ + include/rule_option_types.h \ + include/event.h \ + include/Unified2_common.h \ + include/attribute_table_api.h \ + include/sfcontrol.h \ + include/idle_processing.h sed_ipv6_headers = \ sed -e "s/->iph->ip_src/->ip4_header->source/" \ @@ -73,7 +181,10 @@ sed_headers = \ sed -e "s/Packet /SFSnortPacket /" \ + -e "s/SnortPktHdr /SFSnortPktHdr /" \ -e "s/decode\.h/sf_snort_packet.h/" \ + -e "/sfportobject\.h/d" \ + -e "s/PortObject \*/void */g" \ $$dst_header.new > $$dst_header massage_headers = \ 
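Review bot: The new `all-local` rule in the first hunk installs the static library at build time with `DESTDIR` derived from a shell `pwd`, which breaks when the build directory path contains spaces and differs from make's own view under symlinks; automake already provides `$(abs_builddir)`, so `$(MAKE) DESTDIR=$(abs_builddir)/build install-preproclibLTLIBRARIES` is the conventional form. An install step inside `all-local` is unusual enough that a comment explaining why it exists (presumably so the preprocessor subdirectories, built after `.` in `SUBDIRS`, can link against the installed copy) would help the next maintainer.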
@@ -115,16 +226,28 @@ $(sed_debug_header); \ fi +copy_error_message = \ + if test -f $$dst_header; then \ + sed -e "s/ErrorMessage/_dpd.errMsg/" \ + -e "s/LogMessage /_dpd.logMsg /" \ + -e "/util.h/d" \ + $$dst_header > $$dst_header.new; \ + mv $$dst_header.new $$dst_header; \ + fi + + + replace_policy_globals = \ if test -f $$dst_header; then \ sed -e "/SharedObjectAddStarts/d" \ -e "/SharedObjectAddEnds/d" \ -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" \ -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" \ + -e "s/SnortStrnStr/_dpd.SnortStrnStr/" \ $$dst_header > $$dst_header.new; \ mv $$dst_header.new $$dst_header; \ fi - + copy_headers = \ mkdir -p include; \ mkdir -p build; \ 
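Review bot: In `copy_error_message` the expression `-e "/util.h/d"` is an unanchored regex with an unescaped dot, so it deletes every line containing that substring, an `#include "sfutil.h"` or a comment mentioning it included, not just the `util.h` include it is evidently meant to strip; `-e '/#include.*"util\.h"/d'` limits it to the include line. The `s/ErrorMessage/_dpd.errMsg/` and `s/LogMessage /_dpd.logMsg /` substitutions are likewise unanchored and will rewrite any longer identifier that contains those names, which may be acceptable for the files this macro is applied to but is worth a comment on the macro naming which sources it is intended for.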
@@ -138,32 +261,60 @@ echo "Updating " $$dst_header; \ cp $$src_header $$dst_header; \ fi - + +sed_treenode_header = \ + sed -f $(srcdir)/treenodes.sed $$dst_header.new > $$dst_header + +copy_treenode_header = \ + mkdir -p include; \ + mkdir -p build; \ + if test -f $$dst_header; then \ + x=`diff $$src_header $$dst_header.new.new >> /dev/null`; \ + if test "$$x" != "0"; then \ + echo "Updating " $$dst_header; \ + cp $$src_header $$dst_header.new; \ + $(sed_treenode_header); \ + fi \ + else \ + echo "Updating " $$dst_header; \ + cp $$src_header $$dst_header.new; \ + $(sed_treenode_header); \ + fi + # From main src tree -include/debug.h: $(srcdir)/../debug.h +include/snort_debug.h: $(srcdir)/../snort_debug.h @src_header=$?; dst_header=$@; $(copy_debug_header) include/preprocids.h: $(srcdir)/../preprocids.h @src_header=$?; dst_header=$@; $(copy_headers) - + include/profiler.h: $(srcdir)/../profiler.h @src_header=$?; dst_header=$@; $(copy_headers) - + include/cpuclock.h: $(srcdir)/../cpuclock.h @src_header=$?; dst_header=$@; $(copy_headers) - + include/pcap_pkthdr32.h: $(srcdir)/../pcap_pkthdr32.h @src_header=$?; dst_header=$@; $(copy_headers) - -include/bounds.h: $(srcdir)/../bounds.h + +include/snort_bounds.h: $(srcdir)/../snort_bounds.h @src_header=$?; dst_header=$@; $(copy_headers) -include/ipv6_port.h: $(srcdir)/../ipv6_port.h +include/ipv6_port.h: $(srcdir)/../ipv6_port.h @src_header=$?; dst_header=$@; $(massage_ipv6_headers) include/sf_types.h: $(srcdir)/../sf_types.h @src_header=$?; dst_header=$@; $(copy_headers) +include/obfuscation.h: $(srcdir)/../obfuscation.h + @src_header=$?; dst_header=$@; $(massage_headers) + +include/rule_option_types.h: $(srcdir)/../rule_option_types.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/event.h: $(srcdir)/../event.h + @src_header=$?; dst_header=$@; $(copy_headers) + # From dynamic-plugins include/sf_dynamic_common.h: $(srcdir)/../dynamic-plugins/sf_dynamic_common.h @src_header=$?; dst_header=$@; $(copy_headers) 
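Review bot: In `copy_treenode_header` the assignment `x=` captures the stdout of the diff command, which the `>> /dev/null` has just discarded, rather than its exit status, so `$$x` is always empty, `test "$$x" != "0"` is always true and the header is regenerated on every make run; the comparison target `$$dst_header.new.new` also looks like a doubled suffix naming a file that nothing in this rule creates. `if ! diff -q $$src_header $$dst_header.new >/dev/null 2>&1; then` tests the intent directly, comparing against the unprocessed copy that the rule leaves in place. This appears to mirror the pre-existing `copy_headers` idiom, so that macro may deserve the same fix.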
@@ -178,7 +329,10 @@ @src_header=$?; dst_header=$@; $(copy_headers) include/sf_dynamic_preprocessor.h: $(srcdir)/../dynamic-plugins/sf_dynamic_preprocessor.h - @src_header=$?; dst_header=$@; $(copy_headers) + @src_header=$?; dst_header=$@; $(massage_headers) + +include/attribute_table_api.h: $(srcdir)/../dynamic-plugins/attribute_table_api.h + @src_header=$?; dst_header=$@; $(massage_headers) # From dynamic-plugins/sf_preproc_example include/sf_dynamic_preproc_lib.c: $(srcdir)/../dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c 
@@ -220,19 +374,73 @@ include/sfrt_dir.c: $(srcdir)/../sfutil/sfrt_dir.c @src_header=$?; dst_header=$@; $(copy_headers) + +include/sfrt_flat.h: $(srcdir)/../sfutil/sfrt_flat.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/sfrt_flat.c: $(srcdir)/../sfutil/sfrt_flat.c + @src_header=$?; dst_header=$@; $(copy_headers) +include/sfrt_flat_dir.h: $(srcdir)/../sfutil/sfrt_flat_dir.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/sfrt_flat_dir.c: $(srcdir)/../sfutil/sfrt_flat_dir.c + @src_header=$?; dst_header=$@; $(copy_headers) + include/sfrt_trie.h: $(srcdir)/../sfutil/sfrt_trie.h @src_header=$?; dst_header=$@; $(copy_headers) +include/segment_mem.c: $(srcdir)/../sfutil/segment_mem.c + @src_header=$?; dst_header=$@; $(copy_headers) + +include/segment_mem.h: $(srcdir)/../sfutil/segment_mem.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/mempool.h: $(srcdir)/../mempool.h + @src_header=$?; dst_header=$@; $(copy_headers); $(copy_error_message); $(replace_policy_globals) + +include/mempool.c: $(srcdir)/../mempool.c + @src_header=$?; dst_header=$@; $(copy_headers); $(copy_error_message); $(replace_policy_globals) + +include/sf_sdlist.h: $(srcdir)/../sf_sdlist.h + @src_header=$?; dst_header=$@; $(copy_headers); $(copy_error_message); $(replace_policy_globals) + +include/sf_sdlist_types.h: $(srcdir)/../sf_sdlist_types.h + @src_header=$?; dst_header=$@; $(copy_headers); $(copy_error_message); $(replace_policy_globals) + +include/sf_sdlist.c: $(srcdir)/../sf_sdlist.c + @src_header=$?; dst_header=$@; $(copy_headers); $(copy_error_message); $(replace_policy_globals) + include/sfPolicyUserData.c: $(srcdir)/../sfutil/sfPolicyUserData.c @src_header=$?; dst_header=$@; $(copy_headers); $(replace_policy_globals) - + include/sfPolicyUserData.h: $(srcdir)/../sfutil/sfPolicyUserData.h @src_header=$?; dst_header=$@; $(copy_headers); $(replace_policy_globals) - + include/sfPolicy.h: $(srcdir)/../sfutil/sfPolicy.h @src_header=$?; dst_header=$@; 
$(copy_headers); $(replace_policy_globals) - + +include/util_unfold.h: $(srcdir)/../sfutil/util_unfold.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/util_unfold.c: $(srcdir)/../sfutil/util_unfold.c + @src_header=$?; dst_header=$@; $(copy_headers) + +include/sf_base64decode.h: $(srcdir)/../sfutil/sf_base64decode.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/sf_base64decode.c: $(srcdir)/../sfutil/sf_base64decode.c + @src_header=$?; dst_header=$@; $(copy_headers) + +include/sf_email_attach_decode.h: $(srcdir)/../sfutil/sf_email_attach_decode.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/sf_email_attach_decode.c: $(srcdir)/../sfutil/sf_email_attach_decode.c + @src_header=$?; dst_header=$@; $(copy_headers); $(copy_error_message); $(replace_policy_globals) + +include/Unified2_common.h: $(srcdir)/../sfutil/Unified2_common.h + @src_header=$?; dst_header=$@; $(copy_headers) + # From dynamic-plugins/sf_engine/examples include/sfsnort_dynamic_detection_lib.c: $(srcdir)/../dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.c @src_header=$?; dst_header=$@; $(copy_headers) @@ -244,9 +452,15 @@ include/sf_snort_packet.h: $(srcdir)/../dynamic-plugins/sf_engine/sf_snort_packet.h @src_header=$?; dst_header=$@; $(copy_headers) +include/sf_protocols.h: $(srcdir)/../sf_protocols.h + @src_header=$?; dst_header=$@; $(copy_headers) + include/sf_snort_plugin_api.h: $(srcdir)/../dynamic-plugins/sf_engine/sf_snort_plugin_api.h @src_header=$?; dst_header=$@; $(copy_headers) +include/sf_decompression.h: $(srcdir)/../dynamic-plugins/sf_engine/sf_decompression.h + @src_header=$?; dst_header=$@; $(copy_headers) + # Stream API/String Searching, massage it to use SFSnortPacket include/stream_api.h: $(srcdir)/../preprocessors/stream_api.h @src_header=$?; dst_header=$@; $(massage_headers) 
@@ -254,10 +468,27 @@ include/str_search.h: $(srcdir)/../preprocessors/str_search.h @src_header=$?; dst_header=$@; $(massage_headers) -INCLUDES = @INCLUDES@ +include/treenodes.h: $(srcdir)/../treenodes.h + @src_header=$?; dst_header=$@; $(copy_treenode_header) + +include/signature.h: $(srcdir)/../signature.h + @src_header=$?; dst_header=$@; $(copy_treenode_header) + +include/plugin_enum.h: $(srcdir)/../plugin_enum.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/sfcontrol.h: $(top_srcdir)/src/control/sfcontrol.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/idle_processing.h: $(top_srcdir)/src/idle_processing.h + @src_header=$?; dst_header=$@; $(copy_headers) + +if WANT_SF_SAAC +RZB_SAAC_DIR=rzb_saac +endif if HAVE_DYNAMIC_PLUGINS -SUBDIRS = libs ftptelnet smtp ssh dcerpc dns ssl dcerpc2 +SUBDIRS = . libs ftptelnet pop imap smtp ssh dns ssl dcerpc2 sdf sip reputation gtp modbus dnp3 $(RZB_SAAC_DIR) endif clean-local: @@ -265,7 +496,8 @@ EXTRA_DIST = \ dynamic_preprocessors.dsp \ -sf_dynamic_initialize/sf_dynamic_initialize.dsp +sf_dynamic_initialize/sf_dynamic_initialize.dsp \ +treenodes.sed if HAVE_DYNAMIC_PLUGINS srcinstdir = $(exec_prefix)/src/snort_dynamicsrc 
@@ -280,21 +512,39 @@ include/sf_dynamic_preproc_lib.c \ include/sf_ip.h \ include/sf_snort_packet.h \ +include/sf_protocols.h \ include/sf_snort_plugin_api.h \ +include/sf_decompression.h \ include/sf_types.h \ include/sfsnort_dynamic_detection_lib.h \ include/sfsnort_dynamic_detection_lib.c \ include/pcap_pkthdr32.h \ include/str_search.h \ include/stream_api.h \ -include/debug.h \ +include/snort_debug.h \ include/profiler.h \ include/sfghash.h \ include/sfhashfcn.h \ include/bitop.h \ include/preprocids.h \ include/sfPolicyUserData.h \ -include/sfPolicyUserData.c +include/util_unfold.h \ +include/util_unfold.c \ +include/sf_base64decode.h \ +include/sf_base64decode.c \ +include/sf_email_attach_decode.h \ +include/sf_email_attach_decode.c \ +include/treenodes.h \ +include/signature.h \ +include/plugin_enum.h \ +include/sfPolicyUserData.c \ +include/obfuscation.h \ +include/rule_option_types.h \ +include/event.h \ +include/Unified2_common.h \ +include/attribute_table_api.h \ +include/sfcontrol.h \ +include/idle_processing.h install-data-local: @for f in $(exported_files); do \ @@ -317,6 +567,6 @@ ## Make the install directory. $(mkinstalldirs) $(DESTDIR)$(srcinstdir); \ ## Actually install the file. - $(RM) -f $(DESTDIR)$(srcinstdir)/$$truefile; \ + rm -f $(DESTDIR)$(srcinstdir)/$$truefile; \ done endif diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/Makefile.in snort-2.9.2/src/dynamic-preprocessors/Makefile.in --- snort-2.8.5.2/src/dynamic-preprocessors/Makefile.in 2009-10-19 21:17:59.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/Makefile.in 2011-12-07 19:23:18.000000000 +0000 
@@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -13,10 +14,13 @@ # PARTICULAR PURPOSE. @SET_MAKE@ + + VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c 
@@ -41,10 +45,73 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(preproclibdir)" \ + "$(DESTDIR)$(preprocdir)" +LTLIBRARIES = $(preproclib_LTLIBRARIES) +libsf_dynamic_preproc_la_LIBADD = +am__libsf_dynamic_preproc_la_SOURCES_DIST = libs/ssl.c libs/sfparser.c +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@am_libsf_dynamic_preproc_la_OBJECTS = libsf_dynamic_preproc_la-ssl.lo \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ libsf_dynamic_preproc_la-sfparser.lo +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@nodist_libsf_dynamic_preproc_la_OBJECTS = libsf_dynamic_preproc_la-sf_dynamic_preproc_lib.lo \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ libsf_dynamic_preproc_la-sf_ip.lo \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ libsf_dynamic_preproc_la-sfrt.lo \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ libsf_dynamic_preproc_la-sfrt_dir.lo \ 
+@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ libsf_dynamic_preproc_la-sfrt_flat.lo \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ libsf_dynamic_preproc_la-sfrt_flat_dir.lo \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ libsf_dynamic_preproc_la-segment_mem.lo \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ libsf_dynamic_preproc_la-mempool.lo \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ libsf_dynamic_preproc_la-sf_sdlist.lo \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ libsf_dynamic_preproc_la-sfPolicyUserData.lo \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ libsf_dynamic_preproc_la-util_unfold.lo \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ libsf_dynamic_preproc_la-sf_base64decode.lo \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ libsf_dynamic_preproc_la-sf_email_attach_decode.lo +libsf_dynamic_preproc_la_OBJECTS = \ + $(am_libsf_dynamic_preproc_la_OBJECTS) \ + $(nodist_libsf_dynamic_preproc_la_OBJECTS) +libsf_dynamic_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) \ + $(libsf_dynamic_preproc_la_LDFLAGS) $(LDFLAGS) -o $@ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@am_libsf_dynamic_preproc_la_rpath = \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ -rpath \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ $(preproclibdir) +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = am__depfiles_maybe = -SOURCES = -DIST_SOURCES = +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + 
$(LDFLAGS) -o $@ +SOURCES = $(libsf_dynamic_preproc_la_SOURCES) \ + $(nodist_libsf_dynamic_preproc_la_SOURCES) +DIST_SOURCES = $(am__libsf_dynamic_preproc_la_SOURCES_DIST) RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \ html-recursive info-recursive install-data-recursive \ install-dvi-recursive install-exec-recursive \ @@ -52,12 +119,42 @@ install-pdf-recursive install-ps-recursive install-recursive \ installcheck-recursive installdirs-recursive pdf-recursive \ ps-recursive uninstall-recursive +HEADERS = $(nodist_preproc_HEADERS) RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive +AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \ + $(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \ + distdir ETAGS = etags CTAGS = ctags -DIST_SUBDIRS = libs ftptelnet smtp ssh dcerpc dns ssl dcerpc2 +DIST_SUBDIRS = . libs ftptelnet pop imap smtp ssh dns ssl dcerpc2 sdf \ + sip reputation gtp modbus dnp3 rzb_saac DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +am__relativize = \ + dir0=`pwd`; \ + sed_first='s,^\([^/]*\)/.*$$,\1,'; \ + sed_rest='s,^[^/]*/*,,'; \ + sed_last='s,^.*/\([^/]*\)$$,\1,'; \ + sed_butlast='s,/*[^/]*$$,,'; \ + while test -n "$$dir1"; do \ + first=`echo "$$dir1" | sed -e "$$sed_first"`; \ + if test "$$first" != "."; then \ + if test "$$first" = ".."; then \ + dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ + dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ + else \ + first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ + if test "$$first2" = "$$first"; then \ + dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ + else \ + dir2="../$$dir2"; \ + fi; \ + dir0="$$dir0"/"$$first"; \ + fi; \ + fi; \ + dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ + done; \ + reldir="$$dir2" ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AR = @AR@ 
@@ -67,31 +164,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ -INCLUDES = @INCLUDES@ +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I${top_builddir}/src/dynamic-preprocessors/include -I${top_srcdir}/src/dynamic-preprocessors/libs INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ @@ -104,12 +201,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -117,20 +220,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -162,6 +272,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ 
@@ -174,12 +285,76 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@preproclibdir = $(pkglibdir)/dynamic_preproc +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@preproclib_LTLIBRARIES = libsf_dynamic_preproc.la +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@libsf_dynamic_preproc_la_CFLAGS = -fPIC -DPIC +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@libsf_dynamic_preproc_la_LDFLAGS = -static +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@nodist_libsf_dynamic_preproc_la_SOURCES = \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_dynamic_preproc_lib.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_ip.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sfrt.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sfrt_dir.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sfrt_flat.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sfrt_flat_dir.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/segment_mem.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/mempool.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_sdlist.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sfPolicyUserData.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/util_unfold.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_base64decode.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_email_attach_decode.c + +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@libsf_dynamic_preproc_la_SOURCES = \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@libs/ssl.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@libs/sfparser.c + 
+@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@preprocdir = $(pkgincludedir)/dynamic_preproc +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@nodist_preproc_HEADERS = \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@libs/ssl.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@libs/sfcommon.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@libs/sf_preproc_info.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_snort_packet.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_protocols.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_snort_plugin_api.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_decompression.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sfPolicyUserData.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/snort_debug.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/snort_bounds.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/cpuclock.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/profiler.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/bitop.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/mempool.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_sdlist_types.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_ip.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sfrt_flat.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sfrt_flat_dir.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/segment_mem.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_dynamic_common.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_dynamic_engine.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_dynamic_define.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_dynamic_meta.h \ 
+@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_dynamic_preprocessor.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_dynamic_preproc_lib.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/ipv6_port.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sfPolicy.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sfrt.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sfrt_dir.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sfrt_trie.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/obfuscation.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/stream_api.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/str_search.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/preprocids.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/attribute_table_api.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sfcontrol.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/idle_processing.h + BUILT_SOURCES = \ - include/bounds.h \ - include/debug.h \ + include/snort_bounds.h \ + include/snort_debug.h \ include/preprocids.h \ include/profiler.h \ include/cpuclock.h \ @@ -201,7 +376,9 @@ include/sfsnort_dynamic_detection_lib.c \ include/sfsnort_dynamic_detection_lib.h \ include/sf_snort_packet.h \ + include/sf_protocols.h \ include/sf_snort_plugin_api.h \ + include/sf_decompression.h \ include/pcap_pkthdr32.h \ include/stream_api.h \ include/str_search.h \ 
@@ -210,10 +387,37 @@ include/sfrt.c \ include/sfrt_dir.h \ include/sfrt_dir.c \ + include/sfrt_flat.h \ + include/sfrt_flat.c \ + include/sfrt_flat_dir.h \ + include/sfrt_flat_dir.c \ include/sfrt_trie.h \ + include/segment_mem.h \ + include/segment_mem.c \ + include/mempool.h \ + include/mempool.c \ + include/sf_sdlist.h \ + include/sf_sdlist_types.h \ + include/sf_sdlist.c \ include/sfPolicyUserData.c \ include/sfPolicyUserData.h \ - include/sfPolicy.h + include/sfPolicy.h \ + include/util_unfold.h \ + include/util_unfold.c \ + include/sf_base64decode.h \ + include/sf_base64decode.c \ + include/sf_email_attach_decode.h \ + include/sf_email_attach_decode.c \ + include/treenodes.h \ + include/signature.h \ + include/plugin_enum.h \ + include/obfuscation.h \ + include/rule_option_types.h \ + include/event.h \ + include/Unified2_common.h \ + include/attribute_table_api.h \ + include/sfcontrol.h \ + include/idle_processing.h sed_ipv6_headers = \ sed -e "s/->iph->ip_src/->ip4_header->source/" \ @@ -249,7 +453,10 @@ sed_headers = \ sed -e "s/Packet /SFSnortPacket /" \ + -e "s/SnortPktHdr /SFSnortPktHdr /" \ -e "s/decode\.h/sf_snort_packet.h/" \ + -e "/sfportobject\.h/d" \ + -e "s/PortObject \*/void */g" \ $$dst_header.new > $$dst_header massage_headers = \ @@ -291,12 +498,22 @@ $(sed_debug_header); \ fi +copy_error_message = \ + if test -f $$dst_header; then \ + sed -e "s/ErrorMessage/_dpd.errMsg/" \ + -e "s/LogMessage /_dpd.logMsg /" \ + -e "/util.h/d" \ + $$dst_header > $$dst_header.new; \ + mv $$dst_header.new $$dst_header; \ + fi + replace_policy_globals = \ if test -f $$dst_header; then \ sed -e "/SharedObjectAddStarts/d" \ -e "/SharedObjectAddEnds/d" \ -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" \ -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" \ + -e "s/SnortStrnStr/_dpd.SnortStrnStr/" \ $$dst_header > $$dst_header.new; \ mv $$dst_header.new $$dst_header; \ fi 
@@ -315,10 +532,31 @@ cp $$src_header $$dst_header; \ fi -@HAVE_DYNAMIC_PLUGINS_TRUE@SUBDIRS = libs ftptelnet smtp ssh dcerpc dns ssl dcerpc2 +sed_treenode_header = \ + sed -f $(srcdir)/treenodes.sed $$dst_header.new > $$dst_header + +copy_treenode_header = \ + mkdir -p include; \ + mkdir -p build; \ + if test -f $$dst_header; then \ + x=`diff $$src_header $$dst_header.new.new >> /dev/null`; \ + if test "$$x" != "0"; then \ + echo "Updating " $$dst_header; \ + cp $$src_header $$dst_header.new; \ + $(sed_treenode_header); \ + fi \ + else \ + echo "Updating " $$dst_header; \ + cp $$src_header $$dst_header.new; \ + $(sed_treenode_header); \ + fi + +@WANT_SF_SAAC_TRUE@RZB_SAAC_DIR = rzb_saac +@HAVE_DYNAMIC_PLUGINS_TRUE@SUBDIRS = . libs ftptelnet pop imap smtp ssh dns ssl dcerpc2 sdf sip reputation gtp modbus dnp3 $(RZB_SAAC_DIR) EXTRA_DIST = \ dynamic_preprocessors.dsp \ -sf_dynamic_initialize/sf_dynamic_initialize.dsp +sf_dynamic_initialize/sf_dynamic_initialize.dsp \ +treenodes.sed @HAVE_DYNAMIC_PLUGINS_TRUE@srcinstdir = $(exec_prefix)/src/snort_dynamicsrc @HAVE_DYNAMIC_PLUGINS_TRUE@exported_files = \ 
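Review bot: The freshness check in the new `copy_treenode_header` macro can never fire: ``x=`diff $$src_header $$dst_header.new.new >> /dev/null` `` captures diff's standard output, which the redirection has already sent to /dev/null, so `$$x` is always empty and `test "$$x" != "0"` is always true, meaning the header is re-copied and re-sed'ed on every make run; since `$$dst_header.new.new` does not appear to be created anywhere, diff also writes an error to stderr each time. Testing diff's exit status instead makes the check meaningful: `if diff $$src_header $$dst_header.new >/dev/null 2>&1; then :; else \`, with the three following lines unchanged. This Makefile.in is generated, so the correction belongs in the corresponding Makefile.am, which is outside this chunk; the `copy_headers` macro, whose tail is at the top of the hunk, may carry the same pattern and is worth checking there too.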
@@ -331,38 +569,57 @@ @HAVE_DYNAMIC_PLUGINS_TRUE@include/sf_dynamic_preproc_lib.c \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/sf_ip.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/sf_snort_packet.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/sf_protocols.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/sf_snort_plugin_api.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/sf_decompression.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/sf_types.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/sfsnort_dynamic_detection_lib.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/sfsnort_dynamic_detection_lib.c \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/pcap_pkthdr32.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/str_search.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/stream_api.h \ -@HAVE_DYNAMIC_PLUGINS_TRUE@include/debug.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/snort_debug.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/profiler.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/sfghash.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/sfhashfcn.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/bitop.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/preprocids.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/sfPolicyUserData.h \ -@HAVE_DYNAMIC_PLUGINS_TRUE@include/sfPolicyUserData.c +@HAVE_DYNAMIC_PLUGINS_TRUE@include/util_unfold.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/util_unfold.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/sf_base64decode.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/sf_base64decode.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/sf_email_attach_decode.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/sf_email_attach_decode.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/treenodes.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/signature.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/plugin_enum.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/sfPolicyUserData.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/obfuscation.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/rule_option_types.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/event.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/Unified2_common.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/attribute_table_api.h \ 
+@HAVE_DYNAMIC_PLUGINS_TRUE@include/sfcontrol.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/idle_processing.h all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive .SUFFIXES: +.SUFFIXES: .c .lo .o .obj $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/dynamic-preprocessors/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-preprocessors/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ 
@@ -380,12 +637,126 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-preproclibLTLIBRARIES: $(preproclib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(preproclibdir)" || $(MKDIR_P) "$(DESTDIR)$(preproclibdir)" + @list='$(preproclib_LTLIBRARIES)'; test -n "$(preproclibdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(preproclibdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(preproclibdir)"; \ + } + +uninstall-preproclibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(preproclib_LTLIBRARIES)'; test -n "$(preproclibdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(preproclibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(preproclibdir)/$$f"; \ + done + +clean-preproclibLTLIBRARIES: + -test -z "$(preproclib_LTLIBRARIES)" || rm -f $(preproclib_LTLIBRARIES) + @list='$(preproclib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libsf_dynamic_preproc.la: $(libsf_dynamic_preproc_la_OBJECTS) $(libsf_dynamic_preproc_la_DEPENDENCIES) + $(libsf_dynamic_preproc_la_LINK) $(am_libsf_dynamic_preproc_la_rpath) $(libsf_dynamic_preproc_la_OBJECTS) $(libsf_dynamic_preproc_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +.c.o: + $(COMPILE) -c $< + +.c.obj: + 
$(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: + $(LTCOMPILE) -c -o $@ $< + +libsf_dynamic_preproc_la-ssl.lo: libs/ssl.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-ssl.lo `test -f 'libs/ssl.c' || echo '$(srcdir)/'`libs/ssl.c + +libsf_dynamic_preproc_la-sfparser.lo: libs/sfparser.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-sfparser.lo `test -f 'libs/sfparser.c' || echo '$(srcdir)/'`libs/sfparser.c + +libsf_dynamic_preproc_la-sf_dynamic_preproc_lib.lo: include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-sf_dynamic_preproc_lib.lo `test -f 'include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`include/sf_dynamic_preproc_lib.c + +libsf_dynamic_preproc_la-sf_ip.lo: include/sf_ip.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-sf_ip.lo `test -f 'include/sf_ip.c' || echo '$(srcdir)/'`include/sf_ip.c + +libsf_dynamic_preproc_la-sfrt.lo: include/sfrt.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-sfrt.lo `test -f 'include/sfrt.c' || echo '$(srcdir)/'`include/sfrt.c + +libsf_dynamic_preproc_la-sfrt_dir.lo: include/sfrt_dir.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) 
--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-sfrt_dir.lo `test -f 'include/sfrt_dir.c' || echo '$(srcdir)/'`include/sfrt_dir.c + +libsf_dynamic_preproc_la-sfrt_flat.lo: include/sfrt_flat.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-sfrt_flat.lo `test -f 'include/sfrt_flat.c' || echo '$(srcdir)/'`include/sfrt_flat.c + +libsf_dynamic_preproc_la-sfrt_flat_dir.lo: include/sfrt_flat_dir.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-sfrt_flat_dir.lo `test -f 'include/sfrt_flat_dir.c' || echo '$(srcdir)/'`include/sfrt_flat_dir.c + +libsf_dynamic_preproc_la-segment_mem.lo: include/segment_mem.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-segment_mem.lo `test -f 'include/segment_mem.c' || echo '$(srcdir)/'`include/segment_mem.c + +libsf_dynamic_preproc_la-mempool.lo: include/mempool.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-mempool.lo `test -f 'include/mempool.c' || echo '$(srcdir)/'`include/mempool.c + +libsf_dynamic_preproc_la-sf_sdlist.lo: include/sf_sdlist.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o 
libsf_dynamic_preproc_la-sf_sdlist.lo `test -f 'include/sf_sdlist.c' || echo '$(srcdir)/'`include/sf_sdlist.c + +libsf_dynamic_preproc_la-sfPolicyUserData.lo: include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-sfPolicyUserData.lo `test -f 'include/sfPolicyUserData.c' || echo '$(srcdir)/'`include/sfPolicyUserData.c + +libsf_dynamic_preproc_la-util_unfold.lo: include/util_unfold.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-util_unfold.lo `test -f 'include/util_unfold.c' || echo '$(srcdir)/'`include/util_unfold.c + +libsf_dynamic_preproc_la-sf_base64decode.lo: include/sf_base64decode.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-sf_base64decode.lo `test -f 'include/sf_base64decode.c' || echo '$(srcdir)/'`include/sf_base64decode.c + +libsf_dynamic_preproc_la-sf_email_attach_decode.lo: include/sf_email_attach_decode.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-sf_email_attach_decode.lo `test -f 'include/sf_email_attach_decode.c' || echo '$(srcdir)/'`include/sf_email_attach_decode.c mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs +install-nodist_preprocHEADERS: $(nodist_preproc_HEADERS) + @$(NORMAL_INSTALL) + test -z "$(preprocdir)" || $(MKDIR_P) "$(DESTDIR)$(preprocdir)" + @list='$(nodist_preproc_HEADERS)'; test -n "$(preprocdir)" || 
list=; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(preprocdir)'"; \ + $(INSTALL_HEADER) $$files "$(DESTDIR)$(preprocdir)" || exit $$?; \ + done + +uninstall-nodist_preprocHEADERS: + @$(NORMAL_UNINSTALL) + @list='$(nodist_preproc_HEADERS)'; test -n "$(preprocdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + test -n "$$files" || exit 0; \ + echo " ( cd '$(DESTDIR)$(preprocdir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(preprocdir)" && rm -f $$files # This directory's subdirectories are mostly independent; you can cd # into them and run `make' without going through this Makefile. @@ -394,7 +765,7 @@ # (which will cause the Makefiles to be regenerated when you run `make'); # (2) otherwise, pass the desired values on the `make' command line. $(RECURSIVE_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ @@ -411,7 +782,7 @@ else \ local_target="$$target"; \ fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done; \ if test "$$dot_seen" = "no"; then \ @@ -419,7 +790,7 @@ fi; test -z "$$fail" $(RECURSIVE_CLEAN_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ 
@@ -445,16 +816,16 @@ else \ local_target="$$target"; \ fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done && test -z "$$fail" tags-recursive: list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ + test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ done ctags-recursive: list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ + test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ done ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) @@ -462,14 +833,14 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ include_option=--etags-include; \ 
@@ -481,39 +852,43 @@ list='$(SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test ! -f $$subdir/TAGS || \ - tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \ + set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ fi; \ done; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags 
@@ -534,29 +909,44 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done - list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test -d "$(distdir)/$$subdir" \ || $(MKDIR_P) "$(distdir)/$$subdir" \ || exit 1; \ - distdir=`$(am__cd) $(distdir) && pwd`; \ - top_distdir=`$(am__cd) $(top_distdir) && pwd`; \ - (cd $$subdir && \ + fi; \ + done + @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ + $(am__relativize); \ + new_distdir=$$reldir; \ + dir1=$$subdir; dir2="$(top_distdir)"; \ + $(am__relativize); \ + new_top_distdir=$$reldir; \ + echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ + echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ + ($(am__cd) $$subdir && \ $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$$top_distdir" \ - distdir="$$distdir/$$subdir" \ + top_distdir="$$new_top_distdir" \ + distdir="$$new_distdir" \ am__remove_distdir=: \ am__skip_length_check=: \ + am__skip_mode_fix=: \ distdir) \ || exit 1; \ fi; \ 
@@ -564,9 +954,14 @@ check-am: all-am check: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) check-recursive -all-am: Makefile +@HAVE_DYNAMIC_PLUGINS_FALSE@all-local: +@SO_WITH_STATIC_LIB_FALSE@all-local: +all-am: Makefile $(LTLIBRARIES) $(HEADERS) all-local installdirs: installdirs-recursive installdirs-am: + for dir in "$(DESTDIR)$(preproclibdir)" "$(DESTDIR)$(preprocdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done install: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) install-recursive install-exec: install-exec-recursive @@ -588,6 +983,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -597,11 +993,13 @@ @HAVE_DYNAMIC_PLUGINS_FALSE@install-data-local: clean: clean-recursive -clean-am: clean-generic clean-libtool clean-local mostlyclean-am +clean-am: clean-generic clean-libtool clean-local \ + clean-preproclibLTLIBRARIES mostlyclean-am distclean: distclean-recursive -rm -f Makefile -distclean-am: clean-am distclean-generic distclean-tags +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags dvi: dvi-recursive @@ -609,26 +1007,39 @@ html: html-recursive +html-am: + info: info-recursive info-am: -install-data-am: install-data-local +install-data-am: install-data-local install-nodist_preprocHEADERS \ + install-preproclibLTLIBRARIES install-dvi: install-dvi-recursive +install-dvi-am: + install-exec-am: install-html: install-html-recursive +install-html-am: + install-info: install-info-recursive +install-info-am: + install-man: install-pdf: install-pdf-recursive +install-pdf-am: + install-ps: install-ps-recursive +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-recursive 
@@ -637,7 +1048,8 @@ mostlyclean: mostlyclean-recursive -mostlyclean-am: mostlyclean-generic mostlyclean-libtool +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf: pdf-recursive 
@@ -647,28 +1059,38 @@ ps-am: -uninstall-am: uninstall-local +uninstall-am: uninstall-local uninstall-nodist_preprocHEADERS \ + uninstall-preproclibLTLIBRARIES -.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \ - install-strip +.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) all check \ + ctags-recursive install install-am install-strip \ + tags-recursive .PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \ - all all-am check check-am clean clean-generic clean-libtool \ - clean-local ctags ctags-recursive distclean distclean-generic \ + all all-am all-local check check-am clean clean-generic \ + clean-libtool clean-local clean-preproclibLTLIBRARIES ctags \ + ctags-recursive distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-data-local install-dvi install-dvi-am \ install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-pdf \ - install-pdf-am install-ps install-ps-am install-strip \ - installcheck installcheck-am installdirs installdirs-am \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags tags-recursive uninstall uninstall-am uninstall-local + install-info install-info-am install-man \ + install-nodist_preprocHEADERS install-pdf install-pdf-am \ + install-preproclibLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + installdirs-am maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \ + uninstall uninstall-am uninstall-local \ + uninstall-nodist_preprocHEADERS \ + uninstall-preproclibLTLIBRARIES + +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@all-local: $(LTLIBRARIES) 
+@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ $(MAKE) DESTDIR=`pwd`/build install-preproclibLTLIBRARIES # From main src tree -include/debug.h: $(srcdir)/../debug.h +include/snort_debug.h: $(srcdir)/../snort_debug.h @src_header=$?; dst_header=$@; $(copy_debug_header) include/preprocids.h: $(srcdir)/../preprocids.h @@ -683,15 +1105,24 @@ include/pcap_pkthdr32.h: $(srcdir)/../pcap_pkthdr32.h @src_header=$?; dst_header=$@; $(copy_headers) -include/bounds.h: $(srcdir)/../bounds.h +include/snort_bounds.h: $(srcdir)/../snort_bounds.h @src_header=$?; dst_header=$@; $(copy_headers) -include/ipv6_port.h: $(srcdir)/../ipv6_port.h +include/ipv6_port.h: $(srcdir)/../ipv6_port.h @src_header=$?; dst_header=$@; $(massage_ipv6_headers) include/sf_types.h: $(srcdir)/../sf_types.h @src_header=$?; dst_header=$@; $(copy_headers) +include/obfuscation.h: $(srcdir)/../obfuscation.h + @src_header=$?; dst_header=$@; $(massage_headers) + +include/rule_option_types.h: $(srcdir)/../rule_option_types.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/event.h: $(srcdir)/../event.h + @src_header=$?; dst_header=$@; $(copy_headers) + # From dynamic-plugins include/sf_dynamic_common.h: $(srcdir)/../dynamic-plugins/sf_dynamic_common.h @src_header=$?; dst_header=$@; $(copy_headers) @@ -706,7 +1137,10 @@ @src_header=$?; dst_header=$@; $(copy_headers) include/sf_dynamic_preprocessor.h: $(srcdir)/../dynamic-plugins/sf_dynamic_preprocessor.h - @src_header=$?; dst_header=$@; $(copy_headers) + @src_header=$?; dst_header=$@; $(massage_headers) + +include/attribute_table_api.h: $(srcdir)/../dynamic-plugins/attribute_table_api.h + @src_header=$?; dst_header=$@; $(massage_headers) # From dynamic-plugins/sf_preproc_example include/sf_dynamic_preproc_lib.c: $(srcdir)/../dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c 
@@ -749,9 +1183,42 @@ include/sfrt_dir.c: $(srcdir)/../sfutil/sfrt_dir.c @src_header=$?; dst_header=$@; $(copy_headers) +include/sfrt_flat.h: $(srcdir)/../sfutil/sfrt_flat.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/sfrt_flat.c: $(srcdir)/../sfutil/sfrt_flat.c + @src_header=$?; dst_header=$@; $(copy_headers) + +include/sfrt_flat_dir.h: $(srcdir)/../sfutil/sfrt_flat_dir.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/sfrt_flat_dir.c: $(srcdir)/../sfutil/sfrt_flat_dir.c + @src_header=$?; dst_header=$@; $(copy_headers) + include/sfrt_trie.h: $(srcdir)/../sfutil/sfrt_trie.h @src_header=$?; dst_header=$@; $(copy_headers) +include/segment_mem.c: $(srcdir)/../sfutil/segment_mem.c + @src_header=$?; dst_header=$@; $(copy_headers) + +include/segment_mem.h: $(srcdir)/../sfutil/segment_mem.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/mempool.h: $(srcdir)/../mempool.h + @src_header=$?; dst_header=$@; $(copy_headers); $(copy_error_message); $(replace_policy_globals) + +include/mempool.c: $(srcdir)/../mempool.c + @src_header=$?; dst_header=$@; $(copy_headers); $(copy_error_message); $(replace_policy_globals) + +include/sf_sdlist.h: $(srcdir)/../sf_sdlist.h + @src_header=$?; dst_header=$@; $(copy_headers); $(copy_error_message); $(replace_policy_globals) + +include/sf_sdlist_types.h: $(srcdir)/../sf_sdlist_types.h + @src_header=$?; dst_header=$@; $(copy_headers); $(copy_error_message); $(replace_policy_globals) + +include/sf_sdlist.c: $(srcdir)/../sf_sdlist.c + @src_header=$?; dst_header=$@; $(copy_headers); $(copy_error_message); $(replace_policy_globals) + include/sfPolicyUserData.c: $(srcdir)/../sfutil/sfPolicyUserData.c @src_header=$?; dst_header=$@; $(copy_headers); $(replace_policy_globals) 
@@ -761,6 +1228,27 @@ include/sfPolicy.h: $(srcdir)/../sfutil/sfPolicy.h @src_header=$?; dst_header=$@; $(copy_headers); $(replace_policy_globals) +include/util_unfold.h: $(srcdir)/../sfutil/util_unfold.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/util_unfold.c: $(srcdir)/../sfutil/util_unfold.c + @src_header=$?; dst_header=$@; $(copy_headers) + +include/sf_base64decode.h: $(srcdir)/../sfutil/sf_base64decode.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/sf_base64decode.c: $(srcdir)/../sfutil/sf_base64decode.c + @src_header=$?; dst_header=$@; $(copy_headers) + +include/sf_email_attach_decode.h: $(srcdir)/../sfutil/sf_email_attach_decode.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/sf_email_attach_decode.c: $(srcdir)/../sfutil/sf_email_attach_decode.c + @src_header=$?; dst_header=$@; $(copy_headers); $(copy_error_message); $(replace_policy_globals) + +include/Unified2_common.h: $(srcdir)/../sfutil/Unified2_common.h + @src_header=$?; dst_header=$@; $(copy_headers) + # From dynamic-plugins/sf_engine/examples include/sfsnort_dynamic_detection_lib.c: $(srcdir)/../dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.c @src_header=$?; dst_header=$@; $(copy_headers) @@ -772,9 +1260,15 @@ include/sf_snort_packet.h: $(srcdir)/../dynamic-plugins/sf_engine/sf_snort_packet.h @src_header=$?; dst_header=$@; $(copy_headers) +include/sf_protocols.h: $(srcdir)/../sf_protocols.h + @src_header=$?; dst_header=$@; $(copy_headers) + include/sf_snort_plugin_api.h: $(srcdir)/../dynamic-plugins/sf_engine/sf_snort_plugin_api.h @src_header=$?; dst_header=$@; $(copy_headers) +include/sf_decompression.h: $(srcdir)/../dynamic-plugins/sf_engine/sf_decompression.h + @src_header=$?; dst_header=$@; $(copy_headers) + # Stream API/String Searching, massage it to use SFSnortPacket include/stream_api.h: $(srcdir)/../preprocessors/stream_api.h @src_header=$?; dst_header=$@; $(massage_headers) 
@@ -782,6 +1276,21 @@ include/str_search.h: $(srcdir)/../preprocessors/str_search.h @src_header=$?; dst_header=$@; $(massage_headers) +include/treenodes.h: $(srcdir)/../treenodes.h + @src_header=$?; dst_header=$@; $(copy_treenode_header) + +include/signature.h: $(srcdir)/../signature.h + @src_header=$?; dst_header=$@; $(copy_treenode_header) + +include/plugin_enum.h: $(srcdir)/../plugin_enum.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/sfcontrol.h: $(top_srcdir)/src/control/sfcontrol.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/idle_processing.h: $(top_srcdir)/src/idle_processing.h + @src_header=$?; dst_header=$@; $(copy_headers) + clean-local: rm -rf include build @@ -797,8 +1306,9 @@ @HAVE_DYNAMIC_PLUGINS_TRUE@ @for f in $(exported_files); do \ @HAVE_DYNAMIC_PLUGINS_TRUE@ truefile=`echo $$f | sed -e "s/.*\///"`; \ @HAVE_DYNAMIC_PLUGINS_TRUE@ $(mkinstalldirs) $(DESTDIR)$(srcinstdir); \ -@HAVE_DYNAMIC_PLUGINS_TRUE@ $(RM) -f $(DESTDIR)$(srcinstdir)/$$truefile; \ +@HAVE_DYNAMIC_PLUGINS_TRUE@ rm -f $(DESTDIR)$(srcinstdir)/$$truefile; \ @HAVE_DYNAMIC_PLUGINS_TRUE@ done + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/modbus/Makefile.am snort-2.9.2/src/dynamic-preprocessors/modbus/Makefile.am --- snort-2.8.5.2/src/dynamic-preprocessors/modbus/Makefile.am 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/modbus/Makefile.am 2011-10-26 18:28:52.000000000 +0000 
@@ -0,0 +1,34 @@
+## $Id
+AUTOMAKE_OPTIONS=foreign no-dependencies
+
+INCLUDES = -I../include -I${srcdir}/../libs
+
+libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor
+
+lib_LTLIBRARIES = libsf_modbus_preproc.la
+
+libsf_modbus_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@
+if SO_WITH_STATIC_LIB
+libsf_modbus_preproc_la_LIBADD = ../libsf_dynamic_preproc.la
+else
+nodist_libsf_modbus_preproc_la_SOURCES = \
+../include/sf_dynamic_preproc_lib.c \
+../include/sfPolicyUserData.c
+endif
+
+libsf_modbus_preproc_la_SOURCES = \
+spp_modbus.c \
+spp_modbus.h \
+modbus_decode.c \
+modbus_decode.h \
+modbus_roptions.c \
+modbus_roptions.h \
+modbus_paf.c \
+modbus_paf.h
+
+EXTRA_DIST = \
+sf_modbus.dsp
+
+all-local: $(LTLIBRARIES)
+ $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES
+
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/modbus/Makefile.in snort-2.9.2/src/dynamic-preprocessors/modbus/Makefile.in
--- snort-2.8.5.2/src/dynamic-preprocessors/modbus/Makefile.in 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/modbus/Makefile.in 2011-12-07 19:23:19.000000000 +0000
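Review bot: The `all-local` recipe at the end of the new Makefile.am builds `DESTDIR` from an unquoted command substitution, ``DESTDIR=`pwd`/../build``, so a build directory whose path contains whitespace splits the word and the sub-make receives a truncated DESTDIR plus a bogus extra target; quoting it, ``$(MAKE) DESTDIR="`pwd`/../build" install-libLTLIBRARIES``, avoids that. `INCLUDES = -I../include -I${srcdir}/../libs` uses the legacy spelling of `AM_CPPFLAGS`; the value itself is consistent with the parent Makefile, which generates `include/` into the build tree, which is why only the `libs` path is prefixed with `${srcdir}`. The parent dynamic-preprocessors `all-local` rule in this diff uses the same unquoted `pwd`, so the quoting fix applies there as well.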
@@ -0,0 +1,556 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/dynamic-preprocessors/modbus +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 
+am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(libdir)" +LTLIBRARIES = $(lib_LTLIBRARIES) +@SO_WITH_STATIC_LIB_TRUE@libsf_modbus_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la +am_libsf_modbus_preproc_la_OBJECTS = spp_modbus.lo modbus_decode.lo \ + modbus_roptions.lo modbus_paf.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_modbus_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo +libsf_modbus_preproc_la_OBJECTS = \ + $(am_libsf_modbus_preproc_la_OBJECTS) \ + $(nodist_libsf_modbus_preproc_la_OBJECTS) +libsf_modbus_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libsf_modbus_preproc_la_LDFLAGS) $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = +am__depfiles_maybe = +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) 
$(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libsf_modbus_preproc_la_SOURCES) \ + $(nodist_libsf_modbus_preproc_la_SOURCES) +DIST_SOURCES = $(libsf_modbus_preproc_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ +CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAINT = @MAINT@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = 
@RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ +STRIP = @STRIP@ +VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ +YACC = @YACC@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +extra_incl = @extra_incl@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +AUTOMAKE_OPTIONS = foreign no-dependencies +lib_LTLIBRARIES = libsf_modbus_preproc.la +libsf_modbus_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ 
+@SO_WITH_STATIC_LIB_TRUE@libsf_modbus_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_modbus_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c + +libsf_modbus_preproc_la_SOURCES = \ +spp_modbus.c \ +spp_modbus.h \ +modbus_decode.c \ +modbus_decode.h \ +modbus_roptions.c \ +modbus_roptions.h \ +modbus_paf.c \ +modbus_paf.h + +EXTRA_DIST = \ +sf_modbus.dsp + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/modbus/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-preprocessors/modbus/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-libLTLIBRARIES: $(lib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } + +uninstall-libLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ + done + +clean-libLTLIBRARIES: + -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) + @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done 
+libsf_modbus_preproc.la: $(libsf_modbus_preproc_la_OBJECTS) $(libsf_modbus_preproc_la_DEPENDENCIES) + $(libsf_modbus_preproc_la_LINK) -rpath $(libdir) $(libsf_modbus_preproc_la_OBJECTS) $(libsf_modbus_preproc_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +.c.o: + $(COMPILE) -c $< + +.c.obj: + $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: + $(LTCOMPILE) -c -o $@ $< + +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; 
then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) all-local +installdirs: + for dir in "$(DESTDIR)$(libdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-libLTLIBRARIES + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-libLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-libLTLIBRARIES install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-libLTLIBRARIES + + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/modbus/modbus_decode.c snort-2.9.2/src/dynamic-preprocessors/modbus/modbus_decode.c --- snort-2.8.5.2/src/dynamic-preprocessors/modbus/modbus_decode.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/modbus/modbus_decode.c 2011-11-21 20:15:24.000000000 +0000 
@@ -0,0 +1,428 @@ +/* + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2011 Sourcefire, Inc. + * + * Author: Ryan Jordan + * + * Dynamic preprocessor for the Modbus protocol + * + */ + +#include "modbus_decode.h" + +/* Modbus Function Codes */ +#define MODBUS_FUNC_READ_COILS 0x01 +#define MODBUS_FUNC_READ_DISCRETE_INPUTS 0x02 +#define MODBUS_FUNC_READ_HOLDING_REGISTERS 0x03 +#define MODBUS_FUNC_READ_INPUT_REGISTERS 0x04 +#define MODBUS_FUNC_WRITE_SINGLE_COIL 0x05 +#define MODBUS_FUNC_WRITE_SINGLE_REGISTER 0x06 +#define MODBUS_FUNC_READ_EXCEPTION_STATUS 0x07 +#define MODBUS_FUNC_DIAGNOSTICS 0x08 +#define MODBUS_FUNC_GET_COMM_EVENT_COUNTER 0x0B +#define MODBUS_FUNC_GET_COMM_EVENT_LOG 0x0C +#define MODBUS_FUNC_WRITE_MULTIPLE_COILS 0x0F +#define MODBUS_FUNC_WRITE_MULTIPLE_REGISTERS 0x10 +#define MODBUS_FUNC_REPORT_SLAVE_ID 0x11 +#define MODBUS_FUNC_READ_FILE_RECORD 0x14 +#define MODBUS_FUNC_WRITE_FILE_RECORD 0x15 +#define MODBUS_FUNC_MASK_WRITE_REGISTER 0x16 +#define MODBUS_FUNC_READ_WRITE_MULTIPLE_REGISTERS 0x17 +#define MODBUS_FUNC_READ_FIFO_QUEUE 0x18 +#define MODBUS_FUNC_ENCAPSULATED_INTERFACE_TRANSPORT 0x2B +#define MODBUS_SUB_FUNC_CANOPEN 0x0D +#define MODBUS_SUB_FUNC_READ_DEVICE_ID 0x0E + + +/* Other defines */ +#define 
MODBUS_PROTOCOL_ID 0 +#define MODBUS_BYTE_COUNT_SIZE 1 +#define MODBUS_FILE_RECORD_SUB_REQUEST_SIZE 7 +#define MODBUS_FILE_RECORD_SUB_REQUEST_LEN_OFFSET 5 +#define MODBUS_READ_DEVICE_ID_HEADER_LEN 6 +#define MODBUS_READ_DEVICE_ID_NUM_OBJ_OFFSET 5 + +/* Modbus data structures */ +typedef struct _modbus_header +{ + /* MBAP Header */ + uint16_t transaction_id; + uint16_t protocol_id; + uint16_t length; + uint8_t unit_id; + + /* PDU Start */ + uint8_t function_code; +} modbus_header_t; + + +static void ModbusCheckRequestLengths(modbus_session_data_t *session, SFSnortPacket *packet) +{ + uint16_t modbus_payload_len = packet->payload_size - MODBUS_MIN_LEN; + uint8_t tmp_count; + int check_passed = 0; + + switch (session->func) + { + case MODBUS_FUNC_READ_COILS: + case MODBUS_FUNC_READ_DISCRETE_INPUTS: + case MODBUS_FUNC_READ_HOLDING_REGISTERS: + case MODBUS_FUNC_READ_INPUT_REGISTERS: + case MODBUS_FUNC_WRITE_SINGLE_COIL: + case MODBUS_FUNC_WRITE_SINGLE_REGISTER: + case MODBUS_FUNC_DIAGNOSTICS: + if (modbus_payload_len == 4) + check_passed = 1; + break; + + case MODBUS_FUNC_READ_EXCEPTION_STATUS: + case MODBUS_FUNC_GET_COMM_EVENT_COUNTER: + case MODBUS_FUNC_GET_COMM_EVENT_LOG: + case MODBUS_FUNC_REPORT_SLAVE_ID: + if (modbus_payload_len == 0) + check_passed = 1; + break; + + case MODBUS_FUNC_WRITE_MULTIPLE_COILS: + case MODBUS_FUNC_WRITE_MULTIPLE_REGISTERS: + if (modbus_payload_len >= 5) /* start addr + quantity + byte count */ + { + tmp_count = *(packet->payload + MODBUS_MIN_LEN + 5); + if (modbus_payload_len == tmp_count + 5) + check_passed = 1; + } + break; + + case MODBUS_FUNC_MASK_WRITE_REGISTER: + if (modbus_payload_len == 6) + check_passed = 1; + break; + + case MODBUS_FUNC_READ_WRITE_MULTIPLE_REGISTERS: + if (modbus_payload_len >= 8) + { + tmp_count = *(packet->payload + MODBUS_MIN_LEN + 8); /* byte count */ + if (modbus_payload_len == 9 + tmp_count) + check_passed = 1; + } + break; + + + case MODBUS_FUNC_READ_FIFO_QUEUE: + if (modbus_payload_len == 2) + 
check_passed = 1; + break; + + case MODBUS_FUNC_ENCAPSULATED_INTERFACE_TRANSPORT: + if (modbus_payload_len >= 1) + { + uint8_t mei_type = *(packet->payload + MODBUS_MIN_LEN); + + /* MEI Type 0x0E is covered under the Modbus spec as + "Read Device Identification". Type 0x0D is defined in + the spec as "CANopen General Reference Request and Response PDU" + and falls outside the scope of the Modbus preprocessor. + + Other values are reserved. + */ + if ((mei_type == 0x0E) && modbus_payload_len == 3) + check_passed = 1; + } + break; + + + case MODBUS_FUNC_READ_FILE_RECORD: + /* Modbus read file record request contains a byte count, followed + by a set of 7-byte sub-requests. */ + if (modbus_payload_len >= 1) + { + tmp_count = *(packet->payload + MODBUS_MIN_LEN); + if ((tmp_count == modbus_payload_len - 1) && + (tmp_count % MODBUS_FILE_RECORD_SUB_REQUEST_SIZE == 0)) + { + check_passed = 1; + } + } + break; + + case MODBUS_FUNC_WRITE_FILE_RECORD: + /* Modbus write file record request contains a byte count, followed + by a set of sub-requests that contain a 7-byte header and a + variable amount of data. */ + + if (modbus_payload_len >= 1) + { + tmp_count = *(packet->payload + MODBUS_MIN_LEN); + if (tmp_count == modbus_payload_len - 1) + { + uint16_t bytes_processed = 0; + + while (bytes_processed < (uint16_t)tmp_count) + { + uint16_t record_length = 0; + + /* Check space for sub-request header info */ + if ((modbus_payload_len - bytes_processed) < + MODBUS_FILE_RECORD_SUB_REQUEST_SIZE) + break; + + /* Extract record length. */ + record_length = *(packet->payload + MODBUS_MIN_LEN + + MODBUS_BYTE_COUNT_SIZE + bytes_processed + + MODBUS_FILE_RECORD_SUB_REQUEST_LEN_OFFSET); + + record_length = record_length << 8; + + record_length |= *(packet->payload + MODBUS_MIN_LEN + + MODBUS_BYTE_COUNT_SIZE + bytes_processed + + MODBUS_FILE_RECORD_SUB_REQUEST_LEN_OFFSET + 1); + + /* Jump over record data. 
*/ + bytes_processed += MODBUS_FILE_RECORD_SUB_REQUEST_SIZE + + 2*record_length; + + if (bytes_processed == (uint16_t)tmp_count) + check_passed = 1; + } + } + } + break; + + default: /* Don't alert if we couldn't check the length. */ + check_passed = 1; + break; + } + + if (!check_passed) + { + _dpd.alertAdd(GENERATOR_SPP_MODBUS, MODBUS_BAD_LENGTH, 1, 0, 3, + MODBUS_BAD_LENGTH_STR, 0); + } +} + +static void ModbusCheckResponseLengths(modbus_session_data_t *session, SFSnortPacket *packet) +{ + uint16_t modbus_payload_len = packet->payload_size - MODBUS_MIN_LEN; + uint8_t tmp_count; + int check_passed = 0; + + switch (session->func) + { + case MODBUS_FUNC_READ_COILS: + case MODBUS_FUNC_READ_DISCRETE_INPUTS: + case MODBUS_FUNC_GET_COMM_EVENT_LOG: + case MODBUS_FUNC_READ_WRITE_MULTIPLE_REGISTERS: + if (modbus_payload_len >= 1) + { + tmp_count = *(packet->payload + MODBUS_MIN_LEN); /* byte count */ + if (modbus_payload_len == 1 + tmp_count) + check_passed = 1; + } + break; + + case MODBUS_FUNC_READ_HOLDING_REGISTERS: + case MODBUS_FUNC_READ_INPUT_REGISTERS: + if (modbus_payload_len >= 1) + { + /* count of 2-byte registers*/ + tmp_count = *(packet->payload + MODBUS_MIN_LEN); + if (modbus_payload_len == 1 + 2*tmp_count) + check_passed = 1; + } + break; + + case MODBUS_FUNC_WRITE_SINGLE_COIL: + case MODBUS_FUNC_WRITE_SINGLE_REGISTER: + case MODBUS_FUNC_DIAGNOSTICS: + case MODBUS_FUNC_GET_COMM_EVENT_COUNTER: + case MODBUS_FUNC_WRITE_MULTIPLE_COILS: + case MODBUS_FUNC_WRITE_MULTIPLE_REGISTERS: + if (modbus_payload_len == 4) + check_passed = 1; + break; + + case MODBUS_FUNC_READ_EXCEPTION_STATUS: + if (modbus_payload_len == 1) + check_passed = 1; + break; + + case MODBUS_FUNC_MASK_WRITE_REGISTER: + if (modbus_payload_len == 6) + check_passed = 1; + break; + + case MODBUS_FUNC_READ_FIFO_QUEUE: + if (modbus_payload_len >= 2) + { + uint16_t tmp_count_16; + + /* This function uses a 2-byte byte count!! 
*/ + tmp_count_16 = *(uint16_t *)(packet->payload + MODBUS_MIN_LEN); + tmp_count_16 = ntohs(tmp_count_16); + if (modbus_payload_len == 2 + tmp_count_16) + check_passed = 1; + } + break; + + case MODBUS_FUNC_ENCAPSULATED_INTERFACE_TRANSPORT: + if (modbus_payload_len >= MODBUS_READ_DEVICE_ID_HEADER_LEN) + { + uint8_t mei_type = *(packet->payload + MODBUS_MIN_LEN); + uint8_t num_objects = *(packet->payload + MODBUS_MIN_LEN + + MODBUS_READ_DEVICE_ID_NUM_OBJ_OFFSET); + uint16_t offset; + uint8_t i; + + /* MEI Type 0x0E is covered under the Modbus spec as + "Read Device Identification". Type 0x0D is defined in + the spec as "CANopen General Reference Request and Response PDU" + and falls outside the scope of the Modbus preprocessor. + + Other values are reserved. + */ + + if (mei_type == MODBUS_SUB_FUNC_CANOPEN) + check_passed = 1; + + if (mei_type != MODBUS_SUB_FUNC_READ_DEVICE_ID) + break; + + /* Loop through sub-requests, make sure that the lengths inside + don't violate our total Modbus PDU size. */ + + offset = MODBUS_READ_DEVICE_ID_HEADER_LEN; + for (i = 0; i < num_objects; i++) + { + uint8_t sub_request_data_len; + + /* Sub request starts with 2 bytes, type + len */ + if (offset + 2 > modbus_payload_len) + break; + + /* Length is second byte in sub-request */ + sub_request_data_len = *(packet->payload + MODBUS_MIN_LEN + + offset + 1); + + /* Set offset to byte after sub-request */ + offset += (2 + sub_request_data_len); + } + + if ((i == num_objects) && (offset == modbus_payload_len)) + check_passed = 1; + } + break; + + /* Cannot check this response, as it is device specific. */ + case MODBUS_FUNC_REPORT_SLAVE_ID: + + /* Cannot check these responses, as their sizes depend on the corresponding + requests. Can re-visit if we bother with request/response tracking. */ + case MODBUS_FUNC_READ_FILE_RECORD: + case MODBUS_FUNC_WRITE_FILE_RECORD: + + default: /* Don't alert if we couldn't check the lengths. 
*/ + check_passed = 1; + break; + } + + if (!check_passed) + { + _dpd.alertAdd(GENERATOR_SPP_MODBUS, MODBUS_BAD_LENGTH, 1, 0, 3, + MODBUS_BAD_LENGTH_STR, 0); + } +} + +static void ModbusCheckReservedFuncs(modbus_header_t *header, SFSnortPacket *packet) +{ + switch (header->function_code) + { + /* Reserved function codes */ + case MODBUS_FUNC_DIAGNOSTICS: + /* Only some sub-functions are reserved here. */ + { + uint16_t sub_func; + + if (packet->payload_size < MODBUS_MIN_LEN+2) + break; + + sub_func = *((uint16_t *)(packet->payload + MODBUS_MIN_LEN)); + sub_func = ntohs(sub_func); + + if ((sub_func == 19) || (sub_func >= 21)) + { + _dpd.alertAdd(GENERATOR_SPP_MODBUS, MODBUS_RESERVED_FUNCTION, + 1, 0, 3, MODBUS_RESERVED_FUNCTION_STR, 0); + } + } + break; + case 0x09: + case 0x0A: + case 0x0D: + case 0x0E: + case 0x29: + case 0x2A: + case 0x5A: + case 0x5B: + case 0x7D: + case 0x7E: + case 0x7F: + _dpd.alertAdd(GENERATOR_SPP_MODBUS, MODBUS_RESERVED_FUNCTION, 1, 0, 3, + MODBUS_RESERVED_FUNCTION_STR, 0); + break; + } +} + +int ModbusDecode(modbus_config_t *config, SFSnortPacket *packet) +{ + modbus_session_data_t *session; + modbus_header_t *header; + + if (packet->payload_size < MODBUS_MIN_LEN) + return MODBUS_FAIL; + + session = (modbus_session_data_t *) + _dpd.streamAPI->get_application_data(packet->stream_session_ptr, PP_MODBUS); + + /* Lay the header struct over the payload */ + header = (modbus_header_t *) packet->payload; + + /* The protocol ID field should read 0x0000 for Modbus. It allows for + multiplexing with some other protocols over serial line. */ + if (header->protocol_id != MODBUS_PROTOCOL_ID) + { + _dpd.alertAdd(GENERATOR_SPP_MODBUS, MODBUS_BAD_PROTO_ID, 1, 0, 3, + MODBUS_BAD_PROTO_ID_STR, 0); + return MODBUS_FAIL; + } + + /* Set the session data. + Normally we'd need to swap byte order, but these are 8-bit fields. 
*/ + session->unit = header->unit_id; + session->func = header->function_code; + + /* Check for reserved function codes */ + ModbusCheckReservedFuncs(header, packet); + + /* Read the Modbus payload and check lengths against the expected length for + each function. */ + if (packet->flags & FLAG_FROM_CLIENT) + ModbusCheckRequestLengths(session, packet); + else + ModbusCheckResponseLengths(session, packet); + + return MODBUS_OK; +} diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/modbus/modbus_decode.h snort-2.9.2/src/dynamic-preprocessors/modbus/modbus_decode.h --- snort-2.8.5.2/src/dynamic-preprocessors/modbus/modbus_decode.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/modbus/modbus_decode.h 2011-10-26 18:28:52.000000000 +0000 
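Review bot: Two of the bounds guards in ModbusCheckRequestLengths let the following read run one byte past packet->payload: the WRITE_MULTIPLE_COILS/REGISTERS case reads `*(packet->payload + MODBUS_MIN_LEN + 5)` under `modbus_payload_len >= 5`, and the READ_WRITE_MULTIPLE_REGISTERS case reads offset 8 under `>= 8`, so a request with exactly 5 (respectively 8) bytes after the function code indexes one past the end of the payload. The first is also the wrong field: with start address, quantity and byte count occupying offsets 0–4 (the comment's own "start addr + quantity + byte count"), the byte count sits at offset 4, which is what the `tmp_count + 5` comparison already assumes; change it to `tmp_count = *(packet->payload + MODBUS_MIN_LEN + 4);` and the second guard to `if (modbus_payload_len >= 9)`. The WRITE_FILE_RECORD loop has the same off-by-one because its guard measures remaining space with modbus_payload_len, which still includes the byte-count byte, while the two record_length reads sit at bytes_processed + 6 and + 7 past MODBUS_MIN_LEN; comparing the remainder of tmp_count instead, `if ((tmp_count - bytes_processed) < MODBUS_FILE_RECORD_SUB_REQUEST_SIZE) break;`, keeps both reads inside the payload. Separately, the `*(uint16_t *)(packet->payload + MODBUS_MIN_LEN)` loads in ModbusCheckResponseLengths and ModbusCheckReservedFuncs are unaligned, aliasing-violating accesses into the packet buffer; assembling the two bytes the way the WRITE_FILE_RECORD code already does (or memcpy into a uint16_t before ntohs) avoids that. ModbusDecode dereferences `session` without a NULL check after get_application_data; this is presumably guaranteed by the caller in spp_modbus.c, which is outside this hunk, and if it is not, a guard returning MODBUS_FAIL is needed before `session->unit = header->unit_id;`.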
@@ -0,0 +1,49 @@
+/*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) 2011 Sourcefire, Inc.
+ *
+ * Author: Ryan Jordan
+ *
+ * Dynamic preprocessor for the Modbus protocol
+ *
+ */
+
+#ifndef MODBUS_DECODE_H
+#define MODBUS_DECODE_H
+
+#include
+
+#include "spp_modbus.h"
+#include "sf_snort_plugin_api.h"
+
+/* Need 8 bytes for MBAP Header + Function Code */
+#define MODBUS_MIN_LEN 8
+
+/* GIDs, SIDs, and Strings */
+#define GENERATOR_SPP_MODBUS 144
+
+#define MODBUS_BAD_LENGTH 1
+#define MODBUS_BAD_PROTO_ID 2
+#define MODBUS_RESERVED_FUNCTION 3
+
+#define MODBUS_BAD_LENGTH_STR "(spp_modbus): Length in Modbus MBAP header does not match the length needed for the given Modbus function."
+#define MODBUS_BAD_PROTO_ID_STR "(spp_modbus): Modbus protocol ID is non-zero."
+#define MODBUS_RESERVED_FUNCTION_STR "(spp_modbus): Reserved Modbus function code in use."
+
+int ModbusDecode(modbus_config_t *config, SFSnortPacket *packet);
+
+#endif /* MODBUS_DECODE_H */
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/modbus/modbus_paf.c snort-2.9.2/src/dynamic-preprocessors/modbus/modbus_paf.c
--- snort-2.8.5.2/src/dynamic-preprocessors/modbus/modbus_paf.c 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/modbus/modbus_paf.c 2011-10-26 18:28:52.000000000 +0000
@@ -0,0 +1,138 @@
+/*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) 2011 Sourcefire, Inc.
+ *
+ * Author: Ryan Jordan
+ *
+ * Protocol-Aware Flushing (PAF) code for the Modbus preprocessor.
+ *
+ */
+
+#include "spp_modbus.h"
+#include "modbus_decode.h"
+#include "modbus_paf.h"
+#include "sf_dynamic_preprocessor.h"
+
+/* Defines */
+#define MODBUS_MIN_HDR_LEN 2 /* Enough for Unit ID + Function */
+#define MODBUS_MAX_HDR_LEN 254 /* Max PDU size is 260, 6 bytes already seen */
+
+
+int ModbusPafRegister(uint16_t port, tSfPolicyId policy_id)
+{
+ if (!_dpd.isPafEnabled())
+ return 0;
+
+ _dpd.streamAPI->register_paf_cb(policy_id, port, 0, ModbusPaf, true);
+ _dpd.streamAPI->register_paf_cb(policy_id, port, 1, ModbusPaf, true);
+
+ return 0;
+}
+
+
+/* Function: ModbusPaf()
+
+ Purpose: Modbus/TCP PAF callback.
+ Statefully inspects Modbus traffic from the start of a session,
+ Reads up until the length octet is found, then sets a flush point.
+
+ Arguments:
+ void * - stream5 session pointer
+ void ** - Modbus state tracking structure
+ const uint8_t * - payload data to inspect
+ uint32_t - length of payload data
+ uint32_t - flags to check whether client or server
+ uint32_t * - pointer to set flush point
+
+ Returns:
+ PAF_Status - PAF_FLUSH if flush point found, PAF_SEARCH otherwise
+*/
+
+PAF_Status ModbusPaf(void *ssn, void **user, const uint8_t *data,
+ uint32_t len, uint32_t flags, uint32_t *fp)
+{
+ modbus_paf_data_t *pafdata = *(modbus_paf_data_t **)user;
+ uint32_t bytes_processed = 0;
+
+ /* Allocate state object if it doesn't exist yet. */
+ if (pafdata == NULL)
+ {
+ pafdata = calloc(1, sizeof(modbus_paf_data_t));
+ if (pafdata == NULL)
+ return PAF_ABORT;
+
+ *user = pafdata;
+ }
+
+ /* Process this packet 1 byte at a time */
+ while (bytes_processed < len)
+ {
+ switch (pafdata->state)
+ {
+ /* Skip the Transaction & Protocol IDs */
+ case MODBUS_PAF_STATE__TRANS_ID_1:
+ case MODBUS_PAF_STATE__TRANS_ID_2:
+ case MODBUS_PAF_STATE__PROTO_ID_1:
+ case MODBUS_PAF_STATE__PROTO_ID_2:
+ pafdata->state++;
+ break;
+
+ /* Read length 1 byte at a time, in case a TCP segment is sent
+ * with only 5 bytes from the MBAP header */
+ case MODBUS_PAF_STATE__LENGTH_1:
+ pafdata->modbus_length |= ( *(data + bytes_processed) << 8 );
+ pafdata->state++;
+ break;
+
+ case MODBUS_PAF_STATE__LENGTH_2:
+ pafdata->modbus_length |= *(data + bytes_processed);
+ pafdata->state++;
+ break;
+
+ case MODBUS_PAF_STATE__SET_FLUSH:
+ if ((pafdata->modbus_length < MODBUS_MIN_HDR_LEN) ||
+ (pafdata->modbus_length > MODBUS_MAX_HDR_LEN))
+ {
+ _dpd.alertAdd(GENERATOR_SPP_MODBUS, MODBUS_BAD_LENGTH, 1, 0, 3,
+ MODBUS_BAD_LENGTH_STR, 0);
+ }
+
+ *fp = pafdata->modbus_length + bytes_processed;
+ pafdata->state = MODBUS_PAF_STATE__TRANS_ID_1;
+ pafdata->modbus_length = 0;
+ return PAF_FLUSH;
+ }
+
+ bytes_processed++;
+ }
+
+ return PAF_SEARCH;
+}
+
+/* Take a Modbus config + Snort policy, iterate through ports, register PAF
callback */
+void ModbusAddPortsToPaf(modbus_config_t *config, tSfPolicyId policy_id)
+{
+ unsigned int i;
+
+ for (i = 0; i < MAX_PORTS; i++)
+ {
+ if (config->ports[PORT_INDEX(i)] & CONV_PORT(i))
+ {
+ ModbusPafRegister((uint16_t) i, policy_id);
+ }
+ }
+}
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/modbus/modbus_paf.h snort-2.9.2/src/dynamic-preprocessors/modbus/modbus_paf.h
--- snort-2.8.5.2/src/dynamic-preprocessors/modbus/modbus_paf.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/modbus/modbus_paf.h 2011-10-26 18:28:52.000000000 +0000
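Review bot: In ModbusPaf, the MODBUS_PAF_STATE__SET_FLUSH case raises the bad-length alert but then still trusts `pafdata->modbus_length` as the flush point, so a zero length gives `*fp = bytes_processed` (which appears to end the flush before the unit ID byte just reached) and a length above MODBUS_MAX_HDR_LEN sets a flush point far beyond any valid PDU. After the alert the callback should stop acting on the header rather than flush on it, e.g. reset `pafdata->state` and `pafdata->modbus_length` and `return PAF_ABORT;` inside the `if`, assuming the stream layer's handling of PAF_ABORT (already relied on for the calloc failure above) is acceptable for a malformed flow. ModbusPafRegister discards both `register_paf_cb` return values and its own `int` return is always 0, so a comment such as `/* registration failures are not reported to the caller */` would make that explicit, and the unused `ssn` and `flags` parameters deserve a `(void)` cast or a note in the header comment.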
@@ -0,0 +1,53 @@
+/*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) 2011 Sourcefire, Inc.
+ *
+ * Author: Ryan Jordan
+ *
+ * Protocol-Aware Flushing (PAF) code for the Modbus preprocessor.
+ *
+ */
+
+#ifndef MODBUS_PAF__H
+#define MODBUS_PAF__H
+
+#include "spp_modbus.h"
+#include "stream_api.h"
+
+typedef enum _modbus_paf_state
+{
+ MODBUS_PAF_STATE__TRANS_ID_1 = 0,
+ MODBUS_PAF_STATE__TRANS_ID_2,
+ MODBUS_PAF_STATE__PROTO_ID_1,
+ MODBUS_PAF_STATE__PROTO_ID_2,
+ MODBUS_PAF_STATE__LENGTH_1,
+ MODBUS_PAF_STATE__LENGTH_2,
+ MODBUS_PAF_STATE__SET_FLUSH
+} modbus_paf_state_t;
+
+typedef struct _modbus_paf_data
+{
+ modbus_paf_state_t state;
+ uint16_t modbus_length;
+} modbus_paf_data_t;
+
+void ModbusAddPortsToPaf(modbus_config_t *config, tSfPolicyId policy_id);
+int ModbusPafRegister(uint16_t port, tSfPolicyId policy_id);
+PAF_Status ModbusPaf(void *ssn, void **user, const uint8_t *data,
+ uint32_t len, uint32_t flags, uint32_t *fp);
+
+#endif /* MODBUS_PAF__H */
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/modbus/modbus_roptions.c snort-2.9.2/src/dynamic-preprocessors/modbus/modbus_roptions.c
--- snort-2.8.5.2/src/dynamic-preprocessors/modbus/modbus_roptions.c 1970-01-01 00:00:00.000000000 +0000
+++ 
snort-2.9.2/src/dynamic-preprocessors/modbus/modbus_roptions.c 2011-11-21 20:15:24.000000000 +0000 
@@ -0,0 +1,249 @@
+/*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) 2011 Sourcefire, Inc.
+ *
+ * Author: Ryan Jordan
+ *
+ * Rule options for Modbus preprocessor
+ *
+ */
+
+#include
+
+#include "sf_types.h"
+#include "sf_snort_plugin_api.h"
+#include "sf_dynamic_preprocessor.h"
+#include "spp_modbus.h"
+#include "modbus_decode.h"
+#include "modbus_roptions.h"
+
+/* Mapping of name -> function code for 'modbus_func' option.
*/
+static modbus_func_map_t func_map[] =
+{
+ {"read_coils", 1},
+ {"read_discrete_inputs", 2},
+ {"read_holding_registers", 3},
+ {"read_input_registers", 4},
+ {"write_single_coil", 5},
+ {"write_single_register", 6},
+ {"read_exception_status", 7},
+ {"diagnostics", 8},
+ {"get_comm_event_counter", 11},
+ {"get_comm_event_log", 12},
+ {"write_multiple_coils", 15},
+ {"write_multiple_registers", 16},
+ {"report_slave_id", 17},
+ {"read_file_record", 20},
+ {"write_file_record", 21},
+ {"mask_write_register", 22},
+ {"read_write_multiple_registers", 23},
+ {"read_fifo_queue", 24},
+ {"encapsulated_interface_transport", 43}
+};
+
+int ModbusFuncInit(char *name, char *params, void **data)
+{
+ char *endptr;
+ modbus_option_data_t *modbus_data;
+ unsigned int func_code = 0;
+
+ if (name == NULL || data == NULL)
+ return 0;
+
+ if (strcmp(name, MODBUS_FUNC_NAME) != 0)
+ return 0;
+
+ if (params == NULL)
+ {
+ DynamicPreprocessorFatalMessage("%s(%d): No argument given for modbus_func. "
+ "modbus_func requires a number between 0 and 255, or a valid function "
+ "name.\n", *_dpd.config_file, *_dpd.config_line);
+ }
+
+ modbus_data = (modbus_option_data_t *)calloc(1, sizeof(modbus_option_data_t));
+ if (modbus_data == NULL)
+ {
+ DynamicPreprocessorFatalMessage("%s(%d) Failed to allocate memory for "
+ "modbus_func data structure.\n", __FILE__, __LINE__);
+ }
+
+ /* Parsing time */
+ if (isdigit(params[0]))
+ {
+ /* Function code given as integer */
+ func_code = _dpd.SnortStrtoul(params, &endptr, 10);
+ if ((func_code > 255) || (*endptr != '\0'))
+ {
+ DynamicPreprocessorFatalMessage("%s(%d): modbus_func requires a "
+ "number between 0 and 255, or a valid function name.\n",
+ *_dpd.config_file, *_dpd.config_line);
+ }
+ }
+ else
+ {
+ /* Check the argument against the map in modbus_roptions.h */
+ size_t i;
+ int parse_success = 0;
+ for (i = 0; i < (sizeof(func_map) / sizeof(modbus_func_map_t)); i++)
+ {
+ if (strcmp(params, func_map[i].name) == 0)
+ {
+
parse_success = 1;
+ func_code = func_map[i].func;
+ break;
+ }
+ }
+
+ if (!parse_success)
+ {
+ DynamicPreprocessorFatalMessage("%s(%d): modbus_func requires a "
+ "number between 0 and 255, or a valid function name.\n",
+ *_dpd.config_file, *_dpd.config_line);
+ }
+ }
+
+ modbus_data->type = MODBUS_FUNC;
+ modbus_data->arg = (uint8_t) func_code;
+
+ *data = (void *)modbus_data;
+
+ return 1;
+}
+
+int ModbusUnitInit(char *name, char *params, void **data)
+{
+ char *endptr;
+ modbus_option_data_t *modbus_data;
+ unsigned int unit_code;
+
+ if (name == NULL || data == NULL)
+ return 0;
+
+ if (strcmp(name, MODBUS_UNIT_NAME) != 0)
+ return 0;
+
+ if (params == NULL)
+ {
+ DynamicPreprocessorFatalMessage("%s(%d): No argument given for modbus_unit. "
+ "modbus_unit requires a number between 0 and 255.\n",
+ *_dpd.config_file, *_dpd.config_line);
+ }
+
+ modbus_data = (modbus_option_data_t *)calloc(1, sizeof(modbus_option_data_t));
+ if (modbus_data == NULL)
+ {
+ DynamicPreprocessorFatalMessage("%s(%d) Failed to allocate memory for "
+ "modbus_unit data structure.\n", __FILE__, __LINE__);
+ }
+
+ /* Parsing time */
+ unit_code = _dpd.SnortStrtoul(params, &endptr, 10);
+ if ((unit_code > 255) || (*endptr != '\0'))
+ {
+ DynamicPreprocessorFatalMessage("%s(%d): modbus_unit requires a "
+ "number between 0 and 255.\n",
+ *_dpd.config_file, *_dpd.config_line);
+ }
+
+ modbus_data->type = MODBUS_UNIT;
+ modbus_data->arg = (uint8_t) unit_code;
+
+ *data = (void *)modbus_data;
+
+ return 1;
+}
+
+int ModbusDataInit(char *name, char *params, void **data)
+{
+ modbus_option_data_t *modbus_data;
+
+ if (strcmp(name, MODBUS_DATA_NAME) != 0)
+ return 0;
+
+ /* Nothing to parse.
*/
+ if (params)
+ {
+ DynamicPreprocessorFatalMessage("%s(%d): modbus_data does not take "
+ "any arguments.\n", *_dpd.config_file, *_dpd.config_line);
+ }
+
+ modbus_data = (modbus_option_data_t *)calloc(1, sizeof(modbus_option_data_t));
+ if (modbus_data == NULL)
+ {
+ DynamicPreprocessorFatalMessage("%s(%d) Failed to allocate memory for "
+ "modbus_data data structure.\n", __FILE__, __LINE__);
+ }
+
+ modbus_data->type = MODBUS_DATA;
+ modbus_data->arg = 0;
+
+ *data = (void *)modbus_data;
+
+ return 1;
+}
+
+/* Modbus rule evaluation callback. */
+int ModbusRuleEval(void *raw_packet, const uint8_t **cursor, void *data)
+{
+ SFSnortPacket *packet = (SFSnortPacket *)raw_packet;
+ modbus_option_data_t *rule_data = (modbus_option_data_t *)data;
+ modbus_session_data_t *session_data;
+
+ /* The preprocessor only evaluates PAF-flushed PDUs. If the rule options
+ don't check for this, they'll fire on stale session data when the
+ original packet goes through before flushing. */
+ if (!PacketHasFullPDU(packet))
+ return RULE_NOMATCH;
+
+ session_data = (modbus_session_data_t *)
+ _dpd.streamAPI->get_application_data(packet->stream_session_ptr, PP_MODBUS);
+
+ if ((packet->payload_size == 0 ) || (session_data == NULL))
+ {
+ return RULE_NOMATCH;
+ }
+
+
+ switch (rule_data->type)
+ {
+ case MODBUS_FUNC:
+ if (session_data->func == rule_data->arg)
+ return RULE_MATCH;
+ break;
+
+ case MODBUS_UNIT:
+ if (session_data->unit == rule_data->arg)
+ return RULE_MATCH;
+ break;
+
+ case MODBUS_DATA:
+ /* XXX: If a PDU contains only the MBAP + Function, should this
+ option fail or set the cursor to the end of the payload? */
+ if (packet->payload_size < MODBUS_MIN_LEN)
+ return RULE_NOMATCH;
+
+ /* Modbus data is always directly after the function code.
*/
+ *cursor = (const uint8_t *) (packet->payload + MODBUS_MIN_LEN);
+ _dpd.SetAltDetect((uint8_t *)*cursor, (uint16_t)(packet->payload_size - MODBUS_MIN_LEN));
+
+ return RULE_MATCH;
+ }
+
+ return RULE_NOMATCH;
+}
+
+
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/modbus/modbus_roptions.h snort-2.9.2/src/dynamic-preprocessors/modbus/modbus_roptions.h
--- snort-2.8.5.2/src/dynamic-preprocessors/modbus/modbus_roptions.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/modbus/modbus_roptions.h 2011-10-26 18:28:52.000000000 +0000
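Review bot: ModbusDataInit calls `strcmp(name, MODBUS_DATA_NAME)` without the `if (name == NULL || data == NULL) return 0;` preamble that ModbusFuncInit and ModbusUnitInit both use, so a NULL name is dereferenced and a NULL data pointer is written through at `*data = (void *)modbus_data;`; the three option-init functions should share the same guard. In ModbusFuncInit, `isdigit(params[0])` passes a plain `char`, which is undefined for negative values where char is signed; use `isdigit((unsigned char)params[0])`. In ModbusRuleEval the MODBUS_DATA case reaches `_dpd.SetAltDetect` with a zero-length buffer when `payload_size == MODBUS_MIN_LEN`, the exact situation the XXX comment leaves open, so the intended behaviour (match with an empty data region, or RULE_NOMATCH via `<=`) should be decided and the comment replaced with the answer. `rule_data` is also never checked against NULL before `rule_data->type` is read.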
@@ -0,0 +1,60 @@
+/*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) 2011 Sourcefire, Inc.
+ *
+ * Author: Ryan Jordan
+ *
+ * Rule options for Modbus preprocessor.
+ *
+ */
+
+#ifndef MODBUS_ROPTIONS_H
+#define MODBUS_ROPTIONS_H
+
+#include
+
+#define MODBUS_FUNC_NAME "modbus_func"
+#define MODBUS_UNIT_NAME "modbus_unit"
+#define MODBUS_DATA_NAME "modbus_data"
+
+/* Data types */
+typedef enum _modbus_option_type_t
+{
+ MODBUS_FUNC = 0,
+ MODBUS_UNIT,
+ MODBUS_DATA
+} modbus_option_type_t;
+
+typedef struct _modbus_option_data_t
+{
+ modbus_option_type_t type;
+ uint16_t arg;
+} modbus_option_data_t;
+
+typedef struct _modbus_func_map_t
+{
+ char *name;
+ uint8_t func;
+} modbus_func_map_t;
+
+int ModbusFuncInit(char *name, char *params, void **data);
+int ModbusUnitInit(char *name, char *params, void **data);
+int ModbusDataInit(char *name, char *params, void **data);
+
+int ModbusRuleEval(void *raw_packet, const uint8_t **cursor, void *data);
+
+#endif /* MODBUS_ROPTIONS_H */
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/modbus/sf_modbus.dsp snort-2.9.2/src/dynamic-preprocessors/modbus/sf_modbus.dsp
--- snort-2.8.5.2/src/dynamic-preprocessors/modbus/sf_modbus.dsp 1970-01-01 00:00:00.000000000 +0000
+++ 
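Review bot: `modbus_func_map_t.name` is declared `char *`, but the only table of this type (func_map in modbus_roptions.c) is initialized from string literals, which must not be written; declaring it `const char *name;` lets the compiler reject any accidental write and allows the table itself to be `static const`. The `arg` field is `uint16_t` while every writer stores a `(uint8_t)` cast after rejecting values above 255, so `uint8_t arg;` would document the range the parsers actually enforce. A one-line comment on each `Modbus*Init` prototype stating that `*data` receives a calloc'd `modbus_option_data_t` owned by the rule engine would also record the ownership that the implementations currently leave implicit.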
snort-2.9.2/src/dynamic-preprocessors/modbus/sf_modbus.dsp 2011-11-21 20:15:24.000000000 +0000 
@@ -0,0 +1,215 @@ +# Microsoft Developer Studio Project File - Name="sf_modbus" - Package Owner=<4> +# Microsoft Developer Studio Generated Build File, Format Version 6.00 +# ** DO NOT EDIT ** + +# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102 + +CFG=sf_modbus - Win32 IPv6 Debug +!MESSAGE This is not a valid makefile. To build this project using NMAKE, +!MESSAGE use the Export Makefile command and run +!MESSAGE +!MESSAGE NMAKE /f "sf_modbus.mak". +!MESSAGE +!MESSAGE You can specify a configuration when running NMAKE +!MESSAGE by defining the macro CFG on the command line. For example: +!MESSAGE +!MESSAGE NMAKE /f "sf_modbus.mak" CFG="sf_modbus - Win32 IPv6 Debug" +!MESSAGE +!MESSAGE Possible choices for configuration are: +!MESSAGE +!MESSAGE "sf_modbus - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_modbus - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_modbus - Win32 IPv6 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_modbus - Win32 IPv6 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE + +# Begin Project +# PROP AllowPerConfigDependencies 0 +# PROP Scc_ProjName "" +# PROP Scc_LocalPath "" +CPP=cl.exe +MTL=midl.exe +RSC=rc.exe + +!IF "$(CFG)" == "sf_modbus - Win32 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "Release" +# PROP BASE Intermediate_Dir "Release" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "Release" +# PROP Intermediate_Dir "Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SF_SNORT_PREPROC_DLL" /D "ENABLE_PAF" /D 
"DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 + +!ELSEIF "$(CFG)" == "sf_modbus - Win32 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "Debug" +# PROP BASE Intermediate_Dir "Debug" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "Debug" +# PROP Intermediate_Dir "Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 
0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept + +!ELSEIF "$(CFG)" == "sf_modbus - Win32 IPv6 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "sf_modbus___Win32_IPv6_Debug" +# PROP BASE Intermediate_Dir "sf_modbus___Win32_IPv6_Debug" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "IPv6_Debug" +# PROP Intermediate_Dir "IPv6_Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /GZ /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# 
ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept + +!ELSEIF "$(CFG)" == "sf_modbus - Win32 IPv6 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "sf_modbus___Win32_IPv6_Release" +# PROP BASE Intermediate_Dir "sf_modbus___Win32_IPv6_Release" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "IPv6_Release" +# PROP Intermediate_Dir "IPv6_Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_SMTP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib 
odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 + +!ENDIF + +# Begin Target + +# Name "sf_modbus - Win32 Release" +# Name "sf_modbus - Win32 Debug" +# Name "sf_modbus - Win32 IPv6 Debug" +# Name "sf_modbus - Win32 IPv6 Release" +# Begin Group "Source Files" + +# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" +# Begin Source File + +SOURCE=.\modbus_decode.c +# End Source File +# Begin Source File + +SOURCE=.\modbus_paf.c +# End Source File +# Begin Source File + +SOURCE=.\modbus_roptions.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_dynamic_preproc_lib.c +# End Source File +# Begin Source File + +SOURCE=..\include\sfPolicyUserData.c +# End Source File +# Begin Source File + +SOURCE=.\spp_modbus.c +# End Source File +# Begin Source File + +SOURCE=..\include\strtok_r.c +# End Source File +# End Group +# Begin Group "Header Files" + +# PROP Default_Filter "h;hpp;hxx;hm;inl" +# Begin Source File + +SOURCE=.\modbus_decode.h +# End Source File +# Begin Source File + +SOURCE=.\modbus_paf.h +# End Source File +# Begin Source File + +SOURCE=.\modbus_roptions.h +# End Source File +# Begin Source File + +SOURCE=.\sf_preproc_info.h +# End Source File +# Begin Source File + +SOURCE=.\spp_modbus.h +# End Source File +# End Group +# Begin Group "Resource Files" + +# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe" +# End Group +# End Target +# End Project diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/modbus/spp_modbus.c snort-2.9.2/src/dynamic-preprocessors/modbus/spp_modbus.c --- snort-2.8.5.2/src/dynamic-preprocessors/modbus/spp_modbus.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/modbus/spp_modbus.c 2011-11-21 20:15:24.000000000 +0000 
@@ -0,0 +1,661 @@
+/*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) 2011 Sourcefire, Inc.
+ *
+ * Author: Ryan Jordan
+ *
+ * Dynamic preprocessor for the Modbus protocol
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif /* HAVE_CONFIG_H */
+
+#include 
+
+#include "sf_types.h"
+#include "sf_snort_packet.h"
+#include "sf_dynamic_preprocessor.h"
+#include "sf_snort_plugin_api.h"
+#include "snort_debug.h"
+
+#include "preprocids.h"
+#include "spp_modbus.h"
+#include "sf_preproc_info.h"
+
+#include "profiler.h"
+#ifdef PERF_PROFILING
+PreprocStats modbusPerfStats;
+#endif
+
+#include "sf_types.h"
+
+#include "modbus_decode.h"
+#include "modbus_roptions.h"
+#include "modbus_paf.h"
+
+const int MAJOR_VERSION = 1;
+const int MINOR_VERSION = 1;
+const int BUILD_VERSION = 1;
+#ifdef SUP_IP6
+const char *PREPROC_NAME = "SF_MODBUS (IPV6)";
+#else
+const char *PREPROC_NAME = "SF_MODBUS";
+#endif
+
+#define SetupModbus DYNAMIC_PREPROC_SETUP
+
+/* Preprocessor config objects */
+static tSfPolicyUserContextId modbus_context_id = NULL;
+#ifdef SNORT_RELOAD
+static tSfPolicyUserContextId modbus_swap_context_id = NULL;
+#endif
+static modbus_config_t *modbus_eval_config = NULL;
+
+
+/* Target-based app ID */
+#ifdef TARGET_BASED
+int16_t modbus_app_id = SFTARGET_UNKNOWN_PROTOCOL;
+#endif
+
+/* Prototypes */
+static void ModbusInit(char *argp);
+static void ModbusOneTimeInit(void);
+static modbus_config_t * ModbusPerPolicyInit(tSfPolicyUserContextId);
+
+static void ProcessModbus(void *, void *);
+
+#ifdef SNORT_RELOAD
+static void ModbusReload(char *);
+static int ModbusReloadVerify(void);
+static void * ModbusReloadSwap(void);
+static void ModbusReloadSwapFree(void *);
+#endif
+
+static void _addPortsToStream5Filter(modbus_config_t *, tSfPolicyId);
+#ifdef TARGET_BASED
+static void _addServicesToStream5Filter(tSfPolicyId);
+#endif
+
+static void ModbusFreeConfig(tSfPolicyUserContextId context_id);
+static void FreeModbusData(void *);
+static void ModbusCheckConfig(void);
+static void ModbusCleanExit(int, void *);
+
+static void ParseModbusArgs(modbus_config_t *config, char *args);
+static void ModbusPrintConfig(modbus_config_t *config);
+
+static int ModbusPortCheck(modbus_config_t *config, SFSnortPacket *packet);
+static modbus_session_data_t * ModbusCreateSessionData(SFSnortPacket *);
+
+/* Register init callback */
+void SetupModbus(void)
+{
+#ifndef SNORT_RELOAD
+ _dpd.registerPreproc("modbus", ModbusInit);
+#else
+ _dpd.registerPreproc("modbus", ModbusInit, ModbusReload,
+ ModbusReloadSwap, ModbusReloadSwapFree);
+#endif
+}
+
+/* Allocate memory for preprocessor config, parse the args, set up callbacks */
+static void ModbusInit(char *argp)
+{
+ modbus_config_t *modbus_policy = NULL;
+
+ if (modbus_context_id == NULL)
+ {
+ ModbusOneTimeInit();
+ }
+
+ modbus_policy = ModbusPerPolicyInit(modbus_context_id);
+
+ ParseModbusArgs(modbus_policy, argp);
+
+ /* Can't add ports until they've been parsed... */
+ ModbusAddPortsToPaf(modbus_policy, _dpd.getParserPolicy());
+
+ ModbusPrintConfig(modbus_policy);
+}
+
+static inline void ModbusOneTimeInit()
+{
+ /* context creation & error checking */
+ modbus_context_id = sfPolicyConfigCreate();
+ if (modbus_context_id == NULL)
+ {
+ _dpd.fatalMsg("%s(%d) Failed to allocate memory for "
+ "Modbus config.\n", *_dpd.config_file, *_dpd.config_line);
+ }
+
+ if (_dpd.streamAPI == NULL)
+ {
+ _dpd.fatalMsg("%s(%d) SetupModbus(): The Stream preprocessor "
+ "must be enabled.\n", *_dpd.config_file, *_dpd.config_line);
+ }
+
+ /* callback registration */
+ _dpd.addPreprocConfCheck(ModbusCheckConfig);
+ _dpd.addPreprocExit(ModbusCleanExit, NULL, PRIORITY_LAST, PP_MODBUS);
+
+#ifdef PERF_PROFILING
+ _dpd.addPreprocProfileFunc("modbus", (void *)&modbusPerfStats, 0, _dpd.totalPerfStats);
+#endif
+
+ /* Set up target-based app id */
+#ifdef TARGET_BASED
+ modbus_app_id = _dpd.findProtocolReference("modbus");
+ if (modbus_app_id == SFTARGET_UNKNOWN_PROTOCOL)
+ modbus_app_id = _dpd.addProtocolReference("modbus");
+#endif
+}
+
+/* Responsible for allocating a Modbus policy. Never returns NULL. */
+static inline modbus_config_t * ModbusPerPolicyInit(tSfPolicyUserContextId context_id)
+{
+ tSfPolicyId policy_id = _dpd.getParserPolicy();
+ modbus_config_t *modbus_policy = NULL;
+
+ /* Check for existing policy & bail if found */
+ sfPolicyUserPolicySet(context_id, policy_id);
+ modbus_policy = (modbus_config_t *)sfPolicyUserDataGetCurrent(context_id);
+ if (modbus_policy != NULL)
+ {
+ _dpd.fatalMsg("%s(%d) Modbus preprocessor can only be "
+ "configured once.\n", *_dpd.config_file, *_dpd.config_line);
+ }
+
+ /* Allocate new policy */
+ modbus_policy = (modbus_config_t *)calloc(1, sizeof(modbus_config_t));
+ if (!modbus_policy)
+ {
+ _dpd.fatalMsg("%s(%d) Could not allocate memory for "
+ "modbus preprocessor configuration.\n"
+ , *_dpd.config_file, *_dpd.config_line);
+ }
+
+ sfPolicyUserDataSetCurrent(context_id, modbus_policy);
+
+ /* Register callbacks that are done for each policy */
+ _dpd.addPreproc(ProcessModbus, PRIORITY_APPLICATION, PP_MODBUS, PROTO_BIT__TCP);
+ _addPortsToStream5Filter(modbus_policy, policy_id);
+#ifdef TARGET_BASED
+ _addServicesToStream5Filter(policy_id);
+#endif
+
+ /* Add preprocessor rule options here */
+ /* _dpd.preprocOptRegister("foo_bar", FOO_init, FOO_rule_eval, free, NULL, NULL, NULL, NULL); */
+ _dpd.preprocOptRegister("modbus_func", ModbusFuncInit, ModbusRuleEval, free, NULL, NULL, NULL, NULL);
+ _dpd.preprocOptRegister("modbus_unit", ModbusUnitInit, ModbusRuleEval, free, NULL, NULL, NULL, NULL);
+ _dpd.preprocOptRegister("modbus_data", ModbusDataInit, ModbusRuleEval, free, NULL, NULL, NULL, NULL);
+
+ return modbus_policy;
+}
+
+static void ParseSinglePort(modbus_config_t *config, char *token)
+{
+ /* single port number */
+ char *endptr;
+ unsigned long portnum = _dpd.SnortStrtoul(token, &endptr, 10);
+
+ if ((*endptr != '\0') || (portnum >= MAX_PORTS))
+ {
+ _dpd.fatalMsg("%s(%d) Bad modbus port number: %s\n"
+ "Port number must be an integer between 0 and 65535.\n",
+ *_dpd.config_file, *_dpd.config_line, token);
+ }
+
+ /* Good port number! */
+ config->ports[PORT_INDEX(portnum)] |= CONV_PORT(portnum);
+}
+
+static void ParseModbusArgs(modbus_config_t *config, char *args)
+{
+ char *saveptr;
+ char *token;
+
+ /* Set default port */
+ config->ports[PORT_INDEX(MODBUS_PORT)] |= CONV_PORT(MODBUS_PORT);
+
+ /* No args? Stick to the default. */
+ if (args == NULL)
+ return;
+
+ token = strtok_r(args, " ", &saveptr);
+ while (token != NULL)
+ {
+ if (strcmp(token, "ports") == 0)
+ {
+ unsigned nPorts = 0;
+
+ /* Un-set the default port */
+ config->ports[PORT_INDEX(MODBUS_PORT)] = 0;
+
+ /* Parse ports */
+ token = strtok_r(NULL, " ", &saveptr);
+
+ if (token == NULL)
+ {
+ _dpd.fatalMsg("%s(%d) Missing argument for Modbus preprocessor "
+ "'ports' option.\n", *_dpd.config_file, *_dpd.config_line);
+ }
+
+ if (isdigit(token[0]))
+ {
+ ParseSinglePort(config, token);
+ nPorts++;
+ }
+
+ else if (*token == '{')
+ {
+ /* list of ports */
+ token = strtok_r(NULL, " ", &saveptr);
+ while (token != NULL && *token != '}')
+ {
+ ParseSinglePort(config, token);
+ nPorts++;
+ token = strtok_r(NULL, " ", &saveptr);
+ }
+ }
+
+ else
+ {
+ nPorts = 0;
+ }
+ if ( nPorts == 0 )
+ {
+ _dpd.fatalMsg("%s(%d) Bad Modbus 'ports' argument: '%s'\n"
+ "Argument to Modbus 'ports' must be an integer, or a list "
+ "enclosed in { } braces.\n", *_dpd.config_file, *_dpd.config_line, token);
+ }
+ }
+ else
+ {
+ _dpd.fatalMsg("%s(%d) Failed to parse modbus argument: %s\n",
+ *_dpd.config_file, *_dpd.config_line, token);
+ }
+
+ token = strtok_r(NULL, " ", &saveptr);
+ }
+
+}
+
+/* Print a Modbus config */
+static void ModbusPrintConfig(modbus_config_t *config)
+{
+ int index;
+ int newline = 1;
+
+ if (config == NULL)
+ return;
+
+ _dpd.logMsg("Modbus config: \n");
+ _dpd.logMsg(" Ports:\n");
+
+ /* Loop through port array & print, 5 ports per line */
+ for (index = 0; index < MAX_PORTS; index++)
+ {
+ if (config->ports[PORT_INDEX(index)] & CONV_PORT(index))
+ {
+ _dpd.logMsg("\t%d", index);
+ if ( !((newline++) % 5) )
+ {
+ _dpd.logMsg("\n");
+ }
+ }
+ }
+ _dpd.logMsg("\n");
+}
+
+/* Main runtime entry point */
+static void ProcessModbus(void *ipacketp, void *contextp)
+{
+ SFSnortPacket *packetp = (SFSnortPacket *)ipacketp;
+ modbus_session_data_t *sessp;
+ PROFILE_VARS;
+
+ /* Sanity checks. Should this preprocessor run? */
+ if (( !packetp ) ||
+ ( !packetp->payload ) ||
+ ( !packetp->payload_size ) ||
+ ( !IPH_IS_VALID(packetp) ) ||
+ ( !packetp->tcp_header ))
+ {
+ return;
+ }
+
+ PREPROC_PROFILE_START(modbusPerfStats);
+
+ /* Fetch me a preprocessor config to use with this VLAN/subnet/etc.! */
+ modbus_eval_config = sfPolicyUserDataGetCurrent(modbus_context_id);
+
+ /* Look for a previously-allocated session data. */
+ sessp = _dpd.streamAPI->get_application_data(packetp->stream_session_ptr, PP_MODBUS);
+
+ if (sessp == NULL)
+ {
+ /* No existing session. Check those ports. */
+ if (ModbusPortCheck(modbus_eval_config, packetp) != MODBUS_OK)
+ {
+ PREPROC_PROFILE_END(modbusPerfStats);
+ return;
+ }
+ }
+
+ if ( !PacketHasFullPDU(packetp) )
+ {
+ /* If a packet is rebuilt, but not a full PDU, then it's garbage that
+ got flushed at the end of a stream. */
+ if ( packetp->flags & (FLAG_REBUILT_STREAM|FLAG_PDU_HEAD) )
+ {
+ _dpd.alertAdd(GENERATOR_SPP_MODBUS, MODBUS_BAD_LENGTH, 1, 0, 3,
+ MODBUS_BAD_LENGTH_STR, 0);
+ }
+
+ PREPROC_PROFILE_END(modbusPerfStats);
+ return;
+ }
+
+ if (sessp == NULL)
+ {
+ /* Create session data and attach it to the Stream5 session */
+ sessp = ModbusCreateSessionData(packetp);
+
+ if ( !sessp )
+ {
+ PREPROC_PROFILE_END(modbusPerfStats);
+ return;
+ }
+ }
+
+ /* When pipelined Modbus PDUs appear in a single TCP segment, the
+ detection engine caches the results of the rule options after
+ evaluating on the first PDU. Setting this flag stops the caching. */
+ packetp->flags |= FLAG_ALLOW_MULTIPLE_DETECT;
+
+ /* Do preprocessor-specific detection stuff here */
+ ModbusDecode(modbus_eval_config, packetp);
+
+ /* That's the end! */
+ PREPROC_PROFILE_END(modbusPerfStats);
+}
+
+/* Check ports & services */
+static int ModbusPortCheck(modbus_config_t *config, SFSnortPacket *packet)
+{
+#ifdef TARGET_BASED
+ int16_t app_id = _dpd.streamAPI->get_application_protocol_id(packet->stream_session_ptr);
+
+ /* call to get_application_protocol_id gave an error */
+ if (app_id == SFTARGET_UNKNOWN_PROTOCOL)
+ return MODBUS_FAIL;
+
+ /* this is positively identified as something non-modbus */
+ if (app_id && (app_id != modbus_app_id))
+ return MODBUS_FAIL;
+
+ /* this is identified as modbus */
+ if (app_id == modbus_app_id)
+ return MODBUS_OK;
+
+ /* fall back to port check */
+#endif
+
+ if (config->ports[PORT_INDEX(packet->src_port)] & CONV_PORT(packet->src_port))
+ return MODBUS_OK;
+
+ if (config->ports[PORT_INDEX(packet->dst_port)] & CONV_PORT(packet->dst_port))
+ return MODBUS_OK;
+
+ return MODBUS_FAIL;
+}
+
+static modbus_session_data_t * ModbusCreateSessionData(SFSnortPacket *packet)
+{
+ modbus_session_data_t *data = NULL;
+
+ /* Sanity Check */
+ if (!packet || !packet->stream_session_ptr)
+ return NULL;
+
+ data = (modbus_session_data_t *)calloc(1, sizeof(modbus_session_data_t));
+
+ if (!data)
+ return NULL;
+
+ /* Attach to Stream5 session */
+ _dpd.streamAPI->set_application_data(packet->stream_session_ptr, PP_MODBUS,
+ data, FreeModbusData);
+
+ /* Not sure when this reference counting stuff got added to the old preprocs */
+ data->policy_id = _dpd.getRuntimePolicy();
+ data->context_id = modbus_context_id;
+ ((modbus_config_t *)sfPolicyUserDataGetCurrent(modbus_context_id))->ref_count++;
+
+ return data;
+}
+
+
+/* Reload functions */
+#ifdef SNORT_RELOAD
+/* Almost like ModbusInit, but not quite. */
+static void ModbusReload(char *args)
+{
+ modbus_config_t *modbus_policy = NULL;
+
+ if (modbus_swap_context_id == NULL)
+ {
+ modbus_swap_context_id = sfPolicyConfigCreate();
+ if (modbus_swap_context_id == NULL)
+ {
+ _dpd.fatalMsg("Failed to allocate memory "
+ "for Modbus config.\n");
+ }
+
+ if (_dpd.streamAPI == NULL)
+ {
+ _dpd.fatalMsg("SetupModbus(): The Stream preprocessor "
+ "must be enabled.\n");
+ }
+ }
+
+ modbus_policy = ModbusPerPolicyInit(modbus_swap_context_id);
+
+ ParseModbusArgs(modbus_policy, args);
+
+ /* Can't add ports until they've been parsed... */
+ ModbusAddPortsToPaf(modbus_policy, _dpd.getParserPolicy());
+
+ ModbusPrintConfig(modbus_policy);
+
+ _dpd.addPreprocReloadVerify(ModbusReloadVerify);
+}
+
+static int ModbusReloadVerify(void)
+{
+ if (!_dpd.isPreprocEnabled(PP_STREAM5))
+ {
+ _dpd.fatalMsg("SetupModbus(): The Stream preprocessor must be enabled.\n");
+ }
+
+ return 0;
+}
+
+static int ModbusFreeUnusedConfigPolicy(
+ tSfPolicyUserContextId context_id,
+ tSfPolicyId policy_id,
+ void *data
+ )
+{
+ modbus_config_t *modbus_config = (modbus_config_t *)data;
+
+ /* do any housekeeping before freeing modbus config */
+ if (modbus_config->ref_count == 0)
+ {
+ sfPolicyUserDataClear(context_id, policy_id);
+ free(modbus_config);
+ }
+
+ return 0;
+}
+
+static void * ModbusReloadSwap(void)
+{
+ tSfPolicyUserContextId old_context_id = modbus_context_id;
+
+ if (modbus_swap_context_id == NULL)
+ return NULL;
+
+ modbus_context_id = modbus_swap_context_id;
+ modbus_swap_context_id = NULL;
+
+ sfPolicyUserDataIterate(old_context_id, ModbusFreeUnusedConfigPolicy);
+
+ if (sfPolicyUserPolicyGetActive(old_context_id) == 0)
+ {
+ /* No more outstanding configs - free the config array */
+ return (void *)old_context_id;
+ }
+
+ return NULL;
+}
+
+static void ModbusReloadSwapFree(void *data)
+{
+ if (data == NULL)
+ return;
+
+ ModbusFreeConfig( (tSfPolicyUserContextId)data );
+}
+#endif
+
+/* Stream5 filter functions */
+static void _addPortsToStream5Filter(modbus_config_t *config, tSfPolicyId policy_id)
+{
+ if (config == NULL)
+ return;
+
+ if (_dpd.streamAPI)
+ {
+ int portNum;
+
+ for (portNum = 0; portNum < MAX_PORTS; portNum++)
+ {
+ if(config->ports[(portNum/8)] & (1<<(portNum%8)))
+ {
+ //Add port the port
+ _dpd.streamAPI->set_port_filter_status(
+ IPPROTO_TCP, (uint16_t)portNum, PORT_MONITOR_SESSION, policy_id, 1);
+ }
+ }
+ }
+
+}
+
+#ifdef TARGET_BASED
+static void _addServicesToStream5Filter(tSfPolicyId policy_id)
+{
+ _dpd.streamAPI->set_service_filter_status(modbus_app_id, PORT_MONITOR_SESSION, policy_id, 1);
+}
+#endif
+
+static int ModbusFreeConfigPolicy(
+ tSfPolicyUserContextId context_id,
+ tSfPolicyId policy_id,
+ void *data
+ )
+{
+ modbus_config_t *modbus_config = (modbus_config_t *)data;
+
+ /* do any housekeeping before freeing modbus_config */
+
+ sfPolicyUserDataClear(context_id, policy_id);
+ free(modbus_config);
+ return 0;
+}
+
+static void ModbusFreeConfig(tSfPolicyUserContextId context_id)
+{
+ if (context_id == NULL)
+ return;
+
+ sfPolicyUserDataIterate(context_id, ModbusFreeConfigPolicy);
+ sfPolicyConfigDelete(context_id);
+}
+
+static int ModbusCheckPolicyConfig(
+ tSfPolicyUserContextId context_id,
+ tSfPolicyId policy_id,
+ void *data
+ )
+{
+ _dpd.setParserPolicy(policy_id);
+
+ if (!_dpd.isPreprocEnabled(PP_STREAM5))
+ {
+ _dpd.fatalMsg("%s(%d) ModbusCheckPolicyConfig(): The Stream preprocessor "
+ "must be enabled.\n", *_dpd.config_file, *_dpd.config_line);
+ }
+ return 0;
+}
+
+static void ModbusCheckConfig(void)
+{
+ sfPolicyUserDataIterate(modbus_context_id, ModbusCheckPolicyConfig);
+}
+
+static void ModbusCleanExit(int signal, void *data)
+{
+ if (modbus_context_id != NULL)
+ {
+ ModbusFreeConfig(modbus_context_id);
+ modbus_context_id = NULL;
+ }
+}
+
+static void FreeModbusData(void *data)
+{
+ modbus_session_data_t *session = (modbus_session_data_t *)data;
+ modbus_config_t *config = NULL;
+
+ if (session == NULL)
+ return;
+
+ if (session->context_id != NULL)
+ {
+ config = (modbus_config_t *)sfPolicyUserDataGet(session->context_id, session->policy_id);
+ }
+
+ if (config != NULL)
+ {
+ config->ref_count--;
+ if ((config->ref_count == 0) &&
+ (session->context_id != modbus_context_id))
+ {
+ sfPolicyUserDataClear(session->context_id, session->policy_id);
+ free(config);
+
+ if (sfPolicyUserPolicyGetActive(session->context_id) == 0)
+ {
+ /* No more outstanding configs - free the config array */
+ ModbusFreeConfig(session->context_id);
+ }
+ }
+ }
+}
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/modbus/spp_modbus.h snort-2.9.2/src/dynamic-preprocessors/modbus/spp_modbus.h
--- snort-2.8.5.2/src/dynamic-preprocessors/modbus/spp_modbus.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/modbus/spp_modbus.h 2011-10-26 18:28:52.000000000 +0000
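Review bot: ProcessModbus uses `modbus_eval_config` without a NULL check after `sfPolicyUserDataGetCurrent(modbus_context_id)`, and ModbusPortCheck immediately indexes `config->ports` through it; ModbusPerPolicyInit's own `if (modbus_policy != NULL)` test shows that lookup can yield NULL, so a runtime policy with no modbus configuration would dereference NULL on the first packet that has no session yet. The guard this file already uses for sessions fits here, placed right after the lookup: `if (modbus_eval_config == NULL) { PREPROC_PROFILE_END(modbusPerfStats); return; }`. Separately, in ParseModbusArgs a `ports {` option with nothing after the brace leaves `token` NULL, the list loop never runs, and that NULL is then passed to the `'%s'` of the "Bad Modbus 'ports' argument" fatalMsg; testing `token == NULL` before that message (or reporting the unterminated list explicitly, since a list missing its closing `}` is otherwise accepted silently) avoids the undefined format argument.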
@@ -0,0 +1,73 @@
+/*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) 2011 Sourcefire, Inc.
+ *
+ * Author: Ryan Jordan
+ *
+ * Dynamic preprocessor for the Modbus protocol
+ *
+ */
+
+#ifndef SPP_MODBUS_H
+#define SPP_MODBUS_H
+
+#include "sf_types.h"
+#include "sfPolicy.h"
+#include "sfPolicyUserData.h"
+
+#define MAX_PORTS 65536
+
+/* Default MODBUS port */
+#define MODBUS_PORT 502
+
+/* Convert port value into an index for the modbus_config->ports array */
+#define PORT_INDEX(port) port/8
+
+/* Convert port value into a value for bitwise operations */
+#define CONV_PORT(port) 1<<(port%8)
+
+/* Session data flags */
+#define MODBUS_FUNC_RULE_FIRED 0x0001
+#define MODBUS_UNIT_RULE_FIRED 0x0002
+#define MODBUS_DATA_RULE_FIRED 0x0004
+
+/* Modbus preprocessor configuration */
+typedef struct _modbus_config
+{
+ char ports[MAX_PORTS/8];
+
+ int ref_count;
+} modbus_config_t;
+
+/* Modbus session data */
+typedef struct _modbus_session_data
+{
+ uint8_t func;
+ uint8_t unit;
+ uint16_t flags;
+
+ tSfPolicyId policy_id;
+ tSfPolicyUserContextId context_id;
+} modbus_session_data_t;
+
+#define MODBUS_PORTS_KEYWORD "ports"
+#define MODBUS_MEMCAP_KEYWORD "memcap"
+
+#define MODBUS_OK 1
+#define MODBUS_FAIL (-1)
+
+#endif /* SPP_MODBUS_H */
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/pop/Makefile.am snort-2.9.2/src/dynamic-preprocessors/pop/Makefile.am
--- snort-2.8.5.2/src/dynamic-preprocessors/pop/Makefile.am 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/pop/Makefile.am 2011-07-13 22:44:51.000000000 +0000
@@ -0,0 +1,41 @@
+## $Id
+AUTOMAKE_OPTIONS=foreign no-dependencies
+
+INCLUDES = -I../include -I${srcdir}/../libs
+
+libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor
+
+lib_LTLIBRARIES = libsf_pop_preproc.la
+
+libsf_pop_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@
+if SO_WITH_STATIC_LIB
+libsf_pop_preproc_la_LIBADD = ../libsf_dynamic_preproc.la
+else
+nodist_libsf_pop_preproc_la_SOURCES = \
+../include/sf_dynamic_preproc_lib.c \
+../include/mempool.c \
+../include/sf_sdlist.c \
+../include/util_unfold.c \
+../include/sf_base64decode.c \
+../include/sf_email_attach_decode.c \
+../include/sfPolicyUserData.c
+endif
+
+libsf_pop_preproc_la_SOURCES = \
+pop_config.c \
+pop_config.h \
+pop_log.c \
+pop_log.h \
+pop_util.c \
+pop_util.h \
+snort_pop.c \
+snort_pop.h \
+spp_pop.c \
+spp_pop.h
+
+EXTRA_DIST = \
+sf_pop.dsp
+
+all-local: $(LTLIBRARIES)
+ $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES
+
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/pop/Makefile.in snort-2.9.2/src/dynamic-preprocessors/pop/Makefile.in
--- snort-2.8.5.2/src/dynamic-preprocessors/pop/Makefile.in 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/pop/Makefile.in 2011-12-07 19:23:20.000000000 +0000
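Review bot: `PORT_INDEX` and `CONV_PORT` in spp_modbus.h expand without parentheses (`port/8` and `1<<(port%8)`), so any argument that is itself an expression, or any expansion that meets a higher-precedence operator, silently changes meaning; the present call sites happen to pass simple operands and combine `CONV_PORT` only with `&` and `|=`, which bind looser than `<<`, so the bug is latent rather than live. The safer definitions are `#define PORT_INDEX(port) ((port)/8)` and `#define CONV_PORT(port) (1<<((port)%8))`. The port bitmap is also declared `char ports[MAX_PORTS/8]`, so setting bit 7 with `|= CONV_PORT(...)` stores 128 into a possibly signed char, an implementation-defined conversion that the later `&` tests only survive by integer promotion; `uint8_t`, which the session struct in the same header already uses, states the intent and removes the question.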
@@ -0,0 +1,580 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/dynamic-preprocessors/pop +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 
+am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(libdir)" +LTLIBRARIES = $(lib_LTLIBRARIES) +@SO_WITH_STATIC_LIB_TRUE@libsf_pop_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la +am_libsf_pop_preproc_la_OBJECTS = pop_config.lo pop_log.lo pop_util.lo \ + snort_pop.lo spp_pop.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_pop_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo mempool.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sf_sdlist.lo util_unfold.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sf_base64decode.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sf_email_attach_decode.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo +libsf_pop_preproc_la_OBJECTS = $(am_libsf_pop_preproc_la_OBJECTS) \ + $(nodist_libsf_pop_preproc_la_OBJECTS) +libsf_pop_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libsf_pop_preproc_la_LDFLAGS) $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = +am__depfiles_maybe = +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) 
$(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libsf_pop_preproc_la_SOURCES) \ + $(nodist_libsf_pop_preproc_la_SOURCES) +DIST_SOURCES = $(libsf_pop_preproc_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ +CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAINT = @MAINT@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = 
@PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ +STRIP = @STRIP@ +VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ +YACC = @YACC@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +extra_incl = @extra_incl@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +AUTOMAKE_OPTIONS = foreign no-dependencies +lib_LTLIBRARIES = 
libsf_pop_preproc.la +libsf_pop_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +@SO_WITH_STATIC_LIB_TRUE@libsf_pop_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_pop_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/mempool.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_sdlist.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/util_unfold.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_base64decode.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_email_attach_decode.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c + +libsf_pop_preproc_la_SOURCES = \ +pop_config.c \ +pop_config.h \ +pop_log.c \ +pop_log.h \ +pop_util.c \ +pop_util.h \ +snort_pop.c \ +snort_pop.h \ +spp_pop.c \ +spp_pop.h + +EXTRA_DIST = \ +sf_pop.dsp + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/pop/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-preprocessors/pop/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-libLTLIBRARIES: $(lib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } + +uninstall-libLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ + done + +clean-libLTLIBRARIES: + -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) + @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done 
+libsf_pop_preproc.la: $(libsf_pop_preproc_la_OBJECTS) $(libsf_pop_preproc_la_DEPENDENCIES) + $(libsf_pop_preproc_la_LINK) -rpath $(libdir) $(libsf_pop_preproc_la_OBJECTS) $(libsf_pop_preproc_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +.c.o: + $(COMPILE) -c $< + +.c.obj: + $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: + $(LTCOMPILE) -c -o $@ $< + +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +mempool.lo: ../include/mempool.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mempool.lo `test -f '../include/mempool.c' || echo '$(srcdir)/'`../include/mempool.c + +sf_sdlist.lo: ../include/sf_sdlist.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_sdlist.lo `test -f '../include/sf_sdlist.c' || echo '$(srcdir)/'`../include/sf_sdlist.c + +util_unfold.lo: ../include/util_unfold.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o util_unfold.lo `test -f '../include/util_unfold.c' || echo '$(srcdir)/'`../include/util_unfold.c + +sf_base64decode.lo: ../include/sf_base64decode.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_base64decode.lo `test -f '../include/sf_base64decode.c' || echo 
'$(srcdir)/'`../include/sf_base64decode.c + +sf_email_attach_decode.lo: ../include/sf_email_attach_decode.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_email_attach_decode.lo `test -f '../include/sf_email_attach_decode.c' || echo '$(srcdir)/'`../include/sf_email_attach_decode.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) 
$(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) all-local +installdirs: + for dir in "$(DESTDIR)$(libdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-libLTLIBRARIES + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-libLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-libLTLIBRARIES install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-libLTLIBRARIES + + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/pop/pop_config.c snort-2.9.2/src/dynamic-preprocessors/pop/pop_config.c --- snort-2.8.5.2/src/dynamic-preprocessors/pop/pop_config.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/pop/pop_config.c 2011-10-26 18:28:52.000000000 +0000 
@@ -0,0 +1,630 @@ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +/*************************************************************************** + * pop_config.c + * + * Author: Bhagyashree Bantwal + * + * Description: + * + * Handle configuration of the POP preprocessor + * + * Entry point functions: + * + * POP_ParseArgs() + * + ***************************************************************************/ + +#include +#include +#include +#include +#include + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "snort_pop.h" +#include "pop_config.h" +#include "snort_bounds.h" +#include "sf_dynamic_preprocessor.h" +#include "sfPolicy.h" + + +/* Global variable to hold configuration */ +extern POPConfig **pop_config; + +extern const POPToken pop_known_cmds[]; + +/* Private functions */ +static int ProcessPorts(POPConfig *, char *, int); +static int ProcessPopMemcap(POPConfig *, char *, int); +static int ProcessDecodeDepth(POPConfig *, char *, int, char *, DecodeType); + +/* + * Function: POP_ParseArgs(char 
*) + * + * Purpose: Process the preprocessor arguments from the rules file and + * initialize the preprocessor's data struct. This function doesn't + * have to exist if it makes sense to parse the args in the init + * function. + * + * Arguments: args => argument list + * + * Returns: void function + * + */ +void POP_ParseArgs(POPConfig *config, char *args) +{ + int ret = 0; + char *arg; + char errStr[ERRSTRLEN]; + int errStrLen = ERRSTRLEN; + + if ((config == NULL) || (args == NULL)) + return; + + config->ports[POP_DEFAULT_SERVER_PORT / 8] |= 1 << (POP_DEFAULT_SERVER_PORT % 8); + config->memcap = DEFAULT_POP_MEMCAP; + config->b64_depth = DEFAULT_DEPTH; + config->qp_depth = DEFAULT_DEPTH; + config->uu_depth = DEFAULT_DEPTH; + config->bitenc_depth = DEFAULT_DEPTH; + config->max_depth = MIN_DEPTH; + + *errStr = '\0'; + + arg = strtok(args, CONF_SEPARATORS); + + while ( arg != NULL ) + { + if ( !strcasecmp(CONF_PORTS, arg) ) + { + ret = ProcessPorts(config, errStr, errStrLen); + } + else if ( !strcasecmp(CONF_POP_MEMCAP, arg) ) + { + ret = ProcessPopMemcap(config, errStr, errStrLen); + } + else if ( !strcasecmp(CONF_B64_DECODE, arg) ) + { + ret = ProcessDecodeDepth(config, errStr, errStrLen, CONF_B64_DECODE, DECODE_B64); + } + else if ( !strcasecmp(CONF_QP_DECODE, arg) ) + { + ret = ProcessDecodeDepth(config, errStr, errStrLen, CONF_QP_DECODE, DECODE_QP); + } + else if ( !strcasecmp(CONF_UU_DECODE, arg) ) + { + ret = ProcessDecodeDepth(config, errStr, errStrLen, CONF_UU_DECODE, DECODE_UU); + } + else if ( !strcasecmp(CONF_BITENC_DECODE, arg) ) + { + ret = ProcessDecodeDepth(config, errStr, errStrLen, CONF_BITENC_DECODE, DECODE_BITENC); + } + else if ( !strcasecmp(CONF_DISABLED, arg) ) + { + config->disabled = 1; + } + else + { + DynamicPreprocessorFatalMessage("%s(%d) => Unknown POP configuration option %s\n", + *(_dpd.config_file), *(_dpd.config_line), arg); + } + + if (ret == -1) + { + /* + ** Fatal Error, log error and exit. 
+ */ + if (*errStr) + { + DynamicPreprocessorFatalMessage("%s(%d) => %s\n", + *(_dpd.config_file), *(_dpd.config_line), errStr); + } + else + { + DynamicPreprocessorFatalMessage("%s(%d) => Undefined Error.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + } + + /* Get next token */ + arg = strtok(NULL, CONF_SEPARATORS); + } + +} + +int POP_IsDecodingEnabled(POPConfig *pPolicyConfig) +{ + if( (pPolicyConfig->b64_depth > -1) || (pPolicyConfig->qp_depth > -1) + || (pPolicyConfig->uu_depth > -1) || (pPolicyConfig->bitenc_depth > -1) ) + { + return 0; + } + else + return -1; + +} + +void POP_CheckConfig(POPConfig *pPolicyConfig, tSfPolicyUserContextId context) +{ + int max = -1; + POPConfig *defaultConfig = + (POPConfig *)sfPolicyUserDataGetDefault(context); + + if (pPolicyConfig == defaultConfig) + { + if (!pPolicyConfig->memcap) + pPolicyConfig->memcap = DEFAULT_POP_MEMCAP; + + if(!pPolicyConfig->b64_depth || !pPolicyConfig->qp_depth + || !pPolicyConfig->uu_depth || !pPolicyConfig->bitenc_depth) + { + pPolicyConfig->max_depth = MAX_DEPTH; + return; + } + else + { + if(max < pPolicyConfig->b64_depth) + max = pPolicyConfig->b64_depth; + + if(max < pPolicyConfig->qp_depth) + max = pPolicyConfig->qp_depth; + + if(max < pPolicyConfig->bitenc_depth) + max = pPolicyConfig->bitenc_depth; + + if(max < pPolicyConfig->uu_depth) + max = pPolicyConfig->uu_depth; + + pPolicyConfig->max_depth = max; + } + + } + else if (defaultConfig == NULL) + { + if (pPolicyConfig->memcap) + { + DynamicPreprocessorFatalMessage("%s(%d) => POP: memcap must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if (pPolicyConfig->b64_depth > -1) + { + DynamicPreprocessorFatalMessage("%s(%d) => POP: b64_decode_depth must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if (pPolicyConfig->qp_depth > -1) + { + DynamicPreprocessorFatalMessage("%s(%d) => POP: qp_decode_depth must be " + "configured in the 
default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if (pPolicyConfig->uu_depth > -1) + { + DynamicPreprocessorFatalMessage("%s(%d) => POP: uu_decode_depth must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if (pPolicyConfig->bitenc_depth > -1) + { + DynamicPreprocessorFatalMessage("%s(%d) => POP: bitenc_decode_depth must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + } + else + { + pPolicyConfig->memcap = defaultConfig->memcap; + pPolicyConfig->max_depth = defaultConfig->max_depth; + + if(pPolicyConfig->disabled) + { + pPolicyConfig->b64_depth = defaultConfig->b64_depth; + pPolicyConfig->qp_depth = defaultConfig->qp_depth; + pPolicyConfig->uu_depth = defaultConfig->uu_depth; + pPolicyConfig->bitenc_depth = defaultConfig->bitenc_depth; + return; + } + if(!pPolicyConfig->b64_depth && defaultConfig->b64_depth) + { + DynamicPreprocessorFatalMessage("%s(%d) => POP: Cannot enable unlimited Base64 decoding" + " in non-default config without turning on unlimited Base64 decoding in the default " + " config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + else if(defaultConfig->b64_depth && (pPolicyConfig->b64_depth > defaultConfig->b64_depth)) + { + DynamicPreprocessorFatalMessage("%s(%d) => POP: b64_decode_depth value %d in non-default config" + " cannot exceed default config's value %d.\n", + *(_dpd.config_file), *(_dpd.config_line), pPolicyConfig->b64_depth, defaultConfig->b64_depth); + } + + if(!pPolicyConfig->qp_depth && defaultConfig->qp_depth) + { + DynamicPreprocessorFatalMessage("%s(%d) => POP: Cannot enable unlimited Quoted-Printable decoding" + " in non-default config without turning on unlimited Quoted-Printable decoding in the default " + " config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + else if(defaultConfig->qp_depth && (pPolicyConfig->qp_depth > defaultConfig->qp_depth)) + { + 
DynamicPreprocessorFatalMessage("%s(%d) => POP: qp_decode_depth value %d in non-default config" + " cannot exceed default config's value %d.\n", + *(_dpd.config_file), *(_dpd.config_line), pPolicyConfig->qp_depth, defaultConfig->qp_depth); + } + + if(!pPolicyConfig->uu_depth && defaultConfig->uu_depth ) + { + DynamicPreprocessorFatalMessage("%s(%d) => POP: Cannot enable unlimited Unix-to-Unix decoding" + " in non-default config without turning on unlimited Unix-to-Unix decoding in the default " + " config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + else if(defaultConfig->uu_depth && (pPolicyConfig->uu_depth > defaultConfig->uu_depth)) + { + DynamicPreprocessorFatalMessage("%s(%d) => POP: uu_decode_depth value %d in the non-default config" + " cannot exceed default config's value %d.\n", + *(_dpd.config_file), *(_dpd.config_line),pPolicyConfig->uu_depth, defaultConfig->uu_depth); + } + + if(!pPolicyConfig->bitenc_depth && defaultConfig->bitenc_depth) + { + DynamicPreprocessorFatalMessage("%s(%d) => POP: Cannot enable unlimited 7bit/8bit/binary extraction" + " in non-default config without turning on unlimited 7bit/8bit/binary extraction in the default " + " config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + else if(defaultConfig->bitenc_depth && (pPolicyConfig->bitenc_depth > defaultConfig->bitenc_depth)) + { + DynamicPreprocessorFatalMessage("%s(%d) => POP: bitenc_decode_depth value %d in non-default config" + " cannot exceed default config's value %d.\n", + *(_dpd.config_file), *(_dpd.config_line), pPolicyConfig->bitenc_depth, defaultConfig->bitenc_depth); + } + + pPolicyConfig->memcap = defaultConfig->memcap; + pPolicyConfig->max_depth = defaultConfig->max_depth; + } +} + +void POP_PrintConfig(POPConfig *config) +{ + int i; + int j = 0; + char buf[8192]; + + if (config == NULL) + return; + + memset(&buf[0], 0, sizeof(buf)); + + _dpd.logMsg("POP Config:\n"); + + if(config->disabled) + _dpd.logMsg(" POP: INACTIVE\n"); + + snprintf(buf, 
sizeof(buf) - 1, " Ports: "); + + for (i = 0; i < 65536; i++) + { + if (config->ports[i / 8] & (1 << (i % 8))) + { + j++; + _dpd.printfappend(buf, sizeof(buf) - 1, "%d ", i); + if(!(j%10)) + _dpd.printfappend(buf, sizeof(buf) - 1, "\n "); + } + } + + _dpd.logMsg("%s\n", buf); + + + _dpd.logMsg(" POP Memcap: %u\n", + config->memcap); + + if(config->b64_depth > -1) + { + _dpd.logMsg(" Base64 Decoding: %s\n", "Enabled"); + switch(config->b64_depth) + { + case 0: + _dpd.logMsg(" Base64 Decoding Depth: %s\n", "Unlimited"); + break; + default: + _dpd.logMsg(" Base64 Decoding Depth: %d\n", config->b64_depth); + break; + } + } + else + _dpd.logMsg(" Base64 Decoding: %s\n", "Disabled"); + + if(config->qp_depth > -1) + { + _dpd.logMsg(" Quoted-Printable Decoding: %s\n","Enabled"); + switch(config->qp_depth) + { + case 0: + _dpd.logMsg(" Quoted-Printable Decoding Depth: %s\n", "Unlimited"); + break; + default: + _dpd.logMsg(" Quoted-Printable Decoding Depth: %d\n", config->qp_depth); + break; + } + } + else + _dpd.logMsg(" Quoted-Printable Decoding: %s\n", "Disabled"); + + if(config->uu_depth > -1) + { + _dpd.logMsg(" Unix-to-Unix Decoding: %s\n","Enabled"); + switch(config->uu_depth) + { + case 0: + _dpd.logMsg(" Unix-to-Unix Decoding Depth: %s\n", "Unlimited"); + break; + default: + _dpd.logMsg(" Unix-to-Unix Decoding Depth: %d\n", config->uu_depth); + break; + } + } + else + _dpd.logMsg(" Unix-to-Unix Decoding: %s\n", "Disabled"); + + if(config->bitenc_depth > -1) + { + _dpd.logMsg(" 7bit/8bit/binary Extraction: %s\n","Enabled"); + switch(config->bitenc_depth) + { + case 0: + _dpd.logMsg(" 7bit/8bit/binary Extraction Depth: %s\n", "Unlimited"); + break; + default: + _dpd.logMsg(" 7bit/8bit/binary Extraction Depth: %d\n", config->bitenc_depth); + break; + } + } + else + _dpd.logMsg(" 7bit/8bit/binary Extraction: %s\n", "Disabled"); + +} + +/* +** NAME +** ProcessPorts:: +*/ +/** +** Process the port list. 
+** +** This configuration is a list of valid ports and is ended by a +** delimiter. +** +** @param ErrorString error string buffer +** @param ErrStrLen the length of the error string buffer +** +** @return an error code integer +** (0 = success, >0 = non-fatal error, <0 = fatal error) +** +** @retval 0 successs +** @retval -1 generic fatal error +** @retval 1 generic non-fatal error +*/ +static int ProcessPorts(POPConfig *config, char *ErrorString, int ErrStrLen) +{ + char *pcToken; + char *pcEnd; + int iPort; + int iEndPorts = 0; + int num_ports = 0; + + if (config == NULL) + { + snprintf(ErrorString, ErrStrLen, "POP config is NULL.\n"); + return -1; + } + + pcToken = strtok(NULL, CONF_SEPARATORS); + if(!pcToken) + { + snprintf(ErrorString, ErrStrLen, "Invalid port list format."); + return -1; + } + + if(strcmp(CONF_START_LIST, pcToken)) + { + snprintf(ErrorString, ErrStrLen, + "Must start a port list with the '%s' token.", CONF_START_LIST); + + return -1; + } + + /* Since ports are specified, clear default ports */ + config->ports[POP_DEFAULT_SERVER_PORT / 8] &= ~(1 << (POP_DEFAULT_SERVER_PORT % 8)); + + while ((pcToken = strtok(NULL, CONF_SEPARATORS)) != NULL) + { + if(!strcmp(CONF_END_LIST, pcToken)) + { + iEndPorts = 1; + break; + } + + iPort = strtol(pcToken, &pcEnd, 10); + + /* + ** Validity check for port + */ + if(*pcEnd) + { + snprintf(ErrorString, ErrStrLen, + "Invalid port number."); + + return -1; + } + + if(iPort < 0 || iPort > MAXPORTS-1) + { + snprintf(ErrorString, ErrStrLen, + "Invalid port number. 
Must be between 0 and 65535."); + + return -1; + } + + config->ports[iPort / 8] |= (1 << (iPort % 8)); + num_ports++; + } + + if(!iEndPorts) + { + snprintf(ErrorString, ErrStrLen, + "Must end '%s' configuration with '%s'.", + CONF_PORTS, CONF_END_LIST); + + return -1; + } + else if(!num_ports) + { + snprintf(ErrorString, ErrStrLen, + "POP: Empty port list not allowed."); + return -1; + } + + return 0; +} + +static int ProcessPopMemcap(POPConfig *config, char *ErrorString, int ErrStrLen) +{ + char *endptr; + char *value; + uint32_t pop_memcap = 0; + if (config == NULL) + { + snprintf(ErrorString, ErrStrLen, "POP config is NULL.\n"); + return -1; + } + + value = strtok(NULL, CONF_SEPARATORS); + if ( value == NULL ) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for POP config option 'memcap'."); + return -1; + } + pop_memcap = strtoul(value, &endptr, 10); + + if((value[0] == '-') || (*endptr != '\0')) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for POP config option 'memcap'."); + return -1; + } + + if (pop_memcap < MIN_POP_MEMCAP || pop_memcap > MAX_POP_MEMCAP) + { + snprintf(ErrorString, ErrStrLen, + "Invalid value for memcap." 
+ "It should range between %d and %d.", + MIN_POP_MEMCAP, MAX_POP_MEMCAP); + return -1; + } + + config->memcap = pop_memcap; + return 0; +} + + +static int ProcessDecodeDepth(POPConfig *config, char *ErrorString, int ErrStrLen, char *decode_type, DecodeType type) +{ + char *endptr; + char *value; + int decode_depth = 0; + if (config == NULL) + { + snprintf(ErrorString, ErrStrLen, "POP config is NULL.\n"); + return -1; + } + + value = strtok(NULL, CONF_SEPARATORS); + if ( value == NULL ) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for POP config option '%s'.", decode_type); + return -1; + } + decode_depth = strtol(value, &endptr, 10); + + if(*endptr) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for POP config option '%s'.", decode_type); + return -1; + } + if(decode_depth < MIN_DEPTH || decode_depth > MAX_DEPTH) + { + snprintf(ErrorString, ErrStrLen, + "Invalid value for POP config option '%s'." + "It should range between %d and %d.", + decode_type, MIN_DEPTH, MAX_DEPTH); + return -1; + } + + switch(type) + { + case DECODE_B64: + if((decode_depth > 0) && (decode_depth & 3)) + { + decode_depth += 4 - (decode_depth & 3); + + if(decode_depth > MAX_DEPTH ) + { + decode_depth = decode_depth - 4; + } + _dpd.logMsg("WARNING: %s(%d) => POP: 'b64_decode_depth' is not a multiple of 4. " + "Rounding up to the next multiple of 4. 
The new 'b64_decode_depth' is %d.\n", + *(_dpd.config_file), *(_dpd.config_line), decode_depth); + + } + config->b64_depth = decode_depth; + break; + case DECODE_QP: + config->qp_depth = decode_depth; + break; + case DECODE_UU: + config->uu_depth = decode_depth; + break; + case DECODE_BITENC: + config->bitenc_depth = decode_depth; + break; + default: + return -1; + } + + return 0; +} diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/pop/pop_config.h snort-2.9.2/src/dynamic-preprocessors/pop/pop_config.h --- snort-2.8.5.2/src/dynamic-preprocessors/pop/pop_config.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/pop/pop_config.h 2011-07-13 22:44:51.000000000 +0000 
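Review bot: In ProcessPopMemcap the `unsigned long` result of `strtoul()` is stored straight into the `uint32_t pop_memcap` before the MIN_POP_MEMCAP/MAX_POP_MEMCAP check, so on LP64 hosts a constructed input like `4294970572` (2^32 + 3276) is silently truncated to 3276 and accepted as if that were the configured limit, and ERANGE is never consulted. Parse into the full-width type and validate that: `errno = 0; unsigned long parsed = strtoul(value, &endptr, 10);`, then `if ((value[0] == '-') || (*endptr != '\0') || (errno == ERANGE) || (parsed < MIN_POP_MEMCAP) || (parsed > MAX_POP_MEMCAP)) { /* existing error path */ }`, and finally `config->memcap = (uint32_t)parsed;` (this needs `<errno.h>`; the hunk's `#include` names were stripped in this rendering, so confirm it is present). ProcessDecodeDepth has the same narrowing — `strtol()`'s `long` is assigned to `int decode_depth` ahead of the MIN_DEPTH/MAX_DEPTH check, and the out-of-range conversion is implementation-defined (it wraps in practice) — so it should parse into a `long` and range-check before assigning. A smaller style point: every Process* helper continues the caller's `strtok()` sequence via `strtok(NULL, …)`, which couples them to POP_ParseArgs through static state; passing a `strtok_r` save pointer down would make that dependency explicit.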
@@ -0,0 +1,107 @@
+/****************************************************************************
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+/***************************************************************************
+ *
+ * pop_config.h
+ *
+ * Author: Bhagyashree Bantwal
+ *
+ ***************************************************************************/
+
+#ifndef __POP_CONFIG_H__
+#define __POP_CONFIG_H__
+
+#include "sfPolicyUserData.h"
+#define CONF_SEPARATORS " \t\n\r"
+#define CONF_PORTS "ports"
+#define CONF_POP_MEMCAP "memcap"
+#define CONF_B64_DECODE "b64_decode_depth"
+#define CONF_QP_DECODE "qp_decode_depth"
+#define CONF_BITENC_DECODE "bitenc_decode_depth"
+#define CONF_UU_DECODE "uu_decode_depth"
+#define CONF_DISABLED "disabled"
+#define CONF_START_LIST "{"
+#define CONF_END_LIST "}"
+
+/*These are temporary values*/
+
+#define DEFAULT_POP_MEMCAP 838860
+#define DEFAULT_DEPTH 1464
+#define MAX_POP_MEMCAP 104857600
+#define MIN_POP_MEMCAP 3276
+#define MAX_DEPTH 65535
+#define MIN_DEPTH -1
+#define POP_DEFAULT_SERVER_PORT 110 /* POP normally runs on port 110 */
+
+#define ERRSTRLEN 512
+
+typedef struct _POPSearch
+{
+ char *name;
+ int name_len;
+
+} POPSearch;
+
+typedef struct _POPToken
+{
+ char *name;
+ int name_len;
+ int search_id;
+
+} POPToken;
+
+typedef struct _POPCmdConfig
+{
+ char alert; /* 1 if alert when seen */
+ char normalize; /* 1 if we should normalize this command */
+ int max_line_len; /* Max length of this particular command */
+
+} POPCmdConfig;
+
+typedef struct _POPConfig
+{
+ char ports[8192];
+ uint32_t memcap;
+ int max_depth;
+ int b64_depth;
+ int qp_depth;
+ int bitenc_depth;
+ int uu_depth;
+ POPToken *cmds;
+ POPSearch *cmd_search;
+ void *cmd_search_mpse;
+ int num_cmds;
+ int disabled;
+
+ int ref_count;
+
+} POPConfig;
+
+/* Function prototypes */
+void POP_ParseArgs(POPConfig *, char *);
+void POP_PrintConfig(POPConfig *config);
+
+void POP_CheckConfig(POPConfig *, tSfPolicyUserContextId);
+int POP_IsDecodingEnabled(POPConfig *);
+
+#endif
+
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/pop/pop_log.c snort-2.9.2/src/dynamic-preprocessors/pop/pop_log.c
--- snort-2.8.5.2/src/dynamic-preprocessors/pop/pop_log.c 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/pop/pop_log.c 2011-10-26 18:28:52.000000000 +0000
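Review bot: The include guard `__POP_CONFIG_H__` and the struct tags `_POPSearch`, `_POPToken`, `_POPCmdConfig` and `_POPConfig` are identifiers reserved for the implementation (any double underscore, or a leading underscore followed by an uppercase letter), so a toolchain is free to define them itself; `POP_CONFIG_H` and tags such as `POPSearch_s` avoid the clash. pop_log.h (`__POP_LOG_H__`) and pop_util.h (`__POP_UTIL_H__`) carry the same guard style. The `/*These are temporary values*/` comment above the memcap and depth limits leaves the reader unsure whether `MIN_POP_MEMCAP 3276` and `DEFAULT_DEPTH 1464` are tuned or placeholders; either drop it or say how the limits are used, e.g. `/* Bounds enforced by ProcessMemcap()/ProcessDecodeDepth() in pop_config.c; a depth of MIN_DEPTH (-1) is treated as "not enabled" by the > -1 checks in pop_util.c */`.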
@@ -0,0 +1,111 @@
+/****************************************************************************
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+/**************************************************************************
+ *
+ * pop_log.c
+ *
+ * Author: Bhagyashree Bantwal
+ *
+ * Description:
+ *
+ * This file handles POP alerts.
+ *
+ * Entry point functions:
+ *
+ * POP_GenerateAlert()
+ *
+ *
+ **************************************************************************/
+
+#include
+#include
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "sf_types.h"
+#include "snort_debug.h"
+#include "pop_config.h"
+#include "pop_log.h"
+#include "snort_pop.h"
+#include "sf_dynamic_preprocessor.h"
+
+extern POPConfig *pop_eval_config;
+extern POP *pop_ssn;
+
+char pop_event[POP_EVENT_MAX][EVENT_STR_LEN];
+
+
+void POP_GenerateAlert(int event, char *format, ...)
+{
+ va_list ap;
+
+ /* Only log a specific alert once per session */
+ if (pop_ssn->alert_mask & (1 << event))
+ {
+#ifdef DEBUG_MSGS
+ DEBUG_WRAP(DebugMessage(DEBUG_POP, "Already alerted on: %s - "
+ "ignoring event.\n", pop_event[event]););
+#endif
+ return;
+ }
+
+ /* set bit for this alert so we don't alert on again
+ * in this session */
+ pop_ssn->alert_mask |= (1 << event);
+
+ va_start(ap, format);
+
+ pop_event[event][0] = '\0';
+ vsnprintf(&pop_event[event][0], EVENT_STR_LEN - 1, format, ap);
+ pop_event[event][EVENT_STR_LEN - 1] = '\0';
+
+ _dpd.alertAdd(GENERATOR_SPP_POP, event, 1, 0, 3, &pop_event[event][0], 0);
+
+ DEBUG_WRAP(DebugMessage(DEBUG_POP, "POP Alert generated: %s\n", pop_event[event]););
+
+ va_end(ap);
+}
+
+void POP_DecodeAlert(void)
+{
+ switch( pop_ssn->decode_state->decode_type )
+ {
+ case DECODE_B64:
+ POP_GenerateAlert(POP_B64_DECODING_FAILED, "%s", POP_B64_DECODING_FAILED_STR);
+ break;
+ case DECODE_QP:
+ POP_GenerateAlert(POP_QP_DECODING_FAILED, "%s", POP_QP_DECODING_FAILED_STR);
+ break;
+ case DECODE_UU:
+ POP_GenerateAlert(POP_UU_DECODING_FAILED, "%s", POP_UU_DECODING_FAILED_STR);
+ break;
+ case DECODE_BITENC:
+ POP_GenerateAlert(POP_BITENC_DECODING_FAILED, "%s", POP_BITENC_DECODING_FAILED_STR);
+ break;
+
+ default:
+ break;
+ }
+}
+
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/pop/pop_log.h snort-2.9.2/src/dynamic-preprocessors/pop/pop_log.h
--- snort-2.8.5.2/src/dynamic-preprocessors/pop/pop_log.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/pop/pop_log.h 2011-06-08 00:33:14.000000000 +0000
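Review bot: POP_GenerateAlert indexes `pop_event[event]` and shifts `1 << event` without checking that `event` is below POP_EVENT_MAX (8); the visible callers in POP_DecodeAlert pass the fixed constants 4 to 7, so this is defensive rather than a live bug, but the array bound should be explicit: `if (event < 0 || event >= POP_EVENT_MAX) return;` at the top of the function. POP_DecodeAlert dereferences `pop_ssn->decode_state` unconditionally, while SetPopBuffers in snort_pop.c leaves `decode_state` NULL when the mempool or calloc allocation fails, so unless every caller guarantees a decode_state this needs `if (pop_ssn == NULL || pop_ssn->decode_state == NULL) return;`; POP_DecodeType in pop_util.c has the same unguarded dereference. `format` is only read, so the parameter here and the prototype in pop_log.h should be `const char *format`.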
@@ -0,0 +1,65 @@
+/****************************************************************************
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+/**************************************************************************
+ *
+ * pop_log.h
+ *
+ * Author: Bhagyashree Bantwal
+ *
+ **************************************************************************/
+
+#ifndef __POP_LOG_H__
+#define __POP_LOG_H__
+
+
+#define GENERATOR_SPP_POP 142
+
+/* Events for POP */
+#define POP_UNKNOWN_CMD 1
+#define POP_UNKNOWN_RESP 2
+#define POP_MEMCAP_EXCEEDED 3
+#define POP_B64_DECODING_FAILED 4
+#define POP_QP_DECODING_FAILED 5
+#define POP_BITENC_DECODING_FAILED 6
+#define POP_UU_DECODING_FAILED 7
+
+#define POP_EVENT_MAX 8
+
+/* Messages for each event */
+#define POP_UNKNOWN_CMD_STR "(POP) Unknown POP3 command"
+#define POP_UNKNOWN_RESP_STR "(POP) Unknown POP3 response"
+#define POP_MEMCAP_EXCEEDED_STR "(POP) No memory available for decoding. Memcap exceeded"
+#define POP_B64_DECODING_FAILED_STR "(POP) Base64 Decoding failed."
+#define POP_QP_DECODING_FAILED_STR "(POP) Quoted-Printable Decoding failed."
+#define POP_BITENC_DECODING_FAILED_STR "(POP) 7bit/8bit/binary/text Extraction failed."
+#define POP_UU_DECODING_FAILED_STR "(POP) Unix-to-Unix Decoding failed."
+
+#define EVENT_STR_LEN 256
+
+
+/* Function prototypes */
+void POP_GenerateAlert(int, char *, ...);
+void POP_DecodeAlert(void);
+
+
+#endif
+
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/pop/pop_util.c snort-2.9.2/src/dynamic-preprocessors/pop/pop_util.c
--- snort-2.8.5.2/src/dynamic-preprocessors/pop/pop_util.c 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/pop/pop_util.c 2011-06-08 00:33:14.000000000 +0000
@@ -0,0 +1,180 @@
+/*
+ * pop_util.c
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ *
+ * Author: Bhagyashree Bantwal
+ *
+ * Description:
+ *
+ * This file contains POP helper functions.
+ *
+ * Entry point functions:
+ *
+ * safe_strchr()
+ * safe_strstr()
+ * copy_to_space()
+ * safe_sscanf()
+ *
+ *
+ */
+
+#include
+#include
+#include
+#include
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "sf_types.h"
+#include "snort_debug.h"
+#include "snort_bounds.h"
+
+#include "snort_pop.h"
+#include "pop_util.h"
+#include "sf_dynamic_preprocessor.h"
+#include "sf_snort_packet.h"
+#include "Unified2_common.h"
+
+extern POP *pop_ssn;
+
+void POP_GetEOL(const uint8_t *ptr, const uint8_t *end,
+ const uint8_t **eol, const uint8_t **eolm)
+{
+ const uint8_t *tmp_eol;
+ const uint8_t *tmp_eolm;
+
+ /* XXX maybe should fatal error here since none of these
+ * pointers should be NULL */
+ if (ptr == NULL || end == NULL || eol == NULL || eolm == NULL)
+ return;
+
+ tmp_eol = (uint8_t *)memchr(ptr, '\n', end - ptr);
+ if (tmp_eol == NULL)
+ {
+ tmp_eol = end;
+ tmp_eolm = end;
+ }
+ else
+ {
+ /* end of line marker (eolm) should point to marker and
+ * end of line (eol) should point to end of marker */
+ if ((tmp_eol > ptr) && (*(tmp_eol - 1) == '\r'))
+ {
+ tmp_eolm = tmp_eol - 1;
+ }
+ else
+ {
+ tmp_eolm = tmp_eol;
+ }
+
+ /* move past newline */
+ tmp_eol++;
+ }
+
+ *eol = tmp_eol;
+ *eolm = tmp_eolm;
+}
+
+void POP_DecodeType(const char *start, int length)
+{
+ const char *tmp = NULL;
+
+ if(pop_ssn->decode_state->b64_state.encode_depth > -1)
+ {
+ tmp = _dpd.SnortStrcasestr(start, length, "base64");
+ if( tmp != NULL )
+ {
+ pop_ssn->decode_state->decode_type = DECODE_B64;
+ return;
+ }
+ }
+
+ if(pop_ssn->decode_state->qp_state.encode_depth > -1)
+ {
+ tmp = _dpd.SnortStrcasestr(start, length, "quoted-printable");
+ if( tmp != NULL )
+ {
+ pop_ssn->decode_state->decode_type = DECODE_QP;
+ return;
+ }
+ }
+
+ if(pop_ssn->decode_state->uu_state.encode_depth > -1)
+ {
+ tmp = _dpd.SnortStrcasestr(start, length, "uuencode");
+ if( tmp != NULL )
+ {
+ pop_ssn->decode_state->decode_type = DECODE_UU;
+ return;
+ }
+ }
+
+ if(pop_ssn->decode_state->bitenc_state.depth > -1)
+ {
+ pop_ssn->decode_state->decode_type = DECODE_BITENC;
+ return;
+ }
+
+ return;
+}
+
+
+#ifdef DEBUG_MSGS
+char pop_print_buffer[65537];
+
+const char * POP_PrintBuffer(SFSnortPacket *p)
+{
+ const uint8_t *ptr = NULL;
+ int len = 0;
+ int iorig, inew;
+
+ ptr = p->payload;
+ len = p->payload_size;
+
+ for (iorig = 0, inew = 0; iorig < len; iorig++, inew++)
+ {
+ if ((isascii((int)ptr[iorig]) && isprint((int)ptr[iorig])) || (ptr[iorig] == '\n'))
+ {
+ pop_print_buffer[inew] = ptr[iorig];
+ }
+ else if (ptr[iorig] == '\r' &&
+ ((iorig + 1) < len) && (ptr[iorig + 1] == '\n'))
+ {
+ iorig++;
+ pop_print_buffer[inew] = '\n';
+ }
+ else if (isspace((int)ptr[iorig]))
+ {
+ pop_print_buffer[inew] = ' ';
+ }
+ else
+ {
+ pop_print_buffer[inew] = '.';
+ }
+ }
+
+ pop_print_buffer[inew] = '\0';
+
+ return &pop_print_buffer[0];
+}
+#endif
+
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/pop/pop_util.h snort-2.9.2/src/dynamic-preprocessors/pop/pop_util.h
---
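Review bot: POP_GetEOL hands `end - ptr` to memchr as a size_t after checking only for NULL, so a caller that passes `end` before `ptr` turns the negative difference into a huge length and an over-read; the guard can cover it in one line, `if (ptr == NULL || end == NULL || eol == NULL || eolm == NULL || end < ptr) return;`. On that early return `*eol` and `*eolm` are left untouched, so a caller that did not initialise them reads indeterminate pointers, which is what the XXX comment is circling around; either initialise both out-parameters to `end` before the check or make the fatal error the comment suggests. The file header's "Entry point functions" list names safe_strchr(), safe_strstr(), copy_to_space() and safe_sscanf(), none of which this file defines; it should list POP_GetEOL(), POP_DecodeType() and POP_PrintBuffer() instead.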
snort-2.8.5.2/src/dynamic-preprocessors/pop/pop_util.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/pop/pop_util.h 2011-06-08 00:33:14.000000000 +0000
@@ -0,0 +1,43 @@
+/****************************************************************************
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+/*************************************************************************
+ *
+ * pop_util.h
+ *
+ * Author: Bhagyashree Bantwal
+ *
+ *************************************************************************/
+
+#ifndef __POP_UTIL_H__
+#define __POP_UTIL_H__
+
+#include "sf_snort_packet.h"
+
+void POP_GetEOL(const uint8_t *, const uint8_t *, const uint8_t **, const uint8_t **);
+void POP_DecodeType(const char *start, int length);
+
+#ifdef DEBUG_MSGS
+const char * POP_PrintBuffer(SFSnortPacket *);
+#endif
+
+#endif /* __POP_UTIL_H__ */
+
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/pop/sf_pop.dsp snort-2.9.2/src/dynamic-preprocessors/pop/sf_pop.dsp
--- snort-2.8.5.2/src/dynamic-preprocessors/pop/sf_pop.dsp 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/pop/sf_pop.dsp 2011-11-21 20:15:24.000000000 +0000
@@ -0,0 +1,260 @@ +# Microsoft Developer Studio Project File - Name="sf_pop" - Package Owner=<4> +# Microsoft Developer Studio Generated Build File, Format Version 6.00 +# ** DO NOT EDIT ** + +# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102 + +CFG=sf_pop - Win32 IPv6 Debug +!MESSAGE This is not a valid makefile. To build this project using NMAKE, +!MESSAGE use the Export Makefile command and run +!MESSAGE +!MESSAGE NMAKE /f "sf_pop.mak". +!MESSAGE +!MESSAGE You can specify a configuration when running NMAKE +!MESSAGE by defining the macro CFG on the command line. For example: +!MESSAGE +!MESSAGE NMAKE /f "sf_pop.mak" CFG="sf_pop - Win32 IPv6 Debug" +!MESSAGE +!MESSAGE Possible choices for configuration are: +!MESSAGE +!MESSAGE "sf_pop - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_pop - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_pop - Win32 IPv6 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_pop - Win32 IPv6 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE + +# Begin Project +# PROP AllowPerConfigDependencies 0 +# PROP Scc_ProjName "" +# PROP Scc_LocalPath "" +CPP=cl.exe +MTL=midl.exe +RSC=rc.exe + +!IF "$(CFG)" == "sf_pop - Win32 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "Release" +# PROP BASE Intermediate_Dir "Release" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "Release" +# PROP Intermediate_Dir "Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_POP_EXPORTS" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D 
"_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 pcre.lib ws2_32.lib ../libs/Release/sfdynamic_preproc_libs.lib /nologo /dll /machine:I386 /libpath:"../../../src/win32/WIN32-Libraries" + +!ELSEIF "$(CFG)" == "sf_pop - Win32 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "Debug" +# PROP BASE Intermediate_Dir "Debug" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "Debug" +# PROP Intermediate_Dir "Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_POP_EXPORTS" /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL 
/nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 pcre.lib ws2_32.lib ../libs/Debug/sfdynamic_preproc_libs.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"../../../src/win32/WIN32-Libraries" + +!ELSEIF "$(CFG)" == "sf_pop - Win32 IPv6 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "sf_pop___Win32_IPv6_Debug" +# PROP BASE Intermediate_Dir "sf_pop___Win32_IPv6_Debug" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "IPv6_Debug" +# PROP Intermediate_Dir "IPv6_Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /GZ /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 
0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 pcre.lib ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"../../../src/win32/WIN32-Libraries" +# ADD LINK32 pcre.lib ws2_32.lib ../libs/IPv6_Debug/sfdynamic_preproc_libs.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"../../../src/win32/WIN32-Libraries" + +!ELSEIF "$(CFG)" == "sf_pop - Win32 IPv6 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "sf_pop___Win32_IPv6_Release" +# PROP BASE Intermediate_Dir "sf_pop___Win32_IPv6_Release" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "IPv6_Release" +# PROP Intermediate_Dir "IPv6_Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_POP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /YX +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 
0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 pcre.lib ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 /libpath:"../../../src/win32/WIN32-Libraries" +# ADD LINK32 pcre.lib ws2_32.lib ../libs/IPv6_Release/sfdynamic_preproc_libs.lib /nologo /dll /machine:I386 /libpath:"../../../src/win32/WIN32-Libraries" +# SUBTRACT LINK32 /pdb:none + +!ENDIF + +# Begin Target + +# Name "sf_pop - Win32 Release" +# Name "sf_pop - Win32 Debug" +# Name "sf_pop - Win32 IPv6 Debug" +# Name "sf_pop - Win32 IPv6 Release" +# Begin Group "Source Files" + +# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" +# Begin Source File + +SOURCE=..\include\mempool.c +# End Source File +# Begin Source File + +SOURCE=.\pop_config.c +# End Source File +# Begin Source File + +SOURCE=.\pop_log.c +# End Source File +# Begin Source File + +SOURCE=.\pop_util.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_base64decode.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_dynamic_preproc_lib.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_email_attach_decode.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_sdlist.c +# End Source File +# Begin Source File + +SOURCE=..\include\sfPolicyUserData.c +# End Source File +# Begin Source File + +SOURCE=.\snort_pop.c +# End Source File +# Begin Source File + +SOURCE=.\spp_pop.c +# End Source File +# Begin Source File + +SOURCE=..\include\util_unfold.c +# End Source File +# End Group +# Begin Group "Header Files" + +# PROP Default_Filter "h;hpp;hxx;hm;inl" +# Begin Source File + +SOURCE=..\include\mempool.h +# End Source File +# Begin Source File + +SOURCE=.\pop_config.h +# End Source File +# Begin Source File + +SOURCE=.\pop_log.h +# End Source File +# 
Begin Source File + +SOURCE=.\pop_util.h +# End Source File +# Begin Source File + +SOURCE=..\include\sf_base64decode.h +# End Source File +# Begin Source File + +SOURCE=..\include\sf_email_attach_decode.h +# End Source File +# Begin Source File + +SOURCE=.\sf_preproc_info.h +# End Source File +# Begin Source File + +SOURCE=..\include\sf_sdlist.h +# End Source File +# Begin Source File + +SOURCE=.\snort_pop.h +# End Source File +# Begin Source File + +SOURCE=.\spp_pop.h +# End Source File +# Begin Source File + +SOURCE=..\include\util_unfold.h +# End Source File +# End Group +# Begin Group "Resource Files" + +# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe" +# End Group +# End Target +# End Project diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/pop/snort_pop.c snort-2.9.2/src/dynamic-preprocessors/pop/snort_pop.c --- snort-2.8.5.2/src/dynamic-preprocessors/pop/snort_pop.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/pop/snort_pop.c 2011-11-21 20:15:24.000000000 +0000 
@@ -0,0 +1,1660 @@ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +/************************************************************************** + * snort_pop.c + * + * Author: Bhagyashree Bantwal + * + * Description: + * + * This file handles POP protocol checking and normalization. 
+ * + * Entry point functions: + * + * SnortPOP() + * POP_Init() + * POP_Free() + * + **************************************************************************/ + + +/* Includes ***************************************************************/ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include +#include +#include +#include +#include + +#include "sf_types.h" +#include "snort_pop.h" +#include "pop_config.h" +#include "pop_util.h" +#include "pop_log.h" + +#include "sf_snort_packet.h" +#include "stream_api.h" +#include "snort_debug.h" +#include "profiler.h" +#include "snort_bounds.h" +#include "sf_dynamic_preprocessor.h" +#include "ssl.h" +#include "sfPolicy.h" +#include "sfPolicyUserData.h" + +#ifdef DEBUG_MSGS +#include "sf_types.h" +#endif + +/**************************************************************************/ + + +/* Externs ****************************************************************/ + +#ifdef PERF_PROFILING +extern PreprocStats popDetectPerfStats; +extern int popDetectCalled; +#endif + +extern tSfPolicyUserContextId pop_config; +extern POPConfig *pop_eval_config; +extern MemPool *pop_mempool; + +#ifdef DEBUG_MSGS +extern char pop_print_buffer[]; +#endif + +/**************************************************************************/ + + +/* Globals ****************************************************************/ + +const POPToken pop_known_cmds[] = +{ + {"APOP", 4, CMD_APOP}, + {"AUTH", 4, CMD_AUTH}, + {"CAPA", 4, CMD_CAPA}, + {"DELE", 4, CMD_DELE}, + {"LIST", 4, CMD_LIST}, + {"NOOP", 4, CMD_NOOP}, + {"PASS", 4, CMD_PASS}, + {"QUIT", 4, CMD_QUIT}, + {"RETR", 4, CMD_RETR}, + {"RSET", 4, CMD_RSET}, + {"STAT", 4, CMD_STAT}, + {"STLS", 4, CMD_STLS}, + {"TOP", 3, CMD_TOP}, + {"UIDL", 4, CMD_UIDL}, + {"USER", 4, CMD_USER}, + {NULL, 0, 0} +}; + +const POPToken pop_resps[] = +{ + {"+OK", 3, RESP_OK}, /* SUCCESS */ + {"-ERR", 4, RESP_ERR}, /* FAILURE */ + {NULL, 0, 0} +}; + +const POPToken pop_hdrs[] = +{ + {"Content-type:", 13, 
HDR_CONTENT_TYPE}, + {"Content-Transfer-Encoding:", 26, HDR_CONT_TRANS_ENC}, + {NULL, 0, 0} +}; + +const POPToken pop_data_end[] = +{ + {"\r\n.\r\n", 5, DATA_END_1}, + {"\n.\r\n", 4, DATA_END_2}, + {"\r\n.\n", 4, DATA_END_3}, + {"\n.\n", 3, DATA_END_4}, + {NULL, 0, 0} +}; + +POP *pop_ssn = NULL; +POP pop_no_session; +POPPcre mime_boundary_pcre; +char pop_normalizing; +POPSearchInfo pop_search_info; + +#ifdef DEBUG_MSGS +uint64_t pop_session_counter = 0; +#endif + +#ifdef TARGET_BASED +int16_t pop_proto_id; +#endif + +void *pop_resp_search_mpse = NULL; +POPSearch pop_resp_search[RESP_LAST]; + +void *pop_hdr_search_mpse = NULL; +POPSearch pop_hdr_search[HDR_LAST]; + +void *pop_data_search_mpse = NULL; +POPSearch pop_data_end_search[DATA_END_LAST]; + +POPSearch *pop_current_search = NULL; + + +/**************************************************************************/ + + +/* Private functions ******************************************************/ + +static int POP_Setup(SFSnortPacket *p, POP *ssn); +static void POP_ResetState(void); +static void POP_SessionFree(void *); +static void POP_NoSessionFree(void); +static int POP_GetPacketDirection(SFSnortPacket *, int); +static void POP_ProcessClientPacket(SFSnortPacket *); +static void POP_ProcessServerPacket(SFSnortPacket *); +static void POP_DisableDetect(SFSnortPacket *); +static const uint8_t * POP_HandleCommand(SFSnortPacket *, const uint8_t *, const uint8_t *); +static const uint8_t * POP_HandleData(SFSnortPacket *, const uint8_t *, const uint8_t *); +static const uint8_t * POP_HandleHeader(SFSnortPacket *, const uint8_t *, const uint8_t *); +static const uint8_t * POP_HandleDataBody(SFSnortPacket *, const uint8_t *, const uint8_t *); +static int POP_SearchStrFound(void *, void *, int, void *, void *); + +static int POP_BoundaryStrFound(void *, void *, int , void *, void *); +static int POP_GetBoundary(const char *, int); + +static int POP_Inspect(SFSnortPacket *); + 
+/**************************************************************************/ + +static void SetPopBuffers(POP *ssn) +{ + if ((ssn != NULL) && (ssn->decode_state == NULL) + && (!POP_IsDecodingEnabled(pop_eval_config))) + { + MemBucket *bkt = mempool_alloc(pop_mempool); + + if (bkt != NULL) + { + ssn->decode_state = (Email_DecodeState *)calloc(1, sizeof(Email_DecodeState)); + if( ssn->decode_state != NULL ) + { + ssn->decode_bkt = bkt; + SetEmailDecodeState(ssn->decode_state, bkt->data, pop_eval_config->max_depth, + pop_eval_config->b64_depth, pop_eval_config->qp_depth, + pop_eval_config->uu_depth, pop_eval_config->bitenc_depth); + } + else + { + /*free mempool if calloc fails*/ + mempool_free(pop_mempool, bkt); + } + } + else + { + POP_GenerateAlert(POP_MEMCAP_EXCEEDED, "%s", POP_MEMCAP_EXCEEDED_STR); + DEBUG_WRAP(DebugMessage(DEBUG_POP, "No memory available for decoding. Memcap exceeded \n");); + } + } +} + +void POP_InitCmds(POPConfig *config) +{ + const POPToken *tmp; + + if (config == NULL) + return; + + /* add one to CMD_LAST for NULL entry */ + config->cmds = (POPToken *)calloc(CMD_LAST + 1, sizeof(POPToken)); + if (config->cmds == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) => failed to allocate memory for pop " + "command structure\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + for (tmp = &pop_known_cmds[0]; tmp->name != NULL; tmp++) + { + config->cmds[tmp->search_id].name_len = tmp->name_len; + config->cmds[tmp->search_id].search_id = tmp->search_id; + config->cmds[tmp->search_id].name = strdup(tmp->name); + + if (config->cmds[tmp->search_id].name == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) => failed to allocate memory for pop " + "command structure\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + } + + /* initialize memory for command searches */ + config->cmd_search = (POPSearch *)calloc(CMD_LAST, sizeof(POPSearch)); + if (config->cmd_search == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) => failed to allocate 
memory for pop "
+ "command structure\n",
+ *(_dpd.config_file), *(_dpd.config_line));
+ }
+
+ config->num_cmds = CMD_LAST;
+}
+
+
+/*
+ * Initialize POP searches
+ *
+ * @param none
+ *
+ * @return none
+ */
+void POP_SearchInit(void)
+{
+ const char *error;
+ int erroffset;
+ const POPToken *tmp;
+
+ /* Response search */
+ pop_resp_search_mpse = _dpd.searchAPI->search_instance_new();
+ if (pop_resp_search_mpse == NULL)
+ {
+ DynamicPreprocessorFatalMessage("Could not allocate POP "
+ "response search.\n");
+ }
+
+ for (tmp = &pop_resps[0]; tmp->name != NULL; tmp++)
+ {
+ pop_resp_search[tmp->search_id].name = tmp->name;
+ pop_resp_search[tmp->search_id].name_len = tmp->name_len;
+
+ _dpd.searchAPI->search_instance_add(pop_resp_search_mpse, tmp->name,
+ tmp->name_len, tmp->search_id);
+ }
+
+ _dpd.searchAPI->search_instance_prep(pop_resp_search_mpse);
+
+ /* Header search */
+ pop_hdr_search_mpse = _dpd.searchAPI->search_instance_new();
+ if (pop_hdr_search_mpse == NULL)
+ {
+ DynamicPreprocessorFatalMessage("Could not allocate POP "
+ "header search.\n");
+ }
+
+ for (tmp = &pop_hdrs[0]; tmp->name != NULL; tmp++)
+ {
+ pop_hdr_search[tmp->search_id].name = tmp->name;
+ pop_hdr_search[tmp->search_id].name_len = tmp->name_len;
+
+ _dpd.searchAPI->search_instance_add(pop_hdr_search_mpse, tmp->name,
+ tmp->name_len, tmp->search_id);
+ }
+
+ _dpd.searchAPI->search_instance_prep(pop_hdr_search_mpse);
+
+ /* Data end search */
+ pop_data_search_mpse = _dpd.searchAPI->search_instance_new();
+ if (pop_data_search_mpse == NULL)
+ {
+ DynamicPreprocessorFatalMessage("Could not allocate POP "
+ "data search.\n");
+ }
+
+ for (tmp = &pop_data_end[0]; tmp->name != NULL; tmp++)
+ {
+ pop_data_end_search[tmp->search_id].name = tmp->name;
+ pop_data_end_search[tmp->search_id].name_len = tmp->name_len;
+
+ _dpd.searchAPI->search_instance_add(pop_data_search_mpse, tmp->name,
+ tmp->name_len, tmp->search_id);
+ }
+
+ _dpd.searchAPI->search_instance_prep(pop_data_search_mpse);
+
+
+ 
/* create regex for finding boundary string - since it can be cut across multiple
+ * lines, a straight search won't do. Shouldn't be too slow since it will most
+ * likely only be acting on a small portion of data */
+ //"^content-type:\\s*multipart.*boundary\\s*=\\s*\"?([^\\s]+)\"?"
+ //"^\\s*multipart.*boundary\\s*=\\s*\"?([^\\s]+)\"?"
+ //mime_boundary_pcre.re = pcre_compile("^.*boundary\\s*=\\s*\"?([^\\s\"]+)\"?",
+ //mime_boundary_pcre.re = pcre_compile("boundary(?:\n|\r\n)?=(?:\n|\r\n)?\"?([^\\s\"]+)\"?",
+ mime_boundary_pcre.re = pcre_compile("boundary\\s*=\\s*\"?([^\\s\"]+)\"?",
+ PCRE_CASELESS | PCRE_DOTALL,
+ &error, &erroffset, NULL);
+ if (mime_boundary_pcre.re == NULL)
+ {
+ DynamicPreprocessorFatalMessage("Failed to compile pcre regex for getting boundary "
+ "in a multipart POP message: %s\n", error);
+ }
+
+ mime_boundary_pcre.pe = pcre_study(mime_boundary_pcre.re, 0, &error);
+
+ if (error != NULL)
+ {
+ DynamicPreprocessorFatalMessage("Failed to study pcre regex for getting boundary "
+ "in a multipart POP message: %s\n", error);
+ }
+}
+
+/*
+ * Initialize run-time boundary search
+ */
+static int POP_BoundarySearchInit(void)
+{
+ if (pop_ssn->mime_boundary.boundary_search != NULL)
+ _dpd.searchAPI->search_instance_free(pop_ssn->mime_boundary.boundary_search);
+
+ pop_ssn->mime_boundary.boundary_search = _dpd.searchAPI->search_instance_new();
+
+ if (pop_ssn->mime_boundary.boundary_search == NULL)
+ return -1;
+
+ _dpd.searchAPI->search_instance_add(pop_ssn->mime_boundary.boundary_search,
+ pop_ssn->mime_boundary.boundary,
+ pop_ssn->mime_boundary.boundary_len, BOUNDARY);
+
+ _dpd.searchAPI->search_instance_prep(pop_ssn->mime_boundary.boundary_search);
+
+ return 0;
+}
+
+
+
+/*
+ * Reset POP session state
+ *
+ * @param none
+ *
+ * @return none
+ */
+static void POP_ResetState(void)
+{
+ if (pop_ssn->mime_boundary.boundary_search != NULL)
+ {
+ _dpd.searchAPI->search_instance_free(pop_ssn->mime_boundary.boundary_search);
+ 
pop_ssn->mime_boundary.boundary_search = NULL;
+ }
+
+ pop_ssn->state = STATE_UNKNOWN;
+ pop_ssn->data_state = STATE_DATA_INIT;
+ pop_ssn->state_flags = 0;
+ ClearEmailDecodeState(pop_ssn->decode_state);
+ memset(&pop_ssn->mime_boundary, 0, sizeof(POPMimeBoundary));
+}
+
+
+/*
+ * Given a server configuration and a port number, we decide if the port is
+ * in the POP server port list.
+ *
+ * @param port the port number to compare with the configuration
+ *
+ * @return integer
+ * @retval 0 means that the port is not a server port
+ * @retval !0 means that the port is a server port
+ */
+int POP_IsServer(uint16_t port)
+{
+ if (pop_eval_config->ports[port / 8] & (1 << (port % 8)))
+ return 1;
+
+ return 0;
+}
+
+static POP * POP_GetNewSession(SFSnortPacket *p, tSfPolicyId policy_id)
+{
+ POP *ssn;
+ POPConfig *pPolicyConfig = NULL;
+
+ pPolicyConfig = (POPConfig *)sfPolicyUserDataGetCurrent(pop_config);
+
+ DEBUG_WRAP(DebugMessage(DEBUG_POP, "Creating new session data structure\n"););
+
+ ssn = (POP *)calloc(1, sizeof(POP));
+ if (ssn == NULL)
+ {
+ DynamicPreprocessorFatalMessage("Failed to allocate POP session data\n");
+ }
+
+ pop_ssn = ssn;
+ SetPopBuffers(ssn);
+
+ _dpd.streamAPI->set_application_data(p->stream_session_ptr, PP_POP,
+ ssn, &POP_SessionFree);
+
+ if (p->flags & SSNFLAG_MIDSTREAM)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_POP, "Got midstream packet - "
+ "setting state to unknown\n"););
+ ssn->state = STATE_UNKNOWN;
+ }
+
+#ifdef DEBUG_MSGS
+ pop_session_counter++;
+ ssn->session_number = pop_session_counter;
+#endif
+
+ if (p->stream_session_ptr != NULL)
+ {
+ /* check to see if we're doing client reassembly in stream */
+ if (_dpd.streamAPI->get_reassembly_direction(p->stream_session_ptr) & SSN_DIR_CLIENT)
+ ssn->reassembling = 1;
+
+ if(!ssn->reassembling)
+ {
+ _dpd.streamAPI->set_reassembly(p->stream_session_ptr,
+ STREAM_FLPOLICY_FOOTPRINT, SSN_DIR_CLIENT, STREAM_FLPOLICY_SET_ABSOLUTE);
+ ssn->reassembling = 1;
+ }
+ }
+
+ ssn->policy_id = 
policy_id; + ssn->config = pop_config; + pPolicyConfig->ref_count++; + + return ssn; +} + + +/* + * Do first-packet setup + * + * @param p standard Packet structure + * + * @return none + */ +static int POP_Setup(SFSnortPacket *p, POP *ssn) +{ + int flags = 0; + int pkt_dir; + + if (p->stream_session_ptr != NULL) + { + /* set flags to session flags */ + flags = _dpd.streamAPI->get_session_flags(p->stream_session_ptr); + } + + /* Figure out direction of packet */ + pkt_dir = POP_GetPacketDirection(p, flags); + + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Session number: "STDu64"\n", ssn->session_number);); + + /* Check to see if there is a reassembly gap. If so, we won't know + * what state we're in when we get the _next_ reassembled packet */ + if ((pkt_dir != POP_PKT_FROM_SERVER) && + (p->flags & FLAG_REBUILT_STREAM)) + { + int missing_in_rebuilt = + _dpd.streamAPI->missing_in_reassembled(p->stream_session_ptr, SSN_DIR_CLIENT); + + if (ssn->session_flags & POP_FLAG_NEXT_STATE_UNKNOWN) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Found gap in previous reassembly buffer - " + "set state to unknown\n");); + ssn->state = STATE_UNKNOWN; + ssn->session_flags &= ~POP_FLAG_NEXT_STATE_UNKNOWN; + } + + if (missing_in_rebuilt == SSN_MISSING_BOTH) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Found missing packets before and after " + "in reassembly buffer - set state to unknown and " + "next state to unknown\n");); + ssn->state = STATE_UNKNOWN; + ssn->session_flags |= POP_FLAG_NEXT_STATE_UNKNOWN; + } + else if (missing_in_rebuilt == SSN_MISSING_BEFORE) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Found missing packets before " + "in reassembly buffer - set state to unknown\n");); + ssn->state = STATE_UNKNOWN; + } + else if (missing_in_rebuilt == SSN_MISSING_AFTER) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Found missing packets after " + "in reassembly buffer - set next state to unknown\n");); + ssn->session_flags |= POP_FLAG_NEXT_STATE_UNKNOWN; + } + } + + return pkt_dir; +} + +/* + * 
Determine packet direction + * + * @param p standard Packet structure + * + * @return none + */ +static int POP_GetPacketDirection(SFSnortPacket *p, int flags) +{ + int pkt_direction = POP_PKT_FROM_UNKNOWN; + + if (flags & SSNFLAG_MIDSTREAM) + { + if (POP_IsServer(p->src_port) && + !POP_IsServer(p->dst_port)) + { + pkt_direction = POP_PKT_FROM_SERVER; + } + else if (!POP_IsServer(p->src_port) && + POP_IsServer(p->dst_port)) + { + pkt_direction = POP_PKT_FROM_CLIENT; + } + } + else + { + if (p->flags & FLAG_FROM_SERVER) + { + pkt_direction = POP_PKT_FROM_SERVER; + } + else if (p->flags & FLAG_FROM_CLIENT) + { + pkt_direction = POP_PKT_FROM_CLIENT; + } + + /* if direction is still unknown ... */ + if (pkt_direction == POP_PKT_FROM_UNKNOWN) + { + if (POP_IsServer(p->src_port) && + !POP_IsServer(p->dst_port)) + { + pkt_direction = POP_PKT_FROM_SERVER; + } + else if (!POP_IsServer(p->src_port) && + POP_IsServer(p->dst_port)) + { + pkt_direction = POP_PKT_FROM_CLIENT; + } + } + } + + return pkt_direction; +} + + +/* + * Free POP-specific related to this session + * + * @param v pointer to POP session structure + * + * + * @return none + */ +static void POP_SessionFree(void *session_data) +{ + POP *pop = (POP *)session_data; +#ifdef SNORT_RELOAD + POPConfig *pPolicyConfig = NULL; +#endif + + if (pop == NULL) + return; + +#ifdef SNORT_RELOAD + pPolicyConfig = (POPConfig *)sfPolicyUserDataGet(pop->config, pop->policy_id); + + if (pPolicyConfig != NULL) + { + pPolicyConfig->ref_count--; + if ((pPolicyConfig->ref_count == 0) && + (pop->config != pop_config)) + { + sfPolicyUserDataClear (pop->config, pop->policy_id); + POP_FreeConfig(pPolicyConfig); + + /* No more outstanding policies for this config */ + if (sfPolicyUserPolicyGetActive(pop->config) == 0) + POP_FreeConfigs(pop->config); + } + } +#endif + + if (pop->mime_boundary.boundary_search != NULL) + { + _dpd.searchAPI->search_instance_free(pop->mime_boundary.boundary_search); + pop->mime_boundary.boundary_search = NULL; 
+ } + + if(pop->decode_state != NULL) + { + mempool_free(pop_mempool, pop->decode_bkt); + free(pop->decode_state); + } + + free(pop); +} + + +static void POP_NoSessionFree(void) +{ + if (pop_no_session.mime_boundary.boundary_search != NULL) + { + _dpd.searchAPI->search_instance_free(pop_no_session.mime_boundary.boundary_search); + pop_no_session.mime_boundary.boundary_search = NULL; + } +} + +static int POP_FreeConfigsPolicy( + tSfPolicyUserContextId config, + tSfPolicyId policyId, + void* pData + ) +{ + POPConfig *pPolicyConfig = (POPConfig *)pData; + + //do any housekeeping before freeing POPConfig + sfPolicyUserDataClear (config, policyId); + POP_FreeConfig(pPolicyConfig); + + return 0; +} + +void POP_FreeConfigs(tSfPolicyUserContextId config) +{ + if (config == NULL) + return; + + sfPolicyUserDataIterate (config, POP_FreeConfigsPolicy); + sfPolicyConfigDelete(config); +} + +void POP_FreeConfig(POPConfig *config) +{ + if (config == NULL) + return; + + if (config->cmds != NULL) + { + POPToken *tmp = config->cmds; + + for (; tmp->name != NULL; tmp++) + free(tmp->name); + + free(config->cmds); + } + + if (config->cmd_search_mpse != NULL) + _dpd.searchAPI->search_instance_free(config->cmd_search_mpse); + + if (config->cmd_search != NULL) + free(config->cmd_search); + + free(config); +} + + +/* + * Free anything that needs it before shutting down preprocessor + * + * @param none + * + * @return none + */ +void POP_Free(void) +{ + POP_NoSessionFree(); + + POP_FreeConfigs(pop_config); + pop_config = NULL; + + if (pop_resp_search_mpse != NULL) + _dpd.searchAPI->search_instance_free(pop_resp_search_mpse); + + if (pop_hdr_search_mpse != NULL) + _dpd.searchAPI->search_instance_free(pop_hdr_search_mpse); + + if (pop_data_search_mpse != NULL) + _dpd.searchAPI->search_instance_free(pop_data_search_mpse); + + if (mime_boundary_pcre.re ) + pcre_free(mime_boundary_pcre.re); + + if (mime_boundary_pcre.pe ) + pcre_free(mime_boundary_pcre.pe); +} + + +/* + * Callback function for 
string search + * + * @param id id in array of search strings from pop_config.cmds + * @param index index in array of search strings from pop_config.cmds + * @param data buffer passed in to search function + * + * @return response + * @retval 1 commands caller to stop searching + */ +static int POP_SearchStrFound(void *id, void *unused, int index, void *data, void *unused2) +{ + int search_id = (int)(uintptr_t)id; + + pop_search_info.id = search_id; + pop_search_info.index = index; + pop_search_info.length = pop_current_search[search_id].name_len; + + /* Returning non-zero stops search, which is okay since we only look for one at a time */ + return 1; +} + + +/* + * Callback function for boundary search + * + * @param id id in array of search strings + * @param index index in array of search strings + * @param data buffer passed in to search function + * + * @return response + * @retval 1 commands caller to stop searching + */ +static int POP_BoundaryStrFound(void *id, void *unused, int index, void *data, void *unused2) +{ + int boundary_id = (int)(uintptr_t)id; + + pop_search_info.id = boundary_id; + pop_search_info.index = index; + pop_search_info.length = pop_ssn->mime_boundary.boundary_len; + + return 1; +} + +static int POP_GetBoundary(const char *data, int data_len) +{ + int result; + int ovector[9]; + int ovecsize = 9; + const char *boundary; + int boundary_len; + int ret; + char *mime_boundary; + int *mime_boundary_len; + + + mime_boundary = &pop_ssn->mime_boundary.boundary[0]; + mime_boundary_len = &pop_ssn->mime_boundary.boundary_len; + + /* result will be the number of matches (including submatches) */ + result = pcre_exec(mime_boundary_pcre.re, mime_boundary_pcre.pe, + data, data_len, 0, 0, ovector, ovecsize); + if (result < 0) + return -1; + + result = pcre_get_substring(data, ovector, result, 1, &boundary); + if (result < 0) + return -1; + + boundary_len = strlen(boundary); + if (boundary_len > MAX_BOUNDARY_LEN) + { + /* XXX should we alert? 
breaking the law of RFC */ + boundary_len = MAX_BOUNDARY_LEN; + } + + mime_boundary[0] = '-'; + mime_boundary[1] = '-'; + ret = SafeMemcpy(mime_boundary + 2, boundary, boundary_len, + mime_boundary + 2, mime_boundary + 2 + MAX_BOUNDARY_LEN); + + pcre_free_substring(boundary); + + if (ret != SAFEMEM_SUCCESS) + { + return -1; + } + + *mime_boundary_len = 2 + boundary_len; + mime_boundary[*mime_boundary_len] = '\0'; + + return 0; +} + + +/* + * Handle COMMAND state + * + * @param p standard Packet structure + * @param ptr pointer into p->payload buffer to start looking at data + * @param end points to end of p->payload buffer + * + * @return pointer into p->payload where we stopped looking at data + * will be end of line or end of packet + */ +static const uint8_t * POP_HandleCommand(SFSnortPacket *p, const uint8_t *ptr, const uint8_t *end) +{ + const uint8_t *eol; /* end of line */ + const uint8_t *eolm; /* end of line marker */ + int cmd_line_len; + int cmd_found; + + /* get end of line and end of line marker */ + POP_GetEOL(ptr, end, &eol, &eolm); + + /* calculate length of command line */ + cmd_line_len = eol - ptr; + + /* TODO If the end of line marker coincides with the end of payload we can't be + * sure that we got a command and not a substring which we could tell through + * inspection of the next packet. 
Maybe a command pending state where the first + * char in the next packet is checked for a space and end of line marker */ + + /* do not confine since there could be space chars before command */ + pop_current_search = &pop_eval_config->cmd_search[0]; + cmd_found = _dpd.searchAPI->search_instance_find + (pop_eval_config->cmd_search_mpse, (const char *)ptr, + eolm - ptr, 0, POP_SearchStrFound); + + /* see if we actually found a command and not a substring */ + if (cmd_found > 0) + { + const uint8_t *tmp = ptr; + const uint8_t *cmd_start = ptr + pop_search_info.index; + const uint8_t *cmd_end = cmd_start + pop_search_info.length; + + /* move past spaces up until start of command */ + while ((tmp < cmd_start) && isspace((int)*tmp)) + tmp++; + + /* if not all spaces before command, we found a + * substring */ + if (tmp != cmd_start) + cmd_found = 0; + + /* if we're before the end of line marker and the next + * character is not whitespace, we found a substring */ + if ((cmd_end < eolm) && !isspace((int)*cmd_end)) + cmd_found = 0; + + /* there is a chance that end of command coincides with the end of payload + * in which case, it could be a substring, but for now, we will treat it as found */ + } + + /* if command not found, alert and move on */ + if (!cmd_found) + { + POP_GenerateAlert(POP_UNKNOWN_CMD, "%s", POP_UNKNOWN_CMD_STR); + DEBUG_WRAP(DebugMessage(DEBUG_POP, "No known command found\n");); + + return eol; + } + + /* At this point we have definitely found a legitimate command */ + + DEBUG_WRAP(DebugMessage(DEBUG_POP, "%s\n", pop_eval_config->cmds[pop_search_info.id].name);); + +/* switch (pop_search_info.id) + { + case CMD_USER: + case CMD_PASS: + case CMD_RSET: + case CMD_QUIT: + case CMD_RETR: + break; + + default: + break; + }*/ + + return eol; +} + + +static const uint8_t * POP_HandleData(SFSnortPacket *p, const uint8_t *ptr, const uint8_t *end) +{ + const uint8_t *data_end_marker = NULL; + const uint8_t *data_end = NULL; + int data_end_found; + + /* if we've 
just entered the data state, check for a dot + end of line + * if found, no data */ + if ((pop_ssn->data_state == STATE_DATA_INIT) || + (pop_ssn->data_state == STATE_DATA_UNKNOWN)) + { + if ((ptr < end) && (*ptr == '.')) + { + const uint8_t *eol = NULL; + const uint8_t *eolm = NULL; + + POP_GetEOL(ptr, end, &eol, &eolm); + + /* this means we got a real end of line and not just end of payload + * and that the dot is only char on line */ + if ((eolm != end) && (eolm == (ptr + 1))) + { + /* if we're normalizing and not ignoring data copy data end marker + * and dot to alt buffer */ + + POP_ResetState(); + + return eol; + } + } + + if (pop_ssn->data_state == STATE_DATA_INIT) + pop_ssn->data_state = STATE_DATA_HEADER; + + /* XXX A line starting with a '.' that isn't followed by a '.' is + * deleted (RFC 821 - 4.5.2. TRANSPARENCY). If data starts with + * '. text', i.e a dot followed by white space then text, some + * servers consider it data header and some data body. + * Postfix and Qmail will consider the start of data: + * . text\r\n + * . text\r\n + * to be part of the header and the effect will be that of a + * folded line with the '.' deleted. Exchange will put the same + * in the body which seems more reasonable. 
*/ + } + + /* get end of data body + * TODO check last bytes of previous packet to see if we had a partial + * end of data */ + pop_current_search = &pop_data_end_search[0]; + data_end_found = _dpd.searchAPI->search_instance_find + (pop_data_search_mpse, (const char *)ptr, end - ptr, + 0, POP_SearchStrFound); + + if (data_end_found > 0) + { + data_end_marker = ptr + pop_search_info.index; + data_end = data_end_marker + pop_search_info.length; + } + else + { + data_end_marker = data_end = end; + } + + _dpd.setFileDataPtr((uint8_t*)ptr, (uint16_t)(data_end - ptr)); + + if ((pop_ssn->data_state == STATE_DATA_HEADER) || + (pop_ssn->data_state == STATE_DATA_UNKNOWN)) + { +#ifdef DEBUG_MSGS + if (pop_ssn->data_state == STATE_DATA_HEADER) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "DATA HEADER STATE ~~~~~~~~~~~~~~~~~~~~~~\n");); + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "DATA UNKNOWN STATE ~~~~~~~~~~~~~~~~~~~~~\n");); + } +#endif + + ptr = POP_HandleHeader(p, ptr, data_end_marker); + if (ptr == NULL) + return NULL; + + } + + /* now we shouldn't have to worry about copying any data to the alt buffer + * only mime headers if we find them and only if we're ignoring data */ + + while ((ptr != NULL) && (ptr < data_end_marker)) + { + /* multiple MIME attachments in one single packet. 
+ * Pipeline the MIME decoded data.*/ + if ( pop_ssn->state_flags & POP_FLAG_MULTIPLE_EMAIL_ATTACH) + { + _dpd.setFileDataPtr(pop_ssn->decode_state->decodePtr, (uint16_t)pop_ssn->decode_state->decoded_bytes); + _dpd.detect(p); + pop_ssn->state_flags &= ~POP_FLAG_MULTIPLE_EMAIL_ATTACH; + ResetEmailDecodeState(pop_ssn->decode_state); + p->flags |=FLAG_ALLOW_MULTIPLE_DETECT; + /* Reset the log count when a packet goes through detection multiple times */ + p->xtradata_mask = 0; + p->per_packet_xtradata = 0; + _dpd.DetectReset((uint8_t *)p->payload, p->payload_size); + } + switch (pop_ssn->data_state) + { + case STATE_MIME_HEADER: + DEBUG_WRAP(DebugMessage(DEBUG_POP, "MIME HEADER STATE ~~~~~~~~~~~~~~~~~~~~~~\n");); + ptr = POP_HandleHeader(p, ptr, data_end_marker); + break; + case STATE_DATA_BODY: + DEBUG_WRAP(DebugMessage(DEBUG_POP, "DATA BODY STATE ~~~~~~~~~~~~~~~~~~~~~~~~\n");); + ptr = POP_HandleDataBody(p, ptr, data_end_marker); + break; + } + } + + /* We have either reached the end of MIME header or end of MIME encoded data*/ + + if(pop_ssn->decode_state != NULL) + { + _dpd.setFileDataPtr(pop_ssn->decode_state->decodePtr, (uint16_t)pop_ssn->decode_state->decoded_bytes); + ResetDecodedBytes(pop_ssn->decode_state); + } + + /* if we got the data end reset state, otherwise we're probably still in the data + * to expect more data in next packet */ + if (data_end_marker != end) + { + POP_ResetState(); + } + + return data_end; +} + + +/* + * Handle Headers - Data or Mime + * + * @param packet standard Packet structure + * + * @param i index into p->payload buffer to start looking at data + * + * @return i index into p->payload where we stopped looking at data + */ +static const uint8_t * POP_HandleHeader(SFSnortPacket *p, const uint8_t *ptr, + const uint8_t *data_end_marker) +{ + const uint8_t *eol; + const uint8_t *eolm; + const uint8_t *colon; + const uint8_t *content_type_ptr = NULL; + const uint8_t *cont_trans_enc = NULL; + int header_found; + int ret; + const 
uint8_t *start_hdr; + + start_hdr = ptr; + + /* if we got a content-type in a previous packet and are + * folding, the boundary still needs to be checked for */ + if (pop_ssn->state_flags & POP_FLAG_IN_CONTENT_TYPE) + content_type_ptr = ptr; + + if (pop_ssn->state_flags & POP_FLAG_IN_CONT_TRANS_ENC) + cont_trans_enc = ptr; + + while (ptr < data_end_marker) + { + POP_GetEOL(ptr, data_end_marker, &eol, &eolm); + + /* got a line with only end of line marker should signify end of header */ + if (eolm == ptr) + { + /* reset global header state values */ + pop_ssn->state_flags &= + ~(POP_FLAG_FOLDING | POP_FLAG_IN_CONTENT_TYPE | POP_FLAG_DATA_HEADER_CONT + | POP_FLAG_IN_CONT_TRANS_ENC ); + + pop_ssn->data_state = STATE_DATA_BODY; + + /* if no headers, treat as data */ + if (ptr == start_hdr) + return eolm; + else + return eol; + } + + /* if we're not folding, see if we should interpret line as a data line + * instead of a header line */ + if (!(pop_ssn->state_flags & (POP_FLAG_FOLDING | POP_FLAG_DATA_HEADER_CONT))) + { + char got_non_printable_in_header_name = 0; + + /* if we're not folding and the first char is a space or + * colon, it's not a header */ + if (isspace((int)*ptr) || *ptr == ':') + { + pop_ssn->data_state = STATE_DATA_BODY; + return ptr; + } + + /* look for header field colon - if we're not folding then we need + * to find a header which will be all printables (except colon) + * followed by a colon */ + colon = ptr; + while ((colon < eolm) && (*colon != ':')) + { + if (((int)*colon < 33) || ((int)*colon > 126)) + got_non_printable_in_header_name = 1; + + colon++; + } + + /* If the end on line marker and end of line are the same, assume + * header was truncated, so stay in data header state */ + if ((eolm != eol) && + ((colon == eolm) || got_non_printable_in_header_name)) + { + /* no colon or got spaces in header name (won't be interpreted as a header) + * assume we're in the body */ + pop_ssn->state_flags &= + ~(POP_FLAG_FOLDING | POP_FLAG_IN_CONTENT_TYPE 
| POP_FLAG_DATA_HEADER_CONT + |POP_FLAG_IN_CONT_TRANS_ENC); + + pop_ssn->data_state = STATE_DATA_BODY; + + return ptr; + } + + if(tolower((int)*ptr) == 'c') + { + pop_current_search = &pop_hdr_search[0]; + header_found = _dpd.searchAPI->search_instance_find + (pop_hdr_search_mpse, (const char *)ptr, + eolm - ptr, 1, POP_SearchStrFound); + + /* Headers must start at beginning of line */ + if ((header_found > 0) && (pop_search_info.index == 0)) + { + switch (pop_search_info.id) + { + case HDR_CONTENT_TYPE: + /* for now we're just looking for the boundary in the data + * header section */ + if (pop_ssn->data_state != STATE_MIME_HEADER) + { + content_type_ptr = ptr + pop_search_info.length; + pop_ssn->state_flags |= POP_FLAG_IN_CONTENT_TYPE; + } + + break; + case HDR_CONT_TRANS_ENC: + cont_trans_enc = ptr + pop_search_info.length; + pop_ssn->state_flags |= POP_FLAG_IN_CONT_TRANS_ENC; + break; + + default: + break; + } + } + } + else if(tolower((int)*ptr) == 'e') + { + if((eolm - ptr) >= 9) + { + if(strncasecmp((const char *)ptr, "Encoding:", 9) == 0) + { + cont_trans_enc = ptr + 9; + pop_ssn->state_flags |= POP_FLAG_IN_CONT_TRANS_ENC; + } + } + } + } + else + { + pop_ssn->state_flags &= ~POP_FLAG_DATA_HEADER_CONT; + } + + + /* check for folding + * if char on next line is a space and not \n or \r\n, we are folding */ + if ((eol < data_end_marker) && isspace((int)eol[0]) && (eol[0] != '\n')) + { + if ((eol < (data_end_marker - 1)) && (eol[0] != '\r') && (eol[1] != '\n')) + { + pop_ssn->state_flags |= POP_FLAG_FOLDING; + } + else + { + pop_ssn->state_flags &= ~POP_FLAG_FOLDING; + } + } + else if (eol != eolm) + { + pop_ssn->state_flags &= ~POP_FLAG_FOLDING; + } + + /* check if we're in a content-type header and not folding. 
if so we have the whole + * header line/lines for content-type - see if we got a multipart with boundary + * we don't check each folded line, but wait until we have the complete header + * because boundary=BOUNDARY can be split across mulitple folded lines before + * or after the '=' */ + if ((pop_ssn->state_flags & + (POP_FLAG_IN_CONTENT_TYPE | POP_FLAG_FOLDING)) == POP_FLAG_IN_CONTENT_TYPE) + { + /* we got the full content-type header - look for boundary string */ + ret = POP_GetBoundary((const char *)content_type_ptr, eolm - content_type_ptr); + if (ret != -1) + { + ret = POP_BoundarySearchInit(); + if (ret != -1) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Got mime boundary: %s\n", + pop_ssn->mime_boundary.boundary);); + + pop_ssn->state_flags |= POP_FLAG_GOT_BOUNDARY; + } + } + + pop_ssn->state_flags &= ~POP_FLAG_IN_CONTENT_TYPE; + content_type_ptr = NULL; + } + else if ((pop_ssn->state_flags & + (POP_FLAG_IN_CONT_TRANS_ENC | POP_FLAG_FOLDING)) == POP_FLAG_IN_CONT_TRANS_ENC) + { + /* Check for Content-Transfer-Encoding : */ + if( (!POP_IsDecodingEnabled(pop_eval_config)) && (pop_ssn->decode_state != NULL)) + { + POP_DecodeType((const char *)cont_trans_enc, eolm - cont_trans_enc ); + pop_ssn->state_flags |= POP_FLAG_EMAIL_ATTACH; + /* check to see if there are other attachments in this packet */ + if( pop_ssn->decode_state->decoded_bytes ) + pop_ssn->state_flags |= POP_FLAG_MULTIPLE_EMAIL_ATTACH; + } + pop_ssn->state_flags &= ~POP_FLAG_IN_CONT_TRANS_ENC; + + cont_trans_enc = NULL; + } + + /* if state was unknown, at this point assume we know */ + if (pop_ssn->data_state == STATE_DATA_UNKNOWN) + pop_ssn->data_state = STATE_DATA_HEADER; + + ptr = eol; + + if (ptr == data_end_marker) + pop_ssn->state_flags |= POP_FLAG_DATA_HEADER_CONT; + } + + return ptr; +} + + +/* + * Handle DATA_BODY state + * + * @param packet standard Packet structure + * + * @param i index into p->payload buffer to start looking at data + * + * @return i index into p->payload where we stopped 
looking at data + */ +static const uint8_t * POP_HandleDataBody(SFSnortPacket *p, const uint8_t *ptr, + const uint8_t *data_end_marker) +{ + int boundary_found = 0; + const uint8_t *boundary_ptr = NULL; + const uint8_t *attach_start = NULL; + const uint8_t *attach_end = NULL; + + if ( pop_ssn->state_flags & POP_FLAG_EMAIL_ATTACH ) + attach_start = ptr; + /* look for boundary */ + if (pop_ssn->state_flags & POP_FLAG_GOT_BOUNDARY) + { + boundary_found = _dpd.searchAPI->search_instance_find + (pop_ssn->mime_boundary.boundary_search, (const char *)ptr, + data_end_marker - ptr, 0, POP_BoundaryStrFound); + + if (boundary_found > 0) + { + boundary_ptr = ptr + pop_search_info.index; + + /* should start at beginning of line */ + if ((boundary_ptr == ptr) || (*(boundary_ptr - 1) == '\n')) + { + const uint8_t *eol; + const uint8_t *eolm; + const uint8_t *tmp; + + if (pop_ssn->state_flags & POP_FLAG_EMAIL_ATTACH ) + { + attach_end = boundary_ptr-1; + pop_ssn->state_flags &= ~POP_FLAG_EMAIL_ATTACH; + if(attach_start < attach_end) + { + if(EmailDecode( attach_start, attach_end, pop_ssn->decode_state) != DECODE_SUCCESS ) + { + POP_DecodeAlert(); + } + } + } + + + /* Check for end boundary */ + tmp = boundary_ptr + pop_search_info.length; + if (((tmp + 1) < data_end_marker) && (tmp[0] == '-') && (tmp[1] == '-')) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Mime boundary end found: %s--\n", + (char *)pop_ssn->mime_boundary.boundary);); + + /* no more MIME */ + pop_ssn->state_flags &= ~POP_FLAG_GOT_BOUNDARY; + + /* free boundary search */ + _dpd.searchAPI->search_instance_free(pop_ssn->mime_boundary.boundary_search); + pop_ssn->mime_boundary.boundary_search = NULL; + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Mime boundary found: %s\n", + (char *)pop_ssn->mime_boundary.boundary);); + + pop_ssn->data_state = STATE_MIME_HEADER; + } + + /* get end of line - there could be spaces after boundary before eol */ + POP_GetEOL(boundary_ptr + pop_search_info.length, data_end_marker, &eol, 
&eolm); + + return eol; + } + } + } + + if ( pop_ssn->state_flags & POP_FLAG_EMAIL_ATTACH ) + { + attach_end = data_end_marker; + if(attach_start < attach_end) + { + if(EmailDecode( attach_start, attach_end, pop_ssn->decode_state) != DECODE_SUCCESS ) + { + POP_DecodeAlert(); + } + } + } + + return data_end_marker; +} + + +/* + * Process client packet + * + * @param packet standard Packet structure + * + * @return none + */ +static void POP_ProcessClientPacket(SFSnortPacket *p) +{ + const uint8_t *ptr = p->payload; + const uint8_t *end = p->payload + p->payload_size; + + ptr = POP_HandleCommand(p, ptr, end); + + +} + + + +/* + * Process server packet + * + * @param packet standard Packet structure + * + */ +static void POP_ProcessServerPacket(SFSnortPacket *p) +{ + int resp_found; + const uint8_t *ptr; + const uint8_t *end; + const uint8_t *eolm; + const uint8_t *eol; + int resp_line_len; + const char *tmp = NULL; + + ptr = p->payload; + end = p->payload + p->payload_size; + + while (ptr < end) + { + if(pop_ssn->state == STATE_DATA) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "DATA STATE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n");); + ptr = POP_HandleData(p, ptr, end); + continue; + } + POP_GetEOL(ptr, end, &eol, &eolm); + + resp_line_len = eol - ptr; + + /* Check for response code */ + pop_current_search = &pop_resp_search[0]; + resp_found = _dpd.searchAPI->search_instance_find + (pop_resp_search_mpse, (const char *)ptr, + resp_line_len, 1, POP_SearchStrFound); + + if (resp_found > 0) + { + const uint8_t *cmd_start = ptr + pop_search_info.index; + switch (pop_search_info.id) + { + case RESP_OK: + tmp = _dpd.SnortStrcasestr((const char *)cmd_start, (eol - cmd_start), "octets"); + if(tmp != NULL) + pop_ssn->state = STATE_DATA; + else + pop_ssn->state = STATE_UNKNOWN; + break; + + default: + break; + } + + } + else + { + if(*ptr == '+' ) + { + POP_GenerateAlert(POP_UNKNOWN_RESP, "%s", POP_UNKNOWN_RESP_STR); + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Server response not found\n");); + 
} + else + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Server response description\n");); + } + + } + + ptr = eol; + + } + + return; +} + +/* For Target based + * If a protocol for the session is already identified and not one POP is + * interested in, POP should leave it alone and return without processing. + * If a protocol for the session is already identified and is one that POP is + * interested in, decode it. + * If the protocol for the session is not already identified and the preprocessor + * is configured to detect on one of the packet ports, detect. + * Returns 0 if we should not inspect + * 1 if we should continue to inspect + */ +static int POP_Inspect(SFSnortPacket *p) +{ +#ifdef TARGET_BASED + /* POP could be configured to be stateless. If stream isn't configured, assume app id + * will never be set and just base inspection on configuration */ + if (p->stream_session_ptr == NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "POP: Target-based: No stream session.\n");); + + if ((POP_IsServer(p->src_port) && (p->flags & FLAG_FROM_SERVER)) || + (POP_IsServer(p->dst_port) && (p->flags & FLAG_FROM_CLIENT))) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "POP: Target-based: Configured for this " + "traffic, so let's inspect.\n");); + return 1; + } + } + else + { + int16_t app_id = _dpd.streamAPI->get_application_protocol_id(p->stream_session_ptr); + + if (app_id != 0) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "POP: Target-based: App id: %u.\n", app_id);); + + if (app_id == pop_proto_id) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "POP: Target-based: App id is " + "set to \"%s\".\n", POP_PROTO_REF_STR);); + return 1; + } + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "POP: Target-based: Unknown protocol for " + "this session. 
See if we're configured.\n");); + + if ((POP_IsServer(p->src_port) && (p->flags & FLAG_FROM_SERVER)) || + (POP_IsServer(p->dst_port) && (p->flags & FLAG_FROM_CLIENT))) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "POP: Target-based: POP port is configured.");); + return 1; + } + } + } + + DEBUG_WRAP(DebugMessage(DEBUG_POP,"POP: Target-based: Not inspecting ...\n");); + +#else + /* Make sure it's traffic we're interested in */ + if ((POP_IsServer(p->src_port) && (p->flags & FLAG_FROM_SERVER)) || + (POP_IsServer(p->dst_port) && (p->flags & FLAG_FROM_CLIENT))) + return 1; + +#endif /* TARGET_BASED */ + + return 0; +} + +/* + * Entry point to snort preprocessor for each packet + * + * @param packet standard Packet structure + * + * @return none + */ +void SnortPOP(SFSnortPacket *p) +{ + int detected = 0; + int pkt_dir; + tSfPolicyId policy_id = _dpd.getRuntimePolicy(); + + PROFILE_VARS; + + + pop_ssn = (POP *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_POP); + if (pop_ssn != NULL) + pop_eval_config = (POPConfig *)sfPolicyUserDataGet(pop_ssn->config, pop_ssn->policy_id); + else + pop_eval_config = (POPConfig *)sfPolicyUserDataGetCurrent(pop_config); + + if (pop_eval_config == NULL) + return; + + if (pop_ssn == NULL) + { + if (!POP_Inspect(p)) + return; + + pop_ssn = POP_GetNewSession(p, policy_id); + if (pop_ssn == NULL) + return; + } + + pkt_dir = POP_Setup(p, pop_ssn); + + if (pkt_dir == POP_PKT_FROM_CLIENT) + { + POP_ProcessClientPacket(p); + DEBUG_WRAP(DebugMessage(DEBUG_POP, "POP client packet\n");); + } + else + { +#ifdef DEBUG_MSGS + if (pkt_dir == POP_PKT_FROM_SERVER) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "POP server packet\n");); + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "POP packet NOT from client or server! 
" + "Processing as a server packet\n");); + } +#endif + + if (p->flags & FLAG_STREAM_INSERT) + { + /* Packet will be rebuilt, so wait for it */ + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Client packet will be reassembled\n")); + return; + } + else if (pop_ssn->reassembling && !(p->flags & FLAG_REBUILT_STREAM)) + { + /* If this isn't a reassembled packet and didn't get + * inserted into reassembly buffer, there could be a + * problem. If we miss syn or syn-ack that had window + * scaling this packet might not have gotten inserted + * into reassembly buffer because it fell outside of + * window, because we aren't scaling it */ + pop_ssn->session_flags |= POP_FLAG_GOT_NON_REBUILT; + pop_ssn->state = STATE_UNKNOWN; + } + else if (pop_ssn->reassembling && (pop_ssn->session_flags & POP_FLAG_GOT_NON_REBUILT)) + { + /* This is a rebuilt packet. If we got previous packets + * that were not rebuilt, state is going to be messed up + * so set state to unknown. It's likely this was the + * beginning of the conversation so reset state */ + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Got non-rebuilt packets before " + "this rebuilt packet\n");); + + pop_ssn->state = STATE_UNKNOWN; + pop_ssn->session_flags &= ~POP_FLAG_GOT_NON_REBUILT; + } + /* Process as a server packet */ + POP_ProcessServerPacket(p); + } + + + PREPROC_PROFILE_START(popDetectPerfStats); + + detected = _dpd.detect(p); + +#ifdef PERF_PROFILING + popDetectCalled = 1; +#endif + + PREPROC_PROFILE_END(popDetectPerfStats); + + /* Turn off detection since we've already done it. 
*/ + POP_DisableDetect(p); + + if (detected) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "POP vulnerability detected\n");); + } +} + +static void POP_DisableDetect(SFSnortPacket *p) +{ + _dpd.disableAllDetect(p); + + _dpd.setPreprocBit(p, PP_SFPORTSCAN); + _dpd.setPreprocBit(p, PP_PERFMONITOR); + _dpd.setPreprocBit(p, PP_STREAM5); + _dpd.setPreprocBit(p, PP_SDF); +} + + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/pop/snort_pop.h snort-2.9.2/src/dynamic-preprocessors/pop/snort_pop.h --- snort-2.8.5.2/src/dynamic-preprocessors/pop/snort_pop.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/pop/snort_pop.h 2011-06-08 00:33:14.000000000 +0000 
@@ -0,0 +1,218 @@ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * **************************************************************************/ + +/************************************************************************** + * + * snort_pop.h + * + * Author: Bhagyashree Bantwal + * + * Description: + * + * This file defines everything specific to the POP preprocessor. 
+ * + **************************************************************************/ + +#ifndef __POP_H__ +#define __POP_H__ + + +/* Includes ***************************************************************/ + +#include + +#include "sf_snort_packet.h" +#include "pop_config.h" +#include "sfPolicy.h" +#include "sfPolicyUserData.h" +#include "mempool.h" +#include "sf_email_attach_decode.h" + +#ifdef DEBUG +#include "sf_types.h" +#endif + +/**************************************************************************/ + + +/* Defines ****************************************************************/ + +/* Direction packet is coming from, if we can figure it out */ +#define POP_PKT_FROM_UNKNOWN 0 +#define POP_PKT_FROM_CLIENT 1 +#define POP_PKT_FROM_SERVER 2 + +#define SEARCH_CMD 0 +#define SEARCH_RESP 1 +#define SEARCH_HDR 2 +#define SEARCH_DATA_END 3 +#define NUM_SEARCHES 4 + +#define BOUNDARY 0 + +#define MAX_BOUNDARY_LEN 70 /* Max length of boundary string, defined in RFC 2046 */ + +#define STATE_DATA 0 /* Data state */ +#define STATE_UNKNOWN 1 + +#define STATE_DATA_INIT 0 +#define STATE_DATA_HEADER 1 /* Data header section of data state */ +#define STATE_DATA_BODY 2 /* Data body section of data state */ +#define STATE_MIME_HEADER 3 /* MIME header section within data section */ +#define STATE_DATA_UNKNOWN 4 + +/* state flags */ +#define POP_FLAG_FOLDING 0x00000001 +#define POP_FLAG_IN_CONTENT_TYPE 0x00000002 +#define POP_FLAG_GOT_BOUNDARY 0x00000004 +#define POP_FLAG_DATA_HEADER_CONT 0x00000008 +#define POP_FLAG_IN_CONT_TRANS_ENC 0x00000010 +#define POP_FLAG_EMAIL_ATTACH 0x00000020 +#define POP_FLAG_MULTIPLE_EMAIL_ATTACH 0x00000040 + +/* session flags */ +#define POP_FLAG_NEXT_STATE_UNKNOWN 0x00000004 +#define POP_FLAG_GOT_NON_REBUILT 0x00000008 + +#define POP_SSL_ERROR_FLAGS (SSL_BOGUS_HS_DIR_FLAG | \ + SSL_BAD_VER_FLAG | \ + SSL_BAD_TYPE_FLAG | \ + SSL_UNKNOWN_FLAG) + +/* Maximum length of header chars before colon, based on Exim 4.32 exploit */ +#define 
MAX_HEADER_NAME_LEN 64 + +#define POP_PROTO_REF_STR "pop" + +/**************************************************************************/ + + +/* Data structures ********************************************************/ + +typedef enum _POPCmdEnum +{ + CMD_APOP = 0, + CMD_AUTH, + CMD_CAPA, + CMD_DELE, + CMD_LIST, + CMD_NOOP, + CMD_PASS, + CMD_QUIT, + CMD_RETR, + CMD_RSET, + CMD_STAT, + CMD_STLS, + CMD_TOP, + CMD_UIDL, + CMD_USER, + CMD_LAST + +} POPCmdEnum; + +typedef enum _POPRespEnum +{ + RESP_OK = 0, + RESP_ERR, + RESP_LAST + +} POPRespEnum; + +typedef enum _POPHdrEnum +{ + HDR_CONTENT_TYPE = 0, + HDR_CONT_TRANS_ENC, + HDR_LAST + +} POPHdrEnum; + +typedef enum _POPDataEndEnum +{ + DATA_END_1 = 0, + DATA_END_2, + DATA_END_3, + DATA_END_4, + DATA_END_LAST + +} POPDataEndEnum; + +typedef struct _POPSearchInfo +{ + int id; + int index; + int length; + +} POPSearchInfo; + +typedef struct _POPMimeBoundary +{ + char boundary[2 + MAX_BOUNDARY_LEN + 1]; /* '--' + MIME boundary string + '\0' */ + int boundary_len; + void *boundary_search; + +} POPMimeBoundary; + +typedef struct _POPPcre +{ + pcre *re; + pcre_extra *pe; + +} POPPcre; + +typedef struct _POP +{ + int state; + int data_state; + int state_flags; + int session_flags; + int alert_mask; + int reassembling; +#ifdef DEBUG_MSGS + uint64_t session_number; +#endif + + MemBucket *decode_bkt; + POPMimeBoundary mime_boundary; + Email_DecodeState *decode_state; + + tSfPolicyId policy_id; + tSfPolicyUserContextId config; + +} POP; + + +/**************************************************************************/ + + +/* Function prototypes ****************************************************/ + +void POP_InitCmds(POPConfig *config); +void POP_SearchInit(void); +void POP_Free(void); +void SnortPOP(SFSnortPacket *); +int POP_IsServer(uint16_t); +void POP_FreeConfig(POPConfig *); +void POP_FreeConfigs(tSfPolicyUserContextId); + +/**************************************************************************/ + +#endif /* __POP_H__ 
*/ + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/pop/spp_pop.c snort-2.9.2/src/dynamic-preprocessors/pop/spp_pop.c --- snort-2.8.5.2/src/dynamic-preprocessors/pop/spp_pop.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/pop/spp_pop.c 2011-10-26 18:28:52.000000000 +0000 
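Review bot: The session-flag constants `POP_FLAG_NEXT_STATE_UNKNOWN` (0x4) and `POP_FLAG_GOT_NON_REBUILT` (0x8) reuse the exact bit values of the state flags `POP_FLAG_GOT_BOUNDARY` and `POP_FLAG_DATA_HEADER_CONT` under the same `POP_FLAG_` prefix, so nothing in the names stops a caller from testing a session flag against `state_flags` (or the reverse) and silently matching the wrong bit; both fields are plain `int` in `struct _POP`, so the compiler cannot catch it either. The same overlap exists between `STATE_DATA`/`STATE_UNKNOWN` (for `state`) and `STATE_DATA_INIT`.. `STATE_DATA_UNKNOWN` (for `data_state`). I would at least document the split above each group: `/* state flags: only set/tested on POP.state_flags */` and `/* session flags: only set/tested on POP.session_flags; values intentionally overlap the state flags */`, with a matching pair of comments on the two STATE_ groups. A cleaner fix would be distinct prefixes (e.g. `POP_SSN_FLAG_`, `DATA_STATE_`), but that touches callers outside this hunk.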
@@ -0,0 +1,670 @@ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +/************************************************************************** + * + * spp_pop.c + * + * Author: Bhagyashree Bantwal + * + * Description: + * + * This file initializes POP as a Snort preprocessor. + * + * This file registers the POP initialization function, + * adds the POP function into the preprocessor list. + * + * In general, this file is a wrapper to POP functionality, + * by interfacing with the Snort preprocessor functions. The rest + * of POP should be separate from the preprocessor hooks. 
+ * + **************************************************************************/ + +#include +#include +#include +#include + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "spp_pop.h" +#include "sf_preproc_info.h" +#include "snort_pop.h" +#include "pop_config.h" +#include "pop_log.h" + +#include "preprocids.h" +#include "sf_snort_packet.h" +#include "sf_dynamic_preprocessor.h" +#include "snort_debug.h" +#include "sfPolicy.h" +#include "sfPolicyUserData.h" + +#include "profiler.h" +#ifdef PERF_PROFILING +PreprocStats popPerfStats; +PreprocStats popDetectPerfStats; +int popDetectCalled = 0; +#endif + +#include "sf_types.h" +#include "mempool.h" +#include "snort_bounds.h" + +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 0; +const int BUILD_VERSION = 1; +#ifdef SUP_IP6 +const char *PREPROC_NAME = "SF_POP (IPV6)"; +#else +const char *PREPROC_NAME = "SF_POP"; +#endif + +#define SetupPOP DYNAMIC_PREPROC_SETUP + +MemPool *pop_mempool = NULL; + +tSfPolicyUserContextId pop_config = NULL; +POPConfig *pop_eval_config = NULL; + +extern POP pop_no_session; +extern int16_t pop_proto_id; + +static void POPInit(char *); +static void POPDetect(void *, void *context); +static void POPCleanExitFunction(int, void *); +static void POPResetFunction(int, void *); +static void POPResetStatsFunction(int, void *); +static void _addPortsToStream5Filter(POPConfig *, tSfPolicyId); +#ifdef TARGET_BASED +static void _addServicesToStream5Filter(tSfPolicyId); +#endif +static void POPCheckConfig(void); + +#ifdef SNORT_RELOAD +tSfPolicyUserContextId pop_swap_config = NULL; +static void POPReload(char *); +static int POPReloadVerify(void); +static void * POPReloadSwap(void); +static void POPReloadSwapFree(void *); +#endif + + +/* + * Function: SetupPOP() + * + * Purpose: Registers the preprocessor keyword and initialization + * function into the preprocessor list. This is the function that + * gets called from InitPreprocessors() in plugbase.c. 
+ * + * Arguments: None. + * + * Returns: void function + * + */ +void SetupPOP(void) +{ + /* link the preprocessor keyword to the init function in the preproc list */ +#ifndef SNORT_RELOAD + _dpd.registerPreproc("pop", POPInit); +#else + _dpd.registerPreproc("pop", POPInit, POPReload, + POPReloadSwap, POPReloadSwapFree); +#endif +} + + +/* + * Function: POPInit(char *) + * + * Purpose: Calls the argument parsing function, performs final setup on data + * structs, links the preproc function into the function list. + * + * Arguments: args => ptr to argument string + * + * Returns: void function + * + */ +static void POPInit(char *args) +{ + POPToken *tmp; + tSfPolicyId policy_id = _dpd.getParserPolicy(); + POPConfig * pPolicyConfig = NULL; + + if (pop_config == NULL) + { + //create a context + pop_config = sfPolicyConfigCreate(); + if (pop_config == NULL) + { + DynamicPreprocessorFatalMessage("Not enough memory to create POP " + "configuration.\n"); + } + + /* Initialize the searches not dependent on configuration. 
+ * headers, reponsed, data, mime boundary regular expression */ + POP_SearchInit(); + + /* zero out static POP global used for stateless POP or if there + * is no session pointer */ + memset(&pop_no_session, 0, sizeof(POP)); + + /* Put the preprocessor function into the function list */ + /* _dpd.addPreproc(POPDetect, PRIORITY_APPLICATION, PP_POP, PROTO_BIT__TCP);*/ + _dpd.addPreprocExit(POPCleanExitFunction, NULL, PRIORITY_LAST, PP_POP); + _dpd.addPreprocReset(POPResetFunction, NULL, PRIORITY_LAST, PP_POP); + _dpd.addPreprocResetStats(POPResetStatsFunction, NULL, PRIORITY_LAST, PP_POP); + _dpd.addPreprocConfCheck(POPCheckConfig); + +#ifdef TARGET_BASED + pop_proto_id = _dpd.findProtocolReference(POP_PROTO_REF_STR); + if (pop_proto_id == SFTARGET_UNKNOWN_PROTOCOL) + pop_proto_id = _dpd.addProtocolReference(POP_PROTO_REF_STR); + + DEBUG_WRAP(DebugMessage(DEBUG_POP,"POP: Target-based: Proto id for %s: %u.\n", + POP_PROTO_REF_STR, pop_proto_id);); +#endif + +#ifdef PERF_PROFILING + _dpd.addPreprocProfileFunc("pop", (void*)&popPerfStats, 0, _dpd.totalPerfStats); +#endif + } + + sfPolicyUserPolicySet (pop_config, policy_id); + pPolicyConfig = (POPConfig *)sfPolicyUserDataGetCurrent(pop_config); + if (pPolicyConfig != NULL) + { + DynamicPreprocessorFatalMessage("Can only configure POP preprocessor once.\n"); + } + + pPolicyConfig = (POPConfig *)calloc(1, sizeof(POPConfig)); + if (pPolicyConfig == NULL) + { + DynamicPreprocessorFatalMessage("Not enough memory to create POP " + "configuration.\n"); + } + + sfPolicyUserDataSetCurrent(pop_config, pPolicyConfig); + + POP_InitCmds(pPolicyConfig); + POP_ParseArgs(pPolicyConfig, args); + + POP_CheckConfig(pPolicyConfig, pop_config); + POP_PrintConfig(pPolicyConfig); + + if(pPolicyConfig->disabled) + return; + + _dpd.addPreproc(POPDetect, PRIORITY_APPLICATION, PP_POP, PROTO_BIT__TCP); + + if (_dpd.streamAPI == NULL) + { + DynamicPreprocessorFatalMessage("Streaming & reassembly must be enabled " + "for POP preprocessor\n"); + } + 
+ /* Command search - do this here because it's based on configuration */ + pPolicyConfig->cmd_search_mpse = _dpd.searchAPI->search_instance_new(); + if (pPolicyConfig->cmd_search_mpse == NULL) + { + DynamicPreprocessorFatalMessage("Could not allocate POP " + "command search.\n"); + } + + for (tmp = pPolicyConfig->cmds; tmp->name != NULL; tmp++) + { + pPolicyConfig->cmd_search[tmp->search_id].name = tmp->name; + pPolicyConfig->cmd_search[tmp->search_id].name_len = tmp->name_len; + + _dpd.searchAPI->search_instance_add(pPolicyConfig->cmd_search_mpse, tmp->name, + tmp->name_len, tmp->search_id); + } + + _dpd.searchAPI->search_instance_prep(pPolicyConfig->cmd_search_mpse); + + _addPortsToStream5Filter(pPolicyConfig, policy_id); + +#ifdef TARGET_BASED + _addServicesToStream5Filter(policy_id); +#endif +} + +/* + * Function: POPDetect(void *, void *) + * + * Purpose: Perform the preprocessor's intended function. This can be + * simple (statistics collection) or complex (IP defragmentation) + * as you like. Try not to destroy the performance of the whole + * system by trying to do too much.... 
+ * + * Arguments: p => pointer to the current packet data struct + * + * Returns: void function + * + */ +static void POPDetect(void *pkt, void *context) +{ + SFSnortPacket *p = (SFSnortPacket *)pkt; + tSfPolicyId policy_id = _dpd.getRuntimePolicy(); + PROFILE_VARS; + + if ((p->payload_size == 0) || !IsTCP(p) || (p->payload == NULL)) + return; + + PREPROC_PROFILE_START(popPerfStats); + + DEBUG_WRAP(DebugMessage(DEBUG_POP, "POP Start (((((((((((((((((((((((((((((((((((((((\n");); + + sfPolicyUserPolicySet (pop_config, policy_id); + + SnortPOP(p); + + DEBUG_WRAP(DebugMessage(DEBUG_POP, "POP End )))))))))))))))))))))))))))))))))))))))))\n\n");); + + PREPROC_PROFILE_END(popPerfStats); +#ifdef PERF_PROFILING + if (PROFILING_PREPROCS && popDetectCalled) + { + popPerfStats.ticks -= popDetectPerfStats.ticks; + /* And Reset ticks to 0 */ + popDetectPerfStats.ticks = 0; + popDetectCalled = 0; + } +#endif + +} + + +/* + * Function: POPCleanExitFunction(int, void *) + * + * Purpose: This function gets called when Snort is exiting, if there's + * any cleanup that needs to be performed (e.g. closing files) + * it should be done here. 
+ * + * Arguments: signal => the code of the signal that was issued to Snort + * data => any arguments or data structs linked to this + * function when it was registered, may be + * needed to properly exit + * + * Returns: void function + */ +static void POPCleanExitFunction(int signal, void *data) +{ + POP_Free(); + if (mempool_destroy(pop_mempool) == 0) + { + free(pop_mempool); + pop_mempool = NULL; + } + +} + + +static void POPResetFunction(int signal, void *data) +{ + return; +} + +static void POPResetStatsFunction(int signal, void *data) +{ + return; +} + +static void _addPortsToStream5Filter(POPConfig *config, tSfPolicyId policy_id) +{ + unsigned int portNum; + + if (config == NULL) + return; + + for (portNum = 0; portNum < MAXPORTS; portNum++) + { + if(config->ports[(portNum/8)] & (1<<(portNum%8))) + { + //Add port the port + _dpd.streamAPI->set_port_filter_status(IPPROTO_TCP, (uint16_t)portNum, + PORT_MONITOR_SESSION, policy_id, 1); + } + } +} + +#ifdef TARGET_BASED +static void _addServicesToStream5Filter(tSfPolicyId policy_id) +{ + _dpd.streamAPI->set_service_filter_status(pop_proto_id, PORT_MONITOR_SESSION, policy_id, 1); +} +#endif + +static int POPEnableDecoding(tSfPolicyUserContextId config, + tSfPolicyId policyId, void *pData) +{ + POPConfig *context = (POPConfig *)pData; + + if (pData == NULL) + return 0; + + if(context->disabled) + return 0; + + if(!POP_IsDecodingEnabled(context)) + return 1; + + return 0; +} + +static int POPCheckPolicyConfig( + tSfPolicyUserContextId config, + tSfPolicyId policyId, + void* pData + ) +{ + POPConfig *context = (POPConfig *)pData; + + _dpd.setParserPolicy(policyId); + + /* In a multiple-policy setting, the POP preproc can be turned on in a + "disabled" state. In this case, we don't require Stream5. 
*/ + if (context->disabled) + return 0; + + if (!_dpd.isPreprocEnabled(PP_STREAM5)) + { + DynamicPreprocessorFatalMessage("Streaming & reassembly must be enabled " + "for POP preprocessor\n"); + } + + return 0; +} + +static void POPCheckConfig(void) +{ + + POPConfig *defaultConfig = + (POPConfig *)sfPolicyUserDataGetDefault(pop_config); + + sfPolicyUserDataIterate (pop_config, POPCheckPolicyConfig); + + if (sfPolicyUserDataIterate(pop_config, POPEnableDecoding) != 0) + { + int encode_depth; + int max_sessions; + + if (defaultConfig == NULL) + { + /*error message */ + DynamicPreprocessorFatalMessage("POP: Must configure a default " + "configuration if you want to pop decoding.\n"); + } + + encode_depth = defaultConfig->max_depth; + + if (encode_depth & 7) + { + encode_depth += (8 - (encode_depth & 7)); + } + + max_sessions = defaultConfig->memcap / (2 * encode_depth ); + + pop_mempool = (MemPool *)calloc(1, sizeof(MemPool)); + + if (mempool_init(pop_mempool, max_sessions, + (2 * encode_depth )) != 0) + { + DynamicPreprocessorFatalMessage("POP: Could not allocate POP mempool.\n"); + } + } + + +} + +#ifdef SNORT_RELOAD +static void POPReload(char *args) +{ + POPToken *tmp; + tSfPolicyId policy_id = _dpd.getParserPolicy(); + POPConfig *pPolicyConfig = NULL; + + if (pop_swap_config == NULL) + { + //create a context + pop_swap_config = sfPolicyConfigCreate(); + if (pop_swap_config == NULL) + { + DynamicPreprocessorFatalMessage("Not enough memory to create POP " + "configuration.\n"); + } + + _dpd.addPreprocReloadVerify(POPReloadVerify); + } + + sfPolicyUserPolicySet (pop_swap_config, policy_id); + pPolicyConfig = (POPConfig *)sfPolicyUserDataGetCurrent(pop_swap_config); + + if (pPolicyConfig != NULL) + DynamicPreprocessorFatalMessage("Can only configure POP preprocessor once.\n"); + + pPolicyConfig = (POPConfig *)calloc(1, sizeof(POPConfig)); + if (pPolicyConfig == NULL) + { + DynamicPreprocessorFatalMessage("Not enough memory to create POP " + "configuration.\n"); + } + 
+ sfPolicyUserDataSetCurrent(pop_swap_config, pPolicyConfig); + + POP_InitCmds(pPolicyConfig); + POP_ParseArgs(pPolicyConfig, args); + + POP_CheckConfig(pPolicyConfig, pop_swap_config); + POP_PrintConfig(pPolicyConfig); + + if( pPolicyConfig->disabled ) + return; + + if (_dpd.streamAPI == NULL) + { + DynamicPreprocessorFatalMessage("Streaming & reassembly must be enabled " + "for POP preprocessor\n"); + } + + /* Command search - do this here because it's based on configuration */ + pPolicyConfig->cmd_search_mpse = _dpd.searchAPI->search_instance_new(); + if (pPolicyConfig->cmd_search_mpse == NULL) + { + DynamicPreprocessorFatalMessage("Could not allocate POP " + "command search.\n"); + } + + for (tmp = pPolicyConfig->cmds; tmp->name != NULL; tmp++) + { + pPolicyConfig->cmd_search[tmp->search_id].name = tmp->name; + pPolicyConfig->cmd_search[tmp->search_id].name_len = tmp->name_len; + + _dpd.searchAPI->search_instance_add(pPolicyConfig->cmd_search_mpse, tmp->name, + tmp->name_len, tmp->search_id); + } + + _dpd.searchAPI->search_instance_prep(pPolicyConfig->cmd_search_mpse); + + _dpd.addPreproc(POPDetect, PRIORITY_APPLICATION, PP_POP, PROTO_BIT__TCP); + + _addPortsToStream5Filter(pPolicyConfig, policy_id); + +#ifdef TARGET_BASED + _addServicesToStream5Filter(policy_id); +#endif +} + +static int POPReloadVerify(void) +{ + POPConfig *config = NULL; + POPConfig *configNext = NULL; + + if (pop_swap_config == NULL) + return 0; + + if (pop_config != NULL) + { + config = (POPConfig *)sfPolicyUserDataGet(pop_config, _dpd.getDefaultPolicy()); + } + + configNext = (POPConfig *)sfPolicyUserDataGet(pop_swap_config, _dpd.getDefaultPolicy()); + + if (config == NULL) + { + return 0; + } + + if (pop_mempool != NULL) + { + if (configNext == NULL) + { + _dpd.errMsg("POP reload: Changing the POP configuration requires a restart.\n"); + POP_FreeConfigs(pop_swap_config); + pop_swap_config = NULL; + return -1; + } + if (configNext->memcap != config->memcap) + { + _dpd.errMsg("POP reload: 
Changing the memcap requires a restart.\n"); + POP_FreeConfigs(pop_swap_config); + pop_swap_config = NULL; + return -1; + } + if(configNext->b64_depth != config->b64_depth) + { + _dpd.errMsg("POP reload: Changing the b64_decode_depth requires a restart.\n"); + POP_FreeConfigs(pop_swap_config); + pop_swap_config = NULL; + return -1; + } + if(configNext->qp_depth != config->qp_depth) + { + _dpd.errMsg("POP reload: Changing the qp_decode_depth requires a restart.\n"); + POP_FreeConfigs(pop_swap_config); + pop_swap_config = NULL; + return -1; + } + if(configNext->bitenc_depth != config->bitenc_depth) + { + _dpd.errMsg("POP reload: Changing the bitenc_decode_depth requires a restart.\n"); + POP_FreeConfigs(pop_swap_config); + pop_swap_config = NULL; + return -1; + } + if(configNext->uu_depth != config->uu_depth) + { + _dpd.errMsg("POP reload: Changing the uu_decode_depth requires a restart.\n"); + POP_FreeConfigs(pop_swap_config); + pop_swap_config = NULL; + return -1; + } + + } + else if(configNext != NULL) + { + if (sfPolicyUserDataIterate(pop_swap_config, POPEnableDecoding) != 0) + { + int encode_depth; + int max_sessions; + + + encode_depth = configNext->max_depth; + + if (encode_depth & 7) + { + encode_depth += (8 - (encode_depth & 7)); + } + + max_sessions = configNext->memcap / ( 2 * encode_depth); + + pop_mempool = (MemPool *)calloc(1, sizeof(MemPool)); + + if (mempool_init(pop_mempool, max_sessions, + (2 * encode_depth)) != 0) + { + DynamicPreprocessorFatalMessage("POP: Could not allocate POP mempool.\n"); + } + } + + } + + + if ( configNext->disabled ) + return 0; + + + if (!_dpd.isPreprocEnabled(PP_STREAM5)) + { + DynamicPreprocessorFatalMessage("Streaming & reassembly must be enabled " + "for POP preprocessor\n"); + } + + return 0; +} + +static int POPReloadSwapPolicy( + tSfPolicyUserContextId config, + tSfPolicyId policyId, + void* pData + ) +{ + POPConfig *pPolicyConfig = (POPConfig *)pData; + + if (pPolicyConfig->ref_count == 0) + { + 
sfPolicyUserDataClear (config, policyId); + POP_FreeConfig(pPolicyConfig); + } + + return 0; +} + +static void * POPReloadSwap(void) +{ + tSfPolicyUserContextId old_config = pop_config; + + if (pop_swap_config == NULL) + return NULL; + + pop_config = pop_swap_config; + pop_swap_config = NULL; + + sfPolicyUserDataIterate (old_config, POPReloadSwapPolicy); + + if (sfPolicyUserPolicyGetActive(old_config) == 0) + POP_FreeConfigs(old_config); + + return NULL; +} + +static void POPReloadSwapFree(void *data) +{ + if (data == NULL) + return; + + POP_FreeConfigs((tSfPolicyUserContextId)data); +} +#endif diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/pop/spp_pop.h snort-2.9.2/src/dynamic-preprocessors/pop/spp_pop.h --- snort-2.8.5.2/src/dynamic-preprocessors/pop/spp_pop.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/pop/spp_pop.h 2011-06-08 00:33:14.000000000 +0000 
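Review bot: `POPReloadVerify` dereferences a NULL `configNext` when `pop_mempool` is NULL and the swap config has no default-policy entry: both the `if (pop_mempool != NULL)` branch and the `else if (configNext != NULL)` branch are skipped and control reaches `if ( configNext->disabled )`; the guard should read `if (configNext == NULL || configNext->disabled) return 0;`. In the same function and in `POPCheckConfig`, the result of `calloc(1, sizeof(MemPool))` is passed straight to `mempool_init` with no NULL check, whereas every other allocation in this file fails via `DynamicPreprocessorFatalMessage`; add `if (pop_mempool == NULL) DynamicPreprocessorFatalMessage("POP: Could not allocate POP mempool.\n");` before each `mempool_init` call. Both sites also compute `memcap / (2 * encode_depth)` from the configured `max_depth` with no visible guard against zero; if `POP_CheckConfig` (defined outside this hunk) does not already reject a zero depth, this is a divide-by-zero at startup or reload, so a `max_depth > 0` check or a comment stating where it is enforced would be worth adding here.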
@@ -0,0 +1,37 @@ + +/* + * spp_pop.h + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * Author: Bhagyashree Bantwal + * + * Description: + * + * This file defines the publicly available functions for the POP + * functionality for Snort. + * + */ + +#ifndef __SPP_POP_H__ +#define __SPP_POP_H__ + +void SetupPOP(void); + +#endif + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/reputation/Makefile.am snort-2.9.2/src/dynamic-preprocessors/reputation/Makefile.am --- snort-2.8.5.2/src/dynamic-preprocessors/reputation/Makefile.am 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/reputation/Makefile.am 2011-10-26 14:49:57.000000000 +0000 
@@ -0,0 +1,61 @@ +## $Id +AUTOMAKE_OPTIONS=foreign no-dependencies + +INCLUDES = -I../include -I${srcdir}/../libs -I$(srcdir)/includes + +libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor + +lib_LTLIBRARIES = libsf_reputation_preproc.la + +libsf_reputation_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +if SO_WITH_STATIC_LIB +libsf_reputation_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +else +nodist_libsf_reputation_preproc_la_SOURCES = \ +../include/sf_dynamic_preproc_lib.c \ +../include/sf_ip.c \ +../include/sfrt.c \ +../include/sfrt_dir.c \ +../include/sfrt_flat.c \ +../include/sfrt_flat_dir.c \ +../include/segment_mem.c \ +../include/sfPolicyUserData.c +endif + +if HAVE_SHARED_REP +libsf_reputation_preproc_la_SOURCES = \ +spp_reputation.c \ +spp_reputation.h \ +reputation_config.c \ +reputation_config.h \ +reputation_utils.c \ +reputation_utils.h \ +reputation_debug.h \ +./shmem/sflinux_helpers.c \ +./shmem/sflinux_helpers.h \ +./shmem/shmem_common.h \ +./shmem/shmem_config.h \ +./shmem/shmem_config.c \ +./shmem/shmem_datamgmt.h \ +./shmem/shmem_datamgmt.c \ +./shmem/shmem_lib.h \ +./shmem/shmem_lib.c \ +./shmem/shmem_mgmt.h \ +./shmem/shmem_mgmt.c +else +libsf_reputation_preproc_la_SOURCES = \ +spp_reputation.c \ +spp_reputation.h \ +reputation_config.c \ +reputation_config.h \ +reputation_utils.c \ +reputation_utils.h \ +reputation_debug.h +endif + + +EXTRA_DIST = \ +sf_reputation.dsp + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/reputation/Makefile.in snort-2.9.2/src/dynamic-preprocessors/reputation/Makefile.in --- snort-2.8.5.2/src/dynamic-preprocessors/reputation/Makefile.in 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/reputation/Makefile.in 2011-12-07 19:23:20.000000000 +0000 
@@ -0,0 +1,631 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/dynamic-preprocessors/reputation +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 
40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(libdir)" +LTLIBRARIES = $(lib_LTLIBRARIES) +@SO_WITH_STATIC_LIB_TRUE@libsf_reputation_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la +am__libsf_reputation_preproc_la_SOURCES_DIST = spp_reputation.c \ + spp_reputation.h reputation_config.c reputation_config.h \ + reputation_utils.c reputation_utils.h reputation_debug.h \ + ./shmem/sflinux_helpers.c ./shmem/sflinux_helpers.h \ + ./shmem/shmem_common.h ./shmem/shmem_config.h \ + ./shmem/shmem_config.c ./shmem/shmem_datamgmt.h \ + ./shmem/shmem_datamgmt.c ./shmem/shmem_lib.h \ + ./shmem/shmem_lib.c ./shmem/shmem_mgmt.h ./shmem/shmem_mgmt.c +@HAVE_SHARED_REP_FALSE@am_libsf_reputation_preproc_la_OBJECTS = \ +@HAVE_SHARED_REP_FALSE@ spp_reputation.lo reputation_config.lo \ +@HAVE_SHARED_REP_FALSE@ reputation_utils.lo +@HAVE_SHARED_REP_TRUE@am_libsf_reputation_preproc_la_OBJECTS = \ +@HAVE_SHARED_REP_TRUE@ spp_reputation.lo reputation_config.lo \ +@HAVE_SHARED_REP_TRUE@ reputation_utils.lo sflinux_helpers.lo \ +@HAVE_SHARED_REP_TRUE@ shmem_config.lo shmem_datamgmt.lo \ +@HAVE_SHARED_REP_TRUE@ shmem_lib.lo shmem_mgmt.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_reputation_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo sf_ip.lo \ 
+@SO_WITH_STATIC_LIB_FALSE@ sfrt.lo sfrt_dir.lo sfrt_flat.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfrt_flat_dir.lo segment_mem.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo +libsf_reputation_preproc_la_OBJECTS = \ + $(am_libsf_reputation_preproc_la_OBJECTS) \ + $(nodist_libsf_reputation_preproc_la_OBJECTS) +libsf_reputation_preproc_la_LINK = $(LIBTOOL) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libsf_reputation_preproc_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = +am__depfiles_maybe = +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libsf_reputation_preproc_la_SOURCES) \ + $(nodist_libsf_reputation_preproc_la_SOURCES) +DIST_SOURCES = $(am__libsf_reputation_preproc_la_SOURCES_DIST) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ +CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs -I$(srcdir)/includes +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = 
@INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAINT = @MAINT@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ +STRIP = @STRIP@ +VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ +YACC = @YACC@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = 
@docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +extra_incl = @extra_incl@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +AUTOMAKE_OPTIONS = foreign no-dependencies +lib_LTLIBRARIES = libsf_reputation_preproc.la +libsf_reputation_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +@SO_WITH_STATIC_LIB_TRUE@libsf_reputation_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_reputation_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_ip.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfrt.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfrt_dir.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfrt_flat.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfrt_flat_dir.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/segment_mem.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c + +@HAVE_SHARED_REP_FALSE@libsf_reputation_preproc_la_SOURCES = \ +@HAVE_SHARED_REP_FALSE@spp_reputation.c \ +@HAVE_SHARED_REP_FALSE@spp_reputation.h \ +@HAVE_SHARED_REP_FALSE@reputation_config.c \ +@HAVE_SHARED_REP_FALSE@reputation_config.h \ +@HAVE_SHARED_REP_FALSE@reputation_utils.c \ +@HAVE_SHARED_REP_FALSE@reputation_utils.h \ 
+@HAVE_SHARED_REP_FALSE@reputation_debug.h + +@HAVE_SHARED_REP_TRUE@libsf_reputation_preproc_la_SOURCES = \ +@HAVE_SHARED_REP_TRUE@spp_reputation.c \ +@HAVE_SHARED_REP_TRUE@spp_reputation.h \ +@HAVE_SHARED_REP_TRUE@reputation_config.c \ +@HAVE_SHARED_REP_TRUE@reputation_config.h \ +@HAVE_SHARED_REP_TRUE@reputation_utils.c \ +@HAVE_SHARED_REP_TRUE@reputation_utils.h \ +@HAVE_SHARED_REP_TRUE@reputation_debug.h \ +@HAVE_SHARED_REP_TRUE@./shmem/sflinux_helpers.c \ +@HAVE_SHARED_REP_TRUE@./shmem/sflinux_helpers.h \ +@HAVE_SHARED_REP_TRUE@./shmem/shmem_common.h \ +@HAVE_SHARED_REP_TRUE@./shmem/shmem_config.h \ +@HAVE_SHARED_REP_TRUE@./shmem/shmem_config.c \ +@HAVE_SHARED_REP_TRUE@./shmem/shmem_datamgmt.h \ +@HAVE_SHARED_REP_TRUE@./shmem/shmem_datamgmt.c \ +@HAVE_SHARED_REP_TRUE@./shmem/shmem_lib.h \ +@HAVE_SHARED_REP_TRUE@./shmem/shmem_lib.c \ +@HAVE_SHARED_REP_TRUE@./shmem/shmem_mgmt.h \ +@HAVE_SHARED_REP_TRUE@./shmem/shmem_mgmt.c + +EXTRA_DIST = \ +sf_reputation.dsp + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/reputation/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-preprocessors/reputation/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-libLTLIBRARIES: $(lib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } + +uninstall-libLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ + done + +clean-libLTLIBRARIES: + -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) + @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done 
+libsf_reputation_preproc.la: $(libsf_reputation_preproc_la_OBJECTS) $(libsf_reputation_preproc_la_DEPENDENCIES) + $(libsf_reputation_preproc_la_LINK) -rpath $(libdir) $(libsf_reputation_preproc_la_OBJECTS) $(libsf_reputation_preproc_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +.c.o: + $(COMPILE) -c $< + +.c.obj: + $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: + $(LTCOMPILE) -c -o $@ $< + +sflinux_helpers.lo: ./shmem/sflinux_helpers.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sflinux_helpers.lo `test -f './shmem/sflinux_helpers.c' || echo '$(srcdir)/'`./shmem/sflinux_helpers.c + +shmem_config.lo: ./shmem/shmem_config.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o shmem_config.lo `test -f './shmem/shmem_config.c' || echo '$(srcdir)/'`./shmem/shmem_config.c + +shmem_datamgmt.lo: ./shmem/shmem_datamgmt.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o shmem_datamgmt.lo `test -f './shmem/shmem_datamgmt.c' || echo '$(srcdir)/'`./shmem/shmem_datamgmt.c + +shmem_lib.lo: ./shmem/shmem_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o shmem_lib.lo `test -f './shmem/shmem_lib.c' || echo '$(srcdir)/'`./shmem/shmem_lib.c + +shmem_mgmt.lo: ./shmem/shmem_mgmt.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o shmem_mgmt.lo `test -f './shmem/shmem_mgmt.c' || echo 
'$(srcdir)/'`./shmem/shmem_mgmt.c + +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +sf_ip.lo: ../include/sf_ip.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_ip.lo `test -f '../include/sf_ip.c' || echo '$(srcdir)/'`../include/sf_ip.c + +sfrt.lo: ../include/sfrt.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfrt.lo `test -f '../include/sfrt.c' || echo '$(srcdir)/'`../include/sfrt.c + +sfrt_dir.lo: ../include/sfrt_dir.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfrt_dir.lo `test -f '../include/sfrt_dir.c' || echo '$(srcdir)/'`../include/sfrt_dir.c + +sfrt_flat.lo: ../include/sfrt_flat.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfrt_flat.lo `test -f '../include/sfrt_flat.c' || echo '$(srcdir)/'`../include/sfrt_flat.c + +sfrt_flat_dir.lo: ../include/sfrt_flat_dir.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfrt_flat_dir.lo `test -f '../include/sfrt_flat_dir.c' || echo '$(srcdir)/'`../include/sfrt_flat_dir.c + +segment_mem.lo: ../include/segment_mem.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) 
--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o segment_mem.lo `test -f '../include/segment_mem.c' || echo '$(srcdir)/'`../include/segment_mem.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) 
{ for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) all-local +installdirs: + for dir in "$(DESTDIR)$(libdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-libLTLIBRARIES + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-libLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-libLTLIBRARIES install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-libLTLIBRARIES + + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/reputation/reputation_config.c snort-2.9.2/src/dynamic-preprocessors/reputation/reputation_config.c --- snort-2.8.5.2/src/dynamic-preprocessors/reputation/reputation_config.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/reputation/reputation_config.c 2011-11-21 20:15:24.000000000 +0000 
@@ -0,0 +1,1423 @@ +/**************************************************************************** + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + **************************************************************************** + * Provides convenience functions for parsing and querying configuration. + * + * 6/7/2011 - Initial implementation ... Hui Cao + * + ****************************************************************************/ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif +#include +#include +#include +#include "sf_snort_packet.h" +#include "sf_types.h" +#include "sfPolicy.h" +#include "sfPolicyUserData.h" +#include "reputation_config.h" +#include "spp_reputation.h" +#include "reputation_debug.h" +#include "reputation_utils.h" +#ifdef SHARED_REP +#include "./shmem/shmem_mgmt.h" +#include +#endif +enum +{ + IP_INSERT_SUCCESS = 0, + IP_INVALID, + IP_INSERT_FAILURE, + IP_INSERT_DUPLICATE, + IP_MEM_ALLOC_FAILURE +}; + + +/* + * Default values for configurable parameters. + */ +#define REPUTATION_DEFAULT_MEMCAP 500 /*Mega bytes*/ +#define REPUTATION_DEFAULT_REFRESH_PERIOD 60 /*60 seconds*/ + + +/* + * Min/Max values for each configurable parameter. 
+ */ +#define MIN_MEMCAP 1 +#define MAX_MEMCAP 4095 +#define MIN_SHARED_MEM_REFRESH_PERIOD 1 +#define MAX_SHARED_MEM_REFRESH_PERIOD UINT32_MAX + +#define MAX_ADDR_LINE_LENGTH 8192 + +/* + * Keyword strings for parsing configuration options. + */ +#define REPUTATION_MEMCAP_KEYWORD "memcap" +#define REPUTATION_SCANLOCAL_KEYWORD "scan_local" +#define REPUTATION_BLACKLIST_KEYWORD "blacklist" +#define REPUTATION_WHITELIST_KEYWORD "whitelist" +#define REPUTATION_PRIORITY_KEYWORD "priority" +#define REPUTATION_NESTEDIP_KEYWORD "nested_ip" +#define REPUTATION_SHAREMEM_KEYWORD "shared_mem" +#define REPUTATION_SHAREDREFRESH_KEYWORD "shared_refresh" + +#define REPUTATION_CONFIG_SECTION_SEPERATORS ",;" +#define REPUTATION_CONFIG_VALUE_SEPERATORS " " +#define REPUTATION_SEPARATORS " \t\r\n" + + +static bw_list black = {BLACKLISTED}; +static bw_list white = {WHITELISTED}; + +static char *black_info = REPUTATION_BLACKLIST_KEYWORD; +static char *white_info = REPUTATION_WHITELIST_KEYWORD; + +char* NestedIPKeyword[] = +{ + "inner", + "outer", + "both", + NULL +}; + +#define MAX_MSGS_TO_PRINT 20 + +static unsigned long total_duplicates; +static unsigned long total_invalids; + +void **IPtables; +table_flat_t *emptyIPtables; +#ifdef SHARED_REP +ReputationConfig *reputation_shmem_config; +#endif +/* + * Function prototype(s) + */ +static void IpListInit(uint32_t,ReputationConfig *config); +static void LoadListFile(char *filename, INFO info, ReputationConfig *config); +static void DisplayIPlistStats(ReputationConfig *); +static void DisplayReputationConfig(ReputationConfig *); + +/* ******************************************************************** + * Function: estimateSizeFromEntries + * + * Estimate the memory segment size based on number of entries and memcap. + * + * Arguments: + * + * uint32_t num_entries: number of entries. + * uint32_t the memcap value set in configuration + * + * RETURNS: estimated memory size. 
+ *********************************************************************/ +uint32_t estimateSizeFromEntries(uint32_t num_entries, uint32_t memcap) +{ + uint64_t size; + uint64_t sizeFromEntries; + + /*memcap value is in Megabytes*/ + size = memcap << 20; + + if (size > UINT32_MAX) + size = UINT32_MAX; + + /*Worst case, 15k ~ 2^14 per entry, plus one Megabytes for empty table*/ + if (num_entries > ((UINT32_MAX - (1 << 20))>> 14)) + sizeFromEntries = UINT32_MAX; + else + sizeFromEntries = (num_entries << 14) + (1 << 20); + + if (size > sizeFromEntries) + { + size = sizeFromEntries; + } + + return (uint32_t) size; +} +#ifdef SHARED_REP +/**************************************************************************** + * + * Function: CheckIPlistDir() + * + * Purpose: We only check if IP list directory exist and + * readable + * Arguments: None. + * + * Returns: + * 0 : fail + * 1 : success + * + ****************************************************************************/ +static int CheckIPlistDir(char *path) +{ + struct stat st; + + if (path == NULL) + return 0; + + if (stat(path, &st) == -1) + return 0; + + if (!S_ISDIR(st.st_mode) || (access(path, R_OK) == -1)) + { + return 0; + } + return 1; +} + +/* ******************************************************************** + * Function: LoadFileIntoShmem + * + * Call back function for shared memory + * This is called when new files in the list + * Arguments: + * + * void* ptrSegment: start of shared memory segment. 
+ * ShmemDataFileList** file_list: the list of whitelist/blacklist files + * int num_files: number of files + * + * RETURNS: + * 0: success + * other value fails + *********************************************************************/ + +int LoadFileIntoShmem(void* ptrSegment, ShmemDataFileList** file_list, int num_files) +{ + table_flat_t *table; + int i; + MEM_OFFSET black_ptr; + MEM_OFFSET white_ptr; + uint8_t *base; + + segment_meminit((uint8_t*)ptrSegment, reputation_shmem_config->memsize); + +#ifdef SUP_IP6 + /*DIR_16x7_4x4 for performance, but memory usage is high + *Use DIR_8x16 worst case IPV4 5K, IPV6 15K (bytes) + *Use DIR_16x7_4x4 worst case IPV4 500, IPV6 2.5M + */ + table = sfrt_flat_new(DIR_8x16, IPv6, reputation_shmem_config->numEntries, reputation_shmem_config->memcap); +#else + table = sfrt_flat_new(DIR_8x4, IPv4, reputation_shmem_config->numEntries, reputation_load_config->memcap); + +#endif + if (table == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d): Failed to create IP list.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + reputation_shmem_config->iplist = table; + base = (uint8_t *)ptrSegment; + + black_ptr = segment_malloc(sizeof(bw_list)); + white_ptr = segment_malloc(sizeof(bw_list)); + *((bw_list *)&base[black_ptr]) = black; + *((bw_list *)&base[white_ptr]) = white; + + reputation_shmem_config->memCapReached = false; + + /*Reset the log message count*/ + total_duplicates = 0; + for (i = 0; i < num_files; i++) + { + if (BLACK_LIST == file_list[i]->filetype) + LoadListFile(file_list[i]->filename,black_ptr, reputation_shmem_config); + else if (WHITE_LIST == file_list[i]->filetype) + LoadListFile(file_list[i]->filename,white_ptr, reputation_shmem_config); + + } + + _dpd.logMsg(" Reputation Preprocessor shared memory summary:\n"); + DisplayIPlistStats(reputation_shmem_config); + return 0; +} + +/* ******************************************************************** + * Function: GetSegmentSizeFromFileList + * + * Call back 
function for shared memory + * This is called when new files in the list + * + * Arguments: + * + * ShmemDataFileList** file_list: the list of whitelist/blacklist files + * int num_files: number of files + * + * RETURNS: + * uint32_t: segment size + *********************************************************************/ +uint32_t GetSegmentSizeFromFileList(ShmemDataFileList** file_list, int file_count) +{ + int numlines; + int totalLines = 0; + int i; + + if (file_count == 0) + { + return ZEROSEG; + } + for (i = 0; i < file_count; i++) + { + errno = 0; + numlines = numLinesInFile(file_list[i]->filename); + if ((0 == numlines) && (0 != errno)) + { + char errBuf[STD_BUF]; +#ifdef WIN32 + snprintf(errBuf, STD_BUF, "%s", strerror(errno)); +#else + strerror_r(errno, errBuf, STD_BUF); +#endif + DynamicPreprocessorFatalMessage( "Unable to open address file %s, Error: %s\n", + file_list[i]->filename, errBuf); + } + + if (totalLines + numlines < totalLines) + { + DynamicPreprocessorFatalMessage("Too many entries.\n"); + } + + totalLines += numlines; + } + + if (totalLines == 0) + { + return ZEROSEG; + } + reputation_shmem_config->numEntries = totalLines + 1; + + reputation_shmem_config->memsize = estimateSizeFromEntries(reputation_shmem_config->numEntries, reputation_shmem_config->memcap); + return reputation_shmem_config->memsize; +} + +/* ******************************************************************** + * Function: InitPerProcessZeroSegment + * + * Call back function for shared memory + * This is called during initialization + * + * Arguments: + * + * void*** data_ptr: (output) the address of shared memory address + * + * RETURNS: + * uint32_t: segment size + *********************************************************************/ +int InitPerProcessZeroSegment(void*** data_ptr) +{ + /*The size of empty segment is 1 Megabytes*/ + size_t size = 1; + long maxEntries = 1; + static bool initiated = false; + + if (true == initiated) + { + *data_ptr = (void **)&emptyIPtables; 
+ return 0; + } + reputation_shmem_config->emptySegment = malloc(size*1024*1024); + segment_meminit((uint8_t*) reputation_shmem_config->emptySegment, size*1024*1024); + + initiated = true; + +#ifdef SUP_IP6 + /*DIR_16x7_4x4 for performance, but memory usage is high + *Use DIR_8x16 worst case IPV4 5K, IPV6 15K (bytes) + *Use DIR_16x7_4x4 worst case IPV4 500, IPV6 2.5M + */ + emptyIPtables = sfrt_flat_new(DIR_8x16, IPv6, maxEntries, size); +#else + emptyIPtables = sfrt_flat_new(DIR_8x4, IPv4, maxEntries, size); + +#endif + if (emptyIPtables == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d): Failed to create IP list.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + *data_ptr = (void **)&emptyIPtables; + + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, " Total memory " + "allocated for empty table: %d bytes\n", + sfrt_flat_usage(emptyIPtables));); + return 0; +} + +/* ******************************************************************** + * Function: initShareMemory + * + * Initialize for shared memory + * This is called during initialization + * + * Arguments: + * + * ReputationConfig *config: the configure file + * + * RETURNS: + * 1: success + *********************************************************************/ +void initShareMemory(void *conf) +{ + int segment_number; + uint32_t snortID; + ReputationConfig *config = (ReputationConfig *)conf; + + reputation_shmem_config = config; + if (InitShmemDataMgmtFunctions(InitPerProcessZeroSegment, + GetSegmentSizeFromFileList,LoadFileIntoShmem)) + { + DynamicPreprocessorFatalMessage("Unable to initialize DataManagement functions\n"); + + } + /*use snort instance ID to designate server (writer)*/ + snortID = _dpd.getSnortInstance(); + if (SHMEM_SERVER_ID_1 == snortID) + { + if ((segment_number = InitShmemWriter(snortID,IPREP,GROUP_0,NUMA_0, + config->sharedMem.path, &IPtables,config->sharedMem.updateInterval)) == NO_ZEROSEG) + { + DynamicPreprocessorFatalMessage("Unable to init share memory writer\n"); + + } + } + 
else + { + if ((segment_number = InitShmemReader(snortID,IPREP,GROUP_0,NUMA_0, + config->sharedMem.path, &IPtables,config->sharedMem.updateInterval)) == NO_ZEROSEG) + { + DynamicPreprocessorFatalMessage("Unable to init share memory reader\n"); + + } + } + +} +#endif +/* ******************************************************************** + * Function: DisplayIPlistStats + * + * Display the statistics for the Reputation iplist table. + * + * Arguments: + * + * ReputationConfig *config: Reputation preprocessor configuration. + * + * RETURNS: Nothing. + *********************************************************************/ +static void DisplayIPlistStats(ReputationConfig *config) +{ + /*Print out the summary*/ + reputation_stats.memoryAllocated = sfrt_flat_usage(config->iplist); + _dpd.logMsg(" Reputation total memory usage: %u bytes\n", + reputation_stats.memoryAllocated); + config->numEntries = sfrt_flat_num_entries(config->iplist); + _dpd.logMsg(" Reputation total entries loaded: %u, invalid: %u, re-defined: %u\n", + config->numEntries,total_invalids,total_duplicates); +} +/* ******************************************************************** + * Function: DisplayReputationConfig + * + * Display the configuration for the Reputation preprocessor. + * + * Arguments: + * + * ReputationConfig *config: Reputation preprocessor configuration. + * + * RETURNS: Nothing. + *********************************************************************/ +static void DisplayReputationConfig(ReputationConfig *config) +{ + + if (config == NULL) + return; + + _dpd.logMsg(" Memcap: %d %s \n", + config->memcap, + config->memcap + == REPUTATION_DEFAULT_MEMCAP ? + "(Default) M bytes" : "M bytes" ); + _dpd.logMsg(" Scan local network: %s\n", + config->scanlocal ? + "ENABLED":"DISABLED (Default)"); + _dpd.logMsg(" Reputation priority: %s \n", + config->priority + == WHITELISTED? 
+ REPUTATION_WHITELIST_KEYWORD "(Default)" : REPUTATION_BLACKLIST_KEYWORD ); + _dpd.logMsg(" Nested IP: %s %s \n", + NestedIPKeyword[config->nestedIP], + config->nestedIP + == INNER? + "(Default)" : "" ); + if (config->sharedMem.path) + { + _dpd.logMsg(" Shared memory supported, Update directory: %s\n", + config->sharedMem.path ); + _dpd.logMsg(" Shared memory refresh period: %d %s \n", + config->sharedMem.updateInterval, + config->sharedMem.updateInterval + == REPUTATION_DEFAULT_REFRESH_PERIOD ? + "(Default) seconds" : "seconds" ); + } + else + { + _dpd.logMsg(" Shared memory is Not supported.\n"); + + } + _dpd.logMsg("\n"); +} + + + +/******************************************************************** + * Function: IpListInit + * + * Initiate an iplist table + * + * Arguments: + * Reputation_Config * + * The configuration to use. + * + * Returns: None + * + ********************************************************************/ + +static void IpListInit(uint32_t maxEntries, ReputationConfig *config) +{ + uint8_t *base; + + if (config->iplist == NULL) + { + uint32_t mem_size; + mem_size = estimateSizeFromEntries(maxEntries, config->memcap); + config->localSegment = malloc(mem_size); + segment_meminit((uint8_t*)config->localSegment,mem_size); + base = (uint8_t *)config->localSegment; + +#ifdef SUP_IP6 + /*DIR_16x7_4x4 for performance, but memory usage is high + *Use DIR_8x16 worst case IPV4 5K, IPV6 15K (bytes) + *Use DIR_16x7_4x4 worst case IPV4 500, IPV6 2.5M + */ + config->iplist = sfrt_flat_new(DIR_8x16, IPv6, maxEntries, config->memcap); +#else + config->iplist = sfrt_flat_new(DIR_8x4, IPv4, maxEntries, config->memcap); + +#endif + config->local_black_ptr = segment_malloc(sizeof(bw_list)); + config->local_white_ptr = segment_malloc(sizeof(bw_list)); + + *((bw_list *)&base[config->local_black_ptr]) = black; + *((bw_list *)&base[config->local_white_ptr]) = white; + + if (config->iplist == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d): Failed to create IP 
list.\n", + *(_dpd.config_file), *(_dpd.config_line)); + return; + } + } +} + +/******************************************************************** + * Function: AddIPtoList + * + * Add ip address to config file + * + * Arguments: + * sfip_t *: ip address + * void *: information about the file. + * ReputationConfig *: The configuration to be update. + * + * Returns: + * IP_INSERT_SUCCESS=0, + * IP_INSERT_FAILURE, + * IP_INSERT_DUPLICATE + * + ********************************************************************/ + +static int AddIPtoList(sfip_t *ipAddr,INFO info, ReputationConfig *config) +{ + int iRet; + int iFinalRet = IP_INSERT_SUCCESS; + /*This variable is used to check whether a more generic address + * overrides specific address + */ + uint32_t usageBeforeAdd; + uint32_t usageAfterAdd; + +#ifndef SUP_IP6 + if (ipAddr->family == AF_INET6) + { + return RT_INSERT_FAILURE; + } +#endif + if (ipAddr->family == AF_INET) + { + ipAddr->ip32[0] = ntohl(ipAddr->ip32[0]); + } + else if (ipAddr->family == AF_INET6) + { + int i; + for(i = 0; i < 4 ; i++) + ipAddr->ip32[i] = ntohl(ipAddr->ip32[i]); + } +#ifdef DEBUG_MSGS + + if (NULL != sfrt_flat_lookup((void *)ipAddr, config->iplist)) + { + DebugMessage(DEBUG_REPUTATION, "Find address before insert: %s \n",sfip_to_str(ipAddr) ); + + } + else + { + DebugMessage(DEBUG_REPUTATION, "Can't find address before insert: %s \n",sfip_to_str(ipAddr) ); + + } +#endif + + usageBeforeAdd = sfrt_flat_usage(config->iplist); + + /*Check whether the same or more generic address is already in the table*/ + if (NULL != sfrt_flat_lookup((void *)ipAddr, config->iplist)) + { + iFinalRet = IP_INSERT_DUPLICATE; + } + + +#ifdef SUP_IP6 + iRet = sfrt_flat_insert((void *)ipAddr, (unsigned char)ipAddr->bits, info, RT_FAVOR_TIME, config->iplist); +#else + iRet = sfrt_flat_insert((void *)&(ipAddr->ip.u6_addr32[0]), (unsigned char)ipAddr->bits, info, RT_FAVOR_TIME, config->iplist); +#endif + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Unused memory: %d 
\n",segment_unusedmem());); + + + if (RT_SUCCESS == iRet) + { + totalNumEntries++; +#ifdef DEBUG_MSGS + + DebugMessage(DEBUG_REPUTATION, "Number of entries input: %d, in table: %d \n", + totalNumEntries,sfrt_flat_num_entries(config->iplist) ); + DebugMessage(DEBUG_REPUTATION, "Memory allocated: %d \n",sfrt_flat_usage(config->iplist) ); + if (NULL != sfrt_flat_lookup((void *)ipAddr, config->iplist)) + { + DebugMessage(DEBUG_REPUTATION, "Find address after insert: %s \n",sfip_to_str(ipAddr) ); + + } +#endif + } + else if (MEM_ALLOC_FAILURE == iRet) + { + iFinalRet = IP_MEM_ALLOC_FAILURE; + DEBUG_WRAP( DebugMessage(DEBUG_REPUTATION, "Insert error: %d for address: %s \n",iRet, sfip_to_str(ipAddr) );); + } + else + { + iFinalRet = IP_INSERT_FAILURE; + DEBUG_WRAP( DebugMessage(DEBUG_REPUTATION, "Insert error: %d for address: %s \n",iRet, sfip_to_str(ipAddr) );); + + } + + usageAfterAdd = sfrt_flat_usage(config->iplist); + /*Compare in the same scale*/ + if (usageAfterAdd > (config->memcap << 20)) + { + iFinalRet = IP_MEM_ALLOC_FAILURE; + } + /*Check whether there a more specific address will be overridden*/ + if (usageBeforeAdd > usageAfterAdd ) + { + iFinalRet = IP_INSERT_DUPLICATE; + } + + return iFinalRet; + +} + +/******************************************************************** + * Function: + * + * Load one IP list file + * + * Arguments: + * char *: the line to be processed + * void *: information about the file. + * ReputationConfig *: The configuration to be update. 
+ * + * Returns: + * IP_INSERT_SUCCESS, + * IP_INSERT_FAILURE, + * IP_INSERT_DUPLICATE + * + ********************************************************************/ + +static int ProcessLine(char *line, INFO info, ReputationConfig *config) +{ + sfip_t ipAddr; + char *lineBuff; + char *nextBuff; + char *arg = NULL; + + if (!line) + return IP_INSERT_SUCCESS; + lineBuff = strdup(line); + if (NULL == lineBuff) + return IP_MEM_ALLOC_FAILURE; + if((arg = strtok_r(lineBuff, REPUTATION_SEPARATORS, &nextBuff)) != NULL) + { + int iRet; + if (Reputation_IsEmptyStr(arg)) + { + free(lineBuff); + return IP_INSERT_SUCCESS; + } + + if(sfip_pton(arg, &ipAddr) != SFIP_SUCCESS) + { + free(lineBuff); + return IP_INVALID; + + } + iRet = AddIPtoList(&ipAddr, info, config); + if( IP_INSERT_SUCCESS != iRet) + { + free(lineBuff); + return iRet; + } + if ((arg = strtok_r(nextBuff, REPUTATION_SEPARATORS, &nextBuff)) != NULL) + { + if (!Reputation_IsEmptyStr(arg)) + { + free(lineBuff); + return IP_INSERT_FAILURE; + } + } + + } + free(lineBuff); + return IP_INSERT_SUCCESS; +} + +/******************************************************************** + * Function: UpdatePathToFile + * + * Update the patch to file, if using relative patch + * The relative path is based on config file directory + * + * Arguments: + * fullfilename: file name string + * info: information about the file. + * ReputationConfig *: The configuration to be update. 
+ * + * Returns: + * 1 successful + * 0 fail + * + ********************************************************************/ + +static int UpdatePathToFile(char *full_path_filename, unsigned int max_size, char *filename) +{ + char *snort_conf_dir = *(_dpd.snort_conf_dir); + + if (!snort_conf_dir || !(*snort_conf_dir) || !full_path_filename || !filename) + { + DynamicPreprocessorFatalMessage(" %s(%d) => can't create path.\n", + *(_dpd.config_file), *(_dpd.config_line)); + return 0; + } + /*filename is too long*/ + if (max_size < strlen(filename) ) + { + DynamicPreprocessorFatalMessage(" %s(%d) => the file name length %u is longer than allowed %u.\n", + *(_dpd.config_file), *(_dpd.config_line), strlen(filename), max_size); + return 0; + } + /* + * If an absolute path is specified, then use that. + */ +#ifndef WIN32 + if(filename[0] == '/') + { + snprintf(full_path_filename, max_size, "%s", filename); + } + else + { + /* + ** Set up the file name directory + */ + if (snort_conf_dir[strlen(snort_conf_dir) - 1] == '/') + { + snprintf(full_path_filename,max_size, + "%s%s", snort_conf_dir, filename); + } + else + { + snprintf(full_path_filename, max_size, + "%s/%s", snort_conf_dir, filename); + } + } +#else + if(strlen(filename)>3 && filename[1]==':' && filename[2]=='\\') + { + snprintf(full_path_filename, max_size, "%s", filename); + } + else + { + /* + ** Set up the file name directory + */ + if (snort_conf_dir[strlen(snort_conf_dir) - 1] == '\\' || + snort_conf_dir[strlen(snort_conf_dir) - 1] == '/' ) + { + snprintf(full_path_filename,max_size, + "%s%s", snort_conf_dir, filename); + } + else + { + snprintf(full_path_filename, max_size, + "%s\\%s", snort_conf_dir, filename); + } + } +#endif + return 1; +} + +/******************************************************************** + * Function: GetListInfo + * + * Get information about the file + * + * Arguments: + * + * info: information about the file. 
+ * + * Returns: + * None + * + ********************************************************************/ + +static char* GetListInfo(INFO info) +{ + uint8_t *base; + bw_list *info_value; + base = (uint8_t *)segment_basePtr(); + info_value = (bw_list *)(&base[info]); + if (!info_value) + return NULL; + switch(info_value->isBlack) + { + case DECISION_NULL: + return NULL; + break; + case BLACKLISTED: + return black_info; + break; + case WHITELISTED: + return white_info; + break; + default: + return NULL; + } + return NULL; +} +/******************************************************************** + * Function: LoadListFile + * + * Load one IP list file + * + * Arguments: + * filename: file name string + * info: information about the file. + * ReputationConfig *: The configuration to be update. + * + * Returns: + * None + * + ********************************************************************/ + +static void LoadListFile(char *filename, INFO info, ReputationConfig *config) +{ + + char list_buf[MAX_ADDR_LINE_LENGTH+1]; + char full_path_filename[PATH_MAX+1]; + char *lb = list_buf; + int addrline = 0; + FILE *fp = NULL; + char *cmt = NULL; + char *list_info; + + /*entries processing statistics*/ + unsigned int num_duplicates = 0; /*number of duplicates in this file*/ + unsigned int num_invalids = 0; /*number of invalid entries in this file*/ + unsigned int num_loaded_before = 0; /*number of valid entries loaded */ + + if ((NULL == filename)||(0 == info)|| (NULL == config)||config->memCapReached) + return; + + UpdatePathToFile(full_path_filename, PATH_MAX, filename); + + list_info = GetListInfo(info); + + if (!list_info) + return; + + _dpd.logMsg(" Processing %s file %s\n", list_info, full_path_filename); + + if((fp = fopen(full_path_filename, "r")) == NULL) + { + char errBuf[STD_BUF]; +#ifdef WIN32 + snprintf(errBuf, STD_BUF, "%s", strerror(errno)); +#else + strerror_r(errno, errBuf, STD_BUF); +#endif + DynamicPreprocessorFatalMessage("%s(%d) => Unable to open address file 
%s, Error: %s\n", + *(_dpd.config_file), *(_dpd.config_line), full_path_filename, errBuf); + } + + num_loaded_before = sfrt_flat_num_entries(config->iplist); + while((fgets(lb, MAX_ADDR_LINE_LENGTH, fp)) != NULL) + { + int iRet; + addrline++; + + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Reputation configurations: %s\n",lb );); + /* remove comments */ + if((cmt = strchr(lb, '#')) != NULL) + { + *cmt = '\0'; + } + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Reputation configurations: %s\n",lb );); + /* process the line */ + iRet = ProcessLine(lb, info, config); + + if (IP_INSERT_SUCCESS == iRet) + { + continue; + } + else if (IP_INSERT_FAILURE == iRet) + { + if (num_invalids++ < MAX_MSGS_TO_PRINT) + { + _dpd.errMsg(" (%d) => Can't insert IP Address: %s", + addrline, lb); + } + } + else if (IP_INVALID == iRet) + { + if (num_invalids++ < MAX_MSGS_TO_PRINT) + { + _dpd.errMsg(" (%d) => Invalid IP Address: %s", + addrline, lb); + } + } + + else if (IP_MEM_ALLOC_FAILURE == iRet) + { + _dpd.logMsg("WARNING: %s(%d) => Memcap %u Mbytes reached when inserting IP Address: %s.", + full_path_filename, addrline, config->memcap,lb); + config->memCapReached = true; + break; + } + else if (IP_INSERT_DUPLICATE == iRet) + { + if (num_duplicates++ < MAX_MSGS_TO_PRINT) + { + _dpd.logMsg(" (%d) => Re-defined address: %s", + addrline, lb ); + } + + } + + lb = list_buf; + } + + total_duplicates += num_duplicates; + total_invalids += num_invalids; + /*Print out the summary*/ + if (num_invalids > MAX_MSGS_TO_PRINT) + _dpd.logMsg(" Additional address is invalid but not printed.\n"); + if (num_duplicates > MAX_MSGS_TO_PRINT) + _dpd.logMsg(" Additional address has been redefined but not printed.\n"); + + _dpd.logMsg(" Reputation entries loaded: %u, invalid: %u, re-defined: %u (from file %s)\n", + sfrt_flat_num_entries(config->iplist)- num_loaded_before,num_invalids,num_duplicates, + full_path_filename); + + fclose(fp); + +} + 
+/******************************************************************** + * Function: Reputation_FreeConfig + * + * Frees a reputation configuration + * + * Arguments: + * Reputation_Config * + * The configuration to free. + * + * Returns: None + * + ********************************************************************/ +void Reputation_FreeConfig (ReputationConfig *config) +{ + + if (config == NULL) + return; + + + if (config->emptySegment != NULL) + { + free(config->emptySegment); + } + + if (config->localSegment != NULL) + { + free(config->localSegment); + } + + if(config->sharedMem.path) + free(config->sharedMem.path); + free(config); +} + + +/********************************************************************* + * Function: EstimateNumEntries + * + * First pass to decide iplist table size. + * + * Arguments: + * + * ReputationConfig *config: Reputation preprocessor configuration. + * argp: Pointer to string containing the config arguments. + * + * RETURNS: int. estimated number of Entries based on number of lines + *********************************************************************/ +int EstimateNumEntries(ReputationConfig *config, u_char* argp) +{ + char* cur_sectionp = NULL; + char* next_sectionp = NULL; + char* argcpyp = NULL; + int totalLines = 0; + + + /*Default values*/ + + argcpyp = strdup( (char*) argp ); + + if ( !argcpyp ) + { + DynamicPreprocessorFatalMessage("Could not allocate memory to parse Reputation options.\n"); + return 0; + } + + cur_sectionp = strtok_r( argcpyp, REPUTATION_CONFIG_SECTION_SEPERATORS, &next_sectionp); + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Arguments token: %s\n",cur_sectionp );); + + while ( cur_sectionp ) + { + char* next_tokenp = NULL; + char* cur_tokenp = strtok_r( cur_sectionp, REPUTATION_CONFIG_VALUE_SEPERATORS, &next_tokenp); + + if (!cur_tokenp) + { + cur_sectionp = strtok_r( next_sectionp, REPUTATION_CONFIG_SECTION_SEPERATORS, &next_sectionp); + continue; + } + + if ( !strcmp( cur_tokenp, 
REPUTATION_MEMCAP_KEYWORD )) + { + int value; + char *endStr = NULL; + + cur_tokenp = strtok_r(next_tokenp, REPUTATION_CONFIG_VALUE_SEPERATORS, &next_tokenp); + + if ( !cur_tokenp ) + { + DynamicPreprocessorFatalMessage(" %s(%d) => No option to '%s'.\n", + *(_dpd.config_file), *(_dpd.config_line), REPUTATION_MEMCAP_KEYWORD); + } + + value = _dpd.SnortStrtol( cur_tokenp, &endStr, 10); + + if (( *endStr) || (errno == ERANGE)) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s. " + "Please specify an integer between %d and %d.\n", + *(_dpd.config_file), *(_dpd.config_line), + REPUTATION_MEMCAP_KEYWORD, MIN_MEMCAP, MAX_MEMCAP); + } + + if (value < MIN_MEMCAP || value > MAX_MEMCAP) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Value specified for %s is out of " + "bounds. Please specify an integer between %d and %d.\n", + *(_dpd.config_file), *(_dpd.config_line), + REPUTATION_MEMCAP_KEYWORD, MIN_MEMCAP, MAX_MEMCAP); + } + config->memcap = (uint32_t) value; + + } + else if ( !strcmp( cur_tokenp, REPUTATION_BLACKLIST_KEYWORD ) + ||!strcmp( cur_tokenp, REPUTATION_WHITELIST_KEYWORD )) + { + int numlines; + char full_path_filename[PATH_MAX+1]; + cur_tokenp = strtok_r( next_tokenp, REPUTATION_CONFIG_VALUE_SEPERATORS, &next_tokenp); + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Check list size %s\n",cur_tokenp );); + if(cur_tokenp == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) => Bad list filename in IP List.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + errno = 0; + UpdatePathToFile(full_path_filename,PATH_MAX, cur_tokenp); + numlines = numLinesInFile(full_path_filename); + if ((0 == numlines) && (0 != errno)) + { + char errBuf[STD_BUF]; + +#ifdef WIN32 + snprintf(errBuf, STD_BUF, "%s", strerror(errno)); +#else + strerror_r(errno, errBuf, STD_BUF); +#endif + DynamicPreprocessorFatalMessage("%s(%d) => Unable to open address file %s, Error: %s\n", + *(_dpd.config_file), *(_dpd.config_line), full_path_filename, errBuf); + } + + if 
(totalLines + numlines < totalLines) + { + DynamicPreprocessorFatalMessage("%s(%d) => Too many entries in one file.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + totalLines += numlines; + + } +#ifdef SHARED_REP + else if ( !strcmp( cur_tokenp, REPUTATION_SHAREMEM_KEYWORD )) + { + + if (Reputation_IsEmptyStr(next_tokenp)) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Missing argument for %s," + " please specify a path\n", + *(_dpd.config_file), *(_dpd.config_line), REPUTATION_SHAREMEM_KEYWORD); + } + + if (!CheckIPlistDir(next_tokenp)) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Can't find or access the path: %s\n", + *(_dpd.config_file), *(_dpd.config_line), next_tokenp); + } + + config->sharedMem.path = strdup( (char*) next_tokenp ); + + if ( !config->sharedMem.path ) + { + DynamicPreprocessorFatalMessage("Could not allocate memory to parse Reputation options.\n"); + + } + + config->sharedMem.updateInterval = REPUTATION_DEFAULT_REFRESH_PERIOD; + + } +#endif + + cur_sectionp = strtok_r( next_sectionp, REPUTATION_CONFIG_SECTION_SEPERATORS, &next_sectionp); + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Arguments token: %s\n",cur_sectionp );); + } + + free(argcpyp); + return totalLines; +} + +/********************************************************************* + * Function: ParseReputationArgs + * + * Parses and processes the configuration arguments + * supplied in the Reputation preprocessor rule. + * + * Arguments: + * + * ReputationConfig *config: Reputation preprocessor configuration. + * argp: Pointer to string containing the config arguments. + * + * RETURNS: Nothing. 
+ *********************************************************************/ +void ParseReputationArgs(ReputationConfig *config, u_char* argp) +{ + char* cur_sectionp = NULL; + char* next_sectionp = NULL; + char* argcpyp = NULL; + + if (config == NULL) + return; + + _dpd.logMsg("Reputation config: \n"); + + /*Default values*/ + config->memcap = REPUTATION_DEFAULT_MEMCAP; + config->priority = WHITELISTED; + config->nestedIP = INNER; + config->localSegment = NULL; + config->emptySegment = NULL; + config->memsize = 0; + config->memCapReached = false; + + /* Sanity check(s) */ + if ( !argp ) + { + _dpd.logMsg("WARNING: Can't find any whitelist/blacklist entries. " + "Reputation Preprocessor disabled.\n"); + return; + } + + argcpyp = strdup( (char*) argp ); + + if ( !argcpyp ) + { + DynamicPreprocessorFatalMessage("Could not allocate memory to parse Reputation options.\n"); + return; + } + + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Reputation configurations: %s\n",argcpyp );); + + /*We need to parse the memcap, numEntries earlier, then create iplist table*/ + + config->numEntries = EstimateNumEntries(config, argp ); + + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Estimated number of entries: %d\n",config->numEntries );); + + if ((config->numEntries <= 0) && (!config->sharedMem.path)) + { + _dpd.logMsg("WARNING: Can't find any whitelist/blacklist entries. 
" + "Reputation Preprocessor disabled.\n"); + free(argcpyp); + return; + } + if (!config->sharedMem.path) + IpListInit(config->numEntries + 1,config); + + cur_sectionp = strtok_r( argcpyp, REPUTATION_CONFIG_SECTION_SEPERATORS, &next_sectionp); + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Arguments token: %s\n",cur_sectionp );); + /*Reset the log message count*/ + total_duplicates = 0; + while ( cur_sectionp ) + { + + char* cur_config; + char* cur_tokenp = strtok( cur_sectionp, REPUTATION_CONFIG_VALUE_SEPERATORS); + + if (!cur_tokenp) + { + cur_sectionp = strtok_r( next_sectionp, REPUTATION_CONFIG_SECTION_SEPERATORS, &next_sectionp); + continue; + } + cur_config = cur_tokenp; + + if ( !strcmp( cur_tokenp, REPUTATION_SCANLOCAL_KEYWORD )) + { + config->scanlocal = 1; + } + else if ( !strcmp( cur_tokenp, REPUTATION_MEMCAP_KEYWORD )) + { + cur_tokenp = strtok( NULL, REPUTATION_CONFIG_VALUE_SEPERATORS); + /* processed before */ + } + else if ( !strcmp( cur_tokenp, REPUTATION_BLACKLIST_KEYWORD )) + { + cur_tokenp = strtok( NULL, REPUTATION_CONFIG_VALUE_SEPERATORS); + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Loading blacklist from %s\n",cur_tokenp );); + if(cur_tokenp == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) => Bad list filename in IP List.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + if (!config->sharedMem.path) + LoadListFile(cur_tokenp, config->local_black_ptr, config); + else + { + _dpd.logMsg("WARNING: %s(%d) => List file %s is not loaded " + "when using shared memory.\n", + *(_dpd.config_file), *(_dpd.config_line), cur_tokenp); + } + } + + else if ( !strcmp( cur_tokenp, REPUTATION_WHITELIST_KEYWORD )) + { + cur_tokenp = strtok( NULL, REPUTATION_CONFIG_VALUE_SEPERATORS); + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Loading whitelist from %s\n",cur_tokenp );); + if(cur_tokenp == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) => Bad list filename in IP List.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if 
(!config->sharedMem.path) + LoadListFile(cur_tokenp, config->local_white_ptr, config); + else + { + _dpd.logMsg("WARNING: %s(%d) => List file %s is not loaded " + "when using shared memory.\n", + *(_dpd.config_file), *(_dpd.config_line), cur_tokenp); + } + } + else if ( !strcmp( cur_tokenp, REPUTATION_PRIORITY_KEYWORD )) + { + + cur_tokenp = strtok( NULL, REPUTATION_CONFIG_VALUE_SEPERATORS); + if (!cur_tokenp) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Missing argument for %s\n", + *(_dpd.config_file), *(_dpd.config_line), REPUTATION_PRIORITY_KEYWORD); + return; + } + + if((strlen(REPUTATION_BLACKLIST_KEYWORD) == strlen (cur_tokenp)) + && !strcmp(REPUTATION_BLACKLIST_KEYWORD,cur_tokenp)) + { + config->priority = BLACKLISTED; + } + else if((strlen(REPUTATION_WHITELIST_KEYWORD) == strlen (cur_tokenp)) + && !strcmp(REPUTATION_WHITELIST_KEYWORD,cur_tokenp)) + { + config->priority = WHITELISTED; + } + else + { + DynamicPreprocessorFatalMessage(" %s(%d) => Invalid argument: %s for %s," + " Use [%s] or [%s]\n", + *(_dpd.config_file), *(_dpd.config_line), cur_tokenp, + REPUTATION_PRIORITY_KEYWORD, + REPUTATION_BLACKLIST_KEYWORD, REPUTATION_WHITELIST_KEYWORD); + return; + } + + } + else if ( !strcmp( cur_tokenp, REPUTATION_NESTEDIP_KEYWORD )) + { + int i = 0; + char NestIPKeyworBuff[STD_BUF]; + NestIPKeyworBuff[0] = '\0'; + cur_tokenp = strtok( NULL, REPUTATION_CONFIG_VALUE_SEPERATORS); + if (!cur_tokenp) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Missing argument for %s\n", + *(_dpd.config_file), *(_dpd.config_line), REPUTATION_NESTEDIP_KEYWORD); + return; + } + while(NULL != NestedIPKeyword[i]) + { + if((strlen(NestedIPKeyword[i]) == strlen (cur_tokenp)) + && !strcmp(NestedIPKeyword[i],cur_tokenp)) + { + config->nestedIP = (NestedIP) i; + break; + } + _dpd.printfappend(NestIPKeyworBuff, STD_BUF, "[%s] ", NestedIPKeyword[i] ); + i++; + } + if (NULL == NestedIPKeyword[i]) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Invalid argument: %s for %s, use %s\n", 
+ *(_dpd.config_file), *(_dpd.config_line), cur_tokenp, + REPUTATION_NESTEDIP_KEYWORD, NestIPKeyworBuff); + return; + } + + } +#ifdef SHARED_REP + else if ( !strcmp( cur_tokenp, REPUTATION_SHAREMEM_KEYWORD )) + { + cur_sectionp = strtok_r( next_sectionp, REPUTATION_CONFIG_SECTION_SEPERATORS, &next_sectionp); + continue; + /* processed before */ + } + else if ( !strcmp( cur_tokenp, REPUTATION_SHAREDREFRESH_KEYWORD )) + { + unsigned long value; + char *endStr = NULL; + + if (!config->sharedMem.path) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Specify option '%s' when using option '%s'.\n", + *(_dpd.config_file), *(_dpd.config_line), + REPUTATION_SHAREMEM_KEYWORD, REPUTATION_SHAREDREFRESH_KEYWORD); + } + cur_tokenp = strtok(NULL, REPUTATION_CONFIG_VALUE_SEPERATORS); + + if ( !cur_tokenp ) + { + DynamicPreprocessorFatalMessage(" %s(%d) => No option to '%s'.\n", + *(_dpd.config_file), *(_dpd.config_line), REPUTATION_SHAREDREFRESH_KEYWORD); + } + + value = _dpd.SnortStrtoul( cur_tokenp, &endStr, 10); + + if ( *endStr) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s. " + "Please specify an integer between %u and %u.\n", + *(_dpd.config_file), *(_dpd.config_line), + REPUTATION_SHAREDREFRESH_KEYWORD, + MIN_SHARED_MEM_REFRESH_PERIOD, MAX_SHARED_MEM_REFRESH_PERIOD); + } + + if (value < MIN_SHARED_MEM_REFRESH_PERIOD || value > MAX_SHARED_MEM_REFRESH_PERIOD + || (errno == ERANGE)) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Value specified for %s is out of " + "bounds. 
Please specify an integer between %u and %u.\n",
+ *(_dpd.config_file), *(_dpd.config_line),
+ REPUTATION_SHAREDREFRESH_KEYWORD, MIN_SHARED_MEM_REFRESH_PERIOD,
+ MAX_SHARED_MEM_REFRESH_PERIOD);
+ }
+ config->sharedMem.updateInterval = (uint32_t) value;
+
+ }
+#endif
+ else
+ {
+ DynamicPreprocessorFatalMessage(" %s(%d) => Invalid argument: %s\n",
+ *(_dpd.config_file), *(_dpd.config_line), cur_tokenp);
+ return;
+ }
+ /*Check whether too many parameters*/
+ if (NULL != strtok( NULL, REPUTATION_CONFIG_VALUE_SEPERATORS))
+ {
+ DynamicPreprocessorFatalMessage("%s(%d) => Too many arguments: %s\n",
+ *(_dpd.config_file), *(_dpd.config_line), cur_config);
+
+ }
+ cur_sectionp = strtok_r( next_sectionp, REPUTATION_CONFIG_SECTION_SEPERATORS, &next_sectionp);
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Arguments token: %s\n",cur_sectionp ););
+ }
+ DisplayIPlistStats(config);
+ DisplayReputationConfig(config);
+ free(argcpyp);
+}
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/reputation/reputation_config.h snort-2.9.2/src/dynamic-preprocessors/reputation/reputation_config.h
--- snort-2.8.5.2/src/dynamic-preprocessors/reputation/reputation_config.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/reputation/reputation_config.h 2011-10-26 18:28:52.000000000 +0000
@@ -0,0 +1,102 @@
+/****************************************************************************
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************
+ * Provides convenience functions for parsing and querying configuration.
+ *
+ * 6/11/2011 - Initial implementation ... Hui Cao
+ *
+ ****************************************************************************/
+
+#ifndef _REPUTATION_CONFIG_H_
+#define _REPUTATION_CONFIG_H_
+#include "sf_types.h"
+#include "sfPolicyUserData.h"
+#include "snort_bounds.h"
+#include "reputation_debug.h"
+#include "sf_ip.h"
+#include "sfrt_flat.h"
+
+#define REPUTATION_NAME "reputation"
+
+typedef enum _NestedIP
+{
+ INNER,
+ OUTER,
+ BOTH
+}NestedIP;
+
+typedef struct _SharedMem
+{
+ char *path;
+ uint32_t updateInterval;
+}SharedMem;
+
+
+typedef enum _IPdecision
+{
+ DECISION_NULL ,
+ BLACKLISTED ,
+ WHITELISTED
+}IPdecision;
+
+/*
+ * Reputation preprocessor configuration.
+ *
+ * memcap: the memcap for IP table.
+ * numEntries: number of entries in the table
+ * scanlocal: to scan local network
+ * prioirity: the priority of whitelist, blacklist
+ * nestedIP: which IP address to use when IP encapsulation
+ * iplist: the IP table
+ * ref_count: reference account
+ */
+typedef struct _reputationConfig
+{
+ uint32_t memcap;
+ int numEntries;
+ uint8_t scanlocal;
+ IPdecision priority;
+ NestedIP nestedIP;
+ MEM_OFFSET local_black_ptr;
+ MEM_OFFSET local_white_ptr;
+ void *emptySegment;
+ void *localSegment;
+ SharedMem sharedMem;
+ int segment_version;
+ uint32_t memsize;
+ bool memCapReached;
+ table_flat_t *iplist;
+ int ref_count;
+
+} ReputationConfig;
+
+
+
+typedef struct {
+ IPdecision isBlack;
+} bw_list;
+
+/********************************************************************
+ * Public function prototypes
+ ********************************************************************/
+void Reputation_FreeConfig(ReputationConfig *);
+void ParseReputationArgs(ReputationConfig *, u_char*);
+void initShareMemory(void *config);
+
+#endif
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/reputation/reputation_debug.h snort-2.9.2/src/dynamic-preprocessors/reputation/reputation_debug.h
--- snort-2.8.5.2/src/dynamic-preprocessors/reputation/reputation_debug.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/reputation/reputation_debug.h 2011-07-13 22:44:51.000000000 +0000
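Review bot: The comment block above `ReputationConfig` is already out of step with the struct it documents: `prioirity` should read `priority`, `ref_count: reference account` should read `reference count`, and `local_black_ptr`, `local_white_ptr`, `emptySegment`, `localSegment`, `sharedMem`, `segment_version`, `memsize` and `memCapReached` are not described at all. Each undocumented field deserves a one-clause line, e.g. `sharedMem: path of the shared-memory list and its refresh interval (SHARED_REP builds)`, which appears to be how the parser in reputation_config.c fills it; `SharedMem.path` should also say who frees the string, since `Reputation_FreeConfig` is the only release point declared here. The prototypes drop parameter names; keeping them, e.g. `void ParseReputationArgs(ReputationConfig *config, u_char *args);`, documents the call site at no cost.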
@@ -0,0 +1,44 @@
+/****************************************************************************
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************
+ * Provides macros and functions for debugging the preprocessor.
+ * If Snort is not configured to do debugging, macros are empty.
+ *
+ * 6/11/2011 - Initial implementation ... Hui Cao
+ *
+ ****************************************************************************/
+
+#ifndef _REPUTATION_DEBUG_H_
+#define _REPUTATION_DEBUG_H_
+
+#include 
+#include "sfPolicyUserData.h"
+
+/********************************************************************
+ * Macros
+ ********************************************************************/
+#define DEBUG_REPUTATION 0x00000020 /* 16 */
+
+
+#define REPUTATION_DEBUG__START_MSG "REPUTATION Start ********************************************"
+#define REPUTATION_DEBUG__END_MSG "REPUTATION End **********************************************"
+
+
+#endif /* _REPUTATION_DEBUG_H_ */
+
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/reputation/reputation_utils.c snort-2.9.2/src/dynamic-preprocessors/reputation/reputation_utils.c
--- snort-2.8.5.2/src/dynamic-preprocessors/reputation/reputation_utils.c 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/reputation/reputation_utils.c 2011-10-26 14:49:57.000000000 +0000
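Review bot: The trailing comment on `#define DEBUG_REPUTATION 0x00000020 /* 16 */` does not match the value: 0x20 is decimal 32, bit 5 of the debug mask, not 16. If 16 is meant as an index into some external list of debug flags the comment should say so; otherwise `#define DEBUG_REPUTATION 0x00000020 /* bit 5 */` states what the value actually is. A wrong annotation here is cheap to fix now and costly later, when someone picks "the next free bit" from the comments rather than the values.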
@@ -0,0 +1,101 @@
+/****************************************************************************
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************
+ * Provides convenience functions.
+ *
+ * 6/11/2011 - Initial implementation ... Hui Cao
+ *
+ ****************************************************************************/
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+#include "reputation_utils.h"
+#include 
+#include 
+
+#define MAX_ADDR_LINE_LENGTH 8192
+
+/********************************************************************
+ * Function: Reputation_IsEmptyStr()
+ *
+ * Checks if string is NULL, empty or just spaces.
+ * String must be 0 terminated.
+ *
+ * Arguments:
+ * char * - string to check
+ *
+ * Returns:
+ * 1 if string is NULL, empty or just spaces
+ * 0 otherwise
+ *
+ ********************************************************************/
+int Reputation_IsEmptyStr(char *str)
+{
+ char *end;
+
+ if (str == NULL)
+ return 1;
+
+ end = str + strlen(str);
+
+ while ((str < end) && isspace((int)*str))
+ str++;
+
+ if (str == end)
+ return 1;
+
+ return 0;
+}
+
+/********************************************************************
+ * Function: numLinesInFile()
+ *
+ * Number of lines in the file
+ *
+ * Arguments:
+ * fname: file name
+ *
+ * Returns:
+ * uint32_t number of lines
+ *
+ ********************************************************************/
+int numLinesInFile(char *fname)
+{
+ FILE *fp;
+ uint32_t numlines = 0;
+ char buf[MAX_ADDR_LINE_LENGTH];
+
+ fp = fopen(fname, "rb");
+
+ if (NULL == fp)
+ return 0;
+
+ while((fgets(buf, MAX_ADDR_LINE_LENGTH, fp)) != NULL)
+ {
+ if (buf[0] != '#')
+ {
+ numlines++;
+ if (numlines == INT_MAX)
+ return INT_MAX;
+ }
+ }
+
+ fclose(fp);
+ return numlines;
+}
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/reputation/reputation_utils.h snort-2.9.2/src/dynamic-preprocessors/reputation/reputation_utils.h
--- snort-2.8.5.2/src/dynamic-preprocessors/reputation/reputation_utils.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/reputation/reputation_utils.h 2011-07-13 22:44:51.000000000 +0000
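Review bot: `numLinesInFile` leaks the `FILE *` on the `numlines == INT_MAX` path, which returns from inside the loop without `fclose(fp)`; the early return should be `if (numlines == INT_MAX) { fclose(fp); return INT_MAX; }`. The function also returns 0 both when `fopen` fails and when the file holds no non-comment lines, so a caller cannot tell a missing list file from an empty one; since the declared return type is already `int` (the header comment says `uint32_t`, which should be corrected too), returning -1 on open failure would make that distinguishable. In `Reputation_IsEmptyStr`, `isspace((int)*str)` passes a possibly negative `char` value, which is undefined behaviour for bytes above 0x7F; use `isspace((unsigned char)*str)`.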
@@ -0,0 +1,33 @@ +/**************************************************************************** + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + **************************************************************************** + * Provides convenience functions. + * + * 6/11/2011 - Initial implementation ... Hui Cao + * + ****************************************************************************/ + +#ifndef REPUTATION_UTILS_H_ +#define REPUTATION_UTILS_H_ +#include "sf_ip.h" +#include "sf_snort_packet.h" +#include +int Reputation_IsEmptyStr(char *); +int numLinesInFile(char *fname); +#endif /* REPUTATION_UTILS_H_ */ diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/reputation/sf_reputation.dsp snort-2.9.2/src/dynamic-preprocessors/reputation/sf_reputation.dsp --- snort-2.8.5.2/src/dynamic-preprocessors/reputation/sf_reputation.dsp 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/reputation/sf_reputation.dsp 2011-11-21 20:15:24.000000000 +0000 
@@ -0,0 +1,255 @@ +# Microsoft Developer Studio Project File - Name="sf_reputation" - Package Owner=<4> +# Microsoft Developer Studio Generated Build File, Format Version 6.00 +# ** DO NOT EDIT ** + +# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102 + +CFG=sf_reputation - Win32 IPv6 Debug +!MESSAGE This is not a valid makefile. To build this project using NMAKE, +!MESSAGE use the Export Makefile command and run +!MESSAGE +!MESSAGE NMAKE /f "sf_reputation.mak". +!MESSAGE +!MESSAGE You can specify a configuration when running NMAKE +!MESSAGE by defining the macro CFG on the command line. For example: +!MESSAGE +!MESSAGE NMAKE /f "sf_reputation.mak" CFG="sf_reputation - Win32 IPv6 Debug" +!MESSAGE +!MESSAGE Possible choices for configuration are: +!MESSAGE +!MESSAGE "sf_reputation - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_reputation - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_reputation - Win32 IPv6 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_reputation - Win32 IPv6 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE + +# Begin Project +# PROP AllowPerConfigDependencies 0 +# PROP Scc_ProjName "" +# PROP Scc_LocalPath "" +CPP=cl.exe +MTL=midl.exe +RSC=rc.exe + +!IF "$(CFG)" == "sf_reputation - Win32 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "Release" +# PROP BASE Intermediate_Dir "Release" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "Release" +# PROP Intermediate_Dir "Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D 
"SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /YX /FD /c +# SUBTRACT CPP /X +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 + +!ELSEIF "$(CFG)" == "sf_reputation - Win32 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "Debug" +# PROP BASE Intermediate_Dir "Debug" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "Debug" +# PROP Intermediate_Dir "Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /YX /FD /GZ /c +# SUBTRACT CPP /X +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# 
ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept + +!ELSEIF "$(CFG)" == "sf_reputation - Win32 IPv6 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "sf_reputation___Win32_IPv6_Debug" +# PROP BASE Intermediate_Dir "sf_reputation___Win32_IPv6_Debug" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "IPv6_Debug" +# PROP Intermediate_Dir "IPv6_Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /GZ /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /YX /FD /GZ /c +# SUBTRACT CPP /X +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo 
+LINK32=link.exe +# ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept + +!ELSEIF "$(CFG)" == "sf_reputation - Win32 IPv6 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "sf_reputation___Win32_IPv6_Release" +# PROP BASE Intermediate_Dir "sf_reputation___Win32_IPv6_Release" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "IPv6_Release" +# PROP Intermediate_Dir "IPv6_Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_SMTP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /YX /FD /c +# SUBTRACT CPP /X +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib 
oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 + +!ENDIF + +# Begin Target + +# Name "sf_reputation - Win32 Release" +# Name "sf_reputation - Win32 Debug" +# Name "sf_reputation - Win32 IPv6 Debug" +# Name "sf_reputation - Win32 IPv6 Release" +# Begin Group "Source Files" + +# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" +# Begin Source File + +SOURCE=..\include\inet_aton.c +# End Source File +# Begin Source File + +SOURCE=..\include\inet_pton.c +# End Source File +# Begin Source File + +SOURCE=.\reputation_config.c +# End Source File +# Begin Source File + +SOURCE=.\reputation_utils.c +# End Source File +# Begin Source File + +SOURCE=..\include\segment_mem.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_dynamic_preproc_lib.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_ip.c +# End Source File +# Begin Source File + +SOURCE=..\include\sfPolicyUserData.c +# End Source File +# Begin Source File + +SOURCE=..\include\sfrt.c +# End Source File +# Begin Source File + +SOURCE=..\include\sfrt_dir.c +# End Source File +# Begin Source File + +SOURCE=..\include\sfrt_flat.c +# End Source File +# Begin Source File + +SOURCE=..\include\sfrt_flat_dir.c +# End Source File +# Begin Source File + +SOURCE=.\spp_reputation.c +# End Source File +# Begin Source File + +SOURCE=..\include\strtok_r.c +# End Source File +# End Group +# Begin Group "Header Files" + +# PROP Default_Filter "h;hpp;hxx;hm;inl" +# Begin Source File + +SOURCE=.\reputation_config.h +# End Source File +# Begin Source File + +SOURCE=.\reputation_debug.h +# End Source File +# Begin Source File + +SOURCE=.\reputation_utils.h +# End Source File +# Begin Source File + +SOURCE=..\include\segment_mem.h +# End Source File +# Begin Source File + +SOURCE=.\sf_preproc_info.h +# End Source File +# Begin Source File + +SOURCE=..\include\sfrt_flat.h +# End Source File +# Begin Source File + 
+SOURCE=..\include\sfrt_flat_dir.h +# End Source File +# Begin Source File + +SOURCE=.\spp_reputation.h +# End Source File +# End Group +# Begin Group "Resource Files" + +# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe" +# End Group +# End Target +# End Project diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.c snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.c --- snort-2.8.5.2/src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.c 2011-10-26 14:49:57.000000000 +0000 
@@ -0,0 +1,62 @@
+/* $Id$ */
+/****************************************************************************
+ *
+ * Copyright (C) 2005-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+// @file sflinux_helpers.c
+// @author Pramod Chandrashekar
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include "shmem_common.h"
+
+int CheckNumaNodes()
+{
+ char filename[1024];
+ int num_nodes = 0;
+ struct dirent *de;
+ DIR *dir;
+
+ snprintf(filename, sizeof(filename), "/sys/devices/system/node");
+
+ if ((dir = opendir(filename)))
+ {
+ while ((de = readdir(dir)))
+ {
+ if (!de->d_name || strncmp(de->d_name, "node", 4) != 0)
+ continue;
+ num_nodes++;
+ }
+ }
+ closedir(dir);
+
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Number of numa nodes is %d\n",num_nodes););
+
+ return num_nodes;
+}
+
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.c snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.c
--- snort-2.8.5.2/src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.h 1970-01-01 00:00:00.000000000 +0000
+++ 
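Review bot: `CheckNumaNodes` calls `closedir(dir)` unconditionally, so when `opendir` fails (a host without `/sys/devices/system/node`, or a restricted sysfs) it is called with `dir == NULL`, which is undefined behaviour and typically a crash; move `closedir(dir);` inside the `if` block, after the `while` loop. The `!de->d_name` test in the same loop is always false because `d_name` is an array member, not a pointer, and can be dropped. The definition `int CheckNumaNodes()` should be `int CheckNumaNodes(void)` to match the prototype in sflinux_helpers.h, and the `snprintf` of a constant path into a 1024-byte buffer is unnecessary — `opendir("/sys/devices/system/node")` says the same thing directly.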
snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.h 2011-10-26 14:49:57.000000000 +0000 @@ -0,0 +1,31 @@ +/* $Id$ */ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +// @file sflinux_helpers.h +// @author Pramod Chandrashekar + +#ifndef _SFLINUX_HELPERS_H_ +#define _SFLINUX_HELPERS_H_ + +int CheckNumaNodes(void); + +#endif diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/reputation/shmem/shmem_common.h snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_common.h --- snort-2.8.5.2/src/dynamic-preprocessors/reputation/shmem/shmem_common.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_common.h 2011-10-26 18:28:52.000000000 +0000 
@@ -0,0 +1,39 @@ +/* $Id$ */ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +// @file shmem_common.h +// @author Pramod Chandrashekar + +#ifndef _SHMEMCOMMON_H_ +#define _SHMEMCOMMON_H_ +#include "sf_types.h" +#include "snort_debug.h" +#include "../reputation_debug.h" + +#define IPREP 0 + +#define BLACK_LIST 1 +#define WHITE_LIST 2 + +#define VERSION_FILENAME "IPRVersion.dat" + +#endif diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/reputation/shmem/shmem_config.c snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_config.c --- snort-2.8.5.2/src/dynamic-preprocessors/reputation/shmem/shmem_config.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_config.c 2011-10-26 18:28:52.000000000 +0000 
@@ -0,0 +1,143 @@
+/* $Id$ */
+/****************************************************************************
+ *
+ * Copyright (C) 2005-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+// @file shmem_config.c
+// @author Pramod Chandrashekar
+
+#include 
+#include "sf_types.h"
+#include "sf_dynamic_preprocessor.h"
+#include "snort_debug.h"
+
+#include "sflinux_helpers.h"
+#include "shmem_config.h"
+
+static const char* const MODULE_NAME ="SharedMemConfig";
+
+ShmemUserInfo *shmusr_ptr = NULL;
+ShmemDataMgmtFunctions *dmfunc_ptr = NULL;
+
+static DatasetInfo dataset_names[] =
+{
+ { "SFIPReputation.rt", IPREP }
+};
+
+static void ConstructSegmentNames (int dataset, int group_id, int numa_node)
+{
+ int i;
+
+ snprintf(shmusr_ptr->mgmtSeg, sizeof(shmusr_ptr->mgmtSeg),
+ "%s.%d.%d",SHMEM_MGMT,group_id,numa_node);
+
+ for (i=0; idataSeg[i], sizeof(shmusr_ptr->dataSeg[0]),
+ "%s.%d.%d.%d",dataset_names[dataset].name,group_id,numa_node,i);
+}
+
+int InitShmemUser (
+ uint32_t instance_num, int instance_type, int dataset,
+ int group_id, int numa_node, const char* path, uint16_t instance_polltime)
+{
+ int rval = SF_EINVAL, num_nodes;
+
+ if (
+ (instance_num >= MAX_INSTANCES) ||
+ (instance_type != READ && instance_type != WRITE) ||
+ (dataset != IPREP) || !path || !instance_polltime )
+ goto exit;
+
+ if ((shmusr_ptr = calloc(1, sizeof(*shmusr_ptr))) == NULL)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Unable to allocate memory for configuration data"););
+ goto exit;
+ }
+
+ shmusr_ptr->instance_num = instance_num;
+ shmusr_ptr->instance_type = instance_type;
+ shmusr_ptr->dataset = dataset;
+ shmusr_ptr->group_id = group_id;
+ shmusr_ptr->instance_polltime = instance_polltime;
+
+ num_nodes = CheckNumaNodes();
+ if (numa_node > num_nodes)
+ numa_node = NUMA_0;
+
+ shmusr_ptr->numa_node = numa_node;
+ strncpy(shmusr_ptr->path,path,sizeof(shmusr_ptr->path));
+ shmusr_ptr->path[sizeof(shmusr_ptr->path)-1] = '\0';
+ ConstructSegmentNames(dataset,group_id,numa_node);
+
+ return SF_SUCCESS;
+
+exit:
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Error in setting config"););
+ return rval;
+}
+
+int InitShmemDataMgmtFunctions (
+ CreateMallocZero create_malloc_zero,
+ GetDataSize get_data_size,
+ LoadData load_data)
+{
+ if ((dmfunc_ptr = (ShmemDataMgmtFunctions*)
+ malloc(sizeof(ShmemDataMgmtFunctions))) == NULL)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Could not allocate memory for Shmem Datamanagement function list"););
+ return SF_EINVAL;
+ }
+ dmfunc_ptr->CreatePerProcessZeroSegment = create_malloc_zero;
+ dmfunc_ptr->GetSegmentSize = get_data_size;
+ dmfunc_ptr->LoadShmemData = load_data;
+
+ return SF_SUCCESS;
+}
+
+void FreeShmemUser()
+{
+ if (shmusr_ptr)
+ free(shmusr_ptr);
+}
+
+void FreeShmemDataMgmtFunctions()
+{
+ if (dmfunc_ptr)
+ free(dmfunc_ptr);
+}
+
+void PrintConfig()
+{
+ int i;
+
+ _dpd.logMsg("Instance number %u:",shmusr_ptr->instance_num);
+ _dpd.logMsg("Instance type %d:",shmusr_ptr->instance_type);
+ _dpd.logMsg("Instance datatype %d:",shmusr_ptr->dataset);
+ _dpd.logMsg("Instance Group ID %d:",shmusr_ptr->group_id);
+ _dpd.logMsg("Instance Numa node %d:",shmusr_ptr->numa_node);
+ _dpd.logMsg("Instance Poll time %d:",shmusr_ptr->instance_polltime);
+ _dpd.logMsg("Data Path is %s:",shmusr_ptr->path);
+
+ for (i=0; idataSeg[i]);
+}
+
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/reputation/shmem/shmem_config.h snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_config.h
--- snort-2.8.5.2/src/dynamic-preprocessors/reputation/shmem/shmem_config.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_config.h 2011-10-26 14:49:57.000000000 +0000
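Review bot: The NUMA clamp in `InitShmemUser`, `if (numa_node > num_nodes)`, still accepts `numa_node == num_nodes` even though `CheckNumaNodes` counts the `node*` entries and valid ids are therefore 0..num_nodes-1, and a negative `numa_node` is not rejected at all; `if (numa_node < 0 || numa_node >= num_nodes) numa_node = NUMA_0;` matches what the helper actually counts. `FreeShmemUser` and `FreeShmemDataMgmtFunctions` free the globals but leave `shmusr_ptr`/`dmfunc_ptr` dangling, so a later `PrintConfig` (which dereferences `shmusr_ptr` without a NULL check) would read freed memory, and a second `InitShmemUser` overwrites a still-allocated `shmusr_ptr` with a fresh `calloc`, leaking the old block; write `free(shmusr_ptr); shmusr_ptr = NULL;` (the `if (ptr)` guard around `free` is redundant) and free any previous allocation at the top of `InitShmemUser`. `MODULE_NAME` is defined but never used in this file, which most compilers will warn about.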
@@ -0,0 +1,113 @@ +/* $Id$ */ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +// @file shmem_config.h +// @author Pramod Chandrashekar + +#ifndef _SHMEMCFG_H_ +#define _SHMEMCFG_H_ + +#include + +#include "shmem_datamgmt.h" //defines shmemdata filelist +#include "shmem_common.h" + +#define SHMEM_MGMT "SFShmemMgmt" + +#define MAX_SEGMENTS 2 +#define MAX_INSTANCES 50 + +#define WRITE 0 +#define READ 1 + +#define SERVER 0 +#define CLIENT1 1 +#define CLIENT2 2 + +#define STARTUP 1 +#define RELOAD 0 + +#define ACTIVE 1 +#define INACTIVE 0 + +#define NO_DATASEG -1 +#define NO_ZEROSEG -2 +#define UNMAP_OLDSEG -3 +#define NO_FILE -4 +#define ZEROSEG 100 + +#define NUMA_0 0 +#define NUMA_1 1 + +#define GROUP_0 0 + +#define SLEEP_TIME 2 // in micro seconds + +#define TBMAP 99 +#define UNUSED_TIMEOUT 5 //this number is multiplied with outofband check time to determine timeout. 
+#define OUT_OF_BAND_CHEK_TIME 10 + +typedef struct shmemUserInfo { + uint32_t instance_num; //unique ID for each snort instance + int instance_type; // READ or WRITE + int dataset; // IPRep + int group_id; // 0,1... + int numa_node; + char mgmtSeg[MAX_NAME]; + char dataSeg[MAX_SEGMENTS][MAX_NAME]; + char path[MAX_NAME]; + uint16_t instance_polltime; +}ShmemUserInfo; + +typedef struct +{ + const char *const name; + const uint32_t type; +} DatasetInfo; + +typedef struct shmemDataManagmentFunctions { + int (*CreatePerProcessZeroSegment)(void*** data_ptr); + uint32_t (*GetSegmentSize)(ShmemDataFileList** file_list, int file_count); + int (*LoadShmemData)(void* data_ptr, ShmemDataFileList** file_list, int file_count); +} ShmemDataMgmtFunctions; + +typedef int (*CreateMallocZero)(void***); +typedef uint32_t (*GetDataSize)(ShmemDataFileList**, int); +typedef int (*LoadData)(void*,ShmemDataFileList**,int); + +extern ShmemDataMgmtFunctions *dmfunc_ptr; +extern ShmemUserInfo *shmusr_ptr; + +void PrintConfig(void); + +int InitShmemUser( + uint32_t instance_num, int instance_type, int dataset, int group_id, + int numa_node, const char* path, uint16_t instance_polltime); + +int InitShmemDataMgmtFunctions( + CreateMallocZero create_malloc_zero, GetDataSize get_data_size, + LoadData load_data); + +void FreeShmemUser(void); +void FreeShmemDataMgmtFunctions(void); +#endif + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c --- snort-2.8.5.2/src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c 2011-10-26 18:28:52.000000000 +0000 
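Review bot: The comment on `UNUSED_TIMEOUT` says the value is multiplied by the out-of-band check time, but the only use of it in this patch (`ExpireTimedoutInstances` in shmem_mgmt.c) multiplies it by `shmusr_ptr->instance_polltime`, so the comment misdescribes how the expiry is computed. Suggest `#define UNUSED_TIMEOUT 5 // multiplied by instance_polltime to get an instance's expiry time (see ExpireTimedoutInstances)`. As a point of style, the unprefixed macro names `WRITE`, `READ`, `SERVER`, `CLIENT1`, `ACTIVE` and `INACTIVE` are exported to every file that includes this header and are likely to collide with other definitions; a `SHMEM_` prefix would avoid that. `OUT_OF_BAND_CHEK_TIME` is also misspelled.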
@@ -0,0 +1,226 @@ +/* $Id$ */ +/**************************************************************************** + * + * Copyright (C) 2005-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +// @file shmem_datamgmt.c +// @author Pramod Chandrashekar + +#include +#include +#include +#include + +#include "shmem_config.h" +#include "shmem_common.h" + +static const char* const MODULE_NAME = "ShmemFileMgmt"; + +// FIXTHIS eliminate these globals +ShmemDataFileList **filelist_ptr = NULL; +int file_count = 0; + +static int StringCompare(const void *elem1, const void *elem2) +{ + ShmemDataFileList * const *a = elem1; + ShmemDataFileList * const *b = elem2; + + return strcmp((*a)->filename,(*b)->filename); +} + +static int AllocShmemDataFileList() +{ + if ((filelist_ptr = (ShmemDataFileList**) + realloc(filelist_ptr,(file_count + FILE_LIST_BUCKET_SIZE)* + sizeof(ShmemDataFileList*))) == NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Cannot allocate memory to store shmem data files\n");); + return SF_ENOMEM; + } + return SF_SUCCESS; +} + +static void FreeShmemDataFileListFiles() +{ + int i; + + if (!filelist_ptr) + return; + + for(i = 0; i < 
file_count; i++) + { + free(filelist_ptr[i]->filename); + free(filelist_ptr[i]); + } + file_count = 0; +} + +static int ReadShmemDataFiles() +{ + char filename[PATH_MAX]; + struct dirent *de; + DIR *dd; + int max_files = MAX_FILES; + char *ext_end = NULL; + int type = 0; + int counter = 0; + int startup = 1; + + FreeShmemDataFileListFiles(); + + if ((dd = opendir(shmusr_ptr->path)) == NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Could not open %s to read IPRep data files\n",shmusr_ptr->path);); + return SF_EINVAL; + } + while ((de = readdir(dd)) != NULL && max_files) + { + //DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Files are %s\n",de->d_name);); + if (strstr(de->d_name, ".blf") || strstr(de->d_name, ".wlf")) + { + //no need to check for NULL, established there is a period in strstr + ext_end = (char*)strrchr(de->d_name,'.'); + + if (strncmp(ext_end,".blf",4) == 0) + type = BLACK_LIST; + else if (strncmp(ext_end,".wlf",4) == 0) + type = WHITE_LIST; + + if (type == 0) continue; + + counter++; + + if (startup || counter == FILE_LIST_BUCKET_SIZE) + { + startup=0; + counter=0; + if (AllocShmemDataFileList()) + return SF_ENOMEM; + } + + if ((filelist_ptr[file_count] = (ShmemDataFileList*) + malloc(sizeof(ShmemDataFileList))) == NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Cannot allocate memory to store file information\n");); + return SF_ENOMEM; + } + snprintf(filename, sizeof(filename), "%s/%s", shmusr_ptr->path,de->d_name); + filelist_ptr[file_count]->filename = strdup(filename); + filelist_ptr[file_count]->filetype = type; + max_files--; + file_count++; + type = 0; + } + } + closedir(dd); + return SF_SUCCESS; +} + +int GetSortedListOfShmemDataFiles() +{ + int rval; + + if ((rval = ReadShmemDataFiles()) != SF_SUCCESS) + return rval; + + qsort(filelist_ptr,file_count,sizeof(*filelist_ptr),StringCompare); + return rval; +} + +//valid version values are 1 through UINT_MAX +int GetLatestShmemDataSetVersionOnDisk(uint32_t* shmemVersion) +{ + 
unsigned long tmpVersion; + FILE *fp; + char line[PATH_MAX]; + char version_file[PATH_MAX]; + const char *const key = "VERSION"; + char* keyend_ptr = NULL; + + snprintf(version_file, sizeof(version_file), + "%s/%s",shmusr_ptr->path,VERSION_FILENAME); + + if ((fp = fopen(version_file, "r")) == NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Error opening file at: %s\n", version_file);); + return NO_FILE; + } + + while (fgets(line,sizeof(line),fp)) + { + char *strptr; + if ( !strncmp(line,"#",1) ) + continue; + if ( (strptr = strstr(line, key )) && (strptr == line) ) + { + keyend_ptr = line; + keyend_ptr += strlen(key) + 1; + tmpVersion = strtoul(keyend_ptr,NULL,0); + break; + } + } + + if (!keyend_ptr) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Invalid file format %s\n", version_file);); + return NO_FILE; + } + + if (tmpVersion > UINT_MAX) //someone tampers with the file + *shmemVersion = 1; + else + *shmemVersion = (uint32_t)tmpVersion; + + fclose(fp); + + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "version information being returned is %u\n", *shmemVersion);); + + return SF_SUCCESS; +} + +void PrintDataFiles() +{ + int i; + + if (file_count) + { + for (i=0;ifilename, filelist_ptr[i]->filetype);); + } + } + return; +} + +void FreeShmemDataFileList() +{ + FreeShmemDataFileListFiles(); + free(filelist_ptr); + return; +} + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h --- snort-2.8.5.2/src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h 2011-10-26 18:28:52.000000000 +0000 
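Review bot: `GetLatestShmemDataSetVersionOnDisk` returns `NO_FILE` on the "Invalid file format" path without closing `fp`, leaking a FILE handle on every poll of a malformed version file; add `fclose(fp);` before that `return NO_FILE;`. In the same function `keyend_ptr += strlen(key) + 1` steps past the terminator when the line is exactly `VERSION` with no separator, so `strtoul` then parses whatever bytes follow in `line`; `keyend_ptr = line + strlen(key); if (*keyend_ptr) keyend_ptr++;` keeps the pointer inside the string. `ReadShmemDataFiles` has the same kind of leak: both `SF_ENOMEM` returns inside the `readdir` loop skip `closedir(dd)`, and the `strdup(filename)` result is stored without a NULL check. `AllocShmemDataFileList` also assigns the `realloc` result straight back to `filelist_ptr`, so on failure the previously allocated list is lost while `file_count` still counts its entries.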
@@ -0,0 +1,55 @@ +/* $Id$ */ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +// @file shmem_datamgmt.h +// @author Pramod Chandrashekar + +#ifndef _SHMEM_DMGMT_H_ +#define _SHMEM_DMGMT_H_ + +#include + +#define SF_EINVAL 1 +#define SF_SUCCESS 0 +#define SF_ENOMEM 2 +#define SF_EEXIST 3 + +#define MAX_NAME 1024 +#define MAX_FILES 1024 + +#define FILE_LIST_BUCKET_SIZE 100 + +typedef struct _FileList +{ + char* filename; + int filetype; +} ShmemDataFileList; + +extern ShmemDataFileList** filelist_ptr; +extern int file_count; + +int GetSortedListOfShmemDataFiles(void); +int GetLatestShmemDataSetVersionOnDisk(uint32_t* shmemVersion); +void FreeShmemDataFileList(void); +void PrintDataFiles(void); +#endif + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/reputation/shmem/shmem_lib.c snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_lib.c --- snort-2.8.5.2/src/dynamic-preprocessors/reputation/shmem/shmem_lib.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_lib.c 2011-10-26 
14:49:57.000000000 +0000 
@@ -0,0 +1,142 @@ +/* $Id$ */ +/**************************************************************************** + * + * Copyright (C) 2005-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +// @file shmem_lib.c +// @author Pramod Chandrashekar + +#include +#include + +#include +#include +#include + +#include "shmem_mgmt.h" +#include "shmem_lib.h" + +static const char* const MODULE_NAME = "ShmemLib"; + +static int ShmemOpen(const char *shmemName, uint32_t size, int mode) +{ + int fd, flags; + mode_t prev_mask; + + if (mode == WRITE) + flags = (O_CREAT | O_RDWR); + else if (mode == READ) + flags = O_RDWR; + else + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Invalid mode specified\n");); + return -1; + } + + prev_mask = umask(0); + + if ( (fd = shm_open(shmemName, flags, + (S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH) )) == -1 ) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Unable to open shared memory\n");); + umask(prev_mask); + return -1; + } + + umask(prev_mask); + + if (ftruncate(fd, size) == -1) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Unable to open shared memory\n");); + return -1; + } + _dpd.logMsg(" 
Reputation Preprocessor: Size of shared memory segment %s is %u\n", shmemName, size); + + return fd; +} + +static void *ShmemMMap (int fd, uint32_t size) +{ + void *shmem_ptr; + + if ((shmem_ptr = mmap(0, size,(PROT_READ | PROT_WRITE),MAP_SHARED,fd,0)) + == MAP_FAILED ) + return NULL; + + return shmem_ptr; +} + +int ShmemExists(const char *shmemName) +{ + int fd; + + if ((fd = shm_open(shmemName,(O_RDWR),(S_IRUSR))) < 0 ) + return 0; + + close(fd); + return SF_EEXIST; +} + +void ShmemUnlink(const char *shmemName) +{ + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Unlinking segment %\n",shmemName);); + shm_unlink(shmemName); +} + +void ShmemDestroy(const char *shmemName) +{ + ShmemUnlink(shmemName); + unlink(shmemName); + _dpd.logMsg(" Reputation Preprocessor: %s is freed\n", shmemName); +} + +void* ShmemMap(const char* segment_name, uint32_t size, int mode) +{ + int fd = 0; + void *shmem_ptr = NULL; + + if ((mode == WRITE) && ShmemExists(segment_name)) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Cannot create shared memory segment %s, already exists\n", + segment_name);); + mode = READ; + } + if ((fd = ShmemOpen(segment_name,size,mode)) == -1) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Failed to open shm %s\n",segment_name);); + return NULL; + } + + if ((shmem_ptr = ShmemMMap(fd,size)) == NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Failed to mmmap %s\n",segment_name);); + } + close(fd); + + return shmem_ptr; +} + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/reputation/shmem/shmem_lib.h snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_lib.h --- snort-2.8.5.2/src/dynamic-preprocessors/reputation/shmem/shmem_lib.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_lib.h 2011-10-26 14:49:57.000000000 +0000 
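Review bot: `ShmemOpen` clears the umask and creates the segment with `S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH`, i.e. mode 0666, so every local user can open the management and data segments read-write and change the reputation data and the management fields the readers index with; unless sharing across users is a requirement, drop the `umask(0)` call and restrict the mode to `S_IRUSR | S_IWUSR` (plus group bits if readers run under a different group). The `ftruncate` failure branch returns -1 without `close(fd)`, leaking the descriptor; `ftruncate` also runs in `READ` mode, so a reader opened with a different `size` resizes a segment the writer is still using. The format string in `ShmemUnlink`, `"Unlinking segment %\n"`, has a bare `%` and is missing the `s` conversion for `shmemName`.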
@@ -0,0 +1,36 @@ +/* $Id$ */ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +// @file shmem_lib.h +// @author Pramod Chandrashekar + +#ifndef _SHMEMLIB_H_ +#define _SHMEMLIB_H_ + +#include + +int ShmemExists(const char *shmemName); +void* ShmemMap(const char* segment_name, uint32_t size, int mode); +void ShmemUnlink(const char *shmemName); +void ShmemDestroy(const char *shmemName); + +#endif diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c --- snort-2.8.5.2/src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c 2011-10-26 14:49:57.000000000 +0000 
@@ -0,0 +1,601 @@ +/* $Id$ */ +/**************************************************************************** + * + * Copyright (C) 2005-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +// @file shmem_mgmt.c +// @author Pramod Chandrashekar + +#include "shmem_lib.h" +#include "shmem_mgmt.h" + +#include + +ShmemMgmtData* mgmt_ptr = NULL; +void* zeroseg_ptr = NULL; +unsigned int usec = SLEEP_TIME; + +static const char* const MODULE_NAME = "SharedMemMgmt"; + +static void SetShmemMgmtVariables(int value, uint32_t instance_num) +{ + int i; + + mgmt_ptr->instance[instance_num].active = value; + mgmt_ptr->instance[instance_num].version = 0; + mgmt_ptr->instance[instance_num].activeSegment = NO_DATASEG; + mgmt_ptr->instance[instance_num].prevSegment = NO_DATASEG; + mgmt_ptr->instance[instance_num].updateTime = time(NULL); + mgmt_ptr->instance[instance_num].shmemCurrPtr = zeroseg_ptr; + mgmt_ptr->instance[instance_num].shmemZeroPtr = zeroseg_ptr; + + for (i=0; iinstance[instance_num].shmemSegActiveFlag[i] = 0; + + for (i=0; iinstance[instance_num].shmemSegmentPtr[i] = zeroseg_ptr; +} + +static void InitShmemDataSegmentMgmtVariables() +{ + int i; + 
mgmt_ptr->activeSegment = NO_DATASEG; + + for (i=0; isegment[i].version = 0; + mgmt_ptr->segment[i].active = 0; + mgmt_ptr->segment[i].size = 0; + } +} + +int MapShmemMgmt() +{ + uint32_t nBytes = sizeof(ShmemMgmtData); + int mgmtExists; + + if (!(mgmtExists = ShmemExists(shmusr_ptr->mgmtSeg))) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "No Shmem mgmt segment present\n");); + if (shmusr_ptr->instance_type == READ) + return SF_EINVAL; + } + + if ((mgmt_ptr = (ShmemMgmtData *) + ShmemMap(shmusr_ptr->mgmtSeg,nBytes,shmusr_ptr->instance_type)) == NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Failed to create shmem mgmt segment\n");); + return SF_EINVAL; + } + + if (shmusr_ptr->instance_type == WRITE && !mgmtExists) + InitShmemDataSegmentMgmtVariables(); + + return SF_SUCCESS; +} + +static void DoHeartbeat() +{ + uint32_t instance_num = shmusr_ptr->instance_num; + if (mgmt_ptr) + { + mgmt_ptr->instance[instance_num].updateTime = time(NULL); + } + return; +} + +void ForceShutdown() +{ + int currActiveSegment; + _dpd.logMsg(" Repuation Preprocessor: Shared memory is disabled. 
\n"); + mgmt_ptr->instance[shmusr_ptr->instance_num].shmemCurrPtr = + mgmt_ptr->instance[shmusr_ptr->instance_num].shmemZeroPtr; + + if ((currActiveSegment = + mgmt_ptr->instance[shmusr_ptr->instance_num].activeSegment) >= 0) + { + mgmt_ptr->instance[shmusr_ptr->instance_num].activeSegment = NO_DATASEG; + mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegActiveFlag[currActiveSegment] = 0; + } + return; +} + +//client side calls for shared memory +int CheckForSharedMemSegment() +{ + void *shmem_ptr = NULL; + int currActive = NO_DATASEG, newSegment = NO_DATASEG; + uint32_t size = 0; + + if (!mgmt_ptr) + { + if (MapShmemMgmt()) + return newSegment; + + SetShmemMgmtVariables(ACTIVE,shmusr_ptr->instance_num); + } + + if (!mgmt_ptr->instance[shmusr_ptr->instance_num].active) + goto exit; + + if ((currActive = mgmt_ptr->activeSegment) >= 0) + { + if ( mgmt_ptr->instance[shmusr_ptr->instance_num].activeSegment != currActive && + mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegActiveFlag[currActive] != TBMAP ) + { + //new segment available and not mapped already + mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegActiveFlag[currActive] = TBMAP; + + if ((size = mgmt_ptr->segment[currActive].size) != 0) + { + if ((shmem_ptr = ShmemMap(shmusr_ptr->dataSeg[currActive],size,READ)) != NULL) + { + //Store Data segment pointer for instance + mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegmentPtr[currActive] = shmem_ptr; + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Shmem ptr for segment %d is %p\n",currActive,shmem_ptr);); + newSegment = currActive; + } + else + { + currActive = NO_DATASEG; + } + } + else + { + mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegActiveFlag[currActive] = 0; + } + } + } + else if (mgmt_ptr->instance[shmusr_ptr->instance_num].activeSegment >= 0) + { + ForceShutdown(); + goto exit; + } + + DoHeartbeat(); + +exit: + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "new segment being returned is %d\n", newSegment);); + return newSegment; +} 
+ +int InitShmemReader ( + uint32_t instance_num, int dataset, int group_id, + int numa_node, const char* path, void*** data_ptr, + uint16_t instance_polltime) +{ + int segment_number = NO_ZEROSEG; + if (InitShmemUser(instance_num,READ,dataset,group_id,numa_node,path,instance_polltime)) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Could not initialize config data \n");); + return segment_number; + } + if (dmfunc_ptr->CreatePerProcessZeroSegment(data_ptr)) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Could not initialize zero segment\n");); + return segment_number; + } + + zeroseg_ptr = *data_ptr; + + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Address of zero segment is %p\n",zeroseg_ptr);); + + if ((segment_number = CheckForSharedMemSegment() ) >=0) + { + SwitchToActiveSegment(segment_number,data_ptr); + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Switched to segment %d\n",segment_number);); + } + return segment_number; +} + +static int FindFirstUnusedShmemSegment() +{ + int i; + for (i=0; isegment[i].active != 1) + return i; + } + return NO_DATASEG; +} + +static int FindActiveSharedMemDataSegmentVersion() +{ + if (mgmt_ptr->activeSegment < 0) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Active segment does not exist\n");); + return 0; + } + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Active segment is %d and current version is %u\n", + mgmt_ptr->activeSegment,mgmt_ptr->segment[mgmt_ptr->activeSegment].version);); + + return mgmt_ptr->segment[mgmt_ptr->activeSegment].version; +} + +static int MapShmemDataSegmentForWriter(uint32_t size, uint32_t disk_version, int *mode) +{ + int available_segment = NO_DATASEG; + uint32_t active_version = 0; + void* shmem_ptr = NULL; + *mode = WRITE; + + if ((active_version = FindActiveSharedMemDataSegmentVersion()) == disk_version ) + { + if ((available_segment = mgmt_ptr->activeSegment) >= 0) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Attaching to segment %d\n", available_segment);); + *mode = READ; + 
} + else + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "No active segment to attach to\n");); + goto exit; + } + } + + if (*mode == WRITE) + { + if ((available_segment = FindFirstUnusedShmemSegment()) < 0) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "No more segments available, all are in use\n");); + goto exit; + } + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Shared memory segment %d will be initialized\n",available_segment);); + } + + mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegActiveFlag[available_segment] = TBMAP; + + if ((shmem_ptr = ShmemMap(shmusr_ptr->dataSeg[available_segment],size,*mode)) != NULL) + { + //store data segment pointer for instance + mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegmentPtr[available_segment] = shmem_ptr; + } + else + { + mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegActiveFlag[available_segment] = 0; + available_segment = NO_DATASEG; + } + +exit: + return available_segment; +} + +static void ShutdownSegment(int32_t segment_num) +{ + mgmt_ptr->segment[segment_num].active = 0; + mgmt_ptr->segment[segment_num].version = 0; + + munmap(mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegmentPtr[segment_num], + mgmt_ptr->segment[segment_num].size); + ShmemDestroy(shmusr_ptr->dataSeg[segment_num]); + + mgmt_ptr->segment[segment_num].size = 0; + mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegmentPtr[segment_num] = + mgmt_ptr->instance[shmusr_ptr->instance_num].shmemZeroPtr; +} + +// writer side +static int InitSharedMemDataSegmentForWriter(uint32_t size, uint32_t disk_version) +{ + int segment_num = NO_DATASEG, mode = -1; + int rval; + + if ((segment_num = MapShmemDataSegmentForWriter(size,disk_version,&mode)) < 0) + goto exit; + + if (mode == WRITE) + { + if ((rval = dmfunc_ptr->LoadShmemData((void *)( + mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegmentPtr[segment_num]), + filelist_ptr,file_count)) != SF_SUCCESS) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Loading file into 
shared memory failed\n");); + ShutdownSegment(segment_num); + segment_num = NO_DATASEG; + goto exit; + } + mgmt_ptr->segment[segment_num].size = size; + + if (mgmt_ptr->activeSegment != segment_num) + mgmt_ptr->activeSegment = segment_num; + + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Active segment is %d\n",mgmt_ptr->activeSegment);); + + mgmt_ptr->segment[segment_num].active = 1; + mgmt_ptr->segment[segment_num].version = disk_version; + ManageUnusedSegments(); + } +exit: + return segment_num; +} + + +int LoadSharedMemDataSegmentForWriter(int startup) +{ + int segment_num = NO_DATASEG, retval = -1; + uint32_t size = 0; + uint32_t disk_version = 0, shmem_version = 0; + + shmem_version = FindActiveSharedMemDataSegmentVersion(); + + //if version file is not present(open source user), increment version and reload. + if ((retval = GetLatestShmemDataSetVersionOnDisk(&disk_version)) == SF_SUCCESS) + { + if (disk_version > 0) + { + if ((shmem_version == disk_version) && !startup) + goto exit; + } + else + { + goto force_shutdown; + } + } + else + { + disk_version = shmem_version + 1; + if (disk_version == 0) disk_version++; + } + + if (GetSortedListOfShmemDataFiles()) + goto exit; + +#ifdef DEBUG_MSGS + PrintDataFiles(); +#endif + if ((size = dmfunc_ptr->GetSegmentSize(filelist_ptr, file_count)) != ZEROSEG) + { + segment_num = InitSharedMemDataSegmentForWriter(size,disk_version); + goto exit; + } + +force_shutdown: + //got back zero which means its time to shutdown shared memory + mgmt_ptr->activeSegment = NO_DATASEG; + ForceShutdown(); + +exit: + return segment_num; +} + +int InitShmemWriter( + uint32_t instance_num, int dataset, int group_id, + int numa_node, const char* path, void*** data_ptr, + uint16_t instance_polltime) +{ + int segment_number = NO_ZEROSEG; + + if (InitShmemUser(instance_num,WRITE,dataset,group_id,numa_node,path,instance_polltime)) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Could not initialize shmem writer config\n");); + goto exit; + } 
+ + if (dmfunc_ptr->CreatePerProcessZeroSegment(data_ptr)) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Could not initialize zero segment\n");); + goto cleanup_exit; + } + + zeroseg_ptr = *data_ptr; + + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Address of zero segment is %p\n",zeroseg_ptr);); + + if (MapShmemMgmt()) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Could not initialize shared memory management segment\n");); + FreeShmemDataFileList(); + goto cleanup_exit; + } + + ManageUnusedSegments(); + SetShmemMgmtVariables(ACTIVE,shmusr_ptr->instance_num); + + //valid segments are 0 through N + if ((segment_number = LoadSharedMemDataSegmentForWriter(STARTUP)) >= 0) + SwitchToActiveSegment(segment_number,data_ptr); //pointer switch + + goto exit; + +cleanup_exit: + FreeShmemUser(); + +exit: + return segment_number; +} + +//switch to active DB +void SwitchToActiveSegment(int segment_num, void*** data_ptr) +{ + if (segment_num < 0) + return; + + mgmt_ptr->instance[shmusr_ptr->instance_num].shmemCurrPtr = + mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegmentPtr[segment_num]; + + *data_ptr = (void *)(&mgmt_ptr->instance[shmusr_ptr->instance_num].shmemCurrPtr); + + mgmt_ptr->instance[shmusr_ptr->instance_num].prevSegment = + mgmt_ptr->instance[shmusr_ptr->instance_num].activeSegment; + + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Prev segment has been set to %d\n", + mgmt_ptr->instance[shmusr_ptr->instance_num].prevSegment);); + + mgmt_ptr->instance[shmusr_ptr->instance_num].activeSegment = segment_num; + mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegActiveFlag[segment_num] = 1; +} + +void UnmapInactiveSegments() +{ + int i, segment_num; + for (i=0; iinstance[shmusr_ptr->instance_num].activeSegment) + { + if (shmusr_ptr->instance_type != WRITE) + { + if ((segment_num = mgmt_ptr->instance[shmusr_ptr->instance_num].prevSegment) != NO_DATASEG) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Unmapping segment %d which has address %p and size 
%u\n", + segment_num,mgmt_ptr->instance[shmusr_ptr->instance_num]. + shmemSegmentPtr[segment_num],mgmt_ptr->segment[segment_num].size);); + + munmap(mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegmentPtr[segment_num], + mgmt_ptr->segment[segment_num].size); + ShmemUnlink(shmusr_ptr->dataSeg[segment_num]); + mgmt_ptr->instance[shmusr_ptr->instance_num].prevSegment = NO_DATASEG; + mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegmentPtr[i] = + mgmt_ptr->instance[shmusr_ptr->instance_num].shmemZeroPtr; + } + } + mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegActiveFlag[i] = 0; + } + } + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Active segment for instance %u is %d\n", + shmusr_ptr->instance_num,mgmt_ptr->instance[shmusr_ptr->instance_num].activeSegment);); + return; +} + +static void ExpireTimedoutInstances() +{ + int i; + time_t current_time = time(NULL); + + for(i=0; iinstance[i].active) + { + if ((current_time - mgmt_ptr->instance[i].updateTime) > + (UNUSED_TIMEOUT * shmusr_ptr->instance_polltime)) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Instance %d has expired, last update %jd and current time is %jd\n", + i,(intmax_t)mgmt_ptr->instance[i].updateTime,(intmax_t)current_time);); + SetShmemMgmtVariables(INACTIVE,i); + } + } + } + return; +} + +//WRITER only +int ManageUnusedSegments() +{ + uint32_t j,in_use = 0; + int i; + DoHeartbeat(); //writer heartbeat + ExpireTimedoutInstances(); + for (i=0; iinstance[j].active) + { + if (mgmt_ptr->instance[j].shmemSegActiveFlag[i]) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Instance %u is still using segment %d\n",j,i);); + in_use++; + } + } + } + if (!in_use) + { + if (mgmt_ptr && mgmt_ptr->segment[i].active && (mgmt_ptr->activeSegment != i)) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Shutting down segment %d\n",i);); + ShutdownSegment(i); + } + } + in_use = 0; + } + return SF_SUCCESS; +} + +int ShutdownSharedMemory() +{ + if (mgmt_ptr) + 
SetShmemMgmtVariables(INACTIVE,shmusr_ptr->instance_num); + + FreeShmemUser(); + FreeShmemDataMgmtFunctions(); + FreeShmemDataFileList(); + + return SF_SUCCESS; +} + +void PrintShmemMgmtInfo() +{ + uint32_t i = 0; + + if ( !mgmt_ptr ) + return; + + for (i=0; iinstance[i].active) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "instance:%u address:%p updateTime:%jd\n", + i, (void *)mgmt_ptr->instance[i].shmemCurrPtr, + (intmax_t)mgmt_ptr->instance[i].updateTime);); + } + } + for (i=0; isegment[i].active) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "segment:%u active:%d version:%u\n", + i,mgmt_ptr->segment[i].active,mgmt_ptr->segment[i].version);); + } + } + + if (mgmt_ptr->activeSegment != NO_DATASEG) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "active segment:%d\n",mgmt_ptr->activeSegment);); + } +} + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.h snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.h --- snort-2.8.5.2/src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.h 2011-10-26 14:49:57.000000000 +0000 
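Review bot: Indices read back from the shared management segment are only checked for `>= 0`, never against `MAX_SEGMENTS`: `mgmt_ptr->activeSegment` in `CheckForSharedMemSegment` (`currActive`), `FindActiveSharedMemDataSegmentVersion` and `ForceShutdown`, and `prevSegment` in `UnmapInactiveSegments`, are then used to index `segment[]`, `shmemSegActiveFlag[]` and `shmusr_ptr->dataSeg[]`. The segment is a mapping shared with other processes (and created world-writable by `ShmemOpen` in this patch), so a corrupted or stale value reads and writes outside those arrays in every attached reader; a helper `static int ValidSegment(int s) { return s >= 0 && s < MAX_SEGMENTS; }` used in place of each `>= 0` test would bound them, and `mgmt_ptr->segment[currActive].size` deserves a sanity check before it is passed to `ShmemMap`. Separately, `InitShmemReader` returns `NO_ZEROSEG` when `CreatePerProcessZeroSegment` fails without releasing the `ShmemUserInfo` that `InitShmemUser` just allocated, whereas `InitShmemWriter` has a `cleanup_exit` label calling `FreeShmemUser()` for the same case.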
@@ -0,0 +1,74 @@ +/* $Id$ */ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +// @file shmem_mgmt.h +// @author Pramod Chandrashekar + +#ifndef _SHMEMMGMT_H_ +#define _SHMEMMGMT_H_ + +#include +#include +#include "shmem_config.h" + +typedef struct _shmemInstance { + int active; + uint32_t version; + time_t updateTime; + int activeSegment; + int prevSegment; + int shmemSegActiveFlag[MAX_SEGMENTS]; + void* shmemSegmentPtr[MAX_SEGMENTS]; + void* shmemCurrPtr; + void* shmemZeroPtr; +} shmemInstance; + +typedef struct _shmemSegment { + int active; + uint32_t version; + uint32_t size; +} shmemSegment; + +typedef struct _shmemMgmtData { + shmemInstance instance[MAX_INSTANCES]; + shmemSegment segment[MAX_SEGMENTS]; + int activeSegment; +} ShmemMgmtData; + +extern void *zeroseg_ptr; + +//reader +int InitShmemReader(uint32_t instance_num, int dataset, int group_id, int numa_node, + const char* path, void*** data_ptr, uint16_t instance_polltime); +int CheckForSharedMemSegment(void); +//writer +int InitShmemWriter(uint32_t instance_num, int 
dataset, int group_id, int numa_node, + const char* path, void*** data_ptr, uint16_t instance_polltime); +int LoadSharedMemDataSegmentForWriter(int startup); +void SwitchToActiveSegment(int segment_num,void*** data_ptr); +void UnmapInactiveSegments(void); +int ManageUnusedSegments(void); +int ShutdownSharedMemory(void); +void PrintShmemMgmtInfo(void); + +#endif + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/reputation/spp_reputation.c snort-2.9.2/src/dynamic-preprocessors/reputation/spp_reputation.c --- snort-2.8.5.2/src/dynamic-preprocessors/reputation/spp_reputation.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/reputation/spp_reputation.c 2011-10-26 14:49:57.000000000 +0000 
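Review bot: The three structs in this header carry no comment on which process owns which field, yet the writer-side ManageUnusedSegments in shmem_mgmt.c reads every instance's `shmemSegActiveFlag` and ExpireTimedoutInstances reads each `updateTime`, so those fields are cross-process state rather than private bookkeeping. A short block comment above `shmemInstance` stating that `active`, `updateTime`, `activeSegment`, `prevSegment` and `shmemSegActiveFlag` are written by the owning instance and polled by the writer, and that `shmemSegmentPtr`/`shmemCurrPtr`/`shmemZeroPtr` are mapped addresses meaningful only inside the owning process (they are what gets handed to munmap), would make that contract explicit. If `ShmemMgmtData` is itself placed in the shared mapping, as the name and the `mgmt_ptr` usage suggest but the mapping code outside this hunk would have to confirm, the comment should also say whether any lock protects these fields or whether readers are expected to tolerate a concurrently updating writer.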
@@ -0,0 +1,789 @@ +/* $Id */ + +/* + ** Copyright (C) 2011-2011 Sourcefire, Inc. + ** + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + + +/* + * Reputation preprocessor + * + * This is the main entry point for this preprocessor + * + * Author: Hui Cao + * Date: 06-01-2011 + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ +#include "sf_types.h" +#include "sf_snort_packet.h" +#include "sf_dynamic_preprocessor.h" +#include "sf_snort_plugin_api.h" +#include "snort_debug.h" + +#include "preprocids.h" +#include "spp_reputation.h" +#include "reputation_config.h" +#include "reputation_utils.h" + +#include +#include +#include +#include +#ifndef WIN32 +#include +#include +#endif +#include +#include +#ifdef SHARED_REP +#include "./shmem/shmem_mgmt.h" +#endif +#include "profiler.h" +#ifdef PERF_PROFILING +PreprocStats reputationPerfStats; +#endif + + +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 1; +const int BUILD_VERSION = 1; + +#ifdef SUP_IP6 +const char *PREPROC_NAME = "SF_REPUTATION (IPV6)"; +#else +const char *PREPROC_NAME = "SF_REPUTATION"; +#endif + +#define SetupReputation DYNAMIC_PREPROC_SETUP + + +/* + * Function prototype(s) + */ +static void ReputationInit( char* ); +static void 
ReputationCheckConfig(void); +static inline void ReputationProcess(SFSnortPacket *); +static void ReputationMain( void*, void* ); +static void ReputationFreeConfig(tSfPolicyUserContextId); +static void ReputationPrintStats(int); +static void ReputationCleanExit(int, void *); + +#ifdef SHARED_REP +typedef enum +{ + NO_SWITCH, + SWITCHING, + SWITCHED +}Swith_State; +static int switch_state = NO_SWITCH; +int available_segment = NO_DATASEG; +static void ReputationMaintenanceCheck(int, void *); +#endif +/******************************************************************** + * Global variables + ********************************************************************/ +int totalNumEntries = 0; +Reputation_Stats reputation_stats; +ReputationConfig *reputation_eval_config; +tSfPolicyUserContextId reputation_config; +ReputationConfig *pDefaultPolicyConfig = NULL; + +#ifdef SNORT_RELOAD +static tSfPolicyUserContextId reputation_swap_config = NULL; +static void ReputationReload(char *); +static void * ReputationReloadSwap(void); +static void ReputationReloadSwapFree(void *); +static int ReputationReloadVerify(void); +#endif + + +/* Called at preprocessor setup time. Links preprocessor keyword + * to corresponding preprocessor initialization function. + * + * PARAMETERS: None. + * + * RETURNS: Nothing. + * + */ +void SetupReputation(void) +{ + /* Link preprocessor keyword to initialization function + * in the preprocessor list. 
*/ +#ifndef SNORT_RELOAD + _dpd.registerPreproc( "reputation", ReputationInit ); +#else + _dpd.registerPreproc("reputation", ReputationInit, ReputationReload, + ReputationReloadSwap, ReputationReloadSwapFree); +#endif +} +#ifdef SHARED_REP +static int Reputation_PreControl(uint16_t type, const uint8_t *data, uint32_t length, void **new_config) +{ + int segment_version = NO_DATASEG; + + ReputationConfig *pDefaultPolicyConfig = NULL; + ReputationConfig *nextConfig = NULL; + + pDefaultPolicyConfig = (ReputationConfig *)sfPolicyUserDataGetDefault(reputation_config); + + if (!pDefaultPolicyConfig) + { + *new_config = NULL; + return -1; + } + + nextConfig = (ReputationConfig *)calloc(1, sizeof(ReputationConfig)); + + if (!nextConfig) + { + *new_config = NULL; + return -1; + } + nextConfig->segment_version = segment_version; + nextConfig->memcap = pDefaultPolicyConfig->memcap; + reputation_shmem_config = nextConfig; + + if ((segment_version = LoadSharedMemDataSegmentForWriter(RELOAD)) >= 0) + { + *new_config = nextConfig; + nextConfig->segment_version = segment_version; + _dpd.logMsg("***Received segment %d\n", + segment_version); + } + else + { + *new_config = NULL; + free(nextConfig); + return -1; + } + return 0; +} + +static int Reputation_Control(uint16_t type, void *new_config, void **old_config) +{ + ReputationConfig *config = (ReputationConfig *) new_config; + + if (NULL != config) + { + SwitchToActiveSegment(config->segment_version, &IPtables); + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,"***Switched to segment %d\n", + config->segment_version)); + *old_config = config; + return 0; + } + return -1; +} + +static void Reputation_PostControl(uint16_t type, void *old_config) +{ + ReputationConfig *config = (ReputationConfig *) old_config; + ReputationConfig *pDefaultPolicyConfig = NULL; + + pDefaultPolicyConfig = (ReputationConfig *)sfPolicyUserDataGetDefault(reputation_config); + + if (!pDefaultPolicyConfig) + { + return; + } + + UnmapInactiveSegments(); + + 
pDefaultPolicyConfig->memCapReached = config->memCapReached; + pDefaultPolicyConfig->segment_version = config->segment_version; + pDefaultPolicyConfig->memsize = config->memsize; + pDefaultPolicyConfig->numEntries = config->numEntries; + pDefaultPolicyConfig->iplist = config->iplist; + reputation_shmem_config = pDefaultPolicyConfig; + free(config); + +} +static void ReputationShmemReaderUpdate(void) +{ + if (SWITCHING == switch_state) + { + SwitchToActiveSegment(available_segment, &IPtables); + switch_state = SWITCHED; + } +} +static void ReputationMaintenanceCheck(int signal, void *data) +{ + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Reputation Preprocessor Maintenance!\n");); + PrintShmemMgmtInfo(); + if (SHMEM_SERVER_ID_1 == _dpd.getSnortInstance()) + { + ManageUnusedSegments(); + if (SWITCHED == switch_state) + { + _dpd.logMsg("***Instance %d switched to segment_version %d\n", + _dpd.getSnortInstance(), available_segment); + UnmapInactiveSegments(); + switch_state = NO_SWITCH; + } + } + else + { + if ((NO_SWITCH == switch_state)&&((available_segment = CheckForSharedMemSegment()) >= 0)) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,"***Switched to segment_version %d ",available_segment);); + switch_state = SWITCHING; + + } + if (SWITCHED == switch_state) + { + _dpd.logMsg("***Instance %d switched to segment_version %d\n", + _dpd.getSnortInstance(), available_segment); + UnmapInactiveSegments(); + switch_state = NO_SWITCH; + } + } +} + +#endif + +/* Initializes the Reputation preprocessor module and registers + * it in the preprocessor list. + * + * PARAMETERS: + * + * argp: Pointer to argument string to process for configuration data. + * + * RETURNS: Nothing. 
+ */ +static void ReputationInit(char *argp) +{ + tSfPolicyId policy_id = _dpd.getParserPolicy(); + ReputationConfig *pDefaultPolicyConfig = NULL; + ReputationConfig *pPolicyConfig = NULL; + + + if (reputation_config == NULL) + { + /*create a context*/ + reputation_config = sfPolicyConfigCreate(); + if (reputation_config == NULL) + { + DynamicPreprocessorFatalMessage("Failed to allocate memory " + "for Reputation config.\n"); + } + + _dpd.addPreprocConfCheck(ReputationCheckConfig); + _dpd.registerPreprocStats(REPUTATION_NAME, ReputationPrintStats); + _dpd.addPreprocExit(ReputationCleanExit, NULL, PRIORITY_LAST, PP_REPUTATION); + +#ifdef PERF_PROFILING + _dpd.addPreprocProfileFunc("reputation", (void *)&reputationPerfStats, 0, _dpd.totalPerfStats); +#endif + + } + + sfPolicyUserPolicySet (reputation_config, policy_id); + pDefaultPolicyConfig = (ReputationConfig *)sfPolicyUserDataGetDefault(reputation_config); + pPolicyConfig = (ReputationConfig *)sfPolicyUserDataGetCurrent(reputation_config); + if ((pPolicyConfig != NULL) && (pDefaultPolicyConfig == NULL)) + { + DynamicPreprocessorFatalMessage("Reputation preprocessor can only be " + "configured once.\n"); + } + + pPolicyConfig = (ReputationConfig *)calloc(1, sizeof(ReputationConfig)); + if (!pPolicyConfig) + { + DynamicPreprocessorFatalMessage("Could not allocate memory for " + "Reputation preprocessor configuration.\n"); + } + + sfPolicyUserDataSetCurrent(reputation_config, pPolicyConfig); + + ParseReputationArgs(pPolicyConfig, (u_char *)argp); +#ifdef SHARED_REP + if (pPolicyConfig->sharedMem.path) + { + _dpd.addPeriodicCheck(ReputationMaintenanceCheck,NULL, PRIORITY_FIRST, PP_REPUTATION, pPolicyConfig->sharedMem.updateInterval); + + /*Only writer or server has control channel*/ + if (SHMEM_SERVER_ID_1 == _dpd.getSnortInstance()) + { + _dpd.controlSocketRegisterHandler(CS_TYPE_REPUTATION_SHAREMEM, + &Reputation_PreControl, &Reputation_Control, &Reputation_PostControl); + } + 
_dpd.registerIdleHandler(&ReputationShmemReaderUpdate); + + } +#endif + + if ((0 == pPolicyConfig->numEntries)&&(!pPolicyConfig->sharedMem.path)) + { + return; + } + + if (policy_id != 0) + pPolicyConfig->memcap = pDefaultPolicyConfig->memcap; + + if (!pPolicyConfig->sharedMem.path && pPolicyConfig->localSegment) + IPtables = &pPolicyConfig->localSegment; + + _dpd.addPreproc( ReputationMain, PRIORITY_FIRST, PP_REPUTATION, PROTO_BIT__IP ); +#ifdef SHARED_REP + if (pPolicyConfig->sharedMem.path) + _dpd.addPostConfigFunc(initShareMemory, pPolicyConfig); +#endif + +} + + +/********************************************************************* + * Lookup the iplist table. + * + * Arguments: + * snort_ip_p - ip to be searched + * + * Returns: + * IPdecision - + * DECISION_NULL + * BLACKLISTED + * WHITELISTED + * + *********************************************************************/ +static inline IPdecision ReputationLookup(snort_ip_p ip) +{ + bw_list * result; + +#ifdef SUP_IP6 + DEBUG_WRAP( DebugMessage(DEBUG_REPUTATION, "Lookup address: %s \n",sfip_to_str(ip) );); +#else + DEBUG_WRAP( DebugMessage(DEBUG_REPUTATION, "Lookup address: %lx \n", ip);); +#endif + if (!reputation_eval_config->scanlocal) + { + if (sfip_is_private(ip) ) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Private address\n");); + return DECISION_NULL; + } + } + +#ifdef SUP_IP6 + + result = (bw_list *) sfrt_flat_dir8x_lookup((void *)ip, reputation_eval_config->iplist ); + +#else + + result = (bw_list *) sfrt_flat_dir8x_lookup((void *)&ip, reputation_eval_config->iplist); + +#endif + /*Check the source and destination*/ + if (NULL != result) + { +#ifdef SUP_IP6 + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Decision: %s \n", + WHITELISTED == result->isBlack? 
"WHITED": "BLACKED" );); +#endif + return (result->isBlack); + } + else + return DECISION_NULL; + +} + +/********************************************************************* + * Make decision based on ip addresses + * + * Arguments: + * SFSnortPacket * - pointer to packet structure + * + * Returns: + * IPdecision - + * DECISION_NULL + * BLACKLISTED + * WHITELISTED + * + *********************************************************************/ +static inline IPdecision ReputationDecision(SFSnortPacket *p) +{ + snort_ip_p ip; + IPdecision decision; + IPdecision decision_final = DECISION_NULL; + + /*Check INNER IP, when configured or only one layer*/ + if (( ! p->outer_family ) + ||(INNER == reputation_eval_config->nestedIP) + ||(BOTH == reputation_eval_config->nestedIP)) + { + ip = GET_INNER_SRC_IP(((SFSnortPacket *)p)); + decision = ReputationLookup(ip); + if (DECISION_NULL != decision) + { + if ( reputation_eval_config->priority == decision) + return decision; + decision_final = decision; + } + + + ip = GET_INNER_DST_IP(((SFSnortPacket *)p)); + decision = ReputationLookup(ip); + if (DECISION_NULL != decision) + { + if ( reputation_eval_config->priority == decision) + return decision; + decision_final = decision; + } + } + /*Check OUTER IP*/ + if (( p->outer_family) && + ((OUTER == reputation_eval_config->nestedIP) + ||(BOTH == reputation_eval_config->nestedIP))) + { + ip = GET_OUTER_SRC_IP(((SFSnortPacket *)p)); + decision = ReputationLookup(ip); + if (DECISION_NULL != decision) + { + if ( reputation_eval_config->priority == decision) + return decision; + decision_final = decision; + } + + ip = GET_OUTER_DST_IP(((SFSnortPacket *)p)); + decision = ReputationLookup(ip); + if (DECISION_NULL != decision) + { + if ( reputation_eval_config->priority == decision) + return decision; + decision_final = decision; + } + + } + return (decision_final); +} + +/********************************************************************* + * Main entry point for Reputation processing. 
+ * + * Arguments: + * SFSnortPacket * - pointer to packet structure + * + * Returns: + * None + * + *********************************************************************/ +static inline void ReputationProcess(SFSnortPacket *p) +{ + + IPdecision decision; + + reputation_eval_config->iplist = (table_flat_t *)*IPtables; + decision = ReputationDecision(p); + + if (DECISION_NULL == decision) + { + return; + } + else if (BLACKLISTED == decision) + { + ALERT(REPUTATION_EVENT_BLACKLIST,REPUTATION_EVENT_BLACKLIST_STR); + _dpd.disableAllDetect(p); + _dpd.setPreprocBit(p, PP_PERFMONITOR); + reputation_stats.blacklisted++; + } + else if (WHITELISTED == decision) + { + ALERT(REPUTATION_EVENT_WHITELIST,REPUTATION_EVENT_WHITELIST_STR); + p->flags |= FLAG_IGNORE_PORT; + _dpd.disableAllDetect(p); + _dpd.setPreprocBit(p, PP_PERFMONITOR); + reputation_stats.whitelisted++; + } + +} +/* Main runtime entry point for Reputation preprocessor. + * Analyzes Reputation packets for anomalies/exploits. + * + * PARAMETERS: + * + * packetp: Pointer to current packet to process. + * contextp: Pointer to context block, not used. + * + * RETURNS: Nothing. 
+ */ +static void ReputationMain( void* ipacketp, void* contextp ) +{ + + PROFILE_VARS; + + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "%s\n", REPUTATION_DEBUG__START_MSG)); + + if (!IsIP((SFSnortPacket*) ipacketp) + ||( ((SFSnortPacket*)ipacketp)->flags & FLAG_REBUILT_FRAG) + ||( ((SFSnortPacket*)ipacketp)->flags & FLAG_REBUILT_STREAM)) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION," -> spp_reputation: Not IP or Is a rebuilt packet\n");); + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "%s\n", REPUTATION_DEBUG__END_MSG)); + return; + } + + + sfPolicyUserPolicySet (reputation_config, runtimePolicyId); + + reputation_eval_config = sfPolicyUserDataGetCurrent(reputation_config); + + PREPROC_PROFILE_START(reputationPerfStats); + /* + * Start process + */ + + ReputationProcess((SFSnortPacket*) ipacketp); + + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "%s\n", REPUTATION_DEBUG__END_MSG)); + PREPROC_PROFILE_END(reputationPerfStats); + +} + +static int ReputationCheckPolicyConfig(tSfPolicyUserContextId config, tSfPolicyId policyId, void* pData) +{ + _dpd.setParserPolicy(policyId); + + return 0; +} +void ReputationCheckConfig(void) +{ + sfPolicyUserDataIterate (reputation_config, ReputationCheckPolicyConfig); +} + + +static void ReputationCleanExit(int signal, void *data) +{ + if (reputation_config != NULL) + { + ReputationFreeConfig(reputation_config); + reputation_config = NULL; +#ifdef SHARED_REP + ShutdownSharedMemory(); +#endif + } +} +static int ReputationFreeConfigPolicy( + tSfPolicyUserContextId config, + tSfPolicyId policyId, + void* pData +) +{ + ReputationConfig *pPolicyConfig = (ReputationConfig *)pData; + + //do any housekeeping before freeing ReputationConfig + + sfPolicyUserDataClear (config, policyId); + + Reputation_FreeConfig(pPolicyConfig); + return 0; +} + +void ReputationFreeConfig(tSfPolicyUserContextId config) +{ + if (config == NULL) + return; + + sfPolicyUserDataIterate (config, ReputationFreeConfigPolicy); + sfPolicyConfigDelete(config); +} 
+/****************************************************************** + * Print statistics being kept by the preprocessor. + * + * Arguments: + * int - whether Snort is exiting or not + * + * Returns: None + * + ******************************************************************/ +static void ReputationPrintStats(int exiting) +{ + + _dpd.logMsg("Reputation Preprocessor Statistics\n"); + + _dpd.logMsg(" Total Memory Allocated: "STDu64"\n", reputation_stats.memoryAllocated); + + if (reputation_stats.blacklisted > 0) + _dpd.logMsg(" Number of packets blacklisted: "STDu64"\n", reputation_stats.blacklisted); + if (reputation_stats.whitelisted > 0) + _dpd.logMsg(" Number of packets whitelisted: "STDu64"\n", reputation_stats.whitelisted); + +} + +#ifdef SNORT_RELOAD +static void ReputationReload(char *args) +{ + tSfPolicyId policy_id = _dpd.getParserPolicy(); + ReputationConfig * pPolicyConfig = NULL; + ReputationConfig *pDefaultPolicyConfig = NULL; + + if (reputation_swap_config == NULL) + { + //create a context + reputation_swap_config = sfPolicyConfigCreate(); + if (reputation_swap_config == NULL) + { + DynamicPreprocessorFatalMessage("Failed to allocate memory " + "for Reputation config.\n"); + } + + } + + sfPolicyUserPolicySet (reputation_swap_config, policy_id); + pPolicyConfig = (ReputationConfig *)sfPolicyUserDataGetCurrent(reputation_swap_config); + pDefaultPolicyConfig = (ReputationConfig *)sfPolicyUserDataGetDefault(reputation_config); + if ((pPolicyConfig != NULL) && (pDefaultPolicyConfig == NULL)) + { + DynamicPreprocessorFatalMessage("Reputation preprocessor can only be " + "configured once.\n"); + } + + pPolicyConfig = (ReputationConfig *)calloc(1, sizeof(ReputationConfig)); + if (!pPolicyConfig) + { + DynamicPreprocessorFatalMessage("Could not allocate memory for " + "Reputation preprocessor configuration.\n"); + } + sfPolicyUserDataSetCurrent(reputation_swap_config, pPolicyConfig); + + ParseReputationArgs(pPolicyConfig, (u_char *)args); + + if ((0 == 
pPolicyConfig->numEntries) &&(!pPolicyConfig->sharedMem.path)) + { + return; + } + if (policy_id != 0) + pPolicyConfig->memcap = pDefaultPolicyConfig->memcap; + + _dpd.addPreproc( ReputationMain, PRIORITY_FIRST, PP_REPUTATION, PROTO_BIT__IP ); + _dpd.addPreprocReloadVerify(ReputationReloadVerify); +} + +static int ReputationReloadVerify(void) +{ + ReputationConfig * pPolicyConfig = NULL; + ReputationConfig * pCurrentConfig = NULL; + + if (reputation_swap_config == NULL) + return 0; + + pPolicyConfig = (ReputationConfig *)sfPolicyUserDataGet(reputation_swap_config, _dpd.getDefaultPolicy()); + + if (!pPolicyConfig) + return 0; + + + if (reputation_config != NULL) + { + pCurrentConfig = (ReputationConfig *)sfPolicyUserDataGet(reputation_config, _dpd.getDefaultPolicy()); + } + + if (!pCurrentConfig) + return 0; + + if (pPolicyConfig->memcap != pCurrentConfig->memcap) + { + _dpd.errMsg("Reputation reload: Changing memcap settings requires a restart.\n"); + ReputationFreeConfig(reputation_swap_config); + reputation_swap_config = NULL; + return -1; + } + +#ifdef SHARED_REP + /* Shared memory is used*/ + if (pPolicyConfig->sharedMem.path || pCurrentConfig->sharedMem.path) + { + /*Shared memory setting is changed*/ + if ( (!pCurrentConfig->sharedMem.path)||(!pPolicyConfig->sharedMem.path) + || strcmp(pPolicyConfig->sharedMem.path, pCurrentConfig->sharedMem.path) + ||(pPolicyConfig->sharedMem.updateInterval != pCurrentConfig->sharedMem.updateInterval)) + { + _dpd.errMsg("Reputation reload: Changing memory settings requires a restart.\n"); + ReputationFreeConfig(reputation_swap_config); + reputation_swap_config = NULL; + return -1; + } + else /*no change, do a reload of list*/ + { + reputation_shmem_config = pPolicyConfig; + if ((available_segment = LoadSharedMemDataSegmentForWriter(RELOAD)) >= 0) + { + pPolicyConfig->segment_version = available_segment; + _dpd.logMsg("***New segment %d\n", + available_segment); + switch_state = SWITCHING; + } + + } + } +#endif + return 0; +} 
+ +static int ReputationFreeUnusedConfigPolicy( + tSfPolicyUserContextId config, + tSfPolicyId policyId, + void* pData +) +{ + ReputationConfig *pPolicyConfig = (ReputationConfig *)pData; + + //do any housekeeping before freeing ReputationConfig + if (pPolicyConfig->ref_count == 0) + { + sfPolicyUserDataClear (config, policyId); + Reputation_FreeConfig(pPolicyConfig); + } + return 0; +} + +static void * ReputationReloadSwap(void) +{ + tSfPolicyUserContextId old_config = reputation_config; + ReputationConfig *pDefaultPolicyConfig = NULL; + + if (reputation_swap_config == NULL) + return NULL; + + reputation_config = reputation_swap_config; + reputation_swap_config = NULL; + + pDefaultPolicyConfig = (ReputationConfig *)sfPolicyUserDataGetDefault(reputation_config); + if (pDefaultPolicyConfig->localSegment) + IPtables = &pDefaultPolicyConfig->localSegment; + + sfPolicyUserDataIterate (old_config, ReputationFreeUnusedConfigPolicy); + + if (sfPolicyUserPolicyGetActive(old_config) == 0) + { + /* No more outstanding configs - free the config array */ + return (void *)old_config; + } + + return NULL; +} + +static void ReputationReloadSwapFree(void *data) +{ + if (data == NULL) + return; + + ReputationFreeConfig((tSfPolicyUserContextId)data); +} +#endif diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/reputation/spp_reputation.h snort-2.9.2/src/dynamic-preprocessors/reputation/spp_reputation.h --- snort-2.8.5.2/src/dynamic-preprocessors/reputation/spp_reputation.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/reputation/spp_reputation.h 2011-10-26 14:49:57.000000000 +0000 
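Review bot: Reputation_PostControl dereferences `old_config` unconditionally (`config->memCapReached` and the assignments after it), but Reputation_Control only stores `*old_config = config` on its success path and leaves it untouched when it returns -1, so whether the pointer can arrive NULL or stale here depends on how the control-socket dispatcher treats a failed Reputation_Control, which is outside this file. A guard `if (!config) return;` before `UnmapInactiveSegments()` costs nothing and keeps the handler safe under either contract. The same gap exists in ReputationReloadSwap, which dereferences `pDefaultPolicyConfig->localSegment` although ReputationReloadVerify deliberately returns 0 when the swap config has no default-policy entry; `if (pDefaultPolicyConfig && pDefaultPolicyConfig->localSegment)` closes it. Reputation_PreControl also ignores the `data`/`length` payload from the control socket entirely; if that is intentional, a one-line comment saying the message carries no payload would stop a later change from adding parsing without a length check.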
@@ -0,0 +1,80 @@ +/* $Id */ + +/* + ** Copyright (C) 2011-2011 Sourcefire, Inc. + ** + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +/* + * spp_reputation.h: Definitions, structs, function prototype(s) for + * the Reputation preprocessor. + * Author: Hui Cao + */ + +#ifndef SPP_REPUTATION_H +#define SPP_REPUTATION_H + +#include "sf_types.h" +#include "sfPolicy.h" +#include "sfPolicyUserData.h" +#include "snort_bounds.h" +#include "sf_ip.h" +#include "sfrt_flat.h" +#include "reputation_config.h" + +/* + * Generator id. 
Define here the same as the official registry + * in generators.h + */ +#define GENERATOR_SPP_REPUTATION 136 + +#define CS_TYPE_REPUTATION_SHAREMEM ((GENERATOR_SPP_REPUTATION *10) + 1) + +/*These IDs are reserved for snort shared memory server (writer)*/ +#define SHMEM_SERVER_ID_1 1 + +/* Ultimately calls SnortEventqAdd */ +/* Arguments are: gid, sid, rev, classification, priority, message, rule_info */ +#define ALERT(x,y) { _dpd.alertAdd(GENERATOR_SPP_REPUTATION, x, 1, 0, 3, y, 0 ); } + +#define REPUTATION_EVENT_BLACKLIST 1 +#define REPUTATION_EVENT_BLACKLIST_STR "(spp_reputation) packets blacklisted" +#define REPUTATION_EVENT_WHITELIST 2 +#define REPUTATION_EVENT_WHITELIST_STR "(spp_reputation) packets whitelisted" + + +typedef struct _Reputation_Stats +{ + uint64_t blacklisted; + uint64_t whitelisted; + uint64_t memoryAllocated; + +} Reputation_Stats; + +extern Reputation_Stats reputation_stats; +extern int totalNumEntries; +extern ReputationConfig *reputation_eval_config; +extern tSfPolicyUserContextId reputation_config; +extern void **IPtables; +#ifdef SHARED_REP +extern ReputationConfig *reputation_shmem_config; +#endif +/* Prototypes for public interface */ +void SetupReputation(void); + +#endif /* SPP_REPUTATION_H */ diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/Makefile.am snort-2.9.2/src/dynamic-preprocessors/rzb_saac/Makefile.am --- snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/Makefile.am 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/Makefile.am 2011-07-13 22:44:51.000000000 +0000 
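Review bot: The `ALERT(x,y)` macro expands to a bare brace block, so `if (cond) ALERT(a, b); else ...` becomes a syntax error once the trailing semicolon terminates the statement; the idiomatic form is `#define ALERT(x,y) do { _dpd.alertAdd(GENERATOR_SPP_REPUTATION, x, 1, 0, 3, y, 0 ); } while (0)`. The two call sites in spp_reputation.c sit inside their own braces, so nothing breaks today, but the header should not leave that trap for the next caller. While here, the literal `1, 0, 3` arguments (rev, classification and priority per the comment above the macro) would read better as named constants or with a per-argument comment.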
@@ -0,0 +1,38 @@ +## $Id +AUTOMAKE_OPTIONS=foreign no-dependencies + +INCLUDES = -I../include -I${srcdir}/../libs + +pkglibdir = ${exec_prefix}/lib/snort_dynamicpreprocessor + +pkglib_LTLIBRARIES = sf_rzb_saac_preproc.la + +sf_rzb_saac_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +if SO_WITH_STATIC_LIB +PREPROCLIB=../libsf_dynamic_preproc.la +else +nodist_sf_rzb_saac_preproc_la_SOURCES = \ +../include/sf_dynamic_preproc_lib.c \ +../include/sf_ip.c \ +../include/sfPolicyUserData.c +endif +sf_rzb_saac_preproc_la_LIBADD = ${PREPROCLIB} @RAZORBACK_LIBS@ +sf_rzb_saac_preproc_la_CFLAGS = @RAZORBACK_CFLAGS@ -Werror + +sf_rzb_saac_preproc_la_SOURCES = \ +rzb_debug.c \ +rzb_debug.h \ +rzb_http-client.c \ +rzb_http-client.h \ +rzb_http.h \ +rzb_http-fileinfo.c \ +rzb_http-fileinfo.h \ +rzb_http-server.c \ +rzb_http-server.h \ +rzb_smtp-collector.c \ +rzb_smtp-collector.h \ +spp_rzb-saac.c + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/../build install-pkglibLTLIBRARIES + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/Makefile.in snort-2.9.2/src/dynamic-preprocessors/rzb_saac/Makefile.in --- snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/Makefile.in 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/Makefile.in 2011-12-07 19:23:20.000000000 +0000 
@@ -0,0 +1,586 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/dynamic-preprocessors/rzb_saac +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + 
srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(pkglibdir)" +LTLIBRARIES = $(pkglib_LTLIBRARIES) +sf_rzb_saac_preproc_la_DEPENDENCIES = $(PREPROCLIB) +am_sf_rzb_saac_preproc_la_OBJECTS = \ + sf_rzb_saac_preproc_la-rzb_debug.lo \ + sf_rzb_saac_preproc_la-rzb_http-client.lo \ + sf_rzb_saac_preproc_la-rzb_http-fileinfo.lo \ + sf_rzb_saac_preproc_la-rzb_http-server.lo \ + sf_rzb_saac_preproc_la-rzb_smtp-collector.lo \ + sf_rzb_saac_preproc_la-spp_rzb-saac.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_sf_rzb_saac_preproc_la_OBJECTS = sf_rzb_saac_preproc_la-sf_dynamic_preproc_lib.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sf_rzb_saac_preproc_la-sf_ip.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sf_rzb_saac_preproc_la-sfPolicyUserData.lo +sf_rzb_saac_preproc_la_OBJECTS = $(am_sf_rzb_saac_preproc_la_OBJECTS) \ + $(nodist_sf_rzb_saac_preproc_la_OBJECTS) +sf_rzb_saac_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(sf_rzb_saac_preproc_la_CFLAGS) $(CFLAGS) \ + $(sf_rzb_saac_preproc_la_LDFLAGS) $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = +am__depfiles_maybe = +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(sf_rzb_saac_preproc_la_SOURCES) \ + $(nodist_sf_rzb_saac_preproc_la_SOURCES) +DIST_SOURCES = $(sf_rzb_saac_preproc_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +pkglibdir = ${exec_prefix}/lib/snort_dynamicpreprocessor +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ +CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAINT = @MAINT@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = 
@PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ +STRIP = @STRIP@ +VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ +YACC = @YACC@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +extra_incl = @extra_incl@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = 
@top_builddir@ +top_srcdir = @top_srcdir@ +AUTOMAKE_OPTIONS = foreign no-dependencies +pkglib_LTLIBRARIES = sf_rzb_saac_preproc.la +sf_rzb_saac_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +@SO_WITH_STATIC_LIB_TRUE@PREPROCLIB = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_sf_rzb_saac_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_ip.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c + +sf_rzb_saac_preproc_la_LIBADD = ${PREPROCLIB} @RAZORBACK_LIBS@ +sf_rzb_saac_preproc_la_CFLAGS = @RAZORBACK_CFLAGS@ -Werror +sf_rzb_saac_preproc_la_SOURCES = \ +rzb_debug.c \ +rzb_debug.h \ +rzb_http-client.c \ +rzb_http-client.h \ +rzb_http.h \ +rzb_http-fileinfo.c \ +rzb_http-fileinfo.h \ +rzb_http-server.c \ +rzb_http-server.h \ +rzb_smtp-collector.c \ +rzb_smtp-collector.h \ +spp_rzb-saac.c + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/rzb_saac/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-preprocessors/rzb_saac/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-pkglibLTLIBRARIES: $(pkglib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(pkglibdir)" || $(MKDIR_P) "$(DESTDIR)$(pkglibdir)" + @list='$(pkglib_LTLIBRARIES)'; test -n "$(pkglibdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(pkglibdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(pkglibdir)"; \ + } + +uninstall-pkglibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(pkglib_LTLIBRARIES)'; test -n "$(pkglibdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(pkglibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(pkglibdir)/$$f"; \ + done + +clean-pkglibLTLIBRARIES: + -test -z "$(pkglib_LTLIBRARIES)" || rm -f $(pkglib_LTLIBRARIES) + @list='$(pkglib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm 
-f "$${dir}/so_locations"; \ + done +sf_rzb_saac_preproc.la: $(sf_rzb_saac_preproc_la_OBJECTS) $(sf_rzb_saac_preproc_la_DEPENDENCIES) + $(sf_rzb_saac_preproc_la_LINK) -rpath $(pkglibdir) $(sf_rzb_saac_preproc_la_OBJECTS) $(sf_rzb_saac_preproc_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +.c.o: + $(COMPILE) -c $< + +.c.obj: + $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: + $(LTCOMPILE) -c -o $@ $< + +sf_rzb_saac_preproc_la-rzb_debug.lo: rzb_debug.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sf_rzb_saac_preproc_la_CFLAGS) $(CFLAGS) -c -o sf_rzb_saac_preproc_la-rzb_debug.lo `test -f 'rzb_debug.c' || echo '$(srcdir)/'`rzb_debug.c + +sf_rzb_saac_preproc_la-rzb_http-client.lo: rzb_http-client.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sf_rzb_saac_preproc_la_CFLAGS) $(CFLAGS) -c -o sf_rzb_saac_preproc_la-rzb_http-client.lo `test -f 'rzb_http-client.c' || echo '$(srcdir)/'`rzb_http-client.c + +sf_rzb_saac_preproc_la-rzb_http-fileinfo.lo: rzb_http-fileinfo.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sf_rzb_saac_preproc_la_CFLAGS) $(CFLAGS) -c -o sf_rzb_saac_preproc_la-rzb_http-fileinfo.lo `test -f 'rzb_http-fileinfo.c' || echo '$(srcdir)/'`rzb_http-fileinfo.c + +sf_rzb_saac_preproc_la-rzb_http-server.lo: rzb_http-server.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sf_rzb_saac_preproc_la_CFLAGS) $(CFLAGS) -c -o sf_rzb_saac_preproc_la-rzb_http-server.lo `test -f 'rzb_http-server.c' || echo '$(srcdir)/'`rzb_http-server.c + +sf_rzb_saac_preproc_la-rzb_smtp-collector.lo: rzb_smtp-collector.c + $(LIBTOOL) 
--tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sf_rzb_saac_preproc_la_CFLAGS) $(CFLAGS) -c -o sf_rzb_saac_preproc_la-rzb_smtp-collector.lo `test -f 'rzb_smtp-collector.c' || echo '$(srcdir)/'`rzb_smtp-collector.c + +sf_rzb_saac_preproc_la-spp_rzb-saac.lo: spp_rzb-saac.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sf_rzb_saac_preproc_la_CFLAGS) $(CFLAGS) -c -o sf_rzb_saac_preproc_la-spp_rzb-saac.lo `test -f 'spp_rzb-saac.c' || echo '$(srcdir)/'`spp_rzb-saac.c + +sf_rzb_saac_preproc_la-sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sf_rzb_saac_preproc_la_CFLAGS) $(CFLAGS) -c -o sf_rzb_saac_preproc_la-sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +sf_rzb_saac_preproc_la-sf_ip.lo: ../include/sf_ip.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sf_rzb_saac_preproc_la_CFLAGS) $(CFLAGS) -c -o sf_rzb_saac_preproc_la-sf_ip.lo `test -f '../include/sf_ip.c' || echo '$(srcdir)/'`../include/sf_ip.c + +sf_rzb_saac_preproc_la-sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sf_rzb_saac_preproc_la_CFLAGS) $(CFLAGS) -c -o sf_rzb_saac_preproc_la-sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) 
$(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) 
$(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) all-local +installdirs: + for dir in "$(DESTDIR)$(pkglibdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libtool clean-pkglibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-pkglibLTLIBRARIES + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pkglibLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ + clean-generic clean-libtool clean-pkglibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pkglibLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pkglibLTLIBRARIES + + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/../build install-pkglibLTLIBRARIES + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/rzb_debug.c snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_debug.c
--- snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/rzb_debug.c 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_debug.c 2011-10-26 18:28:52.000000000 +0000
@@ -0,0 +1,43 @@
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif /* HAVE_CONFIG_H */
+
+#ifdef HAVE_STRINGS_H
+#include
+#endif
+
+#include "sf_types.h"
+#include "rzb_debug.h"
+
+#include
+#include
+#include
+
+void prettyprint(const unsigned char *data, unsigned int size) {
+ unsigned int i;
+ const unsigned char *dataptr = data;
+ unsigned char asciigraph[17];
+
+ memset(asciigraph, '\x00', 17);
+
+#ifdef PACKETDUMPSIZE
+ size = (size > PACKETDUMPSIZE) ? PACKETDUMPSIZE : size;
+#endif
+
+ for(i=0; i < size; i++, dataptr++) {
+ printf("%02x ", *dataptr);
+ asciigraph[i % 16] = (isgraph(*dataptr) || (*dataptr == ' ')) ? *dataptr : '.';
+
+ if(i % 16 == 15) {
+ printf("%s\n", asciigraph);
+ memset(asciigraph, '\x00', 17);
+ }
+ }
+
+ // Dump any remaining data
+ if(i % 16) {
+ printf("%*s", (16 - (i%16)) * 3, " ");
+ printf("%s\n", asciigraph);
+ }
+}
+
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/rzb_debug.h snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_debug.h
--- snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/rzb_debug.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_debug.h 2011-02-09 23:23:21.000000000 +0000
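Review bot: prettyprint writes its hex dump with bare printf to stdout, so inside a Snort dynamic preprocessor the output bypasses the engine's own logging (`_dpd.logMsg` in the dynamic-preprocessor API) and lands wherever the daemon's stdout happens to point. Since rzb_debug.h force-defines DEBUG, the `DEBUGOUT((D_PACKET | D_WARN), prettyprint(sp->payload, sp->payload_size))` call in ProcessFromClient makes this run for every client payload in an ordinary build, which is a lot of synchronous I/O on the packet path. The function is exported through rzb_debug.h but has no comment; a header such as `/* Print a 16-bytes-per-line hex and ASCII dump of the first min(size, PACKETDUMPSIZE) bytes of data to stdout; bytes beyond the cap are silently dropped. */` would document the truncation. The `%*s` width is an unsigned expression while `*` expects an int, so `(int)((16 - (i % 16)) * 3)` is the type-correct form and avoids a possible format warning under the -Werror this target is built with.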
@@ -0,0 +1,37 @@
+#ifndef NRT_DEBUG_H
+#define NRT_DEBUG_H
+
+#define D_CRITICAL 0xFFFF
+
+#define D_EMERG 0x0001
+#define D_WARN 0x0002
+#define D_DEBUG 0x0004
+#define D_INFO 0x0008
+#define D_ALLLVL 0x00FF
+#define D_CRIT 0x0080
+
+#define D_CLIENT 0x0100
+#define D_SERVER 0X0200
+#define D_DETECT 0x0400
+#define D_PACKET 0x0800
+#define D_FILE 0x1000
+#define D_ALERT 0x2000
+#define D_ALLCOMP 0xFF00
+
+#define D_ALLDEBUG 0xFFFF
+
+#define DEBUG
+#ifdef DEBUG
+#define DEBUGLEVEL D_ALLDEBUG //((D_ALLCOMP & ~D_PACKET) | D_CRIT)// (D_ALLDEBUG & ~D_PACKET)
+#define DEBUGOUT(flag, code) if((flag & DEBUGLEVEL & 0xFF00) && (flag & DEBUGLEVEL & 0x00FF)) code
+#else
+#define DEBUGOUT(flag, code)
+#endif
+
+#define PACKETDUMPSIZE 256
+
+void prettyprint(const unsigned char *, unsigned int);
+
+
+#endif
+
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/rzb_http-client.c snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http-client.c
--- snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/rzb_http-client.c 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http-client.c 2011-10-26 18:28:52.000000000 +0000
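Review bot: `#define DEBUG` sits directly above `#ifdef DEBUG`, so the conditional can never be false and DEBUGOUT — including the D_PACKET payload hex dumps and every per-packet printf in the .c files — is compiled into every build of the preprocessor; drop the define and let the build pass -DDEBUG, or at least guard it with `#ifndef NDEBUG`. The DEBUGOUT expansion is an unbraced `if(...) code` with `flag` unparenthesized, so a caller's following `else` would bind to the macro's if and an argument written without its own parentheses would misparse against the `&`; `#define DEBUGOUT(flag, code) do { if(((flag) & DEBUGLEVEL & 0xFF00) && ((flag) & DEBUGLEVEL & 0x00FF)) { code; } } while(0)` fixes both while keeping the existing call sites valid. `D_SERVER 0X0200` uses an uppercase X unlike its neighbours, and D_CRITICAL and D_ALLDEBUG share the value 0xFFFF, which deserves a one-line comment saying D_CRITICAL intentionally matches every component and level so it always prints.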
@@ -0,0 +1,249 @@ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + +#ifdef HAVE_STRINGS_H +#include +#endif + +#include "sf_types.h" +#include +#include "rzb_http-client.h" +#include "rzb_debug.h" +#include "rzb_http-fileinfo.h" +#include "rzb_http-server.h" +#include "rzb_http.h" + +#include "sf_snort_plugin_api.h" +#include "sfPolicyUserData.h" + +#include +#include +#include +#include + +typedef struct { + pcre *re; + pcre_extra *pe; +} pcrestruct; + +// Ensure the pcre enum lines up with the pcre strings array +enum { PCRE_EOH, PCRE_URL, PCRE_HOST, PCRE_COOKIE, PCRE_UA } http_pcre_enum; +#define NUM_HTTP_PCRES PCRE_UA+1 +pcrestruct http_pcre_structs[NUM_HTTP_PCRES]; +char *http_pcre_strings[] = { + "\\n\\r?\\n", + "^(GET|POST)\\s+([^\\s]+)\\s+HTTP/1\\.[01]\\s*$", + "^Host:\\s*([^\\r\\n]+)", + "^Cookie:\\s*([^\\r\\n]+)", + "^User-Agent:\\s*([^\\r\\n]+)" + }; + +int init_HTTP_PCREs(void) { + const char *error; + int erroffset; + + int i; + + for(i = 0; i < NUM_HTTP_PCRES; i++) { +// /*DEBUGOUT((D_CLIENT | D_INFO),*/printf("Initializing PCRE %d: %s\n", i, http_pcre_strings[i]);//); + + http_pcre_structs[i].re = pcre_compile(http_pcre_strings[i], PCRE_CASELESS | PCRE_DOTALL | PCRE_MULTILINE, &error, &erroffset, NULL); + + if(http_pcre_structs[i].re == NULL) { + printf("Failed to compile pcre regex %d (%s): %s\n", i, http_pcre_strings[i], error); + return(-1); + } + + http_pcre_structs[i].pe = pcre_study(http_pcre_structs[i].re, 0, &error); + + if(error != NULL) { + printf("Failed to study pcre regex %d /%s/: %s\n", i, http_pcre_strings[i], error); + return(-1); + } + } + + return 1; +} + +// < 0 for error. 
>= 0 for len of extracted string +int extractHTTPClientHeaderVal(const u_int8_t *buf, u_int32_t size, int pcreidx, int substringnum, char *valuebuf, int valuelen) { + int result; + int ovector[9]; + int ovecsize = 9; + const char *tmpstring; + +// printf("Searching for pcre %d (%s)\n", pcreidx, http_pcre_strings[pcreidx]); + + result = pcre_exec(http_pcre_structs[pcreidx].re, http_pcre_structs[pcreidx].pe, + (const char *)buf, size, 0, 0, ovector, ovecsize); + + if(result < 0 || result == PCRE_ERROR_NOMATCH) { +// printf("pcre not found\n"); + return(-1); // We need to find the URL or this isn't a valid request + } + + if(valuebuf) { + result = pcre_get_substring((const char *)buf, ovector, result, substringnum, &tmpstring); + if(result < 0) { +// printf("unable to extract substring\n"); + return(-2); + } + + strncpy(valuebuf, tmpstring, valuelen); + valuebuf[valuelen-1] = '\0'; + + pcre_free_substring(tmpstring); + return(strlen(valuebuf)); + } + + return(0); +} + + +int ParseClientRequest(const u_int8_t *payload, u_int32_t payload_size, WEB_ENTRY* webentry) { + + u_int32_t offset_eoh = 0; + int result; + + DEBUGOUT((D_CLIENT | D_INFO), printf("ParseClientRequest enter\n")); + + if(payload == NULL) { + DEBUGOUT(D_CRITICAL, printf("ParseClientRequest payload is NULL. wtf.\n")); + return(-1); + } + + if(payload_size < 15) { + return(-1); + } + + // I get the sneaking suspicion that eventually I'm going to realize that I still + // need to keep track of HEAD, OPTION, etc because some jackass is going to desynch me by + // injecting such requests into the stream so when I receive file data it won't line up + // correctly. I really should just rob the code from http_inspect here. + + // Find the end of the HTTP headers + // XXX This code is pretty useless here unless I get an offset for the end of headers + result = extractHTTPClientHeaderVal(payload, payload_size, PCRE_EOH, 0, NULL, 0); + offset_eoh = /*(result >= 0) ? 
result :*/ payload_size; + + // Get the URL + result = extractHTTPClientHeaderVal(payload, offset_eoh, PCRE_URL, 2, webentry->url, sizeof(webentry->url)); + + // We need a URL (also validates this is a valid request) + if(result < 0) { + printf("Unable to extract URL\n"); + return(-1); + } + + // The remaining headers are optional (PCRE_HOST, PCRE_COOKIE, PCRE_UA) + result = extractHTTPClientHeaderVal(payload, offset_eoh, PCRE_HOST, 1, webentry->host, sizeof(webentry->host)); + if(result < 0) { +// printf("Unable to extract Host header\n"); + webentry->host[0] = '\0'; + } + + result = extractHTTPClientHeaderVal(payload, offset_eoh, PCRE_COOKIE, 1, webentry->cookie, sizeof(webentry->cookie)); + if(result < 0) { +// printf("Unable to extract Cookie header\n"); + webentry->cookie[0] = '\0'; + } + + result = extractHTTPClientHeaderVal(payload, offset_eoh, PCRE_UA, 1, webentry->user_agent, sizeof(webentry->user_agent)); + if(result < 0) { +// printf("Unable to extract User-Agent header\n"); + webentry->user_agent[0] = '\0'; + } + + return(1); +} + +int ProcessFromClient(SFSnortPacket *sp) { + RULEDATA *ruledata; + + WEB_ENTRY webentry; + + int result; + FILEINFO *fileinfo; + + DEBUGOUT((D_CLIENT | D_INFO), printf("ProcessFromClient enter\n")); + DEBUGOUT((D_PACKET | D_WARN), prettyprint(sp->payload, sp->payload_size)); + + ruledata = _dpd.streamAPI->get_application_data(sp->stream_session_ptr, SAAC_HTTP); + + if(!ruledata) { + DEBUGOUT((D_CLIENT | D_DEBUG), printf("ProcessFromClient: adding new rule data\n")); + ruledata = calloc(1, sizeof(RULEDATA)); + if(!ruledata) { + DEBUGOUT(D_CRITICAL, printf("ProcessFromClient: ruledata malloc failed\n")); + return(-1); + } + + _dpd.streamAPI->set_application_data(sp->stream_session_ptr, SAAC_HTTP, ruledata, &free); + ruledata->sid = NRTSID; + ruledata->streaminfoidx = INVALIDSTREAMIDX; + ruledata->state = WAITINGFORRESPONSEHEADER; + + } else if(ruledata->sid != NRTSID) { + DEBUGOUT(D_CRITICAL, printf("ProcessFromClient: Not our 
data! (sid %d/0x%08x)\n", ruledata->sid, ruledata->sid)); + return(-1); + } else if(IsStreamIgnored(ruledata)) { + DEBUGOUT((D_SERVER | D_WARN), printf("ProcessFromClient: stream is ignored\n")); + return(-1); + } + + fileinfo = calloc(1, sizeof(FILEINFO)); + + // Set all counts and sizes to 0, all strings to empty, and pointers to NULL + // memset(fileinfo, '\0', sizeof(FILEINFO)); + + result = ParseClientRequest(sp->payload, sp->payload_size, &webentry); + DEBUGOUT((D_CLIENT | D_INFO), printf("return from ParseClientRequest() was %d\n", result)); + + if(result <= 0) { + free(fileinfo); + return(-1); + } + + // Copy URL and Host header out of webentry into fileinfo + snprintf(fileinfo->url, sizeof(fileinfo->url), "%s", webentry.url); + fileinfo->url[sizeof(fileinfo->url) - 1] = 0; + snprintf(fileinfo->hostname, sizeof(fileinfo->hostname), "%s", webentry.host); + fileinfo->hostname[sizeof(fileinfo->hostname) - 1] = 0; + + // Now store what we know about this request + fileinfo->saddr = sp->ip4_header->source; + fileinfo->daddr = sp->ip4_header->destination; + + // Add address info to webentry + webentry.src_ip.ip.ipv4 = sp->ip4_header->source; + webentry.src_ip.family = AF_INET; + webentry.dst_ip.ip.ipv4 = sp->ip4_header->destination; + webentry.dst_ip.family = AF_INET; + + // Now send our webentry as an Intel Nugget! 
+ if(rzb_collection.sendWebTrack(&webentry) == R_FAIL) { + printf("Failed to send web track info!\n"); + // Not making this fatal error + } + + DEBUGOUT((D_CLIENT | D_DEBUG), DumpFileInfo(fileinfo)); + + result = AddFileInfoListElem(ruledata, fileinfo); + + DEBUGOUT((D_CLIENT | D_INFO), printf("return from StoreFileData() was %d\n", result)); + + if(result < 0) { + DEBUGOUT(D_CRITICAL, printf("AddFileInfoListElem failed!\n")); + free(fileinfo); + return(-1); + } + + DEBUGOUT((D_CLIENT | D_WARN), DumpFileInfoList(ruledata)); + +// _dpd.alertAdd(GENERATOR_NRT, DST_PORT_MATCH, +// 1, 0, 3, DST_PORT_MATCH_STR, 0); + + return(0); +} + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/rzb_http-client.h snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http-client.h --- snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/rzb_http-client.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http-client.h 2011-02-09 23:23:21.000000000 +0000 @@ -0,0 +1,13 @@ +#ifndef NRT_CLIENT_H +#define NRT_CLIENT_H + +#include + +#include "sf_snort_packet.h" + +int ParseClientRequest(const u_int8_t *, u_int32_t, WEB_ENTRY*); +int ProcessFromClient(SFSnortPacket *); +int init_HTTP_PCREs(void); + +#endif + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.c snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.c --- snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.c 2011-10-26 18:28:52.000000000 +0000 
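Review bot: In ProcessFromClient the `fileinfo = calloc(1, sizeof(FILEINFO));` result is never checked, yet `snprintf(fileinfo->url, ...)` dereferences it a few lines later, so an allocation failure becomes a NULL dereference in the packet path; the ruledata allocation just above already shows the pattern, `if(!fileinfo) return(-1);`. The same function copies `sp->ip4_header->source` and `->destination` without confirming the packet is IPv4; if SFSnortPacket leaves ip4_header NULL for other address families (worth confirming against sf_snort_packet.h), an IPv6 HTTP request would crash here, so a guard on `sp->ip4_header` before the address copy is advisable. In extractHTTPClientHeaderVal the `result < 0 || result == PCRE_ERROR_NOMATCH` test is redundant because PCRE_ERROR_NOMATCH is itself negative, and `size` is a u_int32_t handed to pcre_exec's int length parameter, which merits a comment that payload sizes are assumed to fit in an int.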
@@ -0,0 +1,262 @@ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + +#ifdef HAVE_STRINGS_H +#include +#endif + +#include "sf_types.h" +#include +#include "rzb_http-client.h" +#include "rzb_debug.h" +#include "rzb_http-fileinfo.h" +#include "rzb_http-server.h" +#include "sf_ip.h" + +#include +#include + +int numfileinfostructsinuse = 0; + +u_int32_t nextfreestreaminfoidx = 0; +struct FILEINFOLISTELEM *fileinfolist[NUMSTREAMSTOTRACK]; + +void DumpFileInfo(FILEINFO *fileinfo) { + + char srcaddr[INET_ADDRSTRLEN], dstaddr[INET_ADDRSTRLEN]; + + if(fileinfo == NULL) { + DEBUGOUT(D_CRITICAL, printf("DumpFileInfo fileinfo is NULL!\n")); + return; + } + + // snort typedefs inet_ntoa to sfip_ntoa. We use inetaddrs. wtf. + sfip_raw_ntop(AF_INET, &fileinfo->saddr, srcaddr, sizeof(srcaddr)); + sfip_raw_ntop(AF_INET, &fileinfo->daddr, dstaddr, sizeof(dstaddr)); + + printf("/--- fileinfo start ---\n"); + printf("| url: %s\n", fileinfo->url); + printf("| hostname: %s\n", fileinfo->hostname); + printf("| saddr: %s\n", srcaddr); + printf("| daddr: %s\n", dstaddr); + printf("| filesize: %d\n", fileinfo->filesize); + printf("| amountstored: %d\n", fileinfo->amountstored); + printf("| bufferindex: %d\n", fileinfo->bufferindex); + printf("| filedata = %p\n", fileinfo->filedata); + + if(fileinfo->filedata != NULL) { + DEBUGOUT((D_FILE | D_WARN), prettyprint(fileinfo->filedata, fileinfo->filesize)); +#ifndef DEBUG + prettyprint(fileinfo->filedata, (fileinfo->filesize > 256) ? 
256 : fileinfo->filesize); +#endif + } + + printf("\\--- fileinfo end ---\n"); +} + + +int DumpFileInfoList(RULEDATA *ruledata) { + struct FILEINFOLISTELEM *tmp; + + printf("DumpFileInfoList, index %d\n", ruledata->streaminfoidx); + if(ruledata->streaminfoidx == INVALIDSTREAMIDX) { + printf("Invalid stream index!\n"); + return(-1); + } + + tmp = fileinfolist[ruledata->streaminfoidx]; + + if(tmp == NULL) { + printf("Head node is NULL!\n"); + return(-1); + } + + do { + DumpFileInfo(tmp->fileinfo); + } while((tmp = tmp->next)); + + return(1); +} + + +void FreeFileInfo(FILEINFO *fileinfo) { + if(fileinfo) { + if(fileinfo->filedata) { + //printf("Freeing file data 0x%08x\n", fileinfo->filedata); + free(fileinfo->filedata); + //fileinfo->filedata = NULL; + } + + free(fileinfo); + numfileinfostructsinuse--; + } + +// printf("FreeFileInfo numfileinfostructsinuse=%d\n", numfileinfostructsinuse); +} + +void FreeNRTStreamData(void *inptr) { + RULEDATA *ruledata = (RULEDATA *)inptr; + + printf("Freeing NRT stream data. Be afraid. 
Be very afraid.\n"); + + DEBUGOUT((D_CLIENT|D_SERVER|D_DEBUG), printf("FreeNRTStreamData enter\n")); + + if(!ruledata) { + DEBUGOUT((D_SERVER|D_CLIENT|D_DEBUG), printf(" inptr is NULL, exiting\n")); + return; + } + + FreeFileInfoList(ruledata); + + free(ruledata); +} + + +void FreeFileInfoList(RULEDATA *ruledata) { + + DEBUGOUT((D_CLIENT|D_SERVER|D_DEBUG), printf("FreeFileInfoList enter\n")); + + if(!ruledata) { + DEBUGOUT((D_SERVER|D_CLIENT|D_DEBUG), printf(" inptr is NULL, exiting\n")); + return; + } + + if(ruledata->streaminfoidx != INVALIDSTREAMIDX) { + while(fileinfolist[ruledata->streaminfoidx]) { + DEBUGOUT((D_DEBUG | D_SERVER), printf(" deleting %s\n", (fileinfolist[ruledata->streaminfoidx])->fileinfo->url)); + + DeleteFileInfoListHead(ruledata); + } + } + + ruledata->streaminfoidx = INVALIDSTREAMIDX; +} + +int AddFileInfoListElem(RULEDATA *ruledata, FILEINFO *fileinfo) { + struct FILEINFOLISTELEM *tmp, *addme; + + int i; + + DEBUGOUT((D_FILE | D_INFO), printf("AddFileInfoListElem enter\n")); + + if(ruledata->streaminfoidx == INVALIDSTREAMIDX) { + if(nextfreestreaminfoidx == OUTOFSTREAMINFOSTORAGE) { + DEBUGOUT(D_CRITICAL, printf("out of stream storage!\n")); + return(-1); + } + + ruledata->streaminfoidx = nextfreestreaminfoidx; + DEBUGOUT((D_FILE | D_DEBUG), printf("Using next open slot, at index %d\n", nextfreestreaminfoidx)); + + // Now let's find the next open index + i = nextfreestreaminfoidx + 1; + while(i < NUMSTREAMSTOTRACK) { + if(fileinfolist[i] == NULL) + break; + else + i++; + } + + if(i == NUMSTREAMSTOTRACK) { + i = 0; + while(i < nextfreestreaminfoidx) { + if(fileinfolist[i] == NULL) + break; + else + i++; + } + } + + // Out of additional storage + if(i == ruledata->streaminfoidx) + { + printf("Out of streaminfo storage\n"); + nextfreestreaminfoidx = OUTOFSTREAMINFOSTORAGE; + }else + nextfreestreaminfoidx = i; + + DEBUGOUT((D_FILE | D_DEBUG), printf("nextfreestreaminfoidx = %d\n", nextfreestreaminfoidx)); + } + + DEBUGOUT((D_FILE | D_DEBUG), 
printf("adding fileinfo at index %d\n", ruledata->streaminfoidx)); + + addme = calloc(1, sizeof(*addme)); + + if(addme == NULL) { + DEBUGOUT(D_CRITICAL, printf("Unable to allocate fileinfolistelem!\n")); + return(-1); + } + + addme->fileinfo = fileinfo; + addme->next = '\0'; + + tmp = fileinfolist[ruledata->streaminfoidx]; + + if(tmp) { + while(tmp->next) { + tmp = tmp->next; + } + + tmp->next = addme; + } else { + fileinfolist[ruledata->streaminfoidx] = addme; + } + + numfileinfostructsinuse++; +// printf("AddFileInfoListElem numfileinfostructsinuse=%d\n", numfileinfostructsinuse); + + return(1); +} + + +FILEINFO *PopFileInfo(RULEDATA *ruledata) { + struct FILEINFOLISTELEM *tmp; + FILEINFO *fileinfo; + + DEBUGOUT((D_FILE | D_INFO), printf("PopFileInfo enter\n")); + + if(ruledata->streaminfoidx == INVALIDSTREAMIDX) { + DEBUGOUT(D_CRITICAL, printf("PopFileInfo streaminfoidx is INVALIDSTREAMIDX!\n")); + return(NULL); + } + + tmp = fileinfolist[ruledata->streaminfoidx]; + + if(tmp == NULL) { + DEBUGOUT(D_CRITICAL, printf("PopFileInfo fileinfolist entry is NULL!\n")); + return(NULL); + } + + // Change the head + fileinfolist[ruledata->streaminfoidx] = tmp->next; + + // Grab the fileinfo and free the container + fileinfo = tmp->fileinfo; + free(tmp); + + DEBUGOUT((D_CLIENT | D_SERVER | D_INFO), printf("PopFileInfo freed fileinfo container at %p\n", tmp)); + + return(fileinfo); +} + + +int DeleteFileInfoListHead(RULEDATA *ruledata) { + FILEINFO *fileinfo; + + DEBUGOUT((D_FILE | D_INFO), printf("DeleteFileInfoListHead enter\n")); + + fileinfo = PopFileInfo(ruledata); + + DEBUGOUT((D_CLIENT | D_SERVER | D_INFO), printf("freeing fileinfo at %p\n", fileinfo)); + + if(fileinfo == NULL) + return(-1); + + FreeFileInfo(fileinfo); + + return(1); +} + + + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.h snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.h --- snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.h 1970-01-01 
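Review bot: `nextfreestreaminfoidx` is set to OUTOFSTREAMINFOSTORAGE in AddFileInfoListElem when the table fills, but nothing in this file clears it — FreeFileInfoList and PopFileInfo release slots without touching it — so once NUMSTREAMSTOTRACK sessions have been tracked concurrently, every later stream is rejected with "out of stream storage!" for the life of the process. Adding `if(nextfreestreaminfoidx == OUTOFSTREAMINFOSTORAGE) nextfreestreaminfoidx = ruledata->streaminfoidx;` inside FreeFileInfoList's `streaminfoidx != INVALIDSTREAMIDX` branch, after the while loop, hands the freed slot back. Two smaller points: PopFileInfo formats `tmp` with %p after `free(tmp)`, which reads an indeterminate pointer value, so log it before the free or log `fileinfo` instead; and `addme->next = '\0';` should be `addme->next = NULL;`. DumpFileInfo also prints the unsigned filesize, amountstored and bufferindex fields with %d where %u matches their declarations in rzb_http-fileinfo.h.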
00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.h 2011-02-09 23:23:21.000000000 +0000
@@ -0,0 +1,47 @@
+#ifndef NRT_FILEINFO_H
+#define NRT_FILEINFO_H
+
+#include
+#include "rzb_http.h"
+
+enum filereadstatus { ERROR = -1, WAITINGFORRESPONSEHEADER = 1, SERVERRETURNNOT200, SKIPTONEXTRESPONSE, WAITINGFORDATA, IGNORESTREAM };
+
+typedef struct _RULEDATA {
+ u_int32_t sid;
+ u_int32_t streaminfoidx;
+ enum filereadstatus state;
+} RULEDATA;
+
+typedef struct _FILEINFO {
+ char url[URLLEN];
+ char hostname[HOSTNAMELEN];
+ struct in_addr saddr;
+ struct in_addr daddr;
+ unsigned int filesize;
+ unsigned int amountstored;
+ unsigned int bufferindex;
+ unsigned char *filedata;
+ unsigned char md5[16];
+ int alert;
+} FILEINFO;
+
+struct FILEINFOLISTELEM {
+ FILEINFO *fileinfo;
+ struct FILEINFOLISTELEM *next;
+};
+
+int AddFileInfoListElem(RULEDATA *, FILEINFO *);
+void DumpFileInfo(FILEINFO *);
+int DumpFileInfoList(RULEDATA *);
+void FreeFileInfo(FILEINFO *);
+
+int DeleteFileInfoListHead(RULEDATA *);
+FILEINFO *PopFileInfo(RULEDATA *);
+void FreeFileInfoList(RULEDATA *);
+void FreeNRTStreamData(void *);
+
+extern int numfileinfostructsinuse;
+
+extern struct FILEINFOLISTELEM *fileinfolist[NUMSTREAMSTOTRACK];
+#endif
+
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/rzb_http.h snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http.h
--- snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/rzb_http.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http.h 2011-02-09 23:23:21.000000000 +0000
@@ -0,0 +1,15 @@ +#ifndef RZB_SAAC_H +#define RZB_SAAC_H + +#define SAAC_HTTP 6880 + +#define URLLEN 1000 +#define HOSTNAMELEN 256 +#define NUMSTREAMSTOTRACK 5000 + +#define NRTSID 0xa5a5a5a5 +#define INVALIDSTREAMIDX 0xFFFFFFFF +#define OUTOFSTREAMINFOSTORAGE 0xFFFFFFFF + +#endif // RZB_SAAC_H + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/rzb_http-server.c snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http-server.c --- snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/rzb_http-server.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http-server.c 2011-10-26 18:28:52.000000000 +0000 
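Review bot: `INVALIDSTREAMIDX` and `OUTOFSTREAMINFOSTORAGE` are both `0xFFFFFFFF`, so a caller receiving a slot index cannot tell "no slot assigned" from "slot table exhausted", and the second symbol is effectively an alias of the first. If that is intentional the header should say so, e.g. `#define OUTOFSTREAMINFOSTORAGE INVALIDSTREAMIDX /* same value: exhaustion is reported as an invalid slot */`; otherwise give it a distinct value and make the consumers test for it. A comment next to `NUMSTREAMSTOTRACK` noting that it sizes `fileinfolist[]` in rzb_http-fileinfo.h would also make clear that any per-stream allocation cap is multiplied by it.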
@@ -0,0 +1,402 @@ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + +#ifdef HAVE_STRINGS_H +#include +#endif + +#include "sf_types.h" +#include +#include "rzb_http-client.h" +#include "rzb_http-server.h" +#include "rzb_debug.h" +#include "rzb_http-fileinfo.h" +#include "rzb_http.h" + +#include "sf_snort_plugin_api.h" +#include "sfPolicyUserData.h" + +#include +#include +#include +#include + +int SkipToEndOfHTTPHeader(const u_int8_t **in_cursor, const u_int8_t *end_of_data) { + const u_int8_t *cursor = *in_cursor; + + while(cursor < end_of_data) { + while(cursor < end_of_data && *cursor++ != '\n'); + + if(cursor[0] == '\r' && cursor[1] == '\n') { + cursor += 2; + *in_cursor = cursor; + return(1); + } else if(cursor[0] == '\n') { + cursor++; + *in_cursor = cursor; + return(1); + } + } + + return(-1); +} + + +enum filereadstatus ReadFileData(const u_int8_t **in_cursor, const u_int8_t *end_of_data, FILEINFO *fileinfo) { + const u_int8_t *cursor = *in_cursor; + + u_int32_t amounttoalloc; + u_int32_t bytesavailable; + + const u_int8_t *end_of_file; + u_int8_t *filedataptr; + + if(cursor >= end_of_data) + return(ERROR); + + // Make sure we have somewhere to store our data + if((fileinfo->filedata) == NULL) { + // ZDNOTE Need to limit the amount of memory that will be allocated at a time. This may involve some + // ZDNOTE changes to the FILEINFO struct. + // ZDNOTE amounttoalloc = (fileinfo->filesize < MAXFILEALLOCCHUNK) ? fileinfo->filesize : MAXFILEALLOCCHUNK; + if(fileinfo->filesize > 100000000 /*ULONG_MAX*/) { + // ZDNOTE this will also trip on files for which we don't have a Content-Length header + DEBUGOUT((D_FILE | D_DEBUG), printf("ReadFileData filesize is >100M! 
Bailing!\n")); + return(ERROR); + } + + amounttoalloc = fileinfo->filesize; + + fileinfo->filedata = calloc(amounttoalloc, 1); + + if((fileinfo->filedata) == NULL) { + printf("ReadFileData unable to allocate file contents buffer!\n"); + return(ERROR); + } + + fileinfo->amountstored = 0; + fileinfo->bufferindex = 0; + } + + end_of_file = cursor + (fileinfo->filesize - fileinfo->amountstored); + if(end_of_file > end_of_data) { + end_of_file = end_of_data; + } + + bytesavailable = end_of_file - cursor; + + // ZDNOTE Need to verify there is enough space left in the buffer before copy + + filedataptr = &((fileinfo->filedata)[fileinfo->bufferindex]); + + while(cursor < end_of_file) { + *filedataptr++ = *cursor++; + } + + *in_cursor = cursor; + fileinfo->amountstored += bytesavailable; + fileinfo->bufferindex += bytesavailable; // ZDNOTE again, check buffer size + + DEBUGOUT((D_FILE | D_DEBUG), printf("Saved %d bytes. (%d/%d total)\n", bytesavailable, fileinfo->amountstored, fileinfo->filesize)); + + if(fileinfo->amountstored == fileinfo->filesize) + return(WAITINGFORRESPONSEHEADER); + else if(fileinfo->amountstored < fileinfo->filesize) + return(WAITINGFORDATA); + else + return(ERROR); +} + + +int CallDetectionFunction(FILEINFO *fileinfo) { + + BLOCK_META_DATA *mdata = NULL; + const unsigned char *tmp; + + // Init the metadata structure + if((mdata = calloc(1, sizeof(*mdata))) == NULL) { + perror("Error allocating mdata\n"); + return -1; + } + + // Fill in the required fields + mdata->timestamp = (unsigned int)time(NULL); + mdata->data = fileinfo->filedata; + mdata->size = fileinfo->filesize; + mdata->src_ip.ip.ipv4 = fileinfo->saddr; + mdata->src_ip.family = AF_INET; + mdata->dst_ip.ip.ipv4 = fileinfo->daddr; + mdata->dst_ip.family = AF_INET; + mdata->ip_proto = 6; + mdata->src_port = 25; + mdata->dst_port = 8000; + tmp = rzb_collection.file_type_lookup(fileinfo->filedata, fileinfo->filesize); + uuid_copy(mdata->datatype, tmp); + +// DEBUGOUT((D_DETECT | D_INFO), 
printf("CallDetectionFunction enter\n")); + + // ZDNOTE Dunno what to do, so we're just going to... + printf("Calling detection function with following file information:\n"); + DumpFileInfo(fileinfo); + + rzb_collection.sendData(mdata); + + fileinfo->filedata = NULL; + fileinfo->filesize = 0; + + return(0); +} + + +enum filereadstatus ProcessServerHeader(const u_int8_t **in_cursor, const u_int8_t *end_of_data, FILEINFO *fileinfo) { + const u_int8_t *cursor = *in_cursor; + + if(cursor + 15 >= end_of_data) { + DEBUGOUT(D_CRITICAL, printf("ProcessServerHeader not enough data!\n")); + return(ERROR); + } + + // Check for HTTP/1.[01] header + if( (strncasecmp((const char *)cursor, "http/1.", 7) != 0) || (cursor[7] != '0' && cursor[7] != '1')) + { + DEBUGOUT(D_CRITICAL, printf("ProcessServerHeader not a valid HTTP version\n")); + return(ERROR); + } + + cursor += 8; + + while(cursor < end_of_data && *cursor == ' ') + cursor++; + + if(cursor + 6 >= end_of_data) { + DEBUGOUT(D_CRITICAL, printf("ProcessServerHeader not enough data 2!\n")); + return(ERROR); + } + + if( memcmp(cursor, "200", 3) != 0) + { +// DEBUGOUT((D_FILE | D_DEBUG), printf("Unhandled response code: %c%c%c%c%c\n", cursor[-2], cursor[-1], cursor[0], cursor[1], cursor[2])); +// DEBUGOUT((D_SERVER | D_WARN), printf("ProcessServerHeader not 200 response (is %c%c%d)\n", *(cursor-3), *(cursor-2), *(cursor-1))); + DEBUGOUT((D_SERVER | D_WARN), printf("ProcessServerHeader not 200 response (is %c%c%d)\n", *cursor, *(cursor+1), *(cursor+2))); + *in_cursor = cursor; + return(SERVERRETURNNOT200); // ZDNOTE We really need to handle other codes to skip over data + } + + cursor += 3; + // ZDNOTE Don't know if it matters, but we're not caring about the response message + + // Now, we're going to see if we can find a Content-Length header. + // By definition, it has to be at the start of a line. 
So, we're just going + // To look for newlines and every time we find one, see if we're now looking + // at Content-Length: + while(cursor < end_of_data) { + while(cursor < end_of_data && *cursor++ != '\n'); // Find next newline + + // No Content-Length: header. + if(cursor + 16 >= end_of_data) { + DEBUGOUT((D_SERVER | D_EMERG), printf("No content-length header\n")); + //SkipToEndOfHTTPHeader(&cursor, end_of_data); + fileinfo->filesize = UINT_MAX; + break; //return(WAITINGFORDATA); // ZDNOTE bug if header spans packets. INHTTPHEADERS state?? + } + if( strncasecmp((const char *)cursor, "content-length:", 15) == 0 ) + { + cursor += 15; + if(cursor + 10 <= end_of_data) { + fileinfo->filesize = strtoul((char *)cursor, (char**)(&cursor), 10); // ignores preceeding whitespace + } + + DEBUGOUT((D_SERVER | D_DEBUG), printf("Found content-length. Filesize = %d\n", fileinfo->filesize)); + + SkipToEndOfHTTPHeader(&cursor, end_of_data); + break; + + } else if(cursor[0] == '\r' && cursor[1] == '\n') { + cursor += 2; + break; + } else if(cursor[0] == '\n') { + cursor++; + break; + } + } + + *in_cursor = cursor; + + return(WAITINGFORDATA); +} + + +int ProcessFromServer(SFSnortPacket *sp) { + RULEDATA *ruledata; + + int result; + + const u_int8_t *cursor = sp->payload; + const u_int8_t *end_of_data; + + FILEINFO *currentfile; + +// u_int32_t remaining_data = 0; + + DEBUGOUT((D_SERVER | D_INFO), printf("ProcessFromServer enter\n")); + DEBUGOUT((D_PACKET | D_WARN), prettyprint(sp->payload, sp->payload_size)); + + ruledata = _dpd.streamAPI->get_application_data(sp->stream_session_ptr, SAAC_HTTP); + + if(!ruledata) { + DEBUGOUT((D_SERVER | D_DEBUG), printf("ProcessFromServer: no rule data!\n")); + return(-1); + } else if(ruledata->sid != NRTSID) { + DEBUGOUT((D_SERVER | D_WARN), printf("Not our data! 
(sid %d/0x%08x)\n", ruledata->sid, ruledata->sid)); + return(-1); + } else if(IsStreamIgnored(ruledata)) { + DEBUGOUT((D_SERVER | D_WARN), printf("ProcessFromServer: stream is ignored\n")); + return(-1); + } + + + if(fileinfolist[ruledata->streaminfoidx] == NULL) { + printf("Craptacular, the fileinfolist is NULL, ruledata->streaminfoidx = %d\n", ruledata->streaminfoidx); + DEBUGOUT(D_CRITICAL, printf("ProcessFromServer fileinfolist[ruledata->streaminfoidx] is NULL!\n")); + return(-1); + } + + currentfile = (fileinfolist[ruledata->streaminfoidx])->fileinfo; + + if(currentfile == NULL) { + DEBUGOUT(D_CRITICAL, printf("ProcessFromServer head fileinfo is NULL!\n")); + return(-1); + } + + cursor = sp->payload; +// dataremaining = sp->dsize; + end_of_data = sp->payload + sp->payload_size; + + while(cursor < end_of_data && !IsStreamIgnored(ruledata)) { + switch(ruledata->state) { + case WAITINGFORRESPONSEHEADER: + // We're currently waiting for the server to answer our request + // ProcessServerHeader moves the cursor to the beginning of the response body + // ...unless the header bridges packets. This will be a bug. 
ZDNOTE + result = ProcessServerHeader(&cursor, end_of_data, currentfile); + + DEBUGOUT((D_SERVER | D_INFO), printf("return from ProcessServerResponse() was %d\n", result)); + DEBUGOUT((D_SERVER | D_WARN), DumpFileInfo(currentfile)); + + switch(result) { + case WAITINGFORDATA: + // Successfully processed header, now waiting for data + ruledata->state = WAITINGFORDATA; + break; + + case SERVERRETURNNOT200: + case IGNORESTREAM: + case ERROR: + default: + DEBUGOUT(D_CRITICAL, printf("ProcessServerHeader() unhandled response code (%d)\n", result)); + IgnoreStream(ruledata); + //cursor = end_of_data; + break; + } + break; + + case WAITINGFORDATA: + result = ReadFileData(&cursor, end_of_data, currentfile); + + switch(result) { + case WAITINGFORDATA: + // Nothing's changed regarding state + break; + + case WAITINGFORRESPONSEHEADER: + + DEBUGOUT((D_DEBUG | D_SERVER), printf("WE HAVE A COMPLETE FILE! ruledata=%p, streaminfoidx=%d\n", ruledata, ruledata->streaminfoidx)); + DEBUGOUT((D_DEBUG | D_SERVER), DumpFileInfoList(ruledata)); + + // This means we got all of our data. Call the detection function. + CallDetectionFunction(currentfile); + + // Get the current file off of the stack + PopFileInfo(ruledata); + + // And grab the next file on the list + if(fileinfolist[ruledata->streaminfoidx]) + currentfile = (fileinfolist[ruledata->streaminfoidx])->fileinfo; + else + currentfile = NULL; // ZDNOTE hm.... + + IgnoreStream(ruledata); // POC1 for now we're ignoring pipelining + + //cursor = end_of_data; + //ruledata->state = IGNORESTREAM; + break; + + default: + DEBUGOUT(D_CRITICAL, printf("ProcessFromServer Unhandled response from ReadFileData (%d)\n", result)); + IgnoreStream(ruledata); + //cursor = end_of_data; + break; + } + + break; + + case SKIPTONEXTRESPONSE: + // Read data, skipping until we find a server response. + // We can totally cheat if we know a content length. +// break; + + default: + DEBUGOUT(D_CRITICAL, printf("ProcessFromServer Unhandled ruledate state (%d). 
Bailing.\n", ruledata->state)); + IgnoreStream(ruledata); + //cursor = end_of_data; + break; + } + } + +// _dpd.alertAdd(GENERATOR_NRT, DST_PORT_MATCH, +// 1, 0, 3, DST_PORT_MATCH_STR, 0); + + if(IsStreamIgnored(ruledata)) + return(-1); + else + return(0); +} + + +// Partially debug / hackery, partially something we'll probably want to keep +void IgnoreStream(RULEDATA *ruledata) { + + if(ruledata == NULL) + return; + + DEBUGOUT((D_DEBUG | D_SERVER), printf("Clearing streaminfoidx %d (%p)\n", ruledata->streaminfoidx, ruledata)); + + // Set state to ignore and clear out the list + ruledata->state = IGNORESTREAM; + + FreeFileInfoList(ruledata); + +// if(ruledata->streaminfoidx == INVALIDSTREAMIDX) { +// DEBUGOUT((D_DEBUG | D_SERVER), printf(" INVALIDSTREAMIDX, exiting\n")); +// return; +// } +// +// while(fileinfolist[ruledata->streaminfoidx]) { +// DEBUGOUT((D_DEBUG | D_SERVER), printf(" popping %s\n", (fileinfolist[ruledata->streaminfoidx])->fileinfo->url)); +// +// DeleteFileInfoListHead(ruledata); +//// printf("ZDNOTE MEMORY LEAK! Setting pointer to NULL.\n"); +//// fileinfolist[ruledata->streaminfoidx] = NULL; +// } +// +// ruledata->streaminfoidx = INVALIDSTREAMIDX; +} + +int IsStreamIgnored(RULEDATA *ruledata) { + if(ruledata == NULL || ruledata->state == IGNORESTREAM || ruledata->streaminfoidx == INVALIDSTREAMIDX) + return(1); + + return(0); +} + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/rzb_http-server.h snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http-server.h --- snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/rzb_http-server.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http-server.h 2011-02-09 23:23:21.000000000 +0000 
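Review bot: In `SkipToEndOfHTTPHeader` the inner `while(cursor < end_of_data && *cursor++ != '\n');` can leave `cursor == end_of_data`, and the following `cursor[0]`/`cursor[1]` tests then read past the payload (`cursor[1]` also overruns when exactly one byte remains); the same `cursor[0] == '\r' && cursor[1] == '\n'` pattern appears in the header loop of `ProcessServerHeader`, where it is shielded only by the earlier `cursor + 16 >= end_of_data` bail-out. The rewrite below bounds both reads. `ReadFileData` sizes its `calloc` straight from the peer-supplied Content-Length (anything up to 100,000,000 bytes per stream, across up to NUMSTREAMSTOTRACK streams), so a hard per-stream and global cap is needed rather than the ZDNOTE, and the `strtoul` in `ProcessServerHeader` runs on an unterminated payload and can scan past `end_of_data` when the digits reach the buffer end. In `ProcessFromServer` the `FILEINFO` returned by `PopFileInfo(ruledata)` after a completed file is discarded rather than freed — `DeleteFileInfoListHead(ruledata)` already does the pop-and-free, and `CallDetectionFunction` has nulled `filedata` beforehand so that free is safe. `rzb_collection.file_type_lookup`'s return value in `CallDetectionFunction` goes to `uuid_copy` without a NULL check.
```c
int SkipToEndOfHTTPHeader(const u_int8_t **in_cursor, const u_int8_t *end_of_data) {
    const u_int8_t *cursor = *in_cursor;

    while(cursor < end_of_data) {
        while(cursor < end_of_data && *cursor++ != '\n');

        // The inner loop may have consumed the last byte; never index at or past end_of_data
        if(cursor >= end_of_data)
            break;

        if(cursor[0] == '\n') {
            cursor++;
            *in_cursor = cursor;
            return(1);
        }
        if(cursor + 1 < end_of_data && cursor[0] == '\r' && cursor[1] == '\n') {
            cursor += 2;
            *in_cursor = cursor;
            return(1);
        }
    }

    return(-1);
}
```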
@@ -0,0 +1,19 @@ +#ifndef NRT_SERVER_H +#define NRT_SERVER_H + +#include +#include "rzb_http-fileinfo.h" + +#include "sf_snort_packet.h" + +int ProcessFromServer(SFSnortPacket *); +enum filereadstatus ProcessServerHeader(const u_int8_t **, const u_int8_t *, FILEINFO *); +enum filereadstatus ReadFileData(const u_int8_t **, const u_int8_t *, FILEINFO *); +int SkipToEndOfHTTPHeader(const u_int8_t **, const u_int8_t *); +int CallDetectionFunction(FILEINFO *); + +int IsStreamIgnored(RULEDATA *); +void IgnoreStream(RULEDATA *); + +#endif + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.c snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.c --- snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.c 2011-10-26 18:28:52.000000000 +0000 
@@ -0,0 +1,219 @@ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + +#ifdef HAVE_STRINGS_H +#include +#endif + +#include "sf_types.h" +#include "sf_snort_packet.h" +#include "sf_dynamic_preprocessor.h" +#include "sfPolicyUserData.h" + +#include +#include +#include + +#include + +#include +#include "rzb_smtp-collector.h" +#include "rzb_debug.h" + +#define SAAC_SMTP 6825 + +#ifndef RULE_MATCH + #define RULE_MATCH 1 +#endif + +#ifndef RULE_NOMATCH + #define RULE_NOMATCH -1 +#endif + +#define SMTPDUMPERID 2525 + +#define DISPLAY_DEMO_OUTPUT + +#define SMTPCAP_INITSIZE 30000 +#define SMTPCAP_MAXSIZE 15000000 + +typedef struct { + u_int32_t sid; + u_int32_t totalsize; + u_int32_t storedsize; + u_int8_t *clientdata; +} smtpcapture; + + +void smtpdumper_freedata(smtpcapture *sessiondata) { + + //printf("SMTPDUMP smtpdumper_freedata enter\n"); + + if(!sessiondata) { + //printf("SMTPDUMP sessiondata is NULL!\n"); + return; + } + + if(sessiondata->clientdata) { + free(sessiondata->clientdata); + } else { + //printf("SMTPDUMP sessiondata->clientdata is NULL!\n"); + } + + free(sessiondata); +} + +void smtpdumper_calldetection(void *dataptr) { + + BLOCK_META_DATA *mdata = NULL; + + smtpcapture *smtpcapturedata = (smtpcapture*)dataptr; + + //printf("SMTPDUMP smtpdumper_calldetection enter\n"); + + if(!dataptr) { + //printf("SMTPDUMP dataptr is NULL!\n"); + return; + } + + if(smtpcapturedata->clientdata) { + +// printf("SMTPDUMP Calling sendData() with the following data (%d bytes):\n\n", ((smtpcapture*)(dataptr))->storedsize); +#ifdef DISPLAY_DEMO_OUTPUT + prettyprint(smtpcapturedata->clientdata, smtpcapturedata->storedsize); + printf("\n\n"); +#endif + + mdata = calloc(1, sizeof(*mdata)); + if(mdata == NULL) return; + + // Fill in the required fields + mdata->timestamp = (unsigned int)time(NULL); + mdata->data = smtpcapturedata->clientdata; + mdata->size = smtpcapturedata->storedsize; +// mdata->src_ip = 0x01010101; +// mdata->dst_ip = 0x02020202; + 
mdata->ip_proto = 6; + mdata->src_port = 25; + mdata->dst_port = 8000; + + uuid_copy(mdata->datatype, MAIL_CAPTURE); + + rzb_collection.sendData(mdata); + + } else { + //printf("SMTPDUMP dataptr->clientdata is NULL!\n"); + } + + //printf("SMTPDUMP Freeing session data\n"); + // Data is freed by sendData; we just need to clear out the rest of the structure. + // We can accomplish this by setting clientdata to NULL so we don't do the doublefree + smtpcapturedata->clientdata = NULL; + smtpdumper_freedata(smtpcapturedata); + +} + + +/* detection functions */ +int smtpdumpereval(SFSnortPacket *sp) { + const u_int8_t *cursor_normal, *end_of_payload = 0; +// Packet *sp = (Packet *) p; + + smtpcapture *sessiondata = NULL; + u_int8_t *tmpdataptr; // For realloc()s + + u_int32_t incoming_data_size = 0; + + //printf("SMTPDUMP smtpdumpereval enter\n"); + + if(sp == NULL) + return RULE_NOMATCH; + + if(sp->payload == NULL) + return RULE_NOMATCH; + + sessiondata = _dpd.streamAPI->get_application_data(sp->stream_session_ptr, SAAC_SMTP); + + //printf("SMTPDUMP sessiondata = %p\n", sessiondata); + + if(sessiondata) { + if(sessiondata->sid != SMTPDUMPERID) { + printf("SMTPDUMP Someone else's data!\n"); + return RULE_NOMATCH; + } + + if(sessiondata->storedsize >= SMTPCAP_MAXSIZE) { + printf("SMTPDUMP Already have SMTPCAP_MAXSIZE(%d) bytes of data\n", SMTPCAP_MAXSIZE); + return RULE_NOMATCH; + } + } else { + + sessiondata = (smtpcapture*)calloc(1, sizeof(smtpcapture)); + + if(!sessiondata) { + printf("SMTPDUMP sessiondata malloc failed!\n"); + return RULE_NOMATCH; + } + + sessiondata->sid = SMTPDUMPERID; + sessiondata->clientdata = (u_int8_t*)malloc(SMTPCAP_INITSIZE); + + if(!sessiondata->clientdata) { + printf("SMTPDUMP sessiondata->clientdata malloc failed!\n"); + smtpdumper_freedata(sessiondata); + return RULE_NOMATCH; + } + + sessiondata->totalsize = SMTPCAP_INITSIZE; + sessiondata->storedsize = 0; + + //printf("SMTPDUMP storing rule data\n"); + + 
_dpd.streamAPI->set_application_data(sp->stream_session_ptr, SAAC_SMTP, sessiondata, &smtpdumper_calldetection); + //printf("SMTPDUMP stored rule data\n"); + } + + cursor_normal = sp->payload; + end_of_payload = sp->payload + sp->payload_size; + + incoming_data_size = sp->payload_size; //end_of_payload - cursor_normal; + + //printf("SMTPDUMP incoming_data_size = %d\n", incoming_data_size); + + // Check if we have enough room for the incoming data + if(incoming_data_size > (sessiondata->totalsize - sessiondata->storedsize)) { + // We've previously ensured we are not already overcapped on data + + //printf("SMTPDUMP reallocating to %d bytes\n", sessiondata->totalsize * 2); + + // Double our amount of storage + tmpdataptr = realloc(sessiondata->clientdata, sessiondata->totalsize * 2); + + if(!tmpdataptr) { + // If there is not enough available memory, realloc() returns a null pointer and sets errno to [ENOMEM]. + if(errno == ENOMEM) { + smtpdumper_freedata(sessiondata); + return(RULE_NOMATCH); + } else { + printf("SMTPDUMP realloc() failed but I dunno wtf\n"); + smtpdumper_freedata(sessiondata); + return(RULE_NOMATCH); + } + } + + sessiondata->clientdata = tmpdataptr; + sessiondata->totalsize *= 2; + + //printf("SMTPDUMP totalsize is now %d\n", sessiondata->totalsize); + } + + // We have enough room, so store the data + //printf("SMTPDUMP storing %d bytes at %p\n", incoming_data_size, &((sessiondata->clientdata)[sessiondata->storedsize])); + memcpy(&((sessiondata->clientdata)[sessiondata->storedsize]), cursor_normal, incoming_data_size); + sessiondata->storedsize += incoming_data_size; + //printf("SMTPDUMP stored size is now %d\n", sessiondata->storedsize); + + return RULE_NOMATCH; +} + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.h snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.h --- snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.h 1970-01-01 00:00:00.000000000 +0000 +++ 
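Review bot: The growth step in `smtpdumpereval` doubles `totalsize` exactly once, but the test `incoming_data_size > totalsize - storedsize` does not guarantee that `totalsize * 2 - storedsize >= incoming_data_size`; with `storedsize` near 30000 and a rebuilt-stream payload larger than about 31000 bytes the following `memcpy` writes past `clientdata` — a heap overflow driven by peer-supplied data. The buffer should grow until the payload fits and honour `SMTPCAP_MAXSIZE` on the way up, as in the rewrite below. On the realloc-failure path `smtpdumper_freedata(sessiondata)` frees the struct while the stream still references it through `set_application_data`, so the registered callback `smtpdumper_calldetection` later runs on freed memory; either keep the struct alive and only drop the payload, or clear the stream's reference first (the exact stream-API call for that is not visible here). `mdata->src_port = 25` / `mdata->dst_port = 8000` are constants rather than the packet's ports; if that is a demo placeholder, a comment saying so would help the next reader.
```c
    // Check if we have enough room for the incoming data
    if(incoming_data_size > (sessiondata->totalsize - sessiondata->storedsize)) {
        u_int32_t newsize = sessiondata->totalsize;

        // Grow until the whole payload fits, never beyond the capture cap
        while(newsize - sessiondata->storedsize < incoming_data_size) {
            if(newsize >= SMTPCAP_MAXSIZE) {
                printf("SMTPDUMP payload would exceed SMTPCAP_MAXSIZE, not storing\n");
                return RULE_NOMATCH;
            }
            newsize = (newsize > SMTPCAP_MAXSIZE / 2) ? SMTPCAP_MAXSIZE : newsize * 2;
        }

        tmpdataptr = realloc(sessiondata->clientdata, newsize);
        // … unchanged: realloc failure handling …
        sessiondata->clientdata = tmpdataptr;
        sessiondata->totalsize = newsize;
    }
```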
snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.h 2011-02-09 23:23:22.000000000 +0000 @@ -0,0 +1,9 @@ +#ifndef __RZB_SMTP_DUMP_H__ +#define __RZB_SMTP_DUMP_H__ + +#include "sf_snort_packet.h" + +int smtpdumpereval(SFSnortPacket *); + +#endif // __RZB_SMTP_DUMP_H__ + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/spp_rzb-saac.c snort-2.9.2/src/dynamic-preprocessors/rzb_saac/spp_rzb-saac.c --- snort-2.8.5.2/src/dynamic-preprocessors/rzb_saac/spp_rzb-saac.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/spp_rzb-saac.c 2011-10-26 18:28:52.000000000 +0000 
@@ -0,0 +1,200 @@ +/* +** Copyright (C) 2005-2009 Sourcefire, Inc. +** Copyright (C) 1998-2005 Martin Roesch +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License Version 2 as +** published by the Free Software Foundation. You may not use, modify or +** distribute this program under any other version of the GNU General +** Public License. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, RZBston, MA 02111-1307, USA. +*/ + +/* $Id$ */ +/* Snort Preprocessor Plugin Source File RZB */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + +#ifdef HAVE_STRINGS_H +#include +#endif + +#include +#include +#include +#include + +#include "sf_types.h" +#include "preprocids.h" +#include "sf_snort_packet.h" +#include "sf_dynamic_preproc_lib.h" +#include "sf_dynamic_preprocessor.h" +#include "snort_debug.h" +#include "sfPolicy.h" +#include "sfPolicyUserData.h" +#include "sf_preproc_info.h" + +#define CONF_SEPARATORS " \t\n\r" +#define RZB_CONF "rzb_conf" + +#define PP_SAAC 6868 + +#include +#include "rzb_smtp-collector.h" +#include "rzb_http-server.h" +#include "rzb_http-client.h" + +#define RZB_COLLECT_DISP_GID 3535 +#define RZB_COLLECT_DISP_SID 3535 +#define RZB_COLLECT_DISP_MESG "Bad file found" + +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 0; +const int BUILD_VERSION = 1; +const char *PREPROC_NAME = "SF_RZB_SaaC_Preprocessor"; + +#define SetupRZB DYNAMIC_PREPROC_SETUP + +void * dlHandle = NULL; // For the API library + +static void RZBCleanExit(int, void *); +static void 
RZBProcess(void *, void *); + +/* list of function prototypes for this preprocessor */ +static void RZBInit(char *); + +#ifdef SNORT_RELOAD +static void RZBReload(char *); +static void * RZBReloadSwap(void); +static void RZBReloadSwapFree(void *); +#endif + +extern char *maxToken; + +void __attribute__((constructor)) detect_init() { + + printf("Razorback SaaC Initializing.\n"); + + init_HTTP_PCREs(); +} + +void __attribute__((destructor)) detect_fini() { + printf("Razorback SaaC shutting down\n"); +} + +static void RZBCleanExit(int signal, void *unused) { + rzb_collection.finiRZB(10); +} + +#ifdef SNORT_RELOAD +static void RZBReload(char *args) { + printf("Razorback SaaC RZBReload() not implemented\n"); +} + +static void * RZBReloadSwap(void) { + printf("Razorback SaaC RZBReloadSwap() not implemented\n"); + return NULL; +} + +static void RZBReloadSwapFree(void *data) { + printf("Razorback SaaC RZBReloadSwapFree() not implemented\n"); +} +#endif + + +void RZBProcess(void *p, void *context) +{ + SFSnortPacket *sp = (SFSnortPacket *)p; + + if(!sp->ip4_header || sp->ip4_header->proto != IPPROTO_TCP || !sp->tcp_header) + { + /* Not for me, return */ + return; + } + + // Only rebuilt packets from server + if (sp->src_port == 80 && !(sp->flags & FLAG_REBUILT_STREAM) && sp->payload_size != 0) + { + ProcessFromServer(sp); + return; + } + + // No rebuilt packets to server, and only packets with data + if(sp->dst_port == 80 && !(sp->flags & FLAG_REBUILT_STREAM) && sp->payload_size != 0) + { + ProcessFromClient(sp); + return; + } + + if(sp->dst_port == 25 && (sp->flags & FLAG_REBUILT_STREAM) && sp->payload_size != 0) + { + smtpdumpereval(sp); + return; + } + + return; +} + +static int functionsRegistered = 0; + +static void RZBInit(char *args) +{ + if ((args == NULL) || (strlen(args) == 0)) + { + DynamicPreprocessorFatalMessage("%s(%d) No arguments to RZB SaaC configuration.\n", *_dpd.config_file, *_dpd.config_line); + } + + if (!functionsRegistered) + { + char *pcToken; + + 
pcToken = strtok(args, CONF_SEPARATORS); + if (!pcToken) + { + DynamicPreprocessorFatalMessage("%s(%d)strtok returned NULL when it should not.\n", __FILE__, __LINE__); + } + if (strcmp(RZB_CONF, pcToken) == 0) + { + pcToken = strtok(NULL, CONF_SEPARATORS); + if (!pcToken) + { + DynamicPreprocessorFatalMessage("%s(%d)strtok returned NULL when it should not.\n", __FILE__, __LINE__); + } + rzb_collection.initRZB(pcToken); + } + else + { + DynamicPreprocessorFatalMessage("%s(%d) Invalid arguments to RZB SaaC configuration.\n", *_dpd.config_file, *_dpd.config_line); + } + + _dpd.addPreprocExit(RZBCleanExit, NULL, PRIORITY_LAST, PP_SAAC); + _dpd.addPreproc(RZBProcess, PRIORITY_TUNNEL, PP_SAAC, PROTO_BIT__TCP); + functionsRegistered = 1; + } + else + { + DynamicPreprocessorFatalMessage("%s(%d) More than one RZB SaaC configuration.\n", *_dpd.config_file, *_dpd.config_line); + } +} + +void SetupRZB(void) +{ + /* link the preprocessor keyword to the init function in + the preproc list */ +#ifndef SNORT_RELOAD + _dpd.registerPreproc("rzb", RZBInit); +#else + _dpd.registerPreproc("rzb", RZBInit, RZBReload, RZBReloadSwap, RZBReloadSwapFree); +#endif +} + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sdf/Makefile.am snort-2.9.2/src/dynamic-preprocessors/sdf/Makefile.am --- snort-2.8.5.2/src/dynamic-preprocessors/sdf/Makefile.am 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/sdf/Makefile.am 2011-07-13 22:44:51.000000000 +0000 
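Review bot: In `RZBProcess` the comment on the server branch says "Only rebuilt packets from server" but the condition is `!(sp->flags & FLAG_REBUILT_STREAM)`, identical to the client branch, so either the comment or the flag test is inverted; since `ProcessServerHeader` in rzb_http-server.c assumes the whole response header sits in one buffer, feeding it raw (non-reassembled) segments is exactly what keeps its header-spanning-packets ZDNOTE a live problem. Whichever is intended, make the comment and the test agree, e.g. `// Raw (non-reassembled) segments from the server only`. The ports 80 and 25 in the three dispatch tests and the `10` in `rzb_collection.finiRZB(10)` are magic numbers, and `RZBInit` accepts only a single `rzb_conf` token, so none of them can be changed without a rebuild — named constants (`#define RZB_HTTP_PORT 80` and the like) would at least document them. The forward declaration `static void RZBProcess(void *, void *);` and the definition `void RZBProcess(...)` disagree on the storage class; the linkage is still internal, but writing `static` on the definition too removes the question.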
@@ -0,0 +1,36 @@ +## $Id +AUTOMAKE_OPTIONS=foreign no-dependencies + +INCLUDES = -I../include -I${srcdir}/../libs + +libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor + +lib_LTLIBRARIES = libsf_sdf_preproc.la + +libsf_sdf_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +if SO_WITH_STATIC_LIB +libsf_sdf_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +else +nodist_libsf_sdf_preproc_la_SOURCES = \ +../include/sf_dynamic_preproc_lib.c \ +../include/sfPolicyUserData.c +endif + +libsf_sdf_preproc_la_SOURCES = \ +spp_sdf.c \ +spp_sdf.h \ +sdf_pattern_match.c \ +sdf_pattern_match.h \ +sdf_credit_card.c \ +sdf_credit_card.h \ +sdf_us_ssn.c \ +sdf_us_ssn.h \ +sdf_detection_option.c \ +sdf_detection_option.h + +EXTRA_DIST = \ +sf_sdf.dsp + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sdf/Makefile.in snort-2.9.2/src/dynamic-preprocessors/sdf/Makefile.in --- snort-2.8.5.2/src/dynamic-preprocessors/sdf/Makefile.in 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/sdf/Makefile.in 2011-12-07 19:23:20.000000000 +0000 
@@ -0,0 +1,557 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/dynamic-preprocessors/sdf +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 
+am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(libdir)" +LTLIBRARIES = $(lib_LTLIBRARIES) +@SO_WITH_STATIC_LIB_TRUE@libsf_sdf_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la +am_libsf_sdf_preproc_la_OBJECTS = spp_sdf.lo sdf_pattern_match.lo \ + sdf_credit_card.lo sdf_us_ssn.lo sdf_detection_option.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_sdf_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo +libsf_sdf_preproc_la_OBJECTS = $(am_libsf_sdf_preproc_la_OBJECTS) \ + $(nodist_libsf_sdf_preproc_la_OBJECTS) +libsf_sdf_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libsf_sdf_preproc_la_LDFLAGS) $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = +am__depfiles_maybe = +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) 
$(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libsf_sdf_preproc_la_SOURCES) \ + $(nodist_libsf_sdf_preproc_la_SOURCES) +DIST_SOURCES = $(libsf_sdf_preproc_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ +CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAINT = @MAINT@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ 
+RAZORBACK_LIBS = @RAZORBACK_LIBS@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ +STRIP = @STRIP@ +VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ +YACC = @YACC@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +extra_incl = @extra_incl@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +AUTOMAKE_OPTIONS = foreign no-dependencies +lib_LTLIBRARIES = libsf_sdf_preproc.la +libsf_sdf_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ 
+@SO_WITH_STATIC_LIB_TRUE@libsf_sdf_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_sdf_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c + +libsf_sdf_preproc_la_SOURCES = \ +spp_sdf.c \ +spp_sdf.h \ +sdf_pattern_match.c \ +sdf_pattern_match.h \ +sdf_credit_card.c \ +sdf_credit_card.h \ +sdf_us_ssn.c \ +sdf_us_ssn.h \ +sdf_detection_option.c \ +sdf_detection_option.h + +EXTRA_DIST = \ +sf_sdf.dsp + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/sdf/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-preprocessors/sdf/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-libLTLIBRARIES: $(lib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } + +uninstall-libLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ + done + +clean-libLTLIBRARIES: + -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) + @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done 
+libsf_sdf_preproc.la: $(libsf_sdf_preproc_la_OBJECTS) $(libsf_sdf_preproc_la_DEPENDENCIES) + $(libsf_sdf_preproc_la_LINK) -rpath $(libdir) $(libsf_sdf_preproc_la_OBJECTS) $(libsf_sdf_preproc_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +.c.o: + $(COMPILE) -c $< + +.c.obj: + $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: + $(LTCOMPILE) -c -o $@ $< + +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test 
-n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) all-local +installdirs: + for dir in "$(DESTDIR)$(libdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-libLTLIBRARIES + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-libLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-libLTLIBRARIES install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-libLTLIBRARIES + + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sdf/sdf_credit_card.c snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_credit_card.c --- snort-2.8.5.2/src/dynamic-preprocessors/sdf/sdf_credit_card.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_credit_card.c 2011-10-26 18:28:52.000000000 +0000 
@@ -0,0 +1,135 @@
+/*
+** Copyright (C) 2009-2011 Sourcefire, Inc.
+**
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License Version 2 as
+** published by the Free Software Foundation. You may not use, modify or
+** distribute this program under any other version of the GNU General
+** Public License.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "sf_types.h"
+#include "spp_sdf.h"
+#include "sdf_credit_card.h"
+#include
+#include
+#include
+
+/* Check the Issuer Identification Number of a CC#. */
+static inline int CheckIssuers(char *cardnum, uint32_t buflen)
+{
+ if (cardnum == NULL || buflen < ISSUER_SIZE)
+ return 0;
+
+ /* Visa */
+ if (cardnum[0] == '4')
+ return 1;
+
+ /* Mastercard */
+ if ((cardnum[0] == '5') &&
+ (cardnum[1] > '0') &&
+ (cardnum[1] < '6'))
+ return 1;
+
+ /* Amex */
+ if ((cardnum[0] == '3') &&
+ (cardnum[1] == '4' || cardnum[1] == '7'))
+ return 1;
+
+ /* Discover */
+ if (cardnum[0] == '6' && cardnum[1] == '0' && cardnum[2] == '1' && cardnum[3] == '1')
+ return 1;
+
+ return 0;
+}
+
+/* This function takes a string representation of a credit card number and
+ * checks that it's a valid number. The number may contain spaces or dashes.
+ *
+ * Returns: 1 on match, 0 otherwise.
+ */
+int SDFLuhnAlgorithm(char *buf, uint32_t buflen, struct _SDFConfig *config)
+{
+ int i, digits, alternate, sum, val;
+ char cc_digits[CC_COPY_BUF_LEN]; /* Normalized CC# string */
+ uint32_t j;
+
+ if (buf == NULL || buflen < MIN_CC_BUF_LEN)
+ return 0;
+
+ /* The buffer has two non-digits, one on either side. Strip these out. */
+ buf++;
+ buflen -= 2;
+
+ /* If the first digit is greater than 6, this isn't one of the major
+ credit cards. */
+ if (!isdigit((int)buf[0]) || buf[0] > '6')
+ return 0;
+
+ /* Check the issuer number for Visa, Mastercard, Amex, or Discover. */
+ if (CheckIssuers(buf, buflen) == 0)
+ return 0;
+
+ /* Limit to 16 digits + spaces in between */
+ if (buflen >= CC_COPY_BUF_LEN)
+ buflen = CC_COPY_BUF_LEN - 1;
+
+ /* Copy the string into cc_digits, stripping out spaces & dashes. */
+ digits = 0;
+ for (j = 0; j < buflen; j++)
+ {
+ if (isdigit((int)buf[j]) == 0)
+ {
+ if (buf[j] == ' ' || buf[j] == '-')
+ continue;
+ else
+ break;
+ }
+
+ cc_digits[digits++] = buf[j];
+ }
+ cc_digits[digits] = '\0';
+
+ /* Check if the string was too short, or we broke at an invalid character */
+ if (digits < 13 || digits > 16 || j < buflen)
+ return 0;
+
+ /* The Luhn algorithm:
+ 1) Starting at the right-most digit, double every second digit.
+ 2) Sum all the *individual* digits (i.e. 16 => 1+6)
+ 3) If the Sum mod 10 == 0, the CC# is valid.
+ */
+ alternate = 0;
+ sum = 0;
+ for (i = digits - 1; i >= 0; i--)
+ {
+ val = cc_digits[i] - '0';
+ if (alternate)
+ {
+ val *= 2;
+ if (val > 9)
+ val -= 9;
+ }
+ alternate = !alternate;
+ sum += val;
+ }
+
+ if (sum % 10)
+ return 0;
+
+ return 1;
+}
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sdf/sdf_credit_card.h snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_credit_card.h
--- snort-2.8.5.2/src/dynamic-preprocessors/sdf/sdf_credit_card.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_credit_card.h 2011-02-09 23:23:22.000000000 +0000
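Review bot: The two `isdigit()` calls in SDFLuhnAlgorithm pass `(int)buf[j]` where `buf` is a plain `char *` (presumably a slice of matched payload; the callers are not in this chunk), so on a platform with signed `char` any byte above 0x7F becomes a negative argument, which is undefined behavior for the ctype functions and is the kind of input a scanner over arbitrary traffic will see routinely. Cast through `unsigned char` instead: `if (!isdigit((unsigned char)buf[0]) || buf[0] > '6')` and `if (isdigit((unsigned char)buf[j]) == 0)`; the sibling SSN validator in sdf_us_ssn.c is worth checking for the same pattern. The `config` parameter is never read; a `(void)config; /* kept to match the validate_func signature */` would make that intentional rather than an oversight.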
@@ -0,0 +1,33 @@
+/*
+** Copyright (C) 2009-2011 Sourcefire, Inc.
+**
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License Version 2 as
+** published by the Free Software Foundation. You may not use, modify or
+** distribute this program under any other version of the GNU General
+** Public License.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+#ifndef SDF_CREDIT_CARD__H
+#define SDF_CREDIT_CARD__H
+
+#include
+#include "spp_sdf.h"
+
+#define ISSUER_SIZE 4
+#define CC_COPY_BUF_LEN 20 /* 16 digits + 3 spaces/dashes + null */
+#define MIN_CC_BUF_LEN 15 /* 13 digits + 2 surrounding non-digits */
+
+int SDFLuhnAlgorithm(char *buf, uint32_t buflen, struct _SDFConfig *config);
+
+#endif /* SDF_CREDIT_CARD__H */
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sdf/sdf_detection_option.c snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_detection_option.c
--- snort-2.8.5.2/src/dynamic-preprocessors/sdf/sdf_detection_option.c 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_detection_option.c 2011-11-21 20:15:24.000000000 +0000
@@ -0,0 +1,307 @@
+/*
+** Copyright (C) 2009-2011 Sourcefire, Inc.
+**
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License Version 2 as
+** published by the Free Software Foundation. You may not use, modify or
+** distribute this program under any other version of the GNU General
+** Public License.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+#include
+#include
+#include
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "sf_types.h"
+#include "spp_sdf.h"
+#include "sdf_pattern_match.h"
+#include "sdf_detection_option.h"
+#include "sf_snort_plugin_api.h"
+#include "sdf_us_ssn.h"
+#include "sdf_credit_card.h"
+#include "sfPolicy.h"
+#include "sfPolicyUserData.h"
+#include "treenodes.h"
+
+extern tSfPolicyUserContextId sdf_context_id;
+extern sdf_tree_node *head_node;
+extern uint32_t num_patterns;
+
+#ifdef SNORT_RELOAD
+extern tSfPolicyUserContextId sdf_swap_context_id;
+extern sdf_tree_node *swap_head_node;
+extern uint32_t swap_num_patterns;
+#endif
+
+void AddPortsToConf(SDFConfig *config, OptTreeNode *otn);
+void AddProtocolsToConf(SDFConfig *config, OptTreeNode *otn);
+
+/* Function: SDFOptionInit
+ * Purpose: Parses a SDF rule option.
+ * Arguments:
+ * name => Name of rule option
+ * args => Arguments to rule option
+ * data => Variable to save option data
+ * Returns: 1 if successful
+ * 0 if name is incorrect
+ * Fatal Error if invalid arguments
+ */
+int SDFOptionInit(char *name, char *args, void **data)
+{
+ char *token, *endptr;
+ unsigned long int tmpcount;
+ SDFOptionData *sdf_data;
+
+ if (name == NULL || args == NULL || data == NULL)
+ return 0;
+
+ if (strcasecmp(name, SDF_OPTION_NAME) != 0)
+ return 0;
+
+ sdf_data = (SDFOptionData *)calloc(1, sizeof(SDFOptionData));
+ if (sdf_data == NULL)
+ {
+ DynamicPreprocessorFatalMessage("%s(%d) Failed to allocate memory for "
+ "SDF pattern data structure.", __FILE__, __LINE__);
+ }
+
+ /* Parse the count */
+ if (*args == '-')
+ {
+ free(sdf_data);
+ DynamicPreprocessorFatalMessage("SDF rule cannot have a negative count:"
+ " %s\n", args);
+ }
+
+ tmpcount = _dpd.SnortStrtoul(args, &endptr, 10);
+
+ if (*endptr != ',')
+ {
+ free(sdf_data);
+ DynamicPreprocessorFatalMessage("SDF rule configured with invalid "
+ "arguments: %s\n", args);
+ }
+
+ if (tmpcount == 0 || tmpcount > 255)
+ {
+ free(sdf_data);
+ DynamicPreprocessorFatalMessage("SDF rule needs to have a count between "
+ " 1 - 255: %s\n", args);
+ }
+
+ sdf_data->count = (uint8_t)tmpcount;
+
+ /* Take everything after the comma as a pattern.
*/
+ token = endptr + 1;
+ if (*token == '\0')
+ {
+ free(sdf_data);
+ DynamicPreprocessorFatalMessage("SDF rule missing pattern: %s ", args);
+ }
+ if (strcasecmp(token, SDF_CREDIT_KEYWORD) == 0)
+ {
+ sdf_data->pii = strdup(SDF_CREDIT_PATTERN_ALL);
+ sdf_data->validate_func = SDFLuhnAlgorithm;
+ }
+ else if (strcasecmp(token, SDF_SOCIAL_KEYWORD) == 0)
+ {
+ sdf_data->pii = strdup(SDF_SOCIAL_PATTERN);
+ sdf_data->validate_func = SDFSocialCheck;
+ }
+ else if (strcasecmp(token, SDF_SOCIAL_NODASHES_KEYWORD) == 0)
+ {
+ sdf_data->pii = strdup(SDF_SOCIAL_NODASHES_PATTERN);
+ sdf_data->validate_func = SDFSocialCheck;
+ }
+ else if (strcasecmp(token, SDF_EMAIL_KEYWORD) == 0)
+ {
+ sdf_data->pii = strdup(SDF_EMAIL_PATTERN);
+ }
+ else
+ {
+ sdf_data->pii = strdup(token);
+ sdf_data->validate_func = NULL;
+ }
+
+ *data = (void *)sdf_data;
+ return 1;
+}
+
+/* This function receives the OTN of a fully-parsed rule, checks that it is a
+ SDF rule, then adds pattern & OTN to the SDF pattern-matching tree. */
+int SDFOtnHandler(void *potn)
+{
+ OptTreeNode *otn = (OptTreeNode *)potn;
+ SDFConfig *config;
+ tSfPolicyId policy_id;
+ SDFOptionData *sdf_data;
+ OptFpList *tmp = otn->opt_func;
+ PreprocessorOptionInfo *preproc_info = NULL;
+ tSfPolicyUserContextId context_to_use = sdf_context_id;
+ sdf_tree_node *head_node_to_use = head_node;
+ uint32_t *num_patterns_to_use = &num_patterns;
+ int sdf_option_added = 0;
+
+#ifdef SNORT_RELOAD
+ /* If we are reloading, use that context instead.
+ This should work since preprocessors get configured before rule parsing */
+ if (sdf_swap_context_id != NULL)
+ {
+ context_to_use = sdf_swap_context_id;
+ head_node_to_use = swap_head_node;
+ num_patterns_to_use = &swap_num_patterns;
+ }
+#endif
+
+ /* Retrieve the current policy being parsed */
+ policy_id = _dpd.getParserPolicy();
+ sfPolicyUserPolicySet(context_to_use, policy_id);
+ config = (SDFConfig *) sfPolicyUserDataGetCurrent(context_to_use);
+
+ /* Check that this is a SDF rule, then grab the context data. */
+ while (tmp != NULL && tmp->type != RULE_OPTION_TYPE_LEAF_NODE)
+ {
+ if (tmp->type == RULE_OPTION_TYPE_PREPROCESSOR)
+ preproc_info = tmp->context;
+
+ if (preproc_info == NULL ||
+ preproc_info->optionEval != (PreprocOptionEval) SDFOptionEval)
+ {
+ DynamicPreprocessorFatalMessage("%s(%d) Rules with SDF options cannot "
+ "have other detection options in the same rule.\n",
+ *_dpd.config_file, *_dpd.config_line);
+ }
+
+ if (sdf_option_added)
+ {
+ DynamicPreprocessorFatalMessage("A rule may contain only one "
+ "\"%s\" option.\n", SDF_OPTION_NAME);
+ }
+
+ if (otn->sigInfo.generator != GENERATOR_SPP_SDF_RULES)
+ {
+ DynamicPreprocessorFatalMessage("Rules with SDF options must "
+ "use GID %d.\n", GENERATOR_SPP_SDF_RULES);
+ }
+
+ sdf_data = (SDFOptionData *)preproc_info->data;
+ sdf_data->otn = otn;
+ sdf_data->sid = otn->sigInfo.id;
+ sdf_data->gid = otn->sigInfo.generator;
+
+ /* Add the pattern to the SDF pattern-matching tree */
+ AddPii(head_node_to_use, sdf_data);
+ sdf_data->counter_index = (*num_patterns_to_use)++;
+
+ AddPortsToConf(config, otn);
+ AddProtocolsToConf(config, otn);
+
+ sdf_option_added = 1;
+ preproc_info = NULL;
+ tmp = tmp->next;
+ }
+
+ return 1;
+}
+
+/* Take a port object's ports and add them to the preprocessor's port array.
*/
+void AddPortsToConf(SDFConfig *config, OptTreeNode *otn)
+{
+ int i, nports;
+ char *src_parray, *dst_parray;
+ RuleTreeNode *rtn;
+
+ if (config == NULL || otn == NULL)
+ return;
+
+ /* RTNs vary based on which policy the rule appears in. */
+ rtn = otn->proto_nodes[_dpd.getParserPolicy()];
+
+ /* Take the source port object and add ports to the preproc's array */
+ src_parray = _dpd.portObjectCharPortArray(NULL, rtn->src_portobject, &nports);
+ if (src_parray == 0)
+ {
+ /* This is an "any" port object! */
+ for (i = 0; i < MAX_PORTS/8; i++)
+ {
+ config->src_ports[i] = 0xFF;
+ }
+ }
+ else
+ {
+ /* iterate through an array of ports, add each one. */
+ for (i = 0; i < MAX_PORTS; i++)
+ {
+ if (src_parray[i] == 1)
+ config->src_ports[PORT_INDEX(i)] |= CONV_PORT(i);
+ }
+ }
+
+ /* Repeat for destination ports. */
+ dst_parray = _dpd.portObjectCharPortArray(NULL, rtn->dst_portobject, &nports);
+ if (dst_parray == 0)
+ {
+ /* This is an "any" port object! */
+ for (i = 0; i < MAX_PORTS/8; i++)
+ {
+ config->dst_ports[i] = 0xFF;
+ }
+ }
+ else
+ {
+ /* iterate through an array of ports, add each one.
*/
+ for (i = 0; i < MAX_PORTS; i++)
+ {
+ if (dst_parray[i] == 1)
+ config->dst_ports[PORT_INDEX(i)] |= CONV_PORT(i);
+ }
+ }
+
+ /* Cleanup */
+ if (src_parray)
+ free(src_parray);
+ if (dst_parray)
+ free(dst_parray);
+}
+
+void AddProtocolsToConf(SDFConfig *config, OptTreeNode *otn)
+{
+#ifdef TARGET_BASED
+ unsigned int i;
+ int16_t ordinal;
+ tSfPolicyId policy_id = _dpd.getParserPolicy();
+
+ if (config == NULL || otn == NULL)
+ return;
+
+ for (i = 0; i < otn->sigInfo.num_services; i++)
+ {
+ ordinal = otn->sigInfo.services[i].service_ordinal;
+ if (ordinal > 0 && ordinal < MAX_PROTOCOL_ORDINAL)
+ config->protocol_ordinals[ordinal] = 1;
+
+ _dpd.streamAPI->set_service_filter_status(
+ ordinal, PORT_MONITOR_SESSION, policy_id, 1);
+ }
+#endif
+}
+
+/* Stub function -- We're not evaluating SDF during rule-matching */
+int SDFOptionEval(void *p, const uint8_t **cursor, void *data)
+{
+ return RULE_NOMATCH;
+}
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sdf/sdf_detection_option.h snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_detection_option.h
--- snort-2.8.5.2/src/dynamic-preprocessors/sdf/sdf_detection_option.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_detection_option.h 2011-11-21 20:15:24.000000000 +0000
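Review bot: AddPortsToConf dereferences `rtn->src_portobject` and `rtn->dst_portobject` without checking that `otn->proto_nodes[_dpd.getParserPolicy()]` returned a non-NULL RTN, even though `config` and `otn` are guarded a few lines earlier; a rule with no RTN for the policy being parsed would fault during configuration instead of failing cleanly. Add `if (rtn == NULL) return;` right after the lookup, or a DynamicPreprocessorFatalMessage to match the style SDFOtnHandler uses for rule errors. In AddProtocolsToConf the bounds check `ordinal > 0 && ordinal < MAX_PROTOCOL_ORDINAL` protects only the `protocol_ordinals` write, while `set_service_filter_status` is still invoked with an ordinal outside that range; unless the stream API validates its argument, moving that call inside the same `if` keeps the two consistent. SDFOtnHandler passes the `config` obtained from sfPolicyUserDataGetCurrent into both helpers, and if that can be NULL for a policy that has no sdf preprocessor configured, the early `config == NULL` returns silently drop the rule's port and service registration rather than reporting the misconfiguration.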
@@ -0,0 +1,48 @@
+/*
+** Copyright (C) 2009-2011 Sourcefire, Inc.
+**
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License Version 2 as
+** published by the Free Software Foundation. You may not use, modify or
+** distribute this program under any other version of the GNU General
+** Public License.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+#ifndef SDF_DETECTION_OPTION__H
+#define SDF_DETECTION_OPTION__H
+
+#include
+#include "treenodes.h"
+#include "sf_dynamic_engine.h"
+#include "spp_sdf.h"
+
+int SDFOptionInit(char *name, char *args, void **data);
+int SDFOptionEval(void *p, const uint8_t **cursor, void *data);
+int SDFOtnHandler(void *potn);
+
+/* Struct for SDF option data */
+typedef struct _SDFOptionData
+{
+ char *pii;
+ uint32_t counter_index;
+ OptTreeNode *otn;
+ int (*validate_func)(char *buf, uint32_t buflen, struct _SDFConfig *config);
+ uint8_t count;
+ uint8_t match_success;
+
+ /* These are kept separately in case the OTN reference is freed */
+ uint32_t sid;
+ uint32_t gid;
+} SDFOptionData;
+
+#endif
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sdf/sdf_pattern_match.c snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_pattern_match.c
--- snort-2.8.5.2/src/dynamic-preprocessors/sdf/sdf_pattern_match.c 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_pattern_match.c 2011-10-26 18:28:52.000000000 +0000
@@ -0,0 +1,651 @@ +/* +** Copyright (C) 2009-2011 Sourcefire, Inc. +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License Version 2 as +** published by the Free Software Foundation. You may not use, modify or +** distribute this program under any other version of the GNU General +** Public License. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +*/ + +#include +#include +#include + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "sdf_pattern_match.h" +#include "treenodes.h" +#include "sf_dynamic_preprocessor.h" + +/* Main pattern-adding function. + * Arguments: + * head => pointer to top node in PII tree + * data => pointer to SDFOptionData struct w/ new pattern + * otn => pointer to OptTreeNode struct that this pattern belongs to + * Return values: + * -1: error + * 1: pattern added successfully + */ +static int AddPiiPattern(sdf_tree_node *head, SDFOptionData *data) +{ + char *pattern = data->pii; + int i = 0; + int pattern_added = 0; + + if (head == NULL || pattern == NULL) + return -1; + + /* If the root has some children, try to fit the pattern under them first. 
*/ + while(i < head->num_children && !pattern_added) + { + pattern_added = AddPiiPiece(head->children[i], pattern, data); + i++; + } + + /* Otherwise, add a new child to the root node */ + if (!pattern_added) + { + AddChild(head, data, data->pii); + pattern_added = 1; + } + + return pattern_added; +} + +/* Check that the brackets in a pattern match up, and only contain numbers. + * + * Arguments: + * pii - string containing pattern. + * + * Returns: void function. Raises fatal error if there's a problem. + */ +static void ExpandBrackets(char **pii) +{ + char *bracket_index, *new_pii, *endptr, *pii_position; + unsigned long int new_pii_size, repetitions, total_reps = 0; + unsigned int num_brackets = 0; + + if (pii == NULL || *pii == NULL) + return; + + /* Locate first '{' */ + bracket_index = index(*pii, '{'); + + /* Brackets at the beginning have nothing to modify. */ + if (bracket_index == *pii) + { + DynamicPreprocessorFatalMessage("SDF Pattern \"%s\" starts with curly " + "brackets which have nothing to modify.\n", *pii); + } + + /* Check for various error cases. Total up the # of bytes needed in new pattern */ + while (bracket_index) + { + /* Ignore escaped brackets */ + if ((bracket_index > *pii) && (*(bracket_index-1) == '\\')) + { + bracket_index = index(bracket_index+1, '{'); + continue; + } + + /* Check for the case of one bracket set modifying another, i.e. 
"{3}{4}" + Note: "\}{4}" is OK */ + if ((bracket_index > (*pii)+1) && + (*(bracket_index-1) == '}') && + (*(bracket_index-2) != '\\') ) + { + DynamicPreprocessorFatalMessage("SDF Pattern \"%s\" contains curly " + "brackets which have nothing to modify.\n", *pii); + } + + /* Get the number from inside the brackets */ + repetitions = strtoul(bracket_index+1, &endptr, 10); + if (*endptr != '}' && *endptr != '\0') + { + DynamicPreprocessorFatalMessage("SDF Pattern \"%s\" contains curly " + "brackets with non-digits inside.\n", *pii); + } + else if (*endptr == '\0') + { + DynamicPreprocessorFatalMessage("SDF Pattern \"%s\" contains " + "an unterminated curly bracket.\n", *pii); + } + + /* The brackets look OK. Increase the rep count. */ + if ((bracket_index > (*pii)+1) && (*(bracket_index-2) == '\\')) + total_reps += (repetitions * 2); + else + total_reps += repetitions; + + num_brackets++; + + /* Next bracket */ + bracket_index = index(bracket_index+1, '{'); + } + + /* By this point, the brackets all match up. */ + if (num_brackets == 0) + return; + + /* Allocate the new pii string. */ + new_pii_size = (strlen(*pii) + total_reps - 2*num_brackets + 1); + new_pii = (char *) calloc(new_pii_size, sizeof(char)); + if (new_pii == NULL) + { + DynamicPreprocessorFatalMessage("Failed to allocate memory for " + "SDF preprocessor.\n"); + } + + /* Copy the PII string, expanding repeated sections. */ + pii_position = *pii; + while (*pii_position != '\0') + { + char repeated_section[3] = {'\0'}; + unsigned long int i, reps = 1; + + repeated_section[0] = pii_position[0]; + pii_position++; + + if (repeated_section[0] == '\\' && pii_position[0] != '\0') + { + repeated_section[1] = pii_position[0]; + pii_position++; + } + + if (pii_position[0] == '{') + { + reps = strtoul(pii_position+1, &endptr, 10); + pii_position = endptr+1; + } + + /* Channeling "Shlemiel the Painter" here. 
*/ + for (i = 0; i < reps; i++) + { + strncat(new_pii, repeated_section, 2); + } + } + + /* Switch out the pii strings. */ + free(*pii); + *pii = new_pii; +} + +/* Perform any modifications needed to a pattern string, then add it to the tree. */ +int AddPii(sdf_tree_node *head, SDFOptionData *data) +{ + if (head == NULL || data == NULL) + return -1; + + ExpandBrackets(&(data->pii)); + + return AddPiiPattern(head, data); +} + +/* Recursive pattern-adding function. + * Return values: + * -1: error + * 0: pattern did not go in this subtree + * 1: pattern was added in this subtree + */ +int AddPiiPiece(sdf_tree_node *node, char *new_pattern, SDFOptionData *data) +{ + /* Potential cases: + 1) node->pattern and new_pattern overlap by some number of bytes, + but both end differently. + Split the current node then add a second child. + 2) node->pattern is a substring of new_pattern. + Preserve current node, go on to children. + If no children exist, add one and stop. + 3) new_pattern is a substring of node->pattern. + Split the current node, AND add an end-of-pattern marker. + 4) Pattern doesn't fit here at all. Return 0 to caller. + */ + + char *node_pattern_copy; + uint16_t overlapping_bytes = 0; + + if (node == NULL || new_pattern == NULL || *new_pattern == '\0') + return -1; + + /* Count the overlapping bytes between + a) our current node's pattern + b) the piece of the PII pattern being added here + Additionally, we advance the pattern ptr to the non-matching part, + so that only the non-matching part is added to a child node. 
*/ + node_pattern_copy = node->pattern; + while(*node_pattern_copy != '\0' && + *new_pattern != '\0' && + *node_pattern_copy == *new_pattern) + { + /* Handle escape sequences: either the whole thing matches, or not at all */ + if (*new_pattern == '\\') + { + if (*(new_pattern+1) != *(node_pattern_copy+1)) + break; + + /* Don't increment twice if the strings just ended in '\' */ + if (*(new_pattern+1) != '\0') + { + new_pattern++; + node_pattern_copy++; + overlapping_bytes++; + } + } + + new_pattern++; + node_pattern_copy++; + overlapping_bytes++; + } + + if (*node_pattern_copy == '\0' && *new_pattern == '\0') + { + /* Patterns completely match */ + uint16_t i; + int data_added = 0; + + /* Replace old option_data if the sid & gid match. + The OTN has already been freed out from under us. */ + for (i = 0; i < node->num_option_data; i++) + { + if ((node->option_data_list[i]->sid == data->sid) && + (node->option_data_list[i]->gid == data->gid)) + { + free(node->option_data_list[i]->pii); + free(node->option_data_list[i]); + node->option_data_list[i] = data; + data_added = 1; + } + } + + /* Otherwise, append the new option_data to the list. */ + if (!data_added) + { + SDFOptionData **tmp_realloc_ptr = NULL; + + tmp_realloc_ptr = (SDFOptionData **) + realloc((void *)node->option_data_list, + (node->num_option_data + 1) * sizeof(SDFOptionData *)); + + if (tmp_realloc_ptr == NULL) + DynamicPreprocessorFatalMessage("%s(%d) Could not reallocate " + "option_data_list\n", __FILE__, __LINE__); + + node->option_data_list = tmp_realloc_ptr; + + node->option_data_list[node->num_option_data] = data; + node->num_option_data++; + } + + return 1; + } + else if (*node_pattern_copy == '\0') + { + int i; + /* Current node holds a subset of the pattern. Recurse to the children. */ + for(i = 0; i < node->num_children; i++) + { + if (AddPiiPiece(node->children[i], new_pattern, data) == 1) + return 1; + } + + /* No children matched, or no children existed. Add the child here. 
*/ + AddChild(node, data, new_pattern); + return 1; + } + else if (*new_pattern == '\0') + { + /* pattern is a subset of the current node's pattern */ + SplitNode(node, overlapping_bytes); + node->num_option_data = 1; + + node->option_data_list = (SDFOptionData **) calloc(1, sizeof(SDFOptionData *)); + if (node->option_data_list == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) Could not allocate option_data_list\n", + __FILE__, __LINE__); + } + + node->option_data_list[0] = data; + return 1; + } + else if (overlapping_bytes > 0) + { + /* Add the child node */ + SplitNode(node, overlapping_bytes); + AddChild(node, data, new_pattern); + return 1; + } + + /* These patterns don't overlap at all! */ + return 0; +} + +int SplitNode(sdf_tree_node *node, uint16_t split_index) +{ + sdf_tree_node *new_node = NULL; + + if (node == NULL) + return -1; + + if (split_index > strlen(node->pattern)) + return -1; + + /* Create new node for second half of split */ + new_node = (sdf_tree_node *) calloc(1,sizeof(sdf_tree_node)); + if (new_node == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) Could not allocate new_node\n", + __FILE__, __LINE__); + } + + /* Fill in the new node with the child pointers, pattern, pii ptr */ + new_node->pattern = strdup(node->pattern + split_index); + if (new_node->pattern == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) Could not allocate new_node pattern\n", + __FILE__, __LINE__); + } + + new_node->children = node->children; + new_node->option_data_list = node->option_data_list; + new_node->num_children = node->num_children; + new_node->num_option_data = node->num_option_data; + + /* Truncate the pattern of the current node, set child to new node */ + node->children = (sdf_tree_node **) calloc(1,sizeof(sdf_tree_node *)); + if (node->children == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) Could not allocate node children\n", + __FILE__, __LINE__); + } + + node->children[0] = new_node; + node->num_children = 1; + 
node->option_data_list = NULL; + node->num_option_data = 0; + node->pattern[split_index] = '\0'; + + return 0; +} + + +/* Create a new tree node, and add it as a child to the current node. */ +sdf_tree_node * AddChild(sdf_tree_node *node, SDFOptionData *data, char *pattern) +{ + sdf_tree_node *new_node = NULL; + + /* Take care not to step on the other children */ + if (node->num_children) + { + sdf_tree_node **new_child_ptrs = + (sdf_tree_node **) calloc(node->num_children+1, sizeof(sdf_tree_node *)); + + if (new_child_ptrs == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) Could not allocate new child pointers\n", + __FILE__, __LINE__); + } + + memcpy(new_child_ptrs, node->children, (node->num_children * sizeof(sdf_tree_node *))); + + new_node = (sdf_tree_node *) calloc(1,sizeof(sdf_tree_node)); + if (new_node == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) Could not allocate new node\n", + __FILE__, __LINE__); + } + + new_child_ptrs[node->num_children] = new_node; + + free(node->children); + node->children = new_child_ptrs; + node->num_children++; + } + else + { + node->children = (sdf_tree_node **)calloc(1,sizeof(sdf_tree_node *)); + if (node->children == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) Could not allocate node children\n", + __FILE__, __LINE__); + } + + node->children[0] = (sdf_tree_node *)calloc(1,sizeof(sdf_tree_node)); + if (node->children[0] == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) Could not allocate node children[0]\n", + __FILE__, __LINE__); + } + + node->num_children = 1; + new_node = node->children[0]; + } + + new_node->pattern = strdup(pattern); + if (new_node->pattern == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) Could not allocate node pattern\n", + __FILE__, __LINE__); + } + + new_node->num_option_data = 1; + new_node->option_data_list = (SDFOptionData **) calloc(1, sizeof(SDFOptionData *)); + + if (new_node->option_data_list == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) Could not 
allocate node list\n", + __FILE__, __LINE__); + } + + new_node->option_data_list[0] = data; + + return new_node; +} + +/* Frees an entire PII tree. */ +int FreePiiTree(sdf_tree_node *node) +{ + uint16_t i; + + if (node == NULL) + return -1; + + for (i = 0; i < node->num_children; i++) + { + FreePiiTree(node->children[i]); + } + + free(node->pattern); + free(node->children); + + for (i = 0; i < node->num_option_data; i++) + { + free(node->option_data_list[i]->pii); + free(node->option_data_list[i]); + } + + free(node->option_data_list); + free(node); + + return 0; +} + +/* Returns an sdf_tree_node that matches the pattern */ +static sdf_tree_node * FindPiiRecursively(sdf_tree_node *node, char *buf, uint16_t *buf_index, uint16_t buflen, SDFConfig *config) +{ + uint16_t old_buf_index, pattern_index = 0; + int node_match = 1; + sdf_tree_node *matched_node = NULL; + + if (node == NULL || buf == NULL || buflen == 0 || *buf_index >= buflen) + return NULL; + + /* Save the value of buf_index that was passed in. We revert to this value + if a pattern is not matched here. Ultimately, it should hold the number + of bytes matched against a pattern. */ + old_buf_index = *buf_index; + + /* Match pattern buf against current node. Evaluate escape sequences. + + NOTE: node->pattern is a NULL-terminated string, but buf is network data + and may legitimately contain NULL bytes. */ + while (*buf_index < buflen && + *(node->pattern + pattern_index) != '\0' && + node_match ) + { + /* Match a byte at a time. 
*/ + if ( *(node->pattern + pattern_index) == '\\' && + *(node->pattern + pattern_index + 1) != '\0' ) + { + /* Escape sequence found */ + pattern_index++; + switch ( *(node->pattern + pattern_index) ) + { + /* Escaped special character */ + case '\\': + case '{': + case '}': + case '?': + node_match = (*(buf + *buf_index) == *(node->pattern + pattern_index)); + break; + + /* \d : match digit */ + case 'd': + node_match = isdigit( (int)(*(buf + *buf_index)) ); + break; + /* \D : match non-digit */ + case 'D': + node_match = !isdigit( (int)(*(buf + *buf_index)) ); + break; + + /* \w : match alphanumeric */ + case 'w': + node_match = isalnum( (int)(*(buf + *buf_index)) ); + break; + /* \W : match non-alphanumeric */ + case 'W': + node_match = !isalnum( (int)(*(buf + *buf_index)) ); + break; + + /* \l : match a letter */ + case 'l': + node_match = isalpha( (int)(*(buf + *buf_index)) ); + break; + /* \L : match a non-letter */ + case 'L': + node_match = !isalpha( (int)(*(buf + *buf_index)) ); + break; + } + } + else + { + /* Normal byte */ + node_match = (*(buf + *buf_index) == *(node->pattern + pattern_index)); + } + + /* Handle optional characters */ + if (*(node->pattern + pattern_index + 1) == '?') + { + /* Advance past the '?' in the pattern string. + Only advance in the buffer if we matched the optional char. */ + pattern_index += 2; + if (node_match) + (*buf_index)++; + else + node_match = 1; + } + else + { + /* Advance to next byte */ + (*buf_index)++; + pattern_index++; + } + } + + if (node_match) + { + int i = 0; + uint16_t j = 0; + int node_contains_matches = 0; + + /* Check the children first. Always err on the side of a larger match. */ + while (i < node->num_children && matched_node == NULL) + { + matched_node = FindPiiRecursively(node->children[i], buf, buf_index, buflen, config); + i++; + } + + if (matched_node != NULL) + return matched_node; + + /* An sdf_tree_node holds multiple SDFOptionData. 
It's possible to get + some with validation funs and some without. Evaluate them independently. */ + for (j = 0; j < node->num_option_data; j++) + { + SDFOptionData *option_data = node->option_data_list[j]; + + /* Run eval func, return NULL if it exists but fails */ + if (option_data->validate_func != NULL && + option_data->validate_func(buf, *buf_index, config) != 1) + { + *buf_index = old_buf_index; + option_data->match_success = 0; + } + else + { + /* No eval func necessary, or an eval func existed and returned 1 */ + option_data->match_success = 1; + node_contains_matches = 1; + } + } + + if (node_contains_matches) + return node; + } + + /* No match here. */ + *buf_index = old_buf_index; + return NULL; +} + +/* This function takes a head node, and searches the children for PII. + * + * head - Pointer to head node of SDF patttern tree. This contains no pattern. + * buf - Buffer to search for patterns + * buf_index - Pointer to store number of bytes that matched a pattern. + * buflen - Length of buffer pointed to by buf + * config - SDF preprocessor configuration. + * + * returns: sdf_tree_node ptr for matched pattern, or NULL if no match. + */ +sdf_tree_node * FindPii(sdf_tree_node *head, char *buf, uint16_t *buf_index, uint16_t buflen, + SDFConfig *config) +{ + uint16_t i; + + if (head == NULL) + return NULL; + + for (i = 0; i < head->num_children; i++) + { + sdf_tree_node * matched_node; + matched_node = FindPiiRecursively(head->children[i], buf, buf_index, buflen, config); + if (matched_node) + return matched_node; + } + + return NULL; +} diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sdf/sdf_pattern_match.h snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_pattern_match.h --- snort-2.8.5.2/src/dynamic-preprocessors/sdf/sdf_pattern_match.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_pattern_match.h 2011-02-09 23:23:22.000000000 +0000 
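Review bot: The ctype calls in FindPiiRecursively (`isdigit((int)(*(buf + *buf_index)))` and the isalnum/isalpha cases beside it) pass a plain `char` taken from network data, which is undefined behaviour for any byte above 0x7F on targets where char is signed; each should go through `unsigned char` first, e.g. `node_match = isdigit((unsigned char)buf[*buf_index]);`. The escape `switch` in the same loop has no `default`, so an escape the tree does not recognise (anything other than `\ { } ? d D w W l L`) appears to leave node_match at 1 and consume a buffer byte — it would be safer to reject such patterns in AddPii or treat them as a non-match here. In the option_data loop at the end of that function, a failing validate_func resets `*buf_index = old_buf_index` before the remaining validators run, so they are handed the pre-match length and a later success returns the node with the wrong match length; the reset belongs after the loop, under `if (!node_contains_matches)`. In ExpandBrackets, `strtoul` accepts a leading sign or whitespace and the ERANGE result is never checked, so a rule pattern such as `{-1}` passes the bracket checks, wraps `new_pii_size`, and the copy loop then writes past `new_pii`; require `isdigit((unsigned char)bracket_index[1])`, test `errno == ERANGE`, and cap `repetitions` at a sane maximum before it feeds the size arithmetic.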
@@ -0,0 +1,36 @@
+/*
+** Copyright (C) 2009-2011 Sourcefire, Inc.
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License Version 2 as
+** published by the Free Software Foundation. You may not use, modify or
+** distribute this program under any other version of the GNU General
+** Public License.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+#ifndef SDF_PATTERN_MATCH__H
+#define SDF_PATTERN_MATCH__H
+
+#include "spp_sdf.h"
+#include "sdf_detection_option.h"
+#include "treenodes.h"
+#include
+
+int AddPii(sdf_tree_node *head, SDFOptionData *data);
+int AddPiiPiece(sdf_tree_node *node, char *new_pattern, SDFOptionData *data);
+int SplitNode(sdf_tree_node *node, uint16_t split_index);
+sdf_tree_node * AddChild(sdf_tree_node *node, SDFOptionData *data, char *pattern);
+int FreePiiTree(sdf_tree_node *head);
+
+sdf_tree_node * FindPii(sdf_tree_node *head, char *buf, uint16_t *buf_index, uint16_t buflen, SDFConfig *config);
+
+#endif /* SDF_PATTERN_MATCH__H */
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sdf/sdf_us_ssn.c snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_us_ssn.c
--- snort-2.8.5.2/src/dynamic-preprocessors/sdf/sdf_us_ssn.c 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_us_ssn.c 2011-10-26 18:28:52.000000000 +0000
@@ -0,0 +1,257 @@ +/* +** Copyright (C) 2009-2011 Sourcefire, Inc. +** +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License Version 2 as +** published by the Free Software Foundation. You may not use, modify or +** distribute this program under any other version of the GNU General +** Public License. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +*/ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "spp_sdf.h" +#include "sdf_us_ssn.h" +#include +#include +#include +#include +#include + + +static int SDFCompareGroupNumbers(int group, int max_group); +static int SSNGroupCategory(int group); + +/* This function takes a string representation of a US Social Security number + and checks that it is valid. The string may include or omit hyphens.*/ +int SDFSocialCheck(char *buf, uint32_t buflen, struct _SDFConfig *config) +{ + uint32_t i; + int digits, area, group, serial; + char numbuf[9]; + + if (buf == NULL || buflen > 13 || buflen < 9) + return 0; + + /* The string will have a non-digit byte on each side. Truncate these. */ + buflen -= 2; + buf++; + + /* Check that the string is made of digits, and strip hyphens. 
*/ + digits = 0; + for (i = 0; i < buflen; i++) + { + if (isdigit((int)buf[i])) + { + /* Check for too many digits */ + if (digits == 9) + return 0; + + numbuf[digits++] = buf[i]; + } + else if (buf[i] != '-') + break; + } + + if (digits != 9) + return 0; + + /* Convert to ints */ + area = (numbuf[0] - '0') * 100 + (numbuf[1] - '0') * 10 + (numbuf[2] - '0'); + group = (numbuf[3] - '0') * 10 + (numbuf[4] - '0'); + serial = (numbuf[5] - '0') * 1000 + (numbuf[6] - '0') * 100 + + (numbuf[7] - '0') * 10 + (numbuf[8] - '0'); + + /* Start validating */ + if (area > MAX_AREA || + area == 666 || + area <= 0 || + group <= 0 || + group > 99 || + serial <= 0 || + serial > 9999) + return 0; + + /* This range was reserved for advertising */ + if (area == 987 && group == 65) + { + if (serial >= 4320 && serial <= 4329) + return 0; + } + + return SDFCompareGroupNumbers(group, config->ssn_max_group[area]); +} + +static int SDFCompareGroupNumbers(int group, int max_group) +{ + /* Group numbers are not issued in consecutive order. They go in this order: + 1. ODD numbers from 01 through 09 + 2. EVEN numbers from 10 through 98 + 3. EVEN numbers from 02 through 08 + 4. ODD numbers from 11 through 99 + For this reason, the group check is not simple. 
+ */ + + int group_category = SSNGroupCategory(group); + int max_group_category = SSNGroupCategory(max_group); + + if (group_category == 0 || max_group_category == 0) + return 0; + + if (group_category < max_group_category) + return 1; + if ((group_category == max_group_category) && (group <= max_group)) + return 1; + + return 0; +} + +static int SSNGroupCategory(int group) +{ + if ((group % 2 == 1) && (group < 10)) + return 1; + if ((group % 2 == 0) && (group >= 10) && (group <= 98)) + return 2; + if ((group % 2 == 0) && (group < 10)) + return 3; + if ((group % 2 == 1) && (group >= 11) && (group <= 99)) + return 4; + + return 0; +} + +int ParseSSNGroups(char *filename, struct _SDFConfig *config) +{ + FILE *ssn_file; + char *contents, *token, *saveptr, *endptr; + long length; + int i = 1; + + if (filename == NULL || config == NULL) + return -1; + + ssn_file = fopen(filename, "r"); + if (ssn_file == NULL) + { + /* TODO: Print error */ + return -1; + } + + /* Determine size of file */ + fseek(ssn_file, 0, SEEK_END); + length = ftell(ssn_file); + rewind(ssn_file); + + if (length <= 0) + { + /* TODO: Print error */ + return -1; + } + + contents = calloc(length, sizeof(char)); + if (contents == NULL) + { + /* TODO: print error */ + return -1; + } + + /* Read file into memory */ + fread(contents, sizeof(char), length, ssn_file); + fclose(ssn_file); + + /* Parse! */ + token = strtok_r(contents, " ,\n", &saveptr); + while (token) + { + if (i > MAX_AREA) + { + /* TODO: Print error - too many ints */ + free(contents); + return -1; + } + config->ssn_max_group[i++] = strtol(token, &endptr, 10); + if (*endptr != '\0') + { + /* TODO: Print error - not a complete number */ + free(contents); + return -1; + } + + token = strtok_r(NULL, " ,\n", &saveptr); + } + + free(contents); + return 0; +} + +/* Default array of maximum group numbers for each area. + These values were last up-to-date as of November 2009. 
*/ +int SSNSetDefaultGroups(struct _SDFConfig *config) +{ + int i; + int default_max_group[MAX_AREA+1] = { 0, + 8, 8, 6, 11, 11, 11, 8, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, + 92, 92, 92, 92, 92, 92, 92, 92, 92, 90, 90, 90, 90, 90, 90, 74, 74, 72, 72, + 72, 15, 13, 13, 13, 13, 13, 13, 13, 13, 13, 98, 98, 98, 98, 98, 98, 98, 98, + 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, + 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, + 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, + 98, 98, 98, 98, 98, 96, 96, 96, 96, 96, 96, 96, 96, 96, 96, 96, 96, 96, 96, + 96, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, + 21, 21, 21, 21, 21, 21, 86, 86, 86, 86, 86, 86, 86, 86, 84, 84, 84, 84, 84, + 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, + 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, + 84, 84, 85, 85, 85, 85, 85, 85, 85, 85, 85, 8, 8, 99, 99, 99, 99, 99, 99, + 99, 99, 99, 55, 55, 55, 55, 55, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, + 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, + 99, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, + 15, 15, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 35, 35, + 35, 35, 35, 35, 35, 35, 33, 33, 33, 33, 33, 33, 33, 8, 8, 8, 8, 8, 8, + 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, + 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 6, 6, 6, 6, 6, 6, 6, 6, + 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 35, 35, 35, 35, 35, 35, 35, 35, + 35, 35, 35, 35, 35, 35, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 29, + 71, 71, 71, 71, 71, 71, 69, 69, 99, 99, 99, 99, 99, 99, 99, 99, 65, 65, 65, + 65, 65, 65, 65, 63, 63, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, + 99, 99, 27, 25, 25, 25, 25, 25, 25, 25, 25, 99, 99, 99, 99, 99, 99, 99, 99, + 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 55, 53, 53, 53, 53, 
53, 53, 53, + 53, 53, 41, 41, 39, 39, 39, 39, 39, 39, 27, 27, 27, 27, 27, 27, 27, 27, 27, + 27, 27, 27, 27, 27, 27, 35, 35, 43, 43, 55, 55, 55, 55, 31, 31, 31, 29, 29, + 29, 29, 47, 47, 83, 83, 59, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 67, 67, + 67, 67, 67, 67, 67, 67, 65, 79, 79, 79, 77, 77, 99, 99, 99, 99, 99, 99, 99, + 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, + 99, 99, 99, 57, 99, 99, 49, 49, 49, 39, 99, 99, 99, 99, 99, 65, 99, 5, 99, + 99, 99, 99, 99, 99, 99, 90, 88, 88, 88, 99, 99, 79, 79, 79, 79, 79, 77, 77, + 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 23, + 23, 23, 23, 23, 23, 23, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 13, + 11, 52, 52, 56, 56, 54, 54, 32, 32, 32, 32, 32, 20, 20, 20, 20, 18, 18, 18, + 44, 42, 42, 42, 42, 42, 42, 42, 42, 18, 18, 18, 16, 17, 20, 20, 20, 20, 18, + 18, 18, 18, 18, 18, 12, 12, 12, 12, 12, 12, 12, 12, 12, 18, 18, 18, 18, 18, + 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, + 28, 18, 18, 10, 14, 20, 18, 18, 18, 18, 14, 14, 5, 5, 5, 5, 10, 9, 9, + 9, 9, 9, 9, 9, 11, 8, 86, 86, 86, 86, 84, 84, 84 + }; + + if (config == NULL) + return -1; + + for (i = 0; i < MAX_AREA+1; i++) + { + config->ssn_max_group[i] = default_max_group[i]; + } + + return 1; +} diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sdf/sdf_us_ssn.h snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_us_ssn.h --- snort-2.8.5.2/src/dynamic-preprocessors/sdf/sdf_us_ssn.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_us_ssn.h 2011-02-09 23:23:22.000000000 +0000 
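Review bot: ParseSSNGroups reads the whole file into `calloc(length, sizeof(char))` and then hands it to strtok_r, but a file of exactly `length` bytes leaves no terminating NUL, so the tokenizer reads past the allocation; the buffer needs `length + 1` bytes. The two early returns after fopen (`length <= 0` and the calloc failure) also leak the FILE handle, and the `fseek`/`fread` results are never checked, so a short read is silently parsed as if it were the complete file. In SDFSocialCheck, `isdigit((int)buf[i])` passes a plain `char` of network data to a ctype function, which is undefined for bytes above 0x7F where char is signed; use `isdigit((unsigned char)buf[i])`. The rewritten read path is below; the strtok_r loop and everything after it are unchanged.
```c
    /* Determine size of file */
    if (fseek(ssn_file, 0, SEEK_END) != 0 || (length = ftell(ssn_file)) <= 0)
    {
        /* TODO: Print error */
        fclose(ssn_file);
        return -1;
    }
    rewind(ssn_file);

    /* One extra byte so the buffer is always NUL-terminated for strtok_r */
    contents = calloc((size_t)length + 1, sizeof(char));
    if (contents == NULL)
    {
        /* TODO: print error */
        fclose(ssn_file);
        return -1;
    }

    /* Read file into memory; a short read is an error, not a shorter table */
    if (fread(contents, sizeof(char), (size_t)length, ssn_file) != (size_t)length)
    {
        /* TODO: Print error */
        free(contents);
        fclose(ssn_file);
        return -1;
    }
    fclose(ssn_file);

    /* … unchanged: strtok_r parsing loop … */
```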
@@ -0,0 +1,35 @@
+/*
+** Copyright (C) 2009-2011 Sourcefire, Inc.
+**
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License Version 2 as
+** published by the Free Software Foundation. You may not use, modify or
+** distribute this program under any other version of the GNU General
+** Public License.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+#ifndef SDF_US_SSN__H
+#define SDF_US_SSN__H
+
+#include "spp_sdf.h"
+
+/* This is the maximum defined area number */
+#define MAX_AREA 772
+
+struct _SDFConfig; /* Forward declaration of SDFConfig */
+
+int SDFSocialCheck(char *buf, uint32_t buflen, struct _SDFConfig *config);
+int ParseSSNGroups(char *filename, struct _SDFConfig *config);
+int SSNSetDefaultGroups(struct _SDFConfig *config);
+
+#endif /* SDF_US_SSN__H */
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sdf/sf_sdf.dsp snort-2.9.2/src/dynamic-preprocessors/sdf/sf_sdf.dsp
--- snort-2.8.5.2/src/dynamic-preprocessors/sdf/sf_sdf.dsp 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/sdf/sf_sdf.dsp 2011-11-21 20:15:24.000000000 +0000
@@ -0,0 +1,223 @@ +# Microsoft Developer Studio Project File - Name="sf_sdf" - Package Owner=<4> +# Microsoft Developer Studio Generated Build File, Format Version 6.00 +# ** DO NOT EDIT ** + +# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102 + +CFG=sf_sdf - Win32 IPv6 Debug +!MESSAGE This is not a valid makefile. To build this project using NMAKE, +!MESSAGE use the Export Makefile command and run +!MESSAGE +!MESSAGE NMAKE /f "sf_sdf.mak". +!MESSAGE +!MESSAGE You can specify a configuration when running NMAKE +!MESSAGE by defining the macro CFG on the command line. For example: +!MESSAGE +!MESSAGE NMAKE /f "sf_sdf.mak" CFG="sf_sdf - Win32 IPv6 Debug" +!MESSAGE +!MESSAGE Possible choices for configuration are: +!MESSAGE +!MESSAGE "sf_sdf - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_sdf - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_sdf - Win32 IPv6 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_sdf - Win32 IPv6 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE + +# Begin Project +# PROP AllowPerConfigDependencies 0 +# PROP Scc_ProjName "" +# PROP Scc_LocalPath "" +CPP=cl.exe +MTL=midl.exe +RSC=rc.exe + +!IF "$(CFG)" == "sf_sdf - Win32 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "Release" +# PROP BASE Intermediate_Dir "Release" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "Release" +# PROP Intermediate_Dir "Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D 
"_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 + +!ELSEIF "$(CFG)" == "sf_sdf - Win32 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "Debug" +# PROP BASE Intermediate_Dir "Debug" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "Debug" +# PROP Intermediate_Dir "Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 
/d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept + +!ELSEIF "$(CFG)" == "sf_sdf - Win32 IPv6 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "sf_sdf___Win32_IPv6_Debug" +# PROP BASE Intermediate_Dir "sf_sdf___Win32_IPv6_Debug" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "IPv6_Debug" +# PROP Intermediate_Dir "IPv6_Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /GZ /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 ws2_32.lib kernel32.lib 
user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept + +!ELSEIF "$(CFG)" == "sf_sdf - Win32 IPv6 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "sf_sdf___Win32_IPv6_Release" +# PROP BASE Intermediate_Dir "sf_sdf___Win32_IPv6_Release" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "IPv6_Release" +# PROP Intermediate_Dir "IPv6_Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_SMTP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll 
/machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 + +!ENDIF + +# Begin Target + +# Name "sf_sdf - Win32 Release" +# Name "sf_sdf - Win32 Debug" +# Name "sf_sdf - Win32 IPv6 Debug" +# Name "sf_sdf - Win32 IPv6 Release" +# Begin Group "Source Files" + +# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" +# Begin Source File + +SOURCE=..\include\sf_dynamic_preproc_lib.c +# End Source File +# Begin Source File + +SOURCE=..\include\sfPolicyUserData.c +# End Source File +# Begin Source File + +SOURCE=.\spp_sdf.c +# End Source File +# Begin Source File + +SOURCE=..\include\strtok_r.c +# End Source File +# End Group +# Begin Group "Header Files" + +# PROP Default_Filter "h;hpp;hxx;hm;inl" +# Begin Source File + +SOURCE=.\sdf_credit_card.c +# End Source File +# Begin Source File + +SOURCE=.\sdf_credit_card.h +# End Source File +# Begin Source File + +SOURCE=.\sdf_detection_option.c +# End Source File +# Begin Source File + +SOURCE=.\sdf_detection_option.h +# End Source File +# Begin Source File + +SOURCE=.\sdf_pattern_match.c +# End Source File +# Begin Source File + +SOURCE=.\sdf_pattern_match.h +# End Source File +# Begin Source File + +SOURCE=.\sdf_us_ssn.c +# End Source File +# Begin Source File + +SOURCE=.\sdf_us_ssn.h +# End Source File +# Begin Source File + +SOURCE=.\sf_preproc_info.h +# End Source File +# Begin Source File + +SOURCE=.\spp_sdf.h +# End Source File +# End Group +# Begin Group "Resource Files" + +# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe" +# End Group +# End Target +# End Project diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sdf/spp_sdf.c snort-2.9.2/src/dynamic-preprocessors/sdf/spp_sdf.c --- snort-2.8.5.2/src/dynamic-preprocessors/sdf/spp_sdf.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/sdf/spp_sdf.c 2011-11-21 20:15:24.000000000 +0000 
@@ -0,0 +1,908 @@ +/* +** Copyright (C) 2009-2011 Sourcefire, Inc. +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License Version 2 as +** published by the Free Software Foundation. You may not use, modify or +** distribute this program under any other version of the GNU General +** Public License. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +*/ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include +#include +#include +#include +#include +#include + +#ifdef HAVE_STRINGS_H +#include +#endif + +#include "sf_types.h" +/* +#include "snort.h" +#include "parser.h" +#include "util.h" +#include "plugbase.h" +*/ +#include "snort_debug.h" +#include "stream_api.h" +#include "sfPolicy.h" +#include "sfPolicyUserData.h" +#include "sf_snort_packet.h" + +/* +#ifdef TARGET_BASED +#include "sftarget_protocol_reference.h" +#endif +*/ + +#include "profiler.h" + +#include "spp_sdf.h" +#include "sf_preproc_info.h" +#include "sdf_us_ssn.h" +#include "sdf_detection_option.h" +#include "sdf_pattern_match.h" + +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 1; +const int BUILD_VERSION = 1; +#ifdef SUP_IP6 +const char *PREPROC_NAME = "SF_SDF (IPV6)"; +#else +const char *PREPROC_NAME = "SF_SDF"; +#endif + +#define SetupSDF DYNAMIC_PREPROC_SETUP + +/* PROTOTYPES */ +static void SDFInit(char *args); +static void ProcessSDF(void *p, void *context); +static SDFConfig * NewSDFConfig(tSfPolicyUserContextId); +static void ParseSDFArgs(SDFConfig *config, char *args); +static void 
SDFCleanExit(int signal, void *unused); +static int SDFFreeConfig(tSfPolicyUserContextId context, tSfPolicyId id, void *pData); +static void SDFFillPacket(sdf_tree_node *node, SDFSessionData *session, + SFSnortPacket *p, uint16_t *dlen); +static void SDFPrintPseudoPacket(SDFConfig *config, SDFSessionData *session, + SFSnortPacket *real_packet); + +#ifdef SNORT_RELOAD +static void SDFReload(char *); +static void * SDFReloadSwap(void); +static void SDFReloadSwapFree(void *); +#endif + +/* GLOBALS :( */ +sdf_tree_node *head_node = NULL; +uint32_t num_patterns = 0; +tSfPolicyUserContextId sdf_context_id = NULL; + +#ifdef SNORT_RELOAD +sdf_tree_node *swap_head_node = NULL; +uint32_t swap_num_patterns = 0; +tSfPolicyUserContextId sdf_swap_context_id = NULL; +#endif + +#ifdef PERF_PROFILING +PreprocStats sdfPerfStats; +#endif + +#define IPPROTO_SDF 0xFE // TBD - use same for ps? (eg IPPROTO_SNORT?) + +/* + * Function: SetupSDF() + * + * Purpose: Registers the preprocessor keyword and initialization function + * into the preprocessor list. + * + * Arguments: None. + * + * Returns: void + * + */ +void SetupSDF(void) +{ +#ifndef SNORT_RELOAD + _dpd.registerPreproc("sensitive_data", SDFInit); +#else + _dpd.registerPreproc("sensitive_data", SDFInit, SDFReload, SDFReloadSwap, + SDFReloadSwapFree); +#endif +} + +/* + * Function: SDFInit(char *) + * + * Purpose: Processes the args sent to the preprocessor, sets up the port list, + * links the processing function into the preproc function list + * + * Arguments: args => ptr to argument string + * + * Returns: void + * + */ +void SDFInit(char *args) +{ + SDFConfig *config = NULL; + + /* Check prerequisites */ + if (_dpd.streamAPI == NULL) + { + DynamicPreprocessorFatalMessage("SDFInit(): The Stream preprocessor must be enabled.\n"); + } + + /* Create context id, register callbacks. This is only done once. 
*/ + if (sdf_context_id == NULL) + { + sdf_context_id = sfPolicyConfigCreate(); + /* Allocate the head of the pattern-matching tree */ + head_node = (sdf_tree_node *)calloc(1, sizeof(sdf_tree_node)); + if (!head_node) + DynamicPreprocessorFatalMessage("Failed to allocate memory for SDF " + "configuration.\n"); + + _dpd.addPreprocExit(SDFCleanExit, NULL, PRIORITY_LAST, PP_SDF); + +#ifdef PERF_PROFILING + _dpd.addPreprocProfileFunc("sensitive_data", (void *)&sdfPerfStats, 0, _dpd.totalPerfStats); +#endif + } + + /* Handle configuration. This is done once for each policy. */ + config = NewSDFConfig(sdf_context_id); + ParseSDFArgs(config, args); + + /* Register callbacks */ + _dpd.addDetect(ProcessSDF, PRIORITY_FIRST, PP_SDF, + PROTO_BIT__TCP | PROTO_BIT__UDP); + _dpd.preprocOptRegister(SDF_OPTION_NAME, SDFOptionInit, SDFOptionEval, + NULL, NULL, NULL, SDFOtnHandler, NULL); +} + + +/* Check the ports and target-based protocol for a given packet. + * + * Returns: 0 if the port check fails + * 1 if the packet should be inspected + */ +static int SDFCheckPorts(SDFConfig *config, SFSnortPacket *packet) +{ +#ifdef TARGET_BASED + int16_t app_ordinal = SFTARGET_UNKNOWN_PROTOCOL; + + /* Do port checks */ + app_ordinal = _dpd.streamAPI->get_application_protocol_id(packet->stream_session_ptr); + if (app_ordinal == SFTARGET_UNKNOWN_PROTOCOL) + return 0; + if (app_ordinal && (config->protocol_ordinals[app_ordinal] == 0)) + return 0; + if (app_ordinal == 0) + { +#endif + /* No target-based info for this packet. Check ports. 
*/ + if (((config->src_ports[PORT_INDEX(packet->src_port)] & CONV_PORT(packet->src_port)) == 0) || + ((config->dst_ports[PORT_INDEX(packet->dst_port)] & CONV_PORT(packet->dst_port)) == 0)) + { + return 0; + } +#ifdef TARGET_BASED + } +#endif + + return 1; +} + +/* A free function that gets registered along with our Stream session data */ +static void FreeSDFSession(void *data) +{ + SDFSessionData *session = (SDFSessionData *)data; + + if (session == NULL) + return; + + free(session->counters); + free(session->rtns_matched); + free(session); + return; +} + +/* Create a new SDF session data struct. + Returns: + Fatal Error if allocation fails + Valid ptr otherwise +*/ +static SDFSessionData * NewSDFSession(SDFConfig *config, SFSnortPacket *packet) +{ + SDFSessionData *session; + + /* Allocate new session data. */ + session = (SDFSessionData *) calloc(1, sizeof(SDFSessionData)); + if (session == NULL) + { + DynamicPreprocessorFatalMessage("Failed to allocate memory for " + "SDF preprocessor session data.\n"); + } + + if (packet->stream_session_ptr) + { + _dpd.streamAPI->set_application_data(packet->stream_session_ptr, + PP_SDF, session, FreeSDFSession); + } + + /* Allocate counters in the session data */ + session->num_patterns = num_patterns; + session->counters = calloc(session->num_patterns, sizeof(uint8_t)); + session->rtns_matched = calloc(session->num_patterns, sizeof(int8_t)); + if (session->counters == NULL || session->rtns_matched == NULL) + { + DynamicPreprocessorFatalMessage("Failed to allocate memory for " + "SDF preprocessor session data.\n"); + } + + return session; +} + +/* Search a buffer for PII. Generates alerts when enough PII is found. 
+ Returns: void +*/ +static void SDFSearch(SDFConfig *config, SFSnortPacket *packet, + SDFSessionData *session, char *position, char *end, + uint16_t buflen) +{ + while (position < end) + { + uint16_t match_length = 0; + int index; + sdf_tree_node *matched_node = NULL; + + /* Traverse the pattern tree and match PII against our data */ + matched_node = FindPii(head_node, position, &match_length, + buflen, config); + + /* Iterate through the SDFOptionData that matches this pattern. */ + if (matched_node) + { + uint16_t i; + for (i = 0; i < matched_node->num_option_data; i++) + { + SDFOptionData *found_pattern = matched_node->option_data_list[i]; + if (found_pattern->match_success) + { + /* Reset the match_success flag for subsequent matches */ + found_pattern->match_success = 0; + + /* Check the RTN for the PII we found. The IPs & ports might not match. + We only want to do this once per session */ + index = found_pattern->counter_index; + if (session->rtns_matched[index] == 0) + { + int check_ports = 1; + OptTreeNode *otn = found_pattern->otn; + RuleTreeNode *rtn = NULL; +#ifdef TARGET_BASED + uint16_t app_ordinal; + unsigned int i; +#endif + + if (_dpd.getRuntimePolicy() < otn->proto_node_num) + rtn = otn->proto_nodes[_dpd.getRuntimePolicy()]; + +#ifdef TARGET_BASED + /* Check the service against the matched OTN. */ + app_ordinal = _dpd.streamAPI->get_application_protocol_id(packet->stream_session_ptr); + for (i = 0; i < otn->sigInfo.num_services; i++) + { + if (otn->sigInfo.services[i].service_ordinal == app_ordinal) + check_ports = 0; + } +#endif + if (rtn != NULL && _dpd.fpEvalRTN(rtn, packet, check_ports)) + session->rtns_matched[index] = 1; + else + session->rtns_matched[index] = -1; + } + + if (session->rtns_matched[index] == 1) + { + /* Increment counters */ + session->counters[found_pattern->counter_index]++; + + /* Obfuscate the data. + We do this even if it's not time to alert, to obfuscate each match. 
*/ + if (config->mask_output) + { + uint16_t offset, ob_length = 0; + + /* Only obfuscate built-in patterns */ + if (found_pattern->validate_func) + { + offset = (uint16_t) (position - (char *)packet->payload); + + if (match_length > SDF_OBFUSCATION_DIGITS_SHOWN) + ob_length = match_length - SDF_OBFUSCATION_DIGITS_SHOWN; + + /* The CC# and SS# patterns now contain non-digits on either + side of the actual number. Adjust the mask to match. */ + offset = offset + 1; + ob_length = ob_length - 2; + + _dpd.obApi->addObfuscationEntry(packet, offset, ob_length, + SDF_OBFUSCATION_CHAR); + } + } + + if (session->counters[found_pattern->counter_index] == found_pattern->count) + { + + /* Raise the alert for this particular pattern */ + _dpd.alertAdd(GENERATOR_SPP_SDF_RULES, + found_pattern->otn->sigInfo.id, + found_pattern->otn->sigInfo.rev, + found_pattern->otn->sigInfo.class_id, + found_pattern->otn->sigInfo.priority, + found_pattern->otn->sigInfo.message, + 0); + } + } + } + } + + /* Check the global counter and alert */ + session->global_counter++; + if (session->global_counter == config->threshold) + { + /* Do our "combo alert" */ + SDFPrintPseudoPacket(config, session, packet); + _dpd.genSnortEvent(config->pseudo_packet, + GENERATOR_SPP_SDF_PREPROC, + SDF_COMBO_ALERT_SID, + SDF_COMBO_ALERT_REV, + SDF_COMBO_ALERT_CLASS, + SDF_COMBO_ALERT_PRIORITY, + SDF_COMBO_ALERT_STR); + } + + /* Update position */ + position += match_length; + buflen -= match_length; + } + else + { + position++; + buflen--; + } + } +} + +/* + * Function: ProcessSDF(void *, void *) + * + * Purpose: Inspects a packet's payload for Personally Identifiable Information + * + * Arguments: p => poitner to the current packet data struct + * context => unused void pointer + * + * Returns: void + * + */ +static void ProcessSDF(void *p, void *context) +{ + tSfPolicyId policy_id; + SDFConfig *config = NULL; + SFSnortPacket *packet = (SFSnortPacket *)p; + SDFSessionData *session; + char *begin, *end; + uint16_t 
buflen; + PROFILE_VARS; + + /* Check if we should be working on this packet */ + if (( !packet ) || // No packet + ( !packet->payload ) || // No data + ( !packet->payload_size ) || // No data size + ( !IPH_IS_VALID(packet) ) || // Invalid IP Header + ( !packet->tcp_header && !packet->udp_header) || // No TCP/UDP Header + ( packet->flags & FLAG_STREAM_INSERT )) // Waiting on stream reassembly + { + return; + } + + /* Retrieve the corresponding config for this packet */ + policy_id = _dpd.getRuntimePolicy(); + sfPolicyUserPolicySet (sdf_context_id, policy_id); + config = sfPolicyUserDataGetCurrent(sdf_context_id); + + /* Retrieve stream session data. Create one if it doesn't exist. */ + session = _dpd.streamAPI->get_application_data(packet->stream_session_ptr, PP_SDF); + if (session == NULL) + { + /* Do port checks */ + if (SDFCheckPorts(config, packet) == 0) + { + return; + } + + /* If there's no stream session, we'll just count PII for one packet */ + if (packet->stream_session_ptr == NULL) + { + if (config->stateless_session == NULL) + config->stateless_session = NewSDFSession(config, packet); + + session = config->stateless_session; + memset(session->counters, 0, session->num_patterns); + memset(session->rtns_matched, 0, session->num_patterns); + } + else + session = NewSDFSession(config, packet); + } + + PREPROC_PROFILE_START(sdfPerfStats); + + /* Inspect HTTP Body or Email attachments. */ + if (_dpd.fileDataBuf->len > 0) + { + begin = (char *) _dpd.fileDataBuf->data; + buflen = _dpd.fileDataBuf->len; + end = begin + buflen; + + SDFSearch(config, packet, session, begin, end, buflen); + } + + /* If this packet is HTTP, inspect the URI and Client Body while ignoring headers. 
*/ + if (packet->flags & FLAG_HTTP_DECODE) + { + if (_dpd.uriBuffers[HTTP_BUFFER_URI]->uriLength > 0) + { + begin = (char *) _dpd.uriBuffers[HTTP_BUFFER_URI]->uriBuffer; + buflen = _dpd.uriBuffers[HTTP_BUFFER_URI]->uriLength; + end = begin + buflen; + + SDFSearch(config, packet, session, begin, end, buflen); + } + if (_dpd.uriBuffers[HTTP_BUFFER_CLIENT_BODY]->uriLength > 0) + { + begin = (char *) _dpd.uriBuffers[HTTP_BUFFER_CLIENT_BODY]->uriBuffer; + buflen = _dpd.uriBuffers[HTTP_BUFFER_CLIENT_BODY]->uriLength; + end = begin + buflen; + + SDFSearch(config, packet, session, begin, end, buflen); + } + } + else + { + /* Only inspect raw packet payload on non-HTTP. This is done so that + when server_flow_depth == -1, we don't inspect anyway. */ + begin = (char *)packet->payload; + buflen = packet->payload_size; + end = begin + buflen; + + SDFSearch(config, packet, session, begin, end, buflen); + } + + /* End. */ + PREPROC_PROFILE_END(sdfPerfStats); + return; +} + +static void DisplaySDFConfig(SDFConfig *config) +{ + if (config == NULL) + return; + + _dpd.logMsg("Sensitive Data preprocessor config: \n"); + _dpd.logMsg(" Global Alert Threshold: %d\n", config->threshold); + _dpd.logMsg(" Masked Output: %s\n", + config->mask_output ? "ENABLED" : "DISABLED" ); +} + +/* + * Function: ParseSDFArgs(SDFConfig *, char *) + * + * Purpose: Parse the arguments to the SDF preprocessor and instantiate a + * SDFConfig struct. + * + * Arguments: config => pointer to a newly-allocated SDFConfig struct, which + * will be modified. + * args => pointer to string containing SDF preproc arguments. 
+ * + * Returns: void + * + */ +static void ParseSDFArgs(SDFConfig *config, char *args) +{ + char *argcpy = NULL; + char *cur_tokenp = NULL; + + if (config == NULL || args == NULL) return; + + /* Set default options */ + SSNSetDefaultGroups(config); + + /* Copy args so that we can break them up wtih strtok */ + argcpy = strdup(args); + if (argcpy == NULL) + DynamicPreprocessorFatalMessage("Could not allocate memory to parse " + "SDF options.\n"); + + cur_tokenp = strtok(argcpy, " "); + + /* Loop through config options */ + while (cur_tokenp) + { + /* Parse the global PII threshold */ + if (!strcmp(cur_tokenp, SDF_THRESHOLD_KEYWORD)) + { + char *endptr; + + cur_tokenp = strtok(NULL, " "); + if (cur_tokenp == NULL) + { + DynamicPreprocessorFatalMessage("SDF preprocessor config option " + "\"%s\" requires an argument.\n", SDF_THRESHOLD_KEYWORD); + } + + if (*cur_tokenp == '-') + { + DynamicPreprocessorFatalMessage("SDF preprocessor config option " + "\"%s\" cannot take a negative argument.\n", + SDF_THRESHOLD_KEYWORD); + } + + config->threshold = _dpd.SnortStrtoul(cur_tokenp, &endptr, 10); + if (config->threshold == 0 || config->threshold > USHRT_MAX) + { + DynamicPreprocessorFatalMessage("SDF preprocessor config option " + "\"%s\" must have an argument between 1 - %u.\n", + SDF_THRESHOLD_KEYWORD, USHRT_MAX); + } + if (*endptr != '\0') + { + DynamicPreprocessorFatalMessage("Invalid argument to SDF config " + "option \"%s\": %s", SDF_THRESHOLD_KEYWORD, cur_tokenp); + } + } + /* Parse the output masking option */ + else if (!strcmp(cur_tokenp, SDF_MASK_KEYWORD)) + { + config->mask_output = 1; + } + /* Parse the file containing new SSN group data */ + else if (!strcmp(cur_tokenp, SDF_SSN_FILE_KEYWORD)) + { + int iRet; + + cur_tokenp = strtok(NULL, " "); + if (cur_tokenp == NULL) + { + DynamicPreprocessorFatalMessage("SDF preprocessor config option " + "\"%s\" requires an argument.\n", SDF_SSN_FILE_KEYWORD); + } + + iRet = ParseSSNGroups(cur_tokenp, config); + if (iRet < 
0) + { + DynamicPreprocessorFatalMessage("Error parsing Social Security " + "group data from file: %s", cur_tokenp); + } + } + + cur_tokenp = strtok(NULL, " "); + } + + /* Cleanup */ + DisplaySDFConfig(config); + free(argcpy); + argcpy = NULL; +} + +/* Allocate & Initialize the pseudo-packet used for logging combo alerts. + * + * Returns: 0 on success, -1 on error. + */ +static int SDFPacketInit(SDFConfig *config) +{ + config->pseudo_packet = _dpd.encodeNew(); + return 0; +} + +/* + * Function: NewSDFConfig(void) + * + * Purpose: Create a new SDFConfig for the current parser policy. + * + * Arguments: context => context ID to use when creating config + * + * Returns: Pointer to newly created SDFConfig struct. + * + */ +static SDFConfig * NewSDFConfig(tSfPolicyUserContextId context) +{ + SDFConfig *config = NULL; + tSfPolicyId policy_id = _dpd.getParserPolicy(); + + /* Check for an existing configuration in this policy */ + sfPolicyUserPolicySet(context, policy_id); + + config = (SDFConfig *) sfPolicyUserDataGetCurrent(context); + if (config) + DynamicPreprocessorFatalMessage("SDF preprocessor can only be " + "configured once.\n"); + + /* Create and store config */ + config = (SDFConfig *)calloc(1, sizeof(SDFConfig)); + if (!config) + DynamicPreprocessorFatalMessage("Failed to allocate memory for SDF " + "configuration.\n"); + sfPolicyUserDataSetCurrent(context, config); + + /* Allocate the pseudo-packet used for logging */ + SDFPacketInit(config); + + return config; +} + +/* + * Function: SDFCleanExit(int, void *) + * + * Purpose: Free memory used by the SDF preprocessor before Snort exits. + * + * Arguments: Signal sent to Snort, unused void pointer + * + * Returns: void + * + */ +static void SDFCleanExit(int signal, void *unused) +{ + /* Free the individual configs. 
*/ + if (sdf_context_id == NULL) + return; + + sfPolicyUserDataIterate(sdf_context_id, SDFFreeConfig); + sfPolicyConfigDelete(sdf_context_id); + sdf_context_id = NULL; + + if (head_node) + FreePiiTree(head_node); +} + +/* + * Function: SDFFreeConfig(tSfPolicyUserContextId, tSfPolicyId, void *) + * + * Purpose: Callback that frees a SDFConfig struct correctly, and clears data + * from the policy. + * + * Arguments: context => context ID for the SDF preprocessor + * id => policy ID for the policy being destroyed + * pData => pointer to SDFConfig struct that gets freed + * + * Returns: zero + * + */ +static int SDFFreeConfig(tSfPolicyUserContextId context, tSfPolicyId id, void *pData) +{ + SDFConfig *config = (SDFConfig *)pData; + + sfPolicyUserDataClear(context, id); + + _dpd.encodeDelete(config->pseudo_packet); + FreeSDFSession(config->stateless_session); + + free(config); + return 0; +} + +#ifdef SNORT_RELOAD +static void SDFReload(char *args) +{ + SDFConfig *config = NULL; + + if (sdf_swap_context_id == NULL) + { + sdf_swap_context_id = sfPolicyConfigCreate(); + + if (sdf_swap_context_id == NULL) + { + DynamicPreprocessorFatalMessage("Failed to allocate " + "memory for SDF config.\n"); + } + + if (_dpd.streamAPI == NULL) + { + DynamicPreprocessorFatalMessage("SetupSDF(): The Stream preprocessor " + "must be enabled.\n"); + } + + /* Allocate the head of the pattern-matching tree */ + swap_head_node = (sdf_tree_node *)calloc(1, sizeof(sdf_tree_node)); + if (!swap_head_node) + DynamicPreprocessorFatalMessage("Failed to allocate memory for SDF " + "configuration.\n"); + } + + config = NewSDFConfig(sdf_swap_context_id); + ParseSDFArgs(config, args); + + _dpd.addDetect(ProcessSDF, PRIORITY_FIRST, PP_SDF, + PROTO_BIT__TCP | PROTO_BIT__UDP); + _dpd.preprocOptRegister(SDF_OPTION_NAME, SDFOptionInit, SDFOptionEval, + NULL, NULL, NULL, SDFOtnHandler, NULL); +} + +static void * SDFReloadSwap(void) +{ + tSfPolicyUserContextId old_context_id = sdf_context_id; + sdf_tree_node 
*old_head_node = head_node; + + if (old_context_id == NULL || sdf_swap_context_id == NULL || + old_head_node == NULL || swap_head_node == NULL) + return NULL; + + sdf_context_id = sdf_swap_context_id; + sdf_swap_context_id = NULL; + + head_node = swap_head_node; + num_patterns = swap_num_patterns; + + FreePiiTree(old_head_node); + swap_head_node = NULL; + swap_num_patterns = 0; + + return (void *) old_context_id; +} + +static void SDFReloadSwapFree(void *data) +{ + tSfPolicyUserContextId context = (tSfPolicyUserContextId) data; + if (context == NULL) + return; + + sfPolicyUserDataIterate(context, SDFFreeConfig); + sfPolicyConfigDelete(context); +} +#endif + +/* +* checksum IP - header=20+ bytes +* +* w - short words of data +* blen - byte length +* +*/ +static inline unsigned short in_chksum_ip( unsigned short * w, int blen ) +{ + unsigned int cksum; + + /* IP must be >= 20 bytes */ + cksum = w[0]; + cksum += w[1]; + cksum += w[2]; + cksum += w[3]; + cksum += w[4]; + cksum += w[5]; + cksum += w[6]; + cksum += w[7]; + cksum += w[8]; + cksum += w[9]; + + blen -= 20; + w += 10; + + while( blen ) /* IP-hdr must be an integral number of 4 byte words */ + { + cksum += w[0]; + cksum += w[1]; + w += 2; + blen -= 4; + } + + cksum = (cksum >> 16) + (cksum & 0x0000ffff); + cksum += (cksum >> 16); + + return (unsigned short) (~cksum); +} + +static void SDFPrintPseudoPacket(SDFConfig *config, SDFSessionData *session, + SFSnortPacket *real_packet) +{ + SFSnortPacket* p = config->pseudo_packet; + + if (config == NULL || session == NULL || real_packet == NULL) + return; + + _dpd.encodeFormat(ENC_DYN_FWD|ENC_DYN_NET, real_packet, config->pseudo_packet, PSEUDO_PKT_SDF); + + if ( IS_IP4(real_packet) ) + { + ((IPV4Header *)p->ip4_header)->proto = IPPROTO_SDF; +#ifdef SUP_IP6 + p->inner_ip4h.ip_proto = IPPROTO_SDF; +#endif + } +#ifdef SUP_IP6 + else if (IS_IP6(p)) + { + // FIXTHIS assumes there are no ip6 extension headers + p->inner_ip6h.next = IPPROTO_SDF; + p->ip6h = &p->inner_ip6h; 
+ } +#endif + + /* Fill in the payload with SDF alert info */ + SDFFillPacket(head_node, session, p, &p->payload_size); + + _dpd.encodeUpdate(config->pseudo_packet); + +#ifdef SUP_IP6 + if (real_packet->family == AF_INET) + { + p->ip4h->ip_len = p->ip4_header->data_length; + } + else + { + IP6RawHdr* ip6h = (IP6RawHdr*)p->raw_ip6_header; + if ( ip6h ) p->ip6h->len = ip6h->payload_len; + } +#endif +} + +/* This function traverses the pattern tree and prints out the relevant + * info into a provided pseudo-packet. */ +static void SDFFillPacket(sdf_tree_node *node, SDFSessionData *session, + SFSnortPacket *p, uint16_t *dlen) +{ + uint16_t i; + + if (node == NULL || session == NULL || p == NULL || dlen == NULL) + return; + + /* Recurse to the leaves of the pattern tree */ + for (i = 0; i < node->num_children; i++) + { + SDFFillPacket(node->children[i], session, p, dlen); + } + + for (i = 0; i < node->num_option_data; i++) + { + SDFOptionData * option_data = node->option_data_list[i]; + + /* Print the info from leaves */ + if (option_data) + { + uint32_t index = option_data->counter_index; + uint8_t counter = session->counters[index]; + if (counter > 0) + { + /* Print line */ + char *sigmessage = option_data->otn->sigInfo.message; + uint8_t *dest = (uint8_t*)p->payload + *dlen; + size_t siglen = strlen(sigmessage); + uint16_t space_left = p->max_payload - *dlen; + + if (space_left < siglen + SDF_ALERT_LENGTH) + return; + + *dlen += (siglen + SDF_ALERT_LENGTH); + snprintf((char *)dest, space_left, "%s: %3d", sigmessage, counter); + } + } + } + + return; +} + + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sdf/spp_sdf.h snort-2.9.2/src/dynamic-preprocessors/sdf/spp_sdf.h --- snort-2.8.5.2/src/dynamic-preprocessors/sdf/spp_sdf.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/sdf/spp_sdf.h 2011-02-09 23:23:23.000000000 +0000 
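Review bot: The obfuscation entry in SDFSearch can be handed a wrapped length and a wrong offset: `ob_length = ob_length - 2` is a uint16_t subtraction, so any match no longer than SDF_OBFUSCATION_DIGITS_SHOWN+1 leaves ob_length at 0 or 1 and the result wraps to 65534 or 65535, and `offset` is computed relative to `packet->payload` even though ProcessSDF also calls SDFSearch on `_dpd.fileDataBuf->data` and the HTTP URI/client-body buffers, which presumably do not alias the raw payload. Because masking is what keeps the matched SSN or card number out of the alert and packet logs, both cases silently defeat the privacy control that `mask_output` promises. I would clamp the length, `if (ob_length < 2) ob_length = 0; else ob_length -= 2;`, and skip `addObfuscationEntry` unless `position` lies within `[packet->payload, packet->payload + packet->payload_size)`, or pass the search buffer's base into SDFSearch and mask relative to it. Separately, ProcessSDF uses the `config` returned by `sfPolicyUserDataGetCurrent` in SDFCheckPorts without a NULL check, and SDFPrintPseudoPacket reads `config->pseudo_packet` on the line before it tests `config == NULL`; both want the usual `if (config == NULL) return;` first. Finally, SDFReloadSwap replaces `head_node` and `num_patterns` while SDFSessionData already stored in live Stream sessions keeps `counters`/`rtns_matched` sized by the old `num_patterns`, and SDFSearch indexes them by `counter_index` without comparing against `session->num_patterns`, so unless Stream drops per-session data on reload a guard such as `if (index >= session->num_patterns) continue;` is needed to avoid out-of-bounds writes after a reconfiguration.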
@@ -0,0 +1,112 @@
+/*
+** Copyright (C) 2009-2011 Sourcefire, Inc.
+**
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License Version 2 as
+** published by the Free Software Foundation. You may not use, modify or
+** distribute this program under any other version of the GNU General
+** Public License.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+/*
+ * spp_sdf.h: Definitions, prototypes, etc. for the SDF preprocessor.
+ * Author: Ryan Jordan
+ */
+
+#ifndef SPP_SDF_H
+#define SPP_SDF_H
+
+/*#include "sdf_pattern_match.h"*/
+#include
+#include "sdf_us_ssn.h"
+#include "sdf_detection_option.h"
+
+#define GENERATOR_SPP_SDF_RULES 138
+#define GENERATOR_SPP_SDF_PREPROC 139
+
+#define MAX_PORTS 65536
+#define PORT_INDEX(port) port/8
+#define CONV_PORT(port) 1 << (port % 8)
+#define MAX_PROTOCOL_ORDINAL 8192
+
+typedef struct _sdf_tree_node
+{
+ char *pattern;
+ uint16_t num_children;
+ uint16_t num_option_data;
+ struct _sdf_tree_node **children;
+ SDFOptionData **option_data_list;
+} sdf_tree_node;
+
+typedef struct _SDFSessionData
+{
+ uint32_t num_patterns, global_counter;
+ uint8_t *counters;
+ int8_t *rtns_matched;
+} SDFSessionData;
+
+typedef struct _SDFConfig
+{
+ SFSnortPacket *pseudo_packet;
+ SDFSessionData *stateless_session;
+ uint32_t threshold;
+ uint8_t mask_output;
+ int ssn_max_group[MAX_AREA+1];
+ unsigned char src_ports[MAX_PORTS/8];
+ unsigned char dst_ports[MAX_PORTS/8];
+ unsigned char protocol_ordinals[MAX_PROTOCOL_ORDINAL];
+} SDFConfig;
+
+/* Definitions of config options */
+#define SDF_THRESHOLD_KEYWORD "alert_threshold"
+#define SDF_MASK_KEYWORD "mask_output"
+#define SDF_SSN_FILE_KEYWORD "ssn_file"
+#define SDF_OPTION_NAME "sd_pattern"
+#define SDF_OPTION_SEPARATORS ","
+
+/* Order of SDF options */
+#define SDF_OPTION_COUNT_NUM 1
+#define SDF_OPTION_PATTERN_NUM 2
+
+/* Keywords for SDF built-in option */
+
+/* This pattern matches Visa/Mastercard/Amex, with & without spaces or dashes.
+ The pattern alone would match other non-credit patterns, but the function
+ SDFLuhnAlgorithm() does stricter checking. */
+#define SDF_CREDIT_KEYWORD "credit_card"
+#define SDF_CREDIT_PATTERN_ALL "\\D\\d{4} ?-?\\d{4} ?-?\\d{2} ?-?\\d{2} ?-?\\d{3}\\d?\\D"
+
+#define SDF_SOCIAL_KEYWORD "us_social"
+#define SDF_SOCIAL_PATTERN "\\D\\d{3}-\\d{2}-\\d{4}\\D"
+
+#define SDF_SOCIAL_NODASHES_KEYWORD "us_social_nodashes"
+#define SDF_SOCIAL_NODASHES_PATTERN "\\D\\d{9}\\D"
+
+#define SDF_EMAIL_KEYWORD "email"
+#define SDF_EMAIL_PATTERN "\\w@\\w"
+
+/* Obfuscation constants */
+#define SDF_OBFUSCATION_CHAR 'X'
+#define SDF_OBFUSCATION_DIGITS_SHOWN 4
+
+/* Length of ": 255\0" */
+#define SDF_ALERT_LENGTH 6
+
+/* Combo Alert constants */
+#define SDF_COMBO_ALERT_SID 1
+#define SDF_COMBO_ALERT_REV 1
+#define SDF_COMBO_ALERT_CLASS 1
+#define SDF_COMBO_ALERT_PRIORITY 1
+#define SDF_COMBO_ALERT_STR "(spp_sdf) SDF Combination Alert"
+
+#endif
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp snort-2.9.2/src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp
--- snort-2.8.5.2/src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp 2009-10-19 17:44:04.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp 2011-10-26 18:28:52.000000000 +0000
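Review bot: `PORT_INDEX` and `CONV_PORT` are defined without parentheses around either the argument or the expansion (`port/8` and `1 << (port % 8)`), so a compound argument such as `PORT_INDEX(p + 1)` expands to `p + 1/8`, and a use like `!CONV_PORT(p)` binds the operator to the `1` rather than to the shift. Because these macros compute the byte index and bit mask for the fixed-size `src_ports`/`dst_ports` bitmaps declared in `SDFConfig`, a mis-expanded index can reach past the 8192-byte arrays rather than merely give a wrong answer; the current callers may all pass plain identifiers, but the header offers no protection against the next one. Suggest `#define PORT_INDEX(port) ((port) / 8)` and `#define CONV_PORT(port) (1 << ((port) % 8))`. Separately, the struct tags `_sdf_tree_node`, `_SDFSessionData` and `_SDFConfig` sit in the identifier space C reserves for the implementation (leading underscore at file scope; underscore followed by an uppercase letter anywhere), and dropping the underscore avoids that.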
@@ -91,13 +91,13 @@ # Name "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Source File -SOURCE=..\..\sfutil\bitop.h +SOURCE="..\..\dynamic-plugins\attribute_table_api.h" !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\sfutil\bitop.h -InputName=bitop +InputPath="..\..\dynamic-plugins\attribute_table_api.h" +InputName=attribute_table_api "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -108,8 +108,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\sfutil\bitop.h -InputName=bitop +InputPath="..\..\dynamic-plugins\attribute_table_api.h" +InputName=attribute_table_api "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -120,8 +120,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\sfutil\bitop.h -InputName=bitop +InputPath="..\..\dynamic-plugins\attribute_table_api.h" +InputName=attribute_table_api "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -132,8 +132,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\sfutil\bitop.h -InputName=bitop +InputPath="..\..\dynamic-plugins\attribute_table_api.h" +InputName=attribute_table_api "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -146,13 +146,13 @@ # End Source File # Begin Source File -SOURCE=..\..\bounds.h +SOURCE=..\..\sfutil\bitop.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\bounds.h -InputName=bounds +InputPath=..\..\sfutil\bitop.h +InputName=bitop "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include 
@@ -163,8 +163,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\bounds.h -InputName=bounds +InputPath=..\..\sfutil\bitop.h +InputName=bitop "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -175,8 +175,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\bounds.h -InputName=bounds +InputPath=..\..\sfutil\bitop.h +InputName=bitop "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -187,8 +187,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\bounds.h -InputName=bounds +InputPath=..\..\sfutil\bitop.h +InputName=bitop "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include 
@@ -256,82 +256,109 @@ # End Source File # Begin Source File -SOURCE=..\..\debug.h +SOURCE=..\..\event.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\debug.h -InputName=debug - -BuildCmds= \ - mkdir ..\include \ - copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/DebugMessageFile = /*_dpd.debugMsgFile = /" -e "s/DebugMessageLine = /*_dpd.debugMsgLine = /" -e "s/; DebugMessageFunc$/; _dpd.debugMsg/" -e "s/; DebugWideMessageFunc$/; _dpd.debugWideMsg/" ../include/$(InputName).h.new > ../include/$(InputName).h \ - +InputPath=..\..\event.h +InputName=event "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) - -"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) + mkdir ..\include + copy $(InputPath) ..\include + # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\debug.h -InputName=debug - -BuildCmds= \ - mkdir ..\include \ - copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/DebugMessageFile = /*_dpd.debugMsgFile = /" -e "s/DebugMessageLine = /*_dpd.debugMsgLine = /" -e "s/; DebugMessageFunc$/; _dpd.debugMsg/" -e "s/; DebugWideMessageFunc$/; _dpd.debugWideMsg/" ../include/$(InputName).h.new > ../include/$(InputName).h \ - +InputPath=..\..\event.h +InputName=event "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) - -"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) + mkdir ..\include + copy $(InputPath) ..\include + # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\debug.h -InputName=debug +InputPath=..\..\event.h +InputName=event -BuildCmds= \ - mkdir ..\include \ - copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/DebugMessageFile = /*_dpd.debugMsgFile = /" -e "s/DebugMessageLine = 
/*_dpd.debugMsgLine = /" -e "s/; DebugMessageFunc$/; _dpd.debugMsg/" -e "s/; DebugWideMessageFunc$/; _dpd.debugWideMsg/" ../include/$(InputName).h.new > ../include/$(InputName).h \ +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\event.h +InputName=event "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build -"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\idle_processing.h + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\idle_processing.h +InputName=idle_processing + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + # End Custom Build -!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\debug.h -InputName=debug +InputPath=..\..\idle_processing.h +InputName=idle_processing -BuildCmds= \ - mkdir ..\include \ - copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/DebugMessageFile = /*_dpd.debugMsgFile = /" -e "s/DebugMessageLine = /*_dpd.debugMsgLine = /" -e "s/; DebugMessageFunc$/; _dpd.debugMsg/" -e "s/; DebugWideMessageFunc$/; _dpd.debugWideMsg/" ../include/$(InputName).h.new > ../include/$(InputName).h \ +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\idle_processing.h +InputName=idle_processing "..\include\$(InputName).h" : $(SOURCE) 
"$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build -"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\idle_processing.h +InputName=idle_processing + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + # End Custom Build !ENDIF @@ -460,7 +487,7 @@ BuildCmds= \ mkdir ..\include \ copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/->iph->ip_src/->ip4_header->source/" -e "s/->iph->ip_dst/->ip4_header->destination/" -e "s/->iph->/->ip4_header->/" -e "s/->iph$$/->ip4_header/" -e "s/orig_iph/orig_ip4_header/" -e "s/ip_verhl/version_headerlength/" -e "s/ip_tos/type_service/" -e "s/ip_len/data_length/" -e "s/ip_id/identifier/" -e "s/ip_off/offset/" -e "s/ip_ttl/time_to_live/" -e "s/ip_proto/proto/" -e "s/ip_csum/checksum/" -e "s/p->iph$/p->ip4_header/" ../include/$(InputName).h.new > ../include/$(InputName).h \ + c:\cygwin\bin\sed -e "s/->iph->ip_src/->ip4_header->source/" -e "s/->iph->ip_dst/->ip4_header->destination/" -e "s/->iph->/->ip4_header->/" -e "s/->iph$/->ip4_header/" -e "s/orig_iph$/orig_ip4_header/" -e "s/ip_verhl/version_headerlength/" -e "s/ip_tos/type_service/" -e "s/ip_len/data_length/" -e "s/ip_id/identifier/" -e "s/ip_off/offset/" -e "s/ip_ttl/time_to_live/" -e "s/ip_proto/proto/" -e "s/ip_csum/checksum/" -e "s/p->iph$/p->ip4_header/" ../include/$(InputName).h.new > ../include/$(InputName).h \ "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" 
@@ -479,7 +506,7 @@ BuildCmds= \ mkdir ..\include \ copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/->iph->ip_src/->ip4_header->source/" -e "s/->iph->ip_dst/->ip4_header->destination/" -e "s/->iph->/->ip4_header->/" -e "s/->iph$$/->ip4_header/" -e "s/orig_iph/orig_ip4_header/" -e "s/ip_verhl/version_headerlength/" -e "s/ip_tos/type_service/" -e "s/ip_len/data_length/" -e "s/ip_id/identifier/" -e "s/ip_off/offset/" -e "s/ip_ttl/time_to_live/" -e "s/ip_proto/proto/" -e "s/ip_csum/checksum/" -e "s/p->iph$/p->ip4_header/" ../include/$(InputName).h.new > ../include/$(InputName).h \ + c:\cygwin\bin\sed -e "s/->iph->ip_src/->ip4_header->source/" -e "s/->iph->ip_dst/->ip4_header->destination/" -e "s/->iph->/->ip4_header->/" -e "s/->iph$/->ip4_header/" -e "s/orig_iph$/orig_ip4_header/" -e "s/ip_verhl/version_headerlength/" -e "s/ip_tos/type_service/" -e "s/ip_len/data_length/" -e "s/ip_id/identifier/" -e "s/ip_off/offset/" -e "s/ip_ttl/time_to_live/" -e "s/ip_proto/proto/" -e "s/ip_csum/checksum/" -e "s/p->iph$/p->ip4_header/" ../include/$(InputName).h.new > ../include/$(InputName).h \ "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" 
@@ -498,7 +525,7 @@ BuildCmds= \ mkdir ..\include \ copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/->iph->ip_src/->ip4_header->source/" -e "s/->iph->ip_dst/->ip4_header->destination/" -e "s/->iph->/->ip4_header->/" -e "s/->iph$$/->ip4_header/" -e "s/orig_iph/orig_ip4_header/" -e "s/ip_verhl/version_headerlength/" -e "s/ip_tos/type_service/" -e "s/ip_len/data_length/" -e "s/ip_id/identifier/" -e "s/ip_off/offset/" -e "s/ip_ttl/time_to_live/" -e "s/ip_proto/proto/" -e "s/ip_csum/checksum/" -e "s/p->iph$/p->ip4_header/" ../include/$(InputName).h.new > ../include/$(InputName).h \ + c:\cygwin\bin\sed -e "s/->iph->ip_src/->ip4_header->source/" -e "s/->iph->ip_dst/->ip4_header->destination/" -e "s/->iph->/->ip4_header->/" -e "s/->iph$/->ip4_header/" -e "s/orig_iph$/orig_ip4_header/" -e "s/ip_verhl/version_headerlength/" -e "s/ip_tos/type_service/" -e "s/ip_len/data_length/" -e "s/ip_id/identifier/" -e "s/ip_off/offset/" -e "s/ip_ttl/time_to_live/" -e "s/ip_proto/proto/" -e "s/ip_csum/checksum/" -e "s/p->iph$/p->ip4_header/" ../include/$(InputName).h.new > ../include/$(InputName).h \ "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" 
@@ -517,7 +544,7 @@ BuildCmds= \ mkdir ..\include \ copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/->iph->ip_src/->ip4_header->source/" -e "s/->iph->ip_dst/->ip4_header->destination/" -e "s/->iph->/->ip4_header->/" -e "s/->iph$$/->ip4_header/" -e "s/orig_iph/orig_ip4_header/" -e "s/ip_verhl/version_headerlength/" -e "s/ip_tos/type_service/" -e "s/ip_len/data_length/" -e "s/ip_id/identifier/" -e "s/ip_off/offset/" -e "s/ip_ttl/time_to_live/" -e "s/ip_proto/proto/" -e "s/ip_csum/checksum/" -e "s/p->iph$/p->ip4_header/" ../include/$(InputName).h.new > ../include/$(InputName).h \ + c:\cygwin\bin\sed -e "s/->iph->ip_src/->ip4_header->source/" -e "s/->iph->ip_dst/->ip4_header->destination/" -e "s/->iph->/->ip4_header->/" -e "s/->iph$/->ip4_header/" -e "s/orig_iph$/orig_ip4_header/" -e "s/ip_verhl/version_headerlength/" -e "s/ip_tos/type_service/" -e "s/ip_len/data_length/" -e "s/ip_id/identifier/" -e "s/ip_off/offset/" -e "s/ip_ttl/time_to_live/" -e "s/ip_proto/proto/" -e "s/ip_csum/checksum/" -e "s/p->iph$/p->ip4_header/" ../include/$(InputName).h.new > ../include/$(InputName).h \ "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" 
@@ -532,54 +559,82 @@ # End Source File # Begin Source File -SOURCE=..\..\preprocids.h +SOURCE=..\..\mempool.c !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\preprocids.h -InputName=preprocids +InputPath=..\..\mempool.c +InputName=mempool -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).c.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" -e "s/ErrorMessage/_dpd.errMsg/" -e "s/LogMessage /_dpd.logMsg /" -e "/util.h/d" ../include/$(InputName).c.new > ../include/$(InputName).c \ + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).c.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\preprocids.h -InputName=preprocids +InputPath=..\..\mempool.c +InputName=mempool -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).c.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" -e "s/ErrorMessage/_dpd.errMsg/" -e "s/LogMessage /_dpd.logMsg /" -e "/util.h/d" ../include/$(InputName).c.new > ../include/$(InputName).c \ + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).c.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build 
-InputPath=..\..\preprocids.h -InputName=preprocids +InputPath=..\..\mempool.c +InputName=mempool -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).c.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" -e "s/ErrorMessage/_dpd.errMsg/" -e "s/LogMessage /_dpd.logMsg /" -e "/util.h/d" ../include/$(InputName).c.new > ../include/$(InputName).c \ + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).c.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\preprocids.h -InputName=preprocids +InputPath=..\..\mempool.c +InputName=mempool -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).c.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" -e "s/ErrorMessage/_dpd.errMsg/" -e "s/LogMessage /_dpd.logMsg /" -e "/util.h/d" ../include/$(InputName).c.new > ../include/$(InputName).c \ + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).c.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ENDIF 
@@ -587,54 +642,82 @@ # End Source File # Begin Source File -SOURCE=..\..\profiler.h +SOURCE=..\..\mempool.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\profiler.h -InputName=profiler +InputPath=..\..\mempool.h +InputName=mempool -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" -e "s/ErrorMessage/_dpd.errMsg/" -e "s/LogMessage /_dpd.logMsg /" -e "/util.h/d" ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\profiler.h -InputName=profiler +InputPath=..\..\mempool.h +InputName=mempool -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" -e "s/ErrorMessage/_dpd.errMsg/" -e "s/LogMessage /_dpd.logMsg /" -e "/util.h/d" ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\profiler.h 
-InputName=profiler +InputPath=..\..\mempool.h +InputName=mempool -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" -e "s/ErrorMessage/_dpd.errMsg/" -e "s/LogMessage /_dpd.logMsg /" -e "/util.h/d" ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\profiler.h -InputName=profiler +InputPath=..\..\mempool.h +InputName=mempool -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" -e "s/ErrorMessage/_dpd.errMsg/" -e "s/LogMessage /_dpd.logMsg /" -e "/util.h/d" ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ENDIF 
@@ -642,54 +725,82 @@ # End Source File # Begin Source File -SOURCE="..\..\dynamic-plugins\sf_dynamic_common.h" +SOURCE=..\..\obfuscation.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_dynamic_common.h" -InputName=sf_dynamic_common +InputPath=..\..\obfuscation.h +InputName=obfuscation -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "s/Packet /SFSnortPacket /" -e "s/decode.h/sf_snort_packet.h/" -e "/sfportobject\.h/d" -e "s/PortObject/void/g" ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_dynamic_common.h" -InputName=sf_dynamic_common +InputPath=..\..\obfuscation.h +InputName=obfuscation -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "s/Packet /SFSnortPacket /" -e "s/decode.h/sf_snort_packet.h/" -e "/sfportobject\.h/d" -e "s/PortObject/void/g" ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_dynamic_common.h" -InputName=sf_dynamic_common +InputPath=..\..\obfuscation.h +InputName=obfuscation -"..\include\$(InputName).h" : 
$(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include - -# End Custom Build +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "s/Packet /SFSnortPacket /" -e "s/decode.h/sf_snort_packet.h/" -e "/sfportobject\.h/d" -e "s/PortObject/void/g" ../include/$(InputName).h.new > ../include/$(InputName).h \ + + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_dynamic_common.h" -InputName=sf_dynamic_common +InputPath=..\..\obfuscation.h +InputName=obfuscation -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "s/Packet /SFSnortPacket /" -e "s/decode.h/sf_snort_packet.h/" -e "/sfportobject\.h/d" -e "s/PortObject/void/g" ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ENDIF @@ -697,13 +808,13 @@ # End Source File # Begin Source File -SOURCE="..\..\dynamic-plugins\sf_dynamic_define.h" +SOURCE=..\..\pcap_pkthdr32.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_dynamic_define.h" -InputName=sf_dynamic_define +InputPath=..\..\pcap_pkthdr32.h +InputName=pcap_pkthdr32 "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include 
@@ -714,8 +825,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_dynamic_define.h" -InputName=sf_dynamic_define +InputPath=..\..\pcap_pkthdr32.h +InputName=pcap_pkthdr32 "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -726,8 +837,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_dynamic_define.h" -InputName=sf_dynamic_define +InputPath=..\..\pcap_pkthdr32.h +InputName=pcap_pkthdr32 "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -738,8 +849,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_dynamic_define.h" -InputName=sf_dynamic_define +InputPath=..\..\pcap_pkthdr32.h +InputName=pcap_pkthdr32 "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -752,13 +863,13 @@ # End Source File # Begin Source File -SOURCE="..\..\dynamic-plugins\sf_dynamic_engine.h" +SOURCE=..\..\plugin_enum.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_dynamic_engine.h" -InputName=sf_dynamic_engine +InputPath=..\..\plugin_enum.h +InputName=plugin_enum "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -769,8 +880,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_dynamic_engine.h" -InputName=sf_dynamic_engine +InputPath=..\..\plugin_enum.h +InputName=plugin_enum "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include 
@@ -781,8 +892,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_dynamic_engine.h" -InputName=sf_dynamic_engine +InputPath=..\..\plugin_enum.h +InputName=plugin_enum "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -793,8 +904,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_dynamic_engine.h" -InputName=sf_dynamic_engine +InputPath=..\..\plugin_enum.h +InputName=plugin_enum "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -807,13 +918,13 @@ # End Source File # Begin Source File -SOURCE="..\..\dynamic-plugins\sf_dynamic_meta.h" +SOURCE=..\..\preprocids.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_dynamic_meta.h" -InputName=sf_dynamic_meta +InputPath=..\..\preprocids.h +InputName=preprocids "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -824,8 +935,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_dynamic_meta.h" -InputName=sf_dynamic_meta +InputPath=..\..\preprocids.h +InputName=preprocids "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -836,8 +947,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_dynamic_meta.h" -InputName=sf_dynamic_meta +InputPath=..\..\preprocids.h +InputName=preprocids "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include 
@@ -848,8 +959,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_dynamic_meta.h" -InputName=sf_dynamic_meta +InputPath=..\..\preprocids.h +InputName=preprocids "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -862,15 +973,15 @@ # End Source File # Begin Source File -SOURCE="..\..\dynamic-plugins\sf_preproc_example\sf_dynamic_preproc_lib.c" +SOURCE=..\..\profiler.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_preproc_example\sf_dynamic_preproc_lib.c" -InputName=sf_dynamic_preproc_lib +InputPath=..\..\profiler.h +InputName=profiler -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include @@ -879,10 +990,10 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_preproc_example\sf_dynamic_preproc_lib.c" -InputName=sf_dynamic_preproc_lib +InputPath=..\..\profiler.h +InputName=profiler -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include @@ -891,10 +1002,10 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_preproc_example\sf_dynamic_preproc_lib.c" -InputName=sf_dynamic_preproc_lib +InputPath=..\..\profiler.h +InputName=profiler -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include 
@@ -903,10 +1014,10 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_preproc_example\sf_dynamic_preproc_lib.c" -InputName=sf_dynamic_preproc_lib +InputPath=..\..\profiler.h +InputName=profiler -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include @@ -917,13 +1028,13 @@ # End Source File # Begin Source File -SOURCE="..\..\dynamic-plugins\sf_preproc_example\sf_dynamic_preproc_lib.h" +SOURCE=..\..\rule_option_types.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_preproc_example\sf_dynamic_preproc_lib.h" -InputName=sf_dynamic_preproc_lib +InputPath=..\..\rule_option_types.h +InputName=rule_option_types "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -934,8 +1045,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_preproc_example\sf_dynamic_preproc_lib.h" -InputName=sf_dynamic_preproc_lib +InputPath=..\..\rule_option_types.h +InputName=rule_option_types "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -946,8 +1057,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_preproc_example\sf_dynamic_preproc_lib.h" -InputName=sf_dynamic_preproc_lib +InputPath=..\..\rule_option_types.h +InputName=rule_option_types "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include 
@@ -958,8 +1069,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_preproc_example\sf_dynamic_preproc_lib.h" -InputName=sf_dynamic_preproc_lib +InputPath=..\..\rule_option_types.h +InputName=rule_option_types "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -972,15 +1083,15 @@ # End Source File # Begin Source File -SOURCE="..\..\dynamic-plugins\sf_dynamic_preprocessor.h" +SOURCE=..\..\sfutil\segment_mem.c !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_dynamic_preprocessor.h" -InputName=sf_dynamic_preprocessor +InputPath=..\..\sfutil\segment_mem.c +InputName=segment_mem -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include @@ -989,10 +1100,10 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_dynamic_preprocessor.h" -InputName=sf_dynamic_preprocessor +InputPath=..\..\sfutil\segment_mem.c +InputName=segment_mem -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include @@ -1001,10 +1112,10 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_dynamic_preprocessor.h" -InputName=sf_dynamic_preprocessor +InputPath=..\..\sfutil\segment_mem.c +InputName=segment_mem -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include 
@@ -1013,10 +1124,10 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_dynamic_preprocessor.h" -InputName=sf_dynamic_preprocessor +InputPath=..\..\sfutil\segment_mem.c +InputName=segment_mem -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include @@ -1027,15 +1138,15 @@ # End Source File # Begin Source File -SOURCE=..\..\sfutil\sf_ip.c +SOURCE=..\..\sfutil\segment_mem.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\sfutil\sf_ip.c -InputName=sf_ip +InputPath=..\..\sfutil\segment_mem.h +InputName=segment_mem -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include @@ -1044,10 +1155,10 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sf_ip.c -InputName=sf_ip +InputPath=..\..\sfutil\segment_mem.h +InputName=segment_mem -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include @@ -1056,10 +1167,10 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sf_ip.c -InputName=sf_ip +InputPath=..\..\sfutil\segment_mem.h +InputName=segment_mem -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include 
@@ -1068,10 +1179,10 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\sfutil\sf_ip.c -InputName=sf_ip +InputPath=..\..\sfutil\segment_mem.h +InputName=segment_mem -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include @@ -1082,15 +1193,15 @@ # End Source File # Begin Source File -SOURCE=..\..\sfutil\sf_ip.h +SOURCE=..\..\sfutil\sf_base64decode.c !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\sfutil\sf_ip.h -InputName=sf_ip +InputPath=..\..\sfutil\sf_base64decode.c +InputName=sf_base64decode -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include @@ -1099,10 +1210,10 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sf_ip.h -InputName=sf_ip +InputPath=..\..\sfutil\sf_base64decode.c +InputName=sf_base64decode -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include @@ -1111,10 +1222,10 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sf_ip.h -InputName=sf_ip +InputPath=..\..\sfutil\sf_base64decode.c +InputName=sf_base64decode -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include 
@@ -1123,10 +1234,10 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\sfutil\sf_ip.h -InputName=sf_ip +InputPath=..\..\sfutil\sf_base64decode.c +InputName=sf_base64decode -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include @@ -1137,13 +1248,13 @@ # End Source File # Begin Source File -SOURCE="..\..\dynamic-plugins\sf_engine\sf_snort_packet.h" +SOURCE=..\..\sfutil\sf_base64decode.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_engine\sf_snort_packet.h" -InputName=sf_snort_packet +InputPath=..\..\sfutil\sf_base64decode.h +InputName=sf_base64decode "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -1154,8 +1265,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_engine\sf_snort_packet.h" -InputName=sf_snort_packet +InputPath=..\..\sfutil\sf_base64decode.h +InputName=sf_base64decode "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -1166,8 +1277,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_engine\sf_snort_packet.h" -InputName=sf_snort_packet +InputPath=..\..\sfutil\sf_base64decode.h +InputName=sf_base64decode "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -1178,8 +1289,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_engine\sf_snort_packet.h" -InputName=sf_snort_packet +InputPath=..\..\sfutil\sf_base64decode.h +InputName=sf_base64decode "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include 
@@ -1192,13 +1303,13 @@ # End Source File # Begin Source File -SOURCE="..\..\dynamic-plugins\sf_engine\sf_snort_plugin_api.h" +SOURCE="..\..\dynamic-plugins\sf_dynamic_common.h" !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_engine\sf_snort_plugin_api.h" -InputName=sf_snort_plugin_api +InputPath="..\..\dynamic-plugins\sf_dynamic_common.h" +InputName=sf_dynamic_common "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -1209,8 +1320,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_engine\sf_snort_plugin_api.h" -InputName=sf_snort_plugin_api +InputPath="..\..\dynamic-plugins\sf_dynamic_common.h" +InputName=sf_dynamic_common "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -1221,8 +1332,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_engine\sf_snort_plugin_api.h" -InputName=sf_snort_plugin_api +InputPath="..\..\dynamic-plugins\sf_dynamic_common.h" +InputName=sf_dynamic_common "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -1233,8 +1344,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_engine\sf_snort_plugin_api.h" -InputName=sf_snort_plugin_api +InputPath="..\..\dynamic-plugins\sf_dynamic_common.h" +InputName=sf_dynamic_common "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include 
@@ -1247,13 +1358,13 @@ # End Source File # Begin Source File -SOURCE=..\..\sf_types.h +SOURCE="..\..\dynamic-plugins\sf_dynamic_define.h" !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\sf_types.h -InputName=sf_types +InputPath="..\..\dynamic-plugins\sf_dynamic_define.h" +InputName=sf_dynamic_define "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -1264,8 +1375,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\sf_types.h -InputName=sf_types +InputPath="..\..\dynamic-plugins\sf_dynamic_define.h" +InputName=sf_dynamic_define "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -1276,8 +1387,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\sf_types.h -InputName=sf_types +InputPath="..\..\dynamic-plugins\sf_dynamic_define.h" +InputName=sf_dynamic_define "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -1288,8 +1399,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\sf_types.h -InputName=sf_types +InputPath="..\..\dynamic-plugins\sf_dynamic_define.h" +InputName=sf_dynamic_define "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -1302,13 +1413,13 @@ # End Source File # Begin Source File -SOURCE=..\..\sfutil\sfhashfcn.h +SOURCE="..\..\dynamic-plugins\sf_dynamic_engine.h" !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\sfutil\sfhashfcn.h -InputName=sfhashfcn +InputPath="..\..\dynamic-plugins\sf_dynamic_engine.h" +InputName=sf_dynamic_engine "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include 
@@ -1319,8 +1430,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sfhashfcn.h -InputName=sfhashfcn +InputPath="..\..\dynamic-plugins\sf_dynamic_engine.h" +InputName=sf_dynamic_engine "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -1331,8 +1442,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sfhashfcn.h -InputName=sfhashfcn +InputPath="..\..\dynamic-plugins\sf_dynamic_engine.h" +InputName=sf_dynamic_engine "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -1343,8 +1454,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\sfutil\sfhashfcn.h -InputName=sfhashfcn +InputPath="..\..\dynamic-plugins\sf_dynamic_engine.h" +InputName=sf_dynamic_engine "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include 
@@ -1357,82 +1468,247 @@ # End Source File # Begin Source File -SOURCE="..\..\sfutil\sfPolicy.h" +SOURCE="..\..\dynamic-plugins\sf_dynamic_meta.h" !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath="..\..\sfutil\sfPolicy.h" -InputName=sfPolicy - -BuildCmds= \ - mkdir ..\include \ - copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" ../include/$(InputName).h.new > ../include/$(InputName).h \ - +InputPath="..\..\dynamic-plugins\sf_dynamic_meta.h" +InputName=sf_dynamic_meta "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) - -"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) + mkdir ..\include + copy $(InputPath) ..\include + # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath="..\..\sfutil\sfPolicy.h" -InputName=sfPolicy - -BuildCmds= \ - mkdir ..\include \ - copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" ../include/$(InputName).h.new > ../include/$(InputName).h \ - +InputPath="..\..\dynamic-plugins\sf_dynamic_meta.h" +InputName=sf_dynamic_meta "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) - -"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) + mkdir ..\include + copy $(InputPath) ..\include + # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath="..\..\sfutil\sfPolicy.h" -InputName=sfPolicy - -BuildCmds= \ - mkdir ..\include \ - copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e 
"/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" ../include/$(InputName).h.new > ../include/$(InputName).h \ - +InputPath="..\..\dynamic-plugins\sf_dynamic_meta.h" +InputName=sf_dynamic_meta + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath="..\..\dynamic-plugins\sf_dynamic_meta.h" +InputName=sf_dynamic_meta + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE="..\..\dynamic-plugins\sf_preproc_example\sf_dynamic_preproc_lib.c" + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath="..\..\dynamic-plugins\sf_preproc_example\sf_dynamic_preproc_lib.c" +InputName=sf_dynamic_preproc_lib + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath="..\..\dynamic-plugins\sf_preproc_example\sf_dynamic_preproc_lib.c" +InputName=sf_dynamic_preproc_lib + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath="..\..\dynamic-plugins\sf_preproc_example\sf_dynamic_preproc_lib.c" +InputName=sf_dynamic_preproc_lib + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build 
+InputPath="..\..\dynamic-plugins\sf_preproc_example\sf_dynamic_preproc_lib.c" +InputName=sf_dynamic_preproc_lib + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE="..\..\dynamic-plugins\sf_preproc_example\sf_dynamic_preproc_lib.h" + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath="..\..\dynamic-plugins\sf_preproc_example\sf_dynamic_preproc_lib.h" +InputName=sf_dynamic_preproc_lib + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath="..\..\dynamic-plugins\sf_preproc_example\sf_dynamic_preproc_lib.h" +InputName=sf_dynamic_preproc_lib + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath="..\..\dynamic-plugins\sf_preproc_example\sf_dynamic_preproc_lib.h" +InputName=sf_dynamic_preproc_lib + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath="..\..\dynamic-plugins\sf_preproc_example\sf_dynamic_preproc_lib.h" +InputName=sf_dynamic_preproc_lib + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE="..\..\dynamic-plugins\sf_dynamic_preprocessor.h" + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath="..\..\dynamic-plugins\sf_dynamic_preprocessor.h" 
+InputName=sf_dynamic_preprocessor + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "s/Packet /SFSnortPacket /" -e "s/decode.h/sf_snort_packet.h/" -e "/sfportobject\.h/d" -e "s/PortObject/void/g" ../include/$(InputName).h.new > ../include/$(InputName).h \ + + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" $(BuildCmds) +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath="..\..\dynamic-plugins\sf_dynamic_preprocessor.h" +InputName=sf_dynamic_preprocessor + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "s/Packet /SFSnortPacket /" -e "s/decode.h/sf_snort_packet.h/" -e "/sfportobject\.h/d" -e "s/PortObject/void/g" ../include/$(InputName).h.new > ../include/$(InputName).h \ + "..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" $(BuildCmds) + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build -!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath="..\..\sfutil\sfPolicy.h" -InputName=sfPolicy +InputPath="..\..\dynamic-plugins\sf_dynamic_preprocessor.h" +InputName=sf_dynamic_preprocessor BuildCmds= \ mkdir ..\include \ copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" ../include/$(InputName).h.new > ../include/$(InputName).h \ + c:\cygwin\bin\sed -e "s/Packet /SFSnortPacket /" -e "s/decode.h/sf_snort_packet.h/" -e "/sfportobject\.h/d" -e "s/PortObject/void/g" ../include/$(InputName).h.new > ../include/$(InputName).h \ 
+"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" $(BuildCmds) +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath="..\..\dynamic-plugins\sf_dynamic_preprocessor.h" +InputName=sf_dynamic_preprocessor + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "s/Packet /SFSnortPacket /" -e "s/decode.h/sf_snort_packet.h/" -e "/sfportobject\.h/d" -e "s/PortObject/void/g" ../include/$(InputName).h.new > ../include/$(InputName).h \ + "..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" $(BuildCmds) + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ENDIF @@ -1440,18 +1716,18 @@ # End Source File # Begin Source File -SOURCE="..\..\sfutil\sfPolicyUserData.c" +SOURCE=..\..\sfutil\sf_email_attach_decode.c !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath="..\..\sfutil\sfPolicyUserData.c" -InputName=sfPolicyUserData +InputPath=..\..\sfutil\sf_email_attach_decode.c +InputName=sf_email_attach_decode BuildCmds= \ mkdir ..\include \ copy $(InputPath) ..\include\$(InputName).c.new \ - c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" ../include/$(InputName).c.new > ../include/$(InputName).c \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/SnortStrnStr/_dpd.SnortStrnStr/" -e "/util.h/d" ../include/$(InputName).c.new > ../include/$(InputName).c \ "..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" 
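Review bot: In the `BuildCmds` that generate `..\include\sf_dynamic_preprocessor.h` (all four configurations of the new `sf_dynamic_preprocessor.h` source block in this hunk), `s/Packet /SFSnortPacket /` carries no `g` flag while `s/PortObject/void/g` on the same command does, so a header line that mentions `Packet ` twice would be only half-translated and the generated header would still name the core `Packet` type; whether `sf_dynamic_preprocessor.h` has such a line is not visible from the hunk. Cygwin's sed is GNU sed, so `-e "s/\bPacket /SFSnortPacket /g"` would both rewrite every occurrence and avoid re-matching inside an already-present `SFSnortPacket` token. The unescaped dot in `s/decode.h/sf_snort_packet.h/` matches any character; `decode\.h` states the intent without changing the result for the expected input. The command also hard-codes `c:\cygwin\bin\sed`, so the step breaks on any build machine with Cygwin installed elsewhere; a project macro such as `$(CYGWIN_BIN)\sed` would make that assumption a single, visible setting.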
@@ -1464,13 +1740,13 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath="..\..\sfutil\sfPolicyUserData.c" -InputName=sfPolicyUserData +InputPath=..\..\sfutil\sf_email_attach_decode.c +InputName=sf_email_attach_decode BuildCmds= \ mkdir ..\include \ copy $(InputPath) ..\include\$(InputName).c.new \ - c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" ../include/$(InputName).c.new > ../include/$(InputName).c \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/SnortStrnStr/_dpd.SnortStrnStr/" -e "/util.h/d" ../include/$(InputName).c.new > ../include/$(InputName).c \ "..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" @@ -1483,13 +1759,13 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath="..\..\sfutil\sfPolicyUserData.c" -InputName=sfPolicyUserData +InputPath=..\..\sfutil\sf_email_attach_decode.c +InputName=sf_email_attach_decode BuildCmds= \ mkdir ..\include \ copy $(InputPath) ..\include\$(InputName).c.new \ - c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" ../include/$(InputName).c.new > ../include/$(InputName).c \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/SnortStrnStr/_dpd.SnortStrnStr/" -e "/util.h/d" ../include/$(InputName).c.new > ../include/$(InputName).c \ "..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" 
@@ -1502,13 +1778,13 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath="..\..\sfutil\sfPolicyUserData.c" -InputName=sfPolicyUserData +InputPath=..\..\sfutil\sf_email_attach_decode.c +InputName=sf_email_attach_decode BuildCmds= \ mkdir ..\include \ copy $(InputPath) ..\include\$(InputName).c.new \ - c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" ../include/$(InputName).c.new > ../include/$(InputName).c \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/SnortStrnStr/_dpd.SnortStrnStr/" -e "/util.h/d" ../include/$(InputName).c.new > ../include/$(InputName).c \ "..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" 
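Review bot: The new `-e "/util.h/d"` in the `BuildCmds` for `..\include\sf_email_attach_decode.c` deletes every line of the copied source that contains the unanchored, unescaped pattern `util.h`, not only the `#include` it presumably targets, so a comment or any other line mentioning that substring would silently disappear from the generated file; `-e "/^#include.*util\.h/d"` limits the deletion to include directives. The companion `s/SnortStrnStr/_dpd.SnortStrnStr/` has no `g` flag, so only the first call on a line is redirected to the plugin API and a second call on the same line — if one exists in `sf_email_attach_decode.c`, which the hunk does not show — would remain an unresolved reference in the plugin build. The same sed command is repeated verbatim for the Release, Debug and IPv6 Debug configurations in the preceding hunks, so any correction has to be applied to each copy.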
@@ -1523,82 +1799,1542 @@ # End Source File # Begin Source File -SOURCE="..\..\sfutil\sfPolicyUserData.h" +SOURCE=..\..\sfutil\sf_email_attach_decode.h + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sf_email_attach_decode.h +InputName=sf_email_attach_decode + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sf_email_attach_decode.h +InputName=sf_email_attach_decode + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sf_email_attach_decode.h +InputName=sf_email_attach_decode + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sf_email_attach_decode.h +InputName=sf_email_attach_decode + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sfutil\sf_ip.c + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sf_ip.c +InputName=sf_ip + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sf_ip.c +InputName=sf_ip + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# 
End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sf_ip.c +InputName=sf_ip + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sf_ip.c +InputName=sf_ip + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sfutil\sf_ip.h + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sf_ip.h +InputName=sf_ip + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sf_ip.h +InputName=sf_ip + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sf_ip.h +InputName=sf_ip + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sf_ip.h +InputName=sf_ip + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sf_protocols.h + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sf_protocols.h +InputName=sf_protocols + 
+"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sf_protocols.h +InputName=sf_protocols + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sf_protocols.h +InputName=sf_protocols + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sf_protocols.h +InputName=sf_protocols + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sf_sdlist.c + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sf_sdlist.c +InputName=sf_sdlist + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).c.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" -e "s/ErrorMessage/_dpd.errMsg/" -e "s/LogMessage /_dpd.logMsg /" -e "/util.h/d" ../include/$(InputName).c.new > ../include/$(InputName).c \ + + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).c.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sf_sdlist.c +InputName=sf_sdlist + +BuildCmds= \ + mkdir ..\include \ + copy 
$(InputPath) ..\include\$(InputName).c.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" -e "s/ErrorMessage/_dpd.errMsg/" -e "s/LogMessage /_dpd.logMsg /" -e "/util.h/d" ../include/$(InputName).c.new > ../include/$(InputName).c \ + + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).c.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sf_sdlist.c +InputName=sf_sdlist + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).c.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" -e "s/ErrorMessage/_dpd.errMsg/" -e "s/LogMessage /_dpd.logMsg /" -e "/util.h/d" ../include/$(InputName).c.new > ../include/$(InputName).c \ + + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).c.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sf_sdlist.c +InputName=sf_sdlist + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).c.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" -e "s/ErrorMessage/_dpd.errMsg/" -e "s/LogMessage /_dpd.logMsg /" -e "/util.h/d" ../include/$(InputName).c.new > ../include/$(InputName).c \ + + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).c.new" : $(SOURCE) 
"$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sf_sdlist.h + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sf_sdlist.h +InputName=sf_sdlist + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" -e "s/ErrorMessage/_dpd.errMsg/" -e "s/LogMessage /_dpd.logMsg /" -e "/util.h/d" ../include/$(InputName).h.new > ../include/$(InputName).h \ + + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sf_sdlist.h +InputName=sf_sdlist + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" -e "s/ErrorMessage/_dpd.errMsg/" -e "s/LogMessage /_dpd.logMsg /" -e "/util.h/d" ../include/$(InputName).h.new > ../include/$(InputName).h \ + + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sf_sdlist.h +InputName=sf_sdlist + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e 
"s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" -e "s/ErrorMessage/_dpd.errMsg/" -e "s/LogMessage /_dpd.logMsg /" -e "/util.h/d" ../include/$(InputName).h.new > ../include/$(InputName).h \ + + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sf_sdlist.h +InputName=sf_sdlist + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" -e "s/ErrorMessage/_dpd.errMsg/" -e "s/LogMessage /_dpd.logMsg /" -e "/util.h/d" ../include/$(InputName).h.new > ../include/$(InputName).h \ + + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sf_sdlist_types.h + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sf_sdlist_types.h +InputName=sf_sdlist_types + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" -e "s/ErrorMessage/_dpd.errMsg/" -e "s/LogMessage /_dpd.logMsg /" -e "/util.h/d" ../include/$(InputName).h.new > ../include/$(InputName).h \ + + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ELSEIF "$(CFG)" == 
"sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sf_sdlist_types.h +InputName=sf_sdlist_types + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" -e "s/ErrorMessage/_dpd.errMsg/" -e "s/LogMessage /_dpd.logMsg /" -e "/util.h/d" ../include/$(InputName).h.new > ../include/$(InputName).h \ + + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sf_sdlist_types.h +InputName=sf_sdlist_types + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" -e "s/ErrorMessage/_dpd.errMsg/" -e "s/LogMessage /_dpd.logMsg /" -e "/util.h/d" ../include/$(InputName).h.new > ../include/$(InputName).h \ + + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sf_sdlist_types.h +InputName=sf_sdlist_types + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" -e "s/ErrorMessage/_dpd.errMsg/" -e "s/LogMessage /_dpd.logMsg /" -e 
"/util.h/d" ../include/$(InputName).h.new > ../include/$(InputName).h \ + + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE="..\..\dynamic-plugins\sf_engine\sf_snort_packet.h" + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath="..\..\dynamic-plugins\sf_engine\sf_snort_packet.h" +InputName=sf_snort_packet + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath="..\..\dynamic-plugins\sf_engine\sf_snort_packet.h" +InputName=sf_snort_packet + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath="..\..\dynamic-plugins\sf_engine\sf_snort_packet.h" +InputName=sf_snort_packet + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath="..\..\dynamic-plugins\sf_engine\sf_snort_packet.h" +InputName=sf_snort_packet + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE="..\..\dynamic-plugins\sf_engine\sf_snort_plugin_api.h" + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath="..\..\dynamic-plugins\sf_engine\sf_snort_plugin_api.h" +InputName=sf_snort_plugin_api + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" 
"$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath="..\..\dynamic-plugins\sf_engine\sf_snort_plugin_api.h" +InputName=sf_snort_plugin_api + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath="..\..\dynamic-plugins\sf_engine\sf_snort_plugin_api.h" +InputName=sf_snort_plugin_api + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath="..\..\dynamic-plugins\sf_engine\sf_snort_plugin_api.h" +InputName=sf_snort_plugin_api + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sf_types.h + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sf_types.h +InputName=sf_types + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sf_types.h +InputName=sf_types + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sf_types.h +InputName=sf_types + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == 
"sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sf_types.h +InputName=sf_types + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\control\sfcontrol.h + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\control\sfcontrol.h +InputName=sfcontrol + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\control\sfcontrol.h +InputName=sfcontrol + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\control\sfcontrol.h +InputName=sfcontrol + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\control\sfcontrol.h +InputName=sfcontrol + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sfutil\sfhashfcn.h + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfhashfcn.h +InputName=sfhashfcn + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfhashfcn.h +InputName=sfhashfcn + 
+"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfhashfcn.h +InputName=sfhashfcn + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfhashfcn.h +InputName=sfhashfcn + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE="..\..\sfutil\sfPolicy.h" + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath="..\..\sfutil\sfPolicy.h" +InputName=sfPolicy + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" ../include/$(InputName).h.new > ../include/$(InputName).h \ + + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath="..\..\sfutil\sfPolicy.h" +InputName=sfPolicy + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" ../include/$(InputName).h.new > ../include/$(InputName).h \ + + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" 
"$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath="..\..\sfutil\sfPolicy.h" +InputName=sfPolicy + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" ../include/$(InputName).h.new > ../include/$(InputName).h \ + + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath="..\..\sfutil\sfPolicy.h" +InputName=sfPolicy + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" ../include/$(InputName).h.new > ../include/$(InputName).h \ + + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE="..\..\sfutil\sfPolicyUserData.c" + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath="..\..\sfutil\sfPolicyUserData.c" +InputName=sfPolicyUserData + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).c.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e 
"s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" ../include/$(InputName).c.new > ../include/$(InputName).c \ + + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).c.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath="..\..\sfutil\sfPolicyUserData.c" +InputName=sfPolicyUserData + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).c.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" ../include/$(InputName).c.new > ../include/$(InputName).c \ + + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).c.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath="..\..\sfutil\sfPolicyUserData.c" +InputName=sfPolicyUserData + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).c.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" ../include/$(InputName).c.new > ../include/$(InputName).c \ + + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).c.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath="..\..\sfutil\sfPolicyUserData.c" +InputName=sfPolicyUserData + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).c.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e 
"/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" ../include/$(InputName).c.new > ../include/$(InputName).c \ + + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).c.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE="..\..\sfutil\sfPolicyUserData.h" + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath="..\..\sfutil\sfPolicyUserData.h" +InputName=sfPolicyUserData + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" ../include/$(InputName).h.new > ../include/$(InputName).h \ + + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath="..\..\sfutil\sfPolicyUserData.h" +InputName=sfPolicyUserData + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" ../include/$(InputName).h.new > ../include/$(InputName).h \ + + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath="..\..\sfutil\sfPolicyUserData.h" 
+InputName=sfPolicyUserData + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" ../include/$(InputName).h.new > ../include/$(InputName).h \ + + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath="..\..\sfutil\sfPolicyUserData.h" +InputName=sfPolicyUserData + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" ../include/$(InputName).h.new > ../include/$(InputName).h \ + + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sfutil\sfrt.c + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt.c +InputName=sfrt + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt.c +InputName=sfrt + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt.c 
+InputName=sfrt + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt.c +InputName=sfrt + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sfutil\sfrt.h + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt.h +InputName=sfrt + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt.h +InputName=sfrt + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt.h +InputName=sfrt + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt.h +InputName=sfrt + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sfutil\sfrt_dir.c + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_dir.c +InputName=sfrt_dir + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == 
"sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_dir.c +InputName=sfrt_dir + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_dir.c +InputName=sfrt_dir + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_dir.c +InputName=sfrt_dir + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sfutil\sfrt_dir.h + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_dir.h +InputName=sfrt_dir + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_dir.h +InputName=sfrt_dir + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_dir.h +InputName=sfrt_dir + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_dir.h +InputName=sfrt_dir + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy 
$(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sfutil\sfrt_flat.c + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat.c +InputName=sfrt_flat + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat.c +InputName=sfrt_flat + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat.c +InputName=sfrt_flat + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat.c +InputName=sfrt_flat + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sfutil\sfrt_flat.h + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat.h +InputName=sfrt_flat + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat.h +InputName=sfrt_flat + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom 
Build +InputPath=..\..\sfutil\sfrt_flat.h +InputName=sfrt_flat + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat.h +InputName=sfrt_flat + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sfutil\sfrt_flat_dir.c + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat_dir.c +InputName=sfrt_flat_dir + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat_dir.c +InputName=sfrt_flat_dir + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat_dir.c +InputName=sfrt_flat_dir + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat_dir.c +InputName=sfrt_flat_dir + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sfutil\sfrt_flat_dir.h + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat_dir.h +InputName=sfrt_flat_dir + 
+"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat_dir.h +InputName=sfrt_flat_dir + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat_dir.h +InputName=sfrt_flat_dir + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat_dir.h +InputName=sfrt_flat_dir + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sfutil\sfrt_trie.h + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_trie.h +InputName=sfrt_trie + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_trie.h +InputName=sfrt_trie + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_trie.h +InputName=sfrt_trie + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - 
Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_trie.h +InputName=sfrt_trie + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.c" !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath="..\..\sfutil\sfPolicyUserData.h" -InputName=sfPolicyUserData +InputPath="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.c" +InputName=sfsnort_dynamic_detection_lib -BuildCmds= \ - mkdir ..\include \ - copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" ../include/$(InputName).h.new > ../include/$(InputName).h \ +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include - -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) - -"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath="..\..\sfutil\sfPolicyUserData.h" -InputName=sfPolicyUserData +InputPath="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.c" +InputName=sfsnort_dynamic_detection_lib -BuildCmds= \ - mkdir ..\include \ - copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" ../include/$(InputName).h.new > ../include/$(InputName).h \ +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy 
$(InputPath) ..\include - -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) - -"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath="..\..\sfutil\sfPolicyUserData.h" -InputName=sfPolicyUserData +InputPath="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.c" +InputName=sfsnort_dynamic_detection_lib -BuildCmds= \ - mkdir ..\include \ - copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" ../include/$(InputName).h.new > ../include/$(InputName).h \ +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include - -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) - -"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath="..\..\sfutil\sfPolicyUserData.h" -InputName=sfPolicyUserData +InputPath="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.c" +InputName=sfsnort_dynamic_detection_lib -BuildCmds= \ - mkdir ..\include \ - copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" ../include/$(InputName).h.new > ../include/$(InputName).h \ +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include - -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) - -"..\include\$(InputName).h.new" : $(SOURCE) 
"$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) # End Custom Build !ENDIF @@ -1606,15 +3342,15 @@ # End Source File # Begin Source File -SOURCE=..\..\sfutil\sfrt.c +SOURCE="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.h" !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\sfutil\sfrt.c -InputName=sfrt +InputPath="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.h" +InputName=sfsnort_dynamic_detection_lib -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include @@ -1623,10 +3359,10 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sfrt.c -InputName=sfrt +InputPath="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.h" +InputName=sfsnort_dynamic_detection_lib -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include @@ -1635,10 +3371,10 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sfrt.c -InputName=sfrt +InputPath="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.h" +InputName=sfsnort_dynamic_detection_lib -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include 
@@ -1647,10 +3383,10 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\sfutil\sfrt.c -InputName=sfrt +InputPath="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.h" +InputName=sfsnort_dynamic_detection_lib -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include @@ -1661,13 +3397,13 @@ # End Source File # Begin Source File -SOURCE=..\..\sfutil\sfrt.h +SOURCE=..\..\sfutil\sfxhash.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\sfutil\sfrt.h -InputName=sfrt +InputPath=..\..\sfutil\sfxhash.h +InputName=sfxhash "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -1678,8 +3414,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sfrt.h -InputName=sfrt +InputPath=..\..\sfutil\sfxhash.h +InputName=sfxhash "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -1690,8 +3426,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sfrt.h -InputName=sfrt +InputPath=..\..\sfutil\sfxhash.h +InputName=sfxhash "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -1702,8 +3438,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\sfutil\sfrt.h -InputName=sfrt +InputPath=..\..\sfutil\sfxhash.h +InputName=sfxhash "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include 
@@ -1716,54 +3452,82 @@ # End Source File # Begin Source File -SOURCE=..\..\sfutil\sfrt_dir.c +SOURCE=..\..\signature.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\sfutil\sfrt_dir.c -InputName=sfrt_dir +InputPath=..\..\signature.h +InputName=signature -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -f ..\treenodes.sed ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sfrt_dir.c -InputName=sfrt_dir +InputPath=..\..\signature.h +InputName=signature -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -f ..\treenodes.sed ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sfrt_dir.c -InputName=sfrt_dir +InputPath=..\..\signature.h +InputName=signature -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -f ..\treenodes.sed ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h.new" : 
$(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\sfutil\sfrt_dir.c -InputName=sfrt_dir +InputPath=..\..\signature.h +InputName=signature -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -f ..\treenodes.sed ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ENDIF @@ -1771,13 +3535,13 @@ # End Source File # Begin Source File -SOURCE=..\..\sfutil\sfrt_dir.h +SOURCE=..\..\snort_bounds.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\sfutil\sfrt_dir.h -InputName=sfrt_dir +InputPath=..\..\snort_bounds.h +InputName=snort_bounds "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -1788,8 +3552,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sfrt_dir.h -InputName=sfrt_dir +InputPath=..\..\snort_bounds.h +InputName=snort_bounds "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -1800,8 +3564,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sfrt_dir.h -InputName=sfrt_dir +InputPath=..\..\snort_bounds.h +InputName=snort_bounds "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include 
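Review bot: The new `BuildCmds` in this hunk run `c:\cygwin\bin\sed -f ..\treenodes.sed`, but `..\treenodes.sed` is not a prerequisite of either custom-build target, so editing the sed script does not regenerate `..\include\signature.h` and a stale header is reused until the next clean build. Listing the script on both rule lines in all four configurations fixes this, e.g. `"..\include\$(InputName).h.new" : $(SOURCE) ..\treenodes.sed "$(INTDIR)" "$(OUTDIR)"` and the same for the `.h` target. The treenodes.h hunks `@@ -2046,18 +3894,18 @@` through `@@ -2108,13 +3956,13 @@` switch from inline `-e` expressions to the same script file and have the same omission. The absolute `c:\cygwin\bin\sed` path predates this commit, but with header generation now also depending on an external script it is worth a comment in the .dsp recording that both the tool location and `treenodes.sed` are build inputs.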
@@ -1812,8 +3576,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\sfutil\sfrt_dir.h -InputName=sfrt_dir +InputPath=..\..\snort_bounds.h +InputName=snort_bounds "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include 
@@ -1826,54 +3590,82 @@ # End Source File # Begin Source File -SOURCE=..\..\sfutil\sfrt_trie.h +SOURCE=..\..\snort_debug.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\sfutil\sfrt_trie.h -InputName=sfrt_trie +InputPath=..\..\snort_debug.h +InputName=snort_debug -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "s/DebugMessageFile = /*_dpd.debugMsgFile = /" -e "s/DebugMessageLine = /*_dpd.debugMsgLine = /" -e "s/; DebugMessageFunc$/; _dpd.debugMsg/" -e "s/; DebugWideMessageFunc$/; _dpd.debugWideMsg/" ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sfrt_trie.h -InputName=sfrt_trie +InputPath=..\..\snort_debug.h +InputName=snort_debug -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "s/DebugMessageFile = /*_dpd.debugMsgFile = /" -e "s/DebugMessageLine = /*_dpd.debugMsgLine = /" -e "s/; DebugMessageFunc$/; _dpd.debugMsg/" -e "s/; DebugWideMessageFunc$/; _dpd.debugWideMsg/" ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sfrt_trie.h -InputName=sfrt_trie 
+InputPath=..\..\snort_debug.h +InputName=snort_debug -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "s/DebugMessageFile = /*_dpd.debugMsgFile = /" -e "s/DebugMessageLine = /*_dpd.debugMsgLine = /" -e "s/; DebugMessageFunc$/; _dpd.debugMsg/" -e "s/; DebugWideMessageFunc$/; _dpd.debugWideMsg/" ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\sfutil\sfrt_trie.h -InputName=sfrt_trie +InputPath=..\..\snort_debug.h +InputName=snort_debug -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "s/DebugMessageFile = /*_dpd.debugMsgFile = /" -e "s/DebugMessageLine = /*_dpd.debugMsgLine = /" -e "s/; DebugMessageFunc$/; _dpd.debugMsg/" -e "s/; DebugWideMessageFunc$/; _dpd.debugWideMsg/" ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ENDIF 
@@ -1881,54 +3673,82 @@ # End Source File # Begin Source File -SOURCE="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.c" +SOURCE=..\..\preprocessors\str_search.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.c" -InputName=sfsnort_dynamic_detection_lib +InputPath=..\..\preprocessors\str_search.h +InputName=str_search -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "s/Packet /SFSnortPacket /" -e "s/decode.h/sf_snort_packet.h/" -e "/sfportobject\.h/d" -e "s/PortObject/void/g" ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.c" -InputName=sfsnort_dynamic_detection_lib +InputPath=..\..\preprocessors\str_search.h +InputName=str_search -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "s/Packet /SFSnortPacket /" -e "s/decode.h/sf_snort_packet.h/" -e "/sfportobject\.h/d" -e "s/PortObject/void/g" ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build 
-InputPath="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.c" -InputName=sfsnort_dynamic_detection_lib +InputPath=..\..\preprocessors\str_search.h +InputName=str_search -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "s/Packet /SFSnortPacket /" -e "s/decode.h/sf_snort_packet.h/" -e "/sfportobject\.h/d" -e "s/PortObject/void/g" ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.c" -InputName=sfsnort_dynamic_detection_lib +InputPath=..\..\preprocessors\str_search.h +InputName=str_search -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "s/Packet /SFSnortPacket /" -e "s/decode.h/sf_snort_packet.h/" -e "/sfportobject\.h/d" -e "s/PortObject/void/g" ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ENDIF 
@@ -1936,54 +3756,82 @@ # End Source File # Begin Source File -SOURCE="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.h" +SOURCE=..\..\preprocessors\stream_api.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.h" -InputName=sfsnort_dynamic_detection_lib +InputPath=..\..\preprocessors\stream_api.h +InputName=stream_api -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "s/Packet /SFSnortPacket /" -e "s/decode.h/sf_snort_packet.h/" -e "/sfportobject\.h/d" -e "s/PortObject/void/g" ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.h" -InputName=sfsnort_dynamic_detection_lib +InputPath=..\..\preprocessors\stream_api.h +InputName=stream_api -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "s/Packet /SFSnortPacket /" -e "s/decode.h/sf_snort_packet.h/" -e "/sfportobject\.h/d" -e "s/PortObject/void/g" ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build 
-InputPath="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.h" -InputName=sfsnort_dynamic_detection_lib +InputPath=..\..\preprocessors\stream_api.h +InputName=stream_api -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "s/Packet /SFSnortPacket /" -e "s/decode.h/sf_snort_packet.h/" -e "/sfportobject\.h/d" -e "s/PortObject/void/g" ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.h" -InputName=sfsnort_dynamic_detection_lib +InputPath=..\..\preprocessors\stream_api.h +InputName=stream_api -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "s/Packet /SFSnortPacket /" -e "s/decode.h/sf_snort_packet.h/" -e "/sfportobject\.h/d" -e "s/PortObject/void/g" ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ENDIF 
@@ -1991,15 +3839,15 @@ # End Source File # Begin Source File -SOURCE=..\..\sfutil\sfxhash.h +SOURCE="..\..\win32\WIN32-Code\strtok_r.c" !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\sfutil\sfxhash.h -InputName=sfxhash +InputPath="..\..\win32\WIN32-Code\strtok_r.c" +InputName=strtok_r -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include @@ -2008,10 +3856,10 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sfxhash.h -InputName=sfxhash +InputPath="..\..\win32\WIN32-Code\strtok_r.c" +InputName=strtok_r -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include @@ -2020,10 +3868,10 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sfxhash.h -InputName=sfxhash +InputPath="..\..\win32\WIN32-Code\strtok_r.c" +InputName=strtok_r -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include @@ -2032,10 +3880,10 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\sfutil\sfxhash.h -InputName=sfxhash +InputPath="..\..\win32\WIN32-Code\strtok_r.c" +InputName=strtok_r -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include 
@@ -2046,18 +3894,18 @@ # End Source File # Begin Source File -SOURCE=..\..\preprocessors\str_search.h +SOURCE=..\..\treenodes.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\preprocessors\str_search.h -InputName=str_search +InputPath=..\..\treenodes.h +InputName=treenodes BuildCmds= \ mkdir ..\include \ copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/Packet /SFSnortPacket /" -e "s/decode.h/sf_snort_packet.h/" ../include/$(InputName).h.new > ../include/$(InputName).h \ + c:\cygwin\bin\sed -f ..\treenodes.sed ../include/$(InputName).h.new > ../include/$(InputName).h \ "..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" @@ -2070,13 +3918,13 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\preprocessors\str_search.h -InputName=str_search +InputPath=..\..\treenodes.h +InputName=treenodes BuildCmds= \ mkdir ..\include \ copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/Packet /SFSnortPacket /" -e "s/decode.h/sf_snort_packet.h/" ../include/$(InputName).h.new > ../include/$(InputName).h \ + c:\cygwin\bin\sed -f ..\treenodes.sed ../include/$(InputName).h.new > ../include/$(InputName).h \ "..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" @@ -2089,13 +3937,13 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\preprocessors\str_search.h -InputName=str_search +InputPath=..\..\treenodes.h +InputName=treenodes BuildCmds= \ mkdir ..\include \ copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/Packet /SFSnortPacket /" -e "s/decode.h/sf_snort_packet.h/" ../include/$(InputName).h.new > ../include/$(InputName).h \ + c:\cygwin\bin\sed -f ..\treenodes.sed ../include/$(InputName).h.new > ../include/$(InputName).h \ "..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" 
@@ -2108,13 +3956,13 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\preprocessors\str_search.h -InputName=str_search +InputPath=..\..\treenodes.h +InputName=treenodes BuildCmds= \ mkdir ..\include \ copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/Packet /SFSnortPacket /" -e "s/decode.h/sf_snort_packet.h/" ../include/$(InputName).h.new > ../include/$(InputName).h \ + c:\cygwin\bin\sed -f ..\treenodes.sed ../include/$(InputName).h.new > ../include/$(InputName).h \ "..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" 
@@ -2129,82 +3977,109 @@ # End Source File # Begin Source File -SOURCE=..\..\preprocessors\stream_api.h +SOURCE=..\..\sfutil\Unified2_common.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\preprocessors\stream_api.h -InputName=stream_api +InputPath=..\..\sfutil\Unified2_common.h +InputName=Unified2_common -BuildCmds= \ - mkdir ..\include \ - copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/Packet /SFSnortPacket /" -e "s/decode.h/sf_snort_packet.h/" ../include/$(InputName).h.new > ../include/$(InputName).h \ +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include +# End Custom Build -"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\Unified2_common.h +InputName=Unified2_common "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) + mkdir ..\include + copy $(InputPath) ..\include + # End Custom Build -!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\preprocessors\stream_api.h -InputName=stream_api +InputPath=..\..\sfutil\Unified2_common.h +InputName=Unified2_common -BuildCmds= \ - mkdir ..\include \ - copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/Packet /SFSnortPacket /" -e "s/decode.h/sf_snort_packet.h/" ../include/$(InputName).h.new > ../include/$(InputName).h \ +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include +# End Custom Build -"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\Unified2_common.h +InputName=Unified2_common 
"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) + mkdir ..\include + copy $(InputPath) ..\include + # End Custom Build -!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sfutil\util_unfold.c + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\preprocessors\stream_api.h -InputName=stream_api +InputPath=..\..\sfutil\util_unfold.c +InputName=util_unfold -BuildCmds= \ - mkdir ..\include \ - copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/Packet /SFSnortPacket /" -e "s/decode.h/sf_snort_packet.h/" ../include/$(InputName).h.new > ../include/$(InputName).h \ +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include +# End Custom Build -"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) +# Begin Custom Build +InputPath=..\..\sfutil\util_unfold.c +InputName=util_unfold + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + # End Custom Build -!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\preprocessors\stream_api.h -InputName=stream_api +InputPath=..\..\sfutil\util_unfold.c +InputName=util_unfold -BuildCmds= \ - mkdir ..\include \ - copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/Packet /SFSnortPacket /" -e "s/decode.h/sf_snort_packet.h/" ../include/$(InputName).h.new > ../include/$(InputName).h \ +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include +# End Custom Build -"..\include\$(InputName).h.new" 
: $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) +# Begin Custom Build +InputPath=..\..\sfutil\util_unfold.c +InputName=util_unfold + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + # End Custom Build !ENDIF @@ -2212,15 +4087,15 @@ # End Source File # Begin Source File -SOURCE="..\..\win32\WIN32-Code\strtok_r.c" +SOURCE=..\..\sfutil\util_unfold.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath="..\..\win32\WIN32-Code\strtok_r.c" -InputName=strtok_r +InputPath=..\..\sfutil\util_unfold.h +InputName=util_unfold -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include @@ -2229,10 +4104,10 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath="..\..\win32\WIN32-Code\strtok_r.c" -InputName=strtok_r +InputPath=..\..\sfutil\util_unfold.h +InputName=util_unfold -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include @@ -2241,10 +4116,10 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath="..\..\win32\WIN32-Code\strtok_r.c" -InputName=strtok_r +InputPath=..\..\sfutil\util_unfold.h +InputName=util_unfold -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include 
@@ -2253,10 +4128,10 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath="..\..\win32\WIN32-Code\strtok_r.c" -InputName=strtok_r +InputPath=..\..\sfutil\util_unfold.h +InputName=util_unfold -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sip/Makefile.am snort-2.9.2/src/dynamic-preprocessors/sip/Makefile.am --- snort-2.8.5.2/src/dynamic-preprocessors/sip/Makefile.am 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/sip/Makefile.am 2011-10-26 18:28:52.000000000 +0000 @@ -0,0 +1,39 @@ +## $Id +AUTOMAKE_OPTIONS=foreign no-dependencies + +INCLUDES = -I../include -I${srcdir}/../libs -I$(srcdir)/includes + +libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor + +lib_LTLIBRARIES = libsf_sip_preproc.la + +libsf_sip_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +if SO_WITH_STATIC_LIB +libsf_sip_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +else +nodist_libsf_sip_preproc_la_SOURCES = \ +../include/sf_dynamic_preproc_lib.c \ +../include/sf_ip.c \ +../include/sfPolicyUserData.c +endif + +libsf_sip_preproc_la_SOURCES = \ +spp_sip.c \ +spp_sip.h \ +sip_config.c \ +sip_config.h \ +sip_parser.c \ +sip_parser.h \ +sip_dialog.c \ +sip_dialog.h \ +sip_roptions.c \ +sip_roptions.h \ +sip_utils.c \ +sip_utils.h \ +sip_debug.h + +EXTRA_DIST = \ +sf_sip.dsp + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sip/Makefile.in snort-2.9.2/src/dynamic-preprocessors/sip/Makefile.in --- snort-2.8.5.2/src/dynamic-preprocessors/sip/Makefile.in 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/sip/Makefile.in 2011-12-07 19:23:20.000000000 +0000 
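Review bot: `libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor` in the new Makefile.am overrides the configure-time `--libdir` value for this directory, so a `--libdir=/usr/lib64` build still installs the module under `$(exec_prefix)/lib`; a dedicated directory variable, `preprocdir = $(libdir)/snort_dynamicpreprocessor` with `preproc_LTLIBRARIES = libsf_sip_preproc.la`, keeps the user's choice. This presumably mirrors the other dynamic-preprocessor Makefile.am files, which are not in view, so it may be a tree-wide convention rather than a one-off to fix here. The `all-local` rule also runs `install-libLTLIBRARIES` into `../build` as part of `make all`, which deserves a one-line comment stating why the build stage installs, since a reader expects installation only under `make install`. Minor: `## $Id` lacks the closing `$` of a keyword, and `${srcdir}` and `$(srcdir)` are mixed on the `INCLUDES` line.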
@@ -0,0 +1,564 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/dynamic-preprocessors/sip +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 
+am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(libdir)" +LTLIBRARIES = $(lib_LTLIBRARIES) +@SO_WITH_STATIC_LIB_TRUE@libsf_sip_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la +am_libsf_sip_preproc_la_OBJECTS = spp_sip.lo sip_config.lo \ + sip_parser.lo sip_dialog.lo sip_roptions.lo sip_utils.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_sip_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo sf_ip.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo +libsf_sip_preproc_la_OBJECTS = $(am_libsf_sip_preproc_la_OBJECTS) \ + $(nodist_libsf_sip_preproc_la_OBJECTS) +libsf_sip_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libsf_sip_preproc_la_LDFLAGS) $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = +am__depfiles_maybe = +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) 
$(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libsf_sip_preproc_la_SOURCES) \ + $(nodist_libsf_sip_preproc_la_SOURCES) +DIST_SOURCES = $(libsf_sip_preproc_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ +CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs -I$(srcdir)/includes +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAINT = @MAINT@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = 
@RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ +STRIP = @STRIP@ +VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ +YACC = @YACC@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +extra_incl = @extra_incl@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +AUTOMAKE_OPTIONS = foreign no-dependencies +lib_LTLIBRARIES = libsf_sip_preproc.la +libsf_sip_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ 
+@SO_WITH_STATIC_LIB_TRUE@libsf_sip_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_sip_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_ip.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c + +libsf_sip_preproc_la_SOURCES = \ +spp_sip.c \ +spp_sip.h \ +sip_config.c \ +sip_config.h \ +sip_parser.c \ +sip_parser.h \ +sip_dialog.c \ +sip_dialog.h \ +sip_roptions.c \ +sip_roptions.h \ +sip_utils.c \ +sip_utils.h \ +sip_debug.h + +EXTRA_DIST = \ +sf_sip.dsp + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/sip/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-preprocessors/sip/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-libLTLIBRARIES: $(lib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } + +uninstall-libLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ + done + +clean-libLTLIBRARIES: + -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) + @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done 
+libsf_sip_preproc.la: $(libsf_sip_preproc_la_OBJECTS) $(libsf_sip_preproc_la_DEPENDENCIES) + $(libsf_sip_preproc_la_LINK) -rpath $(libdir) $(libsf_sip_preproc_la_OBJECTS) $(libsf_sip_preproc_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +.c.o: + $(COMPILE) -c $< + +.c.obj: + $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: + $(LTCOMPILE) -c -o $@ $< + +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +sf_ip.lo: ../include/sf_ip.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_ip.lo `test -f '../include/sf_ip.c' || echo '$(srcdir)/'`../include/sf_ip.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + 
unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) all-local +installdirs: + for dir in "$(DESTDIR)$(libdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-libLTLIBRARIES + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-libLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-libLTLIBRARIES install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-libLTLIBRARIES + + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sip/sf_sip.dsp snort-2.9.2/src/dynamic-preprocessors/sip/sf_sip.dsp --- snort-2.8.5.2/src/dynamic-preprocessors/sip/sf_sip.dsp 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/sip/sf_sip.dsp 2011-11-21 20:15:24.000000000 +0000 
@@ -0,0 +1,247 @@ +# Microsoft Developer Studio Project File - Name="sf_sip" - Package Owner=<4> +# Microsoft Developer Studio Generated Build File, Format Version 6.00 +# ** DO NOT EDIT ** + +# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102 + +CFG=sf_sip - Win32 IPv6 Debug +!MESSAGE This is not a valid makefile. To build this project using NMAKE, +!MESSAGE use the Export Makefile command and run +!MESSAGE +!MESSAGE NMAKE /f "sf_sip.mak". +!MESSAGE +!MESSAGE You can specify a configuration when running NMAKE +!MESSAGE by defining the macro CFG on the command line. For example: +!MESSAGE +!MESSAGE NMAKE /f "sf_sip.mak" CFG="sf_sip - Win32 IPv6 Debug" +!MESSAGE +!MESSAGE Possible choices for configuration are: +!MESSAGE +!MESSAGE "sf_sip - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_sip - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_sip - Win32 IPv6 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_sip - Win32 IPv6 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE + +# Begin Project +# PROP AllowPerConfigDependencies 0 +# PROP Scc_ProjName "" +# PROP Scc_LocalPath "" +CPP=cl.exe +MTL=midl.exe +RSC=rc.exe + +!IF "$(CFG)" == "sf_sip - Win32 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "Release" +# PROP BASE Intermediate_Dir "Release" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "Release" +# PROP Intermediate_Dir "Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D 
"_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 + +!ELSEIF "$(CFG)" == "sf_sip - Win32 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "Debug" +# PROP BASE Intermediate_Dir "Debug" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "Debug" +# PROP Intermediate_Dir "Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 
/d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept + +!ELSEIF "$(CFG)" == "sf_sip - Win32 IPv6 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "sf_sip___Win32_IPv6_Debug" +# PROP BASE Intermediate_Dir "sf_sip___Win32_IPv6_Debug" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "IPv6_Debug" +# PROP Intermediate_Dir "IPv6_Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /GZ /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 ws2_32.lib kernel32.lib 
user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept + +!ELSEIF "$(CFG)" == "sf_sip - Win32 IPv6 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "sf_sip___Win32_IPv6_Release" +# PROP BASE Intermediate_Dir "sf_sip___Win32_IPv6_Release" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "IPv6_Release" +# PROP Intermediate_Dir "IPv6_Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_SMTP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll 
/machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 + +!ENDIF + +# Begin Target + +# Name "sf_sip - Win32 Release" +# Name "sf_sip - Win32 Debug" +# Name "sf_sip - Win32 IPv6 Debug" +# Name "sf_sip - Win32 IPv6 Release" +# Begin Group "Source Files" + +# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" +# Begin Source File + +SOURCE=..\include\inet_aton.c +# End Source File +# Begin Source File + +SOURCE=..\include\inet_pton.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_dynamic_preproc_lib.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_ip.c +# End Source File +# Begin Source File + +SOURCE=..\include\sfPolicyUserData.c +# End Source File +# Begin Source File + +SOURCE=.\sip_config.c +# End Source File +# Begin Source File + +SOURCE=.\sip_dialog.c +# End Source File +# Begin Source File + +SOURCE=.\sip_parser.c +# End Source File +# Begin Source File + +SOURCE=.\sip_roptions.c +# End Source File +# Begin Source File + +SOURCE=.\sip_utils.c +# End Source File +# Begin Source File + +SOURCE=.\spp_sip.c +# End Source File +# Begin Source File + +SOURCE=..\include\strtok_r.c +# End Source File +# End Group +# Begin Group "Header Files" + +# PROP Default_Filter "h;hpp;hxx;hm;inl" +# Begin Source File + +SOURCE=.\sf_preproc_info.h +# End Source File +# Begin Source File + +SOURCE=.\sip_config.h +# End Source File +# Begin Source File + +SOURCE=.\sip_debug.h +# End Source File +# Begin Source File + +SOURCE=.\sip_dialog.h +# End Source File +# Begin Source File + +SOURCE=.\sip_parser.h +# End Source File +# Begin Source File + +SOURCE=.\sip_roptions.h +# End Source File +# Begin Source File + +SOURCE=.\sip_utils.h +# End Source File +# Begin Source File + +SOURCE=.\spp_sip.h +# End Source File +# End Group +# Begin Group "Resource Files" + +# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe" +# End Group +# End Target +# End Project diff -Nru 
snort-2.8.5.2/src/dynamic-preprocessors/sip/sip_config.c snort-2.9.2/src/dynamic-preprocessors/sip/sip_config.c
--- snort-2.8.5.2/src/dynamic-preprocessors/sip/sip_config.c 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/sip/sip_config.c 2011-10-26 18:28:52.000000000 +0000
@@ -0,0 +1,757 @@ +/**************************************************************************** + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + **************************************************************************** + * Provides convenience functions for parsing and querying configuration. + * + * 2/17/2011 - Initial implementation ... Hui Cao + * + ****************************************************************************/ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif +#include +#include "sf_types.h" +#include "sf_snort_packet.h" +#include "sfPolicy.h" +#include "sfPolicyUserData.h" +#include "sip_config.h" +#include "spp_sip.h" +#include "sip_debug.h" + +#define METHOD_NOT_FOUND -1 +/* + * Default SIP port + */ +#define SIP_PORT 5060 +#define SIPS_PORT 5061 +/* + * Default values for configurable parameters. 
+ */ +#define SIP_DEFAULT_MAX_SESSIONS 10000 +#define SIP_DEFAULT_MAX_URI_LEN 256 +#define SIP_DEFAULT_MAX_CALL_ID_LEN 256 +#define SIP_DEFAULT_MAX_REQUEST_NAME_LEN 20 +#define SIP_DEFAULT_MAX_FROM_LEN 256 +#define SIP_DEFAULT_MAX_TO_LEN 256 +#define SIP_DEFAULT_MAX_VIA_LEN 1024 +#define SIP_DEFAULT_MAX_CONTACT_LEN 256 +#define SIP_DEFAULT_MAX_CONTENT_LEN 1024 + +/* + * Min/Max values for each configurable parameter. + */ +#define MIN_MAX_NUM_SESSION 1024 +#define MAX_MAX_NUM_SESSION 4194303 +#define MIN_MAX_URI_LEN 0 +#define MAX_MAX_URI_LEN 65535 +#define MIN_MAX_CALL_ID_LEN 0 +#define MAX_MAX_CALL_ID_LEN 65535 +#define MIN_MAX_REQUEST_NAME_LEN 0 +#define MAX_MAX_REQUEST_NAME_LEN 65535 +#define MIN_MAX_FROM_LEN 0 +#define MAX_MAX_FROM_LEN 65535 +#define MIN_MAX_TO_LEN 0 +#define MAX_MAX_TO_LEN 65535 +#define MIN_MAX_VIA_LEN 0 +#define MAX_MAX_VIA_LEN 65535 +#define MIN_MAX_CONTACT_LEN 0 +#define MAX_MAX_CONTACT_LEN 65535 +#define MIN_MAX_CONTENT_LEN 0 +#define MAX_MAX_CONTENT_LEN 65535 +/* + * Keyword strings for parsing configuration options. + */ +#define SIP_DISABLED_KEYWORD "disabled" +#define SIP_PORTS_KEYWORD "ports" +#define SIP_MAX_SESSION_KEYWORD "max_sessions" +#define SIP_METHODS_KEYWORD "methods" +#define SIP_MAX_URI_LEN_KEYWORD "max_uri_len" +#define SIP_MAX_CALL_ID_LEN_KEYWORD "max_call_id_len" +#define SIP_MAX_REQUEST_NAME_LEN_KEYWORD "max_requestName_len" +#define SIP_MAX_FROM_LEN_KEYWORD "max_from_len" +#define SIP_MAX_TO_LEN_KEYWORD "max_to_len" +#define SIP_MAX_VIA_LEN_KEYWORD "max_via_len" +#define SIP_MAX_CONTACT_LEN_KEYWORD "max_contact_len" +#define SIP_MAX_CONTENT_LEN_KEYWORD "max_content_len" +#define SIP_IGNORE_CHANNEL_KEYWORD "ignore_call_channel" + +#define SIP_SEPERATORS "()<>@,;:\\/[]?={}\" " +#define SIP_CONFIG_SECTION_SEPERATORS ",;" +#define SIP_CONFIG_VALUE_SEPERATORS " " + + +/* + * method names defined by standard, 14 methods defined up to Mar. 
2011 + * The first 6 methods are standard defined by RFC3261 + */ + +SIPMethod StandardMethods[] = +{ + {"invite", SIP_METHOD_INVITE}, + {"cancel",SIP_METHOD_CANCEL}, + {"ack", SIP_METHOD_ACK}, + {"bye", SIP_METHOD_BYE}, + {"register", SIP_METHOD_REGISTER}, + {"options",SIP_METHOD_OPTIONS}, + {"refer", SIP_METHOD_REFER}, + {"subscribe", SIP_METHOD_SUBSCRIBE}, + {"update", SIP_METHOD_UPDATE}, + {"join", SIP_METHOD_JOIN}, + {"info", SIP_METHOD_INFO}, + {"message", SIP_METHOD_MESSAGE}, + {"notify", SIP_METHOD_NOTIFY}, + {"prack", SIP_METHOD_PRACK}, + {NULL, SIP_METHOD_NULL} +}; + +static SIPMethodsFlag currentUseDefineMethod = SIP_METHOD_USER_DEFINE; +/* + * Function prototype(s) + */ + +static void DisplaySIPConfig(SIPConfig *); +static void SIP_SetDefaultMethods(SIPConfig *); +static void SIP_ParsePortList(char **, uint8_t *); +static void SIP_ParseMethods(char **, uint32_t *,SIPMethodlist*); +static SIPMethodNode* SIP_AddMethodToList(char *, SIPMethodsFlag, SIPMethodlist*); +static int SIP_findMethod(char *, SIPMethod *); +static int ParseNumInRange(char *token, char *keyword, int min, int max); + +/* + * Find method from the array methods + * + * PARAMETERS: + * char *token: the method token name to be checked + * SIPMethod* methods: methods array. + * + * RETURNS: + * the index of the method in the array, -1 if not found + */ +static int SIP_findMethod(char *token, SIPMethod* methods) +{ + int i = 0; + while(NULL != methods[i].name) + { + if ((strlen(token) == strlen(methods[i].name))&& + (strncasecmp(methods[i].name, token, strlen(token)) == 0)) + return i; + i++; + } + return METHOD_NOT_FOUND; +} +/* Display the configuration for the SIP preprocessor. + * + * PARAMETERS: + * + * SIPConfig *config: SIP preprocessor configuration. + * + * RETURNS: Nothing. 
+ */ +static void DisplaySIPConfig(SIPConfig *config) +{ + int index; + int newline; + SIPMethodNode *method; + if (config == NULL) + return; + + _dpd.logMsg("SIP config: \n"); + _dpd.logMsg(" Max number of sessions: %d %s \n", + config->maxNumSessions, + config->maxNumSessions + == SIP_DEFAULT_MAX_SESSIONS ? + "(Default)" : "" ); + _dpd.logMsg(" Status: %s\n", + config->disabled ? + "DISABLED":"ENABLED"); + + if (config->disabled) + return; + + _dpd.logMsg(" Ignore media channel: %s\n", + config->ignoreChannel ? + "ENABLED":"DISABLED"); + _dpd.logMsg(" Max URI length: %d %s \n", + config->maxUriLen, + config->maxUriLen + == SIP_DEFAULT_MAX_URI_LEN ? + "(Default)" : "" ); + _dpd.logMsg(" Max Call ID length: %d %s \n", + config->maxCallIdLen, + config->maxCallIdLen + == SIP_DEFAULT_MAX_CALL_ID_LEN ? + "(Default)" : "" ); + _dpd.logMsg(" Max Request name length: %d %s \n", + config->maxRequestNameLen, + config->maxRequestNameLen + == SIP_DEFAULT_MAX_REQUEST_NAME_LEN ? + "(Default)" : "" ); + _dpd.logMsg(" Max From length: %d %s \n", + config->maxFromLen, + config->maxFromLen + == SIP_DEFAULT_MAX_FROM_LEN ? + "(Default)" : "" ); + _dpd.logMsg(" Max To length: %d %s \n", + config->maxToLen, + config->maxToLen + == SIP_DEFAULT_MAX_TO_LEN ? + "(Default)" : "" ); + _dpd.logMsg(" Max Via length: %d %s \n", + config->maxViaLen, + config->maxViaLen + == SIP_DEFAULT_MAX_VIA_LEN ? + "(Default)" : "" ); + _dpd.logMsg(" Max Contact length: %d %s \n", + config->maxContactLen, + config->maxContactLen + == SIP_DEFAULT_MAX_CONTACT_LEN ? + "(Default)" : "" ); + _dpd.logMsg(" Max Content length: %d %s \n", + config->maxContentLen, + config->maxContentLen + == SIP_DEFAULT_MAX_CONTENT_LEN ? 
+ "(Default)" : "" ); + + + /* Traverse list, printing ports, 5 per line */ + newline = 1; + _dpd.logMsg(" Ports:\n"); + for(index = 0; index < MAXPORTS; index++) + { + if( config->ports[ PORT_INDEX(index) ] & CONV_PORT(index) ) + { + _dpd.logMsg("\t%d", index); + if ( !((newline++)% 5) ) + { + _dpd.logMsg("\n"); + } + } + } + _dpd.logMsg("\n"); + _dpd.logMsg(" Methods:\n"); + _dpd.logMsg("\t%s ", + config->methodsConfig + == SIP_METHOD_DEFAULT ? + "(Default)" : ""); + method = config->methods; + while(NULL != method) + { + _dpd.logMsg(" %s", method->methodName); + method = method->nextm; + } + + _dpd.logMsg("\n"); +} + +/* + * The first 6 methods are standard defined by RFC3261 + * We use those first 6 methods as default + * + */ +static void SIP_SetDefaultMethods(SIPConfig *config) +{ + + int i; + config->methodsConfig = SIP_METHOD_DEFAULT; + for (i = 0; i < 6 ; i++) + { + SIP_AddMethodToList(StandardMethods[i].name, StandardMethods[i].methodFlag, &config->methods); + } + +} + + +/******************************************************************** + * Function: SIP_ParsePortList() + * + * Parses a port list and adds bits associated with the ports + * parsed to a bit array. + * + * Arguments: + * char ** + * Pointer to the pointer to the current position in the + * configuration line. This is updated to the current position + * after parsing the IP list. + * uint8_t * + * Pointer to the port array mask to set bits for the ports + * parsed. + * + * Returns: + * SIP_Ret + * SIP_SUCCESS if we were able to successfully parse the + * port list. + * SIP_FAILURE if an error occured in parsing the port list. + * + ********************************************************************/ +static void SIP_ParsePortList(char **ptr, uint8_t *port_array) +{ + int port; + char* cur_tokenp = *ptr; + /* If the user specified ports, remove SIP_PORT for now since + * it now needs to be set explicitly. 
*/ + port_array[ PORT_INDEX( SIP_PORT ) ] = 0; + port_array[ PORT_INDEX( SIPS_PORT ) ] = 0; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Port configurations: %s\n",*ptr );); + + /* Eat the open brace. */ + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Port token: %s\n",cur_tokenp );); + + /* Check the space after '{'*/ + if (( !cur_tokenp ) || ( 0 != strncmp (cur_tokenp, "{", 2 ))) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s, make sure space before and after '{'.\n", + *(_dpd.config_file), *(_dpd.config_line), SIP_PORTS_KEYWORD); + } + + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + while (( cur_tokenp ) && ( 0 != strncmp (cur_tokenp, "}", 2 ))) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Port token: %s\n",cur_tokenp );); + + port = ParseNumInRange(cur_tokenp, SIP_PORTS_KEYWORD, 1, MAXPORTS-1); + port_array[ PORT_INDEX( port ) ] |= CONV_PORT(port); + + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + } + if ( NULL == cur_tokenp ) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s, missing '}'.\n", + *(_dpd.config_file), *(_dpd.config_line), SIP_PORTS_KEYWORD); + } + *ptr = cur_tokenp; +} +/* Parses a single numerical value. + * A fatal error is made if the parsed value is out of bounds. + * + * PARAMETERS: + * + * token: String containing argument + * keyword: String containing option's name. Used when printing an error. + * min: Minimum value of argument + * max: Maximum value of argument + * + * RETURNS: bounds-checked integer value of argument. + */ +static int ParseNumInRange(char *token, char *keyword, int min, int max) +{ + long int value; + char *str; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Num token: %s\n",token );); + + if (( !token ) || !isdigit((int)token[0]) ) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s. 
" + "Please specify an integer between %d and %d.\n", + *(_dpd.config_file), *(_dpd.config_line), keyword, min, max); + } + + value = _dpd.SnortStrtol( token, &str, 10); + + if (0 != strlen(str)) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s. " + "Please specify an integer between %d and %d.\n", + *(_dpd.config_file), *(_dpd.config_line), keyword, min, max); + } + + if (value < min || value > max) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Value specified for %s is out of " + "bounds. Please specify an integer between %d and %d.\n", + *(_dpd.config_file), *(_dpd.config_line), keyword, min, max); + } + + return value; +} + + +/******************************************************************** + * Function: SIP_ParseMethods() + * + * Parses the methods to detect + * + * + * Arguments: + * char ** + * Pointer to the pointer to the current position in the + * configuration line. This is updated to the current position + * after parsing the methods list. + * SIPMethods* + * Flag for the methods. + * NULL flag if not a valid method type + * Returns: + * + ********************************************************************/ +static void SIP_ParseMethods(char **ptr, uint32_t *methodsConfig, SIPMethodlist* pmethods) +{ + char* cur_tokenp = *ptr; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Method configurations: %s\n",*ptr );); + /* If the user specified methods, remove default methods for now since + * it now needs to be set explicitly. */ + *methodsConfig = SIP_METHOD_NULL; + /* Eat the open brace. 
*/ + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Method token: %s\n",cur_tokenp );); + + /* Check the space after '{'*/ + if (( !cur_tokenp ) || ( 0 != strncmp (cur_tokenp, "{", 2 ))) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s, make sure space before and after '{'.\n", + *(_dpd.config_file), *(_dpd.config_line), SIP_METHODS_KEYWORD); + } + + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + + while (( cur_tokenp ) && (0 != strncmp (cur_tokenp, "}", 2 ))) + { + int i_method; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Method token: %s\n",cur_tokenp );); + // Check whether this is a standard method + i_method = SIP_findMethod(cur_tokenp, StandardMethods); + if (METHOD_NOT_FOUND != i_method ) + { + *methodsConfig |= 1 << (StandardMethods[i_method].methodFlag - 1); + SIP_AddMethodToList(cur_tokenp,StandardMethods[i_method].methodFlag, pmethods); + + } + else + { + SIP_AddUserDefinedMethod(cur_tokenp, methodsConfig, pmethods); + } + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + + } + if ( NULL == cur_tokenp ) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s, missing '}'.\n", + *(_dpd.config_file), *(_dpd.config_line), SIP_METHODS_KEYWORD); + } + *ptr = cur_tokenp; + +} + +static SIPMethodNode* SIP_AddMethodToList(char *methodName, SIPMethodsFlag methodConf, SIPMethodlist* p_methodList) +{ + + SIPMethodNode* method; + int methodLen; + SIPMethodNode* lastMethod; + + if (NULL == methodName) + return NULL; + methodLen = strlen(methodName); + method =*p_methodList; + lastMethod = *p_methodList; + while(method) + { + // Already in the list, return + if(strcasecmp(method->methodName, methodName) == 0) + return method; + lastMethod = method; + method = method->nextm; + } + + method = (SIPMethodNode *) malloc(sizeof (SIPMethodNode)); + if (NULL == method) + return NULL; + method->methodName = strdup(methodName); + if (NULL == method->methodName) + 
return NULL; + method->methodLen = methodLen; + method->methodFlag = methodConf; + method->nextm = NULL; + // The first method, point to the first created one + if (NULL == *p_methodList) + { + *p_methodList = method; + } + else + { + lastMethod->nextm = method; + } + + return method; +} +/******************************************************************** + * Function: SIP_FreeConfig + * + * Frees a sip configuration + * + * Arguments: + * SIP_Config * + * The configuration to free. + * + * Returns: None + * + ********************************************************************/ +void SIP_FreeConfig (SIPConfig *config) +{ + SIPMethodNode *nextNode; + SIPMethodNode *curNode; + if (config == NULL) + return; + curNode = config->methods; + + while (NULL != curNode) + { + if (NULL != curNode->methodName) + free(curNode->methodName); + nextNode = curNode->nextm; + free(curNode); + curNode = nextNode; + } + free(config); +} +/* Parses and processes the configuration arguments + * supplied in the SIP preprocessor rule. + * + * PARAMETERS: + * + * SIPConfig *config: SIP preprocessor configuration. + * argp: Pointer to string containing the config arguments. + * + * RETURNS: Nothing. 
+ */ +void ParseSIPArgs(SIPConfig *config, u_char* argp) +{ + char* cur_sectionp = NULL; + char* next_sectionp = NULL; + char* argcpyp = NULL; + + if (config == NULL) + return; + config->maxNumSessions = SIP_DEFAULT_MAX_SESSIONS; + config->maxUriLen = SIP_DEFAULT_MAX_URI_LEN; + config->maxCallIdLen = SIP_DEFAULT_MAX_CALL_ID_LEN; + config->maxRequestNameLen = SIP_DEFAULT_MAX_REQUEST_NAME_LEN; + config->maxFromLen = SIP_DEFAULT_MAX_FROM_LEN; + config->maxToLen = SIP_DEFAULT_MAX_TO_LEN; + config->maxViaLen = SIP_DEFAULT_MAX_VIA_LEN; + config->maxContactLen = SIP_DEFAULT_MAX_CONTACT_LEN; + config->maxContentLen = SIP_DEFAULT_MAX_CONTENT_LEN; + + /* Set up default port to listen on */ + config->ports[ PORT_INDEX( SIP_PORT ) ] |= CONV_PORT(SIP_PORT); + config->ports[ PORT_INDEX( SIPS_PORT ) ] |= CONV_PORT(SIPS_PORT); + + config->methodsConfig = SIP_METHOD_NULL; + config->methods = NULL; + + /* Reset user defined method for every policy*/ + currentUseDefineMethod = SIP_METHOD_USER_DEFINE; + + /* Sanity check(s) */ + if ( !argp ) + { + SIP_SetDefaultMethods(config); + DisplaySIPConfig(config); + return; + } + + argcpyp = strdup( (char*) argp ); + + if ( !argcpyp ) + { + DynamicPreprocessorFatalMessage("Could not allocate memory to parse SIP options.\n"); + return; + } + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "SIP configurations: %s\n",argcpyp );); + + cur_sectionp = strtok_r( argcpyp, SIP_CONFIG_SECTION_SEPERATORS, &next_sectionp); + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Arguments token: %s\n",cur_sectionp );); + + while ( cur_sectionp ) + { + + char* cur_config; + char* cur_tokenp = strtok( cur_sectionp, SIP_CONFIG_VALUE_SEPERATORS); + + if (!cur_tokenp) + { + cur_sectionp = strtok_r( next_sectionp, SIP_CONFIG_SECTION_SEPERATORS, &next_sectionp); + continue; + } + + cur_config = cur_tokenp; + + if ( !strcmp( cur_tokenp, SIP_PORTS_KEYWORD )) + { + SIP_ParsePortList(&cur_tokenp, config->ports); + + } + else if ( !strcmp( cur_tokenp, SIP_METHODS_KEYWORD )) + { + 
SIP_ParseMethods(&cur_tokenp, &config->methodsConfig, &config->methods ); + + } + else if ( !strcmp( cur_tokenp, SIP_DISABLED_KEYWORD )) + { + config->disabled = 1; + } + else if ( !strcmp( cur_tokenp, SIP_MAX_SESSION_KEYWORD )) + { + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + config->maxNumSessions = (uint32_t)ParseNumInRange(cur_tokenp, + SIP_MAX_SESSION_KEYWORD, + MIN_MAX_NUM_SESSION, + MAX_MAX_NUM_SESSION); + } + else if ( !strcmp( cur_tokenp, SIP_MAX_URI_LEN_KEYWORD )) + { + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + config->maxUriLen = (uint16_t)ParseNumInRange(cur_tokenp, + SIP_MAX_URI_LEN_KEYWORD, + MIN_MAX_URI_LEN, + MAX_MAX_URI_LEN); + } + else if ( !strcmp( cur_tokenp, SIP_MAX_CALL_ID_LEN_KEYWORD )) + { + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + config->maxCallIdLen = (uint16_t)ParseNumInRange(cur_tokenp, + SIP_MAX_CALL_ID_LEN_KEYWORD, + MIN_MAX_CALL_ID_LEN, + MAX_MAX_CALL_ID_LEN); + } + else if ( !strcmp( cur_tokenp, SIP_MAX_REQUEST_NAME_LEN_KEYWORD )) + { + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + config->maxRequestNameLen = (uint16_t)ParseNumInRange(cur_tokenp, + SIP_MAX_REQUEST_NAME_LEN_KEYWORD, + MIN_MAX_REQUEST_NAME_LEN, + MAX_MAX_REQUEST_NAME_LEN); + } + else if ( !strcmp( cur_tokenp, SIP_MAX_FROM_LEN_KEYWORD )) + { + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + config->maxFromLen = (uint16_t)ParseNumInRange(cur_tokenp, + SIP_MAX_FROM_LEN_KEYWORD, + MIN_MAX_FROM_LEN, + MAX_MAX_FROM_LEN); + } + else if ( !strcmp( cur_tokenp, SIP_MAX_TO_LEN_KEYWORD )) + { + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + config->maxToLen = (uint16_t)ParseNumInRange(cur_tokenp, + SIP_MAX_TO_LEN_KEYWORD, + MIN_MAX_TO_LEN, + MAX_MAX_TO_LEN); + } + + else if ( !strcmp( cur_tokenp, SIP_MAX_VIA_LEN_KEYWORD )) + { + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + config->maxViaLen = (uint16_t)ParseNumInRange(cur_tokenp, + SIP_MAX_VIA_LEN_KEYWORD, + MIN_MAX_VIA_LEN, + 
MAX_MAX_VIA_LEN); + } + else if ( !strcmp( cur_tokenp, SIP_MAX_CONTACT_LEN_KEYWORD )) + { + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + config->maxContactLen = (uint16_t)ParseNumInRange(cur_tokenp, + SIP_MAX_CONTACT_LEN_KEYWORD, + MIN_MAX_CONTACT_LEN, + MAX_MAX_CONTACT_LEN); + } + else if ( !strcmp( cur_tokenp, SIP_MAX_CONTENT_LEN_KEYWORD )) + { + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + config->maxContentLen = (uint16_t)ParseNumInRange(cur_tokenp, + SIP_MAX_CONTENT_LEN_KEYWORD, + MIN_MAX_CONTENT_LEN, + MAX_MAX_CONTENT_LEN); + } + else if ( !strcmp( cur_tokenp, SIP_IGNORE_CHANNEL_KEYWORD )) + { + config->ignoreChannel = 1; + } + else + { + DynamicPreprocessorFatalMessage(" %s(%d) => Invalid argument: %s\n", + *(_dpd.config_file), *(_dpd.config_line), cur_tokenp); + return; + } + /*Check whether too many parameters*/ + if (NULL != strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS)) + { + DynamicPreprocessorFatalMessage("%s(%d) => To many arguments: %s\n", + *(_dpd.config_file), *(_dpd.config_line), cur_config); + + } + cur_sectionp = strtok_r( next_sectionp, SIP_CONFIG_SECTION_SEPERATORS, &next_sectionp); + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Arguments token: %s\n",cur_sectionp );); + } + /*If no methods defined, use the default*/ + if (SIP_METHOD_NULL == config->methodsConfig) + { + SIP_SetDefaultMethods(config); + } + DisplaySIPConfig(config); + free(argcpyp); +} +/******************************************************************** + * Function: SIP_AddUserDefinedMethod + * + * Add a user defined method + * + * Arguments: + * char *: the method name + * SIPMethodlist *: the list to be added + * + * Returns: user defined method + * + ********************************************************************/ +SIPMethodNode* SIP_AddUserDefinedMethod(char *methodName, uint32_t *methodsConfig, SIPMethodlist* pmethods) +{ + + int i = 0; + SIPMethodNode* method; + + /*Check whether all the chars are defined by RFC2616*/ + while(methodName[i]) + { + 
if (iscntrl(methodName[i])|(NULL != strchr(SIP_SEPERATORS,methodName[i]))| (methodName[i] < 0) ) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad character included in the User defined method: %s." + "Make sure space before and after '}'. \n", + *(_dpd.config_file), *(_dpd.config_line), methodName ); + return NULL; + } + i++; + } + if (currentUseDefineMethod > SIP_METHOD_USER_DEFINE_MAX) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Exceeded max number of user defined methods (%d), can't add %s.\n", + *(_dpd.config_file), *(_dpd.config_line), SIP_METHOD_USER_DEFINE_MAX - SIP_METHOD_USER_DEFINE + 1, + methodName ); + return NULL; + } + *methodsConfig |= 1 << (currentUseDefineMethod - 1); + method = SIP_AddMethodToList(methodName, currentUseDefineMethod, pmethods); + currentUseDefineMethod = (SIPMethodsFlag) (currentUseDefineMethod + 1); + return method; +} diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sip/sip_config.h snort-2.9.2/src/dynamic-preprocessors/sip/sip_config.h --- snort-2.8.5.2/src/dynamic-preprocessors/sip/sip_config.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/sip/sip_config.h 2011-06-08 00:33:14.000000000 +0000 
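Review bot: In SIP_AddUserDefinedMethod the character check is built with bitwise `|`, so all three operands are evaluated and `iscntrl(methodName[i])` runs before the `methodName[i] < 0` test can exclude it; with a signed `char`, a high-bit byte in a user-defined method name reaches `iscntrl()` as a negative value, which the ctype functions do not define. Reorder with short-circuit `||` and a cast: `if (methodName[i] < 0 || iscntrl((unsigned char)methodName[i]) || strchr(SIP_SEPERATORS, methodName[i]) != NULL)`. In the same function `1 << (currentUseDefineMethod - 1)` reaches bit 31 when the last user-defined slot (32) is used, which overflows `int`; `1u << (currentUseDefineMethod - 1)` keeps the shift unsigned and matches the `uint32_t` target (the same shift form is used in SIP_ParseMethods). Separately, SIP_AddMethodToList leaks the freshly malloc'd node when `strdup` fails (add `free(method);` before that `return NULL;`), and both callers ignore its NULL return, so an allocation failure silently drops a method rather than reporting it the way ParseSIPArgs does for its own strdup.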
@@ -0,0 +1,137 @@ +/**************************************************************************** + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + **************************************************************************** + * Provides convenience functions for parsing and querying configuration. + * + * 2/17/2011 - Initial implementation ... 
Hui Cao + * + ****************************************************************************/ + +#ifndef _SIP_CONFIG_H_ +#define _SIP_CONFIG_H_ + +#include "sfPolicyUserData.h" +#include "snort_bounds.h" +#include "sip_debug.h" + +#define SIP_NAME "sip" + + +typedef enum _SIP_method +{ + SIP_METHOD_NULL = 0, //0x0000, + SIP_METHOD_INVITE = 1, //0x0001, + SIP_METHOD_CANCEL = 2, //0x0002, + SIP_METHOD_ACK = 3, //0x0004, + SIP_METHOD_BYE = 4, //0x0008, + SIP_METHOD_REGISTER = 5, //0x0010, + SIP_METHOD_OPTIONS = 6, //0x0020, + SIP_METHOD_REFER = 7, //0x0040, + SIP_METHOD_SUBSCRIBE = 8, //0x0080, + SIP_METHOD_UPDATE = 9, //0x0100, + SIP_METHOD_JOIN = 10,//0x0200, + SIP_METHOD_INFO = 11,//0x0400, + SIP_METHOD_MESSAGE = 12,//0x0800, + SIP_METHOD_NOTIFY = 13,//0x1000, + SIP_METHOD_PRACK = 14,//0x2000, + SIP_METHOD_USER_DEFINE = 15,//0x4000, + SIP_METHOD_USER_DEFINE_MAX = 32//0x80000000, + +} SIPMethodsFlag; + +#define SIP_METHOD_DEFAULT 0x003f +#define SIP_METHOD_ALL 0xffffffff +/* + * Header fields and processing functions + */ +typedef struct _SIPMethod +{ + char *name; + SIPMethodsFlag methodFlag; + +}SIPMethod; + +extern SIPMethod StandardMethods[]; + + +typedef struct _sipMethodlistNode +{ + char *methodName; + int methodLen; + SIPMethodsFlag methodFlag; + struct _sipMethodlistNode* nextm; +} SIPMethodNode; + +typedef SIPMethodNode * SIPMethodlist; + +/* + * One of these structures is kept for each configured + * server port. + */ +typedef struct _sipPortlistNode +{ + uint16_t server_port; + struct _sipPortlistNode* nextp; +} SIPPortNode; + +/* + * SIP preprocessor configuration. + * + * disabled: Whether or not to disable SIP PP. + * maxNumSessions: Maximum amount of run-time memory + * ports: Which ports to check for SIP messages + * methods: Which methods to check + * maxUriLen: Maximum requst_URI size + * maxCallIdLen: Maximum call_ID size. + * maxRequestNameLen: Maximum length of request name in the CSeqID. 
+ * maxFromLen: Maximum From field size + * maxToLen: Maximum To field size + * maxViaLen: Maximum Via field size + * maxContactLen: Maximum Contact field size + * maxContentLen: Maximum Content length + * ignoreChannel: Whether to ignore media channels found by SIP PP + */ +typedef struct _sipConfig +{ + uint8_t disabled; + uint32_t maxNumSessions; + uint8_t ports[MAXPORTS/8]; + uint32_t methodsConfig; + SIPMethodlist methods; + uint16_t maxUriLen; + uint16_t maxCallIdLen; + uint16_t maxRequestNameLen; + uint16_t maxFromLen; + uint16_t maxToLen; + uint16_t maxViaLen; + uint16_t maxContactLen; + uint16_t maxContentLen; + uint8_t ignoreChannel; + int ref_count; + +} SIPConfig; + +/******************************************************************** + * Public function prototypes + ********************************************************************/ +void SIP_FreeConfig(SIPConfig *); +void ParseSIPArgs(SIPConfig *, u_char*); +SIPMethodNode* SIP_AddUserDefinedMethod(char *, uint32_t *, SIPMethodlist*); + +#endif diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sip/sip_debug.h snort-2.9.2/src/dynamic-preprocessors/sip/sip_debug.h --- snort-2.8.5.2/src/dynamic-preprocessors/sip/sip_debug.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/sip/sip_debug.h 2011-10-26 18:28:52.000000000 +0000 
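Review bot: The field list in the `_sipConfig` comment block omits `ref_count`, and `methodsConfig` is described only as "Which methods to check" although sip_config.c treats it as a bitmask: bit `(methodFlag - 1)` is set per enabled method, `SIP_METHOD_DEFAULT 0x003f` covers the six RFC 3261 methods, and values `SIP_METHOD_USER_DEFINE`..`SIP_METHOD_USER_DEFINE_MAX` (15..32) are the user-defined slots. I would add ` * methodsConfig: Bitmask of enabled methods, bit (methodFlag - 1) for each SIPMethodsFlag value` and ` * ref_count: Reference count on this config (presumably managed by spp_sip.c — confirm)` to the block. The hex values in the `_SIP_method` enum comments (`//0x0001` and so on) record the corresponding bit rather than the enumerator value, which is worth stating in one line above the enum since the enumerators themselves are plain ordinals. `SIPPortNode` is declared here but nothing in this patch's sip_config.c references it; if no other file uses it, it can be dropped.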
@@ -0,0 +1,41 @@ +/**************************************************************************** + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + **************************************************************************** + * Provides macros and functions for debugging the preprocessor. + * If Snort is not configured to do debugging, macros are empty. + * + * 8/17/2008 - Initial implementation ... 
Todd Wease + * + ****************************************************************************/ + +#ifndef _SIP_DEBUG_H_ +#define _SIP_DEBUG_H_ + +#include +#include "snort_debug.h" + +/******************************************************************** + * Macros + ********************************************************************/ + +#define SIP_DEBUG__START_MSG "SIP Start ********************************************" +#define SIP_DEBUG__END_MSG "SIP End **********************************************" + +#endif /* _SIP_DEBUG_H_ */ + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sip/sip_dialog.c snort-2.9.2/src/dynamic-preprocessors/sip/sip_dialog.c --- snort-2.8.5.2/src/dynamic-preprocessors/sip/sip_dialog.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/sip/sip_dialog.c 2011-11-21 20:15:24.000000000 +0000 
@@ -0,0 +1,722 @@ +/**************************************************************************** + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + **************************************************************************** + * Provides convenience functions for dialog management + * Dialog management is the central part of SIP call flow analysis + * + * 3/15/2011 - Initial implementation ... 
Hui Cao + * + ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif +#include "sf_types.h" +#include "sip_dialog.h" +#include "sip_parser.h" +#include "sip_debug.h" +#include "sf_ip.h" +#include "spp_sip.h" +#include "stream_api.h" +#include + + +static void SIP_updateMedias(SIP_MediaSession *, SIP_MediaList *); +static int SIP_compareMedias(SIP_MediaDataList , SIP_MediaDataList ); +static int SIP_checkMediaChange(SIPMsg *sipMsg, SIP_DialogData *dialog); +static int SIP_processRequest(SIPMsg *, SIP_DialogData *, SIP_DialogList *, SFSnortPacket *); +static int SIP_processInvite(SIPMsg *, SIP_DialogData *, SIP_DialogList *); +static int SIP_processACK(SIPMsg *, SIP_DialogData *, SIP_DialogList *, SFSnortPacket *); +static int SIP_processResponse(SIPMsg *, SIP_DialogData *, SIP_DialogList *, SFSnortPacket *); +static int SIP_ignoreChannels( SIP_DialogData *, SFSnortPacket *p); +static SIP_DialogData* SIP_addDialog(SIPMsg *, SIP_DialogData *, SIP_DialogList *); +static int SIP_deleteDialog(SIP_DialogData *, SIP_DialogList *); +#ifdef DEBUG_MSGS +void SIP_displayMedias(SIP_MediaList *dList); +#endif + + + +/******************************************************************** + * Function: SIP_processRequest() + * + * Based on the new received sip request message, update the dialog information. 
+ * Note: dialog is created through dialog + * Arguments: + * SIPMsg * - sip request message + * SIP_DialogData* - dialog to be updated, + * SFSnortPacket* - the packet + * + * Returns: + * SIP_SUCCESS: request message has been processed correctly + * SIP_FAILURE: request message has not been processed correctly + ********************************************************************/ +static int SIP_processRequest(SIPMsg *sipMsg, SIP_DialogData *dialog, SIP_DialogList *dList, SFSnortPacket *p) +{ + + SIPMethodsFlag methodFlag; + int ret = SIP_SUCCESS; + + assert (NULL != sipMsg); + + /*If dialog not exist, create one */ + if((NULL == dialog)&&(SIP_METHOD_CANCEL != sipMsg->methodFlag)) + { + dialog = SIP_addDialog(sipMsg, *dList, dList); + } + + methodFlag = sipMsg->methodFlag; + sip_stats.requests[TOTAL_REQUESTS]++; + if (methodFlag > 0) + sip_stats.requests[methodFlag]++; + switch (methodFlag) + { + case SIP_METHOD_INVITE: + + ret = SIP_processInvite(sipMsg, dialog, dList); + + break; + + case SIP_METHOD_CANCEL: + + if (NULL == dialog) + return SIP_FAILURE; + /*dialog can be deleted in the early state*/ + if((SIP_DLG_EARLY == dialog->state)||(SIP_DLG_INVITING == dialog->state) + || (SIP_DLG_CREATE == dialog->state)) + SIP_deleteDialog(dialog, dList); + + break; + + case SIP_METHOD_ACK: + + SIP_processACK(sipMsg, dialog, dList, p); + + break; + + case SIP_METHOD_BYE: + + if(SIP_DLG_ESTABLISHED == dialog->state) + dialog->state = SIP_DLG_TERMINATING; + break; + + default: + + break; + + } + return ret; +} + +/******************************************************************** + * Function: SIP_processInvite() + * + * Based on the new received sip invite request message, update the dialog information. 
+ * Note: dialog is created through dialog + * Arguments: + * SIPMsg * - sip request message + * SIP_DialogData* - dialog to be updated, + * SIP_DialogList*- dialog list + * Returns: + * SIP_SUCCESS: + * SIP_FAILURE: + ********************************************************************/ +static int SIP_processInvite(SIPMsg *sipMsg, SIP_DialogData *dialog, SIP_DialogList *dList) +{ + + int ret = SIP_SUCCESS; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Processing invite, dialog state %d \n", dialog->state );); + + if (NULL == dialog) + return SIP_FAILURE; + + /*Check for the invite replay attack: authenticated invite without challenge*/ + // check whether this invite has authorization information + if ((SIP_DLG_AUTHENCATING != dialog->state) && (NULL != sipMsg ->authorization)) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Dialog state code: %u\n", + dialog->status_code)); + + ALERT(SIP_EVENT_AUTH_INVITE_REPLAY_ATTACK,SIP_EVENT_AUTH_INVITE_REPLAY_ATTACK_STR); + return SIP_FAILURE; + + } + if (SIP_DLG_ESTABLISHED == dialog->state) + { + /* this is the case of re-INVITE*/ + // create a temporary new dialog before the current dialog + dialog = SIP_addDialog(sipMsg, dialog, dList); + dialog->state = SIP_DLG_REINVITING; + return SIP_SUCCESS; + } + /*Check for the fake busy attack: change media session before dialog established*/ + else if((SIP_DLG_INVITING == dialog->state) || (SIP_DLG_EARLY == dialog->state) + || (SIP_DLG_REINVITING == dialog->state)|| (SIP_DLG_AUTHENCATING == dialog->state)) + { + ret = SIP_checkMediaChange(sipMsg, dialog); + if (SIP_FAILURE == ret) + ALERT(SIP_EVENT_AUTH_INVITE_DIFF_SESSION,SIP_EVENT_AUTH_INVITE_DIFF_SESSION_STR); + SIP_updateMedias(sipMsg->mediaSession, &dialog->mediaSessions); + } + else if (SIP_DLG_TERMINATED == dialog->state) + { + SIP_updateMedias(sipMsg->mediaSession, &dialog->mediaSessions); + } + dialog->state = SIP_DLG_INVITING; + return ret; +} + +/******************************************************************** + * Function: 
SIP_processACK() + * + * Based on the new received sip ACK request message, update the dialog information. + * Note: dialog is created through dialog + * Arguments: + * SIPMsg * - sip request message + * SIP_DialogData* - dialog to be updated, + * SIP_DialogList* - dialog list + * SFSnortPacket* - the packet + * Returns: + * SIP_SUCCESS: + * SIP_FAILURE: + ********************************************************************/ +static int SIP_processACK(SIPMsg *sipMsg, SIP_DialogData *dialog, SIP_DialogList *dList, SFSnortPacket *p) +{ + if (NULL == dialog) + return SIP_FAILURE; + + if (SIP_DLG_ESTABLISHED == dialog->state) + { + if ((SIP_METHOD_INVITE == dialog->creator)&&(SIP_checkMediaChange(sipMsg, dialog) == SIP_FAILURE)) + { + SIP_updateMedias(sipMsg->mediaSession, &dialog->mediaSessions); + SIP_ignoreChannels(dialog, p); + } + } + return SIP_SUCCESS; +} +/******************************************************************** + * Function: SIP_processResponse() + * + * Based on the new received sip response message, update the dialog information. 
+ * + * Arguments: + * SIPMsg * - sip response message + * SIP_DialogData* - dialog to be updated, + * SFSnortPacket* - the packet + * + * Returns: + * SIP_SUCCESS: + * SIP_FAILURE: + ********************************************************************/ +static int SIP_processResponse(SIPMsg *sipMsg, SIP_DialogData *dialog, SIP_DialogList *dList, SFSnortPacket *p) +{ + + int statusType; + SIP_DialogData *currDialog = dialog; + + assert (NULL != sipMsg); + + statusType = sipMsg->status_code / 100; + sip_stats.responses[TOTAL_RESPONSES]++; + if (statusType < NUM_OF_RESPONSE_TYPES) + sip_stats.responses[statusType]++; + + if(NULL == dialog) + return SIP_FAILURE; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Processing response, dialog state %d \n", dialog->state );); + + if(sipMsg->status_code > 0) + dialog->status_code = sipMsg->status_code; + + + switch (statusType) + { + case 0: + break; + case RESPONSE1XX: + + if (SIP_DLG_CREATE == currDialog->state) + currDialog->state = SIP_DLG_EARLY; + SIP_updateMedias(sipMsg->mediaSession, &dialog->mediaSessions); + break; + case RESPONSE2XX: + + if (SIP_DLG_REINVITING == currDialog->state) + { + SIP_deleteDialog(currDialog->nextD, dList); + if (SIP_checkMediaChange(sipMsg, dialog) == SIP_FAILURE) + { + SIP_updateMedias(sipMsg->mediaSession, &dialog->mediaSessions); + SIP_ignoreChannels(currDialog, p); + } + currDialog->state = SIP_DLG_ESTABLISHED; + } + else if (SIP_DLG_TERMINATING == currDialog->state) + { + SIP_deleteDialog(currDialog, dList); + return SIP_SUCCESS; + } + else + { + if ((SIP_METHOD_INVITE == currDialog->creator)&& + (SIP_checkMediaChange(sipMsg, dialog) == SIP_FAILURE)) + { + SIP_updateMedias(sipMsg->mediaSession, &dialog->mediaSessions); + SIP_ignoreChannels(currDialog, p); + } + currDialog->state = SIP_DLG_ESTABLISHED; + } + break; + case RESPONSE3XX: + case RESPONSE4XX: + case RESPONSE5XX: + case RESPONSE6XX: + + // If authentication is required + if((401 == sipMsg->status_code) || (407 == sipMsg->status_code)) 
+ { + currDialog->state = SIP_DLG_AUTHENCATING; + } + /*Failed re-Invite will resume to the original state*/ + else if(SIP_DLG_REINVITING == currDialog->state) + { + SIP_deleteDialog(currDialog, dList); + } + else + currDialog->state = SIP_DLG_TERMINATED; + + break; + + default: + break; + } + + + return SIP_SUCCESS; + +} +/******************************************************************** + * Function: SIP_checkMediaChange() + * + * Based on the new received sip invite request message, check whether SDP has been changed + * + * Arguments: + * SIPMsg * - sip request message + * SIP_DialogData* - dialog to be updated, + * + * Returns: + * SIP_SUCCESS: media not changed + * SIP_FAILURE: media changed + ********************************************************************/ +static int SIP_checkMediaChange(SIPMsg *sipMsg, SIP_DialogData *dialog) +{ + SIP_MediaSession *medias; + + // Compare the medias (SDP part) + if (NULL == sipMsg->mediaSession) + return SIP_SUCCESS; + + medias = dialog->mediaSessions; + while(NULL != medias) + { + if (sipMsg->mediaSession->sessionID == medias->sessionID) + break; + medias = medias->nextS; + } + + if (NULL == medias) + { + // Can't find the media session by ID, SDP has been changed. + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Can't find the media data, ID: %u\n", sipMsg->mediaSession->sessionID );); + + return SIP_FAILURE; + } + // The media content has been changed + if (0 != SIP_compareMedias(medias->medias, sipMsg->mediaSession->medias)) + { + // Can't find the media session by ID, SDP has been changed. 
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "The media data is different!\n");); + return SIP_FAILURE; + } + return SIP_SUCCESS; +} +/******************************************************************** + * Function: SIP_ignoreChannels + * + * Ignore the channels in the current dialog: for a dialog,there will be media + * sessions, one from each side of conversation + * + * Arguments: + * SIP_DialogData * - the current dialog + * + * + * Returns: + * SIP_SUCCESS: the channel has been ignored + * SIP_FAILURE: the channel has not been ignored + * + ********************************************************************/ +static int SIP_ignoreChannels( SIP_DialogData *dialog, SFSnortPacket *p) +{ + SIP_MediaData *mdataA,*mdataB; + + if (0 == sip_eval_config->ignoreChannel) + return SIP_FAILURE; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Ignoring the media data in Dialog: %u\n", dialog->dlgID.callIdHash);); + // check the first media session + if (NULL == dialog->mediaSessions) + return SIP_FAILURE; + // check the second media session + if (NULL == dialog->mediaSessions->nextS) + return SIP_FAILURE; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Ignoring the media sessions ID: %u and %u\n", + dialog->mediaSessions->sessionID, dialog->mediaSessions->nextS->sessionID);); + mdataA = dialog->mediaSessions->medias; + mdataB = dialog->mediaSessions->nextS->medias; + sip_stats.ignoreSessions++; + while((NULL != mdataA)&&(NULL != mdataB)) + { + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Ignoring channels Source IP: %s Port: %u\n", + sfip_to_str(&mdataA->maddress), mdataA->mport);); + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Ignoring channels Destine IP: %s Port: %u\n", + sfip_to_str(&mdataB->maddress), mdataB->mport);); + /* Call into Streams to mark data channel as something to ignore. 
*/ +#ifdef SUP_IP6 + _dpd.streamAPI->ignore_session(&mdataA->maddress, + mdataA->mport, &mdataB->maddress, + mdataB->mport, IPPROTO_UDP, p->pkt_header->ts.tv_sec, + PP_SIP, SSN_DIR_BOTH, + 0 /* Not permanent */ ); +#else + _dpd.streamAPI->ignore_session( (snort_ip_p)mdataA->maddress.ip.u6_addr32[0], + mdataA->mport, (snort_ip_p)mdataB->maddress.ip.u6_addr32[0], + mdataB->mport, IPPROTO_UDP, p->pkt_header->ts.tv_sec, + PP_SIP, SSN_DIR_BOTH, + 0 /* Not permanent */ ); +#endif + sip_stats.ignoreChannels++; + mdataA = mdataA->nextM; + mdataB = mdataB->nextM; + } + return SIP_SUCCESS; + +} +/******************************************************************** + * Function: SIP_compareMedias + * + * Compare two media list + * + * Arguments: + * SIPMsg * - the message used to create a dialog + * SIP_DialogData * - the current dialog location + * SIP_DialogList * - the dialogs to be added. + * + * + * Returns: + * 1: not the same + * 0: the same + * + ********************************************************************/ +static int SIP_compareMedias(SIP_MediaDataList mlistA, SIP_MediaDataList mlistB ) +{ + SIP_MediaData *mdataA,*mdataB; + mdataA = mlistA; + mdataB = mlistB; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Compare the media data \n");); + while((NULL != mdataA) && (NULL != mdataB)) + { + if(sfip_compare(&mdataA->maddress, &mdataB->maddress) != SFIP_EQUAL) + break; + if((mdataA->mport != mdataB->mport)|| (mdataA->numPort != mdataB->numPort)) + break; + mdataA = mdataA->nextM; + mdataB = mdataB->nextM; + } + if((NULL == mdataA) && (NULL == mdataB)) + return 0; + else + return 1; +} +/******************************************************************** + * Function: SIP_updateMedias() + * + * Based on the new received media session information, update the media list. + * If not in the current list, created one and add it to the head. 
+ * + * Arguments: + * SIP_MediaSession* - media session + * SIP_MediaList* - media session list to be updated, + * + * Returns: + * + ********************************************************************/ +static void SIP_updateMedias(SIP_MediaSession *mSession, SIP_MediaList *dList) +{ + SIP_MediaSession *currSession, *preSession = NULL; + + if(NULL == mSession) + return; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Updating session id: %u\n", + mSession->sessionID)); + mSession->savedFlag = SIP_SESSION_SAVED; + // Find out the media session based on session id + currSession = *dList; + while(NULL != currSession) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Session id: %u\n", + currSession->sessionID)); + if(currSession->sessionID == mSession->sessionID) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Found Session id: %u\n", + currSession->sessionID)); + break; + } + preSession = currSession; + currSession = currSession->nextS; + } + // if this is a new session data, add to the list head + if (NULL == currSession) + { + mSession->nextS = *dList; + *dList = mSession; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Add Session id: %u\n", + mSession->sessionID)); + // Display the final media session + #ifdef DEBUG_MSGS + SIP_displayMedias(dList); + #endif + return; + } + // if this session needs to be updated + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Insert Session id: %u\n", + mSession->sessionID)); + mSession->nextS = currSession->nextS; + // if this is the header, update the new header + if (NULL == preSession) + *dList = mSession; + else + preSession->nextS = mSession; + + // Clear the old session + currSession->nextS = NULL; + sip_freeMediaSession(currSession); + + // Display the final media session +#ifdef DEBUG_MSGS + SIP_displayMedias(dList); +#endif + return; +} +#ifdef DEBUG_MSGS +void SIP_displayMedias(SIP_MediaList *dList) +{ + SIP_MediaSession *currSession; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Updated Session information------------\n")); + currSession = *dList; + while(NULL != 
currSession) + { + SIP_MediaData *mdata; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Session id: %u\n", currSession->sessionID)); + mdata = currSession->medias; + while(NULL != mdata) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Media IP: %s, port: %u, number of ports %u\n", + sfip_to_str(&mdata->maddress), mdata->mport, mdata->numPort)); + mdata = mdata->nextM; + } + currSession = currSession->nextS; + } + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "End of Session information------------\n")); +} +#endif +/******************************************************************** + * Function: SIP_addDialog + * + * Add a sip dialog before the current dialog + * + * Arguments: + * SIPMsg * - the message used to create a dialog + * SIP_DialogData * - the current dialog location + * SIP_DialogList * - the dialogs to be added. + * + * + * Returns: None + * + ********************************************************************/ +static SIP_DialogData* SIP_addDialog(SIPMsg *sipMsg, SIP_DialogData *currDialog, SIP_DialogList *dList) +{ + SIP_DialogData* dialog; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Add Dialog id: %u, 
From: %u, To: %u, status code: %u\n", + sipMsg->dlgID.callIdHash,sipMsg->dlgID.fromTagHash,sipMsg->dlgID.toTagHash, sipMsg->status_code)); + + sip_stats.dialogs++; + + dialog = (SIP_DialogData *) calloc(1, sizeof(SIP_DialogData)); + if (NULL == dialog) + return NULL; + + // Add to the head + dialog->nextD = currDialog; + if(NULL != currDialog) + { + dialog->prevD = currDialog->prevD; + if (NULL != currDialog->prevD) + currDialog->prevD->nextD = dialog; + else + *dList = dialog; // become the head + currDialog->prevD = dialog; + } + else + { + // The first dialog + dialog->prevD = NULL; + *dList = dialog; + } + dialog->dlgID = sipMsg->dlgID; + dialog->creator = sipMsg->methodFlag; + dialog->state = SIP_DLG_CREATE; + + SIP_updateMedias(sipMsg->mediaSession, &dialog->mediaSessions); + + return dialog; + +} +/******************************************************************** + * Function: SIP_deleteDialog + * + * Delete a sip dialog from the list + * + * Arguments: + * SIP_DialogData * - the current dialog to be deleted + * SIP_DialogList * - the dialog list. + * + * Returns: None + * + ********************************************************************/ +static int SIP_deleteDialog(SIP_DialogData *currDialog, SIP_DialogList *dList) +{ + if ((NULL == currDialog)||(NULL == dList)) + return SIP_FAILURE; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Delete Dialog id: %u, 
From: %u, To: %u \n", + currDialog->dlgID.callIdHash,currDialog->dlgID.fromTagHash,currDialog->dlgID.toTagHash)); + // If this is the header + if(NULL == currDialog->prevD) + { + if(NULL != currDialog->nextD) + currDialog->nextD->prevD = NULL; + *dList = currDialog->nextD; + } + else + { + currDialog->prevD->nextD = currDialog->nextD; + if(NULL != currDialog->nextD) + currDialog->nextD->prevD = currDialog->prevD; + } + sip_freeMediaList(currDialog->mediaSessions); + free(currDialog); + return SIP_SUCCESS; +} +/******************************************************************** + * Function: SIP_updateDialog() + * + * Based on the new received sip message, update the dialog information. + * If not in the current list, created one and add it to the head. + * + * Arguments: + * SIPMsg * - sip message + * SIP_DialogList* - dialog list to be updated, + * + * Returns: + * SIP_SUCCESS: dialog has been updated + * SIP_FAILURE: dialog has not been updated + ********************************************************************/ +int SIP_updateDialog(SIPMsg *sipMsg, SIP_DialogList *dList, SFSnortPacket *p) +{ + SIP_DialogData* dialog; + int ret; + + if ((NULL == sipMsg)||(0 == sipMsg->dlgID.callIdHash)) + return SIP_FAILURE; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Updating Dialog id: %u, From: %u, To: %u\n", + sipMsg->dlgID.callIdHash,sipMsg->dlgID.fromTagHash,sipMsg->dlgID.toTagHash)); + dialog = *dList; + + /*Find out the dialog in the dialog list*/ + + while(NULL != dialog) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Dialog id: %u, From: %u, To: %u\n", + dialog->dlgID.callIdHash,dialog->dlgID.fromTagHash,dialog->dlgID.toTagHash)); + if (sipMsg->dlgID.callIdHash == dialog->dlgID.callIdHash) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Found Dialog id: %u, 
From: %u, To: %u\n", + dialog->dlgID.callIdHash,dialog->dlgID.fromTagHash,dialog->dlgID.toTagHash)); + break; + + } + dialog = dialog->nextD; + } + + /*Update the dialog information*/ + + if (sipMsg->status_code == 0) + ret = SIP_processRequest(sipMsg, dialog, dList, p); + else if (sipMsg->status_code > 0) + ret = SIP_processResponse(sipMsg, dialog, dList, p); + else + ret = SIP_FAILURE; + + + return ret; +} + +/******************************************************************** + * Function: sip_freeDialogs + * + * Frees a sip dialog + * + * Arguments: + * SIP_DialogList + * The dialogs to free. + * + * Returns: None + * + ********************************************************************/ +void sip_freeDialogs (SIP_DialogList list) +{ + SIP_DialogData *nextNode; + SIP_DialogData *curNode = list; + + while (NULL != curNode) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "*Clean Dialog creator: 0x%x, id: %u, From: %u, To: %u, State: %d\n", + curNode->creator, curNode->dlgID.callIdHash,curNode->dlgID.fromTagHash,curNode->dlgID.toTagHash,curNode->state)); + nextNode = curNode->nextD; + sip_freeMediaList(curNode->mediaSessions); + free(curNode); + curNode = nextNode; + } + +} diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sip/sip_dialog.h snort-2.9.2/src/dynamic-preprocessors/sip/sip_dialog.h --- snort-2.8.5.2/src/dynamic-preprocessors/sip/sip_dialog.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/sip/sip_dialog.h 2011-11-21 20:15:24.000000000 +0000 
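Review bot: `SIP_addDialog()` returns NULL when `calloc` fails, yet `SIP_processRequest()` stores that result and the `SIP_METHOD_BYE` case then reads `dialog->state` with no guard; the INVITE and ACK paths only survive because their callees re-check for NULL. Add `if (NULL == dialog) return SIP_FAILURE;` directly after the `dialog = SIP_addDialog(sipMsg, *dList, dList);` assignment. The same unchecked return recurs in `SIP_processInvite()` on the re-INVITE branch (`dialog = SIP_addDialog(sipMsg, dialog, dList); dialog->state = SIP_DLG_REINVITING;`), and that function's opening `DEBUG_WRAP(... dialog->state ...)` dereferences `dialog` before its own `NULL == dialog` guard, so debug builds fault on exactly the case the guard exists for — move the message below the guard. Separately, nothing in this hunk bounds how many dialogs one session can accumulate: `SIP_updateDialog()` allocates a new node for every request carrying an unseen `callIdHash`, so unless the caller enforces a cap, a peer can grow the per-session list without limit until `sip_freeDialogs()` runs; a per-session dialog count checked in `SIP_addDialog()` would be worth adding.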
@@ -0,0 +1,34 @@
+/****************************************************************************
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************
+ * Provides convenience functions.
+ *
+ * 3/15/2011 - Initial implementation ... Hui Cao
+ *
+ ****************************************************************************/
+
+#ifndef SIP_DIALOG_H_
+#define SIP_DIALOG_H_
+
+#include "spp_sip.h"
+
+int SIP_updateDialog(SIPMsg *sipMsg, SIP_DialogList *dList, SFSnortPacket *p);
+void sip_freeDialogs (SIP_DialogList list);
+
+#endif /* SIP_DIALOG_H_ */
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sip/sip_parser.c snort-2.9.2/src/dynamic-preprocessors/sip/sip_parser.c
--- snort-2.8.5.2/src/dynamic-preprocessors/sip/sip_parser.c 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/sip/sip_parser.c 2011-10-26 18:28:52.000000000 +0000
@@ -0,0 +1,1290 @@ +/**************************************************************************** + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + **************************************************************************** + * Provides convenience functions for parsing and querying configuration. + * + * 2/17/2011 - Initial implementation ... 
Hui Cao + * + ****************************************************************************/ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#ifndef HAVE_PARSER_H +#include +#include "sf_types.h" +#include "sf_snort_packet.h" +#include "sfPolicy.h" +#include "sfPolicyUserData.h" +#include "sip_parser.h" +#include "spp_sip.h" +#include "sip_config.h" +#include "sip_utils.h" +#include "sf_ip.h" + + +#define MAX_NUM_32BIT 2147483647 + + +#define SIP_PARSE_NOFOLDING (-2) +#define SIP_PARSE_ERROR (-1) +#define SIP_PARSE_SUCCESS (1) + +/*Should at least have SIP/2.0 */ +#define SIP_KEYWORD "SIP/" +#define SIP_KEYWORD_LEN 4 +#define SIP_VERSION_NUM_LEN 3 /*2.0 or 1.0 or 1.1*/ +#define SIP_VERSION_LEN SIP_KEYWORD_LEN + SIP_VERSION_NUM_LEN +#define SIP_MIN_MSG_LEN SIP_VERSION_LEN + +#define SIP_TAG_KEYWORD "tag=" +#define SIP_TAG_KEYWORD_LEN 4 + +static int sip_headers_parse(SIPMsg *, const char *, char *,char **); +static int sip_startline_parse(SIPMsg *, const char *, char *,char **); +static int sip_body_parse(SIPMsg *, const char *, char *, char **); +static int sip_check_headers(SIPMsg *); + +static int sip_parse_via(SIPMsg *, const char *, const char *); +static int sip_parse_from(SIPMsg *, const char *, const char *); +static int sip_parse_to(SIPMsg *, const char *, const char *); +static int sip_parse_call_id(SIPMsg *, const char *, const char *); +static int sip_parse_cseq(SIPMsg *, const char *, const char *); +static int sip_parse_contact(SIPMsg *, const char *, const char *); +static int sip_parse_authorization(SIPMsg *, const char *, const char *); +static int sip_parse_content_type(SIPMsg *, const char *, const char *); +static int sip_parse_content_len(SIPMsg *, const char *, const char *); +static int sip_parse_content_encode(SIPMsg *, const char *, const char *); +static int sip_process_headField(SIPMsg *, const char *, const char *, int *); +static int sip_process_bodyField(SIPMsg *, const char *, const char *); +static int sip_parse_sdp_o(SIPMsg *, 
const char *, const char *); +static int sip_parse_sdp_c(SIPMsg *, const char *, const char *); +static int sip_parse_sdp_m(SIPMsg *, const char *, const char *); +static int sip_find_linebreak(const char *, char *, char **); + +/* + * Header fields and processing functions + */ +typedef struct _SIPheaderField +{ + char *fname; + int fnameLen; + char *shortName; + int (*setfield) (SIPMsg *, const char *,const char *); + +} SIPheaderField; + +/* + * Body fields and processing functions + */ +typedef struct _SIPbodyField +{ + char *fname; + int fnameLen; + int (*setfield) (SIPMsg *, const char *,const char *); + +} SIPbodyField; + +/* + * header field name, short form field name, and field processing function + */ + +SIPheaderField headerFields[] = +{ + {"Via", 3, NULL, &sip_parse_via}, + {"From", 4,"f", &sip_parse_from}, + {"To", 2, "t", &sip_parse_to}, + {"Call-ID", 7, "i", &sip_parse_call_id}, + {"CSeq", 4, NULL, &sip_parse_cseq}, + {"Contact", 7, "m", &sip_parse_contact}, + {"Authorization", 13, NULL, &sip_parse_authorization}, + {"Content-Type", 12, "c", &sip_parse_content_type}, + {"Content-Length", 14, "l", &sip_parse_content_len}, + {"Content-Encoding", 16, "e", &sip_parse_content_encode}, + {NULL, 0, NULL, NULL} +}; + +/* + * body field name, field processing function + */ + +SIPbodyField bodyFields[] = +{ + {"o=", 2, &sip_parse_sdp_o}, + {"c=", 2, &sip_parse_sdp_c}, + {"m=", 2, &sip_parse_sdp_m}, + {NULL, 0, NULL} +}; + +/******************************************************************** + * Function: sip_process_headField() + * + * Process the header fields (lines). This also deals with folding. + * + * Arguments: + * SIPMsg * - sip message + * char* start - start of the header line + * char* end - end of the header line + * int* - index of last field processed. 
Used for folding processing + * This value will be updated after current field been processed + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + ********************************************************************/ +static int sip_process_headField(SIPMsg *msg, const char *start, const char *end, int *lastFieldIndex) +{ + int findex =0; + int length = end -start; + char *colonIndex; + char *newStart, *newEnd, newLength; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "process line: %.*s\n", length, start)); + + // If this is folding + if((' ' == start[0]) || ('\t' == start[0])) + { + if(SIP_PARSE_NOFOLDING != *lastFieldIndex) + { + SIP_TrimSP(start, end, &newStart, &newEnd); + return(headerFields[*lastFieldIndex].setfield(msg, newStart, newEnd)); + } + } + // Otherwise, continue normal processing + colonIndex = memchr(start, ':', length); + + if (!colonIndex || (colonIndex < start + 1)) + return SIP_PARSE_ERROR; + + if (!SIP_TrimSP(start, colonIndex, &newStart, &newEnd)) + return SIP_PARSE_ERROR; + + newLength = newEnd - newStart; + + /*Find out whether the field name needs to process*/ + while (NULL != headerFields[findex].fname) + { + //Use the full name to check + if ((headerFields[findex].fnameLen == newLength)&& + (0 == strncasecmp(headerFields[findex].fname, newStart, newLength))) + { + break; + } + //Use short name to check + else if ((NULL != headerFields[findex].shortName) && + ( 1 == newLength)&& + (0 == strncasecmp(headerFields[findex].shortName, newStart, newLength))) + { + break; + } + findex++; + } + + if (NULL != headerFields[findex].fname) + { + // Found the field name, evaluate the value + SIP_TrimSP(colonIndex + 1, end, &newStart, &newEnd); + *lastFieldIndex = findex; + return (headerFields[findex].setfield(msg, newStart, newEnd)); + } + *lastFieldIndex = SIP_PARSE_NOFOLDING; + return SIP_PARSE_SUCCESS; +} +/******************************************************************** + * Function: sip_process_bodyField() + * + * Process the body fields. 
+ * + * Arguments: + * SIPMsg * - sip message + * char* start - start of the line + * char* end - end of the line + * + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + ********************************************************************/ +static int sip_process_bodyField(SIPMsg *msg, const char *start, const char *end) +{ + int findex =0; + if (start == end) + return SIP_PARSE_SUCCESS; + /*Find out whether the field name needs to process*/ + while (NULL != bodyFields[findex].fname) + { + int length = bodyFields[findex].fnameLen; + if (0 == strncasecmp(bodyFields[findex].fname, start,length)) + { + return (bodyFields[findex].setfield(msg,start + length, end)); + } + + findex++; + } + return SIP_PARSE_SUCCESS; +} +/******************************************************************** + * Function: sip_find_linebreak() + * + * Find the line break \r \n in the current buffer + * + * Arguments: + * char* start - start of the buffer + * char* end - end of the buffer + * char **lineEnd - output, point to the end of the line defined by line breaks + * Returns: + * int - number of line breaks found in the line found. 
+ ********************************************************************/ +static int sip_find_linebreak(const char *start, char *end, char **lineEnd) +{ + int numCRLF; + char *s = (char *)start; + *lineEnd = NULL; + numCRLF = 0; + if (start >= end) + return 0; + + while ((s < end) && !('\r' ==*s || '\n' == *s)) + { + s++; + } + + if (s == end) + return 0; + + s++; + numCRLF = 1; + + if ((s < end) && ('\r' == s[-1]) && ('\n' == s[0])) + { + s++; + numCRLF = 2; + } + + *lineEnd= s; + return numCRLF; +} +/******************************************************************** + * Function: sip_is_valid_version() + * + * Check whether the version is a valid version (2.0, 1.1, 1.0) + * + * Arguments: + * char* start - start of the version + * + * Returns: + * SIP_TRUE + * SIP_FALSE + ********************************************************************/ +static inline int sip_is_valid_version(const char *start) +{ + if (!strncmp(start, "1.", 2)) + { + if ((*(start+2) == '1') || (*(start+2) == '0')) + return SIP_TRUE; + } + else if (!strncmp(start, "2.0", 3)) + return SIP_TRUE; + + return SIP_FALSE; +} +/******************************************************************** + * Function: sip_startline_parse() + * + * Parse the start line: request and response are different + * + * Arguments: + * SIPMsg * - sip message + * char* buff - start of the sip message buffer + * char* end - end of the buffer + * char**lineEnd - output, the found end of start line + * Returns: + * SIP_FAILURE + * SIP_SUCCESS + ********************************************************************/ + +static int sip_startline_parse(SIPMsg *msg, const char *buff, char *end, char **lineEnd) +{ + char *next; + char *start; + int length; + int numOfLineBreaks; + + start = (char *) buff; + + numOfLineBreaks = sip_find_linebreak(start, end, &next); + if (numOfLineBreaks < 1) + { + /*No CRLF */ + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "No CRLF, check failed\n")); + return SIP_FAILURE; + } + + /*Exclude CRLF from start 
line*/ + length = next - start - numOfLineBreaks; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Start line: %.*s \n", length, start)); + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "End of Start line \n")); + + /*Should at least have SIP/2.0 */ + if (length < SIP_MIN_MSG_LEN) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Message too short, check failed\n")); + return SIP_FAILURE; + } + + *lineEnd = next; + // This is a response + if (0 == strncmp((const char *) buff, (const char *) SIP_KEYWORD, SIP_KEYWORD_LEN)) + { + char *space; + unsigned long statusCode; + + /*Process response*/ + msg->method = NULL; + msg->uri = NULL; + + /*Check SIP version number, end with SP*/ + if (!(sip_is_valid_version(buff + SIP_KEYWORD_LEN) && (*(buff + SIP_VERSION_LEN) == ' '))) + { + ALERT(SIP_EVENT_INVALID_VERSION,SIP_EVENT_INVALID_VERSION_STR); + } + + space = strchr(buff, ' '); + if (space == NULL) + return SIP_FAILURE; + statusCode = _dpd.SnortStrtoul(space + 1, NULL, 10); + if (( statusCode > MAX_STAT_CODE) || (statusCode < MIN_STAT_CODE )) + { + ALERT(SIP_EVENT_BAD_STATUS_CODE,SIP_EVENT_BAD_STATUS_CODE_STR) + msg->status_code = MAX_STAT_CODE + 1; + } + else + msg->status_code = (uint16_t)statusCode; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Status code: %d \n", msg->status_code)); + + } + else /* This might be a request*/ + { + char *space; + char *version; + int length; + SIPMethodNode *method; + + /*Process request*/ + if (NULL ==sip_eval_config) + return SIP_FAILURE; + msg->status_code = 0; + + // Parse the method + space = memchr(buff, ' ', end - buff); + if (space == NULL) + return SIP_FAILURE; + length = space - buff; + msg->method = (char*)buff; + msg->methodLen = length; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "method: %.*s\n", msg->methodLen, msg->method)); + + method = SIP_FindMethod (sip_eval_config->methods, msg->method, msg->methodLen); + if (NULL == method) + { + ALERT(SIP_EVENT_UNKOWN_METHOD, SIP_EVENT_UNKOWN_METHOD_STR); + return SIP_FAILURE; + } + else + { + msg->methodFlag = 
method->methodFlag; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Found the method: %s, Flag: 0x%x\n", method->methodName, method->methodFlag)); + } + + // parse the uri + if (space + 1 > end) + return SIP_FAILURE; + msg->uri = space + 1; + space = memchr(space + 1, ' ', end - msg->uri); + if (space == NULL) + return SIP_FAILURE; + msg->uriLen = space - msg->uri; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "uri: %.*s, length: %u\n", msg->uriLen, msg->uri, msg->uriLen)); + if(0 == msg->uriLen) + ALERT(SIP_EVENT_EMPTY_REQUEST_URI,SIP_EVENT_EMPTY_REQUEST_URI_STR) + else if (sip_eval_config->maxUriLen && (msg->uriLen > sip_eval_config->maxUriLen)) + ALERT(SIP_EVENT_BAD_URI,SIP_EVENT_BAD_URI_STR); + + version = space + 1; + if (version + SIP_VERSION_LEN > end) + return SIP_FAILURE; + if (0 != strncmp((const char *) version, (const char *) SIP_KEYWORD, SIP_KEYWORD_LEN)) + return SIP_FAILURE; + /*Check SIP version number, end with CRLF*/ + if (!sip_is_valid_version(*lineEnd - SIP_VERSION_NUM_LEN - numOfLineBreaks)) + { + ALERT(SIP_EVENT_INVALID_VERSION,SIP_EVENT_INVALID_VERSION_STR); + } + + } + + + return SIP_SUCCESS; +} +/******************************************************************** + * Function: sip_headers_parse() + * + * Parse the SIP header: request and response are the same + * + * Arguments: + * SIPMsg * - sip message + * char* buff - start of the header + * char* end - end of the buffer + * char**lineEnd - output, the found end of header + * Returns: + * SIP_FAILURE + * SIP_SUCCESS + ********************************************************************/ +static int sip_headers_parse(SIPMsg *msg, const char *buff, char *end, char **headEnd) +{ + char *next; + char *start; + int length; + int numOfLineBreaks; + int lastFieldIndex = SIP_PARSE_NOFOLDING ; + + start = (char *) buff; + /* + * The end of header is defined by two CRLFs, or CRCR, or LFLF + */ + numOfLineBreaks = sip_find_linebreak(start, end, &next); + + while (numOfLineBreaks > 0) + { + + /*Processing this line*/ 
+ length = next - start - numOfLineBreaks; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Header line: %.*s\n", length, start)); + /*Process headers*/ + sip_process_headField(msg, start, start + length, &lastFieldIndex); + + /*check the end of header*/ + if ((1 == numOfLineBreaks) && ( start[0] == start[-1])) + { + /*Either CRCR or LFLF*/ + *headEnd = next ; + return SIP_SUCCESS; + + } + else if ( (2 == numOfLineBreaks) && ('\r' == start[0])&&('\n' == start[1])) + { + *headEnd = next; + return SIP_SUCCESS; + } + + start = next; + numOfLineBreaks = sip_find_linebreak(start, end, &next); + + } + return SIP_SUCCESS; +} +/******************************************************************** + * Function: sip_body_parse() + * + * Parse the SIP body: request and response are the same + * + * Arguments: + * SIPMsg * - sip message + * char* buff - start of the body + * char* end - end of the buffer + * char**lineEnd - output, the found end of body + * Returns: + * SIP_FAILURE + * SIP_SUCCESS + ********************************************************************/ +static int sip_body_parse(SIPMsg *msg, const char *buff, char *end, char **bodyEnd) +{ + int length; + char *next; + char *start; + int numOfLineBreaks; + length = end - buff; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Body length: %d\n", length);); + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Body line: %.*s\n", length, buff);); + + // Initialize it + *bodyEnd = end; + + if (buff == end) + return SIP_SUCCESS; + + msg->body_data = (uint8_t *)buff; + + // Create a media session + msg->mediaSession = (SIP_MediaSession *)calloc(1, sizeof(SIP_MediaSession)); + if (NULL == msg->mediaSession) + return SIP_FAILURE; + start = (char *) buff; + + /* + * The end of body is defined by two CRLFs or CRCR or LFLF + */ + numOfLineBreaks = sip_find_linebreak(start, end, &next); + + while (numOfLineBreaks > 0) + { + /*Processing this line*/ + length = next - start - numOfLineBreaks; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Body line: %.*s\n", length, 
start)); + /*Process body fields*/ + sip_process_bodyField(msg, start, start + length); + + start = next; + numOfLineBreaks = sip_find_linebreak(start, end, &next); + } + *bodyEnd = start; + return SIP_SUCCESS; +} + +/******************************************************************** + * Function: sip_check_headers() + * + * Check whether the headers are mal-formed. + * Most checks are here, except some need context information are scattered + * in the parsing. + * + * Arguments: + * SIPMsg * - sip message + * + * Returns: + * SIP_FAILURE + * SIP_SUCCESS + ********************************************************************/ +static int sip_check_headers(SIPMsg *msg) +{ + int ret = SIP_SUCCESS; + if(0 == msg->fromLen) + { + ALERT(SIP_EVENT_EMPTY_FROM,SIP_EVENT_EMPTY_FROM_STR) + ret = SIP_FAILURE; + } + else if (sip_eval_config->maxFromLen && (msg->fromLen > sip_eval_config->maxFromLen)) + { + ALERT(SIP_EVENT_BAD_FROM,SIP_EVENT_BAD_FROM_STR); + ret = SIP_FAILURE; + } + + if(0 == msg->toLen) + { + ALERT(SIP_EVENT_EMPTY_TO,SIP_EVENT_EMPTY_TO_STR) + ret = SIP_FAILURE; + } + else if (sip_eval_config->maxToLen && (msg->toLen > sip_eval_config->maxToLen)) + { + ALERT(SIP_EVENT_BAD_TO,SIP_EVENT_BAD_TO_STR); + ret = SIP_FAILURE; + } + + if(0 == msg->callIdLen) + { + ALERT(SIP_EVENT_EMPTY_CALL_ID,SIP_EVENT_EMPTY_CALL_ID_STR) + ret = SIP_FAILURE; + } + else if ( sip_eval_config->maxCallIdLen && (msg->callIdLen > sip_eval_config->maxCallIdLen)) + { + ALERT(SIP_EVENT_BAD_CALL_ID,SIP_EVENT_BAD_CALL_ID_STR); + ret = SIP_FAILURE; + } + + if(msg->cseqnum > MAX_NUM_32BIT) + { + ALERT(SIP_EVENT_BAD_CSEQ_NUM,SIP_EVENT_BAD_CSEQ_NUM_STR); + ret = SIP_FAILURE; + } + if ( sip_eval_config->maxRequestNameLen && (msg->cseqNameLen > sip_eval_config->maxRequestNameLen)) + { + ALERT(SIP_EVENT_BAD_CSEQ_NAME,SIP_EVENT_BAD_CSEQ_NAME_STR); + ret = SIP_FAILURE; + } + + /*Alert here after parsing*/ + if(0 == msg->viaLen) + { + ALERT(SIP_EVENT_EMPTY_VIA,SIP_EVENT_EMPTY_VIA_STR) + ret = SIP_FAILURE; 
+ } + else if (sip_eval_config->maxViaLen && (msg->viaLen > sip_eval_config->maxViaLen)) + { + ALERT(SIP_EVENT_BAD_VIA,SIP_EVENT_BAD_VIA_STR); + ret = SIP_FAILURE; + } + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Method flag: %d\n", msg->methodFlag)); + + // Contact is required for invite message + if((0 == msg->contactLen)&&(msg->methodFlag == SIP_METHOD_INVITE)&&(0 == msg->status_code)) + { + ALERT(SIP_EVENT_EMPTY_CONTACT,SIP_EVENT_EMPTY_CONTACT_STR) + ret = SIP_FAILURE; + } + else if (sip_eval_config->maxContactLen && (msg->contactLen > sip_eval_config->maxContactLen)) + { + ALERT(SIP_EVENT_BAD_CONTACT,SIP_EVENT_BAD_CONTACT_STR); + ret = SIP_FAILURE; + } + + if((0 == msg->contentTypeLen) && (msg->content_len > 0)) + { + ALERT(SIP_EVENT_EMPTY_CONTENT_TYPE,SIP_EVENT_EMPTY_CONTENT_TYPE_STR) + ret = SIP_FAILURE; + } + + return ret; +} + +/******************************************************************** + * Function: sip_parse_via() + * + * Parse the via field: Via can have multiple header + * + * Arguments: + * SIPMsg * - sip message + * char* start - start of the via filed line + * char* end - end of the line + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + ********************************************************************/ + +static int sip_parse_via(SIPMsg *msg, const char *start, const char *end) +{ + int length = end -start; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Via value: %.*s\n", length, start);); + msg->viaLen = msg->viaLen + length; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Via length: %d\n", msg->viaLen);); + + return SIP_PARSE_SUCCESS; +} +/******************************************************************** + * Function: sip_parse_from() + * + * Parse the from field and get from tag + * Note: From has no multiple header + * + * Arguments: + * SIPMsg * - sip message + * char* start - start of the from filed line + * char* end - end of the line + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + 
********************************************************************/ + +static int sip_parse_from(SIPMsg *msg, const char *start, const char *end) +{ + DEBUG_WRAP(int length = end -start;) + char *buff; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "From value: %.*s\n", length, start);); + msg->from = (char *)start; + msg->fromLen = end - start; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "From length: %d , content: %.*s\n", + msg->fromLen, msg->fromLen, msg->from);); + + + /*Get the from tag*/ + msg->fromTagLen = 0; + + buff = memchr(start, ';', msg->fromLen); + while ((NULL != buff)&& (buff < end)) + { + if (0 == strncmp(buff + 1, SIP_TAG_KEYWORD, SIP_TAG_KEYWORD_LEN)) + { + msg->from_tag = buff + SIP_TAG_KEYWORD_LEN + 1; + msg->fromTagLen = end - msg->from_tag; + msg->dlgID.fromTagHash = strToHash(msg->from_tag,msg->fromTagLen); + break; + } + buff = memchr(buff + 1, ';', msg->fromLen); + } + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "From tag length: %d , hash: %u, content: %.*s\n", + msg->fromTagLen, msg->dlgID.fromTagHash, msg->fromTagLen, msg->from_tag);); + return SIP_PARSE_SUCCESS; +} + +/******************************************************************** + * Function: sip_parse_to() + * + * Parse the to field and get to tag information + * Note: To has no multiple header + * + * Arguments: + * SIPMsg * - sip message + * char* start - start of the to filed line + * char* end - end of the line + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + ********************************************************************/ + +static int sip_parse_to(SIPMsg *msg, const char *start, const char *end) +{ + DEBUG_WRAP(int length = end -start;) + char *buff; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "To value: %.*s\n", length, start);); + msg->to = (char *)start; + msg->toLen = end - start; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "To length: %d , content: %.*s\n", + msg->toLen, msg->toLen, msg->to);); + + /*Processing tag information*/ + msg->toTagLen = 0; + + buff = memchr(start, ';', 
msg->toLen); + while ((NULL != buff)&& (buff < end)) + { + if (0 == strncmp(buff + 1, SIP_TAG_KEYWORD, SIP_TAG_KEYWORD_LEN)) + { + msg->to_tag = buff + SIP_TAG_KEYWORD_LEN + 1; + msg->toTagLen = end - msg->to_tag; + msg->dlgID.toTagHash = strToHash(msg->to_tag,msg->toTagLen); + break; + } + buff = memchr(buff + 1, ';', msg->toLen); + } + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "To tag length: %d , Hash: %u, content: %.*s\n", + msg->toTagLen, msg->dlgID.toTagHash, msg->toTagLen, msg->to_tag);); + return SIP_PARSE_SUCCESS; +} + +/******************************************************************** + * Function: sip_parse_call_id() + * + * Parse the call-id field + * Note: call-id has no multiple header + * + * Arguments: + * SIPMsg * - sip message + * char* start - start of the filed line + * char* end - end of the line + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + ********************************************************************/ + +static int sip_parse_call_id(SIPMsg *msg, const char *start, const char *end) +{ + DEBUG_WRAP(int length = end -start;) + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Call-Id value: %.*s\n", length, start);); + msg->call_id = (char *) start; + msg->callIdLen = end - start; + msg->dlgID.callIdHash = strToHash(msg->call_id, msg->callIdLen); + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Call-Id length: %d, Hash: %u\n", + msg->callIdLen, msg->dlgID.callIdHash);); + + return SIP_PARSE_SUCCESS; +} + +/******************************************************************** + * Function: sip_parse_cseq() + * + * Parse the cseq field: get sequence number and request name + * Note: Cseq has no multiple header + * + * Arguments: + * SIPMsg * - sip message + * char* start - start of the filed line + * char* end - end of the line + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + ********************************************************************/ + +static int sip_parse_cseq(SIPMsg *msg, const char *start, const char *end) +{ + char *next = NULL; + 
DEBUG_WRAP(int length = end -start;) + SIPMethodNode* method = NULL; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "CSeq value: %.*s\n", length, start);); + msg->cseqnum = _dpd.SnortStrtoul(start, &next, 10); + if ((NULL != next )&&(next < end)) + { + msg->cseqName = next + 1; + msg->cseqNameLen = end - msg->cseqName; + method = SIP_FindMethod (sip_eval_config->methods, msg->cseqName, msg->cseqNameLen); + } + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "CSeq number: %d, CSeqName: %.*s\n", + msg->cseqnum, msg->cseqNameLen, msg->cseqName);); + + if (NULL == method) + { + ALERT(SIP_EVENT_INVALID_CSEQ_NAME,SIP_EVENT_INVALID_CSEQ_NAME_STR) + return SIP_PARSE_ERROR; + } + else + { + /*Use request name only for response message*/ + if ((SIP_METHOD_NULL == msg->methodFlag)&&( msg->status_code > 0)) + msg->methodFlag = method->methodFlag; + else if ( method->methodFlag != msg->methodFlag) + { + ALERT(SIP_EVENT_MISMATCH_METHOD,SIP_EVENT_MISMATCH_METHOD_STR) + } + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Found the method: %s, Flag: 0x%x\n", method->methodName, method->methodFlag)); + + } + + return SIP_PARSE_SUCCESS; +} + +/******************************************************************** + * Function: sip_parse_contact() + * + * Parse the to contact field + * Note: Contact has multiple header + * + * Arguments: + * SIPMsg * - sip message + * char* start - start of the filed line + * char* end - end of the line + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + ********************************************************************/ + +static int sip_parse_contact(SIPMsg *msg, const char *start, const char *end) +{ + int length = end -start; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Contact value: %.*s\n", length, start);); + msg->contact = (char *) start; + msg->contactLen = msg->contactLen + length; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Contact length: %d\n", msg->contactLen);); + return SIP_PARSE_SUCCESS; +} + +/******************************************************************** + * 
Function: sip_parse_authorization() + * + * Parse the to authorization field + * + * Arguments: + * SIPMsg * - sip message + * char* start - start of the filed line + * char* end - end of the line + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + ********************************************************************/ + +static int sip_parse_authorization(SIPMsg *msg, const char *start, const char *end) +{ + DEBUG_WRAP(int length = end -start;) + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Authorization value: %.*s\n", length, start);); + msg->authorization = (char *) start; + return SIP_PARSE_SUCCESS; +} +/******************************************************************** + * Function: sip_parse_content_type() + * + * Parse the to content type field + * + * Arguments: + * SIPMsg * - sip message + * char* start - start of the filed line + * char* end - end of the line + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + ********************************************************************/ + +static int sip_parse_content_type(SIPMsg *msg, const char *start, const char *end) +{ + DEBUG_WRAP(int length = end -start;) + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Content type value: %.*s\n", length, start);); + msg->contentTypeLen = end - start; + msg->content_type = (char *) start; + return SIP_PARSE_SUCCESS; +} +/******************************************************************** + * Function: sip_parse_content_len() + * + * Parse the to content length field + * + * Arguments: + * SIPMsg * - sip message + * char* start - start of the filed line + * char* end - end of the line + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + ********************************************************************/ + +static int sip_parse_content_len(SIPMsg *msg, const char *start, const char *end) +{ + int length; + char *next = NULL; + length = end - start; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Content length value: %.*s\n", length, start);); + + msg->content_len = 
_dpd.SnortStrtoul(start, &next, 10); + if ( sip_eval_config->maxContentLen && (msg->content_len > sip_eval_config->maxContentLen)) + ALERT(SIP_EVENT_BAD_CONTENT_LEN,SIP_EVENT_BAD_CONTENT_LEN_STR); + /*Check the length of the value*/ + if (next > start + SIP_CONTENT_LEN) // This check is to prevent overflow + { + if (sip_eval_config->maxContentLen) + ALERT(SIP_EVENT_BAD_CONTENT_LEN,SIP_EVENT_BAD_CONTENT_LEN_STR); + return SIP_PARSE_ERROR; + } + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Content length: %u\n", msg->content_len);); + + return SIP_PARSE_SUCCESS; +} + +/******************************************************************** + * Function: sip_parse_content_encode() + * + * Parse the to content encode field + * + * Arguments: + * SIPMsg * - sip message + * char* start - start of the filed line + * char* end - end of the line + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + ********************************************************************/ + +static int sip_parse_content_encode(SIPMsg *msg, const char *start, const char *end) +{ + DEBUG_WRAP(int length = end -start;) + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Content encode value: %.*s\n", length, start);); + msg->content_encode = (char *) start; + return SIP_PARSE_SUCCESS; +} +/******************************************************************** + * Function: sip_parse_sdp_o() + * + * Parse SDP origination information + * + * Arguments: + * SIPMsg * - sip message + * char* start - start of the filed line + * char* end - end of the line + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + ********************************************************************/ +static int sip_parse_sdp_o(SIPMsg *msg, const char *start, const char *end) +{ + int length; + char *spaceIndex = NULL; + + if (NULL == msg->mediaSession) + return SIP_PARSE_ERROR; + length = end - start; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Origination information: %.*s\n", length, start);); + // Get username and session ID information (before second 
space) + spaceIndex = memchr(start, ' ', length); // first space + if ((NULL == spaceIndex)||(spaceIndex == end)) + return SIP_PARSE_ERROR; + spaceIndex = memchr(spaceIndex + 1, ' ', end - spaceIndex -1 ); // second space + if (NULL == spaceIndex) + return SIP_PARSE_ERROR; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Session information: %.*s\n", spaceIndex - start, start);); + msg->mediaSession->sessionID = strToHash(start, spaceIndex - start); + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Session ID: %u\n", msg->mediaSession->sessionID);); + return SIP_PARSE_SUCCESS; +} +/******************************************************************** + * Function: sip_parse_sdp_c() + * + * Parse SDP connection data + * + * Arguments: + * SIPMsg * - sip message + * char* start - start of the filed line + * char* end - end of the line + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + ********************************************************************/ +static int sip_parse_sdp_c(SIPMsg *msg, const char *start, const char *end) +{ + int length; + sfip_t *ip; + char ipStr[INET6_ADDRSTRLEN + 5]; /* Enough for IPv4 plus netmask or + full IPv6 plus prefix */ + char *spaceIndex = NULL; + + if (NULL == msg->mediaSession) + return SIP_PARSE_ERROR; + length = end - start; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Connection data: %.*s\n", length, start);); + + /*Get the IP address*/ + spaceIndex = memchr(start, ' ', length); // first space + if ((NULL == spaceIndex)||(spaceIndex == end)) + return SIP_PARSE_ERROR; + spaceIndex = memchr(spaceIndex + 1, ' ', end - spaceIndex -1 ); // second space + if (NULL == spaceIndex) + return SIP_PARSE_ERROR; + length = end - spaceIndex; + + memset(ipStr, 0, sizeof(ipStr)); + if(length > INET6_ADDRSTRLEN) + { + length = INET6_ADDRSTRLEN; + } + strncpy(ipStr, spaceIndex, length); + ipStr[length] = '\0'; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "IP data: %s\n", ipStr);); + + // If no default session connect information, add it + if(NULL == msg->mediaSession->medias) 
+ { + ip = &(msg->mediaSession->maddress_default); + } + else // otherwise, update the latest media data (header of media list) + { + ip = &(msg->mediaSession->medias->maddress); + } + if( (sfip_pton(ipStr, ip)) != SFIP_SUCCESS) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Parsed error! \n");); + return SIP_PARSE_ERROR; + } + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Parsed Connection data: %s\n", sfip_to_str (ip));); + + return SIP_PARSE_SUCCESS; +} +/******************************************************************** + * Function: sip_parse_sdp_c() + * + * Parse media type information + * Note: to make it easier update the media address, media data are added to the header of media list + * Arguments: + * SIPMsg * - sip message + * char* start - start of the filed line + * char* end - end of the line + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + ********************************************************************/ +static int sip_parse_sdp_m(SIPMsg *msg, const char *start, const char *end) +{ + int length; + char *spaceIndex = NULL; + char *next; + SIP_MediaData *mdata; + + if (NULL == msg->mediaSession) + return SIP_PARSE_ERROR; + length = end - start; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Media information: %.*s\n", length, start);); + + spaceIndex = memchr(start, ' ', length); // first space + if ((NULL == spaceIndex)||(spaceIndex == end)) + return SIP_PARSE_ERROR; + mdata = (SIP_MediaData *) calloc(1, sizeof(SIP_MediaData)); + + if (NULL == mdata) + return SIP_PARSE_ERROR; + + mdata->mport = (uint16_t) _dpd.SnortStrtoul(spaceIndex + 1, &next, 10); + if ((NULL != next)&&('/'==next[0])) + mdata->numPort = (uint8_t)_dpd.SnortStrtoul(spaceIndex + 1, &next, 10); + // Put + mdata->nextM = msg->mediaSession->medias; + mdata->maddress = msg->mediaSession->maddress_default; + msg->mediaSession->medias = mdata; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Media IP: %s, Media port %u, number of media: %d\n", + sfip_to_str(&mdata->maddress), mdata->mport, mdata->numPort);); + 
return SIP_PARSE_SUCCESS; +} +/******************************************************************** + * Function: sip_parse() + * + * The main entry for parser: process the sip messages. + * + * Arguments: + * SIPMsg * - sip message + * char* buff - start of the sip message buffer + * char* end - end of the buffer + * + * Returns: + * SIP_FAILURE + * SIP_SUCCESS + ********************************************************************/ +int sip_parse(SIPMsg *msg, const char *buff, char *end) +{ + char *nextIndex; + char *start; + int status; + + /*Initialize key values*/ + msg->methodFlag = SIP_METHOD_NULL; + msg->status_code = 0; + + /*Parse the start line*/ + start = (char *) buff; + nextIndex = NULL; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Start parsing...\n")); + + msg->header = (uint8_t *) buff; + status = sip_startline_parse(msg, start, end, &nextIndex); + + if(SIP_FAILURE == status ) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Start line parsing failed...\n")); + return status; + } + + /*Parse the headers*/ + start = nextIndex; + status = sip_headers_parse(msg, start, end, &nextIndex); + msg->headerLen = nextIndex - buff; + + if(SIP_FAILURE == status ) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Header parsing failed...\n")); + } + + status = sip_check_headers(msg); + + if(SIP_FAILURE == status ) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Headers validation failed...\n")); + } + + /*Parse the body*/ + start = nextIndex; + msg->bodyLen = end - start; + /*Disable this check for TCP. 
Revisit this again when PAF enabled for SIP*/ + if((!msg->isTcp)&&(msg->content_len != msg->bodyLen)) + ALERT(SIP_EVENT_MISMATCH_CONTENT_LEN,SIP_EVENT_MISMATCH_CONTENT_LEN_STR); + + if (msg->content_len < msg->bodyLen) + status = sip_body_parse(msg, start, start + msg->content_len, &nextIndex); + else + status = sip_body_parse(msg, start, end, &nextIndex); + + if(SIP_FAILURE == status ) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Headers validation failed...\n")); + } + + // Find out whether multiple SIP messages in this packet + /*Disable this check for TCP. Revisit this again when PAF enabled for SIP*/ + if ((!msg->isTcp) && (nextIndex < end)) + { + if (SIP_SUCCESS == sip_startline_parse(msg, nextIndex, end, &nextIndex)) + ALERT(SIP_EVENT_MULTI_MSGS,SIP_EVENT_MULTI_MSGS_STR); + } + return status; +} + +/******************************************************************** + * Function: sip_freeMsg + * + * Frees a sip msg. + * Media session information will be release if they are not used by dialog. + * + * Arguments: + * SIPMsg * + * The sip message to free. + * + * Returns: None + * + ********************************************************************/ +void sip_freeMsg (SIPMsg *msg) +{ + + if (NULL == msg) + return; + if (NULL != msg->mediaSession) + { + if (SIP_SESSION_SAVED != msg->mediaSession->savedFlag) + sip_freeMediaSession(msg->mediaSession); + } + +} +/******************************************************************** + * Function: sip_freeMediaSession + * + * Frees a sip media session + * + * Arguments: + * SIP_MediaSession * + * The media session to free. 
+ * + * Returns: None + * + ********************************************************************/ +void sip_freeMediaSession (SIP_MediaSession *mediaSession) +{ + SIP_MediaData *nextNode; + SIP_MediaData *curNode = NULL; + + + if (NULL != mediaSession) + { + curNode = mediaSession->medias; + } + + while (NULL != curNode) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Clear media ip: %s, port: %d, number of port: %d\n", + sfip_to_str(&curNode->maddress), curNode->mport, curNode->numPort )); + nextNode = curNode->nextM; + free(curNode); + curNode = nextNode; + } + if (NULL != mediaSession) + free (mediaSession); +} +/******************************************************************** + * Function: sip_freeMediaList + * + * Frees a sip media session list + * + * Arguments: + * SIP_MediaList + * The media session list to free. + * + * Returns: None + * + ********************************************************************/ +void sip_freeMediaList (SIP_MediaList medias) +{ + SIP_MediaSession *nextNode; + SIP_MediaSession *curNode = medias; + + while (NULL != curNode) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Clean Media session default IP: %s, session ID: %u\n", + sfip_to_str(&curNode->maddress_default), curNode->sessionID)); + nextNode = curNode->nextS; + sip_freeMediaSession(curNode); + curNode = nextNode; + } + +} +#endif diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sip/sip_parser.h snort-2.9.2/src/dynamic-preprocessors/sip/sip_parser.h --- snort-2.8.5.2/src/dynamic-preprocessors/sip/sip_parser.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/sip/sip_parser.h 2011-06-08 00:33:14.000000000 +0000 
@@ -0,0 +1,41 @@
+/****************************************************************************
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************
+ * Provides convenience functions for parsing and querying configuration.
+ *
+ * 2/17/2011 - Initial implementation ... Hui Cao
+ *
+ ****************************************************************************/
+
+#ifndef _SIP_PARSER_H_
+#define _SIP_PARSE_H_
+
+#include "sfPolicyUserData.h"
+#include "snort_bounds.h"
+#include "sip_debug.h"
+#include "spp_sip.h"
+#include "sf_ip.h"
+
+
+int sip_parse(SIPMsg *, const char *, char *);
+void sip_freeMsg (SIPMsg *msg);
+void sip_freeMediaSession (SIP_MediaSession*);
+void sip_freeMediaList (SIP_MediaList medias);
+
+#endif
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sip/sip_roptions.c snort-2.9.2/src/dynamic-preprocessors/sip/sip_roptions.c
--- snort-2.8.5.2/src/dynamic-preprocessors/sip/sip_roptions.c 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/sip/sip_roptions.c 2011-06-08 00:33:15.000000000 +0000
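Review bot: The include guard in sip_parser.h is broken: it tests `#ifndef _SIP_PARSER_H_` but then defines `_SIP_PARSE_H_`, so the tested macro is never defined and the guard does nothing on a second inclusion. Today the body is only prototypes and includes, so repeated inclusion is tolerated, but the moment a type or inline definition lands in this header the build breaks in a way that looks unrelated. Change the define to `#define _SIP_PARSER_H_`. While touching it, identifiers starting with an underscore and an uppercase letter are reserved for the implementation in C; `SIP_PARSER_H_`, matching the `SIP_UTILS_H_` guard used in sip_utils.h of the same commit, would be the consistent choice.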
@@ -0,0 +1,472 @@ +/**************************************************************************** + * Copyright (C) 20011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + **************************************************************************** + * + ****************************************************************************/ + +#include +#include +#include + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "sip_roptions.h" +#include "spp_sip.h" +#include "sf_types.h" +#include "sf_dynamic_preprocessor.h" +#include "stream_api.h" +#include "sf_dynamic_engine.h" +#include "sf_snort_plugin_api.h" +#include "sfhashfcn.h" +#include "profiler.h" +#include "sip_utils.h" +#include "sip_debug.h" +#include "sip_config.h" +#include "treenodes.h" + +#define SIP_ROPT__METHOD "sip_method" +#define SIP_ROPT__STATUS_CODE "sip_stat_code" +#define SIP_ROPT__HEADER "sip_header" +#define SIP_ROPT__BODY "sip_body" + + +/******************************************************************** + * Private function prototypes + ********************************************************************/ +static int SIP_MethodInit(char *, char *, void **); +static int SIP_MethodEval(void *, const uint8_t **, void 
*); +static int SIP_HeaderInit(char *, char *, void **); +static int SIP_HeaderEval(void *, const uint8_t **, void *); +static int SIP_StatCodeInit(char *, char *, void **); +static int SIP_StatCodeEval(void *, const uint8_t **, void *); +static int SIP_BodyInit(char *, char *, void **); +static int SIP_BodyEval(void *, const uint8_t **, void *); +static int SIP_MethodAddFastPatterns(void *, int, int, FPContentInfo **); + + +static inline int SIP_RoptDoEval(SFSnortPacket *p) +{ + if ((p->payload_size == 0) || + (p->stream_session_ptr == NULL) || + (!IsTCP(p) && !IsUDP(p))) + { + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "No payload or no " + "session pointer or not TCP or UDP - not evaluating.\n")); + return 0; + } + + return 1; +} + +static inline int IsRequest(SIP_Roptions *ropts) +{ + if (ropts->status_code) + return FALSE; + else + return TRUE; +} + +/* Parsing for the rule option */ +static int SIP_MethodInit(char *name, char *params, void **data) +{ + + int flags = 0, mask = 0; + char *end = NULL; + char *tok; + int negated = 0; + int numTokens = 0; + SipMethodRuleOptData *sdata; + SIPMethodNode *method; + + if (strcasecmp(name, SIP_ROPT__METHOD) != 0) + return 0; + + + /*Evaluate whether all the methods are in the PP configurations */ + sip_eval_config = sfPolicyUserDataGetCurrent(sip_config); + + if (NULL == sip_eval_config) + DynamicPreprocessorFatalMessage("%s(%d) => Configuration error!\n", + *(_dpd.config_file), *(_dpd.config_line)); + + /* Must have arguments */ + if (SIP_IsEmptyStr(params)) + { + DynamicPreprocessorFatalMessage("%s(%d) => missing argument to sip_method keyword\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + tok = strtok_r(params, ",", &end); + + if(!tok) + DynamicPreprocessorFatalMessage("%s(%d) => missing argument to sip_method keyword\n", + *(_dpd.config_file), *(_dpd.config_line)); + + while (NULL != tok) + { + + numTokens++; + + if (tok[0] == '!') + { + negated = 1; + tok++; + } + + /*Only one method is allowed with !*/ + if 
(negated && (numTokens > 1)) + { + DynamicPreprocessorFatalMessage("%s(%d) => %s, only one method is allowed with ! for %s.\n", + *(_dpd.config_file), *(_dpd.config_line), tok, name); + } + method = SIP_FindMethod (sip_eval_config->methods, tok, strlen (tok)); + + /*if method is not found, add it as a user defined method*/ + if (NULL == method) + { + method = SIP_AddUserDefinedMethod(tok, &sip_eval_config->methodsConfig, &sip_eval_config->methods ); + if (NULL == method) + DynamicPreprocessorFatalMessage("%s(%d) => %s can't add new method to %s.\n", + *(_dpd.config_file), *(_dpd.config_line), tok, name); + _dpd.logMsg("%s(%d) => Add user defined method: %s to SIP preprocessor through rule.\n", + *(_dpd.config_file), *(_dpd.config_line), method->methodName); + } + + flags |= 1 << (method->methodFlag - 1); + if (negated) + mask |= 1 << (method->methodFlag - 1); + + tok = strtok_r(NULL, ", ", &end); + + } + + sdata = (SipMethodRuleOptData *)calloc(1, sizeof(*sdata)); + if (sdata == NULL) + { + DynamicPreprocessorFatalMessage("Could not allocate memory for the " + "sip preprocessor rule option.\n"); + } + + sdata->flags = flags; + sdata->mask = mask; + *data = (void *)sdata; + return 1; + +} +/* Rule option evaluation */ +static int SIP_MethodEval(void *pkt, const uint8_t **cursor, void *data) +{ + SFSnortPacket *p = (SFSnortPacket *)pkt; + SIPData *sd; + SIP_Roptions *ropts; + SipMethodRuleOptData *sdata = (SipMethodRuleOptData *)data; + uint32_t methodFlag; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "Evaluating \"%s\" rule option.\n", SIP_ROPT__METHOD)); + + if (!SIP_RoptDoEval(p)) + return RULE_NOMATCH; + + sd = (SIPData *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_SIP); + if (sd == NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "No session data - not evaluating.\n")); + return RULE_NOMATCH; + } + + ropts = &sd->ropts; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "Rule Flags: %x Data Flags: %x, Mask: %x \n", sdata->flags, ropts->methodFlag, 
sdata->mask )); + // Not response + methodFlag = 1 << (ropts->methodFlag - 1); + if (IsRequest(ropts) && ((sdata->flags & methodFlag) ^ sdata->mask)) + { + return RULE_MATCH; + } + return RULE_NOMATCH; + +} +static int SIP_MethodAddFastPatterns(void *data, int protocol, + int direction, FPContentInfo **info) +{ + + char *sip = "SIP"; + FPContentInfo *method_fp; + SipMethodRuleOptData *sdata = (SipMethodRuleOptData *)data; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "Evaluating \"%s\" fast pattern rule option.\n", SIP_ROPT__METHOD)); + if ((sdata == NULL) || (info == NULL)) + return -1; + + if ((protocol != IPPROTO_TCP) && (protocol != IPPROTO_UDP)) + return -1; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "adding info to \"%s\" fast pattern rule option.\n", SIP_ROPT__METHOD)); + + method_fp = (FPContentInfo *)calloc(1,sizeof(FPContentInfo)); + if (NULL == method_fp) + return -1; + + method_fp->content = (char *)malloc(strlen(sip)); + if (NULL == method_fp->content) + return -1; + memcpy(method_fp->content, sip, strlen(sip)); + method_fp->length = strlen(sip); + *info = method_fp; + return 0; +} +/* Parsing for the rule option */ +static int SIP_HeaderInit(char *name, char *params, void **data) +{ + if (strcasecmp(name, SIP_ROPT__HEADER) != 0) + return 0; + + /* Must not have arguments */ + if (!SIP_IsEmptyStr(params)) + { + DynamicPreprocessorFatalMessage("%s, %s(%d) => rule option: This option has no arguments.\n", + SIP_ROPT__HEADER, *(_dpd.config_file), *(_dpd.config_line)); + + } + + return 1; +} +/* Rule option evaluation */ +static int SIP_HeaderEval(void *pkt, const uint8_t **cursor, void *data) +{ + SFSnortPacket *p = (SFSnortPacket *)pkt; + SIPData *sd; + SIP_Roptions *ropts; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "Evaluating \"%s\" rule option.\n", SIP_ROPT__HEADER)); + + if (!SIP_RoptDoEval(p)) + return RULE_NOMATCH; + + sd = (SIPData *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_SIP); + if (sd == NULL) + { + 
DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "No session data - not evaluating.\n")); + return RULE_NOMATCH; + } + + ropts = &sd->ropts; + + if (ropts->header_data != NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "Setting cursor to header data: %p.\n", ropts->header_data)); + *cursor = ropts->header_data; + //Limit the length + _dpd.SetAltDetect((uint8_t *)ropts->header_data, ropts->header_len); + + return RULE_MATCH; + } + return RULE_NOMATCH; +} + + +/* Parsing for the rule option */ +static int SIP_StatCodeInit(char *name, char *params, void **data) +{ + char *end = NULL; + char *tok; + int i_tok = 0; + SipStatCodeRuleOptData *sdata; + + if (strcasecmp(name, SIP_ROPT__STATUS_CODE) != 0) + return 0; + + /* Must have arguments */ + if (SIP_IsEmptyStr(params)) + { + DynamicPreprocessorFatalMessage("%s(%d) => missing argument to sip_stat_code keyword\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + tok = strtok_r(params, ",", &end); + + if(!tok) + DynamicPreprocessorFatalMessage("%s(%d) => missing argument to sip_stat_code keyword\n", + *(_dpd.config_file), *(_dpd.config_line)); + + sdata = (SipStatCodeRuleOptData *)calloc(1, sizeof(*sdata)); + + if (sdata == NULL) + { + DynamicPreprocessorFatalMessage("Could not allocate memory for the " + "sip preprocessor rule option.\n"); + } + + while ((NULL != tok) && (i_tok < SIP_NUM_STAT_CODE_MAX)) + { + + unsigned long statCode = _dpd.SnortStrtoul(tok, NULL, 10); + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "Rule Status code: %d.\n",sdata->stat_codes[i_tok])); + if ((statCode > MAX_STAT_CODE) || + ((statCode > NUM_OF_RESPONSE_TYPES - 1) && (statCode < MIN_STAT_CODE))) + { + DynamicPreprocessorFatalMessage("%s(%d) => Status code %u specified is not a 3 digit number or 1 - %d\n ", + *(_dpd.config_file), *(_dpd.config_line), statCode, NUM_OF_RESPONSE_TYPES-1); + } + sdata->stat_codes[i_tok] = (uint16_t)statCode; + + tok = strtok_r(NULL, ", ", &end); + i_tok++; + } + + if (NULL != tok) + DynamicPreprocessorFatalMessage("%s(%d) => 
More than %d argument to sip_stat_code keyword\n", + *(_dpd.config_file), *(_dpd.config_line), SIP_NUM_STAT_CODE_MAX); + + + *data = (void *)sdata; + return 1; + +} +/* Rule option evaluation */ +static int SIP_StatCodeEval(void *pkt, const uint8_t **cursor, void *data) +{ + SFSnortPacket *p = (SFSnortPacket *)pkt; + SIPData *sd; + SIP_Roptions *ropts; + SipStatCodeRuleOptData *sdata = (SipStatCodeRuleOptData *)data; + uint16_t short_code; + int i_code; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "Evaluating \"%s\" rule option.\n", SIP_ROPT__STATUS_CODE)); + + if (!SIP_RoptDoEval(p)) + return RULE_NOMATCH; + + sd = (SIPData *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_SIP); + if (sd == NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "No session data - not evaluating.\n")); + return RULE_NOMATCH; + } + + ropts = &sd->ropts; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "Status code in packet: %d \n", ropts->status_code)); + + if (0 == ropts->status_code) + return RULE_NOMATCH; + + /*Match the status code*/ + short_code = ropts->status_code / 100; + for(i_code = 0; i_code < SIP_NUM_STAT_CODE_MAX; i_code++) + { + if ((sdata->stat_codes[i_code] == short_code)|| + (sdata->stat_codes[i_code] == ropts->status_code)) + return RULE_MATCH; + } + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "Rule No Match\n")); + return RULE_NOMATCH; +} + +/* Parsing for the rule option */ +static int SIP_BodyInit(char *name, char *params, void **data) +{ + + if (strcasecmp(name, SIP_ROPT__BODY) != 0) + return 0; + + /* Must not have arguments */ + if (!SIP_IsEmptyStr(params)) + { + DynamicPreprocessorFatalMessage("%s, %s(%d) => rule option: This option has no arguments.\n", + SIP_ROPT__BODY, *(_dpd.config_file), *(_dpd.config_line)); + + } + + return 1; +} +/* Rule option evaluation */ +static int SIP_BodyEval(void *pkt, const uint8_t **cursor, void *data) +{ + SFSnortPacket *p = (SFSnortPacket *)pkt; + SIPData *sd; + SIP_Roptions *ropts; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + 
"Evaluating \"%s\" rule option.\n", SIP_ROPT__BODY)); + + if (!SIP_RoptDoEval(p)) + return RULE_NOMATCH; + + sd = (SIPData *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_SIP); + if (sd == NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "No session data - not evaluating.\n")); + return RULE_NOMATCH; + } + + ropts = &sd->ropts; + + if (ropts->body_data != NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "Setting cursor to body data: %p.\n", ropts->body_data)); + *cursor = ropts->body_data; + //Limit the length + _dpd.SetAltDetect((uint8_t *)ropts->body_data, ropts->body_len); + + return RULE_MATCH; + } + + return RULE_NOMATCH; +} +/******************************************************************** + * Function: SIP_RegRuleOptions + * + * Purpose: Register rule options + * + * Arguments: void + * + * Returns: void + * + ********************************************************************/ +void SIP_RegRuleOptions(void) +{ + _dpd.preprocOptRegister(SIP_ROPT__METHOD, SIP_MethodInit, SIP_MethodEval, + free, NULL, NULL, NULL, SIP_MethodAddFastPatterns); + _dpd.preprocOptRegister(SIP_ROPT__HEADER, SIP_HeaderInit, SIP_HeaderEval, + NULL, NULL, NULL, NULL, NULL); + _dpd.preprocOptRegister(SIP_ROPT__STATUS_CODE, SIP_StatCodeInit, SIP_StatCodeEval, + free, NULL, NULL, NULL, NULL); + _dpd.preprocOptRegister(SIP_ROPT__BODY, SIP_BodyInit, SIP_BodyEval, + NULL, NULL, NULL, NULL, NULL); +} + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sip/sip_roptions.h snort-2.9.2/src/dynamic-preprocessors/sip/sip_roptions.h --- snort-2.8.5.2/src/dynamic-preprocessors/sip/sip_roptions.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/sip/sip_roptions.h 2011-10-26 18:28:52.000000000 +0000 
@@ -0,0 +1,71 @@
+/****************************************************************************
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************
+ *
+ ****************************************************************************/
+
+#ifndef _SIP_ROPTIONS_H_
+#define _SIP_ROPTIONS_H_
+
+#include "sip_config.h"
+
+#define SIP_NUM_STAT_CODE_MAX 20
+/********************************************************************
+ * Structures
+ ********************************************************************/
+typedef struct _SIP_Roptions
+{
+
+ /* sip_method data*/
+ SIPMethodsFlag methodFlag;
+ /* sip_stat_code data*/
+ uint16_t status_code;
+ /* sip header data */
+ const uint8_t *header_data; /* Set to NULL if not applicable */
+ uint16_t header_len;
+ /* sip body data */
+ const uint8_t *body_data; /* Set to NULL if not applicable */
+ uint16_t body_len;
+
+} SIP_Roptions;
+
+
+typedef struct _SipMethodRuleOptData
+{
+ int flags;
+ int mask;
+
+} SipMethodRuleOptData;
+
+
+typedef struct _SipStatCodeRuleOptData
+{
+ uint16_t stat_codes[SIP_NUM_STAT_CODE_MAX];
+
+} SipStatCodeRuleOptData;
+
+
+/********************************************************************
+ * Public function prototypes
+ ********************************************************************/
+void SIP_RegRuleOptions(void);
+
+
+#endif /* _SIP_ROPTIONS_H_ */
+
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sip/sip_utils.c snort-2.9.2/src/dynamic-preprocessors/sip/sip_utils.c
--- snort-2.8.5.2/src/dynamic-preprocessors/sip/sip_utils.c 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/sip/sip_utils.c 2011-10-26 18:28:52.000000000 +0000
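Review bot: `header_len` and `body_len` in `SIP_Roptions` are `uint16_t`, yet they are the lengths `SIP_HeaderEval`/`SIP_BodyEval` hand to `_dpd.SetAltDetect`, and `SIP_Process` fills them from `sipMsg.headerLen`/`sipMsg.bodyLen`, whose declared types are not visible in this diff. If those SIPMsg fields are wider than 16 bits, the assignment truncates silently and a rule would inspect a shorter buffer than the parser saw, which is an evasion window rather than a crash but still a correctness gap. Either widen the fields to match SIPMsg or make the invariant explicit at the assignment site; at minimum document it here: `uint16_t header_len; /* bytes at header_data; must hold the full parsed header length */`. The same comment applies to `body_len`.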
@@ -0,0 +1,190 @@ +/**************************************************************************** + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + **************************************************************************** + * Provides convenience functions. + * + * 2/17/2011 - Initial implementation ... Hui Cao + * + ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif +#include "sf_types.h" +#include "sip_utils.h" + +/******************************************************************** + * Function: SIP_IsEmptyStr() + * + * Checks if string is NULL, empty or just spaces. + * String must be 0 terminated. 
+ * + * Arguments: + * char * - string to check + * + * Returns: + * 1 if string is NULL, empty or just spaces + * 0 otherwise + * + ********************************************************************/ +int SIP_IsEmptyStr(char *str) +{ + char *end; + + if (str == NULL) + return 1; + + end = str + strlen(str); + + while ((str < end) && isspace((int)*str)) + str++; + + if (str == end) + return 1; + + return 0; +} +/* + * Trim spaces non-destructively on both sides of string : '', \t, \n, \r + * If string is empty return 0, otherwise 1 + * Note: end point to the location start + length, + * not necessary the real end of string if not end with \0 + */ +int SIP_TrimSP(const char *start, const char *end, char **new_start, char** new_end) +{ + char *before; + char *after; + + if (start >= end ) + { + *new_start = (char *)start; + *new_end = *new_start; + return 0; + } + + before = (char *) start; + + // Trim the starting spaces + while((before < end) && isspace((int)*before)) + { + before++; + } + // This is an empty string + if (before == end) + { + *new_start = (char *)end; + *new_end = *new_start; + return 0; + } + + // Trim the ending spaces + after = (char *) end - 1; + while((before < after) && isspace((int)*after)) + { + after--; + } + *new_start = before; + *new_end = after + 1; + return 1; +} +/******************************************************************** + * Function: SIP_FindMethod() + * + * Find method in the method list by name + * + * Arguments: + * SIPMethodlist - methods list to be searched, + * char * - method name, + * int - length of the method name + * + * Returns: + * SIPMethodNode*- the founded method node, or NULL if not founded + * + ********************************************************************/ + +SIPMethodNode* SIP_FindMethod(SIPMethodlist methods, char* methodName, unsigned int length) +{ + SIPMethodNode* method = NULL; + + method = methods; + while (NULL != method) + { + + if ((length == strlen(method->methodName))&& + 
(strncasecmp(method->methodName, methodName, length) == 0)) + { + return method; + } + method = method->nextm; + } + return method; +} +/******************************************************************** + * Function: strToHash() + * + * Calculate the hash value of a string + * + * Arguments: + * char * - string to be hashed + * int: length of the string + * + * Returns: + * 1 if string is NULL, empty or just spaces + * 0 otherwise + * + ********************************************************************/ +uint32_t strToHash(const char *str, int length ) +{ + uint32_t a,b,c,tmp; + int i,j,k,l; + a = b = c = 0; + for (i=0,j=0;i 4) + k=4; + + for (l=0;l + * + ****************************************************************************/ + +#ifndef SIP_UTILS_H_ +#define SIP_UTILS_H_ +#include "sip_config.h" +#include "sfhashfcn.h" + +int SIP_IsEmptyStr(char *); +int SIP_TrimSP(const char *, const char *, char **, char** ); +SIPMethodNode * SIP_FindMethod(SIPMethodlist, char*, unsigned int); +uint32_t strToHash(const char *, int ); +#endif /* SIP_UTILS_H_ */ diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sip/spp_sip.c snort-2.9.2/src/dynamic-preprocessors/sip/spp_sip.c --- snort-2.8.5.2/src/dynamic-preprocessors/sip/spp_sip.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/sip/spp_sip.c 2011-11-21 20:15:24.000000000 +0000 
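Review bot: `SIP_IsEmptyStr` and `SIP_TrimSP` call `isspace((int)*str)`, `isspace((int)*before)` and `isspace((int)*after)`; when `char` is signed, any byte >= 0x80 becomes a negative `int` that is neither EOF nor representable as `unsigned char`, and passing such a value to a `<ctype.h>` function is undefined behaviour (glibc implements it as a table lookup, so it reads before the table). `SIP_TrimSP` takes a `start`/`end` range rather than a NUL-terminated string, which suggests it runs over raw packet bytes where high-bit octets are attacker-controlled, so this is not just a theoretical portability issue. Cast through `unsigned char` instead, e.g. `isspace((unsigned char)*before)`, at all three sites. Note that the tail of this hunk (`strToHash`) and the start of the sip_utils.h hunk are garbled in this rendering (the `<`/`>` in the loop conditions were dropped), so the hash loop bounds cannot be reviewed here.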
@@ -0,0 +1,856 @@ +/* $Id */ + +/* + ** Copyright (C) 2011-2011 Sourcefire, Inc. + ** + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + + +/* + * SIP preprocessor + * + * This is the main entry point for this preprocessor + * + * Author: Hui Cao + * Date: 03-15-2011 + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + +#include "sf_types.h" +#include "sf_snort_packet.h" +#include "sf_dynamic_preprocessor.h" +#include "sf_snort_plugin_api.h" +#include "snort_debug.h" + +#include "preprocids.h" +#include "spp_sip.h" +#include "sip_config.h" +#include "sip_roptions.h" +#include "sip_parser.h" +#include "sip_dialog.h" + +#include +#include +#include +#include +#ifndef WIN32 +#include +#include +#endif +#include +#include + +#include "profiler.h" +#ifdef PERF_PROFILING +PreprocStats sipPerfStats; +#endif + +#include "sf_types.h" + +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 1; +const int BUILD_VERSION = 1; + +#ifdef SUP_IP6 +const char *PREPROC_NAME = "SF_SIP (IPV6)"; +#else +const char *PREPROC_NAME = "SF_SIP"; +#endif + +#define SetupSIP DYNAMIC_PREPROC_SETUP + +#ifdef TARGET_BASED +int16_t sip_app_id = SFTARGET_UNKNOWN_PROTOCOL; +#endif + +/* + * Session state flags for 
SIPData::state_flags + */ + +#define SIP_FLG_MISSED_PACKETS (0x10000) +#define SIP_FLG_REASSEMBLY_SET (0x20000) +/* + * Function prototype(s) + */ +SIPData * SIPGetNewSession(SFSnortPacket *, tSfPolicyId); +static void SIPInit( char* ); +static void SIPCheckConfig(void); +static void FreeSIPData( void* ); +static inline int SIP_Process(SFSnortPacket *, SIPData*); +static void SIPmain( void*, void* ); +static inline int CheckSIPPort( uint16_t ); +static void SIPFreeConfig(tSfPolicyUserContextId); +static void _addPortsToStream5Filter(SIPConfig *, tSfPolicyId); +static void SIP_PrintStats(int); +#ifdef TARGET_BASED +static void _addServicesToStream5Filter(tSfPolicyId); +#endif + +static void SIPCleanExit(int, void *); + +/******************************************************************** + * Global variables + ********************************************************************/ +uint32_t numSessions = 0; +SIP_Stats sip_stats; +SIPConfig *sip_eval_config; +tSfPolicyUserContextId sip_config; + +#ifdef SNORT_RELOAD +static tSfPolicyUserContextId sip_swap_config = NULL; +static void SIPReload(char *); +static int SIPReloadVerify(void); +static void * SIPReloadSwap(void); +static void SIPReloadSwapFree(void *); +#endif + + +/* Called at preprocessor setup time. Links preprocessor keyword + * to corresponding preprocessor initialization function. + * + * PARAMETERS: None. + * + * RETURNS: Nothing. + * + */ +void SetupSIP(void) +{ + /* Link preprocessor keyword to initialization function + * in the preprocessor list. */ +#ifndef SNORT_RELOAD + _dpd.registerPreproc( "sip", SIPInit ); +#else + _dpd.registerPreproc("sip", SIPInit, SIPReload, + SIPReloadSwap, SIPReloadSwapFree); +#endif +} + +/* Initializes the SIP preprocessor module and registers + * it in the preprocessor list. + * + * PARAMETERS: + * + * argp: Pointer to argument string to process for config + * data. + * + * RETURNS: Nothing. 
+ */ +static void SIPInit(char *argp) +{ + tSfPolicyId policy_id = _dpd.getParserPolicy(); + SIPConfig *pDefaultPolicyConfig = NULL; + SIPConfig *pPolicyConfig = NULL; + + + if (sip_config == NULL) + { + //create a context + sip_config = sfPolicyConfigCreate(); + if (sip_config == NULL) + { + DynamicPreprocessorFatalMessage("Failed to allocate memory " + "for SIP config.\n"); + } + + _dpd.addPreprocConfCheck(SIPCheckConfig); + _dpd.registerPreprocStats(SIP_NAME, SIP_PrintStats); + _dpd.addPreprocExit(SIPCleanExit, NULL, PRIORITY_LAST, PP_SIP); + +#ifdef PERF_PROFILING + _dpd.addPreprocProfileFunc("sip", (void *)&sipPerfStats, 0, _dpd.totalPerfStats); +#endif + +#ifdef TARGET_BASED + sip_app_id = _dpd.findProtocolReference("sip"); + if (sip_app_id == SFTARGET_UNKNOWN_PROTOCOL) + sip_app_id = _dpd.addProtocolReference("sip"); + +#endif + } + + sfPolicyUserPolicySet (sip_config, policy_id); + pDefaultPolicyConfig = (SIPConfig *)sfPolicyUserDataGetDefault(sip_config); + pPolicyConfig = (SIPConfig *)sfPolicyUserDataGetCurrent(sip_config); + if ((pPolicyConfig != NULL) && (pDefaultPolicyConfig == NULL)) + { + DynamicPreprocessorFatalMessage("SIP preprocessor can only be " + "configured once.\n"); + } + + pPolicyConfig = (SIPConfig *)calloc(1, sizeof(SIPConfig)); + if (!pPolicyConfig) + { + DynamicPreprocessorFatalMessage("Could not allocate memory for " + "SIP preprocessor configuration.\n"); + } + + sfPolicyUserDataSetCurrent(sip_config, pPolicyConfig); + + SIP_RegRuleOptions(); + + ParseSIPArgs(pPolicyConfig, (u_char *)argp); + + if (policy_id != 0) + pPolicyConfig->maxNumSessions = pDefaultPolicyConfig->maxNumSessions; + if ( pPolicyConfig->disabled ) + return; + if (_dpd.streamAPI == NULL) + { + DynamicPreprocessorFatalMessage("SetupSIP(): The Stream preprocessor must be enabled.\n"); + } + + _dpd.addPreproc( SIPmain, PRIORITY_APPLICATION, PP_SIP, PROTO_BIT__UDP|PROTO_BIT__TCP ); + + _addPortsToStream5Filter(pPolicyConfig, policy_id); + +#ifdef TARGET_BASED + 
_addServicesToStream5Filter(policy_id);
+#endif
+}
+/*********************************************************************
+ * Overload PCRE options: this is to support the "H"
+ *
+ * For SIP messages, uri Buffers will point to SIP instead of HTTP
+ *
+ * Arguments:
+ * SFSnortPacket * - pointer to packet structure
+ *
+ * Returns:
+ * None
+ *
+ *********************************************************************/
+static inline void SIP_overloadURI(SFSnortPacket *p, SIPMsg *sipMsg)
+{
+ _dpd.uriBuffers[HTTP_BUFFER_HEADER]->uriBuffer = (uint8_t *) sipMsg->header;
+ _dpd.uriBuffers[HTTP_BUFFER_HEADER]->uriLength = sipMsg->headerLen;
+ _dpd.uriBuffers[HTTP_BUFFER_CLIENT_BODY]->uriBuffer = (uint8_t *) sipMsg->body_data;
+ _dpd.uriBuffers[HTTP_BUFFER_CLIENT_BODY]->uriLength = sipMsg->bodyLen;
+ p->num_uris = HTTP_BUFFER_CLIENT_BODY + 1;
+
+}
+/*********************************************************************
+ * Main entry point for SIP processing.
+ *
+ * Arguments:
+ * SFSnortPacket * - pointer to packet structure
+ *
+ * Returns:
+ * int - SIP_SUCCESS
+ * SIP_FAILURE
+ *
+ *********************************************************************/
+static inline int SIP_Process(SFSnortPacket *p, SIPData* sessp)
+{
+ int status;
+ char* sip_buff = (char*) p->payload;
+ char* end;
+ SIP_Roptions *pRopts;
+ SIPMsg sipMsg;
+
+ memset(&sipMsg, 0, SIPMSG_ZERO_LEN);
+
+ /*Input parameters*/
+ sipMsg.isTcp = IsTCP(p);
+
+ end = sip_buff + p->payload_size;
+
+ status = sip_parse(&sipMsg, sip_buff, end);
+
+ if (SIP_SUCCESS == status)
+ {
+ SIP_overloadURI(p, &sipMsg);
+ /*Update the dialog state*/
+ SIP_updateDialog(&sipMsg, &(sessp->dialogs), p);
+ }
+ /*Update the session data*/
+ pRopts = &(sessp->ropts);
+ pRopts->methodFlag = sipMsg.methodFlag;
+ pRopts->header_data = sipMsg.header;
+ pRopts->header_len = sipMsg.headerLen;
+ pRopts->body_len = sipMsg.bodyLen;
+ pRopts->body_data = sipMsg.body_data;
+ pRopts->status_code = sipMsg.status_code;
+
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "SIP message header length: %d\n",
+ sipMsg.headerLen));
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Parsed method: %.*s, Flag: 0x%x\n",
+ sipMsg.methodLen, sipMsg.method, sipMsg.methodFlag));
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Parsed status code: %d\n",
+ sipMsg.status_code));
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Parsed header address: %p.\n",
+ sipMsg.header));
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Parsed body address: %p.\n",
+ sipMsg.body_data));
+
+ sip_freeMsg(&sipMsg);
+
+ return status;
+}
+/* Main runtime entry point for SIP preprocessor.
+ * Analyzes SIP packets for anomalies/exploits.
+ *
+ * PARAMETERS:
+ *
+ * packetp: Pointer to current packet to process.
+ * contextp: Pointer to context block, not used.
+ *
+ * RETURNS: Nothing.
+ */
+static void SIPmain( void* ipacketp, void* contextp )
+{
+ SIPData* sessp = NULL;
+ uint8_t source = 0;
+ uint8_t dest = 0;
+
+ SFSnortPacket* packetp;
+#ifdef TARGET_BASED
+ int16_t app_id = SFTARGET_UNKNOWN_PROTOCOL;
+#endif
+ tSfPolicyId policy_id = _dpd.getRuntimePolicy();
+ PROFILE_VARS;
+
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__START_MSG));
+
+ packetp = (SFSnortPacket*) ipacketp;
+ sfPolicyUserPolicySet (sip_config, policy_id);
+
+ /* Make sure this preprocessor should run. */
+ if (( !packetp ) || ( !packetp->payload ) ||( !packetp->payload_size ))
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "No payload - not inspecting.\n"));
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
+ return;
+ }
+ /* check if we're waiting on stream reassembly */
+ else if ( packetp->flags & FLAG_STREAM_INSERT)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Stream inserted - not inspecting.\n"));
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
+ return;
+ }
+ else if (!IsTCP(packetp) && !IsUDP(packetp))
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Not UDP or TCP - not inspecting.\n"));
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
+ return;
+ }
+
+ PREPROC_PROFILE_START(sipPerfStats);
+
+ sip_eval_config = sfPolicyUserDataGetCurrent(sip_config);
+
+ /* Attempt to get a previously allocated SIP block. */
+ sessp = _dpd.streamAPI->get_application_data(packetp->stream_session_ptr, PP_SIP);
+ if (sessp != NULL)
+ {
+ sip_eval_config = sfPolicyUserDataGet(sessp->config, sessp->policy_id);
+
+ }
+
+ if (sessp == NULL)
+ {
+ /* If not doing autodetection, check the ports to make sure this is
+ * running on an SIP port, otherwise no need to examine the traffic.
+ */
+#ifdef TARGET_BASED
+ app_id = _dpd.streamAPI->get_application_protocol_id(packetp->stream_session_ptr);
+ if (app_id == SFTARGET_UNKNOWN_PROTOCOL)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Unknown protocol - not inspecting.\n"));
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
+ PREPROC_PROFILE_END(sipPerfStats);
+ return;
+ }
+
+ else if (app_id && (app_id != sip_app_id))
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Not SIP - not inspecting.\n"));
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
+ PREPROC_PROFILE_END(sipPerfStats);
+ return;
+ }
+
+ else if (!app_id)
+ {
+#endif
+ source = (uint8_t)CheckSIPPort( packetp->src_port );
+ dest = (uint8_t)CheckSIPPort( packetp->dst_port );
+
+ if ( !source && !dest )
+ {
+ /* Not one of the ports we care about. */
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Not SIP ports - not inspecting.\n"));
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
+ PREPROC_PROFILE_END(sipPerfStats);
+ return;
+ }
+#ifdef TARGET_BASED
+ }
+#endif
+ /* Check the stream session. If it does not currently
+ * have our SIP data-block attached, create one.
+ */
+ sessp = SIPGetNewSession(packetp, policy_id);
+
+ if ( !sessp )
+ {
+ /* Could not get/create the session data for this packet. */
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Create session error - not inspecting.\n"));
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
+ PREPROC_PROFILE_END(sipPerfStats);
+ return;
+ }
+
+ }
+
+ /* Don't process if we've missed packets */
+ if (sessp->state_flags & SIP_FLG_MISSED_PACKETS)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Missed packets - not inspecting.\n"));
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
+ PREPROC_PROFILE_END(sipPerfStats);
+ return;
+ }
+
+ /* If we picked up mid-stream or missed any packets (midstream pick up
+ * means we've already missed packets) set missed packets flag and make
+ * sure we don't do any more reassembly on this session */
+ if (IsTCP(packetp))
+ {
+ if ((_dpd.streamAPI->get_session_flags(packetp->stream_session_ptr) & SSNFLAG_MIDSTREAM)
+ || _dpd.streamAPI->missed_packets(packetp->stream_session_ptr, SSN_DIR_BOTH))
+ {
+ _dpd.streamAPI->set_reassembly(packetp->stream_session_ptr,
+ STREAM_FLPOLICY_IGNORE, SSN_DIR_BOTH,
+ STREAM_FLPOLICY_SET_ABSOLUTE);
+
+ sessp->state_flags |= SIP_FLG_MISSED_PACKETS;
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Missed packets - not inspecting.\n"));
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
+ PREPROC_PROFILE_END(sipPerfStats);
+ return;
+ }
+ }
+
+ /* We're interested in this session. Turn on stream reassembly. */
+ if ( !(sessp->state_flags & SIP_FLG_REASSEMBLY_SET ))
+ {
+ _dpd.streamAPI->set_reassembly(packetp->stream_session_ptr,
+ STREAM_FLPOLICY_FOOTPRINT, SSN_DIR_BOTH, STREAM_FLPOLICY_SET_ABSOLUTE);
+ sessp->state_flags |= SIP_FLG_REASSEMBLY_SET;
+ }
+ /*
+ * Start process PAYLOAD
+ */
+ SIP_Process(packetp,sessp);
+
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
+ PREPROC_PROFILE_END(sipPerfStats);
+
+}
+
+/**********************************************************************
+ * Retrieves the SIP data block registered with the stream
+ * session associated w/ the current packet. If none exists,
+ * allocates it and registers it with the stream API.
+ *
+ * Arguments:
+ *
+ * packetp: Pointer to the packet from which/in which to
+ * retrieve/store the SIP data block.
+ *
+ * RETURNS: Pointer to an SIP data block, upon success.
+ * NULL, upon failure.
+ **********************************************************************/
+SIPData * SIPGetNewSession(SFSnortPacket *packetp, tSfPolicyId policy_id)
+{
+ SIPData* datap = NULL;
+ static int MaxSessionsAlerted = 0;
+ /* Sanity check(s) */
+ assert( packetp );
+ if ( !packetp->stream_session_ptr )
+ {
+ return NULL;
+ }
+ if(numSessions > ((SIPConfig *)sfPolicyUserDataGetCurrent(sip_config))->maxNumSessions)
+ {
+ if (!MaxSessionsAlerted)
+ ALERT(SIP_EVENT_MAX_SESSIONS,SIP_EVENT_MAX_SESSIONS_STR);
+ MaxSessionsAlerted = 1;
+ return NULL;
+ }
+ else
+ {
+ MaxSessionsAlerted = 0;
+ }
+ datap = (SIPData *)calloc(1, sizeof(SIPData));
+
+ if ( !datap )
+ return NULL;
+
+ /*Register the new SIP data block in the stream session. */
+ _dpd.streamAPI->set_application_data(
+ packetp->stream_session_ptr,
+ PP_SIP, datap, FreeSIPData );
+
+ datap->policy_id = policy_id;
+ datap->config = sip_config;
+ ((SIPConfig *)sfPolicyUserDataGetCurrent(sip_config))->ref_count++;
+ numSessions++;
+ sip_stats.sessions++;
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Number of sessions created: %u\n", numSessions));
+
+ return datap;
+}
+
+
+/***********************************************************************
+ * Registered as a callback with our SIP data blocks when
+ * they are added to the underlying stream session. Called
+ * by the stream preprocessor when a session is about to be
+ * destroyed.
+ *
+ * PARAMETERS:
+ *
+ * idatap: Pointer to the moribund data.
+ *
+ * RETURNS: Nothing.
+ ***********************************************************************/
+static void FreeSIPData( void* idatap )
+{
+ SIPData *ssn = (SIPData *)idatap;
+ SIPConfig *config = NULL;
+
+ if (ssn == NULL)
+ return;
+ if (numSessions > 0)
+ numSessions--;
+
+ /*Free all the dialog data*/
+ sip_freeDialogs(ssn->dialogs);
+
+ /*Clean the configuration data*/
+ if (ssn->config != NULL)
+ {
+ config = (SIPConfig *)sfPolicyUserDataGet(ssn->config, ssn->policy_id);
+ }
+
+ if (config == NULL)
+ {
+ free(ssn);
+ return;
+ }
+
+ config->ref_count--;
+ if ((config->ref_count == 0) && (ssn->config != sip_config))
+ {
+ sfPolicyUserDataClear (ssn->config, ssn->policy_id);
+ free(config);
+
+ if (sfPolicyUserPolicyGetActive(ssn->config) == 0)
+ {
+ /* No more outstanding configs - free the config array */
+ SIPFreeConfig(ssn->config);
+ }
+
+ }
+
+ free(ssn);
+}
+/* **********************************************************************
+ * Validates given port as an SIP server port.
+ *
+ * PARAMETERS:
+ *
+ * port: Port to validate.
+ *
+ * RETURNS: SIP_TRUE, if the port is indeed an SIP server port.
+ * SIP_FALSE, otherwise.
+ ***********************************************************************/
+static inline int CheckSIPPort( uint16_t port )
+{
+ if ( sip_eval_config->ports[ PORT_INDEX(port) ] & CONV_PORT( port ) )
+ {
+ return SIP_TRUE;
+ }
+
+ return SIP_FALSE;
+}
+
+static void _addPortsToStream5Filter(SIPConfig *config, tSfPolicyId policy_id)
+{
+ int portNum;
+
+ assert(config);
+ assert(_dpd.streamAPI);
+
+ for (portNum = 0; portNum < MAXPORTS; portNum++)
+ {
+ if(config->ports[(portNum/8)] & (1<<(portNum%8)))
+ {
+ //Add port the port
+ _dpd.streamAPI->set_port_filter_status(IPPROTO_UDP, (uint16_t)portNum, PORT_MONITOR_SESSION, policy_id, 1);
+ _dpd.streamAPI->set_port_filter_status(IPPROTO_TCP, (uint16_t)portNum, PORT_MONITOR_SESSION, policy_id, 1);
+ }
+ }
+
+}
+#ifdef TARGET_BASED
+
+static void _addServicesToStream5Filter(tSfPolicyId policy_id)
+{
+ _dpd.streamAPI->set_service_filter_status(sip_app_id, PORT_MONITOR_SESSION, policy_id, 1);
+}
+#endif
+static int SIPCheckPolicyConfig(tSfPolicyUserContextId config, tSfPolicyId policyId, void* pData)
+{
+ SIPConfig *pPolicyConfig = (SIPConfig *)pData;
+
+ _dpd.setParserPolicy(policyId);
+
+ if (pPolicyConfig->disabled)
+ return 0;
+
+ if (!_dpd.isPreprocEnabled(PP_STREAM5))
+ {
+ DynamicPreprocessorFatalMessage("SIPCheckPolicyConfig(): The Stream preprocessor must be enabled.\n");
+ }
+ return 0;
+}
+void SIPCheckConfig(void)
+{
+ sfPolicyUserDataIterate (sip_config, SIPCheckPolicyConfig);
+}
+
+
+static void SIPCleanExit(int signal, void *data)
+{
+ if (sip_config != NULL)
+ {
+ SIPFreeConfig(sip_config);
+ sip_config = NULL;
+ }
+}
+static int SIPFreeConfigPolicy(
+ tSfPolicyUserContextId config,
+ tSfPolicyId policyId,
+ void* pData
+)
+{
+ SIPConfig *pPolicyConfig = (SIPConfig *)pData;
+
+ //do any housekeeping before freeing SIPConfig
+
+ sfPolicyUserDataClear (config, policyId);
+
+ SIP_FreeConfig(pPolicyConfig);
+ return 0;
+}
+
+void SIPFreeConfig(tSfPolicyUserContextId config)
+{
+ if (config == NULL)
+ return;
+
+ sfPolicyUserDataIterate (config, SIPFreeConfigPolicy);
+ sfPolicyConfigDelete(config);
+}
+/******************************************************************
+ * Print statistics being kept by the preprocessor.
+ *
+ * Arguments:
+ * int - whether Snort is exiting or not
+ *
+ * Returns: None
+ *
+ ******************************************************************/
+static void SIP_PrintStats(int exiting)
+{
+ int i;
+ _dpd.logMsg("SIP Preprocessor Statistics\n");
+ _dpd.logMsg(" Total sessions: "STDu64"\n", sip_stats.sessions);
+ if (sip_stats.sessions > 0)
+ {
+ if (sip_stats.events > 0)
+ _dpd.logMsg(" SIP anomalies : "STDu64"\n", sip_stats.events);
+ if (sip_stats.dialogs > 0)
+ _dpd.logMsg(" Total dialogs: "STDu64"\n", sip_stats.dialogs);
+
+ _dpd.logMsg(" Requests: "STDu64"\n", sip_stats.requests[0]);
+ i = 0;
+ while (NULL != StandardMethods[i].name)
+ {
+ _dpd.logMsg("%16s: "STDu64"\n",
+ StandardMethods[i].name, sip_stats.requests[StandardMethods[i].methodFlag]);
+ i++;
+ }
+
+ _dpd.logMsg(" Responses: "STDu64"\n", sip_stats.responses[TOTAL_RESPONSES]);
+ for (i = 1; i disabled )
+ return;
+
+ if (_dpd.streamAPI == NULL)
+ {
+ DynamicPreprocessorFatalMessage("SetupSIP(): The Stream preprocessor must be enabled.\n");
+ }
+
+ _dpd.addPreproc( SIPmain, PRIORITY_APPLICATION, PP_SIP, PROTO_BIT__UDP|PROTO_BIT__TCP );
+ _dpd.addPreprocReloadVerify(SIPReloadVerify);
+
+ _addPortsToStream5Filter(pPolicyConfig, policy_id);
+
+#ifdef TARGET_BASED
+ _addServicesToStream5Filter(policy_id);
+#endif
+}
+
+static int SIPReloadVerify(void)
+{
+ SIPConfig * pPolicyConfig = NULL;
+ SIPConfig * pCurrentConfig = NULL;
+
+ if (sip_swap_config == NULL)
+ return 0;
+
+ pPolicyConfig = (SIPConfig *)sfPolicyUserDataGet(sip_swap_config, _dpd.getDefaultPolicy());
+
+ if (!pPolicyConfig)
+ return 0;
+
+ if ( pPolicyConfig->disabled )
+ return 0;
+
+ if (!_dpd.isPreprocEnabled(PP_STREAM5))
+ {
+ DynamicPreprocessorFatalMessage("SetupSIP(): The Stream preprocessor must be enabled.\n");
+ }
+
+ if (sip_config != NULL)
+ {
+ pCurrentConfig = (SIPConfig *)sfPolicyUserDataGet(sip_config, _dpd.getDefaultPolicy());
+ }
+
+ if (!pCurrentConfig)
+ return 0;
+
+ if (pPolicyConfig->maxNumSessions != pCurrentConfig->maxNumSessions)
+ {
+ _dpd.errMsg("SIP reload: Changing the max_sessions requires a restart.\n");
+ SIPFreeConfig(sip_swap_config);
+ sip_swap_config = NULL;
+ return -1;
+ }
+
+ return 0;
+}
+static int SIPFreeUnusedConfigPolicy(
+ tSfPolicyUserContextId config,
+ tSfPolicyId policyId,
+ void* pData
+)
+{
+ SIPConfig *pPolicyConfig = (SIPConfig *)pData;
+
+ //do any housekeeping before freeing SIPConfig
+ if (pPolicyConfig->ref_count == 0)
+ {
+ sfPolicyUserDataClear (config, policyId);
+ SIP_FreeConfig(pPolicyConfig);
+ }
+ return 0;
+}
+
+static void * SIPReloadSwap(void)
+{
+ tSfPolicyUserContextId old_config = sip_config;
+
+ if (sip_swap_config == NULL)
+ return NULL;
+
+ sip_config = sip_swap_config;
+ sip_swap_config = NULL;
+
+ sfPolicyUserDataIterate (old_config, SIPFreeUnusedConfigPolicy);
+
+ if (sfPolicyUserPolicyGetActive(old_config) == 0)
+ {
+ /* No more outstanding configs - free the config array */
+ return (void *)old_config;
+ }
+
+ return NULL;
+}
+
+static void SIPReloadSwapFree(void *data)
+{
+ if (data == NULL)
+ return;
+
+ SIPFreeConfig((tSfPolicyUserContextId)data);
+}
+#endif
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/sip/spp_sip.h snort-2.9.2/src/dynamic-preprocessors/sip/spp_sip.h
--- snort-2.8.5.2/src/dynamic-preprocessors/sip/spp_sip.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/sip/spp_sip.h 2011-07-13 22:44:51.000000000 +0000
@@ -0,0 +1,286 @@
+/* $Id */
+
+/*
+** Copyright (C) 2011-2011 Sourcefire, Inc.
+**
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License Version 2 as
+** published by the Free Software Foundation. You may not use, modify or
+** distribute this program under any other version of the GNU General
+** Public License.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+/*
+ * spp_sip.h: Definitions, structs, function prototype(s) for
+ * the SIP preprocessor.
+ * Author: Hui Cao
+ */
+
+#ifndef SPP_SIP_H
+#define SPP_SIP_H
+#include
+#include "sfPolicy.h"
+#include "sfPolicyUserData.h"
+#include "snort_bounds.h"
+#include "sip_roptions.h"
+#include "sf_ip.h"
+
+/* Convert port value into an index for the sip_config->ports array */
+#define PORT_INDEX(port) port/8
+
+/* Convert port value into a value for bitwise operations */
+#define CONV_PORT(port) 1<<(port%8)
+
+/*
+ * Boolean values.
+ */
+#define SIP_TRUE (1)
+#define SIP_FALSE (0)
+
+#define SIP_STATUS_CODE_LEN (3)
+#define SIP_CONTENT_LEN (5)
+/*
+ * Error codes.
+ */
+#define SIP_SUCCESS (1)
+#define SIP_FAILURE (0)
+
+typedef struct _SIP_MediaData
+{
+ sfip_t maddress; // media IP
+ uint16_t mport; // media port
+ uint8_t numPort; // number of media ports
+ struct _SIP_MediaData *nextM;
+} SIP_MediaData;
+
+typedef SIP_MediaData* SIP_MediaDataList;
+
+#define SIP_SESSION_SAVED (1)
+#define SIP_SESSION_INIT (0)
+
+typedef struct _SIP_MediaSession
+{
+ uint32_t sessionID; // a hash value of the session
+ int savedFlag; // whether this data has been saved by a dialog,
+ // if savedFlag = 1, this session will be deleted after sip message is processed.
+ sfip_t maddress_default; //Default media IP
+ SIP_MediaDataList medias; //Media list in the session
+ struct _SIP_MediaSession *nextS; // Next media session
+} SIP_MediaSession;
+
+typedef SIP_MediaSession* SIP_MediaList;
+
+
+typedef struct _SIP_DialogID
+{
+ uint32_t callIdHash;
+ uint32_t fromTagHash;
+ uint32_t toTagHash;
+} SIP_DialogID;
+
+typedef enum _SIP_DialogState
+{
+ SIP_DLG_CREATE = 1, //1
+ SIP_DLG_INVITING, //2
+ SIP_DLG_EARLY, //3
+ SIP_DLG_AUTHENCATING, //4
+ SIP_DLG_ESTABLISHED, //5
+ SIP_DLG_REINVITING, //6
+ SIP_DLG_TERMINATING, //7
+ SIP_DLG_TERMINATED //8
+} SIP_DialogState;
+
+typedef struct _SIP_DialogData
+{
+ SIP_DialogID dlgID;
+ SIP_DialogState state;
+ SIPMethodsFlag creator;
+ uint16_t status_code;
+ SIP_MediaList mediaSessions;
+ struct _SIP_DialogData *nextD;
+ struct _SIP_DialogData *prevD;
+} SIP_DialogData;
+
+typedef SIP_DialogData* SIP_DialogList;
+
+/*
+ * Per-session data block containing current state
+ * of the SIP preprocessor for the session.
+ *
+ * state_flags: Bit vector describing the current state of the
+ * session.
+ */
+typedef struct _sipData
+{
+
+ uint32_t state_flags;
+ SIP_DialogList dialogs;
+ SIP_Roptions ropts;
+ tSfPolicyId policy_id;
+ tSfPolicyUserContextId config;
+
+} SIPData;
+
+typedef struct _SIPMsg
+{
+ uint16_t headerLen;
+ uint16_t methodLen;
+ SIPMethodsFlag methodFlag;
+ uint16_t status_code;
+
+ uint16_t uriLen;
+ uint16_t callIdLen;
+ uint16_t cseqNameLen;
+ uint16_t fromLen;
+ uint16_t fromTagLen;
+ uint16_t toLen;
+ uint16_t toTagLen;
+ uint16_t viaLen;
+ uint16_t contactLen;
+ uint16_t bodyLen;
+ uint16_t contentTypeLen;
+ uint32_t content_len;
+ SIP_DialogID dlgID;
+ SIP_MediaSession *mediaSession;
+ char *authorization;
+ const uint8_t *header;
+ const uint8_t *body_data; /* Set to NULL if not applicable */
+ uint64_t cseqnum;
+
+ /* nothing after this point is zeroed ...*/
+ /*Input parameters*/
+ unsigned char isTcp;
+
+ char *method;
+ char *uri;
+ char *call_id;
+ char *cseqName;
+ char *from;
+ char *from_tag;
+ char *to;
+ char *to_tag;
+ char *via;
+ char *contact;
+
+ char *content_type;
+ char *content_encode;
+
+} SIPMsg;
+
+#define SIPMSG_ZERO_LEN offsetof(SIPMsg, isTcp)
+
+/*
+ * Generator id. Define here the same as the official registry
+ * in generators.h
+ */
+#define GENERATOR_SPP_SIP 140
+
+/* Ultimately calls SnortEventqAdd */
+/* Arguments are: gid, sid, rev, classification, priority, message, rule_info */
+#define ALERT(x,y) { _dpd.alertAdd(GENERATOR_SPP_SIP, x, 1, 0, 3, y, 0 ); sip_stats.events++; }
+
+/*
+ * SIP preprocessor alert types.
+ */
+#define SIP_EVENT_MAX_SESSIONS 1
+#define SIP_EVENT_EMPTY_REQUEST_URI 2
+#define SIP_EVENT_BAD_URI 3
+#define SIP_EVENT_EMPTY_CALL_ID 4
+#define SIP_EVENT_BAD_CALL_ID 5
+#define SIP_EVENT_BAD_CSEQ_NUM 6
+#define SIP_EVENT_BAD_CSEQ_NAME 7
+#define SIP_EVENT_EMPTY_FROM 8
+#define SIP_EVENT_BAD_FROM 9
+#define SIP_EVENT_EMPTY_TO 10
+#define SIP_EVENT_BAD_TO 11
+#define SIP_EVENT_EMPTY_VIA 12
+#define SIP_EVENT_BAD_VIA 13
+#define SIP_EVENT_EMPTY_CONTACT 14
+#define SIP_EVENT_BAD_CONTACT 15
+#define SIP_EVENT_BAD_CONTENT_LEN 16
+#define SIP_EVENT_MULTI_MSGS 17
+#define SIP_EVENT_MISMATCH_CONTENT_LEN 18
+#define SIP_EVENT_INVALID_CSEQ_NAME 19
+#define SIP_EVENT_AUTH_INVITE_REPLAY_ATTACK 20
+#define SIP_EVENT_AUTH_INVITE_DIFF_SESSION 21
+#define SIP_EVENT_BAD_STATUS_CODE 22
+#define SIP_EVENT_EMPTY_CONTENT_TYPE 23
+#define SIP_EVENT_INVALID_VERSION 24
+#define SIP_EVENT_MISMATCH_METHOD 25
+#define SIP_EVENT_UNKOWN_METHOD 26
+
+/*
+ * SIP preprocessor alert strings.
+ */
+#define SIP_EVENT_MAX_SESSIONS_STR "(spp_sip) Maximum sessions reached"
+#define SIP_EVENT_EMPTY_REQUEST_URI_STR "(spp_sip) Empty request URI"
+#define SIP_EVENT_BAD_URI_STR "(spp_sip) URI is too long"
+#define SIP_EVENT_EMPTY_CALL_ID_STR "(spp_sip) Empty call-Id"
+#define SIP_EVENT_BAD_CALL_ID_STR "(spp_sip) Call-Id is too long"
+#define SIP_EVENT_BAD_CSEQ_NUM_STR "(spp_sip) CSeq number is too large or negative"
+#define SIP_EVENT_BAD_CSEQ_NAME_STR "(spp_sip) Request name in CSeq is too long"
+#define SIP_EVENT_EMPTY_FROM_STR "(spp_sip) Empty From header"
+#define SIP_EVENT_BAD_FROM_STR "(spp_sip) From header is too long"
+#define SIP_EVENT_EMPTY_TO_STR "(spp_sip) Empty To header"
+#define SIP_EVENT_BAD_TO_STR "(spp_sip) To header is too long"
+#define SIP_EVENT_EMPTY_VIA_STR "(spp_sip) Empty Via header"
+#define SIP_EVENT_BAD_VIA_STR "(spp_sip) Via header is too long"
+#define SIP_EVENT_EMPTY_CONTACT_STR "(spp_sip) Empty Contact"
+#define SIP_EVENT_BAD_CONTACT_STR "(spp_sip) Contact is too long"
+#define SIP_EVENT_BAD_CONTENT_LEN_STR "(spp_sip) Content length is too large or negative"
+#define SIP_EVENT_MULTI_MSGS_STR "(spp_sip) Multiple SIP messages in a packet"
+#define SIP_EVENT_MISMATCH_CONTENT_LEN_STR "(spp_sip) Content length mismatch"
+#define SIP_EVENT_INVALID_CSEQ_NAME_STR "(spp_sip) Request name is invalid"
+#define SIP_EVENT_AUTH_INVITE_REPLAY_ATTACK_STR "(spp_sip) Invite replay attack"
+#define SIP_EVENT_AUTH_INVITE_DIFF_SESSION_STR "(spp_sip) Illegal session information modification"
+#define SIP_EVENT_BAD_STATUS_CODE_STR "(spp_sip) Response status code is not a 3 digit number"
+#define SIP_EVENT_EMPTY_CONTENT_TYPE_STR "(spp_sip) Empty Content-type header"
+#define SIP_EVENT_INVALID_VERSION_STR "(spp_sip) SIP version is invalid"
+#define SIP_EVENT_MISMATCH_METHOD_STR "(spp_sip) Mismatch in METHOD of request and the CSEQ header"
+#define SIP_EVENT_UNKOWN_METHOD_STR "(spp_sip) Method is unknown"
+
+#define MAX_STAT_CODE 999
+#define MIN_STAT_CODE 100
+#define TOTAL_RESPONSES 0
+#define RESPONSE1XX 1
+#define RESPONSE2XX 2
+#define RESPONSE3XX 3
+#define RESPONSE4XX 4
+#define RESPONSE5XX 5
+#define RESPONSE6XX 6
+#define NUM_OF_RESPONSE_TYPES 10
+#define TOTAL_REQUESTS 0
+#define NUM_OF_REQUEST_TYPES SIP_METHOD_USER_DEFINE_MAX
+
+typedef struct _SIP_Stats
+{
+ uint64_t sessions;
+ uint64_t events;
+
+ uint64_t dialogs;
+ uint64_t requests[NUM_OF_REQUEST_TYPES];
+ uint64_t responses[NUM_OF_RESPONSE_TYPES];
+ uint64_t ignoreChannels;
+ uint64_t ignoreSessions;
+
+} SIP_Stats;
+
+extern SIP_Stats sip_stats;
+extern SIPConfig *sip_eval_config;
+extern tSfPolicyUserContextId sip_config;
+
+
+/* Prototypes for public interface */
+void SetupSIP(void);
+
+#endif /* SPP_SIP_H */
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/smtp/Makefile.am snort-2.9.2/src/dynamic-preprocessors/smtp/Makefile.am
--- snort-2.8.5.2/src/dynamic-preprocessors/smtp/Makefile.am 2009-05-06 22:29:04.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/smtp/Makefile.am
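Review bot: The port-bitmap macros near the top of spp_sip.h are unparenthesized — `PORT_INDEX(port)` expands to `port/8` and `CONV_PORT(port)` to `1<<(port%8)` — so the one use in CheckSIPPort, `ports[ PORT_INDEX(port) ] & CONV_PORT( port )`, groups correctly only because `<<` binds tighter than `&`, and any argument that is itself an expression (`p + 1`) would be mis-parsed as `p + 1/8`. I would define them as `#define PORT_INDEX(port) ((port)/8)` and `#define CONV_PORT(port) (1<<((port)%8))`. `ALERT(x,y)` carries a related hazard: its bare `{ ...; }` body plus the caller's trailing `;` would break an `if`/`else`, and the `if (!MaxSessionsAlerted) ALERT(...);` in SIPGetNewSession compiles only because no else follows; wrapping the body in `do { ... } while (0)` removes that trap. Separately, `SIP_EVENT_UNKOWN_METHOD` and `SIP_EVENT_UNKOWN_METHOD_STR` misspell "unknown", and since these names are the preprocessor's exported event identifiers a rename is cheap now and awkward later. The first `#include` line has lost its angle-bracketed argument in this rendering; given the `offsetof` in `SIPMSG_ZERO_LEN` it is presumably `<stddef.h>`, which is worth confirming against the actual file.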
2011-07-13 22:44:51.000000000 +0000 @@ -1,24 +1,27 @@ ## $Id AUTOMAKE_OPTIONS=foreign no-dependencies -INCLUDES = -I../include -I${top_srcdir}/src/dynamic-preprocessors/libs +INCLUDES = -I../include -I${srcdir}/../libs libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor lib_LTLIBRARIES = libsf_smtp_preproc.la -libsf_smtp_preproc_la_LDFLAGS = -module - -BUILT_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c - +libsf_smtp_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +if SO_WITH_STATIC_LIB +libsf_smtp_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +else nodist_libsf_smtp_preproc_la_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c +../include/sf_dynamic_preproc_lib.c \ +../include/mempool.c \ +../include/sf_sdlist.c \ +../include/sf_base64decode.c \ +../include/util_unfold.c \ +../include/sf_email_attach_decode.c \ +../include/sfPolicyUserData.c +endif libsf_smtp_preproc_la_SOURCES = \ -sf_preproc_info.h \ smtp_config.c \ smtp_config.h \ smtp_log.c \ @@ -39,14 +42,6 @@ EXTRA_DIST = \ sf_smtp.dsp -sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c - cp $? $@ - -sfPolicyUserData.c: ../include/sfPolicyUserData.c - cp $? $@ - -all-local: +all-local: $(LTLIBRARIES) $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES -clean-local: - rm -f sf_dynamic_preproc_lib.c sfPolicyUserData.c diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/smtp/Makefile.in snort-2.9.2/src/dynamic-preprocessors/smtp/Makefile.in --- snort-2.8.5.2/src/dynamic-preprocessors/smtp/Makefile.in 2009-10-19 21:18:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/Makefile.in 2011-12-07 19:23:20.000000000 +0000 
@@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -16,8 +17,9 @@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c 
@@ -42,27 +44,47 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; -am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(libdir)" -libLTLIBRARIES_INSTALL = $(INSTALL) LTLIBRARIES = $(lib_LTLIBRARIES) -libsf_smtp_preproc_la_LIBADD = +@SO_WITH_STATIC_LIB_TRUE@libsf_smtp_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la am_libsf_smtp_preproc_la_OBJECTS = smtp_config.lo smtp_log.lo \ smtp_normalize.lo smtp_util.lo smtp_xlink2state.lo \ snort_smtp.lo spp_smtp.lo ssl.lo -nodist_libsf_smtp_preproc_la_OBJECTS = sf_dynamic_preproc_lib.lo \ - sfPolicyUserData.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_smtp_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo mempool.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sf_sdlist.lo sf_base64decode.lo \ +@SO_WITH_STATIC_LIB_FALSE@ util_unfold.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sf_email_attach_decode.lo \ +@SO_WITH_STATIC_LIB_FALSE@ 
sfPolicyUserData.lo libsf_smtp_preproc_la_OBJECTS = $(am_libsf_smtp_preproc_la_OBJECTS) \ $(nodist_libsf_smtp_preproc_la_OBJECTS) libsf_smtp_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(libsf_smtp_preproc_la_LDFLAGS) $(LDFLAGS) -o $@ -DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = am__depfiles_maybe = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ @@ -89,31 +111,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ -INCLUDES = -I../include -I${top_srcdir}/src/dynamic-preprocessors/libs +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ @@ -126,12 +148,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -139,20 +167,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -184,6 +219,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ 
@@ -196,21 +232,23 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies lib_LTLIBRARIES = libsf_smtp_preproc.la -libsf_smtp_preproc_la_LDFLAGS = -module -BUILT_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c - -nodist_libsf_smtp_preproc_la_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c +libsf_smtp_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +@SO_WITH_STATIC_LIB_TRUE@libsf_smtp_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_smtp_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/mempool.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_sdlist.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_base64decode.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/util_unfold.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_email_attach_decode.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c libsf_smtp_preproc_la_SOURCES = \ -sf_preproc_info.h \ smtp_config.c \ smtp_config.h \ smtp_log.c \ @@ -231,8 +269,7 @@ EXTRA_DIST = \ sf_smtp.dsp -all: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) all-am +all: all-am .SUFFIXES: .SUFFIXES: .c .lo .o .obj 
@@ -240,14 +277,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/smtp/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/dynamic-preprocessors/smtp/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/smtp/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-preprocessors/smtp/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ 
@@ -265,23 +302,28 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): install-libLTLIBRARIES: $(lib_LTLIBRARIES) @$(NORMAL_INSTALL) test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ if test -f $$p; then \ - f=$(am__strip_dir) \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \ + list2="$$list2 $$p"; \ else :; fi; \ - done + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } uninstall-libLTLIBRARIES: @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p=$(am__strip_dir) \ - echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \ - $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \ + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ done clean-libLTLIBRARIES: 
@@ -311,7 +353,28 @@ $(LTCOMPILE) -c -o $@ $< ssl.lo: ${top_srcdir}/src/dynamic-preprocessors/libs/ssl.c - $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ssl.lo `test -f '${top_srcdir}/src/dynamic-preprocessors/libs/ssl.c' || echo '$(srcdir)/'`${top_srcdir}/src/dynamic-preprocessors/libs/ssl.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ssl.lo `test -f '${top_srcdir}/src/dynamic-preprocessors/libs/ssl.c' || echo '$(srcdir)/'`${top_srcdir}/src/dynamic-preprocessors/libs/ssl.c + +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +mempool.lo: ../include/mempool.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mempool.lo `test -f '../include/mempool.c' || echo '$(srcdir)/'`../include/mempool.c + +sf_sdlist.lo: ../include/sf_sdlist.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_sdlist.lo `test -f '../include/sf_sdlist.c' || echo '$(srcdir)/'`../include/sf_sdlist.c + +sf_base64decode.lo: ../include/sf_base64decode.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_base64decode.lo `test -f '../include/sf_base64decode.c' || echo 
'$(srcdir)/'`../include/sf_base64decode.c + +util_unfold.lo: ../include/util_unfold.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o util_unfold.lo `test -f '../include/util_unfold.c' || echo '$(srcdir)/'`../include/util_unfold.c + +sf_email_attach_decode.lo: ../include/sf_email_attach_decode.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_email_attach_decode.lo `test -f '../include/sf_email_attach_decode.c' || echo '$(srcdir)/'`../include/sf_email_attach_decode.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c mostlyclean-libtool: -rm -f *.lo 
@@ -324,45 +387,49 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i 
$(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags @@ -383,26 +450,28 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am -check: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) check-am +check: check-am all-am: Makefile $(LTLIBRARIES) all-local installdirs: for dir in "$(DESTDIR)$(libdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done -install: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) install-am +install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am @@ -422,14 +491,14 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." - -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) clean: clean-am -clean-am: clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ mostlyclean-am distclean: distclean-am @@ -443,6 +512,8 @@ html: html-am +html-am: + info: info-am info-am: 
@@ -451,18 +522,28 @@ install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-libLTLIBRARIES install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am @@ -487,8 +568,8 @@ .MAKE: install-am install-strip .PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ - clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ - ctags distclean distclean-compile distclean-generic \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ @@ -501,17 +582,9 @@ tags uninstall uninstall-am uninstall-libLTLIBRARIES -sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c - cp $? $@ - -sfPolicyUserData.c: ../include/sfPolicyUserData.c - cp $? $@ - -all-local: +all-local: $(LTLIBRARIES) $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES -clean-local: - rm -f sf_dynamic_preproc_lib.c sfPolicyUserData.c # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/smtp/sf_preproc_info.h snort-2.9.2/src/dynamic-preprocessors/smtp/sf_preproc_info.h --- snort-2.8.5.2/src/dynamic-preprocessors/smtp/sf_preproc_info.h 2009-08-10 20:41:49.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/sf_preproc_info.h 1970-01-01 00:00:00.000000000 +0000 
@@ -1,37 +0,0 @@
-/****************************************************************************
- *
- * Copyright (C) 2005-2009 Sourcefire, Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License Version 2 as
- * published by the Free Software Foundation. You may not use, modify or
- * distribute this program under any other version of the GNU General
- * Public License.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- ****************************************************************************/
-
-#ifndef SF_PREPROC_INFO_H
-#define SF_PREPROC_INFO_H
-
-#define MAJOR_VERSION 1
-#define MINOR_VERSION 1
-#define BUILD_VERSION 8
-#ifdef SUP_IP6
-#define PREPROC_NAME "SF_SMTP (IPV6)"
-#else
-#define PREPROC_NAME "SF_SMTP"
-#endif
-
-#define DYNAMIC_PREPROC_SETUP SetupSMTP
-extern void SetupSMTP(void);
-
-#endif /* SF_PREPROC_INFO_H */
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/smtp/sf_smtp.dsp snort-2.9.2/src/dynamic-preprocessors/smtp/sf_smtp.dsp
--- snort-2.8.5.2/src/dynamic-preprocessors/smtp/sf_smtp.dsp 2009-05-06 22:29:05.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/smtp/sf_smtp.dsp 2011-11-21 20:15:24.000000000 +0000
@@ -38,25 +38,25 @@ # PROP BASE Output_Dir "Release" # PROP BASE Intermediate_Dir "Release" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "Release" # PROP Intermediate_Dir "Release" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /c -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\libs" /D "NDEBUG" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "SF_SNORT_PREPROC_DLL" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /YX /FD /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SF_SNORT_PREPROC_DLL" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 pcre.lib ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib ../libs/Release/sfdynamic_preproc_libs.lib /nologo /dll 
/machine:I386 /libpath:"../../../src/win32/WIN32-Libraries" +# ADD LINK32 pcre.lib ws2_32.lib ../libs/Release/sfdynamic_preproc_libs.lib /nologo /dll /machine:I386 /libpath:"../../../src/win32/WIN32-Libraries" !ELSEIF "$(CFG)" == "sf_smtp - Win32 Debug" 
@@ -65,25 +65,25 @@ # PROP BASE Output_Dir "Debug" # PROP BASE Intermediate_Dir "Debug" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "Debug" # PROP Intermediate_Dir "Debug" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\libs" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /YX /FD /GZ /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 pcre.lib ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib 
odbccp32.lib ../libs/Debug/sfdynamic_preproc_libs.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"../../../src/win32/WIN32-Libraries" +# ADD LINK32 pcre.lib ws2_32.lib ../libs/Debug/sfdynamic_preproc_libs.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"../../../src/win32/WIN32-Libraries" !ELSEIF "$(CFG)" == "sf_smtp - Win32 IPv6 Debug" @@ -93,7 +93,7 @@ # PROP BASE Intermediate_Dir "sf_smtp___Win32_IPv6_Debug" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "IPv6_Debug" # PROP Intermediate_Dir "IPv6_Debug" 
@@ -101,18 +101,18 @@ # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /GZ /c # SUBTRACT BASE CPP /X -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\libs" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /YX /FD /GZ /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 pcre.lib ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"../../../src/win32/WIN32-Libraries" -# ADD LINK32 pcre.lib ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib 
../libs/IPv6_Debug/sfdynamic_preproc_libs.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"../../../src/win32/WIN32-Libraries" +# ADD LINK32 pcre.lib ws2_32.lib ../libs/IPv6_Debug/sfdynamic_preproc_libs.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"../../../src/win32/WIN32-Libraries" !ELSEIF "$(CFG)" == "sf_smtp - Win32 IPv6 Release" @@ -122,7 +122,7 @@ # PROP BASE Intermediate_Dir "sf_smtp___Win32_IPv6_Release" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "IPv6_Release" # PROP Intermediate_Dir "IPv6_Release" 
@@ -130,17 +130,18 @@ # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_SMTP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /c # SUBTRACT BASE CPP /X -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\libs" /D "NDEBUG" /D "SUP_IP6" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "SF_SNORT_PREPROC_DLL" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 pcre.lib ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 /libpath:"../../../src/win32/WIN32-Libraries" -# ADD LINK32 pcre.lib ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib ../libs/IPv6_Release/sfdynamic_preproc_libs.lib /nologo /dll /machine:I386 
/libpath:"../../../src/win32/WIN32-Libraries" +# ADD LINK32 pcre.lib ws2_32.lib ../libs/IPv6_Release/sfdynamic_preproc_libs.lib /nologo /dll /machine:I386 /libpath:"../../../src/win32/WIN32-Libraries" # SUBTRACT LINK32 /pdb:none !ENDIF @@ -156,10 +157,26 @@ # PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" # Begin Source File +SOURCE=..\include\mempool.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_base64decode.c +# End Source File +# Begin Source File + SOURCE=..\include\sf_dynamic_preproc_lib.c # End Source File # Begin Source File +SOURCE=..\include\sf_email_attach_decode.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_sdlist.c +# End Source File +# Begin Source File + SOURCE=..\include\sfPolicyUserData.c # End Source File # Begin Source File @@ -190,16 +207,36 @@ SOURCE=.\spp_smtp.c # End Source File +# Begin Source File + +SOURCE=..\include\util_unfold.c +# End Source File # End Group # Begin Group "Header Files" # PROP Default_Filter "h;hpp;hxx;hm;inl" # Begin Source File +SOURCE=..\include\mempool.h +# End Source File +# Begin Source File + +SOURCE=..\include\sf_base64decode.h +# End Source File +# Begin Source File + +SOURCE=..\include\sf_email_attach_decode.h +# End Source File +# Begin Source File + SOURCE=.\sf_preproc_info.h # End Source File # Begin Source File +SOURCE=..\include\sf_sdlist.h +# End Source File +# Begin Source File + SOURCE=.\smtp_config.h # End Source File # Begin Source File @@ -226,6 +263,10 @@ SOURCE=.\spp_smtp.h # End Source File +# Begin Source File + +SOURCE=..\include\util_unfold.h +# End Source File # End Group # Begin Group "Resource Files" diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/smtp/smtp_config.c snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_config.c --- snort-2.8.5.2/src/dynamic-preprocessors/smtp/smtp_config.c 2009-07-07 15:37:07.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_config.c 2011-10-26 18:28:52.000000000 +0000 
@@ -1,6 +1,6 @@ /**************************************************************************** - * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -45,9 +45,10 @@ #include "config.h" #endif +#include "sf_types.h" #include "snort_smtp.h" #include "smtp_config.h" -#include "bounds.h" +#include "snort_bounds.h" #include "sf_dynamic_preprocessor.h" #include "sfPolicy.h" @@ -55,24 +56,27 @@ /* Global variable to hold configuration */ extern SMTPConfig **smtp_config; -extern DynamicPreprocessorData _dpd; extern const SMTPToken smtp_known_cmds[]; /* Private functions */ -static void PrintConfig(SMTPConfig *); static int ProcessPorts(SMTPConfig *, char *, int); static int ProcessCmds(SMTPConfig *, char *, int, int); static int GetCmdId(SMTPConfig *, char *); static int AddCmd(SMTPConfig *, char *name); static int ProcessAltMaxCmdLen(SMTPConfig *, char *, int); +static int ProcessMaxMimeMem(SMTPConfig *, char *, int); +static int ProcessSmtpMemcap(SMTPConfig *, char *, int); +static int ProcessMaxMimeDepth(SMTPConfig *, char *, int); +static int ProcessLogDepth(SMTPConfig *, char *, int); static int ProcessXlink2State(SMTPConfig *, char *, int); +static int ProcessDecodeDepth(SMTPConfig *, char *, int , char *, DecodeType ); /* * Function: SMTP_ParseArgs(char *) * - * Purpose: Process the preprocessor arguments from the rules file and + * Purpose: Process the preprocessor arguments from the rules file and * initialize the preprocessor's data struct. This function doesn't - * have to exist if it makes sense to parse the args in the init + * have to exist if it makes sense to parse the args in the init * function. * * Arguments: args => argument list 
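Review bot: The new prototype `static int ProcessDecodeDepth(SMTPConfig *, char *, int , char *, DecodeType );` in the private-functions hunk drops the parameter names, so nothing tells a reader which of the two `char *` arguments is the error buffer and which is the option name that the call sites pass (`CONF_B64_DECODE` and friends), and the `int ,` / `DecodeType )` spacing does not match the neighbouring declarations. Naming the parameters fixes both: `static int ProcessDecodeDepth(SMTPConfig *config, char *errStr, int errStrLen, char *decode_type_name, DecodeType type);`. The same hunk removes `extern DynamicPreprocessorData _dpd;` while `_dpd` is still referenced throughout this file, so that declaration presumably now comes from `sf_dynamic_preprocessor.h`; worth confirming rather than relying on include order.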
@@ -87,6 +91,8 @@ char *value; char errStr[ERRSTRLEN]; int errStrLen = ERRSTRLEN; + int b64_option = 0; + int deprecated_options = 0; if ((config == NULL) || (args == NULL)) return; @@ -98,21 +104,35 @@ config->max_command_line_len = DEFAULT_MAX_COMMAND_LINE_LEN; config->max_header_line_len = DEFAULT_MAX_HEADER_LINE_LEN; config->max_response_line_len = DEFAULT_MAX_RESPONSE_LINE_LEN; + config->max_mime_depth = DEFAULT_MAX_MIME_DEPTH; + config->max_mime_mem = DEFAULT_MAX_MIME_MEM; + config->memcap = DEFAULT_SMTP_MEMCAP; config->alert_xlink2state = 1; config->print_cmds = 1; + config->enable_mime_decoding = 0; + config->b64_depth = DEFAULT_MAX_MIME_DEPTH; + config->qp_depth = DEFAULT_MAX_MIME_DEPTH; + config->uu_depth = DEFAULT_MAX_MIME_DEPTH; + config->bitenc_depth = DEFAULT_MAX_MIME_DEPTH; + config->max_depth = MIN_DEPTH; + config->log_filename = 0; + config->log_mailfrom = 0; + config->log_rcptto = 0; + config->log_email_hdrs = 0; + config->email_hdrs_log_depth = DEFAULT_LOG_DEPTH; config->cmd_config = (SMTPCmdConfig *)calloc(CMD_LAST, sizeof(SMTPCmdConfig)); if (config->cmd_config == NULL) { DynamicPreprocessorFatalMessage("%s(%d) => Failed to allocate memory for SMTP " - "command structure\n", + "command structure\n", *(_dpd.config_file), *(_dpd.config_line)); } *errStr = '\0'; arg = strtok(args, CONF_SEPARATORS); - + while ( arg != NULL ) { if ( !strcasecmp(CONF_PORTS, arg) ) @@ -156,12 +176,12 @@ } } else if ( !strcasecmp(CONF_IGNORE_DATA, arg) ) - { - config->ignore_data = 1; + { + config->ignore_data = 1; } else if ( !strcasecmp(CONF_IGNORE_TLS_DATA, arg) ) { - config->ignore_tls_data = 1; + config->ignore_tls_data = 1; } else if ( !strcasecmp(CONF_MAX_COMMAND_LINE_LEN, arg) ) { @@ -194,7 +214,7 @@ config->max_response_line_len = strtol(value, &endptr, 10); } else if ( !strcasecmp(CONF_NO_ALERTS, arg) ) - { + { config->no_alerts = 1; } else if ( !strcasecmp(CONF_ALERT_UNKNOWN_CMDS, arg) ) 
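Review bot: The new defaults in the `@@ -98,21 +104,35 @@` hunk set `b64_depth`, `qp_depth`, `uu_depth` and `bitenc_depth` to `DEFAULT_MAX_MIME_DEPTH` while the new `enable_mime_decoding` flag defaults to 0, and later in this diff `SMTP_IsDecodingEnabled` treats any depth `> -1` as enabled and `SMTP_CheckConfig` treats a depth of 0 as unbounded (`MAX_DEPTH`); if that reading is right, decoding is active with no option given at all, which deserves a sentence in the configuration docs since the flag's name suggests it is opt-in. The three-state meaning of the depth fields is not recorded anywhere in the hunk; a comment at the first assignment would help, e.g. `/* decode depths: -1 = decoding off, 0 = unbounded, >0 = byte cap (see SMTP_CheckConfig) */`. The enclosing function `SMTP_ParseArgs` starts before and continues after this hunk.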
@@ -209,7 +229,7 @@
 else if ( !strcasecmp(CONF_VALID_CMDS, arg) )
 {
 /* Parse allowed commands */
- ret = ProcessCmds(config, errStr, errStrLen, ACTION_NO_ALERT);
+ ret = ProcessCmds(config, errStr, errStrLen, ACTION_NO_ALERT);
 }
 else if ( !strcasecmp(CONF_NORMALIZE_CMDS, arg) )
 {
@@ -221,20 +241,85 @@ /* Parse max line len for commands */ ret = ProcessAltMaxCmdLen(config, errStr, errStrLen); } + else if ( !strcasecmp(CONF_SMTP_MEMCAP, arg) ) + { + ret = ProcessSmtpMemcap(config, errStr, errStrLen); + } + else if ( !strcasecmp(CONF_MAX_MIME_MEM, arg) ) + { + ret = ProcessMaxMimeMem(config, errStr, errStrLen); + } + else if ( !strcasecmp(CONF_MAX_MIME_DEPTH, arg) ) + { + deprecated_options = 1; + _dpd.logMsg("WARNING: %s(%d) => The SMTP config option 'max_mime_depth' is deprecated.\n", + *(_dpd.config_file), *(_dpd.config_line)); + if(!b64_option) + ret = ProcessMaxMimeDepth(config, errStr, errStrLen); + } + else if ( !strcasecmp(CONF_ENABLE_MIME_DECODING, arg) ) + { + deprecated_options = 1; + _dpd.logMsg("WARNING: %s(%d) => The SMTP config option 'enable_mime_decoding' is deprecated.\n", + *(_dpd.config_file), *(_dpd.config_line)); + if(!b64_option) + config->enable_mime_decoding = 1; + } + else if ( !strcasecmp(CONF_DISABLED, arg) ) + { + config->disabled = 1; + } else if ( !strcasecmp(CONF_XLINK2STATE, arg) ) { ret = ProcessXlink2State(config, errStr, errStrLen); } + else if ( !strcasecmp(CONF_LOG_FILENAME, arg) ) + { + config->log_filename = 1; + } + else if ( !strcasecmp(CONF_LOG_MAIL_FROM, arg) ) + { + config->log_mailfrom = 1; + } + else if ( !strcasecmp(CONF_LOG_RCPT_TO, arg) ) + { + config->log_rcptto = 1; + } + else if ( !strcasecmp(CONF_LOG_EMAIL_HDRS, arg) ) + { + config->log_email_hdrs = 1; + } + else if ( !strcasecmp(CONF_EMAIL_HDRS_LOG_DEPTH, arg) ) + { + ret = ProcessLogDepth(config, errStr, errStrLen); + } else if ( !strcasecmp(CONF_PRINT_CMDS, arg) ) { config->print_cmds = 1; } + else if ( !strcasecmp(CONF_B64_DECODE, arg) ) + { + b64_option = 1; + ret = ProcessDecodeDepth(config, errStr, errStrLen, CONF_B64_DECODE, DECODE_B64); + } + else if ( !strcasecmp(CONF_QP_DECODE, arg) ) + { + ret = ProcessDecodeDepth(config, errStr, errStrLen, CONF_QP_DECODE, DECODE_QP); + } + else if ( !strcasecmp(CONF_UU_DECODE, arg) ) + { + ret 
= ProcessDecodeDepth(config, errStr, errStrLen, CONF_UU_DECODE, DECODE_UU); + } + else if ( !strcasecmp(CONF_BITENC_DECODE, arg) ) + { + ret = ProcessDecodeDepth(config, errStr, errStrLen, CONF_BITENC_DECODE, DECODE_BITENC); + } else { - DynamicPreprocessorFatalMessage("%s(%d) => Unknown SMTP configuration option %s\n", + DynamicPreprocessorFatalMessage("%s(%d) => Unknown SMTP configuration option %s\n", *(_dpd.config_file), *(_dpd.config_line), arg); - } + } if (ret == -1) { @@ -243,12 +328,12 @@ */ if (*errStr) { - DynamicPreprocessorFatalMessage("%s(%d) => %s\n", + DynamicPreprocessorFatalMessage("%s(%d) => %s\n", *(_dpd.config_file), *(_dpd.config_line), errStr); } else { - DynamicPreprocessorFatalMessage("%s(%d) => Undefined Error.\n", + DynamicPreprocessorFatalMessage("%s(%d) => Undefined Error.\n", *(_dpd.config_file), *(_dpd.config_line)); } } 
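Review bot: The handling of the deprecated `max_mime_depth` option in the `@@ -221,20 +241,85 @@` hunk is order-dependent: when `b64_decode_depth` appears earlier on the same config line, `ProcessMaxMimeDepth` is skipped, and if that helper consumes the option's value token with `strtok` the way the other `Process*` helpers appear to, the value is seen by the next iteration as an unknown option and the parse dies with "Unknown SMTP configuration option" instead of the intended conflict message that is only reached after the loop. Calling the helper unconditionally — `ret = ProcessMaxMimeDepth(config, errStr, errStrLen);` without the `if(!b64_option)` guard — keeps the token stream in sync, and the conflict is still reported as fatal after the loop. The `if(!b64_option) config->enable_mime_decoding = 1;` branch can keep its guard because that option takes no value. `SMTP_ParseArgs` starts before and ends after this hunk.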
@@ -257,11 +342,211 @@ arg = strtok(NULL, CONF_SEPARATORS); } - PrintConfig(config); + if(!b64_option) + { + if(config->enable_mime_decoding) + config->b64_depth = config->max_mime_depth; + } + else if(deprecated_options) + { + DynamicPreprocessorFatalMessage("%s(%d) => Cannot specify 'enable_mime_decoding' or 'max_mime_depth' with " + "'b64_decode_depth'\n", + *(_dpd.config_file), *(_dpd.config_line), arg); + } + + if(!config->email_hdrs_log_depth) + { + if(config->log_email_hdrs) + { + _dpd.logMsg("WARNING: %s(%d) => 'log_email_hdrs' enabled with 'email_hdrs_log_depth' = 0." + "Email headers won't be logged. Please set 'email_hdrs_log_depth' > 0 to enable logging.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + config->log_email_hdrs = 0; + } + +} +int SMTP_IsDecodingEnabled(SMTPConfig *pPolicyConfig) +{ + if( (pPolicyConfig->b64_depth > -1) || (pPolicyConfig->qp_depth > -1) + || (pPolicyConfig->uu_depth > -1) || (pPolicyConfig->bitenc_depth > -1) ) + { + return 0; + } + else + return -1; + } -static void PrintConfig(SMTPConfig *config) +void SMTP_CheckConfig(SMTPConfig *pPolicyConfig, tSfPolicyUserContextId context) +{ + int max = -1; + SMTPConfig *defaultConfig = + (SMTPConfig *)sfPolicyUserDataGetDefault(context); + + if (pPolicyConfig == defaultConfig) + { + if (!pPolicyConfig->max_mime_mem) + pPolicyConfig->max_mime_mem = DEFAULT_MAX_MIME_MEM; + + if(!pPolicyConfig->b64_depth || !pPolicyConfig->qp_depth + || !pPolicyConfig->uu_depth || !pPolicyConfig->bitenc_depth) + { + pPolicyConfig->max_depth = MAX_DEPTH; + return; + } + else + { + if(max < pPolicyConfig->b64_depth) + max = pPolicyConfig->b64_depth; + + if(max < pPolicyConfig->qp_depth) + max = pPolicyConfig->qp_depth; + + if(max < pPolicyConfig->bitenc_depth) + max = pPolicyConfig->bitenc_depth; + + if(max < pPolicyConfig->uu_depth) + max = pPolicyConfig->uu_depth; + + pPolicyConfig->max_depth = max; + } + + + if (!pPolicyConfig->memcap) + pPolicyConfig->memcap = DEFAULT_SMTP_MEMCAP; + + 
if(pPolicyConfig->disabled && !pPolicyConfig->email_hdrs_log_depth) + pPolicyConfig->email_hdrs_log_depth = DEFAULT_LOG_DEPTH; + + } + else if (defaultConfig == NULL) + { + if (pPolicyConfig->max_mime_mem) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: max_mime_mem must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if (pPolicyConfig->b64_depth > -1) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: b64_decode_depth must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if (pPolicyConfig->qp_depth > -1) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: qp_decode_depth must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if (pPolicyConfig->uu_depth > -1) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: uu_decode_depth must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if (pPolicyConfig->bitenc_depth > -1) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: bitenc_decode_depth must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if (pPolicyConfig->memcap) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: memcap must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if(pPolicyConfig->log_email_hdrs && pPolicyConfig->email_hdrs_log_depth) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: email_hdrs_log_depth must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + } + else + { + pPolicyConfig->max_mime_mem = defaultConfig->max_mime_mem; + pPolicyConfig->max_depth = defaultConfig->max_depth; + pPolicyConfig->memcap = defaultConfig->memcap; + pPolicyConfig->email_hdrs_log_depth = defaultConfig->email_hdrs_log_depth; + if(pPolicyConfig->disabled) + { + pPolicyConfig->b64_depth = 
defaultConfig->b64_depth; + pPolicyConfig->qp_depth = defaultConfig->qp_depth; + pPolicyConfig->uu_depth = defaultConfig->uu_depth; + pPolicyConfig->bitenc_depth = defaultConfig->bitenc_depth; + return; + } + if(!pPolicyConfig->b64_depth && defaultConfig->b64_depth) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: Cannot enable unlimited Base64 decoding" + " in non-default config without turning on unlimited Base64 decoding in the default " + " config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + else if(defaultConfig->b64_depth && (pPolicyConfig->b64_depth > defaultConfig->b64_depth)) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: b64_decode_depth value %d in non-default config" + " cannot exceed default config's value %d.\n", + *(_dpd.config_file), *(_dpd.config_line), pPolicyConfig->b64_depth, defaultConfig->b64_depth); + } + + if(!pPolicyConfig->qp_depth && defaultConfig->qp_depth) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: Cannot enable unlimited Quoted-Printable decoding" + " in non-default config without turning on unlimited Quoted-Printable decoding in the default " + " config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + else if(defaultConfig->qp_depth && (pPolicyConfig->qp_depth > defaultConfig->qp_depth)) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: qp_decode_depth value %d in non-default config" + " cannot exceed default config's value %d.\n", + *(_dpd.config_file), *(_dpd.config_line), pPolicyConfig->qp_depth, defaultConfig->qp_depth); + } + + if(!pPolicyConfig->uu_depth && defaultConfig->uu_depth ) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: Cannot enable unlimited Unix-to-Unix decoding" + " in non-default config without turning on unlimited Unix-to-Unix decoding in the default " + " config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + else if(defaultConfig->uu_depth && (pPolicyConfig->uu_depth > defaultConfig->uu_depth)) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: 
uu_decode_depth value %d in non-default config" + " cannot exceed default config's value %d.\n", + *(_dpd.config_file), *(_dpd.config_line), pPolicyConfig->uu_depth, defaultConfig->uu_depth); + } + + if(!pPolicyConfig->bitenc_depth && defaultConfig->bitenc_depth) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: Cannot enable unlimited 7bit/8bit/binary extraction" + " in non-default config without turning on unlimited 7bit/8bit/binary extraction in the default " + " config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + else if(defaultConfig->bitenc_depth && (pPolicyConfig->bitenc_depth > defaultConfig->bitenc_depth)) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: bitenc_decode_depth value %d in non-default config " + " cannot exceed default config's value.\n", + *(_dpd.config_file), *(_dpd.config_line), pPolicyConfig->bitenc_depth, defaultConfig->bitenc_depth); + } + + } +} + +void SMTP_PrintConfig(SMTPConfig *config) { int i; const SMTPToken *cmd; @@ -273,7 +558,12 @@ memset(&buf[0], 0, sizeof(buf)); _dpd.logMsg("SMTP Config:\n"); - + + if(config->disabled) + { + _dpd.logMsg(" SMTP: INACTIVE\n"); + } + snprintf(buf, sizeof(buf) - 1, " Ports: "); for (i = 0; i < 65536; i++) @@ -314,15 +604,15 @@ { _dpd.printfappend(buf, sizeof(buf) - 1, "cmds"); } - + break; } _dpd.logMsg("%s\n", buf); - _dpd.logMsg(" Ignore Data: %s\n", + _dpd.logMsg(" Ignore Data: %s\n", config->ignore_data ? "Yes" : "No"); - _dpd.logMsg(" Ignore TLS Data: %s\n", + _dpd.logMsg(" Ignore TLS Data: %s\n", config->ignore_tls_data ? "Yes" : "No"); _dpd.logMsg(" Ignore SMTP Alerts: %s\n", config->no_alerts ? "Yes" : "No"); @@ -386,7 +676,7 @@ else _dpd.logMsg("%s%d\n", buf, config->max_response_line_len); } - + _dpd.logMsg(" X-Link2State Alert: %s\n", config->alert_xlink2state ? "Yes" : "No"); if (config->alert_xlink2state) 
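Review bot: In SMTP_CheckConfig's default-config branch the `return;` taken when any decode depth is 0 (unlimited) skips the two defaults below it, so a default policy that enables unlimited decoding for one encoding but does not set `memcap` keeps `memcap == 0` (and `email_hdrs_log_depth` stays 0 when `disabled` is set), and every non-default policy then inherits those zeros through `pPolicyConfig->memcap = defaultConfig->memcap`. What a zero memcap means at runtime is not visible here, but the bounded-depth path does receive `DEFAULT_SMTP_MEMCAP`, so the two paths should agree: replace the early `return;` with plain fall-through (`pPolicyConfig->max_depth = MAX_DEPTH;` in the if-branch, the `max` computation in the else-branch, then the memcap/log-depth defaults for both). Separately, `SMTP_IsDecodingEnabled` returns 0 when a decoder is enabled and -1 otherwise, which reads inverted for an `Is...` predicate; a comment `/* Returns 0 if any decoder depth is > -1 (decoding on), -1 if all are disabled. */` above it would stop a future `if (SMTP_IsDecodingEnabled(cfg))` misuse. SMTP_PrintConfig continues past this hunk.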
@@ -398,7 +688,7 @@ if (config->print_cmds && !config->no_alerts) { int alert_count = 0; - + snprintf(buf, sizeof(buf) - 1, " Alert on commands: "); for (cmd = config->cmds; cmd->name != NULL; cmd++) 
@@ -419,6 +709,96 @@ _dpd.logMsg("%s\n", buf); } } + _dpd.logMsg(" Alert on unknown commands: %s\n", + config->alert_unknown_cmds ? "Yes" : "No"); + + _dpd.logMsg(" SMTP Memcap: %u\n", + config->memcap); + + _dpd.logMsg(" MIME Max Mem: %d\n", + config->max_mime_mem); + + if(config->b64_depth > -1) + { + _dpd.logMsg(" Base64 Decoding: %s\n", "Enabled"); + switch(config->b64_depth) + { + case 0: + _dpd.logMsg(" Base64 Decoding Depth: %s\n", "Unlimited"); + break; + default: + _dpd.logMsg(" Base64 Decoding Depth: %d\n", config->b64_depth); + break; + } + } + else + _dpd.logMsg(" Base64 Decoding: %s\n", "Disabled"); + + if(config->qp_depth > -1) + { + _dpd.logMsg(" Quoted-Printable Decoding: %s\n","Enabled"); + switch(config->qp_depth) + { + case 0: + _dpd.logMsg(" Quoted-Printable Decoding Depth: %s\n", "Unlimited"); + break; + default: + _dpd.logMsg(" Quoted-Printable Decoding Depth: %d\n", config->qp_depth); + break; + } + } + else + _dpd.logMsg(" Quoted-Printable Decoding: %s\n", "Disabled"); + + if(config->uu_depth > -1) + { + _dpd.logMsg(" Unix-to-Unix Decoding: %s\n","Enabled"); + switch(config->uu_depth) + { + case 0: + _dpd.logMsg(" Unix-to-Unix Decoding Depth: %s\n", "Unlimited"); + break; + default: + _dpd.logMsg(" Unix-to-Unix Decoding Depth: %d\n", config->uu_depth); + break; + } + } + else + _dpd.logMsg(" Unix-to-Unix Decoding: %s\n", "Disabled"); + + if(config->bitenc_depth > -1) + { + _dpd.logMsg(" 7bit/8bit/binary Extraction: %s\n","Enabled"); + switch(config->bitenc_depth) + { + case 0: + _dpd.logMsg(" 7bit/8bit/binary Extraction Depth: %s\n", "Unlimited"); + break; + default: + _dpd.logMsg(" 7bit/8bit/binary Extraction Depth: %d\n", config->bitenc_depth); + break; + } + } + else + _dpd.logMsg(" 7bit/8bit/binary Extraction: %s\n", "Disabled"); + + _dpd.logMsg(" Log Attachment filename: %s\n", + config->log_filename ? "Enabled" : "Not Enabled"); + + _dpd.logMsg(" Log MAIL FROM Address: %s\n", + config->log_mailfrom ? 
"Enabled" : "Not Enabled"); + + _dpd.logMsg(" Log RCPT TO Addresses: %s\n", + config->log_rcptto ? "Enabled" : "Not Enabled"); + + _dpd.logMsg(" Log Email Headers: %s\n", + config->log_email_hdrs ? "Enabled" : "Not Enabled"); + + if(config->log_email_hdrs) + { + _dpd.logMsg(" Email Hdrs Log Depth: %u\n", + config->email_hdrs_log_depth); + } } /* @@ -428,13 +808,13 @@ /** ** Process the port list. ** -** This configuration is a list of valid ports and is ended by a +** This configuration is a list of valid ports and is ended by a ** delimiter. ** ** @param ErrorString error string buffer ** @param ErrStrLen the length of the error string buffer ** -** @return an error code integer +** @return an error code integer ** (0 = success, >0 = non-fatal error, <0 = fatal error) ** ** @retval 0 successs @@ -447,6 +827,7 @@ char *pcEnd; int iPort; int iEndPorts = 0; + int num_ports = 0; if (config == NULL) { @@ -504,6 +885,7 @@ } config->ports[iPort / 8] |= (1 << (iPort % 8)); + num_ports++; } if(!iEndPorts) @@ -514,6 +896,12 @@ return -1; } + else if(!num_ports) + { + snprintf(ErrorString, ErrStrLen, + "SMTP: Empty port list not allowed."); + return -1; + } return 0; } @@ -525,13 +913,13 @@ /** ** Process the command list. ** -** This configuration is a list of valid ports and is ended by a +** This configuration is a list of valid ports and is ended by a ** delimiter. ** ** @param ErrorString error string buffer ** @param ErrStrLen the length of the error string buffer ** -** @return an error code integer +** @return an error code integer ** (0 = success, >0 = non-fatal error, <0 = fatal error) ** ** @retval 0 successs @@ -548,7 +936,7 @@ snprintf(ErrorString, ErrStrLen, "SMTP config is NULL.\n"); return -1; } - + pcToken = strtok(NULL, CONF_SEPARATORS); if (!pcToken) { @@ -564,7 +952,7 @@ return -1; } - + while ((pcToken = strtok(NULL, CONF_SEPARATORS)) != NULL) { if (strcmp(CONF_END_LIST, pcToken) == 0) 
@@ -615,7 +1003,7 @@ return cmd->search_id; } } - + return AddCmd(config, name); } @@ -640,7 +1028,7 @@ if (cmds == NULL) { DynamicPreprocessorFatalMessage("%s(%d) => Failed to allocate memory for SMTP " - "command structure\n", + "command structure\n", *(_dpd.config_file), *(_dpd.config_line)); } @@ -649,7 +1037,7 @@ if (cmd_search == NULL) { DynamicPreprocessorFatalMessage("%s(%d) => Failed to allocate memory for SMTP " - "command structure\n", + "command structure\n", *(_dpd.config_file), *(_dpd.config_line)); } @@ -657,7 +1045,7 @@ if (cmd_config == NULL) { DynamicPreprocessorFatalMessage("%s(%d) => Failed to allocate memory for SMTP " - "command structure\n", + "command structure\n", *(_dpd.config_file), *(_dpd.config_line)); } @@ -668,7 +1056,7 @@ if (ret != SAFEMEM_SUCCESS) { - DynamicPreprocessorFatalMessage("%s(%d) => Failed to memory copy SMTP command structure\n", + DynamicPreprocessorFatalMessage("%s(%d) => Failed to memory copy SMTP command structure\n", *(_dpd.config_file), *(_dpd.config_line)); } @@ -677,7 +1065,7 @@ if (ret != SAFEMEM_SUCCESS) { - DynamicPreprocessorFatalMessage("%s(%d) => Failed to memory copy SMTP command structure\n", + DynamicPreprocessorFatalMessage("%s(%d) => Failed to memory copy SMTP command structure\n", *(_dpd.config_file), *(_dpd.config_line)); } @@ -692,7 +1080,7 @@ if (tmp_cmds->name == NULL) { DynamicPreprocessorFatalMessage("%s(%d) => Failed to allocate memory for SMTP " - "command structure\n", + "command structure\n", *(_dpd.config_file), *(_dpd.config_line)); } 
@@ -714,6 +1102,255 @@ return (config->num_cmds - 1); } +static int ProcessMaxMimeMem(SMTPConfig *config, char *ErrorString, int ErrStrLen) +{ + char *endptr; + char *value; + int max_mime_mem = 0; + if (config == NULL) + { + snprintf(ErrorString, ErrStrLen, "SMTP config is NULL.\n"); + return -1; + } + + value = strtok(NULL, CONF_SEPARATORS); + if ( value == NULL ) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for max_mime_mem."); + return -1; + } + max_mime_mem = strtol(value, &endptr, 10); + + if(*endptr) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for max_mime_mem."); + return -1; + } + + if (max_mime_mem < MIN_MIME_MEM || max_mime_mem > MAX_MIME_MEM) + { + snprintf(ErrorString, ErrStrLen, + "Invalid value for max_mime_mem." + "It should range between %d and %d.", + MIN_MIME_MEM, MAX_MIME_MEM); + return -1; + } + + config->max_mime_mem = max_mime_mem; + return 0; +} + + +static int ProcessSmtpMemcap(SMTPConfig *config, char *ErrorString, int ErrStrLen) +{ + char *endptr; + char *value; + uint32_t smtp_memcap = 0; + if (config == NULL) + { + snprintf(ErrorString, ErrStrLen, "SMTP config is NULL.\n"); + return -1; + } + + value = strtok(NULL, CONF_SEPARATORS); + if ( value == NULL ) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for memcap."); + return -1; + } + smtp_memcap = strtoul(value, &endptr, 10); + + if((value[0] == '-') || (*endptr != '\0')) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for memcap."); + return -1; + } + + if (smtp_memcap < MIN_SMTP_MEMCAP || smtp_memcap > MAX_SMTP_MEMCAP) + { + snprintf(ErrorString, ErrStrLen, + "Invalid value for memcap." 
+ "It should range between %d and %d.", + MIN_SMTP_MEMCAP, MAX_SMTP_MEMCAP); + return -1; + } + + config->memcap = smtp_memcap; + return 0; +} + + +static int ProcessMaxMimeDepth(SMTPConfig *config, char *ErrorString, int ErrStrLen) +{ + char *endptr; + char *value; + int max_mime_depth = 0; + if (config == NULL) + { + snprintf(ErrorString, ErrStrLen, "SMTP config is NULL.\n"); + return -1; + } + + value = strtok(NULL, CONF_SEPARATORS); + if ( value == NULL ) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for max_mime_depth."); + return -1; + } + max_mime_depth = strtol(value, &endptr, 10); + + if(*endptr) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for max_mime_depth."); + return -1; + } + + if (max_mime_depth < MIN_MIME_DEPTH || max_mime_depth > MAX_MIME_DEPTH) + { + snprintf(ErrorString, ErrStrLen, + "Invalid value for max_mime_depth." + "It should range between %d and %d.", + MIN_MIME_DEPTH, MAX_MIME_DEPTH); + return -1; + } + if(max_mime_depth & 3) + { + max_mime_depth += 4 - (max_mime_depth & 3); + _dpd.logMsg("WARNING: %s(%d) => SMTP: 'max_mime_depth' is not a multiple of 4. " + "Rounding up to the next multiple of 4. 
The new 'max_mime_depth' is %d.\n", + *(_dpd.config_file), *(_dpd.config_line), max_mime_depth); + + } + + config->max_mime_depth = max_mime_depth; + return 0; +} + +static int ProcessLogDepth(SMTPConfig *config, char *ErrorString, int ErrStrLen) +{ + char *endptr; + char *value; + uint32_t log_depth = 0; + if (config == NULL) + { + snprintf(ErrorString, ErrStrLen, "SMTP config is NULL.\n"); + return -1; + } + + value = strtok(NULL, CONF_SEPARATORS); + if ( value == NULL ) + { + snprintf(ErrorString, ErrStrLen, + "Missing value for email_hdrs_log_depth."); + return -1; + } + log_depth = strtoul(value, &endptr, 10); + + if((value[0] == '-') || (*endptr != '\0')) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format '%s' for email_hdrs_log_depth.", + value); + return -1; + } + + if(log_depth && log_depth < MIN_LOG_DEPTH) + { + snprintf(ErrorString, ErrStrLen, + "Invalid value for email_hdrs_log_depth." + "It should range between %d and %d.", + MIN_LOG_DEPTH, MAX_LOG_DEPTH); + return -1; + } + else if (log_depth > MAX_LOG_DEPTH) + { + _dpd.logMsg("WARNING: %s(%d) => Invalid value for email_hdrs_log_depth. " + "It should range between %d and %d. 
The email_hdrs_log_depth " + "will be reduced to the max value.\n", *(_dpd.config_file), *(_dpd.config_line), + MIN_LOG_DEPTH, MAX_LOG_DEPTH); + + log_depth = MAX_LOG_DEPTH; + } + + + config->email_hdrs_log_depth = log_depth; + return 0; +} + +static int ProcessDecodeDepth(SMTPConfig *config, char *ErrorString, int ErrStrLen, char *decode_type, DecodeType type) +{ + char *endptr; + char *value; + int decode_depth = 0; + if (config == NULL) + { + snprintf(ErrorString, ErrStrLen, "SMTP config is NULL.\n"); + return -1; + } + + value = strtok(NULL, CONF_SEPARATORS); + if ( value == NULL ) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for SMTP config option '%s'.", decode_type); + return -1; + } + decode_depth = strtol(value, &endptr, 10); + + if(*endptr) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for SMTP config option '%s'.", decode_type); + return -1; + } + if(decode_depth < MIN_DEPTH || decode_depth > MAX_DEPTH) + { + snprintf(ErrorString, ErrStrLen, + "Invalid value for SMTP config option '%s'." + "It should range between %d and %d.", + decode_type, MIN_DEPTH, MAX_DEPTH); + return -1; + } + + switch(type) + { + case DECODE_B64: + if((decode_depth > 0) && (decode_depth & 3)) + { + decode_depth += 4 - (decode_depth & 3); + if(decode_depth > MAX_DEPTH ) + { + decode_depth = decode_depth - 4; + } + _dpd.logMsg("WARNING: %s(%d) => SMTP: 'b64_decode_depth' is not a multiple of 4. " + "Rounding up to the next multiple of 4. The new 'b64_decode_depth' is %d.\n", + *(_dpd.config_file), *(_dpd.config_line), decode_depth); + } + config->b64_depth = decode_depth; + break; + case DECODE_QP: + config->qp_depth = decode_depth; + break; + case DECODE_UU: + config->uu_depth = decode_depth; + break; + case DECODE_BITENC: + config->bitenc_depth = decode_depth; + break; + default: + return -1; + } + + return 0; +} + + /* ** NAME 
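Review bot: ProcessMaxMimeMem assigns the `long` returned by `strtol` into `int max_mime_mem` before the range check, so on an LP64 host a value such as 4294970572 narrows (wrapping, on GCC) to 3276 and is accepted as valid; ProcessMaxMimeDepth and ProcessDecodeDepth do the same with `int`, and ProcessSmtpMemcap/ProcessLogDepth narrow `strtoul`'s `unsigned long` into `uint32_t` the same way. Keep the parsed value at full width until it has been range-checked, e.g. `long v = strtol(value, &endptr, 10);` / `if (*endptr || v < MIN_MIME_MEM || v > MAX_MIME_MEM) { snprintf(...); return -1; }` / `config->max_mime_mem = (int)v;`, and likewise with `unsigned long` in the two unsigned parsers. An explicit `errno == ERANGE` check is optional here because LONG_MAX/ULONG_MAX already exceed every configured maximum and fall to the same rejection. The five helpers are complete within the hunk; the AddCmd tail at its top is not.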
@@ -726,7 +1363,7 @@ ** @param ErrorString error string buffer ** @param ErrStrLen the length of the error string buffer ** -** @return an error code integer +** @return an error code integer ** (0 = success, >0 = non-fatal error, <0 = fatal error) ** ** @retval 0 successs @@ -746,7 +1383,7 @@ snprintf(ErrorString, ErrStrLen, "SMTP config is NULL.\n"); return -1; } - + /* Find number */ pcLen = strtok(NULL, CONF_SEPARATORS); if (!pcLen) @@ -765,7 +1402,7 @@ return -1; } - + cmd_len = strtoul(pcLen, &pcLenEnd, 10); if (pcLenEnd == pcLen) { @@ -783,7 +1420,7 @@ return -1; } - + while ((pcToken = strtok(NULL, CONF_SEPARATORS)) != NULL) { if (strcmp(CONF_END_LIST, pcToken) == 0) @@ -791,7 +1428,7 @@ iEndCmds = 1; break; } - + id = GetCmdId(config, pcToken); config->cmd_config[id].max_line_len = cmd_len; @@ -801,7 +1438,7 @@ { snprintf(ErrorString, ErrStrLen, "Must end alt_max_command_line_len configuration with '%s'.", CONF_END_LIST); - + return -1; } @@ -820,7 +1457,7 @@ ** @param ErrorString error string buffer ** @param ErrStrLen the length of the error string buffer ** -** @return an error code integer +** @return an error code integer ** (0 = success, >0 = non-fatal error, <0 = fatal error) ** ** @retval 0 successs @@ -854,7 +1491,7 @@ return -1; } - + while ((pcToken = strtok(NULL, CONF_SEPARATORS)) != NULL) { if(!strcmp(CONF_END_LIST, pcToken)) @@ -882,19 +1519,7 @@ return -1; } - - if (_dpd.inlineMode()) - { - config->drop_xlink2state = 1; - } - else - { - snprintf(ErrorString, ErrStrLen, - "Cannot use 'drop' keyword in X-LINK2STATE config " - "if Snort is not in inline mode."); - - return -1; - } + config->drop_xlink2state = 1; } } diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/smtp/smtp_config.h snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_config.h --- snort-2.8.5.2/src/dynamic-preprocessors/smtp/smtp_config.h 2009-05-06 22:29:05.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_config.h 2011-10-26 18:28:52.000000000 +0000 
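Review bot: The removed `_dpd.inlineMode()` check in ProcessXlink2State was the only place the `drop` keyword was tied to an inline deployment; after this hunk `config->drop_xlink2state = 1` is set unconditionally, so a passive sensor silently accepts `drop` and the operator gets no indication that the verdict cannot be enforced. If the 2.9 core now resolves drop-vs-alert per policy at verdict time (not visible in this diff) the removal is fine; otherwise a non-fatal `_dpd.logMsg("WARNING: %s(%d) => 'drop' in X-LINK2STATE config has no effect unless Snort is inline.\n", ...)` guarded by `!_dpd.inlineMode()` (if that callback is still in the 2.9 DPD table) would keep the old diagnostic without the old fatal error. ProcessXlink2State starts before this hunk.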
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -31,6 +31,7 @@ #ifndef __SMTP_CONFIG_H__ #define __SMTP_CONFIG_H__ +#include "sfPolicyUserData.h" #define CONF_SEPARATORS " \t\n\r" #define CONF_PORTS "ports" #define CONF_INSPECTION_TYPE "inspection_type" @@ -42,6 +43,20 @@ #define CONF_MAX_HEADER_LINE_LEN "max_header_line_len" #define CONF_MAX_RESPONSE_LINE_LEN "max_response_line_len" #define CONF_ALT_MAX_COMMAND_LINE_LEN "alt_max_command_line_len" +#define CONF_MAX_MIME_MEM "max_mime_mem" +#define CONF_MAX_MIME_DEPTH "max_mime_depth" +#define CONF_ENABLE_MIME_DECODING "enable_mime_decoding" +#define CONF_B64_DECODE "b64_decode_depth" +#define CONF_QP_DECODE "qp_decode_depth" +#define CONF_BITENC_DECODE "bitenc_decode_depth" +#define CONF_UU_DECODE "uu_decode_depth" +#define CONF_LOG_FILENAME "log_filename" +#define CONF_LOG_MAIL_FROM "log_mailfrom" +#define CONF_LOG_RCPT_TO "log_rcptto" +#define CONF_LOG_EMAIL_HDRS "log_email_hdrs" +#define CONF_SMTP_MEMCAP "memcap" +#define CONF_EMAIL_HDRS_LOG_DEPTH "email_hdrs_log_depth" +#define CONF_DISABLED "disabled" #define CONF_NO_ALERTS "no_alerts" #define CONF_VALID_CMDS "valid_cmds" #define CONF_INVALID_CMDS "invalid_cmds" 
@@ -72,9 +87,26 @@ #define DEFAULT_MAX_HEADER_LINE_LEN 0 #define DEFAULT_MAX_RESPONSE_LINE_LEN 0 +/*These are temporary values*/ +#define MAX_DEPTH 65535 +#define MIN_DEPTH -1 +#define DEFAULT_MAX_MIME_MEM 838860 +#define DEFAULT_MAX_MIME_DEPTH 1460 +#define DEFAULT_SMTP_MEMCAP 838860 +#define DEFAULT_LOG_DEPTH 1464 +#define MAX_MIME_MEM 104857600 +#define MIN_MIME_MEM 3276 +#define MAX_MIME_DEPTH 20480 +#define MIN_MIME_DEPTH 4 +#define MAX_SMTP_MEMCAP 104857600 +#define MIN_SMTP_MEMCAP 3276 +#define MAX_LOG_DEPTH 20480 +#define MIN_LOG_DEPTH 1 #define SMTP_DEFAULT_SERVER_PORT 25 /* SMTP normally runs on port 25 */ #define SMTP_DEFAULT_SUBMISSION_PORT 587 /* SMTP Submission port - see RFC 2476 */ #define XLINK2STATE_DEFAULT_PORT 691 /* XLINK2STATE sometimes runs on port 691 */ +#define MAX_FILE 1024 +#define MAX_EMAIL 1024 #define ERRSTRLEN 512 
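Review bot: The new limits are introduced under `/*These are temporary values*/`, which says nothing about the two sentinel depth values the rest of this diff depends on: in SMTP_CheckConfig and SMTP_PrintConfig a depth of -1 means the decoder is off, 0 means unlimited, and 1..MAX_DEPTH is a byte limit (with the Base64 depth rounded up to a multiple of 4 in ProcessDecodeDepth). Replace the comment with `/* Decode depths: -1 = decoder disabled, 0 = unlimited, 1..MAX_DEPTH = bytes (b64 rounded up to a multiple of 4) */` and add `/* memcap and max_mime_mem are in bytes; accepted range is MIN_..MAX_ */` above the memory limits. If the values genuinely are placeholders, say what they are waiting on; otherwise drop "temporary" so the next reader does not treat them as unreviewed.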
@@ -115,19 +147,43 @@ char alert_unknown_cmds; char alert_xlink2state; char drop_xlink2state; - char print_cmds; + char print_cmds; + char enable_mime_decoding; + char log_mailfrom; + char log_rcptto; + char log_filename; + char log_email_hdrs; + uint32_t email_hdrs_log_depth; + uint32_t memcap; + int max_mime_mem; + int max_mime_depth; + int max_depth; + int b64_depth; + int qp_depth; + int bitenc_depth; + int uu_depth; + SMTPToken *cmds; SMTPCmdConfig *cmd_config; SMTPSearch *cmd_search; void *cmd_search_mpse; int num_cmds; + int disabled; int ref_count; + uint32_t xtra_filename_id; + uint32_t xtra_mfrom_id; + uint32_t xtra_rcptto_id; + uint32_t xtra_ehdrs_id; } SMTPConfig; /* Function prototypes */ void SMTP_ParseArgs(SMTPConfig *, char *); +void SMTP_PrintConfig(SMTPConfig *config); + +void SMTP_CheckConfig(SMTPConfig *, tSfPolicyUserContextId); +int SMTP_IsDecodingEnabled(SMTPConfig *pPolicyConfig); #endif diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/smtp/smtp_log.c snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_log.c --- snort-2.8.5.2/src/dynamic-preprocessors/smtp/smtp_log.c 2009-05-06 22:29:05.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_log.c 2011-10-26 18:28:52.000000000 +0000 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,8 +18,8 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - -/************************************************************************** + +/************************************************************************** * * smtp_log.c * 
@@ -39,14 +39,18 @@ #include #include -#include "debug.h" +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "snort_debug.h" #include "smtp_config.h" #include "smtp_log.h" #include "snort_smtp.h" #include "sf_dynamic_preprocessor.h" extern SMTPConfig *smtp_eval_config; -extern DynamicPreprocessorData _dpd; extern SMTP *smtp_ssn; char smtp_event[SMTP_EVENT_MAX][EVENT_STR_LEN]; @@ -59,7 +63,7 @@ /* Only log a specific alert once per session */ if (smtp_ssn->alert_mask & (1 << event)) { -#ifdef DEBUG +#ifdef DEBUG_MSGS DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Already alerted on: %s - " "ignoring event.\n", smtp_event[event]);); #endif @@ -72,7 +76,7 @@ if (smtp_eval_config->no_alerts) { -#ifdef DEBUG +#ifdef DEBUG_MSGS va_start(ap, format); smtp_event[event][0] = '\0'; @@ -100,3 +104,25 @@ va_end(ap); } +void SMTP_DecodeAlert(void) +{ + switch( smtp_ssn->decode_state->decode_type ) + { + case DECODE_B64: + SMTP_GenerateAlert(SMTP_B64_DECODING_FAILED, "%s", SMTP_B64_DECODING_FAILED_STR); + break; + case DECODE_QP: + SMTP_GenerateAlert(SMTP_QP_DECODING_FAILED, "%s", SMTP_QP_DECODING_FAILED_STR); + break; + case DECODE_UU: + SMTP_GenerateAlert(SMTP_UU_DECODING_FAILED, "%s", SMTP_UU_DECODING_FAILED_STR); + break; + case DECODE_BITENC: + SMTP_GenerateAlert(SMTP_BITENC_DECODING_FAILED, "%s", SMTP_BITENC_DECODING_FAILED_STR); + break; + + default: + break; + } +} + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/smtp/smtp_log.h snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_log.h --- snort-2.8.5.2/src/dynamic-preprocessors/smtp/smtp_log.h 2009-08-10 20:41:49.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_log.h 2011-10-26 18:28:52.000000000 +0000 
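Review bot: SMTP_DecodeAlert dereferences `smtp_ssn->decode_state->decode_type` with no check that either pointer is set; SMTP_GenerateAlert just above already reads `smtp_ssn->alert_mask`, so callers presumably guarantee a session, but nothing visible here guarantees `decode_state`, and the config in this same diff allows every decoder to be off (all depths -1), in which case a decode state may never exist. A one-line guard `if (smtp_ssn == NULL || smtp_ssn->decode_state == NULL) return;` at the top keeps an alert path from turning into a NULL dereference, and a header comment `/* Raise the "decoding failed" event matching the session's current decoder; unknown decode types are ignored. */` documents the contract, including the silent `default:` case.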
@@ -1,6 +1,6 @@ /**************************************************************************** - * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -42,8 +42,13 @@ #define SMTP_ILLEGAL_CMD 6 #define SMTP_HEADER_NAME_OVERFLOW 7 #define SMTP_XLINK2STATE_OVERFLOW 8 +#define SMTP_DECODE_MEMCAP_EXCEEDED 9 +#define SMTP_B64_DECODING_FAILED 10 +#define SMTP_QP_DECODING_FAILED 11 +#define SMTP_BITENC_DECODING_FAILED 12 +#define SMTP_UU_DECODING_FAILED 13 -#define SMTP_EVENT_MAX 9 +#define SMTP_EVENT_MAX 14 /* Messages for each event */ #define SMTP_COMMAND_OVERFLOW_STR "(smtp) Attempted command buffer overflow" @@ -54,13 +59,19 @@ #define SMTP_ILLEGAL_CMD_STR "(smtp) Illegal command" #define SMTP_HEADER_NAME_OVERFLOW_STR "(smtp) Attempted header name buffer overflow" #define SMTP_XLINK2STATE_OVERFLOW_STR "(smtp) Attempted X-Link2State command buffer overflow" +#define SMTP_DECODE_MEMCAP_EXCEEDED_STR "(smtp) No memory available for decoding. Max Mime Mem exceeded" +#define SMTP_B64_DECODING_FAILED_STR "(smtp) Base64 Decoding failed." +#define SMTP_QP_DECODING_FAILED_STR "(smtp) Quoted-Printable Decoding failed." +#define SMTP_BITENC_DECODING_FAILED_STR "(smtp) 7bit/8bit/binary/text Extraction failed." +#define SMTP_UU_DECODING_FAILED_STR "(smtp) Unix-to-Unix Decoding failed." #define EVENT_STR_LEN 256 /* Function prototypes */ void SMTP_GenerateAlert(int, char *, ...); - +void SMTP_Decode( void ); +void SMTP_DecodeAlert(void); #endif diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/smtp/smtp_normalize.c snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_normalize.c --- snort-2.8.5.2/src/dynamic-preprocessors/smtp/smtp_normalize.c 2009-05-06 22:29:06.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_normalize.c 2011-10-26 18:28:52.000000000 +0000 
@@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Andy Mullican * @@ -34,25 +34,28 @@ #include +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "snort_smtp.h" #include "smtp_util.h" -#include "bounds.h" +#include "snort_bounds.h" #include "sf_dynamic_preprocessor.h" #include "sf_snort_packet.h" extern SMTP *smtp_ssn; -extern DynamicPreprocessorData _dpd; extern char smtp_normalizing; - /* * SMTP_NormalizeCmd - * + * * If command doesn't need normalizing it will do nothing, except in * the case where we are already normalizing in which case the line * will get copied to the alt buffer. - * If the command needs normalizing the normalized data will be copied - * to the alt buffer. If we are not already normalizing, all of the + * If the command needs normalizing the normalized data will be copied + * to the alt buffer. If we are not already normalizing, all of the * data up to this point will be copied into the alt buffer first. * * XXX This may copy unwanted data if we are ignoring the data in the diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/smtp/smtp_normalize.h snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_normalize.h --- snort-2.8.5.2/src/dynamic-preprocessors/smtp/smtp_normalize.h 2009-05-06 22:29:06.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_normalize.h 2011-02-09 23:23:24.000000000 +0000 
@@ -17,7 +17,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Andy Mullican * diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/smtp/smtp_util.c snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_util.c --- snort-2.8.5.2/src/dynamic-preprocessors/smtp/smtp_util.c 2009-05-06 22:29:06.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_util.c 2011-11-21 20:15:24.000000000 +0000 @@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Andy Mullican * @@ -39,15 +39,19 @@ #include #include -#include "debug.h" -#include "bounds.h" +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "snort_debug.h" +#include "snort_bounds.h" #include "snort_smtp.h" #include "smtp_util.h" #include "sf_dynamic_preprocessor.h" #include "sf_snort_packet.h" -extern DynamicPreprocessorData _dpd; extern SMTP *smtp_ssn; extern char smtp_normalizing; @@ -57,7 +61,7 @@ const uint8_t *tmp_eol; const uint8_t *tmp_eolm; - /* XXX maybe should fatal error here since none of these + /* XXX maybe should fatal error here since none of these * pointers should be NULL */ if (ptr == NULL || end == NULL || eol == NULL || eolm == NULL) return; @@ -70,7 +74,7 @@ } else { - /* end of line marker (eolm) should point to marker and + /* end of line marker (eolm) should point to marker and * end of line (eol) should point to end of marker */ if ((tmp_eol > ptr) && (*(tmp_eol - 1) == '\r')) { 
@@ -98,25 +102,133 @@ /* if we make a call to this it means we want to use the alt buffer * regardless of whether we copy any data into it or not - barring a failure */ - p->flags |= FLAG_ALT_DECODE; smtp_normalizing = 1; /* if start and end the same, nothing to copy */ if (length == 0) return 0; - alt_buf = &_dpd.altBuffer[0]; - alt_size = _dpd.altBufferLen; - alt_len = &p->normalized_payload_size; + alt_buf = _dpd.altBuffer->data; + alt_size = sizeof(_dpd.altBuffer->data); + alt_len = &_dpd.altBuffer->len; ret = SafeMemcpy(alt_buf + *alt_len, start, length, alt_buf, alt_buf + alt_size); if (ret != SAFEMEM_SUCCESS) { - p->flags &= ~FLAG_ALT_DECODE; + _dpd.DetectFlag_Disable(SF_FLAG_ALT_DECODE); smtp_normalizing = 0; - *alt_len = 0; + return -1; + } + *alt_len += length; + + _dpd.SetAltDecode(*alt_len); + return 0; +} +/* Accumulate EOL seperated headers, one or more at a time */ +int SMTP_CopyEmailHdrs(const uint8_t *start, int length) +{ + int log_avail = 0; + uint8_t *log_buf; + uint32_t *hdrs_logged; + int ret = 0; + + if ((smtp_ssn->log_state == NULL) || (length <= 0)) + return -1; + + + log_avail = (smtp_ssn->log_state->log_depth - smtp_ssn->log_state->hdrs_logged); + hdrs_logged = &(smtp_ssn->log_state->hdrs_logged); + log_buf = (uint8_t *)smtp_ssn->log_state->emailHdrs; + + if(log_avail <= 0) + { + return -1; + } + + if(length > log_avail ) + { + length = log_avail; + } + + /* appended by the EOL \r\n */ + + ret = SafeMemcpy(log_buf + *hdrs_logged, start, length, log_buf, log_buf+(smtp_ssn->log_state->log_depth)); + + if (ret != SAFEMEM_SUCCESS) + { + return -1; + } + + *hdrs_logged += length; + smtp_ssn->log_flags |= SMTP_FLAG_EMAIL_HDRS_PRESENT; + + return 0; +} + +/* Accumulate email addresses from RCPT TO and/or MAIL FROM commands. 
Email addresses are separated by comma */ +int SMTP_CopyEmailID(const uint8_t *start, int length, int command_type) +{ + uint8_t *alt_buf; + int alt_size; + uint16_t *alt_len; + int ret; + int log_avail=0; + const uint8_t *tmp_eol; + + if ((smtp_ssn->log_state == NULL) || (length <= 0)) + return -1; + + tmp_eol = (uint8_t *)memchr(start, ':', length); + if(tmp_eol == NULL) + return -1; + + if((tmp_eol+1) < (start+length)) + { + length = length - ( (tmp_eol+1) - start ); + start = tmp_eol+1; + } + else + return -1; + + + + switch (command_type) + { + case CMD_MAIL: + alt_buf = smtp_ssn->log_state->senders; + alt_size = MAX_EMAIL; + alt_len = &(smtp_ssn->log_state->snds_logged); + break; + + case CMD_RCPT: + alt_buf = smtp_ssn->log_state->recipients; + alt_size = MAX_EMAIL; + alt_len = &(smtp_ssn->log_state->rcpts_logged); + break; + + default: + return -1; + } + + log_avail = alt_size - *alt_len; + + if(log_avail <= 0 || !alt_buf) + return -1; + + if ( *alt_len > 0 && ((*alt_len + 1) < alt_size)) + { + alt_buf[*alt_len] = ','; + *alt_len = *alt_len + 1; + } + + ret = SafeMemcpy(alt_buf + *alt_len, start, length, alt_buf, alt_buf + alt_size); + + if (ret != SAFEMEM_SUCCESS) + { + if(*alt_len != 0) + *alt_len = *alt_len - 1; return -1; } 
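Review bot: The failure path of SMTP_CopyEmailID rolls back one byte unconditionally (`if(*alt_len != 0) *alt_len = *alt_len - 1;`), but the separator is only written when `(*alt_len + 1) < alt_size`, so when SafeMemcpy fails with the buffer nearly full the last byte of a previously logged address is discarded instead of a comma; SMTP_CopyFileName in the next hunk has the same rollback and additionally skips the comma when `cont` is set. Record whether the separator was written, e.g. `int comma_added = 0;` set to 1 inside the comma branch, and roll back with `if (comma_added) *alt_len -= 1;`. Unlike SMTP_CopyEmailHdrs earlier in this hunk, `length` is not clamped to `log_avail`, so an address that does not fit is dropped entirely rather than truncated; if that is intended, a comment saying so would help.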
@@ -125,7 +237,209 @@ return 0; } -#ifdef DEBUG + +void SMTP_DecodeType(const char *start, int length) +{ + const char *tmp = NULL; + + if(smtp_ssn->decode_state->b64_state.encode_depth > -1) + { + tmp = _dpd.SnortStrcasestr(start, length, "base64"); + if( tmp != NULL ) + { + smtp_ssn->decode_state->decode_type = DECODE_B64; + return; + } + } + + if(smtp_ssn->decode_state->qp_state.encode_depth > -1) + { + tmp = _dpd.SnortStrcasestr(start, length, "quoted-printable"); + if( tmp != NULL ) + { + smtp_ssn->decode_state->decode_type = DECODE_QP; + return; + } + } + + if(smtp_ssn->decode_state->uu_state.encode_depth > -1) + { + tmp = _dpd.SnortStrcasestr(start, length, "uuencode"); + if( tmp != NULL ) + { + smtp_ssn->decode_state->decode_type = DECODE_UU; + return; + } + } + + if(smtp_ssn->decode_state->bitenc_state.depth > -1) + { + smtp_ssn->decode_state->decode_type = DECODE_BITENC; + return; + } + + return; +} + + + +/* Extract the filename from the header */ +static inline int SMTP_ExtractFileName(const char **start, int length) +{ + const char *tmp = NULL; + const char *end = *start+length; + + if ((smtp_ssn->log_state == NULL) || (length <= 0)) + return -1; + + + if (!(smtp_ssn->state_flags & SMTP_FLAG_IN_CONT_DISP_CONT)) + { + tmp = _dpd.SnortStrcasestr(*start, length, "filename"); + + if( tmp == NULL ) + return -1; + + tmp = tmp + 8; + while( (tmp < end) && ((isspace(*tmp)) || (*tmp == '=') )) + { + tmp++; + } + } + else + tmp = *start; + + if(tmp < end) + { + if(*tmp == '"' || (smtp_ssn->state_flags & SMTP_FLAG_IN_CONT_DISP_CONT)) + { + if(*tmp == '"') + { + if(smtp_ssn->state_flags & SMTP_FLAG_IN_CONT_DISP_CONT) + { + smtp_ssn->state_flags &= ~SMTP_FLAG_IN_CONT_DISP_CONT; + return (tmp - *start); + } + tmp++; + + } + *start = tmp; + tmp = _dpd.SnortStrnPbrk(*start ,(end - tmp),"\""); + if(tmp == NULL ) + { + if ((end - tmp) > 0 ) + { + tmp = end; + smtp_ssn->state_flags |= SMTP_FLAG_IN_CONT_DISP_CONT; + } + else + return -1; + } + else + smtp_ssn->state_flags 
&= ~SMTP_FLAG_IN_CONT_DISP_CONT; + end = tmp; + } + else + { + *start = tmp; + } + return (end - *start); + } + else + { + return -1; + } + + return 0; +} + + +/* accumulate MIME attachment filenames. The filenames are appended by commas */ +int SMTP_CopyFileName(const uint8_t *start, int length) +{ + uint8_t *alt_buf; + int alt_size; + uint16_t *alt_len; + int ret=0; + int cont =0; + int log_avail = 0; + + + if(length == 0) + return -1; + + if(smtp_ssn->state_flags & SMTP_FLAG_IN_CONT_DISP_CONT) + cont = 1; + + ret = SMTP_ExtractFileName((const char **)(&start), length ); + + if (ret == -1) + return ret; + + length = ret; + + alt_buf = smtp_ssn->log_state->filenames; + alt_size = MAX_FILE; + alt_len = &(smtp_ssn->log_state->file_logged); + log_avail = alt_size - *alt_len; + + if(!alt_buf || (log_avail <= 0)) + return -1; + + + if ( *alt_len > 0 && ((*alt_len + 1) < alt_size)) + { + if(!cont) + { + alt_buf[*alt_len] = ','; + *alt_len = *alt_len + 1; + } + } + + ret = SafeMemcpy(alt_buf + *alt_len, start, length, alt_buf, alt_buf + alt_size); + + if (ret != SAFEMEM_SUCCESS) + { + if(*alt_len != 0) + *alt_len = *alt_len - 1; + return -1; + } + + *alt_len += length; + smtp_ssn->log_flags |= SMTP_FLAG_FILENAME_PRESENT; + + return 0; +} + + +void SMTP_LogFuncs(SMTPConfig *config, SFSnortPacket *p) +{ + if((smtp_ssn->log_flags == 0) || !config) + return; + + if(smtp_ssn->log_flags & SMTP_FLAG_FILENAME_PRESENT) + { + SetLogFuncs(p, config->xtra_filename_id, 0); + } + + if(smtp_ssn->log_flags & SMTP_FLAG_MAIL_FROM_PRESENT) + { + SetLogFuncs(p, config->xtra_mfrom_id, 0); + } + + if(smtp_ssn->log_flags & SMTP_FLAG_RCPT_TO_PRESENT) + { + SetLogFuncs(p, config->xtra_rcptto_id, 0); + } + + if(smtp_ssn->log_flags & SMTP_FLAG_EMAIL_HDRS_PRESENT) + { + SetLogFuncs(p, config->xtra_ehdrs_id, 0); + } + +} + +#ifdef DEBUG_MSGS char smtp_print_buffer[65537]; const char * SMTP_PrintBuffer(SFSnortPacket *p) 
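Review bot: In SMTP_ExtractFileName the `tmp == NULL` branch evaluates `(end - tmp) > 0` with `tmp` already NULL, which is arithmetic on a null pointer (undefined behaviour) and in practice always true, so its `return -1` is unreachable. The intended comparison appears to be against the start of the search, `if ((end - *start) > 0)`. The whitespace skip `isspace(*tmp)` passes a plain `char`, which is undefined for negative bytes in a MIME header; the rest of this file casts before calling ctype functions, so use `isspace((unsigned char)*tmp)`. The trailing `return 0;` after the if/else is unreachable and can be dropped.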
@@ -136,8 +450,8 @@ if (smtp_normalizing) { - ptr = &_dpd.altBuffer[0]; - len = p->normalized_payload_size; + ptr = _dpd.altBuffer->data; + len = _dpd.altBuffer->len; } else { diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/smtp/smtp_util.h snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_util.h --- snort-2.8.5.2/src/dynamic-preprocessors/smtp/smtp_util.h 2009-05-06 22:29:06.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_util.h 2011-10-26 18:28:52.000000000 +0000 @@ -1,6 +1,6 @@ /**************************************************************************** - * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -35,8 +35,13 @@ void SMTP_GetEOL(const uint8_t *, const uint8_t *, const uint8_t **, const uint8_t **); int SMTP_CopyToAltBuffer(SFSnortPacket *, const uint8_t *, int); +int SMTP_CopyEmailHdrs(const uint8_t *, int ); +int SMTP_CopyEmailID(const uint8_t *, int , int ); +int SMTP_CopyFileName(const uint8_t *, int ); +void SMTP_LogFuncs(SMTPConfig *config, SFSnortPacket *p); +void SMTP_DecodeType(const char *, int ); -#ifdef DEBUG +#ifdef DEBUG_MSGS const char * SMTP_PrintBuffer(SFSnortPacket *); #endif diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/smtp/smtp_xlink2state.c snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_xlink2state.c --- snort-2.8.5.2/src/dynamic-preprocessors/smtp/smtp_xlink2state.c 2009-08-10 20:41:49.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_xlink2state.c 2011-10-26 18:28:52.000000000 +0000 @@ -1,6 +1,6 @@ /*************************************************************************** * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -20,7 +20,7 @@ ****************************************************************************/ /************************************************************************ - * + * * smtp_xlink2state.c * * Author: Andy Mullican @@ -43,6 +43,11 @@ #include #include +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "snort_smtp.h" #include "smtp_config.h" #include "smtp_util.h" @@ -62,11 +67,8 @@ /* X-Link2State overlong length */ #define XLINK2STATE_MAX_LEN 520 - extern SMTP *smtp_ssn; extern SMTPConfig *smtp_eval_config; -extern DynamicPreprocessorData _dpd; - /* Prototypes */ static uint32_t get_xlink_hex_value(const uint8_t *, const uint8_t *); @@ -78,7 +80,7 @@ * @param buf pointer to beginning of buffer to parse * @param end end pointer of buffer to parse * - * @return unsigned long value of number extracted + * @return unsigned long value of number extracted * * @note this could be more efficient, but the search buffer should be pretty short */ @@ -121,7 +123,7 @@ /* * Check for X-LINK2STATE keywords FIRST or CHUNK - * + * * * @param x pointer to "X-LINK2STATE" in buffer * @param x_len length of buffer after x @@ -147,7 +149,7 @@ len = end - ptr; - if (len > 5 && strncasecmp((const char *)ptr, "FIRST", 5) == 0) + if (len > 5 && strncasecmp((const char *)ptr, "FIRST", 5) == 0) { return XLINK_FIRST; } @@ -161,9 +163,9 @@ /* * Handle X-Link2State vulnerability - * + * * From Lurene Grenier: - + The X-LINK2STATE command always takes the following form: X-LINK2STATE [FIRST|NEXT|LAST] CHUNK= @@ -186,7 +188,7 @@ next; # chunks came with proper first chunk specified if (/X-LINK2STATE [FIRST|NEXT|LAST] CHUNK/) { if (/X-LINK2STATE FIRST CHUNK/) gotFirstChunk = TRUE; - next; # some specifier is marked + next; # some specifier is marked } if (chunkLen > 520) attempt = TRUE; # Gotcha! 
@@ -269,11 +271,10 @@ if (len > XLINK2STATE_MAX_LEN) { /* Need to drop the packet if we're told to - * and we're inline mode (outside of whether its - * thresholded). */ - if (smtp_eval_config->drop_xlink2state && _dpd.inlineMode()) + * (outside of whether its thresholded). */ + if (smtp_eval_config->drop_xlink2state) { - _dpd.inlineDrop(p); + _dpd.inlineDropAndReset(p); } SMTP_GenerateAlert(SMTP_XLINK2STATE_OVERFLOW, "%s", SMTP_XLINK2STATE_OVERFLOW_STR); diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/smtp/smtp_xlink2state.h snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_xlink2state.h --- snort-2.8.5.2/src/dynamic-preprocessors/smtp/smtp_xlink2state.h 2009-05-06 22:29:07.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_xlink2state.h 2011-02-09 23:23:24.000000000 +0000 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/smtp/snort_smtp.c snort-2.9.2/src/dynamic-preprocessors/smtp/snort_smtp.c --- snort-2.8.5.2/src/dynamic-preprocessors/smtp/snort_smtp.c 2009-07-07 15:37:07.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/snort_smtp.c 2011-11-21 20:15:24.000000000 +0000 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -45,14 +45,12 @@ #endif #include - -#include "sf_types.h" - #include #include #include #include +#include "sf_types.h" #include "snort_smtp.h" #include "smtp_config.h" #include "smtp_normalize.h" 
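Review bot: The `_dpd.inlineMode()` guard around the drop was removed together with its comment, so `_dpd.inlineDropAndReset(p)` now runs whenever `drop_xlink2state` is set regardless of mode. Whether that call is a no-op outside inline mode is not visible here; a one-line comment such as `/* inlineDropAndReset is harmless when not inline; the alert below still fires */` would record the assumption for the next reader. The enclosing function starts and ends outside the hunk.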
@@ -62,15 +60,15 @@ #include "sf_snort_packet.h" #include "stream_api.h" -#include "debug.h" +#include "snort_debug.h" #include "profiler.h" -#include "bounds.h" +#include "snort_bounds.h" #include "sf_dynamic_preprocessor.h" #include "ssl.h" #include "sfPolicy.h" #include "sfPolicyUserData.h" - -#ifdef DEBUG +#include "Unified2_common.h" +#ifdef DEBUG_MSGS #include "sf_types.h" #endif @@ -86,10 +84,10 @@ extern tSfPolicyUserContextId smtp_config; extern SMTPConfig *smtp_eval_config; +extern MemPool *smtp_mime_mempool; +extern MemPool *smtp_mempool; -extern DynamicPreprocessorData _dpd; - -#ifdef DEBUG +#ifdef DEBUG_MSGS extern char smtp_print_buffer[]; #endif @@ -175,6 +173,8 @@ const SMTPToken smtp_hdrs[] = { {"Content-type:", 13, HDR_CONTENT_TYPE}, + {"Content-Transfer-Encoding:", 26, HDR_CONT_TRANS_ENC}, + {"Content-Disposition:", 20, HDR_CONT_DISP}, {NULL, 0, 0} }; @@ -193,7 +193,7 @@ char smtp_normalizing; SMTPSearchInfo smtp_search_info; -#ifdef DEBUG +#ifdef DEBUG_MSGS uint64_t smtp_session_counter = 0; #endif 
@@ -242,6 +242,69 @@ /**************************************************************************/ +static void SetSmtpBuffers(SMTP *ssn) +{ + if ((ssn != NULL) && (ssn->decode_state == NULL) + && (!SMTP_IsDecodingEnabled(smtp_eval_config))) + { + MemBucket *bkt = mempool_alloc(smtp_mime_mempool); + + if (bkt != NULL) + { + ssn->decode_state = (Email_DecodeState *)calloc(1, sizeof(Email_DecodeState)); + if( ssn->decode_state != NULL ) + { + ssn->decode_bkt = bkt; + SetEmailDecodeState(ssn->decode_state, bkt->data, smtp_eval_config->max_depth, + smtp_eval_config->b64_depth, smtp_eval_config->qp_depth, + smtp_eval_config->uu_depth, smtp_eval_config->bitenc_depth); + } + else + { + /*free mempool if calloc fails*/ + mempool_free(smtp_mime_mempool, bkt); + } + } + else + { + SMTP_GenerateAlert(SMTP_DECODE_MEMCAP_EXCEEDED, "%s", SMTP_DECODE_MEMCAP_EXCEEDED_STR); + } + } +} + +static void SetLogBuffers(SMTP *ssn) +{ + if((ssn != NULL) && (ssn->log_state == NULL) + && (smtp_eval_config->log_email_hdrs || smtp_eval_config->log_filename + || smtp_eval_config->log_mailfrom || smtp_eval_config->log_rcptto)) + { + MemBucket *bkt = mempool_alloc(smtp_mempool); + + if(bkt != NULL) + { + ssn->log_state = (SMTP_LogState *)calloc(1, sizeof(SMTP_LogState)); + if(ssn->log_state != NULL) + { + ssn->log_state->log_hdrs_bkt = bkt; + ssn->log_state->log_depth = smtp_eval_config->email_hdrs_log_depth; + ssn->log_state->recipients = (uint8_t *)bkt->data; + ssn->log_state->rcpts_logged = 0; + ssn->log_state->senders = (uint8_t *)bkt->data + MAX_EMAIL; + ssn->log_state->snds_logged = 0; + ssn->log_state->filenames = (uint8_t *)bkt->data + (2*MAX_EMAIL); + ssn->log_state->file_logged = 0; + ssn->log_state->emailHdrs = (unsigned char *)bkt->data + (2*MAX_EMAIL) + MAX_FILE; + ssn->log_state->hdrs_logged = 0; + } + else + { + /*free bkt if calloc fails*/ + mempool_free(smtp_mempool, bkt); + } + } + } +} + void SMTP_InitCmds(SMTPConfig *config) { 
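Review bot: SetLogBuffers carves four regions out of one mempool bucket at fixed offsets (`recipients` at 0, `senders` at MAX_EMAIL, `filenames` at 2*MAX_EMAIL, `emailHdrs` at 2*MAX_EMAIL + MAX_FILE), and the copy helpers in smtp_util.c bound their writes with MAX_EMAIL, MAX_FILE and `log_depth`, so the bucket must hold at least 2*MAX_EMAIL + MAX_FILE + email_hdrs_log_depth bytes; nothing in this hunk checks or documents that the `smtp_mempool` object size satisfies that. A comment above the function stating the layout and the size requirement, or a defensive comparison of the bucket size against that sum before the assignments, would keep the two from drifting apart. Unlike SetSmtpBuffers, a NULL return from mempool_alloc here is silent, so logging quietly stops for the session; a debug message would make that diagnosable.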
@@ -255,7 +318,7 @@ if (config->cmds == NULL) { DynamicPreprocessorFatalMessage("%s(%d) => failed to allocate memory for smtp " - "command structure\n", + "command structure\n", *(_dpd.config_file), *(_dpd.config_line)); } @@ -268,7 +331,7 @@ if (config->cmds[tmp->search_id].name == NULL) { DynamicPreprocessorFatalMessage("%s(%d) => failed to allocate memory for smtp " - "command structure\n", + "command structure\n", *(_dpd.config_file), *(_dpd.config_line)); } } @@ -278,7 +341,7 @@ if (config->cmd_search == NULL) { DynamicPreprocessorFatalMessage("%s(%d) => failed to allocate memory for smtp " - "command structure\n", + "command structure\n", *(_dpd.config_file), *(_dpd.config_line)); } @@ -382,7 +445,7 @@ } } -/* +/* * Initialize run-time boundary search */ static int SMTP_BoundarySearchInit(void) @@ -424,6 +487,7 @@ smtp_ssn->state = STATE_COMMAND; smtp_ssn->data_state = STATE_DATA_INIT; smtp_ssn->state_flags = 0; + ClearEmailDecodeState(smtp_ssn->decode_state); memset(&smtp_ssn->mime_boundary, 0, sizeof(SMTPMimeBoundary)); } @@ -455,7 +519,7 @@ if ((p->stream_session_ptr == NULL) || (pPolicyConfig->inspection_type == SMTP_STATELESS)) { -#ifdef DEBUG +#ifdef DEBUG_MSGS if (p->stream_session_ptr == NULL) { DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Stream session pointer is NULL - " @@ -479,8 +543,11 @@ DynamicPreprocessorFatalMessage("Failed to allocate SMTP session data\n"); } + smtp_ssn = ssn; + SetSmtpBuffers(smtp_ssn); + SetLogBuffers(smtp_ssn); _dpd.streamAPI->set_application_data(p->stream_session_ptr, PP_SMTP, - ssn, &SMTP_SessionFree); + ssn, &SMTP_SessionFree); if (p->flags & SSNFLAG_MIDSTREAM) { @@ -489,7 +556,7 @@ ssn->state = STATE_UNKNOWN; } -#ifdef DEBUG +#ifdef DEBUG_MSGS smtp_session_counter++; ssn->session_number = smtp_session_counter; #endif 
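Review bot: `ClearEmailDecodeState(smtp_ssn->decode_state)` is called unconditionally in the reset path, while `decode_state` stays NULL whenever SetSmtpBuffers does not allocate it (decoding disabled, or mempool_alloc returning NULL). Every other new use of `decode_state` in this commit is guarded with `if (smtp_ssn->decode_state != NULL)`; unless ClearEmailDecodeState is documented as NULL-tolerant, add the same guard here: `if (smtp_ssn->decode_state != NULL) ClearEmailDecodeState(smtp_ssn->decode_state);`. The enclosing function starts and ends outside the hunk.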
@@ -530,7 +597,7 @@ /* Figure out direction of packet */ pkt_dir = SMTP_GetPacketDirection(p, flags); - DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Session number: "STDu64"\n", ssn->session_number);); + DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Session number: "STDu64"\n", ssn->session_number);); /* reset check ssl flag for new packet */ if (!(ssn->session_flags & SMTP_FLAG_CHECK_SSL)) @@ -585,7 +652,7 @@ * @return none */ static int SMTP_GetPacketDirection(SFSnortPacket *p, int flags) -{ +{ int pkt_direction = SMTP_PKT_FROM_UNKNOWN; if (flags & SSNFLAG_MIDSTREAM) @@ -675,6 +742,18 @@ smtp->mime_boundary.boundary_search = NULL; } + if(smtp->decode_state != NULL) + { + mempool_free(smtp_mime_mempool, smtp->decode_bkt); + free(smtp->decode_state); + } + + if(smtp->log_state != NULL) + { + mempool_free(smtp_mempool, smtp->log_state->log_hdrs_bkt); + free(smtp->log_state); + } + free(smtp); } @@ -690,7 +769,7 @@ static int SMTP_FreeConfigsPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { @@ -789,6 +868,7 @@ smtp_search_info.index = index; smtp_search_info.length = smtp_current_search[search_id].name_len; + /* Returning non-zero stops search, which is okay since we only look for one at a time */ return 1; } @@ -829,7 +909,7 @@ mime_boundary = &smtp_ssn->mime_boundary.boundary[0]; mime_boundary_len = &smtp_ssn->mime_boundary.boundary_len; - + /* result will be the number of matches (including submatches) */ result = pcre_exec(mime_boundary_pcre.re, mime_boundary_pcre.pe, data, data_len, 0, 0, ovector, ovecsize); @@ -891,7 +971,7 @@ /* calculate length of command line */ cmd_line_len = eol - ptr; - /* check for command line exceeding maximum + /* check for command line exceeding maximum * do this before checking for a command since this could overflow * some server's buffers without the presence of a known command */ if ((smtp_eval_config->max_command_line_len != 0) && 
@@ -902,7 +982,7 @@ /* TODO If the end of line marker coincides with the end of payload we can't be * sure that we got a command and not a substring which we could tell through - * inpsection of the next packet. Maybe a command pending state where the first + * inspection of the next packet. Maybe a command pending state where the first * char in the next packet is checked for a space and end of line marker */ /* do not confine since there could be space chars before command */ @@ -922,11 +1002,11 @@ while ((tmp < cmd_start) && isspace((int)*tmp)) tmp++; - /* if not all spaces before command, we found a + /* if not all spaces before command, we found a * substring */ if (tmp != cmd_start) cmd_found = 0; - + /* if we're before the end of line marker and the next * character is not whitespace, we found a substring */ if ((cmd_end < eolm) && !isspace((int)*cmd_end)) @@ -959,9 +1039,7 @@ if (smtp_eval_config->ignore_tls_data) { DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Ignoring encrypted data\n");); - - p->normalized_payload_size = 0; - p->flags |= FLAG_ALT_DECODE; + _dpd.SetAltDecode(0); } return end; @@ -1041,6 +1119,11 @@ * caused the error */ case CMD_MAIL: smtp_ssn->state_flags |= SMTP_FLAG_GOT_MAIL_CMD; + if( smtp_eval_config->log_mailfrom ) + { + if(!SMTP_CopyEmailID(ptr, eolm - ptr, CMD_MAIL)) + smtp_ssn->log_flags |= SMTP_FLAG_MAIL_FROM_PRESENT; + } break; @@ -1051,6 +1134,12 @@ smtp_ssn->state_flags |= SMTP_FLAG_GOT_RCPT_CMD; } + if( smtp_eval_config->log_rcptto) + { + if(!SMTP_CopyEmailID(ptr, eolm - ptr, CMD_RCPT)) + smtp_ssn->log_flags |= SMTP_FLAG_RCPT_TO_PRESENT; + } + break; case CMD_RSET: @@ -1079,7 +1168,7 @@ /* bad BDAT command - needs chunk argument */ if (begin_chunk == eolm) break; - + end_chunk = begin_chunk; while ((end_chunk < eolm) && isdigit((int)*end_chunk)) end_chunk++; @@ -1137,7 +1226,7 @@ { break; } - + smtp_ssn->bdat_last = 1; } } 
@@ -1179,13 +1268,13 @@ smtp_ssn->state = STATE_TLS_CLIENT_PEND; break; - - case CMD_X_LINK2STATE: + + case CMD_X_LINK2STATE: if (smtp_eval_config->alert_xlink2state) ParseXLink2State(p, ptr + smtp_search_info.index); break; - + default: break; } @@ -1202,7 +1291,7 @@ ret = SMTP_NormalizeCmd(p, ptr, eolm, eol); if (ret == -1) return NULL; - } + } else if (smtp_normalizing) /* Already normalizing */ { ret = SMTP_CopyToAltBuffer(p, ptr, eol - ptr); @@ -1220,6 +1309,7 @@ const uint8_t *data_end = NULL; int data_end_found; int ret; + uint16_t alt_decode_len = 0; /* if we've just entered the data state, check for a dot + end of line * if found, no data */ @@ -1233,7 +1323,7 @@ SMTP_GetEOL(ptr, end, &eol, &eolm); - /* this means we got a real end of line and not just end of payload + /* this means we got a real end of line and not just end of payload * and that the dot is only char on line */ if ((eolm != end) && (eolm == (ptr + 1))) { @@ -1262,7 +1352,7 @@ * Postfix and Qmail will consider the start of data: * . text\r\n * . text\r\n - * to be part of the header and the effect will be that of a + * to be part of the header and the effect will be that of a * folded line with the '.' deleted. Exchange will put the same * in the body which seems more reasonable. */ } @@ -1285,10 +1375,12 @@ data_end_marker = data_end = end; } + _dpd.setFileDataPtr((uint8_t*)ptr, (uint16_t)(data_end - ptr)); + if ((smtp_ssn->data_state == STATE_DATA_HEADER) || (smtp_ssn->data_state == STATE_DATA_UNKNOWN)) { -#ifdef DEBUG +#ifdef DEBUG_MSGS if (smtp_ssn->data_state == STATE_DATA_HEADER) { DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "DATA HEADER STATE ~~~~~~~~~~~~~~~~~~~~~~\n");); @@ -1302,6 +1394,7 @@ ptr = SMTP_HandleHeader(p, ptr, data_end_marker); if (ptr == NULL) return NULL; + } /* if we're ignoring data and not already normalizing, copy everything 
@@ -1326,6 +1419,30 @@ while ((ptr != NULL) && (ptr < data_end_marker)) { + /* multiple MIME attachments in one single packet. + * Pipeline the MIME decoded data.*/ + if ( smtp_ssn->state_flags & SMTP_FLAG_MULTIPLE_EMAIL_ATTACH) + { + alt_decode_len = 0; + _dpd.setFileDataPtr(smtp_ssn->decode_state->decodePtr, (uint16_t)smtp_ssn->decode_state->decoded_bytes); + SMTP_LogFuncs(smtp_eval_config, p); + if (_dpd.Is_DetectFlag(SF_FLAG_ALT_DECODE)) + { + alt_decode_len = _dpd.altBuffer->len; + } + _dpd.detect(p); + smtp_ssn->state_flags &= ~SMTP_FLAG_MULTIPLE_EMAIL_ATTACH; + ResetEmailDecodeState(smtp_ssn->decode_state); + p->flags |=FLAG_ALLOW_MULTIPLE_DETECT; + /* Reset the log count when a packet goes through detection multiple times */ + p->xtradata_mask = 0; + p->per_packet_xtradata = 0; + _dpd.DetectReset((uint8_t *)p->payload, p->payload_size); + + /* There might be previously normalized data for this session which should not be cleared */ + if(alt_decode_len) + _dpd.SetAltDecode(alt_decode_len); + } switch (smtp_ssn->data_state) { case STATE_MIME_HEADER: @@ -1339,6 +1456,14 @@ } } + /* We have either reached the end of MIME header or end of MIME encoded data*/ + + if(smtp_ssn->decode_state != NULL) + { + _dpd.setFileDataPtr(smtp_ssn->decode_state->decodePtr, (uint16_t)smtp_ssn->decode_state->decoded_bytes); + ResetDecodedBytes(smtp_ssn->decode_state); + } + /* if we got the data end reset state, otherwise we're probably still in the data * to expect more data in next packet */ if (data_end_marker != end) @@ -1366,6 +1491,8 @@ const uint8_t *eolm; const uint8_t *colon; const uint8_t *content_type_ptr = NULL; + const uint8_t *cont_trans_enc = NULL; + const uint8_t *cont_disp = NULL; int header_line_len; int header_found; int ret; 
@@ -1379,6 +1506,12 @@ if (smtp_ssn->state_flags & SMTP_FLAG_IN_CONTENT_TYPE) content_type_ptr = ptr; + if (smtp_ssn->state_flags & SMTP_FLAG_IN_CONT_TRANS_ENC) + cont_trans_enc = ptr; + + if (smtp_ssn->state_flags & SMTP_FLAG_IN_CONT_DISP) + cont_disp = ptr; + while (ptr < data_end_marker) { SMTP_GetEOL(ptr, data_end_marker, &eol, &eolm); @@ -1388,7 +1521,8 @@ { /* reset global header state values */ smtp_ssn->state_flags &= - ~(SMTP_FLAG_FOLDING | SMTP_FLAG_IN_CONTENT_TYPE | SMTP_FLAG_DATA_HEADER_CONT); + ~(SMTP_FLAG_FOLDING | SMTP_FLAG_IN_CONTENT_TYPE | SMTP_FLAG_DATA_HEADER_CONT + | SMTP_FLAG_IN_CONT_TRANS_ENC |SMTP_FLAG_IN_CONT_DISP ); smtp_ssn->data_state = STATE_DATA_BODY; @@ -1399,7 +1533,7 @@ return eol; } - /* if we're not folding, see if we should interpret line as a data line + /* if we're not folding, see if we should interpret line as a data line * instead of a header line */ if (!(smtp_ssn->state_flags & (SMTP_FLAG_FOLDING | SMTP_FLAG_DATA_HEADER_CONT))) { @@ -1414,7 +1548,7 @@ } /* look for header field colon - if we're not folding then we need - * to find a header which will be all printables (except colon) + * to find a header which will be all printables (except colon) * followed by a colon */ colon = ptr; while ((colon < eolm) && (*colon != ':')) 
@@ -1442,44 +1576,69 @@ /* no colon or got spaces in header name (won't be interpreted as a header) * assume we're in the body */ smtp_ssn->state_flags &= - ~(SMTP_FLAG_FOLDING | SMTP_FLAG_IN_CONTENT_TYPE | SMTP_FLAG_DATA_HEADER_CONT); + ~(SMTP_FLAG_FOLDING | SMTP_FLAG_IN_CONTENT_TYPE | SMTP_FLAG_DATA_HEADER_CONT + |SMTP_FLAG_IN_CONT_TRANS_ENC | SMTP_FLAG_IN_CONT_DISP); smtp_ssn->data_state = STATE_DATA_BODY; return ptr; } - smtp_current_search = &smtp_hdr_search[0]; - header_found = _dpd.searchAPI->search_instance_find - (smtp_hdr_search_mpse, (const char *)ptr, - eolm - ptr, 1, SMTP_SearchStrFound); - - /* Headers must start at beginning of line */ - if ((header_found > 0) && (smtp_search_info.index == 0)) + if(tolower((int)*ptr) == 'c') { - switch (smtp_search_info.id) + + smtp_current_search = &smtp_hdr_search[0]; + header_found = _dpd.searchAPI->search_instance_find + (smtp_hdr_search_mpse, (const char *)ptr, + eolm - ptr, 1, SMTP_SearchStrFound); + /* Headers must start at beginning of line */ + if ((header_found > 0) && (smtp_search_info.index == 0)) { - case HDR_CONTENT_TYPE: - /* for now we're just looking for the boundary in the data - * header section */ - if (smtp_ssn->data_state != STATE_MIME_HEADER) - { - content_type_ptr = ptr + smtp_search_info.length; - smtp_ssn->state_flags |= SMTP_FLAG_IN_CONTENT_TYPE; - } + switch (smtp_search_info.id) + { + case HDR_CONTENT_TYPE: + /* for now we're just looking for the boundary in the data + * header section */ + if (smtp_ssn->data_state != STATE_MIME_HEADER) + { + content_type_ptr = ptr + smtp_search_info.length; + smtp_ssn->state_flags |= SMTP_FLAG_IN_CONTENT_TYPE; + } + + break; + case HDR_CONT_TRANS_ENC: + cont_trans_enc = ptr + smtp_search_info.length; + smtp_ssn->state_flags |= SMTP_FLAG_IN_CONT_TRANS_ENC; + break; + case HDR_CONT_DISP: + cont_disp = ptr + smtp_search_info.length; + smtp_ssn->state_flags |= SMTP_FLAG_IN_CONT_DISP; + break; - break; - default: - break; + break; + } } } + else 
if(tolower((int)*ptr) == 'e') + { + if( (eolm - ptr) >= 9 ) + { + if(strncasecmp((const char *)ptr, "Encoding:", 9) == 0) + { + cont_trans_enc = ptr + 9; + smtp_ssn->state_flags |= SMTP_FLAG_IN_CONT_TRANS_ENC; + } + } + + } + } else { smtp_ssn->state_flags &= ~SMTP_FLAG_DATA_HEADER_CONT; } - + /* get length of header line */ header_line_len = eol - ptr; @@ -1496,7 +1655,8 @@ /* assume we guessed wrong and are in the body */ smtp_ssn->data_state = STATE_DATA_BODY; smtp_ssn->state_flags &= - ~(SMTP_FLAG_FOLDING | SMTP_FLAG_IN_CONTENT_TYPE | SMTP_FLAG_DATA_HEADER_CONT); + ~(SMTP_FLAG_FOLDING | SMTP_FLAG_IN_CONTENT_TYPE | SMTP_FLAG_DATA_HEADER_CONT + | SMTP_FLAG_IN_CONT_TRANS_ENC | SMTP_FLAG_IN_CONT_DISP); return ptr; } } @@ -1510,7 +1670,15 @@ return NULL; } - /* check for folding + if(smtp_eval_config->log_email_hdrs) + { + if(smtp_ssn->data_state == STATE_DATA_HEADER) + { + ret = SMTP_CopyEmailHdrs(ptr, eol - ptr); + } + } + + /* check for folding * if char on next line is a space and not \n or \r\n, we are folding */ if ((eol < data_end_marker) && isspace((int)eol[0]) && (eol[0] != '\n')) { 
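Review bot: The new `else if (tolower((int)*ptr) == 'e')` branch treats any unfolded header line beginning with `Encoding:` as a Content-Transfer-Encoding header and sets SMTP_FLAG_IN_CONT_TRANS_ENC, although `Encoding:` is not a MIME header name and the smtp_hdrs table in snort_smtp.c only knows `Content-Transfer-Encoding:`. If this is meant to catch a specific malformed-header case, say so in a comment, e.g. `/* some senders emit a bare "Encoding:" header; treat it as Content-Transfer-Encoding */`; otherwise it should be dropped, since it can switch on decoding from a header the receiving MTA will ignore. The first-character pre-filter on `'c'` also means the MPSE search no longer runs for other headers, which holds only while smtp_hdrs is limited to `Content-*` tokens; a comment tying the two together would help.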
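Review bot: `ret = SMTP_CopyEmailHdrs(ptr, eol - ptr);` stores the result but nothing reads it before `ret` is reused, so a failed or truncated header copy is indistinguishable from success. Either drop the assignment (`SMTP_CopyEmailHdrs(ptr, eol - ptr);`) or handle a `-1` return, for instance with a debug message, so the intent is explicit. The enclosing function starts and ends outside the hunk.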
@@ -1553,6 +1721,32 @@ smtp_ssn->state_flags &= ~SMTP_FLAG_IN_CONTENT_TYPE; content_type_ptr = NULL; } + else if ((smtp_ssn->state_flags & + (SMTP_FLAG_IN_CONT_TRANS_ENC | SMTP_FLAG_FOLDING)) == SMTP_FLAG_IN_CONT_TRANS_ENC) + { + /* Check for Content-Transfer-Encoding : */ + if( (!SMTP_IsDecodingEnabled(smtp_eval_config)) && (smtp_ssn->decode_state != NULL)) + { + SMTP_DecodeType((const char *)cont_trans_enc, eolm - cont_trans_enc ); + smtp_ssn->state_flags |= SMTP_FLAG_EMAIL_ATTACH; + /* check to see if there are other attachments in this packet */ + if( smtp_ssn->decode_state->decoded_bytes ) + smtp_ssn->state_flags |= SMTP_FLAG_MULTIPLE_EMAIL_ATTACH; + } + smtp_ssn->state_flags &= ~SMTP_FLAG_IN_CONT_TRANS_ENC; + + cont_trans_enc = NULL; + } + else if ((smtp_ssn->state_flags & + (SMTP_FLAG_IN_CONT_DISP | SMTP_FLAG_FOLDING)) == SMTP_FLAG_IN_CONT_DISP) + { + if( smtp_eval_config->log_filename ) + SMTP_CopyFileName(cont_disp, eolm - cont_disp); + if (!(smtp_ssn->state_flags & SMTP_FLAG_IN_CONT_DISP_CONT)) + smtp_ssn->state_flags &= ~SMTP_FLAG_IN_CONT_DISP; + + cont_disp = NULL; + } /* if state was unknown, at this point assume we know */ if (smtp_ssn->data_state == STATE_DATA_UNKNOWN) @@ -1582,7 +1776,11 @@ { int boundary_found = 0; const uint8_t *boundary_ptr = NULL; + const uint8_t *attach_start = NULL; + const uint8_t *attach_end = NULL; + if ( smtp_ssn->state_flags & SMTP_FLAG_EMAIL_ATTACH ) + attach_start = ptr; /* look for boundary */ if (smtp_ssn->state_flags & SMTP_FLAG_GOT_BOUNDARY) { @@ -1601,6 +1799,19 @@ const uint8_t *eolm; const uint8_t *tmp; + if (smtp_ssn->state_flags & SMTP_FLAG_EMAIL_ATTACH ) + { + attach_end = boundary_ptr-1; + smtp_ssn->state_flags &= ~SMTP_FLAG_EMAIL_ATTACH; + if( attach_start < attach_end ) + { + if(EmailDecode( attach_start, attach_end, smtp_ssn->decode_state) != DECODE_SUCCESS ) + { + SMTP_DecodeAlert(); + } + } + } + /* Check for end boundary */ tmp = boundary_ptr + smtp_search_info.length; 
@@ -1631,7 +1842,19 @@ } } } - + + if ( smtp_ssn->state_flags & SMTP_FLAG_EMAIL_ATTACH ) + { + attach_end = data_end_marker; + if( attach_start < attach_end ) + { + if(EmailDecode( attach_start, attach_end, smtp_ssn->decode_state) != DECODE_SUCCESS ) + { + SMTP_DecodeAlert(); + } + } + } + return data_end_marker; } @@ -1675,7 +1898,7 @@ } } -#ifdef DEBUG +#ifdef DEBUG_MSGS if (smtp_normalizing) { DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Normalized payload\n%s\n", SMTP_PrintBuffer(p));); @@ -1684,8 +1907,8 @@ } -/* very simplistic - just enough to say this is binary data - the rules will make a final - * judgement. Should maybe add an option to the smtp configuration to enable the +/* very simplistic - just enough to say this is binary data - the rules will make a final + * judgement. Should maybe add an option to the smtp configuration to enable the * continuing of command inspection like ftptelnet. */ static int SMTP_IsTlsClientHello(const uint8_t *ptr, const uint8_t *end) { @@ -1746,9 +1969,9 @@ const uint8_t *end; const uint8_t *eolm; const uint8_t *eol; - int do_flush = 0; + int do_flush = 0; int resp_line_len; -#ifdef DEBUG +#ifdef DEBUG_MSGS const uint8_t *dash; #endif @@ -1767,21 +1990,19 @@ smtp_ssn->state = STATE_COMMAND; } } - + if (smtp_ssn->state == STATE_TLS_DATA) { /* Ignore data */ if (smtp_eval_config->ignore_tls_data) { DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Ignoring Server TLS encrypted data\n");); - - p->normalized_payload_size = 0; - p->flags |= FLAG_ALT_DECODE; + _dpd.SetAltDecode(0); } return 0; } - + while (ptr < end) { SMTP_GetEOL(ptr, end, &eol, &eolm); @@ -1793,7 +2014,7 @@ resp_found = _dpd.searchAPI->search_instance_find (smtp_resp_search_mpse, (const char *)ptr, resp_line_len, 1, SMTP_SearchStrFound); - + if (resp_found > 0) { switch (smtp_search_info.id) 
@@ -1818,13 +2039,13 @@ break; } -#ifdef DEBUG +#ifdef DEBUG_MSGS dash = ptr + smtp_search_info.index + smtp_search_info.length; /* only add response if not a dash after response code */ if ((dash == eolm) || ((dash < eolm) && (*dash != '-'))) { - DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Server sent %s response\n", + DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Server sent %s response\n", smtp_resps[smtp_search_info.id].name);); } #endif @@ -1844,9 +2065,7 @@ if (smtp_eval_config->ignore_tls_data) { DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Ignoring Server TLS encrypted data\n");); - - p->normalized_payload_size = 0; - p->flags |= FLAG_ALT_DECODE; + _dpd.SetAltDecode(0); } return 0; @@ -1863,7 +2082,7 @@ SMTP_GenerateAlert(SMTP_RESPONSE_OVERFLOW, "%s: %d chars", SMTP_RESPONSE_OVERFLOW_STR, resp_line_len); } - + ptr = eol; } @@ -1902,7 +2121,7 @@ { DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "SMTP: Target-based: No stream session.\n");); - if ((SMTP_IsServer(p->src_port) && (p->flags & FLAG_FROM_SERVER)) || + if ((SMTP_IsServer(p->src_port) && (p->flags & FLAG_FROM_SERVER)) || (SMTP_IsServer(p->dst_port) && (p->flags & FLAG_FROM_CLIENT))) { DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "SMTP: Target-based: Configured for this " @@ -1930,7 +2149,7 @@ DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "SMTP: Target-based: Unknown protocol for " "this session. See if we're configured.\n");); - if ((SMTP_IsServer(p->src_port) && (p->flags & FLAG_FROM_SERVER)) || + if ((SMTP_IsServer(p->src_port) && (p->flags & FLAG_FROM_SERVER)) || (SMTP_IsServer(p->dst_port) && (p->flags & FLAG_FROM_CLIENT))) { DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "SMTP: Target-based: SMTP port is configured.");); @@ -1943,7 +2162,7 @@ #else /* Make sure it's traffic we're interested in */ - if ((SMTP_IsServer(p->src_port) && (p->flags & FLAG_FROM_SERVER)) || + if ((SMTP_IsServer(p->src_port) && (p->flags & FLAG_FROM_SERVER)) || (SMTP_IsServer(p->dst_port) && (p->flags & FLAG_FROM_CLIENT))) return 1; 
@@ -1967,11 +2186,12 @@ PROFILE_VARS; - smtp_eval_config = (SMTPConfig *)sfPolicyUserDataGetCurrent(smtp_config); smtp_ssn = (SMTP *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_SMTP); if (smtp_ssn != NULL) smtp_eval_config = (SMTPConfig *)sfPolicyUserDataGet(smtp_ssn->config, smtp_ssn->policy_id); + else + smtp_eval_config = (SMTPConfig *)sfPolicyUserDataGetCurrent(smtp_config); if (smtp_eval_config == NULL) return; @@ -1990,8 +2210,8 @@ /* reset normalization stuff */ smtp_normalizing = 0; + _dpd.DetectFlag_Disable(SF_FLAG_ALT_DECODE); p->normalized_payload_size = 0; - p->flags &= ~FLAG_ALT_DECODE; if (pkt_dir == SMTP_PKT_FROM_SERVER) { @@ -2010,7 +2230,7 @@ } else { -#ifdef DEBUG +#ifdef DEBUG_MSGS if (pkt_dir == SMTP_PKT_FROM_CLIENT) { DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "SMTP client packet\n");); @@ -2044,8 +2264,7 @@ /* if we're ignoring tls data, set a zero length alt buffer */ if (smtp_eval_config->ignore_tls_data) { - p->normalized_payload_size = 0; - p->flags |= FLAG_ALT_DECODE; + _dpd.SetAltDecode(0); } } else @@ -2058,11 +2277,11 @@ } else if (smtp_ssn->reassembling && !(p->flags & FLAG_REBUILT_STREAM)) { - /* If this isn't a reassembled packet and didn't get + /* If this isn't a reassembled packet and didn't get * inserted into reassembly buffer, there could be a * problem. If we miss syn or syn-ack that had window * scaling this packet might not have gotten inserted - * into reassembly buffer because it fell outside of + * into reassembly buffer because it fell outside of * window, because we aren't scaling it */ smtp_ssn->session_flags |= SMTP_FLAG_GOT_NON_REBUILT; smtp_ssn->state = STATE_UNKNOWN; @@ -2080,7 +2299,7 @@ smtp_ssn->session_flags &= ~SMTP_FLAG_GOT_NON_REBUILT; } -#ifdef DEBUG +#ifdef DEBUG_MSGS /* Interesting to see how often packets are rebuilt */ DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Payload: %s\n%s\n", (p->flags & FLAG_REBUILT_STREAM) ? 
@@ -2094,6 +2313,7 @@ PREPROC_PROFILE_START(smtpDetectPerfStats); + SMTP_LogFuncs(smtp_eval_config, p); detected = _dpd.detect(p); #ifdef PERF_PROFILING @@ -2104,7 +2324,7 @@ /* Turn off detection since we've already done it. */ SMTP_DisableDetect(p); - + if (detected) { DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "SMTP vulnerability detected\n");); 
@@ -2118,6 +2338,74 @@ _dpd.setPreprocBit(p, PP_SFPORTSCAN); _dpd.setPreprocBit(p, PP_PERFMONITOR); _dpd.setPreprocBit(p, PP_STREAM5); + _dpd.setPreprocBit(p, PP_SDF); +} + + +static inline SMTP *SMTP_GetSession(void *data) +{ + if(data) + return (SMTP *)_dpd.streamAPI->get_application_data(data, PP_SMTP); + + return NULL; +} + +/* Callback to return the MIME attachment filenames accumulated */ +int SMTP_GetFilename(void *data, uint8_t **buf, uint32_t *len, uint32_t *type) +{ + SMTP *ssn = SMTP_GetSession(data); + + if(ssn == NULL) + return 0; + + *buf = ssn->log_state->filenames; + *len = ssn->log_state->file_logged; + *type = EVENT_INFO_SMTP_FILENAME; + return 1; +} + +/* Callback to return the email addresses accumulated from the MAIL FROM command */ +int SMTP_GetMailFrom(void *data, uint8_t **buf, uint32_t *len, uint32_t *type) +{ + SMTP *ssn = SMTP_GetSession(data); + + if(ssn == NULL) + return 0; + + *buf = ssn->log_state->senders; + *len = ssn->log_state->snds_logged; + *type = EVENT_INFO_SMTP_MAILFROM; + return 1; +} + +/* Callback to return the email addresses accumulated from the RCP TO command */ +int SMTP_GetRcptTo(void *data, uint8_t **buf, uint32_t *len, uint32_t *type) +{ + SMTP *ssn = SMTP_GetSession(data); + + if(ssn == NULL) + return 0; + + *buf = ssn->log_state->recipients; + *len = ssn->log_state->rcpts_logged; + *type = EVENT_INFO_SMTP_RCPTTO; + return 1; } +/* Calback to return the email headers */ +int SMTP_GetEmailHdrs(void *data, uint8_t **buf, uint32_t *len, uint32_t *type) +{ + SMTP *ssn = SMTP_GetSession(data); + + if(ssn == NULL) + return 0; + + *buf = ssn->log_state->emailHdrs; + *len = ssn->log_state->hdrs_logged; + *type = EVENT_INFO_SMTP_EMAIL_HDRS; + return 1; +} + + + diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/smtp/snort_smtp.h snort-2.9.2/src/dynamic-preprocessors/smtp/snort_smtp.h --- snort-2.8.5.2/src/dynamic-preprocessors/smtp/snort_smtp.h 2009-05-06 22:29:07.000000000 +0000 +++ 
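Review bot: `SMTP_GetFilename`, `SMTP_GetMailFrom`, `SMTP_GetRcptTo` and `SMTP_GetEmailHdrs` guard only `ssn == NULL` before reading `ssn->log_state->...`, but `log_state` is itself a pointer in the `SMTP` struct (see the snort_smtp.h hunk), so a session whose log state was never allocated — plausibly one created under a policy with no log_* option — would be dereferenced through NULL from the xtra-data callback. Extend the guard in each of the four: `if ((ssn == NULL) || (ssn->log_state == NULL)) return 0;`. `SMTP_GetSession` casts `data` blindly; a one-line comment noting that it is the Stream5 session pointer handed to `get_application_data` would help, and the header comment `/* Calback to return the email headers */` has a typo.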
snort-2.9.2/src/dynamic-preprocessors/smtp/snort_smtp.h 2011-10-26 18:28:52.000000000 +0000 @@ -1,6 +1,6 @@ /**************************************************************************** - * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -45,6 +45,8 @@ #include "smtp_config.h" #include "sfPolicy.h" #include "sfPolicyUserData.h" +#include "mempool.h" +#include "sf_email_attach_decode.h" #ifdef DEBUG #include "sf_types.h" @@ -95,6 +97,17 @@ #define SMTP_FLAG_IN_CONTENT_TYPE 0x00000008 #define SMTP_FLAG_GOT_BOUNDARY 0x00000010 #define SMTP_FLAG_DATA_HEADER_CONT 0x00000020 +#define SMTP_FLAG_IN_CONT_TRANS_ENC 0x00000040 +#define SMTP_FLAG_EMAIL_ATTACH 0x00000080 +#define SMTP_FLAG_MULTIPLE_EMAIL_ATTACH 0x00000100 +#define SMTP_FLAG_IN_CONT_DISP 0x00000200 +#define SMTP_FLAG_IN_CONT_DISP_CONT 0x00000400 + +/* log flags */ +#define SMTP_FLAG_MAIL_FROM_PRESENT 0x00000001 +#define SMTP_FLAG_RCPT_TO_PRESENT 0x00000002 +#define SMTP_FLAG_FILENAME_PRESENT 0x00000004 +#define SMTP_FLAG_EMAIL_HDRS_PRESENT 0x00000008 /* session flags */ #define SMTP_FLAG_XLINK2STATE_GOTFIRSTCHUNK 0x00000001 @@ -197,6 +210,8 @@ typedef enum _SMTPHdrEnum { HDR_CONTENT_TYPE = 0, + HDR_CONT_TRANS_ENC, + HDR_CONT_DISP, HDR_LAST } SMTPHdrEnum; @@ -234,15 +249,30 @@ } SMTPPcre; +typedef struct s_SMTP_LogState +{ + MemBucket *log_hdrs_bkt; + unsigned char *emailHdrs; + uint32_t log_depth; + uint32_t hdrs_logged; + uint8_t *recipients; + uint16_t rcpts_logged; + uint8_t *senders; + uint16_t snds_logged; + uint8_t *filenames; + uint16_t file_logged; +} SMTP_LogState; + typedef struct _SMTP { int state; int data_state; int state_flags; + int log_flags; int session_flags; int alert_mask; int reassembling; -#ifdef DEBUG +#ifdef DEBUG_MSGS uint64_t session_number; #endif 
@@ -251,7 +281,10 @@ int cur_server_line_len; */ + MemBucket *decode_bkt; SMTPMimeBoundary mime_boundary; + Email_DecodeState *decode_state; + SMTP_LogState *log_state; /* In future if we look at forwarded mail (message/rfc822) we may * need to keep track of additional mime boundaries @@ -277,6 +310,10 @@ int SMTP_IsServer(uint16_t); void SMTP_FreeConfig(SMTPConfig *); void SMTP_FreeConfigs(tSfPolicyUserContextId); +int SMTP_GetFilename(void *data, uint8_t **buf, uint32_t *len, uint32_t *type); +int SMTP_GetMailFrom(void *data, uint8_t **buf, uint32_t *len, uint32_t *type); +int SMTP_GetRcptTo(void *data, uint8_t **buf, uint32_t *len, uint32_t *type); +int SMTP_GetEmailHdrs(void *data, uint8_t **buf, uint32_t *len, uint32_t *type); /**************************************************************************/ diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/smtp/spp_smtp.c snort-2.9.2/src/dynamic-preprocessors/smtp/spp_smtp.c --- snort-2.8.5.2/src/dynamic-preprocessors/smtp/spp_smtp.c 2009-10-02 20:29:58.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/spp_smtp.c 2011-10-26 18:28:52.000000000 +0000 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /************************************************************************** * * spp_smtp.c @@ -43,7 +43,13 @@ #include #include +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "spp_smtp.h" +#include "sf_preproc_info.h" #include "snort_smtp.h" #include "smtp_config.h" #include "smtp_log.h" 
@@ -51,7 +57,7 @@ #include "preprocids.h" #include "sf_snort_packet.h" #include "sf_dynamic_preprocessor.h" -#include "debug.h" +#include "snort_debug.h" #include "sfPolicy.h" #include "sfPolicyUserData.h" @@ -63,21 +69,36 @@ #endif #include "sf_types.h" +#include "mempool.h" +#include "snort_bounds.h" + +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 1; +const int BUILD_VERSION = 9; +#ifdef SUP_IP6 +const char *PREPROC_NAME = "SF_SMTP (IPV6)"; +#else +const char *PREPROC_NAME = "SF_SMTP"; +#endif + +#define SetupSMTP DYNAMIC_PREPROC_SETUP + +MemPool *smtp_mime_mempool = NULL; +MemPool *smtp_mempool = NULL; tSfPolicyUserContextId smtp_config = NULL; SMTPConfig *smtp_eval_config = NULL; -extern DynamicPreprocessorData _dpd; extern SMTP smtp_no_session; extern int16_t smtp_proto_id; static void SMTPInit(char *); static void SMTPDetect(void *, void *context); static void SMTPCleanExitFunction(int, void *); -static void SMTPRestartFunction(int, void *); static void SMTPResetFunction(int, void *); static void SMTPResetStatsFunction(int, void *); static void _addPortsToStream5Filter(SMTPConfig *, tSfPolicyId); +static void SMTP_RegXtraDataFuncs(SMTPConfig *config); #ifdef TARGET_BASED static void _addServicesToStream5Filter(tSfPolicyId); #endif @@ -95,7 +116,7 @@ /* * Function: SetupSMTP() * - * Purpose: Registers the preprocessor keyword and initialization + * Purpose: Registers the preprocessor keyword and initialization * function into the preprocessor list. This is the function that * gets called from InitPreprocessors() in plugbase.c. * 
@@ -152,9 +173,8 @@ memset(&smtp_no_session, 0, sizeof(SMTP)); /* Put the preprocessor function into the function list */ - _dpd.addPreproc(SMTPDetect, PRIORITY_APPLICATION, PP_SMTP, PROTO_BIT__TCP); + /* _dpd.addPreproc(SMTPDetect, PRIORITY_APPLICATION, PP_SMTP, PROTO_BIT__TCP);*/ _dpd.addPreprocExit(SMTPCleanExitFunction, NULL, PRIORITY_LAST, PP_SMTP); - _dpd.addPreprocRestart(SMTPRestartFunction, NULL, PRIORITY_LAST, PP_SMTP); _dpd.addPreprocReset(SMTPResetFunction, NULL, PRIORITY_LAST, PP_SMTP); _dpd.addPreprocResetStats(SMTPResetStatsFunction, NULL, PRIORITY_LAST, PP_SMTP); _dpd.addPreprocConfCheck(SMTPCheckConfig); @@ -169,7 +189,7 @@ #endif #ifdef PERF_PROFILING - _dpd.addPreprocProfileFunc("smtp", (void*)&smtpPerfStats, 0, _dpd.totalPerfStats); + _dpd.addPreprocProfileFunc("smtp", (void*)&smtpPerfStats, 0, _dpd.totalPerfStats); #endif } @@ -180,24 +200,33 @@ DynamicPreprocessorFatalMessage("Can only configure SMTP preprocessor once.\n"); } - if (_dpd.streamAPI == NULL) - { - DynamicPreprocessorFatalMessage("Streaming & reassembly must be enabled " - "for SMTP preprocessor\n"); - } - pPolicyConfig = (SMTPConfig *)calloc(1, sizeof(SMTPConfig)); if (pPolicyConfig == NULL) { DynamicPreprocessorFatalMessage("Not enough memory to create SMTP " "configuration.\n"); } - + sfPolicyUserDataSetCurrent(smtp_config, pPolicyConfig); + SMTP_RegXtraDataFuncs(pPolicyConfig); SMTP_InitCmds(pPolicyConfig); SMTP_ParseArgs(pPolicyConfig, args); + SMTP_CheckConfig(pPolicyConfig, smtp_config); + SMTP_PrintConfig(pPolicyConfig); + + if(pPolicyConfig->disabled) + return; + + _dpd.addPreproc(SMTPDetect, PRIORITY_APPLICATION, PP_SMTP, PROTO_BIT__TCP); + + if (_dpd.streamAPI == NULL) + { + DynamicPreprocessorFatalMessage("Streaming & reassembly must be enabled " + "for SMTP preprocessor\n"); + } + /* Command search - do this here because it's based on configuration */ pPolicyConfig->cmd_search_mpse = _dpd.searchAPI->search_instance_new(); if (pPolicyConfig->cmd_search_mpse == NULL) 
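Review bot: In the SMTPInit hunk (@@ -180) `SMTP_RegXtraDataFuncs(pPolicyConfig)` runs before `SMTP_ParseArgs` and before the `if(pPolicyConfig->disabled) return;` early exit, so a policy that ends up disabled still registers four xtra-data callbacks with Stream5; moving the call after the disabled check avoids holding callback registrations for policies that never inspect traffic, if that registry is bounded. `_dpd.addPreproc(...)` is now also registered before the `_dpd.streamAPI == NULL` check; harmless because that check is fatal, but placing the check first means no registration happens on a misconfigured build. The same ordering appears in the SNORT_RELOAD init hunk (@@ -406). The enclosing SMTPInit starts before this hunk.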
@@ -210,7 +239,7 @@ { pPolicyConfig->cmd_search[tmp->search_id].name = tmp->name; pPolicyConfig->cmd_search[tmp->search_id].name_len = tmp->name_len; - + _dpd.searchAPI->search_instance_add(pPolicyConfig->cmd_search_mpse, tmp->name, tmp->name_len, tmp->search_id); } @@ -232,7 +261,7 @@ * as you like. Try not to destroy the performance of the whole * system by trying to do too much.... * - * Arguments: p => pointer to the current packet data struct + * Arguments: p => pointer to the current packet data struct * * Returns: void function * @@ -270,7 +299,7 @@ } -/* +/* * Function: SMTPCleanExitFunction(int, void *) * * Purpose: This function gets called when Snort is exiting, if there's @@ -278,37 +307,29 @@ * it should be done here. * * Arguments: signal => the code of the signal that was issued to Snort - * data => any arguments or data structs linked to this + * data => any arguments or data structs linked to this * function when it was registered, may be * needed to properly exit - * + * * Returns: void function - */ + */ static void SMTPCleanExitFunction(int signal, void *data) -{ +{ SMTP_Free(); -} - + if (mempool_destroy(smtp_mime_mempool) == 0) + { + free(smtp_mime_mempool); + smtp_mime_mempool = NULL; + } + if (mempool_destroy(smtp_mempool) == 0) + { + free(smtp_mempool); + smtp_mempool = NULL; + } -/* - * Function: SMTPRestartFunction(int, void *) - * - * Purpose: This function gets called when Snort is restarting on a SIGHUP, - * if there's any initialization or cleanup that needs to happen - * it should be done here. - * - * Arguments: signal => the code of the signal that was issued to Snort - * data => any arguments or data structs linked to this - * functioin when it was registered, may be - * needed to properly exit - * - * Returns: void function - */ -static void SMTPRestartFunction(int signal, void *foo) -{ - return; } + static void SMTPResetFunction(int signal, void *data) { return; 
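Review bot: In SMTPCleanExitFunction (@@ -278) `mempool_destroy(smtp_mime_mempool)` and `mempool_destroy(smtp_mempool)` are called unconditionally, yet both pointers stay NULL when SMTPCheckConfig finds decoding or extra-data logging enabled in no policy; unless mempool_destroy tolerates a NULL pool, the exit path dereferences it. Guard each call, e.g. `if ((smtp_mime_mempool != NULL) && (mempool_destroy(smtp_mime_mempool) == 0))`. When destroy returns non-zero the pool struct is also leaked silently; an `_dpd.errMsg` there would make that visible at shutdown.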
@@ -344,14 +365,55 @@ } #endif +static int SMTPEnableDecoding(tSfPolicyUserContextId config, + tSfPolicyId policyId, void *pData) +{ + SMTPConfig *context = (SMTPConfig *)pData; + + if (pData == NULL) + return 0; + + if(context->disabled) + return 0; + + if(!SMTP_IsDecodingEnabled(context)) + return 1; + + return 0; +} +static int SMTPLogExtraData(tSfPolicyUserContextId config, + tSfPolicyId policyId, void *pData) +{ + SMTPConfig *context = (SMTPConfig *)pData; + + if (pData == NULL) + return 0; + + if(context->disabled) + return 0; + + if(context->log_email_hdrs || context->log_filename || + context->log_mailfrom || context->log_rcptto) + return 1; + + return 0; +} + static int SMTPCheckPolicyConfig( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { + SMTPConfig *context = (SMTPConfig *)pData; + _dpd.setParserPolicy(policyId); + /* In a multiple-policy setting, the SMTP preproc can be turned on in a + "disabled" state. In this case, we don't require Stream5. */ + if (context->disabled) + return 0; + if (!_dpd.isPreprocEnabled(PP_STREAM5)) { DynamicPreprocessorFatalMessage("Streaming & reassembly must be enabled " 
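Review bot: `SMTPCheckPolicyConfig` now dereferences `context->disabled` without checking `pData`, while the two new iterators beside it, `SMTPEnableDecoding` and `SMTPLogExtraData`, both return 0 on `pData == NULL`; all three are run through the same `sfPolicyUserDataIterate` and should agree. Add `if (context == NULL) return 0;` before the `disabled` test. The rest of SMTPCheckPolicyConfig falls outside this hunk.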
@@ -360,9 +422,100 @@ return 0; } + +static void SMTP_RegXtraDataFuncs(SMTPConfig *config) +{ + if ((_dpd.streamAPI == NULL) || !config) + return; + config->xtra_filename_id = _dpd.streamAPI->reg_xtra_data_cb(SMTP_GetFilename); + config->xtra_mfrom_id = _dpd.streamAPI->reg_xtra_data_cb(SMTP_GetMailFrom); + config->xtra_rcptto_id = _dpd.streamAPI->reg_xtra_data_cb(SMTP_GetRcptTo); + config->xtra_ehdrs_id = _dpd.streamAPI->reg_xtra_data_cb(SMTP_GetEmailHdrs); + +} + static void SMTPCheckConfig(void) { sfPolicyUserDataIterate (smtp_config, SMTPCheckPolicyConfig); + { + SMTPConfig *defaultConfig = + (SMTPConfig *)sfPolicyUserDataGetDefault(smtp_config); + + if (sfPolicyUserDataIterate(smtp_config, SMTPEnableDecoding) != 0) + { + int encode_depth; + int max_sessions; + + if (defaultConfig == NULL) + { + /*error message */ + DynamicPreprocessorFatalMessage("SMTP: Must configure a default " + "configuration if you want to enable smtp decoding.\n"); + } + + encode_depth = defaultConfig->max_depth; + + if (encode_depth & 7) + { + encode_depth += (8 - (encode_depth & 7)); + } + + max_sessions = defaultConfig->max_mime_mem / (2 * encode_depth ); + + smtp_mime_mempool = (MemPool *)calloc(1, sizeof(MemPool)); + + if (mempool_init(smtp_mime_mempool, max_sessions, + (2 * encode_depth )) != 0) + { + DynamicPreprocessorFatalMessage("SMTP: Could not allocate SMTP mime mempool.\n"); + } + + } + + if (sfPolicyUserDataIterate(smtp_config, SMTPLogExtraData) != 0) + { + uint32_t log_depth, max_bkt_size; + uint32_t max_sessions_logged; + + if (defaultConfig == NULL) + { + /*error message */ + DynamicPreprocessorFatalMessage("SMTP: Must configure a default " + "configuration if you want to log email headers.\n"); + } + + log_depth = defaultConfig->email_hdrs_log_depth; + + /* Rounding the log depth to a multiple of 8 since + * multiple sessions use the same mempool + */ + + if (log_depth & 7) + { + log_depth += (8 - (log_depth & 7)); + defaultConfig->email_hdrs_log_depth = log_depth; + } + 
+ max_bkt_size = ( (2 * MAX_EMAIL) + MAX_FILE + defaultConfig->email_hdrs_log_depth); + max_sessions_logged = defaultConfig->memcap / max_bkt_size; + + + smtp_mempool = calloc(1, sizeof(*smtp_mempool)); + + if (mempool_init(smtp_mempool, max_sessions_logged, max_bkt_size) != 0) + { + if(!max_sessions_logged) + { + DynamicPreprocessorFatalMessage("SMTP: Could not allocate SMTP mempool.\n"); + } + else + { + DynamicPreprocessorFatalMessage("SMTP: Error setting the \"memcap\" \n"); + } + } + } + } + } #ifdef SNORT_RELOAD @@ -385,12 +538,6 @@ _dpd.addPreprocReloadVerify(SMTPReloadVerify); } - if (_dpd.streamAPI == NULL) - { - DynamicPreprocessorFatalMessage("Streaming & reassembly must be enabled " - "for SMTP preprocessor\n"); - } - sfPolicyUserPolicySet (smtp_swap_config, policy_id); pPolicyConfig = (SMTPConfig *)sfPolicyUserDataGetCurrent(smtp_swap_config); @@ -406,9 +553,22 @@ sfPolicyUserDataSetCurrent(smtp_swap_config, pPolicyConfig); + SMTP_RegXtraDataFuncs(pPolicyConfig); SMTP_InitCmds(pPolicyConfig); SMTP_ParseArgs(pPolicyConfig, args); + SMTP_CheckConfig(pPolicyConfig, smtp_swap_config); + SMTP_PrintConfig(pPolicyConfig); + + if( pPolicyConfig->disabled ) + return; + + if (_dpd.streamAPI == NULL) + { + DynamicPreprocessorFatalMessage("Streaming & reassembly must be enabled " + "for SMTP preprocessor\n"); + } + /* Command search - do this here because it's based on configuration */ pPolicyConfig->cmd_search_mpse = _dpd.searchAPI->search_instance_new(); if (pPolicyConfig->cmd_search_mpse == NULL) @@ -421,7 +581,7 @@ { pPolicyConfig->cmd_search[tmp->search_id].name = tmp->name; pPolicyConfig->cmd_search[tmp->search_id].name_len = tmp->name_len; - + _dpd.searchAPI->search_instance_add(pPolicyConfig->cmd_search_mpse, tmp->name, tmp->name_len, tmp->search_id); } 
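Review bot: In SMTPCheckConfig (@@ -360) `smtp_mime_mempool = (MemPool *)calloc(1, sizeof(MemPool));` and `smtp_mempool = calloc(1, sizeof(*smtp_mempool));` are passed straight to `mempool_init` with no NULL check, so an allocation failure at startup becomes a NULL dereference unless mempool_init guards against it; add `if (smtp_mime_mempool == NULL) DynamicPreprocessorFatalMessage("SMTP: Could not allocate SMTP mime mempool.\n");` (and the same for smtp_mempool) before each init call. `max_sessions = defaultConfig->max_mime_mem / (2 * encode_depth );` divides by zero when `max_depth` is 0, since the round-up-to-8 leaves 0 unchanged; if the argument parser does not already reject a zero depth, that needs a check here. The two allocations also use different `calloc` idioms (cast plus `sizeof(MemPool)` versus `sizeof(*smtp_mempool)`); the second form is the one to keep. This block is duplicated almost verbatim in SMTPReloadVerify (@@ -439) and could be shared through a static helper.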
@@ -439,6 +599,163 @@ static int SMTPReloadVerify(void) { + SMTPConfig *config = NULL; + SMTPConfig *configNext = NULL; + + if (smtp_swap_config == NULL) + return 0; + + if (smtp_config != NULL) + { + config = (SMTPConfig *)sfPolicyUserDataGet(smtp_config, _dpd.getDefaultPolicy()); + } + + configNext = (SMTPConfig *)sfPolicyUserDataGet(smtp_swap_config, _dpd.getDefaultPolicy()); + + if (config == NULL) + { + return 0; + } + + if (smtp_mime_mempool != NULL) + { + if (configNext == NULL) + { + _dpd.errMsg("SMTP reload: Changing the SMTP configuration requires a restart.\n"); + SMTP_FreeConfigs(smtp_swap_config); + smtp_swap_config = NULL; + return -1; + } + if (configNext->max_mime_mem != config->max_mime_mem) + { + _dpd.errMsg("SMTP reload: Changing the max_mime_mem requires a restart.\n"); + SMTP_FreeConfigs(smtp_swap_config); + smtp_swap_config = NULL; + return -1; + } + if(configNext->b64_depth != config->b64_depth) + { + _dpd.errMsg("SMTP reload: Changing the b64_decode_depth requires a restart.\n"); + SMTP_FreeConfigs(smtp_swap_config); + smtp_swap_config = NULL; + return -1; + } + if(configNext->qp_depth != config->qp_depth) + { + _dpd.errMsg("SMTP reload: Changing the qp_decode_depth requires a restart.\n"); + SMTP_FreeConfigs(smtp_swap_config); + smtp_swap_config = NULL; + return -1; + } + if(configNext->bitenc_depth != config->bitenc_depth) + { + _dpd.errMsg("SMTP reload: Changing the bitenc_decode_depth requires a restart.\n"); + SMTP_FreeConfigs(smtp_swap_config); + smtp_swap_config = NULL; + return -1; + } + if(configNext->uu_depth != config->uu_depth) + { + _dpd.errMsg("SMTP reload: Changing the uu_decode_depth requires a restart.\n"); + SMTP_FreeConfigs(smtp_swap_config); + smtp_swap_config = NULL; + return -1; + } + + } + + if (smtp_mempool != NULL) + { + if (configNext == NULL) + { + _dpd.errMsg("SMTP reload: Changing the memcap or email_hdrs_log_depth requires a restart.\n"); + SMTP_FreeConfigs(smtp_swap_config); + smtp_swap_config = NULL; + return 
-1; + } + if (configNext->memcap != config->memcap) + { + _dpd.errMsg("SMTP reload: Changing the memcap requires a restart.\n"); + SMTP_FreeConfigs(smtp_swap_config); + smtp_swap_config = NULL; + return -1; + } + if (configNext->email_hdrs_log_depth & 7) + configNext->email_hdrs_log_depth += (8 - (configNext->email_hdrs_log_depth & 7)); + + if(config->email_hdrs_log_depth != config->email_hdrs_log_depth) + { + _dpd.errMsg("SMTP reload: Changing the email_hdrs_log_depth requires a restart.\n"); + SMTP_FreeConfigs(smtp_swap_config); + smtp_swap_config = NULL; + return -1; + } + } + else if(configNext != NULL) + { + if (sfPolicyUserDataIterate(smtp_swap_config, SMTPEnableDecoding) != 0) + { + int encode_depth; + int max_sessions; + + + encode_depth = configNext->max_depth; + + if (encode_depth & 7) + { + encode_depth += (8 - (encode_depth & 7)); + } + + max_sessions = configNext->max_mime_mem / ( 2 * encode_depth); + + smtp_mime_mempool = (MemPool *)calloc(1, sizeof(MemPool)); + + if (mempool_init(smtp_mime_mempool, max_sessions, + (2 * encode_depth)) != 0) + { + DynamicPreprocessorFatalMessage("SMTP: Could not allocate SMTP mime mempool.\n"); + } + } + + if (sfPolicyUserDataIterate(smtp_config, SMTPLogExtraData) != 0) + { + uint32_t log_depth, max_bkt_size; + uint32_t max_sessions_logged; + + log_depth = configNext->email_hdrs_log_depth; + + + if (log_depth & 7) + { + log_depth += (8 - (log_depth & 7)); + configNext->email_hdrs_log_depth = log_depth; + } + + max_bkt_size = configNext->memcap/((2* MAX_EMAIL) + MAX_FILE + configNext->email_hdrs_log_depth); + max_sessions_logged = configNext->memcap/max_bkt_size; + + smtp_mempool = calloc(1, sizeof(*smtp_mempool)); + + if (mempool_init(smtp_mempool, max_sessions_logged, max_bkt_size) != 0) + { + if(!max_sessions_logged) + { + DynamicPreprocessorFatalMessage("SMTP: Could not allocate SMTP mempool.\n"); + } + else + { + DynamicPreprocessorFatalMessage("SMTP: Error setting the \"memcap\" \n"); + } + } + } + + } + + + if ( 
configNext->disabled ) + return 0; + + if (!_dpd.isPreprocEnabled(PP_STREAM5)) { DynamicPreprocessorFatalMessage("Streaming & reassembly must be enabled " @@ -450,7 +767,7 @@ static int SMTPReloadSwapPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { @@ -461,7 +778,7 @@ sfPolicyUserDataClear (config, policyId); SMTP_FreeConfig(pPolicyConfig); } - + return 0; } diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/smtp/spp_smtp.h snort-2.9.2/src/dynamic-preprocessors/smtp/spp_smtp.h --- snort-2.8.5.2/src/dynamic-preprocessors/smtp/spp_smtp.h 2009-01-26 16:26:20.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/spp_smtp.h 2011-02-09 23:23:25.000000000 +0000 @@ -17,7 +17,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2009 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Andy Mullican * diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ssh/Makefile.am snort-2.9.2/src/dynamic-preprocessors/ssh/Makefile.am --- snort-2.8.5.2/src/dynamic-preprocessors/ssh/Makefile.am 2009-05-06 22:29:08.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ssh/Makefile.am 2011-07-13 22:44:51.000000000 +0000 
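Review bot: In SMTPReloadVerify (@@ -439) `if(config->email_hdrs_log_depth != config->email_hdrs_log_depth)` compares the old config with itself and can never be true, so a changed email_hdrs_log_depth is never rejected on reload; it should read `if(configNext->email_hdrs_log_depth != config->email_hdrs_log_depth)`. In the `else if(configNext != NULL)` branch the bucket arithmetic is inverted relative to SMTPCheckConfig (`max_bkt_size` is computed as memcap divided by the per-session size, then `max_sessions_logged = configNext->memcap/max_bkt_size`), and the iterate call passes `smtp_config` rather than `smtp_swap_config`, so the logging decision is made on the old policy set. `configNext->disabled` is read at the end although `configNext` may be NULL when neither mempool exists, and every error path repeats the `SMTP_FreeConfigs(smtp_swap_config); smtp_swap_config = NULL; return -1;` triple by hand; a `goto` to one cleanup label would cut the repetition. The function's trailing lines continue past this hunk.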
@@ -1,39 +1,28 @@ ## $Id AUTOMAKE_OPTIONS=foreign no-dependencies -INCLUDES = -I../include +INCLUDES = -I../include -I${srcdir}/../libs libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor lib_LTLIBRARIES = libsf_ssh_preproc.la -libsf_ssh_preproc_la_LDFLAGS = -module - -BUILT_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c - +libsf_ssh_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +if SO_WITH_STATIC_LIB +libsf_ssh_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +else nodist_libsf_ssh_preproc_la_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c +../include/sf_dynamic_preproc_lib.c \ +../include/sfPolicyUserData.c +endif libsf_ssh_preproc_la_SOURCES = \ spp_ssh.c \ -spp_ssh.h \ -sf_preproc_info.h +spp_ssh.h EXTRA_DIST = \ sf_ssh.dsp -sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c - cp $? $@ - -sfPolicyUserData.c: ../include/sfPolicyUserData.c - cp $? $@ - -all-local: +all-local: $(LTLIBRARIES) $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES -clean-local: - rm -f sf_dynamic_preproc_lib.c - rm -f sfPolicyUserData.c diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ssh/Makefile.in snort-2.9.2/src/dynamic-preprocessors/ssh/Makefile.in --- snort-2.8.5.2/src/dynamic-preprocessors/ssh/Makefile.in 2009-10-19 21:18:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ssh/Makefile.in 2011-12-07 19:23:20.000000000 +0000 @@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. 
@@ -16,8 +17,9 @@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c 
@@ -42,25 +44,42 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; -am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(libdir)" -libLTLIBRARIES_INSTALL = $(INSTALL) LTLIBRARIES = $(lib_LTLIBRARIES) -libsf_ssh_preproc_la_LIBADD = +@SO_WITH_STATIC_LIB_TRUE@libsf_ssh_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la am_libsf_ssh_preproc_la_OBJECTS = spp_ssh.lo -nodist_libsf_ssh_preproc_la_OBJECTS = sf_dynamic_preproc_lib.lo \ - sfPolicyUserData.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_ssh_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo libsf_ssh_preproc_la_OBJECTS = $(am_libsf_ssh_preproc_la_OBJECTS) \ $(nodist_libsf_ssh_preproc_la_OBJECTS) libsf_ssh_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(libsf_ssh_preproc_la_LDFLAGS) 
$(LDFLAGS) -o $@ -DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = am__depfiles_maybe = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ @@ -87,31 +106,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ -INCLUDES = -I../include +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ @@ -124,12 +143,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -137,20 +162,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -182,6 +214,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ 
@@ -194,29 +227,25 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies lib_LTLIBRARIES = libsf_ssh_preproc.la -libsf_ssh_preproc_la_LDFLAGS = -module -BUILT_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c - -nodist_libsf_ssh_preproc_la_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c +libsf_ssh_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +@SO_WITH_STATIC_LIB_TRUE@libsf_ssh_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_ssh_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c libsf_ssh_preproc_la_SOURCES = \ spp_ssh.c \ -spp_ssh.h \ -sf_preproc_info.h +spp_ssh.h EXTRA_DIST = \ sf_ssh.dsp -all: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) all-am +all: all-am .SUFFIXES: .SUFFIXES: .c .lo .o .obj @@ -224,14 +253,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/ssh/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/dynamic-preprocessors/ssh/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/ssh/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-preprocessors/ssh/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ 
@@ -249,23 +278,28 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): install-libLTLIBRARIES: $(lib_LTLIBRARIES) @$(NORMAL_INSTALL) test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ if test -f $$p; then \ - f=$(am__strip_dir) \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \ + list2="$$list2 $$p"; \ else :; fi; \ - done + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } uninstall-libLTLIBRARIES: @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p=$(am__strip_dir) \ - echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \ - $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \ + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ done clean-libLTLIBRARIES: 
@@ -294,6 +328,12 @@ .c.lo: $(LTCOMPILE) -c -o $@ $< +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + mostlyclean-libtool: -rm -f *.lo 
@@ -305,45 +345,49 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i 
$(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags @@ -364,26 +408,28 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am -check: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) check-am +check: check-am all-am: Makefile $(LTLIBRARIES) all-local installdirs: for dir in "$(DESTDIR)$(libdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done -install: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) install-am +install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am @@ -403,14 +449,14 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." - -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) clean: clean-am -clean-am: clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ mostlyclean-am distclean: distclean-am @@ -424,6 +470,8 @@ html: html-am +html-am: + info: info-am info-am: 
@@ -432,18 +480,28 @@ install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-libLTLIBRARIES install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am @@ -468,8 +526,8 @@ .MAKE: install-am install-strip .PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ - clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ - ctags distclean distclean-compile distclean-generic \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ @@ -482,18 +540,9 @@ tags uninstall uninstall-am uninstall-libLTLIBRARIES -sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c - cp $? $@ - -sfPolicyUserData.c: ../include/sfPolicyUserData.c - cp $? $@ - -all-local: +all-local: $(LTLIBRARIES) $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES -clean-local: - rm -f sf_dynamic_preproc_lib.c - rm -f sfPolicyUserData.c # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ssh/sf_preproc_info.h snort-2.9.2/src/dynamic-preprocessors/ssh/sf_preproc_info.h --- snort-2.8.5.2/src/dynamic-preprocessors/ssh/sf_preproc_info.h 2009-08-10 20:41:50.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ssh/sf_preproc_info.h 1970-01-01 00:00:00.000000000 +0000 
@@ -1,34 +0,0 @@
-/* Copyright (C) 2005-2009 Sourcefire, Inc.
-**
-** This program is free software; you can redistribute it and/or modify
-** it under the terms of the GNU General Public License Version 2 as
-** published by the Free Software Foundation. You may not use, modify or
-** distribute this program under any other version of the GNU General
-** Public License.
-**
-** This program is distributed in the hope that it will be useful,
-** but WITHOUT ANY WARRANTY; without even the implied warranty of
-** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-** GNU General Public License for more details.
-**
-** You should have received a copy of the GNU General Public License
-** along with this program; if not, write to the Free Software
-** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-*/
-
-#ifndef SF_PREPROC_INFO_H
-#define SF_PREPROC_INFO_H
-
-#define MAJOR_VERSION 1
-#define MINOR_VERSION 1
-#define BUILD_VERSION 2
-#ifdef SUP_IP6
-#define PREPROC_NAME "SF_SSH (IPV6)"
-#else
-#define PREPROC_NAME "SF_SSH"
-#endif
-
-#define DYNAMIC_PREPROC_SETUP SetupSSH
-extern void SetupSSH(void);
-
-#endif /* SF_PREPROC_INFO_H */
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ssh/sf_ssh.dsp snort-2.9.2/src/dynamic-preprocessors/ssh/sf_ssh.dsp
--- snort-2.8.5.2/src/dynamic-preprocessors/ssh/sf_ssh.dsp 2009-05-06 22:29:09.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/ssh/sf_ssh.dsp 2011-11-21 20:15:24.000000000 +0000
@@ -38,25 +38,25 @@ # PROP BASE Output_Dir "Release" # PROP BASE Intermediate_Dir "Release" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "Release" # PROP Intermediate_Dir "Release" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /c -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /D "NDEBUG" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "SF_SNORT_PREPROC_DLL" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /YX /FD /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SF_SNORT_PREPROC_DLL" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 
!ELSEIF "$(CFG)" == "sf_ssh - Win32 Debug" 
@@ -65,25 +65,25 @@ # PROP BASE Output_Dir "Debug" # PROP BASE Intermediate_Dir "Debug" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "Debug" # PROP Intermediate_Dir "Debug" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /YX /FD /GZ /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo 
/dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept !ELSEIF "$(CFG)" == "sf_ssh - Win32 IPv6 Debug" @@ -93,7 +93,7 @@ # PROP BASE Intermediate_Dir "sf_ssh___Win32_IPv6_Debug" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "IPv6_Debug" # PROP Intermediate_Dir "IPv6_Debug" 
@@ -101,18 +101,18 @@ # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /GZ /c # SUBTRACT BASE CPP /X -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /YX /FD /GZ /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug 
/machine:I386 /pdbtype:sept !ELSEIF "$(CFG)" == "sf_ssh - Win32 IPv6 Release" @@ -122,7 +122,7 @@ # PROP BASE Intermediate_Dir "sf_ssh___Win32_IPv6_Release" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "IPv6_Release" # PROP Intermediate_Dir "IPv6_Release" 
@@ -130,18 +130,18 @@ # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_SMTP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /c # SUBTRACT BASE CPP /X -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /D "NDEBUG" /D "SUP_IP6" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "SF_SNORT_PREPROC_DLL" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /YX /FD /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 !ENDIF diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ssh/spp_ssh.c 
snort-2.9.2/src/dynamic-preprocessors/ssh/spp_ssh.c --- snort-2.8.5.2/src/dynamic-preprocessors/ssh/spp_ssh.c 2009-12-15 23:27:53.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ssh/spp_ssh.c 2011-10-26 18:28:52.000000000 +0000 @@ -1,7 +1,7 @@ /* $Id */ /* -** Copyright (C) 2005-2009 Sourcefire, Inc. +** Copyright (C) 2005-2011 Sourcefire, Inc. ** ** ** This program is free software; you can redistribute it and/or modify @@ -24,27 +24,29 @@ /* * SSH preprocessor * Author: Chris Sherwin - * Contributors: Adam Keeton + * Contributors: Adam Keeton, Ryan Jordan * * * Alert for Gobbles, CRC32, protocol mismatch (Cisco catalyst vulnerability), - * and a SecureCRT vulnerability. Will also alert if the client or server - * traffic appears to flow the wrong direction, or if packets appear + * and a SecureCRT vulnerability. Will also alert if the client or server + * traffic appears to flow the wrong direction, or if packets appear * malformed/spoofed. - * + * */ #ifdef HAVE_CONFIG_H #include "config.h" #endif /* HAVE_CONFIG_H */ +#include "sf_types.h" #include "sf_snort_packet.h" #include "sf_dynamic_preprocessor.h" #include "sf_snort_plugin_api.h" -#include "debug.h" +#include "snort_debug.h" #include "preprocids.h" #include "spp_ssh.h" +#include "sf_preproc_info.h" #include #include @@ -63,6 +65,17 @@ #include "sf_types.h" +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 1; +const int BUILD_VERSION = 3; +#ifdef SUP_IP6 +const char *PREPROC_NAME = "SF_SSH (IPV6)"; +#else +const char *PREPROC_NAME = "SF_SSH"; +#endif + +#define SetupSSH DYNAMIC_PREPROC_SETUP + #ifdef TARGET_BASED int16_t ssh_app_id = SFTARGET_UNKNOWN_PROTOCOL; #endif 
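Review bot: The `#include "sf_types.h"` added at the head of the include list duplicates the `#include "sf_types.h"` that the next hunk (`@@ -63,6 +65,17 @@`) shows is still present further down, so the header is now pulled in twice. Include guards make this harmless, but one of the two should go; the new early include is presumably what the headers that follow it need, so the later one is the candidate to drop, after confirming nothing between them relies on its position.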
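Review bot: `const char *PREPROC_NAME = "SF_SSH";` declares a reassignable pointer to constant characters, while the `#define` it replaces was a fixed string; `const char *const PREPROC_NAME = "SF_SSH";` (and likewise for the IPV6 variant) keeps that guarantee without changing the object's size or type of pointee. These version and name objects have external linkage and macro-style UPPER_SNAKE_CASE names, so a later cleanup may well be tempted to make them `static` or rename them; if the preprocessor loader resolves them by symbol name, as replacing macros with objects suggests, a comment such as `/* looked up by name by the preprocessor loader; part of the plugin ABI, do not make static or rename */` above `MAJOR_VERSION` would prevent that. The same note applies to `#define SetupSSH DYNAMIC_PREPROC_SETUP`, which renames the exported entry point.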
@@ -82,8 +95,8 @@ static void FreeSSHData( void* ); static void ParseSSHArgs(SSHConfig *, u_char*); static void ProcessSSH( void*, void* ); -static INLINE int CheckSSHPort( uint16_t ); -static int ProcessSSHProtocolVersionExchange( SSHData*, SFSnortPacket*, +static inline int CheckSSHPort( uint16_t ); +static int ProcessSSHProtocolVersionExchange( SSHData*, SFSnortPacket*, uint8_t, uint8_t ); static int ProcessSSHKeyExchange( SSHData*, SFSnortPacket*, uint8_t ); static int ProcessSSHKeyInitExchange( SSHData*, SFSnortPacket*, uint8_t ); @@ -118,19 +131,17 @@ static void SSHReloadSwapFree(void *); #endif -extern DynamicPreprocessorData _dpd; - /* Called at preprocessor setup time. Links preprocessor keyword * to corresponding preprocessor initialization function. * * PARAMETERS: None. -* +* * RETURNS: Nothing. * */ void SetupSSH(void) { - /* Link preprocessor keyword to initialization function + /* Link preprocessor keyword to initialization function * in the preprocessor list. */ #ifndef SNORT_RELOAD _dpd.registerPreproc( "ssh", SSHInit ); @@ -142,13 +153,13 @@ /* Initializes the SSH preprocessor module and registers * it in the preprocessor list. - * - * PARAMETERS: + * + * PARAMETERS: * * argp: Pointer to argument string to process for config * data. * - * RETURNS: Nothing. + * RETURNS: Nothing. */ static void SSHInit(char *argp) { @@ -199,7 +210,7 @@ DynamicPreprocessorFatalMessage("Could not allocate memory for " "SSH preprocessor configuration.\n"); } - + sfPolicyUserDataSetCurrent(ssh_config, pPolicyConfig); ParseSSHArgs(pPolicyConfig, (u_char *)argp); @@ -248,16 +259,16 @@ return value; } -/* Parses and processes the configuration arguments +/* Parses and processes the configuration arguments * supplied in the SSH preprocessor rule. * - * PARAMETERS: + * PARAMETERS: * * argp: Pointer to string containing the config arguments. - * + * * RETURNS: Nothing. */ -static void +static void ParseSSHArgs(SSHConfig *config, u_char* argp) { char* cur_tokenp = NULL; 
@@ -270,7 +281,7 @@ config->MaxEncryptedPackets = SSH_DEFAULT_MAX_ENC_PKTS; config->MaxClientBytes = SSH_DEFAULT_MAX_CLIENT_BYTES; config->MaxServerVersionLen = SSH_DEFAULT_MAX_SERVER_VERSION_LEN; - + /* Set up default port to listen on */ config->ports[ PORT_INDEX( 22 ) ] |= CONV_PORT(22); @@ -295,10 +306,10 @@ { if ( !strcmp( cur_tokenp, SSH_SERVERPORTS_KEYWORD )) { - /* If the user specified ports, remove '22' for now since + /* If the user specified ports, remove '22' for now since * it now needs to be set explicitely. */ config->ports[ PORT_INDEX( 22 ) ] = 0; - + /* Eat the open brace. */ cur_tokenp = strtok( NULL, " "); if (( !cur_tokenp ) || ( cur_tokenp[0] != '{' )) @@ -321,19 +332,19 @@ else { port = atoi( cur_tokenp ); - if( port < 0 || port > MAX_PORTS ) + if( port < 0 || port > MAX_PORTS ) { DynamicPreprocessorFatalMessage("Port value illegitimate: %s\n", cur_tokenp); //free(argcpyp); //return; } - + config->ports[ PORT_INDEX( port ) ] |= CONV_PORT(port); } cur_tokenp = strtok( NULL, " "); } - + } else if ( !strcmp( cur_tokenp, SSH_AUTODETECT_KEYWORD )) { @@ -371,17 +382,17 @@ { config->EnabledAlerts |= SSH_ALERT_CRC32; } - else if ( + else if ( !strcmp( cur_tokenp, SSH_ENABLE_SECURECRT_KEYWORD )) { config->EnabledAlerts |= SSH_ALERT_SECURECRT; } - else if ( + else if ( !strcmp( cur_tokenp, SSH_ENABLE_PROTOMISMATCH_KEYWORD )) { config->EnabledAlerts |= SSH_ALERT_PROTOMISMATCH; } - else if ( + else if ( !strcmp( cur_tokenp, SSH_ENABLE_WRONGDIR_KEYWORD )) { config->EnabledAlerts |= SSH_ALERT_WRONGDIR; @@ -389,10 +400,10 @@ #if 0 else if ( !strcmp( cur_tokenp, SSH_DISABLE_RULES_KEYWORD )) { - config->DisableRules++; - } + config->DisableRules++; + } #endif - else if( !strcmp( cur_tokenp, SSH_ENABLE_PAYLOAD_SIZE )) + else if( !strcmp( cur_tokenp, SSH_ENABLE_PAYLOAD_SIZE )) { config->EnabledAlerts |= SSH_ALERT_PAYSIZE; } 
@@ -413,8 +424,8 @@ free(argcpyp); } -/* Display the configuration for the SSH preprocessor. - * +/* Display the configuration for the SSH preprocessor. + * * PARAMETERS: None. * * RETURNS: Nothing. @@ -427,10 +438,10 @@ if (config == NULL) return; - + _dpd.logMsg("SSH config: \n"); - _dpd.logMsg(" Autodetection: %s\n", - config->AutodetectEnabled ? + _dpd.logMsg(" Autodetection: %s\n", + config->AutodetectEnabled ? "ENABLED":"DISABLED"); _dpd.logMsg(" Challenge-Response Overflow Alert: %s\n", config->EnabledAlerts & SSH_ALERT_RESPOVERFLOW ? @@ -454,22 +465,22 @@ _dpd.logMsg(" Unrecognized Version Alert: %s\n", config->EnabledAlerts & SSH_ALERT_UNRECOGNIZED ? "ENABLED" : "DISABLED" ); - _dpd.logMsg(" Max Encrypted Packets: %d %s \n", - config->MaxEncryptedPackets, - config->MaxEncryptedPackets + _dpd.logMsg(" Max Encrypted Packets: %d %s \n", + config->MaxEncryptedPackets, + config->MaxEncryptedPackets == SSH_DEFAULT_MAX_ENC_PKTS ? "(Default)" : "" ); - _dpd.logMsg(" Max Server Version String Length: %d %s \n", - config->MaxServerVersionLen, + _dpd.logMsg(" Max Server Version String Length: %d %s \n", + config->MaxServerVersionLen, config->MaxServerVersionLen == SSH_DEFAULT_MAX_SERVER_VERSION_LEN ? "(Default)" : "" ); - if ( config->EnabledAlerts & + if ( config->EnabledAlerts & (SSH_ALERT_RESPOVERFLOW | SSH_ALERT_CRC32)) { - _dpd.logMsg(" MaxClientBytes: %d %s \n", - config->MaxClientBytes, + _dpd.logMsg(" MaxClientBytes: %d %s \n", + config->MaxClientBytes, config->MaxClientBytes == SSH_DEFAULT_MAX_CLIENT_BYTES ? "(Default)" : "" ); @@ -477,8 +488,8 @@ /* Traverse list, printing ports, 5 per line */ newline = 1; - _dpd.logMsg(" Ports:\n"); - for(index = 0; index < MAX_PORTS; index++) + _dpd.logMsg(" Ports:\n"); + for(index = 0; index < MAX_PORTS; index++) { if( config->ports[ PORT_INDEX(index) ] & CONV_PORT(index) ) { 
@@ -492,12 +503,12 @@ _dpd.logMsg("\n"); } -/* Main runtime entry point for SSH preprocessor. - * Analyzes SSH packets for anomalies/exploits. - * +/* Main runtime entry point for SSH preprocessor. + * Analyzes SSH packets for anomalies/exploits. + * * PARAMETERS: * - * packetp: Pointer to current packet to process. + * packetp: Pointer to current packet to process. * contextp: Pointer to context block, not used. * * RETURNS: Nothing. @@ -509,7 +520,7 @@ uint8_t source = 0; uint8_t dest = 0; uint8_t known_port = 0; - uint8_t direction; + uint8_t direction; SFSnortPacket* packetp; #ifdef TARGET_BASED int16_t app_id = SFTARGET_UNKNOWN_PROTOCOL; @@ -530,7 +541,7 @@ ( packetp->flags & FLAG_STREAM_INSERT)) { return; - } + } PREPROC_PROFILE_START(sshPerfStats); @@ -546,7 +557,7 @@ if (sessp == NULL) { - /* If not doing autodetection, check the ports to make sure this is + /* If not doing autodetection, check the ports to make sure this is * running on an SSH port, otherwise no need to examine the traffic. */ #ifdef TARGET_BASED @@ -619,9 +630,15 @@ if ((_dpd.streamAPI->get_session_flags(packetp->stream_session_ptr) & SSNFLAG_MIDSTREAM) || _dpd.streamAPI->missed_packets(packetp->stream_session_ptr, SSN_DIR_BOTH)) { - _dpd.streamAPI->set_reassembly(packetp->stream_session_ptr, - STREAM_FLPOLICY_IGNORE, SSN_DIR_BOTH, - STREAM_FLPOLICY_SET_ABSOLUTE); + /* Don't turn off reassembly if autodetected since another preprocessor + * may actually be looking at this session as well and the SSH + * autodetect of this session may be wrong. */ + if (!(sessp->state_flags & SSH_FLG_AUTODETECTED)) + { + _dpd.streamAPI->set_reassembly(packetp->stream_session_ptr, + STREAM_FLPOLICY_IGNORE, SSN_DIR_BOTH, + STREAM_FLPOLICY_SET_ABSOLUTE); + } sessp->state_flags |= SSH_FLG_MISSED_PACKETS; 
@@ -632,7 +649,7 @@ if ( !(sessp->state_flags & SSH_FLG_REASSEMBLY_SET )) { _dpd.streamAPI->set_reassembly(packetp->stream_session_ptr, - STREAM_FLPOLICY_FOOTPRINT, SSN_DIR_BOTH, 0); + STREAM_FLPOLICY_FOOTPRINT, SSN_DIR_BOTH, STREAM_FLPOLICY_SET_APPEND); sessp->state_flags |= SSH_FLG_REASSEMBLY_SET; } @@ -642,13 +659,13 @@ if ( !(sessp->state_flags & SSH_FLG_SESS_ENCRYPTED )) { - /* If server and client have not performed the protocol + /* If server and client have not performed the protocol * version exchange yet, must look for version strings. */ if ( (sessp->state_flags & SSH_FLG_BOTH_IDSTRING_SEEN) != SSH_FLG_BOTH_IDSTRING_SEEN ) { - if ( ProcessSSHProtocolVersionExchange( sessp, + if ( ProcessSSHProtocolVersionExchange( sessp, packetp, direction, known_port ) == SSH_FAILURE ) { @@ -659,8 +676,8 @@ return; } - /* Expecting to see the key init exchange at this point - * (in SSH2) or the actual key exchange if SSH1 + /* Expecting to see the key init exchange at this point + * (in SSH2) or the actual key exchange if SSH1 */ if ((( sessp->state_flags & SSH_FLG_V1_KEYEXCH_DONE ) != SSH_FLG_V1_KEYEXCH_DONE ) && @@ -668,7 +685,7 @@ != SSH_FLG_V2_KEXINIT_DONE )) { ProcessSSHKeyInitExchange( sessp, packetp, direction ); - + PREPROC_PROFILE_END(sshPerfStats); return; } @@ -681,11 +698,11 @@ } else { - /* Traffic on this session is currently encrypted. + /* Traffic on this session is currently encrypted. * Two of the major SSH exploits, SSH1 CRC-32 and * the Challenge-Response Overflow attack occur within * the encrypted portion of the SSH session. Therefore, - * the only way to detect these attacks is by examining + * the only way to detect these attacks is by examining * amounts of data exchanged for anomalies. */ sessp->num_enc_pkts++; 
@@ -696,20 +713,20 @@ { sessp->num_client_bytes += packetp->payload_size; - if ( sessp->num_client_bytes >= - ssh_eval_config->MaxClientBytes ) + if ( sessp->num_client_bytes >= + ssh_eval_config->MaxClientBytes ) { /* Probable exploit in progress.*/ - if (sessp->version == SSH_VERSION_1) + if (sessp->version == SSH_VERSION_1) { if ( ssh_eval_config->EnabledAlerts & SSH_ALERT_CRC32 ) { ALERT(SSH_EVENT_CRC32, SSH_EVENT_CRC32_STR); - _dpd.streamAPI->stop_inspection( - packetp->stream_session_ptr, - packetp, - SSN_DIR_BOTH, -1, 0 ); + _dpd.streamAPI->stop_inspection( + packetp->stream_session_ptr, + packetp, + SSN_DIR_BOTH, -1, 0 ); } } else @@ -718,18 +735,18 @@ { ALERT(SSH_EVENT_RESPOVERFLOW, SSH_EVENT_RESPOVERFLOW_STR); - _dpd.streamAPI->stop_inspection( - packetp->stream_session_ptr, - packetp, - SSN_DIR_BOTH, -1, 0 ); + _dpd.streamAPI->stop_inspection( + packetp->stream_session_ptr, + packetp, + SSN_DIR_BOTH, -1, 0 ); } } } } else { - /* - * Have seen a server response, so + /* + * Have seen a server response, so * this appears to be a valid exchange. * Reset suspicious byte count to zero. */ @@ -741,24 +758,24 @@ /* Have already examined more than the limit * of encrypted packets. Both the Gobbles and * the CRC32 attacks occur during authentication - * and therefore cannot be used late in an + * and therefore cannot be used late in an * encrypted session. For performance purposes, * stop examining this session. */ - _dpd.streamAPI->stop_inspection( - packetp->stream_session_ptr, - packetp, - SSN_DIR_BOTH, -1, 0 ); - + _dpd.streamAPI->stop_inspection( + packetp->stream_session_ptr, + packetp, + SSN_DIR_BOTH, -1, 0 ); + } } PREPROC_PROFILE_END(sshPerfStats); } -/* Retrieves the SSH data block registered with the stream +/* Retrieves the SSH data block registered with the stream * session associated w/ the current packet. If none exists, - * allocates it and registers it with the stream API. + * allocates it and registers it with the stream API. * * PARAMETERS: * 
@@ -784,8 +801,8 @@ return NULL; /*Register the new SSH data block in the stream session. */ - _dpd.streamAPI->set_application_data( - packetp->stream_session_ptr, + _dpd.streamAPI->set_application_data( + packetp->stream_session_ptr, PP_SSH, datap, FreeSSHData ); datap->policy_id = policy_id; @@ -797,7 +814,7 @@ static int SshFreeConfigPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { @@ -819,11 +836,11 @@ sfPolicyConfigDelete(config); } -/* Registered as a callback with our SSH data blocks when +/* Registered as a callback with our SSH data blocks when * they are added to the underlying stream session. Called * by the stream preprocessor when a session is about to be * destroyed. - * + * * PARAMETERS: * * idatap: Pointer to the moribund data. @@ -844,7 +861,7 @@ config = (SSHConfig *)sfPolicyUserDataGet(ssn->config, ssn->policy_id); } - if (config != NULL) + if (config != NULL) { config->ref_count--; if ((config->ref_count == 0) && @@ -874,7 +891,7 @@ * RETURNS: SSH_TRUE, if the port is indeed an SSH server port. * SSH_FALSE, otherwise. */ -static INLINE int +static inline int CheckSSHPort( uint16_t port ) { if ( ssh_eval_config->ports[ PORT_INDEX(port) ] & CONV_PORT( port ) ) @@ -885,12 +902,12 @@ return SSH_FALSE; } -/* Checks if the string 'str' is 'max' bytes long or longer. +/* Checks if the string 'str' is 'max' bytes long or longer. * Returns 0 if 'str' is less than or equal to 'max' bytes; * returns 1 otherwise. */ -static INLINE int SSHCheckStrlen(char *str, int max) { +static inline int SSHCheckStrlen(char *str, int max) { while(*(str++) && max--) ; if(max > 0) return 0; /* str size is <= max bytes */ 
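Review bot: The header comment on `SSHCheckStrlen` in the `@@ -885,12 +902,12 @@` hunk contradicts the code at the boundary: with `while(*(str++) && max--)` a string of exactly `max` non-NUL bytes leaves `max == 0`, so `if(max > 0) return 0` is not taken and the string is reported as "max bytes long or longer", whereas the comment promises 0 for "less than or equal to 'max' bytes". I would reword it to `/* Returns 0 if 'str' is shorter than 'max' bytes; returns 1 otherwise. Reads at most max+1 bytes of 'str', and always reads one byte even when max <= 0. */` so callers size the buffer they pass accordingly. Since the function never writes through `str`, the parameter could also be `const char *str`. The non-zero return path is outside the hunk, so that part is taken from the comment rather than seen.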
@@ -908,22 +925,22 @@ * packetp: Pointer to the packet to inspect. * direction: Which direction the packet is going. * known_port: A pre-configured or default server port is involved. - * + * * RETURNS: SSH_SUCCESS, if successfully processed a proto exch msg * SSH_FAILURE, otherwise. */ static int -ProcessSSHProtocolVersionExchange( SSHData* sessionp, SFSnortPacket* packetp, +ProcessSSHProtocolVersionExchange( SSHData* sessionp, SFSnortPacket* packetp, uint8_t direction, uint8_t known_port ) { - char* version_stringp = (char*) packetp->payload; + char* version_stringp = (char*) packetp->payload; uint8_t version; /* Get the version. */ - if ( packetp->payload_size >= 6 && + if ( packetp->payload_size >= 6 && !strncasecmp( version_stringp, "SSH-1.", 6)) { - if (( packetp->payload_size > 7 ) && ( version_stringp[6] == '9') + if (( packetp->payload_size > 7 ) && ( version_stringp[6] == '9') && (version_stringp[7] == '9')) { /* SSH 1.99 which is the same as SSH2.0 */ 
@@ -935,22 +952,22 @@ } /* CAN-2002-0159 */ - /* Verify the version string is not greater than - * the configured maximum. + /* Verify the version string is not greater than + * the configured maximum. * We've already verified the first 6 bytes, so we'll start * check from &version_string[6] */ if( (ssh_eval_config->EnabledAlerts & SSH_ALERT_SECURECRT ) && /* First make sure the payload itself is sufficiently large */ (packetp->payload_size > ssh_eval_config->MaxServerVersionLen) && - /* CheckStrlen will check if the version string up to - * MaxServerVersionLen+1 since there's no reason to + /* CheckStrlen will check if the version string up to + * MaxServerVersionLen+1 since there's no reason to * continue checking after that point*/ (SSHCheckStrlen(&version_stringp[6], ssh_eval_config->MaxServerVersionLen-6))) { ALERT(SSH_EVENT_SECURECRT, SSH_EVENT_SECURECRT_STR); } } - else if ( packetp->payload_size >= 6 && + else if ( packetp->payload_size >= 6 && !strncasecmp( version_stringp, "SSH-2.", 6)) { version = SSH_VERSION_2; @@ -958,10 +975,10 @@ else { /* Not SSH on SSH port, CISCO vulnerability */ - if ((direction == SSH_DIR_FROM_CLIENT) && - ( known_port != 0 ) && - !( sessionp->state_flags & SSH_FLG_AUTODETECTED ) && - ( ssh_eval_config->EnabledAlerts & + if ((direction == SSH_DIR_FROM_CLIENT) && + ( known_port != 0 ) && + ( !(sessionp->state_flags & SSH_FLG_AUTODETECTED) ) && + ( ssh_eval_config->EnabledAlerts & SSH_ALERT_PROTOMISMATCH )) { ALERT(SSH_EVENT_PROTOMISMATCH, SSH_EVENT_PROTOMISMATCH_STR); @@ -971,7 +988,7 @@ } /* Saw a valid protocol exchange message. Mark the session - * according to the direction. + * according to the direction. */ switch( direction ) { 
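Review bot: The CAN-2002-0159 check in the `@@ -935,22 +952,22 @@` hunk hands `&version_stringp[6]` and `MaxServerVersionLen-6` to `SSHCheckStrlen`, which reads at least one byte before it looks at its limit, so the byte at offset 6 is inside the payload only if `MaxServerVersionLen` is at least 7; the guards that precede it (`payload_size >= 6` and `payload_size > MaxServerVersionLen`) do not establish that for a configured value of 6 or less. Whether the configuration parser rejects such small values is not visible on this page (the header hunk shows only `MAX_MAX_SERVER_VERSION_LEN 255`), so either that should be confirmed or the condition should gain `(ssh_eval_config->MaxServerVersionLen > 6) &&` ahead of the `SSHCheckStrlen` call. A comment naming the assumed minimum next to the check would make the dependency explicit either way. The enclosing `ProcessSSHProtocolVersionExchange` starts in the previous hunk.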
@@ -985,10 +1002,10 @@ sessionp->version = version; - return SSH_SUCCESS; + return SSH_SUCCESS; } -/* Called to process SSH1 key exchange or SSH2 key exchange init +/* Called to process SSH1 key exchange or SSH2 key exchange init * messages. On failure, inspection will be continued, but the packet * will be alerted on, and ignored. * @@ -997,14 +1014,14 @@ * sessionp: Pointer to SSH data for packet's session. * packetp: Pointer to the packet to inspect. * direction: Which direction the packet is going. - * - * RETURN: SSH_SUCCESS, if a valid key exchange message is processed + * + * RETURN: SSH_SUCCESS, if a valid key exchange message is processed * SSH_FAILURE, otherwise. */ -static int -ProcessSSHKeyInitExchange( SSHData* sessionp, SFSnortPacket* packetp, +static int +ProcessSSHKeyInitExchange( SSHData* sessionp, SFSnortPacket* packetp, uint8_t direction ) -{ +{ SSH2Packet* ssh2packetp = NULL; if ( sessionp->version == SSH_VERSION_1 ) @@ -1013,9 +1030,9 @@ uint8_t padding_length; uint8_t message_type; - /* + /* * Validate packet payload. - * First 4 bytes should have the SSH packet length, + * First 4 bytes should have the SSH packet length, * minus any padding. */ if ( packetp->payload_size < 4 ) @@ -1028,7 +1045,7 @@ return SSH_FAILURE; } - /* + /* * SSH1 key exchange is very simple and * consists of only two messages, a server * key and a client key message.` @@ -1039,7 +1056,7 @@ if ( packetp->payload_size < length ) { if(ssh_eval_config->EnabledAlerts & SSH_ALERT_PAYSIZE) - { + { ALERT(SSH_EVENT_PAYLOAD_SIZE, SSH_PAYLOAD_SIZE_STR); } @@ -1048,7 +1065,7 @@ padding_length = (uint8_t)(8 - (length % 8)); - /* + /* * With the padding calculated, verify payload is sufficiently large * to include the message type. */ 
@@ -1061,19 +1078,19 @@ return SSH_FAILURE; } - - message_type = + + message_type = *( (uint8_t*) (packetp->payload + padding_length + 4)); switch( message_type ) { - case SSH_MSG_V1_SMSG_PUBLIC_KEY: + case SSH_MSG_V1_SMSG_PUBLIC_KEY: if ( direction == SSH_DIR_FROM_SERVER ) { - sessionp->state_flags |= + sessionp->state_flags |= SSH_FLG_SERV_PKEY_SEEN; } - else if ( ssh_eval_config->EnabledAlerts & + else if ( ssh_eval_config->EnabledAlerts & SSH_ALERT_WRONGDIR ) { /* Server msg not from server. */ @@ -1083,13 +1100,13 @@ case SSH_MSG_V1_CMSG_SESSION_KEY: if ( direction == SSH_DIR_FROM_CLIENT ) { - sessionp->state_flags |= + sessionp->state_flags |= SSH_FLG_CLIENT_SKEY_SEEN; } - else if ( ssh_eval_config->EnabledAlerts & + else if ( ssh_eval_config->EnabledAlerts & SSH_ALERT_WRONGDIR ) { - /* Client msg not from client. */ + /* Client msg not from client. */ ALERT(SSH_EVENT_WRONGDIR, SSH_EVENT_WRONGDIR_STR); } break; @@ -1098,7 +1115,7 @@ break; } - /* Once the V1 key exchange is done, remainder of + /* Once the V1 key exchange is done, remainder of * communications are encrypted. */ if ( (sessionp->state_flags & SSH_FLG_V1_KEYEXCH_DONE) == @@ -1111,17 +1128,17 @@ { /* We want to overlay the payload on our data packet struct, * so first verify that the payload size is big enough. - * This may legitimately occur such as in the case of a + * This may legitimately occur such as in the case of a * retransmission. */ if ( packetp->payload_size < sizeof(SSH2Packet) ) { return SSH_FAILURE; } - + /* Overlay the SSH2 binary data packet struct on the packet */ ssh2packetp = (SSH2Packet*) packetp->payload; - if (( packetp->payload_size < SSH2_HEADERLEN + 1) || + if (( packetp->payload_size < SSH2_HEADERLEN + 1) || ( packetp->payload_size < ntohl(ssh2packetp->packet_length) )) { /* Invalid packet length. */ 
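Review bot: In the `@@ -1111,17 +1128,17 @@` hunk the SSH2 path reads `ntohl(ssh2packetp->packet_length)` through an `SSH2Packet*` cast laid over `packetp->payload`, which assumes the payload pointer is aligned for the struct and type-puns the raw bytes; copying the field out instead, e.g. `uint32_t pkt_len; memcpy(&pkt_len, packetp->payload, sizeof pkt_len);` followed by `( packetp->payload_size < ntohl(pkt_len) )`, avoids both concerns (this assumes `packet_length` is the struct's first field, as the SSH2 header layout suggests — the struct body is not on this page). The same overlay and comparison appear in the `@@ -1180,10 +1197,10 @@` hunk of `ProcessSSHKeyExchange`. Note also that in the SSH2 binary packet format the length field does not count its own four bytes, so `payload_size < packet_length` is a loose sanity check rather than a bound on the packet; the only dereference that follows, `payload[SSH2_HEADERLEN]`, is separately guarded by the `SSH2_HEADERLEN + 1` test, and the "Invalid packet length" comment could say so. The enclosing `ProcessSSHKeyInitExchange` begins and ends outside this hunk.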
@@ -1132,7 +1149,7 @@ switch ( packetp->payload[SSH2_HEADERLEN] ) { case SSH_MSG_KEXINIT: - sessionp->state_flags |= + sessionp->state_flags |= (direction == SSH_DIR_FROM_SERVER ? SSH_FLG_SERV_KEXINIT_SEEN : SSH_FLG_CLIENT_KEXINIT_SEEN ); @@ -1152,25 +1169,25 @@ return SSH_FAILURE; } - + return SSH_SUCCESS; } /* Called to process SSH2 key exchange msgs (key exch init msgs already - * processed earlier). On failure, inspection will be continued, but the + * processed earlier). On failure, inspection will be continued, but the * packet will be alerted on, and ignored. - * - * PARAMETERS: + * + * PARAMETERS: * * sessionp: Pointer to SSH data for packet's session. * packetp: Pointer to the packet to inspect. * direction: Which direction the packet is going. - * - * RETURN: SSH_SUCCESS, if a valid key exchange message is processed + * + * RETURN: SSH_SUCCESS, if a valid key exchange message is processed * SSH_FAILURE, otherwise. */ static int -ProcessSSHKeyExchange( SSHData* sessionp, SFSnortPacket* packetp, +ProcessSSHKeyExchange( SSHData* sessionp, SFSnortPacket* packetp, uint8_t direction ) { SSH2Packet* ssh2packetp = NULL; @@ -1180,10 +1197,10 @@ /* Invalid packet length. */ return SSH_FAILURE; } - + ssh2packetp = (SSH2Packet*) packetp->payload; - if (( packetp->payload_size < SSH2_HEADERLEN + 1 ) || + if (( packetp->payload_size < SSH2_HEADERLEN + 1 ) || ( packetp->payload_size < ntohl(ssh2packetp->packet_length) )) { @@ -1201,10 +1218,10 @@ case SSH_MSG_KEXDH_INIT: if ( direction == SSH_DIR_FROM_CLIENT ) { - sessionp->state_flags |= + sessionp->state_flags |= SSH_FLG_KEXDH_INIT_SEEN; } - else if ( ssh_eval_config->EnabledAlerts & + else if ( ssh_eval_config->EnabledAlerts & SSH_ALERT_WRONGDIR ) { /* Client msg from server. */ 
@@ -1217,12 +1234,12 @@ /* KEXDH_REPLY has the same msg * type as the new style GEX_REPLY */ - sessionp->state_flags |= - SSH_FLG_KEXDH_REPLY_SEEN | + sessionp->state_flags |= + SSH_FLG_KEXDH_REPLY_SEEN | SSH_FLG_GEX_REPLY_SEEN; } - else if ( ssh_eval_config->EnabledAlerts & + else if ( ssh_eval_config->EnabledAlerts & SSH_ALERT_WRONGDIR ) { /* Server msg from client. */ @@ -1232,10 +1249,10 @@ case SSH_MSG_KEXDH_GEX_REQ: if ( direction == SSH_DIR_FROM_CLIENT ) { - sessionp->state_flags |= + sessionp->state_flags |= SSH_FLG_GEX_REQ_SEEN; } - else if ( ssh_eval_config->EnabledAlerts & + else if ( ssh_eval_config->EnabledAlerts & SSH_ALERT_WRONGDIR ) { /* Server msg from client. */ @@ -1245,10 +1262,10 @@ case SSH_MSG_KEXDH_GEX_GRP: if ( direction == SSH_DIR_FROM_SERVER ) { - sessionp->state_flags |= + sessionp->state_flags |= SSH_FLG_GEX_GRP_SEEN; } - else if ( ssh_eval_config->EnabledAlerts & + else if ( ssh_eval_config->EnabledAlerts & SSH_ALERT_WRONGDIR ) { /* Client msg from server. */ @@ -1258,10 +1275,10 @@ case SSH_MSG_KEXDH_GEX_INIT: if ( direction == SSH_DIR_FROM_CLIENT ) { - sessionp->state_flags |= + sessionp->state_flags |= SSH_FLG_GEX_INIT_SEEN; } - else if ( ssh_eval_config->EnabledAlerts & + else if ( ssh_eval_config->EnabledAlerts & SSH_ALERT_WRONGDIR ) { /* Server msg from client. */ @@ -1271,9 +1288,9 @@ case SSH_MSG_NEWKEYS: /* This message is required to complete the * key exchange. Both server and client should - * send one, but as per Alex Kirk's note on this, + * send one, but as per Alex Kirk's note on this, * in some implementations the server does not - * actually send this message. So receving a new + * actually send this message. So receving a new * keys msg from the client is sufficient. */ if ( direction == SSH_DIR_FROM_CLIENT ) 
@@ -1287,14 +1304,14 @@ } /* If either an old-style or new-style Diffie Helman exchange - * has completed, the session will enter encrypted mode. + * has completed, the session will enter encrypted mode. */ if (( (sessionp->state_flags & - SSH_FLG_V2_DHOLD_DONE) == SSH_FLG_V2_DHOLD_DONE ) - || ( (sessionp->state_flags & + SSH_FLG_V2_DHOLD_DONE) == SSH_FLG_V2_DHOLD_DONE ) + || ( (sessionp->state_flags & SSH_FLG_V2_DHNEW_DONE) == SSH_FLG_V2_DHNEW_DONE )) { - sessionp->state_flags |= + sessionp->state_flags |= SSH_FLG_SESS_ENCRYPTED; } @@ -1330,7 +1347,7 @@ static int SSHCheckPolicyConfig( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { @@ -1417,7 +1434,7 @@ } static int SshFreeUnusedConfigPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ssh/spp_ssh.h snort-2.9.2/src/dynamic-preprocessors/ssh/spp_ssh.h --- snort-2.8.5.2/src/dynamic-preprocessors/ssh/spp_ssh.h 2009-12-15 23:27:53.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ssh/spp_ssh.h 2011-06-08 00:33:15.000000000 +0000 @@ -1,7 +1,7 @@ /* $Id */ /* -** Copyright (C) 2005-2009 Sourcefire, Inc. +** Copyright (C) 2005-2011 Sourcefire, Inc. ** ** ** This program is free software; you can redistribute it and/or modify @@ -31,6 +31,7 @@ #include "sfPolicy.h" #include "sfPolicyUserData.h" +#include "snort_bounds.h" #define MAX_PORTS 65536 @@ -71,7 +72,7 @@ #define MAX_MAX_SERVER_VERSION_LEN 255 /* - * One of these structures is kept for each configured + * One of these structures is kept for each configured * server port. */ typedef struct _sshPortlistNode 
@@ -113,12 +114,12 @@ /* * Per-session data block containing current state * of the SSH preprocessor for the session. - * - * version: Version of SSH detected for this session. + * + * version: Version of SSH detected for this session. * num_enc_pkts: Number of encrypted packets seen on this session. - * num_client_bytes: Number of bytes of encrypted data sent by client, + * num_client_bytes: Number of bytes of encrypted data sent by client, * without a server response. - * state_flags: Bit vector describing the current state of the + * state_flags: Bit vector describing the current state of the * session. */ typedef struct _sshData @@ -142,7 +143,7 @@ #define SSH_FLG_SERV_PKEY_SEEN (0x4) #define SSH_FLG_CLIENT_SKEY_SEEN (0x8) #define SSH_FLG_CLIENT_KEXINIT_SEEN (0x10) -#define SSH_FLG_SERV_KEXINIT_SEEN (0x20) +#define SSH_FLG_SERV_KEXINIT_SEEN (0x20) #define SSH_FLG_KEXDH_INIT_SEEN (0x40) #define SSH_FLG_KEXDH_REPLY_SEEN (0x80) #define SSH_FLG_GEX_REQ_SEEN (0x100) @@ -207,8 +208,8 @@ } SSH2Packet; -/* - * SSH v1 message types (of interest) +/* + * SSH v1 message types (of interest) */ #define SSH_MSG_V1_SMSG_PUBLIC_KEY 2 #define SSH_MSG_V1_CMSG_SESSION_KEY 3 @@ -216,7 +217,7 @@ /* * SSH v2 message types (of interest) */ -#define SSH_MSG_KEXINIT 20 +#define SSH_MSG_KEXINIT 20 #define SSH_MSG_NEWKEYS 21 #define SSH_MSG_KEXDH_INIT 30 #define SSH_MSG_KEXDH_REPLY 31 diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ssl/Makefile.am snort-2.9.2/src/dynamic-preprocessors/ssl/Makefile.am --- snort-2.8.5.2/src/dynamic-preprocessors/ssl/Makefile.am 2009-05-06 22:29:09.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ssl/Makefile.am 2011-07-13 22:44:51.000000000 +0000 
@@ -1,26 +1,24 @@ ## $Id AUTOMAKE_OPTIONS=foreign no-dependencies -INCLUDES = -I../include -I${top_srcdir}/src/dynamic-preprocessors/libs +INCLUDES = -I../include -I${srcdir}/../libs libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor lib_LTLIBRARIES = libsf_ssl_preproc.la -libsf_ssl_preproc_la_LDFLAGS = -module - -BUILT_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c - +libsf_ssl_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +if SO_WITH_STATIC_LIB +libsf_ssl_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +else nodist_libsf_ssl_preproc_la_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c +../include/sf_dynamic_preproc_lib.c \ +../include/sfPolicyUserData.c +endif libsf_ssl_preproc_la_SOURCES = \ spp_ssl.c \ spp_ssl.h \ -sf_preproc_info.h \ ${top_srcdir}/src/dynamic-preprocessors/libs/ssl.c \ ${top_srcdir}/src/dynamic-preprocessors/libs/ssl.h \ ${top_srcdir}/src/dynamic-preprocessors/libs/sfparser.c \ @@ -29,15 +27,6 @@ EXTRA_DIST = \ sf_ssl.dsp -sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c - cp $? $@ - -sfPolicyUserData.c: ../include/sfPolicyUserData.c - cp $? $@ - -all-local: +all-local: $(LTLIBRARIES) $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES -clean-local: - rm -f sf_dynamic_preproc_lib.c - rm -f sfPolicyUserData.c diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ssl/Makefile.in snort-2.9.2/src/dynamic-preprocessors/ssl/Makefile.in --- snort-2.8.5.2/src/dynamic-preprocessors/ssl/Makefile.in 2009-10-19 21:18:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ssl/Makefile.in 2011-12-07 19:23:21.000000000 +0000 
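Review bot: The `all-local` recipe in the `@@ -29,15 +27,6 @@` hunk passes `DESTDIR=`pwd`/../build` unquoted, so a build tree whose path contains whitespace splits the value and the staging install lands somewhere else; `$(MAKE) DESTDIR="`pwd`/../build" install-libLTLIBRARIES` keeps it as one word. Installing into a sibling `../build` directory as part of `all` is also unusual enough to deserve a comment above the target saying what consumes that staging tree.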
@@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -16,8 +17,9 @@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c 
@@ -42,25 +44,42 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; -am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(libdir)" -libLTLIBRARIES_INSTALL = $(INSTALL) LTLIBRARIES = $(lib_LTLIBRARIES) -libsf_ssl_preproc_la_LIBADD = +@SO_WITH_STATIC_LIB_TRUE@libsf_ssl_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la am_libsf_ssl_preproc_la_OBJECTS = spp_ssl.lo ssl.lo sfparser.lo -nodist_libsf_ssl_preproc_la_OBJECTS = sf_dynamic_preproc_lib.lo \ - sfPolicyUserData.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_ssl_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo libsf_ssl_preproc_la_OBJECTS = $(am_libsf_ssl_preproc_la_OBJECTS) \ $(nodist_libsf_ssl_preproc_la_OBJECTS) libsf_ssl_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ 
$(libsf_ssl_preproc_la_LDFLAGS) $(LDFLAGS) -o $@ -DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = am__depfiles_maybe = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ @@ -87,31 +106,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ -INCLUDES = -I../include -I${top_srcdir}/src/dynamic-preprocessors/libs +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ @@ -124,12 +143,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -137,20 +162,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -182,6 +214,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ 
@@ -194,23 +227,20 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies lib_LTLIBRARIES = libsf_ssl_preproc.la -libsf_ssl_preproc_la_LDFLAGS = -module -BUILT_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c - -nodist_libsf_ssl_preproc_la_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c +libsf_ssl_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +@SO_WITH_STATIC_LIB_TRUE@libsf_ssl_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_ssl_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c libsf_ssl_preproc_la_SOURCES = \ spp_ssl.c \ spp_ssl.h \ -sf_preproc_info.h \ ${top_srcdir}/src/dynamic-preprocessors/libs/ssl.c \ ${top_srcdir}/src/dynamic-preprocessors/libs/ssl.h \ ${top_srcdir}/src/dynamic-preprocessors/libs/sfparser.c \ @@ -219,8 +249,7 @@ EXTRA_DIST = \ sf_ssl.dsp -all: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) all-am +all: all-am .SUFFIXES: .SUFFIXES: .c .lo .o .obj @@ -228,14 +257,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/ssl/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/dynamic-preprocessors/ssl/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/ssl/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-preprocessors/ssl/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ 
@@ -253,23 +282,28 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): install-libLTLIBRARIES: $(lib_LTLIBRARIES) @$(NORMAL_INSTALL) test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ if test -f $$p; then \ - f=$(am__strip_dir) \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \ + list2="$$list2 $$p"; \ else :; fi; \ - done + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } uninstall-libLTLIBRARIES: @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p=$(am__strip_dir) \ - echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \ - $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \ + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ done clean-libLTLIBRARIES: 
@@ -299,10 +333,16 @@ $(LTCOMPILE) -c -o $@ $< ssl.lo: ${top_srcdir}/src/dynamic-preprocessors/libs/ssl.c - $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ssl.lo `test -f '${top_srcdir}/src/dynamic-preprocessors/libs/ssl.c' || echo '$(srcdir)/'`${top_srcdir}/src/dynamic-preprocessors/libs/ssl.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ssl.lo `test -f '${top_srcdir}/src/dynamic-preprocessors/libs/ssl.c' || echo '$(srcdir)/'`${top_srcdir}/src/dynamic-preprocessors/libs/ssl.c sfparser.lo: ${top_srcdir}/src/dynamic-preprocessors/libs/sfparser.c - $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfparser.lo `test -f '${top_srcdir}/src/dynamic-preprocessors/libs/sfparser.c' || echo '$(srcdir)/'`${top_srcdir}/src/dynamic-preprocessors/libs/sfparser.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfparser.lo `test -f '${top_srcdir}/src/dynamic-preprocessors/libs/sfparser.c' || echo '$(srcdir)/'`${top_srcdir}/src/dynamic-preprocessors/libs/sfparser.c + +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c mostlyclean-libtool: -rm -f *.lo 
@@ -315,45 +355,49 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i 
$(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags @@ -374,26 +418,28 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am -check: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) check-am +check: check-am all-am: Makefile $(LTLIBRARIES) all-local installdirs: for dir in "$(DESTDIR)$(libdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done -install: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) install-am +install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am @@ -413,14 +459,14 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." - -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) clean: clean-am -clean-am: clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ mostlyclean-am distclean: distclean-am @@ -434,6 +480,8 @@ html: html-am +html-am: + info: info-am info-am: 
@@ -442,18 +490,28 @@ install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-libLTLIBRARIES install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am @@ -478,8 +536,8 @@ .MAKE: install-am install-strip .PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ - clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ - ctags distclean distclean-compile distclean-generic \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ @@ -492,18 +550,9 @@ tags uninstall uninstall-am uninstall-libLTLIBRARIES -sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c - cp $? $@ - -sfPolicyUserData.c: ../include/sfPolicyUserData.c - cp $? $@ - -all-local: +all-local: $(LTLIBRARIES) $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES -clean-local: - rm -f sf_dynamic_preproc_lib.c - rm -f sfPolicyUserData.c # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ssl/sf_preproc_info.h snort-2.9.2/src/dynamic-preprocessors/ssl/sf_preproc_info.h --- snort-2.8.5.2/src/dynamic-preprocessors/ssl/sf_preproc_info.h 2009-08-10 20:41:51.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ssl/sf_preproc_info.h 1970-01-01 00:00:00.000000000 +0000 
@@ -1,34 +0,0 @@
-/* Copyright (C) 2007-2009 Sourcefire, Inc.
-**
-** This program is free software; you can redistribute it and/or modify
-** it under the terms of the GNU General Public License Version 2 as
-** published by the Free Software Foundation. You may not use, modify or
-** distribute this program under any other version of the GNU General
-** Public License.
-**
-** This program is distributed in the hope that it will be useful,
-** but WITHOUT ANY WARRANTY; without even the implied warranty of
-** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-** GNU General Public License for more details.
-**
-** You should have received a copy of the GNU General Public License
-** along with this program; if not, write to the Free Software
-** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-*/
-
-#ifndef SF_PREPROC_INFO_H
-#define SF_PREPROC_INFO_H
-
-#define MAJOR_VERSION 1
-#define MINOR_VERSION 1
-#define BUILD_VERSION 3
-#ifdef SUP_IP6
-#define PREPROC_NAME "SF_SSLPP (IPV6)"
-#else
-#define PREPROC_NAME "SF_SSLPP"
-#endif
-
-#define DYNAMIC_PREPROC_SETUP SetupSSLPP
-extern void SetupSSLPP(void);
-
-#endif /* SF_PREPROC_INFO_H */
diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ssl/sf_ssl.dsp snort-2.9.2/src/dynamic-preprocessors/ssl/sf_ssl.dsp
--- snort-2.8.5.2/src/dynamic-preprocessors/ssl/sf_ssl.dsp 2009-05-06 22:29:10.000000000 +0000
+++ snort-2.9.2/src/dynamic-preprocessors/ssl/sf_ssl.dsp 2011-11-21 20:15:24.000000000 +0000
@@ -38,25 +38,25 @@ # PROP BASE Output_Dir "Release" # PROP BASE Intermediate_Dir "Release" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "Release" # PROP Intermediate_Dir "Release" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /c -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /I "..\libs" /D "NDEBUG" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "SF_SNORT_PREPROC_DLL" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /YX /FD /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\..\\" /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SF_SNORT_PREPROC_DLL" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib ../libs/Release/sfdynamic_preproc_libs.lib 
/nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib ../libs/Release/sfdynamic_preproc_libs.lib /nologo /dll /machine:I386 !ELSEIF "$(CFG)" == "sf_ssl - Win32 Debug" 
@@ -65,25 +65,25 @@ # PROP BASE Output_Dir "Debug" # PROP BASE Intermediate_Dir "Debug" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "Debug" # PROP Intermediate_Dir "Debug" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /I "..\libs" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /YX /FD /GZ /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\..\\" /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib 
uuid.lib odbc32.lib odbccp32.lib ../libs/Debug/sfdynamic_preproc_libs.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib ../libs/Debug/sfdynamic_preproc_libs.lib /nologo /dll /debug /machine:I386 /pdbtype:sept !ELSEIF "$(CFG)" == "sf_ssl - Win32 IPv6 Debug" @@ -93,7 +93,7 @@ # PROP BASE Intermediate_Dir "sf_ssl___Win32_IPv6_Debug" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "IPv6_Debug" # PROP Intermediate_Dir "IPv6_Debug" 
@@ -101,18 +101,18 @@ # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /GZ /c # SUBTRACT BASE CPP /X -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /I "..\libs" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /YX /FD /GZ /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\..\\" /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib ../libs/IPv6_Debug/sfdynamic_preproc_libs.lib /nologo 
/dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib ../libs/IPv6_Debug/sfdynamic_preproc_libs.lib /nologo /dll /debug /machine:I386 /pdbtype:sept !ELSEIF "$(CFG)" == "sf_ssl - Win32 IPv6 Release" @@ -122,7 +122,7 @@ # PROP BASE Intermediate_Dir "sf_ssl___Win32_IPv6_Release" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "IPv6_Release" # PROP Intermediate_Dir "IPv6_Release" 
@@ -130,17 +130,18 @@ # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_SMTP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /c # SUBTRACT BASE CPP /X -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\libs" /D "NDEBUG" /D "SUP_IP6" /D "DYNAMIC_PLUGIN" /D "PERF_PROFILING" /D "SF_SNORT_PREPROC_DLL" /D "_WINDOWS" /D "_USRDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /YX /FD /I ../libs /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /I ../libs /c +# SUBTRACT CPP /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib ../libs/IPv6_Release/sfdynamic_preproc_libs.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib 
../libs/IPv6_Release/sfdynamic_preproc_libs.lib /nologo /dll /machine:I386 !ENDIF diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ssl/spp_ssl.c snort-2.9.2/src/dynamic-preprocessors/ssl/spp_ssl.c --- snort-2.8.5.2/src/dynamic-preprocessors/ssl/spp_ssl.c 2009-10-02 20:29:58.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ssl/spp_ssl.c 2011-10-26 18:28:52.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2007-2009 Sourcefire, Inc. +** Copyright (C) 2007-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -28,13 +28,15 @@ #include "config.h" #endif /* HAVE_CONFIG_H */ +#include "sf_types.h" #include "sf_snort_packet.h" #include "sf_dynamic_preprocessor.h" #include "sf_snort_plugin_api.h" -#include "debug.h" +#include "snort_debug.h" #include "preprocids.h" #include "spp_ssl.h" +#include "sf_preproc_info.h" #include #include @@ -51,6 +53,17 @@ #include "sfPolicy.h" #include "sfPolicyUserData.h" +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 1; +const int BUILD_VERSION = 4; +#ifdef SUP_IP6 +const char *PREPROC_NAME = "SF_SSLPP (IPV6)"; +#else +const char *PREPROC_NAME = "SF_SSLPP"; +#endif + +#define SetupSSLPP DYNAMIC_PREPROC_SETUP + #ifdef PERF_PROFILING PreprocStats sslpp_perf_stats; #endif @@ -59,7 +72,6 @@ int16_t ssl_app_id = SFTARGET_UNKNOWN_PROTOCOL; #endif -#define GENERATOR_SPP_SSLPP 137 /* Ultimately calls SnortEventqAdd */ /* Arguments are: gid, sid, rev, classification, priority, message, rule_info */ @@ -68,8 +80,6 @@ /* Wraps disabling detect with incrementing the counter */ #define DISABLE_DETECT() { _dpd.disableDetect(packet); counts.disabled++; } -extern DynamicPreprocessorData _dpd; - static tSfPolicyUserContextId ssl_config = NULL; static SSLPP_counters_t counts; 
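Review bot: In the `@@ -51,6 +53,17 @@` hunk `PREPROC_NAME` is declared as a mutable pointer with external linkage (`const char *PREPROC_NAME = "SF_SSLPP";`) although it only ever points at a string literal that the plugin loader reads; `const char *const PREPROC_NAME = "SF_SSLPP";` (and the same for the `SUP_IP6` variant) keeps the symbol itself read-only. The new `#define SetupSSLPP DYNAMIC_PREPROC_SETUP` silently inverts the mapping the deleted `sf_preproc_info.h` used to provide and deserves a one-line comment, e.g. `/* export the setup entry point under the name the plugin loader resolves */`, since a reader of this file alone cannot tell which side is the exported name.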
@@ -81,15 +91,14 @@ static void SSLReloadSwapFree(void *); #endif -static INLINE void SSLSetPort(SSLPP_config_t *, int); +static inline void SSLSetPort(SSLPP_config_t *, int); static void SSL_UpdateCounts(const uint32_t); -#if DEBUG +#ifdef DEBUG_MSGS static void SSL_PrintFlags(uint32_t); #endif static void SSLFreeConfig(tSfPolicyUserContextId config); static void SSLCleanExit(int, void *); -static void SSLRestart(int, void *); static void SSLResetStats(int, void *); static void SSLPP_CheckConfig(void); @@ -98,7 +107,14 @@ static void _addServicesToStream5Filter(tSfPolicyId); #endif -static INLINE int SSLPP_is_encrypted(uint32_t ssl_flags, SFSnortPacket *packet) +typedef struct _SslRuleOptData +{ + int flags; + int mask; + +} SslRuleOptData; + +static inline int SSLPP_is_encrypted(uint32_t ssl_flags, SFSnortPacket *packet) { SSLPP_config_t *config = NULL; @@ -106,7 +122,7 @@ if (config->flags & SSLPP_TRUSTSERVER_FLAG) { - if(ssl_flags & SSL_SAPP_FLAG) + if(ssl_flags & SSL_SAPP_FLAG) return SSLPP_TRUE; } @@ -118,12 +134,12 @@ counts.completed_hs++; return SSLPP_TRUE; } - /* Check if we're either midstream or if packets were missed after the + /* Check if we're either midstream or if packets were missed after the * connection was established */ else if ((_dpd.streamAPI->get_session_flags (packet->stream_session_ptr) & SSNFLAG_MIDSTREAM) || (_dpd.streamAPI->missed_packets(packet->stream_session_ptr, SSN_DIR_BOTH))) { - if ((ssl_flags & (SSL_CAPP_FLAG | SSL_SAPP_FLAG)) == (SSL_CAPP_FLAG | SSL_SAPP_FLAG)) + if ((ssl_flags & (SSL_CAPP_FLAG | SSL_SAPP_FLAG)) == (SSL_CAPP_FLAG | SSL_SAPP_FLAG)) { return SSLPP_TRUE; } @@ -133,7 +149,7 @@ return SSLPP_FALSE; } -static INLINE uint32_t SSLPP_process_alert( +static inline uint32_t SSLPP_process_alert( uint32_t ssn_flags, uint32_t new_flags, SFSnortPacket *packet) { SSLPP_config_t *config = NULL; 
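Review bot: In the `@@ -98,7 +107,14 @@` hunk `SslRuleOptData` stores `flags` and `mask` as `int`, while the session flag word they are later tested against is a `uint32_t` (see `SSLPP_is_encrypted(uint32_t ssl_flags, ...)` in the same hunk), and `SSLPP_rule_eval` in hunk `@@ -584,44 +658,84 @@` narrows that value with `(int)(uintptr_t)`. Masking a signed value whose top bit may be set relies on implementation-defined conversion; declaring both members and `ssn_data` as `uint32_t` keeps the bit arithmetic well-defined with no behavioural change for the flag values in use. The struct would also benefit from a short comment, e.g. `/* flags: every token named in the option; mask: the subset that was negated with '!' */`.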
@@ -146,7 +162,7 @@ /* Check if we've seen a handshake, that this isn't it, * that the cipher flags is not set, and that we are disabling detection */ - if(SSL_IS_HANDSHAKE(ssn_flags) && + if(SSL_IS_HANDSHAKE(ssn_flags) && !SSL_IS_HANDSHAKE(new_flags) && !(new_flags & SSL_CHANGE_CIPHER_FLAG) && (config->flags & SSLPP_DISABLE_FLAG)) @@ -166,13 +182,13 @@ return ssn_flags; } -static INLINE uint32_t SSLPP_process_hs(uint32_t ssl_flags, uint32_t new_flags) +static inline uint32_t SSLPP_process_hs(uint32_t ssl_flags, uint32_t new_flags) { DEBUG_WRAP(DebugMessage(DEBUG_SSL, "Process Handshake\n");); if(!SSL_BAD_HS(new_flags)) { - ssl_flags |= new_flags & (SSL_CLIENT_HELLO_FLAG | + ssl_flags |= new_flags & (SSL_CLIENT_HELLO_FLAG | SSL_SERVER_HELLO_FLAG | SSL_CLIENT_KEYX_FLAG | SSL_SFINISHED_FLAG); @@ -185,8 +201,8 @@ return ssl_flags; } -static INLINE uint32_t SSLPP_process_app( - uint32_t ssn_flags, uint32_t new_flags, SFSnortPacket *packet) +static inline uint32_t SSLPP_process_app( + uint32_t ssn_flags, uint32_t new_flags, SFSnortPacket *packet) { SSLPP_config_t *config = NULL; @@ -197,7 +213,7 @@ if(!(config->flags & SSLPP_DISABLE_FLAG)) return ssn_flags | new_flags; - if(SSLPP_is_encrypted(ssn_flags | new_flags, packet) ) + if(SSLPP_is_encrypted(ssn_flags | new_flags, packet) ) { ssn_flags |= SSL_ENCRYPTED_FLAG; @@ -211,8 +227,8 @@ return ssn_flags | new_flags; } -static INLINE void SSLPP_process_other( - uint32_t ssn_flags, uint32_t new_flags, SFSnortPacket *packet) +static inline void SSLPP_process_other( + uint32_t ssn_flags, uint32_t new_flags, SFSnortPacket *packet) { SSLPP_config_t *config = NULL; 
@@ -221,7 +237,7 @@ /* Encrypted SSLv2 will appear unrecognizable. Check if the handshake was * seen and stop inspecting if so. */ /* Check for an existing handshake from both sides */ - if((ssn_flags & SSL_VER_SSLV2_FLAG) && + if((ssn_flags & SSL_VER_SSLV2_FLAG) && SSL_IS_CHELLO(ssn_flags) && SSL_IS_SHELLO(ssn_flags) && (config->flags & SSLPP_DISABLE_FLAG) && !(new_flags & SSL_CHANGE_CIPHER_FLAG)) { @@ -236,14 +252,14 @@ counts.unrecognized++; /* Special handling for SSLv2 */ - if(new_flags & SSL_VER_SSLV2_FLAG) + if(new_flags & SSL_VER_SSLV2_FLAG) ssn_flags |= new_flags; if(new_flags & SSL_UNKNOWN_FLAG) ssn_flags |= new_flags; /* The following block is intentionally disabled. */ -/* If we were unable to decode the packet, and previous packets had been +/* If we were unable to decode the packet, and previous packets had been * missed, we will not assume it is encrypted SSLv2. */ #if 0 /* More special handling for SSLv2. @@ -252,10 +268,10 @@ if( !(ssn_flags & ( SSL_VER_SSLV3_FLAG | SSL_VER_TLS10_FLAG | SSL_VER_TLS11_FLAG | SSL_VER_TLS12_FLAG)) ) { - if(packet->stream_session_ptr && + if(packet->stream_session_ptr && + _dpd.streamAPI->missed_packets( + packet->stream_session_ptr, SSN_DIR_SERVER) && _dpd.streamAPI->missed_packets( - packet->stream_session_ptr, SSN_DIR_SERVER) && - _dpd.streamAPI->missed_packets( packet->stream_session_ptr, SSN_DIR_CLIENT) ) ssn_flags |= SSL_VER_SSLV2_FLAG; @@ -287,16 +303,15 @@ if (config == NULL) return; - PREPROC_PROFILE_START(sslpp_perf_stats); DEBUG_WRAP(DebugMessage(DEBUG_SSL, "SSL Start ================================\n");); packet = (SFSnortPacket*)raw_packet; - if(!packet || !packet->payload || !packet->payload_size || + if(!packet || !packet->payload || !packet->payload_size || !packet->tcp_header || !packet->stream_session_ptr) { -#ifdef DEBUG +#ifdef DEBUG_MSGS if (packet == NULL) { DEBUG_WRAP(DebugMessage(DEBUG_SSL, "SSL - Packet is NULL\n");); 
@@ -325,7 +340,6 @@ DEBUG_WRAP(DebugMessage(DEBUG_SSL, "SSL - Not inspecting packet\n");); DEBUG_WRAP(DebugMessage(DEBUG_SSL, "SSL End ================================\n");); #endif - PREPROC_PROFILE_END(sslpp_perf_stats); return; } #ifdef TARGET_BASED @@ -348,7 +362,6 @@ !(config->ports[PORT_INDEX(packet->dst_port)] & CONV_PORT(packet->dst_port))) { DEBUG_WRAP(DebugMessage(DEBUG_SSL, "SSL - Not configured for these ports\n");); - PREPROC_PROFILE_END(sslpp_perf_stats); DEBUG_WRAP(DebugMessage(DEBUG_SSL, "SSL End ================================\n");); return; } @@ -356,7 +369,7 @@ } #endif -#ifdef DEBUG +#ifdef DEBUG_MSGS if (packet->flags & FLAG_FROM_SERVER) { DEBUG_WRAP(DebugMessage(DEBUG_SSL, "Server packet\n");); @@ -372,6 +385,8 @@ } #endif + PREPROC_PROFILE_START(sslpp_perf_stats); + ssn_flags = (uint32_t)(uintptr_t) _dpd.streamAPI->get_application_data(packet->stream_session_ptr, PP_SSL); @@ -409,14 +424,18 @@ } } +#if 0 + /* XXX If the preprocessor should in the future need to do any data + * reassembly, one or the other of raw or reassembled needs to be used */ if (packet->flags & FLAG_STREAM_INSERT) { DEBUG_WRAP(DebugMessage(DEBUG_SSL, "Packet is stream inserted - not inspecting\n");); DEBUG_WRAP(DebugMessage(DEBUG_SSL, "SSL End ================================\n");); return; } +#endif -#ifdef DEBUG +#ifdef DEBUG_MSGS DEBUG_WRAP(DebugMessage(DEBUG_SSL, "Ssn flags before ----------------------\n");); SSL_PrintFlags(ssn_flags); DEBUG_WRAP(DebugMessage(DEBUG_SSL, "---------------------------------------\n");); @@ -424,7 +443,7 @@ SSL_CLEAR_TEMPORARY_FLAGS(ssn_flags); -#ifdef DEBUG +#ifdef DEBUG_MSGS if (packet->payload_size >= 5) { const uint8_t *pkt = packet->payload; 
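Review bot: In hunk `@@ -409,14 +424,18 @@` wrapping the `FLAG_STREAM_INSERT` early return in `#if 0` means a reassembled pseudo-packet and the raw segments it was built from can both reach `SSL_decode`, so the same bytes may be decoded twice; the XXX comment acknowledges this but nothing chooses raw or reassembled. The consequences I would expect (hedged, since the dispatch path is outside this hunk) are inflated `counts.decoded`/handshake counters and, for the new `SSL_INVALID_CLIENT_HELLO` check in hunk `@@ -438,11 +457,25 @@`, a false 137:1 alert when the rebuilt copy of a ClientHello is delivered after the raw ServerHello has already set `SSL_IS_SHELLO` in `ssn_flags`. If double inspection is intended for now, the comment should say so explicitly and the alert should be gated on the packet not being a rebuilt copy (if `FLAG_REBUILT_STREAM` is the rebuilt-stream bit in this packet API, `if (!(packet->flags & FLAG_REBUILT_STREAM) && SSL_IS_CHELLO(new_flags) && ...`). `SSLPP_process` starts and ends outside this hunk.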
@@ -438,11 +457,25 @@ } #endif - new_flags = SSL_decode(packet->payload, packet->payload_size, packet->flags); + new_flags = SSL_decode(packet->payload, (int)packet->payload_size, packet->flags); + + if( SSL_IS_CHELLO(new_flags) && SSL_IS_CHELLO(ssn_flags) && SSL_IS_SHELLO(ssn_flags) ) + { + ALERT(SSL_INVALID_CLIENT_HELLO, SSL_INVALID_CLIENT_HELLO_STR); + } + else if(!(config->flags & SSLPP_TRUSTSERVER_FLAG)) + { + if( (SSL_IS_SHELLO(new_flags) && !SSL_IS_CHELLO(ssn_flags) )) + { + if(!(_dpd.streamAPI->missed_packets( packet->stream_session_ptr, SSN_DIR_CLIENT))) + ALERT(SSL_INVALID_SERVER_HELLO, SSL_INVALID_SERVER_HELLO_STR); + } + } + counts.decoded++; -#ifdef DEBUG +#ifdef DEBUG_MSGS DEBUG_WRAP(DebugMessage(DEBUG_SSL, "New flags -----------------------------\n");); SSL_PrintFlags(new_flags); DEBUG_WRAP(DebugMessage(DEBUG_SSL, "---------------------------------------\n");); @@ -466,7 +499,7 @@ { ssn_flags = SSLPP_process_app(ssn_flags, new_flags, packet); } - else + else { /* Different record type that we don't care about. * Either it's a 'change cipher spec' or we failed to recognize the @@ -482,7 +515,7 @@ ssn_flags |= new_flags; -#if DEBUG +#ifdef DEBUG_MSGS DEBUG_WRAP(DebugMessage(DEBUG_SSL, "Ssn flags after -----------------------\n");); SSL_PrintFlags(ssn_flags); DEBUG_WRAP(DebugMessage(DEBUG_SSL, "---------------------------------------\n");); @@ -498,7 +531,7 @@ static void SSL_UpdateCounts(const uint32_t new_flags) { - if(new_flags & SSL_CHANGE_CIPHER_FLAG) + if(new_flags & SSL_CHANGE_CIPHER_FLAG) counts.cipher_change++; if (new_flags & SSL_ALERT_FLAG) @@ -533,11 +566,12 @@ } /* Parsing for the ssl_state rule option */ -static int SSLPP_state_init(char *name, char *params, void **data) +static int SSLPP_state_init(char *name, char *params, void **data) { - int flags = 0; + int flags = 0, mask = 0; char *end = NULL; char *tok; + SslRuleOptData *sdata; tok = strtok_r(params, ",", &end); 
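Review bot: The two new alert conditions after `SSL_decode` in hunk `@@ -438,11 +457,25 @@` are asymmetric without a comment saying why: 137:2 is suppressed under `SSLPP_TRUSTSERVER_FLAG` and when `missed_packets(..., SSN_DIR_CLIENT)` reports a gap, whereas 137:1 fires even when packets were lost in either direction and `ssn_flags` may be stale. Whether that is deliberate cannot be told from the code, so a comment above the block such as `/* 137:1: a second plaintext ClientHello after both hellos is never valid, so it is raised regardless of gaps; 137:2: a ServerHello with no ClientHello is only meaningful if the client side was actually observed */` would record the intent and let a reader judge the false-positive risk. `SSLPP_process` begins and ends outside this hunk.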
@@ -547,34 +581,74 @@ do { + int negated = 0; + + if (tok[0] == '!') + { + negated = 1; + tok++; + } + if(!strcasecmp("client_hello", tok)) + { flags |= SSL_CUR_CLIENT_HELLO_FLAG; + if (negated) + mask |= SSL_CUR_CLIENT_HELLO_FLAG; + } else if(!strcasecmp("server_hello", tok)) + { flags |= SSL_CUR_SERVER_HELLO_FLAG; + if (negated) + mask |= SSL_CUR_SERVER_HELLO_FLAG; + } else if(!strcasecmp("client_keyx", tok)) + { flags |= SSL_CUR_CLIENT_KEYX_FLAG; + if (negated) + mask |= SSL_CUR_CLIENT_KEYX_FLAG; + } else if(!strcasecmp("server_keyx", tok)) + { flags |= SSL_CUR_SERVER_KEYX_FLAG; + if (negated) + mask |= SSL_CUR_SERVER_KEYX_FLAG; + } else if(!strcasecmp("unknown", tok)) + { flags |= SSL_UNKNOWN_FLAG; - else + if (negated) + mask |= SSL_UNKNOWN_FLAG; + } + else + { DynamicPreprocessorFatalMessage( - "%s(%d) => %s is not a recognized argument to %s.\n", - *(_dpd.config_file), _dpd.config_file, tok, name); + "%s(%d) => %s is not a recognized argument to %s.\n", + *(_dpd.config_file), _dpd.config_file, tok, name); + } } while( (tok = strtok_r(NULL, ",", &end)) != NULL ); - *data = (void *)(uintptr_t)flags; + sdata = (SslRuleOptData *)calloc(1, sizeof(*sdata)); + if (sdata == NULL) + { + DynamicPreprocessorFatalMessage("Could not allocate memory for the " + "ssl_state preprocessor rule option.\n"); + } + + sdata->flags = flags; + sdata->mask = mask; + *data = (void *)sdata; - return 0; + return 1; } /* Parsing for the ssl_version rule option */ -static int SSLPP_ver_init(char *name, char *params, void **data) +static int SSLPP_ver_init(char *name, char *params, void **data) { - int flags = 0; + int flags = 0, mask = 0; char *end = NULL; char *tok; + SslRuleOptData *sdata; tok = strtok_r(params, ",", &end); 
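Review bot: In the re-indented `DynamicPreprocessorFatalMessage` call of `SSLPP_state_init` the `%d` conversion is given `_dpd.config_file` (a pointer), not the line number, so the message prints garbage for the line and is a format/argument type mismatch that `-Wformat` would flag; the sibling messages in `SSLPP_config` use `*(_dpd.config_line)`. Change the argument list to `*(_dpd.config_file), *(_dpd.config_line), tok, name);`. The identical call in `SSLPP_ver_init` (hunk `@@ -584,44 +658,84 @@`) needs the same fix. A token consisting of just `!` becomes the empty string after `tok++` and correctly falls to the fatal branch, but since `strtok_r` splits only on commas a token like ` !server_hello` (with a space) also fails, which the error text could state.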
@@ -584,44 +658,84 @@ do { + int negated = 0; + + if (tok[0] == '!') + { + negated = 1; + tok++; + } + if(!strcasecmp("sslv2", tok)) + { flags |= SSL_VER_SSLV2_FLAG; + if (negated) + mask |= SSL_VER_SSLV2_FLAG; + } else if(!strcasecmp("sslv3", tok)) + { flags |= SSL_VER_SSLV3_FLAG; + if (negated) + mask |= SSL_VER_SSLV3_FLAG; + } else if(!strcasecmp("tls1.0", tok)) + { flags |= SSL_VER_TLS10_FLAG; + if (negated) + mask |= SSL_VER_TLS10_FLAG; + } else if(!strcasecmp("tls1.1", tok)) + { flags |= SSL_VER_TLS11_FLAG; + if (negated) + mask |= SSL_VER_TLS11_FLAG; + } else if(!strcasecmp("tls1.2", tok)) + { flags |= SSL_VER_TLS12_FLAG; - else + if (negated) + mask |= SSL_VER_TLS12_FLAG; + } + else + { DynamicPreprocessorFatalMessage( - "%s(%d) => %s is not a recognized argument to %s.\n", - *(_dpd.config_file), _dpd.config_file, tok, name); + "%s(%d) => %s is not a recognized argument to %s.\n", + *(_dpd.config_file), _dpd.config_file, tok, name); + } } while( (tok = strtok_r(NULL, ",", &end)) != NULL ); - *data = (void *)(uintptr_t)flags; + sdata = (SslRuleOptData *)calloc(1, sizeof(*sdata)); + if (sdata == NULL) + { + DynamicPreprocessorFatalMessage("Could not allocate memory for the " + "ssl_version preprocessor rule option.\n"); + } - return 0; + sdata->flags = flags; + sdata->mask = mask; + *data = (void *)sdata; + + return 1; } /* Rule option evaluation (for both rule options) */ static int SSLPP_rule_eval(void *raw_packet, const uint8_t **cursor, void *data) { - int ssn_data; - SFSnortPacket *p = (SFSnortPacket*)raw_packet; + int ssn_data; + SFSnortPacket *p = (SFSnortPacket*)raw_packet; + SslRuleOptData *sdata = (SslRuleOptData *)data; - if (!p || !p->tcp_header || !p->stream_session_ptr) - return 0; + if (!p || !p->tcp_header || !p->stream_session_ptr || !data) + return RULE_NOMATCH; - ssn_data = (int)(uintptr_t)_dpd.streamAPI->get_application_data( - p->stream_session_ptr, PP_SSL); + ssn_data = (int)(uintptr_t)_dpd.streamAPI->get_application_data( + 
p->stream_session_ptr, PP_SSL); - if((int)(uintptr_t)data & ssn_data) - return 1; + if ((sdata->flags & ssn_data) ^ sdata->mask) + return RULE_MATCH; - return 0; + return RULE_NOMATCH; } /* SSL Preprocessor configuration parsing */ @@ -634,15 +748,15 @@ char *search; SFP_errstr_t err; - if(!conf) + if(!conf) return; if (config == NULL) return; - + search = conf; - while( (comma_tok = strtok_r(search, ",", &saveptr)) != NULL ) + while( (comma_tok = strtok_r(search, ",", &saveptr)) != NULL ) { search = NULL; @@ -650,7 +764,7 @@ if(!space_tok) return; - + if(!strcasecmp(space_tok, "ports")) { memset(config->ports, 0, sizeof(config->ports)); @@ -661,14 +775,14 @@ *(_dpd.config_file), *(_dpd.config_line), SFP_GET_ERR(err)); } - else if(!strcasecmp(space_tok, "noinspect_encrypted")) + else if(!strcasecmp(space_tok, "noinspect_encrypted")) { char *tmpChar; tmpChar = strtok_r(NULL, " \t\n", &portptr); if(tmpChar) { DynamicPreprocessorFatalMessage("%s(%d) => Invalid argument to the" - " SSL preprocessor: '%s' in %s\n", + " SSL preprocessor: '%s' in %s\n", *(_dpd.config_file), *(_dpd.config_line), space_tok, tmpChar); } config->flags |= SSLPP_DISABLE_FLAG; @@ -680,7 +794,7 @@ if(tmpChar) { DynamicPreprocessorFatalMessage("%s(%d) => Invalid argument to the" - " SSL preprocessor: '%s' in %s\n", + " SSL preprocessor: '%s' in %s\n", *(_dpd.config_file), *(_dpd.config_line), space_tok, tmpChar); } config->flags |= SSLPP_TRUSTSERVER_FLAG; @@ -688,10 +802,10 @@ else { DynamicPreprocessorFatalMessage("%s(%d) => Invalid argument to the" - " SSL preprocessor: '%s' in %s\n", + " SSL preprocessor: '%s' in %s\n", *(_dpd.config_file), *(_dpd.config_line), comma_tok, conf); } - } + } /* Verify configured options make sense */ if ((config->flags & SSLPP_TRUSTSERVER_FLAG) && 
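Review bot: The match test `(sdata->flags & ssn_data) ^ sdata->mask` in `SSLPP_rule_eval` is correct but opaque: a bit in `flags` that is not in `mask` ends up set when the state is present, a bit in `mask` ends up set when the state is absent, and any set bit yields `RULE_MATCH`, so the option keeps the original OR semantics across both positive and negated tokens (`ssl_state:client_hello,!server_hello` matches when either condition holds, not both). Put that above the test, e.g. `/* OR across tokens: a positive token matches when its bit is set, a '!' token when its bit is clear */`, and carry it into the option's user documentation, since a list of negations is easily read as AND. The added `!data` guard is good; it also means an option registered with no tokens cannot match, which the comment could mention.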
@@ -720,12 +834,12 @@ _dpd.logMsg(" Ports:\n"); - for(newline = 0, i = 0; i < MAXPORTS; i++) + for(newline = 0, i = 0; i < MAXPORTS; i++) { if( config->ports[ PORT_INDEX(i) ] & CONV_PORT(i) ) { SFP_snprintfa(buf, sizeof(buf), " %5d", i); - if( !((++newline) % 5) ) + if( !((++newline) % 5) ) { SFP_snprintfa(buf, sizeof(buf), "\n"); _dpd.logMsg(buf); @@ -738,7 +852,7 @@ SFP_snprintfa(buf, sizeof(buf), "\n"); _dpd.logMsg(buf); - + if ( config->flags & SSLPP_TRUSTSERVER_FLAG ) { _dpd.logMsg(" Server side data is trusted\n"); @@ -762,15 +876,15 @@ SSLSetPort(config, 995); /* POPS */ } -static INLINE void SSLSetPort(SSLPP_config_t *config, int port) +static inline void SSLSetPort(SSLPP_config_t *config, int port) { if (config == NULL) return; - config->ports[ PORT_INDEX(port) ] |= CONV_PORT(port); + config->ports[ PORT_INDEX(port) ] |= CONV_PORT(port); } -static void SSLPP_drop_stats(int exiting) +static void SSLPP_drop_stats(int exiting) { if(!counts.decoded) return; @@ -822,7 +936,6 @@ _dpd.registerPreprocStats("ssl", SSLPP_drop_stats); _dpd.addPreprocConfCheck(SSLPP_CheckConfig); _dpd.addPreprocExit(SSLCleanExit, NULL, PRIORITY_LAST, PP_SSL); - _dpd.addPreprocRestart(SSLRestart, NULL, PRIORITY_LAST, PP_SSL); _dpd.addPreprocResetStats(SSLResetStats, NULL, PRIORITY_LAST, PP_SSL); #ifdef PERF_PROFILING 
@@ -852,15 +965,17 @@ DynamicPreprocessorFatalMessage("Could not allocate memory for the " "SSL preprocessor configuration.\n"); } - + sfPolicyUserDataSetCurrent(ssl_config, pPolicyConfig); SSLPP_init_config(pPolicyConfig); SSLPP_config(pPolicyConfig, args); SSLPP_print_config(pPolicyConfig); - _dpd.preprocOptRegister("ssl_state", SSLPP_state_init, SSLPP_rule_eval, NULL, NULL, NULL); - _dpd.preprocOptRegister("ssl_version", SSLPP_ver_init, SSLPP_rule_eval, NULL, NULL, NULL); + _dpd.preprocOptRegister("ssl_state", SSLPP_state_init, SSLPP_rule_eval, + free, NULL, NULL, NULL, NULL); + _dpd.preprocOptRegister("ssl_version", SSLPP_ver_init, SSLPP_rule_eval, + free, NULL, NULL, NULL, NULL); _dpd.addPreproc( SSLPP_process, PRIORITY_TUNNEL, PP_SSL, PROTO_BIT__TCP ); @@ -881,7 +996,7 @@ #endif } -#if DEBUG +#ifdef DEBUG_MSGS static void SSL_PrintFlags(uint32_t flags) { if (flags & SSL_CHANGE_CIPHER_FLAG) @@ -1080,7 +1195,7 @@ static int SSLFreeConfigPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { @@ -1111,11 +1226,6 @@ } } -static void SSLRestart(int signal, void *data) -{ - SSLCleanExit(signal, data); -} - static void SSLResetStats(int signal, void *data) { memset(&counts, 0, sizeof(counts)); @@ -1123,7 +1233,7 @@ static int SSLPP_CheckPolicyConfig( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { 
@@ -1187,8 +1297,10 @@ SSLPP_config(pPolicyConfig, args); SSLPP_print_config(pPolicyConfig); - _dpd.preprocOptRegister("ssl_state", SSLPP_state_init, SSLPP_rule_eval, NULL, NULL, NULL); - _dpd.preprocOptRegister("ssl_version", SSLPP_ver_init, SSLPP_rule_eval, NULL, NULL, NULL); + _dpd.preprocOptRegister("ssl_state", SSLPP_state_init, SSLPP_rule_eval, + free, NULL, NULL, NULL, NULL); + _dpd.preprocOptRegister("ssl_version", SSLPP_ver_init, SSLPP_rule_eval, + free, NULL, NULL, NULL, NULL); _dpd.addPreproc(SSLPP_process, PRIORITY_TUNNEL, PP_SSL, PROTO_BIT__TCP); _dpd.addPreprocReloadVerify(SSLReloadVerify); diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/ssl/spp_ssl.h snort-2.9.2/src/dynamic-preprocessors/ssl/spp_ssl.h --- snort-2.8.5.2/src/dynamic-preprocessors/ssl/spp_ssl.h 2009-05-06 22:29:10.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/ssl/spp_ssl.h 2011-02-09 23:23:26.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2007-2009 Sourcefire, Inc. +** Copyright (C) 2007-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -84,5 +84,12 @@ SSL_CAPP_FLAG | SSL_SAPP_FLAG) #define SSLPP_ENCRYPTED_FLAGS2 (SSL_HS_SDONE_FLAG | SSL_CHANGE_CIPHER_FLAG | \ SSL_CAPP_FLAG | SSL_SAPP_FLAG) + +#define GENERATOR_SPP_SSLPP 137 +#define SSL_INVALID_CLIENT_HELLO 1 +#define SSL_INVALID_SERVER_HELLO 2 + +#define SSL_INVALID_CLIENT_HELLO_STR "(ssp_ssl) Invalid Client HELLO after Server HELLO Detected" +#define SSL_INVALID_SERVER_HELLO_STR "(ssp_ssl) Invalid Server HELLO without Client HELLO Detected" #endif /* SPP_SSLPP_H */ diff -Nru snort-2.8.5.2/src/dynamic-preprocessors/treenodes.sed snort-2.9.2/src/dynamic-preprocessors/treenodes.sed --- snort-2.8.5.2/src/dynamic-preprocessors/treenodes.sed 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/dynamic-preprocessors/treenodes.sed 2009-12-22 02:56:59.000000000 +0000 
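Review bot: In the `spp_ssl.h` hunk `@@ -84,5 +84,12 @@` both new alert message strings read `(ssp_ssl)` while every other identifier in this preprocessor is `spp_ssl`; the text is what operators see in alert output and what message-based filtering keys on, so the transposition is a defect rather than cosmetic: `#define SSL_INVALID_CLIENT_HELLO_STR "(spp_ssl) Invalid Client HELLO after Server HELLO Detected"` and the same correction for `SSL_INVALID_SERVER_HELLO_STR`. A one-line comment that `GENERATOR_SPP_SSLPP`/`SSL_INVALID_CLIENT_HELLO`/`SSL_INVALID_SERVER_HELLO` form the gid:sid pairs 137:1 and 137:2, which need matching entries in gen-msg.map, would also help whoever next adds a SID here.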
@@ -0,0 +1,16 @@
+s/Packet /SFSnortPacket /
+s/rules\.h/signature.h/
+/signature.h/ a\
+#include "sf_snort_packet.h" \
+#include "event.h"
+s/RspFpList/void/
+s/OutputFuncNode/void/
+s/TagData/void/
+s/RuleType/int/
+s/IpAddrSet/void/
+s/PortObject/void/
+s/ActivateListNode/void/
+s/struct _ListHead/void/
+/sfutil\/sfghash\.h/d
+/sf_types\.h/d
+s/SFGHASH/void/g
diff -Nru snort-2.8.5.2/src/encode.c snort-2.9.2/src/encode.c
--- snort-2.8.5.2/src/encode.c 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/encode.c 2011-11-21 20:15:24.000000000 +0000
@@ -0,0 +1,1329 @@ +/* $Id$ */ +/**************************************************************************** + * + * Copyright (C) 2005-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +// @file encode.c +// @author Russ Combs + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include +#ifdef HAVE_DUMBNET_H +#include +#else +#include +#endif + +#include "encode.h" +#include "sfdaq.h" +#include "sf_iph.h" +#include "snort.h" +#include "stream_api.h" + +#define GET_IP_HDR_LEN(h) (((h)->ip_verhl & 0x0f) << 2) +#define GET_TCP_HDR_LEN(h) (((h)->th_offx2 & 0xf0) >> 2) +#define SET_TCP_HDR_LEN(h, n) (h)->th_offx2 = ((n << 2) & 0xF0) + +#define MAX_TTL 255 +#define ICMP_UNREACH_DATA 8 // (per RFC 792) +#define IP_ID_COUNT 8192 + +static uint8_t *dst_mac = NULL; + +static inline int IsIcmp (int type) +{ + static int s_icmp[ENC_MAX] = { 0, 0, 1, 1, 1 }; + return ( s_icmp[type] ); +} + +//------------------------------------------------------------------------- +// encoders operate layer by layer: +// * base+off is start of packet +// * base+end is start of current layer +// * base+size-1 is last byte of packet (in) / buffer (out) +typedef 
blob_t Buffer; + +typedef enum { + ENC_OK, ENC_BAD_PROTO, ENC_BAD_OPT, ENC_OVERFLOW +} ENC_STATUS; + +typedef struct { + EncodeType type; + EncodeFlags flags; + + uint8_t layer; + const Packet* p; + uint16_t ip_len; + uint8_t* ip_hdr; + + const uint8_t* payLoad; + uint32_t payLen; + uint8_t proto; + +} EncState; + +#define FORWARD(e) (e->flags & ENC_FLAG_FWD) +#define REVERSE(f) (!(f & ENC_FLAG_FWD)) + +#define PKT_SZ (ETHERNET_HEADER_LEN + VLAN_HEADER_LEN + IP_MAXPACKET) + +// all layer encoders look like this: +typedef ENC_STATUS (*Encoder)(EncState*, Buffer* in, Buffer* out); +typedef ENC_STATUS (*Updater)(Packet*, Layer*, uint32_t* len); +typedef void (*Formatter)(EncodeFlags, const Packet* p, Packet* c, Layer*); +// TBD implement other encoder functions + +typedef struct { + Encoder fencode; + Updater fupdate; + Formatter fformat; +} EncoderFunctions; + +// forward declaration; definition at end of file +static EncoderFunctions encoders[PROTO_MAX]; + +static void IpId_Init(); +static void IpId_Term(); + +static const uint8_t* Encode_Packet( + EncState* enc, const Packet* p, uint32_t* len); + +static ENC_STATUS UN6_Encode(EncState*, Buffer*, Buffer*); + +//------------------------------------------------------------------------- + +static inline PROTO_ID NextEncoder (EncState* enc) +{ + if ( enc->layer < enc->p->next_layer ) + { + PROTO_ID next = enc->p->layers[enc->layer++].proto; + if ( next < PROTO_MAX ) + { + if ( encoders[next].fencode ) return next; + } + } + return PROTO_MAX; +} + +//------------------------------------------------------------------------- +// basic setup stuff +//------------------------------------------------------------------------- + +void Encode_Init (void) +{ + IpId_Init(); +} + +void Encode_Term (void) +{ + IpId_Term(); +} + +//------------------------------------------------------------------------- +// encoders: +// - raw pkt data only, no need for Packet stuff except to facilitate +// encoding +// - don't include original 
options +// - inner layer differs from original (eg tcp data segment becomes rst) +// - must ensure proper ttl/hop limit for reverse direction +// - sparc twiddle must be factored in packet start for transmission +// +// iterate over decoded layers and encode the response packet. actually +// make nested calls. on the way in we setup invariant stuff and as we +// unwind the stack we finish up encoding in a more normal fashion (now +// the outer layer knows the length of the inner layer, etc.). +// +// when multiple responses are sent, both forwards and backwards directions, +// or multiple ICMP types (unreachable port, host, net), it may be possible +// to reuse the 1st encoding and just tweak it. optimization for later +// consideration. + +// pci is copied from in to out +// * addresses / ports are swapped if !fwd +// * options, etc. are stripped +// * checksums etc. are set +// * if next layer is udp, it is set to icmp unreachable w/udp +// * if next layer is tcp, it becomes a tcp rst or tcp fin w/opt data + +//------------------------------------------------------------------------- + +const uint8_t* Encode_Reject( + EncodeType type, EncodeFlags flags, const Packet* p, uint32_t* len) +{ + EncState enc; + + enc.type = type; + enc.flags = flags; + + enc.payLoad = NULL; + enc.payLen = 0; + + enc.ip_hdr = NULL; + enc.ip_len = 0; + enc.proto = 0; + + return Encode_Packet(&enc, p, len); +} + +const uint8_t* Encode_Response( + EncodeType type, EncodeFlags flags, const Packet* p, uint32_t* len, + const uint8_t* payLoad, uint32_t payLen +) { + EncState enc; + + enc.type = type; + enc.flags = flags; + + enc.payLoad = payLoad; + enc.payLen = payLen; + + enc.ip_hdr = NULL; + enc.ip_len = 0; + enc.proto = 0; + + return Encode_Packet(&enc, p, len); +} + +//------------------------------------------------------------------------- +// formatters: +// - these packets undergo detection +// - need to set Packet stuff except for frag3 which calls grinder +// - include original 
options except for frag3 inner ip +// - inner layer header is very similar but payload differs +// - original ttl is always used +//------------------------------------------------------------------------- + +int Encode_Format (EncodeFlags f, const Packet* p, Packet* c, PseudoPacketType type) +{ + DAQ_PktHdr_t* pkth = (DAQ_PktHdr_t*)c->pkth; + uint8_t* pkt = (uint8_t*)c->pkt; + + int i, next_layer = p->next_layer; + Layer* lyr; + size_t len; + + if ( next_layer < 1 ) return -1; + + memset(c, 0, PKT_ZERO_LEN); + c->raw_ip6h = NULL; + + c->pkth = pkth; + c->pkt = pkt; + + if ( f & ENC_FLAG_NET ) + { + for ( i = next_layer-1; i >= 0; i-- ) + if ( p->layers[i].proto == PROTO_IP4 +#ifdef SUP_IP6 + || p->layers[i].proto == PROTO_IP6 +#endif + ) + break; + if ( i < next_layer ) next_layer = i + 1; + } + // copy raw packet data to clone + lyr = (Layer*)p->layers + next_layer - 1; + len = lyr->start - p->pkt + lyr->length; + + memcpy((void*)c->pkt, p->pkt, len); + + // set up layers + for ( i = 0; i < next_layer; i++ ) + { + const uint8_t* b = c->pkt + (p->layers[i].start - p->pkt); + lyr = c->layers + i; + + lyr->proto = p->layers[i].proto; + lyr->length = p->layers[i].length; + lyr->start = (uint8_t*)b; + + if ( lyr->proto < PROTO_MAX ) + encoders[lyr->proto].fformat(f, p, c, lyr); + +#ifdef DEBUG + else + FatalError("Encode_New() => unsupported proto = %d\n", + lyr->proto); +#endif + } + c->next_layer = next_layer; + + // setup payload info + c->data = lyr->start + lyr->length; + len = c->data - c->pkt; + + // should actually be max less specific layers + // but this is a safe limit + c->max_dsize = IP_MAXPACKET - len; + + c->proto_bits = p->proto_bits; + c->packet_flags |= PKT_PSEUDO; + c->pseudo_type = type; + + switch ( type ) + { + case PSEUDO_PKT_SMB_SEG: + case PSEUDO_PKT_DCE_SEG: + case PSEUDO_PKT_DCE_FRAG: + case PSEUDO_PKT_SMB_TRANS: + c->packet_flags |= PKT_REASSEMBLED_OLD; + break; + default: + break; + } + + // setup pkt capture header + pkth->caplen = 
pkth->pktlen = len; + pkth->ts = p->pkth->ts; + + // cooked packet gets same policy as raw + c->configPolicyId = p->configPolicyId; + + c->policyEngineData = p->policyEngineData; + + if ( !c->max_dsize ) + return -1; + + return 0; +} + +//------------------------------------------------------------------------- +// updaters: these functions set length and checksum fields, only needed +// when a packet is modified. some packets only have replacements so only +// the checksums need to be updated. we always set the length rather than +// checking each time if needed. +//------------------------------------------------------------------------- + +void Encode_Update (Packet* p) +{ + int i; + uint32_t len = 0; + DAQ_PktHdr_t* pkth = (DAQ_PktHdr_t*)p->pkth; + + p->actual_ip_len = 0; + + for ( i = p->next_layer - 1; i >= 0; i-- ) + { + Layer* lyr = p->layers + i; + encoders[lyr->proto].fupdate(p, lyr, &len); + } + // see IP6_Update() for an explanation of this ... + if ( !(p->packet_flags & PKT_MODIFIED) +#ifdef NORMALIZER + || (p->packet_flags & PKT_RESIZED) +#endif + ) + pkth->caplen = pkth->pktlen = len; +} + +//------------------------------------------------------------------------- +// internal packet support +//------------------------------------------------------------------------- + +Packet* Encode_New () +{ + Packet* p = SnortAlloc(sizeof(*p)); + uint8_t* b = SnortAlloc(sizeof(*p->pkth) + PKT_SZ + SPARC_TWIDDLE); + + if ( !p || !b ) + FatalError("Encode_New() => Failed to allocate packet\n"); + + p->pkth = (void*)b; + b += sizeof(*p->pkth); + b += SPARC_TWIDDLE; + p->pkt = b; + + return p; +} + +void Encode_Delete (Packet* p) +{ + free((void*)p->pkth); // cast away const! 
+ free(p); +} + +/* Set the destination MAC address*/ +void Encode_SetDstMAC(uint8_t *mac) +{ + dst_mac = mac; +} +//------------------------------------------------------------------------- +// private implementation stuff +//------------------------------------------------------------------------- + +static uint8_t s_pkt[ETHERNET_HEADER_LEN+VLAN_HEADER_LEN+IP_MAXPACKET]; + +static const uint8_t* Encode_Packet( + EncState* enc, const Packet* p, uint32_t* len) +{ + Buffer ibuf, obuf; + ENC_STATUS status = ENC_BAD_PROTO; + PROTO_ID next; + + ibuf.base = (uint8_t*)p->pkt; + ibuf.off = ibuf.end = 0; + ibuf.size = p->pkth->caplen; + + obuf.base = s_pkt; + obuf.off = obuf.end = 0; + obuf.size = sizeof(s_pkt); + + enc->layer = 0; + enc->p = p; + + next = NextEncoder(enc); + + if ( next < PROTO_MAX ) + { + Encoder e = encoders[next].fencode; + status = (*e)(enc, &ibuf, &obuf); + } + if ( status != ENC_OK || enc->layer != p->next_layer ) + { + *len = 0; + return NULL; + } + *len = (uint32_t)obuf.end; + return obuf.base + obuf.off; +} + +//------------------------------------------------------------------------- +// ip id considerations: +// +// we use dnet's rand services to generate a vector of random 16-bit values and +// iterate over the vector as IDs are assigned. when we wrap to the beginning, +// the vector is randomly reordered. 
+//------------------------------------------------------------------------- + +static rand_t* s_rand = NULL; +static uint16_t s_id_index = 0; +static uint16_t s_id_pool[IP_ID_COUNT]; + +static void IpId_Init (void) +{ + if ( s_rand ) rand_close(s_rand); + + s_rand = rand_open(); + + if ( !s_rand ) + FatalError("encode::IpId_Init: rand_open() failed.\n"); + + rand_get(s_rand, s_id_pool, sizeof(s_id_pool)); +} + +static void IpId_Term (void) +{ + if ( s_rand ) rand_close(s_rand); + s_rand = NULL; +} + +static inline uint16_t IpId_Next () +{ +#ifdef REG_TEST + uint16_t id = htons(s_id_index + 1); +#else + uint16_t id = s_id_pool[s_id_index]; +#endif + s_id_index = (s_id_index + 1) % IP_ID_COUNT; + + if ( !s_id_index ) + rand_shuffle(s_rand, s_id_pool, sizeof(s_id_pool), 1); + + return id; +} + +//------------------------------------------------------------------------- +// ttl considerations: +// +// we try to use the TTL captured for the session by the stream preprocessor +// when the session started. if that is not available, we use the current +// TTL for forward packets and use (maximum - current) TTL for reverse +// packets. +// +// the reason we don't just force ttl to 255 (max) is to make it look a +// little more authentic. +// +// for reference, flexresp used a const rand >= 64 in both directions (the +// number was determined at startup and never changed); flexresp2 used the +// next higher multiple of 64 in both directions; and react used a const +// 64 in both directions. +// +// note that the ip6 hop limit field is entirely equivalent to the ip4 TTL. +// hop limit is in fact a more accurrate name for the actual usage of this +// field. +//------------------------------------------------------------------------- + +static inline uint8_t GetTTL (const EncState* enc) +{ + char dir; + uint8_t ttl; + int outer = !enc->ip_hdr; + + if ( !enc->p->ssnptr ) + return 0; + + if ( enc->p->packet_flags & PKT_FROM_CLIENT ) + dir = FORWARD(enc) ? 
SSN_DIR_CLIENT : SSN_DIR_SERVER; + else + dir = FORWARD(enc) ? SSN_DIR_SERVER : SSN_DIR_CLIENT; + + // outermost ip is considered to be outer here, + // even if it is the only ip layer ... + ttl = stream_api->get_session_ttl(enc->p->ssnptr, dir, outer); + + // so if we don't get outer, we use inner + if ( 0 == ttl && outer ) + ttl = stream_api->get_session_ttl(enc->p->ssnptr, dir, 0); + + return ttl; +} + +static inline uint8_t FwdTTL (const EncState* enc, uint8_t ttl) +{ + uint8_t new_ttl = GetTTL(enc); + if ( !new_ttl ) + new_ttl = ttl; + return new_ttl; +} + +static inline uint8_t RevTTL (const EncState* enc, uint8_t ttl) +{ + uint8_t new_ttl = GetTTL(enc); + if ( !new_ttl ) + new_ttl = ( MAX_TTL - ttl ); + return new_ttl; +} + +//------------------------------------------------------------------------- +// the if in UPDATE_BOUND can be defined out after testing because: +// 1. the packet was already decoded in decode.c so is structurally sound; and +// 2. encode takes at most the same space as decode. +#define UPDATE_BOUND(buf, n) \ + buf->end += n; \ + if ( buf->end > buf->size ) \ + return ENC_OVERFLOW +//------------------------------------------------------------------------- + +//------------------------------------------------------------------------- +// ethernet +//------------------------------------------------------------------------- + +static ENC_STATUS Eth_Encode (EncState* enc, Buffer* in, Buffer* out) +{ + // not raw ip -> encode layer 2 + int raw = ( enc->flags & ENC_FLAG_RAW ); + + EtherHdr* hi = (EtherHdr*)enc->p->layers[enc->layer-1].start; + PROTO_ID next = NextEncoder(enc); + + // if not raw ip AND out buf is empty + if ( !raw && (out->off == out->end) ) + { + // for alignment + out->off = out->end = SPARC_TWIDDLE; + } + // if not raw ip OR out buf is not empty + if ( !raw || (out->off != out->end) ) + { + // we get here for outer-most layer when not raw ip + // we also get here for any encapsulated ethernet layer. 
+ EtherHdr* ho = (EtherHdr*)(out->base + out->end); + UPDATE_BOUND(out, sizeof(*ho)); + + ho->ether_type = hi->ether_type; + if ( FORWARD(enc) ) + { + memcpy(ho->ether_src, hi->ether_src, sizeof(ho->ether_src)); + /*If user configured remote MAC address, use it*/ + if (NULL != dst_mac) + memcpy(ho->ether_dst, dst_mac, sizeof(ho->ether_dst)); + else + memcpy(ho->ether_dst, hi->ether_dst, sizeof(ho->ether_dst)); + } + else + { + memcpy(ho->ether_src, hi->ether_dst, sizeof(ho->ether_src)); + /*If user configured remote MAC address, use it*/ + if (NULL != dst_mac) + memcpy(ho->ether_dst, dst_mac, sizeof(ho->ether_dst)); + else + memcpy(ho->ether_dst, hi->ether_src, sizeof(ho->ether_dst)); + } + } + if ( next < PROTO_MAX ) + return encoders[next].fencode(enc, in, out); + + return ENC_OK; +} + +static ENC_STATUS Eth_Update (Packet* p, Layer* lyr, uint32_t* len) +{ + *len += lyr->length; + return ENC_OK; +} + +static void Eth_Format (EncodeFlags f, const Packet* p, Packet* c, Layer* lyr) +{ + EtherHdr* ch = (EtherHdr*)lyr->start; + c->eh = ch; + + if ( REVERSE(f) ) + { + int i = lyr - c->layers; + EtherHdr* ph = (EtherHdr*)p->layers[i].start; + + memcpy(ch->ether_dst, ph->ether_src, sizeof(ch->ether_dst)); + memcpy(ch->ether_src, ph->ether_dst, sizeof(ch->ether_src)); + } +} + +//------------------------------------------------------------------------- +// VLAN +//------------------------------------------------------------------------- + +static void VLAN_Format (EncodeFlags f, const Packet* p, Packet* c, Layer* lyr) +{ + c->vh = (VlanTagHdr*)lyr->start; +} + +//------------------------------------------------------------------------- +// GRE +//------------------------------------------------------------------------- +#ifdef GRE +static void GRE_Format (EncodeFlags f, const Packet* p, Packet* c, Layer* lyr) +{ + c->greh = (GREHdr*)lyr->start; +} +#endif + +//------------------------------------------------------------------------- +// IP4 
+//------------------------------------------------------------------------- + +static ENC_STATUS IP4_Encode (EncState* enc, Buffer* in, Buffer* out) +{ + int len; + uint32_t start = out->end; + + IPHdr* hi = (IPHdr*)enc->p->layers[enc->layer-1].start; + IPHdr* ho = (IPHdr*)(out->base + out->end); + PROTO_ID next = NextEncoder(enc); + UPDATE_BOUND(out, sizeof(*ho)); + + len = GET_IP_HDR_LEN(hi) - sizeof(*hi); + + ho->ip_verhl = 0x45; + ho->ip_off = 0; + + ho->ip_id = IpId_Next(); + ho->ip_tos = hi->ip_tos; + ho->ip_proto = hi->ip_proto; + + if ( FORWARD(enc) ) + { + ho->ip_src.s_addr = hi->ip_src.s_addr; + ho->ip_dst.s_addr = hi->ip_dst.s_addr; + + ho->ip_ttl = FwdTTL(enc, hi->ip_ttl); + } + else + { + ho->ip_src.s_addr = hi->ip_dst.s_addr; + ho->ip_dst.s_addr = hi->ip_src.s_addr; + + ho->ip_ttl = RevTTL(enc, hi->ip_ttl); + } + + enc->ip_hdr = (uint8_t*)hi; + enc->ip_len = IP_HLEN(hi) << 2; + + if ( next < PROTO_MAX ) + { + ENC_STATUS err = encoders[next].fencode(enc, in, out); + if ( ENC_OK != err ) return err; + } + if ( enc->proto ) + { + ho->ip_proto = enc->proto; + enc->proto = 0; + } + len = out->end - start; + ho->ip_len = htons((uint16_t)len); + ip_checksum(ho, len); + + return ENC_OK; +} + +static ENC_STATUS IP4_Update (Packet* p, Layer* lyr, uint32_t* len) +{ + IPHdr* h = (IPHdr*)(lyr->start); + int i = lyr - p->layers; + + *len += GET_IP_HDR_LEN(h); + + if ( i + 1 == p->next_layer ) + { + *len += p->dsize; + } + h->ip_len = htons((uint16_t)*len); + + if ( !PacketWasCooked(p) || (p->packet_flags & PKT_REBUILT_FRAG) ) + ip_checksum(h, *len); + + return ENC_OK; +} + +static void IP4_Format (EncodeFlags f, const Packet* p, Packet* c, Layer* lyr) +{ + // TBD handle nested ip layers + IPHdr* ch = (IPHdr*)lyr->start; + c->iph = ch; + + if ( REVERSE(f) ) + { + int i = lyr - c->layers; + IPHdr* ph = (IPHdr*)p->layers[i].start; + + ch->ip_src.s_addr = ph->ip_dst.s_addr; + ch->ip_dst.s_addr = ph->ip_src.s_addr; + } + if ( f & ENC_FLAG_DEF ) + { + int i = lyr - 
c->layers; + if ( i + 1 == p->next_layer ) + { + lyr->length = sizeof(*ch); + ch->ip_len = htons(lyr->length); + SET_IP_HLEN(ch, lyr->length >> 2); + } + } +#ifdef SUP_IP6 + sfiph_build(c, c->iph, AF_INET); +#endif +} + +//------------------------------------------------------------------------- +// ICMP +// UNR encoder creates ICMP unreachable +//------------------------------------------------------------------------- + +static inline int IcmpCode (EncodeType et) { + switch ( et ) { + case ENC_UNR_NET: return ICMP_UNREACH_NET; + case ENC_UNR_HOST: return ICMP_UNREACH_HOST; + case ENC_UNR_PORT: return ICMP_UNREACH_PORT; + default: break; + } + return ICMP_UNREACH_PORT; +} + +typedef struct { + uint8_t type; + uint8_t code; + uint16_t cksum; + uint32_t unused; +} IcmpHdr; + +static ENC_STATUS UN4_Encode (EncState* enc, Buffer* in, Buffer* out) +{ + uint8_t* p; + + uint8_t* hi = enc->p->layers[enc->layer-1].start; + IcmpHdr* ho = (IcmpHdr*)(out->base + out->end); + +#ifdef DEBUG + if ( enc->type < ENC_UNR_NET ) + return ENC_BAD_OPT; +#endif + + enc->proto = IPPROTO_ICMP; + + UPDATE_BOUND(out, sizeof(*ho)); + ho->type = ICMP_UNREACH; + ho->code = IcmpCode(enc->type); + ho->cksum = 0; + ho->unused = 0; + + // no need to set csum here because ip_checksum() will + // take care of it. see Encode_TCP() for details. 
+ + // copy original ip header + p = out->base + out->end; + UPDATE_BOUND(out, enc->ip_len); + memcpy(p, enc->ip_hdr, enc->ip_len); + + // copy first 8 octets of original ip data (ie udp header) + p = out->base + out->end; + UPDATE_BOUND(out, ICMP_UNREACH_DATA); + memcpy(p, hi, ICMP_UNREACH_DATA); + + return ENC_OK; +} + +static void ICMP4_Format (EncodeFlags f, const Packet* p, Packet* c, Layer* lyr) +{ + // TBD handle nested icmp4 layers + c->icmph = (ICMPHdr*)lyr->start; +} + +//------------------------------------------------------------------------- +// UDP +//------------------------------------------------------------------------- + +static ENC_STATUS UDP_Encode (EncState* enc, Buffer* in, Buffer* out) +{ + PROTO_ID next = PROTO_MAX; + + if ( enc->layer < enc->p->next_layer ) + { + next = enc->p->layers[enc->layer].proto; + } + if ((PROTO_GTP == next) && (encoders[next].fencode)) + { + int len; + ENC_STATUS err; + uint32_t start = out->end; + + UDPHdr* hi = (UDPHdr*)enc->p->layers[enc->layer-1].start; + UDPHdr* ho = (UDPHdr*)(out->base + out->end); + UPDATE_BOUND(out, sizeof(*ho)); + + if ( FORWARD(enc) ) + { + ho->uh_sport = hi->uh_sport; + ho->uh_dport = hi->uh_dport; + } + else + { + ho->uh_sport = hi->uh_dport; + ho->uh_dport = hi->uh_sport; + } + + next = NextEncoder(enc); + err = encoders[next].fencode(enc, in, out); + if (ENC_OK != err ) return err; + len = out->end - start; + ho->uh_len = htons((uint16_t)len); + return ENC_OK; + } + if ( IP_VER((IPHdr*)enc->ip_hdr) == 4 ) + return UN4_Encode(enc, in, out); + + return UN6_Encode(enc, in, out); +} + +static ENC_STATUS UDP_Update (Packet* p, Layer* lyr, uint32_t* len) +{ + UDPHdr* h = (UDPHdr*)(lyr->start); + + *len += sizeof(*h) + p->dsize; + h->uh_len = htons((uint16_t)*len); + + // don't calculate the UDP checksum here; + // dnet's ip_checksum() will do it + return ENC_OK; +} + +static void UDP_Format (EncodeFlags f, const Packet* p, Packet* c, Layer* lyr) +{ + UDPHdr* ch = (UDPHdr*)lyr->start; + 
c->udph = ch; + + if ( REVERSE(f) ) + { + int i = lyr - c->layers; + UDPHdr* ph = (UDPHdr*)p->layers[i].start; + + ch->uh_sport = ph->uh_dport; + ch->uh_dport = ph->uh_sport; + } + c->sp = ntohs(ch->uh_sport); + c->dp = ntohs(ch->uh_dport); +} + +//------------------------------------------------------------------------- +// TCP +// encoder creates TCP RST +// should always try to use acceptable ack since we send RSTs in a +// stateless fashion ... from rfc 793: +// +// In all states except SYN-SENT, all reset (RST) segments are validated +// by checking their SEQ-fields. A reset is valid if its sequence number +// is in the window. In the SYN-SENT state (a RST received in response +// to an initial SYN), the RST is acceptable if the ACK field +// acknowledges the SYN. +//------------------------------------------------------------------------- + +static ENC_STATUS TCP_Encode (EncState* enc, Buffer* in, Buffer* out) +{ + int len, ctl; + + TCPHdr* hi = (TCPHdr*)enc->p->layers[enc->layer-1].start; + TCPHdr* ho = (TCPHdr*)(out->base + out->end); + + UPDATE_BOUND(out, sizeof(*ho)); + + len = GET_TCP_HDR_LEN(hi) - sizeof(*hi); + UPDATE_BOUND(in, len); + ctl = (hi->th_flags & TH_SYN) ? 
1 : 0; + + if ( FORWARD(enc) ) + { + ho->th_sport = hi->th_sport; + ho->th_dport = hi->th_dport; + + // th_seq depends on whether the data passes or drops + if ( (enc->type == ENC_TCP_FIN) || !ScAdapterInlineMode() ) + ho->th_seq = htonl(ntohl(hi->th_seq) + enc->p->dsize + ctl); + else + ho->th_seq = hi->th_seq; + + ho->th_ack = hi->th_ack; + } + else + { + ho->th_sport = hi->th_dport; + ho->th_dport = hi->th_sport; + + ho->th_seq = hi->th_ack; + ho->th_ack = htonl(ntohl(hi->th_seq) + enc->p->dsize + ctl); + } + + if ( enc->flags & ENC_FLAG_SEQ ) + { + uint32_t seq = ntohl(ho->th_seq); + seq += (enc->flags & ENC_FLAG_VAL); + ho->th_seq = htonl(seq); + } + ho->th_offx2 = 0; + SET_TCP_OFFSET(ho, (TCP_HDR_LEN >> 2)); + ho->th_win = ho->th_urp = 0; + + if ( enc->type == ENC_TCP_FIN ) + { + if ( enc->payLoad && enc->payLen > 0 ) + { + uint8_t* pdu = out->base + out->end; + UPDATE_BOUND(out, enc->payLen); + memcpy(pdu, enc->payLoad, enc->payLen); + } + ho->th_flags = TH_FIN | TH_ACK; + } + else + { + ho->th_flags = TH_RST | TH_ACK; + } + + // we don't need to set th_sum here because dnet's + // ip_checksum() sets both IP and TCP checksums and + // ip6_checksum() sets the TCP checksum. 
+ return ENC_OK; +} + +static ENC_STATUS TCP_Update (Packet* p, Layer* lyr, uint32_t* len) +{ + TCPHdr* h = (TCPHdr*)(lyr->start); + *len += GET_TCP_HDR_LEN(h) + p->dsize; + + // don't calculate the TCP checksum here; + // dnet's ip_checksum() will do it + + return ENC_OK; +} + +static void TCP_Format (EncodeFlags f, const Packet* p, Packet* c, Layer* lyr) +{ + TCPHdr* ch = (TCPHdr*)lyr->start; + c->tcph = ch; + + if ( REVERSE(f) ) + { + int i = lyr - c->layers; + TCPHdr* ph = (TCPHdr*)p->layers[i].start; + + ch->th_sport = ph->th_dport; + ch->th_dport = ph->th_sport; + } + c->sp = ntohs(ch->th_sport); + c->dp = ntohs(ch->th_dport); +} + +//------------------------------------------------------------------------- +// IP6 encoder +//------------------------------------------------------------------------- + +#ifdef SUP_IP6 +static ENC_STATUS IP6_Encode (EncState* enc, Buffer* in, Buffer* out) +{ + int len; + uint32_t start = out->end; + + IP6RawHdr* hi = (IP6RawHdr*)enc->p->layers[enc->layer-1].start; + IP6RawHdr* ho = (IP6RawHdr*)(out->base + out->end); + PROTO_ID next = NextEncoder(enc); + + UPDATE_BOUND(out, sizeof(*ho)); + + ho->ip6flow = htonl(ntohl(hi->ip6flow) & 0xFFF00000); + ho->ip6nxt = hi->ip6nxt; + + if ( FORWARD(enc) ) + { + memcpy(ho->ip6_src.s6_addr, hi->ip6_src.s6_addr, sizeof(ho->ip6_src.s6_addr)); + memcpy(ho->ip6_dst.s6_addr, hi->ip6_dst.s6_addr, sizeof(ho->ip6_dst.s6_addr)); + + ho->ip6hops = FwdTTL(enc, hi->ip6hops); + } + else + { + memcpy(ho->ip6_src.s6_addr, hi->ip6_dst.s6_addr, sizeof(ho->ip6_src.s6_addr)); + memcpy(ho->ip6_dst.s6_addr, hi->ip6_src.s6_addr, sizeof(ho->ip6_dst.s6_addr)); + + ho->ip6hops = RevTTL(enc, hi->ip6hops); + } + + enc->ip_hdr = (uint8_t*)hi; + enc->ip_len = sizeof(*hi); + + if ( next < PROTO_MAX ) + { + ENC_STATUS err = encoders[next].fencode(enc, in, out); + if ( ENC_OK != err ) return err; + } + if ( enc->proto ) + { + ho->ip6nxt = enc->proto; + enc->proto = 0; + } + len = out->end - start; + ho->ip6plen = 
htons((uint16_t)(len - sizeof(*ho))); + ip6_checksum(ho, len); + + return ENC_OK; +} + +static ENC_STATUS IP6_Update (Packet* p, Layer* lyr, uint32_t* len) +{ + IP6RawHdr* h = (IP6RawHdr*)(lyr->start); + int i = lyr - p->layers; + + // if we didn't trim payload or format this packet, + // we may not know the actual lengths because not all + // extension headers are decoded and we stop at frag6. + // in such case we do not modify the packet length. + if ( (p->packet_flags & PKT_MODIFIED) +#ifdef NORMALIZER + && !(p->packet_flags & PKT_RESIZED) +#endif + ) { + *len = ntohs(h->ip6plen) + sizeof(*h); + } + else + { + if ( i + 1 == p->next_layer ) + *len += lyr->length + p->dsize; + + // w/o all extension headers, can't use just the + // fixed ip6 header length so we compute header delta + else + *len += lyr[1].start - lyr->start; + + // len includes header, remove for payload + h->ip6plen = htons((uint16_t)(*len - sizeof(*h))); + } + + if ( !PacketWasCooked(p) || (p->packet_flags & PKT_REBUILT_FRAG) ) + ip6_checksum(h, *len); + + return ENC_OK; +} + +static void IP6_Format (EncodeFlags f, const Packet* p, Packet* c, Layer* lyr) +{ + IP6RawHdr* ch = (IP6RawHdr*)lyr->start; + + if ( REVERSE(f) ) + { + int i = lyr - c->layers; + IP6RawHdr* ph = (IP6RawHdr*)p->layers[i].start; + + memcpy(ch->ip6_src.s6_addr, ph->ip6_dst.s6_addr, sizeof(ch->ip6_src.s6_addr)); + memcpy(ch->ip6_dst.s6_addr, ph->ip6_src.s6_addr, sizeof(ch->ip6_dst.s6_addr)); + } + if ( f & ENC_FLAG_DEF ) + { + int i = lyr - c->layers; + if ( i + 1 == p->next_layer ) + { + uint8_t* b = (uint8_t*)p->ip6_extensions[p->ip6_frag_index].data; + if ( b ) lyr->length = b - p->layers[i].start; + } + } + sfiph_build(c, ch, AF_INET6); + + // set outer to inner so this will always wind pointing to inner + c->raw_ip6h = ch; +} + +//------------------------------------------------------------------------- +// IP6 options functions +//------------------------------------------------------------------------- + +static 
ENC_STATUS Opt6_Encode (EncState* enc, Buffer* in, Buffer* out) +{ + // we don't encode ext headers + PROTO_ID next = NextEncoder(enc); + + if ( next < PROTO_MAX ) + { + ENC_STATUS err = encoders[next].fencode(enc, in, out); + if ( ENC_OK != err ) return err; + } + return ENC_OK; +} + +static ENC_STATUS Opt6_Update (Packet* p, Layer* lyr, uint32_t* len) +{ + int i = lyr - p->layers; + *len += lyr->length; + + if ( i + 1 == p->next_layer ) + *len += p->dsize; + + return ENC_OK; +} +#endif + +//------------------------------------------------------------------------- +// ICMP6 functions +//------------------------------------------------------------------------- + +static ENC_STATUS UN6_Encode (EncState* enc, Buffer* in, Buffer* out) +{ + uint8_t* p; + uint8_t* hi = enc->p->layers[enc->layer-1].start; + IcmpHdr* ho = (IcmpHdr*)(out->base + out->end); + +#ifdef DEBUG + if ( enc->type < ENC_UNR_NET ) + return ENC_BAD_OPT; +#endif + + enc->proto = IPPROTO_ICMPV6; + + UPDATE_BOUND(out, sizeof(*ho)); + ho->type = 1; // dest unreachable + ho->code = 4; // port unreachable + ho->cksum = 0; + ho->unused = 0; + + // no need to set csum here because ip6_checksum() will + // take care of it. see Encode_TCP() for details. 
+ + // ip + udp headers are copied separately because there + // may be intervening extension headers which aren't copied + + // copy original ip header + p = out->base + out->end; + UPDATE_BOUND(out, enc->ip_len); + // TBD should be able to elminate enc->ip_hdr by using layer-2 + memcpy(p, enc->ip_hdr, enc->ip_len); + ((IP6RawHdr*)p)->ip6nxt = IPPROTO_UDP; + + // copy first 8 octets of original ip data (ie udp header) + // TBD: copy up to minimum MTU worth of data + p = out->base + out->end; + UPDATE_BOUND(out, ICMP_UNREACH_DATA); + memcpy(p, hi, ICMP_UNREACH_DATA); + + return ENC_OK; +} + +#ifdef SUP_IP6 +static void ICMP6_Format (EncodeFlags f, const Packet* p, Packet* c, Layer* lyr) +{ + // TBD handle nested icmp6 layers + c->icmp6h = (ICMP6Hdr*)lyr->start; +} +#endif + +//------------------------------------------------------------------------- +// GTP functions +//------------------------------------------------------------------------- + +static ENC_STATUS update_GTP_length(GTPHdr* h, int gtp_total_len ) +{ + /*The first 3 bits are version number*/ + uint8_t version = (h->flag & 0xE0) >> 5; + switch (version) + { + case 0: /*GTP v0*/ + h->length = htons((uint16_t)(gtp_total_len - GTP_V0_HEADER_LEN)); + break; + case 1: /*GTP v1*/ + h->length = htons((uint16_t)(gtp_total_len - GTP_MIN_LEN)); + break; + default: + return ENC_BAD_PROTO; + } + return ENC_OK; + +} + +static ENC_STATUS GTP_Encode (EncState* enc, Buffer* in, Buffer* out) +{ + int n = enc->p->layers[enc->layer-1].length; + int len; + + GTPHdr* hi = (GTPHdr*) (enc->p->layers[enc->layer-1].start); + GTPHdr* ho = (GTPHdr*)(out->base + out->end); + uint32_t start = out->end; + PROTO_ID next = NextEncoder(enc); + + UPDATE_BOUND(out, n); + memcpy(ho, hi, n); + + if ( next < PROTO_MAX ) + { + ENC_STATUS err = encoders[next].fencode(enc, in, out); + if (ENC_OK != err ) return err; + } + len = out->end - start; + return( update_GTP_length(ho,len)); +} + +static ENC_STATUS GTP_Update (Packet* p, Layer* lyr, 
uint32_t* len) +{ + GTPHdr* h = (GTPHdr*)(lyr->start); + *len += lyr->length; + return( update_GTP_length(h,*len)); +} + +//------------------------------------------------------------------------- +// PPPoE functions +//------------------------------------------------------------------------- + +static ENC_STATUS PPPoE_Encode (EncState* enc, Buffer* in, Buffer* out) +{ + int n = enc->p->layers[enc->layer-1].length; + int len; + + PPPoEHdr* hi = (PPPoEHdr*)(enc->p->layers[enc->layer-1].start); + PPPoEHdr* ho = (PPPoEHdr*)(out->base + out->end); + + uint32_t start; + PROTO_ID next = NextEncoder(enc); + + UPDATE_BOUND(out, n); + memcpy(ho, hi, n); + + start = out->end; + + if ( next < PROTO_MAX ) + { + ENC_STATUS err = encoders[next].fencode(enc, in, out); + if (ENC_OK != err ) return err; + } + len = out->end - start; + ho->length = htons((uint16_t)len); + + return ENC_OK; +} + +//------------------------------------------------------------------------- +// XXX (generic) functions +//------------------------------------------------------------------------- + +static ENC_STATUS XXX_Encode (EncState* enc, Buffer* in, Buffer* out) +{ + int n = enc->p->layers[enc->layer-1].length; + + uint8_t* hi = enc->p->layers[enc->layer-1].start; + uint8_t* ho = (uint8_t*)(out->base + out->end); + PROTO_ID next = NextEncoder(enc); + + UPDATE_BOUND(out, n); + memcpy(ho, hi, n); + + if ( next < PROTO_MAX ) + { + ENC_STATUS err = encoders[next].fencode(enc, in, out); + if (ENC_OK != err ) return err; + } + return ENC_OK; +} + +// for general cases, may need to move dsize out of top, tcp, and +// udp and put in Encode_Update() (then this can be eliminated and +// xxx called instead). (another thought is to add data as a "layer"). 
+ +static ENC_STATUS Top_Update (Packet* p, Layer* lyr, uint32_t* len) +{ + *len += lyr->length + p->dsize; + return ENC_OK; +} + +static ENC_STATUS XXX_Update (Packet* p, Layer* lyr, uint32_t* len) +{ + *len += lyr->length; + return ENC_OK; +} + +static void XXX_Format (EncodeFlags f, const Packet* p, Packet* c, Layer* lyr) +{ + // nop +} + +//------------------------------------------------------------------------- +// function table: +// these must be in the same order PROTO_IDs are defined! +// all entries must have a function +//------------------------------------------------------------------------- + +static EncoderFunctions encoders[PROTO_MAX] = { + { Eth_Encode, Eth_Update, Eth_Format }, + { IP4_Encode, IP4_Update, IP4_Format }, + { UN4_Encode, Top_Update, ICMP4_Format }, + { XXX_Encode, XXX_Update, XXX_Format, }, // ICMP_IP4 + { UDP_Encode, UDP_Update, UDP_Format }, + { TCP_Encode, TCP_Update, TCP_Format }, +#ifdef SUP_IP6 + { IP6_Encode, IP6_Update, IP6_Format }, + { Opt6_Encode, Opt6_Update, XXX_Format }, // IP6 Hop Opts + { Opt6_Encode, Opt6_Update, XXX_Format }, // IP6 Dst Opts + { UN6_Encode, Top_Update, ICMP6_Format }, + { XXX_Encode, XXX_Update, XXX_Format, }, // ICMP_IP6 +#endif + { XXX_Encode, XXX_Update, VLAN_Format }, +#ifdef GRE + { XXX_Encode, XXX_Update, GRE_Format }, +#endif + { PPPoE_Encode,XXX_Update, XXX_Format }, + { XXX_Encode, XXX_Update, XXX_Format }, // PPP Encap +#ifdef MPLS + { XXX_Encode, XXX_Update, XXX_Format }, // MPLS +#endif + { XXX_Encode, XXX_Update, XXX_Format, }, // ARP + { GTP_Encode, GTP_Update, XXX_Format, } // GTP +}; + diff -Nru snort-2.8.5.2/src/encode.h snort-2.9.2/src/encode.h --- snort-2.8.5.2/src/encode.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/encode.h 2011-10-26 18:28:52.000000000 +0000 
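Review bot: Encode_Format has no guard for the ENC_FLAG_NET case in which no IP4/IP6 layer is found: the search loop then exits with i == -1, `next_layer` becomes 0, and `lyr = (Layer*)p->layers + next_layer - 1` reads `p->layers[-1]` to size the memcpy into c->pkt. Callers presumably only pass ENC_FLAG_NET for packets that do carry an IP layer, but a one-line check after the loop, `if ( i < 0 ) return -1;`, turns a silent out-of-bounds read into the error return the function already provides. Separately, RevTTL falls back to `MAX_TTL - ttl` when the stream layer has no session TTL, which yields 0 for an observed TTL/hop limit of 255 and produces a reject packet that is dropped at the first hop; clamping with `if ( !new_ttl ) new_ttl = MAX_TTL;` after the subtraction avoids that. The memcpy in Encode_Format also does not check that `len` fits the clone's PKT_SZ buffer; if caplen is bounded to IP_MAXPACKET elsewhere that is fine, but a comment stating the assumption would help the next reader.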
@@ -0,0 +1,78 @@ +/* $Id$ */ +/**************************************************************************** + * + * Copyright (C) 2005-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +// @file encode.h +// @author Russ Combs + +#ifndef __ENCODE_H__ +#define __ENCODE_H__ + +#include "decode.h" + +void Encode_Init(void); +void Encode_Term(void); + +typedef enum { + ENC_TCP_FIN, ENC_TCP_RST, + ENC_UNR_NET, ENC_UNR_HOST, ENC_UNR_PORT, + ENC_MAX +} EncodeType; + +#define ENC_FLAG_FWD 0x80000000 // send in forward direction +#define ENC_FLAG_SEQ 0x40000000 // VAL bits contain seq adj +#define ENC_FLAG_ID 0x20000000 // use randomized IP ID +#define ENC_FLAG_NET 0x10000000 // stop after innermost network (ip4/6) layer +#define ENC_FLAG_DEF 0x08000000 // stop before innermost ip4 opts or ip6 frag header +#define ENC_FLAG_RAW 0x04000000 // don't encode outer eth header (this is raw ip) +#define ENC_FLAG_RES 0x03000000 // bits reserved for future use +#define ENC_FLAG_VAL 0x00FFFFFF // bits for adjusting seq and/or ack + +typedef uint32_t EncodeFlags; + +// orig must be the current packet from the interface to +// ensure proper encoding (not the 
reassembled packet). +// len is number of bytes in the encoded packet upon return +// (or 0 if the returned pointer is null). +const uint8_t* Encode_Reject( + EncodeType, EncodeFlags, const Packet* orig, uint32_t* len); + +const uint8_t* Encode_Response( + EncodeType, EncodeFlags, const Packet* orig, uint32_t* len, + const uint8_t* payLoad, uint32_t payLen); + +// allocate a Packet for later formatting (cloning) +Packet* Encode_New(void); + +// release the allocated Packet +void Encode_Delete(Packet*); + +// orig is the wire pkt; clone was obtained with New() +int Encode_Format(EncodeFlags, const Packet* orig, Packet* clone, PseudoPacketType); + +// update length and checksum fields in layers and caplen, etc. +void Encode_Update(Packet*); + +// Set the destination MAC address +void Encode_SetDstMAC(uint8_t* ); + +#endif // __ENCODE_H__ + diff -Nru snort-2.8.5.2/src/event.h snort-2.9.2/src/event.h --- snort-2.8.5.2/src/event.h 2009-05-06 22:28:10.000000000 +0000 +++ snort-2.9.2/src/event.h 2011-06-08 00:33:05.000000000 +0000 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify @@ -23,18 +23,11 @@ #ifndef __EVENT_H__ #define __EVENT_H__ -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - #ifdef OSF1 #include #endif #include -#ifndef WIN32 -#include -#endif #include "pcap_pkthdr32.h" diff -Nru snort-2.8.5.2/src/event_queue.c snort-2.9.2/src/event_queue.c --- snort-2.8.5.2/src/event_queue.c 2009-05-06 22:28:11.000000000 +0000 +++ snort-2.9.2/src/event_queue.c 2011-07-13 22:44:51.000000000 +0000 @@ -1,6 +1,6 @@ /* $Id$ */ /* - ** Copyright (C) 2004-2009 Sourcefire, Inc. + ** Copyright (C) 2004-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as 
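Review bot: `Encode_SetDstMAC(uint8_t* )` is declared with a non-const pointer although its comment only says it sets the destination MAC, i.e. the bytes are presumably read, not written; if the definition in encode.c just copies from the buffer, `void Encode_SetDstMAC(const uint8_t*);` lets callers pass const address data and documents that the buffer is not modified. The header also leaves `Encode_Init`/`Encode_Term` and the ENC_FLAG_VAL field undocumented; a comment such as `// ENC_FLAG_VAL is 24 bits wide: seq/ack adjustments larger than 0x00FFFFFF cannot be expressed` on the flag would save callers from silent truncation when they OR an adjustment into the flags word.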
@@ -29,15 +29,15 @@ ** functions for ordering incoming events. ** ** Notes: -** 11/1/05 Updates to add support for rules for all events in +** 11/1/05 Updates to add support for rules for all events in ** decoders and preprocessors and the detection engine. ** Added support for rule by rule flushing control via ** metadata. Also added code to check fo an otn for every ** event (gid,sid pair). This is now required to get events -** to be logged. The decoders and preprocessors are still -** configured independently, which allows them to inspect and +** to be logged. The decoders and preprocessors are still +** configured independently, which allows them to inspect and ** call the alerting functions SnortEventqAdd, GenerateSnortEvent() -** and GenerateEvent2() for sfportscan.c. The GnerateSnoprtEvent() +** and GenerateEvent2() for sfportscan.c. The GenerateSnortEvent() ** function now finds and otn and calls fpLogEvent. ** ** Any event that has no otn associated with it's gid,sid pair, @@ -45,17 +45,18 @@ ** configured to detect an alertable event. ** ** In the future, preporcessor may have an api that gets called -** after rules are loaded that checks for the gid/sid -> otn +** after rules are loaded that checks for the gid/sid -> otn ** mapping, and then adjusts it's inspection or detection -** accordingly. +** accordingly. +** +** SnortEventqAdd() - only adds events that have an otn ** -** SnortEventqAdd() - only adds events that have an otn -** */ #ifdef HAVE_CONFIG_H #include "config.h" #endif +#include "sf_types.h" #include "fpcreate.h" #include "fpdetect.h" #include "util.h" 
@@ -65,6 +66,28 @@ #include "sfthreshold.h" #include "sfPolicy.h" +//------------------------------------------------- +// the push/pop methods ensure that qIndex stays in +// bounds and that it is only popped after it was +// successfully pushed. +static unsigned qIndex = 0; +static unsigned qOverflow = 0; + +void SnortEventqPush(void) +{ + if ( qIndex < NUM_EVENT_QUEUES-1 ) qIndex++; + else qOverflow++; +} + +void SnortEventqPop(void) +{ + if ( qOverflow > 0 ) qOverflow--; + else if ( qIndex > 0 ) qIndex--; +} + +static unsigned s_events = 0; + +//------------------------------------------------- /* ** Set default values */ @@ -75,6 +98,7 @@ eq->max_events = 8; eq->log_events = 3; + eq->order = SNORT_EVENTQ_CONTENT_LEN; eq->process_all_events = 0; @@ -97,17 +121,17 @@ * g_event_queue.log_events into the queue. * ... Jan '06 */ -int SnortEventqAdd(unsigned int gid, - unsigned int sid, - unsigned int rev, - unsigned int classification, +int SnortEventqAdd(unsigned int gid, + unsigned int sid, + unsigned int rev, + unsigned int classification, unsigned int pri, char *msg, void *rule_info) { EventNode *en; - - en = (EventNode *)sfeventq_event_alloc(snort_conf->event_queue); + en = (EventNode *)sfeventq_event_alloc(snort_conf->event_queue[qIndex]); + if(!en) return -1; 
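Review bot: The overflow rule in `SnortEventqPush` is not documented: once `qIndex` reaches `NUM_EVENT_QUEUES-1`, further pushes only bump `qOverflow`, so events added at that nesting depth go into the same queue as the enclosing level, and a `SnortEventqReset` made at the inner level (it resets `event_queue[qIndex]`) also discards the enclosing level's pending events. That is an acceptable fallback but callers should know about it; extend the header comment with `// pushes beyond NUM_EVENT_QUEUES-1 share the last queue (qOverflow counts them), so inner adds/resets then affect the outer level's events`. The two other hunks on this line (`eq->order` default and the `if(!en) return -1;` guard in `SnortEventqAdd`) look fine; the added guard corrects a previously unchecked allocation.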
@@ -119,24 +143,24 @@ en->msg = msg; en->rule_info = rule_info; - /* + /* * Check if we have a preprocessor or decoder event * Preprocessors and decoders may be configured to inspect - * and alert in their principle configuration (legacy code) - * this test than checks if the rule otn says they should + * and alert in their principal configuration (legacy code) + * this test than checks if the rule otn says they should * be enabled or not. The rule itself will decide if it should * be an alert or a drop (sdrop) condition. */ - + #ifdef PREPROCESSOR_AND_DECODER_RULE_EVENTS { struct _OptTreeNode * potn; /* every event should have a rule/otn */ potn = OtnLookup(snort_conf->otn_map, gid, sid); - /* - * if no rule otn exists for this event, than it was - * not enabled via rules + /* + * if no rule otn exists for this event, than it was + * not enabled via rules */ if (potn == NULL) @@ -151,24 +175,38 @@ en->priority, en->msg); - if (potn != NULL) + if (potn != NULL) OtnLookupAdd(snort_conf->otn_map, potn); } + if (potn == NULL) + { + /* no otn found/created - do not add it to the queue */ + return 0; + } } - - if (potn == NULL) + else { - /* no otn found/created - do not add it to the queue */ - return 0; + tSfPolicyId policyId = getRuntimePolicy(); + RuleTreeNode* rtn = getRtnFromOtn(potn, policyId); + + if ( !rtn ) + { + if ( ScAutoGenPreprocDecoderOtns() ) + rtn = GenerateSnortEventRtn(potn, getRuntimePolicy()); + + if ( !rtn ) + return 0; + } } } #endif - - if (sfeventq_add(snort_conf->event_queue, (void *)en)) + + if (sfeventq_add(snort_conf->event_queue[qIndex], (void *)en)) { return -1; } - + s_events++; + return 0; } #ifdef OLD_RULE_ORDER @@ -222,7 +260,7 @@ { /* ** Neither event is a rule. Use incoming as - ** priority. Last one in goes at the end to + ** priority. Last one in goes at the end to ** preserve rule order. */ return 0; 
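Review bot: In the new `else` branch of `SnortEventqAdd` the policy is fetched into `policyId` and then fetched again for the fallback call; using the local keeps both lookups on the same policy and reads more clearly: `rtn = GenerateSnortEventRtn(potn, policyId);`. The rest of the branch is consistent with the preprocessor/decoder path above it (no otn or rtn means the event is dropped with `return 0`), and `s_events++` is correctly placed after the successful `sfeventq_add`. `SnortEventqAdd` itself starts before this hunk.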
@@ -243,10 +281,11 @@ #endif -SF_EVENTQ * SnortEventqNew(EventQueueConfig *eq_config) -{ - SF_EVENTQ *eq; +void SnortEventqNew( + EventQueueConfig *eq_config, SF_EVENTQ *eq[] +) { int (*sort)(void *, void*) = NULL; + int i; #ifdef OLD_RULE_ORDER if (eq_config->order == SNORT_EVENTQ_PRIORITY) @@ -263,13 +302,21 @@ } #endif - eq = sfeventq_new(eq_config->max_events, eq_config->log_events, + for ( i = 0; i < NUM_EVENT_QUEUES; i++ ) + { + eq[i] = sfeventq_new(eq_config->max_events, eq_config->log_events, sizeof(EventNode), sort); - if (eq == NULL) - FatalError("Failed to initialize Snort event queue.\n"); + if (eq[i] == NULL) + FatalError("Failed to initialize Snort event queue.\n"); + } +} - return eq; +void SnortEventqFree(SF_EVENTQ *eq[]) +{ + int i; + for ( i = 0; i < NUM_EVENT_QUEUES; i++ ) + sfeventq_free(eq[i]); } static int LogSnortEvents(void *event, void *user) @@ -283,6 +330,9 @@ if(!event || !user) return 0; + if ( s_events > 0 ) + s_events--; + en = (EventNode *)event; snort_user = (SNORT_EVENTQ_USER *)user; p = (Packet *)snort_user->pkt; @@ -325,7 +375,7 @@ en->classification, en->priority, en->msg); -#endif +#endif if (potn != NULL) { OtnLookupAdd(snort_conf->otn_map, potn); @@ -362,14 +412,14 @@ ** @return 1 logged events ** @return 0 did not log events or logged only decoder/preprocessor events */ -int SnortEventqLog(SF_EVENTQ *eq, Packet *p) +int SnortEventqLog(SF_EVENTQ *eq[], Packet *p) { static SNORT_EVENTQ_USER user; user.rule_alert = 0x00; user.pkt = (void *)p; - if (sfeventq_action(eq, LogSnortEvents, (void *)&user) > 0) + if (sfeventq_action(eq[qIndex], LogSnortEvents, (void *)&user) > 0) { if (user.rule_alert) return 1; 
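Review bot: `SnortEventqFree` leaves every `eq[i]` pointing at freed memory; because the array lives in `snort_conf` and is indexed by `qIndex` from several places, a second free or a late `SnortEventqLog` during reload/shutdown would hit a dangling pointer. Clearing the slot as it is released costs one line: `if ( eq[i] ) { sfeventq_free(eq[i]); eq[i] = NULL; }` (the guard also makes the function safe to call on a partially initialised array, should `FatalError` in `SnortEventqNew` ever stop exiting). The `SnortEventqNew` loop looks correct as written, given that `FatalError` does not return.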
@@ -378,12 +428,20 @@ return 0; } -void SnortEventqReset(void) +static inline void reset_counts (void) { - sfeventq_reset(snort_conf->event_queue); + pc.log_limit += s_events; + s_events = 0; } -void SnortEventqFree(SF_EVENTQ *eq) +void SnortEventqResetCounts (void) { - sfeventq_free(eq); + reset_counts(); } + +void SnortEventqReset(void) +{ + sfeventq_reset(snort_conf->event_queue[qIndex]); + reset_counts(); +} + diff -Nru snort-2.8.5.2/src/event_queue.h snort-2.9.2/src/event_queue.h --- snort-2.8.5.2/src/event_queue.h 2009-05-06 22:28:11.000000000 +0000 +++ snort-2.9.2/src/event_queue.h 2011-07-13 22:44:51.000000000 +0000 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2004-2009 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -60,12 +60,19 @@ EventQueueConfig * EventQueueConfigNew(void); void EventQueueConfigFree(EventQueueConfig *); -SF_EVENTQ * SnortEventqNew(EventQueueConfig *); -void SnortEventqFree(SF_EVENTQ *); + +void SnortEventqNew(EventQueueConfig *, SF_EVENTQ*[]); +void SnortEventqFree(SF_EVENTQ *[]); + void SnortEventqReset(void); -int SnortEventqLog(SF_EVENTQ *, Packet *); +void SnortEventqResetCounts(void); + +int SnortEventqLog(SF_EVENTQ *[], Packet *); int SnortEventqAdd(unsigned int gid,unsigned int sid,unsigned int rev, unsigned int classification,unsigned int pri,char *msg, void *rule_info); +void SnortEventqPush(void); +void SnortEventqPop(void); + #endif diff -Nru snort-2.8.5.2/src/event_wrapper.c snort-2.9.2/src/event_wrapper.c --- snort-2.8.5.2/src/event_wrapper.c 2009-05-06 22:28:11.000000000 +0000 +++ snort-2.9.2/src/event_wrapper.c 2011-06-08 00:33:05.000000000 +0000 
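Review bot: `reset_counts` folds the single global `s_events` into `pc.log_limit` and zeroes it, but `SnortEventqReset` only resets `event_queue[qIndex]`; `s_events` is incremented for adds into any queue index, so if a reset happens between a `SnortEventqPush` and its `Pop` while an outer queue still holds unlogged events, those outer events are counted as log-limited now and their later `LogSnortEvents` decrements are swallowed by the `s_events > 0` guard. If nested queues are meant to be independent, keep one counter per queue (`static unsigned s_events[NUM_EVENT_QUEUES];`, indexed by `qIndex` in `SnortEventqAdd`, `LogSnortEvents` and here, with `pc.log_limit += s_events[qIndex]; s_events[qIndex] = 0;` in `reset_counts`); if sharing is intentional, a comment on `s_events` saying so would prevent the next reader from "fixing" it.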
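Review bot: `SnortEventqPush`/`SnortEventqPop` are added to the public header without a comment, so the balancing requirement and the fact that they change which queue `SnortEventqAdd`, `SnortEventqLog` and `SnortEventqReset` operate on is only discoverable from event_queue.c. A two-line comment above the declarations would do: `// select the active event queue for Add/Log/Reset; every Push must be balanced by a Pop` and `// (pushes beyond the configured depth share the last queue, see event_queue.c)`. Likewise `SnortEventqResetCounts` deserves a line saying it only resets the log-limit accounting and leaves queued events in place.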
@@ -1,6 +1,6 @@ /* $Id$ */ /* - ** Copyright (C) 1998-2009 Sourcefire, Inc. + ** Copyright (C) 1998-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -20,19 +20,19 @@ /** * @file event_wrapper.c * @author Chris Green - * + * * @date Wed Jun 18 10:49:59 2003 - * + * * @brief generate a snort event - * - * This is a wrapper around SetEvent,CallLogFuncs,CallEventFuncs + * + * This is a wrapper around SetEvent,CallLogFuncs,CallEventFuncs * * Notes: * - * 10/31/05 - Marc Norton + * 10/31/05 - Marc Norton * Changes to support every event being controlled via a rule. - * Modified GenerateSnortEvent() to re-route events to 'fpLogEvent' - * if a suitable otn was found. If no otn was found, than we do + * Modified GenerateSnortEvent() to re-route events to 'fpLogEvent' + * if a suitable otn was found. If no otn was found, than we do * not log the event at all, as no rule was provided. * Preprocessors are configured independently, and may detect * an event, but the rule controls the alert/drop functionality. @@ -42,14 +42,38 @@ #include "config.h" #endif +#include "sf_types.h" #include "rules.h" +#include "treenodes.h" #include "signature.h" #include "util.h" #include "event_wrapper.h" #include "fpdetect.h" -#include "debug.h" +#include "snort_debug.h" #include "sfPolicy.h" +RuleTreeNode* GenerateSnortEventRtn ( + OptTreeNode* otn, + tSfPolicyId policyId +) { + RuleTreeNode* rtn = getRtnFromOtn(otn, policyId); + + rtn = calloc(1, sizeof(RuleTreeNode)); + + if ( !rtn ) + return NULL; + + rtn->type = RULE_TYPE__ALERT; + + if ( addRtnToOtn(otn, policyId, rtn) != 0 ) + { + //unsuccessful adding rtn + free(rtn); + return NULL; + } + return rtn; +} + OptTreeNode * GenerateSnortEventOtn( uint32_t gen_id, uint32_t sig_id, 
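Review bot: In `GenerateSnortEventRtn` the result of `getRtnFromOtn(otn, policyId)` is overwritten by the `calloc` on the next statement, so the lookup is dead code and the function always allocates and attaches a new RTN. If the intent was to reuse an existing node for this policy, the lookup needs `if ( rtn ) return rtn;` before the `calloc`; if not, the lookup line should go, since as written a reader assumes it matters. In the two visible callers (`GenerateSnortEventOtn` in the next hunk, which passes a freshly created otn, and `SnortEventqAdd` in event_queue.c, which calls it only after its own `getRtnFromOtn` returned NULL) the lookup would return NULL anyway, so the practical effect today is just the wasted call.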
@@ -73,7 +97,7 @@ p->sigInfo.class_id = classification; p->generated = 1; - + p->sigInfo.rule_type=SI_RULE_TYPE_PREPROC; /* TODO: could be detect ... */ p->sigInfo.rule_flushing=SI_RULE_FLUSHING_OFF; /* only standard rules do this */ @@ -83,34 +107,25 @@ p->event_data.classification = classification; p->event_data.priority = priority; - rtn = calloc( 1, sizeof(RuleTreeNode) ); - if( !rtn ) - { - free(p); - return NULL; - } + rtn = GenerateSnortEventRtn(p, getRuntimePolicy()); - rtn->type = RULE_TYPE__ALERT; - - if (addRtnToOtn(p, getRuntimePolicy(), rtn) != 0) + if( !rtn ) { - //unsuccessful adding rtn free(p); - free(rtn); return NULL; } DEBUG_WRAP( LogMessage("Generating OTN for GID: %u, SID: %u\n",gen_id,sig_id);); - + return p; } /* * This function has been updated to find an otn and route the call to fpLogEvent - * if possible. This requires a rule be written for each decoder event, - * and possibly some preporcessor events. The bulk of eventing is handled vie the - * SnortEventqAdd() and SnortEventLog() functions - whichalready route the events to + * if possible. This requires a rule be written for each decoder event, + * and possibly some preporcessor events. The bulk of eventing is handled vie the + * SnortEventqAdd() and SnortEventLog() functions - whichalready route the events to * the fpLogEvent()function. */ uint32_t GenerateSnortEvent(Packet *p, 
@@ -121,27 +136,27 @@ uint32_t priority, char *msg) { - struct _OptTreeNode * potn; + struct _OptTreeNode * potn; if(!msg) { return 0; } - - /* + + /* * Check if we have a preprocessor or decoder event * Preprocessors and decoders may be configured to inspect - * and alert in their principle configuration (legacy code) - * this test then checks if the rule otn says they should + * and alert in their principle configuration (legacy code) + * this test then checks if the rule otn says they should * be enabled or not. The rule itself will decide if it should * be an alert or a drop (sdrop) condition. */ - + /* every event should have a rule/otn */ potn = OtnLookup(snort_conf->otn_map, gen_id, sig_id); - /* - * if no rule otn exists for this event, than it was - * not enabled via rules + /* + * if no rule otn exists for this event, than it was + * not enabled via rules */ if (potn == NULL) { @@ -158,7 +173,7 @@ msg); } #else - /* + /* * Until we have official 'preprocessor/decoder rules' we * will add the rule to the otn_lookup , once enabled, remove * this call to gen the otn... Once a preprocessor/decoder @@ -172,7 +187,7 @@ priority, msg); #endif - if (potn != NULL) + if (potn != NULL) OtnLookupAdd(snort_conf->otn_map, potn); } @@ -187,9 +202,9 @@ return potn->event_data.event_id; } -/** +/** * Log additional packet data using the same kinda mechanism tagging does. - * + * * @param p Packet to log * @param gen_id generator id * @param sig_id signature id @@ -199,7 +214,7 @@ * @param event_ref reference of a previous event * @param ref_sec the tv_sec of that previous event * @param msg The message data txt - * + * * @return 1 on success, 0 on FAILURE ( note this is to stay the same as GenerateSnortEvent() ) */ int LogTagData(Packet *p, 
@@ -211,20 +226,20 @@ uint32_t event_ref, time_t ref_sec, char *msg) - + { Event event; - + if(!event_ref || !ref_sec) return 0; SetEvent(&event, gen_id, sig_id, sig_rev, classification, priority, event_ref); event.ref_time.tv_sec = (uint32_t)ref_sec; - + if(p) CallLogFuncs(p, msg, NULL, &event); return 1; } - + diff -Nru snort-2.8.5.2/src/event_wrapper.h snort-2.9.2/src/event_wrapper.h --- snort-2.8.5.2/src/event_wrapper.h 2009-05-06 22:28:12.000000000 +0000 +++ snort-2.9.2/src/event_wrapper.h 2011-02-09 23:22:47.000000000 +0000 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -26,6 +26,7 @@ #include "detect.h" #include "decode.h" #include "rules.h" +#include "treenodes.h" /* * this has been upgarded to reroute traffic to fpLogEvent() @@ -51,6 +52,8 @@ uint32_t priority, char *msg ); +RuleTreeNode* GenerateSnortEventRtn(OptTreeNode*, tSfPolicyId); + int LogTagData(Packet *p, uint32_t gen_id, uint32_t sig_id, diff -Nru snort-2.8.5.2/src/fpcreate.c snort-2.9.2/src/fpcreate.c --- snort-2.8.5.2/src/fpcreate.c 2009-10-02 20:29:55.000000000 +0000 +++ snort-2.9.2/src/fpcreate.c 2011-10-26 18:28:52.000000000 +0000 @@ -3,7 +3,7 @@ ** ** fpcreate.c ** -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Dan Roelker ** Marc Norton ** 
@@ -34,50 +34,99 @@ #include #include +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "snort.h" #include "rules.h" +#include "treenodes.h" +#include "treenodes.h" #include "parser.h" #include "fpcreate.h" #include "fpdetect.h" #include "sp_pattern_match.h" #include "sp_icmp_code_check.h" #include "sp_icmp_type_check.h" +#include "sp_file_data.h" #include "sp_ip_proto.h" #include "plugin_enum.h" #include "util.h" #include "rules.h" +#include "treenodes.h" +#include "treenodes.h" #include "parser.h" - +#include "target-based/sftarget_reader.h" #include "mpse.h" #include "bitop_funcs.h" -#ifdef PORTLISTS +#ifdef INTEL_SOFT_CPM +#include "sfutil/intel-soft-cpm.h" +#endif + #include "snort.h" #include "sp_clientserver.h" #include "sfutil/sfportobject.h" #include "sfutil/sfrim.h" -#endif - -SnortConfig *snort_conf_for_fast_pattern = NULL; - #include "detection_options.h" #include "sfPolicy.h" - -extern int CheckANDPatternMatch(void *option_data, Packet *p); -extern int CheckUriPatternMatch(void *option_data, Packet *p); - #ifdef DYNAMIC_PLUGIN #include "dynamic-plugins/sp_dynamic.h" +#include "dynamic-plugins/sp_preprocopt.h" #endif +#include "dynamic-plugins/sf_dynamic_define.h" + +/* + * Content flag values + */ +enum +{ + PGCT_NOCONTENT=0, + PGCT_CONTENT=1, + PGCT_URICONTENT=2 +}; static void fpAddIpProtoOnlyRule(SF_LIST **, OptTreeNode *); static void fpRegIpProto(uint8_t *, OptTreeNode *); static int fpCreatePortGroups(SnortConfig *, rule_port_tables_t *); static void fpDeletePortGroup(void *); +static void fpDeletePMX(void *data); +static int fpGetFinalPattern(FastPatternConfig *fp, PatternMatchData *pmd, + char **ret_pattern, int *ret_bytes); +#ifdef DYNAMIC_PLUGIN +static FPContentInfo * GetLongestDynamicContent(FPContentInfo *content_list); +static PatternMatchData * GetDynamicFastPatternPmd(DynamicData *dd, int dd_type); +static inline int IsDynamicContentFpEligible(FPContentInfo *content); +static inline PatternMatchData * 
DynamicContentToPmd(FPContentInfo *content_info); +static inline void FreeDynamicContentList(FPContentInfo *fplist); +#endif +static PatternMatchData * GetLongestPmdContent(OptTreeNode *otn, int type); +static int fpFinishPortGroupRule(PORT_GROUP *pg, PmType pm_type, + OptTreeNode *otn, PatternMatchData *pmd, FastPatternConfig *fp); +static int fpFinishPortGroup(PORT_GROUP *pg, FastPatternConfig *fp); +static int fpAllocPms(PORT_GROUP *pg, FastPatternConfig *fp); +static int fpAddPortGroupRule(PORT_GROUP *pg, OptTreeNode *otn, FastPatternConfig *fp); +static int fpAddPortGroupPrmx(PORT_GROUP *pg, OptTreeNode *otn, int cflag); +static inline int IsPmdFpEligible(PatternMatchData *content); +static void PrintFastPatternInfo(OptTreeNode *otn, PatternMatchData *pmd, + const char *pattern, int pattern_length, PmType pm_type); +#ifdef DYNAMIC_PLUGIN +static int GetPreprocOptPmdList(OptTreeNode *, PatternMatchData **); +static int UsePreprocOptFastPatterns(PatternMatchData *, PatternMatchData *); +#endif + +static const char *pm_type_strings[PM_TYPE__MAX] = +{ + "Normal Content", + "HTTP Uri content", + "HTTP Header content", + "HTTP Client body content", + "HTTP Method content", +}; /* #define LOCAL_DEBUG */ -#ifdef PORTLISTS extern rule_index_map_t * ruleIndexMap; extern int rule_count; @@ -93,16 +142,16 @@ /* * Test if this otn is for traffic to the server */ -static int fpOtnFlowToServer( OptTreeNode * otn ) +static int fpOtnFlowToServer( OptTreeNode * otn ) { - if( OtnFlowFromClient(otn) ) + if( OtnFlowFromClient(otn) ) return 1; - + #ifdef DYNAMIC_PLUGIN if (otn->ds_list[PLUGIN_DYNAMIC]) { DynamicData *dd = (DynamicData *)otn->ds_list[PLUGIN_DYNAMIC]; - int optType = OPTION_TYPE_FLOWFLAGS; + DynamicOptionType optType = OPTION_TYPE_FLOWFLAGS; int flags = FLOW_TO_SERVER; if (dd->hasOptionFunction(dd->contextData, optType, flags)) 
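Review bot: The include block now lists `#include "treenodes.h"` four times (two added right after `rules.h`, two more added after the second `rules.h`), and with the added `#include "snort.h"` at the top, `snort.h`, `rules.h` and `parser.h` are each included twice as well; include guards make this harmless but it reads like a merge accident and should be collapsed to one include per header. Separately, `pm_type_strings[PM_TYPE__MAX]` is initialised with five entries; if `PM_TYPE__MAX` is larger than five (it is defined elsewhere), the remaining slots are NULL and any `%s` use of them in `PrintFastPatternInfo` would be undefined behaviour, so a `_Static_assert` or a comment tying the table to the enum order would be worth adding.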
@@ -112,19 +161,19 @@ return 0; } /* - * Test if this otn is for traffic to the client + * Test if this otn is for traffic to the client */ -static -int fpOtnFlowToClient( OptTreeNode * otn ) +static +int fpOtnFlowToClient( OptTreeNode * otn ) { - if( OtnFlowFromServer(otn) ) + if( OtnFlowFromServer(otn) ) return 1; - + #ifdef DYNAMIC_PLUGIN if (otn->ds_list[PLUGIN_DYNAMIC]) { DynamicData *dd = (DynamicData *)otn->ds_list[PLUGIN_DYNAMIC]; - int optType = OPTION_TYPE_FLOWFLAGS; + DynamicOptionType optType = OPTION_TYPE_FLOWFLAGS; int flags = FLOW_TO_CLIENT; if (dd->hasOptionFunction(dd->contextData, optType, flags)) @@ -137,25 +186,25 @@ #if 0 Not currently used /* -* Extract the Icmp Type field to determine the PortGroup. +* Extract the Icmp Type field to determine the PortGroup. * * returns : * -1 : any, or not an EQ tests * >0 : any other ip type -* +* */ -static +static int GetOtnIcmpType (OptTreeNode * otn ) { int type; IcmpTypeCheckData * IcmpType; - + IcmpType = (IcmpTypeCheckData *)otn->ds_list[PLUGIN_ICMP_TYPE]; - + if( IcmpType && (IcmpType->operator == ICMP_TYPE_TEST_EQ) ) { type = IcmpType->icmp_type; - } + } else { return -1; @@ -181,14 +230,14 @@ static srmm_table_t * ServiceMapNew(void) { srmm_table_t *table = (srmm_table_t *)SnortAlloc(sizeof(srmm_table_t)); - - table->tcp_to_srv = alloc_srvmap(); - table->tcp_to_cli = alloc_srvmap(); - table->udp_to_srv = alloc_srvmap(); - table->udp_to_cli = alloc_srvmap(); - - table->icmp_to_srv = alloc_srvmap(); + table->tcp_to_srv = alloc_srvmap(); + table->tcp_to_cli = alloc_srvmap(); + + table->udp_to_srv = alloc_srvmap(); + table->udp_to_cli = alloc_srvmap(); + + table->icmp_to_srv = alloc_srvmap(); table->icmp_to_cli = alloc_srvmap(); table->ip_to_srv = alloc_srvmap(); 
@@ -223,14 +272,14 @@ static SFGHASH * alloc_spgmm(void) { SFGHASH * p; - + /* TODO: keys are ascii service names - for now ! */ p = sfghash_new(1000, /* # rows in table */ 0, /* size: of key 0 = ascii, >0 = fixed size */ 0, /* bool:user keys, if true just store this pointer, don't copy the key */ fpDeletePortGroup); /* ??? Why shouldn't we delete the port groups ??? */ - //(void(*)(void*))0 /* free nodes are port_groups do not delete here */ ); + //(void(*)(void*))0 /* free nodes are port_groups do not delete here */ ); if (p == NULL) FatalError("could not allocate a service port_group map : no memory?\n"); @@ -242,13 +291,13 @@ { srmm_table_t *table = (srmm_table_t *)SnortAlloc(sizeof(srmm_table_t)); - table->tcp_to_srv = alloc_spgmm(); - table->tcp_to_cli = alloc_spgmm(); + table->tcp_to_srv = alloc_spgmm(); + table->tcp_to_cli = alloc_spgmm(); - table->udp_to_srv = alloc_spgmm(); - table->udp_to_cli = alloc_spgmm(); + table->udp_to_srv = alloc_spgmm(); + table->udp_to_cli = alloc_spgmm(); - table->icmp_to_srv = alloc_spgmm(); + table->icmp_to_srv = alloc_spgmm(); table->icmp_to_cli = alloc_spgmm(); table->ip_to_srv = alloc_spgmm(); 
@@ -312,43 +361,43 @@ void ServiceMapAddOtnRaw( SFGHASH * table, char * servicename, OptTreeNode * otn ) { SF_LIST * list; - + list = (SF_LIST*) sfghash_find( table, servicename ); - + if( !list ) { /* create the list */ list = sflist_new(); if( !list ) FatalError("service_rule_map: could not create a service rule-list\n"); - + /* add the service list to the table */ if( sfghash_add( table, servicename, list ) != SFGHASH_OK ) { FatalError("service_rule_map: could not add a rule to the rule-service-map\n"); } } - + /* add the rule */ if( sflist_add_tail( list, otn ) ) FatalError("service_rule_map: could not add a rule to the service rule-list\n"); } /* * maintain a table of service maps, one for each protocol and direction, - * each service map maintains a list of otn's for each service it maps to a + * each service map maintains a list of otn's for each service it maps to a * service name. */ static int ServiceMapAddOtn(srmm_table_t *srmm, int proto, char *servicename, OptTreeNode *otn) { SFGHASH * to_srv; /* to srv service rule map */ SFGHASH * to_cli; /* to cli service rule map */ - - if( !servicename ) + + if( !servicename ) return 0; if(!otn ) return 0; - + if( proto == IPPROTO_TCP) { to_srv = srmm->tcp_to_srv; @@ -378,7 +427,7 @@ { ServiceMapAddOtnRaw( to_srv, servicename, otn ); } - else if( fpOtnFlowToClient(otn) ) + else if( fpOtnFlowToClient(otn) ) { ServiceMapAddOtnRaw( to_cli, servicename, otn ); } @@ -392,9 +441,6 @@ } // TARGET_BASED #endif -// PORTLISTS -#endif - /* ** The following functions are wrappers to the pcrm routines, 
@@ -415,103 +461,18 @@ return prmFindRuleGroup( prm, type, -1, &src, type_group, gen); } -int prmFindRuleGroupTcp(PORT_RULE_MAP *prm, int dport, int sport, PORT_GROUP ** src, +int prmFindRuleGroupTcp(PORT_RULE_MAP *prm, int dport, int sport, PORT_GROUP ** src, PORT_GROUP **dst , PORT_GROUP ** gen) { return prmFindRuleGroup( prm, dport, sport, src, dst , gen); } -int prmFindRuleGroupUdp(PORT_RULE_MAP *prm, int dport, int sport, PORT_GROUP ** src, +int prmFindRuleGroupUdp(PORT_RULE_MAP *prm, int dport, int sport, PORT_GROUP ** src, PORT_GROUP **dst , PORT_GROUP ** gen) { return prmFindRuleGroup( prm, dport, sport, src, dst , gen); } - -/* -** These Otnhas* functions check the otns for different contents. This -** helps us decide later what group (uri, content) the otn will go to. -*/ -int OtnHasContent( OptTreeNode * otn ) -{ - if( !otn ) return 0; - - if( otn->ds_list[PLUGIN_PATTERN_MATCH] || otn->ds_list[PLUGIN_PATTERN_MATCH_OR] ) - { - return 1; - } - -#ifdef DYNAMIC_PLUGIN - if (otn->ds_list[PLUGIN_DYNAMIC]) - { - DynamicData *dd = (DynamicData *)otn->ds_list[PLUGIN_DYNAMIC]; - if (dd->fpContentFlags & FASTPATTERN_NORMAL) - return 1; - } -#endif - - return 0; -} - -int OtnHasUriContent( OptTreeNode * otn ) -{ - if( !otn ) return 0; - - if( otn->ds_list[PLUGIN_PATTERN_MATCH_URI] ) - { - return PatternMatchUriBuffer(otn->ds_list[PLUGIN_PATTERN_MATCH_URI]); - } - -#ifdef DYNAMIC_PLUGIN - if (otn->ds_list[PLUGIN_DYNAMIC]) - { - DynamicData *dd = (DynamicData *)otn->ds_list[PLUGIN_DYNAMIC]; - if (dd->fpContentFlags & FASTPATTERN_URI) - return 1; - } -#endif - - return 0; -} - -#ifndef PORTLISTS -/* -** -** NAME -** CheckPorts:: -** -** DESCRIPTION -** This function returns the port to use for a given signature. -** Currently, only signatures that have a unique port (meaning that -** the port is singular and not a range) are added as specific -** ports to the port list. If there is a range of ports in the -** signature, then it is added as a generic rule. 
-** -** This can be refined at any time, and limiting the number of -** generic rules would be a good idea. -** -** FORMAL INPUTS -** u_short - the high port of the signature range -** u_short - the low port of the signature range -** -** FORMAL OUTPUT -** int - -1 means generic, otherwise it is the port -** -*/ -static int CheckPorts(u_short high_port, u_short low_port) -{ - if( high_port == low_port ) - { - return high_port; - } - else - { - return -1; - } -} -#endif /* PORTLISTS */ - - void free_detection_option_root(void **existing_tree) { detection_option_tree_root_t *root; @@ -603,7 +564,7 @@ /* Build out sub-nodes for each option in the OTN fp list */ while (opt_fp) { - /* If child node does not match existing option_data, + /* If child node does not match existing option_data, * Create a child branch from a given sub-node. */ void *option_data = opt_fp->context; char found_child_match = 0; @@ -614,6 +575,19 @@ continue; } + /* Don't add contents that are only for use in the + * fast pattern matcher */ + if ((opt_fp->type == RULE_OPTION_TYPE_CONTENT) + || (opt_fp->type == RULE_OPTION_TYPE_CONTENT_URI)) + { + PatternMatchData *pmd = (PatternMatchData *)option_data; + if (pmd->fp_only) + { + opt_fp = opt_fp->next; + continue; + } + } + if (!child) { /* No children at this node */ @@ -687,7 +661,8 @@ { root->num_children++; tmp_children = SnortAlloc(sizeof(detection_option_tree_node_t *) * root->num_children); - memcpy(tmp_children, root->children, sizeof(detection_option_tree_node_t *) * (root->num_children-1)); + memcpy(tmp_children, root->children, + sizeof(detection_option_tree_node_t *) * (root->num_children-1)); free(root->children); root->children = tmp_children; 
@@ -697,7 +672,8 @@ { node->num_children++; tmp_children = SnortAlloc(sizeof(detection_option_tree_node_t *) * node->num_children); - memcpy(tmp_children, node->children, sizeof(detection_option_tree_node_t *) * (node->num_children-1)); + memcpy(tmp_children, node->children, + sizeof(detection_option_tree_node_t *) * (node->num_children-1)); free(node->children); node->children = tmp_children; @@ -724,7 +700,8 @@ detection_option_tree_node_t **tmp_children; root->num_children++; tmp_children = SnortAlloc(sizeof(detection_option_tree_node_t *) * root->num_children); - memcpy(tmp_children, root->children, sizeof(detection_option_tree_node_t *) * (root->num_children-1)); + memcpy(tmp_children, root->children, + sizeof(detection_option_tree_node_t *) * (root->num_children-1)); free(root->children); root->children = tmp_children; } @@ -737,7 +714,8 @@ detection_option_tree_node_t **tmp_children; node->num_children++; tmp_children = SnortAlloc(sizeof(detection_option_tree_node_t *) * node->num_children); - memcpy(tmp_children, node->children, sizeof(detection_option_tree_node_t *) * (node->num_children-1)); + memcpy(tmp_children, node->children, + sizeof(detection_option_tree_node_t *) * (node->num_children-1)); free(node->children); node->children = tmp_children; } @@ -811,9 +789,9 @@ } /* -** The following functions deal with the intialization of the +** The following functions deal with the intialization of the ** detection engine. These are set through parser.c with the -** option 'config detection:'. This functionality may be +** option 'config detection:'. This functionality may be ** broken out later into it's own file to separate from this ** file's functionality. */ 
@@ -827,15 +805,21 @@ FastPatternConfig *fp = (FastPatternConfig *)SnortAlloc(sizeof(FastPatternConfig)); + fpSetDefaults(fp); + return fp; +} + +void fpSetDefaults(FastPatternConfig *fp) +{ + if (fp == NULL) + return; + + memset(fp, 0, sizeof(FastPatternConfig)); + fp->inspect_stream_insert = 1; fp->search_method = MPSE_AC_BNFA; fp->max_queue_events = 5; - -#ifdef PORTLISTS fp->bleedover_port_limit = 1024; -#endif - - return fp; } void FastPatternConfigFree(FastPatternConfig *fp) @@ -875,7 +859,14 @@ { return fp->portlists_flags & PL_DEBUG_PRINT_RULEGROUPS_UNCOMPILED;; } - +int fpDetectGetDebugPrintFastPatterns(FastPatternConfig *fp) +{ + return fp->debug_print_fast_pattern; +} +int fpDetectSplitAnyAny(FastPatternConfig *fp) +{ + return fp->split_any_any; +} void fpDetectSetSingleRuleGroup(FastPatternConfig *fp) { fp->portlists_flags |= PL_SINGLE_RULE_GROUP; @@ -904,7 +895,10 @@ { fp->portlists_flags |= PL_DEBUG_PRINT_RULEGROUPS_UNCOMPILED; } - +void fpDetectSetDebugPrintFastPatterns(FastPatternConfig *fp, int flag) +{ + fp->debug_print_fast_pattern = flag; +} void fpSetDetectSearchOpt(FastPatternConfig *fp, int flag) { fp->search_opt = flag; @@ -920,7 +914,7 @@ { LogMessage("Detection:\n"); - if( !strcasecmp(method,"ac-std") ) /* default */ + if( !strcasecmp(method,"ac-std") ) { fp->search_method = MPSE_AC; LogMessage(" Search-Method = AC-Std\n"); @@ -942,6 +936,13 @@ fp->search_method = MPSE_ACF_Q; LogMessage(" Search-Method = AC-Full-Q\n"); } + else if( !strcasecmp(method,"ac-split") ) + { + fp->search_method = MPSE_ACF_Q; + fp->split_any_any = 1; + LogMessage(" Search-Method = AC-Full-Q\n"); + LogMessage(" Split Any/Any group = enabled\n"); + } else if( !strcasecmp(method,"ac-nq") ) { fp->search_method = MPSE_ACF; 
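Review bot: `fpSetDefaults()` memsets the whole FastPatternConfig before assigning four fields, and it is exported, so calling it on a config that has already been configured silently discards every setting the other setters on this page write (`split_any_any`, `debug_print_fast_pattern`, `search_opt`, `max_pattern_len`). A header comment would make that contract explicit: `/* Reset *fp to built-in defaults; wipes any previously parsed settings, so call before any fpDetectSet*/fpSet* setter */`. Whether FastPatternConfig holds heap-allocated members that the memset would leak cannot be told from this hunk; if it does, the reset should release them first.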
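Review bot: The two getters added in the `@@ -875` hunk and the setter in the `@@ -904` hunk are pasted directly against their neighbours with the separating blank lines removed (`}` immediately followed by `int fpDetectGetDebugPrintFastPatterns(`), unlike every other definition in this part of the file. Restore one blank line between definitions. A style nit only; the accessors themselves mirror the existing ones.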
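Review bot: The `ac-split` branch in the `@@ -942` hunk sets `fp->split_any_any = 1` and logs the enable message by hand, duplicating what `fpDetectSetSplitAnyAny()` (added in the `@@ -987` hunk on the next line of this page) already does, so the field handling and the log wording can drift between the two places. Replace the two hand-written lines with `fpDetectSetSplitAnyAny(fp, 1);` after `fp->search_method = MPSE_ACF_Q;`, assuming a prototype is visible here (the function is non-static, so presumably declared in the header). The `LogMessage(" Search-Method = AC-Full-Q\n")` line also hides that `ac-split` was the configured keyword; logging `" Search-Method = AC-Full-Q (ac-split)\n"` would let the startup log be matched back to the config.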
@@ -963,7 +964,7 @@ LogMessage(" Search-Method = AC-Sparse-Bands\n"); } /* These are for backwards compatability - and will be removed in future releases*/ - else if( !strcasecmp(method,"mwm") ) + else if( !strcasecmp(method,"mwm") ) { fp->search_method = MPSE_LOWMEM; LogMessage(" Search-Method = Low-Mem (MWM depracated)\n"); @@ -979,6 +980,13 @@ fp->search_method = MPSE_LOWMEM; LogMessage(" Search-Method = Low-Mem\n"); } +#ifdef INTEL_SOFT_CPM + else if( !strcasecmp(method,"intel-cpm") ) + { + fp->search_method = MPSE_INTEL_CPM; + LogMessage(" Search-Method = Intel CPM\n"); + } +#endif else { return -1; @@ -987,6 +995,19 @@ return 0; } +void fpDetectSetSplitAnyAny(FastPatternConfig *fp, int enable) +{ + if (enable) + { + fp->split_any_any = 1; + LogMessage(" Split Any/Any group = enabled\n"); + } + else + { + fp->split_any_any = 0; + } +} + /* ** Set the debug mode for the detection engine. */ 
@@ -1014,53 +1035,24 @@ } /* -** -** NAME -** IsPureNotRule -** -** DESCRIPTION -** Checks to see if a rule is a pure not rule. A pure not rule -** is a rule that has all "not" contents or Uri contents. -** -** FORMAL INPUTS -** PatternMatchData * - the match data to check for not contents. -** -** FORMAL OUTPUTS -** int - 1 is rule is a pure not, 0 is rule is not a pure not. -** +** Sets the maximum length of patterns to be inserted into the +** pattern matcher used. */ -static int IsPureNotRule( PatternMatchData *pmd_to_check, OptTreeNode * otn ) +void fpSetMaxPatternLen(FastPatternConfig *fp, unsigned int max_len) { - int rcnt=0,ncnt=0; - OptFpList *opt_fp = otn->opt_func; - PatternMatchData *pmd; - - while (opt_fp) + if (fp->max_pattern_len != 0) { - if ((opt_fp->OptTestFunc == CheckANDPatternMatch) || - (opt_fp->OptTestFunc == CheckUriPatternMatch)) - { - pmd = (PatternMatchData *)opt_fp->context; - if (pmd->buffer_func != pmd_to_check->buffer_func) - { - opt_fp = opt_fp->next; - continue; - } - rcnt++; - if( pmd->exception_flag ) ncnt++; - } - opt_fp = opt_fp->next; + LogMessage("WARNING: Maximum pattern length redefined.\n"); } - if( !rcnt ) return 0; - - return ( rcnt == ncnt ) ; + fp->max_pattern_len = max_len; + LogMessage(" Maximum pattern length = %u\n", max_len); } /* FLP_Trim * * Trim zero byte prefixes, this increases uniqueness - * - * returns + * + * returns * length - of trimmed pattern * buff - ptr to new beggining of trimmed buffer */ 
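Review bot: `fpSetMaxPatternLen()` uses `fp->max_pattern_len != 0` as its "already set" test, so a limit explicitly configured as 0 is indistinguishable from "never set": a later call then replaces it without the redefinition warning, and the function does not say what 0 means to its consumer (`fpGetFinalPattern()`, which lies outside this hunk). Document the sentinel in the header comment, e.g. `** A max_len of 0 leaves patterns untruncated; the redefinition warning relies on that sentinel.`, if that is indeed how `fpGetFinalPattern()` treats it, or reject 0 explicitly otherwise. `fpSetDefaults()` on the earlier page line guards against a NULL `fp` while this function dereferences it unguarded; one convention should be chosen for the `fpSet*` family.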
@@ -1068,2815 +1060,2198 @@ { int i; int size = 0; - + if( !p ) return 0; - + for(i=0;iopt_func; PatternMatchData *pmd; - PatternMatchData *pmdmax = NULL; - PatternMatchData *pmdmax_raw = NULL; - u_int max_size_raw=0; - int max_size=0; - int size=0; - int is_pure_not = IsPureNotRule(pmd_to_check, otn); + if (content_info == NULL) + return NULL; - while (opt_fp) + pmd = (PatternMatchData *)SnortAlloc(sizeof(PatternMatchData)); + pmd->pattern_buf = (char *)SnortAlloc(content_info->length); + memcpy(pmd->pattern_buf, content_info->content, content_info->length); + pmd->pattern_size = content_info->length; + pmd->nocase = content_info->noCaseFlag; + pmd->exception_flag = content_info->exception_flag; + pmd->fp = content_info->fp; + pmd->fp_offset = content_info->fp_offset; + pmd->fp_length = content_info->fp_length; + pmd->fp_only = content_info->fp_only; + pmd->uri_buffer = content_info->uri_buffer; + + return pmd; +} + +static PatternMatchData * DynamicFpContentsToPmdList(FPContentInfo *fp_list) +{ + FPContentInfo *tmp; + PatternMatchData *pmd_list = NULL; + + if (fp_list == NULL) + return NULL; + + for (tmp = fp_list; tmp != NULL; tmp = tmp->next) { - if ((opt_fp->OptTestFunc == CheckANDPatternMatch) || - (opt_fp->OptTestFunc == CheckUriPatternMatch)) + PatternMatchData *pmd = DynamicContentToPmd(tmp); + if (pmd != NULL) { - pmd = (PatternMatchData *)opt_fp->context; - if (pmd->buffer_func != pmd_to_check->buffer_func) - { - opt_fp = opt_fp->next; - continue; - } + /* Add these flags to indicate these patterns are only + * for the fast pattern matcher */ + pmd->fp = 1; + pmd->fp_only = 1; + + /* Add to list of pmds */ + (void)AppendPmdToList(&pmd_list, pmd); + } + } + + return pmd_list; +} + +static inline void FreeDynamicContentList(FPContentInfo *fplist) +{ + while (fplist != NULL) + { + FPContentInfo *tmp = fplist->next; + if (fplist->content != NULL) + free(fplist->content); + free(fplist); + fplist = tmp; + } +} + +static PatternMatchData * 
GetDynamicFastPatternPmd(DynamicData *dd, int dd_type) +{ + FPContentInfo *dc_list = NULL; + + if (dd == NULL) + return NULL; + + if (dd->getDynamicContents(dd->contextData, dd_type, &dc_list) == 0) + { + PatternMatchData *pmd = DynamicContentToPmd(GetLongestDynamicContent(dc_list)); + FreeDynamicContentList(dc_list); + return pmd; + } + + return NULL; +} + +static inline int IsDynamicContentFpEligible(FPContentInfo *content) +{ + if (content == NULL) + return 0; + + if ((content->content != NULL) && (content->length != 0)) + { + /* Negative contents cannot be considered for dynamic rules since + * detection option tree evaluation only looks at content types + * for short circuiting rules found in the pattern matcher and + * essentially the dynamic rule will always have to be evaluated + * anyway in the no content tree */ + if (content->exception_flag) + return 0; + + return 1; + } + + return 0; +} + +static FPContentInfo * GetLongestDynamicContent(FPContentInfo *content_list) +{ + FPContentInfo *content = NULL; + FPContentInfo *content_zero = NULL; + FPContentInfo *tmp; + int max_size = 0; + int max_zero_size = 0; + + if (content_list == NULL) + return NULL; + + for (tmp = content_list; tmp != NULL; tmp = tmp->next) + { + if (tmp->fp) + return tmp; + + /* XXX COOKIE contents and some others should not be in the content list + * See GetDynamicContents() in sf_snort_detection_engine.c */ + + if (IsDynamicContentFpEligible(tmp)) + { + int size = FLP_Trim(tmp->content, tmp->length, NULL); - if ((opt_fp->OptTestFunc == CheckUriPatternMatch) && - (pmd->uri_buffer == HTTP_SEARCH_COOKIE)) + /* In case we get all zeros patterns */ + if ((size == 0) && (tmp->length > max_zero_size)) { - /* Don't add cookie buffer patterns */ - opt_fp = opt_fp->next; - continue; + max_zero_size = tmp->length; + content_zero = tmp; } - - /* If this content is flagged for fast pattern, use it */ - if (pmd->flags & CONTENT_FAST_PATTERN) + else if (size > max_size) { - return pmd; + max_size = 
size; + content = tmp; } + } + } - if (pmd->pattern_buf && - (!pmd->exception_flag || (is_pure_not && !opt_fp->isRelative && !pmd->offset && !pmd->depth))) - { - /* Track longest filtered pattern length */ - size = FLP_Trim(pmd->pattern_buf, pmd->pattern_size,NULL); - if( (size > max_size) ) - { - pmdmax = pmd; - max_size = size; - } + if (content != NULL) + return content; + else if (content_zero != NULL) + return content_zero; - /* Track longest raw pattern length */ - if( pmd->pattern_size > max_size_raw ) - { - pmdmax_raw=pmd; - max_size_raw = pmd->pattern_size; - } + return NULL; + +} +#endif + +static inline int IsPmdFpEligible(PatternMatchData *content) +{ + if (content == NULL) + return 0; + + if ((content->pattern_buf != NULL) && (content->pattern_size != 0)) + { + /* We don't add cookie and some other contents to fast pattern matcher */ + if(content->uri_buffer && !IsHttpBufFpEligible(content->uri_buffer)) + return 0; + + if (content->exception_flag) + { + /* Negative contents can only be considered if they are not relative + * and don't have any offset or depth. This is because the pattern + * matcher does not take these into consideration and may find the + * content in a non-relevant section of the payload and thus disable + * the rule when it shouldn't be. + * Also case sensitive patterns cannot be considered since patterns + * are inserted into the pattern matcher without case which may + * lead to false negatives */ + if (content->use_doe || !content->nocase + || (content->offset != 0) || (content->depth != 0)) + { + return 0; } } - opt_fp = opt_fp->next; + return 1; } - /* return the longest filterd pattern, if a non-zero-byte one exists */ - if( pmdmax ) - return pmdmax; - - /* else return the longest, even if its all zeros */ - return pmdmax_raw; + return 0; } -#ifdef PORTLISTS -/* - * Original PortRuleMaps for each protocol requires creating the following structures. 
- * -pcrm.h - * PORT_RULE_MAP -> srcPortGroup,dstPortGroup,genericPortGroup - * PORT_GROUP -> pgPatData, pgPatDataUri (acsm objects), (also rule_node lists 1/rule, not neeed) - * each rule content added to an acsm object has a PMX data ptr associated with it. - * RULE_NODE -> iRuleNodeID (used for bitmap object index), otnx - * - * -fpcreate.h - * PMX -> RULE_NODE(->otnx), PatternMatchData - * OTNX -> otn,rtn,content_length - * - * PortList model supports the same structures except: - * - * -pcrm.h - * PORT_GROUP -> no rule_node lists needed, PortObjects maintain a list of rules used - * - * Generation of PortRuleMaps and data is done differently. - * - * 1) Build tcp/udp/icmp/ip src and dst PORT_GROUP objects based on the PortList Objects rules. - * - * 2) For each protocols PortList objects walk it's ports and assign the PORT_RULE_MAP src and dst - * PORT_GROUP[port] array pointers to that PortList objects PORT_GROUP. - * - * Implementation: - * - * Each PortList Object will be translated into a PORT_GROUP, than pointed to by the - * PORT_GROUP array in the PORT_RULE_MAP for the procotocol - * - * protocol = tcp, udp, ip, icmp - one port_rule_map for each of these protocols - * { create a port_rule_map - * dst port processing - * for each port-list object create a port_group object - * { create a pattern match object, store its pointer in port_group - * for each rule index in port-list object - * { - * get the gid+sid for the index - * lookup up the otn - * create otnx - * create pmx - * create RULE_NODE, set iRuleNodeID within this port-list object - * get longest content for the rule - * set up otnx,pmx,RULE_NODE - * add the content and pmx to the pattern match object - * } - * compile the pattern match object - * - * repeat for uri content - * } - * src port processing - * repeat as for dst port processing - * } - * ** bidirectional rules - these are added to both src and dst PortList objects, so they are - * automatically handled during conversion to 
port_group objects. - */ -/* -** Build a Pattern group for the Uri-Content rules in this group -** -** The patterns added for each rule must be suffcient so if we find any of them -** we proceed to fully analyze the OTN and RTN against the packet. -** -*/ -/* - * Init a port-list based rule map - */ -static -int fpCreateInitRuleMap( PORT_RULE_MAP * prm, PortTable * src, PortTable * dst, PortObject * anyany, PortObject * nc ) +static PatternMatchData * GetLongestPmdContent(OptTreeNode *otn, int type) { - SFGHASH_NODE * node; - PortObjectItem * poi; - PortObject2 * po; - int i; - //int * pi; - - /* setup the any-any-port content port group */ - prm->prmGeneric =(PORT_GROUP*) anyany->data; - - /* all rules that are any any some may not be content ? */ - prm->prmNumGenericRules = anyany->rule_list->count; - - prm->prmNumSrcRules= 0; - prm->prmNumDstRules= 0; - - prm->prmNumSrcGroups= 0; - prm->prmNumDstGroups= 0; - - /* Process src PORT groups */ - if(src ) - for( node=sfghash_findfirst(src->pt_mpxo_hash); - node; - node=sfghash_findnext(src->pt_mpxo_hash) ) - { - po = (PortObject2*)node->data; - - if( !po ) continue; - if( !po->data ) continue; - - /* Add up the total src rules */ - prm->prmNumSrcRules += po->rule_hash->count; - - /* Increment the port group count */ - prm->prmNumSrcGroups++; + PatternMatchData *pmd = NULL; + PatternMatchData *pmd_not = NULL; + PatternMatchData *pmd_zero = NULL; + PatternMatchData *pmd_zero_not = NULL; + OptFpList *ofl; + int max_size = 0; + int max_not_size = 0; + int max_zero_size = 0; + int max_zero_not_size = 0; + uint8_t base64_buf_flag = 0; + uint8_t mime_buf_flag = 0; + + if (otn == NULL) + return NULL; + + for (ofl = otn->opt_func; ofl != NULL; ofl = ofl->next) + { + PatternMatchData *tmp = (PatternMatchData *)ofl->context; + FileData *filedata; - /* Add this port group to the src table at each port that uses it */ - for( poi = (PortObjectItem*)sflist_first(po->item_list); - poi; - poi = 
(PortObjectItem*)sflist_next(po->item_list) ) + switch (ofl->type) { - switch(poi->type) - { - case PORT_OBJECT_ANY: - break; - case PORT_OBJECT_PORT: -#if 0 - /* This test is always true since poi->lport is a 16 bit - * int and MAX_PORTS is 64K. If this relationship should - * change, the test should be compiled back in. - */ - if( poi->lport < MAX_PORTS ) -#endif - prm->prmSrcPort[ poi->lport ] = (PORT_GROUP*)po->data; - break; - case PORT_OBJECT_RANGE: - for(i= poi->lport;i<= poi->hport;i++ ) - { - prm->prmSrcPort[ i ] = (PORT_GROUP*)po->data; - } - break; - } + case RULE_OPTION_TYPE_CONTENT: + if (type != CONTENT_NORMAL) + continue; + else if(base64_buf_flag || mime_buf_flag) + continue; + break; + case RULE_OPTION_TYPE_CONTENT_URI: + base64_buf_flag = 0; + mime_buf_flag = 0; + if (type != CONTENT_HTTP) + continue; + break; + case RULE_OPTION_TYPE_BASE64_DATA: + base64_buf_flag =1; + continue; + case RULE_OPTION_TYPE_PKT_DATA: + base64_buf_flag = 0; + mime_buf_flag = 0; + continue; + case RULE_OPTION_TYPE_FILE_DATA: + filedata = (FileData *)ofl->context; + if(filedata->mime_decode_flag) + mime_buf_flag = 1; + continue; + + default: + continue; } - } - - /* process destination port groups */ - if( dst ) - for( node=sfghash_findfirst(dst->pt_mpxo_hash); - node; - node=sfghash_findnext(dst->pt_mpxo_hash) ) - { - po = (PortObject2*)node->data; - - if( !po ) continue; - if( !po->data ) continue; - /* Add up the total src rules */ - prm->prmNumDstRules += po->rule_hash->count; - - /* Increment the port group count */ - prm->prmNumDstGroups++; + if (tmp->fp) + return tmp; - /* Add this port group to the src table at each port that uses it */ - for( poi = (PortObjectItem*)sflist_first(po->item_list); - poi; - poi = (PortObjectItem*)sflist_next(po->item_list) ) + if (IsPmdFpEligible(tmp)) { - switch(poi->type) - { - case PORT_OBJECT_ANY: - break; - case PORT_OBJECT_PORT: -#if 0 - /* This test is always true since poi->lport is a 16 bit - * int and MAX_PORTS is 64K. 
If this relationship should - * change, the test should be compiled back in. - */ - if( poi->lport < MAX_PORTS ) -#endif - prm->prmDstPort[ poi->lport ] = (PORT_GROUP*)po->data; - break; - case PORT_OBJECT_RANGE: - for(i= poi->lport;i<= poi->hport;i++ ) - { - prm->prmDstPort[ i ] = (PORT_GROUP*)po->data; - } - break; - } + int size = FLP_Trim(tmp->pattern_buf, tmp->pattern_size, NULL); + + /* In case we get all zeros patterns */ + if ((size == 0) && ((int)tmp->pattern_size > max_zero_size)) + { + if (tmp->exception_flag) + { + max_zero_not_size = tmp->pattern_size; + pmd_zero_not = tmp; + } + else + { + max_zero_size = tmp->pattern_size; + pmd_zero = tmp; + } + } + else if (size > max_size) + { + if (tmp->exception_flag) + { + max_not_size = size; + pmd_not = tmp; + } + else + { + max_size = size; + pmd = tmp; + } + } } - } - - return 0; + } + + if (pmd != NULL) + return pmd; + else if (pmd_zero != NULL) + return pmd_zero; + else if (pmd_not != NULL) + return pmd_not; + else if (pmd_zero_not != NULL) + return pmd_zero_not; + + return NULL; } -/* - * Create and initialize the rule maps - */ -static int fpCreateRuleMaps(SnortConfig *sc, rule_port_tables_t *p) + +#ifdef DYNAMIC_PLUGIN +static int GetPreprocOptPmdList(OptTreeNode *otn, PatternMatchData **pmd_list) { - sc->prmTcpRTNX = prmNewMap(); - if (sc->prmTcpRTNX == NULL) - return 1; + OptFpList *ofl; + int dir = 0; - if (fpCreateInitRuleMap(sc->prmTcpRTNX, p->tcp_src, p->tcp_dst, p->tcp_anyany,p->tcp_nocontent)) + if ((otn == NULL) || (pmd_list == NULL)) return -1; - sc->prmUdpRTNX = prmNewMap(); - if (sc->prmUdpRTNX == NULL) - return -1; + if (otn->ds_list[PLUGIN_DYNAMIC] != NULL) + { + DynamicData *dd = otn->ds_list[PLUGIN_DYNAMIC]; + FPContentInfo *fp_contents = NULL; - if (fpCreateInitRuleMap(sc->prmUdpRTNX, p->udp_src, p->udp_dst, p->udp_anyany,p->udp_nocontent)) - return -1; + if (dd->getPreprocFpContents(dd->contextData, &fp_contents) == 0) + { + *pmd_list = DynamicFpContentsToPmdList(fp_contents); + 
FreeDynamicContentList(fp_contents); - sc->prmIpRTNX = prmNewMap(); - if (sc->prmIpRTNX == NULL) - return 1; + if (*pmd_list == NULL) + return -1; + + return 0; + } - if (fpCreateInitRuleMap(sc->prmIpRTNX, p->ip_src, p->ip_dst, p->ip_anyany, p->ip_nocontent)) return -1; + } - sc->prmIcmpRTNX = prmNewMap(); - if (sc->prmIcmpRTNX == NULL) - return 1; + if (otn->ds_list[PLUGIN_CLIENTSERVER] != NULL) + { + ClientServerData *csd = (ClientServerData *)otn->ds_list[PLUGIN_CLIENTSERVER]; + if (csd->from_server) + dir = PKT_FROM_SERVER; + else if (csd->from_client) + dir = PKT_FROM_CLIENT; + } - if (fpCreateInitRuleMap(sc->prmIcmpRTNX, p->icmp_src, p->icmp_dst, p->icmp_anyany, p->icmp_nocontent)) + for (ofl = otn->opt_func; ofl != NULL; ofl = ofl->next) + { + if (ofl->type == RULE_OPTION_TYPE_PREPROCESSOR) + { + FPContentInfo *fp_contents = NULL; + + if (GetPreprocFastPatterns(ofl->context, otn->proto, dir, &fp_contents) == 0) + { + PatternMatchData *tmp_list = DynamicFpContentsToPmdList(fp_contents); + (void)AppendPmdToList(pmd_list, tmp_list); + + FreeDynamicContentList(fp_contents); + } + } + } + + if (*pmd_list == NULL) return -1; return 0; } -static void fpFreeRuleMaps(SnortConfig *sc) +static int UsePreprocOptFastPatterns(PatternMatchData *pmd, PatternMatchData *preproc_pmds) { - if (sc == NULL) - return; + int pmd_size; + PatternMatchData *tmp; - if (sc->prmTcpRTNX != NULL) - { - free(sc->prmTcpRTNX); - sc->prmTcpRTNX = NULL; - } + if ((pmd == NULL) || !IsPmdFpEligible(pmd)) + return 1; - if (sc->prmUdpRTNX != NULL) - { - free(sc->prmUdpRTNX); - sc->prmUdpRTNX = NULL; - } + if (preproc_pmds == NULL) + return 0; - if (sc->prmIpRTNX != NULL) - { - free(sc->prmIpRTNX); - sc->prmIpRTNX = NULL; - } + pmd_size = FLP_Trim(pmd->pattern_buf, pmd->pattern_size, NULL); - if (sc->prmIcmpRTNX != NULL) + for (tmp = preproc_pmds; tmp != NULL; tmp = tmp->next) { - free(sc->prmIcmpRTNX); - sc->prmIcmpRTNX = NULL; - } -} + int tmp_size = FLP_Trim(tmp->pattern_buf, tmp->pattern_size, 
NULL); + /* If both are not contents or both are not not contents, + * compare pattern length */ + if ((tmp->exception_flag && pmd->exception_flag) + || (!tmp->exception_flag && !pmd->exception_flag)) + { + if (tmp_size > pmd_size) + return 1; + } -/* - * Add the longest content in the Pattern Match Data - * to the mpse pattern matcher - */ -static -int fpAddLongestContent( void * mpse, - OptTreeNode * otn, - int id, - PatternMatchData * pmd ) -{ - PatternMatchData * pmdmax; - OTNX * otnx; - PMX * pmx; - RULE_NODE * rn; - int FLP_Bytes; - char * FLP_Ptr; - - /* add AND content */ - if( !pmd || ! otn || ! pmd ) - return 0; - - /* get longest content after trimming the zero prefix - * this may return a zero byte string, if there is no choice - */ - pmdmax = FindLongestPattern( pmd, otn ); - if( !pmdmax ) - return 0; - - /* create ontx */ - otnx = SnortAlloc( sizeof(OTNX) ); - otnx->otn = otn; - otnx->content_length = pmdmax->pattern_size; + /* If the preproc pattern is not notted and the content pmd is, + * use the preproc patterns */ + if (!tmp->exception_flag && pmd->exception_flag) + return 1; + } - /* create a rule_node */ - rn = (RULE_NODE*) SnortAlloc( sizeof(RULE_NODE) ); - rn->iRuleNodeID = id; - rn->rnRuleData = otnx; - - /* create pmx */ - pmx = (PMX*)SnortAlloc (sizeof(PMX) ); - pmx->RuleNode = rn; - pmx->PatternMatchData= pmdmax; - - /* trim the prefix */ - FLP_Bytes= FLP_Trim(pmdmax->pattern_buf,pmdmax->pattern_size,&FLP_Ptr); - - /* if we have a zero byte string, use the whole string */ - if( FLP_Bytes == 0 ) - { - FLP_Bytes = pmdmax->pattern_size; - FLP_Ptr = pmdmax->pattern_buf; - } - - mpseAddPattern( mpse, - FLP_Ptr, - FLP_Bytes, - pmdmax->nocase, /* NoCase: 1-NoCase, 0-Case */ - pmdmax->offset, - pmdmax->depth, - (unsigned)pmdmax->exception_flag, - pmx, - rn->iRuleNodeID ); - return 0; } -/* - * Add all contents in the Pattern Match Data - * to the mpse pattern matcher - */ -static -int fpAddAllContents( void * mpse, - OptTreeNode * otn, - int id, 
- PatternMatchData * pmd ) +#endif + +static int fpFinishPortGroupRule(PORT_GROUP *pg, PmType pm_type, + OptTreeNode *otn, PatternMatchData *pmd_list, FastPatternConfig *fp) { - OTNX * otnx; + OTNX *otnx; PMX * pmx; RULE_NODE * rn; - int FLP_Bytes; - char * FLP_Ptr; - OptFpList *opt_fp; - PatternMatchData *pmd_to_check = pmd; - int is_pure_not = IsPureNotRule(pmd_to_check, otn); + char *pattern; + int pattern_length; + PatternMatchData *pmd; + int pg_type; - if( !pmd || ! otn || ! pmd ) - return 0; + if ((pg == NULL) || (otn == NULL) || (fp == NULL)) + return -1; - opt_fp = otn->opt_func; + switch (pm_type) + { + case PM_TYPE__CONTENT: + if (pmd_list == NULL) + return -1; + pg_type = PGCT_CONTENT; + break; + case PM_TYPE__HTTP_URI_CONTENT: + case PM_TYPE__HTTP_HEADER_CONTENT: + case PM_TYPE__HTTP_CLIENT_BODY_CONTENT: + if (pmd_list == NULL) + return -1; + pg_type = PGCT_URICONTENT; + break; + case PM_TYPE__MAX: + default: + if (pmd_list != NULL) + return -1; + fpAddPortGroupPrmx(pg, otn, PGCT_NOCONTENT); + return 0; /* Not adding any content to pattern matcher */ + } - while (opt_fp) + for (pmd = pmd_list; pmd != NULL; pmd = pmd->next) { - if ((opt_fp->OptTestFunc == CheckANDPatternMatch) || - (opt_fp->OptTestFunc == CheckUriPatternMatch)) - { - pmd = (PatternMatchData *)opt_fp->context; - if (pmd->buffer_func != pmd_to_check->buffer_func) - { - opt_fp = opt_fp->next; - continue; - } - - if ((opt_fp->OptTestFunc == CheckUriPatternMatch) && - (pmd->uri_buffer == HTTP_SEARCH_COOKIE)) - { - /* Don't add cookie buffer patterns */ - opt_fp = opt_fp->next; - continue; - } - - /* If a not pattern, only add it if the rule is a pure not - * rule and the pattern is not relative */ - if (pmd->exception_flag && (!is_pure_not || opt_fp->isRelative || pmd->offset || pmd->depth)) - { - opt_fp = opt_fp->next; - continue; - } + if (pmd->exception_flag) + fpAddPortGroupPrmx(pg, otn, PGCT_NOCONTENT); + else + fpAddPortGroupPrmx(pg, otn, pg_type); - /* create ontx */ - otnx = 
SnortAlloc( sizeof(OTNX) ); - otnx->otn = otn; - otnx->content_length = pmd->pattern_size; - - /* create a rule_node */ - rn = (RULE_NODE*) SnortAlloc( sizeof(RULE_NODE) ); - rn->iRuleNodeID = id; - rn->rnRuleData = otnx; - - /* create pmx */ - pmx = (PMX*)SnortAlloc (sizeof(PMX) ); - pmx->RuleNode = rn; - pmx->PatternMatchData = pmd; - - /* Trim leading zeros for the muli-match */ - FLP_Bytes= FLP_Trim(pmd->pattern_buf,pmd->pattern_size,&FLP_Ptr); - if( FLP_Bytes == 0 ) - { - FLP_Bytes = pmd->pattern_size; - FLP_Ptr = pmd->pattern_buf; - } - mpseAddPattern( mpse, - FLP_Ptr, - FLP_Bytes, - pmd->nocase, /* NoCase: 1-NoCase, 0-Case */ - pmd->offset, - pmd->depth, - (unsigned)pmd->exception_flag, - pmx, - rn->iRuleNodeID ); - - } + if (fpGetFinalPattern(fp, pmd, &pattern, &pattern_length) == -1) + return -1; - opt_fp = opt_fp->next; + otnx = (OTNX *)SnortAlloc(sizeof(OTNX)); + otnx->otn = otn; + otnx->content_length = pmd->pattern_size; + + /* create a rule_node */ + rn = (RULE_NODE *)SnortAlloc(sizeof(RULE_NODE)); + rn->rnRuleData = otnx; + + /* create pmx */ + pmx = (PMX *)SnortAlloc(sizeof(PMX)); + pmx->RuleNode = rn; + pmx->PatternMatchData = pmd; + + if (fpDetectGetDebugPrintFastPatterns(fp)) + PrintFastPatternInfo(otn, pmd, pattern, pattern_length, pm_type); + + mpseAddPattern( + pg->pgPms[pm_type], + pattern, + pattern_length, + pmd->nocase, + pmd->offset, + pmd->depth, + (unsigned)pmd->exception_flag, + pmx, + rn->iRuleNodeID + ); } - return 0; + return 0; } -/* - * Add the content 'type' to the mpse pattern matcher - */ -#ifdef DYNAMIC_PLUGIN -static -int fpAddDynamicContents( - void *mpse, - OptTreeNode *otn, - int id, - int type /* normal or uri */ - ) -{ - /* Add in plugin contents for fast pattern matcher */ - DynamicData *dd = (DynamicData *)otn->ds_list[PLUGIN_DYNAMIC]; - - if (dd != NULL) - { - /* get the array of content 'types = NORMAL or URI */ - FPContentInfo *fplist[PLUGIN_MAX_FPLIST_SIZE]; - int n = 
dd->fastPatternContents(dd->contextData,type,fplist,PLUGIN_MAX_FPLIST_SIZE); - int i; - - for(i=0;ipmds == NULL) + for (i = PM_TYPE__CONTENT; i < PM_TYPE__MAX; i++) + { + if (pg->pgPms[i] != NULL) + { + if (mpseGetPatternCount(pg->pgPms[i]) != 0) { - dd->pmds = pmd; + if (mpsePrepPatterns(pg->pgPms[i], pmx_create_tree, + add_patrn_to_neg_list) != 0) + { + FatalError("%s(%d) Failed to compile port group " + "patterns.\n", __FILE__, __LINE__); + } + + if (fp->debug) + mpsePrintInfo(pg->pgPms[i]); + rules = 1; } else { - pmd->next = dd->pmds; - dd->pmds = pmd; + mpseFree(pg->pgPms[i]); + pg->pgPms[i] = NULL; } - - /* create ontx */ - otnx = (OTNX *)SnortAlloc( sizeof(OTNX) ); - otnx->otn = otn; - otnx->content_length = fplist[i]->length; /* this forces a unique otnx/rn/pmx for each pmd */ - - /* create a rule_node */ - rn = (RULE_NODE*) SnortAlloc( sizeof(RULE_NODE) ); - rn->iRuleNodeID = id; - rn->rnRuleData = otnx; - - pmx = (PMX*)SnortAlloc(sizeof(PMX) ); - pmx->RuleNode = rn; - pmx->PatternMatchData= pmd; - - pmd->pattern_buf = (char *)SnortAlloc(fplist[i]->length); - memcpy(pmd->pattern_buf, fplist[i]->content, fplist[i]->length); - pmd->pattern_size= fplist[i]->length; - pmd->nocase = fplist[i]->noCaseFlag; - pmd->offset = 0; - pmd->depth = 0; - - /* Here we will trim leading zeros for the muli-match */ - FLP_Bytes= FLP_Trim(pmd->pattern_buf,pmd->pattern_size,&FLP_Ptr); - if( FLP_Bytes == 0 ) - { - FLP_Bytes = pmd->pattern_size; - FLP_Ptr = pmd->pattern_buf; - } - - mpseAddPattern( mpse, - FLP_Ptr, - FLP_Bytes, - pmd->nocase, /* 1-NoCase, 0-Case */ - pmd->offset, - pmd->depth, - (unsigned)pmd->exception_flag, - pmx, - rn->iRuleNodeID ); - - /* Free the bucket */ - free(fplist[i]); } } - return 0; -} - -void fpDynamicDataFree(void *data) -{ - DynamicData *dd = (DynamicData *)data; - PatternMatchData *pmd; - - if (dd == NULL) - return; - pmd = (PatternMatchData *)dd->pmds; - while (pmd != NULL) + if (pg->pgHeadNC != NULL) { - PatternMatchData *tmp = pmd->next; - 
PatternMatchFree(pmd); - pmd = tmp; - } + RULE_NODE *ruleNode; - free(dd); -} -#endif - -/* - * Content flag values - */ -enum -{ - PGCT_NOCONTENT=0, - PGCT_CONTENT=1, - PGCT_URICONTENT=2 -}; -/* - * Add a rule to the proper port group RULE_NODE list - * - * cflag : content flag ( 0=no content, 1=content, 2=uri-content) - */ -static -int fpAddPortGroupRule( PORT_GROUP * pg, OptTreeNode * otn, int id,int cflag ) -{ - OTNX * otnx; - //RULE_NODE * rn; + for (ruleNode = pg->pgHeadNC; ruleNode; ruleNode = ruleNode->rnNext) + { + OTNX *otnx = (OTNX *)ruleNode->rnRuleData; + otn_create_tree(otnx->otn, &pg->pgNonContentTree); + } - /* create otnx */ - otnx = (OTNX*) SnortAlloc( sizeof(OTNX) ); - otnx->otn = otn; - otnx->content_length = 0; + finalize_detection_option_tree((detection_option_tree_root_t*)pg->pgNonContentTree); + rules = 1; + } - /* Add the no content rule_node to the port group (NClist) */ - switch( cflag ) + if (!rules) { - case PGCT_NOCONTENT: - prmxAddPortRuleNC( pg, otnx ); - break; - case PGCT_CONTENT: - prmxAddPortRule( pg, otnx ); - break; - case PGCT_URICONTENT: - prmxAddPortRuleUri( pg, otnx ); - break; - default: - return -1; - break; + /* Nothing in the port group so we can just free it */ + free(pg); + return -1; } - return 0; -} - -void fpDeletePMX(void *data) -{ - PMX *pmx = (PMX *)data; - RULE_NODE *rn; - OTNX *otnx; - rn = (RULE_NODE *)pmx->RuleNode; - otnx = (OTNX *)rn->rnRuleData; - free(otnx); - free(rn); - free(pmx); + return 0; } -static void fpDeletePortGroup(void *data) +static int fpAllocPms(PORT_GROUP *pg, FastPatternConfig *fp) { - PORT_GROUP *pg = (PORT_GROUP *)data; - RULE_NODE *rn, *tmpRn; - OTNX *otnx; + PmType i; - rn = pg->pgHead; - while (rn) + for (i = PM_TYPE__CONTENT; i < PM_TYPE__MAX; i++) { - tmpRn = rn->rnNext; - otnx = (OTNX *)rn->rnRuleData; - free(otnx); - free(rn); - rn = tmpRn; - } - pg->pgHead = NULL; + /* init pattern matchers */ + pg->pgPms[i] = mpseNew(fp->search_method, + MPSE_INCREMENT_GLOBAL_CNT, + 
fpDeletePMX, + free_detection_option_root, + neg_list_free); - rn = pg->pgUriHead; - while (rn) - { - tmpRn = rn->rnNext; - otnx = (OTNX *)rn->rnRuleData; - free(otnx); - free(rn); - rn = tmpRn; - } - pg->pgUriHead = NULL; - - rn = pg->pgHeadNC; - while (rn) - { - tmpRn = rn->rnNext; - otnx = (OTNX *)rn->rnRuleData; - free(otnx); - free(rn); - rn = tmpRn; - } - pg->pgHeadNC = NULL; + if (pg->pgPms[i] == NULL) + { + PmType j; - mpseFree( pg->pgPatData ); - pg->pgPatData = NULL; - mpseFree( pg->pgPatDataUri ); - pg->pgPatDataUri = NULL; + for (j = PM_TYPE__CONTENT; j < i; j++) + { + mpseFree(pg->pgPms[j]); + pg->pgPms[j] = NULL; + } - boFreeBITOP(&pg->boRuleNodeID); + LogMessage("%s(%d) Failed to create pattern matcher for pattern " + "matcher type: %d\n", __FILE__, __LINE__, i); - free_detection_option_root(&pg->pgNonContentTree); + return -1; + } - free(pg); + if (fp->search_opt) + mpseSetOpt(pg->pgPms[i], 1); + } + + return 0; } -/* - * Create the PortGroup for these PortObject2 entitiies - * - * This builds the 1st pass multi-pattern state machines for - * content and uricontent based on the rules in the PortObjects - * hash table. 
- */ -static int fpCreatePortObject2PortGroup(SnortConfig *sc, PortObject2 *po, PortObject2 *poaa) +static int fpAddPortGroupRule(PORT_GROUP *pg, OptTreeNode *otn, FastPatternConfig *fp) { - SFGHASH_NODE * node; - unsigned sid,gid; - OptTreeNode * otn; - PatternMatchData *pmd, *pmdor; - PORT_GROUP * pg; - int crules = 0; /* content rule count */ - int urules = 0; /* uri rule count */ - int ncrules = 0; /* no content rules */ - int id = 0; /* for id'ing rules within this group for bitop */ - int hc; - int huc; - PortObject2 * pox; - FastPatternConfig *fp = sc->fast_pattern_config; - - /* verify we have a port object */ - if (po == NULL) - return 0; - - po->data = 0; - - //TODO : - if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) - PortObject2PrintPorts( po ); - - /* Check if we have any rules */ - if (po->rule_hash == NULL) - return 0; - - /* create a port_group */ - pg = (PORT_GROUP *)SnortAlloc(sizeof(PORT_GROUP)); - - /* init pattern matchers */ - pg->pgPatData = mpseNew(fp->search_method, - MPSE_INCREMENT_GLOBAL_CNT, - fpDeletePMX, - free_detection_option_root, - neg_list_free); + PatternMatchData *pmd = NULL; + PatternMatchData *pmd_uri = NULL; +#ifdef DYNAMIC_PLUGIN + PatternMatchData *preproc_opt_pmds = NULL; +#endif - if (pg->pgPatData == NULL) - { - free(pg); - LogMessage("mpseNew failed\n"); + if ((pg == NULL) || (otn == NULL)) return -1; - } - - if (fp->search_opt) - mpseSetOpt(pg->pgPatData, 1); - pg->pgPatDataUri = mpseNew(fp->search_method, - MPSE_INCREMENT_GLOBAL_CNT, - fpDeletePMX, - free_detection_option_root, - neg_list_free); + /* Preprocessor or decoder rule, skip inserting it */ + if (otn->sigInfo.rule_type != SI_RULE_TYPE_DETECT) + return -1; - if (pg->pgPatDataUri == NULL) - { - LogMessage("mpseNew failed\n"); - mpseFree(pg->pgPatData); - free(pg); + /* Rule not enabled */ + if (otn->rule_state != RULE_STATE_ENABLED) return -1; - } - if (fp->search_opt) - mpseSetOpt(pg->pgPatDataUri, 1); +#ifdef DYNAMIC_PLUGIN + /* Check for an so dynamic 
rule */ + if (otn->ds_list[PLUGIN_DYNAMIC] != NULL) + { + DynamicData *dd = otn->ds_list[PLUGIN_DYNAMIC]; - /* - * Walk the rules in the PortObject and add to - * the PORT_GROUP pattern state machine - * and to the port group RULE_NODE lists. - * (The lists are still used in some cases - * during detection to walk the rules in a group - * so we have to load these as well...fpEvalHeader()... for now.) - * - * po src/dst ports : content/uri and nocontent - * poaa any-any ports : content/uri and nocontent - * - * each PG has src or dst contents, generic-contents, and no-contents - * (src/dst or any-any ports) - * - */ - pox = po; + /* The pmds returned here will have been dynamically allocated */ + pmd = GetDynamicFastPatternPmd(dd, CONTENT_NORMAL); + if ((pmd != NULL) && pmd->fp) + { + if (fpFinishPortGroupRule(pg, PM_TYPE__CONTENT, otn, pmd, fp) == 0) + { + /* Need to do this so the pmd can be freed later */ + (void)AppendPmdToList(&dd->pmds, pmd); + if (pmd->pattern_size > otn->longestPatternLen) + otn->longestPatternLen = pmd->pattern_size; + return 0; + } - if (po == NULL) - pox = poaa; + PatternMatchFree((void *)pmd); + pmd = NULL; + } - while (pox != NULL) - { - for (node = sfghash_findfirst(pox->rule_hash); - node; - node = sfghash_findnext(pox->rule_hash)) + pmd_uri = GetDynamicFastPatternPmd(dd, CONTENT_HTTP); + if (pmd_uri != NULL) { - int * prindex; + PmType pm_type; - prindex = (int*)node->data; - if( !prindex ) - continue; /* be safe - no rule index, ignore it */ - - /* look up sid:gid */ - sid = RuleIndexMapSid( ruleIndexMap, *prindex ); - gid = RuleIndexMapGid( ruleIndexMap, *prindex ); + if (pmd_uri->uri_buffer & HTTP_SEARCH_URI) + pm_type = PM_TYPE__HTTP_URI_CONTENT; + else if (pmd_uri->uri_buffer & HTTP_SEARCH_HEADER) + pm_type = PM_TYPE__HTTP_HEADER_CONTENT; + else if (pmd_uri->uri_buffer & HTTP_SEARCH_CLIENT_BODY) + pm_type = PM_TYPE__HTTP_CLIENT_BODY_CONTENT; + else + pm_type = PM_TYPE__CONTENT; - /* look up otn */ - otn = OtnLookup(sc->otn_map, 
gid, sid); - if (otn == NULL) + if (fpFinishPortGroupRule(pg, pm_type, otn, pmd_uri, fp) == 0) { - LogMessage("fpCreatePortObject2PortGroup...failed otn lookup, " - "gid=%u sid=%u\n", gid, sid); - continue; - } + /* Using the http content so free this */ + if (pmd != NULL) + PatternMatchFree((void *)pmd); - if (otn->sigInfo.rule_type != SI_RULE_TYPE_DETECT) - { - /* Preprocessor or decoder rule, skip inserting it */ - continue; + (void)AppendPmdToList(&dd->pmds, pmd_uri); + if (pmd_uri->pattern_size > otn->longestPatternLen) + otn->longestPatternLen = pmd_uri->pattern_size; + return 0; } - hc = huc = 0; /* track if we have content or uri content in this rule */ + PatternMatchFree((void *)pmd_uri); + pmd_uri = NULL; + } - /* Not enabled, don't do the FP content */ - if (otn->rule_state != RULE_STATE_ENABLED) - { - continue; - } + /* If we get this far then no URI contents were added */ - if (otn->proto == ETHERNET_TYPE_IP) + if (GetPreprocOptPmdList(otn, &preproc_opt_pmds) == 0) + { + if (UsePreprocOptFastPatterns(pmd, preproc_opt_pmds)) { - /* If only one detection option and it's ip_proto it will be evaluated - * at decode time instead of detection time */ - if ((otn->ds_list[PLUGIN_IP_PROTO_CHECK] != NULL) && - (otn->num_detection_opts == 1)) - { - fpAddIpProtoOnlyRule(sc->ip_proto_only_lists, otn); - continue; - } + /* Preprocessor rule option fast pattern contents + * will be used so free and NULL the content pmd */ + if (pmd != NULL) + FreePmdList(pmd); - fpRegIpProto(sc->ip_proto_array, otn); + pmd = preproc_opt_pmds; } - - if( OtnHasUriContent(otn) ) + else { - /* get the uri content pattern match data */ - pmd = otn->ds_list[PLUGIN_PATTERN_MATCH_URI]; - /* add ALL AND contents for HTTP... 
*/ - if( pmd ) - fpAddAllContents( pg->pgPatDataUri, otn, id, pmd ); + /* The content rule option fast pattern is a better choice + * than the preprocessor rule option fast patterns, so use it */ + FreePmdList(preproc_opt_pmds); + } + } - /* add uri content for shared object rules */ -#ifdef DYNAMIC_PLUGIN - fpAddDynamicContents( pg->pgPatDataUri, otn, id, FASTPATTERN_URI ); -#endif - if (!IsPureNotRule(pmd, otn)) - { - huc++; - /* Add the rule to the port groups uricontent RULE_NODE lists */ - fpAddPortGroupRule(pg,otn,id,PGCT_URICONTENT); - } + if (fpFinishPortGroupRule(pg, PM_TYPE__CONTENT, otn, pmd, fp) == 0) + { + (void)AppendPmdToList(&dd->pmds, pmd); + if (pmd->pattern_size > otn->longestPatternLen) + otn->longestPatternLen = pmd->pattern_size; + return 0; + } - urules++; - } - else if( OtnHasContent(otn) ) - { - /* get the content pattern match data */ - pmd = otn->ds_list[PLUGIN_PATTERN_MATCH]; - /* add the longest AND content... */ - if( pmd ) - fpAddLongestContent( pg->pgPatData, otn, id, pmd ); - - /* add ALL OR contents... 
*/ - pmdor = otn->ds_list[PLUGIN_PATTERN_MATCH_OR]; - if( pmdor ) - fpAddAllContents( pg->pgPatData, otn, id, pmdor ); + /* Either no content or adding pmd failed */ - /* add content for shared object rules */ -#ifdef DYNAMIC_PLUGIN - fpAddDynamicContents( pg->pgPatData, otn, id, FASTPATTERN_NORMAL ); + /* Either single pmd or preprocessor rule option pmd list */ + if (pmd != NULL) + FreePmdList(pmd); + + if (fpFinishPortGroupRule(pg, PM_TYPE__MAX, otn, NULL, fp) != 0) + return -1; + + return 0; + } #endif - if (!IsPureNotRule(pmd, otn)) - { - hc++; - /* Add the rule to the port groups content RULE_NODE lists */ - fpAddPortGroupRule(pg,otn,id,PGCT_CONTENT); - } - crules++; - } + pmd = GetLongestPmdContent(otn, CONTENT_NORMAL); - if( !hc && !huc ) - { - /* no content for this rule - add into this port groups no-content rule list */ - fpAddPortGroupRule(pg,otn,id,PGCT_NOCONTENT); - ncrules++; - } + /* Pull it out of the ds_list so we can treat it as a one item list + * It will get free'd via the detection option tree callback for + * content rule options - the ds pmd list is useless at this point + * and should not be used anyway because of detection option tree + * duplicate handling - see FinalizeContentUniqueness() */ + (void)RemovePmdFromList(pmd); - id++; /* inc rule node id, used for bitmap indexing */ + if ((pmd != NULL) && pmd->fp) + { + if (fpFinishPortGroupRule(pg, PM_TYPE__CONTENT, otn, pmd, fp) == 0) + { + if (pmd->pattern_size > otn->longestPatternLen) + otn->longestPatternLen = pmd->pattern_size; + + return 0; } + } - if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) + /* http buffer contents take precedence over normal contents if + * no normal contents have the fast_pattern option */ + pmd_uri = GetLongestPmdContent(otn, CONTENT_HTTP); + (void)RemovePmdFromList(pmd_uri); + if (pmd_uri != NULL) + { + PmType pm_type; + + if (pmd_uri->uri_buffer & HTTP_SEARCH_URI) + pm_type = PM_TYPE__HTTP_URI_CONTENT; + else if (pmd_uri->uri_buffer & 
HTTP_SEARCH_HEADER) + pm_type = PM_TYPE__HTTP_HEADER_CONTENT; + else if (pmd_uri->uri_buffer & HTTP_SEARCH_CLIENT_BODY) + pm_type = PM_TYPE__HTTP_CLIENT_BODY_CONTENT; + else + pm_type = PM_TYPE__CONTENT; + + if (fpFinishPortGroupRule(pg, pm_type, otn, pmd_uri, fp) == 0) { - LogMessage("PortGroup Summary: CONTENT: %d, URICONTENT: %d," - " NOCONTENT: %d\n", crules,urules,ncrules); + if (pmd_uri->pattern_size > otn->longestPatternLen) + otn->longestPatternLen = pmd_uri->pattern_size; + return 0; } + } - if (pox == poaa) - break; + /* If we get this far then no URI contents were added */ - pox = poaa; - } - - /* - ** Initialize the BITOP structure for this - ** port group. - */ - if( pg->pgContentCount && boInitBITOP(&(pg->boRuleNodeID),pg->pgContentCount) ) - { - LogMessage("boInitBITOP failed, content count=%d\n",pg->pgContentCount); - mpseFree( pg->pgPatData ); - mpseFree( pg->pgPatDataUri ); - free(pg); - return -1; - } - - /* Compile the Content Pattern Machine */ - if( crules ) - { - mpsePrepPatterns( pg->pgPatData, pmx_create_tree, add_patrn_to_neg_list ); - if( fp->debug ) mpsePrintInfo( pg->pgPatData ); - } - else - { - mpseFree( pg->pgPatData ); - pg->pgPatData = NULL; - } - - /* Compile the UriContent Pattern Machine */ - if( urules ) - { - mpsePrepPatterns( pg->pgPatDataUri, pmx_create_tree, add_patrn_to_neg_list ); - if( fp->debug ) mpsePrintInfo( pg->pgPatDataUri ); - } - else - { - /* release the pattern matcher */ - mpseFree( pg->pgPatDataUri ); - pg->pgPatDataUri = NULL; - } - - if (ncrules) - { - RULE_NODE *ruleNode; - - for (ruleNode = pg->pgHeadNC; ruleNode; ruleNode = ruleNode->rnNext) - { - OTNX *otnx = (OTNX *)ruleNode->rnRuleData; - otn_create_tree(otnx->otn, &pg->pgNonContentTree); - } - finalize_detection_option_tree((detection_option_tree_root_t*)pg->pgNonContentTree); - //num_nc_trees++; - } - - /* Assign the port_group */ - if( urules || crules || ncrules ) - { - po->data = pg; - po->data_free = fpDeletePortGroup; - } - else - { - free( pg 
); /* no rules...mmm, clean it up */ - } - - return 0; -} - -/* - * Create the port groups for this port table - */ -static int fpCreatePortTablePortGroups(SnortConfig *sc, PortTable *p, PortObject2 *poaa) -{ - SFGHASH_NODE * node; - int cnt=1; - FastPatternConfig *fp = sc->fast_pattern_config; - - if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) - LogMessage("%d Port Groups in Port Table\n",p->pt_mpo_hash->count); - - for (node=sfghash_findfirst(p->pt_mpo_hash); //p->pt_mpxo_hash - node; - node=sfghash_findnext(p->pt_mpo_hash) ) //p->pt->mpxo_hash - { - PortObject2 * po; - - po = (PortObject2*)node->data; - if (po == NULL) - continue; +#ifdef DYNAMIC_PLUGIN + if (GetPreprocOptPmdList(otn, &preproc_opt_pmds) == 0) + { + if (!UsePreprocOptFastPatterns(pmd, preproc_opt_pmds)) + { + /* The content rule option fast pattern is a better choice + * than the preprocessor rule option fast patterns, so use it */ + FreePmdList(preproc_opt_pmds); + } + else + { + pmd = preproc_opt_pmds; - if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) - LogMessage("Creating Port Group Object %d of %d\n",cnt++,p->pt_mpo_hash->count); + /* Need to be able to free this list */ + (void)AppendPmdToList( + (PatternMatchData **)&otn->preproc_fp_list, + preproc_opt_pmds); + } + } +#endif - /* if the object is not referenced, don't add it to the PORT_GROUPs - * as it may overwrite other objects that are more inclusive. */ - if (!po->port_cnt) - continue; + if (fpFinishPortGroupRule(pg, PM_TYPE__CONTENT, otn, pmd, fp) == 0) + { + if (pmd->pattern_size > otn->longestPatternLen) + otn->longestPatternLen = pmd->pattern_size; + return 0; + } - if (fpCreatePortObject2PortGroup(sc, po, poaa)) - { - LogMessage("fpCreatePortObject2PortGroup() failed\n"); - return -1; - } +#if 0 + /* XXX Not currently used */ + /* If the "or" content rule option should ever be instated, some sort of + * decision should be made between this and other normal "and" contents. 
+ * Adding one content is probably preferable over adding multiple contents, + * but if the one content is only one, two bytes and the "or" contents are + * more unique, then adding the "or" contents might be preferable. Maybe + * if the "and" content is more unique than the least unique "or" content */ + pmd = otn->ds_list[PLUGIN_PATTERN_MATCH_OR]; + if (pmd != NULL) + fpAddAllContents(pg->pgPms[PM_TYPE__CONTENT], otn, id, pmd, fp); +#endif +#ifdef DYNAMIC_PLUGIN + /* No content added */ + if (pmd == preproc_opt_pmds) + FreePmdList(pmd); +#endif - if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) - mpsePrintSummary(); //PORTLISTS-testing - } + if (fpFinishPortGroupRule(pg, PM_TYPE__MAX, otn, NULL, fp) != 0) + return -1; - return 0; + return 0; } /* - * Create port group objects for all port tables + * Original PortRuleMaps for each protocol requires creating the following structures. + * -pcrm.h + * PORT_RULE_MAP -> srcPortGroup,dstPortGroup,genericPortGroup + * PORT_GROUP -> pgPatData, pgPatDataUri (acsm objects), (also rule_node lists 1/rule, not neeed) + * each rule content added to an acsm object has a PMX data ptr associated with it. + * RULE_NODE -> iRuleNodeID (used for bitmap object index), otnx * - * note: any-any ports are standard PortObjects not PortObject2's so we have to - * uprade them for the create port group function + * -fpcreate.h + * PMX -> RULE_NODE(->otnx), PatternMatchData + * OTNX -> otn,rtn,content_length + * + * PortList model supports the same structures except: + * + * -pcrm.h + * PORT_GROUP -> no rule_node lists needed, PortObjects maintain a list of rules used + * + * Generation of PortRuleMaps and data is done differently. + * + * 1) Build tcp/udp/icmp/ip src and dst PORT_GROUP objects based on the PortList Objects rules. + * + * 2) For each protocols PortList objects walk it's ports and assign the PORT_RULE_MAP src and dst + * PORT_GROUP[port] array pointers to that PortList objects PORT_GROUP. 
+ * + * Implementation: + * + * Each PortList Object will be translated into a PORT_GROUP, than pointed to by the + * PORT_GROUP array in the PORT_RULE_MAP for the procotocol + * + * protocol = tcp, udp, ip, icmp - one port_rule_map for each of these protocols + * { create a port_rule_map + * dst port processing + * for each port-list object create a port_group object + * { create a pattern match object, store its pointer in port_group + * for each rule index in port-list object + * { + * get the gid+sid for the index + * lookup up the otn + * create otnx + * create pmx + * create RULE_NODE, set iRuleNodeID within this port-list object + * get longest content for the rule + * set up otnx,pmx,RULE_NODE + * add the content and pmx to the pattern match object + * } + * compile the pattern match object + * + * repeat for uri content + * } + * src port processing + * repeat as for dst port processing + * } + * ** bidirectional rules - these are added to both src and dst PortList objects, so they are + * automatically handled during conversion to port_group objects. */ -static int fpCreatePortGroups(SnortConfig *sc, rule_port_tables_t *p) +/* +** Build a Pattern group for the Uri-Content rules in this group +** +** The patterns added for each rule must be suffcient so if we find any of them +** we proceed to fully analyze the OTN and RTN against the packet. 
+** +*/ +/* + * Init a port-list based rule map + */ +static +int fpCreateInitRuleMap( PORT_RULE_MAP * prm, PortTable * src, PortTable * dst, PortObject * anyany, PortObject * nc ) { - PortObject2 * po2; - FastPatternConfig *fp = sc->fast_pattern_config; - - if (!rule_count) - return 0 ; - - /* TCP */ - /* convert the tcp-any-any to a PortObject2 creature */ - po2 = PortObject2Dup(p->tcp_anyany); - if (po2 == NULL) - FatalError("Could not create a PortObject version 2 for tcp-any-any rules\n!"); - - if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) - LogMessage("\nTCP-SRC "); - - if (fpCreatePortTablePortGroups(sc, p->tcp_src, po2)) - { - LogMessage("fpCreatePorTablePortGroups failed-tcp_src\n"); - return -1; - } - - if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) - LogMessage("\nTCP-DST "); - - if (fpCreatePortTablePortGroups(sc, p->tcp_dst, po2)) - { - LogMessage("fpCreatePorTablePortGroups failed-tcp_dst\n"); - return -1; - } + SFGHASH_NODE * node; + PortObjectItem * poi; + PortObject2 * po; + int i; + //int * pi; - if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) - LogMessage("\nTCP-ANYANY "); + /* setup the any-any-port content port group */ + prm->prmGeneric =(PORT_GROUP*) anyany->data; - if (fpCreatePortObject2PortGroup(sc, po2, 0)) - { - LogMessage("fpCreatePorTablePortGroups failed-tcp any-any\n"); - return -1; - } + /* all rules that are any any some may not be content ? 
*/ + prm->prmNumGenericRules = anyany->rule_list->count; - /* save the any-any port group */ - p->tcp_anyany->data = po2->data; - p->tcp_anyany->data_free = fpDeletePortGroup; - po2->data = 0; - /* release the dummy PortObject2 copy of tcp-any-any */ - //LogMessage("fpcreate: calling PortObjectFree2(po2), line = %d\n",__LINE__ ); - PortObject2Free(po2); + prm->prmNumSrcRules= 0; + prm->prmNumDstRules= 0; - /* UDP */ - po2 = PortObject2Dup(p->udp_anyany); - if (po2 == NULL ) - FatalError("Could not create a PortObject version 2 for udp-any-any rules\n!"); + prm->prmNumSrcGroups= 0; + prm->prmNumDstGroups= 0; - if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) - LogMessage("\nUDP-SRC "); + /* Process src PORT groups */ + if(src ) + for( node=sfghash_findfirst(src->pt_mpxo_hash); + node; + node=sfghash_findnext(src->pt_mpxo_hash) ) + { + po = (PortObject2*)node->data; - if (fpCreatePortTablePortGroups(sc, p->udp_src, po2)) - { - LogMessage("fpCreatePorTablePortGroups failed-udp_src\n"); - return -1; - } + if( !po ) continue; + if( !po->data ) continue; - if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) - LogMessage("\nUDP-DST "); + /* Add up the total src rules */ + prm->prmNumSrcRules += po->rule_hash->count; - if (fpCreatePortTablePortGroups(sc, p->udp_dst, po2)) - { - LogMessage("fpCreatePorTablePortGroups failed-udp_src\n"); - return -1; - } + /* Increment the port group count */ + prm->prmNumSrcGroups++; - if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) - LogMessage("\nUDP-ANYANY "); + /* Add this port group to the src table at each port that uses it */ + for( poi = (PortObjectItem*)sflist_first(po->item_list); + poi; + poi = (PortObjectItem*)sflist_next(po->item_list) ) + { + switch(poi->type) + { + case PORT_OBJECT_ANY: + break; + case PORT_OBJECT_PORT: +#if 0 + /* This test is always true since poi->lport is a 16 bit + * int and MAX_PORTS is 64K. If this relationship should + * change, the test should be compiled back in. 
+ */ + if( poi->lport < MAX_PORTS ) +#endif + prm->prmSrcPort[ poi->lport ] = (PORT_GROUP*)po->data; + break; + case PORT_OBJECT_RANGE: + for(i= poi->lport;i<= poi->hport;i++ ) + { + prm->prmSrcPort[ i ] = (PORT_GROUP*)po->data; + } + break; + } + } + } - if (fpCreatePortObject2PortGroup(sc, po2, 0)) - { - LogMessage("fpCreatePorTablePortGroups failed-udp_src\n"); - return -1; - } + /* process destination port groups */ + if( dst ) + for( node=sfghash_findfirst(dst->pt_mpxo_hash); + node; + node=sfghash_findnext(dst->pt_mpxo_hash) ) + { + po = (PortObject2*)node->data; - p->udp_anyany->data = po2->data; - p->udp_anyany->data_free = fpDeletePortGroup; - po2->data = 0; - //LogMessage("fpcreate: calling PortObjectFree2(po2), line = %d\n",__LINE__ ); - PortObject2Free(po2); + if( !po ) continue; + if( !po->data ) continue; - /* ICMP */ - po2 = PortObject2Dup(p->icmp_anyany); - if (po2 == NULL) - FatalError("Could not create a PortObject version 2 for icmp-any-any rules\n!"); + /* Add up the total src rules */ + prm->prmNumDstRules += po->rule_hash->count; - if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) - LogMessage("\nICMP-SRC "); + /* Increment the port group count */ + prm->prmNumDstGroups++; - if (fpCreatePortTablePortGroups(sc, p->icmp_src, po2)) - { - LogMessage("fpCreatePorTablePortGroups failed-icmp_src\n"); - return -1; - } + /* Add this port group to the src table at each port that uses it */ + for( poi = (PortObjectItem*)sflist_first(po->item_list); + poi; + poi = (PortObjectItem*)sflist_next(po->item_list) ) + { + switch(poi->type) + { + case PORT_OBJECT_ANY: + break; + case PORT_OBJECT_PORT: +#if 0 + /* This test is always true since poi->lport is a 16 bit + * int and MAX_PORTS is 64K. If this relationship should + * change, the test should be compiled back in. 
+ */ + if( poi->lport < MAX_PORTS ) +#endif + prm->prmDstPort[ poi->lport ] = (PORT_GROUP*)po->data; + break; + case PORT_OBJECT_RANGE: + for(i= poi->lport;i<= poi->hport;i++ ) + { + prm->prmDstPort[ i ] = (PORT_GROUP*)po->data; + } + break; + } + } + } - if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) - LogMessage("\nICMP-DST "); + return 0; +} +/* + * Create and initialize the rule maps + */ +static int fpCreateRuleMaps(SnortConfig *sc, rule_port_tables_t *p) +{ + sc->prmTcpRTNX = prmNewMap(); + if (sc->prmTcpRTNX == NULL) + return 1; - if (fpCreatePortTablePortGroups(sc, p->icmp_dst, po2)) - { - LogMessage("fpCreatePorTablePortGroups failed-icmp_src\n"); + if (fpCreateInitRuleMap(sc->prmTcpRTNX, p->tcp_src, p->tcp_dst, p->tcp_anyany,p->tcp_nocontent)) return -1; - } - if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) - LogMessage("\nICMP-ANYANY "); - - if (fpCreatePortObject2PortGroup(sc, po2, 0)) - { - LogMessage("fpCreatePorTablePortGroups failed-icmp any-any\n"); + sc->prmUdpRTNX = prmNewMap(); + if (sc->prmUdpRTNX == NULL) return -1; - } - - p->icmp_anyany->data = po2->data; - p->icmp_anyany->data_free = fpDeletePortGroup; - po2->data = 0; - //LogMessage("fpcreate: calling PortObjectFree2(po2), line = %d\n",__LINE__ ); - PortObject2Free(po2); - - /* IP */ - po2 = PortObject2Dup(p->ip_anyany); - if (po2 == NULL) - FatalError("Could not create a PortObject version 2 for ip-any-any rules\n!"); - - if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) - LogMessage("\nIP-SRC "); - if (fpCreatePortTablePortGroups(sc, p->ip_src, po2)) - { - LogMessage("fpCreatePorTablePortGroups failed-ip_src\n"); + if (fpCreateInitRuleMap(sc->prmUdpRTNX, p->udp_src, p->udp_dst, p->udp_anyany,p->udp_nocontent)) return -1; - } - if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) - LogMessage("\nIP-DST "); + sc->prmIpRTNX = prmNewMap(); + if (sc->prmIpRTNX == NULL) + return 1; - if (fpCreatePortTablePortGroups(sc, p->ip_dst, po2)) - { - LogMessage("fpCreatePorTablePortGroups 
failed-ip_dst\n"); + if (fpCreateInitRuleMap(sc->prmIpRTNX, p->ip_src, p->ip_dst, p->ip_anyany, p->ip_nocontent)) return -1; - } - if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) - LogMessage("\nIP-ANYANY "); + sc->prmIcmpRTNX = prmNewMap(); + if (sc->prmIcmpRTNX == NULL) + return 1; - if (fpCreatePortObject2PortGroup(sc, po2, 0)) - { - LogMessage("fpCreatePorTablePortGroups failed-ip any-any\n"); + if (fpCreateInitRuleMap(sc->prmIcmpRTNX, p->icmp_src, p->icmp_dst, p->icmp_anyany, p->icmp_nocontent)) return -1; - } - - p->ip_anyany->data = po2->data; - p->ip_anyany->data_free = fpDeletePortGroup; - po2->data = 0; - //LogMessage("fpcreate: calling PortObjectFree2(po2), line = %d\n",__LINE__ ); - PortObject2Free(po2); return 0; } - - -/* - * Scan the master otn lists and and pass - * - * - * enabled - if true requires otn to be enabled - * fcn - callback - * proto - IP,TCP,IDP,ICMP protocol flag - * otn - OptTreeNode - */ -void fpWalkOtns(int enabled, OtnWalkFcn fcn) +static void fpFreeRuleMaps(SnortConfig *sc) { - RuleTreeNode *rtn; - SFGHASH_NODE *hashNode; - OptTreeNode *otn = NULL; - tSfPolicyId policyId = 0; - - if (snort_conf == NULL) + if (sc == NULL) return; - for (hashNode = sfghash_findfirst(snort_conf->otn_map); - hashNode; - hashNode = sfghash_findnext(snort_conf->otn_map)) + if (sc->prmTcpRTNX != NULL) { - otn = (OptTreeNode *)hashNode->data; - for ( policyId = 0; - policyId < otn->proto_node_num; - policyId++ ) - { - rtn = getRtnFromOtn(otn, policyId); + free(sc->prmTcpRTNX); + sc->prmTcpRTNX = NULL; + } - /* There can be gaps in the list of rtns. 
*/ - if (rtn == NULL) - continue; + if (sc->prmUdpRTNX != NULL) + { + free(sc->prmUdpRTNX); + sc->prmUdpRTNX = NULL; + } - if ((rtn->proto == IPPROTO_TCP) || (rtn->proto == IPPROTO_UDP) - || (rtn->proto == IPPROTO_ICMP) || (rtn->proto == ETHERNET_TYPE_IP)) - { - //do operation - if ( enabled && (otn->rule_state != RULE_STATE_ENABLED) ) - continue; + if (sc->prmIpRTNX != NULL) + { + free(sc->prmIpRTNX); + sc->prmIpRTNX = NULL; + } - fcn( rtn->proto, rtn, otn ); - } - } + if (sc->prmIcmpRTNX != NULL) + { + free(sc->prmIcmpRTNX); + sc->prmIcmpRTNX = NULL; } } -#ifdef TARGET_BASED -/* - * Scan the master otn lists and load the Service maps - * for service based rule grouping. - */ -static int fpCreateServiceMaps(SnortConfig *sc) +static int fpGetFinalPattern(FastPatternConfig *fp, PatternMatchData *pmd, + char **ret_pattern, int *ret_bytes) { - RuleTreeNode *rtn; - SFGHASH_NODE *hashNode; - OptTreeNode *otn = NULL; - tSfPolicyId policyId = 0; - unsigned int svc_idx; + char *pattern; + int bytes; - for (hashNode = sfghash_findfirst(sc->otn_map); - hashNode; - hashNode = sfghash_findnext(sc->otn_map)) + if ((fp == NULL) || (pmd == NULL) + || (ret_pattern == NULL) || (ret_bytes == NULL)) { - otn = (OptTreeNode *)hashNode->data; - for ( policyId = 0; - policyId < otn->proto_node_num; - policyId++ ) - { - rtn = getRtnFromOtn(otn, policyId); + return -1; + } - if (rtn && ((rtn->proto == IPPROTO_TCP) || (rtn->proto == IPPROTO_UDP) - || (rtn->proto == IPPROTO_ICMP) || (rtn->proto == ETHERNET_TYPE_IP))) - { - //do operation + pattern = pmd->pattern_buf; + bytes = pmd->pattern_size; - /* Non-content preprocessor or decoder rule. - * don't add it */ - if (otn->sigInfo.rule_type != SI_RULE_TYPE_DETECT) - { - continue; - } + /* Don't mess with fast pattern only contents - they should be inserted + * into the pattern matcher as is since the content won't be evaluated + * as a rule option. 
+ * Don't mess with negated contents since truncating them could + * inadvertantly disable evaluation of a rule - the shorter pattern + * may be found, while the unaltered pattern may not be found, + * disabling inspection of a rule we should inspect */ + if (pmd->fp_only || pmd->exception_flag) + { + *ret_pattern = pattern; + *ret_bytes = bytes; - /* Not enabled, don't do the FP content */ - if (otn->rule_state != RULE_STATE_ENABLED) - continue; + return 0; + } - for (svc_idx = 0; svc_idx < otn->sigInfo.num_services; svc_idx++) + if (pmd->fp && (pmd->fp_length != 0)) + { + /* (offset + length) potentially being larger than the pattern itself + * is taken care of during parsing */ + pattern = pmd->pattern_buf + pmd->fp_offset; + bytes = pmd->fp_length; + } + else + { + /* Trim leading null bytes for non-deterministic pattern matchers. + * Assuming many packets may have strings of 0x00 bytes in them, + * this should help performance with non-deterministic pattern matchers + * that have a full next state vector at state 0. 
If no patterns are + * inserted into the state machine that start with 0x00, failstates that + * land us at state 0 will allow us to roll through the 0x00 bytes, + * since the next state is deterministic in state 0 and we won't move + * beyond state 0 as long as the next input char is 0x00 */ + if ((fp->search_method == MPSE_AC_BNFA_Q) + || (fp->search_method == MPSE_AC_BNFA)) + { + bytes = + FLP_Trim(pmd->pattern_buf, pmd->pattern_size, &pattern); + + if (bytes < (int)pmd->pattern_size) + { + /* The patten is all '\0' - use the whole pattern + * XXX This potentially hurts the performance boost + * gained by stripping leading zeros */ + if (bytes == 0) { - if (ServiceMapAddOtn(sc->srmmTable, rtn->proto, otn->sigInfo.services[svc_idx].service, otn)) - return -1; + bytes = pmd->pattern_size; + pattern = pmd->pattern_buf; + } + else + { + fp->num_patterns_trimmed++; } } } } + if ((fp->max_pattern_len != 0) + && (bytes > fp->max_pattern_len)) + { + bytes = fp->max_pattern_len; + fp->num_patterns_truncated++; + } + + *ret_pattern = pattern; + *ret_bytes = bytes; + return 0; } +#ifdef DYNAMIC_PLUGIN +void fpDynamicDataFree(void *data) +{ + DynamicData *dd = (DynamicData *)data; + PatternMatchData *pmd; + + if (dd == NULL) + return; + + pmd = (PatternMatchData *)dd->pmds; + while (pmd != NULL) + { + PatternMatchData *tmp = pmd->next; + PatternMatchFree((void *)pmd); + pmd = tmp; + } + + free(dd); +} +#endif /* -* Build a Port Group for this service based on the list of otns. The final -* port_group pointer is stored using the service name as the key. -* -* p - hash table mapping services to port_groups -* srvc- service name, key used to store the port_group -* ...could use a service id instead (bytes, fixed length,etc...) 
-* list- list of otns for this service -*/ -void fpBuildServicePortGroupByServiceOtnList(SFGHASH *p, char *srvc, SF_LIST *list, FastPatternConfig *fp) + * Add a rule to the proper port group RULE_NODE list + * + * cflag : content flag ( 0=no content, 1=content, 2=uri-content) + */ +static int fpAddPortGroupPrmx(PORT_GROUP *pg, OptTreeNode *otn, int cflag) { - OptTreeNode * otn; - //SFGHASH_NODE * node; - //unsigned sid,gid; - PatternMatchData *pmd, *pmdor; - PORT_GROUP * pg; - int crules=0; /* content rule count */ - int urules=0; /* uri rule count */ - int ncrules=0; /* no content rules */ - int id=0; /* for id'ing rules within this group for bitop */ - int hc; - int huc; - - /* create a port_group */ - pg = (PORT_GROUP*)SnortAlloc(sizeof(PORT_GROUP)); - - /* init content pattern matcher */ - pg->pgPatData = mpseNew(fp->search_method, - MPSE_INCREMENT_GLOBAL_CNT, - fpDeletePMX, - free_detection_option_root, - neg_list_free); - - if (pg->pgPatData == NULL) - FatalError("mpseNew failed\n"); - - if (fp->search_opt) - mpseSetOpt(pg->pgPatData, 1); - - /* init uri pattern matcher */ - pg->pgPatDataUri = mpseNew(fp->search_method, - MPSE_INCREMENT_GLOBAL_CNT, - fpDeletePMX, - free_detection_option_root, - neg_list_free); - - if (pg->pgPatDataUri == NULL) - FatalError("mpseNew failed\n"); - - if (fp->search_opt) - mpseSetOpt(pg->pgPatDataUri, 1); - - /* - * add each rule to the port group pattern matchers, - * or to the no-content rule list - */ - for( otn = sflist_first(list); - otn; - otn = sflist_next(list) ) - { - hc = huc = 0; /* track if we have content or uri content in this rule */ + OTNX *otnx = (OTNX *)SnortAlloc(sizeof(OTNX)); + + otnx->otn = otn; + otnx->content_length = 0; + + /* Add the no content rule_node to the port group (NClist) */ + switch (cflag) + { + case PGCT_NOCONTENT: + prmxAddPortRuleNC( pg, otnx ); + break; + case PGCT_CONTENT: + prmxAddPortRule( pg, otnx ); + break; + case PGCT_URICONTENT: + prmxAddPortRuleUri( pg, otnx ); + break; + default: 
+ return -1; + } + + return 0; +} + +static void fpPortGroupPrintRuleCount(PORT_GROUP *pg) +{ + PmType type; + + if (pg == NULL) + return; + + LogMessage("PortGroup rule summary:\n"); + + for (type = PM_TYPE__CONTENT; type < PM_TYPE__MAX; type++) + { + int count = mpseGetPatternCount(pg->pgPms[type]); - /* Not enabled, don't do the FP content */ - if (otn->rule_state != RULE_STATE_ENABLED) + switch (type) { - continue; + case PM_TYPE__CONTENT: + LogMessage("\tContent: %d\n", count); + break; + case PM_TYPE__HTTP_URI_CONTENT: + LogMessage("\tHttp Uri Content: %d\n", count); + break; + case PM_TYPE__HTTP_HEADER_CONTENT: + LogMessage("\tHttp Header Content: %d\n", count); + break; + case PM_TYPE__HTTP_CLIENT_BODY_CONTENT: + LogMessage("\tHttp Client Body Content: %d\n", count); + break; + default: + break; } + } - if( OtnHasContent(otn) ) - { - /* get the content pattern match data */ - pmd = otn->ds_list[PLUGIN_PATTERN_MATCH]; + LogMessage("\tNo content: %u\n", pg->pgNoContentCount); +} + +static void fpDeletePMX(void *data) +{ + PMX *pmx = (PMX *)data; + RULE_NODE *rn; + OTNX *otnx; - /* add the longest AND content... */ - if( pmd ) //&& !IsPureNotRule( pmd ) ) - fpAddLongestContent( pg->pgPatData, otn, id, pmd ); + rn = (RULE_NODE *)pmx->RuleNode; + otnx = (OTNX *)rn->rnRuleData; + free(otnx); + free(rn); + free(pmx); +} - /* add ALL OR contents... 
*/ - pmdor = otn->ds_list[PLUGIN_PATTERN_MATCH_OR]; +static void fpDeletePortGroup(void *data) +{ + PORT_GROUP *pg = (PORT_GROUP *)data; + RULE_NODE *rn, *tmpRn; + OTNX *otnx; + PmType i; - if( pmdor ) //&& !IsPureNotRule( pmdor ) ) /* ignore pure not rules */ - fpAddAllContents( pg->pgPatData, otn, id, pmdor ); + rn = pg->pgHead; + while (rn) + { + tmpRn = rn->rnNext; + otnx = (OTNX *)rn->rnRuleData; + free(otnx); + free(rn); + rn = tmpRn; + } + pg->pgHead = NULL; - /* add content for shared object rules */ -#ifdef DYNAMIC_PLUGIN - fpAddDynamicContents( pg->pgPatData, otn, id, FASTPATTERN_NORMAL ); -#endif + rn = pg->pgUriHead; + while (rn) + { + tmpRn = rn->rnNext; + otnx = (OTNX *)rn->rnRuleData; + free(otnx); + free(rn); + rn = tmpRn; + } + pg->pgUriHead = NULL; - if (!IsPureNotRule(pmd, otn)) - { - hc++; - /* Add the rule to the port groups content RULE_NODE lists */ - fpAddPortGroupRule(pg,otn,id,PGCT_CONTENT); - } + rn = pg->pgHeadNC; + while (rn) + { + tmpRn = rn->rnNext; + otnx = (OTNX *)rn->rnRuleData; + free(otnx); + free(rn); + rn = tmpRn; + } + pg->pgHeadNC = NULL; - crules++; - } - - if( OtnHasUriContent(otn) ) + for (i = PM_TYPE__CONTENT; i < PM_TYPE__MAX; i++) + { + if (pg->pgPms[i] != NULL) { - /* get the uri content pattern match data */ - pmd = otn->ds_list[PLUGIN_PATTERN_MATCH_URI]; - - /* add ALL AND contents for HTTP... 
*/ - if( pmd && !IsPureNotRule( pmd, otn ) )/* ignore pure not rules */ - fpAddAllContents( pg->pgPatDataUri, otn, id, pmd ); - - /* add uri content for shared object rules */ -#ifdef DYNAMIC_PLUGIN - fpAddDynamicContents( pg->pgPatDataUri, otn, id, FASTPATTERN_URI ); -#endif - if (!IsPureNotRule(pmd, otn)) - { - huc++; - /* Add the rule to the port groups uricontent RULE_NODE lists */ - fpAddPortGroupRule(pg,otn,id,PGCT_URICONTENT); - } - - urules++; - } - - if( !hc && !huc ) - { - /* no content for this rule - add into this port groups no-content rule list */ - fpAddPortGroupRule(pg,otn,id,PGCT_NOCONTENT); - - ncrules++; + mpseFree(pg->pgPms[i]); + pg->pgPms[i] = NULL; } - - id++; /* inc rule node id, used for bitmap indexing */ - } - - /* - ** Initialize the BITOP structure for this - ** port group. - */ - if( pg->pgContentCount && boInitBITOP(&(pg->boRuleNodeID),pg->pgContentCount) ) - { - FatalError("boInitBITOP failed, content count=%d\n",pg->pgContentCount); - } - - /* Compile the Content Pattern Machine */ - if( crules ) - { - mpsePrepPatterns( pg->pgPatData, pmx_create_tree, add_patrn_to_neg_list ); - if (fp->debug ) - mpsePrintInfo(pg->pgPatData); - } - else - { - mpseFree( pg->pgPatData ); - pg->pgPatData = NULL; - } - - /* Compile the UriContent Pattern Machine */ - if( urules ) - { - mpsePrepPatterns( pg->pgPatDataUri, pmx_create_tree, add_patrn_to_neg_list ); - if (fp->debug ) - mpsePrintInfo(pg->pgPatDataUri); - } - else - { - /* release the pattern matcher */ - mpseFree( pg->pgPatDataUri ); - pg->pgPatDataUri = NULL; - } + } - if (ncrules) - { - RULE_NODE *ruleNode; - - for (ruleNode = pg->pgHeadNC; ruleNode; ruleNode = ruleNode->rnNext) - { - OTNX *otnx = (OTNX *)ruleNode->rnRuleData; - otn_create_tree(otnx->otn, &pg->pgNonContentTree); - } - finalize_detection_option_tree((detection_option_tree_root_t*)pg->pgNonContentTree); - //num_nc_trees++; - } + free_detection_option_root(&pg->pgNonContentTree); - /* Assign the port_group if we have content, 
uri-content, or even just no-content rules */ - if( urules || crules || ncrules ) - { - /* Add the port_group using it's service name */ - sfghash_add( p, srvc, pg ); - } - else - { - free( pg ); /* no rules of any kind..mmm, clean it up */ - } + free(pg); } /* - * For each service we create a PORT_GROUP based on the otn's defined to - * be applicable to that service by the metadata option. - * - * Than we lookup the protocol/srvc oridinal in the target-based area - * and assign the PORT_GROUP for the srvc to it. - * - * spg - service port group (lookup should be by service id/tag) - * - this table maintains a port_group ptr for each service - * srm - service rule map table (lookup by ascii service name) - * - this table maintains a sf_list ptr (list of rule otns) for each service + * Create the PortGroup for these PortObject2 entitiies * + * This builds the 1st pass multi-pattern state machines for + * content and uricontent based on the rules in the PortObjects + * hash table. */ -void fpBuildServicePortGroups(SFGHASH *spg, PORT_GROUP **sopg, SFGHASH *srm, FastPatternConfig *fp) +static int fpCreatePortObject2PortGroup(SnortConfig *sc, PortObject2 *po, PortObject2 *poaa) { - SFGHASH_NODE * n; - char * srvc; - SF_LIST * list; + SFGHASH_NODE *node; + unsigned sid, gid; + OptTreeNode * otn; PORT_GROUP * pg; + PortObject2 *pox; + FastPatternConfig *fp = sc->fast_pattern_config; - for(n=sfghash_findfirst(srm); - n; - n=sfghash_findnext(srm) ) + /* verify we have a port object */ + if (po == NULL) + return 0; + + po->data = 0; + + if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) + PortObject2PrintPorts( po ); + + /* Check if we have any rules */ + if (po->rule_hash == NULL) + return 0; + + /* create a port_group */ + pg = (PORT_GROUP *)SnortAlloc(sizeof(PORT_GROUP)); + + if (fpAllocPms(pg, fp) != 0) { - list = (SF_LIST *)n->data; - if(!list)continue; + free(pg); + return -1; + } + + /* + * Walk the rules in the PortObject and add to + * the PORT_GROUP pattern state 
machine + * and to the port group RULE_NODE lists. + * (The lists are still used in some cases + * during detection to walk the rules in a group + * so we have to load these as well...fpEvalHeader()... for now.) + * + * po src/dst ports : content/uri and nocontent + * poaa any-any ports : content/uri and nocontent + * + * each PG has src or dst contents, generic-contents, and no-contents + * (src/dst or any-any ports) + * + */ + pox = po; + + if (po == NULL) + pox = poaa; + + while (pox != NULL) + { + for (node = sfghash_findfirst(pox->rule_hash); + node; + node = sfghash_findnext(pox->rule_hash)) + { + int *prindex = (int *)node->data; - srvc = n->key; - if(!srvc)continue; + /* be safe - no rule index, ignore it */ + if (prindex == NULL) + continue; - fpBuildServicePortGroupByServiceOtnList(spg, srvc, list, fp); + /* look up gid:sid */ + gid = RuleIndexMapGid(ruleIndexMap, *prindex); + sid = RuleIndexMapSid(ruleIndexMap, *prindex); - /* Add this PORT_GROUP to the protocol-ordinal -> port_group table */ - pg = sfghash_find( spg, srvc ); - if( pg ) - { - int16_t id; - id = FindProtocolReference(srvc); - if(id==SFTARGET_UNKNOWN_PROTOCOL) + /* look up otn */ + otn = OtnLookup(sc->otn_map, gid, sid); + if (otn == NULL) { - id = AddProtocolReference(srvc); - if(id <=0 ) - { - FatalError("Could not AddProtocolReference!\n"); - } - if( id >= MAX_PROTOCOL_ORDINAL ) - { - LogMessage("fpBuildServicePortGroups: protocol-ordinal=%d exceeds " - "limit of %d for service=%s\n",id,MAX_PROTOCOL_ORDINAL,srvc); - } + LogMessage("fpCreatePortObject2PortGroup...failed otn lookup, " + "gid=%u sid=%u\n", gid, sid); + continue; } - else if( id > 0 ) + + if (otn->proto == ETHERNET_TYPE_IP) { - if( id < MAX_PROTOCOL_ORDINAL ) - { - sopg[ id ] = pg; - LogMessage("fpBuildServicePortGroups: adding protocol-ordinal=%d " - "as service=%s\n",id,srvc); - } - else + /* If only one detection option and it's ip_proto it will be evaluated + * at decode time instead of detection time */ + if 
((otn->ds_list[PLUGIN_IP_PROTO_CHECK] != NULL) && + (otn->num_detection_opts == 1)) { - LogMessage("fpBuildServicePortGroups: protocol-ordinal=%d exceeds " - "limit of %d for service=%s\n",id,MAX_PROTOCOL_ORDINAL,srvc); + fpAddIpProtoOnlyRule(sc->ip_proto_only_lists, otn); + continue; } - } - else /* id < 0 */ - { - LogMessage("fpBuildServicePortGroups: adding protocol-ordinal=%d for " - "service=%s, can't use that !!!\n",id,srvc); + fpRegIpProto(sc->ip_proto_array, otn); } + + if (fpAddPortGroupRule(pg, otn, fp) != 0) + continue; } - else - { - LogMessage("*** fpBuildServicePortGroups: failed to create and find a port group for '%s' !!! \n",srvc ); - } - } -} -/* - * For each proto+dir+service build a PORT_GROUP - */ -static void fpCreateServiceMapPortGroups(SnortConfig *sc) -{ - FastPatternConfig *fp = sc->fast_pattern_config; + if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) + fpPortGroupPrintRuleCount(pg); - sc->spgmmTable = ServicePortGroupMapNew(); - sc->sopgTable = ServicePortGroupTableNew(); + if (pox == poaa) + break; - fpBuildServicePortGroups(sc->spgmmTable->tcp_to_srv, sc->sopgTable->tcp_to_srv, - sc->srmmTable->tcp_to_srv, fp); - fpBuildServicePortGroups(sc->spgmmTable->tcp_to_cli, sc->sopgTable->tcp_to_cli, - sc->srmmTable->tcp_to_cli, fp); + pox = poaa; + } - fpBuildServicePortGroups(sc->spgmmTable->udp_to_srv, sc->sopgTable->udp_to_srv, - sc->srmmTable->udp_to_srv, fp); - fpBuildServicePortGroups(sc->spgmmTable->udp_to_cli, sc->sopgTable->udp_to_cli, - sc->srmmTable->udp_to_cli, fp); + /* This might happen if there was ip proto only rules + * Don't return failure */ + if (fpFinishPortGroup(pg, fp) != 0) + return 0; - fpBuildServicePortGroups(sc->spgmmTable->icmp_to_srv, sc->sopgTable->icmp_to_srv, - sc->srmmTable->icmp_to_srv, fp); - fpBuildServicePortGroups(sc->spgmmTable->icmp_to_cli, sc->sopgTable->icmp_to_cli, - sc->srmmTable->icmp_to_cli, fp); + po->data = pg; + po->data_free = fpDeletePortGroup; - 
fpBuildServicePortGroups(sc->spgmmTable->ip_to_srv, sc->sopgTable->ip_to_srv, - sc->srmmTable->ip_to_srv, fp); - fpBuildServicePortGroups(sc->spgmmTable->ip_to_cli, sc->sopgTable->ip_to_srv, - sc->srmmTable->ip_to_cli, fp); + return 0; } -PORT_GROUP * fpGetServicePortGroupByOrdinal(sopg_table_t *sopg, int proto, int dir, int16_t proto_ordinal) +/* + * Create the port groups for this port table + */ +static int fpCreatePortTablePortGroups(SnortConfig *sc, PortTable *p, PortObject2 *poaa) { - //SFGHASH_NODE * n; - PORT_GROUP *pg = NULL; + SFGHASH_NODE * node; + int cnt=1; + FastPatternConfig *fp = sc->fast_pattern_config; - if (proto_ordinal >= MAX_PROTOCOL_ORDINAL) - return NULL; + if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) + LogMessage("%d Port Groups in Port Table\n",p->pt_mpo_hash->count); - if (sopg == NULL) - return NULL; - - switch (proto) + for (node=sfghash_findfirst(p->pt_mpo_hash); //p->pt_mpxo_hash + node; + node=sfghash_findnext(p->pt_mpo_hash) ) //p->pt->mpxo_hash { - case IPPROTO_TCP: - if (dir == TO_SERVER) - pg = sopg->tcp_to_srv[proto_ordinal]; - else - pg = sopg->tcp_to_cli[proto_ordinal]; - - break; - - case IPPROTO_UDP: - if (dir == TO_SERVER) - pg = sopg->udp_to_srv[proto_ordinal]; - else - pg = sopg->udp_to_cli[proto_ordinal]; - - break; + PortObject2 * po; - case IPPROTO_ICMP: - if (dir == TO_SERVER) - pg = sopg->icmp_to_srv[proto_ordinal]; - else - pg = sopg->icmp_to_cli[proto_ordinal]; + po = (PortObject2*)node->data; + if (po == NULL) + continue; - break; + if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) + LogMessage("Creating Port Group Object %d of %d\n",cnt++,p->pt_mpo_hash->count); - case ETHERNET_TYPE_IP: - if (dir == TO_SERVER) - pg = sopg->ip_to_srv[proto_ordinal]; - else - pg = sopg->ip_to_cli[proto_ordinal]; + /* if the object is not referenced, don't add it to the PORT_GROUPs + * as it may overwrite other objects that are more inclusive. 
*/ + if (!po->port_cnt) + continue; - break; + if (fpCreatePortObject2PortGroup(sc, po, poaa)) + { + LogMessage("fpCreatePortObject2PortGroup() failed\n"); + return -1; + } - default: - break; + if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) + mpsePrintSummary(fp->search_method); } - return pg; + return 0; } - /* - * Print the rule gid:sid based onm the otn list + * Create port group objects for all port tables + * + * note: any-any ports are standard PortObjects not PortObject2's so we have to + * uprade them for the create port group function */ -void fpPrintRuleList( SF_LIST * list ) -{ - OptTreeNode * otn; - - for( otn=(OptTreeNode*)sflist_first(list); - otn; - otn=(OptTreeNode*)sflist_next(list) ) - { - LogMessage("| %u:%u\n",otn->sigInfo.generator,otn->sigInfo.id); - } -} -static -void fpPrintServiceRuleMapTable( SFGHASH * p, char * msg ) +static int fpCreatePortGroups(SnortConfig *sc, rule_port_tables_t *p) { - SFGHASH_NODE * n; - - if( !p || !p->count ) - return; + PortObject2 *po2, *add_any_any = NULL; + FastPatternConfig *fp = sc->fast_pattern_config; - LogMessage("| Protocol [%s] %d services\n",msg,p->count ); - LogMessage("----------------------------------------------------\n"); - - for( n = sfghash_findfirst(p); - n; - n = sfghash_findnext(p) ) - { - SF_LIST * list; - - list = (SF_LIST*)n->data; - if( !list ) continue; + if (!rule_count) + return 0 ; - if( !n->key ) continue; + /* TCP */ + /* convert the tcp-any-any to a PortObject2 creature */ + po2 = PortObject2Dup(p->tcp_anyany); + if (po2 == NULL) + FatalError("Could not create a PortObject version 2 for tcp-any-any rules\n!"); - LogMessage("| Service [%s] %d rules, rule list follows as gid:sid.\n",n->key,list->count); - - fpPrintRuleList( list ); - } - LogMessage("----------------------------------------------------\n"); -} + if (!fpDetectSplitAnyAny(fp)) + add_any_any = po2; -static void fpPrintServiceRuleMaps(srmm_table_t *service_map) -{ - 
LogMessage("+---------------------------------------------------\n"); - LogMessage("| Service Rule Maps\n"); - LogMessage("----------------------------------------------------\n"); - fpPrintServiceRuleMapTable( service_map->tcp_to_srv, "tcp to server" ); - fpPrintServiceRuleMapTable( service_map->tcp_to_cli, "tcp to client" ); - - fpPrintServiceRuleMapTable( service_map->udp_to_srv, "udp to server" ); - fpPrintServiceRuleMapTable( service_map->udp_to_cli, "udp to client" ); - - fpPrintServiceRuleMapTable( service_map->icmp_to_srv, "icmp to server" ); - fpPrintServiceRuleMapTable( service_map->icmp_to_cli, "icmp to client" ); - - fpPrintServiceRuleMapTable( service_map->ip_to_srv, "ip to server" ); - fpPrintServiceRuleMapTable( service_map->ip_to_cli, "ip to client" ); -} + if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) + LogMessage("\nTCP-SRC "); -/* - * - */ -void fpPrintServicePortGroupSummary(srmm_table_t *srvc_pg_map) -{ + if (fpCreatePortTablePortGroups(sc, p->tcp_src, add_any_any)) + { + LogMessage("fpCreatePorTablePortGroups failed-tcp_src\n"); + return -1; + } - LogMessage("+--------------------------------\n"); - LogMessage("| Service-PortGroup Table Summary \n"); - LogMessage("---------------------------------\n"); + if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) + LogMessage("\nTCP-DST "); - if(srvc_pg_map->tcp_to_srv->count) - LogMessage("| tcp to server : %d services\n",srvc_pg_map->tcp_to_srv->count); - if(srvc_pg_map->tcp_to_cli->count) - LogMessage("| tcp to cient : %d services\n",srvc_pg_map->tcp_to_cli->count); + if (fpCreatePortTablePortGroups(sc, p->tcp_dst, add_any_any)) + { + LogMessage("fpCreatePorTablePortGroups failed-tcp_dst\n"); + return -1; + } - if(srvc_pg_map->udp_to_srv->count) - LogMessage("| udp to server : %d services\n",srvc_pg_map->udp_to_srv->count); - if(srvc_pg_map->udp_to_cli->count) - LogMessage("| udp to cient : %d services\n",srvc_pg_map->udp_to_cli->count); + if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) + 
LogMessage("\nTCP-ANYANY "); - if(srvc_pg_map->icmp_to_srv->count) - LogMessage("| icmp to server : %d services\n",srvc_pg_map->icmp_to_srv->count); - if(srvc_pg_map->icmp_to_cli->count) - LogMessage("| icmp to cient : %d services\n",srvc_pg_map->icmp_to_cli->count); + if (fpCreatePortObject2PortGroup(sc, po2, 0)) + { + LogMessage("fpCreatePorTablePortGroups failed-tcp any-any\n"); + return -1; + } - if(srvc_pg_map->ip_to_srv->count) - LogMessage("| ip to server : %d services\n",srvc_pg_map->ip_to_srv->count); - if(srvc_pg_map->ip_to_cli->count) - LogMessage("| ip to cient : %d services\n",srvc_pg_map->ip_to_cli->count); - LogMessage("---------------------------------\n"); -} + /* save the any-any port group */ + p->tcp_anyany->data = po2->data; + p->tcp_anyany->data_free = fpDeletePortGroup; + po2->data = 0; + /* release the dummy PortObject2 copy of tcp-any-any */ + //LogMessage("fpcreate: calling PortObjectFree2(po2), line = %d\n",__LINE__ ); + PortObject2Free(po2); -/* - * Build Service based PORT_GROUPs using the rules - * metadata option service parameter. 
- */ -static int fpCreateServicePortGroups(SnortConfig *sc) -{ - FastPatternConfig *fp = sc->fast_pattern_config; + /* UDP */ + po2 = PortObject2Dup(p->udp_anyany); + if (po2 == NULL ) + FatalError("Could not create a PortObject version 2 for udp-any-any rules\n!"); - sc->srmmTable = ServiceMapNew(); + if (!fpDetectSplitAnyAny(fp)) + add_any_any = po2; - if (fpCreateServiceMaps(sc)) - return -1; - if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) - fpPrintServiceRuleMaps(sc->srmmTable); - - fpCreateServiceMapPortGroups(sc); + LogMessage("\nUDP-SRC "); + + if (fpCreatePortTablePortGroups(sc, p->udp_src, add_any_any)) + { + LogMessage("fpCreatePorTablePortGroups failed-udp_src\n"); + return -1; + } if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) - fpPrintServicePortGroupSummary(sc->spgmmTable); - - //srvcmap_term(); - - return 0; -} -//TARGET_BASED -#endif + LogMessage("\nUDP-DST "); -/* -* Port list version -* -* 7/2007 - man -* -* Build Pattern Groups for 1st pass of content searching using -* multi-pattern search method. 
-*/ -int fpCreateFastPacketDetection(SnortConfig *sc) -{ - rule_port_tables_t *port_tables; - FastPatternConfig *fp; + if (fpCreatePortTablePortGroups(sc, p->udp_dst, add_any_any)) + { + LogMessage("fpCreatePorTablePortGroups failed-udp_src\n"); + return -1; + } - /* This is somewhat necessary because of how the detection option trees - * are added via a callback from the pattern matcher */ - snort_conf_for_fast_pattern = sc; + if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) + LogMessage("\nUDP-ANYANY "); - if(!rule_count || (sc == NULL)) - return 0; + if (fpCreatePortObject2PortGroup(sc, po2, 0)) + { + LogMessage("fpCreatePorTablePortGroups failed-udp_src\n"); + return -1; + } - port_tables = sc->port_tables; - fp = sc->fast_pattern_config; + p->udp_anyany->data = po2->data; + p->udp_anyany->data_free = fpDeletePortGroup; + po2->data = 0; + //LogMessage("fpcreate: calling PortObjectFree2(po2), line = %d\n",__LINE__ ); + PortObject2Free(po2); - if ((port_tables == NULL) || (fp == NULL)) - return 0; + /* ICMP */ + po2 = PortObject2Dup(p->icmp_anyany); + if (po2 == NULL) + FatalError("Could not create a PortObject version 2 for icmp-any-any rules\n!"); + + if (!fpDetectSplitAnyAny(fp)) + add_any_any = po2; - /* Use PortObjects to create PORT_GROUPs */ if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) - LogMessage("Creating Port Groups....\n"); + LogMessage("\nICMP-SRC "); - if (fpCreatePortGroups(sc, port_tables)) - FatalError("Could not create PortGroup objects for PortObjects\n"); + if (fpCreatePortTablePortGroups(sc, p->icmp_src, add_any_any)) + { + LogMessage("fpCreatePorTablePortGroups failed-icmp_src\n"); + return -1; + } if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) - LogMessage("Port Groups Done....\n"); + LogMessage("\nICMP-DST "); + + if (fpCreatePortTablePortGroups(sc, p->icmp_dst, add_any_any)) + { + LogMessage("fpCreatePorTablePortGroups failed-icmp_src\n"); + return -1; + } - /* Create rule_maps */ if 
(fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) - LogMessage("Creating Rule Maps....\n"); + LogMessage("\nICMP-ANYANY "); - if (fpCreateRuleMaps(sc, port_tables)) - FatalError("Could not create rule maps\n"); + if (fpCreatePortObject2PortGroup(sc, po2, 0)) + { + LogMessage("fpCreatePorTablePortGroups failed-icmp any-any\n"); + return -1; + } - if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) - LogMessage("Rule Maps Done....\n"); + p->icmp_anyany->data = po2->data; + p->icmp_anyany->data_free = fpDeletePortGroup; + po2->data = 0; + //LogMessage("fpcreate: calling PortObjectFree2(po2), line = %d\n",__LINE__ ); + PortObject2Free(po2); -#ifndef TARGET_BASED - LogMessage("\n"); - LogMessage("[ Port Based Pattern Matching Memory ]\n" ); - mpsePrintSummary(); -#else - if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) - LogMessage("Creating Service Based Rule Maps....\n"); + /* IP */ + po2 = PortObject2Dup(p->ip_anyany); + if (po2 == NULL) + FatalError("Could not create a PortObject version 2 for ip-any-any rules\n!"); - /* Build Service based port groups - rules require service metdata - * i.e. 'metatdata: service [=] service-name, ... ;' - * - * Also requires a service attribute for lookup ... 
- */ - if (fpCreateServicePortGroups(sc)) - FatalError("Could not create service based port groups\n"); + if (!fpDetectSplitAnyAny(fp)) + add_any_any = po2; if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) - LogMessage("Service Based Rule Maps Done....\n"); - - LogMessage("\n"); - LogMessage("[ Port and Service Based Pattern Matching Memory ]\n" ); - mpsePrintSummary(); -#endif + LogMessage("\nIP-SRC "); - snort_conf_for_fast_pattern = NULL; + if (fpCreatePortTablePortGroups(sc, p->ip_src, add_any_any)) + { + LogMessage("fpCreatePorTablePortGroups failed-ip_src\n"); + return -1; + } - return 0; -} + if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) + LogMessage("\nIP-DST "); -void fpDeleteFastPacketDetection(SnortConfig *sc) -{ - if (sc == NULL) - return; + if (fpCreatePortTablePortGroups(sc, p->ip_dst, add_any_any)) + { + LogMessage("fpCreatePorTablePortGroups failed-ip_dst\n"); + return -1; + } - /* Cleanup the detection option tree */ - DetectionHashTableFree(sc->detection_option_hash_table); - DetectionTreeHashTableFree(sc->detection_option_tree_hash_table); + if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) + LogMessage("\nIP-ANYANY "); - fpFreeRuleMaps(sc); + if (fpCreatePortObject2PortGroup(sc, po2, 0)) + { + LogMessage("fpCreatePorTablePortGroups failed-ip any-any\n"); + return -1; + } -#ifdef TARGET_BASED - ServiceMapFree(sc->srmmTable); - ServicePortGroupMapFree(sc->spgmmTable); - if (sc->sopgTable != NULL) - free(sc->sopgTable); -#endif + p->ip_anyany->data = po2->data; + p->ip_anyany->data_free = fpDeletePortGroup; + po2->data = 0; + //LogMessage("fpcreate: calling PortObjectFree2(po2), line = %d\n",__LINE__ ); + PortObject2Free(po2); + return 0; } -/* END PORTLIST VERSION */ -#else - -/* ORIGINAL - NON PORT LIST BASED VERSION */ /* -** Build a Pattern group for the Uri-Content rules in this group -** -** The patterns added for each rule must be suffcient so if we find any of them -** we proceed to fully analyze the OTN and RTN against the 
packet. -** -*/ -static void BuildMultiPatGroupsUri(PORT_GROUP *pg, FastPatternConfig *fp) + * Scan the master otn lists and and pass + * + * + * enabled - if true requires otn to be enabled + * fcn - callback + * proto - IP,TCP,IDP,ICMP protocol flag + * otn - OptTreeNode + */ +void fpWalkOtns(int enabled, OtnWalkFcn fcn) { - OptTreeNode *otn; - RuleTreeNode *rtn; - OTNX *otnx; /* otnx->otn & otnx->rtn */ - PatternMatchData *pmd; - RULE_NODE *rnWalk = NULL; - PMX *pmx; - void *mpse_obj; -#ifdef DYNAMIC_PLUGIN - DynamicData *dd; - FPContentInfo *fplist[PLUGIN_MAX_FPLIST_SIZE]; -#endif + RuleTreeNode *rtn; + SFGHASH_NODE *hashNode; + OptTreeNode *otn = NULL; + tSfPolicyId policyId = 0; - if(!pg || !pg->pgCount) - return; - - /* test for any Content Rules */ - if( !prmGetFirstRuleUri(pg) ) + if (snort_conf == NULL) return; - mpse_obj = mpseNew(fp->search_method, - MPSE_INCREMENT_GLOBAL_CNT, - fpDeletePMX, - free_detection_option_root, - neg_list_free); - - if (mpse_obj == NULL) - FatalError("BuildMultiPatGroupUri: mpse_obj=mpseNew"); - - if (fp->search_opt) - mpseSetOpt(mpse_obj, 1); - - /* - ** Save the Multi-Pattern data structure for processing Uri's in this - ** group later during packet analysis. - */ - pg->pgPatDataUri = mpse_obj; - - /* - ** Initialize the BITOP structure for this - ** port group. This is most likely going to be initialized - ** by the non-uri BuildMultiPattGroup. If for some reason there - ** is only uri contents in a port group, then we miss the initialization - ** in the content port groups and catch it here. - */ - if( boInitBITOP(&(pg->boRuleNodeID),pg->pgCount) ) + for (hashNode = sfghash_findfirst(snort_conf->otn_map); + hashNode; + hashNode = sfghash_findnext(snort_conf->otn_map)) { - return; - } + otn = (OptTreeNode *)hashNode->data; + for ( policyId = 0; + policyId < otn->proto_node_num; + policyId++ ) + { + rtn = getRtnFromOtn(otn, policyId); - /* - * Add in all of the URI contents, since these are effectively OR rules. 
- * - */ - for( rnWalk=pg->pgUriHead; rnWalk; rnWalk=rnWalk->rnNext) - { - otnx = (OTNX *)rnWalk->rnRuleData; - - otn = otnx->otn; - rtn = otnx->rtn; - - /* Add all of the URI contents */ - pmd = otn->ds_list[PLUGIN_PATTERN_MATCH_URI]; - while( pmd ) - { - if(pmd->pattern_buf) - { - pmx = (PMX*)SnortAlloc(sizeof(PMX) ); - pmx->RuleNode = rnWalk; - pmx->PatternMatchData= pmd; - - /* - ** Add the max content length to this otnx - */ - if(otnx->content_length < pmd->pattern_size) - otnx->content_length = pmd->pattern_size; + /* There can be gaps in the list of rtns. */ + if (rtn == NULL) + continue; - mpseAddPattern(mpse_obj, pmd->pattern_buf, pmd->pattern_size, - pmd->nocase, /* NoCase: 1-NoCase, 0-Case */ - pmd->offset, - pmd->depth, - (unsigned)pmd->exception_flag, - pmx, //(unsigned)rnWalk, /* rule ptr */ - //(unsigned)pmd, - rnWalk->iRuleNodeID ); + if ((rtn->proto == IPPROTO_TCP) || (rtn->proto == IPPROTO_UDP) + || (rtn->proto == IPPROTO_ICMP) || (rtn->proto == ETHERNET_TYPE_IP)) + { + //do operation + if ( enabled && (otn->rule_state != RULE_STATE_ENABLED) ) + continue; + + fcn( rtn->proto, rtn, otn ); } - - pmd = pmd->next; } -#ifdef DYNAMIC_PLUGIN - /* - ** - ** Add in plugin contents for fast pattern matcher - ** - **/ - dd =(DynamicData*) otn->ds_list[PLUGIN_DYNAMIC]; - if( dd ) + } +} + +#ifdef TARGET_BASED +/* + * Scan the master otn lists and load the Service maps + * for service based rule grouping. 
+ */ +static int fpCreateServiceMaps(SnortConfig *sc) +{ + RuleTreeNode *rtn; + SFGHASH_NODE *hashNode; + OptTreeNode *otn = NULL; + tSfPolicyId policyId = 0; + unsigned int svc_idx; + + for (hashNode = sfghash_findfirst(sc->otn_map); + hashNode; + hashNode = sfghash_findnext(sc->otn_map)) + { + otn = (OptTreeNode *)hashNode->data; + for ( policyId = 0; + policyId < otn->proto_node_num; + policyId++ ) { - int n,i; - n = dd->fastPatternContents(dd->contextData,FASTPATTERN_URI,fplist,PLUGIN_MAX_FPLIST_SIZE); - - for(i=0;iproto == IPPROTO_TCP) || (rtn->proto == IPPROTO_UDP) + || (rtn->proto == IPPROTO_ICMP) || (rtn->proto == ETHERNET_TYPE_IP))) { - pmd = (PatternMatchData*)SnortAlloc(sizeof(PatternMatchData) ); - - pmx = (PMX*)SnortAlloc(sizeof(PMX) ); - - pmx->RuleNode = rnWalk; - pmx->PatternMatchData= pmd; - - pmd->pattern_buf = fplist[i]->content; - pmd->pattern_size= fplist[i]->length; - pmd->nocase = fplist[i]->noCaseFlag; - pmd->offset = 0; - pmd->depth = 0; - - mpseAddPattern( mpse_obj, - pmd->pattern_buf, - pmd->pattern_size, - pmd->nocase, /* 1--NoCase, 0-Case */ - pmd->offset, - pmd->depth, - (unsigned)pmd->exception_flag, - pmx, - rnWalk->iRuleNodeID ); + //do operation + + /* Non-content preprocessor or decoder rule. + * don't add it */ + if (otn->sigInfo.rule_type != SI_RULE_TYPE_DETECT) + { + continue; + } + + /* Not enabled, don't do the FP content */ + if (otn->rule_state != RULE_STATE_ENABLED) + continue; - /* Free the bucket */ - free(fplist[i]); + for (svc_idx = 0; svc_idx < otn->sigInfo.num_services; svc_idx++) + { + if (ServiceMapAddOtn(sc->srmmTable, rtn->proto, otn->sigInfo.services[svc_idx].service, otn)) + return -1; + } } } -#endif } - mpsePrepPatterns( mpse_obj, pmx_create_tree, add_patrn_to_neg_list); - if( fp->debug ) mpsePrintInfo( mpse_obj ); + return 0; } + /* -* Build Content-Pattern Information for this group +* Build a Port Group for this service based on the list of otns. 
The final +* port_group pointer is stored using the service name as the key. +* +* p - hash table mapping services to port_groups +* srvc- service name, key used to store the port_group +* ...could use a service id instead (bytes, fixed length,etc...) +* list- list of otns for this service */ -static void BuildMultiPatGroup(PORT_GROUP * pg, FastPatternConfig *fp) +void fpBuildServicePortGroupByServiceOtnList(SFGHASH *p, char *srvc, SF_LIST *list, FastPatternConfig *fp) { - OptTreeNode *otn; - RuleTreeNode *rtn; - OTNX *otnx; /* otnx->otn & otnx->rtn */ - PatternMatchData *pmd, *pmdmax; - RULE_NODE *rnWalk = NULL; - PMX *pmx; - void *mpse_obj; - /*int maxpats; */ -#ifdef DYNAMIC_PLUGIN - DynamicData *dd; - FPContentInfo *fplist[PLUGIN_MAX_FPLIST_SIZE]; -#endif - if(!pg || !pg->pgCount) - return; - - /* test for any Content Rules */ - if( !prmGetFirstRule(pg) ) - return; - - mpse_obj = mpseNew(fp->search_method, - MPSE_INCREMENT_GLOBAL_CNT, - fpDeletePMX, - free_detection_option_root, - neg_list_free); - - if (mpse_obj == NULL) - FatalError("BuildMultiPatGroup: memory error, mpseNew(%d,0) failed\n",fpDetect.search_method); - - if (fp->search_opt) - mpseSetOpt(mpse_obj, 1); - - /* Save the Multi-Pattern data structure for processing this group later - during packet analysis. - */ - pg->pgPatData = mpse_obj; + OptTreeNode * otn; + PORT_GROUP *pg = (PORT_GROUP *)SnortAlloc(sizeof(PORT_GROUP)); - /* - ** Initialize the BITOP structure for this - ** port group. 
- */ - if( boInitBITOP(&(pg->boRuleNodeID),pg->pgCount) ) + if (fpAllocPms(pg, fp) != 0) { + free(pg); return; } - - /* - * For each content rule, add one of the AND contents, - * and all of the OR contents - */ - for(rnWalk=pg->pgHead; rnWalk; rnWalk=rnWalk->rnNext) - { - otnx = (OTNX *)(rnWalk->rnRuleData); - - otn = otnx->otn; - rtn = otnx->rtn; - - /* Add the longest AND patterns, 'content:' patterns*/ - pmd = otn->ds_list[PLUGIN_PATTERN_MATCH]; - - /* - ** Add all the content's for the Pure Not rules, - ** because we will check after processing the packet - ** to see if these pure not rules were hit using the - ** bitop functionality. If they were hit, then there - ** is no event, otherwise there is an event. - */ - if( pmd && IsPureNotRule( pmd, otn ) ) - { - /* - ** Pure Not Rules are not supported. - */ - LogMessage("SNORT DETECTION ENGINE: Pure Not Rule " - "'%s' not added to detection engine. " - "These rules are not supported at this " - "time.\n", otn->sigInfo.message); - while( pmd ) + /* + * add each rule to the port group pattern matchers, + * or to the no-content rule list + */ + for (otn = sflist_first(list); + otn; + otn = sflist_next(list)) + { + if (otn->proto == ETHERNET_TYPE_IP) + { + /* If only one detection option and it's ip_proto it will be evaluated + * at decode time instead of detection time + * These will have already been added when adding port groups */ + if ((otn->ds_list[PLUGIN_IP_PROTO_CHECK] != NULL) && + (otn->num_detection_opts == 1)) { - if( pmd->pattern_buf ) - { - pmx = (PMX*)SnortAlloc(sizeof(PMX) ); - pmx->RuleNode = rnWalk; - pmx->PatternMatchData= pmd; - - mpseAddPattern( mpse_obj, pmd->pattern_buf, - pmd->pattern_size, - pmd->nocase, /* NoCase: 1-NoCase, 0-Case */ - pmd->offset, - pmd->depth, - (unsigned)pmd->exception_flag, - pmx, - rnWalk->iRuleNodeID ); - } - - pmd = pmd->next; - } - - /* Build the list of pure NOT rules for this group */ - prmAddNotNode( pg, (int)rnWalk->iRuleNodeID ); - } - else - { - /* Add the 
longest content for normal or mixed contents */ - pmdmax = FindLongestPattern( pmd, otn ); - if( pmdmax ) - { - pmx = (PMX*)SnortAlloc(sizeof(PMX) ); - pmx->RuleNode = rnWalk; - pmx->PatternMatchData= pmdmax; - - otnx->content_length = pmdmax->pattern_size; - - mpseAddPattern( mpse_obj, pmdmax->pattern_buf, pmdmax->pattern_size, - pmdmax->nocase, /* NoCase: 1-NoCase, 0-Case */ - pmdmax->offset, - pmdmax->depth, - (unsigned)pmdmax->exception_flag, - pmx, - rnWalk->iRuleNodeID ); - } - } - - /* Add all of the OR contents 'file-list' content */ - pmd = otn->ds_list[PLUGIN_PATTERN_MATCH_OR]; - while( pmd ) - { - if(pmd->pattern_buf) - { - pmx = (PMX*)SnortAlloc(sizeof(PMX) ); - pmx->RuleNode = rnWalk; - pmx->PatternMatchData= pmd; - - mpseAddPattern( mpse_obj, pmd->pattern_buf, pmd->pattern_size, - pmd->nocase, /* NoCase: 1-NoCase, 0-Case */ - pmd->offset, - pmd->depth, - (unsigned)pmd->exception_flag, - pmx, //rnWalk, /* rule ptr */ - //(unsigned)pmd, - rnWalk->iRuleNodeID ); + continue; } - - pmd = pmd->next; } -#ifdef DYNAMIC_PLUGIN - /* - ** - ** Add in plugin contents for fast pattern matcher - ** - */ - dd =(DynamicData*) otn->ds_list[PLUGIN_DYNAMIC]; - if( dd ) - { - int n,i; - n = dd->fastPatternContents(dd->contextData,FASTPATTERN_NORMAL,fplist,PLUGIN_MAX_FPLIST_SIZE); - - for(i=0;iRuleNode = rnWalk; - pmx->PatternMatchData= pmd; - - pmd->pattern_buf = fplist[i]->content; - pmd->pattern_size= fplist[i]->length; - pmd->nocase = fplist[i]->noCaseFlag; - pmd->offset = 0; - pmd->depth = 0; - - mpseAddPattern( mpse_obj, - pmd->pattern_buf, - pmd->pattern_size, - pmd->nocase, /* 1--NoCase, 0-Case */ - pmd->offset, - pmd->depth, - (unsigned)pmd->exception_flag, - pmx, - rnWalk->iRuleNodeID ); - - /* Free the bucket */ - free(fplist[i]); - } - } -#endif + if (fpAddPortGroupRule(pg, otn, fp) != 0) + continue; } - /* - ** We don't have PrepLongPatterns here, because we've found that - ** the minimum length for the BM shift is not fulfilled by snort's - ** ruleset. 
We may add this in later, after initial performance - ** has been verified. - */ - - mpsePrepPatterns( mpse_obj, pmx_create_tree, add_patrn_to_neg_list ); - if( fp->debug ) mpsePrintInfo( mpse_obj ); + if (fpFinishPortGroup(pg, fp) != 0) + return; + + /* Add the port_group using it's service name */ + sfghash_add(p, srvc, pg); } /* -** -** NAME -** BuildMultiPatternGroups:: -** -** DESCRIPTION -** This is the main function that sets up all the -** port groups for a given PORT_RULE_MAP. We iterate -** through the dst and src ports building up port groups -** where possible, and then build the generic set. -** -** FORMAL INPUTS -** PORT_RULE_MAP * - the port rule map to build -** -** FORMAL OUTPUTS -** None -** -*/ -static void BuildMultiPatternGroups(PORT_RULE_MAP *prm, FastPatternConfig *fp) + * For each service we create a PORT_GROUP based on the otn's defined to + * be applicable to that service by the metadata option. + * + * Than we lookup the protocol/srvc oridinal in the target-based area + * and assign the PORT_GROUP for the srvc to it. 
+ * + * spg - service port group (lookup should be by service id/tag) + * - this table maintains a port_group ptr for each service + * srm - service rule map table (lookup by ascii service name) + * - this table maintains a sf_list ptr (list of rule otns) for each service + * + */ +void fpBuildServicePortGroups(SFGHASH *spg, PORT_GROUP **sopg, SFGHASH *srm, FastPatternConfig *fp) { - int i; + SFGHASH_NODE * n; + char * srvc; + SF_LIST * list; PORT_GROUP * pg; - - for(i=0;idebug) - LogMessage("---SrcRuleGroup-Port %d\n",i); - BuildMultiPatGroup(pg, fp); + list = (SF_LIST *)n->data; + if(!list)continue; - if (fp->debug) - LogMessage("---SrcRuleGroup-UriPort %d\n",i); - BuildMultiPatGroupsUri(pg, fp); - } + srvc = n->key; + if(!srvc)continue; + + fpBuildServicePortGroupByServiceOtnList(spg, srvc, list, fp); - pg = prmFindDstRuleGroup( prm, i ); - if(pg) + /* Add this PORT_GROUP to the protocol-ordinal -> port_group table */ + pg = sfghash_find( spg, srvc ); + if( pg ) { - BuildMultiPatGroup(pg, fp); - if( fpDetect.debug ) - LogMessage("---DstRuleGroup-Port %d\n",i); + int16_t id; + id = FindProtocolReference(srvc); + if(id==SFTARGET_UNKNOWN_PROTOCOL) + { + id = AddProtocolReference(srvc); + if(id <=0 ) + { + FatalError("Could not AddProtocolReference!\n"); + } + if( id >= MAX_PROTOCOL_ORDINAL ) + { + LogMessage("fpBuildServicePortGroups: protocol-ordinal=%d exceeds " + "limit of %d for service=%s\n",id,MAX_PROTOCOL_ORDINAL,srvc); + } + } + else if( id > 0 ) + { + if( id < MAX_PROTOCOL_ORDINAL ) + { + sopg[ id ] = pg; + LogMessage("fpBuildServicePortGroups: adding protocol-ordinal=%d " + "as service=%s\n",id,srvc); + } + else + { + LogMessage("fpBuildServicePortGroups: protocol-ordinal=%d exceeds " + "limit of %d for service=%s\n",id,MAX_PROTOCOL_ORDINAL,srvc); + } + } + else /* id < 0 */ + { + LogMessage("fpBuildServicePortGroups: adding protocol-ordinal=%d for " + "service=%s, can't use that !!!\n",id,srvc); - BuildMultiPatGroupsUri(pg, fp); - if( fpDetect.debug ) - 
LogMessage("---DstRuleGroup-UriPort %d\n",i); + } + } + else + { + LogMessage("*** fpBuildServicePortGroups: failed to create and find a port group for '%s' !!! \n",srvc ); } } - - pg = prm->prmGeneric; - - if (fp->debug ) - LogMessage("---GenericRuleGroup \n"); - BuildMultiPatGroup(pg, fp); - BuildMultiPatGroupsUri(pg, fp); } - /* -** -** NAME -** fpCreateFastPacketDetection:: -** -** DESCRIPTION -** fpCreateFastPacketDetection initializes and creates the whole -** FastPacket detection engine. It reads the list of RTNs and OTNs -** that snort creates on startup, and adds the RTN/OTN pair for a -** rule to the appropriate PORT_GROUP. The routine builds up -** PORT_RULE_MAPs for TCP, UDP, ICMP, and IP. More can easily be -** added if necessary. -** -** After initialization and setup, stats are printed out about the -** different PORT_GROUPS. -** -** FORMAL INPUTS -** None -** -** FORMAL OUTPUTS -** int - 0 is successful, other is failure. -** -*/ -int fpCreateFastPacketDetection(SnortConfig *sc) + * For each proto+dir+service build a PORT_GROUP + */ +static void fpCreateServiceMapPortGroups(SnortConfig *sc) { - RuleListNode *rule; - RuleTreeNode *rtn; - int sport; - int dport; - OptTreeNode * otn; - int iBiDirectional = 0; - - int ip_non_detect_cnt=0; - int icmp_non_detect_cnt=0; - int tcp_non_detect_cnt=0; - int udp_non_detect_cnt=0; - OTNX * otnx; FastPatternConfig *fp = sc->fast_pattern_config; - sc->prmTcpRTNX = prmNewMap(); - if (sc->prmTcpRTNX == NULL) - return 1; + sc->spgmmTable = ServicePortGroupMapNew(); + sc->sopgTable = ServicePortGroupTableNew(); - sc->prmUdpRTNX = prmNewMap(); - if (sc->prmUdpRTNX == NULL) - return 1; + fpBuildServicePortGroups(sc->spgmmTable->tcp_to_srv, sc->sopgTable->tcp_to_srv, + sc->srmmTable->tcp_to_srv, fp); + fpBuildServicePortGroups(sc->spgmmTable->tcp_to_cli, sc->sopgTable->tcp_to_cli, + sc->srmmTable->tcp_to_cli, fp); - sc->prmIpRTNX = prmNewMap(); - if (sc->prmIpRTNX == NULL) - return 1; + 
fpBuildServicePortGroups(sc->spgmmTable->udp_to_srv, sc->sopgTable->udp_to_srv, + sc->srmmTable->udp_to_srv, fp); + fpBuildServicePortGroups(sc->spgmmTable->udp_to_cli, sc->sopgTable->udp_to_cli, + sc->srmmTable->udp_to_cli, fp); - sc->prmIcmpRTNX = prmNewMap(); - if (sc->prmIcmpRTNX == NULL) - return 1; + fpBuildServicePortGroups(sc->spgmmTable->icmp_to_srv, sc->sopgTable->icmp_to_srv, + sc->srmmTable->icmp_to_srv, fp); + fpBuildServicePortGroups(sc->spgmmTable->icmp_to_cli, sc->sopgTable->icmp_to_cli, + sc->srmmTable->icmp_to_cli, fp); - for (rule = sc->rule_lists; rule != NULL; rule = rule->next) - { - if(!rule->RuleList) - continue; + fpBuildServicePortGroups(sc->spgmmTable->ip_to_srv, sc->sopgTable->ip_to_srv, + sc->srmmTable->ip_to_srv, fp); + fpBuildServicePortGroups(sc->spgmmTable->ip_to_cli, sc->sopgTable->ip_to_srv, + sc->srmmTable->ip_to_cli, fp); +} - /* - ** Process TCP signatures - */ - if(rule->RuleList->TcpList) - { - for(rtn = rule->RuleList->TcpList; rtn != NULL; rtn = rtn->right) - { -#ifdef LOCAL_DEBUG - printf("** TCP\n"); - printf("** bidirectional = %s\n", - (rtn->flags & BIDIRECTIONAL) ? 
"YES" : "NO"); - printf("** not sp_flag = %d\n", rtn->not_sp_flag); - printf("** not dp_flag = %d\n", rtn->not_dp_flag); - printf("** hsp = %u\n", rtn->hsp); - printf("** lsp = %u\n", rtn->lsp); - printf("** hdp = %u\n", rtn->hdp); - printf("** ldp = %u\n", rtn->ldp); -#endif - - /* - ** Check for bi-directional rules - */ - if(rtn->flags & BIDIRECTIONAL) - { - iBiDirectional = 1; - }else{ - iBiDirectional = 0; - } +PORT_GROUP * fpGetServicePortGroupByOrdinal(sopg_table_t *sopg, int proto, int dir, int16_t proto_ordinal) +{ + //SFGHASH_NODE * n; + PORT_GROUP *pg = NULL; + if (proto_ordinal >= MAX_PROTOCOL_ORDINAL) + return NULL; - sport = CheckPorts(rtn->hsp, rtn->lsp); + if (sopg == NULL) + return NULL; - if( rtn->flags & ANY_SRC_PORT ) sport = -1; + switch (proto) + { + case IPPROTO_TCP: + if (dir == TO_SERVER) + pg = sopg->tcp_to_srv[proto_ordinal]; + else + pg = sopg->tcp_to_cli[proto_ordinal]; - if( sport > 0 && rtn->not_sp_flag > 0 ) - { - sport = -1; - } + break; - dport = CheckPorts(rtn->hdp, rtn->ldp); + case IPPROTO_UDP: + if (dir == TO_SERVER) + pg = sopg->udp_to_srv[proto_ordinal]; + else + pg = sopg->udp_to_cli[proto_ordinal]; - if( rtn->flags & ANY_DST_PORT ) dport = -1; + break; - if( dport > 0 && rtn->not_dp_flag > 0 ) - { - dport = -1; - } + case IPPROTO_ICMP: + if (dir == TO_SERVER) + pg = sopg->icmp_to_srv[proto_ordinal]; + else + pg = sopg->icmp_to_cli[proto_ordinal]; - /* Walk OTN list -Add as Content/UriContent, or NoContent */ - for( otn = rtn->down; otn; otn=otn->next ) - { - /* skip preprocessor and decode event */ - if( otn->sigInfo.rule_type != SI_RULE_TYPE_DETECT ) - { - tcp_non_detect_cnt++; - continue; - } - - /* Not enabled, don't do the FP content */ - if (otn->rule_state != RULE_STATE_ENABLED) - { - continue; - } + break; - otnx = SnortAlloc( sizeof(OTNX) ); + case ETHERNET_TYPE_IP: + if (dir == TO_SERVER) + pg = sopg->ip_to_srv[proto_ordinal]; + else + pg = sopg->ip_to_cli[proto_ordinal]; - otnx->otn = otn; - otnx->rtn = rtn; - 
otnx->content_length = 0; + break; - if( OtnHasContent( otn ) ) - { - if (fp->debug) - { - LogMessage("TCP Content-Rule[dst=%d,src=%d] %s\n", - dport,sport,otn->sigInfo.message); - } + default: + break; + } - prmAddRule(sc->prmTcpRTNX, dport, sport, otnx); + return pg; +} - if(iBiDirectional && (sport!=dport)) - { - /* - ** We switch the ports. - */ - prmAddRule(sc->prmTcpRTNX, sport, dport, otnx); - } - } - if( OtnHasUriContent( otn ) ) - { - if (fp->debug) - { - LogMessage("TCP UriContent-Rule[dst=%d,src=%d] %s\n", - dport,sport,otn->sigInfo.message); - } +/* + * Print the rule gid:sid based onm the otn list + */ +void fpPrintRuleList( SF_LIST * list ) +{ + OptTreeNode * otn; - prmAddRuleUri(sc->prmTcpRTNX, dport, sport, otnx); + for( otn=(OptTreeNode*)sflist_first(list); + otn; + otn=(OptTreeNode*)sflist_next(list) ) + { + LogMessage("| %u:%u\n",otn->sigInfo.generator,otn->sigInfo.id); + } +} +static +void fpPrintServiceRuleMapTable( SFGHASH * p, char * msg ) +{ + SFGHASH_NODE * n; - if(iBiDirectional && (sport!=dport) ) - { - /* - ** We switch the ports. - */ - prmAddRuleUri(sc->prmTcpRTNX, sport, dport, otnx); - } - } - if( !OtnHasContent( otn ) && !OtnHasUriContent( otn ) ) - { - if (fp->debug) - { - LogMessage("TCP NoContent-Rule[dst=%d,src=%d] %s\n", - dport,sport,otn->sigInfo.message); - } + if( !p || !p->count ) + return; - prmAddRuleNC(sc->prmTcpRTNX, dport, sport, otnx); + LogMessage("| Protocol [%s] %d services\n",msg,p->count ); + LogMessage("----------------------------------------------------\n"); - if(iBiDirectional && (sport!=dport)) - { - /* - ** We switch the ports. 
- */ - prmAddRuleNC(sc->prmTcpRTNX, sport, dport, otnx); - } - } - } - } - } + for( n = sfghash_findfirst(p); + n; + n = sfghash_findnext(p) ) + { + SF_LIST * list; - /* - ** Process UDP signatures - */ - if(rule->RuleList->UdpList) - { - for(rtn = rule->RuleList->UdpList; rtn != NULL; rtn = rtn->right) - { -#ifdef LOCAL_DEBUG - printf("** UDP\n"); - printf("** bidirectional = %s\n", - (rtn->flags & BIDIRECTIONAL) ? "YES" : "NO"); - printf("** not sp_flag = %d\n", rtn->not_sp_flag); - printf("** not dp_flag = %d\n", rtn->not_dp_flag); - printf("** hsp = %u\n", rtn->hsp); - printf("** lsp = %u\n", rtn->lsp); - printf("** hdp = %u\n", rtn->hdp); - printf("** ldp = %u\n", rtn->ldp); -#endif - - /* - ** Check for bi-directional rules - */ - if(rtn->flags & BIDIRECTIONAL) - { - iBiDirectional = 1; - }else{ - iBiDirectional = 0; - } + list = (SF_LIST*)n->data; + if( !list ) continue; - sport = CheckPorts(rtn->hsp, rtn->lsp); + if( !n->key ) continue; - if( rtn->flags & ANY_SRC_PORT ) sport = -1; + LogMessage("| Service [%s] %d rules, rule list follows as gid:sid.\n", + (char*)n->key, list->count); - if(sport > 0 && rtn->not_sp_flag > 0 ) - { - sport = -1; - } + fpPrintRuleList( list ); + } + LogMessage("----------------------------------------------------\n"); +} + +static void fpPrintServiceRuleMaps(srmm_table_t *service_map) +{ + LogMessage("+---------------------------------------------------\n"); + LogMessage("| Service Rule Maps\n"); + LogMessage("----------------------------------------------------\n"); + fpPrintServiceRuleMapTable( service_map->tcp_to_srv, "tcp to server" ); + fpPrintServiceRuleMapTable( service_map->tcp_to_cli, "tcp to client" ); - dport = CheckPorts(rtn->hdp, rtn->ldp); + fpPrintServiceRuleMapTable( service_map->udp_to_srv, "udp to server" ); + fpPrintServiceRuleMapTable( service_map->udp_to_cli, "udp to client" ); - if( rtn->flags & ANY_DST_PORT ) dport = -1; + fpPrintServiceRuleMapTable( service_map->icmp_to_srv, "icmp to server" ); + 
fpPrintServiceRuleMapTable( service_map->icmp_to_cli, "icmp to client" ); + fpPrintServiceRuleMapTable( service_map->ip_to_srv, "ip to server" ); + fpPrintServiceRuleMapTable( service_map->ip_to_cli, "ip to client" ); +} - if(dport > 0 && rtn->not_dp_flag > 0 ) - { - dport = -1; - } +/* + * + */ +void fpPrintServicePortGroupSummary(srmm_table_t *srvc_pg_map) +{ - /* Walk OTN list -Add as Content, or NoContent */ - for( otn = rtn->down; otn; otn=otn->next ) - { - /* skip preprocessor and decode event */ - if( otn->sigInfo.rule_type != SI_RULE_TYPE_DETECT ) - { - udp_non_detect_cnt++; - continue; - } + LogMessage("+--------------------------------\n"); + LogMessage("| Service-PortGroup Table Summary \n"); + LogMessage("---------------------------------\n"); - /* Not enabled, don't do the FP content */ - if (otn->rule_state != RULE_STATE_ENABLED) - { - continue; - } + if(srvc_pg_map->tcp_to_srv->count) + LogMessage("| tcp to server : %d services\n",srvc_pg_map->tcp_to_srv->count); + if(srvc_pg_map->tcp_to_cli->count) + LogMessage("| tcp to cient : %d services\n",srvc_pg_map->tcp_to_cli->count); - otnx = SnortAlloc( sizeof(OTNX) ); + if(srvc_pg_map->udp_to_srv->count) + LogMessage("| udp to server : %d services\n",srvc_pg_map->udp_to_srv->count); + if(srvc_pg_map->udp_to_cli->count) + LogMessage("| udp to cient : %d services\n",srvc_pg_map->udp_to_cli->count); - otnx->otn = otn; - otnx->rtn = rtn; - otnx->content_length = 0; + if(srvc_pg_map->icmp_to_srv->count) + LogMessage("| icmp to server : %d services\n",srvc_pg_map->icmp_to_srv->count); + if(srvc_pg_map->icmp_to_cli->count) + LogMessage("| icmp to cient : %d services\n",srvc_pg_map->icmp_to_cli->count); - if( OtnHasContent( otn ) ) - { - if (fp->debug) - { - LogMessage("UDP Content-Rule[dst=%d,src=%d] %s\n", - dport,sport,otn->sigInfo.message); - } + if(srvc_pg_map->ip_to_srv->count) + LogMessage("| ip to server : %d services\n",srvc_pg_map->ip_to_srv->count); + if(srvc_pg_map->ip_to_cli->count) + LogMessage("| 
ip to cient : %d services\n",srvc_pg_map->ip_to_cli->count); + LogMessage("---------------------------------\n"); +} - prmAddRule(sc->prmUdpRTNX, dport, sport, otnx); +/* + * Build Service based PORT_GROUPs using the rules + * metadata option service parameter. + */ +static int fpCreateServicePortGroups(SnortConfig *sc) +{ + FastPatternConfig *fp = sc->fast_pattern_config; - /* - ** If rule is bi-directional we switch - ** the ports. - */ - if(iBiDirectional && (sport!=dport)) - { - prmAddRule(sc->prmUdpRTNX, sport, dport, otnx); - } - } - else - { - if (fp->debug) - { - LogMessage("UDP NoContent-Rule[dst=%d,src=%d] %s\n", - dport,sport,otn->sigInfo.message); - } + sc->srmmTable = ServiceMapNew(); - prmAddRuleNC(sc->prmUdpRTNX, dport, sport, otnx); + if (fpCreateServiceMaps(sc)) + return -1; - /* - ** If rule is bi-directional we switch - ** the ports. - */ - if(iBiDirectional && (dport != sport) ) - { - prmAddRuleNC(sc->prmUdpRTNX, sport, dport, otnx); - } - } - } - } - } + if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) + fpPrintServiceRuleMaps(sc->srmmTable); - /* - ** Process ICMP signatures - */ - if(rule->RuleList->IcmpList) - { - for(rtn = rule->RuleList->IcmpList; rtn != NULL; rtn = rtn->right) - { - /* Walk OTN list -Add as Content, or NoContent */ - for( otn = rtn->down; otn; otn=otn->next ) - { - int type; - IcmpTypeCheckData * IcmpType; + fpCreateServiceMapPortGroups(sc); - /* skip preprocessor and decode event */ - if( otn->sigInfo.rule_type != SI_RULE_TYPE_DETECT ) - { - icmp_non_detect_cnt++; - continue; - } - /* Not enabled, don't do the FP content */ - if (otn->rule_state != RULE_STATE_ENABLED) - { - continue; - } - otnx = SnortAlloc( sizeof(OTNX) ); + if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) + fpPrintServicePortGroupSummary(sc->spgmmTable); - otnx->otn = otn; - otnx->rtn = rtn; - otnx->content_length = 0; + //srvcmap_term(); - IcmpType = (IcmpTypeCheckData *)otn->ds_list[PLUGIN_ICMP_TYPE]; - if( IcmpType && (IcmpType->operator == 
ICMP_TYPE_TEST_EQ) ) - { - type = IcmpType->icmp_type; - } - else - { - type = -1; - } + return 0; +} +//TARGET_BASED +#endif - if( OtnHasContent( otn ) ) - { - if (fp->debug) - { - LogMessage("ICMP Type=%d Content-Rule %s\n", - type,otn->sigInfo.message); - } +/* +* Port list version +* +* 7/2007 - man +* +* Build Pattern Groups for 1st pass of content searching using +* multi-pattern search method. +*/ +int fpCreateFastPacketDetection(SnortConfig *sc) +{ + rule_port_tables_t *port_tables; + FastPatternConfig *fp; - prmAddRule(sc->prmIcmpRTNX, type, -1, otnx); - } - else - { - if (fp->debug) - { - LogMessage("ICMP Type=%d NoContent-Rule %s\n", - type,otn->sigInfo.message); - } + /* This is somewhat necessary because of how the detection option trees + * are added via a callback from the pattern matcher */ + snort_conf_for_parsing = sc; - prmAddRuleNC(sc->prmIcmpRTNX, type, -1, otnx); - } - } - } - } + if(!rule_count || (sc == NULL)) + return 0; - /* - ** Process IP signatures - ** - ** NOTE: - ** We may want to revisit this and add IP rules for TCP and - ** UDP into the right port groups using the rule ports, instead - ** of just using the generic port. 
- */ - if(rule->RuleList->IpList) - { - for(rtn = rule->RuleList->IpList; rtn != NULL; rtn = rtn->right) - { - /* Walk OTN list -Add as Content, or NoContent */ - for( otn=rtn->down; otn; otn=otn->next ) - { - int protocol = GetOtnIpProto(otn); + port_tables = sc->port_tables; + fp = sc->fast_pattern_config; - /* skip preprocessor and decode event */ - if( otn->sigInfo.rule_type != SI_RULE_TYPE_DETECT ) - { - ip_non_detect_cnt++; - continue; - } - /* Not enabled, don't do the FP content */ - if (otn->rule_state != RULE_STATE_ENABLED) - { - continue; - } - otnx = SnortAlloc( sizeof(OTNX) ); + if ((port_tables == NULL) || (fp == NULL)) + return 0; - otnx->otn = otn; - otnx->rtn = rtn; - otnx->content_length = 0; +#ifdef INTEL_SOFT_CPM + if (fp->search_method == MPSE_INTEL_CPM) + IntelPmStartInstance(); +#endif - if( OtnHasContent( otn ) ) - { - if (fp->debug) - { - LogMessage("IP Proto=%d Content-Rule %s\n", - protocol,otn->sigInfo.message); - } + /* Use PortObjects to create PORT_GROUPs */ + if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) + LogMessage("Creating Port Groups....\n"); - prmAddRule(sc->prmIpRTNX, protocol, -1, otnx); + if (fpCreatePortGroups(sc, port_tables)) + FatalError("Could not create PortGroup objects for PortObjects\n"); - if(protocol == IPPROTO_TCP || protocol == -1) - { - prmAddRule(sc->prmTcpRTNX, -1, -1, otnx); - } - - if(protocol == IPPROTO_UDP || protocol == -1) - { - prmAddRule(sc->prmUdpRTNX, -1, -1, otnx); - } + if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) + LogMessage("Port Groups Done....\n"); - if(protocol == IPPROTO_ICMP || protocol == -1) - { - prmAddRule(sc->prmIcmpRTNX, -1, -1, otnx); - } - } - else - { - if (fp->debug) - { - LogMessage("IP Proto=%d NoContent-Rule %s\n", - protocol,otn->sigInfo.message); - } + /* Create rule_maps */ + if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) + LogMessage("Creating Rule Maps....\n"); - prmAddRuleNC(sc->prmIpRTNX, protocol, -1, otnx); + if (fpCreateRuleMaps(sc, port_tables)) + 
FatalError("Could not create rule maps\n"); - if(protocol == IPPROTO_TCP || protocol == -1) - { - prmAddRuleNC(sc->prmTcpRTNX, -1, -1, otnx); - } - - if(protocol == IPPROTO_UDP || protocol == -1) - { - prmAddRuleNC(sc->prmUdpRTNX, -1, -1, otnx); - } + if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) + LogMessage("Rule Maps Done....\n"); - if(protocol == IPPROTO_ICMP || protocol == -1) - { - prmAddRuleNC(sc->prmIcmpRTNX, -1, -1, otnx); - } - } - } - } - } +#ifndef TARGET_BASED + LogMessage("\n"); + LogMessage("[ Port Based Pattern Matching Memory ]\n" ); + mpsePrintSummary(fp->search_method); + if (fp->max_pattern_len != 0) + { + LogMessage("[ Number of patterns truncated to %d bytes: %d ]\n", + fp->max_pattern_len, fp->num_patterns_truncated); + } + if (fp->num_patterns_trimmed != 0) + { + LogMessage("[ Number of null byte prefixed patterns trimmed: %d ]\n", + fp->num_patterns_trimmed); } +#else + if (IsAdaptiveConfigured(getParserPolicy(), 1) + || fpDetectGetDebugPrintFastPatterns(fp)) + { + if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) + LogMessage("Creating Service Based Rule Maps....\n"); - prmCompileGroups(sc->prmTcpRTNX); - prmCompileGroups(sc->prmUdpRTNX); - prmCompileGroups(sc->prmIcmpRTNX); - prmCompileGroups(sc->prmIpRTNX); - - BuildMultiPatternGroups(sc->prmTcpRTNX, fp); - BuildMultiPatternGroups(sc->prmUdpRTNX, fp); - BuildMultiPatternGroups(sc->prmIcmpRTNX, fp); - BuildMultiPatternGroups(sc->prmIpRTNX, fp); + /* Build Service based port groups - rules require service metdata + * i.e. 'metatdata: service [=] service-name, ... ;' + * + * Also requires a service attribute for lookup ... 
+ */ + if (fpCreateServicePortGroups(sc)) + FatalError("Could not create service based port groups\n"); - LogMessage("Preprocessor/Decoder Rule Count: %d\n", - ip_non_detect_cnt+icmp_non_detect_cnt+tcp_non_detect_cnt+udp_non_detect_cnt); + if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) + LogMessage("Service Based Rule Maps Done....\n"); - if (fp->debug) - { - LogMessage("\n"); - LogMessage("** TCP Rule Group Stats -- "); - prmShowStats(sc->prmTcpRTNX); - - LogMessage("\n"); - LogMessage("** UDP Rule Group Stats -- "); - prmShowStats(sc->prmUdpRTNX); - LogMessage("\n"); - LogMessage("** ICMP Rule Group Stats -- "); - prmShowStats(sc->prmIcmpRTNX); - + LogMessage("[ Port and Service Based Pattern Matching Memory ]\n" ); + } + else + { LogMessage("\n"); - LogMessage("** IP Rule Group Stats -- "); - prmShowStats(sc->prmIpRTNX); + LogMessage("[ Port Based Pattern Matching Memory ]\n" ); + } + + mpsePrintSummary(fp->search_method); + if (fp->max_pattern_len != 0) + { + LogMessage("[ Number of patterns truncated to %d bytes: %d ]\n", + fp->max_pattern_len, fp->num_patterns_truncated); + } + if (fp->num_patterns_trimmed != 0) + { + LogMessage("[ Number of null byte prefixed patterns trimmed: %d ]\n", + fp->num_patterns_trimmed); } +#endif + +#ifdef INTEL_SOFT_CPM + if (fp->search_method == MPSE_INTEL_CPM) + IntelPmCompile(); +#endif + + snort_conf_for_parsing = NULL; return 0; } + +void fpDeleteFastPacketDetection(SnortConfig *sc) +{ + if (sc == NULL) + return; + + /* Cleanup the detection option tree */ + DetectionHashTableFree(sc->detection_option_hash_table); + DetectionTreeHashTableFree(sc->detection_option_tree_hash_table); + + fpFreeRuleMaps(sc); + +#ifdef TARGET_BASED + ServiceMapFree(sc->srmmTable); + ServicePortGroupMapFree(sc->spgmmTable); + if (sc->sopgTable != NULL) + free(sc->sopgTable); #endif +} + /* ** Wrapper for prmShowEventStats */ 
@@ -3966,3 +3341,123 @@ if (ip_protos[i]) ip_proto_array[i] = 1; } +const char * PatternRawToContent(const char *pattern, int pattern_len) +{ + static char content_buf[1024]; + int max_write_size = sizeof(content_buf) - 64; + int i, j = 0; + int hex = 0; + + if ((pattern == NULL) || (pattern_len <= 0)) + return ""; + + content_buf[j++] = '"'; + + for (i = 0; i < pattern_len; i++) + { + uint8_t c = (uint8_t)pattern[i]; + + if ((c < 128) && isprint(c) && !isspace(c) + && (c != '|') && (c != '"') && (c != ';')) + { + if (hex) + { + content_buf[j-1] = '|'; + hex = 0; + } + + content_buf[j++] = c; + } + else + { + uint8_t up4, lo4; + + if (!hex) + { + content_buf[j++] = '|'; + hex = 1; + } + + up4 = c >> 4; + lo4 = c & 0x0f; + + if (up4 > 0x09) up4 += ('A' - 0x0a); + else up4 += '0'; + + if (lo4 > 0x09) lo4 += ('A' - 0x0a); + else lo4 += '0'; + + content_buf[j++] = up4; + content_buf[j++] = lo4; + content_buf[j++] = ' '; + } + + if (j > max_write_size) + break; + } + + if (j > max_write_size) + { + content_buf[j] = 0; + SnortSnprintfAppend(content_buf, sizeof(content_buf), + " ... \" (pattern too large)"); + } + else + { + if (hex) + content_buf[j-1] = '|'; + + content_buf[j++] = '"'; + content_buf[j] = 0; + } + + return content_buf; +} + +static void PrintFastPatternInfo(OptTreeNode *otn, PatternMatchData *pmd, + const char *pattern, int pattern_length, PmType pm_type) +{ + if ((otn == NULL) || (pmd == NULL)) + return; + + LogMessage("%u:%u\n", otn->sigInfo.generator, otn->sigInfo.id); + LogMessage(" Fast pattern matcher: %s\n", pm_type_strings[pm_type]); + LogMessage(" Fast pattern set: %s\n", pmd->fp ? "yes" : "no"); + LogMessage(" Fast pattern only: %s\n", pmd->fp_only ? "yes" : "no"); + LogMessage(" Negated: %s\n", pmd->exception_flag ? 
"yes" : "no"); + + /* Fast pattern only patterns don't use offset and length */ + if ((pmd->fp_length != 0) && !pmd->fp_only) + { + LogMessage(" Pattern : %d,%d\n", + pmd->fp_offset, pmd->fp_length); + LogMessage(" %s\n", + PatternRawToContent(pmd->pattern_buf + pmd->fp_offset, + pmd->fp_length)); + } + else + { + LogMessage(" Pattern offset,length: none\n"); + } + + /* Fast pattern only patterns don't get truncated */ + if (!pmd->fp_only + && (((pmd->fp_length != 0) && (pmd->fp_length > pattern_length)) + || ((pmd->fp_length == 0) && ((int)pmd->pattern_size > pattern_length)))) + { + LogMessage(" Pattern truncated: %d to %d bytes\n", + pmd->fp_length ? pmd->fp_length : pmd->pattern_size, + pattern_length); + } + else + { + LogMessage(" Pattern truncated: no\n"); + } + + LogMessage(" Original pattern\n"); + LogMessage(" %s\n", + PatternRawToContent(pmd->pattern_buf,pmd->pattern_size)); + + LogMessage(" Final pattern\n"); + LogMessage(" %s\n", PatternRawToContent(pattern, pattern_length)); +} diff -Nru snort-2.8.5.2/src/fpcreate.h snort-2.9.2/src/fpcreate.h --- snort-2.8.5.2/src/fpcreate.h 2009-05-06 22:28:12.000000000 +0000 +++ snort-2.9.2/src/fpcreate.h 2011-02-09 23:22:48.000000000 +0000 @@ -3,7 +3,7 @@ ** ** fpcreate.h ** -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Dan Roelker ** Marc Norton ** @@ -37,6 +37,7 @@ #endif #include "rules.h" +#include "treenodes.h" //#include "parser.h" #include "pcrm.h" @@ -107,9 +108,14 @@ int search_method_verbose; int debug; unsigned int max_queue_events; -//PORTLISTS unsigned int bleedover_port_limit; + int configured; int portlists_flags; + int split_any_any; + int max_pattern_len; + int num_patterns_truncated; /* due to max_pattern_len */ + int num_patterns_trimmed; /* due to zero byte prefix */ + int debug_print_fast_pattern; } FastPatternConfig; 
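Review bot: PatternRawToContent returns a pointer into the function-static `content_buf`, so the result is only valid until the next call and the function is not reentrant; PrintFastPatternInfo is safe because each result goes into its own LogMessage, but two calls used as arguments of one LogMessage would print the same text twice. The declaration added to fpcreate.h in the `@@ -227,4 +231,6 @@` hunk should say so: `/* Returns a pointer to a static buffer that is overwritten by the next call; not thread-safe. */`. The bound logic is also worth a comment, since the loop may write up to three bytes past `max_write_size` before the `break` and the 64-byte reserve is what keeps the later SnortSnprintfAppend in bounds, e.g. `/* reserve room for the 3-byte hex overrun and the " ... \" (pattern too large)" suffix */` next to the `max_write_size` initializer. `max_write_size` is an `int` holding a `sizeof` result; `size_t` would match `j` if `j` were made `size_t` as well.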
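Review bot: `max_pattern_len` is declared `int` in FastPatternConfig, but the setter added in the `@@ -187,6 +190,8 @@` hunk is `void fpSetMaxPatternLen(FastPatternConfig *, unsigned int);`, so the value is narrowed from unsigned to signed on assignment and later compared against `int` pattern lengths in PrintFastPatternInfo; either make the field `unsigned int` like the neighbouring `bleedover_port_limit`, or document the accepted range on the field. The new `configured`, `split_any_any` and `debug_print_fast_pattern` fields carry no comment while `num_patterns_truncated` and `num_patterns_trimmed` do; a short note such as `int split_any_any; /* boolean, set via fpDetectSetSplitAnyAny() */` on each would keep the struct self-describing.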
@@ -164,13 +170,10 @@ ** engine. It reads in the snort list of RTNs and OTNs and ** assigns them to PORT_MAPS. */ -#ifdef PORTLISTS int fpCreateFastPacketDetection(struct _SnortConfig *); -#else -int fpCreateFastPacketDetection(RuleListNode *); -#endif FastPatternConfig * FastPatternConfigNew(void); +void fpSetDefaults(FastPatternConfig *); void FastPatternConfigFree(FastPatternConfig *); /* @@ -187,6 +190,8 @@ void fpSetDebugMode(FastPatternConfig *); void fpSetStreamInsert(FastPatternConfig *); void fpSetMaxQueueEvents(FastPatternConfig *, unsigned int); +void fpDetectSetSplitAnyAny(FastPatternConfig *, int); +void fpSetMaxPatternLen(FastPatternConfig *, unsigned int); void fpDetectSetSingleRuleGroup(FastPatternConfig *); void fpDetectSetBleedOverPortLimit(FastPatternConfig *, unsigned int); @@ -195,6 +200,7 @@ void fpDetectSetDebugPrintRuleGroupBuildDetails(FastPatternConfig *); void fpDetectSetDebugPrintRuleGroupsCompiled(FastPatternConfig *); void fpDetectSetDebugPrintRuleGroupsUnCompiled(FastPatternConfig *); +void fpDetectSetDebugPrintFastPatterns(FastPatternConfig *, int); int fpDetectGetSingleRuleGroup(FastPatternConfig *); int fpDetectGetBleedOverPortLimit(FastPatternConfig *); @@ -203,17 +209,15 @@ int fpDetectGetDebugPrintRuleGroupBuildDetails(FastPatternConfig *); int fpDetectGetDebugPrintRuleGroupsCompiled(FastPatternConfig *); int fpDetectGetDebugPrintRuleGroupsUnCompiled(FastPatternConfig *); +int fpDetectSplitAnyAny(FastPatternConfig *); +int fpDetectGetDebugPrintFastPatterns(FastPatternConfig *); void fpDeleteFastPacketDetection(struct _SnortConfig *); void free_detection_option_tree(detection_option_tree_node_t *node); -#ifdef PORTLISTS -int OtnHasContent( OptTreeNode * p ); -int OtnHasUriContent( OptTreeNode * p ); int OtnFlowDir( OptTreeNode * p ); -# ifdef TARGET_BASED +#ifdef TARGET_BASED PORT_GROUP * fpGetServicePortGroupByOrdinal(sopg_table_t *, int, int, int16_t); -# endif #endif /* 
@@ -227,4 +231,6 @@ void fpDynamicDataFree(void *); #endif -#endif +const char * PatternRawToContent(const char *pattern, int pattern_len); + +#endif /* __FPCREATE_H__ */ diff -Nru snort-2.8.5.2/src/fpdetect.c snort-2.9.2/src/fpdetect.c --- snort-2.8.5.2/src/fpdetect.c 2009-08-10 20:41:39.000000000 +0000 +++ snort-2.9.2/src/fpdetect.c 2011-10-26 18:28:52.000000000 +0000 @@ -3,7 +3,7 @@ ** ** fpdetect.c ** -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Author(s): Dan Roelker ** Marc Norton ** Andrew R. Baker @@ -36,12 +36,17 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ** */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "snort.h" #include "detect.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "tag.h" #include "rules.h" +#include "treenodes.h" #include "pcrm.h" #include "fpcreate.h" #include "fpdetect.h" @@ -51,7 +56,7 @@ #include "sfthreshold.h" #include "rate_filter.h" #include "event_queue.h" -#include "inline.h" +#include "active.h" #include "sp_pattern_match.h" #include "spp_frag3.h" @@ -64,16 +69,16 @@ #include "ppm.h" #include "sfPolicy.h" #include "generators.h" +#include "detection_util.h" /* ** This define enables set-wise signature detection for ** IP and ICMP packets. During early testing, the old -** method of detection seemed faster for ICMP and IP +** method of detection seemed faster for ICMP and IP ** signatures, but with modifications to the set-wise engine ** performance became much better. This define could be ** taken out, but is still in for regression testing. */ -#define FPSW /* ** GLOBALS 
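Review bot: The comment block directly above the removed `#define FPSW` still says the define "could be taken out, but is still in for regression testing", which is now a stale explanation for a macro that no longer exists; the matching `#ifndef FPSW` guard around the fpEvalHeader prototype is dropped in the `@@ -86,39 +91,25 @@` hunk. Either delete that paragraph or rewrite it to describe the current state, e.g. `/* Set-wise signature detection is used for all protocols, including IP and ICMP; the former FPSW switch has been removed. */`.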
@@ -86,39 +91,25 @@ ** Assorted global variables from the old detection engine ** for backwards compatibility. */ -extern uint16_t event_id; -extern char check_tags_flag; extern OptTreeNode *otn_tmp; -extern uint8_t DecodeBuffer[DECODE_BLEN]; extern SFEVENT sfEvent; -/* XXX it is not a good idea to allocate memory here */ -extern HttpUri UriBufs[URI_COUNT]; /* decode.c */ - -extern SnortConfig *snort_conf; - /* ** Static function prototypes */ int fpEvalRTN(RuleTreeNode *rtn, Packet *p, int check_ports); -#ifndef FPSW -static INLINE int fpEvalHeader(PORT_GROUP *port_group, Packet *p, - int check_ports); -#endif -static INLINE int fpEvalHeaderIp(Packet *p, int ip_proto, OTNX_MATCH_DATA *); -static INLINE int fpEvalHeaderIcmp(Packet *p, OTNX_MATCH_DATA *); -static INLINE int fpEvalHeaderTcp(Packet *p, OTNX_MATCH_DATA *); -static INLINE int fpEvalHeaderUdp(Packet *p, OTNX_MATCH_DATA *); -static INLINE int fpEvalHeaderSW(PORT_GROUP *port_group, Packet *p, +static inline int fpEvalHeaderIp(Packet *p, int ip_proto, OTNX_MATCH_DATA *); +static inline int fpEvalHeaderIcmp(Packet *p, OTNX_MATCH_DATA *); +static inline int fpEvalHeaderTcp(Packet *p, OTNX_MATCH_DATA *); +static inline int fpEvalHeaderUdp(Packet *p, OTNX_MATCH_DATA *); +static inline int fpEvalHeaderSW(PORT_GROUP *port_group, Packet *p, int check_ports, char ip_rule, OTNX_MATCH_DATA *); static int rule_tree_match (void* id, void * tree, int index, void * data, void *neg_list ); int fpAddMatch( OTNX_MATCH_DATA *omd_local, OTNX *otnx, int pLen, OptTreeNode *otn); -static INLINE int fpAddSessionAlert(Packet *p, OptTreeNode *otn); -static INLINE int fpSessionAlerted(Packet *p, OptTreeNode *otn); - -//static INLINE int fpLogEvent(RuleTreeNode *rtn, OptTreeNode *otn, Packet *p); +static inline int fpAddSessionAlert(Packet *p, OptTreeNode *otn, int alerted); +static inline int fpSessionAlerted(Packet *p, OptTreeNode *otn); -extern const uint8_t *doe_ptr; +//static inline int fpLogEvent(RuleTreeNode *rtn, OptTreeNode 
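Review bot: The `extern uint16_t event_id;` declaration is removed here, yet `event_id++` is still executed in fpLogEvent (see the `@@ -285,8 +320,6 @@` hunk), so the name must now come from one of the newly included headers, which this diff does not show; worth confirming it is declared in a header rather than left to an implicit declaration elsewhere. The same check applies to `snort_conf`, whose `extern` is also dropped. The prototype rename from `INLINE` to `inline` is consistent across the hunk.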
*otn, Packet *p); #ifdef PERF_PROFILING PreprocStats rulePerfStats; @@ -138,6 +129,36 @@ return omd; } +/* +** +** NAME +** InitMatchInfo:: +** +** DESCRIPTION +** Initialize the OTNX_MATCH_DATA structure. We do this for +** every packet so calloc is not used as this would zero the +** whole space and this only sets the necessary counters to +** zero, and saves us time. +** +** FORMAL INPUTS +** OTNX_MATCH_DATA * - pointer to structure to init. +** +** FORMAL OUTPUT +** None +** +*/ +static inline void InitMatchInfo(OTNX_MATCH_DATA *o) +{ + int i = 0; + + for(i = 0; i < o->iMatchInfoArraySize; i++) + { + o->matchInfo[i].iMatchCount = 0; + o->matchInfo[i].iMatchIndex = 0; + o->matchInfo[i].iMatchMaxLen = 0; + } +} + void OtnxMatchDataFree(OTNX_MATCH_DATA *omd) { if (omd == NULL) @@ -149,6 +170,18 @@ free(omd); } +// called by fpLogEvent(), which does the filtering etc. +// this handles the non-rule-actions (responses). +static inline void fpLogOther (Packet* p, OptTreeNode* otn, int action) +{ + TriggerResponses(p, otn); + + if ( !EventTrace_IsEnabled() ) + return; + + EventTrace_Log(p, otn, action); +} + /* ** ** NAME @@ -156,7 +189,7 @@ ** ** DESCRIPTION ** This function takes the corresponding RTN and OTN for a snort rule -** and logs the event and packet that was alerted upon. This +** and logs the event and packet that was alerted upon. This ** function was pulled out of fpEvalSomething, so now we can log an ** event no matter where we are. ** @@ -174,10 +207,14 @@ { return 1; } - + DEBUG_WRAP(DebugMessage(DEBUG_DETECT, - " => Got rule match, rtn type = %d\n", - rtn->type);); + " => Got rule match, rtn type = %d, evalIndex = %d, passIndex = %d\n", + rtn->type,ScGetEvalIndex(rtn->type), ScGetEvalIndex(RULE_TYPE__PASS));); + if (RULE_TYPE__PASS == rtn->type) + { + p->packet_flags |= PKT_PASS_RULE; + } if ( otn->stateless ) { 
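Review bot: `if (RULE_TYPE__PASS == rtn->type)` uses a reversed-operand comparison while the rest of fpLogEvent writes `rtn->type == RULE_TYPE__DROP`; keep one form, `if (rtn->type == RULE_TYPE__PASS)`. The flag is also set before the stateless/rebuilt-stream checks that follow, so a pass rule whose match is filtered later still marks the packet as passed; if that is intended (the `PKT_PASS_RULE` test in the `@@ -255,27 +286,31 @@` hunk suggests it is), a comment such as `/* mark the packet passed even if this match is filtered below */` would make it explicit. fpLogEvent's body starts and continues outside the hunk.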
@@ -197,21 +234,15 @@ (!(p->packet_flags & PKT_REBUILT_STREAM)) && (otn->stateless == 0)) { - /* - ** If InlineMode is on, then we still want to drop packets - ** that are drop rules. We just don't want to see the alert. - */ - if (ScInlineMode()) + // We still want to drop packets that are drop rules. + // We just don't want to see the alert. + if ( (rtn->type == RULE_TYPE__DROP) || + (rtn->type == RULE_TYPE__SDROP) || + (rtn->type == RULE_TYPE__REJECT) ) { - if ((rtn->type == RULE_TYPE__DROP) -#ifdef GIDS - || (rtn->type == RULE_TYPE__SDROP) -#endif - ) - { - InlineDrop(p); - } + Active_DropSession(); } + fpLogOther(p, otn, rtn->type); return 1; } 
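Review bot: The new branch calls `Active_DropSession();` for DROP/SDROP/REJECT without the former `ScInlineMode()` guard; presumably Active_DropSession() is a no-op in passive mode, but nothing in the hunk shows that, so a comment such as `// Active_DropSession() only takes effect when running inline` would tell the next reader why the mode check could go. REJECT is also treated exactly like DROP here; if the reject response is now expected from TriggerResponses() via the added `fpLogOther(p, otn, rtn->type);`, note that on the same line. The enclosing function starts before and ends after the hunk.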
@@ -255,27 +286,31 @@ ** If InlineMode is on, then we still want to drop packets ** that are drop rules. We just don't want to see the alert. */ - if (ScInlineMode()) + if ( (action == RULE_TYPE__DROP) || + (action == RULE_TYPE__SDROP) || + (action == RULE_TYPE__REJECT) ) { - if ((action == RULE_TYPE__DROP) -#ifdef GIDS - || (action == RULE_TYPE__SDROP) -#endif - ) - { - InlineDrop(p); - } + Active_DropSession(); } - return 1; /* Don't log it ! */ + pc.event_limit++; + fpLogOther(p, otn, action); + return 1; } - - /* - ** Set the ref_time to 0 so we make the logging work right. - */ - otn->event_data.ref_time.tv_sec = 0; - /* - ** Set otn_tmp because log.c uses it to log details + /* If this packet has been passed based on detection rules, + * check the decoder/preprocessor events (they have been added to Event queue already). + * If its order is lower than 'pass', it should have been passed. + * This is consistent with other detection rules */ + if ( (p->packet_flags & PKT_PASS_RULE) + &&(ScGetEvalIndex(rtn->type) > ScGetEvalIndex(RULE_TYPE__PASS))) + { + fpLogOther(p, otn, rtn->type); + return 1; + } + // Set the ref_time to 0 so we make the logging work right. + otn->event_data.ref_time.tv_sec = 0; + + /* Set otn_tmp because log.c uses it to log details ** of the event. Maybe we should look into making this ** part of the log routines and not a global variable. ** This way we could support multiple events per packet. @@ -285,8 +320,6 @@ event_id++; - TriggerResponses(p, otn); - switch (action) { case RULE_TYPE__PASS: 
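Review bot: The retained comment above the new condition (`** If InlineMode is on, then we still want to drop packets`) is now stale, since the `ScInlineMode()` test it describes was removed and the drop depends only on `action`; reword it to `** Drop rules still drop the packet even though the alert is suppressed.`. The added PKT_PASS_RULE check compares `ScGetEvalIndex(rtn->type)` while the block above it and the switch below use `action`; if `action` can differ from `rtn->type`, the two precedence decisions may disagree, so either use `action` in both or add a comment saying why `rtn->type` is correct here. That check's comment also says it inspects "decoder/preprocessor events", but the code inspects the current rule's type; tighten it to say that rules ordered after pass are suppressed once a pass rule has matched this packet. The enclosing function starts before and ends after the hunk.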
@@ -295,84 +328,50 @@ case RULE_TYPE__ACTIVATE: ActivateAction(p, otn, &otn->event_data); + SetTags(p, otn, event_id); break; case RULE_TYPE__ALERT: AlertAction(p, otn, &otn->event_data); + SetTags(p, otn, event_id); break; case RULE_TYPE__DYNAMIC: DynamicAction(p, otn, &otn->event_data); + SetTags(p, otn, event_id); break; case RULE_TYPE__LOG: LogAction(p, otn, &otn->event_data); + SetTags(p, otn, event_id); break; case RULE_TYPE__DROP: DropAction(p, otn, &otn->event_data); + SetTags(p, otn, event_id); break; -#ifdef GIDS case RULE_TYPE__SDROP: SDropAction(p, otn, &otn->event_data); break; case RULE_TYPE__REJECT: - RejectAction(p, otn, &otn->event_data); + DropAction(p, otn, &otn->event_data); + SetTags(p, otn, event_id); break; -#endif /* GIDS */ default: break; } - SetTags(p, otn, event_id); - - if ( action != RULE_TYPE__PASS ) - { - check_tags_flag = 0; - } - - p->packet_flags &= ~PKT_INLINE_DROP; otn_tmp = NULL; - + fpLogOther(p, otn, action); return 0; } /* ** ** NAME -** InitMatchInfo:: -** -** DESCRIPTION -** Initialize the OTNX_MATCH_DATA structure. We do this for -** every packet so calloc is not used as this would zero the -** whole space and this only sets the necessary counters to -** zero, and saves us time. -** -** FORMAL INPUTS -** OTNX_MATCH_DATA * - pointer to structure to init. -** -** FORMAL OUTPUT -** None -** -*/ -static INLINE void InitMatchInfo(OTNX_MATCH_DATA *o) -{ - int i = 0; - - for(i = 0; i < o->iMatchInfoArraySize; i++) - { - o->matchInfo[i].iMatchCount = 0; - o->matchInfo[i].iMatchIndex = 0; - o->matchInfo[i].iMatchMaxLen = 0; - } -} - -/* -** -** NAME ** fpAddMatch:: ** ** DESCRIPTION 
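Review bot: `SetTags(p, otn, event_id);` was previously called once after the switch for every action and is now repeated per case but omitted for RULE_TYPE__PASS and RULE_TYPE__SDROP; the SDROP omission looks deliberate but is undocumented, so add `/* silent drop: intentionally not tagged */` to that case, or hoist the call back below the switch behind an explicit `if (action != RULE_TYPE__PASS && action != RULE_TYPE__SDROP)`. The REJECT case now calls `DropAction()` in place of `RejectAction()`; if the reset/response is expected to come from TriggerResponses() through the trailing `fpLogOther(p, otn, action);`, say so at the case. The dropped `check_tags_flag = 0` reset is likewise unexplained in the hunk. The enclosing function starts before the hunk.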
@@ -384,7 +383,7 @@ ** IMPORTANT NOTE: ** fpAddMatch must be called even when the queue has been maxed ** out. This is because there are three different queues (alert, -** pass, log) and unless all three are filled (or at least the +** pass, log) and unless all three are filled (or at least the ** queue that is in the highest priority), events must be looked ** at to see if they are members of a queue that is not maxed out. ** @@ -407,24 +406,26 @@ RuleTreeNode *rtn = getRuntimeRtnFromOtn(otn); evalIndex = rtn->listhead->ruleListNode->evalIndex; - + /* bounds check index */ if( evalIndex >= omd_local->iMatchInfoArraySize ) + { + pc.match_limit++; return 1; - + } pmi = &omd_local->matchInfo[evalIndex]; /* ** If we hit the max number of unique events for any rule type alert, ** log or pass, then we don't add it to the list. */ - if( pmi->iMatchCount >= (int)snort_conf->fast_pattern_config->max_queue_events || + if( pmi->iMatchCount >= (int)snort_conf->fast_pattern_config->max_queue_events || pmi->iMatchCount >= MAX_EVENT_MATCH) { + pc.match_limit++; return 1; } -//ifdef PORTLISTS /* Check that we are not storing the same otn again */ for( i=0; i< pmi->iMatchCount;i++ ) { @@ -434,7 +435,6 @@ return 0; } } -//endif /* ** Add the event to the appropriate list @@ -462,7 +462,7 @@ } pmi->iMatchCount++; - + return 0; } @@ -496,22 +496,8 @@ return 0; } -#ifdef PORTLISTS /* TODO: maybe add a port test here ... */ -#else - /* - ** This used to be a speed improvement. Might still be. - */ - if(check_ports) - { - if(!(rtn->flags & EXCEPT_DST_PORT) && !(rtn->flags & BIDIRECTIONAL) && - (p->dp < rtn->ldp)) - { - PREPROC_PROFILE_END(ruleRTNEvalPerfStats); - return 0; - } - } -#endif + if (rtn->type == RULE_TYPE__DYNAMIC) { if (!snort_conf->active_dynamic_nodes) 
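Review bot: In `@@ -407,24 +406,26 @@` `pc.match_limit++` is incremented both when `evalIndex` is out of range of `iMatchInfoArraySize` and when the per-type queue is full, so the counter can no longer distinguish an indexing/configuration problem from legitimate queue saturation. Give the bounds-check path its own counter, or at least mark it with `/* out-of-range evalIndex: should not happen; folded into match_limit */` so that a non-zero value is investigated rather than read as tuning headroom. fpAddMatch continues outside the hunk.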
@@ -527,24 +513,24 @@ } } - DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "[*] Rule Head %d\n", + DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "[*] Rule Head %d\n", rtn->head_node_number);) if(!rtn->rule_func->RuleHeadFunc(p, rtn, rtn->rule_func, check_ports)) { DEBUG_WRAP(DebugMessage(DEBUG_DETECT, " => Header check failed, checking next node\n");); - DEBUG_WRAP(DebugMessage(DEBUG_DETECT, + DEBUG_WRAP(DebugMessage(DEBUG_DETECT, " => returned from next node check\n");); PREPROC_PROFILE_END(ruleRTNEvalPerfStats); return 0; } - DEBUG_WRAP(DebugMessage(DEBUG_DETECT, + DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n");); DEBUG_WRAP(DebugMessage(DEBUG_DETECT, " => RTN %d Matched!\n", rtn->head_node_number);); - DEBUG_WRAP(DebugMessage(DEBUG_DETECT, + DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv\n");); /* ** Return that there is a rule match and log the event outside @@ -587,7 +573,7 @@ for ( i = 0; i< root->num_children; i++) { /* New tree, reset doe_ptr for safety */ - doe_ptr = NULL; + UpdateDoePtr(NULL, 0); /* Increment number of events generated from that child */ rval += detection_option_node_evaluate(root->children[i], eval_data); @@ -637,6 +623,10 @@ PREPROC_PROFILE_START(rulePerfStats); + /* NOTE: The otn will be the first one in the match state. If there are + * multiple rules associated with a match state, mucking with the otn + * may muck with an unintended rule */ + /* Set flag for not contents so they aren't evaluated */ for (ncl = (NCListNode *)neg_list; ncl != NULL; ncl = ncl->next) { @@ -645,7 +635,7 @@ neg_pmd->last_check.ts.tv_sec = eval_data.p->pkth->ts.tv_sec; neg_pmd->last_check.ts.tv_usec = eval_data.p->pkth->ts.tv_usec; - neg_pmd->last_check.packet_number = pc.total_from_pcap; + neg_pmd->last_check.packet_number = rule_eval_pkt_count; neg_pmd->last_check.rebuild_flag = (eval_data.p->packet_flags & REBUILD_FLAGS); } 
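Review bot: In `@@ -645,7 +635,7 @@` `neg_pmd->last_check.packet_number` now keys the negated-content cache on `rule_eval_pkt_count` instead of `pc.total_from_pcap`; the cache is only correct if that counter advances once per detection pass, including rebuilt-stream passes, before rule_tree_match runs, and the hunk does not show where it is incremented. A comment at the assignment, `/* rule_eval_pkt_count: advanced once per detection pass by <CALLER — fill in> */`, would make the invariant checkable. rule_tree_match continues outside the hunk.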
@@ -653,7 +643,7 @@ if (rval) { /* - ** We have a qualified event from this tree + ** We have a qualified event from this tree */ pomd->pg->pgQEvents++; UpdateQEvents(&sfEvent); @@ -672,7 +662,7 @@ { return -1; } - + #ifdef GRE /* If this is for an IP rule set, evalute the rules from * the inner IP offset as well */ @@ -696,9 +686,9 @@ eval_data.p->dsize = eval_data.p->ip_dsize; /* clear so we dont keep recursing */ - eval_data.p->packet_flags &= ~PKT_IP_RULE; + eval_data.p->packet_flags &= ~PKT_IP_RULE; eval_data.p->packet_flags |= PKT_IP_RULE_2ND; - + /* Recurse, and evaluate with the inner IP */ rval = rule_tree_match(id, tree, index, data, NULL); @@ -731,19 +721,18 @@ otn2 = *(OptTreeNode **)e2; if( otn1->sigInfo.priority < otn2->sigInfo.priority ) - return +1; + return -1; if( otn1->sigInfo.priority > otn2->sigInfo.priority ) - return -1; + return +1; -/* This improves stability of repeated tests */ -//#ifdef PORTLISTS + /* This improves stability of repeated tests */ if( otn1->sigInfo.id < otn2->sigInfo.id ) - return +1; + return -1; if( otn1->sigInfo.id > otn2->sigInfo.id ) - return -1; -//#endif + return +1; + return 0; } @@ -758,7 +747,19 @@ otn1 = *(OptTreeNode **)e1; otn2 = *(OptTreeNode **)e2; - /**** XXX: TODO for RULE_OPTION_TREE */ + if (otn1->longestPatternLen < otn2->longestPatternLen) + return +1; + + if (otn1->longestPatternLen > otn2->longestPatternLen) + return -1; + + /* This improves stability of repeated tests */ + if( otn1->sigInfo.id < otn2->sigInfo.id ) + return +1; + + if( otn1->sigInfo.id > otn2->sigInfo.id ) + return -1; + return 0; } 
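Review bot: In `@@ -731,19 +721,18 @@` both comparisons had their sign flipped (priority and `sigInfo.id` now sort ascending), while the new comparator in `@@ -758,7 +747,19 @@` sorts `longestPatternLen` and `sigInfo.id` descending; the opposite sid tie-break directions are not obviously intended, and neither function says what order its caller expects. Add a comment above each, e.g. `/* ascending priority: numerically lower priority value sorts first */` and `/* descending longest pattern, then descending sid */`, and reconcile the sid direction if the difference is accidental. Since the sign flip changes which event is selected, a changelog line for operators who tune by priority would help. Both functions' headers lie outside the hunks.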
@@ -771,7 +772,7 @@ ** DESCRIPTION ** fpFinalSelectEvent is called at the end of packet processing ** to decide, if there hasn't already been a selection, to decide -** what event to select. This function is different from +** what event to select. This function is different from ** fpSelectEvent by the fact that fpSelectEvent only selects an ** event if it is the first priority setting (drop/pass/alert...). ** @@ -834,9 +835,9 @@ ** ** FORMAL OUTPUT ** int - return 0 if no match, 1 if match. -** +** */ -static INLINE int fpFinalSelectEvent(OTNX_MATCH_DATA *o, Packet *p) +static inline int fpFinalSelectEvent(OTNX_MATCH_DATA *o, Packet *p) { int i; int j; @@ -845,6 +846,7 @@ int tcnt = 0; EventQueueConfig *eq = snort_conf->event_queue_config; RuleTreeNode *rtn; + int alerted = 0; for( i = 0; i < o->iMatchInfoArraySize; i++ ) { @@ -903,7 +905,7 @@ { if(o->matchInfo[i].MatchArray[k] == otn) { - otn = NULL; + otn = NULL; break; } } @@ -914,29 +916,38 @@ /* ** QueueEvent */ - SnortEventqAdd(otn->sigInfo.generator, + int err = SnortEventqAdd( + otn->sigInfo.generator, otn->sigInfo.id, otn->sigInfo.rev, otn->sigInfo.class_id, otn->sigInfo.priority, otn->sigInfo.message, (void *)NULL); + if ( err ) + pc.queue_limit++; + + alerted = 1; tcnt++; } - - if ( p->ssnptr ) - { - fpAddSessionAlert(p, otn); - } + else + pc.alert_limit++; - if ( p->fragtracker ) + /* Only count it if we're going to log it */ + if (tcnt <= eq->log_events) { - fpAddFragAlert(p, otn); + if ( p->ssnptr ) + fpAddSessionAlert(p, otn, alerted); + + if ( p->fragtracker ) + fpAddFragAlert(p, otn); } - if (tcnt >= eq->log_events) + if (tcnt >= eq->max_events) + { + pc.queue_limit++; return 1; - + } /* only log/count one pass */ if ((otn != NULL) && (rtn != NULL) && (rtn->type == RULE_TYPE__PASS)) { @@ -951,7 +962,7 @@ } /* -** +** ** NAME ** fpAddSessionAlert:: ** 
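Review bot: In `@@ -914,29 +916,38 @@` `pc.queue_limit++` is bumped when `SnortEventqAdd()` returns non-zero and again when `tcnt >= eq->max_events` a few lines later; because `tcnt++` runs regardless of `err`, a failed add on the event that brings `tcnt` to max_events is counted twice for one packet. Count at one site only, or note at the second one `/* may double-count with the SnortEventqAdd failure above */` if the overlap is accepted. The mid-block `int err = SnortEventqAdd(` is C99 mixed declaration while the rest of fpFinalSelectEvent declares its locals at the top; declaring `err` with the others keeps the file consistent. fpFinalSelectEvent continues outside the hunk.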
@@ -961,13 +972,14 @@ ** FORMAL INPUTS ** Packet * - the packet to inspect ** OTNX * - the rule that generated the alert +** int - if the packet generated alert or not. ** ** FORMAL OUTPUTS ** int - 0 if not flagged ** 1 if flagged ** */ -static INLINE int fpAddSessionAlert(Packet *p, OptTreeNode *otn) +static inline int fpAddSessionAlert(Packet *p, OptTreeNode *otn, int alerted) { if ( !p->ssnptr ) return 0; @@ -979,12 +991,12 @@ if (stream_api) return !stream_api->add_session_alert(p->ssnptr, p, otn->sigInfo.generator, - otn->sigInfo.id); + otn->sigInfo.id, alerted); return 0; } /* -** +** ** NAME ** fpSessionAlerted:: ** @@ -1001,7 +1013,7 @@ ** 1 if alert previously generated ** */ -static INLINE int fpSessionAlerted(Packet *p, OptTreeNode *otn) +static inline int fpSessionAlerted(Packet *p, OptTreeNode *otn) { SigInfo *si = &otn->sigInfo; 
@@ -1015,85 +1027,6 @@ } - -#ifndef FPSW -/* -** fpEvalHeader:: -** -** This function is the old way of walking PORT_GROUPs. We -** check the OTNs for matches and then check the RTN for -** validation if the OTN matches. -** Kept for backwards-compatibility -*/ -static INLINE int fpEvalHeader(PORT_GROUP *port_group, Packet *p, int check_ports) -{ - RULE_NODE *rnWalk; - OTNX *otnxWalk; - - /* - ** Walk the content OTNs - */ - for(rnWalk = port_group->pgHead; rnWalk; rnWalk = rnWalk->rnNext) - { - /* - ** Reset the last match offset for each OTN we touch... - */ - doe_ptr = NULL; - - otnxWalk = (OTNX *)rnWalk->rnRuleData; - /* - ** Do the OTN check, if successful than we check - ** the RTN for validation purposes. - */ - if(fpEvalOTN(otnxWalk->otn, p)) - { - /* - ** OTN is match, check RTN - */ - if(fpEvalRTN(otnxWalk->rtn, p, check_ports)) - { - fpLogEvent(otnxWalk->rtn, otnxWalk->otn, p); - return 1; - } - - continue; - } - } - - /* - ** Walk the non-content OTNs - */ - for(rnWalk = port_group->pgHeadNC; rnWalk; rnWalk = rnWalk->rnNext) - { - /* - ** Reset the last match offset for each OTN we touch... - */ - doe_ptr = NULL; - - otnxWalk = (OTNX *)rnWalk->rnRuleData; - /* - ** Do the OTN check, if successful than we check - ** the RTN for validation purposes. - */ - if(fpEvalOTN(otnxWalk->otn, p)) - { - /* - ** OTN is match, check RTN - */ - if(fpEvalRTN(otnxWalk->rtn, p, check_ports)) - { - fpLogEvent(otnxWalk->rtn, otnxWalk->otn, p); - return 1; - } - - continue; - } - } - - return 0; -} -#endif - #if 0 Not currently used /* 
@@ -1105,63 +1038,37 @@ { RuleTreeNode *rtn = getParserRtnFromOtn(otn); - LogMessage("rule proto: "); + LogMessage("rule proto: "); if( rtn->proto== IPPROTO_TCP )LogMessage("tcp "); else if( rtn->proto== IPPROTO_UDP )LogMessage("udp "); else if( rtn->proto== IPPROTO_ICMP )LogMessage("icmp "); else if( rtn->proto== ETHERNET_TYPE_IP)LogMessage("ip "); - + LogMessage("gid:%u sid:%5u ", otn->sigInfo.generator,otn->sigInfo.id); - + LogMessage(" sp:"); - + fflush(stdout);fflush(stderr); -#ifdef PORTLISTS PortObjectPrintPortsRaw(rtn->src_portobject); -#else - if( rtn->flags & ANY_SRC_PORT ) - { - printf("any"); - } - else - { - if( rtn->not_sp_flag )printf("!"); - printf("%d",rtn->lsp); - if( rtn->lsp != rtn->hsp) printf(":%d",rtn->hsp); - } -#endif fflush(stdout);fflush(stderr); - + LogMessage(" dp:"); - -#ifdef PORTLISTS + PortObjectPrintPortsRaw(rtn->dst_portobject); -#else - if( rtn->flags & ANY_DST_PORT ) - { - printf("any"); - } - else - { - if( rtn->not_dp_flag )printf("!"); - printf("%d",rtn->ldp); - if( rtn->ldp != rtn->hdp) printf(":%d",rtn->hdp); - } -#endif printf("\n"); fflush(stdout);fflush(stderr); } #endif /* -** +** ** NAME ** fpEvalHeaderSW:: ** ** DESCRIPTION ** This function does a set-wise match on content, and walks an otn list -** for non-content. The otn list search will eventually be redone for +** for non-content. The otn list search will eventually be redone for ** for performance purposes. ** ** FORMAL INPUTS @@ -1175,13 +1082,12 @@ ** 1 for sucessful pattern match ** */ -static INLINE int fpEvalHeaderSW(PORT_GROUP *port_group, Packet *p, - int check_ports, char ip_rule, OTNX_MATCH_DATA *omd) +static inline int fpEvalHeaderSW(PORT_GROUP *port_group, Packet *p, + int check_ports, char ip_rule, OTNX_MATCH_DATA *omd) { RULE_NODE *rnWalk; void * so; int start_state; - char http_buffer_checked = 0; const uint8_t *tmp_payload = p->data; uint16_t tmp_dsize = p->dsize; void *tmp_iph = (void *)p->iph; 
@@ -1192,211 +1098,214 @@ char repeat = 0; FastPatternConfig *fp = snort_conf->fast_pattern_config; PROFILE_VARS; - + if (ip_rule) { /* Set the packet payload pointers to that of IP, - ** since this is an IP rule. */ + ** since this is an IP rule. */ #ifdef GRE if (p->outer_ip_data) { p->iph = p->outer_iph; -#ifdef SUP_IP6 +# ifdef SUP_IP6 p->ip6h = &p->outer_ip6h; p->ip4h = &p->outer_ip4h; -#endif +# endif p->data = p->outer_ip_data; p->dsize = p->outer_ip_dsize; p->packet_flags |= PKT_IP_RULE; repeat = 2; } else -#endif - if (p->ip_data) +#endif /* GRE */ { - p->data = p->ip_data; - p->dsize = p->ip_dsize; - p->packet_flags |= PKT_IP_RULE; + if (p->ip_data) + { + p->data = p->ip_data; + p->dsize = p->ip_dsize; + p->packet_flags |= PKT_IP_RULE; + } } } else { p->packet_flags &= ~PKT_IP_RULE; } - + /* - ** Init the info for rule ordering selection - */ + ** Init the info for rule ordering selection + */ //InitMatchInfo(omd); - + if (do_detect_content) { /* - ** PKT_STREAM_INSERT packets are being rebuilt and re-injected - ** through this detection engine. So in order to avoid pattern - ** matching bytes twice, we wait until the PKT_STREAM_INSERT - ** packets are rebuilt and injected through the detection engine. - ** - ** PROBLEM: - ** If a stream gets stomped on before it gets re-injected, an attack - ** would be missed. So before a connection gets stomped, we - ** re-inject the stream we have. - */ + ** PKT_STREAM_INSERT packets are being rebuilt and re-injected + ** through this detection engine. So in order to avoid pattern + ** matching bytes twice, we wait until the PKT_STREAM_INSERT + ** packets are rebuilt and injected through the detection engine. + ** + ** PROBLEM: + ** If a stream gets stomped on before it gets re-injected, an attack + ** would be missed. So before a connection gets stomped, we + ** re-inject the stream we have. + */ + + /* + ** First evaluate the detection functions. Namely those things + ** that are between a preprocessor and rules. 
+ */ + { + tSfPolicyId policy_id = getRuntimePolicy(); + SnortPolicy *policy = snort_conf->targeted_policies[policy_id]; + /* safe to assume policy is non NULL here because of check in + * Preprocess() */ + DetectionEvalFuncNode *idx = policy->detect_eval_funcs; + + for (; (idx != NULL) && !(p->packet_flags & PKT_PASS_RULE); idx = idx->next) + { + if ((p->proto_bits & idx->proto_mask) || (idx->proto_mask == PROTO_BIT__ALL)) + //IsDetectBitSet(p, idx->preproc_bit)) + { + idx->func(p, idx->context); + } + } + } + if (fp->inspect_stream_insert || !(p->packet_flags & PKT_STREAM_INSERT)) { + omd->pg = port_group; + omd->p = p; + omd->check_ports = check_ports; + /* - ** Uri-Content Match - ** This check indicates that http_decode found - ** at least one uri - */ - if( p->uri_count > 0) + ** Uri-Content Match + ** This check indicates that http_decode found + ** at least one uri + */ + if (p->uri_count > 0) { int i; - so = (void *)port_group->pgPatDataUri; - - if( so && (mpseGetPatternCount(so) > 0)) /* Do we have any HTTP buffer rules ? 
*/ + + for (i = HTTP_BUFFER_URI; (i < p->uri_count) && (i <= HTTP_BUFFER_CLIENT_BODY); i++) { - mpseSetRuleMask( so, &port_group->boRuleNodeID ); - - /* - ** Process the packet's HTTP decoded buffers - */ - for( i=HTTP_BUFFER_URI; iuri_count && i <= HTTP_BUFFER_METHOD; i++) + if ((UriBufs[i].uri == NULL) || (UriBufs[i].length == 0)) + continue; + + switch (i) { - /* Only search the URI, Header, Client Body buffers, - ** and only when they have data - */ - if((UriBufs[i].uri == NULL) || (UriBufs[i].length == 0)) - continue; - - omd->pg = port_group; - omd->p = p; - omd->check_ports = check_ports; - - start_state = 0; - mpseSearch(so, UriBufs[i].uri, UriBufs[i].length, - rule_tree_match, - omd, &start_state); + case HTTP_BUFFER_URI: + so = (void *)port_group->pgPms[PM_TYPE__HTTP_URI_CONTENT]; + break; + case HTTP_BUFFER_HEADER: + so = (void *)port_group->pgPms[PM_TYPE__HTTP_HEADER_CONTENT]; + break; + case HTTP_BUFFER_CLIENT_BODY: + so = (void *)port_group->pgPms[PM_TYPE__HTTP_CLIENT_BODY_CONTENT]; + break; + default: + so = NULL; + break; + } - http_buffer_checked = 1; + if ((so != NULL) && (mpseGetPatternCount(so) > 0)) + { + start_state = 0; + mpseSearch(so, UriBufs[i].uri, UriBufs[i].length, + rule_tree_match, omd, &start_state); #ifdef PPM_MGR - if( PPM_PACKET_ABORT_FLAG() ) - return 0; /* bail if we spent too much time already */ + /* Bail if we spent too much time already */ + if (PPM_PACKET_ABORT_FLAG()) + goto fp_eval_header_sw_reset_ip; #endif } } } - + /* - ** Decode Content Match - ** We check to see if the packet has been normalized into - ** the global (decode.c) DecodeBuffer. Currently, only - ** telnet normalization writes to this buffer. So, if - ** it is set, we do this the match against the normalized - ** buffer and we do the check against the original - ** payload, in case any of the rules have the - ** 'rawbytes' option. 
- */ - so = (void *)port_group->pgPatData; - - if((p->packet_flags & PKT_ALT_DECODE) && so && p->alt_dsize && (mpseGetPatternCount(so) > 0)) + ** Decode Content Match + ** We check to see if the packet has been normalized into + ** the global (decode.c) DecodeBuffer. Currently, only + ** telnet normalization writes to this buffer. So, if + ** it is set, we do this the match against the normalized + ** buffer and we do the check against the original + ** payload, in case any of the rules have the + ** 'rawbytes' option. + */ + so = (void *)port_group->pgPms[PM_TYPE__CONTENT]; + if ((so != NULL) && (mpseGetPatternCount(so) > 0)) { - mpseSetRuleMask( so, &port_group->boRuleNodeID ); - - omd->pg = port_group; - omd->p = p; - omd->check_ports = check_ports; - - start_state = 0; - mpseSearch(so, DecodeBuffer, p->alt_dsize, - rule_tree_match, - omd, &start_state); + if (Is_DetectFlag(FLAG_ALT_DECODE) && DecodeBuffer.len) + { + start_state = 0; + mpseSearch(so, DecodeBuffer.data, DecodeBuffer.len, + rule_tree_match, omd, &start_state); #ifdef PPM_MGR - if( PPM_PACKET_ABORT_FLAG() ) - return 0; /* bail if we spent too much time already */ + /* Bail if we spent too much time already */ + if (PPM_PACKET_ABORT_FLAG()) + goto fp_eval_header_sw_reset_ip; #endif - - /* - ** The reason that we reset the bitops is because - ** an OTN might not be verified using the DecodeBuffer - ** because of the 'rawbytes' option, while the next pass - ** will need to validate that same rule in the case - ** of rawbytes. - */ - boResetBITOP(&(port_group->boRuleNodeID)); - } - - /* - ** Content-Match - If no Uri-Content matches, than do a Content search - ** - ** NOTE: - ** We may want to bail after the Content search if there - ** has been a successful match. 
- */ - if( so && p->data && p->dsize && (mpseGetPatternCount(so) > 0)) - { - uint16_t pattern_match_size = p->dsize; - mpseSetRuleMask( so, &port_group->boRuleNodeID ); - - omd->pg = port_group; - omd->p = p; - omd->check_ports = check_ports; - - start_state = 0; + } - /* Only search alt_dsize if http_buffer_checked is set */ - if (http_buffer_checked) + /* Adding this extra search on file data since we no more use DecodeBuffer to decode now*/ + if(file_data_ptr.len) { - pattern_match_size = p->alt_dsize; + start_state = 0; + mpseSearch(so, file_data_ptr.data, file_data_ptr.len, + rule_tree_match, omd, &start_state); +#ifdef PPM_MGR + /* Bail if we spent too much time already */ + if (PPM_PACKET_ABORT_FLAG()) + goto fp_eval_header_sw_reset_ip; +#endif } - mpseSearch(so, p->data, pattern_match_size, - rule_tree_match, - omd, &start_state); -#ifdef PPM_MGR - if( PPM_PACKET_ABORT_FLAG() ) + /* + ** Content-Match - If no Uri-Content matches, than do a Content search + ** + ** NOTE: + ** We may want to bail after the Content search if there + ** has been a successful match. + */ + if (p->data && p->dsize) { - if (ip_rule) - { - /* Set the data & dsize back to original values. */ - p->iph = (IPHdr *)tmp_iph; -#ifdef SUP_IP6 - p->ip6h = (IP6Hdr *)tmp_ip6h; - p->ip4h = (IP4Hdr *)tmp_ip4h; + uint16_t pattern_match_size = p->dsize; + + if ( IsLimitedDetect(p) && (p->alt_dsize < p->dsize) ) + pattern_match_size = p->alt_dsize; + + start_state = 0; + mpseSearch(so, p->data, pattern_match_size, + rule_tree_match, omd, &start_state); +#ifdef PPM_MGR + /* Bail if we spent too much time already */ + if (PPM_PACKET_ABORT_FLAG()) + goto fp_eval_header_sw_reset_ip; #endif - p->data = tmp_payload; - p->dsize = tmp_dsize; - p->packet_flags &= ~(PKT_IP_RULE| PKT_IP_RULE_2ND); - } - - return 0; /* bail if we spent too much time already */ } -#endif } - - boResetBITOP(&(port_group->boRuleNodeID)); } } /* - ** PKT_REBUILT_STREAM packets are re-injected streams. 
This means - ** that the "packet headers" are completely bogus and only the - ** content matches are important. So for PKT_REBUILT_STREAMs, we - ** don't inspect against no-content OTNs since these deal with - ** packet headers, packet sizes, etc. - ** - ** NOTE: - ** This has been changed when evaluating no-content rules because - ** it was interfering with the pass->alert ordering. We still - ** need to check no-contents against rebuilt packets, because of - ** this problem. Immediate solution is to have the detection plugins - ** bail if the rule should only be inspected against packets, a.k.a - ** dsize checks. - */ + ** PKT_REBUILT_STREAM packets are re-injected streams. This means + ** that the "packet headers" are completely bogus and only the + ** content matches are important. So for PKT_REBUILT_STREAMs, we + ** don't inspect against no-content OTNs since these deal with + ** packet headers, packet sizes, etc. + ** + ** NOTE: + ** This has been changed when evaluating no-content rules because + ** it was interfering with the pass->alert ordering. We still + ** need to check no-contents against rebuilt packets, because of + ** this problem. Immediate solution is to have the detection plugins + ** bail if the rule should only be inspected against packets, a.k.a + ** dsize checks. + */ /* - ** Walk and test the non-content OTNs - */ + ** Walk and test the non-content OTNs + */ if (fpDetectGetDebugPrintNcRules(fp)) LogMessage("NC-testing %u rules\n", port_group->pgNoContentCount); 
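Review bot: The two comments in the content-match section now contradict each other: the retained block still says DecodeBuffer is written by telnet normalization, while the new `/* Adding this extra search on file data since we no more use DecodeBuffer to decode now*/` says DecodeBuffer is no longer used; rewrite the latter to `/* file_data: additional search of the file-data buffer with the same content matcher */` and trim the older one to what still holds. The commented-out `//IsDetectBitSet(p, idx->preproc_bit))` inside the detect_eval_funcs loop should be deleted rather than left as a dangling alternative condition. The file-data search tests only `file_data_ptr.len`, not `file_data_ptr.data`; if the two are always set together, a one-line comment saying so is enough, otherwise test both. fpEvalHeaderSW continues outside the hunk.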
@@ -1407,48 +1316,46 @@ do { - if (port_group->pgHeadNC) - { - detection_option_eval_data_t eval_data; - int rval; - rnWalk = port_group->pgHeadNC; - eval_data.pomd = omd; - eval_data.otnx = rnWalk->rnRuleData; - eval_data.p = p; - eval_data.pmd = NULL; - eval_data.flowbit_failed = 0; - eval_data.flowbit_noalert = 0; - PREPROC_PROFILE_START(ncrulePerfStats); - rval = detection_option_tree_evaluate(port_group->pgNonContentTree, &eval_data); - PREPROC_PROFILE_END(ncrulePerfStats); - - if (rval) + if (port_group->pgHeadNC) { - /* - ** We have a qualified event from this tree - */ - port_group->pgQEvents++; - UpdateQEvents(&sfEvent); - } - else - { - /* - ** This means that the event is non-qualified. - */ - port_group->pgNQEvents++; - UpdateNQEvents(&sfEvent); + detection_option_eval_data_t eval_data; + int rval; + + rnWalk = port_group->pgHeadNC; + eval_data.pomd = omd; + eval_data.otnx = rnWalk->rnRuleData; + eval_data.p = p; + eval_data.pmd = NULL; + eval_data.flowbit_failed = 0; + eval_data.flowbit_noalert = 0; + + PREPROC_PROFILE_START(ncrulePerfStats); + rval = detection_option_tree_evaluate(port_group->pgNonContentTree, &eval_data); + PREPROC_PROFILE_END(ncrulePerfStats); + + if (rval) + { + /* We have a qualified event from this tree */ + port_group->pgQEvents++; + UpdateQEvents(&sfEvent); + } + else + { + /* This means that the event is non-qualified. */ + port_group->pgNQEvents++; + UpdateNQEvents(&sfEvent); + } } - } #ifdef GRE if (ip_rule && p->outer_ip_data) { /* Evaluate again with the inner IPs */ p->iph = p->inner_iph; -#ifdef SUP_IP6 +# ifdef SUP_IP6 p->ip6h = &p->inner_ip6h; p->ip4h = &p->inner_ip4h; -#endif +# endif p->data = p->ip_data; p->dsize = p->ip_dsize; p->packet_flags |= PKT_IP_RULE_2ND | PKT_IP_RULE; 
@@ -1456,10 +1363,13 @@ } #else repeat = 0; -#endif +#endif /* GRE */ } while(repeat != 0); +#ifdef PPM_MGR /* Tag only used with PPM right now */ +fp_eval_header_sw_reset_ip: +#endif if (ip_rule) { /* Set the data & dsize back to original values. */ @@ -1479,17 +1389,16 @@ /* ** fpEvalHeaderUdp:: */ -static INLINE int fpEvalHeaderUdp(Packet *p, OTNX_MATCH_DATA *omd) +static inline int fpEvalHeaderUdp(Packet *p, OTNX_MATCH_DATA *omd) { PORT_GROUP *src = NULL, *dst = NULL, *gen = NULL; - int retval = 0; -#if defined(TARGET_BASED) && defined(PORTLISTS) +#ifdef TARGET_BASED if (IsAdaptiveConfigured(getRuntimePolicy(), 0)) { - int16_t proto_ordinal; /* Check for a service/protocol ordinal for this packet */ - proto_ordinal = GetProtocolReference(p); + int16_t proto_ordinal = GetProtocolReference(p); + DEBUG_WRAP( DebugMessage(DEBUG_ATTRIBUTE,"proto_ordinal=%d\n",proto_ordinal);); if (proto_ordinal > 0) 
@@ -1499,82 +1408,54 @@ TO_SERVER, proto_ordinal); src = fpGetServicePortGroupByOrdinal(snort_conf->sopgTable, IPPROTO_UDP, TO_CLIENT, proto_ordinal); - if (dst != NULL) - retval |=1; - if (src != NULL) - retval |=2; - - DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE,"fpEvalHeaderUdpp:targetbased-ordinal-lookup: " - "retval=%d, sport=%d, dport=%d, proto_ordinal=%d, src:%x, " - "dst:%x, gen:%x\n",retval,p->sp,p->dp,proto_ordinal,src,dst,gen);); + DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, + "fpEvalHeaderUdpp:targetbased-ordinal-lookup: " + "sport=%d, dport=%d, proto_ordinal=%d, src:%x, " + "dst:%x, gen:%x\n",p->sp,p->dp,proto_ordinal,src,dst,gen);); } } - if (retval == 0) + if ((src == NULL) && (dst == NULL)) { /* we did not have a target based port group, use ports */ - retval = prmFindRuleGroupUdp(snort_conf->prmUdpRTNX, p->dp, p->sp, &src, &dst, &gen); - DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE,"fpEvalHeaderUdp: retval=%d, sport=%d, dport=%d, " - "src:%x, dst:%x, gen:%x\n",retval,p->sp,p->dp,src,dst,gen);); + if (!prmFindRuleGroupUdp(snort_conf->prmUdpRTNX, p->dp, p->sp, &src, &dst, &gen)) + return 0; + + DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, + "fpEvalHeaderUdp: sport=%d, dport=%d, " + "src:%x, dst:%x, gen:%x\n",p->sp,p->dp,src,dst,gen);); } #else - retval = prmFindRuleGroupUdp(snort_conf->prmUdpRTNX, p->dp, p->sp, &src, &dst, &gen); + if (!prmFindRuleGroupUdp(snort_conf->prmUdpRTNX, p->dp, p->sp, &src, &dst, &gen)) + return 0; #endif if (fpDetectGetDebugPrintNcRules(snort_conf->fast_pattern_config)) { - LogMessage("fpEvalHeaderUdp: retval=%d, sport=%d, dport=%d, src:%x, " - "dst:%x, gen:%x\n",retval,p->sp,p->dp,src,dst,gen); + LogMessage( + "fpEvalHeaderUdp: sport=%d, dport=%d, src:%p, dst:%p, gen:%p\n", + p->sp, p->dp, (void*)src, (void*)dst, (void*)gen); } - switch (retval) + InitMatchInfo(omd); + + if (dst != NULL) { - case 0: - /* nothing */ - return 0; - case 1: - InitMatchInfo(omd); - - /* destination groups */ - if(fpEvalHeaderSW(dst, p, 1, 0, omd)) - { - return 
1; - } - break; - case 2: - InitMatchInfo(omd); - - /* source groups */ - if(fpEvalHeaderSW(src, p, 1, 0, omd)) - { - return 1; - } - break; - case 3: - InitMatchInfo(omd); - - /* both ports */ - if(fpEvalHeaderSW(dst, p, 1, 0, omd)) - { - return 1; - } - if(fpEvalHeaderSW(src, p, 1, 0, omd)) - { - return 1; - } - break; - case 4: - InitMatchInfo(omd); - - /* generic */ - if(fpEvalHeaderSW(gen, p, 1, 0, omd)) - { - return 1; - } - break; - default: - return 0; + if (fpEvalHeaderSW(dst, p, 1, 0, omd)) + return 1; + } + + if (src != NULL) + { + if (fpEvalHeaderSW(src, p, 1, 0, omd)) + return 1; + } + + if (gen != NULL) + { + if (fpEvalHeaderSW(gen, p, 1, 0, omd)) + return 1; } return fpFinalSelectEvent(omd, p); @@ -1583,21 +1464,16 @@ /* ** fpEvalHeaderTcp:: */ -static INLINE int fpEvalHeaderTcp(Packet *p, OTNX_MATCH_DATA *omd) +static inline int fpEvalHeaderTcp(Packet *p, OTNX_MATCH_DATA *omd) { PORT_GROUP *src = NULL, *dst = NULL, *gen = NULL; - int retval = 0; -#if defined(TARGET_BASED) && defined(PORTLISTS) +#ifdef TARGET_BASED if (IsAdaptiveConfigured(getRuntimePolicy(), 0)) { - int16_t proto_ordinal; - DEBUG_WRAP(static int cnt=0;); + int16_t proto_ordinal = GetProtocolReference(p); - proto_ordinal = GetProtocolReference(p); - - DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "packet=%d, proto_ordinal=%d\n", - cnt++,proto_ordinal);); + DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "proto_ordinal=%d\n", proto_ordinal);); if (proto_ordinal > 0) { @@ -1607,8 +1483,6 @@ src = fpGetServicePortGroupByOrdinal(snort_conf->sopgTable, IPPROTO_TCP, 0 /*to_cli */, proto_ordinal); - if (src != NULL) - retval |= 2; } if (p->packet_flags & PKT_FROM_CLIENT) /* to srv */ 
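Review bot: In `@@ -1499,82 +1408,54 @@` the surviving DEBUG_WRAP messages in the TARGET_BASED paths still print `src`, `dst` and `gen` with `%x` while the LogMessage a few lines below was fixed to `%p` with `(void*)` casts; `%x` with a pointer argument is a format mismatch (undefined behavior, and truncates on 64-bit), so apply the same `%p`/`(void*)` treatment to those two DebugMessage calls and to the matching ones in fpEvalHeaderTcp's hunk `@@ -1617,83 +1491,55 @@`. The rewrite also evaluates `gen` whenever it is non-NULL, whereas the old switch only reached the generic group in `case 4`; if prmFindRuleGroupUdp can return src/dst together with gen, that is a behavior change worth a line in the commit message. fpEvalHeaderUdp's header is in the preceding hunk.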
@@ -1617,83 +1491,55 @@ dst = fpGetServicePortGroupByOrdinal(snort_conf->sopgTable, IPPROTO_TCP, 1 /*to_srv */, proto_ordinal); - if (dst != NULL) - retval |= 1; } - DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "fpEvalHeaderTcp:targetbased-ordinal-lookup: " - "retval=%d, sport=%d, dport=%d, proto_ordinal=%d, src:%x, " - "dst:%x, gen:%x\n",retval,p->sp,p->dp,proto_ordinal,src,dst,gen);); - - /* retval == 0, will just return below , means no rules for this service*/ + DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, + "fpEvalHeaderTcp:targetbased-ordinal-lookup: " + "sport=%d, dport=%d, proto_ordinal=%d, src:%x, " + "dst:%x, gen:%x\n",p->sp,p->dp,proto_ordinal,src,dst,gen);); } } - if (retval == 0) + if ((src == NULL) && (dst == NULL)) { /* we did not have a target based group, use ports */ - retval = prmFindRuleGroupTcp(snort_conf->prmTcpRTNX, p->dp, p->sp, &src, &dst, &gen); + if (!prmFindRuleGroupTcp(snort_conf->prmTcpRTNX, p->dp, p->sp, &src, &dst, &gen)) + return 0; - DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "fpEvalHeaderTcp: retval=%d, sport=%d, " - "dport=%d, src:%x, dst:%x, gen:%x\n",retval,p->sp,p->dp,src,dst,gen);); + DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, + "fpEvalHeaderTcp: sport=%d, " + "dport=%d, src:%x, dst:%x, gen:%x\n",p->sp,p->dp,src,dst,gen);); } #else - retval = prmFindRuleGroupTcp(snort_conf->prmTcpRTNX, p->dp, p->sp, &src, &dst, &gen); + if (!prmFindRuleGroupTcp(snort_conf->prmTcpRTNX, p->dp, p->sp, &src, &dst, &gen)) + return 0; #endif if (fpDetectGetDebugPrintNcRules(snort_conf->fast_pattern_config)) { - LogMessage("fpEvalHeaderTcp: retval=%d, sport=%d, dport=%d, src:%x, " - "dst:%x, gen:%x\n",retval,p->sp,p->dp,src,dst,gen); + LogMessage( + "fpEvalHeaderTcp: sport=%d, dport=%d, src:%p, dst:%p, gen:%p\n", + p->sp, p->dp, (void*)src, (void*)dst, (void*)gen); } - switch (retval) - { - case 0: - /* nothing */ - return 0; - case 1: - InitMatchInfo(omd); - - /* destination groups */ - if(fpEvalHeaderSW(dst, p, 1, 0, omd)) - { - return 1; - } - break; - case 
2: - InitMatchInfo(omd); + InitMatchInfo(omd); - /* source groups */ - if(fpEvalHeaderSW(src, p, 1, 0, omd)) - { - return 1; - } - break; - case 3: - InitMatchInfo(omd); + if (dst != NULL) + { + if (fpEvalHeaderSW(dst, p, 1, 0, omd)) + return 1; + } - /* both ports */ - if(fpEvalHeaderSW(dst, p, 1, 0, omd)) - { - return 1; - } - if(fpEvalHeaderSW(src, p, 1, 0, omd)) - { - return 1; - } - break; - case 4: - InitMatchInfo(omd); + if (src != NULL) + { + if (fpEvalHeaderSW(src, p, 1, 0, omd)) + return 1; + } - /* generic */ - if(fpEvalHeaderSW(gen, p, 1, 0, omd)) - { - return 1; - } - break; - default: - return 0; + if (gen != NULL) + { + if(fpEvalHeaderSW(gen, p, 1, 0, omd)) + return 1; } return fpFinalSelectEvent(omd, p); 
@@ -1702,59 +1548,32 @@ /* ** fpEvalHeaderICMP:: */ -static INLINE int fpEvalHeaderIcmp(Packet *p, OTNX_MATCH_DATA *omd) +static inline int fpEvalHeaderIcmp(Packet *p, OTNX_MATCH_DATA *omd) { - PORT_GROUP *gen, *type; - int retval; - FastPatternConfig *fp = snort_conf->fast_pattern_config; + PORT_GROUP *gen = NULL, *type = NULL; - retval = prmFindRuleGroupIcmp(snort_conf->prmIcmpRTNX, p->icmph->type, &type, &gen); - - // PORTLISTS - if (fpDetectGetDebugPrintNcRules(fp)) + if (!prmFindRuleGroupIcmp(snort_conf->prmIcmpRTNX, p->icmph->type, &type, &gen)) + return 0; + + if (fpDetectGetDebugPrintNcRules(snort_conf->fast_pattern_config)) { - LogMessage("fpEvalHeaderIcmp: retval: %d, icmp->type=%d type=%x " - "gen=%x\n",retval,p->icmph->type,type,gen); + LogMessage( + "fpEvalHeaderIcmp: icmp->type=%d type=%p gen=%p\n", + p->icmph->type, (void*)type, (void*)gen); } - - switch(retval) - { - case 0: - return 0; - case 1: - InitMatchInfo(omd); - - /* icmp type */ -#ifdef FPSW - if(fpEvalHeaderSW(type, p, 0, 0, omd)) -#else - if(fpEvalHeader(type, p, 0)) -#endif - { - return 1; - } - break; - case 2: - return 0; - case 3: - return 0; - case 4: - InitMatchInfo(omd); - - /* generic */ -#ifdef FPSW - if(fpEvalHeaderSW(gen, p, 0, 0, omd)) -#else - if(fpEvalHeader(gen, p, 0)) -#endif - { - return 1; - } + InitMatchInfo(omd); - break; - default: - return 0; + if (type != NULL) + { + if (fpEvalHeaderSW(type, p, 0, 0, omd)) + return 1; + } + + if (gen != NULL) + { + if (fpEvalHeaderSW(gen, p, 0, 0, omd)) + return 1; } return fpFinalSelectEvent(omd, p); 
@@ -1763,56 +1582,28 @@ /* ** fpEvalHeaderIP:: */ -static INLINE int fpEvalHeaderIp(Packet *p, int ip_proto, OTNX_MATCH_DATA *omd) +static inline int fpEvalHeaderIp(Packet *p, int ip_proto, OTNX_MATCH_DATA *omd) { - PORT_GROUP *gen, *ip_group; - int retval; + PORT_GROUP *gen = NULL, *ip_group = NULL; + + if (!prmFindRuleGroupIp(snort_conf->prmIpRTNX, ip_proto, &ip_group, &gen)) + return 0; - retval = prmFindRuleGroupIp(snort_conf->prmIpRTNX, ip_proto, &ip_group, &gen); - - // PORTLISTS if(fpDetectGetDebugPrintNcRules(snort_conf->fast_pattern_config)) - LogMessage("fpEvalHeaderIp: retval: %d, ip_group=%x, gen=%x\n",retval,ip_group,gen); - - switch(retval) - { - case 0: - return 0; - case 1: - InitMatchInfo(omd); - - /* ip_group */ -#ifdef FPSW - if(fpEvalHeaderSW(ip_group, p, 0, 1, omd)) -#else - if(fpEvalHeader(ip_group, p, 0)) -#endif - { - return 1; - } + LogMessage("fpEvalHeaderIp: ip_group=%p, gen=%p\n", (void*)ip_group, (void*)gen); - break; - case 2: - return 0; - case 3: - return 0; - case 4: - InitMatchInfo(omd); - - /* generic */ -#ifdef FPSW - if(fpEvalHeaderSW(gen, p, 0, 1, omd)) -#else - if(fpEvalHeader(gen, p, 0)) -#endif - { - return 1; - } + InitMatchInfo(omd); - break; + if (ip_group != NULL) + { + if (fpEvalHeaderSW(ip_group, p, 0, 1, omd)) + return 1; + } - default: - return 0; + if (gen != NULL) + { + if (fpEvalHeaderSW(gen, p, 0, 1, omd)) + return 1; } return fpFinalSelectEvent(omd, p); @@ -1824,7 +1615,7 @@ ** fpEvalPacket:: ** ** DESCRIPTION -** This function is the interface to the Detect() routine. Here +** This function is the interface to the Detect() routine. Here ** the IP protocol is processed. If it is TCP, UDP, or ICMP, we ** process the both that particular ruleset and the IP ruleset ** with in the fpEvalHeader for that protocol. If the protocol 
@@ -1848,10 +1639,38 @@ int ip_proto = GET_IPH_PROTO(p); OTNX_MATCH_DATA *omd = snort_conf->omd; + /* Run UDP rules against the UDP header of Teredo packets */ + if ( p->udph && (p->proto_bits & (PROTO_BIT__TEREDO | PROTO_BIT__GTP)) ) + { + uint16_t tmp_sp = p->sp; + uint16_t tmp_dp = p->dp; + const UDPHdr *tmp_udph = p->udph; + const uint8_t *tmp_data = p->data; + uint16_t tmp_dsize = p->dsize; + + if (p->outer_udph) + { + p->udph = p->outer_udph; + } + p->sp = ntohs(p->udph->uh_sport); + p->dp = ntohs(p->udph->uh_dport); + p->data = (const uint8_t *)p->udph + UDP_HEADER_LEN; + if (p->outer_ip_dsize > UDP_HEADER_LEN) + p->dsize = p->outer_ip_dsize - UDP_HEADER_LEN; + + fpEvalHeaderUdp(p, omd); + + p->sp = tmp_sp; + p->dp = tmp_dp; + p->udph = tmp_udph; + p->data = tmp_data; + p->dsize = tmp_dsize; + } + switch(ip_proto) { case IPPROTO_TCP: - DEBUG_WRAP(DebugMessage(DEBUG_DETECT, + DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "Detecting on TcpList\n");); if(p->tcph == NULL) @@ -1863,7 +1682,7 @@ return fpEvalHeaderTcp(p, omd); case IPPROTO_UDP: - DEBUG_WRAP(DebugMessage(DEBUG_DETECT, + DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "Detecting on UdpList\n");); if(p->udph == NULL) @@ -1871,20 +1690,20 @@ ip_proto = -1; break; } - + return fpEvalHeaderUdp(p, omd); #ifdef SUP_IP6 case IPPROTO_ICMPV6: #endif case IPPROTO_ICMP: - DEBUG_WRAP(DebugMessage(DEBUG_DETECT, + DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "Detecting on IcmpList\n");); if(p->icmph == NULL) { ip_proto = -1; - break; + break; } return fpEvalHeaderIcmp(p, omd); 
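Review bot: In the added Teredo/GTP block, `p->data` is always repointed to `p->udph + UDP_HEADER_LEN` but `p->dsize` is only rewritten when `p->outer_ip_dsize > UDP_HEADER_LEN`, so for a short outer datagram fpEvalHeaderUdp inspects the outer payload with the inner payload's length still in `p->dsize`, and content matching may read beyond the bytes that header actually covers. Keep the two fields consistent: `p->dsize = (p->outer_ip_dsize > UDP_HEADER_LEN) ? p->outer_ip_dsize - UDP_HEADER_LEN : 0;`. It is also not visible here whether `p->outer_ip_dsize` is meaningful when `p->outer_udph` is NULL and `p->udph` is left as is; if it is not, the dsize adjustment belongs inside the `if (p->outer_udph)` branch — confirm against the decoder. The enclosing fpEvalPacket starts outside the hunk.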
@@ -1913,13 +1732,17 @@ { if (fpEvalRTN(getRuntimeRtnFromOtn(otn), p, 0)) { - SnortEventqAdd(otn->sigInfo.generator, + SnortEventqAdd(otn->sigInfo.generator, otn->sigInfo.id, otn->sigInfo.rev, otn->sigInfo.class_id, otn->sigInfo.priority, otn->sigInfo.message, (void *)NULL); + if (RULE_TYPE__PASS == getRuntimeRtnFromOtn(otn)->type) + { + p->packet_flags |= PKT_PASS_RULE; + } } } } diff -Nru snort-2.8.5.2/src/fpdetect.h snort-2.9.2/src/fpdetect.h --- snort-2.8.5.2/src/fpdetect.h 2009-08-10 20:41:39.000000000 +0000 +++ snort-2.9.2/src/fpdetect.h 2011-06-08 00:33:06.000000000 +0000 @@ -3,7 +3,7 @@ ** ** fpfuncs.h ** -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Dan Roelker ** Marc Norton ** @@ -35,7 +35,7 @@ #endif #include "fpcreate.h" -#include "debug.h" +#include "snort_debug.h" #include "decode.h" #include "sflsq.h" #include "event_queue.h" @@ -56,9 +56,9 @@ ** to match before choosing which event to log. ** (Since we can only log one.) This define is the limit. */ -#define MAX_EVENT_MATCH 100 +#define MAX_EVENT_MATCH 100 -/* +/* ** MATCH_INFO ** The events that are matched get held in this structure, ** and iMatchIndex gets set to the event that holds the @@ -70,7 +70,7 @@ int iMatchCount; int iMatchIndex; int iMatchMaxLen; - + }MATCH_INFO; /* @@ -82,7 +82,7 @@ ** the event to log based on the event comparison ** function. */ -typedef struct +typedef struct { PORT_GROUP * pg; Packet * p; diff -Nru snort-2.8.5.2/src/generators.h snort-2.9.2/src/generators.h --- snort-2.8.5.2/src/generators.h 2009-12-15 23:27:52.000000000 +0000 +++ snort-2.9.2/src/generators.h 2011-11-21 20:15:24.000000000 +0000 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify 
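Review bot: The new PASS check calls `getRuntimeRtnFromOtn(otn)` a second time for the otn that the enclosing `if (fpEvalRTN(getRuntimeRtnFromOtn(otn), p, 0))` just resolved; hoist the lookup into a local before that `if` and use it in both places so a reader can see the same RTN is being tested and the lookup is not repeated per event. A short comment on the new block — `/* a pass rule matched: record it on the packet */` — would also help, with a pointer to whatever consumes PKT_PASS_RULE once that is confirmed, since nothing in this hunk shows who reads the flag. The enclosing function begins outside the hunk.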
@@ -83,7 +83,7 @@
 #define DECODE_BAD_VLAN 130
 #define DECODE_BAD_VLAN_ETHLLC 131
 #define DECODE_BAD_VLAN_OTHER 132
-#define DECODE_BAD_80211_ETHLLC 133
+#define DECODE_BAD_80211_ETHLLC 133
 #define DECODE_BAD_80211_OTHER 134
 
 #define DECODE_BAD_TRH 140
@@ -91,8 +91,8 @@
 #define DECODE_BAD_TR_MR_LEN 142
 #define DECODE_BAD_TRHMR 143
 
-#define DECODE_BAD_TRAFFIC_LOOPBACK 150
-#define DECODE_BAD_TRAFFIC_SAME_SRCDST 151
+#define DECODE_BAD_TRAFFIC_LOOPBACK 150
+#define DECODE_BAD_TRAFFIC_SAME_SRCDST 151
 
 #ifdef GRE
 #define DECODE_GRE_DGRAM_LT_GREHDR 160
@@ -113,30 +113,114 @@
 #define DECODE_MPLS_LABEL_STACK 176
 
 #define DECODE_ICMP_ORIG_IP_TRUNCATED 250
-#define DECODE_ICMP_ORIG_IP_NOT_IPV4 251
+#define DECODE_ICMP_ORIG_IP_VER_MISMATCH 251
 #define DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP 252
 #define DECODE_ICMP_ORIG_PAYLOAD_LT_64 253
 #define DECODE_ICMP_ORIG_PAYLOAD_GT_576 254
 #define DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET 255
 
-#define DECODE_IPV6_MIN_TTL 270
+#define DECODE_IPV6_MIN_TTL 270
 #define DECODE_IPV6_IS_NOT 271
 #define DECODE_IPV6_TRUNCATED_EXT 272
 #define DECODE_IPV6_TRUNCATED 273
 #define DECODE_IPV6_DGRAM_LT_IPHDR 274
 #define DECODE_IPV6_DGRAM_GT_CAPLEN 275
+#define DECODE_IPV6_DST_ZERO 276
+#define DECODE_IPV6_SRC_MULTICAST 277
+#define DECODE_IPV6_DST_RESERVED_MULTICAST 278
+#define DECODE_IPV6_BAD_OPT_TYPE 279
+#define DECODE_IPV6_BAD_MULTICAST_SCOPE 280
+#define DECODE_IPV6_BAD_NEXT_HEADER 281
+#define DECODE_IPV6_ROUTE_AND_HOPBYHOP 282
+#define DECODE_IPV6_TWO_ROUTE_HEADERS 283
+
+#define DECODE_ICMPV6_TOO_BIG_BAD_MTU 285
+#define DECODE_ICMPV6_UNREACHABLE_BAD_CODE 286
+#define DECODE_ICMPV6_SOLICITATION_BAD_CODE 287
+#define DECODE_ICMPV6_ADVERT_BAD_CODE 288
+#define DECODE_ICMPV6_SOLICITATION_BAD_RESERVED 289
+#define DECODE_ICMPV6_ADVERT_BAD_REACHABLE 290
 #define DECODE_IPV6_TUNNELED_IPV4_TRUNCATED 291
+#define DECODE_IPV6_DSTOPTS_WITH_ROUTING 292
+#define DECODE_IP_MULTIPLE_ENCAPSULATION 293
 
-#define DECODE_TCP_XMAS 400
-#define DECODE_TCP_NMAP_XMAS 401
-
-#define DECODE_DOS_NAPTHA 402
-#define DECODE_SYN_TO_MULTICAST 403
-#define DECODE_ZERO_TTL 404
-#define DECODE_BAD_FRAGBITS 405
+#define DECODE_ESP_HEADER_TRUNC 294
+#define DECODE_IPV6_BAD_OPT_LEN 295
+#define DECODE_IPV6_UNORDERED_EXTENSIONS 296
+
+#define DECODE_GTP_MULTIPLE_ENCAPSULATION 297
+#define DECODE_GTP_BAD_LEN 298
+
+//-----------------------------------------------------
+// remember to add rules to preproc_rules/decoder.rules
+// add the new decoder rules to the following enum.
+
+#define DECODE_START_INDEX 400
+
+enum {
+ DECODE_TCP_XMAS = DECODE_START_INDEX,
+ DECODE_TCP_NMAP_XMAS,
+ DECODE_DOS_NAPTHA,
+ DECODE_SYN_TO_MULTICAST,
+ DECODE_ZERO_TTL,
+ DECODE_BAD_FRAGBITS,
+ DECODE_UDP_IPV6_ZERO_CHECKSUM,
+ DECODE_IP4_LEN_OFFSET,
+ DECODE_IP4_SRC_THIS_NET,
+ DECODE_IP4_DST_THIS_NET,
+ DECODE_IP4_SRC_MULTICAST,
+ DECODE_IP4_SRC_RESERVED,
+ DECODE_IP4_DST_RESERVED,
+ DECODE_IP4_SRC_BROADCAST,
+ DECODE_IP4_DST_BROADCAST,
+ DECODE_ICMP4_DST_MULTICAST,
+ DECODE_ICMP4_DST_BROADCAST,
+ DECODE_ICMP4_TYPE_OTHER = 418,
+ DECODE_TCP_BAD_URP,
+ DECODE_TCP_SYN_FIN,
+ DECODE_TCP_SYN_RST,
+ DECODE_TCP_MUST_ACK,
+ DECODE_TCP_NO_SYN_ACK_RST,
+ DECODE_ETH_HDR_TRUNC,
+ DECODE_IP4_HDR_TRUNC,
+ DECODE_ICMP4_HDR_TRUNC,
+ DECODE_ICMP6_HDR_TRUNC,
+ DECODE_IP4_MIN_TTL,
+ DECODE_IP6_ZERO_HOP_LIMIT,
+ DECODE_IP4_DF_OFFSET,
+ DECODE_ICMP6_TYPE_OTHER,
+ DECODE_ICMP6_DST_MULTICAST,
+ DECODE_TCP_SHAFT_SYNFLOOD,
+ DECODE_ICMP_PING_NMAP,
+ DECODE_ICMP_ICMPENUM,
+ DECODE_ICMP_REDIRECT_HOST,
+ DECODE_ICMP_REDIRECT_NET,
+ DECODE_ICMP_TRACEROUTE_IPOPTS,
+ DECODE_ICMP_SOURCE_QUENCH,
+ DECODE_ICMP_BROADSCAN_SMURF_SCANNER,
+ DECODE_ICMP_DST_UNREACH_ADMIN_PROHIBITED,
+ DECODE_ICMP_DST_UNREACH_DST_HOST_PROHIBITED,
+ DECODE_ICMP_DST_UNREACH_DST_NET_PROHIBITED,
+ DECODE_IP_OPTION_SET,
+ DECODE_UDP_LARGE_PACKET,
+ DECODE_TCP_PORT_ZERO,
+ DECODE_UDP_PORT_ZERO,
+ DECODE_IP_RESERVED_FRAG_BIT,
+ DECODE_IP_UNASSIGNED_PROTO,
+ DECODE_IP_BAD_PROTO,
+ DECODE_ICMP_PATH_MTU_DOS,
+ DECODE_ICMP_DOS_ATTEMPT,
+ DECODE_IPV6_ISATAP_SPOOF,
+ DECODE_PGM_NAK_OVERFLOW,
+ DECODE_IGMP_OPTIONS_DOS,
+ DECODE_IP6_EXCESS_EXT_HDR,
+
+ DECODE_INDEX_MAX
+};
+//-----------------------------------------------------
 
 /*
 ** HttpInspect Generator IDs
 **
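Review bot: `DECODE_ICMP4_TYPE_OTHER = 418` is the only explicit value in the new decoder enum after `DECODE_START_INDEX`; the seventeen entries before it occupy 400–416, so 417 is left unassigned without a word of explanation, and any entry later added above that line renumbers everything before 418 while the rest stays put — exactly the silent SID shift the comment above the enum warns about. Put the reason on the line, e.g. `DECODE_ICMP4_TYPE_OTHER = 418, /* 417 intentionally unused; values must stay in step with preproc_rules/decoder.rules */`, and guard the layout with a compile-time check that `DECODE_ICMP4_DST_BROADCAST == 416` (a `_Static_assert` where C11 is available) so an accidental overrun fails the build instead of shipping a collision. The rename of `DECODE_ICMP_ORIG_IP_NOT_IPV4` to `DECODE_ICMP_ORIG_IP_VER_MISMATCH` keeps SID 251, so rules referencing the number are unaffected, but code still using the old macro will no longer compile.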
@@ -146,11 +230,15 @@
 ** trick is that whatever the number is in HttpInspect,
 ** it must be +1 when you define it here.
 */
+// these are client specific events
 #define GENERATOR_SPP_HTTP_INSPECT_CLIENT 119
 #define HI_CLIENT_ASCII 1 /* done */
 #define HI_CLIENT_DOUBLE_DECODE 2 /* done */
 #define HI_CLIENT_U_ENCODE 3 /* done */
 #define HI_CLIENT_BARE_BYTE 4 /* done */
+/* Base 36 is deprecated and essentially a noop
+ * Leaving here in case anyone out there has historical data with
+ * alerts of this type */
 #define HI_CLIENT_BASE36 5 /* done */
 #define HI_CLIENT_UTF_8 6 /* done */
 #define HI_CLIENT_IIS_UNICODE 7 /* done */
@@ -168,9 +256,30 @@
 #define HI_CLIENT_LONG_HDR 19 /* done */
 #define HI_CLIENT_MAX_HEADERS 20 /* done */
 #define HI_CLIENT_MULTIPLE_CONTLEN 21
+#define HI_CLIENT_CHUNK_SIZE_MISMATCH 22
+#define HI_CLIENT_INVALID_TRUEIP 23
+#define HI_CLIENT_MULTIPLE_HOST_HDRS 24
+#define HI_CLIENT_LONG_HOSTNAME 25
+#define HI_CLIENT_EXCEEDS_SPACES 26
+#define HI_CLIENT_CONSECUTIVE_SMALL_CHUNK_SIZES 27
+#define HI_CLIENT_UNBOUNDED_POST 28
+#define HI_CLIENT_MULTIPLE_TRUEIP_IN_SESSION 29
+#define HI_CLIENT_BOTH_TRUEIP_XFF_HDRS 30
 
-#define GENERATOR_SPP_HTTP_INSPECT_ANOM_SERVER 120
+// these are either server specific or both client / server
+#define GENERATOR_SPP_HTTP_INSPECT 120
 #define HI_ANOM_SERVER_ALERT 1 /* done */
+#define HI_SERVER_INVALID_STATCODE 2
+#define HI_SERVER_NO_CONTLEN 3
+#define HI_SERVER_UTF_NORM_FAIL 4
+#define HI_SERVER_UTF7 5
+#define HI_SERVER_DECOMPR_FAILED 6
+#define HI_SERVER_CONSECUTIVE_SMALL_CHUNK_SIZES 7
+#define HI_CLISRV_MSG_SIZE_EXCEPTION 8
+#define HI_SERVER_JS_OBFUSCATION_EXCD 9
+#define HI_SERVER_JS_EXCESS_WS 10
+#define HI_SERVER_MIXED_ENCODINGS 11
+
 
 #define GENERATOR_PSNG 122
 #define PSNG_TCP_PORTSCAN 1
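Review bot: `GENERATOR_SPP_HTTP_INSPECT_ANOM_SERVER` is renamed to `GENERATOR_SPP_HTTP_INSPECT` in the @@ -168 hunk with no compatibility alias, so out-of-tree code or tooling that referenced the old name stops compiling even though GID 120 itself is unchanged. Unless dropping the name is intended, add `#define GENERATOR_SPP_HTTP_INSPECT_ANOM_SERVER GENERATOR_SPP_HTTP_INSPECT` beside the new definition. The new `// these are either server specific or both client / server` comment is also the only description of SIDs 2–11 under GID 120; a trailing comment per entry naming the condition it reports would make the table usable without opening the preprocessor source.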
@@ -229,6 +338,11 @@
 #define SMTP_ILLEGAL_CMD 6
 #define SMTP_HEADER_NAME_OVERFLOW 7
 #define SMTP_XLINK2STATE_OVERFLOW 8
+#define SMTP_DECODE_MEMCAP_EXCEEDED 9
+#define SMTP_B64_DECODING_FAILED 10
+#define SMTP_QP_DECODING_FAILED 11
+#define SMTP_BITENC_DECODING_FAILED 12
+#define SMTP_UU_DECODING_FAILED 13
 
 /*
 ** FTPTelnet Generator IDs
@@ -277,9 +391,13 @@
 #define STREAM5_SESSION_HIJACKED_SERVER 10
 #define STREAM5_DATA_WITHOUT_FLAGS 11
 #define STREAM5_SMALL_SEGMENT 12
-
-#define GENERATOR_DCERPC 130
-#define DCERPC_MEMORY_OVERFLOW 1
+#define STREAM5_4WAY_HANDSHAKE 13
+#define STREAM5_NO_TIMESTAMP 14
+#define STREAM5_BAD_RST 15
+#define STREAM5_BAD_FIN 16
+#define STREAM5_BAD_ACK 17
+#define STREAM5_DATA_AFTER_RST_RCVD 18
+#define STREAM5_WINDOW_SLAM 19
 
 #define GENERATOR_DNS 131
 #define DNS_EVENT_OBSOLETE_TYPES 1
@@ -332,6 +450,11 @@
 #define DCE2_EVENT__CL_BAD_PDU_TYPE 41
 #define DCE2_EVENT__CL_DATA_LT_HDR 42
 #define DCE2_EVENT__CL_BAD_SEQ_NUM 43
+#define DCE2_EVENT__SMB_V1 44
+#define DCE2_EVENT__SMB_V2 45
+#define DCE2_EVENT__SMB_INVALID_BINDING 46
+#define DCE2_EVENT__SMB2_EXCESSIVE_COMPOUNDING 47
+
 
 #define GENERATOR_PPM 134
 #define PPM_EVENT_RULE_TREE_DISABLED 1
@@ -347,6 +470,20 @@
 #define GENERATOR_SPP_SSLPP 137
 
 
+#define GENERATOR_SPP_SDF_RULES 138
+#define GENERATOR_SPP_SDF_PREPROC 139
+// #define GENERATOR_SPP_SIP 140 // Defined in spp_sip.h file, not here.
+// #define GENERATOR_SPP_IMAP 141 // Defined in imap_log.h file
+// #define GENERATOR_SPP_POP 142 // Defined in pop_log.h file.
+#define SDF_COMBO_ALERT 1
+
+
+#define GENERATOR_SPP_GTP 143
+
+#define GENERATOR_SPP_MODBUS 144
+
+#define GENERATOR_SPP_DNP3 145
+
 
 /* This is where all the alert messages will be archived for each internal alerts */
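Review bot: The @@ -277 hunk deletes `GENERATOR_DCERPC 130` and `DCERPC_MEMORY_OVERFLOW 1` outright, which leaves GID 130 unlisted in the file that serves as the generator-ID registry, so a future preprocessor could reuse 130 and collide with events already present in users' stored alert data. Leave a tombstone in place of the removed lines, e.g. `/* GID 130: GENERATOR_DCERPC, retired - do not reuse */`. The @@ -347 hunk already handles 140–142 this way by listing them as comments pointing at spp_sip.h, imap_log.h and pop_log.h; giving 130 the same treatment keeps the numbering auditable from one place.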
@@ -386,11 +523,18 @@
 #define STREAM5_BAD_SEGMENT_STR "Bad segment, adjusted size <= 0"
 #define STREAM5_WINDOW_TOO_LARGE_STR "Window size (after scaling) larger than policy allows"
 #define STREAM5_EXCESSIVE_TCP_OVERLAPS_STR "Limit on number of overlapping TCP packets reached"
-#define STREAM5_DATA_AFTER_RESET_STR "Data sent on stream after TCP Reset"
+#define STREAM5_DATA_AFTER_RESET_STR "Data sent on stream after TCP Reset sent"
 #define STREAM5_SESSION_HIJACKED_CLIENT_STR "TCP Client possibly hijacked, different Ethernet Address"
 #define STREAM5_SESSION_HIJACKED_SERVER_STR "TCP Server possibly hijacked, different Ethernet Address"
 #define STREAM5_DATA_WITHOUT_FLAGS_STR "TCP Data with no TCP Flags set"
 #define STREAM5_SMALL_SEGMENT_STR "Consecutive TCP small segments exceeding threshold"
+#define STREAM5_4WAY_HANDSHAKE_STR "4-way handshake detected"
+#define STREAM5_NO_TIMESTAMP_STR "TCP Timestamp is missing"
+#define STREAM5_BAD_RST_STR "Reset outside window"
+#define STREAM5_BAD_FIN_STR "FIN number is greater than prior FIN"
+#define STREAM5_BAD_ACK_STR "ACK number is greater than prior FIN"
+#define STREAM5_DATA_AFTER_RST_RCVD_STR "Data sent on stream after TCP Reset received"
+#define STREAM5_WINDOW_SLAM_STR "TCP window closed before receiving data"
 
 
 #define STREAM5_INTERNAL_EVENT_STR ""
@@ -399,52 +543,52 @@
 #define PPM_EVENT_RULE_TREE_ENABLED_STR "Rule Options Re-enabled by Rule Latency"
 
 /* Snort decoder strings */
-#define DECODE_NOT_IPV4_DGRAM_STR "(snort_decoder) WARNING: Not IPv4 datagram!"
-#define DECODE_IPV4_INVALID_HEADER_LEN_STR "(snort_decoder) WARNING: hlen < IP_HEADER_LEN!"
-#define DECODE_IPV4_DGRAM_LT_IPHDR_STR "(snort_decoder) WARNING: IP dgm len < IP Hdr len!"
-#define DECODE_IPV4OPT_BADLEN_STR "(snort_decoder): Ipv4 Options found with bad lengths"
-#define DECODE_IPV4OPT_TRUNCATED_STR "(snort_decoder): Truncated Ipv4 Options"
-#define DECODE_IPV4_DGRAM_GT_CAPLEN_STR "(snort_decoder) WARNING: IP dgm len > captured len!"
+#define DECODE_NOT_IPV4_DGRAM_STR "(snort_decoder) WARNING: Not IPv4 datagram"
+#define DECODE_IPV4_INVALID_HEADER_LEN_STR "(snort_decoder) WARNING: hlen < IP_HEADER_LEN"
+#define DECODE_IPV4_DGRAM_LT_IPHDR_STR "(snort_decoder) WARNING: IP dgm len < IP Hdr len"
+#define DECODE_IPV4OPT_BADLEN_STR "(snort_decoder) WARNING: Ipv4 Options found with bad lengths"
+#define DECODE_IPV4OPT_TRUNCATED_STR "(snort_decoder) WARNING:Truncated Ipv4 Options"
+#define DECODE_IPV4_DGRAM_GT_CAPLEN_STR "(snort_decoder) WARNING: IP dgm len > captured len"
 #define DECODE_NOT_IPV6_DGRAM_STR "(snort_decoder) WARNING: Not an IPv6 datagram"
 
-#define DECODE_TCP_DGRAM_LT_TCPHDR_STR "(snort_decoder) TCP packet len is smaller than 20 bytes!"
-#define DECODE_TCP_INVALID_OFFSET_STR "(snort_decoder) WARNING: TCP Data Offset is less than 5!"
-#define DECODE_TCP_LARGE_OFFSET_STR "(snort_decoder) WARNING: TCP Header length exceeds packet length!"
-
-#define DECODE_TCPOPT_BADLEN_STR "(snort_decoder): Tcp Options found with bad lengths"
-#define DECODE_TCPOPT_TRUNCATED_STR "(snort_decoder): Truncated Tcp Options"
-#define DECODE_TCPOPT_TTCP_STR "(snort_decoder): T/TCP Detected"
-#define DECODE_TCPOPT_OBSOLETE_STR "(snort_decoder): Obsolete TCP Options found"
-#define DECODE_TCPOPT_EXPERIMENT_STR "(snort_decoder): Experimental Tcp Options found"
-#define DECODE_TCPOPT_WSCALE_INVALID_STR "(snort_decoder): Tcp Window Scale Option found with length > 14"
-
-#define DECODE_UDP_DGRAM_LT_UDPHDR_STR "(snort_decoder) WARNING: Truncated UDP Header!"
-#define DECODE_UDP_DGRAM_INVALID_LENGTH_STR "(snort_decoder): Invalid UDP header, length field < 8"
-#define DECODE_UDP_DGRAM_SHORT_PACKET_STR "(snort_decoder): Short UDP packet, length field > payload length"
-#define DECODE_UDP_DGRAM_LONG_PACKET_STR "(snort_decoder): Long UDP packet, length field < payload length"
-
-#define DECODE_ICMP_DGRAM_LT_ICMPHDR_STR "(snort_decoder) WARNING: ICMP Header Truncated!"
-#define DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR_STR "(snort_decoder) WARNING: ICMP Timestamp Header Truncated!"
-#define DECODE_ICMP_DGRAM_LT_ADDRHDR_STR "(snort_decoder) WARNING: ICMP Address Header Truncated!"
-#define DECODE_IPV4_DGRAM_UNKNOWN_STR "(snort_decoder) Unknown Datagram decoding problem!"
-#define DECODE_ARP_TRUNCATED_STR "(snort_decoder) WARNING: Truncated ARP!"
-#define DECODE_EAPOL_TRUNCATED_STR "(snort_decoder) WARNING: Truncated EAP Header!"
-#define DECODE_EAPKEY_TRUNCATED_STR "(snort_decoder) WARNING: EAP Key Truncated!"
-#define DECODE_EAP_TRUNCATED_STR "(snort_decoder) WARNING: EAP Header Truncated!"
-#define DECODE_BAD_PPPOE_STR "(snort_decoder) WARNING: Bad PPPOE frame detected!"
-#define DECODE_BAD_VLAN_STR "(snort_decoder) WARNING: Bad VLAN Frame!"
-#define DECODE_BAD_VLAN_ETHLLC_STR "(snort_decoder) WARNING: Bad LLC header!"
-#define DECODE_BAD_VLAN_OTHER_STR "(snort_decoder) WARNING: Bad Extra LLC Info!"
-#define DECODE_BAD_80211_ETHLLC_STR "(snort_decoder) WARNING: Bad 802.11 LLC header!"
-#define DECODE_BAD_80211_OTHER_STR "(snort_decoder) WARNING: Bad 802.11 Extra LLC Info!"
-
-#define DECODE_BAD_TRH_STR "(snort_decoder) WARNING: Bad Token Ring Header!"
-#define DECODE_BAD_TR_ETHLLC_STR "(snort_decoder) WARNING: Bad Token Ring ETHLLC Header!"
-#define DECODE_BAD_TR_MR_LEN_STR "(snort_decoder) WARNING: Bad Token Ring MRLENHeader!"
-#define DECODE_BAD_TRHMR_STR "(snort_decoder) WARNING: Bad Token Ring MR Header!"
+#define DECODE_TCP_DGRAM_LT_TCPHDR_STR "(snort_decoder) WARNING: TCP packet len is smaller than 20 bytes"
+#define DECODE_TCP_INVALID_OFFSET_STR "(snort_decoder) WARNING: TCP Data Offset is less than 5"
+#define DECODE_TCP_LARGE_OFFSET_STR "(snort_decoder) WARNING: TCP Header length exceeds packet length"
+
+#define DECODE_TCPOPT_BADLEN_STR "(snort_decoder) WARNING: Tcp Options found with bad lengths"
+#define DECODE_TCPOPT_TRUNCATED_STR "(snort_decoder) WARNING: Truncated Tcp Options"
+#define DECODE_TCPOPT_TTCP_STR "(snort_decoder) WARNING: T/TCP Detected"
+#define DECODE_TCPOPT_OBSOLETE_STR "(snort_decoder) WARNING: Obsolete TCP Options found"
+#define DECODE_TCPOPT_EXPERIMENT_STR "(snort_decoder) WARNING: Experimental Tcp Options found"
+#define DECODE_TCPOPT_WSCALE_INVALID_STR "(snort_decoder) WARNING: Tcp Window Scale Option found with length > 14"
+
+#define DECODE_UDP_DGRAM_LT_UDPHDR_STR "(snort_decoder) WARNING: Truncated UDP Header"
+#define DECODE_UDP_DGRAM_INVALID_LENGTH_STR "(snort_decoder) WARNING: Invalid UDP header, length field < 8"
+#define DECODE_UDP_DGRAM_SHORT_PACKET_STR "(snort_decoder) WARNING: Short UDP packet, length field > payload length"
+#define DECODE_UDP_DGRAM_LONG_PACKET_STR "(snort_decoder) WARNING: Long UDP packet, length field < payload length"
+
+#define DECODE_ICMP_DGRAM_LT_ICMPHDR_STR "(snort_decoder) WARNING: ICMP Header Truncated"
+#define DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR_STR "(snort_decoder) WARNING: ICMP Timestamp Header Truncated"
+#define DECODE_ICMP_DGRAM_LT_ADDRHDR_STR "(snort_decoder) WARNING: ICMP Address Header Truncated"
+#define DECODE_IPV4_DGRAM_UNKNOWN_STR "(snort_decoder) WARNING: Unknown Datagram decoding problem"
+#define DECODE_ARP_TRUNCATED_STR "(snort_decoder) WARNING: Truncated ARP"
+#define DECODE_EAPOL_TRUNCATED_STR "(snort_decoder) WARNING: Truncated EAP Header"
+#define DECODE_EAPKEY_TRUNCATED_STR "(snort_decoder) WARNING: EAP Key Truncated"
+#define DECODE_EAP_TRUNCATED_STR "(snort_decoder) WARNING: EAP Header Truncated"
+#define DECODE_BAD_PPPOE_STR "(snort_decoder) WARNING: Bad PPPOE frame detected"
+#define DECODE_BAD_VLAN_STR "(snort_decoder) WARNING: Bad VLAN Frame"
+#define DECODE_BAD_VLAN_ETHLLC_STR "(snort_decoder) WARNING: Bad LLC header"
+#define DECODE_BAD_VLAN_OTHER_STR "(snort_decoder) WARNING: Bad Extra LLC Info"
+#define DECODE_BAD_80211_ETHLLC_STR "(snort_decoder) WARNING: Bad 802.11 LLC header"
+#define DECODE_BAD_80211_OTHER_STR "(snort_decoder) WARNING: Bad 802.11 Extra LLC Info"
+
+#define DECODE_BAD_TRH_STR "(snort_decoder) WARNING: Bad Token Ring Header"
+#define DECODE_BAD_TR_ETHLLC_STR "(snort_decoder) WARNING: Bad Token Ring ETHLLC Header"
+#define DECODE_BAD_TR_MR_LEN_STR "(snort_decoder) WARNING: Bad Token Ring MRLENHeader"
+#define DECODE_BAD_TRHMR_STR "(snort_decoder) WARNING: Bad Token Ring MR Header"
 
-#define DECODE_BAD_TRAFFIC_LOOPBACK_STR "(snort decoder) Bad Traffic Loopback IP"
-#define DECODE_BAD_TRAFFIC_SAME_SRCDST_STR "(snort decoder) Bad Traffic Same Src/Dst IP"
+#define DECODE_BAD_TRAFFIC_LOOPBACK_STR "(snort decoder) WARNING: Bad Traffic Loopback IP"
+#define DECODE_BAD_TRAFFIC_SAME_SRCDST_STR "(snort decoder) WARNING: Bad Traffic Same Src/Dst IP"
 
 #ifdef GRE
 #define DECODE_GRE_DGRAM_LT_GREHDR_STR "(snort decoder) WARNING: GRE header length > payload length"
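Review bot: `DECODE_IPV4OPT_TRUNCATED_STR` is the one rewritten message in this hunk without a space after the prefix — `"(snort_decoder) WARNING:Truncated Ipv4 Options"` — while every other line reads `WARNING: `; change it to `"(snort_decoder) WARNING: Truncated Ipv4 Options"`. Two prefix spellings also survive the normalisation, `(snort_decoder)` everywhere except `(snort decoder)` on the two bad-traffic lines, which matters to anything parsing the message text downstream; this is the moment to settle on one. Since these are the messages of existing SIDs, the reworded text will break correlation or suppression rules keyed on the old strings, so the affected SIDs belong in the release notes.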
@@ -455,28 +599,104 @@
 #define DECODE_GRE_TRANS_DGRAM_LT_TRANSHDR_STR "(snort decoder) WARNING: GRE Trans header length > payload length"
 #endif /* GRE */
 
-#define DECODE_ICMP_ORIG_IP_TRUNCATED_STR "(snort_decoder) WARNING: ICMP Original IP Header Truncated!"
-#define DECODE_ICMP_ORIG_IP_NOT_IPV4_STR "(snort_decoder) WARNING: ICMP Original IP Header Not IPv4!"
-#define DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP_STR "(snort_decoder) WARNING: ICMP Original Datagram Length < Original IP Header Length!"
-#define DECODE_ICMP_ORIG_PAYLOAD_LT_64_STR "(snort_decoder) WARNING: ICMP Original IP Payload < 64 bits!"
-#define DECODE_ICMP_ORIG_PAYLOAD_GT_576_STR "(snort_decoder) WARNING: ICMP Origianl IP Payload > 576 bytes!"
-#define DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET_STR "(snort_decoder) WARNING: ICMP Original IP Fragmented and Offset Not 0!"
-
-#define DECODE_IPV6_MIN_TTL_STR "(snort decoder) IPV6 packet exceeded TTL limit"
-#define DECODE_IPV6_IS_NOT_STR "(snort decoder) IPv6 header claims to not be IPv6"
-#define DECODE_IPV6_TRUNCATED_EXT_STR "(snort decoder) IPV6 truncated extension header"
-#define DECODE_IPV6_TRUNCATED_STR "(snort decoder) IPV6 truncated header"
-#define DECODE_IPV6_DGRAM_LT_IPHDR_STR "(snort_decoder) WARNING: IP dgm len < IP Hdr len!"
-#define DECODE_IPV6_DGRAM_GT_CAPLEN_STR "(snort_decoder) WARNING: IP dgm len > captured len!"
-#define DECODE_IPV6_TUNNELED_IPV4_TRUNCATED_STR "(snort_decoder) IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux Kernel attack"
-
-#define DECODE_TCP_XMAS_STR "(snort_decoder) WARNING: XMAS Attack Detected!"
-#define DECODE_TCP_NMAP_XMAS_STR "(snort_decoder) WARNING: Nmap XMAS Attack Detected!"
+#define DECODE_ICMP_ORIG_IP_TRUNCATED_STR "(snort_decoder) WARNING: ICMP Original IP Header Truncated"
+#define DECODE_ICMP_ORIG_IP_VER_MISMATCH_STR "(snort_decoder) WARNING: ICMP version and Original IP Header versions differ"
+#define DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP_STR "(snort_decoder) WARNING: ICMP Original Datagram Length < Original IP Header Length"
+#define DECODE_ICMP_ORIG_PAYLOAD_LT_64_STR "(snort_decoder) WARNING: ICMP Original IP Payload < 64 bits"
+#define DECODE_ICMP_ORIG_PAYLOAD_GT_576_STR "(snort_decoder) WARNING: ICMP Origianl IP Payload > 576 bytes"
+#define DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET_STR "(snort_decoder) WARNING: ICMP Original IP Fragmented and Offset Not 0"
+
+#define DECODE_IPV6_MIN_TTL_STR "(snort decoder) WARNING: IPv6 packet below TTL limit"
+#define DECODE_IPV6_IS_NOT_STR "(snort decoder) WARNING: IPv6 header claims to not be IPv6"
+#define DECODE_IPV6_TRUNCATED_EXT_STR "(snort decoder) WARNING: IPV6 truncated extension header"
+#define DECODE_IPV6_TRUNCATED_STR "(snort decoder) WARNING: IPV6 truncated header"
+#define DECODE_IPV6_DGRAM_LT_IPHDR_STR "(snort_decoder) WARNING: IP dgm len < IP Hdr len"
+#define DECODE_IPV6_DGRAM_GT_CAPLEN_STR "(snort_decoder) WARNING: IP dgm len > captured len"
+
+#define DECODE_IPV6_DST_ZERO_STR "(snort_decoder) WARNING: IPv6 packet with destination address ::0"
+#define DECODE_IPV6_SRC_MULTICAST_STR "(snort_decoder) WARNING: IPv6 packet with multicast source address"
+#define DECODE_IPV6_DST_RESERVED_MULTICAST_STR "(snort_decoder) WARNING: IPv6 packet with reserved multicast destination address"
+#define DECODE_IPV6_BAD_OPT_TYPE_STR "(snort_decoder) WARNING: IPv6 header includes an undefined option type"
+#define DECODE_IPV6_BAD_MULTICAST_SCOPE_STR "(snort_decoder) WARNING: IPv6 address includes an unassigned multicast scope value"
+#define DECODE_IPV6_BAD_NEXT_HEADER_STR "(snort_decoder) WARNING: IPv6 header includes an invalid value for the \"next header\" field"
+#define DECODE_IPV6_ROUTE_AND_HOPBYHOP_STR "(snort_decoder) WARNING: IPv6 header includes a routing extension header followed by a hop-by-hop header"
+#define DECODE_IPV6_TWO_ROUTE_HEADERS_STR "(snort_decoder) WARNING: IPv6 header includes two routing extension headers"
+#define DECODE_IPV6_DSTOPTS_WITH_ROUTING_STR "(snort_decoder) WARNING: IPv6 header has destination options followed by a routing header"
+#define DECODE_ICMPV6_TOO_BIG_BAD_MTU_STR "(snort_decoder) WARNING: ICMPv6 packet of type 2 (message too big) with MTU field < 1280"
+#define DECODE_ICMPV6_UNREACHABLE_BAD_CODE_STR "(snort_decoder) WARNING: ICMPv6 packet of type 1 (destination unreachable) with invalid code field"
+#define DECODE_ICMPV6_SOLICITATION_BAD_CODE_STR "(snort_decoder) WARNING: ICMPv6 router solicitation packet with a code not equal to 0"
+#define DECODE_ICMPV6_ADVERT_BAD_CODE_STR "(snort_decoder) WARNING: ICMPv6 router advertisement packet with a code not equal to 0"
+#define DECODE_ICMPV6_SOLICITATION_BAD_RESERVED_STR "(snort_decoder) WARNING: ICMPv6 router solicitation packet with the reserved field not equal to 0"
+#define DECODE_ICMPV6_ADVERT_BAD_REACHABLE_STR "(snort_decoder) WARNING: ICMPv6 router advertisement packet with the reachable time field set > 1 hour"
+
+#define DECODE_IPV6_TUNNELED_IPV4_TRUNCATED_STR "(snort_decoder) WARNING: IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux Kernel attack"
+
+#define DECODE_IP_MULTIPLE_ENCAPSULATION_STR "(snort_decoder) WARNING: Two or more IP (v4 and/or v6) encapsulation layers present"
+
+#define DECODE_ESP_HEADER_TRUNC_STR "(snort_decoder) WARNING: truncated Encapsulated Security Payload (ESP) header"
+
+#define DECODE_IPV6_BAD_OPT_LEN_STR "(snort_decoder) WARNING: IPv6 header includes an option which is too big for the containing header"
+
+#define DECODE_IPV6_UNORDERED_EXTENSIONS_STR "(snort_decoder) WARNING: IPv6 packet includes out-of-order extension headers"
+#define DECODE_GTP_MULTIPLE_ENCAPSULATION_STR "(snort_decoder) WARNING: Two or more GTP encapsulation layers present"
+#define DECODE_GTP_BAD_LEN_STR "(snort_decoder) WARNING: GTP header length is invalid"
+#define DECODE_TCP_XMAS_STR "(snort_decoder) WARNING: XMAS Attack Detected"
+#define DECODE_TCP_NMAP_XMAS_STR "(snort_decoder) WARNING: Nmap XMAS Attack Detected"
 
-#define DECODE_DOS_NAPTHA_STR "(snort_decoder) DOS NAPTHA Vulnerability Detected!"
-#define DECODE_SYN_TO_MULTICAST_STR "(snort_decoder) Bad Traffic SYN to multicast address"
+#define DECODE_DOS_NAPTHA_STR "(snort_decoder) WARNING: DOS NAPTHA Vulnerability Detected"
+#define DECODE_SYN_TO_MULTICAST_STR "(snort_decoder) WARNING: Bad Traffic SYN to multicast address"
 #define DECODE_ZERO_TTL_STR "(snort_decoder) WARNING: IPV4 packet with zero TTL"
 #define DECODE_BAD_FRAGBITS_STR "(snort_decoder) WARNING: IPV4 packet with bad frag bits (Both MF and DF set)"
+#define DECODE_UDP_IPV6_ZERO_CHECKSUM_STR "(snort_decoder) WARNING: Invalid IPv6 UDP packet, checksum zero"
+#define DECODE_IP4_LEN_OFFSET_STR "(snort_decoder) WARNING: IPV4 packet frag offset + length exceed maximum"
+#define DECODE_IP4_SRC_THIS_NET_STR "(snort_decoder) WARNING: IPV4 packet from 'current net' source address"
+#define DECODE_IP4_DST_THIS_NET_STR "(snort_decoder) WARNING: IPV4 packet to 'current net' dest address"
+#define DECODE_IP4_SRC_MULTICAST_STR "(snort_decoder) WARNING: IPV4 packet from multicast source address"
+#define DECODE_IP4_SRC_RESERVED_STR "(snort_decoder) WARNING: IPV4 packet from reserved source address"
+#define DECODE_IP4_DST_RESERVED_STR "(snort_decoder) WARNING: IPV4 packet to reserved dest address"
+#define DECODE_IP4_SRC_BROADCAST_STR "(snort_decoder) WARNING: IPV4 packet from broadcast source address"
+#define DECODE_IP4_DST_BROADCAST_STR "(snort_decoder) WARNING: IPV4 packet to broadcast dest address"
+#define DECODE_ICMP4_DST_MULTICAST_STR "(snort_decoder) WARNING: ICMP4 packet to multicast dest address"
+#define DECODE_ICMP4_DST_BROADCAST_STR "(snort_decoder) WARNING: ICMP4 packet to broadcast dest address"
+#define DECODE_ICMP4_TYPE_OTHER_STR "(snort_decoder) WARNING: ICMP4 type other"
+#define DECODE_TCP_BAD_URP_STR "(snort_decoder) WARNING: TCP urgent pointer exceeds payload length or no payload"
+#define DECODE_TCP_SYN_FIN_STR "(snort_decoder) WARNING: TCP SYN with FIN"
+#define DECODE_TCP_SYN_RST_STR "(snort_decoder) WARNING: TCP SYN with RST"
+#define DECODE_TCP_MUST_ACK_STR "(snort_decoder) WARNING: TCP PDU missing ack for established session"
+#define DECODE_TCP_NO_SYN_ACK_RST_STR "(snort_decoder) WARNING: TCP has no SYN, ACK, or RST"
+#define DECODE_ETH_HDR_TRUNC_STR "(snort_decoder) WARNING: truncated eth header"
+#define DECODE_IP4_HDR_TRUNC_STR "(snort_decoder) WARNING: truncated IP4 header"
+#define DECODE_ICMP4_HDR_TRUNC_STR "(snort_decoder) WARNING: truncated ICMP4 header"
+#define DECODE_ICMP6_HDR_TRUNC_STR "(snort_decoder) WARNING: truncated ICMP6 header"
+#define DECODE_IP4_MIN_TTL_STR "(snort decoder) WARNING: IPV4 packet below TTL limit"
+#define DECODE_IP6_ZERO_HOP_LIMIT_STR "(snort decoder) WARNING: IPV6 packet has zero hop limit"
+#define DECODE_IP4_DF_OFFSET_STR "(snort_decoder) WARNING: IPV4 packet both DF and offset set"
+#define DECODE_ICMP6_TYPE_OTHER_STR "(snort_decoder) WARNING: ICMP6 type not decoded"
+#define DECODE_ICMP6_DST_MULTICAST_STR "(snort_decoder) WARNING: ICMP6 packet to multicast address"
+#define DECODE_TCP_SHAFT_SYNFLOOD_STR "(snort_decoder) WARNING: DDOS shaft synflood"
+#define DECODE_ICMP_PING_NMAP_STR "(snort_decoder) WARNING: ICMP PING NMAP"
+#define DECODE_ICMP_ICMPENUM_STR "(snort_decoder) WARNING: ICMP icmpenum v1.1.1"
+#define DECODE_ICMP_REDIRECT_HOST_STR "(snort_decoder) WARNING: ICMP redirect host"
+#define DECODE_ICMP_REDIRECT_NET_STR "(snort_decoder) WARNING: ICMP redirect net"
+#define DECODE_ICMP_TRACEROUTE_IPOPTS_STR "(snort_decoder) WARNING: ICMP traceroute ipopts"
+#define DECODE_ICMP_SOURCE_QUENCH_STR "(snort_decoder) WARNING: ICMP Source Quench"
+#define DECODE_ICMP_BROADSCAN_SMURF_SCANNER_STR "(snort_decoder) WARNING: Broadscan Smurf Scanner"
+#define DECODE_ICMP_DST_UNREACH_ADMIN_PROHIBITED_STR "(snort_decoder) WARNING: ICMP Destination Unreachable Communication Administratively Prohibited"
+#define DECODE_ICMP_DST_UNREACH_DST_HOST_PROHIBITED_STR "(snort_decoder) WARNING: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited"
+#define DECODE_ICMP_DST_UNREACH_DST_NET_PROHIBITED_STR "(snort_decoder) WARNING: ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited"
+#define DECODE_IP_OPTION_SET_STR "(snort_decoder) WARNING: MISC IP option set"
+#define DECODE_UDP_LARGE_PACKET_STR "(snort_decoder) WARNING: MISC Large UDP Packet"
+#define DECODE_TCP_PORT_ZERO_STR "(snort_decoder) WARNING: BAD-TRAFFIC TCP port 0 traffic"
+#define DECODE_UDP_PORT_ZERO_STR "(snort_decoder) WARNING: BAD-TRAFFIC UDP port 0 traffic"
+#define DECODE_IP_RESERVED_FRAG_BIT_STR "(snort_decoder) WARNING: BAD-TRAFFIC IP reserved bit set"
+#define DECODE_IP_UNASSIGNED_PROTO_STR "(snort_decoder) WARNING: BAD-TRAFFIC Unassigned/Reserved IP protocol"
+#define DECODE_IP_BAD_PROTO_STR "(snort_decoder) WARNING: BAD-TRAFFIC Bad IP protocol"
+#define DECODE_ICMP_PATH_MTU_DOS_STR "(snort_decoder) WARNING: ICMP PATH MTU denial of service attempt"
+#define DECODE_ICMP_DOS_ATTEMPT_STR "(snort_decoder) WARNING: BAD-TRAFFIC linux ICMP header dos attempt"
+#define DECODE_IPV6_ISATAP_SPOOF_STR "(snort_decoder) WARNING: BAD-TRAFFIC ISATAP-addressed IPv6 traffic spoofing attempt"
+#define DECODE_PGM_NAK_OVERFLOW_STR "(snort_decoder) WARNING: BAD-TRAFFIC PGM nak list overflow attempt"
+#define DECODE_IGMP_OPTIONS_DOS_STR "(snort_decoder) WARNING: DOS IGMP IP Options validation attempt"
+#define DECODE_IP6_EXCESS_EXT_HDR_STR "(snort_decoder) WARNING: too many IP6 extension headers"
 
 /* RPC decode preprocessor strings */
 #define RPC_FRAG_TRAFFIC_STR "(spp_rpc_decode) Fragmented RPC 
Records" @@ -517,7 +737,7 @@ #define PSNG_OPEN_PORT_STR "(portscan) Open Port" -#define DECODE_BAD_MPLS_STR "(snort_decoder) WARNING: Bad MPLS Frame!" +#define DECODE_BAD_MPLS_STR "(snort_decoder) WARNING: Bad MPLS Frame" #define DECODE_BAD_MPLS_LABEL0_STR "(snort_decoder) WARNING: MPLS Label 0 Appears in Nonbottom Header" #define DECODE_BAD_MPLS_LABEL1_STR "(snort_decoder) WARNING: MPLS Label 1 Appears in Bottom Header" #define DECODE_BAD_MPLS_LABEL2_STR "(snort_decoder) WARNING: MPLS Label 2 Appears in Nonbottom Header" @@ -525,4 +745,5 @@ #define DECODE_MPLS_RESERVEDLABEL_STR "(snort_decoder) WARNING: MPLS Label 4, 5,.. or 15 Appears in Header" #define DECODE_MPLS_LABEL_STACK_STR "(snort_decoder) WARNING: Too Many MPLS headers" #define DECODE_MULTICAST_MPLS_STR "(snort_decoder) WARNING: Multicast MPLS traffic detected" + #endif /* __GENERATORS_H__ */ diff -Nru snort-2.8.5.2/src/idle_processing.c snort-2.9.2/src/idle_processing.c --- snort-2.8.5.2/src/idle_processing.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/idle_processing.c 2011-10-26 14:49:57.000000000 +0000 
@@ -0,0 +1,80 @@
+/* $Id$ */
+/*
+ ** Copyright (C) 2011-2011 Sourcefire, Inc.
+ **
+ ** This program is free software; you can redistribute it and/or modify
+ ** it under the terms of the GNU General Public License Version 2 as
+ ** published by the Free Software Foundation. You may not use, modify or
+ ** distribute this program under any other version of the GNU General
+ ** Public License.
+ **
+ ** This program is distributed in the hope that it will be useful,
+ ** but WITHOUT ANY WARRANTY; without even the implied warranty of
+ ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ ** GNU General Public License for more details.
+ **
+ ** You should have received a copy of the GNU General Public License
+ ** along with this program; if not, write to the Free Software
+ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+/**
+ * @file idle_processing.c
+ * @author Ron Dempster
+ * @date Tue Jun 17 17:09:59 2003
+ *
+ * @brief Allow functions to be registered to be called when packet
+ * processing is idle.
+ *
+ */
+
+#include
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "idle_processing_funcs.h"
+#include "util.h"
+
+typedef struct _IDLE_HANDLER_ELEMENT
+{
+ struct _IDLE_HANDLER_ELEMENT *next;
+ IdleProcessingHandler handler;
+} IdleHandlerElement;
+
+static IdleHandlerElement *idle_handlers;
+
+int IdleProcessingRegisterHandler(IdleProcessingHandler func)
+{
+ IdleHandlerElement *e;
+
+ if ((e = calloc(1, sizeof(*e))) == NULL)
+ {
+ WarningMessage("%s\n", "Failed to allocate an idle handler element");
+ return -1;
+ }
+ e->handler = func;
+ e->next = idle_handlers;
+ idle_handlers = e;
+ return 0;
+}
+
+void IdleProcessingExecute(void)
+{
+ IdleHandlerElement *e;
+
+ for (e = idle_handlers; e; e = e->next)
+ e->handler();
+}
+
+void IdleProcessingCleanUp(void)
+{
+ IdleHandlerElement *e;
+
+ while ((e = idle_handlers))
+ {
+ idle_handlers = e->next;
+ free(e);
+ }
+}
+
diff -Nru snort-2.8.5.2/src/idle_processing_funcs.h snort-2.9.2/src/idle_processing_funcs.h
--- snort-2.8.5.2/src/idle_processing_funcs.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/idle_processing_funcs.h 2011-10-26 14:49:57.000000000 +0000
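Review bot: IdleProcessingRegisterHandler links whatever function pointer it is given into the list without checking it, so a NULL `func` is silently accepted and the first IdleProcessingExecute call then jumps through a NULL pointer; add `if (func == NULL) return -1;` at the top so the failure surfaces at registration, where callers already handle the -1 from the calloc failure. Because each new element is prepended at `idle_handlers`, handlers run in reverse registration order, which is not obvious to a caller registering several — worth a comment on IdleProcessingExecute such as `/* Handlers run in reverse order of registration (the list is prepended). */`. The list is an unlocked file-scope global, so presumably registration and execution are confined to the packet-processing thread; if that is the intended contract, state it in the header comment, and if not, the list needs a lock. There is also no way to unregister a handler, so a handler living in a dynamically loaded preprocessor must outlive the list until IdleProcessingCleanUp runs — a caveat worth documenting next to IdleProcessingRegisterHandler.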
@@ -0,0 +1,31 @@
+/****************************************************************************
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+#ifndef _IDLE_PROCESSING_FUNCS_H
+#define _IDLE_PROCESSING_FUNCS_H
+
+#include "idle_processing.h"
+
+int IdleProcessingRegisterHandler(IdleProcessingHandler);
+void IdleProcessingExecute(void);
+void IdleProcessingCleanUp(void);
+
+#endif /* _IDLE_PROCESSING_FUNCS_H */
diff -Nru snort-2.8.5.2/src/idle_processing.h snort-2.9.2/src/idle_processing.h
--- snort-2.8.5.2/src/idle_processing.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/idle_processing.h 2011-10-26 14:49:57.000000000 +0000
@@ -0,0 +1,27 @@
+/****************************************************************************
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+#ifndef _IDLE_PROCESSING_H
+#define _IDLE_PROCESSING_H
+
+typedef void (*IdleProcessingHandler)(void);
+
+#endif /* _IDLE_PROCESSING_H */
diff -Nru snort-2.8.5.2/src/inline.c snort-2.9.2/src/inline.c
--- snort-2.8.5.2/src/inline.c 2012-02-14 11:37:23.000000000 +0000
+++ snort-2.9.2/src/inline.c 1970-01-01 00:00:00.000000000 +0000
@@ -1,886 +0,0 @@ -/* $Id$ */ -/* - ** Portions Copyright (C) 1998-2009 Sourcefire, Inc. - ** - ** This program is free software; you can redistribute it and/or modify - ** it under the terms of the GNU General Public License as published by - ** the Free Software Foundation; either version 2 of the License, or - ** (at your option) any later version. - ** - ** This program is distributed in the hope that it will be useful, - ** but WITHOUT ANY WARRANTY; without even the implied warranty of - ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - ** GNU General Public License for more details. - ** - ** You should have received a copy of the GNU General Public License - ** along with this program; if not, write to the Free Software - ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - */ -#ifdef GIDS -#include "snort.h" -#include -#include -#include -#include -#ifndef Pru16 -#define PRu16 3 -#endif -#ifndef LIBNET_ERR_WARNING -#define LIBNET_ERR_WARNING 1 -#define LIBNET_ERR_CRITICAL 2 -#define LIBNET_ERR_FATAL 3 -#endif - - -#include "decode.h" -#include "inline.h" -#include "rules.h" -#include "stream_api.h" -#include "spp_frag3.h" - -#define PKT_BUFSIZE 65536 - -/* Most of the code related to libnet (resets and icmp unreach) was - * taken from sp_respond.c */ - -extern pcap_t *pcap_handle; - -/* vars */ -int libnet_nd; /* libnet descriptor */ -char errbuf[LIBNET_ERRBUF_SIZE]; - -Packet *tmpP; - -u_char *l_tcp, *l_icmp; - -#ifndef IPFW -ipq_packet_msg_t *g_m = NULL; -#endif - -/* predeclarations */ -#ifndef IPFW -void HandlePacket(ipq_packet_msg_t *); -void TranslateToPcap(ipq_packet_msg_t *, struct pcap_pkthdr *); -#else -void HandlePacket(void); -void TranslateToPcap(struct pcap_pkthdr *phdr, ssize_t len); -#endif /* IPFW */ -void ResetIV(void); - - -int InlineModeSetPrivsAllowed(void) -{ - if (ScAdapterInlineMode()) - return 0; - - return 1; -} - -#ifndef IPFW -void TranslateToPcap(ipq_packet_msg_t *m, struct pcap_pkthdr 
*phdr) -{ - static struct timeval t; - if (!m->timestamp_sec) - { - memset (&t, 0, sizeof(struct timeval)); - gettimeofday(&t, NULL); - phdr->ts.tv_sec = t.tv_sec; - phdr->ts.tv_usec = t.tv_usec; - } - else - { - phdr->ts.tv_sec = m->timestamp_sec; - phdr->ts.tv_usec = m->timestamp_usec; - } - phdr->caplen = m->data_len; - phdr->len = m->data_len; -} -#else -void TranslateToPcap(struct pcap_pkthdr *phdr, ssize_t len) -{ - static struct timeval t; - memset (&t, 0, sizeof(struct timeval)); - gettimeofday(&t, NULL); - phdr->ts.tv_sec = t.tv_sec; - phdr->ts.tv_usec = t.tv_usec; - phdr->caplen = len; - phdr->len = len; - -} -#endif - - -void ResetIV(void) -{ - iv.drop = 0; - iv.reject = 0; - iv.replace = 0; -} - - -/* - * Function: void InitInlinePostConfig - * - * Purpose: perform initialization tasks that depend on the configfile - * - * Args: none - * - * Returns: nothing void function - */ -void InitInlinePostConfig(void) -{ - int tcp_size = 0; - int icmp_size = 0; - - //printf("InitInline stage 2: InitInlinePostConfig starting...\n"); - - /* Let's initialize Libnet, but not if we are in - * layer 2 resets mode, because we use the link - * layer then... 
*/ -#ifndef IPFW - if (ScLinkLayerResets()) - { - tcp_size = LIBNET_ETH_H + LIBNET_IPV4_H + LIBNET_TCP_H; - icmp_size = 128 + LIBNET_ETH_H; - } - else -#endif - { - //printf("opening raw socket in IP-mode\n"); - - if((libnet_nd = libnet_open_raw_sock(IPPROTO_RAW)) < 0) - { - fprintf(stdout, "InitInline: Could not open raw socket for libnet\n"); - exit(-1); - } - - tcp_size = LIBNET_IPV4_H + LIBNET_TCP_H; - icmp_size = 128; - } - - /* init */ - l_tcp = calloc(tcp_size, sizeof(char)); - if (l_tcp == NULL) - { - perror("InitInline: Could not allocate l_tcp\n"); - exit(-1); - } - l_icmp = calloc(icmp_size, sizeof(char)); - if (l_icmp == NULL) - { - perror("InitInline: Could not allocate l_icmp\n"); - exit(-1); - } - - -#ifndef IPFW - if (ScLinkLayerResets()) - { - /* Building Layer 2 Reset Packets */ - printf("building cached link layer reset packets\n"); - - libnet_build_ip(LIBNET_TCP_H, 0, libnet_get_prand(PRu16), 0, 255, - IPPROTO_TCP, 0, 0, NULL, 0, l_tcp + LIBNET_ETH_H); - - libnet_build_tcp(0, 0, 0, 0, TH_RST|TH_ACK, 0, 0, NULL, 0, - l_tcp + LIBNET_ETH_H + LIBNET_IPV4_H); - - /* create icmp cached packet */ - libnet_build_ip(LIBNET_ICMPV4_UNREACH_H, 0, libnet_get_prand(PRu16), 0, - 255, IPPROTO_ICMP, 0, 0, NULL, 0, l_icmp + LIBNET_ETH_H); - libnet_build_icmp_unreach(3, 3, 0, 0, 0, 0, 0, 0, 0, 0, NULL, 0, - l_icmp + LIBNET_ETH_H + LIBNET_IPV4_H); - } - else -#endif - { - /* Building Socket Reset Packets */ - printf("building cached socket reset packets\n"); - - libnet_build_ip(LIBNET_TCP_H, 0, libnet_get_prand(PRu16), 0, 255, - IPPROTO_TCP, 0, 0, NULL, 0, l_tcp); - - libnet_build_tcp(0, 0, 0, 0, TH_RST|TH_ACK, 0, 0, NULL, 0, - l_tcp + LIBNET_IPV4_H); - - /* create icmp cached packet */ - libnet_build_ip(LIBNET_ICMPV4_UNREACH_H, 0, libnet_get_prand(PRu16), 0, - 255, IPPROTO_ICMP, 0, 0, NULL, 0, l_icmp); - libnet_build_icmp_unreach(3, 3, 0, 0, 0, 0, 0, 0, 0, 0, NULL, 0, - l_icmp + LIBNET_IPV4_H); - } -} - - -/* InitInline is called before the Snort_inline 
configuration file is read. */ -int InitInline(void) -{ -#ifndef IPFW - int status; -#endif - - printf("Initializing Inline mode \n"); - -#ifndef IPFW - ipqh = ipq_create_handle(0, PF_INET); - if (!ipqh) - { - ipq_perror("InlineInit: "); - ipq_destroy_handle(ipqh); - exit(1); - } - - status = ipq_set_mode(ipqh, IPQ_COPY_PACKET, PKT_BUFSIZE); - if (status < 0) - { - ipq_perror("InitInline: "); - ipq_destroy_handle(ipqh); - exit(1); - } -#endif /* IPFW */ - - ResetIV(); - - /* Just in case someone wants to write to a pcap file - * using DLT_RAW because iptables does not give us datalink layer. */ - pcap_handle = pcap_open_dead(DLT_RAW, SNAPLEN); - - return 0; -} - -#ifndef IPFW -void IpqLoop(void) -{ - int status; - struct pcap_pkthdr PHdr; - unsigned char buf[PKT_BUFSIZE]; - static ipq_packet_msg_t *m; - -#ifdef DEBUG_GIDS - printf("Reading Packets from ipq handle \n"); -#endif - - while(1) - { - ResetIV(); - status = ipq_read(ipqh, buf, PKT_BUFSIZE, 1000000); - if (status < 0) - { - ipq_perror("IpqLoop: "); - } - /* man ipq_read tells us that when a timeout is specified - * ipq_read will return 0 when it is interupted. */ - else if(status == 0) - { - /* Do the signal check. If we don't do this we will - * evaluate the signal only when we receive an actual - * packet. We don't want to depend on this. 
*/ - if (SignalCheck()) - { -#ifndef SNORT_RELOAD - Restart(); -#endif - } - } - else - { - switch(ipq_message_type(buf)) - { - case NLMSG_ERROR: - fprintf(stderr, "Received error message %d\n", - ipq_get_msgerr(buf)); - break; - - case IPQM_PACKET: - m = ipq_get_packet(buf); - g_m = m; -#ifdef DEBUG_INLINE - printf("%02X:%02X:%02X:%02X:%02X:%02X\n", m->hw_addr[0], m->hw_addr[1], - m->hw_addr[2], m->hw_addr[3], m->hw_addr[4], m->hw_addr[5]); -#endif - - TranslateToPcap(m, &PHdr); - PcapProcessPacket(NULL, &PHdr, (u_char *)m->payload); - HandlePacket(m); - break; - } /* switch */ - } /* if - else */ - } /* while() */ -} -#else // IPFW - -#ifndef IPPROTO_DIVERT -# define IPPROTO_DIVERT 254 -#endif - -/* Loop reading packets from IPFW - - borrowed mostly from the TCP-MSSD daemon in FreeBSD ports tree - Questions, comments send to: nick@rogness.net -*/ -void IpfwLoop(void) -{ - uint8_t pkt[IP_MAXPACKET]; - struct pcap_pkthdr PHdr; - ssize_t pktlen, hlen; - struct ip *pip = (struct ip *)pkt; - struct sockaddr_in sin; - socklen_t sinlen; - int s; - int rtsock; - int ifindex; - fd_set fdset; - ifindex = 0; - rtsock = -1; - -#ifdef DEBUG_GIDS - printf("Reading Packets from ipfw divert socket \n"); -#endif - - /* Build divert socket */ - if ((s = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT)) == -1) - { - perror("IpfwLoop: can't create divert socket"); - exit(-1); - } - - /* Fill in necessary fields */ - bzero(&sin, sizeof(sin)); - sin.sin_family = PF_INET; - sin.sin_addr.s_addr = INADDR_ANY; - sin.sin_port = htons(ScDivertPort()); - - /* Bind that biatch */ - if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) == -1) - { - perror("IpfwLoop: can't bind divert socket"); - exit(-1); - } - - /* Lets process the packet */ - while (1) - { - ResetIV(); - FD_ZERO(&fdset); - FD_SET(s, &fdset); - if (rtsock != -1) - { - FD_SET(rtsock, &fdset); - } - - if (select(32, &fdset, (fd_set *)NULL, (fd_set *)NULL, (struct timeval *)NULL) == -1) - { - printf("select failed"); - continue; - } - - if 
(FD_ISSET(s, &fdset)) - { - sinlen = sizeof(sin); - - if ((pktlen = recvfrom(s, pkt, sizeof(pkt), 0,(struct sockaddr *)&sin, &sinlen)) == -1) - { - if (errno != EINTR) - { - printf("IpfwLoop: read from divert socket failed"); - continue; - } - } - - hlen = pip->ip_hl << 2; - - TranslateToPcap(&PHdr,pktlen); - PcapProcessPacket(NULL, &PHdr, pkt); - HandlePacket(); - - /* If we don't drop and don't reject, reinject it back into ipfw, - * otherwise, we just drop it - */ - if (! iv.drop && ! iv.reject) - { - if (sendto(s, pkt, pktlen, 0,(struct sockaddr *)&sin, sinlen) == -1) - { - printf("IpfwLoop: write to divert socket failed"); - } - } - } /* end if */ - - } /* end while */ -} -#endif // IPFW - - -/* - * Function: static void RejectSocket - * - * Purpose: send a reject packet (tcp-reset or icmp-unreachable - * - * Args: none - * - * Returns: nothing void function - */ -static void -RejectSocket(void) -{ - IPHdr *iph; - TCPHdr *tcph; - ICMPHdr *icmph; - - int proto; - int size = 0; - int payload_len = 0; - - iph = (IPHdr *)l_tcp; - - proto = tmpP->iph->ip_proto; - iph->ip_src.s_addr = tmpP->iph->ip_dst.s_addr; - iph->ip_dst.s_addr = tmpP->iph->ip_src.s_addr; - - switch(proto) - { - case IPPROTO_TCP: - if (!tmpP->frag_flag) - { - size = LIBNET_IPV4_H + LIBNET_TCP_H; - iph = (IPHdr *)l_tcp; - tcph = (TCPHdr *)(l_tcp + LIBNET_IPV4_H); - - iph->ip_src.s_addr = tmpP->iph->ip_dst.s_addr; - iph->ip_dst.s_addr = tmpP->iph->ip_src.s_addr; - - tcph->th_sport = tmpP->tcph->th_dport; - tcph->th_dport = tmpP->tcph->th_sport; - tcph->th_seq = tmpP->tcph->th_ack; - tcph->th_ack = htonl(ntohl(tmpP->tcph->th_seq) + 1); - - //printf("Send TCP Rst in IP-mode.\n"); - - /* calculate the checksum */ - if (libnet_do_checksum(l_tcp, IPPROTO_TCP, LIBNET_TCP_H) == -1) - { - libnet_error(LIBNET_ERR_CRITICAL, - "SendTCPRST: libnet_do_checksum"); - return; - } - /* write it to the socket */ - if(libnet_write_ip(libnet_nd, l_tcp, size) < size) - { - libnet_error(LIBNET_ERR_CRITICAL, - 
"SendTCPRST: libnet_write_ip"); - return; - } - } /* end if !tmpP->frag_flag */ - break; - - case IPPROTO_UDP: - if (!tmpP->frag_flag) - { - iph = (IPHdr *)l_icmp; - icmph = (ICMPHdr *)(l_icmp + LIBNET_IPV4_H); - - iph->ip_src.s_addr = tmpP->iph->ip_dst.s_addr; - iph->ip_dst.s_addr = tmpP->iph->ip_src.s_addr; - - if ((payload_len = ntohs(tmpP->iph->ip_len) - - (IP_HLEN(tmpP->iph) << 2)) > 8) - { - payload_len = 8; - } - - memcpy((char *)icmph + LIBNET_ICMPV4_UNREACH_H, tmpP->iph, - (IP_HLEN(tmpP->iph) << 2) + payload_len); - - size = LIBNET_IPV4_H + LIBNET_ICMPV4_UNREACH_H + - (IP_HLEN(tmpP->iph) << 2) + payload_len; - - iph->ip_len = htons(size); - - /* calculate checksums */ - if (libnet_do_checksum(l_icmp, IPPROTO_ICMP, size - LIBNET_IPV4_H) == -1) - { - libnet_error(LIBNET_ERR_CRITICAL, - "SendICMPRST: libnet_do_checksum failed for IPPROTO_ICMP"); - return; - } - - /* finally write to socket */ - if(libnet_write_ip(libnet_nd, l_icmp, size) < size) - { - libnet_error(LIBNET_ERR_CRITICAL, - "SendICMPRST: libnet_write_ip"); - return; - } - } /* end if !tmpP->frag_flag */ - break; - } /* end switch(proto) */ -} - - -/* - * Function: static void RejectLayer2(ipq_packet_msg_t *m) - * - * Purpose: send a reject packet (tcp-reset or icmp-unreachable - * - * Args: the ipq_packet_msg_t m for determining the output interface - * and the source mac for our packet. - * - * Returns: nothing void function - * - * TODO: make it also work on *BSD. - */ -#ifndef IPFW -static void -RejectLayer2(ipq_packet_msg_t *m) -{ - IPHdr *iph; - TCPHdr *tcph; - ICMPHdr *icmph; - EtherHdr *eh; - - int proto; - int size = 0; - int payload_len = 0; - - /* pointer to the device to use: according to the libnet manpage - * this should be u_char, but I get a compiler warning then. - * Making it a char fixes that. VJ. 
*/ - char *device = NULL; - - /* to get the mac address of the interface when in layer2 mode */ - struct ether_addr *link_addr; - - u_char enet_dst[6]; /* mac addr for creating the ethernet packet. */ - u_char enet_src[6]; /* mac addr for creating the ethernet packet. */ - - struct libnet_link_int *network = NULL; /* pointer to link interface struct */ - - int i = 0; - - iph = (IPHdr *)(l_tcp + LIBNET_ETH_H); - - - proto = tmpP->iph->ip_proto; - iph->ip_src.s_addr = tmpP->iph->ip_dst.s_addr; - iph->ip_dst.s_addr = tmpP->iph->ip_src.s_addr; - - - /* set the interface. For Nat/Ip-mode the device we use to send a reset to the offender - * is the device on which the packet entered. For bridge-mode indev and outdev are always - * equal, so we use indev as well. There is one rare exception to this... if on the Snort_ - * inline box a client is run that causes a reset, indev is not set but outdev. */ - if(m->indev_name[0] != '\0') - device = m->indev_name; - else - device = m->outdev_name; - - - /* Let's initialize Libnet */ - if((network = libnet_open_link_interface(device, errbuf)) == NULL) - { - libnet_error(LIBNET_ERR_FATAL, - "libnet_open_link_interface for device %s failed: %s\n", - device, errbuf); - return; - } - /* lets get the mac addr of the interface */ - if(!(link_addr = libnet_get_hwaddr(network, device, errbuf))) - { - libnet_error(LIBNET_ERR_FATAL, - "libnet_get_hwaddr failed: %s\n", - errbuf); - return; - } - /* copy the mac: the src is set the the interface mac - * but only if the mac wasn't supplied in the configfile */ - if ((snort_conf->enet_src[0] == 0) && (snort_conf->enet_src[1] == 0) && - (snort_conf->enet_src[2] == 0) && (snort_conf->enet_src[3] == 0) && - (snort_conf->enet_src[4] == 0) && (snort_conf->enet_src[5] == 0)) - { - /* either user set mac as 00:00:00:00:00:00 or it is blank */ - for(i = 0; i < 6; i++) - enet_src[i] = link_addr->ether_addr_octet[i]; - } - else - { - for(i = 0; i < 6; i++) - enet_src[i] = snort_conf->enet_src[i]; - } - 
/* copy the mac: the old src now becomes dst */ - for(i = 0; i < 6; i++) - enet_dst[i] = m->hw_addr[i]; - - //printf("reset src mac: %02X:%02X:%02X:%02X:%02X:%02X\n", enet_src[0],enet_src[1],enet_src[2],enet_src[3],enet_src[4],enet_src[5]); - //printf("reset dst mac: %02X:%02X:%02X:%02X:%02X:%02X\n", enet_dst[0],enet_dst[1],enet_dst[2],enet_dst[3],enet_dst[4],enet_dst[5]); - - switch(proto) - { - case IPPROTO_TCP: - if (!tmpP->frag_flag) - { - size = LIBNET_ETH_H + LIBNET_IPV4_H + LIBNET_TCP_H; - eh = (EtherHdr *)l_tcp; - iph = (IPHdr *)(l_tcp + LIBNET_ETH_H); - tcph = (TCPHdr *)(l_tcp + LIBNET_ETH_H + LIBNET_IPV4_H); - - iph->ip_src.s_addr = tmpP->iph->ip_dst.s_addr; - iph->ip_dst.s_addr = tmpP->iph->ip_src.s_addr; - - tcph->th_sport = tmpP->tcph->th_dport; - tcph->th_dport = tmpP->tcph->th_sport; - tcph->th_seq = tmpP->tcph->th_ack; - tcph->th_ack = htonl(ntohl(tmpP->tcph->th_seq) + 1); - - //printf("Send TCP Rst in Bridge-mode.\n"); - - /* calculate the checksums */ - if (libnet_do_checksum(l_tcp + LIBNET_ETH_H, IPPROTO_TCP, LIBNET_TCP_H) == -1) - { - libnet_error(LIBNET_ERR_CRITICAL, - "SendEthTCPRST: libnet_do_checksum failed for LIBNET_TCP_H"); - return; - } - if (libnet_do_checksum(l_tcp + LIBNET_ETH_H, IPPROTO_IP, LIBNET_IPV4_H) == -1) - { - libnet_error(LIBNET_ERR_CRITICAL, - "SendEthTCPRST: libnet_do_checksum failed for LIBNET_IPV4_H"); - return; - } - /* build the ethernet packet */ - if (libnet_build_ethernet(enet_dst, enet_src, ETHERTYPE_IP, NULL, 0, l_tcp) == -1) - { - libnet_error(LIBNET_ERR_CRITICAL, - "SendEthTCPRST: libnet_build_ethernet"); - return; - } - /* finally write it to the link */ - if(libnet_write_link_layer(network, device, l_tcp, size) < size) - { - libnet_error(LIBNET_ERR_CRITICAL, - "SendEthTCPRST: libnet_write_link_layer"); - return; - } - } /* end if !tmpP->frag_flag */ - break; - - case IPPROTO_UDP: - if (!tmpP->frag_flag) - { - eh = (EtherHdr *)l_icmp; - iph = (IPHdr *)(l_icmp + LIBNET_ETH_H); - icmph = (ICMPHdr *) (l_icmp + 
LIBNET_ETH_H + LIBNET_IPV4_H); - - iph->ip_src.s_addr = tmpP->iph->ip_dst.s_addr; - iph->ip_dst.s_addr = tmpP->iph->ip_src.s_addr; - - if ((payload_len = ntohs(tmpP->iph->ip_len) - - (IP_HLEN(tmpP->iph) << 2)) > 8) - { - payload_len = 8; - } - - memcpy((char *)icmph + LIBNET_ICMPV4_UNREACH_H, tmpP->iph, - (IP_HLEN(tmpP->iph) << 2) + payload_len); - - size = LIBNET_ETH_H + LIBNET_IPV4_H + LIBNET_ICMPV4_UNREACH_H + - (IP_HLEN(tmpP->iph) << 2) + payload_len; - - iph->ip_len = htons(size); - - /* calculate the checksums */ - if (libnet_do_checksum(l_icmp + LIBNET_ETH_H, IPPROTO_ICMP, size - LIBNET_IPV4_H) == -1) - { - libnet_error(LIBNET_ERR_CRITICAL, - "SendEthICMPRST: libnet_do_checksum failed for IPPROTO_ICMP"); - return; - } - if (libnet_do_checksum(l_icmp + LIBNET_ETH_H, IPPROTO_IP, LIBNET_IPV4_H) == -1) - { - libnet_error(LIBNET_ERR_CRITICAL, - "SendEthICMPRST: libnet_do_checksum failed for IPPROTO_IP"); - return; - } - - /* build the ethernet packet */ - if (libnet_build_ethernet(enet_dst, enet_src, ETHERTYPE_IP, NULL, 0, l_icmp) == -1) - { - libnet_error(LIBNET_ERR_CRITICAL, - "SendEthICMPRST: libnet_build_ethernet"); - return; - } - - /* finally write it to the link */ - //printf("Send ICMP Rst in Bridge-mode.\n"); - - if(libnet_write_link_layer(network, device, l_icmp, size) < size) - { - libnet_error(LIBNET_ERR_CRITICAL, - "SendEthICMPRST: libnet_write_link_layer"); - return; - } - } - break; - } /* end switch(proto) */ - - /* clean up file-descriptors for the next time we call RejectLayer2 */ - if((libnet_close_link_interface(network)) == -1) - { - libnet_error(LIBNET_ERR_CRITICAL, - "libnet_close_link_interface error\n"); - } -} -#endif // IPFW - - -#ifndef IPFW -void HandlePacket(ipq_packet_msg_t *m) -#else -void HandlePacket(void) -#endif -{ -#ifndef IPFW - int status; -#endif - - if (iv.drop) - { -#ifndef IPFW - status = ipq_set_verdict(ipqh, m->packet_id, NF_DROP, 0, NULL); - if (status < 0) - { - ipq_perror("NF_DROP: "); - } -#endif - if (iv.reject) - 
{ -#ifndef IPFW - if (ScLinkLayerResets()) - { - RejectLayer2(m); - } - else -#endif - { - RejectSocket(); - } - } - } -#ifndef IPFW - else if (!iv.replace) - { - status = ipq_set_verdict(ipqh, m->packet_id, NF_ACCEPT, 0, NULL); - if (status < 0) - { - ipq_perror("NF_ACCEPT: "); - } - } - else - { - status = ipq_set_verdict(ipqh, m->packet_id, NF_ACCEPT, - m->data_len, m->payload); - if (status < 0) - { - ipq_perror("NF_ACCEPT: "); - } - } -#endif -} - -int InlineWasPacketDropped(void) -{ - if (iv.drop) - return 1; - - return 0; -} - -int InlineDrop(Packet *p) -{ - if(!ScInlineMode()) - return 0; - iv.drop = 1; - p->packet_flags |= PKT_INLINE_DROP; - - if (p->ssnptr && stream_api) - { - stream_api->drop_packet(p); - - if (!(p->packet_flags & PKT_STATELESS)) - stream_api->drop_traffic(p->ssnptr, SSN_DIR_BOTH); - } - - //drop this and all following fragments - frag3DropAllFragments(p); - - return 0; -} - -int InlineReject(Packet *p) -{ - //printf("InlineReject(): rejecting\n"); - iv.reject = 1; - iv.drop = 1; - tmpP = p; - return 0; -} - -int InlineAccept(void) -{ - iv.drop = 0; - return 0; -} - -int InlineReplace(void) -{ - iv.replace = 1; - return 0; -} - -#else // GIDS - -#include "snort.h" -#include "stream_api.h" -#include "spp_frag3.h" - -#ifndef WIN32 -extern int g_drop_pkt; -#endif - -int InlineModeSetPrivsAllowed(void) -{ - return 1; -} - -int InlineWasPacketDropped(void) -{ -#ifndef WIN32 - if (g_drop_pkt) - return 1; -#endif - - return 0; -} - -int InlineDrop(Packet *p) -{ - if(!ScInlineMode()) - return 0; - -#ifndef WIN32 - g_drop_pkt = 1; -#endif - - p->packet_flags |= PKT_INLINE_DROP; - - if (p->ssnptr && stream_api) - { - stream_api->drop_packet(p); - - if (!(p->packet_flags & PKT_STATELESS)) - stream_api->drop_traffic(p->ssnptr, SSN_DIR_BOTH); - } - - //drop this and all following fragments - frag3DropAllFragments(p); - return 0; -} -#endif /* GIDS */ - diff -Nru snort-2.8.5.2/src/inline.h snort-2.9.2/src/inline.h --- snort-2.8.5.2/src/inline.h 
2009-05-06 22:28:14.000000000 +0000 +++ snort-2.9.2/src/inline.h 1970-01-01 00:00:00.000000000 +0000 @@ -1,49 +0,0 @@ -/* $Id$ */ -#ifndef __INLINE_H__ -#define __INLINE_H__ - -#ifdef GIDS - -#ifndef IPFW -#include -#include -#else -#include -#include -#include -#include -#endif /* IPFW */ - -#include "snort.h" - -typedef struct _inline_vals -{ - int drop; - int reject; - int replace; - int proto; -} IV; - -#ifndef IPFW -struct ipq_handle *ipqh; -#endif -IV iv; - -int InitInline(void); -void InitInlinePostConfig(void); -#ifndef IPFW -void IpqLoop(void); -#else -void IpfwLoop(void); -#endif /* IPFW */ -int InlineReject(Packet *); /* call to reject current packet */ -int InlineAccept(void); -int InlineReplace(void); - -#endif - -int InlineModeSetPrivsAllowed(void); -int InlineDrop(Packet *p); /* call to drop current packet */ -int InlineWasPacketDropped(void); - -#endif /* __INLINE_H__ */ diff -Nru snort-2.8.5.2/src/ipv6_port.h snort-2.9.2/src/ipv6_port.h --- snort-2.8.5.2/src/ipv6_port.h 2009-07-07 15:37:01.000000000 +0000 +++ snort-2.9.2/src/ipv6_port.h 2011-11-21 20:15:24.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2007-2009 Sourcefire, Inc. +** Copyright (C) 2007-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -20,8 +20,7 @@ #ifndef IPV6_PORT_H #define IPV6_PORT_H -#include "sf_types.h" -#include "debug.h" +#include "snort_debug.h" /////////////////// /* IPv6 and IPv4 */ 
@@ -42,63 +41,67 @@ #endif #define inet_ntoa sfip_ntoa -#define GET_SRC_IP(p) (p->iph_api->iph_ret_src(p)) -#define GET_DST_IP(p) (p->iph_api->iph_ret_dst(p)) +#define GET_SRC_IP(p) ((p)->iph_api->iph_ret_src(p)) +#define GET_DST_IP(p) ((p)->iph_api->iph_ret_dst(p)) -#define GET_ORIG_SRC(p) (p->orig_iph_api->orig_iph_ret_src(p)) -#define GET_ORIG_DST(p) (p->orig_iph_api->orig_iph_ret_dst(p)) +#define GET_ORIG_SRC(p) ((p)->orig_iph_api->orig_iph_ret_src(p)) +#define GET_ORIG_DST(p) ((p)->orig_iph_api->orig_iph_ret_dst(p)) /* These are here for backwards compatibility */ #define GET_SRC_ADDR(x) GET_SRC_IP(x) #define GET_DST_ADDR(x) GET_DST_IP(x) -#define IP_EQUALITY(x,y) (sfip_compare(x,y) == SFIP_EQUAL) -#define IP_EQUALITY_UNSET(x,y) (sfip_compare_unset(x,y) == SFIP_EQUAL) -#define IP_LESSER(x,y) (sfip_compare(x,y) == SFIP_LESSER) -#define IP_GREATER(x,y) (sfip_compare(x,y) == SFIP_GREATER) - -#define GET_IPH_TOS(p) p->iph_api->iph_ret_tos(p) -#define GET_IPH_LEN(p) p->iph_api->iph_ret_len(p) -#define GET_IPH_TTL(p) p->iph_api->iph_ret_ttl(p) -#define GET_IPH_ID(p) p->iph_api->iph_ret_id(p) -#define GET_IPH_OFF(p) p->iph_api->iph_ret_off(p) -#define GET_IPH_VER(p) p->iph_api->iph_ret_ver(p) -#define GET_IPH_PROTO(p) p->iph_api->iph_ret_proto(p) - -#define GET_ORIG_IPH_PROTO(p) p->orig_iph_api->orig_iph_ret_proto(p) -#define GET_ORIG_IPH_VER(p) p->orig_iph_api->orig_iph_ret_ver(p) -#define GET_ORIG_IPH_LEN(p) p->orig_iph_api->orig_iph_ret_len(p) -#define GET_ORIG_IPH_OFF(p) p->orig_iph_api->orig_iph_ret_off(p) -#define GET_ORIG_IPH_PROTO(p) p->orig_iph_api->orig_iph_ret_proto(p) +#define IP_EQUALITY(x,y) (sfip_compare((x),(y)) == SFIP_EQUAL) +#define IP_EQUALITY_UNSET(x,y) (sfip_compare_unset((x),(y)) == SFIP_EQUAL) +#define IP_LESSER(x,y) (sfip_compare((x),(y)) == SFIP_LESSER) +#define IP_GREATER(x,y) (sfip_compare((x),(y)) == SFIP_GREATER) + +#define IS_IP4(x) ((x)->family == AF_INET) +#define IS_IP6(x) ((x)->family == AF_INET6) + +#define IS_OUTER_IP4(x) 
((x)->outer_family == AF_INET) +#define IS_OUTER_IP6(x) ((x)->outer_family == AF_INET6) + +#define GET_IPH_TOS(p) (p)->iph_api->iph_ret_tos(p) +#define GET_IPH_LEN(p) (p)->iph_api->iph_ret_len(p) +#define GET_IPH_TTL(p) (p)->iph_api->iph_ret_ttl(p) +#define GET_IPH_ID(p) (p)->iph_api->iph_ret_id(p) +#define GET_IPH_OFF(p) (p)->iph_api->iph_ret_off(p) +#define GET_IPH_VER(p) (p)->iph_api->iph_ret_ver(p) +#define GET_IPH_PROTO(p) ((uint8_t)(IS_IP6(p) ? ((p)->ip6h->next) : ((p)->iph_api->iph_ret_proto(p)))) + +#define GET_ORIG_IPH_PROTO(p) (p)->orig_iph_api->orig_iph_ret_proto(p) +#define GET_ORIG_IPH_VER(p) (p)->orig_iph_api->orig_iph_ret_ver(p) +#define GET_ORIG_IPH_LEN(p) (p)->orig_iph_api->orig_iph_ret_len(p) +#define GET_ORIG_IPH_OFF(p) (p)->orig_iph_api->orig_iph_ret_off(p) +#define GET_ORIG_IPH_PROTO(p) (p)->orig_iph_api->orig_iph_ret_proto(p) -#define IS_IP4(x) (x->family == AF_INET) -#define IS_IP6(x) (x->family == AF_INET6) /* XXX make sure these aren't getting confused with sfip_is_valid within the code */ #define IPH_IS_VALID(p) iph_is_valid(p) -#define IP_CLEAR(x) x.bits = x.family = x.ip32[0] = x.ip32[1] = x.ip32[2] = x.ip32[3] = 0; +#define IP_CLEAR(x) (x).bits = (x).family = (x).ip32[0] = (x).ip32[1] = (x).ip32[2] = (x).ip32[3] = 0; -#define IS_SET(x) sfip_is_set(&x) +#define IP_IS_SET(x) sfip_is_set(&x) -/* This loop trickery is intentional. If each copy is performed +/* This loop trickery is intentional. If each copy is performed * individually on each field, then the following expression gets broken: - * + * * if(conditional) IP_COPY_VALUE(a,b); - * + * * If the macro is instead enclosed in braces, then having a semicolon - * trailing the macro causes compile breakage. + * trailing the macro causes compile breakage. * So: use loop. 
*/ #define IP_COPY_VALUE(x,y) \ do { \ - x.bits = y->bits; \ - x.family = y->family; \ - x.ip32[0] = y->ip32[0]; \ - x.ip32[1] = y->ip32[1]; \ - x.ip32[2] = y->ip32[2]; \ - x.ip32[3] = y->ip32[3]; \ + (x).bits = (y)->bits; \ + (x).family = (y)->family; \ + (x).ip32[0] = (y)->ip32[0]; \ + (x).ip32[1] = (y)->ip32[1]; \ + (x).ip32[2] = (y)->ip32[2]; \ + (x).ip32[3] = (y)->ip32[3]; \ } while(0) -#define GET_IPH_HLEN(p) (p->iph_api->iph_ret_hlen(p)) +#define GET_IPH_HLEN(p) ((p)->iph_api->iph_ret_hlen(p)) #define SET_IPH_HLEN(p, val) #define GET_IP_DGMLEN(p) IS_IP6(p) ? (ntohs(GET_IPH_LEN(p)) + (GET_IPH_HLEN(p) << 2)) : ntohs(GET_IPH_LEN(p)) @@ -109,7 +112,11 @@ #define IP_VAL(ipt) (*ipt) #define IP_SIZE(ipp) (sfip_size(ipp)) -static INLINE int sfip_equal (snort_ip* ip1, snort_ip* ip2) +#define GET_INNER_SRC_IP(p) (IS_IP6(p) ? (&((p)->inner_ip6h.ip_src)):(&((p)->inner_ip4h.ip_src))) +#define GET_INNER_DST_IP(p) (IS_IP6(p) ? (&((p)->inner_ip6h.ip_dst)):(&((p)->inner_ip4h.ip_dst))) +#define GET_OUTER_SRC_IP(p) (IS_OUTER_IP6(p) ? (&((p)->outer_ip6h.ip_src)):(&((p)->outer_ip4h.ip_src))) +#define GET_OUTER_DST_IP(p) (IS_OUTER_IP6(p) ? (&((p)->outer_ip6h.ip_dst)):(&((p)->outer_ip4h.ip_dst))) +static inline int sfip_equal (snort_ip* ip1, snort_ip* ip2) { if ( ip1->family != ip2->family ) { 
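Review bot: The parenthesization this hunk applies to macro arguments is not carried through to the expansions, and the context line `#define GET_IP_DGMLEN(p) IS_IP6(p) ? (...) : ntohs(GET_IPH_LEN(p))` is still an unparenthesized ternary, so `GET_IP_DGMLEN(p) - n` parses as `IS_IP6(p) ? ... : (ntohs(...) - n)`. The new `IP_CLEAR(x)` also keeps a trailing `;` in its expansion, exactly the `if(c) MACRO(a); else` breakage that the IP_COPY_VALUE comment in the same hunk explains the do/while(0) form was introduced to avoid, and `GET_ORIG_IPH_PROTO` is defined twice in the block. I would write `#define GET_IP_DGMLEN(p) (IS_IP6(p) ? (ntohs(GET_IPH_LEN(p)) + (GET_IPH_HLEN(p) << 2)) : ntohs(GET_IPH_LEN(p)))`, give IP_CLEAR the same do/while(0) wrapper as IP_COPY_VALUE, and drop the duplicate definition; `IP_IS_SET(x) sfip_is_set(&(x))` would match the rest of the change.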
@@ -130,52 +137,52 @@ /////////////// /* IPv4 only */ #include -#ifdef HAVE_CONFIG_H -#include -#endif - -typedef u_int32_t snort_ip; /* 32 bits only -- don't use unsigned long */ -typedef u_int32_t snort_ip_p; /* 32 bits only -- don't use unsigned long */ -#define IP_SRC_EQUALITY(x,y) (x->ip_addr == (y->iph->ip_src.s_addr & x->netmask)) -#define IP_DST_EQUALITY(x,y) (x->ip_addr == (y->iph->ip_dst.s_addr & x->netmask)) +typedef uint32_t snort_ip; /* 32 bits only -- don't use unsigned long */ +typedef uint32_t snort_ip_p; /* 32 bits only -- don't use unsigned long */ -#define GET_SRC_IP(x) x->iph->ip_src.s_addr -#define GET_DST_IP(x) x->iph->ip_dst.s_addr +#define IP_SRC_EQUALITY(x,y) ((x)->ip_addr == ((y)->iph->ip_src.s_addr & x->netmask)) +#define IP_DST_EQUALITY(x,y) ((x)->ip_addr == ((y)->iph->ip_dst.s_addr & x->netmask)) -#define GET_ORIG_SRC(p) (p->orig_iph->ip_src.s_addr) -#define GET_ORIG_DST(p) (p->orig_iph->ip_dst.s_addr) - -#define GET_SRC_ADDR(x) x->iph->ip_src -#define GET_DST_ADDR(x) x->iph->ip_dst - -#define IP_CLEAR_SRC(x) x->iph->ip_src.s_addr = 0 -#define IP_CLEAR_DST(x) x->iph->ip_dst.s_addr = 0 - -#define IP_EQUALITY(x,y) (x == y) -#define IP_EQUALITY_UNSET(x,y) (x == y) -#define IP_LESSER(x,y) (x < y) -#define IP_GREATER(x,y) (x > y) - -#define GET_IPH_PROTO(p) p->iph->ip_proto -#define GET_IPH_TOS(p) p->iph->ip_tos -#define GET_IPH_LEN(p) p->iph->ip_len -#define GET_IPH_TTL(p) p->iph->ip_ttl -#define GET_IPH_VER(p) ((p->iph->ip_verhl & 0xf0) >> 4) -#define GET_IPH_ID(p) p->iph->ip_id -#define GET_IPH_OFF(p) p->iph->ip_off - -#define GET_ORIG_IPH_VER(p) IP_VER(p->orig_iph) -#define GET_ORIG_IPH_LEN(p) p->orig_iph->ip_len -#define GET_ORIG_IPH_OFF(p) p->orig_iph->ip_off -#define GET_ORIG_IPH_PROTO(p) p->orig_iph->ip_proto +#define GET_SRC_IP(x) (x)->iph->ip_src.s_addr +#define GET_DST_IP(x) (x)->iph->ip_dst.s_addr +#define GET_INNER_SRC_IP(x) (x)->iph->ip_src.s_addr +#define GET_INNER_DST_IP(x) (x)->iph->ip_dst.s_addr +#define GET_OUTER_SRC_IP(x) 
(x)->outer_ip4_header->source.s_addr +#define GET_OUTER_DST_IP(x) (x)->outer_ip4_header->destination.s_addr +#define GET_ORIG_SRC(p) ((p)->orig_iph->ip_src.s_addr) +#define GET_ORIG_DST(p) ((p)->orig_iph->ip_dst.s_addr) + +#define GET_SRC_ADDR(x) (x)->iph->ip_src +#define GET_DST_ADDR(x) (x)->iph->ip_dst + +#define IP_CLEAR_SRC(x) (x)->iph->ip_src.s_addr = 0 +#define IP_CLEAR_DST(x) (x)->iph->ip_dst.s_addr = 0 + +#define IP_EQUALITY(x,y) ((x) == (y)) +#define IP_EQUALITY_UNSET(x,y) ((x) == (y)) +#define IP_LESSER(x,y) ((x) < (y)) +#define IP_GREATER(x,y) ((x) > (y)) + +#define GET_IPH_PROTO(p) (p)->iph->ip_proto +#define GET_IPH_TOS(p) (p)->iph->ip_tos +#define GET_IPH_LEN(p) (p)->iph->ip_len +#define GET_IPH_TTL(p) (p)->iph->ip_ttl +#define GET_IPH_VER(p) (((p)->iph->ip_verhl & 0xf0) >> 4) +#define GET_IPH_ID(p) (p)->iph->ip_id +#define GET_IPH_OFF(p) (p)->iph->ip_off + +#define GET_ORIG_IPH_VER(p) IP_VER((p)->orig_iph) +#define GET_ORIG_IPH_LEN(p) (p)->orig_iph->ip_len +#define GET_ORIG_IPH_OFF(p) (p)->orig_iph->ip_off +#define GET_ORIG_IPH_PROTO(p) (p)->orig_iph->ip_proto #define IS_IP4(x) 1 #define IS_IP6(x) 0 -#define IPH_IS_VALID(p) p->iph +#define IPH_IS_VALID(p) (p)->iph #define IP_CLEAR(x) x = 0; -#define IS_SET(x) x +#define IP_IS_SET(x) x #define IP_COPY_VALUE(x,y) x = y @@ -186,11 +193,11 @@ #define GET_IP_PAYLEN(p) ntohs(GET_IPH_LEN(p)) - (GET_IPH_HLEN(p) << 2) #define IP_ARG(ipt) (ipt) -#define IP_PTR(ipp) (&ipp) +#define IP_PTR(ipp) (&(ipp)) #define IP_VAL(ipt) (ipt) #define IP_SIZE(ipp) (sizeof(ipp)) -static INLINE int sfip_equal (snort_ip ip1, snort_ip ip2) +static inline int sfip_equal (snort_ip ip1, snort_ip ip2) { return IP_EQUALITY(ip1, ip2); } diff -Nru snort-2.8.5.2/src/log.c snort-2.9.2/src/log.c --- snort-2.8.5.2/src/log.c 2009-10-19 15:48:42.000000000 +0000 +++ snort-2.9.2/src/log.c 2011-10-26 18:28:52.000000000 +0000 
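Review bot: The IPv4-only `IP_SRC_EQUALITY`/`IP_DST_EQUALITY` rewrite parenthesizes `x` and `y` everywhere except the last use, `& x->netmask`, so the hunk leaves the exact hazard it set out to remove; the intended lines are `#define IP_SRC_EQUALITY(x,y) ((x)->ip_addr == ((y)->iph->ip_src.s_addr & (x)->netmask))` and `#define IP_DST_EQUALITY(x,y) ((x)->ip_addr == ((y)->iph->ip_dst.s_addr & (x)->netmask))`. In the same section `IP_CLEAR(x) x = 0;`, `IP_IS_SET(x) x` and `IP_COPY_VALUE(x,y) x = y` remain bare, unlike their IPv6 counterparts, and `GET_IP_PAYLEN(p) ntohs(GET_IPH_LEN(p)) - (GET_IPH_HLEN(p) << 2)` (context of the @@ -186 hunk) is an unparenthesized subtraction that misparses under `*` or `<<`. Wrapping those expansions in parentheses (and IP_CLEAR in do/while(0)) keeps the two builds of the header behaving the same.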
@@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify @@ -41,9 +41,15 @@ #include "log.h" #include "rules.h" +#include "treenodes.h" #include "util.h" -#include "debug.h" +#include "snort_debug.h" #include "signature.h" +#include "util_net.h" +#include "snort_bounds.h" +#include "obfuscation.h" +#include "detection_util.h" +#include "detect.h" #include "snort.h" @@ -53,8 +59,8 @@ int data_dump_buffer_size = 0;/* size of printout buffer */ int dump_size; /* amount of data to print */ -extern uint16_t event_id; - +extern int IsGzipData(void *); +extern int IsJSNormData(void *); void AllocDumpBuf(); @@ -67,7 +73,7 @@ #endif /* - * Function: PrintNetData(FILE *, u_char *,int) + * Function: PrintNetData(FILE *, u_char *,int, Packet *) * * Purpose: Do a side by side dump of a buffer, hex dump of buffer bytes on * the left, decoded ASCII on the right. @@ -78,7 +84,7 @@ * * Returns: void function */ -void PrintNetData(FILE * fp, const u_char * start, const int len) +void PrintNetData(FILE * fp, const u_char * start, const int len, Packet *p) { char *end; /* ptr to buffer end */ int i; /* counter */ @@ -90,6 +96,11 @@ char *d_ptr; /* data pointer into the frame */ char *c_ptr; /* char pointer into the frame */ char conv[] = "0123456789ABCDEF"; /* xlation lookup table */ + int next_layer, ip_start, ip_ob_start, ip_ob_end, byte_pos; + + next_layer = ip_start = byte_pos = 0; + + ip_ob_start = ip_ob_end = -1; /* initialization */ done = 0; @@ -106,7 +117,7 @@ printf("Got NULL ptr in PrintNetData()\n"); return; } - + end = (char*) (start + (len - 1)); /* set the end of buffer ptr */ if(len > IP_MAXPACKET) 
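Review bot: `extern int IsGzipData(void *);` and `extern int IsJSNormData(void *);` are declared ad hoc in log.c here and again in log_text.c (its @@ -55 hunk) instead of in a header shared with the defining file, so a later change to either signature, or to the real type of the session pointer passed, is not checked by the compiler at either call site. Declare them once in a header both files include, with the actual parameter type instead of `void *`, and add a one-line comment stating what the return value means, since the callers in the @@ -458 hunk test the result with `!`. The `PrintNetData` signature change in the @@ -78 hunk also deserves a sentence in its block comment on the new `Packet *p` parameter (it is only consulted when a full-packet dump should have its IP header addresses masked, per the @@ -166 hunk).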
@@ -166,6 +177,36 @@ i = 0; j = 0; + if(p && ScObfuscate() ) + { + next_layer = p->next_layer; + for ( i = 0; i < next_layer; i++ ) + { + if ( p->layers[i].proto == PROTO_IP4 +#ifdef SUP_IP6 + || p->layers[i].proto == PROTO_IP6 +#endif + ) + { + if(p->layers[i].length && p->layers[i].start) + break; + } + } + ip_start = p->layers[i].start - start; + + if(ip_start > 0 ) + { + ip_ob_start = ip_start + 10; + if(p->layers[i].proto == PROTO_IP4) + ip_ob_end = ip_ob_start + 2 + 2*(sizeof(struct in_addr)); + else + ip_ob_end = ip_ob_start + 2 + 2*(sizeof(struct in6_addr)); + } + + + i=0; + } + /* loop thru the whole buffer */ while(!done) { @@ -185,28 +226,45 @@ } /* process 16 bytes per frame */ - for(i = 0; i < 16; i++) + for(i = 0; i < 16; i++, byte_pos++) { - /* - * look up the ASCII value of the first nybble of the current - * data buffer - */ - *d_ptr = conv[((*data & 0xFF) >> 4)]; - d_ptr++; - - /* look up the second nybble */ - *d_ptr = conv[((*data & 0xFF) & 0x0F)]; - d_ptr++; - - /* put a space in between */ - *d_ptr = 0x20; - d_ptr++; - - /* print out the char equivalent */ - if(*data > 0x1F && *data < 0x7F) - *c_ptr = (char) (*data & 0xFF); + if(ScObfuscate() && ((byte_pos >= ip_ob_start) && (byte_pos < ip_ob_end))) + { + *d_ptr = 'X'; + d_ptr++; + *d_ptr = 'X'; + d_ptr++; + + *d_ptr = 0x20; + d_ptr++; + + *c_ptr = 'X'; + + } else - *c_ptr = 0x2E; + { + + /* + * look up the ASCII value of the first nybble of the current + * data buffer + */ + *d_ptr = conv[((*data & 0xFF) >> 4)]; + d_ptr++; + + /* look up the second nybble */ + *d_ptr = conv[((*data & 0xFF) & 0x0F)]; + d_ptr++; + + /* put a space in between */ + *d_ptr = 0x20; + d_ptr++; + + /* print out the char equivalent */ + if(*data > 0x1F && *data < 0x7F) + *c_ptr = (char) (*data & 0xFF); + else + *c_ptr = 0x2E; + } c_ptr++; 
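Review bot: The IPv6 branch of the new obfuscation window is off by two bytes: `ip_ob_start = ip_start + 10` is the IPv4 checksum offset, but an IPv6 header carries the source address at bytes 8–23 and the destination at 24–39, so the window [ip_start+10, ip_start+44) leaves the first two bytes of the source address readable in the hex dump and masks four bytes of the following header instead. Two further points in the same block, which I can only infer because the layer array and datalinks are not visible here: when no populated IP layer is found the `for` loop exits with `i == next_layer` and `p->layers[i].start` reads one entry past the filled layers, and `if(ip_start > 0 )` skips masking entirely when the IP header sits at offset 0 (a raw-IP datalink), where `>= 0` looks intended. The rewrite below derives the window from the address family and only when a layer was found; PrintNetData continues outside this hunk.
```c
        /* … unchanged: loop over p->layers[] for the first populated IP4/IP6 layer … */
        if ( i < next_layer )   /* an IP layer was found; otherwise nothing is masked */
        {
            ip_start = p->layers[i].start - start;

            if(ip_start >= 0 )
            {
                if(p->layers[i].proto == PROTO_IP4)
                {
                    /* IPv4: mask checksum (10-11), src (12-15) and dst (16-19) */
                    ip_ob_start = ip_start + 10;
                    ip_ob_end = ip_ob_start + 2 + 2*(sizeof(struct in_addr));
                }
                else
                {
                    /* IPv6: mask src (8-23) and dst (24-39) */
                    ip_ob_start = ip_start + 8;
                    ip_ob_end = ip_ob_start + 2*(sizeof(struct in6_addr));
                }
            }
        }
        i=0;
```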
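Review bot: Inside the per-byte loop of the @@ -185 hunk `ScObfuscate()` is re-evaluated for every byte, although `ip_ob_start`/`ip_ob_end` stay at -1 unless the earlier `if(p && ScObfuscate() )` block ran, so the range test alone decides: `if ((byte_pos >= ip_ob_start) && (byte_pos < ip_ob_end))`. A one-line comment above that branch, such as `/* address bytes of the IP header are printed as 'X' when obfuscation is on */`, would explain the literal 'X' output to a reader who has not seen the setup code above. The enclosing `while(!done)` loop continues outside the hunk.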
@@ -340,6 +398,46 @@ //ClearDumpBuf(); } +static int PrintObfuscatedData(FILE* fp, Packet *p) +{ + uint8_t *payload = NULL; + uint16_t payload_len = 0; + + if (obApi->getObfuscatedPayload(p, &payload, + (uint16_t *)&payload_len) != OB_RET_SUCCESS) + { + return -1; + } + + /* dump the application layer data */ + if (ScOutputAppData() && !ScVerboseByteDump()) + { + if (ScOutputCharData()) + PrintCharData(fp, (char *)payload, payload_len); + else + PrintNetData(fp, payload, payload_len, NULL); + } + else if (ScVerboseByteDump()) + { + uint8_t buf[UINT16_MAX]; + uint16_t dlen = p->data - p->pkt; + + SafeMemcpy(buf, p->pkt, dlen, buf, buf + sizeof(buf)); + SafeMemcpy(buf + dlen, payload, payload_len, + buf, buf + sizeof(buf)); + + PrintNetData(fp, buf, dlen + payload_len, NULL); + } + + fprintf(fp, "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+" + "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+\n\n"); + + p->packet_flags |= PKT_LOGGED; + + free(payload); + + return 0; +} /* @@ -372,14 +470,24 @@ if(ScOutputDataLink()) { Print2ndHeader(fp, p); - } + #ifdef MPLS - if(p->mpls) - { - PrintMPLSHeader(fp, p); - } + if(p->mpls) + { + PrintMPLSHeader(fp, p); + } +#endif + +#ifdef GRE + if (p->outer_iph) + { + PrintOuterIPHeader(fp, p); + if (p->greh) + PrintGREHeader(fp, p); + } #endif - /* etc */ + } + PrintIPHeader(fp, p); /* if this isn't a fragment, print the other header info */ @@ -396,13 +504,13 @@ else { #ifdef SUP_IP6 - PrintNetData(fp, (u_char *) - (u_char *)p->iph + (GET_IPH_HLEN(p) << 2), - GET_IP_PAYLEN(p)); + PrintNetData(fp, (u_char *) + (u_char *)p->iph + (GET_IPH_HLEN(p) << 2), + GET_IP_PAYLEN(p), NULL); #else - PrintNetData(fp, (u_char *) - ((u_char *)p->iph + (IP_HLEN(p->iph) << 2)), - (p->actual_ip_len - (IP_HLEN(p->iph) << 2))); + PrintNetData(fp, (u_char *) + ((u_char *)p->iph + (IP_HLEN(p->iph) << 2)), + (p->actual_ip_len - (IP_HLEN(p->iph) << 2)), NULL); #endif } 
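Review bot: In PrintObfuscatedData the results of both `SafeMemcpy` calls are discarded and `PrintNetData` is then called with `dlen + payload_len` regardless, so when that sum exceeds `sizeof(buf)` the second copy is refused but the dump still reads `dlen + payload_len` bytes from a buffer that holds fewer, and past its end. Add a bound before the copies, `if (payload_len > sizeof(buf) - dlen) { free(payload); return -1; }`, or at minimum test each `SafeMemcpy` return; whether the `len > IP_MAXPACKET` check in PrintNetData (the @@ -106 hunk) catches the over-length case is not visible here. Two smaller points: `(uint16_t *)&payload_len` casts a `uint16_t *` to its own type, and `uint8_t buf[UINT16_MAX]` places 64 KiB on the stack for every obfuscated packet. A header comment stating that the function returns 0 only after the payload was printed and -1 when no obfuscated copy could be produced would make the caller's `== 0` test in PrintIPPkt readable.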
@@ -416,13 +524,13 @@ else { #ifdef SUP_IP6 - PrintNetData(fp, (u_char *) - (u_char *)p->iph + (GET_IPH_HLEN(p) << 2), - GET_IP_PAYLEN(p)); + PrintNetData(fp, (u_char *) + (u_char *)p->iph + (GET_IPH_HLEN(p) << 2), + GET_IP_PAYLEN(p), NULL); #else - PrintNetData(fp, (u_char *) - ((u_char *)p->iph + (IP_HLEN(p->iph) << 2)), - (p->actual_ip_len - (IP_HLEN(p->iph) << 2))); + PrintNetData(fp, (u_char *) + ((u_char *)p->iph + (IP_HLEN(p->iph) << 2)), + (p->actual_ip_len - (IP_HLEN(p->iph) << 2)), NULL); #endif } @@ -435,20 +543,14 @@ } else { -/* - printf("p->iph: %p\n", p->iph); - printf("p->icmph: %p\n", p->icmph); - printf("p->iph->ip_hlen: %d\n", (IP_HLEN(p->iph) << 2)); - printf("p->iph->ip_len: %d\n", p->iph->ip_len); - */ #ifdef SUP_IP6 - PrintNetData(fp, (u_char *) - ((u_char *)p->iph + (GET_IPH_HLEN(p) << 2)), - GET_IP_PAYLEN(p)); + PrintNetData(fp, (u_char *) + ((u_char *)p->iph + (GET_IPH_HLEN(p) << 2)), + GET_IP_PAYLEN(p), NULL); #else - PrintNetData(fp, (u_char *) - ((u_char *) p->iph + (IP_HLEN(p->iph) << 2)), - (ntohs(p->iph->ip_len) - (IP_HLEN(p->iph) << 2))); + PrintNetData(fp, (u_char *) + ((u_char *) p->iph + (IP_HLEN(p->iph) << 2)), + (ntohs(p->iph->ip_len) - (IP_HLEN(p->iph) << 2)), NULL); #endif } 
@@ -458,17 +560,48 @@ break; } } + + if ((p->dsize > 0) && obApi->payloadObfuscationRequired(p) + && (PrintObfuscatedData(fp, p) == 0)) + { + return; + } + /* dump the application layer data */ if (ScOutputAppData() && !ScVerboseByteDump()) { if (ScOutputCharData()) + { PrintCharData(fp, (char*) p->data, p->dsize); + if(!IsJSNormData(p->ssnptr)) + { + fprintf(fp, "%s\n", "Normalized JavaScript for this packet"); + PrintCharData(fp, (char *)file_data_ptr.data, file_data_ptr.len); + } + else if(!IsGzipData(p->ssnptr)) + { + fprintf(fp, "%s\n", "Decompressed Data for this packet"); + PrintCharData(fp, (char *)file_data_ptr.data, file_data_ptr.len); + } + } else - PrintNetData(fp, p->data, p->dsize); + { + PrintNetData(fp, p->data, p->dsize, NULL); + if(!IsJSNormData(p->ssnptr)) + { + fprintf(fp, "%s\n", "Normalized JavaScript for this packet"); + PrintNetData(fp, file_data_ptr.data, file_data_ptr.len, NULL); + } + else if(!IsGzipData(p->ssnptr)) + { + fprintf(fp, "%s\n", "Decompressed Data for this packet"); + PrintNetData(fp, file_data_ptr.data, file_data_ptr.len, NULL); + } + } } else if (ScVerboseByteDump()) { - PrintNetData(fp, p->pkt, p->pkth->caplen); + PrintNetData(fp, p->pkt, p->pkth->caplen, p); } fprintf(fp, "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+" @@ -503,11 +636,19 @@ if(filearg == NULL) { - if(!ScDaemonMode()) - SnortSnprintf(filename, STD_BUF, "%s/alert%s", snort_conf->log_dir, suffix); + if (snort_conf->alert_file == NULL) + { + if(!ScDaemonMode()) + SnortSnprintf(filename, STD_BUF, "%s/alert%s", snort_conf->log_dir, suffix); + else + SnortSnprintf(filename, STD_BUF, "%s/%s", snort_conf->log_dir, + DEFAULT_DAEMON_ALERT_FILE); + } else - SnortSnprintf(filename, STD_BUF, "%s/%s", snort_conf->log_dir, - DEFAULT_DAEMON_ALERT_FILE); + { + SnortSnprintf(filename, STD_BUF, "%s/%s%s", + snort_conf->log_dir, snort_conf->alert_file, suffix); + } } else { 
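Review bot: The new guard fails open: when `payloadObfuscationRequired(p)` is true but `PrintObfuscatedData` returns -1 (no obfuscated payload could be produced), control falls through to the dump below and the packet is logged with its unobfuscated payload, which is the one outcome the policy exists to prevent. The required case should return whether or not the obfuscated print succeeded, e.g. `if ((p->dsize > 0) && obApi->payloadObfuscationRequired(p)) { if (PrintObfuscatedData(fp, p) != 0) fprintf(fp, "[payload obfuscation required but unavailable]\n"); return; }`. Separately, `if(!IsJSNormData(p->ssnptr))` prints "Normalized JavaScript for this packet" when the call returns zero; if these helpers follow a 0-means-data-present convention that belongs in a comment at their declaration, and if they return non-zero when data is present both tests are inverted. The same four-way block (char/hex × JS/gzip) is repeated verbatim and would read better as one helper taking the print function.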
@@ -560,7 +701,7 @@ if(!ScDaemonMode()) SnortSnprintf(oldname, STD_BUF, "%s/alert%s", snort_conf->log_dir, suffix); else - SnortSnprintf(oldname, STD_BUF, "%s/%s", snort_conf->log_dir, + SnortSnprintf(oldname, STD_BUF, "%s/%s", snort_conf->log_dir, DEFAULT_DAEMON_ALERT_FILE); } else @@ -685,7 +826,7 @@ void Print2ndHeader(FILE * fp, Packet * p) { - switch(datalink) + switch(DAQ_GetBaseProtocol()) { case DLT_EN10MB: /* Ethernet */ if(p && p->eh) @@ -697,12 +838,12 @@ if(p && p->wifih) PrintWifiHeader(fp, p); break; -#endif +#endif case DLT_IEEE802: /* Token Ring */ if(p && p->trh) PrintTrHeader(fp, p); - break; -#ifdef DLT_LINUX_SLL + break; +#ifdef DLT_LINUX_SLL case DLT_LINUX_SLL: if (p && p->sllh) PrintSLLHeader(fp, p); /* Linux cooked sockets */ @@ -713,7 +854,7 @@ if (ScLogVerbose()) { ErrorMessage("Datalink %i type 2nd layer display is not " - "supported\n", datalink); + "supported\n", DAQ_GetBaseProtocol()); } } } @@ -780,17 +921,17 @@ void PrintEthHeader(FILE * fp, Packet * p) { /* src addr */ - fprintf(fp, "%X:%X:%X:%X:%X:%X -> ", p->eh->ether_src[0], + fprintf(fp, "%02X:%02X:%02X:%02X:%02X:%02X -> ", p->eh->ether_src[0], p->eh->ether_src[1], p->eh->ether_src[2], p->eh->ether_src[3], p->eh->ether_src[4], p->eh->ether_src[5]); /* dest addr */ - fprintf(fp, "%X:%X:%X:%X:%X:%X ", p->eh->ether_dst[0], + fprintf(fp, "%02X:%02X:%02X:%02X:%02X:%02X ", p->eh->ether_dst[0], p->eh->ether_dst[1], p->eh->ether_dst[2], p->eh->ether_dst[3], p->eh->ether_dst[4], p->eh->ether_dst[5]); /* protocol and pkt size */ - fprintf(fp, "type:0x%X len:0x%X\n", ntohs(p->eh->ether_type), p->pkth->len); + fprintf(fp, "type:0x%X len:0x%X\n", ntohs(p->eh->ether_type), p->pkth->pktlen); } #ifdef MPLS 
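Review bot: The `%02X` fix for MAC octets in PrintEthHeader and PrintSLLHeader is not applied to the other MAC printers this commit touches: the ARP path (`fprintf(fp, " (%X:%X:%X:%X:%X:%X)", mac_src[0],`, context of the @@ -942 hunk) and the 802.11 `sa`/`ta`/`da`/`bssid`/`ra` lines in the @@ -2067 and @@ -2076 hunks still use `%X`, so an octet below 0x10 loses its leading zero and an address printed there no longer matches the same address printed by the Ethernet path when an analyst searches the logs. Apply `%02X` in those formats as well. Also `DAQ_GetBaseProtocol()` is now called twice in Print2ndHeader (switch and error message); caching it in a local, `int dlt = DAQ_GetBaseProtocol();`, keeps the message consistent with the branch taken.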
@@ -798,7 +939,18 @@ { fprintf(log,"label:0x%05X exp:0x%X bos:0x%X ttl:0x%X\n", - p->mplsHdr.label, p->mplsHdr.exp, p->mplsHdr.bos, p->mplsHdr.ttl); + p->mplsHdr.label, p->mplsHdr.exp, p->mplsHdr.bos, p->mplsHdr.ttl); +} +#endif + +#ifdef GRE +void PrintGREHeader(FILE *log, Packet *p) +{ + if (p->greh == NULL) + return; + + fprintf(log, "GRE version:%u flags:0x%02X ether-type:0x%04X\n", + GRE_VERSION(p->greh), p->greh->flags, GRE_PROTO(p->greh)); } #endif @@ -841,7 +993,7 @@ } /* mac addr */ - fprintf(fp, "l/l len: %i l/l type: 0x%X %X:%X:%X:%X:%X:%X\n", + fprintf(fp, "l/l len: %i l/l type: 0x%X %02X:%02X:%02X:%02X:%02X:%02X\n", htons(p->sllh->sll_halen), ntohs(p->sllh->sll_hatype), p->sllh->sll_addr[0], p->sllh->sll_addr[1], p->sllh->sll_addr[2], p->sllh->sll_addr[3], p->sllh->sll_addr[4], p->sllh->sll_addr[5]); @@ -849,7 +1001,7 @@ /* protocol and pkt size */ fprintf(fp, "pkt type:0x%X proto: 0x%X len:0x%X\n", ntohs(p->sllh->sll_pkttype), - ntohs(p->sllh->sll_protocol), p->pkth->len); + ntohs(p->sllh->sll_protocol), p->pkth->pktlen); } @@ -868,12 +1020,12 @@ ts_print((struct timeval *) & p->pkth->ts, timestamp); /* determine what to use as MAC src and dst */ - if (p->eh != NULL) + if (p->eh != NULL) { mac_src = p->eh->ether_src; mac_dst = p->eh->ether_dst; } /* per table 4, 802.11 section 7.2.2 */ - else if (p->wifih != NULL && + else if (p->wifih != NULL && (p->wifih->frame_control & WLAN_FLAG_FROMDS)) { mac_src = p->wifih->addr3; @@ -891,8 +1043,8 @@ mac_dst = p->wifih->addr1; } - /* - * if these are null this function will break, exit until + /* + * if these are null this function will break, exit until * someone writes a function for it... */ if(mac_src == NULL || mac_dst == NULL) 
@@ -942,7 +1094,7 @@ fprintf(fp, "ARP reply %s", inet_ntoa(ip_addr)); /* print out the originating request if we're on a weirder - * wireless protocol */ + * wireless protocol */ if(memcmp((char *) mac_src, (char *) p->ah->arp_sha, 6) != 0) { fprintf(fp, " (%X:%X:%X:%X:%X:%X)", mac_src[0], @@ -1009,42 +1161,7 @@ return; } - if(p->frag_flag) - { - /* just print the straight IP header */ - fputs(inet_ntoa(GET_SRC_ADDR(p)), fp); - fwrite(" -> ", 4, 1, fp); - fputs(inet_ntoa(GET_DST_ADDR(p)), fp); - } - else - { - if(GET_IPH_PROTO(p) != IPPROTO_TCP && GET_IPH_PROTO(p) != IPPROTO_UDP) - { - /* just print the straight IP header */ - fputs(inet_ntoa(GET_SRC_ADDR(p)), fp); - fwrite(" -> ", 4, 1, fp); - fputs(inet_ntoa(GET_DST_ADDR(p)), fp); - } - else - { - if (!ScObfuscate()) - { - /* print the header complete with port information */ - fputs(inet_ntoa(GET_SRC_ADDR(p)), fp); - fprintf(fp, ":%d -> ", p->sp); - fputs(inet_ntoa(GET_DST_ADDR(p)), fp); - fprintf(fp, ":%d", p->dp); - } - else - { - /* print the header complete with port information */ - if(IS_IP4(p)) - fprintf(fp, "xxx.xxx.xxx.xxx:%d -> xxx.xxx.xxx.xxx:%d", p->sp, p->dp); - else if(IS_IP6(p)) - fprintf(fp, "x:x:x:x::x:x:x:x:%d -> x:x:x:x:x:x:x:x:%d", p->sp, p->dp); - } - } - } + PrintIpAddrs(fp, p); if (!ScOutputDataLink()) { @@ -1060,7 +1177,7 @@ GET_IPH_TTL(p), GET_IPH_TOS(p), IS_IP6(p) ? ntohl(GET_IPH_ID(p)) : ntohs((uint16_t)GET_IPH_ID(p)), - GET_IPH_HLEN(p) << 2, + GET_IPH_HLEN(p) << 2, GET_IP_DGMLEN(p)); /* print the reserved bit if it's set */ 
@@ -1091,7 +1208,57 @@ } } +#ifdef GRE +void PrintOuterIPHeader(FILE *fp, Packet *p) +{ + int save_family = p->family; + IPH_API *save_api = p->iph_api; + const IPHdr *save_iph = p->iph; + uint8_t save_ip_option_count = p->ip_option_count; + IP4Hdr *save_ip4h = p->ip4h; + IP6Hdr *save_ip6h = p->ip6h; + uint8_t save_frag_flag = p->frag_flag; + uint16_t save_sp = p->sp, save_dp = p->dp; + + p->family = p->outer_family; + p->iph_api = p->outer_iph_api; + p->iph = p->outer_iph; + p->ip_option_count = 0; + p->ip4h = &p->outer_ip4h; + p->ip6h = &p->outer_ip6h; + p->frag_flag = 0; + + if (p->proto_bits & PROTO_BIT__TEREDO) + { + if (p->outer_udph) + { + p->sp = ntohs(p->outer_udph->uh_sport); + p->dp = ntohs(p->outer_udph->uh_dport); + } + else + { + p->sp = ntohs(p->udph->uh_sport); + p->dp = ntohs(p->udph->uh_dport); + } + } + + PrintIPHeader(fp, p); + p->family = save_family; + p->iph_api = save_api; + p->iph = save_iph; + p->ip_option_count = save_ip_option_count; + p->ip4h = save_ip4h; + p->ip6h = save_ip6h; + p->frag_flag = save_frag_flag; + + if (p->proto_bits & PROTO_BIT__TEREDO) + { + p->sp = save_sp; + p->dp = save_dp; + } +} +#endif /**************************************************************************** * @@ -1212,7 +1379,7 @@ switch(p->icmph->type) { case ICMP_ECHOREPLY: - fprintf(fp, "ID:%d Seq:%d ", ntohs(p->icmph->s_icmp_id), + fprintf(fp, "ID:%d Seq:%d ", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); fwrite("ECHO REPLY", 10, 1, fp); break; @@ -1260,12 +1427,12 @@ break; case ICMP_PKT_FILTERED_NET: - fwrite("ADMINISTRATIVELY PROHIBITED NETWORK FILTERED", 44, + fwrite("ADMINISTRATIVELY PROHIBITED NETWORK FILTERED", 44, 1, fp); break; case ICMP_PKT_FILTERED_HOST: - fwrite("ADMINISTRATIVELY PROHIBITED HOST FILTERED", 41, + fwrite("ADMINISTRATIVELY PROHIBITED HOST FILTERED", 41, 1, fp); break; 
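Review bot: PrintOuterIPHeader has no comment explaining that it temporarily rewrites the inner-header fields of `p` so that PrintIPHeader prints the outer (GRE/Teredo carrier) header, and a reader can easily take the block of assignments for a bug; a header comment along the lines of `/* Print the outer IP header of an encapsulated packet by swapping the outer header pointers into p, calling PrintIPHeader and restoring p afterwards. Not reentrant: p is modified in place. */` is needed. In the Teredo branch the fallback dereferences `p->udph` without a check; if a packet can carry PROTO_BIT__TEREDO with neither `outer_udph` nor `udph` set (not visible here) that is a NULL dereference, and `else if (p->udph)` is the cheap guard. Note also that `p->ip_option_count = 0` means options on the outer header are never printed, which is worth stating in the comment if intentional.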
@@ -1327,14 +1494,14 @@ fwrite(" TOS HOST", 9, 1, fp); break; } - + #ifdef SUP_IP6 -/* written this way since inet_ntoa was typedef'ed to use sfip_ntoa +/* written this way since inet_ntoa was typedef'ed to use sfip_ntoa * which requires sfip_t instead of inaddr's. This call to inet_ntoa * is a rare case that doesn't use sfip_t's. */ -// XXX-IPv6 NOT YET IMPLEMENTED - IPV6 addresses technically not supported - need to change ICMP header - +// XXX-IPv6 NOT YET IMPLEMENTED - IPV6 addresses technically not supported - need to change ICMP header + sfip_raw_ntop(AF_INET, (void *)&p->icmph->s_icmp_gwaddr, buf, sizeof(buf)); fprintf(fp, " NEW GW: %s", buf); #else @@ -1342,19 +1509,19 @@ #endif PrintICMPEmbeddedIP(fp, p); - + break; case ICMP_ECHO: - fprintf(fp, "ID:%d Seq:%d ", ntohs(p->icmph->s_icmp_id), + fprintf(fp, "ID:%d Seq:%d ", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); fwrite("ECHO", 4, 1, fp); break; case ICMP_ROUTER_ADVERTISE: fprintf(fp, "ROUTER ADVERTISMENT: " - "Num addrs: %d Addr entry size: %d Lifetime: %u", - p->icmph->s_icmp_num_addrs, p->icmph->s_icmp_wpa, + "Num addrs: %d Addr entry size: %d Lifetime: %u", + p->icmph->s_icmp_num_addrs, p->icmph->s_icmp_wpa, ntohs(p->icmph->s_icmp_lifetime)); break; 
@@ -1402,37 +1569,37 @@ break; case ICMP_TIMESTAMP: - fprintf(fp, "ID: %u Seq: %u TIMESTAMP REQUEST", + fprintf(fp, "ID: %u Seq: %u TIMESTAMP REQUEST", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); break; case ICMP_TIMESTAMPREPLY: fprintf(fp, "ID: %u Seq: %u TIMESTAMP REPLY:\n" - "Orig: %u Rtime: %u Ttime: %u", + "Orig: %u Rtime: %u Ttime: %u", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq), - p->icmph->s_icmp_otime, p->icmph->s_icmp_rtime, + p->icmph->s_icmp_otime, p->icmph->s_icmp_rtime, p->icmph->s_icmp_ttime); break; case ICMP_INFO_REQUEST: - fprintf(fp, "ID: %u Seq: %u INFO REQUEST", + fprintf(fp, "ID: %u Seq: %u INFO REQUEST", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); break; case ICMP_INFO_REPLY: - fprintf(fp, "ID: %u Seq: %u INFO REPLY", + fprintf(fp, "ID: %u Seq: %u INFO REPLY", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); break; case ICMP_ADDRESS: - fprintf(fp, "ID: %u Seq: %u ADDRESS REQUEST", + fprintf(fp, "ID: %u Seq: %u ADDRESS REQUEST", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); break; case ICMP_ADDRESSREPLY: - fprintf(fp, "ID: %u Seq: %u ADDRESS REPLY: 0x%08X", + fprintf(fp, "ID: %u Seq: %u ADDRESS REPLY: 0x%08X", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq), - (u_int) ntohl(p->icmph->s_icmp_mask)); + (u_int) ntohl(p->icmph->s_icmp_mask)); break; default: @@ -1579,7 +1746,7 @@ case ICMP_INFO_REPLY: case ICMP_ADDRESS: case ICMP_ADDRESSREPLY: - fprintf(fp, " Id: %u SeqNo: %u", + fprintf(fp, " Id: %u SeqNo: %u", ntohs(icmph->s_icmp_id), ntohs(icmph->s_icmp_seq)); break; @@ -1621,7 +1788,7 @@ fwrite("\nIP Options => ", 15, 1, fp); init_offset = ftell(fp); } - + switch(p->ip_options[i].code) { case IPOPT_RR: @@ -1663,7 +1830,7 @@ case IPOPT_RTRALT: fwrite("RTRALT ", 7, 1, fp); - break; + break; default: fprintf(fp, "Opt %d: ", p->ip_options[i].code); 
@@ -1676,7 +1843,7 @@ fprintf(fp, "%02X", p->ip_options[i].data[j]); else fprintf(fp, "%02X", 0); - + if((j % 2) == 0) fprintf(fp, " "); } @@ -1713,7 +1880,7 @@ fwrite("\nTCP Options => ", 16, 1, fp); init_offset = ftell(fp); } - + switch(p->tcp_options[i].code) { case TCPOPT_MAXSEG: @@ -1812,7 +1979,7 @@ fprintf(fp, "%02X", p->tcp_options[i].data[j]); else fprintf(fp, "%02X", 0); - + if ((j + 1) % 2 == 0) fprintf(fp, " "); } @@ -1840,30 +2007,26 @@ * do_newline => tack a \n to the end of the line or not (bool) * * Returns: void function - */ + */ void PrintPriorityData(FILE *fp, int do_newline) { - - if(!otn_tmp) + if (otn_tmp == NULL) return; - if(otn_tmp->sigInfo.classType) - { - fprintf(fp, "[Classification: %s] [Priority: %d] ", - otn_tmp->sigInfo.classType->name, - otn_tmp->sigInfo.priority); - } - else + if ((otn_tmp->sigInfo.classType != NULL) + && (otn_tmp->sigInfo.classType->name != NULL)) { - fprintf(fp, "[Priority: %d] ", - otn_tmp->sigInfo.priority); + fprintf(fp, "[Classification: %s] ", + otn_tmp->sigInfo.classType->name); } - if(do_newline) - fprintf(fp, "\n"); + fprintf(fp, "[Priority: %d] ", otn_tmp->sigInfo.priority); + + if (do_newline) + fprintf(fp, "\n"); } - + /* * Function: PrintXrefs(FILE *) * @@ -1873,7 +2036,7 @@ * do_newline => tack a \n to the end of the line or not (bool) * * Returns: void function - */ + */ void PrintXrefs(FILE *fp, int do_newline) { ReferenceNode *refNode = NULL; @@ -1907,7 +2070,7 @@ #else void SnortSetEvent #endif - (Event *event, uint32_t generator, uint32_t id, uint32_t rev, + (Event *event, uint32_t generator, uint32_t id, uint32_t rev, uint32_t classification, uint32_t priority, uint32_t event_ref) { event->sig_generator = generator; @@ -1942,7 +2105,7 @@ void PrintEapolPkt(FILE * fp, Packet * p) { char timestamp[TIMEBUF_SIZE]; - + bzero((char *) timestamp, TIMEBUF_SIZE); ts_print((struct timeval *) & p->pkth->ts, timestamp); 
@@ -1969,14 +2132,14 @@ if (ScOutputCharData()) PrintCharData(fp, (char*) p->data, p->dsize); else - PrintNetData(fp, p->data, p->dsize); + PrintNetData(fp, p->data, p->dsize, NULL); } else if (ScVerboseByteDump()) { - PrintNetData(fp, p->pkt, p->pkth->caplen); + PrintNetData(fp, p->pkt, p->pkth->caplen, p); } - - fprintf(fp, "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+\n\n"); + + fprintf(fp, "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+\n\n"); } /**************************************************************************** @@ -2019,7 +2182,7 @@ sa = p->wifih->addr2; bssid = p->wifih->addr3; } - + /* DO this switch to provide additional info on the type */ switch(p->wifih->frame_control & 0x00ff) { @@ -2057,7 +2220,7 @@ case WLAN_TYPE_MGMT_DEAUTH: fprintf(fp, "Deauthent. "); break; - + /* Control frames */ case WLAN_TYPE_CONT_PS: case WLAN_TYPE_CONT_RTS: @@ -2067,8 +2230,8 @@ case WLAN_TYPE_CONT_CFACK: fprintf(fp, "Control "); break; - } - + } + if (sa != NULL) { fprintf(fp, "%X:%X:%X:%X:%X:%X -> ", sa[0], sa[1], sa[2], sa[3], sa[4], sa[5]); @@ -2076,8 +2239,8 @@ else if (ta != NULL) { fprintf(fp, "ta: %X:%X:%X:%X:%X:%X da: ", ta[0], ta[1], ta[2], ta[3], ta[4], ta[5]); - } - + } + fprintf(fp, "%X:%X:%X:%X:%X:%X\n", da[0], da[1], da[2], da[3], da[4], da[5]); @@ -2086,7 +2249,7 @@ fprintf(fp, "bssid: %X:%X:%X:%X:%X:%X", bssid[0], bssid[1], bssid[2], bssid[3], bssid[4], bssid[5]); } - + if (ra != NULL) { fprintf(fp, " ra: %X:%X:%X:%X:%X:%X", ra[0], ra[1], ra[2], ra[3], ra[4], ra[5]); @@ -2133,11 +2296,11 @@ if (ScOutputCharData()) PrintCharData(fp, (char*) p->data, p->dsize); else - PrintNetData(fp, p->data, p->dsize); + PrintNetData(fp, p->data, p->dsize, NULL); } else if (ScVerboseByteDump()) { - PrintNetData(fp, p->pkt, p->pkth->caplen); + PrintNetData(fp, p->pkt, p->pkth->caplen, p); } fprintf(fp, "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+" 
@@ -2262,7 +2425,7 @@
 void PrintEapolKey(FILE * fp, Packet * p)
 {
     uint16_t length;
-
+
     if(p->eapolk == NULL)
     {
         fprintf(fp, "Eapol Key truncated\n");
@@ -2278,8 +2441,49 @@
     fprintf(fp, " len: %d", length);
     fprintf(fp, " index: %d ", p->eapolk->index & 0x7F);
     fprintf(fp, p->eapolk->index & 0x80 ? " unicast\n" : " broadcast\n");
-
-
 }
 #endif // NO_NON_ETHER_DECODER
 
+void PrintIpAddrs(FILE *fp, Packet *p)
+{
+    if (!IPH_IS_VALID(p))
+        return;
+
+    if (p->frag_flag
+        || ((GET_IPH_PROTO(p) != IPPROTO_TCP)
+        && (GET_IPH_PROTO(p) != IPPROTO_UDP)))
+    {
+        char *ip_fmt = "%s -> %s";
+
+        if (ScObfuscate())
+        {
+            fprintf(fp, ip_fmt,
+                ObfuscateIpToText(GET_SRC_ADDR(p)),
+                ObfuscateIpToText(GET_DST_ADDR(p)));
+        }
+        else
+        {
+            fprintf(fp, ip_fmt,
+                inet_ntoax(GET_SRC_ADDR(p)),
+                inet_ntoax(GET_DST_ADDR(p)));
+        }
+    }
+    else
+    {
+        char *ip_fmt = "%s:%d -> %s:%d";
+
+        if (ScObfuscate())
+        {
+            fprintf(fp, ip_fmt,
+                ObfuscateIpToText(GET_SRC_ADDR(p)), p->sp,
+                ObfuscateIpToText(GET_DST_ADDR(p)), p->dp);
+        }
+        else
+        {
+            fprintf(fp, ip_fmt,
+                inet_ntoax(GET_SRC_ADDR(p)), p->sp,
+                inet_ntoax(GET_DST_ADDR(p)), p->dp);
+        }
+    }
+}
+
diff -Nru snort-2.8.5.2/src/log.h snort-2.9.2/src/log.h
--- snort-2.8.5.2/src/log.h 2009-12-15 23:27:52.000000000 +0000
+++ snort-2.9.2/src/log.h 2011-02-09 23:22:49.000000000 +0000
@@ -1,5 +1,5 @@
 /*
-** Copyright (C) 2002-2009 Sourcefire, Inc.
+** Copyright (C) 2002-2011 Sourcefire, Inc.
 ** Copyright (C) 1998-2002 Martin Roesch
 **
 ** This program is free software; you can redistribute it and/or modify
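Review bot: In PrintIpAddrs both `char *ip_fmt = "%s -> %s";` and `char *ip_fmt = "%s:%d -> %s:%d";` bind string literals to non-const pointers and turn the format into a non-literal, which silences the compiler's format/argument checking for the four fprintf calls; `static const char *const ip_fmt = "%s -> %s";` keeps the literal const and lets `-Wformat` see through it. Also, if `inet_ntoax` or `ObfuscateIpToText` returns a pointer into a static buffer (as `inet_ntoa`, which the IPv6 build maps to `sfip_ntoa`, conventionally does; not visible here), evaluating both calls inside one fprintf argument list prints the same address twice, and the two-call form the removed code used is the safe shape. A short comment on the function noting that it masks addresses whenever `ScObfuscate()` is set, including the non-TCP/UDP and fragment cases that the old PrintIPHeader printed unmasked, would document the behaviour change for log consumers.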
@@ -41,14 +41,19 @@ /* P R O T O T Y P E S ******************************************************/ +void PrintIpAddrs(FILE *, Packet *); void PrintIPPkt(FILE *, int,Packet*); -void PrintNetData(FILE *, const u_char *, const int); +void PrintNetData(FILE *, const u_char *, const int, Packet *); void ClearDumpBuf(void); void Print2ndHeader(FILE *, Packet *); void PrintEthHeader(FILE *, Packet *); #ifdef MPLS void PrintMPLSHeader(FILE *, Packet *); #endif +#ifdef GRE +void PrintGREHeader(FILE *, Packet *); +void PrintOuterIPHeader(FILE *, Packet *); +#endif void PrintIPHeader(FILE *, Packet *); void PrintTCPHeader(FILE *, Packet *); void PrintTcpOptions(FILE *, Packet *); diff -Nru snort-2.8.5.2/src/log_text.c snort-2.9.2/src/log_text.c --- snort-2.8.5.2/src/log_text.c 2009-05-06 22:28:15.000000000 +0000 +++ snort-2.9.2/src/log_text.c 2011-10-26 18:28:52.000000000 +0000 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify @@ -19,6 +19,9 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ +// @file log_text.c +// @author Russ Combs + #ifdef HAVE_CONFIG_H #include "config.h" #endif @@ -41,13 +44,18 @@ #include "log.h" #include "rules.h" +#include "treenodes.h" #include "util.h" -#include "debug.h" +#include "snort_debug.h" #include "signature.h" +#include "util_net.h" #include "snort.h" #include "log_text.h" #include "sfutil/sf_textlog.h" +#include "snort_bounds.h" +#include "obfuscation.h" +#include "detection_util.h" #ifdef SUP_IP6 #include "sfutil/sf_ip.h" 
@@ -55,6 +63,9 @@ extern OptTreeNode *otn_tmp; /* global ptr to current rule data */ +extern int IsGzipData(void *); +extern int IsJSNormData(void *); + /*-------------------------------------------------------------------- * utility functions *-------------------------------------------------------------------- @@ -80,24 +91,22 @@ * * Returns: void function *-------------------------------------------------------------------- - */ + */ void LogPriorityData(TextLog* log, bool doNewLine) { - if ( !otn_tmp ) + if (otn_tmp == NULL) return; - if ( otn_tmp->sigInfo.classType ) - { - TextLog_Print( - log, "[Classification: %s] [Priority: %d] ", - otn_tmp->sigInfo.classType->name, otn_tmp->sigInfo.priority - ); - } - else + if ((otn_tmp->sigInfo.classType != NULL) + && (otn_tmp->sigInfo.classType->name != NULL)) { - TextLog_Print(log, "[Priority: %d] ", otn_tmp->sigInfo.priority); + TextLog_Print(log, "[Classification: %s] ", + otn_tmp->sigInfo.classType->name); } - if ( doNewLine ) + + TextLog_Print(log, "[Priority: %d] ", otn_tmp->sigInfo.priority); + + if (doNewLine) TextLog_NewLine(log); } 
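Review bot: `extern int IsGzipData(void *);` and `extern int IsJSNormData(void *);` are declared ad hoc in log_text.c instead of being taken from the header that owns them, so a later signature change in the defining file will compile cleanly here and fail at link or run time. Move the prototypes into the owning preprocessor header and include it, or at minimum add a comment naming the defining file and the return convention — the callers later in this file (`if(!IsJSNormData(p->ssnptr))`) apparently treat a zero return as "data available", which reads as inverted without that note.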
@@ -163,17 +172,18 @@ static void LogEthHeader(TextLog* log, Packet* p) { /* src addr */ - TextLog_Print(log, "%X:%X:%X:%X:%X:%X -> ", p->eh->ether_src[0], - p->eh->ether_src[1], p->eh->ether_src[2], p->eh->ether_src[3], - p->eh->ether_src[4], p->eh->ether_src[5]); + TextLog_Print(log, "%02X:%02X:%02X:%02X:%02X:%02X -> ", p->eh->ether_src[0], + p->eh->ether_src[1], p->eh->ether_src[2], p->eh->ether_src[3], + p->eh->ether_src[4], p->eh->ether_src[5]); /* dest addr */ - TextLog_Print(log, "%X:%X:%X:%X:%X:%X ", p->eh->ether_dst[0], - p->eh->ether_dst[1], p->eh->ether_dst[2], p->eh->ether_dst[3], - p->eh->ether_dst[4], p->eh->ether_dst[5]); + TextLog_Print(log, "%02X:%02X:%02X:%02X:%02X:%02X ", p->eh->ether_dst[0], + p->eh->ether_dst[1], p->eh->ether_dst[2], p->eh->ether_dst[3], + p->eh->ether_dst[4], p->eh->ether_dst[5]); /* protocol and pkt size */ - TextLog_Print(log, "type:0x%X len:0x%X\n", ntohs(p->eh->ether_type), p->pkth->len); + TextLog_Print(log, "type:0x%X len:0x%X\n", ntohs(p->eh->ether_type), + p->pkth->pktlen); } #ifdef MPLS @@ -181,9 +191,21 @@ { TextLog_Print(log,"label:0x%05X exp:0x%X bos:0x%X ttl:0x%X\n", - p->mplsHdr.label, p->mplsHdr.exp, p->mplsHdr.bos, p->mplsHdr.ttl); + p->mplsHdr.label, p->mplsHdr.exp, p->mplsHdr.bos, p->mplsHdr.ttl); } #endif + +#ifdef GRE +static void LogGREHeader(TextLog *log, Packet *p) +{ + if (p->greh == NULL) + return; + + TextLog_Print(log, "GRE version:%u flags:0x%02X ether-type:0x%04X\n", + GRE_VERSION(p->greh), p->greh->flags, GRE_PROTO(p->greh)); +} +#endif + #ifndef NO_NON_ETHER_DECODER /*-------------------------------------------------------------------- * Function: LogSLLHeader(TextLog* ) @@ -196,7 +218,7 @@ * Returns: void function *-------------------------------------------------------------------- */ -#ifdef DLT_LINUX_SLL +#ifdef DLT_LINUX_SLL static void LogSLLHeader(TextLog* log, Packet* p) { switch (ntohs(p->sllh->sll_pkttype)) { 
@@ -221,15 +243,15 @@ } /* mac addr */ - TextLog_Print(log, "l/l len: %i l/l type: 0x%X %X:%X:%X:%X:%X:%X\n", - htons(p->sllh->sll_halen), ntohs(p->sllh->sll_hatype), - p->sllh->sll_addr[0], p->sllh->sll_addr[1], p->sllh->sll_addr[2], - p->sllh->sll_addr[3], p->sllh->sll_addr[4], p->sllh->sll_addr[5]); + TextLog_Print(log, "l/l len: %i l/l type: 0x%X %02X:%02X:%02X:%02X:%02X:%02X\n", + htons(p->sllh->sll_halen), ntohs(p->sllh->sll_hatype), + p->sllh->sll_addr[0], p->sllh->sll_addr[1], p->sllh->sll_addr[2], + p->sllh->sll_addr[3], p->sllh->sll_addr[4], p->sllh->sll_addr[5]); /* protocol and pkt size */ TextLog_Print(log, "pkt type:0x%X proto: 0x%X len:0x%X\n", - ntohs(p->sllh->sll_pkttype), - ntohs(p->sllh->sll_protocol), p->pkth->len); + ntohs(p->sllh->sll_pkttype), + ntohs(p->sllh->sll_protocol), p->pkth->pktlen); } #endif @@ -272,7 +294,7 @@ sa = p->wifih->addr2; bssid = p->wifih->addr3; } - + /* DO this switch to provide additional info on the type */ switch(p->wifih->frame_control & 0x00ff) { @@ -310,7 +332,7 @@ case WLAN_TYPE_MGMT_DEAUTH: TextLog_Puts(log, "Deauthent. "); break; - + /* Control frames */ case WLAN_TYPE_CONT_PS: case WLAN_TYPE_CONT_RTS: @@ -320,8 +342,8 @@ case WLAN_TYPE_CONT_CFACK: TextLog_Puts(log, "Control "); break; - } - + } + if (sa != NULL) { TextLog_Print(log, "%X:%X:%X:%X:%X:%X -> ", sa[0], sa[1], sa[2], sa[3], sa[4], sa[5]); @@ -329,8 +351,8 @@ else if (ta != NULL) { TextLog_Print(log, "ta: %X:%X:%X:%X:%X:%X da: ", ta[0], ta[1], ta[2], ta[3], ta[4], ta[5]); - } - + } + TextLog_Print(log, "%X:%X:%X:%X:%X:%X\n", da[0], da[1], da[2], da[3], da[4], da[5]); @@ -339,7 +361,7 @@ TextLog_Print(log, "bssid: %X:%X:%X:%X:%X:%X", bssid[0], bssid[1], bssid[2], bssid[3], bssid[4], bssid[5]); } - + if (ra != NULL) { TextLog_Print(log, " ra: %X:%X:%X:%X:%X:%X", ra[0], ra[1], ra[2], ra[3], ra[4], ra[5]); 
@@ -370,7 +392,7 @@ void Log2ndHeader(TextLog* log, Packet* p) { - switch(datalink) + switch(DAQ_GetBaseProtocol()) { case DLT_EN10MB: /* Ethernet */ if(p && p->eh) @@ -386,8 +408,8 @@ case DLT_IEEE802: /* Token Ring */ if(p && p->trh) LogTrHeader(log, p); - break; -#ifdef DLT_LINUX_SLL + break; +#ifdef DLT_LINUX_SLL case DLT_LINUX_SLL: if (p && p->sllh) LogSLLHeader(log, p); /* Linux cooked sockets */ @@ -397,8 +419,9 @@ default: if (ScLogVerbose()) { + // FIXTHIS should only be output once! ErrorMessage("Datalink %i type 2nd layer display is not " - "supported\n", datalink); + "supported\n", DAQ_GetBaseProtocol()); } } } @@ -430,7 +453,7 @@ TextLog_Puts(log, "\nIP Options => "); init_offset = TextLog_Tell(log); } - + switch(p->ip_options[i].code) { case IPOPT_RR: @@ -472,7 +495,7 @@ case IPOPT_RTRALT: TextLog_Puts(log, "RTRALT "); - break; + break; default: TextLog_Print(log, "Opt %d: ", p->ip_options[i].code); @@ -485,7 +508,7 @@ TextLog_Print(log, "%02X", p->ip_options[i].data[j]); else TextLog_Print(log, "%02X", 0); - + if((j % 2) == 0) TextLog_Putc(log, ' '); } 
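Review bot: The default case of Log2ndHeader emits an ErrorMessage for every logged packet when the datalink is unsupported and ScLogVerbose() is on; the new `// FIXTHIS should only be output once!` comment acknowledges the flood but ships it. A file-scope `static int warned = 0;` fixes it in place: `if (ScLogVerbose() && !warned) { warned = 1; ErrorMessage("Datalink %i type 2nd layer display is not supported\n", DAQ_GetBaseProtocol()); }`. DAQ_GetBaseProtocol() is also called twice in the function (switch and message); caching it in a local keeps the two in agreement.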
@@ -497,59 +520,79 @@ } /*-------------------------------------------------------------------- - * Function: LogIPHeader(TextLog* ) + * Function: LogIPAddrs(TextLog* ) * - * Purpose: Dump the IP header info to the given TextLog + * Purpose: Dump the IP addresses to the given TextLog + * Handles obfuscation * * Arguments: log => TextLog to print to + * p => packet structure * * Returns: void function *-------------------------------------------------------------------- */ -void LogIPHeader(TextLog* log, Packet * p) +void LogIpAddrs(TextLog *log, Packet *p) { - if(!IPH_IS_VALID(p)) - { - TextLog_Print(log, "IP header truncated\n"); + if (!IPH_IS_VALID(p)) return; - } - if(p->frag_flag) + if (p->frag_flag + || ((GET_IPH_PROTO(p) != IPPROTO_TCP) + && (GET_IPH_PROTO(p) != IPPROTO_UDP))) { - /* just print the straight IP header */ - TextLog_Puts(log, inet_ntoa(GET_SRC_ADDR(p))); - TextLog_Puts(log, " -> "); - TextLog_Puts(log, inet_ntoa(GET_DST_ADDR(p))); + char *ip_fmt = "%s -> %s"; + + if (ScObfuscate()) + { + TextLog_Print(log, ip_fmt, + ObfuscateIpToText(GET_SRC_ADDR(p)), + ObfuscateIpToText(GET_DST_ADDR(p))); + } + else + { + TextLog_Print(log, ip_fmt, + inet_ntoax(GET_SRC_ADDR(p)), + inet_ntoax(GET_DST_ADDR(p))); + } } else { - if(GET_IPH_PROTO(p) != IPPROTO_TCP && GET_IPH_PROTO(p) != IPPROTO_UDP) + char *ip_fmt = "%s:%d -> %s:%d"; + + if (ScObfuscate()) { - /* just print the straight IP header */ - TextLog_Puts(log, inet_ntoa(GET_SRC_ADDR(p))); - TextLog_Puts(log, " -> "); - TextLog_Puts(log, inet_ntoa(GET_DST_ADDR(p))); + TextLog_Print(log, ip_fmt, + ObfuscateIpToText(GET_SRC_ADDR(p)), p->sp, + ObfuscateIpToText(GET_DST_ADDR(p)), p->dp); } else { - if (!ScObfuscate()) - { - /* print the header complete with port information */ - TextLog_Puts(log, inet_ntoa(GET_SRC_ADDR(p))); - TextLog_Print(log, ":%d -> ", p->sp); - TextLog_Puts(log, inet_ntoa(GET_DST_ADDR(p))); - TextLog_Print(log, ":%d", p->dp); - } - else - { - /* print the header complete with port 
information */ - if(IS_IP4(p)) - TextLog_Print(log, "xxx.xxx.xxx.xxx:%d -> xxx.xxx.xxx.xxx:%d", p->sp, p->dp); - else if(IS_IP6(p)) - TextLog_Print(log, "x:x:x:x:x:x:x:x:%d -> x:x:x:x:x:x:x:x:%d", p->sp, p->dp); - } + TextLog_Print(log, ip_fmt, + inet_ntoax(GET_SRC_ADDR(p)), p->sp, + inet_ntoax(GET_DST_ADDR(p)), p->dp); } } +} + +/*-------------------------------------------------------------------- + * Function: LogIPHeader(TextLog* ) + * + * Purpose: Dump the IP header info to the given TextLog + * + * Arguments: log => TextLog to print to + * + * Returns: void function + *-------------------------------------------------------------------- + */ +void LogIPHeader(TextLog* log, Packet * p) +{ + if(!IPH_IS_VALID(p)) + { + TextLog_Print(log, "IP header truncated\n"); + return; + } + + LogIpAddrs(log, p); if(!ScOutputDataLink()) { @@ -565,7 +608,7 @@ GET_IPH_TTL(p), GET_IPH_TOS(p), IS_IP6(p) ? ntohl(GET_IPH_ID(p)) : ntohs((uint16_t)GET_IPH_ID(p)), - GET_IPH_HLEN(p) << 2, + GET_IPH_HLEN(p) << 2, GET_IP_DGMLEN(p)); /* print the reserved bit if it's set */ 
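Review bot: LogIpAddrs is now exported (log_text.h gains its prototype) but returns silently when `!IPH_IS_VALID(p)`, while its only visible caller, LogIPHeader, prints "IP header truncated" itself before delegating; a header comment such as `/* Prints "src -> dst" (with ports for unfragmented TCP/UDP), honouring ScObfuscate(); prints nothing if the IP header is invalid. */` makes that contract explicit for new callers. `char *ip_fmt` points at string literals in both branches and should be `const char *ip_fmt`. Both branches also pass two address-to-text results to one TextLog_Print, which is only correct if ObfuscateIpToText()/inet_ntoax() return distinct buffers on consecutive calls — worth confirming, or stating in the comment.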
@@ -596,6 +639,61 @@ } } +#ifdef GRE +static void LogOuterIPHeader(TextLog *log, Packet *p) +{ + int save_family = p->family; + IPH_API *save_api = p->iph_api; + const IPHdr *save_iph = p->iph; + uint8_t save_ip_option_count = p->ip_option_count; + IP4Hdr *save_ip4h = p->ip4h; + IP6Hdr *save_ip6h = p->ip6h; + uint8_t save_frag_flag = p->frag_flag; + uint16_t save_sp, save_dp; + + p->family = p->outer_family; + p->iph_api = p->outer_iph_api; + p->iph = p->outer_iph; + p->ip_option_count = 0; + p->ip4h = &p->outer_ip4h; + p->ip6h = &p->outer_ip6h; + p->frag_flag = 0; + + if (p->proto_bits & PROTO_BIT__TEREDO) + { + save_sp = p->sp; + save_dp = p->dp; + + if (p->outer_udph) + { + p->sp = ntohs(p->outer_udph->uh_sport); + p->dp = ntohs(p->outer_udph->uh_dport); + } + else + { + p->sp = ntohs(p->udph->uh_sport); + p->dp = ntohs(p->udph->uh_dport); + } + } + + LogIPHeader(log, p); + + p->family = save_family; + p->iph_api = save_api; + p->iph = save_iph; + p->ip_option_count = save_ip_option_count; + p->ip4h = save_ip4h; + p->ip6h = save_ip6h; + p->frag_flag = save_frag_flag; + + if (p->proto_bits & PROTO_BIT__TEREDO) + { + p->sp = save_sp; + p->dp = save_dp; + } +} +#endif + /*------------------------------------------------------------------- * TCP stuff cloned from log.c *------------------------------------------------------------------- @@ -624,7 +722,7 @@ TextLog_Puts(log, "\nTCP Options => "); init_offset = TextLog_Tell(log); } - **/ + **/ switch(p->tcp_options[i].code) { case TCPOPT_MAXSEG: @@ -722,7 +820,7 @@ TextLog_Print(log, "%02X", p->tcp_options[i].data[j]); else TextLog_Print(log, "%02X", 0); - + if ((j + 1) % 2 == 0) TextLog_Putc(log, ' '); } @@ -863,7 +961,7 @@ case ICMP_INFO_REPLY: case ICMP_ADDRESS: case ICMP_ADDRESSREPLY: - TextLog_Print(log, " Id: %u SeqNo: %u", + TextLog_Print(log, " Id: %u SeqNo: %u", ntohs(icmph->s_icmp_id), ntohs(icmph->s_icmp_seq)); break; 
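Review bot: In the PROTO_BIT__TEREDO branch of LogOuterIPHeader the fallback `p->sp = ntohs(p->udph->uh_sport);` dereferences p->udph with no NULL check, although the sibling branch does guard p->outer_udph; if the decoder can set the Teredo bit without populating udph this is a NULL dereference on a crafted packet, so make it `else if (p->udph)` and otherwise leave sp/dp untouched. `save_sp`/`save_dp` are assigned only inside that branch, which is correct as written but trips -Wmaybe-uninitialized; initialise both to 0 at the declaration. A short comment that the function temporarily points p's IP accessors at the outer header so LogIPHeader can be reused, and that every field it overrides must be restored below, would help the next editor keep the two lists in sync.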
@@ -994,7 +1092,7 @@ switch(p->icmph->type) { case ICMP_ECHOREPLY: - TextLog_Print(log, "ID:%d Seq:%d ", ntohs(p->icmph->s_icmp_id), + TextLog_Print(log, "ID:%d Seq:%d ", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); TextLog_Puts(log, "ECHO REPLY"); break; @@ -1107,14 +1205,14 @@ TextLog_Puts(log, " TOS HOST"); break; } - + #ifdef SUP_IP6 -/* written this way since inet_ntoa was typedef'ed to use sfip_ntoa +/* written this way since inet_ntoa was typedef'ed to use sfip_ntoa * which requires sfip_t instead of inaddr's. This call to inet_ntoa * is a rare case that doesn't use sfip_t's. */ // XXX-IPv6 NOT YET IMPLEMENTED - IPV6 addresses technically not supported - need to change ICMP - + /* no inet_ntop in Windows */ sfip_raw_ntop(AF_INET, (const void *)(&p->icmph->s_icmp_gwaddr.s_addr), buf, sizeof(buf)); @@ -1124,19 +1222,19 @@ #endif LogICMPEmbeddedIP(log, p); - + break; case ICMP_ECHO: - TextLog_Print(log, "ID:%d Seq:%d ", ntohs(p->icmph->s_icmp_id), + TextLog_Print(log, "ID:%d Seq:%d ", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); TextLog_Puts(log, "ECHO"); break; case ICMP_ROUTER_ADVERTISE: TextLog_Print(log, "ROUTER ADVERTISMENT: " - "Num addrs: %d Addr entry size: %d Lifetime: %u", - p->icmph->s_icmp_num_addrs, p->icmph->s_icmp_wpa, + "Num addrs: %d Addr entry size: %d Lifetime: %u", + p->icmph->s_icmp_num_addrs, p->icmph->s_icmp_wpa, ntohs(p->icmph->s_icmp_lifetime)); break; 
@@ -1184,37 +1282,37 @@ break; case ICMP_TIMESTAMP: - TextLog_Print(log, "ID: %u Seq: %u TIMESTAMP REQUEST", + TextLog_Print(log, "ID: %u Seq: %u TIMESTAMP REQUEST", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); break; case ICMP_TIMESTAMPREPLY: TextLog_Print(log, "ID: %u Seq: %u TIMESTAMP REPLY:\n" - "Orig: %u Rtime: %u Ttime: %u", + "Orig: %u Rtime: %u Ttime: %u", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq), - p->icmph->s_icmp_otime, p->icmph->s_icmp_rtime, + p->icmph->s_icmp_otime, p->icmph->s_icmp_rtime, p->icmph->s_icmp_ttime); break; case ICMP_INFO_REQUEST: - TextLog_Print(log, "ID: %u Seq: %u INFO REQUEST", + TextLog_Print(log, "ID: %u Seq: %u INFO REQUEST", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); break; case ICMP_INFO_REPLY: - TextLog_Print(log, "ID: %u Seq: %u INFO REPLY", + TextLog_Print(log, "ID: %u Seq: %u INFO REPLY", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); break; case ICMP_ADDRESS: - TextLog_Print(log, "ID: %u Seq: %u ADDRESS REQUEST", + TextLog_Print(log, "ID: %u Seq: %u ADDRESS REQUEST", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); break; case ICMP_ADDRESSREPLY: - TextLog_Print(log, "ID: %u Seq: %u ADDRESS REPLY: 0x%08X", + TextLog_Print(log, "ID: %u Seq: %u ADDRESS REPLY: 0x%08X", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq), - (u_int) ntohl(p->icmph->s_icmp_mask)); + (u_int) ntohl(p->icmph->s_icmp_mask)); break; default: @@ -1239,7 +1337,7 @@ if(refNode->system) { if(refNode->system->url) - TextLog_Print(log, "[Xref => %s%s]", refNode->system->url, + TextLog_Print(log, "[Xref => %s%s]", refNode->system->url, refNode->id); else TextLog_Print(log, "[Xref => %s %s]", refNode->system->name, @@ -1250,7 +1348,7 @@ TextLog_Print(log, "[Xref => %s]", refNode->id); } } - return; + return; } /* 
@@ -1262,8 +1360,8 @@ * doNewLine => tack a \n to the end of the line or not (bool) * * Returns: void function - */ -void LogXrefs(TextLog* log, int doNewLine) + */ +void LogXrefs(TextLog* log, bool doNewLine) { ReferenceNode *refNode = NULL; @@ -1337,7 +1435,7 @@ } /* - * Function: LogNetData(TextLog*, u_char *,int) + * Function: LogNetData(TextLog*, u_char *,int, Packet *) * * Purpose: Do a side by side dump of a buffer, hex on * the left, decoded ASCII on the right. @@ -1353,13 +1451,19 @@ /* at end of packet:"41 02 43 04 45 06 47 08 A.C.E.G."*/ static char* pad3 = " "; -static void LogNetData (TextLog* log, const u_char* data, const int len) +static void LogNetData (TextLog* log, const u_char* data, const int len, Packet *p) { const u_char* pb = data; const u_char* end = data + len; int offset = 0; char conv[] = "0123456789ABCDEF"; /* xlation lookup table */ + int next_layer, ip_start, ip_ob_start, ip_ob_end, byte_pos, char_pos; + int i; + + next_layer = ip_start = byte_pos = char_pos = 0; + + ip_ob_start = ip_ob_end = -1; if ( !len ) { @@ -1384,10 +1488,40 @@ end = data + BYTES_PER_FRAME; } + if(p && ScObfuscate() ) + { + next_layer = p->next_layer; + for ( i = 0; i < next_layer; i++ ) + { + if ( p->layers[i].proto == PROTO_IP4 +#ifdef SUP_IP6 + || p->layers[i].proto == PROTO_IP6 +#endif + ) + { + if(p->layers[i].length && p->layers[i].start) + break; + } + } + + ip_start = p->layers[i].start - data; + + if(ip_start > 0 ) + { + ip_ob_start = ip_start + 10; + if(p->layers[i].proto == PROTO_IP4) + ip_ob_end = ip_ob_start + 2 + 2*(sizeof(struct in_addr)); + else + ip_ob_end = ip_ob_start + 2 + 2*(sizeof(struct in6_addr)); + + } + + } + /* loop thru the whole buffer */ while ( pb < end ) { - int i = 0; + i = 0; if (ScVerboseByteDump()) { 
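Review bot: The layer search in LogNetData reads `p->layers[i]` after the loop even when no IPv4/IPv6 layer was found, in which case i == next_layer and the access is past the last populated entry; guard on `i < next_layer` before using it. The offsets are also wrong for IPv6: `ip_ob_start = ip_start + 10` masks the IPv4 checksum plus both addresses (bytes 10–19), but an IPv6 header carries its source address from byte 8 and both addresses end at byte 40, so the first two bytes of the source address are dumped in clear and four bytes past the header are masked instead. The `ip_start > 0` test additionally disables masking whenever the IP header starts at offset 0 of the dump (no link layer present), where `>= 0` is what is intended. Only the first IP layer is masked, so inner addresses of GRE/Teredo-encapsulated packets still appear in the hex dump — at least worth a comment if that is accepted. The enclosing function starts before and ends after this hunk.
```c
/* … unchanged: loop locating the first populated IPv4/IPv6 layer … */
if ( i < next_layer )
{
    ip_start = p->layers[i].start - data;

    if ( ip_start >= 0 )
    {
        if ( p->layers[i].proto == PROTO_IP4 )
        {
            /* IPv4: mask header checksum + src + dst (bytes 10..19) */
            ip_ob_start = ip_start + 10;
            ip_ob_end = ip_ob_start + 2 + 2 * sizeof(struct in_addr);
        }
        else
        {
            /* IPv6: no checksum field; src + dst occupy bytes 8..39 */
            ip_ob_start = ip_start + 8;
            ip_ob_end = ip_ob_start + 2 * sizeof(struct in6_addr);
        }
    }
}
```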
@@ -1396,26 +1530,42 @@ } /* process one frame */ /* first print the binary as ascii hex */ - for (i = 0; i < BYTES_PER_FRAME && pb+i < end; i++) + for (i = 0; i < BYTES_PER_FRAME && pb+i < end; i++, byte_pos++) { - char b = pb[i]; - TextLog_Putc(log, conv[(b & 0xFF) >> 4]); - TextLog_Putc(log, conv[(b & 0xFF) & 0x0F]); - TextLog_Putc(log, ' '); + if(ScObfuscate() && ((byte_pos >= ip_ob_start) && (byte_pos < ip_ob_end))) + { + TextLog_Putc(log, 'X'); + TextLog_Putc(log, 'X'); + TextLog_Putc(log, ' '); + } + else + { + char b = pb[i]; + TextLog_Putc(log, conv[(b & 0xFF) >> 4]); + TextLog_Putc(log, conv[(b & 0xFF) & 0x0F]); + TextLog_Putc(log, ' '); + } } /* print ' ' past end of packet and before ascii */ TextLog_Puts(log, pad3+(3*i)); /* then print the actual ascii chars */ /* or a '.' for control chars */ - for (i = 0; i < BYTES_PER_FRAME && pb+i < end; i++) + for (i = 0; i < BYTES_PER_FRAME && pb+i < end; i++, char_pos++) { - char b = pb[i]; - - if ( b > 0x1F && b < 0x7F) - TextLog_Putc(log, (char)(b & 0xFF)); + if(ScObfuscate() && ((char_pos >= ip_ob_start) && (char_pos < ip_ob_end))) + { + TextLog_Putc(log, 'X'); + } else - TextLog_Putc(log, '.'); + { + char b = pb[i]; + + if ( b > 0x1F && b < 0x7F) + TextLog_Putc(log, (char)(b & 0xFF)); + else + TextLog_Putc(log, '.'); + } } pb += BYTES_PER_FRAME; TextLog_NewLine(log); 
@@ -1423,6 +1573,47 @@ TextLog_NewLine(log); } +#define SEPARATOR \ + "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+" + +static int LogObfuscatedData(TextLog* log, Packet *p) +{ + uint8_t *payload = NULL; + uint16_t payload_len = 0; + + if (obApi->getObfuscatedPayload(p, &payload, + (uint16_t *)&payload_len) != OB_RET_SUCCESS) + { + return -1; + } + + /* dump the application layer data */ + if (ScOutputAppData() && !ScVerboseByteDump()) + { + if (ScOutputCharData()) + LogCharData(log, (char *)payload, payload_len); + else + LogNetData(log, payload, payload_len, NULL); + } + else if (ScVerboseByteDump()) + { + uint8_t buf[UINT16_MAX]; + uint16_t dlen = p->data - p->pkt; + + SafeMemcpy(buf, p->pkt, dlen, buf, buf + sizeof(buf)); + SafeMemcpy(buf + dlen, payload, payload_len, + buf, buf + sizeof(buf)); + + LogNetData(log, buf, dlen + payload_len, NULL); + } + + TextLog_Print(log, "%s\n\n", SEPARATOR); + + free(payload); + + return 0; +} + /*-------------------------------------------------------------------- * Function: LogIPPkt(TextLog*, int, Packet *) * @@ -1435,7 +1626,7 @@ * Returns: void function *-------------------------------------------------------------------- */ - + #ifdef SUP_IP6 #define DATA_PTR(p) \ ((u_char*)p->iph + (GET_IPH_HLEN(p) << 2)) @@ -1448,9 +1639,6 @@ (p->actual_ip_len - (IP_HLEN(p->iph) << 2)) #endif -#define SEPARATOR \ - "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+" - void LogIPPkt(TextLog* log, int type, Packet * p) { DEBUG_WRAP(DebugMessage(DEBUG_LOG, "LogIPPkt type = %d\n", type);); 
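Review bot: In the ScVerboseByteDump() branch of LogObfuscatedData both SafeMemcpy() results are discarded, so when `dlen + payload_len` exceeds the 64 KiB `buf` the second copy is refused but LogNetData is still told to dump `dlen + payload_len` bytes and reads past the end of buf. `uint16_t dlen = p->data - p->pkt` also silently truncates a pointer difference. Check the total against sizeof(buf) before copying and return -1 when it does not fit (the caller must then not fall back to the clear payload), and consider that a 64 KiB automatic array per call is a lot of stack for a logging path — a static or heap buffer is safer. The `(uint16_t *)&payload_len` cast is a no-op and can be dropped.
```c
else if (ScVerboseByteDump())
{
    uint8_t buf[UINT16_MAX];
    size_t dlen = (size_t)(p->data - p->pkt);

    /* refuse rather than read past buf when header + payload will not fit */
    if ( dlen + payload_len > sizeof(buf) )
    {
        free(payload);
        return -1;
    }

    SafeMemcpy(buf, p->pkt, dlen, buf, buf + sizeof(buf));
    SafeMemcpy(buf + dlen, payload, payload_len, buf, buf + sizeof(buf));

    LogNetData(log, buf, (int)(dlen + payload_len), NULL);
}
```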
@@ -1459,18 +1647,27 @@ LogTimeStamp(log, p); /* dump the ethernet header if we're doing that sort of thing */ - if (ScOutputDataLink()) + if ( ScOutputDataLink() ) { Log2ndHeader(log, p); - } - + #ifdef MPLS - if(p->mpls) - { - LogMPLSHeader(log, p); - } + if ( p->mpls ) + { + LogMPLSHeader(log, p); + } #endif - /* etc */ + +#ifdef GRE + if ( p->outer_iph ) + { + LogOuterIPHeader(log, p); + if ( p->greh ) + LogGREHeader(log, p); + } +#endif + } + LogIPHeader(log, p); /* if this isn't a fragment, print the other header info */ @@ -1486,7 +1683,7 @@ } else { - LogNetData(log, DATA_PTR(p), DATA_LEN(p)); + LogNetData(log, DATA_PTR(p), DATA_LEN(p), NULL); } break; @@ -1497,7 +1694,7 @@ } else { - LogNetData(log, DATA_PTR(p), DATA_LEN(p)); + LogNetData(log, DATA_PTR(p), DATA_LEN(p), NULL); } break; @@ -1509,7 +1706,7 @@ } else { - LogNetData(log, DATA_PTR(p), GET_IP_PAYLEN(p)); + LogNetData(log, DATA_PTR(p), GET_IP_PAYLEN(p), NULL); } break; 
@@ -1518,17 +1715,47 @@ } } + if ((p->dsize > 0) && obApi->payloadObfuscationRequired(p) + && (LogObfuscatedData(log, p) == 0)) + { + return; + } + /* dump the application layer data */ if (ScOutputAppData() && !ScVerboseByteDump()) { if (ScOutputCharData()) - LogCharData(log, (char*) p->data, p->dsize); + { + LogCharData(log, (char *)p->data, p->dsize); + if(!IsJSNormData(p->ssnptr)) + { + TextLog_Print(log, "%s\n", "Normalized JavaScript for this packet"); + LogCharData(log, (char *)file_data_ptr.data, file_data_ptr.len); + } + else if(!IsGzipData(p->ssnptr)) + { + TextLog_Print(log, "%s\n", "Decompressed Data for this packet"); + LogCharData(log, (char *)file_data_ptr.data, file_data_ptr.len); + } + } else - LogNetData(log, p->data, p->dsize); + { + LogNetData(log, p->data, p->dsize, NULL); + if(!IsJSNormData(p->ssnptr)) + { + TextLog_Print(log, "%s\n", "Normalized JavaScript for this packet"); + LogNetData(log, file_data_ptr.data, file_data_ptr.len, NULL); + } + else if(!IsGzipData(p->ssnptr)) + { + TextLog_Print(log, "%s\n", "Decompressed Data for this packet"); + LogNetData(log, file_data_ptr.data, file_data_ptr.len, NULL); + } + } } else if (ScVerboseByteDump()) { - LogNetData(log, p->pkt, p->pkth->caplen); + LogNetData(log, p->pkt, p->pkth->caplen, p); } TextLog_Print(log, "%s\n\n", SEPARATOR); @@ -1556,12 +1783,12 @@ memset((struct in_addr *) &ip_addr, 0, sizeof(struct in_addr)); /* determine what to use as MAC src and dst */ - if (p->eh != NULL) + if (p->eh != NULL) { mac_src = p->eh->ether_src; mac_dst = p->eh->ether_dst; } /* per table 4, 802.11 section 7.2.2 */ - else if (p->wifih != NULL && + else if (p->wifih != NULL && (p->wifih->frame_control & WLAN_FLAG_FROMDS)) { mac_src = p->wifih->addr3; @@ -1579,8 +1806,8 @@ mac_dst = p->wifih->addr1; } - /* - * if these are null this function will break, exit until + /* + * if these are null this function will break, exit until * someone writes a function for it... */ if(mac_src == NULL || mac_dst == NULL) 
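Review bot: The new obfuscation gate is fail-open: when payloadObfuscationRequired(p) is true but LogObfuscatedData() returns -1 (getObfuscatedPayload failure), control falls through to the unconditional dumps below and the unmasked payload is written to the log, which defeats the check. Unless a failed getObfuscatedPayload() is defined to mean "nothing needs masking", the required-obfuscation path should return regardless of outcome and record that the payload was suppressed. The `if(!IsJSNormData(p->ssnptr))` / `if(!IsGzipData(p->ssnptr))` tests read as inverted; a comment that these helpers return 0 when the decoded data is available would prevent a well-meaning "fix". LogIPPkt begins before this hunk.
```c
if ((p->dsize > 0) && obApi->payloadObfuscationRequired(p))
{
    if (LogObfuscatedData(log, p) != 0)
    {
        /* never fall back to the clear payload when masking was required */
        TextLog_Print(log, "Payload obfuscation failed; payload not logged\n%s\n\n", SEPARATOR);
    }
    return;
}

/* … unchanged: application-data dumps for the non-obfuscated case … */
```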
@@ -1630,7 +1857,7 @@ TextLog_Print(log, "ARP reply %s", inet_ntoa(ip_addr)); /* print out the originating request if we're on a weirder - * wireless protocol */ + * wireless protocol */ if(memcmp((char *) mac_src, (char *) p->ah->arp_sha, 6) != 0) { TextLog_Print(log, " (%X:%X:%X:%X:%X:%X)", mac_src[0], @@ -1677,3 +1904,4 @@ } #endif // NO_NON_ETHER_DECODER + diff -Nru snort-2.8.5.2/src/log_text.h snort-2.9.2/src/log_text.h --- snort-2.8.5.2/src/log_text.h 2009-05-06 22:28:15.000000000 +0000 +++ snort-2.9.2/src/log_text.h 2011-06-08 00:33:06.000000000 +0000 @@ -1,7 +1,7 @@ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -22,7 +22,7 @@ /** * @file log_text.h - * @author Russ Combs + * @author Russ Combs * @date Fri Jun 27 10:34:37 2003 * * @brief logging to text file @@ -43,6 +43,7 @@ void LogTimeStamp(TextLog*, Packet*); void LogTrHeader(TextLog*, Packet*); void Log2ndHeader(TextLog*, Packet*); +void LogIpAddrs(TextLog*, Packet*); void LogIPHeader(TextLog*, Packet*); void LogTCPHeader(TextLog*, Packet*); void LogUDPHeader(TextLog*, Packet*); @@ -60,7 +61,7 @@ static void LogICMPEmbeddedIP(TextLog*, Packet*); static void LogReference(TextLog*, ReferenceNode*); static void ScOutputCharData(TextLog*, char* data, int len); -static void LogNetData (TextLog*, const u_char* data, const int len); +static void LogNetData (TextLog*, const u_char* data, const int len, Packet *); #endif #if 0 diff -Nru snort-2.8.5.2/src/Makefile.am snort-2.9.2/src/Makefile.am --- snort-2.8.5.2/src/Makefile.am 2009-10-19 15:48:42.000000000 +0000 +++ snort-2.9.2/src/Makefile.am 2011-10-26 18:28:52.000000000 +0000 
@@ -3,16 +3,22 @@ bin_PROGRAMS = snort +if BUILD_SNPRINTF +SNPRINTF_SOURCES = snprintf.c snprintf.h +endif + snort_SOURCES = cdefs.h \ event.h \ generators.h \ -prototypes.h \ +sf_protocols.h \ plugin_enum.h \ rules.h \ -sys_include.h \ +treenodes.h \ checksum.h \ -debug.c debug.h \ +debug.c snort_debug.h \ decode.c decode.h \ +encode.c encode.h \ +active.c active.h \ log.c log.h \ mstring.c mstring.h \ parser.c parser.h \ @@ -21,7 +27,7 @@ preprocids.h \ snort.c snort.h \ build.h \ -snprintf.c snprintf.h \ +$(SNPRINTF_SOURCES) \ strlcatu.c strlcatu.h \ strlcpyu.c strlcpyu.h \ tag.c tag.h \ @@ -29,11 +35,11 @@ detect.c detect.h \ signature.c signature.h \ mempool.c mempool.h \ -sf_sdlist.c sf_sdlist.h \ +sf_sdlist.c sf_sdlist.h sf_sdlist_types.h \ fpcreate.c fpcreate.h \ fpdetect.c fpdetect.h \ pcrm.c pcrm.h \ -bounds.h \ +snort_bounds.h \ byte_extract.c \ byte_extract.h \ timersub.h \ @@ -41,9 +47,7 @@ sfthreshold.c sfthreshold.h \ packet_time.c packet_time.h \ event_wrapper.c event_wrapper.h \ -smalloc.h \ event_queue.c event_queue.h \ -inline.c inline.h \ ipv6_port.h \ ppm.c ppm.h \ pcap_pkthdr32.h \ @@ -51,7 +55,12 @@ sf_types.h \ log_text.c log_text.h \ detection_filter.c detection_filter.h \ -rate_filter.c rate_filter.h +detection_util.c detection_util.h \ +rate_filter.c rate_filter.h \ +obfuscation.c obfuscation.h \ +rule_option_types.h \ +sfdaq.c sfdaq.h \ +idle_processing.c idle_processing.h idle_processing_funcs.h snort_LDADD = output-plugins/libspo.a \ detection-plugins/libspd.a \ 
@@ -61,10 +70,14 @@ target-based/libtarget_based.a \ preprocessors/HttpInspect/libhttp_inspect.a \ preprocessors/Stream5/libstream5.a \ -sfutil/libsfutil.a +sfutil/libsfutil.a \ +control/libsfcontrol.a +if BUILD_DYNAMIC_EXAMPLES EXAMPLES_DIR = dynamic-examples +endif + -SUBDIRS = sfutil win32 output-plugins detection-plugins dynamic-plugins preprocessors parser dynamic-preprocessors target-based $(EXAMPLES_DIR) +SUBDIRS = sfutil win32 output-plugins detection-plugins dynamic-plugins preprocessors parser dynamic-preprocessors target-based control $(EXAMPLES_DIR) INCLUDES = @INCLUDES@ diff -Nru snort-2.8.5.2/src/Makefile.in snort-2.9.2/src/Makefile.in --- snort-2.8.5.2/src/Makefile.in 2009-10-19 21:17:59.000000000 +0000 +++ snort-2.9.2/src/Makefile.in 2011-12-07 19:23:17.000000000 +0000 @@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -16,8 +17,9 @@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c 
@@ -43,28 +45,51 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = am__installdirs = "$(DESTDIR)$(bindir)" -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) PROGRAMS = $(bin_PROGRAMS) -am_snort_OBJECTS = debug.$(OBJEXT) decode.$(OBJEXT) log.$(OBJEXT) \ - mstring.$(OBJEXT) parser.$(OBJEXT) profiler.$(OBJEXT) \ - plugbase.$(OBJEXT) snort.$(OBJEXT) snprintf.$(OBJEXT) \ - strlcatu.$(OBJEXT) strlcpyu.$(OBJEXT) tag.$(OBJEXT) \ - util.$(OBJEXT) detect.$(OBJEXT) signature.$(OBJEXT) \ - mempool.$(OBJEXT) sf_sdlist.$(OBJEXT) fpcreate.$(OBJEXT) \ - fpdetect.$(OBJEXT) pcrm.$(OBJEXT) byte_extract.$(OBJEXT) \ - sfthreshold.$(OBJEXT) packet_time.$(OBJEXT) \ - event_wrapper.$(OBJEXT) event_queue.$(OBJEXT) inline.$(OBJEXT) \ - ppm.$(OBJEXT) log_text.$(OBJEXT) detection_filter.$(OBJEXT) \ - rate_filter.$(OBJEXT) +am__snort_SOURCES_DIST = cdefs.h event.h generators.h sf_protocols.h \ + plugin_enum.h rules.h treenodes.h checksum.h debug.c \ + snort_debug.h decode.c decode.h encode.c encode.h active.c \ + active.h log.c log.h mstring.c mstring.h parser.c parser.h \ + profiler.c profiler.h plugbase.c plugbase.h preprocids.h \ + snort.c snort.h build.h snprintf.c snprintf.h strlcatu.c \ + strlcatu.h strlcpyu.c strlcpyu.h tag.c tag.h util.c util.h \ + detect.c detect.h signature.c signature.h mempool.c mempool.h \ + sf_sdlist.c sf_sdlist.h sf_sdlist_types.h fpcreate.c \ + fpcreate.h fpdetect.c fpdetect.h pcrm.c pcrm.h snort_bounds.h \ + byte_extract.c byte_extract.h timersub.h spo_plugbase.h \ + sfthreshold.c sfthreshold.h packet_time.c packet_time.h \ + event_wrapper.c event_wrapper.h event_queue.c event_queue.h \ + ipv6_port.h ppm.c ppm.h pcap_pkthdr32.h cpuclock.h sf_types.h \ + log_text.c log_text.h detection_filter.c detection_filter.h \ + detection_util.c detection_util.h rate_filter.c rate_filter.h \ + obfuscation.c obfuscation.h rule_option_types.h sfdaq.c \ + sfdaq.h idle_processing.c 
idle_processing.h \ + idle_processing_funcs.h +@BUILD_SNPRINTF_TRUE@am__objects_1 = snprintf.$(OBJEXT) +am_snort_OBJECTS = debug.$(OBJEXT) decode.$(OBJEXT) encode.$(OBJEXT) \ + active.$(OBJEXT) log.$(OBJEXT) mstring.$(OBJEXT) \ + parser.$(OBJEXT) profiler.$(OBJEXT) plugbase.$(OBJEXT) \ + snort.$(OBJEXT) $(am__objects_1) strlcatu.$(OBJEXT) \ + strlcpyu.$(OBJEXT) tag.$(OBJEXT) util.$(OBJEXT) \ + detect.$(OBJEXT) signature.$(OBJEXT) mempool.$(OBJEXT) \ + sf_sdlist.$(OBJEXT) fpcreate.$(OBJEXT) fpdetect.$(OBJEXT) \ + pcrm.$(OBJEXT) byte_extract.$(OBJEXT) sfthreshold.$(OBJEXT) \ + packet_time.$(OBJEXT) event_wrapper.$(OBJEXT) \ + event_queue.$(OBJEXT) ppm.$(OBJEXT) log_text.$(OBJEXT) \ + detection_filter.$(OBJEXT) detection_util.$(OBJEXT) \ + rate_filter.$(OBJEXT) obfuscation.$(OBJEXT) sfdaq.$(OBJEXT) \ + idle_processing.$(OBJEXT) snort_OBJECTS = $(am_snort_OBJECTS) snort_DEPENDENCIES = output-plugins/libspo.a \ detection-plugins/libspd.a dynamic-plugins/libdynamic.a \ preprocessors/libspp.a parser/libparser.a \ target-based/libtarget_based.a \ preprocessors/HttpInspect/libhttp_inspect.a \ - preprocessors/Stream5/libstream5.a sfutil/libsfutil.a -DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ + preprocessors/Stream5/libstream5.a sfutil/libsfutil.a \ + control/libsfcontrol.a +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = am__depfiles_maybe = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ @@ -77,7 +102,7 @@ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ $(LDFLAGS) -o $@ SOURCES = $(snort_SOURCES) -DIST_SOURCES = $(snort_SOURCES) +DIST_SOURCES = $(am__snort_SOURCES_DIST) RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \ html-recursive info-recursive install-data-recursive \ install-dvi-recursive install-exec-recursive \ 
@@ -87,10 +112,40 @@ ps-recursive uninstall-recursive RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive +AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \ + $(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \ + distdir ETAGS = etags CTAGS = ctags -DIST_SUBDIRS = $(SUBDIRS) +DIST_SUBDIRS = sfutil win32 output-plugins detection-plugins \ + dynamic-plugins preprocessors parser dynamic-preprocessors \ + target-based control dynamic-examples DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +am__relativize = \ + dir0=`pwd`; \ + sed_first='s,^\([^/]*\)/.*$$,\1,'; \ + sed_rest='s,^[^/]*/*,,'; \ + sed_last='s,^.*/\([^/]*\)$$,\1,'; \ + sed_butlast='s,/*[^/]*$$,,'; \ + while test -n "$$dir1"; do \ + first=`echo "$$dir1" | sed -e "$$sed_first"`; \ + if test "$$first" != "."; then \ + if test "$$first" = ".."; then \ + dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ + dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ + else \ + first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ + if test "$$first2" = "$$first"; then \ + dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ + else \ + dir2="../$$dir2"; \ + fi; \ + dir0="$$dir0"/"$$first"; \ + fi; \ + fi; \ + dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ + done; \ + reldir="$$dir2" ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AR = @AR@ 
@@ -100,31 +155,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ @@ -137,12 +192,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -150,20 +211,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -195,6 +263,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -207,19 +276,23 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies +@BUILD_SNPRINTF_TRUE@SNPRINTF_SOURCES = snprintf.c snprintf.h snort_SOURCES = cdefs.h \ event.h \ generators.h \ -prototypes.h \ +sf_protocols.h \ plugin_enum.h \ rules.h \ -sys_include.h \ +treenodes.h \ checksum.h \ -debug.c debug.h \ +debug.c snort_debug.h \ decode.c decode.h \ +encode.c encode.h \ +active.c active.h \ log.c log.h \ mstring.c mstring.h \ parser.c parser.h \ @@ -228,7 +301,7 @@ preprocids.h \ snort.c snort.h \ build.h \ -snprintf.c snprintf.h \ +$(SNPRINTF_SOURCES) \ strlcatu.c strlcatu.h \ strlcpyu.c strlcpyu.h \ tag.c tag.h \ 
@@ -236,11 +309,11 @@ detect.c detect.h \ signature.c signature.h \ mempool.c mempool.h \ -sf_sdlist.c sf_sdlist.h \ +sf_sdlist.c sf_sdlist.h sf_sdlist_types.h \ fpcreate.c fpcreate.h \ fpdetect.c fpdetect.h \ pcrm.c pcrm.h \ -bounds.h \ +snort_bounds.h \ byte_extract.c \ byte_extract.h \ timersub.h \ @@ -248,9 +321,7 @@ sfthreshold.c sfthreshold.h \ packet_time.c packet_time.h \ event_wrapper.c event_wrapper.h \ -smalloc.h \ event_queue.c event_queue.h \ -inline.c inline.h \ ipv6_port.h \ ppm.c ppm.h \ pcap_pkthdr32.h \ @@ -258,7 +329,12 @@ sf_types.h \ log_text.c log_text.h \ detection_filter.c detection_filter.h \ -rate_filter.c rate_filter.h +detection_util.c detection_util.h \ +rate_filter.c rate_filter.h \ +obfuscation.c obfuscation.h \ +rule_option_types.h \ +sfdaq.c sfdaq.h \ +idle_processing.c idle_processing.h idle_processing_funcs.h snort_LDADD = output-plugins/libspo.a \ detection-plugins/libspd.a \ @@ -268,10 +344,11 @@ target-based/libtarget_based.a \ preprocessors/HttpInspect/libhttp_inspect.a \ preprocessors/Stream5/libstream5.a \ -sfutil/libsfutil.a +sfutil/libsfutil.a \ +control/libsfcontrol.a -EXAMPLES_DIR = dynamic-examples -SUBDIRS = sfutil win32 output-plugins detection-plugins dynamic-plugins preprocessors parser dynamic-preprocessors target-based $(EXAMPLES_DIR) +@BUILD_DYNAMIC_EXAMPLES_TRUE@EXAMPLES_DIR = dynamic-examples +SUBDIRS = sfutil win32 output-plugins detection-plugins dynamic-plugins preprocessors parser dynamic-preprocessors target-based control $(EXAMPLES_DIR) all: all-recursive .SUFFIXES: 
@@ -280,14 +357,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ 
@@ -305,34 +382,50 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): install-binPROGRAMS: $(bin_PROGRAMS) @$(NORMAL_INSTALL) test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)" - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \ - else :; fi; \ - done + @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ + for p in $$list; do echo "$$p $$p"; done | \ + sed 's/$(EXEEXT)$$//' | \ + while read p p1; do if test -f $$p || test -f $$p1; \ + then echo "$$p"; echo "$$p"; else :; fi; \ + done | \ + sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \ + -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ + sed 'N;N;N;s,\n, ,g' | \ + $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ + { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ + if ($$2 == $$4) files[d] = files[d] " " $$1; \ + else { print "f", $$3 "/" $$4, $$1; } } \ + END { for (d in files) print "f", d, files[d] }' | \ + while read type dir files; do \ + if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ + test -z "$$files" || { \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \ + } \ + ; done uninstall-binPROGRAMS: @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 
's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \ - rm -f "$(DESTDIR)$(bindir)/$$f"; \ - done + @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ + files=`for p in $$list; do echo "$$p"; done | \ + sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ + -e 's/$$/$(EXEEXT)/' `; \ + test -n "$$list" || exit 0; \ + echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(bindir)" && rm -f $$files clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done + @list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list snort$(EXEEXT): $(snort_OBJECTS) $(snort_DEPENDENCIES) @rm -f snort$(EXEEXT) $(LINK) $(snort_OBJECTS) $(snort_LDADD) $(LIBS) @@ -365,7 +458,7 @@ # (which will cause the Makefiles to be regenerated when you run `make'); # (2) otherwise, pass the desired values on the `make' command line. $(RECURSIVE_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ @@ -382,7 +475,7 @@ else \ local_target="$$target"; \ fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done; \ if test "$$dot_seen" = "no"; then \ @@ -390,7 +483,7 @@ fi; test -z "$$fail" $(RECURSIVE_CLEAN_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ 
@@ -416,16 +509,16 @@ else \ local_target="$$target"; \ fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done && test -z "$$fail" tags-recursive: list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ + test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ done ctags-recursive: list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ + test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ done ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) @@ -433,14 +526,14 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ include_option=--etags-include; \ 
@@ -452,39 +545,43 @@ list='$(SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test ! -f $$subdir/TAGS || \ - tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \ + set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ fi; \ done; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags 
@@ -505,29 +602,44 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done - list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test -d "$(distdir)/$$subdir" \ || $(MKDIR_P) "$(distdir)/$$subdir" \ || exit 1; \ - distdir=`$(am__cd) $(distdir) && pwd`; \ - top_distdir=`$(am__cd) $(top_distdir) && pwd`; \ - (cd $$subdir && \ + fi; \ + done + @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ + $(am__relativize); \ + new_distdir=$$reldir; \ + dir1=$$subdir; dir2="$(top_distdir)"; \ + $(am__relativize); \ + new_top_distdir=$$reldir; \ + echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ + echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ + ($(am__cd) $$subdir && \ $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$$top_distdir" \ - distdir="$$distdir/$$subdir" \ + top_distdir="$$new_top_distdir" \ + distdir="$$new_distdir" \ am__remove_distdir=: \ am__skip_length_check=: \ + am__skip_mode_fix=: \ distdir) \ || exit 1; \ fi; \ 
@@ -560,6 +672,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -579,6 +692,8 @@ html: html-recursive +html-am: + info: info-recursive info-am: @@ -587,18 +702,28 @@ install-dvi: install-dvi-recursive +install-dvi-am: + install-exec-am: install-binPROGRAMS install-html: install-html-recursive +install-html-am: + install-info: install-info-recursive +install-info-am: + install-man: install-pdf: install-pdf-recursive +install-pdf-am: + install-ps: install-ps-recursive +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-recursive @@ -620,8 +745,8 @@ uninstall-am: uninstall-binPROGRAMS -.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \ - install-strip +.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \ + install-am install-strip tags-recursive .PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \ all all-am check check-am clean clean-binPROGRAMS \ @@ -639,6 +764,7 @@ tags tags-recursive uninstall uninstall-am \ uninstall-binPROGRAMS + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/src/mempool.c snort-2.9.2/src/mempool.c --- snort-2.8.5.2/src/mempool.c 2009-08-10 20:41:39.000000000 +0000 +++ snort-2.9.2/src/mempool.c 2011-10-26 18:28:52.000000000 +0000 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify 
@@ -37,10 +37,17 @@ #endif #include "mempool.h" +#include "sf_sdlist.h" #include "util.h" -#include "debug.h" +#include "snort_debug.h" +#include "sf_types.h" +/*SharedObjectAddStarts +#include "sf_dynamic_preprocessor.h" +SharedObjectAddEnds */ -static INLINE void mempool_free_pools(MemPool *mempool) +//#define TEST_MEMPOOL + +static inline void mempool_free_pools(MemPool *mempool) { if (mempool == NULL) return; @@ -66,19 +73,19 @@ /* Function: int mempool_init(MemPool *mempool, * PoolCount num_objects, size_t obj_size) - * + * * Purpose: initialize a mempool object and allocate memory for it * Args: mempool - pointer to a MemPool struct * num_objects - number of items in this pool * obj_size - size of the items - * + * * Returns: 0 on success, 1 on failure - */ + */ int mempool_init(MemPool *mempool, PoolCount num_objects, size_t obj_size) { PoolCount i; - + if(mempool == NULL) return 1; @@ -89,7 +96,7 @@ return 1; mempool->obj_size = obj_size; - + /* this is the basis pool that represents all the *data pointers in the list */ mempool->datapool = calloc(num_objects, obj_size); 
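Review bot: The `//#define TEST_MEMPOOL` added just above mempool_free_pools is a commented-out build toggle, and the test-only printf blocks it gates elsewhere in this file are reachable from the build line alone. Leaving a disabled define in the source invites someone to flip it locally and commit it with the diagnostic output enabled. Either drop the line or replace it with a comment such as `/* build with -DTEST_MEMPOOL to enable the self-test and diagnostic printfs */`. mempool_free_pools and mempool_init both continue outside this hunk.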
@@ -140,29 +147,26 @@ bp = &mempool->bucketpool[i]; itemp = &mempool->listpool[i]; - + /* each bucket knows where it resides in the list */ bp->key = itemp; -#ifdef TEST_MEMPOOL +#ifdef TEST_MEMPOOL printf("listpool: %p itemp: %p diff: %u\n", - mempool->listpool, itemp, - (((char *) itemp) - - ((char *) mempool->listpool))); -#endif /* TEST_MEMPOOL */ - + mempool->listpool, itemp, + (((char *) itemp) - ((char *) mempool->listpool))); +#endif + bp->data = ((char *) mempool->datapool) + (i * mempool->obj_size); - -#ifdef TEST_MEMPOOL + +#ifdef TEST_MEMPOOL printf("datapool: %p bp.data: %p diff: %u\n", - mempool->datapool, - mempool->datapool + (i * mempool->obj_size), - (((char *) bp->data) - - ((char *) mempool->datapool))); -#endif /* TEST_MEMPOOL */ - + mempool->datapool, + mempool->datapool + (i * mempool->obj_size), + (((char *) bp->data) - ((char *) mempool->datapool))); +#endif - if(sf_sdlist_append(&mempool->free_list, + if(sf_sdlist_append(&mempool->free_list, &mempool->bucketpool[i], &mempool->listpool[i])) { @@ -172,22 +176,19 @@ return 1; } - mempool->free++; + mempool->total++; } - mempool->used = 0; - mempool->total = num_objects; - return 0; } -/* Function: int mempool_clean(MemPool *mempool) - * +/* Function: int mempool_clean(MemPool *mempool) + * * Purpose: return all memory to free list * Args: mempool - pointer to a MemPool struct - * + * * Returns: 0 on success, -1 on failure - */ + */ int mempool_clean(MemPool *mempool) { unsigned int i; @@ -200,13 +201,11 @@ ret = sf_sdlist_delete(&mempool->used_list); if (ret != 0) return -1; - mempool->used = 0; /* clean free list */ ret = sf_sdlist_delete(&mempool->free_list); if (ret != 0) return -1; - mempool->free = 0; /* add everything back to free list */ for (i = 0; i < mempool->total; i++) 
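Review bot: In the second hunk `mempool->total++` now counts successful sf_sdlist_append calls, and the former `mempool->total = num_objects;` after the loop is gone, but nothing in the hunk shows `total` being zeroed before the loop; mempool_init starts outside the hunk, so that initialization may well exist there. If it does not, a stack-allocated or reused MemPool enters the loop with a stale `total`, and mempool_clean's `for (i = 0; i < mempool->total; i++)` in the third hunk would then walk past the end of `bucketpool` and `listpool`. A `mempool->total = 0;` immediately before the loop would make the invariant local and obvious, and a comment such as `/* total counts buckets actually linked into free_list, which mempool_clean relies on */` would document why the per-iteration increment replaced the assignment.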
@@ -215,20 +214,18 @@ &mempool->listpool[i]); if (ret == -1) return -1; - - mempool->free++; } return 0; } -/* Function: int mempool_destroy(MemPool *mempool) - * +/* Function: int mempool_destroy(MemPool *mempool) + * * Purpose: destroy a set of mempool objects * Args: mempool - pointer to a MemPool struct - * + * * Returns: 0 on success, 1 on failure - */ + */ int mempool_destroy(MemPool *mempool) { if(mempool == NULL) @@ -238,29 +235,24 @@ /* TBD - callback to free up every stray pointer */ memset(mempool, 0, sizeof(MemPool)); - - return 0; + + return 0; } /* Function: MemBucket *mempool_alloc(MemPool *mempool); - * + * * Purpose: allocate a new object from the mempool * Args: mempool - pointer to a MemPool struct - * + * * Returns: a pointer to the mempool object on success, NULL on failure - */ + */ MemBucket *mempool_alloc(MemPool *mempool) { SDListItem *li = NULL; MemBucket *b; - - if(mempool == NULL) - { - return NULL; - } - if(mempool->free <= 0) + if(mempool == NULL) { return NULL; } @@ -273,44 +265,49 @@ if((li == NULL) || sf_sdlist_remove(&mempool->free_list, li)) { +#ifdef TEST_MEMPOOL printf("Failure on sf_sdlist_remove\n"); +#endif return NULL; } - mempool->free--; - mempool->used++; - if(sf_sdlist_append(&mempool->used_list, li->data, li)) { +#ifdef TEST_MEMPOOL printf("Failure on sf_sdlist_append\n"); +#endif return NULL; } /* TBD -- make configurable */ b = li->data; bzero(b->data, mempool->obj_size); - + return b; } void mempool_free(MemPool *mempool, MemBucket *obj) -{ +{ + if ((mempool == NULL) || (obj == NULL)) + return; + if(sf_sdlist_remove(&mempool->used_list, obj->key)) { +#ifdef TEST_MEMPOOL printf("failure on remove from used_list"); +#endif return; } - - mempool->used--; /* put the address of the membucket back in the list */ if(sf_sdlist_append(&mempool->free_list, obj, obj->key)) { +#ifdef TEST_MEMPOOL printf("failure on add to free_list"); +#endif return; } - mempool->free++; return; } 
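Review bot: With the `free`/`used` counters gone, `total`, `free_list.size` and `used_list.size` are the pool's only bookkeeping, and the failure path in mempool_alloc breaks that reconciliation: once `sf_sdlist_remove(&mempool->free_list, li)` has succeeded, a failing `sf_sdlist_append(&mempool->used_list, li->data, li)` returns NULL with the bucket linked into neither list, and the same shape appears in mempool_free after the remove from used_list. The bucket is then lost to the pool for its lifetime, and because the printf is now compiled out under TEST_MEMPOOL the loss is silent in a normal build. Putting the item back on the list it came from before returning, e.g. `sf_sdlist_append(&mempool->free_list, li->data, li);` ahead of `return NULL;` in mempool_alloc, keeps the three counts consistent; at minimum a comment on each path should record that the bucket is abandoned. The bodies of mempool_alloc and mempool_free both extend beyond the hunk.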
@@ -323,7 +320,6 @@ MemBucket *bucks[SIZE]; MemBucket *bucket = NULL; int i; - long long a = 1; //char *stuffs[4] = { "eenie", "meenie", "minie", "moe" }; char *stuffs2[36] = @@ -337,7 +333,7 @@ "1eenie", "2meenie", "3minie", " 4moe", "1eenie", "2meenie", "3minie", " 4moe" }; - + if(mempool_init(&test, 36, 256)) { printf("error in mempool initialization\n"); @@ -363,7 +359,7 @@ mempool_free(&test, bucks[i]); bucks[i] = NULL; } - + for(i = 0; i < 14; i++) { if((bucks[i] = mempool_alloc(&test)) == NULL) @@ -379,9 +375,9 @@ printf("bucket->data: %s\n", (char *) bucket->data); } - printf("free: %u, used: %u\n", test.free, test.used); + printf("free: %u, used: %u\n", test.free_list.size, test.used_list.size); + - return 0; } #endif /* TEST_MEMPOOL */ diff -Nru snort-2.8.5.2/src/mempool.h snort-2.9.2/src/mempool.h --- snort-2.8.5.2/src/mempool.h 2009-07-07 15:37:02.000000000 +0000 +++ snort-2.9.2/src/mempool.h 2011-11-21 20:15:24.000000000 +0000 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify @@ -23,8 +23,9 @@ #ifndef _MEMPOOL_H #define _MEMPOOL_H -#include "sf_sdlist.h" -#include "debug.h" +#include "sf_sdlist_types.h" +#include "sf_types.h" +#include "snort_debug.h" typedef unsigned int PoolCount; @@ -38,20 +39,17 @@ typedef struct _MemPool { void **datapool; /* memory buffer for MemBucket->data */ - + MemBucket *bucketpool; /* memory buffer */ SDListItem *listpool; /* list of things to use for memory bufs */ - PoolCount free; /* free block count */ - PoolCount used; /* used block count */ - PoolCount total; - + sfSDList free_list; sfSDList used_list; - - size_t obj_size; + + size_t obj_size; } MemPool; int mempool_init(MemPool *mempool, PoolCount num_objects, size_t obj_size); 
@@ -60,7 +58,7 @@ void mempool_free(MemPool *mempool, MemBucket *obj); int mempool_clean(MemPool *mempool); -static INLINE MemBucket* mempool_oldestUsedBucket( +static inline MemBucket* mempool_oldestUsedBucket( MemPool *mempool ) { @@ -73,11 +71,11 @@ return NULL; } -static INLINE unsigned int mempool_numUsedBucket( +static inline unsigned int mempool_numUsedBucket( MemPool *mempool ) { - return mempool->used; + return mempool->used_list.size; } #endif /* _MEMPOOL_H */ diff -Nru snort-2.8.5.2/src/mstring.c snort-2.9.2/src/mstring.c --- snort-2.8.5.2/src/mstring.c 2009-07-07 15:37:02.000000000 +0000 +++ snort-2.9.2/src/mstring.c 2011-06-08 00:33:06.000000000 +0000 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** This program is free software; you can redistribute it and/or modify @@ -50,16 +50,12 @@ #include #include +#include "sf_types.h" #include "mstring.h" -#include "debug.h" +#include "snort_debug.h" #include "plugbase.h" /* needed for fasthex() */ #include "util.h" - -#ifdef GIDS -extern int detect_depth; -#endif /* GIDS */ - -extern const uint8_t *doe_ptr; +#include "detection_util.h" static char * mSplitAddTok(const char *, const int, const char *, const char); @@ -228,7 +224,7 @@ if (!isspace((int)str[j - 1])) break; } - + /* Allocate a buffer. The length will not have included the * meta char of escaped separators */ toks[cur_tok] = mSplitAddTok(&str[tok_start], j - tok_start, sep_chars, meta_char); @@ -350,7 +346,7 @@ return NULL; } - + /* Trim whitespace at end of last tok */ for (j = i; j > tok_start; j--) { @@ -515,7 +511,7 @@ const char *p_idx; /* index ptr into the pattern buffer */ const char *b_end; /* ptr to the end of the data buffer */ int m_cnt = 0; /* number of pattern matches so far... */ -#ifdef DEBUG +#ifdef DEBUG_MSGS unsigned long loopcnt = 0; #endif @@ -528,7 +524,7 @@ do { -#ifdef DEBUG +#ifdef DEBUG_MSGS loopcnt++; #endif 
@@ -675,7 +671,7 @@ { int b_idx = plen; -#ifdef DEBUG +#ifdef DEBUG_MSGS char *hexbuf; int cmpcnt = 0; #endif @@ -683,7 +679,7 @@ DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,"buf: %p blen: %d ptrn: %p " "plen: %d\n", buf, blen, ptrn, plen);); -#ifdef DEBUG +#ifdef DEBUG_MSGS hexbuf = fasthex((const u_char *)buf, blen); DebugMessage(DEBUG_PATTERN_MATCH,"buf: %s\n", hexbuf); free(hexbuf); @@ -692,7 +688,7 @@ free(hexbuf); DebugMessage(DEBUG_PATTERN_MATCH,"buf: %p blen: %d ptrn: %p " "plen: %d\n", buf, blen, ptrn, plen); -#endif /* DEBUG */ +#endif /* DEBUG_MSGS */ if(plen == 0) return 1; @@ -702,7 +698,7 @@ while(buf[--b_idx] == ptrn[--p_idx]) { -#ifdef DEBUG +#ifdef DEBUG_MSGS cmpcnt++; #endif if(b_idx < 0) @@ -710,15 +706,9 @@ if(p_idx == 0) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "match: compares = %d.\n", cmpcnt);); - - doe_ptr = (const uint8_t *)&(buf[b_idx]) + plen; - -#ifdef GIDS - detect_depth = b_idx; -#endif /* GIDS */ - + UpdateDoePtr(((const uint8_t *)&(buf[b_idx]) + plen), 0); return 1; } } @@ -760,7 +750,7 @@ int mSearchCI(const char *buf, int blen, const char *ptrn, int plen, int *skip, int *shift) { int b_idx = plen; -#ifdef DEBUG +#ifdef DEBUG_MSGS int cmpcnt = 0; #endif @@ -771,21 +761,18 @@ { int p_idx = plen, skip_stride, shift_stride; - while((unsigned char) ptrn[--p_idx] == + while((unsigned char) ptrn[--p_idx] == toupper((unsigned char) buf[--b_idx])) { -#ifdef DEBUG +#ifdef DEBUG_MSGS cmpcnt++; #endif if(p_idx == 0) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "match: compares = %d.\n", + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "match: compares = %d.\n", cmpcnt);); - doe_ptr = (const uint8_t *)&(buf[b_idx]) + plen; -#ifdef GIDS - detect_depth = b_idx; -#endif /* GIDS */ + UpdateDoePtr(((const uint8_t *)&(buf[b_idx]) + plen), 0); return 1; } } 
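Review bot: The second argument in `UpdateDoePtr(((const uint8_t *)&(buf[b_idx]) + plen), 0);` in mSearch, and in the identical call in mSearchCI, is a bare `0` whose meaning is not visible at the call site; the code it replaces both set `doe_ptr` and, under GIDS, `detect_depth = b_idx`, so a reader cannot tell whether the literal stands in for that depth or is a flag. A one-line comment above each call naming what the argument selects, e.g. `/* 0: <meaning of second UpdateDoePtr argument> */`, or a named constant from detection_util.h if one exists, would make the intent explicit. The DEBUG to DEBUG_MSGS rename in the same hunks is fine as long as the `cmpcnt`/`hexbuf` declarations and their uses are all under the same macro, which the hunks show for the visible lines. Both functions start and end outside these hunks.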
@@ -827,17 +814,17 @@ int b_idx = plen; int literal = 0; int regexcomp = 0; -#ifdef DEBUG +#ifdef DEBUG_MSGS int cmpcnt = 0; -#endif /*DEBUG*/ - +#endif /* DEBUG_MSGS */ + DEBUG_WRAP( DebugMessage(DEBUG_PATTERN_MATCH, "buf: %p blen: %d ptrn: %p " " plen: %d b_idx: %d\n", buf, blen, ptrn, plen, b_idx); DebugMessage(DEBUG_PATTERN_MATCH, "packet data: \"%s\"\n", buf); DebugMessage(DEBUG_PATTERN_MATCH, "matching for \"%s\"\n", ptrn); ); - + if(plen == 0) return 1; @@ -847,8 +834,8 @@ DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Looping... " "([%d]0x%X (%c) -> [%d]0x%X(%c))\n", - b_idx, buf[b_idx-1], - buf[b_idx-1], + b_idx, buf[b_idx-1], + buf[b_idx-1], p_idx, ptrn[p_idx-1], ptrn[p_idx-1]);); while(buf[--b_idx] == ptrn[--p_idx] @@ -856,9 +843,9 @@ || (ptrn[p_idx] == '*' && !literal) || (ptrn[p_idx] == '\\' && !literal)) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "comparing: b:%c -> p:%c\n", + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "comparing: b:%c -> p:%c\n", buf[b_idx], ptrn[p_idx]);); -#ifdef DEBUG +#ifdef DEBUG_MSGS cmpcnt++; #endif @@ -890,7 +877,7 @@ if(p_idx == 0) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "match: compares = %d.\n", + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "match: compares = %d.\n", cmpcnt);); return 1; } @@ -902,7 +889,7 @@ DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "skip-shifting...\n");); skip_stride = skip[(unsigned char) buf[b_idx]]; shift_stride = shift[p_idx]; - + b_idx += (skip_stride > shift_stride) ? skip_stride : shift_stride; DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "b_idx skip-shifted to %d\n", b_idx);); b_idx += regexcomp; diff -Nru snort-2.8.5.2/src/mstring.h snort-2.9.2/src/mstring.h --- snort-2.8.5.2/src/mstring.h 2009-07-07 15:37:02.000000000 +0000 +++ snort-2.9.2/src/mstring.h 2011-02-09 23:22:49.000000000 +0000 
@@ -1,5 +1,5 @@
 /*
-** Copyright (C) 2002-2009 Sourcefire, Inc.
+** Copyright (C) 2002-2011 Sourcefire, Inc.
 ** Copyright (C) 1998-2002 Martin Roesch
 **
 ** This program is free software; you can redistribute it and/or modify
diff -Nru snort-2.8.5.2/src/obfuscation.c snort-2.9.2/src/obfuscation.c
--- snort-2.8.5.2/src/obfuscation.c 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/obfuscation.c 2011-06-08 00:33:06.000000000 +0000
@@ -0,0 +1,1488 @@
+/******************************************************************************
+ * Copyright (C) 2009-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ******************************************************************************/
+
+#include
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "obfuscation.h"
+#include "sf_types.h"
+#include "snort_debug.h"
+#include "decode.h"
+#include "util.h"
+#include "stream_api.h"
+#include "snort_bounds.h"
+
+#ifdef OBFUSCATION_TEST_STANDALONE
+# ifndef OBFUSCATION_TEST
+# define OBFUSCATION_TEST
+# endif
+# define TraverseReassembled stream_api->traverse_stream_segments
+static int TraverseReassembled(
+ Packet *,
+ int (*)(DAQ_PktHdr_t *, uint8_t *, uint8_t *, uint32_t, void *),
+ void *
+ );
+#endif
+
+/*******************************************************************************
+ * Macros
+ ******************************************************************************/
+#define OBFUSCATE_ENTRIES 512
+#define OBFUSCATE_MAXLEN_ENTRIES 8
+#define OBFUSCATE_SLICE_ENTRIES (OBFUSCATE_ENTRIES - OBFUSCATE_MAXLEN_ENTRIES)
+
+
+/*******************************************************************************
+ * Data structures
+ ******************************************************************************/
+typedef struct _ObfuscationEntry
+{
+ Packet *p;
+ ob_size_t offset;
+ ob_size_t length;
+ ob_char_t ob_char;
+
+} ObfuscationEntry;
+
+typedef struct _ObfuscationStruct
+{
+ int num_entries;
+ int num_maxlen_entries;
+ int sorted;
+ ObfuscationEntry entries[OBFUSCATE_ENTRIES];
+ ObfuscationEntry *sort_entries[OBFUSCATE_ENTRIES];
+ ObfuscationEntry *maxlen_entries[OBFUSCATE_MAXLEN_ENTRIES];
+
+} ObfuscationStruct;
+
+typedef struct _ObfuscationCallbackData
+{
+ const Packet *packet;
+ ObfuscationCallback user_callback;
+ void *user_data;
+ int entry_index;
+ ob_size_t total_offset;
+
+} ObfuscationCallbackData;
+
+typedef struct _ObfuscationStreamCallbackData
+{
+ ObfuscationCallbackData *data;
+ uint32_t next_seq;
+ int last_entry_index;
+
+} ObfuscationStreamCallbackData;
+
+typedef struct _ObfuscatedPayload
+{
+ uint8_t **payload;
+ ob_size_t *payload_len;
+ ob_size_t payload_size;
+
+} ObfuscatedPayload;
+
+
+/*******************************************************************************
+ * Globals
+ ******************************************************************************/
+static ObfuscationStruct ob_struct;
+
+
+/*******************************************************************************
+ * Private function prototypes
+ ******************************************************************************/
+static inline int NumObfuscateMaxLenEntries(void);
+static inline int NumObfuscateSliceEntries(void);
+static inline ObRet ObfuscationEntryOverflow(ob_size_t);
+static inline int PayloadObfuscationRequired(Packet *);
+static inline void SetObfuscationEntry(ObfuscationEntry *, Packet *,
+ ob_size_t, ob_size_t, ob_char_t);
+static inline void SortObfuscationEntries(void);
+static inline void SetObfuscationCallbackData(
+ ObfuscationCallbackData *, Packet *, ObfuscationCallback, void *);
+static inline void SetObfuscationStreamCallbackData(
+ ObfuscationStreamCallbackData *, ObfuscationCallbackData *,
+ Packet *, ObfuscationCallback, void *);
+
+static ObRet AddObfuscationEntry(Packet *, ob_size_t, ob_size_t, ob_char_t);
+static int ObfuscationEntrySort(const void *, const void *);
+static ObRet TraverseObfuscationList(ObfuscationCallbackData *,
+ const DAQ_PktHdr_t *, const uint8_t *, ob_size_t);
+static int ObfuscateStreamSegmentsCallback(DAQ_PktHdr_t *,
+ uint8_t *, uint8_t *, uint32_t, void *);
+static ObRet GetObfuscatedPayloadCallback(const DAQ_PktHdr_t *,
+ const uint8_t *, ob_size_t, ob_char_t, void *);
+static void PrintObfuscationEntry(const ObfuscationEntry *, int);
+
+
+/*******************************************************************************
+ * API prototypes
+ ******************************************************************************/
+static void OB_API_ResetObfuscationEntries(void);
+static ObRet OB_API_AddObfuscationEntry(Packet *, ob_size_t,
+ ob_size_t, ob_char_t);
+static int OB_API_PayloadObfuscationRequired(Packet *);
+static ObRet OB_API_ObfuscatePacket(Packet *, ObfuscationCallback, void *);
+static ObRet OB_API_ObfuscatePacketStreamSegments(Packet *,
+ ObfuscationCallback, void *);
+static ObRet OB_API_GetObfuscatedPayload(Packet *, uint8_t **, ob_size_t *);
+static void OB_API_PrintObfuscationEntries(int);
+
+/* API accessor */
+ObfuscationApi obfuscationApi =
+{
+ OB_API_ResetObfuscationEntries, // resetObfuscationEntries
+ OB_API_AddObfuscationEntry, // addObfuscationEntry
+ OB_API_PayloadObfuscationRequired, // payloadObfuscationRequired
+ OB_API_ObfuscatePacket, // obfuscatePacket
+ OB_API_ObfuscatePacketStreamSegments, // obfuscatePacketStreamSegments
+ OB_API_GetObfuscatedPayload, // getObfuscatedPayload
+ OB_API_PrintObfuscationEntries // printObfuscationEntries
+};
+
+ObfuscationApi *obApi = &obfuscationApi;
+
+
+/*******************************************************************************
+ * API Function definitions
+ ******************************************************************************/
+// resetObfuscationEntries
+void OB_API_ResetObfuscationEntries(void)
+{
+ ob_struct.num_entries = 0;
+ ob_struct.num_maxlen_entries = 0;
+ ob_struct.sorted = 0;
+}
+
+// addObfuscationEntry
+static ObRet OB_API_AddObfuscationEntry(Packet *p, ob_size_t offset,
+ ob_size_t length, ob_char_t ob_char)
+{
+ if (p == NULL)
+ return OB_RET_ERROR;
+
+ p->packet_flags |= PKT_PAYLOAD_OBFUSCATE;
+
+ return AddObfuscationEntry(p, offset, length, ob_char);
+}
+
+// payloadObfuscationRequired
+static int OB_API_PayloadObfuscationRequired(Packet *p)
+{
+ return PayloadObfuscationRequired(p);
+}
+
+// obfuscatePacket
+static ObRet OB_API_ObfuscatePacket(Packet *p,
+ ObfuscationCallback user_callback, void *user_data)
+{
+ ObfuscationCallbackData callback_data;
+
+ if (!PayloadObfuscationRequired(p))
+ return OB_RET_ERROR;
+
+ SortObfuscationEntries();
+ SetObfuscationCallbackData(&callback_data, p, user_callback, user_data);
+
+ /* Send header information first - isn't obfuscated */
+ if (user_callback(p->pkth, p->pkt, (ob_size_t)(p->data - p->pkt),
+ 0, user_data) != OB_RET_SUCCESS)
+ {
+ return OB_RET_ERROR;
+ }
+
+ if (TraverseObfuscationList(&callback_data, NULL, p->data,
+ (ob_size_t)(p->pkth->caplen - (p->data - p->pkt))) != OB_RET_SUCCESS)
+ {
+ return OB_RET_ERROR;
+ }
+
+ return OB_RET_SUCCESS;
+}
+
+// obfuscatePacketStreamSegments
+static ObRet OB_API_ObfuscatePacketStreamSegments(Packet *p,
+ ObfuscationCallback user_callback, void *user_data)
+{
+ ObfuscationStreamCallbackData stream_callback_data;
+ ObfuscationCallbackData callback_data;
+
+ if (!PayloadObfuscationRequired(p))
+ return OB_RET_ERROR;
+
+ SortObfuscationEntries();
+ SetObfuscationStreamCallbackData(&stream_callback_data, &callback_data,
+ p, user_callback, user_data);
+
+ if (stream_api->traverse_stream_segments(p, ObfuscateStreamSegmentsCallback,
+ (void *)&stream_callback_data) == -1)
+ {
+ return OB_RET_ERROR;
+ }
+
+ return OB_RET_SUCCESS;
+}
+
+// getObfuscatedPayload
+static ObRet OB_API_GetObfuscatedPayload(Packet *p,
+ uint8_t **payload, ob_size_t *payload_len)
+{
+ ObfuscationCallbackData callback_data;
+ ObfuscatedPayload user_data;
+
+ if (!PayloadObfuscationRequired(p))
+ return OB_RET_ERROR;
+
+ if ((payload == NULL) || (payload_len == NULL))
+ return OB_RET_ERROR;
+
+ *payload = NULL;
+ *payload_len = 0;
+
+ user_data.payload = payload;
+ user_data.payload_len = payload_len;
+ user_data.payload_size = 0;
+
+ SortObfuscationEntries();
+ SetObfuscationCallbackData(&callback_data, p,
+ GetObfuscatedPayloadCallback, (void *)&user_data);
+
+ if (TraverseObfuscationList(&callback_data, NULL, p->data,
+ (ob_size_t)(p->pkth->caplen - (p->data - p->pkt))) != OB_RET_SUCCESS)
+ {
+ return OB_RET_ERROR;
+ }
+
+ return OB_RET_SUCCESS;
+}
+
+// printObfuscationEntries
+static void OB_API_PrintObfuscationEntries(int sorted)
+{
+ int i;
+ ObfuscationEntry *entry;
+
+ if (sorted)
+ SortObfuscationEntries();
+
+ for (i = 0; i < ob_struct.num_entries; i++)
+ {
+ LogMessage("Entry: %d\n", i);
+
+ if (sorted)
+ entry = ob_struct.sort_entries[i];
+ else
+ entry = &ob_struct.entries[i];
+
+ PrintObfuscationEntry(entry, 2);
+ }
+}
+
+
+/*******************************************************************************
+ * Private function definitions
+ ******************************************************************************/
+
+/*******************************************************************************
+ * Function: NumObfuscateMaxLenEntries()
+ *
+ * Gets the number of current OB_LENGTH_MAX entries that have been added.
+ *
+ * Arguments
+ * None
+ *
+ * Returns
+ * The number of current OB_LENGTH_MAX entries.
+ *
+ ******************************************************************************/
+static inline int NumObfuscateMaxLenEntries(void)
+{
+ return ob_struct.num_maxlen_entries;
+}
+
+/*******************************************************************************
+ * Function: NumObfuscateSliceEntries()
+ *
+ * Gets the number of current slice entries that have been added.
+ *
+ * Arguments
+ * None
+ *
+ * Returns
+ * The number of current slice entries.
+ *
+ ******************************************************************************/
+static inline int NumObfuscateSliceEntries(void)
+{
+ return ob_struct.num_entries - ob_struct.num_maxlen_entries;
+}
+
+/*******************************************************************************
+ * Function: ObfuscationEntryOverflow()
+ *
+ * Determines whether or not there is enough space in the static entry array to
+ * add another obfucation entry.
+ *
+ * Arguments
+ * ob_size_t
+ * The length of the entry that should be added. If length is OB_LENGTH_MAX
+ * then the max length array is checked.
+ *
+ * Returns
+ * OB_RET_SUCCESS if the entry can be added
+ * OB_RET_OVERFLOW if there isn't enough space to add another entry
+ *
+ ******************************************************************************/
+static inline ObRet ObfuscationEntryOverflow(ob_size_t length)
+{
+ if (length == OB_LENGTH_MAX)
+ {
+ if (NumObfuscateMaxLenEntries() >= OBFUSCATE_MAXLEN_ENTRIES)
+ return OB_RET_OVERFLOW;
+ }
+ else
+ {
+ if (NumObfuscateSliceEntries() >= OBFUSCATE_SLICE_ENTRIES)
+ return OB_RET_OVERFLOW;
+ }
+
+ return OB_RET_SUCCESS;
+}
+
+/*******************************************************************************
+ * Function: PayloadObfuscationRequired()
+ *
+ * Determines whether or not the packet requires obfuscation. An obfuscation
+ * flag is added to the packet flags when an obfuscation entry is added that
+ * is associated with the packet. If there isn't any data, then it doesn't
+ * need obfuscation.
+ *
+ * Arguments
+ * Packet *p
+ * The Packet to check
+ *
+ * Returns
+ * 0 if obfuscation is not needed.
+ * 1 if the packet has been flagged for obfuscation.
+ *
+ ******************************************************************************/
+static inline int PayloadObfuscationRequired(Packet *p)
+{
+ if ((p == NULL) || (p->pkth == NULL)
+ || (p->pkt == NULL) || (p->data == NULL)
+ || (p->pkt >= p->data)
+ || ((ob_size_t)(p->data - p->pkt) > p->pkth->caplen))
+ {
+ return 0;
+ }
+
+ if (!(p->packet_flags & PKT_PAYLOAD_OBFUSCATE)
+ || (ob_struct.num_entries == 0))
+ {
+ return 0;
+ }
+
+ return 1;
+}
+
+/*******************************************************************************
+ * Function: SetObfuscationEntry()
+ *
+ * Initializes an obfuscation entry with the passed in values.
+ *
+ * Arguments
+ * ObfuscationEntry *entry
+ * The obfuscation entry to initialize
+ * Packet *p
+ * The Packet to associate with this entry
+ * ob_size_t offset
+ * The offset into the packet to start obfuscation
+ * ob_size_t length
+ * The amount of data to obfuscate starting from offset
+ * ob_char_t ob_char
+ * The character to use when obfuscating
+ *
+ * Returns
+ * None
+ *
+ ******************************************************************************/
+static inline void SetObfuscationEntry(ObfuscationEntry *entry,
+ Packet *p, ob_size_t offset, ob_size_t length, ob_char_t ob_char)
+{
+ if (entry == NULL)
+ return;
+
+ entry->p = p;
+ entry->offset = offset;
+ entry->length = length;
+ entry->ob_char = ob_char;
+}
+
+/*******************************************************************************
+ * Function: SetObfuscationCallbackData()
+ *
+ * Initializes the callback data for use in TraverseObfuscationList.
+ *
+ * Arguments
+ * ObfuscationCallbackData *callback_data
+ * The callback data struct to initialize
+ * Packet *p
+ * The Packet to associate with this entry
+ * ob_size_t offset
+ * The offset into the packet to start obfuscation
+ * ob_size_t length
+ * The amount of data to obfuscate starting from offset
+ * ob_char_t ob_char
+ * The character to use when obfuscating
+ *
+ * Returns
+ * None
+ *
+ ******************************************************************************/
+static inline void SetObfuscationCallbackData(
+ ObfuscationCallbackData *callback_data, Packet *packet,
+ ObfuscationCallback user_callback, void *user_data)
+{
+ if (callback_data == NULL)
+ return;
+
+ callback_data->packet = packet;
+ callback_data->user_callback = user_callback;
+ callback_data->user_data = user_data;
+ callback_data->entry_index = 0;
+ callback_data->total_offset = 0;
+}
+
+/*******************************************************************************
+ * Function: SetObfuscationStreamCallbackData()
+ *
+ * Initializes the callback data for use in TraverseObfuscationList.
+ *
+ * Arguments
+ * ObfuscationStreamCallbackData *stream_callback_data
+ * The stream callback data struct to initialize
+ * ObfuscationCallbackData *callback_data
+ * The callback data struct to initialize
+ * Packet *p
+ * The Packet to associate with this entry
+ * ob_size_t offset
+ * The offset into the packet to start obfuscation
+ * ob_size_t length
+ * The amount of data to obfuscate starting from offset
+ * ob_char_t ob_char
+ * The character to use when obfuscating
+ *
+ * Returns
+ * None
+ *
+ ******************************************************************************/
+static inline void SetObfuscationStreamCallbackData(
+ ObfuscationStreamCallbackData *stream_callback_data,
+ ObfuscationCallbackData *callback_data, Packet *packet,
+ ObfuscationCallback user_callback, void *user_data)
+{
+ if ((stream_callback_data == NULL) || (callback_data == NULL))
+ return;
+
+ SetObfuscationCallbackData(callback_data, packet, user_callback, user_data);
+ stream_callback_data->data = callback_data;
+ stream_callback_data->next_seq = 0;
+ stream_callback_data->last_entry_index = 0;
+}
+
+/*******************************************************************************
+ * Function: SortObfuscationEntries()
+ *
+ * Uses qsort to sort the entries that have been added. Possibly qsort is not
+ * the most efficient sort here since, in general, the entries will be added
+ * from smallest offset to largest.
+ *
+ * Arguments
+ * None
+ *
+ * Returns
+ * None
+ *
+ ******************************************************************************/
+static inline void SortObfuscationEntries(void)
+{
+ if (!ob_struct.sorted)
+ {
+ qsort((void *)ob_struct.sort_entries, ob_struct.num_entries,
+ sizeof(ObfuscationEntry *), ObfuscationEntrySort);
+ ob_struct.sorted = 1;
+ }
+}
+
+/*******************************************************************************
+ * Function: AddObfuscationEntry()
+ *
+ * Adds an obfuscation entry to the obfuscation list. OB_LENGTH_MAX entries
+ * are first checked to see if there is an entry already associated with
+ * the Packet passed in. If there is, the entry with the lesser of the two
+ * offsets is used.
+ *
+ * Arguments
+ * Packet *p
+ * The Packet to be associated with this entry
+ * ob_size_t offset
+ * The offset into the payload of this packet to start obfuscating
+ * ob_size_t length
+ * The length of the payload starting at offset to obfuscate
+ * ob_char_t
+ * The character to use when obfuscating
+ *
+ * Returns
+ * OB_RET_SUCCESS if the entry was successfully added
+ * OB_RET_OVERFLOW if there is no room left to store the entry
+ *
+ ******************************************************************************/
+static ObRet AddObfuscationEntry(Packet *p, ob_size_t offset,
+ ob_size_t length, ob_char_t ob_char)
+{
+ ObfuscationEntry *entry;
+ int entry_index = ob_struct.num_entries;
+
+ if (length == OB_LENGTH_MAX)
+ {
+ int i;
+
+ /* Check to see if there is an OB_LENGTH_MAX entry already associated
+ * with this packet */
+ for (i = 0; i < ob_struct.num_maxlen_entries; i++)
+ {
+ entry = ob_struct.maxlen_entries[i];
+ if (entry->p == p)
+ {
+ /* Already have an entry for this packet. Use the entry with
+ * the lesser of the two offsets */
+ if (offset < entry->offset)
+ {
+ entry->offset = offset;
+ entry->ob_char = ob_char;
+ }
+
+ return OB_RET_SUCCESS;
+ }
+ }
+ }
+
+ if (ObfuscationEntryOverflow(length) != OB_RET_SUCCESS)
+ return OB_RET_OVERFLOW;
+
+ /* Reset sorted since we're adding an entry and the list will need
+ * to be sorted again */
+ ob_struct.sorted = 0;
+
+ /* Get the entry at the current index */
+ entry = &ob_struct.entries[entry_index];
+ SetObfuscationEntry(entry, p, offset, length, ob_char);
+
+ ob_struct.sort_entries[entry_index] = entry;
+ ob_struct.num_entries++;
+
+ if (length == OB_LENGTH_MAX)
+ {
+ ob_struct.maxlen_entries[ob_struct.num_maxlen_entries] = entry;
+ ob_struct.num_maxlen_entries++;
+ }
+
+ return OB_RET_SUCCESS;
+}
+
+/*******************************************************************************
+ * Function: ObfuscationEntrySort()
+ *
+ * Sorting callback. Sorted by offset, then length if the offsets are the same.
+ *
+ * Arguments
+ * const void *data1
+ * The compare to argument
+ * const void *data2
+ * The argument to compare to the first argument
+ *
+ * Returns
+ * -1 if the first ObfuscationEntry is considered less than the second
+ * 1 if the first ObfuscationEntry is considered greater than the second
+ * 0 if both offset and length are equal
+ *
+ ******************************************************************************/
+static int ObfuscationEntrySort(const void *data1, const void *data2)
+{
+ ObfuscationEntry *ob1 = *((ObfuscationEntry **)data1);
+ ObfuscationEntry *ob2 = *((ObfuscationEntry **)data2);
+
+ if (ob1->offset < ob2->offset)
+ return -1;
+ else if (ob1->offset > ob2->offset)
+ return 1;
+ else if (ob1->length < ob2->length)
+ return -1;
+ else if (ob1->length > ob2->length)
+ return 1;
+
+ return 0;
+}
+
+/*******************************************************************************
+ * Function: TraverseObfuscationList()
+ *
+ * This is the main function for obfuscating a payload or stream segments.
+ * It walks through a packet and obfuscation entries, calling the user
+ * callback with obfuscated and non-obfuscated instructions.
+ *
+ * Arguments
+ * ObfuscationCallbackData *data
+ * The state tracking data structure. Has the packet being obfuscated,
+ * current obfuscation entry and total number of bytes obfuscated thus
+ * far.
+ * DAQ_PktHdr_t *pkth
+ * The pcap header information associated with the payload being
+ * obfuscated.
+ * uint8_t *pkt
+ * The start of the packet including Ethernet headers, etc.
+ * uint8_t *payload
+ * Pointer to the payload data to be obfuscated
+ * ob_size_t
+ * The size of the payload data
+ *
+ * Returns
+ * OB_RET_SUCCESS if successfully completed
+ * OB_RET_ERROR if the user callback doesn't return OB_RET_SUCCESS
+ *
+ ******************************************************************************/
+static ObRet TraverseObfuscationList(ObfuscationCallbackData *data,
+ const DAQ_PktHdr_t *pkth, const uint8_t *payload_data,
+ ob_size_t payload_size)
+{
+ int i;
+ ob_size_t total_offset = data->total_offset;
+ ob_size_t payload_offset = 0;
+ const DAQ_PktHdr_t *pkth_tmp = pkth;
+#ifdef OBFUSCATION_TEST
+ uint8_t print_array[OB_LENGTH_MAX];
+ ob_size_t start_total_offset = 0;
+ ob_size_t start_payload_offset = 0;
+#endif
+
+ if ((payload_data == NULL) || (payload_size == 0))
+ return OB_RET_ERROR;
+
+#ifdef OBFUSCATION_TEST
+ LogMessage("Payload data: %u bytes\n", payload_size);
+ LogMessage("==============================================================="
+ "=================\n");
+#endif
+
+ /* Start from current saved obfuscation entry index */
+ for (i = data->entry_index; i < ob_struct.num_entries; i++)
+ {
+ /* Get the entry from the sorted array */
+ const ObfuscationEntry *entry = ob_struct.sort_entries[i];
+ ob_size_t ob_offset = entry->offset;
+ ob_size_t ob_length = entry->length;
+
+ /* Make sure it's for the right packet */
+ if (entry->p != data->packet)
+ {
+#ifdef OBFUSCATION_TEST
+ LogMessage("flags1: %08x, flags2: %08x\n", entry->p->packet_flags, data->packet->packet_flags);
+#endif
+ continue;
+ }
+
+ /* We've already obfuscated this part of the packet payload
+ * Account for overflow */
+ if (((ob_offset + ob_length) <= total_offset)
+ && ((ob_offset + ob_length) > ob_offset))
+ {
+ continue;
+ }
+
+#ifdef OBFUSCATION_TEST
+ LogMessage(" Total offset: %u\n\n", total_offset);
+ start_total_offset = total_offset;
+ start_payload_offset = payload_offset;
+#endif
+
+ /* Note the obfuscation offset is only used at this point to determine
+ * the amount of data that does not need to be obfuscated up to the
+ * offset or the length of what needs to be obfuscated if the offset
+ * is less than what's already been logged */
+
+ if (ob_offset > total_offset)
+ {
+ /* Get the amount of non-obfuscated data - need to log straight
+ * packet data up to obfuscation offset */
+ ob_size_t length = ob_offset - total_offset;
+
+ /* If there is more length than what's left in the packet,
+ * truncate it, do we don't overflow */
+ if (length > (payload_size - payload_offset))
+ length = payload_size - payload_offset;
+
+ /* Call the user callback and tell it not to obfuscate the data
+ * by passing in a non-NULL packet pointer */
+ if (data->user_callback(pkth_tmp, payload_data + payload_offset,
+ length, 0, data->user_data) != OB_RET_SUCCESS)
+ {
+ return OB_RET_ERROR;
+ }
+
+#ifdef OBFUSCATION_TEST
+ SafeMemcpy(print_array + payload_offset, payload_data + payload_offset,
+ length, print_array, print_array + sizeof(print_array));
+#endif
+ /* Only the first payload call sends the pcap_pkthdr */
+ pkth_tmp = NULL;
+
+ /* Adjust offsets */
+ payload_offset += length;
+ total_offset += length;
+
+ /* If there is no more packet data, break out of the loop */
+ if (payload_offset == payload_size)
+ {
+#ifdef OBFUSCATION_TEST
+ PrintPacketData(print_array + start_payload_offset, length);
+ LogMessage("\n");
+#endif
+ break;
+ }
+ }
+ else if (ob_offset < total_offset)
+ {
+ /* If the entries offset is less than the current total offset,
+ * decrease the length. */
+ ob_length -= (total_offset - ob_offset);
+ }
+
+ /* Adjust the amount of data to obfuscate if it exceeds the amount of
+ * data left in the packet. Account for overflow */
+ if (((payload_offset + ob_length) > payload_size)
+ || ((payload_offset + ob_length) <= payload_offset))
+ {
+ ob_length = payload_size - payload_offset;
+ }
+
+ /* Call the user callback and tell it to obfuscate the data by passing
+ * in a NULL packet pointer */
+ if (data->user_callback(pkth_tmp, NULL, ob_length,
+ entry->ob_char, data->user_data) != OB_RET_SUCCESS)
+ {
+ return OB_RET_ERROR;
+ }
+
+#ifdef OBFUSCATION_TEST
+ LogMessage(" Entry: %d\n", i);
+ LogMessage(" --------------------------\n");
+ PrintObfuscationEntry(entry, 4);
+ LogMessage("\n");
+
+ SafeMemset(print_array + payload_offset, entry->ob_char,
+ ob_length, print_array, print_array + sizeof(print_array));
+
+ if (ob_length < entry->length)
+ {
+ if (ob_offset < start_total_offset)
+ {
+ if (payload_offset + ob_length == payload_size)
+ {
+ LogMessage(" Obfuscating beyond already obfuscated "
+ "(%u bytes) and to end of payload: %u bytes\n\n",
+ (start_total_offset - ob_offset), ob_length);
+ }
+ else
+ {
+ LogMessage(" Obfuscating beyond already obfuscated "
+ "(%u bytes): %u bytes\n\n",
+ (start_total_offset - ob_offset), ob_length);
+ }
+ }
+ else
+ {
+ LogMessage(" Obfuscating to end of payload: "
+ "%u bytes\n\n", ob_length);
+ }
+ }
+ else
+ {
+ LogMessage(" Obfuscating: %u bytes\n\n", ob_length);
+ }
+
+ PrintPacketData(print_array + start_payload_offset,
+ (payload_offset - start_payload_offset) + ob_length);
+
+ if (((entry->offset + entry->length) - (total_offset + ob_length)) > 0)
+ {
+ LogMessage("\n Remaining amount to obfuscate: %u bytes\n",
+ (entry->offset + entry->length) - (total_offset + ob_length));
+ }
+
+ LogMessage("\n");
+#endif
+
+ /* Only the first payload call sends the pcap_pkthdr */
+ pkth_tmp = NULL;
+
+ /* Adjust offsets */
+ payload_offset += ob_length;
+ total_offset += ob_length;
+
+ /* If there is no more packet data, break out of the loop */
+ if (payload_offset == payload_size)
+ break;
+ }
+
+ /* There's more data in the packet left, meaning we ran out of
+ * obfuscation entries */
+ if (payload_size > payload_offset)
+ {
+ ob_size_t length = payload_size - payload_offset;
+
+ /* Call the user callback and tell it not to obfuscate the data
+ * by passing in a non-NULL packet pointer */
+ if (data->user_callback(pkth_tmp, payload_data + payload_offset,
+ length, 0, data->user_data) != OB_RET_SUCCESS)
+ {
+ return OB_RET_ERROR;
+ }
+
+#ifdef OBFUSCATION_TEST
+ SafeMemcpy(print_array + payload_offset, payload_data + payload_offset,
+ length, print_array, print_array + sizeof(print_array));
+#endif
+
+ /* Adjust offsets - don't need to adjust packet offset since
+ * we're done with the packet */
+ total_offset += length;
+ }
+
+#ifdef OBFUSCATION_TEST
+ LogMessage("Obfuscated payload\n");
+ LogMessage("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
+ "~~~~~~~~~~\n");
+ PrintPacketData(print_array, payload_size);
+ LogMessage("\n\n");
+#endif
+
+ /* Save these for next time we come in if necessary. Mainly for
+ * traversing stream segments */
+ data->entry_index = i;
+ data->total_offset = total_offset;
+
+ return OB_RET_SUCCESS;
+}
+
+/*******************************************************************************
+ * Function: ObfuscateStreamSegmentsCallback()
+ *
+ * Stream API callback for traverse_stream_segments.
+ *
+ * Arguments
+ * DAQ_PktHdr_t *pkth
+ * The pcap header information associated with the segment packet.
+ * uint8_t *pkt
+ * Pointer to the segment packet data starting at packet headers
+ * uint8_t *payload
+ * Pointer to the segment payload data to be obfuscated
+ * uint32_t
+ * The sequence number of this segment
+ * void *data
+ * The ObfuscationCallBack data
+ *
+ * Returns
+ * Per stream api traverse_reassembled:
+ * 0 if obfuscation was successful.
+ * -1 if we had to bail on the obfuscation due to the user callback
+ * telling us to - this should tell traverse_stream_segments to stop
+ * traversing and not call this anymore.
+ *
+ ******************************************************************************/
+static int ObfuscateStreamSegmentsCallback(DAQ_PktHdr_t *pkth,
+ uint8_t *pkt, uint8_t *payload, uint32_t seq_num, void *data)
+{
+ ObfuscationStreamCallbackData *callback_data =
+ (ObfuscationStreamCallbackData *)data;
+ ob_size_t payload_size = (uint16_t)(pkth->caplen - (payload - pkt));
+
+ if ((pkt >= payload) || ((ob_size_t)(payload - pkt) > pkth->caplen))
+ return -1;
+
+ if (callback_data->data->user_callback(pkth, pkt, (ob_size_t)(payload - pkt),
+ 0, callback_data->data->user_data) != OB_RET_SUCCESS)
+ {
+ return -1;
+ }
+
+ /* If we get an overlap set the entry index to where the last packet
+ * started, else set the last entry index to the end of the one for
+ * the last segment */
+ if (callback_data->next_seq > seq_num)
+ {
+ callback_data->data->entry_index = callback_data->last_entry_index;
+ callback_data->data->total_offset -=
+ (ob_size_t)(callback_data->next_seq - seq_num);
+ }
+ else
+ {
+ callback_data->last_entry_index = callback_data->data->entry_index;
+ }
+
+ if (TraverseObfuscationList(callback_data->data, NULL,
+ payload, payload_size) != OB_RET_SUCCESS)
+ {
+ return -1;
+ }
+
+ /* Update next expected sequence number */
+ callback_data->next_seq = seq_num + payload_size;
+
+ return 0;
+}
+
+/*******************************************************************************
+ * Function: GetObfuscationPayloadCallback()
+ *
+ * ObfuscationCallback for returning an allocated obfuscated payload.
+ *
+ * Arguments
+ * DAQ_PktHdr_t *pkth
+ * The pcap header information associated with the payload being
+ * obfuscated.
+ * uint8_t *packet_data
+ * Pointer to the packet data to be obfuscated
+ * ob_char_t ob_char
+ * The obfuscation character
+ * ob_size_t length
+ * The length of the portion of packet payload to use
+ * void *user_data
+ * The ObfuscatedPayload data
+ *
+ * Returns
+ * OB_RET_ERROR if copying obfuscation data is not successful
+ * OB_RET_SUCCESS if successful copying data to payload
+ *
+ ******************************************************************************/
+static ObRet GetObfuscatedPayloadCallback(const DAQ_PktHdr_t *pkth,
+ const uint8_t *packet_data, ob_size_t length,
+ ob_char_t ob_char, void *user_data)
+{
+ ObfuscatedPayload *ob_payload = (ObfuscatedPayload *)user_data;
+ uint8_t *payload;
+ ob_size_t payload_len, payload_size;
+
+ if (ob_payload == NULL)
+ return OB_RET_ERROR;
+
+ if ((ob_payload->payload == NULL) || (ob_payload->payload_len == NULL))
+ return OB_RET_ERROR;
+
+ payload = *ob_payload->payload;
+ payload_len = *ob_payload->payload_len;
+ payload_size = ob_payload->payload_size;
+
+ if ((payload_len + length) > payload_size)
+ {
+ /* Allocate extra so we don't have to reallocate every time in */
+ ob_size_t new_size = payload_len + length + 100;
+ uint8_t *tmp = (uint8_t *)SnortAlloc(new_size);
+
+ if (payload != NULL)
+ {
+ if (SafeMemcpy(tmp, payload, payload_len,
+ tmp, tmp + new_size) != SAFEMEM_SUCCESS)
+ {
+ free(tmp);
+ free(payload);
+ return OB_RET_ERROR;
+ }
+
+ free(payload);
+ }
+
+ payload_size = new_size;
+ ob_payload->payload_size = new_size;
+
+ *ob_payload->payload = tmp;
+ payload = tmp;
+ }
+
+ if (packet_data != NULL)
+ {
+ if (SafeMemcpy(payload + payload_len, packet_data, length,
+ payload, payload + payload_size) != SAFEMEM_SUCCESS)
+ {
+ free(payload);
+ return OB_RET_ERROR;
+ }
+ }
+ else
+ {
+ if (SafeMemset(payload + payload_len, (uint8_t)ob_char, length,
+ payload, payload + payload_size) != SAFEMEM_SUCCESS)
+ {
+ free(payload);
+ return OB_RET_ERROR;
+ }
+ }
+
+ *ob_payload->payload_len += length;
+
+ return OB_RET_SUCCESS;
+}
+
+/*******************************************************************************
+ * Function: PrintObfuscationEntry()
+ *
+ * Prints an obfuscation entry offsetted with optional leading whitespace.
+ *
+ * Arguments
+ * const ObfuscationEntry *entry
+ * The entry to print
+ * int leading_whitespace
+ * The amount of whitespace to use before printing a line.
+ * Returns
+ * None
+ *
+ ******************************************************************************/
+static void PrintObfuscationEntry(const ObfuscationEntry *entry,
+ int leading_space)
+{
+ if (entry == NULL)
+ return;
+
+ LogMessage("%*sPacket: %p\n", leading_space, "", (void*)entry->p);
+ LogMessage("%*sOffset: %u\n", leading_space, "", entry->offset);
+ LogMessage("%*sLength: %u\n", leading_space, "", entry->length);
+ if (isgraph((int)entry->ob_char))
+ LogMessage("%*sOb char: \'%c\'\n", leading_space, "", entry->ob_char);
+ else
+ LogMessage("%*sOb char: 0x%02x\n", leading_space, "", entry->ob_char);
+}
+
+
+/******************************************************************************
+ * Testing
+ ******************************************************************************/
+#ifdef OBFUSCATION_TEST_STANDALONE
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define PAYLOAD_ALLOC_SIZE 1024
+
+/* Used for standalone testing */
+typedef struct _Segment
+{
+ DAQ_PktHdr_t *pkth;
+ uint8_t *data;
+ uint16_t size;
+ struct _Segment *next;
+
+} Segment;
+
+/* Used for standalone testing */
+typedef struct _ObPacket
+{
+ struct Packet p;
+ Segment *seglist;
+
+} ObPacket;
+
+static uint8_t *ob_payload = NULL;
+static void ObTestAlloc(void **, int, int);
+static void CreateObEntries(Packet *, ob_char_t, ob_size_t,
+ ob_size_t, int, int);
+static ObRet ObCallback(DAQ_PktHdr_t *, uint8_t *, ob_char_t,
+ ob_size_t, void *);
+static uint8_t * GetPayloadFromFile(char *, ob_size_t *);
+
+static int TraverseReassembled(Packet *p,
+ int (*callback)(DAQ_PktHdr_t *, uint8_t *, void *),
+ void *user_data)
+{
+ ObfuscationCallbackData *callback_data =
+ (ObfuscationCallbackData *)user_data;
+ int segments = 0;
+ Segment *seg;
+ ObPacket *op = (ObPacket *)p;
+
+ for (seg = op->seglist; seg != NULL; seg = seg->next)
+ {
+ if (callback(seg->pkth, seg->data, user_data) != 0)
+ return segments;
+ segments++;
+ }
+
+ return segments;
+}
+
+static void ObTestAlloc(void **ptr, int ptr_size, int this_size)
+{
+ if (ptr == NULL)
+ return;
+
+ if (*ptr == NULL)
+ {
+ *ptr = calloc(1, this_size);
+ if (*ptr == NULL)
+ {
+ fprintf(stderr, "Failed to allocate memory for payload.\n");
+ exit(1);
+ }
+ }
+ else
+ {
+ if (this_size > ptr_size)
+ {
+ *ptr = realloc(*ptr, this_size);
+ if (*ptr == NULL)
+ {
+ fprintf(stderr, "Failed to allocate memory for payload.\n");
+ exit(1);
+ }
+ }
+ }
+}
+
+static void CreateObEntries(Packet *p, ob_char_t ob_char,
+ ob_size_t ob_offset, ob_size_t ob_length, int reverse, int add_maxlen)
+{
+ typedef struct _ob_tmp_struct
+ { ob_size_t offset; ob_size_t length; } ob_tmp_struct_t;
+
+ ob_size_t offset;
+ ob_tmp_struct_t *tmp_struct = NULL;
+ int num_tmps = 0;
+ int i;
+
+ if (p == NULL)
+ return;
+
+ for (offset = (rand() % ob_offset) + 1;
+ offset < (p->dsize - ob_offset);
+ offset += (rand() % ob_offset) + 1)
+ {
+ ob_size_t length = rand() % ob_length + 1;
+
+ ObTestAlloc((void **)&tmp_struct, sizeof(ob_tmp_struct_t) * num_tmps,
+ sizeof(ob_tmp_struct_t) * (num_tmps + 1));
+ tmp_struct[num_tmps].offset = offset;
+ tmp_struct[num_tmps].length = length;
+ num_tmps++;
+
+ if (add_maxlen && (offset > p->dsize/2))
+ obApi->addObfuscationEntry(p, offset, OB_LENGTH_MAX, ob_char);
+
+ if ((offset + length) >= p->dsize)
+ break;
+ }
+
+ if (reverse)
+ {
+ for (i = num_tmps - 1; i >= 0; i--)
+ {
+ obApi->addObfuscationEntry(p, tmp_struct[i].offset,
+ tmp_struct[i].length, ob_char);
+ }
+ }
+ else
+ {
+ for (i = 0; i < num_tmps; i++)
+ {
+ obApi->addObfuscationEntry(p, tmp_struct[i].offset,
+ tmp_struct[i].length, ob_char);
+ }
+ }
+}
+
+static ObRet ObCallback(DAQ_PktHdr_t *pkth, uint8_t *packet_data,
+ ob_char_t ob_char, ob_size_t length, void *user_data)
+{
+ ob_size_t *offset = (ob_size_t *)user_data;
+
+ if (packet_data != NULL)
+ memcpy(ob_payload + *offset, packet_data, length);
+ else
+ memset(ob_payload + *offset, ob_char, length);
+
+ *offset += length;
+ return OB_RET_SUCCESS;
+}
+
+static uint8_t * GetPayloadFromFile(char *payload_file, ob_size_t *payload_bytes)
+{
+ uint8_t *payload = NULL;
+ FILE *fp;
+ ob_size_t bytes;
+
+ if (payload_bytes == NULL)
+ return NULL;
+
+ *payload_bytes = 0;
+
+ fp = fopen(payload_file, "r");
+ if (fp == NULL)
+ {
+ fprintf(stderr, "Could not open payload file \"%s\": %s\n",
+ payload_file, strerror(errno));
+ exit(1);
+ }
+
+ ObTestAlloc((void **)&payload, 0, PAYLOAD_ALLOC_SIZE);
+ while ((bytes = fread(payload + *payload_bytes, sizeof(char),
+ PAYLOAD_ALLOC_SIZE, fp)) == PAYLOAD_ALLOC_SIZE)
+ {
+ ObTestAlloc((void **)&payload, *payload_bytes + bytes,
+ *payload_bytes + bytes + bytes);
+ *payload_bytes += bytes;
+ }
+
+ *payload_bytes += bytes;
+ if (*payload_bytes > OB_LENGTH_MAX)
+ *payload_bytes = OB_LENGTH_MAX;
+
+ return payload;
+}
+
+static uint8_t * GetStaticPayload(ob_char_t ob_char, ob_size_t *payload_bytes)
+{
+ uint8_t *payload = NULL;
+ ob_size_t alloc_size = 1000;
+ ob_char_t char1 = 0x00;
+ ob_char_t char2 = 0x01;
+ ob_char_t c = char1;
+
+ if (c == ob_char)
+ c = char2;
+
+ ObTestAlloc((void **)&payload, 0, alloc_size);
+ memset(payload, c, alloc_size);
+
+ *payload_bytes = alloc_size;
+ return payload;
+}
+
+static void SegmentPayload(Packet *p)
+{
+ ob_size_t length;
+ ob_size_t i;
+ Segment *last;
+ ObPacket *op = (ObPacket *)p;
+
+ for (i = 0; i < p->dsize; i += length)
+ {
+ Segment *seg =
NULL; + + length = rand() % 20 + 1; + if (i + length > p->dsize) + length = p->dsize - i; + + ObTestAlloc((void **)&seg, 0, sizeof(Segment)); + ObTestAlloc((void **)&seg->data, 0, length); + ObTestAlloc((void **)&seg->pkth, 0, sizeof(DAQ_PktHdr_t)); + + memcpy(seg->data, p->data + i, length); + seg->size = length; + seg->pkth->caplen = length; + + if (op->seglist == NULL) + { + op->seglist = seg; + last = seg; + } + else + { + last->next = seg; + last = seg; + } + + if ((i + length) == p->dsize) + break; + } +} + +void PrintUsage(char *prog) +{ + fprintf(stderr, "Usage: %s [options]\n", prog); + fprintf(stderr, " -a (add max length entry)\n"); + fprintf(stderr, " -c \n"); + fprintf(stderr, " -l \n"); + fprintf(stderr, " -o \n"); + fprintf(stderr, " -p \n"); + fprintf(stderr, " -s (use segmentation)\n"); + fprintf(stderr, " -r (reverse entries before sorting)\n"); +} + +int main(int argc, char *argv[]) +{ + char c; + char *payload_file = NULL; + ob_char_t ob_char = 'X'; + int segment = 0; + int reverse = 0; + int add_maxlen = 0; + ob_size_t ob_offset = 50; + ob_size_t ob_length = 16; + uint8_t *payload = NULL; + ob_size_t payload_bytes = 0; + ob_size_t offset = 0; + DAQ_PktHdr_t pkth, *pkthtmp; + Packet packet; + + while ((c = getopt(argc, argv, "ac:l:o:p:rsh")) != -1) + { + switch (c) { + case 'a': + add_maxlen = 1; + break; + case 'c': + ob_char = (ob_char_t)strtol(optarg, NULL, 0); + break; + case 'l': + { + int value; + if (!isdigit(optarg[0])) + { + PrintUsage(argv[0]); + fprintf(stderr, "Obfuscation max length must be a " + "positive integer.\n"); + exit(1); + } + value = atoi(optarg); + if (value > UINT16_MAX) + { + PrintUsage(argv[0]); + fprintf(stderr, "Obfuscation max length must be " + "less than 65535.\n"); + exit(1); + } + ob_length = (ob_size_t)value; + } + break; + case 'o': + { + int value; + if (!isdigit(optarg[0])) + { + PrintUsage(argv[0]); + fprintf(stderr, "Obfuscation offset must be a " + "positive integer.\n"); + exit(1); + } + value = 
atoi(optarg); + if (value > UINT16_MAX) + { + PrintUsage(argv[0]); + fprintf(stderr, "Obfuscation max offset must " + "be less than 65535.\n"); + exit(1); + } + ob_offset = (ob_size_t)value; + } + break; + case 'p': + payload_file = strdup(optarg); + if (payload_file == NULL) + { + PrintUsage(argv[0]); + fprintf(stderr, "Failed to copy payload file.\n"); + exit(1); + } + break; + case 'r': + reverse = 1; + break; + case 's': + segment = 1; + break; + case 'h': + PrintUsage(argv[0]); + exit(0); + default: + PrintUsage(argv[0]); + fprintf(stderr, "Invalid option. Use -h for usage.\n"); + exit(1); + } + } + + srand(time(NULL)); + + if (payload_file != NULL) + { + payload = GetPayloadFromFile(payload_file, &payload_bytes); + if (payload == NULL) + { + fprintf(stderr, "Failed to get data from \"%s\"\n", payload_file); + exit(1); + } + } + else + { + payload = GetStaticPayload(ob_char, &payload_bytes); + } + + ObTestAlloc((void **)&ob_payload, 0, payload_bytes); + + obApi->resetObfuscationEntries(); + + memset(&packet, 0, sizeof(packet)); + pkthtmp = (DAQ_PktHdr_t *)&packet.pkth; + pkthtmp = &pkth; + pkthtmp->caplen = payload_bytes; + pkthtmp->ts.tv_sec = 0; + pkthtmp->ts.tv_usec = 0; + packet.packet_flags |= PKT_PAYLOAD_OBFUSCATE; + packet.data = payload; + packet.dsize = payload_bytes; + + CreateObEntries(&packet, ob_char, ob_offset, ob_length, + reverse, add_maxlen); + //obApi->printObfuscationEntries(); + + if (segment) + { + SegmentPayload(&packet); + if (obApi->payloadObfuscationRequired(&packet)) + obApi->obfuscateStreamSegments(&packet, ObCallback, &offset); + } + else + { + if (obApi->payloadObfuscationRequired(&packet)) + obApi->obfuscatePayload(&packet, ObCallback, &offset); + } + + free(payload); + free(ob_payload); + if (payload_file != NULL) + free(payload_file); + + return 0; +} + +#endif /* OBFUSCATION_TEST_STANDALONE */ diff -Nru snort-2.8.5.2/src/obfuscation.h snort-2.9.2/src/obfuscation.h --- snort-2.8.5.2/src/obfuscation.h 1970-01-01 
00:00:00.000000000 +0000
+++ snort-2.9.2/src/obfuscation.h 2011-06-08 00:33:06.000000000 +0000
@@ -0,0 +1,271 @@
+/******************************************************************************
+ * Copyright (C) 2009-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ******************************************************************************/
+
+#ifndef __OBFUSCATION_H__
+#define __OBFUSCATION_H__
+
+#include
+#include "decode.h"
+
+
+/*******************************************************************************
+ * Macros
+ ******************************************************************************/
+/* This should be defined to be greater than or equal to the maximum
+ * amount of data expected to be obfuscated */
+#define OB_LENGTH_MAX UINT16_MAX
+
+
+/*******************************************************************************
+ * Types
+ ******************************************************************************/
+typedef uint8_t ob_char_t;
+typedef uint16_t ob_size_t;
+
+typedef enum _ObRet
+{
+ OB_RET_SUCCESS,
+ OB_RET_ERROR,
+ OB_RET_OVERFLOW
+
+} ObRet;
+
+
+/*******************************************************************************
+ * Callback to use for obfuscating payload or stream segments - see API below.
+ *
+ * The first chunk of a payload or stream segment whether needing obfuscation
+ * or not will pass a valid pcap_pkthdr struct. Subsequent calls will pass NULL
+ * for this structure. This is useful, especially for the stream segment API
+ * call to know when a new segment begins. Any new "payload" will have a valid
+ * pcap_pkthdr struct.
+ *
+ * If the slice sent in has a non-NULL packet data pointer, the data should *NOT*
+ * be obfuscated.
+ *
+ * If the chunk sent in has a NULL packet data pointer, then that chunk of data
+ * should be obfuscated with the obfuscation character.
+ *
+ * The length passed in is the amount of data that should be copied from the
+ * packet data pointer or the amount of data that should be written with the
+ * obfuscation character.
+ *
+ * Arguments
+ * DAQ_PktHdr_t *pkth
+ * The pcap header that contains the packet caplen and timestamps
+ * uint8_t *packet_data
+ * A pointer to the current offset into the packet data. NULL if
+ * obfuscation of the payload slice is required.
+ * ob_char_t ob_char
+ * The obfuscation character to use if packet_data is NULL.
+ * ob_size_t length
+ * The amount of data to be logged or obfuscated.
+ * void *user_data
+ * The user data passed in to the API functions obfuscatePayload() or
+ * obfuscateStreamSegments below.
+ *
+ * Returns
+ * OB_RET_SUCCESS if all is good
+ * OB_RET_ERROR if the rest of the obfuscation should not be done
+ *
+ ******************************************************************************/
+typedef ObRet (*ObfuscationCallback)
+ (
+ const DAQ_PktHdr_t *pkth,
+ const uint8_t *packet_data,
+ ob_size_t length,
+ ob_char_t ob_char,
+ void *user_data
+ );
+
+
+/*******************************************************************************
+ * Obfuscation API
+ ******************************************************************************/
+typedef struct _ObfuscationApi
+{
+ /*
+ * Resets/clears any entries that have been added
+ * Should be done per packet aquisition
+ *
+ * Arguments
+ * None
+ *
+ * Returns
+ * None
+ */
+
+ void (*resetObfuscationEntries)(void);
+
+
+ /*
+ * Adds an obfuscation entry to the queue
+ *
+ * Arguments
+ * Packet *p
+ * The Packet struct that has the payload data that should be obfuscated
+ * ob_size_t offset
+ * The offset from the beginning of the payload to start obfuscation
+ * ob_size_t length
+ * The amount of data to obfuscate
+ * ob_char_t ob_char
+ * The character to use when obfuscating
+ *
+ * There are two types of entries that can be added. A slice entry that
+ * has an offset and length less than OB_LENGTH_MAX and an entry with
+ * length OB_LENGTH_MAX that implies obfuscating from offset to the end
+ * of the packet data.
+ *
+ * NOTE --
+ * There is a fixed size of slice entries and OB_LENGTH_MAX entries.
+ * If OB_RET_OVERFLOW is returned when attempting to add a slice entry,
+ * a second call can be made to add an OB_LENGTH_MAX entry. Only one
+ * OB_LENGTH_MAX entry can be associated with each Packet. If there is
+ * already an OB_LENGTH_MAX entry for the packet, the lower of the two
+ * offsets will be used.
Although you should check for OB_RET_OVERFLOW
+ * when attempting to add an OB_LENGTH_MAX entry, the fixed size should
+ * be more than enough space to store an entry for each possible packet
+ * that could be in the system at the time.
+ *
+ * Returns
+ * OB_RET_SUCCESS on sucess
+ * OB_RET_ERROR on error
+ * OB_RET_OVERFLOW if there is no space left to add an entry
+ */
+
+ ObRet (*addObfuscationEntry)(Packet *p, ob_size_t offset,
+ ob_size_t length, ob_char_t ob_char);
+
+
+ /*
+ * Determines if there are any obfuscation entries associated with
+ * the given Packet
+ *
+ * Arguments
+ * Packet *
+ * The Packet to check
+ *
+ * Returns
+ * 1 if the packet requires obfuscation
+ * 0 if it doesn't
+ */
+
+ int (*payloadObfuscationRequired)(Packet *p);
+
+
+ /*
+ * Obfuscate the payload associated with the Packet. Mainly for use by the
+ * output system to print or log an obfuscated payload. The callback will
+ * be called for both payload segments that need obfuscation and those that
+ * don't. See comment on ObfuscationCallback above.
+ *
+ * Arguments
+ * Packet *
+ * The Packet whose payload should be obfuscated
+ * ObfuscationCallback
+ * The function that will be called for each obfuscated and
+ * non-obfuscated segment in the payload
+ * void *
+ * User data that will be passed to the callback
+ *
+ * Returns
+ * OB_RET_SUCCESS on sucess
+ * OB_RET_ERROR on error
+ */
+
+ ObRet (*obfuscatePacket)(Packet *p,
+ ObfuscationCallback callback, void *user_data);
+
+
+ /*
+ * Obfuscate the stream segments associated with the Packet. Mainly for use
+ * by the output system to print or log the stream segments associated with
+ * a Packet that have been marked as needing obfuscation. The callback will
+ * be called for both stream segments that need obfuscation and those that
+ * don't. It will be called for all stream segments. See comment on
+ * ObfuscationCallback above.
+ *
+ * Arguments
+ * Packet *
+ * The Packet whose stream segments should be obfuscated
+ * ObfuscationCallback
+ * The function that will be called for each obfuscated and
+ * non-obfuscated part of the stream segments.
+ * void *
+ * User data that will be passed to the callback
+ *
+ * Returns
+ * OB_RET_SUCCESS on sucess
+ * OB_RET_ERROR on error
+ */
+
+ ObRet (*obfuscatePacketStreamSegments)(Packet *p,
+ ObfuscationCallback callback, void *user_data);
+
+
+ /*
+ * Obfuscates the Packet payload and returns payload and payload length
+ * in parameters
+ *
+ * NOTE
+ * *payload will be set to NULL, so don't pass in an already
+ * allocated pointer.
+ * *payload_len will be zeroed.
+ *
+ * The payload returned is dynamically allocated and MUST be free'd.
+ *
+ * Arguments
+ * Packet *
+ * The Packet whose payload should be obfuscated
+ * uint8_t **payload
+ * A pointer to a payload pointer so it can be allocated, returned
+ * and accessed.
+ * ob_size_t *payload_len
+ * A pointer to an ob_size_t so the length can be returned.
+ *
+ * Returns
+ * OB_RET_ERROR if the payload could not be obfuscated
+ * the pointers to payload and payload_len will not be valid
+ * OB_RET_SUCCESS if the payload was obfuscated
+ * the pointers to payload and payload_len will be valid
+ */
+
+ ObRet (*getObfuscatedPayload)(Packet *p, uint8_t **payload,
+ ob_size_t *payload_len);
+
+ /*
+ * Prints the current obfuscation entries.
+ *
+ * Arguments
+ * int sorted
+ * Print the sorted entries and sort if necessary.
+ *
+ * Returns
+ * None
+ */
+
+ void (*printObfuscationEntries)(int sorted);
+
+} ObfuscationApi;
+
+/* For access when including header */
+extern ObfuscationApi *obApi;
+
+#endif /* __OBFUSCATION_H__ */
diff -Nru snort-2.8.5.2/src/output-plugins/Makefile.am snort-2.9.2/src/output-plugins/Makefile.am
--- snort-2.8.5.2/src/output-plugins/Makefile.am 2007-08-20 17:26:04.000000000 +0000
+++ snort-2.9.2/src/output-plugins/Makefile.am 2010-06-09 22:05:17.000000000 +0000
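Review bot: The ObfuscationCallback comment block names API members that the struct below does not declare — it says the user data is passed in to `obfuscatePayload()` or `obfuscateStreamSegments`, while the declared members are `obfuscatePacket` and `obfuscatePacketStreamSegments`, and it calls the first argument a `pcap_pkthdr` struct although the parameter type is `const DAQ_PktHdr_t *`; change those two lines to `* The user data passed in to the API functions obfuscatePacket() or` / `* obfuscatePacketStreamSegments() below.` and say "DAQ packet header" where the comment says pcap_pkthdr. The `getObfuscatedPayload` contract also needs to state ownership on failure: the comment says the buffer MUST be free'd and that on OB_RET_ERROR the pointers "will not be valid", but the implementation's callback earlier in this patch already calls `free(payload)` on its error paths without resetting `*payload`, so a caller that frees whenever `*payload` is non-NULL will double-free. Add to the Returns block `* OB_RET_ERROR: any buffer allocated so far has already been released; the caller must NOT free *payload`, and consider having the implementation set `*payload = NULL` on every error return so that a NULL check is sufficient. The three `OB_RET_SUCCESS on sucess` lines should read `success`, and the `#include` whose target appears to have been lost in this listing should be confirmed as the header that defines `UINT16_MAX`/`uint16_t` (presumably `<stdint.h>` or sf_types.h) since OB_LENGTH_MAX depends on it.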
@@ -3,6 +3,10 @@ noinst_LIBRARIES = libspo.a +if BUILD_PRELUDE +PRELUDE_CODE = spo_alert_prelude.c spo_alert_prelude.h +endif + libspo_a_SOURCES = spo_alert_fast.c spo_alert_fast.h \ spo_alert_full.c spo_alert_full.h \ spo_alert_syslog.c spo_alert_syslog.h spo_alert_unixsock.c \ @@ -10,7 +14,7 @@ spo_log_null.c spo_log_null.h spo_log_tcpdump.c \ spo_log_tcpdump.h spo_unified.c spo_unified2.c spo_unified.h spo_unified2.h \ spo_log_ascii.c spo_log_ascii.h spo_alert_sf_socket.h spo_alert_sf_socket.c \ -spo_alert_prelude.c spo_alert_prelude.h spo_alert_arubaaction.c spo_alert_arubaaction.h \ +$(PRELUDE_CODE) spo_alert_arubaaction.c spo_alert_arubaaction.h \ spo_alert_test.c spo_alert_test.h INCLUDES = @INCLUDES@ diff -Nru snort-2.8.5.2/src/output-plugins/Makefile.in snort-2.9.2/src/output-plugins/Makefile.in --- snort-2.8.5.2/src/output-plugins/Makefile.in 2009-10-19 21:18:00.000000000 +0000 +++ snort-2.9.2/src/output-plugins/Makefile.in 2011-12-07 19:23:21.000000000 +0000 @@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -16,8 +17,9 @@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c 
@@ -42,20 +44,33 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = LIBRARIES = $(noinst_LIBRARIES) ARFLAGS = cru libspo_a_AR = $(AR) $(ARFLAGS) libspo_a_LIBADD = +am__libspo_a_SOURCES_DIST = spo_alert_fast.c spo_alert_fast.h \ + spo_alert_full.c spo_alert_full.h spo_alert_syslog.c \ + spo_alert_syslog.h spo_alert_unixsock.c spo_alert_unixsock.h \ + spo_csv.c spo_csv.h spo_database.c spo_database.h \ + spo_log_null.c spo_log_null.h spo_log_tcpdump.c \ + spo_log_tcpdump.h spo_unified.c spo_unified2.c spo_unified.h \ + spo_unified2.h spo_log_ascii.c spo_log_ascii.h \ + spo_alert_sf_socket.h spo_alert_sf_socket.c \ + spo_alert_prelude.c spo_alert_prelude.h \ + spo_alert_arubaaction.c spo_alert_arubaaction.h \ + spo_alert_test.c spo_alert_test.h +@BUILD_PRELUDE_TRUE@am__objects_1 = spo_alert_prelude.$(OBJEXT) am_libspo_a_OBJECTS = spo_alert_fast.$(OBJEXT) \ spo_alert_full.$(OBJEXT) spo_alert_syslog.$(OBJEXT) \ spo_alert_unixsock.$(OBJEXT) spo_csv.$(OBJEXT) \ spo_database.$(OBJEXT) spo_log_null.$(OBJEXT) \ spo_log_tcpdump.$(OBJEXT) spo_unified.$(OBJEXT) \ spo_unified2.$(OBJEXT) spo_log_ascii.$(OBJEXT) \ - spo_alert_sf_socket.$(OBJEXT) spo_alert_prelude.$(OBJEXT) \ + spo_alert_sf_socket.$(OBJEXT) $(am__objects_1) \ spo_alert_arubaaction.$(OBJEXT) spo_alert_test.$(OBJEXT) libspo_a_OBJECTS = $(am_libspo_a_OBJECTS) -DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = am__depfiles_maybe = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ @@ -68,7 +83,7 @@ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ $(LDFLAGS) -o $@ SOURCES = $(libspo_a_SOURCES) -DIST_SOURCES = $(libspo_a_SOURCES) +DIST_SOURCES = $(am__libspo_a_SOURCES_DIST) ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) 
@@ -81,31 +96,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ @@ -118,12 +133,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -131,20 +152,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -176,6 +204,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -188,10 +217,12 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies noinst_LIBRARIES = libspo.a +@BUILD_PRELUDE_TRUE@PRELUDE_CODE = spo_alert_prelude.c spo_alert_prelude.h libspo_a_SOURCES = spo_alert_fast.c spo_alert_fast.h \ spo_alert_full.c spo_alert_full.h \ spo_alert_syslog.c spo_alert_syslog.h spo_alert_unixsock.c \ 
@@ -199,7 +230,7 @@ spo_log_null.c spo_log_null.h spo_log_tcpdump.c \ spo_log_tcpdump.h spo_unified.c spo_unified2.c spo_unified.h spo_unified2.h \ spo_log_ascii.c spo_log_ascii.h spo_alert_sf_socket.h spo_alert_sf_socket.c \ -spo_alert_prelude.c spo_alert_prelude.h spo_alert_arubaaction.c spo_alert_arubaaction.h \ +$(PRELUDE_CODE) spo_alert_arubaaction.c spo_alert_arubaaction.h \ spo_alert_test.c spo_alert_test.h all: all-am @@ -210,14 +241,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/output-plugins/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/output-plugins/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/output-plugins/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/output-plugins/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -235,6 +266,7 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): clean-noinstLIBRARIES: -test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES) 
@@ -269,45 +301,49 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i 
$(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags @@ -328,13 +364,17 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @@ -362,6 +402,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -382,6 +423,8 @@ html: html-am +html-am: + info: info-am info-am: @@ -390,18 +433,28 @@ install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am 
@@ -438,6 +491,7 @@ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ pdf pdf-am ps ps-am tags uninstall uninstall-am + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/src/output-plugins/spo_alert_arubaaction.c snort-2.9.2/src/output-plugins/spo_alert_arubaaction.c --- snort-2.8.5.2/src/output-plugins/spo_alert_arubaaction.c 2009-05-06 22:29:11.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_alert_arubaaction.c 2011-10-26 18:28:52.000000000 +0000 @@ -20,7 +20,7 @@ /* $Id$ */ /* spo_alert_arubaaction - * + * * Purpose: output plugin for dynamically changing station access status on * an Aruba switch. * @@ -30,7 +30,7 @@ * "cleartext" * secret The shared secret configured on the Aruba switch * action The action the switch should take with the target user - * + * * Effect: * * When an alert is passed to this output plugin, the plugin connects to the @@ -46,9 +46,10 @@ #include "config.h" #endif +#include "sf_types.h" #include "event.h" #include "decode.h" -#include "debug.h" +#include "snort_debug.h" #include "plugbase.h" #include "spo_plugbase.h" #include "parser.h" @@ -127,7 +128,7 @@ }; -#define ArubaResponseCode ArubaSecretType +#define ArubaResponseCode ArubaSecretType #define ARUBA_RESP_SUCCESS 0 #define ARUBA_RESP_UNKN_USER 1 @@ -146,7 +147,7 @@ { ARUBA_RESP_UNKN_EXT_AGENT, "unknown external agent" }, { ARUBA_RESP_AUTH_FAILED, "authentication failed" }, { ARUBA_RESP_INVAL_CMD, "invalid command" }, - { ARUBA_RESP_INVAL_AUTH_METHOD, + { ARUBA_RESP_INVAL_AUTH_METHOD, "invalid message authentication method" }, { ARUBA_RESP_INVAL_MSG_DGST, "invalid message digest" }, { ARUBA_RESP_MSSNG_MSG_AUTH, "missing message authentication" }, 
@@ -166,7 +167,7 @@ /* * Function: SetupAlertArubaAction() * - * Purpose: Registers the output plugin keyword and initialization + * Purpose: Registers the output plugin keyword and initialization * function into the output plugin list. This is the function that * gets called from InitOutputPlugins() in plugbase.c. * @@ -177,7 +178,7 @@ */ void AlertArubaActionSetup(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ RegisterOutputPlugin("alert_aruba_action", OUTPUT_TYPE_FLAG__ALERT, AlertArubaActionInit); @@ -202,6 +203,11 @@ { SpoAlertArubaActionData *data; + WarningMessage("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"); + WarningMessage("!! WARNING: The alert_aruba_action output plugin is considered\n"); + WarningMessage("!! deprecated as of Snort 2.9.2 and will be removed in Snort 2.9.3.\n"); + WarningMessage("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"); + DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Output: AlertArubaAction " "Initialized\n");); @@ -210,7 +216,7 @@ DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Linking AlertArubaAction functions " "to call lists...\n");); - + /* Set the preprocessor function into the function list */ AddFuncToOutputList(AlertArubaAction, OUTPUT_TYPE__ALERT, data); AddFuncToCleanExitList(AlertArubaActionCleanExitFunc, data); @@ -368,7 +374,7 @@ #endif (unsigned long)strlen(cmdbuf), cmdbuf ); - + /* Send the action command to the switch */ if (ArubaSwitchSend(data, (uint8_t *)post, postlen) != postlen) { ErrorMessage("aruba_action: Error sending data to Aruba " @@ -430,7 +436,7 @@ close(data->fd); - + return; } @@ -471,7 +477,7 @@ return -1; } #ifdef SUP_IP6 - } + } else { memcpy(&sa6.sin6_addr, data->aswitch.ip8, 16); sa6.sin6_family = AF_INET6; @@ -483,7 +489,7 @@ close(data->fd); return -1; } - } + } #endif 
@@ -500,7 +506,7 @@ close(data->fd); return -1; } - } + } else { memcpy(&sa6.sin6_addr, data->aswitch.ip8, 16); #else @@ -516,9 +522,9 @@ return -1; } #ifdef SUP_IP6 - } + } #endif - + return data->fd; } @@ -526,9 +532,9 @@ /* * Function: ParseAlertArubaActionArgs(char *) * - * Purpose: Process the preprocessor arguments from the rules file and + * Purpose: Process the preprocessor arguments from the rules file and * initialize the preprocessor's data struct. This function doesn't - * have to exist if it makes sense to parse the args in the init + * have to exist if it makes sense to parse the args in the init * function. * * Arguments: args => argument list @@ -564,9 +570,9 @@ } #ifdef SUP_IP6 // XXX could probably be changed to a macro - if (sfip_pton(toks[0], &data->aswitch) == 0) + if (sfip_pton(toks[0], &data->aswitch) == 0) #else - if (inet_aton(toks[0], &data->aswitch) == 0) + if (inet_aton(toks[0], &data->aswitch) == 0) #endif { ErrorMessage("aruba_action: invalid Aruba switch address " @@ -576,7 +582,7 @@ } for (i=0; secret_lookup[i].name != NULL; i++) { - if (strncmp(toks[1], secret_lookup[i].name, + if (strncmp(toks[1], secret_lookup[i].name, strlen(secret_lookup[i].name)) == 0) { data->secret_type = secret_lookup[i].type; break; @@ -595,7 +601,7 @@ /* action can be "blacklist" or "setrole:rolename", parse */ for (i=0; action_lookup[i].name != NULL; i++) { - if (strncmp(action_lookup[i].name, toks[3], + if (strncmp(action_lookup[i].name, toks[3], strlen(action_lookup[i].name)) == 0) { data->action_type = action_lookup[i].type; break; @@ -617,12 +623,12 @@ "specification \"%s\"\n", toks[3]); FatalError("Improperly formatted action\n"); return NULL; - } + } data->role_name = (char *)SnortAlloc(strlen(action_toks[1])+1); - strncpy(data->role_name, action_toks[1], + strncpy(data->role_name, action_toks[1], strlen(action_toks[1])); - } + } /* free toks */ mSplitFree(&toks, num_toks); 
@@ -643,11 +649,10 @@ void AlertArubaActionRestartFunc(int signal, void *arg) { SpoAlertArubaActionData *data = (SpoAlertArubaActionData *)arg; - + DEBUG_WRAP(DebugMessage(DEBUG_LOG,"AlertArubaActionRestartFunc\n");); free(data->secret); free(data->role_name); free(data); } - diff -Nru snort-2.8.5.2/src/output-plugins/spo_alert_fast.c snort-2.9.2/src/output-plugins/spo_alert_fast.c --- snort-2.8.5.2/src/output-plugins/spo_alert_fast.c 2009-05-06 22:29:11.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_alert_fast.c 2011-10-26 18:28:52.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** Copyright (C) 2000,2001 Andrew R. Baker ** @@ -22,11 +22,11 @@ /* $Id$ */ /* spo_alert_fast - * + * * Purpose: output plugin for fast alerting * * Arguments: alert file - * + * * Effect: * * Alerts are written to a file in the snort fast alert format @@ -40,17 +40,6 @@ #include "config.h" #endif -#include "event.h" -#include "decode.h" -#include "debug.h" -#include "plugbase.h" -#include "spo_plugbase.h" -#include "parser.h" -#include "util.h" -#include "log.h" -#include "mstring.h" -#include "snort.h" - #include #include #include @@ -67,9 +56,22 @@ #include +#include "spo_alert_fast.h" +#include "event.h" +#include "decode.h" +#include "snort_debug.h" +#include "plugbase.h" +#include "spo_plugbase.h" +#include "parser.h" +#include "util.h" +#include "log.h" +#include "mstring.h" +#include "active.h" #include "sfutil/sf_textlog.h" #include "log_text.h" #include "sf_textlog.h" +#include "snort.h" +#include "sfdaq.h" /* full buf was chosen to allow printing max size packets * in hex/ascii mode: @@ -85,9 +87,6 @@ */ #define DEFAULT_LIMIT (128*M_BYTES) -extern char *pcap_interface; -extern SnortConfig *snort_conf_for_parsing; - typedef struct _SpoAlertFastData { TextLog* log; 
@@ -103,7 +102,7 @@ /* * Function: SetupAlertFast() * - * Purpose: Registers the output plugin keyword and initialization + * Purpose: Registers the output plugin keyword and initialization * function into the output plugin list. This is the function that * gets called from InitOutputPlugins() in plugbase.c. * @@ -114,7 +113,7 @@ */ void AlertFastSetup(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ RegisterOutputPlugin("alert_fast", OUTPUT_TYPE_FLAG__ALERT, AlertFastInit); DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Output plugin: AlertFast is setup...\n");); @@ -142,7 +141,7 @@ data = ParseAlertFastArgs(args); DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Linking AlertFast functions to call lists...\n");); - + /* Set the preprocessor function into the function list */ AddFuncToOutputList(AlertFast, OUTPUT_TYPE__ALERT, data); AddFuncToCleanExitList(AlertFastCleanExitFunc, data); @@ -155,8 +154,15 @@ LogTimeStamp(data->log, p); - if( p != NULL && p->packet_flags & PKT_INLINE_DROP ) + if( p != NULL && Active_PacketWasDropped() ) + { TextLog_Puts(data->log, " [Drop]"); + } + else if( p != NULL && Active_PacketWouldBeDropped() ) + { + TextLog_Puts(data->log, " [WDrop]"); + } + if(msg != NULL) { @@ -181,7 +187,7 @@ if (ScAlertInterface()) { - TextLog_Print(data->log, " <%s> ", PRINT_INTERFACE(pcap_interface)); + TextLog_Print(data->log, " <%s> ", PRINT_INTERFACE(DAQ_GetInterfaceSpec())); TextLog_Puts(data->log, msg); } else 
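Review bot: The `p != NULL` guard is repeated in both arms of the new drop / would-drop check even though `Active_PacketWasDropped()` and `Active_PacketWouldBeDropped()` take no packet argument, so the null test reads as if it were part of each condition rather than a single precondition. Nesting the two calls under one `if( p != NULL )` says what is meant and keeps the two tags mutually exclusive in one place. The enclosing function starts before the hunk and continues past it.
```c
if( p != NULL )
{
    if( Active_PacketWasDropped() )
        TextLog_Puts(data->log, " [Drop]");
    else if( Active_PacketWouldBeDropped() )
        TextLog_Puts(data->log, " [WDrop]");
}
/* … unchanged: msg / interface output … */
```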
@@ -193,68 +199,45 @@ } /* print the packet header to the alert file */ - if(p && IPH_IS_VALID(p)) + if ((p != NULL) && IPH_IS_VALID(p)) { LogPriorityData(data->log, 0); - TextLog_Print(data->log, "{%s} ", protocol_names[GET_IPH_PROTO(p)]); - - if(p->frag_flag) - { - /* just print the straight IP header */ - TextLog_Puts(data->log, inet_ntoa(GET_SRC_ADDR(p))); - TextLog_Puts(data->log, " -> "); - TextLog_Puts(data->log, inet_ntoa(GET_DST_ADDR(p))); - } - else - { - switch(GET_IPH_PROTO(p)) - { - case IPPROTO_UDP: - case IPPROTO_TCP: - /* print the header complete with port information */ - TextLog_Puts(data->log, inet_ntoa(GET_SRC_ADDR(p))); - TextLog_Print(data->log, ":%d -> ", p->sp); - TextLog_Puts(data->log, inet_ntoa(GET_DST_ADDR(p))); - TextLog_Print(data->log, ":%d", p->dp); - break; - case IPPROTO_ICMP: - default: - /* just print the straight IP header */ - TextLog_Puts(data->log, inet_ntoa(GET_SRC_ADDR(p))); - TextLog_Puts(data->log, " -> "); - TextLog_Puts(data->log, inet_ntoa(GET_DST_ADDR(p))); - } - } - } /* end of if (p) */ + LogIpAddrs(data->log, p); + } if(p && data->packet_flag) { /* Log whether or not this is reassembled data - only indicate * if we're actually going to show any of the payload */ - if (ScOutputAppData() && (p->dsize > 0)) + if (ScOutputAppData() && (p->dsize > 0) && PacketWasCooked(p)) { - if (p->packet_flags & - (PKT_DCE_RPKT | PKT_REBUILT_STREAM | PKT_REBUILT_FRAG | - PKT_SMB_SEG | PKT_DCE_SEG | PKT_DCE_FRAG | PKT_SMB_TRANS)) - { - TextLog_NewLine(data->log); + switch ( p->pseudo_type ) { + case PSEUDO_PKT_SMB_SEG: + TextLog_Print(data->log, "\n%s", "SMB desegmented packet"); + break; + case PSEUDO_PKT_DCE_SEG: + TextLog_Print(data->log, "\n%s", "DCE/RPC desegmented packet"); + break; + case PSEUDO_PKT_DCE_FRAG: + TextLog_Print(data->log, "\n%s", "DCE/RPC defragmented packet"); + break; + case PSEUDO_PKT_SMB_TRANS: + TextLog_Print(data->log, "\n%s", "SMB Transact reassembled packet"); + break; + case PSEUDO_PKT_DCE_RPKT: + 
TextLog_Print(data->log, "\n%s", "DCE/RPC reassembled packet"); + break; + case PSEUDO_PKT_TCP: + TextLog_Print(data->log, "\n%s", "Stream reassembled packet"); + break; + case PSEUDO_PKT_IP: + TextLog_Print(data->log, "\n%s", "Frag reassembled packet"); + break; + default: + // FIXTHIS do we get here for portscan or sdf? + break; } - - if (p->packet_flags & PKT_SMB_SEG) - TextLog_Print(data->log, "%s", "SMB desegmented packet"); - else if (p->packet_flags & PKT_DCE_SEG) - TextLog_Print(data->log, "%s", "DCE/RPC desegmented packet"); - else if (p->packet_flags & PKT_DCE_FRAG) - TextLog_Print(data->log, "%s", "DCE/RPC defragmented packet"); - else if (p->packet_flags & PKT_SMB_TRANS) - TextLog_Print(data->log, "%s", "SMB Transact reassembled packet"); - else if (p->packet_flags & PKT_DCE_RPKT) - TextLog_Print(data->log, "%s", "DCE/RPC reassembled packet"); - else if (p->packet_flags & PKT_REBUILT_STREAM) - TextLog_Print(data->log, "%s", "Stream reassembled packet"); - else if (p->packet_flags & PKT_REBUILT_FRAG) - TextLog_Print(data->log, "%s", "Frag reassembled packet"); } TextLog_NewLine(data->log); @@ -361,8 +344,14 @@ DEBUG_INIT, "alert_fast: '%s' %d %ld\n", filename?filename:"alert", data->packet_flag, limit );); + + if ((filename == NULL) && (snort_conf->alert_file != NULL)) + filename = SnortStrdup(snort_conf->alert_file); + data->log = TextLog_Init(filename, bufSize, limit); - if ( filename ) free(filename); + + if (filename != NULL) + free(filename); return data; } diff -Nru snort-2.8.5.2/src/output-plugins/spo_alert_fast.h snort-2.9.2/src/output-plugins/spo_alert_fast.h --- snort-2.8.5.2/src/output-plugins/spo_alert_fast.h 2009-01-26 16:26:22.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_alert_fast.h 2011-02-09 23:23:26.000000000 +0000 
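Review bot: The `default:` arm of the new `switch ( p->pseudo_type )` ships with an open question (`// FIXTHIS do we get here for portscan or sdf?`), so a cooked packet whose pseudo type is not one of the seven listed is logged with no reassembly tag and a reader of the alert file cannot tell whether that was intended. Either settle the question in the comment, e.g. `default: /* other pseudo-packet types carry no reassembly tag */ break;`, or make the case visible by printing the numeric type there. The seven arms differ only in their string; selecting the label in the switch and issuing one `TextLog_Print(data->log, "\n%s", label)` after it would keep the format in one place. The enclosing function starts before this hunk (its first lines are in the previous hunk fragment) and continues past it.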
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** Copyright (C) 2000,2001 Andrew R. Baker ** diff -Nru snort-2.8.5.2/src/output-plugins/spo_alert_full.c snort-2.9.2/src/output-plugins/spo_alert_full.c --- snort-2.8.5.2/src/output-plugins/spo_alert_full.c 2009-05-06 22:29:11.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_alert_full.c 2011-06-08 00:33:15.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** Copyright (C) 2000,2001 Andrew R. Baker ** @@ -22,11 +22,11 @@ /* $Id$ */ /* spo_alert_full - * + * * Purpose: output plugin for full alerting * * Arguments: alert file (eventually) - * + * * Effect: * * Alerts are written to a file in the snort full alert format @@ -39,11 +39,20 @@ #include "config.h" #endif +#ifdef HAVE_STRINGS_H +#include +#endif + +#include +#include + +#include "sf_types.h" +#include "spo_alert_full.h" #include "event.h" #include "decode.h" #include "plugbase.h" #include "spo_plugbase.h" -#include "debug.h" +#include "snort_debug.h" #include "parser.h" #include "util.h" #include "log.h" @@ -51,16 +60,7 @@ #include "snort.h" #include "sfutil/sf_textlog.h" #include "log_text.h" - -#ifdef HAVE_STRINGS_H -#include -#endif - -#include -#include - -extern char *pcap_interface; -extern SnortConfig *snort_conf_for_parsing; +#include "sfdaq.h" typedef struct _SpoAlertFullData { @@ -84,7 +84,7 @@ /* * Function: SetupAlertFull() * - * Purpose: Registers the output plugin keyword and initialization + * Purpose: Registers the output plugin keyword and initialization * function into the output plugin list. This is the function that * gets called from InitOutputPlugins() in plugbase.c. * 
@@ -95,7 +95,7 @@ */ void AlertFullSetup(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ RegisterOutputPlugin("alert_full", OUTPUT_TYPE_FLAG__ALERT, AlertFullInit); @@ -118,7 +118,7 @@ { SpoAlertFullData *data; DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Output: AlertFull Initialized\n");); - + /* parse the argument list from the rules file */ data = ParseAlertFullArgs(args); DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Linking AlertFull functions to call lists...\n");); @@ -147,7 +147,8 @@ if (ScAlertInterface()) { - TextLog_Print(data->log, " <%s> ", PRINT_INTERFACE(pcap_interface)); + const char* iface = PRINT_INTERFACE(DAQ_GetInterfaceSpec()); + TextLog_Print(data->log, " <%s> ", iface); TextLog_Puts(data->log, msg); TextLog_Puts(data->log, " [**]\n"); } @@ -180,7 +181,7 @@ Log2ndHeader(data->log, p); } - LogIPHeader(data->log, p); + LogIPHeader(data->log, p); /* if this isn't a fragment, print the other header info */ if(!p->frag_flag) @@ -202,9 +203,8 @@ default: break; } - - LogXrefs(data->log, 1); } + LogXrefs(data->log, 1); TextLog_Putc(data->log, '\n'); } /* End of if(p) */ @@ -255,7 +255,6 @@ case 0: if ( !strcasecmp(tok, "stdout") ) filename = SnortStrdup(tok); - else filename = ProcessFileOption(snort_conf_for_parsing, tok); break; @@ -293,8 +292,14 @@ DEBUG_INIT, "alert_full: '%s' %ld\n", filename ? filename : "alert", limit );); + + if ((filename == NULL) && (snort_conf->alert_file != NULL)) + filename = SnortStrdup(snort_conf->alert_file); + data->log = TextLog_Init(filename, LOG_BUFFER, limit); - if ( filename ) free(filename); + + if (filename != NULL) + free(filename); return data; } diff -Nru snort-2.8.5.2/src/output-plugins/spo_alert_full.h snort-2.9.2/src/output-plugins/spo_alert_full.h --- snort-2.8.5.2/src/output-plugins/spo_alert_full.h 2009-01-26 16:26:22.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_alert_full.h 2011-02-09 23:23:26.000000000 +0000 
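Review bot: Dropping the `else` in the `case 0:` arm of the filename parse leaves `filename = ProcessFileOption(snort_conf_for_parsing, tok);` unconditional, so when `tok` is "stdout" the copy just made by `SnortStrdup(tok)` is overwritten and leaked and the `strcasecmp` line becomes dead code. If ProcessFileOption is now meant to handle "stdout" itself, delete the `if ( !strcasecmp(tok, "stdout") )` line and its `SnortStrdup`; otherwise restore the `else`, and brace both arms so a braceless `if` cannot silently swallow a statement again. The `switch` this arm belongs to starts and ends outside the hunk, and spo_alert_fast.c's argument parser is not in this diff, so it is worth checking whether it carries the same construct.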
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** Copyright (C) 2000,2001 Andrew R. Baker ** diff -Nru snort-2.8.5.2/src/output-plugins/spo_alert_prelude.c snort-2.9.2/src/output-plugins/spo_alert_prelude.c --- snort-2.8.5.2/src/output-plugins/spo_alert_prelude.c 2009-12-15 23:27:53.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_alert_prelude.c 2011-10-26 18:28:52.000000000 +0000 @@ -41,23 +41,22 @@ #include "plugbase.h" #include "spo_plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "mstring.h" - #include "snort.h" +#include "sfdaq.h" #define ANALYZER_CLASS "NIDS" #define ANALYZER_MODEL "Snort" #define ANALYZER_MANUFACTURER "http://www.snort.org" -#define ANALYZER_SID_URL "http://www.snort.org/pub-bin/sigs.cgi?sid=" +#define ANALYZER_SID_URL "http://www.snort.org/search/sid/" #define SNORT_MAX_OWNED_SID 1000000 #define DEFAULT_ANALYZER_NAME "snort" extern OptTreeNode *otn_tmp; -extern char *pcap_interface; static char *init_args = NULL; static unsigned int info_priority = 4; @@ -70,7 +69,7 @@ { int ret; prelude_string_t *string; - + ret = idmef_analyzer_new_model(analyzer, &string); if ( ret < 0 ) return ret; @@ -82,7 +81,7 @@ prelude_string_set_constant(string, ANALYZER_CLASS); ret = idmef_analyzer_new_manufacturer(analyzer, &string); - if ( ret < 0 ) + if ( ret < 0 ) return ret; prelude_string_set_constant(string, ANALYZER_MANUFACTURER); 
@@ -136,29 +135,26 @@ if ( ! IPH_IS_VALID(p) ) return 0; - + ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND); if ( ret < 0 ) return ret; - if (pcap_interface != NULL) - { - ret = idmef_source_new_interface(source, &string); - if ( ret < 0 ) - return ret; - prelude_string_set_ref(string, pcap_interface); - } - + ret = idmef_source_new_interface(source, &string); + if ( ret < 0 ) + return ret; + prelude_string_set_ref(string, PRINT_INTERFACE(DAQ_GetInterfaceSpec())); + ret = idmef_source_new_service(source, &service); if ( ret < 0 ) return ret; if ( p->tcph || p->udph ) idmef_service_set_port(service, p->sp); - + idmef_service_set_ip_version(service, GET_IPH_VER(p)); idmef_service_set_iana_protocol_number(service, GET_IPH_PROTO(p)); - + ret = idmef_source_new_node(source, &node); if ( ret < 0 ) return ret; @@ -170,7 +166,7 @@ ret = idmef_address_new_address(address, &string); if ( ret < 0 ) return ret; - + SnortSnprintf(saddr, sizeof(saddr), "%s", inet_ntoa(GET_SRC_ADDR(p))); prelude_string_set_ref(string, saddr); 
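Review bot: `prelude_string_set_ref(string, PRINT_INTERFACE(DAQ_GetInterfaceSpec()))` stores a pointer rather than a copy (that is what `set_ref`, as opposed to the `set_constant` used elsewhere in this file, appears to mean), and the code it replaces referenced the program-lifetime global `pcap_interface`; nothing in this hunk establishes that the buffer behind `DAQ_GetInterfaceSpec()`, or the placeholder text `PRINT_INTERFACE` substitutes for a NULL spec, outlives the IDMEF message being built, so either confirm that or switch to `prelude_string_set_dup` so the message owns its copy. The same call is made for the target in the `@@ -178,39 +174,36 @@` hunk below. The old `pcap_interface != NULL` guard is gone, so an interface field is now always emitted; if that is intended, a comment such as `/* interface always emitted; PRINT_INTERFACE supplies the NULL placeholder */` would record it. The enclosing function (event_to_source_target) starts outside the hunk.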
@@ -178,39 +174,36 @@ if ( ret < 0 ) return ret; - if (pcap_interface != NULL) - { - ret = idmef_target_new_interface(target, &string); - if ( ret < 0 ) - return ret; - prelude_string_set_ref(string, pcap_interface); - } + ret = idmef_target_new_interface(target, &string); + if ( ret < 0 ) + return ret; + prelude_string_set_ref(string, PRINT_INTERFACE(DAQ_GetInterfaceSpec())); ret = idmef_target_new_service(target, &service); if ( ! ret < 0 ) return ret; - - if ( p->tcph || p->udph ) + + if ( p->tcph || p->udph ) idmef_service_set_port(service, p->dp); - + idmef_service_set_ip_version(service, GET_IPH_VER(p)); idmef_service_set_iana_protocol_number(service, GET_IPH_PROTO(p)); - + ret = idmef_target_new_node(target, &node); if ( ret < 0 ) return ret; - + ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND); if ( ret < 0 ) return ret; - + ret = idmef_address_new_address(address, &string); if ( ret < 0 ) return ret; - + SnortSnprintf(daddr, sizeof(daddr), "%s", inet_ntoa(GET_DST_ADDR(p))); prelude_string_set_ref(string, daddr); - + return 0; } @@ -224,7 +217,7 @@ if ( ! data || ! size ) return 0; - + ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND); if ( ret < 0 ) return ret; @@ -242,14 +235,14 @@ prelude_strsource(ret), prelude_strerror(ret)); return -1; } - + ret = prelude_string_set_ref(str, meaning); if ( ret < 0 ) { ErrorMessage("%s: error setting byte string data meaning: %s.\n", prelude_strsource(ret), prelude_strerror(ret)); return -1; } - + return 0; } @@ -263,7 +256,7 @@ if ( ! data ) return 0; - + ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND); if ( ret < 0 ) return ret; @@ -281,14 +274,14 @@ prelude_strsource(ret), prelude_strerror(ret)); return -1; } - + ret = prelude_string_set_ref(str, meaning); if ( ret < 0 ) { ErrorMessage("%s: error setting string data meaning: %s.\n", prelude_strsource(ret), prelude_strerror(ret)); return -1; } - + return 0; } 
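Review bot: `if ( ! ret < 0 ) return ret;` after `idmef_target_new_service` parses as `(!ret) < 0`, which is never true, so a failure of that call is never caught and `service` is used on the next lines regardless; the source-side code in the hunk above checks `if ( ret < 0 )`, which is what this should read too. The line is unchanged context that this whitespace cleanup passes over, so it is a pre-existing defect rather than one introduced here. The function ends with this hunk (`return 0; }`) but starts before it.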
@@ -299,11 +292,11 @@ int ret; prelude_string_t *str; idmef_additional_data_t *ad; - + ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND); if ( ret < 0 ) return ret; - + idmef_additional_data_set_integer(ad, data); ret = idmef_additional_data_new_meaning(ad, &str); @@ -312,14 +305,14 @@ prelude_strsource(ret), prelude_strerror(ret)); return -1; } - + ret = prelude_string_set_ref(str, meaning); if ( ret < 0 ) { ErrorMessage("%s: error setting integer data meaning: %s.\n", prelude_strsource(ret), prelude_strerror(ret)); return -1; } - + return 0; } @@ -329,13 +322,13 @@ static int packet_to_data(Packet *p, Event *event, idmef_alert_t *alert) { int i; - + if ( ! p ) return 0; add_int_data(alert, "snort_rule_sid", event->sig_id); add_int_data(alert, "snort_rule_rev", event->sig_rev); - + if ( IPH_IS_VALID(p) ) { add_int_data(alert, "ip_ver", GET_IPH_VER(p)); add_int_data(alert, "ip_hlen", GET_IPH_HLEN(p)); @@ -358,18 +351,18 @@ #else add_int_data(alert, "ip_sum", ntohs(p->iph->ip_csum)); #endif - + for ( i = 0; i < p->ip_option_count; i++ ) { add_int_data(alert, "ip_option_code", p->ip_options[i].code); - add_byte_data(alert, "ip_option_data", - p->ip_options[i].data, p->ip_options[i].len); + add_byte_data(alert, "ip_option_data", + p->ip_options[i].data, p->ip_options[i].len); } } - + if ( p->tcph ) { add_int_data(alert, "tcp_seq", ntohl(p->tcph->th_seq)); add_int_data(alert, "tcp_ack", ntohl(p->tcph->th_ack)); - + add_int_data(alert, "tcp_off", TCP_OFFSET(p->tcph)); add_int_data(alert, "tcp_res", TCP_X2(p->tcph)); add_int_data(alert, "tcp_flags", p->tcph->th_flags); 
@@ -378,10 +371,10 @@ add_int_data(alert, "tcp_sum", ntohs(p->tcph->th_sum)); add_int_data(alert, "tcp_urp", ntohs(p->tcph->th_urp)); - + for ( i = 0; i < p->tcp_option_count; i++ ) { add_int_data(alert, "tcp_option_code", p->tcp_options[i].code); - add_byte_data(alert, "tcp_option_data", p->tcp_options[i].data, p->tcp_options[i].len); + add_byte_data(alert, "tcp_option_data", p->tcp_options[i].data, p->tcp_options[i].len); } } @@ -396,7 +389,7 @@ add_int_data(alert, "icmp_sum", ntohs(p->icmph->csum)); switch ( p->icmph->type ) { - + case ICMP_ECHO: case ICMP_ECHOREPLY: case ICMP_INFO_REQUEST: @@ -406,13 +399,13 @@ add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id)); add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq)); break; - + case ICMP_ADDRESSREPLY: add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id)); add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq)); add_int_data(alert, "icmp_mask", (uint32_t) ntohl(p->icmph->s_icmp_mask)); break; - + case ICMP_REDIRECT: #ifndef SUP_IP6 add_string_data(alert, "icmp_gwaddr", inet_ntoa(p->icmph->s_icmp_gwaddr)); @@ -424,13 +417,13 @@ } #endif break; - + case ICMP_ROUTER_ADVERTISE: add_int_data(alert, "icmp_num_addrs", p->icmph->s_icmp_num_addrs); add_int_data(alert, "icmp_wpa", p->icmph->s_icmp_wpa); add_int_data(alert, "icmp_lifetime", ntohs(p->icmph->s_icmp_lifetime)); break; - + case ICMP_TIMESTAMPREPLY: add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id)); add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq)); @@ -442,7 +435,7 @@ } add_byte_data(alert, "payload", p->data, p->dsize); - + return 0; } @@ -456,7 +449,7 @@ idmef_impact_t *impact; idmef_assessment_t *assessment; idmef_impact_severity_t severity; - + ret = idmef_alert_new_assessment(alert, &assessment); if ( ret < 0 ) return ret; @@ -480,7 +473,7 @@ if ( ! otn_tmp ) return 0; - + classtype = otn_tmp->sigInfo.classType; if ( classtype ) { ret = idmef_impact_new_description(impact, &str); 
@@ -489,7 +482,7 @@ prelude_string_set_ref(str, classtype->name); } - + return 0; } @@ -503,15 +496,15 @@ if ( sig_id >= SNORT_MAX_OWNED_SID ) return 0; - + ret = idmef_classification_new_reference(class, &ref, IDMEF_LIST_APPEND); if ( ret < 0 ) return ret; - + ret = idmef_reference_new_name(ref, &str); if ( ret < 0 ) return ret; - + idmef_reference_set_origin(ref, IDMEF_REFERENCE_ORIGIN_VENDOR_SPECIFIC); if ( gen_id == 0 ) @@ -529,7 +522,7 @@ ret = prelude_string_sprintf(str, "Snort Signature ID"); if ( ret < 0 ) return ret; - + ret = idmef_reference_new_url(ref, &str); if ( ret < 0 ) return ret; @@ -537,8 +530,8 @@ if ( gen_id == 0 ) ret = prelude_string_sprintf(str, ANALYZER_SID_URL "%u", sig_id); else - ret = prelude_string_sprintf(str, ANALYZER_SID_URL "%u:%u", gen_id, sig_id); - + ret = prelude_string_sprintf(str, ANALYZER_SID_URL "%u-%u", gen_id, sig_id); + return ret; } @@ -578,7 +571,7 @@ system = refs->system; if ( ! system ) continue; - + ret = idmef_classification_new_reference(class, &ref, IDMEF_LIST_APPEND); if ( ret < 0 ) return ret; @@ -586,7 +579,7 @@ ret = idmef_reference_new_name(ref, &str); if ( ret < 0 ) return ret; - + idmef_reference_set_origin(ref, reference_to_origin(system->name)); if ( idmef_reference_get_origin(ref) != IDMEF_REFERENCE_ORIGIN_VENDOR_SPECIFIC ) prelude_string_set_ref(str, refs->id); @@ -596,9 +589,9 @@ ret = idmef_reference_new_url(ref, &str); if ( ret < 0 ) return ret; - + prelude_string_sprintf(str, "%s%s", system->url ? system->url : "", refs->id ? refs->id : ""); - } + } return 0; } @@ -644,15 +637,15 @@ ret = event_to_reference(event, class); if ( ret < 0 ) goto err; - + ret = event_to_source_target(p, alert); if ( ret < 0 ) goto err; - + ret = packet_to_data(p, event, alert); if ( ret < 0 ) goto err; - + ret = idmef_alert_new_detect_time(alert, &time); if ( ret < 0 ) goto err; 
@@ -660,15 +653,15 @@ tv.tv_sec = p->pkth->ts.tv_sec; tv.tv_usec = p->pkth->ts.tv_usec; idmef_time_set_from_timeval(time, &tv); - + ret = idmef_time_new_from_gettimeofday(&time); if ( ret < 0 ) - goto err; + goto err; idmef_alert_set_create_time(alert, time); - + idmef_alert_set_analyzer(alert, idmef_analyzer_ref(prelude_client_get_analyzer(client)), IDMEF_LIST_PREPEND); prelude_client_send_idmef(client, idmef); - + err: idmef_message_destroy(idmef); } @@ -696,26 +689,26 @@ { int i, tokens, ret; char **args_table, *value, *key; - + args_table = mSplit(args, " \t", 0, &tokens, '\\'); for ( i = 0; i < tokens; i++ ) { - + key = args_table[i]; strtok(key, "="); - + value = strtok(NULL, ""); if ( ! value ) FatalError("spo_alert_prelude: missing value for keyword '%s'.\n", key); - + ret = strcasecmp("profile", key); if ( ret == 0 ) { if ( *profile ) free(*profile); - + *profile = strdup(value); continue; } - + ret = strcasecmp("info", key); if ( ret == 0 ) { info_priority = atoi(value); @@ -750,10 +743,15 @@ if ( ! initialized ) return; - + + WarningMessage("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"); + WarningMessage("!! WARNING: The alert_prelude output plugin is considered deprecated\n"); + WarningMessage("!! as of Snort 2.9.2 and will be removed in Snort 2.9.3.\n"); + WarningMessage("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"); + parse_args(init_args, &profile); free(init_args); - + ret = prelude_thread_init(NULL); if ( ret < 0 ) FatalError("%s: Unable to initialize the Prelude thread subsystem: %s.\n", 
@@ -763,26 +761,26 @@ if ( ret < 0 ) FatalError("%s: Unable to initialize the Prelude library: %s.\n", prelude_strsource(ret), prelude_strerror(ret)); - + ret = prelude_client_new(&client, profile ? profile : DEFAULT_ANALYZER_NAME); if ( profile ) free(profile); - + if ( ret < 0 ) FatalError("%s: Unable to create a prelude client object: %s.\n", prelude_strsource(ret), prelude_strerror(ret)); - + flags = PRELUDE_CLIENT_FLAGS_ASYNC_SEND|PRELUDE_CLIENT_FLAGS_ASYNC_TIMER; - + ret = prelude_client_set_flags(client, prelude_client_get_flags(client) | flags); if ( ret < 0 ) FatalError("%s: Unable to set asynchronous send and timer: %s.\n", prelude_strsource(ret), prelude_strerror(ret)); - + setup_analyzer(prelude_client_get_analyzer(client)); - + ret = prelude_client_start(client); if ( ret < 0 ) { if ( prelude_client_is_setup_needed(ret) ) @@ -791,7 +789,7 @@ FatalError("%s: Unable to initialize prelude client: %s.\n", prelude_strsource(ret), prelude_strerror(ret)); } - + AddFuncToOutputList(snort_alert_prelude, OUTPUT_TYPE__ALERT, client); AddFuncToCleanExitList(snort_alert_prelude_clean_exit, client); AddFuncToRestartList(snort_alert_prelude_clean_exit, client); diff -Nru snort-2.8.5.2/src/output-plugins/spo_alert_sf_socket.c snort-2.9.2/src/output-plugins/spo_alert_sf_socket.c --- snort-2.8.5.2/src/output-plugins/spo_alert_sf_socket.c 2009-10-12 16:39:08.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_alert_sf_socket.c 2011-11-21 20:15:24.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2003-2009 Sourcefire, Inc. +** Copyright (C) 2003-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -27,12 +27,14 @@ #ifdef LINUX +#include "sf_types.h" #include "spo_plugbase.h" #include "plugbase.h" #include "event.h" #include "rules.h" -#include "debug.h" +#include "treenodes.h" +#include "snort_debug.h" #include "util.h" #include "sfPolicy.h" #include 
@@ -49,8 +51,6 @@ #define SNORT_ENOENT 2 #define SNORT_ENOMEM 3 -extern SnortConfig *snort_conf; - static int configured = 0; static int connected = 0; static int sock = -1; @@ -62,8 +62,8 @@ uint32_t tv_sec; uint32_t generator; uint32_t sid; - snort_ip src_ip; - snort_ip dest_ip; + uint32_t src_ip; + uint32_t dest_ip; uint16_t sport; uint16_t dport; uint8_t protocol; @@ -87,7 +87,7 @@ static int AlertSFSocket_Connect(void); static OptTreeNode *OptTreeNode_Search(uint32_t gid, uint32_t sid); -static int SignatureAddOutputFunc(uint32_t gid, uint32_t sid, +static int SignatureAddOutputFunc(uint32_t gid, uint32_t sid, void (*outputFunc)(Packet *, char *, void *, Event *), void *args); int String2ULong(char *string, unsigned long *result); @@ -121,11 +121,11 @@ if(strlen(sockname) == 0) FatalError("AlertSFSocket: must specify a socket name\n"); - + if(strlen(sockname) > UNIX_PATH_MAX - 1) FatalError("AlertSFSocket: socket name must be less than %i " "characters\n", UNIX_PATH_MAX - 1); - + /* create socket */ if((sock = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) { @@ -135,7 +135,7 @@ memset(&sockAddr, 0, sizeof(sockAddr)); sockAddr.sun_family = AF_UNIX; memcpy(sockAddr.sun_path + 1, sockname, strlen(sockname)); - + if(AlertSFSocket_Connect() == 0) connected = 1; @@ -154,7 +154,7 @@ *gidValue=GENERATOR_SNORT_ENGINE; *sidValue=0; - + i=0; while( args && *args && (i < 20) ) { @@ -164,17 +164,17 @@ i++; } sbuff[i]=0; - + if( i >= 20 ) { return SNORT_EINVAL; } - if( *args == ':' ) + if( *args == ':' ) { memcpy(gbuff,sbuff,i); gbuff[i]=0; - + if(String2ULong(gbuff,&glong)) { return SNORT_EINVAL; @@ -210,7 +210,7 @@ } *sidValue=(uint32_t)slong; } - + return SNORT_SUCCESS; } 
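Review bot: Changing `src_ip` and `dest_ip` in the `SnortActionRequest` struct from `snort_ip` to `uint32_t` changes the struct's size and layout, and `sar` looks like the record written to the AF_UNIX datagram socket, so a consumer that parses the old layout will misread records from this version; the struct deserves a comment stating the contract, e.g. `/* wire record: layout changed in 2.9.2, IPv4 addresses only, host byte order */`. The send and the consumers are outside this hunk, so the wire-format claim is inferred from the struct's use and should be confirmed. The `@@ -322,14 +322,27 @@` hunk below, which fills these fields, carries the IPv6 design notes that really belong next to this declaration.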
@@ -219,12 +219,12 @@ uint32_t sidValue; uint32_t gidValue; AlertSFSocketGidSid *new_sid = NULL; - + /* check configured value */ if(!configured) FatalError("AlertSFSocket must be configured before attaching it to a " "sid"); - + if (GidSid2UInt((char*)args, &sidValue, &gidValue) ) FatalError("Invalid argument '%s' to alert_sf_socket_sid\n", args); @@ -268,12 +268,12 @@ break; case SNORT_EINVAL: DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Invalid argument " - "attempting to attach output for sid %u.\n", + "attempting to attach output for sid %u.\n", sidValue);); break; case SNORT_ENOENT: LogMessage("No entry found. SFSocket output not enabled for " - "sid %lu.\n", sidValue); + "sid %u.\n", sidValue); break; case SNORT_ENOMEM: FatalError("Out of memory"); @@ -300,7 +300,7 @@ if(errno == ECONNREFUSED || errno == ENOENT) { LogMessage("WARNING: AlertSFSocket: Unable to connect to socket: " - "%s\n", strerror(errno)); + "%s.\n", strerror(errno)); return 1; } else @@ -311,8 +311,8 @@ } return 0; } - - + + static SnortActionRequest sar; void AlertSFSocket(Packet *packet, char *msg, void *arg, Event *event) 
@@ -322,14 +322,27 @@ if(!event || !packet || !IPH_IS_VALID(packet)) return; + // for now, only support ip4 + if ( !IS_IP4(packet) ) + return; + /* construct the action request */ sar.event_id = event->event_id; sar.tv_sec = packet->pkth->ts.tv_sec; sar.generator = event->sig_generator; sar.sid = event->sig_id; + + // when ip6 is supported: + // * suggest TLV format where T == family, L is implied by + // T (and not sent), and V is just the address octets in + // network order + // * if T is made the 1st octet of struct, bytes to read + // can be determined by reading 1 byte + // * addresses could be moved to end of struct in uint8_t[32] + // and only 1st 8 used for ip4 #ifdef SUP_IP6 - sar.src_ip = *GET_SRC_IP(packet); - sar.dest_ip = *GET_DST_IP(packet); + sar.src_ip = ntohl(GET_SRC_IP(packet)->ip32[0]); + sar.dest_ip = ntohl(GET_DST_IP(packet)->ip32[0]); #else sar.src_ip = ntohl(packet->iph->ip_src.s_addr); sar.dest_ip = ntohl(packet->iph->ip_dst.s_addr); @@ -377,18 +390,18 @@ { connected = 0; LogMessage("WARNING: AlertSFSocket: connection reset, will attempt " - "to reconnect\n"); + "to reconnect.\n"); } else if(errno == ECONNREFUSED) { LogMessage("WARNING: AlertSFSocket: connection refused, " - "will attempt to reconnect\n"); + "will attempt to reconnect.\n"); connected = 0; } else if(errno == ENOTCONN) { LogMessage("WARNING: AlertSFSocket: not connected, " - "will attempt to reconnect\n"); + "will attempt to reconnect.\n"); connected = 0; } else @@ -402,16 +415,16 @@ return; } -static int SignatureAddOutputFunc( uint32_t gid, uint32_t sid, +static int SignatureAddOutputFunc( uint32_t gid, uint32_t sid, void (*outputFunc)(Packet *, char *, void *, Event *), void *args) { OptTreeNode *optTreeNode = NULL; OutputFuncNode *outputFuncs = NULL; - + if(!outputFunc) return SNORT_EINVAL; /* Invalid argument */ - + if(!(optTreeNode = OptTreeNode_Search(gid,sid))) { LogMessage("Unable to find OptTreeNode for SID %u\n", sid); 
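Review bot: The new `if ( !IS_IP4(packet) ) return;` silently discards every IPv6 event, so a socket consumer sees a gap with no indication and nothing on the Snort side records that it happened. A debug message after the test, `DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "AlertSFSocket: IPv6 event not sent (ip4 only)\n"););`, or a counter, would make the limitation observable. The eight-line TLV design sketch is a design note, not an explanation of the code under it; it would serve better beside the `SnortActionRequest` declaration where the layout is defined. `ntohl(GET_SRC_IP(packet)->ip32[0])` matches the host-order convention of the non-SUP_IP6 branch, which is consistent. AlertSFSocket continues past the hunk.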
@@ -426,11 +439,11 @@ outputFuncs->func = outputFunc; outputFuncs->arg = args; - + outputFuncs->next = optTreeNode->outputFuncs; optTreeNode->outputFuncs = outputFuncs; - + return SNORT_SUCCESS; } @@ -444,7 +457,7 @@ if(sid == 0) return NULL; - + for (hashNode = sfghash_findfirst(snort_conf->otn_map); hashNode; hashNode = sfghash_findnext(snort_conf->otn_map)) @@ -454,8 +467,8 @@ if (rtn) { if ((rtn->proto == IPPROTO_TCP) || (rtn->proto == IPPROTO_UDP) - || (rtn->proto == IPPROTO_ICMP) || (rtn->proto == ETHERNET_TYPE_IP)) - { + || (rtn->proto == IPPROTO_ICMP) || (rtn->proto == ETHERNET_TYPE_IP)) + { if (otn->sigInfo.id == sid) { return otn; diff -Nru snort-2.8.5.2/src/output-plugins/spo_alert_sf_socket.h snort-2.9.2/src/output-plugins/spo_alert_sf_socket.h --- snort-2.8.5.2/src/output-plugins/spo_alert_sf_socket.h 2009-01-26 16:26:22.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_alert_sf_socket.h 2011-02-09 23:23:26.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2003-2009 Sourcefire, Inc. +** Copyright (C) 2003-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.8.5.2/src/output-plugins/spo_alert_syslog.c snort-2.9.2/src/output-plugins/spo_alert_syslog.c --- snort-2.8.5.2/src/output-plugins/spo_alert_syslog.c 2009-10-19 17:44:04.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_alert_syslog.c 2011-06-08 00:33:16.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify @@ -19,14 +19,14 @@ */ /* $Id$ */ -/* spo_alert_syslog - * +/* spo_alert_syslog + * * Purpose: * * This module sends alerts to the syslog service. * * Arguments: - * + * * Logging mechanism? * * Effect: 
@@ -60,19 +60,20 @@ #include "decode.h" #include "event.h" #include "rules.h" +#include "treenodes.h" #include "plugbase.h" #include "spo_plugbase.h" -#include "debug.h" +#include "snort_debug.h" #include "parser.h" #include "mstring.h" #include "util.h" #include "strlcatu.h" #include "strlcpyu.h" - +#include "util_net.h" #include "snort.h" +#include "sfdaq.h" extern OptTreeNode *otn_tmp; -extern char *pcap_interface; typedef struct _SyslogData { @@ -81,18 +82,18 @@ int options; } SyslogData; -void AlertSyslogInit(char *); -SyslogData *ParseSyslogArgs(char *); -void AlertSyslog(Packet *, char *, void *, Event *); -void AlertSyslogCleanExit(int, void *); -void AlertSyslogRestart(int, void *); +static void AlertSyslogInit(char *); +static SyslogData *ParseSyslogArgs(char *); +static void AlertSyslog(Packet *, char *, void *, Event *); +static void AlertSyslogCleanExit(int, void *); +static void AlertSyslogRestart(int, void *); /* * Function: SetupSyslog() * - * Purpose: Registers the output plugin keyword and initialization + * Purpose: Registers the output plugin keyword and initialization * function into the output plugin list. This is the function that * gets called from InitOutputPlugins() in plugbase.c. * @@ -103,7 +104,7 @@ */ void AlertSyslogSetup(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ RegisterOutputPlugin("alert_syslog", OUTPUT_TYPE_FLAG__ALERT, AlertSyslogInit); DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Output plugin: Alert-Syslog is setup...\n");); @@ -121,7 +122,7 @@ * Returns: void function * */ -void AlertSyslogInit(char *args) +static void AlertSyslogInit(char *args) { SyslogData *data; DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Output: Alert-Syslog Initialized\n");); 
@@ -147,9 +148,9 @@ /* * Function: ParseSyslogArgs(char *) * - * Purpose: Process the preprocessor arguements from the rules file and + * Purpose: Process the preprocessor arguements from the rules file and * initialize the preprocessor's data struct. This function doesn't - * have to exist if it makes sense to parse the args in the init + * have to exist if it makes sense to parse the args in the init * function. * * Arguments: args => argument list @@ -157,7 +158,7 @@ * Returns: void function * */ -SyslogData *ParseSyslogArgs(char *args) +static SyslogData *ParseSyslogArgs(char *args) { #ifdef WIN32 char *DEFAULT_SYSLOG_HOST = "127.0.0.1"; @@ -185,7 +186,7 @@ { /* horrible kludge to catch default initialization */ if(file_name != NULL) - { + { LogMessage("%s(%d) => No arguments to alert_syslog preprocessor!\n", file_name, file_line); } @@ -196,7 +197,7 @@ /* * NON-WIN32: Config should be in the format: * output alert_syslog: LOG_AUTH LOG_ALERT - * + * * WIN32: Config can be in any of these formats: * output alert_syslog: LOG_AUTH LOG_ALERT * output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT @@ -226,7 +227,7 @@ if(num_host_toks > 0 && strcmp(host_toks[0], "host") != 0 ) { FatalError("%s(%d) => Badly formed alert_syslog 'host' " - "argument ('%s')\n", + "argument ('%s')\n", file_name, file_line, host_string); } /* check for empty strings */ @@ -235,7 +236,7 @@ (num_host_toks >= 3 && strlen(host_toks[2]) == 0)) { FatalError("%s(%d) => Badly formed alert_syslog 'host' " - "argument ('%s')\n", + "argument ('%s')\n", file_name, file_line, host_string); } switch(num_host_toks) 
@@ -252,16 +253,16 @@ { snort_conf->syslog_server_port = DEFAULT_SYSLOG_PORT; /*default*/ LogMessage("WARNING %s(%d) => alert_syslog port " - "appears to be non-numeric ('%s'). Defaulting " - "to port %d!\n", file_name, file_line, + "appears to be non-numeric ('%s'). Defaulting " + "to port %d!\n", file_name, file_line, host_toks[2], DEFAULT_SYSLOG_PORT); - + } break; default: /* badly formed, should never occur */ FatalError("%s(%d) => Badly formed alert_syslog 'host' " - "argument ('%s')\n", + "argument ('%s')\n", file_name, file_line, host_string); } mSplitFree(&host_toks, num_host_toks); @@ -273,7 +274,7 @@ } DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Logging alerts to syslog " - "server %s on port %d\n", snort_conf->syslog_server, + "server %s on port %d\n", snort_conf->syslog_server, snort_conf->syslog_server_port);); mSplitFree(&config_toks, num_facility_toks); #endif /* WIN32 */ @@ -287,7 +288,7 @@ { if((tmp = VarGet(facility_toks[i]+1)) == NULL) { - FatalError("%s(%d) => Undefined variable %s\n", + FatalError("%s(%d) => Undefined variable %s\n", file_name, file_line, facility_toks[i]); } } @@ -298,28 +299,28 @@ /* possible openlog options */ -#ifdef LOG_CONS +#ifdef LOG_CONS if(!strcasecmp("LOG_CONS", tmp)) { data->options |= LOG_CONS; } else #endif -#ifdef LOG_NDELAY +#ifdef LOG_NDELAY if(!strcasecmp("LOG_NDELAY", tmp)) { data->options |= LOG_NDELAY; } else #endif -#ifdef LOG_PERROR +#ifdef LOG_PERROR if(!strcasecmp("LOG_PERROR", tmp)) { data->options |= LOG_PERROR; } else #endif -#ifdef LOG_PID +#ifdef LOG_PID if(!strcasecmp("LOG_PID", tmp)) { data->options |= LOG_PID; 
@@ -336,84 +337,84 @@ /* possible openlog facilities */ -#ifdef LOG_AUTHPRIV +#ifdef LOG_AUTHPRIV if(!strcasecmp("LOG_AUTHPRIV", tmp)) { data->facility = LOG_AUTHPRIV; } else #endif -#ifdef LOG_AUTH +#ifdef LOG_AUTH if(!strcasecmp("LOG_AUTH", tmp)) { data->facility = LOG_AUTH; } else #endif -#ifdef LOG_DAEMON +#ifdef LOG_DAEMON if(!strcasecmp("LOG_DAEMON", tmp)) { data->facility = LOG_DAEMON; } else #endif -#ifdef LOG_LOCAL0 +#ifdef LOG_LOCAL0 if(!strcasecmp("LOG_LOCAL0", tmp)) { data->facility = LOG_LOCAL0; } else #endif -#ifdef LOG_LOCAL1 +#ifdef LOG_LOCAL1 if(!strcasecmp("LOG_LOCAL1", tmp)) { data->facility = LOG_LOCAL1; } else #endif -#ifdef LOG_LOCAL2 +#ifdef LOG_LOCAL2 if(!strcasecmp("LOG_LOCAL2", tmp)) { data->facility = LOG_LOCAL2; } else #endif -#ifdef LOG_LOCAL3 +#ifdef LOG_LOCAL3 if(!strcasecmp("LOG_LOCAL3", tmp)) { data->facility = LOG_LOCAL3; } else #endif -#ifdef LOG_LOCAL4 +#ifdef LOG_LOCAL4 if(!strcasecmp("LOG_LOCAL4", tmp)) { data->facility = LOG_LOCAL4; } else #endif -#ifdef LOG_LOCAL5 +#ifdef LOG_LOCAL5 if(!strcasecmp("LOG_LOCAL5", tmp)) { data->facility = LOG_LOCAL5; } else #endif -#ifdef LOG_LOCAL6 +#ifdef LOG_LOCAL6 if(!strcasecmp("LOG_LOCAL6", tmp)) { data->facility = LOG_LOCAL6; } else #endif -#ifdef LOG_LOCAL7 +#ifdef LOG_LOCAL7 if(!strcasecmp("LOG_LOCAL7", tmp)) { data->facility = LOG_LOCAL7; } else #endif -#ifdef LOG_USER +#ifdef LOG_USER if(!strcasecmp("LOG_USER", tmp)) { data->facility = LOG_USER; 
@@ -423,56 +424,56 @@ /* possible syslog priorities */ -#ifdef LOG_EMERG +#ifdef LOG_EMERG if(!strcasecmp("LOG_EMERG", tmp)) { data->priority = LOG_EMERG; } else #endif -#ifdef LOG_ALERT +#ifdef LOG_ALERT if(!strcasecmp("LOG_ALERT", tmp)) { data->priority = LOG_ALERT; } else #endif -#ifdef LOG_CRIT +#ifdef LOG_CRIT if(!strcasecmp("LOG_CRIT", tmp)) { data->priority = LOG_CRIT; } else #endif -#ifdef LOG_ERR +#ifdef LOG_ERR if(!strcasecmp("LOG_ERR", tmp)) { data->priority = LOG_ERR; } else #endif -#ifdef LOG_WARNING +#ifdef LOG_WARNING if(!strcasecmp("LOG_WARNING", tmp)) { data->priority = LOG_WARNING; } else #endif -#ifdef LOG_NOTICE +#ifdef LOG_NOTICE if(!strcasecmp("LOG_NOTICE", tmp)) { data->priority = LOG_NOTICE; } else #endif -#ifdef LOG_INFO +#ifdef LOG_INFO if(!strcasecmp("LOG_INFO", tmp)) { data->priority = LOG_INFO; } else #endif -#ifdef LOG_DEBUG +#ifdef LOG_DEBUG if(!strcasecmp("LOG_DEBUG", tmp)) { data->priority = LOG_DEBUG; 
@@ -508,156 +509,116 @@ * as you like. Try not to destroy the performance of the whole * system by trying to do too much.... * - * Arguments: p => pointer to the current packet data struct + * Arguments: p => pointer to the current packet data struct * * Returns: void function * */ -void AlertSyslog(Packet *p, char *msg, void *arg, Event *event) +static void AlertSyslog(Packet *p, char *msg, void *arg, Event *event) { - char sip[16]; - char dip[16]; - char pri_data[STD_BUF]; - char ip_data[STD_BUF]; - char event_data[STD_BUF]; -#define SYSLOG_BUF 1024 - char event_string[SYSLOG_BUF]; SyslogData *data = (SyslogData *)arg; + char event_string[STD_BUF]; - event_string[0] = '\0'; - - /* Remove this check when we support IPv6 below. */ - /* sip and dip char arrays need to change size for IPv6. */ - if (!IS_IP4(p)) - { + if (data == NULL) return; - } - if(p && IPH_IS_VALID(p)) + event_string[0] = '\0'; + + if ((p != NULL) && IPH_IS_VALID(p)) { - if (strlcpy(sip, inet_ntoa(GET_SRC_ADDR(p)), sizeof(sip)) >= sizeof(sip)) - return; + if (event != NULL) + { + SnortSnprintfAppend(event_string, sizeof(event_string), + "[%lu:%lu:%lu] ", + (unsigned long)event->sig_generator, + (unsigned long)event->sig_id, + (unsigned long)event->sig_rev); + } - if (strlcpy(dip, inet_ntoa(GET_DST_ADDR(p)), sizeof(dip)) >= sizeof(dip)) - return; + if (msg != NULL) + SnortSnprintfAppend(event_string, sizeof(event_string), "%s ", msg); + else + SnortSnprintfAppend(event_string, sizeof(event_string), "ALERT "); - if(event != NULL) + if (otn_tmp != NULL) { - if( SnortSnprintf(event_data, STD_BUF, "[%lu:%lu:%lu] ", - (unsigned long) event->sig_generator, - (unsigned long) event->sig_id, - (unsigned long) event->sig_rev) != SNORT_SNPRINTF_SUCCESS ) - return ; + if ((otn_tmp->sigInfo.classType != NULL) + && (otn_tmp->sigInfo.classType->name != NULL)) + { + SnortSnprintfAppend(event_string, sizeof(event_string), + "[Classification: %s] ", + otn_tmp->sigInfo.classType->name); + } + + if 
(otn_tmp->sigInfo.priority != 0) + { + SnortSnprintfAppend(event_string, sizeof(event_string), + "[Priority: %d] ", otn_tmp->sigInfo.priority); + } + } - if( strlcat(event_string, event_data, SYSLOG_BUF) >= SYSLOG_BUF) - return ; + if (ScAlertInterface()) + { + SnortSnprintfAppend(event_string, sizeof(event_string), + "<%s> ", PRINT_INTERFACE(DAQ_GetInterfaceSpec())); } - if(msg != NULL) + if (protocol_names[GET_IPH_PROTO(p)] != NULL) { - if( strlcat(event_string, msg, SYSLOG_BUF) >= SYSLOG_BUF ) - return ; + SnortSnprintfAppend(event_string, sizeof(event_string), + "{%s} ", protocol_names[GET_IPH_PROTO(p)]); } else { - if(strlcat(event_string, "ALERT", SYSLOG_BUF) >= SYSLOG_BUF) - return ; + SnortSnprintfAppend(event_string, sizeof(event_string), + "{%d} ", GET_IPH_PROTO(p)); } - if(otn_tmp != NULL) + if (p->frag_flag + || ((GET_IPH_PROTO(p) != IPPROTO_TCP) + && (GET_IPH_PROTO(p) != IPPROTO_UDP))) { - if(otn_tmp->sigInfo.classType) - { - if( otn_tmp->sigInfo.classType->name ) - { - if( SnortSnprintf(pri_data, STD_BUF-1, " [Classification: %s] " - "[Priority: %d]:", - otn_tmp->sigInfo.classType->name, - otn_tmp->sigInfo.priority) != SNORT_SNPRINTF_SUCCESS ) - return ; - } - if( strlcat(event_string, pri_data, SYSLOG_BUF) >= SYSLOG_BUF) - return ; - } - else if(otn_tmp->sigInfo.priority != 0) - { - if( SnortSnprintf(pri_data, STD_BUF, "[Priority: %d]:", - otn_tmp->sigInfo.priority) != SNORT_SNPRINTF_SUCCESS ) - return ; + char *ip_fmt = "%s -> %s"; - if( strlcat(event_string, pri_data, SYSLOG_BUF) >= SYSLOG_BUF) - return; - } - } - - if((GET_IPH_PROTO(p) != IPPROTO_TCP && - GET_IPH_PROTO(p) != IPPROTO_UDP) || - p->frag_flag) - { - if(!ScAlertInterface()) + if (ScObfuscate()) { - if( protocol_names[GET_IPH_PROTO(p)] ) - { - if( SnortSnprintf(ip_data, STD_BUF, " {%s} %s -> %s", - protocol_names[GET_IPH_PROTO(p)], - sip, dip) != SNORT_SNPRINTF_SUCCESS ) - return; - } + SnortSnprintfAppend(event_string, sizeof(event_string), ip_fmt, + ObfuscateIpToText(GET_SRC_ADDR(p)), 
+ ObfuscateIpToText(GET_DST_ADDR(p))); } else { - if( protocol_names[GET_IPH_PROTO(p)] && PRINT_INTERFACE(pcap_interface) ) - { - if( SnortSnprintf(ip_data, STD_BUF, " <%s> {%s} %s -> %s", - PRINT_INTERFACE(pcap_interface), - protocol_names[GET_IPH_PROTO(p)], - sip, dip) != SNORT_SNPRINTF_SUCCESS ) - return ; - } + SnortSnprintfAppend(event_string, sizeof(event_string), ip_fmt, + inet_ntoax(GET_SRC_ADDR(p)), inet_ntoax(GET_DST_ADDR(p))); } } else { - if(ScAlertInterface()) + char *ip_fmt = "%s:%d -> %s:%d"; + + if (ScObfuscate()) { - if( protocol_names[GET_IPH_PROTO(p)] && PRINT_INTERFACE(pcap_interface) ) - { - if( SnortSnprintf(ip_data, STD_BUF, " <%s> {%s} %s:%i -> %s:%i", - PRINT_INTERFACE(pcap_interface), - protocol_names[GET_IPH_PROTO(p)], sip, - p->sp, dip, p->dp) != SNORT_SNPRINTF_SUCCESS ) - return ; - } + SnortSnprintfAppend(event_string, sizeof(event_string), ip_fmt, + ObfuscateIpToText(GET_SRC_ADDR(p)), p->sp, + ObfuscateIpToText(GET_DST_ADDR(p)), p->dp); } else { - if( protocol_names[GET_IPH_PROTO(p)] ) - { - if( SnortSnprintf(ip_data, STD_BUF, " {%s} %s:%i -> %s:%i", - protocol_names[GET_IPH_PROTO(p)], sip, p->sp, - dip, p->dp) != SNORT_SNPRINTF_SUCCESS ) - return ; - } + SnortSnprintfAppend(event_string, sizeof(event_string), ip_fmt, + inet_ntoax(GET_SRC_ADDR(p)), p->sp, + inet_ntoax(GET_DST_ADDR(p)), p->dp); } } - if( strlcat(event_string, ip_data, SYSLOG_BUF) >= SYSLOG_BUF) - return; - syslog(data->priority, "%s", event_string); - } - else + else { syslog(data->priority, "%s", msg == NULL ? "ALERT!" : msg); } - - return; - } - -void AlertSyslogCleanExit(int signal, void *arg) +static void AlertSyslogCleanExit(int signal, void *arg) { SyslogData *data = (SyslogData *)arg; DEBUG_WRAP(DebugMessage(DEBUG_LOG, "AlertSyslogCleanExit\n");); 
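Review bot: `char *ip_fmt = "%s -> %s";` and `char *ip_fmt = "%s:%d -> %s:%d";` bind string literals to mutable pointers and then pass a non-literal format to SnortSnprintfAppend, which hides the format from the compiler's argument checking; declare them `const char *ip_fmt` or pass the literals directly in each call. The same call sites invoke `inet_ntoax(GET_SRC_ADDR(p))` and `inet_ntoax(GET_DST_ADDR(p))` in one argument list (likewise `ObfuscateIpToText`), which is only safe if those helpers rotate through several static buffers; the removed code copied each address into `sip`/`dip` precisely to avoid the single-static-buffer problem of inet_ntoa, so this assumption deserves a comment, e.g. `/* inet_ntoax/ObfuscateIpToText must return distinct buffers per call */`, and confirmation. The rewritten AlertSyslog is entirely within the hunk; AlertSyslogCleanExit continues past it.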
@@ -666,7 +627,7 @@ free(data); } -void AlertSyslogRestart(int signal, void *arg) +static void AlertSyslogRestart(int signal, void *arg) { SyslogData *data = (SyslogData *)arg; DEBUG_WRAP(DebugMessage(DEBUG_LOG, "AlertSyslogRestartFunc\n");); diff -Nru snort-2.8.5.2/src/output-plugins/spo_alert_syslog.h snort-2.9.2/src/output-plugins/spo_alert_syslog.h --- snort-2.8.5.2/src/output-plugins/spo_alert_syslog.h 2009-01-26 16:26:23.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_alert_syslog.h 2011-02-09 23:23:27.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.8.5.2/src/output-plugins/spo_alert_test.c snort-2.9.2/src/output-plugins/spo_alert_test.c --- snort-2.8.5.2/src/output-plugins/spo_alert_test.c 2009-05-06 22:29:12.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_alert_test.c 2011-06-08 00:33:16.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2007-2009 Sourcefire, Inc. +** Copyright (C) 2007-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -20,7 +20,7 @@ /* $Id$ */ /* spo_alert_test_ - * + * * Purpose: output plugin for test alerting * * Arguments: file , stdout, rebuilt, session, msg @@ -31,7 +31,7 @@ * S - Stream rebuilt * F - IP frag rebuilt * outputs: : - * session - include src/dst IPs and ports + * session - include src/dst IPs and ports * outputs: :-: * msg - include alert message * @@ -45,7 +45,7 @@ * output alert_test: rebuilt, session, msg * output alert_test: stdout, rebuilt, session, msg * output alert_test: file test.alert, rebuilt, session, msg - * + * * Effect: * * Alerts are written to a file in the snort test alert format 
@@ -59,9 +59,10 @@ #include "config.h" #endif +#include "sf_types.h" #include "event.h" #include "decode.h" -#include "debug.h" +#include "snort_debug.h" #include "plugbase.h" #include "spo_plugbase.h" #include "parser.h" @@ -87,8 +88,6 @@ #include -extern SnortConfig *snort_conf_for_parsing; - #define TEST_FLAG_FILE 0x01 #define TEST_FLAG_STDOUT 0x02 #define TEST_FLAG_MSG 0x04 @@ -108,13 +107,13 @@ void AlertTestRestartFunc(int, void *); void AlertTest(Packet *, char *, void *, Event *); -extern PacketCount pc; +extern PacketCount pc; /* * Function: SetupAlertTest() * - * Purpose: Registers the output plugin keyword and initialization + * Purpose: Registers the output plugin keyword and initialization * function into the output plugin list. This is the function that * gets called from InitOutputPlugins() in plugbase.c. * @@ -125,7 +124,7 @@ */ void AlertTestSetup(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ RegisterOutputPlugin("alert_test", OUTPUT_TYPE_FLAG__ALERT, AlertTestInit); DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Output plugin: AlertTest is setup...\n");); @@ -153,7 +152,7 @@ data = ParseAlertTestArgs(args); DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Linking AlertTest functions to call lists...\n");); - + /* Set the preprocessor function into the function list */ AddFuncToOutputList(AlertTest, OUTPUT_TYPE__ALERT, data); AddFuncToCleanExitList(AlertTestCleanExitFunc, data); 
@@ -169,60 +168,43 @@ data = (SpoAlertTestData *)arg; - fprintf(data->file, "" STDu64 "\t", pc.total_from_pcap); + fprintf(data->file, "" STDu64 "\t", pc.total_from_daq); - if(event != NULL) + if (event != NULL) { fprintf(data->file, "%lu\t%lu\t%lu\t", (unsigned long) event->sig_generator, (unsigned long) event->sig_id, (unsigned long) event->sig_rev); } - + if (data->flags & TEST_FLAG_MSG) { - if(msg != NULL) - { - fprintf(data->file, "%s\t", msg); - } + if (msg != NULL) + fprintf(data->file, "%s\t", msg); } if (data->flags & TEST_FLAG_SESSION) - { - if (IPH_IS_VALID(p)) - { - fprintf(data->file, "%s:%d", - inet_ntoa(GET_SRC_ADDR(p)), p->sp); - fprintf(data->file, "-%s:%d\t", - inet_ntoa(GET_DST_ADDR(p)), p->dp); - } - } + PrintIpAddrs(data->file, p); if (data->flags & TEST_FLAG_REBUILT) { if (p->packet_flags & PKT_REBUILT_FRAG) - { fprintf(data->file, "F:" STDu64 "\t", pc.rebuilt_frags); - } else if (p->packet_flags & PKT_REBUILT_STREAM) - { fprintf(data->file, "S:" STDu64 "\t", pc.rebuilt_tcp); - } } fprintf(data->file, "\n"); - fflush(data->file); - - return; } /* * Function: ParseAlertTestArgs(char *) * - * Purpose: Process the preprocessor arguements from the rules file and + * Purpose: Process the preprocessor arguements from the rules file and * initialize the preprocessor's data struct. This function doesn't - * have to exist if it makes sense to parse the args in the init + * have to exist if it makes sense to parse the args in the init * function. * * Arguments: args => argument list @@ -233,14 +215,13 @@ SpoAlertTestData * ParseAlertTestArgs(char *args) { char **toks; - char *option; int num_toks; SpoAlertTestData *data; int i; data = (SpoAlertTestData *)SnortAlloc(sizeof(SpoAlertTestData)); - if(args == NULL) + if (args == NULL) { data->file = OpenAlertFile(NULL); data->flags |= TEST_FLAG_FILE; 
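Review bot: The `fflush(data->file);` after the trailing `fprintf(data->file, "\n");` is removed, so alert records now stay in the stdio buffer until it fills or the file is closed; for a test-output plugin whose consumers tail the file or read stdout this delays records and loses the last ones on an abnormal exit. If the flush was dropped deliberately for throughput, say so in a comment; otherwise restore `fflush(data->file);` after the newline. The session output moved from an inline `IPH_IS_VALID(p)` guard to `PrintIpAddrs(data->file, p)`; I am assuming that helper performs the validity check itself, which is worth confirming. AlertTest's signature lies outside this hunk.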
@@ -249,86 +230,65 @@ DEBUG_WRAP(DebugMessage(DEBUG_LOG, "ParseAlertTestArgs: %s\n", args);); - toks = mSplit(args, ",", 5, &num_toks, 0); + toks = mSplit(args, ",", 0, &num_toks, 0); for (i = 0; i < num_toks; i++) { - option = toks[i]; + char *option; + char **atoks; + int num_atoks; - while (isspace((int)*option)) - option++; + atoks = mSplit(toks[i], " ", 0, &num_atoks, 0); + option = atoks[0]; - if(strncasecmp("stdout", option, strlen("stdout")) == 0) + if (!strcasecmp("stdout", option)) { if (data->flags & TEST_FLAG_FILE) - { - FatalError("alert_test: cannot specify both stdout and file\n"); - } + ParseError("alert_test: cannot specify both stdout and file\n"); data->file = stdout; data->flags |= TEST_FLAG_STDOUT; } - else if (strncasecmp("session", option, strlen("session")) == 0) + else if (!strcasecmp("session", option)) { data->flags |= TEST_FLAG_SESSION; } - else if (strncasecmp("rebuilt", option, strlen("rebuilt")) == 0) + else if (!strcasecmp("rebuilt", option)) { data->flags |= TEST_FLAG_REBUILT; } - else if (strncasecmp("msg", option, strlen("msg")) == 0) + else if (!strcasecmp("msg", option)) { data->flags |= TEST_FLAG_MSG; } - else if (strncasecmp("file", option, strlen("file")) == 0) + else if (!strcasecmp("file", option)) { - char *filename; - if (data->flags & TEST_FLAG_STDOUT) - { - FatalError("alert_test: cannot specify both stdout and file\n"); - } - - filename = strstr(option, " "); + ParseError("alert_test: cannot specify both stdout and file\n"); + + data->flags |= TEST_FLAG_FILE; - if (filename == NULL) + if (num_atoks == 1) { data->file = OpenAlertFile(NULL); - data->flags |= TEST_FLAG_FILE; + } + else if (num_atoks == 2) + { + char *outfile = ProcessFileOption(snort_conf_for_parsing, atoks[1]); + data->file = OpenAlertFile(outfile); + free(outfile); } else { - while (isspace((int)*filename)) - filename++; - - if (*filename == '\0') - { - data->file = OpenAlertFile(NULL); - data->flags |= TEST_FLAG_FILE; - } - else - { - char 
*filename_end; - char *outfile; - - filename_end = filename + strlen(filename) - 1; - while (isspace((int)*filename_end)) - filename_end--; - - filename_end++; - filename_end = '\0'; - - outfile = ProcessFileOption(snort_conf_for_parsing, filename); - data->file = OpenAlertFile(outfile); - data->flags |= TEST_FLAG_FILE; - free(outfile); - } + ParseError("Invalid \"file\" argument to alert_test: %s", option); } } else { - FatalError("Unrecognized alert_test option: %s\n", option); + ParseError("Unrecognized alert_test option: %s\n", option); } + + mSplitFree(&atoks, num_atoks); } /* free toks */ diff -Nru snort-2.8.5.2/src/output-plugins/spo_alert_test.h snort-2.9.2/src/output-plugins/spo_alert_test.h --- snort-2.8.5.2/src/output-plugins/spo_alert_test.h 2009-01-26 16:26:23.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_alert_test.h 2011-02-09 23:23:27.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2007-2009 Sourcefire, Inc. +** Copyright (C) 2007-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.8.5.2/src/output-plugins/spo_alert_unixsock.c snort-2.9.2/src/output-plugins/spo_alert_unixsock.c --- snort-2.8.5.2/src/output-plugins/spo_alert_unixsock.c 2009-05-06 22:29:12.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_alert_unixsock.c 2011-06-08 00:33:16.000000000 +0000 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** Copyright (C) 2000,2001 Andrew R. Baker ** @@ -21,11 +21,11 @@ */ /* spo_alert_unixsock - * + * * Purpose: output plugin for Unix Socket alerting * * Arguments: none (yet) - * + * * Effect: ??? * */ 
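Review bot: `option = atoks[0];` is dereferenced by the following `strcasecmp` calls before `num_atoks` is checked; a trailing or doubled comma in the option list hands mSplit an empty token, and depending on how mSplit represents that, `atoks[0]` may be NULL or not allocated at all. Guard it at the top of the loop body: `if (num_atoks == 0) { mSplitFree(&atoks, num_atoks); continue; }`. Separately, the stdout/file conflict branches changed from `FatalError` to `ParseError` and then fall straight through to `data->file = stdout` or `OpenAlertFile`; that is only correct if ParseError never returns, which the hunk does not show. ParseAlertTestArgs's signature is outside the hunk.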
@@ -45,12 +45,13 @@ #include #include +#include "sf_types.h" #include "event.h" #include "decode.h" #include "plugbase.h" #include "spo_plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "snort.h" @@ -79,23 +80,23 @@ static int alertsd; #ifndef WIN32 -struct sockaddr_un alertaddr; +static struct sockaddr_un alertaddr; #else -struct sockaddr_in alertaddr; +static struct sockaddr_in alertaddr; #endif -void AlertUnixSockInit(char *); -void AlertUnixSock(Packet *, char *, void *, Event *); -void ParseAlertUnixSockArgs(char *); -void AlertUnixSockCleanExit(int, void *); -void AlertUnixSockRestart(int, void *); -void OpenAlertSock(void); -void CloseAlertSock(void); +static void AlertUnixSockInit(char *); +static void AlertUnixSock(Packet *, char *, void *, Event *); +static void ParseAlertUnixSockArgs(char *); +static void AlertUnixSockCleanExit(int, void *); +static void AlertUnixSockRestart(int, void *); +static void OpenAlertSock(void); +static void CloseAlertSock(void); /* * Function: SetupAlertUnixSock() * - * Purpose: Registers the output plugin keyword and initialization + * Purpose: Registers the output plugin keyword and initialization * function into the output plugin list. This is the function that * gets called from InitOutputPlugins() in plugbase.c. * @@ -106,7 +107,7 @@ */ void AlertUnixSockSetup(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ RegisterOutputPlugin("alert_unixsock", OUTPUT_TYPE_FLAG__ALERT, AlertUnixSockInit); DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Output plugin: AlertUnixSock is setup...\n");); @@ -124,7 +125,7 @@ * Returns: void function * */ -void AlertUnixSockInit(char *args) +static void AlertUnixSockInit(char *args) { DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Output: AlertUnixSock Initialized\n");); 
@@ -144,16 +145,16 @@ /* * Function: ParseAlertUnixSockArgs(char *) * - * Purpose: Process the preprocessor arguements from the rules file and + * Purpose: Process the preprocessor arguements from the rules file and * initialize the preprocessor's data struct. This function doesn't - * have to exist if it makes sense to parse the args in the init + * have to exist if it makes sense to parse the args in the init * function. * * Arguments: args => argument list * * Returns: void function */ -void ParseAlertUnixSockArgs(char *args) +static void ParseAlertUnixSockArgs(char *args) { DEBUG_WRAP(DebugMessage(DEBUG_LOG,"ParseAlertUnixSockArgs: %s\n", args);); /* eventually we may support more than one socket */ @@ -170,7 +171,7 @@ * Returns: void function * ***************************************************************************/ -void AlertUnixSock(Packet *p, char *msg, void *arg, Event *event) +static void AlertUnixSock(Packet *p, char *msg, void *arg, Event *event) { static Alertpkt alertpkt; @@ -184,9 +185,10 @@ if(p && p->pkt) { - bcopy((const void *)p->pkth,(void *)&alertpkt.pkth,sizeof(struct pcap_pkthdr)); + uint32_t snaplen = DAQ_GetSnapLen(); + bcopy((const void *)p->pkth,(void *)&alertpkt.pkth,sizeof(DAQ_PktHdr_t)); bcopy((const void *)p->pkt,alertpkt.pkt, - alertpkt.pkth.caplen > SNAPLEN? SNAPLEN : alertpkt.pkth.caplen); + alertpkt.pkth.caplen > snaplen? snaplen : alertpkt.pkth.caplen); } else alertpkt.val|=NOPACKET_STRUCT; 
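Review bot: `bcopy((const void *)p->pkth,(void *)&alertpkt.pkth,sizeof(DAQ_PktHdr_t));` copies `sizeof(DAQ_PktHdr_t)` bytes into a field that the header hunk in this diff retypes as `struct pcap_pkthdr32`; if the DAQ header is larger than the 32-bit pcap header the copy spills into the fields that follow `pkth`, and if it is smaller the tail of `pkth` is left stale. Copy by destination size, or better field by field (`ts`, `caplen`, `pktlen`), and add a comment stating that the two layouts are intentionally distinct. The packet copy is bounded by `snaplen = DAQ_GetSnapLen()` rather than by the destination array, which the header fixes at 65535 bytes; if the DAQ snaplen can be configured above that, a full-size capture overruns the static `alertpkt`, so clamp to `sizeof(alertpkt.pkt)` instead. The enclosing AlertUnixSock body continues outside the hunk.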
@@ -202,39 +204,39 @@ { if(p) { - if (p->eh) + if (p->eh) { alertpkt.dlthdr=(char *)p->eh-(char *)p->pkt; } - + /* we don't log any headers besides eth yet */ - if (IPH_IS_VALID(p) && p->pkt) + if (IPH_IS_VALID(p) && p->pkt && IS_IP4(p)) { alertpkt.nethdr=(char *)p->iph-(char *)p->pkt; - + switch(GET_IPH_PROTO(p)) { case IPPROTO_TCP: - if (p->tcph) + if (p->tcph) { alertpkt.transhdr=(char *)p->tcph-(char *)p->pkt; } break; - + case IPPROTO_UDP: - if (p->udph) + if (p->udph) { alertpkt.transhdr=(char *)p->udph-(char *)p->pkt; } break; - + case IPPROTO_ICMP: - if (p->icmph) + if (p->icmph) { alertpkt.transhdr=(char *)p->icmph-(char *)p->pkt; } break; - + default: /* alertpkt.transhdr is null due to initial bzero */ alertpkt.val|=NO_TRANSHDR; @@ -267,7 +269,7 @@ * * Returns: void function */ -void OpenAlertSock(void) +static void OpenAlertSock(void) { char srv[STD_BUF]; @@ -283,7 +285,7 @@ } bzero((char *) &alertaddr, sizeof(alertaddr)); - + /* 108 is the size of sun_path */ strncpy(alertaddr.sun_path, srv, 108); @@ -295,19 +297,19 @@ } } -void AlertUnixSockCleanExit(int signal, void *arg) +static void AlertUnixSockCleanExit(int signal, void *arg) { DEBUG_WRAP(DebugMessage(DEBUG_LOG,"AlertUnixSockCleanExitFunc\n");); CloseAlertSock(); } -void AlertUnixSockRestart(int signal, void *arg) +static void AlertUnixSockRestart(int signal, void *arg) { DEBUG_WRAP(DebugMessage(DEBUG_LOG,"AlertUnixSockRestartFunc\n");); CloseAlertSock(); } -void CloseAlertSock(void) +static void CloseAlertSock(void) { if(alertsd >= 0) { close(alertsd); diff -Nru snort-2.8.5.2/src/output-plugins/spo_alert_unixsock.h snort-2.9.2/src/output-plugins/spo_alert_unixsock.h --- snort-2.8.5.2/src/output-plugins/spo_alert_unixsock.h 2009-05-06 22:29:12.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_alert_unixsock.h 2011-02-09 23:23:27.000000000 +0000 
@@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** Copyright (C) 2000,2001 Andrew R. Baker ** @@ -30,14 +30,15 @@ #define __SPO_ALERT_UNIXSOCK_H__ #include -#include #include "event.h" +#include "pcap_pkthdr32.h" /* this struct is for the alert socket code.... */ +// FIXTHIS alert unix sock supports l2-l3-l4 encapsulations typedef struct _Alertpkt { uint8_t alertmsg[ALERTMSG_LENGTH]; /* variable.. */ - struct pcap_pkthdr pkth; + struct pcap_pkthdr32 pkth; uint32_t dlthdr; /* datalink header offset. (ethernet, etc.. ) */ uint32_t nethdr; /* network header offset. (ip etc...) */ uint32_t transhdr; /* transport header offset (tcp/udp/icmp ..) */ @@ -48,7 +49,7 @@ #define NOPACKET_STRUCT 0x1 /* no transport headers in packet */ #define NO_TRANSHDR 0x2 - uint8_t pkt[SNAPLEN]; + uint8_t pkt[65535]; Event event; } Alertpkt; diff -Nru snort-2.8.5.2/src/output-plugins/spo_csv.c snort-2.9.2/src/output-plugins/spo_csv.c --- snort-2.8.5.2/src/output-plugins/spo_csv.c 2009-05-06 22:29:13.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_csv.c 2011-06-08 00:33:16.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** Copyright (C) 2001 Brian Caswell ** @@ -22,11 +22,11 @@ /* $Id$ */ /* spo_csv - * + * * Purpose: output plugin for csv alerting * * Arguments: alert file (eventually) - * + * * Effect: * * Alerts are written to a file in the snort csv alert format @@ -52,12 +52,13 @@ #include #endif +#include "spo_csv.h" #include "event.h" #include "decode.h" #include "plugbase.h" #include "spo_plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "mstring.h" #include "util.h" #include "log.h" 
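Review bot: The `Alertpkt` layout changes in two places in this header (`pkth` becomes `struct pcap_pkthdr32`, `pkt` grows from `SNAPLEN` to a bare `65535`), and since this struct is presumably what alert_unixsock writes to the socket, its layout is a wire format that external readers depend on; the added `FIXTHIS` line says nothing about that. Document it at the typedef, e.g. `/* Written verbatim to the alert socket: this layout is the wire format, so field order and sizes must not change without updating consumers */`, and give the 65535 a named constant so the size bound used by the copy in spo_alert_unixsock.c and the array agree by construction.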
@@ -73,8 +74,6 @@ #define DEFAULT_LIMIT (128*M_BYTES) #define LOG_BUFFER (4*K_BYTES) -extern SnortConfig *snort_conf_for_parsing; - typedef struct _AlertCSVConfig { char *type; @@ -104,7 +103,7 @@ /* * Function: SetupCSV() * - * Purpose: Registers the output plugin keyword and initialization + * Purpose: Registers the output plugin keyword and initialization * function into the output plugin list. This is the function that * gets called from InitOutputPlugins() in plugbase.c. * @@ -115,7 +114,7 @@ */ void AlertCSVSetup(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ RegisterOutputPlugin("alert_CSV", OUTPUT_TYPE_FLAG__ALERT, AlertCSVInit); @@ -175,10 +174,6 @@ DEBUG_WRAP(DebugMessage(DEBUG_INIT, "ParseCSVArgs: %s\n", args);); data = (AlertCSVData *)SnortAlloc(sizeof(AlertCSVData)); - if ( !data ) - { - FatalError("alert_csv: unable to allocate memory!\n"); - } if ( !args ) args = ""; toks = mSplit((char *)args, " \t", 4, &num_toks, '\\'); @@ -192,20 +187,15 @@ case 0: if ( !strcasecmp(tok, "stdout") ) filename = SnortStrdup(tok); - else filename = ProcessFileOption(snort_conf_for_parsing, tok); break; case 1: if ( !strcasecmp("default", tok) ) - { - data->csvargs = strdup(DEFAULT_CSV); - } + data->csvargs = SnortStrdup(DEFAULT_CSV); else - { - data->csvargs = strdup(toks[1]); - } + data->csvargs = SnortStrdup(toks[i]); break; case 2: @@ -235,7 +225,7 @@ if ( !filename ) filename = ProcessFileOption(snort_conf_for_parsing, DEFAULT_FILE); mSplitFree(&toks, num_toks); - toks = mSplit(data->csvargs, ",", 128, &num_toks, 0); + toks = mSplit(data->csvargs, ",", 0, &num_toks, 0); data->args = toks; data->numargs = num_toks; @@ -254,8 +244,8 @@ AlertCSVData *data = (AlertCSVData *)arg; /* close alert file */ DEBUG_WRAP(DebugMessage(DEBUG_LOG,"%s\n", msg);); - - if(data) + + if(data) { mSplitFree(&data->args, data->numargs); if (data->log) TextLog_Term(data->log); 
@@ -279,7 +269,7 @@
 static void AlertCSV(Packet *p, char *msg, void *arg, Event *event)
 {
 AlertCSVData *data = (AlertCSVData *)arg;
- RealAlertCSV(p, msg, data->args, data->numargs, event, data->log);
+ RealAlertCSV(p, msg, data->args, data->numargs, event, data->log);
 }
 
 /*
@@ -290,240 +280,237 @@ * * Arguments: p => packet. (could be NULL) * msg => the message to send - * args => CSV output arguements + * args => CSV output arguements * numargs => number of arguements * log => Log * Returns: void function * */ -static void RealAlertCSV(Packet * p, char *msg, char **args, +static void RealAlertCSV(Packet * p, char *msg, char **args, int numargs, Event *event, TextLog* log) { - int num; + int num; char *type; char tcpFlags[9]; if(p == NULL) - return; + return; - DEBUG_WRAP(DebugMessage(DEBUG_LOG,"Logging CSV Alert data\n");); + DEBUG_WRAP(DebugMessage(DEBUG_LOG,"Logging CSV Alert data\n");); for (num = 0; num < numargs; num++) { - type = args[num]; + type = args[num]; - DEBUG_WRAP(DebugMessage(DEBUG_LOG, "CSV Got type %s %d\n", type, num);); + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "CSV Got type %s %d\n", type, num);); - if(!strncasecmp("timestamp", type, 9)) - { - LogTimeStamp(log, p); - } - else if(!strncasecmp("sig_generator",type,13)) - { - if(event != NULL) - { - TextLog_Print(log, "%lu", (unsigned long) event->sig_generator); - } - } - else if(!strncasecmp("sig_id",type,6)) - { - if(event != NULL) - { - TextLog_Print(log, "%lu", (unsigned long) event->sig_id); - } - } - else if(!strncasecmp("sig_rev",type,7)) - { - if(event != NULL) - { - TextLog_Print(log, "%lu", (unsigned long) event->sig_rev); - } - } - else if(!strncasecmp("msg", type, 3)) - { - if ( !TextLog_Quote(log, msg) ) - { - FatalError("Not enough buffer space to escape msg string\n"); - } - } - else if(!strncasecmp("proto", type, 5)) - { - if(IPH_IS_VALID(p)) + if (!strcasecmp("timestamp", type)) + { + LogTimeStamp(log, p); + } + else if (!strcasecmp("sig_generator", type)) { - switch (GET_IPH_PROTO(p)) + if (event != NULL) + TextLog_Print(log, "%lu", (unsigned long) event->sig_generator); + } + else if (!strcasecmp("sig_id", type)) + { + if (event != NULL) + TextLog_Print(log, "%lu", (unsigned long) event->sig_id); + } + else if (!strcasecmp("sig_rev", type)) + { + if 
(event != NULL) + TextLog_Print(log, "%lu", (unsigned long) event->sig_rev); + } + else if (!strcasecmp("msg", type)) + { + TextLog_Quote(log, msg); /* Don't fatal */ + } + else if (!strcasecmp("proto", type)) + { + if (IPH_IS_VALID(p)) { - case IPPROTO_UDP: - TextLog_Puts(log, "UDP"); - break; - case IPPROTO_TCP: - TextLog_Puts(log, "TCP"); - break; - case IPPROTO_ICMP: - TextLog_Puts(log, "ICMP"); - break; + switch (GET_IPH_PROTO(p)) + { + case IPPROTO_UDP: + TextLog_Puts(log, "UDP"); + break; + case IPPROTO_TCP: + TextLog_Puts(log, "TCP"); + break; + case IPPROTO_ICMP: + TextLog_Puts(log, "ICMP"); + break; + default: + break; + } } } - } - else if(!strncasecmp("ethsrc", type, 6)) - { - if(p->eh) - { - TextLog_Print(log, "%X:%X:%X:%X:%X:%X", p->eh->ether_src[0], - p->eh->ether_src[1], p->eh->ether_src[2], p->eh->ether_src[3], - p->eh->ether_src[4], p->eh->ether_src[5]); - } - } - else if(!strncasecmp("ethdst", type, 6)) - { - if(p->eh) - { - TextLog_Print(log, "%X:%X:%X:%X:%X:%X", p->eh->ether_dst[0], - p->eh->ether_dst[1], p->eh->ether_dst[2], p->eh->ether_dst[3], - p->eh->ether_dst[4], p->eh->ether_dst[5]); - } - } - else if(!strncasecmp("ethtype", type, 7)) - { - if(p->eh) - { - TextLog_Print(log, "0x%X",ntohs(p->eh->ether_type)); - } - } - else if(!strncasecmp("udplength", type, 9)) - { - if(p->udph) - TextLog_Print(log, "%d",ntohs(p->udph->uh_len)); - } - else if(!strncasecmp("ethlen", type, 6)) - { - if(p->eh) - TextLog_Print(log, "0x%X",p->pkth->len); - } + else if (!strcasecmp("ethsrc", type)) + { + if (p->eh != NULL) + { + TextLog_Print(log, "%02X:%02X:%02X:%02X:%02X:%02X", p->eh->ether_src[0], + p->eh->ether_src[1], p->eh->ether_src[2], p->eh->ether_src[3], + p->eh->ether_src[4], p->eh->ether_src[5]); + } + } + else if (!strcasecmp("ethdst", type)) + { + if (p->eh != NULL) + { + TextLog_Print(log, "%02X:%02X:%02X:%02X:%02X:%02X", p->eh->ether_dst[0], + p->eh->ether_dst[1], p->eh->ether_dst[2], p->eh->ether_dst[3], + p->eh->ether_dst[4], 
p->eh->ether_dst[5]); + } + } + else if (!strcasecmp("ethtype", type)) + { + if (p->eh != NULL) + TextLog_Print(log, "0x%X", ntohs(p->eh->ether_type)); + } + else if (!strcasecmp("udplength", type)) + { + if (p->udph != NULL) + TextLog_Print(log, "%d", ntohs(p->udph->uh_len)); + } + else if (!strcasecmp("ethlen", type)) + { + if (p->eh != NULL) + TextLog_Print(log, "0x%X", p->pkth->pktlen); + } #ifndef NO_NON_ETHER_DECODER - else if(!strncasecmp("trheader", type, 8)) - { - if(p->trh) - LogTrHeader(log, p); - } + else if (!strcasecmp("trheader", type)) + { + if (p->trh != NULL) + LogTrHeader(log, p); + } #endif - else if(!strncasecmp("srcport", type, 7)) - { - if(IPH_IS_VALID(p)) - { - switch(GET_IPH_PROTO(p)) - { - case IPPROTO_UDP: - case IPPROTO_TCP: - TextLog_Print(log, "%d", p->sp); - break; - } - } - } - else if(!strncasecmp("dstport", type, 7)) - { - if(IPH_IS_VALID(p)) - { - switch(GET_IPH_PROTO(p)) - { - case IPPROTO_UDP: - case IPPROTO_TCP: - TextLog_Print(log, "%d", p->dp); - break; - } - } - } - else if(!strncasecmp("src", type, 3)) - { - if(IPH_IS_VALID(p)) - TextLog_Puts(log, inet_ntoa(GET_SRC_ADDR(p))); - } - else if(!strncasecmp("dst", type, 3)) - { - if(IPH_IS_VALID(p)) - TextLog_Puts(log, inet_ntoa(GET_DST_ADDR(p))); - } - else if(!strncasecmp("icmptype",type,8)) - { - if(p->icmph) - { - TextLog_Print(log, "%d",p->icmph->type); - } - } - else if(!strncasecmp("icmpcode",type,8)) - { - if(p->icmph) - { - TextLog_Print(log, "%d",p->icmph->code); - } - } - else if(!strncasecmp("icmpid",type,6)) - { - if(p->icmph) - TextLog_Print(log, "%d",ntohs(p->icmph->s_icmp_id)); - } - else if(!strncasecmp("icmpseq",type,7)) - { - if(p->icmph) - TextLog_Print(log, "%d",ntohs(p->icmph->s_icmp_seq)); - } - else if(!strncasecmp("ttl",type,3)) - { - if(IPH_IS_VALID(p)) - TextLog_Print(log, "%d",GET_IPH_TTL(p)); - } - else if(!strncasecmp("tos",type,3)) - { - if(IPH_IS_VALID(p)) - TextLog_Print(log, "%d",GET_IPH_TOS(p)); - } - else if(!strncasecmp("id",type,2)) - { - 
if(IPH_IS_VALID(p)) - TextLog_Print(log, "%u", IS_IP6(p) ? ntohl(GET_IPH_ID(p)) : ntohs((uint16_t)GET_IPH_ID(p))); - } - else if(!strncasecmp("iplen",type,5)) - { - if(IPH_IS_VALID(p)) - TextLog_Print(log, "%d",GET_IPH_LEN(p) << 2); - } - else if(!strncasecmp("dgmlen",type,6)) - { - if(IPH_IS_VALID(p)) -// XXX might cause a bug when IPv6 is printed? - TextLog_Print(log, "%d",ntohs(GET_IPH_LEN(p))); - } - else if(!strncasecmp("tcpseq",type,6)) - { - if(p->tcph) - TextLog_Print(log, "0x%lX",(u_long) ntohl(p->tcph->th_seq)); - } - else if(!strncasecmp("tcpack",type,6)) - { - if(p->tcph) - TextLog_Print(log, "0x%lX",(u_long) ntohl(p->tcph->th_ack)); - } - else if(!strncasecmp("tcplen",type,6)) - { - if(p->tcph) - TextLog_Print(log, "%d",TCP_OFFSET(p->tcph) << 2); - } - else if(!strncasecmp("tcpwindow",type,9)) - { - if(p->tcph) - TextLog_Print(log, "0x%X",ntohs(p->tcph->th_win)); - } - else if(!strncasecmp("tcpflags",type,8)) - { - if(p->tcph) - { - CreateTCPFlagString(p, tcpFlags); - TextLog_Print(log, "%s", tcpFlags); - } - } + else if (!strcasecmp("srcport", type)) + { + if (IPH_IS_VALID(p)) + { + switch (GET_IPH_PROTO(p)) + { + case IPPROTO_UDP: + case IPPROTO_TCP: + TextLog_Print(log, "%d", p->sp); + break; + default: + break; + } + } + } + else if (!strcasecmp("dstport", type)) + { + if (IPH_IS_VALID(p)) + { + switch (GET_IPH_PROTO(p)) + { + case IPPROTO_UDP: + case IPPROTO_TCP: + TextLog_Print(log, "%d", p->dp); + break; + default: + break; + } + } + } + else if (!strcasecmp("src", type)) + { + if (IPH_IS_VALID(p)) + TextLog_Puts(log, inet_ntoa(GET_SRC_ADDR(p))); + } + else if (!strcasecmp("dst", type)) + { + if (IPH_IS_VALID(p)) + TextLog_Puts(log, inet_ntoa(GET_DST_ADDR(p))); + } + else if (!strcasecmp("icmptype", type)) + { + if (p->icmph != NULL) + TextLog_Print(log, "%d", p->icmph->type); + } + else if (!strcasecmp("icmpcode", type)) + { + if (p->icmph != NULL) + TextLog_Print(log, "%d", p->icmph->code); + } + else if (!strcasecmp("icmpid", type)) + { + if 
(p->icmph != NULL) + TextLog_Print(log, "%d", ntohs(p->icmph->s_icmp_id)); + } + else if (!strcasecmp("icmpseq", type)) + { + if (p->icmph != NULL) + TextLog_Print(log, "%d", ntohs(p->icmph->s_icmp_seq)); + } + else if (!strcasecmp("ttl", type)) + { + if (IPH_IS_VALID(p)) + TextLog_Print(log, "%d", GET_IPH_TTL(p)); + } + else if (!strcasecmp("tos", type)) + { + if (IPH_IS_VALID(p)) + TextLog_Print(log, "%d", GET_IPH_TOS(p)); + } + else if (!strcasecmp("id", type)) + { + if (IPH_IS_VALID(p)) + { + TextLog_Print(log, "%u", IS_IP6(p) ? ntohl(GET_IPH_ID(p)) + : ntohs((uint16_t)GET_IPH_ID(p))); + } + } + else if (!strcasecmp("iplen", type)) + { + if (IPH_IS_VALID(p)) + TextLog_Print(log, "%d", GET_IPH_LEN(p) << 2); + } + else if (!strcasecmp("dgmlen", type)) + { + if (IPH_IS_VALID(p)) + { + // XXX might cause a bug when IPv6 is printed? + TextLog_Print(log, "%d", ntohs(GET_IPH_LEN(p))); + } + } + else if (!strcasecmp("tcpseq", type)) + { + if (p->tcph != NULL) + TextLog_Print(log, "0x%lX", (u_long)ntohl(p->tcph->th_seq)); + } + else if (!strcasecmp("tcpack", type)) + { + if (p->tcph != NULL) + TextLog_Print(log, "0x%lX", (u_long)ntohl(p->tcph->th_ack)); + } + else if (!strcasecmp("tcplen", type)) + { + if (p->tcph != NULL) + TextLog_Print(log, "%d", TCP_OFFSET(p->tcph) << 2); + } + else if (!strcasecmp("tcpwindow", type)) + { + if (p->tcph != NULL) + TextLog_Print(log, "0x%X", ntohs(p->tcph->th_win)); + } + else if (!strcasecmp("tcpflags",type)) + { + if (p->tcph != NULL) + { + CreateTCPFlagString(p, tcpFlags); + TextLog_Print(log, "%s", tcpFlags); + } + } - if (num < numargs - 1) - TextLog_Putc(log, ','); + if (num < numargs - 1) + TextLog_Putc(log, ','); } + TextLog_NewLine(log); TextLog_Flush(log); } diff -Nru snort-2.8.5.2/src/output-plugins/spo_csv.h snort-2.9.2/src/output-plugins/spo_csv.h --- snort-2.8.5.2/src/output-plugins/spo_csv.h 2009-01-26 16:26:23.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_csv.h 2011-02-09 23:23:27.000000000 +0000 
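Review bot: The `msg` branch now discards the return value of `TextLog_Quote(log, msg)`, so when the quoted message does not fit the log buffer the field is silently cut short or dropped and the row no longer has the column layout the configured argument list promises, which misleads anything parsing the CSV downstream. Not terminating Snort on an over-long rule message is the right call, but the condition should stay visible: `if ( !TextLog_Quote(log, msg) ) ErrorMessage("alert_csv: msg too long to quote, field truncated\n");` or emit an empty quoted field so the column count is preserved. Separately, `strcasecmp("tcpflags",type)` is the only comparison in the rewritten chain without a space after the comma; `strcasecmp("tcpflags", type)` matches the rest.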
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** Copyright (C) 2001 Brian Caswell ** diff -Nru snort-2.8.5.2/src/output-plugins/spo_database.c snort-2.9.2/src/output-plugins/spo_database.c --- snort-2.8.5.2/src/output-plugins/spo_database.c 2009-10-02 20:29:59.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_database.c 2011-10-26 18:28:52.000000000 +0000 @@ -22,12 +22,12 @@ /* $Id$ */ /* Snort Database Output Plug-in - * + * * Maintainer: Roman Danyliw , * * Originally written by Jed Pickel (2000-2001) * - * See the doc/README.database file with this distribution + * See the doc/README.database file with this distribution * documentation or the snortdb web site for configuration * information * @@ -36,9 +36,9 @@ /******** Configuration *************************************************/ -/* - * If you want extra debugging information for solving database - * configuration problems, uncomment the following line. +/* + * If you want extra debugging information for solving database + * configuration problems, uncomment the following line. */ /* #define DEBUG */ @@ -55,17 +55,19 @@ #include #include +#include "sf_types.h" +#include "spo_database.h" #include "event.h" #include "decode.h" #include "rules.h" +#include "treenodes.h" #include "plugbase.h" #include "spo_plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" - #include "snort.h" -#include "inline.h" +#include "sfdaq.h" #ifdef ENABLE_POSTGRESQL # include 
@@ -289,31 +291,29 @@ /******** Prototypes **************************************************/ -void DatabaseInit(char *); -DatabaseData *InitDatabaseData(char *args); -void DatabaseInitFinalize(int unused, void *arg); -void ParseDatabaseArgs(DatabaseData *data); -void Database(Packet *, char *, void *, Event *); -char * snort_escape_string(char *, DatabaseData *); -void SpoDatabaseCleanExitFunction(int, void *); -void SpoDatabaseRestartFunction(int, void *); -void InitDatabase(); -int UpdateLastCid(DatabaseData *, int, int); -int GetLastCid(DatabaseData *, int); -int CheckDBVersion(DatabaseData *); -void BeginTransaction(DatabaseData * data); -void CommitTransaction(DatabaseData * data); -void RollbackTransaction(DatabaseData * data); -int Insert(char *, DatabaseData *); -int Select(char *, DatabaseData *); -void Connect(DatabaseData *); -void DatabasePrintUsage(); -void FreeSharedDataList(); +static void DatabaseInit(char *); +static DatabaseData *InitDatabaseData(char *args); +static void DatabaseInitFinalize(int unused, void *arg); +static void ParseDatabaseArgs(DatabaseData *data); +static void Database(Packet *, char *, void *, Event *); +static char * snort_escape_string(const char *, DatabaseData *); +static void SpoDatabaseCleanExitFunction(int, void *); +static void SpoDatabaseRestartFunction(int, void *); +//static void InitDatabase(void); +static int UpdateLastCid(DatabaseData *, int, int); +static int GetLastCid(DatabaseData *, int); +static int CheckDBVersion(DatabaseData *); +static void BeginTransaction(DatabaseData * data); +static void CommitTransaction(DatabaseData * data); +static void RollbackTransaction(DatabaseData * data); +static int Insert(char *, DatabaseData *); +static int Select(char *, DatabaseData *); +static void Connect(DatabaseData *); +static void DatabasePrintUsage(void); +static void FreeSharedDataList(void); /******** Global Variables ********************************************/ -extern SnortConfig *snort_conf; -extern char 
*pcap_interface; extern OptTreeNode *otn_tmp; /* rule node */ extern ListHead *head_tmp; @@ -339,20 +339,20 @@ #define CLEARSTATEMENT() NULL; #endif /* DEBUG || ENABLE_MSSQL_DEBUG*/ - /* Prototype of SQL Server callback functions. - * See actual declaration elsewhere for details. + /* Prototype of SQL Server callback functions. + * See actual declaration elsewhere for details. */ - static int mssql_err_handler(PDBPROCESS dbproc, int severity, int dberr, + static int mssql_err_handler(PDBPROCESS dbproc, int severity, int dberr, int oserr, LPCSTR dberrstr, LPCSTR oserrstr); - static int mssql_msg_handler(PDBPROCESS dbproc, DBINT msgno, int msgstate, - int severity, LPCSTR msgtext, LPCSTR srvname, LPCSTR procname, + static int mssql_msg_handler(PDBPROCESS dbproc, DBINT msgno, int msgstate, + int severity, LPCSTR msgtext, LPCSTR srvname, LPCSTR procname, DBUSMALLINT line); #endif /* ENABLE_MSSQL */ /******************************************************************************* * Function: SetupDatabase() * - * Purpose: Registers the output plugin keyword and initialization + * Purpose: Registers the output plugin keyword and initialization * function into the output plugin list. This is the function that * gets called from InitOutputPlugins() in plugbase.c. * @@ -363,7 +363,7 @@ ******************************************************************************/ void DatabaseSetup(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ RegisterOutputPlugin("database", OUTPUT_TYPE_FLAG__ALERT, DatabaseInit); 
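Review bot: The new prototype list carries a commented-out declaration, `//static void InitDatabase(void);`, which is dead code and should be deleted rather than kept (if the function is gone the line misleads; if it still exists it needs a real prototype). Making the remaining prototypes `static` and changing `snort_escape_string` to take `const char *` are welcome, since that escaper is what stands between the sensor name, BPF filter and rule message strings and the `INSERT`/`SELECT` text built with `SnortSnprintf` later in this file, and it should not be callable from other translation units. The extern declarations continue outside the hunk.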
@@ -381,17 +381,24 @@ * Returns: void function * ******************************************************************************/ -void DatabaseInit(char *args) +static void DatabaseInit(char *args) { DatabaseData *data = NULL; + WarningMessage("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"); + WarningMessage("!! WARNING: The database output plugins are considered deprecated as\n"); + WarningMessage("!! of Snort 2.9.2 and will be removed in Snort 2.9.3.\n"); + WarningMessage("!! The recommended approach to logging is to use unified2 with\n"); + WarningMessage("!! barnyard2 or similar.\n"); + WarningMessage("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"); + /* parse the argument list from the rules file */ data = InitDatabaseData(args); - + data->tz = GetLocalTimezone(); ParseDatabaseArgs(data); - + /* Add the processor function into the function list */ if (strncasecmp(data->facility, "log", 3) == 0) { @@ -401,15 +408,15 @@ { AddFuncToOutputList(Database, OUTPUT_TYPE__ALERT, data); } - + AddFuncToCleanExitList(SpoDatabaseCleanExitFunction, data); - AddFuncToRestartList(SpoDatabaseRestartFunction, data); + AddFuncToRestartList(SpoDatabaseRestartFunction, data); AddFuncToPostConfigList(DatabaseInitFinalize, data); ++instances; } -void DatabaseInitFinalize(int unused, void *arg) +static void DatabaseInitFinalize(int unused, void *arg) { DatabaseData *data = (DatabaseData *)arg; char * select_sensor_id = NULL; @@ -421,6 +428,7 @@ char * escapedInterfaceName = NULL; char * escapedBPFFilter = NULL; int ret, bad_query = 0; + const char* iface = DAQ_GetInterfaceSpec(); if (!data) { 
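Review bot: The six `WarningMessage` lines of the deprecation banner added to `DatabaseInit` are duplicated verbatim in the `@@ -729,6 +726,13 @@` hunk further down; a single `static void PrintDeprecationWarning(void)` holding the banner and called from both places keeps the text in one spot for when the removal notice changes. The banner is also printed before `InitDatabaseData(args)` has validated the arguments, so a misconfigured plugin prints the warning and then the usage plus fatal text; emitting it after `ParseDatabaseArgs(data)` would keep the fatal-error output focused on the configuration mistake.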
@@ -430,7 +438,7 @@ /* find a unique name for sensor if one was not supplied as an option */ if(!data->sensor_name) { - data->sensor_name = GetUniqueName((char *)PRINT_INTERFACE(pcap_interface)); + data->sensor_name = GetUniqueName((char *)PRINT_INTERFACE(iface)); if ( data->sensor_name ) { if( data->sensor_name[strlen(data->sensor_name)-1] == '\n' ) @@ -446,33 +454,22 @@ insert_into_sensor = (char *)SnortAlloc(MAX_QUERY_LENGTH); escapedSensorName = snort_escape_string(data->sensor_name, data); - - if(pcap_interface != NULL) - { - escapedInterfaceName = snort_escape_string(PRINT_INTERFACE(pcap_interface), data); - } - else - { - if(ScInlineMode()) - { - escapedInterfaceName = snort_escape_string("inline", data); - } - } + escapedInterfaceName = snort_escape_string(PRINT_INTERFACE(iface), data); if( data->ignore_bpf == 0 ) { if(snort_conf->bpf_filter == NULL) { - ret = SnortSnprintf(insert_into_sensor, MAX_QUERY_LENGTH, + ret = SnortSnprintf(insert_into_sensor, MAX_QUERY_LENGTH, "INSERT INTO sensor (hostname, interface, detail, encoding, last_cid) " - "VALUES ('%s','%s',%u,%u, 0)", + "VALUES ('%s','%s',%u,%u, 0)", escapedSensorName, escapedInterfaceName, data->detail, data->encoding); if (ret != SNORT_SNPRINTF_SUCCESS) bad_query = 1; - ret = SnortSnprintf(select_sensor_id, MAX_QUERY_LENGTH, + ret = SnortSnprintf(select_sensor_id, MAX_QUERY_LENGTH, "SELECT sid " " FROM sensor " " WHERE hostname = '%s' " @@ -482,7 +479,7 @@ " AND filter IS NULL", escapedSensorName, escapedInterfaceName, data->detail, data->encoding); - + if (ret != SNORT_SNPRINTF_SUCCESS) bad_query = 1; } 
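Review bot: `GetUniqueName((char *)PRINT_INTERFACE(iface))` casts away the `const` of the `const char* iface` obtained from `DAQ_GetInterfaceSpec()` in the previous hunk; if GetUniqueName only reads its argument its parameter should become `const char *`, otherwise the cast hides a write into memory the DAQ layer owns. The `@@ -446,33 +454,22 @@` hunk also drops the inline-mode branch that recorded the literal `"inline"` as the sensor interface, so the `sensor` row's interface column now always carries the DAQ interface spec; that is a visible change in stored content for anyone correlating sensors by interface and deserves a comment such as `/* interface is the DAQ spec in every mode; "inline" is no longer recorded */`. Both hunks sit inside DatabaseInitFinalize, which continues outside them.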
@@ -490,16 +487,16 @@ { escapedBPFFilter = snort_escape_string(snort_conf->bpf_filter, data); - ret = SnortSnprintf(insert_into_sensor, MAX_QUERY_LENGTH, + ret = SnortSnprintf(insert_into_sensor, MAX_QUERY_LENGTH, "INSERT INTO sensor (hostname, interface, filter, detail, encoding, last_cid) " - "VALUES ('%s','%s','%s',%u,%u, 0)", + "VALUES ('%s','%s','%s',%u,%u, 0)", escapedSensorName, escapedInterfaceName, escapedBPFFilter, data->detail, data->encoding); if (ret != SNORT_SNPRINTF_SUCCESS) bad_query = 1; - ret = SnortSnprintf(select_sensor_id, MAX_QUERY_LENGTH, + ret = SnortSnprintf(select_sensor_id, MAX_QUERY_LENGTH, "SELECT sid " " FROM sensor " " WHERE hostname = '%s' " @@ -518,16 +515,16 @@ { if(snort_conf->bpf_filter == NULL) { - ret = SnortSnprintf(insert_into_sensor, MAX_QUERY_LENGTH, + ret = SnortSnprintf(insert_into_sensor, MAX_QUERY_LENGTH, "INSERT INTO sensor (hostname, interface, detail, encoding, last_cid) " - "VALUES ('%s','%s',%u,%u, 0)", + "VALUES ('%s','%s',%u,%u, 0)", escapedSensorName, escapedInterfaceName, data->detail, data->encoding); if (ret != SNORT_SNPRINTF_SUCCESS) bad_query = 1; - ret = SnortSnprintf(select_sensor_id, MAX_QUERY_LENGTH, + ret = SnortSnprintf(select_sensor_id, MAX_QUERY_LENGTH, "SELECT sid " " FROM sensor " " WHERE hostname = '%s' " @@ -544,16 +541,16 @@ { escapedBPFFilter = snort_escape_string(snort_conf->bpf_filter, data); - ret = SnortSnprintf(insert_into_sensor, MAX_QUERY_LENGTH, + ret = SnortSnprintf(insert_into_sensor, MAX_QUERY_LENGTH, "INSERT INTO sensor (hostname, interface, filter, detail, encoding, last_cid) " - "VALUES ('%s','%s','%s',%u,%u, 0)", + "VALUES ('%s','%s','%s',%u,%u, 0)", escapedSensorName, escapedInterfaceName, escapedBPFFilter, data->detail, data->encoding); if (ret != SNORT_SNPRINTF_SUCCESS) bad_query = 1; - ret = SnortSnprintf(select_sensor_id, MAX_QUERY_LENGTH, + ret = SnortSnprintf(select_sensor_id, MAX_QUERY_LENGTH, "SELECT sid " " FROM sensor " " WHERE hostname = '%s' " 
@@ -591,7 +588,7 @@ data->shared->sid = Select(select_sensor_id,data); if(data->shared->sid == 0) { - ErrorMessage("database: Problem obtaining SENSOR ID (sid) from %s->sensor\n", + ErrorMessage("database: Problem obtaining SENSOR ID (sid) from %s->sensor\n", data->shared->dbname); FatalError("%s\n%s\n", FATAL_NO_SENSOR_1, FATAL_NO_SENSOR_2); @@ -602,8 +599,8 @@ * plugin, first we check the shared data list to see if we already * have a value to use, if so, we replace the SharedDatabaseData struct * in the DatabaseData struct with the one out of the sharedDataList. - * Sound confusing enough? - * -Andrew + * Sound confusing enough? + * -Andrew */ /* XXX: Creating a set of list handling functions would make this cleaner */ @@ -622,7 +619,7 @@ } current = current->next; } - + if(foundEntry == 0) { /* Add it the the shared data list */ @@ -643,9 +640,9 @@ current->next = newNode; } - /* Set the cid value + /* Set the cid value * - get the cid value in sensor.last_cid - * - get the MAX(cid) from event + * - get the MAX(cid) from event * - if snort crashed without storing the latest cid, then * the MAX(event.cid) > sensor.last_cid. Update last_cid in this case */ @@ -659,7 +656,7 @@ " FROM event " " WHERE sid = %u", data->shared->sid); - + if (ret != SNORT_SNPRINTF_SUCCESS) FatalError("Database: Unable to construct query - output error or truncation\n"); @@ -672,9 +669,9 @@ if (ret == -1) FatalError("Database: Unable to construct query - output error or truncation\n"); - ErrorMessage("database: inconsistent cid information for sid=%u\n", + ErrorMessage("database: inconsistent cid information for sid=%u\n", data->shared->sid); - ErrorMessage(" Recovering by rolling forward the cid=%u\n", + ErrorMessage(" Recovering by rolling forward the cid=%u\n", event_cid); } @@ -716,7 +713,7 @@ } /* else if ( data->DBschema_version < LATEST_DB_SCHEMA_VERSION ) - { + { ErrorMessage("database: The database is using an older version of the DB schema\n"); } */ 
@@ -729,6 +726,13 @@ database_support_buf[0] = '\0'; database_in_use_buf[0] = '\0'; + WarningMessage("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"); + WarningMessage("!! WARNING: The database output plugins are considered deprecated as\n"); + WarningMessage("!! of Snort 2.9.2 and will be removed in Snort 2.9.3.\n"); + WarningMessage("!! The recommended approach to logging is to use unified2 with\n"); + WarningMessage("!! barnyard2 or similar.\n"); + WarningMessage("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"); + /* These strings will not overflow the buffers */ #ifdef ENABLE_MYSQL snprintf(database_support_buf, sizeof(database_support_buf), @@ -817,7 +821,7 @@ * Returns: Pointer to database structure * ******************************************************************************/ -DatabaseData *InitDatabaseData(char *args) +static DatabaseData *InitDatabaseData(char *args) { DatabaseData *data; @@ -828,7 +832,7 @@ { ErrorMessage("database: you must supply arguments for database plugin\n"); DatabasePrintUsage(); - FatalError(""); + FatalError("\n"); } data->args = SnortStrdup(args); @@ -839,7 +843,7 @@ /******************************************************************************* * Function: ParseDatabaseArgs(char *) * - * Purpose: Process the preprocessor arguements from the rules file and + * Purpose: Process the preprocessor arguements from the rules file and * initialize the preprocessor's data struct. * * Arguments: args => argument list @@ -848,7 +852,7 @@ * ******************************************************************************/ //DatabaseData *ParseDatabaseArgs(char *args) -void ParseDatabaseArgs(DatabaseData *data) +static void ParseDatabaseArgs(DatabaseData *data) { char *dbarg; char *a1; @@ -859,7 +863,7 @@ { ErrorMessage("database: you must supply arguments for database plugin\n"); DatabasePrintUsage(); - FatalError(""); + FatalError("\n"); } data->shared->dbtype_id = DB_UNDEFINED; 
@@ -878,14 +882,14 @@ { ErrorMessage("database: The first argument needs to be the logging facility\n"); DatabasePrintUsage(); - FatalError(""); + FatalError("\n"); } } else { - ErrorMessage("database: Invalid format for first argment\n"); + ErrorMessage("database: Invalid format for first argment\n"); DatabasePrintUsage(); - FatalError(""); + FatalError("\n"); } type = strtok(NULL, ", "); @@ -895,28 +899,28 @@ ErrorMessage("database: you must enter the database type in configuration " "file as the second argument\n"); DatabasePrintUsage(); - FatalError(""); + FatalError("\n"); } #ifdef ENABLE_MYSQL if(!strncasecmp(type,KEYWORD_MYSQL,strlen(KEYWORD_MYSQL))) - data->shared->dbtype_id = DB_MYSQL; + data->shared->dbtype_id = DB_MYSQL; #endif #ifdef ENABLE_POSTGRESQL if(!strncasecmp(type,KEYWORD_POSTGRESQL,strlen(KEYWORD_POSTGRESQL))) - data->shared->dbtype_id = DB_POSTGRESQL; + data->shared->dbtype_id = DB_POSTGRESQL; #endif #ifdef ENABLE_ODBC if(!strncasecmp(type,KEYWORD_ODBC,strlen(KEYWORD_ODBC))) - data->shared->dbtype_id = DB_ODBC; + data->shared->dbtype_id = DB_ODBC; #endif #ifdef ENABLE_ORACLE if(!strncasecmp(type,KEYWORD_ORACLE,strlen(KEYWORD_ORACLE))) - data->shared->dbtype_id = DB_ORACLE; + data->shared->dbtype_id = DB_ORACLE; #endif #ifdef ENABLE_MSSQL if(!strncasecmp(type,KEYWORD_MSSQL,strlen(KEYWORD_MSSQL))) - data->shared->dbtype_id = DB_MSSQL; + data->shared->dbtype_id = DB_MSSQL; #endif if(data->shared->dbtype_id == 0) @@ -1000,7 +1004,7 @@ else { FatalError("database: unknown detail level (%s)", a1); - } + } } if(!strncasecmp(dbarg,KEYWORD_IGNOREBPF,strlen(KEYWORD_IGNOREBPF))) { 
@@ -1021,23 +1025,23 @@ } dbarg = strtok(NULL, "="); - } + } if(data->shared->dbname == NULL) { ErrorMessage("database: must enter database name in configuration file\n\n"); DatabasePrintUsage(); - FatalError(""); + FatalError("\n"); } else if(data->shared->host == NULL) { ErrorMessage("database: must enter host in configuration file\n\n"); DatabasePrintUsage(); - FatalError(""); + FatalError("\n"); } } -void FreeQueryNode(SQLQuery * node) +static void FreeQueryNode(SQLQuery * node) { if(node) { @@ -1049,7 +1053,7 @@ } } -SQLQuery * NewQueryNode(SQLQuery * parent, int query_size) +static SQLQuery * NewQueryNode(SQLQuery * parent, int query_size) { SQLQuery * rval; @@ -1077,20 +1081,20 @@ rval->next = NULL; return rval; -} +} /******************************************************************************* * Function: Database(Packet *, char * msg, void *arg) * * Purpose: Insert data into the database * - * Arguments: p => pointer to the current packet data struct + * Arguments: p => pointer to the current packet data struct * msg => pointer to the signature message * * Returns: void function * ******************************************************************************/ -void Database(Packet *p, char *msg, void *arg, Event *event) +static void Database(Packet *p, char *msg, void *arg, Event *event) { DatabaseData *data = (DatabaseData *)arg; SQLQuery *query = NULL, @@ -1130,7 +1134,7 @@ #ifdef ENABLE_DB_TRANSACTIONS BeginTransaction(data); #endif - + if(msg == NULL) { msg = ""; @@ -1247,8 +1251,8 @@ } #endif - /* Write the signature information - * - Determine the ID # of the signature of this alert + /* Write the signature information + * - Determine the ID # of the signature of this alert */ select0 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); sig_name = snort_escape_string(msg, data); @@ -1256,7 +1260,7 @@ if (event->sig_rev == 0) { ret = SnortSnprintf(sig_rev, sizeof(sig_rev), "IS NULL"); - + if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; } 
@@ -1316,12 +1320,12 @@ * - write the signature * - write the signature's references, classification, priority, id, * revision number - * Note: if a signature (identified with a unique text message, revision #) - * initially is logged to the DB without references/classification, - * but later they are added, this information will _not_ be + * Note: if a signature (identified with a unique text message, revision #) + * initially is logged to the DB without references/classification, + * but later they are added, this information will _not_ be * stored/updated unless the revision number is changed. * This algorithm is used in order to prevent many DB SELECTs to - * verify their presence _every_ time the alert is triggered. + * verify their presence _every_ time the alert is triggered. */ if(sig_id == 0) { @@ -1335,11 +1339,11 @@ /* classification */ if(class_ptr->type) { - /* Get the ID # of this classification */ + /* Get the ID # of this classification */ select1 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); sig_class = snort_escape_string(class_ptr->type, data); - - ret = SnortSnprintf(select1, MAX_QUERY_LENGTH, + + ret = SnortSnprintf(select1, MAX_QUERY_LENGTH, "SELECT sig_class_id " " FROM sig_class " " WHERE sig_class_name = '%s'", @@ -1392,12 +1396,12 @@ if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + ret = SnortSnprintf(insert_values, MAX_QUERY_LENGTH - insert_values_len, "'%s'", sig_name); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + insert_fields_len = strlen(insert_fields); insert_values_len = strlen(insert_values); @@ -1408,16 +1412,16 @@ if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + ret = SnortSnprintf(&insert_values[insert_values_len], MAX_QUERY_LENGTH - insert_values_len, ",%u", class_id); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + insert_fields_len = strlen(insert_fields); insert_values_len = strlen(insert_values); - } + } if ( event->priority > 0 ) { 
@@ -1426,13 +1430,13 @@ if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + ret = SnortSnprintf(&insert_values[insert_values_len], MAX_QUERY_LENGTH - insert_values_len, ",%u", event->priority); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + insert_fields_len = strlen(insert_fields); insert_values_len = strlen(insert_values); } @@ -1450,7 +1454,7 @@ if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + insert_fields_len = strlen(insert_fields); insert_values_len = strlen(insert_values); } @@ -1462,15 +1466,15 @@ if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + ret = SnortSnprintf(&insert_values[insert_values_len], MAX_QUERY_LENGTH - insert_values_len, ",%u", event->sig_id); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + insert_fields_len = strlen(insert_fields); - insert_values_len = strlen(insert_values); + insert_values_len = strlen(insert_values); } if ( event->sig_generator > 0 ) @@ -1480,15 +1484,15 @@ if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + ret = SnortSnprintf(&insert_values[insert_values_len], MAX_QUERY_LENGTH - insert_values_len, ",%u", event->sig_generator); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + insert_fields_len = strlen(insert_fields); - insert_values_len = strlen(insert_values); + insert_values_len = strlen(insert_values); } ret = SnortSnprintf(insert0, MAX_QUERY_LENGTH, @@ -1497,7 +1501,7 @@ if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + Insert(insert0,data); sig_id = Select(select0,data); 
@@ -1524,19 +1528,19 @@ select0 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); insert0 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); ref_system_name = snort_escape_string(refNode->system->name, data); - + /* Note: There is an underlying assumption that the SELECT * will do a case-insensitive comparison. */ - ret = SnortSnprintf(select0, MAX_QUERY_LENGTH, + ret = SnortSnprintf(select0, MAX_QUERY_LENGTH, "SELECT ref_system_id " " FROM reference_system " " WHERE ref_system_name = '%s'", ref_system_name); - + if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + ret = SnortSnprintf(insert0, MAX_QUERY_LENGTH, "INSERT INTO " "reference_system (ref_system_name) " @@ -1545,7 +1549,7 @@ if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + ref_system_id = Select(select0, data); if ( ref_system_id == 0 ) @@ -1572,11 +1576,11 @@ if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + ref_id = Select(select0, data); free(ref_tag); ref_tag = NULL; - + /* If this reference is not in the database, write it */ if ( ref_id == 0 ) { @@ -1635,7 +1639,7 @@ if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + Insert(insert0, data); free(insert0); insert0 = NULL; @@ -1656,7 +1660,7 @@ } free(sig_name); sig_name = NULL; - + if ( (data->shared->dbtype_id == DB_ORACLE) && (data->DBschema_version >= 105) ) { @@ -1694,12 +1698,12 @@ free(timestamp_string); timestamp_string = NULL; - /* We do not log fragments! They are assumed to be handled + /* We do not log fragments! They are assumed to be handled by the fragment reassembly pre-processor */ if(p != NULL) { - if((!p->frag_flag) && (IPH_IS_VALID(p))) + if((!p->frag_flag) && (IPH_IS_VALID(p))) { /* query = NewQueryNode(query, 0); */ if(GET_IPH_PROTO(p) == IPPROTO_ICMP && p->icmph) @@ -1710,7 +1714,7 @@ { if(p->icmph) { - ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, + ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) " "VALUES (%u,%u,%u,%u,%u,%u,%u)", 
@@ -1723,7 +1727,7 @@ } else { - ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, + ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum) " "VALUES (%u,%u,%u,%u,%u)", @@ -1736,7 +1740,7 @@ } else { - ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, + ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "icmphdr (sid, cid, icmp_type, icmp_code) " "VALUES (%u,%u,%u,%u)", @@ -1753,7 +1757,7 @@ /*** Build a query for the TCP Header ***/ if(data->detail) { - ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, + ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "tcphdr (sid, cid, tcp_sport, tcp_dport, " " tcp_seq, tcp_ack, tcp_off, tcp_res, " @@ -1761,13 +1765,13 @@ "VALUES (%u,%u,%u,%u,%lu,%lu,%u,%u,%u,%u,%u,%u)", data->shared->sid, data->shared->cid, - ntohs(p->tcph->th_sport), + ntohs(p->tcph->th_sport), ntohs(p->tcph->th_dport), (u_long)ntohl(p->tcph->th_seq), (u_long)ntohl(p->tcph->th_ack), - TCP_OFFSET(p->tcph), + TCP_OFFSET(p->tcph), TCP_X2(p->tcph), - p->tcph->th_flags, + p->tcph->th_flags, ntohs(p->tcph->th_win), ntohs(p->tcph->th_sum), ntohs(p->tcph->th_urp)); @@ -1777,13 +1781,13 @@ } else { - ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, + ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "tcphdr (sid,cid,tcp_sport,tcp_dport,tcp_flags) " "VALUES (%u,%u,%u,%u,%u)", data->shared->sid, data->shared->cid, - ntohs(p->tcph->th_sport), + ntohs(p->tcph->th_sport), ntohs(p->tcph->th_dport), p->tcph->th_flags); @@ -1799,7 +1803,7 @@ query = NewQueryNode(query, 0); if((data->encoding == ENCODING_HEX) || (data->encoding == ENCODING_ASCII)) { - packet_data = fasthex(p->tcp_options[i].data, p->tcp_options[i].len); + packet_data = fasthex(p->tcp_options[i].data, p->tcp_options[i].len); } else { 
@@ -1811,7 +1815,7 @@ * opt_data data after query, which later in Insert() * will be cut off and uploaded with OCIBindByPos(). */ - ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, + ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) " "VALUES (%u,%u,%u,%u,%u,%u,:1)|%s", @@ -1821,8 +1825,8 @@ 6, p->tcp_options[i].code, p->tcp_options[i].len, - packet_data); - + packet_data); + if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; @@ -1830,7 +1834,7 @@ } else { - ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, + ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) " "VALUES (%u,%u,%u,%u,%u,%u,'%s')", @@ -1840,7 +1844,7 @@ 6, p->tcp_options[i].code, p->tcp_options[i].len, - packet_data); + packet_data); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; @@ -1862,7 +1866,7 @@ "VALUES (%u, %u, %u, %u, %u, %u)", data->shared->sid, data->shared->cid, - ntohs(p->udph->uh_sport), + ntohs(p->udph->uh_sport), ntohs(p->udph->uh_dport), ntohs(p->udph->uh_len), ntohs(p->udph->uh_chk)); @@ -1878,23 +1882,23 @@ "VALUES (%u, %u, %u, %u)", data->shared->sid, data->shared->cid, - ntohs(p->udph->uh_sport), + ntohs(p->udph->uh_sport), ntohs(p->udph->uh_dport)); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; } } - } + } /*** Build the query for the IP Header ***/ - if ( p->iph ) + if ( IPH_IS_VALID(p) && IS_IP4(p) ) { query = NewQueryNode(query, 0); if(data->detail) { - ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, + ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, " " ip_tos, ip_len, ip_id, ip_flags, ip_off," 
@@ -1902,17 +1906,17 @@ "VALUES (%u,%u,%lu,%lu,%u,%u,%u,%u,%u,%u,%u,%u,%u,%u)", data->shared->sid, data->shared->cid, - (u_long)ntohl(p->iph->ip_src.s_addr), - (u_long)ntohl(p->iph->ip_dst.s_addr), + (u_long)ntohl(p->iph->ip_src.s_addr), + (u_long)ntohl(p->iph->ip_dst.s_addr), IP_VER(p->iph), - IP_HLEN(p->iph), + IP_HLEN(p->iph), p->iph->ip_tos, ntohs(p->iph->ip_len), - ntohs(p->iph->ip_id), + ntohs(p->iph->ip_id), p->frag_flag, ntohs(p->frag_offset), - p->iph->ip_ttl, - p->iph->ip_proto, + p->iph->ip_ttl, + GET_IPH_PROTO(p), ntohs(p->iph->ip_csum)); if (ret != SNORT_SNPRINTF_SUCCESS) @@ -1920,7 +1924,7 @@ } else { - ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, + ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "iphdr (sid, cid, ip_src, ip_dst, ip_proto) " "VALUES (%u,%u,%lu,%lu,%u)", @@ -1944,11 +1948,11 @@ query = NewQueryNode(query, 0); if((data->encoding == ENCODING_HEX) || (data->encoding == ENCODING_ASCII)) { - packet_data = fasthex(p->ip_options[i].data, p->ip_options[i].len); + packet_data = fasthex(p->ip_options[i].data, p->ip_options[i].len); } else { - packet_data = base64(p->ip_options[i].data, p->ip_options[i].len); + packet_data = base64(p->ip_options[i].data, p->ip_options[i].len); } if(data->shared->dbtype_id == DB_ORACLE) @@ -2024,8 +2028,8 @@ if(data->shared->dbtype_id == DB_ORACLE) { - /* Oracle field BLOB type case. We append unescaped - * packet_payload data after query, which later in Insert() + /* Oracle field BLOB type case. We append unescaped + * packet_payload data after query, which later in Insert() * will be cut off and uploaded with OCIBindByPos(). */ ret = SnortSnprintf(query->val, (p->dsize * 2) + MAX_QUERY_LENGTH - 3, @@ -2081,7 +2085,7 @@ query = query->next; } } - FreeQueryNode(root); + FreeQueryNode(root); root = NULL; /* Increment the cid*/ @@ -2093,7 +2097,7 @@ CommitTransaction(data); } #endif - + /* An ODBC bugfix */ #ifdef ENABLE_ODBC if(data->shared->cid == 600) 
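Review bot: The new `IPH_IS_VALID(p) && IS_IP4(p)` gate means an event on an IPv6 packet now produces no `iphdr` row at all, and nothing in the hunk records or logs that, so an analyst querying `iphdr` will silently see no addresses for those alerts; add a comment at the gate, e.g. `/* iphdr columns are 32-bit IPv4 only; IPv6 events get no iphdr row */`, and consider a one-time warning when an IPv6 event is skipped. In the same INSERT only `ip_proto` was moved to `GET_IPH_PROTO(p)` while `ip_src`, `ip_dst`, `IP_VER(p->iph)`, `ip_tos`, `ip_len`, `ip_id`, `ip_ttl` and `ip_csum` still dereference `p->iph` directly; if `IS_IP4(p)` is what guarantees `p->iph` is populated (I cannot confirm that from the hunk), say so in the comment, otherwise convert the remaining fields to the accessor family as well. The enclosing function starts and ends outside this hunk.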
@@ -2126,21 +2130,21 @@ return; } -/* Some of the code in this function is from the +/* Some of the code in this function is from the mysql_real_escape_string() function distributed with mysql. Those portions of this function remain Copyright (C) 2000 MySQL AB & MySQL Finland AB & TCX DataKonsult AB We needed a more general case that was not MySQL specific so there - were small modifications made to the mysql_real_escape_string() + were small modifications made to the mysql_real_escape_string() function. */ -char * snort_escape_string(char * from, DatabaseData * data) +static char * snort_escape_string(const char * from, DatabaseData * data) { char * to; char * to_start; - char * end; + const char* end; int from_length; from_length = (int)strlen(from); @@ -2176,7 +2180,7 @@ { switch(*from) { - case '\'': /* ' --> '' */ + case '\'': /* ' --> '' */ *to++= '\''; *to++= '\''; break; @@ -2249,11 +2253,11 @@ } else { - *to++= *from; + *to++= *from; } break; default: /* copy character directly */ - *to++= *from; + *to++= *from; } } } @@ -2264,7 +2268,7 @@ { switch(*from) { - case '\'': /* ' --> '' */ + case '\'': /* ' --> '' */ *to++= '\''; *to++= '\''; break; @@ -2280,16 +2284,16 @@ /******************************************************************************* * Function: UpdateLastCid(DatabaseData * data, int sid, int cid) * - * Purpose: Sets the last cid used for a given a sensor ID (sid), + * Purpose: Sets the last cid used for a given a sensor ID (sid), * * Arguments: data : database information * sid : sensor ID - * cid : event ID + * cid : event ID * * Returns: status of the update * ******************************************************************************/ -int UpdateLastCid(DatabaseData *data, int sid, int cid) +static int UpdateLastCid(DatabaseData *data, int sid, int cid) { char *insert0; int ret; 
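Review bot: `snort_escape_string()` is the only barrier between rule/reference text and the SQL built with `'%s'` elsewhere in this file, yet the new `static`/`const` signature carries no contract comment; the callers earlier in the diff `free()` the result, so it appears to return a heap copy, and I would state that: `/* Returns a newly allocated copy of `from` safe for use inside a single-quoted SQL literal for data->shared->dbtype_id; caller frees. from must not be NULL (strlen). */`. A caveat worth recording next to the "derived from mysql_real_escape_string()" note is that this loop escapes byte by byte without knowledge of the connection character set, which the real `mysql_real_escape_string()`/`PQescapeStringConn()` have; for MySQL and PostgreSQL it would be safer to call those against the live connection and keep this routine for the back ends that lack one. The function body continues outside the hunk.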
@@ -2315,7 +2319,7 @@ /******************************************************************************* * Function: GetLastCid(DatabaseData * data, int sid) * - * Purpose: Returns the last cid used for a given a sensor ID (sid), + * Purpose: Returns the last cid used for a given a sensor ID (sid), * * Arguments: data : database information * sid : sensor ID @@ -2323,7 +2327,7 @@ * Returns: last cid for a given sensor ID (sid) * ******************************************************************************/ -int GetLastCid(DatabaseData *data, int sid) +static int GetLastCid(DatabaseData *data, int sid) { char *select0; int tmp_cid, ret; @@ -2342,7 +2346,7 @@ tmp_cid = Select(select0,data); free(select0); select0 = NULL; - + return tmp_cid; } @@ -2356,7 +2360,7 @@ * Returns: version number of the schema * ******************************************************************************/ -int CheckDBVersion(DatabaseData * data) +static int CheckDBVersion(DatabaseData * data) { char *select0; int schema_version; @@ -2422,9 +2426,9 @@ * Function: BeginTransaction(DatabaseData * data) * * Purpose: Database independent SQL to start a transaction - * + * ******************************************************************************/ -void BeginTransaction(DatabaseData * data) +static void BeginTransaction(DatabaseData * data) { #ifdef ENABLE_ODBC if ( data->shared->dbtype_id == DB_ODBC ) @@ -2456,9 +2460,9 @@ * Function: CommitTransaction(DatabaseData * data) * * Purpose: Database independent SQL to commit a transaction - * + * ******************************************************************************/ -void CommitTransaction(DatabaseData * data) +static void CommitTransaction(DatabaseData * data) { #ifdef ENABLE_ODBC if ( data->shared->dbtype_id == DB_ODBC ) 
@@ -2511,9 +2515,9 @@ * Function: RollbackTransaction(DatabaseData * data) * * Purpose: Database independent SQL to rollback a transaction - * + * ******************************************************************************/ -void RollbackTransaction(DatabaseData * data) +static void RollbackTransaction(DatabaseData * data) { #ifdef ENABLE_ODBC if ( data->shared->dbtype_id == DB_ODBC ) @@ -2566,13 +2570,13 @@ * Function: Insert(char * query, DatabaseData * data) * * Purpose: Database independent function for SQL inserts - * + * * Arguments: query (An SQL insert) * * Returns: 1 if successful, 0 if fail * ******************************************************************************/ -int Insert(char * query, DatabaseData * data) +static int Insert(char * query, DatabaseData * data) { int result = 0; @@ -2591,7 +2595,7 @@ ErrorMessage("database: postgresql_error: %s\n", PQerrorMessage(data->p_connection)); } - } + } PQclear(data->p_result); } #endif @@ -2608,7 +2612,7 @@ { if(mysql_errno(data->m_sock)) { - ErrorMessage("database: mysql_error: %s\nSQL=%s\n", + ErrorMessage("database: mysql_error: %s\nSQL=%s\n", mysql_error(data->m_sock), query); } @@ -2663,7 +2667,7 @@ { char *blob = NULL; - /* If BLOB type - split query to actual SQL and blob to BLOB data */ + /* If BLOB type - split query to actual SQL and blob to BLOB data */ if(strncasecmp(query,"INSERT INTO data",16)==0 || strncasecmp(query,"INSERT INTO opt",15)==0) { if((blob=strchr(query,'|')) != NULL) @@ -2720,7 +2724,7 @@ , OCI_HTYPE_ERROR); ErrorMessage("database: oracle_error: %s\n", data->o_errormsg); ErrorMessage(" : query: %s\n", query); - } + } } #endif @@ -2743,7 +2747,7 @@ } #endif -#ifdef DEBUG +#ifdef DEBUG_MSGS if(result) { DEBUG_WRAP(DebugMessage(DEBUG_LOG,"database(debug): (%s) executed\n", query);); 
@@ -2760,15 +2764,15 @@ /******************************************************************************* * Function: Select(char * query, DatabaeData * data) * - * Purpose: Database independent function for SQL selects that + * Purpose: Database independent function for SQL selects that * return a non zero int - * + * * Arguments: query (An SQL insert) * * Returns: result of query if successful, 0 if fail * ******************************************************************************/ -int Select(char * query, DatabaseData * data) +static int Select(char * query, DatabaseData * data) { int result = 0; @@ -2789,7 +2793,7 @@ else { result = atoi(PQgetvalue(data->p_result,0,0)); - } + } } } if(!result) @@ -2951,7 +2955,7 @@ } #endif -#ifdef DEBUG +#ifdef DEBUG_MSGS if(result) { DEBUG_WRAP(DebugMessage(DEBUG_LOG,"database(debug): (%s) returned %u\n", query, result);); @@ -2969,11 +2973,11 @@ /******************************************************************************* * Function: Connect(DatabaseData * data) * - * Purpose: Database independent function to initiate a database + * Purpose: Database independent function to initiate a database * connection * ******************************************************************************/ -void Connect(DatabaseData * data) +static void Connect(DatabaseData * data) { #ifdef ENABLE_POSTGRESQL if( data->shared->dbtype_id == DB_POSTGRESQL ) 
@@ -3124,39 +3128,39 @@ if(data->shared->dbtype_id == DB_ORACLE) { - if (!getenv("ORACLE_HOME")) + if (!getenv("ORACLE_HOME")) { ErrorMessage("database : ORACLE_HOME environment variable not set\n"); } - - if (!data->user || !data->password || !data->shared->dbname) - { + + if (!data->user || !data->password || !data->shared->dbname) + { ErrorMessage("database: user, password and dbname required for Oracle\n"); ErrorMessage("database: dbname must also be in tnsnames.ora\n"); } - if (data->shared->host) + if (data->shared->host) { ErrorMessage("database: hostname not required for Oracle, use dbname\n"); ErrorMessage("database: dbname must be in tnsnames.ora\n"); } - if (OCIInitialize(OCI_DEFAULT, NULL, NULL, NULL, NULL)) + if (OCIInitialize(OCI_DEFAULT, NULL, NULL, NULL, NULL)) PRINT_ORACLE_ERR("OCIInitialize"); - - if (OCIEnvInit(&data->o_environment, OCI_DEFAULT, 0, NULL)) + + if (OCIEnvInit(&data->o_environment, OCI_DEFAULT, 0, NULL)) PRINT_ORACLE_ERR("OCIEnvInit"); - - if (OCIEnvInit(&data->o_environment, OCI_DEFAULT, 0, NULL)) + + if (OCIEnvInit(&data->o_environment, OCI_DEFAULT, 0, NULL)) PRINT_ORACLE_ERR("OCIEnvInit (2)"); - + if (OCIHandleAlloc(data->o_environment, (dvoid **)&data->o_error, OCI_HTYPE_ERROR, (size_t) 0, NULL)) PRINT_ORACLE_ERR("OCIHandleAlloc"); if (OCILogon(data->o_environment, data->o_error, &data->o_servicecontext, - data->user, strlen(data->user), data->password, strlen(data->password), - data->shared->dbname, strlen(data->shared->dbname))) - { + data->user, strlen(data->user), data->password, strlen(data->password), + data->shared->dbname, strlen(data->shared->dbname))) + { OCIErrorGet(data->o_error, 1, NULL, &data->o_errorcode, data->o_errormsg, sizeof(data->o_errormsg), OCI_HTYPE_ERROR); ErrorMessage("database: oracle_error: %s\n", data->o_errormsg); ErrorMessage("database: Checklist: check database is listed in tnsnames.ora\n"); 
@@ -3164,7 +3168,7 @@ ErrorMessage("database: check database accessible with sqlplus\n"); FatalError("database: OCILogon : Connection to database '%s' failed\n", data->shared->dbname); } - + if (OCIHandleAlloc(data->o_environment, (dvoid **)&data->o_statement, OCI_HTYPE_STMT, 0, NULL)) PRINT_ORACLE_ERR("OCIHandleAlloc (2)"); } @@ -3188,7 +3192,7 @@ DBSETLUSER (data->ms_login, data->user); DBSETLPWD (data->ms_login, data->password); DBSETLAPP (data->ms_login, "snort"); - + data->ms_dbproc = dbopen(data->ms_login, data->shared->host); if( data->ms_dbproc == NULL ) { @@ -3217,11 +3221,18 @@ * Purpose: Database independent function to close a connection * ******************************************************************************/ -void Disconnect(DatabaseData * data) +static void Disconnect(DatabaseData * data) { - LogMessage("database: Closing connection to database \"%s\"\n", + LogMessage("database: Closing connection to database \"%s\"\n", data->shared->dbname); + WarningMessage("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"); + WarningMessage("!! WARNING: The database output plugins are considered deprecated as\n"); + WarningMessage("!! of Snort 2.9.2 and will be removed in Snort 2.9.3.\n"); + WarningMessage("!! The recommended approach to logging is to use unified2 with\n"); + WarningMessage("!! barnyard2 or similar.\n"); + WarningMessage("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"); + if(data) { #ifdef ENABLE_POSTGRESQL @@ -3249,8 +3260,8 @@ { if(data->u_handle) { - SQLDisconnect(data->u_connection); - SQLFreeHandle(SQL_HANDLE_ENV, data->u_handle); + SQLDisconnect(data->u_connection); + SQLFreeHandle(SQL_HANDLE_ENV, data->u_handle); } } #endif @@ -3289,7 +3300,7 @@ } } -void DatabasePrintUsage(void) +static void DatabasePrintUsage(void) { puts("\nUSAGE: database plugin\n"); 
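Review bot: The deprecation banner is emitted only from `Disconnect()`, so an operator running with a database output sees it at shutdown or restart rather than when the configuration is parsed, which is when they could still act on it; emit it (or a one-line version) from the plugin's init/parse path as well, so it lands in the startup log. Separately, the `LogMessage("database: Closing connection to database \"%s\"\n", data->shared->dbname)` immediately above the new lines dereferences `data` before the `if(data)` guard that follows them, so either the guard is dead or the log line can crash; move the LogMessage inside the guard, e.g. `if (data) { LogMessage(...); ... }`, or drop the guard if `data` is never NULL here. The rest of `Disconnect()` runs past the hunk.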
@@ -3304,15 +3315,15 @@ puts(" The parameter list consists of key value pairs. The proper"); puts(" format is a list of key=value pairs each separated a space.\n"); - puts(" The only parameter that is absolutely necessary is \"dbname\"."); + puts(" The only parameter that is absolutely necessary is \"dbname\"."); puts(" All other parameters are optional but may be necessary"); puts(" depending on how you have configured your RDBMS.\n"); - puts(" dbname - the name of the database you are connecting to\n"); + puts(" dbname - the name of the database you are connecting to\n"); puts(" host - the host the RDBMS is on\n"); - puts(" port - the port number the RDBMS is listening on\n"); + puts(" port - the port number the RDBMS is listening on\n"); puts(" user - connect to the database as this user\n"); @@ -3337,16 +3348,16 @@ puts(" output database: log, mysql, dbname=snort user=snortusr host=localhost\n"); } -void SpoDatabaseCleanExitFunction(int signal, void *arg) +static void SpoDatabaseCleanExitFunction(int signal, void *arg) { DatabaseData *data = (DatabaseData *)arg; DEBUG_WRAP(DebugMessage(DEBUG_LOG,"database(debug): entered SpoDatabaseCleanExitFunction\n");); - if(data != NULL) + if(data != NULL) { UpdateLastCid(data, data->shared->sid, data->shared->cid-1); - Disconnect(data); + Disconnect(data); free(data->args); free(data); data = NULL; @@ -3358,13 +3369,13 @@ } } -void SpoDatabaseRestartFunction(int signal, void *arg) +static void SpoDatabaseRestartFunction(int signal, void *arg) { DatabaseData *data = (DatabaseData *)arg; DEBUG_WRAP(DebugMessage(DEBUG_LOG,"database(debug): entered SpoDatabaseRestartFunction\n");); - if(data != NULL) + if(data != NULL) { UpdateLastCid(data, data->shared->sid, data->shared->cid-1); Disconnect(data); 
@@ -3379,12 +3390,12 @@ } } -void FreeSharedDataList(void) +static void FreeSharedDataList(void) { SharedDatabaseDataNode *current; while(sharedDataList != NULL) - { + { current = sharedDataList; free(current->data); current->data = NULL; @@ -3401,7 +3412,7 @@ * This should only occur whenever an error has occurred, or when the connection switches to * a different database within the server. */ -static int mssql_err_handler(PDBPROCESS dbproc, int severity, int dberr, int oserr, +static int mssql_err_handler(PDBPROCESS dbproc, int severity, int dberr, int oserr, LPCSTR dberrstr, LPCSTR oserrstr) { int retval; @@ -3423,7 +3434,7 @@ } -static int mssql_msg_handler(PDBPROCESS dbproc, DBINT msgno, int msgstate, int severity, +static int mssql_msg_handler(PDBPROCESS dbproc, DBINT msgno, int msgstate, int severity, LPCSTR msgtext, LPCSTR srvname, LPCSTR procname, DBUSMALLINT line) { ErrorMessage("database: SQL Server message %ld, state %d, severity %d: \n\t%s\n", @@ -3432,7 +3443,7 @@ ErrorMessage("Server '%s', ", srvname); if ( (procname!=NULL) && strlen(procname)!=0 ) ErrorMessage("Procedure '%s', ", procname); - if (line !=0) + if (line !=0) ErrorMessage("Line %d", line); ErrorMessage("\n"); #ifdef ENABLE_MSSQL_DEBUG diff -Nru snort-2.8.5.2/src/output-plugins/spo_log_ascii.c snort-2.9.2/src/output-plugins/spo_log_ascii.c --- snort-2.8.5.2/src/output-plugins/spo_log_ascii.c 2009-05-06 22:29:14.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_log_ascii.c 2011-06-08 00:33:16.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** (C) 2002 Sourcefire, Inc. ** @@ -24,13 +24,13 @@ /* $Id$ */ /* spo_log_ascii - * + * * Purpose: * * This output module provides the default packet logging funtionality * * Arguments: - * + * * None. * * Effect: 
@@ -59,10 +59,11 @@ #include #endif /* ! WIN32 */ +#include "spo_log_ascii.h" #include "plugbase.h" #include "spo_plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "decode.h" #include "event.h" #include "log.h" @@ -74,11 +75,11 @@ extern OptTreeNode *otn_tmp; /* internal functions */ -void LogAsciiInit(char *args); -void LogAscii(Packet *p, char *msg, void *arg, Event *event); -void LogAsciiCleanExit(int signal, void *arg); -void LogAsciiRestart(int signal, void *arg); -char *IcmpFileName(Packet * p); +static void LogAsciiInit(char *args); +static void LogAscii(Packet *p, char *msg, void *arg, Event *event); +static void LogAsciiCleanExit(int signal, void *arg); +static void LogAsciiRestart(int signal, void *arg); +static char *IcmpFileName(Packet * p); static FILE *OpenLogFile(int mode, Packet * p); @@ -90,14 +91,14 @@ void LogAsciiSetup(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ RegisterOutputPlugin("log_ascii", OUTPUT_TYPE_FLAG__LOG, LogAsciiInit); DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Output: LogAscii is setup\n");); } -void LogAsciiInit(char *args) +static void LogAsciiInit(char *args) { DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Output: Ascii logging initialized\n");); @@ -107,12 +108,12 @@ AddFuncToRestartList(LogAsciiRestart, NULL); } -void LogAscii(Packet *p, char *msg, void *arg, Event *event) +static void LogAscii(Packet *p, char *msg, void *arg, Event *event) { FILE *log_ptr = NULL; DEBUG_WRAP(DebugMessage(DEBUG_LOG, "LogPkt started\n");); if(p) - { + { if(IPH_IS_VALID(p)) log_ptr = OpenLogFile(0, p); #ifndef NO_NON_ETHER_DECODER 
@@ -127,14 +128,14 @@ if(!log_ptr) FatalError("Unable to open packet log file\n"); - + if(msg) { fwrite("[**] ", 5, 1, log_ptr); /* * Protect against potential log injection, - * check for delimiters and newlines in msg + * check for delimiters and newlines in msg */ if( !strstr(msg,"[**]") && !strchr(msg,'\n') ) { @@ -156,12 +157,12 @@ } -void LogAsciiCleanExit(int signal, void *arg) +static void LogAsciiCleanExit(int signal, void *arg) { return; } -void LogAsciiRestart(int signal, void *arg) +static void LogAsciiRestart(int signal, void *arg) { return; } @@ -180,7 +181,7 @@ * * Returns: FILE pointer on success, else NULL */ -FILE *OpenLogFile(int mode, Packet * p) +static FILE *OpenLogFile(int mode, Packet * p) { char log_path[STD_BUF]; /* path to log file */ char log_file[STD_BUF]; /* name of log file */ @@ -226,7 +227,7 @@ log_ptr = fopen(log_file, "a"); if (!log_ptr) { - FatalError("OpenLogFile() => fopen(%s) log file: %s\n", + FatalError("OpenLogFile() => fopen(%s) log file: %s\n", log_file, strerror(errno)); } return log_ptr; @@ -245,19 +246,19 @@ if((p->iph->ip_src.s_addr & snort_conf->netmask) != snort_conf->homenet) #endif { - SnortSnprintf(log_path, STD_BUF, "%s/%s", snort_conf->log_dir, + SnortSnprintf(log_path, STD_BUF, "%s/%s", snort_conf->log_dir, inet_ntoa(GET_SRC_ADDR(p))); } else { if(p->sp >= p->dp) { - SnortSnprintf(log_path, STD_BUF, "%s/%s", snort_conf->log_dir, + SnortSnprintf(log_path, STD_BUF, "%s/%s", snort_conf->log_dir, inet_ntoa(GET_SRC_ADDR(p))); } else { - SnortSnprintf(log_path, STD_BUF, "%s/%s", snort_conf->log_dir, + SnortSnprintf(log_path, STD_BUF, "%s/%s", snort_conf->log_dir, inet_ntoa(GET_DST_ADDR(p))); } } 
@@ -271,19 +272,19 @@ if((p->iph->ip_src.s_addr & snort_conf->netmask) == snort_conf->homenet) #endif { - SnortSnprintf(log_path, STD_BUF, "%s/%s", snort_conf->log_dir, + SnortSnprintf(log_path, STD_BUF, "%s/%s", snort_conf->log_dir, inet_ntoa(GET_DST_ADDR(p))); } else { if(p->sp >= p->dp) { - SnortSnprintf(log_path, STD_BUF, "%s/%s", snort_conf->log_dir, + SnortSnprintf(log_path, STD_BUF, "%s/%s", snort_conf->log_dir, inet_ntoa(GET_SRC_ADDR(p))); } else { - SnortSnprintf(log_path, STD_BUF, "%s/%s", snort_conf->log_dir, + SnortSnprintf(log_path, STD_BUF, "%s/%s", snort_conf->log_dir, inet_ntoa(GET_DST_ADDR(p))); } } @@ -344,7 +345,7 @@ } else { - if(GET_IPH_PROTO(p) == IPPROTO_ICMP) + if (GET_IPH_PROTO(p) == IPPROTO_ICMP) { SnortSnprintf(log_file, STD_BUF, "%s/%s_%s%s", log_path, "ICMP", IcmpFileName(p), suffix); @@ -384,7 +385,7 @@ * Returns: the name of the file to set * ***************************************************************************/ -char *IcmpFileName(Packet * p) +static char *IcmpFileName(Packet * p) { if(p->icmph == NULL) { diff -Nru snort-2.8.5.2/src/output-plugins/spo_log_ascii.h snort-2.9.2/src/output-plugins/spo_log_ascii.h --- snort-2.8.5.2/src/output-plugins/spo_log_ascii.h 2009-05-06 22:29:14.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_log_ascii.h 2011-02-09 23:23:27.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** ** Author(s): Andrew R. Baker ** diff -Nru snort-2.8.5.2/src/output-plugins/spo_log_null.c snort-2.9.2/src/output-plugins/spo_log_null.c --- snort-2.8.5.2/src/output-plugins/spo_log_null.c 2009-05-06 22:29:14.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_log_null.c 2011-06-08 00:33:16.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify 
@@ -20,15 +20,15 @@ /* $Id$ */ /* spo_log_null - * + * * Purpose: * - * This module is a NULL placeholder for people that want to turn off + * This module is a NULL placeholder for people that want to turn off * logging for whatever reason. Please note that logging is separate from * alerting, they are completely separate output facilities within Snort. * * Arguments: - * + * * None. * * Effect: @@ -41,24 +41,29 @@ #include +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "spo_log_null.h" #include "decode.h" #include "event.h" #include "plugbase.h" #include "spo_plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "snort.h" /* list of function prototypes for this output plugin */ -void LogNullInit(char *); -void LogNull(Packet *, char *, void *, Event *); -void LogNullCleanExitFunc(int, void *); -void LogNullRestartFunc(int, void *); +static void LogNullInit(char *); +static void LogNull(Packet *, char *, void *, Event *); +static void LogNullCleanExitFunc(int, void *); +static void LogNullRestartFunc(int, void *); void LogNullSetup(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ RegisterOutputPlugin("log_null", OUTPUT_TYPE_FLAG__LOG, LogNullInit); @@ -66,7 +71,7 @@ } -void LogNullInit(char *args) +static void LogNullInit(char *args) { DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Output: LogNull Initialized\n");); 
@@ -78,18 +83,18 @@ -void LogNull(Packet *p, char *msg, void *arg, Event *event) +static void LogNull(Packet *p, char *msg, void *arg, Event *event) { return; } -void LogNullCleanExitFunc(int signal, void *arg) +static void LogNullCleanExitFunc(int signal, void *arg) { return; } -void LogNullRestartFunc(int signal, void *arg) +static void LogNullRestartFunc(int signal, void *arg) { return; } diff -Nru snort-2.8.5.2/src/output-plugins/spo_log_null.h snort-2.9.2/src/output-plugins/spo_log_null.h --- snort-2.8.5.2/src/output-plugins/spo_log_null.h 2009-05-06 22:29:14.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_log_null.h 2011-02-09 23:23:27.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.8.5.2/src/output-plugins/spo_log_tcpdump.c snort-2.9.2/src/output-plugins/spo_log_tcpdump.c --- snort-2.8.5.2/src/output-plugins/spo_log_tcpdump.c 2009-05-06 22:29:15.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_log_tcpdump.c 2011-06-08 00:33:16.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify @@ -20,14 +20,14 @@ /* $Id$ */ -/* spo_log_tcpdump - * +/* spo_log_tcpdump + * * Purpose: * * This plugin generates tcpdump formatted binary log files * * Arguments: - * + * * filename of the output log (default: snort.log) * * Effect: 
@@ -50,24 +50,25 @@ #endif #include -#include #include #include #include #include #include #include +#include +#include "spo_log_tcpdump.h" #include "decode.h" #include "event.h" #include "mstring.h" #include "plugbase.h" #include "spo_plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" - #include "snort.h" +#include "sfbpf_dlt.h" /* For the traversal of reassembled packets */ #include "stream_api.h" @@ -109,17 +110,15 @@ static void SpoLogTcpdumpRestartFunc(int, void *); static void LogTcpdumpSingle(Packet *, char *, void *, Event *); static void LogTcpdumpStream(Packet *, char *, void *, Event *); - -/* external globals from rules.c */ -extern pcap_t *pcap_handle; +//static void DirectLogTcpdump(DAQ_PktHdr_t *, uint8_t *); /* If you need to instantiate the plugin's data structure, do it here */ -LogTcpdumpData *log_tcpdump_ptr; +static LogTcpdumpData *log_tcpdump_ptr; /* * Function: SetupLogTcpdump() * - * Purpose: Registers the output plugin keyword and initialization + * Purpose: Registers the output plugin keyword and initialization * function into the output plugin list. This is the function that * gets called from InitOutputPlugins() in plugbase.c. * @@ -130,7 +129,7 @@ */ void LogTcpdumpSetup(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ RegisterOutputPlugin("log_tcpdump", OUTPUT_TYPE_FLAG__LOG, LogTcpdumpInit); @@ -236,6 +235,11 @@ } mSplitFree(&toks, num_toks); if ( !data->filename ) data->filename = SnortStrdup(DEFAULT_FILE); + if (ScPcapLogFile() != NULL) + { + free(data->filename); + data->filename = SnortStrdup(ScPcapLogFile()); + } DEBUG_WRAP(DebugMessage( DEBUG_INIT, "log_tcpdump: '%s' %ld\n", data->filename, data->limit 
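Review bot: In the `@@ -236` hunk a configured `output log_tcpdump: filename` is replaced by `ScPcapLogFile()` with no message, so whenever that option is set (presumably the command-line pcap log file, not visible here) the config value is silently ignored and the operator may be watching the wrong file; log the override, e.g. `LogMessage("log_tcpdump: filename overridden by command line: %s\n", data->filename);` after the `SnortStrdup`. The parsing function begins outside the hunk.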
@@ -251,7 +255,7 @@ * as you like. Try not to destroy the performance of the whole * system by trying to do too much.... * - * Arguments: p => pointer to the current packet data struct + * Arguments: p => pointer to the current packet data struct * * Returns: void function */ @@ -271,12 +275,12 @@ } } -static INLINE size_t SizeOf (const struct pcap_pkthdr *pkth) +static inline size_t SizeOf (const DAQ_PktHdr_t *pkth) { return PCAP_PKT_HDR_SZ + pkth->caplen; } -static int SizeOfCallback(struct pcap_pkthdr *pkth, +static int SizeOfCallback(DAQ_PktHdr_t *pkth, uint8_t *packet_data, void *userdata) { size_t* pSize = (size_t*)userdata; @@ -293,11 +297,11 @@ if ( data->size + dumpSize > data->limit ) TcpdumpRollLogFile(data); - pcap_dump((u_char *)data->dumpd,p->pkth,p->pkt); + pcap_dump((u_char *)data->dumpd,(struct pcap_pkthdr*)p->pkth,p->pkt); data->size += dumpSize; if (!ScLineBufferedLogging()) - { + { #ifdef WIN32 fflush( NULL ); /* flush all open output streams */ #else @@ -307,14 +311,14 @@ } } -static int LogTcpdumpStreamCallback(struct pcap_pkthdr *pkth, +static int LogTcpdumpStreamCallback(DAQ_PktHdr_t *pkth, uint8_t *packet_data, void *userdata) { LogTcpdumpData *data = (LogTcpdumpData *)userdata; - pcap_dump((u_char *)data->dumpd, - pkth, - (u_char *) packet_data); + pcap_dump((u_char*)data->dumpd, + (struct pcap_pkthdr*)pkth, + (u_char*)packet_data); return 0; } @@ -336,7 +340,7 @@ data->size += dumpSize; if (!ScLineBufferedLogging()) - { + { #ifdef WIN32 fflush( NULL ); /* flush all open output streams */ #else @@ -356,7 +360,7 @@ * * Purpose: Initialize the tcpdump log file header * - * Arguments: data => pointer to the plugin's reference data struct + * Arguments: data => pointer to the plugin's reference data struct * * Returns: void function */ 
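Review bot: `pcap_dump((u_char *)data->dumpd,(struct pcap_pkthdr*)p->pkth,p->pkt)` (and the same cast in `LogTcpdumpStreamCallback`) assumes `DAQ_PktHdr_t` is prefix-layout-compatible with `struct pcap_pkthdr` (timestamp, caplen, len in that order), but nothing in the hunk checks or documents that; if the DAQ header ever changes, the on-disk pcap gets wrong lengths with no compile-time signal, and the cast is also not strict-aliasing clean. The cheap fix is to fill a local `struct pcap_pkthdr` from the DAQ header's timestamp and length fields and pass its address, which costs a few copies per logged packet; if the cast is kept, at least add `/* DAQ_PktHdr_t must remain prefix-compatible with struct pcap_pkthdr (ts, caplen, len) for this cast */` at both sites. The enclosing functions extend outside the hunk.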
@@ -370,16 +374,16 @@ if(data->filename[0] == '/') value = SnortSnprintf(data->logdir, STD_BUF, "%s", data->filename); else - value = SnortSnprintf(data->logdir, STD_BUF, "%s/%s", snort_conf->log_dir, + value = SnortSnprintf(data->logdir, STD_BUF, "%s/%s", snort_conf->log_dir, data->filename); } - else + else { if(data->filename[0] == '/') - value = SnortSnprintf(data->logdir, STD_BUF, "%s.%lu", data->filename, + value = SnortSnprintf(data->logdir, STD_BUF, "%s.%u", data->filename, (uint32_t)data->lastTime); else - value = SnortSnprintf(data->logdir, STD_BUF, "%s/%s.%lu", snort_conf->log_dir, + value = SnortSnprintf(data->logdir, STD_BUF, "%s/%s.%u", snort_conf->log_dir, data->filename, (uint32_t)data->lastTime); } @@ -390,12 +394,23 @@ if (!ScTestMode()) { - data->dumpd = pcap_dump_open(pcap_handle, data->logdir); + pcap_t* pcap; + int dlt = DAQ_GetBaseProtocol(); + + // convert these flavors of raw to the generic + // for compatibility with libpcap 1.0.0 + if ( dlt == DLT_IPV4 || dlt == DLT_IPV6 ) + dlt = DLT_RAW; + + pcap = pcap_open_dead(dlt, DAQ_GetSnapLen()); + data->dumpd = pcap ? pcap_dump_open(pcap, data->logdir) : NULL; + if(data->dumpd == NULL) { FatalError("log_tcpdump: Failed to open log file \"%s\": %s\n", data->logdir, strerror(errno)); } + pcap_close(pcap); } data->size = PCAP_FILE_HDR_SZ; @@ -446,9 +461,9 @@ data->dumpd = NULL; } - /* + /* * if we haven't written any data, dump the output file so there aren't - * fragments all over the disk + * fragments all over the disk */ if(!ScTestMode() && *data->logdir && (pc.alert_pkts == 0) && (pc.log_pkts == 0)) @@ -488,7 +503,9 @@ TcpdumpRollLogFile(log_tcpdump_ptr); } -void DirectLogTcpdump(struct pcap_pkthdr *ph, uint8_t *pkt) +#if 0 +/* Not currently used */ +void DirectLogTcpdump(DAQ_PktHdr_t *ph, uint8_t *pkt) { size_t dumpSize = SizeOf(ph); 
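Review bot: In the `@@ -390` hunk a failed `pcap_dump_open()` is reported with `strerror(errno)`, but libpcap returns its reason through `pcap_geterr(pcap)` and `errno` may be stale, and when `pcap_open_dead()` itself returns NULL the message still blames the log file; split the two failures and use the pcap error text. The function containing this block starts outside the hunk.
```c
pcap = pcap_open_dead(dlt, DAQ_GetSnapLen());
if (pcap == NULL)
    FatalError("log_tcpdump: pcap_open_dead(%d, %d) failed\n", dlt, DAQ_GetSnapLen());

data->dumpd = pcap_dump_open(pcap, data->logdir);
if (data->dumpd == NULL)
{
    FatalError("log_tcpdump: Failed to open log file \"%s\": %s\n",
               data->logdir, pcap_geterr(pcap));
}
pcap_close(pcap);
/* … unchanged: data->size = PCAP_FILE_HDR_SZ … */
```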
@@ -500,4 +517,5 @@ log_tcpdump_ptr->size += dumpSize; } +#endif diff -Nru snort-2.8.5.2/src/output-plugins/spo_log_tcpdump.h snort-2.9.2/src/output-plugins/spo_log_tcpdump.h --- snort-2.8.5.2/src/output-plugins/spo_log_tcpdump.h 2009-01-26 16:26:24.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_log_tcpdump.h 2011-02-09 23:23:27.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.8.5.2/src/output-plugins/spo_unified2.c snort-2.9.2/src/output-plugins/spo_unified2.c --- snort-2.8.5.2/src/output-plugins/spo_unified2.c 2009-05-06 22:29:15.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_unified2.c 2011-12-07 17:58:23.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2007-2009 Sourcefire, Inc. +** Copyright (C) 2007-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -19,7 +19,7 @@ /* spo_unified2.c * Adam Keeton - * + * * 09/26/06 * This file is litterally spo_unified.c converted to write unified2 * 
@@ -37,30 +37,37 @@ #endif #include #include +#ifdef HAVE_UUID_UUID_H +#include +#endif +#include "sfutil/Unified2_common.h" #include "spo_unified2.h" #include "decode.h" #include "rules.h" +#include "treenodes.h" #include "util.h" #include "plugbase.h" #include "spo_plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "mstring.h" #include "event.h" #include "generators.h" -#include "debug.h" -#include "bounds.h" +#include "snort_debug.h" +#include "snort_bounds.h" +#include "obfuscation.h" +#include "active.h" +#include "detection_util.h" +#include "detect.h" #include "snort.h" #include "pcap_pkthdr32.h" /* For the traversal of reassembled packets */ #include "stream_api.h" +#include "snort_httpinspect.h" -#ifdef GIDS -#include "inline.h" -#endif /* ------------------ Data structures --------------------------*/ typedef struct _Unified2Config 
@@ -76,43 +83,46 @@ int mpls_event_types; #endif int vlan_event_types; + int base_proto; } Unified2Config; -typedef struct _Unified2LogStreamCallbackData +typedef struct _Unified2LogCallbackData { - Unified2Packet *logheader; + Serial_Unified2Packet *logheader; Unified2Config *config; Event *event; - int once; -} Unified2LogStreamCallbackData; + uint32_t num_bytes; + +} Unified2LogCallbackData; + +Unified2Config *log_config = NULL; +Unified2Config *alert_config = NULL; + /* ----------------External variables -------------------- */ /* From fpdetect.c, for logging reassembled packets */ -extern uint16_t event_id; extern OptTreeNode *otn_tmp; -#ifdef GIDS -#ifndef IPFW -extern ipq_packet_msg_t *g_m; -#endif -#endif - /* -------------------- Global Variables ----------------------*/ -#ifdef GIDS -EtherHdr g_ethernet; -#endif - /* Used for buffering header and payload of unified records so only one - * write is necessary. Unified2Event6 is used as Unified2Event size + * write is necessary. Serial_Unified2IDSEventIPv6_legacy is used as Serial_Unified2IDSEvent_legacy size * since it is the largest */ -static uint8_t write_pkt_buffer[sizeof(Unified2RecordHeader) + - sizeof(Unified2Event6) + IP_MAXPACKET]; +static uint8_t write_pkt_buffer[sizeof(Serial_Unified2_Header) + + sizeof(Serial_Unified2IDSEventIPv6_legacy) + IP_MAXPACKET]; #define write_pkt_end (write_pkt_buffer + sizeof(write_pkt_buffer)) -static uint8_t write_pkt_buffer_v2[sizeof(Unified2RecordHeader) + - sizeof(Unified2Event6_v2) + IP_MAXPACKET]; +static uint8_t write_pkt_buffer_v2[sizeof(Serial_Unified2_Header) + + sizeof(Unified2IDSEventIPv6) + IP_MAXPACKET]; #define write_pkt_end_v2 (write_pkt_buffer_v2 + sizeof(write_pkt_buffer_v2)) +static uint8_t write_pkt_buffer_ng[sizeof(Serial_Unified2_Header) + + sizeof(Unified2IDSEventIPv6_NG) + IP_MAXPACKET]; + +#define write_pkt_end_ng (write_pkt_buffer_ng + sizeof(write_pkt_buffer_ng)) + +#define MAX_XDATA_WRITE_BUF_LEN (MAX_XFF_WRITE_BUF_LENGTH - \ + 
sizeof(struct in6_addr) + DECODE_BLEN) + /* This is the buffer to use for I/O. Try to make big enough so the system * doesn't potentially flush in the middle of a record. Every write is * force flushed to disk immediately after the entire record is written so @@ -120,14 +130,14 @@ #define UNIFIED2_SETVBUF #ifndef WIN32 /* use the size of the buffer we copy record data into */ -static char io_buffer[sizeof(write_pkt_buffer_v2)]; +static char io_buffer[sizeof(write_pkt_buffer_ng)]; #else # ifdef _MSC_VER # if _MSC_VER <= 1200 /* use maximum size defined by VC++ 6.0 */ static char io_buffer[32768]; # else -static char io_buffer[sizeof(write_pkt_buffer_v2)]; +static char io_buffer[sizeof(write_pkt_buffer_ng)]; # endif /* _MSC_VER <= 1200 */ # else /* no _MSC_VER, don't set I/O buffer */ @@ -144,14 +154,14 @@ static void Unified2Init(char *); static void Unified2PostConfig(int, void *); static void Unified2InitFile(Unified2Config *); -static INLINE void Unified2RotateFile(Unified2Config *); +static inline void Unified2RotateFile(Unified2Config *); static void Unified2LogAlert(Packet *, char *, void *, Event *); static void _AlertIP4(Packet *, char *, Unified2Config *, Event *); static void _AlertIP6(Packet *, char *, Unified2Config *, Event *); static void Unified2LogPacketAlert(Packet *, char *, void *, Event *); static void _Unified2LogPacketAlert(Packet *, char *, Unified2Config *, Event *); static void _Unified2LogStreamAlert(Packet *, char *, Unified2Config *, Event *); -static int Unified2LogStreamCallback(struct pcap_pkthdr *, uint8_t *, void *); +static int Unified2LogStreamCallback(DAQ_PktHdr_t *, uint8_t *, void *); static void Unified2Write(uint8_t *, uint32_t, Unified2Config *); static void _AlertIP4_v2(Packet *, char *, Unified2Config *, Event *); 
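Review bot: The `int base_proto;` member added to Unified2Config receives `htonl(DAQ_GetBaseProtocol())` later in this diff and is copied unchanged into `logheader.linktype`, so it holds a network-byte-order 32-bit value; declaring it `uint32_t base_proto; /* network byte order, written as-is into Serial_Unified2Packet.linktype */` avoids sign/width confusion in the on-disk format. The new file-scope `log_config` and `alert_config` pointers are not `static`; unless another translation unit needs them, `static Unified2Config *log_config = NULL;` keeps them out of the global namespace. The Unified2Config struct header lies outside this hunk.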
@@ -163,14 +173,23 @@ /* Unified2 Packet Log functions (deprecated) */ static void Unified2LogInit(char *); -#define U2_PACKET_FLAG 1 +static ObRet Unified2LogObfuscationCallback(const DAQ_PktHdr_t *pkth, + const uint8_t *packet_data, ob_size_t length, ob_char_t ob_char, void *userdata); +void AlertExtraData(void *ssnptr, void *data, LogFunction *log_funcs, uint32_t max_count, uint32_t xtradata_mask, uint32_t event_id, uint32_t event_second); +void AlertExtraDataPerPacket(void *ssnptr, void *data, uint32_t xtradata_mask, uint32_t event_id, uint32_t event_second); + +#define U2_PACKET_FLAG 1 +/* Obsolete flag as UI wont check the impact_flag field anymore.*/ #define U2_FLAG_BLOCKED 0x20 +/* New flags to set the pad field (corresponds to blocked column in UI) with packet action*/ +#define U2_BLOCKED_FLAG_BLOCKED 0x01 +#define U2_BLOCKED_FLAG_WDROP 0x02 /* * Function: SetupUnified2() * - * Purpose: Registers the output plugin keyword and initialization + * Purpose: Registers the output plugin keyword and initialization * function into the output plugin list. This is the function that * gets called from InitOutputPlugins() in plugbase.c. * @@ -181,7 +200,7 @@ */ void Unified2Setup(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ RegisterOutputPlugin("log_unified2", OUTPUT_TYPE_FLAG__LOG, Unified2LogInit); RegisterOutputPlugin("alert_unified2", OUTPUT_TYPE_FLAG__ALERT, Unified2AlertInit); 
@@ -248,16 +267,23 @@ FatalError("%s(%d) Failed to copy unified2 file name\n", __FILE__, __LINE__); } + config->base_proto = htonl(DAQ_GetBaseProtocol()); + Unified2InitFile(config); + + if(stream_api) + { + stream_api->reg_xtra_data_log(AlertExtraData, (void *)config); + } } /* * Function: Unified2InitFile() * - * Purpose: Initialize the unified2 ouput file + * Purpose: Initialize the unified2 ouput file * - * Arguments: config => pointer to the plugin's reference data struct + * Arguments: config => pointer to the plugin's reference data struct * * Returns: void function */ @@ -321,7 +347,7 @@ } } -static INLINE void Unified2RotateFile(Unified2Config *config) +static inline void Unified2RotateFile(Unified2Config *config) { fclose(config->stream); config->current = 0; @@ -330,12 +356,12 @@ static void _AlertIP4(Packet *p, char *msg, Unified2Config *config, Event *event) { - Unified2RecordHeader hdr; - Unified2Event alertdata; - uint32_t write_len = sizeof(Unified2RecordHeader) + sizeof(Unified2Event); + Serial_Unified2_Header hdr; + Serial_Unified2IDSEvent_legacy alertdata; + uint32_t write_len = sizeof(Serial_Unified2_Header) + sizeof(Serial_Unified2IDSEvent_legacy); memset(&alertdata, 0, sizeof(alertdata)); - + alertdata.event_id = htonl(event->event_id); alertdata.event_second = htonl(event->ref_time.tv_sec); alertdata.event_microsecond = htonl(event->ref_time.tv_usec); @@ -347,9 +373,14 @@ if (p != NULL) { - if (p->packet_flags & PKT_INLINE_DROP) + if ( Active_PacketWasDropped() ) + { + alertdata.impact_flag = U2_FLAG_BLOCKED; + alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + } + else if ( Active_PacketWouldBeDropped() ) { - alertdata.packet_action = U2_FLAG_BLOCKED; + alertdata.blocked = U2_BLOCKED_FLAG_WDROP; } if(IPH_IS_VALID(p)) 
@@ -370,26 +401,26 @@ } } } - + if ((config->current + write_len) > config->limit) Unified2RotateFile(config); - hdr.length = htonl(sizeof(Unified2Event)); + hdr.length = htonl(sizeof(Serial_Unified2IDSEvent_legacy)); hdr.type = htonl(UNIFIED2_IDS_EVENT); - if (SafeMemcpy(write_pkt_buffer, &hdr, sizeof(Unified2RecordHeader), + if (SafeMemcpy(write_pkt_buffer, &hdr, sizeof(Serial_Unified2_Header), write_pkt_buffer, write_pkt_end) != SAFEMEM_SUCCESS) { - ErrorMessage("%s(%d) Failed to copy Unified2RecordHeader. " + ErrorMessage("%s(%d) Failed to copy Serial_Unified2_Header. " "Not writing unified2 event.\n", __FILE__, __LINE__); return; } - - if (SafeMemcpy(write_pkt_buffer + sizeof(Unified2RecordHeader), - &alertdata, sizeof(Unified2Event), + + if (SafeMemcpy(write_pkt_buffer + sizeof(Serial_Unified2_Header), + &alertdata, sizeof(Serial_Unified2IDSEvent_legacy), write_pkt_buffer, write_pkt_end) != SAFEMEM_SUCCESS) { - ErrorMessage("%s(%d) Failed to copy Unified2Event. " + ErrorMessage("%s(%d) Failed to copy Serial_Unified2IDSEvent_legacy. " "Not writing unified2 event.\n", __FILE__, __LINE__); return; } @@ -399,12 +430,12 @@ static void _AlertIP4_v2(Packet *p, char *msg, Unified2Config *config, Event *event) { - Unified2RecordHeader hdr; - Unified2Event_v2 alertdata; - uint32_t write_len = sizeof(Unified2RecordHeader) + sizeof(Unified2Event_v2); + Serial_Unified2_Header hdr; + Unified2IDSEvent alertdata; + uint32_t write_len = sizeof(Serial_Unified2_Header) + sizeof(Unified2IDSEvent); memset(&alertdata, 0, sizeof(alertdata)); - + alertdata.event_id = htonl(event->event_id); alertdata.event_second = htonl(event->ref_time.tv_sec); alertdata.event_microsecond = htonl(event->ref_time.tv_usec); 
@@ -416,9 +447,14 @@ if(p) { - if (p->packet_flags & PKT_INLINE_DROP) + if ( Active_PacketWasDropped() ) + { + alertdata.impact_flag = U2_FLAG_BLOCKED; + alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + } + else if ( Active_PacketWouldBeDropped() ) { - alertdata.packet_action = U2_FLAG_BLOCKED; + alertdata.blocked = U2_BLOCKED_FLAG_WDROP; } if(IPH_IS_VALID(p)) @@ -451,31 +487,31 @@ alertdata.vlanId = htons(VTH_VLAN(p->vh)); } - alertdata.configPolicyId = htons(p->configPolicyId); + alertdata.pad2 = htons(p->configPolicyId); } } } - + if ((config->current + write_len) > config->limit) Unified2RotateFile(config); - hdr.length = htonl(sizeof(Unified2Event_v2)); - hdr.type = htonl(UNIFIED2_IDS_EVENT_V2); + hdr.length = htonl(sizeof(Unified2IDSEvent)); + hdr.type = htonl(UNIFIED2_IDS_EVENT_VLAN); - if (SafeMemcpy(write_pkt_buffer_v2, &hdr, sizeof(Unified2RecordHeader), + if (SafeMemcpy(write_pkt_buffer_v2, &hdr, sizeof(Serial_Unified2_Header), write_pkt_buffer_v2, write_pkt_end_v2) != SAFEMEM_SUCCESS) { - ErrorMessage("%s(%d) Failed to copy Unified2RecordHeader. " + ErrorMessage("%s(%d) Failed to copy Serial_Unified2_Header. " "Not writing unified2 event.\n", __FILE__, __LINE__); return; } - - if (SafeMemcpy(write_pkt_buffer_v2 + sizeof(Unified2RecordHeader), - &alertdata, sizeof(Unified2Event_v2), + + if (SafeMemcpy(write_pkt_buffer_v2 + sizeof(Serial_Unified2_Header), + &alertdata, sizeof(Unified2IDSEvent), write_pkt_buffer_v2, write_pkt_end_v2) != SAFEMEM_SUCCESS) { - ErrorMessage("%s(%d) Failed to copy Unified2Event. " + ErrorMessage("%s(%d) Failed to copy Serial_Unified2IDSEvent_legacy. " "Not writing unified2 event.\n", __FILE__, __LINE__); return; } 
@@ -483,15 +519,15 @@ Unified2Write(write_pkt_buffer_v2, write_len, config); } -static void _AlertIP6(Packet *p, char *msg, Unified2Config *config, Event *event) +static void _AlertIP6(Packet *p, char *msg, Unified2Config *config, Event *event) { #ifdef SUP_IP6 - Unified2RecordHeader hdr; - Unified2Event6 alertdata; - uint32_t write_len = sizeof(Unified2RecordHeader) + sizeof(Unified2Event6); + Serial_Unified2_Header hdr; + Serial_Unified2IDSEventIPv6_legacy alertdata; + uint32_t write_len = sizeof(Serial_Unified2_Header) + sizeof(Serial_Unified2IDSEventIPv6_legacy); memset(&alertdata, 0, sizeof(alertdata)); - + alertdata.event_id = htonl(event->event_id); alertdata.event_second = htonl(event->ref_time.tv_sec); alertdata.event_microsecond = htonl(event->ref_time.tv_usec); @@ -503,9 +539,14 @@ if(p) { - if (p->packet_flags & PKT_INLINE_DROP) + if ( Active_PacketWasDropped() ) { - alertdata.packet_action = U2_FLAG_BLOCKED; + alertdata.impact_flag = U2_FLAG_BLOCKED; + alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + } + else if ( Active_PacketWouldBeDropped() ) + { + alertdata.blocked = U2_BLOCKED_FLAG_WDROP; } if(IPH_IS_VALID(p)) 
@@ -532,26 +573,26 @@ } } } - + if ((config->current + write_len) > config->limit) Unified2RotateFile(config); - hdr.length = htonl(sizeof(Unified2Event6)); + hdr.length = htonl(sizeof(Serial_Unified2IDSEventIPv6_legacy)); hdr.type = htonl(UNIFIED2_IDS_EVENT_IPV6); - if (SafeMemcpy(write_pkt_buffer, &hdr, sizeof(Unified2RecordHeader), + if (SafeMemcpy(write_pkt_buffer, &hdr, sizeof(Serial_Unified2_Header), write_pkt_buffer, write_pkt_end) != SAFEMEM_SUCCESS) { - ErrorMessage("%s(%d) Failed to copy Unified2RecordHeader. " + ErrorMessage("%s(%d) Failed to copy Serial_Unified2_Header. " "Not writing unified2 event.\n", __FILE__, __LINE__); return; } - - if (SafeMemcpy(write_pkt_buffer + sizeof(Unified2RecordHeader), - &alertdata, sizeof(Unified2Event6), + + if (SafeMemcpy(write_pkt_buffer + sizeof(Serial_Unified2_Header), + &alertdata, sizeof(Serial_Unified2IDSEventIPv6_legacy), write_pkt_buffer, write_pkt_end) != SAFEMEM_SUCCESS) { - ErrorMessage("%s(%d) Failed to copy Unified2Event6. " + ErrorMessage("%s(%d) Failed to copy Serial_Unified2IDSEventIPv6_legacy. " "Not writing unified2 event.\n", __FILE__, __LINE__); return; } @@ -563,9 +604,9 @@ static void _AlertIP6_v2(Packet *p, char *msg, Unified2Config *config, Event *event) { #ifdef SUP_IP6 - Unified2RecordHeader hdr; - Unified2Event6_v2 alertdata; - uint32_t write_len = sizeof(Unified2RecordHeader) + sizeof(Unified2Event6_v2); + Serial_Unified2_Header hdr; + Unified2IDSEventIPv6 alertdata; + uint32_t write_len = sizeof(Serial_Unified2_Header) + sizeof(Unified2IDSEventIPv6); memset(&alertdata, 0, sizeof(alertdata)); @@ -580,9 +621,14 @@ if(p) { - if (p->packet_flags & PKT_INLINE_DROP) + if ( Active_PacketWasDropped() ) + { + alertdata.impact_flag = U2_FLAG_BLOCKED; + alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + } + else if ( Active_PacketWouldBeDropped() ) { - alertdata.packet_action = U2_FLAG_BLOCKED; + alertdata.blocked = U2_BLOCKED_FLAG_WDROP; } if(IPH_IS_VALID(p)) 
@@ -621,30 +667,30 @@ alertdata.vlanId = htons(VTH_VLAN(p->vh)); } - alertdata.configPolicyId = htons(p->configPolicyId); + alertdata.pad2 = htons(p->configPolicyId); } } } - + if ((config->current + write_len) > config->limit) Unified2RotateFile(config); - hdr.length = htonl(sizeof(Unified2Event6_v2)); - hdr.type = htonl(UNIFIED2_IDS_EVENT_IPV6_V2); + hdr.length = htonl(sizeof(Unified2IDSEventIPv6)); + hdr.type = htonl(UNIFIED2_IDS_EVENT_IPV6_VLAN); - if (SafeMemcpy(write_pkt_buffer_v2, &hdr, sizeof(Unified2RecordHeader), + if (SafeMemcpy(write_pkt_buffer_v2, &hdr, sizeof(Serial_Unified2_Header), write_pkt_buffer_v2, write_pkt_end_v2) != SAFEMEM_SUCCESS) { - ErrorMessage("%s(%d) Failed to copy Unified2RecordHeader. " + ErrorMessage("%s(%d) Failed to copy Serial_Unified2_Header. " "Not writing unified2 event.\n", __FILE__, __LINE__); return; } - - if (SafeMemcpy(write_pkt_buffer_v2 + sizeof(Unified2RecordHeader), - &alertdata, sizeof(Unified2Event6_v2), + + if (SafeMemcpy(write_pkt_buffer_v2 + sizeof(Serial_Unified2_Header), + &alertdata, sizeof(Unified2IDSEventIPv6), write_pkt_buffer_v2, write_pkt_end_v2) != SAFEMEM_SUCCESS) { - ErrorMessage("%s(%d) Failed to copy Unified2Event6_v2. " + ErrorMessage("%s(%d) Failed to copy Unified2IDSEventIPv6. " "Not writing unified2 event.\n", __FILE__, __LINE__); return; } 
@@ -652,41 +698,452 @@ Unified2Write(write_pkt_buffer_v2, write_len, config); #endif } + +static inline void UUIDPack(uint8_t *policy_uuid, char *str, int size) +{ +#ifdef HAVE_LIBUUID + uuid_parse(str, policy_uuid); +#else + strncpy((char *)policy_uuid, str, size); +#endif +} + +static void _AlertIP4_NG(Packet *p, char *msg, Unified2Config *config, Event *event, PESessionRecord *session) +{ + Serial_Unified2_Header hdr; + Unified2IDSEventNG alertdata; + tSfPolicyId policy_id; + SnortPolicy *policy = NULL; + uint32_t write_len = sizeof(Serial_Unified2_Header) + sizeof(Unified2IDSEventNG); + + memset(&alertdata, 0, sizeof(alertdata)); + + alertdata.event_id = htonl(event->event_id); + alertdata.event_second = htonl(event->ref_time.tv_sec); + alertdata.event_microsecond = htonl(event->ref_time.tv_usec); + alertdata.generator_id = htonl(event->sig_generator); + alertdata.signature_id = htonl(event->sig_id); + alertdata.signature_revision = htonl(event->sig_rev); + alertdata.classification_id = htonl(event->classification); + alertdata.priority_id = htonl(event->priority); + + if(p) + { + if ( Active_PacketWasDropped() ) + { + alertdata.impact_flag = U2_FLAG_BLOCKED; + alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + } + else if ( Active_PacketWouldBeDropped() ) + { + alertdata.blocked = U2_BLOCKED_FLAG_WDROP; + } + + if(IPH_IS_VALID(p)) + { + alertdata.ip_source = p->iph->ip_src.s_addr; + alertdata.ip_destination = p->iph->ip_dst.s_addr; + alertdata.protocol = GET_IPH_PROTO(p); + + if ((alertdata.protocol == IPPROTO_ICMP) && p->icmph) + { + alertdata.sport_itype = htons(p->icmph->type); + alertdata.dport_icode = htons(p->icmph->code); + } + else if (alertdata.protocol != 255) + { + alertdata.sport_itype = htons(p->sp); + alertdata.dport_icode = htons(p->dp); + } + +#ifdef MPLS + if((p->mpls) && (config->mpls_event_types)) + { + alertdata.mpls_label = htonl(p->mplsHdr.label); + } +#endif + if(config->vlan_event_types) + { + if(p->vh) + { + alertdata.vlanId = 
htons(VTH_VLAN(p->vh)); + } + + } + + } + + policy_id = getRuntimePolicy(); + if(policy_id == getDefaultPolicy()) + { + if(snort_conf->base_version) + { + UUIDPack(alertdata.policy_uuid, snort_conf->base_version, sizeof(alertdata.policy_uuid)); + } + } + else + { + policy = snort_conf->targeted_policies[policy_id]; + + if(policy && policy->policy_version) + UUIDPack(alertdata.policy_uuid, policy->policy_version, sizeof(alertdata.policy_uuid)); + } + + alertdata.user_id = htonl(session->userId); + alertdata.web_application_id = htonl(session->webAppId); + alertdata.client_application_id = htonl(session->clientId); + alertdata.application_protocol_id = htonl(session->appProtoId); + alertdata.policyengine_rule_id = htonl(session->policyengine_ruleId); + memcpy(alertdata.policyengine_policy_uuid, session->policyRevision, sizeof(alertdata.policyengine_policy_uuid)); + memcpy(alertdata.interface_ingress_uuid, session->ingressIntf, sizeof(alertdata.interface_ingress_uuid)); + memcpy(alertdata.interface_egress_uuid, session->egressIntf, sizeof(alertdata.interface_egress_uuid)); + memcpy(alertdata.security_zone_ingress_uuid, session->ingressZone, sizeof(alertdata.security_zone_ingress_uuid)); + memcpy(alertdata.security_zone_egress_uuid, session->egressZone, sizeof(alertdata.security_zone_egress_uuid)); + + } + + if ((config->current + write_len) > config->limit) + Unified2RotateFile(config); + + hdr.length = htonl(sizeof(Unified2IDSEventNG)); + hdr.type = htonl(UNIFIED2_IDS_EVENT_NG); + + if (SafeMemcpy(write_pkt_buffer_ng, &hdr, sizeof(Serial_Unified2_Header), + write_pkt_buffer_ng, write_pkt_end_ng) != SAFEMEM_SUCCESS) + { + ErrorMessage("%s(%d) Failed to copy Serial_Unified2_Header. 
" + "Not writing unified2 event.\n", __FILE__, __LINE__); + return; + } + + if (SafeMemcpy(write_pkt_buffer_ng + sizeof(Serial_Unified2_Header), + &alertdata, sizeof(Unified2IDSEventNG), + write_pkt_buffer_ng, write_pkt_end_ng) != SAFEMEM_SUCCESS) + { + ErrorMessage("%s(%d) Failed to copy Unified2IDSEventNG. " + "Not writing unified2 event.\n", __FILE__, __LINE__); + return; + } + + Unified2Write(write_pkt_buffer_ng, write_len, config); +} + +static void _AlertIP6_NG(Packet *p, char *msg, Unified2Config *config, Event *event, PESessionRecord *session) +{ +#ifdef SUP_IP6 + Serial_Unified2_Header hdr; + Unified2IDSEventIPv6_NG alertdata; + tSfPolicyId policy_id; + SnortPolicy *policy = NULL; + uint32_t write_len = sizeof(Serial_Unified2_Header) + sizeof(Unified2IDSEventIPv6_NG); + + memset(&alertdata, 0, sizeof(alertdata)); + + alertdata.event_id = htonl(event->event_id); + alertdata.event_second = htonl(event->ref_time.tv_sec); + alertdata.event_microsecond = htonl(event->ref_time.tv_usec); + alertdata.generator_id = htonl(event->sig_generator); + alertdata.signature_id = htonl(event->sig_id); + alertdata.signature_revision = htonl(event->sig_rev); + alertdata.classification_id = htonl(event->classification); + alertdata.priority_id = htonl(event->priority); + + if(p) + { + if ( Active_PacketWasDropped() ) + { + alertdata.impact_flag = U2_FLAG_BLOCKED; + alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + } + else if ( Active_PacketWouldBeDropped() ) + { + alertdata.blocked = U2_BLOCKED_FLAG_WDROP; + } + + if(IPH_IS_VALID(p)) + { + snort_ip_p ip; + + ip = GET_SRC_IP(p); + alertdata.ip_source = *(struct in6_addr*)ip->ip32; + + ip = GET_DST_IP(p); + alertdata.ip_destination = *(struct in6_addr*)ip->ip32; + + alertdata.protocol = GET_IPH_PROTO(p); + + if ((alertdata.protocol == IPPROTO_ICMP) && p->icmph) + { + alertdata.sport_itype = htons(p->icmph->type); + alertdata.dport_icode = htons(p->icmph->code); + } + else if (alertdata.protocol != 255) + { + alertdata.sport_itype 
= htons(p->sp); + alertdata.dport_icode = htons(p->dp); + } + +#ifdef MPLS + if((p->mpls) && (config->mpls_event_types)) + { + alertdata.mpls_label = htonl(p->mplsHdr.label); + } +#endif + if(config->vlan_event_types) + { + if(p->vh) + { + alertdata.vlanId = htons(VTH_VLAN(p->vh)); + } + + } + + } + + policy_id = getRuntimePolicy(); + if(policy_id == getDefaultPolicy()) + { + if(snort_conf->base_version) + UUIDPack(alertdata.policy_uuid, snort_conf->base_version, sizeof(alertdata.policy_uuid)); + } + else + { + policy = snort_conf->targeted_policies[policy_id]; + + if(policy && policy->policy_version) + UUIDPack(alertdata.policy_uuid, policy->policy_version, sizeof(alertdata.policy_uuid)); + } + + alertdata.user_id = htonl(session->userId); + alertdata.web_application_id = htonl(session->webAppId); + alertdata.client_application_id = htonl(session->clientId); + alertdata.application_protocol_id = htonl(session->appProtoId); + alertdata.policyengine_rule_id = htonl(session->policyengine_ruleId); + memcpy(alertdata.policyengine_policy_uuid, session->policyRevision, sizeof(alertdata.policyengine_policy_uuid)); + memcpy(alertdata.interface_ingress_uuid, session->ingressIntf, sizeof(alertdata.interface_ingress_uuid)); + memcpy(alertdata.interface_egress_uuid, session->egressIntf, sizeof(alertdata.interface_egress_uuid)); + memcpy(alertdata.security_zone_ingress_uuid, session->ingressZone, sizeof(alertdata.security_zone_ingress_uuid)); + memcpy(alertdata.security_zone_egress_uuid, session->egressZone, sizeof(alertdata.security_zone_egress_uuid)); + } + + if ((config->current + write_len) > config->limit) + Unified2RotateFile(config); + + hdr.length = htonl(sizeof(Unified2IDSEventIPv6_NG)); + hdr.type = htonl(UNIFIED2_IDS_EVENT_IPV6_NG); + + if (SafeMemcpy(write_pkt_buffer_ng, &hdr, sizeof(Serial_Unified2_Header), + write_pkt_buffer_ng, write_pkt_end_ng) != SAFEMEM_SUCCESS) + { + ErrorMessage("%s(%d) Failed to copy Serial_Unified2_Header. 
" + "Not writing unified2 event.\n", __FILE__, __LINE__); + return; + } + + if (SafeMemcpy(write_pkt_buffer_ng + sizeof(Serial_Unified2_Header), + &alertdata, sizeof(Unified2IDSEventIPv6_NG), + write_pkt_buffer_ng, write_pkt_end_ng) != SAFEMEM_SUCCESS) + { + ErrorMessage("%s(%d) Failed to copy Unified2IDSEventIPv6_NG. " + "Not writing unified2 event.\n", __FILE__, __LINE__); + return; + } + + Unified2Write(write_pkt_buffer_ng, write_len, config); +#endif +} + +void _WriteExtraData(Unified2Config *config, uint32_t event_id, uint32_t event_second, uint8_t *buffer, uint32_t len, uint32_t type ) +{ + + Serial_Unified2_Header hdr; + SerialUnified2ExtraData alertdata; + Unified2ExtraDataHdr alertHdr; + uint8_t write_buffer[MAX_XDATA_WRITE_BUF_LEN]; + uint8_t *write_end = NULL; + uint8_t *ptr = NULL; + + + uint32_t write_len; + + write_len = sizeof(Serial_Unified2_Header) + sizeof(Unified2ExtraDataHdr); + + alertdata.sensor_id = 0; + alertdata.event_id = htonl(event_id); + alertdata.event_second = htonl(event_second); + alertdata.data_type = htonl(EVENT_DATA_TYPE_BLOB); + + alertdata.type = htonl(type); + alertdata.blob_length = htonl(sizeof(alertdata.data_type) + + sizeof(alertdata.blob_length) + len); + + + write_len = write_len + sizeof(alertdata) + len; + alertHdr.event_type = htonl(EVENT_TYPE_EXTRA_DATA); + alertHdr.event_length = htonl(write_len - sizeof(Serial_Unified2_Header)); + + + if ((config->current + write_len) > config->limit) + Unified2RotateFile(config); + + hdr.length = htonl(write_len - sizeof(Serial_Unified2_Header)); + hdr.type = htonl(UNIFIED2_EXTRA_DATA); + + write_end = write_buffer + sizeof(write_buffer); + + + ptr = write_buffer; + + if (SafeMemcpy(ptr, &hdr, sizeof(hdr), + write_buffer, write_end) != SAFEMEM_SUCCESS) + { + ErrorMessage("%s(%d) Failed to copy Serial_Unified2_Header. 
" + "Not writing unified2 event.\n", __FILE__, __LINE__); + return; + } + + ptr = ptr + sizeof(hdr); + + if (SafeMemcpy(ptr, &alertHdr, sizeof(alertHdr), + write_buffer, write_end) != SAFEMEM_SUCCESS) + { + ErrorMessage("%s(%d) Failed to copy Unified2ExtraDataHdr. " + "Not writing unified2 event.\n", __FILE__, __LINE__); + return; + } + + ptr = ptr + sizeof(alertHdr); + + if (SafeMemcpy(ptr, &alertdata, sizeof(alertdata), + write_buffer, write_end) != SAFEMEM_SUCCESS) + { + ErrorMessage("%s(%d) Failed to copy SerialUnified2ExtraData. " + "Not writing unified2 event.\n", __FILE__, __LINE__); + return; + } + + ptr = ptr + sizeof(alertdata); + + if (SafeMemcpy(ptr, buffer, len, + write_buffer, write_end) != SAFEMEM_SUCCESS) + { + ErrorMessage("%s(%d) Failed to copy Gzip Decompressed Buffer. " + "Not writing unified2 event.\n", __FILE__, __LINE__); + return; + } + + Unified2Write(write_buffer, write_len, config); +} + +void AlertExtraDataPerPacket(void *ssnptr, void *data, uint32_t xtradata_mask, uint32_t event_id, uint32_t event_second) +{ + LogFunction *log_funcs; + uint32_t max_count; + + max_count = stream_api->get_xtra_data_map(&log_funcs); + + if(max_count > 0) + { + AlertExtraData(ssnptr, data, log_funcs, max_count, xtradata_mask, event_id, event_second); + } +} +void AlertExtraData(void *ssnptr, void *data, LogFunction *log_funcs, uint32_t max_count, uint32_t xtradata_mask, uint32_t event_id, uint32_t event_second) +{ + Unified2Config *config = (Unified2Config *)data; + uint32_t type = 0; + uint32_t len = 0; + uint8_t *write_buffer; + uint32_t i = 0; + + if((config == NULL) || !xtradata_mask || !event_second) + return; + + while( i < max_count ) + { + if( xtradata_mask & (1 << i) ) + { + if((*(log_funcs[i]))(ssnptr, &write_buffer,&len,&type)) + { + if(len > 0) + _WriteExtraData(config, event_id, event_second, write_buffer, len, type); + } + } + i++; + } + +} + static void Unified2LogAlert(Packet *p, char *msg, void *arg, Event *event) { Unified2Config *config = 
(Unified2Config *)arg; + PESessionRecord *session = NULL; if (config == NULL) return; if(!event) return; + if(p->policyEngineData) + { + session = (PESessionRecord*)(p->policyEngineData); + } if(IS_IP4(p)) { + if(session) + _AlertIP4_NG(p, msg, config, event, session); + else + { #ifdef MPLS - if((config->vlan_event_types) || (config->mpls_event_types)) + if((config->vlan_event_types) || (config->mpls_event_types)) #else - if(config->vlan_event_types) + if(config->vlan_event_types) #endif - { - _AlertIP4_v2(p, msg, config, event); + { + _AlertIP4_v2(p, msg, config, event); + } + else + _AlertIP4(p, msg, config, event); } - else - _AlertIP4(p, msg, config, event); - } - else + } + else { + if(session) + _AlertIP6_NG(p, msg, config, event, session); + else + { #ifdef MPLS - if((config->vlan_event_types) || (config->mpls_event_types)) + if((config->vlan_event_types) || (config->mpls_event_types)) #else - if(config->vlan_event_types) + if(config->vlan_event_types) #endif + { + _AlertIP6_v2(p, msg, config, event); + } + else + _AlertIP6(p, msg, config, event); + } + +#ifdef SUP_IP6 + if(ScLogIPv6Extra() && IS_IP6(p)) { - _AlertIP6_v2(p, msg, config, event); + snort_ip_p ip = GET_SRC_IP(p); + _WriteExtraData(config, event->event_id, event->ref_time.tv_sec, + &ip->ip8[0], sizeof(struct in6_addr), EVENT_INFO_IPV6_SRC); + ip = GET_DST_IP(p); + _WriteExtraData(config, event->event_id, event->ref_time.tv_sec, + &ip->ip8[0], sizeof(struct in6_addr), EVENT_INFO_IPV6_DST); } - else - _AlertIP6(p, msg, config, event); +#endif + } + + if(p->ssnptr) + { + stream_api->log_session_extra_data(p->ssnptr, p, event->sig_generator, event->sig_id, event->event_id, event->ref_time.tv_sec); + + if(p->per_packet_xtradata) + AlertExtraDataPerPacket(p->ssnptr, config, p->per_packet_xtradata, event->event_id, event->ref_time.tv_sec); } + return; } 
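Review bot: In the new AlertExtraData, the loop tests `xtradata_mask & (1 << i)` for `i` up to `max_count`, which is an `int` shift that overflows at i == 31 and is undefined for i >= 32, while `xtradata_mask` is a uint32_t and can never carry those bits; bounding the loop and using an unsigned constant, `while (i < max_count && i < 32)` with `(1u << i)`, removes the UB without changing which callbacks run. `len` and `type` are also not reset between iterations, so a callback that returns success without assigning `len` would reuse the previous iteration's length and `write_buffer` pointer; assign `len = 0; type = 0;` at the top of each iteration. Separately, the non-libuuid branch of UUIDPack copies a version string into a binary UUID field with `strncpy`, and the libuuid branch ignores uuid_parse's return value, leaving `policy_uuid` unchanged on a malformed string; checking the return and zeroing the field on failure keeps the record deterministic. The hunk ends inside Unified2LogAlert.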
@@ -697,15 +1154,15 @@ if (config == NULL) return; - if(p) + if(p) { if ((p->packet_flags & PKT_REBUILT_STREAM) && stream_api) { - DEBUG_WRAP(DebugMessage(DEBUG_LOG, + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "[*] Reassembled packet, dumping stream packets\n");); _Unified2LogStreamAlert(p, msg, config, event); } - else + else { DEBUG_WRAP(DebugMessage(DEBUG_LOG, "[*] Logging unified 2 packets...\n");); _Unified2LogPacketAlert(p, msg, config, event); @@ -713,16 +1170,16 @@ } } -static void _Unified2LogPacketAlert(Packet *p, char *msg, +static void _Unified2LogPacketAlert(Packet *p, char *msg, Unified2Config *config, Event *event) -{ - Unified2RecordHeader hdr; - Unified2Packet logheader; - uint32_t pkt_length = 0; - uint32_t write_len = sizeof(Unified2RecordHeader) + sizeof(Unified2Packet) - 4; +{ + Serial_Unified2_Header hdr; + Serial_Unified2Packet logheader; + uint32_t pkt_length = 0; + uint32_t write_len = sizeof(Serial_Unified2_Header) + sizeof(Serial_Unified2Packet) - 4; logheader.sensor_id = 0; - logheader.linktype = htonl(datalink); + logheader.linktype = config->base_proto; if (event != NULL) { @@ -737,6 +1194,26 @@ logheader.event_second = 0; } + if ((p != NULL) && (p->pkt != NULL) && (p->pkth != NULL) + && obApi->payloadObfuscationRequired(p)) + { + Unified2LogCallbackData unifiedData; + + unifiedData.logheader = &logheader; + unifiedData.config = config; + unifiedData.event = event; + unifiedData.num_bytes = 0; + + if (obApi->obfuscatePacket(p, Unified2LogObfuscationCallback, + (void *)&unifiedData) == OB_RET_SUCCESS) + { + /* Write the last record */ + if (unifiedData.num_bytes != 0) + Unified2Write(write_pkt_buffer, unifiedData.num_bytes, config); + return; + } + } + if(p && p->pkt && p->pkth) { logheader.packet_second = htonl((uint32_t)p->pkth->ts.tv_sec); 
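Review bot: When `obApi->obfuscatePacket()` returns anything other than OB_RET_SUCCESS, the new block in _Unified2LogPacketAlert falls through to the existing unobfuscated write path, so a packet for which `payloadObfuscationRequired(p)` was true is logged with its payload intact; if the callback had already written partial records before failing (Unified2LogObfuscationCallback is outside this hunk), the fall-through also duplicates the packet. Safer to report and stop: add an else branch with `ErrorMessage("%s(%d) Payload obfuscation failed. Not writing unified2 packet.\n", __FILE__, __LINE__); return;`, or, if the fallback is intended, document it with `/* obfuscation failed: writing packet unobfuscated */` so the behaviour is a visible choice.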
@@ -756,30 +1233,30 @@ if ((config->current + write_len) > config->limit) Unified2RotateFile(config); - hdr.length = htonl(sizeof(Unified2Packet) - 4 + pkt_length); + hdr.length = htonl(sizeof(Serial_Unified2Packet) - 4 + pkt_length); hdr.type = htonl(UNIFIED2_PACKET); - if (SafeMemcpy(write_pkt_buffer, &hdr, sizeof(Unified2RecordHeader), + if (SafeMemcpy(write_pkt_buffer, &hdr, sizeof(Serial_Unified2_Header), write_pkt_buffer, write_pkt_end) != SAFEMEM_SUCCESS) { - ErrorMessage("%s(%d) Failed to copy Unified2RecordHeader. " + ErrorMessage("%s(%d) Failed to copy Serial_Unified2_Header. " "Not writing unified2 event.\n", __FILE__, __LINE__); return; } - if (SafeMemcpy(write_pkt_buffer + sizeof(Unified2RecordHeader), - &logheader, sizeof(Unified2Packet) - 4, + if (SafeMemcpy(write_pkt_buffer + sizeof(Serial_Unified2_Header), + &logheader, sizeof(Serial_Unified2Packet) - 4, write_pkt_buffer, write_pkt_end) != SAFEMEM_SUCCESS) { - ErrorMessage("%s(%d) Failed to copy Unified2Packet. " + ErrorMessage("%s(%d) Failed to copy Serial_Unified2Packet. " "Not writing unified2 event.\n", __FILE__, __LINE__); return; } if (pkt_length != 0) { - if (SafeMemcpy(write_pkt_buffer + sizeof(Unified2RecordHeader) + - sizeof(Unified2Packet) - 4, + if (SafeMemcpy(write_pkt_buffer + sizeof(Serial_Unified2_Header) + + sizeof(Serial_Unified2Packet) - 4, p->pkt, pkt_length, write_pkt_buffer, write_pkt_end) != SAFEMEM_SUCCESS) { 
@@ -796,12 +1273,12 @@ * Callback for the Stream reassembler to log packets * */ -static int Unified2LogStreamCallback(struct pcap_pkthdr *pkth, +static int Unified2LogStreamCallback(DAQ_PktHdr_t *pkth, uint8_t *packet_data, void *userdata) { - Unified2LogStreamCallbackData *unifiedData = (Unified2LogStreamCallbackData *)userdata; - Unified2RecordHeader hdr; - uint32_t write_len = sizeof(Unified2RecordHeader) + sizeof(Unified2Packet) - 4; + Unified2LogCallbackData *unifiedData = (Unified2LogCallbackData *)userdata; + Serial_Unified2_Header hdr; + uint32_t write_len = sizeof(Serial_Unified2_Header) + sizeof(Serial_Unified2Packet) - 4; if (!userdata || !pkth || !packet_data) return -1; @@ -811,7 +1288,7 @@ Unified2RotateFile(unifiedData->config); hdr.type = htonl(UNIFIED2_PACKET); - hdr.length = htonl(sizeof(Unified2Packet) - 4 + pkth->caplen); + hdr.length = htonl(sizeof(Serial_Unified2Packet) - 4 + pkth->caplen); /* Event data will already be set */ 
@@ -819,25 +1296,25 @@ unifiedData->logheader->packet_microsecond = htonl((uint32_t)pkth->ts.tv_usec); unifiedData->logheader->packet_length = htonl(pkth->caplen); - if (SafeMemcpy(write_pkt_buffer, &hdr, sizeof(Unified2RecordHeader), + if (SafeMemcpy(write_pkt_buffer, &hdr, sizeof(Serial_Unified2_Header), write_pkt_buffer, write_pkt_end) != SAFEMEM_SUCCESS) { - ErrorMessage("%s(%d) Failed to copy Unified2RecordHeader. " + ErrorMessage("%s(%d) Failed to copy Serial_Unified2_Header. " "Not writing unified2 event.\n", __FILE__, __LINE__); return -1; } - if (SafeMemcpy(write_pkt_buffer + sizeof(Unified2RecordHeader), - unifiedData->logheader, sizeof(Unified2Packet) - 4, + if (SafeMemcpy(write_pkt_buffer + sizeof(Serial_Unified2_Header), + unifiedData->logheader, sizeof(Serial_Unified2Packet) - 4, write_pkt_buffer, write_pkt_end) != SAFEMEM_SUCCESS) { - ErrorMessage("%s(%d) Failed to copy Unified2Packet. " + ErrorMessage("%s(%d) Failed to copy Serial_Unified2Packet. " "Not writing unified2 event.\n", __FILE__, __LINE__); return -1; } - if (SafeMemcpy(write_pkt_buffer + sizeof(Unified2RecordHeader) + - sizeof(Unified2Packet) - 4, + if (SafeMemcpy(write_pkt_buffer + sizeof(Serial_Unified2_Header) + + sizeof(Serial_Unified2Packet) - 4, packet_data, pkth->caplen, write_pkt_buffer, write_pkt_end) != SAFEMEM_SUCCESS) { @@ -848,7 +1325,7 @@ Unified2Write(write_pkt_buffer, write_len, unifiedData->config); -#if 0 +#if 0 /* DO NOT DO THIS FOR UNIFIED2. * The event referenced below in the unifiedData is a pointer * to the actual event and this changes its gid & sid to 2:1. @@ -862,7 +1339,7 @@ unifiedData->event->sig_rev = 1; unifiedData->event->classification = 0; unifiedData->event->priority = unifiedData->event->priority; - /* Note that event_id is now incorrect. + /* Note that event_id is now incorrect. * See OldUnified2LogPacketAlert() for details. */ } #endif 
@@ -870,6 +1347,94 @@ return 0; } +static ObRet Unified2LogObfuscationCallback(const DAQ_PktHdr_t *pkth, + const uint8_t *packet_data, ob_size_t length, + ob_char_t ob_char, void *userdata) +{ + Unified2LogCallbackData *unifiedData = (Unified2LogCallbackData *)userdata; + + if (userdata == NULL) + return OB_RET_ERROR; + + if (pkth != NULL) + { + Serial_Unified2_Header hdr; + uint32_t record_len = (pkth->caplen + sizeof(Serial_Unified2_Header) + + (sizeof(Serial_Unified2Packet) - 4)); + + /* Write the last buffer if present. Want to write an entire record + * at a time in case of failures, we don't corrupt the log file. */ + if (unifiedData->num_bytes != 0) + Unified2Write(write_pkt_buffer, unifiedData->num_bytes, unifiedData->config); + + if ((write_pkt_buffer + record_len) > write_pkt_end) + { + ErrorMessage("%s(%d) Too much data. Not writing unified2 event.\n", + __FILE__, __LINE__); + return OB_RET_ERROR; + } + + if ((unifiedData->config->current + record_len) > unifiedData->config->limit) + Unified2RotateFile(unifiedData->config); + + hdr.type = htonl(UNIFIED2_PACKET); + hdr.length = htonl((sizeof(Serial_Unified2Packet) - 4) + pkth->caplen); + + /* Event data will already be set */ + + unifiedData->logheader->packet_second = htonl((uint32_t)pkth->ts.tv_sec); + unifiedData->logheader->packet_microsecond = htonl((uint32_t)pkth->ts.tv_usec); + unifiedData->logheader->packet_length = htonl(pkth->caplen); + + if (SafeMemcpy(write_pkt_buffer, &hdr, sizeof(Serial_Unified2_Header), + write_pkt_buffer, write_pkt_end) != SAFEMEM_SUCCESS) + { + ErrorMessage("%s(%d) Failed to copy Serial_Unified2_Header. " + "Not writing unified2 event.\n", __FILE__, __LINE__); + return OB_RET_ERROR; + } + + if (SafeMemcpy(write_pkt_buffer + sizeof(Serial_Unified2_Header), + unifiedData->logheader, sizeof(Serial_Unified2Packet) - 4, + write_pkt_buffer, write_pkt_end) != SAFEMEM_SUCCESS) + { + ErrorMessage("%s(%d) Failed to copy Serial_Unified2Packet. 
" + "Not writing unified2 event.\n", __FILE__, __LINE__); + return OB_RET_ERROR; + } + + /* Reset this for the new record */ + unifiedData->num_bytes = (record_len - pkth->caplen); + } + + if (packet_data != NULL) + { + if (SafeMemcpy(write_pkt_buffer + unifiedData->num_bytes, + packet_data, (size_t)length, + write_pkt_buffer, write_pkt_end) != SAFEMEM_SUCCESS) + { + ErrorMessage("%s(%d) Failed to copy packet data " + "Not writing unified2 event.\n", __FILE__, __LINE__); + return OB_RET_ERROR; + } + } + else + { + if (SafeMemset(write_pkt_buffer + unifiedData->num_bytes, + (uint8_t)ob_char, (size_t)length, + write_pkt_buffer, write_pkt_end) != SAFEMEM_SUCCESS) + { + ErrorMessage("%s(%d) Failed to obfuscate packet data " + "Not writing unified2 event.\n", __FILE__, __LINE__); + return OB_RET_ERROR; + } + } + + unifiedData->num_bytes += length; + + return OB_RET_SUCCESS; +} + /** * Log a set of packets stored in the stream reassembler @@ -877,12 +1442,11 @@ */ static void _Unified2LogStreamAlert(Packet *p, char *msg, Unified2Config *config, Event *event) { - Unified2LogStreamCallbackData unifiedData; - Unified2Packet logheader; - int once = 0; + Unified2LogCallbackData unifiedData; + Serial_Unified2Packet logheader; logheader.sensor_id = 0; - logheader.linktype = htonl(datalink); + logheader.linktype = config->base_proto; /* setup the event header */ if (event != NULL) 
@@ -900,7 +1464,23 @@ unifiedData.logheader = &logheader; unifiedData.config = config; unifiedData.event = event; - unifiedData.once = once; + unifiedData.num_bytes = 0; + + if ((p != NULL) && (p->pkt != NULL) && (p->pkth != NULL) + && obApi->payloadObfuscationRequired(p)) + { + if (obApi->obfuscatePacketStreamSegments(p, Unified2LogObfuscationCallback, + (void *)&unifiedData) == OB_RET_SUCCESS) + { + /* Write the last record */ + if (unifiedData.num_bytes != 0) + Unified2Write(write_pkt_buffer, unifiedData.num_bytes, config); + return; + } + + /* Reset since we failed */ + unifiedData.num_bytes = 0; + } stream_api->traverse_reassembled(p, Unified2LogStreamCallback, &unifiedData); } @@ -908,9 +1488,9 @@ /* * Function: Unified2ParseArgs(char *) * - * Purpose: Process the preprocessor arguements from the rules file and + * Purpose: Process the preprocessor arguements from the rules file and * initialize the preprocessor's data struct. This function doesn't - * have to exist if it makes sense to parse the args in the init + * have to exist if it makes sense to parse the args in the init * function. * * Arguments: args => argument list @@ -941,9 +1521,9 @@ char *index = toks[i]; while(isspace((int)*index)) ++index; - + stoks = mSplit(index, " \t", 2, &num_stoks, 0); - + if(strcasecmp("filename", stoks[0]) == 0) { if(num_stoks > 1 && config->base_filename == NULL) @@ -958,7 +1538,7 @@ if ((num_stoks > 1) && (config->limit == 0)) { - config->limit = strtoul(stoks[1], &end, 10); + config->limit = SnortStrtoul(stoks[1], &end, 10); if ((stoks[1] == end) || (errno == ERANGE)) { FatalError("Argument Error in %s(%i): %s\n", @@ -1005,7 +1585,7 @@ } else if (config->limit > 512) { - LogMessage("spo_unified2 %s(%d)=> Lowering limit of %iMB to 512MB\n", + LogMessage("spo_unified2 %s(%d)=> Lowering limit of %iMB to 512MB\n", file_name, file_line, config->limit); config->limit = 512; } 
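Review bot: The new obfuscation path in `_Unified2LogStreamAlert` also fails open: when `obfuscatePacketStreamSegments()` does not return `OB_RET_SUCCESS`, `num_bytes` is reset and `stream_api->traverse_reassembled()` logs every segment unobfuscated. The reset only discards the buffered tail; records the callback already passed to `Unified2Write()` stay in the file, so a reader sees obfuscated copies of the early segments followed by clear-text copies of the whole stream. Consider returning after an `ErrorMessage()` instead of falling through, or state in the `/* Reset since we failed */` comment that clear-text fallback is the intended policy. The function starts before this hunk.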
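Review bot: The `limit` parsing in `Unified2ParseArgs` now calls `SnortStrtoul(stoks[1], &end, 10)` but the check after it still tests only `stoks[1] == end` and `errno == ERANGE`: nothing visible resets `errno` before the call (unless `SnortStrtoul` does so internally, which this hunk does not show), so a stale `ERANGE` from an earlier call would reject a valid value, and trailing garbage such as `limit 128MB` is silently accepted as 128 because `*end` is never examined. Suggest `errno = 0;` before the call and `if ((stoks[1] == end) || (*end != '\0') || (errno == ERANGE))` as the condition. The enclosing function starts and ends outside this hunk.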
@@ -1062,6 +1642,7 @@ DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "SpoUnified2: Restart\n");); + log_config = alert_config = NULL; /* free up initialized memory */ if (config != NULL) { @@ -1079,12 +1660,26 @@ static void Unified2AlertInit(char *args) { Unified2Config *config; + int signal = 0; DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Output: Unified2 Alert Initialized\n");); /* parse the argument list from the rules file */ config = Unified2ParseArgs(args, "snort-unified.alert"); + alert_config = config; + + if(log_config && log_config->base_filename) + { + if(strcmp(config->base_filename, log_config->base_filename) == 0) + { + Unified2CleanExit(signal , (void *)log_config); + Unified2CleanExit(signal, (void *)config); + FatalError("Argument Error in %s(%i). Cannot reuse the filename in config option '%s'\n", + file_name, file_line, "alert_unified2"); + } + } + /* Set the preprocessor function into the function list */ AddFuncToOutputList(Unified2LogAlert, OUTPUT_TYPE__ALERT, config); AddFuncToCleanExitList(Unified2CleanExit, config); @@ -1096,12 +1691,26 @@ static void Unified2LogInit(char *args) { Unified2Config *config; + int signal = 0; DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Output: Unified2 Log Initialized\n");); /* parse the argument list from the rules file */ config = Unified2ParseArgs(args, "snort-unified.log"); + log_config = config; + + if(alert_config && alert_config->base_filename) + { + if(strcmp(config->base_filename, alert_config->base_filename) == 0) + { + Unified2CleanExit(signal, (void *)alert_config); + Unified2CleanExit(signal, (void *)config); + FatalError("Argument Error in %s(%i). Cannot reuse the filename in config option '%s'\n", + file_name, file_line, "log_unified2"); + } + } + //LogMessage("Unified2LogFilename = %s\n", Unified2Info->filename); /* Set the preprocessor function into the function list */ 
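Review bot: In `Unified2AlertInit`, the duplicate-filename branch calls `Unified2CleanExit(signal, (void *)log_config)` on a config that `Unified2LogInit` already registered with `AddFuncToCleanExitList()`; if `FatalError()` runs the registered clean-exit list before exiting, `log_config` is cleaned up twice, and in any case both globals are left pointing at freed memory. Cleaning up only the config parsed in this call, e.g. `Unified2CleanExit(signal, (void *)config);` alone, and leaving the other to its registered handler avoids that. The same block is duplicated verbatim in `Unified2LogInit` in the next hunk; a small static helper taking the two configs and the option name would keep them in step. The `strcmp()` also only catches byte-identical strings, so `foo` and `./foo` still end up in the same file.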
@@ -1122,7 +1731,7 @@ * writes sometimes fail and leave the unified2 file corrupted. If the write * to the newly created unified2 file fails, Snort will fatal error. * - * In the case of interrupt errors, the write is retried, but only for a + * In the case of interrupt errors, the write is retried, but only for a * finite number of times. * * All other errors are treated as non-recoverable and Snort will fatal error. @@ -1161,7 +1770,7 @@ int max_retries = 3; /* On iterations other than the first, the only non-zero error will be - * EINTR or interrupt. Only iterate a maximum of max_retries times so + * EINTR or interrupt. Only iterate a maximum of max_retries times so * there is no chance of infinite looping if for some reason the write * is constantly interrupted */ while ((error != 0) && (max_retries != 0)) diff -Nru snort-2.8.5.2/src/output-plugins/spo_unified2.h snort-2.9.2/src/output-plugins/spo_unified2.h --- snort-2.8.5.2/src/output-plugins/spo_unified2.h 2009-07-07 15:37:07.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_unified2.h 2011-11-21 20:15:24.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify 
@@ -33,139 +33,39 @@ #include "decode.h" /* for struct in6_addr -- maybe move to sf_types.h? */ #include "sf_types.h" -/* ------------------ Data structures --------------------------*/ - -/* Each unified 2 record will start out with one of these */ -typedef struct _Unified2RecordHeader -{ - uint32_t type; /* Type of header. A set most-significant - bit indicates presence of extended header */ - uint32_t length; - -} Unified2RecordHeader; - -/* The Unified2Event and Unified2Packet structures below are copied from the - * original unified 2 library, sfunified2 */ -typedef struct _Unified2Event -{ - uint32_t sensor_id; - uint32_t event_id; - uint32_t event_second; - uint32_t event_microsecond; - uint32_t signature_id; - uint32_t generator_id; - uint32_t signature_revision; - uint32_t classification_id; - uint32_t priority_id; - uint32_t ip_source; - uint32_t ip_destination; - uint16_t sport_itype; - uint16_t dport_icode; - uint8_t protocol; - uint8_t packet_action; - uint16_t pad; /* restore 4 byte alignment */ -} Unified2Event; - -typedef struct _Unified2Event_v2 +typedef struct _PESessionEndRecord { - uint32_t sensor_id; - uint32_t event_id; - uint32_t event_second; - uint32_t event_microsecond; - uint32_t signature_id; - uint32_t generator_id; - uint32_t signature_revision; - uint32_t classification_id; - uint32_t priority_id; - uint32_t ip_source; - uint32_t ip_destination; - uint16_t sport_itype; - uint16_t dport_icode; - uint8_t protocol; - uint8_t packet_action; - uint16_t pad; /* restore 4 byte alignment */ - uint32_t mpls_label; - uint16_t vlanId; - uint16_t configPolicyId; + uint32_t sensorId; + uint8_t ingressZone[16]; + uint8_t egressZone[16]; + uint8_t ingressIntf[16]; + uint8_t egressIntf[16]; + uint8_t initiatorIp[16]; + uint8_t responderIp[16]; + uint8_t policyRevision[16]; + uint32_t policyengine_ruleId; + uint32_t policyengine_ruleAction; + uint16_t initiatorPort; + uint16_t responderPort; + uint16_t tcpFlags; + uint8_t protocol; + uint8_t padding; 
+ uint8_t netflowSource[16]; + uint32_t firstPktsecond; + uint32_t lastPktsecond; + uint64_t initiatorPkts; + uint64_t responderPkts; + uint64_t initiatorBytes; + uint64_t responderBytes; + uint32_t appProtoId; + uint32_t webAppId; + uint32_t userId; + uint32_t urlCategory; + uint32_t urlReputation; + uint32_t clientId; -} Unified2Event_v2; - -typedef struct _Unified2Event6 -{ - uint32_t sensor_id; - uint32_t event_id; - uint32_t event_second; - uint32_t event_microsecond; - uint32_t signature_id; - uint32_t generator_id; - uint32_t signature_revision; - uint32_t classification_id; - uint32_t priority_id; - struct in6_addr ip_source; - struct in6_addr ip_destination; - uint16_t sport_itype; - uint16_t dport_icode; - uint8_t protocol; - uint8_t packet_action; - uint16_t pad; /* restore 4 byte alignment */ - -} Unified2Event6; - -/**UnifiedEvent version 2 includes mpls tag, vlan tag and policy id in additional - * to data contained in version 1. Version 2 will be used only when either vlan or - * mpls tag is enabled using unified2 configuration. 
- */ -typedef struct _Unified2Event6_v2 -{ - uint32_t sensor_id; - uint32_t event_id; - uint32_t event_second; - uint32_t event_microsecond; - uint32_t signature_id; - uint32_t generator_id; - uint32_t signature_revision; - uint32_t classification_id; - uint32_t priority_id; - struct in6_addr ip_source; - struct in6_addr ip_destination; - uint16_t sport_itype; - uint16_t dport_icode; - uint8_t protocol; - uint8_t packet_action; - uint16_t pad; /* restore 4 byte alignment */ - uint32_t mpls_label; - uint16_t vlanId; - uint16_t configPolicyId; - -} Unified2Event6_v2; - -typedef struct _Unified2Packet -{ - uint32_t sensor_id; - uint32_t event_id; - uint32_t event_second; - uint32_t packet_second; - uint32_t packet_microsecond; - uint32_t linktype; - uint32_t packet_length; - uint8_t packet_data[4]; /* For debugging */ -} Unified2Packet; +} PESessionRecord; void Unified2Setup(void); -/* XXX Remove these when the real Unified 2 header becomes available */ -#define UNIFIED2_EVENT 1 -#define UNIFIED2_PACKET 2 -#define UNIFIED2_IDS_EVENT 7 -#define UNIFIED2_EVENT_EXTENDED 66 -#define UNIFIED2_PERFORMANCE 67 -#define UNIFIED2_PORTSCAN 68 -#define UNIFIED2_IDS_EVENT_IPV6 72 -#define UNIFIED2_IDS_EVENT_MPLS 99 -#define UNIFIED2_IDS_EVENT_IPV6_MPLS 100 - -//version 2 -#define UNIFIED2_IDS_EVENT_V2 104 -#define UNIFIED2_IDS_EVENT_IPV6_V2 105 - #endif /* __SPO_UNIFIED_H__ */ diff -Nru snort-2.8.5.2/src/output-plugins/spo_unified.c snort-2.9.2/src/output-plugins/spo_unified.c --- snort-2.8.5.2/src/output-plugins/spo_unified.c 2009-08-10 20:41:52.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_unified.c 2011-06-08 00:33:16.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2005-2009 Sourcefire, Inc. +** Copyright (C) 2005-2011 Sourcefire, Inc. ** Copyright (C) 1998-2005 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify 
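Review bot: `PESessionRecord` in spo_unified2.h has `uint64_t` members (`initiatorPkts` onward) following fields whose natural offset (156 by my count) is not 8-aligned, so the compiler inserts padding before `initiatorPkts` on ABIs that align `uint64_t` to 8 bytes (x86-64, size 216) but not on i386 (size 212), and `sizeof(PESessionRecord)` differs between builds. If this record is written to the unified2 file as a raw struct (the writer is not in this hunk), the on-disk format becomes architecture-dependent and a reader on the other arch misparses every field after `lastPktsecond`. Either serialise field by field, pack the struct with the compiler's pragma/attribute, or pin the intent with a compile-time size check next to the typedef such as `typedef char pe_session_record_size_check[(sizeof(PESessionRecord) == 212) ? 1 : -1];` (adjust the constant if padding is wanted). The tag `_PESessionEndRecord` versus the typedef name `PESessionRecord` also reads as a leftover from a rename.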
@@ -20,14 +20,14 @@ /* $Id$ */ -/* spo_unified - * +/* spo_unified + * * Purpose: * * This plugin generates the new unified alert and logging formats * * Arguments: - * + * * filename of the alert and log spools * * Effect: @@ -51,18 +51,23 @@ #endif #include #include +#include +#include "spo_unified.h" #include "decode.h" #include "rules.h" +#include "treenodes.h" #include "util.h" #include "plugbase.h" #include "spo_plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "mstring.h" #include "event.h" #include "generators.h" -#include "bounds.h" +#include "snort_bounds.h" +#include "sfdaq.h" +#include "detect.h" #include "snort.h" #include "pcap_pkthdr32.h" @@ -70,26 +75,17 @@ /* For the traversal of reassembled packets */ #include "stream_api.h" -#ifdef GIDS -#include "inline.h" -#endif - #define SNORT_MAGIC 0xa1b2c3d4 #define ALERT_MAGIC 0xDEAD4137 /* alert magic, just accept it */ #define LOG_MAGIC 0xDEAD1080 /* log magic, what's 31337-speak for G? */ #define SNORT_VERSION_MAJOR 1 #define SNORT_VERSION_MINOR 2 -/* From fpdetect.c, for logging reassembled packets */ -extern uint16_t event_id; -extern SnortConfig *snort_conf; -extern int pcap_snaplen; - /* file header for snort unified format log files * * Identical to pcap file header, used for portability where the libpcap * might not be used after the pa_engine code becomes available - */ + */ typedef struct _UnifiedLogFileHeader { uint32_t magic; @@ -109,10 +105,10 @@ uint32_t timezone; } UnifiedAlertFileHeader; -/* unified log packet header format +/* unified log packet header format * - * One of these per packet in the log file, the packets are appended in the - * file after each UnifiedLog header (extended pcap format) + * One of these per packet in the log file, the packets are appended in the + * file after each UnifiedLog header (extended pcap format) */ typedef struct _UnifiedLog { 
@@ -154,12 +150,6 @@ /* ----------------External variables -------------------- */ extern OptTreeNode *otn_tmp; -#ifdef GIDS -#ifndef IPFW -extern ipq_packet_msg_t *g_m; -#endif -#endif - /* ------------------ Data structures --------------------------*/ typedef struct _UnifiedConfig { @@ -188,11 +178,6 @@ #define UNIFIED_TYPE_PACKET_ALERT 0x2 #define UNIFIED_TYPE_IPV6_ALERT 0x3 -/* -------------------- Global Variables ----------------------*/ -#ifdef GIDS -EtherHdr g_ethernet; -#endif - /* -------------------- Local Functions -----------------------*/ static UnifiedConfig *UnifiedParseArgs(char *, char *); static void UnifiedCleanExit(int, void *); @@ -205,13 +190,13 @@ static void UnifiedRotateFile(UnifiedConfig *); static void UnifiedLogAlert(Packet *, char *, void *, Event *); static void UnifiedLogPacketAlert(Packet *, char *, void *, Event *); -static void RealUnifiedLogAlert(Packet *, char *, void *, Event *, +static void RealUnifiedLogAlert(Packet *, char *, void *, Event *, DataHeader *); -static void RealUnifiedLogAlert6(Packet *, char *, void *, Event *, +static void RealUnifiedLogAlert6(Packet *, char *, void *, Event *, DataHeader *); -static void RealUnifiedLogPacketAlert(Packet *, char *, void *, Event *, +static void RealUnifiedLogPacketAlert(Packet *, char *, void *, Event *, DataHeader *); -void RealUnifiedLogStreamAlert(Packet *,char *,void *,Event *,DataHeader *); +static void RealUnifiedLogStreamAlert(Packet *,char *,void *,Event *,DataHeader *); static void UnifiedRotateFile(UnifiedConfig *data); /* Unified Alert functions (deprecated) */ 
@@ -226,16 +211,18 @@ static void UnifiedInitLogFile(UnifiedConfig *); static void OldUnifiedLogPacketAlert(Packet *, char *, void *, Event *); static void UnifiedLogRotateFile(UnifiedConfig *data); +static int UnifiedFirstPacketCallback(DAQ_PktHdr_t *pkth, + uint8_t *packet_data, void *userdata); /* Used for buffering header and payload of unified records so only one * write is necessary. */ -static char write_pkt_buffer[sizeof(DataHeader) + +static char write_pkt_buffer[sizeof(DataHeader) + sizeof(UnifiedLog) + IP_MAXPACKET]; /* * Function: SetupUnified() * - * Purpose: Registers the output plugin keyword and initialization + * Purpose: Registers the output plugin keyword and initialization * function into the output plugin list. This is the function that * gets called from InitOutputPlugins() in plugbase.c. * @@ -246,7 +233,7 @@ */ void UnifiedSetup(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ RegisterOutputPlugin("log_unified", OUTPUT_TYPE_FLAG__LOG, UnifiedLogInit); RegisterOutputPlugin("alert_unified", OUTPUT_TYPE_FLAG__ALERT, UnifiedAlertInit); @@ -289,9 +276,9 @@ /* * Function: InitOutputFile() * - * Purpose: Initialize the unified ouput file + * Purpose: Initialize the unified ouput file * - * Arguments: data => pointer to the plugin's reference data struct + * Arguments: data => pointer to the plugin's reference data struct * * Returns: void function */ 
@@ -308,21 +295,21 @@ if(data == NULL) FatalError("SpoUnified: Unable to get context data\n"); - if(data->nostamp) + if(data->nostamp) { if(*(data->filename) == '/') value = SnortSnprintf(logdir, STD_BUF, "%s", data->filename); else - value = SnortSnprintf(logdir, STD_BUF, "%s/%s", snort_conf->log_dir, + value = SnortSnprintf(logdir, STD_BUF, "%s/%s", snort_conf->log_dir, data->filename); } - else + else { if(*(data->filename) == '/') - value = SnortSnprintf(logdir, STD_BUF, "%s.%lu", data->filename, + value = SnortSnprintf(logdir, STD_BUF, "%s.%u", data->filename, (uint32_t)curr_time); else - value = SnortSnprintf(logdir, STD_BUF, "%s/%s.%lu", snort_conf->log_dir, + value = SnortSnprintf(logdir, STD_BUF, "%s/%s.%u", snort_conf->log_dir, data->filename, (uint32_t)curr_time); } @@ -358,25 +345,25 @@ void UnifiedLogAlert(Packet *p, char *msg, void *arg, Event *event) { DataHeader dHdr; - + /* check for a pseudo-packet, we don't want to log those */ if(IS_IP4(p)) { dHdr.type = UNIFIED_TYPE_ALERT; dHdr.length = sizeof(UnifiedAlert); - + RealUnifiedLogAlert(p, msg, arg, event, &dHdr); } else { dHdr.type = UNIFIED_TYPE_IPV6_ALERT; dHdr.length = sizeof(UnifiedIPv6Alert); - + RealUnifiedLogAlert6(p, msg, arg, event, &dHdr); } } - -int UnifiedFirstPacketCallback(struct pcap_pkthdr *pkth, + +static int UnifiedFirstPacketCallback(DAQ_PktHdr_t *pkth, uint8_t *packet_data, void *userdata) { UnifiedAlert *alertdata = (UnifiedAlert*)userdata; @@ -386,13 +373,13 @@ { alertdata->ts.tv_sec = (uint32_t)pkth->ts.tv_sec; alertdata->ts.tv_usec = (uint32_t)pkth->ts.tv_usec; - } + } /* return non-zero so we only do this once */ return 1; } -void RealUnifiedLogAlert(Packet *p, char *msg, void *arg, Event *event, +static void RealUnifiedLogAlert(Packet *p, char *msg, void *arg, Event *event, DataHeader *dHdr) { UnifiedConfig *data = (UnifiedConfig *)arg; 
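Review bot: The comment `/* check for a pseudo-packet, we don't want to log those */` at the top of `UnifiedLogAlert` in the `@@ -358,25 +345,25 @@` hunk does not describe the code under it, which performs no such check and simply dispatches on `IS_IP4(p)`; the hunk re-touched this function without updating it. Suggest `/* pick the record type by IP version; nothing is filtered here */`, or add the pseudo-packet check the comment promises if one was intended. In the `@@ -308,21 +295,21 @@` hunk, `%u` now matches `(uint32_t)curr_time` only where `uint32_t` is `unsigned int`; `"%" PRIu32` from `<inttypes.h>` is the portable spelling.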
@@ -418,10 +405,10 @@ { alertdata.ts.tv_sec = (uint32_t)p->pkth->ts.tv_sec; alertdata.ts.tv_usec = (uint32_t)p->pkth->ts.tv_usec; - + if((p->packet_flags & PKT_REBUILT_STREAM) && stream_api) { - DEBUG_WRAP(DebugMessage(DEBUG_LOG, "man:Logging rebuilt stream data.\n");); + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "man:Logging rebuilt stream data.\n");); stream_api->traverse_reassembled(p, UnifiedFirstPacketCallback, &alertdata); @@ -449,7 +436,7 @@ alertdata.flags = p->packet_flags; } } - + /* backward compatibility stuff */ if(dHdr == NULL) { @@ -468,7 +455,7 @@ FatalError("SpoUnified: write failed: %s\n", strerror(errno)); data->current += sizeof(DataHeader); } - + if(fwrite((char *)&alertdata, sizeof(UnifiedAlert), 1, data->stream) != 1) FatalError("SpoUnified: write failed: %s\n", strerror(errno)); @@ -477,7 +464,7 @@ data->current += sizeof(UnifiedAlert); } -void RealUnifiedLogAlert6(Packet *p, char *msg, void *arg, Event *event, +static void RealUnifiedLogAlert6(Packet *p, char *msg, void *arg, Event *event, DataHeader *dHdr) { UnifiedConfig *data = (UnifiedConfig *)arg; @@ -503,10 +490,10 @@ { alertdata.ts.tv_sec = (uint32_t)p->pkth->ts.tv_sec; alertdata.ts.tv_usec = (uint32_t)p->pkth->ts.tv_usec; - + if((p->packet_flags & PKT_REBUILT_STREAM) && stream_api) { - DEBUG_WRAP(DebugMessage(DEBUG_LOG, "man:Logging rebuilt stream data.\n");); + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "man:Logging rebuilt stream data.\n");); stream_api->traverse_reassembled(p, UnifiedFirstPacketCallback, &alertdata); @@ -534,7 +521,7 @@ alertdata.flags = p->packet_flags; } } - + /* backward compatibility stuff */ if(dHdr == NULL) { @@ -553,7 +540,7 @@ FatalError("SpoUnified: write failed: %s\n", strerror(errno)); data->current += sizeof(DataHeader); } - + if(fwrite((char *)&alertdata, sizeof(UnifiedIPv6Alert), 1, data->stream) != 1) FatalError("SpoUnified: write failed: %s\n", strerror(errno)); 
@@ -568,10 +555,10 @@ DataHeader dHdr; dHdr.type = UNIFIED_TYPE_PACKET_ALERT; dHdr.length = sizeof(UnifiedLog); - + if(p->packet_flags & PKT_REBUILT_STREAM) { - DEBUG_WRAP(DebugMessage(DEBUG_LOG, + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "[*] Reassembled packet, dumping stream packets\n");); RealUnifiedLogStreamAlert(p, msg, arg, event, &dHdr); } @@ -619,14 +606,14 @@ { logheader.flags = p->packet_flags; - /* + /* * this will have to be fixed when we transition to the pa_engine * code (p->pkth is libpcap specific) - */ + */ logheader.pkth.ts.tv_sec = (uint32_t)p->pkth->ts.tv_sec; logheader.pkth.ts.tv_usec = (uint32_t)p->pkth->ts.tv_usec; logheader.pkth.caplen = p->pkth->caplen; - logheader.pkth.pktlen = p->pkth->len; + logheader.pkth.len = p->pkth->pktlen; } else 
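Review bot: The comment re-wrapped in the `@@ -619,14 +606,14 @@` hunk of `RealUnifiedLogPacketAlert`, `this will have to be fixed when we transition to the pa_engine code (p->pkth is libpcap specific)`, is now stale: the same hunk switches the access to `p->pkth->pktlen`, i.e. `p->pkth` is the DAQ header this commit migrates to, not a libpcap one. Suggest `/* p->pkth is the DAQ packet header; copy its fields into the on-disk pcap-style header */` or dropping it. The member names also swap places, `logheader.pkth.len` now receives `p->pkth->pktlen` where before `logheader.pkth.pktlen` received `p->pkth->len`, which is easy to transpose and deserves a one-line comment at the assignment. The function body extends beyond the hunk.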
@@ -635,55 +622,55 @@ logheader.pkth.ts.tv_sec = 0; logheader.pkth.ts.tv_usec = 0; logheader.pkth.caplen = 0; - logheader.pkth.pktlen = 0; + logheader.pkth.len = 0; } - + /* backward compatibility stuff */ if(dHdr == NULL) { - if((data->current + sizeof(UnifiedLog) + logheader.pkth.caplen) > + if((data->current + sizeof(UnifiedLog) + logheader.pkth.caplen) > data->limit) UnifiedLogRotateFile(data); } else - { - if((data->current + sizeof(UnifiedLog) + sizeof(DataHeader) + { + if((data->current + sizeof(UnifiedLog) + sizeof(DataHeader) + logheader.pkth.caplen) > data->limit) UnifiedRotateFile(data); } if(dHdr) { SafeMemcpy(write_pkt_buffer, dHdr, sizeof(DataHeader), - write_pkt_buffer, write_pkt_buffer + + write_pkt_buffer, write_pkt_buffer + sizeof(DataHeader) + sizeof(UnifiedLog) + IP_MAXPACKET); data->current += sizeof(DataHeader); offset = sizeof(DataHeader); } - + SafeMemcpy(write_pkt_buffer + offset, &logheader, sizeof(UnifiedLog), - write_pkt_buffer, write_pkt_buffer + + write_pkt_buffer, write_pkt_buffer + sizeof(DataHeader) + sizeof(UnifiedLog) + IP_MAXPACKET); data->current += sizeof(UnifiedLog); offset += sizeof(UnifiedLog); - + if(p) { SafeMemcpy(write_pkt_buffer + offset, p->pkt, p->pkth->caplen, - write_pkt_buffer, write_pkt_buffer + + write_pkt_buffer, write_pkt_buffer + sizeof(DataHeader) + sizeof(UnifiedLog) + IP_MAXPACKET); - if(fwrite(write_pkt_buffer, offset + p->pkth->caplen, + if(fwrite(write_pkt_buffer, offset + p->pkth->caplen, 1, data->stream) != 1) FatalError("SpoUnified: write failed: %s\n", strerror(errno)); data->current += p->pkth->caplen; } - else + else { - if(fwrite(write_pkt_buffer, sizeof(DataHeader) + + if(fwrite(write_pkt_buffer, sizeof(DataHeader) + sizeof(UnifiedLog), 1, data->stream) != 1) FatalError("SpoUnified: write failed: %s\n", strerror(errno)); } 
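Review bot: In `RealUnifiedLogPacketAlert`, the packet copy `SafeMemcpy(write_pkt_buffer + offset, p->pkt, p->pkth->caplen, ...)` ignores its return value and the following `fwrite(write_pkt_buffer, offset + p->pkth->caplen, 1, data->stream)` uses `caplen` regardless, unlike the spo_unified2.c counterparts in this same diff which bail on anything but `SAFEMEM_SUCCESS`. If the DAQ ever delivers a `caplen` larger than `IP_MAXPACKET` (the buffer is `sizeof(DataHeader) + sizeof(UnifiedLog) + IP_MAXPACKET`), the copy is refused but `fwrite` still reads `offset + caplen` bytes, past the end of `write_pkt_buffer`, into the log. Suggest gating the write on the copy result, e.g. `if (SafeMemcpy(...) != SAFEMEM_SUCCESS) { ErrorMessage("SpoUnified: packet too large, not logged\n"); return; }`; the `dHdr` and `logheader` copies above have the same unchecked pattern. The function starts before this hunk.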
@@ -704,7 +691,7 @@ * Callback for the Stream reassembler to log packets * */ -int UnifiedLogStreamCallback(struct pcap_pkthdr *pkth, +int UnifiedLogStreamCallback(DAQ_PktHdr_t *pkth, uint8_t *packet_data, void *userdata) { UnifiedLogStreamCallbackData *unifiedData; @@ -719,22 +706,22 @@ unifiedData->logheader->pkth.ts.tv_sec = (uint32_t)pkth->ts.tv_sec; unifiedData->logheader->pkth.ts.tv_usec = (uint32_t)pkth->ts.tv_usec; unifiedData->logheader->pkth.caplen = (uint32_t)pkth->caplen; - unifiedData->logheader->pkth.pktlen = (uint32_t)pkth->len; + unifiedData->logheader->pkth.len = (uint32_t)pkth->pktlen; /* backward compatibility stuff */ if(unifiedData->dHdr == NULL) { if((unifiedData->data->current + sizeof(UnifiedLog)+ - unifiedData->logheader->pkth.caplen) > + unifiedData->logheader->pkth.caplen) > unifiedData->data->limit) { UnifiedLogRotateFile(unifiedData->data); } } else - { - if((unifiedData->data->current + sizeof(UnifiedLog) + sizeof(DataHeader) + { + if((unifiedData->data->current + sizeof(UnifiedLog) + sizeof(DataHeader) + unifiedData->logheader->pkth.caplen) > unifiedData->data->limit) UnifiedRotateFile(unifiedData->data); } @@ -750,9 +737,9 @@ unifiedData->data->current += sizeof(DataHeader); } - SafeMemcpy(write_pkt_buffer + offset, unifiedData->logheader, - sizeof(UnifiedLog), write_pkt_buffer, - write_pkt_buffer + sizeof(DataHeader) + + SafeMemcpy(write_pkt_buffer + offset, unifiedData->logheader, + sizeof(UnifiedLog), write_pkt_buffer, + write_pkt_buffer + sizeof(DataHeader) + sizeof(UnifiedLog) + IP_MAXPACKET); offset += sizeof(UnifiedLog); @@ -761,9 +748,9 @@ if(packet_data) { - SafeMemcpy(write_pkt_buffer + offset, packet_data, + SafeMemcpy(write_pkt_buffer + offset, packet_data, offset + unifiedData->logheader->pkth.caplen, - write_pkt_buffer, write_pkt_buffer + + write_pkt_buffer, write_pkt_buffer + sizeof(DataHeader) + sizeof(UnifiedLog) + IP_MAXPACKET); if(fwrite(write_pkt_buffer, offset + unifiedData->logheader->pkth.caplen, 
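Review bot: In `UnifiedLogStreamCallback` (`@@ -761,9 +748,9 @@`), the copy of the segment payload passes `offset + unifiedData->logheader->pkth.caplen` as the number of bytes to take from `packet_data`, but only `caplen` bytes of payload exist there; the `offset` header bytes are already in `write_pkt_buffer`. The call therefore reads `sizeof(DataHeader) + sizeof(UnifiedLog)` bytes past the end of the reassembled segment (or is rejected by the bounds check when `caplen` is near `IP_MAXPACKET`, after which `fwrite` still emits `offset + caplen` bytes), and the over-read bytes land in the log file. The length argument should be `unifiedData->logheader->pkth.caplen` alone, and as in the sibling function the `SafeMemcpy` result should gate the `fwrite`. The commit only re-wrapped this statement, so the defect predates it; the function starts before this hunk.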
@@ -772,7 +759,7 @@ unifiedData->data->current += unifiedData->logheader->pkth.caplen; } - else + else { if(fwrite(write_pkt_buffer, offset, 1, unifiedData->data->stream) != 1) @@ -787,7 +774,7 @@ unifiedData->logheader->event.sig_rev = 1; unifiedData->logheader->event.classification = 0; unifiedData->logheader->event.priority = unifiedData->event->priority; - /* Note that event_id is now incorrect. + /* Note that event_id is now incorrect. * See OldUnifiedLogPacketAlert() for details. */ } @@ -799,7 +786,7 @@ * Log a set of packets stored in the stream reassembler * */ -void RealUnifiedLogStreamAlert(Packet *p, char *msg, void *arg, Event *event, +static void RealUnifiedLogStreamAlert(Packet *p, char *msg, void *arg, Event *event, DataHeader *dHdr) { UnifiedLogStreamCallbackData unifiedData; @@ -817,7 +804,7 @@ logheader.event.priority = event->priority; logheader.event.event_id = event->event_id; logheader.event.event_reference = event->event_reference; - /* Note that ref_time is probably incorrect. + /* Note that ref_time is probably incorrect. * See OldUnifiedLogPacketAlert() for details. */ logheader.event.ref_time.tv_sec = event->ref_time.tv_sec; logheader.event.ref_time.tv_usec = event->ref_time.tv_usec; @@ -829,11 +816,11 @@ DebugMessage(DEBUG_LOG, "cls: %u\n", logheader.event.classification); DebugMessage(DEBUG_LOG, "pri: %u\n", logheader.event.priority); DebugMessage(DEBUG_LOG, "eid: %u\n", logheader.event.event_id); - DebugMessage(DEBUG_LOG, "erf: %u\n", + DebugMessage(DEBUG_LOG, "erf: %u\n", logheader.event.event_reference); - DebugMessage(DEBUG_LOG, "sec: %lu\n", + DebugMessage(DEBUG_LOG, "sec: %lu\n", logheader.event.ref_time.tv_sec); - DebugMessage(DEBUG_LOG, "usc: %lu\n", + DebugMessage(DEBUG_LOG, "usc: %lu\n", logheader.event.ref_time.tv_usec);); } 
@@ -847,16 +834,16 @@ unifiedData.once = once; stream_api->traverse_reassembled(p, UnifiedLogStreamCallback, &unifiedData); } - + fflush(data->stream); } /* * Function: UnifiedParseArgs(char *) * - * Purpose: Process the preprocessor arguements from the rules file and + * Purpose: Process the preprocessor arguements from the rules file and * initialize the preprocessor's data struct. This function doesn't - * have to exist if it makes sense to parse the args in the init + * have to exist if it makes sense to parse the args in the init * function. * * Arguments: args => argument list @@ -895,9 +882,9 @@ char *index = toks[i]; while(isspace((int)*index)) ++index; - + stoks = mSplit(index, " \t", 2, &num_stoks, 0); - + if(strcasecmp("filename", stoks[0]) == 0) { if(num_stoks > 1 && tmp->filename == NULL) @@ -919,7 +906,7 @@ } } else if(strcasecmp("nostamp", stoks[0]) == 0) - { + { tmp->nostamp = 1; } else @@ -927,7 +914,7 @@ LogMessage("Argument Error in %s(%i): %s\n", file_name, file_line, index); } - + mSplitFree(&stoks, num_stoks); } mSplitFree(&toks, num_toks); @@ -935,7 +922,7 @@ if(tmp->filename == NULL) tmp->filename = strdup(default_filename); - + //LogMessage("limit == %i\n", limit); if(limit <= 0) @@ -1028,7 +1015,7 @@ * * Purpose: Initialize the unified log alert file * - * Arguments: data => pointer to the plugin's reference data struct + * Arguments: data => pointer to the plugin's reference data struct * * Returns: void function */ 
@@ -1042,22 +1029,21 @@ bzero(logdir, STD_BUF); curr_time = time(NULL); - if(data->nostamp) + if(data->nostamp) { if(data->filename[0] == '/') - value = SnortSnprintf(logdir, STD_BUF, "%s", data->filename, - (uint32_t)curr_time); + value = SnortSnprintf(logdir, STD_BUF, "%s", data->filename); else - value = SnortSnprintf(logdir, STD_BUF, "%s/%s", snort_conf->log_dir, - data->filename, (uint32_t)curr_time); + value = SnortSnprintf(logdir, STD_BUF, "%s/%s", snort_conf->log_dir, + data->filename); } else { if(data->filename[0] == '/') - value = SnortSnprintf(logdir, STD_BUF, "%s.%lu", data->filename, + value = SnortSnprintf(logdir, STD_BUF, "%s.%u", data->filename, (uint32_t)curr_time); else - value = SnortSnprintf(logdir, STD_BUF, "%s/%s.%lu", snort_conf->log_dir, + value = SnortSnprintf(logdir, STD_BUF, "%s/%s.%u", snort_conf->log_dir, data->filename, (uint32_t)curr_time); } @@ -1083,19 +1069,19 @@ { FatalError("UnifiedAlertInit(): %s\n", strerror(errno)); } - + fflush(data->stream); return; } -void OldUnifiedLogAlert(Packet *p, char *msg, void *arg, Event *event) +static void OldUnifiedLogAlert(Packet *p, char *msg, void *arg, Event *event) { RealUnifiedLogAlert(p, msg, arg, event, NULL); } -void UnifiedAlertRotateFile(UnifiedConfig *data) +static void UnifiedAlertRotateFile(UnifiedConfig *data) { fclose(data->stream); @@ -1105,7 +1091,7 @@ /* Unified Packet Log functions (deprecated) */ -void UnifiedLogInit(char *args) +static void UnifiedLogInit(char *args) { UnifiedConfig *UnifiedInfo; 
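Review bot: The `%lu` to `%u` change in the -1042 hunk (and the identical one in the -1178 hunk) now agrees with the `(uint32_t)curr_time` argument, which is correct wherever uint32_t is unsigned int; the portable spelling is `"%s.%" PRIu32` from <inttypes.h>, and the cast itself truncates time_t, so the stamp in the log filename wraps in 2038. Dropping the surplus `(uint32_t)curr_time` arguments from the nostamp branches is a clean-up only, since the extra varargs were never consumed by `"%s"` / `"%s/%s"`. All four branches leave the SnortSnprintf status in `value`; whether it is checked for truncation is outside the hunk, and without that check an over-long `snort_conf->log_dir` or `data->filename` opens a silently shortened path. The enclosing init function starts above the hunk.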
@@ -1129,19 +1115,16 @@ { UnifiedConfig *data = (UnifiedConfig *)arg; UnifiedLogFileHeader hdr; + int datalink = DAQ_GetBaseProtocol(); /* write the log file header */ hdr.magic = LOG_MAGIC; hdr.version_major = SNORT_VERSION_MAJOR; hdr.version_minor = SNORT_VERSION_MINOR; hdr.timezone = snort_conf->thiszone; - hdr.snaplen = (uint32_t)pcap_snaplen; + hdr.snaplen = DAQ_GetSnapLen(); hdr.sigfigs = 0; - hdr.linktype = datalink; - -#ifdef GIDS - hdr.linktype = DLT_EN10MB; -#endif + hdr.linktype = (datalink == DLT_RAW) ? DLT_EN10MB : datalink; if(fwrite((char *)&hdr, sizeof(hdr), 1, data->stream) != 1) { @@ -1156,11 +1139,11 @@ * * Purpose: Initialize the unified log file header * - * Arguments: data => pointer to the plugin's reference data struct + * Arguments: data => pointer to the plugin's reference data struct * * Returns: void function */ -void UnifiedInitLogFile(UnifiedConfig *data) +static void UnifiedInitLogFile(UnifiedConfig *data) { time_t curr_time; /* place to stick the clock data */ char logdir[STD_BUF]; @@ -1178,19 +1161,18 @@ if(data->nostamp) { if(*(data->filename) == '/') - value = SnortSnprintf(logdir, STD_BUF, "%s", data->filename, - (uint32_t)curr_time); + value = SnortSnprintf(logdir, STD_BUF, "%s", data->filename); else - value = SnortSnprintf(logdir, STD_BUF, "%s/%s", snort_conf->log_dir, - data->filename, (uint32_t)curr_time); + value = SnortSnprintf(logdir, STD_BUF, "%s/%s", snort_conf->log_dir, + data->filename); } else { if(*(data->filename) == '/') - value = SnortSnprintf(logdir, STD_BUF, "%s.%lu", data->filename, + value = SnortSnprintf(logdir, STD_BUF, "%s.%u", data->filename, (uint32_t)curr_time); else - value = SnortSnprintf(logdir, STD_BUF, "%s/%s.%lu", snort_conf->log_dir, + value = SnortSnprintf(logdir, STD_BUF, "%s/%s.%u", snort_conf->log_dir, data->filename, (uint32_t)curr_time); } 
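Review bot: The new `hdr.linktype = (datalink == DLT_RAW) ? DLT_EN10MB : datalink;` in the -1129 hunk (repeated in the -1211 hunk) relabels only the DLT_RAW case, yet the per-record writers in the -1260 and -1412 hunks prepend a synthetic EtherHdr whenever `unifiedData->eh` / `p->eh` is NULL regardless of datalink, so for any other base protocol whose packets arrive without a decoded Ethernet header the file header appears to advertise the native linktype while every record carries sizeof(EtherHdr) extra bytes, and a reader of the file would misparse from the first record on. Either gate the prepend on the same `datalink == DLT_RAW` test, or map every non-Ethernet datalink to DLT_EN10MB here so header and records agree. A comment on the ternary making the coupling explicit, `/* raw packets are written behind a synthetic Ethernet header (see the *LogStreamCallback writers), so the file must claim EN10MB */`, would help the next maintainer. The enclosing function begins above the hunk.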
@@ -1211,13 +1193,9 @@ hdr.version_major = SNORT_VERSION_MAJOR; hdr.version_minor = SNORT_VERSION_MINOR; hdr.timezone = snort_conf->thiszone; - hdr.snaplen = (uint32_t)pcap_snaplen; + hdr.snaplen = DAQ_GetSnapLen(); hdr.sigfigs = 0; - hdr.linktype = datalink; - -#ifdef GIDS - hdr.linktype = DLT_EN10MB; -#endif + hdr.linktype = (datalink == DLT_RAW) ? DLT_EN10MB : datalink; if(fwrite((char *)&hdr, sizeof(hdr), 1, data->stream) != 1) { @@ -1244,7 +1222,7 @@ * Callback for the Stream reassembler to log packets * */ -int OldUnifiedLogStreamCallback(struct pcap_pkthdr *pkth, +static int OldUnifiedLogStreamCallback(DAQ_PktHdr_t *pkth, uint8_t *packet_data, void *userdata) { OldUnifiedLogStreamCallbackData *unifiedData; 
@@ -1260,65 +1238,54 @@ unifiedData->logheader->pkth.ts.tv_sec = (uint32_t)pkth->ts.tv_sec; unifiedData->logheader->pkth.ts.tv_usec = (uint32_t)pkth->ts.tv_usec; unifiedData->logheader->pkth.caplen = (uint32_t)pkth->caplen; - unifiedData->logheader->pkth.pktlen = (uint32_t)pkth->len; + unifiedData->logheader->pkth.len = (uint32_t)pkth->pktlen; -#ifdef GIDS /* - ** Add the ethernet header size to the total pktlen. - ** If the ethernet hdr is already set, then this means - ** that it's a portscan packet and we don't add the - ** ethernet header. + ** Add the ethernet header size to the total len. + ** if the ethernet header is not already set. We always + ** log the ethernet header, even for raw packets. */ if(!unifiedData->eh) { unifiedData->logheader->pkth.caplen += sizeof(EtherHdr); - unifiedData->logheader->pkth.pktlen += sizeof(EtherHdr); + unifiedData->logheader->pkth.len += sizeof(EtherHdr); } -#endif /* Set reference time equal to log time for the first packet */ if (unifiedData->first_time) - { + { unifiedData->logheader->event.ref_time.tv_sec = unifiedData->logheader->pkth.ts.tv_sec; unifiedData->logheader->event.ref_time.tv_usec = unifiedData->logheader->pkth.ts.tv_usec; - DEBUG_WRAP(DebugMessage(DEBUG_LOG, "sec: %lu\n", + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "sec: %lu\n", unifiedData->logheader->event.ref_time.tv_sec);); - DEBUG_WRAP(DebugMessage(DEBUG_LOG, "usc: %lu\n", + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "usc: %lu\n", unifiedData->logheader->event.ref_time.tv_usec);); } if(fwrite((char*)unifiedData->logheader,sizeof(UnifiedLog),1,unifiedData->data->stream) != 1) - FatalError("SpoUnified: write failed: %s\n", + FatalError("SpoUnified: write failed: %s\n", strerror(errno)); unifiedData->data->current += sizeof(UnifiedLog); if(packet_data) { -#ifdef GIDS if(!unifiedData->eh) { -#ifndef IPFW - SafeMemcpy((u_char *)g_ethernet.ether_src,g_m->hw_addr,6, - (u_char *)g_ethernet.ether_src, - (u_char *)g_ethernet.ether_src + sizeof(EtherHdr)); - memset((u_char 
*)g_ethernet.ether_dst,0x00,6); -#else - memset(g_ethernet.ether_dst,0x00,6); - memset(g_ethernet.ether_src,0x00,6); -#endif - g_ethernet.ether_type = htons(0x0800); + EtherHdr eth; + memset(eth.ether_src,0x00,6); + memset(eth.ether_dst,0x00,6); + eth.ether_type = htons(ETHERNET_TYPE_IP); - if(fwrite((char*)&g_ethernet,sizeof(EtherHdr),1,unifiedData->data->stream) != 1) + if(fwrite((char*)ð,sizeof(eth),1,unifiedData->data->stream) != 1) FatalError("SpoUnified: write failed: %s\n", strerror(errno)); unifiedData->data->current += sizeof(EtherHdr); } -#endif - + if(fwrite((char*)packet_data,pkth->caplen,1, unifiedData->data->stream) != 1) - FatalError("SpoUnified: write failed: %s\n", + FatalError("SpoUnified: write failed: %s\n", strerror(errno)); unifiedData->data->current += pkth->caplen; @@ -1326,12 +1293,12 @@ /* after the first logged packet modify the event headers */ if (unifiedData->first_time) - { + { unifiedData->logheader->event.sig_generator = GENERATOR_TAG; unifiedData->logheader->event.sig_id = TAG_LOG_PKT; unifiedData->logheader->event.sig_rev = 1; unifiedData->logheader->event.classification = 0; - unifiedData->logheader->event.priority = unifiedData->event->priority; + unifiedData->logheader->event.priority = unifiedData->event->priority; unifiedData->first_time = 0; } @@ -1349,11 +1316,11 @@ * as you like. Try not to destroy the performance of the whole * system by trying to do too much.... * - * Arguments: p => pointer to the current packet data struct + * Arguments: p => pointer to the current packet data struct * * Returns: void function */ -void OldUnifiedLogPacketAlert(Packet *p, char *msg, void *arg, Event *event) +static void OldUnifiedLogPacketAlert(Packet *p, char *msg, void *arg, Event *event) { OldUnifiedLogStreamCallbackData unifiedData; int first_time = 1; 
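Review bot: The synthetic header built in the -1260 hunk (and again in the -1446 hunk) hard-codes `ETHERNET_TYPE_IP` and uses a literal `6` in both `memset(eth.ether_src,0x00,6)` and `memset(eth.ether_dst,0x00,6)`; whether a non-IPv4 datagram can reach this path is not visible here, but if one does the record claims an IPv4 payload, and the literal should at least be `sizeof eth.ether_src`. The shorter form `EtherHdr eth; memset(&eth, 0, sizeof eth); eth.ether_type = htons(ETHERNET_TYPE_IP);` zeroes the whole struct before it is written to disk (the `(char*)ð` in the fwrite here presumably renders `&eth`). The two DEBUG_WRAP messages format `ref_time.tv_sec` / `tv_usec` with `%lu`, but this function fills those fields from `pkth.ts` members assigned under a `(uint32_t)` cast, so if the struct members are 32-bit the specifier mismatches on LP64 — debug-only, but `%u` as used for the other event fields would be consistent. OldUnifiedLogStreamCallback starts above this hunk and continues into the -1326 hunk.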
@@ -1373,19 +1340,19 @@ logheader.event.ref_time.tv_usec = event->ref_time.tv_usec; DEBUG_WRAP(DebugMessage(DEBUG_LOG, "------------\n");); - DEBUG_WRAP(DebugMessage(DEBUG_LOG, "gen: %u\n", + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "gen: %u\n", logheader.event.sig_generator);); - DEBUG_WRAP(DebugMessage(DEBUG_LOG, "sid: %u\n", + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "sid: %u\n", logheader.event.sig_id);); - DEBUG_WRAP(DebugMessage(DEBUG_LOG, "rev: %u\n", + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "rev: %u\n", logheader.event.sig_rev);); - DEBUG_WRAP(DebugMessage(DEBUG_LOG, "cls: %u\n", + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "cls: %u\n", logheader.event.classification);); - DEBUG_WRAP(DebugMessage(DEBUG_LOG, "pri: %u\n", + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "pri: %u\n", logheader.event.priority);); - DEBUG_WRAP(DebugMessage(DEBUG_LOG, "eid: %u\n", + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "eid: %u\n", logheader.event.event_id);); - DEBUG_WRAP(DebugMessage(DEBUG_LOG, "erf: %u\n", + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "erf: %u\n", logheader.event.event_reference);); DEBUG_WRAP(DebugMessage(DEBUG_LOG, "sec: %lu\n", logheader.event.ref_time.tv_sec);); @@ -1412,22 +1379,19 @@ logheader.pkth.ts.tv_sec = (uint32_t)p->pkth->ts.tv_sec; logheader.pkth.ts.tv_usec = (uint32_t)p->pkth->ts.tv_usec; logheader.pkth.caplen = p->pkth->caplen; - logheader.pkth.pktlen = p->pkth->len; + logheader.pkth.len = p->pkth->pktlen; -#ifdef GIDS /* - ** Add the ethernet header size to the total pktlen. - ** If the ethernet hdr is already set, then this means - ** that it's a portscan packet and we don't add the - ** ethernet header. + ** Add the ethernet header size to the total len. + ** if the ethernet header is not already set. We always + ** log the ethernet header, even for raw packets. */ if(!p->eh) { logheader.pkth.caplen += sizeof(EtherHdr); - logheader.pkth.pktlen += sizeof(EtherHdr); + logheader.pkth.len += sizeof(EtherHdr); } -#endif } else { 
@@ -1435,10 +1399,10 @@ logheader.pkth.ts.tv_sec = 0; logheader.pkth.ts.tv_usec = 0; logheader.pkth.caplen = 0; - logheader.pkth.pktlen = 0; + logheader.pkth.len = 0; } - if((data->current + sizeof(UnifiedLog) + logheader.pkth.caplen) > + if((data->current + sizeof(UnifiedLog) + logheader.pkth.caplen) > data->limit) UnifiedLogRotateFile(data); @@ -1446,40 +1410,31 @@ if(p) { -#ifdef GIDS if(!p->eh) { -#ifndef IPFW - SafeMemcpy((u_char *)g_ethernet.ether_src,g_m->hw_addr,6, - (u_char *)g_ethernet.ether_src, - (u_char *)g_ethernet.ether_src + sizeof(EtherHdr)); - memset((u_char *)g_ethernet.ether_dst,0x00,6); -#else - memset(g_ethernet.ether_dst,0x00,6); - memset(g_ethernet.ether_src,0x00,6); -#endif - g_ethernet.ether_type = htons(0x0800); + EtherHdr eth; + memset(eth.ether_src,0x00,6); + memset(eth.ether_dst,0x00,6); + eth.ether_type = htons(ETHERNET_TYPE_IP); - if(fwrite((char*)&g_ethernet,sizeof(EtherHdr),1,data->stream) != 1) + if(fwrite((char*)ð,sizeof(eth),1,data->stream) != 1) FatalError("SpoUnified: write failed: %s\n", strerror(errno)); data->current += sizeof(EtherHdr); } -#endif - fwrite((char*)p->pkt, p->pkth->caplen, 1, data->stream); } } fflush(data->stream); - + data->current += sizeof(UnifiedLog); - + if(p && p->pkth) data->current += p->pkth->caplen; } -void UnifiedLogRotateFile(UnifiedConfig *data) +static void UnifiedLogRotateFile(UnifiedConfig *data) { fclose(data->stream); diff -Nru snort-2.8.5.2/src/output-plugins/spo_unified.h snort-2.9.2/src/output-plugins/spo_unified.h --- snort-2.8.5.2/src/output-plugins/spo_unified.h 2009-05-06 22:29:15.000000000 +0000 +++ snort-2.9.2/src/output-plugins/spo_unified.h 2011-02-09 23:23:27.000000000 +0000 
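Review bot: The new `fwrite((char*)&eth, sizeof(eth), 1, data->stream)` in the -1446 hunk checks its return and calls FatalError, but the packet-body write immediately beneath it, `fwrite((char*)p->pkt, p->pkth->caplen, 1, data->stream);`, remains unchecked, so a short write leaves the file truncated while `data->current += p->pkth->caplen` a few lines later advances the offset as if the record were complete, and the next rotation decision is made on a wrong size. The equivalent write in OldUnifiedLogStreamCallback (the -1260 hunk) is already checked, so `if(fwrite((char*)p->pkt, p->pkth->caplen, 1, data->stream) != 1) FatalError("SpoUnified: write failed: %s\n", strerror(errno));` brings the two paths in line. OldUnifiedLogPacketAlert begins above this hunk.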
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.8.5.2/src/packet_time.c snort-2.9.2/src/packet_time.c --- snort-2.8.5.2/src/packet_time.c 2009-01-26 16:25:55.000000000 +0000 +++ snort-2.9.2/src/packet_time.c 2011-06-08 00:33:06.000000000 +0000 @@ -1,6 +1,6 @@ /* $Id$ */ /* - ** Copyright (C) 1998-2009 Sourcefire, Inc. + ** Copyright (C) 1998-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -21,15 +21,19 @@ * @file packet_time.c * @author Chris Green * @date Tue Jun 17 17:09:59 2003 - * + * * @brief Easily allow modules to have a gettimeofday() based on packet time - * + * * In many modules in snort, especially the rate detectors need to * work based off time values. It's very hard to reproduce time * constraints via pcap readbacks so we either have to throttle snort * or use the packet time. I choose the latter. */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "packet_time.h" static time_t s_first_packet = 0; diff -Nru snort-2.8.5.2/src/packet_time.h snort-2.9.2/src/packet_time.h --- snort-2.8.5.2/src/packet_time.h 2009-01-26 16:25:57.000000000 +0000 +++ snort-2.9.2/src/packet_time.h 2011-02-09 23:22:50.000000000 +0000 
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.8.5.2/src/parser/IpAddrSet.c snort-2.9.2/src/parser/IpAddrSet.c --- snort-2.8.5.2/src/parser/IpAddrSet.c 2009-07-07 15:37:07.000000000 +0000 +++ snort-2.9.2/src/parser/IpAddrSet.c 2011-10-26 18:28:52.000000000 +0000 @@ -1,7 +1,7 @@ /* $Id$ */ /* - * Copyright (C) 2002-2009 Sourcefire, Inc. - * + * Copyright (C) 2002-2011 Sourcefire, Inc. + * * Author(s): Andrew R. Baker * Martin Roesch * @@ -10,7 +10,7 @@ * published by the Free Software Foundation. You may not use, modify or * distribute this program under any other version of the GNU General * Public License. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the @@ -48,7 +48,7 @@ #include "util.h" #include "mstring.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "snort.h" #include "sfPolicy.h" @@ -85,7 +85,7 @@ iplist = ipAddrSet->iplist; neglist = ipAddrSet->neg_iplist; - while(iplist) + while(iplist) { buffer[0] = '\0'; @@ -105,10 +105,10 @@ LogMessage("%s\n", buffer); iplist = iplist->next; - + } - while(neglist) + while(neglist) { buffer[0] = '\0'; @@ -141,7 +141,7 @@ if(!ipAddrSet) return NULL; newIpAddrSet = (IpAddrSet *)calloc(sizeof(IpAddrSet), 1); - if(!newIpAddrSet) + if(!newIpAddrSet) { goto failed; } @@ -159,7 +159,7 @@ if(!newIpAddrSet->iplist) newIpAddrSet->iplist = current; - + current->ip_addr = iplist->ip_addr; current->netmask = iplist->netmask; current->addr_flags = iplist->addr_flags; 
@@ -173,6 +173,7 @@ iplist = iplist->next; } + prev = current = NULL; while(neglist) { current = (IpAddrNode *)malloc(sizeof(IpAddrNode)); @@ -180,7 +181,7 @@ { goto failed; } - + if(!newIpAddrSet->neg_iplist) newIpAddrSet->neg_iplist = current; @@ -197,6 +198,8 @@ neglist = neglist->next; } + newIpAddrSet->id = ipAddrSet->id; + return newIpAddrSet; failed: @@ -216,7 +219,7 @@ * * Arguments: char *addr => address string to convert * IpAddrSet * => - * + * * * Returns: 0 for normal addresses, 1 for an "any" address */ @@ -234,7 +237,7 @@ IpAddrNode *address_data = (IpAddrNode*)SnortAlloc(sizeof(IpAddrNode)); - if(!paddr || !ias) + if(!paddr || !ias) return 1; addr = paddr; @@ -250,13 +253,13 @@ /* check for wildcards */ if(!strcasecmp(addr, "any")) { - if(negate) + if(negate) { FatalError("%s(%d) => !any is not allowed\n", file_name, file_line); } - + /* Make first node 0, which matches anything */ - if(!ias->iplist) + if(!ias->iplist) { ias->iplist = (IpAddrNode*)SnortAlloc(sizeof(IpAddrNode)); } @@ -306,10 +309,10 @@ /* if second char is != '\0', it must be a digit * by Daniel B. Cid, dcid@sourcefire.com - */ + */ if((toks[1][1] != '\0')&&(!isdigit((int) toks[1][1]) )) nmask = -1; - + if((nmask > -1) && (nmask < 33)) { address_data->netmask = netmasks[nmask]; @@ -318,15 +321,15 @@ { FatalError("%s(%d): Invalid CIDR block for IP addr " "%s\n", file_name, file_line, addr); - + } } else { /* convert the netmask into its 32-bit value */ - /* broadcast address fix from - * Steve Beaty + /* broadcast address fix from + * Steve Beaty */ /* @@ -428,15 +431,15 @@ mSplitFree(&toks, num_toks); /* Add new IP address to address set */ - if(!negate) + if(!negate) { IpAddrNode *idx; - if(!ias->iplist) + if(!ias->iplist) { ias->iplist = address_data; } - else + else { /* Get to the end of the list */ for(idx = ias->iplist; idx->next; idx=idx->next) ; 
@@ -448,11 +451,11 @@ { IpAddrNode *idx; - if(!ias->neg_iplist) + if(!ias->neg_iplist) { ias->neg_iplist = address_data; } - else + else { /* Get to the end of the list */ for(idx = ias->neg_iplist; idx->next; idx=idx->next) ; @@ -462,17 +465,17 @@ address_data->addr_flags |= EXCEPT_IP; } - + return 0; -} +} -void IpAddrSetBuild(char *addr, IpAddrSet *ret, int neg_list) +void IpAddrSetBuild(char *addr, IpAddrSet *ret, int neg_list) { char *tok, *end, *tmp; int neg_ip; - while(*addr) + while(*addr) { /* Skip whitespace and leading commas */ for(; *addr && (isspace((int)*addr) || *addr == ','); addr++) ; 
@@ -480,98 +483,98 @@ /* Handle multiple negations (such as if someone negates variable that * contains a negated IP */ neg_ip = 0; - for(; *addr == '!'; addr++) + for(; *addr == '!'; addr++) neg_ip = !neg_ip; /* Find end of this token */ - for(end = addr+1; + for(end = addr+1; *end && !isspace((int)*end) && *end != ']' && *end != ','; end++) ; tok = SnortStrndup(addr, end - addr); - if(!tok) + if(!tok) { - FatalError("%s(%d) => Failed to allocate memory for parsing '%s'\n", + FatalError("%s(%d) => Failed to allocate memory for parsing '%s'\n", file_name, file_line, addr); } - if(*addr == '[') + if(*addr == '[') { int brack_count = 0; char *list_tok; - + /* Find corresponding ending bracket */ - for(end = addr; *end; end++) + for(end = addr; *end; end++) { - if(*end == '[') + if(*end == '[') brack_count++; else if(*end == ']') brack_count--; - + if(!brack_count) break; } - - if(!*end) + + if(!*end) { - FatalError("%s(%d) => Unterminated IP List '%s'\n", + FatalError("%s(%d) => Unterminated IP List '%s'\n", file_name, file_line, addr); } - + addr++; list_tok = SnortStrndup(addr, end - addr); - if(!list_tok) + if(!list_tok) { - FatalError("%s(%d) => Failed to allocate memory for parsing '%s'\n", + FatalError("%s(%d) => Failed to allocate memory for parsing '%s'\n", file_name, file_line, addr); } IpAddrSetBuild(list_tok, ret, neg_ip ^ neg_list); free(list_tok); } - else if(*addr == '$') + else if(*addr == '$') { if((tmp = VarGet(tok + 1)) == NULL) { - FatalError("%s(%d) => Undefined variable %s\n", file_name, + FatalError("%s(%d) => Undefined variable %s\n", file_name, file_line, addr); } - - IpAddrSetBuild(tmp, ret, neg_list ^ neg_ip); + + IpAddrSetBuild(tmp, ret, neg_list ^ neg_ip); } else if(*addr == ']') { - if(!(*(addr+1))) + if(!(*(addr+1))) { /* Succesfully reached the end of this list */ free(tok); return; } - FatalError("%s(%d) => Mismatched bracket in '%s'\n", + FatalError("%s(%d) => Mismatched bracket in '%s'\n", file_name, file_line, addr); } - else + else 
{ /* Skip leading commas */ for(; *addr && (*addr == ',' || isspace((int)*addr)); addr++) ; ParseIP(tok, ret, neg_list ^ neg_ip); - if(ret->iplist && !ret->iplist->ip_addr && !ret->iplist->netmask) + if(ret->iplist && !ret->iplist->ip_addr && !ret->iplist->netmask) ret->iplist->addr_flags |= ANY_SRC_IP; - + /* Note: the neg_iplist is not checked for '!any' here since * ParseIP should have already FatalError'ed on it. */ } - + free(tok); if(*end) - addr = end + 1; + addr = end + 1; else break; } @@ -580,7 +583,7 @@ #endif -IpAddrSet *IpAddrSetParse(char *addr) +IpAddrSet *IpAddrSetParse(char *addr) { IpAddrSet *ret; #ifdef SUP_IP6 @@ -597,13 +600,13 @@ ip_vartable = sc->targeted_policies[getParserPolicy()]->ip_vartable; #endif - DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Got address string: %s\n", + DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Got address string: %s\n", addr);); ret = (IpAddrSet*)SnortAlloc(sizeof(IpAddrSet)); -#ifdef SUP_IP6 - if((ret_code = sfvt_add_to_var(ip_vartable, ret, addr)) != SFIP_SUCCESS) +#ifdef SUP_IP6 + if((ret_code = sfvt_add_to_var(ip_vartable, ret, addr)) != SFIP_SUCCESS) { if(ret_code == SFIP_LOOKUP_FAILURE) FatalError("%s(%d) => Undefined variable in the string: %s\n", @@ -611,7 +614,7 @@ else if(ret_code == SFIP_CONFLICT) FatalError("%s(%d) => Negated IP ranges that equal to or are" " more-specific than non-negated ranges are not allowed." - " Consider inverting the logic: %s.\n", + " Consider inverting the logic: %s.\n", file_name, file_line, addr); else FatalError("%s(%d) => Unable to process the IP address: %s\n", @@ -632,7 +635,7 @@ IpAddrNode *node, *tmp; #endif - if(!ipAddrSet) + if(!ipAddrSet) return; #ifdef SUP_IP6 
@@ -666,31 +669,29 @@ int match = 0; if(!ias) - { - DEBUG_WRAP(DebugMessage(DEBUG_ALL,"Null IP address set!\n");); return 0; - } - if(!ias->iplist) + + if(!ias->iplist) match = 1; for(index = ias->iplist; index != NULL; index = index->next) { - if(index->ip_addr == (raw_addr & index->netmask)) + if(index->ip_addr == (raw_addr & index->netmask)) { match = 1; break; } - } + } - if(!match) + if(!match) return 0; - if(!ias->neg_iplist) + if(!ias->neg_iplist) return 1; for(index = ias->neg_iplist; index != NULL; index = index->next) { - if(index->ip_addr == (raw_addr & index->netmask)) + if(index->ip_addr == (raw_addr & index->netmask)) return 0; } diff -Nru snort-2.8.5.2/src/parser/IpAddrSet.h snort-2.9.2/src/parser/IpAddrSet.h --- snort-2.8.5.2/src/parser/IpAddrSet.h 2009-07-07 15:37:07.000000000 +0000 +++ snort-2.9.2/src/parser/IpAddrSet.h 2011-02-09 23:23:28.000000000 +0000 @@ -1,6 +1,6 @@ /* $Id$ */ /* - * Copyright (C) 2002-2009 Sourcefire, Inc. + * Copyright (C) 2002-2011 Sourcefire, Inc. * * Author(s): Andrew R. Baker * @@ -46,6 +46,7 @@ { IpAddrNode *iplist; IpAddrNode *neg_iplist; + uint32_t id; } IpAddrSet; #endif /* SUP_IP6 */ diff -Nru snort-2.8.5.2/src/parser/Makefile.in snort-2.9.2/src/parser/Makefile.in --- snort-2.8.5.2/src/parser/Makefile.in 2009-10-19 21:18:00.000000000 +0000 +++ snort-2.9.2/src/parser/Makefile.in 2011-12-07 19:23:21.000000000 +0000 @@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. 
@@ -16,8 +17,9 @@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c @@ -42,13 +44,14 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = LIBRARIES = $(noinst_LIBRARIES) ARFLAGS = cru libparser_a_AR = $(AR) $(ARFLAGS) libparser_a_LIBADD = am_libparser_a_OBJECTS = IpAddrSet.$(OBJEXT) libparser_a_OBJECTS = $(am_libparser_a_OBJECTS) -DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = am__depfiles_maybe = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ @@ -74,31 +77,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ 
@@ -111,12 +114,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ @@ -124,20 +133,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -169,6 +185,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -181,6 +198,7 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies 
@@ -194,14 +212,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/parser/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/parser/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/parser/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/parser/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -219,6 +237,7 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): clean-noinstLIBRARIES: -test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES) 
@@ -253,45 +272,49 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i 
$(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags @@ -312,13 +335,17 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @@ -346,6 +373,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -366,6 +394,8 @@ html: html-am +html-am: + info: info-am info-am: @@ -374,18 +404,28 @@ install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am 
@@ -422,6 +462,7 @@ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ pdf pdf-am ps ps-am tags uninstall uninstall-am + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/src/parser.c snort-2.9.2/src/parser.c --- snort-2.8.5.2/src/parser.c 2012-02-14 11:37:23.000000000 +0000 +++ snort-2.9.2/src/parser.c 2011-10-26 18:28:52.000000000 +0000 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** Copyright (C) 2000,2001 Andrew R. Baker ** @@ -33,6 +33,12 @@ #include #include #include +#include +#ifdef HAVE_DUMBNET_H +#include +#else +#include +#endif #ifdef HAVE_STRINGS_H # include @@ -48,12 +54,13 @@ # include #endif /* !WIN32 */ -#include "bounds.h" +#include "snort_bounds.h" #include "rules.h" +#include "treenodes.h" #include "parser.h" #include "plugbase.h" #include "plugin_enum.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "mstring.h" #include "detect.h" @@ -67,7 +74,6 @@ #include "sfthreshold.h" #include "sfutil/sfthd.h" #include "snort.h" -#include "inline.h" #include "event_queue.h" #include "asn1.h" #include "sfutil/sfghash.h" 
@@ -84,21 +90,26 @@ #include "detection_filter.h" #include "sfPolicy.h" #include "sfutil/mpse.h" +#include "sfutil/sfrim.h" +#include "sfutil/sfportobject.h" +#include "sfutil/strvec.h" +#include "active.h" #ifdef TARGET_BASED # include "sftarget_reader.h" #endif -#ifdef PORTLISTS -# include "sfutil/sfrim.h" -# include "sfutil/sfportobject.h" +#ifdef DYNAMIC_PLUGIN +# include "dynamic-plugins/sp_dynamic.h" #endif - /* Macros *********************************************************************/ +#define ENABLE_ALL_RULES 1 +#define ENABLE_RULE 1 +#define ENABLE_ONE_RULE 0 #define MAX_RULE_OPTIONS 256 #define MAX_LINE_LENGTH 32768 -#define MAX_IPLIST_ENTRIES 4096 +#define MAX_IPLIST_ENTRIES 4096 #define DEFAULT_LARGE_RULE_GROUP 9 #define SF_IPPROTO_UNKNOWN -1 #define MAX_RULE_COUNT (65535 * 2) @@ -112,10 +123,8 @@ #define RULE_LIST_TYPE__DYNAMIC "dynamic" #define RULE_LIST_TYPE__LOG "log" #define RULE_LIST_TYPE__PASS "pass" -#ifdef GIDS -# define RULE_LIST_TYPE__REJECT "reject" -# define RULE_LIST_TYPE__SDROP "sdrop" -#endif /* GIDS */ +#define RULE_LIST_TYPE__REJECT "reject" +#define RULE_LIST_TYPE__SDROP "sdrop" #define RULE_PROTO_OPT__IP "ip" #define RULE_PROTO_OPT__TCP "tcp" 
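Review bot: The three new flag macros at the top of the hunk, `ENABLE_ALL_RULES 1`, `ENABLE_RULE 1` and `ENABLE_ONE_RULE 0`, are easy to misread: ENABLE_RULE and ENABLE_ONE_RULE look like opposites of each other, yet ALL_RULES and RULE share the value 1, so presumably they describe two independent parameters (scope: all rules vs. one rule; state: enable vs. disable). A one-line comment on each would remove the ambiguity, e.g. `#define ENABLE_ALL_RULES 1 /* scope: apply to every rule (1) or a single rule (0) */` and `#define ENABLE_RULE 1 /* state: enable (1) or disable (0) the rule */`; if they really are one parameter, two of them are redundant and should go. The callers that consume these values are outside this hunk.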
@@ -218,12 +227,20 @@ #define DETECTION_OPT__NO_STREAM_INSERTS "no_stream_inserts" #define DETECTION_OPT__SEARCH_METHOD "search-method" #define DETECTION_OPT__SEARCH_OPTIMIZE "search-optimize" +#define DETECTION_OPT__SPLIT_ANY_ANY "split-any-any" +#define DETECTION_OPT__MAX_PATTERN_LEN "max-pattern-len" +#define DETECTION_OPT__DEBUG_PRINT_FAST_PATTERN "debug-print-fast-pattern" #define EVENT_QUEUE_OPT__LOG "log" #define EVENT_QUEUE_OPT__MAX_QUEUE "max_queue" #define EVENT_QUEUE_OPT__ORDER_EVENTS "order_events" #define EVENT_QUEUE_OPT__PROCESS_ALL_EVENTS "process_all_events" +#define EVENT_TRACE_OPT__FILE "file" +#define EVENT_TRACE_OPT__MAX_DATA "max_data" +#define EVENT_TRACE_OPT__FILE_DEFAULT "event_trace.txt" +#define EVENT_TRACE_OPT__MAX_DATA_DEFAULT 64 + #define ORDER_EVENTS_OPT__CONTENT_LENGTH "content_length" #define ORDER_EVENTS_OPT__PRIORITY "priority" @@ -245,6 +262,7 @@ #define POLICY_MODE_PASSIVE "tap" #define POLICY_MODE_INLINE "inline" +#define POLICY_MODE_INLINE_TEST "inline_test" #ifdef PERF_PROFILING # define PROFILE_OPT__FILENAME "filename" @@ -275,6 +293,12 @@ # define PPM_OPT__DEBUG_PKTS "debug-pkts" #endif +#ifdef ACTIVE_RESPONSE +#define RESPONSE_OPT__ATTEMPTS "attempts" +#define RESPONSE_OPT__DEVICE "device" +#define RESPONSE_OPT__DST_MAC "dst_mac" +#endif + #define ERR_PAIR_COUNT \ "%s has incorrect argument count; should be %d pairs.", ERR_KEY #define ERR_NOT_PAIRED \ @@ -324,7 +348,7 @@ char *name; KeywordType type; int expand_vars; - int default_policy_only; + int default_policy_only; ParseFunc parse_func; } KeywordFunc; @@ -343,12 +367,11 @@ char *name; int args_required; int only_once; - int default_policy_only; + int default_policy_only; ParseConfigFunc parse_func; } ConfigFunc; -#ifdef PORTLISTS /* Tracking the port_list_t structure for printing and debugging at * this point...temporarily... */ typedef struct @@ -377,7 +400,7 @@ } port_list_t; /* rule counts for port lists */ -typedef struct +typedef struct { int src; int dst; 
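Review bot: `EVENT_TRACE_OPT__FILE_DEFAULT "event_trace.txt"` is a bare relative filename, and nothing at the definition says whether it is resolved against the configured log_dir or the process's current directory when the `file` option is omitted; ConfigEventTrace, which decides that, is outside this hunk. For a sensor that is typically started as root from an arbitrary cwd and later drops privileges via set_uid/set_gid, that distinction determines where a writable file ends up, so the define deserves a comment such as `/* resolved relative to log_dir; see ConfigEventTrace */` (or the opposite, whichever is true). `EVENT_TRACE_OPT__MAX_DATA_DEFAULT 64` should likewise state its unit (presumably bytes of packet data per event).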
@@ -386,16 +409,14 @@ int nc; /* no content */ } rule_count_t; -#endif /* PORTLISTS */ /* Externs ********************************************************************/ extern VarNode *cmd_line_var_list; extern char *snort_conf_file; extern char *snort_conf_dir; -extern SF_LIST *pcap_object_list; extern RuleOptConfigFuncNode *rule_opt_config_funcs; - +extern unsigned int giFlowbitSize; /* Globals ********************************************************************/ @@ -435,7 +456,6 @@ int otn_count = 0; /* number of chains */ int dynamic_rule_count = 0; -#ifdef PORTLISTS static port_list_t port_list; static rule_count_t tcpCnt; @@ -444,7 +464,6 @@ static rule_count_t ipCnt; rule_index_map_t *ruleIndexMap = NULL; /* rule index -> sid:gid map */ -#endif /* PORTLISTS */ static tSfPolicyId currHeadNodePolicy = 0; static OptTreeNode *currHeadNodeOtn = NULL; @@ -456,10 +475,8 @@ static void ParseDynamic(SnortConfig *, SnortPolicy *, char *); static void ParseLog(SnortConfig *, SnortPolicy *, char *); static void ParsePass(SnortConfig *, SnortPolicy *, char *); -#ifdef GIDS static void ParseReject(SnortConfig *, SnortPolicy *, char *); static void ParseSdrop(SnortConfig *, SnortPolicy *, char *); -#endif /* GIDS */ #ifdef TARGET_BASED static void ParseAttributeTable(SnortConfig *, SnortPolicy *, char *); @@ -473,9 +490,7 @@ static void ParseEventFilter(SnortConfig *, SnortPolicy *, char *); static void ParseInclude(SnortConfig *, SnortPolicy *, char *); static void ParseIpVar(SnortConfig *, SnortPolicy *, char *); -#ifdef PORTLISTS static void ParsePortVar(SnortConfig *, SnortPolicy *, char *); -#endif /* PORTLISTS */ static void ParsePreprocessor(SnortConfig *, SnortPolicy *, char *); static void ParseRateFilter(SnortConfig *, SnortPolicy *, char *); static void ParseRuleState(SnortConfig *, SnortPolicy *, char *); 
@@ -485,23 +500,29 @@ static void ParseVar(SnortConfig *, SnortPolicy *, char *); static void AddVarToTable(SnortConfig *, char *, char *); +int ParseBool(char *arg); + static const KeywordFunc snort_conf_keywords[] = { /* Rule keywords */ { SNORT_CONF_KEYWORD__ACTIVATE, KEYWORD_TYPE__RULE, 0, 0, ParseActivate }, { SNORT_CONF_KEYWORD__ALERT, KEYWORD_TYPE__RULE, 0, 0, ParseAlert }, { SNORT_CONF_KEYWORD__DROP, KEYWORD_TYPE__RULE, 0, 0, ParseDrop }, + { SNORT_CONF_KEYWORD__BLOCK, KEYWORD_TYPE__RULE, 0, 0, ParseDrop }, { SNORT_CONF_KEYWORD__DYNAMIC, KEYWORD_TYPE__RULE, 0, 0, ParseDynamic }, { SNORT_CONF_KEYWORD__LOG, KEYWORD_TYPE__RULE, 0, 0, ParseLog }, { SNORT_CONF_KEYWORD__PASS, KEYWORD_TYPE__RULE, 0, 0, ParsePass }, -#ifdef GIDS { SNORT_CONF_KEYWORD__REJECT, KEYWORD_TYPE__RULE, 0, 0, ParseReject }, { SNORT_CONF_KEYWORD__SDROP, KEYWORD_TYPE__RULE, 0, 0, ParseSdrop }, -#endif + { SNORT_CONF_KEYWORD__SBLOCK, KEYWORD_TYPE__RULE, 0, 0, ParseSdrop }, /* Non-rule keywords */ #ifdef TARGET_BASED - { SNORT_CONF_KEYWORD__ATTRIBUTE_TABLE, KEYWORD_TYPE__MAIN, 1, 1, ParseAttributeTable }, + /* Need to fatal error if attribute_table is not configured in default + * policy. Since we're just skipping configuring non-default + * configurations with default only configuration types, set this to + * be configured for non-default policies and fatal in function */ + { SNORT_CONF_KEYWORD__ATTRIBUTE_TABLE, KEYWORD_TYPE__MAIN, 1, 0, ParseAttributeTable }, #endif { SNORT_CONF_KEYWORD__CONFIG, KEYWORD_TYPE__MAIN, 1, 0, ParseConfig }, #ifdef DYNAMIC_PLUGIN 
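Review bot: `int ParseBool(char *arg);` is the only non-static prototype among the static ones in this hunk, so the function is exported but its declaration lives in parser.c rather than parser.h, and any other translation unit calling it has to repeat the prototype by hand. Either make it `static int ParseBool(char *arg);` if it is only used here, or move the declaration to parser.h (ideally as `int ParseBool(const char *arg);`). The comment above the `SNORT_CONF_KEYWORD__ATTRIBUTE_TABLE` entry could also be sharper: the default_policy_only column going from 1 to 0 means the table no longer enforces the restriction at all and the check now lives solely in ParseAttributeTable, outside this hunk, e.g. `/* default_policy_only is 0 on purpose: ParseAttributeTable itself fatals when attribute_table appears outside the default policy */`.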
@@ -513,9 +534,7 @@ { SNORT_CONF_KEYWORD__INCLUDE, KEYWORD_TYPE__ALL, 1, 0, ParseInclude }, { SNORT_CONF_KEYWORD__IPVAR, KEYWORD_TYPE__MAIN, 0, 0, ParseIpVar }, { SNORT_CONF_KEYWORD__OUTPUT, KEYWORD_TYPE__MAIN, 1, 1, ParseOutput }, -#ifdef PORTLISTS { SNORT_CONF_KEYWORD__PORTVAR, KEYWORD_TYPE__MAIN, 0, 0, ParsePortVar }, -#endif { SNORT_CONF_KEYWORD__PREPROCESSOR, KEYWORD_TYPE__MAIN, 1, 0, ParsePreprocessor }, { SNORT_CONF_KEYWORD__RATE_FILTER, KEYWORD_TYPE__MAIN, 0, 0, ParseRateFilter }, { SNORT_CONF_KEYWORD__RULE_STATE, KEYWORD_TYPE__MAIN, 1, 0, ParseRuleState }, @@ -524,7 +543,7 @@ { SNORT_CONF_KEYWORD__THRESHOLD, KEYWORD_TYPE__MAIN, 1, 0, ParseThreshold }, { SNORT_CONF_KEYWORD__VAR, KEYWORD_TYPE__MAIN, 0, 0, ParseVar }, - { NULL, 0, 0, 0, NULL } /* Marks end of array */ + { NULL, KEYWORD_TYPE__ALL, 0, 0, NULL } /* Marks end of array */ }; static void ParseOtnActivatedBy(SnortConfig *, RuleTreeNode *, @@ -590,7 +609,7 @@ { CONFIG_OPT__ALERT_FILE, 1, 1, 1, ConfigAlertFile }, { CONFIG_OPT__ALERT_WITH_IFACE_NAME, 0, 1, 1, ConfigAlertWithInterfaceName }, #ifdef PREPROCESSOR_AND_DECODER_RULE_EVENTS - { CONFIG_OPT__AUTOGEN_PREPROC_DECODER_RULES, 0, 1, 1, ConfigAutogenPreprocDecoderRules }, + { CONFIG_OPT__AUTOGEN_PREPROC_DECODER_RULES, 0, 1, 0, ConfigAutogenPreprocDecoderRules }, #endif { CONFIG_OPT__ASN1, 1, 1, 1, ConfigAsn1 }, { CONFIG_OPT__BINDING, 1, 0, 1, ConfigBinding }, 
@@ -601,8 +620,9 @@ { CONFIG_OPT__CLASSIFICATION, 1, 0, 0, ConfigClassification }, { CONFIG_OPT__DAEMON, 0, 1, 1, ConfigDaemon }, { CONFIG_OPT__DECODE_DATA_LINK, 0, 1, 1, ConfigDecodeDataLink }, + { CONFIG_OPT__DECODE_ESP, 0, 1, 1, ConfigEnableEspDecoding }, { CONFIG_OPT__DEFAULT_RULE_STATE, 0, 1, 1, ConfigDefaultRuleState }, - { CONFIG_OPT__DETECTION, 1, 1, 1, ConfigDetection }, + { CONFIG_OPT__DETECTION, 1, 0, 1, ConfigDetection }, /* This is reconfigurable */ { CONFIG_OPT__DETECTION_FILTER, 1, 1, 1, ConfigDetectionFilter }, { CONFIG_OPT__DISABLE_DECODE_ALERTS, 0, 1, 1, ConfigDisableDecodeAlerts }, { CONFIG_OPT__DISABLE_DECODE_DROPS, 0, 1, 1, ConfigDisableDecodeDrops }, @@ -626,6 +646,8 @@ { CONFIG_OPT__ENABLE_DECODE_DROPS, 0, 1, 1, ConfigEnableDecodeDrops }, { CONFIG_OPT__ENABLE_DECODE_OVERSIZED_ALERTS, 0, 1, 1, ConfigEnableDecodeOversizedAlerts }, { CONFIG_OPT__ENABLE_DECODE_OVERSIZED_DROPS, 0, 1, 1, ConfigEnableDecodeOversizedDrops }, + { CONFIG_OPT__ENABLE_DEEP_TEREDO_INSPECTION, 0, 1, 1, ConfigEnableDeepTeredoInspection }, + { CONFIG_OPT__ENABLE_GTP_DECODING, 0, 1, 1, ConfigEnableGTPDecoding }, { CONFIG_OPT__ENABLE_IP_OPT_DROPS, 0, 1, 1, ConfigEnableIpOptDrops }, #ifdef MPLS { CONFIG_OPT__ENABLE_MPLS_MULTICAST, 0, 1, 1, ConfigEnableMplsMulticast }, 
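Review bot: The `/* This is reconfigurable */` comment on the `CONFIG_OPT__DETECTION` entry explains why the only_once column was relaxed from 1 to 0 but not what that column actually governs here: what happens when `config detection:` appears twice inside one policy — whether the second occurrence overrides, merges with, or is rejected by ConfigDetection (outside this hunk) is left to the reader. Suggest spelling it out at the table entry, e.g. `/* only_once=0: may be restated on reload; a repeat within one policy replaces the earlier settings (see ConfigDetection) */`, with the wording adjusted to the real behaviour.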
@@ -638,12 +660,17 @@ { CONFIG_OPT__ENABLE_TCP_OPT_TTCP_DROPS, 0, 1, 1, ConfigEnableTTcpDrops }, { CONFIG_OPT__EVENT_FILTER, 1, 1, 1, ConfigEventFilter }, { CONFIG_OPT__EVENT_QUEUE, 1, 1, 1, ConfigEventQueue }, -#ifdef ENABLE_RESPONSE2 - { CONFIG_OPT__FLEXRESP2_ATTEMPTS, 1, 1, 1, ConfigFlexresp2Attempts }, + { CONFIG_OPT__EVENT_TRACE, 0, 1, 1, ConfigEventTrace }, + { CONFIG_OPT__REACT, 1, 1, 1, ConfigReact }, +#ifdef ENABLE_RESPONSE3 { CONFIG_OPT__FLEXRESP2_INTERFACE, 1, 1, 1, ConfigFlexresp2Interface }, + { CONFIG_OPT__FLEXRESP2_ATTEMPTS, 1, 1, 1, ConfigFlexresp2Attempts }, { CONFIG_OPT__FLEXRESP2_MEMCAP, 1, 1, 1, ConfigFlexresp2Memcap }, { CONFIG_OPT__FLEXRESP2_ROWS, 1, 1, 1, ConfigFlexresp2Rows }, #endif +#ifdef ACTIVE_RESPONSE + { CONFIG_OPT__RESPONSE, 1, 1, 1, ConfigResponse }, +#endif { CONFIG_OPT__FLOWBITS_SIZE, 1, 1, 1, ConfigFlowbitsSize }, { CONFIG_OPT__IGNORE_PORTS, 1, 0, 1, ConfigIgnorePorts }, { CONFIG_OPT__ALERT_VLAN, 0, 1, 1, ConfigIncludeVlanInAlert }, @@ -651,6 +678,11 @@ { CONFIG_OPT__IPV6_FRAG, 1, 1, 1, ConfigIpv6Frag }, { CONFIG_OPT__LAYER2RESETS, 1, 1, 1, ConfigLayer2Resets }, { CONFIG_OPT__LOG_DIR, 1, 1, 1, ConfigLogDir }, + { CONFIG_OPT__DAQ_TYPE, 1, 1, 1, ConfigDaqType }, + { CONFIG_OPT__DAQ_MODE, 1, 1, 1, ConfigDaqMode }, + { CONFIG_OPT__DAQ_VAR, 1, 0, 1, ConfigDaqVar }, + { CONFIG_OPT__DAQ_DIR, 1, 0, 1, ConfigDaqDir }, + { CONFIG_OPT__DIRTY_PIG, 0, 1, 1, ConfigDirtyPig }, #ifdef TARGET_BASED { CONFIG_OPT__MAX_ATTRIBUTE_HOSTS, 1, 1, 1, ConfigMaxAttributeHosts }, { CONFIG_OPT__MAX_METADATA_SERVICES, 1, 1, 1, ConfigMaxMetadataServices }, 
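Review bot: `CONFIG_OPT__DAQ_DIR` is registered as repeatable (only_once column 0) and, going by its name and the DAQ machinery this version introduces, presumably names directories from which DAQ modules — shared objects executed in-process — are loaded, yet nothing at the entry or in ConfigDaqDir (outside this hunk) visibly constrains the path. A directory on that search list that is relative, or writable by anyone other than the account snort starts as, is an arbitrary-code-execution path at startup, before set_uid/set_gid take effect. Suggest rejecting relative paths in ConfigDaqDir, or at least a warning comment on the entry: `/* daq_dir: module search path; every listed directory is trusted code and must not be writable by unprivileged users */`. `CONFIG_OPT__DAQ_VAR` is likewise repeatable and passed through to the module, so its values deserve the same caveat.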
@@ -659,12 +691,16 @@ { CONFIG_OPT__MAX_MPLS_LABELCHAIN_LEN, 0, 1, 1, ConfigMaxMplsLabelChain }, { CONFIG_OPT__MPLS_PAYLOAD_TYPE, 0, 1, 1, ConfigMplsPayloadType }, #endif - { CONFIG_OPT__MIN_TTL, 1, 1, 1, ConfigMinTTL }, + { CONFIG_OPT__MIN_TTL, 1, 1, 0, ConfigMinTTL }, +#ifdef NORMALIZER + { CONFIG_OPT__NEW_TTL, 1, 1, 0, ConfigNewTTL }, +#endif { CONFIG_OPT__NO_LOG, 0, 1, 1, ConfigNoLog }, { CONFIG_OPT__NO_PCRE, 0, 1, 1, ConfigNoPcre }, { CONFIG_OPT__NO_PROMISCUOUS, 0, 1, 1, ConfigNoPromiscuous }, { CONFIG_OPT__OBFUSCATE, 0, 1, 1, ConfigObfuscate }, { CONFIG_OPT__ORDER, 1, 1, 1, ConfigRuleListOrder }, + { CONFIG_OPT__PAF_MAX, 1, 1, 0, ConfigPafMax }, { CONFIG_OPT__PKT_COUNT, 1, 1, 1, ConfigPacketCount }, { CONFIG_OPT__PKT_SNAPLEN, 1, 1, 1, ConfigPacketSnaplen }, { CONFIG_OPT__PCRE_MATCH_LIMIT, 1, 1, 1, ConfigPcreMatchLimit }, @@ -674,7 +710,7 @@ { CONFIG_OPT__PID_PATH, 1, 1, 1, ConfigPidPath }, #endif { CONFIG_OPT__POLICY, 1, 1, 0, ConfigPolicy }, - { CONFIG_OPT__POLICY_MODE , 1, 1, 0, ConfigPolicyMode }, + { CONFIG_OPT__POLICY_MODE, 1, 1, 0, ConfigPolicyMode }, { CONFIG_OPT__POLICY_VERSION , 1, 0, 0, ConfigPolicyVersion }, #ifdef PPM_MGR { CONFIG_OPT__PPM, 1, 0, 1, ConfigPPM }, 
@@ -691,23 +727,24 @@ { CONFIG_OPT__SET_GID, 1, 1, 1, ConfigSetGid }, { CONFIG_OPT__SET_UID, 1, 1, 1, ConfigSetUid }, { CONFIG_OPT__SHOW_YEAR, 0, 1, 1, ConfigShowYear }, + { CONFIG_OPT__SO_RULE_MEMCAP, 1, 1, 1, ConfigSoRuleMemcap }, { CONFIG_OPT__STATEFUL, 0, 1, 1, ConfigStateful }, { CONFIG_OPT__TAGGED_PACKET_LIMIT, 1, 1, 1, ConfigTaggedPacketLimit }, { CONFIG_OPT__THRESHOLD, 1, 1, 1, ConfigThreshold }, -#ifdef TIMESTATS - { CONFIG_OPT__TIMESTATS_INTERVAL, 1, 1, 1, ConfigTimestatsInterval }, -#endif { CONFIG_OPT__UMASK, 1, 1, 1, ConfigUmask }, { CONFIG_OPT__UTC, 0, 1, 1, ConfigUtc }, { CONFIG_OPT__VERBOSE, 0, 1, 1, ConfigVerbose }, + { CONFIG_OPT__VLAN_AGNOSTIC, 0, 1, 1, ConfigVlanAgnostic }, + { CONFIG_OPT__LOG_IPV6_EXTRA, 0, 1, 1, ConfigLogIPv6Extra }, #ifdef DYNAMIC_PLUGIN { CONFIG_OPT__DUMP_DYNAMIC_RULES_PATH, 1, 1, 1, ConfigDumpDynamicRulesPath }, #endif + { CONFIG_OPT__CONTROL_SOCKET_DIR, 1, 1, 1, ConfigControlSocketDirectory }, { NULL, 0, 0, 0, NULL } /* Marks end of array */ }; /* Used to determine if a config option has already been configured - * Gets zeroed when initially parsing a configuration file, then each + * Gets zeroed when initially parsing a configuration file, then each * index gets set to 1 as an option is configured. Maps to config_opts */ static uint8_t config_opt_configured[sizeof(config_opts) / sizeof(ConfigFunc)]; @@ -719,7 +756,7 @@ #ifdef SUP_IP6 static int VarIsIpAddr(vartable_t *, char *); #endif -static int GetRuleType(char *); +static RuleType GetRuleType(char *); static void CreateDefaultRules(SnortConfig *); static void ParseConfigFile(SnortConfig *, SnortPolicy *, char *); static int ValidateUserDefinedRuleType(SnortConfig *, char *); 
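Review bot: `CONFIG_OPT__CONTROL_SOCKET_DIR` introduces a local control channel without any note on who may connect to it; ConfigControlSocketDirectory is outside this hunk, so it is not visible whether the directory is checked for ownership and mode. A control socket on a sensor that usually starts as root and later drops to the set_uid/set_gid account is a privilege boundary: the directory should exist, be owned by the account snort will run as, and not be group/world-writable, and the socket itself should be created under a restrictive umask. At minimum the table entry should say where that validation happens, e.g. `/* control_socket_dir: must be owned by the snort user and not group/world writable; checked in ConfigControlSocketDirectory */`.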
@@ -746,8 +783,11 @@ static uint16_t ConvPort(char *, char *); static char * ReadLine(FILE *); static void DeleteVars(VarEntry *); -#ifdef PORTLISTS static int ValidateIPList(IpAddrSet *, char *); +#ifndef SUP_IP6 +static int CompareIPAddrSets(IpAddrSet *, IpAddrSet *); +static int CompareIPLists(IpAddrNode *, IpAddrNode *); +#endif static int PortVarDefine(SnortConfig *, char *, char *); static void port_entry_free(port_entry_t *); static int port_list_add_entry(port_list_t *, port_entry_t *); @@ -763,7 +803,6 @@ int, port_entry_t *, FastPatternConfig *); static PortObject * ParsePortListTcpUdpPort(PortVarTable *, PortTable *, char *); static int ParsePortList(RuleTreeNode *, PortVarTable *, PortTable *, char *, int, int); -#endif /* PORTLISTS */ static void ParseRule(SnortConfig *, SnortPolicy *, char *, RuleType, ListHead *); static void TransferOutputConfigs(OutputConfig *, OutputConfig **); static OutputConfig * DupOutputConfig(OutputConfig *); @@ -776,7 +815,7 @@ static void DefineIfaceVar(SnortConfig *, char *, uint8_t *, uint8_t *); #endif -#ifdef DEBUG +#ifdef DEBUG_MSGS #if 0 static void DumpList(IpAddrNode *, int); #endif @@ -785,6 +824,9 @@ #endif static void SetLinks(SnortConfig *, int); static int ProcessIP(SnortConfig *, char *, RuleTreeNode *, int, int); +#ifndef SUP_IP6 +static int ProcessIpList(SnortConfig *, char *, RuleTreeNode *, int, int); +#endif static int TestHeader(RuleTreeNode *, RuleTreeNode *); static void FreeRuleTreeNode(RuleTreeNode *rtn); static void DestroyRuleTreeNode(RuleTreeNode *rtn); @@ -794,7 +836,7 @@ static void DisallowCrossTableDuplicateVars(SnortConfig *, char *, VarType); static int mergeDuplicateOtn(SnortConfig *, OptTreeNode *, OptTreeNode *, RuleTreeNode *); #if 0 -#ifdef DEBUG +#ifdef DEBUG_MSGS static void PrintRtnPorts(RuleTreeNode *); #endif #endif 
@@ -804,11 +846,26 @@ static int ParseNetworkBindingLine(tSfPolicyConfig *, int, char **, char *); static int ParseVlanBindingLine(tSfPolicyConfig *, int, char **, char *); +static int ParsePolicyIdBindingLine(tSfPolicyConfig *, int, char **, char *); static OptTreeNode * firstHeadNode(SnortConfig *, int, RuleType, tSfPolicyId *); static OptTreeNode * nextHeadNode(SnortConfig *, int, RuleType, tSfPolicyId *); static RuleTreeNode * findHeadNode(SnortConfig *, RuleTreeNode *, tSfPolicyId); +// only keep drop rules +// if we are inline (and can actually drop), +// or we are going to just alert instead of drop, +// or we are going to ignore session data instead of drop. +// the alert case is tested for separately with ScTreatDropAsAlert(). +static inline int ScKeepDropRules (void) +{ + return ( ScInlineMode() || ScAdapterInlineMode() || ScTreatDropAsIgnore() ); +} + +static inline int ScLoadAsDropRules (void) +{ + return ( ScInlineTestMode() || ScAdapterInlineTestMode() ); +} /**************************************************************************** * Function: ParseSnortConf() @@ -845,9 +902,7 @@ * Need to do this now in case we get a user defined rule type */ CreateDefaultRules(sc); -#ifdef PORTLISTS sc->port_tables = PortTablesNew(); -#endif mpseInitSummary(); OtnInit(sc); @@ -887,7 +942,7 @@ setParserPolicy(policy_id); #ifndef SOURCEFIRE - /* If snort is not run with root priveleges, no interfaces will be defined, + /* If snort is not run with root privileges, no interfaces will be defined, * so user beware if an iface_ADDRESS variable is used in snort.conf and * snort is not run as root (even if just in read mode) */ DefineAllIfaceVars(sc); 
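Review bot: The comment above `ScKeepDropRules` contradicts the code two lines below it: it lists "or we are going to just alert instead of drop" as a reason to keep drop rules, but the function tests only `ScInlineMode() || ScAdapterInlineMode() || ScTreatDropAsIgnore()`, and the last comment line itself concedes the alert case is handled elsewhere. Suggest replacing the four `//` lines with the file's `/* */` style: `/* Keep drop rules only when the policy can actually drop (inline or adapter-inline) or when drops are to be treated as ignore; ScTreatDropAsAlert() is checked separately by the caller. */`. `ScLoadAsDropRules` has no comment at all and deserves one stating what inline_test mode does with a drop rule (loaded as drop but not enforced, if that is indeed the semantics). If the caller discards rules for which neither helper returns true, that silent detection gap in a passive (tap) policy is worth naming in the comment.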
@@ -928,12 +983,14 @@ if (fname != NULL) { - sfDynArrayCheckBounds((void **)&sc->targeted_policies, policy_id, &sc->num_policies_allocated); - sc->targeted_policies[policy_id] = (SnortPolicy *)SnortAlloc(sizeof(SnortPolicy)); + sfDynArrayCheckBounds( + (void **)&sc->targeted_policies, policy_id, &sc->num_policies_allocated); + sc->targeted_policies[policy_id] = SnortPolicyNew(); + InitVarTables(sc->targeted_policies[policy_id]); - InitPolicyMode(sc->targeted_policies[policy_id]); + InitPolicyMode(sc->targeted_policies[policy_id]); setParserPolicy(policy_id); - + /* Need to reset this for each targeted policy */ memset(config_opt_configured, 0, sizeof(config_opt_configured)); @@ -977,15 +1034,51 @@ return sc; } -static int ParseVlanBindingLine( +static int ParsePolicyIdBindingLine( + tSfPolicyConfig *config, + int num_toks, + char **toks, + char *fileName + ) +{ + int i; + int parsedPolicyId; + + for (i = 0; i < num_toks; i++) + { + char *endp; + if ( toks[i] ) + { + errno = 0; + parsedPolicyId = SnortStrtolRange(toks[i], &endp, 10, 0, USHRT_MAX); + if ((errno == ERANGE) || (*endp != '\0')) + return -1; + + if ( sfPolicyIdAddBinding(config, parsedPolicyId, fileName) != 0) + { + return -1; + //FatalError("Unable to add policy: policyId %d, file %s\n", parsedPolicyId, fileName); + } + } + else + { + return -1; + //FatalError("formating error in binding file: %s\n", aLine); + } + } + + return 0; +} + +static int ParseVlanBindingLine( tSfPolicyConfig *config, - int num_toks, + int num_toks, char **toks, char *fileName ) { int i; - int vlanId1, vlanId2; + int vlanId1=0, vlanId2=0; for (i = 0; i < num_toks; i++) 
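Review bot: In `ParsePolicyIdBindingLine` an empty token passes both checks: `*endp != '\0'` is false and `errno` is not `ERANGE`, so — if SnortStrtolRange follows strtol's convention of leaving endp at the start of the input when no digits are consumed — `""` is accepted as policy id 0 and bound to `fileName`. Add the no-digits test: `if ((errno == ERANGE) || (endp == toks[i]) || (*endp != '\0'))`. The two commented-out `//FatalError(...)` lines after each `return -1;` are dead code (one even references an `aLine` that does not exist in this function) and should be removed; if a diagnostic is wanted, log it before returning rather than hand the caller a bare -1.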
@@ -1012,13 +1105,16 @@ toks2 = mSplit(toks[i], "-", 2, &num_tok2, 0); if (num_tok2 == 2) { - vlanId1 = strtol(toks2[0], &endp, 10); + /* vlanId1 must be < SF_VLAN_BINDING_MAX -1 + to allow for an actual range */ + vlanId1 = SnortStrtolRange(toks2[0], &endp, 10, 0, SF_VLAN_BINDING_MAX-1); if( *endp ) { mSplitFree(&toks2, num_tok2); return -1; } - vlanId2 = strtol(toks2[1], &endp, 10); + /* vlanId2 must be > vlanId1 */ + vlanId2 = SnortStrtolRange(toks2[1], &endp, 10, vlanId1+1, SF_VLAN_BINDING_MAX); if ( *endp ) { mSplitFree(&toks2, num_tok2); @@ -1052,7 +1148,7 @@ else if ( toks[i] ) { - vlanId = strtol(toks[i], &endp, 10); + vlanId = SnortStrtolRange(toks[i], &endp, 10, 0, SF_VLAN_BINDING_MAX-1); if( *endp ) return -1; if ( (vlanId >= SF_VLAN_BINDING_MAX) || sfVlanAddBinding(config, vlanId, fileName) != 0) @@ -1071,9 +1167,9 @@ return 0; } -static int ParseNetworkBindingLine( +static int ParseNetworkBindingLine( tSfPolicyConfig *config, - int num_toks, + int num_toks, char **toks, char *fileName ) @@ -1102,7 +1198,7 @@ return 0; } -#ifdef DEBUG +#ifdef DEBUG_MSGS static void DumpRuleChains(RuleListNode *rule_lists) { RuleListNode *rule = rule_lists; @@ -1150,7 +1246,7 @@ * Purpose: print out the chain lists by header block node group * * Arguments: node => the head node - * + * * Returns: void function * ***************************************************************************/ @@ -1176,7 +1272,7 @@ if(negated) { - DEBUG_WRAP(DebugMessage(DEBUG_RULES, + DEBUG_WRAP(DebugMessage(DEBUG_RULES, " (EXCEPTION_FLAG Active)\n");); } else 
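Review bot: The `SnortStrtolRange` calls for `vlanId1`, `vlanId2` and `vlanId` in these hunks detect failure only through `*endp`, unlike `ParsePolicyIdBindingLine` in the same commit, which zeroes `errno` before the call and tests `ERANGE` afterwards. If SnortStrtolRange reports an out-of-range value through errno rather than through endp (its contract is outside the hunk), a VLAN id above `SF_VLAN_BINDING_MAX-1` slips past the endp test; the single-id path still catches it with the `vlanId >= SF_VLAN_BINDING_MAX` check that follows, but the range path's later checks are not visible here. Suggest the same pattern at all three sites: `errno = 0;` before the call and `if (errno == ERANGE || *endp) { mSplitFree(&toks2, num_tok2); return -1; }` after it. The comment `vlanId1 must be < SF_VLAN_BINDING_MAX -1` also disagrees with the call, whose upper bound `SF_VLAN_BINDING_MAX-1` looks inclusive.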
@@ -1185,25 +1281,24 @@ } idx = idx->next; - } + } } #endif /* 0 */ #endif /* DEBUG */ -#ifdef PORTLISTS /* * Finish adding the rule to the port tables * * 1) find the table this rule should belong to (src/dst/any-any tcp,udp,icmp,ip or nocontent) - * 2) find an index for the sid:gid pair - * 3) add all no content rules to a single no content port object, the ports are irrelevant so + * 2) find an index for the sid:gid pair + * 3) add all no content rules to a single no content port object, the ports are irrelevant so * make it a any-any port object. * 4) if it's an any-any rule with content, add to an any-any port object * 5) find if we have a port object with these ports defined, if so get it, otherwise create it. - * a)do this for src and dst port + * a)do this for src and dst port * b)add the rule index/id to the portobject(s) * c)if the rule is bidir add the rule and port-object to both src and dst tables - * + * */ static int FinishPortListRule(rule_port_tables_t *port_tables, RuleTreeNode *rtn, OptTreeNode *otn, int proto, port_entry_t *pe, FastPatternConfig *fp) @@ -1256,14 +1351,14 @@ { return -1; } - + /* Count rules with both src and dst specific ports */ - if (!(rtn->flags & ANY_DST_PORT) && !(rtn->flags & ANY_SRC_PORT)) + if (!(rtn->flags & ANY_DST_PORT) && !(rtn->flags & ANY_SRC_PORT)) { DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS, "***\n***Info: src & dst ports are both specific" " >> gid=%u sid=%u src=%s dst=%s\n***\n", - otn->sigInfo.generator, otn->sigInfo.id, + otn->sigInfo.generator, otn->sigInfo.id, pe->src_port, pe->dst_port);); prc->sd++; 
@@ -1272,24 +1367,24 @@ /* Create/find an index to store this rules sid and gid at, * and use as reference in Port Objects */ rim_index = otn->ruleIndex; - + /* Add up the nocontent rules */ - if (!OtnHasContent(otn) && !OtnHasUriContent(otn)) + if (!pe->content && !pe->uricontent) prc->nc++; /* If not an any-any rule test for port bleedover, if we are using a * single rule group, don't bother */ if (!fpDetectGetSingleRuleGroup(fp) && - (rtn->flags & (ANY_DST_PORT|ANY_SRC_PORT)) != (ANY_DST_PORT|ANY_SRC_PORT)) + (rtn->flags & (ANY_DST_PORT|ANY_SRC_PORT)) != (ANY_DST_PORT|ANY_SRC_PORT)) { - if (!(rtn->flags & ANY_SRC_PORT)) + if (!(rtn->flags & ANY_SRC_PORT)) { src_cnt = PortObjectPortCount(rtn->src_portobject); if (src_cnt >= fpDetectGetBleedOverPortLimit(fp)) large_port_group = 1; - } + } - if (!(rtn->flags & ANY_DST_PORT)) + if (!(rtn->flags & ANY_DST_PORT)) { dst_cnt = PortObjectPortCount(rtn->dst_portobject); if (dst_cnt >= fpDetectGetBleedOverPortLimit(fp)) 
@@ -1309,24 +1404,24 @@ PortObjectPrintPortsRaw(rtn->src_portobject); LogMessage(" -> "); PortObjectPrintPortsRaw(rtn->dst_portobject); - LogMessage(" adding to any-any group\n"); + LogMessage(" adding to any-any group\n"); fflush(stdout);fflush(stderr); } } - + /* If an any-any rule add rule index to any-any port object - * both content and no-content type rules go here if they are + * both content and no-content type rules go here if they are * any-any port rules... - * If we have an any-any rule or a large port group or + * If we have an any-any rule or a large port group or * were using a single rule group we make it an any-any rule. */ if (((rtn->flags & (ANY_DST_PORT|ANY_SRC_PORT)) == (ANY_DST_PORT|ANY_SRC_PORT)) || large_port_group || fpDetectGetSingleRuleGroup(fp)) { if (proto == ETHERNET_TYPE_IP) { - /* Add the IP rules to the higher level app protocol groups, if they apply + /* Add the IP rules to the higher level app protocol groups, if they apply * to those protocols. All IP rules should have any-any port descriptors - * and fall into this test. IP rules that are not tcp/udp/icmp go only into the + * and fall into this test. IP rules that are not tcp/udp/icmp go only into the * IP table */ DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS, "Finishing IP any-any rule %u:%u\n", @@ -1380,7 +1475,7 @@ } /* add rule index to dst table if we have a specific dst port or port list */ - if (!(rtn->flags & ANY_DST_PORT)) + if (!(rtn->flags & ANY_DST_PORT)) { PortObject *pox; @@ -1394,7 +1489,7 @@ if (pox == NULL) { /* Create a permanent port object */ - pox = PortObjectDupPorts(rtn->dst_portobject); + pox = PortObjectDupPorts(rtn->dst_portobject); if (pox == NULL) { FatalError("%s(%d) Could not dup a port object - out of memory!\n", 
@@ -1408,12 +1503,12 @@ PortObjectAddRule(pox, rim_index); /* if bidir, add this rule and port group to the src table */ - if (rtn->flags & BIDIRECTIONAL) + if (rtn->flags & BIDIRECTIONAL) { pox = PortTableFindInputPortObjectPorts(srcTable, rtn->dst_portobject); if (pox == NULL) { - pox = PortObjectDupPorts(rtn->dst_portobject); + pox = PortObjectDupPorts(rtn->dst_portobject); if (pox == NULL) { FatalError("%s(%d) Could not dup a bidir-port object - out of memory!\n", @@ -1428,7 +1523,7 @@ } /* add rule index to src table if we have a specific src port or port list */ - if (!(rtn->flags & ANY_SRC_PORT)) + if (!(rtn->flags & ANY_SRC_PORT)) { PortObject *pox; @@ -1437,7 +1532,7 @@ pox = PortTableFindInputPortObjectPorts(srcTable, rtn->src_portobject); if (pox == NULL) { - pox = PortObjectDupPorts(rtn->src_portobject); + pox = PortObjectDupPorts(rtn->src_portobject); if (pox == NULL) { FatalError("%s(%d) Could not dup a port object - out of memory!\n", @@ -1450,12 +1545,12 @@ PortObjectAddRule(pox, rim_index); /* if bidir, add this rule and port group to the dst table */ - if (rtn->flags & BIDIRECTIONAL) + if (rtn->flags & BIDIRECTIONAL) { pox = PortTableFindInputPortObjectPorts(dstTable, rtn->src_portobject); if (pox == NULL) { - pox = PortObjectDupPorts(rtn->src_portobject); + pox = PortObjectDupPorts(rtn->src_portobject); if (pox == NULL) { FatalError("%s(%d) Could not dup a bidir-port object - out " 
@@ -1472,13 +1567,13 @@ return 0; } /* -* Parse a port string as a port var, and create or find a port object for it, +* Parse a port string as a port var, and create or find a port object for it, * and add it to the port var table. These are used by the rtn's * as src and dst port lists for final rtn/otn processing. * * These should not be confused with the port objects used to merge ports and rules * to build PORT_GROUP objects. Those are generated after the otn processing. -* +* */ static PortObject * ParsePortListTcpUdpPort(PortVarTable *pvt, PortTable *noname, char *port_str) @@ -1490,9 +1585,9 @@ if ((pvt == NULL) || (noname == NULL) || (port_str == NULL)) return NULL; - + /* 1st - check if we have an any port */ - if( strcasecmp(port_str,"any")== 0 ) + if( strcasecmp(port_str,"any")== 0 ) { portobject = PortVarTableFind(pvt, "any"); if (portobject == NULL) 
@@ -1502,37 +1597,35 @@ } /* 2nd - check if we have a PortVar */ - else if( port_str[0]=='$' ) - { + else if( port_str[0]=='$' ) + { /*||isalpha(port_str[0])*/ /*TODO: interferes with protocol names for ports*/ - char * name = port_str; + char * name = port_str + 1; - if( name[0]=='$' ) name++; /* in case this is allowed */ - DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"PortVarTableFind: finding '%s'\n", port_str);); /* look it up in the port var table */ portobject = PortVarTableFind(pvt, name); if (portobject == NULL) - ParseError("***Src PortVar Lookup failed on '%s'."); + ParseError("***PortVar Lookup failed on '%s'.", port_str); DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"PortVarTableFind: '%s' found!\n", port_str);); } - + /* 3rd - and finally process a raw port list */ - else - { - /* port list = [p,p,p:p,p,...] or p or p:p , no embedded spaces due to tokenizer */ + else + { + /* port list = [p,p,p:p,p,...] or p or p:p , no embedded spaces due to tokenizer */ PortObject * pox; - + DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS, "parser.c->PortObjectParseString: parsing '%s'\n",port_str);); - + portobject = PortObjectParseString(pvt, &poparser, 0, port_str, 0); DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS, "parser.c->PortObjectParseString: '%s' done.\n",port_str);); - + if( !portobject ) { errstr = PortObjectParseError( &poparser ); @@ -1541,7 +1634,7 @@ } /* check if we already have this port object in the un-named port var table ... */ - pox = PortTableFindInputPortObjectPorts(noname, portobject); + pox = PortTableFindInputPortObjectPorts(noname, portobject); if( pox ) { DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS, @@ -1552,7 +1645,7 @@ } else { - DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS, + DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS, "parser.c: adding '%s' as a PortObject line=%d\n",port_str,__LINE__ );); /* Add to the un-named port var table */ if (PortTableAddObject(noname, portobject)) 
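Review bot: In the PortVar branch of `ParsePortListTcpUdpPort`, execution continues after `ParseError("***PortVar Lookup failed on '%s'.", port_str)`: the next statement is a debug message claiming `'%s' found!` and the function carries on with `portobject == NULL`. If ParseError is fatal (it is defined outside this hunk) that is only a misleading trace; if it can return, the NULL propagates to the caller. Either way, `return NULL;` directly after the ParseError call, or moving the "found" message into the success path, makes the intent explicit. The stranded `/*||isalpha(port_str[0])*/ /*TODO: interferes with protocol names for ports*/` fragments should become one real TODO sentence or be removed.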
@@ -1567,20 +1660,20 @@ } #ifdef XXXXX /* -* Extract the Icmp Type field to determine the PortGroup. +* Extract the Icmp Type field to determine the PortGroup. */ PortObject * GetPortListIcmpPortObject( OptTreeNode * otn, PortTable * rulesPortTable, PortObject * anyAnyPortObject ) { PortObject * portobject=0; int type; IcmpTypeCheckData * IcmpType; - + IcmpType = (IcmpTypeCheckData *)otn->ds_list[PLUGIN_ICMP_TYPE]; - + if( IcmpType && (IcmpType->operator == ICMP_TYPE_TEST_EQ) ) { type = IcmpType->icmp_type; - } + } else { return anyAnyPortObject; @@ -1590,13 +1683,13 @@ return anyAnyPortObject; } /* - * Extract the IP Protocol field to determine the PortGroup. + * Extract the IP Protocol field to determine the PortGroup. */ PortObject * GetPortListIPPortObject( OptTreeNode * otn,PortTable * rulesPortTable, PortObject * anyAnyPortObject ) { if (GetOtnIpProto(otn) == -1) return anyAnyPortObject; - + /* TODO: optimize */ return anyAnyPortObject; } @@ -1604,20 +1697,20 @@ #if 0 Not currently used /* -* Extract the Icmp Type field to determine the PortGroup. +* Extract the Icmp Type field to determine the PortGroup. */ -static +static int GetOtnIcmpType(OptTreeNode * otn ) { int type; IcmpTypeCheckData * IcmpType; - + IcmpType = (IcmpTypeCheckData *)otn->ds_list[PLUGIN_ICMP_TYPE]; - + if( IcmpType && (IcmpType->operator == ICMP_TYPE_TEST_EQ) ) { type = IcmpType->icmp_type; - } + } else { return -1; @@ -1635,7 +1728,7 @@ * TCP/UDP rules use ports/portlists, icmp uses the icmp type field and ip uses the protocol * field as a dst port for the purposes of looking up a rule group as packets are being * processed. - * + * * TCP/UDP- use src/dst ports * ICMP - use icmp type as dst port,src=-1 * IP - use protocol as dst port,src=-1 
@@ -1654,7 +1747,7 @@ /* Get the protocol specific port object */ if( proto == IPPROTO_TCP || proto == IPPROTO_UDP ) { - portobject = ParsePortListTcpUdpPort(pvt, noname, port_str); + portobject = ParsePortListTcpUdpPort(pvt, noname, port_str); } else /* ICMP, IP - no real ports just Type and Protocol */ { @@ -1667,9 +1760,9 @@ } DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"Rule-PortVar Parsed: %s \n",port_str);); - - /* !ports - port lists can be mixed 80:90,!82, - * so the old NOT flag is depracated for port lists + + /* !ports - port lists can be mixed 80:90,!82, + * so the old NOT flag is depracated for port lists */ /* set up any any flags */ @@ -1681,7 +1774,7 @@ rtn->flags |= ANY_SRC_PORT; } - /* check for a pure not rule - fatal if we find one */ + /* check for a pure not rule - fatal if we find one */ if( PortObjectIsPureNot( portobject ) ) { ParseError("Pure NOT ports are not allowed!"); @@ -1693,7 +1786,7 @@ */ } - /* + /* * set to the port object for this rules src/dst port, * these are used during rtn/otn port verification of the rule. */ @@ -1706,9 +1799,6 @@ return 0; } -#endif /* PORTLISTS */ - - /**************************************************************************** * * Function: CheckForIPListConflicts @@ -1716,7 +1806,7 @@ * Purpose: Checks For IP List Conflicts in a RuleTreeNode. Such as * negations that are overlapping and more general are not allowed. * - * For example, the following is not allowed: + * For example, the following is not allowed: * * [1.1.0.0/16,!1.0.0.0/8] * 
@@ -1736,27 +1826,27 @@ return 0; #else IpAddrNode *idx = NULL, *neg_idx = NULL; - + if( !addrset ) return( -1 ); - + if(!addrset->iplist || !addrset->neg_iplist) return 0; - - for(idx = addrset->iplist; idx; idx = idx->next) + + for(idx = addrset->iplist; idx; idx = idx->next) { for(neg_idx = addrset->neg_iplist; neg_idx; neg_idx = neg_idx->next) { /* A smaller netmask means "less specific" */ if(neg_idx->netmask <= idx->netmask && /* Verify they overlap */ - ((neg_idx->ip_addr & neg_idx->netmask) == + ((neg_idx->ip_addr & neg_idx->netmask) == (idx->ip_addr & neg_idx->netmask))) { return 1; } } } - + return 0; #endif } @@ -1774,7 +1864,7 @@ * Returns: void function * ***************************************************************************/ -void AddRuleFuncToList(int (*func) (Packet *, struct _RuleTreeNode *, struct _RuleFpList *, int), RuleTreeNode * rtn) +void AddRuleFuncToList(int (*rfunc) (Packet *, struct _RuleTreeNode *, struct _RuleFpList *, int), RuleTreeNode * rtn) { RuleFpList *idx; @@ -1785,7 +1875,7 @@ { rtn->rule_func = (RuleFpList *)SnortAlloc(sizeof(RuleFpList)); - rtn->rule_func->RuleHeadFunc = func; + rtn->rule_func->RuleHeadFunc = rfunc; } else { @@ -1794,7 +1884,7 @@ idx->next = (RuleFpList *)SnortAlloc(sizeof(RuleFpList)); idx = idx->next; - idx->RuleHeadFunc = func; + idx->RuleHeadFunc = rfunc; } } @@ -2116,13 +2206,13 @@ /* Parses standalone rate_filter configuration. * - * Parses rate_filter configuration in the following format and populates internal - * structures: + * Parses rate_filter configuration in the following format and populates internal + * structures: * @code - * rate_filter gid , sid , - * track , - * count , seconds , - * new_action , + * rate_filter gid , sid , + * track , + * count , seconds , + * new_action , * timeout [, apply_to ]; * @endcode * And then adds it into pContext. 
@@ -2161,7 +2251,7 @@ int num_pairs; pairs = mSplit(toks[i], " \t", 2, &num_pairs, 0); /* get rule option pairs */ - + if (num_pairs != 2) { ParseError(ERR_NOT_PAIRED); @@ -2250,7 +2340,6 @@ { thdx.newAction = RULE_TYPE__LOG; } -#ifdef GIDS else if (!strcasecmp(pairs[1], "reject")) { thdx.newAction = RULE_TYPE__REJECT; @@ -2259,7 +2348,6 @@ { thdx.newAction = RULE_TYPE__SDROP; } -#endif else { ParseError(ERR_BAD_VALUE); @@ -2604,34 +2692,34 @@ for (config = sc->output_configs; config != NULL; config = config->next) { - OutputConfigFunc func; + OutputConfigFunc oc_func; file_name = config->file_name; file_line = config->file_line; - func = GetOutputConfigFunc(config->keyword); - if (func == NULL) + oc_func = GetOutputConfigFunc(config->keyword); + if (oc_func == NULL) ParseError("Unknown output plugin: \"%s\"", config->keyword); - func(config->opts); + oc_func(config->opts); } /* Configure output plugins for user defined rule types */ for (config = sc->rule_type_output_configs; config != NULL; config = config->next) { - OutputConfigFunc func; + OutputConfigFunc oc_func; file_name = config->file_name; file_line = config->file_line; - func = GetOutputConfigFunc(config->keyword); - if (func == NULL) + oc_func = GetOutputConfigFunc(config->keyword); + if (oc_func == NULL) ParseError("Unknown output plugin \"%s\"", config->keyword); /* Each user defined rule type has it's own rule list and output plugin is * attached to it's Alert and/or Log lists */ head_tmp = config->rule_list; - func(config->opts); + oc_func(config->opts); head_tmp = NULL; } @@ -2697,7 +2785,7 @@ * * Function: mergeDuplicateOtn() * - * Purpose: Conditionally removes duplicate SID/GIDs. Keeps duplicate with + * Purpose: Conditionally removes duplicate SID/GIDs. Keeps duplicate with * higher revision. If revision is the same, keeps newest rule. * * Arguments: otn_dup => The existing duplicate 
@@ -2724,22 +2812,22 @@ rtn_dup = getParserRtnFromOtn(otn_dup); - if((rtn_dup != NULL) && (rtn_dup->type != rtn_new->type)) + if((rtn_dup != NULL) && (rtn_dup->type != rtn_new->type)) { ParseError("GID %d SID %d in rule duplicates previous rule, with " "different type.", otn_new->sigInfo.generator, otn_new->sigInfo.id); } - if((otn_new->sigInfo.shared < otn_dup->sigInfo.shared) - || ((otn_new->sigInfo.shared == otn_dup->sigInfo.shared) + if((otn_new->sigInfo.shared < otn_dup->sigInfo.shared) + || ((otn_new->sigInfo.shared == otn_dup->sigInfo.shared) && (otn_new->sigInfo.rev < otn_dup->sigInfo.rev))) { //existing OTN is newer version. Keep existing and discard the new one. //OTN is for new policy group, salvage RTN deleteRtnFromOtn(otn_new, getParserPolicy()); - ParseMessage("GID %d SID %d duplicates previous rule. Using %s.", + ParseMessage("GID %d SID %d duplicates previous rule. Using %s.", otn_new->sigInfo.generator, otn_new->sigInfo.id, otn_dup->sigInfo.shared ? "SO rule.":"higher revision"); @@ -2764,7 +2852,7 @@ return 0; } - + //delete existing rule instance and keep the new one for (i = 0; i < otn_dup->proto_node_num; i++) @@ -2784,10 +2872,10 @@ ParseError("GID %d SID %d in rule duplicates previous rule.", otn_new->sigInfo.generator, otn_new->sigInfo.id); } - else + else { - LogMessage("%s(%d): GID %d SID %d in rule duplicates previous " - "rule. Ignoring old rule.\n", file_name, file_line, + ParseWarning("GID %d SID %d in rule duplicates previous " + "rule. Ignoring old rule.\n", otn_new->sigInfo.generator, otn_new->sigInfo.id); } @@ -2840,6 +2928,7 @@ char *rule_opts, RuleType rule_type, int protocol) { OptTreeNode *otn; + RuleOptOtnHandler otn_handler = NULL; int num_detection_opts = 0; char *dopt_keyword = NULL; OptFpList *fpl = NULL; 
@@ -2866,8 +2955,8 @@ addRtnToOtn(otn, getParserPolicy(), rtn); - otn->ruleIndex = RuleIndexMapAdd(ruleIndexMap, - otn->sigInfo.generator, + otn->ruleIndex = RuleIndexMapAdd(ruleIndexMap, + otn->sigInfo.generator, otn->sigInfo.id); } else @@ -2954,6 +3043,11 @@ { dopt->func(option_args, otn, protocol); + /* If this option contains an OTN handler, save it for + use after the rule is done parsing. */ + if (dopt->otn_handler != NULL) + otn_handler = dopt->otn_handler; + /* This is done so if we have a preprocessor/decoder * rule, we can tell the user that detection options * are not supported with those types of rules, and @@ -2974,15 +3068,21 @@ /* Maybe it's a preprocessor rule option */ PreprocOptionInit initFunc = NULL; PreprocOptionEval evalFunc = NULL; + PreprocOptionFastPatternFunc fpFunc = NULL; + PreprocOptionOtnHandler preprocOtnHandler = NULL; + PreprocOptionCleanup cleanupFunc = NULL; void *opt_data = NULL; int ret = GetPreprocessorRuleOptionFuncs - (opts[0], &initFunc, &evalFunc); + (opts[0], &initFunc, &evalFunc, + &preprocOtnHandler, &fpFunc, &cleanupFunc); if (ret && (initFunc != NULL)) { initFunc(opts[0], option_args, &opt_data); AddPreprocessorRuleOption(opts[0], otn, opt_data, evalFunc); + if (preprocOtnHandler != NULL) + otn_handler = (RuleOptOtnHandler)preprocOtnHandler; DEBUG_WRAP(DebugMessage(DEBUG_INIT, "%s->", opts[0]);); } @@ -3038,8 +3138,8 @@ } else { - otn->ruleIndex = RuleIndexMapAdd(ruleIndexMap, - otn->sigInfo.generator, + otn->ruleIndex = RuleIndexMapAdd(ruleIndexMap, + otn->sigInfo.generator, otn->sigInfo.id); } 
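Review bot: `otn_handler = dopt->otn_handler;` in the option loop silently overwrites any handler saved by an earlier option of the same rule, and the preprocessor branch in the next hunk does the same with `otn_handler = (RuleOptOtnHandler)preprocOtnHandler;`, so only the last handler encountered is run at the end of ParseRuleOptions. If a rule may legitimately carry more than one option that supplies a handler, this should either collect them or reject the second explicitly, e.g. `if (otn_handler != NULL) ParseError("Only one OTN handler per rule is supported.");`. The cast from PreprocOptionOtnHandler to RuleOptOtnHandler is only well-defined if the two typedefs have identical signatures; a comment stating that assumption at the cast would make it reviewable. `fpFunc` and `cleanupFunc` are fetched here but not used within the hunk; presumably they are consumed further down in ParseRuleOptions, whose body extends beyond this hunk.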
@@ -3053,11 +3153,8 @@ detect_rule_count++; else if (otn->sigInfo.rule_type == SI_RULE_TYPE_DECODE) { - /* mark the decoder rules with sid greater than 400 in the array */ - if (otn->sigInfo.id >= DECODE_START_INDEX && otn->sigInfo.id <= DECODE_SID_MAX) - { - sc->targeted_policies[getParserPolicy()]->decodeRulesArray[otn->sigInfo.id - DECODE_START_INDEX ] = 1; - } + //Set the bit if the decoder rule is enabled in the policies + UpdateDecodeRulesArray(otn->sigInfo.id, ENABLE_RULE, ENABLE_ONE_RULE); decode_rule_count++; } else if (otn->sigInfo.rule_type == SI_RULE_TYPE_PREPROC) @@ -3066,6 +3163,11 @@ fpl = AddOptFuncToList(OptListEnd, otn); fpl->type = RULE_OPTION_TYPE_LEAF_NODE; + if (otn_handler != NULL) + { + otn_handler(otn); + } + FinalizeContentUniqueness(otn); if ((thdx_tmp != NULL) && (otn->detection_filter != NULL)) @@ -3100,8 +3202,8 @@ } /* setup gid,sid->otn mapping */ - SoRuleOtnLookupAdd(sc->so_rule_otn_map, otn); - OtnLookupAdd(sc->otn_map, otn); + SoRuleOtnLookupAdd(sc->so_rule_otn_map, otn); + OtnLookupAdd(sc->otn_map, otn); return otn; } 
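Review bot: The replacement call `UpdateDecodeRulesArray(otn->sigInfo.id, ENABLE_RULE, ENABLE_ONE_RULE);` drops the range check (`id >= DECODE_START_INDEX && id <= DECODE_SID_MAX`) that previously guarded the write into decodeRulesArray; the sid comes from rule text, so UpdateDecodeRulesArray must perform that bounds check itself or the index can run past the array. That function is not visible from here — if it does not validate, the removed guard belongs either inside it or around this call. Once confirmed, a one-line comment at the call site such as `/* UpdateDecodeRulesArray range-checks sid against DECODE_START_INDEX..DECODE_SID_MAX */` would record the contract. The `otn_handler(otn)` call in the following hunk runs only after the option list is terminated with the leaf node; a comment noting that handlers may rely on the complete list would explain the placement.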
@@ -3149,30 +3251,48 @@ static int ProcessIP(SnortConfig *sc, char *addr, RuleTreeNode *rtn, int mode, int neg_list) { #ifndef SUP_IP6 - char *tok, *end, *tmp; - int neg_ip; + VarEntry *var_table = sc->targeted_policies[getParserPolicy()]->var_table; + VarEntry *ip_var = NULL; #else vartable_t *ip_vartable = sc->targeted_policies[getParserPolicy()]->ip_vartable; #endif - DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Got address string: %s\n", + DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Got address string: %s\n", addr);); - -#ifdef SUP_IP6 - /* If a rule has a variable in it, we want to copy that variable's + assert(rtn); +#ifdef SUP_IP6 + /* If a rule has a variable in it, we want to copy that variable's * contents to the IP variable (IP list) stored with the rtn. - * This code tries to look up the variable, and if found, will copy it + * This code tries to look up the variable, and if found, will copy it * to the rtn->{sip,dip} */ - if(mode == SRC) - { + if(mode == SRC) + { int ret; - if( !rtn->sip && ((rtn->sip = calloc(1, sizeof(sfip_var_t))) == NULL) ) + + if (rtn->sip == NULL) + { + sfip_var_t *tmp = sfvt_lookup_var(ip_vartable, addr); + if (tmp != NULL) + { + rtn->sip = sfvar_create_alias(tmp, tmp->name); + if (rtn->sip == NULL) + ret = SFIP_FAILURE; + else + ret = SFIP_SUCCESS; + } + else + { + rtn->sip = (sfip_var_t *)SnortAlloc(sizeof(sfip_var_t)); + ret = sfvt_add_to_var(ip_vartable, rtn->sip, addr); + } + } + else { - ParseError("Failed to allocate memory for address: %s.", addr); + ret = sfvt_add_to_var(ip_vartable, rtn->sip, addr); } /* The function sfvt_add_to_var adds 'addr' to the variable 'rtn->sip' */ - if((ret = sfvt_add_to_var(ip_vartable, rtn->sip, addr)) != SFIP_SUCCESS) + if (ret != SFIP_SUCCESS) { if(ret == SFIP_LOOKUP_FAILURE) { 
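Review bot: In the `rtn->sip == NULL` branch, a NULL return from `sfvar_create_alias` leaves `rtn->sip` NULL with `ret = SFIP_FAILURE`, but the only error branches visible are for SFIP_LOOKUP_FAILURE and SFIP_NOT_ANY; unless the else chain outside this hunk ends in an unconditional ParseError that does not return, execution reaches `rtn->sip->head` in the next hunk and dereferences NULL. Adding `if (rtn->sip == NULL) ParseError("Failed to alias IP variable: %s.", addr);` directly after the alias call makes the failure explicit regardless of that chain. The DST branch in the following hunk (`@@ -3194`) has the same shape for `rtn->dip` and needs the same treatment. Note also that `assert(rtn);` is compiled out under NDEBUG, so it is not a runtime guard for the dereferences that follow it.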
@@ -3184,7 +3304,7 @@ "non-negated ranges are not allowed. Consider " "inverting the logic: %s.", addr); } - else if(ret == SFIP_NOT_ANY) + else if(ret == SFIP_NOT_ANY) { ParseError("!any is not allowed: %s.", addr); } @@ -3194,21 +3314,39 @@ } } - if(rtn->sip->head && rtn->sip->head->flags & SFIP_ANY) + if(rtn->sip->head && rtn->sip->head->flags & SFIP_ANY) { rtn->flags |= ANY_SRC_IP; } - } + } /* mode == DST */ - else + else { int ret; - if( !rtn->dip && ((rtn->dip = calloc(1, sizeof(sfip_var_t))) == NULL) ) + + if (rtn->dip == NULL) + { + sfip_var_t *tmp = sfvt_lookup_var(ip_vartable, addr); + if (tmp != NULL) + { + rtn->dip = sfvar_create_alias(tmp, tmp->name); + if (rtn->dip == NULL) + ret = SFIP_FAILURE; + else + ret = SFIP_SUCCESS; + } + else + { + rtn->dip = (sfip_var_t *)SnortAlloc(sizeof(sfip_var_t)); + ret = sfvt_add_to_var(ip_vartable, rtn->dip, addr); + } + } + else { - ParseError("Failed to allocate memory for address: %s.", addr); + ret = sfvt_add_to_var(ip_vartable, rtn->dip, addr); } - if((ret = sfvt_add_to_var(ip_vartable, rtn->dip, addr)) != SFIP_SUCCESS) + if (ret != SFIP_SUCCESS) { if(ret == SFIP_LOOKUP_FAILURE) { @@ -3220,7 +3358,7 @@ "non-negated ranges are not allowed. Consider " "inverting the logic: %s.", addr); } - else if(ret == SFIP_NOT_ANY) + else if(ret == SFIP_NOT_ANY) { ParseError("!any is not allowed: %s.", addr); } 
@@ -3230,13 +3368,75 @@ } } - if(rtn->dip->head && rtn->dip->head->flags & SFIP_ANY) + if(rtn->dip->head && rtn->dip->head->flags & SFIP_ANY) { rtn->flags |= ANY_DST_IP; } } #else - while(*addr) + + if ((var_table != NULL) && (*addr == '$')) + { + VarEntry *tmp = var_table; + + do + { + /* addr+1 to move past $ */ + if (strcmp(tmp->name, addr+1) == 0) + { + if (tmp->addrset != NULL) + { + if (mode == SRC) + rtn->sip = IpAddrSetCopy(tmp->addrset); + else + rtn->dip = IpAddrSetCopy(tmp->addrset); + + return 0; + } + + ip_var = tmp; + break; + } + + tmp = tmp->next; + + } while (tmp != var_table); + } + + ProcessIpList(sc, addr, rtn, mode, neg_list); + + if (ip_var != NULL) + { + if ((mode == SRC) && (rtn->sip)) + { + rtn->sip->id = ip_var->id; + ip_var->addrset = IpAddrSetCopy(rtn->sip); + } + else if ((mode == DST) && (rtn->dip)) + { + rtn->dip->id = ip_var->id; + ip_var->addrset = IpAddrSetCopy(rtn->dip); + } + } + +#endif + + /* Make sure the IP lists provided by the user are valid */ + if (mode == SRC) + ValidateIPList(rtn->sip, addr); + else + ValidateIPList(rtn->dip, addr); + + return 0; +} + +#ifndef SUP_IP6 +static int ProcessIpList(SnortConfig *sc, char *addr, RuleTreeNode *rtn, int mode, int neg_list) +{ + char *tok, *end, *tmp; + int neg_ip; + + while (*addr) { /* Skip whitespace and leading commas */ for(; *addr && (isspace((int)*addr) || *addr == ','); addr++) ; 
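Review bot: In the non-SUP_IP6 path, the cached-variable branch (`rtn->sip = IpAddrSetCopy(tmp->addrset); ... return 0;`) returns before `ValidateIPList` runs and before the ANY_SRC_IP/ANY_DST_IP flags are set; those flags are only set inside ProcessIpList while parsing (see `rtn->flags |= ANY_SRC_IP` in hunk `@@ -3305`), so the second and later rules that reuse a variable defined as `any` would carry the copied address set without the flag, unless IpAddrSetCopy or a later pass restores it. Since the rewritten TestHeader compares `rule->flags` before merging headers, this would also keep otherwise identical headers apart. Replacing the early `return 0;` with a jump to the common `ValidateIPList` tail, and deriving the any-flag from the copied set there, would keep both paths consistent. ProcessIpList's definition begins here but continues past the end of this hunk.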
@@ -3244,59 +3444,59 @@ /* Handle multiple negations (such as if someone negates variable that * contains a negated IP */ neg_ip = 0; - for(; *addr == '!'; addr++) - neg_ip = !neg_ip; + for(; *addr == '!'; addr++) + neg_ip = !neg_ip; /* Find end of this token */ - for(end = addr+1; - *end && !isspace((int)*end) && *end != ']' && *end != ','; - end++) ; + for(end = addr+1; + *end && !isspace((int)*end) && *end != ']' && *end != ','; + end++) ; tok = SnortStrndup(addr, end - addr); if (!tok) ParseError("Unterminated IP List '%s'.", addr); - if(*addr == '[') + if(*addr == '[') { int brack_count = 0; char *list_tok; - + /* Find corresponding ending bracket */ - for(end = addr; *end; end++) + for(end = addr; *end; end++) { - if(*end == '[') + if(*end == '[') brack_count++; else if(*end == ']') brack_count--; - + if(!brack_count) break; } - - if(!*end) + + if(!*end) ParseError("Unterminated IP List '%s'.", addr); addr++; - + list_tok = SnortStrndup(addr, end - addr); - + if(!list_tok) ParseError("Failed to allocate space for parsing '%s'.", addr); - ProcessIP(sc, list_tok, rtn, mode, neg_list ^ neg_ip); + ProcessIpList(sc, list_tok, rtn, mode, neg_list ^ neg_ip); free(list_tok); } - else if(*addr == '$') + else if(*addr == '$') { if((tmp = VarGet(tok + 1)) == NULL) ParseError("Undefined variable %s.", addr); - ProcessIP(sc, tmp, rtn, mode, neg_list ^ neg_ip); + ProcessIpList(sc, tmp, rtn, mode, neg_list ^ neg_ip); } else if(*addr == ']') { - if(!(*(addr+1))) + if(!(*(addr+1))) { /* Succesfully reached the end of this list */ free(tok); 
@@ -3305,22 +3505,22 @@ ParseError("Mismatched bracket in '%s'.", addr); } - else + else { /* Skip leading commas */ for(; *addr && (*addr == ',' || isspace((int)*addr)); addr++) ; - if(mode == SRC) + if(mode == SRC) { if(!rtn->sip) rtn->sip = (IpAddrSet*)SnortAlloc(sizeof(IpAddrSet)); ParseIP(tok, rtn->sip, neg_list ^ neg_ip); - if(rtn->sip->iplist && - !rtn->sip->iplist->ip_addr && !rtn->sip->iplist->netmask) + if(rtn->sip->iplist && + !rtn->sip->iplist->ip_addr && !rtn->sip->iplist->netmask) rtn->flags |= ANY_SRC_IP; - + } else { @@ -3330,25 +3530,24 @@ ParseIP(tok, rtn->dip, neg_list ^ neg_ip); if(rtn->dip->iplist && - !rtn->dip->iplist->ip_addr && !rtn->dip->iplist->netmask) + !rtn->dip->iplist->ip_addr && !rtn->dip->iplist->netmask) rtn->flags |= ANY_DST_IP; /* Note: the neg_iplist is not checked for '!any' here since * ParseIP should have already FatalError'ed on it. */ } } - + free(tok); if(*end) - addr = end + 1; + addr = end + 1; else break; } -#endif return 0; } - +#endif /**************************************************************************** * @@ -3394,16 +3593,16 @@ *hi_port = 0; *lo_port = 0; return 1; - } + } if(rule_port[0] == '!') { if(!strcasecmp(&rule_port[1], "any")) { - ParseMessage("Warning: Negating \"any\" is invalid. Rule " + ParseWarning("Negating \"any\" is invalid. Rule " "will be ignored."); return -1; - } + } *not_flag = 1; rule_port++; @@ -3532,20 +3731,10 @@ rtn->sip = test_node->sip; rtn->dip = test_node->dip; - // PORTLISTS rtn->proto = test_node->proto; -#ifdef PORTLISTS rtn->src_portobject = test_node->src_portobject; rtn->dst_portobject = test_node->dst_portobject; -#else - rtn->hsp = test_node->hsp; - rtn->lsp = test_node->lsp; - rtn->hdp = test_node->hdp; - rtn->ldp = test_node->ldp; - rtn->not_sp_flag = test_node->not_sp_flag; - rtn->not_dp_flag = test_node->not_dp_flag; -#endif } /**************************************************************************** 
@@ -3558,7 +3747,7 @@ * Returns: 1 if they match, 0 if they don't * ***************************************************************************/ -int CompareIPNodes(IpAddrNode *one, IpAddrNode *two) +int CompareIPNodes(IpAddrNode *one, IpAddrNode *two) { #ifdef SUP_IP6 if( (sfip_compare(one->ip, two->ip) != SFIP_EQUAL) || @@ -3575,6 +3764,21 @@ return 1; } +#ifndef SUP_IP6 +static int CompareIPAddrSets(IpAddrSet *one, IpAddrSet *two) +{ + if ((one->id != 0) && (one->id == two->id)) + return 1; + + if (!CompareIPLists(one->iplist, two->iplist)) + return 0; + + if (!CompareIPLists(one->neg_iplist, two->neg_iplist)) + return 0; + + return 1; +} + /**************************************************************************** * * Function: CompareIPLists(RuleTreeNode *, RuleTreeNode *). Support function @@ -3585,7 +3789,7 @@ * Returns: 1 if they match, 0 if they don't * ***************************************************************************/ -int CompareIPLists(IpAddrNode *one, IpAddrNode *two) +static int CompareIPLists(IpAddrNode *one, IpAddrNode *two) { IpAddrNode *idx1, *idx2; int i, match; 
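Review bot: `if ((one->id != 0) && (one->id == two->id)) return 1;` in CompareIPAddrSets treats a matching non-zero id as proof that the two sets are identical, which holds only if an id stays bound to exactly one value for the life of the parse. The redefinition path in VarDefine (hunk `@@ -4190` below) replaces `p->value` without visibly resetting `p->id` or `p->addrset`, so a rule parsed before a `var` is redefined and one parsed after could be merged by id while their sets differ — unless that branch clears these fields outside the hunk. A comment stating the invariant, `/* ids are unique per variable value; VarDefine must reset id/addrset on redefinition */`, together with the corresponding reset in VarDefine, would close this. CompareIPLists is also made static in the next hunk; any header declaration of it should be updated to match.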
@@ -3597,19 +3801,19 @@ return 1; /* Walk first list. For each node, check if there is an equal - * counterpart in the second list. This method breaks down of there are + * counterpart in the second list. This method breaks down of there are * duplicated nodes. For instance, if one = {a, b} and two = {a, a}. - * Therefore, need additional data structure[s] ('usage') to check off - * which nodes have been accounted for already. + * Therefore, need additional data structure[s] ('usage') to check off + * which nodes have been accounted for already. * * Also, the lists are unordered, so comparing node-for-node won't work */ - for(idx1 = one; idx1; idx1 = idx1->next) + for(idx1 = one; idx1; idx1 = idx1->next) total1++; - for(idx2 = two; idx2; idx2 = idx2->next) + for(idx2 = two; idx2; idx2 = idx2->next) total2++; - if(total1 != total2) + if(total1 != total2) return 0; usage = (char *)SnortAlloc(total1); @@ -3637,7 +3841,7 @@ free(usage); return 1; } - +#endif /**************************************************************************** * 
@@ -3653,74 +3857,62 @@ ***************************************************************************/ static int TestHeader(RuleTreeNode * rule, RuleTreeNode * rtn) { -#ifdef SUP_IP6 - if(rule->sip && rtn->sip) - { - if(sfvar_compare(rule->sip, rtn->sip) != SFIP_EQUAL) - { - return 0; - } - } + if ((rule == NULL) || (rtn == NULL)) + return 0; - if(rule->dip && rtn->dip) - { - if(sfvar_compare(rule->dip, rtn->dip) != SFIP_EQUAL) - { - return 0; - } - } + if (rule->type != rtn->type) + return 0; + + if (rule->proto != rtn->proto) + return 0; + + /* For custom rule type declarations */ + if (rule->listhead != rtn->listhead) + return 0; + + if (rule->flags != rtn->flags) + return 0; + + if ((rule->sip != NULL) && (rtn->sip != NULL) && +#ifdef SUP_IP6 + (sfvar_compare(rule->sip, rtn->sip) != SFIP_EQUAL)) #else - if(rule->sip && rtn->sip) + (!CompareIPAddrSets(rule->sip, rtn->sip))) +#endif { - if(!CompareIPLists(rule->sip->iplist, rtn->sip->iplist)) - return 0; - if(!CompareIPLists(rule->sip->neg_iplist, rtn->sip->neg_iplist)) - return 0; + return 0; } - if(rule->dip && rtn->dip) - { - if(!CompareIPLists(rule->dip->iplist, rtn->dip->iplist)) - return 0; - if(!CompareIPLists(rule->dip->neg_iplist, rtn->dip->neg_iplist)) - return 0; - } + if ((rule->dip != NULL) && (rtn->dip != NULL) && +#ifdef SUP_IP6 + (sfvar_compare(rule->dip, rtn->dip) != SFIP_EQUAL)) +#else + (!CompareIPAddrSets(rule->dip, rtn->dip))) #endif - -#ifdef PORTLISTS - /* - * compare the port group pointers - this prevents confusing src/dst port objects - * with the same port set, and it's quicker. It does assume that we only have - * one port object and pointer for each unique port set...this is handled by the - * parsing and initial port object storage and lookup. This must be consistent during - * the rule parsing phase. 
- man - */ - if ((rtn->src_portobject == rule->src_portobject) && - (rtn->dst_portobject == rule->dst_portobject) && - (rtn->flags == rule->flags)) { - return 1; + return 0; } -#else - if ((rtn->hsp == rule->hsp) && (rtn->lsp == rule->lsp) && - (rtn->hdp == rule->hdp) && (rtn->ldp == rule->ldp) && - (rtn->flags == rule->flags)) + /* compare the port group pointers - this prevents confusing src/dst port objects + * with the same port set, and it's quicker. It does assume that we only have + * one port object and pointer for each unique port set...this is handled by the + * parsing and initial port object storage and lookup. This must be consistent during + * the rule parsing phase. - man */ + if ((rule->src_portobject != rtn->src_portobject) + || (rule->dst_portobject != rtn->dst_portobject)) { - return 1; + return 0; } -#endif - return 0; + return 1; } -#ifdef PORTLISTS /* * PortVarDefine * * name - portlist name, i.e. http, smtp, ... * s - port number, port range, or a list of numbers/ranges in brackets - * + * * examples: * portvar http [80,8080,8138,8700:8800,!8711] * portvar http $http_basic @@ -3733,9 +3925,9 @@ int rstat; PortVarTable *portVarTable = sc->targeted_policies[getParserPolicy()]->portVarTable; - DisallowCrossTableDuplicateVars(sc, name, VAR_TYPE__PORTVAR); + DisallowCrossTableDuplicateVars(sc, name, VAR_TYPE__PORTVAR); - if( SnortStrcasestr(s,"any") ) /* this allows 'any' or '[any]' */ + if( SnortStrcasestr(s,strlen(s),"any") ) /* this allows 'any' or '[any]' */ { if(strstr(s,"!")) { @@ -3781,7 +3973,6 @@ return 0; } -#endif /**************************************************************************** * @@ -3820,7 +4011,7 @@ static int VarIsIpAddr(vartable_t *ip_vartable, char *value) { char *tmp; - + /* empty list, consider this an IP address */ if ((*value == '[') && (*(value+1) == ']')) return 1; 
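Review bot: The IP comparison in the rewritten TestHeader is skipped whenever either side's `sip` is NULL — `(rule->sip != NULL) && (rtn->sip != NULL) && ...` falls through as a match — so an RTN with no source set and one with a populated set compare equal on the remaining fields. If a NULL set is never reachable here after parsing this is harmless, but a comment saying so, or an explicit `if ((rule->sip == NULL) != (rtn->sip == NULL)) return 0;`, would remove the ambiguity. The same applies to the `dip` comparison later in the hunk. The function body is otherwise complete within this hunk.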
@@ -3829,10 +4020,10 @@ /* Check for dotted-quad */ if( isdigit((int)*value) && - ((tmp = strchr(value, (int)'.')) != NULL) && + ((tmp = strchr(value, (int)'.')) != NULL) && ((tmp = strchr(tmp+1, (int)'.')) != NULL) && (strchr(tmp+1, (int)'.') != NULL)) - return 1; + return 1; /* IPv4 with a mask, and fewer than 4 fields */ else if( isdigit((int)*value) && @@ -3842,15 +4033,15 @@ return 1; /* IPv6 */ - else if((tmp = strchr(value, (int)':')) != NULL) + else if((tmp = strchr(value, (int)':')) != NULL) { char *tmp2; - if((tmp2 = strchr(tmp+1, (int)':')) == NULL) + if((tmp2 = strchr(tmp+1, (int)':')) == NULL) return 0; for(tmp++; tmp < tmp2; tmp++) - if(!isxdigit((int)*tmp)) + if(!isxdigit((int)*tmp)) return 0; return 1; @@ -3868,7 +4059,7 @@ } /**************************************************************************** - * + * * Function: CheckBrackets(char *) * * Purpose: Check that the brackets match up in a string that @@ -3954,13 +4145,13 @@ /**************************************************************************** * - * Function: DisallowCrossTableDuplicateVars(char *, int) + * Function: DisallowCrossTableDuplicateVars(char *, int) * - * Purpose: FatalErrors if the a variable name is redefined across variable + * Purpose: FatalErrors if the a variable name is redefined across variable * types. Enforcing this mutual exclusion prevents the * catatrophe where the variable lookup fall-through (see VarSearch) * finds an unintended variable from the wrong table. Note: VarSearch - * is only necessary for ExpandVars. + * is only necessary for ExpandVars. * * Arguments: name => The name of the variable * var_type => The type of the variable that is about to be defined. 
@@ -3969,48 +4160,36 @@ * Returns: void function * ***************************************************************************/ -static void DisallowCrossTableDuplicateVars(SnortConfig *sc, char *name, VarType var_type) +static void DisallowCrossTableDuplicateVars(SnortConfig *sc, char *name, VarType var_type) { VarEntry *var_table = sc->targeted_policies[getParserPolicy()]->var_table; -#ifdef SUP_IP6 - vartable_t *ip_vartable = sc->targeted_policies[getParserPolicy()]->ip_vartable; -#endif -#ifdef PORTLISTS PortVarTable *portVarTable = sc->targeted_policies[getParserPolicy()]->portVarTable; -#endif -#if defined(SUP_IP6) || defined(PORTLISTS) VarEntry *p = var_table; +#ifdef SUP_IP6 + vartable_t *ip_vartable = sc->targeted_policies[getParserPolicy()]->ip_vartable; #endif -#ifdef PORTLISTS /* If this is a faked Portvar, treat as a portvar */ if ((var_type == VAR_TYPE__DEFAULT) && (strstr(name, "_PORT") || strstr(name, "PORT_"))) { var_type = VAR_TYPE__PORTVAR; } -#endif - switch (var_type) + switch (var_type) { case VAR_TYPE__DEFAULT: - if( + if (PortVarTableFind(portVarTable, name) #ifdef SUP_IP6 - sfvt_lookup_var(ip_vartable, name) || -#endif -#ifdef PORTLISTS - PortVarTableFind(portVarTable, name) || + || sfvt_lookup_var(ip_vartable, name) #endif - /* This 0 is for the case that neither IPv6 - * support or Portlists is compiled in. Quiets a warning. */ - 0) + ) { ParseError("Can not redefine variable name %s to be of type " "'var'. Use a different name.", name); } break; -#ifdef PORTLISTS case VAR_TYPE__PORTVAR: if (var_table != NULL) { @@ -4032,7 +4211,6 @@ "'portvar'. Use a different name.", name); } #endif /* SUP_IP6 */ -#endif /* PORTLISTS */ break; @@ -4052,13 +4230,11 @@ } while(p != var_table); } -#ifdef PORTLISTS - if(PortVarTableFind(portVarTable, name)) + if(PortVarTableFind(portVarTable, name)) { ParseError("Can not redefine variable name %s to be of type " "'ipvar'. Use a different name.", name); } -#endif /* PORTLISTS */ #endif /* SUP_IP6 */ default: 
@@ -4086,8 +4262,7 @@ vartable_t *ip_vartable = sc->targeted_policies[getParserPolicy()]->ip_vartable; #endif VarEntry *p; - //int vlen,n; - //char *s; + uint32_t var_id = 0; if(value == NULL) { @@ -4096,19 +4271,19 @@ } #ifdef SUP_IP6 - if(VarIsIpList(ip_vartable, value)) + if(VarIsIpList(ip_vartable, value)) { SFIP_RET ret; if (ip_vartable == NULL) return NULL; - /* Verify a variable by this name is not already used as either a + /* Verify a variable by this name is not already used as either a * portvar or regular var. Enforcing this mutual exclusion prevents the * catatrophe where the variable lookup fall-through (see VarSearch) * finds an unintended variable from the wrong table. Note: VarSearch * is only necessary for ExpandVars. */ - DisallowCrossTableDuplicateVars(sc, name, VAR_TYPE__IPVAR); + DisallowCrossTableDuplicateVars(sc, name, VAR_TYPE__IPVAR); if((ret = sfvt_define(ip_vartable, name, value)) != SFIP_SUCCESS) { @@ -4141,7 +4316,7 @@ else if(*value == '$') { sfip_var_t *var; - if((var = sfvt_lookup_var(ip_vartable, value)) != NULL) + if((var = sfvt_lookup_var(ip_vartable, value)) != NULL) { sfvt_define(ip_vartable, name, value); return NULL; 
@@ -4150,32 +4325,55 @@ #endif -#ifdef PORTLISTS DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS, "VarDefine: name=%s value=%s\n",name,value);); - value = ExpandVars(sc, value); - if(!value) - { - ParseError("Could not expand var('%s').", name); - } - - DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS, - "VarDefine: name=%s value=%s (expanded)\n",name,value);); -#endif - - DisallowCrossTableDuplicateVars(sc, name, VAR_TYPE__DEFAULT); - if (var_table == NULL) + /* Check to see if this variable is just being aliased */ + if (var_table != NULL) + { + VarEntry *tmp = var_table; + + do + { + /* value+1 to move past $ */ + if (strcmp(tmp->name, value+1) == 0) + { + var_id = tmp->id; + break; + } + + tmp = tmp->next; + + } while (tmp != var_table); + } + + value = ExpandVars(sc, value); + if(!value) + { + ParseError("Could not expand var('%s').", name); + } + + DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS, + "VarDefine: name=%s value=%s (expanded)\n",name,value);); + + DisallowCrossTableDuplicateVars(sc, name, VAR_TYPE__DEFAULT); + + if (var_table == NULL) { p = VarAlloc(); p->name = SnortStrdup(name); p->value = SnortStrdup(value); - + p->prev = p; p->next = p; sc->targeted_policies[getParserPolicy()]->var_table = p; + if (!var_id) + p->id = sc->targeted_policies[getParserPolicy()]->var_id++; + else + p->id = var_id; + return p; } @@ -4190,7 +4388,7 @@ free(p->value); p->value = SnortStrdup(value); - LogMessage("Var '%s' redefined\n", p->name); + ParseWarning("Var '%s' redefined\n", p->name); return p; } @@ -4206,10 +4404,15 @@ p->next->prev = p; var_table->next = p; + if (!var_id) + p->id = sc->targeted_policies[getParserPolicy()]->var_id++; + else + p->id = var_id; + #ifdef XXXXXXX vlen = strlen(value); LogMessage("Var '%s' defined, value len = %d chars", p->name, vlen ); - + if( vlen < 64 ) { LogMessage(", value = %s\n", value ); 
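Review bot: The new alias scan compares `tmp->name` against `value+1` without first checking that `*value == '$'`, unlike the matching lookup in ProcessIP, so any value whose tail happens to equal an existing variable name (a constructed example: `var A 80` then `var B x...` where the text after the first character equals an existing name) would inherit that variable's id, and CompareIPAddrSets (hunk `@@ -3575`) then treats the two as equal by id; if an empty value can reach this point, `value+1` also reads past the terminator. Guard the scan the same way ProcessIP does: `if ((var_table != NULL) && (*value == '$'))`. Separately, as far as visible the redefinition branch (`@@ -4190`) keeps the old `p->id` and `p->addrset` while swapping `p->value`, so later uses of the redefined variable through ProcessIP's cache would still receive the old address set; destroying the cached set there, mirroring the VarFree hunk (`IpAddrSetDestroy(p->addrset); free(p->addrset); p->addrset = NULL;`), and assigning a fresh id would keep the cache coherent.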
@@ -4243,6 +4446,11 @@ free(p->name); if (p->value) free(p->value); + if (p->addrset) + { + IpAddrSetDestroy(p->addrset); + free(p->addrset); + } free(p); p = q; if (p == var_table) @@ -4286,12 +4494,12 @@ #ifdef SUP_IP6 // XXX-IPv6 This function should never be used if IP6 support is enabled! -// Infact it won't presently even work for IP variables since the raw ASCII +// Infact it won't presently even work for IP variables since the raw ASCII // value is never stored, and is never meant to be used. ip_vartable = sc->targeted_policies[getParserPolicy()]->ip_vartable; if((var = sfvt_lookup_var(ip_vartable, name)) == NULL) { - /* Do the old style lookup since it wasn't found in + /* Do the old style lookup since it wasn't found in * the variable table */ if(var_table != NULL) { @@ -4349,7 +4557,7 @@ * * Returns: * char * - * The expanded string. Note that the string is returned in a + * The expanded string. Note that the string is returned in a * static variable and most likely needs to be string dup'ed. * ***************************************************************************/ @@ -4374,7 +4582,7 @@ while(i < l_string && j < (int)sizeof(estring) - 1) { c = string[i++]; - + if(c == '"') { /* added checks to make sure that we are inside a quoted string @@ -4596,7 +4804,7 @@ { activateData->otn->RTN_activation_ptr = otn->proto_nodes[getParserPolicy()]; //activateData->RTN_activation_ptr = otn->proto_node[policyId]; - activateData->otn->OTN_activation_ptr = otn; + activateData->otn->OTN_activation_ptr = otn; sfghash_remove(actHash, &activateKey); } else @@ -4620,7 +4828,7 @@ if(filespec == NULL) { - FatalError("no argument in this file option, remove extra ':' at the end of the alert option\n"); + FatalError("no arguement in this file option, remove extra ':' at the end of the alert option\n"); } /* look for ".." in the string and complain and exit if it is found */ 
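Review bot: The new side of the FatalError message reads `no arguement in this file option`, replacing the correctly spelled "argument" on the old side; this looks like an accidental regression rather than an intended change, so keep `FatalError("no argument in this file option, remove extra ':' at the end of the alert option\n");`. In the VarFree hunk above, the added `IpAddrSetDestroy(p->addrset); free(p->addrset);` implies VarEntry owns the cached set; a short comment on the `addrset` field stating that ownership would make it explicit for the copy paths in ProcessIP.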
@@ -4788,7 +4996,7 @@ * * Notes: man - modified to used .shared flag in otn sigInfo instead of specialGID * sas - removed specialGID - * + * *****************************************************************************/ int CheckRuleStates(SnortConfig *sc) { @@ -4806,8 +5014,8 @@ hashNode = sfghash_findnext(sc->otn_map)) { otn = (OptTreeNode *)hashNode->data; - for (policyId = 0; - policyId < otn->proto_node_num; + for (policyId = 0; + policyId < otn->proto_node_num; policyId++) { rtn = otn->proto_nodes[policyId]; 
@@ -4818,14 +5026,58 @@ } if ((rtn->proto == IPPROTO_TCP) || (rtn->proto == IPPROTO_UDP) || - (rtn->proto == IPPROTO_ICMP) || (rtn->proto == ETHERNET_TYPE_IP)) - { + (rtn->proto == IPPROTO_ICMP) || (rtn->proto == ETHERNET_TYPE_IP)) + { //do operation if ( otn->sigInfo.shared ) { if (otn->ds_list[PLUGIN_DYNAMIC] == NULL) { - LogMessage("Encoded Rule Plugin SID: %d, GID: %d not " + // Have a dynamic rule but no dynamic plugin + if (otn->sigInfo.id != otn->sigInfo.otnKey.sid) + { + // If its a different SID, but same soid metadata as something + // else, try to find it + OptTreeNode *otn_original; + otn_original = SoRuleOtnLookup(sc->so_rule_otn_map, + otn->sigInfo.otnKey.gid, otn->sigInfo.otnKey.sid); + if (otn_original) + { + OptFpList *opt_func = otn->opt_func; + while (opt_func != NULL) + { + /* Delete the option functions that came from the + * parsing -- this rule will be identical to its + * "cloned" brother. */ + OptFpList *tmp = opt_func; + opt_func = opt_func->next; + free(tmp); + } + if (otn_original->sigInfo.shared) + { + /* Its still a shared object -- has its own detection function. */ + otn->ds_list[PLUGIN_DYNAMIC] = otn_original->ds_list[PLUGIN_DYNAMIC]; + } + else + { + /* It was back-converted from a shared object */ + int i; + for (i=PLUGIN_CLIENTSERVER; ids_list[i] = otn_original->ds_list[i]; + } + otn->sigInfo.shared = 0; /* no longer shared */ + } + otn->opt_func = otn_original->opt_func; + otn->sigInfo.dup_opt_func = 1; + } + } + } + + if (otn->sigInfo.shared && (otn->ds_list[PLUGIN_DYNAMIC] == NULL)) + { + /* If still shared... */ + ParseWarning("Encoded Rule Plugin SID: %d, GID: %d not " "registered properly. Disabling this rule.\n", otn->sigInfo.id, otn->sigInfo.generator); oneErr = 1; @@ -4849,7 +5101,7 @@ * Returns: void function * * Notes: specialGID is depracated, uses sigInfo.shared flag - * + * *****************************************************************************/ void SetRuleStates(SnortConfig *sc) { 
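Review bot: After the `free(tmp)` loop, `otn->opt_func = otn_original->opt_func` makes two OTNs share one OptFpList and nothing in the hunk shows which side owns it; presumably `dup_opt_func = 1` tells the free path to skip the clone, but that deserves a comment at the assignment, e.g. `/* list owned by otn_original; dup_opt_func keeps the OTN free path from releasing it twice */`. The loop also releases only the OptFpList nodes themselves, so any per-option context they reference is not freed here — worth confirming against whatever allocated them. The `for (i=PLUGIN_CLIENTSERVER; ...` line copying `ds_list` appears truncated in this rendering, so its bound could not be checked. CheckRuleStates starts and ends outside this hunk.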
@@ -4921,14 +5173,14 @@ state = (RuleState *)SnortAlloc(sizeof(RuleState)); - state->sid = strtoul(toks[0], &endptr, 0); + state->sid = SnortStrtoul(toks[0], &endptr, 0); if ((errno == ERANGE) || (*endptr != '\0')) { ParseError("Invalid sid for rule state: %s. Sid must be between 0 and " "%u inclusive.", args, UINT32_MAX); } - state->gid = strtoul(toks[1], &endptr, 0); + state->gid = SnortStrtoul(toks[1], &endptr, 0); if ((errno == ERANGE) || (*endptr != '\0')) { ParseError("Invalid gid for rule state: %s. Gid must be between 0 and " @@ -5183,8 +5435,8 @@ if ((sc == NULL) || (fp == NULL) || (arg == NULL)) return; - /* Already parsed this or ignoring for any non-default policy, but need to move past - * the rule declaration because it doesn't have continuation characters + /* Already parsed this or ignoring for any non-default policy, but need to move past + * the rule declaration because it doesn't have continuation characters */ if (prules /* parsing rules */ || (getParserPolicy() != getDefaultPolicy())) 
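Review bot: The range promised by the ParseError text ('between 0 and %u inclusive' with UINT32_MAX) is not enforced: on LP64 platforms `SnortStrtoul` returns an unsigned long, so a value such as 4294967296 parses without ERANGE and is truncated when stored into `state->sid` (presumably a 32-bit field, given the message). Capture the result first and compare it, `unsigned long v = SnortStrtoul(toks[0], &endptr, 0); if ((errno == ERANGE) || (*endptr != '\0') || (v > UINT32_MAX)) ParseError(...); state->sid = (uint32_t)v;`, and likewise for `state->gid`. Unless SnortStrtoul clears errno itself (not visible here), set `errno = 0` before the call so a stale ERANGE cannot reject a valid id. The enclosing function starts and ends outside this hunk.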
@@ -5381,47 +5633,34 @@ static char * VarSearch(SnortConfig *sc, char *name) { VarEntry *var_table = sc->targeted_policies[getParserPolicy()]->var_table; + PortVarTable *portVarTable = sc->targeted_policies[getParserPolicy()]->portVarTable; #ifdef SUP_IP6 vartable_t *ip_vartable = sc->targeted_policies[getParserPolicy()]->ip_vartable; -#endif -#ifdef PORTLISTS - PortVarTable *portVarTable = sc->targeted_policies[getParserPolicy()]->portVarTable; -#endif + sfip_var_t *ipvar; -#ifdef SUP_IP6 - if(!sfvt_lookup_var(ip_vartable, name)) - { + if ((ipvar = sfvt_lookup_var(ip_vartable, name)) != NULL) + return ExpandVars(sc, ipvar->value); #endif -#ifdef PORTLISTS - if(!PortVarTableFind(portVarTable, name)) + /* XXX Return a string value */ + if (PortVarTableFind(portVarTable, name)) + return name; + + if (var_table != NULL) { -#endif - if(var_table != NULL) + VarEntry *p = var_table; + do { - VarEntry *p = var_table; - do - { - if(strcasecmp(p->name, name) == 0) - return p->value; - p = p->next; - } while(p != var_table); - } - - return NULL; - -#ifdef PORTLISTS - } -#endif + if(strcasecmp(p->name, name) == 0) + return p->value; + p = p->next; -#ifdef SUP_IP6 + } while(p != var_table); } -#endif - return name; + return NULL; } - /***************************************************************** * Function: GetPcaps() * @@ -5470,7 +5709,7 @@ arg, strerror(errno)); return -1; } - else if (!(stat_buf.st_mode & S_IFREG)) + else if (!(stat_buf.st_mode & (S_IFREG|S_IFIFO))) { ErrorMessage("Specified pcap is not a regular file: %s\n", arg); return -1; @@ -5571,10 +5810,10 @@ { #ifdef WIN32 ErrorMessage("Specified entry in \'%s\' is not a regular file: %s\n", - pcap_file, path_buf_ptr); + arg, path_buf_ptr); #else ErrorMessage("Specified entry in \'%s\' is not a regular file or directory: %s\n", - pcap_file, path_buf_ptr); + arg, path_buf_ptr); #endif fclose(pcap_file); return -1; 
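Review bot: The IP-variable branch now returns `ExpandVars(sc, ipvar->value)`, and the ExpandVars header comment earlier in this diff says that string lives in a static buffer, while the other two return paths hand back storage owned by the variable tables (`name`, `p->value`); a caller that keeps a VarSearch result across another expansion therefore gets a different lifetime depending on which table matched. Document it at that return, e.g. `/* NOTE: static ExpandVars buffer -- copy before the next expansion */`, or duplicate consistently. The `/* XXX Return a string value */` branch returns `name` for a port variable, which only signals existence rather than a value; a sentence saying so would help callers.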
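Review bot: In the hunk at -5470, `stat_buf.st_mode & (S_IFREG|S_IFIFO)` is a bit test on the multi-bit `S_IFMT` field, not a type check: on common implementations a socket's type code (`S_IFSOCK`) contains the `S_IFREG` bit, so it passes this test as well. Use the POSIX predicates, `else if (!S_ISREG(stat_buf.st_mode) && !S_ISFIFO(stat_buf.st_mode))`, and update the message, which still says 'not a regular file' although FIFOs are now accepted. The same test is added in the hunk at -5609 below. The enclosing function starts and ends outside this hunk.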
@@ -5609,7 +5848,7 @@ tmp, strerror(errno)); return -1; } - else if (!(stat_buf.st_mode & S_IFREG)) + else if (!(stat_buf.st_mode & (S_IFREG|S_IFIFO))) { ErrorMessage("Specified pcap is not a regular file: %s\n", tmp); return -1; @@ -5665,15 +5904,15 @@ #else check_flag = CheckForIPListConflicts(addrset); #endif - + switch( check_flag ) { case -1: ParseError("Empty IP used either as source IP or as destination IP " "in a rule. IP list: %s.", token); break; - - case 1: + + case 1: ParseError("Negated IP ranges that are equal to or are more " "general than non-negated ranges are not allowed. " "Consider inverting the logic: %s.", token); @@ -5688,7 +5927,6 @@ void ParserCleanup(void) { -#ifdef PORTLISTS port_list_free(&port_list); if (ruleIndexMap != NULL) @@ -5696,7 +5934,6 @@ RuleIndexMapFree(&ruleIndexMap); ruleIndexMap = NULL; } -#endif } static void InitVarTables(SnortPolicy *p) @@ -5706,6 +5943,7 @@ if (p->var_table != NULL) DeleteVars(p->var_table); + p->var_id = 1; #ifdef SUP_IP6 if (p->ip_vartable != NULL) @@ -5713,7 +5951,6 @@ p->ip_vartable = sfvt_alloc_table(); #endif -#ifdef PORTLISTS if (p->portVarTable != NULL) PortVarTableFree(p->portVarTable); p->portVarTable = PortVarTableCreate(); @@ -5727,18 +5964,21 @@ FatalError("%s(%d) Failed to create port variable tables.\n", __FILE__, __LINE__); } -#endif } static void InitPolicyMode(SnortPolicy *p) { - if (!ScAdapterInlineMode()) + if (!ScAdapterInlineMode() && !ScAdapterInlineTestMode()) + { + p->policy_mode = POLICY_MODE__PASSIVE; + } + else if (ScAdapterInlineTestMode()) { - p->policy_mode = POLICYMODE_FLAG__PASSIVE; + p->policy_mode = POLICY_MODE__INLINE_TEST; } else { - p->policy_mode = POLICYMODE_FLAG__INLINE; + p->policy_mode = POLICY_MODE__INLINE; } } @@ -5752,7 +5992,6 @@ otn_count = 0; dynamic_rule_count = 0; -#ifdef PORTLISTS memset(&tcpCnt, 0, sizeof(tcpCnt)); memset(&udpCnt, 0, sizeof(udpCnt)); memset(&ipCnt, 0, sizeof(ipCnt)); 
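Review bot: In the hunk at -5727, InitPolicyMode evaluates `ScAdapterInlineTestMode()` twice and the first condition restates what the later branches already imply; ordering the tests from most to least specific is simpler and single-evaluation: `if (ScAdapterInlineTestMode()) p->policy_mode = POLICY_MODE__INLINE_TEST; else if (ScAdapterInlineMode()) p->policy_mode = POLICY_MODE__INLINE; else p->policy_mode = POLICY_MODE__PASSIVE;`. This preserves the mapping of all four predicate combinations exactly as written. Both predicates are defined outside this hunk, so whether inline-test implies inline could not be checked.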
@@ -5770,7 +6009,6 @@ FatalError("%s(%d) Failed to create rule index map.\n", __FILE__, __LINE__); } -#endif /* PORTLISTS */ /* This is for determining if a config option has already been * configured. Most can only be configured once */ @@ -5836,14 +6074,13 @@ if (dynamic_rule_count != 0) LinkDynamicRules(sc); -#ifdef DEBUG +#ifdef DEBUG_MSGS DumpRuleChains(sc->rule_lists); #endif IntegrityCheckRules(sc); /*FindMaxSegSize();*/ -#ifdef PORTLISTS /* Compile/Finish and Print the PortList Tables */ PortTablesFinish(sc->port_tables, sc->fast_pattern_config); @@ -5858,7 +6095,6 @@ ///print_rule_index_map( ruleIndexMap ); ///port_list_print( &port_list ); -#endif /* Make sure this gets set back to NULL when we're done parsing */ snort_conf_for_parsing = NULL; @@ -5882,7 +6118,7 @@ ParseError("Cannot include \"%s\" in an include directive.", snort_conf_file); } - + /* XXX Maybe not allow an include in an included file to avoid * potential recursion issues */ @@ -5890,7 +6126,7 @@ file_name = SnortStrdup(arg); /* Stat the file. If that fails, stat it relative to the directory - * that the top level snort configuration file was in */ + * that the top level snort configuration file was in */ if (stat(file_name, &file_stat) == -1) { int path_len = strlen(snort_conf_dir) + strlen(arg) + 1; @@ -5960,7 +6196,7 @@ /* If it's an empty line or starts with a comment character */ if ((strlen(index) == 0) || (*index == '#') || (*index == ';')) continue; - + if (continuation) { int new_line_len = strlen(saved_line) + strlen(index) + 1; @@ -5981,13 +6217,13 @@ saved_line = NULL; index = new_line; - DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"concat rule: %s\n", + DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"concat rule: %s\n", new_line);); } /* check for a '\' continuation character at the end of the line * if it's there we need to get the next line in the file */ - if (ContinuationCheck(index) == 0) + if (ContinuationCheck(index) == 0) { char **toks; int num_toks; 
@@ -6014,7 +6250,7 @@ snort_conf_keywords[i].default_policy_only) { /* Keyword only configurable in the default policy*/ - DEBUG_WRAP(DebugMessage(DEBUG_INIT, + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Config option \"%s\" configurable only by default policy. Ignoring it", toks[0])); break; } @@ -6062,22 +6298,21 @@ if (node == NULL) ParseError("Unknown rule type: %s.", toks[0]); - /* Check for drop rules and inline mode or treating - * drop as alert */ - if ((node->mode == RULE_TYPE__DROP) -#ifdef GIDS - || (node->mode == RULE_TYPE__REJECT) - || (node->mode == RULE_TYPE__SDROP) -#endif - ) + if ( node->mode == RULE_TYPE__DROP ) { - if (ScTreatDropAsAlert() || ScInlineMode()) - { - if (ScTreatDropAsAlert()) - ParseRule(sc, p, args, RULE_TYPE__ALERT, node->RuleList); - else - ParseRule(sc, p, args, node->mode, node->RuleList); - } + if ( ScTreatDropAsAlert() ) + ParseRule(sc, p, args, RULE_TYPE__ALERT, node->RuleList); + + else if ( ScKeepDropRules() || ScLoadAsDropRules() ) + ParseRule(sc, p, args, node->mode, node->RuleList); + } + else if ( node->mode == RULE_TYPE__SDROP ) + { + if ( ScKeepDropRules() && !ScTreatDropAsAlert() ) + ParseRule(sc, p, args, node->mode, node->RuleList); + + else if ( ScLoadAsDropRules() ) + ParseRule(sc, p, args, RULE_TYPE__DROP, node->RuleList); } else { @@ -6110,10 +6345,10 @@ new_line = NULL; } - /* set the flag to let us know the next line is - * a continuation line */ + /* set the flag to let us know the next line is + * a continuation line */ continuation = 1; - } + } } fclose(fp); @@ -6126,7 +6361,7 @@ idx = rule + strlen(rule) - 1; - DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"initial idx set to \'%c\'\n", + DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"initial idx set to \'%c\'\n", *idx);); while(isspace((int)*idx)) @@ -6166,7 +6401,7 @@ sc->alert_file = SnortStrdup(args); - DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"alertfile set to: %s\n", + DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"alertfile set to: %s\n", sc->alert_file);); } 
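Review bot: In the new `RULE_TYPE__DROP` and `RULE_TYPE__SDROP` branches of the hunk at -6062, a rule for which none of the listed predicates holds falls through with no `ParseRule` call and no message, so it is silently discarded; the removed code behaved the same way, but the intent is now spread over five conditions. A one-line comment before `if ( node->mode == RULE_TYPE__DROP )` would make it explicit, e.g. `/* drop/sdrop rules not matched by the cases below are intentionally skipped */`. `RULE_TYPE__REJECT` is no longer special-cased and now reaches the final `else`; a comment confirming that is intended would also help. The enclosing loop body starts and ends outside this hunk.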
@@ -6186,7 +6421,7 @@ if ((sc == NULL) || (args == NULL)) return; - num_nodes = strtol(args, &endptr, 0); + num_nodes = SnortStrtol(args, &endptr, 0); if ((errno == ERANGE) || (*endptr != '\0') || (num_nodes <= 0)) { ParseError("Invalid argument to 'asn1' configuration. " @@ -6199,11 +6434,15 @@ #ifdef PREPROCESSOR_AND_DECODER_RULE_EVENTS void ConfigAutogenPreprocDecoderRules(SnortConfig *sc, char *args) { + SnortPolicy* policy; + if (sc == NULL) return; /* config autogenerate_preprocessor_decoder_rules */ - sc->run_flags |= RUN_FLAG__AUTOGEN_PREPROC_DECODER_OTN; + UpdateDecodeRulesArray( 0, ENABLE_RULE, ENABLE_ALL_RULES); + policy = sc->targeted_policies[getParserPolicy()]; + policy->policy_flags |= POLICY_FLAG__AUTO_OTN; DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Autogenerating Preprocessor and Decoder OTNs\n");); } #endif @@ -6223,7 +6462,12 @@ ParseError("Need at least two arguments to 'config binding'"); return; } - if (!strcmp("vlan", toks1[1])) + + if (!strcmp("policy_id", toks1[1])) + { + bindingType = SF_BINDING_TYPE_POLICY_ID; + } + else if (!strcmp("vlan", toks1[1])) { bindingType = SF_BINDING_TYPE_VLAN; } @@ -6240,7 +6484,8 @@ fileName = toks1[0]; DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES, "Policy File: %s\n", fileName);); - toks = mSplit(toks1[2], ",", 20, &num_toks, 0); +#define MAX_BOUND_ADDRS_PER_LINE 512 + toks = mSplit(toks1[2], ",", MAX_BOUND_ADDRS_PER_LINE + 1, &num_toks, 0); if (num_toks < 1) { 
@@ -6250,19 +6495,34 @@ return; } + if (num_toks >= 512) + { + mSplitFree(&toks1, num_toks1); + mSplitFree(&toks, num_toks); + ParseError(" Too many network addresses specified in 'config binding'. " + " Maximum is %d.\n", MAX_BOUND_ADDRS_PER_LINE); + return; + } - if (bindingType == SF_BINDING_TYPE_VLAN) + if (bindingType == SF_BINDING_TYPE_POLICY_ID) + { + if (ParsePolicyIdBindingLine(sc->policy_config, num_toks, &toks[0], fileName)) + { + FatalError("%s(%d) Formatting error in binding config for %s\n", file_name, file_line, fileName); + } + } + else if (bindingType == SF_BINDING_TYPE_VLAN) { if (ParseVlanBindingLine(sc->policy_config, num_toks, &toks[0], fileName)) { - FatalError("formating error in binding file: %s\n", fileName); + FatalError("%s(%d) Formatting error in binding config for %s\n", file_name, file_line, fileName); } } - else + else { if (ParseNetworkBindingLine(sc->policy_config, num_toks, &toks[0], fileName)) { - FatalError("formating error in binding file: %s\n", fileName); + FatalError("%s(%d) Formatting error in binding config for %s\n", file_name, file_line, fileName); } } mSplitFree(&toks1, num_toks1); @@ -6347,13 +6607,13 @@ negative_flags = CHECKSUM_FLAG__ALL; got_negative_flag = 1; } - else if (strcasecmp(toks[i], CHECKSUM_MODE_OPT__IP) == 0) + else if (strcasecmp(toks[i], CHECKSUM_MODE_OPT__IP) == 0) { positive_flags |= CHECKSUM_FLAG__IP; negative_flags &= ~CHECKSUM_FLAG__IP; got_positive_flag = 1; } - else if (strcasecmp(toks[i], CHECKSUM_MODE_OPT__NO_IP) == 0) + else if (strcasecmp(toks[i], CHECKSUM_MODE_OPT__NO_IP) == 0) { positive_flags &= ~CHECKSUM_FLAG__IP; negative_flags |= CHECKSUM_FLAG__IP; @@ -6462,7 +6722,7 @@ new_node->type = SnortStrdup(toks[0]); new_node->name = SnortStrdup(toks[1]); - new_node->priority = strtol(toks[2], &endptr, 0); + new_node->priority = SnortStrtol(toks[2], &endptr, 0); if ((errno == ERANGE) || (*endptr != '\0') || (new_node->priority <= 0)) { ParseError("Invalid argument for classification priority " 
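Review bot: The limit check uses the literal `512` where the preceding hunk defines `MAX_BOUND_ADDRS_PER_LINE` for exactly this purpose, and `num_toks >= 512` rejects a line with exactly 512 addresses even though the ParseError text says 'Maximum is 512'; assuming mSplit caps `num_toks` at the `MAX_BOUND_ADDRS_PER_LINE + 1` it was given, the overflow case is `num_toks > MAX_BOUND_ADDRS_PER_LINE`. Change it to `if (num_toks > MAX_BOUND_ADDRS_PER_LINE)`. Defining the macro in the middle of a function body (previous hunk) is also unusual; placing it with the file-scope constants would be cleaner. The enclosing function starts outside these hunks.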
@@ -6477,8 +6737,8 @@ { if (getParserPolicy() == getDefaultPolicy()) { - LogMessage("%s(%d): Duplicate classification \"%s\"" - "found, ignoring this line\n", file_name, file_line, + ParseWarning("Duplicate classification \"%s\"" + "found, ignoring this line\n", file_name, file_line, new_node->type); } @@ -6569,13 +6829,28 @@ char **toks; int num_toks; FastPatternConfig *fp; + int old_stream_inserts = -1; + int old_max_queue_events = -1; if ((sc == NULL) || (args == NULL)) return; fp = sc->fast_pattern_config; - toks = mSplit(args, ", ",20, &num_toks, 0); + if (fp->configured) + { + ParseWarning("Reconfiguring detection options."); + + /* Save max queue events and stream inserts in case they are + * not configured again - these will carry over into the new + * configuration */ + old_max_queue_events = fp->max_queue_events; + old_stream_inserts = fp->inspect_stream_insert; + + fpSetDefaults(fp); + } + + toks = mSplit(args, ", ", 20, &num_toks, 0); for (i = 0; i < num_toks; i++) { @@ -6599,11 +6874,11 @@ else if (strcasecmp(toks[i], DETECTION_OPT__DEBUG_PRINT_RULE_GROUPS_UNCOMPILED) == 0) { fpDetectSetDebugPrintRuleGroupsUnCompiled(fp); - } + } else if (strcasecmp(toks[i], DETECTION_OPT__DEBUG_PRINT_RULE_GROUPS_COMPILED) == 0) { fpDetectSetDebugPrintRuleGroupsCompiled(fp); - } + } else if (strcasecmp(toks[i], DETECTION_OPT__DEBUG) == 0) { fpSetDebugMode(fp); @@ -6611,6 +6886,7 @@ else if (strcasecmp(toks[i], DETECTION_OPT__NO_STREAM_INSERTS) == 0) { fpSetStreamInsert(fp); + old_stream_inserts = -1; /* Don't reset to old value */ } else if (strcasecmp(toks[i], DETECTION_OPT__BLEEDOVER_WARNINGS_ENABLED) == 0) { @@ -6619,7 +6895,7 @@ else if (strcasecmp(toks[i], DETECTION_OPT__SEARCH_METHOD) == 0) { i++; - if (i < num_toks) + if (i < num_toks) { if (fpSetDetectSearchMethod(fp, toks[i]) == -1) { 
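Review bot: The new ParseWarning call keeps the three arguments of the removed LogMessage but its format has a single `%s`, so `file_name` is printed where the classification type belongs and `file_line`/`new_node->type` are ignored — a format/argument mismatch that `-Wformat` would flag. The two adjacent literals also join as `\"%s\"found` with no space. Replace with `ParseWarning("Duplicate classification \"%s\" found, ignoring this line\n", new_node->type);`; if ParseWarning already prefixes file and line, the dropped arguments are not needed. The enclosing function starts and ends outside this hunk.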
@@ -6633,12 +6909,11 @@ } else if (strcasecmp(toks[i], DETECTION_OPT__BLEEDOVER_PORT_LIMIT) == 0) { - //#ifdef PORTLISTS i++; if (i < num_toks) { char *endptr; - int n = strtol(toks[i], &endptr, 0); + int n = SnortStrtol(toks[i], &endptr, 0); if ((errno == ERANGE) || (*endptr != '\0') || (n <= 0)) { @@ -6653,7 +6928,6 @@ { ParseError("Missing port-count argument to 'bleedover_port_limit'."); } - //#endif } else if (strcasecmp(toks[i], DETECTION_OPT__MAX_QUEUE_EVENTS) == 0) { @@ -6661,7 +6935,7 @@ if (i < num_toks) { char *endptr; - int n = strtol(toks[i], &endptr, 0); + int n = SnortStrtol(toks[i], &endptr, 0); if ((errno == ERANGE) || (*endptr != '\0') || (n <= 0)) { @@ -6670,12 +6944,42 @@ } fpSetMaxQueueEvents(fp, n); + old_max_queue_events = -1; /* Don't reset to old value */ } else { ParseError("Missing argument to 'max_queue_events'."); } } + else if (strcasecmp(toks[i], DETECTION_OPT__SPLIT_ANY_ANY) == 0) + { + fpDetectSetSplitAnyAny(fp, 1); + } + else if (strcasecmp(toks[i], DETECTION_OPT__MAX_PATTERN_LEN) == 0) + { + i++; + if (i < num_toks) + { + char *endptr; + int n = SnortStrtol(toks[i], &endptr, 0); + + if ((errno == ERANGE) || (*endptr != '\0') || (n < 0)) + { + ParseError("Invalid argument for max-pattern-len: %s. " + "Need a non-negative integer.", toks[i]); + } + + fpSetMaxPatternLen(fp, n); + } + else + { + ParseError("Missing argument to 'max-pattern-len'."); + } + } + else if (strcasecmp(toks[i], DETECTION_OPT__DEBUG_PRINT_FAST_PATTERN) == 0) + { + fpDetectSetDebugPrintFastPatterns(fp, 1); + } else { ParseError("'%s' is an invalid option to the 'config detection' " @@ -6684,6 +6988,13 @@ } mSplitFree(&toks, num_toks); + + if (old_max_queue_events != -1) + fp->max_queue_events = old_max_queue_events; + if (old_stream_inserts != -1) + fp->inspect_stream_insert = old_stream_inserts; + + fp->configured = 1; } void ConfigDetectionFilter(SnortConfig *sc, char *args) 
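Review bot: The restore at the end of ConfigDetection (hunk at -6684) writes `fp->max_queue_events` and `fp->inspect_stream_insert` directly, while every other path in this function goes through setters (`fpSetMaxQueueEvents(fp, n)`, `fpSetStreamInsert(fp)`); if the setters ever validate or clamp, the carried-over values bypass that. Prefer `if (old_max_queue_events != -1) fpSetMaxQueueEvents(fp, old_max_queue_events);` and the matching setter, if one exists, for stream inserts, or add a comment saying why the raw fields are written. The saved values come from the hunk at -6569 above, where the function body begins outside these hunks.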
@@ -6708,7 +7019,7 @@ { char *endptr; - sc->detection_filter_config->memcap = strtol(toks[1], &endptr, 0); + sc->detection_filter_config->memcap = SnortStrtol(toks[1], &endptr, 0); if ((errno == ERANGE) || (*endptr != '\0') || (sc->detection_filter_config->memcap < 0)) { @@ -6884,7 +7195,7 @@ if (sc == NULL) return; - DEBUG_WRAP(DebugMessage(DEBUG_INIT, "disabling the drop of decoder alerts\n");); + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Enabling the drop of decoder alerts\n");); sc->targeted_policies[getParserPolicy()]->decoder_drop_flags |= DECODE_EVENT_FLAG__DEFAULT; } 
@@ -6906,6 +7217,67 @@ sc->targeted_policies[getParserPolicy()]->decoder_drop_flags |= DECODE_EVENT_FLAG__OVERSIZED; } +void ConfigEnableDeepTeredoInspection(SnortConfig *sc, char *args) +{ + if (sc == NULL) + return; + + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Enabling deep Teredo inspection\n");); + sc->enable_teredo = 1; /* TODO: add this to some existing flag bitfield? */ +} + +#define GTP_U_PORT 2152 +#define GTP_U_PORT_V0 3386 +void ConfigEnableGTPDecoding(SnortConfig *sc, char *args) +{ + PortObject *portObject; + int numberOfPorts = 0; + + if (sc == NULL) + return; + + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Enabling GTP decoding\n");); + sc->enable_gtp = 1; + + /*Set the ports*/ + + portObject = PortVarTableFind( sc->targeted_policies[getParserPolicy()]->portVarTable, "GTP_PORTS"); + if (portObject) + { + sc->gtp_ports = PortObjectCharPortArray(sc->gtp_ports,portObject, &numberOfPorts); + } + + if (!sc->gtp_ports || (0 == numberOfPorts)) + { + /*No ports defined, use default GTP ports*/ + sc->gtp_ports = (char *)SnortAlloc(UINT16_MAX); + sc->gtp_ports[GTP_U_PORT] = 1; + sc->gtp_ports[GTP_U_PORT_V0] = 1; + + } +} + +void ConfigEnableEspDecoding(SnortConfig *sc, char *args) +{ + int ret; + if (sc == NULL) + return; + + if (args) + { + ret = ParseBool(args); + if (ret == -1) + { + ParseError("Invalid argument to ESP decoder argument: %s\n" + "Please specify \"enable\" or \"disable\".", args); + } + + sc->enable_esp = ret; + } + + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Changing ESP decoding\n");); +} + void ConfigEnableIpOptDrops(SnortConfig *sc, char *args) { if (sc == NULL) @@ -6990,7 +7362,7 @@ { char *endptr; - sc->threshold_config->memcap = strtol(toks[1], &endptr, 0); + sc->threshold_config->memcap = SnortStrtol(toks[1], &endptr, 0); if ((errno == ERANGE) || (*endptr != '\0') || (sc->threshold_config->memcap < 0)) { 
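Review bot: In ConfigEnableGTPDecoding, when `PortObjectCharPortArray` returns a non-NULL array but `numberOfPorts` is 0, `sc->gtp_ports` is immediately overwritten by `SnortAlloc(UINT16_MAX)` and the first buffer leaks; free it, or only take the fallback when `sc->gtp_ports` is NULL. The fallback array is `UINT16_MAX` (65535) bytes, so if it is indexed directly by port number elsewhere, port 65535 lands one past the end — `UINT16_MAX + 1` is the usual size for a per-port flag table; worth confirming against the consumer. In ConfigEnableEspDecoding, `sc->enable_esp = ret` runs after the ParseError for `ret == -1`; if ParseError returns in this build, -1 is stored as the flag.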
@@ -7029,7 +7401,7 @@ { char *endptr; - eq->max_events = strtol(toks[i], &endptr, 0); + eq->max_events = SnortStrtol(toks[i], &endptr, 0); if ((errno == ERANGE) || (*endptr != '\0') || (eq->max_events <= 0)) { @@ -7050,7 +7422,7 @@ { char *endptr; - eq->log_events = strtol(toks[i], &endptr, 0); + eq->log_events = SnortStrtol(toks[i], &endptr, 0); if ((errno == ERANGE) || (*endptr != '\0') || (eq->log_events <= 0)) { 
@@ -7108,132 +7480,181 @@ mSplitFree(&toks, num_toks); } -#ifdef ENABLE_RESPONSE2 -void ConfigFlexresp2Attempts(SnortConfig *sc, char *args) +void ConfigEventTrace(SnortConfig *sc, char *args) { - char *endp; - u_long val = 0; + char **toks; + int num_toks = 0; + int i; - if ((sc == NULL) || (args == NULL)) + if ( !sc ) return; - val = strtoul(args, &endp, 0); - if (args == endp || *endp) - { - ParseError("flexresp2_attempts: Invalid number of response " - "attempts '%s'.", args); - } - - if (val < 21) - { - sc->respond2_attempts = (uint8_t)val; - DEBUG_WRAP(DebugMessage(DEBUG_INIT, "sp_respond2: " - "response attempts: %u\n", sc->respond2_attempts);); - } - else - { - ErrorMessage("%s(%d) => flexresp2_attempts: Maximum " - "number of response attempts is 20.\n", file_name, - file_line); - sc->respond2_attempts = 20; - DEBUG_WRAP(DebugMessage(DEBUG_INIT, "sp_respond2: response " - "attempts: %u\n", sc->respond2_attempts);); - } -} - -void ConfigFlexresp2Interface(SnortConfig *sc, char *args) -{ -#ifdef WIN32 - int adaplen = atoi(args); - char errorbuf[PCAP_ERRBUF_SIZE]; -#endif + sc->event_trace_file = EVENT_TRACE_OPT__FILE_DEFAULT; + sc->event_trace_max = EVENT_TRACE_OPT__MAX_DATA_DEFAULT; - if ((sc == NULL) || (args == NULL)) - return; + if ( args ) + toks = mSplit(args, ", ", 0, &num_toks, 0); -#ifdef WIN32 - if (adaplen > 0) + for (i = 0; i < num_toks; i++) { - pcap_if_t *alldevs; - pcap_if_t *dev; - int i = 1; - - if (pcap_findalldevs(&alldevs, errorbuf) == -1) - ParseError("flexresp2: Could not get device list: %s.", errorbuf); + if (strcasecmp(toks[i], EVENT_TRACE_OPT__MAX_DATA) == 0) + { + i++; + if (i < num_toks) + { + char* endptr; + long max = SnortStrtol(toks[i], &endptr, 0); - for (dev = alldevs; dev != NULL; dev = dev->next) + if ( (errno == ERANGE) || (*endptr != '\0') || + (max <= 0) || (max > 65535) ) + { + ParseError("Invalid argument for %s: %s. 
Must be a positive " + "integer < 65536.", EVENT_TRACE_OPT__MAX_DATA, toks[i]); + } + sc->event_trace_max = (uint16_t)max; + } + else + { + ParseError("No argument to %s. Argument must be a positive " + "integer < 65536.", EVENT_TRACE_OPT__MAX_DATA); + } + } + else if (strcasecmp(toks[i], EVENT_TRACE_OPT__FILE) == 0) { - if (i == adaplen) - break; i++; + if(i < num_toks) + sc->event_trace_file = toks[i]; + else + { + ParseError("No argument to %s. Argument must be a string." + EVENT_TRACE_OPT__FILE); + } + } + else + { + ParseError("Invalid argument to 'event_trace'. To configure " + "event_trace, only the options 'file' and 'max_data' can " + "can be specified. Defaults are %s and %d.", + EVENT_TRACE_OPT__FILE_DEFAULT, EVENT_TRACE_OPT__MAX_DATA_DEFAULT); } - - if (dev == NULL) - ParseError("flexresp2: Invalid device number: %d.", adaplen); - - sc->respond2_ethdev = SnortStrdup(dev->name); - pcap_freealldevs(alldevs); - - sc->respond2_link = 1; - DEBUG_WRAP( - DebugMessage(DEBUG_INIT, - "sp_respond2: link-layer responses: ENABLED\n"); - DebugMessage(DEBUG_INIT, - "sp_respond2: link-layer device: %s\n", - sc->respond2_ethdev);); - } - else -#endif /* WIN32 */ - { - sc->respond2_ethdev = SnortStrdup(args); - sc->respond2_link = 1; - DEBUG_WRAP( - DebugMessage(DEBUG_INIT, - "sp_respond2: link-layer responses: ENABLED\n"); - DebugMessage(DEBUG_INIT, - "sp_respond2: link-layer device: %s\n", - sc->respond2_ethdev);); } + sc->event_trace_file = SnortStrdup(sc->event_trace_file); + + if ( num_toks > 0 ) + mSplitFree(&toks, num_toks); } -void ConfigFlexresp2Memcap(SnortConfig *sc, char *args) +void ConfigReact (SnortConfig *sc, char *args) { - char *endp; - long val = 0; - if ((sc == NULL) || (args == NULL)) return; - val = strtol(args, &endp, 0); - if (args == endp || *endp) - ParseError("flexresp2_memcap: Invalid memcap '%s'.", args); - - sc->respond2_memcap = val; + sc->react_page = SnortStrdup(args); - DEBUG_WRAP(DebugMessage(DEBUG_INIT, "sp_respond2: memcap: " - 
"%d\n", sc->respond2_memcap);); + DEBUG_WRAP(DebugMessage(DEBUG_INIT, + "react: page is %s\n", sc->react_page);); } -void ConfigFlexresp2Rows(SnortConfig *sc, char *args) +#ifdef ENABLE_RESPONSE3 +void ConfigFlexresp2Interface(SnortConfig *sc, char *args) { - char *endp; - long val = 0; - - if ((sc == NULL) || (args == NULL)) - return; - - val = strtol(args, &endp, 0); - if (args == endp || *endp) - ParseError("flexresp2_memcap: Invalid rows '%s'.", args); - - sc->respond2_rows = val; + ParseWarning("flexresp2_interface is no longer supported.\n"); +} - DEBUG_WRAP(DebugMessage(DEBUG_INIT, "sp_respond2: rows: %d\n", - sc->respond2_rows);); +void ConfigFlexresp2Attempts(SnortConfig *sc, char *args) +{ + ParseWarning("flexresp2_attempts is no longer supported; " + "you must use config response: attempts <#> instead.\n"); } -#endif /* defined(ENABLE_RESPONSE2) */ -void ConfigFlowbitsSize(SnortConfig *sc, char *args) +void ConfigFlexresp2Memcap(SnortConfig *sc, char *args) +{ + ParseWarning("flexresp2_memcap is no longer supported.\n"); +} + +void ConfigFlexresp2Rows(SnortConfig *sc, char *args) +{ + ParseWarning("flexresp2_rows is no longer supported.\n"); +} +#endif + +#ifdef ACTIVE_RESPONSE +// TBD: once code can be checked in, move all config funcs +// from parser.[ch] to [parser-]config.[ch] *or* at least move +// Config* declarations from parser.h to parser.c or parser-config.h. +void ConfigResponse (SnortConfig *sc, char *args) +{ + char **toks; + int num_toks; + int i; + + if ((sc == NULL) || (args == NULL)) + return; + + toks = mSplit(args, ", ", 0, &num_toks, 0); + + for (i = 0; i < num_toks; i++) + { + if ( !strcasecmp(toks[i], RESPONSE_OPT__ATTEMPTS) ) + { + if ( ++i < num_toks ) + { + char *endptr; + long int value = strtol(toks[i], &endptr, 0); + + if ((errno == ERANGE) || (*endptr != '\0') || + (value < 1) || (value > 20)) + { + ParseError("Invalid argument for attempts: %s. 
" + "Argument must be between 1 and 20 inclusive.", toks[i]); + } + sc->respond_attempts = (uint8_t)value; + } + else + { + ParseError("No argument to 'attempts'. " + "Argument must be between 1 and 20 inclusive."); + } + } + else if ( !strcasecmp(toks[i], RESPONSE_OPT__DEVICE) ) + { + if ( ++i < num_toks ) + { + sc->respond_device = SnortStrdup(toks[i]); + } + else + { + ParseError("No argument to 'device'. Use 'ip' for network " + "layer responses or 'eth0' etc. for link layer responses."); + } + } + else if ( !strcasecmp(toks[i], RESPONSE_OPT__DST_MAC) ) + { + if ( ++i < num_toks ) + { + eth_addr_t dst; + if (eth_pton( toks[i], &dst) < 0) + { + ParseError("Format check failed: %s, Use format like 12:34:56:78:90:1a", toks[i]); + } + sc->eth_dst = SnortAlloc (sizeof(dst.data)); + memcpy(sc->eth_dst, dst.data, sizeof(dst.data)); + } + else + { + ParseError("No argument to 'dst_mac'. Use format 12:34:56:78:90:1a"); + } + } + else + { + ParseError("Invalid config response option '%s'", toks[i]); + } + } + mSplitFree(&toks, num_toks); +} +#endif + +void ConfigFlowbitsSize(SnortConfig *sc, char *args) { char *endptr; long int size; @@ -7241,15 +7662,16 @@ if ((sc == NULL) || (args == NULL)) return; - size = strtol(args, &endptr, 0); + size = SnortStrtol(args, &endptr, 0); if ((errno == ERANGE) || (*endptr != '\0') || - (size < 0) || (size > 256)) + (size < 0) || (size > 2096)) { ParseError("Invalid argument to 'flowbits_size': %s. Must be a " - "positive integer and less than 256.", args); + "positive integer and less than 2096.", args); } - sc->flowbit_size = (uint8_t)size; + giFlowbitSize = (uint8_t)(size >> 3); + sc->flowbit_size = (uint8_t)(size >> 3); } /**************************************************************************** 
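Review bot: In ConfigEventTrace the `EVENT_TRACE_OPT__FILE` error call is missing a comma: `ParseError("No argument to %s. Argument must be a string." EVENT_TRACE_OPT__FILE);` concatenates the two literals if the macro is a string, leaving `%s` with no argument (an undefined vararg read); it should read `ParseError("No argument to %s. Argument must be a string.", EVENT_TRACE_OPT__FILE);`. The catch-all message prints `can can be specified` because both adjacent literals end and begin with `can`, and `toks` should be initialised to NULL since it is only assigned when `args` is non-NULL. In ConfigResponse, `strtol` is used where the rest of this commit switches to `SnortStrtol`, and a repeated `device` or `dst_mac` option leaks the earlier `SnortStrdup`/`SnortAlloc` result.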
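Review bot: In ConfigFlowbitsSize the new bound `size > 2096` does not protect the `(uint8_t)(size >> 3)` stores below it: any size from 2048 to 2096 gives `size >> 3` of 256 or more, which wraps to 0..6 in `giFlowbitSize` and `sc->flowbit_size`, and sizes that are not a multiple of 8 are silently rounded down. Either bound the input to what the byte-count fields can hold, `(size < 0) || (size > 2040) || (size % 8 != 0)`, with the message updated to match, or widen the two fields. The limit 2096 may itself be a typo for 2048, but that is only a guess from the neighbourhood.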
@@ -7298,14 +7720,19 @@ } for ( i = 1; i < num_toks; i++ ) - { + { /* Re-use function from rules processing */ - ParsePort(toks[i], &hi_port, &lo_port, toks[0], ¬_flag); - + ParsePort(toks[i], &hi_port, &lo_port, toks[0], ¬_flag); + for ( p = lo_port; p <= hi_port; p++ ) - sc->ignore_ports[p] = (uint8_t)protocol; /* protocol will be 6 (TCP) or 17 (UDP) */ + { + if (protocol == IPPROTO_TCP) + sc->ignore_ports[p] |= PROTO_BIT__TCP; + else if (protocol == IPPROTO_UDP) + sc->ignore_ports[p] |= PROTO_BIT__UDP; + } } - + mSplitFree(&toks, num_toks); } @@ -7386,7 +7813,7 @@ arg_toks = mSplit(opt_toks[i], " \t", 2, &num_args, 0); - if(!arg_toks[1]) + if(!arg_toks[1]) { ParseError("ipv6_frag option '%s' requires an argument.", arg_toks[0]); @@ -7394,18 +7821,18 @@ if(!strcasecmp(arg_toks[0], "bsd_icmp_frag_alert")) { - DEBUG_WRAP(DebugMessage(DEBUG_INIT, + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "disabling the BSD ICMP fragmentation alert\n");); if(!strcasecmp(arg_toks[1], "off")) sc->targeted_policies[getParserPolicy()]->decoder_alert_flags &= ~DECODE_EVENT_FLAG__IPV6_BSD_ICMP_FRAG; } else if(!strcasecmp(arg_toks[0], "bad_ipv6_frag_alert")) { - DEBUG_WRAP(DebugMessage(DEBUG_INIT, + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "disabling the IPv6 bad fragmentation packet alerts\n");); if(!strcasecmp(arg_toks[1], "off")) sc->targeted_policies[getParserPolicy()]->decoder_alert_flags &= ~DECODE_EVENT_FLAG__IPV6_BAD_FRAG; - + } else if (!strcasecmp(arg_toks[0], "frag_timeout")) { @@ -7428,7 +7855,7 @@ if(args == endp || *endp) { - ParseError("ipv6_frag_timeout: Invalid argument '%s'.", + ParseError("ipv6_frag_timeout: Invalid argument '%s'.", arg_toks[1]); } @@ -7446,7 +7873,7 @@ } val = strtol(arg_toks[1], &endp, 0); - if (val <= 0) + if (val <= 0) { ParseError("ipv6_max_frag_sessions: Invalid number of sessions " "'%s'. Must be greater than 0.", arg_toks[1]); 
@@ -7464,12 +7891,12 @@ { if(!strcasecmp(arg_toks[1], "off")) { - DEBUG_WRAP(DebugMessage(DEBUG_INIT, + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "disabling the BSD ICMP fragmentation alert\n");); sc->targeted_policies[getParserPolicy()]->decoder_drop_flags &= ~DECODE_EVENT_FLAG__IPV6_BAD_FRAG; } } - else + else { ParseError("Invalid option to ipv6_frag '%s %s'.", arg_toks[0], arg_toks[1]); 
@@ -7483,50 +7910,75 @@ void ConfigLayer2Resets(SnortConfig *sc, char *args) { -#if defined(GIDS) && !defined(IPFW) - unsigned int i; - char **toks; - int num_toks; + ParseWarning("layer2resets is deprecated.\n"); +} - if ((sc == NULL) || (args == NULL)) +void ConfigLogDir(SnortConfig *sc, char *args) +{ + if ((args == NULL) || (sc == NULL) || (sc->log_dir != NULL)) return; - sc->run_flags |= RUN_FLAG__LINK_LAYER_RESETS; + sc->log_dir = SnortStrdup(args); +} - toks = mSplit(args, ":", 6, &num_toks, '\\'); - if (num_toks != 6) - { - ParseError("'%s' is not a valid MAC address for layer2resets", args); - } +void ConfigDaqType(SnortConfig *sc, char *args) +{ + if ( !args || !sc ) + return; - for (i = 0; i < num_toks; i++) - { - if ((strlen(toks[i]) != 2) || - !isxdigit((int)toks[i][0]) || !isxdigit((int)toks[i][1])) - { - ParseError("'%s' is not a valid MAC address for " - "layer2resets.", args); - } + if ( sc->daq_type ) + ParseError("Setting DAQ to %s but %s already selected.\n", + args, sc->daq_type); - /* Already verified that it's in range and has - * convertable characters */ - sc->enet_src[i] = (uint8_t)strtoul(toks[i], NULL, 16); - } + // will be validated later after paths are established + sc->daq_type = SnortStrdup(args); +} - mSplitFree(&toks, num_toks); +void ConfigDaqMode(SnortConfig *sc, char *args) +{ + if ( !args || !sc || sc->daq_mode ) + return; -#else - ErrorMessage("%s(%d) 'layer2resets' can only be used with " - "an inline snort.\n", file_name, file_line); -#endif + // will be validated later when daq is instantiated + sc->daq_mode = SnortStrdup(args); } -void ConfigLogDir(SnortConfig *sc, char *args) +void ConfigDaqVar(SnortConfig *sc, char *args) { - if ((args == NULL) || (sc == NULL) || (sc->log_dir != NULL)) + if ( !args || !sc ) return; - sc->log_dir = SnortStrdup(args); + if ( !sc->daq_vars ) + { + sc->daq_vars = StringVector_New(); + + if ( !sc->daq_vars ) + ParseError("can't allocate memory for daq_var '%s'.", args); + } + if ( 
!StringVector_Add(sc->daq_vars, args) ) + ParseError("can't allocate memory for daq_var '%s'.", args); +} + +void ConfigDaqDir(SnortConfig *sc, char *args) +{ + if ( !args || !sc ) + return; + + if ( !sc->daq_dirs ) + { + sc->daq_dirs = StringVector_New(); + + if ( !sc->daq_dirs ) + ParseError("can't allocate memory for daq_dir '%s'.", args); + } + if ( !StringVector_Add(sc->daq_dirs, args) ) + ParseError("can't allocate memory for daq_dir '%s'.", args); +} + +void ConfigDirtyPig(SnortConfig *sc, char *args) +{ + if ( sc ) + sc->dirty_pig = 1; } #ifdef TARGET_BASED @@ -7593,8 +8045,8 @@ val = strtol(args, &endp, 0); if ((args == endp) || *endp || (val < -1)) val = DEFAULT_LABELCHAIN_LENGTH; - } - else + } + else { val = DEFAULT_LABELCHAIN_LENGTH; } @@ -7612,21 +8064,21 @@ if (strcasecmp(args, MPLS_PAYLOAD_OPT__IPV4) == 0) { sc->mpls_payload_type = MPLS_PAYLOADTYPE_IPV4; - } + } else if (strcasecmp(args, MPLS_PAYLOAD_OPT__IPV6) == 0) { sc->mpls_payload_type = MPLS_PAYLOADTYPE_IPV6; - } + } else if (strcasecmp(args, MPLS_PAYLOAD_OPT__ETHERNET) == 0) { sc->mpls_payload_type = MPLS_PAYLOADTYPE_ETHERNET; - } - else + } + else { ParseError("Non supported mpls payload type: %s.", args); } - } - else + } + else { sc->mpls_payload_type = DEFAULT_MPLS_PAYLOADTYPE; } 
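Review bot: `ConfigDaqMode` silently returns when `sc->daq_mode` is already set, while the neighbouring `ConfigDaqType` reports a second setting with `ParseError("Setting DAQ to %s but %s already selected.\n", ...)`; a duplicated `config daq_mode` line is therefore ignored without any diagnostic, and the two should behave the same way. In `ConfigDaqVar` and `ConfigDaqDir`, `StringVector_Add` is still reached after the `StringVector_New` failure branch, which is only safe if ParseError never returns — the hunk does not show that, so a comment such as `/* ParseError does not return */` at the first call would make the assumption explicit. `ConfigDaqDir` stores directory paths from the configuration with no note on when they are validated, unlike the "will be validated later" comments in `ConfigDaqType`/`ConfigDaqMode`; the same note belongs there.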
@@ -7635,22 +8087,51 @@ void ConfigMinTTL(SnortConfig *sc, char *args) { - long int min_ttl_value = 0; + long int value; char *endptr; if ((sc == NULL) || (args == NULL)) return; - min_ttl_value = strtol(args, &endptr, 0); + value = strtol(args, &endptr, 0); + if ((errno == ERANGE) || (*endptr != '\0') || - (min_ttl_value < 0) || (min_ttl_value > UINT8_MAX)) + (value < 1) || (value > UINT8_MAX)) { ParseError("Invalid argument to 'min_ttl' configuration: %s. " "Must be a positive integer.", args); } - sc->min_ttl = (uint8_t)min_ttl_value; + { + SnortPolicy* pPolicy = sc->targeted_policies[getParserPolicy()]; + pPolicy->min_ttl = (uint8_t)value; + } +} + +#ifdef NORMALIZER +void ConfigNewTTL(SnortConfig *sc, char *args) +{ + long int value; + char *endptr; + + if ((sc == NULL) || (args == NULL)) + return; + + value = strtol(args, &endptr, 0); + + if ((errno == ERANGE) || (*endptr != '\0') || + (value < 1) || (value > UINT8_MAX)) + { + ParseError("Invalid argument to 'new_ttl' configuration: %s. " + "Must be a non-negative integer.", args); + } + + { + SnortPolicy* pPolicy = sc->targeted_policies[getParserPolicy()]; + pPolicy->new_ttl = (uint8_t)value; + } } +#endif void ConfigNoLog(SnortConfig *sc, char *args) { @@ -7699,9 +8180,9 @@ char **toks; /* dbl ptr to store mSplit return data in */ int num_toks; /* number of tokens mSplit returns */ int nmask; /* temporary netmask storage */ -# ifdef DEBUG +#ifdef DEBUG_MSGS struct in_addr sin; -# endif +#endif #endif if ((sc == NULL) || (args == NULL)) @@ -7709,9 +8190,10 @@ DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Got obfus data: %s\n", args);); + sc->output_flags |= OUTPUT_FLAG__OBFUSCATE; + #ifdef SUP_IP6 sfip_pton(args, &sc->obfuscation_net); - sc->output_flags |= OUTPUT_FLAG__OBFUSCATE; #else /* break out the CIDR notation from the IP address */ toks = mSplit(args, "/", 2, &num_toks, 0); 
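Review bot: `ConfigNewTTL` rejects 0 (`value < 1`) but its error text says "Must be a non-negative integer."; the message should match the check, e.g. `"Must be a positive integer."` as in `ConfigMinTTL`, or the lower bound should be 0. Both functions also test `errno == ERANGE` after a raw `strtol` without clearing errno first, whereas the rest of this commit moves such call sites to `SnortStrtol`/`SnortStrtoul`; a stale ERANGE from an earlier call would produce a spurious parse error here, so these two should use the same wrapper (assuming it resets errno, which is not visible in the hunk).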
@@ -7736,32 +8218,59 @@ ParseError("No netmask specified for obsucation mask!"); } - DEBUG_WRAP(DebugMessage(DEBUG_INIT, "obfuscation netmask = %#8lX\n", + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "obfuscation netmask = %#8lX\n", sc->obfuscation_mask);); /* convert the IP addr into its 32-bit value */ if((net.s_addr = inet_addr(toks[0])) == INADDR_NONE) ParseError("Obfuscation mask (%s) didn't translate.", toks[0]); - DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Obfuscation Net = %s (%X)\n", + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Obfuscation Net = %s (%X)\n", inet_ntoa(net), net.s_addr);); /* set the final homenet address up */ sc->obfuscation_net = net.s_addr & sc->obfuscation_mask; -#ifdef DEBUG +#ifdef DEBUG_MSGS sin.s_addr = sc->obfuscation_net; - DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Obfuscation Net = %s (%X)\n", + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Obfuscation Net = %s (%X)\n", inet_ntoa(sin), sin.s_addr);); #endif sc->obfuscation_mask = ~sc->obfuscation_mask; - sc->output_flags |= OUTPUT_FLAG__OBFUSCATE; mSplitFree(&toks, num_toks); #endif } +void ConfigPafMax (SnortConfig *sc, char *args) +{ + long int value; + char *endptr; + + // 255 is max pseudo-random flush point; eth mtu + // ensures that maximum flushes are not trimmed + // which throws off the tracking total in stream5_paf.c + const unsigned max = IP_MAXPACKET - ETHERNET_MTU - 255; + + if ((sc == NULL) || (args == NULL)) + return; + + value = SnortStrtoulRange(args, &endptr, 0, 0, max); + + if ( (errno == ERANGE) || (*endptr != '\0') ) + { + ParseError( + "Invalid argument to '%s' configuration: %s. " + "Must be between 0 (off) and %u (max).", + CONFIG_OPT__PAF_MAX, args, max); + } + + { + sc->paf_max = (uint32_t)value; + } +} + void ConfigRuleListOrder(SnortConfig *sc, char *args) { OrderRuleLists(sc, args); 
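Review bot: In `ConfigPafMax`, `value` is declared `long int` but receives the result of `SnortStrtoulRange`, whose name suggests an unsigned result, and is then cast to `uint32_t`; declaring it `unsigned long` avoids the signed/unsigned round trip. The trailing `{ sc->paf_max = (uint32_t)value; }` block declares nothing and can be a plain statement. As in the TTL parsers on the previous hunk line, the `errno == ERANGE` test is meaningful only if the helper clears errno before converting; a one-line comment stating that contract would help the next reader.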
@@ -7822,7 +8331,7 @@ if ((sc == NULL) || (args == NULL)) return; - sc->pkt_cnt = strtoul(args, &endptr, 0); + sc->pkt_cnt = SnortStrtoul(args, &endptr, 0); if ((errno == ERANGE) || (*endptr != '\0')) { ParseError("Invalid packet count: %s. Packet count must be between " @@ -7837,26 +8346,26 @@ void ConfigPacketSnaplen(SnortConfig *sc, char *args) { char *endptr; - unsigned long int snaplen; + uint32_t snaplen; if ((sc == NULL) || (args == NULL)) return; - snaplen = strtoul(args, &endptr, 0); + snaplen = SnortStrtoul(args, &endptr, 0); + if ((errno == ERANGE) || (*endptr != '\0') || - ((snaplen != 0) && (snaplen < MIN_SNAPLEN)) || (snaplen > UINT16_MAX)) + ((snaplen != 0) && (snaplen < MIN_SNAPLEN)) || + (snaplen > MAX_SNAPLEN) ) { ParseError("Invalid snaplen: %s. Snaplen must be between " - "%u and %u inclusive or 0 for max snaplen.", - args, MIN_SNAPLEN, UINT16_MAX); + "%u and %u inclusive or 0 for default = %u.", + args, MIN_SNAPLEN, MAX_SNAPLEN, DAQ_GetSnapLen()); } - sc->pkt_snaplen = (uint16_t)snaplen; - if (sc->pkt_snaplen == 0) - sc->pkt_snaplen = UINT16_MAX; + sc->pkt_snaplen = snaplen; - DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Snaplength of Packets set to: %d\n", - sc->pkt_snaplen);); + DEBUG_WRAP(DebugMessage(DEBUG_INIT, + "Snap length of packets set to: %d\n", sc->pkt_snaplen);); } void ConfigPidPath(SnortConfig *sc, char *args) @@ -7869,8 +8378,8 @@ sc->run_flags |= RUN_FLAG__CREATE_PID_FILE; if (SnortStrncpy(sc->pid_path, args, sizeof(sc->pid_path)) != SNORT_STRNCPY_SUCCESS) ParseError("Pid path too long."); - - DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Pid Path directory = %s\n", + + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Pid Path directory = %s\n", sc->pid_path);); } 
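Review bot: In `ConfigPacketSnaplen` the result of `SnortStrtoul` is stored into the new `uint32_t snaplen` before the `snaplen > MAX_SNAPLEN` test, so if the helper returns `unsigned long` as its name suggests, on an LP64 host a value above UINT32_MAX is truncated to 32 bits and can pass the range check (e.g. 4294967400 becomes 104); the old code kept `unsigned long` for the check and narrowed afterwards. Keep the wide type for the check and narrow at the end: `unsigned long snaplen = SnortStrtoul(args, &endptr, 0);` … `sc->pkt_snaplen = (uint32_t)snaplen;`. The debug message also prints the unsigned value with `%d`; `%u` is the matching specifier.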
@@ -7908,14 +8417,16 @@ char **toks; int num_toks; int i; - int ret_flags = 0; + int mode = 0; if (args == NULL) { if ( run_flags & RUN_FLAG__INLINE ) - return POLICYMODE_FLAG__INLINE; + return POLICY_MODE__INLINE; + else if ( run_flags & RUN_FLAG__INLINE_TEST ) + return POLICY_MODE__INLINE_TEST; else - return POLICYMODE_FLAG__PASSIVE; + return POLICY_MODE__PASSIVE; } toks = mSplit(args, " \t", 10, &num_toks, 0); @@ -7923,11 +8434,30 @@ { if (strcasecmp(toks[i], POLICY_MODE_PASSIVE) == 0) { - ret_flags = POLICYMODE_FLAG__PASSIVE; + if ( ScAdapterInlineTestMode() ) + mode = POLICY_MODE__INLINE_TEST; + else + mode = POLICY_MODE__PASSIVE; } else if (strcasecmp(toks[i], POLICY_MODE_INLINE) == 0) { - ret_flags = POLICYMODE_FLAG__INLINE; + /* If --enable-inline-test is specified it overwrites + * policy_mode: inline */ + if( ScAdapterInlineTestMode() ) + mode = POLICY_MODE__INLINE_TEST; + else if (!ScAdapterInlineMode()) + { + ParseWarning("Adapter is in Passive Mode. Hence switching " + "policy mode to tap."); + mode = POLICY_MODE__PASSIVE; + + } + else + mode = POLICY_MODE__INLINE; + } + else if (strcasecmp(toks[i], POLICY_MODE_INLINE_TEST) == 0) + { + mode = POLICY_MODE__INLINE_TEST; } else { @@ -7936,7 +8466,7 @@ } mSplitFree(&toks, num_toks); - return ret_flags; + return mode; } void ConfigPolicyVersion(SnortConfig *sc, char *args) @@ -8020,10 +8550,10 @@ #ifdef PPM_MGR /* * config ppm: feature, feature, feature,.. - * + * * config ppm: max-pkt-time usecs, * disable-pkt-inspection, - * max-rule-time usecs, + * max-rule-time usecs, * disable-rule-inspection, threshold 5, * max-suspend-time secs, * rule-events alert|syslog|console, @@ -8044,7 +8574,7 @@ if (sc == NULL) return; - + toks = mSplit(args, ",", 0, &num_toks, 0); if (!sc->ppm_cfg.enabled) @@ -8054,7 +8584,7 @@ for(i = 0; i < num_toks; i++) { opts = mSplit(toks[i], " \t", 0, &num_opts, 0); - + if (strcasecmp(opts[0], PPM_OPT__MAX_PKT_TIME) == 0) { if (num_opts != 2) 
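Review bot: When `policy_mode: inline` is configured on an adapter that is not in inline mode, the new branch downgrades to `POLICY_MODE__PASSIVE` with only a ParseWarning, so drop and reject rules in that policy stop enforcing while the configuration still says inline. If the fallback is intended, a comment at that branch should state that enforcement is disabled for the policy, and the warning text should say which policy was switched. The blank line left before the closing `}` of that branch is a leftover and should go. The enclosing function starts before this hunk.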
@@ -8062,7 +8592,7 @@ ParseError("config ppm: missing argument for '%s'.", opts[0]); } - val = strtoul(opts[1], &endptr, 0); + val = SnortStrtoul(opts[1], &endptr, 0); if ((opts[1][0] == '-') || (errno == ERANGE) || (*endptr != '\0')) { ParseError("config ppm: Invalid %s '%s'.", opts[0], opts[1]); @@ -8077,12 +8607,12 @@ ParseError("config ppm: missing argument for '%s'.", opts[0]); } - val = strtoul(opts[1], &endptr, 0); + val = SnortStrtoul(opts[1], &endptr, 0); if ((opts[1][0] == '-') || (errno == ERANGE) || (*endptr != '\0')) { ParseError("config ppm: Invalid %s '%s'.", opts[0], opts[1]); } - + ppm_set_max_rule_time(&sc->ppm_cfg, val); } else if (strcasecmp(opts[0], PPM_OPT__SUSPEND_TIMEOUT) == 0) @@ -8092,12 +8622,12 @@ ParseError("config ppm: missing argument for '%s'.", opts[0]); } - val = strtoul(opts[1], &endptr, 0); + val = SnortStrtoul(opts[1], &endptr, 0); if ((opts[1][0] == '-') || (errno == ERANGE) || (*endptr != '\0')) { ParseError("config ppm: Invalid %s '%s'.", opts[0], opts[1]); } - + ppm_set_max_suspend_time(&sc->ppm_cfg, val); ruleOpts++; } @@ -8118,7 +8648,7 @@ ParseError("config ppm: missing argument for '%s'.", opts[0]); } - val = strtoul(opts[1], &endptr, 0); + val = SnortStrtoul(opts[1], &endptr, 0); if ((opts[1][0] == '-') || (errno == ERANGE) || (*endptr != '\0')) { ParseError("config ppm: Invalid %s '%s'.", opts[0], opts[1]); @@ -8146,16 +8676,16 @@ ppm_set_pkt_log(&sc->ppm_cfg, PPM_LOG_MESSAGE); pktOpts++; - } + } else if (strcasecmp(opts[0], PPM_OPT__RULE_LOG) == 0) { int k; - + if (num_opts == 1) { ParseError("config ppm: insufficient %s opts.", opts[0]); } - + for (k = 1; k < num_opts; k++) { if (strcasecmp(opts[k], PPM_OPT__ALERT) == 0) @@ -8173,7 +8703,7 @@ } ruleOpts++; - } + } else if (strcasecmp(opts[0], PPM_OPT__DEBUG_PKTS) == 0) { if (num_opts != 1) @@ -8197,7 +8727,7 @@ ParseError("'%s' is an invalid option to the 'config ppm:' " "configuration.", opts[0]); } - + mSplitFree(&opts, num_opts); } 
@@ -8271,7 +8801,7 @@ } else { - sc->profile_preprocs.num = strtol(opts[1], &endptr, 10); + sc->profile_preprocs.num = SnortStrtol(opts[1], &endptr, 10); if ((errno == ERANGE) || (*endptr != '\0')) { ParseError("Invalid argument to profile_preprocs 'print' " @@ -8303,7 +8833,7 @@ sc->profile_preprocs.filename = ProcessFileOption(sc, opts[1]); if (opts[2] && (strcasecmp(opts[2], PROFILE_OPT__APPEND) == 0)) { - sc->profile_preprocs.append = 1; + sc->profile_preprocs.append = 1; } else { @@ -8376,7 +8906,7 @@ } else { - sc->profile_rules.num = strtol(opts[1], &endptr, 10); + sc->profile_rules.num = SnortStrtol(opts[1], &endptr, 10); if ((errno == ERANGE) || (*endptr != '\0')) { ParseError("Invalid argument to profile_rules 'print' " @@ -8424,7 +8954,7 @@ sc->profile_rules.filename = ProcessFileOption(sc, opts[1]); if (opts[2] && (strcasecmp(opts[2], PROFILE_OPT__APPEND) == 0)) { - sc->profile_rules.append = 1; + sc->profile_rules.append = 1; } else { @@ -8454,7 +8984,7 @@ /* * Process the 'config rate_filter: memcap <#bytes>' */ -// FIXTHIS cloned from sfthreshold.c +// TBD refactor - was cloned from sfthreshold.c void ConfigRateFilter(SnortConfig *sc, char *args) { char **toks; @@ -8462,7 +8992,7 @@ if ((sc == NULL) || (args == NULL)) return; - + toks = mSplit(args, " \t", 2, &num_toks, 0); if (num_toks != 2) { @@ -8473,7 +9003,7 @@ { char *endptr; - sc->rate_filter_config->memcap = strtol(toks[1], &endptr, 0); + sc->rate_filter_config->memcap = SnortStrtol(toks[1], &endptr, 0); if ((errno == ERANGE) || (*endptr != '\0') || (sc->rate_filter_config->memcap < 0)) { @@ -8632,7 +9162,7 @@ /* It's all digits. Assume it's a group id */ if (i == strlen(args)) { - sc->group_id = strtol(args, &endptr, 10); + sc->group_id = SnortStrtol(args, &endptr, 10); if ((errno == ERANGE) || (*endptr != '\0') || (sc->group_id < 0)) { 
@@ -8679,7 +9209,7 @@ /* It's all digits. Assume it's a user id */ if (i == strlen(args)) { - sc->user_id = strtol(args, &endptr, 10); + sc->user_id = SnortStrtol(args, &endptr, 10); if ((errno == ERANGE) || (*endptr != '\0')) ParseError("User id \"%s\" out of range.", args); @@ -8710,6 +9240,21 @@ DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Enabled year in timestamp\n");); } +void ConfigSoRuleMemcap(SnortConfig *sc, char *args) +{ + char *endptr; + + if ((sc == NULL) || (args == NULL)) + return; + + sc->so_rule_memcap = SnortStrtoul(args, &endptr, 0); + if ((errno == ERANGE) || (*endptr != '\0')) + { + ParseError("Invalid so rule memcap: %s. Memcap must be between " + "0 and %u inclusive.", args, UINT32_MAX); + } +} + void ConfigStateful(SnortConfig *sc, char *args) { if (sc == NULL) @@ -8727,7 +9272,7 @@ if ((sc == NULL) || (args == NULL)) return; - sc->tagged_packet_limit = strtol(args, &endptr, 0); + sc->tagged_packet_limit = SnortStrtol(args, &endptr, 0); if ((errno == ERANGE) || (*endptr != '\0') || (sc->tagged_packet_limit < 0)) { @@ -8747,9 +9292,8 @@ if (!warned) { - LogMessage("Warning: %s(%d) => config threshold is deprecated" - " use config event_filter instead.\n", - file_name, file_line); + ParseWarning("config threshold is deprecated;" + " use config event_filter instead.\n"); warned = 1; } 
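Review bot: `ConfigSoRuleMemcap` advertises a range of 0 to `UINT32_MAX` in its error text but never checks the upper bound; if `sc->so_rule_memcap` is a 32-bit field, a larger value is silently truncated on LP64 hosts, and if it is an `unsigned long`, the message is misleading. Convert into a local and check it: `unsigned long val = SnortStrtoul(args, &endptr, 0);` then `if ((errno == ERANGE) || (*endptr != '\0') || (val > UINT32_MAX))` before `sc->so_rule_memcap = (uint32_t)val;`.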
@@ -8757,35 +9301,20 @@ ConfigEventFilter(sc, args); } -#ifdef TIMESTATS -void ConfigTimestatsInterval(SnortConfig *sc, char *args) +void ConfigTreatDropAsAlert(SnortConfig *sc, char *args) { - char *endp; - uint32_t val = 0; - - if ((sc == NULL) || (args == NULL)) + if (sc == NULL) return; - val = strtoul(args, &endp, 0); - if (args == endp || *endp) - { - ParseError("timestats_interval: Invalid argument '%s'.", args); - } - - sc->timestats_interval = val; - /* Reset the alarm to use the new time interval */ - alarm(sc->timestats_interval); - DEBUG_WRAP(DebugMessage(DEBUG_INIT, "timetstats_interval: " - "%d\n", sc->timestats_interval);); + sc->run_flags |= RUN_FLAG__TREAT_DROP_AS_ALERT; } -#endif -void ConfigTreatDropAsAlert(SnortConfig *sc, char *args) +void ConfigTreatDropAsIgnore(SnortConfig *sc, char *args) { if (sc == NULL) return; - sc->run_flags |= RUN_FLAG__TREAT_DROP_AS_ALERT; + sc->run_flags |= RUN_FLAG__TREAT_DROP_AS_IGNORE; } void ConfigUmask(SnortConfig *sc, char *args) @@ -8800,7 +9329,7 @@ if ((sc == NULL) || (args == NULL)) return; - mask = strtol(args, &endptr, 0); + mask = SnortStrtol(args, &endptr, 0); if ((errno == ERANGE) || (*endptr != '\0') || (mask < 0) || (mask & ~FILEACCESSBITS)) @@ -8828,6 +9357,24 @@ DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Verbose Flag active\n");); } +void ConfigVlanAgnostic(SnortConfig *sc, char *args) +{ + if (sc == NULL) + return; + + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "VLAN Agnostic active\n");); + sc->vlan_agnostic = 1; /* TODO: add this to some existing flag bitfield? */ +} + +void ConfigLogIPv6Extra(SnortConfig *sc, char *args) +{ + if (sc == NULL) + return; + + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "LOG IPV6 EXTRA DATA active\n");); + sc->log_ipv6_extra = 1; /* TODO: add this to some existing flag bitfield? */ +} + #ifdef DYNAMIC_PLUGIN void ConfigDumpDynamicRulesPath(SnortConfig *sc, char *args) { 
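Review bot: `ConfigTreatDropAsIgnore` and `ConfigTreatDropAsAlert` each set their run flag without clearing or rejecting the other, so a configuration naming both leaves `RUN_FLAG__TREAT_DROP_AS_ALERT` and `RUN_FLAG__TREAT_DROP_AS_IGNORE` set together and the precedence is decided somewhere outside this hunk. Either reject the combination here, e.g. `if (sc->run_flags & RUN_FLAG__TREAT_DROP_AS_ALERT) ParseError("treat_drop_as_ignore conflicts with treat_drop_as_alert.");`, or document which flag wins in the function comment. The `/* TODO: add this to some existing flag bitfield? */` notes on the new `vlan_agnostic` and `log_ipv6_extra` fields should be resolved or turned into a tracked item rather than merged as open questions.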
@@ -8838,7 +9385,13 @@ sc->dynamic_rules_path = SnortStrdup(args); } #endif - +void ConfigControlSocketDirectory(SnortConfig *sc, char *args) +{ + if (sc == NULL) + return; + if ( args != NULL ) + sc->cs_dir = SnortStrdup(args); +} /**************************************************************************** * * Function: ParseRule() @@ -8861,21 +9414,15 @@ OptTreeNode *otn; char *roptions = NULL; port_entry_t pe; -#ifdef PORTLISTS PortVarTable *portVarTable = p->portVarTable; PortTable *nonamePortVarTable = p->nonamePortVarTable; -#else - int ret; -#endif if ((sc == NULL) || (args == NULL)) return; memset(&test_rtn, 0, sizeof(RuleTreeNode)); - -#ifdef PORTLISTS + memset(&pe, 0, sizeof(pe)); -#endif DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"[*] Rule start\n");); @@ -8932,7 +9479,7 @@ /* This will be set via ip_protos */ break; default: - ParseError("Bad protocol: %s", toks[1]); + ParseError("Bad protocol: %s", toks[0]); break; } @@ -8944,9 +9491,6 @@ * processing packets. */ ProcessIP(sc, toks[1], &test_rtn, SRC, 0); - /* Make sure the IP lists provided by the user are valid */ - ValidateIPList(test_rtn.sip, toks[1]); - /* Check to make sure that the user entered port numbers. * Sometimes they forget/don't know that ICMP rules need them */ if ((strcasecmp(toks[2], RULE_DIR_OPT__DIRECTIONAL) == 0) || @@ -8955,7 +9499,6 @@ ParseError("Port value missing in rule!"); } -#ifdef PORTLISTS DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"Src-Port: %s\n",toks[2]);); if (ParsePortList(&test_rtn, portVarTable, nonamePortVarTable, 
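Review bot: `ConfigControlSocketDirectory` overwrites `sc->cs_dir` with a fresh `SnortStrdup` on every call, so a repeated config line leaks the previous copy; `ConfigLogDir` in this same file guards with `sc->log_dir != NULL`, and the same early return belongs here: `if ((sc == NULL) || (args == NULL) || (sc->cs_dir != NULL)) return;`. The function is also glued directly to the preceding `#endif` with no separating blank line, unlike its neighbours. In the `ParseRule` hunks on this line the two `ValidateIPList` calls for the source and destination lists are removed without a visible replacement; if `ProcessIP` now performs that validation, a comment at each call site saying so would prevent the question from being raised again.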
@@ -8963,24 +9506,7 @@ { ParseError("Bad source port: '%s'", toks[2]); } -#else - /* do the same for the port */ - ret = ParsePort(toks[2], &test_rtn.hsp, &test_rtn.lsp, toks[0], - &test_rtn.not_sp_flag); - if(ret > 0) - { - test_rtn.flags |= ANY_SRC_PORT; - } - else if(ret < 0) - { - mSplitFree(&toks, num_toks); - FreeRuleTreeNode(&test_rtn); - return; - } - if(test_rtn.not_sp_flag) - test_rtn.flags |= EXCEPT_SRC_PORT; -#endif /* changed version 1.8.4 * Die when someone has tried to define a rule character other * than -> or <> */ @@ -9006,10 +9532,6 @@ * properly deal with it when we are processing packets */ ProcessIP(sc, toks[4], &test_rtn, DST, 0); - /* Make sure the IP lists provided by the user are valid */ - ValidateIPList(test_rtn.dip, toks[4]); - -#ifdef PORTLISTS DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"Dst-Port: %s\n", toks[5]);); if (ParsePortList(&test_rtn, portVarTable, nonamePortVarTable, @@ -9017,28 +9539,13 @@ { ParseError("Bad destination port: '%s'", toks[5]); } -#else - ret = ParsePort(toks[5], &test_rtn.hdp, &test_rtn.ldp, toks[0], - &test_rtn.not_dp_flag); - if(ret > 0) - { - test_rtn.flags |= ANY_DST_PORT; - } - else if(ret < 0) - { - mSplitFree(&toks, num_toks); - FreeRuleTreeNode(&test_rtn); - return; - } - - if(test_rtn.not_dp_flag) - test_rtn.flags |= EXCEPT_DST_PORT; -#endif } DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"test_rtn.flags = 0x%X\n", test_rtn.flags);); DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Processing Head Node....\n");); + test_rtn.listhead = list; + rtn = ProcessHeadNode(sc, &test_rtn, list); /* The IPs in the test node get free'd in ProcessHeadNode if there is * already a matching RTN. The portobjects will get free'd when the @@ -9055,8 +9562,7 @@ } rule_count++; - -#ifdef PORTLISTS + /* Get rule option info */ pe.gid = otn->sigInfo.generator; pe.sid = otn->sigInfo.id; 
@@ -9068,32 +9574,58 @@ pe.src_port = SnortStrdup(toks[2]); pe.dst_port = SnortStrdup(toks[5]); } - - if (OtnHasContent(otn)) - pe.content = 1; - - if (OtnHasUriContent(otn)) - pe.uricontent = 1; + + /* See what kind of content is going in the fast pattern matcher */ +#ifdef DYNAMIC_PLUGIN + if (otn->ds_list[PLUGIN_DYNAMIC] != NULL) + { + DynamicData *dd = (DynamicData *)otn->ds_list[PLUGIN_DYNAMIC]; + if (dd->contentFlags & CONTENT_HTTP) + pe.uricontent = 1; + else if (dd->contentFlags & CONTENT_NORMAL) + pe.content = 1; + } + else +#endif + { + /* Since http_cookie content is not used in fast pattern matcher, + * need to iterate the entire list */ + if (otn->ds_list[PLUGIN_PATTERN_MATCH_URI] != NULL) + { + PatternMatchData *pmd = otn->ds_list[PLUGIN_PATTERN_MATCH_URI]; + for (; pmd != NULL; pmd = pmd->next) + { + if((pmd->uri_buffer) && IsHttpBufFpEligible(pmd->uri_buffer)) + { + pe.uricontent = 1; + break; + } + } + } + + if (!pe.uricontent && ((otn->ds_list[PLUGIN_PATTERN_MATCH] != NULL) + || (otn->ds_list[PLUGIN_PATTERN_MATCH_OR] != NULL))) + { + pe.content = 1; + } + } if (rtn->flags & BIDIRECTIONAL) pe.dir = 1; pe.proto = protocol; pe.rule_type = rule_type; - + port_list_add_entry(&port_list, &pe); - - /* - * The src/dst port parsing must be done before the Head Nodes are processed, since they must - * compare the ports/port_objects to find the right rtn list to add the otn rule to. - * - * After otn processing we can finalize port object processing for this rule - */ - if (FinishPortListRule(sc->port_tables, rtn, otn, protocol, &pe, sc->fast_pattern_config)) - { - ParseError("Failed to finish a port list rule."); - } -#endif + + /* + * The src/dst port parsing must be done before the Head Nodes are processed, since they must + * compare the ports/port_objects to find the right rtn list to add the otn rule to. 
+ * + * After otn processing we can finalize port object processing for this rule + */ + if (FinishPortListRule(sc->port_tables, rtn, otn, protocol, &pe, sc->fast_pattern_config)) + ParseError("Failed to finish a port list rule."); mSplitFree(&toks, num_toks); } @@ -9152,7 +9684,7 @@ } #if 0 -#ifdef DEBUG +#ifdef DEBUG_MSGS static void PrintRtnPorts(RuleTreeNode *rtn_list) { int i = 0; @@ -9204,15 +9736,11 @@ { DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Drop\n");); - /* If we are not treating drop as alert and not listening to iptables, let's - * ignore any drop rules in the configuration file */ - if (!ScTreatDropAsAlert() && !ScAdapterInlineMode()) - return; - /* Parse as an alert if we're treating drops as alerts */ if (ScTreatDropAsAlert()) ParseRule(sc, p, args, RULE_TYPE__ALERT, &sc->Alert); - else + + else if ( ScKeepDropRules() || ScLoadAsDropRules() ) ParseRule(sc, p, args, RULE_TYPE__DROP, &sc->Drop); } 
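Review bot: The `else` that follows the `#ifdef DYNAMIC_PLUGIN` block is written without braces and is immediately followed by `#endif`, so with the macro undefined the compound statement stands alone and with it defined the `else` attaches to the dynamic-data `if`; it compiles both ways but is easy to break on the next edit. Moving the whole classification into a small static helper such as `static void SetFastPatternContentKind(OptTreeNode *otn, port_entry_t *pe)` keeps the preprocessor boundary out of an `if`/`else` chain. `pmd` is assigned from `otn->ds_list[...]` without a cast while `DynamicData` just above gets one; pick one style. The enclosing function starts before this hunk.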
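Review bot: In `ParseDrop` a drop rule is now discarded silently when neither `ScKeepDropRules()` nor `ScLoadAsDropRules()` holds and drops are not treated as alerts; the removed early return at least carried a comment explaining that, and now nothing tells the operator that the rule was ignored. Add a final `else` with a ParseWarning, or at minimum a comment such as `/* drop rules are ignored unless kept/loaded as drops or treated as alerts */`. The enclosing function starts before this hunk.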
@@ -9234,41 +9762,23 @@ ParseRule(sc, p, args, RULE_TYPE__PASS, &sc->Pass); } -#ifdef GIDS static void ParseReject(SnortConfig *sc, SnortPolicy *p, char *args) { DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES, "Reject\n");); - - /* If we are not treating drop as alert and not listening to iptables, let's - * ignore any drop rules in the configuration file */ - if (!ScTreatDropAsAlert() && !ScAdapterInlineMode()) - return; - - /* Parse as an alert if we're treating drops as alerts */ - if (ScTreatDropAsAlert()) - ParseRule(sc, p, args, RULE_TYPE__ALERT, &sc->Alert); - else - ParseRule(sc, p, args, RULE_TYPE__REJECT, &sc->Reject); + ParseRule(sc, p, args, RULE_TYPE__REJECT, &sc->Reject); +#ifdef ACTIVE_RESPONSE + Active_SetEnabled(1); +#endif } static void ParseSdrop(SnortConfig *sc, SnortPolicy *p, char *args) { DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES, "SDrop\n");); - /* If we are not treating drop as alert and not listening to iptables, let's - * ignore any drop rules in the configuration file */ - if (!ScTreatDropAsAlert() && !ScAdapterInlineMode()) - return; - - /* Parse as an alert if we're treating drops as alerts */ - if (ScTreatDropAsAlert()) - ParseRule(sc, p, args, RULE_TYPE__ALERT, &sc->Alert); - else + if ( ScKeepDropRules() && !ScTreatDropAsAlert() ) ParseRule(sc, p, args, RULE_TYPE__SDROP, &sc->SDrop); } -#endif -#ifdef PORTLISTS static void ParsePortVar(SnortConfig *sc, SnortPolicy *p, char *args) { char **toks; @@ -9305,13 +9815,13 @@ mSplitFree(&toks, num_toks); } -#endif #ifdef SUP_IP6 static void ParseIpVar(SnortConfig *sc, SnortPolicy *p, char *args) { char **toks; int num_toks; + int ret; DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES, "IpVar\n");); 
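Review bot: `ParseReject` no longer honours `ScTreatDropAsAlert()`: drop and sdrop rules are still downgraded to alert or skipped in `ParseDrop`/`ParseSdrop`, but a reject rule is now always registered as `RULE_TYPE__REJECT` and also calls `Active_SetEnabled(1)` at parse time, so a deployment configured with treat_drop_as_alert gains active responses it did not have before. If that is intended, a comment on the function should say so; otherwise guard it like the other two, `if (ScTreatDropAsAlert()) ParseRule(sc, p, args, RULE_TYPE__ALERT, &sc->Alert); else { ... }`. `ParseSdrop` likewise returns silently when its condition fails, with no warning that the rule was discarded.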
@@ -9341,7 +9851,32 @@ } DisallowCrossTableDuplicateVars(sc, toks[0], VAR_TYPE__IPVAR); - sfvt_define(p->ip_vartable, toks[0], toks[1]); + + if((ret = sfvt_define(p->ip_vartable, toks[0], toks[1])) != SFIP_SUCCESS) + { + switch(ret) { + case SFIP_ARG_ERR: + ParseError("The following is not allowed: %s.", toks[1]); + break; + + case SFIP_DUPLICATE: + ParseMessage("Var '%s' redefined.", toks[0]); + break; + + case SFIP_CONFLICT: + ParseError("Negated IP ranges that are more general than " + "non-negated ranges are not allowed. Consider " + "inverting the logic in %s.", toks[0]); + break; + + case SFIP_NOT_ANY: + ParseError("!any is not allowed in %s.", toks[0]); + break; + + default: + ParseError("Failed to parse the IP address: %s.", toks[1]); + } + } mSplitFree(&toks, num_toks); } @@ -9373,7 +9908,7 @@ while (tmp != NULL) { - // Already defined this via command line + // Already defined this via command line if (strcasecmp(toks[0], tmp->name) == 0) { mSplitFree(&toks, num_toks); @@ -9382,7 +9917,7 @@ tmp = tmp->next; } - } + } AddVarToTable(sc, toks[0], toks[1]); mSplitFree(&toks, num_toks); @@ -9390,7 +9925,6 @@ static void AddVarToTable(SnortConfig *sc, char *name, char *value) { -#ifdef PORTLISTS //TODO: snort.cfg and rules should use PortVar instead ...this allows compatability for now. if (strstr(name, "_PORT") || strstr(name, "PORT_")) { @@ -9398,7 +9932,6 @@ PortVarDefine(sc, name, value); } else -#endif { VarDefine(sc, name, value); } @@ -9565,9 +10098,8 @@ if (!warned) { - LogMessage("Warning: %s(%d) => threshold (standalone) " - "is deprecated; use event_filter instead.\n", - file_name, file_line); + ParseWarning("threshold (standalone) is deprecated; " + "use event_filter instead.\n"); warned = 1; } @@ -9736,7 +10268,7 @@ tmp->next = node; } - act_num = strtol(args, &endptr, 0); + act_num = SnortStrtol(args, &endptr, 0); if ((errno == ERANGE) || (*endptr != '\0') || (act_num < 0) || (act_num > INT32_MAX)) { 
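Review bot: In `ParseIpVar` a duplicate definition (`SFIP_DUPLICATE`) is reported with `ParseMessage("Var '%s' redefined.", toks[0])` and parsing continues, so which definition wins is decided inside `sfvt_define` and the user only sees an informational line; this commit converts similar "WARNING" messages elsewhere to `ParseWarning`, and this one should follow: `ParseWarning("Var '%s' redefined.", toks[0]);`. The `switch(ret) {` brace placement also differs from the Allman style used by the surrounding code. The enclosing function starts before this hunk.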
@@ -9779,7 +10311,7 @@ "'activate' rules."); } - act_num = strtol(args, &endptr, 0); + act_num = SnortStrtol(args, &endptr, 0); if ((errno == ERANGE) || (*endptr != '\0') || (act_num < 0) || (act_num > INT32_MAX)) { @@ -9797,7 +10329,7 @@ if (args == NULL) { - ParseMessage("WARNING: ClassType without an argument!"); + ParseWarning("ClassType without an argument!"); return; } @@ -9851,7 +10383,7 @@ "'dynamic' rules."); } - count = strtol(args, &endptr, 0); + count = SnortStrtol(args, &endptr, 0); if ((errno == ERANGE) || (*endptr != '\0') || (count < 0)) { ParseError("Invalid argument to 'count' rule option: %s. " @@ -9965,7 +10497,7 @@ if (args == NULL) ParseError("Gid rule option requires an argument."); - gid = strtoul(args, &endptr, 0); + gid = SnortStrtoul(args, &endptr, 0); if ((errno == ERANGE) || (*endptr != '\0')) { ParseError("Invalid argument to 'gid' rule option: %s. " @@ -10122,20 +10654,20 @@ /* * metadata may be key/value pairs or just keys - * + * * metadata: key [=] value, key [=] value, key [=] value, key, key, ... ; * * This option may be used one or more times, with one or more key/value pairs. * - * updated 8/28/06 - man + * updated 8/28/06 - man * * keys: - * + * * engine * rule-flushing * rule-type * soid - * service + * service * os */ static void ParseOtnMetadata(SnortConfig *sc, RuleTreeNode *rtn, @@ -10149,9 +10681,9 @@ ParseError("Metadata rule option requires an argument."); DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES, "metadata: %s\n", args);); - + metadata_toks = mSplit(args, ",", 100, &num_metadata_toks, 0); - + for (i = 0; i < num_metadata_toks; i++) { char **key_value_toks; @@ -10171,7 +10703,7 @@ DebugMessage(DEBUG_CONFIGRULES, " value=%s", value); DebugMessage(DEBUG_CONFIGRULES, "\n"); ); - + /* process key/value pairs */ if (strcasecmp(key, METADATA_KEY__ENGINE) == 0) { 
@@ -10258,13 +10790,13 @@ "(|) separated pair.", key); } - long_val = strtoul(toks[0], &endptr, 10); + long_val = SnortStrtoul(toks[0], &endptr, 10); if ((errno == ERANGE) || (*endptr != '\0') || (long_val > UINT32_MAX)) ParseError("Bogus gid %s", toks[0]); otn->sigInfo.otnKey.gid = (uint32_t)long_val; - - long_val = strtoul(toks[1], &endptr, 10); + + long_val = SnortStrtoul(toks[1], &endptr, 10); if ((errno == ERANGE) || (*endptr != '\0') || (long_val > UINT32_MAX)) ParseError("Bogus sid %s", toks[1]); @@ -10272,7 +10804,7 @@ mSplitFree(&toks, num_toks); } -#if defined(TARGET_BASED) && defined(PORTLISTS) +#ifdef TARGET_BASED /* track all of the rules for each service */ else if (strcasecmp(key, METADATA_KEY__SERVICE) == 0 ) { @@ -10309,7 +10841,7 @@ else if (strcasecmp(key, METADATA_KEY__OS) == 0 ) { // metadata: os = Linux:w - // + // if (value == NULL) ParseError("Metadata key '%s' requires a value.", key); @@ -10337,7 +10869,7 @@ if (args == NULL) ParseError("Priority rule option requires an argument."); - priority = strtoul(args, &endptr, 0); + priority = SnortStrtoul(args, &endptr, 0); if ((errno == ERANGE) || (*endptr != '\0')) { ParseError("Invalid argument to 'gid' rule option: %s. " @@ -10362,7 +10894,7 @@ toks = mSplit(args, ",", 2, &num_toks, 0); if (num_toks != 2) { - ParseMessage("WARNING: Ignoring invalid Reference spec '%s'.", args); + ParseWarning("Ignoring invalid Reference spec '%s'.", args); return; } @@ -10380,7 +10912,7 @@ if (args == NULL) ParseError("Revision rule option requires an argument."); - rev = strtoul(args, &endptr, 0); + rev = SnortStrtoul(args, &endptr, 0); if ((errno == ERANGE) || (*endptr != '\0')) { ParseError("Invalid argument to 'rev' rule option: %s. " 
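Review bot: The changed `priority = SnortStrtoul(...)` line is followed by the pre-existing context message `"Invalid argument to 'gid' rule option: %s. "`, a copy-paste error inside the priority parser; since the call is being touched, the text should become `"Invalid argument to 'priority' rule option: %s. "`. The sid parser in the `@@ -10401` hunk on the next line has the same problem with `"Revision rule option requires an argument."` where the sid option is meant. Both enclosing functions start before their hunks.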
@@ -10401,7 +10933,7 @@ if (args == NULL) ParseError("Revision rule option requires an argument."); - sid = strtoul(args, &endptr, 0); + sid = SnortStrtoul(args, &endptr, 0); if ((errno == ERANGE) || (*endptr != '\0')) { ParseError("Invalid argument to 'sid' rule option: %s. " @@ -10426,6 +10958,7 @@ int i; char **toks; int num_toks; + uint8_t got_count = 0; if (otn->tag != NULL) ParseError("Can only use 'tag' rule option once per rule."); 
@@ -10433,90 +10966,83 @@ DEBUG_WRAP(DebugMessage(DEBUG_RULES, "Parsing tag args: %s\n", args);); toks = mSplit(args, " ,", 0, &num_toks, 0); - for (i = 0; i < num_toks; i++) - { - DEBUG_WRAP(DebugMessage(DEBUG_RULES, "parsing tag tok: \"%s\"\n", toks[i]);); + if (num_toks < 3) + ParseError("Invalid tag arguments: %s", args); - if (strcasecmp(toks[i], TAG_OPT__SESSION) == 0) - { - DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "Setting type to SESSION\n");); - type = TAG_SESSION; - } - else if (strcasecmp(toks[i], TAG_OPT__HOST) == 0) - { - type = TAG_HOST; - } - else if (strcasecmp(toks[i], TAG_OPT__SRC) == 0) - { - direction = TAG_HOST_SRC; - } - else if (strcasecmp(toks[i], TAG_OPT__DST) == 0) - { - direction = TAG_HOST_DST; - } - else if (strcasecmp(toks[i], TAG_OPT__SECONDS) == 0) - { - metric |= TAG_METRIC_SECONDS; - seconds = count; - } - else if (strcasecmp(toks[i], TAG_OPT__PACKETS) == 0) + if (strcasecmp(toks[0], TAG_OPT__SESSION) == 0) + type = TAG_SESSION; + else if (strcasecmp(toks[0], TAG_OPT__HOST) == 0) + type = TAG_HOST; + else + ParseError("Invalid tag type: %s", toks[0]); + + for (i = 1; i < num_toks; i++) + { + if (!got_count) { - if (count) + if (isdigit((int)toks[i][0])) { - metric |= TAG_METRIC_PACKETS; - packets = count; + long int val; + char *endptr; + + val = SnortStrtol(toks[i], &endptr, 0); + if ((errno == ERANGE) || (*endptr != '\0') || + (val < 0) || (val > INT32_MAX)) + { + ParseError("Invalid argument to 'tag' rule option. 
" + "Numbers must be between 0 and %d.", INT32_MAX); + } + + count = (int)val; + got_count = 1; } else { - metric |= TAG_METRIC_UNLIMITED; - /* Set count in case 'packets' is the last - * option parsed since 0 is a valid value now */ - count = -1; + /* Check for src/dst */ + break; } } - else if (strcasecmp(toks[i], TAG_OPT__BYTES) == 0) - { - metric |= TAG_METRIC_BYTES; - bytes = count; - } - else if (isdigit((int)toks[i][0])) + else { - long int val; - char *endptr; - - val = strtol(toks[i], &endptr, 0); - if ((errno == ERANGE) || (*endptr != '\0') || - (val < 0) || (val > INT32_MAX)) + if (strcasecmp(toks[i], TAG_OPT__SECONDS) == 0) { - ParseError("Invalid argument to 'tag' rule option. " - "Numbers must be between 0 and %d.", INT32_MAX); + if (metric & TAG_METRIC_SECONDS) + ParseError("Can only configure seconds metric to tag rule option once"); + if (!count) + ParseError("Tag seconds metric must have a positive count"); + metric |= TAG_METRIC_SECONDS; + seconds = count; + } + else if (strcasecmp(toks[i], TAG_OPT__PACKETS) == 0) + { + if (metric & (TAG_METRIC_PACKETS|TAG_METRIC_UNLIMITED)) + ParseError("Can only configure packets metric to tag rule option once"); + if (count) + metric |= TAG_METRIC_PACKETS; + else + metric |= TAG_METRIC_UNLIMITED; + packets = count; + } + else if (strcasecmp(toks[i], TAG_OPT__BYTES) == 0) + { + if (metric & TAG_METRIC_BYTES) + ParseError("Can only configure bytes metric to tag rule option once"); + if (!count) + ParseError("Tag bytes metric must have a positive count"); + metric |= TAG_METRIC_BYTES; + bytes = count; + } + else + { + ParseError("Invalid tag metric: %s", toks[i]); } - count = (int)val; - } - else - { - ParseError("Invalid 'tag' option: %s.", toks[i]); + got_count = 0; } } - mSplitFree(&toks, num_toks); - - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Set type: %d metric: %x count: %d\n", type, - metric, count);); - - /* check that we've got enough to set a tag with */ - if(type && metric && count) - { - otn->tag = 
(TagData *)SnortAlloc(sizeof(TagData)); - - otn->tag->tag_type = type; - otn->tag->tag_metric = metric; - otn->tag->tag_seconds = seconds; - otn->tag->tag_bytes = bytes; - otn->tag->tag_packets = packets; - otn->tag->tag_direction = direction; - } + if (!metric || got_count) + ParseError("Invalid tag rule option: %s", args); if ((metric & TAG_METRIC_UNLIMITED) && !(metric & (TAG_METRIC_BYTES|TAG_METRIC_SECONDS))) @@ -10524,6 +11050,43 @@ ParseError("Invalid Tag options. 'packets' parameter '0' but " "neither seconds or bytes specified: %s", args); } + + if (i < num_toks) + { + if (type != TAG_HOST) + ParseError("Only tag host type can configure direction"); + + if (strcasecmp(toks[i], TAG_OPT__SRC) == 0) + direction = TAG_HOST_SRC; + else if (strcasecmp(toks[i], TAG_OPT__DST) == 0) + direction = TAG_HOST_DST; + else + ParseError("Invalid 'tag' option: %s.", toks[i]); + + i++; + } + else if (type == TAG_HOST) + { + ParseError("Tag host type must specify direction"); + } + + /* Shouldn't be any more tokens */ + if (i != num_toks) + ParseError("Invalid 'tag' option: %s.", args); + + mSplitFree(&toks, num_toks); + + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Set type: %d metric: %x count: %d\n", type, + metric, count);); + + otn->tag = (TagData *)SnortAlloc(sizeof(TagData)); + + otn->tag->tag_type = type; + otn->tag->tag_metric = metric; + otn->tag->tag_seconds = seconds; + otn->tag->tag_bytes = bytes; + otn->tag->tag_packets = packets; + otn->tag->tag_direction = direction; } /* @@ -10550,9 +11113,8 @@ if (!warned) { - LogMessage("Warning: %s(%d) => threshold (in rule) " - "is deprecated; use detection_filter instead.\n", - file_name, file_line); + ParseWarning("threshold (in rule) is deprecated; " + "use detection_filter instead.\n"); warned = 1; } 
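Review bot: `if (isdigit((int)toks[i][0]))` in the rewritten token loop hands a plain `char` to isdigit(); where `char` is signed, a byte >= 0x80 in a rule file becomes a negative argument, and the <ctype.h> functions are only defined for EOF and `unsigned char` values. The same pattern is introduced as `while (isspace(*arg))` in the new ParseBool() further down this diff. Suggested: `if (isdigit((unsigned char)toks[i][0]))` here and `while (isspace((unsigned char)*arg))` in ParseBool. The enclosing tag-parsing function starts before this hunk.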
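Review bot: The converted `ParseWarning("threshold (in rule) is deprecated; " "use detection_filter instead.\n");` keeps the trailing `\n` from the old LogMessage call, but ParseWarning() as added in the `@@ -11503` hunk already appends a newline in `LogMessage("WARNING %s(%d) %s\n", file_name, file_line, buf)`, so this warning is followed by a blank line. Drop the escape: `"use detection_filter instead.");`. The other call converted in this diff, `ParseWarning("Ignoring invalid Reference spec '%s'.", args);`, already omits it.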
@@ -10671,18 +11233,16 @@ CreateRuleType(sc, RULE_LIST_TYPE__DYNAMIC, RULE_TYPE__DYNAMIC, 1, &sc->Dynamic); CreateRuleType(sc, RULE_LIST_TYPE__PASS, RULE_TYPE__PASS, 0, &sc->Pass); /* changed on Jan 06 */ CreateRuleType(sc, RULE_LIST_TYPE__DROP, RULE_TYPE__DROP, 1, &sc->Drop); -#ifdef GIDS CreateRuleType(sc, RULE_LIST_TYPE__SDROP, RULE_TYPE__SDROP, 0, &sc->SDrop); CreateRuleType(sc, RULE_LIST_TYPE__REJECT, RULE_TYPE__REJECT, 1, &sc->Reject); -#endif /* GIDS */ CreateRuleType(sc, RULE_LIST_TYPE__ALERT, RULE_TYPE__ALERT, 1, &sc->Alert); CreateRuleType(sc, RULE_LIST_TYPE__LOG, RULE_TYPE__LOG, 1, &sc->Log); } -static int GetRuleType(char *arg) +static RuleType GetRuleType(char *arg) { if (arg == NULL) - return RULE_TYPE__NONE; + return RULE_TYPE__NONE; if (strcasecmp(arg, SNORT_CONF_KEYWORD__ACTIVATE) == 0) return RULE_TYPE__ACTIVATE; @@ -10690,18 +11250,20 @@ return RULE_TYPE__ALERT; else if (strcasecmp(arg, SNORT_CONF_KEYWORD__DROP) == 0) return RULE_TYPE__DROP; + else if (strcasecmp(arg, SNORT_CONF_KEYWORD__BLOCK) == 0) + return RULE_TYPE__DROP; else if (strcasecmp(arg, SNORT_CONF_KEYWORD__DYNAMIC) == 0) return RULE_TYPE__DYNAMIC; else if (strcasecmp(arg, SNORT_CONF_KEYWORD__LOG) == 0) return RULE_TYPE__LOG; else if (strcasecmp(arg, SNORT_CONF_KEYWORD__PASS) == 0) return RULE_TYPE__PASS; -#ifdef GIDS else if (strcasecmp(arg, SNORT_CONF_KEYWORD__REJECT) == 0) return RULE_TYPE__REJECT; else if (strcasecmp(arg, SNORT_CONF_KEYWORD__SDROP) == 0) return RULE_TYPE__SDROP; -#endif /* GIDS */ + else if (strcasecmp(arg, SNORT_CONF_KEYWORD__SBLOCK) == 0) + return RULE_TYPE__SDROP; return RULE_TYPE__NONE; } @@ -10756,10 +11318,8 @@ FreeRuleTreeNodes(sc); FreeOutputLists(&sc->Drop); -#ifdef GIDS FreeOutputLists(&sc->SDrop); FreeOutputLists(&sc->Reject); -#endif /* GIDS */ FreeOutputLists(&sc->Alert); FreeOutputLists(&sc->Log); FreeOutputLists(&sc->Pass); 
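Review bot: The new `block` and `sblock` keywords in GetRuleType() are silently folded into RULE_TYPE__DROP and RULE_TYPE__SDROP, and nothing at the call site or beside the `SNORT_CONF_KEYWORD__BLOCK`/`SNORT_CONF_KEYWORD__SBLOCK` defines in parser.h says they are aliases rather than distinct rule types. A one-line comment on the two new branches, e.g. `/* "block"/"sblock" are aliases of drop/sdrop; no separate rule type exists */`, would spare the next reader a search for a RULE_TYPE__BLOCK that does not exist.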
@@ -10778,10 +11338,8 @@ node = node->next; if ((tmp->RuleList != &sc->Drop) && -#ifdef GIDS (tmp->RuleList != &sc->SDrop) && (tmp->RuleList != &sc->Reject) && -#endif /* GIDS */ (tmp->RuleList != &sc->Alert) && (tmp->RuleList != &sc->Log) && (tmp->RuleList != &sc->Pass) && @@ -10802,7 +11360,6 @@ } } -#ifdef PORTLISTS static void port_entry_free(port_entry_t *pentry) { if (pentry->src_port != NULL) @@ -10839,11 +11396,11 @@ } SafeMemcpy( &plist->pl_array[plist->pl_cnt], pentry, sizeof(port_entry_t), - &plist->pl_array[plist->pl_cnt], + &plist->pl_array[plist->pl_cnt], (char*)(&plist->pl_array[plist->pl_cnt]) + sizeof(port_entry_t)); plist->pl_cnt++; - return 0; + return 0; } #if 0 @@ -10868,9 +11425,9 @@ LogMessage(" src_port %s dst_port %s ", plist->pl_array[i].src_port, plist->pl_array[i].dst_port ); - LogMessage(" content %d", + LogMessage(" content %d", plist->pl_array[i].content); - LogMessage(" uricontent %d", + LogMessage(" uricontent %d", plist->pl_array[i].uricontent); LogMessage(" }\n"); } @@ -10903,9 +11460,9 @@ if( fpDetectGetDebugPrintRuleGroupsCompiled(fp) ) { LogMessage("***\n***Port-Table : %s Ports/Rules-Compiled\n",s); - PortTablePrintCompiledEx( pt, rule_index_map_print_index ); + PortTablePrintCompiledEx( pt, rule_index_map_print_index ); LogMessage("*** End of Compiled Group\n"); - } + } } void rule_index_map_print_index( int index, char *buf, int bufsize ) @@ -10923,7 +11480,7 @@ rule_port_tables_t *rpt = (rule_port_tables_t *)SnortAlloc(sizeof(rule_port_tables_t)); - /* No content rule objects */ + /* No content rule objects */ rpt->tcp_nocontent = PortObjectNew(); if (rpt->tcp_nocontent == NULL) FatalError("ParseRulesFile nocontent PortObjectNew() failed\n"); 
@@ -11005,14 +11562,14 @@ * someday these could be read from snort.conf, something like... * 'config portlist: large-rule-count ' */ - rpt->tcp_src->pt_lrc = DEFAULT_LARGE_RULE_GROUP; - rpt->tcp_dst->pt_lrc = DEFAULT_LARGE_RULE_GROUP; - rpt->udp_src->pt_lrc = DEFAULT_LARGE_RULE_GROUP; - rpt->udp_dst->pt_lrc = DEFAULT_LARGE_RULE_GROUP; - rpt->icmp_src->pt_lrc= DEFAULT_LARGE_RULE_GROUP; - rpt->icmp_dst->pt_lrc= DEFAULT_LARGE_RULE_GROUP; - rpt->ip_src->pt_lrc = DEFAULT_LARGE_RULE_GROUP; - rpt->ip_dst->pt_lrc = DEFAULT_LARGE_RULE_GROUP; + rpt->tcp_src->pt_lrc = DEFAULT_LARGE_RULE_GROUP; + rpt->tcp_dst->pt_lrc = DEFAULT_LARGE_RULE_GROUP; + rpt->udp_src->pt_lrc = DEFAULT_LARGE_RULE_GROUP; + rpt->udp_dst->pt_lrc = DEFAULT_LARGE_RULE_GROUP; + rpt->icmp_src->pt_lrc= DEFAULT_LARGE_RULE_GROUP; + rpt->icmp_dst->pt_lrc= DEFAULT_LARGE_RULE_GROUP; + rpt->ip_src->pt_lrc = DEFAULT_LARGE_RULE_GROUP; + rpt->ip_dst->pt_lrc = DEFAULT_LARGE_RULE_GROUP; return rpt; } @@ -11030,7 +11587,7 @@ finish_portlist_table(fp, "tcp src", port_tables->tcp_src); finish_portlist_table(fp, "tcp dst", port_tables->tcp_dst); - /* UDP-SRC */ + /* UDP-SRC */ if (fpDetectGetDebugPrintRuleGroupsCompiled(fp)) { LogMessage("*** UDP-Any-Any Port List\n"); @@ -11041,7 +11598,7 @@ finish_portlist_table(fp, "udp src", port_tables->udp_src); finish_portlist_table(fp, "udp dst", port_tables->udp_dst); - /* ICMP-SRC */ + /* ICMP-SRC */ if (fpDetectGetDebugPrintRuleGroupsCompiled(fp)) { LogMessage("*** ICMP-Any-Any Port List\n"); @@ -11052,7 +11609,7 @@ finish_portlist_table(fp, "icmp src", port_tables->icmp_src); finish_portlist_table(fp, "icmp dst", port_tables->icmp_dst); - /* IP-SRC */ + /* IP-SRC */ if (fpDetectGetDebugPrintRuleGroupsCompiled(fp)) { LogMessage("IP-Any-Any Port List\n"); 
@@ -11067,10 +11624,10 @@ RuleListSortUniq(port_tables->udp_anyany->rule_list); RuleListSortUniq(port_tables->icmp_anyany->rule_list); RuleListSortUniq(port_tables->ip_anyany->rule_list); - RuleListSortUniq(port_tables->tcp_nocontent->rule_list); - RuleListSortUniq(port_tables->udp_nocontent->rule_list); - RuleListSortUniq(port_tables->icmp_nocontent->rule_list); - RuleListSortUniq(port_tables->ip_nocontent->rule_list); + RuleListSortUniq(port_tables->tcp_nocontent->rule_list); + RuleListSortUniq(port_tables->udp_nocontent->rule_list); + RuleListSortUniq(port_tables->icmp_nocontent->rule_list); + RuleListSortUniq(port_tables->ip_nocontent->rule_list); } void VarTablesFree(SnortConfig *sc) @@ -11101,7 +11658,6 @@ } #endif -#ifdef PORTLISTS if (p->portVarTable != NULL) { PortVarTableFree(p->portVarTable); @@ -11113,7 +11669,6 @@ PortTableFree(p->nonamePortVarTable); p->nonamePortVarTable = NULL; } -#endif } } @@ -11159,7 +11714,6 @@ free(port_tables); } -#endif /**************************************************************************** * @@ -11232,8 +11786,9 @@ node->name = SnortStrdup(name); node->evalIndex = evalIndex; + sc->evalOrder[node->mode] = evalIndex; sc->num_rule_types++; - + return node->RuleList; } @@ -11262,8 +11817,8 @@ typedef struct iface_var { char name[128]; - bpf_u_int32 net; - bpf_u_int32 netmask; + uint32_t net; + uint32_t netmask; } iface_var_t; /**************************************************************************** @@ -11290,7 +11845,7 @@ for (i = 0; i < num_vars; i++) { DefineIfaceVar(sc, iface_vars[i].name, - (uint8_t *)&iface_vars[i].net, + (uint8_t *)&iface_vars[i].net, (uint8_t *)&iface_vars[i].netmask); } } @@ -11323,7 +11878,7 @@ sizeof(iface_vars[num_vars].name), "%s", dev->name); #endif DefineIfaceVar(sc, iface_vars[num_vars].name, - (uint8_t *)&net, + (uint8_t *)&net, (uint8_t *)&netmask); iface_vars[num_vars].net = net; 
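Review bot: `sc->evalOrder[node->mode] = evalIndex;` is assigned the same value as `node->evalIndex` here in CreateRuleType(), but the two companion hunks on the next line (`@@ -11410` and `@@ -11436`) write it after `addNodeToOrderedList(ordered_list, node, evalIndex++)`, i.e. after the post-increment, so there it holds `node->evalIndex + 1` while addNodeToOrderedList stored the pre-increment value in `node->evalIndex`. One of the two conventions is off by one unless the difference is deliberate, which nothing in the diff documents. Using the node's own field at the two later sites, `sc->evalOrder[node->mode] = node->evalIndex;`, makes all three agree. I cannot see the size of `evalOrder`, so whether every `node->mode` is in range is not verifiable here; CreateRuleType starts before this hunk.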
@@ -11343,7 +11898,7 @@ /**************************************************************************** * * Function : DefineIfaceVar() - * Purpose : Assign network address and network mast to IFACE_ADDR_VARNAME + * Purpose : Assign network address and network mask to IFACE_ADDR_VARNAME * variable. * Arguments : interface name (string) netaddress and netmask (4 octets each) * Returns : void function @@ -11360,8 +11915,8 @@ SnortSnprintf(varbuf, BUFSIZ, "%s_ADDRESS", iname); SnortSnprintf(valbuf, 32, "%d.%d.%d.%d/%d.%d.%d.%d", - network[0] & 0xff, network[1] & 0xff, network[2] & 0xff, - network[3] & 0xff, netmask[0] & 0xff, netmask[1] & 0xff, + network[0] & 0xff, network[1] & 0xff, network[2] & 0xff, + network[3] & 0xff, netmask[0] & 0xff, netmask[1] & 0xff, netmask[2] & 0xff, netmask[3] & 0xff); VarDefine(sc, varbuf, valbuf); @@ -11410,6 +11965,7 @@ /* Add node to ordered list */ ordered_list = addNodeToOrderedList(ordered_list, node, evalIndex++); + sc->evalOrder[node->mode] = evalIndex; break; } @@ -11436,22 +11992,23 @@ sc->rule_lists = node->next; /* Add node to ordered list */ ordered_list = addNodeToOrderedList(ordered_list, node, evalIndex++); + sc->evalOrder[node->mode] = evalIndex; } /* set the rulelists to the ordered list */ sc->rule_lists = ordered_list; } -static RuleListNode *addNodeToOrderedList(RuleListNode *ordered_list, +static RuleListNode *addNodeToOrderedList(RuleListNode *ordered_list, RuleListNode *node, int evalIndex) { RuleListNode *prev; prev = ordered_list; - + /* set the eval order for this rule set */ node->evalIndex = evalIndex; - + if(!prev) { ordered_list = node; 
@@ -11503,6 +12060,23 @@ FatalError("%s\n", buf); } +void ParseWarning(const char *format, ...) +{ + char buf[STD_BUF+1]; + va_list ap; + + va_start(ap, format); + vsnprintf(buf, STD_BUF, format, ap); + va_end(ap); + + buf[STD_BUF] = '\0'; + + if (file_name != NULL) + LogMessage("WARNING %s(%d) %s\n", file_name, file_line, buf); + else + LogMessage("%s\n", buf); +} + void ParseMessage(const char *format, ...) { char buf[STD_BUF+1]; @@ -11530,13 +12104,13 @@ * @return pointer to deleted RTN, NULL otherwise. */ RuleTreeNode * deleteRtnFromOtn( - OptTreeNode *otn, + OptTreeNode *otn, tSfPolicyId policyId ) { RuleTreeNode *rtn = NULL; - if (otn->proto_nodes + if (otn->proto_nodes && (otn->proto_node_num >= (policyId+1))) { rtn = getRtnFromOtn(otn, policyId); @@ -11558,8 +12132,8 @@ * -ve otherwise */ int addRtnToOtn( - OptTreeNode *otn, - tSfPolicyId policyId, + OptTreeNode *otn, + tSfPolicyId policyId, RuleTreeNode *rtn ) { @@ -11573,7 +12147,7 @@ if (!tmpNodeArray) { return -1; - } + } //copy original contents, the remaining elements are already zeroed out by snortAlloc if (otn->proto_nodes) @@ -11585,14 +12159,14 @@ otn->proto_node_num = numNodes; otn->proto_nodes = tmpNodeArray; } - + //add policyId if (otn->proto_nodes[policyId]) { DestroyRuleTreeNode(rtn); } - otn->proto_nodes[policyId] = rtn; + otn->proto_nodes[policyId] = rtn; return 0; //success } @@ -11604,23 +12178,23 @@ char* FixSeparators (char* rule, char c, const char* err) { int list = 0; - char* p = strchr(rule, c); + char* p = strchr(rule, c); if ( p && err ) - { + { FatalError("%s(%d) => %s: '%c' not allowed in argument\n", - file_name, file_line, err, c); - } + file_name, file_line, err, c); + } while ( isspace((int)*rule) ) rule++; p = rule; - while ( *p ) { + while ( *p ) { if ( *p == '[' ) list++; else if ( *p == ']' ) list--; else if ( *p == ',' && !list ) *p = c; p++; - } + } return rule; } 
@@ -11634,10 +12208,10 @@ *val = arg; if ( err && !**val ) - { + { FatalError("%s(%d) => %s: name value pair expected: %s\n", file_name, file_line, err, *nam); - } + } } static void IntegrityCheckRules(SnortConfig *sc) @@ -11655,8 +12229,8 @@ { otn = (OptTreeNode *)hashNode->data; - for (policyId = 0; - policyId < otn->proto_node_num; + for (policyId = 0; + policyId < otn->proto_node_num; policyId++) { rtn = getRtnFromOtn(otn, policyId); @@ -11667,8 +12241,8 @@ } if ((rtn->proto == IPPROTO_TCP) || (rtn->proto == IPPROTO_UDP) - || (rtn->proto == IPPROTO_ICMP) || (rtn->proto == ETHERNET_TYPE_IP)) - { + || (rtn->proto == IPPROTO_ICMP) || (rtn->proto == ETHERNET_TYPE_IP)) + { //do operation ofl_idx = otn->opt_func; opt_func_count = 0; @@ -11676,7 +12250,7 @@ while(ofl_idx != NULL) { opt_func_count++; - DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "%p->",ofl_idx->OptTestFunc);); + //DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "%p->",ofl_idx->OptTestFunc);); ofl_idx = ofl_idx->next; } @@ -11684,13 +12258,13 @@ { FatalError("Zero Length OTN List\n"); } - DEBUG_WRAP(DebugMessage(DEBUG_DETECT,"\n");); + //DEBUG_WRAP(DebugMessage(DEBUG_DETECT,"\n");); } } } - DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "OK\n");); + //DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "OK\n");); } /**returns matched header node. @@ -11709,15 +12283,15 @@ hashNode = sfghash_findnext(sc->otn_map)) { currHeadNodeOtn = (OptTreeNode *)hashNode->data; - for (currHeadNodePolicy = 0; - currHeadNodePolicy < currHeadNodeOtn->proto_node_num; + for (currHeadNodePolicy = 0; + currHeadNodePolicy < currHeadNodeOtn->proto_node_num; currHeadNodePolicy++) { rtn = getRtnFromOtn(currHeadNodeOtn, currHeadNodePolicy); - if (rtn && (rtn->type == type) + if (rtn && (rtn->type == type) && (rtn->proto == proto)) - { + { *policyId = currHeadNodePolicy; return currHeadNodeOtn; } 
@@ -11735,15 +12309,15 @@ if (currHeadNodeOtn) { - for (; - currHeadNodePolicy < currHeadNodeOtn->proto_node_num; + for (; + currHeadNodePolicy < currHeadNodeOtn->proto_node_num; currHeadNodePolicy++) { rtn = getRtnFromOtn(currHeadNodeOtn, currHeadNodePolicy); - if (rtn && (rtn->type == type) + if (rtn && (rtn->type == type) && (rtn->proto == proto)) - { + { *policyId = currHeadNodePolicy; return currHeadNodeOtn; } @@ -11756,15 +12330,15 @@ { currHeadNodeOtn = (OptTreeNode *)hashNode->data; - for (currHeadNodePolicy = 0; - currHeadNodePolicy < currHeadNodeOtn->proto_node_num; + for (currHeadNodePolicy = 0; + currHeadNodePolicy < currHeadNodeOtn->proto_node_num; currHeadNodePolicy++) { rtn = getRtnFromOtn(currHeadNodeOtn, currHeadNodePolicy); - if (rtn && (rtn->type == type) + if (rtn && (rtn->type == type) && (rtn->proto == proto)) - { + { *policyId = currHeadNodePolicy; return currHeadNodeOtn; } @@ -11774,7 +12348,7 @@ return NULL; } -/**returns matched header node. +/**returns matched header node. */ static RuleTreeNode * findHeadNode(SnortConfig *sc, RuleTreeNode *testNode, tSfPolicyId policyId) @@ -11791,14 +12365,8 @@ rtn = getRtnFromOtn(otn, policyId); //(protocol, rule_type) match - if (rtn && (rtn->type == testNode->type) - && (rtn->proto == testNode->proto)) - { - if (TestHeader(rtn, testNode)) - { - return rtn; - } - } + if (TestHeader(rtn, testNode)) + return rtn; } return NULL; @@ -11833,6 +12401,13 @@ if (pPolicy) { + // minimum possible (allows all but errors to pass by default) + pPolicy->min_ttl = 1; + +#ifdef NORMALIZER + pPolicy->new_ttl = 5; +#endif + /* Turn on all decoder alerts by default except for oversized alert. * Useful for bug reports ... */ pPolicy->decoder_alert_flags |= DECODE_EVENT_FLAG__DEFAULT; 
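Review bot: The simplified loop in findHeadNode() now calls `TestHeader(rtn, testNode)` without the `rtn &&` guard the removed lines had, yet getRtnFromOtn() — whose header comment in the parser.h hunk below documents "NULL otherwise" — returns NULL whenever `otn->proto_node_num` is not larger than policyId, so a NULL rtn can reach TestHeader. Unless TestHeader tolerates NULL, which this diff does not show, restore the guard: `if (rtn && TestHeader(rtn, testNode))`. Dropping the type/proto comparison is presumably intentional if TestHeader now performs it, but that is not visible either. findHeadNode's signature and the start of its loop lie before this hunk.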
@@ -11869,3 +12444,39 @@ } #endif } + + +/* Parse a boolean argument, with many ways to say "on" or "off". + Arguments: + char * arg => string argument to parse + Returns: + 1: Parsed a positive argument ("1", "on", "yes", "enable", "true") + 0: Parsed a negative argument ("0", "off", "no", "disable", "false") + -1: Error +*/ +int ParseBool(char *arg) +{ + if (arg == NULL) + return -1; + + /* Trim leading whitespace */ + while (isspace(*arg)) + arg++; + + if ( (strcasecmp(arg, "1") == 0) || + (strcasecmp(arg, "on") == 0) || + (strcasecmp(arg, "yes") == 0) || + (strcasecmp(arg, "enable") == 0) || + (strcasecmp(arg, "true") == 0) ) + return 1; + + if ( (strcasecmp(arg, "0") == 0) || + (strcasecmp(arg, "off") == 0) || + (strcasecmp(arg, "no") == 0) || + (strcasecmp(arg, "disable") == 0) || + (strcasecmp(arg, "false") == 0) ) + return 0; + + /* Other values are invalid! */ + return -1; +} diff -Nru snort-2.8.5.2/src/parser.h snort-2.9.2/src/parser.h --- snort-2.8.5.2/src/parser.h 2009-08-10 20:41:40.000000000 +0000 +++ snort-2.9.2/src/parser.h 2011-10-26 18:28:52.000000000 +0000 @@ -1,8 +1,8 @@ -/* -** Copyright (C) 2002-2009 Sourcefire, Inc. +/* +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** Copyright (C) 2000-2001 Andrew R. Baker -** +** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or @@ -13,11 +13,11 @@ ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. -** +** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -*/ +*/ /* $Id$ */ #ifndef __PARSER_H__ 
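Review bot: ParseBool() trims only leading whitespace (`while (isspace(*arg)) arg++;`) and then requires an exact strcasecmp() match, so `"on "` or `"1\t"` returns -1 even though the header comment lists those words as accepted; whether callers can ever hand it a trailing blank depends on how the config line was tokenised, which is not visible here. If rejection is intended, the contract comment should say so, e.g. add `Only leading whitespace is skipped; trailing whitespace makes the value invalid.` after the Returns list. If not, the trailing run should be clipped before the comparisons. (The `isspace(*arg)` argument should also be cast to `unsigned char`, as noted on the tag-parsing hunk above.)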
@@ -31,6 +31,7 @@ #include #include "rules.h" +#include "treenodes.h" #include "decode.h" #include "sflsq.h" #include "snort.h" @@ -41,13 +42,13 @@ #define SNORT_CONF_KEYWORD__ACTIVATE "activate" #define SNORT_CONF_KEYWORD__ALERT "alert" #define SNORT_CONF_KEYWORD__DROP "drop" +#define SNORT_CONF_KEYWORD__BLOCK "block" #define SNORT_CONF_KEYWORD__DYNAMIC "dynamic" #define SNORT_CONF_KEYWORD__LOG "log" #define SNORT_CONF_KEYWORD__PASS "pass" -#ifdef GIDS -# define SNORT_CONF_KEYWORD__REJECT "reject" -# define SNORT_CONF_KEYWORD__SDROP "sdrop" -#endif /* GIDS */ +#define SNORT_CONF_KEYWORD__REJECT "reject" +#define SNORT_CONF_KEYWORD__SDROP "sdrop" +#define SNORT_CONF_KEYWORD__SBLOCK "sblock" /* Include keyword */ #define SNORT_CONF_KEYWORD__INCLUDE "include" @@ -63,9 +64,7 @@ #define SNORT_CONF_KEYWORD__EVENT_FILTER "event_filter" # define SNORT_CONF_KEYWORD__IPVAR "ipvar" #define SNORT_CONF_KEYWORD__OUTPUT "output" -#ifdef PORTLISTS -# define SNORT_CONF_KEYWORD__PORTVAR "portvar" -#endif /* PORTLISTS */ +#define SNORT_CONF_KEYWORD__PORTVAR "portvar" #define SNORT_CONF_KEYWORD__PREPROCESSOR "preprocessor" #define SNORT_CONF_KEYWORD__RATE_FILTER "rate_filter" #define SNORT_CONF_KEYWORD__RULE_STATE "rule_state" @@ -90,6 +89,7 @@ #define CONFIG_OPT__CLASSIFICATION "classification" #define CONFIG_OPT__DAEMON "daemon" #define CONFIG_OPT__DECODE_DATA_LINK "decode_data_link" +#define CONFIG_OPT__DECODE_ESP "decode_esp" #define CONFIG_OPT__DEFAULT_RULE_STATE "default_rule_state" #define CONFIG_OPT__DETECTION "detection" #define CONFIG_OPT__DETECTION_FILTER "detection_filter" 
@@ -115,6 +115,8 @@ #define CONFIG_OPT__ENABLE_DECODE_DROPS "enable_decode_drops" #define CONFIG_OPT__ENABLE_DECODE_OVERSIZED_ALERTS "enable_decode_oversized_alerts" #define CONFIG_OPT__ENABLE_DECODE_OVERSIZED_DROPS "enable_decode_oversized_drops" +#define CONFIG_OPT__ENABLE_DEEP_TEREDO_INSPECTION "enable_deep_teredo_inspection" +#define CONFIG_OPT__ENABLE_GTP_DECODING "enable_gtp" #define CONFIG_OPT__ENABLE_IP_OPT_DROPS "enable_ipopt_drops" #ifdef MPLS # define CONFIG_OPT__ENABLE_MPLS_MULTICAST "enable_mpls_multicast" @@ -127,12 +129,17 @@ #define CONFIG_OPT__ENABLE_TCP_OPT_TTCP_DROPS "enable_tcpopt_ttcp_drops" #define CONFIG_OPT__EVENT_FILTER "event_filter" #define CONFIG_OPT__EVENT_QUEUE "event_queue" -#ifdef ENABLE_RESPONSE2 -# define CONFIG_OPT__FLEXRESP2_ATTEMPTS "flexresp2_attempts" +#define CONFIG_OPT__EVENT_TRACE "event_trace" +# define CONFIG_OPT__REACT "react" +#ifdef ENABLE_RESPONSE3 # define CONFIG_OPT__FLEXRESP2_INTERFACE "flexresp2_interface" +# define CONFIG_OPT__FLEXRESP2_ATTEMPTS "flexresp2_attempts" # define CONFIG_OPT__FLEXRESP2_MEMCAP "flexresp2_memcap" # define CONFIG_OPT__FLEXRESP2_ROWS "flexresp2_rows" -#endif /* ENABLE_RESPONSE2 */ +#endif // ENABLE_RESPONSE3 +#ifdef ACTIVE_RESPONSE +# define CONFIG_OPT__RESPONSE "response" +#endif #define CONFIG_OPT__FLOWBITS_SIZE "flowbits_size" #define CONFIG_OPT__IGNORE_PORTS "ignore_ports" #define CONFIG_OPT__ALERT_VLAN "include_vlan_in_alerts" @@ -140,6 +147,11 @@ #define CONFIG_OPT__IPV6_FRAG "ipv6_frag" #define CONFIG_OPT__LAYER2RESETS "layer2resets" #define CONFIG_OPT__LOG_DIR "logdir" +#define CONFIG_OPT__DAQ_TYPE "daq" +#define CONFIG_OPT__DAQ_MODE "daq_mode" +#define CONFIG_OPT__DAQ_VAR "daq_var" +#define CONFIG_OPT__DAQ_DIR "daq_dir" +#define CONFIG_OPT__DIRTY_PIG "dirty_pig" #ifdef TARGET_BASED # define CONFIG_OPT__MAX_ATTRIBUTE_HOSTS "max_attribute_hosts" # define CONFIG_OPT__MAX_METADATA_SERVICES "max_metadata_services" 
@@ -149,11 +161,15 @@ # define CONFIG_OPT__MPLS_PAYLOAD_TYPE "mpls_payload_type" #endif /* MPLS */ #define CONFIG_OPT__MIN_TTL "min_ttl" +#ifdef NORMALIZER +#define CONFIG_OPT__NEW_TTL "new_ttl" +#endif #define CONFIG_OPT__NO_LOG "nolog" #define CONFIG_OPT__NO_PCRE "nopcre" #define CONFIG_OPT__NO_PROMISCUOUS "no_promisc" #define CONFIG_OPT__OBFUSCATE "obfuscate" #define CONFIG_OPT__ORDER "order" +#define CONFIG_OPT__PAF_MAX "paf_max" #define CONFIG_OPT__PCRE_MATCH_LIMIT "pcre_match_limit" #define CONFIG_OPT__PCRE_MATCH_LIMIT_RECURSION "pcre_match_limit_recursion" #define CONFIG_OPT__PKT_COUNT "pkt_count" @@ -177,25 +193,27 @@ #define CONFIG_OPT__SET_GID "set_gid" #define CONFIG_OPT__SET_UID "set_uid" #define CONFIG_OPT__SHOW_YEAR "show_year" +#define CONFIG_OPT__SO_RULE_MEMCAP "so_rule_memcap" #define CONFIG_OPT__STATEFUL "stateful" #define CONFIG_OPT__TAGGED_PACKET_LIMIT "tagged_packet_limit" #define CONFIG_OPT__THRESHOLD "threshold" -#ifdef TIMESTATS -# define CONFIG_OPT__TIMESTATS_INTERVAL "timestats_interval" -#endif /* TIMESTATS */ #define CONFIG_OPT__UMASK "umask" #define CONFIG_OPT__UTC "utc" #define CONFIG_OPT__VERBOSE "verbose" +#define CONFIG_OPT__VLAN_AGNOSTIC "vlan_agnostic" +#define CONFIG_OPT__LOG_IPV6_EXTRA "log_ipv6_extra_data" #ifdef DYNAMIC_PLUGIN -#define CONFIG_OPT__DUMP_DYNAMIC_RULES_PATH "dump-dynamic-rules-path" +#define CONFIG_OPT__DUMP_DYNAMIC_RULES_PATH "dump-dynamic-rules-path" #endif +#define CONFIG_OPT__CONTROL_SOCKET_DIR "cs_dir" - +extern SnortConfig *snort_conf_for_parsing; /* exported values */ extern char *file_name; extern int file_line; + /* rule setup funcs */ SnortConfig * ParseSnortConf(void); void ParseRules(SnortConfig *); 
@@ -212,15 +230,15 @@ void ParserCleanup(void); void FreeRuleLists(SnortConfig *); void VarTablesFree(SnortConfig *); -#ifdef PORTLISTS void PortTablesFree(rule_port_tables_t *); -#endif +int CompareIPNodes(IpAddrNode *, IpAddrNode *); void ResolveOutputPlugins(SnortConfig *, SnortConfig *); void ConfigureOutputPlugins(SnortConfig *); void ConfigurePreprocessors(SnortConfig *, int); NORETURN void ParseError(const char *, ...); +void ParseWarning(const char *, ...); void ParseMessage(const char *, ...); void ConfigAlertBeforePass(SnortConfig *, char *); @@ -263,6 +281,9 @@ void ConfigEnableDecodeDrops(SnortConfig *, char *); void ConfigEnableDecodeOversizedAlerts(SnortConfig *, char *); void ConfigEnableDecodeOversizedDrops(SnortConfig *, char *); +void ConfigEnableDeepTeredoInspection(SnortConfig *sc, char *args); +void ConfigEnableGTPDecoding(SnortConfig *sc, char *args); +void ConfigEnableEspDecoding(SnortConfig *sc, char *args); void ConfigEnableIpOptDrops(SnortConfig *, char *); #ifdef MPLS void ConfigEnableMplsMulticast(SnortConfig *, char *); @@ -274,12 +295,17 @@ void ConfigEnableTTcpDrops(SnortConfig *, char *); void ConfigEventFilter(SnortConfig *, char *); void ConfigEventQueue(SnortConfig *, char *); -#ifdef ENABLE_RESPONSE2 -void ConfigFlexresp2Attempts(SnortConfig *, char *); +void ConfigEventTrace(SnortConfig *, char *); +#ifdef ENABLE_RESPONSE3 void ConfigFlexresp2Interface(SnortConfig *, char *); +void ConfigFlexresp2Attempts(SnortConfig *, char *); void ConfigFlexresp2Memcap(SnortConfig *, char *); void ConfigFlexresp2Rows(SnortConfig *, char *); #endif +#ifdef ACTIVE_RESPONSE +void ConfigResponse(SnortConfig*, char*); +#endif +void ConfigReact(SnortConfig*, char*); void ConfigFlowbitsSize(SnortConfig *, char *); void ConfigIgnorePorts(SnortConfig *, char *); void ConfigIncludeVlanInAlert(SnortConfig *, char *); 
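Review bot: The new `void ParseWarning(const char *, ...);` declaration, like the neighbouring ParseError()/ParseMessage() ones, gives the compiler no way to check that a caller's format string matches its arguments, and the conversions elsewhere in this diff (e.g. `ParseWarning("Ignoring invalid Reference spec '%s'.", args)`) are exactly where such mismatches slip in. If the build is GCC/Clang, or a macro like the existing NORETURN is available for it, annotate the prototype: `void ParseWarning(const char *, ...) __attribute__((format(printf, 1, 2)));`. The same annotation would benefit ParseError() and ParseMessage(), which are context lines here.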
@@ -287,6 +313,11 @@ void ConfigIpv6Frag(SnortConfig *, char *); void ConfigLayer2Resets(SnortConfig *, char *); void ConfigLogDir(SnortConfig *, char *); +void ConfigDaqType(SnortConfig *, char *); +void ConfigDaqMode(SnortConfig *, char *); +void ConfigDaqVar(SnortConfig *, char *); +void ConfigDaqDir(SnortConfig *, char *); +void ConfigDirtyPig(SnortConfig *, char *); #ifdef TARGET_BASED void ConfigMaxAttributeHosts(SnortConfig *, char *); void ConfigMaxMetadataServices(SnortConfig *, char *); @@ -296,12 +327,16 @@ void ConfigMplsPayloadType(SnortConfig *, char *); #endif void ConfigMinTTL(SnortConfig *, char *); +#ifdef NORMALIZER +void ConfigNewTTL(SnortConfig *, char *); +#endif void ConfigNoLog(SnortConfig *, char *); void ConfigNoLoggingTimestamps(SnortConfig *, char *); void ConfigNoPcre(SnortConfig *, char *); void ConfigNoPromiscuous(SnortConfig *, char *); void ConfigObfuscate(SnortConfig *, char *); void ConfigObfuscationMask(SnortConfig *, char *); +void ConfigPafMax(SnortConfig *, char *); void ConfigRateFilter(SnortConfig *, char *); void ConfigRuleListOrder(SnortConfig *, char *); void ConfigPacketCount(SnortConfig *, char *); @@ -328,6 +363,7 @@ void ConfigSetGid(SnortConfig *, char *); void ConfigSetUid(SnortConfig *, char *); void ConfigShowYear(SnortConfig *, char *); +void ConfigSoRuleMemcap(SnortConfig *, char *); void ConfigStateful(SnortConfig *, char *); void ConfigTaggedPacketLimit(SnortConfig *, char *); void ConfigThreshold(SnortConfig *, char *); 
@@ -335,21 +371,25 @@ void ConfigTimestatsInterval(SnortConfig *, char *); #endif void ConfigTreatDropAsAlert(SnortConfig *, char *); +void ConfigTreatDropAsIgnore(SnortConfig *, char *); void ConfigUmask(SnortConfig *, char *); void ConfigUtc(SnortConfig *, char *); void ConfigVerbose(SnortConfig *, char *); +void ConfigVlanAgnostic(SnortConfig *, char *); +void ConfigLogIPv6Extra(SnortConfig *, char *); #ifdef DYNAMIC_PLUGIN void ConfigDumpDynamicRulesPath(SnortConfig *, char *); #endif +void ConfigControlSocketDirectory(SnortConfig *, char *); int addRtnToOtn( - OptTreeNode *otn, + OptTreeNode *otn, tSfPolicyId policyId, RuleTreeNode *rtn ); RuleTreeNode* deleteRtnFromOtn( - OptTreeNode *otn, + OptTreeNode *otn, tSfPolicyId policyId ); @@ -366,7 +406,7 @@ * * @return pointer to deleted RTN, NULL otherwise. */ -static INLINE RuleTreeNode *getRtnFromOtn(OptTreeNode *otn, tSfPolicyId policyId) +static inline RuleTreeNode *getRtnFromOtn(OptTreeNode *otn, tSfPolicyId policyId) { if (otn && otn->proto_nodes && (otn->proto_node_num > (unsigned)policyId)) { @@ -378,12 +418,12 @@ /**Get rtn from otn for the current policy. */ -static INLINE RuleTreeNode *getParserRtnFromOtn(OptTreeNode *otn) +static inline RuleTreeNode *getParserRtnFromOtn(OptTreeNode *otn) { return getRtnFromOtn(otn, getParserPolicy()); } -static INLINE RuleTreeNode *getRuntimeRtnFromOtn(OptTreeNode *otn) +static inline RuleTreeNode *getRuntimeRtnFromOtn(OptTreeNode *otn) { return getRtnFromOtn(otn, getRuntimePolicy()); } diff -Nru snort-2.8.5.2/src/pcap_pkthdr32.h snort-2.9.2/src/pcap_pkthdr32.h --- snort-2.8.5.2/src/pcap_pkthdr32.h 2009-05-06 22:28:17.000000000 +0000 +++ snort-2.9.2/src/pcap_pkthdr32.h 2011-06-08 00:33:06.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2007-2009 Sourcefire, Inc. +** Copyright (C) 2007-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as 
@@ -20,23 +20,8 @@ #ifndef __PCAP_PKTHDR32_H__ #define __PCAP_PKTHDR32_H__ -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - -#ifdef WIN32 -#include -#else -#include -#endif - -#include -#include -#include - #include "sf_types.h" - /* we must use fixed size of 32 bits, because on-disk * format of savefiles uses 32-bit tv_sec (and tv_usec) */ @@ -52,8 +37,8 @@ struct pcap_pkthdr32 { struct sf_timeval32 ts; /* packet timestamp */ - uint32_t caplen; /* packet capture length */ - uint32_t pktlen; /* packet "real" length */ + uint32_t caplen; /* packet capture length */ + uint32_t len; /* packet "real" length */ }; diff -Nru snort-2.8.5.2/src/pcrm.c snort-2.9.2/src/pcrm.c --- snort-2.8.5.2/src/pcrm.c 2009-05-06 22:28:17.000000000 +0000 +++ snort-2.9.2/src/pcrm.c 2011-02-09 23:22:51.000000000 +0000 @@ -3,7 +3,7 @@ ** ** pcrm.c ** -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Marc Norton ** Dan Roelker ** @@ -206,6 +206,8 @@ #include "pcrm.h" #include "util.h" +#include "fpcreate.h" +#include "snort.h" /* ** @@ -1119,11 +1121,8 @@ ** PORT_GROUP ** - the generic PORT_GROUP ptr to set. ** ** FORMAL OUTPUT -** int - 0: No rules -** 1: Use Dst Rules -** 2: Use Src Rules -** 3: Use Both Dst and Src Rules -** 4: Use Generic Rules +** int - 0: Don't evaluate +** 1: There are port groups to evaluate ** ** NOTES ** Currently, if there is a "unique conflict", we return both the src 
@@ -1136,45 +1135,46 @@ ** what to match against. ** */ -int prmFindRuleGroup( PORT_RULE_MAP * p, int dport, int sport, PORT_GROUP ** src, PORT_GROUP **dst , PORT_GROUP ** gen) +int +prmFindRuleGroup( + PORT_RULE_MAP *p, + int dport, + int sport, + PORT_GROUP **src, + PORT_GROUP **dst, + PORT_GROUP **gen + ) { - int stat= 0; - - if (!p) + if ((p == NULL) || (src == NULL) + || (dst == NULL) || (gen == NULL)) + { return 0; + } - if( (dport != ANYPORT && dport < MAX_PORTS) && p->prmDstPort[dport] ) - { - *dst = p->prmDstPort[dport]; - stat = 1; + *src = NULL; + *dst = NULL; + *gen = NULL; - }else{ - - *dst=NULL; - } + if ((dport != ANYPORT) && (dport < MAX_PORTS)) + *dst = p->prmDstPort[dport]; - if( (sport != ANYPORT && sport < MAX_PORTS ) && p->prmSrcPort[sport]) - { - *src = p->prmSrcPort[sport]; - stat |= 2; - - }else{ - *src = NULL; - } + if ((sport != ANYPORT) && (sport < MAX_PORTS)) + *src = p->prmSrcPort[sport]; /* If no Src/Dst rules - use the generic set, if any exist */ - if( !stat && ((p->prmGeneric != NULL) && (p->prmGeneric->pgCount > 0)) ) + if ((p->prmGeneric != NULL) && (p->prmGeneric->pgCount > 0)) { - *gen = p->prmGeneric; - stat = 4; - - }else{ - - *gen = NULL; + if (fpDetectSplitAnyAny(snort_conf->fast_pattern_config) + || ((*src == NULL) && (*dst == NULL))) + { + *gen = p->prmGeneric; + } } - - return stat; + if ((*src == NULL) && (*dst == NULL) && (*gen == NULL)) + return 0; + + return 1; } /* @@ -1241,7 +1241,7 @@ */ int prmSetGroupPatData( PORT_GROUP * pg, void * data ) { - pg->pgPatData = data; + pg->pgPms[PM_TYPE__CONTENT] = data; return 0; } @@ -1250,7 +1250,7 @@ */ void * prmGetGroupPatData( PORT_GROUP * pg ) { - return pg->pgPatData; + return pg->pgPms[PM_TYPE__CONTENT]; } /* diff -Nru snort-2.8.5.2/src/pcrm.h snort-2.9.2/src/pcrm.h --- snort-2.8.5.2/src/pcrm.h 2009-05-06 22:28:18.000000000 +0000 +++ snort-2.9.2/src/pcrm.h 2011-02-09 23:22:51.000000000 +0000 
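Review bot: The port bounds check in the rewritten prmFindRuleGroup is one-sided: `dport` and `sport` are `int`, and `(dport != ANYPORT) && (dport < MAX_PORTS)` still admits any negative value other than ANYPORT as an index into `p->prmDstPort` (same for `sport` and `p->prmSrcPort`). Callers presumably pass a port in range or ANYPORT, but now that the function validates its pointer arguments it should validate the ports the same way: `if ((dport != ANYPORT) && (dport >= 0) && (dport < MAX_PORTS))` and the matching form for `sport`. The new `fpDetectSplitAnyAny(snort_conf->fast_pattern_config)` call also makes the function depend on the global `snort_conf` being non-NULL, which the old version did not; a `(snort_conf != NULL) &&` guard in that condition, or passing the config in, would make that dependency explicit.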
@@ -3,7 +3,7 @@ ** ** pcrm.h ** -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Marc Norton ** Dan Roelker ** @@ -51,6 +51,17 @@ #define PRM_GET_FIRST_GROUP_NODE_NC(pg) (pg->pgHeadNC) #define PRM_GET_NEXT_GROUP_NODE_NC(rn) (rn->rnNext) +typedef enum _PmType +{ + PM_TYPE__CONTENT = 0, + PM_TYPE__HTTP_URI_CONTENT, + PM_TYPE__HTTP_HEADER_CONTENT, + PM_TYPE__HTTP_CLIENT_BODY_CONTENT, + PM_TYPE__HTTP_METHOD_CONTENT, + PM_TYPE__MAX + +} PmType; + typedef struct _not_rule_node_ { struct _not_rule_node_ * next; @@ -66,12 +77,10 @@ struct _rule_node_ * rnNext; RULE_PTR rnRuleData; - int iRuleNodeID; }RULE_NODE; - typedef struct { /* Content List */ @@ -86,10 +95,11 @@ RULE_NODE *pgUriHead, *pgUriTail, *pgUriCur; int pgUriContentCount; - /* Setwise Pattern Matching data structures */ - void * pgPatData; - void * pgPatDataUri; - void * pgNonContentTree; + /* Pattern Matching data structures (MPSE) */ + void *pgPms[PM_TYPE__MAX]; + + /* detection option tree */ + void *pgNonContentTree; int avgLen; int minLen; @@ -97,11 +107,6 @@ int c1,c2,c3,c4,c5; /* - ** Bit operation for validating matches - */ - BITOP boRuleNodeID; - - /* * Not rule list for this group */ NOT_RULE_NODE *pgNotRuleList; @@ -148,8 +153,8 @@ } BYTE_RULE_MAP ; -PORT_RULE_MAP * prmNewMap( ); -BYTE_RULE_MAP * prmNewByteMap( ); +PORT_RULE_MAP * prmNewMap(void); +BYTE_RULE_MAP * prmNewByteMap(void); void prmFreeMap( PORT_RULE_MAP * p ); void prmFreeByteMap( BYTE_RULE_MAP * p ); diff -Nru snort-2.8.5.2/src/plugbase.c snort-2.9.2/src/plugbase.c --- snort-2.8.5.2/src/plugbase.c 2009-08-10 20:41:41.000000000 +0000 +++ snort-2.9.2/src/plugbase.c 2011-10-26 18:28:52.000000000 +0000 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify 
@@ -45,7 +45,7 @@ #include "plugbase.h" #include "spo_plugbase.h" #include "snort.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "log.h" #include "detect.h" @@ -59,6 +59,7 @@ #include "preprocessors/spp_httpinspect.h" #include "preprocessors/spp_sfportscan.h" #include "preprocessors/spp_frag3.h" +#include "preprocessors/spp_normalize.h" /* built-in detection plugins */ #include "detection-plugins/sp_pattern_match.h" @@ -84,9 +85,14 @@ #include "detection-plugins/sp_clientserver.h" #include "detection-plugins/sp_byte_check.h" #include "detection-plugins/sp_byte_jump.h" +#include "detection-plugins/sp_byte_extract.h" #include "detection-plugins/sp_isdataat.h" #include "detection-plugins/sp_pcre.h" #include "detection-plugins/sp_flowbits.h" +#include "detection-plugins/sp_file_data.h" +#include "detection-plugins/sp_base64_decode.h" +#include "detection-plugins/sp_base64_data.h" +#include "detection-plugins/sp_pkt_data.h" #include "detection-plugins/sp_asn1.h" #ifdef ENABLE_REACT #include "detection-plugins/sp_react.h" @@ -126,13 +132,12 @@ #include "output-plugins/spo_alert_test.h" extern ListHead *head_tmp; -extern SnortConfig *snort_conf_for_parsing; extern PreprocConfigFuncNode *preproc_config_funcs; extern OutputConfigFuncNode *output_config_funcs; extern RuleOptConfigFuncNode *rule_opt_config_funcs; extern RuleOptOverrideInitFuncNode *rule_opt_override_init_funcs; extern RuleOptParseCleanupNode *rule_opt_parse_cleanup_list; -extern PreprocSignalFuncNode *preproc_restart_funcs; +extern RuleOptByteOrderFuncNode *rule_opt_byte_order_funcs; extern PreprocSignalFuncNode *preproc_clean_exit_funcs; extern PreprocSignalFuncNode *preproc_shutdown_funcs; extern PreprocSignalFuncNode *preproc_reset_funcs; 
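Review bot: The `extern SnortConfig *snort_conf_for_parsing;` declaration is removed in the extern block while the symbol is still read by code in this file — the new AddFuncToDetectionList and AddFuncToPreprocMetaEvalList later in the diff, and the retained AddFuncToPreprocPostConfigList and AddFuncToConfigCheckList. Presumably the declaration now comes from snort.h, which this file includes, but that header is not part of the diff, so it is worth confirming before merge rather than relying on an implicit declaration path. Removing `preproc_restart_funcs` is consistent with the deletion of AddFuncToPreprocRestartList further down.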
@@ -143,11 +148,11 @@ extern PluginSignalFuncNode *plugin_restart_funcs; extern OutputFuncNode *AlertList; extern OutputFuncNode *LogList; - +extern PeriodicCheckFuncNode *periodic_check_funcs; /**************************** Detection Plugin API ****************************/ /* For translation from enum to char* */ -#ifdef DEBUG +#ifdef DEBUG_MSGS static const char *optTypeMap[OPT_TYPE_MAX] = { "action", @@ -158,7 +163,7 @@ #define ENUM2STR(num, map) \ ((num < sizeof(map)/sizeof(map[0])) ? map[num] : "undefined") #endif - + void RegisterRuleOptions(void) { @@ -185,9 +190,14 @@ SetupIpProto(); SetupIpSameCheck(); SetupClientServer(); + SetupPktData(); SetupByteTest(); SetupByteJump(); + SetupByteExtract(); SetupIsDataAt(); + SetupFileData(); + SetupBase64Decode(); + SetupBase64Data(); SetupPcre(); SetupFlowBits(); SetupAsn1(); @@ -217,14 +227,15 @@ * Returns: void function * ***************************************************************************/ -void RegisterRuleOption(char *opt_name, RuleOptConfigFunc config_func, +void RegisterRuleOption(char *opt_name, RuleOptConfigFunc ro_config_func, RuleOptOverrideInitFunc override_init_func, - RuleOptType opt_type) + RuleOptType opt_type, + RuleOptOtnHandler otn_handler) { RuleOptConfigFuncNode *node; DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Registering keyword:func => %s/%s:%p\n", - ENUM2STR(opt_type, optTypeMap), opt_name, config_func);); + ENUM2STR(opt_type, optTypeMap), opt_name, ro_config_func);); node = (RuleOptConfigFuncNode *)SnortAlloc(sizeof(RuleOptConfigFuncNode)); @@ -242,8 +253,8 @@ if (strcasecmp(tmp->keyword, opt_name) == 0) { free(node); - FatalError("Duplicate detection plugin keyword: %s.\n", - file_line, opt_name); + FatalError("%s(%d) Duplicate detection plugin keyword: %s.\n", + file_name, file_line, opt_name); } last = tmp; 
@@ -256,7 +267,8 @@ node->keyword = SnortStrdup(opt_name); node->type = opt_type; - node->func = config_func; + node->func = ro_config_func; + node->otn_handler = otn_handler; if (override_init_func != NULL) { @@ -285,17 +297,18 @@ tmp = tmp->next; } while (tmp != NULL); - + last->next = node_override; } node_override->keyword = SnortStrdup(opt_name); node_override->type = opt_type; node_override->func = override_init_func; + node_override->otn_handler = otn_handler; } } -void RegisterOverrideKeyword(char *keyword, char *option, RuleOptOverrideFunc func) +void RegisterOverrideKeyword(char *keyword, char *option, RuleOptOverrideFunc roo_func) { RuleOptOverrideInitFuncNode *node = rule_opt_override_init_funcs; @@ -303,7 +316,7 @@ { if (strcasecmp(node->keyword, keyword) == 0) { - node->func(keyword, option, func); + node->func(keyword, option, roo_func); break; } @@ -311,6 +324,52 @@ } } +void RegisterByteOrderKeyword(char *keyword, RuleOptByteOrderFunc roo_func) +{ + RuleOptByteOrderFuncNode *node = (RuleOptByteOrderFuncNode *)SnortAlloc(sizeof(RuleOptByteOrderFuncNode)); + RuleOptByteOrderFuncNode *list = rule_opt_byte_order_funcs; + RuleOptByteOrderFuncNode *last; + + node->keyword = SnortStrdup(keyword); + node->func = roo_func; + node->next = NULL; + + if (list == NULL) + rule_opt_byte_order_funcs = node; + else + { + while (list != NULL) + { + if (strcasecmp(node->keyword, list->keyword) == 0) + { + free(node->keyword); + free(node); + return; + } + + last = list; + list = list->next; + } + + last->next = node; + } +} + +RuleOptByteOrderFunc GetByteOrderFunc(char *keyword) +{ + RuleOptByteOrderFuncNode *node = rule_opt_byte_order_funcs; + + while (node != NULL) + { + if (strcasecmp(keyword, node->keyword) == 0) + return node->func; + + node = node->next; + } + + return NULL; +} + /**************************************************************************** * * Function: DumpPlugIns() 
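Review bot: RegisterByteOrderKeyword silently discards a second registration for an existing keyword (it frees the new node and returns), whereas RegisterRuleOption in this same file treats a duplicate keyword as a fatal configuration error. A plugin that registers a different byte-order function under an already used keyword therefore runs with the first one and is never told. If first-registration-wins is intended, say so in a comment on the early return; otherwise report it, e.g. `WarningMessage("Duplicate byte order keyword: %s, keeping first registration.\n", keyword);` before the `return`. Allocating the node before walking the list also means every duplicate does a SnortAlloc/SnortStrdup/free round trip; scanning first and allocating only for a new keyword avoids that.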
@@ -334,7 +393,7 @@ while (node != NULL) { - LogMessage("%-13s: %p\n", node->keyword, node->func); + LogMessage("%-13s: %p\n", node->keyword, (void *)node->vfunc); node = node->next; } @@ -344,7 +403,7 @@ /**************************************************************************** - * + * * Function: AddOptFuncToList(int (*func)(), OptTreeNode *) * * Purpose: Links the option detection module to the OTN @@ -355,7 +414,7 @@ * Returns: void function * ***************************************************************************/ -OptFpList * AddOptFuncToList(RuleOptEvalFunc func, OptTreeNode *otn) +OptFpList * AddOptFuncToList(RuleOptEvalFunc ro_eval_func, OptTreeNode *otn) { OptFpList *ofp = (OptFpList *)SnortAlloc(sizeof(OptFpList)); @@ -377,9 +436,9 @@ tmp->next = ofp; } - DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Set OptTestFunc to %p\n", func);); + DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Set OptTestFunc to %p\n", ro_eval_func);); - ofp->OptTestFunc = func; + ofp->OptTestFunc = ro_eval_func; return ofp; } @@ -396,7 +455,9 @@ * Returns: void function * ***************************************************************************/ -void AddRspFuncToList(ResponseFunc func, OptTreeNode *otn, void *params) +// TBD this can prolly be replaced with a single item +// because we allow at most one response per packet +void AddRspFuncToList(ResponseFunc resp_func, OptTreeNode *otn, void *params) { RspFpList *rsp = (RspFpList *)SnortAlloc(sizeof(RspFpList)); @@ -418,9 +479,9 @@ tmp->next = rsp; } - DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Set ResponseFunc to %p\n", func);); + DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Set ResponseFunc to %p\n", resp_func);); - rsp->func = func; + rsp->func = resp_func; rsp->params = params; } 
@@ -465,6 +526,21 @@ } } +void FreeRuleOptByteOrderFuncs(RuleOptByteOrderFuncNode *head) +{ + while (head != NULL) + { + RuleOptByteOrderFuncNode *tmp = head; + + head = head->next; + + if (tmp->keyword != NULL) + free(tmp->keyword); + + free(tmp); + } +} + void FreePluginSigFuncs(PluginSignalFuncNode *head) { while (head != NULL) 
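Review bot: The `if (tmp->keyword != NULL)` guard around `free(tmp->keyword)` in FreeRuleOptByteOrderFuncs is redundant, since `free(NULL)` is a no-op; `free(tmp->keyword); free(tmp);` reads the same as the loop in the neighbouring FreePluginSigFuncs. A one-line header comment would also help, because this routine owns a SnortStrdup'ed string per node while the function pointers stay with the plugin: `/* Release every node and its SnortStrdup'ed keyword; the registered function pointers are not owned by the list. */`.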
@@ -478,6 +554,99 @@ } } +/************************** Non Rule Detection Plugin API *********************/ +DetectionEvalFuncNode * AddFuncToDetectionList(DetectionEvalFunc detect_eval_func, + uint16_t priority, uint32_t detect_id, + uint32_t proto_mask) +{ + DetectionEvalFuncNode *node; + SnortConfig *sc = snort_conf_for_parsing; + tSfPolicyId policy_id = getParserPolicy(); + SnortPolicy *p; + + if (sc == NULL) + { + FatalError("%s(%d) Snort config for parsing is NULL.\n", + __FILE__, __LINE__); + } + + p = sc->targeted_policies[policy_id]; + if (p == NULL) + return NULL; + + DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES, + "Adding detection function ID %d/bit %d/pri %d to list\n", + detect_id, p->num_detects, priority);); + + node = (DetectionEvalFuncNode *)SnortAlloc(sizeof(DetectionEvalFuncNode)); + + if (p->detect_eval_funcs == NULL) + { + p->detect_eval_funcs = node; + } + else + { + DetectionEvalFuncNode *tmp = p->detect_eval_funcs; + DetectionEvalFuncNode *last = NULL; + + do + { + if (tmp->detect_id == detect_id) + { + free(node); + FatalError("Detection function already registered with ID %d\n", + detect_id); + } + + /* Insert higher priority preprocessors first. 
Lower priority + * number means higher priority */ + if (priority < tmp->priority) + break; + + last = tmp; + tmp = tmp->next; + + } while (tmp != NULL); + + /* Priority higher than first item in list */ + if (last == NULL) + { + node->next = tmp; + p->detect_eval_funcs = node; + } + else + { + node->next = tmp; + last->next = node; + } + } + + node->func = detect_eval_func; + node->priority = priority; + node->detect_id = detect_id; + //node->detect_bit = (1 << detect_id); + node->proto_mask = proto_mask; + + p->num_detects++; + p->detect_proto_mask |= proto_mask; + //p->detect_bit_mask |= node->detect_bit; + + return node; +} + +void FreeDetectionEvalFuncs(DetectionEvalFuncNode *head) +{ + DetectionEvalFuncNode *tmp; + + while (head != NULL) + { + tmp = head->next; + //if (head->context) + // free(head->context); + free(head); + head = tmp; + } +} /************************** Preprocessor Plugin API ***************************/ static void AddFuncToPreprocSignalList(PreprocSignalFunc, void *, @@ -489,6 +658,9 @@ LogMessage("Initializing Preprocessors!\n"); SetupARPspoof(); +#ifdef NORMALIZER + SetupNormalizer(); +#endif SetupFrag3(); SetupStream5(); SetupRpcDecode(); @@ -512,9 +684,9 @@ * ***************************************************************************/ #ifndef SNORT_RELOAD -void RegisterPreprocessor(char *keyword, PreprocConfigFunc func) +void RegisterPreprocessor(const char *keyword, PreprocConfigFunc pp_config_func) #else -void RegisterPreprocessor(char *keyword, PreprocConfigFunc func, +void RegisterPreprocessor(const char *keyword, PreprocConfigFunc pp_config_func, PreprocReloadFunc rfunc, PreprocReloadSwapFunc sfunc, PreprocReloadSwapFreeFunc ffunc) #endif 
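Review bot: The duplicate-ID check in AddFuncToDetectionList only covers the nodes visited before the priority break: once `priority < tmp->priority` holds the loop exits, so an already registered `detect_id` further down the list (one with a larger priority number) is not detected and two nodes end up carrying the same ID. The same pattern is in AddFuncToPreprocMetaEvalList, in the hunk ending at that function's `return node;`. A separate full walk before the insertion fixes it in both places; the detection-list version is below, and the `detect_id` test inside the sorted-insert loop can then go. While there, `detect_id` is `uint32_t` but is printed with `%d` in both the DebugMessage and the FatalError; `%u` is the matching specifier.
```c
    p = sc->targeted_policies[policy_id];
    if (p == NULL)
        return NULL;

    /* Reject a duplicate ID anywhere in the list. The sorted insert below
     * stops walking at the insertion point, so it cannot do this check. */
    {
        DetectionEvalFuncNode *it;

        for (it = p->detect_eval_funcs; it != NULL; it = it->next)
        {
            if (it->detect_id == detect_id)
            {
                FatalError("Detection function already registered with ID %u\n",
                           detect_id);
            }
        }
    }

    /* … unchanged: DEBUG_WRAP, SnortAlloc, sorted insert (minus its detect_id test), field assignments … */
```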
@@ -522,7 +694,7 @@ PreprocConfigFuncNode *node = (PreprocConfigFuncNode *)SnortAlloc(sizeof(PreprocConfigFuncNode)); - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Registering keyword:preproc => %s:%p\n", keyword, func);); + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Registering keyword:preproc => %s:%p\n", keyword, pp_config_func);); if (preproc_config_funcs == NULL) { @@ -550,7 +722,7 @@ } node->keyword = SnortStrdup(keyword); - node->config_func = func; + node->config_func = pp_config_func; #ifdef SNORT_RELOAD node->reload_func = rfunc; @@ -587,7 +759,7 @@ while (head != NULL) { if (strcasecmp(head->keyword, keyword) == 0) - return head->config_func; + return head->config_func; head = head->next; } @@ -608,12 +780,12 @@ * Returns: void function * ***************************************************************************/ -void RegisterPreprocStats(char *keyword, PreprocStatsFunc func) +void RegisterPreprocStats(const char *keyword, PreprocStatsFunc pp_stats_func) { PreprocStatsFuncNode *node; DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Registering final stats function: " - "preproc => %s:%p\n", keyword, func);); + "preproc => %s:%p\n", keyword, pp_stats_func);); node = (PreprocStatsFuncNode *)SnortAlloc(sizeof(PreprocStatsFuncNode)); @@ -643,7 +815,7 @@ } node->keyword = SnortStrdup(keyword); - node->func = func; + node->func = pp_stats_func; } /**************************************************************************** @@ -667,7 +839,7 @@ while (node != NULL) { - LogMessage("%-13s: %p\n", node->keyword, node->config_func); + LogMessage("%-13s: %p\n", node->keyword, node->config_vfunc); node = node->next; } @@ -700,7 +872,7 @@ return 0; } -PreprocEvalFuncNode * AddFuncToPreprocList(PreprocEvalFunc func, uint16_t priority, +PreprocEvalFuncNode * AddFuncToPreprocList(PreprocEvalFunc pp_eval_func, uint16_t priority, uint32_t preproc_id, uint32_t proto_mask) { PreprocEvalFuncNode *node; 
@@ -765,7 +937,7 @@ } } - node->func = func; + node->func = pp_eval_func; node->priority = priority; node->preproc_id = preproc_id; node->preproc_bit = (1 << preproc_id); 
@@ -773,11 +945,96 @@ p->num_preprocs++; p->preproc_proto_mask |= proto_mask; + p->preproc_bit_mask |= node->preproc_bit; + + return node; +} + +PreprocMetaEvalFuncNode * AddFuncToPreprocMetaEvalList( + PreprocMetaEvalFunc pp_meta_eval_func, + uint16_t priority, + uint32_t preproc_id) +{ + PreprocMetaEvalFuncNode *node; + SnortConfig *sc = snort_conf_for_parsing; + tSfPolicyId policy_id = getParserPolicy(); + SnortPolicy *p; + + if (sc == NULL) + { + FatalError("%s(%d) Snort config for parsing is NULL.\n", + __FILE__, __LINE__); + } + +#ifndef HAVE_DAQ_ACQUIRE_WITH_META + WarningMessage("Metadata not available for processing. Not registering Preprocessor Meta Eval id %d\n", preproc_id); + return NULL; // Not supported +#endif + + p = sc->targeted_policies[policy_id]; + if (p == NULL) + return NULL; + + DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES, + "Adding preprocessor function ID %d/bit %d/pri %d to list\n", + preproc_id, p->num_preprocs, priority);); + + node = (PreprocMetaEvalFuncNode *)SnortAlloc(sizeof(PreprocMetaEvalFuncNode)); + + if (p->preproc_meta_eval_funcs == NULL) + { + p->preproc_meta_eval_funcs = node; + SetupMetadataCallback(); + } + else + { + PreprocMetaEvalFuncNode *tmp = p->preproc_meta_eval_funcs; + PreprocMetaEvalFuncNode *last = NULL; + + do + { + if (tmp->preproc_id == preproc_id) + { + free(node); + FatalError("Preprocessor Meta Eval already registered with ID %d\n", + preproc_id); + } + + /* Insert higher priority preprocessors first. 
Lower priority + * number means higher priority */ + if (priority < tmp->priority) + break; + + last = tmp; + tmp = tmp->next; + + } while (tmp != NULL); + + /* Priority higher than first item in list */ + if (last == NULL) + { + node->next = tmp; + p->preproc_meta_eval_funcs = node; + } + else + { + node->next = tmp; + last->next = node; + } + } + + node->func = pp_meta_eval_func; + node->priority = priority; + node->preproc_id = preproc_id; + node->preproc_bit = (1 << preproc_id); + + p->num_meta_preprocs++; + p->preproc_meta_bit_mask |= node->preproc_bit; return node; } -void AddFuncToPreprocPostConfigList(PreprocPostConfigFunc func, void *data) +void AddFuncToPreprocPostConfigList(PreprocPostConfigFunc pp_post_config_func, void *data) { PreprocPostConfigFuncNode *node; SnortConfig *sc = snort_conf_for_parsing; @@ -805,7 +1062,7 @@ } node->data = data; - node->func = func; + node->func = pp_post_config_func; } void PostConfigPreprocessors(SnortConfig *sc) @@ -858,7 +1115,7 @@ } } -void AddFuncToPreprocReloadVerifyList(PreprocReloadVerifyFunc func) +void AddFuncToPreprocReloadVerifyList(PreprocReloadVerifyFunc pp_reload_func) { PreprocReloadVerifyFuncNode *node; SnortConfig *sc = snort_conf_for_parsing; @@ -885,7 +1142,7 @@ tmp->next = node; } - node->func = func; + node->func = pp_reload_func; } void FreePreprocReloadVerifyFuncList(PreprocReloadVerifyFuncNode *head) @@ -900,7 +1157,7 @@ } #endif -void AddFuncToConfigCheckList(PreprocCheckConfigFunc func) +void AddFuncToConfigCheckList(PreprocCheckConfigFunc pp_chk_config_func) { PreprocCheckConfigFuncNode *node; SnortConfig *sc = snort_conf_for_parsing; 
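Review bot: `node->preproc_bit = (1 << preproc_id);` in AddFuncToPreprocMetaEvalList shifts a signed `int` by a `uint32_t`: for `preproc_id == 31` the result is not representable in `int`, and for `preproc_id >= 32` the shift exceeds the type width — both undefined behaviour — and the value is then OR'ed into `p->preproc_meta_bit_mask`. Since `preproc_bit` is declared `uint32_t`, use an unsigned shift and bound the ID: `if (preproc_id >= 32) FatalError("Preprocessor Meta Eval ID %u out of range\n", preproc_id);` followed by `node->preproc_bit = (1u << preproc_id);`. The same `(1 << preproc_id)` appears as an unchanged context line in AddFuncToPreprocList earlier in the diff, so the fix belongs in both. The `WarningMessage` under `#ifndef HAVE_DAQ_ACQUIRE_WITH_META` also prints the `uint32_t` id with `%d`; `%u` is the matching specifier.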
@@ -927,41 +1184,35 @@ tmp->next = node; } - node->func = func; + node->func = pp_chk_config_func; } /* functions to aid in cleaning up after plugins */ -void AddFuncToPreprocRestartList(PreprocSignalFunc func, void *arg, - uint16_t priority, uint32_t preproc_id) -{ - AddFuncToPreprocSignalList(func, arg, &preproc_restart_funcs, priority, preproc_id); -} - -void AddFuncToPreprocCleanExitList(PreprocSignalFunc func, void *arg, +void AddFuncToPreprocCleanExitList(PreprocSignalFunc pp_sig_func, void *arg, uint16_t priority, uint32_t preproc_id) { - AddFuncToPreprocSignalList(func, arg, &preproc_clean_exit_funcs, priority, preproc_id); + AddFuncToPreprocSignalList(pp_sig_func, arg, &preproc_clean_exit_funcs, priority, preproc_id); } -void AddFuncToPreprocShutdownList(PreprocSignalFunc func, void *arg, +void AddFuncToPreprocShutdownList(PreprocSignalFunc pp_shutdown_func, void *arg, uint16_t priority, uint32_t preproc_id) { - AddFuncToPreprocSignalList(func, arg, &preproc_shutdown_funcs, priority, preproc_id); + AddFuncToPreprocSignalList(pp_shutdown_func, arg, &preproc_shutdown_funcs, priority, preproc_id); } -void AddFuncToPreprocResetList(PreprocSignalFunc func, void *arg, +void AddFuncToPreprocResetList(PreprocSignalFunc pp_sig_func, void *arg, uint16_t priority, uint32_t preproc_id) { - AddFuncToPreprocSignalList(func, arg, &preproc_reset_funcs, priority, preproc_id); + AddFuncToPreprocSignalList(pp_sig_func, arg, &preproc_reset_funcs, priority, preproc_id); } -void AddFuncToPreprocResetStatsList(PreprocSignalFunc func, void *arg, +void AddFuncToPreprocResetStatsList(PreprocSignalFunc pp_sig_func, void *arg, uint16_t priority, uint32_t preproc_id) { - AddFuncToPreprocSignalList(func, arg, &preproc_reset_stats_funcs, priority, preproc_id); + AddFuncToPreprocSignalList(pp_sig_func, arg, &preproc_reset_stats_funcs, priority, preproc_id); } -static void AddFuncToPreprocSignalList(PreprocSignalFunc func, void *arg, +static void 
AddFuncToPreprocSignalList(PreprocSignalFunc pp_sig_func, void *arg, PreprocSignalFuncNode **list, uint16_t priority, uint32_t preproc_id) { 
@@ -1006,46 +1257,63 @@ } } - node->func = func; + node->func = pp_sig_func; node->arg = arg; node->preproc_id = preproc_id; node->priority = priority; } -void AddFuncToPreprocReassemblyPktList(PreprocReassemblyPktFunc func, uint32_t preproc_id) +void AddFuncToPeriodicCheckList(PeriodicFunc periodic_func, void *arg, + uint16_t priority, uint32_t preproc_id, uint32_t period ) { - PreprocReassemblyPktFuncNode *node; - SnortConfig *sc = snort_conf_for_parsing; - tSfPolicyId policy_id = getParserPolicy(); - SnortPolicy *p; - - if (sc == NULL) - { - FatalError("%s(%d) Snort config for parsing is NULL.\n", - __FILE__, __LINE__); - } + PeriodicCheckFuncNode **list= &periodic_check_funcs; + PeriodicCheckFuncNode *node; - p = sc->targeted_policies[policy_id]; - if (p == NULL) + if (list == NULL) return; - node = (PreprocReassemblyPktFuncNode *)SnortAlloc(sizeof(PreprocReassemblyPktFuncNode)); + node = (PeriodicCheckFuncNode *)SnortAlloc(sizeof(PeriodicCheckFuncNode)); - if (p->preproc_reassembly_pkt_funcs == NULL) + if (*list == NULL) { - p->preproc_reassembly_pkt_funcs = node; + *list = node; } else { - PreprocReassemblyPktFuncNode *tmp = p->preproc_reassembly_pkt_funcs; + PeriodicCheckFuncNode *tmp = *list; + PeriodicCheckFuncNode *last = NULL; - /* just insert at front of list */ - p->preproc_reassembly_pkt_funcs = node; - node->next = tmp; + do + { + /* Insert higher priority stuff first. Lower priority + * number means higher priority */ + if (priority < tmp->priority) + break; + + last = tmp; + tmp = tmp->next; + + } while (tmp != NULL); + + /* Priority higher than first item in list */ + if (last == NULL) + { + node->next = tmp; + *list = node; + } + else + { + node->next = tmp; + last->next = node; + } } - node->func = func; + node->func = periodic_func; + node->arg = arg; node->preproc_id = preproc_id; + node->priority = priority; + node->period = period; + node->time_left = period; } void FreePreprocConfigFuncs(void) 
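Review bot: `if (list == NULL) return;` in AddFuncToPeriodicCheckList can never fire: `list` is initialised to `&periodic_check_funcs`, the address of a file-scope variable, so the check looks like a leftover from the policy-lookup code this function replaced and reads as if the list head were optional. Drop it, or replace it with a check that is meaningful here, e.g. `if (period == 0) return;` if a zero period is not a valid schedule — the page does not show how `time_left` is consumed, so confirm that against the code that runs these nodes. Unlike the other registration lists in this file, no duplicate `preproc_id` check is made; if several periodic callbacks per preprocessor are intended, a one-line comment saying so would spare the next reader the question.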
@@ -1115,13 +1383,15 @@ } } -void FreePreprocReassemblyPktFuncs(PreprocReassemblyPktFuncNode *head) +void FreePreprocMetaEvalFuncs(PreprocMetaEvalFuncNode *head) { - PreprocReassemblyPktFuncNode *tmp; + PreprocMetaEvalFuncNode *tmp; while (head != NULL) { tmp = head->next; + //if (head->context) + // free(head->context); free(head); head = tmp; } @@ -1140,6 +1410,19 @@ } } +void FreePeriodicFuncs(PeriodicCheckFuncNode *head) +{ + PeriodicCheckFuncNode *tmp; + + while (head != NULL) + { + tmp = head->next; + /* don't free sig->arg, that's free'd by the CleanExit/Restart func */ + free(head); + head = tmp; + } +} + void CheckPreprocessorsConfig(SnortConfig *sc) { PreprocCheckConfigFuncNode *idx; @@ -1251,12 +1534,12 @@ * Returns: void function * ***************************************************************************/ -void RegisterOutputPlugin(char *keyword, int type_flags, OutputConfigFunc func) +void RegisterOutputPlugin(char *keyword, int type_flags, OutputConfigFunc oc_func) { OutputConfigFuncNode *node = (OutputConfigFuncNode *)SnortAlloc(sizeof(OutputConfigFuncNode)); - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Registering keyword:output => %s:%p\n", - keyword, func);); + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Registering keyword:output => %s:%p\n", + keyword, oc_func);); if (output_config_funcs == NULL) { @@ -1284,7 +1567,7 @@ } node->keyword = SnortStrdup(keyword); - node->func = func; + node->config_func = oc_func; node->output_type_flags = type_flags; } @@ -1298,7 +1581,7 @@ while (head != NULL) { if (strcasecmp(head->keyword, keyword) == 0) - return head->func; + return head->config_func; head = head->next; } 
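Review bot: The commented-out `//if (head->context) // free(head->context);` added to FreePreprocMetaEvalFuncs refers to a `context` member that PreprocMetaEvalFuncNode, as declared later in this diff, does not have (it holds priority, preproc_id, preproc_bit, the fptr union and next). Commented-out code carried over from another free routine should be removed rather than left to suggest an ownership the struct does not express.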
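Review bot: The comment in FreePeriodicFuncs, `/* don't free sig->arg, that's free'd by the CleanExit/Restart func */`, names a `sig` variable that does not exist in this function; the field is `head->arg`. Suggested wording: `/* head->arg is not owned here; it is released by the CleanExit/Restart func of the registering preprocessor */`.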
@@ -1370,29 +1653,29 @@ LogMessage("-------------------------------------------------\n"); while(idx != NULL) { - LogMessage("%-13s: %p\n", idx->keyword, idx->func); + LogMessage("%-13s: %p\n", idx->keyword, idx->config_vfunc); idx = idx->next; } LogMessage("-------------------------------------------------\n\n"); } -void AddFuncToOutputList(OutputFunc func, OutputType type, void *arg) +void AddFuncToOutputList(OutputFunc o_func, OutputType type, void *arg) { switch (type) { case OUTPUT_TYPE__ALERT: if (head_tmp != NULL) - AppendOutputFuncList(func, arg, &head_tmp->AlertList); + AppendOutputFuncList(o_func, arg, &head_tmp->AlertList); else - AppendOutputFuncList(func, arg, &AlertList); + AppendOutputFuncList(o_func, arg, &AlertList); break; case OUTPUT_TYPE__LOG: if (head_tmp != NULL) - AppendOutputFuncList(func, arg, &head_tmp->LogList); + AppendOutputFuncList(o_func, arg, &head_tmp->LogList); else - AppendOutputFuncList(func, arg, &LogList); + AppendOutputFuncList(o_func, arg, &LogList); break; @@ -1403,7 +1686,7 @@ } } -void AppendOutputFuncList(OutputFunc func, void *arg, OutputFuncNode **list) +void AppendOutputFuncList(OutputFunc o_func, void *arg, OutputFuncNode **list) { OutputFuncNode *node; @@ -1426,7 +1709,7 @@ tmp->next = node; } - node->func = func; + node->func = o_func; node->arg = arg; } 
@@ -1435,22 +1718,22 @@ /* functions to aid in cleaning up after plugins * Used for both rule options and output. Preprocessors have their own */ -void AddFuncToRestartList(PluginSignalFunc func, void *arg) +void AddFuncToRestartList(PluginSignalFunc pl_sig_func, void *arg) { - AddFuncToSignalList(func, arg, &plugin_restart_funcs); + AddFuncToSignalList(pl_sig_func, arg, &plugin_restart_funcs); } -void AddFuncToCleanExitList(PluginSignalFunc func, void *arg) +void AddFuncToCleanExitList(PluginSignalFunc pl_sig_func, void *arg) { - AddFuncToSignalList(func, arg, &plugin_clean_exit_funcs); + AddFuncToSignalList(pl_sig_func, arg, &plugin_clean_exit_funcs); } -void AddFuncToShutdownList(PluginSignalFunc func, void *arg) +void AddFuncToShutdownList(PluginSignalFunc pl_sig_func, void *arg) { - AddFuncToSignalList(func, arg, &plugin_shutdown_funcs); + AddFuncToSignalList(pl_sig_func, arg, &plugin_shutdown_funcs); } -void AddFuncToPostConfigList(PluginSignalFunc func, void *arg) +void AddFuncToPostConfigList(PluginSignalFunc pl_sig_func, void *arg) { SnortConfig *sc = snort_conf_for_parsing; @@ -1460,10 +1743,10 @@ __FILE__, __LINE__); } - AddFuncToSignalList(func, arg, &sc->plugin_post_config_funcs); + AddFuncToSignalList(pl_sig_func, arg, &sc->plugin_post_config_funcs); } -void AddFuncToSignalList(PluginSignalFunc func, void *arg, PluginSignalFuncNode **list) +void AddFuncToSignalList(PluginSignalFunc pl_sig_func, void *arg, PluginSignalFuncNode **list) { PluginSignalFuncNode *node; @@ -1486,11 +1769,11 @@ tmp->next = node; } - node->func = func; + node->func = pl_sig_func; node->arg = arg; } -void AddFuncToRuleOptParseCleanupList(RuleOptParseCleanupFunc func) +void AddFuncToRuleOptParseCleanupList(RuleOptParseCleanupFunc ro_parse_clean_func) { RuleOptParseCleanupNode *node = (RuleOptParseCleanupNode *)SnortAlloc(sizeof(RuleOptParseCleanupNode)); 
@@ -1509,7 +1792,7 @@ tmp->next = node; } - node->func = func; + node->func = ro_parse_clean_func; } void RuleOptParseCleanup(void) diff -Nru snort-2.8.5.2/src/plugbase.h snort-2.9.2/src/plugbase.h --- snort-2.8.5.2/src/plugbase.h 2009-05-06 22:28:18.000000000 +0000 +++ snort-2.9.2/src/plugbase.h 2011-10-26 18:28:52.000000000 +0000 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2009 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch ** ** This program is free software; you can redistribute it and/or modify @@ -28,8 +28,9 @@ #include "bitop_funcs.h" #include "rules.h" +#include "treenodes.h" #include "sf_types.h" -#include "debug.h" +#include "snort_debug.h" #ifndef WIN32 # include @@ -79,7 +80,7 @@ #define DETAIL_FULL 1 -/**************************** Detection Plugin API ****************************/ +/**************************** Rule Option Plugin API **************************/ typedef enum _RuleOptType { OPT_TYPE_ACTION = 0, @@ -90,18 +91,27 @@ } RuleOptType; typedef void (*RuleOptConfigFunc)(char *, OptTreeNode *, int); +typedef void (*RuleOptOtnHandler)(OptTreeNode *); typedef void (*RuleOptOverrideFunc)(char *, char *, char *, OptTreeNode *, int); typedef void (*RuleOptOverrideInitFunc)(char *, char *, RuleOptOverrideFunc); typedef int (*RuleOptEvalFunc)(void *, Packet *); -typedef int (*ResponseFunc)(Packet *, RspFpList *); +typedef int (*ResponseFunc)(Packet*, void*); typedef void (*PluginSignalFunc)(int, void *); typedef void (*RuleOptParseCleanupFunc)(void); +typedef int (*RuleOptByteOrderFunc)(void *, int32_t); + +#define func fptr.fptr +#define vfunc fptr.void_fptr typedef struct _RuleOptConfigFuncNode { char *keyword; RuleOptType type; - RuleOptConfigFunc func; + union { + RuleOptConfigFunc fptr; + void *void_fptr; + } fptr; + RuleOptOtnHandler otn_handler; struct _RuleOptConfigFuncNode *next; } RuleOptConfigFuncNode; 
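Review bot: `#define func fptr.fptr` and `#define vfunc fptr.void_fptr` are object-like macros on very common identifiers, exported to every translation unit that includes plugbase.h; any parameter, local or struct member named `func` or `vfunc` downstream is silently rewritten to `fptr.fptr`, which is presumably why this commit has to rename every `func` parameter in plugbase.c. The `config_func`/`config_vfunc` defines added before PreprocConfigFuncNode in a later hunk have the same reach. Since the union exists only so a function pointer can be logged through `%p` without a function-to-object pointer conversion, a less invasive form is to spell the union members at the few use sites or to give the macros a distinctive prefixed name. At minimum, document the intent above the defines: `/* Union lets the callback be read as a function pointer (.func) or as void * (.vfunc) for %p logging only; never call through .vfunc. */`.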
@@ -110,21 +120,39 @@ { char *keyword; RuleOptType type; - RuleOptOverrideInitFunc func; + union { + RuleOptOverrideInitFunc fptr; + void *void_fptr; + } fptr; + RuleOptOtnHandler otn_handler; struct _RuleOptOverrideInitFuncNode *next; } RuleOptOverrideInitFuncNode; typedef struct _RuleOptParseCleanupNode { - RuleOptParseCleanupFunc func; + union { + RuleOptParseCleanupFunc fptr; + void *void_fptr; + } fptr; struct _RuleOptParseCleanupNode *next; } RuleOptParseCleanupNode; +typedef struct _RuleOptByteOrderFuncNode +{ + char *keyword; + union { + RuleOptByteOrderFunc fptr; + void *void_fptr; + } fptr; + struct _RuleOptByteOrderFuncNode *next; +} RuleOptByteOrderFuncNode; + void RegisterRuleOptions(void); -void RegisterRuleOption(char *, RuleOptConfigFunc, RuleOptOverrideInitFunc, RuleOptType); +void RegisterRuleOption(char *, RuleOptConfigFunc, RuleOptOverrideInitFunc, RuleOptType, RuleOptOtnHandler); void RegisterOverrideKeyword(char *, char *, RuleOptOverrideFunc); +void RegisterByteOrderKeyword(char *, RuleOptByteOrderFunc); void DumpRuleOptions(void); OptFpList * AddOptFuncToList(RuleOptEvalFunc, OptTreeNode *); void AddRspFuncToList(ResponseFunc, OptTreeNode *, void *); 
@@ -134,6 +162,30 @@ void RuleOptParseCleanup(void); void FreeRuleOptParseCleanupList(RuleOptParseCleanupNode *); +void RegisterByteOrderKeyword(char *, RuleOptByteOrderFunc); +RuleOptByteOrderFunc GetByteOrderFunc(char *); +void FreeRuleOptByteOrderFuncs(RuleOptByteOrderFuncNode *); + +/***************************** Non Rule Detection API *************************/ +typedef void (*DetectionEvalFunc)(Packet *, void *); +typedef struct _DetectionEvalFuncNode +{ + void *context; + uint16_t priority; + uint32_t detect_id; + //uint32_t detect_bit; + uint32_t proto_mask; + union + { + DetectionEvalFunc fptr; + void *void_fptr; + } fptr; + struct _DetectionEvalFuncNode *next; + +} DetectionEvalFuncNode; + +DetectionEvalFuncNode * AddFuncToDetectionList(DetectionEvalFunc, uint16_t, uint32_t, uint32_t); +void FreeDetectionEvalFuncs(DetectionEvalFuncNode *); /***************************** Preprocessor API *******************************/ typedef void (*PreprocConfigFunc)(char *); @@ -141,8 +193,10 @@ typedef void (*PreprocEvalFunc)(Packet *, void *); typedef void (*PreprocCheckConfigFunc)(void); typedef void (*PreprocSignalFunc)(int, void *); -typedef void * (*PreprocReassemblyPktFunc)(void); typedef void (*PreprocPostConfigFunc)(void *); +typedef void (*PreprocMetaEvalFunc)(int, const uint8_t *); + +typedef void (*PeriodicFunc)(int, void *); #ifdef SNORT_RELOAD typedef void (*PreprocReloadFunc)(char *); @@ -151,10 +205,15 @@ typedef void (*PreprocReloadSwapFreeFunc)(void *); #endif +#define config_func cfptr.fptr +#define config_vfunc cfptr.void_fptr typedef struct _PreprocConfigFuncNode { char *keyword; - PreprocConfigFunc config_func; + union { + PreprocConfigFunc fptr; + void *void_fptr; + } cfptr; #ifdef SNORT_RELOAD /* Tells whether we call the config func or reload func */ 
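Review bot: `void RegisterByteOrderKeyword(char *, RuleOptByteOrderFunc);` is declared twice after this commit — once at the end of the `@@ -110,21 +120,39 @@` hunk above and again as the first added line of this hunk; compatible redeclarations compile, but one of them should go. The new `DetectionEvalFuncNode` also carries a commented-out field, `//uint32_t detect_bit;`, which should either be removed or get a comment saying what it is reserved for. Its `union` is laid out on separate `union` / `{` lines while the sibling nodes added above use the one-line `union {` form; one layout for the whole header would be easier to scan.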
@@ -173,7 +232,11 @@ typedef struct _PreprocStatsFuncNode { char *keyword; - PreprocStatsFunc func; + union + { + PreprocStatsFunc fptr; + void *void_fptr; + } fptr; struct _PreprocStatsFuncNode *next; } PreprocStatsFuncNode; @@ -185,14 +248,35 @@ uint32_t preproc_id; uint32_t preproc_bit; uint32_t proto_mask; - PreprocEvalFunc func; + union + { + PreprocEvalFunc fptr; + void *void_fptr; + } fptr; struct _PreprocEvalFuncNode *next; } PreprocEvalFuncNode; +typedef struct _PreprocMetaEvalFuncNode +{ + uint16_t priority; + uint32_t preproc_id; + uint32_t preproc_bit; + union + { + PreprocMetaEvalFunc fptr; + void *void_fptr; + } fptr; + struct _PreprocMetaEvalFuncNode *next; +} PreprocMetaEvalFuncNode; + typedef struct _PreprocCheckConfigFuncNode { - PreprocCheckConfigFunc func; + union + { + PreprocCheckConfigFunc fptr; + void *void_fptr; + } fptr; struct _PreprocCheckConfigFuncNode *next; } PreprocCheckConfigFuncNode; 
@@ -202,31 +286,51 @@ void *arg; uint16_t priority; uint32_t preproc_id; - PreprocSignalFunc func; + union + { + PreprocSignalFunc fptr; + void *void_fptr; + } fptr; struct _PreprocSignalFuncNode *next; } PreprocSignalFuncNode; -typedef struct _PreprocReassemblyPktFuncNode -{ - unsigned int preproc_id; - PreprocReassemblyPktFunc func; - struct _PreprocReassemblyPktFuncNode *next; - -} PreprocReassemblyPktFuncNode; - typedef struct _PreprocPostConfigFuncNode { void *data; - PreprocPostConfigFunc func; + union + { + PreprocPostConfigFunc fptr; + void *void_fptr; + } fptr; struct _PreprocPostConfigFuncNode *next; } PreprocPostConfigFuncNode; +typedef struct _PeriodicCheckFuncNode +{ + void *arg; + uint16_t priority; + uint32_t preproc_id; + uint32_t period; + uint32_t time_left; + union + { + PeriodicFunc fptr; + void *void_fptr; + } fptr; + struct _PeriodicCheckFuncNode *next; + +} PeriodicCheckFuncNode; + #ifdef SNORT_RELOAD typedef struct _PreprocReloadVerifyFuncNode { - PreprocReloadVerifyFunc func; + union + { + PreprocReloadVerifyFunc fptr; + void *void_fptr; + } fptr; struct _PreprocReloadVerifyFuncNode *next; } PreprocReloadVerifyFuncNode; 
@@ -237,31 +341,30 @@ void RegisterPreprocessors(void); #ifndef SNORT_RELOAD -void RegisterPreprocessor(char *, PreprocConfigFunc); +void RegisterPreprocessor(const char *, PreprocConfigFunc); #else -void RegisterPreprocessor(char *, PreprocConfigFunc, PreprocReloadFunc, +void RegisterPreprocessor(const char *, PreprocConfigFunc, PreprocReloadFunc, PreprocReloadSwapFunc, PreprocReloadSwapFreeFunc); #endif PreprocConfigFuncNode * GetPreprocConfig(char *); PreprocConfigFunc GetPreprocConfigFunc(char *); -void RegisterPreprocStats(char *, PreprocStatsFunc); +void RegisterPreprocStats(const char *, PreprocStatsFunc); void DumpPreprocessors(void); void AddFuncToConfigCheckList(PreprocCheckConfigFunc); void AddFuncToPreprocPostConfigList(PreprocPostConfigFunc, void *); void CheckPreprocessorsConfig(struct _SnortConfig *); PreprocEvalFuncNode * AddFuncToPreprocList(PreprocEvalFunc, uint16_t, uint32_t, uint32_t); -void AddFuncToPreprocRestartList(PreprocSignalFunc, void *, uint16_t, uint32_t); +PreprocMetaEvalFuncNode * AddFuncToPreprocMetaEvalList(PreprocMetaEvalFunc, uint16_t, uint32_t); void AddFuncToPreprocCleanExitList(PreprocSignalFunc, void *, uint16_t, uint32_t); void AddFuncToPreprocShutdownList(PreprocSignalFunc, void *, uint16_t, uint32_t); void AddFuncToPreprocResetList(PreprocSignalFunc, void *, uint16_t, uint32_t); void AddFuncToPreprocResetStatsList(PreprocSignalFunc, void *, uint16_t, uint32_t); -void AddFuncToPreprocReassemblyPktList(PreprocReassemblyPktFunc, uint32_t); int IsPreprocEnabled(uint32_t); void FreePreprocConfigFuncs(void); void FreePreprocCheckConfigFuncs(PreprocCheckConfigFuncNode *); void FreePreprocStatsFuncs(PreprocStatsFuncNode *); void FreePreprocEvalFuncs(PreprocEvalFuncNode *); -void FreePreprocReassemblyPktFuncs(PreprocReassemblyPktFuncNode *); +void FreePreprocMetaEvalFuncs(PreprocMetaEvalFuncNode *); void FreePreprocSigFuncs(PreprocSignalFuncNode *); void FreePreprocPostConfigFuncs(PreprocPostConfigFuncNode *); void 
PostConfigPreprocessors(struct _SnortConfig *); @@ -275,36 +378,36 @@ void FreePreprocReloadVerifyFuncList(PreprocReloadVerifyFuncNode *); #endif -static INLINE void DisablePreprocessors(Packet *p) +void AddFuncToPeriodicCheckList(PeriodicFunc, void *, uint16_t, uint32_t, uint32_t); +void FreePeriodicFuncs(PeriodicCheckFuncNode *head); + +static inline void DisablePreprocessors(Packet *p) { p->preprocessor_bits = PP_ALL_OFF; } -static INLINE void EnablePreprocessors(Packet *p) +static inline void EnablePreprocessors(Packet *p) { p->preprocessor_bits = PP_ALL_ON; } -static INLINE int IsPreprocBitSet(Packet *p, unsigned int preproc_bit) +static inline int IsPreprocBitSet(Packet *p, unsigned int preproc_bit) { return (p->preprocessor_bits & preproc_bit); } -static INLINE int SetPreprocBit(Packet *p, unsigned int preproc_id) +static inline int SetPreprocBit(Packet *p, unsigned int preproc_id) { p->preprocessor_bits |= (1 << preproc_id); return 0; } -static INLINE int IsPreprocReassemblyPktBitSet(Packet *p, unsigned int preproc_id) +static inline int SetAllPreprocBits(Packet *p) { - return (p->preproc_reassembly_pkt_bits & (1 << preproc_id)) != 0; -} - -static INLINE int SetPreprocReassemblyPktBit(Packet *p, unsigned int preproc_id) -{ - p->preproc_reassembly_pkt_bits |= (1 << preproc_id); - p->packet_flags |= PKT_PREPROC_RPKT; + SetPreprocBit(p, PP_SFPORTSCAN); + SetPreprocBit(p, PP_PERFMONITOR); + SetPreprocBit(p, PP_STREAM5); + SetPreprocBit(p, PP_SDF); return 0; } @@ -313,7 +416,11 @@ typedef struct _PluginSignalFuncNode { void *arg; - PluginSignalFunc func; + union + { + PluginSignalFunc fptr; + void *void_fptr; + } fptr; struct _PluginSignalFuncNode *next; } PluginSignalFuncNode; 
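Review bot: `SetAllPreprocBits` sets only PP_SFPORTSCAN, PP_PERFMONITOR, PP_STREAM5 and PP_SDF, which is narrower than its name says and easy to confuse with `EnablePreprocessors`, which writes PP_ALL_ON; a comment above it stating the selection rule, e.g. `/* Re-enables only the preprocessors that must see every packet; keep this list in sync with <TODO: where the list is decided> */`, would stop the next bit from being added in the wrong place. Why these four were chosen is not visible in this header, so the wording has to come from the author. Separately, the new prototype `void FreePeriodicFuncs(PeriodicCheckFuncNode *head);` is the only one in the block that names its parameter; either drop `head` or name the others for consistency.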
@@ -327,4 +434,5 @@ void PostConfigInitPlugins(PluginSignalFuncNode *); void FreePluginSigFuncs(PluginSignalFuncNode *); + #endif /* __PLUGBASE_H__ */ diff -Nru snort-2.8.5.2/src/plugin_enum.h snort-2.9.2/src/plugin_enum.h --- snort-2.8.5.2/src/plugin_enum.h 2009-01-26 16:25:58.000000000 +0000 +++ snort-2.9.2/src/plugin_enum.h 2011-02-09 23:22:51.000000000 +0000 @@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -47,7 +47,7 @@ PLUGIN_PATTERN_MATCH, /* AND match */ PLUGIN_PATTERN_MATCH_OR, PLUGIN_PATTERN_MATCH_URI, - PLUGIN_RESPOND, + PLUGIN_RESPONSE, PLUGIN_RPC_CHECK, PLUGIN_SESSION, PLUGIN_TCP_ACK_CHECK, @@ -60,6 +60,8 @@ PLUGIN_URILEN_CHECK, PLUGIN_DYNAMIC, PLUGIN_FLOWBIT, + PLUGIN_FILE_DATA, + PLUGIN_BASE64_DECODE, PLUGIN_MAX /* sentinel value */ }; diff -Nru snort-2.8.5.2/src/ppm.c snort-2.9.2/src/ppm.c --- snort-2.8.5.2/src/ppm.c 2009-05-06 22:28:18.000000000 +0000 +++ snort-2.9.2/src/ppm.c 2011-06-08 00:33:06.000000000 +0000 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2006-2009 Sourcefire, Inc. + * Copyright (C) 2006-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -51,13 +51,21 @@ #include #include +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "snort.h" #include "rules.h" +#include "treenodes.h" +#include "treenodes.h" #include "decode.h" #include "parser.h" #include "plugin_enum.h" #include "util.h" #include "rules.h" +#include "treenodes.h" +#include "treenodes.h" #include "fpcreate.h" #include "event_queue.h" #include "event_wrapper.h" 
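Review bot: The ppm.c include hunk adds `#include "treenodes.h"` four times — twice after each of the two pre-existing `#include "rules.h"` lines — which looks like a scripted insertion rather than intent; a single `#include "treenodes.h"` after one `#include "rules.h"` is enough, and the duplicated `rules.h` could be dropped at the same time. Include guards make the repeats harmless, but they obscure which headers the file actually depends on.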
@@ -81,8 +89,9 @@ ppm_pkt_timer_t ppm_pkt_times[PPM_MAX_TIMERS]; ppm_pkt_timer_t *ppm_pt = NULL; unsigned int ppm_pkt_index = 0; -ppm_rule_timer_t ppm_rule_times; +ppm_rule_timer_t ppm_rule_times[PPM_MAX_TIMERS]; ppm_rule_timer_t *ppm_rt = NULL; +unsigned int ppm_rule_times_index = 0; uint64_t ppm_cur_time = 0; /* temporary flags */ 
@@ -224,30 +233,45 @@ if(ppm_cfg->max_pkt_ticks) { LogMessage("Packet Performance Summary:\n"); - LogMessage(" max packet time : %lu usecs\n",(unsigned long)(ppm_cfg->max_pkt_ticks/ppm_tpu)); - LogMessage(" packet events : %u\n",(unsigned int)ppm_cfg->pkt_event_cnt); + + LogMessage(" max packet time : %g usecs\n", + ppm_ticks_to_usecs(ppm_cfg->max_pkt_ticks)); + + LogMessage(" packet events : %u\n", + (unsigned int)ppm_cfg->pkt_event_cnt); + if( ppm_cfg->tot_pkts ) LogMessage(" avg pkt time : %g usecs\n", - ppm_ticks_to_usecs((PPM_TICKS)(ppm_cfg->tot_pkt_time/ppm_cfg->tot_pkts)) ); + ppm_ticks_to_usecs((PPM_TICKS)(ppm_cfg->tot_pkt_time/ + ppm_cfg->tot_pkts))); } if(ppm_cfg->max_rule_ticks) { LogMessage("Rule Performance Summary:\n"); - LogMessage(" max rule time : %lu usecs\n",(unsigned long)(ppm_cfg->max_rule_ticks/ppm_tpu)); - LogMessage(" rule events : %u\n",(unsigned int)ppm_cfg->rule_event_cnt); + + LogMessage(" max rule time : %lu usecs\n", + (unsigned long)(ppm_cfg->max_rule_ticks/ppm_tpu)); + + LogMessage(" rule events : %u\n", + (unsigned int)ppm_cfg->rule_event_cnt); + if( ppm_cfg->tot_rules ) LogMessage(" avg rule time : %g usecs\n", - ppm_ticks_to_usecs((PPM_TICKS)(ppm_cfg->tot_rule_time/ppm_cfg->tot_rules)) ); + ppm_ticks_to_usecs((PPM_TICKS)(ppm_cfg->tot_rule_time/ + ppm_cfg->tot_rules))); + if( ppm_cfg->tot_nc_rules ) LogMessage(" avg nc-rule time : %g usecs\n", - ppm_ticks_to_usecs((PPM_TICKS)(ppm_cfg->tot_nc_rule_time/ppm_cfg->tot_nc_rules)) ); + ppm_ticks_to_usecs((PPM_TICKS)(ppm_cfg->tot_nc_rule_time/ + ppm_cfg->tot_nc_rules))); + if( ppm_cfg->tot_pcre_rules ) LogMessage(" avg nc-pcre-rule time : %g usecs\n", - ppm_ticks_to_usecs((PPM_TICKS)(ppm_cfg->tot_pcre_rule_time/ppm_cfg->tot_pcre_rules)) ); -#ifdef PORTLISTS + ppm_ticks_to_usecs((PPM_TICKS)(ppm_cfg->tot_pcre_rule_time/ + ppm_cfg->tot_pcre_rules))); + fpWalkOtns( 0, print_rule ); -#endif } } 
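Review bot: Within the same summary the max packet time now prints through `ppm_ticks_to_usecs(ppm_cfg->max_pkt_ticks)` with `%g`, while the max rule time keeps the old integer form `(unsigned long)(ppm_cfg->max_rule_ticks/ppm_tpu)` with `%lu`, so the two maxima are reported with different precision and rounding; `LogMessage(" max rule time : %g usecs\n", ppm_ticks_to_usecs(ppm_cfg->max_rule_ticks));` would make them consistent. Dropping the `#ifdef PORTLISTS` around `fpWalkOtns( 0, print_rule );` is presumably fine if the non-PORTLISTS build no longer exists, but a reader of this hunk alone cannot tell, so a word in the commit message would help.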
@@ -315,8 +339,8 @@ } } -#define PPM_FMT_SUSPENDED "PPM: Rule-Event address=0x%x Pkt[" STDi64 "] used=%g usecs suspended %s" -#define PPM_FMT_REENABLED "PPM: Rule-Event address=0x%x Pkt[" STDi64 "] re-enabled %s" +#define PPM_FMT_SUSPENDED "PPM: Rule-Event address=0x%p Pkt[" STDi64 "] used=%g usecs suspended %s" +#define PPM_FMT_REENABLED "PPM: Rule-Event address=0x%p Pkt[" STDi64 "] re-enabled %s" void ppm_rule_log(ppm_cfg_t *ppm_cfg, uint64_t pktcnt, Packet *p) { @@ -364,7 +388,7 @@ AlertAction(p, potn, &ev); } - if (ppm_cfg->rule_log & PPM_LOG_MESSAGE) + if (ppm_cfg->rule_log & PPM_LOG_MESSAGE) { int i; @@ -376,7 +400,7 @@ proot = ppm_crules[i]; LogMessage(PPM_FMT_REENABLED, - proot, + (void*)proot, pktcnt, timestamp); } @@ -432,7 +456,7 @@ proot = ppm_rules[i].tree; LogMessage(PPM_FMT_SUSPENDED, - proot, + (void*)proot, pktcnt, ppm_ticks_to_usecs((PPM_TICKS)ppm_rules[i].ticks), timestamp); diff -Nru snort-2.8.5.2/src/ppm.h snort-2.9.2/src/ppm.h --- snort-2.8.5.2/src/ppm.h 2009-07-07 15:37:02.000000000 +0000 +++ snort-2.9.2/src/ppm.h 2011-02-09 23:22:52.000000000 +0000 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2006-2009 Sourcefire, Inc. + * Copyright (C) 2006-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -106,8 +106,9 @@ extern ppm_pkt_timer_t ppm_pkt_times[PPM_MAX_TIMERS]; extern ppm_pkt_timer_t *ppm_pt; extern unsigned int ppm_pkt_index; -extern ppm_rule_timer_t ppm_rule_times; +extern ppm_rule_timer_t ppm_rule_times[PPM_MAX_TIMERS]; extern ppm_rule_timer_t *ppm_rt; +extern unsigned int ppm_rule_times_index; extern uint64_t ppm_cur_time; extern int ppm_abort_this_pkt; extern int ppm_suspend_this_rule; 
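Review bot: `PPM_FMT_SUSPENDED` and `PPM_FMT_REENABLED` now use `address=0x%p`, and on glibc `%p` already emits a `0x` prefix (and `(nil)` for a null pointer), so the line comes out as `address=0x0x...`; the `(void*)proot` casts are the right fix for the conversion, but the literal prefix should go: `#define PPM_FMT_SUSPENDED "PPM: Rule-Event address=%p Pkt[" STDi64 "] used=%g usecs suspended %s"` and likewise for `PPM_FMT_REENABLED`. Whether `%p` prints a prefix is implementation-defined, so the output will differ across platforms either way; anything that parses these operator-facing PPM_LOG_MESSAGE lines should be told the format changed.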
@@ -194,13 +195,25 @@ } #define PPM_INIT_RULE_TIMER() \ - ppm_rt = &ppm_rule_times; \ + if(ppm_rule_times_index < PPM_MAX_TIMERS) \ +{ \ + ppm_rt = &ppm_rule_times[ppm_rule_times_index++]; \ ppm_suspend_this_rule = 0; \ ppm_rt->start=ppm_cur_time; \ - ppm_rt->max_rule_ticks = snort_conf->ppm_cfg.max_rule_ticks; + ppm_rt->max_rule_ticks = snort_conf->ppm_cfg.max_rule_ticks; \ +} #define PPM_END_RULE_TIMER() \ - if( ppm_rt ) ppm_rt=NULL + if(( ppm_rule_times_index > 0) && ppm_rt ) \ +{ \ + ppm_rule_times_index--; \ + if (ppm_rule_times_index > 0) \ + { \ + ppm_rt=&ppm_rule_times[ppm_rule_times_index-1]; \ + } else { \ + ppm_rt=NULL; \ + } \ +} /* use PPM_GET_TIME; first to get the current time */ #define PPM_PACKET_TEST() \ @@ -217,7 +230,7 @@ #if 0 && defined(PPM_TEST) #define PPM_DBG_CSV(state, otn, when) \ LogMessage( \ - "PPM, %u, %u, %s, %llu\n", \ + "PPM, %u, %u, %s, " STDu64 "\n", \ otn->sigInfo.generator, otn->sigInfo.id, state, when \ ) #else diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/anomaly_detection/hi_ad.c snort-2.9.2/src/preprocessors/HttpInspect/anomaly_detection/hi_ad.c --- snort-2.8.5.2/src/preprocessors/HttpInspect/anomaly_detection/hi_ad.c 2009-01-26 16:26:28.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/anomaly_detection/hi_ad.c 2011-06-08 00:33:18.000000000 +0000 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** ** @file hi_ad.c ** 
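Review bot: `PPM_END_RULE_TIMER` decrements `ppm_rule_times_index` whenever it is non-zero, but the matching `PPM_INIT_RULE_TIMER` skips the increment once the index reaches PPM_MAX_TIMERS, so after nesting deeper than the array every END pops a level that was never pushed and the index and `ppm_rt` drift out of step until the next packet. Both macros are now also bare `if` statements without a `do { } while (0)` wrapper, which makes `if (x) PPM_INIT_RULE_TIMER(); else ...` miscompile (assuming call sites use a trailing semicolon, as the previous `PPM_END_RULE_TIMER` form implies). The rewrite below always counts the nesting level so INIT/END stay paired, touches the array only while the level is in range, and keeps `ppm_rt` on the outermost live timer when the limit is exceeded, which is what the original does in that case.
```c
#define PPM_INIT_RULE_TIMER() \
do { \
    if (ppm_rule_times_index < PPM_MAX_TIMERS) \
    { \
        ppm_rt = &ppm_rule_times[ppm_rule_times_index]; \
        ppm_suspend_this_rule = 0; \
        ppm_rt->start = ppm_cur_time; \
        ppm_rt->max_rule_ticks = snort_conf->ppm_cfg.max_rule_ticks; \
    } \
    /* always count the nesting level so the matching END stays paired */ \
    ppm_rule_times_index++; \
} while (0)

#define PPM_END_RULE_TIMER() \
do { \
    if (ppm_rule_times_index > 0) \
    { \
        ppm_rule_times_index--; \
        if (ppm_rule_times_index == 0) \
            ppm_rt = NULL; \
        else if (ppm_rule_times_index <= PPM_MAX_TIMERS) \
            ppm_rt = &ppm_rule_times[ppm_rule_times_index - 1]; \
        /* deeper than the array: ppm_rt stays on the outermost live timer */ \
    } \
} while (0)
```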
@@ -33,6 +33,10 @@ #include #include +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_ui_config.h" #include "hi_return_codes.h" #include "hi_eo_log.h" diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/anomaly_detection/Makefile.in snort-2.9.2/src/preprocessors/HttpInspect/anomaly_detection/Makefile.in --- snort-2.8.5.2/src/preprocessors/HttpInspect/anomaly_detection/Makefile.in 2009-10-19 21:18:00.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/anomaly_detection/Makefile.in 2011-12-07 19:23:21.000000000 +0000 @@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -16,8 +17,9 @@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c 
@@ -42,13 +44,14 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = LIBRARIES = $(noinst_LIBRARIES) ARFLAGS = cru libhi_ad_a_AR = $(AR) $(ARFLAGS) libhi_ad_a_LIBADD = am_libhi_ad_a_OBJECTS = hi_ad.$(OBJEXT) libhi_ad_a_OBJECTS = $(am_libhi_ad_a_OBJECTS) -DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = am__depfiles_maybe = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ @@ -74,31 +77,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ @@ -111,12 +114,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -124,20 +133,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -169,6 +185,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -181,6 +198,7 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies 
@@ -196,14 +214,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/anomaly_detection/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/anomaly_detection/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/anomaly_detection/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/anomaly_detection/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -221,6 +239,7 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): clean-noinstLIBRARIES: -test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES) 
@@ -255,45 +274,49 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i 
$(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags @@ -314,13 +337,17 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @@ -348,6 +375,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -368,6 +396,8 @@ html: html-am +html-am: + info: info-am info-am: @@ -376,18 +406,28 @@ install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am 
@@ -424,6 +464,7 @@ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ pdf pdf-am ps ps-am tags uninstall uninstall-am + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/client/hi_client.c snort-2.9.2/src/preprocessors/HttpInspect/client/hi_client.c --- snort-2.8.5.2/src/preprocessors/HttpInspect/client/hi_client.c 2009-12-15 23:27:54.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/client/hi_client.c 2011-12-08 16:49:14.000000000 +0000 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** ** @file hi_client.c ** @@ -32,12 +32,12 @@ ** protocol, finding where the various fields begin and end. This must ** be accomplished in a stateful and stateless manner. ** -** While the fields are being determined, we also do checks for +** While the fields are being determined, we also do checks for ** normalization, so we don't normalize fields that don't need it. ** ** Currently, the only fields we check for this is the URI and the ** parameter fields. -** +** ** NOTES: ** - 3.8.03: Initial development. DJR ** - 2.4.05: Added tab_uri_delimiter config option. AJM. @@ -50,6 +50,10 @@ #include #include +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_ui_config.h" #include "hi_si.h" #include "hi_mi.h" 
@@ -59,74 +63,39 @@ #include "hi_util_hbm.h" #include "hi_return_codes.h" #include "util.h" - -/* These numbers were chosen to avoid conflicting with - * the return codes in hi_return_codes.h */ -#define URI_END 99 -#define POST_END 100 -#define NO_URI 101 -#define INVALID_HEX_VAL -1 - +#include "mstring.h" +#include "sfutil/util_unfold.h" +#include "hi_cmd_lookup.h" +#include "detection_util.h" #define HEADER_NAME__COOKIE "Cookie" #define HEADER_LENGTH__COOKIE 6 #define HEADER_NAME__CONTENT_LENGTH "Content-length" #define HEADER_LENGTH__CONTENT_LENGTH 14 +#define HEADER_NAME__XFF "X-Forwarded-For" +#define HEADER_LENGTH__XFF 15 +#define HEADER_NAME__TRUE_IP "True-Client-IP" +#define HEADER_LENGTH__TRUE_IP 14 +#define HEADER_NAME__HOSTNAME "Host" +#define HEADER_LENGTH__HOSTNAME 4 +#define HEADER_NAME__TRANSFER_ENCODING "Transfer-encoding" +#define HEADER_LENGTH__TRANSFER_ENCODING 17 -/** -** This structure holds pointers to the different sections of an HTTP -** request. We need to track where whitespace begins and ends, so we -** can evaluate the placement of the URI correctly. -** -** For example, -** -** GET / HTTP/1.0 -** ^ ^ -** start end -** -** The end space pointers are set to NULL if there is space until the end -** of the buffer. -*/ -typedef struct s_URI_PTR -{ - const u_char *uri; /* the beginning of the URI */ - const u_char *uri_end; /* the end of the URI */ - const u_char *norm; /* ptr to first normalization occurence */ - const u_char *ident; /* ptr to beginning of the HTTP identifier */ - const u_char *first_sp_start; /* beginning of first space delimiter */ - const u_char *first_sp_end; /* end of first space delimiter */ - const u_char *second_sp_start; /* beginning of second space delimiter */ - const u_char *second_sp_end; /* end of second space delimiter */ - const u_char *param; /* '?' 
(beginning of parameter field) */ - const u_char *delimiter; /* HTTP URI delimiter (\r\n\) */ - const u_char *last_dir; /* ptr to last dir, so we catch long dirs */ - const u_char *proxy; /* ptr to the absolute URI */ -} URI_PTR; - -typedef struct s_HEADER_PTR -{ - URI_PTR header; - //HEADER_FIELD_PTR hdr_field; - COOKIE_PTR cookie; - CONTLEN_PTR content_len; -} HEADER_PTR; - -/** -** This makes passing function arguments much more readable and easier +/** This makes passing function arguments much more readable and easier ** to follow. */ typedef int (*LOOKUP_FCN)(HI_SESSION *, const u_char *, const u_char *, const u_char **, - URI_PTR *); + URI_PTR *); /* -** The lookup table contains functions for different HTTP delimiters +** The lookup table contains functions for different HTTP delimiters ** (like whitespace and the HTTP delimiter \r and \n). */ -static LOOKUP_FCN lookup_table[256]; -static int hex_lookup[256]; -static int NextNonWhiteSpace(HI_SESSION *Session, const u_char *start, +LOOKUP_FCN lookup_table[256]; +int NextNonWhiteSpace(HI_SESSION *Session, const u_char *start, const u_char *end, const u_char **ptr, URI_PTR *uri_ptr); - +extern const u_char *extract_http_transfer_encoding(HI_SESSION *, HttpSessionData *, + const u_char *, const u_char *, const u_char *, HEADER_PTR *, int); /* ** NAME ** CheckChunkEncoding:: 
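Review bot: Dropping `static` from `lookup_table` and `NextNonWhiteSpace` in this hunk, and from `IsHttpVersion` in the `@@ -384,29 +500,29 @@` hunk, exports three generically named symbols from hi_client.c; if another file now needs them, an `hi_`-prefixed name plus a declaration in a shared header would avoid clashes with other modules linked into the same binary. The `extern const u_char *extract_http_transfer_encoding(...)` prototype written directly into this .c file has the mirror problem: it duplicates whatever the defining file declares and will diverge silently, so it belongs in a header both files include. The removed `static int hex_lookup[256]` is still read as `hex_lookup[*ptr]` in the `@@ -264,8 +373,7 @@` hunk below, so it is presumably now supplied by one of the new includes — worth confirming that the types still match.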
@@ -134,52 +103,162 @@ /** ** This routine checks for chunk encoding anomalies in an HTTP client request ** packet. -** +** ** We convert potential chunk lengths and test them against the user-defined ** max chunk length. We log events on any chunk lengths that are over this ** defined chunk lengths. -** +** ** Chunks are skipped to save time when the chunk is contained in the packet. -** +** ** We assume coming into this function that we are pointed at the beginning ** of what may be a chunk length. That's why the iCheckChunk var is set ** to 1. -** +** ** @param Session pointer to the Session construct ** @param start pointer to where to beginning of buffer ** @param end pointer to the end of buffer -** +** ** @return integer -** +** ** @retval HI_SUCCESS function successful ** @retval HI_INVALID_ARG invalid argument */ -static int CheckChunkEncoding(HI_SESSION *Session, const u_char *start, const u_char *end, const u_char **post_end) -{ - u_int iChunkLen = 0; - int iChunkChars = 0; - int iCheckChunk = 1; +int CheckChunkEncoding(HI_SESSION *Session, const u_char *start, const u_char *end, + const u_char **post_end, u_char *iChunkBuf, uint32_t max_size, + uint32_t last_chunk_size, uint32_t *chunkSize, uint32_t *chunkRead, HttpSessionData *hsd, + int iInspectMode) +{ + uint32_t iChunkLen = 0; + uint32_t iChunkChars = 0; + int chunkPresent = 0; + uint32_t iCheckChunk = 1; const u_char *ptr; const u_char *jump_ptr; + uint32_t iDataLen = 0; + uint32_t chunkBytesCopied = 0; + uint8_t stateless_chunk_count = 0; if(!start || !end) return HI_INVALID_ARG; ptr = start; + if(last_chunk_size) + { + if(last_chunk_size > max_size) + { + if(chunkSize) + *chunkSize = last_chunk_size - max_size ; + last_chunk_size = max_size; + } + + iDataLen = end - ptr; + + if(last_chunk_size > iDataLen) + { + if(chunkSize) + *chunkSize = last_chunk_size - iDataLen ; + last_chunk_size = iDataLen; + } + + jump_ptr = ptr + last_chunk_size - 1; + + if(hi_util_in_bounds(start, end, jump_ptr)) + { + 
chunkPresent = 1; + if(iChunkBuf) + { + memcpy(iChunkBuf, ptr, last_chunk_size); + chunkBytesCopied = last_chunk_size; + } + ptr = jump_ptr + 1; + } + } + while(hi_util_in_bounds(start, end, ptr)) { if(*ptr == '\n' || *ptr == ' ' || *ptr == '\t') { if(iCheckChunk && iChunkLen != 0) { - if(Session->server_conf->chunk_length < iChunkLen && - hi_eo_generate_event(Session, HI_EO_CLIENT_LARGE_CHUNK)) + if (((Session->server_conf->chunk_length != 0) + && (iInspectMode == HI_SI_CLIENT_MODE) + && (Session->server_conf->chunk_length < iChunkLen) + && hi_eo_generate_event(Session, HI_EO_CLIENT_LARGE_CHUNK))) { hi_eo_client_event_log(Session, HI_EO_CLIENT_LARGE_CHUNK, NULL, NULL); } + if (Session->server_conf->small_chunk_length.size != 0) + { + if (iChunkLen <= Session->server_conf->small_chunk_length.size) + { + uint8_t* chunk_count; + int (*log_func)(HI_SESSION *, int, void *, void (*)(void *)); + int event; + + if (iInspectMode == HI_SI_CLIENT_MODE) + { + if (hsd) + chunk_count = &hsd->cli_small_chunk_count; + else + chunk_count = &stateless_chunk_count; + log_func = hi_eo_client_event_log; + event = HI_EO_CLIENT_CONSECUTIVE_SMALL_CHUNKS; + } + else + { + if (hsd) + chunk_count = &hsd->srv_small_chunk_count; + else + chunk_count = &stateless_chunk_count; + log_func = hi_eo_server_event_log; + event = HI_EO_SERVER_CONSECUTIVE_SMALL_CHUNKS; + } + + (*chunk_count)++; + if (hi_eo_generate_event(Session, event) + && (*chunk_count >= Session->server_conf->small_chunk_length.num)) + { + log_func(Session, event, NULL, NULL); + *chunk_count = 0; + } + } + else + { + // Reset for non-consecutive small chunks + if (iInspectMode == HI_SI_CLIENT_MODE) + { + if (hsd) + hsd->cli_small_chunk_count = 0; + else + stateless_chunk_count = 0; + } + else + { + if (hsd) + hsd->srv_small_chunk_count = 0; + else + stateless_chunk_count = 0; + } + } + } + + SkipBlankAndNewLine(start,end, &ptr); + + if(*ptr == '\n') + ptr++; + + iDataLen = end - ptr ; + + if( iChunkLen > iDataLen) + { + 
if(chunkSize) + *chunkSize = iChunkLen - iDataLen; + iChunkLen = iDataLen; + } + jump_ptr = ptr + iChunkLen; if(jump_ptr <= ptr) @@ -187,9 +266,30 @@ break; } - if(hi_util_in_bounds(start, end, jump_ptr)) + /* Since we're doing a memcpy end and jump_ptr can be the same + * but hi_util_in_bounds ensures last arg is less than so + * subtract 1 from jump_ptr */ + if(hi_util_in_bounds(start, end, jump_ptr - 1)) { + chunkPresent = 1; + if(iChunkBuf && ((chunkBytesCopied + iChunkLen) <= max_size)) + { + memcpy(iChunkBuf+chunkBytesCopied, ptr, iChunkLen); + chunkBytesCopied += iChunkLen; + } ptr = jump_ptr; + + if (!hi_util_in_bounds(start, end, ptr)) + break; + + /* Check to see if the chunks ends - LF or CRLF are valid */ + if (hi_eo_generate_event(Session, HI_EO_CLIENT_CHUNK_SIZE_MISMATCH) + && (*ptr != '\n') && (*ptr != '\r') + && ((ptr + 1) < end) && (*(ptr + 1) != '\n')) + { + hi_eo_client_event_log(Session, HI_EO_CLIENT_CHUNK_SIZE_MISMATCH, + NULL, NULL); + } } else { @@ -205,7 +305,7 @@ ** for handling new chunks, we reset and starting evaluating possible ** chunk lengths. */ - if(iCheckChunk || *ptr == '\n') + if(iCheckChunk || (hi_util_in_bounds(start, end, ptr) && *ptr == '\n')) { iCheckChunk = 1; iChunkLen = 0; @@ -218,7 +318,7 @@ if(iCheckChunk) { - if(hex_lookup[*ptr] == INVALID_HEX_VAL) + if(valid_lookup[*ptr] != HEX_VAL) { if(*ptr == '\r') { @@ -257,6 +357,15 @@ { if(iChunkChars >= 8) { + if (((Session->server_conf->chunk_length != 0) + && (iInspectMode == HI_SI_CLIENT_MODE) + && (Session->server_conf->chunk_length < iChunkLen) + && hi_eo_generate_event(Session, HI_EO_CLIENT_LARGE_CHUNK))) + { + hi_eo_client_event_log(Session, HI_EO_CLIENT_LARGE_CHUNK, + NULL, NULL); + } + iCheckChunk = 0; iChunkLen = 0; iChunkChars = 0; @@ -264,8 +373,7 @@ else { iChunkLen <<= 4; - iChunkLen |= (unsigned int)hex_lookup[*ptr]; - + iChunkLen |= (unsigned int)(hex_lookup[*ptr]); iChunkChars++; } } 
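Review bot: After `SkipBlankAndNewLine(start,end, &ptr);` the new code tests `if(*ptr == '\n')` without re-checking that ptr is still inside the buffer; if that helper can advance ptr up to end (its body is not visible here), this reads one byte past the inspected data, and the `@@ -205,7 +305,7 @@` hunk below shows the guarded form already used in this function, `if(hi_util_in_bounds(start, end, ptr) && *ptr == '\n') ptr++;`. The pre-loop block has a related edge: when `last_chunk_size` is clamped to an `iDataLen` of zero, `jump_ptr = ptr + last_chunk_size - 1` points one before ptr, which `hi_util_in_bounds` presumably rejects but which is pointer arithmetic outside the object when start == end. `CheckChunkEncoding` continues past the end of this hunk.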
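Review bot: The copy guard `if(iChunkBuf && ((chunkBytesCopied + iChunkLen) <= max_size))` evaluates the sum in uint32_t, so it only protects the `memcpy` while `chunkBytesCopied + iChunkLen` cannot wrap; the subtraction form `if(iChunkBuf && (iChunkLen <= max_size - chunkBytesCopied))` is always well-defined because `chunkBytesCopied` never exceeds `max_size` (the pre-loop copy is clamped to it and every later copy is admitted by this same check). `iChunkLen` is clamped to the remaining packet bytes just above, so in practice a wrap needs a very large `max_size`, but the overflow-free comparison costs nothing. The function body continues outside the hunk.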
@@ -273,9 +381,17 @@ ptr++; } - if (post_end && iChunkChars ) + if (chunkPresent ) { - *(post_end) = ptr; + if(post_end) + { + *(post_end) = ptr; + } + + if(chunkRead) + { + *chunkRead = chunkBytesCopied; + } return 1; } @@ -289,7 +405,7 @@ /** ** Catch multiple requests per packet, by returning pointer to after the ** end of the request header if there is another request. -** +** ** There are 4 types of "valid" delimiters that we look for. They are: ** "\r\n\r\n" ** "\r\n\n" @@ -298,19 +414,19 @@ ** The only patterns that we really only need to look for are: ** "\n\r\n" ** "\n\n" -** The reason being that these two patterns are suffixes of the other +** The reason being that these two patterns are suffixes of the other ** patterns. So once we find those, we are all good. -** +** ** @param Session pointer to the session ** @param start pointer to the start of text ** @param end pointer to the end of text -** +** ** @return pointer -** +** ** @retval NULL Did not find pipeline request ** @retval !NULL Found another possible request. */ -static INLINE const u_char *FindPipelineReq(HI_SESSION *Session, +static inline const u_char *FindPipelineReq(HI_SESSION *Session, const u_char *start, const u_char *end) { const u_char *p; @@ -331,7 +447,7 @@ ** ** a.k.a there needs to be data after the initial request to inspect ** to make it worth our while. - */ + */ while(p < (end - 6)) { if(*p == '\n') 
@@ -384,29 +500,29 @@ /** ** This checks that there is a version following a space with in an HTTP ** packet. -** +** ** This function gets called when a whitespace area has ended, and we want ** to know if a version identifier is followed directly after. So we look ** for the rfc standard "HTTP/" and report appropriately. We also need ** to make sure that the function succeeds given an end of buffer, so for ** instance if the buffer ends like " HTT", we still assume that this is ** a valid version identifier because of TCP segmentation. -** +** ** We also check for the 0.9 standard of GET URI\r\n. When we see a \r or ** a \n, then we just return with the pointer still pointing to that char. ** The reason is because on the next loop, we'll do the evaluation that ** we normally do and finish up processing there. -** +** ** @param start pointer to the start of the version identifier ** @param end pointer to the end of the buffer (could be the end of the ** data section, or just to the beginning of the delimiter. -** +** ** @return integer -** +** ** @retval 1 this is an HTTP version identifier ** @retval 0 this is not an HTTP identifier, or bad parameters */ -static int IsHttpVersion(const u_char **ptr, const u_char *end) +int IsHttpVersion(const u_char **ptr, const u_char *end) { static u_char s_acHttpDelimiter[] = "HTTP/"; static int s_iHttpDelimiterLen = 5; @@ -447,15 +563,15 @@ } (*ptr)++; - } + } /* - ** This means that we match all the chars that we could given the + ** This means that we match all the chars that we could given the ** remaining length so we should increment the pointer by that much ** since we don't need to inspect this again. */ - /* This pointer is not used again. When 1 is returned it causes + /* This pointer is not used again. When 1 is returned it causes * NextNonWhiteSpace to return also. */ #if 0 (*ptr)++; 
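Review bot: `IsHttpVersion` loses its `static` here, as do `find_rfc_delimiter`, `find_non_rfc_delimiter`, `NextNonWhiteSpace`, `SetPercentNorm`, `SetSlashNorm`, `SetBackSlashNorm`, `SetBinaryNorm`, `SetParamField` and `SetProxy` in the following hunks, which puts ten unprefixed names into the global namespace alongside the `hi_`-prefixed helpers this file otherwise exports. If they must be shared with another translation unit, each needs a prototype in a header (not visible in this diff) so callers are checked against the definition, and a `hi_client_` prefix would avoid collisions with other preprocessors' helpers of the same generic names. Otherwise keep them `static`.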
@@ -481,14 +597,14 @@ ** @param end pointer to the end of the payload ** @param ptr pointer to the pointer of the current index ** @param uri_ptr pointer to the URI_PTR construct -** +** ** @return integer -** -** @retval HI_OUT_OF_BOUNDS +** +** @retval HI_OUT_OF_BOUNDS ** @retval URI_END end of the URI is found, check URI_PTR. ** @retval NO_URI malformed delimiter, no URI. */ -static int find_rfc_delimiter(HI_SESSION *Session, const u_char *start, +int find_rfc_delimiter(HI_SESSION *Session, const u_char *start, const u_char *end, const u_char **ptr, URI_PTR *uri_ptr) { if(*ptr == start || !uri_ptr->uri) @@ -515,14 +631,14 @@ { return HI_OUT_OF_BOUNDS; } - + if(**ptr == '\n') { uri_ptr->delimiter = (*ptr)-1; if(!uri_ptr->ident) uri_ptr->uri_end = uri_ptr->delimiter; - + return URI_END; } @@ -536,7 +652,7 @@ /** ** Check for non standard delimiter '\n'. ** -** It now appears that apache and iis both take this non-standard +** It now appears that apache and iis both take this non-standard ** delimiter. So, we most likely will always look for it, but maybe ** give off a special alert or something. ** @@ -544,14 +660,14 @@ ** @param start pointer to the start of payload ** @param end pointer to the end of the payload ** @param ptr pointer to the pointer of the current index -** @param uri_ptr pointer to the URI_PTR construct -** +** @param uri_ptr pointer to the URI_PTR construct +** ** @return integer -** +** ** @retval URI_END delimiter found, end of URI -** @retval NO_URI +** @retval NO_URI */ -static int find_non_rfc_delimiter(HI_SESSION *Session, const u_char *start, +int find_non_rfc_delimiter(HI_SESSION *Session, const u_char *start, const u_char *end, const u_char **ptr, URI_PTR *uri_ptr) { HTTPINSPECT_CONF *ServerConf = Session->server_conf; @@ -583,10 +699,10 @@ } uri_ptr->delimiter = *ptr; - + if(!uri_ptr->ident) uri_ptr->uri_end = uri_ptr->delimiter; - + return URI_END; } 
@@ -612,33 +728,33 @@ /** ** Update the URI_PTR fields spaces, find the next non-white space char, ** and validate the HTTP version identifier after the spaces. -** +** ** This is the main part of the URI algorithm. This verifies that there ** isn't too many spaces in the data to be a URI, it checks that after the ** second space that there is an HTTP identifier or otherwise it's no good. ** Also, if we've found an identifier after the first whitespace, and ** find another whitespace, there is no URI. -** +** ** The uri and uri_end pointers are updated in this function depending ** on what space we are at, and if the space was followed by the HTTP ** identifier. (NOTE: the HTTP delimiter is no longer "HTTP/", but ** can also be "\r\n", "\n", or "\r". This is the defunct method, and ** we deal with it in the IsHttpVersion and delimiter functions.) -** +** ** @param ServerConf pointer to the server configuration ** @param start pointer to the start of payload ** @param end pointer to the end of the payload ** @param ptr pointer to the pointer of the current index -** @param uri_ptr pointer to the URI_PTR construct -** +** @param uri_ptr pointer to the URI_PTR construct +** ** @return integer -** +** ** @retval HI_SUCCESS found the next non-whitespace ** @retval HI_OUT_OF_BOUNDS whitespace to the end of the buffer ** @retval URI_END delimiter found, end of URI ** @retval NO_URI */ -static int NextNonWhiteSpace(HI_SESSION *Session, const u_char *start, +int NextNonWhiteSpace(HI_SESSION *Session, const u_char *start, const u_char *end, const u_char **ptr, URI_PTR *uri_ptr) { HTTPINSPECT_CONF *ServerConf = Session->server_conf; @@ -693,7 +809,7 @@ if(uri_ptr->first_sp_end) { /* - ** If the second space has been set, then this means that we have + ** If the second space has been set, then this means that we have ** seen a third space, which we shouldn't see in the URI so we ** are now done and know there is no URI in this packet. */ 
@@ -702,7 +818,7 @@ return NO_URI; } - /* + /* ** Treat whitespace differently at the end of the URI than we did ** at the beginning. Ignore and return if special characters are ** not defined as whitespace after the URI. @@ -734,7 +850,7 @@ ** and we unset the URI so we can set it later if need be. ** ** This is mainly so we handle data that is all spaces correctly. - ** + ** ** In the normal case where we've seen text and then the first space, ** we leave the uri ptr pointing at the beginning of the data, and ** set the uri end after we've determined where to put it. @@ -764,7 +880,7 @@ { if(ServerConf->apache_whitespace.on) { - if(hi_eo_generate_event(Session, + if(hi_eo_generate_event(Session, ServerConf->apache_whitespace.alert)) { hi_eo_client_event_log(Session, HI_EO_CLIENT_APACHE_WS, @@ -827,7 +943,7 @@ ** ** When we get here it means that we have found the end of ** the FIRST whitespace, and that there was no delimiter, - ** so we reset the uri pointers and other related + ** so we reset the uri pointers and other related ** pointers. */ uri_ptr->uri = *end_sp; @@ -876,7 +992,7 @@ */ /** ** Check for percent normalization in the URI buffer. -** +** ** We don't do much here besides check the configuration, set the pointer, ** and continue processing. ** @@ -884,13 +1000,13 @@ ** @param start pointer to the start of payload ** @param end pointer to the end of the payload ** @param ptr pointer to the pointer of the current index -** @param uri_ptr pointer to the URI_PTR construct -** +** @param uri_ptr pointer to the URI_PTR construct +** ** @return integer -** +** ** @retval HI_SUCCESS function successful */ -static int SetPercentNorm(HI_SESSION *Session, const u_char *start, +int SetPercentNorm(HI_SESSION *Session, const u_char *start, const u_char *end, const u_char **ptr, URI_PTR *uri_ptr) { HTTPINSPECT_CONF *ServerConf = Session->server_conf; @@ -904,7 +1020,7 @@ } (*ptr)++; - + return HI_SUCCESS; } 
@@ -914,16 +1030,16 @@ */ /** ** We check the directory length against the global config. -** +** ** @param Session pointer to the current session ** @param uri_ptr pointer to the URI state ** @param ptr pointer to the current index in buffer -** +** ** @return integer -** +** ** @retval HI_SUCCESS */ -static INLINE int CheckLongDir(HI_SESSION *Session, URI_PTR *uri_ptr, +static inline int CheckLongDir(HI_SESSION *Session, URI_PTR *uri_ptr, const u_char *ptr) { int iDirLen; @@ -931,7 +1047,7 @@ /* ** Check for oversize directory */ - if(Session->server_conf->long_dir && + if(Session->server_conf->long_dir && uri_ptr->last_dir && !uri_ptr->param) { iDirLen = ptr - uri_ptr->last_dir; @@ -954,19 +1070,19 @@ */ /** ** Check for any directory traversal or multi-slash normalization. -** +** ** @param ServerConf pointer to the server configuration ** @param start pointer to the start of payload ** @param end pointer to the end of the payload ** @param ptr pointer to the pointer of the current index -** @param uri_ptr pointer to the URI_PTR construct -** +** @param uri_ptr pointer to the URI_PTR construct +** ** @return integer -** +** ** @retval HI_SUCCESS function successful ** @retval HI_OUT_OF_BOUNDS reached the end of the buffer */ -static int SetSlashNorm(HI_SESSION *Session, const u_char *start, +int SetSlashNorm(HI_SESSION *Session, const u_char *start, const u_char *end, const u_char **ptr, URI_PTR *uri_ptr) { HTTPINSPECT_CONF *ServerConf = Session->server_conf; 
@@ -1039,21 +1155,21 @@ */ /** ** Check for backslashes and if we need to normalize. -** +** ** This really just checks the configuration option, and sets the norm ** variable if applicable. -** +** ** @param ServerConf pointer to the server configuration ** @param start pointer to the start of payload ** @param end pointer to the end of the payload ** @param ptr pointer to the pointer of the current index -** @param uri_ptr pointer to the URI_PTR construct -** +** @param uri_ptr pointer to the URI_PTR construct +** ** @return integer -** +** ** @retval HI_SUCCESS function successful */ -static int SetBackSlashNorm(HI_SESSION *Session, const u_char *start, +int SetBackSlashNorm(HI_SESSION *Session, const u_char *start, const u_char *end, const u_char **ptr, URI_PTR *uri_ptr) { HTTPINSPECT_CONF *ServerConf = Session->server_conf; 
@@ -1072,27 +1188,60 @@ } /* + * ** NAME + * ** SetPlusNorm:: + * */ +/** + * ** Check for "+" and if we need to normalize. + * ** + * ** + * ** @param ServerConf pointer to the server configuration + * ** @param start pointer to the start of payload + * ** @param end pointer to the end of the payload + * ** @param ptr pointer to the pointer of the current index + * ** @param uri_ptr pointer to the URI_PTR construct + * ** + * ** @return integer + * ** + * ** @retval HI_SUCCESS function successful + * */ + + +int SetPlusNorm(HI_SESSION *Session, const u_char *start, + const u_char *end, const u_char **ptr, URI_PTR *uri_ptr) +{ + if(!uri_ptr->norm && !uri_ptr->ident) + { + uri_ptr->norm = *ptr; + } + + (*ptr)++; + + return HI_SUCCESS; +} + +/* ** NAME ** SetBinaryNorm:: */ /** ** Look for non-ASCII chars in the URI. -** +** ** We look for these chars in the URI and set the normalization variable ** if it's not already set. I think we really only need this for IIS ** servers, but we may want to know if it's in the URI too. -** +** ** @param ServerConf pointer to the server configuration ** @param start pointer to the start of payload ** @param end pointer to the end of the payload ** @param ptr pointer to the pointer of the current index -** @param uri_ptr pointer to the URI_PTR construct -** +** @param uri_ptr pointer to the URI_PTR construct +** ** @return integer -** +** ** @retval HI_SUCCESS function successful */ -static int SetBinaryNorm(HI_SESSION *Session, const u_char *start, +int SetBinaryNorm(HI_SESSION *Session, const u_char *start, const u_char *end, const u_char **ptr, URI_PTR *uri_ptr) { if(!uri_ptr->norm && !uri_ptr->ident) 
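Review bot: The new SetPlusNorm doc block mixes two comment prefixes (`* ** Check for "+"`, `* ** @param ...`) and is separated from the definition by two blank lines, so it neither matches the `** ...` blocks of the surrounding functions nor attaches to the function for Doxygen; reformat it like the SetBinaryNorm block directly below and drop the blank lines. Its `@param ServerConf` line documents a parameter the signature does not have — the first argument is `HI_SESSION *Session` — and, unlike the sibling normalizers whose comments say they check the configuration, nothing here consults `ServerConf`, so a one-line comment such as `/* '+' always marks the URI for normalization; no config switch. */` would tell the next reader that is intentional (or a config check belongs here if one was intended).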
@@ -1113,18 +1262,18 @@ ** This function sets the parameter field as the first '?'. The big thing ** is that we set the param value, so we don't false positive long dir ** events when it's really just a long parameter field. -** +** ** @param ServerConf pointer to the server configuration ** @param start pointer to the start of payload ** @param end pointer to the end of the payload ** @param ptr pointer to the pointer of the current index -** @param uri_ptr pointer to the URI_PTR construct -** +** @param uri_ptr pointer to the URI_PTR construct +** ** @return integer -** +** ** @retval HI_SUCCESS function successful */ -static int SetParamField(HI_SESSION *Session, const u_char *start, +int SetParamField(HI_SESSION *Session, const u_char *start, const u_char *end, const u_char **ptr, URI_PTR *uri_ptr) { if(!uri_ptr->ident) @@ -1142,18 +1291,18 @@ */ /** ** This function checks for an absolute URI in the URI. -** +** ** @param ServerConf pointer to the server configuration ** @param start pointer to the start of payload ** @param end pointer to the end of the payload ** @param ptr pointer to the pointer of the current index -** @param uri_ptr pointer to the URI_PTR construct -** +** @param uri_ptr pointer to the URI_PTR construct +** ** @return integer -** +** ** @retval HI_SUCCESS function successful */ -static int SetProxy(HI_SESSION *Session, const u_char *start, +int SetProxy(HI_SESSION *Session, const u_char *start, const u_char *end, const u_char **ptr, URI_PTR *uri_ptr) { HTTPINSPECT_CONF *ServerConf = Session->server_conf; @@ -1184,12 +1333,12 @@ /** ** This is where we set the HI_CLIENT values that we found during URI ** discovery. This also covers checking these values for errors. -** +** ** @param Client pointer to HI_CLIENT structure ** @param uri_ptr pointer to the uri data -** +** ** @return integer -** +** ** @retval HI_NONFATAL_ERR problem with the uri values. ** @retval HI_SUCCESS values set successfully */ 
@@ -1211,7 +1360,7 @@ printf("** second_end = %c\n", *uri_ptr->second_sp_end); if(uri_ptr->delimiter) printf("** delimiter = %c\n", *uri_ptr->delimiter); - + if(uri_ptr->uri) printf("** uri = %c\n", *uri_ptr->uri); if(uri_ptr->norm) @@ -1219,7 +1368,7 @@ */ /* - ** This means that there was only spaces or delimiters within the + ** This means that there was only spaces or delimiters within the ** complete URI. In this case, there is no valid URI so we just ** return such. */ @@ -1261,20 +1410,22 @@ return HI_SUCCESS; } -static INLINE int hi_client_extract_post( +static inline int hi_client_extract_post( HI_SESSION *Session, HTTPINSPECT_CONF *ServerConf, - const u_char *ptr, const u_char *end, URI_PTR *result, int content_length) + const u_char *ptr, const u_char *end, URI_PTR *result, + int content_length, bool is_chunked, HttpSessionData *hsd) { - int iRet; const u_char *start = ptr; const u_char *post_end = end; Session->norm_flags &= HI_BODY; /* Limit search depth */ - if ((!content_length)) + if (is_chunked) { - if ( ServerConf->chunk_length && (CheckChunkEncoding(Session, start, end, &post_end) == 1) ) + if ( (ServerConf->chunk_length || ServerConf->small_chunk_length.size) + && (CheckChunkEncoding(Session, start, end, &post_end, NULL, 0, + 0, NULL, NULL, hsd, HI_SI_CLIENT_MODE) == 1) ) { result->uri = start; result->uri_end = post_end; 
@@ -1285,74 +1436,146 @@ return HI_NONFATAL_ERR; } } - if ( ServerConf->post_depth && (content_length > ServerConf->post_depth) && ((post_end - ptr ) > ServerConf->post_depth)) + else if(content_length > 0) { - post_end = ptr + ServerConf->post_depth; - result->uri_end = ptr + content_length; + if ((post_end - ptr ) > content_length) + { + post_end = ptr + content_length; + } } - else if (((post_end - ptr ) > content_length) && content_length > 0 ) + else { - post_end = ptr + content_length; - result->uri_end = post_end; + return HI_NONFATAL_ERR; } result->uri = start; + result->uri_end = post_end; + + return POST_END; +} + - while(hi_util_in_bounds(start, post_end, ptr)) +static inline int HTTP_CopyExtraDataToSession(const uint8_t *start, int length, int command_type, HTTP_LOG_STATE *log_state) +{ + uint8_t *alt_buf; + uint32_t alt_size; + uint32_t *alt_len; + int ret; + + if (length <= 0) + return -1; + + + switch (command_type) { - if(lookup_table[*ptr] || ServerConf->whitespace[*ptr]) - { - if(lookup_table[*ptr]) - { - iRet = (lookup_table[*ptr])(Session, start, post_end, &ptr, result); - } - else - { - iRet = NextNonWhiteSpace(Session, start, post_end, &ptr, result); - } - if (iRet) - { - if(iRet == URI_END || iRet == HI_OUT_OF_BOUNDS) - { - result->uri = start; - return POST_END; - } - else if(iRet != HI_SUCCESS) - { - result->uri = start; - return HI_NONFATAL_ERR; - } - } - else - { - continue; - } + case COPY_URI: + alt_buf = log_state->uri_extracted; + alt_size = MAX_URI_EXTRACTED; + alt_len = &(log_state->uri_bytes); + break; + + case COPY_HOSTNAME: + alt_buf = log_state->hostname_extracted; + alt_size = MAX_HOSTNAME; + alt_len = &(log_state->hostname_bytes); + break; + + default: + return -1; + } + + if(length > (int) alt_size) + length = alt_size; + + *alt_len = 0; + + ret = SafeMemcpy(alt_buf, start, length, alt_buf, alt_buf + alt_size); + + if (ret != SAFEMEM_SUCCESS) + { + return -1; + } + + *alt_len += length; + + return 0; +} + +static inline void 
HTTP_CopyUri(HTTPINSPECT_CONF *ServerConf, const u_char *start, const u_char *end, HttpSessionData *hsd, int stream_ins) +{ + int iRet = 0; + const u_char *cur_ptr; + + cur_ptr = start; + if(ServerConf->log_uri && !stream_ins && hsd) + { + SkipBlankSpace(start,end,&cur_ptr); + + start = cur_ptr; + if(!SetLogBuffers(hsd)) + { + iRet = HTTP_CopyExtraDataToSession((uint8_t *)start, (end - start), COPY_URI, hsd->log_state); + if(!iRet) + hsd->log_flags |= HTTP_LOG_URI; } + } +} - /* Reset these, since we're not delimited by spaces for the version - * with post data */ - result->first_sp_start = result->first_sp_end = NULL; - ptr++; + +static inline int unfold_http_uri(HTTPINSPECT_CONF *ServerConf, const u_char *end, URI_PTR *uri_ptr, HttpSessionData *hsd, int stream_ins) +{ + uint8_t unfold_buf[DECODE_BLEN]; + uint32_t unfold_size =0; + const u_char *p; + int folded = 0; + const char *tmp = NULL; + int iRet = -1; + + p = uri_ptr->uri; + + + sf_unfold_header(p, (end - p), unfold_buf, sizeof(unfold_buf), &unfold_size, 0, &folded); + + if( !folded) + { + HTTP_CopyUri(ServerConf, uri_ptr->uri , uri_ptr->uri_end, hsd, stream_ins); + return iRet; } - result->uri = start; - return POST_END; + tmp = SnortStrnPbrk((const char *)unfold_buf, unfold_size, " \t"); + + if (tmp != NULL) + { + unfold_size = ((uint8_t *)tmp - unfold_buf); + iRet = 0; + } + + p = p + unfold_size; + uri_ptr->uri_end = p; + + HTTP_CopyUri(ServerConf, unfold_buf, unfold_buf + unfold_size, hsd, stream_ins); + + return iRet; } -static INLINE int hi_client_extract_uri( - HI_SESSION *Session, HTTPINSPECT_CONF *ServerConf, - HI_CLIENT * Client, const u_char *start, const u_char *end, - const u_char *ptr, URI_PTR *uri_ptr) + +static inline int hi_client_extract_uri( + HI_SESSION *Session, HTTPINSPECT_CONF *ServerConf, + HI_CLIENT * Client, const u_char *start, const u_char *end, + const u_char *ptr, URI_PTR *uri_ptr, HttpSessionData *hsd, int stream_ins) { int iRet = HI_SUCCESS; + const u_char *tmp; + int 
uri_copied = 0; Session->norm_flags &= ~HI_BODY; + /* ** This loop compares each char to an array of functions ** (one for each char) and calling that function if there is one. - ** + ** ** If there is no function, then we just increment the char ptr and ** continue processing. ** @@ -1365,12 +1588,24 @@ while(hi_util_in_bounds(start, end, ptr)) { - /* isascii returns non-zero if it is ascii */ - if (isascii((int)*ptr) == 0) + if(!ServerConf->extended_ascii_uri) { - /* Possible post data or something else strange... */ - iRet = URI_END; - break; + /* isascii returns non-zero if it is ascii */ + if (isascii((int)*ptr) == 0) + { + /* Possible post data or something else strange... */ + iRet = URI_END; + /* Find the end of the URI in this case*/ + tmp = (const u_char *)SnortStrnPbrk((const char *)ptr, (uri_ptr->uri_end - ptr), " \r\n\t"); + if(tmp != NULL) + uri_ptr->uri_end = tmp; + + if(!uri_copied) + { + HTTP_CopyUri(ServerConf, uri_ptr->uri , uri_ptr->uri_end, hsd, stream_ins); + } + break; + } } if(lookup_table[*ptr] || ServerConf->whitespace[*ptr]) @@ -1389,6 +1624,19 @@ { if(iRet == URI_END) { + if((*(uri_ptr->uri_end) == '\n') || (*(uri_ptr->uri_end) == '\r') ) + { + uri_copied = 1; + if(!unfold_http_uri(ServerConf, end, uri_ptr, hsd, stream_ins )) + { + SkipCRLF(start,end, &ptr); + continue; + } + } + else if(!uri_copied) + { + HTTP_CopyUri(ServerConf, uri_ptr->uri , uri_ptr->uri_end, hsd, stream_ins); + } /* ** You found a URI, let's break and check it out. */ 
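Review bot: In `unfold_http_uri`, `p = p + unfold_size; uri_ptr->uri_end = p;` advances a pointer into the raw packet by a length measured in `unfold_buf`; if `sf_unfold_header` removes the CRLF-plus-whitespace folding (its `folded` flag suggests it does), the unfolded copy is shorter than the raw bytes it was built from, and `uri_end` lands inside the folded URI rather than at its end. Fixing that needs the count of raw bytes consumed, which the call as written does not return. Also, `HTTP_CopyExtraDataToSession` does `*alt_len = 0;` before the copy and `*alt_len += length;` after it, and nothing in between touches `*alt_len`, so `*alt_len = length;` after the successful copy says the same with one store. `hi_client_extract_uri` continues past the end of this hunk.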
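Review bot: On the non-ASCII path, `SnortStrnPbrk((const char *)ptr, (uri_ptr->uri_end - ptr), " \r\n\t")` uses `uri_ptr->uri_end` as the search bound, but at this point in the loop the delimiter functions may not have assigned `uri_end` yet (it is set by `find_rfc_delimiter`/`find_non_rfc_delimiter` once the terminator is found), so the length can come from a NULL or stale pointer; `end - ptr` is the bound known to be valid here. If `uri_end` is guaranteed non-NULL on entry to the loop, a comment saying where it is initialised would settle the question. hi_client_extract_uri starts and ends outside this hunk.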
@@ -1409,14 +1657,17 @@ ** also be a space, which would look like a pipeline request ** to us if we don't do this first. */ - if(Session->server_conf->chunk_length) - CheckChunkEncoding(Session, start, end, NULL); + if(Session->server_conf->chunk_length || Session->server_conf->small_chunk_length.size) + { + (void)CheckChunkEncoding(Session, start, end, NULL, NULL, 0, + 0, NULL, NULL, hsd, HI_SI_CLIENT_MODE); + } /* ** We only inspect the packet for another pipeline ** request if there wasn't a previous pipeline request. - ** The reason that we do this is because - */ + ** The reason that we do this is because + */ if(!Client->request.pipeline_req) { /* @@ -1454,20 +1705,11 @@ } -static INLINE int IsHeaderFieldName(const u_char *p, const u_char *start, const u_char *end, const char *header_name, size_t header_len) -{ - if( hi_util_in_bounds(start, end, p+header_len)) - { - if(!strncasecmp((const char *)p, header_name, header_len)) - return 1; - else - return 0; - } - return 0; -} - -static INLINE const u_char *extract_http_cookie(const u_char *p, const u_char *end, HEADER_PTR *header_ptr, HEADER_FIELD_PTR *header_field_ptr) +const u_char *extract_http_cookie(const u_char *p, const u_char *end, HEADER_PTR *header_ptr, + HEADER_FIELD_PTR *header_field_ptr) { + const u_char *crlf; + const u_char *start; if (header_ptr->cookie.cookie) { /* unusal, multiple cookies... alloc new cookie pointer */ 
@@ -1478,65 +1720,276 @@ header_ptr->header.uri_end = p; return p; } - (header_field_ptr)->cookie->next = extra_cookie; - (header_field_ptr)->cookie = extra_cookie; + header_field_ptr->cookie->next = extra_cookie; + header_field_ptr->cookie = extra_cookie; /* extra_cookie->next = NULL; */ /* removed, since calloc NULLs this. */ } else { - (header_field_ptr)->cookie = &header_ptr->cookie; + header_field_ptr->cookie = &header_ptr->cookie; + } + + start = p; + /* skip spaces before : */ + SkipBlankSpace(start,end,&p); + if(hi_util_in_bounds(start, end, p) && *p == ':') + { + p++; + SkipBlankSpace(start,end,&p); } - (header_field_ptr)->cookie->cookie = p; + + header_field_ptr->cookie->cookie = p; { - const u_char *crlf = (u_char *)SnortStrnStr((const char *)p, end - p, "\n"); + crlf = (u_char *)SnortStrnStr((const char *)p, end - p, "\n"); + /* find a \n */ if (crlf) /* && hi_util_in_bounds(start, end, crlf+1)) bounds is checked in SnortStrnStr */ { - (header_field_ptr)->cookie->cookie_end = crlf + 1; + if(*(crlf -1) == '\r') + header_field_ptr->cookie->cookie_end = crlf - 1; + else + header_field_ptr->cookie->cookie_end = crlf; + p = crlf; } else { - header_ptr->header.uri_end = (header_field_ptr)->cookie->cookie_end = end; + header_ptr->header.uri_end = header_field_ptr->cookie->cookie_end = end; return end; } } return p; } -static INLINE const u_char *extract_http_content_length(HI_SESSION *Session, HTTPINSPECT_CONF *ServerConf, const u_char *p, const u_char *start, const u_char *end, HEADER_PTR *header_ptr, HEADER_FIELD_PTR *header_field_ptr) + +const u_char *extract_http_xff(HI_SESSION *Session, const u_char *p, const u_char *start, + const u_char *end, HI_CLIENT_HDR_ARGS *hdrs_args) { + int num_spaces = 0; + SFIP_RET status; + sfip_t *tmp; + char *ipAddr = NULL; + uint8_t unfold_buf[DECODE_BLEN]; + uint32_t unfold_size =0; + const u_char *start_ptr, *end_ptr, *cur_ptr; + HEADER_PTR *header_ptr; + sfip_t **true_ip; + + header_ptr = hdrs_args->hdr_ptr; + true_ip = 
&(hdrs_args->sd->true_ip); + + if(!true_ip) + return p; + + if( (hdrs_args->true_clnt_xff & HDRS_BOTH) == HDRS_BOTH) + { + if(hi_eo_generate_event(Session, HI_EO_CLIENT_BOTH_TRUEIP_XFF_HDRS)) + { + hi_eo_client_event_log(Session, HI_EO_CLIENT_BOTH_TRUEIP_XFF_HDRS, NULL, NULL); + } + + } + + SkipBlankSpace(start,end,&p); + + if(hi_util_in_bounds(start, end, p) && *p == ':') + { + p++; + if(hi_util_in_bounds(start, end, p)) + sf_unfold_header(p, end-p, unfold_buf, sizeof(unfold_buf), &unfold_size, 0 , &num_spaces); + + if(!unfold_size) + { + header_ptr->header.uri_end = end; + return end; + } + + if(num_spaces >= Session->server_conf->max_spaces) + { + if(hi_eo_generate_event(Session, Session->server_conf->max_spaces)) + { + hi_eo_client_event_log(Session, HI_EO_CLIENT_EXCEEDS_SPACES, NULL, NULL); + } + + } + + p = p + unfold_size; + + start_ptr = unfold_buf; + cur_ptr = unfold_buf; + end_ptr = unfold_buf + unfold_size; + SkipBlankSpace(start_ptr,end_ptr,&cur_ptr); + + start_ptr = cur_ptr; + while( cur_ptr < end_ptr ) + { + if( *cur_ptr == ' ' || *cur_ptr == '\t' || + *cur_ptr == ',' ) + break; + cur_ptr++; + } + + if(cur_ptr - start_ptr) + ipAddr = SnortStrndup((const char *)start_ptr, cur_ptr - start_ptr ); + if(ipAddr) + { + if( (tmp = sfip_alloc(ipAddr, &status)) == NULL ) + { + if((status != SFIP_ARG_ERR) && (status !=SFIP_ALLOC_ERR)) + { + if(hi_eo_generate_event(Session, HI_EO_CLIENT_INVALID_TRUEIP)) + { + hi_eo_client_event_log(Session, HI_EO_CLIENT_INVALID_TRUEIP, NULL, NULL); + } + } + free(ipAddr); + return p; + } +#ifndef SUP_IP6 + if (tmp->family == AF_INET6) + { + sfip_free(tmp); + free(ipAddr); + return p; + } +#endif + if(*true_ip) + { + if(!IP_EQUALITY(*true_ip, tmp)) + { + sfip_free(*true_ip); + *true_ip = tmp; + + //alert + if(hi_eo_generate_event(Session, HI_EO_CLIENT_MULTIPLE_TRUEIP_IN_SESSION)) + { + hi_eo_client_event_log(Session, HI_EO_CLIENT_MULTIPLE_TRUEIP_IN_SESSION, NULL, NULL); + } + } + else + sfip_free(tmp); + + } + else + *true_ip = 
tmp; + free(ipAddr); + } + + } + else + { + header_ptr->header.uri_end = end; + return end; + } + + return p; + +} + + +const u_char *extract_http_hostname(HI_SESSION *Session, const u_char *p, const u_char *start, + const u_char *end, HEADER_PTR *header_ptr, HttpSessionData *hsd) +{ + int num_spaces = 0; + uint8_t unfold_buf[DECODE_BLEN]; + uint32_t unfold_size =0; + const u_char *start_ptr, *end_ptr, *cur_ptr; + int iRet=0; + + + SkipBlankSpace(start,end,&p); + + if(hi_util_in_bounds(start, end, p) && *p == ':') + { + p++; + if(hi_util_in_bounds(start, end, p)) + sf_unfold_header(p, end-p, unfold_buf, sizeof(unfold_buf), &unfold_size, 0, &num_spaces); + + if(!unfold_size) + { + header_ptr->header.uri_end = end; + return end; + } + + if(num_spaces >= Session->server_conf->max_spaces) + { + //alert + if(hi_eo_generate_event(Session, Session->server_conf->max_spaces)) + { + hi_eo_client_event_log(Session, HI_EO_CLIENT_EXCEEDS_SPACES, NULL, NULL); + } + } + p = p + unfold_size; + + start_ptr = unfold_buf; + cur_ptr = unfold_buf; + end_ptr = unfold_buf + unfold_size; + SkipBlankSpace(start_ptr,end_ptr,&cur_ptr); + + start_ptr = cur_ptr; + + if((end_ptr - start_ptr) >= MAX_HOSTNAME) + { + if(hi_eo_generate_event(Session, HI_EO_CLIENT_LONG_HOSTNAME)) + { + hi_eo_client_event_log(Session, HI_EO_CLIENT_LONG_HOSTNAME, NULL, NULL); + } + } + + iRet = HTTP_CopyExtraDataToSession((uint8_t *)start_ptr, (end_ptr - start_ptr), COPY_HOSTNAME, hsd->log_state); + if(!iRet) + { + hsd->log_flags |= HTTP_LOG_HOSTNAME; + } + } + else + { + header_ptr->header.uri_end = end; + return end; + } + + return p; +} + + +const u_char *extract_http_content_length(HI_SESSION *Session, + HTTPINSPECT_CONF *ServerConf, const u_char *p, const u_char *start, + const u_char *end, HEADER_PTR *header_ptr, HEADER_FIELD_PTR *header_field_ptr) +{ + int num_spaces = 0; const u_char *crlf; int space_present = 0; if (header_ptr->content_len.cont_len_start) { - hi_eo_client_event_log(Session, 
HI_EO_CLIENT_MULTIPLE_CONTLEN, NULL, NULL); + if(hi_eo_generate_event(Session, HI_EO_CLIENT_MULTIPLE_CONTLEN)) + { + hi_eo_client_event_log(Session, HI_EO_CLIENT_MULTIPLE_CONTLEN, NULL, NULL); + } header_ptr->header.uri_end = p; - //header_ptr->content_len.cont_len_start = header_ptr->content_len.cont_len_end = NULL; header_ptr->content_len.len = 0; return p; } else { - (header_field_ptr)->content_len = &header_ptr->content_len; + header_field_ptr->content_len = &header_ptr->content_len; p = p + 14; } /* Move past all the blank spaces. Only tabs and spaces are allowed here */ - while((hi_util_in_bounds(start, end, p)) && ( *p == ' ' || *p == '\t') ) {p++;} + SkipBlankSpace(start,end,&p); if(hi_util_in_bounds(start, end, p) && *p == ':') { p++; if ( hi_util_in_bounds(start, end, p) ) { - if ( ServerConf->profile == HI_APACHE || ServerConf->profile == HI_ALL) + if ( ServerConf->profile == HI_APACHE || ServerConf->profile == HI_ALL) { - while( (hi_util_in_bounds(start, end, p)) && isspace((int)*p) && (*p != '\n') ) {p++;} + SkipWhiteSpace(start,end,&p); } else { - while( (hi_util_in_bounds(start, end, p)) && ( *p == ' ' || *p == '\t') && (*p != '\n') ) {p++;} + SkipBlankAndNewLine(start,end,&p); } if( hi_util_in_bounds(start, end, p)) { 
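Review bot: In `extract_http_xff` the guard `if(!true_ip) return p;` can never fire, because `true_ip = &(hdrs_args->sd->true_ip);` is the address of a struct member; if the intent is to tolerate a NULL `hdrs_args->sd`, test that before taking the address: `if (!hdrs_args->sd) return p; true_ip = &hdrs_args->sd->true_ip;`. `extract_http_hostname` hands `hsd->log_state` to `HTTP_CopyExtraDataToSession` with no `hsd` check and without the `SetLogBuffers(hsd)` call that `HTTP_CopyUri` makes first; if `log_state` is allocated lazily by `SetLogBuffers`, this path dereferences NULL on the first Host header — presumably the caller guarantees otherwise, but a comment or the same guard would make that explicit. Both `max_spaces` alerts pass `Session->server_conf->max_spaces`, a count, as the event id to `hi_eo_generate_event` and then log `HI_EO_CLIENT_EXCEEDS_SPACES` (the `@@ -1547,46 +2000,58 @@` hunk does the same); unless that config field is meant to double as an alert selector the way `apache_whitespace.alert` does elsewhere in this file, the generate call should name `HI_EO_CLIENT_EXCEEDS_SPACES` too. `extract_http_content_length` continues past the end of this hunk.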
@@ -1547,46 +2000,58 @@ if ( *p == '\n') { p++; - while( hi_util_in_bounds(start, end, p) && ( *p == ' ' || *p == '\t')) + while( hi_util_in_bounds(start, end, p) && ( *p == ' ' || *p == '\t')) { space_present = 1; p++; + num_spaces++; } if ( space_present ) { + if(num_spaces >= Session->server_conf->max_spaces) + { + if(hi_eo_generate_event(Session, Session->server_conf->max_spaces)) + { + hi_eo_client_event_log(Session, HI_EO_CLIENT_EXCEEDS_SPACES, NULL, NULL); + } + } if ( isdigit((int)*p)) break; - else if(isspace((int)*p) && (ServerConf->profile == HI_APACHE || ServerConf->profile == HI_ALL) ) + else if(isspace((int)*p) && + (ServerConf->profile == HI_APACHE || ServerConf->profile == HI_ALL) ) { - while((hi_util_in_bounds(start, end, p)) && isspace((int)*p) && (*p != '\n') ) {p++;} + SkipWhiteSpace(start,end,&p); } else - { - (header_field_ptr)->content_len->cont_len_start = (header_field_ptr)->content_len->cont_len_end = NULL; - (header_field_ptr)->content_len->len = 0; + { + header_field_ptr->content_len->cont_len_start = + header_field_ptr->content_len->cont_len_end = NULL; + header_field_ptr->content_len->len = 0; return p; } } else { - (header_field_ptr)->content_len->cont_len_start = (header_field_ptr)->content_len->cont_len_end = NULL; - (header_field_ptr)->content_len->len = 0; + header_field_ptr->content_len->cont_len_start = + header_field_ptr->content_len->cont_len_end = NULL; + header_field_ptr->content_len->len = 0; return p; } } else - break; + break; } } else if(!isdigit((int)*p)) { - (header_field_ptr)->content_len->cont_len_start = (header_field_ptr)->content_len->cont_len_end = NULL; - (header_field_ptr)->content_len->len = 0; + header_field_ptr->content_len->cont_len_start = + header_field_ptr->content_len->cont_len_end = NULL; + header_field_ptr->content_len->len = 0; return p; } if(isdigit((int)*p)) { - (header_field_ptr)->content_len->cont_len_start = p; + header_field_ptr->content_len->cont_len_start = p; p++; 
while(hi_util_in_bounds(start, end, p)) { @@ -1597,13 +2062,14 @@ } else if((*p == '\n')) /* digit followed by \n */ { - (header_field_ptr)->content_len->cont_len_end = p; + header_field_ptr->content_len->cont_len_end = p; break; } - else if( (!isdigit((int)*p)) && (!isspace((int)*p))) // alphabet after digit + else if( (!isdigit((int)*p)) && (!isspace((int)*p))) /* alphabet after digit*/ { - (header_field_ptr)->content_len->cont_len_start = (header_field_ptr)->content_len->cont_len_end = NULL; - (header_field_ptr)->content_len->len = 0; + header_field_ptr->content_len->cont_len_start = + header_field_ptr->content_len->cont_len_end = NULL; + header_field_ptr->content_len->len = 0; crlf = (u_char *)SnortStrnStr((const char *)p, end - p, "\n"); if (crlf) @@ -1615,26 +2081,27 @@ header_ptr->header.uri_end = end; return end; } - } + } else { if (ServerConf->profile == HI_APACHE || ServerConf->profile == HI_ALL) { - while( (hi_util_in_bounds(start, end, p)) && isspace((int)*p) && (*p != '\n') ) {p++;} + SkipWhiteSpace(start,end,&p); } else { - while( (hi_util_in_bounds(start, end, p)) && ( *p == ' ' || *p == '\t') && (*p != '\n') ) {p++;} + SkipBlankAndNewLine(start,end,&p); } if ( *p == '\n' ) { - (header_field_ptr)->content_len->cont_len_end = p; + header_field_ptr->content_len->cont_len_end = p; break; } else /*either a "digit digit" or "digit other character" */ { - (header_field_ptr)->content_len->cont_len_start = (header_field_ptr)->content_len->cont_len_end = NULL; - (header_field_ptr)->content_len->len = 0; + header_field_ptr->content_len->cont_len_start = + header_field_ptr->content_len->cont_len_end = NULL; + header_field_ptr->content_len->len = 0; crlf = (u_char *)SnortStrnStr((const char *)p, end - p, "\n"); if (crlf) { 
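Review bot: After the new `SkipWhiteSpace(start,end,&p)` / `SkipBlankAndNewLine(start,end,&p)` calls in the 1615 hunk, the unchanged next line `if ( *p == '\n' )` dereferences p with no bounds check, so if the helpers stop at `end` the way the loops they replace did, a header that ends in whitespace reads one byte past the buffer; the 1547 hunk has the same shape at `if ( isdigit((int)*p))` right after the space-counting loop. A guard such as `if ( hi_util_in_bounds(start, end, p) && *p == '\n' )` keeps the scan inside `[start, end)`. The name `SkipBlankAndNewLine` also reads as if it consumes newlines, whereas the loop it replaces explicitly stopped at `'\n'`; if the helper preserves that, a call-site comment `/* stops at '\n' */` prevents the next reader from assuming otherwise. extract_http_content_length begins and ends outside these hunks.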
@@ -1653,8 +2120,9 @@ } else { - (header_field_ptr)->content_len->cont_len_start = (header_field_ptr)->content_len->cont_len_end = NULL; - (header_field_ptr)->content_len->len = 0; + header_field_ptr->content_len->cont_len_start = + header_field_ptr->content_len->cont_len_end = NULL; + header_field_ptr->content_len->len = 0; return p; } } @@ -1676,16 +2144,21 @@ } } } - if ( header_field_ptr && ((header_field_ptr)->content_len->cont_len_start) ) + if ( header_field_ptr && (header_field_ptr->content_len->cont_len_start) && + (header_field_ptr->content_len->cont_len_end) ) { char *pcEnd; - errno = 0; - (header_field_ptr)->content_len->len = strtol((char *)(header_field_ptr)->content_len->cont_len_start, &pcEnd, 10); - if(errno == ERANGE || ((char *)(header_field_ptr)->content_len->cont_len_start == pcEnd)) + uint64_t len; + len = (uint64_t)SnortStrtol((char *)header_field_ptr->content_len->cont_len_start, &pcEnd, 10); + + if ( (errno == ERANGE) + || ((char *)header_field_ptr->content_len->cont_len_start == pcEnd) + || (len > 0xFFFFFFFF) ) { - //warning - (header_field_ptr)->content_len->len = 0; + header_field_ptr->content_len->len = 0; } + else + header_field_ptr->content_len->len = (uint32_t)len; } if(!p || !hi_util_in_bounds(start, end, p)) p = end; 
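Review bot: The new `errno == ERANGE` test in the 1676 hunk runs without the `errno = 0;` the removed code had, so unless `SnortStrtol` clears errno itself a stale ERANGE left by an earlier library call will zero a perfectly valid Content-Length; add `errno = 0;` before the `SnortStrtol` call if the wrapper does not do it. The added `cont_len_end` requirement is what keeps `SnortStrtol` from scanning past the header (it stops at the '\n' the scan found), which is not obvious and deserves a one-line comment on the condition. Note that a parse failure and a literal `Content-Length: 0` both end with `len == 0`, so downstream code cannot tell them apart.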
@@ -1693,19 +2166,76 @@ return p; } -static INLINE const u_char *extractHeaderFieldValues(HI_SESSION *Session, HTTPINSPECT_CONF *ServerConf, const u_char *p, const u_char *offset, const u_char *start, const u_char *end, HEADER_PTR *header_ptr, HEADER_FIELD_PTR *header_field_ptr) +static inline const u_char *extractHeaderFieldValues(HI_SESSION *Session, + HTTPINSPECT_CONF *ServerConf, const u_char *p, const u_char *offset, + const u_char *start, const u_char *end, HI_CLIENT_HDR_ARGS *hdrs_args) { + HttpSessionData *hsd; + + hsd = hdrs_args->sd; if (((p - offset) == 0) && ((*p == 'C') || (*p == 'c'))) { /* Search for 'Cookie' at beginning, starting from current *p */ - if (IsHeaderFieldName(p, start, end, HEADER_NAME__COOKIE, HEADER_LENGTH__COOKIE)) + if ( ServerConf->enable_cookie && + IsHeaderFieldName(p, end, HEADER_NAME__COOKIE, HEADER_LENGTH__COOKIE)) { - p = extract_http_cookie(p, end, header_ptr, header_field_ptr); + p = extract_http_cookie((p+ HEADER_LENGTH__COOKIE), end, hdrs_args->hdr_ptr, hdrs_args->hdr_field_ptr); } - else if ( IsHeaderFieldName(p, start, end, HEADER_NAME__CONTENT_LENGTH, HEADER_LENGTH__CONTENT_LENGTH) ) + else if ( IsHeaderFieldName(p, end, HEADER_NAME__CONTENT_LENGTH, HEADER_LENGTH__CONTENT_LENGTH) ) { - p = extract_http_content_length(Session, ServerConf, p, start, end, header_ptr, header_field_ptr ); - + p = extract_http_content_length(Session, ServerConf, p, start, + end, hdrs_args->hdr_ptr, hdrs_args->hdr_field_ptr ); + } + } + else if (((p - offset) == 0) && ((*p == 'x') || (*p == 'X') || (*p == 't') || (*p == 'T'))) + { + if ( (ServerConf->enable_xff) && hsd ) + { + if(IsHeaderFieldName(p, end, HEADER_NAME__XFF, HEADER_LENGTH__XFF)) + { + hdrs_args->true_clnt_xff |= XFF_HDR; + p = p + HEADER_LENGTH__XFF; + p = extract_http_xff(Session, p, start, end, hdrs_args); + } + else if(IsHeaderFieldName(p, end, HEADER_NAME__TRUE_IP, HEADER_LENGTH__TRUE_IP)) + { + hdrs_args->true_clnt_xff |= TRUE_CLIENT_IP_HDR; + p = p + 
HEADER_LENGTH__TRUE_IP; + p = extract_http_xff(Session, p, start, end, hdrs_args); + } + } + else if ( IsHeaderFieldName(p, end, HEADER_NAME__TRANSFER_ENCODING, + HEADER_LENGTH__TRANSFER_ENCODING) && hsd) + { + p = p + HEADER_LENGTH__TRANSFER_ENCODING; + p = extract_http_transfer_encoding(Session, hsd, p, start, end, hdrs_args->hdr_ptr, HI_SI_CLIENT_MODE); + } + } + else if(((p - offset) == 0) && ((*p == 'H') || (*p == 'h'))) + { + if(IsHeaderFieldName(p, end, HEADER_NAME__HOSTNAME, HEADER_LENGTH__HOSTNAME)) + { + /* Alert when there are multiple host headers in one request */ + if(hdrs_args->hst_name_hdr) + { + if(hi_eo_generate_event(Session, HI_EO_CLIENT_MULTIPLE_HOST_HDRS)) + { + hi_eo_client_event_log(Session, HI_EO_CLIENT_MULTIPLE_HOST_HDRS, NULL, NULL); + } + return p; + } + else + { + hdrs_args->hst_name_hdr = 1; + if ( hsd && !(hdrs_args->strm_ins) && (ServerConf->log_hostname)) + { + if(!SetLogBuffers(hsd)) + { + p = p + HEADER_LENGTH__HOSTNAME; + p = extract_http_hostname(Session, p, start, end, hdrs_args->hdr_ptr, hsd); + } + } + } } } return p; @@ -1719,7 +2249,7 @@ /** ** Catch multiple requests per packet, by returning pointer to after the ** end of the request header if there is another request. -** +** ** There are 4 types of "valid" delimiters that we look for. They are: ** "\r\n\r\n" ** "\r\n\n" 
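Review bot: In the 1693 hunk the `Transfer-Encoding` test sits in the `else` of `if ( (ServerConf->enable_xff) && hsd )`, so whenever XFF handling is enabled and a session exists, a `Transfer-Encoding:` header (which starts with 't'/'T' and enters this branch) is never examined and `is_chunked` is never set; chunked request bodies then miss the body path that StatelessInspection keys on `header_ptr.is_chunked`. Test the header that does not depend on the XFF setting first: `if ( hsd && IsHeaderFieldName(p, end, HEADER_NAME__TRANSFER_ENCODING, HEADER_LENGTH__TRANSFER_ENCODING) ) { /* existing chunked handling */ }` and make the XFF/True-Client-IP block the `else if ( ServerConf->enable_xff && hsd )`. The Host branch treats a zero return from `SetLogBuffers(hsd)` as success; a comment stating that convention at the call would save the reader a lookup.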
@@ -1728,29 +2258,31 @@ ** The only patterns that we really only need to look for are: ** "\n\r\n" ** "\n\n" -** The reason being that these two patterns are suffixes of the other +** The reason being that these two patterns are suffixes of the other ** patterns. So once we find those, we are all good. -** +** ** @param Session pointer to the session ** @param start pointer to the start of text ** @param end pointer to the end of text -** +** ** @return pointer -** +** ** @retval NULL Did not find pipeline request ** @retval !NULL Found another possible request. */ -static INLINE const u_char *hi_client_extract_header( - HI_SESSION *Session, HTTPINSPECT_CONF *ServerConf, - HI_CLIENT * Client, HEADER_PTR *header_ptr, - const u_char *start, const u_char *end) +static inline const u_char *hi_client_extract_header( + HI_SESSION *Session, HTTPINSPECT_CONF *ServerConf, + HEADER_PTR *header_ptr, const u_char *start, + const u_char *end, HttpSessionData *hsd, int stream_ins) { int iRet = HI_SUCCESS; const u_char *p; const u_char *offset; URI_PTR version_string; HEADER_FIELD_PTR header_field_ptr ; + HI_CLIENT_HDR_ARGS hdrs_args; int header_count = 0; + int num_spaces = 0; if(!start || !end) return NULL; @@ -1765,13 +2297,23 @@ ** ** a.k.a there needs to be data after the initial request to inspect ** to make it worth our while. - */ + */ if (p > (end - 6 )) { header_ptr->header.uri = NULL; return p; } header_ptr->content_len.len = 0; + header_ptr->is_chunked = false; + + header_ptr->header.uri = start; + header_ptr->header.uri_end = end; + hdrs_args.hdr_ptr = header_ptr; + hdrs_args.hdr_field_ptr = &header_field_ptr; + hdrs_args.sd = hsd; + hdrs_args.strm_ins = stream_ins; + hdrs_args.hst_name_hdr = 0; + hdrs_args.true_clnt_xff = 0; /* This is to skip past the HTTP/1.0 (or 1.1) version string */ if (IsHttpVersion(&p, end)) 
@@ -1805,6 +2347,17 @@ { return p; } + + + if(hi_eo_generate_event(Session, Session->server_conf->max_spaces)) + { + num_spaces = SkipBlankSpace(start,end,&p); + if(num_spaces >= Session->server_conf->max_spaces) + { + //alert + hi_eo_client_event_log(Session, HI_EO_CLIENT_EXCEEDS_SPACES, NULL, NULL); + } + } } break; } @@ -1850,6 +2403,16 @@ p++; + if(hi_eo_generate_event(Session, Session->server_conf->max_spaces)) + { + num_spaces = SkipBlankSpace(start,end,&p); + if(num_spaces >= Session->server_conf->max_spaces) + { + //alert + hi_eo_client_event_log(Session, HI_EO_CLIENT_EXCEEDS_SPACES, NULL, NULL); + } + } + offset = (u_char*)p; if (!hi_util_in_bounds(start, end, p)) @@ -1858,6 +2421,9 @@ return p; } + hdrs_args.hdr_ptr = header_ptr; + hdrs_args.hdr_field_ptr = &header_field_ptr; + /* As performance ugly as this may be, need to bounds check p in each of the * if blocks below to prevent read beyond end of buffer */ if (*p < 0x0E) @@ -1868,23 +2434,26 @@ if(hi_util_in_bounds(start, end, p) && (*p == '\n')) { + p++; header_ptr->header.uri_end = p; - return ++p; + return p; } } else if(*p == '\n') { + p++; header_ptr->header.uri_end = p; - return ++p; + return p; } } - else if ( (p = extractHeaderFieldValues(Session, ServerConf, p, offset, start, end, header_ptr, &header_field_ptr)) == end) + else if ( (p = extractHeaderFieldValues(Session, ServerConf, p, offset, start, end, &hdrs_args)) == end) { return end; } - + } - else if( (p == header_ptr->header.uri) && (p = extractHeaderFieldValues(Session, ServerConf, p, offset, start, end, header_ptr, &header_field_ptr)) == end) + else if( (p == header_ptr->header.uri) && + (p = extractHeaderFieldValues(Session, ServerConf, p, offset, start, end, &hdrs_args)) == end) { return end; } 
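Review bot: In the 1805 and 1850 hunks `num_spaces = SkipBlankSpace(start,end,&p);` is placed inside `if(hi_eo_generate_event(Session, Session->server_conf->max_spaces))`, so p is advanced past the blanks only when that alert is enabled (the second argument is the configured limit rather than an event id, which suggests it is used as an on/off switch); if the advance is part of parsing rather than of alerting, hoist it: `num_spaces = SkipBlankSpace(start,end,&p); if (num_spaces >= Session->server_conf->max_spaces && hi_eo_generate_event(Session, Session->server_conf->max_spaces)) { ... }`. Otherwise a comment stating that the parse position intentionally depends on the alert configuration is needed, since the 1547 hunk always takes the count. The `hdrs_args.hdr_ptr` / `hdrs_args.hdr_field_ptr` assignments added in the 1858 hunk repeat the ones in the 1765 hunk with the same values; one pair can go. In the 1868 hunk `uri_end` now points one past the '\n' rather than at it, which changes `header_raw_size` by one for callers and is worth a line in the description. hi_client_extract_header begins and ends outside these hunks.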
@@ -1920,24 +2489,31 @@ Client->request.cookie.next = NULL;\ } while(0); +#define CLR_METHOD(Client) \ + do { \ + Client->request.method_raw = NULL;\ + Client->request.method_size = 0; \ + Client->request.method = 0 ;\ + } while(0); + /* ** NAME ** StatelessInspection:: */ /** ** Find the URI and determine whether the URI needs to be normalized. -** +** ** This is a big step in stateless inspection, because we need to reliably ** find the URI and when possible filter out non-URIs. We do this using a ** simple state machine that is based on characters found in the data ** buffer. -** +** ** Another important aspect of the stateless inspection is the ability to ** track and inspect pipelined requests. It is VERY IMPORTANT to reset the ** pipeline_req pointer, since we don't memset the whole structure. This ** pointer is reset in the hi_si_session_inspection() function. Check there ** for more details. -** +** ** Normalization is detected when we are looking at the packet for the URI. ** We look for the following issues: ** - //// 
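Review bot: The new `CLR_METHOD` macro ends with `} while(0);`, and that trailing semicolon defeats the `do { } while(0)` idiom: `if (cond) CLR_METHOD(Client); else ...` becomes a syntax error because the expansion already carries the statement terminator. It matches the `CLR_POST` definition visible just above, so end all of the CLR_* macros with `} while(0)` and let call sites supply the semicolon. A one-line comment above the group (`/* reset the parsed request fields; used when a parse is abandoned */`) would tell a reader why separate clear macros exist.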
@@ -1951,25 +2527,26 @@ ** pointer, then the normalization pointer is reset and we start over. ** Using this method should cut down the memcpy()s per URI, since most ** URIs are not normalized. -** +** ** If this function returns HI_NONFATAL_ERR, we return out of mode_inspection ** with an error and abort HttpInspect processing, and continue on with ** any other processing we do. The Session parameters that we use here are ** reset in the next time that we do session_inspection, so we don't do ** any initialization here. -** +** ** @param Session pointer to the HTTP session ** @param data pointer to the start of the packet payload ** @param dsize size of the payload -** +** ** @return integer -** +** ** @retval HI_INVALID_ARG invalid argument ** @retval HI_NONFATAL_ERR no URI detected ** @retval HI_SUCCESS URI detected and Session pointers updated */ -static int StatelessInspection(HI_SESSION *Session, const unsigned char *data, - int dsize) + +int StatelessInspection(HI_SESSION *Session, const unsigned char *data, + int dsize, HttpSessionData *hsd, int stream_ins) { HTTPINSPECT_CONF *ServerConf; HTTPINSPECT_CONF *ClientConf; @@ -1978,12 +2555,13 @@ URI_PTR uri_ptr; URI_PTR post_ptr; HEADER_PTR header_ptr; + HTTP_CMD_CONF *CmdConf = NULL; const u_char *start; const u_char *end; const u_char *ptr, *mthd; const u_char *method_end = NULL; int method_len; - int iRet; + int iRet=0; int len; char non_ascii_mthd = 0; char sans_uri = 0; @@ -2054,7 +2632,7 @@ } } } - + break; } 
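Review bot: In the 1951 hunk `StatelessInspection` drops `static` and gains `hsd`/`stream_ins` parameters, but no prototype is visible in this chunk; confirm the header declares the new signature, as an exported function without one is the usual sign that a symbol leaked out rather than being a deliberate entry point. If it is now public, the Doxygen block above it should also carry `@param hsd` and `@param stream_ins`, since the other parameters are documented there. The `int iRet=0;` change in the 1978 hunk appears necessary because the `iRet == URI_END` test later in the function can now be reached on the `sans_uri` path without `iRet` having been assigned; a short comment on that line would record why the initialiser was added.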
@@ -2091,10 +2669,10 @@ } method_len = method_ptr.uri_end - method_ptr.uri; - /* Need slightly special handling for POST requests + /* Need slightly special handling for POST requests * Since we don't normalize on the request method itself, * just do a strcmp here and skip the characters below. */ - if(method_len == 4 && !strncasecmp("POST", (const char *)method_ptr.uri, 4)) + if(method_len == 4 && !strncasecmp("POST", (const char *)method_ptr.uri, 4)) { hi_stats.post++; Client->request.method = HI_POST_METHOD; @@ -2104,38 +2682,22 @@ hi_stats.get++; Client->request.method = HI_GET_METHOD; } - else + else if(method_len > 0 && method_len <= MAX_METHOD_LEN ) { - Client->request.method = HI_UNKNOWN_METHOD; - } + CmdConf = http_cmd_lookup_find(ServerConf->cmd_lookup, (const char *)method_ptr.uri, + method_len, &iRet); - if (Client->request.method == HI_UNKNOWN_METHOD) - { - if (IsHttpVersion(&ptr, end)) + if(iRet == -1 || (CmdConf == NULL)) { sans_uri = 1; - iRet = URI_END; - method_ptr.uri = method_ptr.uri_end = NULL; - } - else if (method_len == len) - { - sans_uri = 1; - iRet = URI_END; - method_ptr.uri = method_ptr.uri_end = NULL; - } - else if (SnortStrnPbrk((const char *)method_ptr.uri, method_len, "()<>@,;:\\\"/[]?={} \t") != NULL) - { - /* Look for the seperator charactors as part of the method */ - sans_uri = 1; - iRet = URI_END; - method_ptr.uri = method_ptr.uri_end = NULL; - } - else if (non_ascii_mthd == 1) - { - sans_uri = 1; - iRet = URI_END; - method_ptr.uri = method_ptr.uri_end = NULL; + Client->request.method = HI_UNKNOWN_METHOD; } + + } + else + { + sans_uri = 1; + Client->request.method = HI_UNKNOWN_METHOD; } if (!sans_uri ) @@ -2146,7 +2708,7 @@ /* This will set up the URI pointers - effectively extracting * the URI. */ iRet = hi_client_extract_uri( - Session, ServerConf, Client, start, end, ptr, &uri_ptr); + Session, ServerConf, Client, start, end, ptr, &uri_ptr, hsd, stream_ins); } /* Check if the URI exceeds the max header field length */ 
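Review bot: In the 2104 hunk the lookup-success path (`CmdConf != NULL` and `iRet != -1`) never assigns `Client->request.method`, so the field keeps whatever it held before this chain; unless it is initialised to a known-method value earlier in StatelessInspection (outside the hunk), a request whose method is in `cmd_lookup` could carry a stale value from a previous request in the same `Client` structure, and an explicit assignment in that branch makes the state independent of the caller. The removed branches also dropped the only visible read of `non_ascii_mthd` (still declared in the 1978 hunk); if the scan loop still sets it, either the lookup now rejects such methods and the flag is dead, or non-ASCII bytes in a method are now accepted — worth confirming which and removing the flag if dead. `CmdConf` is only compared against NULL, so the local could be dropped in favour of the boolean result.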
@@ -2159,8 +2721,9 @@ hi_eo_client_event_log(Session, HI_EO_CLIENT_LONG_HDR, NULL, NULL); } - if(iRet == URI_END && - (Client->request.method & (HI_POST_METHOD | HI_GET_METHOD))) + if(iRet == URI_END && + !(ServerConf->uri_only) && + !(Client->request.method & HI_UNKNOWN_METHOD)) { Client->request.method_raw = method_ptr.uri; Client->request.method_size = method_ptr.uri_end - method_ptr.uri; @@ -2170,32 +2733,34 @@ // // uri_ptr.end points to end of URI & HTTP version identifier. if (hi_util_in_bounds(start, end, uri_ptr.uri_end + 1)) - ptr = hi_client_extract_header(Session, ServerConf, Client, &header_ptr, uri_ptr.uri_end+1, end); + ptr = hi_client_extract_header(Session, ServerConf, &header_ptr, uri_ptr.uri_end+1, end, hsd, stream_ins); if (header_ptr.header.uri) { Client->request.header_raw = header_ptr.header.uri; Client->request.header_raw_size = header_ptr.header.uri_end - header_ptr.header.uri; - if ((int)Client->request.header_raw_size <= 0) + if(!Client->request.header_raw_size) { CLR_HEADER(Client); } else { - hi_stats.headers++; - Client->request.header_norm = header_ptr.header.norm; + hi_stats.req_headers++; + Client->request.header_norm = header_ptr.header.uri; if (header_ptr.cookie.cookie) { - hi_stats.cookies++; + hi_stats.req_cookies++; Client->request.cookie.cookie = header_ptr.cookie.cookie; Client->request.cookie.cookie_end = header_ptr.cookie.cookie_end; Client->request.cookie.next = header_ptr.cookie.next; + Client->request.cookie_norm = header_ptr.cookie.cookie; } else { Client->request.cookie.cookie = NULL; Client->request.cookie.cookie_end = NULL; Client->request.cookie.next = NULL; + Client->request.cookie_norm = NULL; } } } 
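Review bot: In the 2170 hunk `if(!Client->request.header_raw_size)` replaces `if ((int)Client->request.header_raw_size <= 0)`; since `header_raw_size` is computed as `uri_end - uri`, a `uri_end` that lands before `uri` now yields a very large unsigned size that passes the check instead of being cleared. The extractors set `uri_end` to `p` or `end` and the 1765 hunk sets `uri` to `start`, so the ordering probably holds today, but the old test was the cheap guard against a future extractor bug; `if (header_ptr.header.uri_end <= header_ptr.header.uri)` keeps that guard without the signed cast. The new `cookie_norm = header_ptr.cookie.cookie` assignment aliases the raw cookie pointer under a `_norm` name, as `header_norm = header_ptr.header.uri` now does for the header; a comment that normalization replaces these later would avoid the obvious misreading.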
@@ -2204,18 +2769,20 @@ CLR_HEADER(Client); } - /* Need to skip over header and get to the body. - * The unaptly named FindPipelineReq will do that. */ - ptr = FindPipelineReq(Session, uri_ptr.delimiter, end); - //ptr = FindPipelineReq(Session, ptr, end); - if(ptr) - { - if (header_ptr.content_len.cont_len_start) + /* Got a Content-Length or it's a POST request which may be chunked */ + if (header_ptr.content_len.cont_len_start || header_ptr.is_chunked) + { + /* Need to skip over header and get to the body. + * The unaptly named FindPipelineReq will do that. */ + ptr = FindPipelineReq(Session, uri_ptr.delimiter, end); + //ptr = FindPipelineReq(Session, ptr, end); + if(ptr) { post_ptr.uri = ptr; post_ptr.uri_end = end; if((POST_END == hi_client_extract_post( - Session, ServerConf, ptr, end, &post_ptr, header_ptr.content_len.len ))) + Session, ServerConf, ptr, end, &post_ptr, + header_ptr.content_len.len, header_ptr.is_chunked, hsd ))) { hi_stats.post_params++; Client->request.post_raw = post_ptr.uri; 
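Review bot: The new guard `if (header_ptr.content_len.cont_len_start || header_ptr.is_chunked)` enters the body path on `cont_len_start` alone, but the 1676 hunk leaves `cont_len_start` non-NULL while forcing `len = 0` when the value overflowed or failed to parse, so an unparsable Content-Length still reaches `hi_client_extract_post` with a length of 0 rather than being treated as absent. Either clear `cont_len_start` together with `len` on that failure, or test `header_ptr.content_len.len || header_ptr.is_chunked` here, and document which the callee expects. The comment above the guard says "it's a POST request which may be chunked", but `is_chunked` is set from the Transfer-Encoding header regardless of method; `/* body present: Content-Length given, or Transfer-Encoding: chunked */` describes what the condition actually tests. StatelessInspection begins and ends outside this hunk.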
@@ -2230,95 +2797,69 @@ if ( ptr < end ) Client->request.pipeline_req = ptr; - } - else - { - uint8_t *tmp = memchr(ptr, (int)' ', end - ptr); - if(tmp && ( (tmp - (uint8_t*)ptr) < 8 )) + if(Client->request.post_raw && (ServerConf->post_depth > -1)) { - Client->request.pipeline_req = ptr; - CLR_POST(Client); + if(ServerConf->post_depth && ((int)Client->request.post_raw_size > ServerConf->post_depth)) + { + Client->request.post_raw_size = ServerConf->post_depth; + } } else { - post_ptr.uri = ptr; - post_ptr.uri_end = end; - - if((POST_END == hi_client_extract_post( - Session, ServerConf, ptr, end, &post_ptr, -1))) - { - hi_stats.post_params++; - Client->request.post_raw = post_ptr.uri; - Client->request.post_raw_size = post_ptr.uri_end - post_ptr.uri; - Client->request.post_norm = post_ptr.norm; - } - else - { - CLR_POST(Client); - } + CLR_POST(Client); } } + else + { + CLR_POST(Client); + ptr = uri_ptr.delimiter; + } } - else + else { - CLR_POST(Client); ptr = uri_ptr.delimiter; } } - else + else { + CLR_HEADER(Client); CLR_POST(Client); - if (method_ptr.uri) + if (!(Client->request.method & HI_UNKNOWN_METHOD) && method_ptr.uri) { Client->request.method_raw = method_ptr.uri; Client->request.method_size = method_ptr.uri_end - method_ptr.uri; } + else + { + CLR_METHOD(Client); + return HI_NONFATAL_ERR; + } ptr = uri_ptr.delimiter; } /* - ** If there is a pipelined request in this packet, we should always - ** see the first space followed by text (which is the URI). Without - ** that first space, then we never get to the URI, so we should just - ** return, since there is nothing else to inspect. - */ - if(Client->request.pipeline_req) + ** Find the next pipeline request, if one is there. If we don't find + ** a pipeline request, then we return NULL here, so this is always + ** set to the correct value. 
+ */ + if(!ServerConf->no_pipeline) { - if(uri_ptr.uri != uri_ptr.first_sp_end) + if(post_ptr.uri) { - if(Session->server_conf->chunk_length) - CheckChunkEncoding(Session, start, end, NULL); - - return HI_NONFATAL_ERR; + Client->request.pipeline_req = + FindPipelineReq(Session, post_ptr.delimiter, end); } - } - else - { - /* - ** Find the next pipeline request, if one is there. If we don't find - ** a pipeline request, then we return NULL here, so this is always - ** set to the correct value. - */ - if(!ServerConf->no_pipeline) + else if(!Client->request.pipeline_req && uri_ptr.uri) { - if(post_ptr.uri) - { - Client->request.pipeline_req = - FindPipelineReq(Session, post_ptr.delimiter, end); - } - else if(!Client->request.pipeline_req && uri_ptr.uri) - { - Client->request.pipeline_req = - FindPipelineReq(Session, ptr, end); - } - } - else - { - Client->request.pipeline_req = NULL; + Client->request.pipeline_req = + FindPipelineReq(Session, ptr, end); } } - + else + { + Client->request.pipeline_req = NULL; + } /* ** We set the HI_CLIENT variables from the URI_PTR structure. We also @@ -2329,7 +2870,6 @@ { return iRet; } - /* ** One last check for an oversize directory. This gets the long ** directory when there is a beginning slash and no other slashes @@ -2354,7 +2894,7 @@ { if(hi_eo_generate_event(Session, HI_EO_CLIENT_PROXY_USE)) { - hi_eo_client_event_log(Session, HI_EO_CLIENT_PROXY_USE, + hi_eo_client_event_log(Session, HI_EO_CLIENT_PROXY_USE, NULL, NULL); } } @@ -2362,7 +2902,7 @@ return HI_SUCCESS; } -int hi_client_inspection(void *S, const unsigned char *data, int dsize) +int hi_client_inspection(void *S, const unsigned char *data, int dsize, HttpSessionData *hsd, int stream_ins) { HTTPINSPECT_GLOBAL_CONF *GlobalConf; HI_SESSION *Session; @@ -2399,7 +2939,7 @@ /* ** Otherwise we assume stateless inspection */ - iRet = StatelessInspection(Session, data, dsize); + iRet = StatelessInspection(Session, data, dsize, hsd, stream_ins); if (iRet) { return iRet; 
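Review bot: In the 2230 hunk the pipeline block reads `post_ptr.uri`, but `post_ptr` is only assigned inside the Content-Length/chunked branch of the 2204 hunk and its declaration `URI_PTR post_ptr;` (1978 hunk) carries no initialiser; unless the function zeroes it earlier (outside these hunks), a request without a body reaches `if(post_ptr.uri)` with an indeterminate value, and a `memset(&post_ptr, 0, sizeof post_ptr);` next to the declaration removes the doubt. The `(int)Client->request.post_raw_size > ServerConf->post_depth` truncation is the right defensive default, but the cast hides a size-type mismatch and a size above INT_MAX would compare negative and escape the cap; compare in the field's own type once `post_depth > 0` is known. The new early `return HI_NONFATAL_ERR` for an unknown method leaves `Client->request.pipeline_req` at whatever it held, which the comment block in the 1951 hunk says is reset in hi_si_session_inspection — a one-line comment at the return naming that dependency would help. StatelessInspection begins before these hunks.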
@@ -2416,17 +2956,16 @@ /** ** Initializes arrays and search algorithms depending on the type of ** inspection that we are doing. -** +** ** @param GlobalConf pointer to the global configuration -** +** ** @return integer -** +** ** @retval HI_SUCCESS function successful. */ int hi_client_init(HTTPINSPECT_GLOBAL_CONF *GlobalConf) { int iCtr; - int iNum; if(GlobalConf->inspection_type == HI_UI_CONFIG_STATEFUL) { @@ -2437,7 +2976,6 @@ else { memset(lookup_table, 0x00, sizeof(lookup_table)); - memset(hex_lookup, -1, sizeof(hex_lookup)); /* ** Set up the non-ASCII register for processing. @@ -2467,6 +3005,9 @@ */ lookup_table['\\'] = SetBackSlashNorm; + lookup_table['+'] = SetPlusNorm; + + /* ** Look up parameter field, so we don't alert on long directory ** strings, when the next slash in the parameter field. @@ -2478,35 +3019,6 @@ */ lookup_table[':'] = SetProxy; - /* - ** Set up the hex array - */ - iNum = 0; - for(iCtr = 48; iCtr < 58; iCtr++) - { - hex_lookup[iCtr] = iNum; - iNum++; - } - - /* - ** Set the upper case values. - */ - iNum = 10; - for(iCtr = 65; iCtr < 71; iCtr++) - { - hex_lookup[iCtr] = iNum; - iNum++; - } - - /* - ** Set the lower case values. - */ - iNum = 10; - for(iCtr = 97; iCtr < 103; iCtr++) - { - hex_lookup[iCtr] = iNum; - iNum++; - } } return HI_SUCCESS; @@ -2551,12 +3063,12 @@ printf("** error client init\n"); return iRet; } - + SiInput.sip = inet_addr("1.1.1.1"); SiInput.sip = inet_addr("1.1.1.2"); SiInput.dport = 80; SiInput.sport = 7880; - + if((iRet = hi_si_session_inspection(&GlobalConf, &Session, &SiInput, &iInspectMode))) { @@ -2565,7 +3077,7 @@ } printf("** iInspectMode = %d\n", iInspectMode); - if((iRet = hi_mi_mode_inspection(Session, iInspectMode, data, + if((iRet = hi_mi_mode_inspection(Session, iInspectMode, data, strlen(data)))) { printf("** error mode_inspection\n"); 
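Review bot: The 2437 and 2478 hunks remove both the `memset(hex_lookup, -1, ...)` and the loops that populated `hex_lookup` from hi_client_init, while nothing in this chunk shows where the table is built now; if `hex_lookup` is still referenced by the client normalizer, confirm it is initialised before first use elsewhere, because a table read before setup gives wrong percent-decode results without any error. If it moved to a shared initialiser, a one-line comment in hi_client_init (`/* hex_lookup is initialised in <shared init, placeholder> */`) spares the next reader the search. The new `lookup_table['+'] = SetPlusNorm;` entry changes how '+' in a URI is treated for every client-side normalization and deserves a comment naming the configuration option that gates it, as the neighbouring `SetBackSlashNorm` and `SetProxy` entries have.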
@@ -2575,5 +3087,5 @@ return 0; } #endif - - + + diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/client/hi_client_norm.c snort-2.9.2/src/preprocessors/HttpInspect/client/hi_client_norm.c --- snort-2.8.5.2/src/preprocessors/HttpInspect/client/hi_client_norm.c 2009-01-26 18:54:53.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/client/hi_client_norm.c 2011-06-08 00:33:18.000000000 +0000 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,17 +18,17 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** ** @file hi_client_norm.c -** +** ** @author Daniel Roelker -** +** ** @brief HTTP client normalization routines -** -** We deal with the normalization of HTTP client requests headers and +** +** We deal with the normalization of HTTP client requests headers and ** URI. -** +** ** In this file, we handle all the different HTTP request URI evasions. The ** list is: ** - ASCII decoding @@ -39,8 +39,10 @@ ** - Double decoding ** - %U decoding ** - Bare Byte Unicode decoding +** +** Base 36 is deprecated and essentially a noop ** - Base36 decoding -** +** ** NOTES: ** - Initial development. DJR */ @@ -49,13 +51,16 @@ #include #include +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_norm.h" #include "hi_util.h" #include "hi_return_codes.h" -#include "bounds.h" +#include "snort_bounds.h" -#define MAX_URI 4096 int hi_split_header_cookie(HI_SESSION *Session, u_char *header, int *i_header_len, u_char *cookie_header, int *i_cookie_len, 
@@ -74,7 +79,7 @@ const u_char *cookie_end; if (!cookie || !i_header_len || !i_cookie_len) - return iRet; + return HI_INVALID_ARG; /* Can't use hi_util_in_bounds header because == is okay */ if (cookie->cookie_end > raw_header + i_raw_header_len) @@ -202,6 +207,7 @@ int iHeaderBufSize = MAX_URI; int iCookieBufSize = MAX_URI; int iPostBufSize = MAX_URI; + uint16_t encodeType = 0; if(!Session || !Session->server_conf) { @@ -209,26 +215,33 @@ } ClientReq = &Session->client.request; + ClientReq->uri_encode_type = 0; + ClientReq->header_encode_type = 0; + ClientReq->cookie_encode_type = 0; + ClientReq->post_encode_type = 0; /* Handle URI normalization */ if(ClientReq->uri_norm) { Session->norm_flags &= ~HI_BODY; - iRet = hi_norm_uri(Session, UriBuf, &iUriBufSize, - ClientReq->uri, ClientReq->uri_size); + iRet = hi_norm_uri(Session, UriBuf, &iUriBufSize, + ClientReq->uri, ClientReq->uri_size, &encodeType); if (iRet == HI_NONFATAL_ERR) { /* There was a non-fatal problem normalizing */ ClientReq->uri_norm = NULL; ClientReq->uri_norm_size = 0; + ClientReq->uri_encode_type = 0; } - else + else { - /* Client code is expecting these to be set to non-NULL if + /* Client code is expecting these to be set to non-NULL if * normalization occurred. */ ClientReq->uri_norm = UriBuf; ClientReq->uri_norm_size = iUriBufSize; + ClientReq->uri_encode_type = encodeType; } + encodeType = 0; } if (ClientReq->cookie.cookie) @@ -240,6 +253,12 @@ RawCookieBuf, &iRawCookieBufSize, ClientReq->header_raw, ClientReq->header_raw_size, &ClientReq->cookie); + if( iRet == HI_SUCCESS ) + { + ClientReq->cookie.cookie = RawCookieBuf; + ClientReq->cookie.cookie_end = RawCookieBuf + iRawCookieBufSize; + + } } else { 
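Review bot: In the 240 hunk, after a successful `hi_split_header_cookie` the code re-points `cookie.cookie`/`cookie.cookie_end` into `RawCookieBuf`, but `cookie.next` is left untouched, so anything that later walks the cookie chain mixes a pointer into the rebuilt buffer with one into the original header. If `next` is no longer meaningful once the cookies have been merged into `RawCookieBuf`, add `ClientReq->cookie.next = NULL;` here; if it is still used, say so in a comment. The 74 hunk's `return HI_INVALID_ARG;` is the right fix — the old `return iRet;` returned whatever `iRet` held for a NULL argument — and a `@retval HI_INVALID_ARG` line in hi_split_header_cookie's doc comment (above this hunk) would record it. The function containing the 202–240 hunks begins outside them.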
@@ -260,80 +279,91 @@ if(ClientReq->header_norm && Session->server_conf->normalize_headers) { Session->norm_flags &= ~HI_BODY; - iRet = hi_norm_uri(Session, HeaderBuf, &iHeaderBufSize, - RawHeaderBuf, iRawHeaderBufSize); + iRet = hi_norm_uri(Session, HeaderBuf, &iHeaderBufSize, + RawHeaderBuf, iRawHeaderBufSize, &encodeType); if (iRet == HI_NONFATAL_ERR) { /* There was a non-fatal problem normalizing */ ClientReq->header_norm = NULL; ClientReq->header_norm_size = 0; + ClientReq->header_encode_type = 0; } - else + else { - /* Client code is expecting these to be set to non-NULL if + /* Client code is expecting these to be set to non-NULL if * normalization occurred. */ ClientReq->header_norm = HeaderBuf; ClientReq->header_norm_size = iHeaderBufSize; + ClientReq->header_encode_type = encodeType; } + encodeType = 0; } else { - /* Client code is expecting these to be set to non-NULL if + /* Client code is expecting these to be set to non-NULL if * normalization occurred. */ if (iRawHeaderBufSize) { ClientReq->header_norm = RawHeaderBuf; ClientReq->header_norm_size = iRawHeaderBufSize; + ClientReq->header_encode_type = 0; } } - if(ClientReq->header_norm && Session->server_conf->normalize_cookies) + if(ClientReq->cookie.cookie && Session->server_conf->normalize_cookies) { Session->norm_flags &= ~HI_BODY; - iRet = hi_norm_uri(Session, CookieBuf, &iCookieBufSize, - RawCookieBuf, iRawCookieBufSize); + iRet = hi_norm_uri(Session, CookieBuf, &iCookieBufSize, + RawCookieBuf, iRawCookieBufSize, &encodeType); if (iRet == HI_NONFATAL_ERR) { /* There was a non-fatal problem normalizing */ ClientReq->cookie_norm = NULL; ClientReq->cookie_norm_size = 0; + ClientReq->cookie_encode_type = 0; } - else + else { - /* Client code is expecting these to be set to non-NULL if + /* Client code is expecting these to be set to non-NULL if * normalization occurred. 
*/ ClientReq->cookie_norm = CookieBuf; ClientReq->cookie_norm_size = iCookieBufSize; + ClientReq->cookie_encode_type = encodeType; } + encodeType = 0; } else { - /* Client code is expecting these to be set to non-NULL if + /* Client code is expecting these to be set to non-NULL if * normalization occurred. */ if (iRawCookieBufSize) { ClientReq->cookie_norm = RawCookieBuf; ClientReq->cookie_norm_size = iRawCookieBufSize; + ClientReq->cookie_encode_type = 0; } } - /* Handle normalization of post methods. + /* Handle normalization of post methods. * Note: posts go into a different buffer. */ if(ClientReq->post_norm) { Session->norm_flags |= HI_BODY; - iRet = hi_norm_uri(Session, PostBuf, &iPostBufSize, - ClientReq->post_raw, ClientReq->post_raw_size); + iRet = hi_norm_uri(Session, PostBuf, &iPostBufSize, + ClientReq->post_raw, ClientReq->post_raw_size, &encodeType); if (iRet == HI_NONFATAL_ERR) { ClientReq->post_norm = NULL; ClientReq->post_norm_size = 0; + ClientReq->post_encode_type = 0; } - else + else { ClientReq->post_norm = PostBuf; ClientReq->post_norm_size = iPostBufSize; + ClientReq->post_encode_type = encodeType; } + encodeType = 0; } /* diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/client/Makefile.in snort-2.9.2/src/preprocessors/HttpInspect/client/Makefile.in --- snort-2.8.5.2/src/preprocessors/HttpInspect/client/Makefile.in 2009-10-19 21:18:01.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/client/Makefile.in 2011-12-07 19:23:21.000000000 +0000 
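Review bot: The cookie branch in the 260 hunk is now keyed on `ClientReq->cookie.cookie` but normalizes `RawCookieBuf`/`iRawCookieBufSize`, which the 240 hunk fills only when `hi_split_header_cookie` returned HI_SUCCESS; on any other result `cookie.cookie` still holds the original header pointer, so `hi_norm_uri` runs over a buffer whose contents and length are whatever the split left behind. Guarding on the split result, or on `iRawCookieBufSize != 0` as the non-normalizing `else` already does, keeps the two paths consistent. Each `hi_norm_uri` call treats every return other than `HI_NONFATAL_ERR` as success and publishes the buffer with `*_encode_type = encodeType`; if `hi_norm_uri` can return other error codes, the `else` should test `iRet == HI_SUCCESS` explicitly. The function containing this hunk begins in the 202 hunk and ends outside it.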
@@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -16,8 +17,9 @@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c @@ -42,6 +44,7 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = LIBRARIES = $(noinst_LIBRARIES) ARFLAGS = cru libhi_client_a_AR = $(AR) $(ARFLAGS) @@ -49,7 +52,7 @@ am_libhi_client_a_OBJECTS = hi_client.$(OBJEXT) \ hi_client_norm.$(OBJEXT) libhi_client_a_OBJECTS = $(am_libhi_client_a_OBJECTS) -DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = am__depfiles_maybe = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ 
@@ -75,31 +78,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ @@ -112,12 +115,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -125,20 +134,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -170,6 +186,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -182,6 +199,7 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies 
@@ -198,14 +216,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/client/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/client/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/client/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/client/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -223,6 +241,7 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): clean-noinstLIBRARIES: -test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES) 
@@ -257,45 +276,49 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i 
$(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags @@ -316,13 +339,17 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @@ -350,6 +377,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -370,6 +398,8 @@ html: html-am +html-am: + info: info-am info-am: @@ -378,18 +408,28 @@ install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am 
@@ -426,6 +466,7 @@ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ pdf pdf-am ps ps-am tags uninstall uninstall-am + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/event_output/hi_eo_log.c snort-2.9.2/src/preprocessors/HttpInspect/event_output/hi_eo_log.c --- snort-2.8.5.2/src/preprocessors/HttpInspect/event_output/hi_eo_log.c 2009-12-15 23:27:54.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/event_output/hi_eo_log.c 2011-10-26 18:28:52.000000000 +0000 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,19 +18,19 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** ** @file hi_eo_log.c ** ** @author Daniel Roelker ** -** @brief This file contains the event output functionality that +** @brief This file contains the event output functionality that ** HttpInspect uses to log events and data associated with ** the events. ** ** Log events, retrieve events, and select events that HttpInspect ** generates. -** +** ** Logging Events: ** Since the object behind this is no memset()s, we have to rely on the ** stack interface to make sure we don't log the same event twice. So @@ -44,6 +44,10 @@ */ #include +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_si.h" #include "hi_eo.h" #include "hi_util_xmalloc.h" 
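Review bot: In the hi_eo_log.c hunk at @@ -44,6 the new `#ifdef HAVE_CONFIG_H` / `#include "config.h"` / `#endif` block is added after the system `#include` that precedes it, so anything config.h defines (feature-test macros in particular) is not yet in effect while that header is parsed. The safe convention for a configure-generated header is to include it before any other include; moving the three added lines above the existing system include achieves that without other changes. The include list continues outside the hunk, so the placement relative to the later project headers cannot be checked here.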
@@ -54,7 +58,7 @@ ** Any time that a new client event is added, we have to ** add the event id and the priority here. If you want to ** change either of those characteristics, you have to change -** them here. +** them here. */ static HI_EVENT_INFO client_event_info[HI_EO_CLIENT_EVENT_NUM] = { { HI_EO_CLIENT_ASCII, HI_EO_LOW_PRIORITY, HI_EO_CLIENT_ASCII_STR }, @@ -62,13 +66,14 @@ HI_EO_CLIENT_DOUBLE_DECODE_STR }, { HI_EO_CLIENT_U_ENCODE, HI_EO_MED_PRIORITY, HI_EO_CLIENT_U_ENCODE_STR }, { HI_EO_CLIENT_BARE_BYTE, HI_EO_HIGH_PRIORITY, HI_EO_CLIENT_BARE_BYTE_STR}, + /* Base36 is deprecated - leave here so events keep the same number */ { HI_EO_CLIENT_BASE36, HI_EO_HIGH_PRIORITY, HI_EO_CLIENT_BASE36_STR }, { HI_EO_CLIENT_UTF_8, HI_EO_LOW_PRIORITY, HI_EO_CLIENT_UTF_8_STR }, - { HI_EO_CLIENT_IIS_UNICODE, HI_EO_LOW_PRIORITY, + { HI_EO_CLIENT_IIS_UNICODE, HI_EO_LOW_PRIORITY, HI_EO_CLIENT_IIS_UNICODE_STR }, { HI_EO_CLIENT_MULTI_SLASH, HI_EO_MED_PRIORITY, HI_EO_CLIENT_MULTI_SLASH_STR }, - { HI_EO_CLIENT_IIS_BACKSLASH, HI_EO_MED_PRIORITY, + { HI_EO_CLIENT_IIS_BACKSLASH, HI_EO_MED_PRIORITY, HI_EO_CLIENT_IIS_BACKSLASH_STR }, { HI_EO_CLIENT_SELF_DIR_TRAV, HI_EO_HIGH_PRIORITY, HI_EO_CLIENT_SELF_DIR_TRAV_STR }, 
@@ -91,11 +96,49 @@ {HI_EO_CLIENT_MAX_HEADERS, HI_EO_LOW_PRIORITY, HI_EO_CLIENT_MAX_HEADERS_STR}, {HI_EO_CLIENT_MULTIPLE_CONTLEN, HI_EO_HIGH_PRIORITY, - HI_EO_CLIENT_MULTIPLE_CONTLEN_STR} + HI_EO_CLIENT_MULTIPLE_CONTLEN_STR}, + {HI_EO_CLIENT_CHUNK_SIZE_MISMATCH, HI_EO_HIGH_PRIORITY, + HI_EO_CLIENT_CHUNK_SIZE_MISMATCH_STR}, + {HI_EO_CLIENT_INVALID_TRUEIP, HI_EO_LOW_PRIORITY, + HI_EO_CLIENT_INVALID_TRUEIP_STR}, + {HI_EO_CLIENT_MULTIPLE_HOST_HDRS, HI_EO_LOW_PRIORITY, + HI_EO_CLIENT_MULTIPLE_HOST_HDRS_STR}, + {HI_EO_CLIENT_LONG_HOSTNAME, HI_EO_LOW_PRIORITY, + HI_EO_CLIENT_LONG_HOSTNAME_STR}, + {HI_EO_CLIENT_EXCEEDS_SPACES, HI_EO_LOW_PRIORITY, + HI_EO_CLIENT_EXCEEDS_SPACES_STR}, + {HI_EO_CLIENT_CONSECUTIVE_SMALL_CHUNKS, HI_EO_MED_PRIORITY, + HI_EO_CLIENT_CONSECUTIVE_SMALL_CHUNKS_STR}, + {HI_EO_CLIENT_UNBOUNDED_POST, HI_EO_MED_PRIORITY, + HI_EO_CLIENT_UNBOUNDED_POST_STR}, + {HI_EO_CLIENT_MULTIPLE_TRUEIP_IN_SESSION, HI_EO_MED_PRIORITY, + HI_EO_CLIENT_MULTIPLE_TRUEIP_IN_SESSION_STR}, + {HI_EO_CLIENT_BOTH_TRUEIP_XFF_HDRS, HI_EO_LOW_PRIORITY, + HI_EO_CLIENT_BOTH_TRUEIP_XFF_HDRS_STR} }; -static HI_EVENT_INFO anom_server_event_info[HI_EO_ANOM_SERVER_EVENT_NUM] = { - {HI_EO_ANOM_SERVER, HI_EO_HIGH_PRIORITY, HI_EO_ANOM_SERVER_STR } +static HI_EVENT_INFO server_event_info[HI_EO_SERVER_EVENT_NUM] = { + {HI_EO_ANOM_SERVER, HI_EO_HIGH_PRIORITY, HI_EO_ANOM_SERVER_STR }, + {HI_EO_SERVER_INVALID_STATCODE, HI_EO_MED_PRIORITY, + HI_EO_SERVER_INVALID_STATCODE_STR}, + {HI_EO_SERVER_NO_CONTLEN, HI_EO_MED_PRIORITY, + HI_EO_SERVER_NO_CONTLEN_STR}, + {HI_EO_SERVER_UTF_NORM_FAIL, HI_EO_MED_PRIORITY, + HI_EO_SERVER_UTF_NORM_FAIL_STR}, + {HI_EO_SERVER_UTF7, HI_EO_MED_PRIORITY, + HI_EO_SERVER_UTF7_STR}, + {HI_EO_SERVER_DECOMPR_FAILED, HI_EO_MED_PRIORITY, + HI_EO_SERVER_DECOMPR_FAILED_STR}, + {HI_EO_SERVER_CONSECUTIVE_SMALL_CHUNKS, HI_EO_MED_PRIORITY, + HI_EO_SERVER_CONSECUTIVE_SMALL_CHUNKS_STR}, + {HI_EO_CLISRV_MSG_SIZE_EXCEPTION, HI_EO_MED_PRIORITY, + HI_EO_CLISRV_MSG_SIZE_EXCEPTION_STR}, + 
{HI_EO_SERVER_JS_OBFUSCATION_EXCD, HI_EO_MED_PRIORITY, + HI_EO_SERVER_JS_OBFUSCATION_EXCD_STR}, + {HI_EO_SERVER_JS_EXCESS_WS, HI_EO_MED_PRIORITY, + HI_EO_SERVER_JS_EXCESS_WS_STR}, + {HI_EO_SERVER_MIXED_ENCODINGS, HI_EO_MED_PRIORITY, + HI_EO_SERVER_MIXED_ENCODINGS_STR} }; /* @@ -103,7 +146,7 @@ */ /** ** This routine logs anomalous server events to the event queue. -** +** ** @param Session pointer to the HttpInspect session ** @param iEvent the event id for the client ** @param data pointer to the user data of the event @@ -124,16 +167,16 @@ /* ** Check the input variables for correctness */ - if(!Session || (iEvent >= HI_EO_ANOM_SERVER_EVENT_NUM)) + if(!Session || (iEvent >= HI_EO_SERVER_EVENT_NUM)) { return HI_INVALID_ARG; } anom_server_events = &(Session->anom_server.event_list); - /* this won't happen since iEvent < HI_EO_ANOM_SERVER_EVENT_NUM and - * stack_count can at most equal HI_EO_ANOM_SERVER_EVENT_NUM */ - if (anom_server_events->stack_count > HI_EO_ANOM_SERVER_EVENT_NUM) + /* this won't happen since iEvent < HI_EO_SERVER_EVENT_NUM and + * stack_count can at most equal HI_EO_SERVER_EVENT_NUM */ + if (anom_server_events->stack_count > HI_EO_SERVER_EVENT_NUM) return HI_INVALID_ARG; /* @@ -154,14 +197,14 @@ /* this won't happen since iEvent will have been found above * before this happens */ - if (anom_server_events->stack_count >= HI_EO_ANOM_SERVER_EVENT_NUM) + if (anom_server_events->stack_count >= HI_EO_SERVER_EVENT_NUM) return HI_INVALID_ARG; /* ** Initialize the event before putting it in the queue. */ event = &(anom_server_events->events[iEvent]); - event->event_info = &anom_server_event_info[iEvent]; + event->event_info = &server_event_info[iEvent]; event->count = 1; event->data = data; event->free_data = free_data; 
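Review bot: The rows of `server_event_info` and of the extended `client_event_info` are selected by numeric event id (`&server_event_info[iEvent]` in the logging functions later in this file), so the row order must follow the values of the `HI_EO_*` ids in hi_eo_events.h and the row count must equal `HI_EO_SERVER_EVENT_NUM` / `HI_EO_CLIENT_EVENT_NUM`; nothing in the hunk checks that, and because the arrays are static a missing row silently becomes an all-zero entry whose string pointer is NULL. The first field of each row repeats the id but is never compared with the row's index. I would put `/* Indexed by event id: row order must follow the HI_EO_* values in hi_eo_events.h and the row count must equal the *_EVENT_NUM bound */` above each table, and, since the Base36 placeholder row already relies on this invariant, consider a one-time init check that each row's id equals its index if HI_EVENT_INFO exposes the id.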
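Review bot: In the hunk at @@ -124,16 the rewritten check `if(!Session || (iEvent >= HI_EO_SERVER_EVENT_NUM))` still has no lower bound, yet `iEvent` (presumably a signed `int`, as in the new `hi_eo_server_event_log`) is later used as an index in `event = &(anom_server_events->events[iEvent]);` and written through, so a negative value passes the check and accesses memory before the array. The line should read `if(!Session || (iEvent < 0) || (iEvent >= HI_EO_SERVER_EVENT_NUM))`; the same applies to the new `hi_eo_server_event_log` in the hunk at @@ -250,3, which copies this condition verbatim. The bound also moves from `HI_EO_ANOM_SERVER_EVENT_NUM` to the larger `HI_EO_SERVER_EVENT_NUM` while the array still comes from `Session->anom_server.event_list`; whether that array was resized to match is not visible in this diff and is worth confirming. The enclosing function starts outside the hunk.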
@@ -186,7 +229,7 @@ ** performance. We accomplish this utilizing an optimized stack as an ** index into the client event array, instead of walking a list for ** already logged events. The problem here is that we can't just log -** every event that we've already seen, because this opens us up to a +** every event that we've already seen, because this opens us up to a ** DOS. So by using this method, we can quickly check if an event ** has already been logged and deal appropriately. ** 
@@ -250,3 +293,79 @@ return HI_SUCCESS; } + +/* +** NAME +** hi_eo_server_event_log:: +*/ +/** +** This function logs server events during HttpInspect processing. +** +** The idea behind this event logging is modularity, but at the same time +** performance. We accomplish this utilizing an optimized stack as an +** index into the server event array, instead of walking a list for +** already logged events. The problem here is that we can't just log +** every event that we've already seen, because this opens us up to a +** DOS. So by using this method, we can quickly check if an event +** has already been logged and deal appropriately. +** +** @param Session pointer to the HttpInspect session +** @param iEvent the event id for the server +** @param data pointer to the user data of the event +** @param free_data pointer to a function to free the user data +** +** @return integer +** +** @retval HI_SUCCESS function successful +** @retval HI_INVALID_ARG invalid arguments +*/ +int hi_eo_server_event_log(HI_SESSION *Session, int iEvent, void *data, + void (*free_data)(void *)) +{ + HI_SERVER_EVENTS *server_events; + HI_EVENT *event; + int iCtr; + + /* + ** Check the input variables for correctness + */ + if(!Session || (iEvent >= HI_EO_SERVER_EVENT_NUM)) + { + return HI_INVALID_ARG; + } + + server_events = &(Session->server.event_list); + + /* + ** This is where we cycle through the current event stack. If the event + ** to be logged is already in the queue, then we increment the event + ** count, before returning. Otherwise, we fall through the loop and + ** set the event before adding it to the queue and incrementing the + ** pointer. + */ + for(iCtr = 0; iCtr < server_events->stack_count; iCtr++) + { + if(server_events->stack[iCtr] == iEvent) + { + server_events->events[iEvent].count++; + return HI_SUCCESS; + } + } + + /* + ** Initialize the event before putting it in the queue. 
+ */ + event = &(server_events->events[iEvent]); + event->event_info = &server_event_info[iEvent]; + event->count = 1; + event->data = data; + event->free_data = free_data; + + /* + ** We now add the event to the stack. + */ + server_events->stack[server_events->stack_count] = iEvent; + server_events->stack_count++; + + return HI_SUCCESS; +} diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/event_output/Makefile.in snort-2.9.2/src/preprocessors/HttpInspect/event_output/Makefile.in --- snort-2.8.5.2/src/preprocessors/HttpInspect/event_output/Makefile.in 2009-10-19 21:18:01.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/event_output/Makefile.in 2011-12-07 19:23:21.000000000 +0000 @@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -16,8 +17,9 @@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c 
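Review bot: `hi_eo_server_event_log` pushes with `server_events->stack[server_events->stack_count] = iEvent;` without the guard its sibling `hi_eo_anom_server_event_log` keeps just before the same step (`if (anom_server_events->stack_count >= HI_EO_SERVER_EVENT_NUM) return HI_INVALID_ARG;`). The loop above makes the push unreachable only while every stack entry is a distinct valid id, but `stack_count` is read from session state rather than recomputed, so the bound check is what stands between a corrupted count and a write past `stack` (presumably sized `HI_EO_SERVER_EVENT_NUM`, as the sibling's guard implies). Adding `if (server_events->stack_count >= HI_EO_SERVER_EVENT_NUM) return HI_INVALID_ARG;` before the push keeps the two functions consistent at negligible cost.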
@@ -42,13 +44,14 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = LIBRARIES = $(noinst_LIBRARIES) ARFLAGS = cru libhi_eo_a_AR = $(AR) $(ARFLAGS) libhi_eo_a_LIBADD = am_libhi_eo_a_OBJECTS = hi_eo_log.$(OBJEXT) libhi_eo_a_OBJECTS = $(am_libhi_eo_a_OBJECTS) -DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = am__depfiles_maybe = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ @@ -74,31 +77,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ @@ -111,12 +114,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -124,20 +133,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -169,6 +185,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -181,6 +198,7 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies 
@@ -196,14 +214,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/event_output/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/event_output/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/event_output/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/event_output/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -221,6 +239,7 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): clean-noinstLIBRARIES: -test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES) 
@@ -255,45 +274,49 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i 
$(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags @@ -314,13 +337,17 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @@ -348,6 +375,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -368,6 +396,8 @@ html: html-am +html-am: + info: info-am info-am: @@ -376,18 +406,28 @@ install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am 
@@ -424,6 +464,7 @@ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ pdf pdf-am ps ps-am tags uninstall uninstall-am + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_ad.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_ad.h --- snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_ad.h 2009-01-26 16:26:29.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_ad.h 2011-02-09 23:23:31.000000000 +0000 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_client.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_client.h --- snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_client.h 2009-12-15 23:27:54.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_client.h 2011-10-26 18:28:52.000000000 +0000 @@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -30,9 +30,19 @@ #include +#include "snort_httpinspect.h" #include "hi_include.h" #include "hi_eo.h" #include "hi_eo_events.h" +#define URI_END 99 +#define POST_END 100 +#define NO_URI 101 +typedef enum { + TRUE_CLIENT_IP_HDR = 0x01, + XFF_HDR = 0x02, + HDRS_BOTH = 0x03 +} ActionSFCC; + typedef struct s_COOKIE_PTR { 
@@ -41,19 +51,72 @@ struct s_COOKIE_PTR *next; } COOKIE_PTR; + typedef struct s_CONTLEN_PTR { const u_char *cont_len_start; const u_char *cont_len_end; - int len; + uint32_t len; }CONTLEN_PTR; +typedef struct s_CONT_ENCODING_PTR +{ + const u_char *cont_encoding_start; + const u_char *cont_encoding_end; + uint16_t compress_fmt; +}CONT_ENCODING_PTR; + typedef struct s_HEADER_FIELD_PTR { COOKIE_PTR *cookie; CONTLEN_PTR *content_len; + CONT_ENCODING_PTR *content_encoding; } HEADER_FIELD_PTR; +/* These numbers were chosen to avoid conflicting with + * the return codes in hi_return_codes.h */ + +/** + ** This structure holds pointers to the different sections of an HTTP + ** request. We need to track where whitespace begins and ends, so we + ** can evaluate the placement of the URI correctly. + ** + ** For example, + ** + ** GET / HTTP/1.0 + ** ^ ^ + ** start end + ** + ** The end space pointers are set to NULL if there is space until the end + ** of the buffer. + */ + +typedef struct s_URI_PTR +{ + const u_char *uri; /* the beginning of the URI */ + const u_char *uri_end; /* the end of the URI */ + const u_char *norm; /* ptr to first normalization occurence */ + const u_char *ident; /* ptr to beginning of the HTTP identifier */ + const u_char *first_sp_start; /* beginning of first space delimiter */ + const u_char *first_sp_end; /* end of first space delimiter */ + const u_char *second_sp_start; /* beginning of second space delimiter */ + const u_char *second_sp_end; /* end of second space delimiter */ + const u_char *param; /* '?' (beginning of parameter field) */ + const u_char *delimiter; /* HTTP URI delimiter (\r\n\) */ + const u_char *last_dir; /* ptr to last dir, so we catch long dirs */ + const u_char *proxy; /* ptr to the absolute URI */ +} URI_PTR; + +typedef struct s_HEADER_PTR +{ + URI_PTR header; + COOKIE_PTR cookie; + CONTLEN_PTR content_len; + CONT_ENCODING_PTR content_encoding; + bool is_chunked; +} HEADER_PTR; + + typedef struct s_HI_CLIENT_REQ { /* 
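Review bot: The comment `/* These numbers were chosen to avoid conflicting with the return codes in hi_return_codes.h */` lands between `HEADER_FIELD_PTR` and the `URI_PTR` documentation, where there are no numbers; it evidently describes `URI_END` / `POST_END` / `NO_URI` from the previous hunk (@@ -30,9) and should sit directly above those `#define`s. `HEADER_PTR` gains a `bool is_chunked` member; if none of the includes visible at the top of this header bring in `<stdbool.h>`, the declaration depends on a transitive include, which is worth confirming. `CONTLEN_PTR.len` also changes from `int` to `uint32_t`, which silently changes any comparison of `len` against a signed or negative value in code outside this diff.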
@@ -99,6 +162,11 @@ const u_char *pipeline_req; u_char method; + uint16_t uri_encode_type; + uint16_t header_encode_type; + uint16_t cookie_encode_type; + uint16_t post_encode_type; + } HI_CLIENT_REQ; @@ -110,7 +178,17 @@ } HI_CLIENT; -int hi_client_inspection(void *Session, const unsigned char *data, int dsize); +typedef struct s_HI_CLIENT_HDR_ARGS +{ + HEADER_PTR *hdr_ptr; + HEADER_FIELD_PTR *hdr_field_ptr; + HttpSessionData *sd; + int strm_ins; + int hst_name_hdr; + int true_clnt_xff; +} HI_CLIENT_HDR_ARGS; + +int hi_client_inspection(void *Session, const unsigned char *data, int dsize, HttpSessionData *hsd, int stream_ins); int hi_client_init(HTTPINSPECT_GLOBAL_CONF *GlobalConf); -#endif +#endif diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_client_norm.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_client_norm.h --- snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_client_norm.h 2009-01-26 16:26:29.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_client_norm.h 2011-02-09 23:23:31.000000000 +0000 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_client_stateful.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_client_stateful.h --- snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_client_stateful.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_client_stateful.h 2011-02-09 23:23:31.000000000 +0000 
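Review bot: The new `hi_client_inspection` prototype and the `HI_CLIENT_HDR_ARGS` struct carry no documentation: `hsd` / `stream_ins` on the prototype and `strm_ins`, `hst_name_hdr`, `true_clnt_xff` in the struct give no hint whether the `int` members are booleans, counters or (for `true_clnt_xff`, possibly) the `ActionSFCC` flags declared above. A one-line comment per field and a doc comment on the prototype naming each parameter's role would fix that, and the two spellings `stream_ins` / `strm_ins` for what appears to be the same quantity should be unified.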
@@ -0,0 +1,37 @@
+/****************************************************************************
+ *
+ * Copyright (C) 2005-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+/*
+* hi_client_stateful.h: Functions prototypes for client
+ * stateful processing.
+*
+* Author: Chris Sherwin
+*
+*/
+#ifndef HI_CLIENT_STATEFUL_H
+#define HI_CLIENT_STATEFUL_H
+
+#include "hi_include.h"
+#include "hi_si.h"
+
+int StatefulInspection( HI_SESSION* sessionp, unsigned char* datap, int dsize );
+
+#endif /* HI_CLIENT_STATEFUL_H */
diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_cmd_lookup.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_cmd_lookup.h
--- snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_cmd_lookup.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_cmd_lookup.h 2011-02-09 23:23:31.000000000 +0000
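Review bot: `StatefulInspection( HI_SESSION* sessionp, unsigned char* datap, int dsize )` takes the payload as a non-const `unsigned char*`, whereas the sibling entry point `hi_client_inspection` in hi_client.h takes `const unsigned char *data`; unless the stateful path writes into the payload (its implementation is not in this diff), `const unsigned char *datap` states the contract and lets callers pass read-only buffers without a cast. `dsize` is a signed `int` length with no comment on how non-positive values are treated; a one-line note on the prototype would save readers a trip into the .c file.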
@@ -0,0 +1,34 @@
+/****************************************************************************
+ * *
+ * * Copyright (C) 2003-2011 Sourcefire, Inc.
+ * *
+ * * This program is free software; you can redistribute it and/or modify
+ * * it under the terms of the GNU General Public License Version 2 as
+ * * published by the Free Software Foundation. You may not use, modify or
+ * * distribute this program under any other version of the GNU General
+ * * Public License.
+ * *
+ * * This program is distributed in the hope that it will be useful,
+ * * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * * GNU General Public License for more details.
+ * *
+ * * You should have received a copy of the GNU General Public License
+ * * along with this program; if not, write to the Free Software
+ * * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ * *
+ * ****************************************************************************/
+#ifndef __HI_CMD_LOOKUP_H__
+#define __HI_CMD_LOOKUP_H__
+
+#include "hi_ui_config.h"
+
+int http_cmd_lookup_init(CMD_LOOKUP **CmdLookup);
+int http_cmd_lookup_cleanup(CMD_LOOKUP **CmdLookup);
+int http_cmd_lookup_add(CMD_LOOKUP *CmdLookup, char cmd[], int len, HTTP_CMD_CONF *HTTPCmd);
+
+HTTP_CMD_CONF *http_cmd_lookup_find(CMD_LOOKUP *CmdLookup, const char cmd[], int len, int *iError);
+HTTP_CMD_CONF *http_cmd_lookup_first(CMD_LOOKUP *CmdLookup, int *iError);
+HTTP_CMD_CONF *http_cmd_lookup_next(CMD_LOOKUP *CmdLookup, int *iError);
+
+#endif
diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_eo_events.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_eo_events.h
--- snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_eo_events.h 2009-12-15 23:27:54.000000000 +0000
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_eo_events.h 2011-10-26 18:28:52.000000000 +0000
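Review bot: `http_cmd_lookup_add(CMD_LOOKUP *CmdLookup, char cmd[], int len, HTTP_CMD_CONF *HTTPCmd)` takes the command as a non-const `char cmd[]` while `http_cmd_lookup_find` takes `const char cmd[]`; unless the add path modifies the key, both should be const so configuration strings can be passed without a cast. The `int *iError` out-parameter and the int returns of init/cleanup/add are undocumented; a short block comment listing the return values, and whether a NULL return from find/first/next is distinguishable from an error through `*iError`, would make the API usable without reading the implementation. The guard `__HI_CMD_LOOKUP_H__` is a reserved double-underscore identifier, although it follows the convention of the other HttpInspect headers.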
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + #ifndef __HI_EO_EVENTS_H__ #define __HI_EO_EVENTS_H__ 
@@ -27,31 +27,57 @@ /* ** Client Events */ -typedef enum _HI_EVENTS +typedef enum _HI_CLI_EVENTS { HI_EO_CLIENT_ASCII = 0, HI_EO_CLIENT_DOUBLE_DECODE , HI_EO_CLIENT_U_ENCODE , HI_EO_CLIENT_BARE_BYTE , - HI_EO_CLIENT_BASE36 , + /* Base36 is deprecated - leave here so events keep the same number */ + HI_EO_CLIENT_BASE36 , HI_EO_CLIENT_UTF_8 , HI_EO_CLIENT_IIS_UNICODE , HI_EO_CLIENT_MULTI_SLASH , HI_EO_CLIENT_IIS_BACKSLASH , HI_EO_CLIENT_SELF_DIR_TRAV , HI_EO_CLIENT_DIR_TRAV , - HI_EO_CLIENT_APACHE_WS , - HI_EO_CLIENT_IIS_DELIMITER , - HI_EO_CLIENT_NON_RFC_CHAR , - HI_EO_CLIENT_OVERSIZE_DIR , - HI_EO_CLIENT_LARGE_CHUNK , - HI_EO_CLIENT_PROXY_USE , - HI_EO_CLIENT_WEBROOT_DIR , + HI_EO_CLIENT_APACHE_WS , + HI_EO_CLIENT_IIS_DELIMITER , + HI_EO_CLIENT_NON_RFC_CHAR , + HI_EO_CLIENT_OVERSIZE_DIR , + HI_EO_CLIENT_LARGE_CHUNK , + HI_EO_CLIENT_PROXY_USE , + HI_EO_CLIENT_WEBROOT_DIR , HI_EO_CLIENT_LONG_HDR , HI_EO_CLIENT_MAX_HEADERS , HI_EO_CLIENT_MULTIPLE_CONTLEN, + HI_EO_CLIENT_CHUNK_SIZE_MISMATCH, + HI_EO_CLIENT_INVALID_TRUEIP , + HI_EO_CLIENT_MULTIPLE_HOST_HDRS, + HI_EO_CLIENT_LONG_HOSTNAME , + HI_EO_CLIENT_EXCEEDS_SPACES , + HI_EO_CLIENT_CONSECUTIVE_SMALL_CHUNKS, + HI_EO_CLIENT_UNBOUNDED_POST, + HI_EO_CLIENT_MULTIPLE_TRUEIP_IN_SESSION, + HI_EO_CLIENT_BOTH_TRUEIP_XFF_HDRS, HI_EO_CLIENT_EVENT_NUM -} HI_EVENTS; +} HI_CLI_EVENTS; + +typedef enum _HI_EVENTS +{ + HI_EO_ANOM_SERVER = 0, + HI_EO_SERVER_INVALID_STATCODE, + HI_EO_SERVER_NO_CONTLEN, + HI_EO_SERVER_UTF_NORM_FAIL, + HI_EO_SERVER_UTF7, + HI_EO_SERVER_DECOMPR_FAILED, + HI_EO_SERVER_CONSECUTIVE_SMALL_CHUNKS, + HI_EO_CLISRV_MSG_SIZE_EXCEPTION, + HI_EO_SERVER_JS_OBFUSCATION_EXCD, + HI_EO_SERVER_JS_EXCESS_WS, + HI_EO_SERVER_MIXED_ENCODINGS, + HI_EO_SERVER_EVENT_NUM +}HI_EVENTS; /* ** These defines are the alert names for each event 
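Review bot: The typedef name `HI_EVENTS` is reused for the new server-event enum while the client enum is renamed to `HI_CLI_EVENTS`; any remaining code that declared client events as `HI_EVENTS` still compiles, since enumerators are plain ints, but would now be read against the server numbering. A comment on each typedef naming what it indexes would make that explicit, e.g. `/* Server-side events; HI_EO_SERVER_EVENT_NUM sizes HI_SERVER_EVENTS::events in hi_eo.h */` and a matching one for the client list. The new client entries are appended after HI_EO_CLIENT_MULTIPLE_CONTLEN, which preserves existing event numbers; a note like the BASE36 one, saying that new events must only ever be appended because the values are alert identifiers, would protect that invariant.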
@@ -64,8 +90,9 @@ "(http_inspect) U ENCODING" #define HI_EO_CLIENT_BARE_BYTE_STR \ "(http_inspect) BARE BYTE UNICODE ENCODING" +/* Base36 is deprecated - leave here so events keep the same number */ #define HI_EO_CLIENT_BASE36_STR \ - "(http_inspect) BASE36 ENCODING" + "(http_inspect) BASE36 ENCODING" #define HI_EO_CLIENT_UTF_8_STR \ "(http_inspect) UTF-8 ENCODING" #define HI_EO_CLIENT_IIS_UNICODE_STR \ 
@@ -94,20 +121,55 @@ "(http_inspect) WEBROOT DIRECTORY TRAVERSAL" #define HI_EO_CLIENT_LONG_HDR_STR \ "(http_inspect) LONG HEADER" -#define HI_EO_CLIENT_MAX_HEADERS_STR \ +#define HI_EO_CLIENT_MAX_HEADERS_STR \ "(http_inspect) MAX HEADER FIELDS" #define HI_EO_CLIENT_MULTIPLE_CONTLEN_STR \ "(http_inspect) MULTIPLE CONTENT LENGTH" +#define HI_EO_CLIENT_CHUNK_SIZE_MISMATCH_STR \ + "(http_inspect) CHUNK SIZE MISMATCH DETECTED" +#define HI_EO_CLIENT_MULTIPLE_HOST_HDRS_STR \ + "(http_inspect) MULTIPLE HOST HDRS DETECTED" +#define HI_EO_CLIENT_INVALID_TRUEIP_STR \ + "(http_inspect) INVALID IP IN TRUE-CLIENT-IP/XFF HEADER" +#define HI_EO_CLIENT_LONG_HOSTNAME_STR \ + "(http_inspect) HOSTNAME EXCEEDS 255 CHARACTERS" +#define HI_EO_CLIENT_EXCEEDS_SPACES_STR \ + "(http_inspect) HEADER PARSING SPACE SATURATION" +#define HI_EO_CLIENT_CONSECUTIVE_SMALL_CHUNKS_STR \ + "(http_inspect) CLIENT CONSECUTIVE SMALL CHUNK SIZES" +#define HI_EO_CLIENT_UNBOUNDED_POST_STR \ + "(http_inspect) POST W/O CONTENT-LENGTH OR CHUNKS" +#define HI_EO_CLIENT_MULTIPLE_TRUEIP_IN_SESSION_STR \ + "(http_inspect) MULTIPLE TRUE IPS IN A SESSION" +#define HI_EO_CLIENT_BOTH_TRUEIP_XFF_HDRS_STR \ + "(http_inspect) BOTH TRUE_CLIENT_IP AND XFF HDRS PRESENT" /* -** Anomalous Server Events +** Server Events */ -#define HI_EO_ANOM_SERVER 0 - -#define HI_EO_ANOM_SERVER_EVENT_NUM 1 #define HI_EO_ANOM_SERVER_STR \ "(http_inspect) ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT" +#define HI_EO_SERVER_INVALID_STATCODE_STR \ + "(http_inspect) INVALID STATUS CODE IN HTTP RESPONSE" +#define HI_EO_SERVER_NO_CONTLEN_STR \ + "(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE" +#define HI_EO_SERVER_UTF_NORM_FAIL_STR \ + "(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE" +#define HI_EO_SERVER_UTF7_STR \ + "(http_inspect) HTTP RESPONSE HAS UTF-7 CHARSET" +#define HI_EO_SERVER_DECOMPR_FAILED_STR \ + "(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED" +#define 
HI_EO_SERVER_CONSECUTIVE_SMALL_CHUNKS_STR \ + "(http_inspect) SERVER CONSECUTIVE SMALL CHUNK SIZES" +#define HI_EO_CLISRV_MSG_SIZE_EXCEPTION_STR \ + "(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE" +#define HI_EO_SERVER_JS_OBFUSCATION_EXCD_STR \ + "(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1" +#define HI_EO_SERVER_JS_EXCESS_WS_STR \ + "(http_inspect) JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED" +#define HI_EO_SERVER_MIXED_ENCODINGS_STR \ + "(http_inspect) MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA" /* ** Event Priorities diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_eo.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_eo.h --- snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_eo.h 2009-01-26 16:26:29.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_eo.h 2011-02-09 23:23:31.000000000 +0000 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -96,10 +96,18 @@ typedef struct s_HI_ANOM_SERVER_EVENTS { - int stack[HI_EO_ANOM_SERVER_EVENT_NUM]; + int stack[HI_EO_SERVER_EVENT_NUM]; int stack_count; - HI_EVENT events[HI_EO_ANOM_SERVER_EVENT_NUM]; + HI_EVENT events[HI_EO_SERVER_EVENT_NUM]; } HI_ANOM_SERVER_EVENTS; +typedef struct s_HI_SERVER_EVENTS +{ + int stack[HI_EO_SERVER_EVENT_NUM]; + int stack_count; + HI_EVENT events[HI_EO_SERVER_EVENT_NUM]; + +} HI_SERVER_EVENTS; + #endif diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_eo_log.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_eo_log.h --- snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_eo_log.h 2009-01-26 16:26:29.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_eo_log.h 2011-06-08 00:33:18.000000000 +0000 
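Review bot: The new alert-string macros are listed in a different order from the enumerators they belong to (MULTIPLE_HOST_HDRS_STR precedes INVALID_TRUEIP_STR, while the enum has INVALID_TRUEIP first), which is harmless for macros but makes it easy to miss a missing pair when the two lists are compared; keeping the string block in enum order is a cheap safeguard. `HI_EO_CLIENT_LONG_HOSTNAME_STR` bakes the number 255 into the message, so if the hostname limit is ever made configurable the text will be wrong; a comment tying it to the constant that enforces it (not visible in this header) would help. The removed `HI_EO_ANOM_SERVER` and `HI_EO_ANOM_SERVER_EVENT_NUM` defines are replaced by the HI_EVENTS enumerators in the earlier hunk; a one-line note there would help anyone grepping for the old names.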
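Review bot: HI_ANOM_SERVER_EVENTS and the new HI_SERVER_EVENTS now have identical layouts (both sized by HI_EO_SERVER_EVENT_NUM), so the anomalous-server list grew from one slot to the full server event count and there are two copies of the same struct to keep in sync. If they are meant to stay identical, `typedef HI_SERVER_EVENTS HI_ANOM_SERVER_EVENTS;` removes the duplication; if the anomalous-server stack only ever holds HI_EO_ANOM_SERVER, a comment explaining why it is sized by the full count would help. Either way, a comment on `stack`/`stack_count`/`events` stating that stack_count is the number of valid entries and is assumed never to exceed HI_EO_SERVER_EVENT_NUM would document the bound the logging code presumably relies on.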
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + #ifndef __HI_EO_LOG_H__ #define __HI_EO_LOG_H__ @@ -26,7 +26,7 @@ #include "hi_si.h" #include "hi_return_codes.h" -static INLINE int hi_eo_generate_event(HI_SESSION *Session, int iAlert) +static inline int hi_eo_generate_event(HI_SESSION *Session, int iAlert) { if(iAlert && !(Session->norm_flags & HI_BODY) && !Session->server_conf->no_alerts) @@ -40,6 +40,8 @@ int hi_eo_client_event_log(HI_SESSION *Session, int iEvent, void *data, void (*free_data)(void *)); +int hi_eo_server_event_log(HI_SESSION *Session, int iEvent, void *data, + void (*free_data)(void *)); int hi_eo_anom_server_event_log(HI_SESSION *Session, int iEvent, void *data, void (*free_data)(void *)); diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_include.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_include.h --- snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_include.h 2009-05-06 22:29:25.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_include.h 2011-06-08 00:33:18.000000000 +0000 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
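Review bot: The new `hi_eo_server_event_log` prototype, like the client and anom-server ones beside it, takes `void *data` and a `free_data` callback with no statement of ownership: whether the event list takes ownership of `data` and invokes `free_data` when the event is released, or whether the caller must keep it alive. A comment on the group of prototypes such as `/* data is owned by the event list once logged and released via free_data -- confirm against hi_eo_log.c, including whether free_data may be NULL */` would settle that. The `INLINE` to `inline` change on hi_eo_generate_event depends on the matching macro change in hi_include.h in this patch; the body of hi_eo_generate_event continues outside the hunk.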
@@ -18,12 +18,12 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + #ifndef __HI_INCLUDE_H__ #define __HI_INCLUDE_H__ #include "sf_types.h" -#include "debug.h" +#include "snort_debug.h" #include "ipv6_port.h" #define HI_UNKNOWN_METHOD 1 
@@ -34,33 +34,41 @@ uint64_t unicode; uint64_t double_unicode; uint64_t non_ascii; /* Non ASCII-representable character in URL */ - uint64_t base36; uint64_t dir_trav; /* '../' */ uint64_t slashes; /* '//' */ uint64_t self_ref; /* './' */ uint64_t post; /* Number of POST methods encountered */ uint64_t get; /* Number of GETs */ uint64_t post_params; /* Number of successfully extract post parameters */ - uint64_t headers; /* Number of successfully extracted headers */ + uint64_t req_headers; /* Number of successfully extracted request headers */ + uint64_t resp_headers; /* Number of successfully extracted response headers */ #ifdef DEBUG - uint64_t header_len; + uint64_t req_header_len; + uint64_t resp_header_len; #endif - uint64_t cookies; /* Number of successfully extracted cookies */ + uint64_t req_cookies; /* Number of successfully extracted request cookies */ + uint64_t resp_cookies; /* Number of successfully extracted response cookies */ #ifdef DEBUG - uint64_t cookie_len; + uint64_t req_cookie_len; + uint64_t resp_cookie_len; #endif uint64_t total; +#ifdef ZLIB + uint64_t gzip_pkts; + uint64_t compr_bytes_read; + uint64_t decompr_bytes_read; +#endif } HIStats; extern HIStats hi_stats; -#ifndef INLINE +#ifndef inline #ifdef WIN32 -#define INLINE __inline +#define inline __inline #else -#define INLINE inline +#define inline inline #endif +#endif /* endif for inline */ -#endif /* endif for INLINE */ #endif diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_mi.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_mi.h --- snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_mi.h 2009-01-26 16:26:29.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_mi.h 2011-02-09 23:23:31.000000000 +0000 
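Review bot: The `#ifndef inline` / `#define inline __inline` / `#define inline inline` block defines a macro whose name is a C99 keyword; C11 7.1.2 makes that undefined behaviour once any standard header is included, and on a C99-or-later compiler `#ifndef inline` is always true because keywords are never macros, so the non-WIN32 branch always emits the self-referential `#define inline inline`. The old `INLINE` spelling avoided this; if the keyword spelling is wanted, limit the macro to the compiler that lacks the keyword: `#if defined(WIN32) && !defined(__cplusplus)` / `#define inline __inline` / `#endif`. The split `req_`/`resp_` counters and the ZLIB-only `gzip_pkts`, `compr_bytes_read`, `decompr_bytes_read` fields would also benefit from one-line comments like the neighbouring fields have.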
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -34,11 +34,11 @@ #include -#include "hi_include.h" #include "hi_si.h" +#include "hi_include.h" +#include "snort_httpinspect.h" -int hi_mi_mode_inspection(HI_SESSION *Session, int iInspectMode, - const u_char *data, int dsize); +int hi_mi_mode_inspection(HI_SESSION *Session, int iInspectMode, Packet *p, HttpSessionData *); #endif diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_norm.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_norm.h --- snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_norm.h 2009-01-26 16:26:29.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_norm.h 2011-02-09 23:23:32.000000000 +0000 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
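Review bot: The new prototype `int hi_mi_mode_inspection(HI_SESSION *Session, int iInspectMode, Packet *p, HttpSessionData *);` drops the name of the last parameter, so the header no longer says what the HttpSessionData argument is for; naming it `HttpSessionData *hsd` matches hi_norm.h and hi_server_norm.h in this same patch. The `#include` line above it has lost its header name in this rendering, most likely because the angle-bracketed name was stripped, so the real include should be checked in the tree. hi_server_inspection in hi_server.h has the same unnamed-parameter problem.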
@@ -40,9 +40,8 @@ #include "hi_ui_config.h" #include "hi_si.h" -int hi_norm_init(HTTPINSPECT_GLOBAL_CONF *GlobalConf); -int hi_normalization(HI_SESSION *Session, int iInspectMode); +int hi_normalization(HI_SESSION *Session, int iInspectMode, HttpSessionData *hsd); int hi_norm_uri(HI_SESSION *Session, u_char *uribuf,int *uribuf_size, - const u_char *uri, int uri_size); + const u_char *uri, int uri_size, uint16_t *encodeType); #endif diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_paf.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_paf.h --- snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_paf.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_paf.h 2011-07-13 22:44:51.000000000 +0000 
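Review bot: hi_norm_uri gains a `uint16_t *encodeType` parameter with no comment on its direction; from the new `uri_encode_type` fields in hi_client.h it looks like an out-parameter receiving the encodings seen while normalizing, but the header does not say whether it may be NULL or whether it is OR-ed into or overwritten. A comment on the prototype, `/* encodeType: out, receives the encoding types detected during normalization -- confirm whether NULL is accepted */`, would cover both questions. The removal of hi_norm_init is not noted anywhere; if initialization moved elsewhere, a one-line note would help anyone grepping for it.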
@@ -0,0 +1,41 @@
+/* $Id$ */
+/****************************************************************************
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+//--------------------------------------------------------------------
+// hi stuff
+//
+// @file hi_paf.h
+// @author Russ Combs
+//--------------------------------------------------------------------
+
+#ifndef __HI_PAF_H__
+#define __HI_PAF_H__
+
+#include "sfPolicy.h"
+#include "sf_types.h"
+
+bool hi_paf_init(uint32_t cap);
+void hi_paf_term(void);
+int hi_paf_register(uint16_t port, bool client, bool server, tSfPolicyId pid);
+
+#endif
+
diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_reqmethod_check.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_reqmethod_check.h
--- snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_reqmethod_check.h 1970-01-01 00:00:00.000000000 +0000
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_reqmethod_check.h 2011-02-09 23:23:32.000000000 +0000
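Review bot: The file banner `// hi stuff` says nothing, and none of the three prototypes documents its return value: what `hi_paf_init(uint32_t cap)` returns false for and what `cap` bounds, or what the int from `hi_paf_register(uint16_t port, bool client, bool server, tSfPolicyId pid)` signals. Replacing the banner with a sentence on the module's purpose (the HttpInspect hooks into Snort's protocol-aware flushing, presumably) and adding a one-line comment per prototype, e.g. `// returns false if the PAF callbacks could not be registered -- confirm against hi_paf.c`, would make the header self-explanatory. The header relies on sf_types.h to provide both `bool` and `uint32_t`; worth confirming, since nothing else is included.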
@@ -0,0 +1,52 @@
+/*
+** Copyright (C) 2005-2011 Sourcefire, Inc.
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License Version 2 as
+** published by the Free Software Foundation. You may not use, modify or
+** distribute this program under any other version of the GNU General
+** Public License.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+/*
+ * hi_reqmethod_check.h: Structure definitions/function prototype(s)
+ * for the request method type check
+ */
+
+/* $Id */
+
+#ifndef HI_REQMETHOD_CHECK_H
+#define HI_REQMETHOD_CHECK_H
+
+#define HI_RMFLG_CLEAR (0x0)
+#define HI_RMFLG_GET (0x1)
+#define HI_RMFLG_HEAD (0x2)
+#define HI_RMFLG_POST (0x4)
+#define HI_RMFLG_PUT (0x8)
+#define HI_RMFLG_DELETE (0x10)
+#define HI_RMFLG_TRACE (0x20)
+#define HI_RMFLG_CONNECT (0x40)
+#define HI_RMFLG_ALL (0xFFFFFFFF)
+
+/* Structure stored as callback data for use by request method
+ * detection plugin code.
+ */
+typedef struct _ReqMethodCheckData
+{
+ int type_vector;
+} ReqMethodCheckData;
+
+/* Function prototype(s) */
+extern int ReqMethodCheckInit( char*, char*, void** );
+extern int ReqMethodCheckEval( void*, uint8_t**, void* );
+
+#endif /* HI_REQMETHOD_CHECK */
diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_return_codes.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_return_codes.h
--- snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_return_codes.h 2009-01-26 16:26:30.000000000 +0000
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_return_codes.h 2011-02-09 23:23:32.000000000 +0000
@@ -1,6 +1,6 @@
 /****************************************************************************
  *
- * Copyright (C) 2003-2009 Sourcefire, Inc.
+ * Copyright (C) 2003-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_server.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_server.h
--- snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_server.h 2009-01-26 16:26:30.000000000 +0000
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_server.h 2011-02-09 23:23:32.000000000 +0000
@@ -1,6 +1,6 @@
 /****************************************************************************
  *
- * Copyright (C) 2003-2009 Sourcefire, Inc.
+ * Copyright (C) 2003-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
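Review bot: `#define HI_RMFLG_ALL (0xFFFFFFFF)` is an unsigned constant while the field it is evidently meant to fill, `int type_vector`, is signed; storing it yields an implementation-defined negative value and `type_vector == HI_RMFLG_ALL` promotes to unsigned, which works by accident on two's-complement targets but trips -Wsign-compare. Declaring `unsigned int type_vector;` (or defining the mask as `(~0u)`) keeps the flag arithmetic unsigned throughout. The prototypes `ReqMethodCheckInit( char*, char*, void** )` and `ReqMethodCheckEval( void*, uint8_t**, void* )` have no parameter names, and the header uses `uint8_t` without including sf_types.h or <stdint.h>, so it only compiles when the includer has done so first; the closing `#endif /* HI_REQMETHOD_CHECK */` also does not match the guard name HI_REQMETHOD_CHECK_H.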
@@ -36,14 +36,39 @@ #define __HI_SERVER_H__ #include "hi_include.h" +#include "hi_util.h" +#include "snort_httpinspect.h" +#include "hi_client.h" -typedef struct s_HI_SERVER +typedef struct s_HI_SERVER_RESP { - const unsigned char *header; - int header_size; + const u_char *status_code; + const u_char *status_msg; + const u_char *header_raw; + const u_char *header_norm; + COOKIE_PTR cookie; + const u_char *cookie_norm; + const u_char *body; + + u_int body_size; + u_int status_code_size; + u_int status_msg_size; + u_int header_raw_size; + u_int header_norm_size; + u_int cookie_norm_size; + + uint16_t header_encode_type; + uint16_t cookie_encode_type; + +} HI_SERVER_RESP; + +typedef struct s_HI_SERVER +{ + HI_SERVER_RESP response; + HI_SERVER_EVENTS event_list; } HI_SERVER; -int hi_server_inspection(void *S, const unsigned char *data, int dsize); +int hi_server_inspection(void *, Packet *, HttpSessionData *); #endif diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_server_norm.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_server_norm.h --- snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_server_norm.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_server_norm.h 2011-02-09 23:23:32.000000000 +0000 
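Review bot: `int hi_server_inspection(void *, Packet *, HttpSessionData *);` drops all three parameter names, so the header no longer says what the void pointer is; the old declaration at least named it `S`, and hi_client_inspection in this same patch keeps its names. `int hi_server_inspection(void *Session, Packet *p, HttpSessionData *hsd);` would match the rest of the headers. HI_SERVER now embeds `HI_SERVER_EVENTS event_list`, a type defined in hi_eo.h, but the includes added here are hi_util.h, snort_httpinspect.h and hi_client.h; unless one of those pulls in hi_eo.h, the header is no longer self-contained. The HI_SERVER_RESP size fields are `u_int` while the client side and hi_norm_uri use `int` sizes, so a comment on the expected range, or a consistent type, would head off sign-comparison surprises where the two meet.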
@@ -0,0 +1,42 @@
+/****************************************************************************
+ *
+ * Copyright (C) 2003-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+/**
+** @file hi_client_norm.h
+**
+** @author Daniel Roelker
+**
+** @brief Function prototypes for client normalization routines.
+**
+** Contains public functions for accessing client normalization.
+**
+** NOTES:
+** - Initial development, DJR
+*/
+#ifndef __HI_SERVER_NORM_H__
+#define __HI_SERVER_NORM_H__
+
+#include "hi_include.h"
+#include "hi_si.h"
+
+int hi_server_norm(HI_SESSION *Session, HttpSessionData *hsd);
+
+#endif
diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_si.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_si.h
--- snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_si.h 2009-05-06 22:29:25.000000000 +0000
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_si.h 2011-02-09 23:23:32.000000000 +0000
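Review bot: The Doxygen block in the new file is copied from hi_client_norm.h unchanged: it says `@file hi_client_norm.h`, `@brief Function prototypes for client normalization routines.` and `Contains public functions for accessing client normalization.`, while the header actually declares `hi_server_norm(HI_SESSION *Session, HttpSessionData *hsd)`. It should read `** @file hi_server_norm.h` with `** @brief Function prototypes for server response normalization routines.`, and the author and NOTES lines should be updated or dropped if they do not apply to this file. A one-line comment on the prototype stating what the int return means would complete it.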
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_stateful_inspect.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_stateful_inspect.h --- snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_stateful_inspect.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_stateful_inspect.h 2011-02-09 23:23:32.000000000 +0000 
@@ -0,0 +1,238 @@ +/**************************************************************************** + * + * Copyright (C) 2005-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + + +/* + * hi_stateful_inspect.h: Defines, structs, function prototype(s) for + * HTTP inspect stateful inspection module. + * + * Author(s): Chris Sherwin + */ + +#ifndef STATEFUL_INSPECT_H +#define STATEFUL_INSPECT_H + +/* + * Flags modifying stateful inspection's behavior + * + * HI_ST_FLG_CLEAR: No flags set + * HI_ST_FLG_CRLF_EOM: Found a CRLF at the end of + * the previous pkt. + * HI_ST_FLG_POSTPARM: Request contains post parameters. + */ +#define HI_ST_FLG_CLEAR (0x0) +#define HI_ST_FLG_CRLF_EOM (0x1) +#define HI_ST_FLG_POSTPARM (0x2) + +/* + * States into which the HTTP request + * stateful processing can enter. + * + * HI_ST_STATE_URI_KEY: HTTP Inspect is searching for + * request method keyword which + * signifies URI. + * HI_ST_STATE_URI_CONT: HTTP Inspect is building the + * contents of the URI. + * HI_ST_STATE_HDR_KEY: HTTP Inspect is searching for + * a header keyword. + * HI_ST_STATE_HDR_CT: HTTP Inspect is processing a + * content-type header. 
+ * HI_ST_STATE_HDR_PA: HTTP Inspect is processing a + * proxy-authenticate header. + * HI_ST_STATE_HDR_CONT: HTTP Inspect is examining the + * contents of a header. + * HI_ST_STATE_BDY_POST: HTTP Inspect is treating body + * as a set of post parameters. + * HI_ST_STATE_BDY_PIPE: HTTP Inspect is searching for + * a pipelined request. + * HI_ST_STATE_MSG_DONE: A complete HTTP request has + * been seen and processed. + */ +#define HI_ST_STATE_URI_KEY (0x1) +#define HI_ST_STATE_URI_CONT (0x2) +#define HI_ST_STATE_HDR_KEY (0x3) +#define HI_ST_STATE_HDR_CT (0x4) +#define HI_ST_STATE_HDR_PA (0x5) +#define HI_ST_STATE_HDR_CONT (0x6) +#define HI_ST_STATE_BDY_POST (0x7) +#define HI_ST_STATE_BDY_PIPE (0x8) +#define HI_ST_STATE_MSG_DONE (0x9) +#define HI_ST_NUM_STATES (8) + +/* + * + */ +#define HI_ST_MAXBUFLEN 10400 + +/* + * Recognized delimiter types. + */ +#define HI_ST_DELIM_NONE (0x0) +#define HI_ST_DELIM_CRLF (0x1) +#define HI_ST_DELIM_AHF (0x2) + +#define HI_ST_SUCCESS (0x1) +#define HI_ST_FAILURE (0x0) + +/* + * Flag values for BUFFER::buf_flags. These + * define any special processing of the buffer + * that may be needed/pending. + * + * HI_ST_BUFFLGS_NONE: No flags. + * HI_ST_BUFFLGS_COMPACT: Buffer "compacting" is required + */ +#define HI_ST_BUFFLGS_NONE (0x0) +#define HI_ST_BUFFLGS_COMPACT (0x1) + +#define HI_ST_MAX_BYTES_WO_HEADER 10 + +/* + * Default value for max header bytes. Used for + * header folding detection, etc. to alert on + * suspiciously long header fields. + */ +#define HI_ST_MAX_HEADER_BYTES 8190 + +/* Buffer structure used in stateful inspection + * packet processing. + * + * startp: Start of actual data in buffer. + * endp: End of actual data in buffer. + * curp: Pointer/index into the buffer data. + * bufendp: End of the allocated memory for the buffer. + * buf_flags: Flags indicating special processing which is required. 
+ */ +typedef struct _BUF +{ + unsigned char* startp; + unsigned char* endp; + unsigned char* curp; + unsigned char* bufendp; + unsigned int buf_flags; +} BUFFER; + +/* Structure containing current state regarding headers for + * a request. + * + * num_headers: Number of headers seen in the current request. + * bytes_wo_header: Bytes examined since last header, w/o finding + * a new header. + * hf_bytes: Bytes examined so far in current header. Used for + * header folding inspection. + * startp: Pointer to start of headers section of request. + * endp: Pointer to end of headers section of request. + * base64startp: Pointer to start of base64 encoded portion of req. + * base64endp: Pointer to end of base64 encoded portion of req. + * + */ +typedef struct _HEADER_STATE +{ + int num_headers; + int bytes_wo_header; + int hf_bytes; + unsigned char* startp; + unsigned char* endp; + unsigned char* base64startp; + unsigned char* base64endp; +} HEADER_STATE; + +/* + * One of these structures is kept for each HTTP session + * tracked by HTTP inspect. + * + * request_buffer: + * mpse_state: Saved MPSE state from searches started in + * previous packet + * flags: State flags + * state: Current state of the inspectin state machine. + * request_type: Discovered method type for current request. + * uristate: State block containing discovered info about + * URI in current request. + * headerstate: State block containing discovered info about headers + * in current request. + * bodyp: Pointer to beginning of body portion of request. + * body_endp: Pointer to end of body portion of request. + */ +typedef struct _HI_SI_STATE +{ + BUFFER request_buffer; + int mpse_state; + int flags; + int state; + int request_type; + URI_PTR uristate; + HEADER_STATE headerstate; + unsigned char* bodyp; + unsigned char* body_endp; +} HI_SI_STATE; + +/* + * Match-types to be filled into HI_SI_MATCHDATA::type + * + * HI_ST_MATCHTYPE_NONE: No match + * HI_ST_MATCHTYPE_REQMETHOD: A req. 
method keyword has been found. + * HI_ST_MATCHTYPE_HEADER: A header keyword has been found. + * HI_ST_MATCHTYPE_CRLF: A delimiter token has been found. + * HI_ST_MATCHTYPE_POSTPARMCT: The post-param content-type has been found. + * HI_ST_MATCHTYPE_BASE64: A keyword indicating base64 enc. has been found. + */ +#define HI_ST_MATCHTYPE_NONE (0x0) +#define HI_ST_MATCHTYPE_REQMETHOD (0x1) +#define HI_ST_MATCHTYPE_HEADER (0x2) +#define HI_ST_MATCHTYPE_CRLF (0x3) +#define HI_ST_MATCHTYPE_POSTPARMCT (0x4) +#define HI_ST_MATCHTYPE_BASE64 (0x5) + +#define HI_ST_CT_KEYWORD "Content-Type:" +#define HI_ST_PA_KEYWORD "Proxy-Authorization:" + +/* + * Request method types + */ +#define HI_ST_METHOD_GET (0x1) +#define HI_ST_METHOD_HEAD (0x2) +#define HI_ST_METHOD_POST (0x3) +#define HI_ST_METHOD_PUT (0x4) +#define HI_ST_METHOD_DELETE (0x5) +#define HI_ST_METHOD_TRACE (0x6) +#define HI_ST_METHOD_CONNECT (0x7) + +/* One of these structs is passed into the MPSE search + * to be filled in by the match callback. + * + * index: The index of the match, in bytes, + * into the searched string + * type: The type of keyword found + * (e.g. request method or header ) + * data: Type-specific data. + * + * keywordp: Pointer to the keyword which matched. + */ +typedef struct _HI_SI_MATCHDATA +{ + int index; + int type; + int data; + unsigned char* keywordp; +} HI_SI_MATCHDATA; + +#endif /* STATEFUL_INSPECT_H */ diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_ui_config.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_ui_config.h --- snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_ui_config.h 2009-07-07 15:37:08.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_ui_config.h 2011-11-21 20:15:24.000000000 +0000 
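Review bot: `#define HI_ST_NUM_STATES (8)` does not agree with the state list above it, which defines nine values (HI_ST_STATE_URI_KEY 0x1 through HI_ST_STATE_MSG_DONE 0x9); if HI_ST_NUM_STATES ever sizes a per-state table indexed by these values, MSG_DONE lands out of bounds, and if it deliberately excludes MSG_DONE that should be stated next to it, e.g. `/* number of active states; MSG_DONE is terminal and not counted -- confirm */`. `HI_ST_CT_KEYWORD "Content-Type:"` and `HI_ST_PA_KEYWORD "Proxy-Authorization:"` are fixed-case while HTTP header names are case-insensitive; whether the MPSE search that consumes them matches case-insensitively is not visible here, so a comment recording that assumption on the defines would keep a differently cased header from silently skipping the content-type or proxy-auth state. The empty `/* * */` block above HI_ST_MAXBUFLEN should say what the 10400-byte limit bounds, and the generic typedef name `BUFFER` in a shared header is a likely collision with other modules.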
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,10 +18,10 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** ** @file hi_ui_config.h -** +** ** @author Daniel Roelker ** ** @brief This file contains the internal configuration structures @@ -36,10 +36,12 @@ #define __HI_UI_CONFIG_H__ #include "hi_include.h" +#include "snort_bounds.h" #include "sfrt.h" #include "ipv6_port.h" #include "sf_ip.h" #include "sfPolicy.h" +#include "hi_util_kmap.h" /* ** Defines @@ -50,6 +52,7 @@ #define HI_UI_CONFIG_MAX_HDR_DEFAULT 0 #define HI_UI_CONFIG_MAX_HEADERS_DEFAULT 0 +#define HI_UI_CONFIG_MAX_SPACES_DEFAULT 200 /* ** Special characters treated as whitespace before or after URI @@ -83,7 +86,7 @@ /* The following are used to delineate server profiles for user output * and debugging information. */ -typedef enum e_PROFILES +typedef enum e_PROFILES { HI_ALL, HI_APACHE, @@ -92,6 +95,21 @@ HI_IIS5 } PROFILES; +typedef KMAP CMD_LOOKUP; + +typedef struct s_HTTP_CMD_CONF +{ + char cmd_name[1]; // variable length array + +} HTTP_CMD_CONF; + +typedef struct _HISmallChunkLength +{ + uint8_t size; + uint8_t num; + +} HISmallChunkLength; + /** ** This is the configuration construct that holds the specific ** options for a server. Each unique server has it's own structure 
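Review bot: `char cmd_name[1]; // variable length array` in HTTP_CMD_CONF is the pre-C99 struct hack: indexing past element 0 is technically undefined, and `sizeof(HTTP_CMD_CONF)` already contains one byte that every allocation site then has to account for. A C99 flexible array member, `char cmd_name[];`, is the well-defined form and the allocation becomes `malloc(sizeof *conf + len + 1)`; if the code must stay C89, the comment should at least say how callers are expected to size the allocation. `HI_UI_CONFIG_MAX_SPACES_DEFAULT 200` and the `HISmallChunkLength` `size`/`num` fields arrive without comments; one line each on what they bound (the consecutive spaces tolerated while parsing a header, and the chunk-size threshold and count behind the consecutive-small-chunks events, if that is what they are) would help.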
@@ -114,15 +132,28 @@ int iis_unicode_codepage; int long_dir; - + /* ** Chunk encoding anomaly detection */ unsigned int chunk_length; + HISmallChunkLength small_chunk_length; char uri_only; char no_alerts; + char enable_cookie; + char inspect_response; + char enable_xff; + char log_uri; + char log_hostname; + +#ifdef ZLIB + char extract_gzip; + char unlimited_decompress; +#endif + /* Support Extended ascii codes in the URI */ + char extended_ascii_uri; /* ** pipeline requests */ @@ -145,18 +176,28 @@ char tab_uri_delimiter; /* - ** Normalize HTTP Headers if they exist. + ** Normalize HTTP Headers if they exist. XXX Not sure what Apache & IIS do with respect to HTTP header 'uri' normalization. */ char normalize_headers; /* - ** Normalize HTTP Headers if they exist. + ** Normalize HTTP Headers if they exist. XXX Not sure what Apache & IIS do with respect to HTTP header 'uri' normalization. */ char normalize_cookies; /* + ** Normalize multi-byte UTF charsets in HTTP server responses. + */ + char normalize_utf; + + /* + * Normalize Javascripts in HTTP server responses + */ + char normalize_javascript; + + /* ** Characters to be treated as whitespace bracketing a URI. */ char whitespace[256]; @@ -168,7 +209,6 @@ HTTPINSPECT_CONF_OPT double_decoding; HTTPINSPECT_CONF_OPT u_encoding; HTTPINSPECT_CONF_OPT bare_byte; - HTTPINSPECT_CONF_OPT base36; HTTPINSPECT_CONF_OPT utf_8; HTTPINSPECT_CONF_OPT iis_unicode; char non_rfc_chars[256]; 
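Review bot: In hunk @@ -145,18 +176,28 @@ the rewritten comment above `normalize_cookies` still reads `** Normalize HTTP Headers if they exist.`, copied verbatim from the `normalize_headers` comment two fields up, so the Cookie option is documented as the header option; it should say `** Normalize the Cookie header if it exists.` with the same caveat if it applies. The `XXX Not sure what Apache & IIS do ...` remark added to both comments is an open question rather than documentation; if the profile behaviour is unknown, say so where the option is documented for users, and drop the remark once it is answered. The new `normalize_javascript` block uses ` * ` comment continuation while the neighbouring `normalize_utf` block and the rest of the struct use `**`; one style should be kept.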
@@ -184,14 +224,17 @@ HTTPINSPECT_CONF_OPT iis_delimiter; int max_hdr_len; int max_headers; + int max_spaces; + int max_js_ws; PROFILES profile; - + CMD_LOOKUP *cmd_lookup; + /**Used to track references to this allocated data structure. Each additional - * reference should increment referenceCount. Each attempted free should - * decrement it. When free is attempted and reference count is 0, then - * this HTTPINSPECT_CONF should be actually freed. - */ + * reference should increment referenceCount. Each attempted free should + * decrement it. When free is attempted and reference count is 0, then + * this HTTPINSPECT_CONF should be actually freed. + */ int referenceCount; } HTTPINSPECT_CONF; @@ -204,6 +247,7 @@ */ typedef struct s_HTTPINSPECT_GLOBAL_CONF { + int disabled; int max_pipeline_requests; int inspection_type; int anomalous_servers; @@ -220,11 +264,24 @@ HTTPINSPECT_CONF *global_server; SERVER_LOOKUP *server_lookup; - int hex_lookup[256]; - int valid_lookup[256]; +#ifdef ZLIB + int max_gzip_sessions; + int max_gzip_mem; + int compr_depth; + int decompr_depth; +#endif + int memcap; + uint32_t xtra_trueip_id; + uint32_t xtra_uri_id; + uint32_t xtra_hname_id; + uint32_t xtra_gzip_id; + uint32_t xtra_jsnorm_id; + +} HTTPINSPECT_GLOBAL_CONF; -} HTTPINSPECT_GLOBAL_CONF; +#define INVALID_HEX_VAL -1 +#define HEX_VAL 1 /* ** Functions @@ -233,6 +290,7 @@ int hi_ui_config_default(HTTPINSPECT_CONF *GlobalConf); int hi_ui_config_reset_global(HTTPINSPECT_GLOBAL_CONF *GlobalConf); int hi_ui_config_reset_server(HTTPINSPECT_CONF *ServerConf); +void hi_ui_config_reset_http_methods(HTTPINSPECT_CONF *ServerConf); int hi_ui_config_add_server(HTTPINSPECT_GLOBAL_CONF *GlobalConf, sfip_t *ServerIP, 
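Review bot: `#define INVALID_HEX_VAL -1` in hunk @@ -220,11 +264,24 @@ expands to an unparenthesised negative literal; the conventional form is `#define INVALID_HEX_VAL (-1)` (and `#define HEX_VAL (1)` for symmetry) so the macro behaves as a single operand wherever it is used — the same applies to `#define NO_URI -1` in the new hi_uri.h further down this diff. The `hex_lookup`/`valid_lookup` tables leave HTTPINSPECT_GLOBAL_CONF here and reappear as file-scope externs in the hunk at line 242, which is fine for read-only tables but means every configuration instance now shares one copy; a comment next to the externs stating that they are filled once at initialisation and then only read would make that contract explicit, since the initialisation is not visible from this header. `int memcap;` and the `max_gzip_*` / `*_depth` fields are signed while they bound memory and byte counts; presumably the configuration parser rejects negative values, but that is outside this diff and worth confirming.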
@@ -242,5 +300,8 @@ int hi_ui_config_set_profile_iis(HTTPINSPECT_CONF *GlobalConf, int *); int hi_ui_config_set_profile_iis_4or5(HTTPINSPECT_CONF *GlobalConf, int *); int hi_ui_config_set_profile_all(HTTPINSPECT_CONF *GlobalConf, int *); +void HttpInspectCleanupHttpMethodsConf(void *); +extern int hex_lookup[256]; +extern int valid_lookup[256]; #endif diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_ui_iis_unicode_map.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_ui_iis_unicode_map.h --- snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_ui_iis_unicode_map.h 2009-01-26 16:26:30.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_ui_iis_unicode_map.h 2011-02-09 23:23:32.000000000 +0000 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h --- snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h 2009-01-26 16:26:30.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h 2011-02-09 23:23:32.000000000 +0000 
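Review bot: `void HttpInspectCleanupHttpMethodsConf(void *);` drops the parameter name, unlike every other prototype in this header, and a `void *` gives the compiler nothing to check; naming it, e.g. `void HttpInspectCleanupHttpMethodsConf(void *cmd_conf);`, at least tells a caller what is expected — presumably the per-method HTTP_CMD_CONF that the callback casts back, which the comment should confirm. `extern int hex_lookup[256];` and `extern int valid_lookup[256];` are new global tables; a one-line comment saying where they are initialised and that they are treated as read-only afterwards would help the next reader, since that cannot be seen from the declarations.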
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_uri.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_uri.h --- snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_uri.h 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_uri.h 2011-02-09 23:23:32.000000000 +0000 
@@ -0,0 +1,61 @@
+/****************************************************************************
+ *
+ * Copyright (C) 2005-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+#ifndef HI_URI_H
+#define HI_URI_H
+
+#ifdef HAVE_CONFIG_H
+#include
+#endif
+/**
+** This structure holds pointers to the different sections of an HTTP
+** request. We need to track where whitespace begins and ends, so we
+** can evaluate the placement of the URI correctly.
+**
+** For example,
+**
+** GET / HTTP/1.0
+** ^ ^
+** start end
+**
+** The end space pointers are set to NULL if there is space until the end
+** of the buffer.
+*/
+typedef struct s_URI_PTR
+{
+ const u_char *uri; /* the beginning of the URI */
+ const u_char *uri_end; /* the end of the URI */
+ const u_char *norm; /* ptr to first normalization occurence */
+ const u_char *ident; /* ptr to beginning of the HTTP identifier */
+ const u_char *first_sp_start; /* beginning of first space delimiter */
+ const u_char *first_sp_end; /* end of first space delimiter */
+ const u_char *second_sp_start; /* beginning of second space delimiter */
+ const u_char *second_sp_end; /* end of second space delimiter */
+ const u_char *param; /* '?' (beginning of parameter field) */
+ const u_char *delimiter; /* HTTP URI delimiter (\r\n\) */
+ const u_char *last_dir; /* ptr to last dir, so we catch long dirs */
+ const u_char *proxy; /* ptr to the absolute URI */
+} URI_PTR;
+
+#define URI_END 1
+#define NO_URI -1
+
+#endif /* HI_URI_H */
diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_util.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_util.h
--- snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_util.h 2009-01-26 16:26:30.000000000 +0000
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_util.h 2011-07-13 22:44:51.000000000 +0000
@@ -1,6 +1,6 @@
 /****************************************************************************
 *
- * Copyright (C) 2003-2009 Sourcefire, Inc.
+ * Copyright (C) 2003-2011 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
@@ -18,14 +18,14 @@
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 ****************************************************************************/
-
+
 /**
 ** @file hi_util.h
-**
+**
 ** @author Daniel Roelker
 **
 ** @brief HttpInspect utility functions.
-**
+**
 ** Contains function prototype and inline utility functions.
 **
 ** NOTES:
@@ -35,6 +35,7 @@
 #ifndef __HI_UTIL_H__
 #define __HI_UTIL_H__
+#include
 #include "hi_include.h"
 /*
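Review bot: hi_uri.h declares every URI_PTR field as `const u_char *` yet includes only the config header, so it compiles only when the including file has already brought `u_char` into scope; hi_util.h in this same diff includes "hi_include.h" before using `u_char`, and hi_uri.h should likewise include whatever provides that typedef so the header stands on its own. The `delimiter` field comment `/* HTTP URI delimiter (\r\n\) */` has a stray trailing backslash; `/* HTTP URI delimiter (\r\n) */` is presumably what was meant. The struct comment says the end-space pointers are NULL when whitespace runs to the end of the buffer, but nothing says whether `uri_end`, `param`, `last_dir` or `proxy` may also be NULL; a sentence stating which fields are optional would tell a consumer what must be checked before dereferencing.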
@@ -42,25 +43,25 @@
 ** hi_util_in_bounds::
 */
 /**
-** This function checks for in bounds condition on buffers.
-**
+** This function checks for in bounds condition on buffers.
+**
 ** This is very important for much of what we do here, since inspecting
 ** data buffers is mainly what we do. So we always make sure that we are
 ** within the buffer.
-**
+**
 ** This checks a half-open interval with the end pointer being one char
 ** after the end of the buffer.
-**
+**
 ** @param start the start of the buffer.
 ** @param end the end of the buffer.
 ** @param p the pointer within the buffer
-**
+**
 ** @return integer
-**
+**
 ** @retval 1 within bounds
 ** @retval 0 not within bounds
 */
-static INLINE int hi_util_in_bounds(const u_char *start, const u_char *end, const u_char *p)
+static inline int hi_util_in_bounds(const u_char *start, const u_char *end, const u_char *p)
 {
 if(p >= start && p < end)
 {
@@ -70,5 +71,56 @@
 return 0;
 }
-#endif
+static inline void SkipWhiteSpace(const u_char *start, const u_char *end,
+ const u_char **ptr)
+{
+ while (hi_util_in_bounds(start, end, *ptr) && isspace((int)**ptr) && (**ptr != '\n'))
+ (*ptr)++;
+}
+static inline int SkipBlankSpace(const u_char *start, const u_char *end,
+ const u_char **ptr)
+{
+ int count = 0;
+ while((hi_util_in_bounds(start, end, *ptr)) && ( **ptr == ' ' || **ptr == '\t') )
+ {
+ (*ptr)++;
+ count++;
+ }
+ return count;
+}
+static inline void SkipDigits(const u_char *start, const u_char *end,
+ const u_char **ptr)
+{
+ while((hi_util_in_bounds(start, end, *ptr)) && (isdigit((int)**ptr)) ) {(*ptr)++;}
+}
+
+static inline void SkipBlankAndNewLine(const u_char *start, const u_char *end,
+ const u_char **ptr)
+{
+ while( (hi_util_in_bounds(start, end, *ptr)) &&
+ ( **ptr == ' ' || **ptr == '\t') && (**ptr != '\n') ) {(*ptr)++;}
+}
+
+static inline void SkipCRLF(const u_char *start, const u_char *end,
+ const u_char **ptr)
+{
+ while( (hi_util_in_bounds(start, end, *ptr)) &&
+ ( **ptr == '\r' || **ptr == '\n') ) {(*ptr)++;}
+}
+
+
+static inline int IsHeaderFieldName(const u_char *p, const u_char *end,
+ const char *header_name, size_t header_len)
+{
+ if ((p+header_len) <= end)
+ {
+ if(!strncasecmp((const char *)p, header_name, header_len))
+ return 1;
+ else
+ return 0;
+ }
+ return 0;
+}
+
+#endif /* __HI_UTIL_H__ */
diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_util_hbm.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_util_hbm.h
--- snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_util_hbm.h 2009-01-26 16:26:30.000000000 +0000
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_util_hbm.h 2011-02-09 23:23:32.000000000 +0000
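Review bot: `if ((p+header_len) <= end)` in IsHeaderFieldName computes `p + header_len` before establishing that it stays within the buffer, so when fewer than header_len bytes remain the arithmetic already points past one-past-the-end, which is undefined behaviour that an optimising compiler is entitled to assume never happens. Compare remaining length instead, `if (p <= end && (size_t)(end - p) >= header_len)`, which keeps the comparison in defined territory and also returns 0 cleanly when `p` is beyond `end`. In SkipBlankAndNewLine the `(**ptr != '\n')` term can never be false once `**ptr == ' ' || **ptr == '\t'` holds, so the loop is identical to SkipBlankSpace's and the name promises a newline skip it does not perform; either drop the redundant term and rename, or add `'\n'` to the accepted set if that was the intent. SkipWhiteSpace is the only helper that stops at `'\n'` while accepting the other isspace() characters (`'\r'`, `'\v'`, `'\f'`); a one-line comment on each of the five helpers naming exactly which bytes it consumes would save the next reader from diffing five near-identical loops.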
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_util_kmap.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_util_kmap.h --- snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_util_kmap.h 2009-01-26 16:26:30.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_util_kmap.h 2011-02-09 23:23:32.000000000 +0000 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_util_xmalloc.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_util_xmalloc.h --- snort-2.8.5.2/src/preprocessors/HttpInspect/include/hi_util_xmalloc.h 2009-05-06 22:29:26.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_util_xmalloc.h 2011-02-09 23:23:32.000000000 +0000 
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/Makefile.am snort-2.9.2/src/preprocessors/HttpInspect/include/Makefile.am --- snort-2.8.5.2/src/preprocessors/HttpInspect/include/Makefile.am 2003-10-20 15:03:40.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/include/Makefile.am 2011-06-08 00:33:18.000000000 +0000 @@ -4,19 +4,26 @@ hi_ad.h \ hi_client.h \ hi_client_norm.h \ +hi_client_stateful.h \ hi_eo_events.h \ hi_eo.h \ hi_eo_log.h \ +hi_paf.h \ hi_include.h \ hi_mi.h \ hi_norm.h \ +hi_reqmethod_check.h \ hi_return_codes.h \ hi_server.h \ +hi_server_norm.h \ hi_si.h \ +hi_stateful_inspect.h \ hi_ui_config.h \ +hi_cmd_lookup.h \ hi_ui_iis_unicode_map.h \ hi_ui_server_lookup.h \ +hi_uri.h \ hi_util.h \ hi_util_hbm.h \ hi_util_kmap.h \ -hi_util_xmalloc.h +hi_util_xmalloc.h diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/include/Makefile.in snort-2.9.2/src/preprocessors/HttpInspect/include/Makefile.in --- snort-2.8.5.2/src/preprocessors/HttpInspect/include/Makefile.in 2009-10-19 21:18:01.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/include/Makefile.in 2011-12-07 19:23:21.000000000 +0000 
@@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -15,8 +16,9 @@ @SET_MAKE@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c @@ -41,6 +43,7 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = depcomp = am__depfiles_maybe = SOURCES = @@ -55,31 +58,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ 
@@ -92,12 +95,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ @@ -105,20 +114,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -150,6 +166,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -162,6 +179,7 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies 
@@ -169,22 +187,29 @@ hi_ad.h \ hi_client.h \ hi_client_norm.h \ +hi_client_stateful.h \ hi_eo_events.h \ hi_eo.h \ hi_eo_log.h \ +hi_paf.h \ hi_include.h \ hi_mi.h \ hi_norm.h \ +hi_reqmethod_check.h \ hi_return_codes.h \ hi_server.h \ +hi_server_norm.h \ hi_si.h \ +hi_stateful_inspect.h \ hi_ui_config.h \ +hi_cmd_lookup.h \ hi_ui_iis_unicode_map.h \ hi_ui_server_lookup.h \ +hi_uri.h \ hi_util.h \ hi_util_hbm.h \ hi_util_kmap.h \ -hi_util_xmalloc.h +hi_util_xmalloc.h all: all-am @@ -193,14 +218,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/include/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/include/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/include/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/include/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -218,6 +243,7 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): mostlyclean-libtool: -rm -f *.lo 
@@ -247,13 +273,17 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @@ -281,6 +311,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -299,6 +330,8 @@ html: html-am +html-am: + info: info-am info-am: @@ -307,18 +340,28 @@ install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am 
@@ -352,6 +395,7 @@ maintainer-clean-generic mostlyclean mostlyclean-generic \ mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/Makefile.am snort-2.9.2/src/preprocessors/HttpInspect/Makefile.am --- snort-2.8.5.2/src/preprocessors/HttpInspect/Makefile.am 2003-10-20 15:03:39.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/Makefile.am 2011-06-08 00:33:18.000000000 +0000 @@ -18,10 +18,13 @@ utils/hi_util_kmap.o \ utils/hi_util_xmalloc.o \ utils/hi_util_hbm.o \ +utils/hi_cmd_lookup.o \ +utils/hi_paf.o \ event_output/hi_eo_log.o \ client/hi_client.o \ client/hi_client_norm.o \ server/hi_server.o \ +server/hi_server_norm.o \ normalization/hi_norm.o INCLUDES = @INCLUDES@ diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/Makefile.in snort-2.9.2/src/preprocessors/HttpInspect/Makefile.in --- snort-2.8.5.2/src/preprocessors/HttpInspect/Makefile.in 2009-10-19 21:18:00.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/Makefile.in 2011-12-07 19:23:21.000000000 +0000 @@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. 
@@ -16,8 +17,9 @@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c @@ -42,6 +44,7 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = LIBRARIES = $(noinst_LIBRARIES) ARFLAGS = cru libhttp_inspect_a_AR = $(AR) $(ARFLAGS) @@ -51,12 +54,12 @@ session_inspection/hi_si.o mode_inspection/hi_mi.o \ anomaly_detection/hi_ad.o utils/hi_util_kmap.o \ utils/hi_util_xmalloc.o utils/hi_util_hbm.o \ - event_output/hi_eo_log.o client/hi_client.o \ - client/hi_client_norm.o server/hi_server.o \ - normalization/hi_norm.o + utils/hi_cmd_lookup.o utils/hi_paf.o event_output/hi_eo_log.o \ + client/hi_client.o client/hi_client_norm.o server/hi_server.o \ + server/hi_server_norm.o normalization/hi_norm.o am_libhttp_inspect_a_OBJECTS = libhttp_inspect_a_OBJECTS = $(am_libhttp_inspect_a_OBJECTS) -DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = am__depfiles_maybe = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ 
@@ -79,10 +82,38 @@ ps-recursive uninstall-recursive RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive +AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \ + $(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \ + distdir ETAGS = etags CTAGS = ctags DIST_SUBDIRS = $(SUBDIRS) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +am__relativize = \ + dir0=`pwd`; \ + sed_first='s,^\([^/]*\)/.*$$,\1,'; \ + sed_rest='s,^[^/]*/*,,'; \ + sed_last='s,^.*/\([^/]*\)$$,\1,'; \ + sed_butlast='s,/*[^/]*$$,,'; \ + while test -n "$$dir1"; do \ + first=`echo "$$dir1" | sed -e "$$sed_first"`; \ + if test "$$first" != "."; then \ + if test "$$first" = ".."; then \ + dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ + dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ + else \ + first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ + if test "$$first2" = "$$first"; then \ + dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ + else \ + dir2="../$$dir2"; \ + fi; \ + dir0="$$dir0"/"$$first"; \ + fi; \ + fi; \ + dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ + done; \ + reldir="$$dir2" ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AR = @AR@ 
@@ -92,31 +123,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ @@ -129,12 +160,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -142,20 +179,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -187,6 +231,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -199,6 +244,7 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies @@ -217,10 +263,13 @@ utils/hi_util_kmap.o \ utils/hi_util_xmalloc.o \ utils/hi_util_hbm.o \ +utils/hi_cmd_lookup.o \ +utils/hi_paf.o \ event_output/hi_eo_log.o \ client/hi_client.o \ client/hi_client_norm.o \ server/hi_server.o \ +server/hi_server_norm.o \ normalization/hi_norm.o all: all-recursive 
@@ -230,14 +279,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -255,6 +304,7 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): clean-noinstLIBRARIES: -test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES) @@ -282,7 +332,7 @@ # (which will cause the Makefiles to be regenerated when you run `make'); # (2) otherwise, pass the desired values on the `make' command line. $(RECURSIVE_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ @@ -299,7 +349,7 @@ else \ local_target="$$target"; \ fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done; \ if test "$$dot_seen" = "no"; then \ @@ -307,7 +357,7 @@ fi; test -z "$$fail" $(RECURSIVE_CLEAN_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ 
@@ -333,16 +383,16 @@ else \ local_target="$$target"; \ fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done && test -z "$$fail" tags-recursive: list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ + test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ done ctags-recursive: list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ + test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ done ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) @@ -350,14 +400,14 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ include_option=--etags-include; \ 
@@ -369,39 +419,43 @@ list='$(SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test ! -f $$subdir/TAGS || \ - tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \ + set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ fi; \ done; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags 
@@ -422,29 +476,44 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done - list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test -d "$(distdir)/$$subdir" \ || $(MKDIR_P) "$(distdir)/$$subdir" \ || exit 1; \ - distdir=`$(am__cd) $(distdir) && pwd`; \ - top_distdir=`$(am__cd) $(top_distdir) && pwd`; \ - (cd $$subdir && \ + fi; \ + done + @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ + $(am__relativize); \ + new_distdir=$$reldir; \ + dir1=$$subdir; dir2="$(top_distdir)"; \ + $(am__relativize); \ + new_top_distdir=$$reldir; \ + echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ + echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ + ($(am__cd) $$subdir && \ $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$$top_distdir" \ - distdir="$$distdir/$$subdir" \ + top_distdir="$$new_top_distdir" \ + distdir="$$new_distdir" \ am__remove_distdir=: \ am__skip_length_check=: \ + am__skip_mode_fix=: \ distdir) \ || exit 1; \ fi; \ 
@@ -474,6 +543,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -494,6 +564,8 @@ html: html-recursive +html-am: + info: info-recursive info-am: @@ -502,18 +574,28 @@ install-dvi: install-dvi-recursive +install-dvi-am: + install-exec-am: install-html: install-html-recursive +install-html-am: + install-info: install-info-recursive +install-info-am: + install-man: install-pdf: install-pdf-recursive +install-pdf-am: + install-ps: install-ps-recursive +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-recursive @@ -535,8 +617,8 @@ uninstall-am: -.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \ - install-strip +.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \ + install-am install-strip tags-recursive .PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \ all all-am check check-am clean clean-generic clean-libtool \ @@ -553,6 +635,7 @@ mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \ uninstall uninstall-am + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/mode_inspection/hi_mi.c snort-2.9.2/src/preprocessors/HttpInspect/mode_inspection/hi_mi.c --- snort-2.8.5.2/src/preprocessors/HttpInspect/mode_inspection/hi_mi.c 2009-01-26 16:26:31.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/mode_inspection/hi_mi.c 2011-06-08 00:33:19.000000000 +0000 
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** ** @file hi_mi.c ** @@ -35,12 +35,13 @@ ** - 3.2.03: Initial development. DJR */ -#include "sys/types.h" +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif #include "hi_si.h" #include "hi_client.h" #include "hi_server.h" -#include "hi_ad.h" #include "hi_return_codes.h" /* @@ -65,24 +66,15 @@ ** @retval HI_INVALID_ARG argument(s) was invalid or NULL */ -int hi_mi_mode_inspection(HI_SESSION *Session, int iInspectMode, - const u_char *data, int dsize) +int hi_mi_mode_inspection(HI_SESSION *Session, int iInspectMode, + Packet *p, HttpSessionData *hsd) { int iRet; - - - if(!Session || !data || dsize < 0) - { + if (!Session || !p->data || (p->dsize == 0)) return HI_INVALID_ARG; - } /* ** Depending on the mode, we inspect the packet differently. - ** - ** HI_SI_NO_MODE: - ** This means that the packet is neither an HTTP client or server, - ** so we can do what we want with the packet, like look for rogue - ** HTTP servers or HTTP tunneling. ** ** HI_SI_CLIENT_MODE: ** Inspect for HTTP client communication. 
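Review bot: The new argument guard in hi_mi_mode_inspection dereferences `p` before anything establishes it is non-NULL — `!p->data` is evaluated even when `p` itself is NULL, whereas the old check tested `!data` directly; it should read `if (!Session || !p || !p->data || (p->dsize == 0))`. `hsd` is not validated at this point at all, and the function body continues past the hunk, so whether a NULL `hsd` is acceptable on the client path cannot be confirmed here. The doc block above the signature (only its `@retval HI_INVALID_ARG` line is in view) presumably still describes the removed `data`/`dsize` parameters; its `@param` lines should be replaced with `@param p the packet under inspection` and `@param hsd the HttpInspect per-session data`.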
@@ -90,32 +82,22 @@ ** HI_SI_SERVER_MODE: ** Inspect for HTTP server communication. */ - if(iInspectMode == HI_SI_NO_MODE) - { - /* - ** Let's look for rogue HTTP servers and stuff - */ - iRet = hi_server_anomaly_detection(Session, data, dsize); - if (iRet) - { - return iRet; - } - } - else if(iInspectMode == HI_SI_CLIENT_MODE) + if(iInspectMode == HI_SI_CLIENT_MODE) { - iRet = hi_client_inspection((void *)Session, data, dsize); +#ifdef ENABLE_PAF + if ( ScPafEnabled() ) + iRet = hi_client_inspection((void *)Session, p->data, p->dsize, hsd, !PacketHasStartOfPDU(p)); + else +#endif + iRet = hi_client_inspection((void *)Session, p->data, p->dsize, hsd, p->packet_flags & PKT_STREAM_INSERT); if (iRet) - { return iRet; - } } - else if(iInspectMode == HI_SI_SERVER_MODE) + else if( hsd && iInspectMode == HI_SI_SERVER_MODE ) { - iRet = hi_server_inspection((void *)Session, data, dsize); + iRet = hi_server_inspection((void *)Session, p, hsd); if (iRet) - { return iRet; - } } else { diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/mode_inspection/Makefile.in snort-2.9.2/src/preprocessors/HttpInspect/mode_inspection/Makefile.in --- snort-2.8.5.2/src/preprocessors/HttpInspect/mode_inspection/Makefile.in 2009-10-19 21:18:01.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/mode_inspection/Makefile.in 2011-12-07 19:23:21.000000000 +0000 @@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. 
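Review bot: In the client-mode branch the `#ifdef ENABLE_PAF` `if`/`else` is unbraced and its `else` body is whatever statement follows `#endif`, so the two hi_client_inspection calls, which differ only in their last argument, are written out twice and the control flow depends on a preprocessor boundary; computing that argument once and making a single braced call removes the preprocessor-dependent dangling-else. The server branch now requires `hsd`, so a NULL `hsd` in HI_SI_SERVER_MODE falls into the `else` arm together with unknown modes; that arm lies outside the hunk, so what it returns is not visible, and a comment such as `/* server-side inspection needs session data; without it take the invalid-mode path */` would make the intent explicit. The name of hi_client_inspection's final parameter is not in view, so the local below is named provisionally.
```c
    if(iInspectMode == HI_SI_CLIENT_MODE)
    {
        /* last argument: PKT_STREAM_INSERT without PAF, "not the start of a PDU" with PAF */
        int mid_pdu = p->packet_flags & PKT_STREAM_INSERT;
#ifdef ENABLE_PAF
        if ( ScPafEnabled() )
            mid_pdu = !PacketHasStartOfPDU(p);
#endif
        iRet = hi_client_inspection((void *)Session, p->data, p->dsize, hsd, mid_pdu);
        if (iRet)
            return iRet;
    }
    /* … unchanged: server-mode and else branches … */
```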
@@ -16,8 +17,9 @@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c @@ -42,13 +44,14 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = LIBRARIES = $(noinst_LIBRARIES) ARFLAGS = cru libhi_mi_a_AR = $(AR) $(ARFLAGS) libhi_mi_a_LIBADD = am_libhi_mi_a_OBJECTS = hi_mi.$(OBJEXT) libhi_mi_a_OBJECTS = $(am_libhi_mi_a_OBJECTS) -DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = am__depfiles_maybe = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ @@ -74,31 +77,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ 
@@ -111,12 +114,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ @@ -124,20 +133,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -169,6 +185,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -181,6 +198,7 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies 
@@ -196,14 +214,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/mode_inspection/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/mode_inspection/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/mode_inspection/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/mode_inspection/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -221,6 +239,7 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): clean-noinstLIBRARIES: -test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES) 
@@ -255,45 +274,49 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i 
$(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags @@ -314,13 +337,17 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @@ -348,6 +375,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -368,6 +396,8 @@ html: html-am +html-am: + info: info-am info-am: @@ -376,18 +406,28 @@ install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am 
@@ -424,6 +464,7 @@ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ pdf pdf-am ps ps-am tags uninstall uninstall-am + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/normalization/hi_norm.c snort-2.9.2/src/preprocessors/HttpInspect/normalization/hi_norm.c --- snort-2.8.5.2/src/preprocessors/HttpInspect/normalization/hi_norm.c 2009-05-06 22:29:26.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/normalization/hi_norm.c 2011-06-08 00:33:19.000000000 +0000 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,19 +18,19 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** ** @file hi_norm.c -** +** ** @author Daniel Roelker #include +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_client_norm.h" +#include "hi_server_norm.h" #include "hi_eo.h" #include "hi_eo_events.h" #include "hi_eo_log.h" @@ -50,12 +55,10 @@ #include "hi_util.h" #include "hi_util_xmalloc.h" #include "sfPolicy.h" +#include "detection_util.h" #define MAX_DIRS 2048 -#define NO_HEX_VAL -1 -#define BASE36_VAL -2 -#define HEX_VAL 1 /** ** This define checks for negative return codes, since we have multiple @@ -83,10 +86,8 @@ } URI_NORM_STATE; typedef int (*DECODE_FUNC)(HI_SESSION *, const u_char *, - const u_char *, const u_char **, URI_NORM_STATE *); + const u_char *, const u_char **, URI_NORM_STATE *, uint16_t *); -int hex_lookup[256] = {0}; -int valid_lookup[256] = {0}; /* ** NAME 
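Review bot: The file-scope definitions `int hex_lookup[256]` and `int valid_lookup[256]` are deleted in the `@@ -83,10 +86,8 @@` hunk of hi_norm.c, yet later hunks in this same file still index `hex_lookup[(u_char)iByte]` and `valid_lookup[(u_char)iByte]` (UDecode and PercentDecode), so the tables must now be declared by one of the headers added above — presumably as externs, which is not visible on this page. A one-line pointer at the former definition site, `/* hex_lookup/valid_lookup are now defined and initialised in <LOCATION> */` with the real location filled in, would tell a reader of this file where the initialisation happens. The DECODE_FUNC typedef also gains a `uint16_t *` parameter; the include block in the preceding hunk is garbled on this page, so whether `<stdint.h>` or config.h supplies `uint16_t` cannot be confirmed.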
@@ -94,33 +95,33 @@ */ /** ** This routine is for getting bytes in the U decode. -** +** ** This checks the current bounds and checking for the double decoding. ** This routine differs from the other Get routines because it returns ** other values than just END_OF_BUFFER and the char. -** +** ** We also return DOUBLE_ENCODING if there is a % and double decoding ** is turned on. -** +** ** When using this function it is important to note that it increments ** the buffer before checking the bounds. So, if you call this function -** in a loop and don't check for END_OF_BUFFER being returned, then +** in a loop and don't check for END_OF_BUFFER being returned, then ** you are going to overwrite the buffer. If I put the check in, you ** would just be in an never-ending loop. So just use this correctly. -** +** ** @param ServerConf the server configuration ** @param start the start of the URI ** @param end the end of the URI ** @param ptr the current pointer into the URI -** +** ** @return integer -** +** ** @retval END_OF_BUFFER the end of the buffer has been reached. ** @retval DOUBLE_ENCODING a percent was found and double decoding is on -** @retval <= 0xff an ASCII char +** @retval <= 0xff an ASCII char */ static int GetPtr(HI_SESSION *Session, const u_char *start, - const u_char *end, const u_char **ptr, URI_NORM_STATE *norm_state) + const u_char *end, const u_char **ptr, URI_NORM_STATE *norm_state, uint16_t *encodeType) { HTTPINSPECT_CONF *ServerConf = Session->server_conf; @@ -130,7 +131,10 @@ return END_OF_BUFFER; if(ServerConf->double_decoding.on && **ptr == '%') + { + *encodeType |= HTTP_ENCODE_TYPE__DOUBLE_ENCODE ; return DOUBLE_ENCODING; + } return (int)**ptr; } 
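Review bot: The doc comment for GetPtr is touched in this hunk (whitespace only) but its `@param` list still does not mention the new `encodeType` out-parameter, and the same omission repeats in the UDecode, PercentDecode, GetChar, UTF8Decode, UnicodeDecode, GetByte, DoubleDecode and GetDecodedByte hunks below; one line per function such as `** @param encodeType accumulated HTTP_ENCODE_TYPE__* bits; the decoders only ever OR into it` would fix all of them. The pointer is dereferenced without a NULL check in every decoder, so "must be non-NULL" belongs in that same comment. In the body hunk, `*encodeType |= HTTP_ENCODE_TYPE__DOUBLE_ENCODE ;` has a stray space before the semicolon.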
@@ -141,18 +145,18 @@ */ /** ** Handles the single decode for %U encoding. -** +** ** This routine receives the ptr pointing to the u. We check the bounds ** and continue with processing. %u encoding works by specifying the ** exact codepoint to be used. For example, %u002f would be /. So this ** all seems fine. BUT, the problem is that IIS maps multiple codepoints ** to ASCII characters. So, %u2044 also maps to /. So this is what we ** need to handle here. -** +** ** This routine only handles the single encoding. For double decoding, ** %u is handled in DoubleDecode(). It's the same routine, with just ** the GetByte function different. -** +** ** We use a get_byte function to get the bytes, so we can use this ** routine for PercentDecode and for DoubleDecode. ** @@ -161,9 +165,9 @@ ** @param end the end of the URI ** @param ptr the current pointer into the URI ** @param get_byte the function pointer to get bytes. -** +** ** @return integer -** +** ** @retval END_OF_BUFFER we are at the end of the buffer ** @retval DOUBLE_ENCODING this U encoding is possible double encoded ** @retval NON_ASCII_CHAR return this char for non-ascii or bad decodes @@ -171,7 +175,7 @@ */ static int UDecode(HI_SESSION *Session, const u_char *start, const u_char *end, const u_char **ptr, DECODE_FUNC get_byte, - URI_NORM_STATE *norm_state) + URI_NORM_STATE *norm_state, uint16_t *encodeType) { HTTPINSPECT_CONF *ServerConf = Session->server_conf; int iByte; @@ -179,17 +183,18 @@ int iCtr; iNorm = 0; - + *encodeType |= HTTP_ENCODE_TYPE__UENCODE; hi_stats.unicode++; for(iCtr = 0; iCtr < 4; iCtr++) { - iByte = get_byte(Session, start, end, ptr, norm_state); + iByte = get_byte(Session, start, end, ptr, norm_state, encodeType); if(iByte & GET_ERR) return iByte; if(valid_lookup[(u_char)iByte] < 0) { + *encodeType |= HTTP_ENCODE_TYPE__NONASCII; hi_stats.non_ascii++; return NON_ASCII_CHAR; } 
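Review bot: `*encodeType |= HTTP_ENCODE_TYPE__UENCODE` is set at the top of UDecode before any of the four bytes is fetched, so a `%u` that runs into END_OF_BUFFER or an invalid digit (which returns NON_ASCII_CHAR a few lines later) still marks the request as u-encoded. If the bit is meant to record "a %u prefix was seen" that is fine and deserves a comment, `/* flagged on the %u prefix alone, even if the sequence is truncated or invalid */`; if it is meant to record "a %u sequence was decoded", it should be set only after the loop completes. The remainder of UDecode lies outside this hunk, so I cannot tell which reading the consumer of these bits relies on.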
@@ -212,7 +217,8 @@ iNorm = ServerConf->iis_unicode_map[iNorm]; if(iNorm == HI_UI_NON_ASCII_CODEPOINT) - { + { + *encodeType |= HTTP_ENCODE_TYPE__NONASCII; hi_stats.non_ascii++; iNorm = NON_ASCII_CHAR; } @@ -223,9 +229,11 @@ hi_eo_client_event_log(Session, HI_EO_CLIENT_IIS_UNICODE, NULL, NULL); } + *encodeType |= HTTP_ENCODE_TYPE__IIS_UNICODE; } else { + *encodeType |= HTTP_ENCODE_TYPE__NONASCII; hi_stats.non_ascii++; return NON_ASCII_CHAR; } @@ -254,32 +262,32 @@ ** This function is the main decoding function. It handles all the ASCII ** encoding and the U encoding, and tells us when there is a double ** encoding. -** +** ** We use the GetPtr() routine to get the bytes for us. This routine ** checks for DOUBLE_ENCODING and tells us about it if it finds something, ** so we can reset the ptrs and run it through the double decoding ** routine. -** +** ** The philosophy behind this routine is that if we run out of buffer ** we return such, the only other thing we return besides the decodes ** char is a NON_ASCII_CHAR in the case that we try and decode something ** like %tt. This is no good, so we return a place holder. -** +** ** @param ServerConf the server configuration ** @param start the start of the URI ** @param end the end of the URI ** @param ptr the current pointer into the URI -** +** ** @return integer -** +** ** @retval END_OF_BUFFER We've hit the end of buffer while decoding. ** @retval NON_ASCII_CHAR Invalid hex encoding, so we return a placeholder. ** @retval char return the valid char -** +** ** @see GetPtr() */ -static int PercentDecode(HI_SESSION *Session, const u_char *start, - const u_char *end, const u_char **ptr, URI_NORM_STATE *norm_state) +static int PercentDecode(HI_SESSION *Session, const u_char *start, + const u_char *end, const u_char **ptr, URI_NORM_STATE *norm_state, uint16_t *encodeType) { HTTPINSPECT_CONF *ServerConf = Session->server_conf; int iByte; 
@@ -288,7 +296,7 @@ orig_ptr = *ptr; - iByte = GetPtr(Session, start, end, ptr, norm_state); + iByte = GetPtr(Session, start, end, ptr, norm_state, encodeType); if(iByte & GET_ERR) { if(iByte == END_OF_BUFFER) @@ -318,7 +326,7 @@ */ if(ServerConf->u_encoding.on && (toupper(iByte) == 'U')) { - iNorm = UDecode(Session, start, end, ptr, GetPtr, norm_state); + iNorm = UDecode(Session, start, end, ptr, GetPtr, norm_state, encodeType); /* ** We have to handle the double meaning of END_OF_BUFFER @@ -337,6 +345,7 @@ if(iNorm == DOUBLE_ENCODING) { + *encodeType |= HTTP_ENCODE_TYPE__DOUBLE_ENCODE; *ptr = orig_ptr; return (int)**ptr; } @@ -344,27 +353,16 @@ return iNorm; } - else if(!ServerConf->base36.on || - valid_lookup[(u_char)iByte] != BASE36_VAL) + else { + *encodeType |= HTTP_ENCODE_TYPE__NONASCII; hi_stats.non_ascii++; return NON_ASCII_CHAR; } - - /* - ** The logic above dictates that if we get to this point, we - ** have a valid base36 encoding, so let's log the event. - */ - hi_stats.base36++; - if(hi_eo_generate_event(Session, ServerConf->base36.alert) && - !norm_state->param) - { - hi_eo_client_event_log(Session, HI_EO_CLIENT_BASE36, NULL, NULL); - } } iNorm = (hex_lookup[(u_char)iByte]<<4); - iByte = GetPtr(Session, start, end, ptr, norm_state); + iByte = GetPtr(Session, start, end, ptr, norm_state, encodeType); if(iByte & GET_ERR) { if(iByte == END_OF_BUFFER) 
@@ -379,26 +377,15 @@ if(valid_lookup[(u_char)iByte] < 0) { - if(!ServerConf->base36.on || valid_lookup[(u_char)iByte] != BASE36_VAL) - { - hi_stats.non_ascii++; - return NON_ASCII_CHAR; - } - - /* - ** Once again, we know we have a valid base36 encoding, let's alert - ** if possible. - */ - hi_stats.base36++; - if(hi_eo_generate_event(Session, ServerConf->base36.alert) && - !norm_state->param) - { - hi_eo_client_event_log(Session, HI_EO_CLIENT_BASE36, NULL, NULL); - } + *encodeType |= HTTP_ENCODE_TYPE__NONASCII; + hi_stats.non_ascii++; + return NON_ASCII_CHAR; } iNorm = (iNorm | (hex_lookup[(u_char)iByte])) & 0xff; + *encodeType |= HTTP_ENCODE_TYPE__ASCII; + if(hi_eo_generate_event(Session,ServerConf->ascii.alert) && !norm_state->param) { @@ -416,29 +403,29 @@ /** ** Wrapper for PercentDecode() and handles the return values from ** PercentDecode(). -** +** ** This really decodes the chars for UnicodeDecode(). If the char is ** a percent then we process stuff, otherwise we just increment the ** pointer and return. -** +** ** @param ServerConf the server configuration ** @param start the start of the URI ** @param end the end of the URI ** @param ptr the current pointer into the URI ** @param bare_byte value for a non-ASCII char or a decoded non-ASCII char -** +** ** @return integer -** +** ** @retval END_OF_BUFFER End of the buffer has been reached before decode. ** @retval NON_ASCII_CHAR End of buffer during decoding, return decoded char. ** @retval char return the valid decoded/undecoded char -** +** ** @see PercentDecode() ** @see GetByte() */ static int GetChar(HI_SESSION *Session, const u_char *start, const u_char *end, const u_char **ptr, int *bare_byte, - URI_NORM_STATE *norm_state) + URI_NORM_STATE *norm_state, uint16_t *encodeType) { HTTPINSPECT_CONF *ServerConf = Session->server_conf; int iNorm; 
@@ -447,13 +434,13 @@ return END_OF_BUFFER; iNorm = (int)(**ptr); - + if(**ptr == '%' && ServerConf->ascii.on) { /* ** We go into percent encoding. */ - iNorm = PercentDecode(Session, start, end, ptr, norm_state); + iNorm = PercentDecode(Session, start, end, ptr, norm_state, encodeType); /* ** If during the course of PercentDecode() we run into the end @@ -469,6 +456,7 @@ { if(ServerConf->bare_byte.on && (u_char)iNorm > 0x7f) { + *encodeType |= HTTP_ENCODE_TYPE__BARE_BYTE; if(hi_eo_generate_event(Session, ServerConf->bare_byte.alert) && !norm_state->param) { @@ -505,30 +493,30 @@ /* ** Decode the UTF-8 sequences and check for valid codepoints via the ** Unicode standard and the IIS standard. -** +** ** We decode up to 3 bytes of UTF-8 because that's all I've been able to ** get to work on various servers, so let's reduce some false positives. ** So we decode valid UTF-8 sequences and then check the value. If the ** value is ASCII, then it's decoded to that. Otherwise, if iis_unicode ** is turned on, we will check the unicode codemap for valid IIS mappings. ** If a mapping turns up, then we return the mapped ASCII. -** +** ** @param ServerConf the server configuration ** @param start the start of the URI ** @param end the end of the URI ** @param ptr the current pointer into the URI -** +** ** @return integer -** +** ** @retval NON_ASCII_CHAR Reached end of buffer while decoding ** @retval char return the decoded or badly decoded char -** +** ** @see GetByte() ** @see UnicodeDecode() */ static int UTF8Decode(HI_SESSION *Session, const u_char *start, const u_char *end, const u_char **ptr, int iFirst, - URI_NORM_STATE *norm_state) + URI_NORM_STATE *norm_state, uint16_t *encodeType) { HTTPINSPECT_CONF *ServerConf = Session->server_conf; int iBareByte; 
@@ -538,7 +526,7 @@ int iByte; /* - ** Right now we support up to 3 byte unicode sequences. We can add + ** Right now we support up to 3 byte unicode sequences. We can add ** more if any of the HTTP servers support more. */ if((iFirst & 0xe0) == 0xc0) @@ -553,6 +541,7 @@ } else { + *encodeType |= HTTP_ENCODE_TYPE__NONASCII; hi_stats.non_ascii++; /* ** This means that we have an invalid first sequence byte for @@ -569,7 +558,7 @@ */ for(iCtr = 0; iCtr < iNumBytes; iCtr++) { - iByte = GetChar(Session, start, end, ptr, &iBareByte, norm_state); + iByte = GetChar(Session, start, end, ptr, &iBareByte, norm_state, encodeType); if(iByte == END_OF_BUFFER || iByte == NON_ASCII_CHAR || iBareByte) return NON_ASCII_CHAR; @@ -580,6 +569,7 @@ } else { + *encodeType |= HTTP_ENCODE_TYPE__NONASCII; hi_stats.non_ascii++; /* ** This means that we don't have a valid unicode sequence, so @@ -610,17 +600,21 @@ hi_eo_client_event_log(Session, HI_EO_CLIENT_IIS_UNICODE, NULL, NULL); } + *encodeType |= HTTP_ENCODE_TYPE__IIS_UNICODE; hi_stats.unicode++; return iNorm; } else { + *encodeType |= HTTP_ENCODE_TYPE__NONASCII; hi_stats.non_ascii++; iNorm = NON_ASCII_CHAR; } } + *encodeType |= HTTP_ENCODE_TYPE__UTF8_UNICODE; + if(hi_eo_generate_event(Session, ServerConf->utf_8.alert) && !norm_state->param) { 
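Review bot: In the `@@ -610,17 +600,21 @@` hunk `*encodeType |= HTTP_ENCODE_TYPE__UTF8_UNICODE` sits after the iis_unicode branch, which returns early with only HTTP_ENCODE_TYPE__IIS_UNICODE set, so a UTF-8 sequence resolved through iis_unicode_map is never tagged as UTF-8, while one that fails the map (and becomes NON_ASCII_CHAR) is tagged both NONASCII and UTF8_UNICODE. If that split is intended, say so where the bit is set, `/* not reached for sequences resolved via iis_unicode_map: those carry IIS_UNICODE only */`; otherwise set UTF8_UNICODE before the branch. UTF8Decode begins and ends outside this hunk, so the path taken for plain ASCII results is not in view.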
@@ -637,30 +631,30 @@ */ /** ** Checks for the ServerConf values before we actually decode. -** +** ** This function is really a ServerConf wrapper for UTF8Decode. ** ** @param ServerConf the server configuration ** @param start the start of the URI ** @param end the end of the URI ** @param ptr the current pointer into the URI -** +** ** @return integer -** +** ** @retval char the decode/undecoded byte. -** +** ** @see GetByte() */ -static int UnicodeDecode(HI_SESSION *Session, const u_char *start, +static int UnicodeDecode(HI_SESSION *Session, const u_char *start, const u_char *end, const u_char **ptr, int iFirst, - URI_NORM_STATE *norm_state) + URI_NORM_STATE *norm_state, uint16_t *encodeType) { HTTPINSPECT_CONF *ServerConf = Session->server_conf; int iNorm = iFirst; if(ServerConf->iis_unicode.on || ServerConf->utf_8.on) { - iNorm = UTF8Decode(Session, start, end, ptr, iFirst, norm_state); + iNorm = UTF8Decode(Session, start, end, ptr, iFirst, norm_state, encodeType); } return iNorm; 
@@ -673,28 +667,28 @@ /** ** Handles the first stage of URI decoding for the case of IIS double ** decoding. -** +** ** The first stage consists of ASCII decoding and unicode decoding. %U ** decoding is handled in the ASCII decoding. -** +** ** @param ServerConf the server configuration ** @param start the start of the URI ** @param end the end of the URI ** @param ptr the current pointer into the URI -** +** ** @return integer -** +** ** @retval END_OF_BUFFER means that we've reached the end of buffer in ** GetChar. ** @retval iChar this is the character that was decoded. */ static int GetByte(HI_SESSION *Session, const u_char *start, const u_char *end, - const u_char **ptr, URI_NORM_STATE *norm_state) + const u_char **ptr, URI_NORM_STATE *norm_state, uint16_t *encodeType) { int iChar; int iBareByte; - iChar = GetChar(Session, start, end, ptr, &iBareByte, norm_state); + iChar = GetChar(Session, start, end, ptr, &iBareByte, norm_state, encodeType); if(iChar == END_OF_BUFFER) return END_OF_BUFFER; @@ -706,7 +700,7 @@ */ if((iChar & 0x80) && !iBareByte) { - iChar = UnicodeDecode(Session, start, end, ptr, iChar, norm_state); + iChar = UnicodeDecode(Session, start, end, ptr, iChar, norm_state, encodeType); } return iChar; @@ -718,7 +712,7 @@ */ /** ** The double decoding routine for IIS good times. -** +** ** Coming into this function means that we just decoded a % or that ** we just saw two percents in a row. We know which state we are ** in depending if the first char is a '%' or not. 
@@ -730,21 +724,21 @@ ** - ascii ** ** Knowing this, we can decode appropriately. -** +** ** @param ServerConf the server configuration ** @param start the start of the URI ** @param end the end of the URI ** @param ptr the current pointer into the URI ** @param norm_state the ptr to the URI norm state -** +** ** @return integer -** +** ** @retval NON_ASCII_CHAR End of buffer reached while decoding ** @retval char The decoded char */ static int DoubleDecode(HI_SESSION *Session, const u_char *start, const u_char *end, const u_char **ptr, - URI_NORM_STATE *norm_state) + URI_NORM_STATE *norm_state, uint16_t *encodeType) { HTTPINSPECT_CONF *ServerConf = Session->server_conf; int iByte; @@ -752,6 +746,7 @@ const u_char *orig_ptr; orig_ptr = *ptr; + *encodeType |= HTTP_ENCODE_TYPE__DOUBLE_ENCODE; /* ** We now know that we have seen a previous % and that we need to @@ -768,7 +763,7 @@ ** So now we just get the remaining bytes and do the processing ** ourselves in this routine. */ - iByte = GetByte(Session, start, end, ptr, norm_state); + iByte = GetByte(Session, start, end, ptr, norm_state, encodeType); if(iByte == END_OF_BUFFER) return NON_ASCII_CHAR; @@ -776,8 +771,8 @@ { if(ServerConf->u_encoding.on && (toupper(iByte) == 'U')) { - iNorm = UDecode(Session, start, end, ptr, GetByte, norm_state); - + iNorm = UDecode(Session, start, end, ptr, GetByte, norm_state, encodeType); + if(iNorm == END_OF_BUFFER) { /* @@ -797,7 +792,7 @@ iNorm = (hex_lookup[(u_char)iByte]<<4); - iByte = GetByte(Session, start, end, ptr, norm_state); + iByte = GetByte(Session, start, end, ptr, norm_state, encodeType); if(iByte == END_OF_BUFFER) return NON_ASCII_CHAR; 
@@ -826,44 +821,44 @@ ** This is the final GetByte routine. The value that is returned from this ** routine is the final decoded byte, and normalization can begin. This ** routine handles the double phase of decoding that IIS is fond of. -** +** ** So to recap all the decoding up until this point. -** +** ** The first phase is to call GetByte(). GetByte() returns the first stage ** of decoding, which handles the UTF-8 decoding. If we have decoded a ** % of some type, then we head into DoubleDecode() if the ServerConf ** allows it. -** +** ** What returns from DoubleDecode is the final result. -** +** ** @param ServerConf the server configuration ** @param start the start of the URI ** @param end the end of the URI ** @param ptr the current pointer into the URI ** @param norm_state the pointer to the URI norm state -** +** ** @return integer -** +** ** @retval END_OF_BUFFER While decoding, the end of buffer was reached. ** @retval char The resultant decoded char. -** +** ** @see DoubleDecode(); ** @see GetByte(); */ static int GetDecodedByte(HI_SESSION *Session, const u_char *start, - const u_char *end, const u_char **ptr, - URI_NORM_STATE *norm_state) + const u_char *end, const u_char **ptr, + URI_NORM_STATE *norm_state, uint16_t *encodeType) { HTTPINSPECT_CONF *ServerConf = Session->server_conf; int iChar; - iChar = GetByte(Session,start,end,ptr, norm_state); + iChar = GetByte(Session,start,end,ptr, norm_state,encodeType); if(iChar == END_OF_BUFFER) return END_OF_BUFFER; if(ServerConf->double_decoding.on && (u_char)iChar == '%') { - iChar = DoubleDecode(Session,start,end,ptr, norm_state); + iChar = DoubleDecode(Session,start,end,ptr,norm_state,encodeType); } /* 
@@ -874,13 +869,18 @@ if(hi_eo_generate_event(Session, ServerConf->iis_backslash.alert) && !norm_state->param) { - hi_eo_client_event_log(Session, HI_EO_CLIENT_IIS_BACKSLASH, + hi_eo_client_event_log(Session, HI_EO_CLIENT_IIS_BACKSLASH, NULL, NULL); } iChar = 0x2f; } + if( (u_char)iChar == '+') + { + iChar = 0x20; + } + return iChar; } @@ -890,18 +890,18 @@ */ /** ** Set the ub_ptr and update the URI_NORM_STATE. -** +** ** The main point of this function is to take care of the details in ** updating the directory stack and setting the buffer pointer to the ** last directory. -** +** ** @param norm_state pointer to the normalization state struct ** @param ub_ptr double pointer to the normalized buffer -** +** ** @return integer -** +** ** @retval HI_SUCCESS function successful -** +** ** @see hi_norm_uri() */ static int DirTrav(HI_SESSION *Session, URI_NORM_STATE *norm_state, @@ -913,7 +913,7 @@ if(norm_state->dir_count) { *ub_ptr = norm_state->dir_track[norm_state->dir_count - 1]; - + /* ** Check to make sure that we aren't at the beginning */ @@ -943,7 +943,7 @@ } } - return HI_SUCCESS; + return HI_SUCCESS; } /* @@ -953,18 +953,18 @@ /** ** Set the directory by writing a '/' to the normalization buffer and ** updating the directory stack. -** +** ** This gets called after every slash that isn't a directory traversal. We ** just write a '/' and then update the directory stack to point to the ** last directory, in the case of future directory traversals. -** +** ** @param norm_state pointer to the normalization state struct ** @param ub_ptr double pointer to the normalized buffer -** +** ** @return integer -** +** ** @retval HI_SUCCESS function successful -** +** ** @see hi_norm_uri() */ static int DirSet(URI_NORM_STATE *norm_state, u_char **ub_ptr) 
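Review bot: The new `'+'` to `0x20` rewrite at the end of GetDecodedByte is applied unconditionally, whereas the neighbouring backslash handling is gated by `ServerConf->iis_backslash` and by `!norm_state->param`. Since iChar is already the decoded byte, a percent-encoded `%2B` collapses to a space too, in the path as well as in the query, so the normalized buffer that rules match against can differ from what a server treating `+` literally in the path sees. Consider gating it on a server-config option and on `norm_state->param`, e.g. `if ((u_char)iChar == '+' && norm_state->param)`, and recording the choice in the function's @retval block. GetDecodedByte starts before this hunk.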
@@ -994,55 +994,56 @@ /** ** The main function for dealing with multiple slashes, self-referential ** directories, and directory traversals. -** +** ** This routine does GetDecodedByte() while looking for directory foo. It's ** called every time that we see a slash in the main hi_norm_uri. Most of -** the time we just enter this loop, find a non-directory-foo char and +** the time we just enter this loop, find a non-directory-foo char and ** return that char. hi_norm_uri() takes care of the directory state ** updating and so forth. -** +** ** But when we run into trouble with directories, this function takes care ** of that. We loop through multiple slashes until we get to the next ** directory. We also loop through self-referential directories until we -** get to the next directory. Then finally we deal with directory +** get to the next directory. Then finally we deal with directory ** traversals. -** +** ** With directory traversals we do a kind of "look ahead". We verify that ** there is indeed a directory traversal, and then set the ptr back to ** the beginning of the '/', so when we iterate through hi_norm_uri() we ** catch it. -** +** ** The return value for this function is usually the character after ** the directory. When there was a directory traversal, it returns the ** value DIR_TRAV. And when END_OF_BUFFER is returned, it means that we've ** really hit the end of the buffer, or we were looping through multiple ** slashes and self-referential directories until the end of the URI ** buffer. 
-** +** ** @param ServerConf pointer to the Server configuration ** @param start pointer to the start of the URI buffer ** @param end pointer to the end of the URI buffer ** @param ptr pointer to the index in the URI buffer -** +** ** @return integer -** +** ** @retval END_OF_BUFFER we've reached the end of buffer ** @retval DIR_TRAV we found a directory traversal ** @retval char return the next char after the directory -** +** ** @see hi_norm_uri() ** @see GetDecodedByte() */ static int DirNorm(HI_SESSION *Session, const u_char *start, const u_char *end, - const u_char **ptr, URI_NORM_STATE *norm_state) + const u_char **ptr, URI_NORM_STATE *norm_state, uint16_t *encodeType) { HTTPINSPECT_CONF *ServerConf = Session->server_conf; int iChar; int iDir; const u_char *orig_ptr; const u_char *dir_ptr; + // save the directory path here to check for unicode attack - while((iChar = GetDecodedByte(Session, start, end, ptr, norm_state)) != + while((iChar = GetDecodedByte(Session, start, end, ptr, norm_state, encodeType)) != END_OF_BUFFER) { orig_ptr = *ptr; @@ -1080,7 +1081,7 @@ else if(ServerConf->directory.on && (u_char)iChar == '.' && !norm_state->param) { - iDir = GetDecodedByte(Session,start,end,ptr,norm_state); + iDir = GetDecodedByte(Session,start,end,ptr,norm_state,encodeType); if(iDir != END_OF_BUFFER) { if((u_char)iDir == '.') @@ -1093,7 +1094,7 @@ */ dir_ptr = *ptr; - iDir = GetDecodedByte(Session,start,end,ptr,norm_state); + iDir = GetDecodedByte(Session,start,end,ptr,norm_state,encodeType); if(iDir != END_OF_BUFFER) { if((u_char)iDir == '/') @@ -1141,7 +1142,7 @@ continue; } } - + /* ** This means that we saw '.' and then another char, so ** it was just a file/dir that started with a '.'. 
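Review bot: The comment `// save the directory path here to check for unicode attack` added in DirNorm describes code that is not there — the next statement is the unchanged `GetDecodedByte` loop and nothing in this hunk saves a path. Either drop it or make it an explicit `/* TODO: ... */` that says what is still missing, so it does not read as a description of existing behaviour. It is also the only `//` comment in a file that otherwise uses `/* ** */` blocks. DirNorm's body continues past this hunk.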
@@ -1166,16 +1167,16 @@ */ /** ** This function checks for long directory names in the request URI. -** +** ** @param Session pointer to the session ** @param norm_state pointer to the directory stack ** @param ub_ptr current pointer in normalization buffer -** +** ** @return integer -** +** ** @retval HI_SUCCESS */ -static int CheckLongDir(HI_SESSION *Session, URI_NORM_STATE *norm_state, +static int CheckLongDir(HI_SESSION *Session, URI_NORM_STATE *norm_state, u_char *ub_ptr) { int iDirLen; @@ -1211,18 +1212,18 @@ /** ** This function inspects the normalized chars for any other processing ** that we need to do, such as directory traversals. -** +** ** The main things that we check for here are '/' and '?'. There reason ** for '/' is that we do directory traversals. If it's a slash, we call ** the routine that will normalize mutli-slashes, self-referential dirs, ** and dir traversals. We do all that processing here and call the ** appropriate functions. -** +** ** The '?' is so we can mark the parameter field, and check for oversize ** directories one last time. Once the parameter field is set, we don't ** do any more oversize directory checks since we aren't in the url ** any more. -** +** ** @param Session pointer to the current session ** @param iChar the char to inspect ** @param norm_state the normalization state 
@@ -1232,20 +1233,20 @@ ** @param ub_start the start of the norm buffer ** @param ub_end the end of the norm buffer ** @param ub_ptr the address of the pointer index into the norm buffer -** +** ** @return integer -** +** ** @retval END_OF_BUFFER we've reached the end of the URI or norm buffer ** @retval HI_NONFATAL_ERR no special char, so just write the char and ** increment the ub_ptr. ** @retval HI_SUCCESS normalized the special char and already ** incremented the buffers. */ -static INLINE int InspectUriChar(HI_SESSION *Session, int iChar, +static inline int InspectUriChar(HI_SESSION *Session, int iChar, URI_NORM_STATE *norm_state, const u_char *start, const u_char *end, const u_char **ptr, u_char *ub_start, u_char *ub_end, - u_char **ub_ptr) + u_char **ub_ptr, uint16_t *encodeType) { HTTPINSPECT_CONF *ServerConf = Session->server_conf; int iDir; @@ -1306,7 +1307,7 @@ */ CheckLongDir(Session, norm_state, *ub_ptr); - iDir = DirNorm(Session, start, end, ptr, norm_state); + iDir = DirNorm(Session, start, end, ptr, norm_state, encodeType); if(iDir == DIR_TRAV) { @@ -1340,7 +1341,7 @@ */ if(!hi_util_in_bounds(ub_start, ub_end, *ub_ptr)) return END_OF_BUFFER; - + /* ** Set the char to what we got in DirNorm() */ @@ -1368,7 +1369,7 @@ if((u_char)iChar == '?') { /* - ** We assume that this is the beginning of the parameter field, + ** We assume that this is the beginning of the parameter field, ** and check for a long directory following. Event though seeing ** a question mark does not guarantee the parameter field, thanks ** IIS. 
@@ -1390,33 +1391,33 @@ */ /** ** Normalize the URI into the URI normalize buffer. -** +** ** This is the routine that users call to normalize the URI. It iterates ** through the URI buffer decoding the next character and is then checked ** for any directory problems before writing the decoded character into the ** normalizing buffer. -** +** ** We return the length of the normalized URI buffer in the variable, ** uribuf_size. This value is passed in as the max size of the normalization ** buffer, which we then set in iMaxUriBufSize for later reference. -** +** ** If there was some sort of problem during normalizing we set the normalized ** URI buffer size to 0 and return HI_NONFATAL_ERR. -** +** ** @param ServerConf the pointer to the server configuration ** @param uribuf the pointer to the normalize uri buffer ** @param uribuf_size the size of the normalize buffer ** @param uri the pointer to the unnormalized uri buffer ** @param uri_size the size of the unnormalized uri buffer -** +** ** @return integer -** +** ** @retval HI_NONFATAL_ERR there was a problem during normalizing, the ** uribuf_size is also set to 0 ** @retval HI_SUCCESS Normalizing the URI was successful */ int hi_norm_uri(HI_SESSION *Session, u_char *uribuf, int *uribuf_size, - const u_char *uri, int uri_size) + const u_char *uri, int uri_size, uint16_t *encodeType) { HTTPINSPECT_CONF *ServerConf; int iChar; @@ -1451,7 +1452,7 @@ while(hi_util_in_bounds(ub_start, ub_end, ub_ptr)) { - iChar = GetDecodedByte(Session, start, end, &ptr, &norm_state); + iChar = GetDecodedByte(Session, start, end, &ptr, &norm_state, encodeType); if(iChar == END_OF_BUFFER) break; @@ -1470,7 +1471,7 @@ } iRet = InspectUriChar(Session, iChar, &norm_state, start, end, &ptr, - ub_start, ub_end, &ub_ptr); + ub_start, ub_end, &ub_ptr, encodeType); if (iRet) { if(iRet == END_OF_BUFFER) 
@@ -1505,97 +1506,23 @@ /* ** NAME -** hi_norm_init:: -*/ -/** -** Initialize the arrays neccessary to normalize the HTTP protocol fields. -** -** Currently, we set a hex_lookup array where we can convert the hex encoding -** that we encounter in the URI into numbers we deal with. -** -** @param GlobalConf pointer to the global configuration of HttpInspect -** -** @return HI_SUCCESS function successful -*/ -int hi_norm_init(HTTPINSPECT_GLOBAL_CONF *GlobalConf) -{ - int iCtr; - int iNum; - - memset(hex_lookup, NO_HEX_VAL, sizeof(hex_lookup)); - memset(valid_lookup, NO_HEX_VAL, sizeof(valid_lookup)); - - /* - ** Set the decimal number values - */ - iNum = 0; - for(iCtr = 48; iCtr < 58; iCtr++) - { - hex_lookup[iCtr] = iNum; - valid_lookup[iCtr] = HEX_VAL; - iNum++; - } - - /* - ** Set the upper case values. - */ - iNum = 10; - for(iCtr = 65; iCtr < 71; iCtr++) - { - hex_lookup[iCtr] = iNum; - valid_lookup[iCtr] = HEX_VAL; - iNum++; - } - - iNum = 16; - for(iCtr = 71; iCtr < 91; iCtr++) - { - hex_lookup[iCtr] = iNum; - valid_lookup[iCtr] = BASE36_VAL; - iNum++; - } - - /* - ** Set the lower case values. - */ - iNum = 10; - for(iCtr = 97; iCtr < 103; iCtr++) - { - hex_lookup[iCtr] = iNum; - valid_lookup[iCtr] = HEX_VAL; - iNum++; - } - - iNum = 16; - for(iCtr = 103; iCtr < 123; iCtr++) - { - hex_lookup[iCtr] = iNum; - valid_lookup[iCtr] = BASE36_VAL; - iNum++; - } - - return HI_SUCCESS; -} - -/* -** NAME ** hi_normalization:: */ /** ** Wrap the logic for normalizing different inspection modes. -** +** ** We call the various normalization modes here, and adjust the appropriate ** Session constructs. -** +** ** @param Session pointer to the session structure. 
** @param iInspectMode the type of inspection/normalization to do -** +** ** @return integer -** +** ** @retval HI_SUCCESS function successful ** @retval HI_INVALID_ARG invalid argument */ -int hi_normalization(HI_SESSION *Session, int iInspectMode) +int hi_normalization(HI_SESSION *Session, int iInspectMode, HttpSessionData *hsd) { int iRet; @@ -1620,6 +1547,14 @@ return iRet; } } + else if(iInspectMode == HI_SI_SERVER_MODE) + { + iRet = hi_server_norm((void *)Session, hsd); + if (iRet) + { + return iRet; + } + } return HI_SUCCESS; } diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/normalization/Makefile.in snort-2.9.2/src/preprocessors/HttpInspect/normalization/Makefile.in --- snort-2.8.5.2/src/preprocessors/HttpInspect/normalization/Makefile.in 2009-10-19 21:18:01.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/normalization/Makefile.in 2011-12-07 19:23:21.000000000 +0000 @@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -16,8 +17,9 @@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c 
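Review bot: hi_norm_init, which populated `hex_lookup` and `valid_lookup`, is deleted in this hunk, but DoubleDecode in the same file still indexes `hex_lookup[(u_char)iByte]`, so the tables must now be filled somewhere outside this diff before hi_norm_uri runs, and the commit gives no pointer to where. A one-line comment next to the table definitions naming their new initializer would save the next reader the search. The new `hsd` parameter of hi_normalization is also missing from its doc block: `** @param hsd per-session HTTP data, handed to hi_server_norm in server mode`.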
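Review bot: `hi_server_norm((void *)Session, hsd)` in the new server-mode branch casts the session to `void *`, which discards the type check the compiler would otherwise give; if the prototype takes `HI_SESSION *` the cast is unnecessary, and if it takes `void *` the implicit conversion already applies, so `iRet = hi_server_norm(Session, hsd);` is cleaner either way. The branch also forwards `hsd` without checking it; whether hi_server_norm tolerates NULL is not visible in this diff, so the expectation should be stated in hi_normalization's doc block.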
@@ -42,13 +44,14 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = LIBRARIES = $(noinst_LIBRARIES) ARFLAGS = cru libhi_norm_a_AR = $(AR) $(ARFLAGS) libhi_norm_a_LIBADD = am_libhi_norm_a_OBJECTS = hi_norm.$(OBJEXT) libhi_norm_a_OBJECTS = $(am_libhi_norm_a_OBJECTS) -DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = am__depfiles_maybe = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ @@ -74,31 +77,31 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ -ECHO = @ECHO@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -F77 = @F77@ -FFLAGS = @FFLAGS@ +FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ @@ -111,12 +114,18 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -124,20 +133,27 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -ac_ct_F77 = @ac_ct_F77@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -169,6 +185,7 @@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -181,6 +198,7 @@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies 
@@ -196,14 +214,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/normalization/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/normalization/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/normalization/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/preprocessors/HttpInspect/normalization/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -221,6 +239,7 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): clean-noinstLIBRARIES: -test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES) 
@@ -255,45 +274,49 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i 
$(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags @@ -314,13 +337,17 @@ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @@ -348,6 +375,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -368,6 +396,8 @@ html: html-am +html-am: + info: info-am info-am: @@ -376,18 +406,28 @@ install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am 
@@ -424,6 +464,7 @@ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ pdf pdf-am ps ps-am tags uninstall uninstall-am + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/server/hi_server.c snort-2.9.2/src/preprocessors/HttpInspect/server/hi_server.c --- snort-2.8.5.2/src/preprocessors/HttpInspect/server/hi_server.c 2009-01-26 16:26:31.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/server/hi_server.c 2011-12-08 16:49:14.000000000 +0000 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2009 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -18,30 +18,152 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** ** @file hi_server.c -** +** ** @author Daniel Roelker -** +** ** @brief Handles inspection of HTTP server responses. -** +** ** HttpInspect handles server responses in a stateless manner because we ** are really only interested in the first response packet that contains ** the HTTP response code, headers, and the payload. -** +** ** The first big thing is to incorporate the HTTP protocol flow ** analyzer. -** +** ** NOTES: ** - Initial development. DJR */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include +#include +#ifdef ZLIB +#include +#include "mempool.h" +extern MemPool *hi_gzip_mempool; +#endif +#include "hi_server.h" #include "hi_ui_config.h" -#include "hi_si.h" #include "hi_return_codes.h" -#include "hi_server.h" +#include "hi_si.h" +#include "hi_eo_log.h" +#include "snort_bounds.h" +#include "detection_util.h" +#include "stream_api.h" +#include "sfutil/util_unfold.h" + +#define STAT_END 100 +#define HTTPRESP_HEADER_NAME__COOKIE "Set-Cookie" +#define HTTPRESP_HEADER_LENGTH__COOKIE 10 +#define HTTPRESP_HEADER_NAME__CONTENT_ENCODING "Content-Encoding" +#define HTTPRESP_HEADER_LENGTH__CONTENT_ENCODING 16 +#define HTTPRESP_HEADER_NAME__GZIP "gzip" +#define HTTPRESP_HEADER_NAME__XGZIP "x-gzip" +#define HTTPRESP_HEADER_LENGTH__GZIP 4 +#define HTTPRESP_HEADER_LENGTH__XGZIP 6 +#define HTTPRESP_HEADER_NAME__DEFLATE "deflate" +#define HTTPRESP_HEADER_LENGTH__DEFLATE 7 +#define HTTPRESP_HEADER_NAME__CONTENT_LENGTH "Content-length" +#define HTTPRESP_HEADER_LENGTH__CONTENT_LENGTH 14 +#define HTTPRESP_HEADER_NAME__CONTENT_TYPE "Content-Type" +#define HTTPRESP_HEADER_LENGTH__CONTENT_TYPE 12 +#define HTTPRESP_HEADER_NAME__TRANSFER_ENCODING "Transfer-Encoding" +#define HTTPRESP_HEADER_LENGTH__TRANSFER_ENCODING 17 + +typedef int (*LOOKUP_FCN)(HI_SESSION *, const u_char *, const 
u_char *, const u_char **, + URI_PTR *); +extern LOOKUP_FCN lookup_table[256]; +extern int NextNonWhiteSpace(HI_SESSION *, const u_char *, const u_char *, const u_char **, URI_PTR *); +extern int CheckChunkEncoding(HI_SESSION *, const u_char *, const u_char *, const u_char **, u_char *, + uint32_t , uint32_t, uint32_t *, uint32_t *, HttpSessionData *, int); +extern int IsHttpVersion(const u_char **, const u_char *); +extern int find_rfc_delimiter(HI_SESSION *, const u_char *, const u_char *, const u_char **, URI_PTR *); +extern int find_non_rfc_delimiter(HI_SESSION *, const u_char *, const u_char *, const u_char **, URI_PTR *); +extern int NextNonWhiteSpace(HI_SESSION *, const u_char *, const u_char *, const u_char **, URI_PTR *); +extern int SetPercentNorm(HI_SESSION *, const u_char *, const u_char *, const u_char **, URI_PTR *); +extern int SetSlashNorm(HI_SESSION *, const u_char *, const u_char *, const u_char **, URI_PTR *); +extern int SetBackSlashNorm(HI_SESSION *, const u_char *, const u_char *, const u_char **, URI_PTR *); +extern int SetPlusNorm(HI_SESSION *, const u_char *, const u_char *, const u_char **, URI_PTR *); +extern int SetBinaryNorm(HI_SESSION *, const u_char *, const u_char *, const u_char **, URI_PTR *); +extern int SetParamField(HI_SESSION *, const u_char *, const u_char *, const u_char **, URI_PTR *); +extern int SetProxy(HI_SESSION *, const u_char *, const u_char *, const u_char **, URI_PTR *); +extern const u_char *extract_http_cookie(const u_char *p, const u_char *end, HEADER_PTR *, HEADER_FIELD_PTR *); +extern const u_char *extract_http_content_length(HI_SESSION *, HTTPINSPECT_CONF *, const u_char *, const u_char *, const u_char *, HEADER_PTR *, HEADER_FIELD_PTR *) ; + +static inline void ApplyFlowDepth(HTTPINSPECT_CONF *, Packet *, HttpSessionData *, int, int, uint32_t); +#define CLR_SERVER_HEADER(Server) \ + do { \ + Server->response.header_raw = NULL;\ + Server->response.header_raw_size = 0;\ + Server->response.header_norm = NULL; \ 
+ Server->response.header_norm_size = 0 ;\ + Server->response.cookie.cookie = NULL;\ + Server->response.cookie.cookie_end = NULL;\ + Server->response.cookie.next = NULL;\ + Server->response.cookie_norm = NULL;\ + Server->response.cookie_norm_size = 0;\ + } while(0); + +#define CLR_SERVER_STAT(Server) \ + do { \ + Server->response.status_msg = NULL;\ + Server->response.status_code = NULL;\ + Server->response.status_code_size = 0;\ + Server->response.status_msg_size = 0;\ + }while(0); + +#define CLR_SERVER_STAT_MSG(Server) \ + do { \ + Server->response.status_msg = NULL;\ + Server->response.status_msg_size = 0;\ + }while(0); + +#define CLR_SERVER_BODY(Server)\ + do { \ + Server->response.body = NULL;\ + Server->response.body_size = 0;\ + }while(0); + +static inline void clearHttpRespBuffer(HI_SERVER *Server) +{ + CLR_SERVER_HEADER(Server); + CLR_SERVER_STAT(Server); + CLR_SERVER_BODY(Server); +} + +static inline const u_char *MovePastDelims(const u_char *start, const u_char *end,const u_char *ptr) +{ + + while(hi_util_in_bounds(start, end, ptr)) + { + if(*ptr < 0x21) + { + if(*ptr < 0x0E && *ptr > 0x08) + { + ptr++; + continue; + } + else + { + if(*ptr == 0x20) + { + ptr++; + continue; + } + } + } + + break; + } + + return ptr; +} /** ** NAME 
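Review bot: The four `CLR_SERVER_*` macros end their `do { ... } while(0)` with a trailing semicolon, which defeats the idiom: a use such as `CLR_SERVER_HEADER(Server);` expands to two statements, so the macro cannot safely be the body of an unbraced `if`/`else`. Drop the `;` after `while(0)` in all four definitions. In the same prototype list `extern int NextNonWhiteSpace(...)` is declared twice, and the long run of `extern` prototypes would be better placed in a shared header than repeated in this .c file.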
@@ -49,100 +171,1530 @@
 */
 /**
 ** Inspect an HTTP server response packet to determine the state.
-**
+**
 ** We inspect this packet and determine whether we are in the beginning
 ** of a response header or if we are looking at payload. We limit the
 ** amount of inspection done on responses by only inspecting the HTTP header
 ** and some payload. If the whole packet is a payload, then we just ignore
 ** it, since we inspected the previous header and payload.
-**
+**
 ** We limit the amount of the payload by adjusting the Server structure
 ** members, header and header size.
-**
+**
 ** @param Server the server structure
 ** @param data pointer to the beginning of payload
 ** @param dsize the size of the payload
 ** @param flow_depth the amount of header and payload to inspect
-**
+**
 ** @return integer
-**
+**
 ** @retval HI_INVALID_ARG invalid argument
 ** @retval HI_SUCCESS function success
 */
-static int IsHttpServerData(HI_SERVER *Server, const u_char *data, int dsize,
- int flow_depth)
+static int IsHttpServerData(HI_SESSION *Session, Packet *p, HttpSessionData *sd)
 {
- /*
+ const u_char *start;
+ const u_char *end;
+ const u_char *ptr;
+ int len;
+ uint32_t seq_num = 0;
+ HI_SERVER *Server;
+ HTTPINSPECT_CONF *ServerConf;
+
+ ServerConf = Session->server_conf;
+ if(!ServerConf)
+ return HI_INVALID_ARG;
+
+ Server = &(Session->server);
+
+ clearHttpRespBuffer(Server);
+ /*
 ** HTTP:Server-Side-Session-Performance-Optimization
- ** This drops Server->Client packets which are not part of the
- ** HTTP Response header. It can miss part of the response header
+ ** This drops Server->Client packets which are not part of the
+ ** HTTP Response header. It can miss part of the response header
 ** if the header is sent as multiple packets.
 */
- if(!data)
+ if(!(p->data))
 {
 return HI_INVALID_ARG;
 }
+ seq_num = GET_PKT_SEQ(p);
+
+ /*
 ** Let's set up the data pointers. 
*/
- Server->header = data;
- Server->header_size = dsize;
+ Server->response.header_raw = p->data;
+ Server->response.header_raw_size = p->dsize;
- /*
- ** This indicates that we want to inspect the complete response, so
- ** we don't waste any time otherwise.
- */
- if(flow_depth < 1)
+ start = p->data;
+ end = p->data + p->dsize;
+ ptr = start;
+
+ ptr = MovePastDelims(start,end,ptr);
+
+ len = end - ptr;
+ if ( len > 4 )
+ {
+ if(!IsHttpVersion(&ptr, end))
+ {
+ p->packet_flags |= PKT_HTTP_DECODE;
+ ApplyFlowDepth(ServerConf, p, sd, 0, 0, seq_num);
+ return HI_SUCCESS;
+ }
+ else
+ {
+ if(ServerConf->server_flow_depth > 0)
+ {
+ sd->resp_state.is_max_seq = 1;
+ sd->resp_state.max_seq = seq_num + ServerConf->server_flow_depth;
+ }
+ p->packet_flags |= PKT_HTTP_DECODE;
+ ApplyFlowDepth(ServerConf, p, sd, 0, 1, seq_num);
+ return HI_SUCCESS;
+ }
+ }
+ else
 {
 return HI_SUCCESS;
 }
- if(dsize > 4 )
+
+ return HI_SUCCESS;
+}
+
+static inline int hi_server_extract_status_msg( const u_char *start, const u_char *ptr,
+ const u_char *end, URI_PTR *result)
+{
+ int iRet = HI_SUCCESS;
+ SkipBlankSpace(start,end,&ptr);
+
+ if ( hi_util_in_bounds(start, end, ptr) )
 {
- if( (data[0]!='H') || (data[1]!='T') ||
- (data[2]!='T') || (data[3]!='P') )
+ const u_char *crlf = (u_char *)SnortStrnStr((const char *)ptr, end - ptr, "\n");
+ result->uri = ptr;
+ if (crlf)
 {
- Server->header_size = 0;
- Server->header = NULL;
+ if(crlf[-1] == '\r')
+ result->uri_end = crlf - 1;
+ else
+ result->uri_end = crlf;
+ ptr = crlf;
+ }
+ else
+ {
+ result->uri_end =end;
+ }
- return HI_SUCCESS;
+ if(result->uri < result->uri_end)
+ iRet = STAT_END;
+ else
+ iRet = HI_OUT_OF_BOUNDS;
+ }
+ else
+ iRet = HI_OUT_OF_BOUNDS;
+
+ return iRet;
+}
+
+
+static inline int hi_server_extract_status_code(HI_SESSION *Session, const u_char *start, const u_char *ptr,
+ const u_char *end, URI_PTR *result)
+{
+ int iRet = HI_SUCCESS;
+ SkipBlankSpace(start,end,&ptr);
+
+ result->uri = ptr;
+ result->uri_end = ptr;
+
+ while( hi_util_in_bounds(start, end, ptr) )
+ {
+ if(isdigit((int)*ptr))
+ {
+ SkipDigits(start, end, &ptr);
+ if ( hi_util_in_bounds(start, end, ptr) )
+ {
+ if(isspace((int)*ptr))
+ {
+ result->uri_end = ptr;
+ iRet = STAT_END;
+ return iRet;
+ }
+ else
+ {
+ result->uri_end = ptr;
+ iRet = HI_NONFATAL_ERR;
+ return iRet;
+ }
+
+ }
+ else
+ {
+ iRet = HI_OUT_OF_BOUNDS;
+ return iRet;
+ }
+
+ }
+ else
+ {
+
+ if(hi_eo_generate_event(Session, HI_EO_SERVER_INVALID_STATCODE))
+ {
+ hi_eo_server_event_log(Session, HI_EO_SERVER_INVALID_STATCODE, NULL, NULL);
+ }
+ ptr++;
+ }
+ }
+
+ iRet = HI_OUT_OF_BOUNDS;
+
+ return iRet;
+}
+
+/* Grab the argument of "charset=foo" from a Content-Type header */
+static inline const u_char *extract_http_content_type_charset(HI_SESSION *Session,
+ HttpSessionData *hsd, const u_char *p, const u_char *start, const u_char *end )
+{
+ size_t cmplen;
+ uint8_t unfold_buf[DECODE_BLEN];
+ uint32_t unfold_size =0;
+ const char *ptr, *ptr_end;
+
+ if (hsd == NULL)
+ return p;
+
+ set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_DEFAULT);
+
+ /* Don't trim spaces so p is set to end of header */
+ sf_unfold_header(p, end-p, unfold_buf, sizeof(unfold_buf), &unfold_size, 0, 0);
+ if (!unfold_size)
+ return p;
+
+ p += unfold_size;
+
+ ptr = (const char *)unfold_buf;
+ ptr_end = (const char *)(ptr + strlen((const char *)unfold_buf));
+
+ ptr = SnortStrcasestr(ptr, (int)(ptr_end - ptr), "text");
+ if (!ptr)
+ return p;
+
+ set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_UNKNOWN);
+
+ ptr = SnortStrcasestr(ptr, (int)(ptr_end - ptr), "utf-");
+ if (!ptr)
+ return p;
+
+ ptr += 4; /* length of "utf-" */
+ cmplen = ptr_end - ptr;
+
+ if ((cmplen > 0) && (*ptr == '8'))
+ {
+ set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_DEFAULT);
+ }
+ else if ((cmplen > 0) && (*ptr == '7'))
+ {
+ set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_UTF7);
+ if(hi_eo_generate_event(Session, HI_EO_SERVER_UTF7))
+
hi_eo_server_event_log(Session, HI_EO_SERVER_UTF7, NULL, NULL);
+ }
+ else if (cmplen >= 4)
+ {
+ if ( !strncasecmp(ptr, "16le", 4) )
+ set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_UTF16LE);
+ else if ( !strncasecmp(ptr, "16be", 4) )
+ set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_UTF16BE);
+ else if ( !strncasecmp(ptr, "32le", 4) )
+ set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_UTF32LE);
+ else if ( !strncasecmp(ptr, "32be", 4) )
+ set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_UTF32BE);
+ }
+
+ return p;
+}
+
+#ifdef ZLIB
+static inline const u_char *extract_http_content_encoding(HTTPINSPECT_CONF *ServerConf,
+ const u_char *p, const u_char *start, const u_char *end, HEADER_PTR *header_ptr,
+ HEADER_FIELD_PTR *header_field_ptr)
+{
+ const u_char *crlf;
+ int space_present = 0;
+ if (header_ptr->content_encoding.cont_encoding_start)
+ {
+ header_ptr->header.uri_end = p;
+ header_ptr->content_encoding.compress_fmt = 0;
+ return p;
+ }
+ else
+ {
+ header_field_ptr->content_encoding = &header_ptr->content_encoding;
+ p = p + HTTPRESP_HEADER_LENGTH__CONTENT_ENCODING;
+ }
+ SkipBlankSpace(start,end,&p);
+ if(hi_util_in_bounds(start, end, p) && *p == ':')
+ {
+ p++;
+ if ( hi_util_in_bounds(start, end, p) )
+ {
+ if ( ServerConf->profile == HI_APACHE || ServerConf->profile == HI_ALL)
+ {
+ SkipWhiteSpace(start,end,&p);
+ }
+ else
+ {
+ SkipBlankAndNewLine(start,end,&p);
+ }
+ if( hi_util_in_bounds(start, end, p))
+ {
+ if ( *p == '\n' )
+ {
+ while(hi_util_in_bounds(start, end, p))
+ {
+ if ( *p == '\n')
+ {
+ p++;
+ while( hi_util_in_bounds(start, end, p) && ( *p == ' ' || *p == '\t'))
+ {
+ space_present = 1;
+ p++;
+ }
+ if ( space_present )
+ {
+ if ( isalpha((int)*p))
+ break;
+ else if(isspace((int)*p) && (ServerConf->profile == HI_APACHE || ServerConf->profile == HI_ALL) )
+ {
+ SkipWhiteSpace(start,end,&p);
+ }
+ else
+ {
+ header_field_ptr->content_encoding->cont_encoding_start=
+
header_field_ptr->content_encoding->cont_encoding_end = NULL;
+ header_field_ptr->content_encoding->compress_fmt = 0;
+ return p;
+ }
+ }
+ else
+ {
+ header_field_ptr->content_encoding->cont_encoding_start=
+ header_field_ptr->content_encoding->cont_encoding_end = NULL;
+ header_field_ptr->content_encoding->compress_fmt = 0;
+ return p;
+ }
+ }
+ else
+ break;
+ }
+ }
+ else if(isalpha((int)*p))
+ {
+ header_field_ptr->content_encoding->cont_encoding_start = p;
+ while(hi_util_in_bounds(start, end, p) && *p!='\n' )
+ {
+ if(IsHeaderFieldName(p, end, HTTPRESP_HEADER_NAME__GZIP, HTTPRESP_HEADER_LENGTH__GZIP) ||
+ IsHeaderFieldName(p, end, HTTPRESP_HEADER_NAME__XGZIP, HTTPRESP_HEADER_LENGTH__XGZIP))
+ {
+ header_field_ptr->content_encoding->compress_fmt |= HTTP_RESP_COMPRESS_TYPE__GZIP;
+ p = p + HTTPRESP_HEADER_LENGTH__GZIP;
+ continue;
+ }
+ else if(IsHeaderFieldName(p, end, HTTPRESP_HEADER_NAME__DEFLATE, HTTPRESP_HEADER_LENGTH__DEFLATE))
+ {
+ header_field_ptr->content_encoding->compress_fmt |= HTTP_RESP_COMPRESS_TYPE__DEFLATE;
+ p = p + HTTPRESP_HEADER_LENGTH__DEFLATE;
+ continue;
+ }
+ else
+ p++;
+ }
+
+ /*crlf = (u_char *)SnortStrnStr((const char *)p, end - p, "\n");
+ if(crlf)
+ {
+ p = crlf;
+ }
+ else
+ {
+ header_ptr->header.uri_end = end ;
+ return end;
+ }*/
+ }
+ else
+ {
+ header_field_ptr->content_encoding->cont_encoding_start=
+ header_field_ptr->content_encoding->cont_encoding_end = NULL;
+ header_field_ptr->content_encoding->compress_fmt = 0;
+ return p;
+ }
+ }
+ }
+ }
+ else
+ {
+ if(hi_util_in_bounds(start, end, p))
+ {
+ crlf = (u_char *)SnortStrnStr((const char *)p, end - p, "\n");
+ if(crlf)
+ {
+ p = crlf;
+ }
+ else
+ {
+ header_ptr->header.uri_end = end ;
+ return end;
+ }
+ }
+ }
+ if(!p || !hi_util_in_bounds(start, end, p))
+ p = end;
+
+ return p;
+}
+#endif
+
+const u_char *extract_http_transfer_encoding(HI_SESSION *Session, HttpSessionData *hsd,
+ const u_char *p, const u_char *start, const u_char *end,
+ HEADER_PTR *header_ptr, int 
iInspectMode)
+{
+ uint8_t unfold_buf[DECODE_BLEN];
+ uint32_t unfold_size =0;
+ const u_char *start_ptr, *end_ptr, *cur_ptr;
+
+
+ SkipBlankSpace(start,end,&p);
+
+ if(hi_util_in_bounds(start, end, p) && *p == ':')
+ {
+ p++;
+ if(hi_util_in_bounds(start, end, p))
+ sf_unfold_header(p, end-p, unfold_buf, sizeof(unfold_buf), &unfold_size, 1, 0);
+
+ if(!unfold_size)
+ {
+ header_ptr->header.uri_end = end;
+ return end;
+ }
+
+ p = p + unfold_size;
+
+ start_ptr = unfold_buf;
+ cur_ptr = unfold_buf;
+ end_ptr = unfold_buf + unfold_size;
+ SkipBlankSpace(start_ptr,end_ptr,&cur_ptr);
+
+ start_ptr = cur_ptr;
+
+
+ if(!strncasecmp((const char *)start_ptr, "chunked", (end_ptr - start_ptr)))
+ {
+ if ((iInspectMode == HI_SI_SERVER_MODE) && hsd)
+ {
+ hsd->resp_state.last_pkt_chunked = 1;
+ hsd->resp_state.last_pkt_contlen = 0;
+ }
+ header_ptr->content_len.len = 0 ;
+ header_ptr->content_len.cont_len_start = NULL;
+ header_ptr->is_chunked = true;
 }
+ }
+ else
+ {
+ header_ptr->header.uri_end = end;
+ return end;
+ }
+
+ return p;
+}
- /*
- ** OK its an HTTP response header.
- **
- ** Now, limit the amount we inspect,
- ** we could just examine this whole packet,
- ** since it's usually full of HTTP Response info.
- ** For protocol analysis purposes we probably ought to
- ** let the whole thing get processed, or have a
- ** different pattern match length and protocol inspection
- ** length. 
- */
- if(dsize > flow_depth)
+
+static inline const u_char *extractHttpRespHeaderFieldValues(HTTPINSPECT_CONF *ServerConf,
+ const u_char *p, const u_char *offset, const u_char *start,
+ const u_char *end, HEADER_PTR *header_ptr,
+ HEADER_FIELD_PTR *header_field_ptr, int parse_cont_encoding, HttpSessionData *hsd,
+ HI_SESSION *Session)
+{
+ if (((p - offset) == 0) && ((*p == 'S') || (*p == 's')))
+ {
+ /* Search for 'Cookie' at beginning, starting from current *p */
+ if ( ServerConf->enable_cookie &&
+ IsHeaderFieldName(p, end, HTTPRESP_HEADER_NAME__COOKIE,
+ HTTPRESP_HEADER_LENGTH__COOKIE))
 {
- Server->header_size = flow_depth;
+ p = extract_http_cookie((p + HTTPRESP_HEADER_LENGTH__COOKIE), end, header_ptr, header_field_ptr);
 }
 }
+ else if (((p - offset) == 0) && ((*p == 'C') || (*p == 'c')))
+ {
+ if ( IsHeaderFieldName(p, end, HTTPRESP_HEADER_NAME__CONTENT_TYPE,
+ HTTPRESP_HEADER_LENGTH__CONTENT_TYPE) && ServerConf->normalize_utf)
+ {
+ p = extract_http_content_type_charset(Session, hsd, p, start, end);
+ }
- return HI_SUCCESS;
+#ifdef ZLIB
+ else if ( IsHeaderFieldName(p, end, HTTPRESP_HEADER_NAME__CONTENT_ENCODING,
+ HTTPRESP_HEADER_LENGTH__CONTENT_ENCODING) && ServerConf->extract_gzip &&
+ parse_cont_encoding)
+ {
+ p = extract_http_content_encoding(ServerConf, p, start, end, header_ptr, header_field_ptr );
+ }
+#endif
+ else if ( IsHeaderFieldName(p, end, HTTPRESP_HEADER_NAME__CONTENT_LENGTH,
+ HTTPRESP_HEADER_LENGTH__CONTENT_LENGTH) )
+ {
+ if(!hsd->resp_state.last_pkt_chunked)
+ p = extract_http_content_length(Session, ServerConf, p, start, end, header_ptr, header_field_ptr );
+ }
+ }
+ else if (((p - offset) == 0) && ((*p == 'T') || (*p == 't')))
+ {
+ if ( IsHeaderFieldName(p, end, HTTPRESP_HEADER_NAME__TRANSFER_ENCODING,
+ HTTPRESP_HEADER_LENGTH__TRANSFER_ENCODING))
+ {
+ p = p + HTTPRESP_HEADER_LENGTH__TRANSFER_ENCODING;
+ p = extract_http_transfer_encoding(Session, hsd, p, start, end, header_ptr, HI_SI_SERVER_MODE);
+ }
+ }
+ return p;
+}
+
+
+static inline const u_char *hi_server_extract_header(
+ HI_SESSION *Session, HTTPINSPECT_CONF *ServerConf,
+ HEADER_PTR *header_ptr, const u_char *start,
+ const u_char *end, int parse_cont_encoding,
+ HttpSessionData *hsd)
+{
+ const u_char *p;
+ const u_char *offset;
+ HEADER_FIELD_PTR header_field_ptr ;
+
+ if(!start || !end)
+ return NULL;
+
+ p = start;
+
+ offset = (u_char*)p;
+
+ header_ptr->header.uri = p;
+ header_ptr->header.uri_end = end;
+ header_ptr->content_encoding.compress_fmt = 0;
+ header_ptr->content_len.len = 0;
+ header_ptr->is_chunked = false;
+
+ while (hi_util_in_bounds(start, end, p))
+ {
+ if(*p == '\n')
+ {
+ p++;
+
+ offset = (u_char*)p;
+
+ if (!hi_util_in_bounds(start, end, p))
+ {
+ header_ptr->header.uri_end = p;
+ return p;
+ }
+
+ if (*p < 0x0E)
+ {
+ if(*p == '\r')
+ {
+ p++;
+
+ if(hi_util_in_bounds(start, end, p) && (*p == '\n'))
+ {
+ p++;
+ header_ptr->header.uri_end = p;
+ return p;
+ }
+ }
+ else if(*p == '\n')
+ {
+ p++;
+ header_ptr->header.uri_end = p;
+ return p;
+ }
+ }
+ else if ( (p = extractHttpRespHeaderFieldValues(ServerConf, p, offset,
+ start, end, header_ptr, &header_field_ptr,
+ parse_cont_encoding, hsd, Session)) == end)
+ {
+ return end;
+ }
+
+ }
+ else if( (p == header_ptr->header.uri) &&
+ (p = extractHttpRespHeaderFieldValues(ServerConf, p, offset,
+ start, end, header_ptr, &header_field_ptr,
+ parse_cont_encoding, hsd, Session)) == end)
+ {
+ return end;
+ }
+ if ( *p == '\n') continue;
+ p++;
+ }
+
+ header_ptr->header.uri_end = p;
+ return p;
+}
+
+static inline int hi_server_extract_body(
+ HI_SESSION *Session, HttpSessionData *sd,
+ const u_char *ptr, const u_char *end, URI_PTR *result)
+{
+ HTTPINSPECT_CONF *ServerConf;
+ const u_char *start = ptr;
+ int iRet = HI_SUCCESS;
+ const u_char *post_end = end;
+ uint32_t chunk_size = 0;
+ uint32_t chunk_read = 0;
+ int bytes_to_read = 0;
+ ServerConf = Session->server_conf;
+
+ switch(ServerConf->server_flow_depth)
+ {
+ case -1:
+ result->uri = 
result->uri_end = NULL;
+ return iRet;
+ case 0:
+ break;
+ default:
+ if(sd->resp_state.flow_depth_read < ServerConf->server_flow_depth)
+ {
+ bytes_to_read = ServerConf->server_flow_depth - sd->resp_state.flow_depth_read;
+ if((end-ptr) > bytes_to_read )
+ {
+ end = ptr + bytes_to_read;
+ }
+ sd->resp_state.flow_depth_read +=bytes_to_read;
+ }
+ else
+ {
+ result->uri = result->uri_end = NULL;
+ return iRet;
+ }
+ }
+
+/* if( ServerConf->server_flow_depth && ((end - ptr) > ServerConf->server_flow_depth) )
+ {
+ end = ptr + ServerConf->server_flow_depth;
+ }*/
+
+ if (!(sd->resp_state.last_pkt_contlen))
+ {
+ if( ServerConf->chunk_length || ServerConf->small_chunk_length.size )
+ {
+ if (sd->resp_state.last_pkt_chunked
+ && CheckChunkEncoding(Session, start, end, &post_end,
+ (u_char *)HttpDecodeBuf.data, sizeof(HttpDecodeBuf.data),
+ sd->resp_state.last_chunk_size, &chunk_size, &chunk_read,
+ sd, HI_SI_SERVER_MODE) == 1)
+ {
+ sd->resp_state.last_chunk_size = chunk_size;
+ sd->resp_state.last_pkt_chunked = 1;
+ result->uri = (u_char *)HttpDecodeBuf.data;
+ result->uri_end = result->uri + chunk_read;
+ return iRet;
+ }
+ else
+ {
+ if(!(sd->resp_state.last_pkt_chunked))
+ {
+ if(hi_eo_generate_event(Session, HI_EO_SERVER_NO_CONTLEN))
+ {
+ hi_eo_server_event_log(Session, HI_EO_SERVER_NO_CONTLEN, NULL, NULL);
+ }
+ }
+ else
+ sd->resp_state.last_pkt_chunked = 0;
+ result->uri = start;
+ result->uri_end = end;
+ }
+ }
+ else
+ {
+ result->uri = start;
+ result->uri_end = end;
+ return iRet;
+ }
+ }
+
+ result->uri = start;
+ result->uri_end = end;
+
+ return STAT_END;
+}
+
+#ifdef ZLIB
+static void SetGzipBuffers(HttpSessionData *hsd, HI_SESSION *session)
+{
+ if ((hsd != NULL) && (hsd->decomp_state == NULL)
+ && (session != NULL) && (session->server_conf != NULL)
+ && (session->global_conf != NULL) && session->server_conf->extract_gzip)
+ {
+ MemBucket *bkt = mempool_alloc(hi_gzip_mempool);
+
+ if (bkt != NULL)
+ {
+ hsd->decomp_state = (DECOMPRESS_STATE 
*)calloc(1, sizeof(DECOMPRESS_STATE));
+ if(hsd->decomp_state != NULL)
+ {
+ hsd->decomp_state->gzip_bucket = bkt;
+ hsd->decomp_state->compr_depth = session->global_conf->compr_depth;
+ hsd->decomp_state->decompr_depth = session->global_conf->decompr_depth;
+ hsd->decomp_state->compr_buffer = (unsigned char *)bkt->data;
+ hsd->decomp_state->decompr_buffer = (unsigned char *)bkt->data + session->global_conf->compr_depth;
+ hsd->decomp_state->inflate_init = 0;
+ }
+ else
+ {
+ mempool_free(hi_gzip_mempool, bkt);
+ }
+ }
+ }
+}
+
+int uncompress_gzip ( u_char *dest, int destLen, u_char *source,
+ int sourceLen, HttpSessionData *sd, int *total_bytes_read, int compr_fmt)
+{
+ z_stream stream;
+ int err;
+ int iRet = HI_SUCCESS;
+
+ stream = sd->decomp_state->d_stream;
+
+ stream.next_in = (Bytef*)source;
+ stream.avail_in = (uInt)sourceLen;
+ if ((uLong)stream.avail_in != (uLong)sourceLen)
+ {
+ sd->decomp_state->d_stream = stream;
+ return HI_FATAL_ERR;
+ }
+
+ stream.next_out = dest;
+ stream.avail_out = (uInt)destLen;
+ if ((uLong)stream.avail_out != (uLong)destLen)
+ {
+ sd->decomp_state->d_stream = stream;
+ return HI_FATAL_ERR;
+ }
+
+
+ if(!sd->decomp_state->inflate_init)
+ {
+ sd->decomp_state->inflate_init = 1;
+ stream.zalloc = (alloc_func)0;
+ stream.zfree = (free_func)0;
+ if(compr_fmt & HTTP_RESP_COMPRESS_TYPE__DEFLATE)
+ err = inflateInit(&stream);
+ else
+ err = inflateInit2(&stream, GZIP_WBITS);
+ if (err != Z_OK)
+ {
+ sd->decomp_state->d_stream = stream;
+ return HI_FATAL_ERR;
+ }
+ }
+ else
+ {
+ stream.total_in = 0;
+ stream.total_out =0;
+ }
+
+ err = inflate(&stream, Z_SYNC_FLUSH);
+ if ((!sd->decomp_state->deflate_initialized)
+ && (err == Z_DATA_ERROR)
+ && (compr_fmt & HTTP_RESP_COMPRESS_TYPE__DEFLATE))
+ {
+ /* Might not have zlib header - add one */
+ static char zlib_header[2] = { 0x78, 0x01 };
+
+ inflateReset(&stream);
+ stream.next_in = (Bytef *)zlib_header;
+ stream.avail_in = sizeof(zlib_header);
+
+
sd->decomp_state->deflate_initialized = true;
+
+ err = inflate(&stream, Z_SYNC_FLUSH);
+ if (err == Z_OK)
+ {
+ stream.next_in = (Bytef*)source;
+ stream.avail_in = (uInt)sourceLen;
+
+ err = inflate(&stream, Z_SYNC_FLUSH);
+ }
+ }
+
+ if ((err != Z_STREAM_END) && (err !=Z_OK))
+ {
+
+ /* If some of the compressed data is decompressed we need to provide that for detection */
+ if( stream.total_out > 0)
+ {
+ *total_bytes_read = stream.total_out;
+ iRet = HI_NONFATAL_ERR;
+ }
+ else
+ iRet = HI_FATAL_ERR;
+ inflateEnd(&stream);
+ sd->decomp_state->d_stream = stream;
+ return iRet;
+ }
+ *total_bytes_read = stream.total_out;
+ sd->decomp_state->d_stream = stream;
+ return HI_SUCCESS;
+}
+
+static inline int hi_server_decompress(HI_SESSION *Session, HttpSessionData *sd, const u_char *ptr,
+ const u_char *end, URI_PTR *result)
+{
+ const u_char *start = ptr;
+ int rawbuf_size = end - ptr;
+ int iRet = HI_SUCCESS;
+ int zRet = HI_FATAL_ERR;
+ int compr_depth, decompr_depth;
+ int compr_bytes_read, decompr_bytes_read;
+ int compr_avail, decompr_avail;
+ int total_bytes_read = 0;
+ uint32_t chunk_size = 0;
+ uint32_t chunk_read = 0;
+
+ u_char *compr_buffer;
+ u_char *decompr_buffer;
+ compr_depth = sd->decomp_state->compr_depth;
+ decompr_depth = sd->decomp_state->decompr_depth;
+ compr_bytes_read = sd->decomp_state->compr_bytes_read;
+ decompr_bytes_read = sd->decomp_state->decompr_bytes_read;
+ compr_buffer = sd->decomp_state->compr_buffer;
+ decompr_buffer = sd->decomp_state->decompr_buffer;
+
+ if(Session->server_conf->unlimited_decompress)
+ {
+ compr_avail = compr_depth;
+ decompr_avail = decompr_depth;
+ }
+ else
+ {
+ compr_avail = compr_depth-compr_bytes_read;
+ decompr_avail = decompr_depth - decompr_bytes_read;
+ }
+
+ /* Apply the server flow depth
+ * If the server flow depth is set then we need to decompress only upto the
+ * server flow depth
+ */
+ switch ( Session->server_conf->server_flow_depth)
+ {
+ case -1:
+ decompr_avail=0;
+ break;
+ case 0:
+
break;
+ default:
+ if(sd->resp_state.flow_depth_read < Session->server_conf->server_flow_depth)
+ {
+ if(decompr_avail > (Session->server_conf->server_flow_depth - sd->resp_state.flow_depth_read))
+ decompr_avail = Session->server_conf->server_flow_depth - sd->resp_state.flow_depth_read;
+ }
+ else
+ {
+ decompr_avail = 0;
+ }
+ break;
+ }
+
+ if(compr_avail <=0 || decompr_avail <=0 ||
+ (!compr_buffer) || (!decompr_buffer))
+ {
+ ResetGzipState(sd->decomp_state);
+ ResetRespState(&(sd->resp_state));
+ return iRet;
+ }
+
+
+ if(rawbuf_size < compr_avail)
+ {
+ compr_avail = rawbuf_size;
+ }
+
+ if(!(sd->resp_state.last_pkt_contlen))
+ {
+ if(sd->resp_state.last_pkt_chunked
+ && CheckChunkEncoding(Session, start, end, NULL, compr_buffer, compr_avail,
+ sd->resp_state.last_chunk_size, &chunk_size, &chunk_read,
+ sd, HI_SI_SERVER_MODE ) == 1)
+ {
+ sd->resp_state.last_chunk_size = chunk_size;
+ compr_avail = chunk_read;
+ zRet = uncompress_gzip(decompr_buffer,decompr_avail,compr_buffer, compr_avail, sd, &total_bytes_read,
+ sd->decomp_state->compress_fmt);
+ }
+ else
+ {
+ /* No Content-Length or Transfer-Encoding : chunked */
+ if(hi_eo_generate_event(Session, HI_EO_SERVER_NO_CONTLEN))
+ {
+ hi_eo_server_event_log(Session, HI_EO_SERVER_NO_CONTLEN, NULL, NULL);
+ }
+
+ memcpy(compr_buffer, ptr, compr_avail);
+ zRet = uncompress_gzip(decompr_buffer,decompr_avail,compr_buffer, compr_avail, sd,
+ &total_bytes_read, sd->decomp_state->compress_fmt);
+ }
+ }
+ else
+ {
+ memcpy(compr_buffer, ptr, compr_avail);
+ zRet = uncompress_gzip(decompr_buffer,decompr_avail,compr_buffer, compr_avail, sd,
+ &total_bytes_read, sd->decomp_state->compress_fmt);
+ }
+
+ sd->decomp_state->compr_bytes_read += compr_avail;
+ hi_stats.compr_bytes_read += compr_avail;
+
+ if((zRet == HI_SUCCESS) || (zRet == HI_NONFATAL_ERR))
+ {
+ if(decompr_buffer)
+ {
+ result->uri = decompr_buffer;
+ if ( total_bytes_read < decompr_avail )
+ {
+ result->uri_end = decompr_buffer + total_bytes_read;
+
sd->decomp_state->decompr_bytes_read += total_bytes_read;
+ sd->resp_state.flow_depth_read += total_bytes_read;
+ hi_stats.decompr_bytes_read += total_bytes_read;
+ }
+ else
+ {
+ result->uri_end = decompr_buffer + decompr_avail;
+ sd->decomp_state->decompr_bytes_read += decompr_avail;
+ sd->resp_state.flow_depth_read += decompr_avail;
+ hi_stats.decompr_bytes_read += decompr_avail;
+ }
+ }
+ }
+ else
+ {
+ ResetGzipState(sd->decomp_state);
+ ResetRespState(&(sd->resp_state));
+ }
+
+ if(zRet!=HI_SUCCESS)
+ {
+ if(hi_eo_generate_event(Session, HI_EO_SERVER_DECOMPR_FAILED))
+ {
+ hi_eo_server_event_log(Session, HI_EO_SERVER_DECOMPR_FAILED, NULL, NULL);
+ }
+ }
+
+ return iRet;
+
+
+}
+#endif
+
+static inline int hi_server_inspect_body(HI_SESSION *Session, HttpSessionData *sd, const u_char *ptr,
+ const u_char *end, URI_PTR *result)
+{
+ int iRet = HI_SUCCESS;
+
+ result->uri =ptr;
+ result->uri_end = end;
+ if(!Session || !sd )
+ {
+ if ((sd != NULL))
+ {
+#ifdef ZLIB
+ ResetGzipState(sd->decomp_state);
+#endif
+ ResetRespState(&(sd->resp_state));
+ return HI_INVALID_ARG;
+ }
+ }
+
+#ifdef ZLIB
+ if((sd->decomp_state != NULL) && sd->decomp_state->decompress_data)
+ {
+ iRet = hi_server_decompress(Session, sd, ptr, end, result);
+ }
+ else
+#endif
+ {
+ result->uri = ptr;
+ result->uri_end = end;
+ iRet = hi_server_extract_body(Session, sd, ptr, end, result);
+ }
+
+ return iRet;
+
+}
+static inline void ApplyFlowDepth(HTTPINSPECT_CONF *ServerConf, Packet *p,
+ HttpSessionData *sd, int resp_header_size, int expected, uint32_t seq_num)
+{
+ if(!ServerConf->server_flow_depth)
+ {
+ SetDetectLimit(p, p->dsize);
+ }
+ else if(ServerConf->server_flow_depth == -1)
+ {
+ SetDetectLimit(p, resp_header_size);
+ }
+ else
+ {
+ if(sd != NULL)
+ {
+ if(sd->resp_state.is_max_seq )
+ {
+ if(SEQ_GEQ((sd->resp_state.max_seq), seq_num))
+ {
+ if(((uint32_t)p->dsize) > (sd->resp_state.max_seq- seq_num))
+ {
+ SetDetectLimit(p, (uint16_t)(sd->resp_state.max_seq-seq_num));
+ return;
+ }
+ else
+ {
+ SetDetectLimit(p, p->dsize);
+ return;
+ }
+ }
+ else
+ {
+ SetDetectLimit(p, resp_header_size);
+ return;
+ }
+ }
+ else
+ {
+ if(expected)
+ {
+ if(p->dsize > ServerConf->server_flow_depth)
+ {
+ SetDetectLimit(p, ServerConf->server_flow_depth);
+ return;
+ }
+ else
+ {
+ SetDetectLimit(p, p->dsize);
+ return;
+ }
+ }
+ else
+ {
+ SetDetectLimit(p, 0);
+ return;
+ }
+ }
+
+ }
+ else
+ {
+ SetDetectLimit(p, p->dsize);
+ }
+ }
+}
+
+static inline void ResetState (HttpSessionData* sd)
+{
+#ifdef ZLIB
+ ResetGzipState(sd->decomp_state);
+#endif
+ ResetRespState(&(sd->resp_state));
 }
-static int ServerInspection(HI_SESSION *Session, const unsigned char *data,
- int dsize)
+int HttpResponseInspection(HI_SESSION *Session, Packet *p, const unsigned char *data,
+ int dsize, HttpSessionData *sd)
 {
+ HTTPINSPECT_CONF *ServerConf;
+ URI_PTR stat_code_ptr;
+ URI_PTR stat_msg_ptr;
+ HEADER_PTR header_ptr;
+ URI_PTR body_ptr;
 HI_SERVER *Server;
- int iRet;
+
+ const u_char *start;
+ const u_char *end;
+ const u_char *ptr;
+ int len;
+ int iRet = 0;
+ int resp_header_size = 0;
+ /* Refers to the stream reassembled packets when reassembly is turned on.
+ * Refers to all packets when reassembly is turned off. 
+ */
+ int not_stream_insert = 1;
+#ifdef ZLIB
+ int parse_cont_encoding = 1;
+ int status;
+#endif
+ int expected_pkt = 0;
+ int alt_dsize;
+ uint32_t seq_num = 0;
+
+ if (!Session || !p || !data || (dsize == 0))
+ return HI_INVALID_ARG;
+
+ ServerConf = Session->server_conf;
+ if(!ServerConf)
+ return HI_INVALID_ARG;
+ Server = &(Session->server);
+ clearHttpRespBuffer(Server);
+
+ seq_num = GET_PKT_SEQ(p);
+
+#ifdef ENABLE_PAF
+ if ( ScPafEnabled() )
+ {
+ expected_pkt = !PacketHasStartOfPDU(p);
+#ifdef ZLIB
+ parse_cont_encoding = !expected_pkt;
+#endif
+ not_stream_insert = PacketHasPAFPayload(p);
+
+ if ( !expected_pkt )
+ {
+ if ( sd )
+ {
+ ResetState(sd);
+ }
+ }
+ else if ( sd && ServerConf->server_flow_depth )
+ {
+ if ( !(sd->resp_state.is_max_seq) ||
+ !SEQ_LT(seq_num, (sd->resp_state.max_seq)) )
+ {
+ ResetState(sd);
+ }
+ }
+ }
+ else
+ // when PAF is hardened, the following can be removed
+#endif
+ if ( (sd != NULL) )
+ {
+ /* If the previously inspected packet in this session identified as a body
+ * and if the packets are stream inserted wait for reassembled */
+ if (sd->resp_state.inspect_reassembled)
+ {
+ if(p->packet_flags & PKT_STREAM_INSERT)
+ {
+#ifdef ZLIB
+ parse_cont_encoding = 0;
+#endif
+ not_stream_insert = 0;
+ }
+ }
+ /* If this packet is the next expected packet to be inspected and is out of sequence
+ * clear out the resp state*/
+#ifdef ZLIB
+ if(( sd->decomp_state && sd->decomp_state->decompress_data) && parse_cont_encoding)
+ {
+ if( sd->resp_state.next_seq &&
+ (seq_num == sd->resp_state.next_seq) )
+ {
+ sd->resp_state.next_seq = seq_num + p->dsize;
+ expected_pkt = 1;
+ }
+ else
+ {
+ ResetGzipState(sd->decomp_state);
+ ResetRespState(&(sd->resp_state));
+ }
+ }
+ else
+#endif
+ if(sd->resp_state.inspect_body && not_stream_insert)
+ {
+ /* If the server flow depth is 0 then we need to check if the packet
+ * is in sequence
+ */
+ if(!ServerConf->server_flow_depth)
+ {
+ if( sd->resp_state.next_seq &&
+ (seq_num == 
sd->resp_state.next_seq) )
+ {
+ sd->resp_state.next_seq = seq_num + p->dsize;
+ expected_pkt = 1;
+ }
+ else
+ {
+#ifdef ZLIB
+ ResetGzipState(sd->decomp_state);
+#endif
+ ResetRespState(&(sd->resp_state));
+ }
+ }
+ else
+ {
+ /*Check if the sequence number of the packet is within the allowed
+ * flow_depth
+ */
+ if( (sd->resp_state.is_max_seq) &&
+ SEQ_LT(seq_num, (sd->resp_state.max_seq)))
+ {
+ expected_pkt = 1;
+ }
+ else
+ {
+#ifdef ZLIB
+ ResetGzipState(sd->decomp_state);
+#endif
+ ResetRespState(&(sd->resp_state));
+ }
+ }
+
+ }
+ }
+
+ memset(&stat_code_ptr, 0x00, sizeof(URI_PTR));
+ memset(&stat_msg_ptr, 0x00, sizeof(URI_PTR));
+ memset(&header_ptr, 0x00, sizeof(HEADER_PTR));
+ memset(&body_ptr, 0x00, sizeof(URI_PTR));
+
+ start = data;
+ end = data + dsize;
+ ptr = start;
+
+ /* moving past the CRLF */
+
+ while(hi_util_in_bounds(start, end, ptr))
+ {
+ if(*ptr < 0x21)
+ {
+ if(*ptr < 0x0E && *ptr > 0x08)
+ {
+ ptr++;
+ continue;
+ }
+ else
+ {
+ if(*ptr == 0x20)
+ {
+ ptr++;
+ continue;
+ }
+ }
+ }
+
+ break;
+ }
+
+ /*after doing this we need to basically check for version, status code and status message*/
+
+ len = end - ptr;
+ if ( len > 4 )
+ {
+ if(!IsHttpVersion(&ptr, end))
+ {
+ if(expected_pkt)
+ {
+ ptr = start;
+ p->packet_flags |= PKT_HTTP_DECODE;
+ }
+ else
+ {
+ p->packet_flags |= PKT_HTTP_DECODE;
+ ApplyFlowDepth(ServerConf, p, sd, resp_header_size, 0, seq_num);
+ if ( not_stream_insert && (sd != NULL))
+ {
+#ifdef ZLIB
+ ResetGzipState(sd->decomp_state);
+#endif
+ ResetRespState(&(sd->resp_state));
+ }
+ CLR_SERVER_HEADER(Server);
+ return HI_SUCCESS;
+ }
+ }
+ else
+ {
+ p->packet_flags |= PKT_HTTP_DECODE;
+ /* This is a next expected packet to be decompressed but the packet is a
+ * valid HTTP response. 
So the gzip decompression ends here */
+ if(expected_pkt)
+ {
+ expected_pkt = 0;
+#ifdef ZLIB
+ ResetGzipState(sd->decomp_state);
+#endif
+ ResetRespState(&(sd->resp_state));
+ }
+ while(hi_util_in_bounds(start, end, ptr))
+ {
+ if (isspace((int)*ptr))
+ break;
+ ptr++;
+ }
+
+ }
+ }
+ else if (!expected_pkt)
+ {
+ return HI_SUCCESS;
+ }
+
+ /*If this is the next expected packet to be decompressed, send this packet
+ * decompression */
+
+ if (expected_pkt)
+ {
+ if (hi_util_in_bounds(start, end, ptr))
+ {
+ iRet = hi_server_inspect_body(Session, sd, ptr, end, &body_ptr);
+ }
+ }
+ else
+ {
+ iRet = hi_server_extract_status_code(Session, start,ptr,end , &stat_code_ptr);
+
+ if ( iRet != HI_OUT_OF_BOUNDS )
+ {
+ Server->response.status_code = stat_code_ptr.uri;
+ Server->response.status_code_size = stat_code_ptr.uri_end - stat_code_ptr.uri;
+ if ( (int)Server->response.status_code_size <= 0)
+ {
+ CLR_SERVER_STAT(Server);
+ }
+ else
+ {
+ iRet = hi_server_extract_status_msg(start, stat_code_ptr.uri_end ,
+ end, &stat_msg_ptr);
+
+ if ( stat_msg_ptr.uri )
+ {
+ Server->response.status_msg = stat_msg_ptr.uri;
+ Server->response.status_msg_size = stat_msg_ptr.uri_end - stat_msg_ptr.uri;
+ if ((int)Server->response.status_msg_size <= 0)
+ {
+ CLR_SERVER_STAT_MSG(Server);
+ }
+ {
+#ifdef ZLIB
+ ptr = hi_server_extract_header(Session, ServerConf, &header_ptr,
+ stat_msg_ptr.uri_end , end, parse_cont_encoding, sd );
+#else
+ /* We dont need the content-encoding header when zlib is not enabled */
+ ptr = hi_server_extract_header(Session, ServerConf, &header_ptr,
+ stat_msg_ptr.uri_end , end, 0, sd );
+#endif
+ }
+ }
+ else
+ {
+ CLR_SERVER_STAT(Server);
+ }
+ }
+
+ if (header_ptr.header.uri)
+ {
+ Server->response.header_raw = header_ptr.header.uri;
+ Server->response.header_raw_size =
+ header_ptr.header.uri_end - header_ptr.header.uri;
+ if(!Server->response.header_raw_size)
+ {
+ CLR_SERVER_HEADER(Server);
+ }
+ else
+ {
+ resp_header_size = (header_ptr.header.uri_end - 
p->data); + hi_stats.resp_headers++; + Server->response.header_norm = header_ptr.header.uri; + if (header_ptr.cookie.cookie) + { + hi_stats.resp_cookies++; + Server->response.cookie.cookie = header_ptr.cookie.cookie; + Server->response.cookie.cookie_end = header_ptr.cookie.cookie_end; + Server->response.cookie.next = header_ptr.cookie.next; + } + else + { + Server->response.cookie.cookie = NULL; + Server->response.cookie.cookie_end = NULL; + Server->response.cookie.next = NULL; + } + if (sd != NULL) + { +#ifdef ZLIB + if( header_ptr.content_encoding.compress_fmt ) + { + hi_stats.gzip_pkts++; + + /* We've got gzip data - grab buffer from mempool and attach + * to session data if server is configured to do so */ + if (sd->decomp_state == NULL) + SetGzipBuffers(sd, Session); + + if (sd->decomp_state != NULL) + { + sd->decomp_state->decompress_data = 1; + sd->decomp_state->compress_fmt = + header_ptr.content_encoding.compress_fmt; + } + + } + else +#endif + { + sd->resp_state.inspect_body = 1; + } + + sd->resp_state.last_pkt_contlen = (header_ptr.content_len.len != 0); + if(ServerConf->server_flow_depth == -1) + sd->resp_state.is_max_seq = 0; + else + { + sd->resp_state.is_max_seq = 1; + sd->resp_state.max_seq = seq_num + + (header_ptr.header.uri_end - start)+ ServerConf->server_flow_depth; + } + + if (p->packet_flags & PKT_STREAM_INSERT) + { +#ifdef ENABLE_PAF + if ( ScPafEnabled() ) + { + if ( PacketHasFullPDU(p) ) + expected_pkt = 1; + else + sd->resp_state.inspect_reassembled = 1; + } + else +#endif + if ( + header_ptr.content_len.cont_len_start && + ((uint32_t)(end - (header_ptr.header.uri_end)) >= header_ptr.content_len.len)) + { + /* change this when the api is fixed to flush correctly */ + //stream_api->response_flush_stream(p); + expected_pkt = 1; + } + else + sd->resp_state.inspect_reassembled = 1; + } + else + { + if(p->packet_flags & PKT_REBUILT_STREAM) + sd->resp_state.inspect_reassembled = 1; + + expected_pkt = 1; + } + if(expected_pkt) + { + 
sd->resp_state.next_seq = seq_num + p->dsize; + + if(hi_util_in_bounds(start, end, header_ptr.header.uri_end)) + { + iRet = hi_server_inspect_body(Session, sd, header_ptr.header.uri_end, + end, &body_ptr); + } + } + } + } + } + else + { + CLR_SERVER_HEADER(Server); + + } + } + else + { + CLR_SERVER_STAT(Server); + } + } + + if( body_ptr.uri ) + { + Server->response.body = body_ptr.uri; + Server->response.body_size = body_ptr.uri_end - body_ptr.uri; + if( Server->response.body_size > 0) + { + if ( Server->response.body_size < sizeof(HttpDecodeBuf.data) ) + { + alt_dsize = Server->response.body_size; + } + else + { + alt_dsize = sizeof(HttpDecodeBuf.data); + } +#ifdef ZLIB + if(sd->decomp_state && sd->decomp_state->decompress_data) + { + status = SafeMemcpy(HttpDecodeBuf.data, Server->response.body, + alt_dsize, HttpDecodeBuf.data, HttpDecodeBuf.data + sizeof(HttpDecodeBuf.data)); + if( status != SAFEMEM_SUCCESS ) + return HI_MEM_ALLOC_FAIL; + + SetHttpDecode((uint16_t)alt_dsize); + Server->response.body = HttpDecodeBuf.data; + Server->response.body_size = HttpDecodeBuf.len; + if(sd) + sd->log_flags |= HTTP_LOG_GZIP_DATA; + } + else +#endif + { + if(sd->resp_state.last_pkt_chunked) + { + SetHttpDecode((uint16_t)alt_dsize); + Server->response.body = HttpDecodeBuf.data; + Server->response.body_size = HttpDecodeBuf.len; + } + else + { + Server->response.body_size = alt_dsize; + } + } + + if ((get_decode_utf_state_charset(&(sd->utf_state)) != CHARSET_DEFAULT) + || (ServerConf->normalize_javascript && Server->response.body_size)) + { + if ( Server->response.body_size < sizeof(HttpDecodeBuf.data) ) + { + alt_dsize = Server->response.body_size; + } + else + { + alt_dsize = sizeof(HttpDecodeBuf.data); + } + Server->response.body_size = alt_dsize; + SetHttpDecode((uint16_t)alt_dsize); + } + } + + } + { + /* There is no body to the HTTP response. + * In this case we need to inspect the entire HTTP response header. 
+ */ + ApplyFlowDepth(ServerConf, p, sd, resp_header_size, 1, seq_num); + } + + return HI_SUCCESS; +} + +int ServerInspection(HI_SESSION *Session, Packet *p, HttpSessionData *hsd) +{ + int iRet; + + if ((p->data == NULL) || (p->dsize == 0)) + { + return HI_INVALID_ARG; + } + + if ( Session->server_conf->inspect_response ) + { + iRet = HttpResponseInspection(Session, p, p->data, p->dsize, hsd); + } + else + { + iRet = IsHttpServerData(Session, p, hsd); + } - /* - ** There's really only one thing that we do right now for server - ** responses, that's HTTP flow. - */ - iRet = IsHttpServerData(Server, data, dsize, Session->server_conf->server_flow_depth); if (iRet) { return iRet; @@ -151,13 +1703,13 @@ return HI_SUCCESS; } -int hi_server_inspection(void *S, const unsigned char *data, int dsize) +int hi_server_inspection(void *S, Packet *p, HttpSessionData *hsd) { HI_SESSION *Session; int iRet; - if(!S || !data || dsize < 1) + if(!S ) { return HI_INVALID_ARG; } @@ -167,7 +1719,7 @@ /* ** Let's inspect the server response. */ - iRet = ServerInspection(Session, data, dsize); + iRet = ServerInspection(Session, p, hsd); if (iRet) { return iRet; diff -Nru snort-2.8.5.2/src/preprocessors/HttpInspect/server/hi_server_norm.c snort-2.9.2/src/preprocessors/HttpInspect/server/hi_server_norm.c --- snort-2.8.5.2/src/preprocessors/HttpInspect/server/hi_server_norm.c 1970-01-01 00:00:00.000000000 +0000 +++ snort-2.9.2/src/preprocessors/HttpInspect/server/hi_server_norm.c 2011-11-21 20:15:24.000000000 +0000 
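Review bot: The replacement guard `+    if(!S )` in hi_server_inspection drops the validation of the packet argument that `-    if(!S || !data || dsize < 1)` used to provide, yet `p` is handed straight to ServerInspection, whose first statement dereferences it (`if ((p->data == NULL) || (p->dsize == 0))`). A NULL packet that the old entry point rejected with HI_INVALID_ARG now reaches a NULL dereference in the preprocessor; since this is the public entry called from the HttpInspect packet path, the check should be restored as `if (!S || !p)` so the contract is enforced at the boundary rather than assumed by the caller. The second hunk (`@@ -167,7 +1719,7 @@`) only forwards `p` and `hsd` and needs no further change once the guard is restored. hi_server_inspection's body continues past the end of this hunk.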
@@ -0,0 +1,385 @@ +/**************************************************************************** + * + * Copyright (C) 2003-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +/** +** @file hi_client_norm.c +** +** @author Daniel Roelker +** +** @brief HTTP client normalization routines +** +** We deal with the normalization of HTTP client requests headers and +** URI. +** +** In this file, we handle all the different HTTP request URI evasions. The +** list is: +** - ASCII decoding +** - UTF-8 decoding +** - IIS Unicode decoding +** - Directory traversals (self-referential and traversal) +** - Multiple Slashes +** - Double decoding +** - %U decoding +** - Bare Byte Unicode decoding +** +** Base 36 is deprecated and essentially a noop +** - Base36 decoding +** +** NOTES: +** - Initial development. 
DJR +*/ +#include +#include +#include +#include + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "hi_norm.h" +#include "hi_util.h" +#include "hi_return_codes.h" +#include "hi_eo_log.h" + +#include "snort_bounds.h" +#include "detection_util.h" + + +extern int hi_split_header_cookie(HI_SESSION *, u_char *, int *, u_char *, int *, const u_char *, int , COOKIE_PTR *); + +int hi_server_norm(HI_SESSION *Session, HttpSessionData *hsd) +{ + static u_char HeaderBuf[MAX_URI]; + static u_char CookieBuf[MAX_URI]; + static u_char RawHeaderBuf[MAX_URI]; + static u_char RawCookieBuf[MAX_URI]; + HI_SERVER_RESP *ServerResp; + int iRet; + int iRawHeaderBufSize = MAX_URI; + int iRawCookieBufSize = MAX_URI; + int iHeaderBufSize = MAX_URI; + int iCookieBufSize = MAX_URI; + uint16_t encodeType = 0; + + if(!Session || !Session->server_conf) + { + return HI_INVALID_ARG; + } + + ServerResp = &Session->server.response; + ServerResp->header_encode_type = 0; + ServerResp->cookie_encode_type = 0; + + if (ServerResp->cookie.cookie) + { + /* There is an HTTP header with a cookie, look for the cookie & + * separate the two buffers */ + iRet = hi_split_header_cookie(Session, + RawHeaderBuf, &iRawHeaderBufSize, + RawCookieBuf, &iRawCookieBufSize, + ServerResp->header_raw, ServerResp->header_raw_size, + &ServerResp->cookie); + if( iRet == HI_SUCCESS) + { + ServerResp->cookie.cookie = RawCookieBuf; + ServerResp->cookie.cookie_end = RawCookieBuf + iRawCookieBufSize; + } + } + else + { + if (ServerResp->header_raw_size) + { + if (ServerResp->header_raw_size > MAX_URI) + { + ServerResp->header_raw_size = MAX_URI; + } + /* Limiting to MAX_URI above should cause this to always return SAFEMEM_SUCCESS */ + SafeMemcpy(RawHeaderBuf, ServerResp->header_raw, ServerResp->header_raw_size, + &RawHeaderBuf[0], &RawHeaderBuf[0] + iRawHeaderBufSize); + } + iRawHeaderBufSize = ServerResp->header_raw_size; + iRawCookieBufSize = 0; + } + + if(ServerResp->header_norm && 
Session->server_conf->normalize_headers) + { + Session->norm_flags &= ~HI_BODY; + iRet = hi_norm_uri(Session, HeaderBuf, &iHeaderBufSize, + RawHeaderBuf, iRawHeaderBufSize, &encodeType); + if (iRet == HI_NONFATAL_ERR) + { + /* There was a non-fatal problem normalizing */ + ServerResp->header_norm = NULL; + ServerResp->header_norm_size = 0; + ServerResp->header_encode_type = 0; + } + else + { + /* Client code is expecting these to be set to non-NULL if + * normalization occurred. */ + ServerResp->header_norm = HeaderBuf; + ServerResp->header_norm_size = iHeaderBufSize; + ServerResp->header_encode_type = encodeType; + } + encodeType = 0; + } + else + { + /* Client code is expecting these to be set to non-NULL if + * normalization occurred. */ + if (iRawHeaderBufSize) + { + ServerResp->header_norm = RawHeaderBuf; + ServerResp->header_norm_size = iRawHeaderBufSize; + ServerResp->header_encode_type = 0; + } + } + + if(ServerResp->cookie.cookie && Session->server_conf->normalize_cookies) + { + Session->norm_flags &= ~HI_BODY; + iRet = hi_norm_uri(Session, CookieBuf, &iCookieBufSize, + RawCookieBuf, iRawCookieBufSize, &encodeType); + if (iRet == HI_NONFATAL_ERR) + { + /* There was a non-fatal problem normalizing */ + ServerResp->cookie_norm = NULL; + ServerResp->cookie_norm_size = 0; + ServerResp->cookie_encode_type = 0; + } + else + { + /* Client code is expecting these to be set to non-NULL if + * normalization occurred. */ + ServerResp->cookie_norm = CookieBuf; + ServerResp->cookie_norm_size = iCookieBufSize; + ServerResp->cookie_encode_type = encodeType; + } + encodeType = 0; + } + else + { + /* Client code is expecting these to be set to non-NULL if + * normalization occurred. 
*/ + if (iRawCookieBufSize) + { + ServerResp->cookie_norm = RawCookieBuf; + ServerResp->cookie_norm_size = iRawCookieBufSize; + ServerResp->cookie_encode_type = 0; + } + } + + if (Session->server_conf->normalize_utf && (ServerResp->body_size > 0)) + { + int bytes_copied, result, charset; + + if (hsd) + { + charset = get_decode_utf_state_charset(&(hsd->utf_state)); + + if (charset == CHARSET_UNKNOWN) + { + /* Got a text content type but no charset. + * Look for potential BOM (Byte Order Mark) */ + if (ServerResp->body_size >= 4) + { + uint8_t size = 0; + + if (!memcmp(ServerResp->body, "\x00\x00\xFE\xFF", 4)) + { + set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_UTF32BE); + size = 4; + } + else if (!memcmp(ServerResp->body, "\xFF\xFE\x00\x00", 4)) + { + set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_UTF32LE); + size = 4; + } + else if (!memcmp(ServerResp->body, "\xFE\xFF", 2)) + { + set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_UTF16BE); + size = 2; + } + else if (!memcmp(ServerResp->body, "\xFF\xFE", 2)) + { + set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_UTF16LE); + size = 2; + } + + ServerResp->body += size; + ServerResp->body_size -= size; + + charset = get_decode_utf_state_charset(&(hsd->utf_state)); + } + } + + /* Normalize server responses with utf-16le, utf-16be, utf-32le, + or utf-32be charsets.*/ + switch (charset) + { + case CHARSET_UTF16LE: + case CHARSET_UTF16BE: + case CHARSET_UTF32LE: + case CHARSET_UTF32BE: + result = DecodeUTF((char *)ServerResp->body, ServerResp->body_size, + (char *)HttpDecodeBuf.data, sizeof(HttpDecodeBuf.data), + &bytes_copied, + &(hsd->utf_state)); + + if (result == DECODE_UTF_FAILURE) + { + if(hi_eo_generate_event(Session, HI_EO_SERVER_UTF_NORM_FAIL)) + { + hi_eo_server_event_log(Session, HI_EO_SERVER_UTF_NORM_FAIL, NULL, NULL); + } + } + SetHttpDecode((uint16_t)bytes_copied); + ServerResp->body = HttpDecodeBuf.data; + ServerResp->body_size = HttpDecodeBuf.len; + break; + default: + break; 
+ } + } + } + + if (Session->server_conf->normalize_javascript && (ServerResp->body_size > 0)) + { + int js_present, status, index; + char *ptr, *start, *end; + JSState js; + + js.allowed_spaces = Session->server_conf->max_js_ws; + js.allowed_levels = MAX_ALLOWED_OBFUSCATION; + js.alerts = 0; + + js_present = status = index = 0; + start = (char *)ServerResp->body; + ptr = start; + end = start + ServerResp->body_size; + + while(ptr < end) + { + char *angle_bracket, *js_start; + int type_js, bytes_copied, script_found; + bytes_copied = 0; + type_js = 0; + hi_current_search = &hi_js_search[0]; + script_found = search_api->search_instance_find(hi_javascript_search_mpse, (const char *)ptr, + (end-ptr), 0 , HI_SearchStrFound); + if (script_found > 0) + { + js_start = ptr + hi_search_info.index; + angle_bracket = (char *)SnortStrnStr((const char *)(js_start), (end - js_start), ">"); + if(!angle_bracket) + break; + + if(angle_bracket > js_start) + { + script_found = search_api->search_instance_find(hi_htmltype_search_mpse, (const char *)js_start, + (angle_bracket-js_start), 0 , HI_SearchStrFound); + js_start = angle_bracket; + if(script_found > 0) + { + switch (hi_search_info.id) + { + case HTML_JS: + js_present = 1; + type_js = 1; + break; + default: + type_js = 0; + break; + } + } + else + { + //if no type or language is found we assume its a javascript + js_present = 1; + type_js = 1; + } + + } + //Save before the